Resolve conflicts.

2004-04-20 09:46:41 +00:00 · 2004-04-20 09:46:41 +00:00 · e5d801b2d6
commit e5d801b2d6
parent efa3572464
29 changed files with 304 additions and 168 deletions
--- a/crypto/openssh/acconfig.h
+++ b/crypto/openssh/acconfig.h
@ -1,4 +1,4 @@
-/* $Id: acconfig.h,v 1.173 2004/02/06 05:24:31 dtucker Exp $ */
+/* $Id: acconfig.h,v 1.177 2004/04/15 23:22:40 dtucker Exp $ */
 /* $FreeBSD$ */

 /*
@ -132,6 +132,9 @@
 /* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */
 #undef AIX_LOGINFAILED_4ARG

+/* Define if your skeychallenge() function takes 4 arguments (eg NetBSD) */
+#undef SKEYCHALLENGE_4ARG
+
 /* Define if you have/want arrays (cluster-wide session managment, not C arrays) */
 #undef WITH_IRIX_ARRAY

@ -203,6 +206,9 @@
 /* Define if you don't want to use lastlog in session.c */
 #undef NO_SSH_LASTLOG

+/* Define if have krb5_init_ets */
+#undef KRB5_INIT_ETS
+
 /* Define if you don't want to use utmp */
 #undef DISABLE_UTMP

@ -351,6 +357,9 @@
 /* getaddrinfo is broken (if present) */
 #undef BROKEN_GETADDRINFO

+/* updwtmpx is broken (if present) */
+#undef BROKEN_UPDWTMPX
+
 /* Workaround more Linux IPv6 quirks */
 #undef DONT_TRY_OTHER_AF

--- a/crypto/openssh/auth-krb5.c
+++ b/crypto/openssh/auth-krb5.c
@ -55,7 +55,9 @@ krb5_init(void *context)
 		problem = krb5_init_context(&authctxt->krb5_ctx);
 		if (problem)
 			return (problem);
+#ifdef KRB5_INIT_ETS
 		krb5_init_ets(authctxt->krb5_ctx);
+#endif
 	}
 	return (0);
 }
@ -71,6 +73,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 #endif
 	krb5_error_code problem;
 	krb5_ccache ccache = NULL;
+	int len;

 	if (!authctxt->valid)
 		return (0);
@ -176,6 +179,11 @@ auth_krb5_password(Authctxt *authctxt, const char *password)

 	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);

+	len = strlen(authctxt->krb5_ticket_file) + 6;
+	authctxt->krb5_ccname = xmalloc(len);
+	snprintf(authctxt->krb5_ccname, len, "FILE:%s",
+	    authctxt->krb5_ticket_file);
+
 out:
 	restore_uid();

--- a/crypto/openssh/auth-pam.c
+++ b/crypto/openssh/auth-pam.c
@ -31,7 +31,7 @@

 /* Based on $xFreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.95 2004/02/17 12:20:08 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.100 2004/04/18 01:00:26 dtucker Exp $");
 RCSID("$FreeBSD$");

 #ifdef USE_PAM
@ -59,6 +59,7 @@ RCSID("$FreeBSD$");
 extern ServerOptions options;
 extern Buffer loginmsg;
 extern int compat20;
+extern u_int utmp_len;

 #ifdef USE_POSIX_THREADS
 #include <pthread.h>
@ -118,6 +119,7 @@ pthread_create(sp_pthread_t *thread, const void *attr __unused,
 {
 	pid_t pid;

+	sshpam_thread_status = -1;
 	switch ((pid = fork())) {
 	case -1:
 		error("fork(): %s", strerror(errno));
@ -160,7 +162,7 @@ static int sshpam_session_open = 0;
 static int sshpam_cred_established = 0;
 static int sshpam_account_status = -1;
 static char **sshpam_env = NULL;
-static int *force_pwchange;
+static Authctxt *sshpam_authctxt = NULL;

 /* Some PAM implementations don't implement this */
 #ifndef HAVE_PAM_GETENVLIST
@ -180,7 +182,9 @@ void
 pam_password_change_required(int reqd)
 {
 	debug3("%s %d", __func__, reqd);
-	*force_pwchange = reqd;
+	if (sshpam_authctxt == NULL)
+		fatal("%s: PAM authctxt not initialized", __func__);
+	sshpam_authctxt->force_pwchange = reqd;
 	if (reqd) {
 		no_port_forwarding_flag |= 2;
 		no_agent_forwarding_flag |= 2;
@ -202,6 +206,7 @@ import_environments(Buffer *b)

 	debug3("PAM: %s entering", __func__);

+#ifndef USE_POSIX_THREADS
 	/* Import variables set by do_pam_account */
 	sshpam_account_status = buffer_get_int(b);
 	pam_password_change_required(buffer_get_int(b));
@ -229,6 +234,7 @@ import_environments(Buffer *b)
 		}
 #endif
 	}
+#endif
 }

 /*
@ -337,6 +343,9 @@ sshpam_thread(void *ctxtp)
 	sshpam_conv.conv = sshpam_thread_conv;
 	sshpam_conv.appdata_ptr = ctxt;

+	if (sshpam_authctxt == NULL)
+		fatal("%s: PAM authctxt not initialized", __func__);
+
 	buffer_init(&buffer);
 	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
 	    (const void *)&sshpam_conv);
@ -349,7 +358,7 @@ sshpam_thread(void *ctxtp)
 	if (compat20) {
 		if (!do_pam_account())
 			goto auth_fail;
-		if (*force_pwchange) {
+		if (sshpam_authctxt->force_pwchange) {
 			sshpam_err = pam_chauthtok(sshpam_handle,
 			    PAM_CHANGE_EXPIRED_AUTHTOK);
 			if (sshpam_err != PAM_SUCCESS)
@ -363,7 +372,7 @@ sshpam_thread(void *ctxtp)
 #ifndef USE_POSIX_THREADS
 	/* Export variables set by do_pam_account */
 	buffer_put_int(&buffer, sshpam_account_status);
-	buffer_put_int(&buffer, *force_pwchange);
+	buffer_put_int(&buffer, sshpam_authctxt->force_pwchange);

 	/* Export any environment strings set in child */
 	for(i = 0; environ[i] != NULL; i++)
@ -444,11 +453,10 @@ sshpam_cleanup(void)
 }

 static int
-sshpam_init(const char *user)
+sshpam_init(Authctxt *authctxt)
 {
-	extern u_int utmp_len;
 	extern char *__progname;
-	const char *pam_rhost, *pam_user;
+	const char *pam_rhost, *pam_user, *user = authctxt->user;

 	if (sshpam_handle != NULL) {
 		/* We already have a PAM context; check if the user matches */
@ -462,6 +470,8 @@ sshpam_init(const char *user)
 	debug("PAM: initializing for \"%s\"", user);
 	sshpam_err =
 	    pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle);
+	sshpam_authctxt = authctxt;
+
 	if (sshpam_err != PAM_SUCCESS) {
 		pam_end(sshpam_handle, sshpam_err);
 		sshpam_handle = NULL;
@ -504,7 +514,7 @@ sshpam_init_ctx(Authctxt *authctxt)
 		return NULL;

 	/* Initialize PAM */
-	if (sshpam_init(authctxt->user) == -1) {
+	if (sshpam_init(authctxt) == -1) {
 		error("PAM: initialization failed");
 		return (NULL);
 	}
@ -512,8 +522,6 @@ sshpam_init_ctx(Authctxt *authctxt)
 	ctxt = xmalloc(sizeof *ctxt);
 	memset(ctxt, 0, sizeof(*ctxt));

-	force_pwchange = &(authctxt->force_pwchange);
-
 	/* Start the authentication thread */
 	if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
 		error("PAM: failed create sockets: %s", strerror(errno));
@ -592,7 +600,10 @@ sshpam_query(void *ctx, char **name, char **info,
 				xfree(msg);
 				return (0);
 			}
-			error("PAM: %s", msg);
+			error("PAM: %s for %s%.100s from %.100s", msg,
+			    sshpam_authctxt->valid ? "" : "illegal user ",
+			    sshpam_authctxt->user,
+			    get_remote_name_or_ip(utmp_len, options.use_dns));
 			/* FALLTHROUGH */
 		default:
 			*num = 0;
@ -672,12 +683,12 @@ KbdintDevice mm_sshpam_device = {
 * This replaces auth-pam.c
 */
 void
-start_pam(const char *user)
+start_pam(Authctxt *authctxt)
 {
 	if (!options.use_pam)
 		fatal("PAM: initialisation requested when UsePAM=no");

-	if (sshpam_init(user) == -1)
+	if (sshpam_init(authctxt) == -1)
 		fatal("PAM: initialisation failed");
 }

--- a/crypto/openssh/auth-pam.h
+++ b/crypto/openssh/auth-pam.h
@ -1,4 +1,4 @@
-/* $Id: auth-pam.h,v 1.24 2004/02/10 02:23:29 dtucker Exp $ */
+/* $Id: auth-pam.h,v 1.25 2004/03/08 12:04:07 dtucker Exp $ */
 /* $FreeBSD$ */

 /*
@ -32,7 +32,7 @@
 # define SSHD_PAM_SERVICE		__progname
 #endif

-void start_pam(const char *);
+void start_pam(Authctxt *);
 void finish_pam(void);
 u_int do_pam_account(void);
 void do_pam_session(void);
--- a/crypto/openssh/auth-passwd.c
+++ b/crypto/openssh/auth-passwd.c
@ -74,13 +74,6 @@ auth_password(Authctxt *authctxt, const char *password)
 	if (*password == '\0' && options.permit_empty_passwd == 0)
 		return 0;

-#if defined(HAVE_OSF_SIA)
-	/*
-	 * XXX: any reason this is before krb?  could be moved to
-	 * sys_auth_passwd()?  -dt
-	 */
-	return auth_sia_password(authctxt, password) && ok;
-#endif
 #ifdef KRB5
 	if (options.kerberos_authentication == 1) {
 		int ret = auth_krb5_password(authctxt, password);
--- a/crypto/openssh/auth-skey.c
+++ b/crypto/openssh/auth-skey.c
@ -56,7 +56,8 @@ skey_query(void *ctx, char **name, char **infotxt,
 	int len;
 	struct skey skey;

-	if (skeychallenge(&skey, authctxt->user, challenge) == -1)
+	if (_compat_skeychallenge(&skey, authctxt->user, challenge, 
+	    sizeof(challenge)) == -1)
 		return -1;

 	*name  = xstrdup("");
--- a/crypto/openssh/auth.h
+++ b/crypto/openssh/auth.h
@ -67,6 +67,7 @@ struct Authctxt {
 	krb5_ccache	 krb5_fwd_ccache;
 	krb5_principal	 krb5_user;
 	char		*krb5_ticket_file;
+	char		*krb5_ccname;
 #endif
 	void		*methoddata;
 };
--- a/crypto/openssh/auth1.c
+++ b/crypto/openssh/auth1.c
@ -308,7 +308,7 @@ do_authentication(Authctxt *authctxt)

 #ifdef USE_PAM
 	if (options.use_pam)
-		PRIVSEP(start_pam(user));
+		PRIVSEP(start_pam(authctxt));
 #endif

 	/*
--- a/crypto/openssh/auth2.c
+++ b/crypto/openssh/auth2.c
@ -159,24 +159,24 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 	if (authctxt->attempt++ == 0) {
 		/* setup auth context */
 		authctxt->pw = PRIVSEP(getpwnamallow(user));
+		authctxt->user = xstrdup(user);
 		if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
 			authctxt->valid = 1;
 			debug2("input_userauth_request: setting up authctxt for %s", user);
 #ifdef USE_PAM
 			if (options.use_pam)
-				PRIVSEP(start_pam(authctxt->pw->pw_name));
+				PRIVSEP(start_pam(authctxt));
 #endif
 		} else {
 			logit("input_userauth_request: illegal user %s", user);
 			authctxt->pw = fakepw();
 #ifdef USE_PAM
 			if (options.use_pam)
-				PRIVSEP(start_pam(user));
+				PRIVSEP(start_pam(authctxt));
 #endif
 		}
 		setproctitle("%s%s", authctxt->pw ? user : "unknown",
 		    use_privsep ? " [net]" : "");
-		authctxt->user = xstrdup(user);
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
 		if (use_privsep)
--- a/crypto/openssh/canohost.c
+++ b/crypto/openssh/canohost.c
@ -44,6 +44,9 @@ get_remote_hostname(int socket, int use_dns)
 		cleanup_exit(255);
 	}

+	if (from.ss_family == AF_INET)
+		check_ip_options(socket, ntop);
+
 	ipv64_normalise_mapped(&from, &fromlen);

 	if (from.ss_family == AF_INET6)
@ -56,9 +59,6 @@ get_remote_hostname(int socket, int use_dns)
 	if (!use_dns)
 		return xstrdup(ntop);

-	if (from.ss_family == AF_INET)
-		check_ip_options(socket, ntop);
-
 	debug3("Trying to reverse map address %.100s.", ntop);
 	/* Map the IP address to a host name. */
 	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
--- a/crypto/openssh/configure.ac
+++ b/crypto/openssh/configure.ac
@ -1,5 +1,19 @@
-# $Id: configure.ac,v 1.202 2004/02/24 05:47:04 tim Exp $
 # $FreeBSD$
+# $Id: configure.ac,v 1.202 2004/02/24 05:47:04 tim Exp $
+#
+# Copyright (c) 1999-2004 Damien Miller
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

 AC_INIT
 AC_CONFIG_SRCDIR([ssh.c])
@ -196,10 +210,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	AC_DEFINE(DISABLE_UTMP)
 	AC_DEFINE(LOCKED_PASSWD_STRING, "*")
 	AC_DEFINE(SPT_TYPE,SPT_PSTAT)
-	case "$host" in
-	*-*-hpux11.11*)
-		AC_DEFINE(BROKEN_GETADDRINFO);;
-	esac
+	check_for_hpux_broken_getaddrinfo=1
 	LIBS="$LIBS -lsec"
 	AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
 	;;
@ -222,6 +233,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	AC_DEFINE(SETEUID_BREAKS_SETUID)
 	AC_DEFINE(BROKEN_SETREUID)
 	AC_DEFINE(BROKEN_SETREGID)
+	AC_DEFINE(BROKEN_UPDWTMPX)
 	AC_DEFINE(WITH_ABBREV_NO_TTY)
 	AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
 	;;
@ -231,7 +243,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	check_for_openpty_ctty_bug=1
 	AC_DEFINE(DONT_TRY_OTHER_AF)
 	AC_DEFINE(PAM_TTY_KLUDGE)
-	AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!")
+	AC_DEFINE(LOCKED_PASSWD_PREFIX, "!")
 	AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
 	inet6_default_4in6=yes
 	case `uname -r` in
@ -269,6 +281,9 @@ mips-sony-bsd|mips-sony-newsos4)
 	AC_DEFINE(BROKEN_SAVED_UIDS)
 	;;
 *-*-solaris*)
+	if test "x$withval" != "xno" ; then	
+		need_dash_r=1
+	fi
 	AC_DEFINE(PAM_SUN_CODEBASE)
 	AC_DEFINE(LOGIN_NEEDS_UTMPX)
 	AC_DEFINE(LOGIN_NEEDS_TERM)
@ -345,6 +360,9 @@ mips-sony-bsd|mips-sony-newsos4)
 	AC_DEFINE(HAVE_SECUREWARE)
 	AC_DEFINE(DISABLE_SHADOW)
 	AC_DEFINE(BROKEN_SAVED_UIDS)
+	AC_DEFINE(SETEUID_BREAKS_SETUID)
+	AC_DEFINE(BROKEN_SETREUID)
+	AC_DEFINE(BROKEN_SETREGID)
 	AC_DEFINE(WITH_ABBREV_NO_TTY)
 	AC_CHECK_FUNCS(getluid setluid)
 	MANTYPE=man
@ -492,10 +510,10 @@ AC_CHECK_HEADERS(bstring.h crypt.h endian.h features.h floatingpoint.h \
 	netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \
 	rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
 	strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \
-	sys/cdefs.h sys/mman.h sys/pstat.h sys/ptms.h sys/select.h sys/stat.h \
-	sys/stream.h sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \
-	sys/un.h time.h tmpdir.h ttyent.h usersec.h \
-	util.h utime.h utmp.h utmpx.h vis.h)
+	sys/cdefs.h sys/mman.h sys/prctl.h sys/pstat.h sys/ptms.h \
+	sys/select.h sys/stat.h sys/stream.h sys/stropts.h \
+	sys/sysmacros.h sys/time.h sys/timers.h sys/un.h time.h tmpdir.h \
+	ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h)

