d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Vendor import of OpenSSH 5.5p1

Browse Source
This commit is contained in:
Dag-Erling Smørgrav 2010-04-28 08:37:00 +00:00
parent 5fe13e2e9b
commit f276912e6f
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/vendor-crypto/openssh/dist/; revision=207311
svn path=/vendor-crypto/openssh/5.5p1/; revision=207312; tag=vendor/openssh/5.5p1
46 changed files with 574 additions and 266 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

118
ChangeLog
View File

@ -1,4 +1,120 @@
20100307
20100410
- (dtucker) [configure.ac] Put the check for the existence of getaddrinfo
back so we disable the IPv6 tests if we don't have it.
20100409
- (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrong
ones. Based on a patch from Roumen Petrov.
- (dtucker) [configure.ac] Bug #1744: use pkg-config for libedit flags if we
have it and the path is not provided to --with-libedit. Based on a patch
from Iain Morgan.
- (dtucker) [configure.ac defines.h loginrec.c logintest.c] Bug #1732: enable
utmpx support on FreeBSD where possible. Patch from Ed Schouten, ok djm@
20100326
- (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detection
for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson
- (dtucker) [configure.ac] Bug #1741: Add section for Haiku, patch originally
by Ingo Weinhold via Scott McCreary, ok djm@
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/03/25 23:38:28
[servconf.c]
from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@
- djm@cvs.openbsd.org 2010/03/26 00:26:58
[ssh.1]
mention that -S none disables connection sharing; from Colin Watson
- (djm) [session.c] Allow ChrootDirectory to work on SELinux platforms -
set up SELinux execution context before chroot() call. From Russell
Coker via Colin watson; bz#1726 ok dtucker@
- (djm) [channels.c] Check for EPFNOSUPPORT as a socket() errno; bz#1721
ok dtucker@
- (dtucker) Bug #1725: explicitly link libX11 into gnome-ssh-askpass2 using
pkg-config, patch from Colin Watson. Needed for newer linkers (ie gold).
- (djm) [contrib/ssh-copy-id] Don't blow up when the agent has no keys;
bz#1723 patch from Adeodato Simóvia Colin Watson; ok dtucker@
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2010/03/26 01:06:13
[ssh_config.5]
Reformat default value of PreferredAuthentications entry (current
formatting implies ", " is acceptable as a separator, which it's not.
ok djm@
20100324
- (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory
containing the services file explicitely case-insensitive. This allows to
tweak the Windows services file reliably. Patch from vinschen at redhat.
20100321
- (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2010/03/08 09:41:27
[ssh-keygen.1]
sort the list of constraints (to -O); ok djm
- jmc@cvs.openbsd.org 2010/03/10 07:40:35
[ssh-keygen.1]
typos; from Ross Richardson
closes prs 6334 and 6335
- djm@cvs.openbsd.org 2010/03/10 23:27:17
[auth2-pubkey.c]
correct certificate logging and make it more consistent between
authorized_keys and TrustedCAKeys; ok markus@
- djm@cvs.openbsd.org 2010/03/12 01:06:25
[servconf.c]
unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@
- markus@cvs.openbsd.org 2010/03/12 11:37:40
[servconf.c]
do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()
- djm@cvs.openbsd.org 2010/03/13 21:10:38
[clientloop.c]
protocol conformance fix: send language tag when disconnecting normally;
spotted by 1.41421 AT gmail.com, ok markus@ deraadt@
- djm@cvs.openbsd.org 2010/03/13 21:45:46
[ssh-keygen.1]
Certificates are named *-cert.pub, not *_cert.pub; committing a diff
from stevesk@ ok me
- jmc@cvs.openbsd.org 2010/03/13 23:38:13
[ssh-keygen.1]
fix a formatting error (args need quoted); noted by stevesk
- stevesk@cvs.openbsd.org 2010/03/15 19:40:02
[key.c key.h ssh-keygen.c]
also print certificate type (user or host) for ssh-keygen -L
ok djm kettenis
- stevesk@cvs.openbsd.org 2010/03/16 15:46:52
[auth-options.c]
spelling in error message. ok djm kettenis
- djm@cvs.openbsd.org 2010/03/16 16:36:49
[version.h]
crank version to openssh-5.5 since we have a few fixes since 5.4;
requested deraadt@ kettenis@
- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Crank version numbers
20100314
- (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix
compilation failure when !HAVE_DLOPEN. Reported by felix-mindrot
AT fefe.de
- (djm) [Makefile.in] Respecify -lssh after -lopenbsd-compat for
ssh-pkcs11-helper to repair static builds (we do the same for
ssh-keyscan). Reported by felix-mindrot AT fefe.de
20100312
- (tim) [Makefile.in] Now that scard is gone, no need to make $(datadir)
- (tim) [Makefile.in] Add missing $(EXEEXT) to install targets.
Patch from Corinna Vinschen.
- (tim) [contrib/cygwin/Makefile] Fix list of documentation files to install
on a Cygwin installation. Patch from Corinna Vinschen.
20100311
- (tim) [contrib/suse/openssh.spec] crank version number here too.
report by imorgan AT nas.nasa.gov
20100309
- (dtucker) [configure.ac] Use a proper AC_CHECK_DECL for BROKEN_GETADDRINFO
so setting it in CFLAGS correctly skips IPv6 tests.
20100308
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/03/07 22:16:01
[ssh-keygen.c]

29
Makefile.in
View File

@ -1,4 +1,4 @@
# $Id: Makefile.in,v 1.306 2010/02/24 07:18:51 djm Exp $
# $Id: Makefile.in,v 1.309 2010/03/13 21:41:34 djm Exp $
# uncomment if you run a non bourne compatable shell. Ie. csh
#SHELL = @SH@
@ -160,7 +160,7 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readco
$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@ -249,26 +249,25 @@ install-files:
$(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
$(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir)
$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)
$(srcdir)/mkinstalldirs $(DESTDIR)$(datadir)
$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1
$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5
$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8
$(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir)
(umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH))
$(INSTALL) -m 0755 $(STRIP_OPT) ssh $(DESTDIR)$(bindir)/ssh
$(INSTALL) -m 0755 $(STRIP_OPT) scp $(DESTDIR)$(bindir)/scp
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-add $(DESTDIR)$(bindir)/ssh-add
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent $(DESTDIR)$(bindir)/ssh-agent
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen $(DESTDIR)$(bindir)/ssh-keygen
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan $(DESTDIR)$(bindir)/ssh-keyscan
$(INSTALL) -m 0755 $(STRIP_OPT) sshd $(DESTDIR)$(sbindir)/sshd
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
if test ! -z "$(INSTALL_SSH_RAND_HELPER)" ; then \
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-rand-helper $(DESTDIR)$(libexecdir)/ssh-rand-helper ; \
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-rand-helper$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-rand-helper$(EXEEXT) ; \
fi
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign $(DESTDIR)$(SSH_KEYSIGN)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper $(DESTDIR)$(SSH_PKCS11_HELPER)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp $(DESTDIR)$(bindir)/sftp
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server $(DESTDIR)$(SFTP_SERVER)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1

