Vendor import of OpenSSH 4.7p1 for posterity's sake
parent d3d45dd5b2
commit 3d5211603f

ChangeLog (370)
@ -1,3 +1,371 @@
20070817
- (dtucker) [sshd.8] Many Linux variants use a single "!" to denote locked
accounts and that's what the code looks for, so make man page and code
agree. Pointed out by Roumen Petrov.
- (dtucker) [INSTALL] Group the parts describing random options and PAM
implementations together which is hopefully more coherent.
- (dtucker) [INSTALL] the pid file is sshd.pid not ssh.pid.
- (dtucker) [INSTALL] Give PAM its own heading.
- (dtucker) [INSTALL] Link to tcpwrappers.

20070816
- (dtucker) [session.c] Call PAM cleanup functions for unauthenticated
connections too. Based on a patch from Sandro Wefel, with & ok djm@

20070815
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2007/08/15 08:14:46
[clientloop.c]
do NOT fall back to the trused x11 cookie if generation of an untrusted
cookie fails; from Jan Pechanec, via security-alert at sun.com;
ok dtucker
- markus@cvs.openbsd.org 2007/08/15 08:16:49
[version.h]
openssh 4.7
- stevesk@cvs.openbsd.org 2007/08/15 12:13:41
[ssh_config.5]
tun device forwarding now honours ExitOnForwardFailure; ok markus@
- (dtucker) [openbsd-compat/bsd-cray.c] Remove debug from signal handler.
ok djm@
- (dtucker) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec
contrib/suse/openssh.spec] Crank version.

20070813
- (dtucker) [session.c] Bug #1339: ensure that pam_setcred() is always
called with PAM_ESTABLISH_CRED at least once, which resolves a problem
with pam_dhkeys. Patch from David Leonard, ok djm@

20070810
- (dtucker) [auth-pam.c] Use sigdie here too. ok djm@
- (dtucker) [configure.ac] Bug #1343: Set DISABLE_FD_PASSING for QNX6. From
Matt Kraai, ok djm@

20070809
- (dtucker) [openbsd-compat/port-aix.c] Comment typo.
- (dtucker) [README.platform] Document the interaction between PermitRootLogin
and the AIX native login restrictions.
- (dtucker) [defines.h] Remove _PATH_{CSHELL,SHELLS} which aren't
used anywhere and are a potential source of warnings.

20070808
- (djm) OpenBSD CVS Sync
- ray@cvs.openbsd.org 2007/07/12 05:48:05
[key.c]
Delint: remove some unreachable statements, from Bret Lambert.
OK markus@ and dtucker@.
- sobrado@cvs.openbsd.org 2007/08/06 19:16:06
[scp.1 scp.c]
the ellipsis is not an optional argument; while here, sync the usage
and synopsis of commands
lots of good ideas by jmc@
ok jmc@
- djm@cvs.openbsd.org 2007/08/07 07:32:53
[clientloop.c clientloop.h ssh.c]
bz#1232: ensure that any specified LocalCommand is executed after the
tunnel device is opened. Also, make failures to open a tunnel device
fatal when ExitOnForwardFailure is active.
Reported by h.goebel AT goebel-consult.de; ok dtucker markus reyk deraadt

20070724
- (tim) [openssh.xml.in] make FMRI match what package scripts use.
- (tim) [openbsd-compat/regress/closefromtest.c] Bug 1345: fix open() call.
Report/patch by David.Leonard AT quest.com (and Bernhard Simon)
- (tim) [buildpkg.sh.in openssh.xml.in] Allow more flexibility where smf(5)
- (tim) [buildpkg.sh.in] s|$FAKE_ROOT/${sysconfdir}|$FAKE_ROOT${sysconfdir}|

20070628
- (djm) bz#1325: Fix SELinux in permissive mode where it would
incorrectly fatal() on errors. patch from cjwatson AT debian.org;
ok dtucker

20070625
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2007/06/13 00:21:27
[scp.c]
don't ftruncate() non-regular files; bz#1236 reported by wood AT
xmission.com; ok dtucker@
- djm@cvs.openbsd.org 2007/06/14 21:43:25
[ssh.c]
handle EINTR when waiting for mux exit status properly
- djm@cvs.openbsd.org 2007/06/14 22:48:05
[ssh.c]
when waiting for the multiplex exit status, read until the master end
writes an entire int of data *and* closes the client_fd; fixes mux
regression spotted by dtucker, ok dtucker@
- djm@cvs.openbsd.org 2007/06/19 02:04:43
[atomicio.c]
if the fd passed to atomicio/atomiciov() is non blocking, then poll() to
avoid a spin if it is not yet ready for reading/writing; ok dtucker@
- dtucker@cvs.openbsd.org 2007/06/25 08:20:03
[channels.c]
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@
- dtucker@cvs.openbsd.org 2007/06/25 12:02:27
[atomicio.c]
Include <poll.h> like the man page says rather than <sys/poll.h>. ok djm@
- (dtucker) [atomicio.c] Test for EWOULDBLOCK in atomiciov to match
atomicio.
- (dtucker) [atomicio.c configure.ac openbsd-compat/Makefile.in
openbsd-compat/bsd-poll.{c,h} openbsd-compat/openbsd-compat.h]
Add an implementation of poll() built on top of select(2). Code from
OpenNTPD with changes suggested by djm. ok djm@

20070614
- (dtucker) [cipher-ctr.c umac.c openbsd-compat/openssl-compat.h] Move the
USE_BUILTIN_RIJNDAEL compat goop to openssl-compat.h so it can be
shared with umac.c. Allows building with OpenSSL 0.9.5 again including
umac support. With tim@ djm@, ok djm.
- (dtucker) [openbsd-compat/openssl-compat.h] Merge USE_BUILTIN_RIJNDAEL
sections. Fixes builds with early OpenSSL 0.9.6 versions.
- (dtucker) [openbsd-compat/openssl-compat.h] Remove redundant definition
of USE_BUILTIN_RIJNDAEL since the <0.9.6 test is covered by the
subsequent <0.9.7 test.

20070612
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2007/06/11 09:14:00
[channels.h]
increase default channel windows; ok djm
- djm@cvs.openbsd.org 2007/06/12 07:41:00
[ssh-add.1]
better document ssh-add's -d option (delete identies from agent), bz#1224
new text based on some provided by andrewmc-debian AT celt.dias.ie;
ok dtucker@
- djm@cvs.openbsd.org 2007/06/12 08:20:00
[ssh-gss.h gss-serv.c gss-genr.c]
relocate server-only GSSAPI code from libssh to server; bz #1225
patch from simon AT sxw.org.uk; ok markus@ dtucker@
- djm@cvs.openbsd.org 2007/06/12 08:24:20
[scp.c]
make scp try to skip FIFOs rather than blocking when nothing is listening.
depends on the platform supporting sane O_NONBLOCK semantics for open
on FIFOs (apparently POSIX does not mandate this), which OpenBSD does.
bz #856; report by cjwatson AT debian.org; ok markus@
- djm@cvs.openbsd.org 2007/06/12 11:11:08
[ssh.c]
fix slave exit value when a control master goes away without passing the
full exit status by ensuring that the slave reads a full int. bz#1261
reported by frekko AT gmail.com; ok markus@ dtucker@
- djm@cvs.openbsd.org 2007/06/12 11:15:17
[ssh.c ssh.1]
Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
GSSAPIDelegateCredentials=yes. This is symmetric with -k (disable GSSAPI)
and is useful for hosts with /home on Kerberised NFS; bz #1312
patch from Markus.Kuhn AT cl.cam.ac.uk; ok dtucker@ markus@
- djm@cvs.openbsd.org 2007/06/12 11:45:27
[ssh.c]
improved exit message from multiplex slave sessions; bz #1262
reported by alexandre.nunes AT gmail.com; ok dtucker@
- dtucker@cvs.openbsd.org 2007/06/12 11:56:15
[gss-genr.c]
Pass GSS OID to gss_display_status to provide better information in
error messages. Patch from Simon Wilkinson via bz 1220. ok djm@
- jmc@cvs.openbsd.org 2007/06/12 13:41:03
[ssh-add.1]
identies -> identities;
- jmc@cvs.openbsd.org 2007/06/12 13:43:55
[ssh.1]
add -K to SYNOPSIS;
- dtucker@cvs.openbsd.org 2007/06/12 13:54:28
[scp.c]
Encode filename with strnvis if the name contains a newline (which can't
be represented in the scp protocol), from bz #891. ok markus@

20070611
- (djm) Bugzilla #1306: silence spurious error messages from hang-on-exit
fix; tested by dtucker@ and jochen.kirn AT gmail.com
- pvalchev@cvs.openbsd.org 2007/06/07 19:37:34
[kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1]
[ssh_config.5 sshd.8 sshd_config.5]
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet,
must specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on
one of its underlying hash algorithms is found to be vulnerable to a
new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
- pvalchev@cvs.openbsd.org 2007/06/08 04:40:40
[ssh_config]
Add a "MACs" line after "Ciphers" with the default MAC algorithms,
to ease people who want to tweak both (eg. for performance reasons).
ok deraadt@ djm@ dtucker@
- jmc@cvs.openbsd.org 2007/06/08 07:43:46
[ssh_config.5]
put the MAC list into a display, like we do for ciphers,
since groff has trouble handling wide lines;
- jmc@cvs.openbsd.org 2007/06/08 07:48:09
[sshd_config.5]
oops, here too: put the MAC list into a display, like we do for
ciphers, since groff has trouble with wide lines;
- markus@cvs.openbsd.org 2007/06/11 08:04:44
[channels.c]
send 'window adjust' messages every tree packets and do not wait
until 50% of the window is consumed. ok djm dtucker
- (djm) [configure.ac umac.c] If platform doesn't provide swap32(3), then
fallback to provided bit-swizzing functions
- (dtucker) [openbsd-compat/bsd-misc.c] According to the spec the "remainder"
argument to nanosleep may be NULL. Currently this never happens in OpenSSH,
but check anyway in case this changes or the code gets used elsewhere.
- (dtucker) [includes.h] Bug #1243: HAVE_PATHS -> HAVE_PATHS_H. Should
prevent warnings about redefinitions of various things in paths.h.
Spotted by cartmanltd at hotmail.com.

20070605
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2007/05/22 10:18:52
[sshd.c]
zap double include; from p_nowaczyk AT o2.pl
(not required in -portable, Id sync only)
- djm@cvs.openbsd.org 2007/05/30 05:58:13
[kex.c]
tidy: KNF, ARGSUSED and u_int
- jmc@cvs.openbsd.org 2007/05/31 19:20:16
[scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1
ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8]
convert to new .Dd format;
(We will need to teach mdoc2man.awk to understand this too.)
- djm@cvs.openbsd.org 2007/05/31 23:34:29
[packet.c]
gc unreachable code; spotted by Tavis Ormandy
- djm@cvs.openbsd.org 2007/06/02 09:04:58
[bufbn.c]
memory leak on error path; from arnaud.lacombe.1 AT ulaval.ca
- djm@cvs.openbsd.org 2007/06/05 06:52:37
[kex.c monitor_wrap.c packet.c mac.h kex.h mac.c]
Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)
- (dtucker) [mdoc2man.awk] Teach it to deal with $Mdocdate tags that
OpenBSD's cvs now adds.
- (dtucker) [mdoc2man.awk] Remove trailing "$" from Mdocdate regex so
mindrot's cvs doesn't expand it on us.
- (dtucker) [mdoc2man.awk] Add support for %R references, used for RFCs.

20070520
- (dtucker) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2007/04/14 22:01:58
[auth2.c]
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
- stevesk@cvs.openbsd.org 2007/04/18 01:12:43
[sftp-server.c]
cast "%llu" format spec to (unsigned long long); do not assume a
u_int64_t arg is the same as 'unsigned long long'.
from Dmitry V. Levin <ldv@altlinux.org>
ok markus@ 'Yes, that looks correct' millert@
- dtucker@cvs.openbsd.org 2007/04/23 10:15:39
[servconf.c]
Remove debug() left over from development. ok deraadt@
- djm@cvs.openbsd.org 2007/05/17 07:50:31
[log.c]
save and restore errno when logging; ok deraadt@
- djm@cvs.openbsd.org 2007/05/17 07:55:29
[sftp-server.c]
bz#1286 stop reading and processing commands when input or output buffer
is nearly full, otherwise sftp-server would happily try to grow the
input/output buffers past the maximum supported by the buffer API and
promptly fatal()
based on patch from Thue Janus Kristensen; feedback & ok dtucker@
- djm@cvs.openbsd.org 2007/05/17 20:48:13
[sshconnect2.c]
fall back to gethostname() when the outgoing connection is not
on a socket, such as is the case when ProxyCommand is used.
Gives hostbased auth an opportunity to work; bz#616, report
and feedback stuart AT kaloram.com; ok markus@
- djm@cvs.openbsd.org 2007/05/17 20:52:13
[monitor.c]
pass received SIGINT from monitor to postauth child so it can clean
up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com;
ok markus@
- jolan@cvs.openbsd.org 2007/05/17 23:53:41
[sshconnect2.c]
djm owes me a vb and a tism cd for breaking ssh compilation
- (dtucker) [auth-pam.c] malloc+memset -> calloc. Patch from
ldv at altlinux.org.
- (dtucker) [auth-pam.c] Return empty string if fgets fails in
sshpam_tty_conv. Patch from ldv at altlinux.org.

20070509
- (tim) [configure.ac] Bug #1287: Add missing test for ucred.h.

20070429
- (dtucker) [openbsd-compat/bsd-misc.c] Include unistd.h and sys/types.h
for select(2) prototype.
- (dtucker) [auth-shadow.c loginrec.c] Include time.h for time(2) prototype.
- (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Bug #1299: Use the
platform's _res if it has one. Should fix problem of DNSSEC record lookups
on NetBSD as reported by Curt Sampson.
- (dtucker) [openbsd-compat/xmmap.c] Include stdlib.h for mkstemp prototype.
- (dtucker) [configure.ac defines.h] Have configure check for MAXSYMLINKS
so we don't get redefinition warnings.
- (dtucker) [openbsd-compat/xmmap.c] Include stdlib.h for mkstemp prototype.
- (dtucker) [configure.ac defines.h] Prevent warnings about __attribute__
__nonnull__ for versions of GCC that don't support it.
- (dtucker) [configure.ac defines.h] Have configure check for offsetof
to prevent redefinition warnings.

20070406
- (dtucker) [INSTALL] Update the systems that have PAM as standard. Link
to OpenPAM too.
- (dtucker) [INSTALL] prngd lives at sourceforge these days.

20070326
- (tim) [auth.c configure.ac defines.h session.c openbsd-compat/port-uw.c
openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] Rework libiaf test/defines
to account for IRIX having libiaf but not set_id(). Patch with & ok dtucker@

20070325
- (dtucker) [Makefile.in configure.ac] Replace single-purpose LIBSELINUX,
LIBWRAP and LIBPAM variables in Makefile with the general-purpose
SSHDLIBS. "I like" djm@

20070321
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2007/03/09 05:20:06
[servconf.c sshd.c]
Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@
- djm@cvs.openbsd.org 2007/03/19 01:01:29
[sshd_config]
Disable the legacy SSH protocol 1 for new installations via
a configuration override. In the future, we will change the
server's default itself so users who need the legacy protocol
will need to turn it on explicitly
- dtucker@cvs.openbsd.org 2007/03/19 12:16:42
[ssh-agent.c]
Remove the signal handler that checks if the agent's parent process
has gone away, instead check when the select loop returns. Record when
the next key will expire when scanning for expired keys. Set the select
timeout to whichever of these two things happens next. With djm@, with &
ok deraadt@ markus@
- tedu@cvs.openbsd.org 2007/03/20 03:56:12
[readconf.c clientloop.c]
remove some bogus *p tests from charles longeau
ok deraadt millert
- jmc@cvs.openbsd.org 2007/03/20 15:57:15
[sshd.8]
- let synopsis and description agree for -f
- sort FILES
- +.Xr ssh-keyscan 1 ,
from Igor Sobrado
- (dtucker) [configure.ac openbsd-compat/bsd-getpeereid.c] Bug #1287: Use
getpeerucred to implement getpeereid (currently only Solaris 10 and up).
Patch by Jan.Pechanec at Sun.
- (dtucker) [regress/agent-getpeereid.sh] Do peereid test if we have
HAVE_GETPEERUCRED too. Also from Jan Pechanec.

20070313
- (dtucker) [entropy.c scard-opensc.c ssh-rand-helper.c] Bug #1294: include
string.h to prevent warnings, from vapier at gentoo.org.
- (dtucker) [LICENCE] Add Daniel Walsh as a copyright holder for the
selinux bits in -portable.
- (dtucker) [cipher-3des1.c cipher-bf1.c] The OpenSSL 0.9.8e problem in
bug #1291 also affects Protocol 1 3des. While at it, use compat-openssl.h
in cipher-bf1.c. Patch from Juan Gallego.
- (dtucker) [README.platform] Info about blibpath on AIX.

20070306
- (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2007/03/01 16:19:33
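Review bot: two spelling slips in the new entries: "trused" in the 20070815 clientloop.c entry should read "trusted", and "every tree packets" in the 20070611 channels.c entry should read "every three packets". As this is a verbatim vendor import they belong upstream rather than in this branch, but the clientloop.c entry is the one to call out in the import notes: the client no longer falls back to the trusted X11 cookie when generation of an untrusted cookie fails.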
@ -2816,4 +3184,4 @@
OpenServer 6 and add osr5bigcrypt support so when someone migrates
passwords between UnixWare and OpenServer they will still work. OK dtucker@

$Id: ChangeLog,v 1.4635.2.1 2007/03/06 10:27:55 djm Exp $
$Id: ChangeLog,v 1.4738.2.1 2007/09/04 06:49:09 djm Exp $

INSTALL (59)
@ -14,17 +14,37 @@ Blowfish) do not work correctly.)

The remaining items are optional.

OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system
supports it. PAM is standard on Redhat and Debian Linux, Solaris and
HP-UX 11.

NB. If you operating system supports /dev/random, you should configure
OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of
/dev/random. If you don't you will have to rely on ssh-rand-helper, which
is inferior to a good kernel-based solution.
/dev/random, or failing that, either prngd or egd. If you don't have
any of these you will have to rely on ssh-rand-helper, which is inferior
to a good kernel-based solution or prngd.

PRNGD:

If your system lacks kernel-based random collection, the use of Lutz
Jaenicke's PRNGd is recommended.

http://prngd.sourceforge.net/

EGD:

The Entropy Gathering Daemon (EGD) is supported if you have a system which
lacks /dev/random and don't want to use OpenSSH's internal entropy collection.

http://www.lothar.com/tech/crypto/

PAM:
http://www.kernel.org/pub/linux/libs/pam/

OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
system supports it. PAM is standard most Linux distributions, Solaris,
HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.

Information about the various PAM implementations are available:

Solaris PAM: http://www.sun.com/software/solaris/pam/
Linux PAM: http://www.kernel.org/pub/linux/libs/pam/
OpenPAM: http://www.openpam.org/

If you wish to build the GNOME passphrase requester, you will need the GNOME
libraries and headers.
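Review bot: the rewritten PAM paragraph drops a word: "PAM is standard most Linux distributions" should read "standard on most Linux distributions". The unchanged context line "NB. If you operating system supports /dev/random" has the same kind of slip ("your"). Both are documentation-only and would go upstream rather than into the vendor branch.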
@ -37,19 +57,14 @@ passphrase requester. This is maintained separately at:

http://www.jmknoble.net/software/x11-ssh-askpass/

PRNGD:
TCP Wrappers:

If your system lacks Kernel based random collection, the use of Lutz
Jaenicke's PRNGd is recommended.
If you wish to use the TCP wrappers functionality you will need at least
tcpd.h and libwrap.a, either in the standard include and library paths,
or in the directory specified by --with-tcp-wrappers. Version 7.6 is
known to work.

http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

EGD:

The Entropy Gathering Daemon (EGD) is supported if you have a system which
lacks /dev/random and don't want to use OpenSSH's internal entropy collection.

http://www.lothar.com/tech/crypto/
http://ftp.porcupine.org/pub/security/index.html

S/Key Libraries:

@ -72,7 +87,7 @@ Autoconf:
If you modify configure.ac or configure doesn't exist (eg if you checked
the code out of CVS yourself) then you will need autoconf-2.61 to rebuild
the automatically generated files by running "autoreconf". Earlier
version may also work but this is not guaranteed.
versions may also work but this is not guaranteed.

http://www.gnu.org/software/autoconf/

@ -162,7 +177,7 @@ Integration Architecture. The default for OSF1 machines is enable.
need the S/Key libraries and header files installed for this to work.

--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
support. You will need libwrap.a and tcpd.h installed.
support.

--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords and the system crypt() does
@ -180,7 +195,7 @@ $DISPLAY environment variable. Some broken systems need this.
--with-default-path=PATH allows you to specify a default $PATH for sessions
started by sshd. This replaces the standard path entirely.

--with-pid-dir=PATH specifies the directory in which the ssh.pid file is
--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
created.

--with-xauth=PATH specifies the location of the xauth binary
@ -251,4 +266,4 @@ Please refer to the "reporting bugs" section of the webpage at
http://www.openssh.com/


$Id: INSTALL,v 1.77 2007/03/02 06:53:41 dtucker Exp $
$Id: INSTALL,v 1.84 2007/08/17 12:52:05 dtucker Exp $

LICENCE (1)
@ -205,6 +205,7 @@ OpenSSH contains no GPL code.
Darren Tucker
Sun Microsystems
The SCO Group
Daniel Walsh

* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions

@ -1,4 +1,4 @@
# $Id: Makefile.in,v 1.283 2006/10/23 21:44:47 tim Exp $
# $Id: Makefile.in,v 1.285 2007/06/11 04:01:42 djm Exp $

# uncomment if you run a non bourne compatable shell. Ie. csh
#SHELL = @SH@
@ -44,11 +44,8 @@ LD=@LD@
CFLAGS=@CFLAGS@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
LIBS=@LIBS@
LIBSELINUX=@LIBSELINUX@
SSHDLIBS=@SSHDLIBS@
LIBEDIT=@LIBEDIT@
LIBPAM=@LIBPAM@
LIBWRAP=@LIBWRAP@
AR=@AR@
AWK=@AWK@
RANLIB=@RANLIB@
@ -74,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
entropy.o scard-opensc.o gss-genr.o
entropy.o scard-opensc.o gss-genr.o umac.o

SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o
@ -139,7 +136,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)

sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(SSHDLIBS) $(LIBS)
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)

scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
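Review bot: the pre-image sshd link line already carries $(SSHDLIBS) next to $(LIBWRAP) $(LIBPAM) $(LIBSELINUX), so the tree being replaced was not a pristine 4.6p1 Makefile.in; confirm that whatever local change put $(SSHDLIBS) there is fully covered by the new single $(SSHDLIBS) reference and does not need re-applying after the import.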

README (4)
@ -1,4 +1,4 @@
See http://www.openssh.com/txt/release-4.6 for the release notes.
See http://www.openssh.com/txt/release-4.7 for the release notes.

- A Japanese translation of this document and of the OpenSSH FAQ is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@ -62,4 +62,4 @@ References -
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
[7] http://www.openssh.com/faq.html

$Id: README,v 1.64.4.1 2007/03/06 10:27:56 djm Exp $
$Id: README,v 1.66 2007/08/15 09:22:20 dtucker Exp $

@ -23,6 +23,20 @@ to force the previous IPv4-only behaviour.
IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5
IPv6 known broken: 4.3.3ML11 5.1ML4

If you wish to use dynamic libraries that aren't in the normal system
locations (eg IBM's OpenSSL and zlib packages) then you will need to
define the environment variable blibpath before running configure, eg

blibpath=/lib:/usr/lib:/opt/freeware/lib ./configure \
--with-ssl-dir=/opt/freeware --with-zlib=/opt/freeware

If sshd is built with the WITH_AIXAUTHENTICATE option (which is enabled
by default) then sshd checks that users are permitted via the
loginrestrictions() function, in particular that the user has the
"rlogin" attribute set. This check is not done for the root account,
instead the PermitRootLogin setting in sshd_config is used.


Cygwin
------
To build on Cygwin, OpenSSH requires the following packages:
@ -67,4 +81,4 @@ account stacks which will prevent authentication entirely, but will still
return the output from pam_nologin to the client.


$Id: README.platform,v 1.7 2006/06/23 11:05:13 dtucker Exp $
$Id: README.platform,v 1.9 2007/08/09 04:31:53 dtucker Exp $

atomicio.c (30)
@ -1,4 +1,4 @@
/* $OpenBSD: atomicio.c,v 1.23 2006/08/03 03:34:41 deraadt Exp $ */
/* $OpenBSD: atomicio.c,v 1.25 2007/06/25 12:02:27 dtucker Exp $ */
/*
* Copyright (c) 2006 Damien Miller. All rights reserved.
* Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
@ -32,7 +32,11 @@
#include <sys/uio.h>

#include <errno.h>
#ifdef HAVE_POLL_H
#include <poll.h>
#endif
#include <string.h>
#include <unistd.h>

#include "atomicio.h"

@ -45,17 +49,24 @@ atomicio(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n)
char *s = _s;
size_t pos = 0;
ssize_t res;
struct pollfd pfd;

pfd.fd = fd;
pfd.events = f == read ? POLLIN : POLLOUT;
while (n > pos) {
res = (f) (fd, s + pos, n - pos);
switch (res) {
case -1:
#ifdef EWOULDBLOCK
if (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)
if (errno == EINTR || errno == EWOULDBLOCK)
#else
if (errno == EINTR || errno == EAGAIN)
if (errno == EINTR)
#endif
continue;
if (errno == EAGAIN) {
(void)poll(&pfd, 1, -1);
continue;
}
return 0;
case 0:
errno = EPIPE;
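Review bot: the EWOULDBLOCK/EAGAIN ordering defeats the new poll() path on platforms where EWOULDBLOCK is defined with the same value as EAGAIN: the first test `if (errno == EINTR || errno == EWOULDBLOCK)` matches and `continue`s straight back into the read/write, so `if (errno == EAGAIN) { (void)poll(&pfd, 1, -1); continue; }` is never reached and a non-blocking fd spins exactly as before. Suggest testing EINTR alone in the first branch and folding EWOULDBLOCK into the EAGAIN branch that polls. The poll() return value is also discarded, so a poll() failure other than EINTR turns into the same tight retry loop.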
@ -77,6 +88,7 @@ atomiciov(ssize_t (*f) (int, const struct iovec *, int), int fd,
size_t pos = 0, rem;
ssize_t res;
struct iovec iov_array[IOV_MAX], *iov = iov_array;
struct pollfd pfd;

if (iovcnt > IOV_MAX) {
errno = EINVAL;
@ -85,12 +97,22 @@ atomiciov(ssize_t (*f) (int, const struct iovec *, int), int fd,
/* Make a copy of the iov array because we may modify it below */
memcpy(iov, _iov, iovcnt * sizeof(*_iov));

pfd.fd = fd;
pfd.events = f == readv ? POLLIN : POLLOUT;
for (; iovcnt > 0 && iov[0].iov_len > 0;) {
res = (f) (fd, iov, iovcnt);
switch (res) {
case -1:
if (errno == EINTR || errno == EAGAIN)
#ifdef EWOULDBLOCK
if (errno == EINTR || errno == EWOULDBLOCK)
#else
if (errno == EINTR)
#endif
continue;
if (errno == EAGAIN) {
(void)poll(&pfd, 1, -1);
continue;
}
return 0;
case 0:
errno = EPIPE;
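Review bot: same ordering problem as in atomicio(): where EWOULDBLOCK has the same value as EAGAIN, the `errno == EWOULDBLOCK` test `continue`s before the `if (errno == EAGAIN)` poll() branch is reached, so atomiciov() still busy-loops on a non-blocking fd; leave only EINTR in the first test and move EWOULDBLOCK into the branch that polls.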

auth-pam.c (13)
@ -161,9 +161,9 @@ sshpam_sigchld_handler(int sig)
WTERMSIG(sshpam_thread_status) == SIGTERM)
return; /* terminated by pthread_cancel */
if (!WIFEXITED(sshpam_thread_status))
fatal("PAM: authentication thread exited unexpectedly");
sigdie("PAM: authentication thread exited unexpectedly");
if (WEXITSTATUS(sshpam_thread_status) != 0)
fatal("PAM: authentication thread exited uncleanly");
sigdie("PAM: authentication thread exited uncleanly");
}

/* ARGSUSED */
@ -686,8 +686,7 @@ sshpam_init_ctx(Authctxt *authctxt)
return (NULL);
}

ctxt = xmalloc(sizeof *ctxt);
memset(ctxt, 0, sizeof(*ctxt));
ctxt = xcalloc(1, sizeof *ctxt);

/* Start the authentication thread */
if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
@ -985,7 +984,8 @@ sshpam_tty_conv(int n, sshpam_const struct pam_message **msg,
break;
case PAM_PROMPT_ECHO_ON:
fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg));
fgets(input, sizeof input, stdin);
if (fgets(input, sizeof input, stdin) == NULL)
input[0] = '\0';
if ((reply[i].resp = strdup(input)) == NULL)
goto fail;
reply[i].resp_retcode = PAM_SUCCESS;
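Review bot: treating a NULL from fgets() as an empty answer means EOF on stdin is handed to the module as a successful empty response (`reply[i].resp_retcode = PAM_SUCCESS`); consider whether EOF should instead fail the conversation with PAM_CONV_ERR so a closed input cannot be mistaken for a deliberate blank reply. Separately, nothing in the hunk strips the trailing newline fgets() leaves in `input`, so the strdup()ed response carries it unless that is handled elsewhere.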
@ -1130,9 +1130,8 @@ sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
if (n <= 0 || n > PAM_MAX_NUM_MSG)
return (PAM_CONV_ERR);

if ((reply = malloc(n * sizeof(*reply))) == NULL)
if ((reply = calloc(n, sizeof(*reply))) == NULL)
return (PAM_CONV_ERR);
memset(reply, 0, n * sizeof(*reply));

for (i = 0; i < n; ++i) {
switch (PAM_MSG_MEMBER(msg, i, msg_style)) {

@ -28,6 +28,7 @@
#include <shadow.h>
#include <stdarg.h>
#include <string.h>
#include <time.h>

#include "key.h"
#include "hostfile.h"

auth.c (8)
@ -115,11 +115,11 @@ allowed_user(struct passwd * pw)
/* grab passwd field for locked account check */
#ifdef USE_SHADOW
if (spw != NULL)
#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
#ifdef USE_LIBIAF
passwd = get_iaf_password(pw);
#else
passwd = spw->sp_pwdp;
#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
#endif /* USE_LIBIAF */
#else
passwd = pw->pw_passwd;
#endif
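Review bot: collapsing `defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)` into a single USE_LIBIAF macro is cleaner, but it preserves behaviour only if the build defines USE_LIBIAF exactly when both of those held; that definition is not part of this diff, so confirm it in configure/config.h before merging. The updated `#endif /* USE_LIBIAF */` comment correctly matches the new condition.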
@ -141,9 +141,9 @@ allowed_user(struct passwd * pw)
if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
locked = 1;
#endif
#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
#ifdef USE_LIBIAF
free(passwd);
#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
#endif /* USE_LIBIAF */
if (locked) {
logit("User %.100s not allowed because account is locked",
pw->pw_name);
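Review bot: free(passwd) must stay under exactly the same condition as the get_iaf_password() assignment in the previous hunk, because in the other branches passwd aliases spw->sp_pwdp or pw->pw_passwd, which this function does not own and must not free. Both hunks now use USE_LIBIAF, so they agree; if either condition is ever changed independently this becomes an invalid free.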
4
auth2.c
@ -1,4 +1,4 @@
/* $OpenBSD: auth2.c,v 1.114 2007/03/01 10:28:02 dtucker Exp $ */
/* $OpenBSD: auth2.c,v 1.115 2007/04/14 22:01:58 stevesk Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -281,8 +281,6 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
}
}

#define DELIM ","

static char *
authmethods_get(void)
{
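Review bot: removing `#define DELIM ","` is only safe if authmethods_get() below and the rest of auth2.c no longer reference DELIM; this hunk shows the definition disappearing but not its former uses, so the change should come with a check that no remaining code in the file still expands it.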
6
bufbn.c
@ -1,4 +1,4 @@
/* $OpenBSD: bufbn.c,v 1.5 2007/02/14 14:32:00 stevesk Exp $*/
/* $OpenBSD: bufbn.c,v 1.6 2007/06/02 09:04:58 djm Exp $*/
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -201,12 +201,14 @@ buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value)
return (-1);
}
if (len > 8 * 1024) {
error("buffer_get_bignum2_ret: cannot handle BN of size %d", len);
error("buffer_get_bignum2_ret: cannot handle BN of size %d",
len);
xfree(bin);
return (-1);
}
if (BN_bin2bn(bin, len, value) == NULL) {
error("buffer_get_bignum2_ret: BN_bin2bn failed");
xfree(bin);
return (-1);
}
xfree(bin);
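Review bot: both failure paths in buffer_get_bignum2_ret() (the 8 KiB size cap and a BN_bin2bn() failure) now free bin before returning, which matches the success path and leaves no leak on peer-controlled input. The cap itself is worth keeping as written: it bounds the size of a bignum taken from the wire before it reaches BN_bin2bn(). The rest of the hunk is the wrapped error() call, style only.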
@ -49,6 +49,8 @@ PKG_REQUEST_LOCAL=../pkg-request.local
OPENSSHD=opensshd.init
OPENSSH_MANIFEST=openssh.xml
OPENSSH_FMRI=svc:/site/${SYSVINIT_NAME}:default
SMF_METHOD_DIR=/lib/svc/method/site
SMF_MANIFEST_DIR=/var/svc/manifest/site

PATH_GROUPADD_PROG=@PATH_GROUPADD_PROG@
PATH_USERADD_PROG=@PATH_USERADD_PROG@
@ -196,15 +198,17 @@ then
# For Solaris' SMF, /lib/svc/method/site is the preferred place
# for start/stop scripts that aren't supplied with the OS, and
# similarly /var/svc/manifest/site for manifests.
mkdir -p $FAKE_ROOT${TEST_DIR}/lib/svc/method/site
mkdir -p $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site
mkdir -p $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}
mkdir -p $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}

cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}/lib/svc/method/site/${SYSVINIT_NAME}
chmod 744 $FAKE_ROOT${TEST_DIR}/lib/svc/method/site/${SYSVINIT_NAME}
cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}/${SYSVINIT_NAME}
chmod 744 $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}/${SYSVINIT_NAME}

cat ${OPENSSH_MANIFEST} | sed "s|__SYSVINIT_NAME__|${SYSVINIT_NAME}|" \
> $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site/${SYSVINIT_NAME}.xml
chmod 644 $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site/${SYSVINIT_NAME}.xml
cat ${OPENSSH_MANIFEST} | \
sed -e "s|__SYSVINIT_NAME__|${SYSVINIT_NAME}|" \
-e "s|__SMF_METHOD_DIR__|${SMF_METHOD_DIR}|" \
> $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
chmod 644 $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
else
mkdir -p $FAKE_ROOT${TEST_DIR}/etc/init.d

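Review bot: the new `__SMF_METHOD_DIR__` substitution only takes effect if openssh.xml actually contains that placeholder, and the manifest is not in this diff, so that should be checked together with this hunk. Style: `cat ${OPENSSH_MANIFEST} | sed ...` can be `sed -e ... -e ... < ${OPENSSH_MANIFEST}`, and the unquoted `$FAKE_ROOT${TEST_DIR}...` paths would break on a staging prefix containing whitespace.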
@ -214,19 +218,19 @@ fi

[ "${PERMIT_ROOT_LOGIN}" = no ] && \
perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
$FAKE_ROOT/${sysconfdir}/sshd_config
$FAKE_ROOT${sysconfdir}/sshd_config
[ "${X11_FORWARDING}" = yes ] && \
perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
$FAKE_ROOT/${sysconfdir}/sshd_config
$FAKE_ROOT${sysconfdir}/sshd_config
# fix PrintMotd
perl -p -i -e "s/#PrintMotd yes/PrintMotd no/" \
$FAKE_ROOT/${sysconfdir}/sshd_config
$FAKE_ROOT${sysconfdir}/sshd_config

# We don't want to overwrite config files on multiple installs
mv $FAKE_ROOT/${sysconfdir}/ssh_config $FAKE_ROOT/${sysconfdir}/ssh_config.default
mv $FAKE_ROOT/${sysconfdir}/sshd_config $FAKE_ROOT/${sysconfdir}/sshd_config.default
[ -f $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds ] && \
mv $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds.default
mv $FAKE_ROOT${sysconfdir}/ssh_config $FAKE_ROOT${sysconfdir}/ssh_config.default
mv $FAKE_ROOT${sysconfdir}/sshd_config $FAKE_ROOT${sysconfdir}/sshd_config.default
[ -f $FAKE_ROOT${sysconfdir}/ssh_prng_cmds ] && \
mv $FAKE_ROOT${sysconfdir}/ssh_prng_cmds $FAKE_ROOT${sysconfdir}/ssh_prng_cmds.default

# local tweeks here
[ -s "${POST_MAKE_INSTALL_FIXES}" ] && . ${POST_MAKE_INSTALL_FIXES}
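Review bot: dropping the `/` between $FAKE_ROOT and ${sysconfdir} is correct, since sysconfdir is an absolute path and the old form produced a double slash in every staged path. While here: the perl edits only flip the commented default lines (`#PermitRootLogin yes`, `#X11Forwarding no`, `#PrintMotd yes`), so they silently do nothing if the shipped sshd_config ever changes those defaults, and `tweeks` in the context comment should be `tweaks`.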
@ -336,7 +340,7 @@ then
svccfg delete -f $OPENSSH_FMRI
fi
# NOTE, The manifest disables sshd by default.
svccfg import ${TEST_DIR}/var/svc/manifest/site/${SYSVINIT_NAME}.xml
svccfg import ${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
else
if [ "\${USE_SYM_LINKS}" = yes ]
then
15
channels.c
@ -1,4 +1,4 @@
/* $OpenBSD: channels.c,v 1.268 2007/01/03 03:01:40 stevesk Exp $ */
/* $OpenBSD: channels.c,v 1.270 2007/06/25 08:20:03 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1446,14 +1446,13 @@ static int
channel_handle_rfd(Channel *c, fd_set *readset, fd_set *writeset)
{
char buf[CHAN_RBUF];
int len;
int len, force;

if (c->rfd != -1 &&
(c->detach_close || FD_ISSET(c->rfd, readset))) {
force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED;
if (c->rfd != -1 && (force || FD_ISSET(c->rfd, readset))) {
errno = 0;
len = read(c->rfd, buf, sizeof(buf));
if (len < 0 && (errno == EINTR ||
(errno == EAGAIN && !(c->isatty && c->detach_close))))
if (len < 0 && (errno == EINTR || (errno == EAGAIN && !force)))
return 1;
#ifndef PTY_ZEROREAD
if (len <= 0) {
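Review bot: `force` changes behaviour in two ways that deserve a comment at its definition. A detach_close channel is now force-read only when it is a tty whose input side is still open (`c->istate != CHAN_INPUT_CLOSED`), where previously any detach_close channel was read regardless of readset; and the EAGAIN exemption picks up the same extra condition. The first avoids re-reading a pty whose input was already closed, but it also means a non-tty detach_close channel is no longer read unless its fd is set in readset; if that is intended, say so next to the assignment.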
@ -1658,7 +1657,9 @@ channel_check_window(Channel *c)
{
if (c->type == SSH_CHANNEL_OPEN &&
!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
c->local_window < c->local_window_max/2 &&
((c->local_window_max - c->local_window >
c->local_maxpacket*3) ||
c->local_window < c->local_window_max/2) &&
c->local_consumed > 0) {
packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
packet_put_int(c->remote_id);
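Review bot: the new condition sends CHANNEL_WINDOW_ADJUST as soon as more than three max-size packets have been consumed, not only once the window has fallen below half, which is what keeps the much larger default windows introduced in channels.h (64 packets) topped up on high-latency links. It also means adjusts go out more often on small windows, so the `c->local_consumed > 0` guard is what prevents zero-byte adjusts. The parenthesised `||` is correct but easy to misread; a short comment naming the two triggers would help.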
@ -1,4 +1,4 @@
/* $OpenBSD: channels.h,v 1.88 2006/08/03 03:34:42 deraadt Exp $ */
/* $OpenBSD: channels.h,v 1.89 2007/06/11 09:14:00 markus Exp $ */

/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -122,9 +122,9 @@ struct Channel {

/* default window/packet sizes for tcp/x11-fwd-channel */
#define CHAN_SES_PACKET_DEFAULT (32*1024)
#define CHAN_SES_WINDOW_DEFAULT (4*CHAN_SES_PACKET_DEFAULT)
#define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT)
#define CHAN_TCP_PACKET_DEFAULT (32*1024)
#define CHAN_TCP_WINDOW_DEFAULT (4*CHAN_TCP_PACKET_DEFAULT)
#define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT)
#define CHAN_X11_PACKET_DEFAULT (16*1024)
#define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT)

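Review bot: raising CHAN_SES_WINDOW_DEFAULT and CHAN_TCP_WINDOW_DEFAULT from 4 to 64 packets advertises 64 * 32 KiB = 2 MiB of window per session or forwarded-TCP channel, which the receiving side has to be prepared to buffer; with many concurrent channels that is a noticeable per-connection memory bound on the server, so the throughput trade-off deserves a comment next to the defines. CHAN_X11_WINDOW_DEFAULT is left at 4 packets, which reads as deliberate but is worth stating.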
@ -35,9 +35,7 @@
#include "xmalloc.h"
#include "log.h"

#if OPENSSL_VERSION_NUMBER < 0x00906000L
#define SSH_OLD_EVP
#endif
#include "openbsd-compat/openssl-compat.h"

/*
* This is used by SSH1:
@ -35,9 +35,7 @@
#include "xmalloc.h"
#include "log.h"

#if OPENSSL_VERSION_NUMBER < 0x00906000L
#define SSH_OLD_EVP
#endif
#include "openbsd-compat/openssl-compat.h"

/*
* SSH1 uses a variation on Blowfish, all bytes must be swapped before
@ -29,13 +29,7 @@
/* compatibility with old or broken OpenSSL versions */
#include "openbsd-compat/openssl-compat.h"

#ifdef USE_BUILTIN_RIJNDAEL
#include "rijndael.h"
#define AES_KEY rijndael_ctx
#define AES_BLOCK_SIZE 16
#define AES_encrypt(a, b, c) rijndael_encrypt(c, a, b)
#define AES_set_encrypt_key(a, b, c) rijndael_set_key(c, (char *)a, b, 1)
#else
#ifndef USE_BUILTIN_RIJNDAEL
#include <openssl/aes.h>
#endif

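Review bot: the USE_BUILTIN_RIJNDAEL compatibility mappings (AES_KEY, AES_BLOCK_SIZE, AES_encrypt, AES_set_encrypt_key) are removed from this file together with the `#include "rijndael.h"`, so they must now be provided by openbsd-compat/openssl-compat.h, which is included just above; that header is not in this diff, so the review should confirm it defines the same mappings, otherwise a builtin-rijndael build of this file breaks. Same remark for the SSH_OLD_EVP block removed from the two cipher files above.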
89
clientloop.c
@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.c,v 1.178 2007/02/20 10:25:14 djm Exp $ */
/* $OpenBSD: clientloop.c,v 1.181 2007/08/15 08:14:46 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -290,19 +290,29 @@ client_x11_get_proto(const char *display, const char *xauth_path,
generated = 1;
}
}
snprintf(cmd, sizeof(cmd),
"%s %s%s list %s 2>" _PATH_DEVNULL,
xauth_path,
generated ? "-f " : "" ,
generated ? xauthfile : "",
display);
debug2("x11_get_proto: %s", cmd);
f = popen(cmd, "r");
if (f && fgets(line, sizeof(line), f) &&
sscanf(line, "%*s %511s %511s", proto, data) == 2)
got_data = 1;
if (f)
pclose(f);

/*
* When in untrusted mode, we read the cookie only if it was
* successfully generated as an untrusted one in the step
* above.
*/
if (trusted || generated) {
snprintf(cmd, sizeof(cmd),
"%s %s%s list %s 2>" _PATH_DEVNULL,
xauth_path,
generated ? "-f " : "" ,
generated ? xauthfile : "",
display);
debug2("x11_get_proto: %s", cmd);
f = popen(cmd, "r");
if (f && fgets(line, sizeof(line), f) &&
sscanf(line, "%*s %511s %511s", proto, data) == 2)
got_data = 1;
if (f)
pclose(f);
} else
error("Warning: untrusted X11 forwarding setup failed: "
"xauth key data not generated");
}

if (do_unlink) {
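Review bot: this is the security-relevant hunk. In untrusted mode `xauth list` now runs only when the untrusted cookie was actually generated (`trusted || generated`), so a failure to create it no longer falls through to listing, and therefore forwarding, the user's real trusted cookie. The else branch only logs and leaves got_data at 0, so the caller's handling of got_data == 0 is what ultimately keeps the real cookie off the wire; that path is outside this hunk and should be reviewed with it. Minor: `"" ,` carries a stray space before the comma in both the old and new lines.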
@ -935,7 +945,7 @@ process_cmdline(void)
cmd = s = read_passphrase("\r\nssh> ", RP_ECHO);
if (s == NULL)
goto out;
while (*s && isspace(*s))
while (isspace(*s))
s++;
if (*s == '-')
s++; /* Skip cmdline '-', if any */
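Review bot: dropping the `*s &&` guard is safe because isspace('\0') is false, but both the old and the new line pass a plain `char` to isspace(); for portability this should be `isspace((unsigned char)*s)`, since passing a negative char value to the ctype functions is undefined behaviour and the input here comes straight from the user.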
@ -982,9 +992,8 @@ process_cmdline(void)
goto out;
}

s++;
while (*s && isspace(*s))
s++;
while (isspace(*++s))
;

if (delete) {
cancel_port = 0;
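Review bot: `while (isspace(*++s)) ;` skips one character before testing, so it relies on *s being a non-NUL character on entry; that holds only because the code above has just matched a command character at s, and if that precondition ever changes the loop steps past the terminator. The old `s++; while (*s && isspace(*s)) s++;` made the precondition explicit; keep a comment here, and the same `(unsigned char)` cast for isspace() applies as in the previous hunk.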
@ -1774,6 +1783,50 @@ client_request_agent(const char *request_type, int rchan)
return c;
}

int
client_request_tun_fwd(int tun_mode, int local_tun, int remote_tun)
{
Channel *c;
int fd;

if (tun_mode == SSH_TUNMODE_NO)
return 0;

if (!compat20) {
error("Tunnel forwarding is not support for protocol 1");
return -1;
}

debug("Requesting tun unit %d in mode %d", local_tun, tun_mode);

/* Open local tunnel device */
if ((fd = tun_open(local_tun, tun_mode)) == -1) {
error("Tunnel device open failed.");
return -1;
}

c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
c->datagram = 1;

#if defined(SSH_TUN_FILTER)
if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
channel_register_filter(c->self, sys_tun_infilter,
sys_tun_outfilter);
#endif

packet_start(SSH2_MSG_CHANNEL_OPEN);
packet_put_cstring("tun@openssh.com");
packet_put_int(c->self);
packet_put_int(c->local_window_max);
packet_put_int(c->local_maxpacket);
packet_put_int(tun_mode);
packet_put_int(remote_tun);
packet_send();

return 0;
}

/* XXXX move to generic input handler */
static void
client_input_channel_open(int type, u_int32_t seq, void *ctxt)
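Review bot: two points in client_request_tun_fwd(). The message "Tunnel forwarding is not support for protocol 1" should read "not supported". More importantly, the SSH_TUN_FILTER block tests `options.tun_open` while everything else in the function (the early return, tun_open(), and the CHANNEL_OPEN payload) uses the tun_mode parameter; if the two can ever differ the filter is registered for the wrong mode, so it should test tun_mode. Also note that fd is handed to channel_new() and never closed in this function on any later path, which is fine only because the channel now owns it; a comment saying so would help.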
@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.h,v 1.16 2006/03/25 22:22:42 djm Exp $ */
/* $OpenBSD: clientloop.h,v 1.17 2007/08/07 07:32:53 djm Exp $ */

/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -44,6 +44,7 @@ void client_x11_get_proto(const char *, const char *, u_int,
void client_global_request_reply_fwd(int, u_int32_t, void *);
void client_session2_setup(int, int, int, const char *, struct termios *,
int, Buffer *, char **, dispatch_fn *);
int client_request_tun_fwd(int, int, int);

/* Multiplexing protocol version */
#define SSHMUX_VER 1
35
config.h.in
@ -155,6 +155,9 @@
/* OpenBSD's gcc has bounded */
#undef HAVE_ATTRIBUTE__BOUNDED__

/* Have attribute nonnull */
#undef HAVE_ATTRIBUTE__NONNULL__

/* OpenBSD's gcc has sentinel */
#undef HAVE_ATTRIBUTE__SENTINEL__

@ -230,6 +233,14 @@
don't. */
#undef HAVE_DECL_LOGINSUCCESS

/* Define to 1 if you have the declaration of `MAXSYMLINKS', and to 0 if you
don't. */
#undef HAVE_DECL_MAXSYMLINKS

/* Define to 1 if you have the declaration of `offsetof', and to 0 if you
don't. */
#undef HAVE_DECL_OFFSETOF

/* Define to 1 if you have the declaration of `O_NONBLOCK', and to 0 if you
don't. */
#undef HAVE_DECL_O_NONBLOCK
@ -354,6 +365,9 @@
/* Define to 1 if you have the `getpeereid' function. */
#undef HAVE_GETPEEREID

/* Define to 1 if you have the `getpeerucred' function. */
#undef HAVE_GETPEERUCRED

/* Define to 1 if you have the `getpwanam' function. */
#undef HAVE_GETPWANAM

@ -480,9 +494,6 @@
/* Define to 1 if you have the <libgen.h> header file. */
#undef HAVE_LIBGEN_H

/* Define to 1 if you have the `iaf' library (-liaf). */
#undef HAVE_LIBIAF

/* Define to 1 if you have the `nsl' library (-lnsl). */
#undef HAVE_LIBNSL

@ -619,6 +630,12 @@
/* define if you have pid_t data type */
#undef HAVE_PID_T

/* Define to 1 if you have the `poll' function. */
#undef HAVE_POLL

/* Define to 1 if you have the <poll.h> header file. */
#undef HAVE_POLL_H

/* Define to 1 if you have the `prctl' function. */
#undef HAVE_PRCTL

@ -736,6 +753,9 @@
/* Define to 1 if you have the `setvbuf' function. */
#undef HAVE_SETVBUF

/* Define to 1 if you have the `set_id' function. */
#undef HAVE_SET_ID

/* Define to 1 if you have the `SHA256_Update' function. */
#undef HAVE_SHA256_UPDATE

@ -844,6 +864,9 @@
/* define if you have struct timeval */
#undef HAVE_STRUCT_TIMEVAL

/* Define to 1 if you have the `swap32' function. */
#undef HAVE_SWAP32

/* Define to 1 if you have the `sysconf' function. */
#undef HAVE_SYSCONF

@ -958,6 +981,9 @@
/* Define if you have ut_type in utmpx.h */
#undef HAVE_TYPE_IN_UTMPX

/* Define to 1 if you have the <ucred.h> header file. */
#undef HAVE_UCRED_H

/* define if you have uintxx_t data type */
#undef HAVE_UINTXX_T

@ -1039,6 +1065,9 @@
/* Define to 1 if you have the `_getshort' function. */
#undef HAVE__GETSHORT

/* Define if you have struct __res_state _res as an extern */
#undef HAVE__RES_EXTERN

/* Define to 1 if you have the `__b64_ntop' function. */
#undef HAVE___B64_NTOP

382
configure
@ -1,5 +1,5 @@
#! /bin/sh
# From configure.ac Revision: 1.372 .
# From configure.ac Revision: 1.383 .
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.61 for OpenSSH Portable.
#
@ -693,9 +693,7 @@ LOGIN_PROGRAM_FALLBACK
PATH_PASSWD_PROG
LD
SSHDLIBS
LIBWRAP
LIBEDIT
LIBPAM
INSTALL_SSH_RAND_HELPER
SSH_PRIVSEP_USER
PROG_LS
@ -716,7 +714,6 @@ PROG_IPCS
PROG_TAIL
INSTALL_SSH_PRNG_CMDS
OPENSC_CONFIG
LIBSELINUX
PRIVSEP_PATH
xauth_path
STRIP_OPT
@ -5390,9 +5387,12 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized"
GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
case $GCC_VER in
1.*) ;;
2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;;
2.*) ;;
1.*) no_attrib_nonnull=1 ;;
2.8* | 2.9*)
CFLAGS="$CFLAGS -Wsign-compare"
no_attrib_nonnull=1
;;
2.*) no_attrib_nonnull=1 ;;
3.*) CFLAGS="$CFLAGS -Wsign-compare" ;;
4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign" ;;
*) ;;
@ -5466,6 +5466,14 @@ fi
fi
fi

if test "x$no_attrib_nonnull" != "x1" ; then

cat >>confdefs.h <<\_ACEOF
#define HAVE_ATTRIBUTE__NONNULL__ 1
_ACEOF

fi


# Check whether --with-rpath was given.
if test "${with_rpath+set}" = set; then
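Review bot: HAVE_ATTRIBUTE__NONNULL__ is defined whenever no_attrib_nonnull is not "1", which is also the case for non-GCC compilers that never enter the version case statement above; if the nonnull attribute is only meant for GCC 3 and later, the default should be to leave it undefined and only set it in the 3.* and 4.* arms.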
@ -5601,6 +5609,8 @@ fi








@ -5626,6 +5636,7 @@ for ac_header in \
netgroup.h \
pam/pam_appl.h \
paths.h \
poll.h \
pty.h \
readpassphrase.h \
rpc/types.h \
@ -5657,6 +5668,7 @@ for ac_header in \
time.h \
tmpdir.h \
ttyent.h \
ucred.h \
unistd.h \
usersec.h \
util.h \
@ -8862,6 +8874,14 @@ _ACEOF
_ACEOF

enable_etc_default_login=no # has incompatible /etc/default/login
case "$host" in
*-*-nto-qnx6*)
cat >>confdefs.h <<\_ACEOF
#define DISABLE_FD_PASSING 1
_ACEOF

;;
esac
;;

*-*-ultrix*)
@ -11684,8 +11704,7 @@ if test "${with_tcp_wrappers+set}" = set; then
CPPFLAGS="-I${withval} ${CPPFLAGS}"
fi
fi
LIBWRAP="-lwrap"
LIBS="$LIBWRAP $LIBS"
LIBS="-lwrap $LIBS"
{ echo "$as_me:$LINENO: checking for libwrap" >&5
echo $ECHO_N "checking for libwrap... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
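Review bot: with LIBWRAP gone, -lwrap is prepended to LIBS here for the link test and then added to SSHDLIBS in the next hunk, which scopes libwrap to sshd only instead of every installed binary, the desirable direction. The missing piece in this hunk is restoring LIBS after the test: if it stays prepended, ssh, scp and the other clients are still linked against libwrap, and that restore is not visible in the diff.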
@ -11735,7 +11754,7 @@ cat >>confdefs.h <<\_ACEOF
#define LIBWRAP 1
_ACEOF


SSHDLIBS="$SSHDLIBS -lwrap"
TCPW_MSG="yes"

else
@ -12360,6 +12379,9 @@ fi









@ -12386,6 +12408,7 @@ for ac_func in \
getnameinfo \
getopt \
getpeereid \
getpeerucred \
_getpty \
getrlimit \
getttyent \
@ -12404,6 +12427,7 @@ for ac_func in \
ogetaddrinfo \
openlog_r \
openpty \
poll \
prctl \
pstat \
readpassphrase \
@ -12437,6 +12461,7 @@ for ac_func in \
strtonum \
strtoll \
strtoul \
swap32 \
sysconf \
tcgetpgrp \
truncate \
@ -13538,6 +13563,150 @@ fi



{ echo "$as_me:$LINENO: checking whether MAXSYMLINKS is declared" >&5
echo $ECHO_N "checking whether MAXSYMLINKS is declared... $ECHO_C" >&6; }
if test "${ac_cv_have_decl_MAXSYMLINKS+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */

#include <sys/param.h>


int
main ()
{
#ifndef MAXSYMLINKS
(void) MAXSYMLINKS;
#endif

;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext
if { (ac_try="$ac_compile"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && {
test -z "$ac_c_werror_flag" ||
test ! -s conftest.err
} && test -s conftest.$ac_objext; then
ac_cv_have_decl_MAXSYMLINKS=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5

ac_cv_have_decl_MAXSYMLINKS=no
fi

rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_MAXSYMLINKS" >&5
echo "${ECHO_T}$ac_cv_have_decl_MAXSYMLINKS" >&6; }
if test $ac_cv_have_decl_MAXSYMLINKS = yes; then

cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_MAXSYMLINKS 1
_ACEOF


else
cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_MAXSYMLINKS 0
_ACEOF


fi



{ echo "$as_me:$LINENO: checking whether offsetof is declared" >&5
echo $ECHO_N "checking whether offsetof is declared... $ECHO_C" >&6; }
if test "${ac_cv_have_decl_offsetof+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */

#include <stddef.h>


int
main ()
{
#ifndef offsetof
(void) offsetof;
#endif

;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext
if { (ac_try="$ac_compile"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && {
test -z "$ac_c_werror_flag" ||
test ! -s conftest.err
} && test -s conftest.$ac_objext; then
ac_cv_have_decl_offsetof=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5

ac_cv_have_decl_offsetof=no
fi

rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_offsetof" >&5
echo "${ECHO_T}$ac_cv_have_decl_offsetof" >&6; }
if test $ac_cv_have_decl_offsetof = yes; then

cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_OFFSETOF 1
_ACEOF


else
cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_OFFSETOF 0
_ACEOF


fi




for ac_func in setresuid
do
@ -14853,7 +15022,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext

# Check for missing getpeereid (or equiv) support
NO_PEERCHECK=""
if test "x$ac_cv_func_getpeereid" != "xyes" ; then
if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
{ echo "$as_me:$LINENO: checking whether system supports SO_PEERCRED getsockopt" >&5
echo $ECHO_N "checking whether system supports SO_PEERCRED getsockopt... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
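Review bot: the SO_PEERCRED probe is now skipped when getpeerucred is available, so NO_PEERCHECK stays empty on such systems; that is only correct if the compat layer really implements getpeereid() on top of getpeerucred() when HAVE_GETPEERUCRED is set, which this diff does not show. If that implementation is missing, the build reports peer checking as available while the agent-socket peer check silently does nothing, so that compat file should be reviewed alongside this hunk.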
@ -16294,7 +16463,7 @@ fi
done



saved_LIBS="$LIBS"
{ echo "$as_me:$LINENO: checking for ia_openinfo in -liaf" >&5
echo $ECHO_N "checking for ia_openinfo in -liaf... $ECHO_C" >&6; }
if test "${ac_cv_lib_iaf_ia_openinfo+set}" = set; then
@ -16357,14 +16526,106 @@ fi
{ echo "$as_me:$LINENO: result: $ac_cv_lib_iaf_ia_openinfo" >&5
echo "${ECHO_T}$ac_cv_lib_iaf_ia_openinfo" >&6; }
if test $ac_cv_lib_iaf_ia_openinfo = yes; then
cat >>confdefs.h <<_ACEOF
#define HAVE_LIBIAF 1
_ACEOF

LIBS="-liaf $LIBS"
LIBS="$LIBS -liaf"

for ac_func in set_id
do
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
{ echo "$as_me:$LINENO: checking for $ac_func" >&5
echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
For example, HP-UX 11i <limits.h> declares gettimeofday. */
#define $ac_func innocuous_$ac_func

/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char $ac_func (); below.
Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
<limits.h> exists even on freestanding compilers. */

#ifdef __STDC__
# include <limits.h>
#else
# include <assert.h>
#endif

#undef $ac_func

/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char $ac_func ();
/* The GNU C library defines this for functions which it implements
to always fail with ENOSYS. Some functions are actually named
something starting with __ and the normal name is an alias. */
#if defined __stub_$ac_func || defined __stub___$ac_func
choke me
#endif

int
main ()
{
return $ac_func ();
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext conftest$ac_exeext
if { (ac_try="$ac_link"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_link") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && {
test -z "$ac_c_werror_flag" ||
test ! -s conftest.err
} && test -s conftest$ac_exeext &&
$as_test_x conftest$ac_exeext; then
eval "$as_ac_var=yes"
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5

eval "$as_ac_var=no"
fi

rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
conftest$ac_exeext conftest.$ac_ext
fi
ac_res=`eval echo '${'$as_ac_var'}'`
{ echo "$as_me:$LINENO: result: $ac_res" >&5
echo "${ECHO_T}$ac_res" >&6; }
if test `eval echo '${'$as_ac_var'}'` = yes; then
cat >>confdefs.h <<_ACEOF
#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
_ACEOF
SSHDLIBS="$SSHDLIBS -liaf"
fi
done


fi

LIBS="$saved_LIBS"

### Configure cryptographic random number support

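Review bot: the libiaf probe is now bracketed by `saved_LIBS="$LIBS"` (previous hunk) and `LIBS="$saved_LIBS"`, and -liaf reaches sshd only through SSHDLIBS when set_id() links, so the library no longer leaks into every binary's LIBS. Two small points: `SSHDLIBS="$SSHDLIBS -liaf"` sits inside the `for ac_func in set_id` loop, so it would be appended once per function if that list ever grows beyond set_id; and HAVE_LIBIAF is still defined in confdefs.h even when set_id() is absent, which is consistent with the auth.c hunks only if USE_LIBIAF is derived from HAVE_SET_ID rather than HAVE_LIBIAF alone.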
@ -16790,7 +17051,7 @@ done

PAM_MSG="yes"

LIBPAM="-lpam"
SSHDLIBS="$SSHDLIBS -lpam"

cat >>confdefs.h <<\_ACEOF
#define USE_PAM 1
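Review bot: moving -lpam (and -ldl in the following hunk) from the LIBPAM substitution into SSHDLIBS matches the libwrap change and confines the PAM dependency to sshd. Since LIBPAM is also dropped from the substitution list earlier in this file, every Makefile target that still references $(LIBPAM) must be switched to $(SSHDLIBS) in the same commit, which is not visible here.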
@ -16803,11 +17064,10 @@ _ACEOF
# libdl already in LIBS
;;
*)
LIBPAM="$LIBPAM -ldl"
SSHDLIBS="$SSHDLIBS -ldl"
;;
esac
fi

fi


@ -25043,6 +25303,59 @@ fi
fi


{ echo "$as_me:$LINENO: checking if struct __res_state _res is an extern" >&5
echo $ECHO_N "checking if struct __res_state _res is an extern... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF

#include <stdio.h>
#if HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
extern struct __res_state _res;
int main() { return 0; }

_ACEOF
rm -f conftest.$ac_objext conftest$ac_exeext
if { (ac_try="$ac_link"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_link") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && {
test -z "$ac_c_werror_flag" ||
test ! -s conftest.err
} && test -s conftest$ac_exeext &&
$as_test_x conftest$ac_exeext; then
{ echo "$as_me:$LINENO: result: yes" >&5
echo "${ECHO_T}yes" >&6; }

cat >>confdefs.h <<\_ACEOF
#define HAVE__RES_EXTERN 1
_ACEOF


else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5

{ echo "$as_me:$LINENO: result: no" >&5
echo "${ECHO_T}no" >&6; }

fi

rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
conftest$ac_exeext conftest.$ac_ext

# Check whether user wants SELinux support
SELINUX_MSG="no"
LIBSELINUX=""
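Review bot: the _res probe compiles and links `extern struct __res_state _res;` but never references the symbol, so the link step cannot fail on a missing _res; as written it only tests that the declaration compiles against <resolv.h>, which is probably what HAVE__RES_EXTERN is meant to capture, but then a compile test would be cheaper and clearer. It is also uncached (no ac_cv_ variable), unlike the neighbouring checks, and it runs with whatever LIBS currently holds, so its result depends on where in the script it is placed.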
@ -25050,6 +25363,7 @@ LIBSELINUX=""
# Check whether --with-selinux was given.
if test "${with_selinux+set}" = set; then
withval=$with_selinux; if test "x$withval" != "xno" ; then
save_LIBS="$LIBS"

cat >>confdefs.h <<\_ACEOF
#define WITH_SELINUX 1
@ -25264,8 +25578,7 @@ echo "$as_me: error: SELinux support requires libselinux library" >&2;}
{ (exit 1); exit 1; }; }
fi

save_LIBS="$LIBS"
LIBS="$LIBS $LIBSELINUX"
SSHDLIBS="$SSHDLIBS $LIBSELINUX"


for ac_func in getseuserbyname get_default_context_with_level
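Review bot: save_LIBS is now taken before the libselinux link check (previous hunk) rather than after it, and LIBSELINUX is appended to SSHDLIBS as well as LIBS; the point of the earlier capture is that the restore `LIBS="$save_LIBS"` after the getseuserbyname probe now also undoes whatever the library check added, so the clients are not linked against libselinux. That restore is not in this hunk and should be checked, as should the Makefile consumers of the former LIBSELINUX substitution, which the earlier hunk removes.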
@ -25367,7 +25680,6 @@ done
fi



# Check whether user wants Kerberos 5 support
KRB5_MSG="no"

@ -28781,9 +29093,7 @@ LOGIN_PROGRAM_FALLBACK!$LOGIN_PROGRAM_FALLBACK$ac_delim
PATH_PASSWD_PROG!$PATH_PASSWD_PROG$ac_delim
LD!$LD$ac_delim
SSHDLIBS!$SSHDLIBS$ac_delim
LIBWRAP!$LIBWRAP$ac_delim
LIBEDIT!$LIBEDIT$ac_delim
LIBPAM!$LIBPAM$ac_delim
INSTALL_SSH_RAND_HELPER!$INSTALL_SSH_RAND_HELPER$ac_delim
SSH_PRIVSEP_USER!$SSH_PRIVSEP_USER$ac_delim
PROG_LS!$PROG_LS$ac_delim
@ -28801,6 +29111,8 @@ PROG_DF!$PROG_DF$ac_delim
|
||||
PROG_VMSTAT!$PROG_VMSTAT$ac_delim
|
||||
PROG_UPTIME!$PROG_UPTIME$ac_delim
|
||||
PROG_IPCS!$PROG_IPCS$ac_delim
|
||||
PROG_TAIL!$PROG_TAIL$ac_delim
|
||||
INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim
|
||||
_ACEOF
|
||||
|
||||
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
|
||||
@ -28842,10 +29154,7 @@ _ACEOF
|
||||
ac_delim='%!_!# '
|
||||
for ac_last_try in false false false false false :; do
|
||||
cat >conf$$subs.sed <<_ACEOF
|
||||
PROG_TAIL!$PROG_TAIL$ac_delim
|
||||
INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim
|
||||
OPENSC_CONFIG!$OPENSC_CONFIG$ac_delim
|
||||
LIBSELINUX!$LIBSELINUX$ac_delim
|
||||
PRIVSEP_PATH!$PRIVSEP_PATH$ac_delim
|
||||
xauth_path!$xauth_path$ac_delim
|
||||
STRIP_OPT!$STRIP_OPT$ac_delim
|
||||
@ -28859,7 +29168,7 @@ LIBOBJS!$LIBOBJS$ac_delim
|
||||
LTLIBOBJS!$LTLIBOBJS$ac_delim
|
||||
_ACEOF
|
||||
|
||||
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 15; then
|
||||
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 12; then
|
||||
break
|
||||
elif $ac_last_try; then
|
||||
{ { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
|
||||
@ -29351,7 +29660,10 @@ echo " Compiler: ${CC}"
|
||||
echo " Compiler flags: ${CFLAGS}"
|
||||
echo "Preprocessor flags: ${CPPFLAGS}"
|
||||
echo " Linker flags: ${LDFLAGS}"
|
||||
echo " Libraries: ${LIBWRAP} ${LIBPAM} ${LIBS}"
|
||||
echo " Libraries: ${LIBS}"
|
||||
if test ! -z "${SSHDLIBS}"; then
|
||||
echo " +for sshd: ${SSHDLIBS}"
|
||||
fi
|
||||
|
||||
echo ""
|
||||
|
||||
@ -29377,12 +29689,12 @@ if test ! -z "$RAND_HELPER_CMDHASH" ; then
|
||||
fi
|
||||
|
||||
if test ! -z "$NO_PEERCHECK" ; then
|
||||
echo "WARNING: the operating system that you are using does not "
|
||||
echo "appear to support either the getpeereid() API nor the "
|
||||
echo "SO_PEERCRED getsockopt() option. These facilities are used to "
|
||||
echo "enforce security checks to prevent unauthorised connections to "
|
||||
echo "ssh-agent. Their absence increases the risk that a malicious "
|
||||
echo "user can connect to your agent. "
|
||||
echo "WARNING: the operating system that you are using does not"
|
||||
echo "appear to support getpeereid(), getpeerucred() or the"
|
||||
echo "SO_PEERCRED getsockopt() option. These facilities are used to"
|
||||
echo "enforce security checks to prevent unauthorised connections to"
|
||||
echo "ssh-agent. Their absence increases the risk that a malicious"
|
||||
echo "user can connect to your agent."
|
||||
echo ""
|
||||
fi
|
||||
|
||||
|
95
configure.ac
@ -1,4 +1,4 @@
|
||||
# $Id: configure.ac,v 1.372 2007/03/05 00:51:27 djm Exp $
|
||||
# $Id: configure.ac,v 1.383 2007/08/10 04:36:12 dtucker Exp $
|
||||
#
|
||||
# Copyright (c) 1999-2004 Damien Miller
|
||||
#
|
||||
@ -15,7 +15,7 @@
|
||||
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
|
||||
AC_REVISION($Revision: 1.372 $)
|
||||
AC_REVISION($Revision: 1.383 $)
|
||||
AC_CONFIG_SRCDIR([ssh.c])
|
||||
|
||||
AC_CONFIG_HEADER(config.h)
|
||||
@ -94,9 +94,12 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
|
||||
CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized"
|
||||
GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
|
||||
case $GCC_VER in
|
||||
1.*) ;;
|
||||
2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;;
|
||||
2.*) ;;
|
||||
1.*) no_attrib_nonnull=1 ;;
|
||||
2.8* | 2.9*)
|
||||
CFLAGS="$CFLAGS -Wsign-compare"
|
||||
no_attrib_nonnull=1
|
||||
;;
|
||||
2.*) no_attrib_nonnull=1 ;;
|
||||
3.*) CFLAGS="$CFLAGS -Wsign-compare" ;;
|
||||
4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign" ;;
|
||||
*) ;;
|
||||
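Review bot: the `*)` arm of the GCC_VER case leaves no_attrib_nonnull unset, so an empty or unrecognised version string (the `$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` scrape prints nothing for compilers with a different banner) silently selects "attribute nonnull supported". A direct AC_COMPILE_IFELSE probe of a prototype carrying `__attribute__((__nonnull__(1)))` would decide the define from the compiler's actual behaviour; the version table could then be kept for the warning flags only.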
@ -115,6 +118,10 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
|
||||
fi
|
||||
fi
|
||||
|
||||
if test "x$no_attrib_nonnull" != "x1" ; then
|
||||
AC_DEFINE(HAVE_ATTRIBUTE__NONNULL__, 1, [Have attribute nonnull])
|
||||
fi
|
||||
|
||||
AC_ARG_WITH(rpath,
|
||||
[ --without-rpath Disable auto-added -R linker paths],
|
||||
[
|
||||
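Review bot: the `if test "x$no_attrib_nonnull" != "x1"` block sits after the two `fi` lines that close the `$GCC = yes` section, so for any non-GCC compiler the variable is never set and HAVE_ATTRIBUTE__NONNULL__ is defined unconditionally. defines.h in this commit only stubs `__nonnull__(x)` out when that macro is absent, so a compiler that rejects the attribute gets it anyway unless `__attribute__` itself is neutralised elsewhere. Initialise `no_attrib_nonnull=1` before the GCC block and clear it only in the 3.*/4.* arms so the default is the safe one.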
@ -198,6 +205,7 @@ AC_CHECK_HEADERS( \
|
||||
netgroup.h \
|
||||
pam/pam_appl.h \
|
||||
paths.h \
|
||||
poll.h \
|
||||
pty.h \
|
||||
readpassphrase.h \
|
||||
rpc/types.h \
|
||||
@ -229,6 +237,7 @@ AC_CHECK_HEADERS( \
|
||||
time.h \
|
||||
tmpdir.h \
|
||||
ttyent.h \
|
||||
ucred.h \
|
||||
unistd.h \
|
||||
usersec.h \
|
||||
util.h \
|
||||
@ -777,6 +786,11 @@ mips-sony-bsd|mips-sony-newsos4)
|
||||
AC_DEFINE(DISABLE_LASTLOG)
|
||||
AC_DEFINE(SSHD_ACQUIRES_CTTY)
|
||||
enable_etc_default_login=no # has incompatible /etc/default/login
|
||||
case "$host" in
|
||||
*-*-nto-qnx6*)
|
||||
AC_DEFINE(DISABLE_FD_PASSING)
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
|
||||
*-*-ultrix*)
|
||||
@ -1109,8 +1123,7 @@ AC_ARG_WITH(tcp-wrappers,
|
||||
CPPFLAGS="-I${withval} ${CPPFLAGS}"
|
||||
fi
|
||||
fi
|
||||
LIBWRAP="-lwrap"
|
||||
LIBS="$LIBWRAP $LIBS"
|
||||
LIBS="-lwrap $LIBS"
|
||||
AC_MSG_CHECKING(for libwrap)
|
||||
AC_TRY_LINK(
|
||||
[
|
||||
@ -1126,7 +1139,7 @@ AC_ARG_WITH(tcp-wrappers,
|
||||
AC_DEFINE(LIBWRAP, 1,
|
||||
[Define if you want
|
||||
TCP Wrappers support])
|
||||
AC_SUBST(LIBWRAP)
|
||||
SSHDLIBS="$SSHDLIBS -lwrap"
|
||||
TCPW_MSG="yes"
|
||||
],
|
||||
[
|
||||
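Review bot: replacing `AC_SUBST(LIBWRAP)` with `SSHDLIBS="$SSHDLIBS -lwrap"` (and dropping AC_SUBST(LIBPAM) in the PAM hunk below) means @LIBWRAP@ and @LIBPAM@ are no longer substituted, so Makefile.in has to move the sshd link line to @SSHDLIBS@ in the same commit or the unexpanded tokens end up on the link line. The preceding hunk still prepends `-lwrap` to LIBS for the probe (`LIBS="-lwrap $LIBS"`); confirm that LIBS is restored from the saved copy after the AC_TRY_LINK, otherwise every later link test and the ssh client pick up libwrap although only sshd needs it.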
@ -1241,6 +1254,7 @@ AC_CHECK_FUNCS( \
|
||||
getnameinfo \
|
||||
getopt \
|
||||
getpeereid \
|
||||
getpeerucred \
|
||||
_getpty \
|
||||
getrlimit \
|
||||
getttyent \
|
||||
@ -1259,6 +1273,7 @@ AC_CHECK_FUNCS( \
|
||||
ogetaddrinfo \
|
||||
openlog_r \
|
||||
openpty \
|
||||
poll \
|
||||
prctl \
|
||||
pstat \
|
||||
readpassphrase \
|
||||
@ -1292,6 +1307,7 @@ AC_CHECK_FUNCS( \
|
||||
strtonum \
|
||||
strtoll \
|
||||
strtoul \
|
||||
swap32 \
|
||||
sysconf \
|
||||
tcgetpgrp \
|
||||
truncate \
|
||||
@ -1364,6 +1380,14 @@ AC_CHECK_DECLS(writev, , , [
|
||||
#include <unistd.h>
|
||||
])
|
||||
|
||||
AC_CHECK_DECLS(MAXSYMLINKS, , , [
|
||||
#include <sys/param.h>
|
||||
])
|
||||
|
||||
AC_CHECK_DECLS(offsetof, , , [
|
||||
#include <stddef.h>
|
||||
])
|
||||
|
||||
AC_CHECK_FUNCS(setresuid, [
|
||||
dnl Some platorms have setresuid that isn't implemented, test for this
|
||||
AC_MSG_CHECKING(if setresuid seems to work)
|
||||
@ -1489,7 +1513,7 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[#include <stdio.h>
|
||||
|
||||
# Check for missing getpeereid (or equiv) support
|
||||
NO_PEERCHECK=""
|
||||
if test "x$ac_cv_func_getpeereid" != "xyes" ; then
|
||||
if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
|
||||
AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
|
||||
AC_TRY_COMPILE(
|
||||
[#include <sys/types.h>
|
||||
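Review bot: `test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"` uses the XSI `-a` operator, which the autoconf portability notes advise against because some historical shells mis-parse it; write it as two `test` invocations joined with `&&`. Since this gate decides whether ssh-agent gets peer-credential checks at all, it is also worth surfacing the getpeereid()/getpeerucred()/SO_PEERCRED outcome in the configure summary rather than only in the NO_PEERCHECK warning at the end.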
@ -1977,7 +2001,12 @@ fi
|
||||
# Search for SHA256 support in libc and/or OpenSSL
|
||||
AC_CHECK_FUNCS(SHA256_Update EVP_sha256)
|
||||
|
||||
AC_CHECK_LIB(iaf, ia_openinfo)
|
||||
saved_LIBS="$LIBS"
|
||||
AC_CHECK_LIB(iaf, ia_openinfo, [
|
||||
LIBS="$LIBS -liaf"
|
||||
AC_CHECK_FUNCS(set_id, [SSHDLIBS="$SSHDLIBS -liaf"])
|
||||
])
|
||||
LIBS="$saved_LIBS"
|
||||
|
||||
### Configure cryptographic random number support
|
||||
|
||||
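Review bot: giving AC_CHECK_LIB(iaf, ia_openinfo, [...]) an action-if-found suppresses autoconf's default action, which is what used to define HAVE_LIBIAF; nothing in the new block defines it, yet defines.h in this commit still keys USE_LIBIAF on `defined(HAVE_LIBIAF) && defined(HAVE_SET_ID) && !defined(BROKEN_LIBIAF)`, so libiaf password authentication is never enabled. Add `AC_DEFINE(HAVE_LIBIAF, 1, [Define if system has libiaf that supports set_id])` next to `SSHDLIBS="$SSHDLIBS -liaf"` inside the set_id action. Restoring LIBS from saved_LIBS afterwards is correct, since only sshd needs -liaf.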
@ -2027,7 +2056,7 @@ AC_ARG_WITH(pam,
|
||||
|
||||
PAM_MSG="yes"
|
||||
|
||||
LIBPAM="-lpam"
|
||||
SSHDLIBS="$SSHDLIBS -lpam"
|
||||
AC_DEFINE(USE_PAM, 1,
|
||||
[Define if you want to enable PAM support])
|
||||
|
||||
@ -2037,11 +2066,10 @@ AC_ARG_WITH(pam,
|
||||
# libdl already in LIBS
|
||||
;;
|
||||
*)
|
||||
LIBPAM="$LIBPAM -ldl"
|
||||
SSHDLIBS="$SSHDLIBS -ldl"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
AC_SUBST(LIBPAM)
|
||||
fi
|
||||
]
|
||||
)
|
||||
@ -3150,25 +3178,43 @@ int main()
|
||||
[#include <arpa/nameser.h>])
|
||||
])
|
||||
|
||||
AC_MSG_CHECKING(if struct __res_state _res is an extern)
|
||||
AC_LINK_IFELSE([
|
||||
#include <stdio.h>
|
||||
#if HAVE_SYS_TYPES_H
|
||||
# include <sys/types.h>
|
||||
#endif
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/nameser.h>
|
||||
#include <resolv.h>
|
||||
extern struct __res_state _res;
|
||||
int main() { return 0; }
|
||||
],
|
||||
[AC_MSG_RESULT(yes)
|
||||
AC_DEFINE(HAVE__RES_EXTERN, 1,
|
||||
[Define if you have struct __res_state _res as an extern])
|
||||
],
|
||||
[ AC_MSG_RESULT(no) ]
|
||||
)
|
||||
|
||||
# Check whether user wants SELinux support
|
||||
SELINUX_MSG="no"
|
||||
LIBSELINUX=""
|
||||
AC_ARG_WITH(selinux,
|
||||
[ --with-selinux Enable SELinux support],
|
||||
[ if test "x$withval" != "xno" ; then
|
||||
save_LIBS="$LIBS"
|
||||
AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
|
||||
SELINUX_MSG="yes"
|
||||
AC_CHECK_HEADER([selinux/selinux.h], ,
|
||||
AC_MSG_ERROR(SELinux support requires selinux.h header))
|
||||
AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
|
||||
AC_MSG_ERROR(SELinux support requires libselinux library))
|
||||
save_LIBS="$LIBS"
|
||||
LIBS="$LIBS $LIBSELINUX"
|
||||
SSHDLIBS="$SSHDLIBS $LIBSELINUX"
|
||||
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
|
||||
LIBS="$save_LIBS"
|
||||
fi ]
|
||||
)
|
||||
AC_SUBST(LIBSELINUX)
|
||||
|
||||
# Check whether user wants Kerberos 5 support
|
||||
KRB5_MSG="no"
|
||||
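Review bot: `save_LIBS="$LIBS"` is assigned twice in the SELinux block, once right after the `xno` test and again after the AC_CHECK_LIB; the first is dead and should go. In the new `_res` test, the raw C source is passed straight to AC_LINK_IFELSE; wrap it in AC_LANG_PROGRAM (or AC_LANG_SOURCE) so autoconf quotes it properly and the `#if HAVE_SYS_TYPES_H` line behaves the same under every autoconf 2.6x release.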
@ -4004,7 +4050,10 @@ echo " Compiler: ${CC}"
|
||||
echo " Compiler flags: ${CFLAGS}"
|
||||
echo "Preprocessor flags: ${CPPFLAGS}"
|
||||
echo " Linker flags: ${LDFLAGS}"
|
||||
echo " Libraries: ${LIBWRAP} ${LIBPAM} ${LIBS}"
|
||||
echo " Libraries: ${LIBS}"
|
||||
if test ! -z "${SSHDLIBS}"; then
|
||||
echo " +for sshd: ${SSHDLIBS}"
|
||||
fi
|
||||
|
||||
echo ""
|
||||
|
||||
@ -4030,12 +4079,12 @@ if test ! -z "$RAND_HELPER_CMDHASH" ; then
|
||||
fi
|
||||
|
||||
if test ! -z "$NO_PEERCHECK" ; then
|
||||
echo "WARNING: the operating system that you are using does not "
|
||||
echo "appear to support either the getpeereid() API nor the "
|
||||
echo "SO_PEERCRED getsockopt() option. These facilities are used to "
|
||||
echo "enforce security checks to prevent unauthorised connections to "
|
||||
echo "ssh-agent. Their absence increases the risk that a malicious "
|
||||
echo "user can connect to your agent. "
|
||||
echo "WARNING: the operating system that you are using does not"
|
||||
echo "appear to support getpeereid(), getpeerucred() or the"
|
||||
echo "SO_PEERCRED getsockopt() option. These facilities are used to"
|
||||
echo "enforce security checks to prevent unauthorised connections to"
|
||||
echo "ssh-agent. Their absence increases the risk that a malicious"
|
||||
echo "user can connect to your agent."
|
||||
echo ""
|
||||
fi
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# buildbff.sh: Create AIX SMIT-installable OpenSSH packages
|
||||
# $Id: buildbff.sh 180740 2008-07-23 09:15:38Z des $
|
||||
# $Id: buildbff.sh,v 1.10 2006/09/10 03:24:19 dtucker Exp $
|
||||
#
|
||||
# Author: Darren Tucker (dtucker at zip dot com dot au)
|
||||
# This file is placed in the public domain and comes with absolutely
|
||||
|
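Review bot: the outgoing `$Id: buildbff.sh 180740 2008-07-23 09:15:38Z des $` is Subversion's expansion of the upstream `$Id$` keyword on the vendor branch (an svn revision and date rather than the upstream `buildbff.sh,v 1.10` string); the inventory.sh and findssl.sh hunks below show the same thing. Unless svn:keywords is cleared on these files, the next commit re-expands them and every future import shows these lines as changed again; either clear the property on the vendor branch or note in the commit message that the churn is expected.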
@ -1,7 +1,7 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# inventory.sh
|
||||
# $Id: inventory.sh 180740 2008-07-23 09:15:38Z des $
|
||||
# $Id: inventory.sh,v 1.6 2003/11/21 12:48:56 djm Exp $
|
||||
#
|
||||
# Originally written by Ben Lindstrom, modified by Darren Tucker to use perl
|
||||
# This file is placed into the public domain.
|
||||
|
@ -17,7 +17,7 @@
|
||||
#old cvs stuff. please update before use. may be deprecated.
|
||||
%define use_stable 1
|
||||
%if %{use_stable}
|
||||
%define version 4.6p1
|
||||
%define version 4.7p1
|
||||
%define cvs %{nil}
|
||||
%define release 1
|
||||
%else
|
||||
@ -357,4 +357,4 @@ fi
|
||||
* Mon Jan 01 1998 ...
|
||||
Template Version: 1.31
|
||||
|
||||
$Id: openssh.spec,v 1.60 2007/03/06 10:23:27 djm Exp $
|
||||
$Id: openssh.spec,v 1.61 2007/08/15 09:22:20 dtucker Exp $
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# $Id: findssl.sh 180740 2008-07-23 09:15:38Z des $
|
||||
# $Id: findssl.sh,v 1.4 2007/02/19 11:44:25 dtucker Exp $
|
||||
#
|
||||
# findssl.sh
|
||||
# Search for all instances of OpenSSL headers and libraries
|
||||
|
@ -1,4 +1,4 @@
|
||||
%define ver 4.6p1
|
||||
%define ver 4.7p1
|
||||
%define rel 1
|
||||
|
||||
# OpenSSH privilege separation requires a user & group ID
|
||||
|
@ -13,7 +13,7 @@
|
||||
|
||||
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
|
||||
Name: openssh
|
||||
Version: 4.6p1
|
||||
Version: 4.7p1
|
||||
URL: http://www.openssh.com/
|
||||
Release: 1
|
||||
Source0: openssh-%{version}.tar.gz
|
||||
|
19
defines.h
@ -25,7 +25,7 @@
|
||||
#ifndef _DEFINES_H
|
||||
#define _DEFINES_H
|
||||
|
||||
/* $Id: defines.h,v 1.138 2006/09/21 13:13:30 dtucker Exp $ */
|
||||
/* $Id: defines.h,v 1.143 2007/08/09 04:37:52 dtucker Exp $ */
|
||||
|
||||
|
||||
/* Constants */
|
||||
@ -68,7 +68,7 @@ enum
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#ifndef MAXSYMLINKS
|
||||
#if defined(HAVE_DECL_MAXSYMLINKS) && HAVE_DECL_MAXSYMLINKS == 0
|
||||
# define MAXSYMLINKS 5
|
||||
#endif
|
||||
|
||||
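Review bot: `#if defined(HAVE_DECL_MAXSYMLINKS) && HAVE_DECL_MAXSYMLINKS == 0` needs a one-line comment saying why `#ifndef MAXSYMLINKS` was not enough (AC_CHECK_DECLS compile-tests the name, so it also catches a declaration that is not a macro, which `#ifndef` misses), or the next cleanup pass will revert it; the offsetof block further down has the same shape and deserves the same comment. Note the new form also depends on config.h preceding defines.h: with HAVE_DECL_MAXSYMLINKS undefined the fallback is never defined at all, where the old `#ifndef` still provided it.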
@ -321,12 +321,6 @@ struct winsize {
|
||||
#ifndef _PATH_BSHELL
|
||||
# define _PATH_BSHELL "/bin/sh"
|
||||
#endif
|
||||
#ifndef _PATH_CSHELL
|
||||
# define _PATH_CSHELL "/bin/csh"
|
||||
#endif
|
||||
#ifndef _PATH_SHELLS
|
||||
# define _PATH_SHELLS "/etc/shells"
|
||||
#endif
|
||||
|
||||
#ifdef USER_PATH
|
||||
# ifdef _PATH_STDPATH
|
||||
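Review bot: dropping the _PATH_CSHELL and _PATH_SHELLS fallbacks is only safe if nothing under openbsd-compat or the auth code still references them on a platform whose paths.h lacks them; the `HAVE_PATHS` to `HAVE_PATHS_H` hunk later in this commit means the system paths.h is now really included, which changes which platforms hit that case. A tree-wide grep for both names on a non-BSD host is the check to record in the commit message.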
@ -449,6 +443,10 @@ struct winsize {
|
||||
# define __bounded__(x, y, z)
|
||||
#endif
|
||||
|
||||
#if !defined(HAVE_ATTRIBUTE__NONNULL__) && !defined(__nonnull__)
|
||||
# define __nonnull__(x)
|
||||
#endif
|
||||
|
||||
/* *-*-nto-qnx doesn't define this macro in the system headers */
|
||||
#ifdef MISSING_HOWMANY
|
||||
# define howmany(x,y) (((x)+((y)-1))/(y))
|
||||
@ -487,7 +485,7 @@ struct winsize {
|
||||
(struct cmsghdr *)NULL)
|
||||
#endif /* CMSG_FIRSTHDR */
|
||||
|
||||
#ifndef offsetof
|
||||
#if defined(HAVE_DECL_OFFSETOF) && HAVE_DECL_OFFSETOF == 0
|
||||
# define offsetof(type, member) ((size_t) &((type *)0)->member)
|
||||
#endif
|
||||
|
||||
@ -696,7 +694,8 @@ struct winsize {
|
||||
# define CUSTOM_SYS_AUTH_PASSWD 1
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_LIBIAF
|
||||
#if defined(HAVE_LIBIAF) && defined(HAVE_SET_ID) && !defined(BROKEN_LIBIAF)
|
||||
# define USE_LIBIAF
|
||||
# define CUSTOM_SYS_AUTH_PASSWD 1
|
||||
#endif
|
||||
|
||||
|
@ -35,8 +35,9 @@
|
||||
# include <fcntl.h>
|
||||
#endif
|
||||
#include <stdarg.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
#include <signal.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/crypto.h>
|
||||
|
51
gss-genr.c
@ -1,7 +1,7 @@
|
||||
/* $OpenBSD: gss-genr.c,v 1.17 2006/08/29 12:02:30 dtucker Exp $ */
|
||||
/* $OpenBSD: gss-genr.c,v 1.19 2007/06/12 11:56:15 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
|
||||
* Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -107,7 +107,7 @@ ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status,
|
||||
/* The GSSAPI error */
|
||||
do {
|
||||
gss_display_status(&lmin, ctxt->major,
|
||||
GSS_C_GSS_CODE, GSS_C_NULL_OID, &ctx, &msg);
|
||||
GSS_C_GSS_CODE, ctxt->oid, &ctx, &msg);
|
||||
|
||||
buffer_append(&b, msg.value, msg.length);
|
||||
buffer_put_char(&b, '\n');
|
||||
@ -118,7 +118,7 @@ ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status,
|
||||
/* The mechanism specific error */
|
||||
do {
|
||||
gss_display_status(&lmin, ctxt->minor,
|
||||
GSS_C_MECH_CODE, GSS_C_NULL_OID, &ctx, &msg);
|
||||
GSS_C_MECH_CODE, ctxt->oid, &ctx, &msg);
|
||||
|
||||
buffer_append(&b, msg.value, msg.length);
|
||||
buffer_put_char(&b, '\n');
|
||||
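Review bot: passing `ctxt->oid` instead of GSS_C_NULL_OID is right for the GSS_C_MECH_CODE call, since minor status values are mechanism-specific and the mech_type argument of gss_display_status exists to interpret them (RFC 2744, gss_display_status); for the GSS_C_GSS_CODE call the OID is not needed, so keeping GSS_C_NULL_OID there would show intent. Check that every path into ssh_gssapi_last_error has already gone through ssh_gssapi_set_oid: a context that is built but not yet bound to a mechanism hands gss_display_status whatever ssh_gssapi_build_ctx left in `oid`, and some implementations return GSS_S_BAD_MECH for an unknown OID instead of falling back to the default.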
@ -226,39 +226,6 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
|
||||
return (ctx->major);
|
||||
}
|
||||
|
||||
/* Acquire credentials for a server running on the current host.
|
||||
* Requires that the context structure contains a valid OID
|
||||
*/
|
||||
|
||||
/* Returns a GSSAPI error code */
|
||||
OM_uint32
|
||||
ssh_gssapi_acquire_cred(Gssctxt *ctx)
|
||||
{
|
||||
OM_uint32 status;
|
||||
char lname[MAXHOSTNAMELEN];
|
||||
gss_OID_set oidset;
|
||||
|
||||
gss_create_empty_oid_set(&status, &oidset);
|
||||
gss_add_oid_set_member(&status, ctx->oid, &oidset);
|
||||
|
||||
if (gethostname(lname, MAXHOSTNAMELEN)) {
|
||||
gss_release_oid_set(&status, &oidset);
|
||||
return (-1);
|
||||
}
|
||||
|
||||
if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
|
||||
gss_release_oid_set(&status, &oidset);
|
||||
return (ctx->major);
|
||||
}
|
||||
|
||||
if ((ctx->major = gss_acquire_cred(&ctx->minor,
|
||||
ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
|
||||
ssh_gssapi_error(ctx);
|
||||
|
||||
gss_release_oid_set(&status, &oidset);
|
||||
return (ctx->major);
|
||||
}
|
||||
|
||||
OM_uint32
|
||||
ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
|
||||
{
|
||||
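Review bot: with ssh_gssapi_acquire_cred now static in gss-serv.c, its prototype must come out of ssh-gss.h in the same change, otherwise the client side still carries a declaration with no definition. The removed body was the only user of MAXHOSTNAMELEN in this file (gss-serv.c gains its own `#include <sys/param.h>` for exactly that), so check whether the corresponding include here can go too.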
@ -281,16 +248,6 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
|
||||
buffer_put_cstring(b, context);
|
||||
}
|
||||
|
||||
OM_uint32
|
||||
ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
|
||||
{
|
||||
if (*ctx)
|
||||
ssh_gssapi_delete_ctx(ctx);
|
||||
ssh_gssapi_build_ctx(ctx);
|
||||
ssh_gssapi_set_oid(*ctx, oid);
|
||||
return (ssh_gssapi_acquire_cred(*ctx));
|
||||
}
|
||||
|
||||
int
|
||||
ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
|
||||
{
|
||||
|
50
gss-serv.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: gss-serv.c,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/* $OpenBSD: gss-serv.c,v 1.21 2007/06/12 08:20:00 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||
@ -29,6 +29,7 @@
|
||||
#ifdef GSSAPI
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
@ -64,6 +65,53 @@ ssh_gssapi_mech* supported_mechs[]= {
|
||||
&gssapi_null_mech,
|
||||
};
|
||||
|
||||
|
||||
/*
|
||||
* Acquire credentials for a server running on the current host.
|
||||
* Requires that the context structure contains a valid OID
|
||||
*/
|
||||
|
||||
/* Returns a GSSAPI error code */
|
||||
/* Privileged (called from ssh_gssapi_server_ctx) */
|
||||
static OM_uint32
|
||||
ssh_gssapi_acquire_cred(Gssctxt *ctx)
|
||||
{
|
||||
OM_uint32 status;
|
||||
char lname[MAXHOSTNAMELEN];
|
||||
gss_OID_set oidset;
|
||||
|
||||
gss_create_empty_oid_set(&status, &oidset);
|
||||
gss_add_oid_set_member(&status, ctx->oid, &oidset);
|
||||
|
||||
if (gethostname(lname, MAXHOSTNAMELEN)) {
|
||||
gss_release_oid_set(&status, &oidset);
|
||||
return (-1);
|
||||
}
|
||||
|
||||
if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
|
||||
gss_release_oid_set(&status, &oidset);
|
||||
return (ctx->major);
|
||||
}
|
||||
|
||||
if ((ctx->major = gss_acquire_cred(&ctx->minor,
|
||||
ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
|
||||
ssh_gssapi_error(ctx);
|
||||
|
||||
gss_release_oid_set(&status, &oidset);
|
||||
return (ctx->major);
|
||||
}
|
||||
|
||||
/* Privileged */
|
||||
OM_uint32
|
||||
ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
|
||||
{
|
||||
if (*ctx)
|
||||
ssh_gssapi_delete_ctx(ctx);
|
||||
ssh_gssapi_build_ctx(ctx);
|
||||
ssh_gssapi_set_oid(*ctx, oid);
|
||||
return (ssh_gssapi_acquire_cred(*ctx));
|
||||
}
|
||||
|
||||
/* Unprivileged */
|
||||
void
|
||||
ssh_gssapi_supported_oids(gss_OID_set *oidset)
|
||||
|
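Review bot: the moved body keeps two pre-existing problems that are cheap to fix while it is being touched: `return (-1)` when gethostname() fails is not a GSS status (it becomes 0xffffffff as OM_uint32; GSS_ERROR() fires, but ssh_gssapi_error() then asks gss_display_status to decode a bogus code), so set ctx->major to GSS_S_FAILURE and return that instead; and the return values of gss_create_empty_oid_set() and gss_add_oid_set_member() are discarded (`status` only receives the minor code), so a failed add goes unnoticed and gss_acquire_cred() runs with an empty OID set. Making the function static with the "Privileged (called from ssh_gssapi_server_ctx)" annotation is the right direction: it keeps the host credential path out of the unprivileged child.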
@ -49,7 +49,7 @@
|
||||
#ifdef HAVE_NEXT
|
||||
# include <libc.h>
|
||||
#endif
|
||||
#ifdef HAVE_PATHS
|
||||
#ifdef HAVE_PATHS_H
|
||||
# include <paths.h>
|
||||
#endif
|
||||
|
||||
|
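Review bot: this one-character change is a real fix rather than cosmetics: AC_CHECK_HEADERS(paths.h) defines HAVE_PATHS_H, so `#ifdef HAVE_PATHS` never matched and the system paths.h was silently skipped on every platform, with the _PATH_* values coming from the fallbacks in defines.h instead. It deserves its own ChangeLog line, and it is the reason the defines.h cleanup in this commit needs the tree-wide check for remaining _PATH_CSHELL/_PATH_SHELLS users.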
21
kex.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: kex.c,v 1.77 2007/01/21 01:41:54 stevesk Exp $ */
|
||||
/* $OpenBSD: kex.c,v 1.79 2007/06/05 06:52:37 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -87,7 +87,7 @@ static char **
|
||||
kex_buf2prop(Buffer *raw, int *first_kex_follows)
|
||||
{
|
||||
Buffer b;
|
||||
int i;
|
||||
u_int i;
|
||||
char **proposal;
|
||||
|
||||
proposal = xcalloc(PROPOSAL_MAX, sizeof(char *));
|
||||
@ -108,7 +108,7 @@ kex_buf2prop(Buffer *raw, int *first_kex_follows)
|
||||
*first_kex_follows = i;
|
||||
debug2("kex_parse_kexinit: first_kex_follows %d ", i);
|
||||
i = buffer_get_int(&b);
|
||||
debug2("kex_parse_kexinit: reserved %d ", i);
|
||||
debug2("kex_parse_kexinit: reserved %u ", i);
|
||||
buffer_free(&b);
|
||||
return proposal;
|
||||
}
|
||||
@ -123,6 +123,7 @@ kex_prop_free(char **proposal)
|
||||
xfree(proposal);
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
static void
|
||||
kex_protocol_error(int type, u_int32_t seq, void *ctxt)
|
||||
{
|
||||
@ -194,6 +195,7 @@ kex_send_kexinit(Kex *kex)
|
||||
kex->flags |= KEX_INIT_SENT;
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
void
|
||||
kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
|
||||
{
|
||||
@ -258,7 +260,8 @@ choose_enc(Enc *enc, char *client, char *server)
|
||||
{
|
||||
char *name = match_list(client, server, NULL);
|
||||
if (name == NULL)
|
||||
fatal("no matching cipher found: client %s server %s", client, server);
|
||||
fatal("no matching cipher found: client %s server %s",
|
||||
client, server);
|
||||
if ((enc->cipher = cipher_by_name(name)) == NULL)
|
||||
fatal("matching cipher is not supported: %s", name);
|
||||
enc->name = name;
|
||||
@ -274,8 +277,9 @@ choose_mac(Mac *mac, char *client, char *server)
|
||||
{
|
||||
char *name = match_list(client, server, NULL);
|
||||
if (name == NULL)
|
||||
fatal("no matching mac found: client %s server %s", client, server);
|
||||
if (mac_init(mac, name) < 0)
|
||||
fatal("no matching mac found: client %s server %s",
|
||||
client, server);
|
||||
if (mac_setup(mac, name) < 0)
|
||||
fatal("unsupported mac %s", name);
|
||||
/* truncate the key */
|
||||
if (datafellows & SSH_BUG_HMAC)
|
||||
@ -308,7 +312,7 @@ choose_kex(Kex *k, char *client, char *server)
|
||||
{
|
||||
k->name = match_list(client, server, NULL);
|
||||
if (k->name == NULL)
|
||||
fatal("no kex alg");
|
||||
fatal("Unable to negotiate a key exchange method");
|
||||
if (strcmp(k->name, KEX_DH1) == 0) {
|
||||
k->kex_type = KEX_DH_GRP1_SHA1;
|
||||
k->evp_md = EVP_sha1();
|
||||
@ -388,7 +392,8 @@ kex_choose_conf(Kex *kex)
|
||||
for (mode = 0; mode < MODE_MAX; mode++) {
|
||||
newkeys = xcalloc(1, sizeof(*newkeys));
|
||||
kex->newkeys[mode] = newkeys;
|
||||
ctos = (!kex->server && mode == MODE_OUT) || (kex->server && mode == MODE_IN);
|
||||
ctos = (!kex->server && mode == MODE_OUT) ||
|
||||
(kex->server && mode == MODE_IN);
|
||||
nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
|
||||
nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
|
||||
ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
|
||||
|
8
kex.h
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: kex.h,v 1.44 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/* $OpenBSD: kex.h,v 1.46 2007/06/07 19:37:34 pvalchev Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||
@ -28,6 +28,7 @@
|
||||
|
||||
#include <signal.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/hmac.h>
|
||||
|
||||
#define KEX_DH1 "diffie-hellman-group1-sha1"
|
||||
#define KEX_DH14 "diffie-hellman-group14-sha1"
|
||||
@ -86,10 +87,13 @@ struct Enc {
|
||||
struct Mac {
|
||||
char *name;
|
||||
int enabled;
|
||||
const EVP_MD *md;
|
||||
u_int mac_len;
|
||||
u_char *key;
|
||||
u_int key_len;
|
||||
int type;
|
||||
const EVP_MD *evp_md;
|
||||
HMAC_CTX evp_ctx;
|
||||
struct umac_ctx *umac_ctx;
|
||||
};
|
||||
struct Comp {
|
||||
int type;
|
||||
|
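Review bot: struct Mac now holds key material in three places, `key`, the OpenSSL HMAC_CTX `evp_ctx` embedded by value, and the heap-allocated `umac_ctx`; whoever frees a Newkeys must call mac_clear() first, or the HMAC context's internal key schedule is never wiped and the UMAC context leaks on every rekey. A comment that `evp_ctx` must not be copied by struct assignment once initialised would help, since HMAC_CTX contains EVP_MD_CTX state whose pointers would be shared by a shallow copy and then cleaned up twice.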
4
key.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: key.c,v 1.68 2006/11/06 21:25:28 markus Exp $ */
|
||||
/* $OpenBSD: key.c,v 1.69 2007/07/12 05:48:05 ray Exp $ */
|
||||
/*
|
||||
* read_bignum():
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -170,9 +170,7 @@ key_equal(const Key *a, const Key *b)
|
||||
BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
|
||||
default:
|
||||
fatal("key_equal: bad key type %d", a->type);
|
||||
break;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
u_char*
|
||||
|
5
log.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: log.c,v 1.39 2006/08/18 09:13:25 deraadt Exp $ */
|
||||
/* $OpenBSD: log.c,v 1.40 2007/05/17 07:50:31 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -44,6 +44,7 @@
|
||||
#include <string.h>
|
||||
#include <syslog.h>
|
||||
#include <unistd.h>
|
||||
#include <errno.h>
|
||||
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
|
||||
# include <vis.h>
|
||||
#endif
|
||||
@ -313,6 +314,7 @@ do_log(LogLevel level, const char *fmt, va_list args)
|
||||
char fmtbuf[MSGBUFSIZ];
|
||||
char *txt = NULL;
|
||||
int pri = LOG_INFO;
|
||||
int saved_errno = errno;
|
||||
|
||||
if (level > log_level)
|
||||
return;
|
||||
@ -373,4 +375,5 @@ do_log(LogLevel level, const char *fmt, va_list args)
|
||||
closelog();
|
||||
#endif
|
||||
}
|
||||
errno = saved_errno;
|
||||
}
|
||||
|
@ -161,6 +161,7 @@
|
||||
#include <pwd.h>
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
#include <time.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
|
129
mac.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: mac.c,v 1.12 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/* $OpenBSD: mac.c,v 1.14 2007/06/07 19:37:34 pvalchev Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -42,63 +42,126 @@
|
||||
#include "mac.h"
|
||||
#include "misc.h"
|
||||
|
||||
#include "umac.h"
|
||||
|
||||
#define SSH_EVP 1 /* OpenSSL EVP-based MAC */
|
||||
#define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */
|
||||
|
||||
struct {
|
||||
char *name;
|
||||
int type;
|
||||
const EVP_MD * (*mdfunc)(void);
|
||||
int truncatebits; /* truncate digest if != 0 */
|
||||
int key_len; /* just for UMAC */
|
||||
int len; /* just for UMAC */
|
||||
} macs[] = {
|
||||
{ "hmac-sha1", EVP_sha1, 0, },
|
||||
{ "hmac-sha1-96", EVP_sha1, 96 },
|
||||
{ "hmac-md5", EVP_md5, 0 },
|
||||
{ "hmac-md5-96", EVP_md5, 96 },
|
||||
{ "hmac-ripemd160", EVP_ripemd160, 0 },
|
||||
{ "hmac-ripemd160@openssh.com", EVP_ripemd160, 0 },
|
||||
{ NULL, NULL, 0 }
|
||||
{ "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 },
|
||||
{ "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 },
|
||||
{ "hmac-md5", SSH_EVP, EVP_md5, 0, -1, -1 },
|
||||
{ "hmac-md5-96", SSH_EVP, EVP_md5, 96, -1, -1 },
|
||||
{ "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, -1, -1 },
|
||||
{ "hmac-ripemd160@openssh.com", SSH_EVP, EVP_ripemd160, 0, -1, -1 },
|
||||
{ "umac-64@openssh.com", SSH_UMAC, NULL, 0, 128, 64 },
|
||||
{ NULL, 0, NULL, 0, -1, -1 }
|
||||
};
|
||||
|
||||
int
|
||||
mac_init(Mac *mac, char *name)
|
||||
static void
|
||||
mac_setup_by_id(Mac *mac, int which)
|
||||
{
|
||||
int i, evp_len;
|
||||
int evp_len;
|
||||
mac->type = macs[which].type;
|
||||
if (mac->type == SSH_EVP) {
|
||||
mac->evp_md = (*macs[which].mdfunc)();
|
||||
if ((evp_len = EVP_MD_size(mac->evp_md)) <= 0)
|
||||
fatal("mac %s len %d", mac->name, evp_len);
|
||||
mac->key_len = mac->mac_len = (u_int)evp_len;
|
||||
} else {
|
||||
mac->mac_len = macs[which].len / 8;
|
||||
mac->key_len = macs[which].key_len / 8;
|
||||
mac->umac_ctx = NULL;
|
||||
}
|
||||
if (macs[which].truncatebits != 0)
|
||||
mac->mac_len = macs[which].truncatebits / 8;
|
||||
}
|
||||
|
||||
int
|
||||
mac_setup(Mac *mac, char *name)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; macs[i].name; i++) {
|
||||
if (strcmp(name, macs[i].name) == 0) {
|
||||
if (mac != NULL) {
|
||||
mac->md = (*macs[i].mdfunc)();
|
||||
if ((evp_len = EVP_MD_size(mac->md)) <= 0)
|
||||
fatal("mac %s len %d", name, evp_len);
|
||||
mac->key_len = mac->mac_len = (u_int)evp_len;
|
||||
if (macs[i].truncatebits != 0)
|
||||
mac->mac_len = macs[i].truncatebits/8;
|
||||
}
|
||||
debug2("mac_init: found %s", name);
|
||||
if (mac != NULL)
|
||||
mac_setup_by_id(mac, i);
|
||||
debug2("mac_setup: found %s", name);
|
||||
return (0);
|
||||
}
|
||||
}
|
||||
debug2("mac_init: unknown %s", name);
|
||||
debug2("mac_setup: unknown %s", name);
|
||||
return (-1);
|
||||
}
|
||||
|
||||
int
|
||||
mac_init(Mac *mac)
|
||||
{
|
||||
if (mac->key == NULL)
|
||||
fatal("mac_init: no key");
|
||||
switch (mac->type) {
|
||||
case SSH_EVP:
|
||||
if (mac->evp_md == NULL)
|
||||
return -1;
|
||||
HMAC_Init(&mac->evp_ctx, mac->key, mac->key_len, mac->evp_md);
|
||||
return 0;
|
||||
case SSH_UMAC:
|
||||
mac->umac_ctx = umac_new(mac->key);
|
||||
return 0;
|
||||
default:
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
u_char *
|
||||
mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
|
||||
{
|
||||
HMAC_CTX c;
|
||||
static u_char m[EVP_MAX_MD_SIZE];
|
||||
u_char b[4];
|
||||
u_char b[4], nonce[8];
|
||||
|
||||
if (mac->key == NULL)
|
||||
fatal("mac_compute: no key");
|
||||
if (mac->mac_len > sizeof(m))
|
||||
fatal("mac_compute: mac too long");
|
||||
HMAC_Init(&c, mac->key, mac->key_len, mac->md);
|
||||
put_u32(b, seqno);
|
||||
HMAC_Update(&c, b, sizeof(b));
|
||||
HMAC_Update(&c, data, datalen);
|
||||
HMAC_Final(&c, m, NULL);
|
||||
HMAC_cleanup(&c);
|
||||
fatal("mac_compute: mac too long %u %lu",
|
||||
mac->mac_len, sizeof(m));
|
||||
|
||||
switch (mac->type) {
|
||||
case SSH_EVP:
|
||||
put_u32(b, seqno);
|
||||
/* reset HMAC context */
|
||||
HMAC_Init(&mac->evp_ctx, NULL, 0, NULL);
|
||||
HMAC_Update(&mac->evp_ctx, b, sizeof(b));
|
||||
HMAC_Update(&mac->evp_ctx, data, datalen);
|
||||
HMAC_Final(&mac->evp_ctx, m, NULL);
|
||||
break;
|
||||
case SSH_UMAC:
|
||||
put_u64(nonce, seqno);
|
||||
umac_update(mac->umac_ctx, data, datalen);
|
||||
umac_final(mac->umac_ctx, m, nonce);
|
||||
break;
|
||||
default:
|
||||
fatal("mac_compute: unknown MAC type");
|
||||
}
|
||||
return (m);
|
||||
}
|
||||
|
||||
void
|
||||
mac_clear(Mac *mac)
|
||||
{
|
||||
if (mac->type == SSH_UMAC) {
|
||||
if (mac->umac_ctx != NULL)
|
||||
umac_delete(mac->umac_ctx);
|
||||
} else if (mac->evp_md != NULL)
|
||||
HMAC_cleanup(&mac->evp_ctx);
|
||||
mac->evp_md = NULL;
|
||||
mac->umac_ctx = NULL;
|
||||
}
|
||||
|
||||
/* XXX copied from ciphers_valid */
|
||||
#define MAC_SEP ","
|
||||
int
|
||||
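Review bot: in mac_init(), `mac->umac_ctx = umac_new(mac->key)` is not checked for NULL; umac_new() allocates, and a NULL result is first dereferenced inside umac_update() in mac_compute(), so treat it like the "no key" case and fatal(). Two further points in the same hunk: the UMAC nonce is built with `put_u64(nonce, seqno)` from the 32-bit packet sequence number, and UMAC is only secure while nonces never repeat under one key (a repeated nonce lets an attacker forge tags, far worse than the HMAC case), so a comment at that line should state that the transport has to rekey before the sequence number wraps. And mac_clear() calls HMAC_cleanup(&mac->evp_ctx) whenever evp_md is set, even if mac_init() was never run; that only works because kex.c obtains Newkeys from xcalloc(), so add an HMAC_CTX_init() in mac_setup_by_id() rather than relying on the zeroed allocation.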
@ -111,7 +174,7 @@ mac_valid(const char *names)
|
||||
maclist = cp = xstrdup(names);
|
||||
for ((p = strsep(&cp, MAC_SEP)); p && *p != '\0';
|
||||
(p = strsep(&cp, MAC_SEP))) {
|
||||
if (mac_init(NULL, p) < 0) {
|
||||
if (mac_setup(NULL, p) < 0) {
|
||||
debug("bad mac %s [%s]", p, names);
|
||||
xfree(maclist);
|
||||
return (0);
|
||||
|
6
mac.h
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: mac.h,v 1.4 2006/03/25 22:22:43 djm Exp $ */
|
||||
/* $OpenBSD: mac.h,v 1.6 2007/06/07 19:37:34 pvalchev Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -24,5 +24,7 @@
|
||||
*/
|
||||
|
||||
int mac_valid(const char *);
|
||||
int mac_init(Mac *, char *);
|
||||
int mac_setup(Mac *, char *);
|
||||
int mac_init(Mac *);
|
||||
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
|
||||
void mac_clear(Mac *);
|
||||
|
18
mdoc2man.awk
@ -1,6 +1,9 @@
|
||||
#!/usr/bin/awk
|
||||
#
|
||||
# $Id: mdoc2man.awk,v 1.8 2007/06/05 10:01:16 dtucker Exp $
|
||||
#
|
||||
# Version history:
|
||||
# v4+ Adapted for OpenSSH Portable (see cvs Id and history)
|
||||
# v3, I put the program under a proper license
|
||||
# Dan Nelson <dnelson@allantgroup.com> added .An, .Aq and fixed a typo
|
||||
# v2, fixed to work on GNU awk --posix and MacOS X
|
||||
@ -135,6 +138,12 @@ function add(str) {
|
||||
nospace=0
|
||||
}
|
||||
if(match(words[w],"^Dd$")) {
|
||||
if(match(words[w+1],"^\\$Mdocdate:")) {
|
||||
w++;
|
||||
if(match(words[w+4],"^\\$$")) {
|
||||
words[w+4] = ""
|
||||
}
|
||||
}
|
||||
date=wtail()
|
||||
next
|
||||
} else if(match(words[w],"^Dt$")) {
|
||||
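Review bot: the Mdocdate handling indexes words[w+4] on the assumption that exactly three words (month, day, year) sit between "$Mdocdate:" and the closing "$"; for any other layout the trailing "$" survives into the output unnoticed. Since match() is already in use, checking that words[w+4] exists before comparing, or walking forward until a lone "$" is found, would make the conversion robust against a differently formatted date line.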
@ -157,6 +166,7 @@ function add(str) {
|
||||
refissue=""
|
||||
refdate=""
|
||||
refopt=""
|
||||
refreport=""
|
||||
reference=1
|
||||
next
|
||||
} else if(match(words[w],"^Re$")) {
|
||||
@ -168,9 +178,14 @@ function add(str) {
|
||||
}
|
||||
if(nrefauthors>1)
|
||||
add(" and ")
|
||||
add(refauthors[0] ", \\fI" reftitle "\\fP")
|
||||
if(nrefauthors>0)
|
||||
add(refauthors[0] ", ")
|
||||
add("\\fI" reftitle "\\fP")
|
||||
if(length(refissue))
|
||||
add(", " refissue)
|
||||
if(length(refreport)) {
|
||||
add(", " refreport)
|
||||
}
|
||||
if(length(refdate))
|
||||
add(", " refdate)
|
||||
if(length(refopt))
|
||||
@ -187,6 +202,7 @@ function add(str) {
|
||||
if(match(words[w],"^%N$")) { refissue=wtail() }
|
||||
if(match(words[w],"^%D$")) { refdate=wtail() }
|
||||
if(match(words[w],"^%O$")) { refopt=wtail() }
|
||||
if(match(words[w],"^%R$")) { refreport=wtail() }
|
||||
} else if(match(words[w],"^Nm$")) {
|
||||
if(synopsis) {
|
||||
add(".br")
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: monitor.c,v 1.90 2007/02/19 10:45:58 dtucker Exp $ */
|
||||
/* $OpenBSD: monitor.c,v 1.91 2007/05/17 20:52:13 djm Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||
@ -409,6 +409,7 @@ monitor_child_postauth(struct monitor *pmonitor)
|
||||
monitor_set_child_handler(pmonitor->m_pid);
|
||||
signal(SIGHUP, &monitor_child_handler);
|
||||
signal(SIGTERM, &monitor_child_handler);
|
||||
signal(SIGINT, &monitor_child_handler);
|
||||
|
||||
if (compat20) {
|
||||
mon_dispatch = mon_dispatch_postauth20;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: monitor_wrap.c,v 1.55 2007/02/19 10:45:58 dtucker Exp $ */
|
||||
/* $OpenBSD: monitor_wrap.c,v 1.57 2007/06/07 19:37:34 pvalchev Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||
@ -476,8 +476,8 @@ mm_newkeys_from_blob(u_char *blob, int blen)
|
||||
|
||||
/* Mac structure */
|
||||
mac->name = buffer_get_string(&b, NULL);
|
||||
if (mac->name == NULL || mac_init(mac, mac->name) == -1)
|
||||
fatal("%s: can not init mac %s", __func__, mac->name);
|
||||
if (mac->name == NULL || mac_setup(mac, mac->name) == -1)
|
||||
fatal("%s: can not setup mac %s", __func__, mac->name);
|
||||
mac->enabled = buffer_get_int(&b);
|
||||
mac->key = buffer_get_string(&b, &len);
|
||||
if (len > mac->key_len)
|
||||
|
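Review bot: in mm_newkeys_from_blob(), when mac->name is NULL the condition short-circuits into fatal("%s: can not setup mac %s", __func__, mac->name), which passes a NULL pointer to %s; buffer_get_string() is unlikely to return NULL, but the error path should not depend on that. Splitting the two checks, or printing the name only when it is non-NULL, removes the undefined behaviour from the failure path.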
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: myproposal.h,v 1.21 2006/03/25 22:22:43 djm Exp $ */
|
||||
/* $OpenBSD: myproposal.h,v 1.22 2007/06/07 19:37:34 pvalchev Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
@ -47,7 +47,7 @@
|
||||
"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
|
||||
"aes128-ctr,aes192-ctr,aes256-ctr"
|
||||
#define KEX_DEFAULT_MAC \
|
||||
"hmac-md5,hmac-sha1,hmac-ripemd160," \
|
||||
"hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160," \
|
||||
"hmac-ripemd160@openssh.com," \
|
||||
"hmac-sha1-96,hmac-md5-96"
|
||||
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
|
||||
|
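Review bot: the new default MAC list inserts umac-64@openssh.com after hmac-md5 and hmac-sha1, so a peer that offers all three still negotiates hmac-md5 first. If the intent is to prefer the new MAC it needs to move to the front of KEX_DEFAULT_MAC; if the ordering is deliberate, a comment noting that umac-64 yields a 64-bit tag and is therefore placed behind the 128-bit and 160-bit HMACs would explain the choice to anyone tuning the list later.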
@ -1,4 +1,4 @@
|
||||
# $Id: Makefile.in,v 1.40 2006/08/30 17:24:41 djm Exp $
|
||||
# $Id: Makefile.in,v 1.41 2007/06/25 12:15:13 dtucker Exp $
|
||||
|
||||
sysconfdir=@sysconfdir@
|
||||
piddir=@piddir@
|
||||
@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@
|
||||
|
||||
OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtonum.o strtoll.o strtoul.o vis.o
|
||||
|
||||
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
|
||||
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
|
||||
|
||||
PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* $Id: bsd-cray.c,v 1.16 2006/09/01 05:38:41 djm Exp $
|
||||
* $Id: bsd-cray.c,v 1.17 2007/08/15 09:17:43 dtucker Exp $
|
||||
*
|
||||
* bsd-cray.c
|
||||
*
|
||||
@ -751,8 +751,6 @@ cray_job_termination_handler(int sig)
|
||||
char *login = NULL;
|
||||
struct jtab jtab;
|
||||
|
||||
debug("received signal %d",sig);
|
||||
|
||||
if ((jid = waitjob(&jtab)) == -1 ||
|
||||
(login = uid2nam(jtab.j_uid)) == NULL)
|
||||
return;
|
||||
|
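Review bot: dropping the debug("received signal %d", sig) call from cray_job_termination_handler() is right, since the logging path is not async-signal-safe, but the remaining waitjob() and uid2nam() calls in the same handler are unlikely to be any safer; the usual pattern is to have the handler only record that the signal arrived and do the job table lookup from the main loop.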
@ -37,6 +37,28 @@ getpeereid(int s, uid_t *euid, gid_t *gid)
|
||||
|
||||
return (0);
|
||||
}
|
||||
#elif defined(HAVE_GETPEERUCRED)
|
||||
|
||||
#ifdef HAVE_UCRED_H
|
||||
# include <ucred.h>
|
||||
#endif
|
||||
|
||||
int
|
||||
getpeereid(int s, uid_t *euid, gid_t *gid)
|
||||
{
|
||||
ucred_t *ucred = NULL;
|
||||
|
||||
if (getpeerucred(s, &ucred) == -1)
|
||||
return (-1);
|
||||
if ((*euid = ucred_geteuid(ucred)) == -1)
|
||||
return (-1);
|
||||
if ((*gid = ucred_getrgid(ucred)) == -1)
|
||||
return (-1);
|
||||
|
||||
ucred_free(ucred);
|
||||
|
||||
return (0);
|
||||
}
|
||||
#else
|
||||
int
|
||||
getpeereid(int s, uid_t *euid, gid_t *gid)
|
||||
|
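Review bot: in the new HAVE_GETPEERUCRED branch of getpeereid(), the two early returns after a successful getpeerucred() leak ucred, because ucred_free() is only reached on the success path; freeing before each return, or using a single exit label, fixes that. Also, *euid takes the effective uid via ucred_geteuid() while *gid takes the real gid via ucred_getrgid(); if callers expect the effective group, ucred_getegid() is the matching call, and either way the asymmetry deserves a comment.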
@ -17,6 +17,7 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#include <sys/types.h>
|
||||
#ifdef HAVE_SYS_SELECT_H
|
||||
# include <sys/select.h>
|
||||
#endif
|
||||
@ -27,6 +28,7 @@
|
||||
#include <string.h>
|
||||
#include <signal.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
|
||||
@ -156,7 +158,8 @@ int nanosleep(const struct timespec *req, struct timespec *rem)
|
||||
tremain.tv_sec = 0;
|
||||
tremain.tv_usec = 0;
|
||||
}
|
||||
TIMEVAL_TO_TIMESPEC(&tremain, rem)
|
||||
if (rem != NULL)
|
||||
TIMEVAL_TO_TIMESPEC(&tremain, rem)
|
||||
|
||||
return(rc);
|
||||
}
|
||||
|
117
openbsd-compat/bsd-poll.c
Normal file
@ -0,0 +1,117 @@
|
||||
/* $Id: bsd-poll.c,v 1.1 2007/06/25 12:15:13 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2004, 2005, 2007 Darren Tucker (dtucker at zip com au).
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
#if !defined(HAVE_POLL) && defined(HAVE_SELECT)
|
||||
|
||||
#ifdef HAVE_SYS_SELECT_H
|
||||
# include <sys/select.h>
|
||||
#endif
|
||||
|
||||
#include <errno.h>
|
||||
#include "bsd-poll.h"
|
||||
|
||||
/*
|
||||
* A minimal implementation of poll(2), built on top of select(2).
|
||||
*
|
||||
* Only supports POLLIN and POLLOUT flags in pfd.events, and POLLIN, POLLOUT
|
||||
* and POLLERR flags in revents.
|
||||
*
|
||||
* Supports pfd.fd = -1 meaning "unused" although it's not standard.
|
||||
*/
|
||||
|
||||
int
|
||||
poll(struct pollfd *fds, nfds_t nfds, int timeout)
|
||||
{
|
||||
nfds_t i;
|
||||
int saved_errno, ret, fd, maxfd = 0;
|
||||
fd_set *readfds = NULL, *writefds = NULL, *exceptfds = NULL;
|
||||
size_t nmemb;
|
||||
struct timeval tv, *tvp = NULL;
|
||||
|
||||
for (i = 0; i < nfds; i++) {
|
||||
if (fd >= FD_SETSIZE) {
|
||||
errno = EINVAL;
|
||||
return -1;
|
||||
}
|
||||
maxfd = MAX(maxfd, fds[i].fd);
|
||||
}
|
||||
|
||||
nmemb = howmany(maxfd + 1 , NFDBITS);
|
||||
if ((readfds = calloc(nmemb, sizeof(fd_mask))) == NULL ||
|
||||
(writefds = calloc(nmemb, sizeof(fd_mask))) == NULL ||
|
||||
(exceptfds = calloc(nmemb, sizeof(fd_mask))) == NULL) {
|
||||
saved_errno = ENOMEM;
|
||||
ret = -1;
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* populate event bit vectors for the events we're interested in */
|
||||
for (i = 0; i < nfds; i++) {
|
||||
fd = fds[i].fd;
|
||||
if (fd == -1)
|
||||
continue;
|
||||
if (fds[i].events & POLLIN) {
|
||||
FD_SET(fd, readfds);
|
||||
FD_SET(fd, exceptfds);
|
||||
}
|
||||
if (fds[i].events & POLLOUT) {
|
||||
FD_SET(fd, writefds);
|
||||
FD_SET(fd, exceptfds);
|
||||
}
|
||||
}
|
||||
|
||||
/* poll timeout is msec, select is timeval (sec + usec) */
|
||||
if (timeout >= 0) {
|
||||
tv.tv_sec = timeout / 1000;
|
||||
tv.tv_usec = (timeout % 1000) * 1000;
|
||||
tvp = &tv;
|
||||
}
|
||||
|
||||
ret = select(maxfd + 1, readfds, writefds, exceptfds, tvp);
|
||||
saved_errno = errno;
|
||||
|
||||
/* scan through select results and set poll() flags */
|
||||
for (i = 0; i < nfds; i++) {
|
||||
fd = fds[i].fd;
|
||||
fds[i].revents = 0;
|
||||
if (fd == -1)
|
||||
continue;
|
||||
if (FD_ISSET(fd, readfds)) {
|
||||
fds[i].revents |= POLLIN;
|
||||
}
|
||||
if (FD_ISSET(fd, writefds)) {
|
||||
fds[i].revents |= POLLOUT;
|
||||
}
|
||||
if (FD_ISSET(fd, exceptfds)) {
|
||||
fds[i].revents |= POLLERR;
|
||||
}
|
||||
}
|
||||
|
||||
out:
|
||||
if (readfds != NULL)
|
||||
free(readfds);
|
||||
if (writefds != NULL)
|
||||
free(writefds);
|
||||
if (exceptfds != NULL)
|
||||
free(exceptfds);
|
||||
if (ret == -1)
|
||||
errno = saved_errno;
|
||||
return ret;
|
||||
}
|
||||
#endif
|
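Review bot: the first loop in poll() tests fd before anything has been assigned to it, so the FD_SETSIZE check runs against an uninitialised variable instead of fds[i].fd; the loop should read fd = fds[i].fd first and skip -1 entries, as the two later loops do. As written, a descriptor at or above FD_SETSIZE gets through to FD_SET() and select(), which is exactly what the check was meant to reject. Two smaller points: MAX(maxfd, fds[i].fd) is applied to -1 entries too, which is harmless only because maxfd starts at 0, and POLLERR is reported for any descriptor in exceptfds, which is broader than poll(2) but consistent with the comment above the function.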
61
openbsd-compat/bsd-poll.h
Normal file
@ -0,0 +1,61 @@
|
||||
/* $OpenBSD: poll.h,v 1.11 2003/12/10 23:10:08 millert Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1996 Theo de Raadt
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/* OPENBSD ORIGINAL: sys/sys/poll.h */
|
||||
|
||||
#if !defined(HAVE_POLL) && !defined(HAVE_POLL_H)
|
||||
#ifndef _COMPAT_POLL_H_
|
||||
#define _COMPAT_POLL_H_
|
||||
|
||||
typedef struct pollfd {
|
||||
int fd;
|
||||
short events;
|
||||
short revents;
|
||||
} pollfd_t;
|
||||
|
||||
typedef unsigned int nfds_t;
|
||||
|
||||
#define POLLIN 0x0001
|
||||
#define POLLOUT 0x0004
|
||||
#define POLLERR 0x0008
|
||||
#if 0
|
||||
/* the following are currently not implemented */
|
||||
#define POLLPRI 0x0002
|
||||
#define POLLHUP 0x0010
|
||||
#define POLLNVAL 0x0020
|
||||
#define POLLRDNORM 0x0040
|
||||
#define POLLNORM POLLRDNORM
|
||||
#define POLLWRNORM POLLOUT
|
||||
#define POLLRDBAND 0x0080
|
||||
#define POLLWRBAND 0x0100
|
||||
#endif
|
||||
|
||||
#define INFTIM (-1) /* not standard */
|
||||
|
||||
int poll(struct pollfd *, nfds_t, int);
|
||||
#endif /* !_COMPAT_POLL_H_ */
|
||||
#endif /* !HAVE_POLL_H */
|
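Review bot: bsd-poll.h is guarded by !defined(HAVE_POLL) && !defined(HAVE_POLL_H) while bsd-poll.c is compiled under !defined(HAVE_POLL) && defined(HAVE_SELECT); the two conditions can diverge (no poll.h and no select, or a poll.h without a poll function), leaving either a declaration with no definition or the reverse. Using the same condition in both files, or having the header also test HAVE_SELECT, keeps them in step.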
@ -67,13 +67,9 @@ extern int h_errno;
|
||||
#endif
|
||||
#define _THREAD_PRIVATE(a,b,c) (c)
|
||||
|
||||
/* to avoid conflicts where a platform already has _res */
|
||||
#ifdef _res
|
||||
# undef _res
|
||||
#endif
|
||||
#define _res _compat_res
|
||||
|
||||
#ifndef HAVE__RES_EXTERN
|
||||
struct __res_state _res;
|
||||
#endif
|
||||
|
||||
/* Necessary functions and macros */
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $Id: openbsd-compat.h,v 1.42 2006/09/03 12:44:50 dtucker Exp $ */
|
||||
/* $Id: openbsd-compat.h,v 1.43 2007/06/25 12:15:13 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1999-2003 Damien Miller. All rights reserved.
|
||||
@ -140,6 +140,7 @@ int writev(int, struct iovec *, int);
|
||||
/* Home grown routines */
|
||||
#include "bsd-misc.h"
|
||||
#include "bsd-waitpid.h"
|
||||
#include "bsd-poll.h"
|
||||
|
||||
#ifndef HAVE_GETPEEREID
|
||||
int getpeereid(int , uid_t *, gid_t *);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $Id: openssl-compat.h,v 1.7 2007/03/05 07:25:20 dtucker Exp $ */
|
||||
/* $Id: openssl-compat.h,v 1.10 2007/06/14 13:47:31 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
|
||||
@ -29,6 +29,11 @@
|
||||
#endif
|
||||
|
||||
#ifdef USE_BUILTIN_RIJNDAEL
|
||||
# include "rijndael.h"
|
||||
# define AES_KEY rijndael_ctx
|
||||
# define AES_BLOCK_SIZE 16
|
||||
# define AES_encrypt(a, b, c) rijndael_encrypt(c, a, b)
|
||||
# define AES_set_encrypt_key(a, b, c) rijndael_set_key(c, (char *)a, b, 1)
|
||||
# define EVP_aes_128_cbc evp_rijndael
|
||||
# define EVP_aes_192_cbc evp_rijndael
|
||||
# define EVP_aes_256_cbc evp_rijndael
|
||||
|
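Review bot: the AES_set_encrypt_key() macro for USE_BUILTIN_RIJNDAEL casts its key argument to (char *), which discards const for callers that pass a const key; if rijndael_set_key() needs a non-const pointer the cast should at least be (u_char *) with a comment that the builtin does not modify the key. The macros also reorder arguments (context last for OpenSSL, first for rijndael), which is worth a one-line comment since it is easy to get wrong when a decrypt variant is added.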
@ -240,7 +240,7 @@ sys_auth_allowed_user(struct passwd *pw, Buffer *loginmsg)
|
||||
|
||||
/*
|
||||
* Don't perform checks for root account (PermitRootLogin controls
|
||||
* logins via * ssh) or if running as non-root user (since
|
||||
* logins via ssh) or if running as non-root user (since
|
||||
* loginrestrictions will always fail due to insufficient privilege).
|
||||
*/
|
||||
if (pw->pw_uid == 0 || geteuid() != 0) {
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $Id: port-linux.c,v 1.3 2006/09/01 05:38:41 djm Exp $ */
|
||||
/* $Id: port-linux.c,v 1.4 2007/06/27 22:48:03 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||
@ -79,6 +79,7 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
case 0:
|
||||
error("%s: Failed to get default SELinux security "
|
||||
"context for %s", __func__, pwname);
|
||||
break;
|
||||
default:
|
||||
fatal("%s: Failed to get default SELinux security "
|
||||
"context for %s (in enforcing mode)",
|
||||
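Review bot: with the new break in the case 0 branch, the code after the switch in ssh_selinux_getctxbyname() must now handle a failed lookup that previously fell through to fatal(), and that path is not visible in this hunk; it should be checked that a missing context is propagated rather than used. The distinction (log and continue in permissive mode, abort in enforcing mode) is the intended one, and the same change is made in ssh_selinux_setup_exec_context() below.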
@ -115,6 +116,7 @@ ssh_selinux_setup_exec_context(char *pwname)
|
||||
case 0:
|
||||
error("%s: Failed to set SELinux execution "
|
||||
"context for %s", __func__, pwname);
|
||||
break;
|
||||
default:
|
||||
fatal("%s: Failed to set SELinux execution context "
|
||||
"for %s (in enforcing mode)", __func__, pwname);
|
||||
|
@ -79,7 +79,7 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
|
||||
#endif /* UNIXWARE_LONG_PASSWORDS */
|
||||
result = (strcmp(xcrypt(password, salt), pw_password) == 0);
|
||||
|
||||
#if !defined(BROKEN_LIBIAF)
|
||||
#ifdef USE_LIBIAF
|
||||
if (authctxt->valid)
|
||||
free(pw_password);
|
||||
#endif
|
||||
@ -127,7 +127,7 @@ nischeck(char *namep)
|
||||
functions that call shadow_pw() will need to free
|
||||
*/
|
||||
|
||||
#if !defined(BROKEN_LIBIAF)
|
||||
#ifdef USE_LIBIAF
|
||||
char *
|
||||
get_iaf_password(struct passwd *pw)
|
||||
{
|
||||
@ -144,6 +144,6 @@ get_iaf_password(struct passwd *pw)
|
||||
else
|
||||
fatal("ia_openinfo: Unable to open the shadow passwd file");
|
||||
}
|
||||
#endif /* !BROKEN_LIBIAF */
|
||||
#endif /* USE_LIBIAF */
|
||||
#endif /* HAVE_LIBIAF */
|
||||
|
||||
|
@ -24,7 +24,7 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
|
||||
#ifdef USE_LIBIAF
|
||||
char * get_iaf_password(struct passwd *pw);
|
||||
#endif
|
||||
|
||||
|
@ -38,7 +38,7 @@ main(void)
|
||||
char buf[512];
|
||||
|
||||
for (i = 0; i < NUM_OPENS; i++)
|
||||
if ((fds[i] = open("/dev/null", "r")) == -1)
|
||||
if ((fds[i] = open("/dev/null", O_RDONLY)) == -1)
|
||||
exit(0); /* can't test */
|
||||
max = i - 1;
|
||||
|
||||
|
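Review bot: the exit(0) on a failed open() still makes the test report success when /dev/null cannot be opened at all, even now that the flags argument is a proper O_RDONLY rather than the string "r" that was being passed as an int. Writing a diagnostic to stderr before exiting, or using a distinct status that configure treats as "unknown", would keep a broken build environment from passing as a working closefrom().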
@ -98,7 +98,7 @@ shadow_pw(struct passwd *pw)
|
||||
pw_password = spw->sp_pwdp;
|
||||
# endif
|
||||
|
||||
#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
|
||||
#ifdef USE_LIBIAF
|
||||
return(get_iaf_password(pw));
|
||||
#endif
|
||||
|
||||
|
@ -23,7 +23,7 @@
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/* $Id: xmmap.c,v 1.12 2006/08/24 09:58:36 dtucker Exp $ */
|
||||
/* $Id: xmmap.c,v 1.14 2007/06/11 02:52:24 djm Exp $ */
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
@ -38,12 +38,14 @@
|
||||
#endif
|
||||
#include <errno.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "log.h"
|
||||
|
||||
void *xmmap(size_t size)
|
||||
void *
|
||||
xmmap(size_t size)
|
||||
{
|
||||
#ifdef HAVE_MMAP
|
||||
void *address;
|
||||
|
@ -19,7 +19,7 @@
|
||||
<service_bundle type='manifest' name='OpenSSH server'>
|
||||
|
||||
<service
|
||||
name='site/openssh'
|
||||
name='site/__SYSVINIT_NAME__'
|
||||
type='service'
|
||||
version='1'>
|
||||
|
||||
@ -56,7 +56,7 @@
|
||||
<exec_method
|
||||
name='start'
|
||||
type='method'
|
||||
exec='/lib/svc/method/site/__SYSVINIT_NAME__ start'
|
||||
exec='__SMF_METHOD_DIR__/__SYSVINIT_NAME__ start'
|
||||
timeout_seconds='60'>
|
||||
<method_context/>
|
||||
</exec_method>
|
||||
|
10
packet.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: packet.c,v 1.145 2006/09/19 21:14:08 markus Exp $ */
|
||||
/* $OpenBSD: packet.c,v 1.148 2007/06/07 19:37:34 pvalchev Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -629,7 +629,7 @@ set_newkeys(int mode)
|
||||
enc = &newkeys[mode]->enc;
|
||||
mac = &newkeys[mode]->mac;
|
||||
comp = &newkeys[mode]->comp;
|
||||
memset(mac->key, 0, mac->key_len);
|
||||
mac_clear(mac);
|
||||
xfree(enc->name);
|
||||
xfree(enc->iv);
|
||||
xfree(enc->key);
|
||||
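Review bot: replacing memset(mac->key, 0, mac->key_len) with mac_clear(mac) drops the explicit wipe of the outgoing MAC key, and mac_clear() as shown in mac.c only frees the HMAC or UMAC context; unless the key buffer is zeroed before the xfree() that follows these lines, the old MAC key now lingers in freed heap memory. Keeping the memset next to mac_clear(), or having mac_clear() wipe mac->key itself, restores the previous behaviour.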
@ -644,14 +644,15 @@ set_newkeys(int mode)
|
||||
enc = &newkeys[mode]->enc;
|
||||
mac = &newkeys[mode]->mac;
|
||||
comp = &newkeys[mode]->comp;
|
||||
if (mac->md != NULL)
|
||||
if (mac_init(mac) == 0)
|
||||
mac->enabled = 1;
|
||||
DBG(debug("cipher_init_context: %d", mode));
|
||||
cipher_init(cc, enc->cipher, enc->key, enc->key_len,
|
||||
enc->iv, enc->block_size, crypt_type);
|
||||
/* Deleting the keys does not gain extra security */
|
||||
/* memset(enc->iv, 0, enc->block_size);
|
||||
memset(enc->key, 0, enc->key_len); */
|
||||
memset(enc->key, 0, enc->key_len);
|
||||
memset(mac->key, 0, mac->key_len); */
|
||||
if ((comp->type == COMP_ZLIB ||
|
||||
(comp->type == COMP_DELAYED && after_authentication)) &&
|
||||
comp->enabled == 0) {
|
||||
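Review bot: the new if (mac_init(mac) == 0) mac->enabled = 1 leaves the MAC silently disabled when mac_init() fails, whereas the old test on mac->md could not fail once the name had resolved; a MAC that cannot be keyed should be a fatal() rather than a quietly unauthenticated stream. Also, the memset(mac->key, 0, mac->key_len) added here sits inside the commented-out block and so has no effect; if the key is meant to be wiped once mac_init() has consumed it, it needs to be live code.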
@ -1235,7 +1236,6 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
|
||||
logit("Received disconnect from %s: %.400s",
|
||||
get_remote_ipaddr(), msg);
|
||||
cleanup_exit(255);
|
||||
xfree(msg);
|
||||
break;
|
||||
default:
|
||||
if (type)
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: readconf.c,v 1.161 2007/01/21 01:45:35 stevesk Exp $ */
|
||||
/* $OpenBSD: readconf.c,v 1.162 2007/03/20 03:56:12 tedu Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -1224,7 +1224,7 @@ parse_forward(Forward *fwd, const char *fwdspec)
|
||||
cp = p = xstrdup(fwdspec);
|
||||
|
||||
/* skip leading spaces */
|
||||
while (*cp && isspace(*cp))
|
||||
while (isspace(*cp))
|
||||
cp++;
|
||||
|
||||
for (i = 0; i < 4; ++i)
|
||||
|
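Review bot: dropping the *cp test is safe because isspace('\0') is false, but isspace(*cp) with a plain char argument is undefined for bytes above 0x7f on platforms where char is signed; the argument should be cast to (unsigned char), which matters here because fwdspec comes straight from the user's configuration.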
@ -7,7 +7,9 @@ UNPRIV=nobody
|
||||
ASOCK=${OBJ}/agent
|
||||
SSH_AUTH_SOCK=/nonexistant
|
||||
|
||||
if grep "#undef.*HAVE_GETPEEREID" ${BUILDDIR}/config.h >/dev/null 2>&1
|
||||
if grep "#undef.*HAVE_GETPEEREID" ${BUILDDIR}/config.h >/dev/null 2>&1 && \
|
||||
grep "#undef.*HAVE_GETPEERUCRED" ${BUILDDIR}/config.h >/dev/null && \
|
||||
grep "#undef.*HAVE_SO_PEERCRED" ${BUILDDIR}/config.h >/dev/null
|
||||
then
|
||||
echo "skipped (not supported on this platform)"
|
||||
exit 0
|
||||
|
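Review bot: the two added grep calls for HAVE_GETPEERUCRED and HAVE_SO_PEERCRED redirect only stdout, while the first one uses >/dev/null 2>&1; if config.h is missing the extra greps print an error into the test output, so the redirection should be the same on all three. Where the test shells support it, grep -q would also shorten the chain.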
@ -32,6 +32,7 @@
|
||||
#include <openssl/x509.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
|
||||
#include <opensc/opensc.h>
|
||||
#include <opensc/pkcs15.h>
|
||||
|
4
scp.0
@ -6,7 +6,7 @@ NAME
|
||||
SYNOPSIS
|
||||
scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]
|
||||
[-l limit] [-o ssh_option] [-P port] [-S program]
|
||||
[[user@]host1:]file1 [...] [[user@]host2:]file2
|
||||
[[user@]host1:]file1 ... [[user@]host2:]file2
|
||||
|
||||
DESCRIPTION
|
||||
scp copies files between hosts on a network. It uses ssh(1) for data
|
||||
@ -141,4 +141,4 @@ AUTHORS
|
||||
Timo Rinne <tri@iki.fi>
|
||||
Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
||||
OpenBSD 4.1 September 25, 1999 3
|
||||
OpenBSD 4.2 August 8, 2007 3
|
||||
|
6
scp.1
@ -9,9 +9,9 @@
|
||||
.\"
|
||||
.\" Created: Sun May 7 00:14:37 1995 ylo
|
||||
.\"
|
||||
.\" $OpenBSD: scp.1,v 1.40 2006/07/18 07:56:28 jmc Exp $
|
||||
.\" $OpenBSD: scp.1,v 1.42 2007/08/06 19:16:06 sobrado Exp $
|
||||
.\"
|
||||
.Dd September 25, 1999
|
||||
.Dd $Mdocdate: August 8 2007 $
|
||||
.Dt SCP 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -34,7 +34,7 @@
|
||||
.Ar host1 No :
|
||||
.Oc Ns Ar file1
|
||||
.Sm on
|
||||
.Op Ar ...
|
||||
.Ar ...
|
||||
.Sm off
|
||||
.Oo
|
||||
.Op Ar user No @
|
||||
|
24
scp.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: scp.c,v 1.156 2007/01/22 13:06:21 djm Exp $ */
|
||||
/* $OpenBSD: scp.c,v 1.160 2007/08/06 19:16:06 sobrado Exp $ */
|
||||
/*
|
||||
* scp - secure remote copy. This is basically patched BSD rcp which
|
||||
* uses ssh to do the data transfer (instead of using rcmd).
|
||||
@ -96,6 +96,9 @@
|
||||
#include <string.h>
|
||||
#include <time.h>
|
||||
#include <unistd.h>
|
||||
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
|
||||
#include <vis.h>
|
||||
#endif
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "atomicio.h"
|
||||
@ -582,7 +585,7 @@ source(int argc, char **argv)
|
||||
off_t i, amt, statbytes;
|
||||
size_t result;
|
||||
int fd = -1, haderr, indx;
|
||||
char *last, *name, buf[2048];
|
||||
char *last, *name, buf[2048], encname[MAXPATHLEN];
|
||||
int len;
|
||||
|
||||
for (indx = 0; indx < argc; ++indx) {
|
||||
@ -591,17 +594,17 @@ source(int argc, char **argv)
|
||||
len = strlen(name);
|
||||
while (len > 1 && name[len-1] == '/')
|
||||
name[--len] = '\0';
|
||||
if (strchr(name, '\n') != NULL) {
|
||||
run_err("%s: skipping, filename contains a newline",
|
||||
name);
|
||||
goto next;
|
||||
}
|
||||
if ((fd = open(name, O_RDONLY, 0)) < 0)
|
||||
if ((fd = open(name, O_RDONLY|O_NONBLOCK, 0)) < 0)
|
||||
goto syserr;
|
||||
if (strchr(name, '\n') != NULL) {
|
||||
strnvis(encname, name, sizeof(encname), VIS_NL);
|
||||
name = encname;
|
||||
}
|
||||
if (fstat(fd, &stb) < 0) {
|
||||
syserr: run_err("%s: %s", name, strerror(errno));
|
||||
goto next;
|
||||
}
|
||||
unset_nonblock(fd);
|
||||
switch (stb.st_mode & S_IFMT) {
|
||||
case S_IFREG:
|
||||
break;
|
||||
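Review bot: the goto syserr on a failed open() in source() runs before the strnvis() encoding, so run_err() reports the raw name, newline included; moving the encoding ahead of the open(), or applying it in the error path too, closes that gap. The encoding itself is what keeps a newline in a filename from reaching the peer as a second line of the line-oriented scp protocol, since the rest of the function works on the encoded name, and a comment saying so would stop someone from simplifying it away later. Note also that strnvis() into encname[MAXPATHLEN] truncates silently when the encoded form is longer than the original.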
@ -1021,7 +1024,8 @@ bad: run_err("%s: %s", np, strerror(errno));
|
||||
wrerr = YES;
|
||||
wrerrno = errno;
|
||||
}
|
||||
if (wrerr == NO && ftruncate(ofd, size) != 0) {
|
||||
if (wrerr == NO && (!exists || S_ISREG(stb.st_mode)) &&
|
||||
ftruncate(ofd, size) != 0) {
|
||||
run_err("%s: truncate: %s", np, strerror(errno));
|
||||
wrerr = DISPLAYED;
|
||||
}
|
||||
@ -1116,7 +1120,7 @@ usage(void)
|
||||
(void) fprintf(stderr,
|
||||
"usage: scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
|
||||
" [-l limit] [-o ssh_option] [-P port] [-S program]\n"
|
||||
" [[user@]host1:]file1 [...] [[user@]host2:]file2\n");
|
||||
" [[user@]host1:]file1 ... [[user@]host2:]file2\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: servconf.c,v 1.170 2007/03/01 10:28:02 dtucker Exp $ */
|
||||
/* $OpenBSD: servconf.c,v 1.172 2007/04/23 10:15:39 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
@ -592,7 +592,6 @@ match_cfg_line(char **condition, int line, const char *user, const char *host,
|
||||
debug("connection from %.100s matched 'Host "
|
||||
"%.100s' at line %d", host, arg, line);
|
||||
} else if (strcasecmp(attrib, "address") == 0) {
|
||||
debug("address '%s' arg '%s'", address, arg);
|
||||
if (!address) {
|
||||
result = 0;
|
||||
continue;
|
||||
@ -1387,8 +1386,4 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
|
||||
if (bad_options > 0)
|
||||
fatal("%s: terminating, %d bad configuration options",
|
||||
filename, bad_options);
|
||||
|
||||
/* challenge-response is implemented via keyboard interactive */
|
||||
if (options->challenge_response_authentication == 1)
|
||||
options->kbd_interactive_authentication = 1;
|
||||
}
|
||||
|
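Review bot: the block that set kbd_interactive_authentication whenever challenge_response_authentication was enabled is removed from parse_server_config() without a replacement in this hunk; if the mapping has moved elsewhere (for instance to where options are finalised after Match processing) that is fine, otherwise ChallengeResponseAuthentication would no longer enable keyboard-interactive. Worth confirming before the import is taken as-is.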
28
session.c
@ -1310,7 +1310,7 @@ do_setusercontext(struct passwd *pw)
|
||||
# ifdef USE_PAM
|
||||
if (options.use_pam) {
|
||||
do_pam_session();
|
||||
do_pam_setcred(0);
|
||||
do_pam_setcred(use_privsep);
|
||||
}
|
||||
# endif /* USE_PAM */
|
||||
if (setusercontext(lc, pw, pw->pw_uid,
|
||||
@ -1352,7 +1352,7 @@ do_setusercontext(struct passwd *pw)
|
||||
*/
|
||||
if (options.use_pam) {
|
||||
do_pam_session();
|
||||
do_pam_setcred(0);
|
||||
do_pam_setcred(use_privsep);
|
||||
}
|
||||
# endif /* USE_PAM */
|
||||
# if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
|
||||
@ -1361,11 +1361,11 @@ do_setusercontext(struct passwd *pw)
|
||||
# ifdef _AIX
|
||||
aix_usrinfo(pw);
|
||||
# endif /* _AIX */
|
||||
#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
|
||||
#ifdef USE_LIBIAF
|
||||
if (set_id(pw->pw_name) != 0) {
|
||||
exit(1);
|
||||
}
|
||||
#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
|
||||
#endif /* USE_LIBIAF */
|
||||
/* Permanently switch to the desired uid. */
|
||||
permanently_set_uid(pw);
|
||||
#endif
|
||||
@ -2478,8 +2478,19 @@ do_cleanup(Authctxt *authctxt)
|
||||
return;
|
||||
called = 1;
|
||||
|
||||
if (authctxt == NULL || !authctxt->authenticated)
|
||||
if (authctxt == NULL)
|
||||
return;
|
||||
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam) {
|
||||
sshpam_cleanup();
|
||||
sshpam_thread_cleanup();
|
||||
}
|
||||
#endif
|
||||
|
||||
if (!authctxt->authenticated)
|
||||
return;
|
||||
|
||||
#ifdef KRB5
|
||||
if (options.kerberos_ticket_cleanup &&
|
||||
authctxt->krb5_ctx)
|
||||
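Review bot: moving the USE_PAM cleanup ahead of the authenticated check in do_cleanup() is a deliberate ordering change, since sshpam_cleanup() and sshpam_thread_cleanup() must now run for sessions that never authenticated; a comment above the block saying that PAM state can exist before authentication would make clear that it must not be folded back under the guard. The second hunk removes the old copy, so nothing runs twice.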
@ -2491,13 +2502,6 @@ do_cleanup(Authctxt *authctxt)
|
||||
ssh_gssapi_cleanup_creds();
|
||||
#endif
|
||||
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam) {
|
||||
sshpam_cleanup();
|
||||
sshpam_thread_cleanup();
|
||||
}
|
||||
#endif
|
||||
|
||||
/* remove agent socket */
|
||||
auth_sock_cleanup_proc(authctxt->pw);
|
||||
|
||||
|
@ -43,4 +43,4 @@ HISTORY
|
||||
AUTHORS
|
||||
Markus Friedl <markus@openbsd.org>
|
||||
|
||||
OpenBSD 4.1 August 30, 2000 1
|
||||
OpenBSD 4.2 June 5, 2007 1
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: sftp-server.8,v 1.11 2006/07/06 10:47:57 djm Exp $
|
||||
.\" $OpenBSD: sftp-server.8,v 1.12 2007/05/31 19:20:16 jmc Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
.\"
|
||||
@ -22,7 +22,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd August 30, 2000
|
||||
.Dd $Mdocdate: June 5 2007 $
|
||||
.Dt SFTP-SERVER 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: sftp-server.c,v 1.71 2007/01/03 07:22:36 stevesk Exp $ */
|
||||
/* $OpenBSD: sftp-server.c,v 1.73 2007/05/17 07:55:29 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -319,7 +319,8 @@ handle_log_close(int handle, char *emsg)
|
||||
logit("%s%sclose \"%s\" bytes read %llu written %llu",
|
||||
emsg == NULL ? "" : emsg, emsg == NULL ? "" : " ",
|
||||
handle_to_name(handle),
|
||||
handle_bytes_read(handle), handle_bytes_write(handle));
|
||||
(unsigned long long)handle_bytes_read(handle),
|
||||
(unsigned long long)handle_bytes_write(handle));
|
||||
} else {
|
||||
logit("%s%sclosedir \"%s\"",
|
||||
emsg == NULL ? "" : emsg, emsg == NULL ? "" : " ",
|
||||
@ -702,7 +703,8 @@ process_setstat(void)
|
||||
a = get_attrib();
|
||||
debug("request %u: setstat name \"%s\"", id, name);
|
||||
if (a->flags & SSH2_FILEXFER_ATTR_SIZE) {
|
||||
logit("set \"%s\" size %llu", name, a->size);
|
||||
logit("set \"%s\" size %llu",
|
||||
name, (unsigned long long)a->size);
|
||||
ret = truncate(name, a->size);
|
||||
if (ret == -1)
|
||||
status = errno_to_portable(errno);
|
||||
@ -754,7 +756,8 @@ process_fsetstat(void)
|
||||
char *name = handle_to_name(handle);
|
||||
|
||||
if (a->flags & SSH2_FILEXFER_ATTR_SIZE) {
|
||||
logit("set \"%s\" size %llu", name, a->size);
|
||||
logit("set \"%s\" size %llu",
|
||||
name, (unsigned long long)a->size);
|
||||
ret = ftruncate(fd, a->size);
|
||||
if (ret == -1)
|
||||
status = errno_to_portable(errno);
|
||||
@ -1211,7 +1214,7 @@ main(int argc, char **argv)
|
||||
int in, out, max, ch, skipargs = 0, log_stderr = 0;
|
||||
ssize_t len, olen, set_size;
|
||||
SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
|
||||
char *cp;
|
||||
char *cp, buf[4*4096];
|
||||
|
||||
extern char *optarg;
|
||||
extern char *__progname;
|
||||
@ -1295,7 +1298,15 @@ main(int argc, char **argv)
|
||||
memset(rset, 0, set_size);
|
||||
memset(wset, 0, set_size);
|
||||
|
||||
FD_SET(in, rset);
|
||||
/*
|
||||
* Ensure that we can read a full buffer and handle
|
||||
* the worst-case length packet it can generate,
|
||||
* otherwise apply backpressure by stopping reads.
|
||||
*/
|
||||
if (buffer_check_alloc(&iqueue, sizeof(buf)) &&
|
||||
buffer_check_alloc(&oqueue, SFTP_MAX_MSG_LENGTH))
|
||||
FD_SET(in, rset);
|
||||
|
||||
olen = buffer_len(&oqueue);
|
||||
if (olen > 0)
|
||||
FD_SET(out, wset);
|
||||
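Review bot: gating FD_SET(in, rset) on buffer_check_alloc() for both queues is the right way to apply backpressure, but the loop's liveness now rests on an invariant that is not written down: a full SFTP message must always fit in iqueue once process() has been allowed to run, and oqueue must be able to drain before iqueue stops accepting input, otherwise select() is entered with neither descriptor set (in is skipped and olen is 0). A comment stating the relationship between the buffer limit, sizeof(buf) and SFTP_MAX_MSG_LENGTH would document why the loop cannot stall.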
@ -1309,7 +1320,6 @@ main(int argc, char **argv)
|
||||
|
||||
/* copy stdin to iqueue */
|
||||
if (FD_ISSET(in, rset)) {
|
||||
char buf[4*4096];
|
||||
len = read(in, buf, sizeof buf);
|
||||
if (len == 0) {
|
||||
debug("read eof");
|
||||
@ -1331,7 +1341,13 @@ main(int argc, char **argv)
|
||||
buffer_consume(&oqueue, len);
|
||||
}
|
||||
}
|
||||
/* process requests from client */
|
||||
process();
|
||||
|
||||
/*
|
||||
* Process requests from client if we can fit the results
|
||||
* into the output buffer, otherwise stop processing input
|
||||
* and let the output queue drain.
|
||||
*/
|
||||
if (buffer_check_alloc(&oqueue, SFTP_MAX_MSG_LENGTH))
|
||||
process();
|
||||
}
|
||||
}
|
||||
|
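Review bot: the guard reserves room for one SFTP_MAX_MSG_LENGTH reply before each process() call, which is only sufficient because process() handles a single request per call; say so in the comment, since a later change that drains several queued requests in one call would outrun the check and trip the buffer limit instead of applying backpressure.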
2
sftp.0
@ -263,4 +263,4 @@ SEE ALSO
|
||||
T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
|
||||
filexfer-00.txt, January 2001, work in progress material.
|
||||
|
||||
OpenBSD 4.1 February 4, 2001 4
|
||||
OpenBSD 4.2 June 5, 2007 4
|
||||
|
4
sftp.1
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: sftp.1,v 1.63 2006/01/20 00:14:55 dtucker Exp $
|
||||
.\" $OpenBSD: sftp.1,v 1.64 2007/05/31 19:20:16 jmc Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2001 Damien Miller. All rights reserved.
|
||||
.\"
|
||||
@ -22,7 +22,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd February 4, 2001
|
||||
.Dd $Mdocdate: June 5 2007 $
|
||||
.Dt SFTP 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
10
ssh-add.0
@ -30,8 +30,12 @@ DESCRIPTION
|
||||
|
||||
-D Deletes all identities from the agent.
|
||||
|
||||
-d Instead of adding the identity, removes the identity from the
|
||||
agent.
|
||||
-d Instead of adding identities, removes identities from the agent.
|
||||
If ssh-add has been run without arguments, the keys for the de-
|
||||
fault identities will be removed. Otherwise, the argument list
|
||||
will be interpreted as a list of paths to public key files and
|
||||
matching keys will be removed from the agent. If no public key
|
||||
is found at a given path, ssh-add will append .pub and retry.
|
||||
|
||||
-e reader
|
||||
Remove key in smartcard reader.
|
||||
@ -99,4 +103,4 @@ AUTHORS
|
||||
ated OpenSSH. Markus Friedl contributed the support for SSH protocol
|
||||
versions 1.5 and 2.0.
|
||||
|
||||
OpenBSD 4.1 September 25, 1999 2
|
||||
OpenBSD 4.2 June 12, 2007 2
|
||||
|
17
ssh-add.1
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: ssh-add.1,v 1.43 2005/04/21 06:17:50 djm Exp $
|
||||
.\" $OpenBSD: ssh-add.1,v 1.46 2007/06/12 13:41:03 jmc Exp $
|
||||
.\"
|
||||
.\" -*- nroff -*-
|
||||
.\"
|
||||
@ -37,7 +37,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd September 25, 1999
|
||||
.Dd $Mdocdate: June 12 2007 $
|
||||
.Dt SSH-ADD 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -89,7 +89,18 @@ program, rather than text entered into the requester.
|
||||
.It Fl D
|
||||
Deletes all identities from the agent.
|
||||
.It Fl d
|
||||
Instead of adding the identity, removes the identity from the agent.
|
||||
Instead of adding identities, removes identities from the agent.
|
||||
If
|
||||
.Nm
|
||||
has been run without arguments, the keys for the default identities will
|
||||
be removed.
|
||||
Otherwise, the argument list will be interpreted as a list of paths to
|
||||
public key files and matching keys will be removed from the agent.
|
||||
If no public key is found at a given path,
|
||||
.Nm
|
||||
will append
|
||||
.Pa .pub
|
||||
and retry.
|
||||
.It Fl e Ar reader
|
||||
Remove key in smartcard
|
||||
.Ar reader .
|
||||
|
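Review bot: the new -d text explains the .pub retry but not that the file named on the command line is read only for its public half, so removing a key never needs the private key or its passphrase; one clause saying so would answer a common question and make the "list of paths to public key files" wording less surprising when a private key path is given.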
@ -114,4 +114,4 @@ AUTHORS
|
||||
ated OpenSSH. Markus Friedl contributed the support for SSH protocol
|
||||
versions 1.5 and 2.0.
|
||||
|
||||
OpenBSD 4.1 September 25, 1999 2
|
||||
OpenBSD 4.2 June 5, 2007 2
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: ssh-agent.1,v 1.44 2006/07/18 08:03:09 jmc Exp $
|
||||
.\" $OpenBSD: ssh-agent.1,v 1.45 2007/05/31 19:20:16 jmc Exp $
|
||||
.\"
|
||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -34,7 +34,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd September 25, 1999
|
||||
.Dd $Mdocdate: June 5 2007 $
|
||||
.Dt SSH-AGENT 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
66
ssh-agent.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssh-agent.c,v 1.154 2007/02/28 00:55:30 dtucker Exp $ */
|
||||
/* $OpenBSD: ssh-agent.c,v 1.155 2007/03/19 12:16:42 dtucker Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -120,6 +120,7 @@ int max_fd = 0;
|
||||
|
||||
/* pid of shell == parent of agent */
|
||||
pid_t parent_pid = -1;
|
||||
u_int parent_alive_interval = 0;
|
||||
|
||||
/* pathname and directory for AUTH_SOCKET */
|
||||
char socket_name[MAXPATHLEN];
|
||||
@ -421,10 +422,11 @@ process_remove_all_identities(SocketEntry *e, int version)
|
||||
buffer_put_char(&e->output, SSH_AGENT_SUCCESS);
|
||||
}
|
||||
|
||||
static void
|
||||
/* removes expired keys and returns number of seconds until the next expiry */
|
||||
static u_int
|
||||
reaper(void)
|
||||
{
|
||||
u_int now = time(NULL);
|
||||
u_int deadline = 0, now = time(NULL);
|
||||
Identity *id, *nxt;
|
||||
int version;
|
||||
Idtab *tab;
|
||||
@ -433,14 +435,22 @@ reaper(void)
|
||||
tab = idtab_lookup(version);
|
||||
for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) {
|
||||
nxt = TAILQ_NEXT(id, next);
|
||||
if (id->death != 0 && now >= id->death) {
|
||||
if (id->death == 0)
|
||||
continue;
|
||||
if (now >= id->death) {
|
||||
debug("expiring key '%s'", id->comment);
|
||||
TAILQ_REMOVE(&tab->idlist, id, next);
|
||||
free_identity(id);
|
||||
tab->nentries--;
|
||||
}
|
||||
} else
|
||||
deadline = (deadline == 0) ? id->death :
|
||||
MIN(deadline, id->death);
|
||||
}
|
||||
}
|
||||
if (deadline == 0 || deadline <= now)
|
||||
return 0;
|
||||
else
|
||||
return (deadline - now);
|
||||
}
|
||||
|
||||
static void
|
||||
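Review bot: reaper() now returns 0 both when no surviving key has a lifetime and as the value prepare_select() turns into a NULL timeout, so 0 must never mean "expire now"; the `if (id->death == 0) continue;` skip and the final `deadline == 0 || deadline <= now` guard enforce that, but the return contract deserves a sentence in the comment above the function. Note also that `u_int deadline = 0, now = time(NULL);` narrows time_t to u_int; that was already true of `now`, and `deadline - now` stays correct only because both sides are truncated the same way.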
@ -826,10 +836,12 @@ new_socket(sock_type type, int fd)
|
||||
}
|
||||
|
||||
static int
|
||||
prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp)
|
||||
prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp,
|
||||
struct timeval **tvpp)
|
||||
{
|
||||
u_int i, sz;
|
||||
u_int i, sz, deadline;
|
||||
int n = 0;
|
||||
static struct timeval tv;
|
||||
|
||||
for (i = 0; i < sockets_alloc; i++) {
|
||||
switch (sockets[i].type) {
|
||||
@ -873,6 +885,17 @@ prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp)
|
||||
break;
|
||||
}
|
||||
}
|
||||
deadline = reaper();
|
||||
if (parent_alive_interval != 0)
|
||||
deadline = (deadline == 0) ? parent_alive_interval :
|
||||
MIN(deadline, parent_alive_interval);
|
||||
if (deadline == 0) {
|
||||
*tvpp = NULL;
|
||||
} else {
|
||||
tv.tv_sec = deadline;
|
||||
tv.tv_usec = 0;
|
||||
*tvpp = &tv;
|
||||
}
|
||||
return (1);
|
||||
}
|
||||
|
||||
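Review bot: `static struct timeval tv` handed back through *tvpp is fine for this single-threaded loop, but the pointer is only valid until the next prepare_select() call; a comment at the declaration would record that. The combined deadline keeps the old behaviour when a parent is being watched (select() wakes at most every parent_alive_interval seconds) and only blocks indefinitely when there is neither a parent to watch nor a key with a lifetime, which is the intended replacement for the previous unconditional 10-second wakeup.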
@ -980,19 +1003,14 @@ cleanup_handler(int sig)
|
||||
_exit(2);
|
||||
}
|
||||
|
||||
/*ARGSUSED*/
|
||||
static void
|
||||
check_parent_exists(int sig)
|
||||
check_parent_exists(void)
|
||||
{
|
||||
int save_errno = errno;
|
||||
|
||||
if (parent_pid != -1 && kill(parent_pid, 0) < 0) {
|
||||
/* printf("Parent has died - Authentication agent exiting.\n"); */
|
||||
cleanup_handler(sig); /* safe */
|
||||
cleanup_socket();
|
||||
_exit(2);
|
||||
}
|
||||
mysignal(SIGALRM, check_parent_exists);
|
||||
alarm(10);
|
||||
errno = save_errno;
|
||||
}
|
||||
|
||||
static void
|
||||
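Review bot: now that check_parent_exists() is an ordinary function called from the main loop rather than a SIGALRM handler, the `/*ARGSUSED*/` lint marker and the `int save_errno = errno;` / `errno = save_errno;` pair are leftovers; the caller already captures select()'s errno into saved_errno before calling it, so both can be dropped along with the now-unused signal plumbing.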
@ -1027,7 +1045,7 @@ main(int ac, char **av)
|
||||
extern char *optarg;
|
||||
pid_t pid;
|
||||
char pidstrbuf[1 + 3 * sizeof pid];
|
||||
struct timeval tv;
|
||||
struct timeval *tvp = NULL;
|
||||
|
||||
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
||||
sanitise_stdfd();
|
||||
@ -1228,10 +1246,8 @@ main(int ac, char **av)
|
||||
|
||||
skip:
|
||||
new_socket(AUTH_SOCKET, sock);
|
||||
if (ac > 0) {
|
||||
mysignal(SIGALRM, check_parent_exists);
|
||||
alarm(10);
|
||||
}
|
||||
if (ac > 0)
|
||||
parent_alive_interval = 10;
|
||||
idtab_init();
|
||||
if (!d_flag)
|
||||
signal(SIGINT, SIG_IGN);
|
||||
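Review bot: `parent_alive_interval = 10;` reintroduces the 10-second interval as a bare literal that prepare_select() later folds into the select() timeout; a named constant used in both places would keep the two in step if the interval is ever tuned.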
@ -1241,12 +1257,12 @@ skip:
|
||||
nalloc = 0;
|
||||
|
||||
while (1) {
|
||||
tv.tv_sec = 10;
|
||||
tv.tv_usec = 0;
|
||||
prepare_select(&readsetp, &writesetp, &max_fd, &nalloc);
|
||||
result = select(max_fd + 1, readsetp, writesetp, NULL, &tv);
|
||||
prepare_select(&readsetp, &writesetp, &max_fd, &nalloc, &tvp);
|
||||
result = select(max_fd + 1, readsetp, writesetp, NULL, tvp);
|
||||
saved_errno = errno;
|
||||
reaper(); /* remove expired keys */
|
||||
if (parent_alive_interval != 0)
|
||||
check_parent_exists();
|
||||
(void) reaper(); /* remove expired keys */
|
||||
if (result < 0) {
|
||||
if (saved_errno == EINTR)
|
||||
continue;
|
||||
|
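Review bot: the ordering here matters and should be commented: check_parent_exists() calls kill(), which can clobber errno, so saved_errno must be taken from select() first, as it is, and the EINTR test below must keep using the saved copy. The second `(void) reaper();` call is also deliberate rather than redundant with the one inside prepare_select(): it removes keys that expired while select() was sleeping before any request on the sockets is serviced, so it should not be "tidied" away.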
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssh-gss.h,v 1.9 2006/08/18 14:40:34 djm Exp $ */
|
||||
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||
*
|
||||
@ -105,7 +105,6 @@ void ssh_gssapi_supported_oids(gss_OID_set *);
|
||||
ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *);
|
||||
|
||||
OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
|
||||
OM_uint32 ssh_gssapi_acquire_cred(Gssctxt *);
|
||||
OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int,
|
||||
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
|
||||
OM_uint32 ssh_gssapi_accept_ctx(Gssctxt *,
|
||||
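Review bot: dropping the `OM_uint32 ssh_gssapi_acquire_cred(Gssctxt *);` prototype from the header means any surviving definition should be made static in its .c file (or removed along with it); otherwise -Wmissing-prototypes stops flagging it and the symbol stays exported without a declaration.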
@ -116,11 +115,11 @@ char *ssh_gssapi_last_error(Gssctxt *, OM_uint32 *, OM_uint32 *);
|
||||
void ssh_gssapi_build_ctx(Gssctxt **);
|
||||
void ssh_gssapi_delete_ctx(Gssctxt **);
|
||||
OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
|
||||
OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
|
||||
void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
|
||||
int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
|
||||
|
||||
/* In the server */
|
||||
OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
|
||||
int ssh_gssapi_userok(char *name);
|
||||
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
|
||||
void ssh_gssapi_do_child(char ***, u_int *);
|
||||
|
@ -284,4 +284,4 @@ AUTHORS
|
||||
created OpenSSH. Markus Friedl contributed the support for SSH protocol
|
||||
versions 1.5 and 2.0.
|
||||
|
||||
OpenBSD 4.1 September 25, 1999 5
|
||||
OpenBSD 4.2 June 5, 2007 5
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: ssh-keygen.1,v 1.74 2007/01/12 20:20:41 jmc Exp $
|
||||
.\" $OpenBSD: ssh-keygen.1,v 1.75 2007/05/31 19:20:16 jmc Exp $
|
||||
.\"
|
||||
.\" -*- nroff -*-
|
||||
.\"
|
||||
@ -37,7 +37,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd September 25, 1999
|
||||
.Dd $Mdocdate: June 5 2007 $
|
||||
.Dt SSH-KEYGEN 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -104,4 +104,4 @@ BUGS
|
||||
This is because it opens a connection to the ssh port, reads the public
|
||||
key, and drops the connection as soon as it gets the key.
|
||||
|
||||
OpenBSD 4.1 January 1, 1996 2
|
||||
OpenBSD 4.2 June 5, 2007 2
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: ssh-keyscan.1,v 1.22 2006/09/25 04:55:38 ray Exp $
|
||||
.\" $OpenBSD: ssh-keyscan.1,v 1.23 2007/05/31 19:20:16 jmc Exp $
|
||||
.\"
|
||||
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
|
||||
.\"
|
||||
@ -6,7 +6,7 @@
|
||||
.\" permitted provided that due credit is given to the author and the
|
||||
.\" OpenBSD project by leaving this copyright notice intact.
|
||||
.\"
|
||||
.Dd January 1, 1996
|
||||
.Dd $Mdocdate: June 5 2007 $
|
||||
.Dt SSH-KEYSCAN 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -39,4 +39,4 @@ HISTORY
|
||||
AUTHORS
|
||||
Markus Friedl <markus@openbsd.org>
|
||||
|
||||
OpenBSD 4.1 May 24, 2002 1
|
||||
OpenBSD 4.2 June 5, 2007 1
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: ssh-keysign.8,v 1.8 2006/02/24 20:22:16 jmc Exp $
|
||||
.\" $OpenBSD: ssh-keysign.8,v 1.9 2007/05/31 19:20:16 jmc Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
|
||||
.\"
|
||||
@ -22,7 +22,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd May 24, 2002
|
||||
.Dd $Mdocdate: June 5 2007 $
|
||||
.Dt SSH-KEYSIGN 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -48,4 +48,4 @@ AUTHORS
|
||||
SEE ALSO
|
||||
ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)
|
||||
|
||||
OpenBSD 4.1 April 14, 2002 1
|
||||
OpenBSD 4.2 April 14, 2002 1
|
||||
|
@ -32,6 +32,7 @@
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <stddef.h>
|
||||
#include <string.h>
|
||||
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
|
11
ssh.0
@ -4,7 +4,7 @@ NAME
|
||||
ssh - OpenSSH SSH client (remote login program)
|
||||
|
||||
SYNOPSIS
|
||||
ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
|
||||
ssh [-1246AaCfgKkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
|
||||
[-D [bind_address:]port] [-e escape_char] [-F configfile]
|
||||
[-i identity_file] [-L [bind_address:]port:host:hostport]
|
||||
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
|
||||
@ -147,6 +147,9 @@ DESCRIPTION
|
||||
multiple -i options (and multiple identities specified in config-
|
||||
uration files).
|
||||
|
||||
-K Enables GSSAPI-based authentication and forwarding (delegation)
|
||||
of GSSAPI credentials to the server.
|
||||
|
||||
-k Disables forwarding (delegation) of GSSAPI credentials to the
|
||||
server.
|
||||
|
||||
@ -371,8 +374,8 @@ AUTHENTICATION
|
||||
protocols support similar authentication methods, but protocol 2 is pre-
|
||||
ferred since it provides additional mechanisms for confidentiality (the
|
||||
traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and
|
||||
integrity (hmac-md5, hmac-sha1, hmac-ripemd160). Protocol 1 lacks a
|
||||
strong mechanism for ensuring the integrity of the connection.
|
||||
integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160). Protocol 1
|
||||
lacks a strong mechanism for ensuring the integrity of the connection.
|
||||
|
||||
The methods available for authentication are: GSSAPI-based authentica-
|
||||
tion, host-based authentication, public key authentication, challenge-re-
|
||||
@ -829,4 +832,4 @@ AUTHORS
|
||||
created OpenSSH. Markus Friedl contributed the support for SSH protocol
|
||||
versions 1.5 and 2.0.
|
||||
|
||||
OpenBSD 4.1 September 25, 1999 13
|
||||
OpenBSD 4.2 June 12, 2007 13
|
||||
|
11
ssh.1
@ -34,8 +34,8 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh.1,v 1.266 2006/12/11 21:25:46 markus Exp $
|
||||
.Dd September 25, 1999
|
||||
.\" $OpenBSD: ssh.1,v 1.270 2007/06/12 13:43:55 jmc Exp $
|
||||
.Dd $Mdocdate: June 12 2007 $
|
||||
.Dt SSH 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -43,7 +43,7 @@
|
||||
.Nd OpenSSH SSH client (remote login program)
|
||||
.Sh SYNOPSIS
|
||||
.Nm ssh
|
||||
.Op Fl 1246AaCfgkMNnqsTtVvXxY
|
||||
.Op Fl 1246AaCfgKkMNnqsTtVvXxY
|
||||
.Op Fl b Ar bind_address
|
||||
.Op Fl c Ar cipher_spec
|
||||
.Oo Fl D\ \&
|
||||
@ -315,6 +315,9 @@ It is possible to have multiple
|
||||
.Fl i
|
||||
options (and multiple identities specified in
|
||||
configuration files).
|
||||
.It Fl K
|
||||
Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI
|
||||
credentials to the server.
|
||||
.It Fl k
|
||||
Disables forwarding (delegation) of GSSAPI credentials to the server.
|
||||
.It Fl L Xo
|
||||
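Review bot: the -K entry describes "forwarding (delegation) of GSSAPI credentials to the server" without saying what that grants: a server holding delegated credentials can act as the user toward other services for as long as they are valid. One sentence of caution here, of the kind the forwarding options already carry, would match the security weight of a single-letter flag that turns delegation on.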
@ -674,7 +677,7 @@ Both protocols support similar authentication methods,
|
||||
but protocol 2 is preferred since
|
||||
it provides additional mechanisms for confidentiality
|
||||
(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
|
||||
and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
|
||||
and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160).
|
||||
Protocol 1 lacks a strong mechanism for ensuring the
|
||||
integrity of the connection.
|
||||
.Pp
|
||||
|
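Review bot: the integrity list names the algorithm "umac-64", but the identifier the MACs keyword accepts (and the ssh_config default added in this same commit) is umac-64@openssh.com; using the full name here lets the text be copied into a configuration file. The same wording is in the generated ssh.0, which follows from fixing the source.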
95
ssh.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssh.c,v 1.295 2007/01/03 03:01:40 stevesk Exp $ */
|
||||
/* $OpenBSD: ssh.c,v 1.301 2007/08/07 07:32:53 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -185,7 +185,7 @@ static void
|
||||
usage(void)
|
||||
{
|
||||
fprintf(stderr,
|
||||
"usage: ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
|
||||
"usage: ssh [-1246AaCfgKkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
|
||||
" [-D [bind_address:]port] [-e escape_char] [-F configfile]\n"
|
||||
" [-i identity_file] [-L [bind_address:]port:host:hostport]\n"
|
||||
" [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
|
||||
@ -272,7 +272,7 @@ main(int ac, char **av)
|
||||
|
||||
again:
|
||||
while ((opt = getopt(ac, av,
|
||||
"1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVw:XY")) != -1) {
|
||||
"1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:KL:MNO:PR:S:TVw:XY")) != -1) {
|
||||
switch (opt) {
|
||||
case '1':
|
||||
options.protocol = SSH_PROTO_1;
|
||||
@ -326,6 +326,10 @@ main(int ac, char **av)
|
||||
case 'k':
|
||||
options.gss_deleg_creds = 0;
|
||||
break;
|
||||
case 'K':
|
||||
options.gss_authentication = 1;
|
||||
options.gss_deleg_creds = 1;
|
||||
break;
|
||||
case 'i':
|
||||
if (stat(optarg, &st) < 0) {
|
||||
fprintf(stderr, "Warning: Identity file %s "
|
||||
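Review bot: -k and -K are applied in command-line order, so `-K -k` ends with gss_authentication on and gss_deleg_creds off while `-k -K` re-enables delegation; that is ordinary getopt behaviour, but since the two flags read as a pair it is worth a line in ssh.1 saying that -K also re-enables delegation that an earlier -k turned off.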
@ -853,6 +857,17 @@ ssh_init_forwarding(void)
|
||||
"forwarding.");
|
||||
}
|
||||
}
|
||||
|
||||
/* Initiate tunnel forwarding. */
|
||||
if (options.tun_open != SSH_TUNMODE_NO) {
|
||||
if (client_request_tun_fwd(options.tun_open,
|
||||
options.tun_local, options.tun_remote) == -1) {
|
||||
if (options.exit_on_forward_failure)
|
||||
fatal("Could not request tunnel forwarding.");
|
||||
else
|
||||
error("Could not request tunnel forwarding.");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
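Review bot: the tun request now honours ExitOnForwardFailure like the other forwardings, but client_request_tun_fwd() returning -1 can mean either a local tun device problem or a failure to issue the channel request, and "Could not request tunnel forwarding." does not say which; including the tunnel mode and device in the message would make a failed -w much easier to diagnose.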
@ -1115,33 +1130,6 @@ ssh_session2_setup(int id, void *arg)
|
||||
packet_send();
|
||||
}
|
||||
|
||||
if (options.tun_open != SSH_TUNMODE_NO) {
|
||||
Channel *c;
|
||||
int fd;
|
||||
|
||||
debug("Requesting tun.");
|
||||
if ((fd = tun_open(options.tun_local,
|
||||
options.tun_open)) >= 0) {
|
||||
c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
|
||||
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
|
||||
0, "tun", 1);
|
||||
c->datagram = 1;
|
||||
#if defined(SSH_TUN_FILTER)
|
||||
if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
|
||||
channel_register_filter(c->self, sys_tun_infilter,
|
||||
sys_tun_outfilter);
|
||||
#endif
|
||||
packet_start(SSH2_MSG_CHANNEL_OPEN);
|
||||
packet_put_cstring("tun@openssh.com");
|
||||
packet_put_int(c->self);
|
||||
packet_put_int(c->local_window_max);
|
||||
packet_put_int(c->local_maxpacket);
|
||||
packet_put_int(options.tun_open);
|
||||
packet_put_int(options.tun_remote);
|
||||
packet_send();
|
||||
}
|
||||
}
|
||||
|
||||
client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"),
|
||||
NULL, fileno(stdin), &command, environ, &ssh_subsystem_reply);
|
||||
|
||||
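Review bot: this block leaves ssh_session2_setup() and is presumably re-created behind client_request_tun_fwd(), which is not in this diff; two details that were silently part of the removed code need confirming in its new home: the SSH_TUN_FILTER registration for SSH_TUNMODE_POINTOPOINT (sys_tun_infilter / sys_tun_outfilter) must still be installed, and `c->datagram = 1` must still be set before the channel open is sent.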
@ -1201,7 +1189,6 @@ ssh_session2(void)
|
||||
|
||||
/* XXX should be pre-session */
|
||||
ssh_init_forwarding();
|
||||
ssh_control_listener();
|
||||
|
||||
if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN))
|
||||
id = ssh_session2_open();
|
||||
@ -1211,6 +1198,9 @@ ssh_session2(void)
|
||||
options.permit_local_command)
|
||||
ssh_local_cmd(options.local_command);
|
||||
|
||||
/* Start listening for multiplex clients */
|
||||
ssh_control_listener();
|
||||
|
||||
/* If requested, let ssh continue in the background. */
|
||||
if (fork_after_authentication_flag)
|
||||
if (daemon(1, 1) < 0)
|
||||
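Review bot: moving ssh_control_listener() from before the session open to after ssh_local_cmd() means the ControlPath socket does not exist until the master's session is established and any LocalCommand has run, so a multiplexed client launched before then gets a connect failure; the ordering is sensible (nothing should attach before the master is fully up), but it is a visible timing change that deserves a sentence under ControlMaster in ssh.1.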
@ -1307,7 +1297,7 @@ static void
|
||||
control_client(const char *path)
|
||||
{
|
||||
struct sockaddr_un addr;
|
||||
int i, r, fd, sock, exitval, num_env, addr_len;
|
||||
int i, r, fd, sock, exitval[2], num_env, addr_len;
|
||||
Buffer m;
|
||||
char *term;
|
||||
extern char **environ;
|
||||
@ -1456,29 +1446,44 @@ control_client(const char *path)
|
||||
if (tty_flag)
|
||||
enter_raw_mode();
|
||||
|
||||
/* Stick around until the controlee closes the client_fd */
|
||||
exitval = 0;
|
||||
for (;!control_client_terminate;) {
|
||||
r = read(sock, &exitval, sizeof(exitval));
|
||||
/*
|
||||
* Stick around until the controlee closes the client_fd.
|
||||
* Before it does, it is expected to write this process' exit
|
||||
* value (one int). This process must read the value and wait for
|
||||
* the closure of the client_fd; if this one closes early, the
|
||||
* multiplex master will terminate early too (possibly losing data).
|
||||
*/
|
||||
exitval[0] = 0;
|
||||
for (i = 0; !control_client_terminate && i < (int)sizeof(exitval);) {
|
||||
r = read(sock, (char *)exitval + i, sizeof(exitval) - i);
|
||||
if (r == 0) {
|
||||
debug2("Received EOF from master");
|
||||
break;
|
||||
}
|
||||
if (r > 0)
|
||||
debug2("Received exit status from master %d", exitval);
|
||||
if (r == -1 && errno != EINTR)
|
||||
if (r == -1) {
|
||||
if (errno == EINTR)
|
||||
continue;
|
||||
fatal("%s: read %s", __func__, strerror(errno));
|
||||
}
|
||||
i += r;
|
||||
}
|
||||
|
||||
if (control_client_terminate)
|
||||
debug2("Exiting on signal %d", control_client_terminate);
|
||||
|
||||
close(sock);
|
||||
|
||||
leave_raw_mode();
|
||||
if (i > (int)sizeof(int))
|
||||
fatal("%s: master returned too much data (%d > %lu)",
|
||||
__func__, i, sizeof(int));
|
||||
if (control_client_terminate) {
|
||||
debug2("Exiting on signal %d", control_client_terminate);
|
||||
exitval[0] = 255;
|
||||
} else if (i < (int)sizeof(int)) {
|
||||
debug2("Control master terminated unexpectedly");
|
||||
exitval[0] = 255;
|
||||
} else
|
||||
debug2("Received exit status from master %d", exitval[0]);
|
||||
|
||||
if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET)
|
||||
fprintf(stderr, "Connection to master closed.\r\n");
|
||||
fprintf(stderr, "Shared connection to %s closed.\r\n", host);
|
||||
|
||||
exit(exitval);
|
||||
exit(exitval[0]);
|
||||
}
|
||||
|
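Review bot: `fatal("%s: master returned too much data (%d > %lu)", __func__, i, sizeof(int));` passes a size_t to %lu; cast it to (u_long) as elsewhere in the tree so -Wformat stays quiet on ILP32 targets. The read loop itself is right: reading up to sizeof(exitval) (two ints) lets a master that sends more than one int be detected rather than silently truncated, and EOF after fewer than sizeof(int) bytes, or termination by signal, maps to 255.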
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: ssh_config,v 1.22 2006/05/29 12:56:33 dtucker Exp $
|
||||
# $OpenBSD: ssh_config,v 1.23 2007/06/08 04:40:40 pvalchev Exp $
|
||||
|
||||
# This is the ssh client system-wide configuration file. See
|
||||
# ssh_config(5) for more information. This file provides defaults for
|
||||
@ -38,6 +38,7 @@
|
||||
# Protocol 2,1
|
||||
# Cipher 3des
|
||||
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
|
||||
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
|
||||
# EscapeChar ~
|
||||
# Tunnel no
|
||||
# TunnelDevice any:any
|
||||
|
14
ssh_config.0
@ -200,9 +200,9 @@ DESCRIPTION
|
||||
|
||||
ExitOnForwardFailure
|
||||
Specifies whether ssh(1) should terminate the connection if it
|
||||
cannot set up all requested dynamic, local, and remote port for-
|
||||
wardings. The argument must be ``yes'' or ``no''. The default
|
||||
is ``no''.
|
||||
cannot set up all requested dynamic, tunnel, local, and remote
|
||||
port forwardings. The argument must be ``yes'' or ``no''. The
|
||||
default is ``no''.
|
||||
|
||||
ForwardAgent
|
||||
Specifies whether the connection to the authentication agent (if
|
||||
@ -365,8 +365,10 @@ DESCRIPTION
|
||||
MACs Specifies the MAC (message authentication code) algorithms in or-
|
||||
der of preference. The MAC algorithm is used in protocol version
|
||||
2 for data integrity protection. Multiple algorithms must be
|
||||
comma-separated. The default is: ``hmac-md5,hmac-sha1,hmac-
|
||||
ripemd160,hmac-sha1-96,hmac-md5-96''.
|
||||
comma-separated. The default is:
|
||||
|
||||
hmac-md5,hmac-sha1,umac-64@openssh.com,
|
||||
hmac-ripemd160,hmac-sha1-96,hmac-md5-96
|
||||
|
||||
NoHostAuthenticationForLocalhost
|
||||
This option can be used if the home directory is shared across
|
||||
@ -642,4 +644,4 @@ AUTHORS
|
||||
ated OpenSSH. Markus Friedl contributed the support for SSH protocol
|
||||
versions 1.5 and 2.0.
|
||||
|
||||
OpenBSD 4.1 September 25, 1999 10
|
||||
OpenBSD 4.2 August 15, 2007 10
|
||||
|
11
ssh_config.5
@ -34,8 +34,8 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh_config.5,v 1.98 2007/01/10 13:23:22 jmc Exp $
|
||||
.Dd September 25, 1999
|
||||
.\" $OpenBSD: ssh_config.5,v 1.102 2007/08/15 12:13:41 stevesk Exp $
|
||||
.Dd $Mdocdate: August 15 2007 $
|
||||
.Dt SSH_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -387,7 +387,7 @@ data).
|
||||
Specifies whether
|
||||
.Xr ssh 1
|
||||
should terminate the connection if it cannot set up all requested
|
||||
dynamic, local, and remote port forwardings.
|
||||
dynamic, tunnel, local, and remote port forwardings.
|
||||
The argument must be
|
||||
.Dq yes
|
||||
or
|
||||
@ -641,7 +641,10 @@ The MAC algorithm is used in protocol version 2
|
||||
for data integrity protection.
|
||||
Multiple algorithms must be comma-separated.
|
||||
The default is:
|
||||
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
|
||||
.Bd -literal -offset indent
|
||||
hmac-md5,hmac-sha1,umac-64@openssh.com,
|
||||
hmac-ripemd160,hmac-sha1-96,hmac-md5-96
|
||||
.Ed
|
||||
.It Cm NoHostAuthenticationForLocalhost
|
||||
This option can be used if the home directory is shared across machines.
|
||||
In this case localhost will refer to a different machine on each of
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: sshconnect2.c,v 1.162 2006/08/30 00:06:51 dtucker Exp $ */
|
||||
/* $OpenBSD: sshconnect2.c,v 1.164 2007/05/17 23:53:41 jolan Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -31,6 +31,7 @@
|
||||
#include <sys/stat.h>
|
||||
|
||||
#include <errno.h>
|
||||
#include <netdb.h>
|
||||
#include <pwd.h>
|
||||
#include <signal.h>
|
||||
#include <stdarg.h>
|
||||
@ -1307,7 +1308,7 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
Sensitive *sensitive = authctxt->sensitive;
|
||||
Buffer b;
|
||||
u_char *signature, *blob;
|
||||
char *chost, *pkalg, *p;
|
||||
char *chost, *pkalg, *p, myname[NI_MAXHOST];
|
||||
const char *service;
|
||||
u_int blen, slen;
|
||||
int ok, i, len, found = 0;
|
||||
@ -1331,7 +1332,16 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
return 0;
|
||||
}
|
||||
/* figure out a name for the client host */
|
||||
p = get_local_name(packet_get_connection_in());
|
||||
p = NULL;
|
||||
if (packet_connection_is_on_socket())
|
||||
p = get_local_name(packet_get_connection_in());
|
||||
if (p == NULL) {
|
||||
if (gethostname(myname, sizeof(myname)) == -1) {
|
||||
verbose("userauth_hostbased: gethostname: %s",
|
||||
strerror(errno));
|
||||
} else
|
||||
p = xstrdup(myname);
|
||||
}
|
||||
if (p == NULL) {
|
||||
error("userauth_hostbased: cannot get local ipaddr/name");
|
||||
key_free(private);
|
||||
|
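Review bot: gethostname() is not required to NUL-terminate myname when the host name is longer than sizeof(myname) - 1, so add `myname[sizeof(myname) - 1] = '\0';` before the xstrdup(). Also note that this fallback (taken when the connection is not on a socket, e.g. via ProxyCommand) supplies a client-chosen name, which the server will only accept if it matches what it resolves for the connecting address or it has been configured to trust the name in the packet; a debug() of the name being sent would help explain hostbased failures through a proxy.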
37
sshd.0
@ -9,8 +9,8 @@ SYNOPSIS
|
||||
|
||||
DESCRIPTION
|
||||
sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these
|
||||
programs replace rlogin and rsh, and provide secure encrypted communica-
|
||||
tions between two untrusted hosts over an insecure network.
|
||||
programs replace rlogin(1) and rsh(1), and provide secure encrypted com-
|
||||
munications between two untrusted hosts over an insecure network.
|
||||
|
||||
sshd listens for connections from clients. It is normally started at
|
||||
boot from /etc/rc. It forks a new daemon for each incoming connection.
|
||||
@ -45,7 +45,7 @@ DESCRIPTION
|
||||
-e When this option is specified, sshd will send the output to the
|
||||
standard error instead of the system log.
|
||||
|
||||
-f configuration_file
|
||||
-f config_file
|
||||
Specifies the name of the configuration file. The default is
|
||||
/etc/ssh/sshd_config. sshd refuses to start if there is no con-
|
||||
figuration file.
|
||||
@ -143,7 +143,8 @@ AUTHENTICATION
|
||||
AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The
|
||||
client selects the encryption algorithm to use from those offered by the
|
||||
server. Additionally, session integrity is provided through a crypto-
|
||||
graphic message authentication code (hmac-sha1 or hmac-md5).
|
||||
graphic message authentication code (hmac-md5, hmac-sha1, umac-64 or
|
||||
hmac-ripemd160).
|
||||
|
||||
Finally, the server and the client enter an authentication dialog. The
|
||||
client tries to authenticate itself using host-based authentication, pub-
|
||||
@ -156,10 +157,10 @@ AUTHENTICATION
|
||||
tion of a locked account is system dependant. Some platforms have their
|
||||
own account database (eg AIX) and some modify the passwd field ( `*LK*'
|
||||
on Solaris and UnixWare, `*' on HP-UX, containing `Nologin' on Tru64, a
|
||||
leading `*LOCKED*' on FreeBSD and a leading `!!' on Linux). If there is
|
||||
a requirement to disable password authentication for the account while
|
||||
allowing still public-key, then the passwd field should be set to some-
|
||||
thing other than these values (eg `NP' or `*NP*' ).
|
||||
leading `*LOCKED*' on FreeBSD and a leading `!' on most Linuxes). If
|
||||
there is a requirement to disable password authentication for the account
|
||||
while allowing still public-key, then the passwd field should be set to
|
||||
something other than these values (eg `NP' or `*NP*' ).
|
||||
|
||||
If the client successfully authenticates itself, a dialog for preparing
|
||||
the session is entered. At this time the client may request things like
|
||||
@ -477,13 +478,6 @@ FILES
|
||||
lows host-based authentication without permitting login with
|
||||
rlogin/rsh.
|
||||
|
||||
/etc/ssh/ssh_known_hosts
|
||||
Systemwide list of known host keys. This file should be prepared
|
||||
by the system administrator to contain the public host keys of
|
||||
all machines in the organization. The format of this file is de-
|
||||
scribed above. This file should be writable only by root/the
|
||||
owner and should be world-readable.
|
||||
|
||||
/etc/ssh/ssh_host_key
|
||||
/etc/ssh/ssh_host_dsa_key
|
||||
/etc/ssh/ssh_host_rsa_key
|
||||
@ -502,6 +496,13 @@ FILES
|
||||
convenience of the user so their contents can be copied to known
|
||||
hosts files. These files are created using ssh-keygen(1).
|
||||
|
||||
/etc/ssh/ssh_known_hosts
|
||||
Systemwide list of known host keys. This file should be prepared
|
||||
by the system administrator to contain the public host keys of
|
||||
all machines in the organization. The format of this file is de-
|
||||
scribed above. This file should be writable only by root/the
|
||||
owner and should be world-readable.
|
||||
|
||||
/etc/ssh/sshd_config
|
||||
Contains configuration data for sshd. The file format and con-
|
||||
figuration options are described in sshd_config(5).
|
||||
@ -526,8 +527,8 @@ FILES
|
||||
|
||||
SEE ALSO
|
||||
scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
|
||||
chroot(2), hosts_access(5), login.conf(5), moduli(5), sshd_config(5),
|
||||
inetd(8), sftp-server(8)
|
||||
ssh-keyscan(1), chroot(2), hosts_access(5), login.conf(5), moduli(5),
|
||||
sshd_config(5), inetd(8), sftp-server(8)
|
||||
|
||||
AUTHORS
|
||||
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
|
||||
@ -541,4 +542,4 @@ CAVEATS
|
||||
System security is not improved unless rshd, rlogind, and rexecd are dis-
|
||||
abled (thus completely disabling rlogin and rsh into the machine).
|
||||
|
||||
OpenBSD 4.1 September 25, 1999 9
|
||||
OpenBSD 4.2 August 16, 2007 9
|
||||
|
39
sshd.8
@ -34,8 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd.8,v 1.234 2006/08/21 08:15:57 dtucker Exp $
.Dd September 25, 1999
.\" $OpenBSD: sshd.8,v 1.237 2007/06/07 19:37:34 pvalchev Exp $
.Dd $Mdocdate: August 16 2007 $
.Dt SSHD 8
.Os
.Sh NAME
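Review bot: .Dd now carries a $Mdocdate$ keyword instead of a literal date. That keyword is expanded by OpenBSD's CVS on commit, not by anything in the portable tree, so on later syncs the date inside it has to be carried over by hand or it will go stale while still looking maintained; the rendered footer hunk above (OpenBSD 4.2, August 16, 2007) shows the expansion came through correctly for this import.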
@ -58,8 +58,11 @@
.Nm
(OpenSSH Daemon) is the daemon program for
.Xr ssh 1 .
Together these programs replace rlogin and rsh, and
provide secure encrypted communications between two untrusted hosts
Together these programs replace
.Xr rlogin 1
and
.Xr rsh 1 ,
and provide secure encrypted communications between two untrusted hosts
over an insecure network.
.Pp
.Nm
@ -117,7 +120,7 @@ Maximum is 3.
When this option is specified,
.Nm
will send the output to the standard error instead of the system log.
.It Fl f Ar configuration_file
.It Fl f Ar config_file
Specifies the name of the configuration file.
The default is
.Pa /etc/ssh/sshd_config .
@ -273,7 +276,7 @@ The client selects the encryption algorithm
to use from those offered by the server.
Additionally, session integrity is provided
through a cryptographic message authentication code
(hmac-sha1 or hmac-md5).
(hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160).
.Pp
Finally, the server and the client enter an authentication dialog.
The client tries to authenticate itself using
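Review bot: Enumerating the MACs inline in the protocol overview ("hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160") will drift from the set the server actually negotiates as algorithms are added and retired; naming one or two as examples and pointing the reader at the MACs keyword in sshd_config(5) would keep this paragraph accurate. Listing hmac-md5 first also reads as if it were the preferred choice; leading with hmac-sha1 or umac-64 avoids that impression.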
@ -299,8 +302,9 @@ on Tru64,
a leading
.Ql \&*LOCKED\&*
on FreeBSD and a leading
.Ql \&!!
on Linux). If there is a requirement to disable password authentication
.Ql \&!
on most Linuxes).
If there is a requirement to disable password authentication
for the account while allowing still public-key, then the passwd field
should be set to something other than these values (eg
.Ql NP
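Review bot: The marker change from a leading "!!" to a single "!" is the substantive part of this hunk: the manual must describe exactly what the daemon tests for, otherwise an administrator can lock an account in a form sshd does not recognise as locked. On wording, "on most Linuxes" is informal for a manual page ("on most Linux distributions" reads better), and the unchanged context line "for the account while allowing still public-key" has awkward word order ("while still allowing public-key authentication") that could be fixed while this paragraph is being touched.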
@ -758,15 +762,6 @@ This file is used in exactly the same way as
but allows host-based authentication without permitting login with
rlogin/rsh.
.Pp
.It /etc/ssh/ssh_known_hosts
Systemwide list of known host keys.
This file should be prepared by the
system administrator to contain the public host keys of all machines in the
organization.
The format of this file is described above.
This file should be writable only by root/the owner and
should be world-readable.
.Pp
.It /etc/ssh/ssh_host_key
.It /etc/ssh/ssh_host_dsa_key
.It /etc/ssh/ssh_host_rsa_key
@ -790,6 +785,15 @@ the user so their contents can be copied to known hosts files.
These files are created using
.Xr ssh-keygen 1 .
.Pp
.It /etc/ssh/ssh_known_hosts
Systemwide list of known host keys.
This file should be prepared by the
system administrator to contain the public host keys of all machines in the
organization.
The format of this file is described above.
This file should be writable only by root/the owner and
should be world-readable.
.Pp
.It /etc/ssh/sshd_config
Contains configuration data for
.Nm sshd .
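Review bot: Together with @ -758 above this is a verbatim move of the /etc/ssh/ssh_known_hosts item to after the host key entries, so only the ordering needs checking, not the text. Since the item is being touched anyway, "writable only by root/the owner" is vague for a system-wide trust file: it leaves open whether an owner other than root is acceptable, and the property that matters is that it be root-owned and not writable by anyone else; stating that directly would be clearer.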
@ -826,6 +830,7 @@ The content of this file is not sensitive; it can be world-readable.
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
.Xr hosts_access 5 ,
.Xr login.conf 5 ,
6
sshd.c
@ -1,4 +1,4 @@
/* $OpenBSD: sshd.c,v 1.349 2007/02/21 11:00:05 dtucker Exp $ */
/* $OpenBSD: sshd.c,v 1.351 2007/05/22 10:18:52 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1421,6 +1421,10 @@ main(int ac, char **av)
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);

/* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;

/* set default channel AF */
channel_set_af(options.address_family);
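Review bot: The new assignment unconditionally forces kbd_interactive_authentication on whenever challenge_response_authentication is set, overriding whatever value the field held before (including one given explicitly in the configuration, if that keyword is exposed). The comment explains the implementation relationship, but nothing tells an administrator that enabling ChallengeResponseAuthentication also turns on keyboard-interactive; sshd_config(5) should state that implication so the effective authentication surface is not wider than the configuration appears to say. Placing the check after fill_default_server_options() is correct, since it must see the defaulted value rather than the raw parsed one.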
Some files were not shown because too many files have changed in this diff.