 # Checks for libraries.
 AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match))
@ -729,6 +747,15 @@ int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); }
 					AC_MSG_RESULT(no)
 					AC_MSG_ERROR([** Incomplete or missing s/key libraries.])
 				])
+                 	AC_MSG_CHECKING(if skeychallenge takes 4 arguments)
+			AC_TRY_COMPILE(
+				[#include <stdio.h>
+				 #include <skey.h>],
+				[(void)skeychallenge(NULL,"name","",0);],
+				[AC_MSG_RESULT(yes)
+				 AC_DEFINE(SKEYCHALLENGE_4ARG)],
+				[AC_MSG_RESULT(no)]
+        		)
 		fi
 	]
 )
@ -803,6 +830,9 @@ AC_ARG_WITH(tcp-wrappers,
 			AC_MSG_CHECKING(for libwrap)
 			AC_TRY_LINK(
 				[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
 #include <tcpd.h>
 					int deny_severity = 0, allow_severity = 0;
 				],
@ -830,12 +860,12 @@ AC_CHECK_FUNCS(\
 	getpeereid _getpty getrlimit getttyent glob inet_aton \
 	inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \
 	mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \
-	pstat readpassphrase realpath recvmsg rresvport_af sendmsg \
+	pstat prctl readpassphrase realpath recvmsg rresvport_af sendmsg \
 	setdtablesize setegid setenv seteuid setgroups setlogin setpcred \
 	setproctitle setregid setreuid setrlimit \
 	setsid setvbuf sigaction sigvec snprintf socketpair strerror \
 	strlcat strlcpy strmode strnvis strtoul sysconf tcgetpgrp \
-	truncate updwtmpx utimes vhangup vsnprintf waitpid \
+	truncate unsetenv updwtmpx utimes vhangup vsnprintf waitpid \
 )

 # IRIX has a const char return value for gai_strerror()
@ -1003,6 +1033,74 @@ main()
 	)
 fi

+if test "x$ac_cv_func_getaddrinfo" = "xyes" -a "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
+	AC_MSG_CHECKING(if getaddrinfo seems to work)
+	AC_TRY_RUN(
+		[
+#include <stdio.h>
+#include <sys/socket.h>
+#include <netdb.h>
+#include <errno.h>
+#include <netinet/in.h>
+
+#define TEST_PORT "2222"
+
+int
+main(void)
+{
+	int err, sock;
+	struct addrinfo *gai_ai, *ai, hints;
+	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = PF_UNSPEC;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_flags = AI_PASSIVE;
+
+	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
+	if (err != 0) {
+		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
+		exit(1);
+	}
+
+	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
+		if (ai->ai_family != AF_INET6)
+			continue;
+
+		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
+		    sizeof(ntop), strport, sizeof(strport),
+		    NI_NUMERICHOST|NI_NUMERICSERV);
+
+		if (err != 0) {
+			if (err == EAI_SYSTEM)
+				perror("getnameinfo EAI_SYSTEM");
+			else
+				fprintf(stderr, "getnameinfo failed: %s\n",
+				    gai_strerror(err));
+			exit(2);
+		}
+
+		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+		if (sock < 0)
+			perror("socket");
+		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+			if (errno == EBADF)
+				exit(3);
+		}
+	}
+	exit(0);
+}
+		],
+		[
+			AC_MSG_RESULT(yes)
+		],
+		[
+			AC_MSG_RESULT(no)
+			AC_DEFINE(BROKEN_GETADDRINFO)
+		]
+	)
+fi
+
 AC_FUNC_GETPGRP

 # Check for PAM libs
@ -2197,6 +2295,7 @@ AC_ARG_WITH(kerberos5,

 	LIBS="$LIBS $K5LIBS"
 	AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS))
+	AC_SEARCH_LIBS(krb5_init_ets, $K5LIBS, AC_DEFINE(KRB5_INIT_ETS))
 	]
 )

--- a/crypto/openssh/loginrec.c
+++ b/crypto/openssh/loginrec.c
@ -158,8 +158,8 @@
 #include "log.h"
 #include "atomicio.h"

-RCSID("$Id: loginrec.c,v 1.54 2004/02/10 05:49:35 dtucker Exp $");
 RCSID("$FreeBSD$");
+RCSID("$Id: loginrec.c,v 1.54 2004/02/10 05:49:35 dtucker Exp $");

 #ifdef HAVE_UTIL_H
 #  include <util.h>
@ -1356,7 +1356,7 @@ static int
 syslogin_perform_logout(struct logininfo *li)
 {
 # ifdef HAVE_LOGOUT
-	char line[8];
+	char line[UT_LINESIZE];

 	(void)line_stripname(line, li->line, sizeof(line));

--- a/crypto/openssh/monitor.c
+++ b/crypto/openssh/monitor.c
@ -46,7 +46,13 @@ RCSID("$FreeBSD$");
 #include "auth.h"
 #include "kex.h"
 #include "dh.h"
+#ifdef TARGET_OS_MAC	/* XXX Broken krb5 headers on Mac */
+#undef TARGET_OS_MAC
 #include "zlib.h"
+#define TARGET_OS_MAC 1
+#else
+#include "zlib.h"
+#endif
 #include "packet.h"
 #include "auth-options.h"
 #include "sshpty.h"
@ -747,7 +753,8 @@ mm_answer_skeyquery(int socket, Buffer *m)
 	char challenge[1024];
 	u_int success;

-	success = skeychallenge(&skey, authctxt->user, challenge) < 0 ? 0 : 1;
+	success = _compat_skeychallenge(&skey, authctxt->user, challenge,
+	    sizeof(challenge)) < 0 ? 0 : 1;

 	buffer_clear(m);
 	buffer_put_int(m, success);
@ -791,16 +798,10 @@ mm_answer_skeyrespond(int socket, Buffer *m)
 int
 mm_answer_pam_start(int socket, Buffer *m)
 {
-	char *user;
-
 	if (!options.use_pam)
 		fatal("UsePAM not set, but ended up in %s anyway", __func__);

-	user = buffer_get_string(m, NULL);
-
-	start_pam(user);
-
-	xfree(user);
+	start_pam(authctxt);

 	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);

--- a/crypto/openssh/monitor_wrap.c
+++ b/crypto/openssh/monitor_wrap.c
@ -41,7 +41,13 @@ RCSID("$FreeBSD$");
 #include "packet.h"
 #include "mac.h"
 #include "log.h"
+#ifdef TARGET_OS_MAC    /* XXX Broken krb5 headers on Mac */
+#undef TARGET_OS_MAC
 #include "zlib.h"
+#define TARGET_OS_MAC 1
+#else
+#include "zlib.h"
+#endif
 #include "monitor.h"
 #include "monitor_wrap.h"
 #include "xmalloc.h"
@ -687,7 +693,7 @@ mm_session_pty_cleanup2(Session *s)

 #ifdef USE_PAM
 void
-mm_start_pam(char *user)
+mm_start_pam(Authctxt *authctxt)
 {
 	Buffer m;

@ -696,8 +702,6 @@ mm_start_pam(char *user)
 		fatal("UsePAM=no, but ended up in %s anyway", __func__);

 	buffer_init(&m);
-	buffer_put_cstring(&m, user);
-
 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, &m);

 	buffer_free(&m);
--- a/crypto/openssh/monitor_wrap.h
+++ b/crypto/openssh/monitor_wrap.h
@ -67,7 +67,7 @@ OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
 #endif

 #ifdef USE_PAM
-void mm_start_pam(char *);
+void mm_start_pam(struct Authctxt *);
 u_int mm_do_pam_account(void);
 void *mm_sshpam_init_ctx(struct Authctxt *);
 int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
--- a/crypto/openssh/openbsd-compat/fake-rfc2553.h
+++ b/crypto/openssh/openbsd-compat/fake-rfc2553.h
@ -1,5 +1,5 @@
-/* $Id: fake-rfc2553.h,v 1.8 2004/02/10 02:05:41 dtucker Exp $ */
 /* $FreeBSD$ */
+/* $Id: fake-rfc2553.h,v 1.8 2004/02/10 02:05:41 dtucker Exp $ */

 /*
 * Copyright (C) 2000-2003 Damien Miller.  All rights reserved.
@ -134,6 +134,9 @@ struct addrinfo {
 #endif /* !HAVE_STRUCT_ADDRINFO */

 #ifndef HAVE_GETADDRINFO
+#ifdef getaddrinfo
+# undef getaddrinfo
+#endif
 #define getaddrinfo(a,b,c,d)	(ssh_getaddrinfo(a,b,c,d))
 int getaddrinfo(const char *, const char *, 
    const struct addrinfo *, struct addrinfo **);
--- a/crypto/openssh/readconf.c
+++ b/crypto/openssh/readconf.c
@ -12,8 +12,8 @@
 */

 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.127 2003/12/16 15:49:51 markus Exp $");
 RCSID("$FreeBSD$");
+RCSID("$OpenBSD: readconf.c,v 1.127 2003/12/16 15:49:51 markus Exp $");

 #include "ssh.h"
 #include "xmalloc.h"
@ -106,8 +106,12 @@ typedef enum {
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+<<<<<<< readconf.c
 	oServerAliveInterval, oServerAliveCountMax,
 	oVersionAddendum,
+=======
+	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+>>>>>>> 1.1.1.15
 	oDeprecated, oUnsupported
 } OpCodes;

@ -149,6 +153,7 @@ static struct {
 	{ "usersh", oDeprecated },
 	{ "identityfile", oIdentityFile },
 	{ "identityfile2", oIdentityFile },			/* alias */
+	{ "identitiesonly", oIdentitiesOnly },
 	{ "hostname", oHostName },
 	{ "hostkeyalias", oHostKeyAlias },
 	{ "proxycommand", oProxyCommand },
@ -739,6 +744,10 @@ parse_int:
 		intptr = &options->enable_ssh_keysign;
 		goto parse_flag;

+	case oIdentitiesOnly:
+		intptr = &options->identities_only;
+		goto parse_flag;
+
 	case oServerAliveInterval:
 		intptr = &options->server_alive_interval;
 		goto parse_time;
@ -879,6 +888,7 @@ initialize_options(Options * options)
 	options->smartcard_device = NULL;
 	options->enable_ssh_keysign = - 1;
 	options->no_host_authentication_for_localhost = - 1;
+	options->identities_only = - 1;
 	options->rekey_limit = - 1;
 	options->verify_host_key_dns = -1;
 	options->server_alive_interval = -1;
@ -991,6 +1001,8 @@ fill_default_options(Options * options)
 		clear_forwardings(options);
 	if (options->no_host_authentication_for_localhost == - 1)
 		options->no_host_authentication_for_localhost = 0;
+	if (options->identities_only == -1)
+		options->identities_only = 0;
 	if (options->enable_ssh_keysign == -1)
 		options->enable_ssh_keysign = 0;
 	if (options->rekey_limit == -1)
--- a/crypto/openssh/readconf.h
+++ b/crypto/openssh/readconf.h
@ -1,4 +1,4 @@
-/*	$OpenBSD: readconf.h,v 1.59 2003/12/16 15:49:51 markus Exp $	*/
+/*	$OpenBSD: readconf.h,v 1.60 2004/03/05 10:53:58 markus Exp $	*/

 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -100,6 +100,7 @@ typedef struct {
 	int	enable_ssh_keysign;
 	int	rekey_limit;
 	int	no_host_authentication_for_localhost;
+	int	identities_only;
 	int	server_alive_interval; 
 	int	server_alive_count_max;
 }       Options;
--- a/crypto/openssh/session.c
+++ b/crypto/openssh/session.c
@ -202,6 +202,7 @@ display_loginmsg(void)
 		printf("%s\n", (char *)buffer_ptr(&loginmsg));
 		buffer_clear(&loginmsg);
 	}
+	fflush(stdout);
 }

 void
@ -492,6 +493,13 @@ do_exec_no_pty(Session *s, const char *command)
 	close(inout[0]);
 	close(err[0]);

+	/*
+	 * Clear loginmsg, since it's the child's responsibility to display
+	 * it to the user, otherwise multiple sessions may accumulate
+	 * multiple copies of the login messages.
+	 */
+	buffer_clear(&loginmsg);
+
 	/*
 	 * Enter the interactive session.  Note: server_loop must be able to
 	 * handle the case that fdin and fdout are the same.
@ -1116,9 +1124,9 @@ do_setup_env(Session *s, const char *shell)
 	}
 #endif
 #ifdef KRB5
-	if (s->authctxt->krb5_ticket_file)
+	if (s->authctxt->krb5_ccname)
 		child_set_env(&env, &envsize, "KRB5CCNAME",
-		    s->authctxt->krb5_ticket_file);
+		    s->authctxt->krb5_ccname);
 #endif
 #ifdef USE_PAM
 	/*
--- a/crypto/openssh/ssh-agent.c
+++ b/crypto/openssh/ssh-agent.c
@ -58,6 +58,10 @@ RCSID("$FreeBSD$");
 #include "scard.h"
 #endif

+#if defined(HAVE_SYS_PRCTL_H)
+#include <sys/prctl.h>	/* For prctl() and PR_SET_DUMPABLE */
+#endif
+
 typedef enum {
 	AUTH_UNUSED,
 	AUTH_SOCKET,
@ -1025,6 +1029,11 @@ main(int ac, char **av)
 	setgid(getgid());
 	setuid(geteuid());

+#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+	/* Disable ptrace on Linux without sgid bit */
+	prctl(PR_SET_DUMPABLE, 0);
+#endif
+
 	SSLeay_add_all_algorithms();

 	__progname = ssh_get_progname(av[0]);
--- a/crypto/openssh/ssh-keyscan.c
+++ b/crypto/openssh/ssh-keyscan.c
@ -7,7 +7,7 @@
 */

 #include "includes.h"
-RCSID("$OpenBSD: ssh-keyscan.c,v 1.46 2003/11/23 23:17:34 djm Exp $");
+RCSID("$OpenBSD: ssh-keyscan.c,v 1.47 2004/03/08 09:38:05 djm Exp $");

 #include "openbsd-compat/sys-queue.h"

@ -489,7 +489,7 @@ conrecycle(int s)
 static void
 congreet(int s)
 {
-	int remote_major, remote_minor, n = 0;
+	int remote_major = 0, remote_minor = 0, n = 0;
 	char buf[256], *cp;
 	char remote_version[sizeof buf];
 	size_t bufsiz;
--- a/crypto/openssh/ssh.1
+++ b/crypto/openssh/ssh.1
@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.181 2003/12/16 15:49:51 markus Exp $
 .\" $FreeBSD$
+.\" $OpenBSD: ssh.1,v 1.181 2003/12/16 15:49:51 markus Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@ -636,6 +636,7 @@ For full details of the options listed below, and their possible values, see
 .It HostKeyAlias
 .It HostName
 .It IdentityFile
+.It IdentitiesOnly
 .It LocalForward
 .It LogLevel
 .It MACs
--- a/crypto/openssh/ssh.c
+++ b/crypto/openssh/ssh.c
@ -40,8 +40,8 @@
 */

 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.206 2003/12/16 15:49:51 markus Exp $");
 RCSID("$FreeBSD$");
+RCSID("$OpenBSD: ssh.c,v 1.206 2003/12/16 15:49:51 markus Exp $");

 #include <openssl/evp.h>
 #include <openssl/err.h>
@ -147,49 +147,12 @@ pid_t proxy_command_pid = 0;
 static void
 usage(void)
 {
-	fprintf(stderr, "Usage: %s [options] host [command]\n", __progname);
-	fprintf(stderr, "Options:\n");
-	fprintf(stderr, "  -l user     Log in using this user name.\n");
-	fprintf(stderr, "  -n          Redirect input from " _PATH_DEVNULL ".\n");
-	fprintf(stderr, "  -F config   Config file (default: ~/%s).\n",
-	     _PATH_SSH_USER_CONFFILE);
-	fprintf(stderr, "  -A          Enable authentication agent forwarding.\n");
-	fprintf(stderr, "  -a          Disable authentication agent forwarding (default).\n");
-	fprintf(stderr, "  -X          Enable X11 connection forwarding.\n");
-	fprintf(stderr, "  -Y          Enable trusted X11 connection forwarding.\n");
-	fprintf(stderr, "  -x          Disable X11 connection forwarding (default).\n");
-	fprintf(stderr, "  -i file     Identity for public key authentication "
-	    "(default: ~/.ssh/identity)\n");
-#ifdef SMARTCARD
-	fprintf(stderr, "  -I reader   Set smartcard reader.\n");
-#endif
-	fprintf(stderr, "  -t          Tty; allocate a tty even if command is given.\n");
-	fprintf(stderr, "  -T          Do not allocate a tty.\n");
-	fprintf(stderr, "  -v          Verbose; display verbose debugging messages.\n");
-	fprintf(stderr, "              Multiple -v increases verbosity.\n");
-	fprintf(stderr, "  -V          Display version number only.\n");
-	fprintf(stderr, "  -q          Quiet; don't display any warning messages.\n");
-	fprintf(stderr, "  -f          Fork into background after authentication.\n");
-	fprintf(stderr, "  -e char     Set escape character; ``none'' = disable (default: ~).\n");
-
-	fprintf(stderr, "  -c cipher   Select encryption algorithm\n");
-	fprintf(stderr, "  -m macs     Specify MAC algorithms for protocol version 2.\n");
-	fprintf(stderr, "  -p port     Connect to this port.  Server must be on the same port.\n");
-	fprintf(stderr, "  -L listen-port:host:port   Forward local port to remote address\n");
-	fprintf(stderr, "  -R listen-port:host:port   Forward remote port to local address\n");
-	fprintf(stderr, "              These cause %s to listen for connections on a port, and\n", __progname);
-	fprintf(stderr, "              forward them to the other side by connecting to host:port.\n");
-	fprintf(stderr, "  -D port     Enable dynamic application-level port forwarding.\n");
-	fprintf(stderr, "  -C          Enable compression.\n");
-	fprintf(stderr, "  -N          Do not execute a shell or command.\n");
-	fprintf(stderr, "  -g          Allow remote hosts to connect to forwarded ports.\n");
-	fprintf(stderr, "  -1          Force protocol version 1.\n");
-	fprintf(stderr, "  -2          Force protocol version 2.\n");
-	fprintf(stderr, "  -4          Use IPv4 only.\n");
-	fprintf(stderr, "  -6          Use IPv6 only.\n");
-	fprintf(stderr, "  -o 'option' Process the option as if it was read from a configuration file.\n");
-	fprintf(stderr, "  -s          Invoke command (mandatory) as SSH2 subsystem.\n");
-	fprintf(stderr, "  -b addr     Local IP address.\n");
+	fprintf(stderr,
+"usage: ssh [-1246AaCfghkNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
+"           [-D port] [-e escape_char] [-F configfile] [-i identity_file]\n"
+"           [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option]\n"
+"           [-p port] [-R port:host:hostport] [user@]hostname [command]\n"
+	);
 	exit(1);
 }

@ -348,12 +311,8 @@ again:
 			}
 			/* fallthrough */
 		case 'V':
-			fprintf(stderr,
-			    "%s, SSH protocols %d.%d/%d.%d, %s\n",
-			    SSH_VERSION,
-			    PROTOCOL_MAJOR_1, PROTOCOL_MINOR_1,
-			    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
-			    SSLeay_version(SSLEAY_VERSION));
+			fprintf(stderr, "%s, %s\n",
+			    SSH_VERSION, SSLeay_version(SSLEAY_VERSION));
 			if (opt == 'V')
 				exit(0);
 			break;
@ -795,7 +754,7 @@ x11_get_proto(char **_proto, char **_data)
 				    xauthdir);
 				snprintf(cmd, sizeof(cmd),
 				    "%s -f %s generate %s " SSH_X11_PROTO
-				    " untrusted timeout 120 2>" _PATH_DEVNULL,
+				    " untrusted timeout 1200 2>" _PATH_DEVNULL,
 				    options.xauth_location, xauthfile, display);
 				debug2("x11_get_proto: %s", cmd);
 				if (system(cmd) == 0)
--- a/crypto/openssh/ssh_config.5
+++ b/crypto/openssh/ssh_config.5
@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.28 2003/12/16 15:49:51 markus Exp $
 .\" $FreeBSD$
+.\" $OpenBSD: ssh_config.5,v 1.28 2003/12/16 15:49:51 markus Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@ -407,6 +407,24 @@ syntax to refer to a user's home directory.
 It is possible to have
 multiple identity files specified in configuration files; all these
 identities will be tried in sequence.
+.It Cm IdentitiesOnly
+Specifies that
+.Nm ssh
+should only use the authentication identity files configured in the
+.Nm 
+files,
+even if the
+.Nm ssh-agent
+offers more identities.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+This option is intented for situations where
+.Nm ssh-agent
+offers many different identities.
+The default is
+.Dq no .
 .It Cm LocalForward
 Specifies that a TCP/IP port on the local machine be forwarded over
 the secure channel to the specified host and port from the remote machine.
--- a/crypto/openssh/sshconnect2.c
+++ b/crypto/openssh/sshconnect2.c
@ -23,7 +23,7 @@
 */

 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.134 2004/01/19 21:25:15 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.135 2004/03/05 10:53:58 markus Exp $");

 #include "openbsd-compat/sys-queue.h"

@ -1044,7 +1044,7 @@ pubkey_prepare(Authctxt *authctxt)
 					break;
 				}
 			}
-			if (!found) {
+			if (!found && !options.identities_only) {
 				id = xmalloc(sizeof(*id));
 				memset(id, 0, sizeof(*id));
 				id->key = key;
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@ -42,8 +42,8 @@
 */

 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.286 2004/02/23 12:02:33 markus Exp $");
 RCSID("$FreeBSD$");
+RCSID("$OpenBSD: sshd.c,v 1.286 2004/02/23 12:02:33 markus Exp $");

 #include <openssl/dh.h>
 #include <openssl/bn.h>
@ -106,7 +106,6 @@ extern char *__progname;
 #else
 char *__progname;
 #endif
-extern char **environ;

 /* Server configuration options. */
 ServerOptions options;
@ -573,7 +572,7 @@ privsep_preauth_child(void)
 	debug3("privsep user:group %u:%u", (u_int)pw->pw_uid,
 	    (u_int)pw->pw_gid);
 #if 0
-	/* XXX not ready, to heavy after chroot */
+	/* XXX not ready, too heavy after chroot */
 	do_setusercontext(pw);
 #else
 	gidset[0] = pw->pw_gid;
@ -769,26 +768,12 @@ drop_connection(int startups)
 static void
 usage(void)
 {
-	fprintf(stderr, "sshd version %s, %s\n",
+	fprintf(stderr, "%s, %s\n",
 	    SSH_VERSION, SSLeay_version(SSLEAY_VERSION));
-	fprintf(stderr, "Usage: %s [options]\n", __progname);
-	fprintf(stderr, "Options:\n");
-	fprintf(stderr, "  -f file    Configuration file (default %s)\n", _PATH_SERVER_CONFIG_FILE);
-	fprintf(stderr, "  -d         Debugging mode (multiple -d means more debugging)\n");
-	fprintf(stderr, "  -i         Started from inetd\n");
-	fprintf(stderr, "  -D         Do not fork into daemon mode\n");
-	fprintf(stderr, "  -t         Only test configuration file and keys\n");
-	fprintf(stderr, "  -q         Quiet (no logging)\n");
-	fprintf(stderr, "  -p port    Listen on the specified port (default: 22)\n");
-	fprintf(stderr, "  -k seconds Regenerate server key every this many seconds (default: 3600)\n");
-	fprintf(stderr, "  -g seconds Grace period for authentication (default: 600)\n");
-	fprintf(stderr, "  -b bits    Size of server RSA key (default: 768 bits)\n");
-	fprintf(stderr, "  -h file    File from which to read host key (default: %s)\n",
-	    _PATH_HOST_KEY_FILE);
-	fprintf(stderr, "  -u len     Maximum hostname length for utmp recording\n");
-	fprintf(stderr, "  -4         Use IPv4 only\n");
-	fprintf(stderr, "  -6         Use IPv6 only\n");
-	fprintf(stderr, "  -o option  Process the option as if it was read from a configuration file.\n");
+	fprintf(stderr,
+"usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]\n"
+"            [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]\n"
+	);
 	exit(1);
 }

@ -837,6 +822,9 @@ main(int ac, char **av)
 	av = saved_argv;
 #endif

+	if (geteuid() == 0 && setgroups(0, NULL) == -1)
+		debug("setgroups(): %.200s", strerror(errno));
+
 	/* Initialize configuration options to their default values. */
 	initialize_server_options(&options);

@ -945,6 +933,13 @@ main(int ac, char **av)
 	    SYSLOG_FACILITY_AUTH : options.log_facility,
 	    log_stderr || !inetd_flag);

+#ifdef _AIX
+	/*
+	 * Unset KRB5CCNAME, otherwise the user's session may inherit it from
+	 * root's environment
+	 */ 
+	unsetenv("KRB5CCNAME");
+#endif /* _AIX */
 #ifdef _UNICOS
 	/* Cray can define user privs drop all prives now!
 	 * Not needed on PRIV_SU systems!
@ -1111,11 +1106,6 @@ main(int ac, char **av)
 	   unmounted if desired. */
 	chdir("/");

-#ifndef HAVE_CYGWIN
-	/* Clear environment */
-	environ[0] = NULL;
-#endif
-
 	/* ignore SIGPIPE */
 	signal(SIGPIPE, SIG_IGN);

@ -1394,6 +1384,7 @@ main(int ac, char **av)
 	}

 	/* This is the child processing a new connection. */
+	setproctitle("%s", "[accepted]");

 	/*
 	 * Create a new session and process group since the 4.4BSD
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.28 2004/02/17 19:35:21 jmc Exp $
 .\" $FreeBSD$
+.\" $OpenBSD: sshd_config.5,v 1.28 2004/02/17 19:35:21 jmc Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@ -306,6 +306,11 @@ To use this option, the server needs a
 Kerberos servtab which allows the verification of the KDC's identity.
 Default is
 .Dq no .
+.It Cm KerberosGetAFSToken
+If AFS is active and the user has a Kerberos 5 TGT, attempt to aquire
+an AFS token before accessing the user's home directory.
+Default is
+.Dq no .
 .It Cm KerberosOrLocalPasswd
 If set then if password authentication through Kerberos fails then
 the password will be validated via any additional local mechanism
@ -457,7 +462,9 @@ the root user may be allowed in with its password even if
 .Pp
 If this option is set to
 .Dq without-password
-password authentication is disabled for root.
+password authentication is disabled for root.  Note that other authentication
+methods (e.g., keyboard-interactive/PAM) may still allow root to login using
+a password.
 .Pp
 If this option is set to
 .Dq forced-commands-only
--- a/crypto/openssh/sshlogin.c
+++ b/crypto/openssh/sshlogin.c
@ -52,11 +52,11 @@ u_long
 get_last_login_time(uid_t uid, const char *logname,
    char *buf, u_int bufsize)
 {
-  struct logininfo li;
+	struct logininfo li;

-  login_get_lastlog(&li, uid);
-  strlcpy(buf, li.hostname, bufsize);
-  return li.tv_sec;
+	login_get_lastlog(&li, uid);
+	strlcpy(buf, li.hostname, bufsize);
+	return li.tv_sec;
 }

 /*
@ -67,12 +67,12 @@ void
 record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid,
    const char *host, struct sockaddr * addr, socklen_t addrlen)
 {
-  struct logininfo *li;
+	struct logininfo *li;

-  li = login_alloc_entry(pid, user, host, ttyname);
-  login_set_addr(li, addr, addrlen);
-  login_login(li);
-  login_free_entry(li);
+	li = login_alloc_entry(pid, user, host, ttyname);
+	login_set_addr(li, addr, addrlen);
+	login_login(li);
+	login_free_entry(li);
 }

 #ifdef LOGIN_NEEDS_UTMPX
@ -80,12 +80,12 @@ void
 record_utmp_only(pid_t pid, const char *ttyname, const char *user,
 		 const char *host, struct sockaddr * addr, socklen_t addrlen)
 {
-  struct logininfo *li;
+	struct logininfo *li;

-  li = login_alloc_entry(pid, user, host, ttyname);
-  login_set_addr(li, addr, addrlen);
-  login_utmp_only(li);
-  login_free_entry(li);
+	li = login_alloc_entry(pid, user, host, ttyname);
+	login_set_addr(li, addr, addrlen);
+	login_utmp_only(li);
+	login_free_entry(li);
 }
 #endif

@ -93,9 +93,9 @@ record_utmp_only(pid_t pid, const char *ttyname, const char *user,
 void
 record_logout(pid_t pid, const char *ttyname, const char *user)
 {
-  struct logininfo *li;
+	struct logininfo *li;

-  li = login_alloc_entry(pid, user, NULL, ttyname);
-  login_logout(li);
-  login_free_entry(li);
+	li = login_alloc_entry(pid, user, NULL, ttyname);
+	login_logout(li);
+	login_free_entry(li);
 }
--- a/crypto/openssh/version.h
+++ b/crypto/openssh/version.h
@ -1,5 +1,5 @@
-/* $OpenBSD: version.h,v 1.40 2004/02/23 15:16:46 markus Exp $ */
 /* $FreeBSD$ */
+/* $OpenBSD: version.h,v 1.40 2004/02/23 15:16:46 markus Exp $ */

 #ifndef SSH_VERSION