mirror/freebsd-ports
1
0
Fork 0
mirror of https://git.FreeBSD.org/ports.git synced 2025-01-01 05:45:45 +00:00
Code Issues Releases Activity

Add IPv6 support to ssh.

Browse Source 
The IPv6 patch was obtained from the kame repository and has been
been writen by KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>

Due to the whole mess with different patches it was necessary to include
both the IPv6 patch and patch-ssh-1.2.27-bsd.tty.chown in ${PATCHDIR}.
Since both patches modify the configure script it was also necessary
to rebuild it via autoconf from configure.in. I've decided to use
USE_AUTOCONF instead of including the re-build configure script in
${FILESDIR}

Obtained from:	KAME/WIDE
This commit is contained in:
Torsten Blum 2000-01-14 19:37:39 +00:00
parent ae52ba8025
commit eb66565459
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=24737
25 changed files with 4026 additions and 130 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
security/ssh/Makefile
View File

@ -6,20 +6,17 @@
# $FreeBSD$
#
# Maximal ssh package requires YES values for
# USE_PERL, USE_TCPWRAP
# USE_PERL, USE_TCPWRAP, USE_INET6
#
DISTNAME= ssh-1.2.27
CATEGORIES= security net
MASTER_SITES= ftp://ftp.cs.hut.fi/pub/ssh/
PATCH_SITES= http://www.ssh.org/patches/ \
ftp://ftp2.inch.com/pub/FreeBSD/
PATCHFILES= patch-${DISTNAME}-bsd.tty.chown
PATCH_DIST_STRIP= -p1
MAINTAINER= torstenb@FreeBSD.org
USE_AUTOCONF= YES # unfortunately... see comments in patch-xa for details
# You can set USA_RESIDENT appropriately in /etc/make.conf if this bugs you..
.if defined(USA_RESIDENT) && ${USA_RESIDENT} == YES
@ -139,6 +136,14 @@ LIB_DEPENDS+= wrap.7:${PORTSDIR}/security/tcp_wrapper
.endif
.endif
# Original IPv6 patches were obtained from ftp://ftp.kyoto.wide.ad.jp/IPv6/ssh/
# ssh-1.2.27-IPv6-1.5-patch.gz
.if defined(USE_INET6) && ${USE_INET6} == YES
CONFIGURE_ARGS+= --enable-ipv6
.else
CONFIGURE_ARGS+= --disable-ipv6
.endif
# Include SOCKS firewall support
.if defined(USE_SOCKS) && ${USE_SOCKS} == YES
CONFIGURE_ARGS+= --with-socks="-L${PREFIX}/lib -lsocks5" --with-socks5

1
security/ssh/distinfo
View File

@ -1,2 +1 @@
MD5 (ssh-1.2.27.tar.gz) = c22bc000bee0f7d6f4845eab72a81395
MD5 (patch-ssh-1.2.27-bsd.tty.chown) = e4d7755994c2fa0d419a60723e8a9d53