4
README
View File

@ -1,4 +1,4 @@
See http://www.openssh.com/txt/release-5.4 for the release notes.
See http://www.openssh.com/txt/release-5.5 for the release notes.
- A Japanese translation of this document and of the OpenSSH FAQ is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@ -62,4 +62,4 @@ References -
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
[7] http://www.openssh.com/faq.html
$Id: README,v 1.72 2010/03/07 22:41:02 djm Exp $
$Id: README,v 1.73 2010/03/21 19:11:55 djm Exp $

6
auth-options.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth-options.c,v 1.48 2010/03/07 11:57:13 dtucker Exp $ */
/* $OpenBSD: auth-options.c,v 1.49 2010/03/16 15:46:52 stevesk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -434,7 +434,7 @@ auth_cert_constraints(Buffer *c_orig, struct passwd *pw)
goto out;
}
if (strlen(command) != clen) {
error("force-command constrain contains \\0");
error("force-command constraint contains \\0");
goto out;
}
if (cert_forced_command != NULL) {
@ -454,7 +454,7 @@ auth_cert_constraints(Buffer *c_orig, struct passwd *pw)
goto out;
}
if (strlen(allowed) != clen) {
error("source-address constrain contains \\0");
error("source-address constraint contains \\0");
goto out;
}
if (cert_source_address_done++) {

31
auth2-pubkey.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-pubkey.c,v 1.21 2010/03/04 10:36:03 djm Exp $ */
/* $OpenBSD: auth2-pubkey.c,v 1.22 2010/03/10 23:27:17 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -240,22 +240,26 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
continue;
if (!key_equal(found, key->cert->signature_key))
continue;
debug("matching CA found: file %s, line %lu",
file, linenum);
fp = key_fingerprint(found, SSH_FP_MD5,
SSH_FP_HEX);
verbose("Found matching %s CA: %s",
key_type(found), fp);
xfree(fp);
debug("matching CA found: file %s, line %lu, %s %s",
file, linenum, key_type(found), fp);
if (key_cert_check_authority(key, 0, 0, pw->pw_name,
&reason) != 0) {
xfree(fp);
error("%s", reason);
auth_debug_add("%s", reason);
continue;
}
if (auth_cert_constraints(&key->cert->constraints,
pw) != 0)
pw) != 0) {
xfree(fp);
continue;
}
verbose("Accepted certificate ID \"%s\" "
"signed by %s CA %s via %s", key->cert->key_id,
key_type(found), fp, file);
xfree(fp);
found_key = 1;
break;
} else if (!key_is_cert_authority && key_equal(found, key)) {
@ -281,15 +285,15 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
static int
user_cert_trusted_ca(struct passwd *pw, Key *key)
{
char *key_fp, *ca_fp;
char *ca_fp;
const char *reason;
int ret = 0;
if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
return 0;
key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
ca_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
ca_fp = key_fingerprint(key->cert->signature_key,
SSH_FP_MD5, SSH_FP_HEX);
if (key_in_file(key->cert->signature_key,
options.trusted_user_ca_keys, 1) != 1) {
@ -306,13 +310,12 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
if (auth_cert_constraints(&key->cert->constraints, pw) != 0)
goto out;
verbose("%s certificate %s allowed by trusted %s key %s",
key_type(key), key_fp, key_type(key->cert->signature_key), ca_fp);
verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s",
key->cert->key_id, key_type(key->cert->signature_key), ca_fp,
options.trusted_user_ca_keys);
ret = 1;
out:
if (key_fp != NULL)
xfree(key_fp);
if (ca_fp != NULL)
xfree(ca_fp);
return ret;

6
channels.c
View File

@ -3252,7 +3252,11 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
sock = socket(ai->ai_family, ai->ai_socktype,
ai->ai_protocol);
if (sock < 0) {
if ((errno != EINVAL) && (errno != EAFNOSUPPORT)) {
if ((errno != EINVAL) && (errno != EAFNOSUPPORT)
#ifdef EPFNOSUPPORT
&& (errno != EPFNOSUPPORT)
#endif
) {
error("socket: %.100s", strerror(errno));
freeaddrinfo(aitop);
return -1;

3
clientloop.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.c,v 1.218 2010/01/28 00:21:18 djm Exp $ */
/* $OpenBSD: clientloop.c,v 1.219 2010/03/13 21:10:38 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1484,6 +1484,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
packet_start(SSH2_MSG_DISCONNECT);
packet_put_int(SSH2_DISCONNECT_BY_APPLICATION);
packet_put_cstring("disconnected by user");
packet_put_cstring(""); /* language tag */
packet_send();
packet_write_wait();
}

12
config.h.in
View File

@ -80,9 +80,6 @@
/* Define if you want to specify the path to your lastlog file */
#undef CONF_LASTLOG_FILE
/* Define if you want to specify the path to your utmpx file */
#undef CONF_UTMPX_FILE
/* Define if you want to specify the path to your utmp file */
#undef CONF_UTMP_FILE
@ -455,6 +452,9 @@
/* Define to 1 if you have the `getutxline' function. */
#undef HAVE_GETUTXLINE
/* Define to 1 if you have the `getutxuser' function. */
#undef HAVE_GETUTXUSER
/* Define to 1 if you have the `get_default_context_with_level' function. */
#undef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
@ -551,6 +551,9 @@
/* Define if system has libiaf that supports set_id */
#undef HAVE_LIBIAF
/* Define to 1 if you have the `network' library (-lnetwork). */
#undef HAVE_LIBNETWORK
/* Define to 1 if you have the `nsl' library (-lnsl). */
#undef HAVE_LIBNSL
@ -804,6 +807,9 @@
/* Define to 1 if you have the `setutent' function. */
#undef HAVE_SETUTENT
/* Define to 1 if you have the `setutxdb' function. */
#undef HAVE_SETUTXDB
/* Define to 1 if you have the `setutxent' function. */
#undef HAVE_SETUTXENT

