Vendor import of OpenSSH 4.6p1 for posterity's sake
This commit is contained in:
parent
e3cfeae816
commit
367fd86546
214
ChangeLog
214
ChangeLog
@ -1,3 +1,214 @@
|
||||
20070306
|
||||
- (djm) OpenBSD CVS Sync
|
||||
- jmc@cvs.openbsd.org 2007/03/01 16:19:33
|
||||
[sshd_config.5]
|
||||
sort the `match' keywords;
|
||||
- djm@cvs.openbsd.org 2007/03/06 10:13:14
|
||||
[version.h]
|
||||
openssh-4.6; "please" deraadt@
|
||||
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
|
||||
[contrib/suse/openssh.spec] crank spec files for release
|
||||
- (djm) [README] correct link to release notes
|
||||
- (djm) Release 4.6p1
|
||||
|
||||
20070304
|
||||
- (djm) [configure.ac] add a --without-openssl-header-check option to
|
||||
configure, as some platforms (OS X) ship OpenSSL headers whose version
|
||||
does not match that of the shipping library. ok dtucker@
|
||||
- (dtucker) [openbsd-compat/openssl-compat.h] Bug #1291: Work around a
|
||||
bug in OpenSSL 0.9.8e that prevents aes256-ctr, aes192-ctr and arcfour256
|
||||
ciphers from working correctly (disconnects with "Bad packet length"
|
||||
errors) as found by Ben Harris. ok djm@
|
||||
|
||||
20070303
|
||||
- (dtucker) [regress/agent-ptrace.sh] Make ttrace gdb error a little more
|
||||
general to cover newer gdb versions on HP-UX.
|
||||
|
||||
20070302
|
||||
- (dtucker) [configure.ac] For Cygwin, read files in textmode (which allows
|
||||
CRLF as well as LF lineendings) and write in binary mode. Patch from
|
||||
vinschen at redhat.com.
|
||||
- (dtucker) [INSTALL] Update to autoconf-2.61.
|
||||
|
||||
20070301
|
||||
- (dtucker) OpenBSD CVS Sync
|
||||
- dtucker@cvs.openbsd.org 2007/03/01 10:28:02
|
||||
[auth2.c sshd_config.5 servconf.c]
|
||||
Remove ChallengeResponseAuthentication support inside a Match
|
||||
block as its interaction with KbdInteractive makes it difficult to
|
||||
support. Also, relocate the CR/kbdint option special-case code into
|
||||
servconf. "please commit" djm@, ok markus@ for the relocation.
|
||||
- (tim) [buildpkg.sh.in openssh.xml.in] Clean up Solaris 10 smf(5) bits.
|
||||
"Looks sane" dtucker@
|
||||
|
||||
20070228
|
||||
- (dtucker) OpenBSD CVS Sync
|
||||
- dtucker@cvs.openbsd.org 2007/02/28 00:55:30
|
||||
[ssh-agent.c]
|
||||
Remove expired keys periodically so they don't remain in memory when
|
||||
the agent is entirely idle, as noted by David R. Piegdon. This is the
|
||||
simple fix, a more efficient one will be done later. With markus,
|
||||
deraadt, with & ok djm.
|
||||
|
||||
20070225
|
||||
- (dtucker) OpenBSD CVS Sync
|
||||
- djm@cvs.openbsd.org 2007/02/20 10:25:14
|
||||
[clientloop.c]
|
||||
set maximum packet and window sizes the same for multiplexed clients
|
||||
as normal connections; ok markus@
|
||||
- dtucker@cvs.openbsd.org 2007/02/21 11:00:05
|
||||
[sshd.c]
|
||||
Clear alarm() before restarting sshd on SIGHUP. Without this, if there's
|
||||
a SIGALRM pending (for SSH1 key regeneration) when sshd is SIGHUP'ed, the
|
||||
newly exec'ed sshd will get the SIGALRM and not have a handler for it,
|
||||
and the default action will terminate the listening sshd. Analysis and
|
||||
patch from andrew at gaul.org.
|
||||
- dtucker@cvs.openbsd.org 2007/02/22 12:58:40
|
||||
[servconf.c]
|
||||
Check activep so Match and GatewayPorts work together; ok markus@
|
||||
- ray@cvs.openbsd.org 2007/02/24 03:30:11
|
||||
[moduli.c]
|
||||
- strlen returns size_t, not int.
|
||||
- Pass full buffer size to fgets.
|
||||
OK djm@, millert@, and moritz@.
|
||||
|
||||
20070219
|
||||
- (dtucker) OpenBSD CVS Sync
|
||||
- jmc@cvs.openbsd.org 2007/01/10 13:23:22
|
||||
[ssh_config.5]
|
||||
do not use a list for SYNOPSIS;
|
||||
this is actually part of a larger report sent by eric s. raymond
|
||||
and forwarded by brad, but i only read half of it. spotted by brad.
|
||||
- jmc@cvs.openbsd.org 2007/01/12 20:20:41
|
||||
[ssh-keygen.1 ssh-keygen.c]
|
||||
more secsh -> rfc 4716 updates;
|
||||
spotted by wiz@netbsd
|
||||
ok markus
|
||||
- dtucker@cvs.openbsd.org 2007/01/17 23:22:52
|
||||
[readconf.c]
|
||||
Honour activep for times (eg ServerAliveInterval) while parsing
|
||||
ssh_config and ~/.ssh/config so they work properly with Host directives.
|
||||
From mario.lorenz@wincor-nixdorf.com via bz #1275. ok markus@
|
||||
- stevesk@cvs.openbsd.org 2007/01/21 01:41:54
|
||||
[auth-skey.c kex.c ssh-keygen.c session.c clientloop.c]
|
||||
spaces
|
||||
- stevesk@cvs.openbsd.org 2007/01/21 01:45:35
|
||||
[readconf.c]
|
||||
spaces
|
||||
- djm@cvs.openbsd.org 2007/01/22 11:32:50
|
||||
[sftp-client.c]
|
||||
return error from do_upload() when a write fails. fixes bz#1252: zero
|
||||
exit status from sftp when uploading to a full device. report from
|
||||
jirkat AT atlas.cz; ok dtucker@
|
||||
- djm@cvs.openbsd.org 2007/01/22 13:06:21
|
||||
[scp.c]
|
||||
fix detection of whether we should show progress meter or not: scp
|
||||
tested isatty(stderr) but wrote the progress meter to stdout. This patch
|
||||
makes it test stdout. bz#1265 reported by junkmail AT bitsculpture.com;
|
||||
of dtucker@
|
||||
- stevesk@cvs.openbsd.org 2007/02/14 14:32:00
|
||||
[bufbn.c]
|
||||
typos in comments; ok jmc@
|
||||
- dtucker@cvs.openbsd.org 2007/02/19 10:45:58
|
||||
[monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5]
|
||||
Teach Match how handle config directives that are used before
|
||||
authentication. This allows configurations such as permitting password
|
||||
authentication from the local net only while requiring pubkey from
|
||||
offsite. ok djm@, man page bits ok jmc@
|
||||
- (dtucker) [contrib/findssl.sh] Add "which" as a shell function since some
|
||||
platforms don't have it. Patch from dleonard at vintela.com.
|
||||
- (dtucker) [openbsd-compat/getrrsetbyname.c] Don't attempt to calloc
|
||||
an array for signatures when there are none since "calloc(0, n) returns
|
||||
NULL on some platforms (eg Tru64), which is explicitly permitted by
|
||||
POSIX. Diagnosis and patch by svallet genoscope.cns.fr.
|
||||
|
||||
20070128
|
||||
- (djm) [channels.c serverloop.c] Fix so-called "hang on exit" (bz #52)
|
||||
when closing a tty session when a background process still holds tty
|
||||
fds open. Great detective work and patch by Marc Aurele La France,
|
||||
slightly tweaked by me; ok dtucker@
|
||||
|
||||
20070123
|
||||
- (dtucker) [openbsd-compat/bsd-snprintf.c] Static declarations for public
|
||||
library interfaces aren't very helpful. Fix up the DOPR_OUTCH macro
|
||||
so it works properly and modify its callers so that they don't pre or
|
||||
post decrement arguments that are conditionally evaluated. While there,
|
||||
put SNPRINTF_CONST back as it prevents build failures in some
|
||||
configurations. ok djm@ (for most of it)
|
||||
|
||||
20070122
|
||||
- (djm) [ssh-rand-helper.8] manpage nits;
|
||||
from dleonard AT vintela.com (bz#1529)
|
||||
|
||||
20070117
|
||||
- (dtucker) [packet.c] Re-remove in_systm.h since it's already in includes.h
|
||||
and multiple including it causes problems on old IRIXes. (It snuck back
|
||||
in during a sync.) Found (again) by Georg Schwarz.
|
||||
|
||||
20070114
|
||||
- (dtucker) [ssh-keygen.c] av -> argv to match earlier sync.
|
||||
- (djm) [openbsd-compat/bsd-snprintf.c] Fix integer overflow in return
|
||||
value of snprintf replacement, similar to bugs in various libc
|
||||
implementations. This overflow is not exploitable in OpenSSH.
|
||||
While I'm fiddling with it, make it a fair bit faster by inlining the
|
||||
append-char routine; ok dtucker@
|
||||
|
||||
20070105
|
||||
- (djm) OpenBSD CVS Sync
|
||||
- deraadt@cvs.openbsd.org 2006/11/14 19:41:04
|
||||
[ssh-keygen.c]
|
||||
use argc and argv not some made up short form
|
||||
- ray@cvs.openbsd.org 2006/11/23 01:35:11
|
||||
[misc.c sftp.c]
|
||||
Don't access buf[strlen(buf) - 1] for zero-length strings.
|
||||
``ok by me'' djm@.
|
||||
- markus@cvs.openbsd.org 2006/12/11 21:25:46
|
||||
[ssh-keygen.1 ssh.1]
|
||||
add rfc 4716 (public key format); ok jmc
|
||||
- djm@cvs.openbsd.org 2006/12/12 03:58:42
|
||||
[channels.c compat.c compat.h]
|
||||
bz #1019: some ssh.com versions apparently can't cope with the
|
||||
remote port forwarding bind_address being a hostname, so send
|
||||
them an address for cases where they are not explicitly
|
||||
specified (wildcard or localhost bind). reported by daveroth AT
|
||||
acm.org; ok dtucker@ deraadt@
|
||||
- dtucker@cvs.openbsd.org 2006/12/13 08:34:39
|
||||
[servconf.c]
|
||||
Make PermitOpen work with multiple values like the man pages says.
|
||||
bz #1267 with details from peter at dmtz.com, with & ok djm@
|
||||
- dtucker@cvs.openbsd.org 2006/12/14 10:01:14
|
||||
[servconf.c]
|
||||
Make "PermitOpen all" first-match within a block to match the way other
|
||||
options work. ok markus@ djm@
|
||||
- jmc@cvs.openbsd.org 2007/01/02 09:57:25
|
||||
[sshd_config.5]
|
||||
do not use lists for SYNOPSIS;
|
||||
from eric s. raymond via brad
|
||||
- stevesk@cvs.openbsd.org 2007/01/03 00:53:38
|
||||
[ssh-keygen.c]
|
||||
remove small dead code; arnaud.lacombe.1@ulaval.ca via Coverity scan
|
||||
- stevesk@cvs.openbsd.org 2007/01/03 03:01:40
|
||||
[auth2-chall.c channels.c dns.c sftp.c ssh-keygen.c ssh.c]
|
||||
spaces
|
||||
- stevesk@cvs.openbsd.org 2007/01/03 04:09:15
|
||||
[sftp.c]
|
||||
ARGSUSED for lint
|
||||
- stevesk@cvs.openbsd.org 2007/01/03 07:22:36
|
||||
[sftp-server.c]
|
||||
spaces
|
||||
|
||||
20061205
|
||||
- (djm) [auth.c] Fix NULL pointer dereference in fakepw(). Crash would
|
||||
occur if the server did not have the privsep user and an invalid user
|
||||
tried to login and both privsep and krb5 auth are disabled; ok dtucker@
|
||||
- (djm) [bsd-asprintf.c] Better test for bad vsnprintf lengths; ok dtucker@
|
||||
|
||||
20061108
|
||||
- (dtucker) OpenBSD CVS Sync
|
||||
- markus@cvs.openbsd.org 2006/11/07 13:02:07
|
||||
[dh.c]
|
||||
BN_hex2bn returns int; from dtucker@
|
||||
|
||||
20061107
|
||||
- (dtucker) [sshd.c] Use privsep_pw if we have it, but only require it
|
||||
if we absolutely need it. Pointed out by Corinna, ok djm@
|
||||
@ -13,7 +224,6 @@
|
||||
dtucker@
|
||||
- (dtucker) [README contrib/{caldera,redhat,contrib}/openssh.spec] Bump
|
||||
versions.
|
||||
- (dtucker) [dh.c] Type fix for BN_hex2bn; ok markus@
|
||||
- (dtucker) Release 4.5p1.
|
||||
|
||||
20061105
|
||||
@ -2606,4 +2816,4 @@
|
||||
OpenServer 6 and add osr5bigcrypt support so when someone migrates
|
||||
passwords between UnixWare and OpenServer they will still work. OK dtucker@
|
||||
|
||||
$Id: ChangeLog,v 1.4588.2.1 2006/11/07 13:02:59 dtucker Exp $
|
||||
$Id: ChangeLog,v 1.4635.2.1 2007/03/06 10:27:55 djm Exp $
|
||||
|
7
INSTALL
7
INSTALL
@ -70,8 +70,9 @@ http://sourceforge.net/projects/libedit/
|
||||
Autoconf:
|
||||
|
||||
If you modify configure.ac or configure doesn't exist (eg if you checked
|
||||
the code out of CVS yourself) then you will need autoconf-2.60 to rebuild
|
||||
the automatically generated files by running "autoreconf".
|
||||
the code out of CVS yourself) then you will need autoconf-2.61 to rebuild
|
||||
the automatically generated files by running "autoreconf". Earlier
|
||||
version may also work but this is not guaranteed.
|
||||
|
||||
http://www.gnu.org/software/autoconf/
|
||||
|
||||
@ -250,4 +251,4 @@ Please refer to the "reporting bugs" section of the webpage at
|
||||
http://www.openssh.com/
|
||||
|
||||
|
||||
$Id: INSTALL,v 1.76 2006/09/17 12:55:52 dtucker Exp $
|
||||
$Id: INSTALL,v 1.77 2007/03/02 06:53:41 dtucker Exp $
|
||||
|
4
README
4
README
@ -1,4 +1,4 @@
|
||||
See http://www.openssh.com/txt/release-4.5 for the release notes.
|
||||
See http://www.openssh.com/txt/release-4.6 for the release notes.
|
||||
|
||||
- A Japanese translation of this document and of the OpenSSH FAQ is
|
||||
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
|
||||
@ -62,4 +62,4 @@ References -
|
||||
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
|
||||
[7] http://www.openssh.com/faq.html
|
||||
|
||||
$Id: README,v 1.64 2006/11/07 12:25:45 dtucker Exp $
|
||||
$Id: README,v 1.64.4.1 2007/03/06 10:27:56 djm Exp $
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth-skey.c,v 1.26 2006/08/05 08:28:24 dtucker Exp $ */
|
||||
/* $OpenBSD: auth-skey.c,v 1.27 2007/01/21 01:41:54 stevesk Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -59,8 +59,8 @@ skey_query(void *ctx, char **name, char **infotxt,
|
||||
sizeof(challenge)) == -1)
|
||||
return -1;
|
||||
|
||||
*name = xstrdup("");
|
||||
*infotxt = xstrdup("");
|
||||
*name = xstrdup("");
|
||||
*infotxt = xstrdup("");
|
||||
*numprompts = 1;
|
||||
*prompts = xcalloc(*numprompts, sizeof(char *));
|
||||
*echo_on = xcalloc(*numprompts, sizeof(u_int));
|
||||
|
4
auth.c
4
auth.c
@ -569,8 +569,8 @@ fakepw(void)
|
||||
fake.pw_passwd =
|
||||
"$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
|
||||
fake.pw_gecos = "NOUSER";
|
||||
fake.pw_uid = privsep_pw->pw_uid;
|
||||
fake.pw_gid = privsep_pw->pw_gid;
|
||||
fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid;
|
||||
fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid;
|
||||
#ifdef HAVE_PW_CLASS_IN_PASSWD
|
||||
fake.pw_class = "";
|
||||
#endif
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth2-chall.c,v 1.31 2006/08/05 08:28:24 dtucker Exp $ */
|
||||
/* $OpenBSD: auth2-chall.c,v 1.32 2007/01/03 03:01:40 stevesk Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2001 Per Allansson. All rights reserved.
|
||||
@ -206,7 +206,7 @@ auth2_challenge_stop(Authctxt *authctxt)
|
||||
{
|
||||
/* unregister callback */
|
||||
dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
|
||||
if (authctxt->kbdintctxt != NULL) {
|
||||
if (authctxt->kbdintctxt != NULL) {
|
||||
kbdint_free(authctxt->kbdintctxt);
|
||||
authctxt->kbdintctxt = NULL;
|
||||
}
|
||||
|
6
auth2.c
6
auth2.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth2.c,v 1.113 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/* $OpenBSD: auth2.c,v 1.114 2007/03/01 10:28:02 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -96,10 +96,6 @@ int user_key_allowed(struct passwd *, Key *);
|
||||
void
|
||||
do_authentication2(Authctxt *authctxt)
|
||||
{
|
||||
/* challenge-response is implemented via keyboard interactive */
|
||||
if (options.challenge_response_authentication)
|
||||
options.kbd_interactive_authentication = 1;
|
||||
|
||||
dispatch_init(&dispatch_protocol_error);
|
||||
dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
|
||||
dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
|
||||
|
8
bufbn.c
8
bufbn.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: bufbn.c,v 1.4 2006/11/06 21:25:28 markus Exp $*/
|
||||
/* $OpenBSD: bufbn.c,v 1.5 2007/02/14 14:32:00 stevesk Exp $*/
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -93,7 +93,7 @@ buffer_put_bignum(Buffer *buffer, const BIGNUM *value)
|
||||
}
|
||||
|
||||
/*
|
||||
* Retrieves an BIGNUM from the buffer.
|
||||
* Retrieves a BIGNUM from the buffer.
|
||||
*/
|
||||
int
|
||||
buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value)
|
||||
@ -101,7 +101,7 @@ buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value)
|
||||
u_int bits, bytes;
|
||||
u_char buf[2], *bin;
|
||||
|
||||
/* Get the number for bits. */
|
||||
/* Get the number of bits. */
|
||||
if (buffer_get_ret(buffer, (char *) buf, 2) == -1) {
|
||||
error("buffer_get_bignum_ret: invalid length");
|
||||
return (-1);
|
||||
@ -137,7 +137,7 @@ buffer_get_bignum(Buffer *buffer, BIGNUM *value)
|
||||
}
|
||||
|
||||
/*
|
||||
* Stores an BIGNUM in the buffer in SSH2 format.
|
||||
* Stores a BIGNUM in the buffer in SSH2 format.
|
||||
*/
|
||||
int
|
||||
buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
|
||||
|
@ -48,7 +48,7 @@ PKG_REQUEST_LOCAL=../pkg-request.local
|
||||
#
|
||||
OPENSSHD=opensshd.init
|
||||
OPENSSH_MANIFEST=openssh.xml
|
||||
OPENSSH_FMRI=svc:/site/openssh:default
|
||||
OPENSSH_FMRI=svc:/site/${SYSVINIT_NAME}:default
|
||||
|
||||
PATH_GROUPADD_PROG=@PATH_GROUPADD_PROG@
|
||||
PATH_USERADD_PROG=@PATH_USERADD_PROG@
|
||||
@ -202,8 +202,9 @@ then
|
||||
cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}/lib/svc/method/site/${SYSVINIT_NAME}
|
||||
chmod 744 $FAKE_ROOT${TEST_DIR}/lib/svc/method/site/${SYSVINIT_NAME}
|
||||
|
||||
cp ${OPENSSH_MANIFEST} $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site
|
||||
chmod 644 $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site/${OPENSSH_MANIFEST}
|
||||
cat ${OPENSSH_MANIFEST} | sed "s|__SYSVINIT_NAME__|${SYSVINIT_NAME}|" \
|
||||
> $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site/${SYSVINIT_NAME}.xml
|
||||
chmod 644 $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site/${SYSVINIT_NAME}.xml
|
||||
else
|
||||
mkdir -p $FAKE_ROOT${TEST_DIR}/etc/init.d
|
||||
|
||||
@ -334,9 +335,8 @@ then
|
||||
then
|
||||
svccfg delete -f $OPENSSH_FMRI
|
||||
fi
|
||||
# NOTE, if manifest enables sshd by default, this will actually
|
||||
# start the daemon, which may not be what the user wants.
|
||||
svccfg import ${TEST_DIR}/var/svc/manifest/site/$OPENSSH_MANIFEST
|
||||
# NOTE, The manifest disables sshd by default.
|
||||
svccfg import ${TEST_DIR}/var/svc/manifest/site/${SYSVINIT_NAME}.xml
|
||||
else
|
||||
if [ "\${USE_SYM_LINKS}" = yes ]
|
||||
then
|
||||
@ -428,8 +428,6 @@ if [ "\${POST_INS_START}" = "yes" ]
|
||||
then
|
||||
if [ $DO_SMF -eq 1 ]
|
||||
then
|
||||
# See svccfg import note above. The service may already
|
||||
# be started.
|
||||
svcadm enable $OPENSSH_FMRI
|
||||
else
|
||||
${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start
|
||||
@ -544,7 +542,7 @@ PRE_INS_STOP=no
|
||||
POST_INS_START=no
|
||||
# determine if should restart the daemon
|
||||
if [ -s ${piddir}/sshd.pid ] && \
|
||||
/usr/bin/svcs $OPENSSH_FMRI 2>&1 | egrep "^online" > /dev/null 2>&1
|
||||
/usr/bin/svcs -H $OPENSSH_FMRI 2>&1 | egrep "^online" > /dev/null 2>&1
|
||||
then
|
||||
ans=\`ckyorn -d n \
|
||||
-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
|
||||
|
31
channels.c
31
channels.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: channels.c,v 1.266 2006/08/29 10:40:18 djm Exp $ */
|
||||
/* $OpenBSD: channels.c,v 1.268 2007/01/03 03:01:40 stevesk Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -1052,7 +1052,7 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
if (have < nmethods + 2)
|
||||
return 0;
|
||||
/* look for method: "NO AUTHENTICATION REQUIRED" */
|
||||
for (found = 0, i = 2 ; i < nmethods + 2; i++) {
|
||||
for (found = 0, i = 2; i < nmethods + 2; i++) {
|
||||
if (p[i] == SSH_SOCKS5_NOAUTH) {
|
||||
found = 1;
|
||||
break;
|
||||
@ -1449,10 +1449,11 @@ channel_handle_rfd(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
int len;
|
||||
|
||||
if (c->rfd != -1 &&
|
||||
FD_ISSET(c->rfd, readset)) {
|
||||
(c->detach_close || FD_ISSET(c->rfd, readset))) {
|
||||
errno = 0;
|
||||
len = read(c->rfd, buf, sizeof(buf));
|
||||
if (len < 0 && (errno == EINTR || errno == EAGAIN))
|
||||
if (len < 0 && (errno == EINTR ||
|
||||
(errno == EAGAIN && !(c->isatty && c->detach_close))))
|
||||
return 1;
|
||||
#ifndef PTY_ZEROREAD
|
||||
if (len <= 0) {
|
||||
@ -1604,11 +1605,12 @@ channel_handle_efd(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
c->local_consumed += len;
|
||||
}
|
||||
} else if (c->extended_usage == CHAN_EXTENDED_READ &&
|
||||
FD_ISSET(c->efd, readset)) {
|
||||
(c->detach_close || FD_ISSET(c->efd, readset))) {
|
||||
len = read(c->efd, buf, sizeof(buf));
|
||||
debug2("channel %d: read %d from efd %d",
|
||||
c->self, len, c->efd);
|
||||
if (len < 0 && (errno == EINTR || errno == EAGAIN))
|
||||
if (len < 0 && (errno == EINTR ||
|
||||
(errno == EAGAIN && !c->detach_close)))
|
||||
return 1;
|
||||
if (len <= 0) {
|
||||
debug2("channel %d: closing read-efd %d",
|
||||
@ -2525,11 +2527,18 @@ channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
|
||||
/* Send the forward request to the remote side. */
|
||||
if (compat20) {
|
||||
const char *address_to_bind;
|
||||
if (listen_host == NULL)
|
||||
address_to_bind = "localhost";
|
||||
else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0)
|
||||
address_to_bind = "";
|
||||
else
|
||||
if (listen_host == NULL) {
|
||||
if (datafellows & SSH_BUG_RFWD_ADDR)
|
||||
address_to_bind = "127.0.0.1";
|
||||
else
|
||||
address_to_bind = "localhost";
|
||||
} else if (*listen_host == '\0' ||
|
||||
strcmp(listen_host, "*") == 0) {
|
||||
if (datafellows & SSH_BUG_RFWD_ADDR)
|
||||
address_to_bind = "0.0.0.0";
|
||||
else
|
||||
address_to_bind = "";
|
||||
} else
|
||||
address_to_bind = listen_host;
|
||||
|
||||
packet_start(SSH2_MSG_GLOBAL_REQUEST);
|
||||
|
16
clientloop.c
16
clientloop.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: clientloop.c,v 1.176 2006/10/11 12:38:03 markus Exp $ */
|
||||
/* $OpenBSD: clientloop.c,v 1.178 2007/02/20 10:25:14 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -707,7 +707,7 @@ client_process_control(fd_set *readset)
|
||||
{
|
||||
Buffer m;
|
||||
Channel *c;
|
||||
int client_fd, new_fd[3], ver, allowed;
|
||||
int client_fd, new_fd[3], ver, allowed, window, packetmax;
|
||||
socklen_t addrlen;
|
||||
struct sockaddr_storage addr;
|
||||
struct confirm_ctx *cctx;
|
||||
@ -900,9 +900,15 @@ client_process_control(fd_set *readset)
|
||||
|
||||
set_nonblock(client_fd);
|
||||
|
||||
window = CHAN_SES_WINDOW_DEFAULT;
|
||||
packetmax = CHAN_SES_PACKET_DEFAULT;
|
||||
if (cctx->want_tty) {
|
||||
window >>= 1;
|
||||
packetmax >>= 1;
|
||||
}
|
||||
|
||||
c = channel_new("session", SSH_CHANNEL_OPENING,
|
||||
new_fd[0], new_fd[1], new_fd[2],
|
||||
CHAN_SES_WINDOW_DEFAULT, CHAN_SES_PACKET_DEFAULT,
|
||||
new_fd[0], new_fd[1], new_fd[2], window, packetmax,
|
||||
CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0);
|
||||
|
||||
/* XXX */
|
||||
@ -1757,7 +1763,7 @@ client_request_agent(const char *request_type, int rchan)
|
||||
error("Warning: this is probably a break-in attempt by a malicious server.");
|
||||
return NULL;
|
||||
}
|
||||
sock = ssh_get_authentication_socket();
|
||||
sock = ssh_get_authentication_socket();
|
||||
if (sock < 0)
|
||||
return NULL;
|
||||
c = channel_new("authentication agent connection",
|
||||
|
5
compat.c
5
compat.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: compat.c,v 1.76 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/* $OpenBSD: compat.c,v 1.77 2006/12/12 03:58:42 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -133,7 +133,8 @@ compat_datafellows(const char *version)
|
||||
{ "2.3.*", SSH_BUG_DEBUG|SSH_BUG_RSASIGMD5|
|
||||
SSH_BUG_FIRSTKEX },
|
||||
{ "2.4", SSH_OLD_SESSIONID }, /* Van Dyke */
|
||||
{ "2.*", SSH_BUG_DEBUG|SSH_BUG_FIRSTKEX },
|
||||
{ "2.*", SSH_BUG_DEBUG|SSH_BUG_FIRSTKEX|
|
||||
SSH_BUG_RFWD_ADDR },
|
||||
{ "3.0.*", SSH_BUG_DEBUG },
|
||||
{ "3.0 SecureCRT*", SSH_OLD_SESSIONID },
|
||||
{ "1.7 SecureFX*", SSH_OLD_SESSIONID },
|
||||
|
3
compat.h
3
compat.h
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: compat.h,v 1.40 2006/03/25 22:22:43 djm Exp $ */
|
||||
/* $OpenBSD: compat.h,v 1.41 2006/12/12 03:58:42 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved.
|
||||
@ -56,6 +56,7 @@
|
||||
#define SSH_BUG_PROBE 0x00400000
|
||||
#define SSH_BUG_FIRSTKEX 0x00800000
|
||||
#define SSH_OLD_FORWARD_ADDR 0x01000000
|
||||
#define SSH_BUG_RFWD_ADDR 0x02000000
|
||||
|
||||
void enable_compat13(void);
|
||||
void enable_compat20(void);
|
||||
|
1340
config.h.in
Normal file
1340
config.h.in
Normal file
File diff suppressed because it is too large
Load Diff
27
configure.ac
27
configure.ac
@ -1,4 +1,4 @@
|
||||
# $Id: configure.ac,v 1.370 2006/10/06 23:07:21 dtucker Exp $
|
||||
# $Id: configure.ac,v 1.372 2007/03/05 00:51:27 djm Exp $
|
||||
#
|
||||
# Copyright (c) 1999-2004 Damien Miller
|
||||
#
|
||||
@ -15,7 +15,7 @@
|
||||
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
|
||||
AC_REVISION($Revision: 1.370 $)
|
||||
AC_REVISION($Revision: 1.372 $)
|
||||
AC_CONFIG_SRCDIR([ssh.c])
|
||||
|
||||
AC_CONFIG_HEADER(config.h)
|
||||
@ -360,7 +360,7 @@ int main(void) { exit(0); }
|
||||
;;
|
||||
*-*-cygwin*)
|
||||
check_for_libcrypt_later=1
|
||||
LIBS="$LIBS /usr/lib/textmode.o"
|
||||
LIBS="$LIBS /usr/lib/textreadmode.o"
|
||||
AC_DEFINE(HAVE_CYGWIN, 1, [Define if you are on Cygwin])
|
||||
AC_DEFINE(USE_PIPES, 1, [Use PIPES instead of a socketpair()])
|
||||
AC_DEFINE(DISABLE_SHADOW, 1,
|
||||
@ -1857,6 +1857,14 @@ int main(void) {
|
||||
]
|
||||
)
|
||||
|
||||
AC_ARG_WITH(openssl-header-check,
|
||||
[ --without-openssl-header-check Disable OpenSSL version consistency check],
|
||||
[ if test "x$withval" = "xno" ; then
|
||||
openssl_check_nonfatal=1
|
||||
fi
|
||||
]
|
||||
)
|
||||
|
||||
# Sanity check OpenSSL headers
|
||||
AC_MSG_CHECKING([whether OpenSSL's headers match the library])
|
||||
AC_RUN_IFELSE(
|
||||
@ -1870,9 +1878,18 @@ int main(void) { exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); }
|
||||
],
|
||||
[
|
||||
AC_MSG_RESULT(no)
|
||||
AC_MSG_ERROR([Your OpenSSL headers do not match your library.
|
||||
Check config.log for details.
|
||||
if test "x$openssl_check_nonfatal" = "x"; then
|
||||
AC_MSG_ERROR([Your OpenSSL headers do not match your
|
||||
library. Check config.log for details.
|
||||
If you are sure your installation is consistent, you can disable the check
|
||||
by running "./configure --without-openssl-header-check".
|
||||
Also see contrib/findssl.sh for help identifying header/library mismatches.
|
||||
])
|
||||
else
|
||||
AC_MSG_WARN([Your OpenSSL headers do not match your
|
||||
library. Check config.log for details.
|
||||
Also see contrib/findssl.sh for help identifying header/library mismatches.])
|
||||
fi
|
||||
],
|
||||
[
|
||||
AC_MSG_WARN([cross compiling: not checking])
|
||||
|
15
contrib/Makefile
Normal file
15
contrib/Makefile
Normal file
@ -0,0 +1,15 @@
|
||||
all:
|
||||
@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
|
||||
|
||||
gnome-ssh-askpass1: gnome-ssh-askpass1.c
|
||||
$(CC) `gnome-config --cflags gnome gnomeui` \
|
||||
gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
|
||||
`gnome-config --libs gnome gnomeui`
|
||||
|
||||
gnome-ssh-askpass2: gnome-ssh-askpass2.c
|
||||
$(CC) `pkg-config --cflags gtk+-2.0` \
|
||||
gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
|
||||
`pkg-config --libs gtk+-2.0`
|
||||
|
||||
clean:
|
||||
rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass
|
70
contrib/README
Normal file
70
contrib/README
Normal file
@ -0,0 +1,70 @@
|
||||
Other patches and addons for OpenSSH. Please send submissions to
|
||||
djm@mindrot.org
|
||||
|
||||
Externally maintained
|
||||
---------------------
|
||||
|
||||
SSH Proxy Command -- connect.c
|
||||
|
||||
Shun-ichi GOTO <gotoh@imasy.or.jp> has written a very useful ProxyCommand
|
||||
which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or
|
||||
https CONNECT style proxy server. His page for connect.c has extensive
|
||||
documentation on its use as well as compiled versions for Win32.
|
||||
|
||||
http://www.taiyo.co.jp/~gotoh/ssh/connect.html
|
||||
|
||||
|
||||
X11 SSH Askpass:
|
||||
|
||||
Jim Knoble <jmknoble@pobox.com> has written an excellent X11
|
||||
passphrase requester. This is highly recommended:
|
||||
|
||||
http://www.jmknoble.net/software/x11-ssh-askpass/
|
||||
|
||||
|
||||
In this directory
|
||||
-----------------
|
||||
|
||||
ssh-copy-id:
|
||||
|
||||
Phil Hands' <phil@hands.com> shell script to automate the process of adding
|
||||
your public key to a remote machine's ~/.ssh/authorized_keys file.
|
||||
|
||||
gnome-ssh-askpass[12]:
|
||||
|
||||
A GNOME and Gtk2 passphrase requesters. Use "make gnome-ssh-askpass1" or
|
||||
"make gnome-ssh-askpass2" to build.
|
||||
|
||||
sshd.pam.generic:
|
||||
|
||||
A generic PAM config file which may be useful on your system. YMMV
|
||||
|
||||
sshd.pam.freebsd:
|
||||
|
||||
A PAM config file which works with FreeBSD's PAM port. Contributed by
|
||||
Dominik Brettnacher <domi@saargate.de>
|
||||
|
||||
findssl.sh:
|
||||
|
||||
Search for all instances of OpenSSL headers and libraries and print their
|
||||
versions. This is intended to help diagnose OpenSSH's "OpenSSL headers do not
|
||||
match your library" errors.
|
||||
|
||||
aix:
|
||||
Files to build an AIX native (installp or SMIT installable) package.
|
||||
|
||||
caldera:
|
||||
RPM spec file and scripts for building Caldera OpenLinuix packages
|
||||
|
||||
cygwin:
|
||||
Support files for Cygwin
|
||||
|
||||
hpux:
|
||||
Support files for HP-UX
|
||||
|
||||
redhat:
|
||||
RPM spec file and scripts for building Redhat packages
|
||||
|
||||
suse:
|
||||
RPM spec file and scripts for building SuSE packages
|
||||
|
50
contrib/aix/README
Normal file
50
contrib/aix/README
Normal file
@ -0,0 +1,50 @@
|
||||
Overview:
|
||||
|
||||
This directory contains files to build an AIX native (installp or SMIT
|
||||
installable) openssh package.
|
||||
|
||||
|
||||
Directions:
|
||||
|
||||
(optional) create config.local in your build dir
|
||||
./configure [options]
|
||||
contrib/aix/buildbff.sh
|
||||
|
||||
The file config.local or the environment is read to set the following options
|
||||
(default first):
|
||||
PERMIT_ROOT_LOGIN=[no|yes]
|
||||
X11_FORWARDING=[no|yes]
|
||||
AIX_SRC=[no|yes]
|
||||
|
||||
Acknowledgements:
|
||||
|
||||
The contents of this directory are based on Ben Lindstrom's Solaris
|
||||
buildpkg.sh. Ben also supplied inventory.sh.
|
||||
|
||||
Jim Abbey's (GPL'ed) lppbuild-2.1 was used to learn how to build .bff's
|
||||
and for comparison with the output from this script, however no code
|
||||
from lppbuild is included and it is not required for operation.
|
||||
|
||||
SRC support based on examples provided by Sandor Sklar and Maarten Kreuger.
|
||||
PrivSep account handling fixes contributed by W. Earl Allen.
|
||||
|
||||
|
||||
Other notes:
|
||||
|
||||
The script treats all packages as USR packages (not ROOT+USR when
|
||||
appropriate). It seems to work, though......
|
||||
|
||||
If there are any patches to this that have not yet been integrated they
|
||||
may be found at http://www.zip.com.au/~dtucker/openssh/.
|
||||
|
||||
|
||||
Disclaimer:
|
||||
|
||||
It is hoped that it is useful but there is no warranty. If it breaks
|
||||
you get to keep both pieces.
|
||||
|
||||
|
||||
- Darren Tucker (dtucker at zip dot com dot au)
|
||||
2002/03/01
|
||||
|
||||
$Id: README,v 1.4 2003/08/25 05:01:04 dtucker Exp $
|
381
contrib/aix/buildbff.sh
Executable file
381
contrib/aix/buildbff.sh
Executable file
@ -0,0 +1,381 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# buildbff.sh: Create AIX SMIT-installable OpenSSH packages
|
||||
# $Id$
|
||||
#
|
||||
# Author: Darren Tucker (dtucker at zip dot com dot au)
|
||||
# This file is placed in the public domain and comes with absolutely
|
||||
# no warranty.
|
||||
#
|
||||
# Based originally on Ben Lindstrom's buildpkg.sh for Solaris
|
||||
#
|
||||
|
||||
#
|
||||
# Tunable configuration settings
|
||||
# create a "config.local" in your build directory or set
|
||||
# environment variables to override these.
|
||||
#
|
||||
[ -z "$PERMIT_ROOT_LOGIN" ] && PERMIT_ROOT_LOGIN=no
|
||||
[ -z "$X11_FORWARDING" ] && X11_FORWARDING=no
|
||||
[ -z "$AIX_SRC" ] && AIX_SRC=no
|
||||
|
||||
umask 022
|
||||
|
||||
startdir=`pwd`
|
||||
|
||||
perl -v >/dev/null || (echo perl required; exit 1)
|
||||
|
||||
# Path to inventory.sh: same place as buildbff.sh
|
||||
if echo $0 | egrep '^/'
|
||||
then
|
||||
inventory=`dirname $0`/inventory.sh # absolute path
|
||||
else
|
||||
inventory=`pwd`/`dirname $0`/inventory.sh # relative path
|
||||
fi
|
||||
|
||||
#
|
||||
# We still support running from contrib/aix, but this is deprecated
|
||||
#
|
||||
if pwd | egrep 'contrib/aix$'
|
||||
then
|
||||
echo "Changing directory to `pwd`/../.."
|
||||
echo "Please run buildbff.sh from your build directory in future."
|
||||
cd ../..
|
||||
contribaix=1
|
||||
fi
|
||||
|
||||
if [ ! -f Makefile ]
|
||||
then
|
||||
echo "Makefile not found (did you run configure?)"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
#
|
||||
# Directories used during build:
|
||||
# current dir = $objdir directory you ran ./configure in.
|
||||
# $objdir/$PKGDIR/ directory package files are constructed in
|
||||
# $objdir/$PKGDIR/root/ package root ($FAKE_ROOT)
|
||||
#
|
||||
objdir=`pwd`
|
||||
PKGNAME=openssh
|
||||
PKGDIR=package
|
||||
|
||||
#
|
||||
# Collect local configuration settings to override defaults
|
||||
#
|
||||
if [ -s ./config.local ]
|
||||
then
|
||||
echo Reading local settings from config.local
|
||||
. ./config.local
|
||||
fi
|
||||
|
||||
#
|
||||
# Fill in some details from Makefile, like prefix and sysconfdir
|
||||
# the eval also expands variables like sysconfdir=${prefix}/etc
|
||||
# provided they are eval'ed in the correct order
|
||||
#
|
||||
for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir mansubdir sysconfdir piddir srcdir
|
||||
do
|
||||
eval $confvar=`grep "^$confvar=" $objdir/Makefile | cut -d = -f 2`
|
||||
done
|
||||
|
||||
#
|
||||
# Collect values of privsep user and privsep path
|
||||
# currently only found in config.h
|
||||
#
|
||||
for confvar in SSH_PRIVSEP_USER PRIVSEP_PATH
|
||||
do
|
||||
eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' $objdir/config.h`
|
||||
done
|
||||
|
||||
# Set privsep defaults if not defined
|
||||
if [ -z "$SSH_PRIVSEP_USER" ]
|
||||
then
|
||||
SSH_PRIVSEP_USER=sshd
|
||||
fi
|
||||
if [ -z "$PRIVSEP_PATH" ]
|
||||
then
|
||||
PRIVSEP_PATH=/var/empty
|
||||
fi
|
||||
|
||||
# Clean package build directory
|
||||
rm -rf $objdir/$PKGDIR
|
||||
FAKE_ROOT=$objdir/$PKGDIR/root
|
||||
mkdir -p $FAKE_ROOT
|
||||
|
||||
# Start by faking root install
|
||||
echo "Faking root install..."
|
||||
cd $objdir
|
||||
make install-nokeys DESTDIR=$FAKE_ROOT
|
||||
|
||||
if [ $? -gt 0 ]
|
||||
then
|
||||
echo "Fake root install failed, stopping."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
#
|
||||
# Copy informational files to include in package
|
||||
#
|
||||
cp $srcdir/LICENCE $objdir/$PKGDIR/
|
||||
cp $srcdir/README* $objdir/$PKGDIR/
|
||||
|
||||
#
|
||||
# Extract common info requires for the 'info' part of the package.
|
||||
# AIX requires 4-part version numbers
|
||||
#
|
||||
VERSION=`./ssh -V 2>&1 | cut -f 1 -d , | cut -f 2 -d _`
|
||||
MAJOR=`echo $VERSION | cut -f 1 -d p | cut -f 1 -d .`
|
||||
MINOR=`echo $VERSION | cut -f 1 -d p | cut -f 2 -d .`
|
||||
PATCH=`echo $VERSION | cut -f 1 -d p | cut -f 3 -d .`
|
||||
PORTABLE=`echo $VERSION | awk 'BEGIN{FS="p"}{print $2}'`
|
||||
[ "$PATCH" = "" ] && PATCH=0
|
||||
[ "$PORTABLE" = "" ] && PORTABLE=0
|
||||
BFFVERSION=`printf "%d.%d.%d.%d" $MAJOR $MINOR $PATCH $PORTABLE`
|
||||
|
||||
echo "Building BFF for $PKGNAME $VERSION (package version $BFFVERSION)"
|
||||
|
||||
#
|
||||
# Set ssh and sshd parameters as per config.local
|
||||
#
|
||||
if [ "${PERMIT_ROOT_LOGIN}" = no ]
|
||||
then
|
||||
perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
|
||||
$FAKE_ROOT/${sysconfdir}/sshd_config
|
||||
fi
|
||||
if [ "${X11_FORWARDING}" = yes ]
|
||||
then
|
||||
perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
|
||||
$FAKE_ROOT/${sysconfdir}/sshd_config
|
||||
fi
|
||||
|
||||
|
||||
# Rename config files; postinstall script will copy them if necessary
|
||||
for cfgfile in ssh_config sshd_config ssh_prng_cmds
|
||||
do
|
||||
mv $FAKE_ROOT/$sysconfdir/$cfgfile $FAKE_ROOT/$sysconfdir/$cfgfile.default
|
||||
done
|
||||
|
||||
#
|
||||
# Generate lpp control files.
|
||||
# working dir is $FAKE_ROOT but files are generated in dir above
|
||||
# and moved into place just before creation of .bff
|
||||
#
|
||||
cd $FAKE_ROOT
|
||||
echo Generating LPP control files
|
||||
find . ! -name . -print >../openssh.al
|
||||
$inventory >../openssh.inventory
|
||||
|
||||
cat <<EOD >../openssh.copyright
|
||||
This software is distributed under a BSD-style license.
|
||||
For the full text of the license, see /usr/lpp/openssh/LICENCE
|
||||
EOD
|
||||
|
||||
#
|
||||
# openssh.size file allows filesystem expansion as required
|
||||
# generate list of directories containing files
|
||||
# then calculate disk usage for each directory and store in openssh.size
|
||||
#
|
||||
files=`find . -type f -print`
|
||||
dirs=`for file in $files; do dirname $file; done | sort -u`
|
||||
for dir in $dirs
|
||||
do
|
||||
du $dir
|
||||
done > ../openssh.size
|
||||
|
||||
#
|
||||
# Create postinstall script
|
||||
#
|
||||
cat <<EOF >>../openssh.post_i
|
||||
#!/bin/sh
|
||||
|
||||
echo Creating configs from defaults if necessary.
|
||||
for cfgfile in ssh_config sshd_config ssh_prng_cmds
|
||||
do
|
||||
if [ ! -f $sysconfdir/\$cfgfile ]
|
||||
then
|
||||
echo "Creating \$cfgfile from default"
|
||||
cp $sysconfdir/\$cfgfile.default $sysconfdir/\$cfgfile
|
||||
else
|
||||
echo "\$cfgfile already exists."
|
||||
fi
|
||||
done
|
||||
echo
|
||||
|
||||
# Create PrivilegeSeparation user and group if not present
|
||||
echo Checking for PrivilegeSeparation user and group.
|
||||
if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
|
||||
then
|
||||
echo "PrivSep group $SSH_PRIVSEP_USER already exists."
|
||||
else
|
||||
echo "Creating PrivSep group $SSH_PRIVSEP_USER."
|
||||
mkgroup -A $SSH_PRIVSEP_USER
|
||||
fi
|
||||
|
||||
# Create user if required
|
||||
if lsuser "$SSH_PRIVSEP_USER" >/dev/null
|
||||
then
|
||||
echo "PrivSep user $SSH_PRIVSEP_USER already exists."
|
||||
else
|
||||
echo "Creating PrivSep user $SSH_PRIVSEP_USER."
|
||||
mkuser gecos='SSHD PrivSep User' login=false rlogin=false account_locked=true pgrp=$SSH_PRIVSEP_USER $SSH_PRIVSEP_USER
|
||||
fi
|
||||
|
||||
if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null
|
||||
then
|
||||
echo UsePrivilegeSeparation not enabled, privsep directory not required.
|
||||
else
|
||||
# create chroot directory if required
|
||||
if [ -d $PRIVSEP_PATH ]
|
||||
then
|
||||
echo "PrivSep chroot directory $PRIVSEP_PATH already exists."
|
||||
else
|
||||
echo "Creating PrivSep chroot directory $PRIVSEP_PATH."
|
||||
mkdir $PRIVSEP_PATH
|
||||
chown 0 $PRIVSEP_PATH
|
||||
chgrp 0 $PRIVSEP_PATH
|
||||
chmod 755 $PRIVSEP_PATH
|
||||
fi
|
||||
fi
|
||||
echo
|
||||
|
||||
# Generate keys unless they already exist
|
||||
echo Creating host keys if required.
|
||||
if [ -f "$sysconfdir/ssh_host_key" ] ; then
|
||||
echo "$sysconfdir/ssh_host_key already exists, skipping."
|
||||
else
|
||||
$bindir/ssh-keygen -t rsa1 -f $sysconfdir/ssh_host_key -N ""
|
||||
fi
|
||||
if [ -f $sysconfdir/ssh_host_dsa_key ] ; then
|
||||
echo "$sysconfdir/ssh_host_dsa_key already exists, skipping."
|
||||
else
|
||||
$bindir/ssh-keygen -t dsa -f $sysconfdir/ssh_host_dsa_key -N ""
|
||||
fi
|
||||
if [ -f $sysconfdir/ssh_host_rsa_key ] ; then
|
||||
echo "$sysconfdir/ssh_host_rsa_key already exists, skipping."
|
||||
else
|
||||
$bindir/ssh-keygen -t rsa -f $sysconfdir/ssh_host_rsa_key -N ""
|
||||
fi
|
||||
echo
|
||||
|
||||
# Set startup command depending on SRC support
|
||||
if [ "$AIX_SRC" = "yes" ]
|
||||
then
|
||||
echo Creating SRC sshd subsystem.
|
||||
rmssys -s sshd 2>&1 >/dev/null
|
||||
mkssys -s sshd -p "$sbindir/sshd" -a '-D' -u 0 -S -n 15 -f 9 -R -G tcpip
|
||||
startupcmd="start $sbindir/sshd \\\"\\\$src_running\\\""
|
||||
oldstartcmd="$sbindir/sshd"
|
||||
else
|
||||
startupcmd="$sbindir/sshd"
|
||||
oldstartcmd="start $sbindir/sshd \\\"$src_running\\\""
|
||||
fi
|
||||
|
||||
# If migrating to or from SRC, change previous startup command
|
||||
# otherwise add to rc.tcpip
|
||||
if egrep "^\$oldstartcmd" /etc/rc.tcpip >/dev/null
|
||||
then
|
||||
if sed "s|^\$oldstartcmd|\$startupcmd|g" /etc/rc.tcpip >/etc/rc.tcpip.new
|
||||
then
|
||||
chmod 0755 /etc/rc.tcpip.new
|
||||
mv /etc/rc.tcpip /etc/rc.tcpip.old && \
|
||||
mv /etc/rc.tcpip.new /etc/rc.tcpip
|
||||
else
|
||||
echo "Updating /etc/rc.tcpip failed, please check."
|
||||
fi
|
||||
else
|
||||
# Add to system startup if required
|
||||
if grep "^\$startupcmd" /etc/rc.tcpip >/dev/null
|
||||
then
|
||||
echo "sshd found in rc.tcpip, not adding."
|
||||
else
|
||||
echo "Adding sshd to rc.tcpip"
|
||||
echo >>/etc/rc.tcpip
|
||||
echo "# Start sshd" >>/etc/rc.tcpip
|
||||
echo "\$startupcmd" >>/etc/rc.tcpip
|
||||
fi
|
||||
fi
|
||||
EOF
|
||||
|
||||
#
|
||||
# Create liblpp.a and move control files into it
|
||||
#
|
||||
echo Creating liblpp.a
|
||||
(
|
||||
cd ..
|
||||
for i in openssh.al openssh.copyright openssh.inventory openssh.post_i openssh.size LICENCE README*
|
||||
do
|
||||
ar -r liblpp.a $i
|
||||
rm $i
|
||||
done
|
||||
)
|
||||
|
||||
#
|
||||
# Create lpp_name
|
||||
#
|
||||
# This will end up looking something like:
|
||||
# 4 R I OpenSSH {
|
||||
# OpenSSH 3.0.2.1 1 N U en_US OpenSSH 3.0.2p1 Portable for AIX
|
||||
# [
|
||||
# %
|
||||
# /usr/local/bin 8073
|
||||
# /usr/local/etc 189
|
||||
# /usr/local/libexec 185
|
||||
# /usr/local/man/man1 145
|
||||
# /usr/local/man/man8 83
|
||||
# /usr/local/sbin 2105
|
||||
# /usr/local/share 3
|
||||
# %
|
||||
# ]
|
||||
# }
|
||||
|
||||
echo Creating lpp_name
|
||||
cat <<EOF >../lpp_name
|
||||
4 R I $PKGNAME {
|
||||
$PKGNAME $BFFVERSION 1 N U en_US OpenSSH $VERSION Portable for AIX
|
||||
[
|
||||
%
|
||||
EOF
|
||||
|
||||
for i in $bindir $sysconfdir $libexecdir $mandir/${mansubdir}1 $mandir/${mansubdir}8 $sbindir $datadir /usr/lpp/openssh
|
||||
do
|
||||
# get size in 512 byte blocks
|
||||
if [ -d $FAKE_ROOT/$i ]
|
||||
then
|
||||
size=`du $FAKE_ROOT/$i | awk '{print $1}'`
|
||||
echo "$i $size" >>../lpp_name
|
||||
fi
|
||||
done
|
||||
|
||||
echo '%' >>../lpp_name
|
||||
echo ']' >>../lpp_name
|
||||
echo '}' >>../lpp_name
|
||||
|
||||
#
|
||||
# Move pieces into place
|
||||
#
|
||||
mkdir -p usr/lpp/openssh
|
||||
mv ../liblpp.a usr/lpp/openssh
|
||||
mv ../lpp_name .
|
||||
|
||||
#
|
||||
# Now invoke backup to create .bff file
|
||||
# note: lpp_name needs to be the first file so we generate the
|
||||
# file list on the fly and feed it to backup using -i
|
||||
#
|
||||
echo Creating $PKGNAME-$VERSION.bff with backup...
|
||||
rm -f $PKGNAME-$VERSION.bff
|
||||
(
|
||||
echo "./lpp_name"
|
||||
find . ! -name lpp_name -a ! -name . -print
|
||||
) | backup -i -q -f ../$PKGNAME-$VERSION.bff $filelist
|
||||
|
||||
#
|
||||
# Move package into final location and clean up
|
||||
#
|
||||
mv ../$PKGNAME-$VERSION.bff $startdir
|
||||
cd $startdir
|
||||
rm -rf $objdir/$PKGDIR
|
||||
|
||||
echo $0: done.
|
||||
|
63
contrib/aix/inventory.sh
Executable file
63
contrib/aix/inventory.sh
Executable file
@ -0,0 +1,63 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# inventory.sh
|
||||
# $Id$
|
||||
#
|
||||
# Originally written by Ben Lindstrom, modified by Darren Tucker to use perl
|
||||
# This file is placed into the public domain.
|
||||
#
|
||||
# This will produce an AIX package inventory file, which looks like:
|
||||
#
|
||||
# /usr/local/bin:
|
||||
# class=apply,inventory,openssh
|
||||
# owner=root
|
||||
# group=system
|
||||
# mode=755
|
||||
# type=DIRECTORY
|
||||
# /usr/local/bin/slogin:
|
||||
# class=apply,inventory,openssh
|
||||
# owner=root
|
||||
# group=system
|
||||
# mode=777
|
||||
# type=SYMLINK
|
||||
# target=ssh
|
||||
# /usr/local/share/Ssh.bin:
|
||||
# class=apply,inventory,openssh
|
||||
# owner=root
|
||||
# group=system
|
||||
# mode=644
|
||||
# type=FILE
|
||||
# size=VOLATILE
|
||||
# checksum=VOLATILE
|
||||
|
||||
find . ! -name . -print | perl -ne '{
|
||||
chomp;
|
||||
if ( -l $_ ) {
|
||||
($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=lstat;
|
||||
} else {
|
||||
($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=stat;
|
||||
}
|
||||
|
||||
# Start to display inventory information
|
||||
$name = $_;
|
||||
$name =~ s|^.||; # Strip leading dot from path
|
||||
print "$name:\n";
|
||||
print "\tclass=apply,inventory,openssh\n";
|
||||
print "\towner=root\n";
|
||||
print "\tgroup=system\n";
|
||||
printf "\tmode=%lo\n", $mod & 07777; # Mask perm bits
|
||||
|
||||
if ( -l $_ ) {
|
||||
# Entry is SymLink
|
||||
print "\ttype=SYMLINK\n";
|
||||
printf "\ttarget=%s\n", readlink($_);
|
||||
} elsif ( -f $_ ) {
|
||||
# Entry is File
|
||||
print "\ttype=FILE\n";
|
||||
print "\tsize=$sz\n";
|
||||
print "\tchecksum=VOLATILE\n";
|
||||
} elsif ( -d $_ ) {
|
||||
# Entry is Directory
|
||||
print "\ttype=DIRECTORY\n";
|
||||
}
|
||||
}'
|
20
contrib/aix/pam.conf
Normal file
20
contrib/aix/pam.conf
Normal file
@ -0,0 +1,20 @@
|
||||
#
|
||||
# PAM configuration file /etc/pam.conf
|
||||
# Example for OpenSSH on AIX 5.2
|
||||
#
|
||||
|
||||
# Authentication Management
|
||||
sshd auth required /usr/lib/security/pam_aix
|
||||
OTHER auth required /usr/lib/security/pam_aix
|
||||
|
||||
# Account Management
|
||||
sshd account required /usr/lib/security/pam_aix
|
||||
OTHER account required /usr/lib/security/pam_aix
|
||||
|
||||
# Password Management
|
||||
sshd password required /usr/lib/security/pam_aix
|
||||
OTHER password required /usr/lib/security/pam_aix
|
||||
|
||||
# Session Management
|
||||
sshd session required /usr/lib/security/pam_aix
|
||||
OTHER session required /usr/lib/security/pam_aix
|
360
contrib/caldera/openssh.spec
Normal file
360
contrib/caldera/openssh.spec
Normal file
@ -0,0 +1,360 @@
|
||||
|
||||
# Some of this will need re-evaluation post-LSB. The SVIdir is there
|
||||
# because the link appeared broken. The rest is for easy compilation,
|
||||
# the tradeoff open to discussion. (LC957)
|
||||
|
||||
%define SVIdir /etc/rc.d/init.d
|
||||
%{!?_defaultdocdir:%define _defaultdocdir %{_prefix}/share/doc/packages}
|
||||
%{!?SVIcdir:%define SVIcdir /etc/sysconfig/daemons}
|
||||
|
||||
%define _mandir %{_prefix}/share/man/en
|
||||
%define _sysconfdir /etc/ssh
|
||||
%define _libexecdir %{_libdir}/ssh
|
||||
|
||||
# Do we want to disable root_login? (1=yes 0=no)
|
||||
%define no_root_login 0
|
||||
|
||||
#old cvs stuff. please update before use. may be deprecated.
|
||||
%define use_stable 1
|
||||
%if %{use_stable}
|
||||
%define version 4.6p1
|
||||
%define cvs %{nil}
|
||||
%define release 1
|
||||
%else
|
||||
%define version 4.1p1
|
||||
%define cvs cvs20050315
|
||||
%define release 0r1
|
||||
%endif
|
||||
%define xsa x11-ssh-askpass
|
||||
%define askpass %{xsa}-1.2.4.1
|
||||
|
||||
# OpenSSH privilege separation requires a user & group ID
|
||||
%define sshd_uid 67
|
||||
%define sshd_gid 67
|
||||
|
||||
Name : openssh
|
||||
Version : %{version}%{cvs}
|
||||
Release : %{release}
|
||||
Group : System/Network
|
||||
|
||||
Summary : OpenSSH free Secure Shell (SSH) implementation.
|
||||
Summary(de) : OpenSSH - freie Implementation der Secure Shell (SSH).
|
||||
Summary(es) : OpenSSH implementación libre de Secure Shell (SSH).
|
||||
Summary(fr) : Implémentation libre du shell sécurisé OpenSSH (SSH).
|
||||
Summary(it) : Implementazione gratuita OpenSSH della Secure Shell.
|
||||
Summary(pt) : Implementação livre OpenSSH do protocolo 'Secure Shell' (SSH).
|
||||
Summary(pt_BR) : Implementação livre OpenSSH do protocolo Secure Shell (SSH).
|
||||
|
||||
Copyright : BSD
|
||||
Packager : Raymund Will <ray@caldera.de>
|
||||
URL : http://www.openssh.com/
|
||||
|
||||
Obsoletes : ssh, ssh-clients, openssh-clients
|
||||
|
||||
BuildRoot : /tmp/%{name}-%{version}
|
||||
BuildRequires : XFree86-imake
|
||||
|
||||
# %{use_stable}==1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
|
||||
# %{use_stable}==0: :pserver:cvs@bass.directhit.com:/cvs/openssh_cvs
|
||||
Source0: see-above:/.../openssh-%{version}.tar.gz
|
||||
%if %{use_stable}
|
||||
Source1: see-above:/.../openssh-%{version}.tar.gz.sig
|
||||
%endif
|
||||
Source2: http://www.jmknoble.net/software/%{xsa}/%{askpass}.tar.gz
|
||||
Source3: http://www.openssh.com/faq.html
|
||||
|
||||
%Package server
|
||||
Group : System/Network
|
||||
Requires : openssh = %{version}
|
||||
Obsoletes : ssh-server
|
||||
|
||||
Summary : OpenSSH Secure Shell protocol server (sshd).
|
||||
Summary(de) : OpenSSH Secure Shell Protocol-Server (sshd).
|
||||
Summary(es) : Servidor del protocolo OpenSSH Secure Shell (sshd).
|
||||
Summary(fr) : Serveur de protocole du shell sécurisé OpenSSH (sshd).
|
||||
Summary(it) : Server OpenSSH per il protocollo Secure Shell (sshd).
|
||||
Summary(pt) : Servidor do protocolo 'Secure Shell' OpenSSH (sshd).
|
||||
Summary(pt_BR) : Servidor do protocolo Secure Shell OpenSSH (sshd).
|
||||
|
||||
|
||||
%Package askpass
|
||||
Group : System/Network
|
||||
Requires : openssh = %{version}
|
||||
URL : http://www.jmknoble.net/software/x11-ssh-askpass/
|
||||
Obsoletes : ssh-extras
|
||||
|
||||
Summary : OpenSSH X11 pass-phrase dialog.
|
||||
Summary(de) : OpenSSH X11 Passwort-Dialog.
|
||||
Summary(es) : Aplicación de petición de frase clave OpenSSH X11.
|
||||
Summary(fr) : Dialogue pass-phrase X11 d'OpenSSH.
|
||||
Summary(it) : Finestra di dialogo X11 per la frase segreta di OpenSSH.
|
||||
Summary(pt) : Diálogo de pedido de senha para X11 do OpenSSH.
|
||||
Summary(pt_BR) : Diálogo de pedido de senha para X11 do OpenSSH.
|
||||
|
||||
|
||||
%Description
|
||||
OpenSSH (Secure Shell) provides access to a remote system. It replaces
|
||||
telnet, rlogin, rexec, and rsh, and provides secure encrypted
|
||||
communications between two untrusted hosts over an insecure network.
|
||||
X11 connections and arbitrary TCP/IP ports can also be forwarded over
|
||||
the secure channel.
|
||||
|
||||
%Description -l de
|
||||
OpenSSH (Secure Shell) stellt den Zugang zu anderen Rechnern her. Es ersetzt
|
||||
telnet, rlogin, rexec und rsh und stellt eine sichere, verschlüsselte
|
||||
Verbindung zwischen zwei nicht vertrauenswürdigen Hosts über eine unsicheres
|
||||
Netzwerk her. X11 Verbindungen und beliebige andere TCP/IP Ports können ebenso
|
||||
über den sicheren Channel weitergeleitet werden.
|
||||
|
||||
%Description -l es
|
||||
OpenSSH (Secure Shell) proporciona acceso a sistemas remotos. Reemplaza a
|
||||
telnet, rlogin, rexec, y rsh, y proporciona comunicaciones seguras encriptadas
|
||||
entre dos equipos entre los que no se ha establecido confianza a través de una
|
||||
red insegura. Las conexiones X11 y puertos TCP/IP arbitrarios también pueden
|
||||
ser canalizadas sobre el canal seguro.
|
||||
|
||||
%Description -l fr
|
||||
OpenSSH (Secure Shell) fournit un accès à un système distant. Il remplace
|
||||
telnet, rlogin, rexec et rsh, tout en assurant des communications cryptées
|
||||
securisées entre deux hôtes non fiabilisés sur un réseau non sécurisé. Des
|
||||
connexions X11 et des ports TCP/IP arbitraires peuvent également être
|
||||
transmis sur le canal sécurisé.
|
||||
|
||||
%Description -l it
|
||||
OpenSSH (Secure Shell) fornisce l'accesso ad un sistema remoto.
|
||||
Sostituisce telnet, rlogin, rexec, e rsh, e fornisce comunicazioni sicure
|
||||
e crittate tra due host non fidati su una rete non sicura. Le connessioni
|
||||
X11 ad una porta TCP/IP arbitraria possono essere inoltrate attraverso
|
||||
un canale sicuro.
|
||||
|
||||
%Description -l pt
|
||||
OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o
|
||||
telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e cifradas
|
||||
entre duas máquinas sem confiança mútua sobre uma rede insegura.
|
||||
Ligações X11 e portos TCP/IP arbitrários também poder ser reenviados
|
||||
pelo canal seguro.
|
||||
|
||||
%Description -l pt_BR
|
||||
O OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o
|
||||
telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e criptografadas
|
||||
entre duas máquinas sem confiança mútua sobre uma rede insegura.
|
||||
Ligações X11 e portas TCP/IP arbitrárias também podem ser reenviadas
|
||||
pelo canal seguro.
|
||||
|
||||
%Description server
|
||||
This package installs the sshd, the server portion of OpenSSH.
|
||||
|
||||
%Description -l de server
|
||||
Dieses Paket installiert den sshd, den Server-Teil der OpenSSH.
|
||||
|
||||
%Description -l es server
|
||||
Este paquete instala sshd, la parte servidor de OpenSSH.
|
||||
|
||||
%Description -l fr server
|
||||
Ce paquetage installe le 'sshd', partie serveur de OpenSSH.
|
||||
|
||||
%Description -l it server
|
||||
Questo pacchetto installa sshd, il server di OpenSSH.
|
||||
|
||||
%Description -l pt server
|
||||
Este pacote intala o sshd, o servidor do OpenSSH.
|
||||
|
||||
%Description -l pt_BR server
|
||||
Este pacote intala o sshd, o servidor do OpenSSH.
|
||||
|
||||
%Description askpass
|
||||
This package contains an X11-based pass-phrase dialog used per
|
||||
default by ssh-add(1). It is based on %{askpass}
|
||||
by Jim Knoble <jmknoble@pobox.com>.
|
||||
|
||||
|
||||
%Prep
|
||||
%setup %([ -z "%{cvs}" ] || echo "-n %{name}_cvs") -a2
|
||||
%if ! %{use_stable}
|
||||
autoreconf
|
||||
%endif
|
||||
|
||||
|
||||
%Build
|
||||
CFLAGS="$RPM_OPT_FLAGS" \
|
||||
%configure \
|
||||
--with-pam \
|
||||
--with-tcp-wrappers \
|
||||
--with-privsep-path=%{_var}/empty/sshd \
|
||||
#leave this line for easy edits.
|
||||
|
||||
%__make CFLAGS="$RPM_OPT_FLAGS"
|
||||
|
||||
cd %{askpass}
|
||||
%configure \
|
||||
#leave this line for easy edits.
|
||||
|
||||
xmkmf
|
||||
%__make includes
|
||||
%__make
|
||||
|
||||
|
||||
%Install
|
||||
[ %{buildroot} != "/" ] && rm -rf %{buildroot}
|
||||
|
||||
make install DESTDIR=%{buildroot}
|
||||
%makeinstall -C %{askpass} \
|
||||
BINDIR=%{_libexecdir} \
|
||||
MANPATH=%{_mandir} \
|
||||
DESTDIR=%{buildroot}
|
||||
|
||||
# OpenLinux specific configuration
|
||||
mkdir -p %{buildroot}{/etc/pam.d,%{SVIcdir},%{SVIdir}}
|
||||
mkdir -p %{buildroot}%{_var}/empty/sshd
|
||||
|
||||
# enabling X11 forwarding on the server is convenient and okay,
|
||||
# on the client side it's a potential security risk!
|
||||
%__perl -pi -e 's:#X11Forwarding no:X11Forwarding yes:g' \
|
||||
%{buildroot}%{_sysconfdir}/sshd_config
|
||||
|
||||
%if %{no_root_login}
|
||||
%__perl -pi -e 's:#PermitRootLogin yes:PermitRootLogin no:g' \
|
||||
%{buildroot}%{_sysconfdir}/sshd_config
|
||||
%endif
|
||||
|
||||
install -m644 contrib/caldera/sshd.pam %{buildroot}/etc/pam.d/sshd
|
||||
# FIXME: disabled, find out why this doesn't work with nis
|
||||
%__perl -pi -e 's:(.*pam_limits.*):#$1:' \
|
||||
%{buildroot}/etc/pam.d/sshd
|
||||
|
||||
install -m 0755 contrib/caldera/sshd.init %{buildroot}%{SVIdir}/sshd
|
||||
|
||||
# the last one is needless, but more future-proof
|
||||
find %{buildroot}%{SVIdir} -type f -exec \
|
||||
%__perl -pi -e 's:\@SVIdir\@:%{SVIdir}:g;\
|
||||
s:\@sysconfdir\@:%{_sysconfdir}:g; \
|
||||
s:/usr/sbin:%{_sbindir}:g'\
|
||||
\{\} \;
|
||||
|
||||
cat <<-EoD > %{buildroot}%{SVIcdir}/sshd
|
||||
IDENT=sshd
|
||||
DESCRIPTIVE="OpenSSH secure shell daemon"
|
||||
# This service will be marked as 'skipped' on boot if there
|
||||
# is no host key. Use ssh-host-keygen to generate one
|
||||
ONBOOT="yes"
|
||||
OPTIONS=""
|
||||
EoD
|
||||
|
||||
SKG=%{buildroot}%{_sbindir}/ssh-host-keygen
|
||||
install -m 0755 contrib/caldera/ssh-host-keygen $SKG
|
||||
# Fix up some path names in the keygen toy^Hol
|
||||
%__perl -pi -e 's:\@sysconfdir\@:%{_sysconfdir}:g; \
|
||||
s:\@sshkeygen\@:%{_bindir}/ssh-keygen:g' \
|
||||
%{buildroot}%{_sbindir}/ssh-host-keygen
|
||||
|
||||
# This looks terrible. Expect it to change.
|
||||
# install remaining docs
|
||||
DocD="%{buildroot}%{_defaultdocdir}/%{name}-%{version}"
|
||||
mkdir -p $DocD/%{askpass}
|
||||
cp -a CREDITS ChangeLog LICENCE OVERVIEW README* TODO $DocD
|
||||
install -p -m 0444 %{SOURCE3} $DocD/faq.html
|
||||
cp -a %{askpass}/{README,ChangeLog,TODO,SshAskpass*.ad} $DocD/%{askpass}
|
||||
%if %{use_stable}
|
||||
cp -p %{askpass}/%{xsa}.man $DocD/%{askpass}/%{xsa}.1
|
||||
%else
|
||||
cp -p %{askpass}/%{xsa}.man %{buildroot}%{_mandir}man1/%{xsa}.1
|
||||
ln -s %{xsa}.1 %{buildroot}%{_mandir}man1/ssh-askpass.1
|
||||
%endif
|
||||
|
||||
find %{buildroot}%{_mandir} -type f -not -name '*.gz' -print0 | xargs -0r %__gzip -9nf
|
||||
rm %{buildroot}%{_mandir}/man1/slogin.1 && \
|
||||
ln -s %{_mandir}/man1/ssh.1.gz \
|
||||
%{buildroot}%{_mandir}/man1/slogin.1.gz
|
||||
|
||||
|
||||
%Clean
|
||||
#%{rmDESTDIR}
|
||||
[ %{buildroot} != "/" ] && rm -rf %{buildroot}
|
||||
|
||||
%Post
|
||||
# Generate host key when none is present to get up and running,
|
||||
# both client and server require this for host-based auth!
|
||||
# ssh-host-keygen checks for existing keys.
|
||||
/usr/sbin/ssh-host-keygen
|
||||
: # to protect the rpm database
|
||||
|
||||
%pre server
|
||||
%{_sbindir}/groupadd -g %{sshd_gid} sshd 2>/dev/null || :
|
||||
%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
|
||||
-c "SSH Daemon virtual user" -g sshd sshd 2>/dev/null || :
|
||||
: # to protect the rpm database
|
||||
|
||||
%Post server
|
||||
if [ -x %{LSBinit}-install ]; then
|
||||
%{LSBinit}-install sshd
|
||||
else
|
||||
lisa --SysV-init install sshd S55 2:3:4:5 K45 0:1:6
|
||||
fi
|
||||
|
||||
! %{SVIdir}/sshd status || %{SVIdir}/sshd restart
|
||||
: # to protect the rpm database
|
||||
|
||||
|
||||
%PreUn server
|
||||
[ "$1" = 0 ] || exit 0
|
||||
! %{SVIdir}/sshd status || %{SVIdir}/sshd stop
|
||||
if [ -x %{LSBinit}-remove ]; then
|
||||
%{LSBinit}-remove sshd
|
||||
else
|
||||
lisa --SysV-init remove sshd $1
|
||||
fi
|
||||
: # to protect the rpm database
|
||||
|
||||
%Files
|
||||
%defattr(-,root,root)
|
||||
%dir %{_sysconfdir}
|
||||
%config %{_sysconfdir}/ssh_config
|
||||
%{_bindir}/scp
|
||||
%{_bindir}/sftp
|
||||
%{_bindir}/ssh
|
||||
%{_bindir}/slogin
|
||||
%{_bindir}/ssh-add
|
||||
%attr(2755,root,nobody) %{_bindir}/ssh-agent
|
||||
%{_bindir}/ssh-keygen
|
||||
%{_bindir}/ssh-keyscan
|
||||
%dir %{_libexecdir}
|
||||
%attr(4711,root,root) %{_libexecdir}/ssh-keysign
|
||||
%{_sbindir}/ssh-host-keygen
|
||||
%dir %{_defaultdocdir}/%{name}-%{version}
|
||||
%{_defaultdocdir}/%{name}-%{version}/CREDITS
|
||||
%{_defaultdocdir}/%{name}-%{version}/ChangeLog
|
||||
%{_defaultdocdir}/%{name}-%{version}/LICENCE
|
||||
%{_defaultdocdir}/%{name}-%{version}/OVERVIEW
|
||||
%{_defaultdocdir}/%{name}-%{version}/README*
|
||||
%{_defaultdocdir}/%{name}-%{version}/TODO
|
||||
%{_defaultdocdir}/%{name}-%{version}/faq.html
|
||||
%{_mandir}/man1/*
|
||||
%{_mandir}/man8/ssh-keysign.8.gz
|
||||
%{_mandir}/man5/ssh_config.5.gz
|
||||
|
||||
%Files server
|
||||
%defattr(-,root,root)
|
||||
%dir %{_var}/empty/sshd
|
||||
%config %{SVIdir}/sshd
|
||||
%config /etc/pam.d/sshd
|
||||
%config %{_sysconfdir}/moduli
|
||||
%config %{_sysconfdir}/sshd_config
|
||||
%config %{SVIcdir}/sshd
|
||||
%{_libexecdir}/sftp-server
|
||||
%{_sbindir}/sshd
|
||||
%{_mandir}/man5/sshd_config.5.gz
|
||||
%{_mandir}/man8/sftp-server.8.gz
|
||||
%{_mandir}/man8/sshd.8.gz
|
||||
|
||||
%Files askpass
|
||||
%defattr(-,root,root)
|
||||
%{_libexecdir}/ssh-askpass
|
||||
%{_libexecdir}/x11-ssh-askpass
|
||||
%{_defaultdocdir}/%{name}-%{version}/%{askpass}
|
||||
|
||||
|
||||
%ChangeLog
|
||||
* Mon Jan 01 1998 ...
|
||||
Template Version: 1.31
|
||||
|
||||
$Id: openssh.spec,v 1.60 2007/03/06 10:23:27 djm Exp $
|
36
contrib/caldera/ssh-host-keygen
Executable file
36
contrib/caldera/ssh-host-keygen
Executable file
@ -0,0 +1,36 @@
|
||||
#! /bin/sh
|
||||
#
|
||||
# $Id: ssh-host-keygen,v 1.2 2003/11/21 12:48:57 djm Exp $
|
||||
#
|
||||
# This script is normally run only *once* for a given host
|
||||
# (in a given period of time) -- on updates/upgrades/recovery
|
||||
# the ssh_host_key* files _should_ be retained! Otherwise false
|
||||
# "man-in-the-middle-attack" alerts will frighten unsuspecting
|
||||
# clients...
|
||||
|
||||
keydir=@sysconfdir@
|
||||
keygen=@sshkeygen@
|
||||
|
||||
if [ -f $keydir/ssh_host_key -o \
|
||||
-f $keydir/ssh_host_key.pub ]; then
|
||||
echo "You already have an SSH1 RSA host key in $keydir/ssh_host_key."
|
||||
else
|
||||
echo "Generating 1024 bit SSH1 RSA host key."
|
||||
$keygen -b 1024 -t rsa1 -f $keydir/ssh_host_key -C '' -N ''
|
||||
fi
|
||||
|
||||
if [ -f $keydir/ssh_host_rsa_key -o \
|
||||
-f $keydir/ssh_host_rsa_key.pub ]; then
|
||||
echo "You already have an SSH2 RSA host key in $keydir/ssh_host_rsa_key."
|
||||
else
|
||||
echo "Generating 1024 bit SSH2 RSA host key."
|
||||
$keygen -b 1024 -t rsa -f $keydir/ssh_host_rsa_key -C '' -N ''
|
||||
fi
|
||||
|
||||
if [ -f $keydir/ssh_host_dsa_key -o \
|
||||
-f $keydir/ssh_host_dsa_key.pub ]; then
|
||||
echo "You already have an SSH2 DSA host key in $keydir/ssh_host_dsa_key."
|
||||
else
|
||||
echo "Generating SSH2 DSA host key."
|
||||
$keygen -t dsa -f $keydir/ssh_host_dsa_key -C '' -N ''
|
||||
fi
|
125
contrib/caldera/sshd.init
Executable file
125
contrib/caldera/sshd.init
Executable file
@ -0,0 +1,125 @@
|
||||
#! /bin/bash
|
||||
#
|
||||
# $Id: sshd.init,v 1.4 2003/11/21 12:48:57 djm Exp $
|
||||
#
|
||||
### BEGIN INIT INFO
|
||||
# Provides:
|
||||
# Required-Start: $network
|
||||
# Required-Stop:
|
||||
# Default-Start: 3 4 5
|
||||
# Default-Stop: 0 1 2 6
|
||||
# Description: sshd
|
||||
# Bring up/down the OpenSSH secure shell daemon.
|
||||
### END INIT INFO
|
||||
#
|
||||
# Written by Miquel van Smoorenburg <miquels@drinkel.ow.org>.
|
||||
# Modified for Debian GNU/Linux by Ian Murdock <imurdock@gnu.ai.mit.edu>.
|
||||
# Modified for OpenLinux by Raymund Will <ray@caldera.de>
|
||||
|
||||
NAME=sshd
|
||||
DAEMON=/usr/sbin/$NAME
|
||||
# Hack-Alert(TM)! This is necessary to get around the 'reload'-problem
|
||||
# created by recent OpenSSH daemon/ssd combinations. See Caldera internal
|
||||
# PR [linux/8278] for details...
|
||||
PIDF=/var/run/$NAME.pid
|
||||
NAME=$DAEMON
|
||||
|
||||
_status() {
|
||||
[ -z "$1" ] || local pidf="$1"
|
||||
local ret=-1
|
||||
local pid
|
||||
if [ -n "$pidf" ] && [ -r "$pidf" ]; then
|
||||
pid=$(head -1 $pidf)
|
||||
else
|
||||
pid=$(pidof $NAME)
|
||||
fi
|
||||
|
||||
if [ ! -e $SVIlock ]; then
|
||||
# no lock-file => not started == stopped?
|
||||
ret=3
|
||||
elif [ -n "$pidf" -a ! -f "$pidf" ] || [ -z "$pid" ]; then
|
||||
# pid-file given but not present or no pid => died, but was not stopped
|
||||
ret=2
|
||||
elif [ -r /proc/$pid/cmdline ] &&
|
||||
echo -ne $NAME'\000' | cmp -s - /proc/$pid/cmdline; then
|
||||
# pid-file given and present or pid found => check process...
|
||||
# but don't compare exe, as this will fail after an update!
|
||||
# compares OK => all's well, that ends well...
|
||||
ret=0
|
||||
else
|
||||
# no such process or exe does not match => stale pid-file or process died
|
||||
# just recently...
|
||||
ret=1
|
||||
fi
|
||||
return $ret
|
||||
}
|
||||
|
||||
# Source function library (and set vital variables).
|
||||
. @SVIdir@/functions
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
[ ! -e $SVIlock ] || exit 0
|
||||
[ -x $DAEMON ] || exit 5
|
||||
SVIemptyConfig @sysconfdir@/sshd_config && exit 6
|
||||
|
||||
if [ ! \( -f @sysconfdir@/ssh_host_key -a \
|
||||
-f @sysconfdir@/ssh_host_key.pub \) -a \
|
||||
! \( -f @sysconfdir@/ssh_host_rsa_key -a \
|
||||
-f @sysconfdir@/ssh_host_rsa_key.pub \) -a \
|
||||
! \( -f @sysconfdir@/ssh_host_dsa_key -a \
|
||||
-f @sysconfdir@/ssh_host_dsa_key.pub \) ]; then
|
||||
|
||||
echo "$SVIsubsys: host key not initialized: skipped!"
|
||||
echo "$SVIsubsys: use ssh-host-keygen to generate one!"
|
||||
exit 6
|
||||
fi
|
||||
|
||||
echo -n "Starting $SVIsubsys services: "
|
||||
ssd -S -x $DAEMON -n $NAME -- $OPTIONS
|
||||
ret=$?
|
||||
|
||||
echo "."
|
||||
touch $SVIlock
|
||||
;;
|
||||
|
||||
stop)
|
||||
[ -e $SVIlock ] || exit 0
|
||||
|
||||
echo -n "Stopping $SVIsubsys services: "
|
||||
ssd -K -p $PIDF -n $NAME
|
||||
ret=$?
|
||||
|
||||
echo "."
|
||||
rm -f $SVIlock
|
||||
;;
|
||||
|
||||
force-reload|reload)
|
||||
[ -e $SVIlock ] || exit 0
|
||||
|
||||
echo "Reloading $SVIsubsys configuration files: "
|
||||
ssd -K --signal 1 -q -p $PIDF -n $NAME
|
||||
ret=$?
|
||||
echo "done."
|
||||
;;
|
||||
|
||||
restart)
|
||||
$0 stop
|
||||
$0 start
|
||||
ret=$?
|
||||
;;
|
||||
|
||||
status)
|
||||
_status $PIDF
|
||||
ret=$?
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "Usage: $SVIscript {[re]start|stop|[force-]reload|status}"
|
||||
ret=2
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
exit $ret
|
||||
|
8
contrib/caldera/sshd.pam
Normal file
8
contrib/caldera/sshd.pam
Normal file
@ -0,0 +1,8 @@
|
||||
#%PAM-1.0
|
||||
auth required /lib/security/pam_pwdb.so shadow nodelay
|
||||
auth required /lib/security/pam_nologin.so
|
||||
account required /lib/security/pam_pwdb.so
|
||||
password required /lib/security/pam_cracklib.so
|
||||
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
|
||||
session required /lib/security/pam_pwdb.so
|
||||
session required /lib/security/pam_limits.so
|
56
contrib/cygwin/Makefile
Normal file
56
contrib/cygwin/Makefile
Normal file
@ -0,0 +1,56 @@
|
||||
srcdir=../..
|
||||
prefix=/usr
|
||||
exec_prefix=$(prefix)
|
||||
bindir=$(prefix)/bin
|
||||
datadir=$(prefix)/share
|
||||
docdir=$(datadir)/doc
|
||||
sshdocdir=$(docdir)/openssh
|
||||
cygdocdir=$(docdir)/Cygwin
|
||||
sysconfdir=/etc
|
||||
defaultsdir=$(sysconfdir)/defaults/etc
|
||||
PRIVSEP_PATH=/var/empty
|
||||
INSTALL=/usr/bin/install -c
|
||||
|
||||
DESTDIR=
|
||||
|
||||
all:
|
||||
@echo
|
||||
@echo "Use \`make cygwin-postinstall DESTDIR=[package directory]'"
|
||||
@echo "Be sure having DESTDIR set correctly!"
|
||||
@echo
|
||||
|
||||
move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/sshd_config
|
||||
$(srcdir)/mkinstalldirs $(DESTDIR)$(defaultsdir)
|
||||
mv $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(defaultsdir)
|
||||
mv $(DESTDIR)$(sysconfdir)/sshd_config $(DESTDIR)$(defaultsdir)
|
||||
|
||||
remove-empty-dir:
|
||||
rm -rf $(DESTDIR)$(PRIVSEP_PATH)
|
||||
|
||||
install-sshdoc:
|
||||
$(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir)
|
||||
$(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS
|
||||
$(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog
|
||||
$(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE
|
||||
$(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
|
||||
$(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
|
||||
$(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
|
||||
$(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
|
||||
$(INSTALL) -m 644 $(srcdir)/README.smartcard $(DESTDIR)$(sshdocdir)/README.smartcard
|
||||
$(INSTALL) -m 644 $(srcdir)/RFC.nroff $(DESTDIR)$(sshdocdir)/RFC.nroff
|
||||
$(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
|
||||
$(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG
|
||||
|
||||
install-cygwindoc: README
|
||||
$(srcdir)/mkinstalldirs $(DESTDIR)$(cygdocdir)
|
||||
$(INSTALL) -m 644 README $(DESTDIR)$(cygdocdir)/openssh.README
|
||||
|
||||
install-doc: install-sshdoc install-cygwindoc
|
||||
|
||||
install-scripts: ssh-host-config ssh-user-config
|
||||
$(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
|
||||
$(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config
|
||||
$(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config
|
||||
|
||||
cygwin-postinstall: move-config-files remove-empty-dir install-doc install-scripts
|
||||
@echo "Cygwin specific configuration finished."
|
233
contrib/cygwin/README
Normal file
233
contrib/cygwin/README
Normal file
@ -0,0 +1,233 @@
|
||||
This package describes important Cygwin specific stuff concerning OpenSSH.
|
||||
|
||||
The binary package is usually built for recent Cygwin versions and might
|
||||
not run on older versions. Please check http://cygwin.com/ for information
|
||||
about current Cygwin releases.
|
||||
|
||||
Build instructions are at the end of the file.
|
||||
|
||||
===========================================================================
|
||||
Important change since 3.7.1p2-2:
|
||||
|
||||
The ssh-host-config file doesn't create the /etc/ssh_config and
|
||||
/etc/sshd_config files from builtin here-scripts anymore, but it uses
|
||||
skeleton files installed in /etc/defaults/etc.
|
||||
|
||||
Also it now tries hard to create appropriate permissions on files.
|
||||
Same applies for ssh-user-config.
|
||||
|
||||
After creating the sshd service with ssh-host-config, it's advisable to
|
||||
call ssh-user-config for all affected users, also already exising user
|
||||
configurations. In the latter case, file and directory permissions are
|
||||
checked and changed, if requireed to match the host configuration.
|
||||
|
||||
Important note for Windows 2003 Server users:
|
||||
---------------------------------------------
|
||||
|
||||
2003 Server has a funny new feature. When starting services under SYSTEM
|
||||
account, these services have nearly all user rights which SYSTEM holds...
|
||||
except for the "Create a token object" right, which is needed to allow
|
||||
public key authentication :-(
|
||||
|
||||
There's no way around this, except for creating a substitute account which
|
||||
has the appropriate privileges. Basically, this account should be member
|
||||
of the administrators group, plus it should have the following user rights:
|
||||
|
||||
Create a token object
|
||||
Logon as a service
|
||||
Replace a process level token
|
||||
Increase Quota
|
||||
|
||||
The ssh-host-config script asks you, if it should create such an account,
|
||||
called "sshd_server". If you say "no" here, you're on your own. Please
|
||||
follow the instruction in ssh-host-config exactly if possible. Note that
|
||||
ssh-user-config sets the permissions on 2003 Server machines dependent of
|
||||
whether a sshd_server account exists or not.
|
||||
===========================================================================
|
||||
|
||||
===========================================================================
|
||||
Important change since 3.4p1-2:
|
||||
|
||||
This version adds privilege separation as default setting, see
|
||||
/usr/doc/openssh/README.privsep. According to that document the
|
||||
privsep feature requires a non-privileged account called 'sshd'.
|
||||
|
||||
The new ssh-host-config file which is part of this version asks
|
||||
to create 'sshd' as local user if you want to use privilege
|
||||
separation. If you confirm, it creates that NT user and adds
|
||||
the necessary entry to /etc/passwd.
|
||||
|
||||
On 9x/Me systems the script just sets UsePrivilegeSeparation to "no"
|
||||
since that feature doesn't make any sense on a system which doesn't
|
||||
differ between privileged and unprivileged users.
|
||||
|
||||
The new ssh-host-config script also adds the /var/empty directory
|
||||
needed by privilege separation. When creating the /var/empty directory
|
||||
by yourself, please note that in contrast to the README.privsep document
|
||||
the owner sshould not be "root" but the user which is running sshd. So,
|
||||
in the standard configuration this is SYSTEM. The ssh-host-config script
|
||||
chowns /var/empty accordingly.
|
||||
===========================================================================
|
||||
|
||||
===========================================================================
|
||||
Important change since 3.0.1p1-2:
|
||||
|
||||
This version introduces the ability to register sshd as service on
|
||||
Windows 9x/Me systems. This is done only when the options -D and/or
|
||||
-d are not given.
|
||||
===========================================================================
|
||||
|
||||
===========================================================================
|
||||
Important change since 2.9p2:
|
||||
|
||||
Since Cygwin is able to switch user context without password beginning
|
||||
with version 1.3.2, OpenSSH now allows to do so when it's running under
|
||||
a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
|
||||
allow that feature.
|
||||
===========================================================================
|
||||
|
||||
===========================================================================
|
||||
Important change since 2.3.0p1:
|
||||
|
||||
When using `ntea' or `ntsec' you now have to care for the ownership
|
||||
and permission bits of your host key files and your private key files.
|
||||
The host key files have to be owned by the NT account which starts
|
||||
sshd. The user key files have to be owned by the user. The permission
|
||||
bits of the private key files (host and user) have to be at least
|
||||
rw------- (0600)!
|
||||
|
||||
Note that this is forced under `ntsec' only if the files are on a NTFS
|
||||
filesystem (which is recommended) due to the lack of any basic security
|
||||
features of the FAT/FAT32 filesystems.
|
||||
===========================================================================
|
||||
|
||||
If you are installing OpenSSH the first time, you can generate global config
|
||||
files and server keys by running
|
||||
|
||||
/usr/bin/ssh-host-config
|
||||
|
||||
Note that this binary archive doesn't contain default config files in /etc.
|
||||
That files are only created if ssh-host-config is started.
|
||||
|
||||
If you are updating your installation you may run the above ssh-host-config
|
||||
as well to move your configuration files to the new location and to
|
||||
erase the files at the old location.
|
||||
|
||||
To support testing and unattended installation ssh-host-config got
|
||||
some options:
|
||||
|
||||
usage: ssh-host-config [OPTION]...
|
||||
Options:
|
||||
--debug -d Enable shell's debug output.
|
||||
--yes -y Answer all questions with "yes" automatically.
|
||||
--no -n Answer all questions with "no" automatically.
|
||||
--cygwin -c <options> Use "options" as value for CYGWIN environment var.
|
||||
--port -p <n> sshd listens on port n.
|
||||
--pwd -w <passwd> Use "pwd" as password for user 'sshd_server'.
|
||||
|
||||
Additionally ssh-host-config now asks if it should install sshd as a
|
||||
service when running under NT/W2K. This requires cygrunsrv installed.
|
||||
|
||||
You can create the private and public keys for a user now by running
|
||||
|
||||
/usr/bin/ssh-user-config
|
||||
|
||||
under the users account.
|
||||
|
||||
To support testing and unattended installation ssh-user-config got
|
||||
some options as well:
|
||||
|
||||
usage: ssh-user-config [OPTION]...
|
||||
Options:
|
||||
--debug -d Enable shell's debug output.
|
||||
--yes -y Answer all questions with "yes" automatically.
|
||||
--no -n Answer all questions with "no" automatically.
|
||||
--passphrase -p word Use "word" as passphrase automatically.
|
||||
|
||||
Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd
|
||||
(results in very slow deamon startup!) or from the command line (recommended
|
||||
on 9X/ME).
|
||||
|
||||
If you start sshd as deamon via cygrunsrv.exe you MUST give the
|
||||
"-D" option to sshd. Otherwise the service can't get started at all.
|
||||
|
||||
If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
|
||||
following line to your inetd.conf file:
|
||||
|
||||
ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i
|
||||
|
||||
Moreover you'll have to add the following line to your
|
||||
${SYSTEMROOT}/system32/drivers/etc/services file:
|
||||
|
||||
ssh 22/tcp #SSH daemon
|
||||
|
||||
Please note that OpenSSH does never use the value of $HOME to
|
||||
search for the users configuration files! It always uses the
|
||||
value of the pw_dir field in /etc/passwd as the home directory.
|
||||
If no home diretory is set in /etc/passwd, the root directory
|
||||
is used instead!
|
||||
|
||||
You may use all features of the CYGWIN=ntsec setting the same
|
||||
way as they are used by Cygwin's login(1) port:
|
||||
|
||||
The pw_gecos field may contain an additional field, that begins
|
||||
with (upper case!) "U-", followed by the domain and the username
|
||||
separated by a backslash.
|
||||
CAUTION: The SID _must_ remain the _last_ field in pw_gecos!
|
||||
BTW: The field separator in pw_gecos is the comma.
|
||||
The username in pw_name itself may be any nice name:
|
||||
|
||||
domuser::1104:513:John Doe,U-domain\user,S-1-5-21-...
|
||||
|
||||
Now you may use `domuser' as your login name with telnet!
|
||||
This is possible additionally for local users, if you don't like
|
||||
your NT login name ;-) You only have to leave out the domain:
|
||||
|
||||
locuser::1104:513:John Doe,U-user,S-1-5-21-...
|
||||
|
||||
Note that the CYGWIN=ntsec setting is required for public key authentication.
|
||||
|
||||
SSH2 server and user keys are generated by the `ssh-*-config' scripts
|
||||
as well.
|
||||
|
||||
If you want to build from source, the following options to
|
||||
configure are used for the Cygwin binary distribution:
|
||||
|
||||
--prefix=/usr \
|
||||
--sysconfdir=/etc \
|
||||
--libexecdir='${sbindir}' \
|
||||
--localstatedir=/var \
|
||||
--datadir='${prefix}/share' \
|
||||
--mandir='${datadir}/man' \
|
||||
--infodir='${datadir}/info'
|
||||
--with-tcp-wrappers
|
||||
|
||||
If you want to create a Cygwin package, equivalent to the one
|
||||
in the Cygwin binary distribution, install like this:
|
||||
|
||||
mkdir /tmp/cygwin-ssh
|
||||
cd ${builddir}
|
||||
make install DESTDIR=/tmp/cygwin-ssh
|
||||
cd ${srcdir}/contrib/cygwin
|
||||
make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh
|
||||
cd /tmp/cygwin-ssh
|
||||
find * \! -type d | tar cvjfT my-openssh.tar.bz2 -
|
||||
|
||||
You must have installed the following packages to be able to build OpenSSH:
|
||||
|
||||
- zlib
|
||||
- openssl-devel
|
||||
- minires-devel
|
||||
|
||||
If you want to build with --with-tcp-wrappers, you also need the package
|
||||
|
||||
- tcp_wrappers
|
||||
|
||||
Please send requests, error reports etc. to cygwin@cygwin.com.
|
||||
|
||||
|
||||
Have fun,
|
||||
|
||||
Corinna Vinschen
|
||||
Cygwin Developer
|
||||
Red Hat Inc.
|
611
contrib/cygwin/ssh-host-config
Normal file
611
contrib/cygwin/ssh-host-config
Normal file
@ -0,0 +1,611 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
|
||||
#
|
||||
# This file is part of the Cygwin port of OpenSSH.
|
||||
|
||||
# Subdirectory where the new package is being installed
|
||||
PREFIX=/usr
|
||||
|
||||
# Directory where the config files are stored
|
||||
SYSCONFDIR=/etc
|
||||
LOCALSTATEDIR=/var
|
||||
|
||||
progname=$0
|
||||
auto_answer=""
|
||||
port_number=22
|
||||
|
||||
privsep_configured=no
|
||||
privsep_used=yes
|
||||
sshd_in_passwd=no
|
||||
sshd_in_sam=no
|
||||
|
||||
request()
|
||||
{
|
||||
if [ "${auto_answer}" = "yes" ]
|
||||
then
|
||||
echo "$1 (yes/no) yes"
|
||||
return 0
|
||||
elif [ "${auto_answer}" = "no" ]
|
||||
then
|
||||
echo "$1 (yes/no) no"
|
||||
return 1
|
||||
fi
|
||||
|
||||
answer=""
|
||||
while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
|
||||
do
|
||||
echo -n "$1 (yes/no) "
|
||||
read -e answer
|
||||
done
|
||||
if [ "X${answer}" = "Xyes" ]
|
||||
then
|
||||
return 0
|
||||
else
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
# Check options
|
||||
|
||||
while :
|
||||
do
|
||||
case $# in
|
||||
0)
|
||||
break
|
||||
;;
|
||||
esac
|
||||
|
||||
option=$1
|
||||
shift
|
||||
|
||||
case "${option}" in
|
||||
-d | --debug )
|
||||
set -x
|
||||
;;
|
||||
|
||||
-y | --yes )
|
||||
auto_answer=yes
|
||||
;;
|
||||
|
||||
-n | --no )
|
||||
auto_answer=no
|
||||
;;
|
||||
|
||||
-c | --cygwin )
|
||||
cygwin_value="$1"
|
||||
shift
|
||||
;;
|
||||
|
||||
-p | --port )
|
||||
port_number=$1
|
||||
shift
|
||||
;;
|
||||
|
||||
-w | --pwd )
|
||||
password_value="$1"
|
||||
shift
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "usage: ${progname} [OPTION]..."
|
||||
echo
|
||||
echo "This script creates an OpenSSH host configuration."
|
||||
echo
|
||||
echo "Options:"
|
||||
echo " --debug -d Enable shell's debug output."
|
||||
echo " --yes -y Answer all questions with \"yes\" automatically."
|
||||
echo " --no -n Answer all questions with \"no\" automatically."
|
||||
echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
|
||||
echo " --port -p <n> sshd listens on port n."
|
||||
echo " --pwd -w <passwd> Use \"pwd\" as password for user 'sshd_server'."
|
||||
echo
|
||||
exit 1
|
||||
;;
|
||||
|
||||
esac
|
||||
done
|
||||
|
||||
# Check if running on NT
|
||||
_sys="`uname`"
|
||||
_nt=`expr "${_sys}" : "CYGWIN_NT"`
|
||||
# If running on NT, check if running under 2003 Server or later
|
||||
if [ ${_nt} -gt 0 ]
|
||||
then
|
||||
_nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
|
||||
fi
|
||||
|
||||
# Check for running ssh/sshd processes first. Refuse to do anything while
|
||||
# some ssh processes are still running
|
||||
|
||||
if ps -ef | grep -v grep | grep -q ssh
|
||||
then
|
||||
echo
|
||||
echo "There are still ssh processes running. Please shut them down first."
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Check for ${SYSCONFDIR} directory
|
||||
|
||||
if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
|
||||
then
|
||||
echo
|
||||
echo "${SYSCONFDIR} is existant but not a directory."
|
||||
echo "Cannot create global configuration files."
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Create it if necessary
|
||||
|
||||
if [ ! -e "${SYSCONFDIR}" ]
|
||||
then
|
||||
mkdir "${SYSCONFDIR}"
|
||||
if [ ! -e "${SYSCONFDIR}" ]
|
||||
then
|
||||
echo
|
||||
echo "Creating ${SYSCONFDIR} directory failed"
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
# Create /var/log and /var/log/lastlog if not already existing
|
||||
|
||||
if [ -e ${LOCALSTATEDIR}/log -a ! -d ${LOCALSTATEDIR}/log ]
|
||||
then
|
||||
echo
|
||||
echo "${LOCALSTATEDIR}/log is existant but not a directory."
|
||||
echo "Cannot create ssh host configuration."
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
if [ ! -e ${LOCALSTATEDIR}/log ]
|
||||
then
|
||||
mkdir -p ${LOCALSTATEDIR}/log
|
||||
fi
|
||||
|
||||
if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
|
||||
then
|
||||
echo
|
||||
echo "${LOCALSTATEDIR}/log/lastlog exists, but is not a file."
|
||||
echo "Cannot create ssh host configuration."
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
|
||||
then
|
||||
cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
|
||||
chmod 644 ${LOCALSTATEDIR}/log/lastlog
|
||||
fi
|
||||
|
||||
# Create /var/empty file used as chroot jail for privilege separation
|
||||
if [ -f ${LOCALSTATEDIR}/empty ]
|
||||
then
|
||||
echo "Creating ${LOCALSTATEDIR}/empty failed!"
|
||||
else
|
||||
mkdir -p ${LOCALSTATEDIR}/empty
|
||||
if [ ${_nt} -gt 0 ]
|
||||
then
|
||||
chmod 755 ${LOCALSTATEDIR}/empty
|
||||
fi
|
||||
fi
|
||||
|
||||
# First generate host keys if not already existing
|
||||
|
||||
if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
|
||||
then
|
||||
echo "Generating ${SYSCONFDIR}/ssh_host_key"
|
||||
ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
|
||||
fi
|
||||
|
||||
if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
|
||||
then
|
||||
echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
|
||||
ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
|
||||
fi
|
||||
|
||||
if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
|
||||
then
|
||||
echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
|
||||
ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
|
||||
fi
|
||||
|
||||
# Check if ssh_config exists. If yes, ask for overwriting
|
||||
|
||||
if [ -f "${SYSCONFDIR}/ssh_config" ]
|
||||
then
|
||||
if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
|
||||
then
|
||||
rm -f "${SYSCONFDIR}/ssh_config"
|
||||
if [ -f "${SYSCONFDIR}/ssh_config" ]
|
||||
then
|
||||
echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
# Create default ssh_config from skeleton file in /etc/defaults/etc
|
||||
|
||||
if [ ! -f "${SYSCONFDIR}/ssh_config" ]
|
||||
then
|
||||
echo "Generating ${SYSCONFDIR}/ssh_config file"
|
||||
cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
|
||||
if [ "${port_number}" != "22" ]
|
||||
then
|
||||
echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
|
||||
echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
|
||||
fi
|
||||
fi
|
||||
|
||||
# Check if sshd_config exists. If yes, ask for overwriting
|
||||
|
||||
if [ -f "${SYSCONFDIR}/sshd_config" ]
|
||||
then
|
||||
if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
|
||||
then
|
||||
rm -f "${SYSCONFDIR}/sshd_config"
|
||||
if [ -f "${SYSCONFDIR}/sshd_config" ]
|
||||
then
|
||||
echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
|
||||
fi
|
||||
else
|
||||
grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
|
||||
fi
|
||||
fi
|
||||
|
||||
# Prior to creating or modifying sshd_config, care for privilege separation
|
||||
|
||||
if [ "${privsep_configured}" != "yes" ]
|
||||
then
|
||||
if [ ${_nt} -gt 0 ]
|
||||
then
|
||||
echo "Privilege separation is set to yes by default since OpenSSH 3.3."
|
||||
echo "However, this requires a non-privileged account called 'sshd'."
|
||||
echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
|
||||
echo
|
||||
if request "Should privilege separation be used?"
|
||||
then
|
||||
privsep_used=yes
|
||||
grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
|
||||
net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
|
||||
if [ "${sshd_in_passwd}" != "yes" ]
|
||||
then
|
||||
if [ "${sshd_in_sam}" != "yes" ]
|
||||
then
|
||||
echo "Warning: The following function requires administrator privileges!"
|
||||
if request "Should this script create a local user 'sshd' on this machine?"
|
||||
then
|
||||
dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
|
||||
net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
|
||||
if [ "${sshd_in_sam}" != "yes" ]
|
||||
then
|
||||
echo "Warning: Creating the user 'sshd' failed!"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
if [ "${sshd_in_sam}" != "yes" ]
|
||||
then
|
||||
echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
|
||||
echo " Privilege separation set to 'no' again!"
|
||||
echo " Check your ${SYSCONFDIR}/sshd_config file!"
|
||||
privsep_used=no
|
||||
else
|
||||
mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
|
||||
fi
|
||||
fi
|
||||
else
|
||||
privsep_used=no
|
||||
fi
|
||||
else
|
||||
# On 9x don't use privilege separation. Since security isn't
|
||||
# available it just adds useless additional processes.
|
||||
privsep_used=no
|
||||
fi
|
||||
fi
|
||||
|
||||
# Create default sshd_config from skeleton files in /etc/defaults/etc or
|
||||
# modify to add the missing privsep configuration option
|
||||
|
||||
if [ ! -f "${SYSCONFDIR}/sshd_config" ]
|
||||
then
|
||||
echo "Generating ${SYSCONFDIR}/sshd_config file"
|
||||
sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
|
||||
s/^#Port 22/Port ${port_number}/
|
||||
s/^#StrictModes yes/StrictModes no/" \
|
||||
< ${SYSCONFDIR}/defaults/etc/sshd_config \
|
||||
> ${SYSCONFDIR}/sshd_config
|
||||
elif [ "${privsep_configured}" != "yes" ]
|
||||
then
|
||||
echo >> ${SYSCONFDIR}/sshd_config
|
||||
echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
|
||||
fi
|
||||
|
||||
# Care for services file
|
||||
_my_etcdir="/ssh-host-config.$$"
|
||||
if [ ${_nt} -gt 0 ]
|
||||
then
|
||||
_win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
|
||||
_services="${_my_etcdir}/services"
|
||||
# On NT, 27 spaces, no space after the hash
|
||||
_spaces=" #"
|
||||
else
|
||||
_win_etcdir="${WINDIR}"
|
||||
_services="${_my_etcdir}/SERVICES"
|
||||
# On 9x, 18 spaces (95 is very touchy), a space after the hash
|
||||
_spaces=" # "
|
||||
fi
|
||||
_serv_tmp="${_my_etcdir}/srv.out.$$"
|
||||
|
||||
mount -t -f "${_win_etcdir}" "${_my_etcdir}"
|
||||
|
||||
# Depends on the above mount
|
||||
_wservices=`cygpath -w "${_services}"`
|
||||
|
||||
# Remove sshd 22/port from services
|
||||
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
|
||||
then
|
||||
grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
|
||||
if [ -f "${_serv_tmp}" ]
|
||||
then
|
||||
if mv "${_serv_tmp}" "${_services}"
|
||||
then
|
||||
echo "Removing sshd from ${_wservices}"
|
||||
else
|
||||
echo "Removing sshd from ${_wservices} failed!"
|
||||
fi
|
||||
rm -f "${_serv_tmp}"
|
||||
else
|
||||
echo "Removing sshd from ${_wservices} failed!"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Add ssh 22/tcp and ssh 22/udp to services
|
||||
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
|
||||
then
|
||||
if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
|
||||
then
|
||||
if mv "${_serv_tmp}" "${_services}"
|
||||
then
|
||||
echo "Added ssh to ${_wservices}"
|
||||
else
|
||||
echo "Adding ssh to ${_wservices} failed!"
|
||||
fi
|
||||
rm -f "${_serv_tmp}"
|
||||
else
|
||||
echo "WARNING: Adding ssh to ${_wservices} failed!"
|
||||
fi
|
||||
fi
|
||||
|
||||
umount "${_my_etcdir}"
|
||||
|
||||
# Care for inetd.conf file
|
||||
_inetcnf="${SYSCONFDIR}/inetd.conf"
|
||||
_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
|
||||
|
||||
if [ -f "${_inetcnf}" ]
|
||||
then
|
||||
# Check if ssh service is already in use as sshd
|
||||
with_comment=1
|
||||
grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
|
||||
# Remove sshd line from inetd.conf
|
||||
if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
|
||||
then
|
||||
grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
|
||||
if [ -f "${_inetcnf_tmp}" ]
|
||||
then
|
||||
if mv "${_inetcnf_tmp}" "${_inetcnf}"
|
||||
then
|
||||
echo "Removed sshd from ${_inetcnf}"
|
||||
else
|
||||
echo "Removing sshd from ${_inetcnf} failed!"
|
||||
fi
|
||||
rm -f "${_inetcnf_tmp}"
|
||||
else
|
||||
echo "Removing sshd from ${_inetcnf} failed!"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Add ssh line to inetd.conf
|
||||
if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
|
||||
then
|
||||
if [ "${with_comment}" -eq 0 ]
|
||||
then
|
||||
echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
|
||||
else
|
||||
echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
|
||||
fi
|
||||
echo "Added ssh to ${_inetcnf}"
|
||||
fi
|
||||
fi
|
||||
|
||||
# On NT ask if sshd should be installed as service
|
||||
if [ ${_nt} -gt 0 ]
|
||||
then
|
||||
# But only if it is not already installed
|
||||
if ! cygrunsrv -Q sshd > /dev/null 2>&1
|
||||
then
|
||||
echo
|
||||
echo
|
||||
echo "Warning: The following functions require administrator privileges!"
|
||||
echo
|
||||
echo "Do you want to install sshd as service?"
|
||||
if request "(Say \"no\" if it's already installed as service)"
|
||||
then
|
||||
if [ $_nt2003 -gt 0 ]
|
||||
then
|
||||
grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
|
||||
if [ "${sshd_server_in_passwd}" = "yes" ]
|
||||
then
|
||||
# Drop sshd_server from passwd since it could have wrong settings
|
||||
grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
|
||||
rm -f ${SYSCONFDIR}/passwd
|
||||
mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
|
||||
chmod g-w,o-w ${SYSCONFDIR}/passwd
|
||||
fi
|
||||
net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
|
||||
if [ "${sshd_server_in_sam}" != "yes" ]
|
||||
then
|
||||
echo
|
||||
echo "You appear to be running Windows 2003 Server or later. On 2003 and"
|
||||
echo "later systems, it's not possible to use the LocalSystem account"
|
||||
echo "if sshd should allow passwordless logon (e. g. public key authentication)."
|
||||
echo "If you want to enable that functionality, it's required to create a new"
|
||||
echo "account 'sshd_server' with special privileges, which is then used to run"
|
||||
echo "the sshd service under."
|
||||
echo
|
||||
echo "Should this script create a new local account 'sshd_server' which has"
|
||||
if request "the required privileges?"
|
||||
then
|
||||
_admingroup=`mkgroup -l | awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' `
|
||||
if [ -z "${_admingroup}" ]
|
||||
then
|
||||
echo "mkgroup -l produces no group with SID S-1-5-32-544 (Local administrators group)."
|
||||
exit 1
|
||||
fi
|
||||
dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
|
||||
while [ "${sshd_server_in_sam}" != "yes" ]
|
||||
do
|
||||
if [ -n "${password_value}" ]
|
||||
then
|
||||
_password="${password_value}"
|
||||
# Allow to ask for password if first try fails
|
||||
password_value=""
|
||||
else
|
||||
echo
|
||||
echo "Please enter a password for new user 'sshd_server'. Please be sure that"
|
||||
echo "this password matches the password rules given on your system."
|
||||
echo -n "Entering no password will exit the configuration. PASSWORD="
|
||||
read -e _password
|
||||
if [ -z "${_password}" ]
|
||||
then
|
||||
echo
|
||||
echo "Exiting configuration. No user sshd_server has been created,"
|
||||
echo "no sshd service installed."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
|
||||
if [ "${sshd_server_in_sam}" != "yes" ]
|
||||
then
|
||||
echo "Creating the user 'sshd_server' failed! Reason:"
|
||||
cat /tmp/nu.$$
|
||||
rm /tmp/nu.$$
|
||||
fi
|
||||
done
|
||||
net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
|
||||
if [ "${sshd_server_in_admingroup}" != "yes" ]
|
||||
then
|
||||
echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
|
||||
echo "Please add sshd_server to local group ${_admingroup} before"
|
||||
echo "starting the sshd service!"
|
||||
echo
|
||||
fi
|
||||
passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
|
||||
if [ "${passwd_has_expiry_flags}" != "yes" ]
|
||||
then
|
||||
echo
|
||||
echo "WARNING: User sshd_server has password expiry set to system default."
|
||||
echo "Please check that password never expires or set it to your needs."
|
||||
elif ! passwd -e sshd_server
|
||||
then
|
||||
echo
|
||||
echo "WARNING: Setting password expiry for user sshd_server failed!"
|
||||
echo "Please check that password never expires or set it to your needs."
|
||||
fi
|
||||
editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
|
||||
editrights -a SeCreateTokenPrivilege -u sshd_server &&
|
||||
editrights -a SeTcbPrivilege -u sshd_server &&
|
||||
editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
|
||||
editrights -a SeDenyNetworkLogonRight -u sshd_server &&
|
||||
editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
|
||||
editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
|
||||
editrights -a SeServiceLogonRight -u sshd_server &&
|
||||
sshd_server_got_all_rights="yes"
|
||||
if [ "${sshd_server_got_all_rights}" != "yes" ]
|
||||
then
|
||||
echo
|
||||
echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
|
||||
echo "Can't create sshd service!"
|
||||
exit 1
|
||||
fi
|
||||
echo
|
||||
echo "User 'sshd_server' has been created with password '${_password}'."
|
||||
echo "If you change the password, please keep in mind to change the password"
|
||||
echo "for the sshd service, too."
|
||||
echo
|
||||
echo "Also keep in mind that the user sshd_server needs read permissions on all"
|
||||
echo "users' .ssh/authorized_keys file to allow public key authentication for"
|
||||
echo "these users!. (Re-)running ssh-user-config for each user will set the"
|
||||
echo "required permissions correctly."
|
||||
echo
|
||||
fi
|
||||
fi
|
||||
if [ "${sshd_server_in_sam}" = "yes" ]
|
||||
then
|
||||
mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
|
||||
fi
|
||||
fi
|
||||
if [ -n "${cygwin_value}" ]
|
||||
then
|
||||
_cygwin="${cygwin_value}"
|
||||
else
|
||||
echo
|
||||
echo "Which value should the environment variable CYGWIN have when"
|
||||
echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
|
||||
echo "able to change user context without password."
|
||||
echo -n "Default is \"ntsec\". CYGWIN="
|
||||
read -e _cygwin
|
||||
fi
|
||||
[ -z "${_cygwin}" ] && _cygwin="ntsec"
|
||||
if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
|
||||
then
|
||||
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" -y tcpip
|
||||
then
|
||||
echo
|
||||
echo "The service has been installed under sshd_server account."
|
||||
echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
|
||||
fi
|
||||
else
|
||||
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" -y tcpip
|
||||
then
|
||||
echo
|
||||
echo "The service has been installed under LocalSystem account."
|
||||
echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
# Now check if sshd has been successfully installed. This allows to
|
||||
# set the ownership of the affected files correctly.
|
||||
if cygrunsrv -Q sshd > /dev/null 2>&1
|
||||
then
|
||||
if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
|
||||
then
|
||||
_user="sshd_server"
|
||||
else
|
||||
_user="system"
|
||||
fi
|
||||
chown "${_user}" ${SYSCONFDIR}/ssh*
|
||||
chown "${_user}".544 ${LOCALSTATEDIR}/empty
|
||||
chown "${_user}".544 ${LOCALSTATEDIR}/log/lastlog
|
||||
if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
|
||||
then
|
||||
chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
|
||||
fi
|
||||
fi
|
||||
if ! ( mount | egrep -q 'on /(|usr/(bin|lib)) type system' )
|
||||
then
|
||||
echo
|
||||
echo "Warning: It appears that you have user mode mounts (\"Just me\""
|
||||
echo "chosen during install.) Any daemons installed as services will"
|
||||
echo "fail to function unless system mounts are used. To change this,"
|
||||
echo "re-run setup.exe and choose \"All users\"."
|
||||
echo
|
||||
echo "For more information, see http://cygwin.com/faq/faq0.html#TOC33"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
echo
|
||||
echo "Host configuration finished. Have fun!"
|
250
contrib/cygwin/ssh-user-config
Normal file
250
contrib/cygwin/ssh-user-config
Normal file
@ -0,0 +1,250 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# ssh-user-config, Copyright 2000, 2001, 2002, 2003, Red Hat Inc.
|
||||
#
|
||||
# This file is part of the Cygwin port of OpenSSH.
|
||||
|
||||
# Directory where the config files are stored
|
||||
SYSCONFDIR=/etc
|
||||
|
||||
progname=$0
|
||||
auto_answer=""
|
||||
auto_passphrase="no"
|
||||
passphrase=""
|
||||
|
||||
request()
|
||||
{
|
||||
if [ "${auto_answer}" = "yes" ]
|
||||
then
|
||||
return 0
|
||||
elif [ "${auto_answer}" = "no" ]
|
||||
then
|
||||
return 1
|
||||
fi
|
||||
|
||||
answer=""
|
||||
while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
|
||||
do
|
||||
echo -n "$1 (yes/no) "
|
||||
read answer
|
||||
done
|
||||
if [ "X${answer}" = "Xyes" ]
|
||||
then
|
||||
return 0
|
||||
else
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
# Check if running on NT
|
||||
_sys="`uname -a`"
|
||||
_nt=`expr "$_sys" : "CYGWIN_NT"`
|
||||
# If running on NT, check if running under 2003 Server or later
|
||||
if [ $_nt -gt 0 ]
|
||||
then
|
||||
_nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
|
||||
fi
|
||||
|
||||
# Check options
|
||||
|
||||
while :
|
||||
do
|
||||
case $# in
|
||||
0)
|
||||
break
|
||||
;;
|
||||
esac
|
||||
|
||||
option=$1
|
||||
shift
|
||||
|
||||
case "$option" in
|
||||
-d | --debug )
|
||||
set -x
|
||||
;;
|
||||
|
||||
-y | --yes )
|
||||
auto_answer=yes
|
||||
;;
|
||||
|
||||
-n | --no )
|
||||
auto_answer=no
|
||||
;;
|
||||
|
||||
-p | --passphrase )
|
||||
with_passphrase="yes"
|
||||
passphrase=$1
|
||||
shift
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "usage: ${progname} [OPTION]..."
|
||||
echo
|
||||
echo "This script creates an OpenSSH user configuration."
|
||||
echo
|
||||
echo "Options:"
|
||||
echo " --debug -d Enable shell's debug output."
|
||||
echo " --yes -y Answer all questions with \"yes\" automatically."
|
||||
echo " --no -n Answer all questions with \"no\" automatically."
|
||||
echo " --passphrase -p word Use \"word\" as passphrase automatically."
|
||||
echo
|
||||
exit 1
|
||||
;;
|
||||
|
||||
esac
|
||||
done
|
||||
|
||||
# Ask user if user identity should be generated
|
||||
|
||||
if [ ! -f ${SYSCONFDIR}/passwd ]
|
||||
then
|
||||
echo "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file"
|
||||
echo 'first using mkpasswd. Check if it contains an entry for you and'
|
||||
echo 'please care for the home directory in your entry as well.'
|
||||
exit 1
|
||||
fi
|
||||
|
||||
uid=`id -u`
|
||||
pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd`
|
||||
|
||||
if [ "X${pwdhome}" = "X" ]
|
||||
then
|
||||
echo "There is no home directory set for you in ${SYSCONFDIR}/passwd."
|
||||
echo 'Setting $HOME is not sufficient!'
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -d "${pwdhome}" ]
|
||||
then
|
||||
echo "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory"
|
||||
echo 'but it is not a valid directory. Cannot create user identity files.'
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# If home is the root dir, set home to empty string to avoid error messages
|
||||
# in subsequent parts of that script.
|
||||
if [ "X${pwdhome}" = "X/" ]
|
||||
then
|
||||
# But first raise a warning!
|
||||
echo "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!"
|
||||
if request "Would you like to proceed anyway?"
|
||||
then
|
||||
pwdhome=''
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -d "${pwdhome}" -a $_nt -gt 0 -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
|
||||
then
|
||||
echo
|
||||
echo 'WARNING: group and other have been revoked write permission to your home'
|
||||
echo " directory ${pwdhome}."
|
||||
echo ' This is required by OpenSSH to allow public key authentication using'
|
||||
echo ' the key files stored in your .ssh subdirectory.'
|
||||
echo ' Revert this change ONLY if you know what you are doing!'
|
||||
echo
|
||||
fi
|
||||
|
||||
if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ]
|
||||
then
|
||||
echo "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -e "${pwdhome}/.ssh" ]
|
||||
then
|
||||
mkdir "${pwdhome}/.ssh"
|
||||
if [ ! -e "${pwdhome}/.ssh" ]
|
||||
then
|
||||
echo "Creating users ${pwdhome}/.ssh directory failed"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ $_nt -gt 0 ]
|
||||
then
|
||||
_user="system"
|
||||
if [ $_nt2003 -gt 0 ]
|
||||
then
|
||||
grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && _user="sshd_server"
|
||||
fi
|
||||
if ! setfacl -m "u::rwx,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh"
|
||||
then
|
||||
echo "${pwdhome}/.ssh couldn't be given the correct permissions."
|
||||
echo "Please try to solve this problem first."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ ! -f "${pwdhome}/.ssh/identity" ]
|
||||
then
|
||||
if request "Shall I create an SSH1 RSA identity file for you?"
|
||||
then
|
||||
echo "Generating ${pwdhome}/.ssh/identity"
|
||||
if [ "${with_passphrase}" = "yes" ]
|
||||
then
|
||||
ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null
|
||||
else
|
||||
ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null
|
||||
fi
|
||||
if request "Do you want to use this identity to login to this machine?"
|
||||
then
|
||||
echo "Adding to ${pwdhome}/.ssh/authorized_keys"
|
||||
cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ ! -f "${pwdhome}/.ssh/id_rsa" ]
|
||||
then
|
||||
if request "Shall I create an SSH2 RSA identity file for you?"
|
||||
then
|
||||
echo "Generating ${pwdhome}/.ssh/id_rsa"
|
||||
if [ "${with_passphrase}" = "yes" ]
|
||||
then
|
||||
ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null
|
||||
else
|
||||
ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null
|
||||
fi
|
||||
if request "Do you want to use this identity to login to this machine?"
|
||||
then
|
||||
echo "Adding to ${pwdhome}/.ssh/authorized_keys"
|
||||
cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ ! -f "${pwdhome}/.ssh/id_dsa" ]
|
||||
then
|
||||
if request "Shall I create an SSH2 DSA identity file for you?"
|
||||
then
|
||||
echo "Generating ${pwdhome}/.ssh/id_dsa"
|
||||
if [ "${with_passphrase}" = "yes" ]
|
||||
then
|
||||
ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null
|
||||
else
|
||||
ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null
|
||||
fi
|
||||
if request "Do you want to use this identity to login to this machine?"
|
||||
then
|
||||
echo "Adding to ${pwdhome}/.ssh/authorized_keys"
|
||||
cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ $_nt -gt 0 -a -e "${pwdhome}/.ssh/authorized_keys" ]
|
||||
then
|
||||
if ! setfacl -m "u::rw-,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh/authorized_keys"
|
||||
then
|
||||
echo
|
||||
echo "WARNING: Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
|
||||
echo "failed. Please care for the correct permissions. The minimum requirement"
|
||||
echo "is, the owner and ${_user} both need read permissions."
|
||||
echo
|
||||
fi
|
||||
fi
|
||||
|
||||
echo
|
||||
echo "Configuration finished. Have fun!"
|
186
contrib/findssl.sh
Executable file
186
contrib/findssl.sh
Executable file
@ -0,0 +1,186 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# $Id$
|
||||
#
|
||||
# findssl.sh
|
||||
# Search for all instances of OpenSSL headers and libraries
|
||||
# and print their versions.
|
||||
# Intended to help diagnose OpenSSH's "OpenSSL headers do not
|
||||
# match your library" errors.
|
||||
#
|
||||
# Written by Darren Tucker (dtucker at zip dot com dot au)
|
||||
# This file is placed in the public domain.
|
||||
#
|
||||
# Release history:
|
||||
# 2002-07-27: Initial release.
|
||||
# 2002-08-04: Added public domain notice.
|
||||
# 2003-06-24: Incorporated readme, set library paths. First cvs version.
|
||||
# 2004-12-13: Add traps to cleanup temp files, from Amarendra Godbole.
|
||||
#
|
||||
# "OpenSSL headers do not match your library" are usually caused by
|
||||
# OpenSSH's configure picking up an older version of OpenSSL headers
|
||||
# or libraries. You can use the following # procedure to help identify
|
||||
# the cause.
|
||||
#
|
||||
# The output of configure will tell you the versions of the OpenSSL
|
||||
# headers and libraries that were picked up, for example:
|
||||
#
|
||||
# checking OpenSSL header version... 90604f (OpenSSL 0.9.6d 9 May 2002)
|
||||
# checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)
|
||||
# checking whether OpenSSL's headers match the library... no
|
||||
# configure: error: Your OpenSSL headers do not match your library
|
||||
#
|
||||
# Now run findssl.sh. This should identify the headers and libraries
|
||||
# present and their versions. You should be able to identify the
|
||||
# libraries and headers used and adjust your CFLAGS or remove incorrect
|
||||
# versions. The output will show OpenSSL's internal version identifier
|
||||
# and should look something like:
|
||||
|
||||
# $ ./findssl.sh
|
||||
# Searching for OpenSSL header files.
|
||||
# 0x0090604fL /usr/include/openssl/opensslv.h
|
||||
# 0x0090604fL /usr/local/ssl/include/openssl/opensslv.h
|
||||
#
|
||||
# Searching for OpenSSL shared library files.
|
||||
# 0x0090602fL /lib/libcrypto.so.0.9.6b
|
||||
# 0x0090602fL /lib/libcrypto.so.2
|
||||
# 0x0090581fL /usr/lib/libcrypto.so.0
|
||||
# 0x0090602fL /usr/lib/libcrypto.so
|
||||
# 0x0090581fL /usr/lib/libcrypto.so.0.9.5a
|
||||
# 0x0090600fL /usr/lib/libcrypto.so.0.9.6
|
||||
# 0x0090600fL /usr/lib/libcrypto.so.1
|
||||
#
|
||||
# Searching for OpenSSL static library files.
|
||||
# 0x0090602fL /usr/lib/libcrypto.a
|
||||
# 0x0090604fL /usr/local/ssl/lib/libcrypto.a
|
||||
#
|
||||
# In this example, I gave configure no extra flags, so it's picking up
|
||||
# the OpenSSL header from /usr/include/openssl (90604f) and the library
|
||||
# from /usr/lib/ (90602f).
|
||||
|
||||
#
|
||||
# Adjust these to suit your compiler.
|
||||
# You may also need to set the *LIB*PATH environment variables if
|
||||
# DEFAULT_LIBPATH is not correct for your system.
|
||||
#
|
||||
CC=gcc
|
||||
STATIC=-static
|
||||
|
||||
#
|
||||
# Cleanup on interrupt
|
||||
#
|
||||
trap 'rm -f conftest.c' INT HUP TERM
|
||||
|
||||
#
|
||||
# Set up conftest C source
|
||||
#
|
||||
rm -f findssl.log
|
||||
cat >conftest.c <<EOD
|
||||
#include <stdio.h>
|
||||
int main(){printf("0x%08xL\n", SSLeay());}
|
||||
EOD
|
||||
|
||||
#
|
||||
# Set default library paths if not already set
|
||||
#
|
||||
DEFAULT_LIBPATH=/usr/lib:/usr/local/lib
|
||||
LIBPATH=${LIBPATH:=$DEFAULT_LIBPATH}
|
||||
LD_LIBRARY_PATH=${LD_LIBRARY_PATH:=$DEFAULT_LIBPATH}
|
||||
LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH}
|
||||
export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
|
||||
|
||||
# not all platforms have a 'which' command
|
||||
if which ls >/dev/null 2>/dev/null; then
|
||||
: which is defined
|
||||
else
|
||||
which () {
|
||||
saveIFS="$IFS"
|
||||
IFS=:
|
||||
for p in $PATH; do
|
||||
if test -x "$p/$1" -a -f "$p/$1"; then
|
||||
IFS="$saveIFS"
|
||||
echo "$p/$1"
|
||||
return 0
|
||||
fi
|
||||
done
|
||||
IFS="$saveIFS"
|
||||
return 1
|
||||
}
|
||||
fi
|
||||
|
||||
#
|
||||
# Search for OpenSSL headers and print versions
|
||||
#
|
||||
echo Searching for OpenSSL header files.
|
||||
if [ -x "`which locate`" ]
|
||||
then
|
||||
headers=`locate opensslv.h`
|
||||
else
|
||||
headers=`find / -name opensslv.h -print 2>/dev/null`
|
||||
fi
|
||||
|
||||
for header in $headers
|
||||
do
|
||||
ver=`awk '/OPENSSL_VERSION_NUMBER/{printf \$3}' $header`
|
||||
echo "$ver $header"
|
||||
done
|
||||
echo
|
||||
|
||||
#
|
||||
# Search for shared libraries.
|
||||
# Relies on shared libraries looking like "libcrypto.s*"
|
||||
#
|
||||
echo Searching for OpenSSL shared library files.
|
||||
if [ -x "`which locate`" ]
|
||||
then
|
||||
libraries=`locate libcrypto.s`
|
||||
else
|
||||
libraries=`find / -name 'libcrypto.s*' -print 2>/dev/null`
|
||||
fi
|
||||
|
||||
for lib in $libraries
|
||||
do
|
||||
(echo "Trying libcrypto $lib" >>findssl.log
|
||||
dir=`dirname $lib`
|
||||
LIBPATH="$dir:$LIBPATH"
|
||||
LD_LIBRARY_PATH="$dir:$LIBPATH"
|
||||
LIBRARY_PATH="$dir:$LIBPATH"
|
||||
export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
|
||||
${CC} -o conftest conftest.c $lib 2>>findssl.log
|
||||
if [ -x ./conftest ]
|
||||
then
|
||||
ver=`./conftest 2>/dev/null`
|
||||
rm -f ./conftest
|
||||
echo "$ver $lib"
|
||||
fi)
|
||||
done
|
||||
echo
|
||||
|
||||
#
|
||||
# Search for static OpenSSL libraries and print versions
|
||||
#
|
||||
echo Searching for OpenSSL static library files.
|
||||
if [ -x "`which locate`" ]
|
||||
then
|
||||
libraries=`locate libcrypto.a`
|
||||
else
|
||||
libraries=`find / -name libcrypto.a -print 2>/dev/null`
|
||||
fi
|
||||
|
||||
for lib in $libraries
|
||||
do
|
||||
libdir=`dirname $lib`
|
||||
echo "Trying libcrypto $lib" >>findssl.log
|
||||
${CC} ${STATIC} -o conftest conftest.c -L${libdir} -lcrypto 2>>findssl.log
|
||||
if [ -x ./conftest ]
|
||||
then
|
||||
ver=`./conftest 2>/dev/null`
|
||||
rm -f ./conftest
|
||||
echo "$ver $lib"
|
||||
fi
|
||||
done
|
||||
|
||||
#
|
||||
# Clean up
|
||||
#
|
||||
rm -f conftest.c
|
171
contrib/gnome-ssh-askpass1.c
Normal file
171
contrib/gnome-ssh-askpass1.c
Normal file
@ -0,0 +1,171 @@
|
||||
/*
|
||||
* Copyright (c) 2000-2002 Damien Miller. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/*
|
||||
* This is a simple GNOME SSH passphrase grabber. To use it, set the
|
||||
* environment variable SSH_ASKPASS to point to the location of
|
||||
* gnome-ssh-askpass before calling "ssh-add < /dev/null".
|
||||
*
|
||||
* There is only two run-time options: if you set the environment variable
|
||||
* "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
|
||||
* the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
|
||||
* pointer will be grabbed too. These may have some benefit to security if
|
||||
* you don't trust your X server. We grab the keyboard always.
|
||||
*/
|
||||
|
||||
/*
|
||||
* Compile with:
|
||||
*
|
||||
* cc `gnome-config --cflags gnome gnomeui` \
|
||||
* gnome-ssh-askpass1.c -o gnome-ssh-askpass \
|
||||
* `gnome-config --libs gnome gnomeui`
|
||||
*
|
||||
*/
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <gnome.h>
|
||||
#include <X11/Xlib.h>
|
||||
#include <gdk/gdkx.h>
|
||||
|
||||
void
|
||||
report_failed_grab (void)
|
||||
{
|
||||
GtkWidget *err;
|
||||
|
||||
err = gnome_message_box_new("Could not grab keyboard or mouse.\n"
|
||||
"A malicious client may be eavesdropping on your session.",
|
||||
GNOME_MESSAGE_BOX_ERROR, "EXIT", NULL);
|
||||
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
|
||||
gtk_object_set(GTK_OBJECT(err), "type", GTK_WINDOW_POPUP, NULL);
|
||||
|
||||
gnome_dialog_run_and_close(GNOME_DIALOG(err));
|
||||
}
|
||||
|
||||
int
|
||||
passphrase_dialog(char *message)
|
||||
{
|
||||
char *passphrase;
|
||||
char **messages;
|
||||
int result, i, grab_server, grab_pointer;
|
||||
GtkWidget *dialog, *entry, *label;
|
||||
|
||||
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
|
||||
grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
|
||||
|
||||
dialog = gnome_dialog_new("OpenSSH", GNOME_STOCK_BUTTON_OK,
|
||||
GNOME_STOCK_BUTTON_CANCEL, NULL);
|
||||
|
||||
messages = g_strsplit(message, "\\n", 0);
|
||||
if (messages)
|
||||
for(i = 0; messages[i]; i++) {
|
||||
label = gtk_label_new(messages[i]);
|
||||
gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox),
|
||||
label, FALSE, FALSE, 0);
|
||||
}
|
||||
|
||||
entry = gtk_entry_new();
|
||||
gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE,
|
||||
FALSE, 0);
|
||||
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
|
||||
gtk_widget_grab_focus(entry);
|
||||
|
||||
/* Center window and prepare for grab */
|
||||
gtk_object_set(GTK_OBJECT(dialog), "type", GTK_WINDOW_POPUP, NULL);
|
||||
gnome_dialog_set_default(GNOME_DIALOG(dialog), 0);
|
||||
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
|
||||
gtk_window_set_policy(GTK_WINDOW(dialog), FALSE, FALSE, TRUE);
|
||||
gnome_dialog_close_hides(GNOME_DIALOG(dialog), TRUE);
|
||||
gtk_container_set_border_width(GTK_CONTAINER(GNOME_DIALOG(dialog)->vbox),
|
||||
GNOME_PAD);
|
||||
gtk_widget_show_all(dialog);
|
||||
|
||||
/* Grab focus */
|
||||
if (grab_server)
|
||||
XGrabServer(GDK_DISPLAY());
|
||||
if (grab_pointer && gdk_pointer_grab(dialog->window, TRUE, 0,
|
||||
NULL, NULL, GDK_CURRENT_TIME))
|
||||
goto nograb;
|
||||
if (gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME))
|
||||
goto nograbkb;
|
||||
|
||||
/* Make <enter> close dialog */
|
||||
gnome_dialog_editable_enters(GNOME_DIALOG(dialog), GTK_EDITABLE(entry));
|
||||
|
||||
/* Run dialog */
|
||||
result = gnome_dialog_run(GNOME_DIALOG(dialog));
|
||||
|
||||
/* Ungrab */
|
||||
if (grab_server)
|
||||
XUngrabServer(GDK_DISPLAY());
|
||||
if (grab_pointer)
|
||||
gdk_pointer_ungrab(GDK_CURRENT_TIME);
|
||||
gdk_keyboard_ungrab(GDK_CURRENT_TIME);
|
||||
gdk_flush();
|
||||
|
||||
/* Report passphrase if user selected OK */
|
||||
passphrase = gtk_entry_get_text(GTK_ENTRY(entry));
|
||||
if (result == 0)
|
||||
puts(passphrase);
|
||||
|
||||
/* Zero passphrase in memory */
|
||||
memset(passphrase, '\0', strlen(passphrase));
|
||||
gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
|
||||
|
||||
gnome_dialog_close(GNOME_DIALOG(dialog));
|
||||
return (result == 0 ? 0 : -1);
|
||||
|
||||
/* At least one grab failed - ungrab what we got, and report
|
||||
the failure to the user. Note that XGrabServer() cannot
|
||||
fail. */
|
||||
nograbkb:
|
||||
gdk_pointer_ungrab(GDK_CURRENT_TIME);
|
||||
nograb:
|
||||
if (grab_server)
|
||||
XUngrabServer(GDK_DISPLAY());
|
||||
gnome_dialog_close(GNOME_DIALOG(dialog));
|
||||
|
||||
report_failed_grab();
|
||||
return (-1);
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
char *message;
|
||||
int result;
|
||||
|
||||
gnome_init("GNOME ssh-askpass", "0.1", argc, argv);
|
||||
|
||||
if (argc == 2)
|
||||
message = argv[1];
|
||||
else
|
||||
message = "Enter your OpenSSH passphrase:";
|
||||
|
||||
setvbuf(stdout, 0, _IONBF, 0);
|
||||
result = passphrase_dialog(message);
|
||||
|
||||
return (result);
|
||||
}
|
220
contrib/gnome-ssh-askpass2.c
Normal file
220
contrib/gnome-ssh-askpass2.c
Normal file
@ -0,0 +1,220 @@
|
||||
/*
|
||||
* Copyright (c) 2000-2002 Damien Miller. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/* GTK2 support by Nalin Dahyabhai <nalin@redhat.com> */
|
||||
|
||||
/*
|
||||
* This is a simple GNOME SSH passphrase grabber. To use it, set the
|
||||
* environment variable SSH_ASKPASS to point to the location of
|
||||
* gnome-ssh-askpass before calling "ssh-add < /dev/null".
|
||||
*
|
||||
* There is only two run-time options: if you set the environment variable
|
||||
* "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
|
||||
* the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
|
||||
* pointer will be grabbed too. These may have some benefit to security if
|
||||
* you don't trust your X server. We grab the keyboard always.
|
||||
*/
|
||||
|
||||
#define GRAB_TRIES 16
|
||||
#define GRAB_WAIT 250 /* milliseconds */
|
||||
|
||||
/*
|
||||
* Compile with:
|
||||
*
|
||||
* cc -Wall `pkg-config --cflags gtk+-2.0` \
|
||||
* gnome-ssh-askpass2.c -o gnome-ssh-askpass \
|
||||
* `pkg-config --libs gtk+-2.0`
|
||||
*
|
||||
*/
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <X11/Xlib.h>
|
||||
#include <gtk/gtk.h>
|
||||
#include <gdk/gdkx.h>
|
||||
|
||||
static void
|
||||
report_failed_grab (const char *what)
|
||||
{
|
||||
GtkWidget *err;
|
||||
|
||||
err = gtk_message_dialog_new(NULL, 0,
|
||||
GTK_MESSAGE_ERROR,
|
||||
GTK_BUTTONS_CLOSE,
|
||||
"Could not grab %s. "
|
||||
"A malicious client may be eavesdropping "
|
||||
"on your session.", what);
|
||||
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
|
||||
gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label),
|
||||
TRUE);
|
||||
|
||||
gtk_dialog_run(GTK_DIALOG(err));
|
||||
|
||||
gtk_widget_destroy(err);
|
||||
}
|
||||
|
||||
static void
|
||||
ok_dialog(GtkWidget *entry, gpointer dialog)
|
||||
{
|
||||
g_return_if_fail(GTK_IS_DIALOG(dialog));
|
||||
gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
|
||||
}
|
||||
|
||||
static int
|
||||
passphrase_dialog(char *message)
|
||||
{
|
||||
const char *failed;
|
||||
char *passphrase, *local;
|
||||
int result, grab_tries, grab_server, grab_pointer;
|
||||
GtkWidget *dialog, *entry;
|
||||
GdkGrabStatus status;
|
||||
|
||||
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
|
||||
grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
|
||||
grab_tries = 0;
|
||||
|
||||
dialog = gtk_message_dialog_new(NULL, 0,
|
||||
GTK_MESSAGE_QUESTION,
|
||||
GTK_BUTTONS_OK_CANCEL,
|
||||
"%s",
|
||||
message);
|
||||
|
||||
entry = gtk_entry_new();
|
||||
gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE,
|
||||
FALSE, 0);
|
||||
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
|
||||
gtk_widget_grab_focus(entry);
|
||||
gtk_widget_show(entry);
|
||||
|
||||
gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
|
||||
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
|
||||
gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(dialog))->label),
|
||||
TRUE);
|
||||
|
||||
/* Make <enter> close dialog */
|
||||
gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
|
||||
g_signal_connect(G_OBJECT(entry), "activate",
|
||||
G_CALLBACK(ok_dialog), dialog);
|
||||
|
||||
/* Grab focus */
|
||||
gtk_widget_show_now(dialog);
|
||||
if (grab_pointer) {
|
||||
for(;;) {
|
||||
status = gdk_pointer_grab(
|
||||
(GTK_WIDGET(dialog))->window, TRUE, 0, NULL,
|
||||
NULL, GDK_CURRENT_TIME);
|
||||
if (status == GDK_GRAB_SUCCESS)
|
||||
break;
|
||||
usleep(GRAB_WAIT * 1000);
|
||||
if (++grab_tries > GRAB_TRIES) {
|
||||
failed = "mouse";
|
||||
goto nograb;
|
||||
}
|
||||
}
|
||||
}
|
||||
for(;;) {
|
||||
status = gdk_keyboard_grab((GTK_WIDGET(dialog))->window,
|
||||
FALSE, GDK_CURRENT_TIME);
|
||||
if (status == GDK_GRAB_SUCCESS)
|
||||
break;
|
||||
usleep(GRAB_WAIT * 1000);
|
||||
if (++grab_tries > GRAB_TRIES) {
|
||||
failed = "keyboard";
|
||||
goto nograbkb;
|
||||
}
|
||||
}
|
||||
if (grab_server) {
|
||||
gdk_x11_grab_server();
|
||||
}
|
||||
|
||||
result = gtk_dialog_run(GTK_DIALOG(dialog));
|
||||
|
||||
/* Ungrab */
|
||||
if (grab_server)
|
||||
XUngrabServer(GDK_DISPLAY());
|
||||
if (grab_pointer)
|
||||
gdk_pointer_ungrab(GDK_CURRENT_TIME);
|
||||
gdk_keyboard_ungrab(GDK_CURRENT_TIME);
|
||||
gdk_flush();
|
||||
|
||||
/* Report passphrase if user selected OK */
|
||||
passphrase = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry)));
|
||||
if (result == GTK_RESPONSE_OK) {
|
||||
local = g_locale_from_utf8(passphrase, strlen(passphrase),
|
||||
NULL, NULL, NULL);
|
||||
if (local != NULL) {
|
||||
puts(local);
|
||||
memset(local, '\0', strlen(local));
|
||||
g_free(local);
|
||||
} else {
|
||||
puts(passphrase);
|
||||
}
|
||||
}
|
||||
|
||||
/* Zero passphrase in memory */
|
||||
memset(passphrase, '\b', strlen(passphrase));
|
||||
gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
|
||||
memset(passphrase, '\0', strlen(passphrase));
|
||||
g_free(passphrase);
|
||||
|
||||
gtk_widget_destroy(dialog);
|
||||
return (result == GTK_RESPONSE_OK ? 0 : -1);
|
||||
|
||||
/* At least one grab failed - ungrab what we got, and report
|
||||
the failure to the user. Note that XGrabServer() cannot
|
||||
fail. */
|
||||
nograbkb:
|
||||
gdk_pointer_ungrab(GDK_CURRENT_TIME);
|
||||
nograb:
|
||||
if (grab_server)
|
||||
XUngrabServer(GDK_DISPLAY());
|
||||
gtk_widget_destroy(dialog);
|
||||
|
||||
report_failed_grab(failed);
|
||||
|
||||
return (-1);
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
char *message;
|
||||
int result;
|
||||
|
||||
gtk_init(&argc, &argv);
|
||||
|
||||
if (argc > 1) {
|
||||
message = g_strjoinv(" ", argv + 1);
|
||||
} else {
|
||||
message = g_strdup("Enter your OpenSSH passphrase:");
|
||||
}
|
||||
|
||||
setvbuf(stdout, 0, _IONBF, 0);
|
||||
result = passphrase_dialog(message);
|
||||
g_free(message);
|
||||
|
||||
return (result);
|
||||
}
|
45
contrib/hpux/README
Normal file
45
contrib/hpux/README
Normal file
@ -0,0 +1,45 @@
|
||||
README for OpenSSH HP-UX contrib files
|
||||
Kevin Steves <stevesk@pobox.com>
|
||||
|
||||
sshd: configuration file for sshd.rc
|
||||
sshd.rc: SSH startup script
|
||||
egd: configuration file for egd.rc
|
||||
egd.rc: EGD (entropy gathering daemon) startup script
|
||||
|
||||
To install:
|
||||
|
||||
sshd.rc:
|
||||
|
||||
o Verify paths in sshd.rc match your local installation
|
||||
(WHAT_PATH and WHAT_PID)
|
||||
o Customize sshd if needed (SSHD_ARGS)
|
||||
o Install:
|
||||
|
||||
# cp sshd /etc/rc.config.d
|
||||
# chmod 444 /etc/rc.config.d/sshd
|
||||
# cp sshd.rc /sbin/init.d
|
||||
# chmod 555 /sbin/init.d/sshd.rc
|
||||
# ln -s /sbin/init.d/sshd.rc /sbin/rc1.d/K100sshd
|
||||
# ln -s /sbin/init.d/sshd.rc /sbin/rc2.d/S900sshd
|
||||
|
||||
egd.rc:
|
||||
|
||||
o Verify egd.pl path in egd.rc matches your local installation
|
||||
(WHAT_PATH)
|
||||
o Customize egd if needed (EGD_ARGS and EGD_LOG)
|
||||
o Add pseudo account:
|
||||
|
||||
# groupadd egd
|
||||
# useradd -g egd egd
|
||||
# mkdir -p /etc/opt/egd
|
||||
# chown egd:egd /etc/opt/egd
|
||||
# chmod 711 /etc/opt/egd
|
||||
|
||||
o Install:
|
||||
|
||||
# cp egd /etc/rc.config.d
|
||||
# chmod 444 /etc/rc.config.d/egd
|
||||
# cp egd.rc /sbin/init.d
|
||||
# chmod 555 /sbin/init.d/egd.rc
|
||||
# ln -s /sbin/init.d/egd.rc /sbin/rc1.d/K600egd
|
||||
# ln -s /sbin/init.d/egd.rc /sbin/rc2.d/S400egd
|
15
contrib/hpux/egd
Normal file
15
contrib/hpux/egd
Normal file
@ -0,0 +1,15 @@
|
||||
# EGD_START: Set to 1 to start entropy gathering daemon
|
||||
# EGD_ARGS: Command line arguments to pass to egd
|
||||
# EGD_LOG: EGD stdout and stderr log file (default /etc/opt/egd/egd.log)
|
||||
#
|
||||
# To configure the egd environment:
|
||||
|
||||
# groupadd egd
|
||||
# useradd -g egd egd
|
||||
# mkdir -p /etc/opt/egd
|
||||
# chown egd:egd /etc/opt/egd
|
||||
# chmod 711 /etc/opt/egd
|
||||
|
||||
EGD_START=1
|
||||
EGD_ARGS='/etc/opt/egd/entropy'
|
||||
EGD_LOG=
|
98
contrib/hpux/egd.rc
Executable file
98
contrib/hpux/egd.rc
Executable file
@ -0,0 +1,98 @@
|
||||
#!/sbin/sh
|
||||
|
||||
#
|
||||
# egd.rc: EGD start-up and shutdown script
|
||||
#
|
||||
|
||||
# Allowed exit values:
|
||||
# 0 = success; causes "OK" to show up in checklist.
|
||||
# 1 = failure; causes "FAIL" to show up in checklist.
|
||||
# 2 = skip; causes "N/A" to show up in the checklist.
|
||||
# Use this value if execution of this script is overridden
|
||||
# by the use of a control variable, or if this script is not
|
||||
# appropriate to execute for some other reason.
|
||||
# 3 = reboot; causes the system to be rebooted after execution.
|
||||
|
||||
# Input and output:
|
||||
# stdin is redirected from /dev/null
|
||||
#
|
||||
# stdout and stderr are redirected to the /etc/rc.log file
|
||||
# during checklist mode, or to the console in raw mode.
|
||||
|
||||
umask 022
|
||||
|
||||
PATH=/usr/sbin:/usr/bin:/sbin
|
||||
export PATH
|
||||
|
||||
WHAT='EGD (entropy gathering daemon)'
|
||||
WHAT_PATH=/opt/perl/bin/egd.pl
|
||||
WHAT_CONFIG=/etc/rc.config.d/egd
|
||||
WHAT_LOG=/etc/opt/egd/egd.log
|
||||
|
||||
# NOTE: If your script executes in run state 0 or state 1, then /usr might
|
||||
# not be available. Do not attempt to access commands or files in
|
||||
# /usr unless your script executes in run state 2 or greater. Other
|
||||
# file systems typically not mounted until run state 2 include /var
|
||||
# and /opt.
|
||||
|
||||
rval=0
|
||||
|
||||
# Check the exit value of a command run by this script. If non-zero, the
|
||||
# exit code is echoed to the log file and the return value of this script
|
||||
# is set to indicate failure.
|
||||
|
||||
set_return() {
|
||||
x=$?
|
||||
if [ $x -ne 0 ]; then
|
||||
echo "EXIT CODE: $x"
|
||||
rval=1 # script FAILed
|
||||
fi
|
||||
}
|
||||
|
||||
case $1 in
|
||||
'start_msg')
|
||||
echo "Starting $WHAT"
|
||||
;;
|
||||
|
||||
'stop_msg')
|
||||
echo "Stopping $WHAT"
|
||||
;;
|
||||
|
||||
'start')
|
||||
if [ -f $WHAT_CONFIG ] ; then
|
||||
. $WHAT_CONFIG
|
||||
else
|
||||
echo "ERROR: $WHAT_CONFIG defaults file MISSING"
|
||||
fi
|
||||
|
||||
|
||||
if [ "$EGD_START" -eq 1 -a -x $WHAT_PATH ]; then
|
||||
EGD_LOG=${EGD_LOG:-$WHAT_LOG}
|
||||
su egd -c "nohup $WHAT_PATH $EGD_ARGS >$EGD_LOG 2>&1" &&
|
||||
echo $WHAT started
|
||||
set_return
|
||||
else
|
||||
rval=2
|
||||
fi
|
||||
;;
|
||||
|
||||
'stop')
|
||||
pid=`ps -fuegd | awk '$1 == "egd" { print $2 }'`
|
||||
if [ "X$pid" != "X" ]; then
|
||||
if kill "$pid"; then
|
||||
echo "$WHAT stopped"
|
||||
else
|
||||
rval=1
|
||||
echo "Unable to stop $WHAT"
|
||||
fi
|
||||
fi
|
||||
set_return
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "usage: $0 {start|stop|start_msg|stop_msg}"
|
||||
rval=1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit $rval
|
5
contrib/hpux/sshd
Normal file
5
contrib/hpux/sshd
Normal file
@ -0,0 +1,5 @@
|
||||
# SSHD_START: Set to 1 to start SSH daemon
|
||||
# SSHD_ARGS: Command line arguments to pass to sshd
|
||||
#
|
||||
SSHD_START=1
|
||||
SSHD_ARGS=
|
90
contrib/hpux/sshd.rc
Executable file
90
contrib/hpux/sshd.rc
Executable file
@ -0,0 +1,90 @@
|
||||
#!/sbin/sh
|
||||
|
||||
#
|
||||
# sshd.rc: SSH daemon start-up and shutdown script
|
||||
#
|
||||
|
||||
# Allowed exit values:
|
||||
# 0 = success; causes "OK" to show up in checklist.
|
||||
# 1 = failure; causes "FAIL" to show up in checklist.
|
||||
# 2 = skip; causes "N/A" to show up in the checklist.
|
||||
# Use this value if execution of this script is overridden
|
||||
# by the use of a control variable, or if this script is not
|
||||
# appropriate to execute for some other reason.
|
||||
# 3 = reboot; causes the system to be rebooted after execution.
|
||||
|
||||
# Input and output:
|
||||
# stdin is redirected from /dev/null
|
||||
#
|
||||
# stdout and stderr are redirected to the /etc/rc.log file
|
||||
# during checklist mode, or to the console in raw mode.
|
||||
|
||||
PATH=/usr/sbin:/usr/bin:/sbin
|
||||
export PATH
|
||||
|
||||
WHAT='OpenSSH'
|
||||
WHAT_PATH=/opt/openssh/sbin/sshd
|
||||
WHAT_PID=/var/run/sshd.pid
|
||||
WHAT_CONFIG=/etc/rc.config.d/sshd
|
||||
|
||||
# NOTE: If your script executes in run state 0 or state 1, then /usr might
|
||||
# not be available. Do not attempt to access commands or files in
|
||||
# /usr unless your script executes in run state 2 or greater. Other
|
||||
# file systems typically not mounted until run state 2 include /var
|
||||
# and /opt.
|
||||
|
||||
rval=0
|
||||
|
||||
# Check the exit value of a command run by this script. If non-zero, the
|
||||
# exit code is echoed to the log file and the return value of this script
|
||||
# is set to indicate failure.
|
||||
|
||||
set_return() {
|
||||
x=$?
|
||||
if [ $x -ne 0 ]; then
|
||||
echo "EXIT CODE: $x"
|
||||
rval=1 # script FAILed
|
||||
fi
|
||||
}
|
||||
|
||||
case $1 in
|
||||
'start_msg')
|
||||
echo "Starting $WHAT"
|
||||
;;
|
||||
|
||||
'stop_msg')
|
||||
echo "Stopping $WHAT"
|
||||
;;
|
||||
|
||||
'start')
|
||||
if [ -f $WHAT_CONFIG ] ; then
|
||||
. $WHAT_CONFIG
|
||||
else
|
||||
echo "ERROR: $WHAT_CONFIG defaults file MISSING"
|
||||
fi
|
||||
|
||||
if [ "$SSHD_START" -eq 1 -a -x "$WHAT_PATH" ]; then
|
||||
$WHAT_PATH $SSHD_ARGS && echo "$WHAT started"
|
||||
set_return
|
||||
else
|
||||
rval=2
|
||||
fi
|
||||
;;
|
||||
|
||||
'stop')
|
||||
if kill `cat $WHAT_PID`; then
|
||||
echo "$WHAT stopped"
|
||||
else
|
||||
rval=1
|
||||
echo "Unable to stop $WHAT"
|
||||
fi
|
||||
set_return
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "usage: $0 {start|stop|start_msg|stop_msg}"
|
||||
rval=1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit $rval
|
1
contrib/redhat/gnome-ssh-askpass.csh
Normal file
1
contrib/redhat/gnome-ssh-askpass.csh
Normal file
@ -0,0 +1 @@
|
||||
setenv SSH_ASKPASS /usr/libexec/openssh/gnome-ssh-askpass
|
2
contrib/redhat/gnome-ssh-askpass.sh
Executable file
2
contrib/redhat/gnome-ssh-askpass.sh
Executable file
@ -0,0 +1,2 @@
|
||||
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
|
||||
export SSH_ASKPASS
|
804
contrib/redhat/openssh.spec
Normal file
804
contrib/redhat/openssh.spec
Normal file
@ -0,0 +1,804 @@
|
||||
%define ver 4.6p1
|
||||
%define rel 1
|
||||
|
||||
# OpenSSH privilege separation requires a user & group ID
|
||||
%define sshd_uid 74
|
||||
%define sshd_gid 74
|
||||
|
||||
# Version of ssh-askpass
|
||||
%define aversion 1.2.4.1
|
||||
|
||||
# Do we want to disable building of x11-askpass? (1=yes 0=no)
|
||||
%define no_x11_askpass 0
|
||||
|
||||
# Do we want to disable building of gnome-askpass? (1=yes 0=no)
|
||||
%define no_gnome_askpass 0
|
||||
|
||||
# Do we want to link against a static libcrypto? (1=yes 0=no)
|
||||
%define static_libcrypto 0
|
||||
|
||||
# Do we want smartcard support (1=yes 0=no)
|
||||
%define scard 0
|
||||
|
||||
# Use GTK2 instead of GNOME in gnome-ssh-askpass
|
||||
%define gtk2 1
|
||||
|
||||
# Is this build for RHL 6.x?
|
||||
%define build6x 0
|
||||
|
||||
# Do we want kerberos5 support (1=yes 0=no)
|
||||
%define kerberos5 1
|
||||
|
||||
# Reserve options to override askpass settings with:
|
||||
# rpm -ba|--rebuild --define 'skip_xxx 1'
|
||||
%{?skip_x11_askpass:%define no_x11_askpass 1}
|
||||
%{?skip_gnome_askpass:%define no_gnome_askpass 1}
|
||||
|
||||
# Add option to build without GTK2 for older platforms with only GTK+.
|
||||
# RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples.
|
||||
# rpm -ba|--rebuild --define 'no_gtk2 1'
|
||||
%{?no_gtk2:%define gtk2 0}
|
||||
|
||||
# Is this a build for RHL 6.x or earlier?
|
||||
%{?build_6x:%define build6x 1}
|
||||
|
||||
# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
|
||||
%if %{build6x}
|
||||
%define _sysconfdir /etc
|
||||
%endif
|
||||
|
||||
# Options for static OpenSSL link:
|
||||
# rpm -ba|--rebuild --define "static_openssl 1"
|
||||
%{?static_openssl:%define static_libcrypto 1}
|
||||
|
||||
# Options for Smartcard support: (needs libsectok and openssl-engine)
|
||||
# rpm -ba|--rebuild --define "smartcard 1"
|
||||
%{?smartcard:%define scard 1}
|
||||
|
||||
# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
|
||||
%define rescue 0
|
||||
%{?build_rescue:%define rescue 1}
|
||||
|
||||
# Turn off some stuff for resuce builds
|
||||
%if %{rescue}
|
||||
%define kerberos5 0
|
||||
%endif
|
||||
|
||||
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
|
||||
Name: openssh
|
||||
Version: %{ver}
|
||||
%if %{rescue}
|
||||
Release: %{rel}rescue
|
||||
%else
|
||||
Release: %{rel}
|
||||
%endif
|
||||
URL: http://www.openssh.com/portable.html
|
||||
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||
Source1: http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
|
||||
License: BSD
|
||||
Group: Applications/Internet
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
|
||||
Obsoletes: ssh
|
||||
%if %{build6x}
|
||||
PreReq: initscripts >= 5.00
|
||||
%else
|
||||
PreReq: initscripts >= 5.20
|
||||
%endif
|
||||
BuildPreReq: perl, openssl-devel, tcp_wrappers
|
||||
BuildPreReq: /bin/login
|
||||
%if ! %{build6x}
|
||||
BuildPreReq: glibc-devel, pam
|
||||
%else
|
||||
BuildPreReq: /usr/include/security/pam_appl.h
|
||||
%endif
|
||||
%if ! %{no_x11_askpass}
|
||||
BuildPreReq: XFree86-devel
|
||||
%endif
|
||||
%if ! %{no_gnome_askpass}
|
||||
BuildPreReq: pkgconfig
|
||||
%endif
|
||||
%if %{kerberos5}
|
||||
BuildPreReq: krb5-devel
|
||||
BuildPreReq: krb5-libs
|
||||
%endif
|
||||
|
||||
%package clients
|
||||
Summary: OpenSSH clients.
|
||||
Requires: openssh = %{version}-%{release}
|
||||
Group: Applications/Internet
|
||||
Obsoletes: ssh-clients
|
||||
|
||||
%package server
|
||||
Summary: The OpenSSH server daemon.
|
||||
Group: System Environment/Daemons
|
||||
Obsoletes: ssh-server
|
||||
PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9
|
||||
%if ! %{build6x}
|
||||
Requires: /etc/pam.d/system-auth
|
||||
%endif
|
||||
|
||||
%package askpass
|
||||
Summary: A passphrase dialog for OpenSSH and X.
|
||||
Group: Applications/Internet
|
||||
Requires: openssh = %{version}-%{release}
|
||||
Obsoletes: ssh-extras
|
||||
|
||||
%package askpass-gnome
|
||||
Summary: A passphrase dialog for OpenSSH, X, and GNOME.
|
||||
Group: Applications/Internet
|
||||
Requires: openssh = %{version}-%{release}
|
||||
Obsoletes: ssh-extras
|
||||
|
||||
%description
|
||||
SSH (Secure SHell) is a program for logging into and executing
|
||||
commands on a remote machine. SSH is intended to replace rlogin and
|
||||
rsh, and to provide secure encrypted communications between two
|
||||
untrusted hosts over an insecure network. X11 connections and
|
||||
arbitrary TCP/IP ports can also be forwarded over the secure channel.
|
||||
|
||||
OpenSSH is OpenBSD's version of the last free version of SSH, bringing
|
||||
it up to date in terms of security and features, as well as removing
|
||||
all patented algorithms to separate libraries.
|
||||
|
||||
This package includes the core files necessary for both the OpenSSH
|
||||
client and server. To make this package useful, you should also
|
||||
install openssh-clients, openssh-server, or both.
|
||||
|
||||
%description clients
|
||||
OpenSSH is a free version of SSH (Secure SHell), a program for logging
|
||||
into and executing commands on a remote machine. This package includes
|
||||
the clients necessary to make encrypted connections to SSH servers.
|
||||
You'll also need to install the openssh package on OpenSSH clients.
|
||||
|
||||
%description server
|
||||
OpenSSH is a free version of SSH (Secure SHell), a program for logging
|
||||
into and executing commands on a remote machine. This package contains
|
||||
the secure shell daemon (sshd). The sshd daemon allows SSH clients to
|
||||
securely connect to your SSH server. You also need to have the openssh
|
||||
package installed.
|
||||
|
||||
%description askpass
|
||||
OpenSSH is a free version of SSH (Secure SHell), a program for logging
|
||||
into and executing commands on a remote machine. This package contains
|
||||
an X11 passphrase dialog for OpenSSH.
|
||||
|
||||
%description askpass-gnome
|
||||
OpenSSH is a free version of SSH (Secure SHell), a program for logging
|
||||
into and executing commands on a remote machine. This package contains
|
||||
an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop
|
||||
environment.
|
||||
|
||||
%prep
|
||||
|
||||
%if ! %{no_x11_askpass}
|
||||
%setup -q -a 1
|
||||
%else
|
||||
%setup -q
|
||||
%endif
|
||||
|
||||
%build
|
||||
%if %{rescue}
|
||||
CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
|
||||
%endif
|
||||
|
||||
%if %{kerberos5}
|
||||
K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | sed 's,\/include\/krb5.h,,'`
|
||||
echo K5DIR=$K5DIR
|
||||
%endif
|
||||
|
||||
%configure \
|
||||
--sysconfdir=%{_sysconfdir}/ssh \
|
||||
--libexecdir=%{_libexecdir}/openssh \
|
||||
--datadir=%{_datadir}/openssh \
|
||||
--with-tcp-wrappers \
|
||||
--with-rsh=%{_bindir}/rsh \
|
||||
--with-default-path=/usr/local/bin:/bin:/usr/bin \
|
||||
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
|
||||
--with-privsep-path=%{_var}/empty/sshd \
|
||||
--with-md5-passwords \
|
||||
%if %{scard}
|
||||
--with-smartcard \
|
||||
%endif
|
||||
%if %{rescue}
|
||||
--without-pam \
|
||||
%else
|
||||
--with-pam \
|
||||
%endif
|
||||
%if %{kerberos5}
|
||||
--with-kerberos5=$K5DIR \
|
||||
%endif
|
||||
|
||||
|
||||
%if %{static_libcrypto}
|
||||
perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
|
||||
%endif
|
||||
|
||||
make
|
||||
|
||||
%if ! %{no_x11_askpass}
|
||||
pushd x11-ssh-askpass-%{aversion}
|
||||
%configure --libexecdir=%{_libexecdir}/openssh
|
||||
xmkmf -a
|
||||
make
|
||||
popd
|
||||
%endif
|
||||
|
||||
# Define a variable to toggle gnome1/gtk2 building. This is necessary
|
||||
# because RPM doesn't handle nested %if statements.
|
||||
%if %{gtk2}
|
||||
gtk2=yes
|
||||
%else
|
||||
gtk2=no
|
||||
%endif
|
||||
|
||||
%if ! %{no_gnome_askpass}
|
||||
pushd contrib
|
||||
if [ $gtk2 = yes ] ; then
|
||||
make gnome-ssh-askpass2
|
||||
mv gnome-ssh-askpass2 gnome-ssh-askpass
|
||||
else
|
||||
make gnome-ssh-askpass1
|
||||
mv gnome-ssh-askpass1 gnome-ssh-askpass
|
||||
fi
|
||||
popd
|
||||
%endif
|
||||
|
||||
%install
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
|
||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
|
||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
|
||||
|
||||
make install DESTDIR=$RPM_BUILD_ROOT
|
||||
|
||||
install -d $RPM_BUILD_ROOT/etc/pam.d/
|
||||
install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
|
||||
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
|
||||
%if %{build6x}
|
||||
install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd
|
||||
%else
|
||||
install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
|
||||
%endif
|
||||
install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
|
||||
|
||||
%if ! %{no_x11_askpass}
|
||||
install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass
|
||||
ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
|
||||
%endif
|
||||
|
||||
%if ! %{no_gnome_askpass}
|
||||
install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
|
||||
%endif
|
||||
|
||||
%if ! %{scard}
|
||||
rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin
|
||||
%endif
|
||||
|
||||
%if ! %{no_gnome_askpass}
|
||||
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
|
||||
install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
|
||||
install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
|
||||
%endif
|
||||
|
||||
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
|
||||
|
||||
%clean
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
%triggerun server -- ssh-server
|
||||
if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; then
|
||||
touch /var/run/sshd.restart
|
||||
fi
|
||||
|
||||
%triggerun server -- openssh-server < 2.5.0p1
|
||||
# Count the number of HostKey and HostDsaKey statements we have.
|
||||
gawk 'BEGIN {IGNORECASE=1}
|
||||
/^hostkey/ || /^hostdsakey/ {sawhostkey = sawhostkey + 1}
|
||||
END {exit sawhostkey}' /etc/ssh/sshd_config
|
||||
# And if we only found one, we know the client was relying on the old default
|
||||
# behavior, which loaded the the SSH2 DSA host key when HostDsaKey wasn't
|
||||
# specified. Now that HostKey is used for both SSH1 and SSH2 keys, specifying
|
||||
# one nullifies the default, which would have loaded both.
|
||||
if [ $? -eq 1 ] ; then
|
||||
echo HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_config
|
||||
echo HostKey /etc/ssh/ssh_host_dsa_key >> /etc/ssh/sshd_config
|
||||
fi
|
||||
|
||||
%triggerpostun server -- ssh-server
|
||||
if [ "$1" != 0 ] ; then
|
||||
/sbin/chkconfig --add sshd
|
||||
if test -f /var/run/sshd.restart ; then
|
||||
rm -f /var/run/sshd.restart
|
||||
/sbin/service sshd start > /dev/null 2>&1 || :
|
||||
fi
|
||||
fi
|
||||
|
||||
%pre server
|
||||
%{_sbindir}/groupadd -r -g %{sshd_gid} sshd 2>/dev/null || :
|
||||
%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
|
||||
-g sshd -M -r sshd 2>/dev/null || :
|
||||
|
||||
%post server
|
||||
/sbin/chkconfig --add sshd
|
||||
|
||||
%postun server
|
||||
/sbin/service sshd condrestart > /dev/null 2>&1 || :
|
||||
|
||||
%preun server
|
||||
if [ "$1" = 0 ]
|
||||
then
|
||||
/sbin/service sshd stop > /dev/null 2>&1 || :
|
||||
/sbin/chkconfig --del sshd
|
||||
fi
|
||||
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* RFC* TODO WARNING*
|
||||
%attr(0755,root,root) %{_bindir}/scp
|
||||
%attr(0644,root,root) %{_mandir}/man1/scp.1*
|
||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
|
||||
%if ! %{rescue}
|
||||
%attr(0755,root,root) %{_bindir}/ssh-keygen
|
||||
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
|
||||
%attr(0755,root,root) %dir %{_libexecdir}/openssh
|
||||
%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign
|
||||
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
|
||||
%endif
|
||||
%if %{scard}
|
||||
%attr(0755,root,root) %dir %{_datadir}/openssh
|
||||
%attr(0644,root,root) %{_datadir}/openssh/Ssh.bin
|
||||
%endif
|
||||
|
||||
%files clients
|
||||
%defattr(-,root,root)
|
||||
%attr(0755,root,root) %{_bindir}/ssh
|
||||
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
|
||||
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
|
||||
%attr(-,root,root) %{_bindir}/slogin
|
||||
%attr(-,root,root) %{_mandir}/man1/slogin.1*
|
||||
%if ! %{rescue}
|
||||
%attr(2755,root,nobody) %{_bindir}/ssh-agent
|
||||
%attr(0755,root,root) %{_bindir}/ssh-add
|
||||
%attr(0755,root,root) %{_bindir}/ssh-keyscan
|
||||
%attr(0755,root,root) %{_bindir}/sftp
|
||||
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
|
||||
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
|
||||
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
|
||||
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
|
||||
%endif
|
||||
|
||||
%if ! %{rescue}
|
||||
%files server
|
||||
%defattr(-,root,root)
|
||||
%dir %attr(0111,root,root) %{_var}/empty/sshd
|
||||
%attr(0755,root,root) %{_sbindir}/sshd
|
||||
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
|
||||
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
|
||||
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
|
||||
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
|
||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
||||
%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
|
||||
%attr(0755,root,root) %config /etc/rc.d/init.d/sshd
|
||||
%endif
|
||||
|
||||
%if ! %{no_x11_askpass}
|
||||
%files askpass
|
||||
%defattr(-,root,root)
|
||||
%doc x11-ssh-askpass-%{aversion}/README
|
||||
%doc x11-ssh-askpass-%{aversion}/ChangeLog
|
||||
%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad
|
||||
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
|
||||
%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass
|
||||
%endif
|
||||
|
||||
%if ! %{no_gnome_askpass}
|
||||
%files askpass-gnome
|
||||
%defattr(-,root,root)
|
||||
%attr(0755,root,root) %config %{_sysconfdir}/profile.d/gnome-ssh-askpass.*
|
||||
%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jun 2 2003 Damien Miller <djm@mindrot.org>
|
||||
- Remove noip6 option. This may be controlled at run-time in client config
|
||||
file using new AddressFamily directive
|
||||
|
||||
* Mon May 12 2003 Damien Miller <djm@mindrot.org>
|
||||
- Don't install profile.d scripts when not building with GNOME/GTK askpass
|
||||
(patch from bet@rahul.net)
|
||||
|
||||
* Wed Oct 01 2002 Damien Miller <djm@mindrot.org>
|
||||
- Install ssh-agent setgid nobody to prevent ptrace() key theft attacks
|
||||
|
||||
* Mon Sep 30 2002 Damien Miller <djm@mindrot.org>
|
||||
- Use contrib/ Makefile for building askpass programs
|
||||
|
||||
* Fri Jun 21 2002 Damien Miller <djm@mindrot.org>
|
||||
- Merge in spec changes from seba@iq.pl (Sebastian Pachuta)
|
||||
- Add new {ssh,sshd}_config.5 manpages
|
||||
- Add new ssh-keysign program and remove setuid from ssh client
|
||||
|
||||
* Fri May 10 2002 Damien Miller <djm@mindrot.org>
|
||||
- Merge in spec changes from RedHat, reorgansie a little
|
||||
- Add Privsep user, group and directory
|
||||
|
||||
* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-2
|
||||
- bump and grind (through the build system)
|
||||
|
||||
* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-1
|
||||
- require sharutils for building (mindrot #137)
|
||||
- require db1-devel only when building for 6.x (#55105), which probably won't
|
||||
work anyway (3.1 requires OpenSSL 0.9.6 to build), but what the heck
|
||||
- require pam-devel by file (not by package name) again
|
||||
- add Markus's patch to compile with OpenSSL 0.9.5a (from
|
||||
http://bugzilla.mindrot.org/show_bug.cgi?id=141) and apply it if we're
|
||||
building for 6.x
|
||||
|
||||
* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-0
|
||||
- update to 3.1p1
|
||||
|
||||
* Tue Mar 5 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020305
|
||||
- update to SNAP-20020305
|
||||
- drop debug patch, fixed upstream
|
||||
|
||||
* Wed Feb 20 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020220
|
||||
- update to SNAP-20020220 for testing purposes (you've been warned, if there's
|
||||
anything to be warned about, gss patches won't apply, I don't mind)
|
||||
|
||||
* Wed Feb 13 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-3
|
||||
- add patches from Simon Wilkinson and Nicolas Williams for GSSAPI key
|
||||
exchange, authentication, and named key support
|
||||
|
||||
* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-2
|
||||
- remove dependency on db1-devel, which has just been swallowed up whole
|
||||
by gnome-libs-devel
|
||||
|
||||
* Sun Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- adjust build dependencies so that build6x actually works right (fix
|
||||
from Hugo van der Kooij)
|
||||
|
||||
* Tue Dec 4 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-1
|
||||
- update to 3.0.2p1
|
||||
|
||||
* Fri Nov 16 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.1p1-1
|
||||
- update to 3.0.1p1
|
||||
|
||||
* Tue Nov 13 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- update to current CVS (not for use in distribution)
|
||||
|
||||
* Thu Nov 8 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0p1-1
|
||||
- merge some of Damien Miller <djm@mindrot.org> changes from the upstream
|
||||
3.0p1 spec file and init script
|
||||
|
||||
* Wed Nov 7 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- update to 3.0p1
|
||||
- update to x11-ssh-askpass 1.2.4.1
|
||||
- change build dependency on a file from pam-devel to the pam-devel package
|
||||
- replace primes with moduli
|
||||
|
||||
* Thu Sep 27 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-9
|
||||
- incorporate fix from Markus Friedl's advisory for IP-based authorization bugs
|
||||
|
||||
* Thu Sep 13 2001 Bernhard Rosenkraenzer <bero@redhat.com> 2.9p2-8
|
||||
- Merge changes to rescue build from current sysadmin survival cd
|
||||
|
||||
* Thu Sep 6 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-7
|
||||
- fix scp's server's reporting of file sizes, and build with the proper
|
||||
preprocessor define to get large-file capable open(), stat(), etc.
|
||||
(sftp has been doing this correctly all along) (#51827)
|
||||
- configure without --with-ipv4-default on RHL 7.x and newer (#45987,#52247)
|
||||
- pull cvs patch to fix support for /etc/nologin for non-PAM logins (#47298)
|
||||
- mark profile.d scriptlets as config files (#42337)
|
||||
- refer to Jason Stone's mail for zsh workaround for exit-hanging quasi-bug
|
||||
- change a couple of log() statements to debug() statements (#50751)
|
||||
- pull cvs patch to add -t flag to sshd (#28611)
|
||||
- clear fd_sets correctly (one bit per FD, not one byte per FD) (#43221)
|
||||
|
||||
* Mon Aug 20 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-6
|
||||
- add db1-devel as a BuildPrerequisite (noted by Hans Ecke)
|
||||
|
||||
* Thu Aug 16 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- pull cvs patch to fix remote port forwarding with protocol 2
|
||||
|
||||
* Thu Aug 9 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- pull cvs patch to add session initialization to no-pty sessions
|
||||
- pull cvs patch to not cut off challengeresponse auth needlessly
|
||||
- refuse to do X11 forwarding if xauth isn't there, handy if you enable
|
||||
it by default on a system that doesn't have X installed (#49263)
|
||||
|
||||
* Wed Aug 8 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- don't apply patches to code we don't intend to build (spotted by Matt Galgoci)
|
||||
|
||||
* Mon Aug 6 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- pass OPTIONS correctly to initlog (#50151)
|
||||
|
||||
* Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- switch to x11-ssh-askpass 1.2.2
|
||||
|
||||
* Wed Jul 11 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- rebuild in new environment
|
||||
|
||||
* Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- disable the gssapi patch
|
||||
|
||||
* Mon Jun 18 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- update to 2.9p2
|
||||
- refresh to a new version of the gssapi patch
|
||||
|
||||
* Thu Jun 7 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- change Copyright: BSD to License: BSD
|
||||
- add Markus Friedl's unverified patch for the cookie file deletion problem
|
||||
so that we can verify it
|
||||
- drop patch to check if xauth is present (was folded into cookie patch)
|
||||
- don't apply gssapi patches for the errata candidate
|
||||
- clear supplemental groups list at startup
|
||||
|
||||
* Fri May 25 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- fix an error parsing the new default sshd_config
|
||||
- add a fix from Markus Friedl (via openssh-unix-dev) for ssh-keygen not
|
||||
dealing with comments right
|
||||
|
||||
* Thu May 24 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- add in Simon Wilkinson's GSSAPI patch to give it some testing in-house,
|
||||
to be removed before the next beta cycle because it's a big departure
|
||||
from the upstream version
|
||||
|
||||
* Thu May 3 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- finish marking strings in the init script for translation
|
||||
- modify init script to source /etc/sysconfig/sshd and pass $OPTIONS to sshd
|
||||
at startup (change merged from openssh.com init script, originally by
|
||||
Pekka Savola)
|
||||
- refuse to do X11 forwarding if xauth isn't there, handy if you enable
|
||||
it by default on a system that doesn't have X installed
|
||||
|
||||
* Wed May 2 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- update to 2.9
|
||||
- drop various patches that came from or went upstream or to or from CVS
|
||||
|
||||
* Wed Apr 18 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- only require initscripts 5.00 on 6.2 (reported by Peter Bieringer)
|
||||
|
||||
* Sun Apr 8 2001 Preston Brown <pbrown@redhat.com>
|
||||
- remove explicit openssl requirement, fixes builddistro issue
|
||||
- make initscript stop() function wait until sshd really dead to avoid
|
||||
races in condrestart
|
||||
|
||||
* Mon Apr 2 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- mention that challengereponse supports PAM, so disabling password doesn't
|
||||
limit users to pubkey and rsa auth (#34378)
|
||||
- bypass the daemon() function in the init script and call initlog directly,
|
||||
because daemon() won't start a daemon it detects is already running (like
|
||||
open connections)
|
||||
- require the version of openssl we had when we were built
|
||||
|
||||
* Fri Mar 23 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- make do_pam_setcred() smart enough to know when to establish creds and
|
||||
when to reinitialize them
|
||||
- add in a couple of other fixes from Damien for inclusion in the errata
|
||||
|
||||
* Thu Mar 22 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- update to 2.5.2p2
|
||||
- call setcred() again after initgroups, because the "creds" could actually
|
||||
be group memberships
|
||||
|
||||
* Tue Mar 20 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- update to 2.5.2p1 (includes endianness fixes in the rijndael implementation)
|
||||
- don't enable challenge-response by default until we find a way to not
|
||||
have too many userauth requests (we may make up to six pubkey and up to
|
||||
three password attempts as it is)
|
||||
- remove build dependency on rsh to match openssh.com's packages more closely
|
||||
|
||||
* Sat Mar 3 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- remove dependency on openssl -- would need to be too precise
|
||||
|
||||
* Fri Mar 2 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- rebuild in new environment
|
||||
|
||||
* Mon Feb 26 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Revert the patch to move pam_open_session.
|
||||
- Init script and spec file changes from Pekka Savola. (#28750)
|
||||
- Patch sftp to recognize '-o protocol' arguments. (#29540)
|
||||
|
||||
* Thu Feb 22 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Chuck the closing patch.
|
||||
- Add a trigger to add host keys for protocol 2 to the config file, now that
|
||||
configuration file syntax requires us to specify it with HostKey if we
|
||||
specify any other HostKey values, which we do.
|
||||
|
||||
* Tue Feb 20 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Redo patch to move pam_open_session after the server setuid()s to the user.
|
||||
- Rework the nopam patch to use be picked up by autoconf.
|
||||
|
||||
* Mon Feb 19 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update for 2.5.1p1.
|
||||
- Add init script mods from Pekka Savola.
|
||||
- Tweak the init script to match the CVS contrib script more closely.
|
||||
- Redo patch to ssh-add to try to adding both identity and id_dsa to also try
|
||||
adding id_rsa.
|
||||
|
||||
* Fri Feb 16 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update for 2.5.0p1.
|
||||
- Use $RPM_OPT_FLAGS instead of -O when building gnome-ssh-askpass
|
||||
- Resync with parts of Damien Miller's openssh.spec from CVS, including
|
||||
update of x11 askpass to 1.2.0.
|
||||
- Only require openssl (don't prereq) because we generate keys in the init
|
||||
script now.
|
||||
|
||||
* Tue Feb 13 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Don't open a PAM session until we've forked and become the user (#25690).
|
||||
- Apply Andrew Bartlett's patch for letting pam_authenticate() know which
|
||||
host the user is attempting a login from.
|
||||
- Resync with parts of Damien Miller's openssh.spec from CVS.
|
||||
- Don't expose KbdInt responses in debug messages (from CVS).
|
||||
- Detect and handle errors in rsa_{public,private}_decrypt (from CVS).
|
||||
|
||||
* Wed Feb 7 2001 Trond Eivind Glomsrxd <teg@redhat.com>
|
||||
- i18n-tweak to initscript.
|
||||
|
||||
* Tue Jan 23 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- More gettextizing.
|
||||
- Close all files after going into daemon mode (needs more testing).
|
||||
- Extract patch from CVS to handle auth banners (in the client).
|
||||
- Extract patch from CVS to handle compat weirdness.
|
||||
|
||||
* Fri Jan 19 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Finish with the gettextizing.
|
||||
|
||||
* Thu Jan 18 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Fix a bug in auth2-pam.c (#23877)
|
||||
- Gettextize the init script.
|
||||
|
||||
* Wed Dec 20 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Incorporate a switch for using PAM configs for 6.x, just in case.
|
||||
|
||||
* Tue Dec 5 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Incorporate Bero's changes for a build specifically for rescue CDs.
|
||||
|
||||
* Wed Nov 29 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Don't treat pam_setcred() failure as fatal unless pam_authenticate() has
|
||||
succeeded, to allow public-key authentication after a failure with "none"
|
||||
authentication. (#21268)
|
||||
|
||||
* Tue Nov 28 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update to x11-askpass 1.1.1. (#21301)
|
||||
- Don't second-guess fixpaths, which causes paths to get fixed twice. (#21290)
|
||||
|
||||
* Mon Nov 27 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Merge multiple PAM text messages into subsequent prompts when possible when
|
||||
doing keyboard-interactive authentication.
|
||||
|
||||
* Sun Nov 26 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Disable the built-in MD5 password support. We're using PAM.
|
||||
- Take a crack at doing keyboard-interactive authentication with PAM, and
|
||||
enable use of it in the default client configuration so that the client
|
||||
will try it when the server disallows password authentication.
|
||||
- Build with debugging flags. Build root policies strip all binaries anyway.
|
||||
|
||||
* Tue Nov 21 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Use DESTDIR instead of %%makeinstall.
|
||||
- Remove /usr/X11R6/bin from the path-fixing patch.
|
||||
|
||||
* Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Add the primes file from the latest snapshot to the main package (#20884).
|
||||
- Add the dev package to the prereq list (#19984).
|
||||
- Remove the default path and mimic login's behavior in the server itself.
|
||||
|
||||
* Fri Nov 17 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Resync with conditional options in Damien Miller's .spec file for an errata.
|
||||
- Change libexecdir from %%{_libexecdir}/ssh to %%{_libexecdir}/openssh.
|
||||
|
||||
* Tue Nov 7 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update to OpenSSH 2.3.0p1.
|
||||
- Update to x11-askpass 1.1.0.
|
||||
- Enable keyboard-interactive authentication.
|
||||
|
||||
* Mon Oct 30 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update to ssh-askpass-x11 1.0.3.
|
||||
- Change authentication related messages to be private (#19966).
|
||||
|
||||
* Tue Oct 10 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Patch ssh-keygen to be able to list signatures for DSA public key files
|
||||
it generates.
|
||||
|
||||
* Thu Oct 5 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Add BuildPreReq on /usr/include/security/pam_appl.h to be sure we always
|
||||
build PAM authentication in.
|
||||
- Try setting SSH_ASKPASS if gnome-ssh-askpass is installed.
|
||||
- Clean out no-longer-used patches.
|
||||
- Patch ssh-add to try to add both identity and id_dsa, and to error only
|
||||
when neither exists.
|
||||
|
||||
* Mon Oct 2 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update x11-askpass to 1.0.2. (#17835)
|
||||
- Add BuildPreReqs for /bin/login and /usr/bin/rsh so that configure will
|
||||
always find them in the right place. (#17909)
|
||||
- Set the default path to be the same as the one supplied by /bin/login, but
|
||||
add /usr/X11R6/bin. (#17909)
|
||||
- Try to handle obsoletion of ssh-server more cleanly. Package names
|
||||
are different, but init script name isn't. (#17865)
|
||||
|
||||
* Wed Sep 6 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update to 2.2.0p1. (#17835)
|
||||
- Tweak the init script to allow proper restarting. (#18023)
|
||||
|
||||
* Wed Aug 23 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update to 20000823 snapshot.
|
||||
- Change subpackage requirements from %%{version} to %%{version}-%%{release}
|
||||
- Back out the pipe patch.
|
||||
|
||||
* Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update to 2.1.1p4, which includes fixes for config file parsing problems.
|
||||
- Move the init script back.
|
||||
- Add Damien's quick fix for wackiness.
|
||||
|
||||
* Wed Jul 12 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update to 2.1.1p3, which includes fixes for X11 forwarding and strtok().
|
||||
|
||||
* Thu Jul 6 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Move condrestart to server postun.
|
||||
- Move key generation to init script.
|
||||
- Actually use the right patch for moving the key generation to the init script.
|
||||
- Clean up the init script a bit.
|
||||
|
||||
* Wed Jul 5 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Fix X11 forwarding, from mail post by Chan Shih-Ping Richard.
|
||||
|
||||
* Sun Jul 2 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update to 2.1.1p2.
|
||||
- Use of strtok() considered harmful.
|
||||
|
||||
* Sat Jul 1 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Get the build root out of the man pages.
|
||||
|
||||
* Thu Jun 29 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Add and use condrestart support in the init script.
|
||||
- Add newer initscripts as a prereq.
|
||||
|
||||
* Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Build in new environment (release 2)
|
||||
- Move -clients subpackage to Applications/Internet group
|
||||
|
||||
* Fri Jun 9 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update to 2.2.1p1
|
||||
|
||||
* Sat Jun 3 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Patch to build with neither RSA nor RSAref.
|
||||
- Miscellaneous FHS-compliance tweaks.
|
||||
- Fix for possibly-compressed man pages.
|
||||
|
||||
* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
|
||||
- Updated for new location
|
||||
- Updated for new gnome-ssh-askpass build
|
||||
|
||||
* Sun Dec 26 1999 Damien Miller <djm@mindrot.org>
|
||||
- Added Jim Knoble's <jmknoble@pobox.com> askpass
|
||||
|
||||
* Mon Nov 15 1999 Damien Miller <djm@mindrot.org>
|
||||
- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com>
|
||||
|
||||
* Sat Nov 13 1999 Damien Miller <djm@mindrot.org>
|
||||
- Added 'Obsoletes' directives
|
||||
|
||||
* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Use make install
|
||||
- Subpackages
|
||||
|
||||
* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Added links for slogin
|
||||
- Fixed perms on manpages
|
||||
|
||||
* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Renamed init script
|
||||
|
||||
* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Back to old binary names
|
||||
|
||||
* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Use autoconf
|
||||
- New binary names
|
||||
|
||||
* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec.
|
163
contrib/redhat/sshd.init
Executable file
163
contrib/redhat/sshd.init
Executable file
@ -0,0 +1,163 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# Init file for OpenSSH server daemon
|
||||
#
|
||||
# chkconfig: 2345 55 25
|
||||
# description: OpenSSH server daemon
|
||||
#
|
||||
# processname: sshd
|
||||
# config: /etc/ssh/ssh_host_key
|
||||
# config: /etc/ssh/ssh_host_key.pub
|
||||
# config: /etc/ssh/ssh_random_seed
|
||||
# config: /etc/ssh/sshd_config
|
||||
# pidfile: /var/run/sshd.pid
|
||||
|
||||
# source function library
|
||||
. /etc/rc.d/init.d/functions
|
||||
|
||||
# pull in sysconfig settings
|
||||
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
|
||||
|
||||
RETVAL=0
|
||||
prog="sshd"
|
||||
|
||||
# Some functions to make the below more readable
|
||||
KEYGEN=/usr/bin/ssh-keygen
|
||||
SSHD=/usr/sbin/sshd
|
||||
RSA1_KEY=/etc/ssh/ssh_host_key
|
||||
RSA_KEY=/etc/ssh/ssh_host_rsa_key
|
||||
DSA_KEY=/etc/ssh/ssh_host_dsa_key
|
||||
PID_FILE=/var/run/sshd.pid
|
||||
|
||||
do_rsa1_keygen() {
|
||||
if [ ! -s $RSA1_KEY ]; then
|
||||
echo -n $"Generating SSH1 RSA host key: "
|
||||
if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
|
||||
chmod 600 $RSA1_KEY
|
||||
chmod 644 $RSA1_KEY.pub
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
/sbin/restorecon $RSA1_KEY.pub
|
||||
fi
|
||||
success $"RSA1 key generation"
|
||||
echo
|
||||
else
|
||||
failure $"RSA1 key generation"
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
do_rsa_keygen() {
|
||||
if [ ! -s $RSA_KEY ]; then
|
||||
echo -n $"Generating SSH2 RSA host key: "
|
||||
if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
|
||||
chmod 600 $RSA_KEY
|
||||
chmod 644 $RSA_KEY.pub
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
/sbin/restorecon $RSA_KEY.pub
|
||||
fi
|
||||
success $"RSA key generation"
|
||||
echo
|
||||
else
|
||||
failure $"RSA key generation"
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
do_dsa_keygen() {
|
||||
if [ ! -s $DSA_KEY ]; then
|
||||
echo -n $"Generating SSH2 DSA host key: "
|
||||
if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
|
||||
chmod 600 $DSA_KEY
|
||||
chmod 644 $DSA_KEY.pub
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
/sbin/restorecon $DSA_KEY.pub
|
||||
fi
|
||||
success $"DSA key generation"
|
||||
echo
|
||||
else
|
||||
failure $"DSA key generation"
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
do_restart_sanity_check()
|
||||
{
|
||||
$SSHD -t
|
||||
RETVAL=$?
|
||||
if [ ! "$RETVAL" = 0 ]; then
|
||||
failure $"Configuration file or keys are invalid"
|
||||
echo
|
||||
fi
|
||||
}
|
||||
|
||||
start()
|
||||
{
|
||||
# Create keys if necessary
|
||||
do_rsa1_keygen
|
||||
do_rsa_keygen
|
||||
do_dsa_keygen
|
||||
|
||||
echo -n $"Starting $prog:"
|
||||
initlog -c "$SSHD $OPTIONS" && success || failure
|
||||
RETVAL=$?
|
||||
[ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
|
||||
echo
|
||||
}
|
||||
|
||||
stop()
|
||||
{
|
||||
echo -n $"Stopping $prog:"
|
||||
killproc $SSHD -TERM
|
||||
RETVAL=$?
|
||||
[ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd
|
||||
echo
|
||||
}
|
||||
|
||||
reload()
|
||||
{
|
||||
echo -n $"Reloading $prog:"
|
||||
killproc $SSHD -HUP
|
||||
RETVAL=$?
|
||||
echo
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
start
|
||||
;;
|
||||
stop)
|
||||
stop
|
||||
;;
|
||||
restart)
|
||||
stop
|
||||
start
|
||||
;;
|
||||
reload)
|
||||
reload
|
||||
;;
|
||||
condrestart)
|
||||
if [ -f /var/lock/subsys/sshd ] ; then
|
||||
do_restart_sanity_check
|
||||
if [ "$RETVAL" = 0 ] ; then
|
||||
stop
|
||||
# avoid race
|
||||
sleep 3
|
||||
start
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
status)
|
||||
status $SSHD
|
||||
RETVAL=$?
|
||||
;;
|
||||
*)
|
||||
echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
|
||||
RETVAL=1
|
||||
esac
|
||||
exit $RETVAL
|
172
contrib/redhat/sshd.init.old
Executable file
172
contrib/redhat/sshd.init.old
Executable file
@ -0,0 +1,172 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# Init file for OpenSSH server daemon
|
||||
#
|
||||
# chkconfig: 2345 55 25
|
||||
# description: OpenSSH server daemon
|
||||
#
|
||||
# processname: sshd
|
||||
# config: /etc/ssh/ssh_host_key
|
||||
# config: /etc/ssh/ssh_host_key.pub
|
||||
# config: /etc/ssh/ssh_random_seed
|
||||
# config: /etc/ssh/sshd_config
|
||||
# pidfile: /var/run/sshd.pid
|
||||
|
||||
# source function library
|
||||
. /etc/rc.d/init.d/functions
|
||||
|
||||
# pull in sysconfig settings
|
||||
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
|
||||
|
||||
RETVAL=0
|
||||
prog="sshd"
|
||||
|
||||
# Some functions to make the below more readable
|
||||
KEYGEN=/usr/bin/ssh-keygen
|
||||
SSHD=/usr/sbin/sshd
|
||||
RSA1_KEY=/etc/ssh/ssh_host_key
|
||||
RSA_KEY=/etc/ssh/ssh_host_rsa_key
|
||||
DSA_KEY=/etc/ssh/ssh_host_dsa_key
|
||||
PID_FILE=/var/run/sshd.pid
|
||||
|
||||
my_success() {
|
||||
local msg
|
||||
if [ $# -gt 1 ]; then
|
||||
msg="$2"
|
||||
else
|
||||
msg="done"
|
||||
fi
|
||||
case "`type -type success`" in
|
||||
function)
|
||||
success "$1"
|
||||
;;
|
||||
*)
|
||||
echo -n "${msg}"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
my_failure() {
|
||||
local msg
|
||||
if [ $# -gt 1 ]; then
|
||||
msg="$2"
|
||||
else
|
||||
msg="FAILED"
|
||||
fi
|
||||
case "`type -type failure`" in
|
||||
function)
|
||||
failure "$1"
|
||||
;;
|
||||
*)
|
||||
echo -n "${msg}"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
do_rsa1_keygen() {
|
||||
if [ ! -s $RSA1_KEY ]; then
|
||||
echo -n "Generating SSH1 RSA host key: "
|
||||
if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
|
||||
chmod 600 $RSA1_KEY
|
||||
chmod 644 $RSA1_KEY.pub
|
||||
my_success "RSA1 key generation"
|
||||
echo
|
||||
else
|
||||
my_failure "RSA1 key generation"
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
do_rsa_keygen() {
|
||||
if [ ! -s $RSA_KEY ]; then
|
||||
echo -n "Generating SSH2 RSA host key: "
|
||||
if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
|
||||
chmod 600 $RSA_KEY
|
||||
chmod 644 $RSA_KEY.pub
|
||||
my_success "RSA key generation"
|
||||
echo
|
||||
else
|
||||
my_failure "RSA key generation"
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
do_dsa_keygen() {
|
||||
if [ ! -s $DSA_KEY ]; then
|
||||
echo -n "Generating SSH2 DSA host key: "
|
||||
if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
|
||||
chmod 600 $DSA_KEY
|
||||
chmod 644 $DSA_KEY.pub
|
||||
my_success "DSA key generation"
|
||||
echo
|
||||
else
|
||||
my_failure "DSA key generation"
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
do_restart_sanity_check() {
|
||||
$SSHD -t
|
||||
RETVAL=$?
|
||||
if [ ! "$RETVAL" = 0 ]; then
|
||||
my_failure "Configuration file or keys"
|
||||
echo
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
# Create keys if necessary
|
||||
do_rsa1_keygen;
|
||||
do_rsa_keygen;
|
||||
do_dsa_keygen;
|
||||
|
||||
echo -n "Starting sshd: "
|
||||
if [ ! -f $PID_FILE ] ; then
|
||||
sshd $OPTIONS
|
||||
RETVAL=$?
|
||||
if [ "$RETVAL" = "0" ] ; then
|
||||
my_success "sshd startup" "sshd"
|
||||
touch /var/lock/subsys/sshd
|
||||
else
|
||||
my_failure "sshd startup" ""
|
||||
fi
|
||||
fi
|
||||
echo
|
||||
;;
|
||||
stop)
|
||||
echo -n "Shutting down sshd: "
|
||||
if [ -f $PID_FILE ] ; then
|
||||
killproc sshd
|
||||
RETVAL=$?
|
||||
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
|
||||
fi
|
||||
echo
|
||||
;;
|
||||
restart)
|
||||
do_restart_sanity_check
|
||||
$0 stop
|
||||
$0 start
|
||||
RETVAL=$?
|
||||
;;
|
||||
condrestart)
|
||||
if [ -f /var/lock/subsys/sshd ] ; then
|
||||
do_restart_sanity_check
|
||||
$0 stop
|
||||
$0 start
|
||||
RETVAL=$?
|
||||
fi
|
||||
;;
|
||||
status)
|
||||
status sshd
|
||||
RETVAL=$?
|
||||
;;
|
||||
*)
|
||||
echo "Usage: sshd {start|stop|restart|status|condrestart}"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit $RETVAL
|
6
contrib/redhat/sshd.pam
Normal file
6
contrib/redhat/sshd.pam
Normal file
@ -0,0 +1,6 @@
|
||||
#%PAM-1.0
|
||||
auth required pam_stack.so service=system-auth
|
||||
auth required pam_nologin.so
|
||||
account required pam_stack.so service=system-auth
|
||||
password required pam_stack.so service=system-auth
|
||||
session required pam_stack.so service=system-auth
|
8
contrib/redhat/sshd.pam.old
Normal file
8
contrib/redhat/sshd.pam.old
Normal file
@ -0,0 +1,8 @@
|
||||
#%PAM-1.0
|
||||
auth required /lib/security/pam_pwdb.so shadow nodelay
|
||||
auth required /lib/security/pam_nologin.so
|
||||
account required /lib/security/pam_pwdb.so
|
||||
password required /lib/security/pam_cracklib.so
|
||||
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
|
||||
session required /lib/security/pam_pwdb.so
|
||||
session required /lib/security/pam_limits.so
|
30
contrib/solaris/README
Executable file
30
contrib/solaris/README
Executable file
@ -0,0 +1,30 @@
|
||||
The following is a new package build script for Solaris. This is being
|
||||
introduced into OpenSSH 3.0 and above in hopes of simplifying the build
|
||||
process. As of 3.1p2 the script should work on all platforms that have
|
||||
SVR4 style package tools.
|
||||
|
||||
The build process is called a 'dummy install'.. Which means the software does
|
||||
a "make install-nokeys DESTDIR=[fakeroot]". This way all manpages should
|
||||
be handled correctly and key are defered until the first time the sshd
|
||||
is started.
|
||||
|
||||
Directions:
|
||||
|
||||
1. make -F Makefile.in distprep (Only if you are getting from the CVS tree)
|
||||
2. ./configure --with-pam [..any other options you want..]
|
||||
3. look at the top of buildpkg.sh for the configurable options and put
|
||||
any changes you want in openssh-config.local. Additional customizations
|
||||
can be done to the build process by creating one or more of the following
|
||||
scripts that will be sourced by buildpkg.sh.
|
||||
pkg_post_make_install_fixes.sh pkg-post-prototype-edit.sh
|
||||
pkg-preinstall.local pkg-postinstall.local pkg-preremove.local
|
||||
pkg-postremove.local pkg-request.local
|
||||
4. Run "make package"
|
||||
|
||||
If all goes well you should have a solaris package ready to be installed.
|
||||
|
||||
If you have any problems with this script please post them to
|
||||
openssh-unix-dev@mindrot.org and I will try to assist you as best as I can.
|
||||
|
||||
- Ben Lindstrom
|
||||
|
50
contrib/ssh-copy-id
Normal file
50
contrib/ssh-copy-id
Normal file
@ -0,0 +1,50 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Shell script to install your identity.pub on a remote machine
|
||||
# Takes the remote machine name as an argument.
|
||||
# Obviously, the remote machine must accept password authentication,
|
||||
# or one of the other keys in your ssh-agent, for this to work.
|
||||
|
||||
ID_FILE="${HOME}/.ssh/identity.pub"
|
||||
|
||||
if [ "-i" = "$1" ]; then
|
||||
shift
|
||||
# check if we have 2 parameters left, if so the first is the new ID file
|
||||
if [ -n "$2" ]; then
|
||||
if expr "$1" : ".*\.pub" ; then
|
||||
ID_FILE="$1"
|
||||
else
|
||||
ID_FILE="$1.pub"
|
||||
fi
|
||||
shift # and this should leave $1 as the target name
|
||||
fi
|
||||
else
|
||||
if [ x$SSH_AUTH_SOCK != x ] ; then
|
||||
GET_ID="$GET_ID ssh-add -L"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then
|
||||
GET_ID="cat ${ID_FILE}"
|
||||
fi
|
||||
|
||||
if [ -z "`eval $GET_ID`" ]; then
|
||||
echo "$0: ERROR: No identities found" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
|
||||
echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1
|
||||
|
||||
cat <<EOF
|
||||
Now try logging into the machine, with "ssh '$1'", and check in:
|
||||
|
||||
.ssh/authorized_keys
|
||||
|
||||
to make sure we haven't added extra keys that you weren't expecting.
|
||||
|
||||
EOF
|
67
contrib/ssh-copy-id.1
Normal file
67
contrib/ssh-copy-id.1
Normal file
@ -0,0 +1,67 @@
|
||||
.ig \" -*- nroff -*-
|
||||
Copyright (c) 1999 Philip Hands Computing <http://www.hands.com/>
|
||||
|
||||
Permission is granted to make and distribute verbatim copies of
|
||||
this manual provided the copyright notice and this permission notice
|
||||
are preserved on all copies.
|
||||
|
||||
Permission is granted to copy and distribute modified versions of this
|
||||
manual under the conditions for verbatim copying, provided that the
|
||||
entire resulting derived work is distributed under the terms of a
|
||||
permission notice identical to this one.
|
||||
|
||||
Permission is granted to copy and distribute translations of this
|
||||
manual into another language, under the above conditions for modified
|
||||
versions, except that this permission notice may be included in
|
||||
translations approved by the Free Software Foundation instead of in
|
||||
the original English.
|
||||
..
|
||||
.TH SSH-COPY-ID 1 "14 November 1999" "OpenSSH"
|
||||
.SH NAME
|
||||
ssh-copy-id \- install your identity.pub in a remote machine's authorized_keys
|
||||
.SH SYNOPSIS
|
||||
.B ssh-copy-id [-i [identity_file]]
|
||||
.I "[user@]machine"
|
||||
.br
|
||||
.SH DESCRIPTION
|
||||
.BR ssh-copy-id
|
||||
is a script that uses ssh to log into a remote machine (presumably
|
||||
using a login password, so password authentication should be enabled,
|
||||
unless you've done some clever use of multiple identities)
|
||||
.PP
|
||||
It also changes the permissions of the remote user's home,
|
||||
.BR ~/.ssh ,
|
||||
and
|
||||
.B ~/.ssh/authorized_keys
|
||||
to remove group writability (which would otherwise prevent you from logging in, if the remote
|
||||
.B sshd
|
||||
has
|
||||
.B StrictModes
|
||||
set in its configuration).
|
||||
.PP
|
||||
If the
|
||||
.B -i
|
||||
option is given then the identity file (defaults to
|
||||
.BR ~/.ssh/identity.pub )
|
||||
is used, regardless of whether there are any keys in your
|
||||
.BR ssh-agent .
|
||||
Otherwise, if this:
|
||||
.PP
|
||||
.B " ssh-add -L"
|
||||
.PP
|
||||
provides any output, it uses that in preference to the identity file.
|
||||
.PP
|
||||
If the
|
||||
.B -i
|
||||
option is used, or the
|
||||
.B ssh-add
|
||||
produced no output, then it uses the contents of the identity
|
||||
file. Once it has one or more fingerprints (by whatever means) it
|
||||
uses ssh to append them to
|
||||
.B ~/.ssh/authorized_keys
|
||||
on the remote machine (creating the file, and directory, if necessary)
|
||||
|
||||
.SH "SEE ALSO"
|
||||
.BR ssh (1),
|
||||
.BR ssh-agent (1),
|
||||
.BR sshd (8)
|
5
contrib/sshd.pam.freebsd
Normal file
5
contrib/sshd.pam.freebsd
Normal file
@ -0,0 +1,5 @@
|
||||
sshd auth required pam_unix.so try_first_pass
|
||||
sshd account required pam_unix.so
|
||||
sshd password required pam_permit.so
|
||||
sshd session required pam_permit.so
|
||||
|
8
contrib/sshd.pam.generic
Normal file
8
contrib/sshd.pam.generic
Normal file
@ -0,0 +1,8 @@
|
||||
#%PAM-1.0
|
||||
auth required /lib/security/pam_unix.so shadow nodelay
|
||||
auth required /lib/security/pam_nologin.so
|
||||
account required /lib/security/pam_unix.so
|
||||
password required /lib/security/pam_cracklib.so
|
||||
password required /lib/security/pam_unix.so shadow nullok use_authtok
|
||||
session required /lib/security/pam_unix.so
|
||||
session required /lib/security/pam_limits.so
|
249
contrib/suse/openssh.spec
Normal file
249
contrib/suse/openssh.spec
Normal file
@ -0,0 +1,249 @@
|
||||
# Default values for additional components
|
||||
%define build_x11_askpass 1
|
||||
|
||||
# Define the UID/GID to use for privilege separation
|
||||
%define sshd_gid 65
|
||||
%define sshd_uid 71
|
||||
|
||||
# The version of x11-ssh-askpass to use
|
||||
%define xversion 1.2.4.1
|
||||
|
||||
# Allow the ability to override defaults with -D skip_xxx=1
|
||||
%{?skip_x11_askpass:%define build_x11_askpass 0}
|
||||
|
||||
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
|
||||
Name: openssh
|
||||
Version: 4.6p1
|
||||
URL: http://www.openssh.com/
|
||||
Release: 1
|
||||
Source0: openssh-%{version}.tar.gz
|
||||
Source1: x11-ssh-askpass-%{xversion}.tar.gz
|
||||
License: BSD
|
||||
Group: Productivity/Networking/SSH
|
||||
BuildRoot: %{_tmppath}/openssh-%{version}-buildroot
|
||||
PreReq: openssl
|
||||
Obsoletes: ssh
|
||||
Provides: ssh
|
||||
#
|
||||
# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.)
|
||||
# building prerequisites -- stuff for
|
||||
# OpenSSL (openssl-devel),
|
||||
# TCP Wrappers (nkitb),
|
||||
# and Gnome (glibdev, gtkdev, and gnlibsd)
|
||||
#
|
||||
BuildPrereq: openssl
|
||||
BuildPrereq: nkitb
|
||||
#BuildPrereq: glibdev
|
||||
#BuildPrereq: gtkdev
|
||||
#BuildPrereq: gnlibsd
|
||||
|
||||
%package askpass
|
||||
Summary: A passphrase dialog for OpenSSH and the X window System.
|
||||
Group: Productivity/Networking/SSH
|
||||
Requires: openssh = %{version}
|
||||
Obsoletes: ssh-extras
|
||||
Provides: openssh:${_libdir}/ssh/ssh-askpass
|
||||
|
||||
%if %{build_x11_askpass}
|
||||
BuildPrereq: XFree86-devel
|
||||
%endif
|
||||
|
||||
%description
|
||||
Ssh (Secure Shell) is a program for logging into a remote machine and for
|
||||
executing commands in a remote machine. It is intended to replace
|
||||
rlogin and rsh, and provide secure encrypted communications between
|
||||
two untrusted hosts over an insecure network. X11 connections and
|
||||
arbitrary TCP/IP ports can also be forwarded over the secure channel.
|
||||
|
||||
OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
|
||||
up to date in terms of security and features, as well as removing all
|
||||
patented algorithms to seperate libraries (OpenSSL).
|
||||
|
||||
This package includes all files necessary for both the OpenSSH
|
||||
client and server.
|
||||
|
||||
%description askpass
|
||||
Ssh (Secure Shell) is a program for logging into a remote machine and for
|
||||
executing commands in a remote machine. It is intended to replace
|
||||
rlogin and rsh, and provide secure encrypted communications between
|
||||
two untrusted hosts over an insecure network. X11 connections and
|
||||
arbitrary TCP/IP ports can also be forwarded over the secure channel.
|
||||
|
||||
OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
|
||||
up to date in terms of security and features, as well as removing all
|
||||
patented algorithms to seperate libraries (OpenSSL).
|
||||
|
||||
This package contains an X Window System passphrase dialog for OpenSSH.
|
||||
|
||||
%changelog
|
||||
* Wed Oct 26 2005 Iain Morgan <imorgan@nas.nasa.gov>
|
||||
- Removed accidental inclusion of --without-zlib-version-check
|
||||
* Tue Oct 25 2005 Iain Morgan <imorgan@nas.nasa.gov>
|
||||
- Overhaul to deal with newer versions of SuSE and OpenSSH
|
||||
* Mon Jun 12 2000 Damien Miller <djm@mindrot.org>
|
||||
- Glob manpages to catch compressed files
|
||||
* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
|
||||
- Updated for new location
|
||||
- Updated for new gnome-ssh-askpass build
|
||||
* Sun Dec 26 1999 Chris Saia <csaia@wtower.com>
|
||||
- Made symlink to gnome-ssh-askpass called ssh-askpass
|
||||
* Wed Nov 24 1999 Chris Saia <csaia@wtower.com>
|
||||
- Removed patches that included /etc/pam.d/sshd, /sbin/init.d/rc.sshd, and
|
||||
/var/adm/fillup-templates/rc.config.sshd, since Damien merged these into
|
||||
his released tarfile
|
||||
- Changed permissions on ssh_config in the install procedure to 644 from 600
|
||||
even though it was correct in the %files section and thus right in the RPMs
|
||||
- Postinstall script for the server now only prints "Generating SSH host
|
||||
key..." if we need to actually do this, in order to eliminate a confusing
|
||||
message if an SSH host key is already in place
|
||||
- Marked all manual pages as %doc(umentation)
|
||||
* Mon Nov 22 1999 Chris Saia <csaia@wtower.com>
|
||||
- Added flag to configure daemon with TCP Wrappers support
|
||||
- Added building prerequisites (works in RPM 3.0 and newer)
|
||||
* Thu Nov 18 1999 Chris Saia <csaia@wtower.com>
|
||||
- Made this package correct for SuSE.
|
||||
- Changed instances of pam_pwdb.so to pam_unix.so, since it works more properly
|
||||
with SuSE, and lib_pwdb.so isn't installed by default.
|
||||
* Mon Nov 15 1999 Damien Miller <djm@mindrot.org>
|
||||
- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com>
|
||||
* Sat Nov 13 1999 Damien Miller <djm@mindrot.org>
|
||||
- Added 'Obsoletes' directives
|
||||
* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Use make install
|
||||
- Subpackages
|
||||
* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Added links for slogin
|
||||
- Fixed perms on manpages
|
||||
* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Renamed init script
|
||||
* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Back to old binary names
|
||||
* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Use autoconf
|
||||
- New binary names
|
||||
* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec.
|
||||
|
||||
%prep
|
||||
|
||||
%if %{build_x11_askpass}
|
||||
%setup -q -a 1
|
||||
%else
|
||||
%setup -q
|
||||
%endif
|
||||
|
||||
%build
|
||||
CFLAGS="$RPM_OPT_FLAGS" \
|
||||
%configure --prefix=/usr \
|
||||
--sysconfdir=%{_sysconfdir}/ssh \
|
||||
--mandir=%{_mandir} \
|
||||
--with-privsep-path=/var/lib/empty \
|
||||
--with-pam \
|
||||
--with-tcp-wrappers \
|
||||
--libexecdir=%{_libdir}/ssh
|
||||
make
|
||||
|
||||
%if %{build_x11_askpass}
|
||||
cd x11-ssh-askpass-%{xversion}
|
||||
%configure --mandir=/usr/X11R6/man \
|
||||
--libexecdir=%{_libdir}/ssh
|
||||
xmkmf -a
|
||||
make
|
||||
cd ..
|
||||
%endif
|
||||
|
||||
%install
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
make install DESTDIR=$RPM_BUILD_ROOT/
|
||||
install -d $RPM_BUILD_ROOT/etc/pam.d/
|
||||
install -d $RPM_BUILD_ROOT/etc/init.d/
|
||||
install -d $RPM_BUILD_ROOT/var/adm/fillup-templates
|
||||
install -m644 contrib/sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd
|
||||
install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/etc/init.d/sshd
|
||||
install -m744 contrib/suse/sysconfig.ssh \
|
||||
$RPM_BUILD_ROOT/var/adm/fillup-templates
|
||||
|
||||
%if %{build_x11_askpass}
|
||||
cd x11-ssh-askpass-%{xversion}
|
||||
make install install.man BINDIR=%{_libdir}/ssh DESTDIR=$RPM_BUILD_ROOT/
|
||||
rm -f $RPM_BUILD_ROOT/usr/share/Ssh.bin
|
||||
%endif
|
||||
|
||||
%clean
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
%pre
|
||||
/usr/sbin/groupadd -g %{sshd_gid} -o -r sshd 2> /dev/null || :
|
||||
/usr/sbin/useradd -r -o -g sshd -u %{sshd_uid} -s /bin/false -c "SSH Privilege Separation User" -d /var/lib/sshd sshd 2> /dev/null || :
|
||||
|
||||
%post
|
||||
if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then
|
||||
echo "Generating SSH RSA host key..."
|
||||
/usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' >&2
|
||||
fi
|
||||
if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then
|
||||
echo "Generating SSH DSA host key..."
|
||||
/usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' >&2
|
||||
fi
|
||||
%{fillup_and_insserv -n -s -y ssh sshd START_SSHD}
|
||||
%run_permissions
|
||||
|
||||
%verifyscript
|
||||
%verify_permissions -e /etc/ssh/sshd_config -e /etc/ssh/ssh_config -e /usr/bin/ssh
|
||||
|
||||
%preun
|
||||
%stop_on_removal sshd
|
||||
|
||||
%postun
|
||||
%restart_on_update sshd
|
||||
%{insserv_cleanup}
|
||||
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
%doc ChangeLog OVERVIEW README*
|
||||
%doc RFC.nroff TODO CREDITS LICENCE
|
||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
|
||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
|
||||
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
|
||||
%attr(0755,root,root) %config /etc/init.d/sshd
|
||||
%attr(0755,root,root) %{_bindir}/ssh-keygen
|
||||
%attr(0755,root,root) %{_bindir}/scp
|
||||
%attr(0755,root,root) %{_bindir}/ssh
|
||||
%attr(-,root,root) %{_bindir}/slogin
|
||||
%attr(0755,root,root) %{_bindir}/ssh-agent
|
||||
%attr(0755,root,root) %{_bindir}/ssh-add
|
||||
%attr(0755,root,root) %{_bindir}/ssh-keyscan
|
||||
%attr(0755,root,root) %{_bindir}/sftp
|
||||
%attr(0755,root,root) %{_sbindir}/sshd
|
||||
%attr(0755,root,root) %dir %{_libdir}/ssh
|
||||
%attr(0755,root,root) %{_libdir}/ssh/sftp-server
|
||||
%attr(4711,root,root) %{_libdir}/ssh/ssh-keysign
|
||||
%attr(0644,root,root) %doc %{_mandir}/man1/scp.1*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man1/sftp.1*
|
||||
%attr(-,root,root) %doc %{_mandir}/man1/slogin.1*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man1/ssh.1*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-add.1*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-agent.1*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keygen.1*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keyscan.1*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man5/ssh_config.5*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man5/sshd_config.5*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man8/sftp-server.8*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man8/ssh-keysign.8*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man8/sshd.8*
|
||||
%attr(0644,root,root) /var/adm/fillup-templates/sysconfig.ssh
|
||||
|
||||
%if %{build_x11_askpass}
|
||||
%files askpass
|
||||
%defattr(-,root,root)
|
||||
%doc x11-ssh-askpass-%{xversion}/README
|
||||
%doc x11-ssh-askpass-%{xversion}/ChangeLog
|
||||
%doc x11-ssh-askpass-%{xversion}/SshAskpass*.ad
|
||||
%attr(0755,root,root) %{_libdir}/ssh/ssh-askpass
|
||||
%attr(0755,root,root) %{_libdir}/ssh/x11-ssh-askpass
|
||||
%attr(0644,root,root) %doc /usr/X11R6/man/man1/ssh-askpass.1x*
|
||||
%attr(0644,root,root) %doc /usr/X11R6/man/man1/x11-ssh-askpass.1x*
|
||||
%attr(0644,root,root) %config /usr/X11R6/lib/X11/app-defaults/SshAskpass
|
||||
%endif
|
5
contrib/suse/rc.config.sshd
Normal file
5
contrib/suse/rc.config.sshd
Normal file
@ -0,0 +1,5 @@
|
||||
#
|
||||
# Start the Secure Shell (SSH) Daemon?
|
||||
#
|
||||
START_SSHD="yes"
|
||||
|
133
contrib/suse/rc.sshd
Normal file
133
contrib/suse/rc.sshd
Normal file
@ -0,0 +1,133 @@
|
||||
#! /bin/sh
|
||||
# Copyright (c) 1995-2000 SuSE GmbH Nuernberg, Germany.
|
||||
#
|
||||
# Author: Jiri Smid <feedback@suse.de>
|
||||
#
|
||||
# /etc/init.d/sshd
|
||||
#
|
||||
# and symbolic its link
|
||||
#
|
||||
# /usr/sbin/rcsshd
|
||||
#
|
||||
### BEGIN INIT INFO
|
||||
# Provides: sshd
|
||||
# Required-Start: $network $remote_fs
|
||||
# Required-Stop: $network $remote_fs
|
||||
# Default-Start: 3 5
|
||||
# Default-Stop: 0 1 2 6
|
||||
# Description: Start the sshd daemon
|
||||
### END INIT INFO
|
||||
|
||||
SSHD_BIN=/usr/sbin/sshd
|
||||
test -x $SSHD_BIN || exit 5
|
||||
|
||||
SSHD_SYSCONFIG=/etc/sysconfig/ssh
|
||||
test -r $SSHD_SYSCONFIG || exit 6
|
||||
. $SSHD_SYSCONFIG
|
||||
|
||||
SSHD_PIDFILE=/var/run/sshd.init.pid
|
||||
|
||||
. /etc/rc.status
|
||||
|
||||
# Shell functions sourced from /etc/rc.status:
|
||||
# rc_check check and set local and overall rc status
|
||||
# rc_status check and set local and overall rc status
|
||||
# rc_status -v ditto but be verbose in local rc status
|
||||
# rc_status -v -r ditto and clear the local rc status
|
||||
# rc_failed set local and overall rc status to failed
|
||||
# rc_reset clear local rc status (overall remains)
|
||||
# rc_exit exit appropriate to overall rc status
|
||||
|
||||
# First reset status of this service
|
||||
rc_reset
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
if ! test -f /etc/ssh/ssh_host_key ; then
|
||||
echo Generating /etc/ssh/ssh_host_key.
|
||||
ssh-keygen -t rsa1 -b 1024 -f /etc/ssh/ssh_host_key -N ''
|
||||
fi
|
||||
if ! test -f /etc/ssh/ssh_host_dsa_key ; then
|
||||
echo Generating /etc/ssh/ssh_host_dsa_key.
|
||||
|
||||
ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N ''
|
||||
fi
|
||||
if ! test -f /etc/ssh/ssh_host_rsa_key ; then
|
||||
echo Generating /etc/ssh/ssh_host_rsa_key.
|
||||
|
||||
ssh-keygen -t rsa -b 1024 -f /etc/ssh/ssh_host_rsa_key -N ''
|
||||
fi
|
||||
echo -n "Starting SSH daemon"
|
||||
## Start daemon with startproc(8). If this fails
|
||||
## the echo return value is set appropriate.
|
||||
|
||||
startproc -f -p $SSHD_PIDFILE /usr/sbin/sshd $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE"
|
||||
|
||||
# Remember status and be verbose
|
||||
rc_status -v
|
||||
;;
|
||||
stop)
|
||||
echo -n "Shutting down SSH daemon"
|
||||
## Stop daemon with killproc(8) and if this fails
|
||||
## set echo the echo return value.
|
||||
|
||||
killproc -p $SSHD_PIDFILE -TERM /usr/sbin/sshd
|
||||
|
||||
# Remember status and be verbose
|
||||
rc_status -v
|
||||
;;
|
||||
try-restart)
|
||||
## Stop the service and if this succeeds (i.e. the
|
||||
## service was running before), start it again.
|
||||
$0 status >/dev/null && $0 restart
|
||||
|
||||
# Remember status and be quiet
|
||||
rc_status
|
||||
;;
|
||||
restart)
|
||||
## Stop the service and regardless of whether it was
|
||||
## running or not, start it again.
|
||||
$0 stop
|
||||
$0 start
|
||||
|
||||
# Remember status and be quiet
|
||||
rc_status
|
||||
;;
|
||||
force-reload|reload)
|
||||
## Signal the daemon to reload its config. Most daemons
|
||||
## do this on signal 1 (SIGHUP).
|
||||
|
||||
echo -n "Reload service sshd"
|
||||
|
||||
killproc -p $SSHD_PIDFILE -HUP /usr/sbin/sshd
|
||||
|
||||
rc_status -v
|
||||
|
||||
;;
|
||||
status)
|
||||
echo -n "Checking for service sshd "
|
||||
## Check status with checkproc(8), if process is running
|
||||
## checkproc will return with exit status 0.
|
||||
|
||||
# Status has a slightly different for the status command:
|
||||
# 0 - service running
|
||||
# 1 - service dead, but /var/run/ pid file exists
|
||||
# 2 - service dead, but /var/lock/ lock file exists
|
||||
# 3 - service not running
|
||||
|
||||
checkproc -p $SSHD_PIDFILE /usr/sbin/sshd
|
||||
|
||||
rc_status -v
|
||||
;;
|
||||
probe)
|
||||
## Optional: Probe for the necessity of a reload,
|
||||
## give out the argument which is required for a reload.
|
||||
|
||||
test /etc/ssh/sshd_config -nt $SSHD_PIDFILE && echo reload
|
||||
;;
|
||||
*)
|
||||
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
rc_exit
|
9
contrib/suse/sysconfig.ssh
Normal file
9
contrib/suse/sysconfig.ssh
Normal file
@ -0,0 +1,9 @@
|
||||
## Path: Network/Remote access/SSH
|
||||
## Description: SSH server settings
|
||||
## Type: string
|
||||
## Default: ""
|
||||
## ServiceRestart: sshd
|
||||
#
|
||||
# Options for sshd
|
||||
#
|
||||
SSHD_OPTS=""
|
2
dh.c
2
dh.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: dh.c,v 1.43 2006/11/06 21:25:28 markus Exp $ */
|
||||
/* $OpenBSD: dh.c,v 1.44 2006/11/07 13:02:07 markus Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
||||
*
|
||||
|
4
dns.c
4
dns.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: dns.c,v 1.23 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/* $OpenBSD: dns.c,v 1.24 2007/01/03 03:01:40 stevesk Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
|
||||
@ -217,7 +217,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
|
||||
if (fingerprints->rri_nrdatas)
|
||||
*flags |= DNS_VERIFY_FOUND;
|
||||
|
||||
for (counter = 0; counter < fingerprints->rri_nrdatas; counter++) {
|
||||
for (counter = 0; counter < fingerprints->rri_nrdatas; counter++) {
|
||||
/*
|
||||
* Extract the key from the answer. Ignore any badly
|
||||
* formatted fingerprints.
|
||||
|
4
kex.c
4
kex.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: kex.c,v 1.76 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/* $OpenBSD: kex.c,v 1.77 2007/01/21 01:41:54 stevesk Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -552,7 +552,7 @@ dump_digest(char *msg, u_char *digest, int len)
|
||||
u_int i;
|
||||
|
||||
fprintf(stderr, "%s\n", msg);
|
||||
for (i = 0; i< len; i++) {
|
||||
for (i = 0; i < len; i++) {
|
||||
fprintf(stderr, "%02x", digest[i]);
|
||||
if (i%32 == 31)
|
||||
fprintf(stderr, "\n");
|
||||
|
4
misc.c
4
misc.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: misc.c,v 1.64 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/* $OpenBSD: misc.c,v 1.65 2006/11/23 01:35:11 ray Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2005,2006 Damien Miller. All rights reserved.
|
||||
@ -616,6 +616,8 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
|
||||
u_long *lineno)
|
||||
{
|
||||
while (fgets(buf, bufsz, f) != NULL) {
|
||||
if (buf[0] == '\0')
|
||||
continue;
|
||||
(*lineno)++;
|
||||
if (buf[strlen(buf) - 1] == '\n' || feof(f)) {
|
||||
return 0;
|
||||
|
8
moduli.c
8
moduli.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: moduli.c,v 1.19 2006/11/06 21:25:28 markus Exp $ */
|
||||
/* $OpenBSD: moduli.c,v 1.20 2007/02/24 03:30:11 ray Exp $ */
|
||||
/*
|
||||
* Copyright 1994 Phil Karn <karn@qualcomm.com>
|
||||
* Copyright 1996-1998, 2003 William Allen Simpson <wsimpson@greendragon.com>
|
||||
@ -490,11 +490,9 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted)
|
||||
|
||||
res = 0;
|
||||
lp = xmalloc(QLINESIZE + 1);
|
||||
while (fgets(lp, QLINESIZE, in) != NULL) {
|
||||
int ll = strlen(lp);
|
||||
|
||||
while (fgets(lp, QLINESIZE + 1, in) != NULL) {
|
||||
count_in++;
|
||||
if (ll < 14 || *lp == '!' || *lp == '#') {
|
||||
if (strlen(lp) < 14 || *lp == '!' || *lp == '#') {
|
||||
debug2("%10u: comment or short line", count_in);
|
||||
continue;
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: monitor.c,v 1.89 2006/11/07 10:31:31 markus Exp $ */
|
||||
/* $OpenBSD: monitor.c,v 1.90 2007/02/19 10:45:58 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||
@ -642,6 +642,9 @@ mm_answer_pwnamallow(int sock, Buffer *m)
|
||||
#endif
|
||||
buffer_put_cstring(m, pwent->pw_dir);
|
||||
buffer_put_cstring(m, pwent->pw_shell);
|
||||
buffer_put_string(m, &options, sizeof(options));
|
||||
if (options.banner != NULL)
|
||||
buffer_put_cstring(m, options.banner);
|
||||
|
||||
out:
|
||||
debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: monitor_wrap.c,v 1.54 2006/08/12 20:46:46 miod Exp $ */
|
||||
/* $OpenBSD: monitor_wrap.c,v 1.55 2007/02/19 10:45:58 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||
@ -73,6 +73,7 @@
|
||||
|
||||
#include "channels.h"
|
||||
#include "session.h"
|
||||
#include "servconf.h"
|
||||
|
||||
/* Imports */
|
||||
extern int compat20;
|
||||
@ -207,7 +208,8 @@ mm_getpwnamallow(const char *username)
|
||||
{
|
||||
Buffer m;
|
||||
struct passwd *pw;
|
||||
u_int pwlen;
|
||||
u_int len;
|
||||
ServerOptions *newopts;
|
||||
|
||||
debug3("%s entering", __func__);
|
||||
|
||||
@ -223,8 +225,8 @@ mm_getpwnamallow(const char *username)
|
||||
buffer_free(&m);
|
||||
return (NULL);
|
||||
}
|
||||
pw = buffer_get_string(&m, &pwlen);
|
||||
if (pwlen != sizeof(struct passwd))
|
||||
pw = buffer_get_string(&m, &len);
|
||||
if (len != sizeof(struct passwd))
|
||||
fatal("%s: struct passwd size mismatch", __func__);
|
||||
pw->pw_name = buffer_get_string(&m, NULL);
|
||||
pw->pw_passwd = buffer_get_string(&m, NULL);
|
||||
@ -234,6 +236,16 @@ mm_getpwnamallow(const char *username)
|
||||
#endif
|
||||
pw->pw_dir = buffer_get_string(&m, NULL);
|
||||
pw->pw_shell = buffer_get_string(&m, NULL);
|
||||
|
||||
/* copy options block as a Match directive may have changed some */
|
||||
newopts = buffer_get_string(&m, &len);
|
||||
if (len != sizeof(*newopts))
|
||||
fatal("%s: option block size mismatch", __func__);
|
||||
if (newopts->banner != NULL)
|
||||
newopts->banner = buffer_get_string(&m, NULL);
|
||||
copy_set_server_options(&options, newopts, 1);
|
||||
xfree(newopts);
|
||||
|
||||
buffer_free(&m);
|
||||
|
||||
return (pw);
|
||||
|
@ -39,7 +39,8 @@
|
||||
|
||||
#define INIT_SZ 128
|
||||
|
||||
int vasprintf(char **str, const char *fmt, va_list ap)
|
||||
int
|
||||
vasprintf(char **str, const char *fmt, va_list ap)
|
||||
{
|
||||
int ret = -1;
|
||||
va_list ap2;
|
||||
@ -53,7 +54,7 @@ int vasprintf(char **str, const char *fmt, va_list ap)
|
||||
ret = vsnprintf(string, INIT_SZ, fmt, ap2);
|
||||
if (ret >= 0 && ret < INIT_SZ) { /* succeeded with initial alloc */
|
||||
*str = string;
|
||||
} else if (ret == INT_MAX) { /* shouldn't happen */
|
||||
} else if (ret == INT_MAX || ret < 0) { /* Bad length */
|
||||
goto fail;
|
||||
} else { /* bigger than initial, realloc allowing for nul */
|
||||
len = (size_t)ret + 1;
|
||||
|
@ -85,6 +85,11 @@
|
||||
*
|
||||
* Move #endif to make sure VA_COPY, LDOUBLE, etc are defined even
|
||||
* if the C library has some snprintf functions already.
|
||||
*
|
||||
* Damien Miller (djm@mindrot.org) Jan 2007
|
||||
* Fix integer overflows in return value.
|
||||
* Make formatting quite a bit faster by inlining dopr_outch()
|
||||
*
|
||||
**************************************************************/
|
||||
|
||||
#include "includes.h"
|
||||
@ -112,6 +117,8 @@
|
||||
#include <stdarg.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <limits.h>
|
||||
#include <errno.h>
|
||||
|
||||
#ifdef HAVE_LONG_DOUBLE
|
||||
# define LDOUBLE long double
|
||||
@ -159,17 +166,28 @@
|
||||
# define MAX(p,q) (((p) >= (q)) ? (p) : (q))
|
||||
#endif
|
||||
|
||||
static size_t dopr(char *buffer, size_t maxlen, const char *format,
|
||||
va_list args_in);
|
||||
static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
|
||||
char *value, int flags, int min, int max);
|
||||
static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
|
||||
LLONG value, int base, int min, int max, int flags);
|
||||
static void fmtfp(char *buffer, size_t *currlen, size_t maxlen,
|
||||
LDOUBLE fvalue, int min, int max, int flags);
|
||||
static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c);
|
||||
#define DOPR_OUTCH(buf, pos, buflen, thechar) \
|
||||
do { \
|
||||
if (pos + 1 >= INT_MAX) { \
|
||||
errno = ERANGE; \
|
||||
return -1; \
|
||||
} \
|
||||
if (pos < buflen) \
|
||||
buf[pos] = thechar; \
|
||||
(pos)++; \
|
||||
} while (0)
|
||||
|
||||
static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args_in)
|
||||
static int dopr(char *buffer, size_t maxlen, const char *format,
|
||||
va_list args_in);
|
||||
static int fmtstr(char *buffer, size_t *currlen, size_t maxlen,
|
||||
char *value, int flags, int min, int max);
|
||||
static int fmtint(char *buffer, size_t *currlen, size_t maxlen,
|
||||
LLONG value, int base, int min, int max, int flags);
|
||||
static int fmtfp(char *buffer, size_t *currlen, size_t maxlen,
|
||||
LDOUBLE fvalue, int min, int max, int flags);
|
||||
|
||||
static int
|
||||
dopr(char *buffer, size_t maxlen, const char *format, va_list args_in)
|
||||
{
|
||||
char ch;
|
||||
LLONG value;
|
||||
@ -198,8 +216,8 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
|
||||
case DP_S_DEFAULT:
|
||||
if (ch == '%')
|
||||
state = DP_S_FLAGS;
|
||||
else
|
||||
dopr_outch (buffer, &currlen, maxlen, ch);
|
||||
else
|
||||
DOPR_OUTCH(buffer, currlen, maxlen, ch);
|
||||
ch = *format++;
|
||||
break;
|
||||
case DP_S_FLAGS:
|
||||
@ -298,7 +316,9 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
|
||||
value = va_arg (args, LLONG);
|
||||
else
|
||||
value = va_arg (args, int);
|
||||
fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags);
|
||||
if (fmtint(buffer, &currlen, maxlen,
|
||||
value, 10, min, max, flags) == -1)
|
||||
return -1;
|
||||
break;
|
||||
case 'o':
|
||||
flags |= DP_F_UNSIGNED;
|
||||
@ -310,7 +330,9 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
|
||||
value = (long)va_arg (args, unsigned LLONG);
|
||||
else
|
||||
value = (long)va_arg (args, unsigned int);
|
||||
fmtint (buffer, &currlen, maxlen, value, 8, min, max, flags);
|
||||
if (fmtint(buffer, &currlen, maxlen, value,
|
||||
8, min, max, flags) == -1)
|
||||
return -1;
|
||||
break;
|
||||
case 'u':
|
||||
flags |= DP_F_UNSIGNED;
|
||||
@ -322,7 +344,9 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
|
||||
value = (LLONG)va_arg (args, unsigned LLONG);
|
||||
else
|
||||
value = (long)va_arg (args, unsigned int);
|
||||
fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags);
|
||||
if (fmtint(buffer, &currlen, maxlen, value,
|
||||
10, min, max, flags) == -1)
|
||||
return -1;
|
||||
break;
|
||||
case 'X':
|
||||
flags |= DP_F_UP;
|
||||
@ -336,15 +360,18 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
|
||||
value = (LLONG)va_arg (args, unsigned LLONG);
|
||||
else
|
||||
value = (long)va_arg (args, unsigned int);
|
||||
fmtint (buffer, &currlen, maxlen, value, 16, min, max, flags);
|
||||
if (fmtint(buffer, &currlen, maxlen, value,
|
||||
16, min, max, flags) == -1)
|
||||
return -1;
|
||||
break;
|
||||
case 'f':
|
||||
if (cflags == DP_C_LDOUBLE)
|
||||
fvalue = va_arg (args, LDOUBLE);
|
||||
else
|
||||
fvalue = va_arg (args, double);
|
||||
/* um, floating point? */
|
||||
fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
|
||||
if (fmtfp(buffer, &currlen, maxlen, fvalue,
|
||||
min, max, flags) == -1)
|
||||
return -1;
|
||||
break;
|
||||
case 'E':
|
||||
flags |= DP_F_UP;
|
||||
@ -353,7 +380,9 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
|
||||
fvalue = va_arg (args, LDOUBLE);
|
||||
else
|
||||
fvalue = va_arg (args, double);
|
||||
fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
|
||||
if (fmtfp(buffer, &currlen, maxlen, fvalue,
|
||||
min, max, flags) == -1)
|
||||
return -1;
|
||||
break;
|
||||
case 'G':
|
||||
flags |= DP_F_UP;
|
||||
@ -362,10 +391,13 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
|
||||
fvalue = va_arg (args, LDOUBLE);
|
||||
else
|
||||
fvalue = va_arg (args, double);
|
||||
fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
|
||||
if (fmtfp(buffer, &currlen, maxlen, fvalue,
|
||||
min, max, flags) == -1)
|
||||
return -1;
|
||||
break;
|
||||
case 'c':
|
||||
dopr_outch (buffer, &currlen, maxlen, va_arg (args, int));
|
||||
DOPR_OUTCH(buffer, currlen, maxlen,
|
||||
va_arg (args, int));
|
||||
break;
|
||||
case 's':
|
||||
strvalue = va_arg (args, char *);
|
||||
@ -374,11 +406,15 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
|
||||
max = strlen(strvalue);
|
||||
}
|
||||
if (min > 0 && max >= 0 && min > max) max = min;
|
||||
fmtstr (buffer, &currlen, maxlen, strvalue, flags, min, max);
|
||||
if (fmtstr(buffer, &currlen, maxlen,
|
||||
strvalue, flags, min, max) == -1)
|
||||
return -1;
|
||||
break;
|
||||
case 'p':
|
||||
strvalue = va_arg (args, void *);
|
||||
fmtint (buffer, &currlen, maxlen, (long) strvalue, 16, min, max, flags);
|
||||
if (fmtint(buffer, &currlen, maxlen,
|
||||
(long) strvalue, 16, min, max, flags) == -1)
|
||||
return -1;
|
||||
break;
|
||||
case 'n':
|
||||
if (cflags == DP_C_SHORT) {
|
||||
@ -400,7 +436,7 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
|
||||
}
|
||||
break;
|
||||
case '%':
|
||||
dopr_outch (buffer, &currlen, maxlen, ch);
|
||||
DOPR_OUTCH(buffer, currlen, maxlen, ch);
|
||||
break;
|
||||
case 'w':
|
||||
/* not supported yet, treat as next char */
|
||||
@ -429,11 +465,12 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
|
||||
buffer[maxlen - 1] = '\0';
|
||||
}
|
||||
|
||||
return currlen;
|
||||
return currlen < INT_MAX ? (int)currlen : -1;
|
||||
}
|
||||
|
||||
static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
|
||||
char *value, int flags, int min, int max)
|
||||
static int
|
||||
fmtstr(char *buffer, size_t *currlen, size_t maxlen,
|
||||
char *value, int flags, int min, int max)
|
||||
{
|
||||
int padlen, strln; /* amount to pad */
|
||||
int cnt = 0;
|
||||
@ -453,24 +490,27 @@ static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
|
||||
padlen = -padlen; /* Left Justify */
|
||||
|
||||
while ((padlen > 0) && (cnt < max)) {
|
||||
dopr_outch (buffer, currlen, maxlen, ' ');
|
||||
DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
|
||||
--padlen;
|
||||
++cnt;
|
||||
}
|
||||
while (*value && (cnt < max)) {
|
||||
dopr_outch (buffer, currlen, maxlen, *value++);
|
||||
DOPR_OUTCH(buffer, *currlen, maxlen, *value);
|
||||
*value++;
|
||||
++cnt;
|
||||
}
|
||||
while ((padlen < 0) && (cnt < max)) {
|
||||
dopr_outch (buffer, currlen, maxlen, ' ');
|
||||
DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
|
||||
++padlen;
|
||||
++cnt;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Have to handle DP_F_NUM (ie 0x and 0 alternates) */
|
||||
|
||||
static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
|
||||
static int
|
||||
fmtint(char *buffer, size_t *currlen, size_t maxlen,
|
||||
LLONG value, int base, int min, int max, int flags)
|
||||
{
|
||||
int signvalue = 0;
|
||||
@ -527,31 +567,34 @@ static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
|
||||
|
||||
/* Spaces */
|
||||
while (spadlen > 0) {
|
||||
dopr_outch (buffer, currlen, maxlen, ' ');
|
||||
DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
|
||||
--spadlen;
|
||||
}
|
||||
|
||||
/* Sign */
|
||||
if (signvalue)
|
||||
dopr_outch (buffer, currlen, maxlen, signvalue);
|
||||
DOPR_OUTCH(buffer, *currlen, maxlen, signvalue);
|
||||
|
||||
/* Zeros */
|
||||
if (zpadlen > 0) {
|
||||
while (zpadlen > 0) {
|
||||
dopr_outch (buffer, currlen, maxlen, '0');
|
||||
DOPR_OUTCH(buffer, *currlen, maxlen, '0');
|
||||
--zpadlen;
|
||||
}
|
||||
}
|
||||
|
||||
/* Digits */
|
||||
while (place > 0)
|
||||
dopr_outch (buffer, currlen, maxlen, convert[--place]);
|
||||
while (place > 0) {
|
||||
--place;
|
||||
DOPR_OUTCH(buffer, *currlen, maxlen, convert[place]);
|
||||
}
|
||||
|
||||
/* Left Justified spaces */
|
||||
while (spadlen < 0) {
|
||||
dopr_outch (buffer, currlen, maxlen, ' ');
|
||||
DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
|
||||
++spadlen;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
static LDOUBLE abs_val(LDOUBLE value)
|
||||
@ -564,13 +607,13 @@ static LDOUBLE abs_val(LDOUBLE value)
|
||||
return result;
|
||||
}
|
||||
|
||||
static LDOUBLE POW10(int exp)
|
||||
static LDOUBLE POW10(int val)
|
||||
{
|
||||
LDOUBLE result = 1;
|
||||
|
||||
while (exp) {
|
||||
while (val) {
|
||||
result *= 10;
|
||||
exp--;
|
||||
val--;
|
||||
}
|
||||
|
||||
return result;
|
||||
@ -604,7 +647,10 @@ static double my_modf(double x0, double *iptr)
|
||||
}
|
||||
|
||||
if (i == 100) {
|
||||
/* yikes! the number is beyond what we can handle. What do we do? */
|
||||
/*
|
||||
* yikes! the number is beyond what we can handle.
|
||||
* What do we do?
|
||||
*/
|
||||
(*iptr) = 0;
|
||||
return 0;
|
||||
}
|
||||
@ -623,8 +669,9 @@ static double my_modf(double x0, double *iptr)
|
||||
}
|
||||
|
||||
|
||||
static void fmtfp (char *buffer, size_t *currlen, size_t maxlen,
|
||||
LDOUBLE fvalue, int min, int max, int flags)
|
||||
static int
|
||||
fmtfp (char *buffer, size_t *currlen, size_t maxlen,
|
||||
LDOUBLE fvalue, int min, int max, int flags)
|
||||
{
|
||||
int signvalue = 0;
|
||||
double ufvalue;
|
||||
@ -729,24 +776,26 @@ static void fmtfp (char *buffer, size_t *currlen, size_t maxlen,
|
||||
|
||||
if ((flags & DP_F_ZERO) && (padlen > 0)) {
|
||||
if (signvalue) {
|
||||
dopr_outch (buffer, currlen, maxlen, signvalue);
|
||||
DOPR_OUTCH(buffer, *currlen, maxlen, signvalue);
|
||||
--padlen;
|
||||
signvalue = 0;
|
||||
}
|
||||
while (padlen > 0) {
|
||||
dopr_outch (buffer, currlen, maxlen, '0');
|
||||
DOPR_OUTCH(buffer, *currlen, maxlen, '0');
|
||||
--padlen;
|
||||
}
|
||||
}
|
||||
while (padlen > 0) {
|
||||
dopr_outch (buffer, currlen, maxlen, ' ');
|
||||
DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
|
||||
--padlen;
|
||||
}
|
||||
if (signvalue)
|
||||
dopr_outch (buffer, currlen, maxlen, signvalue);
|
||||
DOPR_OUTCH(buffer, *currlen, maxlen, signvalue);
|
||||
|
||||
while (iplace > 0)
|
||||
dopr_outch (buffer, currlen, maxlen, iconvert[--iplace]);
|
||||
while (iplace > 0) {
|
||||
--iplace;
|
||||
DOPR_OUTCH(buffer, *currlen, maxlen, iconvert[iplace]);
|
||||
}
|
||||
|
||||
#ifdef DEBUG_SNPRINTF
|
||||
printf("fmtfp: fplace=%d zpadlen=%d\n", fplace, zpadlen);
|
||||
@ -757,41 +806,38 @@ static void fmtfp (char *buffer, size_t *currlen, size_t maxlen,
|
||||
* char to print out.
|
||||
*/
|
||||
if (max > 0) {
|
||||
dopr_outch (buffer, currlen, maxlen, '.');
|
||||
DOPR_OUTCH(buffer, *currlen, maxlen, '.');
|
||||
|
||||
while (zpadlen > 0) {
|
||||
dopr_outch (buffer, currlen, maxlen, '0');
|
||||
DOPR_OUTCH(buffer, *currlen, maxlen, '0');
|
||||
--zpadlen;
|
||||
}
|
||||
|
||||
while (fplace > 0)
|
||||
dopr_outch (buffer, currlen, maxlen, fconvert[--fplace]);
|
||||
while (fplace > 0) {
|
||||
--fplace;
|
||||
DOPR_OUTCH(buffer, *currlen, maxlen, fconvert[fplace]);
|
||||
}
|
||||
}
|
||||
|
||||
while (padlen < 0) {
|
||||
dopr_outch (buffer, currlen, maxlen, ' ');
|
||||
DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
|
||||
++padlen;
|
||||
}
|
||||
}
|
||||
|
||||
static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c)
|
||||
{
|
||||
if (*currlen < maxlen) {
|
||||
buffer[(*currlen)] = c;
|
||||
}
|
||||
(*currlen)++;
|
||||
return 0;
|
||||
}
|
||||
#endif /* !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) */
|
||||
|
||||
#if !defined(HAVE_VSNPRINTF)
|
||||
int vsnprintf (char *str, size_t count, const char *fmt, va_list args)
|
||||
int
|
||||
vsnprintf (char *str, size_t count, const char *fmt, va_list args)
|
||||
{
|
||||
return dopr(str, count, fmt, args);
|
||||
}
|
||||
#endif
|
||||
|
||||
#if !defined(HAVE_SNPRINTF)
|
||||
int snprintf(char *str, size_t count, SNPRINTF_CONST char *fmt, ...)
|
||||
int
|
||||
snprintf(char *str, size_t count, SNPRINTF_CONST char *fmt, ...)
|
||||
{
|
||||
size_t ret;
|
||||
va_list ap;
|
||||
@ -802,4 +848,3 @@ int snprintf(char *str, size_t count, SNPRINTF_CONST char *fmt, ...)
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
|
||||
|
@ -303,10 +303,12 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
|
||||
}
|
||||
|
||||
/* allocate memory for signatures */
|
||||
rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
|
||||
if (rrset->rri_sigs == NULL) {
|
||||
result = ERRSET_NOMEMORY;
|
||||
goto fail;
|
||||
if (rrset->rri_nsigs > 0) {
|
||||
rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
|
||||
if (rrset->rri_sigs == NULL) {
|
||||
result = ERRSET_NOMEMORY;
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
|
||||
/* copy answers & signatures */
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $Id: openssl-compat.h,v 1.6 2006/02/22 11:24:47 dtucker Exp $ */
|
||||
/* $Id: openssl-compat.h,v 1.7 2007/03/05 07:25:20 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
|
||||
@ -46,6 +46,11 @@ extern const EVP_CIPHER *evp_acss(void);
|
||||
# endif
|
||||
#endif
|
||||
|
||||
/* OpenSSL 0.9.8e returns cipher key len not context key len */
|
||||
#if (OPENSSL_VERSION_NUMBER == 0x0090805fL)
|
||||
# define EVP_CIPHER_CTX_key_length(c) ((c)->key_len)
|
||||
#endif
|
||||
|
||||
/*
|
||||
* We overload some of the OpenSSL crypto functions with ssh_* equivalents
|
||||
* which cater for older and/or less featureful OpenSSL version.
|
||||
|
@ -23,6 +23,9 @@
|
||||
type='service'
|
||||
version='1'>
|
||||
|
||||
<!--
|
||||
We default to disabled so administrator can decide to enable or not.
|
||||
-->
|
||||
<create_default_instance enabled='false'/>
|
||||
|
||||
<single_instance/>
|
||||
@ -53,7 +56,7 @@
|
||||
<exec_method
|
||||
name='start'
|
||||
type='method'
|
||||
exec='/lib/svc/method/site/opensshd start'
|
||||
exec='/lib/svc/method/site/__SYSVINIT_NAME__ start'
|
||||
timeout_seconds='60'>
|
||||
<method_context/>
|
||||
</exec_method>
|
||||
|
1
packet.c
1
packet.c
@ -47,7 +47,6 @@
|
||||
# include <sys/time.h>
|
||||
#endif
|
||||
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <arpa/inet.h>
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: readconf.c,v 1.159 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/* $OpenBSD: readconf.c,v 1.161 2007/01/21 01:45:35 stevesk Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -364,7 +364,7 @@ process_config_line(Options *options, const char *host,
|
||||
if ((value = convtime(arg)) == -1)
|
||||
fatal("%s line %d: invalid time value.",
|
||||
filename, linenum);
|
||||
if (*intptr == -1)
|
||||
if (*activep && *intptr == -1)
|
||||
*intptr = value;
|
||||
break;
|
||||
|
||||
@ -545,7 +545,7 @@ process_config_line(Options *options, const char *host,
|
||||
if (*intptr >= SSH_MAX_IDENTITY_FILES)
|
||||
fatal("%.200s line %d: Too many identity files specified (max %d).",
|
||||
filename, linenum, SSH_MAX_IDENTITY_FILES);
|
||||
charptr = &options->identity_files[*intptr];
|
||||
charptr = &options->identity_files[*intptr];
|
||||
*charptr = xstrdup(arg);
|
||||
*intptr = *intptr + 1;
|
||||
}
|
||||
|
@ -41,7 +41,7 @@ EOF
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "gdb failed: exit code $?"
|
||||
fi
|
||||
egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace attach: Permission denied.|procfs:.*: Invalid argument.' >/dev/null ${OBJ}/gdb.out
|
||||
egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.' >/dev/null ${OBJ}/gdb.out
|
||||
r=$?
|
||||
rm -f ${OBJ}/gdb.out
|
||||
if [ $r -ne 0 ]; then
|
||||
|
144
scp.0
Normal file
144
scp.0
Normal file
@ -0,0 +1,144 @@
|
||||
SCP(1) OpenBSD Reference Manual SCP(1)
|
||||
|
||||
NAME
|
||||
scp - secure copy (remote file copy program)
|
||||
|
||||
SYNOPSIS
|
||||
scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]
|
||||
[-l limit] [-o ssh_option] [-P port] [-S program]
|
||||
[[user@]host1:]file1 [...] [[user@]host2:]file2
|
||||
|
||||
DESCRIPTION
|
||||
scp copies files between hosts on a network. It uses ssh(1) for data
|
||||
transfer, and uses the same authentication and provides the same security
|
||||
as ssh(1). Unlike rcp(1), scp will ask for passwords or passphrases if
|
||||
they are needed for authentication.
|
||||
|
||||
Any file name may contain a host and user specification to indicate that
|
||||
the file is to be copied to/from that host. Copies between two remote
|
||||
hosts are permitted.
|
||||
|
||||
The options are as follows:
|
||||
|
||||
-1 Forces scp to use protocol 1.
|
||||
|
||||
-2 Forces scp to use protocol 2.
|
||||
|
||||
-4 Forces scp to use IPv4 addresses only.
|
||||
|
||||
-6 Forces scp to use IPv6 addresses only.
|
||||
|
||||
-B Selects batch mode (prevents asking for passwords or passphras-
|
||||
es).
|
||||
|
||||
-C Compression enable. Passes the -C flag to ssh(1) to enable com-
|
||||
pression.
|
||||
|
||||
-c cipher
|
||||
Selects the cipher to use for encrypting the data transfer. This
|
||||
option is directly passed to ssh(1).
|
||||
|
||||
-F ssh_config
|
||||
Specifies an alternative per-user configuration file for ssh.
|
||||
This option is directly passed to ssh(1).
|
||||
|
||||
-i identity_file
|
||||
Selects the file from which the identity (private key) for RSA
|
||||
authentication is read. This option is directly passed to
|
||||
ssh(1).
|
||||
|
||||
-l limit
|
||||
Limits the used bandwidth, specified in Kbit/s.
|
||||
|
||||
-o ssh_option
|
||||
Can be used to pass options to ssh in the format used in
|
||||
ssh_config(5). This is useful for specifying options for which
|
||||
there is no separate scp command-line flag. For full details of
|
||||
the options listed below, and their possible values, see
|
||||
ssh_config(5).
|
||||
|
||||
AddressFamily
|
||||
BatchMode
|
||||
BindAddress
|
||||
ChallengeResponseAuthentication
|
||||
CheckHostIP
|
||||
Cipher
|
||||
Ciphers
|
||||
Compression
|
||||
CompressionLevel
|
||||
ConnectionAttempts
|
||||
ConnectTimeout
|
||||
ControlMaster
|
||||
ControlPath
|
||||
GlobalKnownHostsFile
|
||||
GSSAPIAuthentication
|
||||
GSSAPIDelegateCredentials
|
||||
HashKnownHosts
|
||||
Host
|
||||
HostbasedAuthentication
|
||||
HostKeyAlgorithms
|
||||
HostKeyAlias
|
||||
HostName
|
||||
IdentityFile
|
||||
IdentitiesOnly
|
||||
KbdInteractiveDevices
|
||||
LogLevel
|
||||
MACs
|
||||
NoHostAuthenticationForLocalhost
|
||||
NumberOfPasswordPrompts
|
||||
PasswordAuthentication
|
||||
Port
|
||||
PreferredAuthentications
|
||||
Protocol
|
||||
ProxyCommand
|
||||
PubkeyAuthentication
|
||||
RekeyLimit
|
||||
RhostsRSAAuthentication
|
||||
RSAAuthentication
|
||||
SendEnv
|
||||
ServerAliveInterval
|
||||
ServerAliveCountMax
|
||||
SmartcardDevice
|
||||
StrictHostKeyChecking
|
||||
TCPKeepAlive
|
||||
UsePrivilegedPort
|
||||
User
|
||||
UserKnownHostsFile
|
||||
VerifyHostKeyDNS
|
||||
|
||||
-P port
|
||||
Specifies the port to connect to on the remote host. Note that
|
||||
this option is written with a capital `P', because -p is already
|
||||
reserved for preserving the times and modes of the file in
|
||||
rcp(1).
|
||||
|
||||
-p Preserves modification times, access times, and modes from the
|
||||
original file.
|
||||
|
||||
-q Disables the progress meter.
|
||||
|
||||
-r Recursively copy entire directories.
|
||||
|
||||
-S program
|
||||
Name of program to use for the encrypted connection. The program
|
||||
must understand ssh(1) options.
|
||||
|
||||
-v Verbose mode. Causes scp and ssh(1) to print debugging messages
|
||||
about their progress. This is helpful in debugging connection,
|
||||
authentication, and configuration problems.
|
||||
|
||||
The scp utility exits 0 on success, and >0 if an error occurs.
|
||||
|
||||
SEE ALSO
|
||||
rcp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
|
||||
ssh_config(5), sshd(8)
|
||||
|
||||
HISTORY
|
||||
scp is based on the rcp(1) program in BSD source code from the Regents of
|
||||
the University of California.
|
||||
|
||||
AUTHORS
|
||||
Timo Rinne <tri@iki.fi>
|
||||
Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
||||
OpenBSD 4.1 September 25, 1999 3
|
4
scp.c
4
scp.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: scp.c,v 1.155 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/* $OpenBSD: scp.c,v 1.156 2007/01/22 13:06:21 djm Exp $ */
|
||||
/*
|
||||
* scp - secure remote copy. This is basically patched BSD rcp which
|
||||
* uses ssh to do the data transfer (instead of using rcmd).
|
||||
@ -380,7 +380,7 @@ main(int argc, char **argv)
|
||||
if ((pwd = getpwuid(userid = getuid())) == NULL)
|
||||
fatal("unknown user %u", (u_int) userid);
|
||||
|
||||
if (!isatty(STDERR_FILENO))
|
||||
if (!isatty(STDOUT_FILENO))
|
||||
showprogress = 0;
|
||||
|
||||
remin = STDIN_FILENO;
|
||||
|
100
servconf.c
100
servconf.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: servconf.c,v 1.165 2006/08/14 12:40:25 dtucker Exp $ */
|
||||
/* $OpenBSD: servconf.c,v 1.170 2007/03/01 10:28:02 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
@ -325,14 +325,14 @@ static struct {
|
||||
{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
|
||||
{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
|
||||
{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
|
||||
{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_GLOBAL },
|
||||
{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_GLOBAL },
|
||||
{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
|
||||
{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
|
||||
{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
|
||||
{ "rsaauthentication", sRSAAuthentication, SSHCFG_GLOBAL },
|
||||
{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },
|
||||
{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
|
||||
{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
|
||||
{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
|
||||
#ifdef KRB5
|
||||
{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_GLOBAL },
|
||||
{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
|
||||
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
|
||||
{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
|
||||
#ifdef USE_AFS
|
||||
@ -341,7 +341,7 @@ static struct {
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
#else
|
||||
{ "kerberosauthentication", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
|
||||
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
@ -349,14 +349,14 @@ static struct {
|
||||
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
#ifdef GSSAPI
|
||||
{ "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL },
|
||||
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
||||
#else
|
||||
{ "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL },
|
||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL },
|
||||
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
||||
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
|
||||
{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
|
||||
{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
|
||||
@ -389,7 +389,7 @@ static struct {
|
||||
{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
|
||||
{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
|
||||
{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
|
||||
{ "banner", sBanner, SSHCFG_GLOBAL },
|
||||
{ "banner", sBanner, SSHCFG_ALL },
|
||||
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
|
||||
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
|
||||
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
|
||||
@ -968,7 +968,7 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
else
|
||||
fatal("%s line %d: Bad yes/no/clientspecified "
|
||||
"argument: %s", filename, linenum, arg);
|
||||
if (*intptr == -1)
|
||||
if (*activep && *intptr == -1)
|
||||
*intptr = value;
|
||||
break;
|
||||
|
||||
@ -1220,13 +1220,16 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
if (!arg || *arg == '\0')
|
||||
fatal("%s line %d: missing PermitOpen specification",
|
||||
filename, linenum);
|
||||
n = options->num_permitted_opens; /* modified later */
|
||||
if (strcmp(arg, "any") == 0) {
|
||||
if (*activep) {
|
||||
if (*activep && n == -1) {
|
||||
channel_clear_adm_permitted_opens();
|
||||
options->num_permitted_opens = 0;
|
||||
}
|
||||
break;
|
||||
}
|
||||
if (*activep && n == -1)
|
||||
channel_clear_adm_permitted_opens();
|
||||
for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
|
||||
p = hpdelim(&arg);
|
||||
if (p == NULL)
|
||||
@ -1236,11 +1239,9 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
if (arg == NULL || (port = a2port(arg)) == 0)
|
||||
fatal("%s line %d: bad port number in "
|
||||
"PermitOpen", filename, linenum);
|
||||
if (*activep && options->num_permitted_opens == -1) {
|
||||
channel_clear_adm_permitted_opens();
|
||||
if (*activep && n == -1)
|
||||
options->num_permitted_opens =
|
||||
channel_add_adm_permitted_opens(p, port);
|
||||
}
|
||||
}
|
||||
break;
|
||||
|
||||
@ -1316,30 +1317,55 @@ parse_server_match_config(ServerOptions *options, const char *user,
|
||||
|
||||
initialize_server_options(&mo);
|
||||
parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
|
||||
copy_set_server_options(options, &mo);
|
||||
copy_set_server_options(options, &mo, 0);
|
||||
}
|
||||
|
||||
/* Copy any (supported) values that are set */
|
||||
/* Helper macros */
|
||||
#define M_CP_INTOPT(n) do {\
|
||||
if (src->n != -1) \
|
||||
dst->n = src->n; \
|
||||
} while (0)
|
||||
#define M_CP_STROPT(n) do {\
|
||||
if (src->n != NULL) { \
|
||||
if (dst->n != NULL) \
|
||||
xfree(dst->n); \
|
||||
dst->n = src->n; \
|
||||
} \
|
||||
} while(0)
|
||||
|
||||
/*
|
||||
* Copy any supported values that are set.
|
||||
*
|
||||
* If the preauth flag is set, we do not bother copying the the string or
|
||||
* array values that are not used pre-authentication, because any that we
|
||||
* do use must be explictly sent in mm_getpwnamallow().
|
||||
*/
|
||||
void
|
||||
copy_set_server_options(ServerOptions *dst, ServerOptions *src)
|
||||
copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
|
||||
{
|
||||
if (src->allow_tcp_forwarding != -1)
|
||||
dst->allow_tcp_forwarding = src->allow_tcp_forwarding;
|
||||
if (src->gateway_ports != -1)
|
||||
dst->gateway_ports = src->gateway_ports;
|
||||
if (src->adm_forced_command != NULL) {
|
||||
if (dst->adm_forced_command != NULL)
|
||||
xfree(dst->adm_forced_command);
|
||||
dst->adm_forced_command = src->adm_forced_command;
|
||||
}
|
||||
if (src->x11_display_offset != -1)
|
||||
dst->x11_display_offset = src->x11_display_offset;
|
||||
if (src->x11_forwarding != -1)
|
||||
dst->x11_forwarding = src->x11_forwarding;
|
||||
if (src->x11_use_localhost != -1)
|
||||
dst->x11_use_localhost = src->x11_use_localhost;
|
||||
M_CP_INTOPT(password_authentication);
|
||||
M_CP_INTOPT(gss_authentication);
|
||||
M_CP_INTOPT(rsa_authentication);
|
||||
M_CP_INTOPT(pubkey_authentication);
|
||||
M_CP_INTOPT(kerberos_authentication);
|
||||
M_CP_INTOPT(hostbased_authentication);
|
||||
M_CP_INTOPT(kbd_interactive_authentication);
|
||||
|
||||
M_CP_INTOPT(allow_tcp_forwarding);
|
||||
M_CP_INTOPT(gateway_ports);
|
||||
M_CP_INTOPT(x11_display_offset);
|
||||
M_CP_INTOPT(x11_forwarding);
|
||||
M_CP_INTOPT(x11_use_localhost);
|
||||
|
||||
M_CP_STROPT(banner);
|
||||
if (preauth)
|
||||
return;
|
||||
M_CP_STROPT(adm_forced_command);
|
||||
}
|
||||
|
||||
#undef M_CP_INTOPT
|
||||
#undef M_CP_STROPT
|
||||
|
||||
void
|
||||
parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
|
||||
const char *user, const char *host, const char *address)
|
||||
@ -1361,4 +1387,8 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
|
||||
if (bad_options > 0)
|
||||
fatal("%s: terminating, %d bad configuration options",
|
||||
filename, bad_options);
|
||||
|
||||
/* challenge-response is implemented via keyboard interactive */
|
||||
if (options->challenge_response_authentication == 1)
|
||||
options->kbd_interactive_authentication = 1;
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: servconf.h,v 1.79 2006/08/14 12:40:25 dtucker Exp $ */
|
||||
/* $OpenBSD: servconf.h,v 1.80 2007/02/19 10:45:58 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -152,6 +152,6 @@ void parse_server_config(ServerOptions *, const char *, Buffer *,
|
||||
const char *, const char *, const char *);
|
||||
void parse_server_match_config(ServerOptions *, const char *, const char *,
|
||||
const char *);
|
||||
void copy_set_server_options(ServerOptions *, ServerOptions *);
|
||||
void copy_set_server_options(ServerOptions *, ServerOptions *, int);
|
||||
|
||||
#endif /* SERVCONF_H */
|
||||
|
20
serverloop.c
20
serverloop.c
@ -280,6 +280,7 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
|
||||
struct timeval tv, *tvp;
|
||||
int ret;
|
||||
int client_alive_scheduled = 0;
|
||||
int program_alive_scheduled = 0;
|
||||
|
||||
/*
|
||||
* if using client_alive, set the max timeout accordingly,
|
||||
@ -317,6 +318,7 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
|
||||
* the client, try to get some more data from the program.
|
||||
*/
|
||||
if (packet_not_very_much_data_to_write()) {
|
||||
program_alive_scheduled = child_terminated;
|
||||
if (!fdout_eof)
|
||||
FD_SET(fdout, *readsetp);
|
||||
if (!fderr_eof)
|
||||
@ -362,8 +364,16 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
|
||||
memset(*writesetp, 0, *nallocp);
|
||||
if (errno != EINTR)
|
||||
error("select: %.100s", strerror(errno));
|
||||
} else if (ret == 0 && client_alive_scheduled)
|
||||
client_alive_check();
|
||||
} else {
|
||||
if (ret == 0 && client_alive_scheduled)
|
||||
client_alive_check();
|
||||
if (!compat20 && program_alive_scheduled && fdin_is_tty) {
|
||||
if (!fdout_eof)
|
||||
FD_SET(fdout, *readsetp);
|
||||
if (!fderr_eof)
|
||||
FD_SET(fderr, *readsetp);
|
||||
}
|
||||
}
|
||||
|
||||
notify_done(*readsetp);
|
||||
}
|
||||
@ -407,7 +417,8 @@ process_input(fd_set *readset)
|
||||
if (!fdout_eof && FD_ISSET(fdout, readset)) {
|
||||
errno = 0;
|
||||
len = read(fdout, buf, sizeof(buf));
|
||||
if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
|
||||
if (len < 0 && (errno == EINTR ||
|
||||
(errno == EAGAIN && !child_terminated))) {
|
||||
/* do nothing */
|
||||
#ifndef PTY_ZEROREAD
|
||||
} else if (len <= 0) {
|
||||
@ -425,7 +436,8 @@ process_input(fd_set *readset)
|
||||
if (!fderr_eof && FD_ISSET(fderr, readset)) {
|
||||
errno = 0;
|
||||
len = read(fderr, buf, sizeof(buf));
|
||||
if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
|
||||
if (len < 0 && (errno == EINTR ||
|
||||
(errno == EAGAIN && !child_terminated))) {
|
||||
/* do nothing */
|
||||
#ifndef PTY_ZEROREAD
|
||||
} else if (len <= 0) {
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: session.c,v 1.220 2006/10/09 23:36:11 djm Exp $ */
|
||||
/* $OpenBSD: session.c,v 1.221 2007/01/21 01:41:54 stevesk Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
@ -2027,7 +2027,7 @@ session_input_channel_req(Channel *c, const char *rtype)
|
||||
} else if (strcmp(rtype, "exec") == 0) {
|
||||
success = session_exec_req(s);
|
||||
} else if (strcmp(rtype, "pty-req") == 0) {
|
||||
success = session_pty_req(s);
|
||||
success = session_pty_req(s);
|
||||
} else if (strcmp(rtype, "x11-req") == 0) {
|
||||
success = session_x11_req(s);
|
||||
} else if (strcmp(rtype, "auth-agent-req@openssh.com") == 0) {
|
||||
@ -2152,7 +2152,7 @@ session_close_single_x11(int id, void *arg)
|
||||
|
||||
debug3("session_close_single_x11: channel %d", id);
|
||||
channel_cancel_cleanup(id);
|
||||
if ((s = session_by_x11_channel(id)) == NULL)
|
||||
if ((s = session_by_x11_channel(id)) == NULL)
|
||||
fatal("session_close_single_x11: no x11 channel %d", id);
|
||||
for (i = 0; s->x11_chanids[i] != -1; i++) {
|
||||
debug("session_close_single_x11: session %d: "
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: sftp-client.c,v 1.75 2006/10/22 02:25:50 djm Exp $ */
|
||||
/* $OpenBSD: sftp-client.c,v 1.76 2007/01/22 11:32:50 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
|
||||
*
|
||||
@ -1140,6 +1140,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
|
||||
close(local_fd);
|
||||
xfree(data);
|
||||
xfree(ack);
|
||||
status = -1;
|
||||
goto done;
|
||||
}
|
||||
debug3("In write loop, ack for %u %u bytes at %llu",
|
||||
|
46
sftp-server.0
Normal file
46
sftp-server.0
Normal file
@ -0,0 +1,46 @@
|
||||
SFTP-SERVER(8) OpenBSD System Manager's Manual SFTP-SERVER(8)
|
||||
|
||||
NAME
|
||||
sftp-server - SFTP server subsystem
|
||||
|
||||
SYNOPSIS
|
||||
sftp-server [-f log_facility] [-l log_level]
|
||||
|
||||
DESCRIPTION
|
||||
sftp-server is a program that speaks the server side of SFTP protocol to
|
||||
stdout and expects client requests from stdin. sftp-server is not in-
|
||||
tended to be called directly, but from sshd(8) using the Subsystem op-
|
||||
tion.
|
||||
|
||||
Command-line flags to sftp-server should be specified in the Subsystem
|
||||
declaration. See sshd_config(5) for more information.
|
||||
|
||||
Valid options are:
|
||||
|
||||
-f log_facility
|
||||
Specifies the facility code that is used when logging messages
|
||||
from sftp-server. The possible values are: DAEMON, USER, AUTH,
|
||||
LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
The default is AUTH.
|
||||
|
||||
-l log_level
|
||||
Specifies which messages will be logged by sftp-server. The pos-
|
||||
sible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DE-
|
||||
BUG1, DEBUG2, and DEBUG3. INFO and VERBOSE log transactions that
|
||||
sftp-server performs on behalf of the client. DEBUG and DEBUG1
|
||||
are equivalent. DEBUG2 and DEBUG3 each specify higher levels of
|
||||
debugging output. The default is ERROR.
|
||||
|
||||
SEE ALSO
|
||||
sftp(1), ssh(1), sshd_config(5), sshd(8)
|
||||
|
||||
T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
|
||||
filexfer-00.txt, January 2001, work in progress material.
|
||||
|
||||
HISTORY
|
||||
sftp-server first appeared in OpenBSD 2.8.
|
||||
|
||||
AUTHORS
|
||||
Markus Friedl <markus@openbsd.org>
|
||||
|
||||
OpenBSD 4.1 August 30, 2000 1
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: sftp-server.c,v 1.70 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/* $OpenBSD: sftp-server.c,v 1.71 2007/01/03 07:22:36 stevesk Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -663,7 +663,7 @@ process_fstat(void)
|
||||
debug("request %u: fstat \"%s\" (handle %u)",
|
||||
id, handle_to_name(handle), handle);
|
||||
fd = handle_to_fd(handle);
|
||||
if (fd >= 0) {
|
||||
if (fd >= 0) {
|
||||
ret = fstat(fd, &st);
|
||||
if (ret < 0) {
|
||||
status = errno_to_portable(errno);
|
||||
|
266
sftp.0
Normal file
266
sftp.0
Normal file
@ -0,0 +1,266 @@
|
||||
SFTP(1) OpenBSD Reference Manual SFTP(1)
|
||||
|
||||
NAME
|
||||
sftp - secure file transfer program
|
||||
|
||||
SYNOPSIS
|
||||
sftp [-1Cv] [-B buffer_size] [-b batchfile] [-F ssh_config]
|
||||
[-o ssh_option] [-P sftp_server_path] [-R num_requests] [-S program]
|
||||
[-s subsystem | sftp_server] host
|
||||
sftp [[user@]host[:file [file]]]
|
||||
sftp [[user@]host[:dir[/]]]
|
||||
sftp -b batchfile [user@]host
|
||||
|
||||
DESCRIPTION
|
||||
sftp is an interactive file transfer program, similar to ftp(1), which
|
||||
performs all operations over an encrypted ssh(1) transport. It may also
|
||||
use many features of ssh, such as public key authentication and compres-
|
||||
sion. sftp connects and logs into the specified host, then enters an in-
|
||||
teractive command mode.
|
||||
|
||||
The second usage format will retrieve files automatically if a non-inter-
|
||||
active authentication method is used; otherwise it will do so after suc-
|
||||
cessful interactive authentication.
|
||||
|
||||
The third usage format allows sftp to start in a remote directory.
|
||||
|
||||
The final usage format allows for automated sessions using the -b option.
|
||||
In such cases, it is necessary to configure non-interactive authentica-
|
||||
tion to obviate the need to enter a password at connection time (see
|
||||
sshd(8) and ssh-keygen(1) for details). The options are as follows:
|
||||
|
||||
-1 Specify the use of protocol version 1.
|
||||
|
||||
-B buffer_size
|
||||
Specify the size of the buffer that sftp uses when transferring
|
||||
files. Larger buffers require fewer round trips at the cost of
|
||||
higher memory consumption. The default is 32768 bytes.
|
||||
|
||||
-b batchfile
|
||||
Batch mode reads a series of commands from an input batchfile in-
|
||||
stead of stdin. Since it lacks user interaction it should be
|
||||
used in conjunction with non-interactive authentication. A
|
||||
batchfile of `-' may be used to indicate standard input. sftp
|
||||
will abort if any of the following commands fail: get, put,
|
||||
rename, ln, rm, mkdir, chdir, ls, lchdir, chmod, chown, chgrp,
|
||||
lpwd and lmkdir. Termination on error can be suppressed on a
|
||||
command by command basis by prefixing the command with a `-'
|
||||
character (for example, -rm /tmp/blah*).
|
||||
|
||||
-C Enables compression (via ssh's -C flag).
|
||||
|
||||
-F ssh_config
|
||||
Specifies an alternative per-user configuration file for ssh(1).
|
||||
This option is directly passed to ssh(1).
|
||||
|
||||
-o ssh_option
|
||||
Can be used to pass options to ssh in the format used in
|
||||
ssh_config(5). This is useful for specifying options for which
|
||||
there is no separate sftp command-line flag. For example, to
|
||||
specify an alternate port use: sftp -oPort=24. For full details
|
||||
of the options listed below, and their possible values, see
|
||||
ssh_config(5).
|
||||
|
||||
AddressFamily
|
||||
BatchMode
|
||||
BindAddress
|
||||
ChallengeResponseAuthentication
|
||||
CheckHostIP
|
||||
Cipher
|
||||
Ciphers
|
||||
Compression
|
||||
CompressionLevel
|
||||
ConnectionAttempts
|
||||
ConnectTimeout
|
||||
ControlMaster
|
||||
ControlPath
|
||||
GlobalKnownHostsFile
|
||||
GSSAPIAuthentication
|
||||
GSSAPIDelegateCredentials
|
||||
HashKnownHosts
|
||||
Host
|
||||
HostbasedAuthentication
|
||||
HostKeyAlgorithms
|
||||
HostKeyAlias
|
||||
HostName
|
||||
IdentityFile
|
||||
IdentitiesOnly
|
||||
KbdInteractiveDevices
|
||||
LogLevel
|
||||
MACs
|
||||
NoHostAuthenticationForLocalhost
|
||||
NumberOfPasswordPrompts
|
||||
PasswordAuthentication
|
||||
Port
|
||||
PreferredAuthentications
|
||||
Protocol
|
||||
ProxyCommand
|
||||
PubkeyAuthentication
|
||||
RekeyLimit
|
||||
RhostsRSAAuthentication
|
||||
RSAAuthentication
|
||||
SendEnv
|
||||
ServerAliveInterval
|
||||
ServerAliveCountMax
|
||||
SmartcardDevice
|
||||
StrictHostKeyChecking
|
||||
TCPKeepAlive
|
||||
UsePrivilegedPort
|
||||
User
|
||||
UserKnownHostsFile
|
||||
VerifyHostKeyDNS
|
||||
|
||||
-P sftp_server_path
|
||||
Connect directly to a local sftp server (rather than via ssh(1)).
|
||||
This option may be useful in debugging the client and server.
|
||||
|
||||
-R num_requests
|
||||
Specify how many requests may be outstanding at any one time.
|
||||
Increasing this may slightly improve file transfer speed but will
|
||||
increase memory usage. The default is 16 outstanding requests.
|
||||
|
||||
-S program
|
||||
Name of the program to use for the encrypted connection. The
|
||||
program must understand ssh(1) options.
|
||||
|
||||
-s subsystem | sftp_server
|
||||
Specifies the SSH2 subsystem or the path for an sftp server on
|
||||
the remote host. A path is useful for using sftp over protocol
|
||||
version 1, or when the remote sshd(8) does not have an sftp sub-
|
||||
system configured.
|
||||
|
||||
-v Raise logging level. This option is also passed to ssh.
|
||||
|
||||
INTERACTIVE COMMANDS
|
||||
Once in interactive mode, sftp understands a set of commands similar to
|
||||
those of ftp(1). Commands are case insensitive. Pathnames that contain
|
||||
spaces must be enclosed in quotes. Any special characters contained
|
||||
within pathnames that are recognized by glob(3) must be escaped with
|
||||
backslashes (`\').
|
||||
|
||||
bye Quit sftp.
|
||||
|
||||
cd path
|
||||
Change remote directory to path.
|
||||
|
||||
chgrp grp path
|
||||
Change group of file path to grp. path may contain glob(3) char-
|
||||
acters and may match multiple files. grp must be a numeric GID.
|
||||
|
||||
chmod mode path
|
||||
Change permissions of file path to mode. path may contain
|
||||
glob(3) characters and may match multiple files.
|
||||
|
||||
chown own path
|
||||
Change owner of file path to own. path may contain glob(3) char-
|
||||
acters and may match multiple files. own must be a numeric UID.
|
||||
|
||||
exit Quit sftp.
|
||||
|
||||
get [-P] remote-path [local-path]
|
||||
Retrieve the remote-path and store it on the local machine. If
|
||||
the local path name is not specified, it is given the same name
|
||||
it has on the remote machine. remote-path may contain glob(3)
|
||||
characters and may match multiple files. If it does and local-
|
||||
path is specified, then local-path must specify a directory. If
|
||||
the -P flag is specified, then full file permissions and access
|
||||
times are copied too.
|
||||
|
||||
help Display help text.
|
||||
|
||||
lcd path
|
||||
Change local directory to path.
|
||||
|
||||
lls [ls-options [path]]
|
||||
Display local directory listing of either path or current direc-
|
||||
tory if path is not specified. ls-options may contain any flags
|
||||
supported by the local system's ls(1) command. path may contain
|
||||
glob(3) characters and may match multiple files.
|
||||
|
||||
lmkdir path
|
||||
Create local directory specified by path.
|
||||
|
||||
ln oldpath newpath
|
||||
Create a symbolic link from oldpath to newpath.
|
||||
|
||||
lpwd Print local working directory.
|
||||
|
||||
ls [-1aflnrSt] [path]
|
||||
Display a remote directory listing of either path or the current
|
||||
directory if path is not specified. path may contain glob(3)
|
||||
characters and may match multiple files.
|
||||
|
||||
The following flags are recognized and alter the behaviour of ls
|
||||
accordingly:
|
||||
|
||||
-1 Produce single columnar output.
|
||||
|
||||
-a List files beginning with a dot (`.').
|
||||
|
||||
-f Do not sort the listing. The default sort order is lexi-
|
||||
cographical.
|
||||
|
||||
-l Display additional details including permissions and own-
|
||||
ership information.
|
||||
|
||||
-n Produce a long listing with user and group information
|
||||
presented numerically.
|
||||
|
||||
-r Reverse the sort order of the listing.
|
||||
|
||||
-S Sort the listing by file size.
|
||||
|
||||
-t Sort the listing by last modification time.
|
||||
|
||||
lumask umask
|
||||
Set local umask to umask.
|
||||
|
||||
mkdir path
|
||||
Create remote directory specified by path.
|
||||
|
||||
progress
|
||||
Toggle display of progress meter.
|
||||
|
||||
put [-P] local-path [remote-path]
|
||||
Upload local-path and store it on the remote machine. If the re-
|
||||
mote path name is not specified, it is given the same name it has
|
||||
on the local machine. local-path may contain glob(3) characters
|
||||
and may match multiple files. If it does and remote-path is
|
||||
specified, then remote-path must specify a directory. If the -P
|
||||
flag is specified, then the file's full permission and access
|
||||
time are copied too.
|
||||
|
||||
pwd Display remote working directory.
|
||||
|
||||
quit Quit sftp.
|
||||
|
||||
rename oldpath newpath
|
||||
Rename remote file from oldpath to newpath.
|
||||
|
||||
rm path
|
||||
Delete remote file specified by path.
|
||||
|
||||
rmdir path
|
||||
Remove remote directory specified by path.
|
||||
|
||||
symlink oldpath newpath
|
||||
Create a symbolic link from oldpath to newpath.
|
||||
|
||||
version
|
||||
Display the sftp protocol version.
|
||||
|
||||
! command
|
||||
Execute command in local shell.
|
||||
|
||||
! Escape to local shell.
|
||||
|
||||
? Synonym for help.
|
||||
|
||||
SEE ALSO
|
||||
ftp(1), ls(1), scp(1), ssh(1), ssh-add(1), ssh-keygen(1), glob(3),
|
||||
ssh_config(5), sftp-server(8), sshd(8)
|
||||
|
||||
T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
|
||||
filexfer-00.txt, January 2001, work in progress material.
|
||||
|
||||
OpenBSD 4.1 February 4, 2001 4
|
10
sftp.c
10
sftp.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: sftp.c,v 1.93 2006/09/30 17:48:22 ray Exp $ */
|
||||
/* $OpenBSD: sftp.c,v 1.96 2007/01/03 04:09:15 stevesk Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
|
||||
*
|
||||
@ -166,6 +166,7 @@ static const struct CMD cmds[] = {
|
||||
|
||||
int interactive_loop(int fd_in, int fd_out, char *file1, char *file2);
|
||||
|
||||
/* ARGSUSED */
|
||||
static void
|
||||
killchild(int signo)
|
||||
{
|
||||
@ -177,6 +178,7 @@ killchild(int signo)
|
||||
_exit(1);
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
static void
|
||||
cmd_interrupt(int signo)
|
||||
{
|
||||
@ -298,11 +300,11 @@ static char *
|
||||
path_append(char *p1, char *p2)
|
||||
{
|
||||
char *ret;
|
||||
int len = strlen(p1) + strlen(p2) + 2;
|
||||
size_t len = strlen(p1) + strlen(p2) + 2;
|
||||
|
||||
ret = xmalloc(len);
|
||||
strlcpy(ret, p1, len);
|
||||
if (p1[strlen(p1) - 1] != '/')
|
||||
if (p1[0] != '\0' && p1[strlen(p1) - 1] != '/')
|
||||
strlcat(ret, "/", len);
|
||||
strlcat(ret, p2, len);
|
||||
|
||||
@ -1566,7 +1568,7 @@ main(int argc, char **argv)
|
||||
fprintf(stderr, "Missing username\n");
|
||||
usage();
|
||||
}
|
||||
addargs(&args, "-l%s",userhost);
|
||||
addargs(&args, "-l%s", userhost);
|
||||
}
|
||||
|
||||
if ((cp = colon(host)) != NULL) {
|
||||
|
102
ssh-add.0
Normal file
102
ssh-add.0
Normal file
@ -0,0 +1,102 @@
|
||||
SSH-ADD(1) OpenBSD Reference Manual SSH-ADD(1)
|
||||
|
||||
NAME
|
||||
ssh-add - adds RSA or DSA identities to the authentication agent
|
||||
|
||||
SYNOPSIS
|
||||
ssh-add [-cDdLlXx] [-t life] [file ...]
|
||||
ssh-add -s reader
|
||||
ssh-add -e reader
|
||||
|
||||
DESCRIPTION
|
||||
ssh-add adds RSA or DSA identities to the authentication agent,
|
||||
ssh-agent(1). When run without arguments, it adds the files
|
||||
~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity. Alternative file names
|
||||
can be given on the command line. If any file requires a passphrase,
|
||||
ssh-add asks for the passphrase from the user. The passphrase is read
|
||||
from the user's tty. ssh-add retries the last passphrase if multiple
|
||||
identity files are given.
|
||||
|
||||
The authentication agent must be running and the SSH_AUTH_SOCK environ-
|
||||
ment variable must contain the name of its socket for ssh-add to work.
|
||||
|
||||
The options are as follows:
|
||||
|
||||
-c Indicates that added identities should be subject to confirmation
|
||||
before being used for authentication. Confirmation is performed
|
||||
by the SSH_ASKPASS program mentioned below. Successful confirma-
|
||||
tion is signaled by a zero exit status from the SSH_ASKPASS pro-
|
||||
gram, rather than text entered into the requester.
|
||||
|
||||
-D Deletes all identities from the agent.
|
||||
|
||||
-d Instead of adding the identity, removes the identity from the
|
||||
agent.
|
||||
|
||||
-e reader
|
||||
Remove key in smartcard reader.
|
||||
|
||||
-L Lists public key parameters of all identities currently repre-
|
||||
sented by the agent.
|
||||
|
||||
-l Lists fingerprints of all identities currently represented by the
|
||||
agent.
|
||||
|
||||
-s reader
|
||||
Add key in smartcard reader.
|
||||
|
||||
-t life
|
||||
Set a maximum lifetime when adding identities to an agent. The
|
||||
lifetime may be specified in seconds or in a time format speci-
|
||||
fied in sshd_config(5).
|
||||
|
||||
-X Unlock the agent.
|
||||
|
||||
-x Lock the agent with a password.
|
||||
|
||||
ENVIRONMENT
|
||||
DISPLAY and SSH_ASKPASS
|
||||
If ssh-add needs a passphrase, it will read the passphrase from
|
||||
the current terminal if it was run from a terminal. If ssh-add
|
||||
does not have a terminal associated with it but DISPLAY and
|
||||
SSH_ASKPASS are set, it will execute the program specified by
|
||||
SSH_ASKPASS and open an X11 window to read the passphrase. This
|
||||
is particularly useful when calling ssh-add from a .xsession or
|
||||
related script. (Note that on some machines it may be necessary
|
||||
to redirect the input from /dev/null to make this work.)
|
||||
|
||||
SSH_AUTH_SOCK
|
||||
Identifies the path of a unix-domain socket used to communicate
|
||||
with the agent.
|
||||
|
||||
FILES
|
||||
~/.ssh/identity
|
||||
Contains the protocol version 1 RSA authentication identity of
|
||||
the user.
|
||||
|
||||
~/.ssh/id_dsa
|
||||
Contains the protocol version 2 DSA authentication identity of
|
||||
the user.
|
||||
|
||||
~/.ssh/id_rsa
|
||||
Contains the protocol version 2 RSA authentication identity of
|
||||
the user.
|
||||
|
||||
Identity files should not be readable by anyone but the user. Note that
|
||||
ssh-add ignores identity files if they are accessible by others.
|
||||
|
||||
DIAGNOSTICS
|
||||
Exit status is 0 on success, 1 if the specified command fails, and 2 if
|
||||
ssh-add is unable to contact the authentication agent.
|
||||
|
||||
SEE ALSO
|
||||
ssh(1), ssh-agent(1), ssh-keygen(1), sshd(8)
|
||||
|
||||
AUTHORS
|
||||
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
|
||||
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
|
||||
de Raadt and Dug Song removed many bugs, re-added newer features and cre-
|
||||
ated OpenSSH. Markus Friedl contributed the support for SSH protocol
|
||||
versions 1.5 and 2.0.
|
||||
|
||||
OpenBSD 4.1 September 25, 1999 2
|
117
ssh-agent.0
Normal file
117
ssh-agent.0
Normal file
@ -0,0 +1,117 @@
|
||||
SSH-AGENT(1) OpenBSD Reference Manual SSH-AGENT(1)
|
||||
|
||||
NAME
|
||||
ssh-agent - authentication agent
|
||||
|
||||
SYNOPSIS
|
||||
ssh-agent [-a bind_address] [-c | -s] [-t life] [-d] [command [args ...]]
|
||||
ssh-agent [-c | -s] -k
|
||||
|
||||
DESCRIPTION
|
||||
ssh-agent is a program to hold private keys used for public key authenti-
|
||||
cation (RSA, DSA). The idea is that ssh-agent is started in the begin-
|
||||
ning of an X-session or a login session, and all other windows or pro-
|
||||
grams are started as clients to the ssh-agent program. Through use of
|
||||
environment variables the agent can be located and automatically used for
|
||||
authentication when logging in to other machines using ssh(1).
|
||||
|
||||
The options are as follows:
|
||||
|
||||
-a bind_address
|
||||
Bind the agent to the unix-domain socket bind_address. The de-
|
||||
fault is /tmp/ssh-XXXXXXXXXX/agent.<ppid>.
|
||||
|
||||
-c Generate C-shell commands on stdout. This is the default if
|
||||
SHELL looks like it's a csh style of shell.
|
||||
|
||||
-s Generate Bourne shell commands on stdout. This is the default if
|
||||
SHELL does not look like it's a csh style of shell.
|
||||
|
||||
-k Kill the current agent (given by the SSH_AGENT_PID environment
|
||||
variable).
|
||||
|
||||
-t life
|
||||
Set a default value for the maximum lifetime of identities added
|
||||
to the agent. The lifetime may be specified in seconds or in a
|
||||
time format specified in sshd_config(5). A lifetime specified
|
||||
for an identity with ssh-add(1) overrides this value. Without
|
||||
this option the default maximum lifetime is forever.
|
||||
|
||||
-d Debug mode. When this option is specified ssh-agent will not
|
||||
fork.
|
||||
|
||||
If a commandline is given, this is executed as a subprocess of the agent.
|
||||
When the command dies, so does the agent.
|
||||
|
||||
The agent initially does not have any private keys. Keys are added using
|
||||
ssh-add(1). When executed without arguments, ssh-add(1) adds the files
|
||||
~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity. If the identity has a
|
||||
passphrase, ssh-add(1) asks for the passphrase (using a small X11 appli-
|
||||
cation if running under X11, or from the terminal if running without X).
|
||||
It then sends the identity to the agent. Several identities can be
|
||||
stored in the agent; the agent can automatically use any of these identi-
|
||||
ties. ssh-add -l displays the identities currently held by the agent.
|
||||
|
||||
The idea is that the agent is run in the user's local PC, laptop, or ter-
|
||||
minal. Authentication data need not be stored on any other machine, and
|
||||
authentication passphrases never go over the network. However, the con-
|
||||
nection to the agent is forwarded over SSH remote logins, and the user
|
||||
can thus use the privileges given by the identities anywhere in the net-
|
||||
work in a secure way.
|
||||
|
||||
There are two main ways to get an agent set up: The first is that the
|
||||
agent starts a new subcommand into which some environment variables are
|
||||
exported, eg ssh-agent xterm &. The second is that the agent prints the
|
||||
needed shell commands (either sh(1) or csh(1) syntax can be generated)
|
||||
which can be evalled in the calling shell, eg eval `ssh-agent -s` for
|
||||
Bourne-type shells such as sh(1) or ksh(1) and eval `ssh-agent -c` for
|
||||
csh(1) and derivatives.
|
||||
|
||||
Later ssh(1) looks at these variables and uses them to establish a con-
|
||||
nection to the agent.
|
||||
|
||||
The agent will never send a private key over its request channel. In-
|
||||
stead, operations that require a private key will be performed by the
|
||||
agent, and the result will be returned to the requester. This way, pri-
|
||||
vate keys are not exposed to clients using the agent.
|
||||
|
||||
A unix-domain socket is created and the name of this socket is stored in
|
||||
the SSH_AUTH_SOCK environment variable. The socket is made accessible
|
||||
only to the current user. This method is easily abused by root or anoth-
|
||||
er instance of the same user.
|
||||
|
||||
The SSH_AGENT_PID environment variable holds the agent's process ID.
|
||||
|
||||
The agent exits automatically when the command given on the command line
|
||||
terminates.
|
||||
|
||||
FILES
|
||||
~/.ssh/identity
|
||||
Contains the protocol version 1 RSA authentication identity of
|
||||
the user.
|
||||
|
||||
~/.ssh/id_dsa
|
||||
Contains the protocol version 2 DSA authentication identity of
|
||||
the user.
|
||||
|
||||
~/.ssh/id_rsa
|
||||
Contains the protocol version 2 RSA authentication identity of
|
||||
the user.
|
||||
|
||||
/tmp/ssh-XXXXXXXXXX/agent.<ppid>
|
||||
Unix-domain sockets used to contain the connection to the authen-
|
||||
tication agent. These sockets should only be readable by the
|
||||
owner. The sockets should get automatically removed when the
|
||||
agent exits.
|
||||
|
||||
SEE ALSO
|
||||
ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)
|
||||
|
||||
AUTHORS
|
||||
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
|
||||
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
|
||||
de Raadt and Dug Song removed many bugs, re-added newer features and cre-
|
||||
ated OpenSSH. Markus Friedl contributed the support for SSH protocol
|
||||
versions 1.5 and 2.0.
|
||||
|
||||
OpenBSD 4.1 September 25, 1999 2
|
24
ssh-agent.c
24
ssh-agent.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssh-agent.c,v 1.153 2006/10/06 02:29:19 djm Exp $ */
|
||||
/* $OpenBSD: ssh-agent.c,v 1.154 2007/02/28 00:55:30 dtucker Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -434,6 +434,7 @@ reaper(void)
|
||||
for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) {
|
||||
nxt = TAILQ_NEXT(id, next);
|
||||
if (id->death != 0 && now >= id->death) {
|
||||
debug("expiring key '%s'", id->comment);
|
||||
TAILQ_REMOVE(&tab->idlist, id, next);
|
||||
free_identity(id);
|
||||
tab->nentries--;
|
||||
@ -698,9 +699,6 @@ process_message(SocketEntry *e)
|
||||
u_int msg_len, type;
|
||||
u_char *cp;
|
||||
|
||||
/* kill dead keys */
|
||||
reaper();
|
||||
|
||||
if (buffer_len(&e->input) < 5)
|
||||
return; /* Incomplete message. */
|
||||
cp = buffer_ptr(&e->input);
|
||||
@ -1016,7 +1014,7 @@ int
|
||||
main(int ac, char **av)
|
||||
{
|
||||
int c_flag = 0, d_flag = 0, k_flag = 0, s_flag = 0;
|
||||
int sock, fd, ch;
|
||||
int sock, fd, ch, result, saved_errno;
|
||||
u_int nalloc;
|
||||
char *shell, *format, *pidstr, *agentsocket = NULL;
|
||||
fd_set *readsetp = NULL, *writesetp = NULL;
|
||||
@ -1029,6 +1027,7 @@ main(int ac, char **av)
|
||||
extern char *optarg;
|
||||
pid_t pid;
|
||||
char pidstrbuf[1 + 3 * sizeof pid];
|
||||
struct timeval tv;
|
||||
|
||||
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
||||
sanitise_stdfd();
|
||||
@ -1242,13 +1241,18 @@ main(int ac, char **av)
|
||||
nalloc = 0;
|
||||
|
||||
while (1) {
|
||||
tv.tv_sec = 10;
|
||||
tv.tv_usec = 0;
|
||||
prepare_select(&readsetp, &writesetp, &max_fd, &nalloc);
|
||||
if (select(max_fd + 1, readsetp, writesetp, NULL, NULL) < 0) {
|
||||
if (errno == EINTR)
|
||||
result = select(max_fd + 1, readsetp, writesetp, NULL, &tv);
|
||||
saved_errno = errno;
|
||||
reaper(); /* remove expired keys */
|
||||
if (result < 0) {
|
||||
if (saved_errno == EINTR)
|
||||
continue;
|
||||
fatal("select: %s", strerror(errno));
|
||||
}
|
||||
after_select(readsetp, writesetp);
|
||||
fatal("select: %s", strerror(saved_errno));
|
||||
} else if (result > 0)
|
||||
after_select(readsetp, writesetp);
|
||||
}
|
||||
/* NOTREACHED */
|
||||
}
|
||||
|
287
ssh-keygen.0
Normal file
287
ssh-keygen.0
Normal file
@ -0,0 +1,287 @@
|
||||
SSH-KEYGEN(1) OpenBSD Reference Manual SSH-KEYGEN(1)
|
||||
|
||||
NAME
|
||||
ssh-keygen - authentication key generation, management and conversion
|
||||
|
||||
SYNOPSIS
|
||||
ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment]
|
||||
[-f output_keyfile]
|
||||
ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
|
||||
ssh-keygen -i [-f input_keyfile]
|
||||
ssh-keygen -e [-f input_keyfile]
|
||||
ssh-keygen -y [-f input_keyfile]
|
||||
ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
|
||||
ssh-keygen -l [-f input_keyfile]
|
||||
ssh-keygen -B [-f input_keyfile]
|
||||
ssh-keygen -D reader
|
||||
ssh-keygen -F hostname [-f known_hosts_file]
|
||||
ssh-keygen -H [-f known_hosts_file]
|
||||
ssh-keygen -R hostname [-f known_hosts_file]
|
||||
ssh-keygen -U reader [-f input_keyfile]
|
||||
ssh-keygen -r hostname [-f input_keyfile] [-g]
|
||||
ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
|
||||
ssh-keygen -T output_file -f input_file [-v] [-a num_trials] [-W
|
||||
generator]
|
||||
|
||||
DESCRIPTION
|
||||
ssh-keygen generates, manages and converts authentication keys for
|
||||
ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1
|
||||
and RSA or DSA keys for use by SSH protocol version 2. The type of key
|
||||
to be generated is specified with the -t option. If invoked without any
|
||||
arguments, ssh-keygen will generate an RSA key for use in SSH protocol 2
|
||||
connections.
|
||||
|
||||
ssh-keygen is also used to generate groups for use in Diffie-Hellman
|
||||
group exchange (DH-GEX). See the MODULI GENERATION section for details.
|
||||
|
||||
Normally each user wishing to use SSH with RSA or DSA authentication runs
|
||||
this once to create the authentication key in ~/.ssh/identity,
|
||||
~/.ssh/id_dsa or ~/.ssh/id_rsa. Additionally, the system administrator
|
||||
may use this to generate host keys, as seen in /etc/rc.
|
||||
|
||||
Normally this program generates the key and asks for a file in which to
|
||||
store the private key. The public key is stored in a file with the same
|
||||
name but ``.pub'' appended. The program also asks for a passphrase. The
|
||||
passphrase may be empty to indicate no passphrase (host keys must have an
|
||||
empty passphrase), or it may be a string of arbitrary length. A
|
||||
passphrase is similar to a password, except it can be a phrase with a se-
|
||||
ries of words, punctuation, numbers, whitespace, or any string of charac-
|
||||
ters you want. Good passphrases are 10-30 characters long, are not sim-
|
||||
ple sentences or otherwise easily guessable (English prose has only 1-2
|
||||
bits of entropy per character, and provides very bad passphrases), and
|
||||
contain a mix of upper and lowercase letters, numbers, and non-alphanu-
|
||||
meric characters. The passphrase can be changed later by using the -p
|
||||
option.
|
||||
|
||||
There is no way to recover a lost passphrase. If the passphrase is lost
|
||||
or forgotten, a new key must be generated and copied to the corresponding
|
||||
public key to other machines.
|
||||
|
||||
For RSA1 keys, there is also a comment field in the key file that is only
|
||||
for convenience to the user to help identify the key. The comment can
|
||||
tell what the key is for, or whatever is useful. The comment is initial-
|
||||
ized to ``user@host'' when the key is created, but can be changed using
|
||||
the -c option.
|
||||
|
||||
After a key is generated, instructions below detail where the keys should
|
||||
be placed to be activated.
|
||||
|
||||
The options are as follows:
|
||||
|
||||
-a trials
|
||||
Specifies the number of primality tests to perform when screening
|
||||
DH-GEX candidates using the -T command.
|
||||
|
||||
-B Show the bubblebabble digest of specified private or public key
|
||||
file.
|
||||
|
||||
-b bits
|
||||
Specifies the number of bits in the key to create. For RSA keys,
|
||||
the minimum size is 768 bits and the default is 2048 bits. Gen-
|
||||
erally, 2048 bits is considered sufficient. DSA keys must be ex-
|
||||
actly 1024 bits as specified by FIPS 186-2.
|
||||
|
||||
-C comment
|
||||
Provides a new comment.
|
||||
|
||||
-c Requests changing the comment in the private and public key
|
||||
files. This operation is only supported for RSA1 keys. The pro-
|
||||
gram will prompt for the file containing the private keys, for
|
||||
the passphrase if the key has one, and for the new comment.
|
||||
|
||||
-D reader
|
||||
Download the RSA public key stored in the smartcard in reader.
|
||||
|
||||
-e This option will read a private or public OpenSSH key file and
|
||||
print the key in RFC 4716 SSH Public Key File Format to stdout.
|
||||
This option allows exporting keys for use by several commercial
|
||||
SSH implementations.
|
||||
|
||||
-F hostname
|
||||
Search for the specified hostname in a known_hosts file, listing
|
||||
any occurrences found. This option is useful to find hashed host
|
||||
names or addresses and may also be used in conjunction with the
|
||||
-H option to print found keys in a hashed format.
|
||||
|
||||
-f filename
|
||||
Specifies the filename of the key file.
|
||||
|
||||
-G output_file
|
||||
Generate candidate primes for DH-GEX. These primes must be
|
||||
screened for safety (using the -T option) before use.
|
||||
|
||||
-g Use generic DNS format when printing fingerprint resource records
|
||||
using the -r command.
|
||||
|
||||
-H Hash a known_hosts file. This replaces all hostnames and ad-
|
||||
dresses with hashed representations within the specified file;
|
||||
the original content is moved to a file with a .old suffix.
|
||||
These hashes may be used normally by ssh and sshd, but they do
|
||||
not reveal identifying information should the file's contents be
|
||||
disclosed. This option will not modify existing hashed hostnames
|
||||
and is therefore safe to use on files that mix hashed and non-
|
||||
hashed names.
|
||||
|
||||
-i This option will read an unencrypted private (or public) key file
|
||||
in SSH2-compatible format and print an OpenSSH compatible private
|
||||
(or public) key to stdout. ssh-keygen also reads the RFC 4716
|
||||
SSH Public Key File Format. This option allows importing keys
|
||||
from several commercial SSH implementations.
|
||||
|
||||
-l Show fingerprint of specified public key file. Private RSA1 keys
|
||||
are also supported. For RSA and DSA keys ssh-keygen tries to
|
||||
find the matching public key file and prints its fingerprint.
|
||||
|
||||
-M memory
|
||||
Specify the amount of memory to use (in megabytes) when generat-
|
||||
ing candidate moduli for DH-GEX.
|
||||
|
||||
-N new_passphrase
|
||||
Provides the new passphrase.
|
||||
|
||||
-P passphrase
|
||||
Provides the (old) passphrase.
|
||||
|
||||
-p Requests changing the passphrase of a private key file instead of
|
||||
creating a new private key. The program will prompt for the file
|
||||
containing the private key, for the old passphrase, and twice for
|
||||
the new passphrase.
|
||||
|
||||
-q Silence ssh-keygen. Used by /etc/rc when creating a new key.
|
||||
|
||||
-R hostname
|
||||
Removes all keys belonging to hostname from a known_hosts file.
|
||||
This option is useful to delete hashed hosts (see the -H option
|
||||
above).
|
||||
|
||||
-r hostname
|
||||
Print the SSHFP fingerprint resource record named hostname for
|
||||
the specified public key file.
|
||||
|
||||
-S start
|
||||
Specify start point (in hex) when generating candidate moduli for
|
||||
DH-GEX.
|
||||
|
||||
-T output_file
|
||||
Test DH group exchange candidate primes (generated using the -G
|
||||
option) for safety.
|
||||
|
||||
-t type
|
||||
Specifies the type of key to create. The possible values are
|
||||
``rsa1'' for protocol version 1 and ``rsa'' or ``dsa'' for proto-
|
||||
col version 2.
|
||||
|
||||
-U reader
|
||||
Upload an existing RSA private key into the smartcard in reader.
|
||||
|
||||
-v Verbose mode. Causes ssh-keygen to print debugging messages
|
||||
about its progress. This is helpful for debugging moduli genera-
|
||||
tion. Multiple -v options increase the verbosity. The maximum
|
||||
is 3.
|
||||
|
||||
-W generator
|
||||
Specify desired generator when testing candidate moduli for DH-
|
||||
GEX.
|
||||
|
||||
-y This option will read a private OpenSSH format file and print an
|
||||
OpenSSH public key to stdout.
|
||||
|
||||
MODULI GENERATION
|
||||
ssh-keygen may be used to generate groups for the Diffie-Hellman Group
|
||||
Exchange (DH-GEX) protocol. Generating these groups is a two-step pro-
|
||||
cess: first, candidate primes are generated using a fast, but memory in-
|
||||
tensive process. These candidate primes are then tested for suitability
|
||||
(a CPU-intensive process).
|
||||
|
||||
Generation of primes is performed using the -G option. The desired
|
||||
length of the primes may be specified by the -b option. For example:
|
||||
|
||||
# ssh-keygen -G moduli-2048.candidates -b 2048
|
||||
|
||||
By default, the search for primes begins at a random point in the desired
|
||||
length range. This may be overridden using the -S option, which speci-
|
||||
fies a different start point (in hex).
|
||||
|
||||
Once a set of candidates have been generated, they must be tested for
|
||||
suitability. This may be performed using the -T option. In this mode
|
||||
ssh-keygen will read candidates from standard input (or a file specified
|
||||
using the -f option). For example:
|
||||
|
||||
# ssh-keygen -T moduli-2048 -f moduli-2048.candidates
|
||||
|
||||
By default, each candidate will be subjected to 100 primality tests.
|
||||
This may be overridden using the -a option. The DH generator value will
|
||||
be chosen automatically for the prime under consideration. If a specific
|
||||
generator is desired, it may be requested using the -W option. Valid
|
||||
generator values are 2, 3, and 5.
|
||||
|
||||
Screened DH groups may be installed in /etc/moduli. It is important that
|
||||
this file contains moduli of a range of bit lengths and that both ends of
|
||||
a connection share common moduli.
|
||||
|
||||
FILES
|
||||
~/.ssh/identity
|
||||
Contains the protocol version 1 RSA authentication identity of
|
||||
the user. This file should not be readable by anyone but the us-
|
||||
er. It is possible to specify a passphrase when generating the
|
||||
key; that passphrase will be used to encrypt the private part of
|
||||
this file using 3DES. This file is not automatically accessed by
|
||||
ssh-keygen but it is offered as the default file for the private
|
||||
key. ssh(1) will read this file when a login attempt is made.
|
||||
|
||||
~/.ssh/identity.pub
|
||||
Contains the protocol version 1 RSA public key for authentica-
|
||||
tion. The contents of this file should be added to
|
||||
~/.ssh/authorized_keys on all machines where the user wishes to
|
||||
log in using RSA authentication. There is no need to keep the
|
||||
contents of this file secret.
|
||||
|
||||
~/.ssh/id_dsa
|
||||
Contains the protocol version 2 DSA authentication identity of
|
||||
the user. This file should not be readable by anyone but the us-
|
||||
er. It is possible to specify a passphrase when generating the
|
||||
key; that passphrase will be used to encrypt the private part of
|
||||
this file using 3DES. This file is not automatically accessed by
|
||||
ssh-keygen but it is offered as the default file for the private
|
||||
key. ssh(1) will read this file when a login attempt is made.
|
||||
|
||||
~/.ssh/id_dsa.pub
|
||||
Contains the protocol version 2 DSA public key for authentica-
|
||||
tion. The contents of this file should be added to
|
||||
~/.ssh/authorized_keys on all machines where the user wishes to
|
||||
log in using public key authentication. There is no need to keep
|
||||
the contents of this file secret.
|
||||
|
||||
~/.ssh/id_rsa
|
||||
Contains the protocol version 2 RSA authentication identity of
|
||||
the user. This file should not be readable by anyone but the us-
|
||||
er. It is possible to specify a passphrase when generating the
|
||||
key; that passphrase will be used to encrypt the private part of
|
||||
this file using 3DES. This file is not automatically accessed by
|
||||
ssh-keygen but it is offered as the default file for the private
|
||||
key. ssh(1) will read this file when a login attempt is made.
|
||||
|
||||
~/.ssh/id_rsa.pub
|
||||
Contains the protocol version 2 RSA public key for authentica-
|
||||
tion. The contents of this file should be added to
|
||||
~/.ssh/authorized_keys on all machines where the user wishes to
|
||||
log in using public key authentication. There is no need to keep
|
||||
the contents of this file secret.
|
||||
|
||||
/etc/moduli
|
||||
Contains Diffie-Hellman groups used for DH-GEX. The file format
|
||||
is described in moduli(5).
|
||||
|
||||
SEE ALSO
|
||||
ssh(1), ssh-add(1), ssh-agent(1), moduli(5), sshd(8)
|
||||
|
||||
The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006.
|
||||
|
||||
AUTHORS
|
||||
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
|
||||
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
|
||||
de Raadt and Dug Song removed many bugs, re-added newer features and
|
||||
created OpenSSH. Markus Friedl contributed the support for SSH protocol
|
||||
versions 1.5 and 2.0.
|
||||
|
||||
OpenBSD 4.1 September 25, 1999 5
|
17
ssh-keygen.1
17
ssh-keygen.1
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: ssh-keygen.1,v 1.72 2005/11/28 05:16:53 dtucker Exp $
|
||||
.\" $OpenBSD: ssh-keygen.1,v 1.74 2007/01/12 20:20:41 jmc Exp $
|
||||
.\"
|
||||
.\" -*- nroff -*-
|
||||
.\"
|
||||
@ -205,8 +205,8 @@ Download the RSA public key stored in the smartcard in
|
||||
.Ar reader .
|
||||
.It Fl e
|
||||
This option will read a private or public OpenSSH key file and
|
||||
print the key in a
|
||||
.Sq SECSH Public Key File Format
|
||||
print the key in
|
||||
RFC 4716 SSH Public Key File Format
|
||||
to stdout.
|
||||
This option allows exporting keys for use by several commercial
|
||||
SSH implementations.
|
||||
@ -253,7 +253,7 @@ in SSH2-compatible format and print an OpenSSH compatible private
|
||||
(or public) key to stdout.
|
||||
.Nm
|
||||
also reads the
|
||||
.Sq SECSH Public Key File Format .
|
||||
RFC 4716 SSH Public Key File Format.
|
||||
This option allows importing keys from several commercial
|
||||
SSH implementations.
|
||||
.It Fl l
|
||||
@ -450,12 +450,9 @@ The file format is described in
|
||||
.Xr moduli 5 ,
|
||||
.Xr sshd 8
|
||||
.Rs
|
||||
.%A J. Galbraith
|
||||
.%A R. Thayer
|
||||
.%T "SECSH Public Key File Format"
|
||||
.%N draft-ietf-secsh-publickeyfile-01.txt
|
||||
.%D March 2001
|
||||
.%O work in progress material
|
||||
.%R RFC 4716
|
||||
.%T "The Secure Shell (SSH) Public Key File Format"
|
||||
.%D 2006
|
||||
.Re
|
||||
.Sh AUTHORS
|
||||
OpenSSH is a derivative of the original and free
|
||||
|
31
ssh-keygen.c
31
ssh-keygen.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssh-keygen.c,v 1.155 2006/11/06 21:25:28 markus Exp $ */
|
||||
/* $OpenBSD: ssh-keygen.c,v 1.160 2007/01/21 01:41:54 stevesk Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -241,7 +241,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
|
||||
buffer_init(&b);
|
||||
buffer_append(&b, blob, blen);
|
||||
|
||||
magic = buffer_get_int(&b);
|
||||
magic = buffer_get_int(&b);
|
||||
if (magic != SSH_COM_PRIVATE_KEY_MAGIC) {
|
||||
error("bad magic 0x%x != 0x%x", magic, SSH_COM_PRIVATE_KEY_MAGIC);
|
||||
buffer_free(&b);
|
||||
@ -253,7 +253,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
|
||||
i2 = buffer_get_int(&b);
|
||||
i3 = buffer_get_int(&b);
|
||||
i4 = buffer_get_int(&b);
|
||||
debug("ignore (%d %d %d %d)", i1,i2,i3,i4);
|
||||
debug("ignore (%d %d %d %d)", i1, i2, i3, i4);
|
||||
if (strcmp(cipher, "none") != 0) {
|
||||
error("unsupported cipher %s", cipher);
|
||||
xfree(cipher);
|
||||
@ -284,7 +284,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
|
||||
buffer_get_bignum_bits(&b, key->dsa->priv_key);
|
||||
break;
|
||||
case KEY_RSA:
|
||||
e = buffer_get_char(&b);
|
||||
e = buffer_get_char(&b);
|
||||
debug("e %lx", e);
|
||||
if (e < 30) {
|
||||
e <<= 8;
|
||||
@ -346,9 +346,8 @@ get_line(FILE *fp, char *line, size_t len)
|
||||
line[pos++] = c;
|
||||
line[pos] = '\0';
|
||||
}
|
||||
if (c == EOF)
|
||||
return -1;
|
||||
return pos;
|
||||
/* We reached EOF */
|
||||
return -1;
|
||||
}
|
||||
|
||||
static void
|
||||
@ -554,7 +553,7 @@ do_fingerprint(struct passwd *pw)
|
||||
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
|
||||
;
|
||||
if (!*cp || *cp == '\n' || *cp == '#')
|
||||
continue ;
|
||||
continue;
|
||||
i = strtol(cp, &ep, 10);
|
||||
if (i == 0 || ep == NULL || (*ep != ' ' && *ep != '\t')) {
|
||||
int quoted = 0;
|
||||
@ -1017,13 +1016,13 @@ usage(void)
|
||||
#ifdef SMARTCARD
|
||||
fprintf(stderr, " -D reader Download public key from smartcard.\n");
|
||||
#endif /* SMARTCARD */
|
||||
fprintf(stderr, " -e Convert OpenSSH to IETF SECSH key file.\n");
|
||||
fprintf(stderr, " -e Convert OpenSSH to RFC 4716 key file.\n");
|
||||
fprintf(stderr, " -F hostname Find hostname in known hosts file.\n");
|
||||
fprintf(stderr, " -f filename Filename of the key file.\n");
|
||||
fprintf(stderr, " -G file Generate candidates for DH-GEX moduli.\n");
|
||||
fprintf(stderr, " -g Use generic DNS resource record format.\n");
|
||||
fprintf(stderr, " -H Hash names in known_hosts file.\n");
|
||||
fprintf(stderr, " -i Convert IETF SECSH to OpenSSH key file.\n");
|
||||
fprintf(stderr, " -i Convert RFC 4716 to OpenSSH key file.\n");
|
||||
fprintf(stderr, " -l Show fingerprint of key file.\n");
|
||||
fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n");
|
||||
fprintf(stderr, " -N phrase Provide new passphrase.\n");
|
||||
@ -1049,7 +1048,7 @@ usage(void)
|
||||
* Main program for key management.
|
||||
*/
|
||||
int
|
||||
main(int ac, char **av)
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2;
|
||||
char out_file[MAXPATHLEN], *reader_id = NULL;
|
||||
@ -1071,10 +1070,10 @@ main(int ac, char **av)
|
||||
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
||||
sanitise_stdfd();
|
||||
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
__progname = ssh_get_progname(argv[0]);
|
||||
|
||||
SSLeay_add_all_algorithms();
|
||||
log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
|
||||
log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
|
||||
|
||||
init_rng();
|
||||
seed_rng();
|
||||
@ -1090,7 +1089,7 @@ main(int ac, char **av)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
while ((opt = getopt(ac, av,
|
||||
while ((opt = getopt(argc, argv,
|
||||
"degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
|
||||
switch (opt) {
|
||||
case 'b':
|
||||
@ -1223,9 +1222,9 @@ main(int ac, char **av)
|
||||
}
|
||||
|
||||
/* reinit */
|
||||
log_init(av[0], log_level, SYSLOG_FACILITY_USER, 1);
|
||||
log_init(argv[0], log_level, SYSLOG_FACILITY_USER, 1);
|
||||
|
||||
if (optind < ac) {
|
||||
if (optind < argc) {
|
||||
printf("Too many arguments.\n");
|
||||
usage();
|
||||
}
|
||||
|
107
ssh-keyscan.0
Normal file
107
ssh-keyscan.0
Normal file
@ -0,0 +1,107 @@
|
||||
SSH-KEYSCAN(1) OpenBSD Reference Manual SSH-KEYSCAN(1)
|
||||
|
||||
NAME
|
||||
ssh-keyscan - gather ssh public keys
|
||||
|
||||
SYNOPSIS
|
||||
ssh-keyscan [-46Hv] [-f file] [-p port] [-T timeout] [-t type]
|
||||
[host | addrlist namelist] [...]
|
||||
|
||||
DESCRIPTION
|
||||
ssh-keyscan is a utility for gathering the public ssh host keys of a num-
|
||||
ber of hosts. It was designed to aid in building and verifying
|
||||
ssh_known_hosts files. ssh-keyscan provides a minimal interface suitable
|
||||
for use by shell and perl scripts.
|
||||
|
||||
ssh-keyscan uses non-blocking socket I/O to contact as many hosts as pos-
|
||||
sible in parallel, so it is very efficient. The keys from a domain of
|
||||
1,000 hosts can be collected in tens of seconds, even when some of those
|
||||
hosts are down or do not run ssh. For scanning, one does not need login
|
||||
access to the machines that are being scanned, nor does the scanning pro-
|
||||
cess involve any encryption.
|
||||
|
||||
The options are as follows:
|
||||
|
||||
-4 Forces ssh-keyscan to use IPv4 addresses only.
|
||||
|
||||
-6 Forces ssh-keyscan to use IPv6 addresses only.
|
||||
|
||||
-f file
|
||||
Read hosts or addrlist namelist pairs from this file, one per
|
||||
line. If - is supplied instead of a filename, ssh-keyscan will
|
||||
read hosts or addrlist namelist pairs from the standard input.
|
||||
|
||||
-H Hash all hostnames and addresses in the output. Hashed names may
|
||||
be used normally by ssh and sshd, but they do not reveal identi-
|
||||
fying information should the file's contents be disclosed.
|
||||
|
||||
-p port
|
||||
Port to connect to on the remote host.
|
||||
|
||||
-T timeout
|
||||
Set the timeout for connection attempts. If timeout seconds have
|
||||
elapsed since a connection was initiated to a host or since the
|
||||
last time anything was read from that host, then the connection
|
||||
is closed and the host in question considered unavailable. De-
|
||||
fault is 5 seconds.
|
||||
|
||||
-t type
|
||||
Specifies the type of the key to fetch from the scanned hosts.
|
||||
The possible values are ``rsa1'' for protocol version 1 and
|
||||
``rsa'' or ``dsa'' for protocol version 2. Multiple values may
|
||||
be specified by separating them with commas. The default is
|
||||
``rsa1''.
|
||||
|
||||
-v Verbose mode. Causes ssh-keyscan to print debugging messages
|
||||
about its progress.
|
||||
|
||||
SECURITY
|
||||
If an ssh_known_hosts file is constructed using ssh-keyscan without veri-
|
||||
fying the keys, users will be vulnerable to man in the middle attacks.
|
||||
On the other hand, if the security model allows such a risk, ssh-keyscan
|
||||
can help in the detection of tampered keyfiles or man in the middle at-
|
||||
tacks which have begun after the ssh_known_hosts file was created.
|
||||
|
||||
FILES
|
||||
Input format:
|
||||
|
||||
1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
|
||||
|
||||
Output format for rsa1 keys:
|
||||
|
||||
host-or-namelist bits exponent modulus
|
||||
|
||||
Output format for rsa and dsa keys:
|
||||
|
||||
host-or-namelist keytype base64-encoded-key
|
||||
|
||||
Where keytype is either ``ssh-rsa'' or ``ssh-dss''.
|
||||
|
||||
/etc/ssh/ssh_known_hosts
|
||||
|
||||
EXAMPLES
|
||||
Print the rsa1 host key for machine hostname:
|
||||
|
||||
$ ssh-keyscan hostname
|
||||
|
||||
Find all hosts from the file ssh_hosts which have new or different keys
|
||||
from those in the sorted file ssh_known_hosts:
|
||||
|
||||
$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \
|
||||
sort -u - ssh_known_hosts | diff ssh_known_hosts -
|
||||
|
||||
SEE ALSO
|
||||
ssh(1), sshd(8)
|
||||
|
||||
AUTHORS
|
||||
David Mazieres <dm@lcs.mit.edu> wrote the initial version, and Wayne
|
||||
Davison <wayned@users.sourceforge.net> added support for protocol version
|
||||
2.
|
||||
|
||||
BUGS
|
||||
It generates "Connection closed by remote host" messages on the consoles
|
||||
of all the machines it scans if the server is older than version 2.9.
|
||||
This is because it opens a connection to the ssh port, reads the public
|
||||
key, and drops the connection as soon as it gets the key.
|
||||
|
||||
OpenBSD 4.1 January 1, 1996 2
|
42
ssh-keysign.0
Normal file
42
ssh-keysign.0
Normal file
@ -0,0 +1,42 @@
|
||||
SSH-KEYSIGN(8) OpenBSD System Manager's Manual SSH-KEYSIGN(8)
|
||||
|
||||
NAME
|
||||
ssh-keysign - ssh helper program for host-based authentication
|
||||
|
||||
SYNOPSIS
|
||||
ssh-keysign
|
||||
|
||||
DESCRIPTION
|
||||
ssh-keysign is used by ssh(1) to access the local host keys and generate
|
||||
the digital signature required during host-based authentication with SSH
|
||||
protocol version 2.
|
||||
|
||||
ssh-keysign is disabled by default and can only be enabled in the global
|
||||
client configuration file /etc/ssh/ssh_config by setting EnableSSHKeysign
|
||||
to ``yes''.
|
||||
|
||||
ssh-keysign is not intended to be invoked by the user, but from ssh(1).
|
||||
See ssh(1) and sshd(8) for more information about host-based authentica-
|
||||
tion.
|
||||
|
||||
FILES
|
||||
/etc/ssh/ssh_config
|
||||
Controls whether ssh-keysign is enabled.
|
||||
|
||||
/etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
|
||||
These files contain the private parts of the host keys used to
|
||||
generate the digital signature. They should be owned by root,
|
||||
readable only by root, and not accessible to others. Since they
|
||||
are readable only by root, ssh-keysign must be set-uid root if
|
||||
host-based authentication is used.
|
||||
|
||||
SEE ALSO
|
||||
ssh(1), ssh-keygen(1), ssh_config(5), sshd(8)
|
||||
|
||||
HISTORY
|
||||
ssh-keysign first appeared in OpenBSD 3.2.
|
||||
|
||||
AUTHORS
|
||||
Markus Friedl <markus@openbsd.org>
|
||||
|
||||
OpenBSD 4.1 May 24, 2002 1
|
51
ssh-rand-helper.0
Normal file
51
ssh-rand-helper.0
Normal file
@ -0,0 +1,51 @@
|
||||
SSH-RAND-HELPER(8) OpenBSD System Manager's Manual SSH-RAND-HELPER(8)
|
||||
|
||||
NAME
|
||||
ssh-rand-helper - random number gatherer for OpenSSH
|
||||
|
||||
SYNOPSIS
|
||||
ssh-rand-hlper [-vxXh] [-b bytes]
|
||||
|
||||
DESCRIPTION
|
||||
ssh-rand-helper is a small helper program used by ssh(1), ssh-add(1),
|
||||
ssh-agent(1), ssh-keygen(1), ssh-keyscan(1) and sshd(8) to gather random
|
||||
numbers of cryptographic quality if the openssl(4) library has not been
|
||||
configured to provide them itself.
|
||||
|
||||
Normally ssh-rand-helper will generate a strong random seed and provide
|
||||
it to the calling program via standard output. If standard output is a
|
||||
tty, ssh-rand-helper will instead print the seed in hexidecimal format
|
||||
unless told otherwise.
|
||||
|
||||
ssh-rand-helper will by default gather random numbers from the system
|
||||
commands listed in /etc/ssh/ssh_prng_cmds. The output of each of the
|
||||
commands listed will be hashed and used to generate a random seed for the
|
||||
calling program. ssh-rand-helper will also store seed files in
|
||||
~/.ssh/prng_seed between executions.
|
||||
|
||||
Alternately, ssh-rand-helper may be configured at build time to collect
|
||||
random numbers from a EGD/PRNGd server via a unix domain or localhost tcp
|
||||
socket.
|
||||
|
||||
This program is not intended to be run by the end-user, so the few com-
|
||||
mandline options are for debugging purposes only.
|
||||
|
||||
-b bytes
|
||||
Specify the number of random bytes to include in the output.
|
||||
|
||||
-x Output a hexidecimal instead of a binary seed.
|
||||
|
||||
-X Force output of a binary seed, even if standard output is a tty
|
||||
|
||||
-v Turn on debugging message. Multiple -v options will increase the
|
||||
debugging level.
|
||||
|
||||
-h Display a summary of options.
|
||||
|
||||
AUTHORS
|
||||
Damien Miller <djm@mindrot.org>
|
||||
|
||||
SEE ALSO
|
||||
ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)
|
||||
|
||||
OpenBSD 4.1 April 14, 2002 1
|
@ -1,4 +1,4 @@
|
||||
.\" $Id: ssh-rand-helper.8,v 1.2 2003/11/21 12:48:56 djm Exp $
|
||||
.\" $Id: ssh-rand-helper.8,v 1.3 2007/01/22 01:44:53 djm Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2002 Damien Miller. All rights reserved.
|
||||
.\"
|
||||
@ -27,7 +27,7 @@
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm ssh-rand-helper
|
||||
.Nd Random number gatherer for OpenSSH
|
||||
.Nd random number gatherer for OpenSSH
|
||||
.Sh SYNOPSIS
|
||||
.Nm ssh-rand-hlper
|
||||
.Op Fl vxXh
|
||||
@ -82,7 +82,7 @@ Force output of a binary seed, even if standard output is a tty
|
||||
Turn on debugging message. Multiple
|
||||
.Fl v
|
||||
options will increase the debugging level.
|
||||
.Fl h
|
||||
.It Fl h
|
||||
Display a summary of options.
|
||||
.El
|
||||
.Sh AUTHORS
|
||||
|
832
ssh.0
Normal file
832
ssh.0
Normal file
@ -0,0 +1,832 @@
|
||||
SSH(1) OpenBSD Reference Manual SSH(1)
|
||||
|
||||
NAME
|
||||
ssh - OpenSSH SSH client (remote login program)
|
||||
|
||||
SYNOPSIS
|
||||
ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
|
||||
[-D [bind_address:]port] [-e escape_char] [-F configfile]
|
||||
[-i identity_file] [-L [bind_address:]port:host:hostport]
|
||||
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
|
||||
[-R [bind_address:]port:host:hostport] [-S ctl_path]
|
||||
[-w local_tun[:remote_tun]] [user@]hostname [command]
|
||||
|
||||
DESCRIPTION
|
||||
ssh (SSH client) is a program for logging into a remote machine and for
|
||||
executing commands on a remote machine. It is intended to replace rlogin
|
||||
and rsh, and provide secure encrypted communications between two untrust-
|
||||
ed hosts over an insecure network. X11 connections and arbitrary TCP
|
||||
ports can also be forwarded over the secure channel.
|
||||
|
||||
ssh connects and logs into the specified hostname (with optional user
|
||||
name). The user must prove his/her identity to the remote machine using
|
||||
one of several methods depending on the protocol version used (see be-
|
||||
low).
|
||||
|
||||
If command is specified, it is executed on the remote host instead of a
|
||||
login shell.
|
||||
|
||||
The options are as follows:
|
||||
|
||||
-1 Forces ssh to try protocol version 1 only.
|
||||
|
||||
-2 Forces ssh to try protocol version 2 only.
|
||||
|
||||
-4 Forces ssh to use IPv4 addresses only.
|
||||
|
||||
-6 Forces ssh to use IPv6 addresses only.
|
||||
|
||||
-A Enables forwarding of the authentication agent connection. This
|
||||
can also be specified on a per-host basis in a configuration
|
||||
file.
|
||||
|
||||
Agent forwarding should be enabled with caution. Users with the
|
||||
ability to bypass file permissions on the remote host (for the
|
||||
agent's Unix-domain socket) can access the local agent through
|
||||
the forwarded connection. An attacker cannot obtain key material
|
||||
from the agent, however they can perform operations on the keys
|
||||
that enable them to authenticate using the identities loaded into
|
||||
the agent.
|
||||
|
||||
-a Disables forwarding of the authentication agent connection.
|
||||
|
||||
-b bind_address
|
||||
Use bind_address on the local machine as the source address of
|
||||
the connection. Only useful on systems with more than one ad-
|
||||
dress.
|
||||
|
||||
-C Requests compression of all data (including stdin, stdout,
|
||||
stderr, and data for forwarded X11 and TCP connections). The
|
||||
compression algorithm is the same used by gzip(1), and the
|
||||
``level'' can be controlled by the CompressionLevel option for
|
||||
protocol version 1. Compression is desirable on modem lines and
|
||||
other slow connections, but will only slow down things on fast
|
||||
networks. The default value can be set on a host-by-host basis
|
||||
in the configuration files; see the Compression option.
|
||||
|
||||
-c cipher_spec
|
||||
Selects the cipher specification for encrypting the session.
|
||||
|
||||
Protocol version 1 allows specification of a single cipher. The
|
||||
supported values are ``3des'', ``blowfish'', and ``des''. 3des
|
||||
(triple-des) is an encrypt-decrypt-encrypt triple with three dif-
|
||||
ferent keys. It is believed to be secure. blowfish is a fast
|
||||
block cipher; it appears very secure and is much faster than
|
||||
3des. des is only supported in the ssh client for interoperabil-
|
||||
ity with legacy protocol 1 implementations that do not support
|
||||
the 3des cipher. Its use is strongly discouraged due to crypto-
|
||||
graphic weaknesses. The default is ``3des''.
|
||||
|
||||
For protocol version 2, cipher_spec is a comma-separated list of
|
||||
ciphers listed in order of preference. The supported ciphers
|
||||
are: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr,
|
||||
aes192-ctr, aes256-ctr, arcfour128, arcfour256, arcfour, blow-
|
||||
fish-cbc, and cast128-cbc. The default is:
|
||||
|
||||
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
|
||||
arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
|
||||
aes192-ctr,aes256-ctr
|
||||
|
||||
-D [bind_address:]port
|
||||
Specifies a local ``dynamic'' application-level port forwarding.
|
||||
This works by allocating a socket to listen to port on the local
|
||||
side, optionally bound to the specified bind_address. Whenever a
|
||||
connection is made to this port, the connection is forwarded over
|
||||
the secure channel, and the application protocol is then used to
|
||||
determine where to connect to from the remote machine. Currently
|
||||
the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
|
||||
as a SOCKS server. Only root can forward privileged ports. Dy-
|
||||
namic port forwardings can also be specified in the configuration
|
||||
file.
|
||||
|
||||
IPv6 addresses can be specified with an alternative syntax:
|
||||
[bind_address/]port or by enclosing the address in square brack-
|
||||
ets. Only the superuser can forward privileged ports. By de-
|
||||
fault, the local port is bound in accordance with the
|
||||
GatewayPorts setting. However, an explicit bind_address may be
|
||||
used to bind the connection to a specific address. The
|
||||
bind_address of ``localhost'' indicates that the listening port
|
||||
be bound for local use only, while an empty address or `*' indi-
|
||||
cates that the port should be available from all interfaces.
|
||||
|
||||
-e escape_char
|
||||
Sets the escape character for sessions with a pty (default: `~').
|
||||
The escape character is only recognized at the beginning of a
|
||||
line. The escape character followed by a dot (`.') closes the
|
||||
connection; followed by control-Z suspends the connection; and
|
||||
followed by itself sends the escape character once. Setting the
|
||||
character to ``none'' disables any escapes and makes the session
|
||||
fully transparent.
|
||||
|
||||
-F configfile
|
||||
Specifies an alternative per-user configuration file. If a con-
|
||||
figuration file is given on the command line, the system-wide
|
||||
configuration file (/etc/ssh/ssh_config) will be ignored. The
|
||||
default for the per-user configuration file is ~/.ssh/config.
|
||||
|
||||
-f Requests ssh to go to background just before command execution.
|
||||
This is useful if ssh is going to ask for passwords or passphras-
|
||||
es, but the user wants it in the background. This implies -n.
|
||||
The recommended way to start X11 programs at a remote site is
|
||||
with something like ssh -f host xterm.
|
||||
|
||||
-g Allows remote hosts to connect to local forwarded ports.
|
||||
|
||||
-I smartcard_device
|
||||
Specify the device ssh should use to communicate with a smartcard
|
||||
used for storing the user's private RSA key. This option is only
|
||||
available if support for smartcard devices is compiled in (de-
|
||||
fault is no support).
|
||||
|
||||
-i identity_file
|
||||
Selects a file from which the identity (private key) for RSA or
|
||||
DSA authentication is read. The default is ~/.ssh/identity for
|
||||
protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for pro-
|
||||
tocol version 2. Identity files may also be specified on a per-
|
||||
host basis in the configuration file. It is possible to have
|
||||
multiple -i options (and multiple identities specified in config-
|
||||
uration files).
|
||||
|
||||
-k Disables forwarding (delegation) of GSSAPI credentials to the
|
||||
server.
|
||||
|
||||
-L [bind_address:]port:host:hostport
|
||||
Specifies that the given port on the local (client) host is to be
|
||||
forwarded to the given host and port on the remote side. This
|
||||
works by allocating a socket to listen to port on the local side,
|
||||
optionally bound to the specified bind_address. Whenever a con-
|
||||
nection is made to this port, the connection is forwarded over
|
||||
the secure channel, and a connection is made to host port
|
||||
hostport from the remote machine. Port forwardings can also be
|
||||
specified in the configuration file. IPv6 addresses can be spec-
|
||||
ified with an alternative syntax: [bind_address/]port/host/host-
|
||||
port or by enclosing the address in square brackets. Only the
|
||||
superuser can forward privileged ports. By default, the local
|
||||
port is bound in accordance with the GatewayPorts setting. How-
|
||||
ever, an explicit bind_address may be used to bind the connection
|
||||
to a specific address. The bind_address of ``localhost'' indi-
|
||||
cates that the listening port be bound for local use only, while
|
||||
an empty address or `*' indicates that the port should be avail-
|
||||
able from all interfaces.
|
||||
|
||||
-l login_name
|
||||
Specifies the user to log in as on the remote machine. This also
|
||||
may be specified on a per-host basis in the configuration file.
|
||||
|
||||
-M Places the ssh client into ``master'' mode for connection shar-
|
||||
ing. Multiple -M options places ssh into ``master'' mode with
|
||||
confirmation required before slave connections are accepted. Re-
|
||||
fer to the description of ControlMaster in ssh_config(5) for de-
|
||||
tails.
|
||||
|
||||
-m mac_spec
|
||||
Additionally, for protocol version 2 a comma-separated list of
|
||||
MAC (message authentication code) algorithms can be specified in
|
||||
order of preference. See the MACs keyword for more information.
|
||||
|
||||
-N Do not execute a remote command. This is useful for just for-
|
||||
warding ports (protocol version 2 only).
|
||||
|
||||
-n Redirects stdin from /dev/null (actually, prevents reading from
|
||||
stdin). This must be used when ssh is run in the background. A
|
||||
common trick is to use this to run X11 programs on a remote ma-
|
||||
chine. For example, ssh -n shadows.cs.hut.fi emacs & will start
|
||||
an emacs on shadows.cs.hut.fi, and the X11 connection will be au-
|
||||
tomatically forwarded over an encrypted channel. The ssh program
|
||||
will be put in the background. (This does not work if ssh needs
|
||||
to ask for a password or passphrase; see also the -f option.)
|
||||
|
||||
-O ctl_cmd
|
||||
Control an active connection multiplexing master process. When
|
||||
the -O option is specified, the ctl_cmd argument is interpreted
|
||||
and passed to the master process. Valid commands are: ``check''
|
||||
(check that the master process is running) and ``exit'' (request
|
||||
the master to exit).
|
||||
|
||||
-o option
|
||||
Can be used to give options in the format used in the configura-
|
||||
tion file. This is useful for specifying options for which there
|
||||
is no separate command-line flag. For full details of the op-
|
||||
tions listed below, and their possible values, see ssh_config(5).
|
||||
|
||||
AddressFamily
|
||||
BatchMode
|
||||
BindAddress
|
||||
ChallengeResponseAuthentication
|
||||
CheckHostIP
|
||||
Cipher
|
||||
Ciphers
|
||||
ClearAllForwardings
|
||||
Compression
|
||||
CompressionLevel
|
||||
ConnectionAttempts
|
||||
ConnectTimeout
|
||||
ControlMaster
|
||||
ControlPath
|
||||
DynamicForward
|
||||
EscapeChar
|
||||
ExitOnForwardFailure
|
||||
ForwardAgent
|
||||
ForwardX11
|
||||
ForwardX11Trusted
|
||||
GatewayPorts
|
||||
GlobalKnownHostsFile
|
||||
GSSAPIAuthentication
|
||||
GSSAPIDelegateCredentials
|
||||
HashKnownHosts
|
||||
Host
|
||||
HostbasedAuthentication
|
||||
HostKeyAlgorithms
|
||||
HostKeyAlias
|
||||
HostName
|
||||
IdentityFile
|
||||
IdentitiesOnly
|
||||
KbdInteractiveDevices
|
||||
LocalCommand
|
||||
LocalForward
|
||||
LogLevel
|
||||
MACs
|
||||
NoHostAuthenticationForLocalhost
|
||||
NumberOfPasswordPrompts
|
||||
PasswordAuthentication
|
||||
PermitLocalCommand
|
||||
Port
|
||||
PreferredAuthentications
|
||||
Protocol
|
||||
ProxyCommand
|
||||
PubkeyAuthentication
|
||||
RekeyLimit
|
||||
RemoteForward
|
||||
RhostsRSAAuthentication
|
||||
RSAAuthentication
|
||||
SendEnv
|
||||
ServerAliveInterval
|
||||
ServerAliveCountMax
|
||||
SmartcardDevice
|
||||
StrictHostKeyChecking
|
||||
TCPKeepAlive
|
||||
Tunnel
|
||||
TunnelDevice
|
||||
UsePrivilegedPort
|
||||
User
|
||||
UserKnownHostsFile
|
||||
VerifyHostKeyDNS
|
||||
XAuthLocation
|
||||
|
||||
-p port
|
||||
Port to connect to on the remote host. This can be specified on
|
||||
a per-host basis in the configuration file.
|
||||
|
||||
-q Quiet mode. Causes all warning and diagnostic messages to be
|
||||
suppressed.
|
||||
|
||||
-R [bind_address:]port:host:hostport
|
||||
Specifies that the given port on the remote (server) host is to
|
||||
be forwarded to the given host and port on the local side. This
|
||||
works by allocating a socket to listen to port on the remote
|
||||
side, and whenever a connection is made to this port, the connec-
|
||||
tion is forwarded over the secure channel, and a connection is
|
||||
made to host port hostport from the local machine.
|
||||
|
||||
Port forwardings can also be specified in the configuration file.
|
||||
Privileged ports can be forwarded only when logging in as root on
|
||||
the remote machine. IPv6 addresses can be specified by enclosing
|
||||
the address in square braces or using an alternative syntax:
|
||||
[bind_address/]host/port/hostport.
|
||||
|
||||
By default, the listening socket on the server will be bound to
|
||||
the loopback interface only. This may be overriden by specifying
|
||||
a bind_address. An empty bind_address, or the address `*', indi-
|
||||
cates that the remote socket should listen on all interfaces.
|
||||
Specifying a remote bind_address will only succeed if the serv-
|
||||
er's GatewayPorts option is enabled (see sshd_config(5)).
|
||||
|
||||
-S ctl_path
|
||||
Specifies the location of a control socket for connection shar-
|
||||
ing. Refer to the description of ControlPath and ControlMaster
|
||||
in ssh_config(5) for details.
|
||||
|
||||
-s May be used to request invocation of a subsystem on the remote
|
||||
system. Subsystems are a feature of the SSH2 protocol which fa-
|
||||
cilitate the use of SSH as a secure transport for other applica-
|
||||
tions (eg. sftp(1)). The subsystem is specified as the remote
|
||||
command.
|
||||
|
||||
-T Disable pseudo-tty allocation.
|
||||
|
||||
-t Force pseudo-tty allocation. This can be used to execute arbi-
|
||||
trary screen-based programs on a remote machine, which can be
|
||||
very useful, e.g. when implementing menu services. Multiple -t
|
||||
options force tty allocation, even if ssh has no local tty.
|
||||
|
||||
-V Display the version number and exit.
|
||||
|
||||
-v Verbose mode. Causes ssh to print debugging messages about its
|
||||
progress. This is helpful in debugging connection, authentica-
|
||||
tion, and configuration problems. Multiple -v options increase
|
||||
the verbosity. The maximum is 3.
|
||||
|
||||
-w local_tun[:remote_tun]
|
||||
Requests tunnel device forwarding with the specified tun(4) de-
|
||||
vices between the client (local_tun) and the server (remote_tun).
|
||||
|
||||
The devices may be specified by numerical ID or the keyword
|
||||
``any'', which uses the next available tunnel device. If
|
||||
remote_tun is not specified, it defaults to ``any''. See also
|
||||
the Tunnel and TunnelDevice directives in ssh_config(5). If the
|
||||
Tunnel directive is unset, it is set to the default tunnel mode,
|
||||
which is ``point-to-point''.
|
||||
|
||||
-X Enables X11 forwarding. This can also be specified on a per-host
|
||||
basis in a configuration file.
|
||||
|
||||
X11 forwarding should be enabled with caution. Users with the
|
||||
ability to bypass file permissions on the remote host (for the
|
||||
user's X authorization database) can access the local X11 display
|
||||
through the forwarded connection. An attacker may then be able
|
||||
to perform activities such as keystroke monitoring.
|
||||
|
||||
For this reason, X11 forwarding is subjected to X11 SECURITY ex-
|
||||
tension restrictions by default. Please refer to the ssh -Y op-
|
||||
tion and the ForwardX11Trusted directive in ssh_config(5) for
|
||||
more information.
|
||||
|
||||
-x Disables X11 forwarding.
|
||||
|
||||
-Y Enables trusted X11 forwarding. Trusted X11 forwardings are not
|
||||
subjected to the X11 SECURITY extension controls.
|
||||
|
||||
ssh may additionally obtain configuration data from a per-user configura-
|
||||
tion file and a system-wide configuration file. The file format and con-
|
||||
figuration options are described in ssh_config(5).
|
||||
|
||||
ssh exits with the exit status of the remote command or with 255 if an
|
||||
error occurred.
|
||||
|
||||
AUTHENTICATION
|
||||
The OpenSSH SSH client supports SSH protocols 1 and 2. Protocol 2 is the
|
||||
default, with ssh falling back to protocol 1 if it detects protocol 2 is
|
||||
unsupported. These settings may be altered using the Protocol option in
|
||||
ssh_config(5), or enforced using the -1 and -2 options (see above). Both
|
||||
protocols support similar authentication methods, but protocol 2 is pre-
|
||||
ferred since it provides additional mechanisms for confidentiality (the
|
||||
traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and
|
||||
integrity (hmac-md5, hmac-sha1, hmac-ripemd160). Protocol 1 lacks a
|
||||
strong mechanism for ensuring the integrity of the connection.
|
||||
|
||||
The methods available for authentication are: GSSAPI-based authentica-
|
||||
tion, host-based authentication, public key authentication, challenge-re-
|
||||
sponse authentication, and password authentication. Authentication meth-
|
||||
ods are tried in the order specified above, though protocol 2 has a con-
|
||||
figuration option to change the default order: PreferredAuthentications.
|
||||
|
||||
Host-based authentication works as follows: If the machine the user logs
|
||||
in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote
|
||||
machine, and the user names are the same on both sides, or if the files
|
||||
~/.rhosts or ~/.shosts exist in the user's home directory on the remote
|
||||
machine and contain a line containing the name of the client machine and
|
||||
the name of the user on that machine, the user is considered for login.
|
||||
Additionally, the server must be able to verify the client's host key
|
||||
(see the description of /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts,
|
||||
below) for login to be permitted. This authentication method closes se-
|
||||
curity holes due to IP spoofing, DNS spoofing, and routing spoofing.
|
||||
[Note to the administrator: /etc/hosts.equiv, ~/.rhosts, and the
|
||||
rlogin/rsh protocol in general, are inherently insecure and should be
|
||||
disabled if security is desired.]
|
||||
|
||||
Public key authentication works as follows: The scheme is based on pub-
|
||||
lic-key cryptography, using cryptosystems where encryption and decryption
|
||||
are done using separate keys, and it is unfeasible to derive the decryp-
|
||||
tion key from the encryption key. The idea is that each user creates a
|
||||
public/private key pair for authentication purposes. The server knows
|
||||
the public key, and only the user knows the private key. ssh implements
|
||||
public key authentication protocol automatically, using either the RSA or
|
||||
DSA algorithms. Protocol 1 is restricted to using only RSA keys, but
|
||||
protocol 2 may use either. The HISTORY section of ssl(8) contains a
|
||||
brief discussion of the two algorithms.
|
||||
|
||||
The file ~/.ssh/authorized_keys lists the public keys that are permitted
|
||||
for logging in. When the user logs in, the ssh program tells the server
|
||||
which key pair it would like to use for authentication. The client
|
||||
proves that it has access to the private key and the server checks that
|
||||
the corresponding public key is authorized to accept the account.
|
||||
|
||||
The user creates his/her key pair by running ssh-keygen(1). This stores
|
||||
the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol
|
||||
2 DSA), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
|
||||
~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA), or
|
||||
~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home directory. The us-
|
||||
er should then copy the public key to ~/.ssh/authorized_keys in his/her
|
||||
home directory on the remote machine. The authorized_keys file corre-
|
||||
sponds to the conventional ~/.rhosts file, and has one key per line,
|
||||
though the lines can be very long. After this, the user can log in with-
|
||||
out giving the password.
|
||||
|
||||
The most convenient way to use public key authentication may be with an
|
||||
authentication agent. See ssh-agent(1) for more information.
|
||||
|
||||
Challenge-response authentication works as follows: The server sends an
|
||||
arbitrary "challenge" text, and prompts for a response. Protocol 2 al-
|
||||
lows multiple challenges and responses; protocol 1 is restricted to just
|
||||
one challenge/response. Examples of challenge-response authentication
|
||||
include BSD Authentication (see login.conf(5)) and PAM (some non-OpenBSD
|
||||
systems).
|
||||
|
||||
Finally, if other authentication methods fail, ssh prompts the user for a
|
||||
password. The password is sent to the remote host for checking; however,
|
||||
since all communications are encrypted, the password cannot be seen by
|
||||
someone listening on the network.
|
||||
|
||||
ssh automatically maintains and checks a database containing identifica-
|
||||
tion for all hosts it has ever been used with. Host keys are stored in
|
||||
~/.ssh/known_hosts in the user's home directory. Additionally, the file
|
||||
/etc/ssh/ssh_known_hosts is automatically checked for known hosts. Any
|
||||
new hosts are automatically added to the user's file. If a host's iden-
|
||||
tification ever changes, ssh warns about this and disables password au-
|
||||
thentication to prevent server spoofing or man-in-the-middle attacks,
|
||||
which could otherwise be used to circumvent the encryption. The
|
||||
StrictHostKeyChecking option can be used to control logins to machines
|
||||
whose host key is not known or has changed.
|
||||
|
||||
When the user's identity has been accepted by the server, the server ei-
|
||||
ther executes the given command, or logs into the machine and gives the
|
||||
user a normal shell on the remote machine. All communication with the
|
||||
remote command or shell will be automatically encrypted.
|
||||
|
||||
If a pseudo-terminal has been allocated (normal login session), the user
|
||||
may use the escape characters noted below.
|
||||
|
||||
If no pseudo-tty has been allocated, the session is transparent and can
|
||||
be used to reliably transfer binary data. On most systems, setting the
|
||||
escape character to ``none'' will also make the session transparent even
|
||||
if a tty is used.
|
||||
|
||||
The session terminates when the command or shell on the remote machine
|
||||
exits and all X11 and TCP connections have been closed.
|
||||
|
||||
ESCAPE CHARACTERS
|
||||
When a pseudo-terminal has been requested, ssh supports a number of func-
|
||||
tions through the use of an escape character.
|
||||
|
||||
A single tilde character can be sent as ~~ or by following the tilde by a
|
||||
character other than those described below. The escape character must
|
||||
always follow a newline to be interpreted as special. The escape charac-
|
||||
ter can be changed in configuration files using the EscapeChar configura-
|
||||
tion directive or on the command line by the -e option.
|
||||
|
||||
The supported escapes (assuming the default `~') are:
|
||||
|
||||
~. Disconnect.
|
||||
|
||||
~^Z Background ssh.
|
||||
|
||||
~# List forwarded connections.
|
||||
|
||||
~& Background ssh at logout when waiting for forwarded connection /
|
||||
X11 sessions to terminate.
|
||||
|
||||
~? Display a list of escape characters.
|
||||
|
||||
~B Send a BREAK to the remote system (only useful for SSH protocol
|
||||
version 2 and if the peer supports it).
|
||||
|
||||
~C Open command line. Currently this allows the addition of port
|
||||
forwardings using the -L and -R options (see above). It also al-
|
||||
lows the cancellation of existing remote port-forwardings using
|
||||
-KR[bind_address:]port. !command allows the user to execute a
|
||||
local command if the PermitLocalCommand option is enabled in
|
||||
ssh_config(5). Basic help is available, using the -h option.
|
||||
|
||||
~R Request rekeying of the connection (only useful for SSH protocol
|
||||
version 2 and if the peer supports it).
|
||||
|
||||
TCP FORWARDING
|
||||
Forwarding of arbitrary TCP connections over the secure channel can be
|
||||
specified either on the command line or in a configuration file. One
|
||||
possible application of TCP forwarding is a secure connection to a mail
|
||||
server; another is going through firewalls.
|
||||
|
||||
In the example below, we look at encrypting communication between an IRC
|
||||
client and server, even though the IRC server does not directly support
|
||||
encrypted communications. This works as follows: the user connects to
|
||||
the remote host using ssh, specifying a port to be used to forward con-
|
||||
nections to the remote server. After that it is possible to start the
|
||||
service which is to be encrypted on the client machine, connecting to the
|
||||
same local port, and ssh will encrypt and forward the connection.
|
||||
|
||||
The following example tunnels an IRC session from client machine
|
||||
``127.0.0.1'' (localhost) to remote server ``server.example.com'':
|
||||
|
||||
$ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
|
||||
$ irc -c '#users' -p 1234 pinky 127.0.0.1
|
||||
|
||||
This tunnels a connection to IRC server ``server.example.com'', joining
|
||||
channel ``#users'', nickname ``pinky'', using port 1234. It doesn't mat-
|
||||
ter which port is used, as long as it's greater than 1023 (remember, only
|
||||
root can open sockets on privileged ports) and doesn't conflict with any
|
||||
ports already in use. The connection is forwarded to port 6667 on the
|
||||
remote server, since that's the standard port for IRC services.
|
||||
|
||||
The -f option backgrounds ssh and the remote command ``sleep 10'' is
|
||||
specified to allow an amount of time (10 seconds, in the example) to
|
||||
start the service which is to be tunnelled. If no connections are made
|
||||
within the time specified, ssh will exit.
|
||||
|
||||
X11 FORWARDING
|
||||
If the ForwardX11 variable is set to ``yes'' (or see the description of
|
||||
the -X, -x, and -Y options above) and the user is using X11 (the DISPLAY
|
||||
environment variable is set), the connection to the X11 display is auto-
|
||||
matically forwarded to the remote side in such a way that any X11 pro-
|
||||
grams started from the shell (or command) will go through the encrypted
|
||||
channel, and the connection to the real X server will be made from the
|
||||
local machine. The user should not manually set DISPLAY. Forwarding of
|
||||
X11 connections can be configured on the command line or in configuration
|
||||
files.
|
||||
|
||||
The DISPLAY value set by ssh will point to the server machine, but with a
|
||||
display number greater than zero. This is normal, and happens because
|
||||
ssh creates a ``proxy'' X server on the server machine for forwarding the
|
||||
connections over the encrypted channel.
|
||||
|
||||
ssh will also automatically set up Xauthority data on the server machine.
|
||||
For this purpose, it will generate a random authorization cookie, store
|
||||
it in Xauthority on the server, and verify that any forwarded connections
|
||||
carry this cookie and replace it by the real cookie when the connection
|
||||
is opened. The real authentication cookie is never sent to the server
|
||||
machine (and no cookies are sent in the plain).
|
||||
|
||||
If the ForwardAgent variable is set to ``yes'' (or see the description of
|
||||
the -A and -a options above) and the user is using an authentication
|
||||
agent, the connection to the agent is automatically forwarded to the re-
|
||||
mote side.
|
||||
|
||||
VERIFYING HOST KEYS
|
||||
When connecting to a server for the first time, a fingerprint of the
|
||||
server's public key is presented to the user (unless the option
|
||||
StrictHostKeyChecking has been disabled). Fingerprints can be determined
|
||||
using ssh-keygen(1):
|
||||
|
||||
$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
|
||||
|
||||
If the fingerprint is already known, it can be matched and verified, and
|
||||
the key can be accepted. If the fingerprint is unknown, an alternative
|
||||
method of verification is available: SSH fingerprints verified by DNS.
|
||||
An additional resource record (RR), SSHFP, is added to a zonefile and the
|
||||
connecting client is able to match the fingerprint with that of the key
|
||||
presented.
|
||||
|
||||
In this example, we are connecting a client to a server,
|
||||
``host.example.com''. The SSHFP resource records should first be added
|
||||
to the zonefile for host.example.com:
|
||||
|
||||
$ ssh-keygen -r host.example.com.
|
||||
|
||||
The output lines will have to be added to the zonefile. To check that
|
||||
the zone is answering fingerprint queries:
|
||||
|
||||
$ dig -t SSHFP host.example.com
|
||||
|
||||
Finally the client connects:
|
||||
|
||||
$ ssh -o "VerifyHostKeyDNS ask" host.example.com
|
||||
[...]
|
||||
Matching host key fingerprint found in DNS.
|
||||
Are you sure you want to continue connecting (yes/no)?
|
||||
|
||||
See the VerifyHostKeyDNS option in ssh_config(5) for more information.
|
||||
|
||||
SSH-BASED VIRTUAL PRIVATE NETWORKS
|
||||
ssh contains support for Virtual Private Network (VPN) tunnelling using
|
||||
the tun(4) network pseudo-device, allowing two networks to be joined se-
|
||||
curely. The sshd_config(5) configuration option PermitTunnel controls
|
||||
whether the server supports this, and at what level (layer 2 or 3 traf-
|
||||
fic).
|
||||
|
||||
The following example would connect client network 10.0.50.0/24 with re-
|
||||
mote network 10.0.99.0/24 using a point-to-point connection from 10.1.1.1
|
||||
to 10.1.1.2, provided that the SSH server running on the gateway to the
|
||||
remote network, at 192.168.1.15, allows it.
|
||||
|
||||
On the client:
|
||||
|
||||
# ssh -f -w 0:1 192.168.1.15 true
|
||||
# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
|
||||
# route add 10.0.99.0/24 10.1.1.2
|
||||
|
||||
On the server:
|
||||
|
||||
# ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
|
||||
# route add 10.0.50.0/24 10.1.1.1
|
||||
|
||||
Client access may be more finely tuned via the /root/.ssh/authorized_keys
|
||||
file (see below) and the PermitRootLogin server option. The following
|
||||
entry would permit connections on tun(4) device 1 from user ``jane'' and
|
||||
on tun device 2 from user ``john'', if PermitRootLogin is set to
|
||||
``forced-commands-only'':
|
||||
|
||||
tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
|
||||
tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john
|
||||
|
||||
Since an SSH-based setup entails a fair amount of overhead, it may be
|
||||
more suited to temporary setups, such as for wireless VPNs. More perma-
|
||||
nent VPNs are better provided by tools such as ipsecctl(8) and
|
||||
isakmpd(8).
|
||||
|
||||
ENVIRONMENT
|
||||
ssh will normally set the following environment variables:
|
||||
|
||||
DISPLAY The DISPLAY variable indicates the location of the
|
||||
X11 server. It is automatically set by ssh to
|
||||
point to a value of the form ``hostname:n'', where
|
||||
``hostname'' indicates the host where the shell
|
||||
runs, and `n' is an integer >= 1. ssh uses this
|
||||
special value to forward X11 connections over the
|
||||
secure channel. The user should normally not set
|
||||
DISPLAY explicitly, as that will render the X11
|
||||
connection insecure (and will require the user to
|
||||
manually copy any required authorization cookies).
|
||||
|
||||
HOME Set to the path of the user's home directory.
|
||||
|
||||
LOGNAME Synonym for USER; set for compatibility with sys-
|
||||
tems that use this variable.
|
||||
|
||||
MAIL Set to the path of the user's mailbox.
|
||||
|
||||
PATH Set to the default PATH, as specified when compil-
|
||||
ing ssh.
|
||||
|
||||
SSH_ASKPASS If ssh needs a passphrase, it will read the
|
||||
passphrase from the current terminal if it was run
|
||||
from a terminal. If ssh does not have a terminal
|
||||
associated with it but DISPLAY and SSH_ASKPASS are
|
||||
set, it will execute the program specified by
|
||||
SSH_ASKPASS and open an X11 window to read the
|
||||
passphrase. This is particularly useful when call-
|
||||
ing ssh from a .xsession or related script. (Note
|
||||
that on some machines it may be necessary to redi-
|
||||
rect the input from /dev/null to make this work.)
|
||||
|
||||
SSH_AUTH_SOCK Identifies the path of a UNIX-domain socket used to
|
||||
communicate with the agent.
|
||||
|
||||
SSH_CONNECTION Identifies the client and server ends of the con-
|
||||
nection. The variable contains four space-separat-
|
||||
ed values: client IP address, client port number,
|
||||
server IP address, and server port number.
|
||||
|
||||
SSH_ORIGINAL_COMMAND This variable contains the original command line if
|
||||
a forced command is executed. It can be used to
|
||||
extract the original arguments.
|
||||
|
||||
SSH_TTY This is set to the name of the tty (path to the de-
|
||||
vice) associated with the current shell or command.
|
||||
If the current session has no tty, this variable is
|
||||
not set.
|
||||
|
||||
TZ This variable is set to indicate the present time
|
||||
zone if it was set when the daemon was started
|
||||
(i.e. the daemon passes the value on to new connec-
|
||||
tions).
|
||||
|
||||
USER Set to the name of the user logging in.
|
||||
|
||||
Additionally, ssh reads ~/.ssh/environment, and adds lines of the format
|
||||
``VARNAME=value'' to the environment if the file exists and users are al-
|
||||
lowed to change their environment. For more information, see the
|
||||
PermitUserEnvironment option in sshd_config(5).
|
||||
|
||||
FILES
|
||||
~/.rhosts
|
||||
This file is used for host-based authentication (see above). On
|
||||
some machines this file may need to be world-readable if the us-
|
||||
er's home directory is on an NFS partition, because sshd(8) reads
|
||||
it as root. Additionally, this file must be owned by the user,
|
||||
and must not have write permissions for anyone else. The recom-
|
||||
mended permission for most machines is read/write for the user,
|
||||
and not accessible by others.
|
||||
|
||||
~/.shosts
|
||||
This file is used in exactly the same way as .rhosts, but allows
|
||||
host-based authentication without permitting login with
|
||||
rlogin/rsh.
|
||||
|
||||
~/.ssh/authorized_keys
|
||||
Lists the public keys (RSA/DSA) that can be used for logging in
|
||||
as this user. The format of this file is described in the
|
||||
sshd(8) manual page. This file is not highly sensitive, but the
|
||||
recommended permissions are read/write for the user, and not ac-
|
||||
cessible by others.
|
||||
|
||||
~/.ssh/config
|
||||
This is the per-user configuration file. The file format and
|
||||
configuration options are described in ssh_config(5). Because of
|
||||
the potential for abuse, this file must have strict permissions:
|
||||
read/write for the user, and not accessible by others.
|
||||
|
||||
~/.ssh/environment
|
||||
Contains additional definitions for environment variables; see
|
||||
ENVIRONMENT, above.
|
||||
|
||||
~/.ssh/identity
|
||||
~/.ssh/id_dsa
|
||||
~/.ssh/id_rsa
|
||||
Contains the private key for authentication. These files contain
|
||||
sensitive data and should be readable by the user but not acces-
|
||||
sible by others (read/write/execute). ssh will simply ignore a
|
||||
private key file if it is accessible by others. It is possible
|
||||
to specify a passphrase when generating the key which will be
|
||||
used to encrypt the sensitive part of this file using 3DES.
|
||||
|
||||
~/.ssh/identity.pub
|
||||
~/.ssh/id_dsa.pub
|
||||
~/.ssh/id_rsa.pub
|
||||
Contains the public key for authentication. These files are not
|
||||
sensitive and can (but need not) be readable by anyone.
|
||||
|
||||
~/.ssh/known_hosts
|
||||
Contains a list of host keys for all hosts the user has logged
|
||||
into that are not already in the systemwide list of known host
|
||||
keys. See sshd(8) for further details of the format of this
|
||||
file.
|
||||
|
||||
~/.ssh/rc
|
||||
Commands in this file are executed by ssh when the user logs in,
|
||||
just before the user's shell (or command) is started. See the
|
||||
sshd(8) manual page for more information.
|
||||
|
||||
/etc/hosts.equiv
|
||||
This file is for host-based authentication (see above). It
|
||||
should only be writable by root.
|
||||
|
||||
/etc/shosts.equiv
|
||||
This file is used in exactly the same way as hosts.equiv, but al-
|
||||
lows host-based authentication without permitting login with
|
||||
rlogin/rsh.
|
||||
|
||||
/etc/ssh/ssh_config
|
||||
Systemwide configuration file. The file format and configuration
|
||||
options are described in ssh_config(5).
|
||||
|
||||
/etc/ssh/ssh_host_key
|
||||
/etc/ssh/ssh_host_dsa_key
|
||||
/etc/ssh/ssh_host_rsa_key
|
||||
These three files contain the private parts of the host keys and
|
||||
are used for host-based authentication. If protocol version 1 is
|
||||
used, ssh must be setuid root, since the host key is readable on-
|
||||
ly by root. For protocol version 2, ssh uses ssh-keysign(8) to
|
||||
access the host keys, eliminating the requirement that ssh be se-
|
||||
tuid root when host-based authentication is used. By default ssh
|
||||
is not setuid root.
|
||||
|
||||
/etc/ssh/ssh_known_hosts
|
||||
Systemwide list of known host keys. This file should be prepared
|
||||
by the system administrator to contain the public host keys of
|
||||
all machines in the organization. It should be world-readable.
|
||||
See sshd(8) for further details of the format of this file.
|
||||
|
||||
/etc/ssh/sshrc
|
||||
Commands in this file are executed by ssh when the user logs in,
|
||||
just before the user's shell (or command) is started. See the
|
||||
sshd(8) manual page for more information.
|
||||
|
||||
SEE ALSO
|
||||
scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1),
|
||||
tun(4), hosts.equiv(5), ssh_config(5), ssh-keysign(8), sshd(8)
|
||||
|
||||
The Secure Shell (SSH) Protocol Assigned Numbers, RFC 4250, 2006.
|
||||
|
||||
The Secure Shell (SSH) Protocol Architecture, RFC 4251, 2006.
|
||||
|
||||
The Secure Shell (SSH) Authentication Protocol, RFC 4252, 2006.
|
||||
|
||||
The Secure Shell (SSH) Transport Layer Protocol, RFC 4253, 2006.
|
||||
|
||||
The Secure Shell (SSH) Connection Protocol, RFC 4254, 2006.
|
||||
|
||||
Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints, RFC
|
||||
4255, 2006.
|
||||
|
||||
Generic Message Exchange Authentication for the Secure Shell Protocol
|
||||
(SSH), RFC 4256, 2006.
|
||||
|
||||
The Secure Shell (SSH) Session Channel Break Extension, RFC 4335, 2006.
|
||||
|
||||
The Secure Shell (SSH) Transport Layer Encryption Modes, RFC 4344, 2006.
|
||||
|
||||
Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer
|
||||
Protocol, RFC 4345, 2006.
|
||||
|
||||
Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer
|
||||
Protocol, RFC 4419, 2006.
|
||||
|
||||
The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006.
|
||||
|
||||
AUTHORS
|
||||
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
|
||||
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
|
||||
de Raadt and Dug Song removed many bugs, re-added newer features and
|
||||
created OpenSSH. Markus Friedl contributed the support for SSH protocol
|
||||
versions 1.5 and 2.0.
|
||||
|
||||
OpenBSD 4.1 September 25, 1999 13
|
7
ssh.1
7
ssh.1
@ -34,7 +34,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh.1,v 1.265 2006/10/28 18:08:10 otto Exp $
|
||||
.\" $OpenBSD: ssh.1,v 1.266 2006/12/11 21:25:46 markus Exp $
|
||||
.Dd September 25, 1999
|
||||
.Dt SSH 1
|
||||
.Os
|
||||
@ -1418,6 +1418,11 @@ manual page for more information.
|
||||
.%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol"
|
||||
.%D 2006
|
||||
.Re
|
||||
.Rs
|
||||
.%R RFC 4716
|
||||
.%T "The Secure Shell (SSH) Public Key File Format"
|
||||
.%D 2006
|
||||
.Re
|
||||
.Sh AUTHORS
|
||||
OpenSSH is a derivative of the original and free
|
||||
ssh 1.2.12 release by Tatu Ylonen.
|
||||
|
4
ssh.c
4
ssh.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssh.c,v 1.294 2006/10/06 02:29:19 djm Exp $ */
|
||||
/* $OpenBSD: ssh.c,v 1.295 2007/01/03 03:01:40 stevesk Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -614,7 +614,7 @@ main(int ac, char **av)
|
||||
if (!read_config_file(config, host, &options, 0))
|
||||
fatal("Can't open user config file %.100s: "
|
||||
"%.100s", config, strerror(errno));
|
||||
} else {
|
||||
} else {
|
||||
snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir,
|
||||
_PATH_SSH_USER_CONFFILE);
|
||||
(void)read_config_file(buf, host, &options, 1);
|
||||
|
645
ssh_config.0
Normal file
645
ssh_config.0
Normal file
@ -0,0 +1,645 @@
|
||||
SSH_CONFIG(5) OpenBSD Programmer's Manual SSH_CONFIG(5)
|
||||
|
||||
NAME
|
||||
ssh_config - OpenSSH SSH client configuration files
|
||||
|
||||
SYNOPSIS
|
||||
~/.ssh/config
|
||||
/etc/ssh/ssh_config
|
||||
|
||||
DESCRIPTION
|
||||
ssh(1) obtains configuration data from the following sources in the fol-
|
||||
lowing order:
|
||||
|
||||
1. command-line options
|
||||
2. user's configuration file (~/.ssh/config)
|
||||
3. system-wide configuration file (/etc/ssh/ssh_config)
|
||||
|
||||
For each parameter, the first obtained value will be used. The configu-
|
||||
ration files contain sections separated by ``Host'' specifications, and
|
||||
that section is only applied for hosts that match one of the patterns
|
||||
given in the specification. The matched host name is the one given on
|
||||
the command line.
|
||||
|
||||
Since the first obtained value for each parameter is used, more host-spe-
|
||||
cific declarations should be given near the beginning of the file, and
|
||||
general defaults at the end.
|
||||
|
||||
The configuration file has the following format:
|
||||
|
||||
Empty lines and lines starting with `#' are comments. Otherwise a line
|
||||
is of the format ``keyword arguments''. Configuration options may be
|
||||
separated by whitespace or optional whitespace and exactly one `='; the
|
||||
latter format is useful to avoid the need to quote whitespace when speci-
|
||||
fying configuration options using the ssh, scp, and sftp -o option. Ar-
|
||||
guments may optionally be enclosed in double quotes (") in order to rep-
|
||||
resent arguments containing spaces.
|
||||
|
||||
The possible keywords and their meanings are as follows (note that key-
|
||||
words are case-insensitive and arguments are case-sensitive):
|
||||
|
||||
Host Restricts the following declarations (up to the next Host key-
|
||||
word) to be only for those hosts that match one of the patterns
|
||||
given after the keyword. A single `*' as a pattern can be used
|
||||
to provide global defaults for all hosts. The host is the
|
||||
hostname argument given on the command line (i.e. the name is not
|
||||
converted to a canonicalized host name before matching).
|
||||
|
||||
See PATTERNS for more information on patterns.
|
||||
|
||||
AddressFamily
|
||||
Specifies which address family to use when connecting. Valid ar-
|
||||
guments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' (use
|
||||
IPv6 only).
|
||||
|
||||
BatchMode
|
||||
If set to ``yes'', passphrase/password querying will be disabled.
|
||||
This option is useful in scripts and other batch jobs where no
|
||||
user is present to supply the password. The argument must be
|
||||
``yes'' or ``no''. The default is ``no''.
|
||||
|
||||
BindAddress
|
||||
Use the specified address on the local machine as the source ad-
|
||||
dress of the connection. Only useful on systems with more than
|
||||
one address. Note that this option does not work if
|
||||
UsePrivilegedPort is set to ``yes''.
|
||||
|
||||
ChallengeResponseAuthentication
|
||||
Specifies whether to use challenge-response authentication. The
|
||||
argument to this keyword must be ``yes'' or ``no''. The default
|
||||
is ``yes''.
|
||||
|
||||
CheckHostIP
|
||||
If this flag is set to ``yes'', ssh(1) will additionally check
|
||||
the host IP address in the known_hosts file. This allows ssh to
|
||||
detect if a host key changed due to DNS spoofing. If the option
|
||||
is set to ``no'', the check will not be executed. The default is
|
||||
``yes''.
|
||||
|
||||
Cipher Specifies the cipher to use for encrypting the session in proto-
|
||||
col version 1. Currently, ``blowfish'', ``3des'', and ``des''
|
||||
are supported. des is only supported in the ssh(1) client for
|
||||
interoperability with legacy protocol 1 implementations that do
|
||||
not support the 3des cipher. Its use is strongly discouraged due
|
||||
to cryptographic weaknesses. The default is ``3des''.
|
||||
|
||||
Ciphers
|
||||
Specifies the ciphers allowed for protocol version 2 in order of
|
||||
preference. Multiple ciphers must be comma-separated. The sup-
|
||||
ported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'',
|
||||
``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
|
||||
``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'',
|
||||
and ``cast128-cbc''. The default is:
|
||||
|
||||
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
|
||||
arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
|
||||
aes192-ctr,aes256-ctr
|
||||
|
||||
ClearAllForwardings
|
||||
Specifies that all local, remote, and dynamic port forwardings
|
||||
specified in the configuration files or on the command line be
|
||||
cleared. This option is primarily useful when used from the
|
||||
ssh(1) command line to clear port forwardings set in configura-
|
||||
tion files, and is automatically set by scp(1) and sftp(1). The
|
||||
argument must be ``yes'' or ``no''. The default is ``no''.
|
||||
|
||||
Compression
|
||||
Specifies whether to use compression. The argument must be
|
||||
``yes'' or ``no''. The default is ``no''.
|
||||
|
||||
CompressionLevel
|
||||
Specifies the compression level to use if compression is enabled.
|
||||
The argument must be an integer from 1 (fast) to 9 (slow, best).
|
||||
The default level is 6, which is good for most applications. The
|
||||
meaning of the values is the same as in gzip(1). Note that this
|
||||
option applies to protocol version 1 only.
|
||||
|
||||
ConnectionAttempts
|
||||
Specifies the number of tries (one per second) to make before ex-
|
||||
iting. The argument must be an integer. This may be useful in
|
||||
scripts if the connection sometimes fails. The default is 1.
|
||||
|
||||
ConnectTimeout
|
||||
Specifies the timeout (in seconds) used when connecting to the
|
||||
SSH server, instead of using the default system TCP timeout.
|
||||
This value is used only when the target is down or really un-
|
||||
reachable, not when it refuses the connection.
|
||||
|
||||
ControlMaster
|
||||
Enables the sharing of multiple sessions over a single network
|
||||
connection. When set to ``yes'', ssh(1) will listen for connec-
|
||||
tions on a control socket specified using the ControlPath argu-
|
||||
ment. Additional sessions can connect to this socket using the
|
||||
same ControlPath with ControlMaster set to ``no'' (the default).
|
||||
These sessions will try to reuse the master instance's network
|
||||
connection rather than initiating new ones, but will fall back to
|
||||
connecting normally if the control socket does not exist, or is
|
||||
not listening.
|
||||
|
||||
Setting this to ``ask'' will cause ssh to listen for control con-
|
||||
nections, but require confirmation using the SSH_ASKPASS program
|
||||
before they are accepted (see ssh-add(1) for details). If the
|
||||
ControlPath cannot be opened, ssh will continue without connect-
|
||||
ing to a master instance.
|
||||
|
||||
X11 and ssh-agent(1) forwarding is supported over these multi-
|
||||
plexed connections, however the display and agent forwarded will
|
||||
be the one belonging to the master connection i.e. it is not pos-
|
||||
sible to forward multiple displays or agents.
|
||||
|
||||
Two additional options allow for opportunistic multiplexing: try
|
||||
to use a master connection but fall back to creating a new one if
|
||||
one does not already exist. These options are: ``auto'' and
|
||||
``autoask''. The latter requires confirmation like the ``ask''
|
||||
option.
|
||||
|
||||
ControlPath
|
||||
Specify the path to the control socket used for connection shar-
|
||||
ing as described in the ControlMaster section above or the string
|
||||
``none'' to disable connection sharing. In the path, `%l' will
|
||||
be substituted by the local host name, `%h' will be substituted
|
||||
by the target host name, `%p' the port, and `%r' by the remote
|
||||
login username. It is recommended that any ControlPath used for
|
||||
opportunistic connection sharing include at least %h, %p, and %r.
|
||||
This ensures that shared connections are uniquely identified.
|
||||
|
||||
DynamicForward
|
||||
Specifies that a TCP port on the local machine be forwarded over
|
||||
the secure channel, and the application protocol is then used to
|
||||
determine where to connect to from the remote machine.
|
||||
|
||||
The argument must be [bind_address:]port. IPv6 addresses can be
|
||||
specified by enclosing addresses in square brackets or by using
|
||||
an alternative syntax: [bind_address/]port. By default, the lo-
|
||||
cal port is bound in accordance with the GatewayPorts setting.
|
||||
However, an explicit bind_address may be used to bind the connec-
|
||||
tion to a specific address. The bind_address of ``localhost''
|
||||
indicates that the listening port be bound for local use only,
|
||||
while an empty address or `*' indicates that the port should be
|
||||
available from all interfaces.
|
||||
|
||||
Currently the SOCKS4 and SOCKS5 protocols are supported, and
|
||||
ssh(1) will act as a SOCKS server. Multiple forwardings may be
|
||||
specified, and additional forwardings can be given on the command
|
||||
line. Only the superuser can forward privileged ports.
|
||||
|
||||
EnableSSHKeysign
|
||||
Setting this option to ``yes'' in the global client configuration
|
||||
file /etc/ssh/ssh_config enables the use of the helper program
|
||||
ssh-keysign(8) during HostbasedAuthentication. The argument must
|
||||
be ``yes'' or ``no''. The default is ``no''. This option should
|
||||
be placed in the non-hostspecific section. See ssh-keysign(8)
|
||||
for more information.
|
||||
|
||||
EscapeChar
|
||||
Sets the escape character (default: `~'). The escape character
|
||||
can also be set on the command line. The argument should be a
|
||||
single character, `^' followed by a letter, or ``none'' to dis-
|
||||
able the escape character entirely (making the connection trans-
|
||||
parent for binary data).
|
||||
|
||||
ExitOnForwardFailure
|
||||
Specifies whether ssh(1) should terminate the connection if it
|
||||
cannot set up all requested dynamic, local, and remote port for-
|
||||
wardings. The argument must be ``yes'' or ``no''. The default
|
||||
is ``no''.
|
||||
|
||||
ForwardAgent
|
||||
Specifies whether the connection to the authentication agent (if
|
||||
any) will be forwarded to the remote machine. The argument must
|
||||
be ``yes'' or ``no''. The default is ``no''.
|
||||
|
||||
Agent forwarding should be enabled with caution. Users with the
|
||||
ability to bypass file permissions on the remote host (for the
|
||||
agent's Unix-domain socket) can access the local agent through
|
||||
the forwarded connection. An attacker cannot obtain key material
|
||||
from the agent, however they can perform operations on the keys
|
||||
that enable them to authenticate using the identities loaded into
|
||||
the agent.
|
||||
|
||||
ForwardX11
|
||||
Specifies whether X11 connections will be automatically redirect-
|
||||
ed over the secure channel and DISPLAY set. The argument must be
|
||||
``yes'' or ``no''. The default is ``no''.
|
||||
|
||||
X11 forwarding should be enabled with caution. Users with the
|
||||
ability to bypass file permissions on the remote host (for the
|
||||
user's X11 authorization database) can access the local X11 dis-
|
||||
play through the forwarded connection. An attacker may then be
|
||||
able to perform activities such as keystroke monitoring if the
|
||||
ForwardX11Trusted option is also enabled.
|
||||
|
||||
ForwardX11Trusted
|
||||
If this option is set to ``yes'', remote X11 clients will have
|
||||
full access to the original X11 display.
|
||||
|
||||
If this option is set to ``no'', remote X11 clients will be con-
|
||||
sidered untrusted and prevented from stealing or tampering with
|
||||
data belonging to trusted X11 clients. Furthermore, the xauth(1)
|
||||
token used for the session will be set to expire after 20 min-
|
||||
utes. Remote clients will be refused access after this time.
|
||||
|
||||
The default is ``no''.
|
||||
|
||||
See the X11 SECURITY extension specification for full details on
|
||||
the restrictions imposed on untrusted clients.
|
||||
|
||||
GatewayPorts
|
||||
Specifies whether remote hosts are allowed to connect to local
|
||||
forwarded ports. By default, ssh(1) binds local port forwardings
|
||||
to the loopback address. This prevents other remote hosts from
|
||||
connecting to forwarded ports. GatewayPorts can be used to spec-
|
||||
ify that ssh should bind local port forwardings to the wildcard
|
||||
address, thus allowing remote hosts to connect to forwarded
|
||||
ports. The argument must be ``yes'' or ``no''. The default is
|
||||
``no''.
|
||||
|
||||
GlobalKnownHostsFile
|
||||
Specifies a file to use for the global host key database instead
|
||||
of /etc/ssh/ssh_known_hosts.
|
||||
|
||||
GSSAPIAuthentication
|
||||
Specifies whether user authentication based on GSSAPI is allowed.
|
||||
The default is ``no''. Note that this option applies to protocol
|
||||
version 2 only.
|
||||
|
||||
GSSAPIDelegateCredentials
|
||||
Forward (delegate) credentials to the server. The default is
|
||||
``no''. Note that this option applies to protocol version 2 on-
|
||||
ly.
|
||||
|
||||
HashKnownHosts
|
||||
Indicates that ssh(1) should hash host names and addresses when
|
||||
they are added to ~/.ssh/known_hosts. These hashed names may be
|
||||
used normally by ssh(1) and sshd(8), but they do not reveal iden-
|
||||
tifying information should the file's contents be disclosed. The
|
||||
default is ``no''. Note that existing names and addresses in
|
||||
known hosts files will not be converted automatically, but may be
|
||||
manually hashed using ssh-keygen(1).
|
||||
|
||||
HostbasedAuthentication
|
||||
Specifies whether to try rhosts based authentication with public
|
||||
key authentication. The argument must be ``yes'' or ``no''. The
|
||||
default is ``no''. This option applies to protocol version 2 on-
|
||||
ly and is similar to RhostsRSAAuthentication.
|
||||
|
||||
HostKeyAlgorithms
|
||||
Specifies the protocol version 2 host key algorithms that the
|
||||
client wants to use in order of preference. The default for this
|
||||
option is: ``ssh-rsa,ssh-dss''.
|
||||
|
||||
HostKeyAlias
|
||||
Specifies an alias that should be used instead of the real host
|
||||
name when looking up or saving the host key in the host key
|
||||
database files. This option is useful for tunneling SSH connec-
|
||||
tions or for multiple servers running on a single host.
|
||||
|
||||
HostName
|
||||
Specifies the real host name to log into. This can be used to
|
||||
specify nicknames or abbreviations for hosts. The default is the
|
||||
name given on the command line. Numeric IP addresses are also
|
||||
permitted (both on the command line and in HostName specifica-
|
||||
tions).
|
||||
|
||||
IdentitiesOnly
|
||||
Specifies that ssh(1) should only use the authentication identity
|
||||
files configured in the ssh_config files, even if ssh-agent(1)
|
||||
offers more identities. The argument to this keyword must be
|
||||
``yes'' or ``no''. This option is intended for situations where
|
||||
ssh-agent offers many different identities. The default is
|
||||
``no''.
|
||||
|
||||
IdentityFile
|
||||
Specifies a file from which the user's RSA or DSA authentication
|
||||
identity is read. The default is ~/.ssh/identity for protocol
|
||||
version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol ver-
|
||||
sion 2. Additionally, any identities represented by the authen-
|
||||
tication agent will be used for authentication.
|
||||
|
||||
The file name may use the tilde syntax to refer to a user's home
|
||||
directory or one of the following escape characters: `%d' (local
|
||||
user's home directory), `%u' (local user name), `%l' (local host
|
||||
name), `%h' (remote host name) or `%r' (remote user name).
|
||||
|
||||
It is possible to have multiple identity files specified in con-
|
||||
figuration files; all these identities will be tried in sequence.
|
||||
|
||||
KbdInteractiveDevices
|
||||
Specifies the list of methods to use in keyboard-interactive au-
|
||||
thentication. Multiple method names must be comma-separated.
|
||||
The default is to use the server specified list. The methods
|
||||
available vary depending on what the server supports. For an
|
||||
OpenSSH server, it may be zero or more of: ``bsdauth'', ``pam'',
|
||||
and ``skey''.
|
||||
|
||||
LocalCommand
|
||||
Specifies a command to execute on the local machine after suc-
|
||||
cessfully connecting to the server. The command string extends
|
||||
to the end of the line, and is executed with /bin/sh. This di-
|
||||
rective is ignored unless PermitLocalCommand has been enabled.
|
||||
|
||||
LocalForward
|
||||
Specifies that a TCP port on the local machine be forwarded over
|
||||
the secure channel to the specified host and port from the remote
|
||||
machine. The first argument must be [bind_address:]port and the
|
||||
second argument must be host:hostport. IPv6 addresses can be
|
||||
specified by enclosing addresses in square brackets or by using
|
||||
an alternative syntax: [bind_address/]port and host/hostport.
|
||||
Multiple forwardings may be specified, and additional forwardings
|
||||
can be given on the command line. Only the superuser can forward
|
||||
privileged ports. By default, the local port is bound in accor-
|
||||
dance with the GatewayPorts setting. However, an explicit
|
||||
bind_address may be used to bind the connection to a specific ad-
|
||||
dress. The bind_address of ``localhost'' indicates that the lis-
|
||||
tening port be bound for local use only, while an empty address
|
||||
or `*' indicates that the port should be available from all in-
|
||||
terfaces.
|
||||
|
||||
LogLevel
|
||||
Gives the verbosity level that is used when logging messages from
|
||||
ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, VER-
|
||||
BOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.
|
||||
DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
|
||||
higher levels of verbose output.
|
||||
|
||||
MACs Specifies the MAC (message authentication code) algorithms in or-
|
||||
der of preference. The MAC algorithm is used in protocol version
|
||||
2 for data integrity protection. Multiple algorithms must be
|
||||
comma-separated. The default is: ``hmac-md5,hmac-sha1,hmac-
|
||||
ripemd160,hmac-sha1-96,hmac-md5-96''.
|
||||
|
||||
NoHostAuthenticationForLocalhost
|
||||
This option can be used if the home directory is shared across
|
||||
machines. In this case localhost will refer to a different ma-
|
||||
chine on each of the machines and the user will get many warnings
|
||||
about changed host keys. However, this option disables host au-
|
||||
thentication for localhost. The argument to this keyword must be
|
||||
``yes'' or ``no''. The default is to check the host key for lo-
|
||||
calhost.
|
||||
|
||||
NumberOfPasswordPrompts
|
||||
Specifies the number of password prompts before giving up. The
|
||||
argument to this keyword must be an integer. The default is 3.
|
||||
|
||||
PasswordAuthentication
|
||||
Specifies whether to use password authentication. The argument
|
||||
to this keyword must be ``yes'' or ``no''. The default is
|
||||
``yes''.
|
||||
|
||||
PermitLocalCommand
|
||||
Allow local command execution via the LocalCommand option or us-
|
||||
ing the !command escape sequence in ssh(1). The argument must be
|
||||
``yes'' or ``no''. The default is ``no''.
|
||||
|
||||
Port Specifies the port number to connect on the remote host. The de-
|
||||
fault is 22.
|
||||
|
||||
PreferredAuthentications
|
||||
Specifies the order in which the client should try protocol 2 au-
|
||||
thentication methods. This allows a client to prefer one method
|
||||
(e.g. keyboard-interactive) over another method (e.g. password)
|
||||
The default for this option is: ``gssapi-with-mic,hostbased,
|
||||
publickey, keyboard-interactive, password''.
|
||||
|
||||
Protocol
|
||||
Specifies the protocol versions ssh(1) should support in order of
|
||||
preference. The possible values are `1' and `2'. Multiple ver-
|
||||
sions must be comma-separated. The default is ``2,1''. This
|
||||
means that ssh tries version 2 and falls back to version 1 if
|
||||
version 2 is not available.
|
||||
|
||||
ProxyCommand
|
||||
Specifies the command to use to connect to the server. The com-
|
||||
mand string extends to the end of the line, and is executed with
|
||||
/bin/sh. In the command string, `%h' will be substituted by the
|
||||
host name to connect and `%p' by the port. The command can be
|
||||
basically anything, and should read from its standard input and
|
||||
write to its standard output. It should eventually connect an
|
||||
sshd(8) server running on some machine, or execute sshd -i some-
|
||||
where. Host key management will be done using the HostName of
|
||||
the host being connected (defaulting to the name typed by the us-
|
||||
er). Setting the command to ``none'' disables this option en-
|
||||
tirely. Note that CheckHostIP is not available for connects with
|
||||
a proxy command.
|
||||
|
||||
This directive is useful in conjunction with nc(1) and its proxy
|
||||
support. For example, the following directive would connect via
|
||||
an HTTP proxy at 192.0.2.0:
|
||||
|
||||
ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
|
||||
|
||||
PubkeyAuthentication
|
||||
Specifies whether to try public key authentication. The argument
|
||||
to this keyword must be ``yes'' or ``no''. The default is
|
||||
``yes''. This option applies to protocol version 2 only.
|
||||
|
||||
RekeyLimit
|
||||
Specifies the maximum amount of data that may be transmitted be-
|
||||
fore the session key is renegotiated. The argument is the number
|
||||
of bytes, with an optional suffix of `K', `M', or `G' to indicate
|
||||
Kilobytes, Megabytes, or Gigabytes, respectively. The default is
|
||||
between `1G' and `4G', depending on the cipher. This option ap-
|
||||
plies to protocol version 2 only.
|
||||
|
||||
RemoteForward
|
||||
Specifies that a TCP port on the remote machine be forwarded over
|
||||
the secure channel to the specified host and port from the local
|
||||
machine. The first argument must be [bind_address:]port and the
|
||||
second argument must be host:hostport. IPv6 addresses can be
|
||||
specified by enclosing addresses in square brackets or by using
|
||||
an alternative syntax: [bind_address/]port and host/hostport.
|
||||
Multiple forwardings may be specified, and additional forwardings
|
||||
can be given on the command line. Only the superuser can forward
|
||||
privileged ports.
|
||||
|
||||
If the bind_address is not specified, the default is to only bind
|
||||
to loopback addresses. If the bind_address is `*' or an empty
|
||||
string, then the forwarding is requested to listen on all inter-
|
||||
faces. Specifying a remote bind_address will only succeed if the
|
||||
server's GatewayPorts option is enabled (see sshd_config(5)).
|
||||
|
||||
RhostsRSAAuthentication
|
||||
Specifies whether to try rhosts based authentication with RSA
|
||||
host authentication. The argument must be ``yes'' or ``no''.
|
||||
The default is ``no''. This option applies to protocol version 1
|
||||
only and requires ssh(1) to be setuid root.
|
||||
|
||||
RSAAuthentication
|
||||
Specifies whether to try RSA authentication. The argument to
|
||||
this keyword must be ``yes'' or ``no''. RSA authentication will
|
||||
only be attempted if the identity file exists, or an authentica-
|
||||
tion agent is running. The default is ``yes''. Note that this
|
||||
option applies to protocol version 1 only.
|
||||
|
||||
SendEnv
|
||||
Specifies what variables from the local environ(7) should be sent
|
||||
to the server. Note that environment passing is only supported
|
||||
for protocol 2. The server must also support it, and the server
|
||||
must be configured to accept these environment variables. Refer
|
||||
to AcceptEnv in sshd_config(5) for how to configure the server.
|
||||
Variables are specified by name, which may contain wildcard char-
|
||||
acters. Multiple environment variables may be separated by
|
||||
whitespace or spread across multiple SendEnv directives. The de-
|
||||
fault is not to send any environment variables.
|
||||
|
||||
See PATTERNS for more information on patterns.
|
||||
|
||||
ServerAliveCountMax
|
||||
Sets the number of server alive messages (see below) which may be
|
||||
sent without ssh(1) receiving any messages back from the server.
|
||||
If this threshold is reached while server alive messages are be-
|
||||
ing sent, ssh will disconnect from the server, terminating the
|
||||
session. It is important to note that the use of server alive
|
||||
messages is very different from TCPKeepAlive (below). The server
|
||||
alive messages are sent through the encrypted channel and there-
|
||||
fore will not be spoofable. The TCP keepalive option enabled by
|
||||
TCPKeepAlive is spoofable. The server alive mechanism is valu-
|
||||
able when the client or server depend on knowing when a connec-
|
||||
tion has become inactive.
|
||||
|
||||
The default value is 3. If, for example, ServerAliveInterval
|
||||
(see below) is set to 15 and ServerAliveCountMax is left at the
|
||||
default, if the server becomes unresponsive, ssh will disconnect
|
||||
after approximately 45 seconds. This option applies to protocol
|
||||
version 2 only.
|
||||
|
||||
ServerAliveInterval
|
||||
Sets a timeout interval in seconds after which if no data has
|
||||
been received from the server, ssh(1) will send a message through
|
||||
the encrypted channel to request a response from the server. The
|
||||
default is 0, indicating that these messages will not be sent to
|
||||
the server. This option applies to protocol version 2 only.
|
||||
|
||||
SmartcardDevice
|
||||
Specifies which smartcard device to use. The argument to this
|
||||
keyword is the device ssh(1) should use to communicate with a
|
||||
smartcard used for storing the user's private RSA key. By de-
|
||||
fault, no device is specified and smartcard support is not acti-
|
||||
vated.
|
||||
|
||||
StrictHostKeyChecking
|
||||
If this flag is set to ``yes'', ssh(1) will never automatically
|
||||
add host keys to the ~/.ssh/known_hosts file, and refuses to con-
|
||||
nect to hosts whose host key has changed. This provides maximum
|
||||
protection against trojan horse attacks, though it can be annoy-
|
||||
ing when the /etc/ssh/ssh_known_hosts file is poorly maintained
|
||||
or when connections to new hosts are frequently made. This op-
|
||||
tion forces the user to manually add all new hosts. If this flag
|
||||
is set to ``no'', ssh will automatically add new host keys to the
|
||||
user known hosts files. If this flag is set to ``ask'', new host
|
||||
keys will be added to the user known host files only after the
|
||||
user has confirmed that is what they really want to do, and ssh
|
||||
will refuse to connect to hosts whose host key has changed. The
|
||||
host keys of known hosts will be verified automatically in all
|
||||
cases. The argument must be ``yes'', ``no'', or ``ask''. The
|
||||
default is ``ask''.
|
||||
|
||||
TCPKeepAlive
|
||||
Specifies whether the system should send TCP keepalive messages
|
||||
to the other side. If they are sent, death of the connection or
|
||||
crash of one of the machines will be properly noticed. However,
|
||||
this means that connections will die if the route is down tem-
|
||||
porarily, and some people find it annoying.
|
||||
|
||||
The default is ``yes'' (to send TCP keepalive messages), and the
|
||||
client will notice if the network goes down or the remote host
|
||||
dies. This is important in scripts, and many users want it too.
|
||||
|
||||
To disable TCP keepalive messages, the value should be set to
|
||||
``no''.
|
||||
|
||||
Tunnel Request tun(4) device forwarding between the client and the serv-
|
||||
er. The argument must be ``yes'', ``point-to-point'' (layer 3),
|
||||
``ethernet'' (layer 2), or ``no''. Specifying ``yes'' requests
|
||||
the default tunnel mode, which is ``point-to-point''. The de-
|
||||
fault is ``no''.
|
||||
|
||||
TunnelDevice
|
||||
Specifies the tun(4) devices to open on the client (local_tun)
|
||||
and the server (remote_tun).
|
||||
|
||||
The argument must be local_tun[:remote_tun]. The devices may be
|
||||
specified by numerical ID or the keyword ``any'', which uses the
|
||||
next available tunnel device. If remote_tun is not specified, it
|
||||
defaults to ``any''. The default is ``any:any''.
|
||||
|
||||
UsePrivilegedPort
|
||||
Specifies whether to use a privileged port for outgoing connec-
|
||||
tions. The argument must be ``yes'' or ``no''. The default is
|
||||
``no''. If set to ``yes'', ssh(1) must be setuid root. Note
|
||||
that this option must be set to ``yes'' for
|
||||
RhostsRSAAuthentication with older servers.
|
||||
|
||||
User Specifies the user to log in as. This can be useful when a dif-
|
||||
ferent user name is used on different machines. This saves the
|
||||
trouble of having to remember to give the user name on the com-
|
||||
mand line.
|
||||
|
||||
UserKnownHostsFile
|
||||
Specifies a file to use for the user host key database instead of
|
||||
~/.ssh/known_hosts.
|
||||
|
||||
VerifyHostKeyDNS
|
||||
Specifies whether to verify the remote key using DNS and SSHFP
|
||||
resource records. If this option is set to ``yes'', the client
|
||||
will implicitly trust keys that match a secure fingerprint from
|
||||
DNS. Insecure fingerprints will be handled as if this option was
|
||||
set to ``ask''. If this option is set to ``ask'', information on
|
||||
fingerprint match will be displayed, but the user will still need
|
||||
to confirm new host keys according to the StrictHostKeyChecking
|
||||
option. The argument must be ``yes'', ``no'', or ``ask''. The
|
||||
default is ``no''. Note that this option applies to protocol
|
||||
version 2 only.
|
||||
|
||||
See also VERIFYING HOST KEYS in ssh(1).
|
||||
|
||||
XAuthLocation
|
||||
Specifies the full pathname of the xauth(1) program. The default
|
||||
is /usr/X11R6/bin/xauth.
|
||||
|
||||
PATTERNS
|
||||
A pattern consists of zero or more non-whitespace characters, `*' (a
|
||||
wildcard that matches zero or more characters), or `?' (a wildcard that
|
||||
matches exactly one character). For example, to specify a set of decla-
|
||||
rations for any host in the ``.co.uk'' set of domains, the following pat-
|
||||
tern could be used:
|
||||
|
||||
Host *.co.uk
|
||||
|
||||
The following pattern would match any host in the 192.168.0.[0-9] network
|
||||
range:
|
||||
|
||||
Host 192.168.0.?
|
||||
|
||||
A pattern-list is a comma-separated list of patterns. Patterns within
|
||||
pattern-lists may be negated by preceding them with an exclamation mark
|
||||
(`!'). For example, to allow a key to be used from anywhere within an
|
||||
organisation except from the ``dialup'' pool, the following entry (in au-
|
||||
thorized_keys) could be used:
|
||||
|
||||
from="!*.dialup.example.com,*.example.com"
|
||||
|
||||
FILES
|
||||
~/.ssh/config
|
||||
This is the per-user configuration file. The format of this file
|
||||
is described above. This file is used by the SSH client. Be-
|
||||
cause of the potential for abuse, this file must have strict per-
|
||||
missions: read/write for the user, and not accessible by others.
|
||||
|
||||
/etc/ssh/ssh_config
|
||||
Systemwide configuration file. This file provides defaults for
|
||||
those values that are not specified in the user's configuration
|
||||
file, and for those users who do not have a configuration file.
|
||||
This file must be world-readable.
|
||||
|
||||
SEE ALSO
|
||||
ssh(1)
|
||||
|
||||
AUTHORS
|
||||
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
|
||||
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
|
||||
de Raadt and Dug Song removed many bugs, re-added newer features and cre-
|
||||
ated OpenSSH. Markus Friedl contributed the support for SSH protocol
|
||||
versions 1.5 and 2.0.
|
||||
|
||||
OpenBSD 4.1 September 25, 1999 10
|
@ -34,7 +34,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh_config.5,v 1.97 2006/07/27 08:00:50 jmc Exp $
|
||||
.\" $OpenBSD: ssh_config.5,v 1.98 2007/01/10 13:23:22 jmc Exp $
|
||||
.Dd September 25, 1999
|
||||
.Dt SSH_CONFIG 5
|
||||
.Os
|
||||
@ -42,10 +42,8 @@
|
||||
.Nm ssh_config
|
||||
.Nd OpenSSH SSH client configuration files
|
||||
.Sh SYNOPSIS
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Pa ~/.ssh/config
|
||||
.It Pa /etc/ssh/ssh_config
|
||||
.El
|
||||
.Nm ~/.ssh/config
|
||||
.Nm /etc/ssh/ssh_config
|
||||
.Sh DESCRIPTION
|
||||
.Xr ssh 1
|
||||
obtains configuration data from the following sources in
|
||||
|
544
sshd.0
Normal file
544
sshd.0
Normal file
@ -0,0 +1,544 @@
|
||||
SSHD(8) OpenBSD System Manager's Manual SSHD(8)
|
||||
|
||||
NAME
|
||||
sshd - OpenSSH SSH daemon
|
||||
|
||||
SYNOPSIS
|
||||
sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]
|
||||
[-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]
|
||||
|
||||
DESCRIPTION
|
||||
sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these
|
||||
programs replace rlogin and rsh, and provide secure encrypted communica-
|
||||
tions between two untrusted hosts over an insecure network.
|
||||
|
||||
sshd listens for connections from clients. It is normally started at
|
||||
boot from /etc/rc. It forks a new daemon for each incoming connection.
|
||||
The forked daemons handle key exchange, encryption, authentication, com-
|
||||
mand execution, and data exchange.
|
||||
|
||||
sshd can be configured using command-line options or a configuration file
|
||||
(by default sshd_config(5)); command-line options override values speci-
|
||||
fied in the configuration file. sshd rereads its configuration file when
|
||||
it receives a hangup signal, SIGHUP, by executing itself with the name
|
||||
and options it was started with, e.g. /usr/sbin/sshd.
|
||||
|
||||
The options are as follows:
|
||||
|
||||
-4 Forces sshd to use IPv4 addresses only.
|
||||
|
||||
-6 Forces sshd to use IPv6 addresses only.
|
||||
|
||||
-b bits
|
||||
Specifies the number of bits in the ephemeral protocol version 1
|
||||
server key (default 768).
|
||||
|
||||
-D When this option is specified, sshd will not detach and does not
|
||||
become a daemon. This allows easy monitoring of sshd.
|
||||
|
||||
-d Debug mode. The server sends verbose debug output to the system
|
||||
log, and does not put itself in the background. The server also
|
||||
will not fork and will only process one connection. This option
|
||||
is only intended for debugging for the server. Multiple -d op-
|
||||
tions increase the debugging level. Maximum is 3.
|
||||
|
||||
-e When this option is specified, sshd will send the output to the
|
||||
standard error instead of the system log.
|
||||
|
||||
-f configuration_file
|
||||
Specifies the name of the configuration file. The default is
|
||||
/etc/ssh/sshd_config. sshd refuses to start if there is no con-
|
||||
figuration file.
|
||||
|
||||
-g login_grace_time
|
||||
Gives the grace time for clients to authenticate themselves (de-
|
||||
fault 120 seconds). If the client fails to authenticate the user
|
||||
within this many seconds, the server disconnects and exits. A
|
||||
value of zero indicates no limit.
|
||||
|
||||
-h host_key_file
|
||||
Specifies a file from which a host key is read. This option must
|
||||
be given if sshd is not run as root (as the normal host key files
|
||||
are normally not readable by anyone but root). The default is
|
||||
/etc/ssh/ssh_host_key for protocol version 1, and
|
||||
/etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro-
|
||||
tocol version 2. It is possible to have multiple host key files
|
||||
for the different protocol versions and host key algorithms.
|
||||
|
||||
-i Specifies that sshd is being run from inetd(8). sshd is normally
|
||||
not run from inetd because it needs to generate the server key
|
||||
before it can respond to the client, and this may take tens of
|
||||
seconds. Clients would have to wait too long if the key was re-
|
||||
generated every time. However, with small key sizes (e.g. 512)
|
||||
using sshd from inetd may be feasible.
|
||||
|
||||
-k key_gen_time
|
||||
Specifies how often the ephemeral protocol version 1 server key
|
||||
is regenerated (default 3600 seconds, or one hour). The motiva-
|
||||
tion for regenerating the key fairly often is that the key is not
|
||||
stored anywhere, and after about an hour it becomes impossible to
|
||||
recover the key for decrypting intercepted communications even if
|
||||
the machine is cracked into or physically seized. A value of ze-
|
||||
ro indicates that the key will never be regenerated.
|
||||
|
||||
-o option
|
||||
Can be used to give options in the format used in the configura-
|
||||
tion file. This is useful for specifying options for which there
|
||||
is no separate command-line flag. For full details of the op-
|
||||
tions, and their values, see sshd_config(5).
|
||||
|
||||
-p port
|
||||
Specifies the port on which the server listens for connections
|
||||
(default 22). Multiple port options are permitted. Ports speci-
|
||||
fied in the configuration file with the Port option are ignored
|
||||
when a command-line port is specified. Ports specified using the
|
||||
ListenAddress option override command-line ports.
|
||||
|
||||
-q Quiet mode. Nothing is sent to the system log. Normally the be-
|
||||
ginning, authentication, and termination of each connection is
|
||||
logged.
|
||||
|
||||
-t Test mode. Only check the validity of the configuration file and
|
||||
sanity of the keys. This is useful for updating sshd reliably as
|
||||
configuration options may change.
|
||||
|
||||
-u len This option is used to specify the size of the field in the utmp
|
||||
structure that holds the remote host name. If the resolved host
|
||||
name is longer than len, the dotted decimal value will be used
|
||||
instead. This allows hosts with very long host names that over-
|
||||
flow this field to still be uniquely identified. Specifying -u0
|
||||
indicates that only dotted decimal addresses should be put into
|
||||
the utmp file. -u0 may also be used to prevent sshd from making
|
||||
DNS requests unless the authentication mechanism or configuration
|
||||
requires it. Authentication mechanisms that may require DNS in-
|
||||
clude RhostsRSAAuthentication, HostbasedAuthentication, and using
|
||||
a from="pattern-list" option in a key file. Configuration op-
|
||||
tions that require DNS include using a USER@HOST pattern in
|
||||
AllowUsers or DenyUsers.
|
||||
|
||||
AUTHENTICATION
|
||||
The OpenSSH SSH daemon supports SSH protocols 1 and 2. Both protocols
|
||||
are supported by default, though this can be changed via the Protocol op-
|
||||
tion in sshd_config(5). Protocol 2 supports both RSA and DSA keys; pro-
|
||||
tocol 1 only supports RSA keys. For both protocols, each host has a
|
||||
host-specific key, normally 2048 bits, used to identify the host.
|
||||
|
||||
Forward security for protocol 1 is provided through an additional server
|
||||
key, normally 768 bits, generated when the server starts. This key is
|
||||
normally regenerated every hour if it has been used, and is never stored
|
||||
on disk. Whenever a client connects, the daemon responds with its public
|
||||
host and server keys. The client compares the RSA host key against its
|
||||
own database to verify that it has not changed. The client then gener-
|
||||
ates a 256-bit random number. It encrypts this random number using both
|
||||
the host key and the server key, and sends the encrypted number to the
|
||||
server. Both sides then use this random number as a session key which is
|
||||
used to encrypt all further communications in the session. The rest of
|
||||
the session is encrypted using a conventional cipher, currently Blowfish
|
||||
or 3DES, with 3DES being used by default. The client selects the encryp-
|
||||
tion algorithm to use from those offered by the server.
|
||||
|
||||
For protocol 2, forward security is provided through a Diffie-Hellman key
|
||||
agreement. This key agreement results in a shared session key. The rest
|
||||
of the session is encrypted using a symmetric cipher, currently 128-bit
|
||||
AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The
|
||||
client selects the encryption algorithm to use from those offered by the
|
||||
server. Additionally, session integrity is provided through a crypto-
|
||||
graphic message authentication code (hmac-sha1 or hmac-md5).
|
||||
|
||||
Finally, the server and the client enter an authentication dialog. The
|
||||
client tries to authenticate itself using host-based authentication, pub-
|
||||
lic key authentication, challenge-response authentication, or password
|
||||
authentication.
|
||||
|
||||
Regardless of the authentication type, the account is checked to ensure
|
||||
that it is accessible. An account is not accessible if it is locked,
|
||||
listed in DenyUsers or its group is listed in DenyGroups . The defini-
|
||||
tion of a locked account is system dependant. Some platforms have their
|
||||
own account database (eg AIX) and some modify the passwd field ( `*LK*'
|
||||
on Solaris and UnixWare, `*' on HP-UX, containing `Nologin' on Tru64, a
|
||||
leading `*LOCKED*' on FreeBSD and a leading `!!' on Linux). If there is
|
||||
a requirement to disable password authentication for the account while
|
||||
allowing still public-key, then the passwd field should be set to some-
|
||||
thing other than these values (eg `NP' or `*NP*' ).
|
||||
|
||||
If the client successfully authenticates itself, a dialog for preparing
|
||||
the session is entered. At this time the client may request things like
|
||||
allocating a pseudo-tty, forwarding X11 connections, forwarding TCP con-
|
||||
nections, or forwarding the authentication agent connection over the se-
|
||||
cure channel.
|
||||
|
||||
After this, the client either requests a shell or execution of a command.
|
||||
The sides then enter session mode. In this mode, either side may send
|
||||
data at any time, and such data is forwarded to/from the shell or command
|
||||
on the server side, and the user terminal in the client side.
|
||||
|
||||
When the user program terminates and all forwarded X11 and other connec-
|
||||
tions have been closed, the server sends command exit status to the
|
||||
client, and both sides exit.
|
||||
|
||||
LOGIN PROCESS
|
||||
When a user successfully logs in, sshd does the following:
|
||||
|
||||
1. If the login is on a tty, and no command has been specified,
|
||||
prints last login time and /etc/motd (unless prevented in the
|
||||
configuration file or by ~/.hushlogin; see the FILES section).
|
||||
|
||||
2. If the login is on a tty, records login time.
|
||||
|
||||
3. Checks /etc/nologin; if it exists, prints contents and quits
|
||||
(unless root).
|
||||
|
||||
4. Changes to run with normal user privileges.
|
||||
|
||||
5. Sets up basic environment.
|
||||
|
||||
6. Reads the file ~/.ssh/environment, if it exists, and users are
|
||||
allowed to change their environment. See the
|
||||
PermitUserEnvironment option in sshd_config(5).
|
||||
|
||||
7. Changes to user's home directory.
|
||||
|
||||
8. If ~/.ssh/rc exists, runs it; else if /etc/ssh/sshrc exists,
|
||||
runs it; otherwise runs xauth. The ``rc'' files are given the
|
||||
X11 authentication protocol and cookie in standard input. See
|
||||
SSHRC, below.
|
||||
|
||||
9. Runs user's shell or command.
|
||||
|
||||
SSHRC
|
||||
If the file ~/.ssh/rc exists, sh(1) runs it after reading the environment
|
||||
files but before starting the user's shell or command. It must not pro-
|
||||
duce any output on stdout; stderr must be used instead. If X11 forward-
|
||||
ing is in use, it will receive the "proto cookie" pair in its standard
|
||||
input (and DISPLAY in its environment). The script must call xauth(1)
|
||||
because sshd will not run xauth automatically to add X11 cookies.
|
||||
|
||||
The primary purpose of this file is to run any initialization routines
|
||||
which may be needed before the user's home directory becomes accessible;
|
||||
AFS is a particular example of such an environment.
|
||||
|
||||
This file will probably contain some initialization code followed by
|
||||
something similar to:
|
||||
|
||||
if read proto cookie && [ -n "$DISPLAY" ]; then
|
||||
if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
|
||||
# X11UseLocalhost=yes
|
||||
echo add unix:`echo $DISPLAY |
|
||||
cut -c11-` $proto $cookie
|
||||
else
|
||||
# X11UseLocalhost=no
|
||||
echo add $DISPLAY $proto $cookie
|
||||
fi | xauth -q -
|
||||
fi
|
||||
|
||||
If this file does not exist, /etc/ssh/sshrc is run, and if that does not
|
||||
exist either, xauth is used to add the cookie.
|
||||
|
||||
AUTHORIZED_KEYS FILE FORMAT
|
||||
AuthorizedKeysFile specifies the file containing public keys for public
|
||||
key authentication; if none is specified, the default is
|
||||
~/.ssh/authorized_keys. Each line of the file contains one key (empty
|
||||
lines and lines starting with a `#' are ignored as comments). Protocol 1
|
||||
public keys consist of the following space-separated fields: options,
|
||||
bits, exponent, modulus, comment. Protocol 2 public key consist of: op-
|
||||
tions, keytype, base64-encoded key, comment. The options field is op-
|
||||
tional; its presence is determined by whether the line starts with a num-
|
||||
ber or not (the options field never starts with a number). The bits, ex-
|
||||
ponent, modulus, and comment fields give the RSA key for protocol version
|
||||
1; the comment field is not used for anything (but may be convenient for
|
||||
the user to identify the key). For protocol version 2 the keytype is
|
||||
``ssh-dss'' or ``ssh-rsa''.
|
||||
|
||||
Note that lines in this file are usually several hundred bytes long (be-
|
||||
cause of the size of the public key encoding) up to a limit of 8 kilo-
|
||||
bytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16
|
||||
kilobits. You don't want to type them in; instead, copy the
|
||||
identity.pub, id_dsa.pub, or the id_rsa.pub file and edit it.
|
||||
|
||||
sshd enforces a minimum RSA key modulus size for protocol 1 and protocol
|
||||
2 keys of 768 bits.
|
||||
|
||||
The options (if present) consist of comma-separated option specifica-
|
||||
tions. No spaces are permitted, except within double quotes. The fol-
|
||||
lowing option specifications are supported (note that option keywords are
|
||||
case-insensitive):
|
||||
|
||||
command="command"
|
||||
Specifies that the command is executed whenever this key is used
|
||||
for authentication. The command supplied by the user (if any) is
|
||||
ignored. The command is run on a pty if the client requests a
|
||||
pty; otherwise it is run without a tty. If an 8-bit clean chan-
|
||||
nel is required, one must not request a pty or should specify no-
|
||||
pty. A quote may be included in the command by quoting it with a
|
||||
backslash. This option might be useful to restrict certain pub-
|
||||
lic keys to perform just a specific operation. An example might
|
||||
be a key that permits remote backups but nothing else. Note that
|
||||
the client may specify TCP and/or X11 forwarding unless they are
|
||||
explicitly prohibited. The command originally supplied by the
|
||||
client is available in the SSH_ORIGINAL_COMMAND environment vari-
|
||||
able. Note that this option applies to shell, command or subsys-
|
||||
tem execution.
|
||||
|
||||
environment="NAME=value"
|
||||
Specifies that the string is to be added to the environment when
|
||||
logging in using this key. Environment variables set this way
|
||||
override other default environment values. Multiple options of
|
||||
this type are permitted. Environment processing is disabled by
|
||||
default and is controlled via the PermitUserEnvironment option.
|
||||
This option is automatically disabled if UseLogin is enabled.
|
||||
|
||||
from="pattern-list"
|
||||
Specifies that in addition to public key authentication, the
|
||||
canonical name of the remote host must be present in the comma-
|
||||
separated list of patterns. The purpose of this option is to op-
|
||||
tionally increase security: public key authentication by itself
|
||||
does not trust the network or name servers or anything (but the
|
||||
key); however, if somebody somehow steals the key, the key per-
|
||||
mits an intruder to log in from anywhere in the world. This ad-
|
||||
ditional option makes using a stolen key more difficult (name
|
||||
servers and/or routers would have to be compromised in addition
|
||||
to just the key).
|
||||
|
||||
See PATTERNS in ssh_config(5) for more information on patterns.
|
||||
|
||||
no-agent-forwarding
|
||||
Forbids authentication agent forwarding when this key is used for
|
||||
authentication.
|
||||
|
||||
no-port-forwarding
|
||||
Forbids TCP forwarding when this key is used for authentication.
|
||||
Any port forward requests by the client will return an error.
|
||||
This might be used, e.g. in connection with the command option.
|
||||
|
||||
no-pty Prevents tty allocation (a request to allocate a pty will fail).
|
||||
|
||||
no-X11-forwarding
|
||||
Forbids X11 forwarding when this key is used for authentication.
|
||||
Any X11 forward requests by the client will return an error.
|
||||
|
||||
permitopen="host:port"
|
||||
Limit local ``ssh -L'' port forwarding such that it may only con-
|
||||
nect to the specified host and port. IPv6 addresses can be spec-
|
||||
ified with an alternative syntax: host/port. Multiple permitopen
|
||||
options may be applied separated by commas. No pattern matching
|
||||
is performed on the specified hostnames, they must be literal do-
|
||||
mains or addresses.
|
||||
|
||||
tunnel="n"
|
||||
Force a tun(4) device on the server. Without this option, the
|
||||
next available device will be used if the client requests a tun-
|
||||
nel.
|
||||
|
||||
An example authorized_keys file:
|
||||
|
||||
# Comments allowed at start of line
|
||||
ssh-rsa AAAAB3Nza...LiPk== user@example.net
|
||||
from="*.sales.example.net,!pc.sales.example.net" ssh-rsa
|
||||
AAAAB2...19Q== john@example.net
|
||||
command="dump /home",no-pty,no-port-forwarding ssh-dss
|
||||
AAAAC3...51R== example.net
|
||||
permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
|
||||
AAAAB5...21S==
|
||||
tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
|
||||
jane@example.net
|
||||
|
||||
SSH_KNOWN_HOSTS FILE FORMAT
|
||||
The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host
|
||||
public keys for all known hosts. The global file should be prepared by
|
||||
the administrator (optional), and the per-user file is maintained auto-
|
||||
matically: whenever the user connects from an unknown host, its key is
|
||||
added to the per-user file.
|
||||
|
||||
Each line in these files contains the following fields: hostnames, bits,
|
||||
exponent, modulus, comment. The fields are separated by spaces.
|
||||
|
||||
Hostnames is a comma-separated list of patterns (`*' and `?' act as wild-
|
||||
cards); each pattern in turn is matched against the canonical host name
|
||||
(when authenticating a client) or against the user-supplied name (when
|
||||
authenticating a server). A pattern may also be preceded by `!' to indi-
|
||||
cate negation: if the host name matches a negated pattern, it is not ac-
|
||||
cepted (by that line) even if it matched another pattern on the line. A
|
||||
hostname or address may optionally be enclosed within `[' and `]' brack-
|
||||
ets then followed by `:' and a non-standard port number.
|
||||
|
||||
Alternately, hostnames may be stored in a hashed form which hides host
|
||||
names and addresses should the file's contents be disclosed. Hashed
|
||||
hostnames start with a `|' character. Only one hashed hostname may ap-
|
||||
pear on a single line and none of the above negation or wildcard opera-
|
||||
tors may be applied.
|
||||
|
||||
Bits, exponent, and modulus are taken directly from the RSA host key;
|
||||
they can be obtained, for example, from /etc/ssh/ssh_host_key.pub. The
|
||||
optional comment field continues to the end of the line, and is not used.
|
||||
|
||||
Lines starting with `#' and empty lines are ignored as comments.
|
||||
|
||||
When performing host authentication, authentication is accepted if any
|
||||
matching line has the proper key. It is thus permissible (but not recom-
|
||||
mended) to have several lines or different host keys for the same names.
|
||||
This will inevitably happen when short forms of host names from different
|
||||
domains are put in the file. It is possible that the files contain con-
|
||||
flicting information; authentication is accepted if valid information can
|
||||
be found from either file.
|
||||
|
||||
Note that the lines in these files are typically hundreds of characters
|
||||
long, and you definitely don't want to type in the host keys by hand.
|
||||
Rather, generate them by a script or by taking /etc/ssh/ssh_host_key.pub
|
||||
and adding the host names at the front.
|
||||
|
||||
An example ssh_known_hosts file:
|
||||
|
||||
# Comments allowed at start of line
|
||||
closenet,...,192.0.2.53 1024 37 159...93 closenet.example.net
|
||||
cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
|
||||
# A hashed hostname
|
||||
|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
|
||||
AAAA1234.....=
|
||||
|
||||
FILES
|
||||
~/.hushlogin
|
||||
This file is used to suppress printing the last login time and
|
||||
/etc/motd, if PrintLastLog and PrintMotd, respectively, are en-
|
||||
abled. It does not suppress printing of the banner specified by
|
||||
Banner.
|
||||
|
||||
~/.rhosts
|
||||
This file is used for host-based authentication (see ssh(1) for
|
||||
more information). On some machines this file may need to be
|
||||
world-readable if the user's home directory is on an NFS parti-
|
||||
tion, because sshd reads it as root. Additionally, this file
|
||||
must be owned by the user, and must not have write permissions
|
||||
for anyone else. The recommended permission for most machines is
|
||||
read/write for the user, and not accessible by others.
|
||||
|
||||
~/.shosts
|
||||
This file is used in exactly the same way as .rhosts, but allows
|
||||
host-based authentication without permitting login with
|
||||
rlogin/rsh.
|
||||
|
||||
~/.ssh/authorized_keys
|
||||
Lists the public keys (RSA/DSA) that can be used for logging in
|
||||
as this user. The format of this file is described above. The
|
||||
content of the file is not highly sensitive, but the recommended
|
||||
permissions are read/write for the user, and not accessible by
|
||||
others.
|
||||
|
||||
If this file, the ~/.ssh directory, or the user's home directory
|
||||
are writable by other users, then the file could be modified or
|
||||
replaced by unauthorized users. In this case, sshd will not al-
|
||||
low it to be used unless the StrictModes option has been set to
|
||||
``no''. The recommended permissions can be set by executing
|
||||
``chmod go-w ~/ ~/.ssh ~/.ssh/authorized_keys''.
|
||||
|
||||
~/.ssh/environment
|
||||
This file is read into the environment at login (if it exists).
|
||||
It can only contain empty lines, comment lines (that start with
|
||||
`#'), and assignment lines of the form name=value. The file
|
||||
should be writable only by the user; it need not be readable by
|
||||
anyone else. Environment processing is disabled by default and
|
||||
is controlled via the PermitUserEnvironment option.
|
||||
|
||||
~/.ssh/known_hosts
|
||||
Contains a list of host keys for all hosts the user has logged
|
||||
into that are not already in the systemwide list of known host
|
||||
keys. The format of this file is described above. This file
|
||||
should be writable only by root/the owner and can, but need not
|
||||
be, world-readable.
|
||||
|
||||
~/.ssh/rc
|
||||
Contains initialization routines to be run before the user's home
|
||||
directory becomes accessible. This file should be writable only
|
||||
by the user, and need not be readable by anyone else.
|
||||
|
||||
/etc/hosts.allow
|
||||
/etc/hosts.deny
|
||||
Access controls that should be enforced by tcp-wrappers are de-
|
||||
fined here. Further details are described in hosts_access(5).
|
||||
|
||||
/etc/hosts.equiv
|
||||
This file is for host-based authentication (see ssh(1)). It
|
||||
should only be writable by root.
|
||||
|
||||
/etc/moduli
|
||||
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group
|
||||
Exchange". The file format is described in moduli(5).
|
||||
|
||||
/etc/motd
|
||||
See motd(5).
|
||||
|
||||
/etc/nologin
|
||||
If this file exists, sshd refuses to let anyone except root log
|
||||
in. The contents of the file are displayed to anyone trying to
|
||||
log in, and non-root connections are refused. The file should be
|
||||
world-readable.
|
||||
|
||||
/etc/shosts.equiv
|
||||
This file is used in exactly the same way as hosts.equiv, but al-
|
||||
lows host-based authentication without permitting login with
|
||||
rlogin/rsh.
|
||||
|
||||
/etc/ssh/ssh_known_hosts
|
||||
Systemwide list of known host keys. This file should be prepared
|
||||
by the system administrator to contain the public host keys of
|
||||
all machines in the organization. The format of this file is de-
|
||||
scribed above. This file should be writable only by root/the
|
||||
owner and should be world-readable.
|
||||
|
||||
/etc/ssh/ssh_host_key
|
||||
/etc/ssh/ssh_host_dsa_key
|
||||
/etc/ssh/ssh_host_rsa_key
|
||||
These three files contain the private parts of the host keys.
|
||||
These files should only be owned by root, readable only by root,
|
||||
and not accessible to others. Note that sshd does not start if
|
||||
these files are group/world-accessible.
|
||||
|
||||
/etc/ssh/ssh_host_key.pub
|
||||
/etc/ssh/ssh_host_dsa_key.pub
|
||||
/etc/ssh/ssh_host_rsa_key.pub
|
||||
These three files contain the public parts of the host keys.
|
||||
These files should be world-readable but writable only by root.
|
||||
Their contents should match the respective private parts. These
|
||||
files are not really used for anything; they are provided for the
|
||||
convenience of the user so their contents can be copied to known
|
||||
hosts files. These files are created using ssh-keygen(1).
|
||||
|
||||
/etc/ssh/sshd_config
|
||||
Contains configuration data for sshd. The file format and con-
|
||||
figuration options are described in sshd_config(5).
|
||||
|
||||
/etc/ssh/sshrc
|
||||
Similar to ~/.ssh/rc, it can be used to specify machine-specific
|
||||
login-time initializations globally. This file should be
|
||||
writable only by root, and should be world-readable.
|
||||
|
||||
/var/empty
|
||||
chroot(2) directory used by sshd during privilege separation in
|
||||
the pre-authentication phase. The directory should not contain
|
||||
any files and must be owned by root and not group or world-
|
||||
writable.
|
||||
|
||||
/var/run/sshd.pid
|
||||
Contains the process ID of the sshd listening for connections (if
|
||||
there are several daemons running concurrently for different
|
||||
ports, this contains the process ID of the one started last).
|
||||
The content of this file is not sensitive; it can be world-read-
|
||||
able.
|
||||
|
||||
SEE ALSO
|
||||
scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
|
||||
chroot(2), hosts_access(5), login.conf(5), moduli(5), sshd_config(5),
|
||||
inetd(8), sftp-server(8)
|
||||
|
||||
AUTHORS
|
||||
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
|
||||
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
|
||||
de Raadt and Dug Song removed many bugs, re-added newer features and cre-
|
||||
ated OpenSSH. Markus Friedl contributed the support for SSH protocol
|
||||
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
|
||||
for privilege separation.
|
||||
|
||||
CAVEATS
|
||||
System security is not improved unless rshd, rlogind, and rexecd are dis-
|
||||
abled (thus completely disabling rlogin and rsh into the machine).
|
||||
|
||||
OpenBSD 4.1 September 25, 1999 9
|
3
sshd.c
3
sshd.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: sshd.c,v 1.348 2006/11/06 21:25:28 markus Exp $ */
|
||||
/* $OpenBSD: sshd.c,v 1.349 2007/02/21 11:00:05 dtucker Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -305,6 +305,7 @@ sighup_restart(void)
|
||||
logit("Received SIGHUP; restarting.");
|
||||
close_listen_socks();
|
||||
close_startup_pipes();
|
||||
alarm(0); /* alarm timer persists across exec */
|
||||
execv(saved_argv[0], saved_argv);
|
||||
logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
|
||||
strerror(errno));
|
||||
|
573
sshd_config.0
Normal file
573
sshd_config.0
Normal file
@ -0,0 +1,573 @@
|
||||
SSHD_CONFIG(5) OpenBSD Programmer's Manual SSHD_CONFIG(5)
|
||||
|
||||
NAME
|
||||
sshd_config - OpenSSH SSH daemon configuration file
|
||||
|
||||
SYNOPSIS
|
||||
/etc/ssh/sshd_config
|
||||
|
||||
DESCRIPTION
|
||||
sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file
|
||||
specified with -f on the command line). The file contains keyword-argu-
|
||||
ment pairs, one per line. Lines starting with `#' and empty lines are
|
||||
interpreted as comments. Arguments may optionally be enclosed in double
|
||||
quotes (") in order to represent arguments containing spaces.
|
||||
|
||||
The possible keywords and their meanings are as follows (note that key-
|
||||
words are case-insensitive and arguments are case-sensitive):
|
||||
|
||||
AcceptEnv
|
||||
Specifies what environment variables sent by the client will be
|
||||
copied into the session's environ(7). See SendEnv in
|
||||
ssh_config(5) for how to configure the client. Note that envi-
|
||||
ronment passing is only supported for protocol 2. Variables are
|
||||
specified by name, which may contain the wildcard characters `*'
|
||||
and `?'. Multiple environment variables may be separated by
|
||||
whitespace or spread across multiple AcceptEnv directives. Be
|
||||
warned that some environment variables could be used to bypass
|
||||
restricted user environments. For this reason, care should be
|
||||
taken in the use of this directive. The default is not to accept
|
||||
any environment variables.
|
||||
|
||||
AddressFamily
|
||||
Specifies which address family should be used by sshd(8). Valid
|
||||
arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6''
|
||||
(use IPv6 only). The default is ``any''.
|
||||
|
||||
AllowGroups
|
||||
This keyword can be followed by a list of group name patterns,
|
||||
separated by spaces. If specified, login is allowed only for
|
||||
users whose primary group or supplementary group list matches one
|
||||
of the patterns. Only group names are valid; a numerical group
|
||||
ID is not recognized. By default, login is allowed for all
|
||||
groups. The allow/deny directives are processed in the following
|
||||
order: DenyUsers, AllowUsers, DenyGroups, and finally
|
||||
AllowGroups.
|
||||
|
||||
See PATTERNS in ssh_config(5) for more information on patterns.
|
||||
|
||||
AllowTcpForwarding
|
||||
Specifies whether TCP forwarding is permitted. The default is
|
||||
``yes''. Note that disabling TCP forwarding does not improve se-
|
||||
curity unless users are also denied shell access, as they can al-
|
||||
ways install their own forwarders.
|
||||
|
||||
AllowUsers
|
||||
This keyword can be followed by a list of user name patterns,
|
||||
separated by spaces. If specified, login is allowed only for us-
|
||||
er names that match one of the patterns. Only user names are
|
||||
valid; a numerical user ID is not recognized. By default, login
|
||||
is allowed for all users. If the pattern takes the form US-
|
||||
ER@HOST then USER and HOST are separately checked, restricting
|
||||
logins to particular users from particular hosts. The allow/deny
|
||||
directives are processed in the following order: DenyUsers,
|
||||
AllowUsers, DenyGroups, and finally AllowGroups.
|
||||
|
||||
See PATTERNS in ssh_config(5) for more information on patterns.
|
||||
|
||||
AuthorizedKeysFile
|
||||
Specifies the file that contains the public keys that can be used
|
||||
for user authentication. AuthorizedKeysFile may contain tokens
|
||||
of the form %T which are substituted during connection setup.
|
||||
The following tokens are defined: %% is replaced by a literal
|
||||
'%', %h is replaced by the home directory of the user being au-
|
||||
thenticated, and %u is replaced by the username of that user.
|
||||
After expansion, AuthorizedKeysFile is taken to be an absolute
|
||||
path or one relative to the user's home directory. The default
|
||||
is ``.ssh/authorized_keys''.
|
||||
|
||||
Banner In some jurisdictions, sending a warning message before authenti-
|
||||
cation may be relevant for getting legal protection. The con-
|
||||
tents of the specified file are sent to the remote user before
|
||||
authentication is allowed. This option is only available for
|
||||
protocol version 2. By default, no banner is displayed.
|
||||
|
||||
ChallengeResponseAuthentication
|
||||
Specifies whether challenge-response authentication is allowed.
|
||||
All authentication styles from login.conf(5) are supported. The
|
||||
default is ``yes''.
|
||||
|
||||
Ciphers
|
||||
Specifies the ciphers allowed for protocol version 2. Multiple
|
||||
ciphers must be comma-separated. The supported ciphers are
|
||||
``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
|
||||
``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'',
|
||||
``arcfour256'', ``arcfour'', ``blowfish-cbc'', and
|
||||
``cast128-cbc''. The default is:
|
||||
|
||||
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
|
||||
arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
|
||||
aes192-ctr,aes256-ctr
|
||||
|
||||
ClientAliveCountMax
|
||||
Sets the number of client alive messages (see below) which may be
|
||||
sent without sshd(8) receiving any messages back from the client.
|
||||
If this threshold is reached while client alive messages are be-
|
||||
ing sent, sshd will disconnect the client, terminating the ses-
|
||||
sion. It is important to note that the use of client alive mes-
|
||||
sages is very different from TCPKeepAlive (below). The client
|
||||
alive messages are sent through the encrypted channel and there-
|
||||
fore will not be spoofable. The TCP keepalive option enabled by
|
||||
TCPKeepAlive is spoofable. The client alive mechanism is valu-
|
||||
able when the client or server depend on knowing when a connec-
|
||||
tion has become inactive.
|
||||
|
||||
The default value is 3. If ClientAliveInterval (see below) is
|
||||
set to 15, and ClientAliveCountMax is left at the default, unre-
|
||||
sponsive SSH clients will be disconnected after approximately 45
|
||||
seconds. This option applies to protocol version 2 only.
|
||||
|
||||
ClientAliveInterval
|
||||
Sets a timeout interval in seconds after which if no data has
|
||||
been received from the client, sshd(8) will send a message
|
||||
through the encrypted channel to request a response from the
|
||||
client. The default is 0, indicating that these messages will
|
||||
not be sent to the client. This option applies to protocol ver-
|
||||
sion 2 only.
|
||||
|
||||
Compression
|
||||
Specifies whether compression is allowed, or delayed until the
|
||||
user has authenticated successfully. The argument must be
|
||||
``yes'', ``delayed'', or ``no''. The default is ``delayed''.
|
||||
|
||||
DenyGroups
|
||||
This keyword can be followed by a list of group name patterns,
|
||||
separated by spaces. Login is disallowed for users whose primary
|
||||
group or supplementary group list matches one of the patterns.
|
||||
Only group names are valid; a numerical group ID is not recog-
|
||||
nized. By default, login is allowed for all groups. The al-
|
||||
low/deny directives are processed in the following order:
|
||||
DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
|
||||
|
||||
See PATTERNS in ssh_config(5) for more information on patterns.
|
||||
|
||||
DenyUsers
|
||||
This keyword can be followed by a list of user name patterns,
|
||||
separated by spaces. Login is disallowed for user names that
|
||||
match one of the patterns. Only user names are valid; a numeri-
|
||||
cal user ID is not recognized. By default, login is allowed for
|
||||
all users. If the pattern takes the form USER@HOST then USER and
|
||||
HOST are separately checked, restricting logins to particular
|
||||
users from particular hosts. The allow/deny directives are pro-
|
||||
cessed in the following order: DenyUsers, AllowUsers, DenyGroups,
|
||||
and finally AllowGroups.
|
||||
|
||||
See PATTERNS in ssh_config(5) for more information on patterns.
|
||||
|
||||
ForceCommand
|
||||
Forces the execution of the command specified by ForceCommand,
|
||||
ignoring any command supplied by the client. The command is in-
|
||||
voked by using the user's login shell with the -c option. This
|
||||
applies to shell, command, or subsystem execution. It is most
|
||||
useful inside a Match block. The command originally supplied by
|
||||
the client is available in the SSH_ORIGINAL_COMMAND environment
|
||||
variable.
|
||||
|
||||
GatewayPorts
|
||||
Specifies whether remote hosts are allowed to connect to ports
|
||||
forwarded for the client. By default, sshd(8) binds remote port
|
||||
forwardings to the loopback address. This prevents other remote
|
||||
hosts from connecting to forwarded ports. GatewayPorts can be
|
||||
used to specify that sshd should allow remote port forwardings to
|
||||
bind to non-loopback addresses, thus allowing other hosts to con-
|
||||
nect. The argument may be ``no'' to force remote port forward-
|
||||
ings to be available to the local host only, ``yes'' to force re-
|
||||
mote port forwardings to bind to the wildcard address, or
|
||||
``clientspecified'' to allow the client to select the address to
|
||||
which the forwarding is bound. The default is ``no''.
|
||||
|
||||
GSSAPIAuthentication
|
||||
Specifies whether user authentication based on GSSAPI is allowed.
|
||||
The default is ``no''. Note that this option applies to protocol
|
||||
version 2 only.
|
||||
|
||||
GSSAPICleanupCredentials
|
||||
Specifies whether to automatically destroy the user's credentials
|
||||
cache on logout. The default is ``yes''. Note that this option
|
||||
applies to protocol version 2 only.
|
||||
|
||||
HostbasedAuthentication
|
||||
Specifies whether rhosts or /etc/hosts.equiv authentication to-
|
||||
gether with successful public key client host authentication is
|
||||
allowed (host-based authentication). This option is similar to
|
||||
RhostsRSAAuthentication and applies to protocol version 2 only.
|
||||
The default is ``no''.
|
||||
|
||||
HostbasedUsesNameFromPacketOnly
|
||||
Specifies whether or not the server will attempt to perform a re-
|
||||
verse name lookup when matching the name in the ~/.shosts,
|
||||
~/.rhosts, and /etc/hosts.equiv files during
|
||||
HostbasedAuthentication. A setting of ``yes'' means that sshd(8)
|
||||
uses the name supplied by the client rather than attempting to
|
||||
resolve the name from the TCP connection itself. The default is
|
||||
``no''.
|
||||
|
||||
HostKey
|
||||
Specifies a file containing a private host key used by SSH. The
|
||||
default is /etc/ssh/ssh_host_key for protocol version 1, and
|
||||
/etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro-
|
||||
tocol version 2. Note that sshd(8) will refuse to use a file if
|
||||
it is group/world-accessible. It is possible to have multiple
|
||||
host key files. ``rsa1'' keys are used for version 1 and ``dsa''
|
||||
or ``rsa'' are used for version 2 of the SSH protocol.
|
||||
|
||||
IgnoreRhosts
|
||||
Specifies that .rhosts and .shosts files will not be used in
|
||||
RhostsRSAAuthentication or HostbasedAuthentication.
|
||||
|
||||
/etc/hosts.equiv and /etc/shosts.equiv are still used. The de-
|
||||
fault is ``yes''.
|
||||
|
||||
IgnoreUserKnownHosts
|
||||
Specifies whether sshd(8) should ignore the user's
|
||||
~/.ssh/known_hosts during RhostsRSAAuthentication or
|
||||
HostbasedAuthentication. The default is ``no''.
|
||||
|
||||
KerberosAuthentication
|
||||
Specifies whether the password provided by the user for
|
||||
PasswordAuthentication will be validated through the Kerberos
|
||||
KDC. To use this option, the server needs a Kerberos servtab
|
||||
which allows the verification of the KDC's identity. The default
|
||||
is ``no''.
|
||||
|
||||
KerberosGetAFSToken
|
||||
If AFS is active and the user has a Kerberos 5 TGT, attempt to
|
||||
acquire an AFS token before accessing the user's home directory.
|
||||
The default is ``no''.
|
||||
|
||||
KerberosOrLocalPasswd
|
||||
If password authentication through Kerberos fails then the pass-
|
||||
word will be validated via any additional local mechanism such as
|
||||
/etc/passwd. The default is ``yes''.
|
||||
|
||||
KerberosTicketCleanup
|
||||
Specifies whether to automatically destroy the user's ticket
|
||||
cache file on logout. The default is ``yes''.
|
||||
|
||||
KeyRegenerationInterval
|
||||
In protocol version 1, the ephemeral server key is automatically
|
||||
regenerated after this many seconds (if it has been used). The
|
||||
purpose of regeneration is to prevent decrypting captured ses-
|
||||
sions by later breaking into the machine and stealing the keys.
|
||||
The key is never stored anywhere. If the value is 0, the key is
|
||||
never regenerated. The default is 3600 (seconds).
|
||||
|
||||
ListenAddress
|
||||
Specifies the local addresses sshd(8) should listen on. The fol-
|
||||
lowing forms may be used:
|
||||
|
||||
ListenAddress host|IPv4_addr|IPv6_addr
|
||||
ListenAddress host|IPv4_addr:port
|
||||
ListenAddress [host|IPv6_addr]:port
|
||||
|
||||
If port is not specified, sshd will listen on the address and all
|
||||
prior Port options specified. The default is to listen on all
|
||||
local addresses. Multiple ListenAddress options are permitted.
|
||||
Additionally, any Port options must precede this option for non-
|
||||
port qualified addresses.
|
||||
|
||||
LoginGraceTime
|
||||
The server disconnects after this time if the user has not suc-
|
||||
cessfully logged in. If the value is 0, there is no time limit.
|
||||
The default is 120 seconds.
|
||||
|
||||
LogLevel
|
||||
Gives the verbosity level that is used when logging messages from
|
||||
sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO,
|
||||
VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.
|
||||
DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
|
||||
higher levels of debugging output. Logging with a DEBUG level
|
||||
violates the privacy of users and is not recommended.
|
||||
|
||||
MACs Specifies the available MAC (message authentication code) algo-
|
||||
rithms. The MAC algorithm is used in protocol version 2 for data
|
||||
integrity protection. Multiple algorithms must be comma-separat-
|
||||
ed. The default is: ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-
|
||||
sha1-96,hmac-md5-96''.
|
||||
|
||||
Match Introduces a conditional block. If all of the criteria on the
|
||||
Match line are satisfied, the keywords on the following lines
|
||||
override those set in the global section of the config file, un-
|
||||
til either another Match line or the end of the file. The argu-
|
||||
ments to Match are one or more criteria-pattern pairs. The
|
||||
available criteria are User, Group, Host, and Address. Only a
|
||||
subset of keywords may be used on the lines following a Match
|
||||
keyword. Available keywords are AllowTcpForwarding, Banner,
|
||||
ForceCommand, GatewayPorts, GSSApiAuthentication,
|
||||
KbdInteractiveAuthentication, KerberosAuthentication,
|
||||
PasswordAuthentication, PermitOpen, RhostsRSAAuthentication,
|
||||
RSAAuthentication, X11DisplayOffset, X11Forwarding, and
|
||||
X11UseLocalHost.
|
||||
|
||||
MaxAuthTries
|
||||
Specifies the maximum number of authentication attempts permitted
|
||||
per connection. Once the number of failures reaches half this
|
||||
value, additional failures are logged. The default is 6.
|
||||
|
||||
MaxStartups
|
||||
Specifies the maximum number of concurrent unauthenticated con-
|
||||
nections to the SSH daemon. Additional connections will be
|
||||
dropped until authentication succeeds or the LoginGraceTime ex-
|
||||
pires for a connection. The default is 10.
|
||||
|
||||
Alternatively, random early drop can be enabled by specifying the
|
||||
three colon separated values ``start:rate:full'' (e.g.
|
||||
"10:30:60"). sshd(8) will refuse connection attempts with a
|
||||
probability of ``rate/100'' (30%) if there are currently
|
||||
``start'' (10) unauthenticated connections. The probability in-
|
||||
creases linearly and all connection attempts are refused if the
|
||||
number of unauthenticated connections reaches ``full'' (60).
|
||||
|
||||
PasswordAuthentication
|
||||
Specifies whether password authentication is allowed. The de-
|
||||
fault is ``yes''.
|
||||
|
||||
PermitEmptyPasswords
|
||||
When password authentication is allowed, it specifies whether the
|
||||
server allows login to accounts with empty password strings. The
|
||||
default is ``no''.
|
||||
|
||||
PermitOpen
|
||||
Specifies the destinations to which TCP port forwarding is per-
|
||||
mitted. The forwarding specification must be one of the follow-
|
||||
ing forms:
|
||||
|
||||
PermitOpen host:port
|
||||
PermitOpen IPv4_addr:port
|
||||
PermitOpen [IPv6_addr]:port
|
||||
|
||||
Multiple forwards may be specified by separating them with
|
||||
whitespace. An argument of ``any'' can be used to remove all re-
|
||||
strictions and permit any forwarding requests. By default all
|
||||
port forwarding requests are permitted.
|
||||
|
||||
PermitRootLogin
|
||||
Specifies whether root can log in using ssh(1). The argument
|
||||
must be ``yes'', ``without-password'', ``forced-commands-only'',
|
||||
or ``no''. The default is ``yes''.
|
||||
|
||||
If this option is set to ``without-password'', password authenti-
|
||||
cation is disabled for root.
|
||||
|
||||
If this option is set to ``forced-commands-only'', root login
|
||||
with public key authentication will be allowed, but only if the
|
||||
command option has been specified (which may be useful for taking
|
||||
remote backups even if root login is normally not allowed). All
|
||||
other authentication methods are disabled for root.
|
||||
|
||||
If this option is set to ``no'', root is not allowed to log in.
|
||||
|
||||
PermitTunnel
|
||||
Specifies whether tun(4) device forwarding is allowed. The argu-
|
||||
ment must be ``yes'', ``point-to-point'' (layer 3), ``ethernet''
|
||||
(layer 2), or ``no''. Specifying ``yes'' permits both ``point-
|
||||
to-point'' and ``ethernet''. The default is ``no''.
|
||||
|
||||
PermitUserEnvironment
|
||||
Specifies whether ~/.ssh/environment and environment= options in
|
||||
~/.ssh/authorized_keys are processed by sshd(8). The default is
|
||||
``no''. Enabling environment processing may enable users to by-
|
||||
pass access restrictions in some configurations using mechanisms
|
||||
such as LD_PRELOAD.
|
||||
|
||||
PidFile
|
||||
Specifies the file that contains the process ID of the SSH dae-
|
||||
mon. The default is /var/run/sshd.pid.
|
||||
|
||||
Port Specifies the port number that sshd(8) listens on. The default
|
||||
is 22. Multiple options of this type are permitted. See also
|
||||
ListenAddress.
|
||||
|
||||
PrintLastLog
|
||||
Specifies whether sshd(8) should print the date and time of the
|
||||
last user login when a user logs in interactively. The default
|
||||
is ``yes''.
|
||||
|
||||
PrintMotd
|
||||
Specifies whether sshd(8) should print /etc/motd when a user logs
|
||||
in interactively. (On some systems it is also printed by the
|
||||
shell, /etc/profile, or equivalent.) The default is ``yes''.
|
||||
|
||||
Protocol
|
||||
Specifies the protocol versions sshd(8) supports. The possible
|
||||
values are `1' and `2'. Multiple versions must be comma-separat-
|
||||
ed. The default is ``2,1''. Note that the order of the protocol
|
||||
list does not indicate preference, because the client selects
|
||||
among multiple protocol versions offered by the server. Specify-
|
||||
ing ``2,1'' is identical to ``1,2''.
|
||||
|
||||
PubkeyAuthentication
|
||||
Specifies whether public key authentication is allowed. The de-
|
||||
fault is ``yes''. Note that this option applies to protocol ver-
|
||||
sion 2 only.
|
||||
|
||||
RhostsRSAAuthentication
|
||||
Specifies whether rhosts or /etc/hosts.equiv authentication to-
|
||||
gether with successful RSA host authentication is allowed. The
|
||||
default is ``no''. This option applies to protocol version 1 on-
|
||||
ly.
|
||||
|
||||
RSAAuthentication
|
||||
Specifies whether pure RSA authentication is allowed. The de-
|
||||
fault is ``yes''. This option applies to protocol version 1 on-
|
||||
ly.
|
||||
|
||||
ServerKeyBits
|
||||
Defines the number of bits in the ephemeral protocol version 1
|
||||
server key. The minimum value is 512, and the default is 768.
|
||||
|
||||
StrictModes
|
||||
Specifies whether sshd(8) should check file modes and ownership
|
||||
of the user's files and home directory before accepting login.
|
||||
This is normally desirable because novices sometimes accidentally
|
||||
leave their directory or files world-writable. The default is
|
||||
``yes''.
|
||||
|
||||
Subsystem
|
||||
Configures an external subsystem (e.g. file transfer daemon).
|
||||
Arguments should be a subsystem name and a command (with optional
|
||||
arguments) to execute upon subsystem request. The command
|
||||
sftp-server(8) implements the ``sftp'' file transfer subsystem.
|
||||
By default no subsystems are defined. Note that this option ap-
|
||||
plies to protocol version 2 only.
|
||||
|
||||
SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
|
||||
LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de-
|
||||
fault is AUTH.
|
||||
|
||||
TCPKeepAlive
|
||||
Specifies whether the system should send TCP keepalive messages
|
||||
to the other side. If they are sent, death of the connection or
|
||||
crash of one of the machines will be properly noticed. However,
|
||||
this means that connections will die if the route is down tem-
|
||||
porarily, and some people find it annoying. On the other hand,
|
||||
if TCP keepalives are not sent, sessions may hang indefinitely on
|
||||
the server, leaving ``ghost'' users and consuming server re-
|
||||
sources.
|
||||
|
||||
The default is ``yes'' (to send TCP keepalive messages), and the
|
||||
server will notice if the network goes down or the client host
|
||||
crashes. This avoids infinitely hanging sessions.
|
||||
|
||||
To disable TCP keepalive messages, the value should be set to
|
||||
``no''.
|
||||
|
||||
UseDNS Specifies whether sshd(8) should look up the remote host name and
|
||||
check that the resolved host name for the remote IP address maps
|
||||
back to the very same IP address. The default is ``yes''.
|
||||
|
||||
UseLogin
|
||||
Specifies whether login(1) is used for interactive login ses-
|
||||
sions. The default is ``no''. Note that login(1) is never used
|
||||
for remote command execution. Note also, that if this is en-
|
||||
abled, X11Forwarding will be disabled because login(1) does not
|
||||
know how to handle xauth(1) cookies. If UsePrivilegeSeparation
|
||||
is specified, it will be disabled after authentication.
|
||||
|
||||
UsePAM Enables the Pluggable Authentication Module interface. If set to
|
||||
``yes'' this will enable PAM authentication using
|
||||
ChallengeResponseAuthentication and PasswordAuthentication in ad-
|
||||
dition to PAM account and session module processing for all au-
|
||||
thentication types.
|
||||
|
||||
Because PAM challenge-response authentication usually serves an
|
||||
equivalent role to password authentication, you should disable
|
||||
either PasswordAuthentication or ChallengeResponseAuthentication.
|
||||
|
||||
If UsePAM is enabled, you will not be able to run sshd(8) as a
|
||||
non-root user. The default is ``no''.
|
||||
|
||||
UsePrivilegeSeparation
|
||||
Specifies whether sshd(8) separates privileges by creating an un-
|
||||
privileged child process to deal with incoming network traffic.
|
||||
After successful authentication, another process will be created
|
||||
that has the privilege of the authenticated user. The goal of
|
||||
privilege separation is to prevent privilege escalation by con-
|
||||
taining any corruption within the unprivileged processes. The
|
||||
default is ``yes''.
|
||||
|
||||
X11DisplayOffset
|
||||
Specifies the first display number available for sshd(8)'s X11
|
||||
forwarding. This prevents sshd from interfering with real X11
|
||||
servers. The default is 10.
|
||||
|
||||
X11Forwarding
|
||||
Specifies whether X11 forwarding is permitted. The argument must
|
||||
be ``yes'' or ``no''. The default is ``no''.
|
||||
|
||||
When X11 forwarding is enabled, there may be additional exposure
|
||||
to the server and to client displays if the sshd(8) proxy display
|
||||
is configured to listen on the wildcard address (see
|
||||
X11UseLocalhost below), though this is not the default. Addi-
|
||||
tionally, the authentication spoofing and authentication data
|
||||
verification and substitution occur on the client side. The se-
|
||||
curity risk of using X11 forwarding is that the client's X11 dis-
|
||||
play server may be exposed to attack when the SSH client requests
|
||||
forwarding (see the warnings for ForwardX11 in ssh_config(5)). A
|
||||
system administrator may have a stance in which they want to pro-
|
||||
tect clients that may expose themselves to attack by unwittingly
|
||||
requesting X11 forwarding, which can warrant a ``no'' setting.
|
||||
|
||||
Note that disabling X11 forwarding does not prevent users from
|
||||
forwarding X11 traffic, as users can always install their own
|
||||
forwarders. X11 forwarding is automatically disabled if UseLogin
|
||||
is enabled.
|
||||
|
||||
X11UseLocalhost
|
||||
Specifies whether sshd(8) should bind the X11 forwarding server
|
||||
to the loopback address or to the wildcard address. By default,
|
||||
sshd binds the forwarding server to the loopback address and sets
|
||||
the hostname part of the DISPLAY environment variable to
|
||||
``localhost''. This prevents remote hosts from connecting to the
|
||||
proxy display. However, some older X11 clients may not function
|
||||
with this configuration. X11UseLocalhost may be set to ``no'' to
|
||||
specify that the forwarding server should be bound to the wild-
|
||||
card address. The argument must be ``yes'' or ``no''. The de-
|
||||
fault is ``yes''.
|
||||
|
||||
XAuthLocation
|
||||
Specifies the full pathname of the xauth(1) program. The default
|
||||
is /usr/X11R6/bin/xauth.
|
||||
|
||||
TIME FORMATS
|
||||
sshd(8) command-line arguments and configuration file options that speci-
|
||||
fy time may be expressed using a sequence of the form: time[qualifier],
|
||||
where time is a positive integer value and qualifier is one of the fol-
|
||||
lowing:
|
||||
|
||||
<none> seconds
|
||||
s | S seconds
|
||||
m | M minutes
|
||||
h | H hours
|
||||
d | D days
|
||||
w | W weeks
|
||||
|
||||
Each member of the sequence is added together to calculate the total time
|
||||
value.
|
||||
|
||||
Time format examples:
|
||||
|
||||
600 600 seconds (10 minutes)
|
||||
10m 10 minutes
|
||||
1h30m 1 hour 30 minutes (90 minutes)
|
||||
|
||||
FILES
|
||||
/etc/ssh/sshd_config
|
||||
Contains configuration data for sshd(8). This file should be
|
||||
writable by root only, but it is recommended (though not neces-
|
||||
sary) that it be world-readable.
|
||||
|
||||
SEE ALSO
|
||||
sshd(8)
|
||||
|
||||
AUTHORS
|
||||
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
|
||||
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
|
||||
de Raadt and Dug Song removed many bugs, re-added newer features and cre-
|
||||
ated OpenSSH. Markus Friedl contributed the support for SSH protocol
|
||||
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
|
||||
for privilege separation.
|
||||
|
||||
OpenBSD 4.1 September 25, 1999 9
|
@ -34,7 +34,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.70 2006/08/21 08:14:01 dtucker Exp $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.74 2007/03/01 16:19:33 jmc Exp $
|
||||
.Dd September 25, 1999
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
@ -42,9 +42,7 @@
|
||||
.Nm sshd_config
|
||||
.Nd OpenSSH SSH daemon configuration file
|
||||
.Sh SYNOPSIS
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Pa /etc/ssh/sshd_config
|
||||
.El
|
||||
.Nm /etc/ssh/sshd_config
|
||||
.Sh DESCRIPTION
|
||||
.Xr sshd 8
|
||||
reads configuration data from
|
||||
@ -514,9 +512,16 @@ Only a subset of keywords may be used on the lines following a
|
||||
keyword.
|
||||
Available keywords are
|
||||
.Cm AllowTcpForwarding ,
|
||||
.Cm Banner ,
|
||||
.Cm ForceCommand ,
|
||||
.Cm GatewayPorts ,
|
||||
.Cm GSSApiAuthentication ,
|
||||
.Cm KbdInteractiveAuthentication ,
|
||||
.Cm KerberosAuthentication ,
|
||||
.Cm PasswordAuthentication ,
|
||||
.Cm PermitOpen ,
|
||||
.Cm RhostsRSAAuthentication ,
|
||||
.Cm RSAAuthentication ,
|
||||
.Cm X11DisplayOffset ,
|
||||
.Cm X11Forwarding ,
|
||||
and
|
||||
|
@ -1,6 +1,6 @@
|
||||
/* $OpenBSD: version.h,v 1.48 2006/11/07 10:31:31 markus Exp $ */
|
||||
/* $OpenBSD: version.h,v 1.49 2007/03/06 10:13:14 djm Exp $ */
|
||||
|
||||
#define SSH_VERSION "OpenSSH_4.5"
|
||||
#define SSH_VERSION "OpenSSH_4.6"
|
||||
|
||||
#define SSH_PORTABLE "p1"
|
||||
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
|
||||
|
Loading…
Reference in New Issue
Block a user