d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add the patches fom ports (QV: ports/security/openssh/patches/patch-*)

Browse Source
This commit is contained in:
Mark Murray 2000-02-24 15:29:42 +00:00
parent 8e3e42fe07
commit 42f71286cd
12 changed files with 328 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
crypto/openssh/includes.h
View File

@ -11,6 +11,7 @@
*
* This file includes most of the needed system headers.
*
* $FreeBSD$
*/
#ifndef INCLUDES_H
@ -24,12 +25,12 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
#include <sys/select.h>
#include <sys/param.h>
#include <sys/ioctl.h>
#include <sys/endian.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/time.h>
#include <sys/un.h>
#include <sys/resource.h>
#include <machine/endian.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@ -38,7 +39,6 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
#include <arpa/inet.h>
#include <netdb.h>
#include <netgroup.h>
#include <stdio.h>
#include <ctype.h>
#include <errno.h>
@ -66,4 +66,29 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
*/
#define USE_PIPES 1
#if defined(__FreeBSD__) && __FreeBSD__ <= 3
/*
* Data types.
*/
typedef u_char sa_family_t;
typedef u_int32_t socklen_t;
/*
* bsd-api-new-02a: protocol-independent placeholder for socket addresses
*/
#define _SS_MAXSIZE 128
#define _SS_ALIGNSIZE (sizeof(int64_t))
#define _SS_PAD1SIZE (_SS_ALIGNSIZE - sizeof(u_char) * 2)
#define _SS_PAD2SIZE (_SS_MAXSIZE - sizeof(u_char) * 2 - \
_SS_PAD1SIZE - _SS_ALIGNSIZE)
struct sockaddr_storage {
u_char ss_len; /* address length */
sa_family_t ss_family; /* address family */
char __ss_pad1[_SS_PAD1SIZE];
int64_t __ss_align; /* force desired structure storage alignment */
char __ss_pad2[_SS_PAD2SIZE];
};
#endif
#endif /* INCLUDES_H */

5
crypto/openssh/login.c
View File

@ -15,12 +15,17 @@
* login the current system has. Also, we want to be able to execute commands
* on a tty.
*
* $FreeBSD$
*/
#include "includes.h"
RCSID("$Id: login.c,v 1.11 2000/01/04 00:07:59 markus Exp $");
#ifdef __FreeBSD__
#include <libutil.h>
#else
#include <util.h>
#endif /* __FreeBSD__ */
#include <utmp.h>
#include "ssh.h"

5
crypto/openssh/pty.c
View File

@ -11,12 +11,17 @@
*
* Allocating a pseudo-terminal, and making it the controlling tty.
*
* $FreeBSD$
*/
#include "includes.h"
RCSID("$Id: pty.c,v 1.12 2000/02/15 16:52:58 markus Exp $");
#ifdef __FreeBSD__
#include <libutil.h>
#else
#include <util.h>
#endif
#include "pty.h"
#include "ssh.h"

76
crypto/openssh/servconf.c
View File

@ -9,6 +9,7 @@
*
* Created: Mon Aug 21 15:48:58 1995 ylo
*
* $FreeBSD$
*/
#include "includes.h"
@ -67,6 +68,8 @@ initialize_server_options(ServerOptions *options)
options->num_deny_users = 0;
options->num_allow_groups = 0;
options->num_deny_groups = 0;
options->connections_per_period = 0;
options->connections_period = 0;
}
void
@ -159,7 +162,7 @@ typedef enum {
sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts
sIgnoreUserKnownHosts, sConnectionsPerPeriod
} ServerOpCodes;
/* Textual representation of the tokens. */
@ -207,6 +210,7 @@ static struct {
{ "denyusers", sDenyUsers },
{ "allowgroups", sAllowGroups },
{ "denygroups", sDenyGroups },
{ "connectionsperperiod", sConnectionsPerPeriod },
{ NULL, 0 }
};
@ -316,7 +320,11 @@ read_server_config(ServerOptions *options, const char *filename)
filename, linenum);
exit(1);
}
value = atoi(cp);
if (sscanf(cp, " %d ", &value) != 1) {
fprintf(stderr, "%s line %d: invalid integer value.\n",
filename, linenum);
exit(1);
}
if (*intptr == -1)
*intptr = value;
break;
@ -506,63 +514,65 @@ read_server_config(ServerOptions *options, const char *filename)
case sAllowUsers:
while ((cp = strtok(NULL, WHITESPACE))) {
if (options->num_allow_users >= MAX_ALLOW_USERS) {
fprintf(stderr, "%s line %d: too many allow users.\n",
filename, linenum);
exit(1);
}
if (options->num_allow_users >= MAX_ALLOW_USERS)
fatal("%.200s line %d: too many allow users.\n", filename,
linenum);
options->allow_users[options->num_allow_users++] = xstrdup(cp);
}
break;
case sDenyUsers:
while ((cp = strtok(NULL, WHITESPACE))) {
if (options->num_deny_users >= MAX_DENY_USERS) {
fprintf(stderr, "%s line %d: too many deny users.\n",
filename, linenum);
exit(1);
}
if (options->num_deny_users >= MAX_DENY_USERS)
fatal("%.200s line %d: too many deny users.\n", filename,
linenum);
options->deny_users[options->num_deny_users++] = xstrdup(cp);
}
break;
case sAllowGroups:
while ((cp = strtok(NULL, WHITESPACE))) {
if (options->num_allow_groups >= MAX_ALLOW_GROUPS) {
fprintf(stderr, "%s line %d: too many allow groups.\n",
filename, linenum);
exit(1);
}
if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
fatal("%.200s line %d: too many allow groups.\n", filename,
linenum);
options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
}
break;
case sDenyGroups:
while ((cp = strtok(NULL, WHITESPACE))) {
if (options->num_deny_groups >= MAX_DENY_GROUPS) {
fprintf(stderr, "%s line %d: too many deny groups.\n",
filename, linenum);
exit(1);
}
if (options->num_deny_groups >= MAX_DENY_GROUPS)
fatal("%.200s line %d: too many deny groups.\n", filename,
linenum);
options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
}
break;
case sConnectionsPerPeriod:
cp = strtok(NULL, WHITESPACE);
if (cp == NULL)
fatal("%.200s line %d: missing (>= 0) number argument.\n",
filename, linenum);
if (sscanf(cp, " %u/%u ", &options->connections_per_period,
&options->connections_period) != 2)
fatal("%.200s line %d: invalid numerical argument(s).\n",
filename, linenum);
if (options->connections_per_period != 0 &&
options->connections_period == 0)
fatal("%.200s line %d: invalid connections period.\n",
filename, linenum);
break;
default:
fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
fatal("%.200s line %d: Missing handler for opcode %s (%d)\n",
filename, linenum, cp, opcode);
exit(1);
}
if (strtok(NULL, WHITESPACE) != NULL) {
fprintf(stderr, "%s line %d: garbage at end of line.\n",
filename, linenum);
exit(1);
}
if (strtok(NULL, WHITESPACE) != NULL)
fatal("%.200s line %d: garbage at end of line.\n", filename,
linenum);
}
fclose(f);
if (bad_options > 0) {
fprintf(stderr, "%s: terminating, %d bad configuration options\n",
if (bad_options > 0)
fatal("%.200s: terminating, %d bad configuration options\n",
filename, bad_options);
exit(1);
}
}

7
crypto/openssh/servconf.h
View File

@ -11,6 +11,7 @@
*
* Definitions for server configuration data and for the functions reading it.
*
* $FreeBSD$
*/
/* RCSID("$Id: servconf.h,v 1.15 2000/01/04 00:08:00 markus Exp $"); */
@ -87,6 +88,12 @@ typedef struct {
char *allow_groups[MAX_ALLOW_GROUPS];
unsigned int num_deny_groups;
char *deny_groups[MAX_DENY_GROUPS];
unsigned int connections_per_period; /*
* If not 0, number of sshd
* connections accepted per
* connections_period.
*/
unsigned int connections_period;
} ServerOptions;
/*
* Initializes the server options to special values that indicate that they

5
crypto/openssh/ssh.c
View File

@ -8,6 +8,8 @@
* of X11, TCP/IP, and authentication connections.
*
* Modified to work with SSL by Niels Provos <provos@citi.umich.edu> in Canada.
*
* $FreeBSD$
*/
#include "includes.h"
@ -131,6 +133,9 @@ rsh_connect(char *host, char *user, Buffer * command)
log("Using rsh. WARNING: Connection will not be encrypted.");
/* Build argument list for rsh. */
i = 0;
#ifndef _PATH_RSH
#define _PATH_RSH "/usr/bin/rsh"
#endif
args[i++] = _PATH_RSH;
/* host may have to come after user on some systems */
args[i++] = host;

5
crypto/openssh/ssh.h
View File

@ -11,6 +11,7 @@
*
* Generic header file for ssh.
*
* $FreeBSD$
*/
/* RCSID("$Id: ssh.h,v 1.33 2000/02/01 22:32:53 d Exp $"); */
@ -61,7 +62,7 @@
*/
#define SSH_SERVICE_NAME "ssh"
#define ETCDIR "/etc"
#define ETCDIR "__PREFIX__/etc"
#define PIDDIR "/var/run"
/*
@ -78,7 +79,7 @@
#define SERVER_CONFIG_FILE ETCDIR "/sshd_config"
#define HOST_CONFIG_FILE ETCDIR "/ssh_config"
#define SSH_PROGRAM "/usr/bin/ssh"
#define SSH_PROGRAM "__PREFIX__/bin/ssh"
/*
* The process id of the daemon listening for connections is saved here to

2
crypto/openssh/ssh_config
View File

@ -1,6 +1,8 @@
# This is ssh client systemwide configuration file. This file provides
# defaults for users, and the values can be changed in per-user configuration
# files or on the command line.
#
# $FreeBSD$
# Configuration data is parsed as follows:
# 1. command line options

4
crypto/openssh/sshconnect.c
View File

@ -5,6 +5,8 @@
* Created: Sat Mar 18 22:15:47 1995 ylo
* Code to connect to a remote host, and to perform the client side of the
* login (authentication) dialog.
*
* $FreeBSD$
*/
#include "includes.h"
@ -1085,9 +1087,11 @@ check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key)
case AF_INET:
local = (ntohl(((struct sockaddr_in *)hostaddr)->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
break;
#ifdef INET6
case AF_INET6:
local = IN6_IS_ADDR_LOOPBACK(&(((struct sockaddr_in6 *)hostaddr)->sin6_addr));
break;
#endif
default:
local = 0;
break;

31
crypto/openssh/sshd.8
View File

@ -10,6 +10,7 @@
.\" Created: Sat Apr 22 21:55:14 1995 ylo
.\"
.\" $Id: sshd.8,v 1.33 2000/02/21 14:19:09 deraadt Exp $
.\" $FreeBSD$
.\"
.Dd September 25, 1999
.Dt SSHD 8
@ -228,6 +229,31 @@ Specifies whether
should check for new mail for interactive logins.
The default is
.Dq no .
.It Cm ConnectionsPerPeriod
This keyword allows for rate-limiting of connections, and
is followed by two numbers in the format
.Dq n/s ,
where
.Ar n
is the number of connections from a certain address group
accepted per period of
.Ar s
seconds. Any connection after the number
.Ar n
connection in the period of
.Ar s
seconds will be dropped, and an informational message will be logged.
A connection will belong to a certain group, of which there are 13
by default, according to its IP address.
The default for this keyword is
.Dq 0/0 ,
and rate-limiting can be explicitly turned off by using an
.Ar n
parameter of
.Ql 0
and any
.Ar s
parameter.
.It Cm DenyGroups
This keyword can be followed by a number of group names, separated
by spaces. Users whose primary group matches one of the patterns
@ -466,8 +492,9 @@ section).
If the login is on a tty, records login time.
.It
Checks
.Pa /etc/nologin ;
if it exists, prints contents and quits
.Pa /etc/nologin and
.Pa /var/run/nologin ;
if one exists, it prints the contents and quits
(unless root).
.It
Changes to run with normal user privileges.

201
crypto/openssh/sshd.c
View File

@ -8,6 +8,8 @@
* information to/from the application to the user client over an encrypted
* connection. This can also handle forwarding of X11, TCP/IP, and authentication
* agent connections.
*
* $FreeBSD$
*/
#include "includes.h"
@ -24,6 +26,8 @@ RCSID("$OpenBSD: sshd.c,v 1.88 2000/02/15 16:52:57 markus Exp $");
#include "servconf.h"
#include "uidswap.h"
#include "compat.h"
#include <poll.h>
#include <time.h>
#ifdef LIBWRAP
#include <tcpd.h>
@ -32,6 +36,16 @@ int allow_severity = LOG_INFO;
int deny_severity = LOG_WARNING;
#endif /* LIBWRAP */
#ifdef __FreeBSD__
#include <libutil.h>
#include <syslog.h>
#define LOGIN_CAP
#endif /* __FreeBSD__ */
#ifdef LOGIN_CAP
#include <login_cap.h>
#endif /* LOGIN_CAP */
#ifndef O_NOCTTY
#define O_NOCTTY 0
#endif
@ -126,6 +140,32 @@ int received_sighup = 0;
the private key. */
RSA *public_key;
/* These are used to implement connections_per_period. */
struct magic_connection {
struct timeval connections_begin;
unsigned int connections_this_period;
} *magic_connections;
/* Magic number, too! TODO: this doesn't have to be static. */
const size_t MAGIC_CONNECTIONS_SIZE = 1;
static __inline int
magic_hash(struct sockaddr *sa) {
return 0;
}
static __inline struct timeval
timevaldiff(struct timeval *tv1, struct timeval *tv2) {
struct timeval diff;
int carry;
carry = tv1->tv_usec > tv2->tv_usec;
diff.tv_sec = tv2->tv_sec - tv1->tv_sec - (carry ? 0 : 1);
diff.tv_usec = tv2->tv_usec - tv1->tv_usec + (carry ? 1000000 : 0);
return diff;
}
/* Prototypes for various functions defined later in this file. */
void do_ssh_kex();
void do_authentication();
@ -321,6 +361,7 @@ main(int ac, char **av)
extern int optind;
int opt, sock_in = 0, sock_out = 0, newsock, i, fdsetsz, pid, on = 1;
socklen_t fromlen;
int connections_per_period_exceeded = 0;
int remote_major, remote_minor;
int silentrsa = 0;
fd_set *fdset;
@ -640,6 +681,12 @@ main(int ac, char **av)
fdsetsz = howmany(maxfd, NFDBITS) * sizeof(fd_mask);
fdset = (fd_set *)xmalloc(fdsetsz);
/* Initialize the magic_connections table. It's magical! */
magic_connections = calloc(MAGIC_CONNECTIONS_SIZE,
sizeof(struct magic_connection));
if (magic_connections == NULL)
fatal("calloc: %s", strerror(errno));
/*
* Stay listening for connections until the system crashes or
* the daemon is killed with a signal.
@ -671,9 +718,31 @@ main(int ac, char **av)
error("newsock del O_NONBLOCK: %s", strerror(errno));
continue;
}
if (options.connections_per_period != 0) {
struct timeval diff, connections_end;
struct magic_connection *mc;
(void)gettimeofday(&connections_end, NULL);
mc = &magic_connections[magic_hash(ai->ai_addr)];
diff = timevaldiff(&mc->connections_begin, &connections_end);
if (diff.tv_sec >= options.connections_period) {
/*
* Slide the window forward only after completely
* leaving it.
*/
mc->connections_begin = connections_end;
mc->connections_this_period = 1;
} else {
if (++mc->connections_this_period >
options.connections_per_period)
connections_per_period_exceeded = 1;
}
}
/*
* Got connection. Fork a child to handle it, unless
* we are in debugging mode.
* Got connection. Fork a child to handle it unless
* we are in debugging mode or the maximum number of
* connections per period has been exceeded.
*/
if (debug_flag) {
/*
@ -687,6 +756,12 @@ main(int ac, char **av)
sock_out = newsock;
pid = getpid();
break;
} else if (connections_per_period_exceeded) {
log("Connection rate limit of %u/%us has been exceeded; "
"dropping connection from %s.",
options.connections_per_period, options.connections_period,
ntop);
connections_per_period_exceeded = 0;
} else {
/*
* Normal production daemon. Fork, and have
@ -1171,6 +1246,14 @@ allowed_user(struct passwd * pw)
return 0;
}
}
/* Fail if the account's expiration time has passed. */
if (pw->pw_expire != 0) {
struct timeval tv;
(void)gettimeofday(&tv, NULL);
if (tv.tv_sec >= pw->pw_expire)
return 0;
}
/* We found no reason not to let this user try to log on... */
return 1;
}
@ -1217,6 +1300,9 @@ do_authentication()
pwcopy.pw_gid = pw->pw_gid;
pwcopy.pw_dir = xstrdup(pw->pw_dir);
pwcopy.pw_shell = xstrdup(pw->pw_shell);
pwcopy.pw_class = xstrdup(pw->pw_class);
pwcopy.pw_expire = pw->pw_expire;
pwcopy.pw_change = pw->pw_change;
pw = &pwcopy;
/*
@ -1996,6 +2082,10 @@ do_exec_pty(const char *command, int ptyfd, int ttyfd,
struct sockaddr_storage from;
socklen_t fromlen;
struct pty_cleanup_context cleanup_context;
#ifdef LOGIN_CAP
login_cap_t *lc;
char *fname;
#endif /* LOGIN_CAP */
/* Get remote host name. */
hostname = get_canonical_hostname();
@ -2060,6 +2150,12 @@ do_exec_pty(const char *command, int ptyfd, int ttyfd,
/* Check if .hushlogin exists. */
snprintf(line, sizeof line, "%.200s/.hushlogin", pw->pw_dir);
quiet_login = stat(line, &st) >= 0;
#ifdef LOGIN_CAP
lc = login_getpwclass(pw);
if (lc == NULL)
lc = login_getclassbyname(NULL, pw);
quiet_login = login_getcapbool(lc, "hushlogin", quiet_login);
#endif /* LOGIN_CAP */
/*
* If the user has logged in before, display the time of last
@ -2083,6 +2179,20 @@ do_exec_pty(const char *command, int ptyfd, int ttyfd,
else
printf("Last login: %s from %s\r\n", time_string, buf);
}
#ifdef LOGIN_CAP
if (command == NULL && !quiet_login && !options.use_login) {
fname = login_getcapstr(lc, "copyright", NULL, NULL);
if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
while (fgets(line, sizeof(line), f) != NULL)
fputs(line, stdout);
fclose(f);
} else
(void)printf("%s\n\t%s %s\n",
"Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
"The Regents of the University of California. ",
"All rights reserved.");
}
#endif /* LOGIN_CAP */
/*
* Print /etc/motd unless a command was specified or printing
* it was disabled in server options or login(1) will be
@ -2091,14 +2201,22 @@ do_exec_pty(const char *command, int ptyfd, int ttyfd,
*/
if (command == NULL && options.print_motd && !quiet_login &&
!options.use_login) {
/* Print /etc/motd if it exists. */
#ifdef LOGIN_CAP
fname = login_getcapstr(lc, "welcome", NULL, NULL);
login_close(lc);
if (fname == NULL || (f = fopen(fname, "r")) == NULL)
f = fopen("/etc/motd", "r");
#else /* LOGIN_CAP */
f = fopen("/etc/motd", "r");
#endif /* LOGIN_CAP */
/* Print /etc/motd if it exists. */
if (f) {
while (fgets(line, sizeof(line), f))
fputs(line, stdout);
fclose(f);
}
}
/* Do common processing for the child, such as execing the command. */
do_child(command, pw, term, display, auth_proto, auth_data, ttyname);
/* NOTREACHED */
@ -2240,7 +2358,8 @@ do_child(const char *command, struct passwd * pw, const char *term,
const char *display, const char *auth_proto,
const char *auth_data, const char *ttyname)
{
const char *shell, *cp = NULL;
char *shell;
const char *cp = NULL;
char buf[256];
FILE *f;
unsigned int envsize, i;
@ -2248,15 +2367,34 @@ do_child(const char *command, struct passwd * pw, const char *term,
extern char **environ;
struct stat st;
char *argv[10];
#ifdef LOGIN_CAP
login_cap_t *lc;
lc = login_getpwclass(pw);
if (lc == NULL)
lc = login_getclassbyname(NULL, pw);
#endif /* LOGIN_CAP */
f = fopen("/etc/nologin", "r");
#ifdef __FreeBSD__
if (f == NULL)
f = fopen("/var/run/nologin", "r");
#endif /* __FreeBSD__ */
if (f) {
/* /etc/nologin exists. Print its contents and exit. */
while (fgets(buf, sizeof(buf), f))
fputs(buf, stderr);
fclose(f);
if (pw->pw_uid != 0)
exit(254);
#ifdef LOGIN_CAP
/* On FreeBSD, etc., allow overriding nologin via login.conf. */
if (!login_getcapbool(lc, "ignorenologin", 0)) {
#else /* LOGIN_CAP */
if (1) {
#endif /* LOGIN_CAP */
while (fgets(buf, sizeof(buf), f))
fputs(buf, stderr);
fclose(f);
if (pw->pw_uid != 0)
exit(254);
}
}
/* Set login name in the kernel. */
if (setlogin(pw->pw_name) < 0)
@ -2266,6 +2404,13 @@ do_child(const char *command, struct passwd * pw, const char *term,
/* Login(1) does this as well, and it needs uid 0 for the "-h"
switch, so we let login(1) to this for us. */
if (!options.use_login) {
#ifdef LOGIN_CAP
if (setclasscontext(pw->pw_class, LOGIN_SETPRIORITY |
LOGIN_SETRESOURCES | LOGIN_SETUMASK) == -1) {
perror("setclasscontext");
exit(1);
}
#endif /* LOGIN_CAP */
if (getuid() == 0 || geteuid() == 0) {
if (setgid(pw->pw_gid) < 0) {
perror("setgid");
@ -2288,7 +2433,14 @@ do_child(const char *command, struct passwd * pw, const char *term,
* Get the shell from the password data. An empty shell field is
* legal, and means /bin/sh.
*/
#ifdef LOGIN_CAP
shell = pw->pw_shell;
shell = login_getcapstr(lc, "shell", shell, shell);
if (shell[0] == '\0')
shell = _PATH_BSHELL;
#else /* LOGIN_CAP */
shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
#endif /* LOGIN_CAP */
#ifdef AFS
/* Try to get AFS tokens for the local cell. */
@ -2312,7 +2464,12 @@ do_child(const char *command, struct passwd * pw, const char *term,
child_set_env(&env, &envsize, "USER", pw->pw_name);
child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
child_set_env(&env, &envsize, "HOME", pw->pw_dir);
#ifdef LOGIN_CAP
child_set_env(&env, &envsize, "PATH",
login_getpath(lc, "path", _PATH_STDPATH));
#else /* LOGIN_CAP */
child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
#endif /* LOGIN_CAP */
snprintf(buf, sizeof buf, "%.200s/%.50s",
_PATH_MAILDIR, pw->pw_name);
@ -2402,13 +2559,17 @@ do_child(const char *command, struct passwd * pw, const char *term,
*/
endpwent();
#ifdef LOGIN_CAP
login_close(lc);
#endif /* LOGIN_CAP */
/*
* Close any extra open file descriptors so that we don\'t have them
* hanging around in clients. Note that we want to do this after
* initgroups, because at least on Solaris 2.3 it leaves file
* descriptors open.
*/
for (i = 3; i < 64; i++)
for (i = 3; i < getdtablesize(); i++)
close(i);
/* Change current directory to the user\'s home directory. */
@ -2427,6 +2588,26 @@ do_child(const char *command, struct passwd * pw, const char *term,
* in this order).
*/
if (!options.use_login) {
#ifdef __FreeBSD__
/*
* If the password change time is set and has passed, give the
* user a password expiry notice and chance to change it.
*/
if (pw->pw_change != 0) {
struct timeval tv;
(void)gettimeofday(&tv, NULL);
if (tv.tv_sec >= pw->pw_change) {
(void)printf(
"Sorry -- your password has expired.\n");
syslog(LOG_INFO,
"%s Password expired - forcing change",
pw->pw_name);
if (system("/usr/bin/passwd") != 0)
perror("/usr/bin/passwd");
}
}
#endif /* __FreeBSD__ */
if (stat(SSH_USER_RC, &st) >= 0) {
if (debug_flag)
fprintf(stderr, "Running /bin/sh %s\n", SSH_USER_RC);

11
crypto/openssh/sshd_config
View File

@ -1,14 +1,17 @@
# This is ssh server systemwide configuration file.
#
# $FreeBSD$
Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh_host_key
HostKey __PREFIX__/etc/ssh_host_key
ServerKeyBits 768
LoginGraceTime 600
LoginGraceTime 60
KeyRegenerationInterval 3600
PermitRootLogin yes
#
PermitRootLogin no
# Rate-limit sshd connections to 5 connections per 10 seconds
ConnectionsPerPeriod 5/10
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication