From 468e326fba024f6c54ef84256e8f26febeddf08b Mon Sep 17 00:00:00 2001 From: "David E. O'Brien" Date: Sat, 29 Jun 2002 18:13:36 +0000 Subject: [PATCH] Update to version 1.2.28. --- security/ssh/Makefile | 18 +- security/ssh/distinfo | 2 +- security/ssh/files/patch-ac | 107 +-- security/ssh/files/patch-af | 1373 ++++++++++++++--------------------- security/ssh/files/patch-ax | 25 - security/ssh/files/patch-bm | 26 +- security/ssh/files/patch-bo | 355 ++++----- security/ssh/files/patch-bp | 77 +- security/ssh/files/patch-xa | 167 ----- 9 files changed, 800 insertions(+), 1350 deletions(-) delete mode 100644 security/ssh/files/patch-ax delete mode 100644 security/ssh/files/patch-xa diff --git a/security/ssh/Makefile b/security/ssh/Makefile index 00c1456b2648..b8338ef6c4db 100644 --- a/security/ssh/Makefile +++ b/security/ssh/Makefile @@ -9,17 +9,13 @@ # PORTNAME= ssh -PORTVERSION= 1.2.27 # Note, 1.2.30 is under a more restrictive license -PORTREVISION= 3 +PORTVERSION= 1.2.28 # Note, 1.2.30 is under a more restrictive license +PORTREVISION= 0 CATEGORIES= security ipv6 -MASTER_SITES= ftp://ftp.cs.umn.edu/dept/users/rybski/ \ - ftp://ftp.net.ohio-state.edu/disk/d/security/ssh/ \ - ftp://ftp.cronyx.ru/mirror/ssh/old/ \ +MASTER_SITES= ftp://ftp.tokyonet.ad.jp/pub/security/ssh/old/ \ ftp://ftp.nsysu.edu.tw/Unix/Security/ssh/old/ \ - ftp://ftp.tokyonet.ad.jp/.da0/security/ssh/old/ \ - ftp://ftp.comp.hkbu.edu.hk/.6/unix/ \ - ftp://ftp.dei.uc.pt/.disk2/Crypto/SSH/old/ - + ftp://ftp.cronyx.ru/mirror/ssh/old/ + MAINTAINER= ports@FreeBSD.org USE_AUTOCONF= YES @@ -66,13 +62,13 @@ CONFIGURE_ARGS+= --without-idea .include .if ${OSVERSION} > 500023 -LIB_DEPENDS+= gmp.5:${PORTSDIR}/math/libgmp4 +LIB_DEPENDS+= gmp.3:${PORTSDIR}/math/libgmp-freebsd MAKE_ENV+= GMPINCDIR="${LOCALBASE}/include" \ GMPLIBDIR="${LOCALBASE}/lib" .endif .if (${OSVERSION} >= 400016 && !defined(REALLY_WANT_SSH)) -FORBIDDEN= "OpenSSH is a superior version of SSH which has been included in the FreeBSD base system since 4.0-RELEASE. This port is now deprecated and will be removed at some point in the future. To override this warning set the REALLY_WANT_SSH environment variable and rebuild." +FORBIDDEN= "OpenSSH is a superior version of SSH which has been included in the FreeBSD base system since 4.0-RELEASE. This port is now deprecated. To override this warning set the REALLY_WANT_SSH environment variable and rebuild." .endif MAN1= scp1.1 ssh-add1.1 ssh-agent1.1 ssh-keygen1.1 ssh1.1 \ diff --git a/security/ssh/distinfo b/security/ssh/distinfo index bf690165936c..d1c97e753f1c 100644 --- a/security/ssh/distinfo +++ b/security/ssh/distinfo @@ -1 +1 @@ -MD5 (ssh-1.2.27.tar.gz) = c22bc000bee0f7d6f4845eab72a81395 +MD5 (ssh-1.2.28.tar.gz) = ce811a4844742e2ecadab1a1b53a954a diff --git a/security/ssh/files/patch-ac b/security/ssh/files/patch-ac index 29bdcba285ff..02fc5eae34fd 100644 --- a/security/ssh/files/patch-ac +++ b/security/ssh/files/patch-ac @@ -1,70 +1,52 @@ ---- Makefile.in.orig Wed May 12 14:19:31 1999 -+++ Makefile.in Fri Apr 26 09:19:30 2002 -@@ -301,12 +301,17 @@ +--- Makefile.in.orig Mon Jul 3 10:07:39 2000 ++++ Makefile.in Fri Jun 21 17:50:07 2002 +@@ -307,13 +307,15 @@ + SHELL = /bin/sh - GMPDIR = gmp-2.0.2-ssh-2 --GMPLIBS = -L$(GMPDIR) -lgmp +-GMPDIR = gmp-2.0.2-ssh-2 +-GMPLIBS = @ssh_gmp_ldadd_options@ -GMPDEP = $(GMPDIR)/gmp.h $(GMPDIR)/libgmp.a -+# We have the same libgmp in the system, so use it instead ++# We have the same libgmp in the base system, so use it instead +GMPINCDIR ?= /usr/include +GMPLIBDIR ?= /usr/lib +GMPLIBS = -L$(GMPLIBDIR) -lgmp +GMPDEP = $(GMPINCDIR)/gmp.h $(GMPLIBDIR)/libgmp.a - ZLIBDIR = zlib-1.0.4 --ZLIBDEP = $(ZLIBDIR)/libz.a --ZLIBLIBS = -L$(ZLIBDIR) -lz -+ZLIBINCDIR = /usr/include -+ZLIBLIBDIR = /usr/lib -+ZLIBDEP = $(ZLIBINCDIR)/libz.a +-ZLIBDIR = zlib-1.0.4 ++ZLIBDIR = /usr/lib + ZLIBDEP = $(ZLIBDIR)/libz.a +-ZLIBLIBS = @ssh_zlib_ldadd_options@ +ZLIBLIBS = -lz RSAREFDIR = rsaref2 RSAREFSRCDIR = $(RSAREFDIR)/source -@@ -411,7 +416,7 @@ +@@ -418,7 +420,7 @@ $(CC) -o rfc-pg rfc-pg.o .c.o: - $(CC) -c -I. $(KERBEROS_INCS) -I$(srcdir)/$(GMPDIR) -I$(srcdir)/$(ZLIBDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $< -+ $(CC) -c -I. $(KERBEROS_INCS) -I$(GMPINCDIR) -I$(srcdir)/$(ZLIBINCDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $< ++ $(CC) -c -I. $(KERBEROS_INCS) -I$(srcdir)/$(GMPDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $< sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP) -rm -f sshd -@@ -454,19 +459,19 @@ +@@ -461,12 +463,12 @@ sed "s#&PERL&#$(PERL)#" <$(srcdir)/make-ssh-known-hosts.pl >make-ssh-known-hosts chmod +x make-ssh-known-hosts -GMP_COPY_SOURCES = mpz_gcd.c mpz_powm.c mpz_pow_ui.c mpz_add.c mpz_sub.c \ -- mpz_mul.c mpz_cmp.c mpz_sqrtrem.c ++XXX_DONT_GMP_COPY_SOURCES = mpz_gcd.c mpz_powm.c mpz_pow_ui.c mpz_add.c mpz_sub.c \ + mpz_mul.c mpz_cmp.c mpz_sqrtrem.c -$(GMPDIR)/libgmp.a: -- cd $(GMPDIR); $(MAKE) -- --$(ZLIBDEP): -- -if test '!' -d $(ZLIBDIR); then \ -- mkdir $(ZLIBDIR); \ -- cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \ -- fi -- cd $(ZLIBDIR); $(MAKE) VPATH=$(srcdir)/$(ZLIBDIR):../$(srcdir)/$(ZLIBDIR) \ -- CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(ZLIBDIR) \ -- -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)" libz.a -+#GMP_COPY_SOURCES = mpz_gcd.c mpz_powm.c mpz_pow_ui.c mpz_add.c mpz_sub.c \ -+# mpz_mul.c mpz_cmp.c mpz_sqrtrem.c -+#$(GMPDIR)/libgmp.a: -+# cd $(GMPDIR); $(MAKE) -+# -+#$(ZLIBDEP): -+# -if test '!' -d $(ZLIBDIR); then \ -+# mkdir $(ZLIBDIR); \ -+# cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \ -+# fi -+# cd $(ZLIBDIR); $(MAKE) VPATH=$(srcdir)/$(ZLIBDIR):../$(srcdir)/$(ZLIBDIR) \ -+# CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(ZLIBDIR) \ -+# -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)" libz.a ++XXX_DONT_$(GMPDIR)/libgmp.a: + cd $(GMPDIR); $(MAKE) - $(RSAREFSRCDIR)/librsaref.a: - -if test '!' -d $(RSAREFDIR); then \ -@@ -523,7 +528,7 @@ +-$(ZLIBDEP): ++XXX_DONT_$(ZLIBDEP): + -if test '!' -d $(ZLIBDIR); then \ + mkdir $(ZLIBDIR); \ + cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \ +@@ -530,7 +532,7 @@ # (otherwise it can only log in as the user it runs as, and must be # bound to a non-privileged port). Also, password authentication may # not be available if non-root and using shadow passwords. @@ -73,49 +55,12 @@ -rm -f $(install_prefix)$(bindir)/ssh1.old -chmod 755 $(install_prefix)$(bindir)/ssh1 -chmod 755 $(install_prefix)$(bindir)/ssh -@@ -679,15 +684,15 @@ - - clean: - -rm -f *.o gmon.out *core $(PROGRAMS) rfc-pg -- cd $(GMPDIR); $(MAKE) clean -+# cd $(GMPDIR); $(MAKE) clean - # cd $(RSAREFSRCDIR); rm -f *.o *.a -- cd $(ZLIBDIR); $(MAKE) clean -+# cd $(ZLIBDIR); $(MAKE) clean - - distclean: clean - -rm -f Makefile config.status config.cache config.log config.h - -rm -f ssh.1 sshd.8 make-ssh-known-hosts.1 -- cd $(GMPDIR); $(MAKE) distclean -- cd $(ZLIBDIR); $(MAKE) distclean -+# cd $(GMPDIR); $(MAKE) distclean -+# cd $(ZLIBDIR); $(MAKE) distclean - - dist: dist-free - -@@ -716,12 +721,12 @@ - -mkdir $(DISTNAME) - cp $(DISTFILES) $(DISTNAME) - for i in $(DISTSRCS); do cp $(srcdir)/$$i $(DISTNAME); done -- (cd $(GMPDIR); make dist) -- gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - ) -+# (cd $(GMPDIR); make dist) -+# gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - ) - # tar cf - $(RSAREFDIR) | (cd $(DISTNAME); tar xf -) - # cd $(DISTNAME)/$(RSAREFSRCDIR); rm -f *.o *.a -- (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -) -- cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS -+# (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -) -+# cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS - - #ifdef F_SECURE_COMMERCIAL - # -@@ -749,7 +754,7 @@ +@@ -756,7 +758,7 @@ (echo "s/\.$$old_version\"/.$$new_version\"/g"; echo w; echo q) | ed $(srcdir)/version.h >/dev/null depend: - $(MAKEDEP) -I$(srcdir) -I. -I$(GMPDIR) -I$(ZLIBDIR) $(DEFS) $(SRCS) -+ $(MAKEDEP) -I$(srcdir) -I. $(DEFS) $(SRCS) ++ $(MAKEDEP) -I$(srcdir) -I. -I$(GMPINCDIR) $(DEFS) $(SRCS) tags: -rm -f TAGS diff --git a/security/ssh/files/patch-af b/security/ssh/files/patch-af index d3fce096361b..857b53f5d028 100644 --- a/security/ssh/files/patch-af +++ b/security/ssh/files/patch-af @@ -1,809 +1,564 @@ -*** sshd.c.orig Tue Jan 11 20:40:10 2000 ---- sshd.c Tue Jan 11 20:40:07 2000 -*************** -*** 553,558 **** ---- 553,571 ---- - /* Name of the server configuration file. */ - char *config_file_name = SERVER_CONFIG_FILE; - -+ /* Flag indicating whether IPv4 or IPv6. This can be set on the command line. -+ Default value is AF_UNSPEC means both IPv4 and IPv6. */ -+ #ifdef ENABLE_IPV6 -+ int IPv4or6 = AF_UNSPEC; -+ #else -+ int IPv4or6 = AF_INET; -+ #endif -+ -+ #ifdef ENABLE_LOG_AUTH -+ char *unauthenticated_user = NULL; -+ int log_auth_flag = 0; -+ #endif /* ENABLE_LOG_AUTH */ -+ - /* Debug mode flag. This can be set on the command line. If debug - mode is enabled, extra debugging output will be sent to the system - log, the daemon will not go to background, and will exit after processing -*************** -*** 576,582 **** - - /* This is set to the socket that the server is listening; this is used in - the SIGHUP signal handler. */ -! int listen_sock; - - /* This is not really needed, and could be eliminated if server-specific - and client-specific code were removed from newchannels.c */ ---- 589,605 ---- - - /* This is set to the socket that the server is listening; this is used in - the SIGHUP signal handler. */ -! #define MAX_LISTEN_SOCKS 16 -! int listen_socks[MAX_LISTEN_SOCKS]; -! int num_listen_socks = 0; -! void close_listen_socks() -! { -! int i; -! -! for (i = 0; i < num_listen_socks; i++) -! close(listen_socks[i]); -! num_listen_socks = -1; -! } - - /* This is not really needed, and could be eliminated if server-specific - and client-specific code were removed from newchannels.c */ -*************** -*** 666,672 **** - void sighup_restart(void) - { - log_msg("Received SIGHUP; restarting."); -! close(listen_sock); - execvp(saved_argv[0], saved_argv); - log_msg("RESTART FAILED: av[0]='%.100s', error: %.100s.", - saved_argv[0], strerror(errno)); ---- 689,695 ---- - void sighup_restart(void) - { - log_msg("Received SIGHUP; restarting."); -! close_listen_socks(); - execvp(saved_argv[0], saved_argv); - log_msg("RESTART FAILED: av[0]='%.100s', error: %.100s.", - saved_argv[0], strerror(errno)); -*************** -*** 680,686 **** - RETSIGTYPE sigterm_handler(int sig) - { - log_msg("Received signal %d; terminating.", sig); -! close(listen_sock); - exit(255); - } - ---- 703,709 ---- - RETSIGTYPE sigterm_handler(int sig) - { - log_msg("Received signal %d; terminating.", sig); -! close_listen_socks(); - exit(255); - } - -*************** -*** 759,765 **** - int perm_denied = 0; - int ret; - fd_set fdset; -! struct sockaddr_in sin; - char buf[100]; /* Must not be larger than remote_version. */ - char remote_version[100]; /* Must be at least as big as buf. */ - char *comment; ---- 782,788 ---- - int perm_denied = 0; - int ret; - fd_set fdset; -! struct sockaddr_storage from; - char buf[100]; /* Must not be larger than remote_version. */ - char remote_version[100]; /* Must be at least as big as buf. */ - char *comment; -*************** -*** 769,774 **** ---- 792,800 ---- - struct linger linger; - #endif /* SO_LINGER */ - int done; -+ struct addrinfo *ai; -+ char ntop[ADDRSTRLEN], strport[PORTSTRLEN]; -+ int listen_sock, maxfd; - - /* Save argv[0]. */ - saved_argv = av; -*************** -*** 787,796 **** - initialize_server_options(&options); - - /* Parse command-line arguments. */ -! while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:")) != EOF) - { - switch (opt) - { - case 'f': - config_file_name = optarg; - break; ---- 813,838 ---- - initialize_server_options(&options); - - /* Parse command-line arguments. */ -! while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:4" -! #ifdef ENABLE_IPV6 -! "6" -! #endif -! )) != EOF) - { - switch (opt) - { -+ case '4': -+ #ifdef ENABLE_IPV6 -+ IPv4or6 = (IPv4or6 == AF_INET6) ? AF_UNSPEC : AF_INET; -+ #else -+ IPv4or6 = AF_INET; -+ #endif -+ break; -+ #ifdef ENABLE_IPV6 -+ case '6': -+ IPv4or6 = (IPv4or6 == AF_INET) ? AF_UNSPEC : AF_INET6; -+ break; -+ #endif - case 'f': - config_file_name = optarg; - break; -*************** -*** 807,813 **** - options.server_key_bits = atoi(optarg); - break; - case 'p': -! options.port = atoi(optarg); - break; - case 'g': - options.login_grace_time = atoi(optarg); ---- 849,855 ---- - options.server_key_bits = atoi(optarg); - break; - case 'p': -! options.ports[options.num_ports++] = atoi(optarg); - break; - case 'g': - options.login_grace_time = atoi(optarg); -*************** -*** 829,834 **** ---- 871,880 ---- - fprintf(stderr, "sshd version %s [%s]\n", SSH_VERSION, HOSTTYPE); - fprintf(stderr, "Usage: %s [options]\n", av0); - fprintf(stderr, "Options:\n"); -+ fprintf(stderr, " -4 Use IPv4 only\n"); -+ #ifdef ENABLE_IPV6 -+ fprintf(stderr, " -6 Use IPv6 only\n"); -+ #endif - fprintf(stderr, " -f file Configuration file (default %s/sshd_config)\n", ETCDIR); - fprintf(stderr, " -d Debugging mode\n"); - fprintf(stderr, " -i Started from inetd\n"); -*************** -*** 857,872 **** - fprintf(stderr, "fatal: Bad server key size.\n"); - exit(1); - } -- if (options.port < 1 || options.port > 65535) -- { -- fprintf(stderr, "fatal: Bad port number.\n"); -- exit(1); -- } - if (options.umask != -1) - { - umask(options.umask); - } - - /* Check that there are no remaining arguments. */ - if (optind < ac) - { ---- 903,917 ---- - fprintf(stderr, "fatal: Bad server key size.\n"); - exit(1); - } - if (options.umask != -1) - { - umask(options.umask); - } - -+ #ifdef ENABLE_LOG_AUTH -+ log_auth_flag = options.log_auth; -+ #endif /* ENABLE_LOG_AUTH */ -+ - /* Check that there are no remaining arguments. */ - if (optind < ac) - { -*************** -*** 1034,1043 **** - } - else - { - /* Create socket for listening. */ -! listen_sock = socket(AF_INET, SOCK_STREAM, 0); - if (listen_sock < 0) - fatal("socket: %.100s", strerror(errno)); - - /* Set socket options. We try to make the port reusable and have it - close as fast as possible without waiting in unnecessary wait states ---- 1079,1091 ---- - } - else - { -+ for (ai = options.listen_addrs; ai; ai = ai->ai_next) -+ { - /* Create socket for listening. */ -! listen_sock = socket(ai->ai_family, SOCK_STREAM, 0); - if (listen_sock < 0) - fatal("socket: %.100s", strerror(errno)); -+ listen_socks[num_listen_socks] = listen_sock; - - /* Set socket options. We try to make the port reusable and have it - close as fast as possible without waiting in unnecessary wait states -*************** -*** 1051,1071 **** - sizeof(linger)); - #endif /* SO_LINGER */ - -! /* Initialize the socket address. */ -! memset(&sin, 0, sizeof(sin)); -! sin.sin_family = AF_INET; -! sin.sin_addr = options.listen_addr; -! sin.sin_port = htons(options.port); - - /* Bind the socket to the desired port. */ -! if (bind(listen_sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) - { -! error("bind: %.100s", strerror(errno)); -! shutdown(listen_sock, 2); - close(listen_sock); -! fatal("Bind to port %d failed: %.200s.", options.port, -! strerror(errno)); - } - - if (!debug_flag) - { ---- 1099,1128 ---- - sizeof(linger)); - #endif /* SO_LINGER */ - -! getnameinfo(ai->ai_addr, ai->ai_addrlen, -! ntop, sizeof(ntop), strport, sizeof(strport), -! NI_NUMERICHOST|NI_NUMERICSERV); - - /* Bind the socket to the desired port. */ -! if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) - { -! error("Bind to port %s on %s failed: %.200s.", -! strport, ntop, strerror(errno)); - close(listen_sock); -! continue; - } -+ num_listen_socks++; -+ -+ /* Start listening on the port. */ -+ log_msg("Server listening on %s port %s.", ntop, strport); -+ if (listen(listen_sock, 5) < 0) -+ fatal("listen: %.100s", strerror(errno)); -+ -+ } /* for (ai = options.listen_addrs; ai; ai = ai->ai_next) */ -+ freeaddrinfo(options.listen_addrs); -+ -+ if (!num_listen_socks) -+ fatal("Cannot bind all addresses."); - - if (!debug_flag) - { -*************** -*** 1081,1091 **** - } - } - -- /* Start listening on the port. */ -- log_msg("Server listening on port %d.", options.port); -- if (listen(listen_sock, 5) < 0) -- fatal("listen: %.100s", strerror(errno)); -- - /* Generate an rsa key. */ - log_msg("Generating %d bit RSA key.", options.server_key_bits); - rsa_generate_key(&sensitive_data.private_key, &public_key, ---- 1138,1143 ---- -*************** -*** 1139,1156 **** - - /* Wait in select until there is a connection. */ - FD_ZERO(&fdset); -! FD_SET(listen_sock, &fdset); -! ret = select(listen_sock + 1, &fdset, NULL, NULL, NULL); -! if (ret < 0 || !FD_ISSET(listen_sock, &fdset)) - { - if (errno == EINTR) - continue; - error("select: %.100s", strerror(errno)); - continue; - } -! -! aux = sizeof(sin); -! newsock = accept(listen_sock, (struct sockaddr *)&sin, &aux); - if (newsock < 0) - { - if (errno == EINTR) ---- 1191,1218 ---- - - /* Wait in select until there is a connection. */ - FD_ZERO(&fdset); -! maxfd = 0; -! for (i = 0; i < num_listen_socks; i++) -! { -! FD_SET(listen_socks[i], &fdset); -! if (listen_socks[i] > maxfd) -! maxfd = listen_socks[i]; -! } -! ret = select(maxfd + 1, &fdset, NULL, NULL, NULL); -! if (ret < 0) - { - if (errno == EINTR) - continue; - error("select: %.100s", strerror(errno)); - continue; - } -! -! for (i = 0; i < num_listen_socks; i++) -! { -! if (!FD_ISSET(listen_socks[i], &fdset)) -! continue; -! aux = sizeof(from); -! newsock = accept(listen_socks[i], (struct sockaddr *)&from, &aux); - if (newsock < 0) - { - if (errno == EINTR) -*************** -*** 1166,1172 **** - /* In debugging mode. Close the listening socket, and start - processing the connection without forking. */ - debug("Server will not fork when running in debugging mode."); -! close(listen_sock); - sock_in = newsock; - sock_out = newsock; - pid = getpid(); ---- 1228,1234 ---- - /* In debugging mode. Close the listening socket, and start - processing the connection without forking. */ - debug("Server will not fork when running in debugging mode."); -! close_listen_socks(); - sock_in = newsock; - sock_out = newsock; - pid = getpid(); -*************** -*** 1195,1201 **** - the accepted socket. Reinitialize logging (since our - pid has changed). We break out of the loop to handle - the connection. */ -! close(listen_sock); - sock_in = newsock; - sock_out = newsock; - #ifdef LIBWRAP ---- 1257,1263 ---- - the accepted socket. Reinitialize logging (since our - pid has changed). We break out of the loop to handle - the connection. */ -! close_listen_socks(); - sock_in = newsock; - sock_out = newsock; - #ifdef LIBWRAP -*************** -*** 1233,1238 **** ---- 1295,1304 ---- - - /* Close the new socket (the child is now taking care of it). */ - close(newsock); -+ } /* for (i = 0; i < num_host_socks; i++) */ -+ /* child process check (or debug mode) */ -+ if (num_listen_socks < 0) -+ break; - } - } - -*************** -*** 2205,2210 **** ---- 2271,2279 ---- - krb5_parse_name(ssh_context, user, &client); - #endif /* defined(KERBEROS) && defined(KRB5) */ - -+ #ifdef ENABLE_LOG_AUTH -+ unauthenticated_user = user; -+ #endif /* ENABLE_LOG_AUTH */ - /* Verify that the user is a valid user. We disallow usernames starting - with any characters that are commonly used to start NIS entries. */ - pw = getpwnam(user); -*************** -*** 2222,2228 **** - pwcopy.pw_class = xstrdup(pw->pw_class); - pwcopy.pw_change = pw->pw_change; - pwcopy.pw_expire = pw->pw_expire; -! #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ - pwcopy.pw_dir = xstrdup(pw->pw_dir); - pwcopy.pw_shell = xstrdup(pw->pw_shell); - pw = &pwcopy; ---- 2291,2297 ---- - pwcopy.pw_class = xstrdup(pw->pw_class); - pwcopy.pw_change = pw->pw_change; - pwcopy.pw_expire = pw->pw_expire; -! #endif /* (__bsdi__ && _BSDI_VERSION >= 199510) || (__FreeBSD__ && HAVE_LOGIN_CAP_H) */ - pwcopy.pw_dir = xstrdup(pw->pw_dir); - pwcopy.pw_shell = xstrdup(pw->pw_shell); - pw = &pwcopy; -*************** -*** 2260,2265 **** ---- 2329,2339 ---- - { - /* Authentication with empty password succeeded. */ - debug("Login for user %.100s accepted without authentication.", user); -+ #ifdef ENABLE_LOG_AUTH -+ log_auth("%.100s from %.700s (%s)", -+ user, get_canonical_hostname(), -+ "empty password accepted"); -+ #endif /* ENABLE_LOG_AUTH */ - authentication_type = SSH_AUTH_PASSWORD; - authenticated = 1; - /* Success packet will be sent after loop below. */ -*************** -*** 2334,2339 **** ---- 2408,2418 ---- - /* Client has successfully authenticated to us. */ - log_msg("Kerberos authentication accepted %.100s for login to account %.100s from %.200s", - tkt_user, user, get_canonical_hostname()); -+ #ifdef ENABLE_LOG_AUTH -+ log_auth("%.100s from %.700s (%s)", -+ user, get_canonical_hostname(), -+ "kerberos authentication accepted"); -+ #endif /* ENABLE_LOG_AUTH */ - authentication_type = SSH_AUTH_KERBEROS; - authenticated = 1; - break; -*************** -*** 2382,2387 **** ---- 2461,2471 ---- - /* Authentication accepted. */ - log_msg("Rhosts authentication accepted for %.100s, remote %.100s on %.700s.", - user, client_user, get_canonical_hostname()); -+ #ifdef ENABLE_LOG_AUTH -+ log_auth("%.100s from %.100s@%.700s (%s)", -+ user, client_user, get_canonical_hostname(), -+ "rhosts authentication accepted"); -+ #endif /* ENABLE_LOG_AUTH */ - authentication_type = SSH_AUTH_RHOSTS; - authenticated = 1; - remote_user_name = client_user; -*************** -*** 2441,2446 **** ---- 2525,2535 ---- - options.strict_modes)) - { - /* Authentication accepted. */ -+ #ifdef ENABLE_LOG_AUTH -+ log_auth("%.100s from %.100s@%.700s (%s)", -+ user, client_user, get_canonical_hostname(), -+ "rhosts with RSA host authentication accepted"); -+ #endif /* ENABLE_LOG_AUTH */ - authentication_type = SSH_AUTH_RHOSTS_RSA; - authenticated = 1; - remote_user_name = client_user; -*************** -*** 2474,2479 **** ---- 2563,2573 ---- - /* Successful authentication. */ - mpz_clear(&n); - log_msg("RSA authentication for %.100s accepted.", user); -+ #ifdef ENABLE_LOG_AUTH -+ log_auth("%.100s from %.700s (%s)", -+ user, get_canonical_hostname(), -+ "RSA user authentication accepted"); -+ #endif /* ENABLE_LOG_AUTH */ - authentication_type = SSH_AUTH_RSA; - authenticated = 1; - break; -*************** -*** 2608,2613 **** ---- 2702,2712 ---- - auth_close(); - memset(password, 0, strlen(password)); - xfree(password); -+ #ifdef ENABLE_LOG_AUTH -+ log_auth("%.100s from @%.700s (%s)", -+ user, get_canonical_hostname(), -+ "TIS authentication accepted"); -+ #endif /* ENABLE_LOG_AUTH */ - authentication_type = SSH_AUTH_TIS; - authenticated = 1; - break; -*************** -*** 2668,2673 **** ---- 2767,2777 ---- - memset(password, 0, strlen(password)); - xfree(password); - log_msg("Password authentication for %.100s accepted.", user); -+ #ifdef ENABLE_LOG_AUTH -+ log_auth("%.100s from %.700s (%s)", -+ user, get_canonical_hostname(), -+ "password authentication accepted"); -+ #endif /* ENABLE_LOG_AUTH */ - authentication_type = SSH_AUTH_PASSWORD; - authenticated = 1; - break; -*************** -*** 2708,2713 **** ---- 2812,2822 ---- - } - - /* Check if the user is logging in as root and root logins are disallowed. */ -+ #ifdef ENABLE_LOG_AUTH -+ if ((pw->pw_uid == UID_ROOT && options.permit_root_login == 1) || -+ (pw->pw_uid == UID_ROOT && options.permit_root_login == 0 && !forced_command)) -+ log_auth("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname()); -+ #endif /* ENABLE_LOG_AUTH */ - if (pw->pw_uid == UID_ROOT && options.permit_root_login == 1) - { - if (authentication_type == SSH_AUTH_PASSWORD) -*************** -*** 2775,2780 **** ---- 2884,2892 ---- - packet_start(SSH_SMSG_SUCCESS); - packet_send(); - packet_write_wait(); -+ #ifdef ENABLE_LOG_AUTH -+ unauthenticated_user = NULL; -+ #endif /* ENABLE_LOG_AUTH */ - - /* Perform session preparation. */ - do_authenticated(pw); -*************** -*** 3280,3294 **** - char line[256]; - struct stat st; - int quiet_login; -! struct sockaddr_in from; - int fromlen; - struct pty_cleanup_context cleanup_context; - #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) - login_cap_t *lc; - #endif -! #if defined (__bsdi__) && _BSDI_VERSION >= 199510 - struct timeval tp; -! #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ - - /* We no longer need the child running on user's privileges. */ - userfile_uninit(); ---- 3392,3407 ---- - char line[256]; - struct stat st; - int quiet_login; -! struct sockaddr_storage from; - int fromlen; - struct pty_cleanup_context cleanup_context; - #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) - login_cap_t *lc; -+ time_t warnpassword, warnexpire; - #endif -! #if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510) - struct timeval tp; -! #endif /* __FreeBSD__ || (__bsdi__ && _BSDI_VERSION >= 199510) */ - - /* We no longer need the child running on user's privileges. */ - userfile_uninit(); -*************** -*** 3387,3393 **** - - /* Record that there was a login on that terminal. */ - record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname, -! &from); - - #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) - lc = login_getclass(pw->pw_class); ---- 3500,3506 ---- - - /* Record that there was a login on that terminal. */ - record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname, -! (struct sockaddr *)&from); - - #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) - lc = login_getclass(pw->pw_class); -*************** -*** 3446,3451 **** ---- 3559,3572 ---- - "The Regents of the University of California. ", - "All rights reserved."); - } -+ #ifdef HAVE_LOGIN_CAP_H -+ #define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ -+ -+ warnpassword = login_getcaptime(lc, "warnpassword", -+ DEFAULT_WARN, DEFAULT_WARN); -+ warnexpire = login_getcaptime(lc, "warnexpire", -+ DEFAULT_WARN, DEFAULT_WARN); -+ #endif - #endif - - /* Print /etc/motd unless a command was specified or printing it was -*************** -*** 3469,3475 **** - fputs(line, stdout); - fclose(f); - } -! #if defined (__bsdi__) && _BSDI_VERSION >= 199510 - if (pw->pw_change || pw->pw_expire) - (void)gettimeofday(&tp, (struct timezone *)NULL); - if (pw->pw_change) ---- 3590,3596 ---- - fputs(line, stdout); - fclose(f); - } -! #if defined(__FreeBSD__) || (defined(__bsdi__) && _BSDI_VERSION >= 199510) - if (pw->pw_change || pw->pw_expire) - (void)gettimeofday(&tp, (struct timezone *)NULL); - if (pw->pw_change) -*************** -*** 3876,3881 **** ---- 3997,4003 ---- - char *user_shell; - char *remote_ip; - int remote_port; -+ int local_port; - #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) - login_cap_t *lc; - char *real_shell; -*************** -*** 3922,3928 **** - while (fgets(buf, sizeof(buf), f)) - fputs(buf, stderr); - fclose(f); -! #if defined (__bsdi__) && _BSDI_VERSION >= 199510 - if (pw->pw_uid != UID_ROOT && - !login_getcapbool(lc, "ignorenologin", 0)) - exit(254); ---- 4044,4050 ---- - while (fgets(buf, sizeof(buf), f)) - fputs(buf, stderr); - fclose(f); -! #if (defined(__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)) || (defined (__bsdi__) && _BSDI_VERSION >= 199510) - if (pw->pw_uid != UID_ROOT && - !login_getcapbool(lc, "ignorenologin", 0)) - exit(254); -*************** -*** 3981,3986 **** ---- 4103,4109 ---- - user_shell = xstrdup(pw->pw_shell); - remote_ip = xstrdup(get_remote_ipaddr()); - remote_port = get_remote_port(); -+ local_port = get_local_port(); - - /* Close the connection descriptors; note that this is the child, and the - server will still have the socket open, and it is important that we -*************** -*** 4000,4006 **** - /* Close any extra file descriptors. Note that there may still be - descriptors left by system functions. They will be closed later. */ - endpwent(); -- endhostent(); - - /* Set dummy encryption key to clear information about the key from - memory. This key will never be used. */ ---- 4123,4128 ---- -*************** -*** 4257,4263 **** - - /* Set SSH_CLIENT. */ - snprintf(buf, sizeof(buf), -! "%.50s %d %d", remote_ip, remote_port, options.port); - child_set_env(&env, &envsize, "SSH_CLIENT", buf); - - /* Set SSH_TTY if we have a pty. */ ---- 4379,4385 ---- - - /* Set SSH_CLIENT. */ - snprintf(buf, sizeof(buf), -! "%.50s %d %d", remote_ip, remote_port, local_port); - child_set_env(&env, &envsize, "SSH_CLIENT", buf); - - /* Set SSH_TTY if we have a pty. */ -*************** -*** 4426,4432 **** - int i; - char name[255], *p; - char line[256]; -! struct hostent *hp; - - strncpy(name, display, sizeof(name)); - name[sizeof(name) - 1] = '\0'; ---- 4548,4555 ---- - int i; - char name[255], *p; - char line[256]; -! struct addrinfo hints, *ai, *aitop; -! char ntop[ADDRSTRLEN]; - - strncpy(name, display, sizeof(name)); - name[sizeof(name) - 1] = '\0'; -*************** -*** 4443,4449 **** - /* Moved this call here to avoid a nasty buf in SunOS - 4.1.4 libc where gethostbyname closes an unrelated - file descriptor. */ -! hp = gethostbyname(name); - - snprintf(line, sizeof(line), - "%.200s -q -", options.xauth_path); ---- 4566,4575 ---- - /* Moved this call here to avoid a nasty buf in SunOS - 4.1.4 libc where gethostbyname closes an unrelated - file descriptor. */ -! memset(&hints, 0, sizeof(hints)); -! hints.ai_family = IPv4or6; -! if (getaddrinfo(name, NULL, &hints, &aitop) != 0) -! aitop = 0; - - snprintf(line, sizeof(line), - "%.200s -q -", options.xauth_path); -*************** -*** 4461,4481 **** - cp - display, display, cp, auth_proto, - auth_data); - #endif -! if (hp) - { -! for(i = 0; hp->h_addr_list[i]; i++) - { - if (debug_flag) - { - fprintf(stderr, "Running %s add %s%s %s %s\n", - options.xauth_path, -! inet_ntoa(*((struct in_addr *) -! hp->h_addr_list[i])), - cp, auth_proto, auth_data); - } - fprintf(f, "add %s%s %s %s\n", -! inet_ntoa(*((struct in_addr *) -! hp->h_addr_list[i])), - cp, auth_proto, auth_data); - } - } ---- 4587,4610 ---- - cp - display, display, cp, auth_proto, - auth_data); - #endif -! if (aitop) - { -! for (ai = aitop; ai; ai = ai->ai_next) - { -+ getnameinfo(ai->ai_addr, ai->ai_addrlen, -+ ntop, sizeof(ntop), NULL, 0, -+ NI_NUMERICHOST); -+ if (strchr(ntop, ':')) -+ continue; /* XXX - xauth doesn't accept it */ - if (debug_flag) - { - fprintf(stderr, "Running %s add %s%s %s %s\n", - options.xauth_path, -! ntop, - cp, auth_proto, auth_data); - } - fprintf(f, "add %s%s %s %s\n", -! ntop, - cp, auth_proto, auth_data); - } - } -*************** -*** 4525,4531 **** ---- 4654,4664 ---- - struct stat mailbuf; - - if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0) -+ #ifdef __FreeBSD__ -+ ; -+ #else - printf("No mail.\n"); -+ #endif - else if (mailbuf.st_atime > mailbuf.st_mtime) - printf("You have mail.\n"); - else +--- sshd.c.orig Mon Jul 3 10:07:35 2000 ++++ sshd.c Fri Jun 21 17:57:21 2002 +@@ -567,6 +567,19 @@ + /* Name of the server configuration file. */ + char *config_file_name = SERVER_CONFIG_FILE; + ++/* Flag indicating whether IPv4 or IPv6. This can be set on the command line. ++ Default value is AF_UNSPEC means both IPv4 and IPv6. */ ++#ifdef ENABLE_IPV6 ++int IPv4or6 = AF_UNSPEC; ++#else ++int IPv4or6 = AF_INET; ++#endif ++ ++#ifdef ENABLE_LOG_AUTH ++char *unauthenticated_user = NULL; ++int log_auth_flag = 0; ++#endif /* ENABLE_LOG_AUTH */ ++ + /* Debug mode flag. This can be set on the command line. If debug + mode is enabled, extra debugging output will be sent to the system + log, the daemon will not go to background, and will exit after processing +@@ -590,7 +603,17 @@ + + /* This is set to the socket that the server is listening; this is used in + the SIGHUP signal handler. */ +-int listen_sock; ++#define MAX_LISTEN_SOCKS 16 ++int listen_socks[MAX_LISTEN_SOCKS]; ++int num_listen_socks = 0; ++void close_listen_socks() ++{ ++ int i; ++ ++ for (i = 0; i < num_listen_socks; i++) ++ close(listen_socks[i]); ++ num_listen_socks = -1; ++} + + /* This is not really needed, and could be eliminated if server-specific + and client-specific code were removed from newchannels.c */ +@@ -680,7 +703,7 @@ + void sighup_restart(void) + { + log_msg("Received SIGHUP; restarting."); +- close(listen_sock); ++ close_listen_socks(); + execvp(saved_argv[0], saved_argv); + log_msg("RESTART FAILED: av[0]='%.100s', error: %.100s.", + saved_argv[0], strerror(errno)); +@@ -694,7 +717,7 @@ + RETSIGTYPE sigterm_handler(int sig) + { + log_msg("Received signal %d; terminating.", sig); +- close(listen_sock); ++ close_listen_socks(); + exit(255); + } + +@@ -773,7 +796,7 @@ + int perm_denied = 0; + int ret; + fd_set fdset; +- struct sockaddr_in sin; ++ struct sockaddr_storage from; + char buf[100]; /* Must not be larger than remote_version. */ + char remote_version[100]; /* Must be at least as big as buf. */ + char *comment; +@@ -783,6 +806,9 @@ + struct linger linger; + #endif /* SO_LINGER */ + int done; ++ struct addrinfo *ai; ++ char ntop[ADDRSTRLEN], strport[PORTSTRLEN]; ++ int listen_sock, maxfd; + + /* Save argv[0]. */ + saved_argv = av; +@@ -801,10 +827,26 @@ + initialize_server_options(&options); + + /* Parse command-line arguments. */ +- while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:")) != EOF) ++ while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:4" ++#ifdef ENABLE_IPV6 ++ "6" ++#endif ++ )) != EOF) + { + switch (opt) + { ++ case '4': ++#ifdef ENABLE_IPV6 ++ IPv4or6 = (IPv4or6 == AF_INET6) ? AF_UNSPEC : AF_INET; ++#else ++ IPv4or6 = AF_INET; ++#endif ++ break; ++#ifdef ENABLE_IPV6 ++ case '6': ++ IPv4or6 = (IPv4or6 == AF_INET) ? AF_UNSPEC : AF_INET6; ++ break; ++#endif + case 'f': + config_file_name = optarg; + break; +@@ -821,7 +863,7 @@ + options.server_key_bits = atoi(optarg); + break; + case 'p': +- options.port = atoi(optarg); ++ options.ports[options.num_ports++] = atoi(optarg); + break; + case 'g': + options.login_grace_time = atoi(optarg); +@@ -843,6 +885,10 @@ + fprintf(stderr, "sshd version %s [%s]\n", SSH_VERSION, HOSTTYPE); + fprintf(stderr, "Usage: %s [options]\n", av0); + fprintf(stderr, "Options:\n"); ++ fprintf(stderr, " -4 Use IPv4 only\n"); ++#ifdef ENABLE_IPV6 ++ fprintf(stderr, " -6 Use IPv6 only\n"); ++#endif + fprintf(stderr, " -f file Configuration file (default %s/sshd_config)\n", ETCDIR); + fprintf(stderr, " -d Debugging mode\n"); + fprintf(stderr, " -i Started from inetd\n"); +@@ -871,16 +917,15 @@ + fprintf(stderr, "fatal: Bad server key size.\n"); + exit(1); + } +- if (options.port < 1 || options.port > 65535) +- { +- fprintf(stderr, "fatal: Bad port number.\n"); +- exit(1); +- } + if (options.umask != -1) + { + umask(options.umask); + } + ++#ifdef ENABLE_LOG_AUTH ++ log_auth_flag = options.log_auth; ++#endif /* ENABLE_LOG_AUTH */ ++ + /* Check that there are no remaining arguments. */ + if (optind < ac) + { +@@ -1048,10 +1093,13 @@ + } + else + { ++ for (ai = options.listen_addrs; ai; ai = ai->ai_next) ++ { + /* Create socket for listening. */ +- listen_sock = socket(AF_INET, SOCK_STREAM, 0); ++ listen_sock = socket(ai->ai_family, SOCK_STREAM, 0); + if (listen_sock < 0) + fatal("socket: %.100s", strerror(errno)); ++ listen_socks[num_listen_socks] = listen_sock; + + /* Set socket options. We try to make the port reusable and have it + close as fast as possible without waiting in unnecessary wait states +@@ -1065,21 +1113,30 @@ + sizeof(linger)); + #endif /* SO_LINGER */ + +- /* Initialize the socket address. */ +- memset(&sin, 0, sizeof(sin)); +- sin.sin_family = AF_INET; +- sin.sin_addr = options.listen_addr; +- sin.sin_port = htons(options.port); ++ getnameinfo(ai->ai_addr, ai->ai_addrlen, ++ ntop, sizeof(ntop), strport, sizeof(strport), ++ NI_NUMERICHOST|NI_NUMERICSERV); + + /* Bind the socket to the desired port. */ +- if (bind(listen_sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) ++ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) + { +- error("bind: %.100s", strerror(errno)); +- shutdown(listen_sock, 2); ++ error("Bind to port %s on %s failed: %.200s.", ++ strport, ntop, strerror(errno)); + close(listen_sock); +- fatal("Bind to port %d failed: %.200s.", options.port, +- strerror(errno)); ++ continue; + } ++ num_listen_socks++; ++ ++ /* Start listening on the port. */ ++ log_msg("Server listening on %s port %s.", ntop, strport); ++ if (listen(listen_sock, 5) < 0) ++ fatal("listen: %.100s", strerror(errno)); ++ ++ } /* for (ai = options.listen_addrs; ai; ai = ai->ai_next) */ ++ freeaddrinfo(options.listen_addrs); ++ ++ if (!num_listen_socks) ++ fatal("Cannot bind all addresses."); + + if (!debug_flag) + { +@@ -1095,11 +1152,6 @@ + } + } + +- /* Start listening on the port. */ +- log_msg("Server listening on port %d.", options.port); +- if (listen(listen_sock, 5) < 0) +- fatal("listen: %.100s", strerror(errno)); +- + /* Generate an rsa key. */ + log_msg("Generating %d bit RSA key.", options.server_key_bits); + rsa_generate_key(&sensitive_data.private_key, &public_key, +@@ -1153,18 +1205,28 @@ + + /* Wait in select until there is a connection. */ + FD_ZERO(&fdset); +- FD_SET(listen_sock, &fdset); +- ret = select(listen_sock + 1, &fdset, NULL, NULL, NULL); +- if (ret < 0 || !FD_ISSET(listen_sock, &fdset)) ++ maxfd = 0; ++ for (i = 0; i < num_listen_socks; i++) ++ { ++ FD_SET(listen_socks[i], &fdset); ++ if (listen_socks[i] > maxfd) ++ maxfd = listen_socks[i]; ++ } ++ ret = select(maxfd + 1, &fdset, NULL, NULL, NULL); ++ if (ret < 0) + { + if (errno == EINTR) + continue; + error("select: %.100s", strerror(errno)); + continue; + } +- +- aux = sizeof(sin); +- newsock = accept(listen_sock, (struct sockaddr *)&sin, &aux); ++ ++ for (i = 0; i < num_listen_socks; i++) ++ { ++ if (!FD_ISSET(listen_socks[i], &fdset)) ++ continue; ++ aux = sizeof(from); ++ newsock = accept(listen_socks[i], (struct sockaddr *)&from, &aux); + if (newsock < 0) + { + if (errno == EINTR) +@@ -1180,7 +1242,7 @@ + /* In debugging mode. Close the listening socket, and start + processing the connection without forking. */ + debug("Server will not fork when running in debugging mode."); +- close(listen_sock); ++ close_listen_socks(); + sock_in = newsock; + sock_out = newsock; + pid = getpid(); +@@ -1209,7 +1271,7 @@ + the accepted socket. Reinitialize logging (since our + pid has changed). We break out of the loop to handle + the connection. */ +- close(listen_sock); ++ close_listen_socks(); + sock_in = newsock; + sock_out = newsock; + #ifdef LIBWRAP +@@ -1247,6 +1309,10 @@ + + /* Close the new socket (the child is now taking care of it). */ + close(newsock); ++ } /* for (i = 0; i < num_host_socks; i++) */ ++ /* child process check (or debug mode) */ ++ if (num_listen_socks < 0) ++ break; + } + } + +@@ -2219,6 +2285,9 @@ + krb5_parse_name(ssh_context, user, &client); + #endif /* defined(KERBEROS) && defined(KRB5) */ + ++#ifdef ENABLE_LOG_AUTH ++ unauthenticated_user = user; ++#endif /* ENABLE_LOG_AUTH */ + /* Verify that the user is a valid user. We disallow usernames starting + with any characters that are commonly used to start NIS entries. */ + pw = getpwnam(user); +@@ -2236,7 +2305,7 @@ + pwcopy.pw_class = xstrdup(pw->pw_class); + pwcopy.pw_change = pw->pw_change; + pwcopy.pw_expire = pw->pw_expire; +-#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ ++#endif /* (__bsdi__ && _BSDI_VERSION >= 199510) || (__FreeBSD__ && HAVE_LOGIN_CAP_H) */ + pwcopy.pw_dir = xstrdup(pw->pw_dir); + pwcopy.pw_shell = xstrdup(pw->pw_shell); + pw = &pwcopy; +@@ -2274,6 +2343,11 @@ + { + /* Authentication with empty password succeeded. */ + debug("Login for user %.100s accepted without authentication.", user); ++#ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.700s (%s)", ++ user, get_canonical_hostname(), ++ "empty password accepted"); ++#endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_PASSWORD; + authenticated = 1; + /* Success packet will be sent after loop below. */ +@@ -2348,6 +2422,11 @@ + /* Client has successfully authenticated to us. */ + log_msg("Kerberos authentication accepted %.100s for login to account %.100s from %.200s", + tkt_user, user, get_canonical_hostname()); ++#ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.700s (%s)", ++ user, get_canonical_hostname(), ++ "kerberos authentication accepted"); ++#endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_KERBEROS; + authenticated = 1; + break; +@@ -2396,6 +2475,11 @@ + /* Authentication accepted. */ + log_msg("Rhosts authentication accepted for %.100s, remote %.100s on %.700s.", + user, client_user, get_canonical_hostname()); ++#ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.100s@%.700s (%s)", ++ user, client_user, get_canonical_hostname(), ++ "rhosts authentication accepted"); ++#endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_RHOSTS; + authenticated = 1; + remote_user_name = client_user; +@@ -2455,6 +2539,11 @@ + options.strict_modes)) + { + /* Authentication accepted. */ ++#ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.100s@%.700s (%s)", ++ user, client_user, get_canonical_hostname(), ++ "rhosts with RSA host authentication accepted"); ++#endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_RHOSTS_RSA; + authenticated = 1; + remote_user_name = client_user; +@@ -2488,6 +2577,11 @@ + /* Successful authentication. */ + mpz_clear(&n); + log_msg("RSA authentication for %.100s accepted.", user); ++#ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.700s (%s)", ++ user, get_canonical_hostname(), ++ "RSA user authentication accepted"); ++#endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_RSA; + authenticated = 1; + break; +@@ -2622,6 +2716,11 @@ + auth_close(); + memset(password, 0, strlen(password)); + xfree(password); ++#ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from @%.700s (%s)", ++ user, get_canonical_hostname(), ++ "TIS authentication accepted"); ++#endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_TIS; + authenticated = 1; + break; +@@ -2682,6 +2781,11 @@ + memset(password, 0, strlen(password)); + xfree(password); + log_msg("Password authentication for %.100s accepted.", user); ++#ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.700s (%s)", ++ user, get_canonical_hostname(), ++ "password authentication accepted"); ++#endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_PASSWORD; + authenticated = 1; + break; +@@ -2722,6 +2826,11 @@ + } + + /* Check if the user is logging in as root and root logins are disallowed. */ ++#ifdef ENABLE_LOG_AUTH ++ if ((pw->pw_uid == UID_ROOT && options.permit_root_login == 1) || ++ (pw->pw_uid == UID_ROOT && options.permit_root_login == 0 && !forced_command)) ++ log_auth("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname()); ++#endif /* ENABLE_LOG_AUTH */ + if (pw->pw_uid == UID_ROOT && options.permit_root_login == 1) + { + if (authentication_type == SSH_AUTH_PASSWORD) +@@ -2789,6 +2898,9 @@ + packet_start(SSH_SMSG_SUCCESS); + packet_send(); + packet_write_wait(); ++#ifdef ENABLE_LOG_AUTH ++ unauthenticated_user = NULL; ++#endif /* ENABLE_LOG_AUTH */ + + /* Perform session preparation. */ + do_authenticated(pw); +@@ -3383,15 +3495,16 @@ + char line[256]; + struct stat st; + int quiet_login; +- struct sockaddr_in from; ++ struct sockaddr_storage from; + int fromlen; + struct pty_cleanup_context cleanup_context; + #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) + login_cap_t *lc; ++ time_t warnpassword, warnexpire; + #endif +-#if defined (__bsdi__) && _BSDI_VERSION >= 199510 ++#if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510) + struct timeval tp; +-#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ ++#endif /* __FreeBSD__ || (__bsdi__ && _BSDI_VERSION >= 199510) */ + + /* We no longer need the child running on user's privileges. */ + userfile_uninit(); +@@ -3490,7 +3603,7 @@ + + /* Record that there was a login on that terminal. */ + record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname, +- &from); ++ (struct sockaddr *)&from); + + #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) + lc = login_getclass(pw->pw_class); +@@ -3549,6 +3662,14 @@ + "The Regents of the University of California. ", + "All rights reserved."); + } ++#ifdef HAVE_LOGIN_CAP_H ++#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ ++ ++ warnpassword = login_getcaptime(lc, "warnpassword", ++ DEFAULT_WARN, DEFAULT_WARN); ++ warnexpire = login_getcaptime(lc, "warnexpire", ++ DEFAULT_WARN, DEFAULT_WARN); ++#endif + #endif + + /* Print /etc/motd unless a command was specified or printing it was +@@ -3572,7 +3693,7 @@ + fputs(line, stdout); + fclose(f); + } +-#if defined (__bsdi__) && _BSDI_VERSION >= 199510 ++#if defined(__FreeBSD__) || (defined(__bsdi__) && _BSDI_VERSION >= 199510) + if (pw->pw_change || pw->pw_expire) + (void)gettimeofday(&tp, (struct timezone *)NULL); + if (pw->pw_change) +@@ -3979,6 +4100,7 @@ + char *user_shell; + char *remote_ip; + int remote_port; ++ int local_port; + #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) + login_cap_t *lc; + char *real_shell; +@@ -4025,7 +4147,7 @@ + while (fgets(buf, sizeof(buf), f)) + fputs(buf, stderr); + fclose(f); +-#if defined (__bsdi__) && _BSDI_VERSION >= 199510 ++#if (defined(__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)) || (defined (__bsdi__) && _BSDI_VERSION >= 199510) + if (pw->pw_uid != UID_ROOT && + !login_getcapbool(lc, "ignorenologin", 0)) + exit(254); +@@ -4084,6 +4206,7 @@ + user_shell = xstrdup(pw->pw_shell); + remote_ip = xstrdup(get_remote_ipaddr()); + remote_port = get_remote_port(); ++ local_port = get_local_port(); + + /* Close the connection descriptors; note that this is the child, and the + server will still have the socket open, and it is important that we +@@ -4103,7 +4226,6 @@ + /* Close any extra file descriptors. Note that there may still be + descriptors left by system functions. They will be closed later. */ + endpwent(); +- endhostent(); + + /* Set dummy encryption key to clear information about the key from + memory. This key will never be used. */ +@@ -4360,7 +4482,7 @@ + + /* Set SSH_CLIENT. */ + snprintf(buf, sizeof(buf), +- "%.50s %d %d", remote_ip, remote_port, options.port); ++ "%.50s %d %d", remote_ip, remote_port, local_port); + child_set_env(&env, &envsize, "SSH_CLIENT", buf); + + /* Set SSH_TTY if we have a pty. */ +@@ -4533,7 +4655,8 @@ + int i; + char name[255], *p; + char line[256]; +- struct hostent *hp; ++ struct addrinfo hints, *ai, *aitop; ++ char ntop[ADDRSTRLEN]; + + strncpy(name, display, sizeof(name)); + name[sizeof(name) - 1] = '\0'; +@@ -4550,7 +4673,10 @@ + /* Moved this call here to avoid a nasty buf in SunOS + 4.1.4 libc where gethostbyname closes an unrelated + file descriptor. */ +- hp = gethostbyname(name); ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = IPv4or6; ++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) ++ aitop = 0; + + snprintf(line, sizeof(line), + "%.200s -q -", options.xauth_path); +@@ -4568,21 +4694,24 @@ + cp - display, display, cp, auth_proto, + auth_data); + #endif +- if (hp) ++ if (aitop) + { +- for(i = 0; hp->h_addr_list[i]; i++) ++ for (ai = aitop; ai; ai = ai->ai_next) + { ++ getnameinfo(ai->ai_addr, ai->ai_addrlen, ++ ntop, sizeof(ntop), NULL, 0, ++ NI_NUMERICHOST); ++ if (strchr(ntop, ':')) ++ continue; /* XXX - xauth doesn't accept it */ + if (debug_flag) + { + fprintf(stderr, "Running %s add %s%s %s %s\n", + options.xauth_path, +- inet_ntoa(*((struct in_addr *) +- hp->h_addr_list[i])), ++ ntop, + cp, auth_proto, auth_data); + } + fprintf(f, "add %s%s %s %s\n", +- inet_ntoa(*((struct in_addr *) +- hp->h_addr_list[i])), ++ ntop, + cp, auth_proto, auth_data); + } + } +@@ -4632,7 +4761,11 @@ + struct stat mailbuf; + + if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0) ++#ifdef __FreeBSD__ ++ ; ++#else + printf("No mail.\n"); ++#endif + else if (mailbuf.st_atime > mailbuf.st_mtime) + printf("You have mail.\n"); + else diff --git a/security/ssh/files/patch-ax b/security/ssh/files/patch-ax deleted file mode 100644 index c4a114fc306e..000000000000 --- a/security/ssh/files/patch-ax +++ /dev/null @@ -1,25 +0,0 @@ ---- rsaglue.c.orig Tue Nov 9 11:12:32 1999 -+++ rsaglue.c Tue Nov 9 11:17:58 1999 -@@ -139,6 +139,10 @@ - - input_bits = mpz_sizeinbase(input, 2); - input_len = (input_bits + 7) / 8; -+ if(input_bits > MAX_RSA_MODULUS_BITS) -+ fatal("Attempted to encrypt a block too large (%d bits, %d max) (malicious?).", -+ input_bits, MAX_RSA_MODULUS_BITS); -+ - gmp_to_rsaref(input_data, input_len, input); - - rsaref_public_key(&public_key, key); -@@ -172,6 +176,10 @@ - - input_bits = mpz_sizeinbase(input, 2); - input_len = (input_bits + 7) / 8; -+ if(input_bits > MAX_RSA_MODULUS_BITS) -+ fatal("Received session key too long (%d bits, %d max) (malicious?).", -+ input_bits, MAX_RSA_MODULUS_BITS); -+ - gmp_to_rsaref(input_data, input_len, input); - - rsaref_private_key(&private_key, key); - diff --git a/security/ssh/files/patch-bm b/security/ssh/files/patch-bm index a394777b4841..78c9833bb6bf 100644 --- a/security/ssh/files/patch-bm +++ b/security/ssh/files/patch-bm @@ -1,14 +1,12 @@ -*** readconf.h.orig Wed May 12 13:19:27 1999 ---- readconf.h Mon Jan 10 22:56:13 2000 -*************** -*** 98,103 **** ---- 98,106 ---- - int use_privileged_port; /* Use privileged port */ - - int port; /* Port to connect. */ -+ #ifdef ENABLE_ANOTHER_PORT_TRY -+ int another_port; /* Port to connect for -A option. */ -+ #endif /* ENABLE_ANOTHER_PORT_TRY */ - int connection_attempts; /* Max attempts (seconds) before giving up */ - int number_of_password_prompts; /* Max number of password prompts */ - int password_prompt_login; /* Show remote login at password prompt */ +--- readconf.h.orig Thu Jan 17 05:35:34 2002 ++++ readconf.h Fri Jun 21 16:36:20 2002 +@@ -102,6 +102,9 @@ + int use_privileged_port; /* Use privileged port */ + + int port; /* Port to connect. */ ++#ifdef ENABLE_ANOTHER_PORT_TRY ++ int another_port; /* Port to connect for -A option. */ ++#endif /* ENABLE_ANOTHER_PORT_TRY */ + int connection_attempts; /* Max attempts (seconds) before giving up */ + int number_of_password_prompts; /* Max number of password prompts */ + int password_prompt_login; /* Show remote login at password prompt */ diff --git a/security/ssh/files/patch-bo b/security/ssh/files/patch-bo index 886720df255d..941fef6346e7 100644 --- a/security/ssh/files/patch-bo +++ b/security/ssh/files/patch-bo @@ -1,197 +1,158 @@ -*** servconf.c.orig Wed May 12 13:19:28 1999 ---- servconf.c Mon Jan 10 22:56:13 2000 -*************** -*** 81,88 **** - void initialize_server_options(ServerOptions *options) - { - memset(options, 0, sizeof(*options)); -! options->port = -1; -! options->listen_addr.s_addr = INADDR_ANY; - options->host_key_file = NULL; - options->random_seed_file = NULL; - options->pid_file = NULL; ---- 81,88 ---- - void initialize_server_options(ServerOptions *options) - { - memset(options, 0, sizeof(*options)); -! options->num_ports = 0; -! options->listen_addrs = NULL; - options->host_key_file = NULL; - options->random_seed_file = NULL; - options->pid_file = NULL; -*************** -*** 92,97 **** ---- 92,100 ---- - options->permit_root_login = -1; - options->ignore_rhosts = -1; - options->ignore_root_rhosts = -1; -+ #ifdef ENABLE_LOG_AUTH -+ options->log_auth = -1; -+ #endif /* ENABLE_LOG_AUTH */ - options->quiet_mode = -1; - options->fascist_logging = -1; - options->print_motd = -1; -*************** -*** 138,153 **** - - void fill_default_server_options(ServerOptions *options) - { -! if (options->port == -1) - { -! struct servent *sp; -! -! sp = getservbyname(SSH_SERVICE_NAME, "tcp"); -! if (sp) -! options->port = ntohs(sp->s_port); -! else -! options->port = SSH_DEFAULT_PORT; -! endservent(); - } - if (options->host_key_file == NULL) - options->host_key_file = HOST_KEY_FILE; ---- 141,171 ---- - - void fill_default_server_options(ServerOptions *options) - { -! struct addrinfo hints, *ai, *aitop; -! char strport[PORTSTRLEN]; -! int i; -! -! if (options->num_ports == 0) -! options->ports[options->num_ports++] = SSH_DEFAULT_PORT; -! if (options->listen_addrs == NULL) - { -! for (i = 0; i < options->num_ports; i++) -! { -! memset(&hints, 0, sizeof(hints)); -! hints.ai_flags = AI_PASSIVE; -! hints.ai_family = IPv4or6; -! hints.ai_socktype = SOCK_STREAM; -! sprintf(strport, "%d", options->ports[i]); -! if (getaddrinfo(NULL, strport, &hints, &aitop) != 0) -! { -! fprintf(stderr, "fatal: getaddrinfo: Cannot get anyaddr.\n"); -! exit(1); -! } -! for (ai = aitop; ai->ai_next; ai = ai->ai_next); -! ai->ai_next = options->listen_addrs; -! options->listen_addrs = aitop; -! } -! /* freeaddrinfo(options->listen_addrs) in sshd.c */ - } - if (options->host_key_file == NULL) - options->host_key_file = HOST_KEY_FILE; -*************** -*** 243,248 **** ---- 261,269 ---- - { - sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, - sPermitRootLogin, sQuietMode, sFascistLogging, sLogFacility, -+ #ifdef ENABLE_LOG_AUTH -+ sLogAuth, -+ #endif /* ENABLE_LOG_AUTH */ - sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, - sTISAuthentication, sPasswordAuthentication, sAllowHosts, sDenyHosts, - sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, -*************** -*** 275,280 **** ---- 296,304 ---- - { "quietmode", sQuietMode }, - { "fascistlogging", sFascistLogging }, - { "syslogfacility", sLogFacility }, -+ #ifdef ENABLE_LOG_AUTH -+ { "logauth", sLogAuth }, -+ #endif /* ENABLE_LOG_AUTH */ - { "rhostsauthentication", sRhostsAuthentication }, - { "rhostsrsaauthentication", sRhostsRSAAuthentication }, - { "rsaauthentication", sRSAAuthentication }, -*************** -*** 367,372 **** ---- 391,399 ---- - char *cp, **charptr; - int linenum, *intptr, i, value; - ServerOpCodes opcode; -+ struct addrinfo hints, *ai, *aitop; -+ char strport[PORTSTRLEN]; -+ int gaierr; - - f = fopen(filename, "r"); - if (!f) -*************** -*** 389,395 **** - switch (opcode) - { - case sPort: -! intptr = &options->port; - parse_int: - cp = strtok(NULL, WHITESPACE); - if (!cp) ---- 416,429 ---- - switch (opcode) - { - case sPort: -! if (options->num_ports >= MAX_PORTS) -! { -! fprintf(stderr, "%s line %d: too many ports.\n", -! filename, linenum); -! exit(1); -! } -! options->ports[options->num_ports] = -1; -! intptr = &options->ports[options->num_ports++]; - parse_int: - cp = strtok(NULL, WHITESPACE); - if (!cp) -*************** -*** 452,462 **** - filename, linenum); - exit(1); - } -! #ifdef BROKEN_INET_ADDR -! options->listen_addr.s_addr = inet_network(cp); -! #else /* BROKEN_INET_ADDR */ -! options->listen_addr.s_addr = inet_addr(cp); -! #endif /* BROKEN_INET_ADDR */ - break; - - case sHostKeyFile: ---- 486,510 ---- - filename, linenum); - exit(1); - } -! if (options->num_ports == 0) -! options->ports[options->num_ports++] = SSH_DEFAULT_PORT; -! for (i = 0; i < options->num_ports; i++) -! { -! memset(&hints, 0, sizeof(hints)); -! hints.ai_family = IPv4or6; -! hints.ai_socktype = SOCK_STREAM; -! sprintf(strport, "%d", options->ports[i]); -! if ((gaierr = getaddrinfo(cp, strport, &hints, &aitop)) != 0) -! { -! fprintf(stderr, "%s line %d: bad addr or host. (%s)\n", -! filename, linenum, gai_strerror(gaierr)); -! exit(1); -! } -! for (ai = aitop; ai->ai_next; ai = ai->ai_next); -! ai->ai_next = options->listen_addrs; -! options->listen_addrs = aitop; -! } -! strtok(cp, WHITESPACE); /* getaddrinfo() may use strtok() */ - break; - - case sHostKeyFile: -*************** -*** 531,536 **** ---- 579,590 ---- - if (*intptr == -1) - *intptr = value; - break; -+ -+ #ifdef ENABLE_LOG_AUTH -+ case sLogAuth: -+ intptr = &options->log_auth; -+ goto parse_flag; -+ #endif /* ENABLE_LOG_AUTH */ - - case sIgnoreRhosts: - intptr = &options->ignore_rhosts; +--- servconf.c.orig Thu Jan 17 05:35:34 2002 ++++ servconf.c Fri Jun 21 16:22:56 2002 +@@ -88,8 +88,8 @@ + void initialize_server_options(ServerOptions *options) + { + memset(options, 0, sizeof(*options)); +- options->port = -1; +- options->listen_addr.s_addr = INADDR_ANY; ++ options->num_ports = 0; ++ options->listen_addrs = NULL; + options->host_key_file = NULL; + options->random_seed_file = NULL; + options->pid_file = NULL; +@@ -99,6 +99,9 @@ + options->permit_root_login = -1; + options->ignore_rhosts = -1; + options->ignore_root_rhosts = -1; ++#ifdef ENABLE_LOG_AUTH ++ options->log_auth = -1; ++#endif /* ENABLE_LOG_AUTH */ + options->quiet_mode = -1; + options->fascist_logging = -1; + options->print_motd = -1; +@@ -145,17 +148,33 @@ + + void fill_default_server_options(ServerOptions *options) + { +- if (options->port == -1) ++ struct addrinfo hints, *ai, *aitop; ++ char strport[PORTSTRLEN]; ++ int i; ++ ++ if (options->num_ports == 0) ++ options->ports[options->num_ports++] = SSH_DEFAULT_PORT; ++ if (options->listen_addrs == NULL) + { +- struct servent *sp; ++ for (i = 0; i < options->num_ports; i++) ++ { ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_flags = AI_PASSIVE; ++ hints.ai_family = IPv4or6; ++ hints.ai_socktype = SOCK_STREAM; ++ sprintf(strport, "%d", options->ports[i]); ++ if (getaddrinfo(NULL, strport, &hints, &aitop) != 0) ++ { ++ fprintf(stderr, "fatal: getaddrinfo: Cannot get anyaddr.\n"); ++ exit(1); ++ } ++ for (ai = aitop; ai->ai_next; ai = ai->ai_next); ++ ai->ai_next = options->listen_addrs; ++ options->listen_addrs = aitop; ++ } ++ /* freeaddrinfo(options->listen_addrs) in sshd.c */ ++ } + +- sp = getservbyname(SSH_SERVICE_NAME, "tcp"); +- if (sp) +- options->port = ntohs(sp->s_port); +- else +- options->port = SSH_DEFAULT_PORT; +- endservent(); +- } + if (options->host_key_file == NULL) + options->host_key_file = HOST_KEY_FILE; + if (options->random_seed_file == NULL) +@@ -250,6 +269,9 @@ + { + sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, + sPermitRootLogin, sQuietMode, sFascistLogging, sLogFacility, ++#ifdef ENABLE_LOG_AUTH ++ sLogAuth, ++#endif /* ENABLE_LOG_AUTH */ + sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, + sTISAuthentication, sPasswordAuthentication, sAllowHosts, sDenyHosts, + sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, +@@ -282,6 +304,9 @@ + { "quietmode", sQuietMode }, + { "fascistlogging", sFascistLogging }, + { "syslogfacility", sLogFacility }, ++#ifdef ENABLE_LOG_AUTH ++ { "logauth", sLogAuth }, ++#endif /* ENABLE_LOG_AUTH */ + { "rhostsauthentication", sRhostsAuthentication }, + { "rhostsrsaauthentication", sRhostsRSAAuthentication }, + { "rsaauthentication", sRSAAuthentication }, +@@ -375,6 +400,9 @@ + char *cp, **charptr; + int linenum, *intptr, i, value; + ServerOpCodes opcode; ++ struct addrinfo hints, *ai, *aitop; ++ char strport[PORTSTRLEN]; ++ int gaierr; + + f = fopen(filename, "r"); + if (!f) +@@ -397,7 +425,14 @@ + switch (opcode) + { + case sPort: +- intptr = &options->port; ++ if (options->num_ports >= MAX_PORTS) ++ { ++ fprintf(stderr, "%s line %d: too many ports.\n", ++ filename, linenum); ++ exit(1); ++ } ++ options->ports[options->num_ports] = -1; ++ intptr = &options->ports[options->num_ports++]; + parse_int: + cp = strtok(NULL, WHITESPACE); + if (!cp) +@@ -460,12 +495,26 @@ + filename, linenum); + exit(1); + } +-#ifdef BROKEN_INET_ADDR +- options->listen_addr.s_addr = inet_network(cp); +-#else /* BROKEN_INET_ADDR */ +- options->listen_addr.s_addr = inet_addr(cp); +-#endif /* BROKEN_INET_ADDR */ +- break; ++ if (options->num_ports == 0) ++ options->ports[options->num_ports++] = SSH_DEFAULT_PORT; ++ for (i = 0; i < options->num_ports; i++) ++ { ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = IPv4or6; ++ hints.ai_socktype = SOCK_STREAM; ++ sprintf(strport, "%d", options->ports[i]); ++ if ((gaierr = getaddrinfo(cp, strport, &hints, &aitop)) != 0) ++ { ++ fprintf(stderr, "%s line %d: bad addr or host. (%s)\n", ++ filename, linenum, gai_strerror(gaierr)); ++ exit(1); ++ } ++ for (ai = aitop; ai->ai_next; ai = ai->ai_next); ++ ai->ai_next = options->listen_addrs; ++ options->listen_addrs = aitop; ++ } ++ strtok(cp, WHITESPACE); /* getaddrinfo() may use strtok() */ ++ break; + + case sHostKeyFile: + charptr = &options->host_key_file; +@@ -539,6 +588,12 @@ + if (*intptr == -1) + *intptr = value; + break; ++ ++#ifdef ENABLE_LOG_AUTH ++ case sLogAuth: ++ intptr = &options->log_auth; ++ goto parse_flag; ++#endif /* ENABLE_LOG_AUTH */ + + case sIgnoreRhosts: + intptr = &options->ignore_rhosts; diff --git a/security/ssh/files/patch-bp b/security/ssh/files/patch-bp index 40b10db36c4c..a9cd9987ef37 100644 --- a/security/ssh/files/patch-bp +++ b/security/ssh/files/patch-bp @@ -1,45 +1,32 @@ -*** servconf.h.orig Wed May 12 13:19:28 1999 ---- servconf.h Mon Jan 10 22:56:13 2000 -*************** -*** 64,69 **** ---- 64,71 ---- - #ifndef SERVCONF_H - #define SERVCONF_H - -+ #define MAX_PORTS 256 /* Max # hosts on allow list. */ -+ - #define MAX_ALLOW_SHOSTS 256 /* Max # hosts on allow shosts list. */ - #define MAX_DENY_SHOSTS 256 /* Max # hosts on deny shosts list. */ - #define MAX_ALLOW_HOSTS 256 /* Max # hosts on allow list. */ -*************** -*** 82,89 **** - - typedef struct - { -! int port; /* Port number to listen on. */ -! struct in_addr listen_addr; /* Address on which the server listens. */ - char *host_key_file; /* File containing host key. */ - char *random_seed_file; /* File containing random seed. */ - char *pid_file; /* File containing process ID number. */ ---- 84,92 ---- - - typedef struct - { -! unsigned int num_ports; -! int ports[MAX_PORTS]; /* Port number to listen on. */ -! struct addrinfo *listen_addrs;/* Addresses on which the server listens. */ - char *host_key_file; /* File containing host key. */ - char *random_seed_file; /* File containing random seed. */ - char *pid_file; /* File containing process ID number. */ -*************** -*** 91,96 **** ---- 94,102 ---- - int login_grace_time; /* Disconnect if no auth in this time (sec). */ - int key_regeneration_time; /* Server key lifetime (seconds). */ - int permit_root_login; /* 0 = forced cmd only, 1 = no pwd, 2 = yes. */ -+ #ifdef ENABLE_LOG_AUTH -+ int log_auth; /* If true, log authentication info. */ -+ #endif /* ENABLE_LOG_AUTH */ - int ignore_rhosts; /* Ignore .rhosts and .shosts. */ - int ignore_root_rhosts; /* Ignore .rhosts and .shosts for root, - defaults to ignore_rhosts if not given. */ +--- servconf.h.orig Thu Jan 17 05:35:34 2002 ++++ servconf.h Fri Jun 21 16:24:35 2002 +@@ -68,6 +68,7 @@ + #ifndef SERVCONF_H + #define SERVCONF_H + ++#define MAX_PORTS 256 /* Max # hosts on allow list. */ + #define MAX_ALLOW_SHOSTS 256 /* Max # hosts on allow shosts list. */ + #define MAX_DENY_SHOSTS 256 /* Max # hosts on deny shosts list. */ + #define MAX_ALLOW_HOSTS 256 /* Max # hosts on allow list. */ +@@ -86,8 +87,9 @@ + + typedef struct + { +- int port; /* Port number to listen on. */ +- struct in_addr listen_addr; /* Address on which the server listens. */ ++ unsigned int num_ports; ++ int ports[MAX_PORTS]; /* Port number to listen on. */ ++ struct addrinfo *listen_addrs;/* Addresses on which the server listens. */ + char *host_key_file; /* File containing host key. */ + char *random_seed_file; /* File containing random seed. */ + char *pid_file; /* File containing process ID number. */ +@@ -95,6 +97,9 @@ + int login_grace_time; /* Disconnect if no auth in this time (sec). */ + int key_regeneration_time; /* Server key lifetime (seconds). */ + int permit_root_login; /* 0 = forced cmd only, 1 = no pwd, 2 = yes. */ ++#ifdef ENABLE_LOG_AUTH ++ int log_auth; /* If true, log authentication info. */ ++#endif /* ENABLE_LOG_AUTH */ + int ignore_rhosts; /* Ignore .rhosts and .shosts. */ + int ignore_root_rhosts; /* Ignore .rhosts and .shosts for root, + defaults to ignore_rhosts if not given. */ diff --git a/security/ssh/files/patch-xa b/security/ssh/files/patch-xa deleted file mode 100644 index a775ff6820da..000000000000 --- a/security/ssh/files/patch-xa +++ /dev/null @@ -1,167 +0,0 @@ -Note that this patch has been incorporated into the port due to problems -with patching a autoconf generated configure script. The script itself contains -linenumbers and in case of two patches against that script the second one fails -because it expects something that the first patch has already changed. The -only clean way is to re-generate it with autoconf. *sigh* -This patch was fetched from -http://www.ssh.org/patches/patch-ssh-1.2.27-bsd.tty.chown - - torstenb@FreeBSD.org, Tue Jan 11 21:36:46 CET 2000 - - -Patch for problem with tty ownership with chflags and chown in BSD 4.4 -variants. Fixes a security bug in tty allocation. - -This patch works for ssh-1.2.27. - -Apply with the following commands: - -% cd /wherever/you/hold/your/sources/ssh-1.2.27 -% patch -p1 -l < /path/to/where/you/saved/patch-ssh-1.2.27-bsd.tty.chown -% ./configure --whatever-config-flags-you-use -% make clean -% make -% su -Password: *********** -# make install -# kill -HUP `cat /var/run/sshd.pid` - -You should be all set. - -Sami Lehtinen - ---begin patch-- -diff -u --recursive -X /u/sjl/bin/diff-src-db auth-passwd.c.orig auth-passwd.c ---- auth-passwd.c.orig Wed May 12 14:19:23 1999 -+++ auth-passwd.c Wed Aug 11 19:49:32 1999 -@@ -613,7 +613,13 @@ - /* get_name pulls out just the name not the - type */ - strcpy(ccname + 5, krb5_cc_get_name(ssh_context, ccache)); -- (void) chown(ccname + 5, pw->pw_uid, pw->pw_gid); -+ if (chown(ccname + 5, pw->pw_uid, pw->pw_gid) < 0) -+ { -+ log_msg("Kerberos: chown failed for %s, error: %s", -+ ccname + 5, strerror(errno)); -+ packet_send_debug("Kerberos: chown failed for %s", ccname + 5); -+ goto errout; -+ } - - /* If tgt was passed unlink file */ - if (ticket) -diff -u --recursive -X /u/sjl/bin/diff-src-db config.h.in.orig config.h.in ---- config.h.in.orig Wed May 12 14:20:04 1999 -+++ config.h.in Wed Aug 11 20:20:51 1999 -@@ -360,6 +360,9 @@ - /* Define if you have the authenticate function. */ - #undef HAVE_AUTHENTICATE - -+/* Define if you have the chflags function. */ -+#undef HAVE_CHFLAGS -+ - /* Define if you have the clock function. */ - #undef HAVE_CLOCK - -diff -u --recursive -X /u/sjl/bin/diff-src-db configure.in.orig configure.in ---- configure.in.orig Wed May 12 14:20:02 1999 -+++ configure.in Wed Aug 11 20:05:13 1999 -@@ -433,6 +433,7 @@ - AC_CHECK_FUNCS(strchr memcpy setlogin openpty _getpty clock fchmod ulimit) - AC_CHECK_FUNCS(gethostname getdtablesize umask innetgr initgroups setpgrp) - AC_CHECK_FUNCS(setpgid daemon waitpid ttyslot authenticate getpt isastream) -+AC_CHECK_FUNCS(chflags) - - AC_REPLACE_FUNCS(strerror memmove remove random putenv crypt socketpair snprintf) - -diff -u --recursive -X /u/sjl/bin/diff-src-db sshd.c.orig sshd.c ---- sshd.c.orig Wed May 12 14:19:29 1999 -+++ sshd.c Wed Aug 11 20:26:31 1999 -@@ -2897,9 +2897,87 @@ - tty_mode = S_IRUSR|S_IWUSR|S_IWGRP|S_IWOTH; - } - -+ retry_chown: -+ - /* Change ownership of the tty. */ -- (void)chown(ttyname, pw->pw_uid, tty_gid); -- (void)chmod(ttyname, tty_mode); -+ if (chown(ttyname, pw->pw_uid, tty_gid) < 0) -+ { -+ /* chown failed. Atleast two possibilities. Either we are not -+ running as root, in which case this is OK, or we are running -+ on BSD, and somebody has put some flags to the tty. */ -+ -+ /* Check whether we are root or not.*/ -+ if (getuid() != UID_ROOT) -+ { -+ /* We are not, and then this is OK. */ -+ debug("chown failed (but we're not root anyway) for " -+ "%s, error %s", ttyname, strerror(errno)); -+ } -+ else -+ { -+#ifdef HAVE_CHFLAGS -+ static int retrying = 0; -+ struct stat st; -+ -+ if (!retrying) -+ { -+ debug("chown failed for %s, error: %s. Removing " -+ "user-settable flags, and retrying.", -+ ttyname, strerror(errno)); -+ -+ if (stat(ttyname, &st) < 0) -+ { -+ error("stat failed for %s, error: %s", -+ ttyname, strerror(errno)); -+ } -+ else -+ { -+ debug("Removing user-settable flags with " -+ "chflags."); -+ /* Remove user definable flags. */ -+ if (chflags(ttyname, st.st_flags & -+ ~(UF_NODUMP | UF_IMMUTABLE | -+ UF_APPEND | UF_OPAQUE)) < 0) -+ { -+ debug("chflags failed for %s, error: %s", -+ ttyname, strerror(errno)); -+ } -+ else -+ { -+ debug("Retrying..."); -+ retrying = 1; -+ goto retry_chown; -+ } -+ } -+ } -+ else -+ { -+ debug("chown failed even with retry. error: %s", -+ strerror(errno)); -+ } -+ -+#endif /* HAVE_CHFLAGS */ -+ error("ssh_pty_allocate_and_fork: chown failed for %s.", -+ ttyname); -+ goto fail; -+ } -+ } -+ -+ if (chmod(ttyname, tty_mode) < 0) -+ { -+ if (getuid() != UID_ROOT) -+ { -+ /* We are not, and then this is (probably) OK. */ -+ debug("chmod failed (but we're not root anyway) for " -+ "%s, error %s", ttyname, strerror(errno)); -+ } -+ else -+ { -+ error("ssh_pty_allocate_and_fork: chmod %s: %s", -+ ttyname, strerror(errno)); -+ goto fail; -+ } -+ } - - /* Get TERM from the packet. Note that the value may be of arbitrary - length. */