mirror/freebsd-ports
1
0
Fork 0
mirror of https://git.FreeBSD.org/ports.git synced 2024-11-26 00:55:14 +00:00
Code Issues Releases Activity

1.2.22 -> 1.2.25

Browse Source 
Somebody needs to go through patch-af to check it, since I'm not sure
about some of the stuff.

This version fixes a security flaw in previous version.
This commit is contained in:
Dima Ruban 1998-06-12 07:55:14 +00:00
parent 6c276731a8
commit 64e630d83b
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=11400
10 changed files with 352 additions and 872 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
security/ssh/Makefile
View File

@ -1,15 +1,15 @@
# New ports collection makefile for: ssh
# Version required: 1.2.22
# Version required: 1.2.25
# Date created: 30 Jul 1995
# Whom: torstenb@FreeBSD.ORG
#
# $Id: Makefile,v 1.53 1998/05/22 06:05:43 mph Exp $
# $Id: Makefile,v 1.54 1998/05/23 08:53:38 obrien Exp $
#
# Maximal ssh package requires YES values for
# USE_PERL, USE_TCPWRAP
#
DISTNAME= ssh-1.2.22
DISTNAME= ssh-1.2.25
CATEGORIES= security net
MASTER_SITES= ftp://ftp.funet.fi/pub/unix/security/login/ssh/
@ -32,10 +32,11 @@ MASTER_SITES= \
# Download by hand from http://www.cryptography.org/cgi-bin/crypto.cgi/ssh/
# and put in distfiles directory.
#
.if defined(FAST_DES_PATCHKIT) && ${FAST_DES_PATCHKIT} == YES
PATCHFILES=ssh-1.2.22-patchkit
PATCH_DIST_STRIP=-p1
.endif
# Disabled for now, since there's not such a patchkit for 1.2.25 version.
#.if defined(FAST_DES_PATCHKIT) && ${FAST_DES_PATCHKIT} == YES
#PATCHFILES=ssh-1.2.22-patchkit
#PATCH_DIST_STRIP=-p1
#.endif
RESTRICTED= "Crypto; export-controlled"
IS_INTERACTIVE= YES
@ -70,9 +71,9 @@ CONFIGURE_ARGS+= --with-secureid
CONFIGURE_ARGS+= --without-idea
.endif
MAN1= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 \
make-ssh-known-hosts.1
MAN8= sshd.8
MAN1= scp1.1 ssh-add1.1 ssh-agent1.1 ssh-keygen1.1 ssh1.1 \
make-ssh-known-hosts1.1
MAN8= sshd1.8
pre-patch:
@ -103,8 +104,17 @@ post-install:
${PREFIX}/bin/ssh-keygen -f ${PREFIX}/etc/ssh_host_key -N ""; \
fi
.if !defined(NOMANCOMPRESS)
for file in make-ssh-known-hosts scp ssh-add ssh-agent \
ssh-keygen ssh; do \
rm -f ${PREFIX}/man/man1/$${file}.1; \
ln -sf $${file}1.1.gz ${PREFIX}/man/man1/$${file}.1.gz; \
done
rm -f ${PREFIX}/man/man1/slogin.1
rm -f ${PREFIX}/man/man1/slogin1.1
rm -f ${PREFIX}/man/man8/sshd.8
ln -sf ssh.1.gz ${PREFIX}/man/man1/slogin.1.gz
ln -sf ssh1.1.gz ${PREFIX}/man/man1/slogin1.1.gz
ln -sf sshd1.8.gz ${PREFIX}/man/man8/sshd.8.gz
.endif
@if [ ! -f ${PREFIX}/etc/rc.d/sshd.sh ]; then \
echo "Installing ${PREFIX}/etc/rc.d/sshd.sh startup file."; \

2
security/ssh/distinfo
View File

@ -1,3 +1,3 @@
MD5 (ssh-1.2.22.tar.gz) = 011f2b6d1935c59be0dae299db4ed7fa
MD5 (ssh-1.2.25.tar.gz) = f16c579f8d60d2f0eaabd3c30e46ca2c
MD5 (rsaref2.tar.gz) = 0b474c97bf1f1c0d27e5a95f1239c08d
MD5 (ssh-1.2.22-patchkit) = 5228897d59be91ad3ae88e992d61cd50

62
security/ssh/files/patch-ac
View File

@ -1,7 +1,7 @@
*** Makefile.in.orig Tue Sep 16 01:59:13 1997
--- Makefile.in Tue Sep 16 02:06:08 1997
*** Makefile.in.orig Thu Jun 11 07:01:13 1998
--- Makefile.in Thu Jun 11 20:48:59 1998
***************
*** 259,270 ****
*** 287,298 ****
SHELL = /bin/sh
GMPDIR = gmp-2.0.2-ssh-2
@ -14,7 +14,7 @@
RSAREFDIR = rsaref2
RSAREFSRCDIR = $(RSAREFDIR)/source
--- 259,275 ----
--- 287,303 ----
SHELL = /bin/sh
GMPDIR = gmp-2.0.2-ssh-2
@ -33,7 +33,7 @@
RSAREFDIR = rsaref2
RSAREFSRCDIR = $(RSAREFDIR)/source
***************
*** 368,374 ****
*** 397,403 ****
$(CC) -o rfc-pg rfc-pg.o
.c.o:
@ -41,7 +41,7 @@
sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP)
-rm -f sshd
--- 373,379 ----
--- 402,408 ----
$(CC) -o rfc-pg rfc-pg.o
.c.o:
@ -50,7 +50,7 @@
sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP)
-rm -f sshd
***************
*** 411,429 ****
*** 440,458 ****
sed "s#&PERL&#$(PERL)#" <$(srcdir)/make-ssh-known-hosts.pl >make-ssh-known-hosts
chmod +x make-ssh-known-hosts
@ -70,7 +70,7 @@
$(RSAREFSRCDIR)/librsaref.a:
-if test '!' -d $(RSAREFDIR); then \
--- 416,434 ----
--- 445,463 ----
sed "s#&PERL&#$(PERL)#" <$(srcdir)/make-ssh-known-hosts.pl >make-ssh-known-hosts
chmod +x make-ssh-known-hosts
@ -91,24 +91,24 @@
$(RSAREFSRCDIR)/librsaref.a:
-if test '!' -d $(RSAREFDIR); then \
***************
*** 480,486 ****
*** 509,515 ****
# (otherwise it can only log in as the user it runs as, and must be
# bound to a non-privileged port). Also, password authentication may
# not be available if non-root and using shadow passwords.
! install: $(PROGRAMS) make-dirs generate-host-key install-configs
-rm -f $(install_prefix)$(bindir)/ssh.old
-mv $(install_prefix)$(bindir)/ssh $(install_prefix)$(bindir)/ssh.old
-chmod 755 $(install_prefix)$(bindir)/ssh.old
--- 485,491 ----
-rm -f $(install_prefix)$(bindir)/ssh1.old
-mv $(install_prefix)$(bindir)/ssh1 $(install_prefix)$(bindir)/ssh1.old
-chmod 755 $(install_prefix)$(bindir)/ssh1.old
--- 514,520 ----
# (otherwise it can only log in as the user it runs as, and must be
# bound to a non-privileged port). Also, password authentication may
# not be available if non-root and using shadow passwords.
! install: $(PROGRAMS) make-dirs install-configs
-rm -f $(install_prefix)$(bindir)/ssh.old
-mv $(install_prefix)$(bindir)/ssh $(install_prefix)$(bindir)/ssh.old
-chmod 755 $(install_prefix)$(bindir)/ssh.old
-rm -f $(install_prefix)$(bindir)/ssh1.old
-mv $(install_prefix)$(bindir)/ssh1 $(install_prefix)$(bindir)/ssh1.old
-chmod 755 $(install_prefix)$(bindir)/ssh1.old
***************
*** 589,603 ****
*** 665,679 ****
clean:
-rm -f *.o gmon.out *core $(PROGRAMS) rfc-pg
@ -122,9 +122,9 @@
! cd $(GMPDIR); $(MAKE) distclean
! cd $(ZLIBDIR); $(MAKE) distclean
dist: dist-free
dist: dist-commercial
--- 594,608 ----
--- 670,684 ----
clean:
-rm -f *.o gmon.out *core $(PROGRAMS) rfc-pg
@ -138,12 +138,12 @@
! # cd $(GMPDIR); $(MAKE) distclean
! # cd $(ZLIBDIR); $(MAKE) distclean
dist: dist-free
dist: dist-commercial
***************
*** 628,639 ****
#
#endif F_SECURE_COMMERCIAL
*** 702,713 ****
-mkdir $(DISTNAME)
cp $(DISTFILES) $(DISTNAME)
for i in $(DISTSRCS); do cp $(srcdir)/$$i $(DISTNAME); done
! (cd $(GMPDIR); make dist)
! gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - )
@ -152,11 +152,11 @@
! (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -)
! cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS
dist-free-make-tar:
tar pcf $(DISTNAME).tar $(DISTNAME)
--- 633,644 ----
#ifdef F_SECURE_COMMERCIAL
#
#endif F_SECURE_COMMERCIAL
--- 707,718 ----
-mkdir $(DISTNAME)
cp $(DISTFILES) $(DISTNAME)
for i in $(DISTSRCS); do cp $(srcdir)/$$i $(DISTNAME); done
! # (cd $(GMPDIR); make dist)
! # gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - )
@ -165,10 +165,10 @@
! # (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -)
! # cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS
dist-free-make-tar:
tar pcf $(DISTNAME).tar $(DISTNAME)
#ifdef F_SECURE_COMMERCIAL
#
***************
*** 656,662 ****
*** 735,741 ****
(echo "s/\.$$old_version\"/.$$new_version\"/g"; echo w; echo q) | ed $(srcdir)/version.h >/dev/null
depend:
@ -176,7 +176,7 @@
tags:
-rm -f TAGS
--- 661,667 ----
--- 740,746 ----
(echo "s/\.$$old_version\"/.$$new_version\"/g"; echo w; echo q) | ed $(srcdir)/version.h >/dev/null
depend:

502
security/ssh/files/patch-af
View File

@ -1,394 +1,108 @@
--- sshd.c.orig Tue Jan 20 15:24:10 1998
+++ sshd.c Thu Jan 22 16:29:19 1998
@@ -428,6 +428,10 @@
#include "firewall.h" /* TIS authsrv authentication */
#endif
+#ifdef HAVE_LOGIN_CAP_H
+#include <login_cap.h>
+#endif
+
#ifdef _PATH_BSHELL
#define DEFAULT_SHELL _PATH_BSHELL
#else
@@ -1594,6 +1598,38 @@
endspent();
}
#endif /* HAVE_ETC_SHADOW */
+#ifdef __FreeBSD__
+ {
+ time_t currtime;
+
+ if (pwd->pw_change || pwd->pw_expire)
+ currtime = time(NULL);
+
+ /*
+ * Check for an expired password
+ */
+ if (pwd->pw_change && pwd->pw_change <= currtime)
+ {
+ debug("Account %.100s's password is too old - forced to change.",
+ user);
+ if (options.forced_passwd_change)
+ forced_command = "/usr/bin/passwd";
+ else
+ {
+ return 0;
+ }
+ }
+
+ /*
+ * Check for expired account
+ */
+ if (pwd->pw_expire && pwd->pw_expire <= currtime)
+ {
+ debug("Account %.100s has expired - access denied.", user);
+ return 0;
+ }
+ }
+#else /* !FreeBSD */
/*
* Check if account is locked. Check if encrypted password starts
* with "*LK*".
@@ -1605,6 +1641,7 @@
return 0;
}
}
+#endif /* !FreeBSD */
#ifdef CHECK_ETC_SHELLS
{
int invalid = 1;
@@ -1819,8 +1856,10 @@
pwcopy.pw_passwd = xstrdup(pw->pw_passwd);
pwcopy.pw_uid = pw->pw_uid;
pwcopy.pw_gid = pw->pw_gid;
-#if defined (__bsdi__) && _BSDI_VERSION >= 199510
+#if defined (HAVE_LOGIN_CAP_H) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
pwcopy.pw_class = xstrdup(pw->pw_class);
+#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
+#if defined (__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
pwcopy.pw_change = pw->pw_change;
pwcopy.pw_expire = pw->pw_expire;
#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
@@ -2793,9 +2832,13 @@
struct sockaddr_in from;
int fromlen;
struct pty_cleanup_context cleanup_context;
-#if defined (__bsdi__) && _BSDI_VERSION >= 199510
+#if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
struct timeval tp;
#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
+#ifdef HAVE_LOGIN_CAP_H
+ login_cap_t *lc;
+ time_t warnpassword, warnexpire;
+#endif
/* We no longer need the child running on user's privileges. */
userfile_uninit();
@@ -2867,10 +2910,18 @@
record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname,
&from);
+#ifdef HAVE_LOGIN_CAP_H
+ lc = login_getclass(pw->pw_class);
+ quiet_login = login_getcapbool(lc, "hushlogin", quiet_login);
+ if (!quiet_login) {
+#endif
/* Check if .hushlogin exists. Note that we cannot use userfile
here because we are in the child. */
sprintf(line, "%.200s/.hushlogin", pw->pw_dir);
quiet_login = stat(line, &st) >= 0;
+#ifdef HAVE_LOGIN_CAP_H
+ }
+#endif
/* If the user has logged in before, display the time of last login.
However, don't display anything extra if a command has been
@@ -2890,6 +2941,38 @@
else
printf("Last login: %s from %s\r\n", time_string, buf);
}
+#ifdef __FreeBSD__
+ if (command == NULL && !quiet_login)
+ {
+#ifdef HAVE_LOGIN_CAP_H
+ char *cw;
+ FILE *f;
+
+ cw = login_getcapstr(lc, "copyright", NULL, NULL);
+ if (cw != NULL && (f = fopen(cw, "r")) != NULL)
+ {
+ while (fgets(line, sizeof(line), f))
+ fputs(line, stdout);
+ fclose(f);
+ }
+ else
+#endif
+ printf("%s\n\t%s %s\n\n",
+ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
+ "The Regents of the University of California. ",
+ "All rights reserved.");
+ }
+#endif
+
+#ifdef HAVE_LOGIN_CAP_H
+#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
+
+ warnpassword = login_getcaptime(lc, "warnpassword",
+ DEFAULT_WARN, DEFAULT_WARN);
+ warnexpire = login_getcaptime(lc, "warnexpire",
+ DEFAULT_WARN, DEFAULT_WARN);
+ login_close(lc);
+#endif
/* Print /etc/motd unless a command was specified or printing it was
disabled in server options. Note that some machines appear to
@@ -2900,14 +2983,18 @@
FILE *f;
/* Print /etc/motd if it exists. */
- f = fopen("/etc/motd", "r");
+#ifdef HAVE_LOGIN_CAP_H
+ f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", "/etc/motd"), "r");
+#else
+ f = fopen("/etc/motd", "r");
+#endif
if (f)
{
while (fgets(line, sizeof(line), f))
fputs(line, stdout);
fclose(f);
}
-#if defined (__bsdi__) && _BSDI_VERSION >= 199510
+#if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
if (pw->pw_change || pw->pw_expire)
(void)gettimeofday(&tp, (struct timezone *)NULL);
if (pw->pw_change)
@@ -2915,7 +3002,11 @@
fprintf(stderr,"Sorry -- your password has expired.\n");
exit(254);
} else if (pw->pw_change - tp.tv_sec <
+#ifdef HAVE_LOGIN_CAP_H
+ warnpassword)
+#else
2 * DAYSPERWEEK * SECSPERDAY)
+#endif
fprintf(stderr,"Warning: your password expires on %s",
ctime(&pw->pw_change));
if (pw->pw_expire)
@@ -2923,7 +3014,11 @@
fprintf(stderr,"Sorry -- your account has expired.\n");
exit(254);
} else if (pw->pw_expire - tp.tv_sec <
+#ifdef HAVE_LOGIN_CAP_H
+ warnexpire)
+#else
2 * DAYSPERWEEK * SECSPERDAY)
+#endif
fprintf(stderr,"Warning: your account expires on %s",
ctime(&pw->pw_expire));
#endif /* __bsdi__ & _BSDI_VERSION >= 199510 */
@@ -3182,6 +3277,13 @@
#if defined (__bsdi__) && _BSDI_VERSION >= 199510
login_cap_t *lc = 0;
#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
+#ifdef HAVE_LOGIN_CAP_H
+ login_cap_t *lc;
+ char *real_shell;
+
+ lc = login_getclass(pw->pw_class);
+ auth_checknologin(lc);
+#else /* !HAVE_LOGIN_CAP_H */
/* Check /etc/nologin. */
f = fopen("/etc/nologin", "r");
@@ -3199,10 +3301,16 @@
if (pw->pw_uid != UID_ROOT && !login_getcapbool(lc, "ignorenologin", 0))
exit(254);
#else
+#ifdef HAVE_LOGIN_CAP_H
+ if (pw->pw_uid != UID_ROOT && !login_getcapbool(lc, "ignorenologin", 0))
+ exit(254);
+#else
if (pw->pw_uid != UID_ROOT)
exit(254);
+#endif
#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
}
+#endif /* HAVE_LOGIN_CAP_H */
if (command != NULL)
{
@@ -3216,6 +3324,7 @@
log_msg("executing remote command as user %.200s", pw->pw_name);
}
+#ifndef HAVE_LOGIN_CAP_H
#ifdef HAVE_SETLOGIN
/* Set login name in the kernel. Warning: setsid() must be called before
this. */
@@ -3236,6 +3345,7 @@
if (setpcred((char *)pw->pw_name, NULL))
log_msg("setpcred %.100s: %.100s", strerror(errno));
#endif /* HAVE_USERSEC_H */
+#endif /* !HAVE_LOGIN_CAP_H */
/* Save some data that will be needed so that we can do certain cleanups
before we switch to user's uid. (We must clear all sensitive data
@@ -3306,6 +3416,66 @@
if (command != NULL || !options.use_login)
#endif /* USELOGIN */
{
+#ifdef HAVE_LOGIN_CAP_H
+ char *p, *s, **tmpenv;
+
+ /* Initialize the new environment.
+ */
+ envsize = 64;
+ env = xmalloc(envsize * sizeof(char *));
+ env[0] = NULL;
+
+ child_set_env(&env, &envsize, "PATH", DEFAULT_PATH);
+
+#ifdef MAIL_SPOOL_DIRECTORY
+ sprintf(buf, "%.200s/%.50s", MAIL_SPOOL_DIRECTORY, user_name);
+ child_set_env(&env, &envsize, "MAIL", buf);
+#else /* MAIL_SPOOL_DIRECTORY */
+#ifdef MAIL_SPOOL_FILE
+ sprintf(buf, "%.200s/%.50s", user_dir, MAIL_SPOOL_FILE);
+ child_set_env(&env, &envsize, "MAIL", buf);
+#endif /* MAIL_SPOOL_FILE */
+#endif /* MAIL_SPOOL_DIRECTORY */
+
+ /* Let it inherit timezone if we have one. */
+ if (getenv("TZ"))
+ child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+
+ /* Save previous environment array
+ */
+ tmpenv = environ;
+ environ = env;
+
+ /* Set the user's login environment
+ */
+ if (setusercontext(lc, pw, user_uid, LOGIN_SETALL) < 0)
+ {
+ perror("setusercontext");
+ exit(1);
+ }
+
+ p = getenv("PATH");
+ s = xmalloc((p != NULL ? strlen(p) + 1 : 0) + sizeof(SSH_BINDIR));
+ *s = '\0';
+ if (p != NULL)
+ {
+ strcat(s, p);
+ strcat(s, ":");
+ }
+ strcat(s, SSH_BINDIR);
+
+ env = environ;
+ environ = tmpenv; /* Restore parent environment */
+ for (envsize = 0; env[envsize] != NULL; ++envsize)
+ ;
+ /* Reallocate this to what is expected */
+ envsize = (envsize < 100) ? 100 : envsize + 16;
+ env = xrealloc(env, envsize * sizeof(char *));
+
+ child_set_env(&env, &envsize, "PATH", s);
+ xfree(s);
+
+#else /* !HAVE_LOGIN_CAP_H */
/* Set uid, gid, and groups. */
if (getuid() == UID_ROOT || geteuid() == UID_ROOT)
{
@@ -3337,6 +3507,7 @@
if (getuid() != user_uid || geteuid() != user_uid)
fatal("Failed to set uids to %d.", (int)user_uid);
+#endif /* HAVE_LOGIN_CAP_H */
}
/* Reset signals to their default settings before starting the user
@@ -3364,11 +3535,16 @@
and means /bin/sh. */
shell = (user_shell[0] == '\0') ? DEFAULT_SHELL : user_shell;
+#ifdef HAVE_LOGIN_CAP_H
+ real_shell = login_getcapstr(lc, "shell", (char*)shell, (char*)shell);
+ login_close(lc);
+#else /* !HAVE_LOGIN_CAP_H */
/* Initialize the environment. In the first part we allocate space for
all environment variables. */
envsize = 100;
env = xmalloc(envsize * sizeof(char *));
env[0] = NULL;
+#endif /* HAVE_LOGIN_CAP_H */
#ifdef USELOGIN
if (command != NULL || !options.use_login)
@@ -3378,6 +3554,8 @@
child_set_env(&env, &envsize, "HOME", user_dir);
child_set_env(&env, &envsize, "USER", user_name);
child_set_env(&env, &envsize, "LOGNAME", user_name);
+
+#ifndef HAVE_LOGIN_CAP_H
child_set_env(&env, &envsize, "PATH", DEFAULT_PATH ":" SSH_BINDIR);
#ifdef MAIL_SPOOL_DIRECTORY
@@ -3389,6 +3567,7 @@
child_set_env(&env, &envsize, "MAIL", buf);
#endif /* MAIL_SPOOL_FILE */
#endif /* MAIL_SPOOL_DIRECTORY */
+#endif /* !HAVE_LOGIN_CAP_H */
#ifdef HAVE_ETC_DEFAULT_LOGIN
/* Read /etc/default/login; this exists at least on Solaris 2.x. Note
@@ -3404,9 +3583,11 @@
child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
original_command);
+#ifndef HAVE_LOGIN_CAP_H
/* Let it inherit timezone if we have one. */
if (getenv("TZ"))
child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+#endif /* !HAVE_LOGIN_CAP_H */
/* Set custom environment options from RSA authentication. */
while (custom_environment)
@@ -3632,7 +3813,11 @@
struct stat mailbuf;
if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0)
+#ifdef __FreeBSD__
+ ;
+#else
printf("No mail.\n");
+#endif
else if (mailbuf.st_atime > mailbuf.st_mtime)
printf("You have mail.\n");
else
@@ -3647,7 +3832,11 @@
/* Execute the shell. */
argv[0] = buf;
argv[1] = NULL;
+#ifdef HAVE_LOGIN_CAP_H
+ execve(real_shell, argv, env);
+#else
execve(shell, argv, env);
+#endif /* HAVE_LOGIN_CAP_H */
/* Executing the shell failed. */
perror(shell);
exit(1);
@@ -3668,7 +3857,11 @@
argv[1] = "-c";
argv[2] = (char *)command;
argv[3] = NULL;
+#ifdef HAVE_LOGIN_CAP_H
+ execve(real_shell, argv, env);
+#else
execve(shell, argv, env);
+#endif /* HAVE_LOGIN_CAP_H */
perror(shell);
exit(1);
}
*** sshd.c.WAS Thu Jun 11 23:11:47 1998
--- sshd.c Thu Jun 11 23:30:30 1998
***************
*** 2014,2020 ****
pwcopy.pw_class = xstrdup(pw->pw_class);
pwcopy.pw_change = pw->pw_change;
pwcopy.pw_expire = pw->pw_expire;
! #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
pwcopy.pw_dir = xstrdup(pw->pw_dir);
pwcopy.pw_shell = xstrdup(pw->pw_shell);
pw = &pwcopy;
--- 2014,2020 ----
pwcopy.pw_class = xstrdup(pw->pw_class);
pwcopy.pw_change = pw->pw_change;
pwcopy.pw_expire = pw->pw_expire;
! #endif /* (__bsdi__ && _BSDI_VERSION >= 199510) || (__FreeBSD__ && HAVE_LOGIN_CAP_H) */
pwcopy.pw_dir = xstrdup(pw->pw_dir);
pwcopy.pw_shell = xstrdup(pw->pw_shell);
pw = &pwcopy;
***************
*** 3045,3054 ****
struct pty_cleanup_context cleanup_context;
#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
login_cap_t *lc;
#endif
! #if defined (__bsdi__) && _BSDI_VERSION >= 199510
struct timeval tp;
! #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
#ifdef HAVE_OSF1_C2_SECURITY
{
--- 3045,3055 ----
struct pty_cleanup_context cleanup_context;
#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
login_cap_t *lc;
+ time_t warnpassword, warnexpire;
#endif
! #if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
struct timeval tp;
! #endif /* __FreeBSD__ || (__bsdi__ && _BSDI_VERSION >= 199510) */
#ifdef HAVE_OSF1_C2_SECURITY
{
***************
*** 3183,3188 ****
--- 3184,3197 ----
"The Regents of the University of California. ",
"All rights reserved.");
}
+ #ifdef HAVE_LOGIN_CAP_H
+ #define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
+
+ warnpassword = login_getcaptime(lc, "warnpassword",
+ DEFAULT_WARN, DEFAULT_WARN);
+ warnexpire = login_getcaptime(lc, "warnexpire",
+ DEFAULT_WARN, DEFAULT_WARN);
+ #endif
#endif
/* Print /etc/motd unless a command was specified or printing it was
***************
*** 3206,3212 ****
fputs(line, stdout);
fclose(f);
}
! #if defined (__bsdi__) && _BSDI_VERSION >= 199510
if (pw->pw_change || pw->pw_expire)
(void)gettimeofday(&tp, (struct timezone *)NULL);
if (pw->pw_change)
--- 3215,3221 ----
fputs(line, stdout);
fclose(f);
}
! #if defined(__FreeBSD__) || (defined(__bsdi__) && _BSDI_VERSION >= 199510)
if (pw->pw_change || pw->pw_expire)
(void)gettimeofday(&tp, (struct timezone *)NULL);
if (pw->pw_change)
***************
*** 3575,3581 ****
while (fgets(buf, sizeof(buf), f))
fputs(buf, stderr);
fclose(f);
! #if defined (__bsdi__) && _BSDI_VERSION >= 199510
if (pw->pw_uid != UID_ROOT &&
!login_getcapbool(lc, "ignorenologin", 0))
exit(254);
--- 3584,3590 ----
while (fgets(buf, sizeof(buf), f))
fputs(buf, stderr);
fclose(f);
! #if (defined(__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
if (pw->pw_uid != UID_ROOT &&
!login_getcapbool(lc, "ignorenologin", 0))
exit(254);
***************
*** 4121,4127 ****
--- 4130,4140 ----
struct stat mailbuf;
if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0)
+ #ifdef __FreeBSD__
+ ;
+ #else
printf("No mail.\n");
+ #endif
else if (mailbuf.st_atime > mailbuf.st_mtime)
printf("You have mail.\n");
else

16
security/ssh/pkg-plist
View File

@ -1,23 +1,39 @@
etc/rc.d/sshd.sh
bin/scp
bin/scp1
bin/ssh
bin/ssh1
@exec ln -fs %f %B/slogin
@unexec rm -f %B/slogin
bin/ssh-add
bin/ssh-add1
bin/ssh-agent
bin/ssh-agent1
bin/ssh-askpass
bin/ssh-askpass1
bin/ssh-keygen
bin/ssh-keygen1
bin/make-ssh-known-hosts
bin/make-ssh-known-hosts1
etc/ssh_config
etc/sshd_config
man/man1/make-ssh-known-hosts.1.gz
man/man1/make-ssh-known-hosts1.1.gz
man/man1/scp.1.gz
man/man1/scp1.1.gz
man/man1/ssh-add.1.gz
man/man1/ssh-add1.1.gz
man/man1/ssh-agent.1.gz
man/man1/ssh-agent1.1.gz
man/man1/ssh-keygen.1.gz
man/man1/ssh-keygen1.1.gz
man/man1/ssh.1.gz
man/man1/ssh1.1.gz
@exec ln -fs %f %B/slogin.1.gz
@unexec rm -f %B/slogin.1.gz
@unexec rm -f %B/slogin1.1.gz
man/man8/sshd.8.gz
man/man8/sshd1.8.gz
sbin/sshd
sbin/sshd1
@exec if [ ! -f %D/etc/ssh_host_key ]; then echo "Generating a secret host key.." ; %D/bin/ssh-keygen -N "" -f %D/etc/ssh_host_key; fi

30
security/ssh2/Makefile
View File

@ -1,15 +1,15 @@
# New ports collection makefile for: ssh
# Version required: 1.2.22
# Version required: 1.2.25
# Date created: 30 Jul 1995
# Whom: torstenb@FreeBSD.ORG
#
# $Id: Makefile,v 1.53 1998/05/22 06:05:43 mph Exp $
# $Id: Makefile,v 1.54 1998/05/23 08:53:38 obrien Exp $
#
# Maximal ssh package requires YES values for
# USE_PERL, USE_TCPWRAP
#
DISTNAME= ssh-1.2.22
DISTNAME= ssh-1.2.25
CATEGORIES= security net
MASTER_SITES= ftp://ftp.funet.fi/pub/unix/security/login/ssh/
@ -32,10 +32,11 @@ MASTER_SITES= \
# Download by hand from http://www.cryptography.org/cgi-bin/crypto.cgi/ssh/
# and put in distfiles directory.
#
.if defined(FAST_DES_PATCHKIT) && ${FAST_DES_PATCHKIT} == YES
PATCHFILES=ssh-1.2.22-patchkit
PATCH_DIST_STRIP=-p1
.endif
# Disabled for now, since there's not such a patchkit for 1.2.25 version.
#.if defined(FAST_DES_PATCHKIT) && ${FAST_DES_PATCHKIT} == YES
#PATCHFILES=ssh-1.2.22-patchkit
#PATCH_DIST_STRIP=-p1
#.endif
RESTRICTED= "Crypto; export-controlled"
IS_INTERACTIVE= YES
@ -70,9 +71,9 @@ CONFIGURE_ARGS+= --with-secureid
CONFIGURE_ARGS+= --without-idea
.endif
MAN1= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 \
make-ssh-known-hosts.1
MAN8= sshd.8
MAN1= scp1.1 ssh-add1.1 ssh-agent1.1 ssh-keygen1.1 ssh1.1 \
make-ssh-known-hosts1.1
MAN8= sshd1.8
pre-patch:
@ -103,8 +104,17 @@ post-install:
${PREFIX}/bin/ssh-keygen -f ${PREFIX}/etc/ssh_host_key -N ""; \
fi
.if !defined(NOMANCOMPRESS)
for file in make-ssh-known-hosts scp ssh-add ssh-agent \
ssh-keygen ssh; do \
rm -f ${PREFIX}/man/man1/$${file}.1; \
ln -sf $${file}1.1.gz ${PREFIX}/man/man1/$${file}.1.gz; \
done
rm -f ${PREFIX}/man/man1/slogin.1
rm -f ${PREFIX}/man/man1/slogin1.1
rm -f ${PREFIX}/man/man8/sshd.8
ln -sf ssh.1.gz ${PREFIX}/man/man1/slogin.1.gz
ln -sf ssh1.1.gz ${PREFIX}/man/man1/slogin1.1.gz
ln -sf sshd1.8.gz ${PREFIX}/man/man8/sshd.8.gz
.endif
@if [ ! -f ${PREFIX}/etc/rc.d/sshd.sh ]; then \
echo "Installing ${PREFIX}/etc/rc.d/sshd.sh startup file."; \

2
security/ssh2/distinfo
View File

@ -1,3 +1,3 @@
MD5 (ssh-1.2.22.tar.gz) = 011f2b6d1935c59be0dae299db4ed7fa
MD5 (ssh-1.2.25.tar.gz) = f16c579f8d60d2f0eaabd3c30e46ca2c
MD5 (rsaref2.tar.gz) = 0b474c97bf1f1c0d27e5a95f1239c08d
MD5 (ssh-1.2.22-patchkit) = 5228897d59be91ad3ae88e992d61cd50

62
security/ssh2/files/patch-ac
View File

@ -1,7 +1,7 @@
*** Makefile.in.orig Tue Sep 16 01:59:13 1997
--- Makefile.in Tue Sep 16 02:06:08 1997
*** Makefile.in.orig Thu Jun 11 07:01:13 1998
--- Makefile.in Thu Jun 11 20:48:59 1998
***************
*** 259,270 ****
*** 287,298 ****
SHELL = /bin/sh
GMPDIR = gmp-2.0.2-ssh-2
@ -14,7 +14,7 @@
RSAREFDIR = rsaref2
RSAREFSRCDIR = $(RSAREFDIR)/source
--- 259,275 ----
--- 287,303 ----
SHELL = /bin/sh
GMPDIR = gmp-2.0.2-ssh-2
@ -33,7 +33,7 @@
RSAREFDIR = rsaref2
RSAREFSRCDIR = $(RSAREFDIR)/source
***************
*** 368,374 ****
*** 397,403 ****
$(CC) -o rfc-pg rfc-pg.o
.c.o:
@ -41,7 +41,7 @@
sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP)
-rm -f sshd
--- 373,379 ----
--- 402,408 ----
$(CC) -o rfc-pg rfc-pg.o
.c.o:
@ -50,7 +50,7 @@
sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP)
-rm -f sshd
***************
*** 411,429 ****
*** 440,458 ****
sed "s#&PERL&#$(PERL)#" <$(srcdir)/make-ssh-known-hosts.pl >make-ssh-known-hosts
chmod +x make-ssh-known-hosts
@ -70,7 +70,7 @@
$(RSAREFSRCDIR)/librsaref.a:
-if test '!' -d $(RSAREFDIR); then \
--- 416,434 ----
--- 445,463 ----
sed "s#&PERL&#$(PERL)#" <$(srcdir)/make-ssh-known-hosts.pl >make-ssh-known-hosts
chmod +x make-ssh-known-hosts
@ -91,24 +91,24 @@
$(RSAREFSRCDIR)/librsaref.a:
-if test '!' -d $(RSAREFDIR); then \
***************
*** 480,486 ****
*** 509,515 ****
# (otherwise it can only log in as the user it runs as, and must be
# bound to a non-privileged port). Also, password authentication may
# not be available if non-root and using shadow passwords.
! install: $(PROGRAMS) make-dirs generate-host-key install-configs
-rm -f $(install_prefix)$(bindir)/ssh.old
-mv $(install_prefix)$(bindir)/ssh $(install_prefix)$(bindir)/ssh.old
-chmod 755 $(install_prefix)$(bindir)/ssh.old
--- 485,491 ----
-rm -f $(install_prefix)$(bindir)/ssh1.old
-mv $(install_prefix)$(bindir)/ssh1 $(install_prefix)$(bindir)/ssh1.old
-chmod 755 $(install_prefix)$(bindir)/ssh1.old
--- 514,520 ----
# (otherwise it can only log in as the user it runs as, and must be
# bound to a non-privileged port). Also, password authentication may
# not be available if non-root and using shadow passwords.
! install: $(PROGRAMS) make-dirs install-configs
-rm -f $(install_prefix)$(bindir)/ssh.old
-mv $(install_prefix)$(bindir)/ssh $(install_prefix)$(bindir)/ssh.old
-chmod 755 $(install_prefix)$(bindir)/ssh.old
-rm -f $(install_prefix)$(bindir)/ssh1.old
-mv $(install_prefix)$(bindir)/ssh1 $(install_prefix)$(bindir)/ssh1.old
-chmod 755 $(install_prefix)$(bindir)/ssh1.old
***************
*** 589,603 ****
*** 665,679 ****
clean:
-rm -f *.o gmon.out *core $(PROGRAMS) rfc-pg
@ -122,9 +122,9 @@
! cd $(GMPDIR); $(MAKE) distclean
! cd $(ZLIBDIR); $(MAKE) distclean
dist: dist-free
dist: dist-commercial
--- 594,608 ----
--- 670,684 ----
clean:
-rm -f *.o gmon.out *core $(PROGRAMS) rfc-pg
@ -138,12 +138,12 @@
! # cd $(GMPDIR); $(MAKE) distclean
! # cd $(ZLIBDIR); $(MAKE) distclean
dist: dist-free
dist: dist-commercial
***************
*** 628,639 ****
#
#endif F_SECURE_COMMERCIAL
*** 702,713 ****
-mkdir $(DISTNAME)
cp $(DISTFILES) $(DISTNAME)
for i in $(DISTSRCS); do cp $(srcdir)/$$i $(DISTNAME); done
! (cd $(GMPDIR); make dist)
! gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - )
@ -152,11 +152,11 @@
! (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -)
! cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS
dist-free-make-tar:
tar pcf $(DISTNAME).tar $(DISTNAME)
--- 633,644 ----
#ifdef F_SECURE_COMMERCIAL
#
#endif F_SECURE_COMMERCIAL
--- 707,718 ----
-mkdir $(DISTNAME)
cp $(DISTFILES) $(DISTNAME)
for i in $(DISTSRCS); do cp $(srcdir)/$$i $(DISTNAME); done
! # (cd $(GMPDIR); make dist)
! # gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - )
@ -165,10 +165,10 @@
! # (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -)
! # cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS
dist-free-make-tar:
tar pcf $(DISTNAME).tar $(DISTNAME)
#ifdef F_SECURE_COMMERCIAL
#
***************
*** 656,662 ****
*** 735,741 ****
(echo "s/\.$$old_version\"/.$$new_version\"/g"; echo w; echo q) | ed $(srcdir)/version.h >/dev/null
depend:
@ -176,7 +176,7 @@
tags:
-rm -f TAGS
--- 661,667 ----
--- 740,746 ----
(echo "s/\.$$old_version\"/.$$new_version\"/g"; echo w; echo q) | ed $(srcdir)/version.h >/dev/null
depend:

502
security/ssh2/files/patch-af
View File

@ -1,394 +1,108 @@
--- sshd.c.orig Tue Jan 20 15:24:10 1998
+++ sshd.c Thu Jan 22 16:29:19 1998
@@ -428,6 +428,10 @@
#include "firewall.h" /* TIS authsrv authentication */
#endif
+#ifdef HAVE_LOGIN_CAP_H
+#include <login_cap.h>
+#endif
+
#ifdef _PATH_BSHELL
#define DEFAULT_SHELL _PATH_BSHELL
#else
@@ -1594,6 +1598,38 @@
endspent();
}
#endif /* HAVE_ETC_SHADOW */
+#ifdef __FreeBSD__
+ {
+ time_t currtime;
+
+ if (pwd->pw_change || pwd->pw_expire)
+ currtime = time(NULL);
+
+ /*
+ * Check for an expired password
+ */
+ if (pwd->pw_change && pwd->pw_change <= currtime)
+ {
+ debug("Account %.100s's password is too old - forced to change.",
+ user);
+ if (options.forced_passwd_change)
+ forced_command = "/usr/bin/passwd";
+ else
+ {
+ return 0;
+ }
+ }
+
+ /*
+ * Check for expired account
+ */
+ if (pwd->pw_expire && pwd->pw_expire <= currtime)
+ {
+ debug("Account %.100s has expired - access denied.", user);
+ return 0;
+ }
+ }
+#else /* !FreeBSD */
/*
* Check if account is locked. Check if encrypted password starts
* with "*LK*".
@@ -1605,6 +1641,7 @@
return 0;
}
}
+#endif /* !FreeBSD */
#ifdef CHECK_ETC_SHELLS
{
int invalid = 1;
@@ -1819,8 +1856,10 @@
pwcopy.pw_passwd = xstrdup(pw->pw_passwd);
pwcopy.pw_uid = pw->pw_uid;
pwcopy.pw_gid = pw->pw_gid;
-#if defined (__bsdi__) && _BSDI_VERSION >= 199510
+#if defined (HAVE_LOGIN_CAP_H) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
pwcopy.pw_class = xstrdup(pw->pw_class);
+#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
+#if defined (__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
pwcopy.pw_change = pw->pw_change;
pwcopy.pw_expire = pw->pw_expire;
#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
@@ -2793,9 +2832,13 @@
struct sockaddr_in from;
int fromlen;
struct pty_cleanup_context cleanup_context;
-#if defined (__bsdi__) && _BSDI_VERSION >= 199510
+#if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
struct timeval tp;
#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
+#ifdef HAVE_LOGIN_CAP_H
+ login_cap_t *lc;
+ time_t warnpassword, warnexpire;
+#endif
/* We no longer need the child running on user's privileges. */
userfile_uninit();
@@ -2867,10 +2910,18 @@
record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname,
&from);
+#ifdef HAVE_LOGIN_CAP_H
+ lc = login_getclass(pw->pw_class);
+ quiet_login = login_getcapbool(lc, "hushlogin", quiet_login);
+ if (!quiet_login) {
+#endif
/* Check if .hushlogin exists. Note that we cannot use userfile
here because we are in the child. */
sprintf(line, "%.200s/.hushlogin", pw->pw_dir);
quiet_login = stat(line, &st) >= 0;
+#ifdef HAVE_LOGIN_CAP_H
+ }
+#endif
/* If the user has logged in before, display the time of last login.
However, don't display anything extra if a command has been
@@ -2890,6 +2941,38 @@
else
printf("Last login: %s from %s\r\n", time_string, buf);
}
+#ifdef __FreeBSD__
+ if (command == NULL && !quiet_login)
+ {
+#ifdef HAVE_LOGIN_CAP_H
+ char *cw;
+ FILE *f;
+
+ cw = login_getcapstr(lc, "copyright", NULL, NULL);
+ if (cw != NULL && (f = fopen(cw, "r")) != NULL)
+ {
+ while (fgets(line, sizeof(line), f))
+ fputs(line, stdout);
+ fclose(f);
+ }
+ else
+#endif
+ printf("%s\n\t%s %s\n\n",
+ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
+ "The Regents of the University of California. ",
+ "All rights reserved.");
+ }
+#endif
+
+#ifdef HAVE_LOGIN_CAP_H
+#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
+
+ warnpassword = login_getcaptime(lc, "warnpassword",
+ DEFAULT_WARN, DEFAULT_WARN);
+ warnexpire = login_getcaptime(lc, "warnexpire",
+ DEFAULT_WARN, DEFAULT_WARN);
+ login_close(lc);
+#endif
/* Print /etc/motd unless a command was specified or printing it was
disabled in server options. Note that some machines appear to
@@ -2900,14 +2983,18 @@
FILE *f;
/* Print /etc/motd if it exists. */
- f = fopen("/etc/motd", "r");
+#ifdef HAVE_LOGIN_CAP_H
+ f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", "/etc/motd"), "r");
+#else
+ f = fopen("/etc/motd", "r");
+#endif
if (f)
{
while (fgets(line, sizeof(line), f))
fputs(line, stdout);
fclose(f);
}
-#if defined (__bsdi__) && _BSDI_VERSION >= 199510
+#if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
if (pw->pw_change || pw->pw_expire)
(void)gettimeofday(&tp, (struct timezone *)NULL);
if (pw->pw_change)
@@ -2915,7 +3002,11 @@
fprintf(stderr,"Sorry -- your password has expired.\n");
exit(254);
} else if (pw->pw_change - tp.tv_sec <
+#ifdef HAVE_LOGIN_CAP_H
+ warnpassword)
+#else
2 * DAYSPERWEEK * SECSPERDAY)
+#endif
fprintf(stderr,"Warning: your password expires on %s",
ctime(&pw->pw_change));
if (pw->pw_expire)
@@ -2923,7 +3014,11 @@
fprintf(stderr,"Sorry -- your account has expired.\n");
exit(254);
} else if (pw->pw_expire - tp.tv_sec <
+#ifdef HAVE_LOGIN_CAP_H
+ warnexpire)
+#else
2 * DAYSPERWEEK * SECSPERDAY)
+#endif
fprintf(stderr,"Warning: your account expires on %s",
ctime(&pw->pw_expire));
#endif /* __bsdi__ & _BSDI_VERSION >= 199510 */
@@ -3182,6 +3277,13 @@
#if defined (__bsdi__) && _BSDI_VERSION >= 199510
login_cap_t *lc = 0;
#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
+#ifdef HAVE_LOGIN_CAP_H
+ login_cap_t *lc;
+ char *real_shell;
+
+ lc = login_getclass(pw->pw_class);
+ auth_checknologin(lc);
+#else /* !HAVE_LOGIN_CAP_H */
/* Check /etc/nologin. */
f = fopen("/etc/nologin", "r");
@@ -3199,10 +3301,16 @@
if (pw->pw_uid != UID_ROOT && !login_getcapbool(lc, "ignorenologin", 0))
exit(254);
#else
+#ifdef HAVE_LOGIN_CAP_H
+ if (pw->pw_uid != UID_ROOT && !login_getcapbool(lc, "ignorenologin", 0))
+ exit(254);
+#else
if (pw->pw_uid != UID_ROOT)
exit(254);
+#endif
#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
}
+#endif /* HAVE_LOGIN_CAP_H */
if (command != NULL)
{
@@ -3216,6 +3324,7 @@
log_msg("executing remote command as user %.200s", pw->pw_name);
}
+#ifndef HAVE_LOGIN_CAP_H
#ifdef HAVE_SETLOGIN
/* Set login name in the kernel. Warning: setsid() must be called before
this. */
@@ -3236,6 +3345,7 @@
if (setpcred((char *)pw->pw_name, NULL))
log_msg("setpcred %.100s: %.100s", strerror(errno));
#endif /* HAVE_USERSEC_H */
+#endif /* !HAVE_LOGIN_CAP_H */
/* Save some data that will be needed so that we can do certain cleanups
before we switch to user's uid. (We must clear all sensitive data
@@ -3306,6 +3416,66 @@
if (command != NULL || !options.use_login)
#endif /* USELOGIN */
{
+#ifdef HAVE_LOGIN_CAP_H
+ char *p, *s, **tmpenv;
+
+ /* Initialize the new environment.
+ */
+ envsize = 64;
+ env = xmalloc(envsize * sizeof(char *));
+ env[0] = NULL;
+
+ child_set_env(&env, &envsize, "PATH", DEFAULT_PATH);
+
+#ifdef MAIL_SPOOL_DIRECTORY
+ sprintf(buf, "%.200s/%.50s", MAIL_SPOOL_DIRECTORY, user_name);
+ child_set_env(&env, &envsize, "MAIL", buf);
+#else /* MAIL_SPOOL_DIRECTORY */
+#ifdef MAIL_SPOOL_FILE
+ sprintf(buf, "%.200s/%.50s", user_dir, MAIL_SPOOL_FILE);
+ child_set_env(&env, &envsize, "MAIL", buf);
+#endif /* MAIL_SPOOL_FILE */
+#endif /* MAIL_SPOOL_DIRECTORY */
+
+ /* Let it inherit timezone if we have one. */
+ if (getenv("TZ"))
+ child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+
+ /* Save previous environment array
+ */
+ tmpenv = environ;
+ environ = env;
+
+ /* Set the user's login environment
+ */
+ if (setusercontext(lc, pw, user_uid, LOGIN_SETALL) < 0)
+ {
+ perror("setusercontext");
+ exit(1);
+ }
+
+ p = getenv("PATH");
+ s = xmalloc((p != NULL ? strlen(p) + 1 : 0) + sizeof(SSH_BINDIR));
+ *s = '\0';
+ if (p != NULL)
+ {
+ strcat(s, p);
+ strcat(s, ":");
+ }
+ strcat(s, SSH_BINDIR);
+
+ env = environ;
+ environ = tmpenv; /* Restore parent environment */
+ for (envsize = 0; env[envsize] != NULL; ++envsize)
+ ;
+ /* Reallocate this to what is expected */
+ envsize = (envsize < 100) ? 100 : envsize + 16;
+ env = xrealloc(env, envsize * sizeof(char *));
+
+ child_set_env(&env, &envsize, "PATH", s);
+ xfree(s);
+
+#else /* !HAVE_LOGIN_CAP_H */
/* Set uid, gid, and groups. */
if (getuid() == UID_ROOT || geteuid() == UID_ROOT)
{
@@ -3337,6 +3507,7 @@
if (getuid() != user_uid || geteuid() != user_uid)
fatal("Failed to set uids to %d.", (int)user_uid);
+#endif /* HAVE_LOGIN_CAP_H */
}
/* Reset signals to their default settings before starting the user
@@ -3364,11 +3535,16 @@
and means /bin/sh. */
shell = (user_shell[0] == '\0') ? DEFAULT_SHELL : user_shell;
+#ifdef HAVE_LOGIN_CAP_H
+ real_shell = login_getcapstr(lc, "shell", (char*)shell, (char*)shell);
+ login_close(lc);
+#else /* !HAVE_LOGIN_CAP_H */
/* Initialize the environment. In the first part we allocate space for
all environment variables. */
envsize = 100;
env = xmalloc(envsize * sizeof(char *));
env[0] = NULL;
+#endif /* HAVE_LOGIN_CAP_H */
#ifdef USELOGIN
if (command != NULL || !options.use_login)
@@ -3378,6 +3554,8 @@
child_set_env(&env, &envsize, "HOME", user_dir);
child_set_env(&env, &envsize, "USER", user_name);
child_set_env(&env, &envsize, "LOGNAME", user_name);
+
+#ifndef HAVE_LOGIN_CAP_H
child_set_env(&env, &envsize, "PATH", DEFAULT_PATH ":" SSH_BINDIR);
#ifdef MAIL_SPOOL_DIRECTORY
@@ -3389,6 +3567,7 @@
child_set_env(&env, &envsize, "MAIL", buf);
#endif /* MAIL_SPOOL_FILE */
#endif /* MAIL_SPOOL_DIRECTORY */
+#endif /* !HAVE_LOGIN_CAP_H */
#ifdef HAVE_ETC_DEFAULT_LOGIN
/* Read /etc/default/login; this exists at least on Solaris 2.x. Note
@@ -3404,9 +3583,11 @@
child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
original_command);
+#ifndef HAVE_LOGIN_CAP_H
/* Let it inherit timezone if we have one. */
if (getenv("TZ"))
child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+#endif /* !HAVE_LOGIN_CAP_H */
/* Set custom environment options from RSA authentication. */
while (custom_environment)
@@ -3632,7 +3813,11 @@
struct stat mailbuf;
if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0)
+#ifdef __FreeBSD__
+ ;
+#else
printf("No mail.\n");
+#endif
else if (mailbuf.st_atime > mailbuf.st_mtime)
printf("You have mail.\n");
else
@@ -3647,7 +3832,11 @@
/* Execute the shell. */
argv[0] = buf;
argv[1] = NULL;
+#ifdef HAVE_LOGIN_CAP_H
+ execve(real_shell, argv, env);
+#else
execve(shell, argv, env);
+#endif /* HAVE_LOGIN_CAP_H */
/* Executing the shell failed. */
perror(shell);
exit(1);
@@ -3668,7 +3857,11 @@
argv[1] = "-c";
argv[2] = (char *)command;
argv[3] = NULL;
+#ifdef HAVE_LOGIN_CAP_H
+ execve(real_shell, argv, env);
+#else
execve(shell, argv, env);
+#endif /* HAVE_LOGIN_CAP_H */
perror(shell);
exit(1);
}
*** sshd.c.WAS Thu Jun 11 23:11:47 1998
--- sshd.c Thu Jun 11 23:30:30 1998
***************
*** 2014,2020 ****
pwcopy.pw_class = xstrdup(pw->pw_class);
pwcopy.pw_change = pw->pw_change;
pwcopy.pw_expire = pw->pw_expire;
! #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
pwcopy.pw_dir = xstrdup(pw->pw_dir);
pwcopy.pw_shell = xstrdup(pw->pw_shell);
pw = &pwcopy;
--- 2014,2020 ----
pwcopy.pw_class = xstrdup(pw->pw_class);
pwcopy.pw_change = pw->pw_change;
pwcopy.pw_expire = pw->pw_expire;
! #endif /* (__bsdi__ && _BSDI_VERSION >= 199510) || (__FreeBSD__ && HAVE_LOGIN_CAP_H) */
pwcopy.pw_dir = xstrdup(pw->pw_dir);
pwcopy.pw_shell = xstrdup(pw->pw_shell);
pw = &pwcopy;
***************
*** 3045,3054 ****
struct pty_cleanup_context cleanup_context;
#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
login_cap_t *lc;
#endif
! #if defined (__bsdi__) && _BSDI_VERSION >= 199510
struct timeval tp;
! #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
#ifdef HAVE_OSF1_C2_SECURITY
{
--- 3045,3055 ----
struct pty_cleanup_context cleanup_context;
#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
login_cap_t *lc;
+ time_t warnpassword, warnexpire;
#endif
! #if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
struct timeval tp;
! #endif /* __FreeBSD__ || (__bsdi__ && _BSDI_VERSION >= 199510) */
#ifdef HAVE_OSF1_C2_SECURITY
{
***************
*** 3183,3188 ****
--- 3184,3197 ----
"The Regents of the University of California. ",
"All rights reserved.");
}
+ #ifdef HAVE_LOGIN_CAP_H
+ #define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
+
+ warnpassword = login_getcaptime(lc, "warnpassword",
+ DEFAULT_WARN, DEFAULT_WARN);
+ warnexpire = login_getcaptime(lc, "warnexpire",
+ DEFAULT_WARN, DEFAULT_WARN);
+ #endif
#endif
/* Print /etc/motd unless a command was specified or printing it was
***************
*** 3206,3212 ****
fputs(line, stdout);
fclose(f);
}
! #if defined (__bsdi__) && _BSDI_VERSION >= 199510
if (pw->pw_change || pw->pw_expire)
(void)gettimeofday(&tp, (struct timezone *)NULL);
if (pw->pw_change)
--- 3215,3221 ----
fputs(line, stdout);
fclose(f);
}
! #if defined(__FreeBSD__) || (defined(__bsdi__) && _BSDI_VERSION >= 199510)
if (pw->pw_change || pw->pw_expire)
(void)gettimeofday(&tp, (struct timezone *)NULL);
if (pw->pw_change)
***************
*** 3575,3581 ****
while (fgets(buf, sizeof(buf), f))
fputs(buf, stderr);
fclose(f);
! #if defined (__bsdi__) && _BSDI_VERSION >= 199510
if (pw->pw_uid != UID_ROOT &&
!login_getcapbool(lc, "ignorenologin", 0))
exit(254);
--- 3584,3590 ----
while (fgets(buf, sizeof(buf), f))
fputs(buf, stderr);
fclose(f);
! #if (defined(__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
if (pw->pw_uid != UID_ROOT &&
!login_getcapbool(lc, "ignorenologin", 0))
exit(254);
***************
*** 4121,4127 ****
--- 4130,4140 ----
struct stat mailbuf;
if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0)
+ #ifdef __FreeBSD__
+ ;
+ #else
printf("No mail.\n");
+ #endif
else if (mailbuf.st_atime > mailbuf.st_mtime)
printf("You have mail.\n");
else

16
security/ssh2/pkg-plist
View File

@ -1,23 +1,39 @@
etc/rc.d/sshd.sh
bin/scp
bin/scp1
bin/ssh
bin/ssh1
@exec ln -fs %f %B/slogin
@unexec rm -f %B/slogin
bin/ssh-add
bin/ssh-add1
bin/ssh-agent
bin/ssh-agent1
bin/ssh-askpass
bin/ssh-askpass1
bin/ssh-keygen
bin/ssh-keygen1
bin/make-ssh-known-hosts
bin/make-ssh-known-hosts1
etc/ssh_config
etc/sshd_config
man/man1/make-ssh-known-hosts.1.gz
man/man1/make-ssh-known-hosts1.1.gz
man/man1/scp.1.gz
man/man1/scp1.1.gz
man/man1/ssh-add.1.gz
man/man1/ssh-add1.1.gz
man/man1/ssh-agent.1.gz
man/man1/ssh-agent1.1.gz
man/man1/ssh-keygen.1.gz
man/man1/ssh-keygen1.1.gz
man/man1/ssh.1.gz
man/man1/ssh1.1.gz
@exec ln -fs %f %B/slogin.1.gz
@unexec rm -f %B/slogin.1.gz
@unexec rm -f %B/slogin1.1.gz
man/man8/sshd.8.gz
man/man8/sshd1.8.gz
sbin/sshd
sbin/sshd1
@exec if [ ! -f %D/etc/ssh_host_key ]; then echo "Generating a secret host key.." ; %D/bin/ssh-keygen -N "" -f %D/etc/ssh_host_key; fi