
Update to version 1.2.28.

David E. O'Brien 2002-06-29 18:13:36 +00:00
parent 994018cd8a
commit 468e326fba
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=62177
9 changed files with 800 additions and 1350 deletions


@ -9,17 +9,13 @@
#
PORTNAME= ssh
PORTVERSION= 1.2.27 # Note, 1.2.30 is under a more restrictive license
PORTREVISION= 3
PORTVERSION= 1.2.28 # Note, 1.2.30 is under a more restrictive license
PORTREVISION= 0
CATEGORIES= security ipv6
MASTER_SITES= ftp://ftp.cs.umn.edu/dept/users/rybski/ \
ftp://ftp.net.ohio-state.edu/disk/d/security/ssh/ \
ftp://ftp.cronyx.ru/mirror/ssh/old/ \
MASTER_SITES= ftp://ftp.tokyonet.ad.jp/pub/security/ssh/old/ \
ftp://ftp.nsysu.edu.tw/Unix/Security/ssh/old/ \
ftp://ftp.tokyonet.ad.jp/.da0/security/ssh/old/ \
ftp://ftp.comp.hkbu.edu.hk/.6/unix/ \
ftp://ftp.dei.uc.pt/.disk2/Crypto/SSH/old/
ftp://ftp.cronyx.ru/mirror/ssh/old/
MAINTAINER= ports@FreeBSD.org
USE_AUTOCONF= YES
@ -66,13 +62,13 @@ CONFIGURE_ARGS+= --without-idea
.include <bsd.port.pre.mk>
.if ${OSVERSION} > 500023
LIB_DEPENDS+= gmp.5:${PORTSDIR}/math/libgmp4
LIB_DEPENDS+= gmp.3:${PORTSDIR}/math/libgmp-freebsd
MAKE_ENV+= GMPINCDIR="${LOCALBASE}/include" \
GMPLIBDIR="${LOCALBASE}/lib"
.endif
.if (${OSVERSION} >= 400016 && !defined(REALLY_WANT_SSH))
FORBIDDEN= "OpenSSH is a superior version of SSH which has been included in the FreeBSD base system since 4.0-RELEASE. This port is now deprecated and will be removed at some point in the future. To override this warning set the REALLY_WANT_SSH environment variable and rebuild."
FORBIDDEN= "OpenSSH is a superior version of SSH which has been included in the FreeBSD base system since 4.0-RELEASE. This port is now deprecated. To override this warning set the REALLY_WANT_SSH environment variable and rebuild."
.endif
MAN1= scp1.1 ssh-add1.1 ssh-agent1.1 ssh-keygen1.1 ssh1.1 \
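Review bot: Every MASTER_SITES entry in this section is a plain `ftp://` mirror, so nothing authenticates the fetched `ssh-1.2.28.tar.gz` except the checksum in distinfo, and this commit records only one MD5 line for it. If the ports framework at this revision accepts a second digest type in distinfo, recording a stronger one next to the MD5 would be worth doing. Either way I would add a comment above MASTER_SITES, `# Fetched over unauthenticated FTP; distinfo is the only integrity check, verify the tarball before regenerating it`, so the checksum is not refreshed from whatever a mirror happens to serve.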


@ -1 +1 @@
MD5 (ssh-1.2.27.tar.gz) = c22bc000bee0f7d6f4845eab72a81395
MD5 (ssh-1.2.28.tar.gz) = ce811a4844742e2ecadab1a1b53a954a


@ -1,70 +1,52 @@
--- Makefile.in.orig Wed May 12 14:19:31 1999
+++ Makefile.in Fri Apr 26 09:19:30 2002
@@ -301,12 +301,17 @@
--- Makefile.in.orig Mon Jul 3 10:07:39 2000
+++ Makefile.in Fri Jun 21 17:50:07 2002
@@ -307,13 +307,15 @@
SHELL = /bin/sh
GMPDIR = gmp-2.0.2-ssh-2
-GMPLIBS = -L$(GMPDIR) -lgmp
-GMPDIR = gmp-2.0.2-ssh-2
-GMPLIBS = @ssh_gmp_ldadd_options@
-GMPDEP = $(GMPDIR)/gmp.h $(GMPDIR)/libgmp.a
+# We have the same libgmp in the system, so use it instead
+# We have the same libgmp in the base system, so use it instead
+GMPINCDIR ?= /usr/include
+GMPLIBDIR ?= /usr/lib
+GMPLIBS = -L$(GMPLIBDIR) -lgmp
+GMPDEP = $(GMPINCDIR)/gmp.h $(GMPLIBDIR)/libgmp.a
ZLIBDIR = zlib-1.0.4
-ZLIBDEP = $(ZLIBDIR)/libz.a
-ZLIBLIBS = -L$(ZLIBDIR) -lz
+ZLIBINCDIR = /usr/include
+ZLIBLIBDIR = /usr/lib
+ZLIBDEP = $(ZLIBINCDIR)/libz.a
-ZLIBDIR = zlib-1.0.4
+ZLIBDIR = /usr/lib
ZLIBDEP = $(ZLIBDIR)/libz.a
-ZLIBLIBS = @ssh_zlib_ldadd_options@
+ZLIBLIBS = -lz
RSAREFDIR = rsaref2
RSAREFSRCDIR = $(RSAREFDIR)/source
@@ -411,7 +416,7 @@
@@ -418,7 +420,7 @@
$(CC) -o rfc-pg rfc-pg.o
.c.o:
- $(CC) -c -I. $(KERBEROS_INCS) -I$(srcdir)/$(GMPDIR) -I$(srcdir)/$(ZLIBDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $<
+ $(CC) -c -I. $(KERBEROS_INCS) -I$(GMPINCDIR) -I$(srcdir)/$(ZLIBINCDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $<
+ $(CC) -c -I. $(KERBEROS_INCS) -I$(srcdir)/$(GMPDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $<
sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP)
-rm -f sshd
@@ -454,19 +459,19 @@
@@ -461,12 +463,12 @@
sed "s#&PERL&#$(PERL)#" <$(srcdir)/make-ssh-known-hosts.pl >make-ssh-known-hosts
chmod +x make-ssh-known-hosts
-GMP_COPY_SOURCES = mpz_gcd.c mpz_powm.c mpz_pow_ui.c mpz_add.c mpz_sub.c \
- mpz_mul.c mpz_cmp.c mpz_sqrtrem.c
+XXX_DONT_GMP_COPY_SOURCES = mpz_gcd.c mpz_powm.c mpz_pow_ui.c mpz_add.c mpz_sub.c \
mpz_mul.c mpz_cmp.c mpz_sqrtrem.c
-$(GMPDIR)/libgmp.a:
- cd $(GMPDIR); $(MAKE)
-
-$(ZLIBDEP):
- -if test '!' -d $(ZLIBDIR); then \
- mkdir $(ZLIBDIR); \
- cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
- fi
- cd $(ZLIBDIR); $(MAKE) VPATH=$(srcdir)/$(ZLIBDIR):../$(srcdir)/$(ZLIBDIR) \
- CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(ZLIBDIR) \
- -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)" libz.a
+#GMP_COPY_SOURCES = mpz_gcd.c mpz_powm.c mpz_pow_ui.c mpz_add.c mpz_sub.c \
+# mpz_mul.c mpz_cmp.c mpz_sqrtrem.c
+#$(GMPDIR)/libgmp.a:
+# cd $(GMPDIR); $(MAKE)
+#
+#$(ZLIBDEP):
+# -if test '!' -d $(ZLIBDIR); then \
+# mkdir $(ZLIBDIR); \
+# cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
+# fi
+# cd $(ZLIBDIR); $(MAKE) VPATH=$(srcdir)/$(ZLIBDIR):../$(srcdir)/$(ZLIBDIR) \
+# CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(ZLIBDIR) \
+# -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)" libz.a
+XXX_DONT_$(GMPDIR)/libgmp.a:
cd $(GMPDIR); $(MAKE)
$(RSAREFSRCDIR)/librsaref.a:
-if test '!' -d $(RSAREFDIR); then \
@@ -523,7 +528,7 @@
-$(ZLIBDEP):
+XXX_DONT_$(ZLIBDEP):
-if test '!' -d $(ZLIBDIR); then \
mkdir $(ZLIBDIR); \
cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
@@ -530,7 +532,7 @@
# (otherwise it can only log in as the user it runs as, and must be
# bound to a non-privileged port). Also, password authentication may
# not be available if non-root and using shadow passwords.
@ -73,49 +55,12 @@
-rm -f $(install_prefix)$(bindir)/ssh1.old
-chmod 755 $(install_prefix)$(bindir)/ssh1
-chmod 755 $(install_prefix)$(bindir)/ssh
@@ -679,15 +684,15 @@
clean:
-rm -f *.o gmon.out *core $(PROGRAMS) rfc-pg
- cd $(GMPDIR); $(MAKE) clean
+# cd $(GMPDIR); $(MAKE) clean
# cd $(RSAREFSRCDIR); rm -f *.o *.a
- cd $(ZLIBDIR); $(MAKE) clean
+# cd $(ZLIBDIR); $(MAKE) clean
distclean: clean
-rm -f Makefile config.status config.cache config.log config.h
-rm -f ssh.1 sshd.8 make-ssh-known-hosts.1
- cd $(GMPDIR); $(MAKE) distclean
- cd $(ZLIBDIR); $(MAKE) distclean
+# cd $(GMPDIR); $(MAKE) distclean
+# cd $(ZLIBDIR); $(MAKE) distclean
dist: dist-free
@@ -716,12 +721,12 @@
-mkdir $(DISTNAME)
cp $(DISTFILES) $(DISTNAME)
for i in $(DISTSRCS); do cp $(srcdir)/$$i $(DISTNAME); done
- (cd $(GMPDIR); make dist)
- gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - )
+# (cd $(GMPDIR); make dist)
+# gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - )
# tar cf - $(RSAREFDIR) | (cd $(DISTNAME); tar xf -)
# cd $(DISTNAME)/$(RSAREFSRCDIR); rm -f *.o *.a
- (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -)
- cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS
+# (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -)
+# cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS
#ifdef F_SECURE_COMMERCIAL
#
@@ -749,7 +754,7 @@
@@ -756,7 +758,7 @@
(echo "s/\.$$old_version\"/.$$new_version\"/g"; echo w; echo q) | ed $(srcdir)/version.h >/dev/null
depend:
- $(MAKEDEP) -I$(srcdir) -I. -I$(GMPDIR) -I$(ZLIBDIR) $(DEFS) $(SRCS)
+ $(MAKEDEP) -I$(srcdir) -I. $(DEFS) $(SRCS)
+ $(MAKEDEP) -I$(srcdir) -I. -I$(GMPINCDIR) $(DEFS) $(SRCS)
tags:
-rm -f TAGS
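Review bot: The `.c.o` rule and the `depend` rule in this section do not clearly agree on where the GMP headers come from: one `.c.o` line still passes `-I$(srcdir)/$(GMPDIR)` while one `depend` line passes `-I$(GMPINCDIR)`, and the rewritten variable block removes the `GMPDIR` assignment. The rendering has lost the outer +/- markers, so which line of each pair is the new side is only inferred from print order. If the `-I$(srcdir)/$(GMPDIR)` form is the new one, it expands to a bare `-I$(srcdir)/` and the `GMPINCDIR` value that the port Makefile passes through MAKE_ENV never reaches the compiler; using `-I$(GMPINCDIR)` in the `.c.o` rule would keep compilation and dependency generation on the same header path. The renamed `XXX_DONT_$(GMPDIR)/libgmp.a:` and `XXX_DONT_$(ZLIBDEP):` targets would also read better with a comment such as `# disabled: link against the system libgmp/libz, do not build the bundled copies`.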

File diff suppressed because it is too large Load Diff


@ -1,25 +0,0 @@
--- rsaglue.c.orig Tue Nov 9 11:12:32 1999
+++ rsaglue.c Tue Nov 9 11:17:58 1999
@@ -139,6 +139,10 @@
input_bits = mpz_sizeinbase(input, 2);
input_len = (input_bits + 7) / 8;
+ if(input_bits > MAX_RSA_MODULUS_BITS)
+ fatal("Attempted to encrypt a block too large (%d bits, %d max) (malicious?).",
+ input_bits, MAX_RSA_MODULUS_BITS);
+
gmp_to_rsaref(input_data, input_len, input);
rsaref_public_key(&public_key, key);
@@ -172,6 +176,10 @@
input_bits = mpz_sizeinbase(input, 2);
input_len = (input_bits + 7) / 8;
+ if(input_bits > MAX_RSA_MODULUS_BITS)
+ fatal("Received session key too long (%d bits, %d max) (malicious?).",
+ input_bits, MAX_RSA_MODULUS_BITS);
+
gmp_to_rsaref(input_data, input_len, input);
rsaref_private_key(&private_key, key);


@ -1,14 +1,12 @@
*** readconf.h.orig Wed May 12 13:19:27 1999
--- readconf.h Mon Jan 10 22:56:13 2000
***************
*** 98,103 ****
--- 98,106 ----
int use_privileged_port; /* Use privileged port */
int port; /* Port to connect. */
+ #ifdef ENABLE_ANOTHER_PORT_TRY
+ int another_port; /* Port to connect for -A option. */
+ #endif /* ENABLE_ANOTHER_PORT_TRY */
int connection_attempts; /* Max attempts (seconds) before giving up */
int number_of_password_prompts; /* Max number of password prompts */
int password_prompt_login; /* Show remote login at password prompt */
--- readconf.h.orig Thu Jan 17 05:35:34 2002
+++ readconf.h Fri Jun 21 16:36:20 2002
@@ -102,6 +102,9 @@
int use_privileged_port; /* Use privileged port */
int port; /* Port to connect. */
+#ifdef ENABLE_ANOTHER_PORT_TRY
+ int another_port; /* Port to connect for -A option. */
+#endif /* ENABLE_ANOTHER_PORT_TRY */
int connection_attempts; /* Max attempts (seconds) before giving up */
int number_of_password_prompts; /* Max number of password prompts */
int password_prompt_login; /* Show remote login at password prompt */


@ -1,197 +1,158 @@
*** servconf.c.orig Wed May 12 13:19:28 1999
--- servconf.c Mon Jan 10 22:56:13 2000
***************
*** 81,88 ****
void initialize_server_options(ServerOptions *options)
{
memset(options, 0, sizeof(*options));
! options->port = -1;
! options->listen_addr.s_addr = INADDR_ANY;
options->host_key_file = NULL;
options->random_seed_file = NULL;
options->pid_file = NULL;
--- 81,88 ----
void initialize_server_options(ServerOptions *options)
{
memset(options, 0, sizeof(*options));
! options->num_ports = 0;
! options->listen_addrs = NULL;
options->host_key_file = NULL;
options->random_seed_file = NULL;
options->pid_file = NULL;
***************
*** 92,97 ****
--- 92,100 ----
options->permit_root_login = -1;
options->ignore_rhosts = -1;
options->ignore_root_rhosts = -1;
+ #ifdef ENABLE_LOG_AUTH
+ options->log_auth = -1;
+ #endif /* ENABLE_LOG_AUTH */
options->quiet_mode = -1;
options->fascist_logging = -1;
options->print_motd = -1;
***************
*** 138,153 ****
void fill_default_server_options(ServerOptions *options)
{
! if (options->port == -1)
{
! struct servent *sp;
!
! sp = getservbyname(SSH_SERVICE_NAME, "tcp");
! if (sp)
! options->port = ntohs(sp->s_port);
! else
! options->port = SSH_DEFAULT_PORT;
! endservent();
}
if (options->host_key_file == NULL)
options->host_key_file = HOST_KEY_FILE;
--- 141,171 ----
void fill_default_server_options(ServerOptions *options)
{
! struct addrinfo hints, *ai, *aitop;
! char strport[PORTSTRLEN];
! int i;
!
! if (options->num_ports == 0)
! options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
! if (options->listen_addrs == NULL)
{
! for (i = 0; i < options->num_ports; i++)
! {
! memset(&hints, 0, sizeof(hints));
! hints.ai_flags = AI_PASSIVE;
! hints.ai_family = IPv4or6;
! hints.ai_socktype = SOCK_STREAM;
! sprintf(strport, "%d", options->ports[i]);
! if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
! {
! fprintf(stderr, "fatal: getaddrinfo: Cannot get anyaddr.\n");
! exit(1);
! }
! for (ai = aitop; ai->ai_next; ai = ai->ai_next);
! ai->ai_next = options->listen_addrs;
! options->listen_addrs = aitop;
! }
! /* freeaddrinfo(options->listen_addrs) in sshd.c */
}
if (options->host_key_file == NULL)
options->host_key_file = HOST_KEY_FILE;
***************
*** 243,248 ****
--- 261,269 ----
{
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
sPermitRootLogin, sQuietMode, sFascistLogging, sLogFacility,
+ #ifdef ENABLE_LOG_AUTH
+ sLogAuth,
+ #endif /* ENABLE_LOG_AUTH */
sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
sTISAuthentication, sPasswordAuthentication, sAllowHosts, sDenyHosts,
sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
***************
*** 275,280 ****
--- 296,304 ----
{ "quietmode", sQuietMode },
{ "fascistlogging", sFascistLogging },
{ "syslogfacility", sLogFacility },
+ #ifdef ENABLE_LOG_AUTH
+ { "logauth", sLogAuth },
+ #endif /* ENABLE_LOG_AUTH */
{ "rhostsauthentication", sRhostsAuthentication },
{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
{ "rsaauthentication", sRSAAuthentication },
***************
*** 367,372 ****
--- 391,399 ----
char *cp, **charptr;
int linenum, *intptr, i, value;
ServerOpCodes opcode;
+ struct addrinfo hints, *ai, *aitop;
+ char strport[PORTSTRLEN];
+ int gaierr;
f = fopen(filename, "r");
if (!f)
***************
*** 389,395 ****
switch (opcode)
{
case sPort:
! intptr = &options->port;
parse_int:
cp = strtok(NULL, WHITESPACE);
if (!cp)
--- 416,429 ----
switch (opcode)
{
case sPort:
! if (options->num_ports >= MAX_PORTS)
! {
! fprintf(stderr, "%s line %d: too many ports.\n",
! filename, linenum);
! exit(1);
! }
! options->ports[options->num_ports] = -1;
! intptr = &options->ports[options->num_ports++];
parse_int:
cp = strtok(NULL, WHITESPACE);
if (!cp)
***************
*** 452,462 ****
filename, linenum);
exit(1);
}
! #ifdef BROKEN_INET_ADDR
! options->listen_addr.s_addr = inet_network(cp);
! #else /* BROKEN_INET_ADDR */
! options->listen_addr.s_addr = inet_addr(cp);
! #endif /* BROKEN_INET_ADDR */
break;
case sHostKeyFile:
--- 486,510 ----
filename, linenum);
exit(1);
}
! if (options->num_ports == 0)
! options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
! for (i = 0; i < options->num_ports; i++)
! {
! memset(&hints, 0, sizeof(hints));
! hints.ai_family = IPv4or6;
! hints.ai_socktype = SOCK_STREAM;
! sprintf(strport, "%d", options->ports[i]);
! if ((gaierr = getaddrinfo(cp, strport, &hints, &aitop)) != 0)
! {
! fprintf(stderr, "%s line %d: bad addr or host. (%s)\n",
! filename, linenum, gai_strerror(gaierr));
! exit(1);
! }
! for (ai = aitop; ai->ai_next; ai = ai->ai_next);
! ai->ai_next = options->listen_addrs;
! options->listen_addrs = aitop;
! }
! strtok(cp, WHITESPACE); /* getaddrinfo() may use strtok() */
break;
case sHostKeyFile:
***************
*** 531,536 ****
--- 579,590 ----
if (*intptr == -1)
*intptr = value;
break;
+
+ #ifdef ENABLE_LOG_AUTH
+ case sLogAuth:
+ intptr = &options->log_auth;
+ goto parse_flag;
+ #endif /* ENABLE_LOG_AUTH */
case sIgnoreRhosts:
intptr = &options->ignore_rhosts;
--- servconf.c.orig Thu Jan 17 05:35:34 2002
+++ servconf.c Fri Jun 21 16:22:56 2002
@@ -88,8 +88,8 @@
void initialize_server_options(ServerOptions *options)
{
memset(options, 0, sizeof(*options));
- options->port = -1;
- options->listen_addr.s_addr = INADDR_ANY;
+ options->num_ports = 0;
+ options->listen_addrs = NULL;
options->host_key_file = NULL;
options->random_seed_file = NULL;
options->pid_file = NULL;
@@ -99,6 +99,9 @@
options->permit_root_login = -1;
options->ignore_rhosts = -1;
options->ignore_root_rhosts = -1;
+#ifdef ENABLE_LOG_AUTH
+ options->log_auth = -1;
+#endif /* ENABLE_LOG_AUTH */
options->quiet_mode = -1;
options->fascist_logging = -1;
options->print_motd = -1;
@@ -145,17 +148,33 @@
void fill_default_server_options(ServerOptions *options)
{
- if (options->port == -1)
+ struct addrinfo hints, *ai, *aitop;
+ char strport[PORTSTRLEN];
+ int i;
+
+ if (options->num_ports == 0)
+ options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
+ if (options->listen_addrs == NULL)
{
- struct servent *sp;
+ for (i = 0; i < options->num_ports; i++)
+ {
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_flags = AI_PASSIVE;
+ hints.ai_family = IPv4or6;
+ hints.ai_socktype = SOCK_STREAM;
+ sprintf(strport, "%d", options->ports[i]);
+ if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
+ {
+ fprintf(stderr, "fatal: getaddrinfo: Cannot get anyaddr.\n");
+ exit(1);
+ }
+ for (ai = aitop; ai->ai_next; ai = ai->ai_next);
+ ai->ai_next = options->listen_addrs;
+ options->listen_addrs = aitop;
+ }
+ /* freeaddrinfo(options->listen_addrs) in sshd.c */
+ }
- sp = getservbyname(SSH_SERVICE_NAME, "tcp");
- if (sp)
- options->port = ntohs(sp->s_port);
- else
- options->port = SSH_DEFAULT_PORT;
- endservent();
- }
if (options->host_key_file == NULL)
options->host_key_file = HOST_KEY_FILE;
if (options->random_seed_file == NULL)
@@ -250,6 +269,9 @@
{
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
sPermitRootLogin, sQuietMode, sFascistLogging, sLogFacility,
+#ifdef ENABLE_LOG_AUTH
+ sLogAuth,
+#endif /* ENABLE_LOG_AUTH */
sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
sTISAuthentication, sPasswordAuthentication, sAllowHosts, sDenyHosts,
sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
@@ -282,6 +304,9 @@
{ "quietmode", sQuietMode },
{ "fascistlogging", sFascistLogging },
{ "syslogfacility", sLogFacility },
+#ifdef ENABLE_LOG_AUTH
+ { "logauth", sLogAuth },
+#endif /* ENABLE_LOG_AUTH */
{ "rhostsauthentication", sRhostsAuthentication },
{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
{ "rsaauthentication", sRSAAuthentication },
@@ -375,6 +400,9 @@
char *cp, **charptr;
int linenum, *intptr, i, value;
ServerOpCodes opcode;
+ struct addrinfo hints, *ai, *aitop;
+ char strport[PORTSTRLEN];
+ int gaierr;
f = fopen(filename, "r");
if (!f)
@@ -397,7 +425,14 @@
switch (opcode)
{
case sPort:
- intptr = &options->port;
+ if (options->num_ports >= MAX_PORTS)
+ {
+ fprintf(stderr, "%s line %d: too many ports.\n",
+ filename, linenum);
+ exit(1);
+ }
+ options->ports[options->num_ports] = -1;
+ intptr = &options->ports[options->num_ports++];
parse_int:
cp = strtok(NULL, WHITESPACE);
if (!cp)
@@ -460,12 +495,26 @@
filename, linenum);
exit(1);
}
-#ifdef BROKEN_INET_ADDR
- options->listen_addr.s_addr = inet_network(cp);
-#else /* BROKEN_INET_ADDR */
- options->listen_addr.s_addr = inet_addr(cp);
-#endif /* BROKEN_INET_ADDR */
- break;
+ if (options->num_ports == 0)
+ options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
+ for (i = 0; i < options->num_ports; i++)
+ {
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = IPv4or6;
+ hints.ai_socktype = SOCK_STREAM;
+ sprintf(strport, "%d", options->ports[i]);
+ if ((gaierr = getaddrinfo(cp, strport, &hints, &aitop)) != 0)
+ {
+ fprintf(stderr, "%s line %d: bad addr or host. (%s)\n",
+ filename, linenum, gai_strerror(gaierr));
+ exit(1);
+ }
+ for (ai = aitop; ai->ai_next; ai = ai->ai_next);
+ ai->ai_next = options->listen_addrs;
+ options->listen_addrs = aitop;
+ }
+ strtok(cp, WHITESPACE); /* getaddrinfo() may use strtok() */
+ break;
case sHostKeyFile:
charptr = &options->host_key_file;
@@ -539,6 +588,12 @@
if (*intptr == -1)
*intptr = value;
break;
+
+#ifdef ENABLE_LOG_AUTH
+ case sLogAuth:
+ intptr = &options->log_auth;
+ goto parse_flag;
+#endif /* ENABLE_LOG_AUTH */
case sIgnoreRhosts:
intptr = &options->ignore_rhosts;
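Review bot: Both new `sprintf(strport, "%d", options->ports[i])` calls, in fill_default_server_options and in the ListenAddress case, write into `char strport[PORTSTRLEN]` with no length bound, and nothing visible here range-checks the value that the `Port` keyword stores into `options->ports[]`. PORTSTRLEN is defined outside this patch, so whether it can hold the longest rendering of an int (sign, ten digits and the terminator) cannot be confirmed from the page. Bounding the write with `snprintf(strport, sizeof(strport), "%d", options->ports[i]);` and rejecting values outside 1-65535 where the port is parsed would remove the dependency on that constant. Both functions start and end outside the hunks shown.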


@ -1,45 +1,32 @@
*** servconf.h.orig Wed May 12 13:19:28 1999
--- servconf.h Mon Jan 10 22:56:13 2000
***************
*** 64,69 ****
--- 64,71 ----
#ifndef SERVCONF_H
#define SERVCONF_H
+ #define MAX_PORTS 256 /* Max # hosts on allow list. */
+
#define MAX_ALLOW_SHOSTS 256 /* Max # hosts on allow shosts list. */
#define MAX_DENY_SHOSTS 256 /* Max # hosts on deny shosts list. */
#define MAX_ALLOW_HOSTS 256 /* Max # hosts on allow list. */
***************
*** 82,89 ****
typedef struct
{
! int port; /* Port number to listen on. */
! struct in_addr listen_addr; /* Address on which the server listens. */
char *host_key_file; /* File containing host key. */
char *random_seed_file; /* File containing random seed. */
char *pid_file; /* File containing process ID number. */
--- 84,92 ----
typedef struct
{
! unsigned int num_ports;
! int ports[MAX_PORTS]; /* Port number to listen on. */
! struct addrinfo *listen_addrs;/* Addresses on which the server listens. */
char *host_key_file; /* File containing host key. */
char *random_seed_file; /* File containing random seed. */
char *pid_file; /* File containing process ID number. */
***************
*** 91,96 ****
--- 94,102 ----
int login_grace_time; /* Disconnect if no auth in this time (sec). */
int key_regeneration_time; /* Server key lifetime (seconds). */
int permit_root_login; /* 0 = forced cmd only, 1 = no pwd, 2 = yes. */
+ #ifdef ENABLE_LOG_AUTH
+ int log_auth; /* If true, log authentication info. */
+ #endif /* ENABLE_LOG_AUTH */
int ignore_rhosts; /* Ignore .rhosts and .shosts. */
int ignore_root_rhosts; /* Ignore .rhosts and .shosts for root,
defaults to ignore_rhosts if not given. */
--- servconf.h.orig Thu Jan 17 05:35:34 2002
+++ servconf.h Fri Jun 21 16:24:35 2002
@@ -68,6 +68,7 @@
#ifndef SERVCONF_H
#define SERVCONF_H
+#define MAX_PORTS 256 /* Max # hosts on allow list. */
#define MAX_ALLOW_SHOSTS 256 /* Max # hosts on allow shosts list. */
#define MAX_DENY_SHOSTS 256 /* Max # hosts on deny shosts list. */
#define MAX_ALLOW_HOSTS 256 /* Max # hosts on allow list. */
@@ -86,8 +87,9 @@
typedef struct
{
- int port; /* Port number to listen on. */
- struct in_addr listen_addr; /* Address on which the server listens. */
+ unsigned int num_ports;
+ int ports[MAX_PORTS]; /* Port number to listen on. */
+ struct addrinfo *listen_addrs;/* Addresses on which the server listens. */
char *host_key_file; /* File containing host key. */
char *random_seed_file; /* File containing random seed. */
char *pid_file; /* File containing process ID number. */
@@ -95,6 +97,9 @@
int login_grace_time; /* Disconnect if no auth in this time (sec). */
int key_regeneration_time; /* Server key lifetime (seconds). */
int permit_root_login; /* 0 = forced cmd only, 1 = no pwd, 2 = yes. */
+#ifdef ENABLE_LOG_AUTH
+ int log_auth; /* If true, log authentication info. */
+#endif /* ENABLE_LOG_AUTH */
int ignore_rhosts; /* Ignore .rhosts and .shosts. */
int ignore_root_rhosts; /* Ignore .rhosts and .shosts for root,
defaults to ignore_rhosts if not given. */
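Review bot: The comment on the new `#define MAX_PORTS 256` is copied from MAX_ALLOW_HOSTS and reads "Max # hosts on allow list.", which misdescribes a constant that sizes `ports[]` and is the limit tested by the `Port` case in servconf.c. I would change it to `#define MAX_PORTS 256 /* Max # of ports to listen on. */` and give `unsigned int num_ports;` its own comment, for example `/* Number of valid entries in ports[]. */`. The struct definition continues outside the hunk.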


@ -1,167 +0,0 @@
Note that this patch has been incorporated into the port due to problems
with patching a autoconf generated configure script. The script itself contains
linenumbers and in case of two patches against that script the second one fails
because it expects something that the first patch has already changed. The
only clean way is to re-generate it with autoconf. *sigh*
This patch was fetched from
http://www.ssh.org/patches/patch-ssh-1.2.27-bsd.tty.chown
- torstenb@FreeBSD.org, Tue Jan 11 21:36:46 CET 2000
Patch for problem with tty ownership with chflags and chown in BSD 4.4
variants. Fixes a security bug in tty allocation.
This patch works for ssh-1.2.27.
Apply with the following commands:
% cd /wherever/you/hold/your/sources/ssh-1.2.27
% patch -p1 -l < /path/to/where/you/saved/patch-ssh-1.2.27-bsd.tty.chown
% ./configure --whatever-config-flags-you-use
% make clean
% make
% su
Password: ***********
# make install
# kill -HUP `cat /var/run/sshd.pid`
You should be all set.
Sami Lehtinen <sjl@ssh.fi>
--begin patch--
diff -u --recursive -X /u/sjl/bin/diff-src-db auth-passwd.c.orig auth-passwd.c
--- auth-passwd.c.orig Wed May 12 14:19:23 1999
+++ auth-passwd.c Wed Aug 11 19:49:32 1999
@@ -613,7 +613,13 @@
/* get_name pulls out just the name not the
type */
strcpy(ccname + 5, krb5_cc_get_name(ssh_context, ccache));
- (void) chown(ccname + 5, pw->pw_uid, pw->pw_gid);
+ if (chown(ccname + 5, pw->pw_uid, pw->pw_gid) < 0)
+ {
+ log_msg("Kerberos: chown failed for %s, error: %s",
+ ccname + 5, strerror(errno));
+ packet_send_debug("Kerberos: chown failed for %s", ccname + 5);
+ goto errout;
+ }
/* If tgt was passed unlink file */
if (ticket)
diff -u --recursive -X /u/sjl/bin/diff-src-db config.h.in.orig config.h.in
--- config.h.in.orig Wed May 12 14:20:04 1999
+++ config.h.in Wed Aug 11 20:20:51 1999
@@ -360,6 +360,9 @@
/* Define if you have the authenticate function. */
#undef HAVE_AUTHENTICATE
+/* Define if you have the chflags function. */
+#undef HAVE_CHFLAGS
+
/* Define if you have the clock function. */
#undef HAVE_CLOCK
diff -u --recursive -X /u/sjl/bin/diff-src-db configure.in.orig configure.in
--- configure.in.orig Wed May 12 14:20:02 1999
+++ configure.in Wed Aug 11 20:05:13 1999
@@ -433,6 +433,7 @@
AC_CHECK_FUNCS(strchr memcpy setlogin openpty _getpty clock fchmod ulimit)
AC_CHECK_FUNCS(gethostname getdtablesize umask innetgr initgroups setpgrp)
AC_CHECK_FUNCS(setpgid daemon waitpid ttyslot authenticate getpt isastream)
+AC_CHECK_FUNCS(chflags)
AC_REPLACE_FUNCS(strerror memmove remove random putenv crypt socketpair snprintf)
diff -u --recursive -X /u/sjl/bin/diff-src-db sshd.c.orig sshd.c
--- sshd.c.orig Wed May 12 14:19:29 1999
+++ sshd.c Wed Aug 11 20:26:31 1999
@@ -2897,9 +2897,87 @@
tty_mode = S_IRUSR|S_IWUSR|S_IWGRP|S_IWOTH;
}
+ retry_chown:
+
/* Change ownership of the tty. */
- (void)chown(ttyname, pw->pw_uid, tty_gid);
- (void)chmod(ttyname, tty_mode);
+ if (chown(ttyname, pw->pw_uid, tty_gid) < 0)
+ {
+ /* chown failed. Atleast two possibilities. Either we are not
+ running as root, in which case this is OK, or we are running
+ on BSD, and somebody has put some flags to the tty. */
+
+ /* Check whether we are root or not.*/
+ if (getuid() != UID_ROOT)
+ {
+ /* We are not, and then this is OK. */
+ debug("chown failed (but we're not root anyway) for "
+ "%s, error %s", ttyname, strerror(errno));
+ }
+ else
+ {
+#ifdef HAVE_CHFLAGS
+ static int retrying = 0;
+ struct stat st;
+
+ if (!retrying)
+ {
+ debug("chown failed for %s, error: %s. Removing "
+ "user-settable flags, and retrying.",
+ ttyname, strerror(errno));
+
+ if (stat(ttyname, &st) < 0)
+ {
+ error("stat failed for %s, error: %s",
+ ttyname, strerror(errno));
+ }
+ else
+ {
+ debug("Removing user-settable flags with "
+ "chflags.");
+ /* Remove user definable flags. */
+ if (chflags(ttyname, st.st_flags &
+ ~(UF_NODUMP | UF_IMMUTABLE |
+ UF_APPEND | UF_OPAQUE)) < 0)
+ {
+ debug("chflags failed for %s, error: %s",
+ ttyname, strerror(errno));
+ }
+ else
+ {
+ debug("Retrying...");
+ retrying = 1;
+ goto retry_chown;
+ }
+ }
+ }
+ else
+ {
+ debug("chown failed even with retry. error: %s",
+ strerror(errno));
+ }
+
+#endif /* HAVE_CHFLAGS */
+ error("ssh_pty_allocate_and_fork: chown failed for %s.",
+ ttyname);
+ goto fail;
+ }
+ }
+
+ if (chmod(ttyname, tty_mode) < 0)
+ {
+ if (getuid() != UID_ROOT)
+ {
+ /* We are not, and then this is (probably) OK. */
+ debug("chmod failed (but we're not root anyway) for "
+ "%s, error %s", ttyname, strerror(errno));
+ }
+ else
+ {
+ error("ssh_pty_allocate_and_fork: chmod %s: %s",
+ ttyname, strerror(errno));
+ goto fail;
+ }
+ }
/* Get TERM from the packet. Note that the value may be of arbitrary
length. */