293
configure vendored
View File

@ -1,5 +1,5 @@
#! /bin/sh
# From configure.ac Revision: 1.444 .
# From configure.ac Revision: 1.449 .
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.61 for OpenSSH Portable.
#
@ -693,6 +693,7 @@ LOGIN_PROGRAM_FALLBACK
PATH_PASSWD_PROG
LD
SSHDLIBS
PKGCONFIG
LIBEDIT
INSTALL_SSH_RAND_HELPER
SSH_PRIVSEP_USER
@ -7435,6 +7436,85 @@ fi
*-*-dragonfly*)
SSHDLIBS="$SSHDLIBS -lcrypt"
;;
*-*-haiku*)
LIBS="$LIBS -lbsd "
{ echo "$as_me:$LINENO: checking for socket in -lnetwork" >&5
echo $ECHO_N "checking for socket in -lnetwork... $ECHO_C" >&6; }
if test "${ac_cv_lib_network_socket+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lnetwork $LIBS"
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char socket ();
int
main ()
{
return socket ();
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext conftest$ac_exeext
if { (ac_try="$ac_link"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_link") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && {
test -z "$ac_c_werror_flag" ||
test ! -s conftest.err
} && test -s conftest$ac_exeext &&
$as_test_x conftest$ac_exeext; then
ac_cv_lib_network_socket=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_cv_lib_network_socket=no
fi
rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ echo "$as_me:$LINENO: result: $ac_cv_lib_network_socket" >&5
echo "${ECHO_T}$ac_cv_lib_network_socket" >&6; }
if test $ac_cv_lib_network_socket = yes; then
cat >>confdefs.h <<_ACEOF
#define HAVE_LIBNETWORK 1
_ACEOF
LIBS="-lnetwork $LIBS"
fi
cat >>confdefs.h <<\_ACEOF
#define HAVE_U_INT64_T 1
_ACEOF
MANTYPE=man
;;
*-*-hpux*)
# first we define all of the options common to all HP-UX releases
CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
@ -12326,7 +12406,61 @@ LIBEDIT_MSG="no"
# Check whether --with-libedit was given.
if test "${with_libedit+set}" = set; then
withval=$with_libedit; if test "x$withval" != "xno" ; then
if test "x$withval" != "xyes"; then
if test "x$withval" = "xyes" ; then
# Extract the first word of "pkg-config", so it can be a program name with args.
set dummy pkg-config; ac_word=$2
{ echo "$as_me:$LINENO: checking for $ac_word" >&5
echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
if test "${ac_cv_path_PKGCONFIG+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
case $PKGCONFIG in
[\\/]* | ?:[\\/]*)
ac_cv_path_PKGCONFIG="$PKGCONFIG" # Let the user override the test with a path.
;;
*)
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
ac_cv_path_PKGCONFIG="$as_dir/$ac_word$ac_exec_ext"
echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
test -z "$ac_cv_path_PKGCONFIG" && ac_cv_path_PKGCONFIG="no"
;;
esac
fi
PKGCONFIG=$ac_cv_path_PKGCONFIG
if test -n "$PKGCONFIG"; then
{ echo "$as_me:$LINENO: result: $PKGCONFIG" >&5
echo "${ECHO_T}$PKGCONFIG" >&6; }
else
{ echo "$as_me:$LINENO: result: no" >&5
echo "${ECHO_T}no" >&6; }
fi
if test "x$PKGCONFIG" != "xno"; then
{ echo "$as_me:$LINENO: checking if $PKGCONFIG knows about libedit" >&5
echo $ECHO_N "checking if $PKGCONFIG knows about libedit... $ECHO_C" >&6; }
if "$PKGCONFIG" libedit; then
{ echo "$as_me:$LINENO: result: yes" >&5
echo "${ECHO_T}yes" >&6; }
use_pkgconfig_for_libedit=yes
else
{ echo "$as_me:$LINENO: result: no" >&5
echo "${ECHO_T}no" >&6; }
fi
fi
else
CPPFLAGS="$CPPFLAGS -I${withval}/include"
if test -n "${need_dash_r}"; then
LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
@ -12334,13 +12468,20 @@ if test "${with_libedit+set}" = set; then
LDFLAGS="-L${withval}/lib ${LDFLAGS}"
fi
fi
if test "x$use_pkgconfig_for_libedit" == "xyes"; then
LIBEDIT=`$PKGCONFIG --libs-only-l libedit`
CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
else
LIBEDIT="-ledit -lcurses"
fi
OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
{ echo "$as_me:$LINENO: checking for el_init in -ledit" >&5
echo $ECHO_N "checking for el_init in -ledit... $ECHO_C" >&6; }
if test "${ac_cv_lib_edit_el_init+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-ledit -lcurses
LIBS="-ledit $OTHERLIBS
$LIBS"
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
@ -12402,7 +12543,6 @@ cat >>confdefs.h <<\_ACEOF
#define USE_LIBEDIT 1
_ACEOF
LIBEDIT="-ledit -lcurses"
LIBEDIT_MSG="yes"
@ -14961,7 +15101,8 @@ done
for ac_func in endutxent getutxent getutxid getutxline pututxline
for ac_func in endutxent getutxent getutxid getutxline getutxuser pututxline
do
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
{ echo "$as_me:$LINENO: checking for $ac_func" >&5
@ -15056,7 +15197,8 @@ done
for ac_func in setutxent utmpxname
for ac_func in setutxdb setutxent utmpxname
do
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
{ echo "$as_me:$LINENO: checking for $ac_func" >&5
@ -29373,77 +29515,6 @@ _ACEOF
fi
{ echo "$as_me:$LINENO: checking if your system defines UTMPX_FILE" >&5
echo $ECHO_N "checking if your system defines UTMPX_FILE... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_PATHS_H
# include <paths.h>
#endif
int
main ()
{
char *utmpx = UTMPX_FILE;
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext
if { (ac_try="$ac_compile"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && {
test -z "$ac_c_werror_flag" ||
test ! -s conftest.err
} && test -s conftest.$ac_objext; then
{ echo "$as_me:$LINENO: result: yes" >&5
echo "${ECHO_T}yes" >&6; }
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
{ echo "$as_me:$LINENO: result: no" >&5
echo "${ECHO_T}no" >&6; }
system_utmpx_path=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
if test -z "$conf_utmpx_location"; then
if test x"$system_utmpx_path" = x"no" ; then
cat >>confdefs.h <<\_ACEOF
#define DISABLE_UTMPX 1
_ACEOF
fi
else
cat >>confdefs.h <<_ACEOF
#define CONF_UTMPX_FILE "$conf_utmpx_location"
_ACEOF
fi
{ echo "$as_me:$LINENO: checking if your system defines WTMPX_FILE" >&5
echo $ECHO_N "checking if your system defines WTMPX_FILE... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
@ -29524,14 +29595,69 @@ fi
CFLAGS="$CFLAGS $werror_flags"
if grep "#define BROKEN_GETADDRINFO 1" confdefs.h >/dev/null || \
test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
TEST_SSH_IPV6=no
else
TEST_SSH_IPV6=yes
fi
{ echo "$as_me:$LINENO: checking whether BROKEN_GETADDRINFO is declared" >&5
echo $ECHO_N "checking whether BROKEN_GETADDRINFO is declared... $ECHO_C" >&6; }
if test "${ac_cv_have_decl_BROKEN_GETADDRINFO+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
$ac_includes_default
int
main ()
{
#ifndef BROKEN_GETADDRINFO
(void) BROKEN_GETADDRINFO;
#endif
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext
if { (ac_try="$ac_compile"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && {
test -z "$ac_c_werror_flag" ||
test ! -s conftest.err
} && test -s conftest.$ac_objext; then
ac_cv_have_decl_BROKEN_GETADDRINFO=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_cv_have_decl_BROKEN_GETADDRINFO=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_BROKEN_GETADDRINFO" >&5
echo "${ECHO_T}$ac_cv_have_decl_BROKEN_GETADDRINFO" >&6; }
if test $ac_cv_have_decl_BROKEN_GETADDRINFO = yes; then
TEST_SSH_IPV6=no
fi
TEST_SSH_IPV6=$TEST_SSH_IPV6
ac_config_files="$ac_config_files Makefile buildpkg.sh opensshd.init openssh.xml openbsd-compat/Makefile openbsd-compat/regress/Makefile ssh_prng_cmds survey.sh"
@ -30236,6 +30362,7 @@ LOGIN_PROGRAM_FALLBACK!$LOGIN_PROGRAM_FALLBACK$ac_delim
PATH_PASSWD_PROG!$PATH_PASSWD_PROG$ac_delim
LD!$LD$ac_delim
SSHDLIBS!$SSHDLIBS$ac_delim
PKGCONFIG!$PKGCONFIG$ac_delim
LIBEDIT!$LIBEDIT$ac_delim
INSTALL_SSH_RAND_HELPER!$INSTALL_SSH_RAND_HELPER$ac_delim
SSH_PRIVSEP_USER!$SSH_PRIVSEP_USER$ac_delim
@ -30255,7 +30382,6 @@ PROG_VMSTAT!$PROG_VMSTAT$ac_delim
PROG_UPTIME!$PROG_UPTIME$ac_delim
PROG_IPCS!$PROG_IPCS$ac_delim
PROG_TAIL!$PROG_TAIL$ac_delim
INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim
_ACEOF
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@ -30297,6 +30423,7 @@ _ACEOF
ac_delim='%!_!# '
for ac_last_try in false false false false false :; do
cat >conf$$subs.sed <<_ACEOF
INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim
KRB5CONF!$KRB5CONF$ac_delim
PRIVSEP_PATH!$PRIVSEP_PATH$ac_delim
xauth_path!$xauth_path$ac_delim
@ -30312,7 +30439,7 @@ LIBOBJS!$LIBOBJS$ac_delim
LTLIBOBJS!$LTLIBOBJS$ac_delim
_ACEOF
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 13; then
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 14; then
break
elif $ac_last_try; then
{ { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5