719
security/ssh/files/patch-af
View File

@ -1,5 +1,422 @@
*** sshd.c.orig Wed May 12 20:19:29 1999
--- sshd.c Sun Jun 6 02:37:18 1999
*** sshd.c.orig Tue Jan 11 20:40:10 2000
--- sshd.c Tue Jan 11 20:40:07 2000
***************
*** 553,558 ****
--- 553,571 ----
/* Name of the server configuration file. */
char *config_file_name = SERVER_CONFIG_FILE;
+ /* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
+ Default value is AF_UNSPEC means both IPv4 and IPv6. */
+ #ifdef ENABLE_IPV6
+ int IPv4or6 = AF_UNSPEC;
+ #else
+ int IPv4or6 = AF_INET;
+ #endif
+
+ #ifdef ENABLE_LOG_AUTH
+ char *unauthenticated_user = NULL;
+ int log_auth_flag = 0;
+ #endif /* ENABLE_LOG_AUTH */
+
/* Debug mode flag. This can be set on the command line. If debug
mode is enabled, extra debugging output will be sent to the system
log, the daemon will not go to background, and will exit after processing
***************
*** 576,582 ****
/* This is set to the socket that the server is listening; this is used in
the SIGHUP signal handler. */
! int listen_sock;
/* This is not really needed, and could be eliminated if server-specific
and client-specific code were removed from newchannels.c */
--- 589,605 ----
/* This is set to the socket that the server is listening; this is used in
the SIGHUP signal handler. */
! #define MAX_LISTEN_SOCKS 16
! int listen_socks[MAX_LISTEN_SOCKS];
! int num_listen_socks = 0;
! void close_listen_socks()
! {
! int i;
!
! for (i = 0; i < num_listen_socks; i++)
! close(listen_socks[i]);
! num_listen_socks = -1;
! }
/* This is not really needed, and could be eliminated if server-specific
and client-specific code were removed from newchannels.c */
***************
*** 666,672 ****
void sighup_restart(void)
{
log_msg("Received SIGHUP; restarting.");
! close(listen_sock);
execvp(saved_argv[0], saved_argv);
log_msg("RESTART FAILED: av[0]='%.100s', error: %.100s.",
saved_argv[0], strerror(errno));
--- 689,695 ----
void sighup_restart(void)
{
log_msg("Received SIGHUP; restarting.");
! close_listen_socks();
execvp(saved_argv[0], saved_argv);
log_msg("RESTART FAILED: av[0]='%.100s', error: %.100s.",
saved_argv[0], strerror(errno));
***************
*** 680,686 ****
RETSIGTYPE sigterm_handler(int sig)
{
log_msg("Received signal %d; terminating.", sig);
! close(listen_sock);
exit(255);
}
--- 703,709 ----
RETSIGTYPE sigterm_handler(int sig)
{
log_msg("Received signal %d; terminating.", sig);
! close_listen_socks();
exit(255);
}
***************
*** 759,765 ****
int perm_denied = 0;
int ret;
fd_set fdset;
! struct sockaddr_in sin;
char buf[100]; /* Must not be larger than remote_version. */
char remote_version[100]; /* Must be at least as big as buf. */
char *comment;
--- 782,788 ----
int perm_denied = 0;
int ret;
fd_set fdset;
! struct sockaddr_storage from;
char buf[100]; /* Must not be larger than remote_version. */
char remote_version[100]; /* Must be at least as big as buf. */
char *comment;
***************
*** 769,774 ****
--- 792,800 ----
struct linger linger;
#endif /* SO_LINGER */
int done;
+ struct addrinfo *ai;
+ char ntop[ADDRSTRLEN], strport[PORTSTRLEN];
+ int listen_sock, maxfd;
/* Save argv[0]. */
saved_argv = av;
***************
*** 787,796 ****
initialize_server_options(&options);
/* Parse command-line arguments. */
! while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:")) != EOF)
{
switch (opt)
{
case 'f':
config_file_name = optarg;
break;
--- 813,838 ----
initialize_server_options(&options);
/* Parse command-line arguments. */
! while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:4"
! #ifdef ENABLE_IPV6
! "6"
! #endif
! )) != EOF)
{
switch (opt)
{
+ case '4':
+ #ifdef ENABLE_IPV6
+ IPv4or6 = (IPv4or6 == AF_INET6) ? AF_UNSPEC : AF_INET;
+ #else
+ IPv4or6 = AF_INET;
+ #endif
+ break;
+ #ifdef ENABLE_IPV6
+ case '6':
+ IPv4or6 = (IPv4or6 == AF_INET) ? AF_UNSPEC : AF_INET6;
+ break;
+ #endif
case 'f':
config_file_name = optarg;
break;
***************
*** 807,813 ****
options.server_key_bits = atoi(optarg);
break;
case 'p':
! options.port = atoi(optarg);
break;
case 'g':
options.login_grace_time = atoi(optarg);
--- 849,855 ----
options.server_key_bits = atoi(optarg);
break;
case 'p':
! options.ports[options.num_ports++] = atoi(optarg);
break;
case 'g':
options.login_grace_time = atoi(optarg);
***************
*** 829,834 ****
--- 871,880 ----
fprintf(stderr, "sshd version %s [%s]\n", SSH_VERSION, HOSTTYPE);
fprintf(stderr, "Usage: %s [options]\n", av0);
fprintf(stderr, "Options:\n");
+ fprintf(stderr, " -4 Use IPv4 only\n");
+ #ifdef ENABLE_IPV6
+ fprintf(stderr, " -6 Use IPv6 only\n");
+ #endif
fprintf(stderr, " -f file Configuration file (default %s/sshd_config)\n", ETCDIR);
fprintf(stderr, " -d Debugging mode\n");
fprintf(stderr, " -i Started from inetd\n");
***************
*** 857,872 ****
fprintf(stderr, "fatal: Bad server key size.\n");
exit(1);
}
- if (options.port < 1 || options.port > 65535)
- {
- fprintf(stderr, "fatal: Bad port number.\n");
- exit(1);
- }
if (options.umask != -1)
{
umask(options.umask);
}
/* Check that there are no remaining arguments. */
if (optind < ac)
{
--- 903,917 ----
fprintf(stderr, "fatal: Bad server key size.\n");
exit(1);
}
if (options.umask != -1)
{
umask(options.umask);
}
+ #ifdef ENABLE_LOG_AUTH
+ log_auth_flag = options.log_auth;
+ #endif /* ENABLE_LOG_AUTH */
+
/* Check that there are no remaining arguments. */
if (optind < ac)
{
***************
*** 1034,1043 ****
}
else
{
/* Create socket for listening. */
! listen_sock = socket(AF_INET, SOCK_STREAM, 0);
if (listen_sock < 0)
fatal("socket: %.100s", strerror(errno));
/* Set socket options. We try to make the port reusable and have it
close as fast as possible without waiting in unnecessary wait states
--- 1079,1091 ----
}
else
{
+ for (ai = options.listen_addrs; ai; ai = ai->ai_next)
+ {
/* Create socket for listening. */
! listen_sock = socket(ai->ai_family, SOCK_STREAM, 0);
if (listen_sock < 0)
fatal("socket: %.100s", strerror(errno));
+ listen_socks[num_listen_socks] = listen_sock;
/* Set socket options. We try to make the port reusable and have it
close as fast as possible without waiting in unnecessary wait states
***************
*** 1051,1071 ****
sizeof(linger));
#endif /* SO_LINGER */
! /* Initialize the socket address. */
! memset(&sin, 0, sizeof(sin));
! sin.sin_family = AF_INET;
! sin.sin_addr = options.listen_addr;
! sin.sin_port = htons(options.port);
/* Bind the socket to the desired port. */
! if (bind(listen_sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
{
! error("bind: %.100s", strerror(errno));
! shutdown(listen_sock, 2);
close(listen_sock);
! fatal("Bind to port %d failed: %.200s.", options.port,
! strerror(errno));
}
if (!debug_flag)
{
--- 1099,1128 ----
sizeof(linger));
#endif /* SO_LINGER */
! getnameinfo(ai->ai_addr, ai->ai_addrlen,
! ntop, sizeof(ntop), strport, sizeof(strport),
! NI_NUMERICHOST|NI_NUMERICSERV);
/* Bind the socket to the desired port. */
! if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0)
{
! error("Bind to port %s on %s failed: %.200s.",
! strport, ntop, strerror(errno));
close(listen_sock);
! continue;
}
+ num_listen_socks++;
+
+ /* Start listening on the port. */
+ log_msg("Server listening on %s port %s.", ntop, strport);
+ if (listen(listen_sock, 5) < 0)
+ fatal("listen: %.100s", strerror(errno));
+
+ } /* for (ai = options.listen_addrs; ai; ai = ai->ai_next) */
+ freeaddrinfo(options.listen_addrs);
+
+ if (!num_listen_socks)
+ fatal("Cannot bind all addresses.");
if (!debug_flag)
{
***************
*** 1081,1091 ****
}
}
- /* Start listening on the port. */
- log_msg("Server listening on port %d.", options.port);
- if (listen(listen_sock, 5) < 0)
- fatal("listen: %.100s", strerror(errno));
-
/* Generate an rsa key. */
log_msg("Generating %d bit RSA key.", options.server_key_bits);
rsa_generate_key(&sensitive_data.private_key, &public_key,
--- 1138,1143 ----
***************
*** 1139,1156 ****
/* Wait in select until there is a connection. */
FD_ZERO(&fdset);
! FD_SET(listen_sock, &fdset);
! ret = select(listen_sock + 1, &fdset, NULL, NULL, NULL);
! if (ret < 0 || !FD_ISSET(listen_sock, &fdset))
{
if (errno == EINTR)
continue;
error("select: %.100s", strerror(errno));
continue;
}
!
! aux = sizeof(sin);
! newsock = accept(listen_sock, (struct sockaddr *)&sin, &aux);
if (newsock < 0)
{
if (errno == EINTR)
--- 1191,1218 ----
/* Wait in select until there is a connection. */
FD_ZERO(&fdset);
! maxfd = 0;
! for (i = 0; i < num_listen_socks; i++)
! {
! FD_SET(listen_socks[i], &fdset);
! if (listen_socks[i] > maxfd)
! maxfd = listen_socks[i];
! }
! ret = select(maxfd + 1, &fdset, NULL, NULL, NULL);
! if (ret < 0)
{
if (errno == EINTR)
continue;
error("select: %.100s", strerror(errno));
continue;
}
!
! for (i = 0; i < num_listen_socks; i++)
! {
! if (!FD_ISSET(listen_socks[i], &fdset))
! continue;
! aux = sizeof(from);
! newsock = accept(listen_socks[i], (struct sockaddr *)&from, &aux);
if (newsock < 0)
{
if (errno == EINTR)
***************
*** 1166,1172 ****
/* In debugging mode. Close the listening socket, and start
processing the connection without forking. */
debug("Server will not fork when running in debugging mode.");
! close(listen_sock);
sock_in = newsock;
sock_out = newsock;
pid = getpid();
--- 1228,1234 ----
/* In debugging mode. Close the listening socket, and start
processing the connection without forking. */
debug("Server will not fork when running in debugging mode.");
! close_listen_socks();
sock_in = newsock;
sock_out = newsock;
pid = getpid();
***************
*** 1195,1201 ****
the accepted socket. Reinitialize logging (since our
pid has changed). We break out of the loop to handle
the connection. */
! close(listen_sock);
sock_in = newsock;
sock_out = newsock;
#ifdef LIBWRAP
--- 1257,1263 ----
the accepted socket. Reinitialize logging (since our
pid has changed). We break out of the loop to handle
the connection. */
! close_listen_socks();
sock_in = newsock;
sock_out = newsock;
#ifdef LIBWRAP
***************
*** 1233,1238 ****
--- 1295,1304 ----
/* Close the new socket (the child is now taking care of it). */
close(newsock);
+ } /* for (i = 0; i < num_host_socks; i++) */
+ /* child process check (or debug mode) */
+ if (num_listen_socks < 0)
+ break;
}
}
***************
*** 2205,2210 ****
--- 2271,2279 ----
krb5_parse_name(ssh_context, user, &client);
#endif /* defined(KERBEROS) && defined(KRB5) */
+ #ifdef ENABLE_LOG_AUTH
+ unauthenticated_user = user;
+ #endif /* ENABLE_LOG_AUTH */
/* Verify that the user is a valid user. We disallow usernames starting
with any characters that are commonly used to start NIS entries. */
pw = getpwnam(user);
***************
*** 2222,2228 ****
pwcopy.pw_class = xstrdup(pw->pw_class);
@ -9,7 +426,7 @@
pwcopy.pw_dir = xstrdup(pw->pw_dir);
pwcopy.pw_shell = xstrdup(pw->pw_shell);
pw = &pwcopy;
--- 2222,2228 ----
--- 2291,2297 ----
pwcopy.pw_class = xstrdup(pw->pw_class);
pwcopy.pw_change = pw->pw_change;
pwcopy.pw_expire = pw->pw_expire;
@ -18,7 +435,136 @@
pwcopy.pw_shell = xstrdup(pw->pw_shell);
pw = &pwcopy;
***************
*** 3285,3294 ****
*** 2260,2265 ****
--- 2329,2339 ----
{
/* Authentication with empty password succeeded. */
debug("Login for user %.100s accepted without authentication.", user);
+ #ifdef ENABLE_LOG_AUTH
+ log_auth("%.100s from %.700s (%s)",
+ user, get_canonical_hostname(),
+ "empty password accepted");
+ #endif /* ENABLE_LOG_AUTH */
authentication_type = SSH_AUTH_PASSWORD;
authenticated = 1;
/* Success packet will be sent after loop below. */
***************
*** 2334,2339 ****
--- 2408,2418 ----
/* Client has successfully authenticated to us. */
log_msg("Kerberos authentication accepted %.100s for login to account %.100s from %.200s",
tkt_user, user, get_canonical_hostname());
+ #ifdef ENABLE_LOG_AUTH
+ log_auth("%.100s from %.700s (%s)",
+ user, get_canonical_hostname(),
+ "kerberos authentication accepted");
+ #endif /* ENABLE_LOG_AUTH */
authentication_type = SSH_AUTH_KERBEROS;
authenticated = 1;
break;
***************
*** 2382,2387 ****
--- 2461,2471 ----
/* Authentication accepted. */
log_msg("Rhosts authentication accepted for %.100s, remote %.100s on %.700s.",
user, client_user, get_canonical_hostname());
+ #ifdef ENABLE_LOG_AUTH
+ log_auth("%.100s from %.100s@%.700s (%s)",
+ user, client_user, get_canonical_hostname(),
+ "rhosts authentication accepted");
+ #endif /* ENABLE_LOG_AUTH */
authentication_type = SSH_AUTH_RHOSTS;
authenticated = 1;
remote_user_name = client_user;
***************
*** 2441,2446 ****
--- 2525,2535 ----
options.strict_modes))
{
/* Authentication accepted. */
+ #ifdef ENABLE_LOG_AUTH
+ log_auth("%.100s from %.100s@%.700s (%s)",
+ user, client_user, get_canonical_hostname(),
+ "rhosts with RSA host authentication accepted");
+ #endif /* ENABLE_LOG_AUTH */
authentication_type = SSH_AUTH_RHOSTS_RSA;
authenticated = 1;
remote_user_name = client_user;
***************
*** 2474,2479 ****
--- 2563,2573 ----
/* Successful authentication. */
mpz_clear(&n);
log_msg("RSA authentication for %.100s accepted.", user);
+ #ifdef ENABLE_LOG_AUTH
+ log_auth("%.100s from %.700s (%s)",
+ user, get_canonical_hostname(),
+ "RSA user authentication accepted");
+ #endif /* ENABLE_LOG_AUTH */
authentication_type = SSH_AUTH_RSA;
authenticated = 1;
break;
***************
*** 2608,2613 ****
--- 2702,2712 ----
auth_close();
memset(password, 0, strlen(password));
xfree(password);
+ #ifdef ENABLE_LOG_AUTH
+ log_auth("%.100s from @%.700s (%s)",
+ user, get_canonical_hostname(),
+ "TIS authentication accepted");
+ #endif /* ENABLE_LOG_AUTH */
authentication_type = SSH_AUTH_TIS;
authenticated = 1;
break;
***************
*** 2668,2673 ****
--- 2767,2777 ----
memset(password, 0, strlen(password));
xfree(password);
log_msg("Password authentication for %.100s accepted.", user);
+ #ifdef ENABLE_LOG_AUTH
+ log_auth("%.100s from %.700s (%s)",
+ user, get_canonical_hostname(),
+ "password authentication accepted");
+ #endif /* ENABLE_LOG_AUTH */
authentication_type = SSH_AUTH_PASSWORD;
authenticated = 1;
break;
***************
*** 2708,2713 ****
--- 2812,2822 ----
}
/* Check if the user is logging in as root and root logins are disallowed. */
+ #ifdef ENABLE_LOG_AUTH
+ if ((pw->pw_uid == UID_ROOT && options.permit_root_login == 1) ||
+ (pw->pw_uid == UID_ROOT && options.permit_root_login == 0 && !forced_command))
+ log_auth("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname());
+ #endif /* ENABLE_LOG_AUTH */
if (pw->pw_uid == UID_ROOT && options.permit_root_login == 1)
{
if (authentication_type == SSH_AUTH_PASSWORD)
***************
*** 2775,2780 ****
--- 2884,2892 ----
packet_start(SSH_SMSG_SUCCESS);
packet_send();
packet_write_wait();
+ #ifdef ENABLE_LOG_AUTH
+ unauthenticated_user = NULL;
+ #endif /* ENABLE_LOG_AUTH */
/* Perform session preparation. */
do_authenticated(pw);
***************
*** 3280,3294 ****
char line[256];
struct stat st;
int quiet_login;
! struct sockaddr_in from;
int fromlen;
struct pty_cleanup_context cleanup_context;
#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
login_cap_t *lc;
@ -29,7 +575,12 @@
/* We no longer need the child running on user's privileges. */
userfile_uninit();
--- 3285,3295 ----
--- 3392,3407 ----
char line[256];
struct stat st;
int quiet_login;
! struct sockaddr_storage from;
int fromlen;
struct pty_cleanup_context cleanup_context;
#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
login_cap_t *lc;
@ -42,8 +593,25 @@
/* We no longer need the child running on user's privileges. */
userfile_uninit();
***************
*** 3387,3393 ****
/* Record that there was a login on that terminal. */
record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname,
! &from);
#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
lc = login_getclass(pw->pw_class);
--- 3500,3506 ----
/* Record that there was a login on that terminal. */
record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname,
! (struct sockaddr *)&from);
#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
lc = login_getclass(pw->pw_class);
***************
*** 3446,3451 ****
--- 3447,3460 ----
--- 3559,3572 ----
"The Regents of the University of California. ",
"All rights reserved.");
}
@ -67,7 +635,7 @@
if (pw->pw_change || pw->pw_expire)
(void)gettimeofday(&tp, (struct timezone *)NULL);
if (pw->pw_change)
--- 3478,3484 ----
--- 3590,3596 ----
fputs(line, stdout);
fclose(f);
}
@ -76,6 +644,16 @@
(void)gettimeofday(&tp, (struct timezone *)NULL);
if (pw->pw_change)
***************
*** 3876,3881 ****
--- 3997,4003 ----
char *user_shell;
char *remote_ip;
int remote_port;
+ int local_port;
#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
login_cap_t *lc;
char *real_shell;
***************
*** 3922,3928 ****
while (fgets(buf, sizeof(buf), f))
fputs(buf, stderr);
@ -84,7 +662,7 @@
if (pw->pw_uid != UID_ROOT &&
!login_getcapbool(lc, "ignorenologin", 0))
exit(254);
--- 3931,3937 ----
--- 4044,4050 ----
while (fgets(buf, sizeof(buf), f))
fputs(buf, stderr);
fclose(f);
@ -93,8 +671,131 @@
!login_getcapbool(lc, "ignorenologin", 0))
exit(254);
***************
*** 3981,3986 ****
--- 4103,4109 ----
user_shell = xstrdup(pw->pw_shell);
remote_ip = xstrdup(get_remote_ipaddr());
remote_port = get_remote_port();
+ local_port = get_local_port();
/* Close the connection descriptors; note that this is the child, and the
server will still have the socket open, and it is important that we
***************
*** 4000,4006 ****
/* Close any extra file descriptors. Note that there may still be
descriptors left by system functions. They will be closed later. */
endpwent();
- endhostent();
/* Set dummy encryption key to clear information about the key from
memory. This key will never be used. */
--- 4123,4128 ----
***************
*** 4257,4263 ****
/* Set SSH_CLIENT. */
snprintf(buf, sizeof(buf),
! "%.50s %d %d", remote_ip, remote_port, options.port);
child_set_env(&env, &envsize, "SSH_CLIENT", buf);
/* Set SSH_TTY if we have a pty. */
--- 4379,4385 ----
/* Set SSH_CLIENT. */
snprintf(buf, sizeof(buf),
! "%.50s %d %d", remote_ip, remote_port, local_port);
child_set_env(&env, &envsize, "SSH_CLIENT", buf);
/* Set SSH_TTY if we have a pty. */
***************
*** 4426,4432 ****
int i;
char name[255], *p;
char line[256];
! struct hostent *hp;
strncpy(name, display, sizeof(name));
name[sizeof(name) - 1] = '\0';
--- 4548,4555 ----
int i;
char name[255], *p;
char line[256];
! struct addrinfo hints, *ai, *aitop;
! char ntop[ADDRSTRLEN];
strncpy(name, display, sizeof(name));
name[sizeof(name) - 1] = '\0';
***************
*** 4443,4449 ****
/* Moved this call here to avoid a nasty buf in SunOS
4.1.4 libc where gethostbyname closes an unrelated
file descriptor. */
! hp = gethostbyname(name);
snprintf(line, sizeof(line),
"%.200s -q -", options.xauth_path);
--- 4566,4575 ----
/* Moved this call here to avoid a nasty buf in SunOS
4.1.4 libc where gethostbyname closes an unrelated
file descriptor. */
! memset(&hints, 0, sizeof(hints));
! hints.ai_family = IPv4or6;
! if (getaddrinfo(name, NULL, &hints, &aitop) != 0)
! aitop = 0;
snprintf(line, sizeof(line),
"%.200s -q -", options.xauth_path);
***************
*** 4461,4481 ****
cp - display, display, cp, auth_proto,
auth_data);
#endif
! if (hp)
{
! for(i = 0; hp->h_addr_list[i]; i++)
{
if (debug_flag)
{
fprintf(stderr, "Running %s add %s%s %s %s\n",
options.xauth_path,
! inet_ntoa(*((struct in_addr *)
! hp->h_addr_list[i])),
cp, auth_proto, auth_data);
}
fprintf(f, "add %s%s %s %s\n",
! inet_ntoa(*((struct in_addr *)
! hp->h_addr_list[i])),
cp, auth_proto, auth_data);
}
}
--- 4587,4610 ----
cp - display, display, cp, auth_proto,
auth_data);
#endif
! if (aitop)
{
! for (ai = aitop; ai; ai = ai->ai_next)
{
+ getnameinfo(ai->ai_addr, ai->ai_addrlen,
+ ntop, sizeof(ntop), NULL, 0,
+ NI_NUMERICHOST);
+ if (strchr(ntop, ':'))
+ continue; /* XXX - xauth doesn't accept it */
if (debug_flag)
{
fprintf(stderr, "Running %s add %s%s %s %s\n",
options.xauth_path,
! ntop,
cp, auth_proto, auth_data);
}
fprintf(f, "add %s%s %s %s\n",
! ntop,
cp, auth_proto, auth_data);
}
}
***************
*** 4525,4531 ****
--- 4534,4544 ----
--- 4654,4664 ----
struct stat mailbuf;
if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0)

87
security/ssh/files/patch-ag
View File

@ -1,33 +1,54 @@
--- auth-kerberos.c.orig Sun Jun 6 02:01:32 1999
+++ auth-kerberos.c Sun Jun 6 02:01:33 1999
@@ -120,10 +120,18 @@
debug("Kerberos invalid service name (%.100s).", server);
packet_send_debug("Kerberos invalid service name (%.100s).", server);
+#ifdef krb5_xfree
krb5_xfree(server);
+#else
+ free(server);
+#endif
return 0;
}
+#ifdef krb5_xfree
krb5_xfree(server);
+#else
+ free(server);
+#endif
/* Extract the users name from the ticket client principal */
problem = krb5_copy_principal(ssh_context, ticket->enc_part2->client,
@@ -159,7 +167,11 @@
packet_put_string((char *) reply.data, reply.length);
packet_send();
packet_write_wait();
+#ifdef krb5_xfree
krb5_xfree(reply.data);
+#else
+ krb5_free_data_contents(ssh_context, &reply);
+#endif
return 1;
}
#endif /* KRB5 */
*** auth-kerberos.c.orig Tue Jan 11 20:33:46 2000
--- auth-kerberos.c Tue Jan 11 20:33:38 2000
***************
*** 120,129 ****
--- 120,137 ----
debug("Kerberos invalid service name (%.100s).", server);
packet_send_debug("Kerberos invalid service name (%.100s).", server);
+ #ifdef krb5_xfree
krb5_xfree(server);
+ #else
+ free(server);
+ #endif
return 0;
}
+ #ifdef krb5_xfree
krb5_xfree(server);
+ #else
+ free(server);
+ #endif
/* Extract the users name from the ticket client principal */
problem = krb5_copy_principal(ssh_context, ticket->enc_part2->client,
***************
*** 159,165 ****
--- 167,177 ----
packet_put_string((char *) reply.data, reply.length);
packet_send();
packet_write_wait();
+ #ifdef krb5_xfree
krb5_xfree(reply.data);
+ #else
+ krb5_free_data_contents(ssh_context, &reply);
+ #endif
return 1;
}
#endif /* KRB5 */
***************
*** 177,183 ****
extern char *ticket;
static krb5_principal rcache_server = 0;
static krb5_rcache rcache;
! struct sockaddr_in local, foreign;
krb5_address *local_addr, *remote_addr;
int s;
--- 189,195 ----
extern char *ticket;
static krb5_principal rcache_server = 0;
static krb5_rcache rcache;
! struct sockaddr_storage local, foreign;
krb5_address *local_addr, *remote_addr;
int s;

409
security/ssh/files/patch-al
View File

@ -1,27 +1,404 @@
*** sshconnect.c.orig Wed May 12 20:19:29 1999
--- sshconnect.c Sun Jun 6 02:39:02 1999
*** sshconnect.c.orig Wed May 12 13:19:29 1999
--- sshconnect.c Wed Jan 12 00:34:55 2000
***************
*** 347,352 ****
--- 347,358 ----
*** 337,343 ****
/* Creates a (possibly privileged) socket for use as the ssh connection. */
! int ssh_create_socket(uid_t original_real_uid, int privileged)
{
int sock;
--- 337,343 ----
/* Creates a (possibly privileged) socket for use as the ssh connection. */
! int ssh_create_socket(uid_t original_real_uid, int privileged, int family)
{
int sock;
***************
*** 345,385 ****
bind our own socket to a privileged port. */
if (privileged)
{
struct sockaddr_in sin;
! struct sockaddr_in sin;
int p;
+ #if (defined(__OpenBSD__) || defined(__FreeBSD__)) && !defined(SOCKS)
+ p = 1023; /* Compat with old FreeBSD */
+ sock = rresvport(&p);
+ if (sock < 0)
+ fatal("rresvport: %.100s", strerror(errno));
+ #else
for (p = 1023; p > 512; p--)
{
sock = socket(AF_INET, SOCK_STREAM, 0);
***************
*** 374,379 ****
--- 380,386 ----
! sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0)
fatal("socket: %.100s", strerror(errno));
! /* Initialize the desired sockaddr_in structure. */
! memset(&sin, 0, sizeof(sin));
! sin.sin_family = AF_INET;
! sin.sin_addr.s_addr = INADDR_ANY;
! sin.sin_port = htons(p);
/* Try to bind the socket to the privileged port. */
#if defined(SOCKS)
! if (Rbind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
break; /* Success. */
#else /* SOCKS */
! if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
break; /* Success. */
#endif /* SOCKS */
if (errno == EADDRINUSE)
{
close(sock);
continue;
}
fatal("bind: %.100s", strerror(errno));
}
+ #endif
debug("Allocated local port %d.", p);
}
else
{
/* Just create an ordinary socket on arbitrary port. */
! sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0)
fatal("socket: %.100s", strerror(errno));
}
--- 345,392 ----
bind our own socket to a privileged port. */
if (privileged)
{
! struct addrinfo hints, *ai = NULL;
! int errgai;
! char strport[PORTSTRLEN];
int p;
for (p = 1023; p > 512; p--)
{
! sock = socket(family, SOCK_STREAM, 0);
if (sock < 0)
fatal("socket: %.100s", strerror(errno));
! /* Initialize the desired addrinfo structure. */
! memset(&hints, 0, sizeof(hints));
! hints.ai_family = family;
! hints.ai_flags = AI_PASSIVE;
! hints.ai_socktype = SOCK_STREAM;
! sprintf(strport, "%d", p);
! if ((errgai = getaddrinfo(NULL, strport, &hints, &ai)) != 0)
! fatal("getaddrinfo: %.100s", gai_strerror(errgai));
/* Try to bind the socket to the privileged port. */
#if defined(SOCKS)
! if (Rbind(sock, ai->ai_addr, ai->ai_addrlen) >= 0)
break; /* Success. */
#else /* SOCKS */
! if (bind(sock, ai->ai_addr, ai->ai_addrlen) >= 0)
break; /* Success. */
#endif /* SOCKS */
if (errno == EADDRINUSE)
{
close(sock);
+ freeaddrinfo(ai);
continue;
}
fatal("bind: %.100s", strerror(errno));
}
debug("Allocated local port %d.", p);
+ freeaddrinfo(ai);
}
else
{
/* Just create an ordinary socket on arbitrary port. */
! sock = socket(family, SOCK_STREAM, 0);
if (sock < 0)
fatal("socket: %.100s", strerror(errno));
}
***************
*** 396,409 ****
the daemon. */
int ssh_connect(const char *host, int port, int connection_attempts,
int anonymous, uid_t original_real_uid,
const char *proxy_command, RandomState *random_state)
{
int sock = -1, attempt, i;
int on = 1;
struct servent *sp;
! struct hostent *hp;
! struct sockaddr_in hostaddr;
#if defined(SO_LINGER) && defined(ENABLE_SO_LINGER)
struct linger linger;
#endif /* SO_LINGER */
--- 403,421 ----
the daemon. */
int ssh_connect(const char *host, int port, int connection_attempts,
+ #ifdef ENABLE_ANOTHER_PORT_TRY
+ int another_port,
+ #endif /* ENABLE_ANOTHER_PORT_TRY */
int anonymous, uid_t original_real_uid,
const char *proxy_command, RandomState *random_state)
{
int sock = -1, attempt, i;
int on = 1;
struct servent *sp;
! struct addrinfo hints, *ai, *aitop, *aitmp;
! struct sockaddr_storage hostaddr;
! char ntop[ADDRSTRLEN], strport[PORTSTRLEN];
! int gaierr;
#if defined(SO_LINGER) && defined(ENABLE_SO_LINGER)
struct linger linger;
#endif /* SO_LINGER */
***************
*** 421,430 ****
port = SSH_DEFAULT_PORT;
}
- /* Map localhost to ip-address locally */
- if (strcmp(host, "localhost") == 0)
- host = "127.0.0.1";
-
/* If a proxy command is given, connect using it. */
if (proxy_command != NULL && *proxy_command)
return ssh_proxy_connect(host, port, original_real_uid, proxy_command,
--- 433,438 ----
***************
*** 432,440 ****
/* No proxy command. */
! /* No host lookup made yet. */
! hp = NULL;
!
/* Try to connect several times. On some machines, the first time will
sometimes fail. In general socket code appears to behave quite
magically on many machines. */
--- 440,467 ----
/* No proxy command. */
! memset(&hints, 0, sizeof(hints));
! hints.ai_family = IPv4or6;
! hints.ai_socktype = SOCK_STREAM;
! sprintf(strport, "%d", port);
! if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
! fatal("Bad host name: %.100s (%s)", host, gai_strerror(gaierr));
!
! #ifdef ENABLE_ANOTHER_PORT_TRY
! if (another_port)
! {
! aitmp = aitop;
! memset(&hints, 0, sizeof(hints));
! hints.ai_family = IPv4or6;
! hints.ai_socktype = SOCK_STREAM;
! sprintf(strport, "%d", another_port);
! if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
! fatal("Bad host name: %.100s (%s)", host, gai_strerror(gaierr));
! for (ai = aitop; ai->ai_next; ai = ai->ai_next);
! ai->ai_next = aitmp;
! }
! #endif /* ENABLE_ANOTHER_PORT_TRY */
!
/* Try to connect several times. On some machines, the first time will
sometimes fail. In general socket code appears to behave quite
magically on many machines. */
***************
*** 443,545 ****
if (attempt > 0)
debug("Trying again...");
- /* Try to parse the host name as a numeric inet address. */
- memset(&hostaddr, 0, sizeof(hostaddr));
- hostaddr.sin_family = AF_INET;
- hostaddr.sin_port = htons(port);
- #ifdef BROKEN_INET_ADDR
- hostaddr.sin_addr.s_addr = inet_network(host);
- #else /* BROKEN_INET_ADDR */
- hostaddr.sin_addr.s_addr = inet_addr(host);
- #endif /* BROKEN_INET_ADDR */
- if ((hostaddr.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
- {
- /* Create a socket. */
- sock = ssh_create_socket(original_real_uid,
- !anonymous && geteuid() == UID_ROOT);
-
- /* Valid numeric IP address */
- debug("Connecting to %.100s port %d.",
- inet_ntoa(hostaddr.sin_addr), port);
-
- /* Connect to the host. */
- #if defined(SOCKS)
- if (Rconnect(sock, (struct sockaddr *)&hostaddr, sizeof(hostaddr))
- #else /* SOCKS */
- if (connect(sock, (struct sockaddr *)&hostaddr, sizeof(hostaddr))
- #endif /* SOCKS */
- >= 0)
- {
- /* Successful connect. */
- break;
- }
- debug("connect: %.100s", strerror(errno));
-
- /* Destroy the failed socket. */
- shutdown(sock, 2);
- close(sock);
- }
- else
- {
- /* Not a valid numeric inet address. */
- /* Map host name to an address. */
- if (!hp)
- {
- struct hostent *hp_static;
-
- #if defined(SOCKS5)
- hp_static = Rgethostbyname(host);
- #else
- hp_static = gethostbyname(host);
- #endif
- if (hp_static)
- {
- hp = xmalloc(sizeof(struct hostent));
- memcpy(hp, hp_static, sizeof(struct hostent));
-
- /* Copy list of addresses, not just pointers.
- We don't use h_name & h_aliases so leave them as is */
- for (i = 0; hp_static->h_addr_list[i]; i++)
- ; /* count them */
- hp->h_addr_list = xmalloc((i + 1) *
- sizeof(hp_static->h_addr_list[0]));
- for (i = 0; hp_static->h_addr_list[i]; i++)
- {
- hp->h_addr_list[i] = xmalloc(hp->h_length);
- memcpy(hp->h_addr_list[i], hp_static->h_addr_list[i],
- hp->h_length);
- }
- hp->h_addr_list[i] = NULL; /* last one */
- }
- }
- if (!hp)
- fatal("Bad host name: %.100s", host);
- if (!hp->h_addr_list[0])
- fatal("Host does not have an IP address: %.100s", host);
-
/* Loop through addresses for this host, and try each one in
sequence until the connection succeeds. */
! for (i = 0; hp->h_addr_list[i]; i++)
{
! /* Set the address to connect to. */
! hostaddr.sin_family = hp->h_addrtype;
! memcpy(&hostaddr.sin_addr, hp->h_addr_list[i],
! sizeof(hostaddr.sin_addr));
! debug("Connecting to %.200s [%.100s] port %d.",
! host, inet_ntoa(hostaddr.sin_addr), port);
/* Create a socket for connecting. */
sock = ssh_create_socket(original_real_uid,
! !anonymous && geteuid() == UID_ROOT);
/* Connect to the host. */
#if defined(SOCKS)
! if (Rconnect(sock, (struct sockaddr *)&hostaddr,
! sizeof(hostaddr)) >= 0)
#else /* SOCKS */
! if (connect(sock, (struct sockaddr *)&hostaddr,
! sizeof(hostaddr)) >= 0)
#endif /* SOCKS */
{
/* Successful connection. */
--- 470,496 ----
if (attempt > 0)
debug("Trying again...");
/* Loop through addresses for this host, and try each one in
sequence until the connection succeeds. */
! for (ai = aitop; ai; ai = ai->ai_next)
{
! getnameinfo(ai->ai_addr, ai->ai_addrlen,
! ntop, sizeof(ntop), strport, sizeof(strport),
! NI_NUMERICHOST|NI_NUMERICSERV);
! debug("Connecting to %.200s [%.100s] port %s.",
! host, ntop, strport);
/* Create a socket for connecting. */
sock = ssh_create_socket(original_real_uid,
! !anonymous && geteuid() == UID_ROOT,
! ai->ai_family);
/* Connect to the host. */
#if defined(SOCKS)
! if (Rconnect(sock, ai->ai_addr, ai->ai_addrlen) >= 0)
#else /* SOCKS */
! if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0)
#endif /* SOCKS */
{
/* Successful connection. */
***************
*** 552,573 ****
returned an error. */
shutdown(sock, 2);
close(sock);
! }
! if (hp->h_addr_list[i])
break; /* Successful connection. */
- }
/* Sleep a moment before retrying. */
sleep(1);
}
! if (hp)
! {
! for (i = 0; hp->h_addr_list[i]; i++)
! xfree(hp->h_addr_list[i]);
! xfree(hp->h_addr_list);
! xfree(hp);
! }
/* Return failure if we didn't get a successful connection. */
if (attempt >= connection_attempts)
--- 503,517 ----
returned an error. */
shutdown(sock, 2);
close(sock);
! } /* for (ai = aitop; ai; ai = ai->ai_next) */
! if (ai)
break; /* Successful connection. */
/* Sleep a moment before retrying. */
sleep(1);
}
! freeaddrinfo(aitop);
/* Return failure if we didn't get a successful connection. */
if (attempt >= connection_attempts)
***************
*** 578,586 ****
--- 522,532 ----
/* Set socket options. We would like the socket to disappear as soon as
it has been closed for whatever reason. */
/* setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */
+ #if 0 /* XXX */
#if defined(TCP_NODELAY) && defined(ENABLE_TCP_NODELAY)
setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void *)&on, sizeof(on));
#endif /* TCP_NODELAY */
+ #endif /* 0 */
#if defined(SO_LINGER) && defined(ENABLE_SO_LINGER)
linger.l_onoff = 1;
linger.l_linger = 15;
***************
*** 946,952 ****
int ap_opts, ret_stat = 0;
krb5_keyblock *session_key = 0;
krb5_ap_rep_enc_part *repl = 0;
! struct sockaddr_in local, foreign;
memset(&auth, 0 , sizeof(auth));
remotehost = (char *) get_canonical_hostname();
--- 892,898 ----
int ap_opts, ret_stat = 0;
krb5_keyblock *session_key = 0;
krb5_ap_rep_enc_part *repl = 0;
! struct sockaddr_storage local, foreign;
memset(&auth, 0 , sizeof(auth));
remotehost = (char *) get_canonical_hostname();

