
- update to 3.7.1p2

more regression tests successful
This commit is contained in:
Dirk Meyer 2003-09-26 18:13:52 +00:00
parent 7d8d6a565e
commit 67cde0f8e7
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=89470
48 changed files with 168 additions and 2852 deletions


@ -6,8 +6,7 @@
#
PORTNAME= openssh
PORTVERSION= 3.6.1p2
PORTREVISION= 5
PORTVERSION= 3.7.1p2
CATEGORIES= security ipv6
MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
ftp://carroll.cac.psu.edu/pub/OpenBSD/OpenSSH/portable/
@ -31,7 +30,6 @@ PRECIOUS= ssh_config sshd_config \
ssh_host_rsa_key ssh_host_rsa_key.pub \
ssh_host_dsa_key ssh_host_dsa_key.pub
ETCOLD= ${PREFIX}/etc
ADDME+= auth2-pam-freebsd.c
.if exists(/usr/include/security/pam_modules.h)
CONFIGURE_ARGS+= --with-pam
@ -74,11 +72,6 @@ CONFIGURE_ARGS+= --with-privsep-path=${EMPTYDIR}
EXTRA_PATCHES+= ${FILESDIR}/batch.patch
.endif
post-extract:
.for i in ${ADDME}
@${CP} ${FILESDIR}/${i} ${WRKSRC}/
.endfor
.if defined(KRB5_HOME) && exists(${KRB5_HOME})
PKGNAMESUFFIX= -gssapi
GSSAPI_PATCH= ${PORTNAME}-3.6.1p2-gssapi-20030430.diff
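Review bot: `GSSAPI_PATCH= ${PORTNAME}-3.6.1p2-gssapi-20030430.diff` is left as context while PORTVERSION moves to 3.7.1p2, so the -gssapi flavour still names a patch generated against the previous release, and the distinfo section likewise keeps only the 3.6.1p2 gssapi MD5. Whether that diff still applies cleanly to the 3.7.1p2 tree cannot be seen from this hunk; if it was not re-verified, either refresh the patch and its checksum or make the KRB5_HOME branch fail early, e.g. `BROKEN= GSSAPI patch not yet updated for 3.7.1p2`. The KRB5_HOME block continues outside the hunk.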


@ -1,2 +1,2 @@
MD5 (openssh-3.6.1p2.tar.gz) = f3879270bffe479e1bd057aa36258696
MD5 (openssh-3.7.1p2.tar.gz) = 61cf5b059938718308836d00f6764a94
MD5 (openssh-3.6.1p2-gssapi-20030430.diff) = 520e15f541398efed2763aaf8ac08e6a


@ -1,626 +0,0 @@
/*-
* Copyright (c) 2002 Networks Associates Technology, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project by ThinkSec AS and
* NAI Labs, the Security Research Division of Network Associates, Inc.
* under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
* DARPA CHATS research program.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "includes.h"
RCSID("$FreeBSD: /tmp/pcvs/ports/security/hpn-ssh/files/Attic/auth2-pam-freebsd.c,v 1.5 2003-09-26 02:42:39 dinoex Exp $");
#ifdef USE_PAM
#include <security/pam_appl.h>
#include "auth.h"
#include "auth-pam.h"
#include "buffer.h"
#include "bufaux.h"
#include "canohost.h"
#include "log.h"
#include "monitor_wrap.h"
#include "msg.h"
#include "packet.h"
#include "readpass.h"
#include "servconf.h"
#include "ssh2.h"
#include "xmalloc.h"
#ifdef USE_POSIX_THREADS
#include <pthread.h>
#else
/*
* Simulate threads with processes.
*/
typedef pid_t pthread_t;
static void
pthread_exit(void *value __unused)
{
_exit(0);
}
static int
pthread_create(pthread_t *thread, const void *attr __unused,
void *(*thread_start)(void *), void *arg)
{
pid_t pid;
switch ((pid = fork())) {
case -1:
error("fork(): %s", strerror(errno));
return (-1);
case 0:
thread_start(arg);
_exit(1);
default:
*thread = pid;
return (0);
}
}
static int
pthread_cancel(pthread_t thread)
{
return (kill(thread, SIGTERM));
}
static int
pthread_join(pthread_t thread, void **value __unused)
{
int status;
waitpid(thread, &status, 0);
return (status);
}
#endif
static pam_handle_t *pam_handle;
static int pam_err;
static int pam_authenticated;
static int pam_new_authtok_reqd;
static int pam_session_open;
static int pam_cred_established;
struct pam_ctxt {
pthread_t pam_thread;
int pam_psock;
int pam_csock;
int pam_done;
};
static void pam_free_ctx(void *);
/*
* Conversation function for authentication thread.
*/
static int
pam_thread_conv(int n,
const struct pam_message **msg,
struct pam_response **resp,
void *data)
{
Buffer buffer;
struct pam_ctxt *ctxt;
int i;
ctxt = data;
if (n <= 0 || n > PAM_MAX_NUM_MSG)
return (PAM_CONV_ERR);
*resp = xmalloc(n * sizeof **resp);
buffer_init(&buffer);
for (i = 0; i < n; ++i) {
(*resp)[i].resp_retcode = 0;
(*resp)[i].resp = NULL;
switch (msg[i]->msg_style) {
case PAM_PROMPT_ECHO_OFF:
buffer_put_cstring(&buffer, msg[i]->msg);
ssh_msg_send(ctxt->pam_csock, msg[i]->msg_style, &buffer);
ssh_msg_recv(ctxt->pam_csock, &buffer);
if (buffer_get_char(&buffer) != PAM_AUTHTOK)
goto fail;
(*resp)[i].resp = buffer_get_string(&buffer, NULL);
break;
case PAM_PROMPT_ECHO_ON:
buffer_put_cstring(&buffer, msg[i]->msg);
ssh_msg_send(ctxt->pam_csock, msg[i]->msg_style, &buffer);
ssh_msg_recv(ctxt->pam_csock, &buffer);
if (buffer_get_char(&buffer) != PAM_AUTHTOK)
goto fail;
(*resp)[i].resp = buffer_get_string(&buffer, NULL);
break;
case PAM_ERROR_MSG:
buffer_put_cstring(&buffer, msg[i]->msg);
ssh_msg_send(ctxt->pam_csock, msg[i]->msg_style, &buffer);
break;
case PAM_TEXT_INFO:
buffer_put_cstring(&buffer, msg[i]->msg);
ssh_msg_send(ctxt->pam_csock, msg[i]->msg_style, &buffer);
break;
default:
goto fail;
}
buffer_clear(&buffer);
}
buffer_free(&buffer);
return (PAM_SUCCESS);
fail:
xfree(*resp);
*resp = NULL;
buffer_free(&buffer);
return (PAM_CONV_ERR);
}
/*
* Authentication thread.
*/
static void *
pam_thread(void *ctxtp)
{
struct pam_ctxt *ctxt = ctxtp;
Buffer buffer;
struct pam_conv pam_conv = { pam_thread_conv, ctxt };
#ifndef USE_POSIX_THREADS
{
const char *pam_user;
pam_get_item(pam_handle, PAM_USER, (const void **)&pam_user);
setproctitle("%s [pam]", pam_user);
}
#endif
buffer_init(&buffer);
pam_err = pam_set_item(pam_handle, PAM_CONV, (const void *)&pam_conv);
if (pam_err != PAM_SUCCESS)
goto auth_fail;
pam_err = pam_authenticate(pam_handle, 0);
if (pam_err != PAM_SUCCESS)
goto auth_fail;
pam_err = pam_acct_mgmt(pam_handle, 0);
if (pam_err != PAM_SUCCESS && pam_err != PAM_NEW_AUTHTOK_REQD)
goto auth_fail;
buffer_put_cstring(&buffer, "OK");
ssh_msg_send(ctxt->pam_csock, pam_err, &buffer);
buffer_free(&buffer);
pthread_exit(NULL);
auth_fail:
buffer_put_cstring(&buffer,
pam_strerror(pam_handle, pam_err));
ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
buffer_free(&buffer);
pthread_exit(NULL);
}
static void
pam_thread_cleanup(void *ctxtp)
{
struct pam_ctxt *ctxt = ctxtp;
pthread_cancel(ctxt->pam_thread);
pthread_join(ctxt->pam_thread, NULL);
close(ctxt->pam_psock);
close(ctxt->pam_csock);
}
static int
pam_null_conv(int n,
const struct pam_message **msg,
struct pam_response **resp,
void *data)
{
return (PAM_CONV_ERR);
}
static struct pam_conv null_conv = { pam_null_conv, NULL };
static void
pam_cleanup(void *arg)
{
(void)arg;
debug("PAM: cleanup");
pam_set_item(pam_handle, PAM_CONV, (const void *)&null_conv);
if (pam_cred_established) {
pam_setcred(pam_handle, PAM_DELETE_CRED);
pam_cred_established = 0;
}
if (pam_session_open) {
pam_close_session(pam_handle, PAM_SILENT);
pam_session_open = 0;
}
pam_authenticated = pam_new_authtok_reqd = 0;
pam_end(pam_handle, pam_err);
pam_handle = NULL;
}
static int
pam_init(const char *user)
{
extern ServerOptions options;
extern u_int utmp_len;
const char *pam_rhost, *pam_user;
if (pam_handle != NULL) {
/* We already have a PAM context; check if the user matches */
pam_err = pam_get_item(pam_handle,
PAM_USER, (const void **)&pam_user);
if (pam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0)
return (0);
fatal_remove_cleanup(pam_cleanup, NULL);
pam_end(pam_handle, pam_err);
pam_handle = NULL;
}
debug("PAM: initializing for \"%s\"", user);
pam_err = pam_start("sshd", user, &null_conv, &pam_handle);
if (pam_err != PAM_SUCCESS)
return (-1);
pam_rhost = get_remote_name_or_ip(utmp_len,
options.verify_reverse_mapping);
debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
pam_err = pam_set_item(pam_handle, PAM_RHOST, pam_rhost);
if (pam_err != PAM_SUCCESS) {
pam_end(pam_handle, pam_err);
pam_handle = NULL;
return (-1);
}
fatal_add_cleanup(pam_cleanup, NULL);
return (0);
}
static void *
pam_init_ctx(Authctxt *authctxt)
{
struct pam_ctxt *ctxt;
int socks[2];
/* Initialize PAM */
if (pam_init(authctxt->user) == -1) {
error("PAM: initialization failed");
return (NULL);
}
ctxt = xmalloc(sizeof *ctxt);
ctxt->pam_done = 0;
/* Start the authentication thread */
if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
error("PAM: failed create sockets: %s", strerror(errno));
xfree(ctxt);
return (NULL);
}
ctxt->pam_psock = socks[0];
ctxt->pam_csock = socks[1];
if (pthread_create(&ctxt->pam_thread, NULL, pam_thread, ctxt) == -1) {
error("PAM: failed to start authentication thread: %s",
strerror(errno));
close(socks[0]);
close(socks[1]);
xfree(ctxt);
return (NULL);
}
fatal_add_cleanup(pam_thread_cleanup, ctxt);
return (ctxt);
}
static int
pam_query(void *ctx, char **name, char **info,
u_int *num, char ***prompts, u_int **echo_on)
{
Buffer buffer;
struct pam_ctxt *ctxt = ctx;
size_t plen;
u_char type;
char *msg;
buffer_init(&buffer);
*name = xstrdup("");
*info = xstrdup("");
*prompts = xmalloc(sizeof(char *));
**prompts = NULL;
plen = 0;
*echo_on = xmalloc(sizeof(u_int));
while (ssh_msg_recv(ctxt->pam_psock, &buffer) == 0) {
type = buffer_get_char(&buffer);
msg = buffer_get_string(&buffer, NULL);
switch (type) {
case PAM_PROMPT_ECHO_ON:
case PAM_PROMPT_ECHO_OFF:
*num = 1;
**prompts = xrealloc(**prompts, plen + strlen(msg) + 1);
plen += sprintf(**prompts + plen, "%s", msg);
**echo_on = (type == PAM_PROMPT_ECHO_ON);
xfree(msg);
return (0);
case PAM_ERROR_MSG:
case PAM_TEXT_INFO:
/* accumulate messages */
**prompts = xrealloc(**prompts, plen + strlen(msg) + 1);
plen += sprintf(**prompts + plen, "%s", msg);
xfree(msg);
break;
case PAM_NEW_AUTHTOK_REQD:
pam_new_authtok_reqd = 1;
/* FALLTHROUGH */
case PAM_SUCCESS:
case PAM_AUTH_ERR:
if (**prompts != NULL) {
/* drain any accumulated messages */
#if 0 /* not compatible with privsep */
packet_start(SSH2_MSG_USERAUTH_BANNER);
packet_put_cstring(**prompts);
packet_put_cstring("");
packet_send();
packet_write_wait();
#endif
xfree(**prompts);
**prompts = NULL;
}
if (type == PAM_SUCCESS) {
*num = 0;
**echo_on = 0;
ctxt->pam_done = 1;
xfree(msg);
return (0);
}
error("PAM: %s", msg);
default:
*num = 0;
**echo_on = 0;
xfree(msg);
ctxt->pam_done = -1;
return (-1);
}
}
return (-1);
}
static int
pam_respond(void *ctx, u_int num, char **resp)
{
Buffer buffer;
struct pam_ctxt *ctxt = ctx;
char *msg;
debug2("PAM: %s", __func__);
switch (ctxt->pam_done) {
case 1:
pam_authenticated = 1;
return (0);
case 0:
break;
default:
return (-1);
}
if (num != 1) {
error("PAM: expected one response, got %u", num);
return (-1);
}
buffer_init(&buffer);
buffer_put_cstring(&buffer, *resp);
ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer);
buffer_free(&buffer);
return (1);
}
static void
pam_free_ctx(void *ctxtp)
{
struct pam_ctxt *ctxt = ctxtp;
fatal_remove_cleanup(pam_thread_cleanup, ctxt);
pam_thread_cleanup(ctxtp);
xfree(ctxt);
/*
* We don't call pam_cleanup() here because we may need the PAM
* handle at a later stage, e.g. when setting up a session. It's
* still on the cleanup list, so pam_end() *will* be called before
* the server process terminates.
*/
}
KbdintDevice pam_device = {
"pam",
pam_init_ctx,
pam_query,
pam_respond,
pam_free_ctx
};
KbdintDevice mm_pam_device = {
"pam",
mm_pam_init_ctx,
mm_pam_query,
mm_pam_respond,
mm_pam_free_ctx
};
/*
* This replaces auth-pam.c
*/
void
start_pam(const char *user)
{
if (pam_init(user) == -1)
fatal("PAM: initialisation failed");
}
void
finish_pam(void)
{
fatal_remove_cleanup(pam_cleanup, NULL);
pam_cleanup(NULL);
}
int
do_pam_account(const char *user, const char *ruser)
{
/* XXX */
return (1);
}
void
do_pam_session(const char *user, const char *tty)
{
pam_err = pam_set_item(pam_handle, PAM_CONV, (const void *)&null_conv);
if (pam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(pam_handle, pam_err));
debug("PAM: setting PAM_TTY to \"%s\"", tty);
pam_err = pam_set_item(pam_handle, PAM_TTY, tty);
if (pam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_TTY: %s",
pam_strerror(pam_handle, pam_err));
pam_err = pam_open_session(pam_handle, 0);
if (pam_err != PAM_SUCCESS)
fatal("PAM: pam_open_session(): %s",
pam_strerror(pam_handle, pam_err));
pam_session_open = 1;
}
void
do_pam_setcred(int init)
{
pam_err = pam_set_item(pam_handle, PAM_CONV, (const void *)&null_conv);
if (pam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(pam_handle, pam_err));
if (init) {
debug("PAM: establishing credentials");
pam_err = pam_setcred(pam_handle, PAM_ESTABLISH_CRED);
} else {
debug("PAM: reinitializing credentials");
pam_err = pam_setcred(pam_handle, PAM_REINITIALIZE_CRED);
}
if (pam_err == PAM_SUCCESS) {
pam_cred_established = 1;
return;
}
if (pam_authenticated)
fatal("PAM: pam_setcred(): %s",
pam_strerror(pam_handle, pam_err));
else
debug("PAM: pam_setcred(): %s",
pam_strerror(pam_handle, pam_err));
}
int
is_pam_password_change_required(void)
{
return (pam_new_authtok_reqd);
}
static int
pam_chauthtok_conv(int n,
const struct pam_message **msg,
struct pam_response **resp,
void *data)
{
char input[PAM_MAX_MSG_SIZE];
int i;
if (n <= 0 || n > PAM_MAX_NUM_MSG)
return (PAM_CONV_ERR);
*resp = xmalloc(n * sizeof **resp);
for (i = 0; i < n; ++i) {
switch (msg[i]->msg_style) {
case PAM_PROMPT_ECHO_OFF:
(*resp)[i].resp =
read_passphrase(msg[i]->msg, RP_ALLOW_STDIN);
(*resp)[i].resp_retcode = PAM_SUCCESS;
break;
case PAM_PROMPT_ECHO_ON:
fputs(msg[i]->msg, stderr);
fgets(input, sizeof input, stdin);
(*resp)[i].resp = xstrdup(input);
(*resp)[i].resp_retcode = PAM_SUCCESS;
break;
case PAM_ERROR_MSG:
case PAM_TEXT_INFO:
fputs(msg[i]->msg, stderr);
(*resp)[i].resp_retcode = PAM_SUCCESS;
break;
default:
goto fail;
}
}
return (PAM_SUCCESS);
fail:
xfree(*resp);
*resp = NULL;
return (PAM_CONV_ERR);
}
/*
* XXX this should be done in the authentication phase, but ssh1 doesn't
* support that
*/
void
do_pam_chauthtok(void)
{
struct pam_conv pam_conv = { pam_chauthtok_conv, NULL };
if (use_privsep)
fatal("PAM: chauthtok not supprted with privsep");
pam_err = pam_set_item(pam_handle, PAM_CONV, (const void *)&pam_conv);
if (pam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(pam_handle, pam_err));
debug("PAM: changing password");
pam_err = pam_chauthtok(pam_handle, PAM_CHANGE_EXPIRED_AUTHTOK);
if (pam_err != PAM_SUCCESS)
fatal("PAM: pam_chauthtok(): %s",
pam_strerror(pam_handle, pam_err));
}
void
print_pam_messages(void)
{
/* XXX */
}
char **
fetch_pam_environment(void)
{
#ifdef HAVE_PAM_GETENVLIST
debug("PAM: retrieving environment");
return (pam_getenvlist(pam_handle));
#else
return (NULL);
#endif
}
void
free_pam_environment(char **env)
{
char **envp;
for (envp = env; *envp; envp++)
xfree(*envp);
xfree(env);
}
#endif /* USE_PAM */


@ -1,11 +0,0 @@
--- Makefile.in.orig Wed Jun 26 01:45:42 2002
+++ Makefile.in Mon Jul 22 07:24:41 2002
@@ -70,6 +70,8 @@
MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
MANTYPE = @MANTYPE@
+SSHDOBJS+= auth2-pam-freebsd.o
+
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
CONFIGFILES_IN=sshd_config ssh_config moduli


@ -1,36 +0,0 @@
--- auth-chall.c Tue Jun 5 20:56:17 2001
+++ cvs-current/auth-chall.c Wed Sep 24 20:24:27 2003
@@ -76,7 +77,33 @@
return 0;
resp[0] = (char *)response;
res = device->respond(authctxt->kbdintctxt, 1, resp);
+ if (res == 1) {
+ /* postponed - send a null query just in case */
+ char *name, *info, **prompts;
+ u_int i, numprompts, *echo_on;
+
+ res = device->query(authctxt->kbdintctxt, &name, &info,
+ &numprompts, &prompts, &echo_on);
+ if (res == 0) {
+ for (i = 0; i < numprompts; i++)
+ xfree(prompts[i]);
+ xfree(prompts);
+ xfree(name);
+ xfree(echo_on);
+ xfree(info);
+ }
+ /* if we received more prompts, we're screwed */
+ res = (res == 0 && numprompts == 0) ? 0 : -1;
+ }
device->free_ctx(authctxt->kbdintctxt);
authctxt->kbdintctxt = NULL;
return res ? 0 : 1;
+}
+void
+abandon_challenge_response(Authctxt *authctxt)
+{
+ if (authctxt->kbdintctxt != NULL) {
+ device->free_ctx(authctxt->kbdintctxt);
+ authctxt->kbdintctxt = NULL;
+ }
}


@ -1,91 +0,0 @@
--- auth-pam.c.orig Tue Apr 29 11:12:08 2003
+++ auth-pam.c Thu Sep 25 22:42:45 2003
@@ -228,7 +228,7 @@
}
/* Do account management using PAM */
-int do_pam_account(char *username, char *remote_user)
+int old_do_pam_account(const char *username, const char *remote_user)
{
int pam_retval;
@@ -271,7 +271,7 @@
}
/* Do PAM-specific session initialisation */
-void do_pam_session(char *username, const char *ttyname)
+void old_do_pam_session(const char *username, const char *ttyname)
{
int pam_retval;
@@ -294,7 +294,7 @@
}
/* Set PAM credentials */
-void do_pam_setcred(int init)
+void old_do_pam_setcred(int init)
{
int pam_retval;
@@ -318,7 +318,7 @@
}
/* accessor function for file scope static variable */
-int is_pam_password_change_required(void)
+int old_is_pam_password_change_required(void)
{
return password_change_required;
}
@@ -329,7 +329,7 @@
* session is established and the user's pty is connected to
* stdin/stdout/stderr.
*/
-void do_pam_chauthtok(void)
+void old_do_pam_chauthtok(void)
{
int pam_retval;
@@ -357,14 +357,14 @@
}
/* Cleanly shutdown PAM */
-void finish_pam(void)
+void old_finish_pam(void)
{
do_pam_cleanup_proc(NULL);
fatal_remove_cleanup(&do_pam_cleanup_proc, NULL);
}
/* Start PAM authentication for specified account */
-void start_pam(const char *user)
+void old_start_pam(const char *user)
{
int pam_retval;
extern ServerOptions options;
@@ -404,7 +404,7 @@
}
/* Return list of PAM environment strings */
-char **fetch_pam_environment(void)
+char **old_fetch_pam_environment(void)
{
#ifdef HAVE_PAM_GETENVLIST
return(pam_getenvlist(__pamh));
@@ -413,7 +413,7 @@
#endif /* HAVE_PAM_GETENVLIST */
}
-void free_pam_environment(char **env)
+void old_free_pam_environment(char **env)
{
int i;
@@ -425,7 +425,7 @@
/* Print any messages that have been generated during authentication */
/* or account checking to stderr */
-void print_pam_messages(void)
+void old_print_pam_messages(void)
{
if (__pam_msg != NULL)
fputs(__pam_msg, stderr);


@ -1,13 +0,0 @@
--- auth-pam.h Tue Jul 23 02:44:07 2002
+++ cvs-current/auth-pam.h Sat Dec 14 14:52:39 2002
@@ -37,8 +38,8 @@
char **fetch_pam_environment(void);
void free_pam_environment(char **env);
int do_pam_authenticate(int flags);
-int do_pam_account(char *username, char *remote_user);
-void do_pam_session(char *username, const char *ttyname);
+int do_pam_account(const char *username, const char *remote_user);
+void do_pam_session(const char *username, const char *ttyname);
void do_pam_setcred(int init);
void print_pam_messages(void);
int is_pam_password_change_required(void);


@ -1,6 +1,6 @@
--- auth.c.orig Tue Mar 5 02:42:43 2002
+++ auth.c Sun Mar 17 20:53:15 2002
@@ -193,6 +193,17 @@
--- auth.c.orig Tue Sep 2 23:32:46 2003
+++ auth.c Tue Sep 16 20:05:44 2003
@@ -259,6 +259,17 @@
}
#endif /* WITH_AIXAUTHENTICATE */
@ -18,8 +18,8 @@
/* We found no reason not to let this user try to log on... */
return 1;
}
@@ -490,7 +480,7 @@
if (pw == NULL || !allowed_user(pw))
@@ -531,7 +542,7 @@
if (!allowed_user(pw))
return (NULL);
#ifdef HAVE_LOGIN_CAP
- if ((lc = login_getclass(pw->pw_class)) == NULL) {


@ -1,5 +1,5 @@
--- auth1.c.orig Fri Jun 21 08:21:11 2002
+++ auth1.c Fri Jun 28 06:57:42 2002
--- auth1.c.orig Tue Sep 2 23:32:46 2003
+++ auth1.c Tue Sep 16 20:05:44 2003
@@ -26,6 +26,7 @@
#include "session.h"
#include "uidswap.h"
@ -8,9 +8,9 @@
/* import */
extern ServerOptions options;
@@ -75,6 +76,18 @@
@@ -71,6 +72,18 @@
u_int ulen;
int type = 0;
int prev, type = 0;
struct passwd *pw = authctxt->pw;
+#ifdef HAVE_LOGIN_CAP
+ login_cap_t *lc;
@ -21,14 +21,14 @@
+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+ const char *from_host, *from_ip;
+
+ from_host = get_canonical_hostname(options.verify_reverse_mapping);
+ from_host = get_canonical_hostname(options.use_dns);
+ from_ip = get_remote_ipaddr();
+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
debug("Attempting authentication for %s%.100s.",
authctxt->valid ? "" : "illegal user ", authctxt->user);
@@ -282,6 +295,34 @@
log("Unknown message during authentication: type %d", type);
@@ -214,6 +227,34 @@
logit("Unknown message during authentication: type %d", type);
break;
}
+
@ -38,12 +38,12 @@
+ if (lc == NULL)
+ lc = login_getclassbyname(NULL, pw);
+ if (!auth_hostok(lc, from_host, from_ip)) {
+ log("Denied connection for %.200s from %.200s [%.200s].",
+ logit("Denied connection for %.200s from %.200s [%.200s].",
+ pw->pw_name, from_host, from_ip);
+ packet_disconnect("Sorry, you are not allowed to connect.");
+ }
+ if (!auth_timeok(lc, time(NULL))) {
+ log("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+ pw->pw_name, from_host);
+ packet_disconnect("Logins not available right now.");
+ }
@ -53,7 +53,7 @@
+#endif /* HAVE_LOGIN_CAP */
+#ifdef LOGIN_ACCESS
+ if (pw != NULL && !login_access(pw->pw_name, from_host)) {
+ log("Denied connection for %.200s from %.200s [%.200s].",
+ logit("Denied connection for %.200s from %.200s [%.200s].",
+ pw->pw_name, from_host, from_ip);
+ packet_disconnect("Sorry, you are not allowed to connect.");
+ }
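Review bot: The new `from_host = get_canonical_hostname(options.use_dns);` feeds both `login_access(pw->pw_name, from_host)` and `auth_hostok(lc, from_host, from_ip)` without recording that, with `UseDNS no`, get_canonical_hostname() returns the remote IP string rather than a name, so hostname patterns in login.access and in login.conf host rules will quietly fail to match (to be confirmed against canohost.c in 3.7.1p2). A comment at the assignment would keep the check from being read as hostname-based: `/* with UseDNS no this is the IP string; hostname rules in login.access / login.conf will not match */`. The same block is duplicated in the auth2.c patch section (its `logit(` and `use_dns` lines), which would be better factored into one helper beside allowed_user() in auth.c so both protocol versions enforce identical checks; the enclosing function in auth1.c starts and ends outside this hunk.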


@ -1,48 +0,0 @@
--- auth2-chall.c.orig Wed Jun 26 15:58:40 2002
+++ auth2-chall.c Sun Jun 30 07:12:43 2002
@@ -41,6 +42,9 @@
#ifdef BSD_AUTH
extern KbdintDevice bsdauth_device;
#else
+#ifdef USE_PAM
+extern KbdintDevice pam_device;
+#endif
#ifdef SKEY
extern KbdintDevice skey_device;
#endif
@@ -50,6 +54,9 @@
#ifdef BSD_AUTH
&bsdauth_device,
#else
+#ifdef USE_PAM
+ &pam_device,
+#endif
#ifdef SKEY
&skey_device,
#endif
@@ -323,15 +330,22 @@
#ifdef BSD_AUTH
extern KbdintDevice mm_bsdauth_device;
#endif
+#ifdef USE_PAM
+ extern KbdintDevice mm_pam_device;
+#endif
#ifdef SKEY
extern KbdintDevice mm_skey_device;
#endif
- /* As long as SSHv1 has devices[0] hard coded this is fine */
+ int n = 0;
+
#ifdef BSD_AUTH
- devices[0] = &mm_bsdauth_device;
+ devices[n++] = &mm_bsdauth_device;
#else
+#ifdef USE_PAM
+ devices[n++] = &mm_pam_device;
+#endif
#ifdef SKEY
- devices[0] = &mm_skey_device;
+ devices[n++] = &mm_skey_device;
#endif
#endif
}


@ -1,14 +1,14 @@
--- auth2.c.orig Fri Jun 21 08:21:11 2002
+++ auth2.c Fri Jun 28 06:57:56 2002
--- auth2.c.orig Tue Sep 2 23:32:46 2003
+++ auth2.c Tue Sep 16 20:05:44 2003
@@ -35,6 +35,7 @@
#include "dispatch.h"
#include "pathnames.h"
#include "monitor_wrap.h"
+#include "canohost.h"
/* import */
extern ServerOptions options;
@@ -137,6 +138,15 @@
#ifdef GSSAPI
#include "ssh-gss.h"
@@ -143,6 +144,15 @@
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
int authenticated = 0;
@ -18,13 +18,13 @@
+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+ const char *from_host, *from_ip;
+
+ from_host = get_canonical_hostname(options.verify_reverse_mapping);
+ from_host = get_canonical_hostname(options.use_dns);
+ from_ip = get_remote_ipaddr();
+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
@@ -178,6 +188,41 @@
@@ -187,6 +197,41 @@
"(%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
@ -35,12 +35,12 @@
+ if (lc == NULL)
+ lc = login_getclassbyname(NULL, authctxt->pw);
+ if (!auth_hostok(lc, from_host, from_ip)) {
+ log("Denied connection for %.200s from %.200s [%.200s].",
+ logit("Denied connection for %.200s from %.200s [%.200s].",
+ authctxt->pw->pw_name, from_host, from_ip);
+ packet_disconnect("Sorry, you are not allowed to connect.");
+ }
+ if (!auth_timeok(lc, time(NULL))) {
+ log("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+ authctxt->pw->pw_name, from_host);
+ packet_disconnect("Logins not available right now.");
+ }
@ -51,7 +51,7 @@
+#ifdef LOGIN_ACCESS
+ if (authctxt->pw != NULL &&
+ !login_access(authctxt->pw->pw_name, from_host)) {
+ log("Denied connection for %.200s from %.200s [%.200s].",
+ logit("Denied connection for %.200s from %.200s [%.200s].",
+ authctxt->pw->pw_name, from_host, from_ip);
+ packet_disconnect("Sorry, you are not allowed to connect.");
+ }
@ -65,4 +65,4 @@
+
/* reset state */
auth2_challenge_stop(authctxt);
authctxt->postponed = 0;


@ -1,111 +0,0 @@
Subject: OpenSSH Security Advisory: buffer.adv
This is the 2nd revision of the Advisory.
This document can be found at: http://www.openssh.com/txt/buffer.adv
1. Versions affected:
All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
management errors. It is uncertain whether these errors are
potentially exploitable, however, we prefer to see bugs
fixed proactively.
Other implementations sharing common origin may also have
these issues.
2. Solution:
Upgrade to OpenSSH 3.7.1 or apply the following patch.
===================================================================
Appendix A: patch for OpenSSH 3.6.1 and earlier
Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.16
retrieving revision 1.18
diff -u -r1.16 -r1.18
--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16
+++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18
@@ -23,8 +23,11 @@
void
buffer_init(Buffer *buffer)
{
- buffer->alloc = 4096;
- buffer->buf = xmalloc(buffer->alloc);
+ const u_int len = 4096;
+
+ buffer->alloc = 0;
+ buffer->buf = xmalloc(len);
+ buffer->alloc = len;
buffer->offset = 0;
buffer->end = 0;
}
@@ -34,8 +37,11 @@
void
buffer_free(Buffer *buffer)
{
- memset(buffer->buf, 0, buffer->alloc);
- xfree(buffer->buf);
+ if (buffer->alloc > 0) {
+ memset(buffer->buf, 0, buffer->alloc);
+ buffer->alloc = 0;
+ xfree(buffer->buf);
+ }
}
/*
@@ -69,6 +75,7 @@
void *
buffer_append_space(Buffer *buffer, u_int len)
{
+ u_int newlen;
void *p;
if (len > 0x100000)
@@ -98,11 +105,13 @@
goto restart;
}
/* Increase the size of the buffer and retry. */
- buffer->alloc += len + 32768;
- if (buffer->alloc > 0xa00000)
+
+ newlen = buffer->alloc + len + 32768;
+ if (newlen > 0xa00000)
fatal("buffer_append_space: alloc %u not supported",
- buffer->alloc);
- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+ newlen);
+ buffer->buf = xrealloc(buffer->buf, newlen);
+ buffer->alloc = newlen;
goto restart;
/* NOTREACHED */
}
Index: channels.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.194
retrieving revision 1.195
diff -u -r1.194 -r1.195
--- channels.c 29 Aug 2003 10:04:36 -0000 1.194
+++ channels.c 16 Sep 2003 21:02:40 -0000 1.195
@@ -228,12 +228,13 @@
if (found == -1) {
/* There are no free slots. Take last+1 slot and expand the array. */
found = channels_alloc;
- channels_alloc += 10;
if (channels_alloc > 10000)
fatal("channel_new: internal error: channels_alloc %d "
"too big.", channels_alloc);
+ channels = xrealloc(channels,
+ (channels_alloc + 10) * sizeof(Channel *));
+ channels_alloc += 10;
debug2("channel: expanding %d", channels_alloc);
- channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
for (i = found; i < channels_alloc; i++)
channels[i] = NULL;
}


@ -1,17 +0,0 @@
--- deattack.c Tue Mar 5 01:53:05 2002
+++ deattack.c Wed Sep 17 00:18:30 2003
@@ -100,12 +100,12 @@ detect_attack(u_char *buf, u_int32_t len
if (h == NULL) {
debug("Installing crc compensation attack detector.");
+ h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
n = l;
- h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
} else {
if (l > n) {
+ h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);
n = l;
- h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
}
}


@ -1,28 +0,0 @@
--- misc.c Mon Dec 23 02:44:36 2002
+++ misc.c Wed Sep 17 00:50:27 2003
@@ -308,18 +308,21 @@ addargs(arglist *args, char *fmt, ...)
{
va_list ap;
char buf[1024];
+ int nalloc;
va_start(ap, fmt);
vsnprintf(buf, sizeof(buf), fmt, ap);
va_end(ap);
+ nalloc = args->nalloc;
if (args->list == NULL) {
- args->nalloc = 32;
+ nalloc = 32;
args->num = 0;
- } else if (args->num+2 >= args->nalloc)
- args->nalloc *= 2;
+ } else if (args->num+2 >= nalloc)
+ nalloc *= 2;
- args->list = xrealloc(args->list, args->nalloc * sizeof(char *));
+ args->list = xrealloc(args->list, nalloc * sizeof(char *));
+ args->nalloc = nalloc;
args->list[args->num++] = xstrdup(buf);
args->list[args->num] = NULL;
}


@ -1,137 +0,0 @@
--- monitor.c.orig Wed Jun 26 15:27:11 2002
+++ monitor.c Mon Jul 15 21:33:45 2002
@@ -118,6 +118,10 @@
#ifdef USE_PAM
int mm_answer_pam_start(int, Buffer *);
+int mm_answer_pam_init_ctx(int, Buffer *);
+int mm_answer_pam_query(int, Buffer *);
+int mm_answer_pam_respond(int, Buffer *);
+int mm_answer_pam_free_ctx(int, Buffer *);
#endif
static Authctxt *authctxt;
@@ -156,6 +160,10 @@
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
+ {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
+ {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
+ {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
+ {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
#endif
#ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -198,6 +206,10 @@
#endif
#ifdef USE_PAM
{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
+ {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
+ {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
+ {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
+ {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
#endif
{0, 0, NULL}
};
@@ -732,6 +744,101 @@
xfree(user);
return (0);
+}
+
+static void *pam_ctxt, *pam_authok;
+extern KbdintDevice pam_device;
+
+int
+mm_answer_pam_init_ctx(int socket, Buffer *m)
+{
+
+ debug3("%s", __func__);
+ authctxt->user = buffer_get_string(m, NULL);
+ pam_ctxt = (pam_device.init_ctx)(authctxt);
+ pam_authok = NULL;
+ buffer_clear(m);
+ if (pam_ctxt != NULL) {
+ monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1);
+ buffer_put_int(m, 1);
+ } else {
+ buffer_put_int(m, 0);
+ }
+ mm_request_send(socket, MONITOR_ANS_PAM_INIT_CTX, m);
+ return (0);
+}
+
+int
+mm_answer_pam_query(int socket, Buffer *m)
+{
+ char *name, *info, **prompts;
+ u_int num, *echo_on;
+ int i, ret;
+
+ debug3("%s", __func__);
+ pam_authok = NULL;
+ ret = (pam_device.query)(pam_ctxt, &name, &info, &num, &prompts, &echo_on);
+ if (num > 1 || name == NULL || info == NULL)
+ ret = -1;
+ buffer_clear(m);
+ buffer_put_int(m, ret);
+ buffer_put_cstring(m, name);
+ xfree(name);
+ buffer_put_cstring(m, info);
+ xfree(info);
+ buffer_put_int(m, num);
+ for (i = 0; i < num; ++i) {
+ buffer_put_cstring(m, prompts[i]);
+ xfree(prompts[i]);
+ buffer_put_int(m, echo_on[i]);
+ }
+ if (prompts != NULL)
+ xfree(prompts);
+ if (echo_on != NULL)
+ xfree(echo_on);
+ mm_request_send(socket, MONITOR_ANS_PAM_QUERY, m);
+ return (0);
+}
+
+int
+mm_answer_pam_respond(int socket, Buffer *m)
+{
+ char **resp;
+ u_int num;
+ int i, ret;
+
+ debug3("%s", __func__);
+ pam_authok = NULL;
+ num = buffer_get_int(m);
+ if (num > 0) {
+ resp = xmalloc(num * sizeof(char *));
+ for (i = 0; i < num; ++i)
+ resp[i] = buffer_get_string(m, NULL);
+ ret = (pam_device.respond)(pam_ctxt, num, resp);
+ for (i = 0; i < num; ++i)
+ xfree(resp[i]);
+ xfree(resp);
+ } else {
+ ret = (pam_device.respond)(pam_ctxt, num, NULL);
+ }
+ buffer_clear(m);
+ buffer_put_int(m, ret);
+ mm_request_send(socket, MONITOR_ANS_PAM_RESPOND, m);
+ auth_method = "keyboard-interactive/pam";
+ if (ret == 0)
+ pam_authok = pam_ctxt;
+ return (0);
+}
+
+int
+mm_answer_pam_free_ctx(int socket, Buffer *m)
+{
+
+ debug3("%s", __func__);
+ (pam_device.free_ctx)(pam_ctxt);
+ buffer_clear(m);
+ mm_request_send(socket, MONITOR_ANS_PAM_FREE_CTX, m);
+ return (pam_authok == pam_ctxt);
}
#endif


@ -1,13 +0,0 @@
--- monitor.h.orig Tue Jun 11 18:42:49 2002
+++ monitor.h Sun Jun 30 07:13:09 2002
@@ -50,6 +51,10 @@
MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
MONITOR_REQ_PAM_START,
+ MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
+ MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY,
+ MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
+ MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
MONITOR_REQ_TERM
};


@ -1,95 +1,6 @@
--- monitor_wrap.c.orig Fri Jun 21 02:43:43 2002
+++ monitor_wrap.c Sun Jun 30 07:13:18 2002
@@ -664,6 +665,88 @@
buffer_free(&m);
}
+
+void *
+mm_pam_init_ctx(Authctxt *authctxt)
+{
+ Buffer m;
+ int success;
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+ buffer_put_cstring(&m, authctxt->user);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
+ success = buffer_get_int(&m);
+ if (success == 0) {
+ debug3("%s: pam_init_ctx failed", __func__);
+ buffer_free(&m);
+ return (NULL);
+ }
+ buffer_free(&m);
+ return (authctxt);
+}
+
+int
+mm_pam_query(void *ctx, char **name, char **info,
+ u_int *num, char ***prompts, u_int **echo_on)
+{
+ Buffer m;
+ int i, ret;
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_QUERY, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_QUERY", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_QUERY, &m);
+ ret = buffer_get_int(&m);
+ debug3("%s: pam_query returned %d", __func__, ret);
+ *name = buffer_get_string(&m, NULL);
+ *info = buffer_get_string(&m, NULL);
+ *num = buffer_get_int(&m);
+ *prompts = xmalloc((*num + 1) * sizeof(char *));
+ *echo_on = xmalloc((*num + 1) * sizeof(u_int));
+ for (i = 0; i < *num; ++i) {
+ (*prompts)[i] = buffer_get_string(&m, NULL);
+ (*echo_on)[i] = buffer_get_int(&m);
+ }
+ buffer_free(&m);
+ return (ret);
+}
+
+int
+mm_pam_respond(void *ctx, u_int num, char **resp)
+{
+ Buffer m;
+ int i, ret;
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+ buffer_put_int(&m, num);
+ for (i = 0; i < num; ++i)
+ buffer_put_cstring(&m, resp[i]);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_RESPOND, &m);
+ ret = buffer_get_int(&m);
+ debug3("%s: pam_respond returned %d", __func__, ret);
+ buffer_free(&m);
+ return (ret);
+}
+
+void
+mm_pam_free_ctx(void *ctxtp)
+{
+ Buffer m;
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_FREE_CTX, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_FREE_CTX", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_FREE_CTX, &m);
+ buffer_free(&m);
+}
#endif /* USE_PAM */
/* Request process termination */
@@ -767,6 +850,7 @@
--- monitor_wrap.c.orig Tue Sep 2 14:51:17 2003
+++ monitor_wrap.c Tue Sep 16 20:05:44 2003
@@ -894,6 +894,7 @@
return ((authok == 0) ? -1 : 0);
}
@ -97,7 +8,7 @@
int
mm_skey_query(void *ctx, char **name, char **infotxt,
u_int *numprompts, char ***prompts, u_int **echo_on)
@@ -829,6 +913,7 @@
@@ -957,6 +958,7 @@
return ((authok == 0) ? -1 : 0);
}


@ -1,13 +0,0 @@
--- monitor_wrap.h.orig Mon May 13 03:07:42 2002
+++ monitor_wrap.h Sun Jun 30 07:13:18 2002
@@ -57,6 +58,10 @@
#ifdef USE_PAM
void mm_start_pam(char *);
+void *mm_pam_init_ctx(struct Authctxt *);
+int mm_pam_query(void *, char **, char **, u_int *, char ***, u_int **);
+int mm_pam_respond(void *, u_int, char **);
+void mm_pam_free_ctx(void *);
#endif
void mm_terminate(void);


@ -1,19 +0,0 @@
--- regress/Makefile.orig Wed Jan 22 07:53:17 2003
+++ regress/Makefile Tue Apr 1 05:28:43 2003
@@ -1,6 +1,6 @@
# $OpenBSD: Makefile,v 1.20 2003/01/08 23:54:22 djm Exp $
-REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7
+REGRESSTARGETS= t1 t2 t3 t4 t5 t6 t7
CLEANFILES+= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2
@@ -71,7 +71,7 @@
ssh-keygen -Bf t7.out > /dev/null
.for t in ${LTESTS}
-REGRESS_TARGETS+=t-${t}
+REGRESSTARGETS+=t-${t}
t-${t}:
sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/${t}.sh
.endfor


@ -1,9 +1,9 @@
--- regress/test-exec.sh.orig Wed May 1 05:17:35 2002
+++ regress/test-exec.sh Tue Apr 1 06:03:11 2003
@@ -130,6 +130,8 @@
PidFile $PIDFILE
--- regress/test-exec.sh.orig Fri Sep 12 07:32:17 2003
+++ regress/test-exec.sh Tue Sep 16 19:56:13 2003
@@ -163,6 +163,8 @@
AuthorizedKeysFile $OBJ/authorized_keys_%u
LogLevel QUIET
StrictModes no
+ PermitRootLogin yes
+ UsePrivilegeSeparation no
EOF
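Review bot: The sshd configuration this harness writes ends with `PermitRootLogin yes` and `UsePrivilegeSeparation no` (both kept on the new side of the refreshed hunk), so the regression run this commit reports as improved only exercises sshd with privilege separation disabled, which is not the default the port's sshd_config ships with. The keyboard-interactive/PAM handling this commit changes (the port's own PAM monitor code is removed elsewhere in it) is therefore not covered under the privsep path; it is not visible here whether a second run with the default settings exists. A comment above the two appended lines such as `# regress only: runs the test sshd without privsep and with root logins allowed` would at least make the reduced coverage explicit. The here-document continues outside the hunk.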


@ -1,7 +1,7 @@
--- session.c.orig Thu Mar 20 19:18:09 2003
+++ session.c Wed Sep 17 11:05:26 2003
@@ -64,6 +64,11 @@
#define is_winnt (GetVersion() < 0x80000000)
--- session.c.orig Tue Sep 23 10:59:08 2003
+++ session.c Tue Sep 23 17:29:31 2003
@@ -62,6 +62,11 @@
#include "ssh-gss.h"
#endif
+#ifdef __FreeBSD__
@ -12,7 +12,7 @@
/* func */
Session *session_new(void);
@@ -471,6 +476,13 @@
@@ -411,6 +416,13 @@
log_init(__progname, options.log_level, options.log_facility, log_stderr);
/*
@ -26,7 +26,7 @@
* Create a new session and process group since the 4.4BSD
* setlogin() affects the entire process group.
*/
@@ -576,6 +588,9 @@
@@ -516,6 +528,9 @@
{
int fdout, ptyfd, ttyfd, ptymaster;
pid_t pid;
@ -36,25 +36,7 @@
if (s == NULL)
fatal("do_exec_pty: no session");
@@ -583,7 +598,16 @@
ttyfd = s->ttyfd;
#if defined(USE_PAM)
- do_pam_session(s->pw->pw_name, s->tty);
+ /* check if we have a pathname in the ttyname */
+ shorttty = rindex( s->tty, '/' );
+ if (shorttty != NULL ) {
+ /* use only the short filename to check */
+ shorttty ++;
+ } else {
+ /* nothing found, use the whole name found */
+ shorttty = s->tty;
+ }
+ do_pam_session(s->pw->pw_name, shorttty);
do_pam_setcred(1);
#endif
@@ -593,6 +617,14 @@
@@ -535,6 +550,14 @@
/* Child. Reinitialize the log because the pid has changed. */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
@ -69,7 +51,7 @@
/* Close the master side of the pseudo tty. */
close(ptyfd);
@@ -726,6 +758,18 @@
@@ -676,6 +699,18 @@
struct sockaddr_storage from;
struct passwd * pw = s->pw;
pid_t pid = getpid();
@ -88,7 +70,7 @@
/*
* Get IP address of client. If the connection is not a socket, let
@@ -759,6 +803,72 @@
@@ -710,6 +745,72 @@
}
#endif
@ -107,7 +89,7 @@
+ if (tv.tv_sec >= pw->pw_change) {
+ (void)printf(
+ "Sorry -- your password has expired.\n");
+ log("%s Password expired - forcing change",
+ logit("%s Password expired - forcing change",
+ pw->pw_name);
+ if (newcommand != NULL)
+ xfree(newcommand);
@ -124,10 +106,10 @@
+ if (tv.tv_sec >= pw->pw_expire) {
+ (void)printf(
+ "Sorry -- your account has expired.\n");
+ log(
+ logit(
+ "LOGIN %.200s REFUSED (EXPIRED) FROM %.200s ON TTY %.200s",
+ pw->pw_name, get_remote_name_or_ip(utmp_len,
+ options.verify_reverse_mapping), s->tty);
+ options.use_dns), s->tty);
+ exit(254);
+ } else if (pw->pw_expire - tv.tv_sec < warntime &&
+ !check_quietlogin(s, command))
@ -150,10 +132,10 @@
+ }
+ if (!auth_ttyok(lc, shorttty)) {
+ (void)printf("Permission denied.\n");
+ log(
+ logit(
+ "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
+ pw->pw_name, get_remote_name_or_ip(utmp_len,
+ options.verify_reverse_mapping), s->tty);
+ options.use_dns), s->tty);
+ exit(254);
+ }
+#endif /* HAVE_LOGIN_CAP */
@ -161,8 +143,8 @@
if (check_quietlogin(s, command))
return;
@@ -772,7 +882,17 @@
#endif /* WITH_AIXAUTHENTICATE */
@@ -726,7 +827,17 @@
buffer_free(&loginmsg);
#ifndef NO_SSH_LASTLOG
- if (options.print_lastlog && s->last_login_time != 0) {
@ -180,7 +162,7 @@
time_string = ctime(&s->last_login_time);
if (strchr(time_string, '\n'))
*strchr(time_string, '\n') = 0;
@@ -784,7 +904,30 @@
@@ -738,7 +849,30 @@
}
#endif /* NO_SSH_LASTLOG */
@ -212,7 +194,7 @@
}
/*
@@ -800,9 +943,9 @@
@@ -754,9 +888,9 @@
#ifdef HAVE_LOGIN_CAP
f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
"/etc/motd"), "r");
@ -224,7 +206,7 @@
if (f) {
while (fgets(buf, sizeof(buf), f))
fputs(buf, stdout);
@@ -829,10 +972,10 @@
@@ -783,10 +917,10 @@
#ifdef HAVE_LOGIN_CAP
if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0)
return 1;
@ -237,38 +219,10 @@
return 0;
}
@@ -844,7 +987,7 @@
child_set_env(char ***envp, u_int *envsizep, const char *name,
const char *value)
{
- u_int i, namelen;
+ u_int i, namelen, envsize;
char **env;
/*
@@ -862,12 +1005,14 @@
xfree(env[i]);
} else {
/* New variable. Expand if necessary. */
- if (i >= (*envsizep) - 1) {
- if (*envsizep >= 1000)
+ envsize = *envsizep;
+ if (i >= envsize - 1) {
+ if (envsize >= 1000)
fatal("child_set_env: too many env vars,"
" skipping: %.100s", name);
- (*envsizep) += 50;
- env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
+ envsize += 50;
+ env = (*envp) = xrealloc(env, envsize * sizeof(char *));
+ *envsizep = envsize;
}
/* Need to set the NULL pointer at end of array beyond the new slot. */
env[i + 1] = NULL;
@@ -952,6 +1097,10 @@
@@ -973,6 +1107,10 @@
char buf[256];
u_int i, envsize;
char **env, *laddr;
char **env, *laddr, *path = NULL;
+#ifdef HAVE_LOGIN_CAP
+ extern char **environ;
+ char **senv, **var;
@ -276,7 +230,7 @@
struct passwd *pw = s->pw;
/* Initialize the environment. */
@@ -959,6 +1108,9 @@
@@ -980,6 +1118,9 @@
env = xmalloc(envsize * sizeof(char *));
env[0] = NULL;
@ -286,7 +240,7 @@
#ifdef HAVE_CYGWIN
/*
* The Windows environment contains some setting which are
@@ -1003,9 +1155,21 @@
@@ -1034,9 +1175,21 @@
/* Normal systems set SHELL by default. */
child_set_env(&env, &envsize, "SHELL", shell);
@ -310,7 +264,7 @@
/* Set custom environment options from RSA authentication. */
if (!options.use_login) {
@@ -1219,7 +1383,7 @@
@@ -1245,7 +1398,7 @@
setpgid(0, 0);
# endif
if (setusercontext(lc, pw, pw->pw_uid,
@ -319,7 +273,25 @@
perror("unable to set user context");
exit(1);
}
@@ -1382,7 +1546,7 @@
@@ -1275,7 +1428,16 @@
* Reestablish them here.
*/
if (options.use_pam) {
- do_pam_session();
+ /* check if we have a pathname in the ttyname */
+ shorttty = rindex( s->tty, '/' );
+ if (shorttty != NULL ) {
+ /* use only the short filename to check */
+ shorttty ++;
+ } else {
+ /* nothing found, use the whole name found */
+ shorttty = s->tty;
+ }
+ do_pam_session(s->pw->pw_name, shorttty);
do_pam_setcred(0);
}
# endif /* USE_PAM */
@@ -1411,7 +1573,7 @@
* initgroups, because at least on Solaris 2.3 it leaves file
* descriptors open.
*/
@ -328,7 +300,7 @@
close(i);
/*
@@ -1412,6 +1576,31 @@
@@ -1429,6 +1591,31 @@
exit(1);
#endif
}
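Review bot: The PAM block moved into the `@@ -1275,7 +1428,16 @@` hunk of this section uses `rindex()`, a legacy BSD name; `strrchr()` is the ISO C equivalent used by the surrounding OpenSSH code, so `shorttty = strrchr(s->tty, '/');` would read consistently (and the padding in `if (shorttty != NULL )` can go). That block also references `s` and `shorttty`, which the old site in do_exec_pty had in scope via the declarations added by the `@@ -516,6 +528,9 @@` hunk; it is not visible in this section whether the function around line 1275 declares either, nor whether `s->tty` can be NULL on that path, in which case the `rindex()` call would dereference it before the NULL check. The call now passes two arguments to `do_pam_session()` where the replaced line passed none, which only builds if this release's auth-pam.h prototype agrees; the port's own auth-pam.h patch is deleted elsewhere in this commit. The enclosing function starts and ends outside the hunk.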


@ -1,44 +0,0 @@
--- ssh-agent.c Sat Mar 15 00:37:09 2003
+++ ssh-agent.c Wed Sep 17 00:42:15 2003
@@ -767,7 +767,7 @@ process_message(SocketEntry *e)
static void
new_socket(sock_type type, int fd)
{
- u_int i, old_alloc;
+ u_int i, old_alloc, new_alloc;
if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
error("fcntl O_NONBLOCK: %s", strerror(errno));
@@ -778,25 +778,26 @@ new_socket(sock_type type, int fd)
for (i = 0; i < sockets_alloc; i++)
if (sockets[i].type == AUTH_UNUSED) {
sockets[i].fd = fd;
- sockets[i].type = type;
buffer_init(&sockets[i].input);
buffer_init(&sockets[i].output);
buffer_init(&sockets[i].request);
+ sockets[i].type = type;
return;
}
old_alloc = sockets_alloc;
- sockets_alloc += 10;
+ new_alloc = sockets_alloc + 10;
if (sockets)
- sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
+ sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
else
- sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
- for (i = old_alloc; i < sockets_alloc; i++)
+ sockets = xmalloc(new_alloc * sizeof(sockets[0]));
+ for (i = old_alloc; i < new_alloc; i++)
sockets[i].type = AUTH_UNUSED;
- sockets[old_alloc].type = type;
+ sockets_alloc = new_alloc;
sockets[old_alloc].fd = fd;
buffer_init(&sockets[old_alloc].input);
buffer_init(&sockets[old_alloc].output);
buffer_init(&sockets[old_alloc].request);
+ sockets[old_alloc].type = type;
}
static int

View File

@ -1,14 +1,14 @@
--- sshd_config.orig Fri Jun 21 03:11:36 2002
+++ sshd_config Wed Jul 3 06:20:47 2002
--- sshd_config.orig Tue Sep 2 14:51:18 2003
+++ sshd_config Tue Sep 16 20:05:44 2003
@@ -34,6 +34,7 @@
#LoginGraceTime 600
#LoginGraceTime 2m
#PermitRootLogin yes
+PermitRootLogin no
#StrictModes yes
#RSAAuthentication yes
@@ -58,6 +59,7 @@
@@ -56,6 +57,7 @@
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes


@ -1,11 +0,0 @@
--- regress/stderr-after-eof.sh.orig Wed May 1 05:17:35 2002
+++ regress/stderr-after-eof.sh Fri Jul 19 07:22:18 2002
@@ -7,7 +7,7 @@
DATA=${OBJ}/data
COPY=${OBJ}/copy
-MD5=md5sum
+MD5=md5
# setup data
rm -f ${DATA} ${COPY}


@ -6,8 +6,7 @@
#
PORTNAME= openssh
PORTVERSION= 3.6.1p2
PORTREVISION= 5
PORTVERSION= 3.7.1p2
CATEGORIES= security ipv6
MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
ftp://carroll.cac.psu.edu/pub/OpenBSD/OpenSSH/portable/
@ -31,7 +30,6 @@ PRECIOUS= ssh_config sshd_config \
ssh_host_rsa_key ssh_host_rsa_key.pub \
ssh_host_dsa_key ssh_host_dsa_key.pub
ETCOLD= ${PREFIX}/etc
ADDME+= auth2-pam-freebsd.c
.if exists(/usr/include/security/pam_modules.h)
CONFIGURE_ARGS+= --with-pam
@ -74,11 +72,6 @@ CONFIGURE_ARGS+= --with-privsep-path=${EMPTYDIR}
EXTRA_PATCHES+= ${FILESDIR}/batch.patch
.endif
post-extract:
.for i in ${ADDME}
@${CP} ${FILESDIR}/${i} ${WRKSRC}/
.endfor
.if defined(KRB5_HOME) && exists(${KRB5_HOME})
PKGNAMESUFFIX= -gssapi
GSSAPI_PATCH= ${PORTNAME}-3.6.1p2-gssapi-20030430.diff
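Review bot: `GSSAPI_PATCH= ${PORTNAME}-3.6.1p2-gssapi-20030430.diff` on the last line of this section still pins the GSSAPI patch to the previous release while PORTVERSION moves to 3.7.1p2, and distinfo in the next section likewise keeps only the 3.6.1p2 gssapi checksum. A KRB5_HOME build would therefore fetch and apply a diff produced against 3.6.1p2 to the 3.7.1p2 tree; unless that diff is known to apply cleanly, the `-gssapi` flavour is broken by this bump. Either refresh the GSSAPI patch and its checksum together with the version, or record the gap in a comment such as `# XXX GSSAPI patch still targets 3.6.1p2` next to the assignment. The KRB5_HOME block continues past the end of this hunk.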


@ -1,2 +1,2 @@
MD5 (openssh-3.6.1p2.tar.gz) = f3879270bffe479e1bd057aa36258696
MD5 (openssh-3.7.1p2.tar.gz) = 61cf5b059938718308836d00f6764a94
MD5 (openssh-3.6.1p2-gssapi-20030430.diff) = 520e15f541398efed2763aaf8ac08e6a


@ -1,626 +0,0 @@
/*-
* Copyright (c) 2002 Networks Associates Technology, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project by ThinkSec AS and
* NAI Labs, the Security Research Division of Network Associates, Inc.
* under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
* DARPA CHATS research program.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "includes.h"
RCSID("$FreeBSD: /tmp/pcvs/ports/security/openssh-portable/files/Attic/auth2-pam-freebsd.c,v 1.5 2003-09-26 02:42:39 dinoex Exp $");
#ifdef USE_PAM
#include <security/pam_appl.h>
#include "auth.h"
#include "auth-pam.h"
#include "buffer.h"
#include "bufaux.h"
#include "canohost.h"
#include "log.h"
#include "monitor_wrap.h"
#include "msg.h"
#include "packet.h"
#include "readpass.h"
#include "servconf.h"
#include "ssh2.h"
#include "xmalloc.h"
#ifdef USE_POSIX_THREADS
#include <pthread.h>
#else
/*
* Simulate threads with processes.
*/
typedef pid_t pthread_t;
static void
pthread_exit(void *value __unused)
{
_exit(0);
}
static int
pthread_create(pthread_t *thread, const void *attr __unused,
void *(*thread_start)(void *), void *arg)
{
pid_t pid;
switch ((pid = fork())) {
case -1:
error("fork(): %s", strerror(errno));
return (-1);
case 0:
thread_start(arg);
_exit(1);
default:
*thread = pid;
return (0);
}
}
static int
pthread_cancel(pthread_t thread)
{
return (kill(thread, SIGTERM));
}
static int
pthread_join(pthread_t thread, void **value __unused)
{
int status;
waitpid(thread, &status, 0);
return (status);
}
#endif
static pam_handle_t *pam_handle;
static int pam_err;
static int pam_authenticated;
static int pam_new_authtok_reqd;
static int pam_session_open;
static int pam_cred_established;
struct pam_ctxt {
pthread_t pam_thread;
int pam_psock;
int pam_csock;
int pam_done;
};
static void pam_free_ctx(void *);
/*
* Conversation function for authentication thread.
*/
static int
pam_thread_conv(int n,
const struct pam_message **msg,
struct pam_response **resp,
void *data)
{
Buffer buffer;
struct pam_ctxt *ctxt;
int i;
ctxt = data;
if (n <= 0 || n > PAM_MAX_NUM_MSG)
return (PAM_CONV_ERR);
*resp = xmalloc(n * sizeof **resp);
buffer_init(&buffer);
for (i = 0; i < n; ++i) {
(*resp)[i].resp_retcode = 0;
(*resp)[i].resp = NULL;
switch (msg[i]->msg_style) {
case PAM_PROMPT_ECHO_OFF:
buffer_put_cstring(&buffer, msg[i]->msg);
ssh_msg_send(ctxt->pam_csock, msg[i]->msg_style, &buffer);
ssh_msg_recv(ctxt->pam_csock, &buffer);
if (buffer_get_char(&buffer) != PAM_AUTHTOK)
goto fail;
(*resp)[i].resp = buffer_get_string(&buffer, NULL);
break;
case PAM_PROMPT_ECHO_ON:
buffer_put_cstring(&buffer, msg[i]->msg);
ssh_msg_send(ctxt->pam_csock, msg[i]->msg_style, &buffer);
ssh_msg_recv(ctxt->pam_csock, &buffer);
if (buffer_get_char(&buffer) != PAM_AUTHTOK)
goto fail;
(*resp)[i].resp = buffer_get_string(&buffer, NULL);
break;
case PAM_ERROR_MSG:
buffer_put_cstring(&buffer, msg[i]->msg);
ssh_msg_send(ctxt->pam_csock, msg[i]->msg_style, &buffer);
break;
case PAM_TEXT_INFO:
buffer_put_cstring(&buffer, msg[i]->msg);
ssh_msg_send(ctxt->pam_csock, msg[i]->msg_style, &buffer);
break;
default:
goto fail;
}
buffer_clear(&buffer);
}
buffer_free(&buffer);
return (PAM_SUCCESS);
fail:
xfree(*resp);
*resp = NULL;
buffer_free(&buffer);
return (PAM_CONV_ERR);
}
/*
* Authentication thread.
*/
static void *
pam_thread(void *ctxtp)
{
struct pam_ctxt *ctxt = ctxtp;
Buffer buffer;
struct pam_conv pam_conv = { pam_thread_conv, ctxt };
#ifndef USE_POSIX_THREADS
{
const char *pam_user;
pam_get_item(pam_handle, PAM_USER, (const void **)&pam_user);
setproctitle("%s [pam]", pam_user);
}
#endif
buffer_init(&buffer);
pam_err = pam_set_item(pam_handle, PAM_CONV, (const void *)&pam_conv);
if (pam_err != PAM_SUCCESS)
goto auth_fail;
pam_err = pam_authenticate(pam_handle, 0);
if (pam_err != PAM_SUCCESS)
goto auth_fail;
pam_err = pam_acct_mgmt(pam_handle, 0);
if (pam_err != PAM_SUCCESS && pam_err != PAM_NEW_AUTHTOK_REQD)
goto auth_fail;
buffer_put_cstring(&buffer, "OK");
ssh_msg_send(ctxt->pam_csock, pam_err, &buffer);
buffer_free(&buffer);
pthread_exit(NULL);
auth_fail:
buffer_put_cstring(&buffer,
pam_strerror(pam_handle, pam_err));
ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
buffer_free(&buffer);
pthread_exit(NULL);
}
static void
pam_thread_cleanup(void *ctxtp)
{
struct pam_ctxt *ctxt = ctxtp;
pthread_cancel(ctxt->pam_thread);
pthread_join(ctxt->pam_thread, NULL);
close(ctxt->pam_psock);
close(ctxt->pam_csock);
}
static int
pam_null_conv(int n,
const struct pam_message **msg,
struct pam_response **resp,
void *data)
{
return (PAM_CONV_ERR);
}
static struct pam_conv null_conv = { pam_null_conv, NULL };
static void
pam_cleanup(void *arg)
{
(void)arg;
debug("PAM: cleanup");
pam_set_item(pam_handle, PAM_CONV, (const void *)&null_conv);
if (pam_cred_established) {
pam_setcred(pam_handle, PAM_DELETE_CRED);
pam_cred_established = 0;
}
if (pam_session_open) {
pam_close_session(pam_handle, PAM_SILENT);
pam_session_open = 0;
}
pam_authenticated = pam_new_authtok_reqd = 0;
pam_end(pam_handle, pam_err);
pam_handle = NULL;
}
static int
pam_init(const char *user)
{
extern ServerOptions options;
extern u_int utmp_len;
const char *pam_rhost, *pam_user;
if (pam_handle != NULL) {
/* We already have a PAM context; check if the user matches */
pam_err = pam_get_item(pam_handle,
PAM_USER, (const void **)&pam_user);
if (pam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0)
return (0);
fatal_remove_cleanup(pam_cleanup, NULL);
pam_end(pam_handle, pam_err);
pam_handle = NULL;
}
debug("PAM: initializing for \"%s\"", user);
pam_err = pam_start("sshd", user, &null_conv, &pam_handle);
if (pam_err != PAM_SUCCESS)
return (-1);
pam_rhost = get_remote_name_or_ip(utmp_len,
options.verify_reverse_mapping);
debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
pam_err = pam_set_item(pam_handle, PAM_RHOST, pam_rhost);
if (pam_err != PAM_SUCCESS) {
pam_end(pam_handle, pam_err);
pam_handle = NULL;
return (-1);
}
fatal_add_cleanup(pam_cleanup, NULL);
return (0);
}
static void *
pam_init_ctx(Authctxt *authctxt)
{
struct pam_ctxt *ctxt;
int socks[2];
/* Initialize PAM */
if (pam_init(authctxt->user) == -1) {
error("PAM: initialization failed");
return (NULL);
}
ctxt = xmalloc(sizeof *ctxt);
ctxt->pam_done = 0;
/* Start the authentication thread */
if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
error("PAM: failed create sockets: %s", strerror(errno));
xfree(ctxt);
return (NULL);
}
ctxt->pam_psock = socks[0];
ctxt->pam_csock = socks[1];
if (pthread_create(&ctxt->pam_thread, NULL, pam_thread, ctxt) == -1) {
error("PAM: failed to start authentication thread: %s",
strerror(errno));
close(socks[0]);
close(socks[1]);
xfree(ctxt);
return (NULL);
}
fatal_add_cleanup(pam_thread_cleanup, ctxt);
return (ctxt);
}
static int
pam_query(void *ctx, char **name, char **info,
u_int *num, char ***prompts, u_int **echo_on)
{
Buffer buffer;
struct pam_ctxt *ctxt = ctx;
size_t plen;
u_char type;
char *msg;
buffer_init(&buffer);
*name = xstrdup("");
*info = xstrdup("");
*prompts = xmalloc(sizeof(char *));
**prompts = NULL;
plen = 0;
*echo_on = xmalloc(sizeof(u_int));
while (ssh_msg_recv(ctxt->pam_psock, &buffer) == 0) {
type = buffer_get_char(&buffer);
msg = buffer_get_string(&buffer, NULL);
switch (type) {
case PAM_PROMPT_ECHO_ON:
case PAM_PROMPT_ECHO_OFF:
*num = 1;
**prompts = xrealloc(**prompts, plen + strlen(msg) + 1);
plen += sprintf(**prompts + plen, "%s", msg);
**echo_on = (type == PAM_PROMPT_ECHO_ON);
xfree(msg);
return (0);
case PAM_ERROR_MSG:
case PAM_TEXT_INFO:
/* accumulate messages */
**prompts = xrealloc(**prompts, plen + strlen(msg) + 1);
plen += sprintf(**prompts + plen, "%s", msg);
xfree(msg);
break;
case PAM_NEW_AUTHTOK_REQD:
pam_new_authtok_reqd = 1;
/* FALLTHROUGH */
case PAM_SUCCESS:
case PAM_AUTH_ERR:
if (**prompts != NULL) {
/* drain any accumulated messages */
#if 0 /* not compatible with privsep */
packet_start(SSH2_MSG_USERAUTH_BANNER);
packet_put_cstring(**prompts);
packet_put_cstring("");
packet_send();
packet_write_wait();
#endif
xfree(**prompts);
**prompts = NULL;
}
if (type == PAM_SUCCESS) {
*num = 0;
**echo_on = 0;
ctxt->pam_done = 1;
xfree(msg);
return (0);
}
error("PAM: %s", msg);
default:
*num = 0;
**echo_on = 0;
xfree(msg);
ctxt->pam_done = -1;
return (-1);
}
}
return (-1);
}
static int
pam_respond(void *ctx, u_int num, char **resp)
{
Buffer buffer;
struct pam_ctxt *ctxt = ctx;
char *msg;
debug2("PAM: %s", __func__);
switch (ctxt->pam_done) {
case 1:
pam_authenticated = 1;
return (0);
case 0:
break;
default:
return (-1);
}
if (num != 1) {
error("PAM: expected one response, got %u", num);
return (-1);
}
buffer_init(&buffer);
buffer_put_cstring(&buffer, *resp);
ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer);
buffer_free(&buffer);
return (1);
}
static void
pam_free_ctx(void *ctxtp)
{
struct pam_ctxt *ctxt = ctxtp;
fatal_remove_cleanup(pam_thread_cleanup, ctxt);
pam_thread_cleanup(ctxtp);
xfree(ctxt);
/*
* We don't call pam_cleanup() here because we may need the PAM
* handle at a later stage, e.g. when setting up a session. It's
* still on the cleanup list, so pam_end() *will* be called before
* the server process terminates.
*/
}
KbdintDevice pam_device = {
"pam",
pam_init_ctx,
pam_query,
pam_respond,
pam_free_ctx
};
KbdintDevice mm_pam_device = {
"pam",
mm_pam_init_ctx,
mm_pam_query,
mm_pam_respond,
mm_pam_free_ctx
};
/*
* This replaces auth-pam.c
*/
void
start_pam(const char *user)
{
if (pam_init(user) == -1)
fatal("PAM: initialisation failed");
}
void
finish_pam(void)
{
fatal_remove_cleanup(pam_cleanup, NULL);
pam_cleanup(NULL);
}
int
do_pam_account(const char *user, const char *ruser)
{
/* XXX */
return (1);
}
void
do_pam_session(const char *user, const char *tty)
{
pam_err = pam_set_item(pam_handle, PAM_CONV, (const void *)&null_conv);
if (pam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(pam_handle, pam_err));
debug("PAM: setting PAM_TTY to \"%s\"", tty);
pam_err = pam_set_item(pam_handle, PAM_TTY, tty);
if (pam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_TTY: %s",
pam_strerror(pam_handle, pam_err));
pam_err = pam_open_session(pam_handle, 0);
if (pam_err != PAM_SUCCESS)
fatal("PAM: pam_open_session(): %s",
pam_strerror(pam_handle, pam_err));
pam_session_open = 1;
}
void
do_pam_setcred(int init)
{
pam_err = pam_set_item(pam_handle, PAM_CONV, (const void *)&null_conv);
if (pam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(pam_handle, pam_err));
if (init) {
debug("PAM: establishing credentials");
pam_err = pam_setcred(pam_handle, PAM_ESTABLISH_CRED);
} else {
debug("PAM: reinitializing credentials");
pam_err = pam_setcred(pam_handle, PAM_REINITIALIZE_CRED);
}
if (pam_err == PAM_SUCCESS) {
pam_cred_established = 1;
return;
}
if (pam_authenticated)
fatal("PAM: pam_setcred(): %s",
pam_strerror(pam_handle, pam_err));
else
debug("PAM: pam_setcred(): %s",
pam_strerror(pam_handle, pam_err));
}
int
is_pam_password_change_required(void)
{
return (pam_new_authtok_reqd);
}
static int
pam_chauthtok_conv(int n,
const struct pam_message **msg,
struct pam_response **resp,
void *data)
{
char input[PAM_MAX_MSG_SIZE];
int i;
if (n <= 0 || n > PAM_MAX_NUM_MSG)
return (PAM_CONV_ERR);
*resp = xmalloc(n * sizeof **resp);
for (i = 0; i < n; ++i) {
switch (msg[i]->msg_style) {
case PAM_PROMPT_ECHO_OFF:
(*resp)[i].resp =
read_passphrase(msg[i]->msg, RP_ALLOW_STDIN);
(*resp)[i].resp_retcode = PAM_SUCCESS;
break;
case PAM_PROMPT_ECHO_ON:
fputs(msg[i]->msg, stderr);
fgets(input, sizeof input, stdin);
(*resp)[i].resp = xstrdup(input);
(*resp)[i].resp_retcode = PAM_SUCCESS;
break;
case PAM_ERROR_MSG:
case PAM_TEXT_INFO:
fputs(msg[i]->msg, stderr);
(*resp)[i].resp_retcode = PAM_SUCCESS;
break;
default:
goto fail;
}
}
return (PAM_SUCCESS);
fail:
xfree(*resp);
*resp = NULL;
return (PAM_CONV_ERR);
}
/*
* XXX this should be done in the authentication phase, but ssh1 doesn't
* support that
*/
void
do_pam_chauthtok(void)
{
struct pam_conv pam_conv = { pam_chauthtok_conv, NULL };
if (use_privsep)
fatal("PAM: chauthtok not supprted with privsep");
pam_err = pam_set_item(pam_handle, PAM_CONV, (const void *)&pam_conv);
if (pam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(pam_handle, pam_err));
debug("PAM: changing password");
pam_err = pam_chauthtok(pam_handle, PAM_CHANGE_EXPIRED_AUTHTOK);
if (pam_err != PAM_SUCCESS)
fatal("PAM: pam_chauthtok(): %s",
pam_strerror(pam_handle, pam_err));
}
void
print_pam_messages(void)
{
/* XXX */
}
char **
fetch_pam_environment(void)
{
#ifdef HAVE_PAM_GETENVLIST
debug("PAM: retrieving environment");
return (pam_getenvlist(pam_handle));
#else
return (NULL);
#endif
}
void
free_pam_environment(char **env)
{
char **envp;
for (envp = env; *envp; envp++)
xfree(*envp);
xfree(env);
}
#endif /* USE_PAM */


@ -1,11 +0,0 @@
--- Makefile.in.orig Wed Jun 26 01:45:42 2002
+++ Makefile.in Mon Jul 22 07:24:41 2002
@@ -70,6 +70,8 @@
MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
MANTYPE = @MANTYPE@
+SSHDOBJS+= auth2-pam-freebsd.o
+
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
CONFIGFILES_IN=sshd_config ssh_config moduli


@ -1,36 +0,0 @@
--- auth-chall.c Tue Jun 5 20:56:17 2001
+++ cvs-current/auth-chall.c Wed Sep 24 20:24:27 2003
@@ -76,7 +77,33 @@
return 0;
resp[0] = (char *)response;
res = device->respond(authctxt->kbdintctxt, 1, resp);
+ if (res == 1) {
+ /* postponed - send a null query just in case */
+ char *name, *info, **prompts;
+ u_int i, numprompts, *echo_on;
+
+ res = device->query(authctxt->kbdintctxt, &name, &info,
+ &numprompts, &prompts, &echo_on);
+ if (res == 0) {
+ for (i = 0; i < numprompts; i++)
+ xfree(prompts[i]);
+ xfree(prompts);
+ xfree(name);
+ xfree(echo_on);
+ xfree(info);
+ }
+ /* if we received more prompts, we're screwed */
+ res = (res == 0 && numprompts == 0) ? 0 : -1;
+ }
device->free_ctx(authctxt->kbdintctxt);
authctxt->kbdintctxt = NULL;
return res ? 0 : 1;
+}
+void
+abandon_challenge_response(Authctxt *authctxt)
+{
+ if (authctxt->kbdintctxt != NULL) {
+ device->free_ctx(authctxt->kbdintctxt);
+ authctxt->kbdintctxt = NULL;
+ }
}


@ -1,91 +0,0 @@
--- auth-pam.c.orig Tue Apr 29 11:12:08 2003
+++ auth-pam.c Thu Sep 25 22:42:45 2003
@@ -228,7 +228,7 @@
}
/* Do account management using PAM */
-int do_pam_account(char *username, char *remote_user)
+int old_do_pam_account(const char *username, const char *remote_user)
{
int pam_retval;
@@ -271,7 +271,7 @@
}
/* Do PAM-specific session initialisation */
-void do_pam_session(char *username, const char *ttyname)
+void old_do_pam_session(const char *username, const char *ttyname)
{
int pam_retval;
@@ -294,7 +294,7 @@
}
/* Set PAM credentials */
-void do_pam_setcred(int init)
+void old_do_pam_setcred(int init)
{
int pam_retval;
@@ -318,7 +318,7 @@
}
/* accessor function for file scope static variable */
-int is_pam_password_change_required(void)
+int old_is_pam_password_change_required(void)
{
return password_change_required;
}
@@ -329,7 +329,7 @@
* session is established and the user's pty is connected to
* stdin/stdout/stderr.
*/
-void do_pam_chauthtok(void)
+void old_do_pam_chauthtok(void)
{
int pam_retval;
@@ -357,14 +357,14 @@
}
/* Cleanly shutdown PAM */
-void finish_pam(void)
+void old_finish_pam(void)
{
do_pam_cleanup_proc(NULL);
fatal_remove_cleanup(&do_pam_cleanup_proc, NULL);
}
/* Start PAM authentication for specified account */
-void start_pam(const char *user)
+void old_start_pam(const char *user)
{
int pam_retval;
extern ServerOptions options;
@@ -404,7 +404,7 @@
}
/* Return list of PAM environment strings */
-char **fetch_pam_environment(void)
+char **old_fetch_pam_environment(void)
{
#ifdef HAVE_PAM_GETENVLIST
return(pam_getenvlist(__pamh));
@@ -413,7 +413,7 @@
#endif /* HAVE_PAM_GETENVLIST */
}
-void free_pam_environment(char **env)
+void old_free_pam_environment(char **env)
{
int i;
@@ -425,7 +425,7 @@
/* Print any messages that have been generated during authentication */
/* or account checking to stderr */
-void print_pam_messages(void)
+void old_print_pam_messages(void)
{
if (__pam_msg != NULL)
fputs(__pam_msg, stderr);


@ -1,13 +0,0 @@
--- auth-pam.h Tue Jul 23 02:44:07 2002
+++ cvs-current/auth-pam.h Sat Dec 14 14:52:39 2002
@@ -37,8 +38,8 @@
char **fetch_pam_environment(void);
void free_pam_environment(char **env);
int do_pam_authenticate(int flags);
-int do_pam_account(char *username, char *remote_user);
-void do_pam_session(char *username, const char *ttyname);
+int do_pam_account(const char *username, const char *remote_user);
+void do_pam_session(const char *username, const char *ttyname);
void do_pam_setcred(int init);
void print_pam_messages(void);
int is_pam_password_change_required(void);


@ -1,6 +1,6 @@
--- auth.c.orig Tue Mar 5 02:42:43 2002
+++ auth.c Sun Mar 17 20:53:15 2002
@@ -193,6 +193,17 @@
--- auth.c.orig Tue Sep 2 23:32:46 2003
+++ auth.c Tue Sep 16 20:05:44 2003
@@ -259,6 +259,17 @@
}
#endif /* WITH_AIXAUTHENTICATE */
@ -18,8 +18,8 @@
/* We found no reason not to let this user try to log on... */
return 1;
}
@@ -490,7 +480,7 @@
if (pw == NULL || !allowed_user(pw))
@@ -531,7 +542,7 @@
if (!allowed_user(pw))
return (NULL);
#ifdef HAVE_LOGIN_CAP
- if ((lc = login_getclass(pw->pw_class)) == NULL) {


@ -1,5 +1,5 @@
--- auth1.c.orig Fri Jun 21 08:21:11 2002
+++ auth1.c Fri Jun 28 06:57:42 2002
--- auth1.c.orig Tue Sep 2 23:32:46 2003
+++ auth1.c Tue Sep 16 20:05:44 2003
@@ -26,6 +26,7 @@
#include "session.h"
#include "uidswap.h"
@ -8,9 +8,9 @@
/* import */
extern ServerOptions options;
@@ -75,6 +76,18 @@
@@ -71,6 +72,18 @@
u_int ulen;
int type = 0;
int prev, type = 0;
struct passwd *pw = authctxt->pw;
+#ifdef HAVE_LOGIN_CAP
+ login_cap_t *lc;
@ -21,14 +21,14 @@
+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+ const char *from_host, *from_ip;
+
+ from_host = get_canonical_hostname(options.verify_reverse_mapping);
+ from_host = get_canonical_hostname(options.use_dns);
+ from_ip = get_remote_ipaddr();
+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
debug("Attempting authentication for %s%.100s.",
authctxt->valid ? "" : "illegal user ", authctxt->user);
@@ -282,6 +295,34 @@
log("Unknown message during authentication: type %d", type);
@@ -214,6 +227,34 @@
logit("Unknown message during authentication: type %d", type);
break;
}
+
@ -38,12 +38,12 @@
+ if (lc == NULL)
+ lc = login_getclassbyname(NULL, pw);
+ if (!auth_hostok(lc, from_host, from_ip)) {
+ log("Denied connection for %.200s from %.200s [%.200s].",
+ logit("Denied connection for %.200s from %.200s [%.200s].",
+ pw->pw_name, from_host, from_ip);
+ packet_disconnect("Sorry, you are not allowed to connect.");
+ }
+ if (!auth_timeok(lc, time(NULL))) {
+ log("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+ pw->pw_name, from_host);
+ packet_disconnect("Logins not available right now.");
+ }
@ -53,7 +53,7 @@
+#endif /* HAVE_LOGIN_CAP */
+#ifdef LOGIN_ACCESS
+ if (pw != NULL && !login_access(pw->pw_name, from_host)) {
+ log("Denied connection for %.200s from %.200s [%.200s].",
+ logit("Denied connection for %.200s from %.200s [%.200s].",
+ pw->pw_name, from_host, from_ip);
+ packet_disconnect("Sorry, you are not allowed to connect.");
+ }
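Review bot: The login.conf and login.access checks in this hunk (`auth_hostok(lc, from_host, from_ip)` and `login_access(pw->pw_name, from_host)`) key on `from_host`, which now follows `options.use_dns` instead of `options.verify_reverse_mapping`; with `UseDNS no`, `get_canonical_hostname()` presumably yields the client address string rather than a name, so hostname-based entries in login.conf and login.access would silently stop matching under that configuration. A comment at the assignment would make the dependency explicit, e.g. `/* with UseDNS no this is the address string, so name-based login.conf/login.access rules will not match */`. The same point applies to the matching hunk in the auth2.c section below. The enclosing function begins and ends outside the hunk.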


@ -1,48 +0,0 @@
--- auth2-chall.c.orig Wed Jun 26 15:58:40 2002
+++ auth2-chall.c Sun Jun 30 07:12:43 2002
@@ -41,6 +42,9 @@
#ifdef BSD_AUTH
extern KbdintDevice bsdauth_device;
#else
+#ifdef USE_PAM
+extern KbdintDevice pam_device;
+#endif
#ifdef SKEY
extern KbdintDevice skey_device;
#endif
@@ -50,6 +54,9 @@
#ifdef BSD_AUTH
&bsdauth_device,
#else
+#ifdef USE_PAM
+ &pam_device,
+#endif
#ifdef SKEY
&skey_device,
#endif
@@ -323,15 +330,22 @@
#ifdef BSD_AUTH
extern KbdintDevice mm_bsdauth_device;
#endif
+#ifdef USE_PAM
+ extern KbdintDevice mm_pam_device;
+#endif
#ifdef SKEY
extern KbdintDevice mm_skey_device;
#endif
- /* As long as SSHv1 has devices[0] hard coded this is fine */
+ int n = 0;
+
#ifdef BSD_AUTH
- devices[0] = &mm_bsdauth_device;
+ devices[n++] = &mm_bsdauth_device;
#else
+#ifdef USE_PAM
+ devices[n++] = &mm_pam_device;
+#endif
#ifdef SKEY
- devices[0] = &mm_skey_device;
+ devices[n++] = &mm_skey_device;
#endif
#endif
}


@ -1,14 +1,14 @@
--- auth2.c.orig Fri Jun 21 08:21:11 2002
+++ auth2.c Fri Jun 28 06:57:56 2002
--- auth2.c.orig Tue Sep 2 23:32:46 2003
+++ auth2.c Tue Sep 16 20:05:44 2003
@@ -35,6 +35,7 @@
#include "dispatch.h"
#include "pathnames.h"
#include "monitor_wrap.h"
+#include "canohost.h"
/* import */
extern ServerOptions options;
@@ -137,6 +138,15 @@
#ifdef GSSAPI
#include "ssh-gss.h"
@@ -143,6 +144,15 @@
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
int authenticated = 0;
@ -18,13 +18,13 @@
+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+ const char *from_host, *from_ip;
+
+ from_host = get_canonical_hostname(options.verify_reverse_mapping);
+ from_host = get_canonical_hostname(options.use_dns);
+ from_ip = get_remote_ipaddr();
+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
@@ -178,6 +188,41 @@
@@ -187,6 +197,41 @@
"(%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
@ -35,12 +35,12 @@
+ if (lc == NULL)
+ lc = login_getclassbyname(NULL, authctxt->pw);
+ if (!auth_hostok(lc, from_host, from_ip)) {
+ log("Denied connection for %.200s from %.200s [%.200s].",
+ logit("Denied connection for %.200s from %.200s [%.200s].",
+ authctxt->pw->pw_name, from_host, from_ip);
+ packet_disconnect("Sorry, you are not allowed to connect.");
+ }
+ if (!auth_timeok(lc, time(NULL))) {
+ log("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+ authctxt->pw->pw_name, from_host);
+ packet_disconnect("Logins not available right now.");
+ }
@ -51,7 +51,7 @@
+#ifdef LOGIN_ACCESS
+ if (authctxt->pw != NULL &&
+ !login_access(authctxt->pw->pw_name, from_host)) {
+ log("Denied connection for %.200s from %.200s [%.200s].",
+ logit("Denied connection for %.200s from %.200s [%.200s].",
+ authctxt->pw->pw_name, from_host, from_ip);
+ packet_disconnect("Sorry, you are not allowed to connect.");
+ }
@ -65,4 +65,4 @@
+
/* reset state */
auth2_challenge_stop(authctxt);
authctxt->postponed = 0;


@ -1,111 +0,0 @@
Subject: OpenSSH Security Advisory: buffer.adv
This is the 2nd revision of the Advisory.
This document can be found at: http://www.openssh.com/txt/buffer.adv
1. Versions affected:
All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
management errors. It is uncertain whether these errors are
potentially exploitable, however, we prefer to see bugs
fixed proactively.
Other implementations sharing common origin may also have
these issues.
2. Solution:
Upgrade to OpenSSH 3.7.1 or apply the following patch.
===================================================================
Appendix A: patch for OpenSSH 3.6.1 and earlier
Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.16
retrieving revision 1.18
diff -u -r1.16 -r1.18
--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16
+++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18
@@ -23,8 +23,11 @@
void
buffer_init(Buffer *buffer)
{
- buffer->alloc = 4096;
- buffer->buf = xmalloc(buffer->alloc);
+ const u_int len = 4096;
+
+ buffer->alloc = 0;
+ buffer->buf = xmalloc(len);
+ buffer->alloc = len;
buffer->offset = 0;
buffer->end = 0;
}
@@ -34,8 +37,11 @@
void
buffer_free(Buffer *buffer)
{
- memset(buffer->buf, 0, buffer->alloc);
- xfree(buffer->buf);
+ if (buffer->alloc > 0) {
+ memset(buffer->buf, 0, buffer->alloc);
+ buffer->alloc = 0;
+ xfree(buffer->buf);
+ }
}
/*
@@ -69,6 +75,7 @@
void *
buffer_append_space(Buffer *buffer, u_int len)
{
+ u_int newlen;
void *p;
if (len > 0x100000)
@@ -98,11 +105,13 @@
goto restart;
}
/* Increase the size of the buffer and retry. */
- buffer->alloc += len + 32768;
- if (buffer->alloc > 0xa00000)
+
+ newlen = buffer->alloc + len + 32768;
+ if (newlen > 0xa00000)
fatal("buffer_append_space: alloc %u not supported",
- buffer->alloc);
- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+ newlen);
+ buffer->buf = xrealloc(buffer->buf, newlen);
+ buffer->alloc = newlen;
goto restart;
/* NOTREACHED */
}
Index: channels.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.194
retrieving revision 1.195
diff -u -r1.194 -r1.195
--- channels.c 29 Aug 2003 10:04:36 -0000 1.194
+++ channels.c 16 Sep 2003 21:02:40 -0000 1.195
@@ -228,12 +228,13 @@
if (found == -1) {
/* There are no free slots. Take last+1 slot and expand the array. */
found = channels_alloc;
- channels_alloc += 10;
if (channels_alloc > 10000)
fatal("channel_new: internal error: channels_alloc %d "
"too big.", channels_alloc);
+ channels = xrealloc(channels,
+ (channels_alloc + 10) * sizeof(Channel *));
+ channels_alloc += 10;
debug2("channel: expanding %d", channels_alloc);
- channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
for (i = found; i < channels_alloc; i++)
channels[i] = NULL;
}


@ -1,17 +0,0 @@
--- deattack.c Tue Mar 5 01:53:05 2002
+++ deattack.c Wed Sep 17 00:18:30 2003
@@ -100,12 +100,12 @@ detect_attack(u_char *buf, u_int32_t len
if (h == NULL) {
debug("Installing crc compensation attack detector.");
+ h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
n = l;
- h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
} else {
if (l > n) {
+ h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);
n = l;
- h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
}
}


@ -1,28 +0,0 @@
--- misc.c Mon Dec 23 02:44:36 2002
+++ misc.c Wed Sep 17 00:50:27 2003
@@ -308,18 +308,21 @@ addargs(arglist *args, char *fmt, ...)
{
va_list ap;
char buf[1024];
+ int nalloc;
va_start(ap, fmt);
vsnprintf(buf, sizeof(buf), fmt, ap);
va_end(ap);
+ nalloc = args->nalloc;
if (args->list == NULL) {
- args->nalloc = 32;
+ nalloc = 32;
args->num = 0;
- } else if (args->num+2 >= args->nalloc)
- args->nalloc *= 2;
+ } else if (args->num+2 >= nalloc)
+ nalloc *= 2;
- args->list = xrealloc(args->list, args->nalloc * sizeof(char *));
+ args->list = xrealloc(args->list, nalloc * sizeof(char *));
+ args->nalloc = nalloc;
args->list[args->num++] = xstrdup(buf);
args->list[args->num] = NULL;
}


@ -1,137 +0,0 @@
--- monitor.c.orig Wed Jun 26 15:27:11 2002
+++ monitor.c Mon Jul 15 21:33:45 2002
@@ -118,6 +118,10 @@
#ifdef USE_PAM
int mm_answer_pam_start(int, Buffer *);
+int mm_answer_pam_init_ctx(int, Buffer *);
+int mm_answer_pam_query(int, Buffer *);
+int mm_answer_pam_respond(int, Buffer *);
+int mm_answer_pam_free_ctx(int, Buffer *);
#endif
static Authctxt *authctxt;
@@ -156,6 +160,10 @@
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
+ {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
+ {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
+ {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
+ {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
#endif
#ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -198,6 +206,10 @@
#endif
#ifdef USE_PAM
{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
+ {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
+ {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
+ {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
+ {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
#endif
{0, 0, NULL}
};
@@ -732,6 +744,101 @@
xfree(user);
return (0);
+}
+
+static void *pam_ctxt, *pam_authok;
+extern KbdintDevice pam_device;
+
+int
+mm_answer_pam_init_ctx(int socket, Buffer *m)
+{
+
+ debug3("%s", __func__);
+ authctxt->user = buffer_get_string(m, NULL);
+ pam_ctxt = (pam_device.init_ctx)(authctxt);
+ pam_authok = NULL;
+ buffer_clear(m);
+ if (pam_ctxt != NULL) {
+ monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1);
+ buffer_put_int(m, 1);
+ } else {
+ buffer_put_int(m, 0);
+ }
+ mm_request_send(socket, MONITOR_ANS_PAM_INIT_CTX, m);
+ return (0);
+}
+
+int
+mm_answer_pam_query(int socket, Buffer *m)
+{
+ char *name, *info, **prompts;
+ u_int num, *echo_on;
+ int i, ret;
+
+ debug3("%s", __func__);
+ pam_authok = NULL;
+ ret = (pam_device.query)(pam_ctxt, &name, &info, &num, &prompts, &echo_on);
+ if (num > 1 || name == NULL || info == NULL)
+ ret = -1;
+ buffer_clear(m);
+ buffer_put_int(m, ret);
+ buffer_put_cstring(m, name);
+ xfree(name);
+ buffer_put_cstring(m, info);
+ xfree(info);
+ buffer_put_int(m, num);
+ for (i = 0; i < num; ++i) {
+ buffer_put_cstring(m, prompts[i]);
+ xfree(prompts[i]);
+ buffer_put_int(m, echo_on[i]);
+ }
+ if (prompts != NULL)
+ xfree(prompts);
+ if (echo_on != NULL)
+ xfree(echo_on);
+ mm_request_send(socket, MONITOR_ANS_PAM_QUERY, m);
+ return (0);
+}
+
+int
+mm_answer_pam_respond(int socket, Buffer *m)
+{
+ char **resp;
+ u_int num;
+ int i, ret;
+
+ debug3("%s", __func__);
+ pam_authok = NULL;
+ num = buffer_get_int(m);
+ if (num > 0) {
+ resp = xmalloc(num * sizeof(char *));
+ for (i = 0; i < num; ++i)
+ resp[i] = buffer_get_string(m, NULL);
+ ret = (pam_device.respond)(pam_ctxt, num, resp);
+ for (i = 0; i < num; ++i)
+ xfree(resp[i]);
+ xfree(resp);
+ } else {
+ ret = (pam_device.respond)(pam_ctxt, num, NULL);
+ }
+ buffer_clear(m);
+ buffer_put_int(m, ret);
+ mm_request_send(socket, MONITOR_ANS_PAM_RESPOND, m);
+ auth_method = "keyboard-interactive/pam";
+ if (ret == 0)
+ pam_authok = pam_ctxt;
+ return (0);
+}
+
+int
+mm_answer_pam_free_ctx(int socket, Buffer *m)
+{
+
+ debug3("%s", __func__);
+ (pam_device.free_ctx)(pam_ctxt);
+ buffer_clear(m);
+ mm_request_send(socket, MONITOR_ANS_PAM_FREE_CTX, m);
+ return (pam_authok == pam_ctxt);
}
#endif


@ -1,13 +0,0 @@
--- monitor.h.orig Tue Jun 11 18:42:49 2002
+++ monitor.h Sun Jun 30 07:13:09 2002
@@ -50,6 +51,10 @@
MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
MONITOR_REQ_PAM_START,
+ MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
+ MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY,
+ MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
+ MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
MONITOR_REQ_TERM
};


@ -1,95 +1,6 @@
--- monitor_wrap.c.orig Fri Jun 21 02:43:43 2002
+++ monitor_wrap.c Sun Jun 30 07:13:18 2002
@@ -664,6 +665,88 @@
buffer_free(&m);
}
+
+void *
+mm_pam_init_ctx(Authctxt *authctxt)
+{
+ Buffer m;
+ int success;
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+ buffer_put_cstring(&m, authctxt->user);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
+ success = buffer_get_int(&m);
+ if (success == 0) {
+ debug3("%s: pam_init_ctx failed", __func__);
+ buffer_free(&m);
+ return (NULL);
+ }
+ buffer_free(&m);
+ return (authctxt);
+}
+
+int
+mm_pam_query(void *ctx, char **name, char **info,
+ u_int *num, char ***prompts, u_int **echo_on)
+{
+ Buffer m;
+ int i, ret;
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_QUERY, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_QUERY", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_QUERY, &m);
+ ret = buffer_get_int(&m);
+ debug3("%s: pam_query returned %d", __func__, ret);
+ *name = buffer_get_string(&m, NULL);
+ *info = buffer_get_string(&m, NULL);
+ *num = buffer_get_int(&m);
+ *prompts = xmalloc((*num + 1) * sizeof(char *));
+ *echo_on = xmalloc((*num + 1) * sizeof(u_int));
+ for (i = 0; i < *num; ++i) {
+ (*prompts)[i] = buffer_get_string(&m, NULL);
+ (*echo_on)[i] = buffer_get_int(&m);
+ }
+ buffer_free(&m);
+ return (ret);
+}
+
+int
+mm_pam_respond(void *ctx, u_int num, char **resp)
+{
+ Buffer m;
+ int i, ret;
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+ buffer_put_int(&m, num);
+ for (i = 0; i < num; ++i)
+ buffer_put_cstring(&m, resp[i]);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_RESPOND, &m);
+ ret = buffer_get_int(&m);
+ debug3("%s: pam_respond returned %d", __func__, ret);
+ buffer_free(&m);
+ return (ret);
+}
+
+void
+mm_pam_free_ctx(void *ctxtp)
+{
+ Buffer m;
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_FREE_CTX, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_FREE_CTX", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_FREE_CTX, &m);
+ buffer_free(&m);
+}
#endif /* USE_PAM */
/* Request process termination */
@@ -767,6 +850,7 @@
--- monitor_wrap.c.orig Tue Sep 2 14:51:17 2003
+++ monitor_wrap.c Tue Sep 16 20:05:44 2003
@@ -894,6 +894,7 @@
return ((authok == 0) ? -1 : 0);
}
@ -97,7 +8,7 @@
int
mm_skey_query(void *ctx, char **name, char **infotxt,
u_int *numprompts, char ***prompts, u_int **echo_on)
@@ -829,6 +913,7 @@
@@ -957,6 +958,7 @@
return ((authok == 0) ? -1 : 0);
}


@ -1,13 +0,0 @@
--- monitor_wrap.h.orig Mon May 13 03:07:42 2002
+++ monitor_wrap.h Sun Jun 30 07:13:18 2002
@@ -57,6 +58,10 @@
#ifdef USE_PAM
void mm_start_pam(char *);
+void *mm_pam_init_ctx(struct Authctxt *);
+int mm_pam_query(void *, char **, char **, u_int *, char ***, u_int **);
+int mm_pam_respond(void *, u_int, char **);
+void mm_pam_free_ctx(void *);
#endif
void mm_terminate(void);


@ -1,19 +0,0 @@
--- regress/Makefile.orig Wed Jan 22 07:53:17 2003
+++ regress/Makefile Tue Apr 1 05:28:43 2003
@@ -1,6 +1,6 @@
# $OpenBSD: Makefile,v 1.20 2003/01/08 23:54:22 djm Exp $
-REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7
+REGRESSTARGETS= t1 t2 t3 t4 t5 t6 t7
CLEANFILES+= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2
@@ -71,7 +71,7 @@
ssh-keygen -Bf t7.out > /dev/null
.for t in ${LTESTS}
-REGRESS_TARGETS+=t-${t}
+REGRESSTARGETS+=t-${t}
t-${t}:
sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/${t}.sh
.endfor


@ -1,9 +1,9 @@
--- regress/test-exec.sh.orig Wed May 1 05:17:35 2002
+++ regress/test-exec.sh Tue Apr 1 06:03:11 2003
@@ -130,6 +130,8 @@
PidFile $PIDFILE
--- regress/test-exec.sh.orig Fri Sep 12 07:32:17 2003
+++ regress/test-exec.sh Tue Sep 16 19:56:13 2003
@@ -163,6 +163,8 @@
AuthorizedKeysFile $OBJ/authorized_keys_%u
LogLevel QUIET
StrictModes no
+ PermitRootLogin yes
+ UsePrivilegeSeparation no
EOF
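Review bot: The two regress-only settings `PermitRootLogin yes` and `UsePrivilegeSeparation no` added to the generated sshd_config carry no explanation, and both relax protections a later reader might otherwise assume are required; a comment line in the heredoc, e.g. `# regress harness only: these two settings are not for a production sshd_config`, would make their scope clear. Whether both are needed by the current regress tests is not visible from this hunk.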


@ -1,7 +1,7 @@
--- session.c.orig Thu Mar 20 19:18:09 2003
+++ session.c Wed Sep 17 11:05:26 2003
@@ -64,6 +64,11 @@
#define is_winnt (GetVersion() < 0x80000000)
--- session.c.orig Tue Sep 23 10:59:08 2003
+++ session.c Tue Sep 23 17:29:31 2003
@@ -62,6 +62,11 @@
#include "ssh-gss.h"
#endif
+#ifdef __FreeBSD__
@ -12,7 +12,7 @@
/* func */
Session *session_new(void);
@@ -471,6 +476,13 @@
@@ -411,6 +416,13 @@
log_init(__progname, options.log_level, options.log_facility, log_stderr);
/*
@ -26,7 +26,7 @@
* Create a new session and process group since the 4.4BSD
* setlogin() affects the entire process group.
*/
@@ -576,6 +588,9 @@
@@ -516,6 +528,9 @@
{
int fdout, ptyfd, ttyfd, ptymaster;
pid_t pid;
@ -36,25 +36,7 @@
if (s == NULL)
fatal("do_exec_pty: no session");
@@ -583,7 +598,16 @@
ttyfd = s->ttyfd;
#if defined(USE_PAM)
- do_pam_session(s->pw->pw_name, s->tty);
+ /* check if we have a pathname in the ttyname */
+ shorttty = rindex( s->tty, '/' );
+ if (shorttty != NULL ) {
+ /* use only the short filename to check */
+ shorttty ++;
+ } else {
+ /* nothing found, use the whole name found */
+ shorttty = s->tty;
+ }
+ do_pam_session(s->pw->pw_name, shorttty);
do_pam_setcred(1);
#endif
@@ -593,6 +617,14 @@
@@ -535,6 +550,14 @@
/* Child. Reinitialize the log because the pid has changed. */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
@ -69,7 +51,7 @@
/* Close the master side of the pseudo tty. */
close(ptyfd);
@@ -726,6 +758,18 @@
@@ -676,6 +699,18 @@
struct sockaddr_storage from;
struct passwd * pw = s->pw;
pid_t pid = getpid();
@ -88,7 +70,7 @@
/*
* Get IP address of client. If the connection is not a socket, let
@@ -759,6 +803,72 @@
@@ -710,6 +745,72 @@
}
#endif
@ -107,7 +89,7 @@
+ if (tv.tv_sec >= pw->pw_change) {
+ (void)printf(
+ "Sorry -- your password has expired.\n");
+ log("%s Password expired - forcing change",
+ logit("%s Password expired - forcing change",
+ pw->pw_name);
+ if (newcommand != NULL)
+ xfree(newcommand);
@ -124,10 +106,10 @@
+ if (tv.tv_sec >= pw->pw_expire) {
+ (void)printf(
+ "Sorry -- your account has expired.\n");
+ log(
+ logit(
+ "LOGIN %.200s REFUSED (EXPIRED) FROM %.200s ON TTY %.200s",
+ pw->pw_name, get_remote_name_or_ip(utmp_len,
+ options.verify_reverse_mapping), s->tty);
+ options.use_dns), s->tty);
+ exit(254);
+ } else if (pw->pw_expire - tv.tv_sec < warntime &&
+ !check_quietlogin(s, command))
@ -150,10 +132,10 @@
+ }
+ if (!auth_ttyok(lc, shorttty)) {
+ (void)printf("Permission denied.\n");
+ log(
+ logit(
+ "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
+ pw->pw_name, get_remote_name_or_ip(utmp_len,
+ options.verify_reverse_mapping), s->tty);
+ options.use_dns), s->tty);
+ exit(254);
+ }
+#endif /* HAVE_LOGIN_CAP */
@ -161,8 +143,8 @@
if (check_quietlogin(s, command))
return;
@@ -772,7 +882,17 @@
#endif /* WITH_AIXAUTHENTICATE */
@@ -726,7 +827,17 @@
buffer_free(&loginmsg);
#ifndef NO_SSH_LASTLOG
- if (options.print_lastlog && s->last_login_time != 0) {
@ -180,7 +162,7 @@
time_string = ctime(&s->last_login_time);
if (strchr(time_string, '\n'))
*strchr(time_string, '\n') = 0;
@@ -784,7 +904,30 @@
@@ -738,7 +849,30 @@
}
#endif /* NO_SSH_LASTLOG */
@ -212,7 +194,7 @@
}
/*
@@ -800,9 +943,9 @@
@@ -754,9 +888,9 @@
#ifdef HAVE_LOGIN_CAP
f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
"/etc/motd"), "r");
@ -224,7 +206,7 @@
if (f) {
while (fgets(buf, sizeof(buf), f))
fputs(buf, stdout);
@@ -829,10 +972,10 @@
@@ -783,10 +917,10 @@
#ifdef HAVE_LOGIN_CAP
if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0)
return 1;
@ -237,38 +219,10 @@
return 0;
}
@@ -844,7 +987,7 @@
child_set_env(char ***envp, u_int *envsizep, const char *name,
const char *value)
{
- u_int i, namelen;
+ u_int i, namelen, envsize;
char **env;
/*
@@ -862,12 +1005,14 @@
xfree(env[i]);
} else {
/* New variable. Expand if necessary. */
- if (i >= (*envsizep) - 1) {
- if (*envsizep >= 1000)
+ envsize = *envsizep;
+ if (i >= envsize - 1) {
+ if (envsize >= 1000)
fatal("child_set_env: too many env vars,"
" skipping: %.100s", name);
- (*envsizep) += 50;
- env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
+ envsize += 50;
+ env = (*envp) = xrealloc(env, envsize * sizeof(char *));
+ *envsizep = envsize;
}
/* Need to set the NULL pointer at end of array beyond the new slot. */
env[i + 1] = NULL;
@@ -952,6 +1097,10 @@
@@ -973,6 +1107,10 @@
char buf[256];
u_int i, envsize;
char **env, *laddr;
char **env, *laddr, *path = NULL;
+#ifdef HAVE_LOGIN_CAP
+ extern char **environ;
+ char **senv, **var;
@ -276,7 +230,7 @@
struct passwd *pw = s->pw;
/* Initialize the environment. */
@@ -959,6 +1108,9 @@
@@ -980,6 +1118,9 @@
env = xmalloc(envsize * sizeof(char *));
env[0] = NULL;
@ -286,7 +240,7 @@
#ifdef HAVE_CYGWIN
/*
* The Windows environment contains some setting which are
@@ -1003,9 +1155,21 @@
@@ -1034,9 +1175,21 @@
/* Normal systems set SHELL by default. */
child_set_env(&env, &envsize, "SHELL", shell);
@ -310,7 +264,7 @@
/* Set custom environment options from RSA authentication. */
if (!options.use_login) {
@@ -1219,7 +1383,7 @@
@@ -1245,7 +1398,7 @@
setpgid(0, 0);
# endif
if (setusercontext(lc, pw, pw->pw_uid,
@ -319,7 +273,25 @@
perror("unable to set user context");
exit(1);
}
@@ -1382,7 +1546,7 @@
@@ -1275,7 +1428,16 @@
* Reestablish them here.
*/
if (options.use_pam) {
- do_pam_session();
+ /* check if we have a pathname in the ttyname */
+ shorttty = rindex( s->tty, '/' );
+ if (shorttty != NULL ) {
+ /* use only the short filename to check */
+ shorttty ++;
+ } else {
+ /* nothing found, use the whole name found */
+ shorttty = s->tty;
+ }
+ do_pam_session(s->pw->pw_name, shorttty);
do_pam_setcred(0);
}
# endif /* USE_PAM */
@@ -1411,7 +1573,7 @@
* initgroups, because at least on Solaris 2.3 it leaves file
* descriptors open.
*/
@ -328,7 +300,7 @@
close(i);
/*
@@ -1412,6 +1576,31 @@
@@ -1429,6 +1591,31 @@
exit(1);
#endif
}
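Review bot: The `shorttty` block in the hunk at `@@ -1275,7 +1428,16 @@` uses the legacy BSD name `rindex( s->tty, '/' )` with spacing and a `shorttty ++` that depart from the surrounding OpenSSH style; the standard equivalent is `shorttty = strrchr(s->tty, '/');` followed by `shorttty++;`. The replacement call `do_pam_session(s->pw->pw_name, shorttty);` takes two arguments where the removed 3.7.1p2 line is the zero-argument `do_pam_session();`, so it relies on the port's auth-pam.c patch supplying a matching prototype — that patch is not visible in this section and is worth cross-checking before the port is built. The enclosing function starts and ends outside the hunk.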


@ -1,44 +0,0 @@
--- ssh-agent.c Sat Mar 15 00:37:09 2003
+++ ssh-agent.c Wed Sep 17 00:42:15 2003
@@ -767,7 +767,7 @@ process_message(SocketEntry *e)
static void
new_socket(sock_type type, int fd)
{
- u_int i, old_alloc;
+ u_int i, old_alloc, new_alloc;
if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
error("fcntl O_NONBLOCK: %s", strerror(errno));
@@ -778,25 +778,26 @@ new_socket(sock_type type, int fd)
for (i = 0; i < sockets_alloc; i++)
if (sockets[i].type == AUTH_UNUSED) {
sockets[i].fd = fd;
- sockets[i].type = type;
buffer_init(&sockets[i].input);
buffer_init(&sockets[i].output);
buffer_init(&sockets[i].request);
+ sockets[i].type = type;
return;
}
old_alloc = sockets_alloc;
- sockets_alloc += 10;
+ new_alloc = sockets_alloc + 10;
if (sockets)
- sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
+ sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
else
- sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
- for (i = old_alloc; i < sockets_alloc; i++)
+ sockets = xmalloc(new_alloc * sizeof(sockets[0]));
+ for (i = old_alloc; i < new_alloc; i++)
sockets[i].type = AUTH_UNUSED;
- sockets[old_alloc].type = type;
+ sockets_alloc = new_alloc;
sockets[old_alloc].fd = fd;
buffer_init(&sockets[old_alloc].input);
buffer_init(&sockets[old_alloc].output);
buffer_init(&sockets[old_alloc].request);
+ sockets[old_alloc].type = type;
}
static int


@ -1,14 +1,14 @@
--- sshd_config.orig Fri Jun 21 03:11:36 2002
+++ sshd_config Wed Jul 3 06:20:47 2002
--- sshd_config.orig Tue Sep 2 14:51:18 2003
+++ sshd_config Tue Sep 16 20:05:44 2003
@@ -34,6 +34,7 @@
#LoginGraceTime 600
#LoginGraceTime 2m
#PermitRootLogin yes
+PermitRootLogin no
#StrictModes yes
#RSAAuthentication yes
@@ -58,6 +59,7 @@
@@ -56,6 +57,7 @@
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes


@ -1,11 +0,0 @@
--- regress/stderr-after-eof.sh.orig Wed May 1 05:17:35 2002
+++ regress/stderr-after-eof.sh Fri Jul 19 07:22:18 2002
@@ -7,7 +7,7 @@
DATA=${OBJ}/data
COPY=${OBJ}/copy
-MD5=md5sum
+MD5=md5
# setup data
rm -f ${DATA} ${COPY}