74
configure.ac
View File

@ -1,4 +1,4 @@
# $Id: configure.ac,v 1.444 2010/03/05 04:04:35 djm Exp $
# $Id: configure.ac,v 1.449 2010/04/10 12:58:01 dtucker Exp $
#
# Copyright (c) 1999-2004 Damien Miller
#
@ -15,7 +15,7 @@
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
AC_REVISION($Revision: 1.444 $)
AC_REVISION($Revision: 1.449 $)
AC_CONFIG_SRCDIR([ssh.c])
AC_CONFIG_HEADER(config.h)
@ -488,6 +488,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
*-*-dragonfly*)
SSHDLIBS="$SSHDLIBS -lcrypt"
;;
*-*-haiku*)
LIBS="$LIBS -lbsd "
AC_CHECK_LIB(network, socket)
AC_DEFINE(HAVE_U_INT64_T)
MANTYPE=man
;;
*-*-hpux*)
# first we define all of the options common to all HP-UX releases
CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
@ -1248,7 +1254,18 @@ LIBEDIT_MSG="no"
AC_ARG_WITH(libedit,
[ --with-libedit[[=PATH]] Enable libedit support for sftp],
[ if test "x$withval" != "xno" ; then
if test "x$withval" != "xyes"; then
if test "x$withval" = "xyes" ; then
AC_PATH_PROG(PKGCONFIG, pkg-config, no)
if test "x$PKGCONFIG" != "xno"; then
AC_MSG_CHECKING(if $PKGCONFIG knows about libedit)
if "$PKGCONFIG" libedit; then
AC_MSG_RESULT(yes)
use_pkgconfig_for_libedit=yes
else
AC_MSG_RESULT(no)
fi
fi
else
CPPFLAGS="$CPPFLAGS -I${withval}/include"
if test -n "${need_dash_r}"; then
LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
@ -1256,14 +1273,20 @@ AC_ARG_WITH(libedit,
LDFLAGS="-L${withval}/lib ${LDFLAGS}"
fi
fi
if test "x$use_pkgconfig_for_libedit" == "xyes"; then
LIBEDIT=`$PKGCONFIG --libs-only-l libedit`
CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
else
LIBEDIT="-ledit -lcurses"
fi
OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
AC_CHECK_LIB(edit, el_init,
[ AC_DEFINE(USE_LIBEDIT, 1, [Use libedit for sftp])
LIBEDIT="-ledit -lcurses"
LIBEDIT_MSG="yes"
AC_SUBST(LIBEDIT)
],
[ AC_MSG_ERROR(libedit not found) ],
[ -lcurses ]
[ $OTHERLIBS ]
)
AC_MSG_CHECKING(if libedit version is compatible)
AC_COMPILE_IFELSE(
@ -1534,8 +1557,8 @@ dnl Checks for utmp functions
AC_CHECK_FUNCS(endutent getutent getutid getutline pututline setutent)
AC_CHECK_FUNCS(utmpname)
dnl Checks for utmpx functions
AC_CHECK_FUNCS(endutxent getutxent getutxid getutxline pututxline )
AC_CHECK_FUNCS(setutxent utmpxname)
AC_CHECK_FUNCS(endutxent getutxent getutxid getutxline getutxuser pututxline)
AC_CHECK_FUNCS(setutxdb setutxent utmpxname)
dnl Checks for lastlog functions
AC_CHECK_FUNCS(getlastlogxbyname)
@ -4064,34 +4087,6 @@ if test -n "$conf_wtmp_location"; then
fi
dnl utmpx detection - I don't know any system so perverse as to require
dnl utmpx, but not define UTMPX_FILE (ditto wtmpx.) No doubt it's out
dnl there, though.
AC_MSG_CHECKING([if your system defines UTMPX_FILE])
AC_TRY_COMPILE([
#include <sys/types.h>
#include <utmp.h>
#ifdef HAVE_UTMPX_H
#include <utmpx.h>
#endif
#ifdef HAVE_PATHS_H
# include <paths.h>
#endif
],
[ char *utmpx = UTMPX_FILE; ],
[ AC_MSG_RESULT(yes) ],
[ AC_MSG_RESULT(no)
system_utmpx_path=no ]
)
if test -z "$conf_utmpx_location"; then
if test x"$system_utmpx_path" = x"no" ; then
AC_DEFINE(DISABLE_UTMPX)
fi
else
AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location",
[Define if you want to specify the path to your utmpx file])
fi
dnl wtmpx detection
AC_MSG_CHECKING([if your system defines WTMPX_FILE])
AC_TRY_COMPILE([
@ -4128,12 +4123,13 @@ dnl Adding -Werror to CFLAGS early prevents configure tests from running.
dnl Add now.
CFLAGS="$CFLAGS $werror_flags"
if grep "#define BROKEN_GETADDRINFO 1" confdefs.h >/dev/null || \
test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
AC_SUBST(TEST_SSH_IPV6, no)
if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
TEST_SSH_IPV6=no
else
AC_SUBST(TEST_SSH_IPV6, yes)
TEST_SSH_IPV6=yes
fi
AC_CHECK_DECL(BROKEN_GETADDRINFO, TEST_SSH_IPV6=no)
AC_SUBST(TEST_SSH_IPV6, $TEST_SSH_IPV6)
AC_EXEEXT
AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \

2
contrib/Makefile
View File

@ -9,7 +9,7 @@ gnome-ssh-askpass1: gnome-ssh-askpass1.c
gnome-ssh-askpass2: gnome-ssh-askpass2.c
$(CC) `pkg-config --cflags gtk+-2.0` \
gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
`pkg-config --libs gtk+-2.0`
`pkg-config --libs gtk+-2.0 x11`
clean:
rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass

6
contrib/caldera/openssh.spec
View File

@ -17,11 +17,11 @@
#old cvs stuff. please update before use. may be deprecated.
%define use_stable 1
%if %{use_stable}
%define version 5.4p1
%define version 5.5p1
%define cvs %{nil}
%define release 1
%else
%define version 5.4p1
%define version 5.5p1
%define cvs cvs20050315
%define release 0r1
%endif
@ -360,4 +360,4 @@ fi
* Mon Jan 01 1998 ...
Template Version: 1.31
$Id: openssh.spec,v 1.69 2010/03/07 22:41:03 djm Exp $
$Id: openssh.spec,v 1.70 2010/03/21 19:11:58 djm Exp $

4
contrib/cygwin/Makefile
View File

@ -42,11 +42,13 @@ install-sshdoc:
$(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
$(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL
$(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent
$(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.certkeys
$(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.mux
$(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
$(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
$(INSTALL) -m 644 $(srcdir)/README.platform $(DESTDIR)$(sshdocdir)/README.platform
$(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
$(INSTALL) -m 644 $(srcdir)/README.smartcard $(DESTDIR)$(sshdocdir)/README.smartcard
$(INSTALL) -m 644 $(srcdir)/README.tun $(DESTDIR)$(sshdocdir)/README.tun
$(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
$(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG

2
contrib/cygwin/ssh-host-config
View File

@ -90,7 +90,7 @@ update_services_file() {
fi
_serv_tmp="${_my_etcdir}/srv.out.$$"
mount -o text -f "${_win_etcdir}" "${_my_etcdir}"
mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
# Depends on the above mount
_wservices=`cygpath -w "${_services}"`

2
contrib/redhat/openssh.spec
View File

@ -1,4 +1,4 @@
%define ver 5.4p1
%define ver 5.5p1
%define rel 1
# OpenSSH privilege separation requires a user & group ID

2
contrib/ssh-copy-id
View File

@ -19,7 +19,7 @@ if [ "-i" = "$1" ]; then
shift # and this should leave $1 as the target name
fi
else
if [ x$SSH_AUTH_SOCK != x ] ; then
if [ x$SSH_AUTH_SOCK != x ] && ssh-add -L >/dev/null 2>&1; then
GET_ID="$GET_ID ssh-add -L"
fi
fi

2
contrib/suse/openssh.spec
View File

@ -13,7 +13,7 @@
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
Name: openssh
Version: 5.3p1
Version: 5.5p1
URL: http://www.openssh.com/
Release: 1
Source0: openssh-%{version}.tar.gz

4
defines.h
View File

@ -25,7 +25,7 @@
#ifndef _DEFINES_H
#define _DEFINES_H
/* $Id: defines.h,v 1.159 2010/01/13 23:44:34 tim Exp $ */
/* $Id: defines.h,v 1.160 2010/04/09 08:13:27 dtucker Exp $ */
/* Constants */
@ -674,7 +674,7 @@ struct winsize {
#else
/* Simply select your favourite login types. */
/* Can't do if-else because some systems use several... <sigh> */
# if defined(UTMPX_FILE) && !defined(DISABLE_UTMPX)
# if !defined(DISABLE_UTMPX)
# define USE_UTMPX
# endif
# if defined(UTMP_FILE) && !defined(DISABLE_UTMP)

15
key.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: key.c,v 1.85 2010/03/04 01:44:57 djm Exp $ */
/* $OpenBSD: key.c,v 1.86 2010/03/15 19:40:02 stevesk Exp $ */
/*
* read_bignum():
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -801,6 +801,19 @@ key_type(const Key *k)
return "unknown";
}
const char *
key_cert_type(const Key *k)
{
switch (k->cert->type) {
case SSH2_CERT_TYPE_USER:
return "user";
case SSH2_CERT_TYPE_HOST:
return "host";
default:
return "unknown";
}
}
const char *
key_ssh_name(const Key *k)
{

3
key.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: key.h,v 1.28 2010/02/26 20:29:54 djm Exp $ */
/* $OpenBSD: key.h,v 1.29 2010/03/15 19:40:02 stevesk Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@ -82,6 +82,7 @@ int key_equal(const Key *, const Key *);
char *key_fingerprint(Key *, enum fp_type, enum fp_rep);
u_char *key_fingerprint_raw(Key *, enum fp_type, u_int *);
const char *key_type(const Key *);
const char *key_cert_type(const Key *);
int key_write(const Key *, FILE *);
int key_read(Key *, char **);
u_int key_size(const Key *);

31
loginrec.c
View File

@ -207,6 +207,7 @@ int syslogin_write_entry(struct logininfo *li);
int getlast_entry(struct logininfo *li);
int lastlog_get_entry(struct logininfo *li);
int utmpx_get_entry(struct logininfo *li);
int wtmp_get_entry(struct logininfo *li);
int wtmpx_get_entry(struct logininfo *li);
@ -508,6 +509,10 @@ getlast_entry(struct logininfo *li)
#ifdef USE_LASTLOG
return(lastlog_get_entry(li));
#else /* !USE_LASTLOG */
#if defined(USE_UTMPX) && defined(HAVE_SETUTXDB) && \
defined(UTXDB_LASTLOGIN) && defined(HAVE_GETUTXUSER)
return (utmpx_get_entry(li));
#endif
#if defined(DISABLE_LASTLOG)
/* On some systems we shouldn't even try to obtain last login
@ -1608,6 +1613,32 @@ lastlog_get_entry(struct logininfo *li)
#endif /* HAVE_GETLASTLOGXBYNAME */
#endif /* USE_LASTLOG */
#if defined(USE_UTMPX) && defined(HAVE_SETUTXDB) && \
defined(UTXDB_LASTLOGIN) && defined(HAVE_GETUTXUSER)
int
utmpx_get_entry(struct logininfo *li)
{
struct utmpx *utx;
if (setutxdb(UTXDB_LASTLOGIN, NULL) != 0)
return (0);
utx = getutxuser(li->username);
if (utx == NULL) {
endutxent();
return (0);
}
line_fullname(li->line, utx->ut_line,
MIN_SIZEOF(li->line, utx->ut_line));
strlcpy(li->hostname, utx->ut_host,
MIN_SIZEOF(li->hostname, utx->ut_host));
li->tv_sec = utx->ut_tv.tv_sec;
li->tv_usec = utx->ut_tv.tv_usec;
endutxent();
return (1);
}
#endif /* USE_UTMPX && HAVE_SETUTXDB && UTXDB_LASTLOGIN && HAVE_GETUTXUSER */
#ifdef USE_BTMP
/*
* Logs failed login attempts in _PATH_BTMP if that exists.

2
logintest.c
View File

@ -264,7 +264,7 @@ showOptions(void)
printf("\tUSE_UTMP (UTMP_FILE=%s)\n", UTMP_FILE);
#endif
#ifdef USE_UTMPX
printf("\tUSE_UTMPX (UTMPX_FILE=%s)\n", UTMPX_FILE);
printf("\tUSE_UTMPX\n");
#endif
#ifdef USE_WTMP
printf("\tUSE_WTMP (WTMP_FILE=%s)\n", WTMP_FILE);

2
moduli.0
View File

@ -69,4 +69,4 @@ SEE ALSO
Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer
Protocol, RFC 4419, 2006.
OpenBSD 4.6 June 26, 2008 2
OpenBSD 4.7 June 26, 2008 2

4
openbsd-compat/bsd-arc4random.c
View File

@ -84,7 +84,7 @@ arc4random_stir(void)
}
#endif /* !HAVE_ARC4RANDOM */
#ifndef ARC4RANDOM_BUF
#ifndef HAVE_ARC4RANDOM_BUF
void
arc4random_buf(void *_buf, size_t n)
{
@ -102,7 +102,7 @@ arc4random_buf(void *_buf, size_t n)
}
#endif /* !HAVE_ARC4RANDOM_BUF */
#ifndef ARC4RANDOM_UNIFORM
#ifndef HAVE_ARC4RANDOM_UNIFORM
/*
* Calculate a uniformly distributed random number less than upper_bound
* avoiding "modulo bias".

2
scp.0
View File

@ -145,4 +145,4 @@ AUTHORS
Timo Rinne <tri@iki.fi>
Tatu Ylonen <ylo@cs.hut.fi>
OpenBSD 4.6 February 8, 2010 3
OpenBSD 4.7 February 8, 2010 3

19
servconf.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: servconf.c,v 1.204 2010/03/04 10:36:03 djm Exp $ */
/* $OpenBSD: servconf.c,v 1.207 2010/03/25 23:38:28 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@ -470,15 +470,14 @@ parse_token(const char *cp, const char *filename,
char *
derelativise_path(const char *path)
{
char *expanded, *ret, *cwd;
char *expanded, *ret, cwd[MAXPATHLEN];
expanded = tilde_expand_filename(path, getuid());
if (*expanded == '/')
return expanded;
if ((cwd = getcwd(NULL, 0)) == NULL)
if (getcwd(cwd, sizeof(cwd)) == NULL)
fatal("%s: getcwd: %s", __func__, strerror(errno));
xasprintf(&ret, "%s/%s", cwd, expanded);
xfree(cwd);
xfree(expanded);
return ret;
}
@ -1223,7 +1222,17 @@ process_server_config_line(ServerOptions *options, char *line,
charptr = (opcode == sAuthorizedKeysFile) ?
&options->authorized_keys_file :
&options->authorized_keys_file2;
goto parse_filename;
arg = strdelim(&cp);
if (!arg || *arg == '\0')
fatal("%s line %d: missing file name.",
filename, linenum);
if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid());
/* increase optional counter */
if (intptr != NULL)
*intptr = *intptr + 1;
}
break;
case sClientAliveInterval:
intptr = &options->client_alive_interval;

8
session.c
View File

@ -1551,6 +1551,10 @@ do_setusercontext(struct passwd *pw)
}
#endif /* HAVE_SETPCRED */
#ifdef WITH_SELINUX
ssh_selinux_setup_exec_context(pw->pw_name);
#endif
if (options.chroot_directory != NULL &&
strcasecmp(options.chroot_directory, "none") != 0) {
tmp = tilde_expand_filename(options.chroot_directory,
@ -1575,10 +1579,6 @@ do_setusercontext(struct passwd *pw)
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
#ifdef WITH_SELINUX
ssh_selinux_setup_exec_context(pw->pw_name);
#endif
}
static void

2
sftp-server.0
View File

@ -60,4 +60,4 @@ HISTORY
AUTHORS
Markus Friedl <markus@openbsd.org>
OpenBSD 4.6 January 9, 2010 1
OpenBSD 4.7 January 9, 2010 1

2
sftp.0
View File

@ -316,4 +316,4 @@ SEE ALSO
T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
filexfer-00.txt, January 2001, work in progress material.
OpenBSD 4.6 February 8, 2010 5
OpenBSD 4.7 February 8, 2010 5

2
ssh-add.0
View File

@ -106,4 +106,4 @@ AUTHORS
ated OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
OpenBSD 4.6 March 5, 2010 2
OpenBSD 4.7 March 5, 2010 2

2
ssh-agent.0
View File

@ -115,4 +115,4 @@ AUTHORS
ated OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
OpenBSD 4.6 January 17, 2010 2
OpenBSD 4.7 January 17, 2010 2

44
ssh-keygen.0
View File

@ -165,8 +165,14 @@ DESCRIPTION
section for details. The constraints that are valid for user
certificates are:
no-x11-forwarding
Disable X11 forwarding (permitted by default).
clear Clear all enabled permissions. This is useful for clear-
ing the default set of permissions so permissions may be
added individually.
force-command=command
Forces the execution of command instead of any shell or
command specified by the user when the certificate is
used for authentication.
no-agent-forwarding
Disable ssh-agent(1) forwarding (permitted by default).
@ -180,12 +186,8 @@ DESCRIPTION
Disable execution of ~/.ssh/rc by sshd(8) (permitted by
default).
clear Clear all enabled permissions. This is useful for clear-
ing the default set of permissions so permissions may be
added individually.
permit-x11-forwarding
Allows X11 forwarding.
no-x11-forwarding
Disable X11 forwarding (permitted by default).
permit-agent-forwarding
Allows ssh-agent(1) forwarding.
@ -199,16 +201,14 @@ DESCRIPTION
permit-user-rc
Allows execution of ~/.ssh/rc by sshd(8).
force-command=command
Forces the execution of command instead of any shell or
command specified by the user when the certificate is
used for authentication.
permit-x11-forwarding
Allows X11 forwarding.
source-address=address_list
Restrict the source addresses from which the certificate
is considered valid from. The address_list is a comma-
separated list of one or more address/netmask pairs in
CIDR format.
is considered valid. The address_list is a comma-sepa-
rated list of one or more address/netmask pairs in CIDR
format.
At present, no constraints are valid for host keys.
@ -257,9 +257,9 @@ DESCRIPTION
in YYYYMMDD format, a time in YYYYMMDDHHMMSS format or a relative
time (to the current time) consisting of a minus sign followed by
a relative time in the format described in the TIME FORMATS sec-
tion of ssh_config(5). The end time may be specified as a YYYYM-
MDD date, a YYYYMMDDHHMMSS time or a relative time starting with
a plus character.
tion of sshd_config(5). The end time may be specified as a
YYYYMMDD date, a YYYYMMDDHHMMSS time or a relative time starting
with a plus character.
For example: ``+52w1d'' (valid from now to 52 weeks and one day
from now), ``-4w:+4w'' (valid from four weeks ago to four weeks
@ -329,12 +329,12 @@ CERTIFICATES
$ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
The resultant certificate will be placed in /path/to/user_key_cert.pub.
The resultant certificate will be placed in /path/to/user_key-cert.pub.
A host certificate requires the -h option:
$ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
The host certificate will be output to /path/to/host_key_cert.pub. In
The host certificate will be output to /path/to/host_key-cert.pub. In
both cases, key_id is a "key identifier" that is logged by the server
when the certificate is used for authentication.
@ -344,7 +344,7 @@ CERTIFICATES
pals:
$ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
$ ssh-keygen -s ca_key -I key_id -h -n host.domain $0
$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub
Additional limitations on the validity and use of user certificates may
be specified through certificate constraints. A constrained certificate
@ -431,4 +431,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
OpenBSD 4.6 March 8, 2010 7
OpenBSD 4.7 March 13, 2010 7

43
ssh-keygen.1
View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keygen.1,v 1.88 2010/03/08 00:28:55 djm Exp $
.\" $OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $
.\"
.\" -*- nroff -*-
.\"
@ -37,7 +37,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: March 8 2010 $
.Dd $Mdocdate: March 13 2010 $
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
@ -307,8 +307,15 @@ Please see the
section for details.
The constraints that are valid for user certificates are:
.Bl -tag -width Ds
.It Ic no-x11-forwarding
Disable X11 forwarding (permitted by default).
.It Ic clear
Clear all enabled permissions.
This is useful for clearing the default set of permissions so permissions may
be added individually.
.It Ic force-command Ns = Ns Ar command
Forces the execution of
.Ar command
instead of any shell or command specified by the user when
the certificate is used for authentication.
.It Ic no-agent-forwarding
Disable
.Xr ssh-agent 1
@ -323,12 +330,8 @@ Disable execution of
by
.Xr sshd 8
(permitted by default).
.It Ic clear
Clear all enabled permissions.
This is useful for clearing the default set of permissions so permissions may
be added individually.
.It Ic permit-x11-forwarding
Allows X11 forwarding.
.It Ic no-x11-forwarding
Disable X11 forwarding (permitted by default).
.It Ic permit-agent-forwarding
Allows
.Xr ssh-agent 1
@ -342,14 +345,10 @@ Allows execution of
.Pa ~/.ssh/rc
by
.Xr sshd 8 .
.It Ic force-command=command
Forces the execution of
.Ar command
instead of any shell or command specified by the user when
the certificate is used for authentication.
.It Ic source-address=address_list
Restrict the source addresses from which the certificate is considered valid
from.
.It Ic permit-x11-forwarding
Allows X11 forwarding.
.It Ic source-address Ns = Ns Ar address_list
Restrict the source addresses from which the certificate is considered valid.
The
.Ar address_list
is a comma-separated list of one or more address/netmask pairs in CIDR
@ -414,7 +413,7 @@ in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
of a minus sign followed by a relative time in the format described in the
.Sx TIME FORMATS
section of
.Xr ssh_config 5 .
.Xr sshd_config 5 .
The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
a relative time starting with a plus character.
.Pp
@ -519,7 +518,7 @@ To generate a user certificate:
.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
.Pp
The resultant certificate will be placed in
.Pa /path/to/user_key_cert.pub .
.Pa /path/to/user_key-cert.pub .
A host certificate requires the
.Fl h
option:
@ -527,7 +526,7 @@ option:
.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
.Pp
The host certificate will be output to
.Pa /path/to/host_key_cert.pub .
.Pa /path/to/host_key-cert.pub .
In both cases,
.Ar key_id
is a "key identifier" that is logged by the server when the certificate
@ -539,7 +538,7 @@ By default, generated certificates are valid for all users or hosts.
To generate a certificate for a specified set of principals:
.Pp
.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
.Dl $ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub
.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
.Pp
Additional limitations on the validity and use of user certificates may
be specified through certificate constraints.

5
ssh-keygen.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keygen.c,v 1.184 2010/03/07 22:16:01 djm Exp $ */
/* $OpenBSD: ssh-keygen.c,v 1.185 2010/03/15 19:40:02 stevesk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1393,7 +1393,8 @@ do_show_cert(struct passwd *pw)
SSH_FP_MD5, SSH_FP_HEX);
printf("%s:\n", identity_file);
printf(" %s certificate %s\n", key_type(key), key_fp);
printf(" %s %s certificate %s\n", key_type(key),
key_cert_type(key), key_fp);
printf(" Signed by %s CA %s\n",
key_type(key->cert->signature_key), ca_fp);
printf(" Key ID \"%s\"\n", key->cert->key_id);

2
ssh-keyscan.0
View File

@ -104,4 +104,4 @@ BUGS
This is because it opens a connection to the ssh port, reads the public
key, and drops the connection as soon as it gets the key.
OpenBSD 4.6 January 9, 2010 2
OpenBSD 4.7 January 9, 2010 2

2
ssh-keysign.0
View File

@ -39,4 +39,4 @@ HISTORY
AUTHORS
Markus Friedl <markus@openbsd.org>
OpenBSD 4.6 May 31, 2007 1
OpenBSD 4.7 May 31, 2007 1

2
ssh-pkcs11-helper.0
View File

@ -22,4 +22,4 @@ HISTORY
AUTHORS
Markus Friedl <markus@openbsd.org>
OpenBSD 4.6 February 10, 2010 1
OpenBSD 4.7 February 10, 2010 1

4
ssh-pkcs11-helper.c
View File

@ -17,8 +17,6 @@
#include "includes.h"
#ifdef ENABLE_PKCS11
#include <sys/types.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
@ -39,6 +37,8 @@
#include "authfd.h"
#include "ssh-pkcs11.h"
#ifdef ENABLE_PKCS11
/* borrows code from sftp-server and ssh-agent */
struct pkcs11_keyinfo {

2
ssh-rand-helper.0
View File

@ -48,4 +48,4 @@ AUTHORS
SEE ALSO
ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)
OpenBSD 4.6 April 14, 2002 1
OpenBSD 4.7 April 14, 2002 1

9
ssh.0
View File

@ -308,9 +308,10 @@ DESCRIPTION
allocated on the server and reported to the client at run time.
-S ctl_path
Specifies the location of a control socket for connection shar-
ing. Refer to the description of ControlPath and ControlMaster
in ssh_config(5) for details.
Specifies the location of a control socket for connection sharing
or the string ``none'' to disable connection sharing. Refer to
the description of ControlPath and ControlMaster in ssh_config(5)
for details.
-s May be used to request invocation of a subsystem on the remote
system. Subsystems are a feature of the SSH2 protocol which fa-
@ -876,4 +877,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
OpenBSD 4.6 March 5, 2010 14
OpenBSD 4.7 March 26, 2010 14

9
ssh.1
View File

@ -34,8 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh.1,v 1.302 2010/03/05 10:28:21 djm Exp $
.Dd $Mdocdate: March 5 2010 $
.\" $OpenBSD: ssh.1,v 1.303 2010/03/26 00:26:58 djm Exp $
.Dd $Mdocdate: March 26 2010 $
.Dt SSH 1
.Os
.Sh NAME
@ -558,7 +558,10 @@ argument is
the listen port will be dynamically allocated on the server and reported
to the client at run time.
.It Fl S Ar ctl_path
Specifies the location of a control socket for connection sharing.
Specifies the location of a control socket for connection sharing
or the string
.Dq none
to disable connection sharing.
Refer to the description of
.Cm ControlPath
and

6
ssh_config.0
View File

@ -425,8 +425,8 @@ DESCRIPTION
Specifies the order in which the client should try protocol 2 au-
thentication methods. This allows a client to prefer one method
(e.g. keyboard-interactive) over another method (e.g. password)
The default for this option is: ``gssapi-with-mic,hostbased,
publickey, keyboard-interactive, password''.
The default for this option is: ``gssapi-with-
mic,hostbased,publickey,keyboard-interactive,password''.
Protocol
Specifies the protocol versions ssh(1) should support in order of
@ -673,4 +673,4 @@ AUTHORS
ated OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
OpenBSD 4.6 March 5, 2010 11
OpenBSD 4.7 March 26, 2010 11

10
ssh_config.5
View File

@ -34,8 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh_config.5,v 1.129 2010/03/05 10:28:21 djm Exp $
.Dd $Mdocdate: March 5 2010 $
.\" $OpenBSD: ssh_config.5,v 1.130 2010/03/26 01:06:13 dtucker Exp $
.Dd $Mdocdate: March 26 2010 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@ -734,11 +734,7 @@ This allows a client to prefer one method (e.g.\&
over another method (e.g.\&
.Cm password )
The default for this option is:
.Do gssapi-with-mic ,
hostbased,
publickey,
keyboard-interactive,
password
.Do gssapi-with-mic,hostbased,publickey,keyboard-interactive,password
.Dc .
.It Cm Protocol
Specifies the protocol versions

2
sshd.0
View File

@ -614,4 +614,4 @@ CAVEATS
System security is not improved unless rshd, rlogind, and rexecd are dis-
abled (thus completely disabling rlogin and rsh into the machine).
OpenBSD 4.6 March 5, 2010 10
OpenBSD 4.7 March 5, 2010 10

2
sshd_config.0
View File

@ -656,4 +656,4 @@ AUTHORS
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
for privilege separation.
OpenBSD 4.6 March 4, 2010 10
OpenBSD 4.7 March 4, 2010 10

4
version.h
View File

@ -1,6 +1,6 @@
/* $OpenBSD: version.h,v 1.57 2010/03/07 22:01:32 djm Exp $ */
/* $OpenBSD: version.h,v 1.58 2010/03/16 16:36:49 djm Exp $ */
#define SSH_VERSION "OpenSSH_5.4"
#define SSH_VERSION "OpenSSH_5.5"
#define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE