
- Update to 5.2p1

- Assign maintainership to the submitter

PR:		ports/134160
Submitted by:	Denis Barov <dindin@dindin.ru>
This commit is contained in:
Pav Lucistnik 2009-05-15 11:00:27 +00:00
parent 7391bca721
commit 73a15551c8
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=233924
7 changed files with 2740 additions and 258 deletions


@ -6,7 +6,7 @@
#
PORTNAME= openssh
DISTVERSION= 5.1p1
DISTVERSION= 5.2p1
PORTEPOCH= 1
CATEGORIES= security ipv6
.if defined(OPENSSH_SNAPSHOT)
@ -18,7 +18,7 @@ MASTER_SITE_SUBDIR= OpenSSH/portable
PKGNAMESUFFIX= ${PORTABLE_SUFFIX}${GSSAPI_SUFFIX}${BASE_SUFFIX}
DISTNAME= # empty
MAINTAINER= ports@FreeBSD.org
MAINTAINER= dindin@dindin.ru
COMMENT= The portable version of OpenBSD's OpenSSH
.if defined(OPENSSH_SNAPSHOT)
@ -72,7 +72,10 @@ OPTIONS= PAM "Enable pam(3) support" on \
BROKEN= does not compile
.endif
# Preserve deprecated OPENSSH_OVERWRITE_BASE settings
.if defined(WITH_X509) && ( defined(WITH_HPN) || defined(WITH_LPK))
BROKEN= X509 patch incompatible with HPN and LPK patches
.endif
.if defined(OPENSSH_OVERWRITE_BASE)
WITH_OVERWRITE_BASE= yes
.endif
@ -96,6 +99,7 @@ CONFIGURE_ARGS+= --disable-suid-ssh
.if !defined(WITHOUT_KERBEROS)
.if defined(KRB5_HOME) && exists(${KRB5_HOME}) || defined(WITH_GSSAPI)
.if defined(WITH_KERB_GSSAPI)
BROKEN= KERB_GSSAPI patch incompatible with ${PORTNAME}-5.2p1
PATCH_DIST_STRIP= -p0
PATCH_SITES+= http://www.sxw.org.uk/computing/patches/
PATCHFILES+= openssh-5.0p1-gsskex-20080404.patch
@ -136,19 +140,13 @@ CONFIGURE_ARGS+= --with-opensc=${LOCALBASE}
EXTRA_PATCHES+= ${FILESDIR}/scardpin.patch
.endif
.if defined(WITH_HPN) && defined(WITH_LPK)
BROKEN= HPN and LPK patches are incompatible
.endif
.if defined(WITH_HPN)
PATCH_DIST_STRIP= -p1
PATCH_SITES+= http://www.psc.edu/networking/projects/hpn-ssh/
PATCHFILES+= openssh-5.1p1-hpn13v5.diff.gz
EXTRA_PATCHES+= ${FILESDIR}/openssh-5.2p1-hpn.patch
.endif
# See http://dev.inversepath.com/trac/openssh-lpk
.if defined(WITH_LPK)
EXTRA_PATCHES= ${FILESDIR}/openssh-lpk-5.0p1-0.3.9.patch
EXTRA_PATCHES+= ${FILESDIR}/openssh-lpk-5.0p1-0.3.9.patch
.if ${ARCH} == "amd64"
EXTRA_PATCHES+= ${FILESDIR}/openssh-lpk-5.0p1-64bit.patch
.endif
@ -158,11 +156,21 @@ CONFIGURE_ARGS+= --with-libs='-lldap' --with-ldflags='-L${LOCALBASE}/lib' \
--with-cppflags='-I${LOCALBASE}/include -DWITH_LDAP_PUBKEY'
.endif
# resolve some patches incompatibility between LPK and HPN patches
.if defined(WITH_HPN) && defined(WITH_LPK)
EXTRA_PATCHES+= ${FILESDIR}/openssh-lpk+hpn-servconf.patch
.elif defined(WITH_HPN) && !defined(WITH_LPK)
EXTRA_PATCHES+= ${FILESDIR}/openssh-5.2p1-hpn-servconf.patch
.elif defined(WITH_LPK) && !defined(WITH_HPN)
EXTRA_PATCHES+= ${FILESDIR}/openssh-lpk-5.0p1-0.3.9-servconv.patch
.endif
# See http://www.roumenpetrov.info/openssh/
.if defined(WITH_X509)
PATCH_DIST_STRIP= -p1
PATCH_SITES+= http://www.roumenpetrov.info/openssh/x509-6.1.1/
PATCHFILES+= openssh-5.1p1+x509-6.1.1.diff.gz
PATCH_SITES+= http://www.roumenpetrov.info/openssh/x509-6.2/
PATCHFILES+= openssh-5.2p1+x509-6.2.diff.gz
.endif
.if defined(WITH_OVERWRITE_BASE)
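Review bot: The BROKEN message in the KERB_GSSAPI branch hard-codes the release, `BROKEN= KERB_GSSAPI patch incompatible with ${PORTNAME}-5.2p1`, so it goes stale on the next update; `BROKEN= KERB_GSSAPI patch incompatible with ${PORTNAME}-${DISTVERSION}` says the same thing and tracks DISTVERSION. As far as this hunk shows, the `PATCH_DIST_STRIP`/`PATCH_SITES`/`PATCHFILES` lines for the 5.0p1 gsskex patch still follow inside the same `.if` block, so the stale patch stays in the fetch list even though the option is marked BROKEN; guarding them with `.else` (or dropping them until a 5.2p1 patch exists) would make the BROKEN state self-contained. In the new servconf-patch selection, the `!defined(WITH_LPK)` and `!defined(WITH_HPN)` terms on the `.elif` branches are redundant because the first branch already takes the both-defined case; `.elif defined(WITH_HPN)` and `.elif defined(WITH_LPK)` read the same. The KERB_GSSAPI `.if` block closes outside the hunk.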


@ -1,9 +1,6 @@
MD5 (openssh-5.1p1.tar.gz) = 03f2d0c1b5ec60d4ac9997a146d2faec
SHA256 (openssh-5.1p1.tar.gz) = f05358164dae1021386ae57be53a5e9f5cba7a1f8c9beaa428299e28a5666d75
SIZE (openssh-5.1p1.tar.gz) = 1040041
MD5 (openssh-5.1p1-hpn13v5.diff.gz) = 614f2cc34817bb9460e3b700be21b94b
SHA256 (openssh-5.1p1-hpn13v5.diff.gz) = 81bebd71fb0aa8a265c0576aa3c42c0fdf263712db771f12d35c8aff09523aab
SIZE (openssh-5.1p1-hpn13v5.diff.gz) = 23017
MD5 (openssh-5.1p1+x509-6.1.1.diff.gz) = 9be4b5f1104e51333199423802e97fe7
SHA256 (openssh-5.1p1+x509-6.1.1.diff.gz) = 2821d8fe003337569d6551fd26a387f53b4adc9b59f2b0131659936e11966eb3
SIZE (openssh-5.1p1+x509-6.1.1.diff.gz) = 152642
MD5 (openssh-5.2p1.tar.gz) = ada79c7328a8551bdf55c95e631e7dad
SHA256 (openssh-5.2p1.tar.gz) = 4023710c37d0b3d79e6299cb79b6de2a31db7d581fe59e775a5351784034ecae
SIZE (openssh-5.2p1.tar.gz) = 1016612
MD5 (openssh-5.2p1+x509-6.2.diff.gz) = 8dbbfb743226864f6bb49b56e77776d9
SHA256 (openssh-5.2p1+x509-6.2.diff.gz) = 72cfb1e232b6ae0a9df6e8539a9f6b53db7c0a2141cf2e4dd65b407748fa9f34
SIZE (openssh-5.2p1+x509-6.2.diff.gz) = 153010


@ -0,0 +1,32 @@
--- servconf.c.orig 2009-05-02 18:22:38.000000000 +0400
+++ servconf.c 2009-05-02 18:24:15.000000000 +0400
@@ -127,12 +127,21 @@
options->num_permitted_opens = -1;
options->adm_forced_command = NULL;
options->chroot_directory = NULL;
+ options->none_enabled = -1;
+ options->tcp_rcv_buf_poll = -1;
+ options->hpn_disabled = -1;
+ options->hpn_buffer_size = -1;
options->zero_knowledge_password_authentication = -1;
}
void
fill_default_server_options(ServerOptions *options)
{
+ /* needed for hpn socket tests */
+ int sock;
+ int socksize;
+ int socksizelen = sizeof(int);
+
/* Portable-specific options */
if (options->use_pam == -1)
options->use_pam = 1;
@@ -345,6 +354,7 @@
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
+ sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
sZeroKnowledgePasswordAuthentication,
sDeprecated, sUnsupported
} ServerOpCodes;
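Review bot: `int socksizelen = sizeof(int);` in fill_default_server_options should be `socklen_t socksizelen = sizeof(socksize);` if it is the length argument to getsockopt(2) in the part of the function outside this hunk, since socklen_t is not `int` on every platform and the length should follow the variable it describes. `sock` is declared without an initializer, which is only safe if every path assigns it before use, and this hunk cannot show that. The four new fields are set to the -1 "unset" sentinel here and their defaults are assigned outside the hunk; because `none_enabled` presumably controls whether the HPN "none" cipher may be negotiated, its default should be 0 and documented next to the `hpn_disabled` default, e.g. `/* NoneEnabled: the none cipher is never offered unless an administrator opts in */`. fill_default_server_options continues past the end of the hunk.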



@ -0,0 +1,240 @@
--- servconf.c.orig 2009-05-02 19:35:42.000000000 +0400
+++ servconf.c 2009-05-02 19:37:13.000000000 +0400
@@ -42,6 +42,10 @@
#include "channels.h"
#include "groupaccess.h"
+#ifdef WITH_LDAP_PUBKEY
+#include "ldapauth.h"
+#endif
+
static void add_listen_addr(ServerOptions *, char *, int);
static void add_one_listen_addr(ServerOptions *, char *, int);
@@ -74,7 +78,7 @@
options->ignore_user_known_hosts = -1;
options->print_motd = -1;
options->print_lastlog = -1;
- options->x11_forwarding = -1;
+ options->x11_forwarding = 1;
options->x11_display_offset = -1;
options->x11_use_localhost = -1;
options->xauth_location = NULL;
@@ -127,12 +131,39 @@
options->num_permitted_opens = -1;
options->adm_forced_command = NULL;
options->chroot_directory = NULL;
+ options->none_enabled = -1;
+ options->tcp_rcv_buf_poll = -1;
+ options->hpn_disabled = -1;
+ options->hpn_buffer_size = -1;
options->zero_knowledge_password_authentication = -1;
+#ifdef WITH_LDAP_PUBKEY
+ /* XXX dirty */
+ options->lpk.ld = NULL;
+ options->lpk.on = -1;
+ options->lpk.servers = NULL;
+ options->lpk.u_basedn = NULL;
+ options->lpk.g_basedn = NULL;
+ options->lpk.binddn = NULL;
+ options->lpk.bindpw = NULL;
+ options->lpk.sgroup = NULL;
+ options->lpk.filter = NULL;
+ options->lpk.fgroup = NULL;
+ options->lpk.l_conf = NULL;
+ options->lpk.tls = -1;
+ options->lpk.b_timeout.tv_sec = -1;
+ options->lpk.s_timeout.tv_sec = -1;
+ options->lpk.flags = FLAG_EMPTY;
+#endif
}
void
fill_default_server_options(ServerOptions *options)
{
+ /* needed for hpn socket tests */
+ int sock;
+ int socksize;
+ int socksizelen = sizeof(int);
+
/* Portable-specific options */
if (options->use_pam == -1)
options->use_pam = 1;
@@ -265,6 +296,32 @@
options->permit_tun = SSH_TUNMODE_NO;
if (options->zero_knowledge_password_authentication == -1)
options->zero_knowledge_password_authentication = 0;
+#ifdef WITH_LDAP_PUBKEY
+ if (options->lpk.on == -1)
+ options->lpk.on = _DEFAULT_LPK_ON;
+ if (options->lpk.servers == NULL)
+ options->lpk.servers = _DEFAULT_LPK_SERVERS;
+ if (options->lpk.u_basedn == NULL)
+ options->lpk.u_basedn = _DEFAULT_LPK_UDN;
+ if (options->lpk.g_basedn == NULL)
+ options->lpk.g_basedn = _DEFAULT_LPK_GDN;
+ if (options->lpk.binddn == NULL)
+ options->lpk.binddn = _DEFAULT_LPK_BINDDN;
+ if (options->lpk.bindpw == NULL)
+ options->lpk.bindpw = _DEFAULT_LPK_BINDPW;
+ if (options->lpk.sgroup == NULL)
+ options->lpk.sgroup = _DEFAULT_LPK_SGROUP;
+ if (options->lpk.filter == NULL)
+ options->lpk.filter = _DEFAULT_LPK_FILTER;
+ if (options->lpk.tls == -1)
+ options->lpk.tls = _DEFAULT_LPK_TLS;
+ if (options->lpk.b_timeout.tv_sec == -1)
+ options->lpk.b_timeout.tv_sec = _DEFAULT_LPK_BTIMEOUT;
+ if (options->lpk.s_timeout.tv_sec == -1)
+ options->lpk.s_timeout.tv_sec = _DEFAULT_LPK_STIMEOUT;
+ if (options->lpk.l_conf == NULL)
+ options->lpk.l_conf = _DEFAULT_LPK_LDP;
+#endif
if (options->hpn_disabled == -1)
options->hpn_disabled = 0;
@@ -345,8 +402,15 @@
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
+ sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
sZeroKnowledgePasswordAuthentication,
sDeprecated, sUnsupported
+#ifdef WITH_LDAP_PUBKEY
+ ,sLdapPublickey, sLdapServers, sLdapUserDN
+ ,sLdapGroupDN, sBindDN, sBindPw, sMyGroup
+ ,sLdapFilter, sForceTLS, sBindTimeout
+ ,sSearchTimeout, sLdapConf
+#endif
} ServerOpCodes;
#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
@@ -457,6 +521,20 @@
{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
+#ifdef WITH_LDAP_PUBKEY
+ { _DEFAULT_LPK_TOKEN, sLdapPublickey, SSHCFG_GLOBAL },
+ { _DEFAULT_SRV_TOKEN, sLdapServers, SSHCFG_GLOBAL },
+ { _DEFAULT_USR_TOKEN, sLdapUserDN, SSHCFG_GLOBAL },
+ { _DEFAULT_GRP_TOKEN, sLdapGroupDN, SSHCFG_GLOBAL },
+ { _DEFAULT_BDN_TOKEN, sBindDN, SSHCFG_GLOBAL },
+ { _DEFAULT_BPW_TOKEN, sBindPw, SSHCFG_GLOBAL },
+ { _DEFAULT_MYG_TOKEN, sMyGroup, SSHCFG_GLOBAL },
+ { _DEFAULT_FIL_TOKEN, sLdapFilter, SSHCFG_GLOBAL },
+ { _DEFAULT_TLS_TOKEN, sForceTLS, SSHCFG_GLOBAL },
+ { _DEFAULT_BTI_TOKEN, sBindTimeout, SSHCFG_GLOBAL },
+ { _DEFAULT_STI_TOKEN, sSearchTimeout, SSHCFG_GLOBAL },
+ { _DEFAULT_LDP_TOKEN, sLdapConf, SSHCFG_GLOBAL },
+#endif
{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
{ "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
@@ -1368,6 +1446,107 @@
while (arg)
arg = strdelim(&cp);
break;
+#ifdef WITH_LDAP_PUBKEY
+ case sLdapPublickey:
+ intptr = &options->lpk.on;
+ goto parse_flag;
+ case sLdapServers:
+ /* arg = strdelim(&cp); */
+ p = line;
+ while(*p++);
+ arg = p;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing ldap server",filename,linenum);
+ arg[strlen(arg)] = '\0';
+ if ((options->lpk.servers = ldap_parse_servers(arg)) == NULL)
+ fatal("%s line %d: error in ldap servers", filename, linenum);
+ memset(arg,0,strlen(arg));
+ break;
+ case sLdapUserDN:
+ arg = cp;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing ldap server",filename,linenum);
+ arg[strlen(arg)] = '\0';
+ options->lpk.u_basedn = xstrdup(arg);
+ memset(arg,0,strlen(arg));
+ break;
+ case sLdapGroupDN:
+ arg = cp;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing ldap server",filename,linenum);
+ arg[strlen(arg)] = '\0';
+ options->lpk.g_basedn = xstrdup(arg);
+ memset(arg,0,strlen(arg));
+ break;
+ case sBindDN:
+ arg = cp;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing binddn",filename,linenum);
+ arg[strlen(arg)] = '\0';
+ options->lpk.binddn = xstrdup(arg);
+ memset(arg,0,strlen(arg));
+ break;
+ case sBindPw:
+ arg = cp;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing bindpw",filename,linenum);
+ arg[strlen(arg)] = '\0';
+ options->lpk.bindpw = xstrdup(arg);
+ memset(arg,0,strlen(arg));
+ break;
+ case sMyGroup:
+ arg = cp;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing groupname",filename, linenum);
+ arg[strlen(arg)] = '\0';
+ options->lpk.sgroup = xstrdup(arg);
+ if (options->lpk.sgroup)
+ options->lpk.fgroup = ldap_parse_groups(options->lpk.sgroup);
+ memset(arg,0,strlen(arg));
+ break;
+ case sLdapFilter:
+ arg = cp;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing filter",filename, linenum);
+ arg[strlen(arg)] = '\0';
+ options->lpk.filter = xstrdup(arg);
+ memset(arg,0,strlen(arg));
+ break;
+ case sForceTLS:
+ intptr = &options->lpk.tls;
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing yes/no argument.",
+ filename, linenum);
+ value = 0; /* silence compiler */
+ if (strcmp(arg, "yes") == 0)
+ value = 1;
+ else if (strcmp(arg, "no") == 0)
+ value = 0;
+ else if (strcmp(arg, "try") == 0)
+ value = -1;
+ else
+ fatal("%s line %d: Bad yes/no argument: %s",
+ filename, linenum, arg);
+ if (*intptr == -1)
+ *intptr = value;
+ break;
+ case sBindTimeout:
+ intptr = (int *) &options->lpk.b_timeout.tv_sec;
+ goto parse_int;
+ case sSearchTimeout:
+ intptr = (int *) &options->lpk.s_timeout.tv_sec;
+ goto parse_int;
+ break;
+ case sLdapConf:
+ arg = cp;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing LpkLdapConf", filename, linenum);
+ arg[strlen(arg)] = '\0';
+ options->lpk.l_conf = xstrdup(arg);
+ memset(arg, 0, strlen(arg));
+ break;
+#endif
default:
fatal("%s line %d: Missing handler for opcode %s (%d)",
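Review bot: Replacing `options->x11_forwarding = -1;` with `options->x11_forwarding = 1;` in initialize_server_options does more than change the default: the flag parser in this file only assigns when the field is still -1 (the `if (*intptr == -1) *intptr = value;` idiom visible in the sForceTLS handler), so if X11Forwarding goes through the same parse_flag path an explicit `X11Forwarding no` in sshd_config becomes a silent no-op; the initializer should stay at -1 and the chosen default belongs in fill_default_server_options. The same edit is in the lpk-only servconf patch in the next file section. Separately, `intptr = (int *) &options->lpk.b_timeout.tv_sec;` and the s_timeout twin alias a `time_t` through `int *`; on targets where time_t is wider than int the -1 initializer leaves the other half set, so after parse_int writes the low half the field is neither the parsed timeout nor -1, and the later `== -1` default check cannot correct it (it is also a strict-aliasing violation). Parse the integer in the handler and assign it to tv_sec directly, as below; the same two handlers appear in the next section, and the `break;` after `goto parse_int;` under sSearchTimeout is unreachable. process_server_config_line starts and ends outside the hunk.
```c
	case sBindTimeout:
	case sSearchTimeout:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		value = atoi(arg);
		/* tv_sec is time_t, which may be wider than int: assign, never alias */
		if (opcode == sBindTimeout) {
			if (options->lpk.b_timeout.tv_sec == -1)
				options->lpk.b_timeout.tv_sec = value;
		} else {
			if (options->lpk.s_timeout.tv_sec == -1)
				options->lpk.s_timeout.tv_sec = value;
		}
		break;
	/* … unchanged: sLdapConf handler … */
```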


@ -0,0 +1,222 @@
--- servconf.c.orig 2009-05-02 19:24:09.000000000 +0400
+++ servconf.c 2009-05-02 19:29:37.000000000 +0400
@@ -42,6 +42,10 @@
#include "channels.h"
#include "groupaccess.h"
+#ifdef WITH_LDAP_PUBKEY
+#include "ldapauth.h"
+#endif
+
static void add_listen_addr(ServerOptions *, char *, int);
static void add_one_listen_addr(ServerOptions *, char *, int);
@@ -74,7 +78,7 @@
options->ignore_user_known_hosts = -1;
options->print_motd = -1;
options->print_lastlog = -1;
- options->x11_forwarding = -1;
+ options->x11_forwarding = 1;
options->x11_display_offset = -1;
options->x11_use_localhost = -1;
options->xauth_location = NULL;
@@ -128,6 +132,24 @@
options->adm_forced_command = NULL;
options->chroot_directory = NULL;
options->zero_knowledge_password_authentication = -1;
+#ifdef WITH_LDAP_PUBKEY
+ /* XXX dirty */
+ options->lpk.ld = NULL;
+ options->lpk.on = -1;
+ options->lpk.servers = NULL;
+ options->lpk.u_basedn = NULL;
+ options->lpk.g_basedn = NULL;
+ options->lpk.binddn = NULL;
+ options->lpk.bindpw = NULL;
+ options->lpk.sgroup = NULL;
+ options->lpk.filter = NULL;
+ options->lpk.fgroup = NULL;
+ options->lpk.l_conf = NULL;
+ options->lpk.tls = -1;
+ options->lpk.b_timeout.tv_sec = -1;
+ options->lpk.s_timeout.tv_sec = -1;
+ options->lpk.flags = FLAG_EMPTY;
+#endif
}
void
@@ -265,6 +287,32 @@
options->permit_tun = SSH_TUNMODE_NO;
if (options->zero_knowledge_password_authentication == -1)
options->zero_knowledge_password_authentication = 0;
+#ifdef WITH_LDAP_PUBKEY
+ if (options->lpk.on == -1)
+ options->lpk.on = _DEFAULT_LPK_ON;
+ if (options->lpk.servers == NULL)
+ options->lpk.servers = _DEFAULT_LPK_SERVERS;
+ if (options->lpk.u_basedn == NULL)
+ options->lpk.u_basedn = _DEFAULT_LPK_UDN;
+ if (options->lpk.g_basedn == NULL)
+ options->lpk.g_basedn = _DEFAULT_LPK_GDN;
+ if (options->lpk.binddn == NULL)
+ options->lpk.binddn = _DEFAULT_LPK_BINDDN;
+ if (options->lpk.bindpw == NULL)
+ options->lpk.bindpw = _DEFAULT_LPK_BINDPW;
+ if (options->lpk.sgroup == NULL)
+ options->lpk.sgroup = _DEFAULT_LPK_SGROUP;
+ if (options->lpk.filter == NULL)
+ options->lpk.filter = _DEFAULT_LPK_FILTER;
+ if (options->lpk.tls == -1)
+ options->lpk.tls = _DEFAULT_LPK_TLS;
+ if (options->lpk.b_timeout.tv_sec == -1)
+ options->lpk.b_timeout.tv_sec = _DEFAULT_LPK_BTIMEOUT;
+ if (options->lpk.s_timeout.tv_sec == -1)
+ options->lpk.s_timeout.tv_sec = _DEFAULT_LPK_STIMEOUT;
+ if (options->lpk.l_conf == NULL)
+ options->lpk.l_conf = _DEFAULT_LPK_LDP;
+#endif
/* Turn privilege separation on by default */
if (use_privsep == -1)
@@ -311,6 +359,12 @@
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication,
sDeprecated, sUnsupported
+#ifdef WITH_LDAP_PUBKEY
+ ,sLdapPublickey, sLdapServers, sLdapUserDN
+ ,sLdapGroupDN, sBindDN, sBindPw, sMyGroup
+ ,sLdapFilter, sForceTLS, sBindTimeout
+ ,sSearchTimeout, sLdapConf
+#endif
} ServerOpCodes;
#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
@@ -421,6 +475,20 @@
{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
+#ifdef WITH_LDAP_PUBKEY
+ { _DEFAULT_LPK_TOKEN, sLdapPublickey, SSHCFG_GLOBAL },
+ { _DEFAULT_SRV_TOKEN, sLdapServers, SSHCFG_GLOBAL },
+ { _DEFAULT_USR_TOKEN, sLdapUserDN, SSHCFG_GLOBAL },
+ { _DEFAULT_GRP_TOKEN, sLdapGroupDN, SSHCFG_GLOBAL },
+ { _DEFAULT_BDN_TOKEN, sBindDN, SSHCFG_GLOBAL },
+ { _DEFAULT_BPW_TOKEN, sBindPw, SSHCFG_GLOBAL },
+ { _DEFAULT_MYG_TOKEN, sMyGroup, SSHCFG_GLOBAL },
+ { _DEFAULT_FIL_TOKEN, sLdapFilter, SSHCFG_GLOBAL },
+ { _DEFAULT_TLS_TOKEN, sForceTLS, SSHCFG_GLOBAL },
+ { _DEFAULT_BTI_TOKEN, sBindTimeout, SSHCFG_GLOBAL },
+ { _DEFAULT_STI_TOKEN, sSearchTimeout, SSHCFG_GLOBAL },
+ { _DEFAULT_LDP_TOKEN, sLdapConf, SSHCFG_GLOBAL },
+#endif
{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
{ "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
@@ -1311,6 +1379,107 @@
while (arg)
arg = strdelim(&cp);
break;
+#ifdef WITH_LDAP_PUBKEY
+ case sLdapPublickey:
+ intptr = &options->lpk.on;
+ goto parse_flag;
+ case sLdapServers:
+ /* arg = strdelim(&cp); */
+ p = line;
+ while(*p++);
+ arg = p;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing ldap server",filename,linenum);
+ arg[strlen(arg)] = '\0';
+ if ((options->lpk.servers = ldap_parse_servers(arg)) == NULL)
+ fatal("%s line %d: error in ldap servers", filename, linenum);
+ memset(arg,0,strlen(arg));
+ break;
+ case sLdapUserDN:
+ arg = cp;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing ldap server",filename,linenum);
+ arg[strlen(arg)] = '\0';
+ options->lpk.u_basedn = xstrdup(arg);
+ memset(arg,0,strlen(arg));
+ break;
+ case sLdapGroupDN:
+ arg = cp;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing ldap server",filename,linenum);
+ arg[strlen(arg)] = '\0';
+ options->lpk.g_basedn = xstrdup(arg);
+ memset(arg,0,strlen(arg));
+ break;
+ case sBindDN:
+ arg = cp;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing binddn",filename,linenum);
+ arg[strlen(arg)] = '\0';
+ options->lpk.binddn = xstrdup(arg);
+ memset(arg,0,strlen(arg));
+ break;
+ case sBindPw:
+ arg = cp;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing bindpw",filename,linenum);
+ arg[strlen(arg)] = '\0';
+ options->lpk.bindpw = xstrdup(arg);
+ memset(arg,0,strlen(arg));
+ break;
+ case sMyGroup:
+ arg = cp;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing groupname",filename, linenum);
+ arg[strlen(arg)] = '\0';
+ options->lpk.sgroup = xstrdup(arg);
+ if (options->lpk.sgroup)
+ options->lpk.fgroup = ldap_parse_groups(options->lpk.sgroup);
+ memset(arg,0,strlen(arg));
+ break;
+ case sLdapFilter:
+ arg = cp;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing filter",filename, linenum);
+ arg[strlen(arg)] = '\0';
+ options->lpk.filter = xstrdup(arg);
+ memset(arg,0,strlen(arg));
+ break;
+ case sForceTLS:
+ intptr = &options->lpk.tls;
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing yes/no argument.",
+ filename, linenum);
+ value = 0; /* silence compiler */
+ if (strcmp(arg, "yes") == 0)
+ value = 1;
+ else if (strcmp(arg, "no") == 0)
+ value = 0;
+ else if (strcmp(arg, "try") == 0)
+ value = -1;
+ else
+ fatal("%s line %d: Bad yes/no argument: %s",
+ filename, linenum, arg);
+ if (*intptr == -1)
+ *intptr = value;
+ break;
+ case sBindTimeout:
+ intptr = (int *) &options->lpk.b_timeout.tv_sec;
+ goto parse_int;
+ case sSearchTimeout:
+ intptr = (int *) &options->lpk.s_timeout.tv_sec;
+ goto parse_int;
+ break;
+ case sLdapConf:
+ arg = cp;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing LpkLdapConf", filename, linenum);
+ arg[strlen(arg)] = '\0';
+ options->lpk.l_conf = xstrdup(arg);
+ memset(arg, 0, strlen(arg));
+ break;
+#endif
default:
fatal("%s line %d: Missing handler for opcode %s (%d)",
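Review bot: The sLdapUserDN and sLdapGroupDN handlers report the wrong directive on a missing argument — both carry `fatal("%s line %d: missing ldap server",filename,linenum);` copied from sLdapServers; `fatal("%s line %d: missing user base DN", filename, linenum);` and `fatal("%s line %d: missing group base DN", filename, linenum);` would point an administrator at the right line. The seven string-valued handlers from sLdapUserDN to sLdapConf repeat the same six lines, and `arg[strlen(arg)] = '\0';` in each writes a NUL where one already is, so a small static helper that checks, duplicates and clears the argument would remove both the duplication and the copy-paste errors. The `memset(arg,0,strlen(arg));` after `xstrdup` clears the config line buffer, but the duplicated `options->lpk.bindpw` keeps the bind password in the heap for the life of the process; if keeping it out of memory is the intent, the copy needs the same treatment wherever it is released. The same handlers, with the same messages, appear in the lpk+hpn patch in the previous file section; process_server_config_line starts and ends outside the hunk.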


@ -1509,242 +1509,6 @@
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
--- servconf.c.orig 2008-02-10 09:48:55.000000000 -0200
+++ servconf.c 2008-04-17 21:27:34.000000000 -0300
@@ -40,6 +40,10 @@
#include "channels.h"
#include "groupaccess.h"
+#ifdef WITH_LDAP_PUBKEY
+#include "ldapauth.h"
+#endif
+
static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);
@@ -123,6 +127,24 @@
options->num_permitted_opens = -1;
options->adm_forced_command = NULL;
options->chroot_directory = NULL;
+#ifdef WITH_LDAP_PUBKEY
+ /* XXX dirty */
+ options->lpk.ld = NULL;
+ options->lpk.on = -1;
+ options->lpk.servers = NULL;
+ options->lpk.u_basedn = NULL;
+ options->lpk.g_basedn = NULL;
+ options->lpk.binddn = NULL;
+ options->lpk.bindpw = NULL;
+ options->lpk.sgroup = NULL;
+ options->lpk.filter = NULL;
+ options->lpk.fgroup = NULL;
+ options->lpk.l_conf = NULL;
+ options->lpk.tls = -1;
+ options->lpk.b_timeout.tv_sec = -1;
+ options->lpk.s_timeout.tv_sec = -1;
+ options->lpk.flags = FLAG_EMPTY;
+#endif
}
void
@@ -250,6 +272,32 @@
options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
+#ifdef WITH_LDAP_PUBKEY
+ if (options->lpk.on == -1)
+ options->lpk.on = _DEFAULT_LPK_ON;
+ if (options->lpk.servers == NULL)
+ options->lpk.servers = _DEFAULT_LPK_SERVERS;
+ if (options->lpk.u_basedn == NULL)
+ options->lpk.u_basedn = _DEFAULT_LPK_UDN;
+ if (options->lpk.g_basedn == NULL)
+ options->lpk.g_basedn = _DEFAULT_LPK_GDN;
+ if (options->lpk.binddn == NULL)
+ options->lpk.binddn = _DEFAULT_LPK_BINDDN;
+ if (options->lpk.bindpw == NULL)
+ options->lpk.bindpw = _DEFAULT_LPK_BINDPW;
+ if (options->lpk.sgroup == NULL)
+ options->lpk.sgroup = _DEFAULT_LPK_SGROUP;
+ if (options->lpk.filter == NULL)
+ options->lpk.filter = _DEFAULT_LPK_FILTER;
+ if (options->lpk.tls == -1)
+ options->lpk.tls = _DEFAULT_LPK_TLS;
+ if (options->lpk.b_timeout.tv_sec == -1)
+ options->lpk.b_timeout.tv_sec = _DEFAULT_LPK_BTIMEOUT;
+ if (options->lpk.s_timeout.tv_sec == -1)
+ options->lpk.s_timeout.tv_sec = _DEFAULT_LPK_STIMEOUT;
+ if (options->lpk.l_conf == NULL)
+ options->lpk.l_conf = _DEFAULT_LPK_LDP;
+#endif
/* Turn privilege separation on by default */
if (use_privsep == -1)
@@ -295,6 +343,12 @@
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation,
sDeprecated, sUnsupported
+#ifdef WITH_LDAP_PUBKEY
+ ,sLdapPublickey, sLdapServers, sLdapUserDN
+ ,sLdapGroupDN, sBindDN, sBindPw, sMyGroup
+ ,sLdapFilter, sForceTLS, sBindTimeout
+ ,sSearchTimeout, sLdapConf
+#endif
} ServerOpCodes;
#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
@@ -398,6 +452,20 @@
{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
+#ifdef WITH_LDAP_PUBKEY
+ { _DEFAULT_LPK_TOKEN, sLdapPublickey, SSHCFG_GLOBAL },
+ { _DEFAULT_SRV_TOKEN, sLdapServers, SSHCFG_GLOBAL },
+ { _DEFAULT_USR_TOKEN, sLdapUserDN, SSHCFG_GLOBAL },
+ { _DEFAULT_GRP_TOKEN, sLdapGroupDN, SSHCFG_GLOBAL },
+ { _DEFAULT_BDN_TOKEN, sBindDN, SSHCFG_GLOBAL },
+ { _DEFAULT_BPW_TOKEN, sBindPw, SSHCFG_GLOBAL },
+ { _DEFAULT_MYG_TOKEN, sMyGroup, SSHCFG_GLOBAL },
+ { _DEFAULT_FIL_TOKEN, sLdapFilter, SSHCFG_GLOBAL },
+ { _DEFAULT_TLS_TOKEN, sForceTLS, SSHCFG_GLOBAL },
+ { _DEFAULT_BTI_TOKEN, sBindTimeout, SSHCFG_GLOBAL },
+ { _DEFAULT_STI_TOKEN, sSearchTimeout, SSHCFG_GLOBAL },
+ { _DEFAULT_LDP_TOKEN, sLdapConf, SSHCFG_GLOBAL },
+#endif
{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
{ "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
@@ -1282,6 +1350,107 @@
while (arg)
arg = strdelim(&cp);
break;
+#ifdef WITH_LDAP_PUBKEY
+ case sLdapPublickey:
+ intptr = &options->lpk.on;
+ goto parse_flag;
+ case sLdapServers:
+ /* arg = strdelim(&cp); */
+ p = line;
+ while(*p++);
+ arg = p;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing ldap server",filename,linenum);
+ arg[strlen(arg)] = '\0';
+ if ((options->lpk.servers = ldap_parse_servers(arg)) == NULL)
+ fatal("%s line %d: error in ldap servers", filename, linenum);
+ memset(arg,0,strlen(arg));
+ break;
+ case sLdapUserDN:
+ arg = cp;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing ldap server",filename,linenum);
+ arg[strlen(arg)] = '\0';
+ options->lpk.u_basedn = xstrdup(arg);
+ memset(arg,0,strlen(arg));
+ break;
+ case sLdapGroupDN:
+ arg = cp;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing ldap server",filename,linenum);
+ arg[strlen(arg)] = '\0';
+ options->lpk.g_basedn = xstrdup(arg);
+ memset(arg,0,strlen(arg));
+ break;
+ case sBindDN:
+ arg = cp;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing binddn",filename,linenum);
+ arg[strlen(arg)] = '\0';
+ options->lpk.binddn = xstrdup(arg);
+ memset(arg,0,strlen(arg));
+ break;
+ case sBindPw:
+ arg = cp;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing bindpw",filename,linenum);
+ arg[strlen(arg)] = '\0';
+ options->lpk.bindpw = xstrdup(arg);
+ memset(arg,0,strlen(arg));
+ break;
+ case sMyGroup:
+ arg = cp;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing groupname",filename, linenum);
+ arg[strlen(arg)] = '\0';
+ options->lpk.sgroup = xstrdup(arg);
+ if (options->lpk.sgroup)
+ options->lpk.fgroup = ldap_parse_groups(options->lpk.sgroup);
+ memset(arg,0,strlen(arg));
+ break;
+ case sLdapFilter:
+ arg = cp;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing filter",filename, linenum);
+ arg[strlen(arg)] = '\0';
+ options->lpk.filter = xstrdup(arg);
+ memset(arg,0,strlen(arg));
+ break;
+ case sForceTLS:
+ intptr = &options->lpk.tls;
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing yes/no argument.",
+ filename, linenum);
+ value = 0; /* silence compiler */
+ if (strcmp(arg, "yes") == 0)
+ value = 1;
+ else if (strcmp(arg, "no") == 0)
+ value = 0;
+ else if (strcmp(arg, "try") == 0)
+ value = -1;
+ else
+ fatal("%s line %d: Bad yes/no argument: %s",
+ filename, linenum, arg);
+ if (*intptr == -1)
+ *intptr = value;
+ break;
+ case sBindTimeout:
+ intptr = (int *) &options->lpk.b_timeout.tv_sec;
+ goto parse_int;
+ case sSearchTimeout:
+ intptr = (int *) &options->lpk.s_timeout.tv_sec;
+ goto parse_int;
+ break;
+ case sLdapConf:
+ arg = cp;
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing LpkLdapConf", filename, linenum);
+ arg[strlen(arg)] = '\0';
+ options->lpk.l_conf = xstrdup(arg);
+ memset(arg, 0, strlen(arg));
+ break;
+#endif
default:
fatal("%s line %d: Missing handler for opcode %s (%d)",
--- servconf.h.orig 2008-03-07 04:31:24.000000000 -0300
+++ servconf.h 2008-04-17 21:24:57.000000000 -0300
@@ -16,6 +16,10 @@
#ifndef SERVCONF_H
#define SERVCONF_H
+#ifdef WITH_LDAP_PUBKEY
+#include "ldapauth.h"
+#endif
+
#define MAX_PORTS 256 /* Max # ports. */
#define MAX_ALLOW_USERS 256 /* Max # users on allow list. */
@@ -142,6 +146,9 @@
int use_pam; /* Enable auth via PAM */
int permit_tun;
+#ifdef WITH_LDAP_PUBKEY
+ ldap_opt_t lpk;
+#endif
int num_permitted_opens;
--- sshd.c.orig 2008-03-11 08:58:25.000000000 -0300
+++ sshd.c 2008-04-17 21:24:57.000000000 -0300
@@ -126,6 +126,10 @@
@ -1864,3 +1628,26 @@
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
--- servconf.h.orig 2008-03-07 04:31:24.000000000 -0300
+++ servconf.h 2008-04-17 21:24:57.000000000 -0300
@@ -16,6 +16,10 @@
#ifndef SERVCONF_H
#define SERVCONF_H
+#ifdef WITH_LDAP_PUBKEY
+#include "ldapauth.h"
+#endif
+
#define MAX_PORTS 256 /* Max # ports. */
#define MAX_ALLOW_USERS 256 /* Max # users on allow list. */
@@ -142,6 +146,9 @@
int use_pam; /* Enable auth via PAM */
int permit_tun;
+#ifdef WITH_LDAP_PUBKEY
+ ldap_opt_t lpk;
+#endif
int num_permitted_opens;