diff -ru openssh-3.5p1/ChangeLog openssh-3.6p1/ChangeLog --- openssh-3.5p1/ChangeLog 2002-10-03 15:45:53.000000000 +1000 +++ openssh-3.6p1/ChangeLog 2003-03-26 16:03:05.000000000 +1100 
@@ -1,3 +1,504 @@ +20030326 + - (djm) OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2003/03/26 04:02:51 + [sftp-server.c] + one last fix to the tree: race fix broke stuff; pr 3169; + srp@srparish.net, help from djm + - (djm) Fix getpeerid support for 64 bit BE systems. From + Arnd Bergmann + - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. + Report from murple@murple.net, diagnosis from dtucker@zip.com.au + - Release 3.6p1 + +20030324 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/03/23 19:02:00 + [monitor.c] + unbreak rekeying for privsep; ok millert@ + +20030320 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/03/17 10:38:38 + [progressmeter.c] + don't print \n if backgrounded; from ho@ + - markus@cvs.openbsd.org 2003/03/17 11:43:47 + [version.h] + enter 3.6 + - (bal) The days of lack of int64_t support are over. Sorry kids. + - (bal) scp.c 'limit' conflicts with Cray. Rename to 'limitbw' + - (bal) Collection of Cray patches (bsd-cray.h fix for CRAYT3E and improved + guessing rules) + - (bal) Disable Privsep for Tru64 after pre-authentication due to issues + with SIA. Also, clean up of tru64 support patch by Chris Adams + + - (tim) [contrib/caldera/openssh.spec] workaround RPM quirk. Fix %files + section. + +20030318 + - (tim) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] + add nanosleep(). testing/corrections by Darren Tucker + +20030317 + - (djm) Fix return value checks for RAND_bytes. Report from + Steve G + +20030315 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/03/13 11:42:19 + [authfile.c ssh-keysign.c] + move RSA_blinding_on to generic key load method + - markus@cvs.openbsd.org 2003/03/13 11:44:50 + [ssh-agent.c] + ssh-agent is similar to ssh-keysign (allows other processes to use + private rsa keys). however, it gets key over socket and not from + a file, so we have to do blinding here as well. 
+ +20030310 +- (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/03/05 22:33:43 + [channels.c monitor.c scp.c session.c sftp-client.c sftp-int.c] + [sftp-server.c ssh-add.c sshconnect2.c] + fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@ + - (djm) One more portable-specific one from dlheine@suif.Stanford.EDU/ + CLOUSEAU + - (djm) Bug #245: TTY problems on Solaris. Fix by stevesk@ and + dtucker@zip.com.au + - (djm) AIX package builder update from dtucker@zip.com.au + +20030225 + - (djm) Fix some compile errors spotted by dtucker and his fabulous + tinderbox + +20030224 + - (djm) Tweak gnome-ssh-askpass2: + - Retry kb and mouse grab a couple of times, so passphrase dialog doesn't + immediately fail if you are doing something else when it appears (e.g. + dragging a window) + - Perform server grab after we have the keyboard and/or pointer to avoid + races. + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/01/27 17:06:31 + [sshd.c] + more specific error message when /var/empty has wrong permissions; + bug #46, map@appgate.com; ok henning@, provos@, stevesk@ + - markus@cvs.openbsd.org 2003/01/28 16:11:52 + [scp.1] + document -l; pekkas@netcore.fi + - stevesk@cvs.openbsd.org 2003/01/28 17:24:51 + [scp.1] + remove example not pertinent with -1 addition; ok markus@ + - jmc@cvs.openbsd.org 2003/01/31 21:54:40 + [sshd.8] + typos; sshd(8): help and ok markus@ + help and ok millert@ + - markus@cvs.openbsd.org 2003/02/02 10:51:13 + [scp.c] + call okname() only when using system(3) for remote-remote copy; + fixes bugs #483, #472; ok deraadt@, mouring@ + - markus@cvs.openbsd.org 2003/02/02 10:56:08 + [kex.c] + add support for key exchange guesses; based on work by + avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@ + - markus@cvs.openbsd.org 2003/02/03 08:56:16 + [sshpty.c] + don't call error() for readonly /dev; from soekris list; ok mcbride, + henning, deraadt. 
+ - markus@cvs.openbsd.org 2003/02/04 09:32:08 + [key.c] + better debug3 message + - markus@cvs.openbsd.org 2003/02/04 09:33:22 + [monitor.c monitor_wrap.c] + skey/bsdauth: use 0 to indicate failure instead of -1, because + the buffer API only supports unsigned ints. + - markus@cvs.openbsd.org 2003/02/05 09:02:28 + [readconf.c] + simplify ProxyCommand parsing, remove strcat/xrealloc; ok henning@, djm@ + - markus@cvs.openbsd.org 2003/02/06 09:26:23 + [session.c] + missing call to setproctitle() after authentication; ok provos@ + - markus@cvs.openbsd.org 2003/02/06 09:27:29 + [ssh.c ssh_config.5] + support 'ProxyCommand none'; bugzilla #433; binder@arago.de; ok djm@ + - markus@cvs.openbsd.org 2003/02/06 09:29:18 + [sftp-server.c] + fix races in rename/symlink; from Tony Finch; ok djm@ + - markus@cvs.openbsd.org 2003/02/06 21:22:43 + [auth1.c auth2.c] + undo broken fix for #387, fixes #486 + - markus@cvs.openbsd.org 2003/02/10 11:51:47 + [ssh-add.1] + xref sshd_config.5 (not sshd.8); mark@summersault.com; bug #490 + - markus@cvs.openbsd.org 2003/02/12 09:33:04 + [key.c key.h ssh-dss.c ssh-rsa.c] + merge ssh-dss.h ssh-rsa.h into key.h; ok deraadt@ + - markus@cvs.openbsd.org 2003/02/12 21:39:50 + [crc32.c crc32.h] + replace crc32.c with a BSD licensed version; noted by David Turner + - markus@cvs.openbsd.org 2003/02/16 17:09:57 + [kex.c kexdh.c kexgex.c kex.h sshconnect2.c sshd.c ssh-keyscan.c] + split kex into client and server code, no need to link + server code into the client; ok provos@ + - markus@cvs.openbsd.org 2003/02/16 17:30:33 + [monitor.c monitor_wrap.c] + fix permitrootlogin forced-commands-only for privsep; bux #387; + ok provos@ + - markus@cvs.openbsd.org 2003/02/21 09:05:53 + [servconf.c] + print sshd_config filename in debug2 mode. + - mpech@cvs.openbsd.org 2003/02/21 10:34:48 + [auth-krb4.c] + ...sizeof(&adat.session) is not good here. 
+ henning@, deraadt@, millert@ + - (djm) Add new object files to Makefile and reorder + - (djm) Bug #501: gai_strerror should return char*; + fix from dtucker@zip.com.au + - (djm) Most of Bug #499: Cygwin compile fixes for new progressmeter; + From vinschen@redhat.com + - (djm) Rest of Bug #499: Import a basename() function from OpenBSD libc + - (djm) Bug #494: Allow multiple accounts on Windows 9x/Me; + From vinschen@redhat.com + - (djm) Bug #456: Support for NEC SX6 with Unicos; from wendyp@cray.com + +20030211 + - (djm) Cygwin needs libcrypt too. Patch from vinschen@redhat.com + +20030206 + - (djm) Teach fake-getaddrinfo to use getservbyname() when provided a + string service name. Suggested by markus@, review by itojun@ + +20030131 + - (bal) AIX 4.2.1 lacks nanosleep(). Patch to use nsleep() provided by + dtucker@zip.com.au + +20030130 + - (djm) Unbreak root password auth. Spotted by dtucker@zip.com.au + +200301028 + - (djm) Search libposix4 and librt for nanosleep. From dtucker@zip.com.au + and openssh-unix-dev@thewrittenword.com + +200301027 + - (bal) Bugzilla 477 patch by wendyp@cray.com. Define TIOCGPGRP for + cray. Also removed test for tcgetpgrp in configure.ac since it + is no longer used. 
+ +20030124 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2003/01/23 08:58:47 + [sshd_config.5] + typos; ok millert@ + - markus@cvs.openbsd.org 2003/01/23 13:50:27 + [authfd.c authfd.h readpass.c ssh-add.1 ssh-add.c ssh-agent.c] + ssh-add -c, prompt user for confirmation (using ssh-askpass) when + private agent key is used; with djm@; test by dugsong@, djm@; + ok deraadt@ + - markus@cvs.openbsd.org 2003/01/23 14:01:53 + [scp.c] + bandwidth limitation patch (scp -l) from niels@; ok todd@, deraadt@ + - markus@cvs.openbsd.org 2003/01/23 14:06:15 + [scp.1 scp.c] + scp -12; Sam Smith and others; ok provos@, deraadt@ + - (djm) Add TIMEVAL_TO_TIMESPEC macros + +20030123 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2003/01/23 00:03:00 + [auth1.c] + Don't log TIS auth response; "get rid of it" - markus@ + +20030122 + - (djm) OpenBSD CVS Sync + - marc@cvs.openbsd.org 2003/01/21 18:14:36 + [ssh-agent.1 ssh-agent.c] + Add a -t life option to ssh-agent that set the default lifetime. + The default can still be overriden by using -t in ssh-add. + OK markus@ + - (djm) Reorganise PAM & SIA password handling to eliminate some common code + - (djm) Sync regress with OpenBSD -current + +20030120 + - (djm) Fix compilation for NetBSD from dtucker@zip.com.au + - (tim) [progressmeter.c] make compilers without long long happy. + - (tim) [configure.ac] Add -belf to build ELF binaries on OpenServer 5 when + using cc. (gcc already did) + +20030118 + - (djm) Revert fix for Bug #442 for now. + +20030117 + - (djm) Bug #470: Detect strnvis, not strvis in configure. + From d_wllms@lanl.gov + +20030116 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2003/01/16 03:41:55 + [sftp-int.c] + explicitly use first glob result + +20030114 + - (djm) OpenBSD CVS Sync + - fgsch@cvs.openbsd.org 2003/01/10 23:23:24 + [sftp-int.c] + typo; from Nils Nordman . 
+ - markus@cvs.openbsd.org 2003/01/11 18:29:43 + [log.c] + set fatal_cleanups to NULL in fatal_remove_all_cleanups(); + dtucker@zip.com.au + - markus@cvs.openbsd.org 2003/01/12 16:57:02 + [progressmeter.c] + allow WARNINGS=yes; ok djm@ + - djm@cvs.openbsd.org 2003/01/13 11:04:04 + [sftp-int.c] + make cmds[] array static to avoid conflict with BSDI libc. + mindrot bug #466. Fix from mdev@idg.nl; ok markus@ + - djm@cvs.openbsd.org 2003/01/14 10:58:00 + [sftp-client.c sftp-int.c] + Don't try to upload or download non-regular files. Report from + apoloval@pantuflo.escet.urjc.es; ok markus@ + +20030113 + - (djm) Rework openbsd-compat/setproctitle.c a bit: move emulation type + detection to configure.ac. Prompted by stevesk@ + - (djm) Bug #467: Add a --disable-strip option to turn off stripping of + installed binaries. From mdev@idg.nl + +20030110 + - (djm) Enable new setproctitle emulation for Linux, AIX and HP/UX. More + systems may be added later. + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2003/01/08 23:53:26 + [sftp.1 sftp.c sftp-int.c sftp-int.h] + Cleanup error handling for batchmode + Allow blank lines and comments in input + Ability to suppress abort on error in batchmode ("-put blah") + Fixes mindrot bug #452; markus@ ok + - fgsch@cvs.openbsd.org 2003/01/10 08:19:07 + [scp.c sftp.1 sftp.c sftp-client.c sftp-int.c progressmeter.c] + [progressmeter.h] + sftp progress meter support. + original diffs by Nils Nordman via + markus@, merged to -current by me, djm@ ok. + - djm@cvs.openbsd.org 2003/01/10 08:48:15 + [sftp-client.c] + Simplify and avoid redundancy in packet send and receive + functions; ok fgs@ + - djm@cvs.openbsd.org 2003/01/10 10:29:35 + [scp.c] + Don't ftruncate after write error, creating sparse files of + incorrect length + mindrot bug #403, reported by rusr@cup.hp.com; ok markus@ + - djm@cvs.openbsd.org 2003/01/10 10:32:54 + [channels.c] + hush socket() errors, except last. 
Fixes mindrot bug #408; ok markus@ + +20030108 + - (djm) Sync openbsd-compat/ with OpenBSD -current + - (djm) Avoid redundant xstrdup/xfree in auth2-pam.c. From Solar via markus@ + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/01/01 18:08:52 + [channels.c] + move big output buffer messages to debug2 + - djm@cvs.openbsd.org 2003/01/06 23:51:22 + [sftp-client.c] + Fix "get -p" download to not add user-write perm. mindrot bug #426 + reported by gfernandez@livevault.com; ok markus@ + - fgsch@cvs.openbsd.org 2003/01/07 23:42:54 + [sftp.1] + add version; from Nils Nordman via markus@. + markus@ ok + - (djm) Update README to reflect AIX's status as a well supported platform. + From dtucker@zip.com.au + - (tim) [Makefile.in configure.ac] replace fixpath with sed script. Patch + by Mo DeJong. + - (tim) [auth.c] declare today at top of allowed_user() to keep + older compilers happy. + - (tim) [scp.c] make compilers without long long happy. + +20030107 + - (djm) Bug #401: Work around Linux breakage with IPv6 mapped addresses. + Based on fix from yoshfuji@linux-ipv6.org + - (djm) Bug #442: Check for and deny access to accounts with locked + passwords. Patch from dtucker@zip.com.au + - (djm) Bug #44: Use local mkstemp() rather than glibc's silly one. Fixes + Can't pass KRB4 TGT passing. Fix from: jan.iven@cern.ch + - (djm) Fix Bug #442 for PAM case + - (djm) Bug #110: bogus error messages in lastlog_get_entry(). Fix based + on one by peak@argo.troja.mff.cuni.cz + - (djm) Bug #111: Run syslog and stderr logging through strnvis to eliminate + nasties. Report from peak@argo.troja.mff.cuni.cz + - (djm) Bug #178: On AIX /etc/nologin wasnt't shown to users. Fix from + Ralf.Wenk@fh-karlsruhe.de and dtucker@zip.com.au + - (djm) Fix my fix of the fix for the Bug #442 for PAM case. Spotted by + dtucker@zip.com.au. Reorder for clarity too. + +20030103 + - (djm) Bug #461: ssh-copy-id fails with no arguments. 
Patch from + cjwatson@debian.org + - (djm) Bug #460: Filling utmp[x]->ut_addr_v6 if present. Patch from + cjwatson@debian.org + - (djm) Bug #446: Set LOGIN env var to pw_name on AIX. Patch from + mii@ornl.gov + +20030101 + - (stevesk) [session.c sshlogin.c sshlogin.h] complete portable + parts of pass addrlen with sockaddr * fix. + from Hajimu UMEMOTO + +20021222 + - (bal) OpenBSD CVS Sync + - fgsch@cvs.openbsd.org 2002/11/15 10:03:09 + [authfile.c] + lseek(2) may return -1 when getting the public/private key lenght. + Simplify the code and check for errors using fstat(2). + + Problem reported by Mauricio Sanchez, markus@ ok. + - markus@cvs.openbsd.org 2002/11/18 16:43:44 + [clientloop.c] + don't overwrite SIG{INT,QUIT,TERM} handler if set to SIG_IGN; + e.g. if ssh is used for backup; report Joerg Schilling; ok millert@ + - markus@cvs.openbsd.org 2002/11/21 22:22:50 + [dh.c] + debug->debug2 + - markus@cvs.openbsd.org 2002/11/21 22:45:31 + [cipher.c kex.c packet.c sshconnect.c sshconnect2.c] + debug->debug2, unify debug messages + - deraadt@cvs.openbsd.org 2002/11/21 23:03:51 + [auth-krb5.c auth1.c hostfile.h monitor_wrap.c sftp-client.c sftp-int.c ssh-add.c ssh-rsa.c + sshconnect.c] + KNF + - markus@cvs.openbsd.org 2002/11/21 23:04:33 + [ssh.c] + debug->debug2 + - stevesk@cvs.openbsd.org 2002/11/24 21:46:24 + [ssh-keysign.8] + typo: "the the" + - wcobb@cvs.openbsd.org 2002/11/26 00:45:03 + [scp.c ssh-keygen.c] + Remove unnecessary fflush(stderr) calls, stderr is unbuffered by default. + ok markus@ + - stevesk@cvs.openbsd.org 2002/11/26 02:35:30 + [ssh-keygen.1] + remove outdated statement; ok markus@ deraadt@ + - stevesk@cvs.openbsd.org 2002/11/26 02:38:54 + [canohost.c] + KNF, comment and error message repair; ok markus@ + - markus@cvs.openbsd.org 2002/11/27 17:53:35 + [scp.c sftp.c ssh.c] + allow usernames with embedded '@', e.g. 
scp user@vhost@realhost:file /tmp; + http://bugzilla.mindrot.org/show_bug.cgi?id=447; ok mouring@, millert@ + - stevesk@cvs.openbsd.org 2002/12/04 04:36:47 + [session.c] + remove xauth entries before add; PR 2994 from janjaap@stack.nl. + ok markus@ + - markus@cvs.openbsd.org 2002/12/05 11:08:35 + [scp.c] + use roundup() similar to rcp/util.c and avoid problems with strange + filesystem block sizes, noted by tjr@freebsd.org; ok djm@ + - djm@cvs.openbsd.org 2002/12/06 05:20:02 + [sftp.1] + Fix cut'n'paste error, spotted by matthias.riese@b-novative.de; ok deraadt@ + - millert@cvs.openbsd.org 2002/12/09 16:50:30 + [ssh.c] + Avoid setting optind to 0 as GNU getopt treats that like we do optreset. + markus@ OK + - markus@cvs.openbsd.org 2002/12/10 08:56:00 + [session.c] + Make sure $SHELL points to the shell from the password file, even if shell + is overridden from login.conf; bug#453; semen at online.sinor.ru; ok millert@ + - markus@cvs.openbsd.org 2002/12/10 19:26:50 + [packet.c] + move tos handling to packet_set_tos; ok provos/henning/deraadt + - markus@cvs.openbsd.org 2002/12/10 19:47:14 + [packet.c] + static + - markus@cvs.openbsd.org 2002/12/13 10:03:15 + [channels.c misc.c sshconnect2.c] + cleanup debug messages, more useful information for the client user. + - markus@cvs.openbsd.org 2002/12/13 15:20:52 + [scp.c] + 1) include stalling time in total time + 2) truncate filenames to 45 instead of 20 characters + 3) print rate instead of progress bar, no more stars + 4) scale output to tty width + based on a patch from Niels; ok fries@ lebel@ fgs@ millert@ + - (bal) [msg.c msg.h scp.c ssh-keysign.c sshconnect2.c] Resync CVS IDs since + we already did s/msg_send/ssh_msg_send/ + +20021205 + - (djm) PERL-free fixpaths from stuge-openssh-unix-dev@cdy.org + +20021122 + - (tim) [configure.ac] fix STDPATH test for IRIX. First reported by + advax@triumf.ca. 
This type of solution tested by + +20021113 + - (tim) [configure.ac] remove unused variables no_libsocket and no_libnsl + +20021111 + - (tim) [contrib/solaris/opensshd.in] add umask 022 so sshd.pid is + not world writable. + +20021109 + - (bal) OpenBSD CVS Sync + - itojun@cvs.openbsd.org 2002/10/16 14:31:48 + [sftp-common.c] + 64bit pedant. %llu is "unsigned long long". markus ok + - markus@cvs.openbsd.org 2002/10/23 10:32:13 + [packet.c] + use %u for u_int + - markus@cvs.openbsd.org 2002/10/23 10:40:16 + [bufaux.c] + %u for u_int + - markus@cvs.openbsd.org 2002/11/04 10:07:53 + [auth.c] + don't compare against pw_home if realpath fails for pw_home (seen + on AFS); ok djm@ + - markus@cvs.openbsd.org 2002/11/04 10:09:51 + [packet.c] + log before send disconnect; ok djm@ + - markus@cvs.openbsd.org 2002/11/05 19:45:20 + [monitor.c] + handle overflows for size_t larger than u_int; siw@goneko.de, bug #425 + - markus@cvs.openbsd.org 2002/11/05 20:10:37 + [sftp-client.c] + typo; GaryF@livevault.com + - markus@cvs.openbsd.org 2002/11/07 16:28:47 + [sshd.c] + log to stderr if -ie is given, bug #414, prj@po.cwru.edu + - markus@cvs.openbsd.org 2002/11/07 22:08:07 + [readconf.c readconf.h ssh-keysign.8 ssh-keysign.c] + we cannot use HostbasedAuthentication for enabling ssh-keysign(8), + because HostbasedAuthentication might be enabled based on the + target host and ssh-keysign(8) does not know the remote hostname + and not trust ssh(1) about the hostname, so we add a new option + EnableSSHKeysign; ok djm@, report from zierke@informatik.uni-hamburg.de + - markus@cvs.openbsd.org 2002/11/07 22:35:38 + [scp.c] + check exit status from ssh, and exit(1) if ssh fails; bug#369; + binder@arago.de + - (bal) Update ssh-host-config and minor rewrite of bsd-cygwin_util.c + ntsec now default if cygwin version beginning w/ version 56. Patch + by Corinna Vinschen + - (bal) AIX does not log login attempts for unknown users (bug #432). 
+ patch by dtucker@zip.com.au + +20021021 + - (djm) Bug #400: Kill ssh-rand-helper children on timeout, patch from + dtucker@zip.com.au + - (djm) Bug #317: FreeBSD needs libutil.h for openpty() Report from + dirk.meyer@dinoex.sub.org + +20021015 + - (bal) Fix bug id 383 and only call loginrestrict for AIX if not root. + - (bal) More advanced strsep test by Darren Tucker + +20021015 + - (tim) [contrib/caldera/openssh.spec] make ssh-agent setgid nobody + +20021004 + - (bal) Disable post-authentication Privsep for OSF/1. It conflicts with + SIA. + 20021003 - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2002/10/01 20:34:12 @@ -7,7 +508,7 @@ [version.h] OpenSSH 3.5 - (djm) Bump RPM spec version numbers - - (djm) Bug #406 s/msg_send/ssh_msh_send/ for Mac OS X 1.2 + - (djm) Bug #406: s/msg_send/ssh_msg_send/ for Mac OS X 1.2 20020930 - (djm) Tidy contrib/, add Makefile for GNOME passphrase dialogs, @@ -757,4 +1258,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2491.2.1 2002/10/03 05:45:53 djm Exp $ +$Id: ChangeLog,v 1.2633.2.9 2003/03/26 05:03:05 djm Exp $ diff -ru openssh-3.5p1/Makefile.in openssh-3.6p1/Makefile.in --- openssh-3.5p1/Makefile.in 2002-07-15 03:02:21.000000000 +1000 +++ openssh-3.6p1/Makefile.in 2003-03-21 11:51:35.000000000 +1100 @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.222 2002/07/14 17:02:21 tim Exp $ +# $Id: Makefile.in,v 1.227.2.1 2003/03/21 00:51:35 mouring Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -27,6 +27,7 @@ RAND_HELPER=$(libexecdir)/ssh-rand-helper PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ +STRIP_OPT=@STRIP_OPT@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \ -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \ @@ -48,6 +49,7 @@ RANLIB=@RANLIB@ INSTALL=@INSTALL@ PERL=@PERL@ +SED=@SED@ ENT=@ENT@ XAUTH_PATH=@XAUTH_PATH@ LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ 
@@ -56,15 +58,30 @@ INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@ -@NO_SFTP@SFTP_PROGS=sftp-server$(EXEEXT) sftp$(EXEEXT) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} $(SFTP_PROGS) - -LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o dh.o dispatch.o fatal.o mac.o msg.o hostfile.o key.o kex.o kexdh.o kexgex.o log.o match.o misc.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o scard.o scard-opensc.o ssh-dss.o ssh-rsa.o tildexpand.o ttymodes.o uidswap.o uuencode.o xmalloc.o monitor_wrap.o monitor_fdpass.o - -SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o - -SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o +LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \ + cipher.o compat.o compress.o crc32.o deattack.o fatal.o \ + hostfile.o log.o match.o mpaux.o nchan.o packet.o readpass.o \ + rsa.o tildexpand.o ttymodes.o xmalloc.o atomicio.o \ + key.o dispatch.o kex.o mac.o uuencode.o misc.o \ + rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \ + kexdhc.o kexgexc.o scard.o msg.o progressmeter.o \ + entropy.o + +SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ + sshconnect.o 
sshconnect1.o sshconnect2.o + +SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ + sshpty.o sshlogin.o servconf.o serverloop.o uidswap.o \ + auth.o auth1.o auth2.o auth-options.o session.o \ + auth-chall.o auth2-chall.o groupaccess.o \ + auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ + auth2-none.o auth2-passwd.o auth2-pubkey.o \ + monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \ + kexdhs.o kexgexs.o \ + auth-krb5.o auth-krb4.o \ + loginrec.o auth-pam.o auth2-pam.o auth-sia.o md5crypt.o MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5 
@@ -74,23 +91,23 @@ CONFIGFILES_IN=sshd_config ssh_config moduli PATHSUBS = \ - -D/etc/ssh/ssh_prng_cmds=$(sysconfdir)/ssh_prng_cmds \ - -D/etc/ssh/ssh_config=$(sysconfdir)/ssh_config \ - -D/etc/ssh/ssh_known_hosts=$(sysconfdir)/ssh_known_hosts \ - -D/etc/ssh/sshd_config=$(sysconfdir)/sshd_config \ - -D/usr/libexec=$(libexecdir) \ - -D/etc/shosts.equiv=$(sysconfdir)/shosts.equiv \ - -D/etc/ssh/ssh_host_key=$(sysconfdir)/ssh_host_key \ - -D/etc/ssh/ssh_host_dsa_key=$(sysconfdir)/ssh_host_dsa_key \ - -D/etc/ssh/ssh_host_rsa_key=$(sysconfdir)/ssh_host_rsa_key \ - -D/var/run/sshd.pid=$(piddir)/sshd.pid \ - -D/etc/ssh/moduli=$(sysconfdir)/moduli \ - -D/etc/ssh/sshrc=$(sysconfdir)/sshrc \ - -D/usr/X11R6/bin/xauth=$(XAUTH_PATH) \ - -D/var/empty=$(PRIVSEP_PATH) \ - -D/usr/bin:/bin:/usr/sbin:/sbin=@user_path@ + -e 's|/etc/ssh/ssh_prng_cmds|$(sysconfdir)/ssh_prng_cmds|g' \ + -e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \ + -e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \ + -e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \ + -e 's|/usr/libexec|$(libexecdir)|g' \ + -e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \ + -e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \ + -e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \ + -e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \ + -e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \ + -e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \ + -e 's|/etc/sshrc|$(sysconfdir)/sshrc|g' \ + -e 's|/usr/X11R6/bin/xauth|$(XAUTH_PATH)|g' \ + -e 's|/var/empty|$(PRIVSEP_PATH)|g' \ + -e 's|/usr/bin:/bin:/usr/sbin:/sbin|@user_path@|g' -FIXPATHSCMD = $(PERL) $(srcdir)/fixpaths $(PATHSUBS) +FIXPATHSCMD = $(SED) $(PATHSUBS) all: $(CONFIGFILES) $(MANPAGES) $(TARGETS) 
@@ -116,8 +133,8 @@ sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) -scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o - $(LD) -o $@ scp.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o + $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) @@ -137,8 +154,8 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o $(LD) -o $@ sftp-server.o sftp-common.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-int.o sftp-common.o sftp-glob.o - $(LD) -o $@ sftp.o sftp-client.o sftp-common.o sftp-int.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-int.o sftp-common.o sftp-glob.o progressmeter.o + $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-int.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
@@ -217,19 +234,19 @@ $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8 $(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir) (umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH)) - $(INSTALL) -m 0755 -s ssh $(DESTDIR)$(bindir)/ssh - $(INSTALL) -m 0755 -s scp $(DESTDIR)$(bindir)/scp - $(INSTALL) -m 0755 -s ssh-add $(DESTDIR)$(bindir)/ssh-add - $(INSTALL) -m 0755 -s ssh-agent $(DESTDIR)$(bindir)/ssh-agent - $(INSTALL) -m 0755 -s ssh-keygen $(DESTDIR)$(bindir)/ssh-keygen - $(INSTALL) -m 0755 -s ssh-keyscan $(DESTDIR)$(bindir)/ssh-keyscan - $(INSTALL) -m 0755 -s sshd $(DESTDIR)$(sbindir)/sshd + $(INSTALL) -m 0755 $(STRIP_OPT) ssh $(DESTDIR)$(bindir)/ssh + $(INSTALL) -m 0755 $(STRIP_OPT) scp $(DESTDIR)$(bindir)/scp + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-add $(DESTDIR)$(bindir)/ssh-add + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent $(DESTDIR)$(bindir)/ssh-agent + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen $(DESTDIR)$(bindir)/ssh-keygen + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan $(DESTDIR)$(bindir)/ssh-keyscan + $(INSTALL) -m 0755 $(STRIP_OPT) sshd $(DESTDIR)$(sbindir)/sshd if test ! -z "$(INSTALL_SSH_RAND_HELPER)" ; then \ - $(INSTALL) -m 0755 -s ssh-rand-helper $(DESTDIR)$(libexecdir)/ssh-rand-helper ; \ + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-rand-helper $(DESTDIR)$(libexecdir)/ssh-rand-helper ; \ fi - $(INSTALL) -m 4711 -s ssh-keysign $(DESTDIR)$(SSH_KEYSIGN) - @NO_SFTP@$(INSTALL) -m 0755 -s sftp $(DESTDIR)$(bindir)/sftp - @NO_SFTP@$(INSTALL) -m 0755 -s sftp-server $(DESTDIR)$(SFTP_SERVER) + $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign $(DESTDIR)$(SSH_KEYSIGN) + $(INSTALL) -m 0755 $(STRIP_OPT) sftp $(DESTDIR)$(bindir)/sftp + $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server $(DESTDIR)$(SFTP_SERVER) $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 
@@ -242,8 +259,8 @@ if [ ! -z "$(INSTALL_SSH_RAND_HELPER)" ]; then \ $(INSTALL) -m 644 ssh-rand-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8 ; \ fi - @NO_SFTP@$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 - @NO_SFTP@$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 + $(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 + $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(bindir)/slogin ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin diff -ru openssh-3.5p1/README openssh-3.6p1/README --- openssh-3.5p1/README 2001-12-24 14:17:21.000000000 +1100 +++ openssh-3.6p1/README 2003-01-08 23:28:40.000000000 +1100 @@ -15,8 +15,8 @@ This port consists of the re-introduction of autoconf support, PAM support (for Linux and Solaris), EGD[1]/PRNGD[2] support and replacements for OpenBSD library functions that are (regrettably) absent from other -unices. This port has been best tested on Linux, Solaris, HP-UX, NetBSD -and Irix. Support for AIX, SCO, NeXT and other Unices is underway. +unices. This port has been best tested on Linux, Solaris, HP-UX, NetBSD, +Irix and AIX. Support for SCO, NeXT and other Unices is underway. This version actively tracks changes in the OpenBSD CVS repository. The PAM support is now more functional than the popular packages of @@ -63,4 +63,4 @@ [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 [7] http://www.openssh.com/faq.html -$Id: README,v 1.50 2001/12/24 03:17:21 djm Exp $ +$Id: README,v 1.51 2003/01/08 12:28:40 djm Exp $ diff -ru openssh-3.5p1/README.privsep openssh-3.6p1/README.privsep --- openssh-3.5p1/README.privsep 2002-06-26 10:43:57.000000000 +1000 +++ openssh-3.6p1/README.privsep 2003-03-21 12:15:18.000000000 +1100 
@@ -43,6 +43,10 @@ configuration. PAMAuthenticationViaKbdInt does not function with privsep. +On Compaq Tru64 Unix, only the pre-authentication part of privsep is +supported. Post-authentication privsep is disabled automatically (so +you won't see the additional process mentioned below). + Note that for a normal interactive login with a shell, enabling privsep will require 1 additional process per login session. @@ -58,4 +62,4 @@ process 6917 is the privileged monitor process, 6919 is the user owned sshd process and 6921 is the shell process. -$Id: README.privsep,v 1.10 2002/06/26 00:43:57 stevesk Exp $ +$Id: README.privsep,v 1.10.6.1 2003/03/21 01:15:18 mouring Exp $ diff -ru openssh-3.5p1/TODO openssh-3.6p1/TODO --- openssh-3.5p1/TODO 2002-09-05 16:32:03.000000000 +1000 +++ openssh-3.6p1/TODO 2003-01-13 10:00:34.000000000 +1100 @@ -13,7 +13,7 @@ - Write a test program that calls stat() to search for EGD/PRNGd socket rather than use the (non-portable) "test -S". -- Replacement for setproctitle() - HP-UX support only currently +- More platforms for for setproctitle() emulation (testing needed) - Handle changing passwords for the non-PAM expired password case @@ -101,6 +101,7 @@ (vinschen@redhat.com) - Replace the whole u_intXX_t evilness in acconfig.h with something better??? + - Do it in configure.ac - Consider splitting the u_intXX_t test for sys/bitype.h into seperate test to allow people to (right/wrongfully) link against Bind directly. @@ -133,4 +134,4 @@ - Cygwin + Privsep for Pre-auth only (no fd passing) -$Id: TODO,v 1.51 2002/09/05 06:32:03 djm Exp $ +$Id: TODO,v 1.53 2003/01/12 23:00:34 djm Exp $ diff -ru openssh-3.5p1/acconfig.h openssh-3.6p1/acconfig.h --- openssh-3.5p1/acconfig.h 2002-09-26 10:38:48.000000000 +1000 +++ openssh-3.6p1/acconfig.h 2003-03-10 11:38:10.000000000 +1100 @@ -1,4 +1,4 @@ -/* $Id: acconfig.h,v 1.145 2002/09/26 00:38:48 tim Exp $ */ +/* $Id: acconfig.h,v 1.149 2003/03/10 00:38:10 djm Exp $ */ #ifndef _CONFIG_H #define _CONFIG_H 
@@ -364,6 +364,19 @@ /* Define if your platform needs to skip post auth file descriptor passing */ #undef DISABLE_FD_PASSING +/* Silly mkstemp() */ +#undef HAVE_STRICT_MKSTEMP + +/* Setproctitle emulation */ +#undef SETPROCTITLE_STRATEGY +#undef SETPROCTITLE_PS_PADDING + +/* Some systems put this outside of libc */ +#undef HAVE_NANOSLEEP + +/* Pushing STREAMS modules incorrectly acquires a controlling TTY */ +#undef STREAMS_PUSH_ACQUIRES_CTTY + @BOTTOM@ /* ******************* Shouldn't need to edit below this line ************** */ diff -ru openssh-3.5p1/auth-krb4.c openssh-3.6p1/auth-krb4.c --- openssh-3.5p1/auth-krb4.c 2002-09-27 13:26:00.000000000 +1000 +++ openssh-3.6p1/auth-krb4.c 2003-02-24 12:05:19.000000000 +1100 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-krb4.c,v 1.28 2002/09/26 11:38:43 markus Exp $"); +RCSID("$OpenBSD: auth-krb4.c,v 1.29 2003/02/21 10:34:48 mpech Exp $"); #include "ssh.h" #include "ssh1.h" @@ -271,7 +271,7 @@ reply->length = r; /* Clear session key. */ - memset(&adat.session, 0, sizeof(&adat.session)); + memset(&adat.session, 0, sizeof(adat.session)); return (1); } #endif /* KRB4 */ diff -ru openssh-3.5p1/auth-krb5.c openssh-3.6p1/auth-krb5.c --- openssh-3.5p1/auth-krb5.c 2002-09-12 09:47:30.000000000 +1000 +++ openssh-3.6p1/auth-krb5.c 2002-12-23 13:06:20.000000000 +1100 @@ -28,7 +28,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-krb5.c,v 1.9 2002/09/09 06:48:06 itojun Exp $"); +RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $"); #include "ssh.h" #include "ssh1.h" @@ -107,7 +107,7 @@ if (problem) goto err; - problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL , + problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL, KRB5_NT_SRV_HST, &server); if (problem) goto err; diff -ru openssh-3.5p1/auth-pam.c openssh-3.6p1/auth-pam.c --- openssh-3.5p1/auth-pam.c 2002-07-29 06:24:08.000000000 +1000 +++ openssh-3.6p1/auth-pam.c 2003-01-22 15:42:26.000000000 +1100 
@@ -38,7 +38,7 @@ extern int use_privsep; -RCSID("$Id: auth-pam.c,v 1.54 2002/07/28 20:24:08 stevesk Exp $"); +RCSID("$Id: auth-pam.c,v 1.55 2003/01/22 04:42:26 djm Exp $"); #define NEW_AUTHTOK_MSG \ "Warning: Your password has expired, please change it now." @@ -210,14 +210,6 @@ do_pam_set_conv(&conv); - /* deny if no user. */ - if (pw == NULL) - return 0; - if (pw->pw_uid == 0 && options.permit_root_login == PERMIT_NO_PASSWD) - return 0; - if (*password == '\0' && options.permit_empty_passwd == 0) - return 0; - __pampasswd = password; pamstate = INITIAL_LOGIN; diff -ru openssh-3.5p1/auth-passwd.c openssh-3.6p1/auth-passwd.c --- openssh-3.5p1/auth-passwd.c 2002-09-26 09:14:16.000000000 +1000 +++ openssh-3.6p1/auth-passwd.c 2003-01-30 10:20:57.000000000 +1100 
@@ -92,33 +92,26 @@ int auth_password(Authctxt *authctxt, const char *password) { -#if defined(USE_PAM) - if (*password == '\0' && options.permit_empty_passwd == 0) - return 0; - return auth_pam_password(authctxt, password); -#elif defined(HAVE_OSF_SIA) - if (*password == '\0' && options.permit_empty_passwd == 0) - return 0; - return auth_sia_password(authctxt, password); -#else struct passwd * pw = authctxt->pw; +#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) char *encrypted_password; char *pw_password; char *salt; -#if defined(__hpux) || defined(HAVE_SECUREWARE) +# if defined(__hpux) || defined(HAVE_SECUREWARE) struct pr_passwd *spw; -#endif /* __hpux || HAVE_SECUREWARE */ -#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) +# endif /* __hpux || HAVE_SECUREWARE */ +# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) struct spwd *spw; -#endif -#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) +# endif +# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) struct passwd_adjunct *spw; -#endif -#ifdef WITH_AIXAUTHENTICATE +# endif +# ifdef WITH_AIXAUTHENTICATE char *authmsg; int authsuccess; int reenter = 1; -#endif +# endif +#endif /* !defined(USE_PAM) && !defined(HAVE_OSF_SIA) */ /* deny if no user. */ if (pw == NULL) @@ -129,15 +122,21 @@ #endif if (*password == '\0' && options.permit_empty_passwd == 0) return 0; -#ifdef KRB5 + +#if defined(USE_PAM) + return auth_pam_password(authctxt, password); +#elif defined(HAVE_OSF_SIA) + return auth_sia_password(authctxt, password); +#else +# ifdef KRB5 if (options.kerberos_authentication == 1) { int ret = auth_krb5_password(authctxt, password); if (ret == 1 || ret == 0) return ret; /* Fall back to ordinary passwd authentication. */ } -#endif -#ifdef HAVE_CYGWIN +# endif +# ifdef HAVE_CYGWIN if (is_winnt) { HANDLE hToken = cygwin_logon_user(pw, password); 
@@ -146,8 +145,8 @@ cygwin_set_impersonation_token(hToken); return 1; } -#endif -#ifdef WITH_AIXAUTHENTICATE +# endif +# ifdef WITH_AIXAUTHENTICATE authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); if (authsuccess) 
@@ -158,47 +157,47 @@ aixloginmsg = NULL; return(authsuccess); -#endif -#ifdef KRB4 +# endif +# ifdef KRB4 if (options.kerberos_authentication == 1) { int ret = auth_krb4_password(authctxt, password); if (ret == 1 || ret == 0) return ret; /* Fall back to ordinary passwd authentication. */ } -#endif -#ifdef BSD_AUTH +# endif +# ifdef BSD_AUTH if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh", (char *)password) == 0) return 0; else return 1; -#endif +# endif pw_password = pw->pw_passwd; /* * Various interfaces to shadow or protected password data */ -#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) +# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) spw = getspnam(pw->pw_name); if (spw != NULL) pw_password = spw->sp_pwdp; -#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ +# endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ -#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) +# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL) pw_password = spw->pwa_passwd; -#endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */ +# endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */ -#ifdef HAVE_SECUREWARE +# ifdef HAVE_SECUREWARE if ((spw = getprpwnam(pw->pw_name)) != NULL) pw_password = spw->ufld.fd_encrypt; -#endif /* HAVE_SECUREWARE */ +# endif /* HAVE_SECUREWARE */ -#if defined(__hpux) && !defined(HAVE_SECUREWARE) +# if defined(__hpux) && !defined(HAVE_SECUREWARE) if (iscomsec() && (spw = getprpwnam(pw->pw_name)) != NULL) pw_password = spw->ufld.fd_encrypt; -#endif /* defined(__hpux) && !defined(HAVE_SECUREWARE) */ +# endif /* defined(__hpux) && !defined(HAVE_SECUREWARE) */ /* Check for users with no password. */ if ((password[0] == '\0') && (pw_password[0] == '\0')) 
@@ -209,25 +208,25 @@ else salt = "xx"; -#ifdef HAVE_MD5_PASSWORDS +# ifdef HAVE_MD5_PASSWORDS if (is_md5_salt(salt)) encrypted_password = md5_crypt(password, salt); else encrypted_password = crypt(password, salt); -#else /* HAVE_MD5_PASSWORDS */ -# if defined(__hpux) && !defined(HAVE_SECUREWARE) +# else /* HAVE_MD5_PASSWORDS */ +# if defined(__hpux) && !defined(HAVE_SECUREWARE) if (iscomsec()) encrypted_password = bigcrypt(password, salt); else encrypted_password = crypt(password, salt); -# else -# ifdef HAVE_SECUREWARE - encrypted_password = bigcrypt(password, salt); # else +# ifdef HAVE_SECUREWARE + encrypted_password = bigcrypt(password, salt); +# else encrypted_password = crypt(password, salt); -# endif /* HAVE_SECUREWARE */ -# endif /* __hpux && !defined(HAVE_SECUREWARE) */ -#endif /* HAVE_MD5_PASSWORDS */ +# endif /* HAVE_SECUREWARE */ +# endif /* __hpux && !defined(HAVE_SECUREWARE) */ +# endif /* HAVE_MD5_PASSWORDS */ /* Authentication is accepted if the encrypted passwords are identical. */ return (strcmp(encrypted_password, pw_password) == 0); diff -ru openssh-3.5p1/auth-sia.c openssh-3.6p1/auth-sia.c --- openssh-3.5p1/auth-sia.c 2002-04-13 01:36:08.000000000 +1000 +++ openssh-3.6p1/auth-sia.c 2003-03-21 12:15:18.000000000 +1100 
@@ -45,27 +45,25 @@ extern int saved_argc; extern char **saved_argv; -extern int errno; - int auth_sia_password(Authctxt *authctxt, char *pass) { int ret; SIAENTITY *ent = NULL; const char *host; - char *user = authctxt->user; host = get_canonical_hostname(options.verify_reverse_mapping); - if (!user || !pass || pass[0] == '\0') + if (!authctxt->user || !pass || pass[0] == '\0') return(0); - if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0, - NULL) != SIASUCCESS) + if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user, + NULL, 0, NULL) != SIASUCCESS) return(0); if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { - error("Couldn't authenticate %s from %s", user, host); + error("Couldn't authenticate %s from %s", authctxt->user, + host); if (ret & SIASTOP) sia_ses_release(&ent); return(0); 
@@ -77,48 +75,35 @@ } void -session_setup_sia(char *user, char *tty) +session_setup_sia(struct passwd *pw, char *tty) { - struct passwd *pw; SIAENTITY *ent = NULL; const char *host; - host = get_canonical_hostname (options.verify_reverse_mapping); + host = get_canonical_hostname(options.verify_reverse_mapping); - if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, - NULL) != SIASUCCESS) { + if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name, tty, + 0, NULL) != SIASUCCESS) fatal("sia_ses_init failed"); - } - if ((pw = getpwnam(user)) == NULL) { - sia_ses_release(&ent); - fatal("getpwnam: no user: %s", user); - } if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) { sia_ses_release(&ent); fatal("sia_make_entity_pwd failed"); } ent->authtype = SIA_A_NONE; - if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) { - fatal("Couldn't establish session for %s from %s", user, - host); - } - - if (setpriority(PRIO_PROCESS, 0, 0) == -1) { - sia_ses_release(&ent); - fatal("setpriority: %s", strerror (errno)); - } + if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) + fatal("Couldn't establish session for %s from %s", + pw->pw_name, host); - if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) { - fatal("Couldn't launch session for %s from %s", user, host); - } + if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) + fatal("Couldn't launch session for %s from %s", pw->pw_name, + host); sia_ses_release(&ent); - if (setreuid(geteuid(), geteuid()) < 0) { + if (setreuid(geteuid(), geteuid()) < 0) fatal("setreuid: %s", strerror(errno)); - } } #endif /* HAVE_OSF_SIA */ diff -ru openssh-3.5p1/auth-sia.h openssh-3.6p1/auth-sia.h --- openssh-3.5p1/auth-sia.h 2002-04-13 01:36:08.000000000 +1000 +++ openssh-3.6p1/auth-sia.h 2003-03-21 12:15:18.000000000 +1100 
@@ -27,6 +27,6 @@ #ifdef HAVE_OSF_SIA int auth_sia_password(Authctxt *authctxt, char *pass); -void session_setup_sia(char *user, char *tty); +void session_setup_sia(struct passwd *pw, char *tty); #endif /* HAVE_OSF_SIA */ diff -ru openssh-3.5p1/auth.c openssh-3.6p1/auth.c --- openssh-3.5p1/auth.c 2002-09-22 01:26:53.000000000 +1000 +++ openssh-3.6p1/auth.c 2003-01-18 16:24:06.000000000 +1100 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth.c,v 1.45 2002/09/20 18:41:29 stevesk Exp $"); +RCSID("$OpenBSD: auth.c,v 1.46 2002/11/04 10:07:53 markus Exp $"); #ifdef HAVE_LOGIN_H #include @@ -79,17 +79,20 @@ char *loginmsg; #endif /* WITH_AIXAUTHENTICATE */ #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ - !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) + !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) struct spwd *spw; + time_t today; +#endif /* Shouldn't be called if pw is NULL, but better safe than sorry... */ if (!pw || !pw->pw_name) return 0; +#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ + !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) #define DAY (24L * 60 * 60) /* 1 day in seconds */ - spw = getspnam(pw->pw_name); - if (spw != NULL) { - time_t today = time(NULL) / DAY; + if ((spw = getspnam(pw->pw_name)) != NULL) { + today = time(NULL) / DAY; debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" " sp_max %d", (int)today, (int)spw->sp_expire, (int)spw->sp_lstchg, (int)spw->sp_max); @@ -116,10 +119,6 @@ return 0; } } -#else - /* Shouldn't be called if pw is NULL, but better safe than sorry... */ - if (!pw || !pw->pw_name) - return 0; #endif /* 
@@ -202,7 +201,15 @@ } #ifdef WITH_AIXAUTHENTICATE - if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { + /* + * Don't check loginrestrictions() for root account (use + * PermitRootLogin to control logins via ssh), or if running as + * non-root user (since loginrestrictions will always fail). + */ + if ((pw->pw_uid != 0) && (geteuid() == 0) && + loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { + int loginrestrict_errno = errno; + if (loginmsg && *loginmsg) { /* Remove embedded newlines (if any) */ char *p; @@ -212,9 +219,13 @@ } /* Remove trailing newline */ *--p = '\0'; - log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); + log("Login restricted for %s: %.100s", pw->pw_name, + loginmsg); } - return 0; + /* Don't fail if /etc/nologin set */ + if (!(loginrestrict_errno == EPERM && + stat(_PATH_NOLOGIN, &st) == 0)) + return 0; } #endif /* WITH_AIXAUTHENTICATE */ @@ -417,6 +428,7 @@ uid_t uid = pw->pw_uid; char buf[MAXPATHLEN], homedir[MAXPATHLEN]; char *cp; + int comparehome = 0; struct stat st; if (realpath(file, buf) == NULL) { @@ -424,11 +436,8 @@ strerror(errno)); return -1; } - if (realpath(pw->pw_dir, homedir) == NULL) { - snprintf(err, errlen, "realpath %s failed: %s", pw->pw_dir, - strerror(errno)); - return -1; - } + if (realpath(pw->pw_dir, homedir) != NULL) + comparehome = 1; /* check the open file to avoid races */ if (fstat(fileno(f), &st) < 0 || @@ -457,7 +466,7 @@ } /* If are passed the homedir then we can stop */ - if (strcmp(homedir, buf) == 0) { + if (comparehome && strcmp(homedir, buf) == 0) { debug3("secure_filename: terminating check at '%s'", buf); break; 
@@ -487,6 +496,11 @@ if (pw == NULL) { log("Illegal user %.100s from %.100s", user, get_remote_ipaddr()); +#ifdef WITH_AIXAUTHENTICATE + loginfailed(user, + get_canonical_hostname(options.verify_reverse_mapping), + "ssh"); +#endif return (NULL); } if (!allowed_user(pw)) diff -ru openssh-3.5p1/auth1.c openssh-3.6p1/auth1.c --- openssh-3.5p1/auth1.c 2002-09-27 13:26:01.000000000 +1000 +++ openssh-3.6p1/auth1.c 2003-02-24 11:59:27.000000000 +1100 @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.44 2002/09/26 11:38:43 markus Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.47 2003/02/06 21:22:42 markus Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -150,7 +150,7 @@ snprintf(info, sizeof(info), " tktuser %.100s", client_user); - + /* Send response to client */ packet_start( SSH_SMSG_AUTH_KERBEROS_RESPONSE); @@ -285,7 +285,6 @@ debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE"); if (options.challenge_response_authentication == 1) { char *response = packet_get_string(&dlen); - debug("got response '%s'", response); packet_check_eom(); authenticated = verify_response(authctxt, response); memset(response, 'r', dlen); @@ -329,8 +328,7 @@ } #else /* Special handling for root */ - if (!use_privsep && - authenticated && authctxt->pw->pw_uid == 0 && + if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed(get_authname(type))) authenticated = 0; #endif diff -ru openssh-3.5p1/auth2-pam.c openssh-3.6p1/auth2-pam.c --- openssh-3.5p1/auth2-pam.c 2002-06-29 02:48:12.000000000 +1000 +++ openssh-3.6p1/auth2-pam.c 2003-01-08 12:37:03.000000000 +1100 @@ -1,5 +1,5 @@ #include "includes.h" -RCSID("$Id: auth2-pam.c,v 1.14 2002/06/28 16:48:12 mouring Exp $"); +RCSID("$Id: auth2-pam.c,v 1.15 2003/01/08 01:37:03 djm Exp $"); #ifdef USE_PAM #include 
@@ -154,8 +154,7 @@ resp = packet_get_string(&rlen); context_pam2.responses[j].resp_retcode = PAM_SUCCESS; - context_pam2.responses[j].resp = xstrdup(resp); - xfree(resp); + context_pam2.responses[j].resp = resp; context_pam2.num_received++; } diff -ru openssh-3.5p1/auth2.c openssh-3.6p1/auth2.c --- openssh-3.5p1/auth2.c 2002-09-26 10:38:49.000000000 +1000 +++ openssh-3.6p1/auth2.c 2003-02-24 11:59:27.000000000 +1100 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.95 2002/08/22 21:33:58 markus Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.96 2003/02/06 21:22:43 markus Exp $"); #include "ssh2.h" #include "xmalloc.h" @@ -205,8 +205,7 @@ authctxt->user); /* Special handling for root */ - if (!use_privsep && - authenticated && authctxt->pw->pw_uid == 0 && + if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed(method)) authenticated = 0; diff -ru openssh-3.5p1/authfd.c openssh-3.6p1/authfd.c --- openssh-3.5p1/authfd.c 2002-09-12 09:52:47.000000000 +1000 +++ openssh-3.6p1/authfd.c 2003-01-24 11:36:23.000000000 +1100 @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfd.c,v 1.57 2002/09/11 18:27:26 stevesk Exp $"); +RCSID("$OpenBSD: authfd.c,v 1.58 2003/01/23 13:50:27 markus Exp $"); #include @@ -499,10 +499,10 @@ int ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key, - const char *comment, u_int life) + const char *comment, u_int life, u_int confirm) { Buffer msg; - int type, constrained = (life != 0); + int type, constrained = (life || confirm); buffer_init(&msg); @@ -532,6 +532,8 @@ buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME); buffer_put_int(&msg, life); } + if (confirm != 0) + buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_CONFIRM); } if (ssh_request_reply(auth, &msg, &msg) == 0) { buffer_free(&msg); 
@@ -545,7 +547,7 @@ int ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment) { - return ssh_add_identity_constrained(auth, key, comment, 0); + return ssh_add_identity_constrained(auth, key, comment, 0, 0); } /* diff -ru openssh-3.5p1/authfd.h openssh-3.6p1/authfd.h --- openssh-3.5p1/authfd.h 2002-09-12 09:52:47.000000000 +1000 +++ openssh-3.6p1/authfd.h 2003-01-24 11:36:23.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.h,v 1.31 2002/09/11 18:27:25 stevesk Exp $ */ +/* $OpenBSD: authfd.h,v 1.32 2003/01/23 13:50:27 markus Exp $ */ /* * Author: Tatu Ylonen @@ -51,6 +51,7 @@ #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25 #define SSH_AGENT_CONSTRAIN_LIFETIME 1 +#define SSH_AGENT_CONSTRAIN_CONFIRM 2 /* extended failure messages */ #define SSH2_AGENT_FAILURE 30 @@ -76,7 +77,8 @@ Key *ssh_get_first_identity(AuthenticationConnection *, char **, int); Key *ssh_get_next_identity(AuthenticationConnection *, char **, int); int ssh_add_identity(AuthenticationConnection *, Key *, const char *); -int ssh_add_identity_constrained(AuthenticationConnection *, Key *, const char *, u_int); +int ssh_add_identity_constrained(AuthenticationConnection *, Key *, + const char *, u_int, u_int); int ssh_remove_identity(AuthenticationConnection *, Key *); int ssh_remove_all_identities(AuthenticationConnection *, int); int ssh_lock_agent(AuthenticationConnection *, int, const char *); diff -ru openssh-3.5p1/authfile.c openssh-3.6p1/authfile.c --- openssh-3.5p1/authfile.c 2002-06-26 09:19:13.000000000 +1000 +++ openssh-3.6p1/authfile.c 2003-03-15 11:36:18.000000000 +1100 @@ -36,7 +36,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfile.c,v 1.50 2002/06/24 14:55:38 markus Exp $"); +RCSID("$OpenBSD: authfile.c,v 1.52 2003/03/13 11:42:18 markus Exp $"); #include #include 
@@ -232,12 +232,17 @@ { Buffer buffer; Key *pub; + struct stat st; char *cp; int i; off_t len; - len = lseek(fd, (off_t) 0, SEEK_END); - lseek(fd, (off_t) 0, SEEK_SET); + if (fstat(fd, &st) < 0) { + error("fstat for key file %.200s failed: %.100s", + filename, strerror(errno)); + return NULL; + } + len = st.st_size; buffer_init(&buffer); cp = buffer_append_space(&buffer, len); @@ -318,9 +323,15 @@ CipherContext ciphercontext; Cipher *cipher; Key *prv = NULL; + struct stat st; - len = lseek(fd, (off_t) 0, SEEK_END); - lseek(fd, (off_t) 0, SEEK_SET); + if (fstat(fd, &st) < 0) { + error("fstat for key file %.200s failed: %.100s", + filename, strerror(errno)); + close(fd); + return NULL; + } + len = st.st_size; buffer_init(&buffer); cp = buffer_append_space(&buffer, len); @@ -410,6 +421,12 @@ rsa_generate_additional_parameters(prv->rsa); buffer_free(&decrypted); + + /* enable blinding */ + if (RSA_blinding_on(prv->rsa, NULL) != 1) { + error("key_load_private_rsa1: RSA_blinding_on failed"); + goto fail; + } close(fd); return prv; @@ -449,6 +466,11 @@ #ifdef DEBUG_PK RSA_print_fp(stderr, prv->rsa, 8); #endif + if (RSA_blinding_on(prv->rsa, NULL) != 1) { + error("key_load_private_pem: RSA_blinding_on failed"); + key_free(prv); + prv = NULL; + } } else if (pk->type == EVP_PKEY_DSA && (type == KEY_UNSPEC||type==KEY_DSA)) { prv = key_new(KEY_UNSPEC); diff -ru openssh-3.5p1/autom4te-2.53.cache/output.0 openssh-3.6p1/autom4te-2.53.cache/output.0 --- openssh-3.5p1/autom4te-2.53.cache/output.0 2002-10-04 11:31:54.000000000 +1000 +++ openssh-3.6p1/autom4te-2.53.cache/output.0 2003-03-26 16:12:33.000000000 +1100 
@@ -827,6 +827,7 @@ --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --disable-largefile omit support for large files + --disable-strip Disable calling strip(1) on install --disable-lastlog disable use of lastlog even if detected no --disable-utmp disable use of utmp even if detected no --disable-utmpx disable use of utmpx even if detected no @@ -2719,6 +2720,45 @@ test -n "$PERL" && break done +# Extract the first word of "sed", so it can be a program name with args. +set dummy sed; ac_word=$2 +echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 +if test "${ac_cv_path_SED+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + case $SED in + [\\/]* | ?:[\\/]*) + ac_cv_path_SED="$SED" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_SED="$as_dir/$ac_word$ac_exec_ext" + echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done + + ;; +esac +fi +SED=$ac_cv_path_SED + +if test -n "$SED"; then + echo "$as_me:$LINENO: result: $SED" >&5 +echo "${ECHO_T}$SED" >&6 +else + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 +fi + # Extract the first word of "ent", so it can be a program name with args. set dummy ent; ac_word=$2 @@ -3660,8 +3700,17 @@ @%:@define LOGIN_NEEDS_UTMPX 1 _ACEOF + cat >>confdefs.h <<\_ACEOF +@%:@define SETPROCTITLE_STRATEGY PS_USE_CLOBBER_ARGV +_ACEOF + + cat >>confdefs.h <<\_ACEOF +@%:@define SETPROCTITLE_PS_PADDING '\0' +_ACEOF + ;; *-*-cygwin*) + check_for_libcrypt_later=1 LIBS="$LIBS /usr/lib/textmode.o" cat >>confdefs.h <<\_ACEOF @%:@define HAVE_CYGWIN 1 
@@ -3782,7 +3831,7 @@ _ACEOF cat >>confdefs.h <<\_ACEOF -@%:@define SPT_TYPE SPT_PSTAT +@%:@define SETPROCTITLE_STRATEGY PS_USE_PSTAT _ACEOF LIBS="$LIBS -lsec -lsecpw" @@ -3884,7 +3933,7 @@ _ACEOF cat >>confdefs.h <<\_ACEOF -@%:@define SPT_TYPE SPT_PSTAT +@%:@define SETPROCTITLE_STRATEGY PS_USE_PSTAT _ACEOF LIBS="$LIBS -lsec" @@ -3986,7 +4035,7 @@ _ACEOF cat >>confdefs.h <<\_ACEOF -@%:@define SPT_TYPE SPT_PSTAT +@%:@define SETPROCTITLE_STRATEGY PS_USE_PSTAT _ACEOF LIBS="$LIBS -lsec" @@ -4180,6 +4229,14 @@ @%:@define PAM_TTY_KLUDGE 1 _ACEOF + cat >>confdefs.h <<\_ACEOF +@%:@define SETPROCTITLE_STRATEGY PS_USE_CLOBBER_ARGV +_ACEOF + + cat >>confdefs.h <<\_ACEOF +@%:@define SETPROCTITLE_PS_PADDING '\0' +_ACEOF + inet6_default_4in6=yes ;; mips-sony-bsd|mips-sony-newsos4) @@ -4240,6 +4297,10 @@ @%:@define PAM_TTY_KLUDGE 1 _ACEOF + cat >>confdefs.h <<\_ACEOF +@%:@define STREAMS_PUSH_ACQUIRES_CTTY 1 +_ACEOF + # hardwire lastlog location (can't detect it on some versions) conf_lastlog_location="/var/adm/lastlog" echo "$as_me:$LINENO: checking for obsolete utmp and wtmp in solaris2.x" >&5 @@ -4504,6 +4565,9 @@ do_sco3_extra_lib_check=yes ;; *-*-sco3.2v5*) + if test -z "$GCC"; then + CFLAGS="$CFLAGS -belf" + fi CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" LIBS="$LIBS -lprot -lx -ltinfo -lm" @@ -4604,8 +4668,6 @@ MANTYPE=man ;; *-*-unicosmk*) - no_libsocket=1 - no_libnsl=1 cat >>confdefs.h <<\_ACEOF @%:@define USE_PIPES 1 _ACEOF @@ -4619,8 +4681,6 @@ MANTYPE=cat ;; *-*-unicos*) - no_libsocket=1 - no_libnsl=1 cat >>confdefs.h <<\_ACEOF @%:@define USE_PIPES 1 _ACEOF @@ -4665,12 +4725,20 @@ @%:@define DISABLE_LOGIN 1 _ACEOF + cat >>confdefs.h <<\_ACEOF +@%:@define DISABLE_FD_PASSING 1 +_ACEOF + LIBS="$LIBS -lsecurity -ldb -lm -laud" else echo "$as_me:$LINENO: result: no" >&5 echo "${ECHO_T}no" >&6 fi fi + cat >>confdefs.h <<\_ACEOF +@%:@define DISABLE_FD_PASSING 1 +_ACEOF + ;; *-*-nto-qnx) 
@@ -4984,14 +5052,17 @@ + + + for ac_header in bstring.h crypt.h endian.h floatingpoint.h \ - getopt.h glob.h ia.h lastlog.h limits.h login.h \ + getopt.h glob.h ia.h lastlog.h libgen.h limits.h login.h \ login_cap.h maillock.h netdb.h netgroup.h \ netinet/in_systm.h paths.h pty.h readpassphrase.h \ rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ strings.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \ - sys/mman.h sys/select.h sys/stat.h \ - sys/stropts.h sys/sysmacros.h sys/time.h \ + sys/mman.h sys/pstat.h sys/select.h sys/stat.h \ + sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \ sys/un.h time.h tmpdir.h ttyent.h usersec.h \ util.h utime.h utmp.h utmpx.h do 
@@ -6740,17 +6811,24 @@ -for ac_func in arc4random b64_ntop bcopy bindresvport_sa \ - clock fchmod fchown freeaddrinfo futimes gai_strerror \ - getaddrinfo getcwd getgrouplist getnameinfo getopt getpeereid\ - getrlimit getrusage getttyent glob inet_aton inet_ntoa \ - inet_ntop innetgr login_getcapbool md5_crypt memmove \ - mkdtemp mmap ngetaddrinfo openpty ogetaddrinfo readpassphrase \ - realpath recvmsg rresvport_af sendmsg setdtablesize setegid \ - setenv seteuid setgroups setlogin setproctitle setresgid setreuid \ - setrlimit setsid setpcred setvbuf sigaction sigvec snprintf \ - socketpair strerror strlcat strlcpy strmode strsep sysconf tcgetpgrp \ - truncate utimes vhangup vsnprintf waitpid __b64_ntop _getpty + + + + + +for ac_func in \ + arc4random __b64_ntop b64_ntop __b64_pton b64_pton basename bcopy \ + bindresvport_sa clock fchmod fchown freeaddrinfo futimes \ + gai_strerror getaddrinfo getcwd getgrouplist getnameinfo getopt \ + getpeereid _getpty getrlimit getrusage getttyent glob inet_aton \ + inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \ + mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openpty pstat \ + readpassphrase realpath recvmsg rresvport_af sendmsg setdtablesize \ + setegid setenv seteuid setgroups setlogin setpcred setproctitle \ + setresgid setreuid setrlimit setsid setvbuf sigaction sigvec \ + snprintf socketpair strerror strlcat strlcpy strmode strnvis \ + sysconf tcgetpgrp truncate utimes vhangup vsnprintf waitpid \ + do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` echo "$as_me:$LINENO: checking for $ac_func" >&5 
@@ -6826,6 +6904,246 @@ done +echo "$as_me:$LINENO: checking for library containing nanosleep" >&5 +echo $ECHO_N "checking for library containing nanosleep... $ECHO_C" >&6 +if test "${ac_cv_search_nanosleep+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_func_search_save_LIBS=$LIBS +ac_cv_search_nanosleep=no +cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char nanosleep (); +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +nanosleep (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_search_nanosleep="none required" +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +fi +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext +if test "$ac_cv_search_nanosleep" = no; then + for ac_lib in rt posix4; do + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. 
*/ +char nanosleep (); +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +nanosleep (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_search_nanosleep="-l$ac_lib" +break +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +fi +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext + done +fi +LIBS=$ac_func_search_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_search_nanosleep" >&5 +echo "${ECHO_T}$ac_cv_search_nanosleep" >&6 +if test "$ac_cv_search_nanosleep" != no; then + test "$ac_cv_search_nanosleep" = "none required" || LIBS="$ac_cv_search_nanosleep $LIBS" + cat >>confdefs.h <<\_ACEOF +@%:@define HAVE_NANOSLEEP 1 +_ACEOF + +fi + + +echo "$as_me:$LINENO: checking whether strsep is declared" >&5 +echo $ECHO_N "checking whether strsep is declared... $ECHO_C" >&6 +if test "${ac_cv_have_decl_strsep+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" +$ac_includes_default +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +#ifndef strsep + char *p = (char *) strsep; +#endif + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_have_decl_strsep=yes +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +ac_cv_have_decl_strsep=no +fi +rm -f conftest.$ac_objext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: $ac_cv_have_decl_strsep" >&5 +echo "${ECHO_T}$ac_cv_have_decl_strsep" >&6 +if test $ac_cv_have_decl_strsep = yes; then + +for ac_func in strsep +do +as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` +echo "$as_me:$LINENO: checking for $ac_func" >&5 +echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 +if eval "test \"\${$as_ac_var+set}\" = set"; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. */ +#include +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char $ac_func (); +char (*f) (); + +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +f = $ac_func; +#endif + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + eval "$as_ac_var=yes" +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +eval "$as_ac_var=no" +fi +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 +if test `eval echo '${'$as_ac_var'}'` = yes; then + cat >>confdefs.h <<_ACEOF +@%:@define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + +fi + + for ac_func in dirname do 
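Review bot: The `strsep` function probe is now nested inside `if test $ac_cv_have_decl_strsep = yes; then`, so `HAVE_STRSEP` can never be defined on a system whose libc exports the function but whose headers do not declare it. If skipping the link test in that case is intended, say so in a comment beside the check in configure.ac; as it stands, the only trace of the reason is the ordering of the two probes. The variable in that `test` is also unquoted, which is harmless only as long as the cache variable is always set by the preceding block.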
@@ -7975,6 +8293,65 @@ fi fi +if test "x$ac_cv_func_mkdtemp" = "xyes" ; then +echo "$as_me:$LINENO: checking for (overly) strict mkstemp" >&5 +echo $ECHO_N "checking for (overly) strict mkstemp... $ECHO_C" >&6 +if test "$cross_compiling" = yes; then + + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + cat >>confdefs.h <<\_ACEOF +@%:@define HAVE_STRICT_MKSTEMP 1 +_ACEOF + + + +else + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" + +#include +main() { char template[]="conftest.mkstemp-test"; +if (mkstemp(template) == -1) + exit(1); +unlink(template); exit(0); +} + +_ACEOF +rm -f conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 + +else + echo "$as_me: program exited with status $ac_status" >&5 +echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +( exit $ac_status ) + + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + cat >>confdefs.h <<\_ACEOF +@%:@define HAVE_STRICT_MKSTEMP 1 +_ACEOF + + +fi +rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi +fi + echo "$as_me:$LINENO: checking whether getpgrp requires zero arguments" >&5 echo $ECHO_N "checking whether getpgrp requires zero arguments... $ECHO_C" >&6 if test "${ac_cv_func_getpgrp_void+set}" = set; then 
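Review bot: The guard at the top of this hunk tests `ac_cv_func_mkdtemp`, while the message and the probe are about `mkstemp`; either the guard should test the mkstemp result or configure.ac needs a comment explaining why the presence of mkdtemp decides whether this probe runs. The run test passes the template `conftest.mkstemp-test`, which has no trailing `XXXXXX`, and reports "no" when the call succeeds, so the result reads as inverted unless the reader already knows the probe is checking whether libc rejects such a template; a one-line comment would fix that. The test program declares `main()` with no return type and never closes the descriptor returned by `mkstemp`; `int main(void)` plus a `close` before `unlink` keeps the probe from failing for unrelated reasons under a stricter compiler. Assuming `HAVE_STRICT_MKSTEMP` when cross-compiling is the conservative default and looks right.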
@@ -13128,12 +13505,72 @@ have_struct_timeval=1 fi -# If we don't have int64_t then we can't compile sftp-server. So don't -# even attempt to do it. +echo "$as_me:$LINENO: checking for struct timespec" >&5 +echo $ECHO_N "checking for struct timespec... $ECHO_C" >&6 +if test "${ac_cv_type_struct_timespec+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" +$ac_includes_default +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +if ((struct timespec *) 0) + return 0; +if (sizeof (struct timespec)) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_type_struct_timespec=yes +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +ac_cv_type_struct_timespec=no +fi +rm -f conftest.$ac_objext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: $ac_cv_type_struct_timespec" >&5 +echo "${ECHO_T}$ac_cv_type_struct_timespec" >&6 +if test $ac_cv_type_struct_timespec = yes; then + +cat >>confdefs.h <<_ACEOF +@%:@define HAVE_STRUCT_TIMESPEC 1 +_ACEOF + + +fi + + +# We need int64_t or else certian parts of the compile will fail. if test "x$ac_cv_have_int64_t" = "xno" -a \ "x$ac_cv_sizeof_long_int" != "x8" -a \ "x$ac_cv_sizeof_long_long_int" = "x0" ; then - NO_SFTP='#' + echo "OpenSSH requires int64_t support. Contact your vendor or install" + echo "an alternative compiler (I.E., GCC) before continuing." 
+ echo "" + exit 1; else if test "$cross_compiling" = yes; then { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling" >&5 @@ -13196,7 +13633,6 @@ fi - # look for field 'ut_host' in header 'utmp.h' ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_host @@ -15730,6 +16166,19 @@ fi; +STRIP_OPT=-s +# Check whether --enable-strip or --disable-strip was given. +if test "${enable_strip+set}" = set; then + enableval="$enable_strip" + + if test "x$enableval" = "xno" ; then + STRIP_OPT= + fi + + +fi; + + if test -z "$xauth_path" ; then XAUTH_PATH="undefined" @@ -16056,7 +16505,11 @@ # include #endif #ifndef _PATH_STDPATH -# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" +# ifdef _PATH_USERPATH /* Irix */ +# define _PATH_STDPATH _PATH_USERPATH +# else +# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" +# endif #endif #include #include @@ -17346,6 +17799,7 @@ s,@INSTALL_DATA@,$INSTALL_DATA,;t t s,@AR@,$AR,;t t s,@PERL@,$PERL,;t t +s,@SED@,$SED,;t t s,@ENT@,$ENT,;t t s,@TEST_MINUS_S_SH@,$TEST_MINUS_S_SH,;t t s,@SH@,$SH,;t t @@ -17372,10 +17826,10 @@ s,@PROG_IPCS@,$PROG_IPCS,;t t s,@PROG_TAIL@,$PROG_TAIL,;t t s,@INSTALL_SSH_PRNG_CMDS@,$INSTALL_SSH_PRNG_CMDS,;t t -s,@NO_SFTP@,$NO_SFTP,;t t s,@OPENSC_CONFIG@,$OPENSC_CONFIG,;t t s,@PRIVSEP_PATH@,$PRIVSEP_PATH,;t t s,@xauth_path@,$xauth_path,;t t +s,@STRIP_OPT@,$STRIP_OPT,;t t s,@XAUTH_PATH@,$XAUTH_PATH,;t t s,@NROFF@,$NROFF,;t t s,@MANTYPE@,$MANTYPE,;t t 
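Review bot: In the int64_t hunk (`@@ -13128,12 +13505,72 @@`), the new failure path reports the problem with plain `echo` to stdout and then runs `exit 1;`, whereas the cross-compile error immediately after it writes to both `>&5` and `>&2`; send this message the same way so a failed configure run leaves the reason in config.log and on stderr. The added comment misspells "certain" as "certian". Turning the missing-int64_t case from `NO_SFTP='#'` into a hard stop is consistent with the later hunks that drop the `s,@NO_SFTP@,$NO_SFTP,;t t` substitution, but it changes behaviour for anyone who previously built without sftp-server, so the release notes should state that such platforms no longer configure at all.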
@@ -17895,12 +18349,6 @@ echo "" fi -if test ! -z "$NO_SFTP"; then - echo "sftp-server will be disabled. Your compiler does not " - echo "support 64bit integers." - echo "" -fi - if test ! -z "$RAND_HELPER_CMDHASH" ; then echo "WARNING: you are using the builtin random number collection " echo "service. Please read WARNING.RNG and request that your OS " diff -ru openssh-3.5p1/autom4te-2.53.cache/requests openssh-3.6p1/autom4te-2.53.cache/requests --- openssh-3.5p1/autom4te-2.53.cache/requests 2002-10-04 11:31:57.000000000 +1000 +++ openssh-3.6p1/autom4te-2.53.cache/requests 2003-03-26 16:12:41.000000000 +1100 
@@ -7,89 +7,89 @@ '0', 1, [ - '/usr/share/autoconf-2.53' + '/usr/share/autoconf' ], [ - '--reload-state=/usr/share/autoconf-2.53/autoconf/autoconf.m4f', + '--reload-state=/usr/share/autoconf/autoconf/autoconf.m4f', 'aclocal.m4', 'configure.ac' ], { - 'AC_HEADER_STAT' => 1, - 'AC_FUNC_STRFTIME' => 1, - 'AC_PROG_RANLIB' => 1, - 'AC_FUNC_WAIT3' => 1, - 'AC_FUNC_SETPGRP' => 1, + 'm4_pattern_forbid' => 1, + 'AC_TYPE_OFF_T' => 1, + 'AC_PROG_LIBTOOL' => 1, + 'AC_FUNC_STAT' => 1, 'AC_HEADER_TIME' => 1, - 'AC_FUNC_SETVBUF_REVERSED' => 1, - 'AC_HEADER_SYS_WAIT' => 1, + 'AC_FUNC_WAIT3' => 1, + 'AC_STRUCT_TM' => 1, + 'AC_FUNC_LSTAT' => 1, + 'AC_TYPE_MODE_T' => 1, + 'AC_FUNC_STRTOD' => 1, + 'AC_CHECK_HEADERS' => 1, + 'AC_PROG_CXX' => 1, + 'AC_PATH_X' => 1, + 'AC_PROG_AWK' => 1, + 'AC_HEADER_STDC' => 1, + 'AC_HEADER_MAJOR' => 1, + 'AC_FUNC_ERROR_AT_LINE' => 1, + 'AC_PROG_GCC_TRADITIONAL' => 1, + 'AC_LIBSOURCE' => 1, + 'AC_STRUCT_ST_BLOCKS' => 1, + 'AC_TYPE_SIGNAL' => 1, 'AC_TYPE_UID_T' => 1, - 'AM_CONDITIONAL' => 1, - 'AC_CHECK_LIB' => 1, - 'AC_PROG_LN_S' => 1, - 'AC_FUNC_MEMCMP' => 1, + 'AC_PROG_MAKE_SET' => 1, + 'm4_pattern_allow' => 1, + 'AC_DEFINE_TRACE_LITERAL' => 1, + 'AM_PROG_LIBTOOL' => 1, + 'AC_FUNC_STRERROR_R' => 1, + 'AC_PROG_CC' => 1, + 'AC_DECL_SYS_SIGLIST' => 1, 'AC_FUNC_FORK' => 1, - 'AC_FUNC_GETGROUPS' => 1, - 'AC_HEADER_MAJOR' => 1, - 'AC_FUNC_STRTOD' => 1, - 'AC_HEADER_DIRENT' => 1, - 'AC_FUNC_UTIME_NULL' => 1, - 'AC_CONFIG_FILES' => 1, - 'AC_FUNC_ALLOCA' => 1, - 'AC_C_CONST' => 1, - 'include' => 1, - 'AC_FUNC_OBSTACK' => 1, - 'AC_FUNC_LSTAT' => 1, + 'AC_FUNC_VPRINTF' => 1, + 'AC_FUNC_STRCOLL' => 1, + 'AC_PROG_YACC' => 1, + 'AC_INIT' => 1, 'AC_STRUCT_TIMEZONE' => 1, + 'AC_FUNC_CHOWN' => 1, + 'AC_SUBST' => 1, + 'AC_FUNC_ALLOCA' => 1, 'AC_FUNC_GETPGRP' => 1, - 'AC_DEFINE_TRACE_LITERAL' => 1, - 'AC_CHECK_HEADERS' => 1, - 'AC_TYPE_MODE_T' => 1, + 'AC_PROG_RANLIB' => 1, + 'AC_FUNC_SETPGRP' => 1, + 'AC_CONFIG_SUBDIRS' => 1, + 'AC_FUNC_MMAP' => 1, + 'AC_TYPE_SIZE_T' 
=> 1, 'AC_CHECK_TYPES' => 1, - 'AC_PROG_YACC' => 1, + 'AC_FUNC_UTIME_NULL' => 1, + 'AC_FUNC_STRFTIME' => 1, + 'AC_HEADER_STAT' => 1, + 'AC_C_INLINE' => 1, + 'AC_PROG_CPP' => 1, + 'AC_C_CONST' => 1, + 'AC_PROG_LEX' => 1, 'AC_TYPE_PID_T' => 1, - 'AC_FUNC_STRERROR_R' => 1, - 'AC_STRUCT_ST_BLOCKS' => 1, - 'AC_PROG_GCC_TRADITIONAL' => 1, - 'AC_TYPE_SIGNAL' => 1, - 'AM_PROG_LIBTOOL' => 1, + 'AC_CONFIG_FILES' => 1, + 'include' => 1, + 'AC_FUNC_SETVBUF_REVERSED' => 1, 'AC_FUNC_FNMATCH' => 1, - 'AC_PROG_CPP' => 1, - 'AC_FUNC_STAT' => 1, 'AC_PROG_INSTALL' => 1, 'AM_GNU_GETTEXT' => 1, - 'AC_CONFIG_SUBDIRS' => 1, - 'AC_FUNC_STRCOLL' => 1, - 'AC_LIBSOURCE' => 1, - 'AC_C_INLINE' => 1, - 'AC_FUNC_CHOWN' => 1, - 'AC_INIT' => 1, - 'AC_PROG_LEX' => 1, - 'AH_OUTPUT' => 1, - 'AC_HEADER_STDC' => 1, + 'AC_FUNC_OBSTACK' => 1, + 'AC_CHECK_LIB' => 1, + 'AC_FUNC_MALLOC' => 1, + 'AC_FUNC_GETGROUPS' => 1, 'AC_FUNC_GETLOADAVG' => 1, - 'AC_CHECK_FUNCS' => 1, - 'AC_TYPE_SIZE_T' => 1, - 'AC_DECL_SYS_SIGLIST' => 1, + 'AH_OUTPUT' => 1, + 'AC_FUNC_FSEEKO' => 1, 'AC_FUNC_MKTIME' => 1, - 'AC_PROG_MAKE_SET' => 1, - 'AC_PROG_CXX' => 1, - 'm4_pattern_allow' => 1, - 'm4_include' => 1, - 'm4_pattern_forbid' => 1, - 'AC_PROG_AWK' => 1, - 'AC_FUNC_VPRINTF' => 1, + 'AM_CONDITIONAL' => 1, 'AC_CONFIG_HEADERS' => 1, - 'AC_PATH_X' => 1, - 'AC_TYPE_OFF_T' => 1, - 'AC_FUNC_MALLOC' => 1, - 'AC_FUNC_ERROR_AT_LINE' => 1, - 'AC_FUNC_FSEEKO' => 1, - 'AC_FUNC_MMAP' => 1, - 'AC_STRUCT_TM' => 1, - 'AC_SUBST' => 1, - 'AC_PROG_LIBTOOL' => 1, - 'AC_PROG_CC' => 1 + 'AC_HEADER_SYS_WAIT' => 1, + 'AC_PROG_LN_S' => 1, + 'AC_FUNC_MEMCMP' => 1, + 'm4_include' => 1, + 'AC_HEADER_DIRENT' => 1, + 'AC_CHECK_FUNCS' => 1 } ], 'Request' ) ); diff -ru openssh-3.5p1/autom4te-2.53.cache/traces.0 openssh-3.6p1/autom4te-2.53.cache/traces.0 --- openssh-3.5p1/autom4te-2.53.cache/traces.0 2002-10-04 11:31:54.000000000 +1000 +++ openssh-3.6p1/autom4te-2.53.cache/traces.0 2003-03-26 16:12:33.000000000 +1100 
@@ -91,462 +91,492 @@ m4trace:configure.ac:14: -1- AC_SUBST([INSTALL_DATA]) m4trace:configure.ac:15: -1- AC_SUBST([AR], [$ac_cv_path_AR]) m4trace:configure.ac:16: -1- AC_SUBST([PERL], [$ac_cv_path_PERL]) -m4trace:configure.ac:17: -1- AC_SUBST([PERL]) -m4trace:configure.ac:18: -1- AC_SUBST([ENT], [$ac_cv_path_ENT]) -m4trace:configure.ac:19: -1- AC_SUBST([ENT]) -m4trace:configure.ac:20: -1- AC_SUBST([TEST_MINUS_S_SH], [$ac_cv_path_TEST_MINUS_S_SH]) +m4trace:configure.ac:17: -1- AC_SUBST([SED], [$ac_cv_path_SED]) +m4trace:configure.ac:18: -1- AC_SUBST([PERL]) +m4trace:configure.ac:19: -1- AC_SUBST([ENT], [$ac_cv_path_ENT]) +m4trace:configure.ac:20: -1- AC_SUBST([ENT]) m4trace:configure.ac:21: -1- AC_SUBST([TEST_MINUS_S_SH], [$ac_cv_path_TEST_MINUS_S_SH]) m4trace:configure.ac:22: -1- AC_SUBST([TEST_MINUS_S_SH], [$ac_cv_path_TEST_MINUS_S_SH]) -m4trace:configure.ac:23: -1- AC_SUBST([SH], [$ac_cv_path_SH]) -m4trace:configure.ac:26: -1- AC_DEFINE_TRACE_LITERAL([_FILE_OFFSET_BITS]) -m4trace:configure.ac:26: -1- AH_OUTPUT([_FILE_OFFSET_BITS], [/* Number of bits in a file offset, on hosts where this is settable. */ +m4trace:configure.ac:23: -1- AC_SUBST([TEST_MINUS_S_SH], [$ac_cv_path_TEST_MINUS_S_SH]) +m4trace:configure.ac:24: -1- AC_SUBST([SH], [$ac_cv_path_SH]) +m4trace:configure.ac:27: -1- AC_DEFINE_TRACE_LITERAL([_FILE_OFFSET_BITS]) +m4trace:configure.ac:27: -1- AH_OUTPUT([_FILE_OFFSET_BITS], [/* Number of bits in a file offset, on hosts where this is settable. */ #undef _FILE_OFFSET_BITS]) -m4trace:configure.ac:26: -1- AC_DEFINE_TRACE_LITERAL([_LARGE_FILES]) -m4trace:configure.ac:26: -1- AH_OUTPUT([_LARGE_FILES], [/* Define for large files, on AIX-style hosts. */ +m4trace:configure.ac:27: -1- AC_DEFINE_TRACE_LITERAL([_LARGE_FILES]) +m4trace:configure.ac:27: -1- AH_OUTPUT([_LARGE_FILES], [/* Define for large files, on AIX-style hosts. 
*/ #undef _LARGE_FILES]) -m4trace:configure.ac:34: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_PROGRAM_FALLBACK]) -m4trace:configure.ac:37: -1- AC_SUBST([LOGIN_PROGRAM_FALLBACK], [$ac_cv_path_LOGIN_PROGRAM_FALLBACK]) -m4trace:configure.ac:39: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_PROGRAM_FALLBACK]) -m4trace:configure.ac:46: -1- AC_SUBST([LD]) -m4trace:configure.ac:48: -1- AC_C_INLINE -m4trace:configure.ac:48: -1- AC_DEFINE_TRACE_LITERAL([inline]) -m4trace:configure.ac:48: -1- AH_OUTPUT([inline], [/* Define as \`__inline' if that's what the C compiler calls it, or to nothing +m4trace:configure.ac:35: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_PROGRAM_FALLBACK]) +m4trace:configure.ac:38: -1- AC_SUBST([LOGIN_PROGRAM_FALLBACK], [$ac_cv_path_LOGIN_PROGRAM_FALLBACK]) +m4trace:configure.ac:40: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_PROGRAM_FALLBACK]) +m4trace:configure.ac:47: -1- AC_SUBST([LD]) +m4trace:configure.ac:49: -1- AC_C_INLINE +m4trace:configure.ac:49: -1- AC_DEFINE_TRACE_LITERAL([inline]) +m4trace:configure.ac:49: -1- AH_OUTPUT([inline], [/* Define as \`__inline' if that's what the C compiler calls it, or to nothing if it is not supported. 
*/ #undef inline]) -m4trace:configure.ac:48: -1- AC_DEFINE_TRACE_LITERAL([inline]) -m4trace:configure.ac:78: -1- AC_DEFINE_TRACE_LITERAL([WITH_AIXAUTHENTICATE]) -m4trace:configure.ac:78: -1- AC_CHECK_LIB([s], [authenticate], [ AC_DEFINE(WITH_AIXAUTHENTICATE) +m4trace:configure.ac:49: -1- AC_DEFINE_TRACE_LITERAL([inline]) +m4trace:configure.ac:79: -1- AC_DEFINE_TRACE_LITERAL([WITH_AIXAUTHENTICATE]) +m4trace:configure.ac:79: -1- AC_CHECK_LIB([s], [authenticate], [ AC_DEFINE(WITH_AIXAUTHENTICATE) LIBS="$LIBS -ls" ]) -m4trace:configure.ac:78: -1- AC_DEFINE_TRACE_LITERAL([WITH_AIXAUTHENTICATE]) -m4trace:configure.ac:79: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_GETADDRINFO]) -m4trace:configure.ac:80: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_REALPATH]) -m4trace:configure.ac:82: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LASTLOG]) -m4trace:configure.ac:83: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX]) -m4trace:configure.ac:87: -1- AC_DEFINE_TRACE_LITERAL([HAVE_CYGWIN]) -m4trace:configure.ac:88: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) -m4trace:configure.ac:89: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW]) -m4trace:configure.ac:90: -1- AC_DEFINE_TRACE_LITERAL([IPV4_DEFAULT]) -m4trace:configure.ac:91: -1- AC_DEFINE_TRACE_LITERAL([IP_TOS_IS_BROKEN]) -m4trace:configure.ac:92: -1- AC_DEFINE_TRACE_LITERAL([NO_X11_UNIX_SOCKETS]) -m4trace:configure.ac:93: -1- AC_DEFINE_TRACE_LITERAL([NO_IPPORT_RESERVED_CONCEPT]) -m4trace:configure.ac:94: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_FD_PASSING]) -m4trace:configure.ac:95: -1- AC_DEFINE_TRACE_LITERAL([SETGROUPS_NOOP]) -m4trace:configure.ac:98: -1- AC_DEFINE_TRACE_LITERAL([IP_TOS_IS_BROKEN]) -m4trace:configure.ac:110: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_GETADDRINFO]) -m4trace:configure.ac:118: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SECUREWARE]) -m4trace:configure.ac:119: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) -m4trace:configure.ac:120: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NO_ENDOPT]) -m4trace:configure.ac:121: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX]) 
-m4trace:configure.ac:122: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW]) -m4trace:configure.ac:123: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP]) -m4trace:configure.ac:124: -1- AC_DEFINE_TRACE_LITERAL([SPT_TYPE]) -m4trace:configure.ac:126: -1- AC_CHECK_LIB([xnet], [t_error], [], [{ { echo "$as_me:$LINENO: error: *** -lxnet needed on HP-UX - check config.log ***" >&5 +m4trace:configure.ac:79: -1- AC_DEFINE_TRACE_LITERAL([WITH_AIXAUTHENTICATE]) +m4trace:configure.ac:80: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_GETADDRINFO]) +m4trace:configure.ac:81: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_REALPATH]) +m4trace:configure.ac:83: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LASTLOG]) +m4trace:configure.ac:84: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX]) +m4trace:configure.ac:85: -1- AC_DEFINE_TRACE_LITERAL([SETPROCTITLE_STRATEGY]) +m4trace:configure.ac:86: -1- AC_DEFINE_TRACE_LITERAL([SETPROCTITLE_PS_PADDING]) +m4trace:configure.ac:91: -1- AC_DEFINE_TRACE_LITERAL([HAVE_CYGWIN]) +m4trace:configure.ac:92: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) +m4trace:configure.ac:93: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW]) +m4trace:configure.ac:94: -1- AC_DEFINE_TRACE_LITERAL([IPV4_DEFAULT]) +m4trace:configure.ac:95: -1- AC_DEFINE_TRACE_LITERAL([IP_TOS_IS_BROKEN]) +m4trace:configure.ac:96: -1- AC_DEFINE_TRACE_LITERAL([NO_X11_UNIX_SOCKETS]) +m4trace:configure.ac:97: -1- AC_DEFINE_TRACE_LITERAL([NO_IPPORT_RESERVED_CONCEPT]) +m4trace:configure.ac:98: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_FD_PASSING]) +m4trace:configure.ac:99: -1- AC_DEFINE_TRACE_LITERAL([SETGROUPS_NOOP]) +m4trace:configure.ac:102: -1- AC_DEFINE_TRACE_LITERAL([IP_TOS_IS_BROKEN]) +m4trace:configure.ac:114: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_GETADDRINFO]) +m4trace:configure.ac:122: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SECUREWARE]) +m4trace:configure.ac:123: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) +m4trace:configure.ac:124: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NO_ENDOPT]) +m4trace:configure.ac:125: -1- 
AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX]) +m4trace:configure.ac:126: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW]) +m4trace:configure.ac:127: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP]) +m4trace:configure.ac:128: -1- AC_DEFINE_TRACE_LITERAL([SETPROCTITLE_STRATEGY]) +m4trace:configure.ac:130: -1- AC_CHECK_LIB([xnet], [t_error], [], [{ { echo "$as_me:$LINENO: error: *** -lxnet needed on HP-UX - check config.log ***" >&5 echo "$as_me: error: *** -lxnet needed on HP-UX - check config.log ***" >&2;} { (exit 1); exit 1; }; }]) -m4trace:configure.ac:126: -1- AH_OUTPUT([HAVE_LIBXNET], [/* Define to 1 if you have the \`xnet' library (-lxnet). */ +m4trace:configure.ac:130: -1- AH_OUTPUT([HAVE_LIBXNET], [/* Define to 1 if you have the \`xnet' library (-lxnet). */ #undef HAVE_LIBXNET]) -m4trace:configure.ac:126: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBXNET]) -m4trace:configure.ac:135: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) -m4trace:configure.ac:136: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NO_ENDOPT]) -m4trace:configure.ac:137: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX]) -m4trace:configure.ac:138: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW]) -m4trace:configure.ac:139: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP]) -m4trace:configure.ac:140: -1- AC_DEFINE_TRACE_LITERAL([SPT_TYPE]) -m4trace:configure.ac:142: -1- AC_CHECK_LIB([xnet], [t_error], [], [{ { echo "$as_me:$LINENO: error: *** -lxnet needed on HP-UX - check config.log ***" >&5 +m4trace:configure.ac:130: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBXNET]) +m4trace:configure.ac:139: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) +m4trace:configure.ac:140: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NO_ENDOPT]) +m4trace:configure.ac:141: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX]) +m4trace:configure.ac:142: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW]) +m4trace:configure.ac:143: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP]) +m4trace:configure.ac:144: -1- AC_DEFINE_TRACE_LITERAL([SETPROCTITLE_STRATEGY]) +m4trace:configure.ac:146: -1- 
AC_CHECK_LIB([xnet], [t_error], [], [{ { echo "$as_me:$LINENO: error: *** -lxnet needed on HP-UX - check config.log ***" >&5 echo "$as_me: error: *** -lxnet needed on HP-UX - check config.log ***" >&2;} { (exit 1); exit 1; }; }]) -m4trace:configure.ac:142: -1- AH_OUTPUT([HAVE_LIBXNET], [/* Define to 1 if you have the \`xnet' library (-lxnet). */ +m4trace:configure.ac:146: -1- AH_OUTPUT([HAVE_LIBXNET], [/* Define to 1 if you have the \`xnet' library (-lxnet). */ #undef HAVE_LIBXNET]) -m4trace:configure.ac:142: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBXNET]) -m4trace:configure.ac:147: -1- AC_DEFINE_TRACE_LITERAL([PAM_SUN_CODEBASE]) -m4trace:configure.ac:148: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) -m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NO_ENDOPT]) -m4trace:configure.ac:150: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX]) -m4trace:configure.ac:151: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW]) -m4trace:configure.ac:152: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP]) -m4trace:configure.ac:153: -1- AC_DEFINE_TRACE_LITERAL([SPT_TYPE]) -m4trace:configure.ac:155: -1- AC_CHECK_LIB([xnet], [t_error], [], [{ { echo "$as_me:$LINENO: error: *** -lxnet needed on HP-UX - check config.log ***" >&5 +m4trace:configure.ac:146: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBXNET]) +m4trace:configure.ac:151: -1- AC_DEFINE_TRACE_LITERAL([PAM_SUN_CODEBASE]) +m4trace:configure.ac:152: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) +m4trace:configure.ac:153: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NO_ENDOPT]) +m4trace:configure.ac:154: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX]) +m4trace:configure.ac:155: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW]) +m4trace:configure.ac:156: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP]) +m4trace:configure.ac:157: -1- AC_DEFINE_TRACE_LITERAL([SETPROCTITLE_STRATEGY]) +m4trace:configure.ac:159: -1- AC_CHECK_LIB([xnet], [t_error], [], [{ { echo "$as_me:$LINENO: error: *** -lxnet needed on HP-UX - check config.log ***" >&5 echo "$as_me: error: *** -lxnet 
needed on HP-UX - check config.log ***" >&2;} { (exit 1); exit 1; }; }]) -m4trace:configure.ac:155: -1- AH_OUTPUT([HAVE_LIBXNET], [/* Define to 1 if you have the \`xnet' library (-lxnet). */ +m4trace:configure.ac:159: -1- AH_OUTPUT([HAVE_LIBXNET], [/* Define to 1 if you have the \`xnet' library (-lxnet). */ #undef HAVE_LIBXNET]) -m4trace:configure.ac:155: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBXNET]) -m4trace:configure.ac:161: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_INET_NTOA]) -m4trace:configure.ac:162: -1- AC_DEFINE_TRACE_LITERAL([WITH_ABBREV_NO_TTY]) -m4trace:configure.ac:168: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_ARRAY]) -m4trace:configure.ac:169: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_PROJECT]) -m4trace:configure.ac:170: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_AUDIT]) -m4trace:configure.ac:171: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_JOBS]) -m4trace:configure.ac:172: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_INET_NTOA]) -m4trace:configure.ac:173: -1- AC_DEFINE_TRACE_LITERAL([WITH_ABBREV_NO_TTY]) -m4trace:configure.ac:178: -1- AC_DEFINE_TRACE_LITERAL([DONT_TRY_OTHER_AF]) -m4trace:configure.ac:179: -1- AC_DEFINE_TRACE_LITERAL([PAM_TTY_KLUDGE]) -m4trace:configure.ac:183: -1- AC_DEFINE_TRACE_LITERAL([HAVE_NEWS4]) -m4trace:configure.ac:198: -1- AC_DEFINE_TRACE_LITERAL([HAVE_NEXT]) -m4trace:configure.ac:199: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_REALPATH]) -m4trace:configure.ac:200: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) -m4trace:configure.ac:201: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SAVED_UIDS]) -m4trace:configure.ac:209: -1- AC_DEFINE_TRACE_LITERAL([PAM_SUN_CODEBASE]) -m4trace:configure.ac:210: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX]) -m4trace:configure.ac:211: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_TERM]) -m4trace:configure.ac:212: -1- AC_DEFINE_TRACE_LITERAL([PAM_TTY_KLUDGE]) -m4trace:configure.ac:219: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP]) -m4trace:configure.ac:220: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP]) -m4trace:configure.ac:227: -1- 
AC_CHECK_FUNCS([getpwanam]) -m4trace:configure.ac:227: -1- AH_OUTPUT([HAVE_GETPWANAM], [/* Define to 1 if you have the \`getpwanam' function. */ +m4trace:configure.ac:159: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBXNET]) +m4trace:configure.ac:165: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_INET_NTOA]) +m4trace:configure.ac:166: -1- AC_DEFINE_TRACE_LITERAL([WITH_ABBREV_NO_TTY]) +m4trace:configure.ac:172: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_ARRAY]) +m4trace:configure.ac:173: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_PROJECT]) +m4trace:configure.ac:174: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_AUDIT]) +m4trace:configure.ac:175: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_JOBS]) +m4trace:configure.ac:176: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_INET_NTOA]) +m4trace:configure.ac:177: -1- AC_DEFINE_TRACE_LITERAL([WITH_ABBREV_NO_TTY]) +m4trace:configure.ac:182: -1- AC_DEFINE_TRACE_LITERAL([DONT_TRY_OTHER_AF]) +m4trace:configure.ac:183: -1- AC_DEFINE_TRACE_LITERAL([PAM_TTY_KLUDGE]) +m4trace:configure.ac:184: -1- AC_DEFINE_TRACE_LITERAL([SETPROCTITLE_STRATEGY]) +m4trace:configure.ac:185: -1- AC_DEFINE_TRACE_LITERAL([SETPROCTITLE_PS_PADDING]) +m4trace:configure.ac:189: -1- AC_DEFINE_TRACE_LITERAL([HAVE_NEWS4]) +m4trace:configure.ac:204: -1- AC_DEFINE_TRACE_LITERAL([HAVE_NEXT]) +m4trace:configure.ac:205: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_REALPATH]) +m4trace:configure.ac:206: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) +m4trace:configure.ac:207: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SAVED_UIDS]) +m4trace:configure.ac:215: -1- AC_DEFINE_TRACE_LITERAL([PAM_SUN_CODEBASE]) +m4trace:configure.ac:216: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX]) +m4trace:configure.ac:217: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_TERM]) +m4trace:configure.ac:218: -1- AC_DEFINE_TRACE_LITERAL([PAM_TTY_KLUDGE]) +m4trace:configure.ac:219: -1- AC_DEFINE_TRACE_LITERAL([STREAMS_PUSH_ACQUIRES_CTTY]) +m4trace:configure.ac:226: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP]) +m4trace:configure.ac:227: -1- 
AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP]) +m4trace:configure.ac:234: -1- AC_CHECK_FUNCS([getpwanam]) +m4trace:configure.ac:234: -1- AH_OUTPUT([HAVE_GETPWANAM], [/* Define to 1 if you have the \`getpwanam' function. */ #undef HAVE_GETPWANAM]) -m4trace:configure.ac:228: -1- AC_DEFINE_TRACE_LITERAL([PAM_SUN_CODEBASE]) -m4trace:configure.ac:232: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) -m4trace:configure.ac:238: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) +m4trace:configure.ac:235: -1- AC_DEFINE_TRACE_LITERAL([PAM_SUN_CODEBASE]) +m4trace:configure.ac:239: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) m4trace:configure.ac:245: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) -m4trace:configure.ac:246: -1- AC_DEFINE_TRACE_LITERAL([IP_TOS_IS_BROKEN]) -m4trace:configure.ac:254: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) -m4trace:configure.ac:259: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) -m4trace:configure.ac:271: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SYS_TERMIO_H]) -m4trace:configure.ac:272: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) -m4trace:configure.ac:273: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SECUREWARE]) -m4trace:configure.ac:274: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW]) -m4trace:configure.ac:275: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SAVED_UIDS]) -m4trace:configure.ac:276: -1- AC_CHECK_FUNCS([getluid setluid]) -m4trace:configure.ac:276: -1- AH_OUTPUT([HAVE_GETLUID], [/* Define to 1 if you have the \`getluid' function. 
*/ +m4trace:configure.ac:252: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) +m4trace:configure.ac:253: -1- AC_DEFINE_TRACE_LITERAL([IP_TOS_IS_BROKEN]) +m4trace:configure.ac:261: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) +m4trace:configure.ac:266: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) +m4trace:configure.ac:278: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SYS_TERMIO_H]) +m4trace:configure.ac:279: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) +m4trace:configure.ac:280: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SECUREWARE]) +m4trace:configure.ac:281: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW]) +m4trace:configure.ac:282: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SAVED_UIDS]) +m4trace:configure.ac:283: -1- AC_CHECK_FUNCS([getluid setluid]) +m4trace:configure.ac:283: -1- AH_OUTPUT([HAVE_GETLUID], [/* Define to 1 if you have the \`getluid' function. */ #undef HAVE_GETLUID]) -m4trace:configure.ac:276: -1- AH_OUTPUT([HAVE_SETLUID], [/* Define to 1 if you have the \`setluid' function. */ +m4trace:configure.ac:283: -1- AH_OUTPUT([HAVE_SETLUID], [/* Define to 1 if you have the \`setluid' function. */ #undef HAVE_SETLUID]) -m4trace:configure.ac:285: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) -m4trace:configure.ac:286: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SECUREWARE]) -m4trace:configure.ac:287: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW]) -m4trace:configure.ac:288: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_FD_PASSING]) -m4trace:configure.ac:289: -1- AC_CHECK_FUNCS([getluid setluid]) -m4trace:configure.ac:289: -1- AH_OUTPUT([HAVE_GETLUID], [/* Define to 1 if you have the \`getluid' function. 
*/ +m4trace:configure.ac:295: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) +m4trace:configure.ac:296: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SECUREWARE]) +m4trace:configure.ac:297: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW]) +m4trace:configure.ac:298: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_FD_PASSING]) +m4trace:configure.ac:299: -1- AC_CHECK_FUNCS([getluid setluid]) +m4trace:configure.ac:299: -1- AH_OUTPUT([HAVE_GETLUID], [/* Define to 1 if you have the \`getluid' function. */ #undef HAVE_GETLUID]) -m4trace:configure.ac:289: -1- AH_OUTPUT([HAVE_SETLUID], [/* Define to 1 if you have the \`setluid' function. */ +m4trace:configure.ac:299: -1- AH_OUTPUT([HAVE_SETLUID], [/* Define to 1 if you have the \`setluid' function. */ #undef HAVE_SETLUID]) -m4trace:configure.ac:295: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) -m4trace:configure.ac:296: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_FD_PASSING]) -m4trace:configure.ac:304: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) -m4trace:configure.ac:305: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_FD_PASSING]) -m4trace:configure.ac:306: -1- AC_DEFINE_TRACE_LITERAL([NO_SSH_LASTLOG]) -m4trace:configure.ac:326: -1- AC_DEFINE_TRACE_LITERAL([HAVE_OSF_SIA]) -m4trace:configure.ac:327: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LOGIN]) -m4trace:configure.ac:336: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) -m4trace:configure.ac:337: -1- AC_DEFINE_TRACE_LITERAL([NO_X11_UNIX_SOCKETS]) -m4trace:configure.ac:338: -1- AC_DEFINE_TRACE_LITERAL([MISSING_NFDBITS]) -m4trace:configure.ac:339: -1- AC_DEFINE_TRACE_LITERAL([MISSING_HOWMANY]) -m4trace:configure.ac:340: -1- AC_DEFINE_TRACE_LITERAL([MISSING_FD_MASK]) -m4trace:configure.ac:388: -1- AC_CHECK_HEADERS([bstring.h crypt.h endian.h floatingpoint.h \ - getopt.h glob.h ia.h lastlog.h limits.h login.h \ +m4trace:configure.ac:303: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) +m4trace:configure.ac:304: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_FD_PASSING]) +m4trace:configure.ac:310: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) 
+m4trace:configure.ac:311: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_FD_PASSING]) +m4trace:configure.ac:312: -1- AC_DEFINE_TRACE_LITERAL([NO_SSH_LASTLOG]) +m4trace:configure.ac:332: -1- AC_DEFINE_TRACE_LITERAL([HAVE_OSF_SIA]) +m4trace:configure.ac:333: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LOGIN]) +m4trace:configure.ac:334: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_FD_PASSING]) +m4trace:configure.ac:340: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_FD_PASSING]) +m4trace:configure.ac:344: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES]) +m4trace:configure.ac:345: -1- AC_DEFINE_TRACE_LITERAL([NO_X11_UNIX_SOCKETS]) +m4trace:configure.ac:346: -1- AC_DEFINE_TRACE_LITERAL([MISSING_NFDBITS]) +m4trace:configure.ac:347: -1- AC_DEFINE_TRACE_LITERAL([MISSING_HOWMANY]) +m4trace:configure.ac:348: -1- AC_DEFINE_TRACE_LITERAL([MISSING_FD_MASK]) +m4trace:configure.ac:396: -1- AC_CHECK_HEADERS([bstring.h crypt.h endian.h floatingpoint.h \ + getopt.h glob.h ia.h lastlog.h libgen.h limits.h login.h \ login_cap.h maillock.h netdb.h netgroup.h \ netinet/in_systm.h paths.h pty.h readpassphrase.h \ rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ strings.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \ - sys/mman.h sys/select.h sys/stat.h \ - sys/stropts.h sys/sysmacros.h sys/time.h \ + sys/mman.h sys/pstat.h sys/select.h sys/stat.h \ + sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \ sys/un.h time.h tmpdir.h ttyent.h usersec.h \ util.h utime.h utmp.h utmpx.h]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_BSTRING_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_BSTRING_H], [/* Define to 1 if you have the header file. */ #undef HAVE_BSTRING_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_CRYPT_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_CRYPT_H], [/* Define to 1 if you have the header file. 
*/ #undef HAVE_CRYPT_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_ENDIAN_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_ENDIAN_H], [/* Define to 1 if you have the header file. */ #undef HAVE_ENDIAN_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_FLOATINGPOINT_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_FLOATINGPOINT_H], [/* Define to 1 if you have the header file. */ #undef HAVE_FLOATINGPOINT_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_GETOPT_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_GETOPT_H], [/* Define to 1 if you have the header file. */ #undef HAVE_GETOPT_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_GLOB_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_GLOB_H], [/* Define to 1 if you have the header file. */ #undef HAVE_GLOB_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_IA_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_IA_H], [/* Define to 1 if you have the header file. */ #undef HAVE_IA_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_LASTLOG_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_LASTLOG_H], [/* Define to 1 if you have the header file. */ #undef HAVE_LASTLOG_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_LIMITS_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_LIBGEN_H], [/* Define to 1 if you have the header file. */ +#undef HAVE_LIBGEN_H]) +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_LIMITS_H], [/* Define to 1 if you have the header file. */ #undef HAVE_LIMITS_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_LOGIN_H], [/* Define to 1 if you have the header file. 
*/ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_LOGIN_H], [/* Define to 1 if you have the header file. */ #undef HAVE_LOGIN_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_LOGIN_CAP_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_LOGIN_CAP_H], [/* Define to 1 if you have the header file. */ #undef HAVE_LOGIN_CAP_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_MAILLOCK_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_MAILLOCK_H], [/* Define to 1 if you have the header file. */ #undef HAVE_MAILLOCK_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_NETDB_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_NETDB_H], [/* Define to 1 if you have the header file. */ #undef HAVE_NETDB_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_NETGROUP_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_NETGROUP_H], [/* Define to 1 if you have the header file. */ #undef HAVE_NETGROUP_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_NETINET_IN_SYSTM_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_NETINET_IN_SYSTM_H], [/* Define to 1 if you have the header file. */ #undef HAVE_NETINET_IN_SYSTM_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_PATHS_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_PATHS_H], [/* Define to 1 if you have the header file. */ #undef HAVE_PATHS_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_PTY_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_PTY_H], [/* Define to 1 if you have the header file. */ #undef HAVE_PTY_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_READPASSPHRASE_H], [/* Define to 1 if you have the header file. 
*/ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_READPASSPHRASE_H], [/* Define to 1 if you have the header file. */ #undef HAVE_READPASSPHRASE_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_RPC_TYPES_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_RPC_TYPES_H], [/* Define to 1 if you have the header file. */ #undef HAVE_RPC_TYPES_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SECURITY_PAM_APPL_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_SECURITY_PAM_APPL_H], [/* Define to 1 if you have the header file. */ #undef HAVE_SECURITY_PAM_APPL_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SHADOW_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_SHADOW_H], [/* Define to 1 if you have the header file. */ #undef HAVE_SHADOW_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_STDDEF_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_STDDEF_H], [/* Define to 1 if you have the header file. */ #undef HAVE_STDDEF_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_STDINT_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_STDINT_H], [/* Define to 1 if you have the header file. */ #undef HAVE_STDINT_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_STRINGS_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_STRINGS_H], [/* Define to 1 if you have the header file. */ #undef HAVE_STRINGS_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_BITYPES_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_SYS_BITYPES_H], [/* Define to 1 if you have the header file. */ #undef HAVE_SYS_BITYPES_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_BSDTTY_H], [/* Define to 1 if you have the header file. 
*/ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_SYS_BSDTTY_H], [/* Define to 1 if you have the header file. */ #undef HAVE_SYS_BSDTTY_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_CDEFS_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_SYS_CDEFS_H], [/* Define to 1 if you have the header file. */ #undef HAVE_SYS_CDEFS_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_MMAN_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_SYS_MMAN_H], [/* Define to 1 if you have the header file. */ #undef HAVE_SYS_MMAN_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_SELECT_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_SYS_PSTAT_H], [/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_PSTAT_H]) +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_SYS_SELECT_H], [/* Define to 1 if you have the header file. */ #undef HAVE_SYS_SELECT_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_STAT_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_SYS_STAT_H], [/* Define to 1 if you have the header file. */ #undef HAVE_SYS_STAT_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_STROPTS_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_SYS_STROPTS_H], [/* Define to 1 if you have the header file. */ #undef HAVE_SYS_STROPTS_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_SYSMACROS_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_SYS_SYSMACROS_H], [/* Define to 1 if you have the header file. */ #undef HAVE_SYS_SYSMACROS_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_TIME_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_SYS_TIME_H], [/* Define to 1 if you have the header file. 
*/ #undef HAVE_SYS_TIME_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_UN_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_SYS_TIMERS_H], [/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_TIMERS_H]) +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_SYS_UN_H], [/* Define to 1 if you have the header file. */ #undef HAVE_SYS_UN_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_TIME_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_TIME_H], [/* Define to 1 if you have the header file. */ #undef HAVE_TIME_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_TMPDIR_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_TMPDIR_H], [/* Define to 1 if you have the header file. */ #undef HAVE_TMPDIR_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_TTYENT_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_TTYENT_H], [/* Define to 1 if you have the header file. */ #undef HAVE_TTYENT_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_USERSEC_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_USERSEC_H], [/* Define to 1 if you have the header file. */ #undef HAVE_USERSEC_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_UTIL_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_UTIL_H], [/* Define to 1 if you have the header file. */ #undef HAVE_UTIL_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_UTIME_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_UTIME_H], [/* Define to 1 if you have the header file. */ #undef HAVE_UTIME_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_UTMP_H], [/* Define to 1 if you have the header file. 
*/ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_UTMP_H], [/* Define to 1 if you have the header file. */ #undef HAVE_UTMP_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_UTMPX_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_UTMPX_H], [/* Define to 1 if you have the header file. */ #undef HAVE_UTMPX_H]) -m4trace:configure.ac:388: -1- AC_HEADER_STDC -m4trace:configure.ac:388: -1- AC_DEFINE_TRACE_LITERAL([STDC_HEADERS]) -m4trace:configure.ac:388: -1- AH_OUTPUT([STDC_HEADERS], [/* Define to 1 if you have the ANSI C header files. */ +m4trace:configure.ac:396: -1- AC_HEADER_STDC +m4trace:configure.ac:396: -1- AC_DEFINE_TRACE_LITERAL([STDC_HEADERS]) +m4trace:configure.ac:396: -1- AH_OUTPUT([STDC_HEADERS], [/* Define to 1 if you have the ANSI C header files. */ #undef STDC_HEADERS]) -m4trace:configure.ac:388: -1- AC_CHECK_HEADERS([sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ +m4trace:configure.ac:396: -1- AC_CHECK_HEADERS([sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ inttypes.h stdint.h unistd.h], [], [], [$ac_includes_default]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_TYPES_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_SYS_TYPES_H], [/* Define to 1 if you have the header file. */ #undef HAVE_SYS_TYPES_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_STAT_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_SYS_STAT_H], [/* Define to 1 if you have the header file. */ #undef HAVE_SYS_STAT_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_STDLIB_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_STDLIB_H], [/* Define to 1 if you have the header file. */ #undef HAVE_STDLIB_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_STRING_H], [/* Define to 1 if you have the header file. 
*/ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_STRING_H], [/* Define to 1 if you have the header file. */ #undef HAVE_STRING_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_MEMORY_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_MEMORY_H], [/* Define to 1 if you have the header file. */ #undef HAVE_MEMORY_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_STRINGS_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_STRINGS_H], [/* Define to 1 if you have the header file. */ #undef HAVE_STRINGS_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_INTTYPES_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_INTTYPES_H], [/* Define to 1 if you have the header file. */ #undef HAVE_INTTYPES_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_STDINT_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_STDINT_H], [/* Define to 1 if you have the header file. */ #undef HAVE_STDINT_H]) -m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_UNISTD_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:396: -1- AH_OUTPUT([HAVE_UNISTD_H], [/* Define to 1 if you have the header file. */ #undef HAVE_UNISTD_H]) -m4trace:configure.ac:391: -2- AC_CHECK_LIB([nsl], [yp_match]) -m4trace:configure.ac:391: -2- AH_OUTPUT([HAVE_LIBNSL], [/* Define to 1 if you have the \`nsl' library (-lnsl). */ +m4trace:configure.ac:399: -2- AC_CHECK_LIB([nsl], [yp_match]) +m4trace:configure.ac:399: -2- AH_OUTPUT([HAVE_LIBNSL], [/* Define to 1 if you have the \`nsl' library (-lnsl). */ #undef HAVE_LIBNSL]) -m4trace:configure.ac:391: -2- AC_DEFINE_TRACE_LITERAL([HAVE_LIBNSL]) -m4trace:configure.ac:392: -2- AC_CHECK_LIB([socket], [setsockopt]) -m4trace:configure.ac:392: -2- AH_OUTPUT([HAVE_LIBSOCKET], [/* Define to 1 if you have the \`socket' library (-lsocket). 
*/ +m4trace:configure.ac:399: -2- AC_DEFINE_TRACE_LITERAL([HAVE_LIBNSL]) +m4trace:configure.ac:400: -2- AC_CHECK_LIB([socket], [setsockopt]) +m4trace:configure.ac:400: -2- AH_OUTPUT([HAVE_LIBSOCKET], [/* Define to 1 if you have the \`socket' library (-lsocket). */ #undef HAVE_LIBSOCKET]) -m4trace:configure.ac:392: -2- AC_DEFINE_TRACE_LITERAL([HAVE_LIBSOCKET]) -m4trace:configure.ac:397: -1- AC_CHECK_LIB([rpc], [innetgr], [LIBS="-lrpc -lyp -lrpc $LIBS" ], [], [-lyp -lrpc]) -m4trace:configure.ac:402: -2- AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"]) -m4trace:configure.ac:444: -1- AC_CHECK_LIB([z], [deflate], [], [{ { echo "$as_me:$LINENO: error: *** zlib missing - please install first or check config.log ***" >&5 +m4trace:configure.ac:400: -2- AC_DEFINE_TRACE_LITERAL([HAVE_LIBSOCKET]) +m4trace:configure.ac:405: -1- AC_CHECK_LIB([rpc], [innetgr], [LIBS="-lrpc -lyp -lrpc $LIBS" ], [], [-lyp -lrpc]) +m4trace:configure.ac:410: -2- AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"]) +m4trace:configure.ac:452: -1- AC_CHECK_LIB([z], [deflate], [], [{ { echo "$as_me:$LINENO: error: *** zlib missing - please install first or check config.log ***" >&5 echo "$as_me: error: *** zlib missing - please install first or check config.log ***" >&2;} { (exit 1); exit 1; }; }]) -m4trace:configure.ac:444: -1- AH_OUTPUT([HAVE_LIBZ], [/* Define to 1 if you have the \`z' library (-lz). */ +m4trace:configure.ac:452: -1- AH_OUTPUT([HAVE_LIBZ], [/* Define to 1 if you have the \`z' library (-lz). 
*/ #undef HAVE_LIBZ]) -m4trace:configure.ac:444: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBZ]) -m4trace:configure.ac:449: -1- AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) -m4trace:configure.ac:453: -1- AC_CHECK_LIB([c89], [utimes], [AC_DEFINE(HAVE_UTIMES) +m4trace:configure.ac:452: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBZ]) +m4trace:configure.ac:457: -1- AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) +m4trace:configure.ac:461: -1- AC_CHECK_LIB([c89], [utimes], [AC_DEFINE(HAVE_UTIMES) LIBS="$LIBS -lc89"]) -m4trace:configure.ac:453: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UTIMES]) -m4trace:configure.ac:456: -1- AC_CHECK_HEADERS([libutil.h]) -m4trace:configure.ac:456: -1- AH_OUTPUT([HAVE_LIBUTIL_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:461: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UTIMES]) +m4trace:configure.ac:464: -1- AC_CHECK_HEADERS([libutil.h]) +m4trace:configure.ac:464: -1- AH_OUTPUT([HAVE_LIBUTIL_H], [/* Define to 1 if you have the header file. */ #undef HAVE_LIBUTIL_H]) -m4trace:configure.ac:457: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LOGIN]) -m4trace:configure.ac:458: -1- AC_CHECK_FUNCS([logout updwtmp logwtmp]) -m4trace:configure.ac:458: -1- AH_OUTPUT([HAVE_LOGOUT], [/* Define to 1 if you have the \`logout' function. */ +m4trace:configure.ac:465: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LOGIN]) +m4trace:configure.ac:466: -1- AC_CHECK_FUNCS([logout updwtmp logwtmp]) +m4trace:configure.ac:466: -1- AH_OUTPUT([HAVE_LOGOUT], [/* Define to 1 if you have the \`logout' function. */ #undef HAVE_LOGOUT]) -m4trace:configure.ac:458: -1- AH_OUTPUT([HAVE_UPDWTMP], [/* Define to 1 if you have the \`updwtmp' function. */ +m4trace:configure.ac:466: -1- AH_OUTPUT([HAVE_UPDWTMP], [/* Define to 1 if you have the \`updwtmp' function. */ #undef HAVE_UPDWTMP]) -m4trace:configure.ac:458: -1- AH_OUTPUT([HAVE_LOGWTMP], [/* Define to 1 if you have the \`logwtmp' function. 
*/ +m4trace:configure.ac:466: -1- AH_OUTPUT([HAVE_LOGWTMP], [/* Define to 1 if you have the \`logwtmp' function. */ #undef HAVE_LOGWTMP]) -m4trace:configure.ac:460: -1- AC_FUNC_STRFTIME -m4trace:configure.ac:460: -1- AC_CHECK_FUNCS([strftime], [], [# strftime is in -lintl on SCO UNIX. +m4trace:configure.ac:468: -1- AC_FUNC_STRFTIME +m4trace:configure.ac:468: -1- AC_CHECK_FUNCS([strftime], [], [# strftime is in -lintl on SCO UNIX. AC_CHECK_LIB(intl, strftime, [AC_DEFINE(HAVE_STRFTIME) LIBS="-lintl $LIBS"])]) -m4trace:configure.ac:460: -1- AH_OUTPUT([HAVE_STRFTIME], [/* Define to 1 if you have the \`strftime' function. */ +m4trace:configure.ac:468: -1- AH_OUTPUT([HAVE_STRFTIME], [/* Define to 1 if you have the \`strftime' function. */ #undef HAVE_STRFTIME]) -m4trace:configure.ac:460: -1- AC_CHECK_LIB([intl], [strftime], [AC_DEFINE(HAVE_STRFTIME) +m4trace:configure.ac:468: -1- AC_CHECK_LIB([intl], [strftime], [AC_DEFINE(HAVE_STRFTIME) LIBS="-lintl $LIBS"]) -m4trace:configure.ac:460: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRFTIME]) -m4trace:configure.ac:478: -1- AC_DEFINE_TRACE_LITERAL([GLOB_HAS_ALTDIRFUNC]) -m4trace:configure.ac:494: -1- AC_DEFINE_TRACE_LITERAL([GLOB_HAS_GL_MATCHC]) -m4trace:configure.ac:508: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_ONE_BYTE_DIRENT_D_NAME]) -m4trace:configure.ac:541: -1- AC_DEFINE_TRACE_LITERAL([SKEY]) -m4trace:configure.ac:595: -1- AC_DEFINE_TRACE_LITERAL([LIBWRAP]) -m4trace:configure.ac:595: -1- AC_SUBST([LIBWRAP]) -m4trace:configure.ac:608: -1- AC_CHECK_FUNCS([arc4random b64_ntop bcopy bindresvport_sa \ - clock fchmod fchown freeaddrinfo futimes gai_strerror \ - getaddrinfo getcwd getgrouplist getnameinfo getopt getpeereid\ - getrlimit getrusage getttyent glob inet_aton inet_ntoa \ - inet_ntop innetgr login_getcapbool md5_crypt memmove \ - mkdtemp mmap ngetaddrinfo openpty ogetaddrinfo readpassphrase \ - realpath recvmsg rresvport_af sendmsg setdtablesize setegid \ - setenv seteuid setgroups setlogin setproctitle setresgid setreuid \ - 
setrlimit setsid setpcred setvbuf sigaction sigvec snprintf \ - socketpair strerror strlcat strlcpy strmode strsep sysconf tcgetpgrp \ - truncate utimes vhangup vsnprintf waitpid __b64_ntop _getpty]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_ARC4RANDOM], [/* Define to 1 if you have the \`arc4random' function. */ +m4trace:configure.ac:468: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRFTIME]) +m4trace:configure.ac:486: -1- AC_DEFINE_TRACE_LITERAL([GLOB_HAS_ALTDIRFUNC]) +m4trace:configure.ac:502: -1- AC_DEFINE_TRACE_LITERAL([GLOB_HAS_GL_MATCHC]) +m4trace:configure.ac:516: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_ONE_BYTE_DIRENT_D_NAME]) +m4trace:configure.ac:549: -1- AC_DEFINE_TRACE_LITERAL([SKEY]) +m4trace:configure.ac:603: -1- AC_DEFINE_TRACE_LITERAL([LIBWRAP]) +m4trace:configure.ac:603: -1- AC_SUBST([LIBWRAP]) +m4trace:configure.ac:618: -1- AC_CHECK_FUNCS([\ + arc4random __b64_ntop b64_ntop __b64_pton b64_pton basename bcopy \ + bindresvport_sa clock fchmod fchown freeaddrinfo futimes \ + gai_strerror getaddrinfo getcwd getgrouplist getnameinfo getopt \ + getpeereid _getpty getrlimit getrusage getttyent glob inet_aton \ + inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \ + mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openpty pstat \ + readpassphrase realpath recvmsg rresvport_af sendmsg setdtablesize \ + setegid setenv seteuid setgroups setlogin setpcred setproctitle \ + setresgid setreuid setrlimit setsid setvbuf sigaction sigvec \ + snprintf socketpair strerror strlcat strlcpy strmode strnvis \ + sysconf tcgetpgrp truncate utimes vhangup vsnprintf waitpid \ +]) +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_ARC4RANDOM], [/* Define to 1 if you have the \`arc4random' function. */ #undef HAVE_ARC4RANDOM]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_B64_NTOP], [/* Define to 1 if you have the \`b64_ntop' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE___B64_NTOP], [/* Define to 1 if you have the \`__b64_ntop' function. 
*/ +#undef HAVE___B64_NTOP]) +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_B64_NTOP], [/* Define to 1 if you have the \`b64_ntop' function. */ #undef HAVE_B64_NTOP]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_BCOPY], [/* Define to 1 if you have the \`bcopy' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE___B64_PTON], [/* Define to 1 if you have the \`__b64_pton' function. */ +#undef HAVE___B64_PTON]) +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_B64_PTON], [/* Define to 1 if you have the \`b64_pton' function. */ +#undef HAVE_B64_PTON]) +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_BASENAME], [/* Define to 1 if you have the \`basename' function. */ +#undef HAVE_BASENAME]) +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_BCOPY], [/* Define to 1 if you have the \`bcopy' function. */ #undef HAVE_BCOPY]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_BINDRESVPORT_SA], [/* Define to 1 if you have the \`bindresvport_sa' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_BINDRESVPORT_SA], [/* Define to 1 if you have the \`bindresvport_sa' function. */ #undef HAVE_BINDRESVPORT_SA]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_CLOCK], [/* Define to 1 if you have the \`clock' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_CLOCK], [/* Define to 1 if you have the \`clock' function. */ #undef HAVE_CLOCK]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_FCHMOD], [/* Define to 1 if you have the \`fchmod' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_FCHMOD], [/* Define to 1 if you have the \`fchmod' function. */ #undef HAVE_FCHMOD]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_FCHOWN], [/* Define to 1 if you have the \`fchown' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_FCHOWN], [/* Define to 1 if you have the \`fchown' function. */ #undef HAVE_FCHOWN]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_FREEADDRINFO], [/* Define to 1 if you have the \`freeaddrinfo' function. 
*/ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_FREEADDRINFO], [/* Define to 1 if you have the \`freeaddrinfo' function. */ #undef HAVE_FREEADDRINFO]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_FUTIMES], [/* Define to 1 if you have the \`futimes' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_FUTIMES], [/* Define to 1 if you have the \`futimes' function. */ #undef HAVE_FUTIMES]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GAI_STRERROR], [/* Define to 1 if you have the \`gai_strerror' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_GAI_STRERROR], [/* Define to 1 if you have the \`gai_strerror' function. */ #undef HAVE_GAI_STRERROR]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GETADDRINFO], [/* Define to 1 if you have the \`getaddrinfo' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_GETADDRINFO], [/* Define to 1 if you have the \`getaddrinfo' function. */ #undef HAVE_GETADDRINFO]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GETCWD], [/* Define to 1 if you have the \`getcwd' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_GETCWD], [/* Define to 1 if you have the \`getcwd' function. */ #undef HAVE_GETCWD]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GETGROUPLIST], [/* Define to 1 if you have the \`getgrouplist' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_GETGROUPLIST], [/* Define to 1 if you have the \`getgrouplist' function. */ #undef HAVE_GETGROUPLIST]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GETNAMEINFO], [/* Define to 1 if you have the \`getnameinfo' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_GETNAMEINFO], [/* Define to 1 if you have the \`getnameinfo' function. */ #undef HAVE_GETNAMEINFO]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GETOPT], [/* Define to 1 if you have the \`getopt' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_GETOPT], [/* Define to 1 if you have the \`getopt' function. 
*/ #undef HAVE_GETOPT]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GETPEEREID], [/* Define to 1 if you have the \`getpeereid' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_GETPEEREID], [/* Define to 1 if you have the \`getpeereid' function. */ #undef HAVE_GETPEEREID]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GETRLIMIT], [/* Define to 1 if you have the \`getrlimit' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE__GETPTY], [/* Define to 1 if you have the \`_getpty' function. */ +#undef HAVE__GETPTY]) +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_GETRLIMIT], [/* Define to 1 if you have the \`getrlimit' function. */ #undef HAVE_GETRLIMIT]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GETRUSAGE], [/* Define to 1 if you have the \`getrusage' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_GETRUSAGE], [/* Define to 1 if you have the \`getrusage' function. */ #undef HAVE_GETRUSAGE]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GETTTYENT], [/* Define to 1 if you have the \`getttyent' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_GETTTYENT], [/* Define to 1 if you have the \`getttyent' function. */ #undef HAVE_GETTTYENT]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GLOB], [/* Define to 1 if you have the \`glob' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_GLOB], [/* Define to 1 if you have the \`glob' function. */ #undef HAVE_GLOB]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_INET_ATON], [/* Define to 1 if you have the \`inet_aton' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_INET_ATON], [/* Define to 1 if you have the \`inet_aton' function. */ #undef HAVE_INET_ATON]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_INET_NTOA], [/* Define to 1 if you have the \`inet_ntoa' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_INET_NTOA], [/* Define to 1 if you have the \`inet_ntoa' function. 
*/ #undef HAVE_INET_NTOA]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_INET_NTOP], [/* Define to 1 if you have the \`inet_ntop' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_INET_NTOP], [/* Define to 1 if you have the \`inet_ntop' function. */ #undef HAVE_INET_NTOP]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_INNETGR], [/* Define to 1 if you have the \`innetgr' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_INNETGR], [/* Define to 1 if you have the \`innetgr' function. */ #undef HAVE_INNETGR]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_LOGIN_GETCAPBOOL], [/* Define to 1 if you have the \`login_getcapbool' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_LOGIN_GETCAPBOOL], [/* Define to 1 if you have the \`login_getcapbool' function. */ #undef HAVE_LOGIN_GETCAPBOOL]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_MD5_CRYPT], [/* Define to 1 if you have the \`md5_crypt' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_MD5_CRYPT], [/* Define to 1 if you have the \`md5_crypt' function. */ #undef HAVE_MD5_CRYPT]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_MEMMOVE], [/* Define to 1 if you have the \`memmove' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_MEMMOVE], [/* Define to 1 if you have the \`memmove' function. */ #undef HAVE_MEMMOVE]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_MKDTEMP], [/* Define to 1 if you have the \`mkdtemp' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_MKDTEMP], [/* Define to 1 if you have the \`mkdtemp' function. */ #undef HAVE_MKDTEMP]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_MMAP], [/* Define to 1 if you have the \`mmap' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_MMAP], [/* Define to 1 if you have the \`mmap' function. */ #undef HAVE_MMAP]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_NGETADDRINFO], [/* Define to 1 if you have the \`ngetaddrinfo' function. 
*/ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_NGETADDRINFO], [/* Define to 1 if you have the \`ngetaddrinfo' function. */ #undef HAVE_NGETADDRINFO]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_OPENPTY], [/* Define to 1 if you have the \`openpty' function. */ -#undef HAVE_OPENPTY]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_OGETADDRINFO], [/* Define to 1 if you have the \`ogetaddrinfo' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_NSLEEP], [/* Define to 1 if you have the \`nsleep' function. */ +#undef HAVE_NSLEEP]) +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_OGETADDRINFO], [/* Define to 1 if you have the \`ogetaddrinfo' function. */ #undef HAVE_OGETADDRINFO]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_READPASSPHRASE], [/* Define to 1 if you have the \`readpassphrase' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_OPENPTY], [/* Define to 1 if you have the \`openpty' function. */ +#undef HAVE_OPENPTY]) +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_PSTAT], [/* Define to 1 if you have the \`pstat' function. */ +#undef HAVE_PSTAT]) +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_READPASSPHRASE], [/* Define to 1 if you have the \`readpassphrase' function. */ #undef HAVE_READPASSPHRASE]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_REALPATH], [/* Define to 1 if you have the \`realpath' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_REALPATH], [/* Define to 1 if you have the \`realpath' function. */ #undef HAVE_REALPATH]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_RECVMSG], [/* Define to 1 if you have the \`recvmsg' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_RECVMSG], [/* Define to 1 if you have the \`recvmsg' function. */ #undef HAVE_RECVMSG]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_RRESVPORT_AF], [/* Define to 1 if you have the \`rresvport_af' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_RRESVPORT_AF], [/* Define to 1 if you have the \`rresvport_af' function. 
*/ #undef HAVE_RRESVPORT_AF]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SENDMSG], [/* Define to 1 if you have the \`sendmsg' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_SENDMSG], [/* Define to 1 if you have the \`sendmsg' function. */ #undef HAVE_SENDMSG]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETDTABLESIZE], [/* Define to 1 if you have the \`setdtablesize' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_SETDTABLESIZE], [/* Define to 1 if you have the \`setdtablesize' function. */ #undef HAVE_SETDTABLESIZE]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETEGID], [/* Define to 1 if you have the \`setegid' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_SETEGID], [/* Define to 1 if you have the \`setegid' function. */ #undef HAVE_SETEGID]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETENV], [/* Define to 1 if you have the \`setenv' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_SETENV], [/* Define to 1 if you have the \`setenv' function. */ #undef HAVE_SETENV]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETEUID], [/* Define to 1 if you have the \`seteuid' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_SETEUID], [/* Define to 1 if you have the \`seteuid' function. */ #undef HAVE_SETEUID]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETGROUPS], [/* Define to 1 if you have the \`setgroups' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_SETGROUPS], [/* Define to 1 if you have the \`setgroups' function. */ #undef HAVE_SETGROUPS]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETLOGIN], [/* Define to 1 if you have the \`setlogin' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_SETLOGIN], [/* Define to 1 if you have the \`setlogin' function. */ #undef HAVE_SETLOGIN]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETPROCTITLE], [/* Define to 1 if you have the \`setproctitle' function. 
*/ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_SETPCRED], [/* Define to 1 if you have the \`setpcred' function. */ +#undef HAVE_SETPCRED]) +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_SETPROCTITLE], [/* Define to 1 if you have the \`setproctitle' function. */ #undef HAVE_SETPROCTITLE]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETRESGID], [/* Define to 1 if you have the \`setresgid' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_SETRESGID], [/* Define to 1 if you have the \`setresgid' function. */ #undef HAVE_SETRESGID]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETREUID], [/* Define to 1 if you have the \`setreuid' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_SETREUID], [/* Define to 1 if you have the \`setreuid' function. */ #undef HAVE_SETREUID]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETRLIMIT], [/* Define to 1 if you have the \`setrlimit' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_SETRLIMIT], [/* Define to 1 if you have the \`setrlimit' function. */ #undef HAVE_SETRLIMIT]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETSID], [/* Define to 1 if you have the \`setsid' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_SETSID], [/* Define to 1 if you have the \`setsid' function. */ #undef HAVE_SETSID]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETPCRED], [/* Define to 1 if you have the \`setpcred' function. */ -#undef HAVE_SETPCRED]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETVBUF], [/* Define to 1 if you have the \`setvbuf' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_SETVBUF], [/* Define to 1 if you have the \`setvbuf' function. */ #undef HAVE_SETVBUF]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SIGACTION], [/* Define to 1 if you have the \`sigaction' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_SIGACTION], [/* Define to 1 if you have the \`sigaction' function. 
*/ #undef HAVE_SIGACTION]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SIGVEC], [/* Define to 1 if you have the \`sigvec' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_SIGVEC], [/* Define to 1 if you have the \`sigvec' function. */ #undef HAVE_SIGVEC]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SNPRINTF], [/* Define to 1 if you have the \`snprintf' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_SNPRINTF], [/* Define to 1 if you have the \`snprintf' function. */ #undef HAVE_SNPRINTF]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SOCKETPAIR], [/* Define to 1 if you have the \`socketpair' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_SOCKETPAIR], [/* Define to 1 if you have the \`socketpair' function. */ #undef HAVE_SOCKETPAIR]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_STRERROR], [/* Define to 1 if you have the \`strerror' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_STRERROR], [/* Define to 1 if you have the \`strerror' function. */ #undef HAVE_STRERROR]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_STRLCAT], [/* Define to 1 if you have the \`strlcat' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_STRLCAT], [/* Define to 1 if you have the \`strlcat' function. */ #undef HAVE_STRLCAT]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_STRLCPY], [/* Define to 1 if you have the \`strlcpy' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_STRLCPY], [/* Define to 1 if you have the \`strlcpy' function. */ #undef HAVE_STRLCPY]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_STRMODE], [/* Define to 1 if you have the \`strmode' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_STRMODE], [/* Define to 1 if you have the \`strmode' function. */ #undef HAVE_STRMODE]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_STRSEP], [/* Define to 1 if you have the \`strsep' function. 
*/ -#undef HAVE_STRSEP]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SYSCONF], [/* Define to 1 if you have the \`sysconf' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_STRNVIS], [/* Define to 1 if you have the \`strnvis' function. */ +#undef HAVE_STRNVIS]) +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_SYSCONF], [/* Define to 1 if you have the \`sysconf' function. */ #undef HAVE_SYSCONF]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_TCGETPGRP], [/* Define to 1 if you have the \`tcgetpgrp' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_TCGETPGRP], [/* Define to 1 if you have the \`tcgetpgrp' function. */ #undef HAVE_TCGETPGRP]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_TRUNCATE], [/* Define to 1 if you have the \`truncate' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_TRUNCATE], [/* Define to 1 if you have the \`truncate' function. */ #undef HAVE_TRUNCATE]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_UTIMES], [/* Define to 1 if you have the \`utimes' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_UTIMES], [/* Define to 1 if you have the \`utimes' function. */ #undef HAVE_UTIMES]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_VHANGUP], [/* Define to 1 if you have the \`vhangup' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_VHANGUP], [/* Define to 1 if you have the \`vhangup' function. */ #undef HAVE_VHANGUP]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_VSNPRINTF], [/* Define to 1 if you have the \`vsnprintf' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_VSNPRINTF], [/* Define to 1 if you have the \`vsnprintf' function. */ #undef HAVE_VSNPRINTF]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_WAITPID], [/* Define to 1 if you have the \`waitpid' function. */ +m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_WAITPID], [/* Define to 1 if you have the \`waitpid' function. 
*/ #undef HAVE_WAITPID]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE___B64_NTOP], [/* Define to 1 if you have the \`__b64_ntop' function. */ -#undef HAVE___B64_NTOP]) -m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE__GETPTY], [/* Define to 1 if you have the \`_getpty' function. */ -#undef HAVE__GETPTY]) -m4trace:configure.ac:645: -1- AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS(libgen.h) ], [ +m4trace:configure.ac:620: -2- AC_DEFINE_TRACE_LITERAL([HAVE_NANOSLEEP]) +m4trace:configure.ac:623: -1- AC_CHECK_FUNCS([strsep]) +m4trace:configure.ac:623: -1- AH_OUTPUT([HAVE_STRSEP], [/* Define to 1 if you have the \`strsep' function. */ +#undef HAVE_STRSEP]) +m4trace:configure.ac:660: -1- AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS(libgen.h) ], [ AC_CHECK_LIB(gen, dirname,[ AC_CACHE_CHECK([for broken dirname], ac_cv_have_broken_dirname, [ @@ -581,12 +611,12 @@ fi ]) ]) -m4trace:configure.ac:645: -1- AH_OUTPUT([HAVE_DIRNAME], [/* Define to 1 if you have the \`dirname' function. */ +m4trace:configure.ac:660: -1- AH_OUTPUT([HAVE_DIRNAME], [/* Define to 1 if you have the \`dirname' function. */ #undef HAVE_DIRNAME]) -m4trace:configure.ac:645: -1- AC_CHECK_HEADERS([libgen.h]) -m4trace:configure.ac:645: -1- AH_OUTPUT([HAVE_LIBGEN_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:660: -1- AC_CHECK_HEADERS([libgen.h]) +m4trace:configure.ac:660: -1- AH_OUTPUT([HAVE_LIBGEN_H], [/* Define to 1 if you have the header file. */ #undef HAVE_LIBGEN_H]) -m4trace:configure.ac:645: -1- AC_CHECK_LIB([gen], [dirname], [ +m4trace:configure.ac:660: -1- AC_CHECK_LIB([gen], [dirname], [ AC_CACHE_CHECK([for broken dirname], ac_cv_have_broken_dirname, [ save_LIBS="$LIBS" 
@@ -619,287 +649,293 @@ AC_CHECK_HEADERS(libgen.h) fi ]) -m4trace:configure.ac:645: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DIRNAME]) -m4trace:configure.ac:645: -1- AC_CHECK_HEADERS([libgen.h]) -m4trace:configure.ac:645: -1- AH_OUTPUT([HAVE_LIBGEN_H], [/* Define to 1 if you have the header file. */ +m4trace:configure.ac:660: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DIRNAME]) +m4trace:configure.ac:660: -1- AC_CHECK_HEADERS([libgen.h]) +m4trace:configure.ac:660: -1- AH_OUTPUT([HAVE_LIBGEN_H], [/* Define to 1 if you have the header file. */ #undef HAVE_LIBGEN_H]) -m4trace:configure.ac:648: -1- AC_CHECK_FUNCS([gettimeofday time]) -m4trace:configure.ac:648: -1- AH_OUTPUT([HAVE_GETTIMEOFDAY], [/* Define to 1 if you have the \`gettimeofday' function. */ +m4trace:configure.ac:663: -1- AC_CHECK_FUNCS([gettimeofday time]) +m4trace:configure.ac:663: -1- AH_OUTPUT([HAVE_GETTIMEOFDAY], [/* Define to 1 if you have the \`gettimeofday' function. */ #undef HAVE_GETTIMEOFDAY]) -m4trace:configure.ac:648: -1- AH_OUTPUT([HAVE_TIME], [/* Define to 1 if you have the \`time' function. */ +m4trace:configure.ac:663: -1- AH_OUTPUT([HAVE_TIME], [/* Define to 1 if you have the \`time' function. */ #undef HAVE_TIME]) -m4trace:configure.ac:650: -1- AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent]) -m4trace:configure.ac:650: -1- AH_OUTPUT([HAVE_ENDUTENT], [/* Define to 1 if you have the \`endutent' function. */ +m4trace:configure.ac:665: -1- AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent]) +m4trace:configure.ac:665: -1- AH_OUTPUT([HAVE_ENDUTENT], [/* Define to 1 if you have the \`endutent' function. */ #undef HAVE_ENDUTENT]) -m4trace:configure.ac:650: -1- AH_OUTPUT([HAVE_GETUTENT], [/* Define to 1 if you have the \`getutent' function. */ +m4trace:configure.ac:665: -1- AH_OUTPUT([HAVE_GETUTENT], [/* Define to 1 if you have the \`getutent' function. 
*/ #undef HAVE_GETUTENT]) -m4trace:configure.ac:650: -1- AH_OUTPUT([HAVE_GETUTID], [/* Define to 1 if you have the \`getutid' function. */ +m4trace:configure.ac:665: -1- AH_OUTPUT([HAVE_GETUTID], [/* Define to 1 if you have the \`getutid' function. */ #undef HAVE_GETUTID]) -m4trace:configure.ac:650: -1- AH_OUTPUT([HAVE_GETUTLINE], [/* Define to 1 if you have the \`getutline' function. */ +m4trace:configure.ac:665: -1- AH_OUTPUT([HAVE_GETUTLINE], [/* Define to 1 if you have the \`getutline' function. */ #undef HAVE_GETUTLINE]) -m4trace:configure.ac:650: -1- AH_OUTPUT([HAVE_PUTUTLINE], [/* Define to 1 if you have the \`pututline' function. */ +m4trace:configure.ac:665: -1- AH_OUTPUT([HAVE_PUTUTLINE], [/* Define to 1 if you have the \`pututline' function. */ #undef HAVE_PUTUTLINE]) -m4trace:configure.ac:650: -1- AH_OUTPUT([HAVE_SETUTENT], [/* Define to 1 if you have the \`setutent' function. */ +m4trace:configure.ac:665: -1- AH_OUTPUT([HAVE_SETUTENT], [/* Define to 1 if you have the \`setutent' function. */ #undef HAVE_SETUTENT]) -m4trace:configure.ac:651: -1- AC_CHECK_FUNCS([utmpname]) -m4trace:configure.ac:651: -1- AH_OUTPUT([HAVE_UTMPNAME], [/* Define to 1 if you have the \`utmpname' function. */ +m4trace:configure.ac:666: -1- AC_CHECK_FUNCS([utmpname]) +m4trace:configure.ac:666: -1- AH_OUTPUT([HAVE_UTMPNAME], [/* Define to 1 if you have the \`utmpname' function. */ #undef HAVE_UTMPNAME]) -m4trace:configure.ac:653: -1- AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline pututxline ]) -m4trace:configure.ac:653: -1- AH_OUTPUT([HAVE_ENDUTXENT], [/* Define to 1 if you have the \`endutxent' function. */ +m4trace:configure.ac:668: -1- AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline pututxline ]) +m4trace:configure.ac:668: -1- AH_OUTPUT([HAVE_ENDUTXENT], [/* Define to 1 if you have the \`endutxent' function. */ #undef HAVE_ENDUTXENT]) -m4trace:configure.ac:653: -1- AH_OUTPUT([HAVE_GETUTXENT], [/* Define to 1 if you have the \`getutxent' function. 
*/ +m4trace:configure.ac:668: -1- AH_OUTPUT([HAVE_GETUTXENT], [/* Define to 1 if you have the \`getutxent' function. */ #undef HAVE_GETUTXENT]) -m4trace:configure.ac:653: -1- AH_OUTPUT([HAVE_GETUTXID], [/* Define to 1 if you have the \`getutxid' function. */ +m4trace:configure.ac:668: -1- AH_OUTPUT([HAVE_GETUTXID], [/* Define to 1 if you have the \`getutxid' function. */ #undef HAVE_GETUTXID]) -m4trace:configure.ac:653: -1- AH_OUTPUT([HAVE_GETUTXLINE], [/* Define to 1 if you have the \`getutxline' function. */ +m4trace:configure.ac:668: -1- AH_OUTPUT([HAVE_GETUTXLINE], [/* Define to 1 if you have the \`getutxline' function. */ #undef HAVE_GETUTXLINE]) -m4trace:configure.ac:653: -1- AH_OUTPUT([HAVE_PUTUTXLINE], [/* Define to 1 if you have the \`pututxline' function. */ +m4trace:configure.ac:668: -1- AH_OUTPUT([HAVE_PUTUTXLINE], [/* Define to 1 if you have the \`pututxline' function. */ #undef HAVE_PUTUTXLINE]) -m4trace:configure.ac:654: -1- AC_CHECK_FUNCS([setutxent utmpxname]) -m4trace:configure.ac:654: -1- AH_OUTPUT([HAVE_SETUTXENT], [/* Define to 1 if you have the \`setutxent' function. */ +m4trace:configure.ac:669: -1- AC_CHECK_FUNCS([setutxent utmpxname]) +m4trace:configure.ac:669: -1- AH_OUTPUT([HAVE_SETUTXENT], [/* Define to 1 if you have the \`setutxent' function. */ #undef HAVE_SETUTXENT]) -m4trace:configure.ac:654: -1- AH_OUTPUT([HAVE_UTMPXNAME], [/* Define to 1 if you have the \`utmpxname' function. */ +m4trace:configure.ac:669: -1- AH_OUTPUT([HAVE_UTMPXNAME], [/* Define to 1 if you have the \`utmpxname' function. 
*/ #undef HAVE_UTMPXNAME]) -m4trace:configure.ac:659: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DAEMON]) -m4trace:configure.ac:659: -1- AC_CHECK_LIB([bsd], [daemon], [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)]) -m4trace:configure.ac:659: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DAEMON]) -m4trace:configure.ac:664: -1- AC_DEFINE_TRACE_LITERAL([HAVE_GETPAGESIZE]) -m4trace:configure.ac:664: -1- AC_CHECK_LIB([ucb], [getpagesize], [LIBS="$LIBS -lucb"; AC_DEFINE(HAVE_GETPAGESIZE)]) -m4trace:configure.ac:664: -1- AC_DEFINE_TRACE_LITERAL([HAVE_GETPAGESIZE]) -m4trace:configure.ac:680: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SNPRINTF]) -m4trace:configure.ac:683: -1- AC_FUNC_GETPGRP -m4trace:configure.ac:683: -1- AC_DEFINE_TRACE_LITERAL([GETPGRP_VOID]) -m4trace:configure.ac:683: -1- AH_OUTPUT([GETPGRP_VOID], [/* Define to 1 if the \`getpgrp' function requires zero arguments. */ +m4trace:configure.ac:674: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DAEMON]) +m4trace:configure.ac:674: -1- AC_CHECK_LIB([bsd], [daemon], [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)]) +m4trace:configure.ac:674: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DAEMON]) +m4trace:configure.ac:679: -1- AC_DEFINE_TRACE_LITERAL([HAVE_GETPAGESIZE]) +m4trace:configure.ac:679: -1- AC_CHECK_LIB([ucb], [getpagesize], [LIBS="$LIBS -lucb"; AC_DEFINE(HAVE_GETPAGESIZE)]) +m4trace:configure.ac:679: -1- AC_DEFINE_TRACE_LITERAL([HAVE_GETPAGESIZE]) +m4trace:configure.ac:695: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SNPRINTF]) +m4trace:configure.ac:721: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRICT_MKSTEMP]) +m4trace:configure.ac:721: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRICT_MKSTEMP]) +m4trace:configure.ac:724: -1- AC_FUNC_GETPGRP +m4trace:configure.ac:724: -1- AC_DEFINE_TRACE_LITERAL([GETPGRP_VOID]) +m4trace:configure.ac:724: -1- AH_OUTPUT([GETPGRP_VOID], [/* Define to 1 if the \`getpgrp' function requires zero arguments. 
*/ #undef GETPGRP_VOID]) -m4trace:configure.ac:711: -1- AC_CHECK_LIB([dl], [dlopen], [], []) -m4trace:configure.ac:711: -1- AH_OUTPUT([HAVE_LIBDL], [/* Define to 1 if you have the \`dl' library (-ldl). */ +m4trace:configure.ac:752: -1- AC_CHECK_LIB([dl], [dlopen], [], []) +m4trace:configure.ac:752: -1- AH_OUTPUT([HAVE_LIBDL], [/* Define to 1 if you have the \`dl' library (-ldl). */ #undef HAVE_LIBDL]) -m4trace:configure.ac:711: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBDL]) -m4trace:configure.ac:711: -1- AC_CHECK_LIB([pam], [pam_set_item], [], [{ { echo "$as_me:$LINENO: error: *** libpam missing" >&5 +m4trace:configure.ac:752: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBDL]) +m4trace:configure.ac:752: -1- AC_CHECK_LIB([pam], [pam_set_item], [], [{ { echo "$as_me:$LINENO: error: *** libpam missing" >&5 echo "$as_me: error: *** libpam missing" >&2;} { (exit 1); exit 1; }; }]) -m4trace:configure.ac:711: -1- AH_OUTPUT([HAVE_LIBPAM], [/* Define to 1 if you have the \`pam' library (-lpam). */ +m4trace:configure.ac:752: -1- AH_OUTPUT([HAVE_LIBPAM], [/* Define to 1 if you have the \`pam' library (-lpam). */ #undef HAVE_LIBPAM]) -m4trace:configure.ac:711: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBPAM]) -m4trace:configure.ac:711: -1- AC_CHECK_FUNCS([pam_getenvlist]) -m4trace:configure.ac:711: -1- AH_OUTPUT([HAVE_PAM_GETENVLIST], [/* Define to 1 if you have the \`pam_getenvlist' function. */ +m4trace:configure.ac:752: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBPAM]) +m4trace:configure.ac:752: -1- AC_CHECK_FUNCS([pam_getenvlist]) +m4trace:configure.ac:752: -1- AH_OUTPUT([HAVE_PAM_GETENVLIST], [/* Define to 1 if you have the \`pam_getenvlist' function. 
*/ #undef HAVE_PAM_GETENVLIST]) -m4trace:configure.ac:711: -1- AC_DEFINE_TRACE_LITERAL([USE_PAM]) -m4trace:configure.ac:711: -1- AC_SUBST([LIBPAM]) -m4trace:configure.ac:729: -1- AC_DEFINE_TRACE_LITERAL([HAVE_OLD_PAM]) -m4trace:configure.ac:735: -1- AC_CHECK_LIB([crypt], [crypt]) -m4trace:configure.ac:735: -1- AH_OUTPUT([HAVE_LIBCRYPT], [/* Define to 1 if you have the \`crypt' library (-lcrypt). */ +m4trace:configure.ac:752: -1- AC_DEFINE_TRACE_LITERAL([USE_PAM]) +m4trace:configure.ac:752: -1- AC_SUBST([LIBPAM]) +m4trace:configure.ac:770: -1- AC_DEFINE_TRACE_LITERAL([HAVE_OLD_PAM]) +m4trace:configure.ac:776: -1- AC_CHECK_LIB([crypt], [crypt]) +m4trace:configure.ac:776: -1- AH_OUTPUT([HAVE_LIBCRYPT], [/* Define to 1 if you have the \`crypt' library (-lcrypt). */ #undef HAVE_LIBCRYPT]) -m4trace:configure.ac:735: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBCRYPT]) -m4trace:configure.ac:767: -2- AC_DEFINE_TRACE_LITERAL([HAVE_OPENSSL]) -m4trace:configure.ac:782: -2- AC_DEFINE_TRACE_LITERAL([HAVE_OPENSSL]) -m4trace:configure.ac:869: -1- AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"]) -m4trace:configure.ac:917: -1- AC_DEFINE_TRACE_LITERAL([OPENSSL_PRNG_ONLY]) -m4trace:configure.ac:925: -1- AC_SUBST([INSTALL_SSH_RAND_HELPER]) -m4trace:configure.ac:948: -1- AC_DEFINE_TRACE_LITERAL([PRNGD_PORT]) -m4trace:configure.ac:998: -1- AC_DEFINE_TRACE_LITERAL([PRNGD_SOCKET]) -m4trace:configure.ac:998: -1- AC_DEFINE_TRACE_LITERAL([PRNGD_SOCKET]) -m4trace:configure.ac:1010: -1- AC_DEFINE_TRACE_LITERAL([ENTROPY_TIMEOUT_MSEC]) -m4trace:configure.ac:1021: -1- AC_DEFINE_TRACE_LITERAL([SSH_PRIVSEP_USER]) -m4trace:configure.ac:1022: -1- AC_SUBST([SSH_PRIVSEP_USER]) -m4trace:configure.ac:1039: -1- AC_SUBST([PROG_LS], [$ac_cv_path_PROG_LS]) -m4trace:configure.ac:1039: -1- AC_SUBST([PROG_LS]) -m4trace:configure.ac:1040: -1- AC_SUBST([PROG_NETSTAT], [$ac_cv_path_PROG_NETSTAT]) -m4trace:configure.ac:1040: -1- AC_SUBST([PROG_NETSTAT]) -m4trace:configure.ac:1041: -1- AC_SUBST([PROG_ARP], 
[$ac_cv_path_PROG_ARP]) -m4trace:configure.ac:1041: -1- AC_SUBST([PROG_ARP]) -m4trace:configure.ac:1042: -1- AC_SUBST([PROG_IFCONFIG], [$ac_cv_path_PROG_IFCONFIG]) -m4trace:configure.ac:1042: -1- AC_SUBST([PROG_IFCONFIG]) -m4trace:configure.ac:1043: -1- AC_SUBST([PROG_JSTAT], [$ac_cv_path_PROG_JSTAT]) -m4trace:configure.ac:1043: -1- AC_SUBST([PROG_JSTAT]) -m4trace:configure.ac:1044: -1- AC_SUBST([PROG_PS], [$ac_cv_path_PROG_PS]) -m4trace:configure.ac:1044: -1- AC_SUBST([PROG_PS]) -m4trace:configure.ac:1045: -1- AC_SUBST([PROG_SAR], [$ac_cv_path_PROG_SAR]) -m4trace:configure.ac:1045: -1- AC_SUBST([PROG_SAR]) -m4trace:configure.ac:1046: -1- AC_SUBST([PROG_W], [$ac_cv_path_PROG_W]) -m4trace:configure.ac:1046: -1- AC_SUBST([PROG_W]) -m4trace:configure.ac:1047: -1- AC_SUBST([PROG_WHO], [$ac_cv_path_PROG_WHO]) -m4trace:configure.ac:1047: -1- AC_SUBST([PROG_WHO]) -m4trace:configure.ac:1048: -1- AC_SUBST([PROG_LAST], [$ac_cv_path_PROG_LAST]) -m4trace:configure.ac:1048: -1- AC_SUBST([PROG_LAST]) -m4trace:configure.ac:1049: -1- AC_SUBST([PROG_LASTLOG], [$ac_cv_path_PROG_LASTLOG]) -m4trace:configure.ac:1049: -1- AC_SUBST([PROG_LASTLOG]) -m4trace:configure.ac:1050: -1- AC_SUBST([PROG_DF], [$ac_cv_path_PROG_DF]) -m4trace:configure.ac:1050: -1- AC_SUBST([PROG_DF]) -m4trace:configure.ac:1051: -1- AC_SUBST([PROG_VMSTAT], [$ac_cv_path_PROG_VMSTAT]) -m4trace:configure.ac:1051: -1- AC_SUBST([PROG_VMSTAT]) -m4trace:configure.ac:1052: -1- AC_SUBST([PROG_UPTIME], [$ac_cv_path_PROG_UPTIME]) -m4trace:configure.ac:1052: -1- AC_SUBST([PROG_UPTIME]) -m4trace:configure.ac:1053: -1- AC_SUBST([PROG_IPCS], [$ac_cv_path_PROG_IPCS]) -m4trace:configure.ac:1053: -1- AC_SUBST([PROG_IPCS]) -m4trace:configure.ac:1054: -1- AC_SUBST([PROG_TAIL], [$ac_cv_path_PROG_TAIL]) -m4trace:configure.ac:1054: -1- AC_SUBST([PROG_TAIL]) -m4trace:configure.ac:1071: -1- AC_SUBST([INSTALL_SSH_PRNG_CMDS]) -m4trace:configure.ac:1080: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_CHAR]) -m4trace:configure.ac:1080: -1- 
AH_OUTPUT([SIZEOF_CHAR], [/* The size of a \`char', as computed by sizeof. */ +m4trace:configure.ac:776: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBCRYPT]) +m4trace:configure.ac:808: -2- AC_DEFINE_TRACE_LITERAL([HAVE_OPENSSL]) +m4trace:configure.ac:823: -2- AC_DEFINE_TRACE_LITERAL([HAVE_OPENSSL]) +m4trace:configure.ac:910: -1- AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"]) +m4trace:configure.ac:958: -1- AC_DEFINE_TRACE_LITERAL([OPENSSL_PRNG_ONLY]) +m4trace:configure.ac:966: -1- AC_SUBST([INSTALL_SSH_RAND_HELPER]) +m4trace:configure.ac:989: -1- AC_DEFINE_TRACE_LITERAL([PRNGD_PORT]) +m4trace:configure.ac:1039: -1- AC_DEFINE_TRACE_LITERAL([PRNGD_SOCKET]) +m4trace:configure.ac:1039: -1- AC_DEFINE_TRACE_LITERAL([PRNGD_SOCKET]) +m4trace:configure.ac:1051: -1- AC_DEFINE_TRACE_LITERAL([ENTROPY_TIMEOUT_MSEC]) +m4trace:configure.ac:1062: -1- AC_DEFINE_TRACE_LITERAL([SSH_PRIVSEP_USER]) +m4trace:configure.ac:1063: -1- AC_SUBST([SSH_PRIVSEP_USER]) +m4trace:configure.ac:1080: -1- AC_SUBST([PROG_LS], [$ac_cv_path_PROG_LS]) +m4trace:configure.ac:1080: -1- AC_SUBST([PROG_LS]) +m4trace:configure.ac:1081: -1- AC_SUBST([PROG_NETSTAT], [$ac_cv_path_PROG_NETSTAT]) +m4trace:configure.ac:1081: -1- AC_SUBST([PROG_NETSTAT]) +m4trace:configure.ac:1082: -1- AC_SUBST([PROG_ARP], [$ac_cv_path_PROG_ARP]) +m4trace:configure.ac:1082: -1- AC_SUBST([PROG_ARP]) +m4trace:configure.ac:1083: -1- AC_SUBST([PROG_IFCONFIG], [$ac_cv_path_PROG_IFCONFIG]) +m4trace:configure.ac:1083: -1- AC_SUBST([PROG_IFCONFIG]) +m4trace:configure.ac:1084: -1- AC_SUBST([PROG_JSTAT], [$ac_cv_path_PROG_JSTAT]) +m4trace:configure.ac:1084: -1- AC_SUBST([PROG_JSTAT]) +m4trace:configure.ac:1085: -1- AC_SUBST([PROG_PS], [$ac_cv_path_PROG_PS]) +m4trace:configure.ac:1085: -1- AC_SUBST([PROG_PS]) +m4trace:configure.ac:1086: -1- AC_SUBST([PROG_SAR], [$ac_cv_path_PROG_SAR]) +m4trace:configure.ac:1086: -1- AC_SUBST([PROG_SAR]) +m4trace:configure.ac:1087: -1- AC_SUBST([PROG_W], [$ac_cv_path_PROG_W]) +m4trace:configure.ac:1087: -1- 
AC_SUBST([PROG_W]) +m4trace:configure.ac:1088: -1- AC_SUBST([PROG_WHO], [$ac_cv_path_PROG_WHO]) +m4trace:configure.ac:1088: -1- AC_SUBST([PROG_WHO]) +m4trace:configure.ac:1089: -1- AC_SUBST([PROG_LAST], [$ac_cv_path_PROG_LAST]) +m4trace:configure.ac:1089: -1- AC_SUBST([PROG_LAST]) +m4trace:configure.ac:1090: -1- AC_SUBST([PROG_LASTLOG], [$ac_cv_path_PROG_LASTLOG]) +m4trace:configure.ac:1090: -1- AC_SUBST([PROG_LASTLOG]) +m4trace:configure.ac:1091: -1- AC_SUBST([PROG_DF], [$ac_cv_path_PROG_DF]) +m4trace:configure.ac:1091: -1- AC_SUBST([PROG_DF]) +m4trace:configure.ac:1092: -1- AC_SUBST([PROG_VMSTAT], [$ac_cv_path_PROG_VMSTAT]) +m4trace:configure.ac:1092: -1- AC_SUBST([PROG_VMSTAT]) +m4trace:configure.ac:1093: -1- AC_SUBST([PROG_UPTIME], [$ac_cv_path_PROG_UPTIME]) +m4trace:configure.ac:1093: -1- AC_SUBST([PROG_UPTIME]) +m4trace:configure.ac:1094: -1- AC_SUBST([PROG_IPCS], [$ac_cv_path_PROG_IPCS]) +m4trace:configure.ac:1094: -1- AC_SUBST([PROG_IPCS]) +m4trace:configure.ac:1095: -1- AC_SUBST([PROG_TAIL], [$ac_cv_path_PROG_TAIL]) +m4trace:configure.ac:1095: -1- AC_SUBST([PROG_TAIL]) +m4trace:configure.ac:1112: -1- AC_SUBST([INSTALL_SSH_PRNG_CMDS]) +m4trace:configure.ac:1121: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_CHAR]) +m4trace:configure.ac:1121: -1- AH_OUTPUT([SIZEOF_CHAR], [/* The size of a \`char', as computed by sizeof. */ #undef SIZEOF_CHAR]) -m4trace:configure.ac:1081: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_SHORT_INT]) -m4trace:configure.ac:1081: -1- AH_OUTPUT([SIZEOF_SHORT_INT], [/* The size of a \`short int', as computed by sizeof. */ +m4trace:configure.ac:1122: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_SHORT_INT]) +m4trace:configure.ac:1122: -1- AH_OUTPUT([SIZEOF_SHORT_INT], [/* The size of a \`short int', as computed by sizeof. */ #undef SIZEOF_SHORT_INT]) -m4trace:configure.ac:1082: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_INT]) -m4trace:configure.ac:1082: -1- AH_OUTPUT([SIZEOF_INT], [/* The size of a \`int', as computed by sizeof. 
*/ +m4trace:configure.ac:1123: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_INT]) +m4trace:configure.ac:1123: -1- AH_OUTPUT([SIZEOF_INT], [/* The size of a \`int', as computed by sizeof. */ #undef SIZEOF_INT]) -m4trace:configure.ac:1083: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_LONG_INT]) -m4trace:configure.ac:1083: -1- AH_OUTPUT([SIZEOF_LONG_INT], [/* The size of a \`long int', as computed by sizeof. */ +m4trace:configure.ac:1124: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_LONG_INT]) +m4trace:configure.ac:1124: -1- AH_OUTPUT([SIZEOF_LONG_INT], [/* The size of a \`long int', as computed by sizeof. */ #undef SIZEOF_LONG_INT]) -m4trace:configure.ac:1084: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_LONG_LONG_INT]) -m4trace:configure.ac:1084: -1- AH_OUTPUT([SIZEOF_LONG_LONG_INT], [/* The size of a \`long long int', as computed by sizeof. */ +m4trace:configure.ac:1125: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_LONG_LONG_INT]) +m4trace:configure.ac:1125: -1- AH_OUTPUT([SIZEOF_LONG_LONG_INT], [/* The size of a \`long long int', as computed by sizeof. 
*/ #undef SIZEOF_LONG_LONG_INT]) -m4trace:configure.ac:1101: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT]) -m4trace:configure.ac:1114: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INTXX_T]) -m4trace:configure.ac:1130: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INTXX_T]) -m4trace:configure.ac:1151: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT64_T]) -m4trace:configure.ac:1163: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INTXX_T]) -m4trace:configure.ac:1177: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INTXX_T]) -m4trace:configure.ac:1189: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT64_T]) -m4trace:configure.ac:1203: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT64_T]) -m4trace:configure.ac:1218: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINTXX_T]) -m4trace:configure.ac:1232: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINTXX_T]) -m4trace:configure.ac:1254: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INTXX_T]) -m4trace:configure.ac:1254: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INTXX_T]) -m4trace:configure.ac:1269: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_CHAR]) -m4trace:configure.ac:1272: -1- AC_DEFINE_TRACE_LITERAL([socklen_t]) -m4trace:configure.ac:1272: -1- AH_OUTPUT([socklen_t], [/* type to use in place of socklen_t if not defined */ +m4trace:configure.ac:1142: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT]) +m4trace:configure.ac:1155: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INTXX_T]) +m4trace:configure.ac:1171: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INTXX_T]) +m4trace:configure.ac:1192: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT64_T]) +m4trace:configure.ac:1204: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INTXX_T]) +m4trace:configure.ac:1218: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INTXX_T]) +m4trace:configure.ac:1230: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT64_T]) +m4trace:configure.ac:1244: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT64_T]) +m4trace:configure.ac:1259: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINTXX_T]) +m4trace:configure.ac:1273: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINTXX_T]) +m4trace:configure.ac:1295: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INTXX_T]) +m4trace:configure.ac:1295: -1- 
AC_DEFINE_TRACE_LITERAL([HAVE_INTXX_T]) +m4trace:configure.ac:1310: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_CHAR]) +m4trace:configure.ac:1313: -1- AC_DEFINE_TRACE_LITERAL([socklen_t]) +m4trace:configure.ac:1313: -1- AH_OUTPUT([socklen_t], [/* type to use in place of socklen_t if not defined */ #undef socklen_t]) -m4trace:configure.ac:1274: -1- AC_CHECK_TYPES([sig_atomic_t], [], [], [#include ]) -m4trace:configure.ac:1274: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SIG_ATOMIC_T]) -m4trace:configure.ac:1274: -1- AH_OUTPUT([HAVE_SIG_ATOMIC_T], [/* Define to 1 if the system has the type \`sig_atomic_t'. */ +m4trace:configure.ac:1315: -1- AC_CHECK_TYPES([sig_atomic_t], [], [], [#include ]) +m4trace:configure.ac:1315: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SIG_ATOMIC_T]) +m4trace:configure.ac:1315: -1- AH_OUTPUT([HAVE_SIG_ATOMIC_T], [/* Define to 1 if the system has the type \`sig_atomic_t'. */ #undef HAVE_SIG_ATOMIC_T]) -m4trace:configure.ac:1287: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SIZE_T]) -m4trace:configure.ac:1301: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SSIZE_T]) -m4trace:configure.ac:1315: -1- AC_DEFINE_TRACE_LITERAL([HAVE_CLOCK_T]) -m4trace:configure.ac:1340: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SA_FAMILY_T]) -m4trace:configure.ac:1354: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PID_T]) -m4trace:configure.ac:1368: -1- AC_DEFINE_TRACE_LITERAL([HAVE_MODE_T]) -m4trace:configure.ac:1384: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_SOCKADDR_STORAGE]) -m4trace:configure.ac:1399: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_SOCKADDR_IN6]) -m4trace:configure.ac:1414: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_IN6_ADDR]) -m4trace:configure.ac:1430: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_ADDRINFO]) -m4trace:configure.ac:1442: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_TIMEVAL]) -m4trace:configure.ac:1479: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SNPRINTF]) -m4trace:configure.ac:1481: -1- AC_SUBST([NO_SFTP]) -m4trace:configure.ac:1484: -1- AC_DEFINE_TRACE_LITERAL([HAVE_HOST_IN_UTMP]) -m4trace:configure.ac:1485: -1- 
AC_DEFINE_TRACE_LITERAL([HAVE_HOST_IN_UTMPX]) -m4trace:configure.ac:1486: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SYSLEN_IN_UTMPX]) -m4trace:configure.ac:1487: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PID_IN_UTMP]) -m4trace:configure.ac:1488: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TYPE_IN_UTMP]) -m4trace:configure.ac:1489: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TYPE_IN_UTMPX]) -m4trace:configure.ac:1490: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TV_IN_UTMP]) -m4trace:configure.ac:1491: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ID_IN_UTMP]) -m4trace:configure.ac:1492: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ID_IN_UTMPX]) -m4trace:configure.ac:1493: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_IN_UTMP]) -m4trace:configure.ac:1494: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_IN_UTMPX]) -m4trace:configure.ac:1495: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_V6_IN_UTMP]) -m4trace:configure.ac:1496: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_V6_IN_UTMPX]) -m4trace:configure.ac:1497: -1- AC_DEFINE_TRACE_LITERAL([HAVE_EXIT_IN_UTMP]) -m4trace:configure.ac:1498: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TIME_IN_UTMP]) -m4trace:configure.ac:1499: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TIME_IN_UTMPX]) -m4trace:configure.ac:1500: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TV_IN_UTMPX]) -m4trace:configure.ac:1502: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_STAT_ST_BLKSIZE]) -m4trace:configure.ac:1502: -1- AH_OUTPUT([HAVE_STRUCT_STAT_ST_BLKSIZE], [/* Define to 1 if \`st_blksize' is member of \`struct stat'. 
*/ +m4trace:configure.ac:1328: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SIZE_T]) +m4trace:configure.ac:1342: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SSIZE_T]) +m4trace:configure.ac:1356: -1- AC_DEFINE_TRACE_LITERAL([HAVE_CLOCK_T]) +m4trace:configure.ac:1381: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SA_FAMILY_T]) +m4trace:configure.ac:1395: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PID_T]) +m4trace:configure.ac:1409: -1- AC_DEFINE_TRACE_LITERAL([HAVE_MODE_T]) +m4trace:configure.ac:1425: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_SOCKADDR_STORAGE]) +m4trace:configure.ac:1440: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_SOCKADDR_IN6]) +m4trace:configure.ac:1455: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_IN6_ADDR]) +m4trace:configure.ac:1471: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_ADDRINFO]) +m4trace:configure.ac:1483: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_TIMEVAL]) +m4trace:configure.ac:1487: -1- AC_CHECK_TYPES([struct timespec]) +m4trace:configure.ac:1487: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_TIMESPEC]) +m4trace:configure.ac:1487: -1- AH_OUTPUT([HAVE_STRUCT_TIMESPEC], [/* Define to 1 if the system has the type \`struct timespec'. 
*/ +#undef HAVE_STRUCT_TIMESPEC]) +m4trace:configure.ac:1524: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SNPRINTF]) +m4trace:configure.ac:1528: -1- AC_DEFINE_TRACE_LITERAL([HAVE_HOST_IN_UTMP]) +m4trace:configure.ac:1529: -1- AC_DEFINE_TRACE_LITERAL([HAVE_HOST_IN_UTMPX]) +m4trace:configure.ac:1530: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SYSLEN_IN_UTMPX]) +m4trace:configure.ac:1531: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PID_IN_UTMP]) +m4trace:configure.ac:1532: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TYPE_IN_UTMP]) +m4trace:configure.ac:1533: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TYPE_IN_UTMPX]) +m4trace:configure.ac:1534: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TV_IN_UTMP]) +m4trace:configure.ac:1535: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ID_IN_UTMP]) +m4trace:configure.ac:1536: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ID_IN_UTMPX]) +m4trace:configure.ac:1537: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_IN_UTMP]) +m4trace:configure.ac:1538: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_IN_UTMPX]) +m4trace:configure.ac:1539: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_V6_IN_UTMP]) +m4trace:configure.ac:1540: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_V6_IN_UTMPX]) +m4trace:configure.ac:1541: -1- AC_DEFINE_TRACE_LITERAL([HAVE_EXIT_IN_UTMP]) +m4trace:configure.ac:1542: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TIME_IN_UTMP]) +m4trace:configure.ac:1543: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TIME_IN_UTMPX]) +m4trace:configure.ac:1544: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TV_IN_UTMPX]) +m4trace:configure.ac:1546: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_STAT_ST_BLKSIZE]) +m4trace:configure.ac:1546: -1- AH_OUTPUT([HAVE_STRUCT_STAT_ST_BLKSIZE], [/* Define to 1 if \`st_blksize' is member of \`struct stat'. 
*/ #undef HAVE_STRUCT_STAT_ST_BLKSIZE]) -m4trace:configure.ac:1517: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SS_FAMILY_IN_SS]) -m4trace:configure.ac:1533: -1- AC_DEFINE_TRACE_LITERAL([HAVE___SS_FAMILY_IN_SS]) -m4trace:configure.ac:1548: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PW_CLASS_IN_PASSWD]) -m4trace:configure.ac:1563: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PW_EXPIRE_IN_PASSWD]) -m4trace:configure.ac:1578: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PW_CHANGE_IN_PASSWD]) -m4trace:configure.ac:1603: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ACCRIGHTS_IN_MSGHDR]) -m4trace:configure.ac:1627: -1- AC_DEFINE_TRACE_LITERAL([HAVE_CONTROL_IN_MSGHDR]) -m4trace:configure.ac:1638: -1- AC_DEFINE_TRACE_LITERAL([HAVE___PROGNAME]) -m4trace:configure.ac:1651: -1- AC_DEFINE_TRACE_LITERAL([HAVE___FUNCTION__]) -m4trace:configure.ac:1664: -1- AC_DEFINE_TRACE_LITERAL([HAVE___func__]) -m4trace:configure.ac:1679: -1- AC_DEFINE_TRACE_LITERAL([HAVE_GETOPT_OPTRESET]) -m4trace:configure.ac:1690: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SYS_ERRLIST]) -m4trace:configure.ac:1702: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SYS_NERR]) -m4trace:configure.ac:1735: -1- AC_CHECK_HEADERS([sectok.h]) -m4trace:configure.ac:1735: -1- AH_OUTPUT([HAVE_SECTOK_H], [/* Define to 1 if you have the header file. 
*/ +m4trace:configure.ac:1561: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SS_FAMILY_IN_SS]) +m4trace:configure.ac:1577: -1- AC_DEFINE_TRACE_LITERAL([HAVE___SS_FAMILY_IN_SS]) +m4trace:configure.ac:1592: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PW_CLASS_IN_PASSWD]) +m4trace:configure.ac:1607: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PW_EXPIRE_IN_PASSWD]) +m4trace:configure.ac:1622: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PW_CHANGE_IN_PASSWD]) +m4trace:configure.ac:1647: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ACCRIGHTS_IN_MSGHDR]) +m4trace:configure.ac:1671: -1- AC_DEFINE_TRACE_LITERAL([HAVE_CONTROL_IN_MSGHDR]) +m4trace:configure.ac:1682: -1- AC_DEFINE_TRACE_LITERAL([HAVE___PROGNAME]) +m4trace:configure.ac:1695: -1- AC_DEFINE_TRACE_LITERAL([HAVE___FUNCTION__]) +m4trace:configure.ac:1708: -1- AC_DEFINE_TRACE_LITERAL([HAVE___func__]) +m4trace:configure.ac:1723: -1- AC_DEFINE_TRACE_LITERAL([HAVE_GETOPT_OPTRESET]) +m4trace:configure.ac:1734: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SYS_ERRLIST]) +m4trace:configure.ac:1746: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SYS_NERR]) +m4trace:configure.ac:1779: -1- AC_CHECK_HEADERS([sectok.h]) +m4trace:configure.ac:1779: -1- AH_OUTPUT([HAVE_SECTOK_H], [/* Define to 1 if you have the header file. */ #undef HAVE_SECTOK_H]) -m4trace:configure.ac:1735: -1- AC_CHECK_LIB([sectok], [sectok_open]) -m4trace:configure.ac:1735: -1- AH_OUTPUT([HAVE_LIBSECTOK], [/* Define to 1 if you have the \`sectok' library (-lsectok). */ +m4trace:configure.ac:1779: -1- AC_CHECK_LIB([sectok], [sectok_open]) +m4trace:configure.ac:1779: -1- AH_OUTPUT([HAVE_LIBSECTOK], [/* Define to 1 if you have the \`sectok' library (-lsectok). 
*/ #undef HAVE_LIBSECTOK]) -m4trace:configure.ac:1735: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBSECTOK]) -m4trace:configure.ac:1735: -1- AC_DEFINE_TRACE_LITERAL([SMARTCARD]) -m4trace:configure.ac:1735: -1- AC_DEFINE_TRACE_LITERAL([USE_SECTOK]) -m4trace:configure.ac:1744: -1- AC_SUBST([OPENSC_CONFIG], [$ac_cv_path_OPENSC_CONFIG]) -m4trace:configure.ac:1750: -1- AC_DEFINE_TRACE_LITERAL([SMARTCARD]) -m4trace:configure.ac:1751: -1- AC_DEFINE_TRACE_LITERAL([USE_OPENSC]) -m4trace:configure.ac:1793: -1- AC_DEFINE_TRACE_LITERAL([KRB5]) -m4trace:configure.ac:1793: -1- AC_DEFINE_TRACE_LITERAL([HEIMDAL]) -m4trace:configure.ac:1793: -1- AC_CHECK_LIB([resolv], [dn_expand], [], []) -m4trace:configure.ac:1793: -1- AH_OUTPUT([HAVE_LIBRESOLV], [/* Define to 1 if you have the \`resolv' library (-lresolv). */ +m4trace:configure.ac:1779: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBSECTOK]) +m4trace:configure.ac:1779: -1- AC_DEFINE_TRACE_LITERAL([SMARTCARD]) +m4trace:configure.ac:1779: -1- AC_DEFINE_TRACE_LITERAL([USE_SECTOK]) +m4trace:configure.ac:1788: -1- AC_SUBST([OPENSC_CONFIG], [$ac_cv_path_OPENSC_CONFIG]) +m4trace:configure.ac:1794: -1- AC_DEFINE_TRACE_LITERAL([SMARTCARD]) +m4trace:configure.ac:1795: -1- AC_DEFINE_TRACE_LITERAL([USE_OPENSC]) +m4trace:configure.ac:1837: -1- AC_DEFINE_TRACE_LITERAL([KRB5]) +m4trace:configure.ac:1837: -1- AC_DEFINE_TRACE_LITERAL([HEIMDAL]) +m4trace:configure.ac:1837: -1- AC_CHECK_LIB([resolv], [dn_expand], [], []) +m4trace:configure.ac:1837: -1- AH_OUTPUT([HAVE_LIBRESOLV], [/* Define to 1 if you have the \`resolv' library (-lresolv). */ #undef HAVE_LIBRESOLV]) -m4trace:configure.ac:1793: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBRESOLV]) -m4trace:configure.ac:1847: -1- AC_CHECK_HEADERS([krb.h]) -m4trace:configure.ac:1847: -1- AH_OUTPUT([HAVE_KRB_H], [/* Define to 1 if you have the header file. 
*/ +m4trace:configure.ac:1837: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBRESOLV]) +m4trace:configure.ac:1891: -1- AC_CHECK_HEADERS([krb.h]) +m4trace:configure.ac:1891: -1- AH_OUTPUT([HAVE_KRB_H], [/* Define to 1 if you have the header file. */ #undef HAVE_KRB_H]) -m4trace:configure.ac:1847: -1- AC_CHECK_LIB([krb], [main]) -m4trace:configure.ac:1847: -1- AH_OUTPUT([HAVE_LIBKRB], [/* Define to 1 if you have the \`krb' library (-lkrb). */ +m4trace:configure.ac:1891: -1- AC_CHECK_LIB([krb], [main]) +m4trace:configure.ac:1891: -1- AH_OUTPUT([HAVE_LIBKRB], [/* Define to 1 if you have the \`krb' library (-lkrb). */ #undef HAVE_LIBKRB]) -m4trace:configure.ac:1847: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBKRB]) -m4trace:configure.ac:1847: -1- AC_CHECK_LIB([krb4], [main]) -m4trace:configure.ac:1847: -1- AH_OUTPUT([HAVE_LIBKRB4], [/* Define to 1 if you have the \`krb4' library (-lkrb4). */ +m4trace:configure.ac:1891: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBKRB]) +m4trace:configure.ac:1891: -1- AC_CHECK_LIB([krb4], [main]) +m4trace:configure.ac:1891: -1- AH_OUTPUT([HAVE_LIBKRB4], [/* Define to 1 if you have the \`krb4' library (-lkrb4). */ #undef HAVE_LIBKRB4]) -m4trace:configure.ac:1847: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBKRB4]) -m4trace:configure.ac:1847: -1- AC_CHECK_LIB([des], [des_cbc_encrypt]) -m4trace:configure.ac:1847: -1- AH_OUTPUT([HAVE_LIBDES], [/* Define to 1 if you have the \`des' library (-ldes). */ +m4trace:configure.ac:1891: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBKRB4]) +m4trace:configure.ac:1891: -1- AC_CHECK_LIB([des], [des_cbc_encrypt]) +m4trace:configure.ac:1891: -1- AH_OUTPUT([HAVE_LIBDES], [/* Define to 1 if you have the \`des' library (-ldes). */ #undef HAVE_LIBDES]) -m4trace:configure.ac:1847: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBDES]) -m4trace:configure.ac:1847: -1- AC_CHECK_LIB([des425], [des_cbc_encrypt]) -m4trace:configure.ac:1847: -1- AH_OUTPUT([HAVE_LIBDES425], [/* Define to 1 if you have the \`des425' library (-ldes425). 
*/ +m4trace:configure.ac:1891: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBDES]) +m4trace:configure.ac:1891: -1- AC_CHECK_LIB([des425], [des_cbc_encrypt]) +m4trace:configure.ac:1891: -1- AH_OUTPUT([HAVE_LIBDES425], [/* Define to 1 if you have the \`des425' library (-ldes425). */ #undef HAVE_LIBDES425]) -m4trace:configure.ac:1847: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBDES425]) -m4trace:configure.ac:1847: -1- AC_CHECK_LIB([resolv], [dn_expand], [], []) -m4trace:configure.ac:1847: -1- AH_OUTPUT([HAVE_LIBRESOLV], [/* Define to 1 if you have the \`resolv' library (-lresolv). */ +m4trace:configure.ac:1891: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBDES425]) +m4trace:configure.ac:1891: -1- AC_CHECK_LIB([resolv], [dn_expand], [], []) +m4trace:configure.ac:1891: -1- AH_OUTPUT([HAVE_LIBRESOLV], [/* Define to 1 if you have the \`resolv' library (-lresolv). */ #undef HAVE_LIBRESOLV]) -m4trace:configure.ac:1847: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBRESOLV]) -m4trace:configure.ac:1847: -1- AC_DEFINE_TRACE_LITERAL([KRB4]) -m4trace:configure.ac:1873: -1- AC_DEFINE_TRACE_LITERAL([AFS]) -m4trace:configure.ac:1887: -1- AC_SUBST([PRIVSEP_PATH]) -m4trace:configure.ac:1907: -1- AC_SUBST([xauth_path], [$ac_cv_path_xauth_path]) -m4trace:configure.ac:1911: -1- AC_SUBST([XAUTH_PATH]) -m4trace:configure.ac:1913: -1- AC_DEFINE_TRACE_LITERAL([XAUTH_PATH]) -m4trace:configure.ac:1915: -1- AC_SUBST([XAUTH_PATH]) -m4trace:configure.ac:1921: -1- AC_DEFINE_TRACE_LITERAL([MAIL_DIRECTORY]) -m4trace:configure.ac:1931: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DEV_PTMX]) -m4trace:configure.ac:1939: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DEV_PTS_AND_PTC]) -m4trace:configure.ac:1957: -1- AC_SUBST([NROFF], [$ac_cv_path_NROFF]) -m4trace:configure.ac:1966: -1- AC_SUBST([MANTYPE]) -m4trace:configure.ac:1972: -1- AC_SUBST([mansubdir]) -m4trace:configure.ac:1984: -1- AC_DEFINE_TRACE_LITERAL([HAVE_MD5_PASSWORDS]) -m4trace:configure.ac:1995: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW]) -m4trace:configure.ac:2010: -1- 
AC_DEFINE_TRACE_LITERAL([HAS_SHADOW_EXPIRE]) -m4trace:configure.ac:2019: -1- AC_DEFINE_TRACE_LITERAL([IPADDR_IN_DISPLAY]) -m4trace:configure.ac:2030: -1- AC_DEFINE_TRACE_LITERAL([IPADDR_IN_DISPLAY]) -m4trace:configure.ac:2107: -1- AC_DEFINE_TRACE_LITERAL([USER_PATH]) -m4trace:configure.ac:2108: -1- AC_SUBST([user_path]) -m4trace:configure.ac:2120: -1- AC_DEFINE_TRACE_LITERAL([SUPERUSER_PATH]) -m4trace:configure.ac:2133: -1- AC_DEFINE_TRACE_LITERAL([IPV4_DEFAULT]) -m4trace:configure.ac:2156: -1- AC_DEFINE_TRACE_LITERAL([IPV4_IN_IPV6]) -m4trace:configure.ac:2156: -1- AC_DEFINE_TRACE_LITERAL([IPV4_IN_IPV6]) -m4trace:configure.ac:2168: -1- AC_DEFINE_TRACE_LITERAL([BSD_AUTH]) -m4trace:configure.ac:2192: -1- AC_DEFINE_TRACE_LITERAL([_PATH_SSH_PIDDIR]) -m4trace:configure.ac:2193: -1- AC_SUBST([piddir]) -m4trace:configure.ac:2199: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LASTLOG]) -m4trace:configure.ac:2203: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP]) -m4trace:configure.ac:2207: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMPX]) -m4trace:configure.ac:2211: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP]) -m4trace:configure.ac:2215: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMPX]) -m4trace:configure.ac:2219: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LOGIN]) -m4trace:configure.ac:2223: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_PUTUTLINE]) -m4trace:configure.ac:2227: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_PUTUTXLINE]) -m4trace:configure.ac:2237: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LASTLOG]) -m4trace:configure.ac:2299: -1- AC_DEFINE_TRACE_LITERAL([CONF_LASTLOG_FILE]) -m4trace:configure.ac:2324: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP]) -m4trace:configure.ac:2329: -1- AC_DEFINE_TRACE_LITERAL([CONF_UTMP_FILE]) -m4trace:configure.ac:2354: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP]) -m4trace:configure.ac:2359: -1- AC_DEFINE_TRACE_LITERAL([CONF_WTMP_FILE]) -m4trace:configure.ac:2384: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMPX]) -m4trace:configure.ac:2387: -1- AC_DEFINE_TRACE_LITERAL([CONF_UTMPX_FILE]) 
-m4trace:configure.ac:2409: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMPX]) -m4trace:configure.ac:2412: -1- AC_DEFINE_TRACE_LITERAL([CONF_WTMPX_FILE]) -m4trace:configure.ac:2430: -1- AC_CONFIG_FILES([Makefile openbsd-compat/Makefile scard/Makefile ssh_prng_cmds]) +m4trace:configure.ac:1891: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBRESOLV]) +m4trace:configure.ac:1891: -1- AC_DEFINE_TRACE_LITERAL([KRB4]) +m4trace:configure.ac:1917: -1- AC_DEFINE_TRACE_LITERAL([AFS]) +m4trace:configure.ac:1931: -1- AC_SUBST([PRIVSEP_PATH]) +m4trace:configure.ac:1951: -1- AC_SUBST([xauth_path], [$ac_cv_path_xauth_path]) +m4trace:configure.ac:1962: -1- AC_SUBST([STRIP_OPT]) +m4trace:configure.ac:1966: -1- AC_SUBST([XAUTH_PATH]) +m4trace:configure.ac:1968: -1- AC_DEFINE_TRACE_LITERAL([XAUTH_PATH]) +m4trace:configure.ac:1970: -1- AC_SUBST([XAUTH_PATH]) +m4trace:configure.ac:1976: -1- AC_DEFINE_TRACE_LITERAL([MAIL_DIRECTORY]) +m4trace:configure.ac:1986: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DEV_PTMX]) +m4trace:configure.ac:1994: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DEV_PTS_AND_PTC]) +m4trace:configure.ac:2012: -1- AC_SUBST([NROFF], [$ac_cv_path_NROFF]) +m4trace:configure.ac:2021: -1- AC_SUBST([MANTYPE]) +m4trace:configure.ac:2027: -1- AC_SUBST([mansubdir]) +m4trace:configure.ac:2039: -1- AC_DEFINE_TRACE_LITERAL([HAVE_MD5_PASSWORDS]) +m4trace:configure.ac:2050: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW]) +m4trace:configure.ac:2065: -1- AC_DEFINE_TRACE_LITERAL([HAS_SHADOW_EXPIRE]) +m4trace:configure.ac:2074: -1- AC_DEFINE_TRACE_LITERAL([IPADDR_IN_DISPLAY]) +m4trace:configure.ac:2085: -1- AC_DEFINE_TRACE_LITERAL([IPADDR_IN_DISPLAY]) +m4trace:configure.ac:2166: -1- AC_DEFINE_TRACE_LITERAL([USER_PATH]) +m4trace:configure.ac:2167: -1- AC_SUBST([user_path]) +m4trace:configure.ac:2179: -1- AC_DEFINE_TRACE_LITERAL([SUPERUSER_PATH]) +m4trace:configure.ac:2192: -1- AC_DEFINE_TRACE_LITERAL([IPV4_DEFAULT]) +m4trace:configure.ac:2215: -1- AC_DEFINE_TRACE_LITERAL([IPV4_IN_IPV6]) +m4trace:configure.ac:2215: -1- 
AC_DEFINE_TRACE_LITERAL([IPV4_IN_IPV6]) +m4trace:configure.ac:2227: -1- AC_DEFINE_TRACE_LITERAL([BSD_AUTH]) +m4trace:configure.ac:2251: -1- AC_DEFINE_TRACE_LITERAL([_PATH_SSH_PIDDIR]) +m4trace:configure.ac:2252: -1- AC_SUBST([piddir]) +m4trace:configure.ac:2258: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LASTLOG]) +m4trace:configure.ac:2262: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP]) +m4trace:configure.ac:2266: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMPX]) +m4trace:configure.ac:2270: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP]) +m4trace:configure.ac:2274: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMPX]) +m4trace:configure.ac:2278: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LOGIN]) +m4trace:configure.ac:2282: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_PUTUTLINE]) +m4trace:configure.ac:2286: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_PUTUTXLINE]) +m4trace:configure.ac:2296: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LASTLOG]) +m4trace:configure.ac:2358: -1- AC_DEFINE_TRACE_LITERAL([CONF_LASTLOG_FILE]) +m4trace:configure.ac:2383: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP]) +m4trace:configure.ac:2388: -1- AC_DEFINE_TRACE_LITERAL([CONF_UTMP_FILE]) +m4trace:configure.ac:2413: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP]) +m4trace:configure.ac:2418: -1- AC_DEFINE_TRACE_LITERAL([CONF_WTMP_FILE]) +m4trace:configure.ac:2443: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMPX]) +m4trace:configure.ac:2446: -1- AC_DEFINE_TRACE_LITERAL([CONF_UTMPX_FILE]) +m4trace:configure.ac:2468: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMPX]) +m4trace:configure.ac:2471: -1- AC_DEFINE_TRACE_LITERAL([CONF_WTMPX_FILE]) +m4trace:configure.ac:2489: -1- AC_CONFIG_FILES([Makefile openbsd-compat/Makefile scard/Makefile ssh_prng_cmds]) diff -ru openssh-3.5p1/bufaux.c openssh-3.6p1/bufaux.c --- openssh-3.5p1/bufaux.c 2002-06-26 19:14:09.000000000 +1000 +++ openssh-3.6p1/bufaux.c 2002-11-10 02:43:25.000000000 +1100 
@@ -37,7 +37,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: bufaux.c,v 1.27 2002/06/26 08:53:12 markus Exp $"); +RCSID("$OpenBSD: bufaux.c,v 1.28 2002/10/23 10:40:16 markus Exp $"); #include #include "bufaux.h" @@ -225,7 +225,7 @@ /* Get the length. */ len = buffer_get_int(buffer); if (len > 256 * 1024) - fatal("buffer_get_string: bad string length %d", len); + fatal("buffer_get_string: bad string length %u", len); /* Allocate space for the string. Add one byte for a null character. */ value = xmalloc(len + 1); /* Get the string. */ diff -ru openssh-3.5p1/canohost.c openssh-3.6p1/canohost.c --- openssh-3.5p1/canohost.c 2002-09-25 12:19:09.000000000 +1000 +++ openssh-3.6p1/canohost.c 2003-01-07 10:51:23.000000000 +1100 @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: canohost.c,v 1.34 2002/09/23 20:46:27 stevesk Exp $"); +RCSID("$OpenBSD: canohost.c,v 1.35 2002/11/26 02:38:54 stevesk Exp $"); #include "packet.h" #include "xmalloc.h" @@ -38,7 +38,7 @@ /* Get IP address of client. */ fromlen = sizeof(from); memset(&from, 0, sizeof(from)); - if (getpeername(socket, (struct sockaddr *) &from, &fromlen) < 0) { + if (getpeername(socket, (struct sockaddr *)&from, &fromlen) < 0) { debug("getpeername failed: %.100s", strerror(errno)); fatal_cleanup(); } @@ -59,11 +59,14 @@ memset(&from, 0, sizeof(from)); from4->sin_family = AF_INET; + fromlen = sizeof(*from4); memcpy(&from4->sin_addr, &addr, sizeof(addr)); from4->sin_port = port; } } #endif + if (from.ss_family == AF_INET6) + fromlen = sizeof(struct sockaddr_in6); if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0) @@ -202,8 +205,8 @@ } /* - * Returns the remote IP-address of socket as a string. The returned - * string must be freed. + * Returns the local/remote IP-address/hostname of socket as a string. + * The returned string must be freed. */ static char * get_socket_address(int socket, int remote, int flags) 
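Review bot: In the canohost.c hunk at @@ -59,11 +59,14 @@, the AF_INET6 override of fromlen added after #endif carries no comment, while the same two-line override in the later @@ -225,10 +228,15 @@ and @@ -314,11 +322,16 @@ hunks of this file is labelled "Work around Linux IPv6 weirdness". Suggest adding the comment here too, and making it say what length the kernel returns and why getnameinfo() needs it corrected, since "weirdness" gives a future reader nothing to test against. The override now appears three times in canohost.c, so a small static helper would keep the copies from drifting.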
@@ -225,10 +228,15 @@ < 0) return NULL; } + + /* Work around Linux IPv6 weirdness */ + if (addr.ss_family == AF_INET6) + addrlen = sizeof(struct sockaddr_in6); + /* Get the address in ascii. */ if (getnameinfo((struct sockaddr *)&addr, addrlen, ntop, sizeof(ntop), NULL, 0, flags) != 0) { - error("get_socket_ipaddr: getnameinfo %d failed", flags); + error("get_socket_address: getnameinfo %d failed", flags); return NULL; } return xstrdup(ntop); @@ -314,11 +322,16 @@ return 0; } } else { - if (getpeername(sock, (struct sockaddr *) & from, &fromlen) < 0) { + if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) { debug("getpeername failed: %.100s", strerror(errno)); fatal_cleanup(); } } + + /* Work around Linux IPv6 weirdness */ + if (from.ss_family == AF_INET6) + fromlen = sizeof(struct sockaddr_in6); + /* Return port number. */ if (getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0, strport, sizeof(strport), NI_NUMERICSERV) != 0) diff -ru openssh-3.5p1/channels.c openssh-3.6p1/channels.c --- openssh-3.5p1/channels.c 2002-09-19 11:54:55.000000000 +1000 +++ openssh-3.6p1/channels.c 2003-03-10 11:21:17.000000000 +1100 @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.183 2002/09/17 07:47:02 itojun Exp $"); +RCSID("$OpenBSD: channels.c,v 1.187 2003/03/05 22:33:43 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -413,13 +413,13 @@ #if 0 if (!compat20 && buffer_len(&c->input) > packet_get_maxsize()) { - debug("channel %d: big input buffer %d", + debug2("channel %d: big input buffer %d", c->self, buffer_len(&c->input)); return 0; } #endif if (buffer_len(&c->output) > packet_get_maxsize()) { - debug("channel %d: big output buffer %d > %d", + debug2("channel %d: big output buffer %d > %d", c->self, buffer_len(&c->output), packet_get_maxsize()); return 0; 
@@ -578,7 +578,7 @@ log("channel_send_open: %d: bad id", id); return; } - debug("send channel open %d", id); + debug2("channel %d: send open", id); packet_start(SSH2_MSG_CHANNEL_OPEN); packet_put_cstring(c->ctype); packet_put_int(c->self); @@ -588,15 +588,15 @@ } void -channel_request_start(int local_id, char *service, int wantconfirm) +channel_request_start(int id, char *service, int wantconfirm) { - Channel *c = channel_lookup(local_id); + Channel *c = channel_lookup(id); if (c == NULL) { - log("channel_request_start: %d: unknown channel id", local_id); + log("channel_request_start: %d: unknown channel id", id); return; } - debug("channel request %d: %s", local_id, service) ; + debug("channel %d: request %s", id, service) ; packet_start(SSH2_MSG_CHANNEL_REQUEST); packet_put_int(c->remote_id); packet_put_cstring(service); @@ -1997,6 +1997,7 @@ c->remote_id = remote_id; } if (c == NULL) { + xfree(originator_string); packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); packet_put_int(remote_id); packet_send(); @@ -2281,7 +2282,10 @@ } sock = socket(ai->ai_family, SOCK_STREAM, 0); if (sock < 0) { - error("socket: %.100s", strerror(errno)); + if (ai->ai_next == NULL) + error("socket: %.100s", strerror(errno)); + else + verbose("socket: %.100s", strerror(errno)); continue; } if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0) @@ -2606,6 +2610,7 @@ /* Send refusal to the remote host. */ packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); packet_put_int(remote_id); + xfree(remote_host); } else { /* Send a confirmation to the remote host. */ packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); diff -ru openssh-3.5p1/cipher.c openssh-3.6p1/cipher.c --- openssh-3.5p1/cipher.c 2002-09-10 22:26:18.000000000 +1000 +++ openssh-3.6p1/cipher.c 2002-12-23 13:04:22.000000000 +1100 @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: cipher.c,v 1.61 2002/07/12 15:50:17 markus Exp $"); +RCSID("$OpenBSD: cipher.c,v 1.62 2002/11/21 22:45:31 markus Exp $"); #include "xmalloc.h" #include "log.h" 
@@ -239,7 +239,7 @@ cipher->name); klen = EVP_CIPHER_CTX_key_length(&cc->evp); if (klen > 0 && keylen != klen) { - debug("cipher_init: set keylen (%d -> %d)", klen, keylen); + debug2("cipher_init: set keylen (%d -> %d)", klen, keylen); if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0) fatal("cipher_init: set keylen failed (%d -> %d)", klen, keylen); diff -ru openssh-3.5p1/clientloop.c openssh-3.6p1/clientloop.c --- openssh-3.5p1/clientloop.c 2002-09-04 16:32:13.000000000 +1000 +++ openssh-3.6p1/clientloop.c 2002-12-23 13:01:55.000000000 +1100 @@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.104 2002/08/22 19:38:42 stevesk Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.105 2002/11/18 16:43:44 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -888,10 +888,16 @@ client_init_dispatch(); - /* Set signal handlers to restore non-blocking mode. */ - signal(SIGINT, signal_handler); - signal(SIGQUIT, signal_handler); - signal(SIGTERM, signal_handler); + /* + * Set signal handlers, (e.g. to restore non-blocking mode) + * but don't overwrite SIG_IGN, matches behaviour from rsh(1) + */ + if (signal(SIGINT, SIG_IGN) != SIG_IGN) + signal(SIGINT, signal_handler); + if (signal(SIGQUIT, SIG_IGN) != SIG_IGN) + signal(SIGQUIT, signal_handler); + if (signal(SIGTERM, SIG_IGN) != SIG_IGN) + signal(SIGTERM, signal_handler); if (have_pty) signal(SIGWINCH, window_change_handler); diff -ru openssh-3.5p1/config.guess openssh-3.6p1/config.guess --- openssh-3.5p1/config.guess 2002-07-25 14:40:23.000000000 +1000 +++ openssh-3.6p1/config.guess 2003-03-21 12:07:45.000000000 +1100 
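Review bot: In the clientloop.c hunk at @@ -888,10 +888,16 @@, each probe of the form "if (signal(SIGINT, SIG_IGN) != SIG_IGN)" sets the signal to ignored until the following signal() call installs signal_handler, so a SIGINT, SIGQUIT or SIGTERM delivered between the two calls is discarded instead of being handled. sigaction(sig, NULL, &old) reads the current disposition without changing it; suggest testing old.sa_handler against SIG_IGN and installing the handler only when it differs. configure probes for sigaction, so the signal() form can stay as the fallback where it is missing. The return values are also not checked against SIG_ERR.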
@@ -726,6 +726,9 @@ CRAY*SV1:*:*:*) echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit 0 ;; + *:UNICOS/mp:*:*) + echo nv1-cray-unicosmp | sed -e 's/\.[^.]*$/.X/' + exit 0 ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` diff -ru openssh-3.5p1/config.h.in openssh-3.6p1/config.h.in --- openssh-3.5p1/config.h.in 2002-10-04 11:31:57.000000000 +1000 +++ openssh-3.6p1/config.h.in 2003-03-26 16:12:36.000000000 +1100 @@ -1,5 +1,5 @@ /* config.h.in. Generated from configure.ac by autoheader. */ -/* $Id: acconfig.h,v 1.145 2002/09/26 00:38:48 tim Exp $ */ +/* $Id: acconfig.h,v 1.149 2003/03/10 00:38:10 djm Exp $ */ #ifndef _CONFIG_H #define _CONFIG_H @@ -364,6 +364,19 @@ /* Define if your platform needs to skip post auth file descriptor passing */ #undef DISABLE_FD_PASSING +/* Silly mkstemp() */ +#undef HAVE_STRICT_MKSTEMP + +/* Setproctitle emulation */ +#undef SETPROCTITLE_STRATEGY +#undef SETPROCTITLE_PS_PADDING + +/* Some systems put this outside of libc */ +#undef HAVE_NANOSLEEP + +/* Pushing STREAMS modules incorrectly acquires a controlling TTY */ +#undef STREAMS_PUSH_ACQUIRES_CTTY + /* Define to 1 if the `getpgrp' function requires zero arguments. */ #undef GETPGRP_VOID @@ -374,6 +387,12 @@ /* Define to 1 if you have the `b64_ntop' function. */ #undef HAVE_B64_NTOP +/* Define to 1 if you have the `b64_pton' function. */ +#undef HAVE_B64_PTON + +/* Define to 1 if you have the `basename' function. */ +#undef HAVE_BASENAME + /* Define to 1 if you have the `bcopy' function. */ #undef HAVE_BCOPY @@ -599,6 +618,9 @@ /* Define to 1 if you have the `ngetaddrinfo' function. */ #undef HAVE_NGETADDRINFO +/* Define to 1 if you have the `nsleep' function. */ +#undef HAVE_NSLEEP + /* Define to 1 if you have the `ogetaddrinfo' function. */ #undef HAVE_OGETADDRINFO 
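Review bot: In the config.h.in hunk at @@ -364,6 +364,19 @@, the comments "Silly mkstemp()" and "Setproctitle emulation" do not say what defining HAVE_STRICT_MKSTEMP, SETPROCTITLE_STRATEGY or SETPROCTITLE_PS_PADDING means or which values are valid, unlike the neighbouring "Define if your platform needs to skip post auth file descriptor passing". Suggest rewording them in that "Define if ..." style. The file header says this file is generated and names acconfig.h, so the wording should be changed there rather than in this file.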
@@ -611,6 +633,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_PATHS_H +/* Define to 1 if you have the `pstat' function. */ +#undef HAVE_PSTAT + /* Define to 1 if you have the header file. */ #undef HAVE_PTY_H @@ -743,12 +768,18 @@ /* Define to 1 if you have the `strmode' function. */ #undef HAVE_STRMODE +/* Define to 1 if you have the `strnvis' function. */ +#undef HAVE_STRNVIS + /* Define to 1 if you have the `strsep' function. */ #undef HAVE_STRSEP /* Define to 1 if `st_blksize' is member of `struct stat'. */ #undef HAVE_STRUCT_STAT_ST_BLKSIZE +/* Define to 1 if the system has the type `struct timespec'. */ +#undef HAVE_STRUCT_TIMESPEC + /* Define to 1 if you have the `sysconf' function. */ #undef HAVE_SYSCONF @@ -764,6 +795,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_SYS_MMAN_H +/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_PSTAT_H + /* Define to 1 if you have the header file. */ #undef HAVE_SYS_SELECT_H @@ -776,6 +810,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_SYS_SYSMACROS_H +/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_TIMERS_H + /* Define to 1 if you have the header file. */ #undef HAVE_SYS_TIME_H @@ -848,6 +885,9 @@ /* Define to 1 if you have the `__b64_ntop' function. */ #undef HAVE___B64_NTOP +/* Define to 1 if you have the `__b64_pton' function. */ +#undef HAVE___B64_PTON + /* Define to the address where bug reports for this package should be sent. */ #undef PACKAGE_BUGREPORT diff -ru openssh-3.5p1/config.sub openssh-3.6p1/config.sub --- openssh-3.5p1/config.sub 2002-07-25 14:40:24.000000000 +1000 +++ openssh-3.6p1/config.sub 2003-03-21 12:07:45.000000000 +1100 
@@ -315,7 +315,7 @@ | mipsisa64-* | mipsisa64el-* \ | mipsisa64sb1-* | mipsisa64sb1el-* \ | mipstx39 | mipstx39el \ - | none-* | np1-* | ns16k-* | ns32k-* \ + | none-* | np1-* | ns16k-* | ns32k-* | nv1-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \ @@ -715,6 +715,9 @@ nsr-tandem) basic_machine=nsr-tandem ;; + nv1) + basic_machine=nv1-cray + ;; op50n-* | op60c-*) basic_machine=hppa1.1-oki os=-proelf @@ -887,6 +890,10 @@ basic_machine=sv1-cray os=-unicos ;; + sx*-nec) + basic_machine=sx6-nec + os=-sysv + ;; symmetry) basic_machine=i386-sequent os=-dynix diff -ru openssh-3.5p1/configure openssh-3.6p1/configure --- openssh-3.5p1/configure 2002-10-04 11:31:56.000000000 +1000 +++ openssh-3.6p1/configure 2003-03-26 16:12:34.000000000 +1100 @@ -827,6 +827,7 @@ --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --disable-largefile omit support for large files + --disable-strip Disable calling strip(1) on install --disable-lastlog disable use of lastlog even if detected no --disable-utmp disable use of utmp even if detected no --disable-utmpx disable use of utmpx even if detected no 
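Review bot: The help line added in the configure hunk at @@ -827,6 +827,7 @@, "--disable-strip Disable calling strip(1) on install", starts its description with a capital letter while the adjacent entries ("omit support for large files", "disable use of lastlog even if detected") are lower case. Suggest "disable calling strip(1) on install" for consistency, changed in configure.ac so that the regenerated configure picks it up.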
@@ -2719,6 +2720,45 @@ test -n "$PERL" && break done +# Extract the first word of "sed", so it can be a program name with args. +set dummy sed; ac_word=$2 +echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 +if test "${ac_cv_path_SED+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + case $SED in + [\\/]* | ?:[\\/]*) + ac_cv_path_SED="$SED" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_SED="$as_dir/$ac_word$ac_exec_ext" + echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done + + ;; +esac +fi +SED=$ac_cv_path_SED + +if test -n "$SED"; then + echo "$as_me:$LINENO: result: $SED" >&5 +echo "${ECHO_T}$SED" >&6 +else + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 +fi + # Extract the first word of "ent", so it can be a program name with args. set dummy ent; ac_word=$2 @@ -3660,8 +3700,17 @@ #define LOGIN_NEEDS_UTMPX 1 _ACEOF + cat >>confdefs.h <<\_ACEOF +#define SETPROCTITLE_STRATEGY PS_USE_CLOBBER_ARGV +_ACEOF + + cat >>confdefs.h <<\_ACEOF +#define SETPROCTITLE_PS_PADDING '\0' +_ACEOF + ;; *-*-cygwin*) + check_for_libcrypt_later=1 LIBS="$LIBS /usr/lib/textmode.o" cat >>confdefs.h <<\_ACEOF #define HAVE_CYGWIN 1 @@ -3782,7 +3831,7 @@ _ACEOF cat >>confdefs.h <<\_ACEOF -#define SPT_TYPE SPT_PSTAT +#define SETPROCTITLE_STRATEGY PS_USE_PSTAT _ACEOF LIBS="$LIBS -lsec -lsecpw" @@ -3884,7 +3933,7 @@ _ACEOF cat >>confdefs.h <<\_ACEOF -#define SPT_TYPE SPT_PSTAT +#define SETPROCTITLE_STRATEGY PS_USE_PSTAT _ACEOF LIBS="$LIBS -lsec" @@ -3986,7 +4035,7 @@ _ACEOF cat >>confdefs.h <<\_ACEOF -#define SPT_TYPE SPT_PSTAT +#define SETPROCTITLE_STRATEGY PS_USE_PSTAT _ACEOF LIBS="$LIBS -lsec" 
@@ -4180,6 +4229,14 @@ #define PAM_TTY_KLUDGE 1 _ACEOF + cat >>confdefs.h <<\_ACEOF +#define SETPROCTITLE_STRATEGY PS_USE_CLOBBER_ARGV +_ACEOF + + cat >>confdefs.h <<\_ACEOF +#define SETPROCTITLE_PS_PADDING '\0' +_ACEOF + inet6_default_4in6=yes ;; mips-sony-bsd|mips-sony-newsos4) @@ -4240,6 +4297,10 @@ #define PAM_TTY_KLUDGE 1 _ACEOF + cat >>confdefs.h <<\_ACEOF +#define STREAMS_PUSH_ACQUIRES_CTTY 1 +_ACEOF + # hardwire lastlog location (can't detect it on some versions) conf_lastlog_location="/var/adm/lastlog" echo "$as_me:$LINENO: checking for obsolete utmp and wtmp in solaris2.x" >&5 @@ -4504,6 +4565,9 @@ do_sco3_extra_lib_check=yes ;; *-*-sco3.2v5*) + if test -z "$GCC"; then + CFLAGS="$CFLAGS -belf" + fi CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" LIBS="$LIBS -lprot -lx -ltinfo -lm" @@ -4604,8 +4668,6 @@ MANTYPE=man ;; *-*-unicosmk*) - no_libsocket=1 - no_libnsl=1 cat >>confdefs.h <<\_ACEOF #define USE_PIPES 1 _ACEOF @@ -4619,8 +4681,6 @@ MANTYPE=cat ;; *-*-unicos*) - no_libsocket=1 - no_libnsl=1 cat >>confdefs.h <<\_ACEOF #define USE_PIPES 1 _ACEOF @@ -4665,12 +4725,20 @@ #define DISABLE_LOGIN 1 _ACEOF + cat >>confdefs.h <<\_ACEOF +#define DISABLE_FD_PASSING 1 +_ACEOF + LIBS="$LIBS -lsecurity -ldb -lm -laud" else echo "$as_me:$LINENO: result: no" >&5 echo "${ECHO_T}no" >&6 fi fi + cat >>confdefs.h <<\_ACEOF +#define DISABLE_FD_PASSING 1 +_ACEOF + ;; *-*-nto-qnx) 
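Review bot: The configure hunk at @@ -4665,12 +4725,20 @@ appends "#define DISABLE_FD_PASSING 1" to confdefs.h twice: once inside the branch next to DISABLE_LOGIN, and again after the closing "fi fi" just before ";;". The second one runs for every path through this case arm, so the first is redundant; if the intent was to disable descriptor passing only in the inner branch, the second one is the mistake. Suggest keeping a single definition in configure.ac at whichever scope is intended and regenerating configure.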
@@ -4984,14 +5052,17 @@ + + + for ac_header in bstring.h crypt.h endian.h floatingpoint.h \ - getopt.h glob.h ia.h lastlog.h limits.h login.h \ + getopt.h glob.h ia.h lastlog.h libgen.h limits.h login.h \ login_cap.h maillock.h netdb.h netgroup.h \ netinet/in_systm.h paths.h pty.h readpassphrase.h \ rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ strings.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \ - sys/mman.h sys/select.h sys/stat.h \ - sys/stropts.h sys/sysmacros.h sys/time.h \ + sys/mman.h sys/pstat.h sys/select.h sys/stat.h \ + sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \ sys/un.h time.h tmpdir.h ttyent.h usersec.h \ util.h utime.h utmp.h utmpx.h do 
@@ -6740,17 +6811,262 @@ -for ac_func in arc4random b64_ntop bcopy bindresvport_sa \ - clock fchmod fchown freeaddrinfo futimes gai_strerror \ - getaddrinfo getcwd getgrouplist getnameinfo getopt getpeereid\ - getrlimit getrusage getttyent glob inet_aton inet_ntoa \ - inet_ntop innetgr login_getcapbool md5_crypt memmove \ - mkdtemp mmap ngetaddrinfo openpty ogetaddrinfo readpassphrase \ - realpath recvmsg rresvport_af sendmsg setdtablesize setegid \ - setenv seteuid setgroups setlogin setproctitle setresgid setreuid \ - setrlimit setsid setpcred setvbuf sigaction sigvec snprintf \ - socketpair strerror strlcat strlcpy strmode strsep sysconf tcgetpgrp \ - truncate utimes vhangup vsnprintf waitpid __b64_ntop _getpty + + + + + +for ac_func in \ + arc4random __b64_ntop b64_ntop __b64_pton b64_pton basename bcopy \ + bindresvport_sa clock fchmod fchown freeaddrinfo futimes \ + gai_strerror getaddrinfo getcwd getgrouplist getnameinfo getopt \ + getpeereid _getpty getrlimit getrusage getttyent glob inet_aton \ + inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \ + mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openpty pstat \ + readpassphrase realpath recvmsg rresvport_af sendmsg setdtablesize \ + setegid setenv seteuid setgroups setlogin setpcred setproctitle \ + setresgid setreuid setrlimit setsid setvbuf sigaction sigvec \ + snprintf socketpair strerror strlcat strlcpy strmode strnvis \ + sysconf tcgetpgrp truncate utimes vhangup vsnprintf waitpid \ + +do +as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` +echo "$as_me:$LINENO: checking for $ac_func" >&5 +echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 +if eval "test \"\${$as_ac_var+set}\" = set"; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. 
*/ +#include +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char $ac_func (); +char (*f) (); + +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +f = $ac_func; +#endif + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + eval "$as_ac_var=yes" +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +eval "$as_ac_var=no" +fi +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 +if test `eval echo '${'$as_ac_var'}'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + +echo "$as_me:$LINENO: checking for library containing nanosleep" >&5 +echo $ECHO_N "checking for library containing nanosleep... 
$ECHO_C" >&6 +if test "${ac_cv_search_nanosleep+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_func_search_save_LIBS=$LIBS +ac_cv_search_nanosleep=no +cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char nanosleep (); +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +nanosleep (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_search_nanosleep="none required" +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +fi +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext +if test "$ac_cv_search_nanosleep" = no; then + for ac_lib in rt posix4; do + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. 
*/ +char nanosleep (); +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +nanosleep (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_search_nanosleep="-l$ac_lib" +break +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +fi +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext + done +fi +LIBS=$ac_func_search_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_search_nanosleep" >&5 +echo "${ECHO_T}$ac_cv_search_nanosleep" >&6 +if test "$ac_cv_search_nanosleep" != no; then + test "$ac_cv_search_nanosleep" = "none required" || LIBS="$ac_cv_search_nanosleep $LIBS" + cat >>confdefs.h <<\_ACEOF +#define HAVE_NANOSLEEP 1 +_ACEOF + +fi + + +echo "$as_me:$LINENO: checking whether strsep is declared" >&5 +echo $ECHO_N "checking whether strsep is declared... $ECHO_C" >&6 +if test "${ac_cv_have_decl_strsep+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" +$ac_includes_default +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +#ifndef strsep + char *p = (char *) strsep; +#endif + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_have_decl_strsep=yes +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +ac_cv_have_decl_strsep=no +fi +rm -f conftest.$ac_objext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: $ac_cv_have_decl_strsep" >&5 +echo "${ECHO_T}$ac_cv_have_decl_strsep" >&6 +if test $ac_cv_have_decl_strsep = yes; then + +for ac_func in strsep do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` echo "$as_me:$LINENO: checking for $ac_func" >&5 @@ -6825,6 +7141,8 @@ fi done +fi + for ac_func in dirname 
@@ -7975,6 +8293,65 @@ fi fi +if test "x$ac_cv_func_mkdtemp" = "xyes" ; then +echo "$as_me:$LINENO: checking for (overly) strict mkstemp" >&5 +echo $ECHO_N "checking for (overly) strict mkstemp... $ECHO_C" >&6 +if test "$cross_compiling" = yes; then + + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + cat >>confdefs.h <<\_ACEOF +#define HAVE_STRICT_MKSTEMP 1 +_ACEOF + + + +else + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" + +#include +main() { char template[]="conftest.mkstemp-test"; +if (mkstemp(template) == -1) + exit(1); +unlink(template); exit(0); +} + +_ACEOF +rm -f conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 + +else + echo "$as_me: program exited with status $ac_status" >&5 +echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +( exit $ac_status ) + + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + cat >>confdefs.h <<\_ACEOF +#define HAVE_STRICT_MKSTEMP 1 +_ACEOF + + +fi +rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi +fi + echo "$as_me:$LINENO: checking whether getpgrp requires zero arguments" >&5 echo $ECHO_N "checking whether getpgrp requires zero arguments... $ECHO_C" >&6 if test "${ac_cv_func_getpgrp_void+set}" = set; then 
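Review bot: the guard at the top of this hunk tests `ac_cv_func_mkdtemp`, but the probe and its result message are about `mkstemp`, and nothing in the hunk says why. Add a short comment naming what `HAVE_STRICT_MKSTEMP` is meant to gate, because when `mkdtemp` is absent the probe is skipped and the macro is never defined. The test program also declares `main()` with no return type and calls `exit` and `unlink`; since any compile, link or run failure falls into the branch that reports "yes", give it `int main(void)` and make sure the headers declaring those functions are included, so that a strict compiler does not turn an unrelated error into `HAVE_STRICT_MKSTEMP`.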
@@ -13128,12 +13505,72 @@ have_struct_timeval=1 fi -# If we don't have int64_t then we can't compile sftp-server. So don't -# even attempt to do it. +echo "$as_me:$LINENO: checking for struct timespec" >&5 +echo $ECHO_N "checking for struct timespec... $ECHO_C" >&6 +if test "${ac_cv_type_struct_timespec+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +#include "confdefs.h" +$ac_includes_default +#ifdef F77_DUMMY_MAIN +# ifdef __cplusplus + extern "C" +# endif + int F77_DUMMY_MAIN() { return 1; } +#endif +int +main () +{ +if ((struct timespec *) 0) + return 0; +if (sizeof (struct timespec)) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_type_struct_timespec=yes +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +ac_cv_type_struct_timespec=no +fi +rm -f conftest.$ac_objext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: $ac_cv_type_struct_timespec" >&5 +echo "${ECHO_T}$ac_cv_type_struct_timespec" >&6 +if test $ac_cv_type_struct_timespec = yes; then + +cat >>confdefs.h <<_ACEOF +#define HAVE_STRUCT_TIMESPEC 1 +_ACEOF + + +fi + + +# We need int64_t or else certian parts of the compile will fail. if test "x$ac_cv_have_int64_t" = "xno" -a \ "x$ac_cv_sizeof_long_int" != "x8" -a \ "x$ac_cv_sizeof_long_long_int" = "x0" ; then - NO_SFTP='#' + echo "OpenSSH requires int64_t support. Contact your vendor or install" + echo "an alternative compiler (I.E., GCC) before continuing." 
+ echo "" + exit 1; else if test "$cross_compiling" = yes; then { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling" >&5 @@ -13196,7 +13633,6 @@ fi - # look for field 'ut_host' in header 'utmp.h' ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_host @@ -15730,6 +16166,19 @@ fi; +STRIP_OPT=-s +# Check whether --enable-strip or --disable-strip was given. +if test "${enable_strip+set}" = set; then + enableval="$enable_strip" + + if test "x$enableval" = "xno" ; then + STRIP_OPT= + fi + + +fi; + + if test -z "$xauth_path" ; then XAUTH_PATH="undefined" @@ -16056,7 +16505,11 @@ # include #endif #ifndef _PATH_STDPATH -# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" +# ifdef _PATH_USERPATH /* Irix */ +# define _PATH_STDPATH _PATH_USERPATH +# else +# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" +# endif #endif #include #include @@ -17346,6 +17799,7 @@ s,@INSTALL_DATA@,$INSTALL_DATA,;t t s,@AR@,$AR,;t t s,@PERL@,$PERL,;t t +s,@SED@,$SED,;t t s,@ENT@,$ENT,;t t s,@TEST_MINUS_S_SH@,$TEST_MINUS_S_SH,;t t s,@SH@,$SH,;t t @@ -17372,10 +17826,10 @@ s,@PROG_IPCS@,$PROG_IPCS,;t t s,@PROG_TAIL@,$PROG_TAIL,;t t s,@INSTALL_SSH_PRNG_CMDS@,$INSTALL_SSH_PRNG_CMDS,;t t -s,@NO_SFTP@,$NO_SFTP,;t t s,@OPENSC_CONFIG@,$OPENSC_CONFIG,;t t s,@PRIVSEP_PATH@,$PRIVSEP_PATH,;t t s,@xauth_path@,$xauth_path,;t t +s,@STRIP_OPT@,$STRIP_OPT,;t t s,@XAUTH_PATH@,$XAUTH_PATH,;t t s,@NROFF@,$NROFF,;t t s,@MANTYPE@,$MANTYPE,;t t 
@@ -17895,12 +18349,6 @@ echo "" fi -if test ! -z "$NO_SFTP"; then - echo "sftp-server will be disabled. Your compiler does not " - echo "support 64bit integers." - echo "" -fi - if test ! -z "$RAND_HELPER_CMDHASH" ; then echo "WARNING: you are using the builtin random number collection " echo "service. Please read WARNING.RNG and request that your OS " diff -ru openssh-3.5p1/configure.ac openssh-3.6p1/configure.ac --- openssh-3.5p1/configure.ac 2002-09-26 10:38:47.000000000 +1000 +++ openssh-3.6p1/configure.ac 2003-03-21 12:15:18.000000000 +1100 @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.89 2002/09/26 00:38:47 tim Exp $ +# $Id: configure.ac,v 1.111.2.2 2003/03/21 01:15:18 mouring Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -14,6 +14,7 @@ AC_PROG_INSTALL AC_PATH_PROG(AR, ar) AC_PATH_PROGS(PERL, perl5 perl) +AC_PATH_PROG(SED, sed) AC_SUBST(PERL) AC_PATH_PROG(ENT, ent) AC_SUBST(ENT) @@ -81,8 +82,11 @@ dnl AIX handles lastlog as part of its login message AC_DEFINE(DISABLE_LASTLOG) AC_DEFINE(LOGIN_NEEDS_UTMPX) + AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_CLOBBER_ARGV) + AC_DEFINE(SETPROCTITLE_PS_PADDING, '\0') ;; *-*-cygwin*) + check_for_libcrypt_later=1 LIBS="$LIBS /usr/lib/textmode.o" AC_DEFINE(HAVE_CYGWIN) AC_DEFINE(USE_PIPES) @@ -121,7 +125,7 @@ AC_DEFINE(LOGIN_NEEDS_UTMPX) AC_DEFINE(DISABLE_SHADOW) AC_DEFINE(DISABLE_UTMP) - AC_DEFINE(SPT_TYPE,SPT_PSTAT) + AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT) LIBS="$LIBS -lsec -lsecpw" AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) disable_ptmx_check=yes @@ -137,7 +141,7 @@ AC_DEFINE(LOGIN_NEEDS_UTMPX) AC_DEFINE(DISABLE_SHADOW) AC_DEFINE(DISABLE_UTMP) - AC_DEFINE(SPT_TYPE,SPT_PSTAT) + AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT) LIBS="$LIBS -lsec" AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) ;; 
@@ -150,7 +154,7 @@ AC_DEFINE(LOGIN_NEEDS_UTMPX) AC_DEFINE(DISABLE_SHADOW) AC_DEFINE(DISABLE_UTMP) - AC_DEFINE(SPT_TYPE,SPT_PSTAT) + AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT) LIBS="$LIBS -lsec" AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) ;; @@ -177,6 +181,8 @@ check_for_libcrypt_later=1 AC_DEFINE(DONT_TRY_OTHER_AF) AC_DEFINE(PAM_TTY_KLUDGE) + AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_CLOBBER_ARGV) + AC_DEFINE(SETPROCTITLE_PS_PADDING, '\0') inet6_default_4in6=yes ;; mips-sony-bsd|mips-sony-newsos4) @@ -210,6 +216,7 @@ AC_DEFINE(LOGIN_NEEDS_UTMPX) AC_DEFINE(LOGIN_NEEDS_TERM) AC_DEFINE(PAM_TTY_KLUDGE) + AC_DEFINE(STREAMS_PUSH_ACQUIRES_CTTY) # hardwire lastlog location (can't detect it on some versions) conf_lastlog_location="/var/adm/lastlog" AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x) @@ -278,6 +285,9 @@ do_sco3_extra_lib_check=yes ;; *-*-sco3.2v5*) + if test -z "$GCC"; then + CFLAGS="$CFLAGS -belf" + fi CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" LIBS="$LIBS -lprot -lx -ltinfo -lm" @@ -290,8 +300,6 @@ MANTYPE=man ;; *-*-unicosmk*) - no_libsocket=1 - no_libnsl=1 AC_DEFINE(USE_PIPES) AC_DEFINE(DISABLE_FD_PASSING) LDFLAGS="$LDFLAGS" @@ -299,8 +307,6 @@ MANTYPE=cat ;; *-*-unicos*) - no_libsocket=1 - no_libnsl=1 AC_DEFINE(USE_PIPES) AC_DEFINE(DISABLE_FD_PASSING) AC_DEFINE(NO_SSH_LASTLOG) @@ -325,11 +331,13 @@ AC_MSG_RESULT(yes) AC_DEFINE(HAVE_OSF_SIA) AC_DEFINE(DISABLE_LOGIN) + AC_DEFINE(DISABLE_FD_PASSING) LIBS="$LIBS -lsecurity -ldb -lm -laud" else AC_MSG_RESULT(no) fi fi + AC_DEFINE(DISABLE_FD_PASSING) ;; *-*-nto-qnx) 
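Review bot: `AC_DEFINE(DISABLE_FD_PASSING)` is added twice in this hunk, once inside the branch that defines `HAVE_OSF_SIA` and once unconditionally after the closing `fi`, so the inner one is redundant. Keep only the one that matches the intent: if fd passing should be off only when SIA is in use, drop the unconditional define; if it should be off for this whole platform case, drop the inner one.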
@@ -377,13 +385,13 @@ # Checks for header files. AC_CHECK_HEADERS(bstring.h crypt.h endian.h floatingpoint.h \ - getopt.h glob.h ia.h lastlog.h limits.h login.h \ + getopt.h glob.h ia.h lastlog.h libgen.h limits.h login.h \ login_cap.h maillock.h netdb.h netgroup.h \ netinet/in_systm.h paths.h pty.h readpassphrase.h \ rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ strings.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \ - sys/mman.h sys/select.h sys/stat.h \ - sys/stropts.h sys/sysmacros.h sys/time.h \ + sys/mman.h sys/pstat.h sys/select.h sys/stat.h \ + sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \ sys/un.h time.h tmpdir.h ttyent.h usersec.h \ util.h utime.h utmp.h utmpx.h) 
@@ -594,18 +602,25 @@ ] ) -dnl Checks for library functions. -AC_CHECK_FUNCS(arc4random b64_ntop bcopy bindresvport_sa \ - clock fchmod fchown freeaddrinfo futimes gai_strerror \ - getaddrinfo getcwd getgrouplist getnameinfo getopt getpeereid\ - getrlimit getrusage getttyent glob inet_aton inet_ntoa \ - inet_ntop innetgr login_getcapbool md5_crypt memmove \ - mkdtemp mmap ngetaddrinfo openpty ogetaddrinfo readpassphrase \ - realpath recvmsg rresvport_af sendmsg setdtablesize setegid \ - setenv seteuid setgroups setlogin setproctitle setresgid setreuid \ - setrlimit setsid setpcred setvbuf sigaction sigvec snprintf \ - socketpair strerror strlcat strlcpy strmode strsep sysconf tcgetpgrp \ - truncate utimes vhangup vsnprintf waitpid __b64_ntop _getpty) +dnl Checks for library functions. Please keep in alphabetical order +AC_CHECK_FUNCS(\ + arc4random __b64_ntop b64_ntop __b64_pton b64_pton basename bcopy \ + bindresvport_sa clock fchmod fchown freeaddrinfo futimes \ + gai_strerror getaddrinfo getcwd getgrouplist getnameinfo getopt \ + getpeereid _getpty getrlimit getrusage getttyent glob inet_aton \ + inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \ + mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openpty pstat \ + readpassphrase realpath recvmsg rresvport_af sendmsg setdtablesize \ + setegid setenv seteuid setgroups setlogin setpcred setproctitle \ + setresgid setreuid setrlimit setsid setvbuf sigaction sigvec \ + snprintf socketpair strerror strlcat strlcpy strmode strnvis \ + sysconf tcgetpgrp truncate utimes vhangup vsnprintf waitpid \ +) + +AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP)) + +dnl Make sure strsep prototype is defined before defining HAVE_STRSEP +AC_CHECK_DECL(strsep, [AC_CHECK_FUNCS(strsep)]) dnl IRIX and Solaris 2.5.1 have dirname() in libgen AC_CHECK_FUNCS(dirname, [AC_CHECK_HEADERS(libgen.h)] ,[ 
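Review bot: the new `AC_CHECK_FUNCS(\` list ends with a line continuation after `waitpid` and puts the closing `)` on its own line, so the function list finishes with a dangling backslash. The generated `for ac_func in` loop in configure then only works because the line after that backslash is empty; drop the trailing backslash or close the parenthesis on the `waitpid` line. The added comment asks for alphabetical order, so it should also say that leading underscores are ignored, since `__b64_ntop` and `_getpty` are sorted that way.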
@@ -680,6 +695,32 @@ ) fi +dnl see whether mkstemp() requires XXXXXX +if test "x$ac_cv_func_mkdtemp" = "xyes" ; then +AC_MSG_CHECKING([for (overly) strict mkstemp]) +AC_TRY_RUN( + [ +#include +main() { char template[]="conftest.mkstemp-test"; +if (mkstemp(template) == -1) + exit(1); +unlink(template); exit(0); +} + ], + [ + AC_MSG_RESULT(no) + ], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_STRICT_MKSTEMP) + ], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_STRICT_MKSTEMP) + ] +) +fi + AC_FUNC_GETPGRP # Check for PAM libs @@ -1443,12 +1484,16 @@ have_struct_timeval=1 fi -# If we don't have int64_t then we can't compile sftp-server. So don't -# even attempt to do it. +AC_CHECK_TYPES(struct timespec) + +# We need int64_t or else certian parts of the compile will fail. if test "x$ac_cv_have_int64_t" = "xno" -a \ "x$ac_cv_sizeof_long_int" != "x8" -a \ "x$ac_cv_sizeof_long_long_int" = "x0" ; then - NO_SFTP='#' + echo "OpenSSH requires int64_t support. Contact your vendor or install" + echo "an alternative compiler (I.E., GCC) before continuing." + echo "" + exit 1; else dnl test snprintf (broken on SCO w/gcc) AC_TRY_RUN( @@ -1478,7 +1523,6 @@ ], [ true ], [ AC_DEFINE(BROKEN_SNPRINTF) ] ) fi -AC_SUBST(NO_SFTP) dnl Checks for structure members OSSH_CHECK_HEADER_FOR_FIELD(ut_host, utmp.h, HAVE_HOST_IN_UTMP) @@ -1906,6 +1950,17 @@ ] ) +STRIP_OPT=-s +AC_ARG_ENABLE(strip, + [ --disable-strip Disable calling strip(1) on install], + [ + if test "x$enableval" = "xno" ; then + STRIP_OPT= + fi + ] +) +AC_SUBST(STRIP_OPT) + if test -z "$xauth_path" ; then XAUTH_PATH="undefined" AC_SUBST(XAUTH_PATH) @@ -2060,7 +2115,11 @@ # include #endif #ifndef _PATH_STDPATH -# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" +# ifdef _PATH_USERPATH /* Irix */ +# define _PATH_STDPATH _PATH_USERPATH +# else +# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" +# endif #endif #include #include 
@@ -2498,12 +2557,6 @@ echo "" fi -if test ! -z "$NO_SFTP"; then - echo "sftp-server will be disabled. Your compiler does not " - echo "support 64bit integers." - echo "" -fi - if test ! -z "$RAND_HELPER_CMDHASH" ; then echo "WARNING: you are using the builtin random number collection " echo "service. Please read WARNING.RNG and request that your OS " diff -ru openssh-3.5p1/contrib/aix/README openssh-3.6p1/contrib/aix/README --- openssh-3.5p1/contrib/aix/README 2002-06-26 09:38:48.000000000 +1000 +++ openssh-3.6p1/contrib/aix/README 2003-03-10 12:10:46.000000000 +1100 @@ -6,9 +6,15 @@ Directions: +(optional) create config.local in your build dir ./configure [options] -cd contrib/aix; ./buildbff.sh +contrib/aix/buildbff.sh +The file config.local or the environment is read to set the following options +(default first): +PERMIT_ROOT_LOGIN=[no|yes] +X11_FORWARDING=[no|yes] +AIX_SRC=[no|yes] Acknowledgements: @@ -19,6 +25,8 @@ and for comparison with the output from this script, however no code from lppbuild is included and it is not required for operation. +SRC support based on examples provided by Sandor Sklar and Maarten Kreuger. + Other notes: @@ -26,8 +34,7 @@ appropriate). It seems to work, though...... If there are any patches to this that have not yet been integrated they -may be found at http://www.zip.com.au/~dtucker/openssh/ or -http://home.usf.advantra.com.au/~dtucker/openssh/. +may be found at http://www.zip.com.au/~dtucker/openssh/. Disclaimer: diff -ru openssh-3.5p1/contrib/aix/buildbff.sh openssh-3.6p1/contrib/aix/buildbff.sh --- openssh-3.5p1/contrib/aix/buildbff.sh 2002-07-18 11:04:51.000000000 +1000 +++ openssh-3.6p1/contrib/aix/buildbff.sh 2003-03-10 12:10:46.000000000 +1100 
@@ -11,10 +11,12 @@ # # Tunable configuration settings -# create a "config.local" in your build directory to override these. +# create a "config.local" in your build directory or set +# environment variables to override these. # -PERMIT_ROOT_LOGIN=no -X11_FORWARDING=no +[ -z "$PERMIT_ROOT_LOGIN" ] || PERMIT_ROOT_LOGIN=no +[ -z "$X11_FORWARDING" ] || X11_FORWARDING=no +[ -z "$AIX_SRC" ] || AIX_SRC=no umask 022 @@ -167,6 +169,18 @@ EOD # +# openssh.size file allows filesystem expansion as required +# generate list of directories containing files +# then calculate disk usage for each directory and store in openssh.size +# +files=`find . -type f -print` +dirs=`for file in $files; do dirname $file; done | sort -u` +for dir in $dirs +do + du $dir +done > ../openssh.size + +# # Create postinstall script # cat <>../openssh.post_i 
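Review bot: in the `@@ -11,10 +11,12 @@` hunk of contrib/aix/buildbff.sh, the three new default assignments have the test inverted. `[ -z "$PERMIT_ROOT_LOGIN" ] || PERMIT_ROOT_LOGIN=no` leaves the variable empty when it is unset and overwrites it with `no` when the environment has set it, which is the opposite of what the updated comment promises; the same applies to `X11_FORWARDING` and `AIX_SRC`. Use `&&` in place of `||`, or `: ${PERMIT_ROOT_LOGIN:=no}`.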
@@ -245,14 +259,42 @@ fi echo -# Add to system startup if required -if grep $sbindir/sshd /etc/rc.tcpip >/dev/null +# Set startup command depending on SRC support +if [ "$AIX_SRC" = "yes" ] then - echo "sshd found in rc.tcpip, not adding." + echo Creating SRC sshd subsystem. + rmssys -s sshd 2>&1 >/dev/null + mkssys -s sshd -p "$sbindir/sshd" -a '-D' -u 0 -S -n 15 -f 9 -R -G tcpip + startupcmd="start $sbindir/sshd \\\"\\\$src_running\\\"" + oldstartcmd="$sbindir/sshd" else - echo >>/etc/rc.tcpip - echo "echo Starting sshd" >>/etc/rc.tcpip - echo "$sbindir/sshd" >>/etc/rc.tcpip + startupcmd="$sbindir/sshd" + oldstartcmd="start $sbindir/sshd \\\"$src_running\\\"" +fi + +# If migrating to or from SRC, change previous startup command +# otherwise add to rc.tcpip +if egrep "^\$oldstartcmd" /etc/rc.tcpip >/dev/null +then + if sed "s|^\$oldstartcmd|\$startupcmd|g" /etc/rc.tcpip >/etc/rc.tcpip.new + then + chmod 0755 /etc/rc.tcpip.new + mv /etc/rc.tcpip /etc/rc.tcpip.old && \ + mv /etc/rc.tcpip.new /etc/rc.tcpip + else + echo "Updating /etc/rc.tcpip failed, please check." + fi +else + # Add to system startup if required + if grep "^\$startupcmd" /etc/rc.tcpip >/dev/null + then + echo "sshd found in rc.tcpip, not adding." + else + echo "Adding sshd to rc.tcpip" + echo >>/etc/rc.tcpip + echo "# Start sshd" >>/etc/rc.tcpip + echo "\$startupcmd" >>/etc/rc.tcpip + fi fi EOF @@ -262,7 +304,7 @@ echo Creating liblpp.a ( cd .. - for i in openssh.al openssh.copyright openssh.inventory openssh.post_i LICENCE README* + for i in openssh.al openssh.copyright openssh.inventory openssh.post_i openssh.size LICENCE README* do ar -r liblpp.a $i rm $i diff -ru openssh-3.5p1/contrib/aix/inventory.sh openssh-3.6p1/contrib/aix/inventory.sh --- openssh-3.5p1/contrib/aix/inventory.sh 2002-03-18 09:05:25.000000000 +1100 +++ openssh-3.6p1/contrib/aix/inventory.sh 2003-03-10 12:10:46.000000000 +1100 
@@ -2,9 +2,9 @@ # # inventory.sh # -# Originall written by Ben Lindstrom, modified by Darren Tucker to use perl +# Originally written by Ben Lindstrom, modified by Darren Tucker to use perl # -# This will produced and AIX package inventory file, which looks like: +# This will produce an AIX package inventory file, which looks like: # # /usr/local/bin: # class=apply,inventory,openssh diff -ru openssh-3.5p1/contrib/caldera/openssh.spec openssh-3.6p1/contrib/caldera/openssh.spec --- openssh-3.5p1/contrib/caldera/openssh.spec 2002-10-03 11:56:59.000000000 +1000 +++ openssh-3.6p1/contrib/caldera/openssh.spec 2003-03-21 15:52:56.000000000 +1100 @@ -17,7 +17,7 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 %if %{use_stable} - %define version 3.5p1 + %define version 3.6p1 %define cvs %{nil} %define release 2 %else @@ -198,7 +198,7 @@ %Install [ %{buildroot} != "/" ] && rm -rf %{buildroot} -%makeinstall +make install DESTDIR=%{buildroot} %makeinstall -C %{askpass} \ BINDIR=%{_libexecdir} \ MANPATH=%{_mandir} \ @@ -316,8 +316,16 @@ %defattr(-,root,root) %dir %{_sysconfdir} %config %{_sysconfdir}/ssh_config -%{_bindir}/* +%{_bindir}/scp +%{_bindir}/sftp +%{_bindir}/ssh +%{_bindir}/slogin +%{_bindir}/ssh-add +%attr(2755,root,nobody) %{_bindir}/ssh-agent +%{_bindir}/ssh-keygen +%{_bindir}/ssh-keyscan %dir %{_libexecdir} +%attr(4711,root,root) %{_libexecdir}/ssh-keysign %{_sbindir}/ssh-host-keygen %dir %{_defaultdocdir}/%{name}-%{version} %{_defaultdocdir}/%{name}-%{version}/CREDITS @@ -328,10 +336,12 @@ %{_defaultdocdir}/%{name}-%{version}/TODO %{_defaultdocdir}/%{name}-%{version}/faq.html %{_mandir}/man1/* +%{_mandir}/man8/ssh-keysign.8.gz +%{_mandir}/man5/ssh_config.5.gz %Files server %defattr(-,root,root) -%dir %attr(0700,root,root) %{_var}/empty/sshd +%dir %{_var}/empty/sshd %config %{SVIdir}/sshd %config /etc/pam.d/sshd %config %{_sysconfdir}/moduli 
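Review bot: the `%Files server` entry for `%{_var}/empty/sshd` loses its explicit `%attr(0700,root,root)`, so the packaged mode of that directory now comes from whatever `make install DESTDIR=%{buildroot}` leaves in the build root, and nothing in the hunk shows that mode being set. State the intended permissions explicitly, keeping an `%attr` with the new mode if 0700 was the problem, so the directory cannot end up group- or world-writable depending on the builder's umask.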
@@ -339,6 +349,7 @@ %config %{SVIcdir}/sshd %{_libexecdir}/sftp-server %{_sbindir}/sshd +%{_mandir}/man5/sshd_config.5.gz %{_mandir}/man8/sftp-server.8.gz %{_mandir}/man8/sshd.8.gz @@ -353,4 +364,4 @@ * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.38 2002/10/03 01:56:59 djm Exp $ +$Id: openssh.spec,v 1.39.2.2 2003/03/21 04:52:56 tim Exp $ diff -ru openssh-3.5p1/contrib/cygwin/ssh-host-config openssh-3.6p1/contrib/cygwin/ssh-host-config --- openssh-3.5p1/contrib/cygwin/ssh-host-config 2002-07-11 00:40:12.000000000 +1000 +++ openssh-3.6p1/contrib/cygwin/ssh-host-config 2002-11-10 02:59:29.000000000 +1100 @@ -378,6 +378,8 @@ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a @@ -394,7 +396,7 @@ #HostKey ${SYSCONFDIR}/ssh_host_rsa_key #HostKey ${SYSCONFDIR}/ssh_host_dsa_key -# Lifetime and size of ephemeral version 1 server ke +# Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 3600 #ServerKeyBits 768 @@ -405,7 +407,7 @@ # Authentication: -#LoginGraceTime 600 +#LoginGraceTime 120 #PermitRootLogin yes # The following setting overrides permission checks on host key files # and directories. For security reasons set this to "yes" when running @@ -414,11 +416,11 @@ #RSAAuthentication yes #PubkeyAuthentication yes -#AuthorizedKeysFile %h/.ssh/authorized_keys +#AuthorizedKeysFile .ssh/authorized_keys # rhosts authentication should not be used #RhostsAuthentication no -# Don't read ~/.rhosts and ~/.shosts files +# Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts #RhostsRSAAuthentication no 
@@ -443,6 +445,7 @@ #KeepAlive yes #UseLogin no UsePrivilegeSeparation $privsep_used +#PermitUserEnvironment no #Compression yes #MaxStartups 10 diff -ru openssh-3.5p1/contrib/gnome-ssh-askpass2.c openssh-3.6p1/contrib/gnome-ssh-askpass2.c --- openssh-3.5p1/contrib/gnome-ssh-askpass2.c 2002-09-12 14:49:02.000000000 +1000 +++ openssh-3.6p1/contrib/gnome-ssh-askpass2.c 2003-02-24 11:48:23.000000000 +1100 @@ -36,10 +36,13 @@ * you don't trust your X server. We grab the keyboard always. */ +#define GRAB_TRIES 16 +#define GRAB_WAIT 250 /* milliseconds */ + /* * Compile with: * - * cc `pkg-config --cflags gtk+-2.0` \ + * cc -Wall `pkg-config --cflags gtk+-2.0` \ * gnome-ssh-askpass2.c -o gnome-ssh-askpass \ * `pkg-config --libs gtk+-2.0` * @@ -48,6 +51,7 @@ #include #include #include +#include #include #include #include @@ -84,13 +88,13 @@ { const char *failed; char *passphrase, *local; - char **messages; - int result, i, grab_server, grab_pointer; - GtkWidget *dialog, *entry, *label; + int result, grab_tries, grab_server, grab_pointer; + GtkWidget *dialog, *entry; GdkGrabStatus status; grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL); grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL); + grab_tries = 0; dialog = gtk_message_dialog_new(NULL, 0, GTK_MESSAGE_QUESTION, 
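Review bot: `grab_tries` is set to 0 once here, and the grab code that follows increments the same counter in both the pointer and the keyboard retry loops, so retries spent on the pointer grab reduce what the keyboard grab gets. Reset it before the keyboard loop or use one counter per loop. Also, `++grab_tries > GRAB_TRIES` allows GRAB_TRIES + 1 attempts; if 16 is meant as the limit, compare with `>=`.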
@@ -117,23 +121,35 @@ /* Grab focus */ gtk_widget_show_now(dialog); - if (grab_server) { - gdk_x11_grab_server(); - } if (grab_pointer) { - status = gdk_pointer_grab((GTK_WIDGET(dialog))->window, TRUE, - 0, NULL, NULL, GDK_CURRENT_TIME); - if (status != GDK_GRAB_SUCCESS) { - failed = "mouse"; - goto nograb; + for(;;) { + status = gdk_pointer_grab( + (GTK_WIDGET(dialog))->window, TRUE, 0, NULL, + NULL, GDK_CURRENT_TIME); + if (status == GDK_GRAB_SUCCESS) + break; + usleep(GRAB_WAIT * 1000); + if (++grab_tries > GRAB_TRIES) { + failed = "mouse"; + goto nograb; + } } } - status = gdk_keyboard_grab((GTK_WIDGET(dialog))->window, FALSE, - GDK_CURRENT_TIME); - if (status != GDK_GRAB_SUCCESS) { - failed = "keyboard"; - goto nograbkb; + for(;;) { + status = gdk_keyboard_grab((GTK_WIDGET(dialog))->window, + FALSE, GDK_CURRENT_TIME); + if (status == GDK_GRAB_SUCCESS) + break; + usleep(GRAB_WAIT * 1000); + if (++grab_tries > GRAB_TRIES) { + failed = "keyboard"; + goto nograbkb; + } } + if (grab_server) { + gdk_x11_grab_server(); + } + result = gtk_dialog_run(GTK_DIALOG(dialog)); /* Ungrab */ diff -ru openssh-3.5p1/contrib/redhat/openssh.spec openssh-3.6p1/contrib/redhat/openssh.spec --- openssh-3.5p1/contrib/redhat/openssh.spec 2002-10-03 12:08:19.000000000 +1000 +++ openssh-3.6p1/contrib/redhat/openssh.spec 2003-03-20 11:05:11.000000000 +1100 @@ -1,4 +1,4 @@ -%define ver 3.5p1 +%define ver 3.6p1 %define rel 1 # OpenSSH privilege separation requires a user & group ID @@ -21,7 +21,7 @@ %define scard 0 # Use GTK2 instead of GNOME in gnome-ssh-askpass -%define gtk2 0 +%define gtk2 1 # Is this build for RHL 6.x? %define build6x 0 diff -ru openssh-3.5p1/contrib/solaris/opensshd.in openssh-3.6p1/contrib/solaris/opensshd.in --- openssh-3.5p1/contrib/solaris/opensshd.in 2002-07-17 07:24:39.000000000 +1000 +++ openssh-3.6p1/contrib/solaris/opensshd.in 2002-11-14 10:50:07.000000000 +1100 
@@ -3,6 +3,8 @@ # # Stripped PRNGd out of it for the time being. +umask 022 + CAT=/usr/bin/cat KILL=/usr/bin/kill diff -ru openssh-3.5p1/contrib/ssh-copy-id openssh-3.6p1/contrib/ssh-copy-id --- openssh-3.5p1/contrib/ssh-copy-id 2001-10-08 11:54:26.000000000 +1000 +++ openssh-3.6p1/contrib/ssh-copy-id 2003-01-03 14:34:07.000000000 +1100 @@ -29,7 +29,12 @@ fi if [ -z "`eval $GET_ID`" ]; then - echo "$0: ERROR: No identities found" + echo "$0: ERROR: No identities found" >&2 + exit 1 +fi + +if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then + echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2 exit 1 fi diff -ru openssh-3.5p1/contrib/suse/openssh.spec openssh-3.6p1/contrib/suse/openssh.spec --- openssh-3.5p1/contrib/suse/openssh.spec 2002-10-03 11:57:00.000000000 +1000 +++ openssh-3.6p1/contrib/suse/openssh.spec 2003-03-20 10:52:34.000000000 +1100 @@ -1,6 +1,6 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 3.5p1 +Version: 3.6p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz diff -ru openssh-3.5p1/crc32.c openssh-3.6p1/crc32.c --- openssh-3.5p1/crc32.c 2000-12-22 12:43:59.000000000 +1100 +++ openssh-3.6p1/crc32.c 2003-02-25 10:22:36.000000000 +1100 
@@ -1,114 +1,105 @@ +/* $OpenBSD: crc32.c,v 1.9 2003/02/12 21:39:50 markus Exp $ */ + /* - * COPYRIGHT (C) 1986 Gary S. Brown. You may use this program, or - * code or tables extracted from it, as desired without restriction. - * - * First, the polynomial itself and its table of feedback terms. The - * polynomial is - * X^32+X^26+X^23+X^22+X^16+X^12+X^11+X^10+X^8+X^7+X^5+X^4+X^2+X^1+X^0 - * - * Note that we take it "backwards" and put the highest-order term in - * the lowest-order bit. The X^32 term is "implied"; the LSB is the - * X^31 term, etc. The X^0 term (usually shown as "+1") results in - * the MSB being 1 - * - * Note that the usual hardware shift register implementation, which - * is what we're using (we're merely optimizing it by doing eight-bit - * chunks at a time) shifts bits into the lowest-order term. In our - * implementation, that means shifting towards the right. Why do we - * do it this way? Because the calculated CRC must be transmitted in - * order from highest-order term to lowest-order term. UARTs transmit - * characters in order from LSB to MSB. By storing the CRC this way - * we hand it to the UART in the order low-byte to high-byte; the UART - * sends each low-bit to hight-bit; and the result is transmission bit - * by bit from highest- to lowest-order term without requiring any bit - * shuffling on our part. Reception works similarly - * - * The feedback terms table consists of 256, 32-bit entries. Notes + * Copyright (c) 2003 Markus Friedl. All rights reserved. * - * The table can be generated at runtime if desired; code to do so - * is shown later. It might not be obvious, but the feedback - * terms simply represent the results of eight shift/xor opera - * tions for all combinations of data and CRC register values - * - * The values must be right-shifted by eight bits by the "updcrc - * logic; the shift must be u_(bring in zeroes). 
On some - * hardware you could probably optimize the shift in assembler by - * using byte-swap instructions - * polynomial $edb88320 + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ - - #include "includes.h" -RCSID("$OpenBSD: crc32.c,v 1.8 2000/12/19 23:17:56 markus Exp $"); - #include "crc32.h" -static u_int crc32_tab[] = { - 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, - 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, - 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, - 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, - 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L, - 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, - 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, - 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, - 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, - 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL, - 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, - 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, - 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L, - 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, - 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, - 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, - 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, - 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L, - 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, - 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, - 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL, - 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, - 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L, - 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, - 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, - 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L, - 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, - 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 
0x0d6d6a3eL, 0x7a6a5aa8L, - 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L, - 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, - 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, - 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, - 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, - 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL, - 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, - 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, - 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL, - 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, - 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, - 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, - 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, - 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L, - 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, - 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, - 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L, - 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, - 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, - 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, - 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, - 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L, - 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, - 0x2d02ef8dL +static const u_int32_t crc32tab[] = { + 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, + 0x076dc419L, 0x706af48fL, 0xe963a535L, 0x9e6495a3L, + 0x0edb8832L, 0x79dcb8a4L, 0xe0d5e91eL, 0x97d2d988L, + 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 0x90bf1d91L, + 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, + 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, + 0x136c9856L, 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, + 
0x14015c4fL, 0x63066cd9L, 0xfa0f3d63L, 0x8d080df5L, + 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 0xa2677172L, + 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, + 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, + 0x32d86ce3L, 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, + 0x26d930acL, 0x51de003aL, 0xc8d75180L, 0xbfd06116L, + 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 0xb8bda50fL, + 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, + 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, + 0x76dc4190L, 0x01db7106L, 0x98d220bcL, 0xefd5102aL, + 0x71b18589L, 0x06b6b51fL, 0x9fbfe4a5L, 0xe8b8d433L, + 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 0xe10e9818L, + 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, + 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, + 0x6c0695edL, 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, + 0x65b0d9c6L, 0x12b7e950L, 0x8bbeb8eaL, 0xfcb9887cL, + 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 0xfbd44c65L, + 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, + 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, + 0x4369e96aL, 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, + 0x44042d73L, 0x33031de5L, 0xaa0a4c5fL, 0xdd0d7cc9L, + 0x5005713cL, 0x270241aaL, 0xbe0b1010L, 0xc90c2086L, + 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, + 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, + 0x59b33d17L, 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, + 0xedb88320L, 0x9abfb3b6L, 0x03b6e20cL, 0x74b1d29aL, + 0xead54739L, 0x9dd277afL, 0x04db2615L, 0x73dc1683L, + 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, + 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, + 0xf00f9344L, 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, + 0xf762575dL, 0x806567cbL, 0x196c3671L, 0x6e6b06e7L, + 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 0x67dd4accL, + 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, + 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, + 0xd1bb67f1L, 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, + 0xd80d2bdaL, 0xaf0a1b4cL, 0x36034af6L, 0x41047a60L, + 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 0x4669be79L, + 
0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, + 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, + 0xc5ba3bbeL, 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, + 0xc2d7ffa7L, 0xb5d0cf31L, 0x2cd99e8bL, 0x5bdeae1dL, + 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 0x026d930aL, + 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, + 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, + 0x92d28e9bL, 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, + 0x86d3d2d4L, 0xf1d4e242L, 0x68ddb3f8L, 0x1fda836eL, + 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 0x18b74777L, + 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, + 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, + 0xa00ae278L, 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, + 0xa7672661L, 0xd06016f7L, 0x4969474dL, 0x3e6e77dbL, + 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 0x37d83bf0L, + 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, + 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, + 0xbad03605L, 0xcdd70693L, 0x54de5729L, 0x23d967bfL, + 0xb3667a2eL, 0xc4614ab8L, 0x5d681b02L, 0x2a6f2b94L, + 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 0x2d02ef8dL }; -/* Return a 32-bit CRC of the contents of the buffer. */ - -u_int -ssh_crc32(const u_char *s, u_int len) +u_int32_t +ssh_crc32(const u_char *buf, u_int32_t size) { - u_int i; - u_int crc32val; + u_int32_t i, crc; - crc32val = 0; - for (i = 0; i < len; i ++) { - crc32val = crc32_tab[(crc32val ^ s[i]) & 0xff] ^ (crc32val >> 8); - } - return crc32val; + crc = 0; + for (i = 0; i < size; i++) + crc = crc32tab[(crc ^ buf[i]) & 0xff] ^ (crc >> 8); + return crc; } diff -ru openssh-3.5p1/crc32.h openssh-3.6p1/crc32.h --- openssh-3.5p1/crc32.h 2002-03-05 12:53:05.000000000 +1100 +++ openssh-3.6p1/crc32.h 2003-02-24 12:02:13.000000000 +1100 
@@ -1,21 +1,30 @@ -/* $OpenBSD: crc32.h,v 1.13 2002/03/04 17:27:39 stevesk Exp $ */ +/* $OpenBSD: crc32.h,v 1.14 2003/02/12 21:39:50 markus Exp $ */ /* - * Author: Tatu Ylonen - * Copyright (c) 1992 Tatu Ylonen , Espoo, Finland - * All rights reserved - * Functions for computing 32-bit CRC. + * Copyright (c) 2003 Markus Friedl. All rights reserved. * - * As far as I am concerned, the code I have written for this software - * can be used freely for any purpose. Any derived versions of this - * software must be clearly marked as such, and if the derived work is - * incompatible with the protocol description in the RFC file, it must be - * called by a name other than "ssh" or "Secure Shell". + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ -#ifndef CRC32_H -#define CRC32_H - -u_int ssh_crc32(const u_char *, u_int); - -#endif /* CRC32_H */ +#ifndef SSH_CRC32_H +#define SSH_CRC32_H +u_int32_t ssh_crc32(const u_char *, u_int32_t); +#endif diff -ru openssh-3.5p1/defines.h openssh-3.6p1/defines.h --- openssh-3.5p1/defines.h 2002-09-26 10:38:48.000000000 +1000 +++ openssh-3.6p1/defines.h 2003-01-24 11:50:32.000000000 +1100 @@ -1,7 +1,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.96 2002/09/26 00:38:48 tim Exp $ */ +/* $Id: defines.h,v 1.97 2003/01/24 00:50:32 djm Exp $ */ /* Constants */ @@ -370,6 +370,20 @@ } while (0) #endif +#ifndef TIMEVAL_TO_TIMESPEC +#define TIMEVAL_TO_TIMESPEC(tv, ts) { \ + (ts)->tv_sec = (tv)->tv_sec; \ + (ts)->tv_nsec = (tv)->tv_usec * 1000; \ +} +#endif + +#ifndef TIMESPEC_TO_TIMEVAL +#define TIMESPEC_TO_TIMEVAL(tv, ts) { \ + (tv)->tv_sec = (ts)->tv_sec; \ + (tv)->tv_usec = (ts)->tv_nsec / 1000; \ +} +#endif + #ifndef __P # define __P(x) x #endif diff -ru openssh-3.5p1/dh.c openssh-3.6p1/dh.c --- openssh-3.5p1/dh.c 2002-07-04 10:03:56.000000000 +1000 +++ openssh-3.6p1/dh.c 2002-12-23 13:03:02.000000000 +1100 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: dh.c,v 1.22 2002/06/27 08:49:44 markus Exp $"); +RCSID("$OpenBSD: dh.c,v 1.23 2002/11/21 22:22:50 markus Exp $"); #include "xmalloc.h" @@ -182,7 +182,7 @@ for (i = 0; i <= n; i++) if (BN_is_bit_set(dh_pub, i)) bits_set++; - debug("bits set: %d/%d", bits_set, BN_num_bits(dh->p)); + debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p)); /* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */ if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1)) 
@@ -214,7 +214,7 @@ for (i = 0; i <= BN_num_bits(dh->priv_key); i++) if (BN_is_bit_set(dh->priv_key, i)) bits_set++; - debug("dh_gen_key: priv key bits set: %d/%d", + debug2("dh_gen_key: priv key bits set: %d/%d", bits_set, BN_num_bits(dh->priv_key)); if (tries++ > 10) fatal("dh_gen_key: too many bad keys: giving up"); diff -ru openssh-3.5p1/fixpaths openssh-3.6p1/fixpaths --- openssh-3.5p1/fixpaths 2001-04-16 10:41:47.000000000 +1000 +++ openssh-3.6p1/fixpaths 2002-12-05 20:59:33.000000000 +1100 
@@ -1,43 +1,22 @@ -#!/usr/bin/perl -w +#!/bin/sh # # fixpaths - substitute makefile variables into text files +# Usage: fixpaths -Dsomething=somethingelse ... - -$usage = "Usage: $0 [-Dstring=replacement] [[infile] ...]\n"; - -if (!defined(@ARGV)) { die ("$usage"); } - -# read in the command line and get some definitions -while ($_=$ARGV[0], /^-/) { - if (/^-D/) { - # definition - shift(@ARGV); - if ( /-D(.*)=(.*)/ ) { - $def{"$1"}=$2; - } else { - die ("$usage$0: error in command line arguments.\n"); - } - } else { - @cmd = split(//, $ARGV[0]); $opt = $cmd[1]; - die ("$usage$0: unknown option '-$opt'\n"); - } -} # while parsing arguments - -if (!defined(%def)) { - die ("$0: nothing to do - no substitutions listed!\n"); +die() { + echo $* + exit -1 } -for $f (@ARGV) { +test -n "`echo $1|grep -- -D`" || \ + die $0: nothing to do - no substitutions listed! + +test -n "`echo $1|grep -- '-D[^=]\+=[^ ]\+'`" || \ + die $0: error in command line arguments. - $f =~ /(.*\/)*(.*)$/; +test -n "`echo $*|grep -- ' [^-]'`" || \ + die Usage: $0 '[-Dstring=replacement] [[infile] ...]' - open(IN, "<$f") || die ("$0: input file $f missing!\n"); - while () { - for $s (keys(%def)) { - s#$s#$def{$s}#; - } # for $s - print; - } # while -} # for $f +sed `echo $*|sed -e 's/-D\([^=]\+\)=\([^ ]*\)/-e s=\1=\2=g/g'` -exit 0; +exit 0 diff -ru openssh-3.5p1/hostfile.h openssh-3.6p1/hostfile.h --- openssh-3.5p1/hostfile.h 2002-09-12 09:43:58.000000000 +1000 +++ openssh-3.6p1/hostfile.h 2002-12-23 13:06:20.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: hostfile.h,v 1.12 2002/09/08 20:24:08 markus Exp $ */ +/* $OpenBSD: hostfile.h,v 1.13 2002/11/21 23:03:51 deraadt Exp $ */ /* * Author: Tatu Ylonen 
@@ -19,10 +19,10 @@ } HostStatus; int hostfile_read_key(char **, u_int *, Key *); -HostStatus -check_host_in_hostfile(const char *, const char *, Key *, Key *, int *); -int add_host_to_hostfile(const char *, const char *, Key *); -int -lookup_key_in_hostfile_by_type(const char *, const char *, int , Key *, int *); +HostStatus check_host_in_hostfile(const char *, const char *, + Key *, Key *, int *); +int add_host_to_hostfile(const char *, const char *, Key *); +int lookup_key_in_hostfile_by_type(const char *, const char *, + int, Key *, int *); #endif diff -ru openssh-3.5p1/includes.h openssh-3.6p1/includes.h --- openssh-3.5p1/includes.h 2002-09-26 10:38:48.000000000 +1000 +++ openssh-3.6p1/includes.h 2002-10-21 10:50:26.000000000 +1000 @@ -157,6 +157,10 @@ # include #endif +#ifdef HAVE_LIBUTIL_H +# include /* Openpty on FreeBSD at least */ +#endif + #include /* For OPENSSL_VERSION_NUMBER */ #include "defines.h" diff -ru openssh-3.5p1/kex.c openssh-3.6p1/kex.c --- openssh-3.5p1/kex.c 2002-06-26 09:19:13.000000000 +1000 +++ openssh-3.6p1/kex.c 2003-02-24 12:03:03.000000000 +1100 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kex.c,v 1.51 2002/06/24 14:55:38 markus Exp $"); +RCSID("$OpenBSD: kex.c,v 1.54 2003/02/16 17:09:57 markus Exp $"); #include @@ -44,11 +44,6 @@ #define KEX_COOKIE_LEN 16 -/* Use privilege separation for sshd */ -int use_privsep; -struct monitor *pmonitor; - - /* prototype */ static void kex_kexinit_finish(Kex *); static void kex_choose_conf(Kex *); @@ -74,7 +69,7 @@ /* parse buffer and return algorithm proposal */ static char ** -kex_buf2prop(Buffer *raw) +kex_buf2prop(Buffer *raw, int *first_kex_follows) { Buffer b; int i; @@ -94,6 +89,8 @@ } /* first kex follows / reserved */ i = buffer_get_char(&b); + if (first_kex_follows != NULL) + *first_kex_follows = i; debug2("kex_parse_kexinit: first_kex_follows %d ", i); i = buffer_get_int(&b); debug2("kex_parse_kexinit: reserved %d ", i); 
@@ -135,7 +132,7 @@ /* packet_write_wait(); */ debug("SSH2_MSG_NEWKEYS sent"); - debug("waiting for SSH2_MSG_NEWKEYS"); + debug("expecting SSH2_MSG_NEWKEYS"); packet_read_expect(SSH2_MSG_NEWKEYS); packet_check_eom(); debug("SSH2_MSG_NEWKEYS received"); @@ -235,14 +232,10 @@ kex_choose_conf(kex); - switch (kex->kex_type) { - case DH_GRP1_SHA1: - kexdh(kex); - break; - case DH_GEX_SHA1: - kexgex(kex); - break; - default: + if (kex->kex_type >= 0 && kex->kex_type < KEX_MAX && + kex->kex[kex->kex_type] != NULL) { + (kex->kex[kex->kex_type])(kex); + } else { fatal("Unsupported key exchange %d", kex->kex_type); } } @@ -299,9 +292,9 @@ if (k->name == NULL) fatal("no kex alg"); if (strcmp(k->name, KEX_DH1) == 0) { - k->kex_type = DH_GRP1_SHA1; + k->kex_type = KEX_DH_GRP1_SHA1; } else if (strcmp(k->name, KEX_DHGEX) == 0) { - k->kex_type = DH_GEX_SHA1; + k->kex_type = KEX_DH_GEX_SHA1; } else fatal("bad kex alg %s", k->name); } @@ -317,6 +310,30 @@ xfree(hostkeyalg); } +static int +proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX]) +{ + static int check[] = { + PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1 + }; + int *idx; + char *p; + + for (idx = &check[0]; *idx != -1; idx++) { + if ((p = strchr(my[*idx], ',')) != NULL) + *p = '\0'; + if ((p = strchr(peer[*idx], ',')) != NULL) + *p = '\0'; + if (strcmp(my[*idx], peer[*idx]) != 0) { + debug2("proposal mismatch: my %s peer %s", + my[*idx], peer[*idx]); + return (0); + } + } + debug2("proposals match"); + return (1); +} + static void kex_choose_conf(Kex *kex) { @@ -327,9 +344,10 @@ int mode; int ctos; /* direction: if true client-to-server */ int need; + int first_kex_follows, type; - my = kex_buf2prop(&kex->my); - peer = kex_buf2prop(&kex->peer); + my = kex_buf2prop(&kex->my, NULL); + peer = kex_buf2prop(&kex->peer, &first_kex_follows); if (kex->server) { cprop=peer; 
@@ -373,6 +391,12 @@ /* XXX need runden? */ kex->we_need = need; + /* ignore the next message if the proposals do not match */ + if (first_kex_follows && !proposals_match(my, peer)) { + type = packet_read(); + debug2("skipping next packet (type %u)", type); + } + kex_prop_free(my); kex_prop_free(peer); } @@ -433,7 +457,7 @@ for (i = 0; i < NKEYS; i++) keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, shared_secret); - debug("kex_derive_keys"); + debug2("kex_derive_keys"); for (mode = 0; mode < MODE_MAX; mode++) { current_keys[mode] = kex->newkeys[mode]; kex->newkeys[mode] = NULL; diff -ru openssh-3.5p1/kex.h openssh-3.6p1/kex.h --- openssh-3.5p1/kex.h 2002-09-12 09:49:17.000000000 +1000 +++ openssh-3.6p1/kex.h 2003-02-24 12:03:03.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.32 2002/09/09 14:54:14 markus Exp $ */ +/* $OpenBSD: kex.h,v 1.33 2003/02/16 17:09:57 markus Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -55,8 +55,9 @@ }; enum kex_exchange { - DH_GRP1_SHA1, - DH_GEX_SHA1 + KEX_DH_GRP1_SHA1, + KEX_DH_GEX_SHA1, + KEX_MAX }; #define KEX_INIT_SENT 0x0001 @@ -112,6 +113,7 @@ int (*verify_host_key)(Key *); Key *(*load_host_key)(int); int (*host_key_index)(Key *); + void (*kex[KEX_MAX])(Kex *); }; Kex *kex_setup(char *[PROPOSAL_MAX]); 
@@ -121,11 +123,20 @@ void kex_input_kexinit(int, u_int32_t, void *); void kex_derive_keys(Kex *, u_char *, BIGNUM *); -void kexdh(Kex *); -void kexgex(Kex *); - Newkeys *kex_get_newkeys(int); +void kexdh_client(Kex *); +void kexdh_server(Kex *); +void kexgex_client(Kex *); +void kexgex_server(Kex *); + +u_char * +kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, + BIGNUM *, BIGNUM *, BIGNUM *); +u_char * +kexgex_hash(char *, char *, char *, int, char *, int, u_char *, int, + int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *); + #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) void dump_digest(char *, u_char *, int); #endif diff -ru openssh-3.5p1/kexdh.c openssh-3.6p1/kexdh.c --- openssh-3.5p1/kexdh.c 2002-03-22 13:30:43.000000000 +1100 +++ openssh-3.6p1/kexdh.c 2003-02-24 12:03:03.000000000 +1100 @@ -23,23 +23,16 @@ */ #include "includes.h" -RCSID("$OpenBSD: kexdh.c,v 1.18 2002/03/18 17:50:31 provos Exp $"); +RCSID("$OpenBSD: kexdh.c,v 1.19 2003/02/16 17:09:57 markus Exp $"); -#include -#include +#include -#include "xmalloc.h" #include "buffer.h" #include "bufaux.h" -#include "key.h" -#include "kex.h" -#include "log.h" -#include "packet.h" -#include "dh.h" #include "ssh2.h" -#include "monitor_wrap.h" +#include "kex.h" -static u_char * +u_char * kex_dh_hash( char *client_version_string, char *server_version_string, 
@@ -86,222 +79,3 @@ #endif return digest; } - -/* client */ - -static void -kexdh_client(Kex *kex) -{ - BIGNUM *dh_server_pub = NULL, *shared_secret = NULL; - DH *dh; - Key *server_host_key; - u_char *server_host_key_blob = NULL, *signature = NULL; - u_char *kbuf, *hash; - u_int klen, kout, slen, sbloblen; - - /* generate and send 'e', client DH public key */ - dh = dh_new_group1(); - dh_gen_key(dh, kex->we_need * 8); - packet_start(SSH2_MSG_KEXDH_INIT); - packet_put_bignum2(dh->pub_key); - packet_send(); - - debug("sending SSH2_MSG_KEXDH_INIT"); -#ifdef DEBUG_KEXDH - DHparams_print_fp(stderr, dh); - fprintf(stderr, "pub= "); - BN_print_fp(stderr, dh->pub_key); - fprintf(stderr, "\n"); -#endif - - debug("expecting SSH2_MSG_KEXDH_REPLY"); - packet_read_expect(SSH2_MSG_KEXDH_REPLY); - - /* key, cert */ - server_host_key_blob = packet_get_string(&sbloblen); - server_host_key = key_from_blob(server_host_key_blob, sbloblen); - if (server_host_key == NULL) - fatal("cannot decode server_host_key_blob"); - if (server_host_key->type != kex->hostkey_type) - fatal("type mismatch for decoded server_host_key_blob"); - if (kex->verify_host_key == NULL) - fatal("cannot verify server_host_key"); - if (kex->verify_host_key(server_host_key) == -1) - fatal("server_host_key verification failed"); - - /* DH paramter f, server public DH key */ - if ((dh_server_pub = BN_new()) == NULL) - fatal("dh_server_pub == NULL"); - packet_get_bignum2(dh_server_pub); - -#ifdef DEBUG_KEXDH - fprintf(stderr, "dh_server_pub= "); - BN_print_fp(stderr, dh_server_pub); - fprintf(stderr, "\n"); - debug("bits %d", BN_num_bits(dh_server_pub)); -#endif - - /* signed H */ - signature = packet_get_string(&slen); - packet_check_eom(); - - if (!dh_pub_is_valid(dh, dh_server_pub)) - packet_disconnect("bad server public DH value"); - - klen = DH_size(dh); - kbuf = xmalloc(klen); - kout = DH_compute_key(kbuf, dh_server_pub, dh); -#ifdef DEBUG_KEXDH - dump_digest("shared secret", kbuf, kout); -#endif - if 
((shared_secret = BN_new()) == NULL) - fatal("kexdh_client: BN_new failed"); - BN_bin2bn(kbuf, kout, shared_secret); - memset(kbuf, 0, klen); - xfree(kbuf); - - /* calc and verify H */ - hash = kex_dh_hash( - kex->client_version_string, - kex->server_version_string, - buffer_ptr(&kex->my), buffer_len(&kex->my), - buffer_ptr(&kex->peer), buffer_len(&kex->peer), - server_host_key_blob, sbloblen, - dh->pub_key, - dh_server_pub, - shared_secret - ); - xfree(server_host_key_blob); - BN_clear_free(dh_server_pub); - DH_free(dh); - - if (key_verify(server_host_key, signature, slen, hash, 20) != 1) - fatal("key_verify failed for server_host_key"); - key_free(server_host_key); - xfree(signature); - - /* save session id */ - if (kex->session_id == NULL) { - kex->session_id_len = 20; - kex->session_id = xmalloc(kex->session_id_len); - memcpy(kex->session_id, hash, kex->session_id_len); - } - - kex_derive_keys(kex, hash, shared_secret); - BN_clear_free(shared_secret); - kex_finish(kex); -} - -/* server */ - -static void -kexdh_server(Kex *kex) -{ - BIGNUM *shared_secret = NULL, *dh_client_pub = NULL; - DH *dh; - Key *server_host_key; - u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL; - u_int sbloblen, klen, kout; - u_int slen; - - /* generate server DH public key */ - dh = dh_new_group1(); - dh_gen_key(dh, kex->we_need * 8); - - debug("expecting SSH2_MSG_KEXDH_INIT"); - packet_read_expect(SSH2_MSG_KEXDH_INIT); - - if (kex->load_host_key == NULL) - fatal("Cannot load hostkey"); - server_host_key = kex->load_host_key(kex->hostkey_type); - if (server_host_key == NULL) - fatal("Unsupported hostkey type %d", kex->hostkey_type); - - /* key, cert */ - if ((dh_client_pub = BN_new()) == NULL) - fatal("dh_client_pub == NULL"); - packet_get_bignum2(dh_client_pub); - packet_check_eom(); - -#ifdef DEBUG_KEXDH - fprintf(stderr, "dh_client_pub= "); - BN_print_fp(stderr, dh_client_pub); - fprintf(stderr, "\n"); - debug("bits %d", BN_num_bits(dh_client_pub)); -#endif - 
-#ifdef DEBUG_KEXDH - DHparams_print_fp(stderr, dh); - fprintf(stderr, "pub= "); - BN_print_fp(stderr, dh->pub_key); - fprintf(stderr, "\n"); -#endif - if (!dh_pub_is_valid(dh, dh_client_pub)) - packet_disconnect("bad client public DH value"); - - klen = DH_size(dh); - kbuf = xmalloc(klen); - kout = DH_compute_key(kbuf, dh_client_pub, dh); -#ifdef DEBUG_KEXDH - dump_digest("shared secret", kbuf, kout); -#endif - if ((shared_secret = BN_new()) == NULL) - fatal("kexdh_server: BN_new failed"); - BN_bin2bn(kbuf, kout, shared_secret); - memset(kbuf, 0, klen); - xfree(kbuf); - - key_to_blob(server_host_key, &server_host_key_blob, &sbloblen); - - /* calc H */ - hash = kex_dh_hash( - kex->client_version_string, - kex->server_version_string, - buffer_ptr(&kex->peer), buffer_len(&kex->peer), - buffer_ptr(&kex->my), buffer_len(&kex->my), - server_host_key_blob, sbloblen, - dh_client_pub, - dh->pub_key, - shared_secret - ); - BN_clear_free(dh_client_pub); - - /* save session id := H */ - /* XXX hashlen depends on KEX */ - if (kex->session_id == NULL) { - kex->session_id_len = 20; - kex->session_id = xmalloc(kex->session_id_len); - memcpy(kex->session_id, hash, kex->session_id_len); - } - - /* sign H */ - /* XXX hashlen depends on KEX */ - PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20)); - - /* destroy_sensitive_data(); */ - - /* send server hostkey, DH pubkey 'f' and singed H */ - packet_start(SSH2_MSG_KEXDH_REPLY); - packet_put_string(server_host_key_blob, sbloblen); - packet_put_bignum2(dh->pub_key); /* f */ - packet_put_string(signature, slen); - packet_send(); - - xfree(signature); - xfree(server_host_key_blob); - /* have keys, free DH */ - DH_free(dh); - - kex_derive_keys(kex, hash, shared_secret); - BN_clear_free(shared_secret); - kex_finish(kex); -} - -void -kexdh(Kex *kex) -{ - if (kex->server) - kexdh_server(kex); - else - kexdh_client(kex); -} Only in openssh-3.6p1: kexdhc.c Only in openssh-3.6p1: kexdhs.c diff -ru openssh-3.5p1/kexgex.c 
openssh-3.6p1/kexgex.c --- openssh-3.5p1/kexgex.c 2002-03-26 13:20:07.000000000 +1100 +++ openssh-3.6p1/kexgex.c 2003-02-24 12:03:03.000000000 +1100 @@ -24,23 +24,16 @@ */ #include "includes.h" -RCSID("$OpenBSD: kexgex.c,v 1.22 2002/03/24 17:27:03 stevesk Exp $"); +RCSID("$OpenBSD: kexgex.c,v 1.23 2003/02/16 17:09:57 markus Exp $"); -#include +#include -#include "xmalloc.h" #include "buffer.h" #include "bufaux.h" -#include "key.h" #include "kex.h" -#include "log.h" -#include "packet.h" -#include "dh.h" #include "ssh2.h" -#include "compat.h" -#include "monitor_wrap.h" -static u_char * +u_char * kexgex_hash( char *client_version_string, char *server_version_string, 
@@ -97,318 +90,3 @@ #endif return digest; } - -/* client */ - -static void -kexgex_client(Kex *kex) -{ - BIGNUM *dh_server_pub = NULL, *shared_secret = NULL; - BIGNUM *p = NULL, *g = NULL; - Key *server_host_key; - u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL; - u_int klen, kout, slen, sbloblen; - int min, max, nbits; - DH *dh; - - nbits = dh_estimate(kex->we_need * 8); - - if (datafellows & SSH_OLD_DHGEX) { - debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD sent"); - - /* Old GEX request */ - packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD); - packet_put_int(nbits); - min = DH_GRP_MIN; - max = DH_GRP_MAX; - } else { - debug("SSH2_MSG_KEX_DH_GEX_REQUEST sent"); - - /* New GEX request */ - min = DH_GRP_MIN; - max = DH_GRP_MAX; - packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST); - packet_put_int(min); - packet_put_int(nbits); - packet_put_int(max); - } -#ifdef DEBUG_KEXDH - fprintf(stderr, "\nmin = %d, nbits = %d, max = %d\n", - min, nbits, max); -#endif - packet_send(); - - debug("expecting SSH2_MSG_KEX_DH_GEX_GROUP"); - packet_read_expect(SSH2_MSG_KEX_DH_GEX_GROUP); - - if ((p = BN_new()) == NULL) - fatal("BN_new"); - packet_get_bignum2(p); - if ((g = BN_new()) == NULL) - fatal("BN_new"); - packet_get_bignum2(g); - packet_check_eom(); - - if (BN_num_bits(p) < min || BN_num_bits(p) > max) - fatal("DH_GEX group out of range: %d !< %d !< %d", - min, BN_num_bits(p), max); - - dh = dh_new_group(g, p); - dh_gen_key(dh, kex->we_need * 8); - -#ifdef DEBUG_KEXDH - DHparams_print_fp(stderr, dh); - fprintf(stderr, "pub= "); - BN_print_fp(stderr, dh->pub_key); - fprintf(stderr, "\n"); -#endif - - debug("SSH2_MSG_KEX_DH_GEX_INIT sent"); - /* generate and send 'e', client DH public key */ - packet_start(SSH2_MSG_KEX_DH_GEX_INIT); - packet_put_bignum2(dh->pub_key); - packet_send(); - - debug("expecting SSH2_MSG_KEX_DH_GEX_REPLY"); - packet_read_expect(SSH2_MSG_KEX_DH_GEX_REPLY); - - /* key, cert */ - server_host_key_blob = packet_get_string(&sbloblen); - server_host_key = 
key_from_blob(server_host_key_blob, sbloblen); - if (server_host_key == NULL) - fatal("cannot decode server_host_key_blob"); - if (server_host_key->type != kex->hostkey_type) - fatal("type mismatch for decoded server_host_key_blob"); - if (kex->verify_host_key == NULL) - fatal("cannot verify server_host_key"); - if (kex->verify_host_key(server_host_key) == -1) - fatal("server_host_key verification failed"); - - /* DH paramter f, server public DH key */ - if ((dh_server_pub = BN_new()) == NULL) - fatal("dh_server_pub == NULL"); - packet_get_bignum2(dh_server_pub); - -#ifdef DEBUG_KEXDH - fprintf(stderr, "dh_server_pub= "); - BN_print_fp(stderr, dh_server_pub); - fprintf(stderr, "\n"); - debug("bits %d", BN_num_bits(dh_server_pub)); -#endif - - /* signed H */ - signature = packet_get_string(&slen); - packet_check_eom(); - - if (!dh_pub_is_valid(dh, dh_server_pub)) - packet_disconnect("bad server public DH value"); - - klen = DH_size(dh); - kbuf = xmalloc(klen); - kout = DH_compute_key(kbuf, dh_server_pub, dh); -#ifdef DEBUG_KEXDH - dump_digest("shared secret", kbuf, kout); -#endif - if ((shared_secret = BN_new()) == NULL) - fatal("kexgex_client: BN_new failed"); - BN_bin2bn(kbuf, kout, shared_secret); - memset(kbuf, 0, klen); - xfree(kbuf); - - if (datafellows & SSH_OLD_DHGEX) - min = max = -1; - - /* calc and verify H */ - hash = kexgex_hash( - kex->client_version_string, - kex->server_version_string, - buffer_ptr(&kex->my), buffer_len(&kex->my), - buffer_ptr(&kex->peer), buffer_len(&kex->peer), - server_host_key_blob, sbloblen, - min, nbits, max, - dh->p, dh->g, - dh->pub_key, - dh_server_pub, - shared_secret - ); - /* have keys, free DH */ - DH_free(dh); - xfree(server_host_key_blob); - BN_clear_free(dh_server_pub); - - if (key_verify(server_host_key, signature, slen, hash, 20) != 1) - fatal("key_verify failed for server_host_key"); - key_free(server_host_key); - xfree(signature); - - /* save session id */ - if (kex->session_id == NULL) { - kex->session_id_len = 
20; - kex->session_id = xmalloc(kex->session_id_len); - memcpy(kex->session_id, hash, kex->session_id_len); - } - kex_derive_keys(kex, hash, shared_secret); - BN_clear_free(shared_secret); - - kex_finish(kex); -} - -/* server */ - -static void -kexgex_server(Kex *kex) -{ - BIGNUM *shared_secret = NULL, *dh_client_pub = NULL; - Key *server_host_key; - DH *dh; - u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL; - u_int sbloblen, klen, kout, slen; - int min = -1, max = -1, nbits = -1, type; - - if (kex->load_host_key == NULL) - fatal("Cannot load hostkey"); - server_host_key = kex->load_host_key(kex->hostkey_type); - if (server_host_key == NULL) - fatal("Unsupported hostkey type %d", kex->hostkey_type); - - type = packet_read(); - switch (type) { - case SSH2_MSG_KEX_DH_GEX_REQUEST: - debug("SSH2_MSG_KEX_DH_GEX_REQUEST received"); - min = packet_get_int(); - nbits = packet_get_int(); - max = packet_get_int(); - min = MAX(DH_GRP_MIN, min); - max = MIN(DH_GRP_MAX, max); - break; - case SSH2_MSG_KEX_DH_GEX_REQUEST_OLD: - debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received"); - nbits = packet_get_int(); - min = DH_GRP_MIN; - max = DH_GRP_MAX; - /* unused for old GEX */ - break; - default: - fatal("protocol error during kex, no DH_GEX_REQUEST: %d", type); - } - packet_check_eom(); - - if (max < min || nbits < min || max < nbits) - fatal("DH_GEX_REQUEST, bad parameters: %d !< %d !< %d", - min, nbits, max); - - /* Contact privileged parent */ - dh = PRIVSEP(choose_dh(min, nbits, max)); - if (dh == NULL) - packet_disconnect("Protocol error: no matching DH grp found"); - - debug("SSH2_MSG_KEX_DH_GEX_GROUP sent"); - packet_start(SSH2_MSG_KEX_DH_GEX_GROUP); - packet_put_bignum2(dh->p); - packet_put_bignum2(dh->g); - packet_send(); - - /* flush */ - packet_write_wait(); - - /* Compute our exchange value in parallel with the client */ - dh_gen_key(dh, kex->we_need * 8); - - debug("expecting SSH2_MSG_KEX_DH_GEX_INIT"); - packet_read_expect(SSH2_MSG_KEX_DH_GEX_INIT); 
- - /* key, cert */ - if ((dh_client_pub = BN_new()) == NULL) - fatal("dh_client_pub == NULL"); - packet_get_bignum2(dh_client_pub); - packet_check_eom(); - -#ifdef DEBUG_KEXDH - fprintf(stderr, "dh_client_pub= "); - BN_print_fp(stderr, dh_client_pub); - fprintf(stderr, "\n"); - debug("bits %d", BN_num_bits(dh_client_pub)); -#endif - -#ifdef DEBUG_KEXDH - DHparams_print_fp(stderr, dh); - fprintf(stderr, "pub= "); - BN_print_fp(stderr, dh->pub_key); - fprintf(stderr, "\n"); -#endif - if (!dh_pub_is_valid(dh, dh_client_pub)) - packet_disconnect("bad client public DH value"); - - klen = DH_size(dh); - kbuf = xmalloc(klen); - kout = DH_compute_key(kbuf, dh_client_pub, dh); -#ifdef DEBUG_KEXDH - dump_digest("shared secret", kbuf, kout); -#endif - if ((shared_secret = BN_new()) == NULL) - fatal("kexgex_server: BN_new failed"); - BN_bin2bn(kbuf, kout, shared_secret); - memset(kbuf, 0, klen); - xfree(kbuf); - - key_to_blob(server_host_key, &server_host_key_blob, &sbloblen); - - if (type == SSH2_MSG_KEX_DH_GEX_REQUEST_OLD) - min = max = -1; - - /* calc H */ /* XXX depends on 'kex' */ - hash = kexgex_hash( - kex->client_version_string, - kex->server_version_string, - buffer_ptr(&kex->peer), buffer_len(&kex->peer), - buffer_ptr(&kex->my), buffer_len(&kex->my), - server_host_key_blob, sbloblen, - min, nbits, max, - dh->p, dh->g, - dh_client_pub, - dh->pub_key, - shared_secret - ); - BN_clear_free(dh_client_pub); - - /* save session id := H */ - /* XXX hashlen depends on KEX */ - if (kex->session_id == NULL) { - kex->session_id_len = 20; - kex->session_id = xmalloc(kex->session_id_len); - memcpy(kex->session_id, hash, kex->session_id_len); - } - - /* sign H */ - /* XXX hashlen depends on KEX */ - PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20)); - - /* destroy_sensitive_data(); */ - - /* send server hostkey, DH pubkey 'f' and singed H */ - debug("SSH2_MSG_KEX_DH_GEX_REPLY sent"); - packet_start(SSH2_MSG_KEX_DH_GEX_REPLY); - packet_put_string(server_host_key_blob, 
sbloblen); - packet_put_bignum2(dh->pub_key); /* f */ - packet_put_string(signature, slen); - packet_send(); - - xfree(signature); - xfree(server_host_key_blob); - /* have keys, free DH */ - DH_free(dh); - - kex_derive_keys(kex, hash, shared_secret); - BN_clear_free(shared_secret); - - kex_finish(kex); -} - -void -kexgex(Kex *kex) -{ - if (kex->server) - kexgex_server(kex); - else - kexgex_client(kex); -} Only in openssh-3.6p1: kexgexc.c Only in openssh-3.6p1: kexgexs.c diff -ru openssh-3.5p1/key.c openssh-3.6p1/key.c --- openssh-3.5p1/key.c 2002-09-12 09:49:17.000000000 +1000 +++ openssh-3.6p1/key.c 2003-02-24 12:01:41.000000000 +1100 @@ -32,15 +32,13 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: key.c,v 1.49 2002/09/09 14:54:14 markus Exp $"); +RCSID("$OpenBSD: key.c,v 1.51 2003/02/12 09:33:04 markus Exp $"); #include #include "xmalloc.h" #include "key.h" #include "rsa.h" -#include "ssh-dss.h" -#include "ssh-rsa.h" #include "uuencode.h" #include "buffer.h" #include "bufaux.h" @@ -410,14 +408,14 @@ case KEY_DSA: space = strchr(cp, ' '); if (space == NULL) { - debug3("key_read: no space"); + debug3("key_read: missing whitespace"); return -1; } *space = '\0'; type = key_type_from_name(cp); *space = ' '; if (type == KEY_UNSPEC) { - debug3("key_read: no key found"); + debug3("key_read: missing keytype"); return -1; } cp = space+1; diff -ru openssh-3.5p1/key.h openssh-3.6p1/key.h --- openssh-3.5p1/key.h 2002-03-22 12:45:55.000000000 +1100 +++ openssh-3.6p1/key.h 2003-02-24 12:01:41.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.19 2002/03/18 17:23:31 markus Exp $ */ +/* $OpenBSD: key.h,v 1.20 2003/02/12 09:33:04 markus Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 
@@ -78,4 +78,9 @@ int key_sign(Key *, u_char **, u_int *, u_char *, u_int); int key_verify(Key *, u_char *, u_int, u_char *, u_int); +int ssh_dss_sign(Key *, u_char **, u_int *, u_char *, u_int); +int ssh_dss_verify(Key *, u_char *, u_int, u_char *, u_int); +int ssh_rsa_sign(Key *, u_char **, u_int *, u_char *, u_int); +int ssh_rsa_verify(Key *, u_char *, u_int, u_char *, u_int); + #endif diff -ru openssh-3.5p1/log.c openssh-3.6p1/log.c --- openssh-3.5p1/log.c 2002-07-24 07:01:57.000000000 +1000 +++ openssh-3.6p1/log.c 2003-01-14 22:22:43.000000000 +1100 @@ -34,7 +34,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: log.c,v 1.24 2002/07/19 15:43:33 markus Exp $"); +RCSID("$OpenBSD: log.c,v 1.25 2003/01/11 18:29:43 markus Exp $"); #include "log.h" #include "xmalloc.h" @@ -233,6 +233,7 @@ next_cu = cu->next; xfree(cu); } + fatal_cleanups = NULL; } /* Cleanup and exit */ @@ -386,11 +387,14 @@ } else { vsnprintf(msgbuf, sizeof(msgbuf), fmt, args); } + /* Escape magic chars in output. */ + strnvis(fmtbuf, msgbuf, sizeof(fmtbuf), VIS_OCTAL); + if (log_on_stderr) { - fprintf(stderr, "%s\r\n", msgbuf); + fprintf(stderr, "%s\r\n", fmtbuf); } else { openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility); - syslog(pri, "%.500s", msgbuf); + syslog(pri, "%.500s", fmtbuf); closelog(); } } diff -ru openssh-3.5p1/loginrec.c openssh-3.6p1/loginrec.c --- openssh-3.5p1/loginrec.c 2002-09-26 10:38:49.000000000 +1000 +++ openssh-3.6p1/loginrec.c 2003-03-10 11:23:07.000000000 +1100 @@ -163,7 +163,7 @@ #include "log.h" #include "atomicio.h" -RCSID("$Id: loginrec.c,v 1.44 2002/09/26 00:38:49 tim Exp $"); +RCSID("$Id: loginrec.c,v 1.47 2003/03/10 00:23:07 djm Exp $"); #ifdef HAVE_UTIL_H # include @@ -609,6 +609,9 @@ construct_utmp(struct logininfo *li, struct utmp *ut) { +# ifdef HAVE_ADDR_V6_IN_UTMP + struct sockaddr_in6 *sa6; +# endif memset(ut, '\0', sizeof(*ut)); /* First fill out fields used for both logins and logouts */ 
@@ -661,6 +664,19 @@ if (li->hostaddr.sa.sa_family == AF_INET) ut->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr; # endif +# ifdef HAVE_ADDR_V6_IN_UTMP + /* this is just a 128-bit IPv6 address */ + if (li->hostaddr.sa.sa_family == AF_INET6) { + sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa); + memcpy(ut->ut_addr_v6, sa6->sin6_addr.s6_addr, 16); + if (IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr)) { + ut->ut_addr_v6[0] = ut->ut_addr_v6[3]; + ut->ut_addr_v6[1] = 0; + ut->ut_addr_v6[2] = 0; + ut->ut_addr_v6[3] = 0; + } + } +# endif } #endif /* USE_UTMP || USE_WTMP || USE_LOGIN */ @@ -689,6 +705,9 @@ void construct_utmpx(struct logininfo *li, struct utmpx *utx) { +# ifdef HAVE_ADDR_V6_IN_UTMP + struct sockaddr_in6 *sa6; +# endif memset(utx, '\0', sizeof(*utx)); # ifdef HAVE_ID_IN_UTMPX line_abbrevname(utx->ut_id, li->line, sizeof(utx->ut_id)); @@ -725,6 +744,19 @@ if (li->hostaddr.sa.sa_family == AF_INET) utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr; # endif +# ifdef HAVE_ADDR_V6_IN_UTMP + /* this is just a 128-bit IPv6 address */ + if (li->hostaddr.sa.sa_family == AF_INET6) { + sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa); + memcpy(ut->ut_addr_v6, sa6->sin6_addr.s6_addr, 16); + if (IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr)) { + ut->ut_addr_v6[0] = ut->ut_addr_v6[3]; + ut->ut_addr_v6[1] = 0; + ut->ut_addr_v6[2] = 0; + ut->ut_addr_v6[3] = 0; + } + } +# endif # ifdef HAVE_SYSLEN_IN_UTMPX /* ut_syslen is the length of the utx_host string */ utx->ut_syslen = MIN(strlen(li->hostname), sizeof(utx->ut_host)); @@ -1313,6 +1345,7 @@ } construct_utmp(li, ut); login(ut); + free(ut); return 1; } 
@@ -1490,22 +1523,32 @@ lastlog_get_entry(struct logininfo *li) { struct lastlog last; - int fd; + int fd, ret; if (!lastlog_openseek(li, &fd, O_RDONLY)) - return 0; - - if (atomicio(read, fd, &last, sizeof(last)) != sizeof(last)) { - close(fd); - log("lastlog_get_entry: Error reading from %s: %s", - LASTLOG_FILE, strerror(errno)); - return 0; - } + return (0); + ret = atomicio(read, fd, &last, sizeof(last)); close(fd); - lastlog_populate_entry(li, &last); + switch (ret) { + case 0: + memset(&last, '\0', sizeof(last)); + /* FALLTHRU */ + case sizeof(last): + lastlog_populate_entry(li, &last); + return (1); + case -1: + error("%s: Error reading from %s: %s", __func__, + LASTLOG_FILE, strerror(errno)); + return (0); + default: + error("%s: Error reading from %s: Expecting %d, got %d", + __func__, LASTLOG_FILE, sizeof(last), ret); + return (0); + } - return 1; + /* NOTREACHED */ + return (0); } #endif /* USE_LASTLOG */ diff -ru openssh-3.5p1/misc.c openssh-3.6p1/misc.c --- openssh-3.5p1/misc.c 2002-03-05 12:53:05.000000000 +1100 +++ openssh-3.6p1/misc.c 2002-12-23 13:44:36.000000000 +1100 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: misc.c,v 1.19 2002/03/04 17:27:39 stevesk Exp $"); +RCSID("$OpenBSD: misc.c,v 1.20 2002/12/13 10:03:15 markus Exp $"); #include "misc.h" #include "log.h" @@ -105,7 +105,7 @@ return; } opt = 1; - debug("fd %d setting TCP_NODELAY", fd); + debug2("fd %d setting TCP_NODELAY", fd); if (setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, sizeof opt) == -1) error("setsockopt TCP_NODELAY: %.100s", strerror(errno)); } diff -ru openssh-3.5p1/monitor.c openssh-3.6p1/monitor.c --- openssh-3.5p1/monitor.c 2002-09-27 13:26:02.000000000 +1000 +++ openssh-3.6p1/monitor.c 2003-03-24 09:12:50.000000000 +1100 @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.29 2002/09/26 11:38:43 markus Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.34 2003/03/23 19:02:00 markus Exp $"); #include 
@@ -634,20 +634,20 @@ u_int numprompts; u_int *echo_on; char **prompts; - int res; + u_int success; - res = bsdauth_query(authctxt, &name, &infotxt, &numprompts, - &prompts, &echo_on); + success = bsdauth_query(authctxt, &name, &infotxt, &numprompts, + &prompts, &echo_on) < 0 ? 0 : 1; buffer_clear(m); - buffer_put_int(m, res); - if (res != -1) + buffer_put_int(m, success); + if (success) buffer_put_cstring(m, prompts[0]); - debug3("%s: sending challenge res: %d", __func__, res); + debug3("%s: sending challenge success: %u", __func__, success); mm_request_send(socket, MONITOR_ANS_BSDAUTHQUERY, m); - if (res != -1) { + if (success) { xfree(name); xfree(infotxt); xfree(prompts); @@ -691,16 +691,16 @@ { struct skey skey; char challenge[1024]; - int res; + u_int success; - res = skeychallenge(&skey, authctxt->user, challenge); + success = skeychallenge(&skey, authctxt->user, challenge) < 0 ? 0 : 1; buffer_clear(m); - buffer_put_int(m, res); - if (res != -1) + buffer_put_int(m, success); + if (success) buffer_put_cstring(m, challenge); - debug3("%s: sending challenge res: %d", __func__, res); + debug3("%s: sending challenge success: %u", __func__, success); mm_request_send(socket, MONITOR_ANS_SKEYQUERY, m); return (0); @@ -806,8 +806,9 @@ fatal("%s: unknown key type %d", __func__, type); break; } - key_free(key); } + if (key != NULL) + key_free(key); /* clear temporarily storage (used by verify) */ monitor_reset_key_state(); @@ -826,6 +827,7 @@ buffer_clear(m); buffer_put_int(m, allowed); + buffer_put_int(m, forced_command != NULL); mm_append_debug(m); @@ -1188,6 +1190,7 @@ } buffer_clear(m); buffer_put_int(m, allowed); + buffer_put_int(m, forced_command != NULL); /* clear temporarily storage (used by generate challenge) */ monitor_reset_key_state(); @@ -1202,8 +1205,9 @@ key_blob = blob; key_bloblen = blen; key_blobtype = MM_RSAUSERKEY; - key_free(key); } + if (key != NULL) + key_free(key); mm_append_debug(m); 
@@ -1244,6 +1248,9 @@ mm_request_send(socket, MONITOR_ANS_RSACHALLENGE, m); monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1); + + xfree(blob); + key_free(key); return (0); } @@ -1274,6 +1281,7 @@ fatal("%s: received bad response to challenge", __func__); success = auth_rsa_verify_response(key, ssh1_challenge, response); + xfree(blob); key_free(key); xfree(response); @@ -1458,6 +1466,8 @@ (memcmp(kex->session_id, session_id2, session_id2_len) != 0)) fatal("mm_get_get: internal error: bad session id"); kex->we_need = buffer_get_int(m); + kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; + kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->server = 1; kex->hostkey_type = buffer_get_int(m); kex->kex_type = buffer_get_int(m); @@ -1551,7 +1561,7 @@ void * mm_zalloc(struct mm_master *mm, u_int ncount, u_int size) { - size_t len = size * ncount; + size_t len = (size_t) size * ncount; void *address; if (len == 0 || ncount > SIZE_T_MAX / size) diff -ru openssh-3.5p1/monitor_wrap.c openssh-3.6p1/monitor_wrap.c --- openssh-3.5p1/monitor_wrap.c 2002-09-27 13:26:03.000000000 +1000 +++ openssh-3.6p1/monitor_wrap.c 2003-02-24 12:03:39.000000000 +1100 @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor_wrap.c,v 1.19 2002/09/26 11:38:43 markus Exp $"); +RCSID("$OpenBSD: monitor_wrap.c,v 1.22 2003/02/16 17:30:33 markus Exp $"); #include #include @@ -34,6 +34,7 @@ #include "dh.h" #include "kex.h" #include "auth.h" +#include "auth-options.h" #include "buffer.h" #include "bufaux.h" #include "packet.h" @@ -312,7 +313,7 @@ Buffer m; u_char *blob; u_int len; - int allowed = 0; + int allowed = 0, have_forced = 0; debug3("%s entering", __func__); @@ -334,6 +335,11 @@ allowed = buffer_get_int(&m); + /* fake forced command */ + auth_clear_options(); + have_forced = buffer_get_int(&m); + forced_command = have_forced ? xstrdup("true") : NULL; + /* Send potential debug messages */ mm_send_debug(&m); 
@@ -714,7 +720,7 @@ u_int *numprompts, char ***prompts, u_int **echo_on) { Buffer m; - int res; + u_int success; char *challenge; debug3("%s: entering", __func__); @@ -724,8 +730,8 @@ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_BSDAUTHQUERY, &m); - res = buffer_get_int(&m); - if (res == -1) { + success = buffer_get_int(&m); + if (success == 0) { debug3("%s: no challenge", __func__); buffer_free(&m); return (-1); @@ -771,7 +777,8 @@ u_int *numprompts, char ***prompts, u_int **echo_on) { Buffer m; - int len, res; + int len; + u_int success; char *p, *challenge; debug3("%s: entering", __func__); @@ -781,8 +788,8 @@ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SKEYQUERY, &m); - res = buffer_get_int(&m); - if (res == -1) { + success = buffer_get_int(&m); + if (success == 0) { debug3("%s: no challenge", __func__); buffer_free(&m); return (-1); @@ -852,7 +859,7 @@ Key *key; u_char *blob; u_int blen; - int allowed = 0; + int allowed = 0, have_forced = 0; debug3("%s entering", __func__); @@ -864,6 +871,11 @@ allowed = buffer_get_int(&m); + /* fake forced command */ + auth_clear_options(); + have_forced = buffer_get_int(&m); + forced_command = have_forced ? xstrdup("true") : NULL; + if (allowed && rkey != NULL) { blob = buffer_get_string(&m, &blen); if ((key = key_from_blob(blob, blen)) == NULL) @@ -969,7 +981,7 @@ xfree(p); } buffer_free(&m); - return (success); + return (success); } #endif diff -ru openssh-3.5p1/msg.c openssh-3.6p1/msg.c --- openssh-3.5p1/msg.c 2002-10-03 15:45:54.000000000 +1000 +++ openssh-3.6p1/msg.c 2002-12-23 13:58:17.000000000 +1100 
@@ -22,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: msg.c,v 1.4 2002/07/01 16:15:25 deraadt Exp $"); +RCSID("$OpenBSD: msg.c,v 1.5 2002/12/19 00:07:02 djm Exp $"); #include "buffer.h" #include "getput.h" diff -ru openssh-3.5p1/msg.h openssh-3.6p1/msg.h --- openssh-3.5p1/msg.h 2002-10-03 15:45:54.000000000 +1000 +++ openssh-3.6p1/msg.h 2002-12-23 13:58:17.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: msg.h,v 1.1 2002/05/23 19:24:30 markus Exp $ */ +/* $OpenBSD: msg.h,v 1.2 2002/12/19 00:07:02 djm Exp $ */ /* * Copyright (c) 2002 Markus Friedl. All rights reserved. * diff -ru openssh-3.5p1/openbsd-compat/Makefile.in openssh-3.6p1/openbsd-compat/Makefile.in --- openssh-3.5p1/openbsd-compat/Makefile.in 2002-09-12 10:33:02.000000000 +1000 +++ openssh-3.6p1/openbsd-compat/Makefile.in 2003-02-24 12:55:56.000000000 +1100 @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.23 2002/09/12 00:33:02 djm Exp $ +# $Id: Makefile.in,v 1.25 2003/02/24 01:55:56 djm Exp $ sysconfdir=@sysconfdir@ piddir=@piddir@ 
@@ -16,7 +16,7 @@ INSTALL=@INSTALL@ LDFLAGS=-L. @LDFLAGS@ -OPENBSD=base64.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o +OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o vis.o COMPAT=bsd-arc4random.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-snprintf.o bsd-waitpid.o fake-getaddrinfo.o fake-getnameinfo.o xmmap.o diff -ru openssh-3.5p1/openbsd-compat/base64.c openssh-3.6p1/openbsd-compat/base64.c --- openssh-3.5p1/openbsd-compat/base64.c 2002-09-11 10:29:12.000000000 +1000 +++ openssh-3.6p1/openbsd-compat/base64.c 2003-02-24 15:45:43.000000000 +1100 @@ -44,7 +44,7 @@ #include "includes.h" -#if !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) +#if (!defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP)) || (!defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON)) #include #include @@ -130,6 +130,7 @@ characters followed by one "=" padding character. */ +#if !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) int b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize) { @@ -190,6 +191,9 @@ target[datalength] = '\0'; /* Returned value doesn't count \0. */ return (datalength); } +#endif /* !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) */ + +#if !defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON) /* skips all whitespace anywhere. converts characters, four at a time, starting at (or after) 
@@ -314,4 +318,5 @@ return (tarindex); } -#endif /* !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) */ +#endif /* !defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON) */ +#endif diff -ru openssh-3.5p1/openbsd-compat/base64.h openssh-3.6p1/openbsd-compat/base64.h --- openssh-3.5p1/openbsd-compat/base64.h 2002-02-27 03:59:59.000000000 +1100 +++ openssh-3.6p1/openbsd-compat/base64.h 2003-02-24 15:45:43.000000000 +1100 @@ -1,4 +1,4 @@ -/* $Id: base64.h,v 1.3 2002/02/26 16:59:59 stevesk Exp $ */ +/* $Id: base64.h,v 1.4 2003/02/24 04:45:43 djm Exp $ */ #ifndef _BSD_BASE64_H #define _BSD_BASE64_H @@ -9,10 +9,15 @@ # ifndef HAVE_B64_NTOP int b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize); -int b64_pton(char const *src, u_char *target, size_t targsize); # endif /* !HAVE_B64_NTOP */ # define __b64_ntop b64_ntop -# define __b64_pton b64_pton #endif /* HAVE___B64_NTOP */ +#ifndef HAVE___B64_PTON +# ifndef HAVE_B64_PTON +int b64_pton(char const *src, u_char *target, size_t targsize); +# endif /* !HAVE_B64_PTON */ +# define __b64_pton b64_pton +#endif /* HAVE___B64_PTON */ + #endif /* _BSD_BASE64_H */ Only in openssh-3.6p1/openbsd-compat: basename.c Only in openssh-3.6p1/openbsd-compat: basename.h diff -ru openssh-3.5p1/openbsd-compat/bsd-arc4random.c openssh-3.6p1/openbsd-compat/bsd-arc4random.c --- openssh-3.5p1/openbsd-compat/bsd-arc4random.c 2002-05-09 08:57:18.000000000 +1000 +++ openssh-3.6p1/openbsd-compat/bsd-arc4random.c 2003-03-17 16:13:53.000000000 +1100 @@ -25,7 +25,7 @@ #include "includes.h" #include "log.h" -RCSID("$Id: bsd-arc4random.c,v 1.5 2002/05/08 22:57:18 tim Exp $"); +RCSID("$Id: bsd-arc4random.c,v 1.6 2003/03/17 05:13:53 djm Exp $"); #ifndef HAVE_ARC4RANDOM 
@@ -66,7 +66,7 @@ unsigned char rand_buf[SEED_SIZE]; memset(&rc4, 0, sizeof(rc4)); - if (!RAND_bytes(rand_buf, sizeof(rand_buf))) + if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0) fatal("Couldn't obtain random bytes (error %ld)", ERR_get_error()); RC4_set_key(&rc4, sizeof(rand_buf), rand_buf); diff -ru openssh-3.5p1/openbsd-compat/bsd-cray.h openssh-3.6p1/openbsd-compat/bsd-cray.h --- openssh-3.5p1/openbsd-compat/bsd-cray.h 2002-09-26 10:38:51.000000000 +1000 +++ openssh-3.6p1/openbsd-compat/bsd-cray.h 2003-03-21 12:07:45.000000000 +1100 @@ -1,5 +1,5 @@ /* - * $Id: bsd-cray.h,v 1.5 2002/09/26 00:38:51 tim Exp $ + * $Id: bsd-cray.h,v 1.6.2.1 2003/03/21 01:07:45 mouring Exp $ * * bsd-cray.h * @@ -49,6 +49,10 @@ #ifndef MAXHOSTNAMELEN #define MAXHOSTNAMELEN 64 #endif +#ifndef _CRAYT3E +#include +#define TIOCGPGRP (tIOC|20) +#endif #endif #endif /* _BSD_CRAY_H */ diff -ru openssh-3.5p1/openbsd-compat/bsd-cygwin_util.c openssh-3.6p1/openbsd-compat/bsd-cygwin_util.c --- openssh-3.5p1/openbsd-compat/bsd-cygwin_util.c 2002-04-16 08:00:52.000000000 +1000 +++ openssh-3.6p1/openbsd-compat/bsd-cygwin_util.c 2002-11-10 02:59:29.000000000 +1100 @@ -31,7 +31,7 @@ #include "includes.h" -RCSID("$Id: bsd-cygwin_util.c,v 1.8 2002/04/15 22:00:52 stevesk Exp $"); +RCSID("$Id: bsd-cygwin_util.c,v 1.9 2002/11/09 15:59:29 mouring Exp $"); #ifdef HAVE_CYGWIN @@ -43,6 +43,7 @@ #define is_winnt (GetVersion() < 0x80000000) #define ntsec_on(c) ((c) && strstr((c),"ntsec") && !strstr((c),"nontsec")) +#define ntsec_off(c) ((c) && strstr((c),"nontsec")) #define ntea_on(c) ((c) && strstr((c),"ntea") && !strstr((c),"nontea")) #if defined(open) && open == binary_open 
@@ -74,6 +75,56 @@ return ret; } +#define HAS_CREATE_TOKEN 1 +#define HAS_NTSEC_BY_DEFAULT 2 + +static int has_capability(int what) +{ + /* has_capability() basically calls uname() and checks if + specific capabilities of Cygwin can be evaluated from that. + This simplifies the calling functions which only have to ask + for a capability using has_capability() instead of having + to figure that out by themselves. */ + static int inited; + static int has_create_token; + static int has_ntsec_by_default; + + if (!inited) { + struct utsname uts; + char *c; + + if (!uname(&uts)) { + int major_high = 0; + int major_low = 0; + int minor = 0; + int api_major_version = 0; + int api_minor_version = 0; + char *c; + + sscanf(uts.release, "%d.%d.%d", &major_high, + &major_low, &minor); + c = strchr(uts.release, '('); + if (c) + sscanf(c + 1, "%d.%d", &api_major_version, + &api_minor_version); + if (major_high > 1 || + (major_high == 1 && (major_low > 3 || + (major_low == 3 && minor >= 2)))) + has_create_token = 1; + if (api_major_version > 0 || api_minor_version >= 56) + has_ntsec_by_default = 1; + inited = 1; + } + } + switch (what) { + case HAS_CREATE_TOKEN: + return has_create_token; + case HAS_NTSEC_BY_DEFAULT: + return has_ntsec_by_default; + } + return 0; +} + int check_nt_auth(int pwd_authenticated, struct passwd *pw) { /* 
@@ -93,19 +144,14 @@ return 0; if (is_winnt) { if (has_create_token < 0) { - struct utsname uts; - int major_high = 0, major_low = 0, minor = 0; char *cygwin = getenv("CYGWIN"); has_create_token = 0; - if (ntsec_on(cygwin) && !uname(&uts)) { - sscanf(uts.release, "%d.%d.%d", - &major_high, &major_low, &minor); - if (major_high > 1 || - (major_high == 1 && (major_low > 3 || - (major_low == 3 && minor >= 2)))) - has_create_token = 1; - } + if (has_capability(HAS_CREATE_TOKEN) && + (ntsec_on(cygwin) || + (has_capability(HAS_NTSEC_BY_DEFAULT) && + !ntsec_off(cygwin)))) + has_create_token = 1; } if (has_create_token < 1 && !pwd_authenticated && geteuid() != pw->pw_uid) @@ -128,7 +174,9 @@ /* Evaluate current CYGWIN settings. */ cygwin = getenv("CYGWIN"); allow_ntea = ntea_on(cygwin); - allow_ntsec = ntsec_on(cygwin); + allow_ntsec = ntsec_on(cygwin) || + (has_capability(HAS_NTSEC_BY_DEFAULT) && + !ntsec_off(cygwin)); /* * `ntea' is an emulation of POSIX attributes. It doesn't support diff -ru openssh-3.5p1/openbsd-compat/bsd-getpeereid.c openssh-3.6p1/openbsd-compat/bsd-getpeereid.c --- openssh-3.5p1/openbsd-compat/bsd-getpeereid.c 2002-09-12 10:33:02.000000000 +1000 +++ openssh-3.6p1/openbsd-compat/bsd-getpeereid.c 2003-03-26 16:02:47.000000000 +1100 @@ -24,7 +24,7 @@ #include "includes.h" -RCSID("$Id: bsd-getpeereid.c,v 1.1 2002/09/12 00:33:02 djm Exp $"); +RCSID("$Id: bsd-getpeereid.c,v 1.1.4.1 2003/03/26 05:02:47 djm Exp $"); #if !defined(HAVE_GETPEEREID) @@ -33,7 +33,7 @@ getpeereid(int s, uid_t *euid, gid_t *gid) { struct ucred cred; - size_t len = sizeof(cred); + socklen_t len = sizeof(cred); if (getsockopt(s, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0) return (-1); diff -ru openssh-3.5p1/openbsd-compat/bsd-misc.c openssh-3.6p1/openbsd-compat/bsd-misc.c --- openssh-3.5p1/openbsd-compat/bsd-misc.c 2002-07-09 07:09:41.000000000 +1000 +++ openssh-3.6p1/openbsd-compat/bsd-misc.c 2003-03-19 05:21:41.000000000 +1100 
@@ -23,15 +23,20 @@ */ #include "includes.h" +#include "xmalloc.h" -RCSID("$Id: bsd-misc.c,v 1.10 2002/07/08 21:09:41 mouring Exp $"); +RCSID("$Id: bsd-misc.c,v 1.12 2003/03/18 18:21:41 tim Exp $"); +/* + * NB. duplicate __progname in case it is an alias for argv[0] + * Otherwise it may get clobbered by setproctitle() + */ char *get_progname(char *argv0) { #ifdef HAVE___PROGNAME extern char *__progname; - return __progname; + return xstrdup(__progname); #else char *p; @@ -42,7 +47,8 @@ p = argv0; else p++; - return p; + + return xstrdup(p); #endif } @@ -129,3 +135,34 @@ } #endif +#if !defined(HAVE_NANOSLEEP) && !defined(HAVE_NSLEEP) +int nanosleep(const struct timespec *req, struct timespec *rem) +{ + int rc, saverrno; + extern int errno; + struct timeval tstart, tstop, tremain, time2wait; + + TIMESPEC_TO_TIMEVAL(&time2wait, req) + (void) gettimeofday(&tstart, NULL); + rc = select(0, NULL, NULL, NULL, &time2wait); + if (rc == -1) { + saverrno = errno; + (void) gettimeofday (&tstop, NULL); + errno = saverrno; + tremain.tv_sec = time2wait.tv_sec - + (tstop.tv_sec - tstart.tv_sec); + tremain.tv_usec = time2wait.tv_usec - + (tstop.tv_usec - tstart.tv_usec); + tremain.tv_sec += tremain.tv_usec / 1000000L; + tremain.tv_usec %= 1000000L; + } else { + tremain.tv_sec = 0; + tremain.tv_usec = 0; + } + TIMEVAL_TO_TIMESPEC(&tremain, rem) + + return(rc); +} + +#endif + diff -ru openssh-3.5p1/openbsd-compat/bsd-misc.h openssh-3.6p1/openbsd-compat/bsd-misc.h --- openssh-3.5p1/openbsd-compat/bsd-misc.h 2002-06-14 07:34:58.000000000 +1000 +++ openssh-3.6p1/openbsd-compat/bsd-misc.h 2003-03-19 05:21:41.000000000 +1100 @@ -22,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* $Id: bsd-misc.h,v 1.6 2002/06/13 21:34:58 mouring Exp $ */ +/* $Id: bsd-misc.h,v 1.7 2003/03/18 18:21:41 tim Exp $ */ #ifndef _BSD_MISC_H #define _BSD_MISC_H 
@@ -80,5 +80,14 @@ int setgroups(size_t size, const gid_t *list); #endif +#if !defined(HAVE_NANOSLEEP) && !defined(HAVE_NSLEEP) +#ifndef HAVE_STRUCT_TIMESPEC +struct timespec { + time_t tv_sec; + long tv_nsec; +}; +#endif +int nanosleep(const struct timespec *req, struct timespec *rem); +#endif #endif /* _BSD_MISC_H */ diff -ru openssh-3.5p1/openbsd-compat/fake-getaddrinfo.c openssh-3.6p1/openbsd-compat/fake-getaddrinfo.c --- openssh-3.5p1/openbsd-compat/fake-getaddrinfo.c 2001-02-09 12:55:36.000000000 +1100 +++ openssh-3.6p1/openbsd-compat/fake-getaddrinfo.c 2003-03-26 16:03:06.000000000 +1100 @@ -12,7 +12,7 @@ #include "includes.h" #include "ssh.h" -RCSID("$Id: fake-getaddrinfo.c,v 1.2 2001/02/09 01:55:36 djm Exp $"); +RCSID("$Id: fake-getaddrinfo.c,v 1.4.2.1 2003/03/26 05:03:06 djm Exp $"); #ifndef HAVE_GAI_STRERROR char *gai_strerror(int ecode) @@ -67,16 +67,30 @@ { struct addrinfo *cur, *prev = NULL; struct hostent *hp; + struct servent *sp; struct in_addr in; - int i, port; - - if (servname) - port = htons(atoi(servname)); - else - port = 0; + int i; + long int port; + u_long addr; + + port = 0; + if (servname != NULL) { + char *cp; + + port = strtol(servname, &cp, 10); + if (port > 0 && port <= 65535 && *cp == '\0') + port = htons(port); + else if ((sp = getservbyname(servname, NULL)) != NULL) + port = sp->s_port; + else + port = 0; + } if (hints && hints->ai_flags & AI_PASSIVE) { - if (NULL != (*res = malloc_ai(port, htonl(0x00000000)))) + addr = htonl(0x00000000); + if (hostname && inet_aton(hostname, &in) != 0) + addr = in.s_addr; + if (NULL != (*res = malloc_ai(port, addr))) return 0; else return EAI_MEMORY; diff -ru openssh-3.5p1/openbsd-compat/fake-getaddrinfo.h openssh-3.6p1/openbsd-compat/fake-getaddrinfo.h --- openssh-3.5p1/openbsd-compat/fake-getaddrinfo.h 2001-02-09 12:55:36.000000000 +1100 +++ openssh-3.6p1/openbsd-compat/fake-getaddrinfo.h 2003-02-24 12:35:09.000000000 +1100 
@@ -1,4 +1,4 @@ -/* $Id: fake-getaddrinfo.h,v 1.2 2001/02/09 01:55:36 djm Exp $ */ +/* $Id: fake-getaddrinfo.h,v 1.4 2003/02/24 01:35:09 djm Exp $ */ #ifndef _FAKE_GETADDRINFO_H #define _FAKE_GETADDRINFO_H diff -ru openssh-3.5p1/openbsd-compat/getcwd.c openssh-3.6p1/openbsd-compat/getcwd.c --- openssh-3.5p1/openbsd-compat/getcwd.c 2002-06-28 04:23:21.000000000 +1000 +++ openssh-3.6p1/openbsd-compat/getcwd.c 2003-01-08 11:16:48.000000000 +1100 @@ -29,7 +29,7 @@ #if !defined(HAVE_GETCWD) #if defined(LIBC_SCCS) && !defined(lint) -static char rcsid[] = "$OpenBSD: getcwd.c,v 1.6 2000/07/19 15:25:13 deraadt Exp $"; +static char rcsid[] = "$OpenBSD: getcwd.c,v 1.7 2002/11/24 01:52:27 cloder Exp $"; #endif /* LIBC_SCCS and not lint */ #include @@ -127,7 +127,7 @@ /* * Build pointer to the parent directory, allocating memory * as necessary. Max length is 3 for "../", the largest - * possible component name, plus a trailing NULL. + * possible component name, plus a trailing NUL. */ if (bup + 3 + MAXNAMLEN + 1 >= eup) { char *nup; diff -ru openssh-3.5p1/openbsd-compat/getopt.c openssh-3.6p1/openbsd-compat/getopt.c --- openssh-3.5p1/openbsd-compat/getopt.c 2002-06-28 04:23:21.000000000 +1000 +++ openssh-3.6p1/openbsd-compat/getopt.c 2003-01-08 11:16:48.000000000 +1100 @@ -35,7 +35,7 @@ #if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) #if defined(LIBC_SCCS) && !defined(lint) -static char *rcsid = "$OpenBSD: getopt.c,v 1.2 1996/08/19 08:33:32 tholo Exp $"; +static char *rcsid = "$OpenBSD: getopt.c,v 1.4 2002/12/08 22:57:14 millert Exp $"; #endif /* LIBC_SCCS and not lint */ #include 
@@ -66,6 +66,9 @@ static char *place = EMSG; /* option letter processing */ char *oli; /* option letter list index */ + if (ostr == NULL) + return (-1); + if (BSDoptreset || !*place) { /* update scanning pointer */ BSDoptreset = 0; if (BSDoptind >= nargc || *(place = nargv[BSDoptind]) != '-') { diff -ru openssh-3.5p1/openbsd-compat/mktemp.c openssh-3.6p1/openbsd-compat/mktemp.c --- openssh-3.5p1/openbsd-compat/mktemp.c 2002-09-11 10:29:13.000000000 +1000 +++ openssh-3.6p1/openbsd-compat/mktemp.c 2003-01-07 15:18:33.000000000 +1100 @@ -36,7 +36,7 @@ #include "includes.h" -#ifndef HAVE_MKDTEMP +#if !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP) #if defined(LIBC_SCCS) && !defined(lint) static char rcsid[] = "$OpenBSD: mktemp.c,v 1.16 2002/05/27 18:20:45 millert Exp $"; @@ -181,4 +181,4 @@ /*NOTREACHED*/ } -#endif /* !HAVE_MKDTEMP */ +#endif /* !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP) */ diff -ru openssh-3.5p1/openbsd-compat/mktemp.h openssh-3.6p1/openbsd-compat/mktemp.h --- openssh-3.5p1/openbsd-compat/mktemp.h 2001-02-09 12:55:36.000000000 +1100 +++ openssh-3.6p1/openbsd-compat/mktemp.h 2003-01-07 15:18:33.000000000 +1100 @@ -1,13 +1,13 @@ -/* $Id: mktemp.h,v 1.2 2001/02/09 01:55:36 djm Exp $ */ +/* $Id: mktemp.h,v 1.3 2003/01/07 04:18:33 djm Exp $ */ #ifndef _BSD_MKTEMP_H #define _BSD_MKTEMP_H #include "config.h" -#ifndef HAVE_MKDTEMP +#if !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP) int mkstemps(char *path, int slen); int mkstemp(char *path); char *mkdtemp(char *path); -#endif /* !HAVE_MKDTEMP */ +#endif /* !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP) */ #endif /* _BSD_MKTEMP_H */ diff -ru openssh-3.5p1/openbsd-compat/openbsd-compat.h openssh-3.6p1/openbsd-compat/openbsd-compat.h --- openssh-3.5p1/openbsd-compat/openbsd-compat.h 2002-09-12 10:33:02.000000000 +1000 +++ openssh-3.6p1/openbsd-compat/openbsd-compat.h 2003-02-24 12:55:56.000000000 +1100 
@@ -1,4 +1,4 @@ -/* $Id: openbsd-compat.h,v 1.17 2002/09/12 00:33:02 djm Exp $ */ +/* $Id: openbsd-compat.h,v 1.19 2003/02/24 01:55:56 djm Exp $ */ #ifndef _OPENBSD_H #define _OPENBSD_H @@ -6,6 +6,7 @@ #include "config.h" /* OpenBSD function replacements */ +#include "basename.h" #include "bindresvport.h" #include "getcwd.h" #include "realpath.h" @@ -26,6 +27,7 @@ #include "glob.h" #include "readpassphrase.h" #include "getopt.h" +#include "vis.h" /* Home grown routines */ #include "bsd-arc4random.h" diff -ru openssh-3.5p1/openbsd-compat/port-aix.h openssh-3.6p1/openbsd-compat/port-aix.h --- openssh-3.5p1/openbsd-compat/port-aix.h 2002-07-07 12:17:36.000000000 +1000 +++ openssh-3.6p1/openbsd-compat/port-aix.h 2003-02-01 15:43:35.000000000 +1100 @@ -25,5 +25,16 @@ */ #ifdef _AIX + +/* AIX 4.2.x doesn't have nanosleep but does have nsleep which is equivalent */ +#if !defined(HAVE_NANOSLEEP) && defined(HAVE_NSLEEP) +# define nanosleep(a,b) nsleep(a,b) +#endif + +/* For struct timespec on AIX 4.2.x */ +#ifdef HAVE_SYS_TIMERS_H +# include +#endif + void aix_usrinfo(struct passwd *pw); #endif /* _AIX */ diff -ru openssh-3.5p1/openbsd-compat/setenv.c openssh-3.6p1/openbsd-compat/setenv.c --- openssh-3.5p1/openbsd-compat/setenv.c 2002-06-28 04:23:22.000000000 +1000 +++ openssh-3.6p1/openbsd-compat/setenv.c 2003-01-08 11:16:48.000000000 +1100 @@ -35,12 +35,14 @@ #ifndef HAVE_SETENV #if defined(LIBC_SCCS) && !defined(lint) -static char *rcsid = "$OpenBSD: setenv.c,v 1.4 2001/07/09 06:57:45 deraadt Exp $"; +static char *rcsid = "$OpenBSD: setenv.c,v 1.5 2002/12/10 22:44:13 mickey Exp $"; #endif /* LIBC_SCCS and not lint */ #include #include +char *__findenv(const char *name, int *offset); + /* * __findenv -- * Returns pointer to value associated with name, if any, else NULL. 
@@ -92,7 +94,6 @@ static int alloced; /* if allocated space before */ register char *C; int l_value, offset; - char *__findenv(); if (*value == '=') /* no `=' in value */ ++value; diff -ru openssh-3.5p1/openbsd-compat/setproctitle.c openssh-3.6p1/openbsd-compat/setproctitle.c --- openssh-3.5p1/openbsd-compat/setproctitle.c 2002-02-13 16:00:16.000000000 +1100 +++ openssh-3.6p1/openbsd-compat/setproctitle.c 2003-01-20 13:15:11.000000000 +1100 
@@ -1,102 +1,243 @@ /* - * Modified for OpenSSH by Kevin Steves - * October 2000 + * Based on src/backend/utils/misc/pg_status.c from + * PostgreSQL Database Management System + * + * Portions Copyright (c) 1996-2001, The PostgreSQL Global Development Group + * + * Portions Copyright (c) 1994, The Regents of the University of California + * + * Permission to use, copy, modify, and distribute this software and its + * documentation for any purpose, without fee, and without a written agreement + * is hereby granted, provided that the above copyright notice and this + * paragraph and the following two paragraphs appear in all copies. + * + * IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR + * DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING + * LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS + * DOCUMENTATION, EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS + * ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS TO + * PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. */ -/* - * Copyright (c) 1994, 1995 Christopher G. Demetriou - * All rights reserved. +/*-------------------------------------------------------------------- + * ps_status.c + * + * Routines to support changing the ps display of PostgreSQL backends + * to contain some useful information. Mechanism differs wildly across + * platforms. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. 
Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Christopher G. Demetriou - * for the NetBSD Project. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission + * $Header: /var/cvs/openssh/openbsd-compat/setproctitle.c,v 1.5 2003/01/20 02:15:11 djm Exp $ * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * Copyright 2000 by PostgreSQL Global Development Group + * various details abducted from various places + *-------------------------------------------------------------------- */ -#if defined(LIBC_SCCS) && !defined(lint) -static char rcsid[] = "$OpenBSD: setproctitle.c,v 1.8 2001/11/06 19:21:40 art Exp $"; -#endif /* LIBC_SCCS and not lint */ - #include "includes.h" #ifndef HAVE_SETPROCTITLE -#define SPT_NONE 0 -#define SPT_PSTAT 1 +#include +#ifdef HAVE_SYS_PSTAT_H +#include /* for HP-UX */ +#endif +#ifdef HAVE_PS_STRINGS +#include /* for old BSD */ +#include +#endif + +/*------ + * Alternative ways of updating ps display: + * + * SETPROCTITLE_STRATEGY == PS_USE_PSTAT + * use the pstat(PSTAT_SETCMD, ) + * (HPUX) + * SETPROCTITLE_STRATEGY == PS_USE_PS_STRINGS + * assign PS_STRINGS->ps_argvstr = "string" + * (some BSD systems) + * SETPROCTITLE_STRATEGY == PS_USE_CHANGE_ARGV + * assign argv[0] = "string" + * (some other BSD systems) + * SETPROCTITLE_STRATEGY == PS_USE_CLOBBER_ARGV + * write over the argv and environment area + * (most SysV-like systems) + * SETPROCTITLE_STRATEGY == PS_USE_NONE + * don't update ps display + * (This is the default, as it is safest.) 
+ */ + +#define PS_USE_NONE 0 +#define PS_USE_PSTAT 1 +#define PS_USE_PS_STRINGS 2 +#define PS_USE_CHANGE_ARGV 3 +#define PS_USE_CLOBBER_ARGV 4 -#ifndef SPT_TYPE -#define SPT_TYPE SPT_NONE +#ifndef SETPROCTITLE_STRATEGY +# define SETPROCTITLE_STRATEGY PS_USE_NONE #endif -#if SPT_TYPE == SPT_PSTAT -#include -#include -#endif /* SPT_TYPE == SPT_PSTAT */ +#ifndef SETPROCTITLE_PS_PADDING +# define SETPROCTITLE_PS_PADDING ' ' +#endif +#endif /* HAVE_SETPROCTITLE */ -#define MAX_PROCTITLE 2048 +extern char **environ; + +/* + * argv clobbering uses existing argv space, all other methods need a buffer + */ +#if SETPROCTITLE_STRATEGY != PS_USE_CLOBBER_ARGV +static char ps_buffer[256]; +static const size_t ps_buffer_size = sizeof(ps_buffer); +#else +static char *ps_buffer; /* will point to argv area */ +static size_t ps_buffer_size; /* space determined at run time */ +#endif + +/* save the original argv[] location here */ +static int save_argc; +static char **save_argv; extern char *__progname; +#ifndef HAVE_SETPROCTITLE /* - * Set Process Title (SPT) defines. Modeled after sendmail's - * SPT type definition strategy. - * - * SPT_TYPE: - * - * SPT_NONE: Don't set the process title. Default. - * SPT_PSTAT: Use pstat(PSTAT_SETCMD). HP-UX specific. + * Call this to update the ps status display to a fixed prefix plus an + * indication of what you're currently doing passed in the argument. */ - void setproctitle(const char *fmt, ...) 
{ -#if SPT_TYPE != SPT_NONE +#if SETPROCTITLE_STRATEGY == PS_USE_PSTAT + union pstun pst; +#endif +#if SETPROCTITLE_STRATEGY != PS_USE_NONE + ssize_t used; va_list ap; - - char buf[MAX_PROCTITLE]; - size_t used; -#if SPT_TYPE == SPT_PSTAT - union pstun pst; -#endif /* SPT_TYPE == SPT_PSTAT */ + /* no ps display if you didn't call save_ps_display_args() */ + if (save_argv == NULL) + return; +#if SETPROCTITLE_STRATEGY == PS_USE_CLOBBER_ARGV + /* If ps_buffer is a pointer, it might still be null */ + if (ps_buffer == NULL) + return; +#endif /* PS_USE_CLOBBER_ARGV */ + + /* + * Overwrite argv[] to point at appropriate space, if needed + */ +#if SETPROCTITLE_STRATEGY == PS_USE_CHANGE_ARGV + save_argv[0] = ps_buffer; + save_argv[1] = NULL; +#endif /* PS_USE_CHANGE_ARGV */ + +#if SETPROCTITLE_STRATEGY == PS_USE_CLOBBER_ARGV + save_argv[1] = NULL; +#endif /* PS_USE_CLOBBER_ARGV */ + + /* + * Make fixed prefix of ps display. + */ va_start(ap, fmt); - if (fmt != NULL) { - used = snprintf(buf, MAX_PROCTITLE, "%s: ", __progname); - if (used >= MAX_PROCTITLE) - used = MAX_PROCTITLE - 1; - (void)vsnprintf(buf + used, MAX_PROCTITLE - used, fmt, ap); - } else - (void)snprintf(buf, MAX_PROCTITLE, "%s", __progname); + if (fmt == NULL) + snprintf(ps_buffer, ps_buffer_size, "%s", __progname); + else { + used = snprintf(ps_buffer, ps_buffer_size, "%s: ", __progname); + if (used == -1 || used >= ps_buffer_size) + used = ps_buffer_size; + vsnprintf(ps_buffer + used, ps_buffer_size - used, fmt, ap); + } va_end(ap); - used = strlen(buf); -#if SPT_TYPE == SPT_PSTAT - pst.pst_command = buf; - pstat(PSTAT_SETCMD, pst, used, 0, 0); -#endif /* SPT_TYPE == SPT_PSTAT */ +#if SETPROCTITLE_STRATEGY == PS_USE_PSTAT + pst.pst_command = ps_buffer; + pstat(PSTAT_SETCMD, pst, strlen(ps_buffer), 0, 0); +#endif /* PS_USE_PSTAT */ + +#if SETPROCTITLE_STRATEGY == PS_USE_PS_STRINGS + PS_STRINGS->ps_nargvstr = 1; + PS_STRINGS->ps_argvstr = ps_buffer; +#endif /* PS_USE_PS_STRINGS */ + +#if 
SETPROCTITLE_STRATEGY == PS_USE_CLOBBER_ARGV + /* pad unused memory */ + used = strlen(ps_buffer); + memset(ps_buffer + used, SETPROCTITLE_PS_PADDING, + ps_buffer_size - used); +#endif /* PS_USE_CLOBBER_ARGV */ -#endif /* SPT_TYPE != SPT_NONE */ +#endif /* PS_USE_NONE */ } + #endif /* HAVE_SETPROCTITLE */ + +/* + * Call this early in startup to save the original argc/argv values. + * + * argv[] will not be overwritten by this routine, but may be overwritten + * during setproctitle. Also, the physical location of the environment + * strings may be moved, so this should be called before any code that + * might try to hang onto a getenv() result. + */ +void +compat_init_setproctitle(int argc, char *argv[]) +{ +#if SETPROCTITLE_STRATEGY == PS_USE_CLOBBER_ARGV + char *end_of_area = NULL; + char **new_environ; + int i; +#endif + + save_argc = argc; + save_argv = argv; + +#if SETPROCTITLE_STRATEGY == PS_USE_CLOBBER_ARGV + /* + * If we're going to overwrite the argv area, count the available + * space. Also move the environment to make additional room. + */ + + /* + * check for contiguous argv strings + */ + for (i = 0; i < argc; i++) { + if (i == 0 || end_of_area + 1 == argv[i]) + end_of_area = argv[i] + strlen(argv[i]); + } + + /* probably can't happen? 
*/ + if (end_of_area == NULL) { + ps_buffer = NULL; + ps_buffer_size = 0; + return; + } + + /* + * check for contiguous environ strings following argv + */ + for (i = 0; environ[i] != NULL; i++) { + if (end_of_area + 1 == environ[i]) + end_of_area = environ[i] + strlen(environ[i]); + } + + ps_buffer = argv[0]; + ps_buffer_size = end_of_area - argv[0] - 1; + + /* + * Duplicate and move the environment out of the way + */ + new_environ = malloc(sizeof(char *) * (i + 1)); + for (i = 0; environ[i] != NULL; i++) + new_environ[i] = strdup(environ[i]); + new_environ[i] = NULL; + environ = new_environ; +#endif /* PS_USE_CLOBBER_ARGV */ +} + diff -ru openssh-3.5p1/openbsd-compat/setproctitle.h openssh-3.6p1/openbsd-compat/setproctitle.h --- openssh-3.5p1/openbsd-compat/setproctitle.h 2001-02-09 12:55:36.000000000 +1100 +++ openssh-3.6p1/openbsd-compat/setproctitle.h 2003-01-10 09:53:13.000000000 +1100 @@ -1,4 +1,4 @@ -/* $Id: setproctitle.h,v 1.2 2001/02/09 01:55:36 djm Exp $ */ +/* $Id: setproctitle.h,v 1.3 2003/01/09 22:53:13 djm Exp $ */ #ifndef _BSD_SETPROCTITLE_H #define _BSD_SETPROCTITLE_H @@ -7,6 +7,7 @@ #ifndef HAVE_SETPROCTITLE void setproctitle(const char *fmt, ...); +void compat_init_setproctitle(int argc, char *argv[]); #endif #endif /* _BSD_SETPROCTITLE_H */ diff -ru openssh-3.5p1/openbsd-compat/sys-tree.h openssh-3.6p1/openbsd-compat/sys-tree.h --- openssh-3.5p1/openbsd-compat/sys-tree.h 2002-09-12 10:43:33.000000000 +1000 +++ openssh-3.6p1/openbsd-compat/sys-tree.h 2003-01-08 11:16:48.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: tree.h,v 1.6 2002/06/11 22:09:52 provos Exp $ */ +/* $OpenBSD: tree.h,v 1.7 2002/10/17 21:51:54 art Exp $ */ /* * Copyright 2002 Niels Provos * All rights reserved. 
@@ -343,12 +343,13 @@ RB_LEFT(RB_PARENT(elm, field), field) = (tmp); \ else \ RB_RIGHT(RB_PARENT(elm, field), field) = (tmp); \ - RB_AUGMENT(RB_PARENT(elm, field)); \ } else \ (head)->rbh_root = (tmp); \ RB_LEFT(tmp, field) = (elm); \ RB_PARENT(elm, field) = (tmp); \ RB_AUGMENT(tmp); \ + if ((RB_PARENT(tmp, field))) \ + RB_AUGMENT(RB_PARENT(tmp, field)); \ } while (0) #define RB_ROTATE_RIGHT(head, elm, tmp, field) do { \ @@ -362,12 +363,13 @@ RB_LEFT(RB_PARENT(elm, field), field) = (tmp); \ else \ RB_RIGHT(RB_PARENT(elm, field), field) = (tmp); \ - RB_AUGMENT(RB_PARENT(elm, field)); \ } else \ (head)->rbh_root = (tmp); \ RB_RIGHT(tmp, field) = (elm); \ RB_PARENT(elm, field) = (tmp); \ RB_AUGMENT(tmp); \ + if ((RB_PARENT(tmp, field))) \ + RB_AUGMENT(RB_PARENT(tmp, field)); \ } while (0) /* Generates prototypes and inline functions */ Only in openssh-3.6p1/openbsd-compat: vis.c Only in openssh-3.6p1/openbsd-compat: vis.h diff -ru openssh-3.5p1/packet.c openssh-3.6p1/packet.c --- openssh-3.5p1/packet.c 2002-07-08 08:11:51.000000000 +1000 +++ openssh-3.6p1/packet.c 2002-12-23 13:42:53.000000000 +1100 @@ -37,7 +37,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: packet.c,v 1.97 2002/07/04 08:12:15 deraadt Exp $"); +RCSID("$OpenBSD: packet.c,v 1.102 2002/12/10 19:47:14 markus Exp $"); #include "xmalloc.h" #include "buffer.h" @@ -564,7 +564,7 @@ CipherContext *cc; int encrypt; - debug("newkeys: mode %d", mode); + debug2("set_newkeys: mode %d", mode); if (mode == MODE_OUT) { cc = &send_context; @@ -574,7 +574,7 @@ encrypt = CIPHER_DECRYPT; } if (newkeys[mode] != NULL) { - debug("newkeys: rekeying"); + debug("set_newkeys: rekeying"); cipher_cleanup(cc); enc = &newkeys[mode]->enc; mac = &newkeys[mode]->mac; 
@@ -840,7 +840,7 @@ cp = buffer_ptr(&input); len = GET_32BIT(cp); if (len < 1 + 2 + 2 || len > 256 * 1024) - packet_disconnect("Bad packet length %d.", len); + packet_disconnect("Bad packet length %u.", len); padded_len = (len + 8) & ~7; /* Check if the packet has been entirely received. */ @@ -936,9 +936,9 @@ packet_length = GET_32BIT(cp); if (packet_length < 1 + 4 || packet_length > 256 * 1024) { buffer_dump(&incoming_packet); - packet_disconnect("Bad packet length %d.", packet_length); + packet_disconnect("Bad packet length %u.", packet_length); } - DBG(debug("input: packet len %d", packet_length+4)); + DBG(debug("input: packet len %u", packet_length+4)); buffer_consume(&input, block_size); } /* we have a partial packet of block_size bytes */ @@ -1226,6 +1226,9 @@ vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); + /* Display the error locally */ + log("Disconnecting: %.100s", buf); + /* Send the disconnect message to the other side, and wait for it to get sent. */ if (compat20) { packet_start(SSH2_MSG_DISCONNECT); @@ -1245,8 +1248,6 @@ /* Close the connection. */ packet_close(); - /* Display the error locally and exit. */ - log("Disconnecting: %.100s", buf); fatal_cleanup(); } @@ -1313,16 +1314,26 @@ return buffer_len(&output) < 128 * 1024; } +static void +packet_set_tos(int interactive) +{ + int tos = interactive ? IPTOS_LOWDELAY : IPTOS_THROUGHPUT; + + if (!packet_connection_is_on_socket() || + !packet_connection_is_ipv4()) + return; + if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, &tos, + sizeof(tos)) < 0) + error("setsockopt IP_TOS %d: %.100s:", + tos, strerror(errno)); +} + /* Informs that the current session is interactive. Sets IP flags for that. */ void packet_set_interactive(int interactive) { static int called = 0; -#if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN) - int lowdelay = IPTOS_LOWDELAY; - int throughput = IPTOS_THROUGHPUT; -#endif if (called) return; 
@@ -1333,35 +1344,12 @@ /* Only set socket options if using a socket. */ if (!packet_connection_is_on_socket()) - return; - /* - * IPTOS_LOWDELAY and IPTOS_THROUGHPUT are IPv4 only - */ - if (interactive) { - /* - * Set IP options for an interactive connection. Use - * IPTOS_LOWDELAY and TCP_NODELAY. - */ -#if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN) - if (packet_connection_is_ipv4()) { - if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, - &lowdelay, sizeof(lowdelay)) < 0) - error("setsockopt IPTOS_LOWDELAY: %.100s", - strerror(errno)); - } -#endif + if (interactive) set_nodelay(connection_in); - } else if (packet_connection_is_ipv4()) { - /* - * Set IP options for a non-interactive connection. Use - * IPTOS_THROUGHPUT. - */ #if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN) - if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, &throughput, - sizeof(throughput)) < 0) - error("setsockopt IPTOS_THROUGHPUT: %.100s", strerror(errno)); + packet_set_tos(interactive); #endif - } + } /* Returns true if the current connection is interactive. */ Only in openssh-3.6p1: progressmeter.c Only in openssh-3.6p1: progressmeter.h diff -ru openssh-3.5p1/readconf.c openssh-3.6p1/readconf.c --- openssh-3.5p1/readconf.c 2002-07-10 00:06:40.000000000 +1000 +++ openssh-3.6p1/readconf.c 2003-02-24 11:56:27.000000000 +1100 @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.100 2002/06/19 00:27:55 deraadt Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.102 2003/02/05 09:02:28 markus Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -114,6 +114,7 @@ oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, oClearAllForwardings, oNoHostAuthenticationForLocalhost, + oEnableSSHKeysign, oDeprecated } OpCodes; 
@@ -185,6 +186,7 @@ { "bindaddress", oBindAddress }, { "smartcarddevice", oSmartcardDevice }, { "clearallforwardings", oClearAllForwardings }, + { "enablesshkeysign", oEnableSSHKeysign }, { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost }, { NULL, oBadOption } }; @@ -266,14 +268,16 @@ * Processes a single option line as used in the configuration files. This * only sets those values that have not already been set. */ +#define WHITESPACE " \t\r\n" int process_config_line(Options *options, const char *host, char *line, const char *filename, int linenum, int *activep) { - char buf[256], *s, *string, **charptr, *endofnumber, *keyword, *arg; + char buf[256], *s, **charptr, *endofnumber, *keyword, *arg; int opcode, *intptr, value; + size_t len; u_short fwd_port, fwd_host_port; char sfwd_host_port[6]; @@ -486,16 +490,9 @@ case oProxyCommand: charptr = &options->proxy_command; - string = xstrdup(""); - while ((arg = strdelim(&s)) != NULL && *arg != '\0') { - string = xrealloc(string, strlen(string) + strlen(arg) + 2); - strcat(string, " "); - strcat(string, arg); - } + len = strspn(s, WHITESPACE "="); if (*activep && *charptr == NULL) - *charptr = string; - else - xfree(string); + *charptr = xstrdup(s + len); return 0; case oPort: @@ -669,6 +666,10 @@ *intptr = value; break; + case oEnableSSHKeysign: + intptr = &options->enable_ssh_keysign; + goto parse_flag; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); @@ -792,6 +793,7 @@ options->preferred_authentications = NULL; options->bind_address = NULL; options->smartcard_device = NULL; + options->enable_ssh_keysign = - 1; options->no_host_authentication_for_localhost = - 1; } 
@@ -907,6 +909,8 @@ clear_forwardings(options); if (options->no_host_authentication_for_localhost == - 1) options->no_host_authentication_for_localhost = 0; + if (options->enable_ssh_keysign == -1) + options->enable_ssh_keysign = 0; /* options->proxy_command should not be set by default */ /* options->user will be set in the main program if appropriate */ /* options->hostname will be set in the main program if appropriate */ diff -ru openssh-3.5p1/readconf.h openssh-3.6p1/readconf.h --- openssh-3.5p1/readconf.h 2002-06-10 06:04:03.000000000 +1000 +++ openssh-3.6p1/readconf.h 2002-11-10 02:52:33.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.43 2002/06/08 05:17:01 markus Exp $ */ +/* $OpenBSD: readconf.h,v 1.44 2002/11/07 22:08:07 markus Exp $ */ /* * Author: Tatu Ylonen @@ -99,6 +99,8 @@ int num_remote_forwards; Forward remote_forwards[SSH_MAX_FORWARDS_PER_DIRECTION]; int clear_forwardings; + + int enable_ssh_keysign; int no_host_authentication_for_localhost; } Options; diff -ru openssh-3.5p1/readpass.c openssh-3.6p1/readpass.c --- openssh-3.5p1/readpass.c 2002-03-28 04:28:47.000000000 +1100 +++ openssh-3.6p1/readpass.c 2003-01-24 11:36:23.000000000 +1100 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readpass.c,v 1.27 2002/03/26 15:58:46 markus Exp $"); +RCSID("$OpenBSD: readpass.c,v 1.28 2003/01/23 13:50:27 markus Exp $"); #include "xmalloc.h" #include "readpass.h" @@ -46,11 +46,11 @@ fatal("internal error: askpass undefined"); if (pipe(p) < 0) { error("ssh_askpass: pipe: %s", strerror(errno)); - return xstrdup(""); + return NULL; } if ((pid = fork()) < 0) { error("ssh_askpass: fork: %s", strerror(errno)); - return xstrdup(""); + return NULL; } if (pid == 0) { seteuid(getuid()); @@ -79,6 +79,11 @@ if (errno != EINTR) break; + if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) { + memset(buf, 0, sizeof(buf)); + return NULL; + } + buf[strcspn(buf, "\r\n")] = '\0'; pass = xstrdup(buf); memset(buf, 0, sizeof(buf)); 
@@ -115,7 +120,10 @@ askpass = getenv(SSH_ASKPASS_ENV); else askpass = _PATH_SSH_ASKPASS_DEFAULT; - return ssh_askpass(askpass, prompt); + if ((ret = ssh_askpass(askpass, prompt)) == NULL) + if (!(flags & RP_ALLOW_EOF)) + return xstrdup(""); + return ret; } if (readpassphrase(prompt, buf, sizeof buf, rppflags) == NULL) { diff -ru openssh-3.5p1/regress/Makefile openssh-3.6p1/regress/Makefile --- openssh-3.5p1/regress/Makefile 2002-05-01 13:17:34.000000000 +1000 +++ openssh-3.6p1/regress/Makefile 2003-01-22 17:53:17.000000000 +1100 @@ -1,8 +1,8 @@ -# $OpenBSD: Makefile,v 1.13 2002/04/01 22:15:08 markus Exp $ +# $OpenBSD: Makefile,v 1.20 2003/01/08 23:54:22 djm Exp $ -REGRESSTARGETS= t1 t2 t3 t4 t5 t6 t7 +REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 -CLEANFILES+= t2.out t6.out1 t6.out2 t7.out t7.out.pub +CLEANFILES+= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 LTESTS= connect \ proxy-connect \ @@ -17,8 +17,14 @@ try-ciphers \ yes-head \ agent \ + agent-getpeereid \ + agent-timeout \ + agent-ptrace \ keyscan \ + keygen-change \ sftp \ + sftp-cmds \ + sftp-batch \ forwarding USER!= id -un @@ -65,7 +71,7 @@ ssh-keygen -Bf t7.out > /dev/null .for t in ${LTESTS} -REGRESSTARGETS+=t-${t} +REGRESS_TARGETS+=t-${t} t-${t}: sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/${t}.sh .endfor Only in openssh-3.6p1/regress: agent-getpeereid.sh Only in openssh-3.6p1/regress: agent-ptrace.sh Only in openssh-3.6p1/regress: agent-timeout.sh Only in openssh-3.6p1/regress: keygen-change.sh diff -ru openssh-3.5p1/regress/proxy-connect.sh openssh-3.6p1/regress/proxy-connect.sh --- openssh-3.5p1/regress/proxy-connect.sh 2002-05-01 13:17:34.000000000 +1000 +++ openssh-3.6p1/regress/proxy-connect.sh 2003-01-22 17:53:17.000000000 +1100 @@ -1,4 +1,4 @@ -# $OpenBSD: proxy-connect.sh,v 1.4 2002/03/15 13:08:56 markus Exp $ +# $OpenBSD: proxy-connect.sh,v 1.5 2002/12/09 15:28:46 markus Exp $ # Placed in the Public Domain. tid="proxy connect" 
@@ -8,4 +8,11 @@ if [ $? -ne 0 ]; then fail "ssh proxyconnect protocol $p failed" fi + SSH_CONNECTION=`${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 'echo $SSH_CONNECTION'` + if [ $? -ne 0 ]; then + fail "ssh proxyconnect protocol $p failed" + fi + if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then + fail "bad SSH_CONNECTION" + fi done Only in openssh-3.6p1/regress: sftp-batch.sh Only in openssh-3.6p1/regress: sftp-cmds.sh diff -ru openssh-3.5p1/regress/ssh-com-client.sh openssh-3.6p1/regress/ssh-com-client.sh --- openssh-3.5p1/regress/ssh-com-client.sh 2002-05-01 13:17:35.000000000 +1000 +++ openssh-3.6p1/regress/ssh-com-client.sh 2003-01-22 17:53:17.000000000 +1100 @@ -1,4 +1,4 @@ -# $OpenBSD: ssh-com-client.sh,v 1.3 2002/04/10 08:45:30 markus Exp $ +# $OpenBSD: ssh-com-client.sh,v 1.4 2002/07/16 08:58:16 markus Exp $ # Placed in the Public Domain. tid="connect with ssh.com client" @@ -15,7 +15,9 @@ 2.3.1 2.4.0 3.0.0 - 3.1.0" + 3.1.0 + 3.2.0 + 3.3.0" # 2.0.10 2.0.12 2.0.13 don't like the test setup diff -ru openssh-3.5p1/regress/ssh-com-keygen.sh openssh-3.6p1/regress/ssh-com-keygen.sh --- openssh-3.5p1/regress/ssh-com-keygen.sh 2002-05-01 13:17:35.000000000 +1000 +++ openssh-3.6p1/regress/ssh-com-keygen.sh 2003-01-22 17:53:17.000000000 +1100 @@ -1,4 +1,4 @@ -# $OpenBSD: ssh-com-keygen.sh,v 1.1 2002/03/27 22:40:27 markus Exp $ +# $OpenBSD: ssh-com-keygen.sh,v 1.2 2002/07/16 08:58:16 markus Exp $ # Placed in the Public Domain. tid="ssh.com key import" @@ -18,7 +18,9 @@ 2.3.1 2.4.0 3.0.0 - 3.1.0" + 3.1.0 + 3.2.0 + 3.3.0" COMPRV=${OBJ}/comkey COMPUB=${COMPRV}.pub diff -ru openssh-3.5p1/regress/ssh-com-sftp.sh openssh-3.6p1/regress/ssh-com-sftp.sh --- openssh-3.5p1/regress/ssh-com-sftp.sh 2002-05-01 13:17:35.000000000 +1000 +++ openssh-3.6p1/regress/ssh-com-sftp.sh 2003-01-22 17:53:17.000000000 +1100 
@@ -1,4 +1,4 @@ -# $OpenBSD: ssh-com-sftp.sh,v 1.2 2002/04/10 08:45:30 markus Exp $ +# $OpenBSD: ssh-com-sftp.sh,v 1.3 2002/07/16 08:58:16 markus Exp $ # Placed in the Public Domain. tid="basic sftp put/get with ssh.com server" @@ -24,7 +24,9 @@ 2.3.1 2.4.0 3.0.0 - 3.1.0" + 3.1.0 + 3.2.0 + 3.3.0" # go for it for v in ${VERSIONS}; do diff -ru openssh-3.5p1/regress/ssh-com.sh openssh-3.6p1/regress/ssh-com.sh --- openssh-3.5p1/regress/ssh-com.sh 2002-05-01 13:17:35.000000000 +1000 +++ openssh-3.6p1/regress/ssh-com.sh 2003-01-22 17:53:17.000000000 +1100 @@ -1,4 +1,4 @@ -# $OpenBSD: ssh-com.sh,v 1.3 2002/03/15 13:08:56 markus Exp $ +# $OpenBSD: ssh-com.sh,v 1.4 2002/07/16 08:58:16 markus Exp $ # Placed in the Public Domain. tid="connect to ssh.com server" @@ -14,17 +14,19 @@ 2.1.0 2.2.0 2.3.0 - 2.3.1 2.4.0 3.0.0 - 3.1.0" + 3.1.0 + 3.2.0 + 3.3.0" # 2.0.10 does not support UserConfigDirectory +# 2.3.1 requires a config in $HOME/.ssh2 SRC=`dirname ${SCRIPT}` # ssh.com cat << EOF > $OBJ/sshd2_config -*: +#*: # Port and ListenAdress are not used. QuietMode yes Port 4343 diff -ru openssh-3.5p1/scp.0 openssh-3.6p1/scp.0 --- openssh-3.5p1/scp.0 2002-10-04 11:31:43.000000000 +1000 +++ openssh-3.6p1/scp.0 2003-03-26 16:12:37.000000000 +1100 
@@ -1,17 +1,17 @@ -SCP(1) System General Commands Manual SCP(1) +SCP(1) BSD General Commands Manual SCP(1) -NAME - scp - secure copy (remote file copy program) +^[[1mNAME^[[0m + ^[[1mscp ^[[22mM-bMM-^R secure copy (remote file copy program) -SYNOPSIS - scp [-pqrvBC46] [-F ssh_config] [-S program] [-P port] [-c cipher] - [-i identity_file] [-o ssh_option] [[user@]host1:]file1 [...] - [[user@]host2:]file2 +^[[1mSYNOPSIS^[[0m + ^[[1mscp ^[[22m[^[[1mM-bMM-^RpqrvBC1246^[[22m] [^[[1mM-bMM-^RF ^[[4m^[[22mssh_config^[[24m] [^[[1mM-bMM-^RS ^[[4m^[[22mprogram^[[24m] [^[[1mM-bMM-^RP ^[[4m^[[22mport^[[24m] [^[[1mM-bMM-^Rc ^[[4m^[[22mcipher^[[24m] + [^[[1mM-bMM-^Ri ^[[4m^[[22midentity_file^[[24m] [^[[1mM-bMM-^Rl ^[[4m^[[22mlimit^[[24m] [^[[1mM-bMM-^Ro ^[[4m^[[22mssh_option^[[24m] [[^[[4muser@^[[24m]^[[4mhost1^[[24m:]^[[4mfile1^[[0m + [^[[4m...^[[24m] [[^[[4muser@^[[24m]^[[4mhost2^[[24m:]^[[4mfile2^[[0m -DESCRIPTION - scp copies files between hosts on a network. It uses ssh(1) for data +^[[1mDESCRIPTION^[[0m + ^[[1mscp ^[[22mcopies files between hosts on a network. It uses ssh(1) for data transfer, and uses the same authentication and provides the same security - as ssh(1). Unlike rcp(1), scp will ask for passwords or passphrases if + as ssh(1). Unlike rcp(1), ^[[1mscp ^[[22mwill ask for passwords or passphrases if they are needed for authentication. Any file name may contain a host and user specification to indicate that 
@@ -20,69 +20,74 @@ The options are as follows: - -c cipher + ^[[1mM-bMM-^Rc ^[[4m^[[22mcipher^[[0m Selects the cipher to use for encrypting the data transfer. This option is directly passed to ssh(1). - -i identity_file + ^[[1mM-bMM-^Ri ^[[4m^[[22midentity_file^[[0m Selects the file from which the identity (private key) for RSA authentication is read. This option is directly passed to ssh(1). - -p Preserves modification times, access times, and modes from the + ^[[1mM-bMM-^Rl ^[[4m^[[22mlimit^[[0m + Limits the used bandwidth, specified in Kbit/s. + + ^[[1mM-bMM-^Rp ^[[22mPreserves modification times, access times, and modes from the original file. - -r Recursively copy entire directories. + ^[[1mM-bMM-^Rr ^[[22mRecursively copy entire directories. - -v Verbose mode. Causes scp and ssh(1) to print debugging messages + ^[[1mM-bMM-^Rv ^[[22mVerbose mode. Causes ^[[1mscp ^[[22mand ssh(1) to print debugging messages about their progress. This is helpful in debugging connection, authentication, and configuration problems. - -B Selects batch mode (prevents asking for passwords or + ^[[1mM-bMM-^RB ^[[22mSelects batch mode (prevents asking for passwords or passphrases). - -q Disables the progress meter. + ^[[1mM-bMM-^Rq ^[[22mDisables the progress meter. - -C Compression enable. Passes the -C flag to ssh(1) to enable comM-- + ^[[1mM-bMM-^RC ^[[22mCompression enable. Passes the ^[[1mM-bMM-^RC ^[[22mflag to ssh(1) to enable comM-bM-^@M-^P pression. - -F ssh_config - Specifies an alternative per-user configuration file for ssh. + ^[[1mM-bMM-^RF ^[[4m^[[22mssh_config^[[0m + Specifies an alternative perM-bM-^@M-^Puser configuration file for ^[[1mssh^[[22m. This option is directly passed to ssh(1). - -P port + ^[[1mM-bMM-^RP ^[[4m^[[22mport^[[0m Specifies the port to connect to on the remote host. 
Note that - this option is written with a capital `P', because -p is already + this option is written with a capital M-bM-^@M-^XPM-bM-^@M-^Y, because ^[[1mM-bMM-^Rp ^[[22mis already reserved for preserving the times and modes of the file in rcp(1). - -S program - Name of program to use for the encrypted connection. The program + ^[[1mM-bMM-^RS ^[[4m^[[22mprogram^[[0m + Name of ^[[4mprogram^[[24m to use for the encrypted connection. The program must understand ssh(1) options. - -o ssh_option - Can be used to pass options to ssh in the format used in + ^[[1mM-bMM-^Ro ^[[4m^[[22mssh_option^[[0m + Can be used to pass options to ^[[1mssh ^[[22min the format used in ssh_config(5). This is useful for specifying options for which - there is no separate scp command-line flag. For example, forcing - the use of protocol version 1 is specified using scp - -oProtocol=1. + there is no separate ^[[1mscp ^[[22mcommandM-bM-^@M-^Pline flag. + + ^[[1mM-bMM-^R1 ^[[22mForces ^[[1mscp ^[[22mto use protocol 1. + + ^[[1mM-bMM-^R2 ^[[22mForces ^[[1mscp ^[[22mto use protocol 2. - -4 Forces scp to use IPv4 addresses only. + ^[[1mM-bMM-^R4 ^[[22mForces ^[[1mscp ^[[22mto use IPv4 addresses only. - -6 Forces scp to use IPv6 addresses only. + ^[[1mM-bMM-^R6 ^[[22mForces ^[[1mscp ^[[22mto use IPv6 addresses only. -DIAGNOSTICS - scp exits with 0 on success or >0 if an error occurred. +^[[1mDIAGNOSTICS^[[0m + ^[[1mscp ^[[22mexits with 0 on success or >0 if an error occurred. -AUTHORS +^[[1mAUTHORS^[[0m Timo Rinne and Tatu Ylonen -HISTORY - scp is based on the rcp(1) program in BSD source code from the Regents of +^[[1mHISTORY^[[0m + ^[[1mscp ^[[22mis based on the rcp(1) program in BSD source code from the Regents of the University of California. 
-SEE ALSO - rcp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), +^[[1mSEE ALSO^[[0m + rcp(1), sftp(1), ssh(1), sshM-bM-^@M-^Padd(1), sshM-bM-^@M-^Pagent(1), sshM-bM-^@M-^Pkeygen(1), ssh_config(5), sshd(8) BSD September 25, 1999 BSD diff -ru openssh-3.5p1/scp.1 openssh-3.6p1/scp.1 --- openssh-3.5p1/scp.1 2002-06-23 10:34:37.000000000 +1000 +++ openssh-3.6p1/scp.1 2003-02-24 11:51:33.000000000 +1100 @@ -9,7 +9,7 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.23 2002/06/22 16:41:57 stevesk Exp $ +.\" $OpenBSD: scp.1,v 1.26 2003/01/28 17:24:51 stevesk Exp $ .\" .Dd September 25, 1999 .Dt SCP 1 @@ -19,12 +19,13 @@ .Nd secure copy (remote file copy program) .Sh SYNOPSIS .Nm scp -.Op Fl pqrvBC46 +.Op Fl pqrvBC1246 .Op Fl F Ar ssh_config .Op Fl S Ar program .Op Fl P Ar port .Op Fl c Ar cipher .Op Fl i Ar identity_file +.Op Fl l Ar limit .Op Fl o Ar ssh_option .Sm off .Oo @@ -68,6 +69,8 @@ authentication is read. This option is directly passed to .Xr ssh 1 . +.It Fl l Ar limit +Limits the used bandwidth, specified in Kbit/s. .It Fl p Preserves modification times, access times, and modes from the original file. @@ -122,9 +125,15 @@ This is useful for specifying options for which there is no separate .Nm scp -command-line flag. For example, forcing the use of protocol -version 1 is specified using -.Ic scp -oProtocol=1 . +command-line flag. +.It Fl 1 +Forces +.Nm +to use protocol 1. +.It Fl 2 +Forces +.Nm +to use protocol 2. .It Fl 4 Forces .Nm diff -ru openssh-3.5p1/scp.c openssh-3.6p1/scp.c --- openssh-3.5p1/scp.c 2002-06-21 10:41:52.000000000 +1000 +++ openssh-3.6p1/scp.c 2003-03-21 11:54:04.000000000 +1100 
@@ -75,13 +75,14 @@ */ #include "includes.h" -RCSID("$OpenBSD: scp.c,v 1.91 2002/06/19 00:27:55 deraadt Exp $"); +RCSID("$OpenBSD: scp.c,v 1.102 2003/03/05 22:33:43 markus Exp $"); #include "xmalloc.h" #include "atomicio.h" #include "pathnames.h" #include "log.h" #include "misc.h" +#include "progressmeter.h" #ifdef HAVE___PROGNAME extern char *__progname; @@ -89,29 +90,13 @@ char *__progname; #endif -/* For progressmeter() -- number of seconds before xfer considered "stalled" */ -#define STALLTIME 5 -/* alarm() interval for updating progress meter */ -#define PROGRESSTIME 1 - -/* Visual statistics about files as they are transferred. */ -void progressmeter(int); - -/* Returns width of the terminal (for progress meter calculations). */ -int getttywidth(void); -int do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc); +void bwlimit(int); /* Struct for addargs */ arglist args; -/* Time a transfer started. */ -static struct timeval start; - -/* Number of bytes of current file transferred so far. */ -volatile off_t statbytes; - -/* Total size of current file. */ -off_t totalbytes = 0; +/* Bandwidth limit */ +off_t limitbw = 0; /* Name of current file being transferred. */ char *curfile; @@ -125,6 +110,9 @@ /* This is the program to execute for the secured connection. ("ssh" or -S) */ char *ssh_program = _PATH_SSH_PROGRAM; +/* This is used to store the pid of ssh_program */ +pid_t do_cmd_pid; + /* * This function executes the given command as the specified user on the * given host. This returns < 0 if execution fails, and >= 0 otherwise. This @@ -159,7 +147,8 @@ close(reserved[1]); /* For a child to execute the command on the remote host using ssh. */ - if (fork() == 0) { + do_cmd_pid = fork(); + if (do_cmd_pid == 0) { /* Child. */ close(pin[1]); close(pout[0]); 
@@ -177,6 +166,8 @@ execvp(ssh_program, args.list); perror(ssh_program); exit(1); + } else if (do_cmd_pid == -1) { + fatal("fork: %s", strerror(errno)); } /* Parent. Close the other side, and return the local side. */ close(pin[0]); @@ -219,8 +210,9 @@ int argc; char *argv[]; { - int ch, fflag, tflag; - char *targ; + int ch, fflag, tflag, status; + double speed; + char *targ, *endp; extern char *optarg; extern int optind; @@ -233,9 +225,11 @@ addargs(&args, "-oClearAllForwardings yes"); fflag = tflag = 0; - while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:o:F:")) != -1) + while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q1246S:o:F:")) != -1) switch (ch) { /* User-visible flags. */ + case '1': + case '2': case '4': case '6': case 'C': @@ -253,6 +247,12 @@ case 'B': addargs(&args, "-oBatchmode yes"); break; + case 'l': + speed = strtod(optarg, &endp); + if (speed <= 0 || *endp != '\0') + usage(); + limitbw = speed * 1024; + break; case 'p': pflag = 1; break; @@ -317,6 +317,7 @@ targetshouldbedirectory = 1; remin = remout = -1; + do_cmd_pid = -1; /* Command to be executed on remote system using "ssh". */ (void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s", verbose_mode ? " -v" : "", @@ -332,6 +333,22 @@ if (targetshouldbedirectory) verifydir(argv[argc - 1]); } + /* + * Finally check the exit status of the ssh process, if one was forked + * and no error has occured yet + */ + if (do_cmd_pid != -1 && errs == 0) { + if (remin != -1) + (void) close(remin); + if (remout != -1) + (void) close(remout); + if (waitpid(do_cmd_pid, &status, 0) == -1) + errs = 1; + else { + if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) + errs = 1; + } + } exit(errs != 0); } @@ -347,14 +364,12 @@ if (*targ == 0) targ = "."; - if ((thost = strchr(argv[argc - 1], '@'))) { + if ((thost = strrchr(argv[argc - 1], '@'))) { /* user@host */ *thost++ = 0; tuser = argv[argc - 1]; if (*tuser == '\0') tuser = NULL; - else if (!okname(tuser)) - exit(1); } else { thost = argv[argc - 1]; tuser = NULL; 
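Review bot: In scp.c, hunk @@ -253,6 +247,12 @@, the -l argument is validated only with speed <= 0 and *endp != '\0', so where strtod() accepts "nan" (which fails neither test), "inf" or a very large number, the value reaches limitbw = speed * 1024 and the conversion from double to off_t is out of range. Suggest rejecting non-finite values and anything above a sane ceiling before the multiplication, and stating the units (Kbit/s on the command line, bit/s stored) in the comment on limitbw.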
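Review bot: In scp.c, hunk @@ -347,14 +364,12 @@, the okname(tuser) check is dropped at the point where the target argument is parsed, and it reappears in hunk @@ -380,8 +395,14 @@ only next to the snprintf() that builds the command string, so any other use of tuser in this function is now unchecked. Together with the switch from strchr() to strrchr(), which lets the user part contain '@', this needs a comment saying which consumers of tuser still require validation and why the rest do not.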
@@ -368,7 +383,7 @@ *src++ = 0; if (*src == 0) src = "."; - host = strchr(argv[i], '@'); + host = strrchr(argv[i], '@'); len = strlen(ssh_program) + strlen(argv[i]) + strlen(src) + (tuser ? strlen(tuser) : 0) + strlen(thost) + strlen(targ) + @@ -380,8 +395,14 @@ suser = argv[i]; if (*suser == '\0') suser = pwd->pw_name; - else if (!okname(suser)) + else if (!okname(suser)) { + xfree(bp); + continue; + } + if (tuser && !okname(tuser)) { + xfree(bp); continue; + } snprintf(bp, len, "%s%s %s -n " "-l %s %s %s %s '%s%s%s:%s'", @@ -447,7 +468,7 @@ *src++ = 0; if (*src == 0) src = "."; - if ((host = strchr(argv[i], '@')) == NULL) { + if ((host = strrchr(argv[i], '@')) == NULL) { host = argv[i]; suser = NULL; } else { @@ -455,8 +476,6 @@ suser = argv[i]; if (*suser == '\0') suser = pwd->pw_name; - else if (!okname(suser)) - continue; } host = cleanhostname(host); len = strlen(src) + CMDNEEDS + 20; @@ -482,7 +501,7 @@ struct stat stb; static BUF buffer; BUF *bp; - off_t i, amt, result; + off_t i, amt, result, statbytes; int fd, haderr, indx; char *last, *name, buf[2048]; int len; @@ -547,7 +566,6 @@ #endif if (verbose_mode) { fprintf(stderr, "Sending file modes: %s", buf); - fflush(stderr); } (void) atomicio(write, remout, buf, strlen(buf)); if (response() < 0) @@ -556,10 +574,8 @@ next: (void) close(fd); continue; } - if (showprogress) { - totalbytes = stb.st_size; - progressmeter(-1); - } + if (showprogress) + start_progress_meter(curfile, stb.st_size, &statbytes); /* Keep writing after an error so that we stay sync'd up. */ for (haderr = i = 0; i < stb.st_size; i += bp->cnt) { amt = bp->cnt; @@ -578,9 +594,11 @@ haderr = result >= 0 ? EIO : errno; statbytes += result; } + if (limitbw) + bwlimit(amt); } if (showprogress) - progressmeter(1); + stop_progress_meter(); if (close(fd) < 0 && !haderr) haderr = errno; 
@@ -648,6 +666,60 @@ } void +bwlimit(int amount) +{ + static struct timeval bwstart, bwend; + static int lamt, thresh = 16384; + u_int64_t wait; + struct timespec ts, rm; + + if (!timerisset(&bwstart)) { + gettimeofday(&bwstart, NULL); + return; + } + + lamt += amount; + if (lamt < thresh) + return; + + gettimeofday(&bwend, NULL); + timersub(&bwend, &bwstart, &bwend); + if (!timerisset(&bwend)) + return; + + lamt *= 8; + wait = (double)1000000L * lamt / limitbw; + + bwstart.tv_sec = wait / 1000000L; + bwstart.tv_usec = wait % 1000000L; + + if (timercmp(&bwstart, &bwend, >)) { + timersub(&bwstart, &bwend, &bwend); + + /* Adjust the wait time */ + if (bwend.tv_sec) { + thresh /= 2; + if (thresh < 2048) + thresh = 2048; + } else if (bwend.tv_usec < 100) { + thresh *= 2; + if (thresh > 32768) + thresh = 32768; + } + + TIMEVAL_TO_TIMESPEC(&bwend, &ts); + while (nanosleep(&ts, &rm) == -1) { + if (errno != EINTR) + break; + ts = rm; + } + } + + lamt = 0; + gettimeofday(&bwstart, NULL); +} + +void sink(argc, argv) int argc; char *argv[]; @@ -660,7 +732,7 @@ BUF *bp; off_t i, j; int amt, count, exists, first, mask, mode, ofd, omode; - off_t size; + off_t size, statbytes; int setimes, targisdir, wrerrno = 0; char ch, *cp, *np, *targ, *why, *vect[1], buf[2048]; struct timeval tv[2]; @@ -822,11 +894,9 @@ cp = bp->buf; wrerr = NO; - if (showprogress) { - totalbytes = size; - progressmeter(-1); - } statbytes = 0; + if (showprogress) + start_progress_meter(curfile, size, &statbytes); for (count = i = 0; i < size; i += 4096) { amt = 4096; if (i + amt > size) @@ -846,6 +916,10 @@ cp += j; statbytes += j; } while (amt > 0); + + if (limitbw) + bwlimit(4096); + if (count == bp->cnt) { /* Keep reading so we stay sync'd up. */ if (wrerr == NO) { 
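Review bot: In scp.c, hunk @@ -648,6 +666,60 @@, bwlimit() has no comment describing its contract: amount is in bytes while limitbw is in bits per second (hence lamt *= 8), the first call only stamps bwstart and returns without counting amount, and bwstart, lamt and thresh are static, so they carry over from one file to the next. A short header comment covering these points, plus the reason thresh is clamped to 2048..32768, would make the function reviewable on its own.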
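Review bot: In scp.c, hunk @@ -846,6 +916,10 @@, bwlimit(4096) charges a full 4096 bytes on every iteration even though the context in hunk @@ -822,11 +894,9 @@ shows amt being reduced when i + amt > size, so the final short block of each received file is over-counted; the sending side in hunk @@ -578,9 +594,11 @@ passes the real amt. Suggest saving the block length before the do/while loop consumes amt and passing that value instead of the constant.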
@@ -860,13 +934,13 @@ } } if (showprogress) - progressmeter(1); + stop_progress_meter(); if (count != 0 && wrerr == NO && (j = atomicio(write, ofd, bp->buf, count)) != count) { wrerr = YES; wrerrno = j >= 0 ? EIO : errno; } - if (ftruncate(ofd, size)) { + if (wrerr == NO && ftruncate(ofd, size) != 0) { run_err("%s: truncate: %s", np, strerror(errno)); wrerr = DISPLAYED; } @@ -955,8 +1029,8 @@ usage(void) { (void) fprintf(stderr, - "usage: scp [-pqrvBC46] [-F config] [-S program] [-P port]\n" - " [-c cipher] [-i identity] [-o option]\n" + "usage: scp [-pqrvBC1246] [-F config] [-S program] [-P port]\n" + " [-c cipher] [-i identity] [-l limit] [-o option]\n" " [[user@]host1:]file1 [...] [[user@]host2:]file2\n"); exit(1); } @@ -1013,9 +1087,18 @@ c = (int)*cp; if (c & 0200) goto bad; - if (!isalpha(c) && !isdigit(c) && - c != '_' && c != '-' && c != '.' && c != '+') - goto bad; + if (!isalpha(c) && !isdigit(c)) { + switch (c) { + case '\'': + case '"': + case '`': + case ' ': + case '#': + goto bad; + default: + break; + } + } } while (*++cp); return (1); @@ -1036,11 +1119,9 @@ run_err("fstat: %s", strerror(errno)); return (0); } - if (stb.st_blksize == 0) + size = roundup(stb.st_blksize, blksize); + if (size == 0) size = blksize; - else - size = blksize + (stb.st_blksize - blksize % stb.st_blksize) % - stb.st_blksize; #else /* HAVE_STRUCT_STAT_ST_BLKSIZE */ size = blksize; #endif /* HAVE_STRUCT_STAT_ST_BLKSIZE */ 
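Review bot: In scp.c, hunk @@ -1013,9 +1087,18 @@ (which appears to be the per-character loop of okname()), the allow-list of alphanumerics plus '_', '-', '.' and '+' is replaced by a deny-list of five characters, so every other character below 0200, control characters and shell metacharacters included, is now accepted. The user name is still interpolated into the command string built by snprintf() in hunk @@ -380,8 +395,14 @@, so I would rather extend the allow-list with the specific characters that motivated this change, or add a comment justifying why these five are sufficient for every place the name ends up.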
@@ -1066,149 +1147,3 @@ else exit(1); } - -static void -updateprogressmeter(int ignore) -{ - int save_errno = errno; - - progressmeter(0); - signal(SIGALRM, updateprogressmeter); - alarm(PROGRESSTIME); - errno = save_errno; -} - -static int -foregroundproc(void) -{ - static pid_t pgrp = -1; - int ctty_pgrp; - - if (pgrp == -1) - pgrp = getpgrp(); - -#ifdef HAVE_TCGETPGRP - return ((ctty_pgrp = tcgetpgrp(STDOUT_FILENO)) != -1 && - ctty_pgrp == pgrp); -#else - return ((ioctl(STDOUT_FILENO, TIOCGPGRP, &ctty_pgrp) != -1 && - ctty_pgrp == pgrp)); -#endif -} - -void -progressmeter(int flag) -{ - static const char prefixes[] = " KMGTP"; - static struct timeval lastupdate; - static off_t lastsize; - struct timeval now, td, wait; - off_t cursize, abbrevsize; - double elapsed; - int ratio, barlength, i, remaining; - char buf[512]; - - if (flag == -1) { - (void) gettimeofday(&start, (struct timezone *) 0); - lastupdate = start; - lastsize = 0; - } - if (foregroundproc() == 0) - return; - - (void) gettimeofday(&now, (struct timezone *) 0); - cursize = statbytes; - if (totalbytes != 0) { - ratio = 100.0 * cursize / totalbytes; - ratio = MAX(ratio, 0); - ratio = MIN(ratio, 100); - } else - ratio = 100; - - snprintf(buf, sizeof(buf), "\r%-20.20s %3d%% ", curfile, ratio); - - barlength = getttywidth() - 51; - if (barlength > 0) { - i = barlength * ratio / 100; - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - "|%.*s%*s|", i, - "*******************************************************" - "*******************************************************" - "*******************************************************" - "*******************************************************" - "*******************************************************" - "*******************************************************" - "*******************************************************", - barlength - i, ""); - } - i = 0; - abbrevsize = cursize; - while (abbrevsize >= 100000 && i < sizeof(prefixes)) { - i++; - abbrevsize 
>>= 10; - } - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5lu %c%c ", - (unsigned long) abbrevsize, prefixes[i], - prefixes[i] == ' ' ? ' ' : 'B'); - - timersub(&now, &lastupdate, &wait); - if (cursize > lastsize) { - lastupdate = now; - lastsize = cursize; - if (wait.tv_sec >= STALLTIME) { - start.tv_sec += wait.tv_sec; - start.tv_usec += wait.tv_usec; - } - wait.tv_sec = 0; - } - timersub(&now, &start, &td); - elapsed = td.tv_sec + (td.tv_usec / 1000000.0); - - if (flag != 1 && - (statbytes <= 0 || elapsed <= 0.0 || cursize > totalbytes)) { - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - " --:-- ETA"); - } else if (wait.tv_sec >= STALLTIME) { - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - " - stalled -"); - } else { - if (flag != 1) - remaining = (int)(totalbytes / (statbytes / elapsed) - - elapsed); - else - remaining = elapsed; - - i = remaining / 3600; - if (i) - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - "%2d:", i); - else - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - " "); - i = remaining % 3600; - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - "%02d:%02d%s", i / 60, i % 60, - (flag != 1) ? " ETA" : " "); - } - atomicio(write, fileno(stdout), buf, strlen(buf)); - - if (flag == -1) { - mysignal(SIGALRM, updateprogressmeter); - alarm(PROGRESSTIME); - } else if (flag == 1) { - alarm(0); - atomicio(write, fileno(stdout), "\n", 1); - statbytes = 0; - } -} - -int -getttywidth(void) -{ - struct winsize winsize; - - if (ioctl(fileno(stdout), TIOCGWINSZ, &winsize) != -1) - return (winsize.ws_col ? winsize.ws_col : 80); - else - return (80); -} diff -ru openssh-3.5p1/servconf.c openssh-3.6p1/servconf.c --- openssh-3.5p1/servconf.c 2002-09-05 14:35:15.000000000 +1000 +++ openssh-3.6p1/servconf.c 2003-02-24 12:04:34.000000000 +1100 
@@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.115 2002/09/04 18:52:42 stevesk Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.116 2003/02/21 09:05:53 markus Exp $"); #if defined(KRB4) #include @@ -935,6 +935,7 @@ char line[1024]; FILE *f; + debug2("read_server_config: filename %s", filename); f = fopen(filename, "r"); if (!f) { perror(filename); diff -ru openssh-3.5p1/session.c openssh-3.6p1/session.c --- openssh-3.5p1/session.c 2002-09-26 10:38:50.000000000 +1000 +++ openssh-3.6p1/session.c 2003-03-21 12:15:18.000000000 +1100 @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.150 2002/09/16 19:55:33 stevesk Exp $"); +RCSID("$OpenBSD: session.c,v 1.154 2003/03/05 22:33:43 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -201,6 +201,8 @@ void do_authenticated(Authctxt *authctxt) { + setproctitle("%s", authctxt->pw->pw_name); + /* * Cancel the alarm we set to limit the time taken for * authentication. @@ -689,7 +691,7 @@ record_utmp_only(pid, s->tty, s->pw->pw_name, get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping), - (struct sockaddr *)&from); + (struct sockaddr *)&from, fromlen); } #endif @@ -730,8 +732,8 @@ * the address be 0.0.0.0. */ memset(&from, 0, sizeof(from)); + fromlen = sizeof(from); if (packet_connection_is_on_socket()) { - fromlen = sizeof(from); if (getpeername(packet_get_connection_in(), (struct sockaddr *) & from, &fromlen) < 0) { debug("getpeername: %.100s", strerror(errno)); @@ -949,7 +951,7 @@ { char buf[256]; u_int i, envsize; - char **env; + char **env, *laddr; struct passwd *pw = s->pw; /* Initialize the environment. */ @@ -969,6 +971,9 @@ /* Set basic environment. */ child_set_env(&env, &envsize, "USER", pw->pw_name); child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); +#ifdef _AIX + child_set_env(&env, &envsize, "LOGIN", pw->pw_name); +#endif child_set_env(&env, &envsize, "HOME", pw->pw_dir); #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0) 
@@ -1025,9 +1030,10 @@ get_remote_ipaddr(), get_remote_port(), get_local_port()); child_set_env(&env, &envsize, "SSH_CLIENT", buf); + laddr = get_local_ipaddr(packet_get_connection_in()); snprintf(buf, sizeof buf, "%.50s %d %.50s %d", - get_remote_ipaddr(), get_remote_port(), - get_local_ipaddr(packet_get_connection_in()), get_local_port()); + get_remote_ipaddr(), get_remote_port(), laddr, get_local_port()); + xfree(laddr); child_set_env(&env, &envsize, "SSH_CONNECTION", buf); if (s->ttyfd != -1) @@ -1146,8 +1152,10 @@ /* Add authority data to .Xauthority if appropriate. */ if (debug_flag) { fprintf(stderr, - "Running %.500s add " - "%.100s %.100s %.100s\n", + "Running %.500s remove %.100s\n", + options.xauth_location, s->auth_display); + fprintf(stderr, + "%.500s add %.100s %.100s %.100s\n", options.xauth_location, s->auth_display, s->auth_proto, s->auth_data); } @@ -1155,6 +1163,8 @@ options.xauth_location); f = popen(cmd, "w"); if (f) { + fprintf(f, "remove %s\n", + s->auth_display); fprintf(f, "add %s %s %s\n", s->auth_display, s->auth_proto, s->auth_data); @@ -1187,6 +1197,7 @@ while (fgets(buf, sizeof(buf), f)) fputs(buf, stderr); fclose(f); + fflush(NULL); exit(254); } } @@ -1195,11 +1206,11 @@ void do_setusercontext(struct passwd *pw) { -#ifdef HAVE_CYGWIN - if (is_winnt) { -#else /* HAVE_CYGWIN */ - if (getuid() == 0 || geteuid() == 0) { +#ifndef HAVE_CYGWIN + if (getuid() == 0 || geteuid() == 0) #endif /* HAVE_CYGWIN */ + { + #ifdef HAVE_SETPCRED setpcred(pw->pw_name); #endif /* HAVE_SETPCRED */ @@ -1249,6 +1260,10 @@ permanently_set_uid(pw); #endif } + +#ifdef HAVE_CYGWIN + if (is_winnt) +#endif if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); } 
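Review bot: In session.c do_setusercontext(), hunk @@ -1249,6 +1260,10 @@, a brace-less if (is_winnt) inside #ifdef HAVE_CYGWIN now guards the brace-less uid comparison that follows, so the "Failed to set uids" verification is skipped entirely on Cygwin when is_winnt is false, and the nesting across the preprocessor block is easy to misread. Please add braces and a comment stating that skipping the check in that case is intended.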
@@ -1306,7 +1321,7 @@ */ if (!options.use_login) { #ifdef HAVE_OSF_SIA - session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty); + session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty); if (!check_quietlogin(s, command)) do_motd(); #else /* HAVE_OSF_SIA */ @@ -1320,12 +1335,17 @@ * legal, and means /bin/sh. */ shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; + + /* + * Make sure $SHELL points to the shell from the password file, + * even if shell is overridden from login.conf + */ + env = do_setup_env(s, shell); + #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); #endif - env = do_setup_env(s, shell); - /* we have to stash the hostname before we close our socket. */ if (options.use_login) hostname = get_remote_name_or_ip(utmp_len, @@ -1989,13 +2009,22 @@ { static char buf[1024]; int i; + char *cp; + buf[0] = '\0'; for (i = 0; i < MAX_SESSIONS; i++) { Session *s = &sessions[i]; if (s->used && s->ttyfd != -1) { + + if (strncmp(s->tty, "/dev/", 5) != 0) { + cp = strrchr(s->tty, '/'); + cp = (cp == NULL) ? s->tty : cp + 1; + } else + cp = s->tty + 5; + if (buf[0] != '\0') strlcat(buf, ",", sizeof buf); - strlcat(buf, strrchr(s->tty, '/') + 1, sizeof buf); + strlcat(buf, cp, sizeof buf); } } if (buf[0] == '\0') diff -ru openssh-3.5p1/sftp-client.c openssh-3.6p1/sftp-client.c --- openssh-3.5p1/sftp-client.c 2002-09-12 10:43:31.000000000 +1000 +++ openssh-3.6p1/sftp-client.c 2003-03-10 11:21:18.000000000 +1100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2001,2002 Damien Miller. All rights reserved. + * Copyright (c) 2001-2003 Damien Miller. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -28,7 +28,7 @@ /* XXX: copy between two remote sites */ #include "includes.h" -RCSID("$OpenBSD: sftp-client.c,v 1.35 2002/09/11 22:41:49 djm Exp $"); +RCSID("$OpenBSD: sftp-client.c,v 1.42 2003/03/05 22:33:43 markus Exp $"); #include "openbsd-compat/sys-queue.h" @@ -38,14 +38,20 @@ #include "xmalloc.h" #include "log.h" #include "atomicio.h" +#include "progressmeter.h" #include "sftp.h" #include "sftp-common.h" #include "sftp-client.h" +extern int showprogress; + /* Minimum amount of data to read at at time */ #define MIN_READ_SIZE 512 +/* Maximum packet size */ +#define MAX_MSG_LENGTH (256 * 1024) + struct sftp_conn { int fd_in; int fd_out; 
@@ -58,48 +64,45 @@ static void send_msg(int fd, Buffer *m) { - int mlen = buffer_len(m); - int len; - Buffer oqueue; - - buffer_init(&oqueue); - buffer_put_int(&oqueue, mlen); - buffer_append(&oqueue, buffer_ptr(m), mlen); - buffer_consume(m, mlen); + u_char mlen[4]; + + if (buffer_len(m) > MAX_MSG_LENGTH) + fatal("Outbound message too long %u", buffer_len(m)); - len = atomicio(write, fd, buffer_ptr(&oqueue), buffer_len(&oqueue)); - if (len <= 0) + /* Send length first */ + PUT_32BIT(mlen, buffer_len(m)); + if (atomicio(write, fd, mlen, sizeof(mlen)) <= 0) fatal("Couldn't send packet: %s", strerror(errno)); - buffer_free(&oqueue); + if (atomicio(write, fd, buffer_ptr(m), buffer_len(m)) <= 0) + fatal("Couldn't send packet: %s", strerror(errno)); + + buffer_clear(m); } static void get_msg(int fd, Buffer *m) { - u_int len, msg_len; - unsigned char buf[4096]; + ssize_t len; + u_int msg_len; - len = atomicio(read, fd, buf, 4); + buffer_append_space(m, 4); + len = atomicio(read, fd, buffer_ptr(m), 4); if (len == 0) fatal("Connection closed"); else if (len == -1) fatal("Couldn't read packet: %s", strerror(errno)); - msg_len = GET_32BIT(buf); - if (msg_len > 256 * 1024) + msg_len = buffer_get_int(m); + if (msg_len > MAX_MSG_LENGTH) fatal("Received message too long %u", msg_len); - while (msg_len) { - len = atomicio(read, fd, buf, MIN(msg_len, sizeof(buf))); - if (len == 0) - fatal("Connection closed"); - else if (len == -1) - fatal("Couldn't read packet: %s", strerror(errno)); - - msg_len -= len; - buffer_append(m, buf, len); - } + buffer_append_space(m, msg_len); + len = atomicio(read, fd, buffer_ptr(m), msg_len); + if (len == 0) + fatal("Connection closed"); + else if (len == -1) + fatal("Read packet: %s", strerror(errno)); } static void @@ -371,6 +374,7 @@ error("Couldn't read directory: %s", fx2txt(status)); do_close(conn, handle, handle_len); + xfree(handle); return(status); } } else if (type != SSH2_FXP_NAME) 
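Review bot: In sftp-client.c get_msg(), hunk @@ -58,48 +64,45 @@, both reads test the atomicio() result only against 0 and -1, so a return shorter than the 4 or msg_len bytes requested would be treated as a complete message while the space reserved by buffer_append_space() stays partly unfilled. Suggest comparing the result against the requested length. The reads also target buffer_ptr(m), which is the reserved region only if m is empty on entry; either document that precondition or clear the buffer at the top of the function.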
@@ -660,7 +664,7 @@ status = get_status(conn->fd_in, id); if (status != SSH2_FX_OK) - error("Couldn't rename file \"%s\" to \"%s\": %s", oldpath, + error("Couldn't symlink file \"%s\" to \"%s\": %s", oldpath, newpath, fx2txt(status)); return(status); @@ -741,6 +745,7 @@ int read_error, write_errno; u_int64_t offset, size; u_int handle_len, mode, type, id, buflen; + off_t progress_counter; struct request { u_int id; u_int len; @@ -758,13 +763,13 @@ /* XXX: should we preserve set[ug]id? */ if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) - mode = S_IWRITE | (a->perm & 0777); + mode = a->perm & 0777; else mode = 0666; if ((a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) && - (a->perm & S_IFDIR)) { - error("Cannot download a directory: %s", remote_path); + (!S_ISREG(a->perm))) { + error("Cannot download non-regular file: %s", remote_path); return(-1); } @@ -793,7 +798,8 @@ return(-1); } - local_fd = open(local_path, O_WRONLY | O_CREAT | O_TRUNC, mode); + local_fd = open(local_path, O_WRONLY | O_CREAT | O_TRUNC, + mode | S_IWRITE); if (local_fd == -1) { error("Couldn't open local file \"%s\" for writing: %s", local_path, strerror(errno)); @@ -805,6 +811,16 @@ /* Read from remote and write to local */ write_error = read_error = write_errno = num_req = offset = 0; max_req = 1; + progress_counter = 0; + + if (showprogress) { + if (size) + start_progress_meter(remote_path, size, + &progress_counter); + else + printf("Fetching %s to %s\n", remote_path, local_path); + } + while (num_req > 0 || max_req > 0) { char *data; u_int len; 
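Review bot: In sftp-client.c, hunk @@ -805,6 +811,16 @@, "Fetching %s to %s" is printed only when showprogress is set and size is 0, so with the meter switched off a download prints nothing, whereas the upload code in hunk @@ -1017,6 +1042,11 @@ prints "Uploading %s to %s" in its else branch precisely when showprogress is off. One of the two is probably unintended; suggest making both directions follow the same rule.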
@@ -857,14 +873,15 @@ (unsigned long long)req->offset + len - 1); if (len > req->len) fatal("Received more data than asked for " - "%u > %u", len, req->len); + "%u > %u", len, req->len); if ((lseek(local_fd, req->offset, SEEK_SET) == -1 || - atomicio(write, local_fd, data, len) != len) && + atomicio(write, local_fd, data, len) != len) && !write_error) { write_errno = errno; write_error = 1; max_req = 0; } + progress_counter += len; xfree(data); if (len == req->len) { @@ -907,6 +924,9 @@ } } + if (showprogress && size) + stop_progress_meter(); + /* Sanity check */ if (TAILQ_FIRST(&requests) != NULL) fatal("Transfer complete, but requests still in queue"); @@ -930,7 +950,7 @@ if (pflag && chmod(local_path, mode) == -1) #endif /* HAVE_FCHMOD */ error("Couldn't set mode on \"%s\": %s", local_path, - strerror(errno)); + strerror(errno)); if (pflag && (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME)) { struct timeval tv[2]; tv[0].tv_sec = a->atime; @@ -938,7 +958,7 @@ tv[0].tv_usec = tv[1].tv_usec = 0; if (utimes(local_path, tv) == -1) error("Can't set times on \"%s\": %s", - local_path, strerror(errno)); + local_path, strerror(errno)); } } close(local_fd); @@ -983,6 +1003,11 @@ close(local_fd); return(-1); } + if (!S_ISREG(sb.st_mode)) { + error("%s is not a regular file", local_path); + close(local_fd); + return(-1); + } stat_to_attrib(&sb, &a); a.flags &= ~SSH2_FILEXFER_ATTR_SIZE; @@ -1017,6 +1042,11 @@ /* Read from local and write to remote */ offset = 0; + if (showprogress) + start_progress_meter(local_path, sb.st_size, &offset); + else + printf("Uploading %s to %s\n", local_path, remote_path); + for (;;) { int len; @@ -1047,7 +1077,7 @@ buffer_put_string(&msg, data, len); send_msg(conn->fd_out, &msg); debug3("Sent message SSH2_FXP_WRITE I:%u O:%llu S:%u", - id, (unsigned long long)offset, len); + id, (unsigned long long)offset, len); } else if (TAILQ_FIRST(&acks) == NULL) break; 
@@ -1081,9 +1111,11 @@ if (status != SSH2_FX_OK) { error("Couldn't write to remote file \"%s\": %s", - remote_path, fx2txt(status)); + remote_path, fx2txt(status)); do_close(conn, handle, handle_len); close(local_fd); + xfree(data); + xfree(ack); goto done; } debug3("In write loop, ack for %u %u bytes at %llu", @@ -1093,6 +1125,8 @@ } offset += len; } + if (showprogress) + stop_progress_meter(); xfree(data); if (close(local_fd) == -1) { diff -ru openssh-3.5p1/sftp-common.c openssh-3.6p1/sftp-common.c --- openssh-3.5p1/sftp-common.c 2002-09-12 09:54:26.000000000 +1000 +++ openssh-3.6p1/sftp-common.c 2002-11-10 02:40:36.000000000 +1100 @@ -24,7 +24,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sftp-common.c,v 1.7 2002/09/11 22:41:50 djm Exp $"); +RCSID("$OpenBSD: sftp-common.c,v 1.8 2002/10/16 14:31:48 itojun Exp $"); #include "buffer.h" #include "bufaux.h" @@ -208,6 +208,6 @@ glen = MAX(strlen(group), 8); snprintf(buf, sizeof buf, "%s %3d %-*s %-*s %8llu %s %s", mode, st->st_nlink, ulen, user, glen, group, - (u_int64_t)st->st_size, tbuf, name); + (unsigned long long)st->st_size, tbuf, name); return xstrdup(buf); } diff -ru openssh-3.5p1/sftp-int.c openssh-3.6p1/sftp-int.c --- openssh-3.5p1/sftp-int.c 2002-09-12 10:34:15.000000000 +1000 +++ openssh-3.6p1/sftp-int.c 2003-03-10 11:21:18.000000000 +1100 @@ -25,7 +25,7 @@ /* XXX: recursive operations */ #include "includes.h" -RCSID("$OpenBSD: sftp-int.c,v 1.49 2002/09/12 00:13:06 djm Exp $"); +RCSID("$OpenBSD: sftp-int.c,v 1.57 2003/03/05 22:33:43 markus Exp $"); #include "buffer.h" #include "xmalloc.h" @@ -47,6 +47,9 @@ /* Number of concurrent outstanding requests */ extern int num_requests; +/* This is set to 0 if the progressmeter is not desired. */ +int showprogress = 1; + /* Seperators for interactive commands */ #define WHITESPACE " \t\r\n" 
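Review bot: In sftp-client.c, hunk @@ -1081,9 +1111,11 @@, the write-failure path now frees data and ack and jumps to done, but it does not call the stop_progress_meter() that hunk @@ -1093,6 +1125,8 @@ adds after the loop. If the done label lies past that call, a meter started by start_progress_meter() is never stopped when a remote write fails; suggest stopping it before the goto.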
@@ -73,13 +76,14 @@ #define I_SHELL 20 #define I_SYMLINK 21 #define I_VERSION 22 +#define I_PROGRESS 23 struct CMD { const char *c; const int n; }; -const struct CMD cmds[] = { +static const struct CMD cmds[] = { { "bye", I_QUIT }, { "cd", I_CHDIR }, { "chdir", I_CHDIR }, @@ -100,6 +104,7 @@ { "ls", I_LS }, { "lumask", I_LUMASK }, { "mkdir", I_MKDIR }, + { "progress", I_PROGRESS }, { "put", I_PUT }, { "mput", I_PUT }, { "pwd", I_PWD }, @@ -132,6 +137,7 @@ printf("ls [path] Display remote directory listing\n"); printf("lumask umask Set local umask to 'umask'\n"); printf("mkdir path Create remote directory\n"); + printf("progress Toggle display of progress meter\n"); printf("put local-path [remote-path] Upload file\n"); printf("pwd Display remote working directory\n"); printf("exit Quit sftp\n"); @@ -375,6 +381,17 @@ } static int +is_reg(char *path) +{ + struct stat sb; + + if (stat(path, &sb) == -1) + fatal("stat %s: %s", path, strerror(errno)); + + return(S_ISREG(sb.st_mode)); +} + +static int remote_is_dir(struct sftp_conn *conn, char *path) { Attrib *a; @@ -425,7 +442,6 @@ err = -1; goto out; } - printf("Fetching %s to %s\n", g.gl_pathv[0], abs_dst); err = do_download(conn, g.gl_pathv[0], abs_dst, pflag); goto out; } @@ -489,6 +505,12 @@ /* Only one match, dst may be file, directory or unspecified */ if (g.gl_pathv[0] && g.gl_matchc == 1) { + if (!is_reg(g.gl_pathv[0])) { + error("Can't upload %s: not a regular file", + g.gl_pathv[0]); + err = 1; + goto out; + } if (tmp_dst) { /* If directory specified, append filename */ if (remote_is_dir(conn, tmp_dst)) { @@ -507,7 +529,6 @@ } abs_dst = make_absolute(abs_dst, pwd); } - printf("Uploading %s to %s\n", g.gl_pathv[0], abs_dst); err = do_upload(conn, g.gl_pathv[0], abs_dst, pflag); goto out; } @@ -521,6 +542,11 @@ } for (i = 0; g.gl_pathv[i]; i++) { + if (!is_reg(g.gl_pathv[i])) { + error("skipping non-regular file %s", + g.gl_pathv[i]); + continue; + } if (infer_path(g.gl_pathv[i], &tmp)) { err = -1; goto out; 
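Review bot: In sftp-int.c, hunk @@ -521,6 +542,11 @@, a non-regular match in the upload loop is skipped with error() and continue, but is_reg() as added in hunk @@ -375,6 +381,17 @@ calls fatal() when stat() fails, so a single glob match that cannot be stat'ed ends the whole session instead of being skipped. Suggest having is_reg() report the error and return 0 so both kinds of unusable path are handled the same way.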
@@ -550,7 +576,7 @@ SFTP_DIRENT *a = *(SFTP_DIRENT **)aa; SFTP_DIRENT *b = *(SFTP_DIRENT **)bb; - return (strcmp(a->filename, b->filename)); + return (strcmp(a->filename, b->filename)); } /* sftp ls.1 replacement for directories */ @@ -563,7 +589,7 @@ if ((n = do_readdir(conn, path, &d)) != 0) return (n); - /* Count entries for sort */ + /* Count entries for sort */ for (n = 0; d[n] != NULL; n++) ; @@ -571,7 +597,7 @@ for (n = 0; d[n] != NULL; n++) { char *tmp, *fname; - + tmp = path_append(path, d[n]->filename); fname = path_strip(tmp, strip_path); xfree(tmp); @@ -589,7 +615,7 @@ /* XXX - multicolumn display would be nice here */ printf("%s\n", fname); } - + xfree(fname); } @@ -599,7 +625,7 @@ /* sftp ls.1 replacement which handles path globs */ static int -do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, +do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, int lflag) { glob_t g; @@ -609,23 +635,23 @@ memset(&g, 0, sizeof(g)); - if (remote_glob(conn, path, GLOB_MARK|GLOB_NOCHECK|GLOB_BRACE, + if (remote_glob(conn, path, GLOB_MARK|GLOB_NOCHECK|GLOB_BRACE, NULL, &g)) { error("Can't ls: \"%s\" not found", path); return (-1); } /* - * If the glob returns a single match, which is the same as the + * If the glob returns a single match, which is the same as the * input glob, and it is a directory, then just list its contents */ - if (g.gl_pathc == 1 && + if (g.gl_pathc == 1 && strncmp(path, g.gl_pathv[0], strlen(g.gl_pathv[0]) - 1) == 0) { if ((a = do_lstat(conn, path, 1)) == NULL) { globfree(&g); return (-1); } - if ((a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) && + if ((a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) && S_ISDIR(a->perm)) { globfree(&g); return (do_ls_dir(conn, path, strip_path, lflag)); 
@@ -640,8 +666,8 @@ if (lflag) { /* * XXX: this is slow - 1 roundtrip per path - * A solution to this is to fork glob() and - * build a sftp specific version which keeps the + * A solution to this is to fork glob() and + * build a sftp specific version which keeps the * attribs (which currently get thrown away) * that the server returns as well as the filenames. */ @@ -666,7 +692,7 @@ } static int -parse_args(const char **cpp, int *pflag, int *lflag, +parse_args(const char **cpp, int *pflag, int *lflag, int *iflag, unsigned long *n_arg, char **path1, char **path2) { const char *cmd, *cp = *cpp; @@ -678,10 +704,17 @@ /* Skip leading whitespace */ cp = cp + strspn(cp, WHITESPACE); - /* Ignore blank lines */ - if (!*cp) - return(-1); + /* Ignore blank lines and lines which begin with comment '#' char */ + if (*cp == '\0' || *cp == '#') + return (0); + /* Check for leading '-' (disable error processing) */ + *iflag = 0; + if (*cp == '-') { + *iflag = 1; + cp++; + } + /* Figure out which command we have */ for (i = 0; cmds[i].c; i++) { int cmdlen = strlen(cmds[i].c); @@ -703,7 +736,7 @@ cmdnum = I_SHELL; } else if (cmdnum == -1) { error("Invalid command."); - return(-1); + return (-1); } /* Get arguments and parse flags */ @@ -803,6 +836,7 @@ case I_LPWD: case I_HELP: case I_VERSION: + case I_PROGRESS: break; default: fatal("Command not implemented"); @@ -813,10 +847,11 @@ } static int -parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd) +parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, + int err_abort) { char *path1, *path2, *tmp; - int pflag, lflag, cmdnum, i; + int pflag, lflag, iflag, cmdnum, i; unsigned long n_arg; Attrib a, *aa; char path_buf[MAXPATHLEN]; 
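Review bot: In sftp-int.c parse_args(), hunk @@ -678,10 +704,17 @@, the new early return (0) for blank and comment lines comes before *iflag = 0, yet the caller declares iflag without an initialiser in hunk @@ -813,10 +847,11 @@ and tests iflag != 0 right after the call in hunk @@ -824,14 +859,22 @@, so for those lines it reads an indeterminate value. Suggest setting *iflag = 0 before the first return.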
@@ -824,14 +859,22 @@ glob_t g; path1 = path2 = NULL; - cmdnum = parse_args(&cmd, &pflag, &lflag, &n_arg, + cmdnum = parse_args(&cmd, &pflag, &lflag, &iflag, &n_arg, &path1, &path2); + if (iflag != 0) + err_abort = 0; + memset(&g, 0, sizeof(g)); /* Perform command */ switch (cmdnum) { + case 0: + /* Blank line */ + break; case -1: + /* Unrecognized command */ + err = -1; break; case I_GET: err = process_get(conn, path1, path2, *pwd, pflag); @@ -853,8 +896,9 @@ remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g); for (i = 0; g.gl_pathv[i]; i++) { printf("Removing %s\n", g.gl_pathv[i]); - if (do_rm(conn, g.gl_pathv[i]) == -1) - err = -1; + err = do_rm(conn, g.gl_pathv[i]); + if (err != 0 && err_abort) + break; } break; case I_MKDIR: @@ -900,15 +944,14 @@ do_globbed_ls(conn, *pwd, *pwd, lflag); break; } - + /* Strip pwd off beginning of non-absolute paths */ tmp = NULL; if (*path1 != '/') tmp = *pwd; path1 = make_absolute(path1, *pwd); - - do_globbed_ls(conn, path1, tmp, lflag); + err = do_globbed_ls(conn, path1, tmp, lflag); break; case I_LCHDIR: if (chdir(path1) == -1) { 
@@ -942,62 +985,70 @@ remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g); for (i = 0; g.gl_pathv[i]; i++) { printf("Changing mode on %s\n", g.gl_pathv[i]); - do_setstat(conn, g.gl_pathv[i], &a); + err = do_setstat(conn, g.gl_pathv[i], &a); + if (err != 0 && err_abort) + break; } break; case I_CHOWN: - path1 = make_absolute(path1, *pwd); - remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g); - for (i = 0; g.gl_pathv[i]; i++) { - if (!(aa = do_stat(conn, g.gl_pathv[i], 0))) - continue; - if (!(aa->flags & SSH2_FILEXFER_ATTR_UIDGID)) { - error("Can't get current ownership of " - "remote file \"%s\"", g.gl_pathv[i]); - continue; - } - printf("Changing owner on %s\n", g.gl_pathv[i]); - aa->flags &= SSH2_FILEXFER_ATTR_UIDGID; - aa->uid = n_arg; - do_setstat(conn, g.gl_pathv[i], aa); - } - break; case I_CHGRP: path1 = make_absolute(path1, *pwd); remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g); for (i = 0; g.gl_pathv[i]; i++) { - if (!(aa = do_stat(conn, g.gl_pathv[i], 0))) - continue; + if (!(aa = do_stat(conn, g.gl_pathv[i], 0))) { + if (err != 0 && err_abort) + break; + else + continue; + } if (!(aa->flags & SSH2_FILEXFER_ATTR_UIDGID)) { error("Can't get current ownership of " "remote file \"%s\"", g.gl_pathv[i]); - continue; + if (err != 0 && err_abort) + break; + else + continue; } - printf("Changing group on %s\n", g.gl_pathv[i]); aa->flags &= SSH2_FILEXFER_ATTR_UIDGID; - aa->gid = n_arg; - do_setstat(conn, g.gl_pathv[i], aa); + if (cmdnum == I_CHOWN) { + printf("Changing owner on %s\n", g.gl_pathv[i]); + aa->uid = n_arg; + } else { + printf("Changing group on %s\n", g.gl_pathv[i]); + aa->gid = n_arg; + } + err = do_setstat(conn, g.gl_pathv[i], aa); + if (err != 0 && err_abort) + break; } break; case I_PWD: printf("Remote working directory: %s\n", *pwd); break; case I_LPWD: - if (!getcwd(path_buf, sizeof(path_buf))) - error("Couldn't get local cwd: %s", - strerror(errno)); - else - printf("Local working directory: %s\n", - path_buf); + if (!getcwd(path_buf, 
sizeof(path_buf))) { + error("Couldn't get local cwd: %s", strerror(errno)); + err = -1; + break; + } + printf("Local working directory: %s\n", path_buf); break; case I_QUIT: - return(-1); + /* Processed below */ + break; case I_HELP: help(); break; case I_VERSION: printf("SFTP protocol version %u\n", sftp_proto_version(conn)); break; + case I_PROGRESS: + showprogress = !showprogress; + if (showprogress) + printf("Progress meter enabled\n"); + else + printf("Progress meter disabled\n"); + break; default: fatal("%d is not implemented", cmdnum); } @@ -1009,20 +1060,23 @@ if (path2) xfree(path2); - /* If an error occurs in batch mode we should abort. */ - if (infile != stdin && err > 0) - return -1; + /* If an unignored error occurs in batch mode we should abort. */ + if (err_abort && err != 0) + return (-1); + else if (cmdnum == I_QUIT) + return (1); - return(0); + return (0); } -void +int interactive_loop(int fd_in, int fd_out, char *file1, char *file2) { char *pwd; char *dir = NULL; char cmd[2048]; struct sftp_conn *conn; + int err; conn = do_init(fd_in, fd_out, copy_buffer_len, num_requests); if (conn == NULL) @@ -1039,7 +1093,8 @@ if (remote_is_dir(conn, dir) && file2 == NULL) { printf("Changing to: %s\n", dir); snprintf(cmd, sizeof cmd, "cd \"%s\"", dir); - parse_dispatch_command(conn, cmd, &pwd); + if (parse_dispatch_command(conn, cmd, &pwd, 1) != 0) + return (-1); } else { if (file2 == NULL) snprintf(cmd, sizeof cmd, "get %s", dir); @@ -1047,12 +1102,14 @@ snprintf(cmd, sizeof cmd, "get %s %s", dir, file2); - parse_dispatch_command(conn, cmd, &pwd); + err = parse_dispatch_command(conn, cmd, &pwd, 1); xfree(dir); - return; + xfree(pwd); + return (err); } xfree(dir); } + #if HAVE_SETVBUF setvbuf(stdout, NULL, _IOLBF, 0); setvbuf(infile, NULL, _IOLBF, 0); @@ -1061,6 +1118,7 @@ setlinebuf(infile); #endif + err = 0; for (;;) { char *cp; 
@@ -1077,8 +1135,13 @@ if (cp) *cp = '\0'; - if (parse_dispatch_command(conn, cmd, &pwd)) + err = parse_dispatch_command(conn, cmd, &pwd, infile != stdin); + if (err != 0) break; } xfree(pwd); + + /* err == 1 signifies normal "quit" exit */ + return (err >= 0 ? 0 : -1); } + diff -ru openssh-3.5p1/sftp-int.h openssh-3.6p1/sftp-int.h --- openssh-3.5p1/sftp-int.h 2002-02-13 14:10:33.000000000 +1100 +++ openssh-3.6p1/sftp-int.h 2003-01-10 21:40:00.000000000 +1100 @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-int.h,v 1.5 2002/02/13 00:59:23 djm Exp $ */ +/* $OpenBSD: sftp-int.h,v 1.6 2003/01/08 23:53:26 djm Exp $ */ /* * Copyright (c) 2001,2002 Damien Miller. All rights reserved. @@ -24,4 +24,4 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -void interactive_loop(int, int, char *, char *); +int interactive_loop(int, int, char *, char *); diff -ru openssh-3.5p1/sftp-server.0 openssh-3.6p1/sftp-server.0 --- openssh-3.5p1/sftp-server.0 2002-10-04 11:31:45.000000000 +1000 +++ openssh-3.6p1/sftp-server.0 2003-03-26 16:12:38.000000000 +1100 
@@ -1,27 +1,27 @@ -SFTP-SERVER(8) System Manager's Manual SFTP-SERVER(8) +SFTPM-bM-^@M-^PSERVER(8) BSD System ManagerM-bM-^@M-^Ys Manual SFTPM-bM-^@M-^PSERVER(8) -NAME - sftp-server - SFTP server subsystem +^[[1mNAME^[[0m + ^[[1msftpM-bM-^@M-^Pserver ^[[22mM-bMM-^R SFTP server subsystem -SYNOPSIS - sftp-server +^[[1mSYNOPSIS^[[0m + ^[[1msftpM-bM-^@M-^Pserver^[[0m -DESCRIPTION - sftp-server is a program that speaks the server side of SFTP protocol to - stdout and expects client requests from stdin. sftp-server is not - intended to be called directly, but from sshd(8) using the Subsystem +^[[1mDESCRIPTION^[[0m + ^[[1msftpM-bM-^@M-^Pserver ^[[22mis a program that speaks the server side of SFTP protocol to + stdout and expects client requests from stdin. ^[[1msftpM-bM-^@M-^Pserver ^[[22mis not + intended to be called directly, but from sshd(8) using the ^[[1mSubsystem^[[0m option. See sshd(8) for more information. -SEE ALSO +^[[1mSEE ALSO^[[0m sftp(1), ssh(1), sshd(8) - T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- - filexfer-00.txt, January 2001, work in progress material. + T. Ylonen and S. Lehtinen, ^[[4mSSH^[[24m ^[[4mFile^[[24m ^[[4mTransfer^[[24m ^[[4mProtocol^[[24m, draftM-bM-^@M-^PietfM-bM-^@M-^PsecshM-bM-^@M-^P + filexferM-bM-^@M-^P00.txt, January 2001, work in progress material. -AUTHORS +^[[1mAUTHORS^[[0m Markus Friedl -HISTORY - sftp-server first appeared in OpenBSD 2.8 . +^[[1mHISTORY^[[0m + ^[[1msftpM-bM-^@M-^Pserver ^[[22mfirst appeared in OpenBSD 2.8 . BSD August 30, 2000 BSD diff -ru openssh-3.5p1/sftp-server.c openssh-3.6p1/sftp-server.c --- openssh-3.5p1/sftp-server.c 2002-09-12 09:54:27.000000000 +1000 +++ openssh-3.6p1/sftp-server.c 2003-03-26 15:59:47.000000000 +1100 
@@ -22,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: sftp-server.c,v 1.38 2002/09/11 22:41:50 djm Exp $"); +RCSID("$OpenBSD: sftp-server.c,v 1.41 2003/03/26 04:02:51 deraadt Exp $"); #include "buffer.h" #include "bufaux.h" @@ -158,7 +158,7 @@ handles[i].use = use; handles[i].dirp = dirp; handles[i].fd = fd; - handles[i].name = name; + handles[i].name = xstrdup(name); return i; } } @@ -230,9 +230,11 @@ if (handle_is_ok(handle, HANDLE_FILE)) { ret = close(handles[handle].fd); handles[handle].use = HANDLE_UNUSED; + xfree(handles[handle].name); } else if (handle_is_ok(handle, HANDLE_DIR)) { ret = closedir(handles[handle].dirp); handles[handle].use = HANDLE_UNUSED; + xfree(handles[handle].name); } else { errno = ENOENT; } @@ -396,7 +398,7 @@ if (fd < 0) { status = errno_to_portable(errno); } else { - handle = handle_new(HANDLE_FILE, xstrdup(name), fd, NULL); + handle = handle_new(HANDLE_FILE, name, fd, NULL); if (handle < 0) { close(fd); } else { @@ -681,7 +683,7 @@ if (dirp == NULL) { status = errno_to_portable(errno); } else { - handle = handle_new(HANDLE_DIR, xstrdup(path), 0, dirp); + handle = handle_new(HANDLE_DIR, path, 0, dirp); if (handle < 0) { closedir(dirp); } else { 
@@ -832,18 +834,32 @@ process_rename(void) { u_int32_t id; - struct stat st; char *oldpath, *newpath; - int ret, status = SSH2_FX_FAILURE; + int status; + struct stat sb; id = get_int(); oldpath = get_string(NULL); newpath = get_string(NULL); TRACE("rename id %u old %s new %s", id, oldpath, newpath); - /* fail if 'newpath' exists */ - if (stat(newpath, &st) == -1) { - ret = rename(oldpath, newpath); - status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; + status = SSH2_FX_FAILURE; + if (lstat(oldpath, &sb) == -1) + status = errno_to_portable(errno); + else if (S_ISREG(sb.st_mode)) { + /* Race-free rename of regular files */ + if (link(oldpath, newpath) == -1) + status = errno_to_portable(errno); + else if (unlink(oldpath) == -1) { + status = errno_to_portable(errno); + /* clean spare link */ + unlink(newpath); + } else + status = SSH2_FX_OK; + } else if (stat(newpath, &sb) == -1) { + if (rename(oldpath, newpath) == -1) + status = errno_to_portable(errno); + else + status = SSH2_FX_OK; } send_status(id, status); xfree(oldpath); @@ -878,19 +894,16 @@ process_symlink(void) { u_int32_t id; - struct stat st; char *oldpath, *newpath; - int ret, status = SSH2_FX_FAILURE; + int ret, status; id = get_int(); oldpath = get_string(NULL); newpath = get_string(NULL); TRACE("symlink id %u old %s new %s", id, oldpath, newpath); - /* fail if 'newpath' exists */ - if (stat(newpath, &st) == -1) { - ret = symlink(oldpath, newpath); - status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; - } + /* this will fail if 'newpath' exists */ + ret = symlink(oldpath, newpath); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); xfree(oldpath); xfree(newpath); diff -ru openssh-3.5p1/sftp.0 openssh-3.6p1/sftp.0 --- openssh-3.5p1/sftp.0 2002-10-04 11:31:46.000000000 +1000 +++ openssh-3.6p1/sftp.0 2003-03-26 16:12:38.000000000 +1100 
@@ -1,171 +1,180 @@ -SFTP(1) System General Commands Manual SFTP(1) +SFTP(1) BSD General Commands Manual SFTP(1) -NAME - sftp - Secure file transfer program +^[[1mNAME^[[0m + ^[[1msftp ^[[22mM-bMM-^R Secure file transfer program -SYNOPSIS - sftp [-vC1] [-b batchfile] [-o ssh_option] [-s subsystem | sftp_server] - [-B buffer_size] [-F ssh_config] [-P sftp_server path] - [-R num_requests] [-S program] host - sftp [[user@]host[:file [file]]] - sftp [[user@]host[:dir[/]]] +^[[1mSYNOPSIS^[[0m + ^[[1msftp ^[[22m[^[[1mM-bMM-^RvC1^[[22m] [^[[1mM-bMM-^Rb ^[[4m^[[22mbatchfile^[[24m] [^[[1mM-bMM-^Ro ^[[4m^[[22mssh_option^[[24m] [^[[1mM-bMM-^Rs ^[[4m^[[22msubsystem^[[24m | ^[[4msftp_server^[[24m] + [^[[1mM-bMM-^RB ^[[4m^[[22mbuffer_size^[[24m] [^[[1mM-bMM-^RF ^[[4m^[[22mssh_config^[[24m] [^[[1mM-bMM-^RP ^[[4m^[[22msftp_server^[[24m ^[[4mpath^[[24m] + [^[[1mM-bMM-^RR ^[[4m^[[22mnum_requests^[[24m] [^[[1mM-bMM-^RS ^[[4m^[[22mprogram^[[24m] ^[[4mhost^[[0m + ^[[1msftp ^[[22m[[^[[4muser^[[24m@]^[[4mhost^[[24m[:^[[4mfile^[[24m [^[[4mfile^[[24m]]] + ^[[1msftp ^[[22m[[^[[4muser^[[24m@]^[[4mhost^[[24m[:^[[4mdir^[[24m[^[[4m/^[[24m]]] -DESCRIPTION - sftp is an interactive file transfer program, similar to ftp(1), which +^[[1mDESCRIPTION^[[0m + ^[[1msftp ^[[22mis an interactive file transfer program, similar to ftp(1), which performs all operations over an encrypted ssh(1) transport. It may also - use many features of ssh, such as public key authentication and compresM-- - sion. sftp connects and logs into the specified host, then enters an + use many features of ssh, such as public key authentication and compresM-bM-^@M-^P + sion. ^[[1msftp ^[[22mconnects and logs into the specified ^[[4mhost^[[24m, then enters an interactive command mode. 
- The second usage format will retrieve files automatically if a non-interM-- - active authentication method is used; otherwise it will do so after sucM-- + The second usage format will retrieve files automatically if a nonM-bM-^@M-^PinterM-bM-^@M-^P + active authentication method is used; otherwise it will do so after sucM-bM-^@M-^P cessful interactive authentication. - The last usage format allows the sftp client to start in a remote direcM-- + The last usage format allows the sftp client to start in a remote direcM-bM-^@M-^P tory. The options are as follows: - -b batchfile - Batch mode reads a series of commands from an input batchfile - instead of stdin. Since it lacks user interaction it should be - used in conjunction with non-interactive authentication. sftp - will abort if any of the following commands fail: get, put, - rename, ln, rm, mkdir, chdir, lchdir and lmkdir. + ^[[1mM-bMM-^Rb ^[[4m^[[22mbatchfile^[[0m + Batch mode reads a series of commands from an input ^[[4mbatchfile^[[0m + instead of ^[[4mstdin^[[24m. Since it lacks user interaction it should be + used in conjunction with nonM-bM-^@M-^Pinteractive authentication. ^[[1msftp^[[0m + will abort if any of the following commands fail: ^[[1mget^[[22m, ^[[1mput^[[22m, + ^[[1mrename^[[22m, ^[[1mln^[[22m, ^[[1mrm^[[22m, ^[[1mmkdir^[[22m, ^[[1mchdir^[[22m, ^[[1mls^[[22m, ^[[1mlchdir^[[22m, ^[[1mchmod^[[22m, ^[[1mchown^[[22m, ^[[1mchgrp^[[22m, + ^[[1mlpwd ^[[22mand ^[[1mlmkdir^[[22m. Termination on error can be suppressed on a + command by command basis by prefixing the command with a ^[[1mM-bM-^@M-^YM-bM-^@M-^PM-bM-^@M-^Y^[[0m + character (For example, ^[[1mM-bM-^@M-^Prm /tmp/blah* ^[[22m). - -o ssh_option - Can be used to pass options to ssh in the format used in + ^[[1mM-bMM-^Ro ^[[4m^[[22mssh_option^[[0m + Can be used to pass options to ^[[1mssh ^[[22min the format used in ssh_config(5). This is useful for specifying options for which - there is no separate sftp command-line flag. 
For example, to - specify an alternate port use: sftp -oPort=24. + there is no separate ^[[1msftp ^[[22mcommandM-bM-^@M-^Pline flag. For example, to + specify an alternate port use: ^[[1msftp M-bM-^@M-^PoPort=24^[[22m. - -s subsystem | sftp_server + ^[[1mM-bMM-^Rs ^[[4m^[[22msubsystem^[[24m | ^[[4msftp_server^[[0m Specifies the SSH2 subsystem or the path for an sftp server on the remote host. A path is useful for using sftp over protocol - version 1, or when the remote sshd does not have an sftp subsysM-- + version 1, or when the remote ^[[1msshd ^[[22mdoes not have an sftp subsysM-bM-^@M-^P tem configured. - -v Raise logging level. This option is also passed to ssh. + ^[[1mM-bMM-^Rv ^[[22mRaise logging level. This option is also passed to ssh. - -B buffer_size - Specify the size of the buffer that sftp uses when transferring + ^[[1mM-bMM-^RB ^[[4m^[[22mbuffer_size^[[0m + Specify the size of the buffer that ^[[1msftp ^[[22muses when transferring files. Larger buffers require fewer round trips at the cost of higher memory consumption. The default is 32768 bytes. - -C Enables compression (via ssh's -C flag). + ^[[1mM-bMM-^RC ^[[22mEnables compression (via sshM-bM-^@M-^Ys ^[[1mM-bMM-^RC ^[[22mflag). - -F ssh_config - Specifies an alternative per-user configuration file for ssh. + ^[[1mM-bMM-^RF ^[[4m^[[22mssh_config^[[0m + Specifies an alternative perM-bM-^@M-^Puser configuration file for ^[[1mssh^[[22m. This option is directly passed to ssh(1). - -P sftp_server path - Connect directly to a local sftp-server (rather than via ssh) + ^[[1mM-bMM-^RP ^[[4m^[[22msftp_server^[[24m ^[[4mpath^[[0m + Connect directly to a local ^[[1msftpM-bM-^@M-^Pserver ^[[22m(rather than via ^[[1mssh^[[22m) This option may be useful in debugging the client and server. - -R num_requests + ^[[1mM-bMM-^RR ^[[4m^[[22mnum_requests^[[0m Specify how many requests may be outstanding at any one time. Increasing this may slightly improve file transfer speed but will increase memory usage. 
The default is 16 outstanding requests. - -S program - Name of the program to use for the encrypted connection. The + ^[[1mM-bMM-^RS ^[[4m^[[22mprogram^[[0m + Name of the ^[[4mprogram^[[24m to use for the encrypted connection. The program must understand ssh(1) options. - -1 Specify the use of protocol version 1. + ^[[1mM-bMM-^R1 ^[[22mSpecify the use of protocol version 1. -INTERACTIVE COMMANDS - Once in interactive mode, sftp understands a set of commands similar to +^[[1mINTERACTIVE COMMANDS^[[0m + Once in interactive mode, ^[[1msftp ^[[22munderstands a set of commands similar to those of ftp(1). Commands are case insensitive and pathnames may be enclosed in quotes if they contain spaces. - bye Quit sftp. + ^[[1mbye ^[[22mQuit sftp. - cd path - Change remote directory to path. + ^[[1mcd ^[[4m^[[22mpath^[[0m + Change remote directory to ^[[4mpath^[[24m. - lcd path - Change local directory to path. + ^[[1mlcd ^[[4m^[[22mpath^[[0m + Change local directory to ^[[4mpath^[[24m. - chgrp grp path - Change group of file path to grp. grp must be a numeric GID. + ^[[1mchgrp ^[[4m^[[22mgrp^[[24m ^[[4mpath^[[0m + Change group of file ^[[4mpath^[[24m to ^[[4mgrp^[[24m. ^[[4mgrp^[[24m must be a numeric GID. - chmod mode path - Change permissions of file path to mode. + ^[[1mchmod ^[[4m^[[22mmode^[[24m ^[[4mpath^[[0m + Change permissions of file ^[[4mpath^[[24m to ^[[4mmode^[[24m. - chown own path - Change owner of file path to own. own must be a numeric UID. + ^[[1mchown ^[[4m^[[22mown^[[24m ^[[4mpath^[[0m + Change owner of file ^[[4mpath^[[24m to ^[[4mown^[[24m. ^[[4mown^[[24m must be a numeric UID. - exit Quit sftp. + ^[[1mexit ^[[22mQuit sftp. - get [flags] remote-path [local-path] - Retrieve the remote-path and store it on the local machine. If + ^[[1mget ^[[22m[^[[4mflags^[[24m] ^[[4mremoteM-bM-^@M-^Ppath^[[24m [^[[4mlocalM-bM-^@M-^Ppath^[[24m] + Retrieve the ^[[4mremoteM-bM-^@M-^Ppath^[[24m and store it on the local machine. 
If the local path name is not specified, it is given the same name - it has on the remote machine. If the -P flag is specified, then - the file's full permission and access time are copied too. + it has on the remote machine. If the ^[[1mM-bMM-^RP ^[[22mflag is specified, then + the fileM-bM-^@M-^Ys full permission and access time are copied too. - help Display help text. + ^[[1mhelp ^[[22mDisplay help text. - lls [ls-options [path]] - Display local directory listing of either path or current direcM-- - tory if path is not specified. + ^[[1mlls ^[[22m[^[[4mlsM-bM-^@M-^Poptions^[[24m [^[[4mpath^[[24m]] + Display local directory listing of either ^[[4mpath^[[24m or current direcM-bM-^@M-^P + tory if ^[[4mpath^[[24m is not specified. - lmkdir path - Create local directory specified by path. + ^[[1mlmkdir ^[[4m^[[22mpath^[[0m + Create local directory specified by ^[[4mpath^[[24m. - ln oldpath newpath - Create a symbolic link from oldpath to newpath. + ^[[1mln ^[[4m^[[22moldpath^[[24m ^[[4mnewpath^[[0m + Create a symbolic link from ^[[4moldpath^[[24m to ^[[4mnewpath^[[24m. - lpwd Print local working directory. + ^[[1mlpwd ^[[22mPrint local working directory. - ls [flags] [path] - Display remote directory listing of either path or current direcM-- - tory if path is not specified. If the -l flag is specified, then + ^[[1mls ^[[22m[^[[4mflags^[[24m] [^[[4mpath^[[24m] + Display remote directory listing of either ^[[4mpath^[[24m or current direcM-bM-^@M-^P + tory if ^[[4mpath^[[24m is not specified. If the ^[[1mM-bMM-^Rl ^[[22mflag is specified, then display additional details including permissions and ownership information. - lumask umask - Set local umask to umask. + ^[[1mlumask ^[[4m^[[22mumask^[[0m + Set local umask to ^[[4mumask^[[24m. - mkdir path - Create remote directory specified by path. + ^[[1mmkdir ^[[4m^[[22mpath^[[0m + Create remote directory specified by ^[[4mpath^[[24m. 
- put [flags] local-path [local-path] - Upload local-path and store it on the remote machine. If the + ^[[1mprogress^[[0m + Toggle display of progress meter. + + ^[[1mput ^[[22m[^[[4mflags^[[24m] ^[[4mlocalM-bM-^@M-^Ppath^[[24m [^[[4mremoteM-bM-^@M-^Ppath^[[24m] + Upload ^[[4mlocalM-bM-^@M-^Ppath^[[24m and store it on the remote machine. If the remote path name is not specified, it is given the same name it - has on the local machine. If the -P flag is specified, then the - file's full permission and access time are copied too. + has on the local machine. If the ^[[1mM-bMM-^RP ^[[22mflag is specified, then the + fileM-bM-^@M-^Ys full permission and access time are copied too. + + ^[[1mpwd ^[[22mDisplay remote working directory. - pwd Display remote working directory. + ^[[1mquit ^[[22mQuit sftp. - quit Quit sftp. + ^[[1mrename ^[[4m^[[22moldpath^[[24m ^[[4mnewpath^[[0m + Rename remote file from ^[[4moldpath^[[24m to ^[[4mnewpath^[[24m. - rename oldpath newpath - Rename remote file from oldpath to newpath. + ^[[1mrmdir ^[[4m^[[22mpath^[[0m + Remove remote directory specified by ^[[4mpath^[[24m. - rmdir path - Remove remote directory specified by path. + ^[[1mrm ^[[4m^[[22mpath^[[0m + Delete remote file specified by ^[[4mpath^[[24m. - rm path - Delete remote file specified by path. + ^[[1msymlink ^[[4m^[[22moldpath^[[24m ^[[4mnewpath^[[0m + Create a symbolic link from ^[[4moldpath^[[24m to ^[[4mnewpath^[[24m. - symlink oldpath newpath - Create a symbolic link from oldpath to newpath. + ^[[1mversion^[[0m + Display the ^[[1msftp ^[[22mprotocol version. - ! command - Execute command in local shell. + ! ^[[4mcommand^[[0m + Execute ^[[4mcommand^[[24m in local shell. ! Escape to local shell. ? Synonym for help. -AUTHORS +^[[1mAUTHORS^[[0m Damien Miller -SEE ALSO - scp(1), ssh(1), ssh-add(1), ssh-keygen(1), ssh_config(5), sftp-server(8), +^[[1mSEE ALSO^[[0m + scp(1), ssh(1), sshM-bM-^@M-^Padd(1), sshM-bM-^@M-^Pkeygen(1), ssh_config(5), sftpM-bM-^@M-^Pserver(8), sshd(8) - T. 
Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- - filexfer-00.txt, January 2001, work in progress material. + T. Ylonen and S. Lehtinen, ^[[4mSSH^[[24m ^[[4mFile^[[24m ^[[4mTransfer^[[24m ^[[4mProtocol^[[24m, draftM-bM-^@M-^PietfM-bM-^@M-^PsecshM-bM-^@M-^P + filexferM-bM-^@M-^P00.txt, January 2001, work in progress material. BSD February 4, 2001 BSD diff -ru openssh-3.5p1/sftp.1 openssh-3.6p1/sftp.1 --- openssh-3.5p1/sftp.1 2002-09-12 09:54:27.000000000 +1000 +++ openssh-3.6p1/sftp.1 2003-01-10 21:43:25.000000000 +1100 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.36 2002/09/11 22:41:50 djm Exp $ +.\" $OpenBSD: sftp.1,v 1.40 2003/01/10 08:19:07 fgsch Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -77,9 +77,16 @@ will abort if any of the following commands fail: .Ic get , put , rename , ln , -.Ic rm , mkdir , chdir , lchdir +.Ic rm , mkdir , chdir , ls , +.Ic lchdir , chmod , chown , chgrp , lpwd and .Ic lmkdir . +Termination on error can be suppressed on a command by command basis by +prefixing the command with a +.Ic '-' +character (For example, +.Ic -rm /tmp/blah* +). .It Fl o Ar ssh_option Can be used to pass options to .Nm ssh @@ -221,10 +228,12 @@ .It Ic mkdir Ar path Create remote directory specified by .Ar path . +.It Ic progress +Toggle display of progress meter. .It Xo Ic put .Op Ar flags .Ar local-path -.Op Ar local-path +.Op Ar remote-path .Xc Upload .Ar local-path @@ -253,6 +262,10 @@ .Ar oldpath to .Ar newpath . +.It Ic version +Display the +.Nm +protocol version. .It Ic ! Ar command Execute .Ar command diff -ru openssh-3.5p1/sftp.c openssh-3.6p1/sftp.c --- openssh-3.5p1/sftp.c 2002-08-01 11:25:01.000000000 +1000 +++ openssh-3.6p1/sftp.c 2003-01-10 21:43:25.000000000 +1100 
@@ -24,7 +24,7 @@ #include "includes.h" -RCSID("$OpenBSD: sftp.c,v 1.31 2002/07/25 01:16:59 mouring Exp $"); +RCSID("$OpenBSD: sftp.c,v 1.34 2003/01/10 08:19:07 fgsch Exp $"); /* XXX: short-form remote directory listings (like 'ls -C') */ @@ -49,6 +49,8 @@ size_t copy_buffer_len = 32768; size_t num_requests = 16; +extern int showprogress; + static void connect_to_server(char *path, char **args, int *in, int *out, pid_t *sshpid) { @@ -108,7 +110,7 @@ int main(int argc, char **argv) { - int in, out, ch; + int in, out, ch, err; pid_t sshpid; char *host, *userhost, *cp, *file2; int debug_level = 0, sshver = 2; @@ -162,6 +164,7 @@ fatal("%s (%s).", strerror(errno), optarg); } else fatal("Filename already specified."); + showprogress = 0; break; case 'P': sftp_direct = optarg; @@ -197,7 +200,7 @@ file1 = cp; } - if ((host = strchr(userhost, '@')) == NULL) + if ((host = strrchr(userhost, '@')) == NULL) host = userhost; else { *host++ = '\0'; @@ -237,7 +240,7 @@ &sshpid); } - interactive_loop(in, out, file1, file2); + err = interactive_loop(in, out, file1, file2); #if !defined(USE_PIPES) shutdown(in, SHUT_RDWR); @@ -254,5 +257,5 @@ fatal("Couldn't wait for ssh process: %s", strerror(errno)); - exit(0); + exit(err == 0 ? 0 : 1); } diff -ru openssh-3.5p1/ssh-add.0 openssh-3.6p1/ssh-add.0 --- openssh-3.5p1/ssh-add.0 2002-10-04 11:31:44.000000000 +1000 +++ openssh-3.6p1/ssh-add.0 2003-03-26 16:12:37.000000000 +1100 
@@ -1,54 +1,60 @@ -SSH-ADD(1) System General Commands Manual SSH-ADD(1) +SSHM-bM-^@M-^PADD(1) BSD General Commands Manual SSHM-bM-^@M-^PADD(1) -NAME - ssh-add - adds RSA or DSA identities to the authentication agent +^[[1mNAME^[[0m + ^[[1msshM-bM-^@M-^Padd ^[[22mM-bMM-^R adds RSA or DSA identities to the authentication agent -SYNOPSIS - ssh-add [-lLdDxX] [-t life] [file ...] - ssh-add -s reader - ssh-add -e reader - -DESCRIPTION - ssh-add adds RSA or DSA identities to the authentication agent, - ssh-agent(1). When run without arguments, it adds the files - $HOME/.ssh/id_rsa, $HOME/.ssh/id_dsa and $HOME/.ssh/identity. AlternaM-- +^[[1mSYNOPSIS^[[0m + ^[[1msshM-bM-^@M-^Padd ^[[22m[^[[1mM-bMM-^RlLdDxXc^[[22m] [^[[1mM-bMM-^Rt ^[[4m^[[22mlife^[[24m] [^[[4mfile^[[24m ^[[4m...^[[24m] + ^[[1msshM-bM-^@M-^Padd M-bMM-^Rs ^[[4m^[[22mreader^[[0m + ^[[1msshM-bM-^@M-^Padd M-bMM-^Re ^[[4m^[[22mreader^[[0m + +^[[1mDESCRIPTION^[[0m + ^[[1msshM-bM-^@M-^Padd ^[[22madds RSA or DSA identities to the authentication agent, + sshM-bM-^@M-^Pagent(1). When run without arguments, it adds the files + ^[[4m$HOME/.ssh/id_rsa^[[24m, ^[[4m$HOME/.ssh/id_dsa^[[24m and ^[[4m$HOME/.ssh/identity^[[24m. AlternaM-bM-^@M-^P tive file names can be given on the command line. If any file requires a - passphrase, ssh-add asks for the passphrase from the user. The - passphrase is read from the user's tty. ssh-add retries the last + passphrase, ^[[1msshM-bM-^@M-^Padd ^[[22masks for the passphrase from the user. The + passphrase is read from the userM-bM-^@M-^Ys tty. ^[[1msshM-bM-^@M-^Padd ^[[22mretries the last passphrase if multiple identity files are given. The authentication agent must be running and must be an ancestor of the - current process for ssh-add to work. + current process for ^[[1msshM-bM-^@M-^Padd ^[[22mto work. 
The options are as follows: - -l Lists fingerprints of all identities currently represented by the + ^[[1mM-bMM-^Rl ^[[22mLists fingerprints of all identities currently represented by the agent. - -L Lists public key parameters of all identities currently repreM-- + ^[[1mM-bMM-^RL ^[[22mLists public key parameters of all identities currently repreM-bM-^@M-^P sented by the agent. - -d Instead of adding the identity, removes the identity from the + ^[[1mM-bMM-^Rd ^[[22mInstead of adding the identity, removes the identity from the agent. - -D Deletes all identities from the agent. + ^[[1mM-bMM-^RD ^[[22mDeletes all identities from the agent. - -x Lock the agent with a password. + ^[[1mM-bMM-^Rx ^[[22mLock the agent with a password. - -X Unlock the agent. + ^[[1mM-bMM-^RX ^[[22mUnlock the agent. - -t life + ^[[1mM-bMM-^Rt ^[[4m^[[22mlife^[[0m Set a maximum lifetime when adding identities to an agent. The - lifetime may be specified in seconds or in a time format speciM-- - fied in sshd(8). + lifetime may be specified in seconds or in a time format speciM-bM-^@M-^P + fied in sshd_config(5). - -s reader - Add key in smartcard reader. + ^[[1mM-bMM-^Rc ^[[22mIndicates that added identities should be subject to confirmation + before being used for authentication. Confirmation is performed + by the SSH_ASKPASS program mentioned below. Successful confirmaM-bM-^@M-^P + tion is signaled by a zero exit status from the SSH_ASKPASS proM-bM-^@M-^P + gram, rather than text entered into the requester. - -e reader - Remove key in smartcard reader. + ^[[1mM-bMM-^Rs ^[[4m^[[22mreader^[[0m + Add key in smartcard ^[[4mreader^[[24m. -FILES + ^[[1mM-bMM-^Re ^[[4m^[[22mreader^[[0m + Remove key in smartcard ^[[4mreader^[[24m. + +^[[1mFILES^[[0m $HOME/.ssh/identity Contains the protocol version 1 RSA authentication identity of the user. 
@@ -62,35 +68,35 @@ the user. Identity files should not be readable by anyone but the user. Note that - ssh-add ignores identity files if they are accessible by others. + ^[[1msshM-bM-^@M-^Padd ^[[22mignores identity files if they are accessible by others. -ENVIRONMENT +^[[1mENVIRONMENT^[[0m DISPLAY and SSH_ASKPASS - If ssh-add needs a passphrase, it will read the passphrase from - the current terminal if it was run from a terminal. If ssh-add + If ^[[1msshM-bM-^@M-^Padd ^[[22mneeds a passphrase, it will read the passphrase from + the current terminal if it was run from a terminal. If ^[[1msshM-bM-^@M-^Padd^[[0m does not have a terminal associated with it but DISPLAY and SSH_ASKPASS are set, it will execute the program specified by SSH_ASKPASS and open an X11 window to read the passphrase. This - is particularly useful when calling ssh-add from a .Xsession or + is particularly useful when calling ^[[1msshM-bM-^@M-^Padd ^[[22mfrom a ^[[4m.Xsession^[[24m or related script. (Note that on some machines it may be necessary - to redirect the input from /dev/null to make this work.) + to redirect the input from ^[[4m/dev/null^[[24m to make this work.) SSH_AUTH_SOCK - Identifies the path of a unix-domain socket used to communicate + Identifies the path of a unixM-bM-^@M-^Pdomain socket used to communicate with the agent. -DIAGNOSTICS +^[[1mDIAGNOSTICS^[[0m Exit status is 0 on success, 1 if the specified command fails, and 2 if - ssh-add is unable to contact the authentication agent. + ^[[1msshM-bM-^@M-^Padd ^[[22mis unable to contact the authentication agent. -AUTHORS +^[[1mAUTHORS^[[0m OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo - de Raadt and Dug Song removed many bugs, re-added newer features and creM-- + de Raadt and Dug Song removed many bugs, reM-bM-^@M-^Padded newer features and creM-bM-^@M-^P ated OpenSSH. 
Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -SEE ALSO - ssh(1), ssh-agent(1), ssh-keygen(1), sshd(8) +^[[1mSEE ALSO^[[0m + ssh(1), sshM-bM-^@M-^Pagent(1), sshM-bM-^@M-^Pkeygen(1), sshd(8) BSD September 25, 1999 BSD diff -ru openssh-3.5p1/ssh-add.1 openssh-3.6p1/ssh-add.1 --- openssh-3.5p1/ssh-add.1 2002-06-21 10:41:52.000000000 +1000 +++ openssh-3.6p1/ssh-add.1 2003-02-24 12:00:17.000000000 +1100 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-add.1,v 1.35 2002/06/19 00:27:55 deraadt Exp $ +.\" $OpenBSD: ssh-add.1,v 1.37 2003/02/10 11:51:47 markus Exp $ .\" .\" -*- nroff -*- .\" @@ -45,7 +45,7 @@ .Nd adds RSA or DSA identities to the authentication agent .Sh SYNOPSIS .Nm ssh-add -.Op Fl lLdDxX +.Op Fl lLdDxXc .Op Fl t Ar life .Op Ar .Nm ssh-add @@ -92,7 +92,15 @@ Set a maximum lifetime when adding identities to an agent. The lifetime may be specified in seconds or in a time format specified in -.Xr sshd 8 . +.Xr sshd_config 5 . +.It Fl c +Indicates that added identities should be subject to confirmation before +being used for authentication. Confirmation is performed by the +.Ev SSH_ASKPASS +program mentioned below. Successful confirmation is signaled by a zero +exit status from the +.Ev SSH_ASKPASS +program, rather than text entered into the requester. .It Fl s Ar reader Add key in smartcard .Ar reader . diff -ru openssh-3.5p1/ssh-add.c openssh-3.6p1/ssh-add.c --- openssh-3.5p1/ssh-add.c 2002-09-22 01:26:02.000000000 +1000 +++ openssh-3.6p1/ssh-add.c 2003-03-10 11:21:18.000000000 +1100 @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-add.c,v 1.63 2002/09/19 15:51:23 markus Exp $"); +RCSID("$OpenBSD: ssh-add.c,v 1.66 2003/03/05 22:33:43 markus Exp $"); #include @@ -70,6 +70,9 @@ /* Default lifetime (0 == forever) */ static int lifetime = 0; +/* User has to confirm key use */ +static int confirm = 0; + /* we keep a cache of one passphrases */ static char *pass = NULL; static void 
@@ -165,12 +168,16 @@ } } - if (ssh_add_identity_constrained(ac, private, comment, lifetime)) { + if (ssh_add_identity_constrained(ac, private, comment, lifetime, + confirm)) { fprintf(stderr, "Identity added: %s (%s)\n", filename, comment); ret = 0; if (lifetime != 0) - fprintf(stderr, + fprintf(stderr, "Lifetime set to %d seconds\n", lifetime); + if (confirm != 0) + fprintf(stderr, + "The user has to confirm each use of the key\n"); } else if (ssh_add_identity(ac, private, comment)) { fprintf(stderr, "Identity added: %s (%s)\n", filename, comment); ret = 0; @@ -188,6 +195,7 @@ update_card(AuthenticationConnection *ac, int add, const char *id) { char *pin; + int ret = -1; pin = read_passphrase("Enter passphrase for smartcard: ", RP_ALLOW_STDIN); if (pin == NULL) @@ -196,12 +204,14 @@ if (ssh_update_card(ac, add, id, pin)) { fprintf(stderr, "Card %s: %s\n", add ? "added" : "removed", id); - return 0; + ret = 0; } else { fprintf(stderr, "Could not %s card: %s\n", add ? "add" : "remove", id); - return -1; + ret = -1; } + xfree(pin); + return ret; } static int @@ -292,6 +302,7 @@ fprintf(stderr, " -x Lock agent.\n"); fprintf(stderr, " -X Unlock agent.\n"); fprintf(stderr, " -t life Set lifetime (in seconds) when adding identities.\n"); + fprintf(stderr, " -c Require confirmation to sign using identities\n"); #ifdef SMARTCARD fprintf(stderr, " -s reader Add key in smartcard reader.\n"); fprintf(stderr, " -e reader Remove key in smartcard reader.\n"); @@ -319,7 +330,7 @@ fprintf(stderr, "Could not open a connection to your authentication agent.\n"); exit(2); } - while ((ch = getopt(argc, argv, "lLdDxXe:s:t:")) != -1) { + while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) { switch (ch) { case 'l': case 'L': 
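Review bot: In the ssh-add.c hunk at @@ -165,12 +168,16 @@, the unchanged `else if (ssh_add_identity(ac, private, comment))` branch still runs when `ssh_add_identity_constrained(ac, private, comment, lifetime, confirm)` fails, so a key loaded with -c or -t can land in the agent with no constraint and the plain "Identity added" message. Suggest taking the unconstrained fallback only when `lifetime == 0 && confirm == 0`, and otherwise reporting the failure and leaving `ret` at its error value.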
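Review bot: In update_card() (ssh-add.c hunk at @@ -196,12 +204,14 @@), the added `xfree(pin);` releases the smartcard PIN without clearing it, so the PIN stays in freed heap memory. Suggest `memset(pin, 0, strlen(pin));` immediately before the `xfree(pin);`. The `ret = -1;` in the else branch is also redundant now that the previous hunk initialises `ret` to -1.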
@@ -333,6 +344,9 @@ ret = 1; goto done; break; + case 'c': + confirm = 1; + break; case 'd': deleting = 1; break; diff -ru openssh-3.5p1/ssh-agent.0 openssh-3.6p1/ssh-agent.0 --- openssh-3.5p1/ssh-agent.0 2002-10-04 11:31:44.000000000 +1000 +++ openssh-3.6p1/ssh-agent.0 2003-03-26 16:12:37.000000000 +1100 
@@ -1,56 +1,63 @@ -SSH-AGENT(1) System General Commands Manual SSH-AGENT(1) +SSHM-bM-^@M-^PAGENT(1) BSD General Commands Manual SSHM-bM-^@M-^PAGENT(1) -NAME - ssh-agent - authentication agent +^[[1mNAME^[[0m + ^[[1msshM-bM-^@M-^Pagent ^[[22mM-bMM-^R authentication agent -SYNOPSIS - ssh-agent [-a bind_address] [-c | -s] [-d] [command [args ...]] - ssh-agent [-c | -s] -k - -DESCRIPTION - ssh-agent is a program to hold private keys used for public key authentiM-- - cation (RSA, DSA). The idea is that ssh-agent is started in the beginM-- - ning of an X-session or a login session, and all other windows or proM-- - grams are started as clients to the ssh-agent program. Through use of +^[[1mSYNOPSIS^[[0m + ^[[1msshM-bM-^@M-^Pagent ^[[22m[^[[1mM-bMM-^Ra ^[[4m^[[22mbind_address^[[24m] [^[[1mM-bMM-^Rc ^[[22m| ^[[1mM-bMM-^Rs^[[22m] [^[[1mM-bMM-^Rt ^[[4m^[[22mlife^[[24m] [^[[1mM-bMM-^Rd^[[22m] [^[[4mcommand^[[24m [^[[4margs^[[24m ^[[4m...^[[24m]] + ^[[1msshM-bM-^@M-^Pagent ^[[22m[^[[1mM-bMM-^Rc ^[[22m| ^[[1mM-bMM-^Rs^[[22m] ^[[1mM-bMM-^Rk^[[0m + +^[[1mDESCRIPTION^[[0m + ^[[1msshM-bM-^@M-^Pagent ^[[22mis a program to hold private keys used for public key authentiM-bM-^@M-^P + cation (RSA, DSA). The idea is that ^[[1msshM-bM-^@M-^Pagent ^[[22mis started in the beginM-bM-^@M-^P + ning of an XM-bM-^@M-^Psession or a login session, and all other windows or proM-bM-^@M-^P + grams are started as clients to the sshM-bM-^@M-^Pagent program. Through use of environment variables the agent can be located and automatically used for authentication when logging in to other machines using ssh(1). The options are as follows: - -a bind_address - Bind the agent to the unix-domain socket bind_address. The - default is /tmp/ssh-XXXXXXXX/agent.. + ^[[1mM-bMM-^Ra ^[[4m^[[22mbind_address^[[0m + Bind the agent to the unixM-bM-^@M-^Pdomain socket ^[[4mbind_address^[[24m. The + default is ^[[4m/tmp/sshM-bM-^@M-^PXXXXXXXX/agent.^[[24m. - -c Generate C-shell commands on stdout. 
This is the default if - SHELL looks like it's a csh style of shell. + ^[[1mM-bMM-^Rc ^[[22mGenerate CM-bM-^@M-^Pshell commands on stdout. This is the default if + SHELL looks like itM-bM-^@M-^Ys a csh style of shell. - -s Generate Bourne shell commands on stdout. This is the default if - SHELL does not look like it's a csh style of shell. + ^[[1mM-bMM-^Rs ^[[22mGenerate Bourne shell commands on stdout. This is the default if + SHELL does not look like itM-bM-^@M-^Ys a csh style of shell. - -k Kill the current agent (given by the SSH_AGENT_PID environment + ^[[1mM-bMM-^Rk ^[[22mKill the current agent (given by the SSH_AGENT_PID environment variable). - -d Debug mode. When this option is specified ssh-agent will not + ^[[1mM-bMM-^Rt ^[[4m^[[22mlife^[[0m + Set a default value for the maximum lifetime of identities added + to the agent. The lifetime may be specified in seconds or in a + time format specified in sshd(8). A lifetime specified for an + identity with sshM-bM-^@M-^Padd(1) overrides this value. Without this + option the default maximum lifetime is forever. + + ^[[1mM-bMM-^Rd ^[[22mDebug mode. When this option is specified ^[[1msshM-bM-^@M-^Pagent ^[[22mwill not fork. If a commandline is given, this is executed as a subprocess of the agent. When the command dies, so does the agent. The agent initially does not have any private keys. Keys are added using - ssh-add(1). When executed without arguments, ssh-add(1) adds the files - $HOME/.ssh/id_rsa, $HOME/.ssh/id_dsa and $HOME/.ssh/identity. If the - identity has a passphrase, ssh-add(1) asks for the passphrase (using a - small X11 application if running under X11, or from the terminal if runM-- - ning without X). It then sends the identity to the agent. Several idenM-- + sshM-bM-^@M-^Padd(1). When executed without arguments, sshM-bM-^@M-^Padd(1) adds the files + ^[[4m$HOME/.ssh/id_rsa^[[24m, ^[[4m$HOME/.ssh/id_dsa^[[24m and ^[[4m$HOME/.ssh/identity^[[24m. 
If the + identity has a passphrase, sshM-bM-^@M-^Padd(1) asks for the passphrase (using a + small X11 application if running under X11, or from the terminal if runM-bM-^@M-^P + ning without X). It then sends the identity to the agent. Several idenM-bM-^@M-^P tities can be stored in the agent; the agent can automatically use any of - these identities. ssh-add -l displays the identities currently held by + these identities. ^[[1msshM-bM-^@M-^Padd M-bM-^@M-^Pl ^[[22mdisplays the identities currently held by the agent. - The idea is that the agent is run in the user's local PC, laptop, or terM-- + The idea is that the agent is run in the userM-bM-^@M-^Ys local PC, laptop, or terM-bM-^@M-^P minal. Authentication data need not be stored on any other machine, and - authentication passphrases never go over the network. However, the conM-- + authentication passphrases never go over the network. However, the conM-bM-^@M-^P nection to the agent is forwarded over SSH remote logins, and the user - can thus use the privileges given by the identities anywhere in the netM-- + can thus use the privileges given by the identities anywhere in the netM-bM-^@M-^P work in a secure way. There are two main ways to get an agent setup: Either the agent starts a 
@@ -62,20 +69,20 @@ The agent will never send a private key over its request channel. Instead, operations that require a private key will be performed by the - agent, and the result will be returned to the requester. This way, priM-- + agent, and the result will be returned to the requester. This way, priM-bM-^@M-^P vate keys are not exposed to clients using the agent. - A unix-domain socket is created and the name of this socket is stored in + A unixM-bM-^@M-^Pdomain socket is created and the name of this socket is stored in the SSH_AUTH_SOCK environment variable. The socket is made accessible only to the current user. This method is easily abused by root or another instance of the same user. - The SSH_AGENT_PID environment variable holds the agent's process ID. + The SSH_AGENT_PID environment variable holds the agentM-bM-^@M-^Ys process ID. The agent exits automatically when the command given on the command line terminates. -FILES +^[[1mFILES^[[0m $HOME/.ssh/identity Contains the protocol version 1 RSA authentication identity of the user. 
@@ -88,20 +95,20 @@ Contains the protocol version 2 RSA authentication identity of the user. - /tmp/ssh-XXXXXXXX/agent. - Unix-domain sockets used to contain the connection to the authenM-- + /tmp/sshM-bM-^@M-^PXXXXXXXX/agent. + UnixM-bM-^@M-^Pdomain sockets used to contain the connection to the authenM-bM-^@M-^P tication agent. These sockets should only be readable by the owner. The sockets should get automatically removed when the agent exits. -AUTHORS +^[[1mAUTHORS^[[0m OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo - de Raadt and Dug Song removed many bugs, re-added newer features and creM-- + de Raadt and Dug Song removed many bugs, reM-bM-^@M-^Padded newer features and creM-bM-^@M-^P ated OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -SEE ALSO - ssh(1), ssh-add(1), ssh-keygen(1), sshd(8) +^[[1mSEE ALSO^[[0m + ssh(1), sshM-bM-^@M-^Padd(1), sshM-bM-^@M-^Pkeygen(1), sshd(8) BSD September 25, 1999 BSD diff -ru openssh-3.5p1/ssh-agent.1 openssh-3.6p1/ssh-agent.1 --- openssh-3.5p1/ssh-agent.1 2002-06-26 09:16:32.000000000 +1000 +++ openssh-3.6p1/ssh-agent.1 2003-01-22 11:47:19.000000000 +1100 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.35 2002/06/24 13:12:23 markus Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.36 2003/01/21 18:14:36 marc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -44,6 +44,7 @@ .Nm ssh-agent .Op Fl a Ar bind_address .Op Fl c Li | Fl s +.Op Fl t Ar life .Op Fl d .Op Ar command Op Ar args ... .Nm ssh-agent 
@@ -86,6 +87,14 @@ Kill the current agent (given by the .Ev SSH_AGENT_PID environment variable). +.It Fl t Ar life +Set a default value for the maximum lifetime of identities added to the agent. +The lifetime may be specified in seconds or in a time format specified in +.Xr sshd 8 . +A lifetime specified for an identity with +.Xr ssh-add 1 +overrides this value. +Without this option the default maximum lifetime is forever. .It Fl d Debug mode. When this option is specified .Nm diff -ru openssh-3.5p1/ssh-agent.c openssh-3.6p1/ssh-agent.c --- openssh-3.5p1/ssh-agent.c 2002-10-03 11:54:36.000000000 +1000 +++ openssh-3.6p1/ssh-agent.c 2003-03-15 11:37:09.000000000 +1100 @@ -35,7 +35,7 @@ #include "includes.h" #include "openbsd-compat/sys-queue.h" -RCSID("$OpenBSD: ssh-agent.c,v 1.105 2002/10/01 20:34:12 markus Exp $"); +RCSID("$OpenBSD: ssh-agent.c,v 1.108 2003/03/13 11:44:50 markus Exp $"); #include #include @@ -50,6 +50,8 @@ #include "authfd.h" #include "compat.h" #include "log.h" +#include "readpass.h" +#include "misc.h" #ifdef SMARTCARD #include "scard.h" @@ -77,6 +79,7 @@ Key *key; char *comment; u_int death; + u_int confirm; } Identity; typedef struct { @@ -106,6 +109,9 @@ char *__progname; #endif +/* Default lifetime (0 == forever) */ +static int lifetime = 0; + static void close_socket(SocketEntry *e) { 
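Review bot: The new -t text in the ssh-agent.1 hunk at @@ -86,6 +87,14 @@ sends readers to `.Xr sshd 8 .` for the time format, while the ssh-add.1 hunk in this same patch changes the equivalent reference to `.Xr sshd_config 5 .`, so the two pages now disagree. Suggest using `.Xr sshd_config 5 .` here as well; the regenerated ssh-agent.0 text carries the same sshd(8) reference and would need regenerating.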
@@ -159,6 +165,30 @@ return (NULL); } +/* Check confirmation of keysign request */ +static int +confirm_key(Identity *id) +{ + char *p, prompt[1024]; + int ret = -1; + + p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); + snprintf(prompt, sizeof(prompt), "Allow use of key %s?\n" + "Key fingerprint %s.", id->comment, p); + xfree(p); + p = read_passphrase(prompt, RP_ALLOW_EOF); + if (p != NULL) { + /* + * Accept empty responses and responses consisting + * of the word "yes" as affirmative. + */ + if (*p == '\0' || *p == '\n' || strcasecmp(p, "yes") == 0) + ret = 0; + xfree(p); + } + return (ret); +} + /* send list of supported public keys to 'client' */ static void process_request_identities(SocketEntry *e, int version) @@ -222,7 +252,7 @@ goto failure; id = lookup_identity(key, 1); - if (id != NULL) { + if (id != NULL && (!id->confirm || confirm_key(id) == 0)) { Key *private = id->key; /* Decrypt the challenge using the private key. */ if (rsa_private_decrypt(challenge, challenge, private->rsa) <= 0) @@ -282,7 +312,7 @@ key = key_from_blob(blob, blen); if (key != NULL) { Identity *id = lookup_identity(key, 2); - if (id != NULL) + if (id != NULL && (!id->confirm || confirm_key(id) == 0)) ok = key_sign(id->key, &signature, &slen, data, dlen); } key_free(key); @@ -402,7 +432,7 @@ process_add_identity(SocketEntry *e, int version) { Idtab *tab = idtab_lookup(version); - int type, success = 0, death = 0; + int type, success = 0, death = 0, confirm = 0; char *type_name, *comment; Key *k = NULL; @@ -453,6 +483,17 @@ } break; } + /* enable blinding */ + switch (k->type) { + case KEY_RSA: + case KEY_RSA1: + if (RSA_blinding_on(k->rsa, NULL) != 1) { + error("process_add_identity: RSA_blinding_on failed"); + key_free(k); + goto send; + } + break; + } comment = buffer_get_string(&e->request, NULL); if (k == NULL) { xfree(comment); 
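Review bot: confirm_key() in the ssh-agent.c hunk at @@ -159,6 +165,30 @@ treats an empty response as approval (`*p == '\0' || *p == '\n'`), so the check defaults to allow whenever the prompt returns a string with no input in it. The ssh-add.1 hunk documents a zero exit status from the SSH_ASKPASS program as the confirmation signal, and nothing in this function shows how a non-zero exit maps onto `p`; suggest a comment stating that contract next to the `read_passphrase(prompt, RP_ALLOW_EOF)` call, so that the default-allow branch can be checked against it.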
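Review bot: The new `switch (k->type)` blinding block in the ssh-agent.c hunk at @@ -453,6 +483,17 @@ dereferences `k` before the existing `if (k == NULL)` check that follows `comment = buffer_get_string(&e->request, NULL);`. Either that check is dead code or this is a NULL dereference on a malformed add request; suggest moving the blinding block below the NULL check, or removing the check with a comment explaining why `k` cannot be NULL at this point.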
@@ -464,15 +505,21 @@ case SSH_AGENT_CONSTRAIN_LIFETIME: death = time(NULL) + buffer_get_int(&e->request); break; + case SSH_AGENT_CONSTRAIN_CONFIRM: + confirm = 1; + break; default: break; } } + if (lifetime && !death) + death = time(NULL) + lifetime; if (lookup_identity(k, version) == NULL) { Identity *id = xmalloc(sizeof(Identity)); id->key = k; id->comment = comment; id->death = death; + id->confirm = confirm; TAILQ_INSERT_TAIL(&tab->idlist, id, next); /* Increment the number of identities. */ tab->nentries++; @@ -557,6 +604,7 @@ id->key = k; id->comment = xstrdup("smartcard key"); id->death = 0; + id->confirm = 0; TAILQ_INSERT_TAIL(&tab->idlist, id, next); tab->nentries++; success = 1; @@ -930,13 +978,15 @@ fprintf(stderr, " -k Kill the current agent.\n"); fprintf(stderr, " -d Debug mode.\n"); fprintf(stderr, " -a socket Bind agent socket to given name.\n"); + fprintf(stderr, " -t life Default identity lifetime (seconds).\n"); exit(1); } int main(int ac, char **av) { - int sock, c_flag = 0, d_flag = 0, k_flag = 0, s_flag = 0, ch, nalloc; + int c_flag = 0, d_flag = 0, k_flag = 0, s_flag = 0; + int sock, fd, ch, nalloc; char *shell, *format, *pidstr, *agentsocket = NULL; fd_set *readsetp = NULL, *writesetp = NULL; struct sockaddr_un sunaddr; @@ -961,7 +1011,7 @@ init_rng(); seed_rng(); - while ((ch = getopt(ac, av, "cdksa:")) != -1) { + while ((ch = getopt(ac, av, "cdksa:t:")) != -1) { switch (ch) { case 'c': if (s_flag) @@ -984,6 +1034,12 @@ case 'a': agentsocket = optarg; break; + case 't': + if ((lifetime = convtime(optarg)) == -1) { + fprintf(stderr, "Invalid lifetime\n"); + usage(); + } + break; default: usage(); } 
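Review bot: In the smartcard path (ssh-agent.c hunk at @@ -557,6 +604,7 @@) the identity is inserted with `id->death = 0;` and `id->confirm = 0;`, so it never picks up the agent-wide default that the @@ -464,15 +505,21 @@ hunk applies with `if (lifetime && !death)`. The new man page text describes -t as the default for "identities added to the agent" without exception; suggest setting `id->death` from `lifetime` here too, or documenting that smartcard keys are exempt.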
@@ -1116,9 +1172,14 @@ } (void)chdir("/"); - close(0); - close(1); - close(2); + if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) { + /* XXX might close listen socket */ + (void)dup2(fd, STDIN_FILENO); + (void)dup2(fd, STDOUT_FILENO); + (void)dup2(fd, STDERR_FILENO); + if (fd > 2) + close(fd); + } #ifdef HAVE_SETRLIMIT /* deny core dumps, since memory contains unencrypted private keys */ diff -ru openssh-3.5p1/ssh-dss.c openssh-3.6p1/ssh-dss.c --- openssh-3.5p1/ssh-dss.c 2002-07-08 08:13:31.000000000 +1000 +++ openssh-3.6p1/ssh-dss.c 2003-02-24 12:01:41.000000000 +1100 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-dss.c,v 1.17 2002/07/04 10:41:47 markus Exp $"); +RCSID("$OpenBSD: ssh-dss.c,v 1.18 2003/02/12 09:33:04 markus Exp $"); #include #include @@ -34,7 +34,6 @@ #include "compat.h" #include "log.h" #include "key.h" -#include "ssh-dss.h" #define INTBLOB_LEN 20 #define SIGBLOB_LEN (2*INTBLOB_LEN) Only in openssh-3.5p1: ssh-dss.h diff -ru openssh-3.5p1/ssh-keygen.0 openssh-3.6p1/ssh-keygen.0 --- openssh-3.5p1/ssh-keygen.0 2002-10-04 11:31:44.000000000 +1000 +++ openssh-3.6p1/ssh-keygen.0 2003-03-26 16:12:37.000000000 +1100 
@@ -1,45 +1,45 @@ -SSH-KEYGEN(1) System General Commands Manual SSH-KEYGEN(1) +SSHM-bM-^@M-^PKEYGEN(1) BSD General Commands Manual SSHM-bM-^@M-^PKEYGEN(1) -NAME - ssh-keygen - authentication key generation, management and conversion +^[[1mNAME^[[0m + ^[[1msshM-bM-^@M-^Pkeygen ^[[22mM-bMM-^R authentication key generation, management and conversion -SYNOPSIS - ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment] - [-f output_keyfile] - ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile] - ssh-keygen -i [-f input_keyfile] - ssh-keygen -e [-f input_keyfile] - ssh-keygen -y [-f input_keyfile] - ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile] - ssh-keygen -l [-f input_keyfile] - ssh-keygen -B [-f input_keyfile] - ssh-keygen -D reader - ssh-keygen -U reader [-f input_keyfile] - -DESCRIPTION - ssh-keygen generates, manages and converts authentication keys for - ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1 +^[[1mSYNOPSIS^[[0m + ^[[1msshM-bM-^@M-^Pkeygen ^[[22m[^[[1mM-bMM-^Rq^[[22m] [^[[1mM-bMM-^Rb ^[[4m^[[22mbits^[[24m] ^[[1mM-bMM-^Rt ^[[4m^[[22mtype^[[24m [^[[1mM-bMM-^RN ^[[4m^[[22mnew_passphrase^[[24m] [^[[1mM-bMM-^RC ^[[4m^[[22mcomment^[[24m] + [^[[1mM-bMM-^Rf ^[[4m^[[22moutput_keyfile^[[24m] + ^[[1msshM-bM-^@M-^Pkeygen M-bMM-^Rp ^[[22m[^[[1mM-bMM-^RP ^[[4m^[[22mold_passphrase^[[24m] [^[[1mM-bMM-^RN ^[[4m^[[22mnew_passphrase^[[24m] [^[[1mM-bMM-^Rf ^[[4m^[[22mkeyfile^[[24m] + ^[[1msshM-bM-^@M-^Pkeygen M-bMM-^Ri ^[[22m[^[[1mM-bMM-^Rf ^[[4m^[[22minput_keyfile^[[24m] + ^[[1msshM-bM-^@M-^Pkeygen M-bMM-^Re ^[[22m[^[[1mM-bMM-^Rf ^[[4m^[[22minput_keyfile^[[24m] + ^[[1msshM-bM-^@M-^Pkeygen M-bMM-^Ry ^[[22m[^[[1mM-bMM-^Rf ^[[4m^[[22minput_keyfile^[[24m] + ^[[1msshM-bM-^@M-^Pkeygen M-bMM-^Rc ^[[22m[^[[1mM-bMM-^RP ^[[4m^[[22mpassphrase^[[24m] [^[[1mM-bMM-^RC ^[[4m^[[22mcomment^[[24m] [^[[1mM-bMM-^Rf ^[[4m^[[22mkeyfile^[[24m] + ^[[1msshM-bM-^@M-^Pkeygen M-bMM-^Rl ^[[22m[^[[1mM-bMM-^Rf ^[[4m^[[22minput_keyfile^[[24m] + 
^[[1msshM-bM-^@M-^Pkeygen M-bMM-^RB ^[[22m[^[[1mM-bMM-^Rf ^[[4m^[[22minput_keyfile^[[24m] + ^[[1msshM-bM-^@M-^Pkeygen M-bMM-^RD ^[[4m^[[22mreader^[[0m + ^[[1msshM-bM-^@M-^Pkeygen M-bMM-^RU ^[[4m^[[22mreader^[[24m [^[[1mM-bMM-^Rf ^[[4m^[[22minput_keyfile^[[24m] + +^[[1mDESCRIPTION^[[0m + ^[[1msshM-bM-^@M-^Pkeygen ^[[22mgenerates, manages and converts authentication keys for + ssh(1). ^[[1msshM-bM-^@M-^Pkeygen ^[[22mcan create RSA keys for use by SSH protocol version 1 and RSA or DSA keys for use by SSH protocol version 2. The type of key to - be generated is specified with the -t option. + be generated is specified with the ^[[1mM-bMM-^Rt ^[[22moption. Normally each user wishing to use SSH with RSA or DSA authentication runs - this once to create the authentication key in $HOME/.ssh/identity, - $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa. Additionally, the system adminM-- - istrator may use this to generate host keys, as seen in /etc/rc. + this once to create the authentication key in ^[[4m$HOME/.ssh/identity^[[24m, + ^[[4m$HOME/.ssh/id_dsa^[[24m or ^[[4m$HOME/.ssh/id_rsa^[[24m. Additionally, the system adminM-bM-^@M-^P + istrator may use this to generate host keys, as seen in ^[[4m/etc/rc^[[24m. Normally this program generates the key and asks for a file in which to store the private key. The public key is stored in a file with the same - name but ``.pub'' appended. The program also asks for a passphrase. The + name but M-bM-^@M-^\.pubM-bM-^@M-^] appended. The program also asks for a passphrase. The passphrase may be empty to indicate no passphrase (host keys must have an empty passphrase), or it may be a string of arbitrary length. A passphrase is similar to a password, except it can be a phrase with a - series of words, punctuation, numbers, whitespace, or any string of charM-- - acters you want. Good passphrases are 10-30 characters long, are not + series of words, punctuation, numbers, whitespace, or any string of charM-bM-^@M-^P + acters you want. 
Good passphrases are 10M-bM-^@M-^P30 characters long, are not simple sentences or otherwise easily guessable (English prose has only - 1-2 bits of entropy per character, and provides very bad passphrases), - and contain a mix of upper and lowercase letters, numbers, and non- + 1M-bM-^@M-^P2 bits of entropy per character, and provides very bad passphrases), + and contain a mix of upper and lowercase letters, numbers, and nonM-bM-^@M-^P alphanumeric characters. The passphrase can be changed later by using - the -p option. + the ^[[1mM-bMM-^Rp ^[[22moption. There is no way to recover a lost passphrase. If the passphrase is lost or forgotten, a new key must be generated and copied to the corresponding 
@@ -47,91 +47,90 @@ For RSA1 keys, there is also a comment field in the key file that is only for convenience to the user to help identify the key. The comment can - tell what the key is for, or whatever is useful. The comment is initialM-- - ized to ``user@host'' when the key is created, but can be changed using - the -c option. + tell what the key is for, or whatever is useful. The comment is initialM-bM-^@M-^P + ized to M-bM-^@M-^\user@hostM-bM-^@M-^] when the key is created, but can be changed using the + ^[[1mM-bMM-^Rc ^[[22moption. After a key is generated, instructions below detail where the keys should be placed to be activated. The options are as follows: - -b bits + ^[[1mM-bMM-^Rb ^[[4m^[[22mbits^[[0m Specifies the number of bits in the key to create. Minimum is - 512 bits. Generally 1024 bits is considered sufficient, and key - sizes above that no longer improve security but make things - slower. The default is 1024 bits. + 512 bits. Generally, 1024 bits is considered sufficient. The + default is 1024 bits. - -c Requests changing the comment in the private and public key - files. This operation is only supported for RSA1 keys. The proM-- + ^[[1mM-bMM-^Rc ^[[22mRequests changing the comment in the private and public key + files. This operation is only supported for RSA1 keys. The proM-bM-^@M-^P gram will prompt for the file containing the private keys, for the passphrase if the key has one, and for the new comment. - -e This option will read a private or public OpenSSH key file and - print the key in a `SECSH Public Key File Format' to stdout. + ^[[1mM-bMM-^Re ^[[22mThis option will read a private or public OpenSSH key file and + print the key in a M-bM-^@M-^XSECSH Public Key File FormatM-bM-^@M-^Y to stdout. This option allows exporting keys for use by several commercial SSH implementations. - -f filename + ^[[1mM-bMM-^Rf ^[[4m^[[22mfilename^[[0m Specifies the filename of the key file. 
- -i This option will read an unencrypted private (or public) key file - in SSH2-compatible format and print an OpenSSH compatible private - (or public) key to stdout. ssh-keygen also reads the `SECSH - Public Key File Format'. This option allows importing keys from + ^[[1mM-bMM-^Ri ^[[22mThis option will read an unencrypted private (or public) key file + in SSH2M-bM-^@M-^Pcompatible format and print an OpenSSH compatible private + (or public) key to stdout. ^[[1msshM-bM-^@M-^Pkeygen ^[[22malso reads the M-bM-^@M-^XSECSH + Public Key File FormatM-bM-^@M-^Y. This option allows importing keys from several commercial SSH implementations. - -l Show fingerprint of specified public key file. Private RSA1 keys - are also supported. For RSA and DSA keys ssh-keygen tries to + ^[[1mM-bMM-^Rl ^[[22mShow fingerprint of specified public key file. Private RSA1 keys + are also supported. For RSA and DSA keys ^[[1msshM-bM-^@M-^Pkeygen ^[[22mtries to find the matching public key file and prints its fingerprint. - -p Requests changing the passphrase of a private key file instead of + ^[[1mM-bMM-^Rp ^[[22mRequests changing the passphrase of a private key file instead of creating a new private key. The program will prompt for the file containing the private key, for the old passphrase, and twice for the new passphrase. - -q Silence ssh-keygen. Used by /etc/rc when creating a new key. + ^[[1mM-bMM-^Rq ^[[22mSilence ^[[1msshM-bM-^@M-^Pkeygen^[[22m. Used by ^[[4m/etc/rc^[[24m when creating a new key. - -y This option will read a private OpenSSH format file and print an + ^[[1mM-bMM-^Ry ^[[22mThis option will read a private OpenSSH format file and print an OpenSSH public key to stdout. - -t type + ^[[1mM-bMM-^Rt ^[[4m^[[22mtype^[[0m Specifies the type of the key to create. The possible values are - ``rsa1'' for protocol version 1 and ``rsa'' or ``dsa'' for protoM-- - col version 2. 
+ M-bM-^@M-^\rsa1M-bM-^@M-^] for protocol version 1 and M-bM-^@M-^\rsaM-bM-^@M-^] or M-bM-^@M-^\dsaM-bM-^@M-^] for protocol + version 2. - -B Show the bubblebabble digest of specified private or public key + ^[[1mM-bMM-^RB ^[[22mShow the bubblebabble digest of specified private or public key file. - -C comment + ^[[1mM-bMM-^RC ^[[4m^[[22mcomment^[[0m Provides the new comment. - -D reader - Download the RSA public key stored in the smartcard in reader. + ^[[1mM-bMM-^RD ^[[4m^[[22mreader^[[0m + Download the RSA public key stored in the smartcard in ^[[4mreader^[[24m. - -N new_passphrase + ^[[1mM-bMM-^RN ^[[4m^[[22mnew_passphrase^[[0m Provides the new passphrase. - -P passphrase + ^[[1mM-bMM-^RP ^[[4m^[[22mpassphrase^[[0m Provides the (old) passphrase. - -U reader - Upload an existing RSA private key into the smartcard in reader. + ^[[1mM-bMM-^RU ^[[4m^[[22mreader^[[0m + Upload an existing RSA private key into the smartcard in ^[[4mreader^[[24m. -FILES +^[[1mFILES^[[0m $HOME/.ssh/identity Contains the protocol version 1 RSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be used to encrypt the private part of this file using 3DES. This file is not automatically accessed by - ssh-keygen but it is offered as the default file for the private + ^[[1msshM-bM-^@M-^Pkeygen ^[[22mbut it is offered as the default file for the private key. ssh(1) will read this file when a login attempt is made. $HOME/.ssh/identity.pub - Contains the protocol version 1 RSA public key for authenticaM-- + Contains the protocol version 1 RSA public key for authenticaM-bM-^@M-^P tion. The contents of this file should be added to - $HOME/.ssh/authorized_keys on all machines where the user wishes + ^[[4m$HOME/.ssh/authorized_keys^[[24m on all machines where the user wishes to log in using RSA authentication. There is no need to keep the contents of this file secret. 
@@ -141,13 +140,13 @@ user. It is possible to specify a passphrase when generating the key; that passphrase will be used to encrypt the private part of this file using 3DES. This file is not automatically accessed by - ssh-keygen but it is offered as the default file for the private + ^[[1msshM-bM-^@M-^Pkeygen ^[[22mbut it is offered as the default file for the private key. ssh(1) will read this file when a login attempt is made. $HOME/.ssh/id_dsa.pub - Contains the protocol version 2 DSA public key for authenticaM-- + Contains the protocol version 2 DSA public key for authenticaM-bM-^@M-^P tion. The contents of this file should be added to - $HOME/.ssh/authorized_keys on all machines where the user wishes + ^[[4m$HOME/.ssh/authorized_keys^[[24m on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret. 
@@ -157,27 +156,27 @@ user. It is possible to specify a passphrase when generating the key; that passphrase will be used to encrypt the private part of this file using 3DES. This file is not automatically accessed by - ssh-keygen but it is offered as the default file for the private + ^[[1msshM-bM-^@M-^Pkeygen ^[[22mbut it is offered as the default file for the private key. ssh(1) will read this file when a login attempt is made. $HOME/.ssh/id_rsa.pub - Contains the protocol version 2 RSA public key for authenticaM-- + Contains the protocol version 2 RSA public key for authenticaM-bM-^@M-^P tion. The contents of this file should be added to - $HOME/.ssh/authorized_keys on all machines where the user wishes + ^[[4m$HOME/.ssh/authorized_keys^[[24m on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret. -AUTHORS +^[[1mAUTHORS^[[0m OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo - de Raadt and Dug Song removed many bugs, re-added newer features and creM-- + de Raadt and Dug Song removed many bugs, reM-bM-^@M-^Padded newer features and creM-bM-^@M-^P ated OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -SEE ALSO - ssh(1), ssh-add(1), ssh-agent(1), sshd(8) +^[[1mSEE ALSO^[[0m + ssh(1), sshM-bM-^@M-^Padd(1), sshM-bM-^@M-^Pagent(1), sshd(8) - J. Galbraith and R. Thayer, SECSH Public Key File Format, draft-ietf- - secsh-publickeyfile-01.txt, March 2001, work in progress material. + J. Galbraith and R. Thayer, ^[[4mSECSH^[[24m ^[[4mPublic^[[24m ^[[4mKey^[[24m ^[[4mFile^[[24m ^[[4mFormat^[[24m, draftM-bM-^@M-^PietfM-bM-^@M-^P + secshM-bM-^@M-^PpublickeyfileM-bM-^@M-^P01.txt, March 2001, work in progress material. 
BSD September 25, 1999 BSD diff -ru openssh-3.5p1/ssh-keygen.1 openssh-3.6p1/ssh-keygen.1 --- openssh-3.5p1/ssh-keygen.1 2002-06-21 10:41:52.000000000 +1000 +++ openssh-3.6p1/ssh-keygen.1 2002-12-23 13:11:55.000000000 +1100 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.54 2002/06/19 00:27:55 deraadt Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.55 2002/11/26 02:35:30 stevesk Exp $ .\" .\" -*- nroff -*- .\" @@ -147,8 +147,7 @@ .It Fl b Ar bits Specifies the number of bits in the key to create. Minimum is 512 bits. -Generally 1024 bits is considered sufficient, and key sizes -above that no longer improve security but make things slower. +Generally, 1024 bits is considered sufficient. The default is 1024 bits. .It Fl c Requests changing the comment in the private and public key files. diff -ru openssh-3.5p1/ssh-keygen.c openssh-3.6p1/ssh-keygen.c --- openssh-3.5p1/ssh-keygen.c 2002-07-21 05:05:40.000000000 +1000 +++ openssh-3.6p1/ssh-keygen.c 2002-12-23 13:11:03.000000000 +1100 @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.101 2002/06/23 09:39:55 deraadt Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.102 2002/11/26 00:45:03 wcobb Exp $"); #include #include @@ -109,7 +109,6 @@ snprintf(identity_file, sizeof(identity_file), "%s/%s", pw->pw_dir, name); fprintf(stderr, "%s (%s): ", prompt, identity_file); - fflush(stderr); if (fgets(buf, sizeof(buf), stdin) == NULL) exit(1); if (strchr(buf, '\n')) diff -ru openssh-3.5p1/ssh-keyscan.0 openssh-3.6p1/ssh-keyscan.0 --- openssh-3.5p1/ssh-keyscan.0 2002-10-04 11:31:44.000000000 +1000 +++ openssh-3.6p1/ssh-keyscan.0 2003-03-26 16:12:37.000000000 +1100 
@@ -1,101 +1,100 @@ -SSH-KEYSCAN(1) System General Commands Manual SSH-KEYSCAN(1) +SSHM-bM-^@M-^PKEYSCAN(1) BSD General Commands Manual SSHM-bM-^@M-^PKEYSCAN(1) -NAME - ssh-keyscan - gather ssh public keys +^[[1mNAME^[[0m + ^[[1msshM-bM-^@M-^Pkeyscan ^[[22mM-bMM-^R gather ssh public keys -SYNOPSIS - ssh-keyscan [-v46] [-p port] [-T timeout] [-t type] [-f file] - [host | addrlist namelist] [...] +^[[1mSYNOPSIS^[[0m + ^[[1msshM-bM-^@M-^Pkeyscan ^[[22m[^[[1mM-bMM-^Rv46^[[22m] [^[[1mM-bMM-^Rp ^[[4m^[[22mport^[[24m] [^[[1mM-bMM-^RT ^[[4m^[[22mtimeout^[[24m] [^[[1mM-bMM-^Rt ^[[4m^[[22mtype^[[24m] [^[[1mM-bMM-^Rf ^[[4m^[[22mfile^[[24m] + [^[[4mhost^[[24m | ^[[4maddrlist^[[24m ^[[4mnamelist^[[24m] [^[[4m...^[[24m] -DESCRIPTION - ssh-keyscan is a utility for gathering the public ssh host keys of a numM-- +^[[1mDESCRIPTION^[[0m + ^[[1msshM-bM-^@M-^Pkeyscan ^[[22mis a utility for gathering the public ssh host keys of a numM-bM-^@M-^P ber of hosts. It was designed to aid in building and verifying - ssh_known_hosts files. ssh-keyscan provides a minimal interface suitable + ^[[4mssh_known_hosts^[[24m files. ^[[1msshM-bM-^@M-^Pkeyscan ^[[22mprovides a minimal interface suitable for use by shell and perl scripts. - ssh-keyscan uses non-blocking socket I/O to contact as many hosts as posM-- + ^[[1msshM-bM-^@M-^Pkeyscan ^[[22muses nonM-bM-^@M-^Pblocking socket I/O to contact as many hosts as posM-bM-^@M-^P sible in parallel, so it is very efficient. The keys from a domain of 1,000 hosts can be collected in tens of seconds, even when some of those hosts are down or do not run ssh. For scanning, one does not need login - access to the machines that are being scanned, nor does the scanning proM-- + access to the machines that are being scanned, nor does the scanning proM-bM-^@M-^P cess involve any encryption. The options are as follows: - -p port + ^[[1mM-bMM-^Rp ^[[4m^[[22mport^[[0m Port to connect to on the remote host. - -T timeout - Set the timeout for connection attempts. 
If timeout seconds have + ^[[1mM-bMM-^RT ^[[4m^[[22mtimeout^[[0m + Set the timeout for connection attempts. If ^[[4mtimeout^[[24m seconds have elapsed since a connection was initiated to a host or since the last time anything was read from that host, then the connection is closed and the host in question considered unavailable. Default is 5 seconds. - -t type + ^[[1mM-bMM-^Rt ^[[4m^[[22mtype^[[0m Specifies the type of the key to fetch from the scanned hosts. - The possible values are ``rsa1'' for protocol version 1 and - ``rsa'' or ``dsa'' for protocol version 2. Multiple values may - be specified by separating them with commas. The default is - ``rsa1''. - - -f filename - Read hosts or addrlist namelist pairs from this file, one per - line. If - is supplied instead of a filename, ssh-keyscan will - read hosts or addrlist namelist pairs from the standard input. + The possible values are M-bM-^@M-^\rsa1M-bM-^@M-^] for protocol version 1 and M-bM-^@M-^\rsaM-bM-^@M-^] + or M-bM-^@M-^\dsaM-bM-^@M-^] for protocol version 2. Multiple values may be speciM-bM-^@M-^P + fied by separating them with commas. The default is M-bM-^@M-^\rsa1M-bM-^@M-^]. + + ^[[1mM-bMM-^Rf ^[[4m^[[22mfilename^[[0m + Read hosts or ^[[4maddrlist^[[24m ^[[4mnamelist^[[24m pairs from this file, one per + line. If ^[[4mM-bM-^@M-^P^[[24m is supplied instead of a filename, ^[[1msshM-bM-^@M-^Pkeyscan ^[[22mwill + read hosts or ^[[4maddrlist^[[24m ^[[4mnamelist^[[24m pairs from the standard input. - -v Verbose mode. Causes ssh-keyscan to print debugging messages + ^[[1mM-bMM-^Rv ^[[22mVerbose mode. Causes ^[[1msshM-bM-^@M-^Pkeyscan ^[[22mto print debugging messages about its progress. - -4 Forces ssh-keyscan to use IPv4 addresses only. + ^[[1mM-bMM-^R4 ^[[22mForces ^[[1msshM-bM-^@M-^Pkeyscan ^[[22mto use IPv4 addresses only. - -6 Forces ssh-keyscan to use IPv6 addresses only. + ^[[1mM-bMM-^R6 ^[[22mForces ^[[1msshM-bM-^@M-^Pkeyscan ^[[22mto use IPv6 addresses only. 
-SECURITY - If a ssh_known_hosts file is constructed using ssh-keyscan without veriM-- +^[[1mSECURITY^[[0m + If a ssh_known_hosts file is constructed using ^[[1msshM-bM-^@M-^Pkeyscan ^[[22mwithout veriM-bM-^@M-^P fying the keys, users will be vulnerable to attacks. On the other hand, - if the security model allows such a risk, ssh-keyscan can help in the + if the security model allows such a risk, ^[[1msshM-bM-^@M-^Pkeyscan ^[[22mcan help in the detection of tampered keyfiles or man in the middle attacks which have begun after the ssh_known_hosts file was created. -EXAMPLES - Print the rsa1 host key for machine hostname: +^[[1mEXAMPLES^[[0m + Print the ^[[4mrsa1^[[24m host key for machine ^[[4mhostname^[[24m: - $ ssh-keyscan hostname + $ sshM-bM-^@M-^Pkeyscan hostname - Find all hosts from the file ssh_hosts which have new or different keys - from those in the sorted file ssh_known_hosts: + Find all hosts from the file ^[[4mssh_hosts^[[24m which have new or different keys + from those in the sorted file ^[[4mssh_known_hosts^[[24m: - $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \ - sort -u - ssh_known_hosts | diff ssh_known_hosts - + $ sshM-bM-^@M-^Pkeyscan M-bM-^@M-^Pt rsa,dsa M-bM-^@M-^Pf ssh_hosts | \ + sort M-bM-^@M-^Pu M-bM-^@M-^P ssh_known_hosts | diff ssh_known_hosts M-bM-^@M-^P -FILES - Input format: +^[[1mFILES^[[0m + ^[[4mInput^[[24m ^[[4mformat:^[[0m 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 - Output format for rsa1 keys: + ^[[4mOutput^[[24m ^[[4mformat^[[24m ^[[4mfor^[[24m ^[[4mrsa1^[[24m ^[[4mkeys:^[[0m - host-or-namelist bits exponent modulus + hostM-bM-^@M-^PorM-bM-^@M-^Pnamelist bits exponent modulus - Output format for rsa and dsa keys: + ^[[4mOutput^[[24m ^[[4mformat^[[24m ^[[4mfor^[[24m ^[[4mrsa^[[24m ^[[4mand^[[24m ^[[4mdsa^[[24m ^[[4mkeys:^[[0m - host-or-namelist keytype base64-encoded-key + hostM-bM-^@M-^PorM-bM-^@M-^Pnamelist keytype base64M-bM-^@M-^PencodedM-bM-^@M-^Pkey - Where keytype is either ``ssh-rsa'' or ``ssh-dsa''. 
+ Where ^[[4mkeytype^[[24m is either M-bM-^@M-^\sshM-bM-^@M-^PrsaM-bM-^@M-^] or M-bM-^@M-^\sshM-bM-^@M-^PdsaM-bM-^@M-^]. - /etc/ssh/ssh_known_hosts + ^[[4m/etc/ssh/ssh_known_hosts^[[0m -BUGS +^[[1mBUGS^[[0m It generates "Connection closed by remote host" messages on the consoles of all the machines it scans if the server is older than version 2.9. This is because it opens a connection to the ssh port, reads the public key, and drops the connection as soon as it gets the key. -SEE ALSO +^[[1mSEE ALSO^[[0m ssh(1), sshd(8) -AUTHORS +^[[1mAUTHORS^[[0m David Mazieres wrote the initial version, and Wayne Davison added support for protocol version 2. diff -ru openssh-3.5p1/ssh-keyscan.c openssh-3.6p1/ssh-keyscan.c --- openssh-3.5p1/ssh-keyscan.c 2002-09-12 10:43:32.000000000 +1000 +++ openssh-3.6p1/ssh-keyscan.c 2003-02-24 12:03:03.000000000 +1100 @@ -7,7 +7,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keyscan.c,v 1.40 2002/07/06 17:47:58 stevesk Exp $"); +RCSID("$OpenBSD: ssh-keyscan.c,v 1.41 2003/02/16 17:09:57 markus Exp $"); #include "openbsd-compat/sys-queue.h" @@ -354,6 +354,8 @@ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = c->c_keytype == KT_DSA? "ssh-dss": "ssh-rsa"; c->c_kex = kex_setup(myproposal); + c->c_kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client; + c->c_kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; c->c_kex->verify_host_key = hostjump; if (!(j = setjmp(kexjmp))) { diff -ru openssh-3.5p1/ssh-keysign.0 openssh-3.6p1/ssh-keysign.0 --- openssh-3.5p1/ssh-keysign.0 2002-10-04 11:31:46.000000000 +1000 +++ openssh-3.6p1/ssh-keysign.0 2003-03-26 16:12:39.000000000 +1100 
@@ -1,42 +1,42 @@ -SSH-KEYSIGN(8) System Manager's Manual SSH-KEYSIGN(8) +SSHM-bM-^@M-^PKEYSIGN(8) BSD System ManagerM-bM-^@M-^Ys Manual SSHM-bM-^@M-^PKEYSIGN(8) -NAME - ssh-keysign - ssh helper program for hostbased authentication +^[[1mNAME^[[0m + ^[[1msshM-bM-^@M-^Pkeysign ^[[22mM-bMM-^R ssh helper program for hostbased authentication -SYNOPSIS - ssh-keysign +^[[1mSYNOPSIS^[[0m + ^[[1msshM-bM-^@M-^Pkeysign^[[0m -DESCRIPTION - ssh-keysign is used by ssh(1) to access the local host keys and generate +^[[1mDESCRIPTION^[[0m + ^[[1msshM-bM-^@M-^Pkeysign ^[[22mis used by ssh(1) to access the local host keys and generate the digital signature required during hostbased authentication with SSH protocol version 2. - ssh-keysign is disabled by default and can only be enabled in the the - global client configuration file /etc/ssh/ssh_config by setting - HostbasedAuthentication to ``yes''. + ^[[1msshM-bM-^@M-^Pkeysign ^[[22mis disabled by default and can only be enabled in the global + client configuration file ^[[4m/etc/ssh/ssh_config^[[24m by setting ^[[1mEnableSSHKeysign^[[0m + to M-bM-^@M-^\yesM-bM-^@M-^]. - ssh-keysign is not intended to be invoked by the user, but from ssh(1). - See ssh(1) and sshd(8) for more information about hostbased authenticaM-- + ^[[1msshM-bM-^@M-^Pkeysign ^[[22mis not intended to be invoked by the user, but from ssh(1). + See ssh(1) and sshd(8) for more information about hostbased authenticaM-bM-^@M-^P tion. -FILES +^[[1mFILES^[[0m /etc/ssh/ssh_config - Controls whether ssh-keysign is enabled. + Controls whether ^[[1msshM-bM-^@M-^Pkeysign ^[[22mis enabled. /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key These files contain the private parts of the host keys used to generate the digital signature. They should be owned by root, readable only by root, and not accessible to others. 
Since they - are readable only by root, ssh-keysign must be set-uid root if + are readable only by root, ^[[1msshM-bM-^@M-^Pkeysign ^[[22mmust be setM-bM-^@M-^Puid root if hostbased authentication is used. -SEE ALSO - ssh(1), ssh-keygen(1), ssh_config(5), sshd(8) +^[[1mSEE ALSO^[[0m + ssh(1), sshM-bM-^@M-^Pkeygen(1), ssh_config(5), sshd(8) -AUTHORS +^[[1mAUTHORS^[[0m Markus Friedl -HISTORY - ssh-keysign first appeared in OpenBSD 3.2. +^[[1mHISTORY^[[0m + ^[[1msshM-bM-^@M-^Pkeysign ^[[22mfirst appeared in OpenBSD 3.2. BSD May 24, 2002 BSD diff -ru openssh-3.5p1/ssh-keysign.8 openssh-3.6p1/ssh-keysign.8 --- openssh-3.5p1/ssh-keysign.8 2002-07-04 10:19:41.000000000 +1000 +++ openssh-3.6p1/ssh-keysign.8 2002-12-23 13:10:00.000000000 +1100 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keysign.8,v 1.3 2002/07/03 14:21:05 markus Exp $ +.\" $OpenBSD: ssh-keysign.8,v 1.5 2002/11/24 21:46:24 stevesk Exp $ .\" .\" Copyright (c) 2002 Markus Friedl. All rights reserved. .\" @@ -39,10 +39,10 @@ .Pp .Nm is disabled by default and can only be enabled in the -the global client configuration file +global client configuration file .Pa /etc/ssh/ssh_config by setting -.Cm HostbasedAuthentication +.Cm EnableSSHKeysign to .Dq yes . .Pp diff -ru openssh-3.5p1/ssh-keysign.c openssh-3.6p1/ssh-keysign.c --- openssh-3.5p1/ssh-keysign.c 2002-10-03 15:45:55.000000000 +1000 +++ openssh-3.6p1/ssh-keysign.c 2003-03-15 11:36:18.000000000 +1100 @@ -22,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: ssh-keysign.c,v 1.7 2002/07/03 14:21:05 markus Exp $"); +RCSID("$OpenBSD: ssh-keysign.c,v 1.10 2003/03/13 11:42:19 markus Exp $"); #include #include 
@@ -168,8 +168,8 @@ initialize_options(&options); (void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options); fill_default_options(&options); - if (options.hostbased_authentication != 1) - fatal("Hostbased authentication not enabled in %s", + if (options.enable_ssh_keysign != 1) + fatal("ssh-keysign not enabled in %s", _PATH_HOST_CONFIG_FILE); if (key_fd[0] == -1 && key_fd[1] == -1) @@ -192,13 +192,6 @@ keys[i] = key_load_private_pem(key_fd[i], KEY_UNSPEC, NULL, NULL); close(key_fd[i]); - if (keys[i] != NULL && keys[i]->type == KEY_RSA) { - if (RSA_blinding_on(keys[i]->rsa, NULL) != 1) { - error("RSA_blinding_on failed"); - key_free(keys[i]); - keys[i] = NULL; - } - } if (keys[i] != NULL) found = 1; } diff -ru openssh-3.5p1/ssh-rand-helper.0 openssh-3.6p1/ssh-rand-helper.0 --- openssh-3.5p1/ssh-rand-helper.0 2002-10-04 11:31:46.000000000 +1000 +++ openssh-3.6p1/ssh-rand-helper.0 2003-03-26 16:12:39.000000000 +1100 
@@ -1,49 +1,49 @@ -SSH-RAND-HELPER(8) System Manager's Manual SSH-RAND-HELPER(8) +SSHM-bM-^@M-^PRANDM-bM-^@M-^PHELPER(8) BSD System ManagerM-bM-^@M-^Ys Manual SSHM-bM-^@M-^PRANDM-bM-^@M-^PHELPER(8) -NAME - ssh-rand-helper - Random number gatherer for OpenSSH +^[[1mNAME^[[0m + ^[[1msshM-bM-^@M-^PrandM-bM-^@M-^Phelper ^[[22mM-bMM-^R Random number gatherer for OpenSSH -SYNOPSIS - ssh-rand-hlper [-vxXh] [-b bytes] +^[[1mSYNOPSIS^[[0m + ^[[1msshM-bM-^@M-^PrandM-bM-^@M-^Phlper ^[[22m[^[[1mM-bMM-^RvxXh^[[22m] [^[[1mM-bMM-^Rb ^[[4m^[[22mbytes^[[24m] -DESCRIPTION - ssh-rand-helper is a small helper program used by ssh(1), ssh-add(1), - ssh-agent(1), ssh-keygen(1), ssh-keyscan(1) and sshd(8) to gather random +^[[1mDESCRIPTION^[[0m + ^[[1msshM-bM-^@M-^PrandM-bM-^@M-^Phelper ^[[22mis a small helper program used by ssh(1), sshM-bM-^@M-^Padd(1), + sshM-bM-^@M-^Pagent(1), sshM-bM-^@M-^Pkeygen(1), sshM-bM-^@M-^Pkeyscan(1) and sshd(8) to gather random numbers of cryptographic quality if the openssl(4) library has not been configured to provide them itself. - Normally ssh-rand-helper will generate a strong random seed and provide + Normally ^[[1msshM-bM-^@M-^PrandM-bM-^@M-^Phelper ^[[22mwill generate a strong random seed and provide it to the calling program via standard output. If standard output is a - tty, ssh-rand-helper will instead print the seed in hexidecimal format + tty, ^[[1msshM-bM-^@M-^PrandM-bM-^@M-^Phelper ^[[22mwill instead print the seed in hexidecimal format unless told otherwise. - ssh-rand-helper will by default gather random numbers from the system - commands listed in /etc/ssh/ssh_prng_cmds. The output of each of the + ^[[1msshM-bM-^@M-^PrandM-bM-^@M-^Phelper ^[[22mwill by default gather random numbers from the system + commands listed in ^[[4m/etc/ssh/ssh_prng_cmds^[[24m. The output of each of the commands listed will be hashed and used to generate a random seed for the - calling program. 
ssh-rand-helper will also store seed files in - ~/.ssh/prng_seed between executions. + calling program. ^[[1msshM-bM-^@M-^PrandM-bM-^@M-^Phelper ^[[22mwill also store seed files in + ^[[4m~/.ssh/prng_seed^[[24m between executions. - Alternately, ssh-rand-helper may be configured at build time to collect + Alternately, ^[[1msshM-bM-^@M-^PrandM-bM-^@M-^Phelper ^[[22mmay be configured at build time to collect random numbers from a EGD/PRNGd server via a unix domain or localhost tcp socket. - This program is not intended to be run by the end-user, so the few comM-- + This program is not intended to be run by the endM-bM-^@M-^Puser, so the few comM-bM-^@M-^P mandline options are for debugging purposes only. - -b bytes + ^[[1mM-bMM-^Rb ^[[4m^[[22mbytes^[[0m Specify the number of random bytes to include in the output. - -x Output a hexidecimal instead of a binary seed. + ^[[1mM-bMM-^Rx ^[[22mOutput a hexidecimal instead of a binary seed. - -X Force output of a binary seed, even if standard output is a tty + ^[[1mM-bMM-^RX ^[[22mForce output of a binary seed, even if standard output is a tty - -v Turn on debugging message. Multiple -v options will increase the - debugging level. -h Display a summary of options. + ^[[1mM-bMM-^Rv ^[[22mTurn on debugging message. Multiple ^[[1mM-bMM-^Rv ^[[22moptions will increase the + debugging level. ^[[1mM-bMM-^Rh ^[[22mDisplay a summary of options. -AUTHORS +^[[1mAUTHORS^[[0m Damien Miller -SEE ALSO - ssh(1), ssh-add(1), ssh-keygen(1), sshd(8) +^[[1mSEE ALSO^[[0m + ssh(1), sshM-bM-^@M-^Padd(1), sshM-bM-^@M-^Pkeygen(1), sshd(8) BSD April 14, 2002 BSD diff -ru openssh-3.5p1/ssh-rand-helper.c openssh-3.6p1/ssh-rand-helper.c --- openssh-3.5p1/ssh-rand-helper.c 2002-07-29 06:42:24.000000000 +1000 +++ openssh-3.6p1/ssh-rand-helper.c 2003-03-17 16:13:53.000000000 +1100 
@@ -39,7 +39,7 @@ #include "pathnames.h" #include "log.h" -RCSID("$Id: ssh-rand-helper.c,v 1.8 2002/07/28 20:42:24 stevesk Exp $"); +RCSID("$Id: ssh-rand-helper.c,v 1.10 2003/03/17 05:13:53 djm Exp $"); /* Number of bytes we write out */ #define OUTPUT_SEED_SIZE 48 @@ -355,6 +355,7 @@ case 0: /* timer expired */ error_abort = 1; + kill(pid, SIGINT); break; case 1: /* command input */ @@ -561,7 +562,8 @@ debug("writing PRNG seed to file %.100s", filename); - RAND_bytes(seed, sizeof(seed)); + if (RAND_bytes(seed, sizeof(seed)) <= 0) + fatal("PRNG seed extration failed"); /* Don't care if the seed doesn't exist */ prng_check_seedfile(filename); @@ -848,7 +850,8 @@ if (!RAND_status()) fatal("Not enough entropy in RNG"); - RAND_bytes(buf, bytes); + if (RAND_bytes(buf, bytes) <= 0) + fatal("Couldn't extract entropy from PRNG"); if (output_hex) { for(ret = 0; ret < bytes; ret++) diff -ru openssh-3.5p1/ssh-rsa.c openssh-3.6p1/ssh-rsa.c --- openssh-3.5p1/ssh-rsa.c 2002-09-04 16:39:49.000000000 +1000 +++ openssh-3.6p1/ssh-rsa.c 2003-02-24 12:01:41.000000000 +1100 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-rsa.c,v 1.26 2002/08/27 17:13:56 stevesk Exp $"); +RCSID("$OpenBSD: ssh-rsa.c,v 1.28 2003/02/12 09:33:04 markus Exp $"); #include #include @@ -33,11 +33,10 @@ #include "buffer.h" #include "bufaux.h" #include "key.h" -#include "ssh-rsa.h" #include "compat.h" #include "ssh.h" -static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int , RSA *); +static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int, RSA *); /* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */ int Only in openssh-3.5p1: ssh-rsa.h diff -ru openssh-3.5p1/ssh.0 openssh-3.6p1/ssh.0 --- openssh-3.5p1/ssh.0 2002-10-04 11:31:45.000000000 +1000 +++ openssh-3.6p1/ssh.0 2003-03-26 16:12:38.000000000 +1100 
@@ -1,455 +1,455 @@ -SSH(1) System General Commands Manual SSH(1) +SSH(1) BSD General Commands Manual SSH(1) -NAME - ssh - OpenSSH SSH client (remote login program) +^[[1mNAME^[[0m + ^[[1mssh ^[[22mM-bMM-^R OpenSSH SSH client (remote login program) -SYNOPSIS - ssh [-l login_name] hostname | user@hostname [command] +^[[1mSYNOPSIS^[[0m + ^[[1mssh ^[[22m[^[[1mM-bMM-^Rl ^[[4m^[[22mlogin_name^[[24m] ^[[4mhostname^[[24m | ^[[4muser@hostname^[[24m [^[[4mcommand^[[24m] - ssh [-afgknqstvxACNTX1246] [-b bind_address] [-c cipher_spec] - [-e escape_char] [-i identity_file] [-l login_name] [-m mac_spec] - [-o option] [-p port] [-F configfile] [-L port:host:hostport] [-R - port:host:hostport] [-D port] hostname | user@hostname [command] + ^[[1mssh ^[[22m[^[[1mM-bMM-^RafgknqstvxACNTX1246^[[22m] [^[[1mM-bMM-^Rb ^[[4m^[[22mbind_address^[[24m] [^[[1mM-bMM-^Rc ^[[4m^[[22mcipher_spec^[[24m] + [^[[1mM-bMM-^Re ^[[4m^[[22mescape_char^[[24m] [^[[1mM-bMM-^Ri ^[[4m^[[22midentity_file^[[24m] [^[[1mM-bMM-^Rl ^[[4m^[[22mlogin_name^[[24m] [^[[1mM-bMM-^Rm ^[[4m^[[22mmac_spec^[[24m] + [^[[1mM-bMM-^Ro ^[[4m^[[22moption^[[24m] [^[[1mM-bMM-^Rp ^[[4m^[[22mport^[[24m] [^[[1mM-bMM-^RF ^[[4m^[[22mconfigfile^[[24m] [^[[1mM-bMM-^RL ^[[4m^[[22mport^[[24m:^[[4mhost^[[24m:^[[4mhostport^[[24m] [^[[1mM-bMM-^RR^[[0m + ^[[4mport^[[24m:^[[4mhost^[[24m:^[[4mhostport^[[24m] [^[[1mM-bMM-^RD ^[[4m^[[22mport^[[24m] ^[[4mhostname^[[24m | ^[[4muser@hostname^[[24m [^[[4mcommand^[[24m] -DESCRIPTION - ssh (SSH client) is a program for logging into a remote machine and for +^[[1mDESCRIPTION^[[0m + ^[[1mssh ^[[22m(SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. - ssh connects and logs into the specified hostname. 
The user must prove + ^[[1mssh ^[[22mconnects and logs into the specified ^[[4mhostname^[[24m. The user must prove his/her identity to the remote machine using one of several methods depending on the protocol version used: - SSH protocol version 1 + ^[[1mSSH protocol version 1^[[0m - First, if the machine the user logs in from is listed in /etc/hosts.equiv - or /etc/shosts.equiv on the remote machine, and the user names are the + First, if the machine the user logs in from is listed in ^[[4m/etc/hosts.equiv^[[0m + or ^[[4m/etc/shosts.equiv^[[24m on the remote machine, and the user names are the same on both sides, the user is immediately permitted to log in. Second, - if .rhosts or .shosts exists in the user's home directory on the remote + if ^[[4m.rhosts^[[24m or ^[[4m.shosts^[[24m exists in the userM-bM-^@M-^Ys home directory on the remote machine and contains a line containing the name of the client machine and the name of the user on that machine, the user is permitted to log in. This form of authentication alone is normally not allowed by the server because it is not secure. - The second authentication method is the rhosts or hosts.equiv method comM-- - bined with RSA-based host authentication. It means that if the login - would be permitted by $HOME/.rhosts, $HOME/.shosts, /etc/hosts.equiv, or - /etc/shosts.equiv, and if additionally the server can verify the client's - host key (see /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts in the - FILES section), only then login is permitted. This authentication method - closes security holes due to IP spoofing, DNS spoofing and routing spoofM-- - ing. [Note to the administrator: /etc/hosts.equiv, $HOME/.rhosts, and + The second authentication method is the ^[[4mrhosts^[[24m or ^[[4mhosts.equiv^[[24m method comM-bM-^@M-^P + bined with RSAM-bM-^@M-^Pbased host authentication. 
It means that if the login + would be permitted by ^[[4m$HOME/.rhosts^[[24m, ^[[4m$HOME/.shosts^[[24m, ^[[4m/etc/hosts.equiv^[[24m, or + ^[[4m/etc/shosts.equiv^[[24m, and if additionally the server can verify the clientM-bM-^@M-^Ys + host key (see ^[[4m/etc/ssh/ssh_known_hosts^[[24m and ^[[4m$HOME/.ssh/known_hosts^[[24m in the + ^[[4mFILES^[[24m section), only then login is permitted. This authentication method + closes security holes due to IP spoofing, DNS spoofing and routing spoofM-bM-^@M-^P + ing. [Note to the administrator: ^[[4m/etc/hosts.equiv^[[24m, ^[[4m$HOME/.rhosts^[[24m, and the rlogin/rsh protocol in general, are inherently insecure and should be disabled if security is desired.] - As a third authentication method, ssh supports RSA based authentication. - The scheme is based on public-key cryptography: there are cryptosystems + As a third authentication method, ^[[1mssh ^[[22msupports RSA based authentication. + The scheme is based on publicM-bM-^@M-^Pkey cryptography: there are cryptosystems where encryption and decryption are done using separate keys, and it is not possible to derive the decryption key from the encryption key. RSA is one such system. The idea is that each user creates a public/private key pair for authentication purposes. The server knows the public key, and only the user knows the private key. The file - $HOME/.ssh/authorized_keys lists the public keys that are permitted for - logging in. When the user logs in, the ssh program tells the server + ^[[4m$HOME/.ssh/authorized_keys^[[24m lists the public keys that are permitted for + logging in. When the user logs in, the ^[[1mssh ^[[22mprogram tells the server which key pair it would like to use for authentication. The server checks if this key is permitted, and if so, sends the user (actually the - ssh program running on behalf of the user) a challenge, a random number, - encrypted by the user's public key. The challenge can only be decrypted - using the proper private key. 
The user's client then decrypts the chalM-- + ^[[1mssh ^[[22mprogram running on behalf of the user) a challenge, a random number, + encrypted by the userM-bM-^@M-^Ys public key. The challenge can only be decrypted + using the proper private key. The userM-bM-^@M-^Ys client then decrypts the chalM-bM-^@M-^P lenge using the private key, proving that he/she knows the private key but without disclosing it to the server. - ssh implements the RSA authentication protocol automatically. The user - creates his/her RSA key pair by running ssh-keygen(1). This stores the - private key in $HOME/.ssh/identity and the public key in - $HOME/.ssh/identity.pub in the user's home directory. The user should - then copy the identity.pub to $HOME/.ssh/authorized_keys in his/her home - directory on the remote machine (the authorized_keys file corresponds to - the conventional $HOME/.rhosts file, and has one key per line, though the + ^[[1mssh ^[[22mimplements the RSA authentication protocol automatically. The user + creates his/her RSA key pair by running sshM-bM-^@M-^Pkeygen(1). This stores the + private key in ^[[4m$HOME/.ssh/identity^[[24m and the public key in + ^[[4m$HOME/.ssh/identity.pub^[[24m in the userM-bM-^@M-^Ys home directory. The user should + then copy the ^[[4midentity.pub^[[24m to ^[[4m$HOME/.ssh/authorized_keys^[[24m in his/her home + directory on the remote machine (the ^[[4mauthorized_keys^[[24m file corresponds to + the conventional ^[[4m$HOME/.rhosts^[[24m file, and has one key per line, though the lines can be very long). After this, the user can log in without giving - the password. RSA authentication is much more secure than rhosts authenM-- + the password. RSA authentication is much more secure than rhosts authenM-bM-^@M-^P tication. - The most convenient way to use RSA authentication may be with an authenM-- - tication agent. See ssh-agent(1) for more information. 
+ The most convenient way to use RSA authentication may be with an authenM-bM-^@M-^P + tication agent. See sshM-bM-^@M-^Pagent(1) for more information. - If other authentication methods fail, ssh prompts the user for a passM-- + If other authentication methods fail, ^[[1mssh ^[[22mprompts the user for a passM-bM-^@M-^P word. The password is sent to the remote host for checking; however, since all communications are encrypted, the password cannot be seen by someone listening on the network. - SSH protocol version 2 + ^[[1mSSH protocol version 2^[[0m When a user connects using protocol version 2 similar authentication methods are available. Using the default values for - PreferredAuthentications, the client will try to authenticate first using + ^[[1mPreferredAuthentications^[[22m, the client will try to authenticate first using the hostbased method; if this method fails public key authentication is - attempted, and finally if this method fails keyboard-interactive and + attempted, and finally if this method fails keyboardM-bM-^@M-^Pinteractive and password authentication are tried. The public key method is similar to RSA authentication described in the previous section and allows the RSA or DSA algorithm to be used: The - client uses his private key, $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa, to + client uses his private key, ^[[4m$HOME/.ssh/id_dsa^[[24m or ^[[4m$HOME/.ssh/id_rsa^[[24m, to sign the session identifier and sends the result to the server. The server checks whether the matching public key is listed in - $HOME/.ssh/authorized_keys and grants access if both the key is found and + ^[[4m$HOME/.ssh/authorized_keys^[[24m and grants access if both the key is found and the signature is correct. The session identifier is derived from a - shared Diffie-Hellman value and is only known to the client and the + shared DiffieM-bM-^@M-^PHellman value and is only known to the client and the server. 
If public key authentication fails or is not available a password can be - sent encrypted to the remote host for proving the user's identity. + sent encrypted to the remote host for proving the userM-bM-^@M-^Ys identity. - Additionally, ssh supports hostbased or challenge response authenticaM-- + Additionally, ^[[1mssh ^[[22msupports hostbased or challenge response authenticaM-bM-^@M-^P tion. - Protocol 2 provides additional mechanisms for confidentiality (the trafM-- + Protocol 2 provides additional mechanisms for confidentiality (the trafM-bM-^@M-^P fic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) and integrity - (hmac-md5, hmac-sha1). Note that protocol 1 lacks a strong mechanism for + (hmacM-bM-^@M-^Pmd5, hmacM-bM-^@M-^Psha1). Note that protocol 1 lacks a strong mechanism for ensuring the integrity of the connection. - Login session and remote execution + ^[[1mLogin session and remote execution^[[0m - When the user's identity has been accepted by the server, the server + When the userM-bM-^@M-^Ys identity has been accepted by the server, the server either executes the given command, or logs into the machine and gives the user a normal shell on the remote machine. All communication with the remote command or shell will be automatically encrypted. - If a pseudo-terminal has been allocated (normal login session), the user + If a pseudoM-bM-^@M-^Pterminal has been allocated (normal login session), the user may use the escape characters noted below. If no pseudo tty has been allocated, the session is transparent and can be used to reliably transfer binary data. On most systems, setting the - escape character to ``none'' will also make the session transparent even - if a tty is used. + escape character to M-bM-^@M-^\noneM-bM-^@M-^] will also make the session transparent even if + a tty is used. The session terminates when the command or shell on the remote machine - exits and all X11 and TCP/IP connections have been closed. 
The exit staM-- - tus of the remote program is returned as the exit status of ssh. + exits and all X11 and TCP/IP connections have been closed. The exit staM-bM-^@M-^P + tus of the remote program is returned as the exit status of ^[[1mssh^[[22m. - Escape Characters + ^[[1mEscape Characters^[[0m - When a pseudo terminal has been requested, ssh supports a number of funcM-- + When a pseudo terminal has been requested, ssh supports a number of funcM-bM-^@M-^P tions through the use of an escape character. - A single tilde character can be sent as ~~ or by following the tilde by a + A single tilde character can be sent as ^[[1m~~ ^[[22mor by following the tilde by a character other than those described below. The escape character must - always follow a newline to be interpreted as special. The escape characM-- - ter can be changed in configuration files using the EscapeChar configuraM-- - tion directive or on the command line by the -e option. + always follow a newline to be interpreted as special. The escape characM-bM-^@M-^P + ter can be changed in configuration files using the ^[[1mEscapeChar ^[[22mconfiguraM-bM-^@M-^P + tion directive or on the command line by the ^[[1mM-bMM-^Re ^[[22moption. - The supported escapes (assuming the default `~') are: + The supported escapes (assuming the default M-bM-^@M-^X~M-bM-^@M-^Y) are: - ~. Disconnect + ^[[1m~. ^[[22mDisconnect - ~^Z Background ssh + ^[[1m~^Z ^[[22mBackground ssh - ~# List forwarded connections + ^[[1m~# ^[[22mList forwarded connections - ~& Background ssh at logout when waiting for forwarded connection / + ^[[1m~& ^[[22mBackground ssh at logout when waiting for forwarded connection / X11 sessions to terminate - ~? Display a list of escape characters + ^[[1m~? 
^[[22mDisplay a list of escape characters - ~C Open command line (only useful for adding port forwardings using - the -L and -R options) + ^[[1m~C ^[[22mOpen command line (only useful for adding port forwardings using + the ^[[1mM-bMM-^RL ^[[22mand ^[[1mM-bMM-^RR ^[[22moptions) - ~R Request rekeying of the connection (only useful for SSH protocol + ^[[1m~R ^[[22mRequest rekeying of the connection (only useful for SSH protocol version 2 and if the peer supports it) - X11 and TCP forwarding + ^[[1mX11 and TCP forwarding^[[0m - If the ForwardX11 variable is set to ``yes'' (or, see the description of - the -X and -x options described later) and the user is using X11 (the + If the ^[[1mForwardX11 ^[[22mvariable is set to M-bM-^@M-^\yesM-bM-^@M-^] (or, see the description of + the ^[[1mM-bMM-^RX ^[[22mand ^[[1mM-bMM-^Rx ^[[22moptions described later) and the user is using X11 (the DISPLAY environment variable is set), the connection to the X11 display is automatically forwarded to the remote side in such a way that any X11 programs started from the shell (or command) will go through the encrypted channel, and the connection to the real X server will be made - from the local machine. The user should not manually set DISPLAY. ForM-- + from the local machine. The user should not manually set DISPLAY. ForM-bM-^@M-^P warding of X11 connections can be configured on the command line or in configuration files. - The DISPLAY value set by ssh will point to the server machine, but with a + The DISPLAY value set by ^[[1mssh ^[[22mwill point to the server machine, but with a display number greater than zero. This is normal, and happens because - ssh creates a ``proxy'' X server on the server machine for forwarding the + ^[[1mssh ^[[22mcreates a M-bM-^@M-^\proxyM-bM-^@M-^] X server on the server machine for forwarding the connections over the encrypted channel. - ssh will also automatically set up Xauthority data on the server machine. 
+ ^[[1mssh ^[[22mwill also automatically set up Xauthority data on the server machine. For this purpose, it will generate a random authorization cookie, store it in Xauthority on the server, and verify that any forwarded connections carry this cookie and replace it by the real cookie when the connection is opened. The real authentication cookie is never sent to the server machine (and no cookies are sent in the plain). - If the ForwardAgent variable is set to ``yes'' (or, see the description - of the -A and -a options described later) and the user is using an - authentication agent, the connection to the agent is automatically forM-- - warded to the remote side. + If the ^[[1mForwardAgent ^[[22mvariable is set to M-bM-^@M-^\yesM-bM-^@M-^] (or, see the description of + the ^[[1mM-bMM-^RA ^[[22mand ^[[1mM-bMM-^Ra ^[[22moptions described later) and the user is using an authentiM-bM-^@M-^P + cation agent, the connection to the agent is automatically forwarded to + the remote side. Forwarding of arbitrary TCP/IP connections over the secure channel can be specified either on the command line or in a configuration file. One possible application of TCP/IP forwarding is a secure connection to an electronic purse; another is going through firewalls. - Server authentication + ^[[1mServer authentication^[[0m - ssh automatically maintains and checks a database containing identificaM-- + ^[[1mssh ^[[22mautomatically maintains and checks a database containing identificaM-bM-^@M-^P tions for all hosts it has ever been used with. Host keys are stored in - $HOME/.ssh/known_hosts in the user's home directory. Additionally, the - file /etc/ssh/ssh_known_hosts is automatically checked for known hosts. - Any new hosts are automatically added to the user's file. If a host's - identification ever changes, ssh warns about this and disables password - authentication to prevent a trojan horse from getting the user's passM-- - word. 
Another purpose of this mechanism is to prevent man-in-the-middle + ^[[4m$HOME/.ssh/known_hosts^[[24m in the userM-bM-^@M-^Ys home directory. Additionally, the + file ^[[4m/etc/ssh/ssh_known_hosts^[[24m is automatically checked for known hosts. + Any new hosts are automatically added to the userM-bM-^@M-^Ys file. If a hostM-bM-^@M-^Ys + identification ever changes, ^[[1mssh ^[[22mwarns about this and disables password + authentication to prevent a trojan horse from getting the userM-bM-^@M-^Ys passM-bM-^@M-^P + word. Another purpose of this mechanism is to prevent manM-bM-^@M-^PinM-bM-^@M-^PtheM-bM-^@M-^Pmiddle attacks which could otherwise be used to circumvent the encryption. The - StrictHostKeyChecking option can be used to prevent logins to machines + ^[[1mStrictHostKeyChecking ^[[22moption can be used to prevent logins to machines whose host key is not known or has changed. The options are as follows: - -a Disables forwarding of the authentication agent connection. + ^[[1mM-bMM-^Ra ^[[22mDisables forwarding of the authentication agent connection. - -A Enables forwarding of the authentication agent connection. This - can also be specified on a per-host basis in a configuration + ^[[1mM-bMM-^RA ^[[22mEnables forwarding of the authentication agent connection. This + can also be specified on a perM-bM-^@M-^Phost basis in a configuration file. Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the - agent's Unix-domain socket) can access the local agent through + agentM-bM-^@M-^Ys UnixM-bM-^@M-^Pdomain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent. 
- -b bind_address + ^[[1mM-bMM-^Rb ^[[4m^[[22mbind_address^[[0m Specify the interface to transmit from on machines with multiple interfaces or aliased addresses. - -c blowfish|3des|des - Selects the cipher to use for encrypting the session. 3des is - used by default. It is believed to be secure. 3des (triple-des) - is an encrypt-decrypt-encrypt triple with three different keys. - blowfish is a fast block cipher, it appears very secure and is - much faster than 3des. des is only supported in the ssh client + ^[[1mM-bMM-^Rc ^[[4m^[[22mblowfish|3des|des^[[0m + Selects the cipher to use for encrypting the session. ^[[4m3des^[[24m is + used by default. It is believed to be secure. ^[[4m3des^[[24m (tripleM-bM-^@M-^Pdes) + is an encryptM-bM-^@M-^PdecryptM-bM-^@M-^Pencrypt triple with three different keys. + ^[[4mblowfish^[[24m is a fast block cipher, it appears very secure and is + much faster than ^[[4m3des^[[24m. ^[[4mdes^[[24m is only supported in the ^[[1mssh ^[[22mclient for interoperability with legacy protocol 1 implementations that - do not support the 3des cipher. Its use is strongly discouraged + do not support the ^[[4m3des^[[24m cipher. Its use is strongly discouraged due to cryptographic weaknesses. - -c cipher_spec - Additionally, for protocol version 2 a comma-separated list of - ciphers can be specified in order of preference. See Ciphers for + ^[[1mM-bMM-^Rc ^[[4m^[[22mcipher_spec^[[0m + Additionally, for protocol version 2 a commaM-bM-^@M-^Pseparated list of + ciphers can be specified in order of preference. See ^[[1mCiphers ^[[22mfor more information. - -e ch|^ch|none - Sets the escape character for sessions with a pty (default: `~'). + ^[[1mM-bMM-^Re ^[[4m^[[22mch|^ch|none^[[0m + Sets the escape character for sessions with a pty (default: M-bM-^@M-^X~M-bM-^@M-^Y). The escape character is only recognized at the beginning of a - line. 
The escape character followed by a dot (`.') closes the - connection, followed by control-Z suspends the connection, and + line. The escape character followed by a dot (M-bM-^@M-^X.M-bM-^@M-^Y) closes the + connection, followed by controlM-bM-^@M-^PZ suspends the connection, and followed by itself sends the escape character once. Setting the - character to ``none'' disables any escapes and makes the session + character to M-bM-^@M-^\noneM-bM-^@M-^] disables any escapes and makes the session fully transparent. - -f Requests ssh to go to background just before command execution. - This is useful if ssh is going to ask for passwords or + ^[[1mM-bMM-^Rf ^[[22mRequests ^[[1mssh ^[[22mto go to background just before command execution. + This is useful if ^[[1mssh ^[[22mis going to ask for passwords or passphrases, but the user wants it in the background. This - implies -n. The recommended way to start X11 programs at a - remote site is with something like ssh -f host xterm. + implies ^[[1mM-bMM-^Rn^[[22m. The recommended way to start X11 programs at a + remote site is with something like ^[[1mssh M-bM-^@M-^Pf host xterm^[[22m. - -g Allows remote hosts to connect to local forwarded ports. + ^[[1mM-bMM-^Rg ^[[22mAllows remote hosts to connect to local forwarded ports. - -i identity_file + ^[[1mM-bMM-^Ri ^[[4m^[[22midentity_file^[[0m Selects a file from which the identity (private key) for RSA or - DSA authentication is read. The default is $HOME/.ssh/identity - for protocol version 1, and $HOME/.ssh/id_rsa and - $HOME/.ssh/id_dsa for protocol version 2. Identity files may - also be specified on a per-host basis in the configuration file. - It is possible to have multiple -i options (and multiple identiM-- + DSA authentication is read. The default is ^[[4m$HOME/.ssh/identity^[[0m + for protocol version 1, and ^[[4m$HOME/.ssh/id_rsa^[[24m and + ^[[4m$HOME/.ssh/id_dsa^[[24m for protocol version 2. 
Identity files may + also be specified on a perM-bM-^@M-^Phost basis in the configuration file. + It is possible to have multiple ^[[1mM-bMM-^Ri ^[[22moptions (and multiple identiM-bM-^@M-^P ties specified in configuration files). - -I smartcard_device + ^[[1mM-bMM-^RI ^[[4m^[[22msmartcard_device^[[0m Specifies which smartcard device to use. The argument is the - device ssh should use to communicate with a smartcard used for - storing the user's private RSA key. + device ^[[1mssh ^[[22mshould use to communicate with a smartcard used for + storing the userM-bM-^@M-^Ys private RSA key. - -k Disables forwarding of Kerberos tickets and AFS tokens. This may - also be specified on a per-host basis in the configuration file. + ^[[1mM-bMM-^Rk ^[[22mDisables forwarding of Kerberos tickets and AFS tokens. This may + also be specified on a perM-bM-^@M-^Phost basis in the configuration file. - -l login_name + ^[[1mM-bMM-^Rl ^[[4m^[[22mlogin_name^[[0m Specifies the user to log in as on the remote machine. This also - may be specified on a per-host basis in the configuration file. + may be specified on a perM-bM-^@M-^Phost basis in the configuration file. - -m mac_spec - Additionally, for protocol version 2 a comma-separated list of + ^[[1mM-bMM-^Rm ^[[4m^[[22mmac_spec^[[0m + Additionally, for protocol version 2 a commaM-bM-^@M-^Pseparated list of MAC (message authentication code) algorithms can be specified in - order of preference. See the MACs keyword for more information. + order of preference. See the ^[[1mMACs ^[[22mkeyword for more information. - -n Redirects stdin from /dev/null (actually, prevents reading from - stdin). This must be used when ssh is run in the background. A + ^[[1mM-bMM-^Rn ^[[22mRedirects stdin from ^[[4m/dev/null^[[24m (actually, prevents reading from + stdin). This must be used when ^[[1mssh ^[[22mis run in the background. A common trick is to use this to run X11 programs on a remote - machine. 
For example, ssh -n shadows.cs.hut.fi emacs & will + machine. For example, ^[[1mssh M-bM-^@M-^Pn shadows.cs.hut.fi emacs & ^[[22mwill start an emacs on shadows.cs.hut.fi, and the X11 connection will - be automatically forwarded over an encrypted channel. The ssh + be automatically forwarded over an encrypted channel. The ^[[1mssh^[[0m program will be put in the background. (This does not work if - ssh needs to ask for a password or passphrase; see also the -f + ^[[1mssh ^[[22mneeds to ask for a password or passphrase; see also the ^[[1mM-bMM-^Rf^[[0m option.) - -N Do not execute a remote command. This is useful for just forM-- + ^[[1mM-bMM-^RN ^[[22mDo not execute a remote command. This is useful for just forM-bM-^@M-^P warding ports (protocol version 2 only). - -o option - Can be used to give options in the format used in the configuraM-- + ^[[1mM-bMM-^Ro ^[[4m^[[22moption^[[0m + Can be used to give options in the format used in the configuraM-bM-^@M-^P tion file. This is useful for specifying options for which there - is no separate command-line flag. + is no separate commandM-bM-^@M-^Pline flag. - -p port + ^[[1mM-bMM-^Rp ^[[4m^[[22mport^[[0m Port to connect to on the remote host. This can be specified on - a per-host basis in the configuration file. + a perM-bM-^@M-^Phost basis in the configuration file. - -q Quiet mode. Causes all warning and diagnostic messages to be + ^[[1mM-bMM-^Rq ^[[22mQuiet mode. Causes all warning and diagnostic messages to be suppressed. - -s May be used to request invocation of a subsystem on the remote + ^[[1mM-bMM-^Rs ^[[22mMay be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which - facilitate the use of SSH as a secure transport for other appliM-- - cations (eg. sftp). The subsystem is specified as the remote comM-- + facilitate the use of SSH as a secure transport for other appliM-bM-^@M-^P + cations (eg. sftp). 
The subsystem is specified as the remote comM-bM-^@M-^P mand. - -t Force pseudo-tty allocation. This can be used to execute arbiM-- - trary screen-based programs on a remote machine, which can be - very useful, e.g., when implementing menu services. Multiple -t - options force tty allocation, even if ssh has no local tty. - - -T Disable pseudo-tty allocation. - - -v Verbose mode. Causes ssh to print debugging messages about its - progress. This is helpful in debugging connection, authenticaM-- - tion, and configuration problems. Multiple -v options increases + ^[[1mM-bMM-^Rt ^[[22mForce pseudoM-bM-^@M-^Ptty allocation. This can be used to execute arbiM-bM-^@M-^P + trary screenM-bM-^@M-^Pbased programs on a remote machine, which can be + very useful, e.g., when implementing menu services. Multiple ^[[1mM-bMM-^Rt^[[0m + options force tty allocation, even if ^[[1mssh ^[[22mhas no local tty. + + ^[[1mM-bMM-^RT ^[[22mDisable pseudoM-bM-^@M-^Ptty allocation. + + ^[[1mM-bMM-^Rv ^[[22mVerbose mode. Causes ^[[1mssh ^[[22mto print debugging messages about its + progress. This is helpful in debugging connection, authenticaM-bM-^@M-^P + tion, and configuration problems. Multiple ^[[1mM-bMM-^Rv ^[[22moptions increases the verbosity. Maximum is 3. - -x Disables X11 forwarding. + ^[[1mM-bMM-^Rx ^[[22mDisables X11 forwarding. - -X Enables X11 forwarding. This can also be specified on a per-host + ^[[1mM-bMM-^RX ^[[22mEnables X11 forwarding. This can also be specified on a perM-bM-^@M-^Phost basis in a configuration file. X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the - user's X authorization database) can access the local X11 display + userM-bM-^@M-^Ys X authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring. 
- -C Requests compression of all data (including stdin, stdout, + ^[[1mM-bMM-^RC ^[[22mRequests compression of all data (including stdin, stdout, stderr, and data for forwarded X11 and TCP/IP connections). The compression algorithm is the same used by gzip(1), and the - ``level'' can be controlled by the CompressionLevel option for - protocol version 1. Compression is desirable on modem lines and + M-bM-^@M-^\levelM-bM-^@M-^] can be controlled by the ^[[1mCompressionLevel ^[[22moption for proM-bM-^@M-^P + tocol version 1. Compression is desirable on modem lines and other slow connections, but will only slow down things on fast - networks. The default value can be set on a host-by-host basis - in the configuration files; see the Compression option. + networks. The default value can be set on a hostM-bM-^@M-^PbyM-bM-^@M-^Phost basis + in the configuration files; see the ^[[1mCompression ^[[22moption. - -F configfile - Specifies an alternative per-user configuration file. If a conM-- - figuration file is given on the command line, the system-wide - configuration file (/etc/ssh/ssh_config) will be ignored. The - default for the per-user configuration file is $HOME/.ssh/config. + ^[[1mM-bMM-^RF ^[[4m^[[22mconfigfile^[[0m + Specifies an alternative perM-bM-^@M-^Puser configuration file. If a conM-bM-^@M-^P + figuration file is given on the command line, the systemM-bM-^@M-^Pwide + configuration file (^[[4m/etc/ssh/ssh_config^[[24m) will be ignored. The + default for the perM-bM-^@M-^Puser configuration file is ^[[4m$HOME/.ssh/config^[[24m. - -L port:host:hostport + ^[[1mM-bMM-^RL ^[[4m^[[22mport:host:hostport^[[0m Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. 
This - works by allocating a socket to listen to port on the local side, + works by allocating a socket to listen to ^[[4mport^[[24m on the local side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to - host port hostport from the remote machine. Port forwardings can - also be specified in the configuration file. Only root can forM-- + ^[[4mhost^[[24m port ^[[4mhostport^[[24m from the remote machine. Port forwardings can + also be specified in the configuration file. Only root can forM-bM-^@M-^P ward privileged ports. IPv6 addresses can be specified with an - alternative syntax: port/host/hostport + alternative syntax: ^[[4mport/host/hostport^[[0m - -R port:host:hostport + ^[[1mM-bMM-^RR ^[[4m^[[22mport:host:hostport^[[0m Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. This - works by allocating a socket to listen to port on the remote - side, and whenever a connection is made to this port, the connecM-- + works by allocating a socket to listen to ^[[4mport^[[24m on the remote + side, and whenever a connection is made to this port, the connecM-bM-^@M-^P tion is forwarded over the secure channel, and a connection is - made to host port hostport from the local machine. Port forwardM-- + made to ^[[4mhost^[[24m port ^[[4mhostport^[[24m from the local machine. Port forwardM-bM-^@M-^P ings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote machine. IPv6 addresses can be specified with an alternative - syntax: port/host/hostport + syntax: ^[[4mport/host/hostport^[[0m - -D port - Specifies a local ``dynamic'' application-level port forwarding. 
- This works by allocating a socket to listen to port on the local - side, and whenever a connection is made to this port, the connecM-- + ^[[1mM-bMM-^RD ^[[4m^[[22mport^[[0m + Specifies a local M-bM-^@M-^\dynamicM-bM-^@M-^] applicationM-bM-^@M-^Plevel port forwarding. + This works by allocating a socket to listen to ^[[4mport^[[24m on the local + side, and whenever a connection is made to this port, the connecM-bM-^@M-^P tion is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 protocol is supported, and - ssh will act as a SOCKS4 server. Only root can forward priviM-- + ^[[1mssh ^[[22mwill act as a SOCKS4 server. Only root can forward priviM-bM-^@M-^P leged ports. Dynamic port forwardings can also be specified in the configuration file. - -1 Forces ssh to try protocol version 1 only. + ^[[1mM-bMM-^R1 ^[[22mForces ^[[1mssh ^[[22mto try protocol version 1 only. - -2 Forces ssh to try protocol version 2 only. + ^[[1mM-bMM-^R2 ^[[22mForces ^[[1mssh ^[[22mto try protocol version 2 only. - -4 Forces ssh to use IPv4 addresses only. + ^[[1mM-bMM-^R4 ^[[22mForces ^[[1mssh ^[[22mto use IPv4 addresses only. - -6 Forces ssh to use IPv6 addresses only. + ^[[1mM-bMM-^R6 ^[[22mForces ^[[1mssh ^[[22mto use IPv6 addresses only. -CONFIGURATION FILES - ssh may additionally obtain configuration data from a per-user configuraM-- - tion file and a system-wide configuration file. The file format and conM-- +^[[1mCONFIGURATION FILES^[[0m + ^[[1mssh ^[[22mmay additionally obtain configuration data from a perM-bM-^@M-^Puser configuraM-bM-^@M-^P + tion file and a systemM-bM-^@M-^Pwide configuration file. The file format and conM-bM-^@M-^P figuration options are described in ssh_config(5). 
-ENVIRONMENT - ssh will normally set the following environment variables: +^[[1mENVIRONMENT^[[0m + ^[[1mssh ^[[22mwill normally set the following environment variables: DISPLAY The DISPLAY variable indicates the location of the X11 server. - It is automatically set by ssh to point to a value of the form - ``hostname:n'' where hostname indicates the host where the shell - runs, and n is an integer >= 1. ssh uses this special value to + It is automatically set by ^[[1mssh ^[[22mto point to a value of the form + M-bM-^@M-^\hostname:nM-bM-^@M-^] where hostname indicates the host where the shell + runs, and n is an integer >= 1. ^[[1mssh ^[[22muses this special value to forward X11 connections over the secure channel. The user should normally not set DISPLAY explicitly, as that will render the X11 connection insecure (and will require the user to manually copy any required authorization cookies). - HOME Set to the path of the user's home directory. + HOME Set to the path of the userM-bM-^@M-^Ys home directory. LOGNAME Synonym for USER; set for compatibility with systems that use this variable. - MAIL Set to the path of the user's mailbox. + MAIL Set to the path of the userM-bM-^@M-^Ys mailbox. - PATH Set to the default PATH, as specified when compiling ssh. + PATH Set to the default PATH, as specified when compiling ^[[1mssh^[[22m. SSH_ASKPASS - If ssh needs a passphrase, it will read the passphrase from the - current terminal if it was run from a terminal. If ssh does not + If ^[[1mssh ^[[22mneeds a passphrase, it will read the passphrase from the + current terminal if it was run from a terminal. If ^[[1mssh ^[[22mdoes not have a terminal associated with it but DISPLAY and SSH_ASKPASS are set, it will execute the program specified by SSH_ASKPASS and open an X11 window to read the passphrase. This is particularly - useful when calling ssh from a .Xsession or related script. + useful when calling ^[[1mssh ^[[22mfrom a ^[[4m.Xsession^[[24m or related script. 
(Note that on some machines it may be necessary to redirect the - input from /dev/null to make this work.) + input from ^[[4m/dev/null^[[24m to make this work.) SSH_AUTH_SOCK - Identifies the path of a unix-domain socket used to communicate + Identifies the path of a unixM-bM-^@M-^Pdomain socket used to communicate with the agent. SSH_CONNECTION Identifies the client and server ends of the connection. The - variable contains four space-separated values: client ip-address, - client port number, server ip-address and server port number. + variable contains four spaceM-bM-^@M-^Pseparated values: client ipM-bM-^@M-^Paddress, + client port number, server ipM-bM-^@M-^Paddress and server port number. SSH_ORIGINAL_COMMAND - The variable contains the original command line if a forced comM-- - mand is executed. It can be used to extract the original arguM-- + The variable contains the original command line if a forced comM-bM-^@M-^P + mand is executed. It can be used to extract the original arguM-bM-^@M-^P ments. SSH_TTY - This is set to the name of the tty (path to the device) associM-- + This is set to the name of the tty (path to the device) associM-bM-^@M-^P ated with the current shell or command. If the current session has no tty, this variable is not set. 
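Review bot: The added lines of this ssh.0 hunk, from the escape-character list down to SSH_TTY, carry raw terminal escape sequences (`^[[1m`, `^[[22m`, `^[[4m`) and multi-byte replacements for ASCII hyphens and quotes, so option names such as -L, -R, -A and -X no longer contain an ASCII "-". As far as these lines show, the text itself is unchanged apart from re-wrapped paragraphs (ForwardAgent, -C). A preformatted page should be plain ASCII: a search of the installed page for "-A" or "per-host" will not find the agent and X11 forwarding cautions, and a pager without SGR support shows the raw sequences. Please regenerate ssh.0 with an ASCII output device and SGR escapes disabled, which would also reduce this diff to the real changes.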
@@ -459,42 +459,42 @@ USER Set to the name of the user logging in. - Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the - format ``VARNAME=value'' to the environment if the file exists and if - users are allowed to change their environment. See the - PermitUserEnvironment option in sshd_config(5). + Additionally, ^[[1mssh ^[[22mreads ^[[4m$HOME/.ssh/environment^[[24m, and adds lines of the + format M-bM-^@M-^\VARNAME=valueM-bM-^@M-^] to the environment if the file exists and if users + are allowed to change their environment. See the ^[[1mPermitUserEnvironment^[[0m + option in sshd_config(5). -FILES +^[[1mFILES^[[0m $HOME/.ssh/known_hosts Records host keys for all hosts the user has logged into that are - not in /etc/ssh/ssh_known_hosts. See sshd(8). + not in ^[[4m/etc/ssh/ssh_known_hosts^[[24m. See sshd(8). $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa Contains the authentication identity of the user. They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute). Note - that ssh ignores a private key file if it is accessible by othM-- + that ^[[1mssh ^[[22mignores a private key file if it is accessible by othM-bM-^@M-^P ers. It is possible to specify a passphrase when generating the key; the passphrase will be used to encrypt the sensitive part of this file using 3DES. $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub Contains the public key for authentication (public part of the - identity file in human-readable form). The contents of the - $HOME/.ssh/identity.pub file should be added to - $HOME/.ssh/authorized_keys on all machines where the user wishes - to log in using protocol version 1 RSA authentication. 
The conM-- - tents of the $HOME/.ssh/id_dsa.pub and $HOME/.ssh/id_rsa.pub file - should be added to $HOME/.ssh/authorized_keys on all machines + identity file in humanM-bM-^@M-^Preadable form). The contents of the + ^[[4m$HOME/.ssh/identity.pub^[[24m file should be added to + ^[[4m$HOME/.ssh/authorized_keys^[[24m on all machines where the user wishes + to log in using protocol version 1 RSA authentication. The conM-bM-^@M-^P + tents of the ^[[4m$HOME/.ssh/id_dsa.pub^[[24m and ^[[4m$HOME/.ssh/id_rsa.pub^[[24m file + should be added to ^[[4m$HOME/.ssh/authorized_keys^[[24m on all machines where the user wishes to log in using protocol version 2 DSA/RSA authentication. These files are not sensitive and can (but need - not) be readable by anyone. These files are never used automatiM-- - cally and are not necessary; they are only provided for the conM-- + not) be readable by anyone. These files are never used automatiM-bM-^@M-^P + cally and are not necessary; they are only provided for the conM-bM-^@M-^P venience of the user. $HOME/.ssh/config - This is the per-user configuration file. The file format and + This is the perM-bM-^@M-^Puser configuration file. The file format and configuration options are described in ssh_config(5). $HOME/.ssh/authorized_keys 
@@ -508,17 +508,17 @@ /etc/ssh/ssh_known_hosts Systemwide list of known host keys. This file should be prepared by the system administrator to contain the public host keys of - all machines in the organization. This file should be world- + all machines in the organization. This file should be worldM-bM-^@M-^P readable. This file contains public keys, one per line, in the - following format (fields separated by spaces): system name, pubM-- + following format (fields separated by spaces): system name, pubM-bM-^@M-^P lic key and optional comment field. When different names are - used for the same machine, all such names should be listed, sepaM-- + used for the same machine, all such names should be listed, sepaM-bM-^@M-^P rated by commas. The format is described on the sshd(8) manual page. The canonical system name (as returned by name servers) is used by sshd(8) to verify the client host when logging in; other names - are needed because ssh does not convert the user-supplied name to + are needed because ^[[1mssh ^[[22mdoes not convert the userM-bM-^@M-^Psupplied name to a canonical name before checking the key, because someone with access to the name servers would then be able to fool host authentication. 
@@ -530,22 +530,22 @@ /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key These three files contain the private parts of the host keys and - are used for RhostsRSAAuthentication and HostbasedAuthentication. - If the protocol version 1 RhostsRSAAuthentication method is used, - ssh must be setuid root, since the host key is readable only by - root. For protocol version 2, ssh uses ssh-keysign(8) to access - the host keys for HostbasedAuthentication. This eliminates the - requirement that ssh be setuid root when that authentication - method is used. By default ssh is not setuid root. + are used for ^[[1mRhostsRSAAuthentication ^[[22mand ^[[1mHostbasedAuthentication^[[22m. + If the protocol version 1 ^[[1mRhostsRSAAuthentication ^[[22mmethod is used, + ^[[1mssh ^[[22mmust be setuid root, since the host key is readable only by + root. For protocol version 2, ^[[1mssh ^[[22muses sshM-bM-^@M-^Pkeysign(8) to access + the host keys for ^[[1mHostbasedAuthentication^[[22m. This eliminates the + requirement that ^[[1mssh ^[[22mbe setuid root when that authentication + method is used. By default ^[[1mssh ^[[22mis not setuid root. $HOME/.rhosts - This file is used in .rhosts authentication to list the host/user + This file is used in ^[[4m.rhosts^[[24m authentication to list the host/user pairs that are permitted to log in. (Note that this file is also used by rlogin and rsh, which makes using this file insecure.) Each line of the file contains a host name (in the canonical form returned by name servers), and then a user name on that host, separated by a space. On some machines this file may need to be - world-readable if the user's home directory is on a NFS partiM-- + worldM-bM-^@M-^Preadable if the userM-bM-^@M-^Ys home directory is on a NFS partiM-bM-^@M-^P tion, because sshd(8) reads it as root. Additionally, this file must be owned by the user, and must not have write permissions for anyone else. The recommended permission for most machines is 
@@ -554,18 +554,18 @@ Note that by default sshd(8) will be installed so that it requires successful RSA host authentication before permitting .rhosts authentication. If the server machine does not have the - client's host key in /etc/ssh/ssh_known_hosts, it can be stored - in $HOME/.ssh/known_hosts. The easiest way to do this is to conM-- + clientM-bM-^@M-^Ys host key in ^[[4m/etc/ssh/ssh_known_hosts^[[24m, it can be stored + in ^[[4m$HOME/.ssh/known_hosts^[[24m. The easiest way to do this is to conM-bM-^@M-^P nect back to the client from the server machine using ssh; this - will automatically add the host key to $HOME/.ssh/known_hosts. + will automatically add the host key to ^[[4m$HOME/.ssh/known_hosts^[[24m. $HOME/.shosts - This file is used exactly the same way as .rhosts. The purpose + This file is used exactly the same way as ^[[4m.rhosts^[[24m. The purpose for having this file is to be able to use rhosts authentication - with ssh without permitting login with rlogin or rsh(1). + with ^[[1mssh ^[[22mwithout permitting login with ^[[1mrlogin ^[[22mor rsh(1). /etc/hosts.equiv - This file is used during .rhosts authentication. It contains + This file is used during ^[[4m.rhosts^[[24m ^[[4mauthentication.^[[24m It contains canonical hosts names, one per line (the full format is described on the sshd(8) manual page). If the client host is found in this file, login is automatically permitted provided client and server 
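Review bot: In the /etc/hosts.equiv entry the new line reads `^[[4m.rhosts^[[24m ^[[4mauthentication.^[[24m`, so the underline now covers "authentication." including the full stop, while the $HOME/.shosts entry just above it underlines only `.rhosts`. This looks like the word and its period being passed as extra arguments to the file-name markup in the page source; fix the source so only the file name is marked up, then regenerate ssh.0.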
@@ -574,41 +574,41 @@ writable by root. /etc/shosts.equiv - This file is processed exactly as /etc/hosts.equiv. This file - may be useful to permit logins using ssh but not using + This file is processed exactly as ^[[4m/etc/hosts.equiv^[[24m. This file + may be useful to permit logins using ^[[1mssh ^[[22mbut not using rsh/rlogin. /etc/ssh/sshrc - Commands in this file are executed by ssh when the user logs in - just before the user's shell (or command) is started. See the + Commands in this file are executed by ^[[1mssh ^[[22mwhen the user logs in + just before the userM-bM-^@M-^Ys shell (or command) is started. See the sshd(8) manual page for more information. $HOME/.ssh/rc - Commands in this file are executed by ssh when the user logs in - just before the user's shell (or command) is started. See the + Commands in this file are executed by ^[[1mssh ^[[22mwhen the user logs in + just before the userM-bM-^@M-^Ys shell (or command) is started. See the sshd(8) manual page for more information. $HOME/.ssh/environment Contains additional definitions for environment variables, see - section ENVIRONMENT above. + section ^[[4mENVIRONMENT^[[24m above. -DIAGNOSTICS - ssh exits with the exit status of the remote command or with 255 if an +^[[1mDIAGNOSTICS^[[0m + ^[[1mssh ^[[22mexits with the exit status of the remote command or with 255 if an error occurred. -AUTHORS +^[[1mAUTHORS^[[0m OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo - de Raadt and Dug Song removed many bugs, re-added newer features and creM-- + de Raadt and Dug Song removed many bugs, reM-bM-^@M-^Padded newer features and creM-bM-^@M-^P ated OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. 
-SEE ALSO - rsh(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), - telnet(1), ssh_config(5), ssh-keysign(8), sshd(8) +^[[1mSEE ALSO^[[0m + rsh(1), scp(1), sftp(1), sshM-bM-^@M-^Padd(1), sshM-bM-^@M-^Pagent(1), sshM-bM-^@M-^Pkeygen(1), + telnet(1), ssh_config(5), sshM-bM-^@M-^Pkeysign(8), sshd(8) - T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH - Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January + T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, ^[[4mSSH^[[0m + ^[[4mProtocol^[[24m ^[[4mArchitecture^[[24m, draftM-bM-^@M-^PietfM-bM-^@M-^PsecshM-bM-^@M-^ParchitectureM-bM-^@M-^P12.txt, January 2002, work in progress material. BSD September 25, 1999 BSD diff -ru openssh-3.5p1/ssh.c openssh-3.6p1/ssh.c --- openssh-3.5p1/ssh.c 2002-09-19 12:05:04.000000000 +1000 +++ openssh-3.6p1/ssh.c 2003-02-24 11:57:32.000000000 +1100 @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.186 2002/09/19 01:58:18 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.190 2003/02/06 09:27:29 markus Exp $"); #include #include @@ -495,9 +495,9 @@ av += optind; if (ac > 0 && !host && **av != '-') { - if (strchr(*av, '@')) { + if (strrchr(*av, '@')) { p = xstrdup(*av); - cp = strchr(p, '@'); + cp = strrchr(p, '@'); if (cp == NULL || cp == p) usage(); options.user = p; @@ -505,12 +505,11 @@ host = ++cp; } else host = *av; - ac--, av++; - if (ac > 0) { - optind = 0; - optreset = 1; + if (ac > 1) { + optind = optreset = 1; goto again; } + ac--, av++; } /* Check that we got a host name. */ @@ -602,6 +601,10 @@ if (options.hostname != NULL) host = options.hostname; + if (options.proxy_command != NULL && + strcmp(options.proxy_command, "none") == 0) + options.proxy_command = NULL; + /* Disable rhosts authentication if not running as root. */ #ifdef HAVE_CYGWIN /* Ignore uid if running under Windows */ 
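Review bot: In the ssh.c hunk at @@ -505,12 +505,11 @@, `ac--, av++` now runs only when the `if (ac > 1)` branch is not taken, so on `goto again` the host name is still av[0] and the second option pass depends entirely on `optind = optreset = 1` to step over it. That interaction is not obvious from the code and is easy to break in a later edit; please add a comment above the `if (ac > 1)` block saying that the host argument is deliberately left in place and skipped by restarting getopt at index 1, and that the `!host` test in the enclosing condition is what keeps this block from running again after the jump.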
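Review bot: In the ssh.c hunk at @@ -602,6 +601,10 @@, `strcmp(options.proxy_command, "none") == 0` is an exact, case-sensitive match, so a value such as "None" or one with trailing whitespace leaves proxy_command set instead of disabling it, and the assignment to NULL drops the old pointer without freeing it. Suggest a one-line comment stating that the literal "none" disables the proxy command, a check that this spelling is what ssh_config(5) documents, and, if the string is heap-allocated, freeing it before clearing the pointer or noting why the leak is acceptable.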
@@ -1026,7 +1029,7 @@ int interactive = 0; struct termios tio; - debug("ssh_session2_setup: id %d", id); + debug2("ssh_session2_setup: id %d", id); if (tty_flag) { struct winsize ws; diff -ru openssh-3.5p1/ssh_config.0 openssh-3.6p1/ssh_config.0 --- openssh-3.5p1/ssh_config.0 2002-10-04 11:31:47.000000000 +1000 +++ openssh-3.6p1/ssh_config.0 2003-03-26 16:12:39.000000000 +1100 
@@ -1,403 +1,400 @@ -SSH_CONFIG(5) System File Formats Manual SSH_CONFIG(5) +SSH_CONFIG(5) BSD File Formats Manual SSH_CONFIG(5) -NAME - ssh_config - OpenSSH SSH client configuration files +^[[1mNAME^[[0m + ^[[1mssh_config ^[[22mM-bMM-^R OpenSSH SSH client configuration files -SYNOPSIS - $HOME/.ssh/config - /etc/ssh/ssh_config +^[[1mSYNOPSIS^[[0m + ^[[4m$HOME/.ssh/config^[[0m + ^[[4m/etc/ssh/ssh_config^[[0m -DESCRIPTION - ssh obtains configuration data from the following sources in the followM-- +^[[1mDESCRIPTION^[[0m + ^[[1mssh ^[[22mobtains configuration data from the following sources in the followM-bM-^@M-^P ing order: - 1. command-line options - 2. user's configuration file ($HOME/.ssh/config) - 3. system-wide configuration file (/etc/ssh/ssh_config) + 1. commandM-bM-^@M-^Pline options + 2. userM-bM-^@M-^Ys configuration file (^[[4m$HOME/.ssh/config^[[24m) + 3. systemM-bM-^@M-^Pwide configuration file (^[[4m/etc/ssh/ssh_config^[[24m) - For each parameter, the first obtained value will be used. The configuM-- - ration files contain sections bracketed by ``Host'' specifications, and + For each parameter, the first obtained value will be used. The configuM-bM-^@M-^P + ration files contain sections bracketed by M-bM-^@M-^\HostM-bM-^@M-^] specifications, and that section is only applied for hosts that match one of the patterns given in the specification. The matched host name is the one given on the command line. - Since the first obtained value for each parameter is used, more host-speM-- + Since the first obtained value for each parameter is used, more hostM-bM-^@M-^PspeM-bM-^@M-^P cific declarations should be given near the beginning of the file, and general defaults at the end. The configuration file has the following format: - Empty lines and lines starting with `#' are comments. + Empty lines and lines starting with M-bM-^@M-^X#M-bM-^@M-^Y are comments. - Otherwise a line is of the format ``keyword arguments''. 
Configuration + Otherwise a line is of the format M-bM-^@M-^\keyword argumentsM-bM-^@M-^]. Configuration options may be separated by whitespace or optional whitespace and exactly - one `='; the latter format is useful to avoid the need to quote whitesM-- - pace when specifying configuration options using the ssh, scp and sftp -o + one M-bM-^@M-^X=M-bM-^@M-^Y; the latter format is useful to avoid the need to quote whitesM-bM-^@M-^P + pace when specifying configuration options using the ^[[1mssh^[[22m, ^[[1mscp ^[[22mand ^[[1msftp M-bMM-^Ro^[[0m option. - The possible keywords and their meanings are as follows (note that keyM-- - words are case-insensitive and arguments are case-sensitive): + The possible keywords and their meanings are as follows (note that keyM-bM-^@M-^P + words are caseM-bM-^@M-^Pinsensitive and arguments are caseM-bM-^@M-^Psensitive): - Host Restricts the following declarations (up to the next Host keyM-- + ^[[1mHost ^[[22mRestricts the following declarations (up to the next ^[[1mHost ^[[22mkeyM-bM-^@M-^P word) to be only for those hosts that match one of the patterns - given after the keyword. `*' and `'? can be used as wildcards - in the patterns. A single `*' as a pattern can be used to proM-- - vide global defaults for all hosts. The host is the hostname - argument given on the command line (i.e., the name is not conM-- + given after the keyword. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards + in the patterns. A single M-bM-^@M-^X*M-bM-^@M-^Y as a pattern can be used to proM-bM-^@M-^P + vide global defaults for all hosts. The host is the ^[[4mhostname^[[0m + argument given on the command line (i.e., the name is not conM-bM-^@M-^P verted to a canonicalized host name before matching). - AFSTokenPassing - Specifies whether to pass AFS tokens to remote host. The arguM-- - ment to this keyword must be ``yes'' or ``no''. This option - applies to protocol version 1 only. 
+ ^[[1mAFSTokenPassing^[[0m + Specifies whether to pass AFS tokens to remote host. The arguM-bM-^@M-^P + ment to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. This option applies + to protocol version 1 only. - BatchMode - If set to ``yes'', passphrase/password querying will be disabled. + ^[[1mBatchMode^[[0m + If set to M-bM-^@M-^\yesM-bM-^@M-^], passphrase/password querying will be disabled. This option is useful in scripts and other batch jobs where no user is present to supply the password. The argument must be - ``yes'' or ``no''. The default is ``no''. + M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. - BindAddress + ^[[1mBindAddress^[[0m Specify the interface to transmit from on machines with multiple interfaces or aliased addresses. Note that this option does not - work if UsePrivilegedPort is set to ``yes''. + work if ^[[1mUsePrivilegedPort ^[[22mis set to M-bM-^@M-^\yesM-bM-^@M-^]. - ChallengeResponseAuthentication + ^[[1mChallengeResponseAuthentication^[[0m Specifies whether to use challenge response authentication. The - argument to this keyword must be ``yes'' or ``no''. The default - is ``yes''. + argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is + M-bM-^@M-^\yesM-bM-^@M-^]. - CheckHostIP - If this flag is set to ``yes'', ssh will additionally check the - host IP address in the known_hosts file. This allows ssh to + ^[[1mCheckHostIP^[[0m + If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ssh will additionally check the + host IP address in the ^[[4mknown_hosts^[[24m file. This allows ssh to detect if a host key changed due to DNS spoofing. If the option - is set to ``no'', the check will not be executed. The default is - ``yes''. + is set to M-bM-^@M-^\noM-bM-^@M-^], the check will not be executed. The default is + M-bM-^@M-^\yesM-bM-^@M-^]. 
- Cipher Specifies the cipher to use for encrypting the session in protoM-- - col version 1. Currently, ``blowfish'', ``3des'', and ``des'' - are supported. des is only supported in the ssh client for - interoperability with legacy protocol 1 implementations that do - not support the 3des cipher. Its use is strongly discouraged due - to cryptographic weaknesses. The default is ``3des''. + ^[[1mCipher ^[[22mSpecifies the cipher to use for encrypting the session in protoM-bM-^@M-^P + col version 1. Currently, M-bM-^@M-^\blowfishM-bM-^@M-^], M-bM-^@M-^\3desM-bM-^@M-^], and M-bM-^@M-^\desM-bM-^@M-^] are supM-bM-^@M-^P + ported. ^[[4mdes^[[24m is only supported in the ^[[1mssh ^[[22mclient for interoperM-bM-^@M-^P + ability with legacy protocol 1 implementations that do not supM-bM-^@M-^P + port the ^[[4m3des^[[24m cipher. Its use is strongly discouraged due to + cryptographic weaknesses. The default is M-bM-^@M-^\3desM-bM-^@M-^]. - Ciphers + ^[[1mCiphers^[[0m Specifies the ciphers allowed for protocol version 2 in order of - preference. Multiple ciphers must be comma-separated. The + preference. Multiple ciphers must be commaM-bM-^@M-^Pseparated. The default is - ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, - aes192-cbc,aes256-cbc'' + M-bM-^@M-^XM-bM-^@M-^Xaes128M-bM-^@M-^Pcbc,3desM-bM-^@M-^Pcbc,blowfishM-bM-^@M-^Pcbc,cast128M-bM-^@M-^Pcbc,arcfour, + aes192M-bM-^@M-^Pcbc,aes256M-bM-^@M-^PcbcM-bM-^@M-^YM-bM-^@M-^Y - ClearAllForwardings + ^[[1mClearAllForwardings^[[0m Specifies that all local, remote and dynamic port forwardings specified in the configuration files or on the command line be - cleared. This option is primarily useful when used from the ssh + cleared. This option is primarily useful when used from the ^[[1mssh^[[0m command line to clear port forwardings set in configuration - files, and is automatically set by scp(1) and sftp(1). The arguM-- - ment must be ``yes'' or ``no''. The default is ``no''. 
+ files, and is automatically set by scp(1) and sftp(1). The arguM-bM-^@M-^P + ment must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. - Compression - Specifies whether to use compression. The argument must be - ``yes'' or ``no''. The default is ``no''. + ^[[1mCompression^[[0m + Specifies whether to use compression. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] + or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. - CompressionLevel + ^[[1mCompressionLevel^[[0m Specifies the compression level to use if compression is enabled. The argument must be an integer from 1 (fast) to 9 (slow, best). The default level is 6, which is good for most applications. The meaning of the values is the same as in gzip(1). Note that this option applies to protocol version 1 only. - ConnectionAttempts + ^[[1mConnectionAttempts^[[0m Specifies the number of tries (one per second) to make before exiting. The argument must be an integer. This may be useful in scripts if the connection sometimes fails. The default is 1. - DynamicForward + ^[[1mDynamicForward^[[0m Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. - The argument must be a port number. Currently the SOCKS4 protoM-- - col is supported, and ssh will act as a SOCKS4 server. Multiple + The argument must be a port number. Currently the SOCKS4 protoM-bM-^@M-^P + col is supported, and ^[[1mssh ^[[22mwill act as a SOCKS4 server. Multiple forwardings may be specified, and additional forwardings can be - given on the command line. Only the superuser can forward priviM-- + given on the command line. Only the superuser can forward priviM-bM-^@M-^P leged ports. - EscapeChar - Sets the escape character (default: `~'). The escape character + ^[[1mEscapeChar^[[0m + Sets the escape character (default: M-bM-^@M-^X~M-bM-^@M-^Y). 
The escape character can also be set on the command line. The argument should be a - single character, `^' followed by a letter, or ``none'' to disM-- - able the escape character entirely (making the connection transM-- - parent for binary data). + single character, M-bM-^@M-^X^M-bM-^@M-^Y followed by a letter, or M-bM-^@M-^\noneM-bM-^@M-^] to disable + the escape character entirely (making the connection transparent + for binary data). - ForwardAgent + ^[[1mForwardAgent^[[0m Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. The argument must - be ``yes'' or ``no''. The default is ``no''. + be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the - agent's Unix-domain socket) can access the local agent through + agentM-bM-^@M-^Ys UnixM-bM-^@M-^Pdomain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent. - ForwardX11 - Specifies whether X11 connections will be automatically rediM-- + ^[[1mForwardX11^[[0m + Specifies whether X11 connections will be automatically rediM-bM-^@M-^P rected over the secure channel and DISPLAY set. The argument - must be ``yes'' or ``no''. The default is ``no''. + must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the - user's X authorization database) can access the local X11 display + userM-bM-^@M-^Ys X authorization database) can access the local X11 display through the forwarded connection. 
An attacker may then be able to perform activities such as keystroke monitoring. - GatewayPorts + ^[[1mGatewayPorts^[[0m Specifies whether remote hosts are allowed to connect to local - forwarded ports. By default, ssh binds local port forwardings to - the loopback address. This prevents other remote hosts from conM-- - necting to forwarded ports. GatewayPorts can be used to specify - that ssh should bind local port forwardings to the wildcard + forwarded ports. By default, ^[[1mssh ^[[22mbinds local port forwardings to + the loopback address. This prevents other remote hosts from conM-bM-^@M-^P + necting to forwarded ports. ^[[1mGatewayPorts ^[[22mcan be used to specify + that ^[[1mssh ^[[22mshould bind local port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded - ports. The argument must be ``yes'' or ``no''. The default is - ``no''. + ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. - GlobalKnownHostsFile + ^[[1mGlobalKnownHostsFile^[[0m Specifies a file to use for the global host key database instead - of /etc/ssh/ssh_known_hosts. + of ^[[4m/etc/ssh/ssh_known_hosts^[[24m. - HostbasedAuthentication + ^[[1mHostbasedAuthentication^[[0m Specifies whether to try rhosts based authentication with public - key authentication. The argument must be ``yes'' or ``no''. The - default is ``no''. This option applies to protocol version 2 - only and is similar to RhostsRSAAuthentication. + key authentication. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The + default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 2 only + and is similar to ^[[1mRhostsRSAAuthentication^[[22m. - HostKeyAlgorithms + ^[[1mHostKeyAlgorithms^[[0m Specifies the protocol version 2 host key algorithms that the client wants to use in order of preference. The default for this - option is: ``ssh-rsa,ssh-dss''. 
+ option is: M-bM-^@M-^\sshM-bM-^@M-^Prsa,sshM-bM-^@M-^PdssM-bM-^@M-^]. - HostKeyAlias + ^[[1mHostKeyAlias^[[0m Specifies an alias that should be used instead of the real host name when looking up or saving the host key in the host key - database files. This option is useful for tunneling ssh connecM-- + database files. This option is useful for tunneling ssh connecM-bM-^@M-^P tions or for multiple servers running on a single host. - HostName + ^[[1mHostName^[[0m Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. Default is the name given on the command line. Numeric IP addresses are also - permitted (both on the command line and in HostName specificaM-- + permitted (both on the command line and in ^[[1mHostName ^[[22mspecificaM-bM-^@M-^P tions). - IdentityFile - Specifies a file from which the user's RSA or DSA authentication - identity is read. The default is $HOME/.ssh/identity for protocol - version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for protoM-- + ^[[1mIdentityFile^[[0m + Specifies a file from which the userM-bM-^@M-^Ys RSA or DSA authentication + identity is read. The default is ^[[4m$HOME/.ssh/identity^[[24m for protocol + version 1, and ^[[4m$HOME/.ssh/id_rsa^[[24m and ^[[4m$HOME/.ssh/id_dsa^[[24m for protoM-bM-^@M-^P col version 2. Additionally, any identities represented by the authentication agent will be used for authentication. The file - name may use the tilde syntax to refer to a user's home direcM-- + name may use the tilde syntax to refer to a userM-bM-^@M-^Ys home direcM-bM-^@M-^P tory. It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence. - KeepAlive + ^[[1mKeepAlive^[[0m Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. 
However, - this means that connections will die if the route is down temM-- + this means that connections will die if the route is down temM-bM-^@M-^P porarily, and some people find it annoying. - The default is ``yes'' (to send keepalives), and the client will + The default is M-bM-^@M-^\yesM-bM-^@M-^] (to send keepalives), and the client will notice if the network goes down or the remote host dies. This is important in scripts, and many users want it too. - To disable keepalives, the value should be set to ``no''. + To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^]. - KerberosAuthentication + ^[[1mKerberosAuthentication^[[0m Specifies whether Kerberos authentication will be used. The - argument to this keyword must be ``yes'' or ``no''. + argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. - KerberosTgtPassing + ^[[1mKerberosTgtPassing^[[0m Specifies whether a Kerberos TGT will be forwarded to the server. This will only work if the Kerberos server is actually an AFS - kaserver. The argument to this keyword must be ``yes'' or - ``no''. + kaserver. The argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. - LocalForward + ^[[1mLocalForward^[[0m Specifies that a TCP/IP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. The first argument must be a port number, and - the second must be host:port. IPv6 addresses can be specified - with an alternative syntax: host/port. Multiple forwardings may - be specified, and additional forwardings can be given on the comM-- + the second must be ^[[4mhost:port^[[24m. IPv6 addresses can be specified + with an alternative syntax: ^[[4mhost/port^[[24m. Multiple forwardings may + be specified, and additional forwardings can be given on the comM-bM-^@M-^P mand line. Only the superuser can forward privileged ports. 
- LogLevel + ^[[1mLogLevel^[[0m Gives the verbosity level that is used when logging messages from - ssh. The possible values are: QUIET, FATAL, ERROR, INFO, VERM-- + ^[[1mssh^[[22m. The possible values are: QUIET, FATAL, ERROR, INFO, VERM-bM-^@M-^P BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of verbose output. - MACs Specifies the MAC (message authentication code) algorithms in - order of preference. The MAC algorithm is used in protocol verM-- + ^[[1mMACs ^[[22mSpecifies the MAC (message authentication code) algorithms in + order of preference. The MAC algorithm is used in protocol verM-bM-^@M-^P sion 2 for data integrity protection. Multiple algorithms must - be comma-separated. The default is - ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''. + be commaM-bM-^@M-^Pseparated. The default is + M-bM-^@M-^\hmacM-bM-^@M-^Pmd5,hmacM-bM-^@M-^Psha1,hmacM-bM-^@M-^Pripemd160,hmacM-bM-^@M-^Psha1M-bM-^@M-^P96,hmacM-bM-^@M-^Pmd5M-bM-^@M-^P96M-bM-^@M-^]. - NoHostAuthenticationForLocalhost + ^[[1mNoHostAuthenticationForLocalhost^[[0m This option can be used if the home directory is shared across machines. In this case localhost will refer to a different - machine on each of the machines and the user will get many warnM-- + machine on each of the machines and the user will get many warnM-bM-^@M-^P ings about changed host keys. However, this option disables host authentication for localhost. The argument to this keyword must - be ``yes'' or ``no''. The default is to check the host key for + be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is to check the host key for localhost. - NumberOfPasswordPrompts + ^[[1mNumberOfPasswordPrompts^[[0m Specifies the number of password prompts before giving up. The argument to this keyword must be an integer. Default is 3. 
- PasswordAuthentication + ^[[1mPasswordAuthentication^[[0m Specifies whether to use password authentication. The argument - to this keyword must be ``yes'' or ``no''. The default is - ``yes''. + to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. - Port Specifies the port number to connect on the remote host. Default + ^[[1mPort ^[[22mSpecifies the port number to connect on the remote host. Default is 22. - PreferredAuthentications + ^[[1mPreferredAuthentications^[[0m Specifies the order in which the client should try protocol 2 authentication methods. This allows a client to prefer one method - (e.g. keyboard-interactive) over another method (e.g. password) + (e.g. ^[[1mkeyboardM-bM-^@M-^Pinteractive^[[22m) over another method (e.g. ^[[1mpassword^[[22m) The default for this option is: - ``hostbased,publickey,keyboard-interactive,password''. + M-bM-^@M-^\hostbased,publickey,keyboardM-bM-^@M-^Pinteractive,passwordM-bM-^@M-^]. - Protocol - Specifies the protocol versions ssh should support in order of - preference. The possible values are ``1'' and ``2''. Multiple - versions must be comma-separated. The default is ``2,1''. This - means that ssh tries version 2 and falls back to version 1 if - version 2 is not available. + ^[[1mProtocol^[[0m + Specifies the protocol versions ^[[1mssh ^[[22mshould support in order of + preference. The possible values are M-bM-^@M-^\1M-bM-^@M-^] and M-bM-^@M-^\2M-bM-^@M-^]. Multiple verM-bM-^@M-^P + sions must be commaM-bM-^@M-^Pseparated. The default is M-bM-^@M-^\2,1M-bM-^@M-^]. This means + that ^[[1mssh ^[[22mtries version 2 and falls back to version 1 if version 2 + is not available. - ProxyCommand - Specifies the command to use to connect to the server. The comM-- + ^[[1mProxyCommand^[[0m + Specifies the command to use to connect to the server. The comM-bM-^@M-^P mand string extends to the end of the line, and is executed with - /bin/sh. 
In the command string, `%h' will be substituted by the - host name to connect and `%p' by the port. The command can be + ^[[4m/bin/sh^[[24m. In the command string, M-bM-^@M-^X%hM-bM-^@M-^Y will be substituted by the + host name to connect and M-bM-^@M-^X%pM-bM-^@M-^Y by the port. The command can be basically anything, and should read from its standard input and write to its standard output. It should eventually connect an - sshd(8) server running on some machine, or execute sshd -i someM-- + sshd(8) server running on some machine, or execute ^[[1msshd M-bM-^@M-^Pi ^[[22msomeM-bM-^@M-^P where. Host key management will be done using the HostName of the host being connected (defaulting to the name typed by the - user). Note that CheckHostIP is not available for connects with - a proxy command. + user). Setting the command to M-bM-^@M-^\noneM-bM-^@M-^] disables this option + entirely. Note that ^[[1mCheckHostIP ^[[22mis not available for connects + with a proxy command. - PubkeyAuthentication + ^[[1mPubkeyAuthentication^[[0m Specifies whether to try public key authentication. The argument - to this keyword must be ``yes'' or ``no''. The default is - ``yes''. This option applies to protocol version 2 only. + to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. + This option applies to protocol version 2 only. - RemoteForward + ^[[1mRemoteForward^[[0m Specifies that a TCP/IP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine. The first argument must be a port number, and the - second must be host:port. IPv6 addresses can be specified with - an alternative syntax: host/port. Multiple forwardings may be + second must be ^[[4mhost:port^[[24m. IPv6 addresses can be specified with + an alternative syntax: ^[[4mhost/port^[[24m. Multiple forwardings may be specified, and additional forwardings can be given on the command line. 
Only the superuser can forward privileged ports. - RhostsAuthentication + ^[[1mRhostsAuthentication^[[0m Specifies whether to try rhosts based authentication. Note that this declaration only affects the client side and has no effect - whatsoever on security. Most servers do not permit RhostsAuthenM-- - tication because it is not secure (see RhostsRSAAuthentication). - The argument to this keyword must be ``yes'' or ``no''. The - default is ``no''. This option applies to protocol version 1 - only and requires ssh to be setuid root and UsePrivilegedPort to - be set to ``yes''. + whatsoever on security. Most servers do not permit RhostsAuthenM-bM-^@M-^P + tication because it is not secure (see ^[[1mRhostsRSAAuthentication^[[22m). + The argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default + is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only and + requires ^[[1mssh ^[[22mto be setuid root and ^[[1mUsePrivilegedPort ^[[22mto be set to + M-bM-^@M-^\yesM-bM-^@M-^]. - RhostsRSAAuthentication + ^[[1mRhostsRSAAuthentication^[[0m Specifies whether to try rhosts based authentication with RSA - host authentication. The argument must be ``yes'' or ``no''. - The default is ``no''. This option applies to protocol version 1 - only and requires ssh to be setuid root. + host authentication. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The + default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only + and requires ^[[1mssh ^[[22mto be setuid root. - RSAAuthentication + ^[[1mRSAAuthentication^[[0m Specifies whether to try RSA authentication. The argument to - this keyword must be ``yes'' or ``no''. RSA authentication will - only be attempted if the identity file exists, or an authenticaM-- - tion agent is running. The default is ``yes''. Note that this - option applies to protocol version 1 only. 
+ this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. RSA authentication will only + be attempted if the identity file exists, or an authentication + agent is running. The default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option + applies to protocol version 1 only. - SmartcardDevice + ^[[1mSmartcardDevice^[[0m Specifies which smartcard device to use. The argument to this - keyword is the device ssh should use to communicate with a smartM-- - card used for storing the user's private RSA key. By default, no + keyword is the device ^[[1mssh ^[[22mshould use to communicate with a smartM-bM-^@M-^P + card used for storing the userM-bM-^@M-^Ys private RSA key. By default, no device is specified and smartcard support is not activated. - StrictHostKeyChecking - If this flag is set to ``yes'', ssh will never automatically add - host keys to the $HOME/.ssh/known_hosts file, and refuses to conM-- + ^[[1mStrictHostKeyChecking^[[0m + If this flag is set to M-bM-^@M-^\yesM-bM-^@M-^], ^[[1mssh ^[[22mwill never automatically add + host keys to the ^[[4m$HOME/.ssh/known_hosts^[[24m file, and refuses to conM-bM-^@M-^P nect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks, however, can be annoying - when the /etc/ssh/ssh_known_hosts file is poorly maintained, or + when the ^[[4m/etc/ssh/ssh_known_hosts^[[24m file is poorly maintained, or connections to new hosts are frequently made. This option forces the user to manually add all new hosts. If this flag is set to - ``no'', ssh will automatically add new host keys to the user - known hosts files. If this flag is set to ``ask'', new host keys - will be added to the user known host files only after the user - has confirmed that is what they really want to do, and ssh will - refuse to connect to hosts whose host key has changed. The host - keys of known hosts will be verified automatically in all cases. - The argument must be ``yes'', ``no'' or ``ask''. 
The default is - ``ask''. - - UsePrivilegedPort - Specifies whether to use a privileged port for outgoing connecM-- - tions. The argument must be ``yes'' or ``no''. The default is - ``no''. If set to ``yes'' ssh must be setuid root. Note that - this option must be set to ``yes'' if RhostsAuthentication and - RhostsRSAAuthentication authentications are needed with older + M-bM-^@M-^\noM-bM-^@M-^], ^[[1mssh ^[[22mwill automatically add new host keys to the user known + hosts files. If this flag is set to M-bM-^@M-^\askM-bM-^@M-^], new host keys will be + added to the user known host files only after the user has conM-bM-^@M-^P + firmed that is what they really want to do, and ^[[1mssh ^[[22mwill refuse + to connect to hosts whose host key has changed. The host keys of + known hosts will be verified automatically in all cases. The + argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^] or M-bM-^@M-^\askM-bM-^@M-^]. The default is M-bM-^@M-^\askM-bM-^@M-^]. + + ^[[1mUsePrivilegedPort^[[0m + Specifies whether to use a privileged port for outgoing connecM-bM-^@M-^P + tions. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. + If set to M-bM-^@M-^\yesM-bM-^@M-^] ^[[1mssh ^[[22mmust be setuid root. Note that this option + must be set to M-bM-^@M-^\yesM-bM-^@M-^] if ^[[1mRhostsAuthentication ^[[22mand + ^[[1mRhostsRSAAuthentication ^[[22mauthentications are needed with older servers. - User Specifies the user to log in as. This can be useful when a difM-- + ^[[1mUser ^[[22mSpecifies the user to log in as. This can be useful when a difM-bM-^@M-^P ferent user name is used on different machines. This saves the - trouble of having to remember to give the user name on the comM-- + trouble of having to remember to give the user name on the comM-bM-^@M-^P mand line. 
- UserKnownHostsFile + ^[[1mUserKnownHostsFile^[[0m Specifies a file to use for the user host key database instead of - $HOME/.ssh/known_hosts. + ^[[4m$HOME/.ssh/known_hosts^[[24m. - XAuthLocation + ^[[1mXAuthLocation^[[0m Specifies the full pathname of the xauth(1) program. The default - is /usr/X11R6/bin/xauth. + is ^[[4m/usr/X11R6/bin/xauth^[[24m. -FILES +^[[1mFILES^[[0m $HOME/.ssh/config - This is the per-user configuration file. The format of this file - is described above. This file is used by the ssh client. This + This is the perM-bM-^@M-^Puser configuration file. The format of this file + is described above. This file is used by the ^[[1mssh ^[[22mclient. This file does not usually contain any sensitive information, but the recommended permissions are read/write for the user, and not accessible by others. /etc/ssh/ssh_config Systemwide configuration file. This file provides defaults for - those values that are not specified in the user's configuration + those values that are not specified in the userM-bM-^@M-^Ys configuration file, and for those users who do not have a configuration file. - This file must be world-readable. + This file must be worldM-bM-^@M-^Preadable. -AUTHORS +^[[1mAUTHORS^[[0m OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo - de Raadt and Dug Song removed many bugs, re-added newer features and creM-- + de Raadt and Dug Song removed many bugs, reM-bM-^@M-^Padded newer features and creM-bM-^@M-^P ated OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -SEE ALSO +^[[1mSEE ALSO^[[0m ssh(1) BSD September 25, 1999 BSD diff -ru openssh-3.5p1/ssh_config.5 openssh-3.6p1/ssh_config.5 --- openssh-3.5p1/ssh_config.5 2002-09-04 16:51:05.000000000 +1000 +++ openssh-3.6p1/ssh_config.5 2003-02-24 11:57:33.000000000 +1100 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.5 2002/08/29 22:54:10 stevesk Exp $ +.\" $OpenBSD: ssh_config.5,v 1.6 2003/02/06 09:27:29 markus Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -474,6 +474,9 @@ Host key management will be done using the HostName of the host being connected (defaulting to the name typed by the user). +Setting the command to +.Dq none +disables this option entirely. Note that .Cm CheckHostIP is not available for connects with a proxy command. diff -ru openssh-3.5p1/sshconnect.c openssh-3.6p1/sshconnect.c --- openssh-3.5p1/sshconnect.c 2002-09-19 12:05:04.000000000 +1000 +++ openssh-3.6p1/sshconnect.c 2002-12-23 13:06:20.000000000 +1100 @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.135 2002/09/19 01:58:18 djm Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.137 2002/11/21 23:03:51 deraadt Exp $"); #include @@ -247,7 +247,7 @@ */ int full_failure = 1; - debug("ssh_connect: needpriv %d", needpriv); + debug2("ssh_connect: needpriv %d", needpriv); /* Get default port if port has not been set. */ if (port == 0) { @@ -649,10 +649,10 @@ "%s key fingerprint is %s.\n" "Are you sure you want to continue connecting " "(yes/no)? ", - host, ip, - has_keys ? ",\nbut keys of different type are already " - "known for this host." : ".", - type, fp); + host, ip, + has_keys ? ",\nbut keys of different type are already " + "known for this host." : ".", + type, fp); xfree(fp); if (!confirm(msg)) goto fail; diff -ru openssh-3.5p1/sshconnect2.c openssh-3.6p1/sshconnect2.c --- openssh-3.5p1/sshconnect2.c 2002-10-03 15:45:55.000000000 +1000 +++ openssh-3.6p1/sshconnect2.c 2003-03-10 11:21:18.000000000 +1100 
@@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.107 2002/07/01 19:48:46 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.112 2003/03/05 22:33:43 markus Exp $"); #include "ssh.h" #include "ssh2.h" @@ -110,6 +110,8 @@ /* start key exchange */ kex = kex_setup(myproposal); + kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client; + kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; kex->verify_host_key=&verify_host_key_callback; @@ -128,7 +130,6 @@ packet_send(); packet_write_wait(); #endif - debug("done: ssh_kex2."); } /* @@ -224,24 +225,23 @@ if (options.challenge_response_authentication) options.kbd_interactive_authentication = 1; - debug("send SSH2_MSG_SERVICE_REQUEST"); packet_start(SSH2_MSG_SERVICE_REQUEST); packet_put_cstring("ssh-userauth"); packet_send(); + debug("SSH2_MSG_SERVICE_REQUEST sent"); packet_write_wait(); type = packet_read(); - if (type != SSH2_MSG_SERVICE_ACCEPT) { - fatal("denied SSH2_MSG_SERVICE_ACCEPT: %d", type); - } + if (type != SSH2_MSG_SERVICE_ACCEPT) + fatal("Server denied authentication request: %d", type); if (packet_remaining() > 0) { char *reply = packet_get_string(NULL); - debug("service_accept: %s", reply); + debug2("service_accept: %s", reply); xfree(reply); } else { - debug("buggy server: service_accept w/o service"); + debug2("buggy server: service_accept w/o service"); } packet_check_eom(); - debug("got SSH2_MSG_SERVICE_ACCEPT"); + debug("SSH2_MSG_SERVICE_ACCEPT received"); if (options.preferred_authentications == NULL) options.preferred_authentications = authmethods_get(); @@ -273,7 +273,7 @@ if (authctxt.agent != NULL) ssh_close_authentication_connection(authctxt.agent); - debug("ssh-userauth2 successful: method %s", authctxt.method->name); + debug("Authentication succeeded (%s).", authctxt.method->name); } void userauth(Authctxt *authctxt, char *authlist) 
@@ -347,7 +347,7 @@ if (partial != 0) log("Authenticated with partial success."); - debug("authentications that can continue: %s", authlist); + debug("Authentications that can continue: %s", authlist); clear_auth_state(authctxt); userauth(authctxt, authlist); @@ -379,7 +379,7 @@ } packet_check_eom(); - debug("input_userauth_pk_ok: pkalg %s blen %u lastkey %p hint %d", + debug("Server accepts key: pkalg %s blen %u lastkey %p hint %d", pkalg, blen, authctxt->last_key, authctxt->last_key_hint); do { @@ -764,7 +764,7 @@ if (k == NULL) { debug2("userauth_pubkey_agent: no more keys"); } else { - debug("userauth_pubkey_agent: testing agent key %s", comment); + debug("Offering agent key: %s", comment); xfree(comment); ret = send_pubkey_test(authctxt, k, agent_sign_cb, -1); if (ret == 0) @@ -792,7 +792,7 @@ key = options.identity_keys[idx]; filename = options.identity_files[idx]; if (key == NULL) { - debug("try privkey: %s", filename); + debug("Trying private key: %s", filename); key = load_identity_file(filename); if (key != NULL) { sent = sign_and_send_pubkey(authctxt, key, @@ -800,7 +800,7 @@ key_free(key); } } else if (key->type != KEY_RSA1) { - debug("try pubkey: %s", filename); + debug("Offering public key: %s", filename); sent = send_pubkey_test(authctxt, key, identity_sign_cb, idx); } @@ -906,7 +906,7 @@ pid_t pid; int to[2], from[2], status, version = 2; - debug("ssh_keysign called"); + debug2("ssh_keysign called"); if (stat(_PATH_SSH_KEY_SIGN, &st) < 0) { error("ssh_keysign: no installed: %s", strerror(errno)); @@ -995,7 +995,7 @@ } } if (!found) { - debug("userauth_hostbased: no more client hostkeys"); + debug("No more client hostkeys for hostbased authentication."); return 0; } if (key_to_blob(private, &blob, &blen) == 0) { @@ -1014,6 +1014,7 @@ strlcpy(chost, p, len); strlcat(chost, ".", len); debug2("userauth_hostbased: chost %s", chost); + xfree(p); service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : authctxt->service; 
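Review bot: in the sshconnect2.c hunk at @@ -379,7 +379,7 @@, the message reworded for readers of the debug output, "Server accepts key: pkalg %s blen %u lastkey %p hint %d", still prints authctxt->last_key with %p. A pointer value tells the user nothing about which key the server accepted and puts a process address into logs that are often pasted into bug reports; keep pkalg and blen on this debug() line and move lastkey and hint to a separate debug2() call.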
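Review bot: in the sshconnect2.c hunk at @@ -1014,6 +1014,7 @@, the added xfree(p) leaves p dangling for the rest of the function, and only the uses up to strlcpy(chost, p, len) are visible here. Please confirm that nothing below the service assignment reads p again, and consider setting p = NULL right after the free so that any later use faults immediately instead of reading freed memory. The placement after debug2("userauth_hostbased: chost %s", chost) is otherwise fine, since chost holds its own copy by then.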
@@ -1109,7 +1110,6 @@ static Authmethod * authmethod_get(char *authlist) { - char *name = NULL; u_int next; @@ -1130,7 +1130,7 @@ for (;;) { if ((name = match_list(preferred, supported, &next)) == NULL) { - debug("no more auth methods to try"); + debug("No more authentication methods to try."); current = NULL; return NULL; } @@ -1140,7 +1140,7 @@ if ((current = authmethod_lookup(name)) != NULL && authmethod_is_enabled(current)) { debug3("authmethod_is_enabled %s", name); - debug("next auth method to try is %s", name); + debug("Next authentication method: %s", name); return current; } } diff -ru openssh-3.5p1/sshd.0 openssh-3.6p1/sshd.0 --- openssh-3.5p1/sshd.0 2002-10-04 11:31:45.000000000 +1000 +++ openssh-3.6p1/sshd.0 2003-03-26 16:12:38.000000000 +1100 
@@ -1,33 +1,33 @@ -SSHD(8) System Manager's Manual SSHD(8) +SSHD(8) BSD System ManagerM-bM-^@M-^Ys Manual SSHD(8) -NAME - sshd - OpenSSH SSH daemon +^[[1mNAME^[[0m + ^[[1msshd ^[[22mM-bMM-^R OpenSSH SSH daemon -SYNOPSIS - sshd [-deiqtD46] [-b bits] [-f config_file] [-g login_grace_time] - [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len] +^[[1mSYNOPSIS^[[0m + ^[[1msshd ^[[22m[^[[1mM-bMM-^RdeiqtD46^[[22m] [^[[1mM-bMM-^Rb ^[[4m^[[22mbits^[[24m] [^[[1mM-bMM-^Rf ^[[4m^[[22mconfig_file^[[24m] [^[[1mM-bMM-^Rg ^[[4m^[[22mlogin_grace_time^[[24m] + [^[[1mM-bMM-^Rh ^[[4m^[[22mhost_key_file^[[24m] [^[[1mM-bMM-^Rk ^[[4m^[[22mkey_gen_time^[[24m] [^[[1mM-bMM-^Ro ^[[4m^[[22moption^[[24m] [^[[1mM-bMM-^Rp ^[[4m^[[22mport^[[24m] [^[[1mM-bMM-^Ru ^[[4m^[[22mlen^[[24m] -DESCRIPTION - sshd (SSH Daemon) is the daemon program for ssh(1). Together these proM-- +^[[1mDESCRIPTION^[[0m + ^[[1msshd ^[[22m(SSH Daemon) is the daemon program for ssh(1). Together these proM-bM-^@M-^P grams replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. The programs are intended to be as easy to install and use as possible. - sshd is the daemon that listens for connections from clients. It is norM-- - mally started at boot from /etc/rc. It forks a new daemon for each + ^[[1msshd ^[[22mis the daemon that listens for connections from clients. It is norM-bM-^@M-^P + mally started at boot from ^[[4m/etc/rc^[[24m. It forks a new daemon for each incoming connection. The forked daemons handle key exchange, encryption, - authentication, command execution, and data exchange. This implementaM-- - tion of sshd supports both SSH protocol version 1 and 2 simultaneously. - sshd works as follows. + authentication, command execution, and data exchange. This implementaM-bM-^@M-^P + tion of ^[[1msshd ^[[22msupports both SSH protocol version 1 and 2 simultaneously. 
+ ^[[1msshd ^[[22mworks as follows: - SSH protocol version 1 + ^[[1mSSH protocol version 1^[[0m - Each host has a host-specific RSA key (normally 1024 bits) used to idenM-- + Each host has a hostM-bM-^@M-^Pspecific RSA key (normally 1024 bits) used to idenM-bM-^@M-^P tify the host. Additionally, when the daemon starts, it generates a server RSA key (normally 768 bits). This key is normally regenerated every hour if it has been used, and is never stored on disk. - Whenever a client connects the daemon responds with its public host and + Whenever a client connects, the daemon responds with its public host and server keys. The client compares the RSA host key against its own database to verify that it has not changed. The client then generates a 256 bit random number. It encrypts this random number using both the 
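Review bot: the regenerated sshd.0 in the hunk at @@ -1,33 +1,33 @@ now carries terminal escape sequences (^[[1mNAME^[[0m, ^[[4m/etc/rc^[[24m) and multi-byte punctuation (the apostrophe in "Manager's" and the hyphen in "host-specific" appear as M-bM-^@M-^Y and M-bM-^@M-^P), where the 3.5p1 copy was plain ASCII. A preformatted page should read the same on any terminal and pager, so it should be regenerated with ASCII output and without bold or underline escapes before release. The page header also changes from "System Manager's Manual" to "BSD System Manager's Manual", which suggests this copy was produced with a different formatter setup than the 3.5p1 one; the later sshd.0 hunks show the same differences and need the same regeneration.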
@@ -35,24 +35,24 @@ server. Both sides then use this random number as a session key which is used to encrypt all further communications in the session. The rest of the session is encrypted using a conventional cipher, currently Blowfish - or 3DES, with 3DES being used by default. The client selects the encrypM-- + or 3DES, with 3DES being used by default. The client selects the encrypM-bM-^@M-^P tion algorithm to use from those offered by the server. Next, the server and the client enter an authentication dialog. The - client tries to authenticate itself using .rhosts authentication, .rhosts - authentication combined with RSA host authentication, RSA challenge- + client tries to authenticate itself using ^[[4m.rhosts^[[24m authentication, ^[[4m.rhosts^[[0m + authentication combined with RSA host authentication, RSA challengeM-bM-^@M-^P response authentication, or password based authentication. Rhosts authentication is normally disabled because it is fundamentally insecure, but can be enabled in the server configuration file if desired. - System security is not improved unless rshd, rlogind, and rexecd are disM-- + System security is not improved unless ^[[1mrshd^[[22m, ^[[1mrlogind^[[22m, and ^[[1mrexecd ^[[22mare disM-bM-^@M-^P abled (thus completely disabling rlogin and rsh into the machine). - SSH protocol version 2 + ^[[1mSSH protocol version 2^[[0m - Version 2 works similarly: Each host has a host-specific key (RSA or DSA) + Version 2 works similarly: Each host has a hostM-bM-^@M-^Pspecific key (RSA or DSA) used to identify the host. However, when the daemon starts, it does not - generate a server key. Forward security is provided through a Diffie- + generate a server key. Forward security is provided through a DiffieM-bM-^@M-^P Hellman key agreement. This key agreement results in a shared session key. 
@@ -60,19 +60,19 @@ 128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit AES, or 256 bit AES. The client selects the encryption algorithm to use from those offered by the server. Additionally, session integrity is provided - through a cryptographic message authentication code (hmac-sha1 or hmac- + through a cryptographic message authentication code (hmacM-bM-^@M-^Psha1 or hmacM-bM-^@M-^P md5). - Protocol version 2 provides a public key based user (PubkeyAuthenticaM-- + Protocol version 2 provides a public key based user (PubkeyAuthenticaM-bM-^@M-^P tion) or client host (HostbasedAuthentication) authentication method, - conventional password authentication and challenge response based methM-- + conventional password authentication and challenge response based methM-bM-^@M-^P ods. - Command execution and data forwarding + ^[[1mCommand execution and data forwarding^[[0m If the client successfully authenticates itself, a dialog for preparing the session is entered. At this time the client may request things like - allocating a pseudo-tty, forwarding X11 connections, forwarding TCP/IP + allocating a pseudoM-bM-^@M-^Ptty, forwarding X11 connections, forwarding TCP/IP connections, or forwarding the authentication agent connection over the secure channel. 
@@ -81,390 +81,390 @@ data at any time, and such data is forwarded to/from the shell or command on the server side, and the user terminal in the client side. - When the user program terminates and all forwarded X11 and other connecM-- + When the user program terminates and all forwarded X11 and other connecM-bM-^@M-^P tions have been closed, the server sends command exit status to the client, and both sides exit. - sshd can be configured using command-line options or a configuration - file. Command-line options override values specified in the configuraM-- + ^[[1msshd ^[[22mcan be configured using commandM-bM-^@M-^Pline options or a configuration + file. CommandM-bM-^@M-^Pline options override values specified in the configuraM-bM-^@M-^P tion file. - sshd rereads its configuration file when it receives a hangup signal, + ^[[1msshd ^[[22mrereads its configuration file when it receives a hangup signal, SIGHUP, by executing itself with the name it was started as, i.e., - /usr/sbin/sshd. + ^[[4m/usr/sbin/sshd^[[24m. The options are as follows: - -b bits + ^[[1mM-bMM-^Rb ^[[4m^[[22mbits^[[0m Specifies the number of bits in the ephemeral protocol version 1 server key (default 768). - -d Debug mode. The server sends verbose debug output to the system + ^[[1mM-bMM-^Rd ^[[22mDebug mode. The server sends verbose debug output to the system log, and does not put itself in the background. The server also will not fork and will only process one connection. This option - is only intended for debugging for the server. Multiple -d + is only intended for debugging for the server. Multiple ^[[1mM-bMM-^Rd^[[0m options increase the debugging level. Maximum is 3. - -e When this option is specified, sshd will send the output to the + ^[[1mM-bMM-^Re ^[[22mWhen this option is specified, ^[[1msshd ^[[22mwill send the output to the standard error instead of the system log. 
- -f configuration_file + ^[[1mM-bMM-^Rf ^[[4m^[[22mconfiguration_file^[[0m Specifies the name of the configuration file. The default is - /etc/ssh/sshd_config. sshd refuses to start if there is no conM-- + ^[[4m/etc/ssh/sshd_config^[[24m. ^[[1msshd ^[[22mrefuses to start if there is no conM-bM-^@M-^P figuration file. - -g login_grace_time + ^[[1mM-bMM-^Rg ^[[4m^[[22mlogin_grace_time^[[0m Gives the grace time for clients to authenticate themselves (default 120 seconds). If the client fails to authenticate the user within this many seconds, the server disconnects and exits. A value of zero indicates no limit. - -h host_key_file + ^[[1mM-bMM-^Rh ^[[4m^[[22mhost_key_file^[[0m Specifies a file from which a host key is read. This option must - be given if sshd is not run as root (as the normal host key files + be given if ^[[1msshd ^[[22mis not run as root (as the normal host key files are normally not readable by anyone but root). The default is - /etc/ssh/ssh_host_key for protocol version 1, and - /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for proM-- + ^[[4m/etc/ssh/ssh_host_key^[[24m for protocol version 1, and + ^[[4m/etc/ssh/ssh_host_rsa_key^[[24m and ^[[4m/etc/ssh/ssh_host_dsa_key^[[24m for proM-bM-^@M-^P tocol version 2. It is possible to have multiple host key files for the different protocol versions and host key algorithms. - -i Specifies that sshd is being run from inetd. sshd is normally + ^[[1mM-bMM-^Ri ^[[22mSpecifies that ^[[1msshd ^[[22mis being run from inetd(8). ^[[1msshd ^[[22mis normally not run from inetd because it needs to generate the server key before it can respond to the client, and this may take tens of seconds. Clients would have to wait too long if the key was regenerated every time. However, with small key sizes (e.g., - 512) using sshd from inetd may be feasible. + 512) using ^[[1msshd ^[[22mfrom inetd may be feasible. 
- -k key_gen_time + ^[[1mM-bMM-^Rk ^[[4m^[[22mkey_gen_time^[[0m Specifies how often the ephemeral protocol version 1 server key - is regenerated (default 3600 seconds, or one hour). The motivaM-- + is regenerated (default 3600 seconds, or one hour). The motivaM-bM-^@M-^P tion for regenerating the key fairly often is that the key is not stored anywhere, and after about an hour, it becomes impossible to recover the key for decrypting intercepted communications even if the machine is cracked into or physically seized. A value of zero indicates that the key will never be regenerated. - -o option - Can be used to give options in the format used in the configuraM-- + ^[[1mM-bMM-^Ro ^[[4m^[[22moption^[[0m + Can be used to give options in the format used in the configuraM-bM-^@M-^P tion file. This is useful for specifying options for which there - is no separate command-line flag. + is no separate commandM-bM-^@M-^Pline flag. - -p port + ^[[1mM-bMM-^Rp ^[[4m^[[22mport^[[0m Specifies the port on which the server listens for connections - (default 22). Multiple port options are permitted. Ports speciM-- - fied in the configuration file are ignored when a command-line + (default 22). Multiple port options are permitted. Ports speciM-bM-^@M-^P + fied in the configuration file are ignored when a commandM-bM-^@M-^Pline port is specified. - -q Quiet mode. Nothing is sent to the system log. Normally the + ^[[1mM-bMM-^Rq ^[[22mQuiet mode. Nothing is sent to the system log. Normally the beginning, authentication, and termination of each connection is logged. - -t Test mode. Only check the validity of the configuration file and - sanity of the keys. This is useful for updating sshd reliably as + ^[[1mM-bMM-^Rt ^[[22mTest mode. Only check the validity of the configuration file and + sanity of the keys. This is useful for updating ^[[1msshd ^[[22mreliably as configuration options may change. 
- -u len This option is used to specify the size of the field in the utmp + ^[[1mM-bMM-^Ru ^[[4m^[[22mlen^[[24m This option is used to specify the size of the field in the utmp structure that holds the remote host name. If the resolved host - name is longer than len, the dotted decimal value will be used - instead. This allows hosts with very long host names that overM-- - flow this field to still be uniquely identified. Specifying -u0 + name is longer than ^[[4mlen^[[24m, the dotted decimal value will be used + instead. This allows hosts with very long host names that overM-bM-^@M-^P + flow this field to still be uniquely identified. Specifying ^[[1mM-bMM-^Ru0^[[0m indicates that only dotted decimal addresses should be put into - the utmp file. -u0 is also be used to prevent sshd from making + the ^[[4mutmp^[[24m file. ^[[1mM-bMM-^Ru0 ^[[22mmay also be used to prevent ^[[1msshd ^[[22mfrom making DNS requests unless the authentication mechanism or configuration requires it. Authentication mechanisms that may require DNS - include RhostsAuthentication, RhostsRSAAuthentication, - HostbasedAuthentication and using a from="pattern-list" option in + include ^[[1mRhostsAuthentication^[[22m, ^[[1mRhostsRSAAuthentication^[[22m, + ^[[1mHostbasedAuthentication ^[[22mand using a ^[[1mfrom="patternM-bM-^@M-^Plist" ^[[22moption in a key file. Configuration options that require DNS include using - a USER@HOST pattern in AllowUsers or DenyUsers. + a USER@HOST pattern in ^[[1mAllowUsers ^[[22mor ^[[1mDenyUsers^[[22m. - -D When this option is specified sshd will not detach and does not - become a daemon. This allows easy monitoring of sshd. + ^[[1mM-bMM-^RD ^[[22mWhen this option is specified ^[[1msshd ^[[22mwill not detach and does not + become a daemon. This allows easy monitoring of ^[[1msshd^[[22m. - -4 Forces sshd to use IPv4 addresses only. + ^[[1mM-bMM-^R4 ^[[22mForces ^[[1msshd ^[[22mto use IPv4 addresses only. - -6 Forces sshd to use IPv6 addresses only. 
+ ^[[1mM-bMM-^R6 ^[[22mForces ^[[1msshd ^[[22mto use IPv6 addresses only. -CONFIGURATION FILE - sshd reads configuration data from /etc/ssh/sshd_config (or the file - specified with -f on the command line). The file format and configuraM-- +^[[1mCONFIGURATION FILE^[[0m + ^[[1msshd ^[[22mreads configuration data from ^[[4m/etc/ssh/sshd_config^[[24m (or the file + specified with ^[[1mM-bMM-^Rf ^[[22mon the command line). The file format and configuraM-bM-^@M-^P tion options are described in sshd_config(5). -LOGIN PROCESS - When a user successfully logs in, sshd does the following: +^[[1mLOGIN PROCESS^[[0m + When a user successfully logs in, ^[[1msshd ^[[22mdoes the following: 1. If the login is on a tty, and no command has been specified, - prints last login time and /etc/motd (unless prevented in the - configuration file or by $HOME/.hushlogin; see the FILES secM-- + prints last login time and ^[[4m/etc/motd^[[24m (unless prevented in the + configuration file or by ^[[4m$HOME/.hushlogin^[[24m; see the ^[[4mFILES^[[24m secM-bM-^@M-^P tion). 2. If the login is on a tty, records login time. - 3. Checks /etc/nologin; if it exists, prints contents and quits + 3. Checks ^[[4m/etc/nologin^[[24m; if it exists, prints contents and quits (unless root). 4. Changes to run with normal user privileges. 5. Sets up basic environment. - 6. Reads $HOME/.ssh/environment if it exists and users are + 6. Reads ^[[4m$HOME/.ssh/environment^[[24m if it exists and users are allowed to change their environment. See the - PermitUserEnvironment option in sshd_config(5). + ^[[1mPermitUserEnvironment ^[[22moption in sshd_config(5). - 7. Changes to user's home directory. + 7. Changes to userM-bM-^@M-^Ys home directory. - 8. If $HOME/.ssh/rc exists, runs it; else if /etc/ssh/sshrc - exists, runs it; otherwise runs xauth. The ``rc'' files are + 8. If ^[[4m$HOME/.ssh/rc^[[24m exists, runs it; else if ^[[4m/etc/ssh/sshrc^[[0m + exists, runs it; otherwise runs xauth. 
The M-bM-^@M-^\rcM-bM-^@M-^] files are given the X11 authentication protocol and cookie in standard input. - 9. Runs user's shell or command. + 9. Runs userM-bM-^@M-^Ys shell or command. -AUTHORIZED_KEYS FILE FORMAT - $HOME/.ssh/authorized_keys is the default file that lists the public keys +^[[1mAUTHORIZED_KEYS FILE FORMAT^[[0m + ^[[4m$HOME/.ssh/authorized_keys^[[24m is the default file that lists the public keys that are permitted for RSA authentication in protocol version 1 and for public key authentication (PubkeyAuthentication) in protocol version 2. - AuthorizedKeysFile may be used to specify an alternative file. + ^[[1mAuthorizedKeysFile ^[[22mmay be used to specify an alternative file. Each line of the file contains one key (empty lines and lines starting - with a `#' are ignored as comments). Each RSA public key consists of the + with a M-bM-^@M-^X#M-bM-^@M-^Y are ignored as comments). Each RSA public key consists of the following fields, separated by spaces: options, bits, exponent, modulus, - comment. Each protocol version 2 public key consists of: options, keyM-- + comment. Each protocol version 2 public key consists of: options, keyM-bM-^@M-^P type, base64 encoded key, comment. The options field is optional; its presence is determined by whether the line starts with a number or not - (the options field never starts with a number). The bits, exponent, modM-- - ulus and comment fields give the RSA key for protocol version 1; the comM-- + (the options field never starts with a number). The bits, exponent, modM-bM-^@M-^P + ulus and comment fields give the RSA key for protocol version 1; the comM-bM-^@M-^P ment field is not used for anything (but may be convenient for the user - to identify the key). For protocol version 2 the keytype is ``ssh-dss'' - or ``ssh-rsa''. + to identify the key). For protocol version 2 the keytype is M-bM-^@M-^\sshM-bM-^@M-^PdssM-bM-^@M-^] or + M-bM-^@M-^\sshM-bM-^@M-^PrsaM-bM-^@M-^]. 
Note that lines in this file are usually several hundred bytes long - (because of the size of the public key encoding). You don't want to type - them in; instead, copy the identity.pub, id_dsa.pub or the id_rsa.pub + (because of the size of the public key encoding). You donM-bM-^@M-^Yt want to type + them in; instead, copy the ^[[4midentity.pub^[[24m, ^[[4mid_dsa.pub^[[24m or the ^[[4mid_rsa.pub^[[0m file and edit it. - sshd enforces a minimum RSA key modulus size for protocol 1 and protocol + ^[[1msshd ^[[22menforces a minimum RSA key modulus size for protocol 1 and protocol 2 keys of 768 bits. - The options (if present) consist of comma-separated option specificaM-- - tions. No spaces are permitted, except within double quotes. The folM-- + The options (if present) consist of commaM-bM-^@M-^Pseparated option specificaM-bM-^@M-^P + tions. No spaces are permitted, except within double quotes. The folM-bM-^@M-^P lowing option specifications are supported (note that option keywords are - case-insensitive): + caseM-bM-^@M-^Pinsensitive): - from="pattern-list" + ^[[1mfrom="patternM-bM-^@M-^Plist"^[[0m Specifies that in addition to public key authentication, the - canonical name of the remote host must be present in the comma- - separated list of patterns (`*' and `'? serve as wildcards). + canonical name of the remote host must be present in the commaM-bM-^@M-^P + separated list of patterns (M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? serve as wildcards). The list may also contain patterns negated by prefixing them with - `'!; if the canonical host name matches a negated pattern, the + M-bM-^@M-^XM-bM-^@M-^Y!; if the canonical host name matches a negated pattern, the key is not accepted. 
The purpose of this option is to optionally increase security: public key authentication by itself does not - trust the network or name servers or anything (but the key); howM-- + trust the network or name servers or anything (but the key); howM-bM-^@M-^P ever, if somebody somehow steals the key, the key permits an intruder to log in from anywhere in the world. This additional option makes using a stolen key more difficult (name servers and/or routers would have to be compromised in addition to just the key). - command="command" + ^[[1mcommand="command"^[[0m Specifies that the command is executed whenever this key is used for authentication. The command supplied by the user (if any) is ignored. The command is run on a pty if the client requests a - pty; otherwise it is run without a tty. If a 8-bit clean channel - is required, one must not request a pty or should specify no-pty. - A quote may be included in the command by quoting it with a backM-- - slash. This option might be useful to restrict certain public - keys to perform just a specific operation. An example might be a - key that permits remote backups but nothing else. Note that the - client may specify TCP/IP and/or X11 forwarding unless they are - explicitly prohibited. Note that this option applies to shell, - command or subsystem execution. + pty; otherwise it is run without a tty. If an 8M-bM-^@M-^Pbit clean chanM-bM-^@M-^P + nel is required, one must not request a pty or should specify + ^[[1mnoM-bM-^@M-^Ppty^[[22m. A quote may be included in the command by quoting it + with a backslash. This option might be useful to restrict cerM-bM-^@M-^P + tain public keys to perform just a specific operation. An examM-bM-^@M-^P + ple might be a key that permits remote backups but nothing else. + Note that the client may specify TCP/IP and/or X11 forwarding + unless they are explicitly prohibited. Note that this option + applies to shell, command or subsystem execution. 
- environment="NAME=value" + ^[[1menvironment="NAME=value"^[[0m Specifies that the string is to be added to the environment when logging in using this key. Environment variables set this way override other default environment values. Multiple options of this type are permitted. Environment processing is disabled by - default and is controlled via the PermitUserEnvironment option. - This option is automatically disabled if UseLogin is enabled. + default and is controlled via the ^[[1mPermitUserEnvironment ^[[22moption. + This option is automatically disabled if ^[[1mUseLogin ^[[22mis enabled. - no-port-forwarding - Forbids TCP/IP forwarding when this key is used for authenticaM-- + ^[[1mnoM-bM-^@M-^PportM-bM-^@M-^Pforwarding^[[0m + Forbids TCP/IP forwarding when this key is used for authenticaM-bM-^@M-^P tion. Any port forward requests by the client will return an - error. This might be used, e.g., in connection with the command + error. This might be used, e.g., in connection with the ^[[1mcommand^[[0m option. - no-X11-forwarding + ^[[1mnoM-bM-^@M-^PX11M-bM-^@M-^Pforwarding^[[0m Forbids X11 forwarding when this key is used for authentication. Any X11 forward requests by the client will return an error. - no-agent-forwarding + ^[[1mnoM-bM-^@M-^PagentM-bM-^@M-^Pforwarding^[[0m Forbids authentication agent forwarding when this key is used for authentication. - no-pty Prevents tty allocation (a request to allocate a pty will fail). + ^[[1mnoM-bM-^@M-^Ppty ^[[22mPrevents tty allocation (a request to allocate a pty will fail). - permitopen="host:port" - Limit local ``ssh -L'' port forwarding such that it may only conM-- - nect to the specified host and port. IPv6 addresses can be specM-- - ified with an alternative syntax: host/port. Multiple permitopen + ^[[1mpermitopen="host:port"^[[0m + Limit local M-bM-^@M-^XM-bM-^@M-^Xssh M-bM-^@M-^PLM-bM-^@M-^YM-bM-^@M-^Y port forwarding such that it may only conM-bM-^@M-^P + nect to the specified host and port. 
IPv6 addresses can be specM-bM-^@M-^P + ified with an alternative syntax: ^[[4mhost/port^[[24m. Multiple ^[[1mpermitopen^[[0m options may be applied separated by commas. No pattern matching is performed on the specified hostnames, they must be literal domains or addresses. - Examples + ^[[1mExamples^[[0m 1024 33 12121...312314325 ylo@foo.bar from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula - command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 + command="dump /home",noM-bM-^@M-^Ppty,noM-bM-^@M-^PportM-bM-^@M-^Pforwarding 1024 33 23...2323 backup.hut.fi permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 -SSH_KNOWN_HOSTS FILE FORMAT - The /etc/ssh/ssh_known_hosts, and $HOME/.ssh/known_hosts files contain +^[[1mSSH_KNOWN_HOSTS FILE FORMAT^[[0m + The ^[[4m/etc/ssh/ssh_known_hosts^[[24m and ^[[4m$HOME/.ssh/known_hosts^[[24m files contain host public keys for all known hosts. The global file should be prepared - by the administrator (optional), and the per-user file is maintained + by the administrator (optional), and the perM-bM-^@M-^Puser file is maintained automatically: whenever the user connects from an unknown host its key is - added to the per-user file. + added to the perM-bM-^@M-^Puser file. Each line in these files contains the following fields: hostnames, bits, exponent, modulus, comment. The fields are separated by spaces. - Hostnames is a comma-separated list of patterns ('*' and '?' act as wildM-- + Hostnames is a commaM-bM-^@M-^Pseparated list of patterns (M-bM-^@M-^Y*M-bM-^@M-^Y and M-bM-^@M-^Y?M-bM-^@M-^Y act as wildM-bM-^@M-^P cards); each pattern in turn is matched against the canonical host name - (when authenticating a client) or against the user-supplied name (when - authenticating a server). A pattern may also be preceded by `'! to + (when authenticating a client) or against the userM-bM-^@M-^Psupplied name (when + authenticating a server). 
A pattern may also be preceded by M-bM-^@M-^XM-bM-^@M-^Y! to indicate negation: if the host name matches a negated pattern, it is not accepted (by that line) even if it matched another pattern on the line. Bits, exponent, and modulus are taken directly from the RSA host key; - they can be obtained, e.g., from /etc/ssh/ssh_host_key.pub. The optional + they can be obtained, e.g., from ^[[4m/etc/ssh/ssh_host_key.pub^[[24m. The optional comment field continues to the end of the line, and is not used. - Lines starting with `#' and empty lines are ignored as comments. + Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are ignored as comments. When performing host authentication, authentication is accepted if any - matching line has the proper key. It is thus permissible (but not recomM-- + matching line has the proper key. It is thus permissible (but not recomM-bM-^@M-^P mended) to have several lines or different host keys for the same names. This will inevitably happen when short forms of host names from different - domains are put in the file. It is possible that the files contain conM-- + domains are put in the file. It is possible that the files contain conM-bM-^@M-^P flicting information; authentication is accepted if valid information can be found from either file. Note that the lines in these files are typically hundreds of characters - long, and you definitely don't want to type in the host keys by hand. - Rather, generate them by a script or by taking /etc/ssh/ssh_host_key.pub + long, and you definitely donM-bM-^@M-^Yt want to type in the host keys by hand. + Rather, generate them by a script or by taking ^[[4m/etc/ssh/ssh_host_key.pub^[[0m and adding the host names at the front. 
- Examples + ^[[1mExamples^[[0m closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi - cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= + cvs.openbsd.org,199.185.137.3 sshM-bM-^@M-^Prsa AAAA1234.....= -FILES +^[[1mFILES^[[0m /etc/ssh/sshd_config - Contains configuration data for sshd. The file format and conM-- + Contains configuration data for ^[[1msshd^[[22m. The file format and conM-bM-^@M-^P figuration options are described in sshd_config(5). /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key These three files contain the private parts of the host keys. These files should only be owned by root, readable only by root, - and not accessible to others. Note that sshd does not start if - this file is group/world-accessible. + and not accessible to others. Note that ^[[1msshd ^[[22mdoes not start if + this file is group/worldM-bM-^@M-^Paccessible. /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_rsa_key.pub These three files contain the public parts of the host keys. - These files should be world-readable but writable only by root. + These files should be worldM-bM-^@M-^Preadable but writable only by root. Their contents should match the respective private parts. These files are not really used for anything; they are provided for the convenience of the user so their contents can be copied to known - hosts files. These files are created using ssh-keygen(1). + hosts files. These files are created using sshM-bM-^@M-^Pkeygen(1). /etc/moduli - Contains Diffie-Hellman groups used for the "Diffie-Hellman Group + Contains DiffieM-bM-^@M-^PHellman groups used for the "DiffieM-bM-^@M-^PHellman Group Exchange". The file format is described in moduli(5). /var/empty - chroot(2) directory used by sshd during privilege separation in - the pre-authentication phase. 
The directory should not contain - any files and must be owned by root and not group or world- + chroot(2) directory used by ^[[1msshd ^[[22mduring privilege separation in + the preM-bM-^@M-^Pauthentication phase. The directory should not contain + any files and must be owned by root and not group or worldM-bM-^@M-^P writable. /var/run/sshd.pid - Contains the process ID of the sshd listening for connections (if + Contains the process ID of the ^[[1msshd ^[[22mlistening for connections (if there are several daemons running concurrently for different ports, this contains the process ID of the one started last). - The content of this file is not sensitive; it can be world-readM-- + The content of this file is not sensitive; it can be worldM-bM-^@M-^PreadM-bM-^@M-^P able. $HOME/.ssh/authorized_keys Lists the public keys (RSA or DSA) that can be used to log into - the user's account. This file must be readable by root (which - may on some machines imply it being world-readable if the user's + the userM-bM-^@M-^Ys account. This file must be readable by root (which + may on some machines imply it being worldM-bM-^@M-^Preadable if the userM-bM-^@M-^Ys home directory resides on an NFS volume). It is recommended that it not be accessible by others. The format of this file is described above. Users will place the contents of their - identity.pub, id_dsa.pub and/or id_rsa.pub files into this file, - as described in ssh-keygen(1). + ^[[4midentity.pub^[[24m, ^[[4mid_dsa.pub^[[24m and/or ^[[4mid_rsa.pub^[[24m files into this file, + as described in sshM-bM-^@M-^Pkeygen(1). /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts - These files are consulted when using rhosts with RSA host authenM-- + These files are consulted when using rhosts with RSA host authenM-bM-^@M-^P tication or protocol version 2 hostbased authentication to check the public key of the host. The key must be listed in one of these files to be accepted. 
The client uses the same files to verify that it is connecting to the correct remote host. These files should be writable only by root/the owner. - /etc/ssh/ssh_known_hosts should be world-readable, and - $HOME/.ssh/known_hosts can but need not be world-readable. + ^[[4m/etc/ssh/ssh_known_hosts^[[24m should be worldM-bM-^@M-^Preadable, and + ^[[4m$HOME/.ssh/known_hosts^[[24m can, but need not be, worldM-bM-^@M-^Preadable. /etc/nologin - If this file exists, sshd refuses to let anyone except root log + If this file exists, ^[[1msshd ^[[22mrefuses to let anyone except root log in. The contents of the file are displayed to anyone trying to - log in, and non-root connections are refused. The file should be - world-readable. + log in, and nonM-bM-^@M-^Proot connections are refused. The file should be + worldM-bM-^@M-^Preadable. /etc/hosts.allow, /etc/hosts.deny - Access controls that should be enforced by tcp-wrappers are + Access controls that should be enforced by tcpM-bM-^@M-^Pwrappers are defined here. Further details are described in hosts_access(5). $HOME/.rhosts - This file contains host-username pairs, separated by a space, one + This file contains hostM-bM-^@M-^Pusername pairs, separated by a space, one per line. The given user on the corresponding host is permitted - to log in without password. The same file is used by rlogind and - rshd. The file must be writable only by the user; it is recomM-- - mended that it not be accessible by others. + to log in without a password. The same file is used by rlogind + and rshd. The file must be writable only by the user; it is recM-bM-^@M-^P + ommended that it not be accessible by others. If is also possible to use netgroups in the file. Either host or user name may be of the form +@groupname to specify all hosts or all users in the group. $HOME/.shosts - For ssh, this file is exactly the same as for .rhosts. However, + For ssh, this file is exactly the same as for ^[[4m.rhosts^[[24m. 
However, this file is not used by rlogin and rshd, so using this permits access using SSH only. /etc/hosts.equiv - This file is used during .rhosts authentication. In the simplest + This file is used during ^[[4m.rhosts^[[24m authentication. In the simplest form, this file contains host names, one per line. Users on those hosts are permitted to log in without a password, provided they have the same user name on both machines. The host name may also be followed by a user name; such users are permitted to log - in as any user on this machine (except root). Additionally, the - syntax ``+@group'' can be used to specify netgroups. Negated - entries start with `-'. + in as ^[[4many^[[24m user on this machine (except root). Additionally, the + syntax M-bM-^@M-^\+@groupM-bM-^@M-^] can be used to specify netgroups. Negated + entries start with M-bM-^@M-^XM-bM-^@M-^PM-bM-^@M-^Y. If the client host/user is successfully matched in this file, login is automatically permitted provided the client and server user names are the same. Additionally, successful RSA host authentication is normally required. This file must be writable - only by root; it is recommended that it be world-readable. + only by root; it is recommended that it be worldM-bM-^@M-^Preadable. - Warning: It is almost never a good idea to use user names in - hosts.equiv. Beware that it really means that the named user(s) - can log in as anybody, which includes bin, daemon, adm, and other + ^[[1mWarning: It is almost never a good idea to use user names in^[[0m + ^[[4mhosts.equiv^[[24m. Beware that it really means that the named user(s) + can log in as ^[[4manybody^[[24m, which includes bin, daemon, adm, and other accounts that own critical binaries and directories. Using a user name practically grants the user root access. The only valid use for user names that I can think of is in negative 
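Review bot: The added lines of this regenerated sshd.0 carry raw terminal escape sequences (^[[1m, ^[[4m, ^[[0m) and multi-byte hyphens and quotes (M-bM-^@M-^P, M-bM-^@M-^Y) where the removed lines were plain ASCII, so literal strings a reader has to type no longer survive. The known_hosts example key type now reads sshM-bM-^@M-^Prsa instead of ssh-rsa, and the negation marker in the hosts.equiv text is no longer an ASCII '-'. Regenerate the preformatted page for an ASCII output device with SGR escapes disabled before shipping it. The context line "If is also possible to use netgroups" also still carries the "If"/"It" typo and could be fixed in sshd.8 in the same pass.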
@@ -473,75 +473,75 @@ Note that this warning also applies to rsh/rlogin. /etc/shosts.equiv - This is processed exactly as /etc/hosts.equiv. However, this + This is processed exactly as ^[[4m/etc/hosts.equiv^[[24m. However, this file may be useful in environments that want to run both rsh/rlogin and ssh. $HOME/.ssh/environment This file is read into the environment at login (if it exists). It can only contain empty lines, comment lines (that start with - `#'), and assignment lines of the form name=value. The file + M-bM-^@M-^X#M-bM-^@M-^Y), and assignment lines of the form name=value. The file should be writable only by the user; it need not be readable by anyone else. Environment processing is disabled by default and - is controlled via the PermitUserEnvironment option. + is controlled via the ^[[1mPermitUserEnvironment ^[[22moption. $HOME/.ssh/rc - If this file exists, it is run with /bin/sh after reading the - environment files but before starting the user's shell or comM-- + If this file exists, it is run with ^[[4m/bin/sh^[[24m after reading the + environment files but before starting the userM-bM-^@M-^Ys shell or comM-bM-^@M-^P mand. It must not produce any output on stdout; stderr must be used instead. If X11 forwarding is in use, it will receive the "proto cookie" pair in its standard input (and DISPLAY in its - environment). The script must call xauth(1) because sshd will + environment). The script must call xauth(1) because ^[[1msshd ^[[22mwill not run xauth automatically to add X11 cookies. The primary purpose of this file is to run any initialization - routines which may be needed before the user's home directory - becomes accessible; AFS is a particular example of such an enviM-- + routines which may be needed before the userM-bM-^@M-^Ys home directory + becomes accessible; AFS is a particular example of such an enviM-bM-^@M-^P ronment. 
This file will probably contain some initialization code followed by something similar to: - if read proto cookie && [ -n "$DISPLAY" ]; then - if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then + if read proto cookie && [ M-bM-^@M-^Pn "$DISPLAY" ]; then + if [ M-bM-^@M-^Xecho $DISPLAY | cut M-bM-^@M-^Pc1M-bM-^@M-^P10M-bM-^@M-^X = M-bM-^@M-^Ylocalhost:M-bM-^@M-^Y ]; then # X11UseLocalhost=yes - echo add unix:`echo $DISPLAY | - cut -c11-` $proto $cookie + echo add unix:M-bM-^@M-^Xecho $DISPLAY | + cut M-bM-^@M-^Pc11M-bM-^@M-^PM-bM-^@M-^X $proto $cookie else # X11UseLocalhost=no echo add $DISPLAY $proto $cookie - fi | xauth -q - + fi | xauth M-bM-^@M-^Pq M-bM-^@M-^P fi - If this file does not exist, /etc/ssh/sshrc is run, and if that + If this file does not exist, ^[[4m/etc/ssh/sshrc^[[24m is run, and if that does not exist either, xauth is used to add the cookie. This file should be writable only by the user, and need not be readable by anyone else. /etc/ssh/sshrc - Like $HOME/.ssh/rc. This can be used to specify machine-specific - login-time initializations globally. This file should be - writable only by root, and should be world-readable. + Like ^[[4m$HOME/.ssh/rc^[[24m. This can be used to specify machineM-bM-^@M-^Pspecific + loginM-bM-^@M-^Ptime initializations globally. This file should be + writable only by root, and should be worldM-bM-^@M-^Preadable. -AUTHORS +^[[1mAUTHORS^[[0m OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo - de Raadt and Dug Song removed many bugs, re-added newer features and creM-- + de Raadt and Dug Song removed many bugs, reM-bM-^@M-^Padded newer features and creM-bM-^@M-^P ated OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. 
-SEE ALSO - scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), - login.conf(5), moduli(5), sshd_config(5), sftp-server(8) +^[[1mSEE ALSO^[[0m + scp(1), sftp(1), ssh(1), sshM-bM-^@M-^Padd(1), sshM-bM-^@M-^Pagent(1), sshM-bM-^@M-^Pkeygen(1), + login.conf(5), moduli(5), sshd_config(5), sftpM-bM-^@M-^Pserver(8) - T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH - Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January + T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, ^[[4mSSH^[[0m + ^[[4mProtocol^[[24m ^[[4mArchitecture^[[24m, draftM-bM-^@M-^PietfM-bM-^@M-^PsecshM-bM-^@M-^ParchitectureM-bM-^@M-^P12.txt, January 2002, work in progress material. - M. Friedl, N. Provos, and W. A. Simpson, Diffie-Hellman Group Exchange - for the SSH Transport Layer Protocol, draft-ietf-secsh-dh-group- - exchange-02.txt, January 2002, work in progress material. + M. Friedl, N. Provos, and W. A. Simpson, ^[[4mDiffieM-bM-^@M-^PHellman^[[24m ^[[4mGroup^[[24m ^[[4mExchange^[[0m + ^[[4mfor^[[24m ^[[4mthe^[[24m ^[[4mSSH^[[24m ^[[4mTransport^[[24m ^[[4mLayer^[[24m ^[[4mProtocol^[[24m, draftM-bM-^@M-^PietfM-bM-^@M-^PsecshM-bM-^@M-^PdhM-bM-^@M-^PgroupM-bM-^@M-^P + exchangeM-bM-^@M-^P02.txt, January 2002, work in progress material. BSD September 25, 1999 BSD diff -ru openssh-3.5p1/sshd.8 openssh-3.6p1/sshd.8 --- openssh-3.5p1/sshd.8 2002-09-25 12:20:54.000000000 +1000 +++ openssh-3.6p1/sshd.8 2003-02-24 11:52:27.000000000 +1100 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.193 2002/09/24 20:59:44 todd Exp $ +.\" $OpenBSD: sshd.8,v 1.194 2003/01/31 21:54:40 jmc Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -43,6 +43,7 @@ .Nd OpenSSH SSH daemon .Sh SYNOPSIS .Nm sshd +.Bk -words .Op Fl deiqtD46 .Op Fl b Ar bits .Op Fl f Ar config_file 
@@ -52,6 +53,7 @@ .Op Fl o Ar option .Op Fl p Ar port .Op Fl u Ar len +.Ek .Sh DESCRIPTION .Nm (SSH Daemon) is the daemon program for @@ -75,7 +77,7 @@ .Nm supports both SSH protocol version 1 and 2 simultaneously. .Nm -works as follows. +works as follows: .Pp .Ss SSH protocol version 1 .Pp @@ -86,7 +88,7 @@ This key is normally regenerated every hour if it has been used, and is never stored on disk. .Pp -Whenever a client connects the daemon responds with its public +Whenever a client connects, the daemon responds with its public host and server keys. The client compares the RSA host key against its own database to verify that it has not changed. @@ -119,7 +121,7 @@ .Nm rshd , .Nm rlogind , and -.Xr rexecd +.Nm rexecd are disabled (thus completely disabling .Xr rlogin and @@ -189,7 +191,9 @@ log, and does not put itself in the background. The server also will not fork and will only process one connection. This option is only intended for debugging for the server. -Multiple -d options increase the debugging level. +Multiple +.Fl d +options increase the debugging level. Maximum is 3. .It Fl e When this option is specified, @@ -225,7 +229,8 @@ .It Fl i Specifies that .Nm -is being run from inetd. +is being run from +.Xr inetd 8 . .Nm is normally not run from inetd because it needs to generate the server key before it can @@ -282,7 +287,7 @@ .Pa utmp file. .Fl u0 -is also be used to prevent +may also be used to prevent .Nm from making DNS requests unless the authentication mechanism or configuration requires it. @@ -446,7 +451,7 @@ The command supplied by the user (if any) is ignored. The command is run on a pty if the client requests a pty; otherwise it is run without a tty. -If a 8-bit clean channel is required, +If an 8-bit clean channel is required, one must not request a pty or should specify .Cm no-pty . A quote may be included in the command by quoting it with a backslash. 
@@ -506,7 +511,7 @@ permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\|.\|.\|2323 .Sh SSH_KNOWN_HOSTS FILE FORMAT The -.Pa /etc/ssh/ssh_known_hosts , +.Pa /etc/ssh/ssh_known_hosts and .Pa $HOME/.ssh/known_hosts files contain host public keys for all known hosts. @@ -627,7 +632,7 @@ .Pa /etc/ssh/ssh_known_hosts should be world-readable, and .Pa $HOME/.ssh/known_hosts -can but need not be world-readable. +can, but need not be, world-readable. .It Pa /etc/nologin If this file exists, .Nm @@ -644,7 +649,7 @@ This file contains host-username pairs, separated by a space, one per line. The given user on the corresponding host is permitted to log in -without password. +without a password. The same file is used by rlogind and rshd. The file must be writable only by the user; it is recommended that it not be @@ -713,7 +718,9 @@ .Cm PermitUserEnvironment option. .It Pa $HOME/.ssh/rc -If this file exists, it is run with /bin/sh after reading the +If this file exists, it is run with +.Pa /bin/sh +after reading the environment files but before starting the user's shell or command. It must not produce any output on stdout; stderr must be used instead. diff -ru openssh-3.5p1/sshd.c openssh-3.6p1/sshd.c --- openssh-3.5p1/sshd.c 2002-09-30 11:59:23.000000000 +1000 +++ openssh-3.6p1/sshd.c 2003-03-10 11:38:10.000000000 +1100 @@ -42,7 +42,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.260 2002/09/27 10:42:09 mickey Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.263 2003/02/16 17:09:57 markus Exp $"); #include #include @@ -202,8 +202,8 @@ int startup_pipe; /* in child */ /* variables used for privilege separation */ -extern struct monitor *pmonitor; -extern int use_privsep; +int use_privsep; +struct monitor *pmonitor; /* Prototypes for various functions defined later in this file. */ void destroy_sensitive_data(void); 
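Review bot: In the privilege-separation variables block, the two extern declarations become definitions in sshd.c, but nothing visible here removes the definitions they used to refer to. If those remain in another file, the build ends up with two definitions of use_privsep and pmonitor, which links only where common symbols are merged. Confirm the old definitions are dropped in the same change, and consider explicit initializers (use_privsep = 0, pmonitor = NULL) so the state before configuration is parsed is stated rather than implied.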
@@ -827,9 +827,17 @@ __progname = get_progname(av[0]); init_rng(); - /* Save argv. */ + /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ saved_argc = ac; saved_argv = av; + saved_argv = xmalloc(sizeof(*saved_argv) * ac); + for (i = 0; i < ac; i++) + saved_argv[i] = xstrdup(av[i]); + +#ifndef HAVE_SETPROCTITLE + /* Prepare for later setproctitle emulation */ + compat_init_setproctitle(ac, av); +#endif /* Initialize configuration options to their default values. */ initialize_server_options(&options); @@ -944,7 +952,7 @@ SYSLOG_LEVEL_INFO : options.log_level, options.log_facility == SYSLOG_FACILITY_NOT_SET ? SYSLOG_FACILITY_AUTH : options.log_facility, - !inetd_flag); + log_stderr || !inetd_flag); #ifdef _UNICOS /* Cray can define user privs drop all prives now! @@ -1058,8 +1066,8 @@ #else if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0) #endif - fatal("Bad owner or mode for %s", - _PATH_PRIVSEP_CHROOT_DIR); + fatal("%s must be owned by root and not group or " + "world-writable.", _PATH_PRIVSEP_CHROOT_DIR); } /* Configuration looks good, so exit if in test mode. */ @@ -1392,8 +1400,12 @@ * setlogin() affects the entire process group. We don't * want the child to be able to affect the parent. */ -#if 0 - /* XXX: this breaks Solaris */ +#if !defined(STREAMS_PUSH_ACQUIRES_CTTY) + /* + * If setsid is called on Solaris, sshd will acquire the controlling + * terminal while pushing STREAMS modules. This will prevent the + * shell from acquiring it later. + */ if (!debug_flag && !inetd_flag && setsid() < 0) error("setsid: %.100s", strerror(errno)); #endif 
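Review bot: The new guard around setsid() turns the call back on for every platform where STREAMS_PUSH_ACQUIRES_CTTY is not defined, where the old "#if 0" had disabled it everywhere, so the fix depends entirely on the build defining that macro on Solaris. That definition is not shown in this hunk, and without it the original breakage returns. The new comment also sits inside the #if !defined(...) branch while describing the platform that branch excludes; moving it above the #if would make it read correctly. A failed setsid() is still only reported through error() and startup continues, which is worth a second look given the context comment's stated goal that the child not be able to affect the parent.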
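Review bot: In the @@ -827,9 +827,17 @@ hunk of sshd.c, the duplicated saved_argv is allocated with room for exactly ac pointers and the copy loop stops at ac, so unlike av it has no terminating NULL entry. Any later consumer that treats saved_argv as an argv vector, rather than indexing up to saved_argc, will read past the allocation. Allocate ac + 1 entries and set saved_argv[ac] = NULL after the loop. The context line "saved_argv = av;" is now a dead store, overwritten immediately by the xmalloc() result, and should be removed.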
@@ -1806,6 +1818,8 @@ /* start key exchange */ kex = kex_setup(myproposal); + kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; + kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->server = 1; kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; diff -ru openssh-3.5p1/sshd_config.0 openssh-3.6p1/sshd_config.0 --- openssh-3.5p1/sshd_config.0 2002-10-04 11:31:46.000000000 +1000 +++ openssh-3.6p1/sshd_config.0 2003-03-26 16:12:39.000000000 +1100 
@@ -1,445 +1,444 @@ -SSHD_CONFIG(5) System File Formats Manual SSHD_CONFIG(5) +SSHD_CONFIG(5) BSD File Formats Manual SSHD_CONFIG(5) -NAME - sshd_config - OpenSSH SSH daemon configuration file +^[[1mNAME^[[0m + ^[[1msshd_config ^[[22mM-bMM-^R OpenSSH SSH daemon configuration file -SYNOPSIS - /etc/ssh/sshd_config +^[[1mSYNOPSIS^[[0m + ^[[4m/etc/ssh/sshd_config^[[0m -DESCRIPTION - sshd reads configuration data from /etc/ssh/sshd_config (or the file - specified with -f on the command line). The file contains keyword-arguM-- - ment pairs, one per line. Lines starting with `#' and empty lines are +^[[1mDESCRIPTION^[[0m + ^[[1msshd ^[[22mreads configuration data from ^[[4m/etc/ssh/sshd_config^[[24m (or the file + specified with ^[[1mM-bMM-^Rf ^[[22mon the command line). The file contains keywordM-bM-^@M-^ParguM-bM-^@M-^P + ment pairs, one per line. Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are interpreted as comments. - The possible keywords and their meanings are as follows (note that keyM-- - words are case-insensitive and arguments are case-sensitive): + The possible keywords and their meanings are as follows (note that keyM-bM-^@M-^P + words are caseM-bM-^@M-^Pinsensitive and arguments are caseM-bM-^@M-^Psensitive): - AFSTokenPassing + ^[[1mAFSTokenPassing^[[0m Specifies whether an AFS token may be forwarded to the server. - Default is ``no''. + Default is M-bM-^@M-^\noM-bM-^@M-^]. - AllowGroups + ^[[1mAllowGroups^[[0m This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one - of the patterns. `*' and `'? can be used as wildcards in the + of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. 
- AllowTcpForwarding + ^[[1mAllowTcpForwarding^[[0m Specifies whether TCP forwarding is permitted. The default is - ``yes''. Note that disabling TCP forwarding does not improve - security unless users are also denied shell access, as they can + M-bM-^@M-^\yesM-bM-^@M-^]. Note that disabling TCP forwarding does not improve secuM-bM-^@M-^P + rity unless users are also denied shell access, as they can always install their own forwarders. - AllowUsers + ^[[1mAllowUsers^[[0m This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for - users names that match one of the patterns. `*' and `'? can be + user names that match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. - AuthorizedKeysFile + ^[[1mAuthorizedKeysFile^[[0m Specifies the file that contains the public keys that can be used - for user authentication. AuthorizedKeysFile may contain tokens - of the form %T which are substituted during connection set-up. + for user authentication. ^[[1mAuthorizedKeysFile ^[[22mmay contain tokens + of the form %T which are substituted during connection setM-bM-^@M-^Pup. The following tokens are defined: %% is replaced by a literal - '%', %h is replaced by the home directory of the user being + M-bM-^@M-^Y%M-bM-^@M-^Y, %h is replaced by the home directory of the user being authenticated and %u is replaced by the username of that user. - After expansion, AuthorizedKeysFile is taken to be an absolute - path or one relative to the user's home directory. The default - is ``.ssh/authorized_keys''. 
+ After expansion, ^[[1mAuthorizedKeysFile ^[[22mis taken to be an absolute + path or one relative to the userM-bM-^@M-^Ys home directory. The default + is M-bM-^@M-^\.ssh/authorized_keysM-bM-^@M-^]. - Banner In some jurisdictions, sending a warning message before authentiM-- - cation may be relevant for getting legal protection. The conM-- + ^[[1mBanner ^[[22mIn some jurisdictions, sending a warning message before authentiM-bM-^@M-^P + cation may be relevant for getting legal protection. The conM-bM-^@M-^P tents of the specified file are sent to the remote user before authentication is allowed. This option is only available for protocol version 2. By default, no banner is displayed. - ChallengeResponseAuthentication + ^[[1mChallengeResponseAuthentication^[[0m Specifies whether challenge response authentication is allowed. All authentication styles from login.conf(5) are supported. The - default is ``yes''. + default is M-bM-^@M-^\yesM-bM-^@M-^]. - Ciphers + ^[[1mCiphers^[[0m Specifies the ciphers allowed for protocol version 2. Multiple - ciphers must be comma-separated. The default is + ciphers must be commaM-bM-^@M-^Pseparated. The default is - ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, - aes192-cbc,aes256-cbc'' + M-bM-^@M-^XM-bM-^@M-^Xaes128M-bM-^@M-^Pcbc,3desM-bM-^@M-^Pcbc,blowfishM-bM-^@M-^Pcbc,cast128M-bM-^@M-^Pcbc,arcfour, + aes192M-bM-^@M-^Pcbc,aes256M-bM-^@M-^PcbcM-bM-^@M-^YM-bM-^@M-^Y - ClientAliveInterval + ^[[1mClientAliveInterval^[[0m Sets a timeout interval in seconds after which if no data has - been received from the client, sshd will send a message through + been received from the client, ^[[1msshd ^[[22mwill send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. This option applies to protocol version 2 only. 
- ClientAliveCountMax + ^[[1mClientAliveCountMax^[[0m Sets the number of client alive messages (see above) which may be - sent without sshd receiving any messages back from the client. If + sent without ^[[1msshd ^[[22mreceiving any messages back from the client. If this threshold is reached while client alive messages are being - sent, sshd will disconnect the client, terminating the session. + sent, ^[[1msshd ^[[22mwill disconnect the client, terminating the session. It is important to note that the use of client alive messages is - very different from KeepAlive (below). The client alive messages + very different from ^[[1mKeepAlive ^[[22m(below). The client alive messages are sent through the encrypted channel and therefore will not be - spoofable. The TCP keepalive option enabled by KeepAlive is + spoofable. The TCP keepalive option enabled by ^[[1mKeepAlive ^[[22mis spoofable. The client alive mechanism is valuable when the client - or server depend on knowing when a connection has become inacM-- + or server depend on knowing when a connection has become inacM-bM-^@M-^P tive. - The default value is 3. If ClientAliveInterval (above) is set to - 15, and ClientAliveCountMax is left at the default, unresponsive + The default value is 3. If ^[[1mClientAliveInterval ^[[22m(above) is set to + 15, and ^[[1mClientAliveCountMax ^[[22mis left at the default, unresponsive ssh clients will be disconnected after approximately 45 seconds. - Compression + ^[[1mCompression^[[0m Specifies whether compression is allowed. The argument must be - ``yes'' or ``no''. The default is ``yes''. + M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\yesM-bM-^@M-^]. - DenyGroups + ^[[1mDenyGroups^[[0m This keyword can be followed by a list of group name patterns, separated by spaces. Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. - `*' and `'? can be used as wildcards in the patterns. 
Only + M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. - DenyUsers + ^[[1mDenyUsers^[[0m This keyword can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that - match one of the patterns. `*' and `'? can be used as wildcards + match one of the patterns. M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. - GatewayPorts + ^[[1mGatewayPorts^[[0m Specifies whether remote hosts are allowed to connect to ports - forwarded for the client. By default, sshd binds remote port + forwarded for the client. By default, ^[[1msshd ^[[22mbinds remote port forwardings to the loopback address. This prevents other remote - hosts from connecting to forwarded ports. GatewayPorts can be - used to specify that sshd should bind remote port forwardings to + hosts from connecting to forwarded ports. ^[[1mGatewayPorts ^[[22mcan be + used to specify that ^[[1msshd ^[[22mshould bind remote port forwardings to the wildcard address, thus allowing remote hosts to connect to - forwarded ports. The argument must be ``yes'' or ``no''. The - default is ``no''. + forwarded ports. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The + default is M-bM-^@M-^\noM-bM-^@M-^]. - HostbasedAuthentication + ^[[1mHostbasedAuthentication^[[0m Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (hostbased authentication). 
This option is similar to - RhostsRSAAuthentication and applies to protocol version 2 only. - The default is ``no''. + ^[[1mRhostsRSAAuthentication ^[[22mand applies to protocol version 2 only. + The default is M-bM-^@M-^\noM-bM-^@M-^]. - HostKey + ^[[1mHostKey^[[0m Specifies a file containing a private host key used by SSH. The - default is /etc/ssh/ssh_host_key for protocol version 1, and - /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for proM-- - tocol version 2. Note that sshd will refuse to use a file if it - is group/world-accessible. It is possible to have multiple host - key files. ``rsa1'' keys are used for version 1 and ``dsa'' or - ``rsa'' are used for version 2 of the SSH protocol. - - IgnoreRhosts - Specifies that .rhosts and .shosts files will not be used in - RhostsAuthentication, RhostsRSAAuthentication or - HostbasedAuthentication. - - /etc/hosts.equiv and /etc/shosts.equiv are still used. The - default is ``yes''. - - IgnoreUserKnownHosts - Specifies whether sshd should ignore the user's - $HOME/.ssh/known_hosts during RhostsRSAAuthentication or - HostbasedAuthentication. The default is ``no''. + default is ^[[4m/etc/ssh/ssh_host_key^[[24m for protocol version 1, and + ^[[4m/etc/ssh/ssh_host_rsa_key^[[24m and ^[[4m/etc/ssh/ssh_host_dsa_key^[[24m for proM-bM-^@M-^P + tocol version 2. Note that ^[[1msshd ^[[22mwill refuse to use a file if it + is group/worldM-bM-^@M-^Paccessible. It is possible to have multiple host + key files. M-bM-^@M-^\rsa1M-bM-^@M-^] keys are used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^] or M-bM-^@M-^\rsaM-bM-^@M-^] + are used for version 2 of the SSH protocol. + + ^[[1mIgnoreRhosts^[[0m + Specifies that ^[[4m.rhosts^[[24m and ^[[4m.shosts^[[24m files will not be used in + ^[[1mRhostsAuthentication^[[22m, ^[[1mRhostsRSAAuthentication ^[[22mor + ^[[1mHostbasedAuthentication^[[22m. + + ^[[4m/etc/hosts.equiv^[[24m and ^[[4m/etc/shosts.equiv^[[24m are still used. The + default is M-bM-^@M-^\yesM-bM-^@M-^]. 
+ + ^[[1mIgnoreUserKnownHosts^[[0m + Specifies whether ^[[1msshd ^[[22mshould ignore the userM-bM-^@M-^Ys + ^[[4m$HOME/.ssh/known_hosts^[[24m during ^[[1mRhostsRSAAuthentication ^[[22mor + ^[[1mHostbasedAuthentication^[[22m. The default is M-bM-^@M-^\noM-bM-^@M-^]. - KeepAlive + ^[[1mKeepAlive^[[0m Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, - this means that connections will die if the route is down temM-- + this means that connections will die if the route is down temM-bM-^@M-^P porarily, and some people find it annoying. On the other hand, if keepalives are not sent, sessions may hang indefinitely on the - server, leaving ``ghost'' users and consuming server resources. + server, leaving M-bM-^@M-^\ghostM-bM-^@M-^] users and consuming server resources. - The default is ``yes'' (to send keepalives), and the server will + The default is M-bM-^@M-^\yesM-bM-^@M-^] (to send keepalives), and the server will notice if the network goes down or the client host crashes. This avoids infinitely hanging sessions. - To disable keepalives, the value should be set to ``no''. + To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^]. - KerberosAuthentication + ^[[1mKerberosAuthentication^[[0m Specifies whether Kerberos authentication is allowed. This can - be in the form of a Kerberos ticket, or if PasswordAuthentication + be in the form of a Kerberos ticket, or if ^[[1mPasswordAuthentication^[[0m is yes, the password provided by the user will be validated through the Kerberos KDC. To use this option, the server needs a - Kerberos servtab which allows the verification of the KDC's idenM-- - tity. Default is ``no''. + Kerberos servtab which allows the verification of the KDCM-bM-^@M-^Ys idenM-bM-^@M-^P + tity. Default is M-bM-^@M-^\noM-bM-^@M-^]. 
- KerberosOrLocalPasswd + ^[[1mKerberosOrLocalPasswd^[[0m If set then if password authentication through Kerberos fails then the password will be validated via any additional local - mechanism such as /etc/passwd. Default is ``yes''. + mechanism such as ^[[4m/etc/passwd^[[24m. Default is M-bM-^@M-^\yesM-bM-^@M-^]. - KerberosTgtPassing + ^[[1mKerberosTgtPassing^[[0m Specifies whether a Kerberos TGT may be forwarded to the server. - Default is ``no'', as this only works when the Kerberos KDC is + Default is M-bM-^@M-^\noM-bM-^@M-^], as this only works when the Kerberos KDC is actually an AFS kaserver. - KerberosTicketCleanup - Specifies whether to automatically destroy the user's ticket - cache file on logout. Default is ``yes''. + ^[[1mKerberosTicketCleanup^[[0m + Specifies whether to automatically destroy the userM-bM-^@M-^Ys ticket + cache file on logout. Default is M-bM-^@M-^\yesM-bM-^@M-^]. - KeyRegenerationInterval + ^[[1mKeyRegenerationInterval^[[0m In protocol version 1, the ephemeral server key is automatically regenerated after this many seconds (if it has been used). The - purpose of regeneration is to prevent decrypting captured sesM-- + purpose of regeneration is to prevent decrypting captured sesM-bM-^@M-^P sions by later breaking into the machine and stealing the keys. The key is never stored anywhere. If the value is 0, the key is never regenerated. The default is 3600 (seconds). - ListenAddress - Specifies the local addresses sshd should listen on. The followM-- + ^[[1mListenAddress^[[0m + Specifies the local addresses ^[[1msshd ^[[22mshould listen on. The followM-bM-^@M-^P ing forms may be used: - ListenAddress host|IPv4_addr|IPv6_addr - ListenAddress host|IPv4_addr:port - ListenAddress [host|IPv6_addr]:port - - If port is not specified, sshd will listen on the address and all - prior Port options specified. The default is to listen on all - local addresses. Multiple ListenAddress options are permitted. 
- Additionally, any Port options must precede this option for non + ^[[1mListenAddress ^[[4m^[[22mhost^[[24m|^[[4mIPv4_addr^[[24m|^[[4mIPv6_addr^[[0m + ^[[1mListenAddress ^[[4m^[[22mhost^[[24m|^[[4mIPv4_addr^[[24m:^[[4mport^[[0m + ^[[1mListenAddress ^[[22m[^[[4mhost^[[24m|^[[4mIPv6_addr^[[24m]:^[[4mport^[[0m + + If ^[[4mport^[[24m is not specified, ^[[1msshd ^[[22mwill listen on the address and all + prior ^[[1mPort ^[[22moptions specified. The default is to listen on all + local addresses. Multiple ^[[1mListenAddress ^[[22moptions are permitted. + Additionally, any ^[[1mPort ^[[22moptions must precede this option for non port qualified addresses. - LoginGraceTime - The server disconnects after this time if the user has not sucM-- + ^[[1mLoginGraceTime^[[0m + The server disconnects after this time if the user has not sucM-bM-^@M-^P cessfully logged in. If the value is 0, there is no time limit. The default is 120 seconds. - LogLevel + ^[[1mLogLevel^[[0m Gives the verbosity level that is used when logging messages from - sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VERM-- + ^[[1msshd^[[22m. The possible values are: QUIET, FATAL, ERROR, INFO, VERM-bM-^@M-^P BOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with a DEBUG level violates the privacy of users and is not recommended. - MACs Specifies the available MAC (message authentication code) algoM-- + ^[[1mMACs ^[[22mSpecifies the available MAC (message authentication code) algoM-bM-^@M-^P rithms. The MAC algorithm is used in protocol version 2 for data - integrity protection. Multiple algorithms must be comma-sepaM-- + integrity protection. Multiple algorithms must be commaM-bM-^@M-^PsepaM-bM-^@M-^P rated. The default is - ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''. 
+ M-bM-^@M-^\hmacM-bM-^@M-^Pmd5,hmacM-bM-^@M-^Psha1,hmacM-bM-^@M-^Pripemd160,hmacM-bM-^@M-^Psha1M-bM-^@M-^P96,hmacM-bM-^@M-^Pmd5M-bM-^@M-^P96M-bM-^@M-^]. - MaxStartups - Specifies the maximum number of concurrent unauthenticated conM-- - nections to the sshd daemon. Additional connections will be - dropped until authentication succeeds or the LoginGraceTime + ^[[1mMaxStartups^[[0m + Specifies the maximum number of concurrent unauthenticated conM-bM-^@M-^P + nections to the ^[[1msshd ^[[22mdaemon. Additional connections will be + dropped until authentication succeeds or the ^[[1mLoginGraceTime^[[0m expires for a connection. The default is 10. Alternatively, random early drop can be enabled by specifying the - three colon separated values ``start:rate:full'' (e.g., - "10:30:60"). sshd will refuse connection attempts with a probaM-- - bility of ``rate/100'' (30%) if there are currently ``start'' - (10) unauthenticated connections. The probability increases linM-- - early and all connection attempts are refused if the number of - unauthenticated connections reaches ``full'' (60). + three colon separated values M-bM-^@M-^\start:rate:fullM-bM-^@M-^] (e.g., + "10:30:60"). ^[[1msshd ^[[22mwill refuse connection attempts with a probaM-bM-^@M-^P + bility of M-bM-^@M-^\rate/100M-bM-^@M-^] (30%) if there are currently M-bM-^@M-^\startM-bM-^@M-^] (10) + unauthenticated connections. The probability increases linearly + and all connection attempts are refused if the number of unauM-bM-^@M-^P + thenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60). - PAMAuthenticationViaKbdInt + ^[[1mPAMAuthenticationViaKbdInt^[[0m Specifies whether PAM challenge response authentication is allowed. This allows the use of most PAM challenge response authentication modules, but it will allow password authentication - regardless of whether PasswordAuthentication is enabled. + regardless of whether ^[[1mPasswordAuthentication ^[[22mis enabled. 
- PasswordAuthentication + ^[[1mPasswordAuthentication^[[0m Specifies whether password authentication is allowed. The - default is ``yes''. + default is M-bM-^@M-^\yesM-bM-^@M-^]. - PermitEmptyPasswords + ^[[1mPermitEmptyPasswords^[[0m When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The - default is ``no''. + default is M-bM-^@M-^\noM-bM-^@M-^]. - PermitRootLogin + ^[[1mPermitRootLogin^[[0m Specifies whether root can login using ssh(1). The argument must - be ``yes'', ``without-password'', ``forced-commands-only'' or - ``no''. The default is ``yes''. + be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\withoutM-bM-^@M-^PpasswordM-bM-^@M-^], M-bM-^@M-^\forcedM-bM-^@M-^PcommandsM-bM-^@M-^PonlyM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. + The default is M-bM-^@M-^\yesM-bM-^@M-^]. - If this option is set to ``without-password'' password authentiM-- - cation is disabled for root. + If this option is set to M-bM-^@M-^\withoutM-bM-^@M-^PpasswordM-bM-^@M-^] password authenticaM-bM-^@M-^P + tion is disabled for root. - If this option is set to ``forced-commands-only'' root login with + If this option is set to M-bM-^@M-^\forcedM-bM-^@M-^PcommandsM-bM-^@M-^PonlyM-bM-^@M-^] root login with public key authentication will be allowed, but only if the - command option has been specified (which may be useful for taking + ^[[4mcommand^[[24m option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root. - If this option is set to ``no'' root is not allowed to login. + If this option is set to M-bM-^@M-^\noM-bM-^@M-^] root is not allowed to login. - PermitUserEnvironment - Specifies whether ~/.ssh/environment and environment= options in - ~/.ssh/authorized_keys are processed by sshd. The default is - ``no''. 
Enabling environment processing may enable users to - bypass access restrictions in some configurations using mechaM-- - nisms such as LD_PRELOAD. - - PidFile - Specifies the file that contains the process ID of the sshd daeM-- - mon. The default is /var/run/sshd.pid. + ^[[1mPermitUserEnvironment^[[0m + Specifies whether ^[[4m~/.ssh/environment^[[24m and ^[[1menvironment= ^[[22moptions in + ^[[4m~/.ssh/authorized_keys^[[24m are processed by ^[[1msshd^[[22m. The default is + M-bM-^@M-^\noM-bM-^@M-^]. Enabling environment processing may enable users to bypass + access restrictions in some configurations using mechanisms such + as LD_PRELOAD. + + ^[[1mPidFile^[[0m + Specifies the file that contains the process ID of the ^[[1msshd ^[[22mdaeM-bM-^@M-^P + mon. The default is ^[[4m/var/run/sshd.pid^[[24m. - Port Specifies the port number that sshd listens on. The default is + ^[[1mPort ^[[22mSpecifies the port number that ^[[1msshd ^[[22mlistens on. The default is 22. Multiple options of this type are permitted. See also - ListenAddress. + ^[[1mListenAddress^[[22m. - PrintLastLog - Specifies whether sshd should print the date and time when the - user last logged in. The default is ``yes''. + ^[[1mPrintLastLog^[[0m + Specifies whether ^[[1msshd ^[[22mshould print the date and time when the + user last logged in. The default is M-bM-^@M-^\yesM-bM-^@M-^]. - PrintMotd - Specifies whether sshd should print /etc/motd when a user logs in + ^[[1mPrintMotd^[[0m + Specifies whether ^[[1msshd ^[[22mshould print ^[[4m/etc/motd^[[24m when a user logs in interactively. (On some systems it is also printed by the shell, - /etc/profile, or equivalent.) The default is ``yes''. + ^[[4m/etc/profile^[[24m, or equivalent.) The default is M-bM-^@M-^\yesM-bM-^@M-^]. - Protocol - Specifies the protocol versions sshd supports. The possible valM-- - ues are ``1'' and ``2''. Multiple versions must be comma-sepaM-- - rated. The default is ``2,1''. 
Note that the order of the proM-- - tocol list does not indicate preference, because the client - selects among multiple protocol versions offered by the server. - Specifying ``2,1'' is identical to ``1,2''. + ^[[1mProtocol^[[0m + Specifies the protocol versions ^[[1msshd ^[[22msupports. The possible valM-bM-^@M-^P + ues are M-bM-^@M-^\1M-bM-^@M-^] and M-bM-^@M-^\2M-bM-^@M-^]. Multiple versions must be commaM-bM-^@M-^Pseparated. + The default is M-bM-^@M-^\2,1M-bM-^@M-^]. Note that the order of the protocol list + does not indicate preference, because the client selects among + multiple protocol versions offered by the server. Specifying + M-bM-^@M-^\2,1M-bM-^@M-^] is identical to M-bM-^@M-^\1,2M-bM-^@M-^]. - PubkeyAuthentication + ^[[1mPubkeyAuthentication^[[0m Specifies whether public key authentication is allowed. The - default is ``yes''. Note that this option applies to protocol - version 2 only. + default is M-bM-^@M-^\yesM-bM-^@M-^]. Note that this option applies to protocol verM-bM-^@M-^P + sion 2 only. - RhostsAuthentication + ^[[1mRhostsAuthentication^[[0m Specifies whether authentication using rhosts or /etc/hosts.equiv - files is sufficient. Normally, this method should not be permitM-- - ted because it is insecure. RhostsRSAAuthentication should be - used instead, because it performs RSA-based host authentication + files is sufficient. Normally, this method should not be permitM-bM-^@M-^P + ted because it is insecure. ^[[1mRhostsRSAAuthentication ^[[22mshould be + used instead, because it performs RSAM-bM-^@M-^Pbased host authentication in addition to normal rhosts or /etc/hosts.equiv authentication. - The default is ``no''. This option applies to protocol version 1 + The default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only. - RhostsRSAAuthentication + ^[[1mRhostsRSAAuthentication^[[0m Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. 
The - default is ``no''. This option applies to protocol version 1 - only. + default is M-bM-^@M-^\noM-bM-^@M-^]. This option applies to protocol version 1 only. - RSAAuthentication + ^[[1mRSAAuthentication^[[0m Specifies whether pure RSA authentication is allowed. The - default is ``yes''. This option applies to protocol version 1 + default is M-bM-^@M-^\yesM-bM-^@M-^]. This option applies to protocol version 1 only. - ServerKeyBits + ^[[1mServerKeyBits^[[0m Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 768. - StrictModes - Specifies whether sshd should check file modes and ownership of - the user's files and home directory before accepting login. This + ^[[1mStrictModes^[[0m + Specifies whether ^[[1msshd ^[[22mshould check file modes and ownership of + the userM-bM-^@M-^Ys files and home directory before accepting login. This is normally desirable because novices sometimes accidentally - leave their directory or files world-writable. The default is - ``yes''. + leave their directory or files worldM-bM-^@M-^Pwritable. The default is + M-bM-^@M-^\yesM-bM-^@M-^]. - Subsystem + ^[[1mSubsystem^[[0m Configures an external subsystem (e.g., file transfer daemon). Arguments should be a subsystem name and a command to execute - upon subsystem request. The command sftp-server(8) implements - the ``sftp'' file transfer subsystem. By default no subsystems - are defined. Note that this option applies to protocol version 2 + upon subsystem request. The command sftpM-bM-^@M-^Pserver(8) implements + the M-bM-^@M-^\sftpM-bM-^@M-^] file transfer subsystem. By default no subsystems are + defined. Note that this option applies to protocol version 2 only. - SyslogFacility + ^[[1mSyslogFacility^[[0m Gives the facility code that is used when logging messages from - sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, + ^[[1msshd^[[22m. 
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. - UseLogin - Specifies whether login(1) is used for interactive login sesM-- - sions. The default is ``no''. Note that login(1) is never used + ^[[1mUseLogin^[[0m + Specifies whether login(1) is used for interactive login sesM-bM-^@M-^P + sions. The default is M-bM-^@M-^\noM-bM-^@M-^]. Note that login(1) is never used for remote command execution. Note also, that if this is - enabled, X11Forwarding will be disabled because login(1) does not - know how to handle xauth(1) cookies. If UsePrivilegeSeparation + enabled, ^[[1mX11Forwarding ^[[22mwill be disabled because login(1) does not + know how to handle xauth(1) cookies. If ^[[1mUsePrivilegeSeparation^[[0m is specified, it will be disabled after authentication. - UsePrivilegeSeparation - Specifies whether sshd separates privileges by creating an + ^[[1mUsePrivilegeSeparation^[[0m + Specifies whether ^[[1msshd ^[[22mseparates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of - privilege separation is to prevent privilege escalation by conM-- + privilege separation is to prevent privilege escalation by conM-bM-^@M-^P taining any corruption within the unprivileged processes. The - default is ``yes''. + default is M-bM-^@M-^\yesM-bM-^@M-^]. - VerifyReverseMapping - Specifies whether sshd should try to verify the remote host name + ^[[1mVerifyReverseMapping^[[0m + Specifies whether ^[[1msshd ^[[22mshould try to verify the remote host name and check that the resolved host name for the remote IP address - maps back to the very same IP address. The default is ``no''. + maps back to the very same IP address. The default is M-bM-^@M-^\noM-bM-^@M-^]. 
- X11DisplayOffset - Specifies the first display number available for sshd's X11 forM-- - warding. This prevents sshd from interfering with real X11 + ^[[1mX11DisplayOffset^[[0m + Specifies the first display number available for ^[[1msshd^[[22mM-bM-^@M-^Ys X11 forM-bM-^@M-^P + warding. This prevents ^[[1msshd ^[[22mfrom interfering with real X11 servers. The default is 10. - X11Forwarding + ^[[1mX11Forwarding^[[0m Specifies whether X11 forwarding is permitted. The argument must - be ``yes'' or ``no''. The default is ``no''. + be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default is M-bM-^@M-^\noM-bM-^@M-^]. When X11 forwarding is enabled, there may be additional exposure - to the server and to client displays if the sshd proxy display is - configured to listen on the wildcard address (see X11UseLocalhost + to the server and to client displays if the ^[[1msshd ^[[22mproxy display is + configured to listen on the wildcard address (see ^[[1mX11UseLocalhost^[[0m below), however this is not the default. Additionally, the authentication spoofing and authentication data verification and substitution occur on the client side. The security risk of - using X11 forwarding is that the client's X11 display server may + using X11 forwarding is that the clientM-bM-^@M-^Ys X11 display server may be exposed to attack when the ssh client requests forwarding (see - the warnings for ForwardX11 in ssh_config(5) ). A system adminisM-- + the warnings for ^[[1mForwardX11 ^[[22min ssh_config(5) ). A system adminisM-bM-^@M-^P trator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting - X11 forwarding, which can warrant a ``no'' setting. + X11 forwarding, which can warrant a M-bM-^@M-^\noM-bM-^@M-^] setting. Note that disabling X11 forwarding does not prevent users from forwarding X11 traffic, as users can always install their own - forwarders. X11 forwarding is automatically disabled if UseLogin + forwarders. 
X11 forwarding is automatically disabled if ^[[1mUseLogin^[[0m is enabled. - X11UseLocalhost - Specifies whether sshd should bind the X11 forwarding server to + ^[[1mX11UseLocalhost^[[0m + Specifies whether ^[[1msshd ^[[22mshould bind the X11 forwarding server to the loopback address or to the wildcard address. By default, - sshd binds the forwarding server to the loopback address and sets + ^[[1msshd ^[[22mbinds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to - ``localhost''. This prevents remote hosts from connecting to the + M-bM-^@M-^\localhostM-bM-^@M-^]. This prevents remote hosts from connecting to the proxy display. However, some older X11 clients may not function - with this configuration. X11UseLocalhost may be set to ``no'' to - specify that the forwarding server should be bound to the wildM-- - card address. The argument must be ``yes'' or ``no''. The - default is ``yes''. + with this configuration. ^[[1mX11UseLocalhost ^[[22mmay be set to M-bM-^@M-^\noM-bM-^@M-^] to + specify that the forwarding server should be bound to the wildM-bM-^@M-^P + card address. The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^]. The default + is M-bM-^@M-^\yesM-bM-^@M-^]. - XAuthLocation + ^[[1mXAuthLocation^[[0m Specifies the full pathname of the xauth(1) program. The default - is /usr/X11R6/bin/xauth. + is ^[[4m/usr/X11R6/bin/xauth^[[24m. 
- Time Formats + ^[[1mTime Formats^[[0m - sshd command-line arguments and configuration file options that specify - time may be expressed using a sequence of the form: time[qualifier], - where time is a positive integer value and qualifier is one of the folM-- + ^[[1msshd ^[[22mcommandM-bM-^@M-^Pline arguments and configuration file options that specify + time may be expressed using a sequence of the form: ^[[4mtime^[[24m[^[[4mqualifier^[[24m], + where ^[[4mtime^[[24m is a positive integer value and ^[[4mqualifier^[[24m is one of the folM-bM-^@M-^P lowing: - seconds - s | S seconds - m | M minutes - h | H hours - d | D days - w | W weeks + ^[[1m ^[[22mseconds + ^[[1ms ^[[22m| ^[[1mS ^[[22mseconds + ^[[1mm ^[[22m| ^[[1mM ^[[22mminutes + ^[[1mh ^[[22m| ^[[1mH ^[[22mhours + ^[[1md ^[[22m| ^[[1mD ^[[22mdays + ^[[1mw ^[[22m| ^[[1mW ^[[22mweeks Each member of the sequence is added together to calculate the total time value. 
@@ -450,21 +449,21 @@ 10m 10 minutes 1h30m 1 hour 30 minutes (90 minutes) -FILES +^[[1mFILES^[[0m /etc/ssh/sshd_config - Contains configuration data for sshd. This file should be - writable by root only, but it is recommended (though not necesM-- - sary) that it be world-readable. + Contains configuration data for ^[[1msshd^[[22m. This file should be + writable by root only, but it is recommended (though not necesM-bM-^@M-^P + sary) that it be worldM-bM-^@M-^Preadable. -AUTHORS +^[[1mAUTHORS^[[0m OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo - de Raadt and Dug Song removed many bugs, re-added newer features and creM-- + de Raadt and Dug Song removed many bugs, reM-bM-^@M-^Padded newer features and creM-bM-^@M-^P ated OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -SEE ALSO +^[[1mSEE ALSO^[[0m sshd(8) BSD September 25, 1999 BSD diff -ru openssh-3.5p1/sshd_config.5 openssh-3.6p1/sshd_config.5 --- openssh-3.5p1/sshd_config.5 2002-09-19 11:51:22.000000000 +1000 +++ openssh-3.6p1/sshd_config.5 2003-01-24 11:34:52.000000000 +1100 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.13 2002/09/16 20:12:11 stevesk Exp $ +.\" $OpenBSD: sshd_config.5,v 1.14 2003/01/23 08:58:47 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os 
@@ -89,7 +89,7 @@ .It Cm AllowUsers This keyword can be followed by a list of user name patterns, separated by spaces. -If specified, login is allowed only for users names that +If specified, login is allowed only for user names that match one of the patterns. .Ql \&* and diff -ru openssh-3.5p1/sshlogin.c openssh-3.6p1/sshlogin.c --- openssh-3.5p1/sshlogin.c 2002-09-04 16:45:11.000000000 +1000 +++ openssh-3.6p1/sshlogin.c 2003-01-02 10:43:56.000000000 +1100 @@ -70,7 +70,7 @@ struct logininfo *li; li = login_alloc_entry(pid, user, host, ttyname); - login_set_addr(li, addr, sizeof(struct sockaddr)); + login_set_addr(li, addr, addrlen); login_login(li); login_free_entry(li); } @@ -78,12 +78,12 @@ #ifdef LOGIN_NEEDS_UTMPX void record_utmp_only(pid_t pid, const char *ttyname, const char *user, - const char *host, struct sockaddr * addr) + const char *host, struct sockaddr * addr, socklen_t addrlen) { struct logininfo *li; li = login_alloc_entry(pid, user, host, ttyname); - login_set_addr(li, addr, sizeof(struct sockaddr)); + login_set_addr(li, addr, addrlen); login_utmp_only(li); login_free_entry(li); } diff -ru openssh-3.5p1/sshlogin.h openssh-3.6p1/sshlogin.h --- openssh-3.5p1/sshlogin.h 2002-09-04 16:45:11.000000000 +1000 +++ openssh-3.6p1/sshlogin.h 2003-01-02 10:43:56.000000000 +1100 @@ -22,7 +22,7 @@ #ifdef LOGIN_NEEDS_UTMPX void record_utmp_only(pid_t, const char *, const char *, const char *, - struct sockaddr *); + struct sockaddr *, socklen_t); #endif #endif diff -ru openssh-3.5p1/sshpty.c openssh-3.6p1/sshpty.c --- openssh-3.5p1/sshpty.c 2002-09-26 10:38:50.000000000 +1000 +++ openssh-3.6p1/sshpty.c 2003-02-24 11:54:10.000000000 +1100 @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshpty.c,v 1.7 2002/06/24 17:57:20 deraadt Exp $"); +RCSID("$OpenBSD: sshpty.c,v 1.8 2003/02/03 08:56:16 markus Exp $"); #ifdef HAVE_UTIL_H # include 
@@ -394,7 +394,7 @@ if (chown(ttyname, pw->pw_uid, gid) < 0) { if (errno == EROFS && (st.st_uid == pw->pw_uid || st.st_uid == 0)) - error("chown(%.100s, %u, %u) failed: %.100s", + debug("chown(%.100s, %u, %u) failed: %.100s", ttyname, (u_int)pw->pw_uid, (u_int)gid, strerror(errno)); else @@ -408,7 +408,7 @@ if (chmod(ttyname, mode) < 0) { if (errno == EROFS && (st.st_mode & (S_IRGRP | S_IROTH)) == 0) - error("chmod(%.100s, 0%o) failed: %.100s", + debug("chmod(%.100s, 0%o) failed: %.100s", ttyname, mode, strerror(errno)); else fatal("chmod(%.100s, 0%o) failed: %.100s", diff -ru openssh-3.5p1/version.h openssh-3.6p1/version.h --- openssh-3.5p1/version.h 2002-10-03 11:55:38.000000000 +1000 +++ openssh-3.6p1/version.h 2003-03-20 10:11:34.000000000 +1100 @@ -1,4 +1,3 @@ -/* $OpenBSD: version.h,v 1.35 2002/10/01 13:24:50 markus Exp $ */ - -#define SSH_VERSION "OpenSSH_3.5p1" - +/* $OpenBSD: version.h,v 1.36 2003/03/17 11:43:47 markus Exp $ */ + +#define SSH_VERSION "OpenSSH_3.6p1"
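Review bot: in the sshd_config.0 hunks, every added line carries raw terminal escape sequences (^[[1m, ^[[4m, ^[[0m) and multi-byte punctuation, rendered here as M-bM-^@M-^\ and M-bM-^@M-^P, in place of the ASCII quotes and hyphens on the removed lines. Anyone reading the preformatted page without a terminal that interprets those bytes sees the escapes inline, and values such as withoutM-bM-^@M-^Ppassword or hmacM-bM-^@M-^Psha1 can no longer be copied into sshd_config or found with an ASCII search. The wording on the visible lines is otherwise unchanged apart from rewrapping, so regenerate the .0 file with plain ASCII output before committing it.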
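Review bot: in sshlogin.c, both hunks change the length passed to login_set_addr() from the constant sizeof(struct sockaddr) to a caller-supplied addrlen, and nothing visible here bounds that value. Please confirm that login_set_addr() clamps the copy to the size of its destination, or add the check at these call sites, and state in sshlogin.h that addrlen is the length of the address actually stored at addr. The hunk at @@ -70,7 uses addrlen without showing the enclosing function's parameter list, so check that it gained the parameter the same way record_utmp_only() did.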
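Review bot: in sshpty.c at @@ -394,7, switching error() to debug() hides the tolerated chown() failure at the default LogLevel of INFO, and the tolerated case includes st.st_uid == 0, where the session continues on a tty still owned by root instead of pw->pw_uid. If that case is considered harmless on a read-only filesystem, add a comment saying why; otherwise keep a message at a level an administrator sees by default for the root-owned case and use debug() only when st.st_uid == pw->pw_uid.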
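Review bot: in sshpty.c at @@ -408,7, the chmod() failure that is now logged only at debug level is accepted whenever (st.st_mode & (S_IRGRP | S_IROTH)) == 0, which tests the read bits alone. A tty that is already world-writable on a read-only filesystem takes this branch without any message at the default log level, so consider including S_IWOTH in the mask, or leave this message at error() and downgrade only the chown() one.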