618
security/ssh/files/patch-ao
View File

@ -1,35 +1,583 @@
--- newchannels.c.orig Wed May 12 12:19:27 1999
+++ newchannels.c Fri Jun 18 12:10:26 1999
@@ -282,6 +282,11 @@
#endif /* NEED_SYS_SYSLOG_H */
#endif /* LIBWRAP */
+#ifdef __FreeBSD__
+#include <utmp.h>
+#include <osreldate.h>
+#endif
+
/* Directory in which the fake unix-domain X11 displays reside. */
#ifndef X11_DIR
#define X11_DIR "/tmp/.X11-unix"
@@ -1891,6 +1896,9 @@
fatal("gethostname: %.100s", strerror(errno));
snprintf(buf, sizeof(buf),
"%.400s:%d.%d", hostname, display_number, screen_number);
+#if __FreeBSD_version >= 320000
+ trimdomain(buf, UT_HOSTSIZE);
+#endif
#else /* HAVE_GETHOSTNAME */
if (uname(&uts) < 0)
fatal("uname: %.100s", strerror(errno));
@@ -2412,6 +2420,10 @@
ssh-agent connections on your system */
old_umask = umask(S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+ /* Make sure the socket doesn't already exist, left over from a system
+ crash perhaps. */
+ unlink(channel_forwarded_auth_socket_name);
+
if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < 0)
packet_disconnect("Agent socket bind failed: %.100s", strerror(errno));
*** newchannels.c.orig Tue Jan 11 20:38:09 2000
--- newchannels.c Tue Jan 11 20:38:02 2000
***************
*** 282,287 ****
--- 282,292 ----
#endif /* NEED_SYS_SYSLOG_H */
#endif /* LIBWRAP */
+ #ifdef __FreeBSD__
+ #include <utmp.h>
+ #include <osreldate.h>
+ #endif
+
/* Directory in which the fake unix-domain X11 displays reside. */
#ifndef X11_DIR
#define X11_DIR "/tmp/.X11-unix"
***************
*** 1405,1417 ****
int host_port, int gatewayports)
{
int ch, sock;
! struct sockaddr_in sin;
if (strlen(host) > sizeof(channels[0].path) - 1)
packet_disconnect("Forward host name too long.");
/* Create a port to listen for the host. */
! sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0)
packet_disconnect("socket: %.100s", strerror(errno));
--- 1410,1438 ----
int host_port, int gatewayports)
{
int ch, sock;
! struct addrinfo hints, *ai, *aitop;
! char ntop[ADDRSTRLEN], strport[PORTSTRLEN];
if (strlen(host) > sizeof(channels[0].path) - 1)
packet_disconnect("Forward host name too long.");
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = IPv4or6;
+ hints.ai_flags = gatewayports ? AI_PASSIVE : 0;
+ hints.ai_socktype = SOCK_STREAM;
+ sprintf(strport, "%d", port);
+ if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
+ packet_disconnect("getaddrinfo: fatal error");
+
+ for (ai = aitop; ai; ai = ai->ai_next)
+ {
+
+ getnameinfo(ai->ai_addr, ai->ai_addrlen,
+ ntop, sizeof(ntop), strport, sizeof(strport),
+ NI_NUMERICHOST|NI_NUMERICSERV);
+
/* Create a port to listen for the host. */
! sock = socket(ai->ai_family, SOCK_STREAM, 0);
if (sock < 0)
packet_disconnect("socket: %.100s", strerror(errno));
***************
*** 1421,1441 ****
(void)fcntl(sock, F_SETFL, O_NDELAY);
#endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */
! /* Initialize socket address. */
! memset(&sin, 0, sizeof(sin));
! sin.sin_family = AF_INET;
! if (gatewayports)
! sin.sin_addr.s_addr = INADDR_ANY;
! else
! #ifdef BROKEN_INET_ADDR
! sin.sin_addr.s_addr = inet_network("127.0.0.1");
! #else /* BROKEN_INET_ADDR */
! sin.sin_addr.s_addr = inet_addr("127.0.0.1");
! #endif /* BROKEN_INET_ADDR */
! sin.sin_port = htons(port);
!
/* Bind the socket to the address. */
! if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
packet_disconnect("bind: %.100s", strerror(errno));
/* Start listening for connections on the socket. */
--- 1442,1451 ----
(void)fcntl(sock, F_SETFL, O_NDELAY);
#endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */
! debug("Listening on %s port %s.", ntop, strport);
!
/* Bind the socket to the address. */
! if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0)
packet_disconnect("bind: %.100s", strerror(errno));
/* Start listening for connections on the socket. */
***************
*** 1448,1453 ****
--- 1458,1466 ----
strcpy(channels[ch].path, host); /* note: host name stored here */
channels[ch].host_port = host_port; /* port on host to connect to */
channels[ch].listening_port = port; /* port being listened */
+
+ } /* for (ai = aitop; ai; ai = ai->ai_next) */
+ freeaddrinfo(aitop);
}
/* Initiate forwarding of connections to port "port" on remote host through
***************
*** 1636,1644 ****
void channel_input_port_open(void)
{
int remote_channel, sock, newch, host_port, i;
- struct sockaddr_in sin;
char *host, *originator_string;
! struct hostent *hp;
/* Get remote channel number. */
remote_channel = packet_get_int();
--- 1649,1658 ----
void channel_input_port_open(void)
{
int remote_channel, sock, newch, host_port, i;
char *host, *originator_string;
! struct addrinfo hints, *ai, *aitop;
! char ntop[ADDRSTRLEN], strport[PORTSTRLEN];
! int gaierr;
/* Get remote channel number. */
remote_channel = packet_get_int();
***************
*** 1678,1713 ****
}
}
! memset(&sin, 0, sizeof(sin));
! #ifdef BROKEN_INET_ADDR
! sin.sin_addr.s_addr = inet_network(host);
! #else /* BROKEN_INET_ADDR */
! sin.sin_addr.s_addr = inet_addr(host);
! #endif /* BROKEN_INET_ADDR */
! if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
! {
! /* It was a valid numeric host address. */
! sin.sin_family = AF_INET;
! }
! else
{
! /* Look up the host address from the name servers. */
! hp = gethostbyname(host);
! if (!hp)
! {
! error("%.100s: unknown host.", host);
! goto fail;
! }
! if (!hp->h_addr_list[0])
! {
! error("%.100s: host has no IP address.", host);
! goto fail;
! }
! sin.sin_family = hp->h_addrtype;
! memcpy(&sin.sin_addr, hp->h_addr_list[0],
! sizeof(sin.sin_addr));
}
- sin.sin_port = htons(host_port);
#ifdef F_SECURE_COMMERCIAL
--- 1692,1706 ----
}
}
! memset(&hints, 0, sizeof(hints));
! hints.ai_family = IPv4or6;
! hints.ai_socktype = SOCK_STREAM;
! sprintf(strport, "%d", host_port);
! if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
{
! error("%.100s: unknown host (%s)", host, gai_strerror(gaierr));
! goto fail;
}
#ifdef F_SECURE_COMMERCIAL
***************
*** 1744,1751 ****
#endif /* F_SECURE_COMMERCIAL */
/* Create the socket. */
! sock = socket(sin.sin_family, SOCK_STREAM, 0);
if (sock < 0)
{
error("socket: %.100s", strerror(errno));
--- 1737,1751 ----
#endif /* F_SECURE_COMMERCIAL */
+ for (ai = aitop; ai; ai = ai->ai_next)
+ {
+
+ getnameinfo(ai->ai_addr, ai->ai_addrlen,
+ ntop, sizeof(ntop), strport, sizeof(strport),
+ NI_NUMERICHOST|NI_NUMERICSERV);
+
/* Create the socket. */
! sock = socket(ai->ai_family, SOCK_STREAM, 0);
if (sock < 0)
{
error("socket: %.100s", strerror(errno));
***************
*** 1753,1767 ****
}
/* Connect to the host/port. */
! if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
{
! error("connect %.100s:%d: %.100s", host, host_port,
! strerror(errno));
close(sock);
goto fail;
}
/* Successful connection. */
#if defined(O_NONBLOCK) && !defined(O_NONBLOCK_BROKEN)
(void)fcntl(sock, F_SETFL, O_NONBLOCK);
--- 1753,1777 ----
}
/* Connect to the host/port. */
! if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0)
{
! debug("connect %.100s port %s: %.100s", ntop, strport, strerror(errno));
close(sock);
+ continue; /* fail -- try next */
+ }
+ break; /* success */
+
+ } /* for (ai = aitop; ai; ai = ai->ai_next) */
+ freeaddrinfo(aitop);
+
+ if (!ai)
+ {
+ error("connect %.100s:%d: failed.", host, host_port);
goto fail;
}
/* Successful connection. */
+ debug("Connecting to %.200s [%.100s] port %s.", host, ntop, strport);
#if defined(O_NONBLOCK) && !defined(O_NONBLOCK_BROKEN)
(void)fcntl(sock, F_SETFL, O_NONBLOCK);
***************
*** 1803,1809 ****
{
extern ServerOptions options;
int display_number, port, sock;
! struct sockaddr_in sin;
char buf[512];
#ifdef HAVE_GETHOSTNAME
char hostname[257];
--- 1813,1822 ----
{
extern ServerOptions options;
int display_number, port, sock;
! struct addrinfo hints, *ai, *aitop;
! char strport[PORTSTRLEN];
! #define NUM_SOCKS 10
! int gaierr, n, nn, num_socks = 0, socks[NUM_SOCKS];
char buf[512];
#ifdef HAVE_GETHOSTNAME
char hostname[257];
***************
*** 1817,1828 ****
for (display_number = options.x11_display_offset; display_number < MAX_DISPLAYS; display_number++)
{
port = 6000 + display_number;
! memset(&sin, 0, sizeof(sin));
! sin.sin_family = AF_INET;
! sin.sin_addr.s_addr = INADDR_ANY;
! sin.sin_port = htons(port);
! sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0)
{
error("socket: %.100s", strerror(errno));
--- 1830,1850 ----
for (display_number = options.x11_display_offset; display_number < MAX_DISPLAYS; display_number++)
{
port = 6000 + display_number;
! memset(&hints, 0, sizeof(hints));
! hints.ai_family = IPv4or6;
! hints.ai_flags = AI_PASSIVE;
! hints.ai_socktype = SOCK_STREAM;
! sprintf(strport, "%d", port);
! if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0)
! {
! error("getaddrinfo: %.100s", gai_strerror(gaierr));
! return NULL;
! }
!
! for (ai = aitop; ai; ai = ai->ai_next)
! {
! sock = socket(ai->ai_family, SOCK_STREAM, 0);
if (sock < 0)
{
error("socket: %.100s", strerror(errno));
***************
*** 1835,1847 ****
(void)fcntl(sock, F_SETFL, O_NDELAY);
#endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */
! if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
{
debug("bind port %d: %.100s", port, strerror(errno));
shutdown(sock, 2);
close(sock);
! continue;
}
break;
}
if (display_number >= MAX_DISPLAYS)
--- 1857,1882 ----
(void)fcntl(sock, F_SETFL, O_NDELAY);
#endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */
! if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0)
{
debug("bind port %d: %.100s", port, strerror(errno));
shutdown(sock, 2);
close(sock);
! for (n = 0; n < num_socks; n++)
! {
! shutdown(socks[n], 2);
! close(socks[n]);
! }
! num_socks = 0;
! break;
}
+
+ socks[num_socks++] = sock;
+ if (num_socks == NUM_SOCKS)
+ break;
+ } /* for (ai = aitop; ai; ai = ai->ai_next) */
+
+ if (num_socks > 0)
break;
}
if (display_number >= MAX_DISPLAYS)
***************
*** 1851,1863 ****
--- 1886,1907 ----
}
/* Start listening for connections on the socket. */
+ for (n = 0; n < num_socks; n++)
+ {
+ sock = socks[n];
if (listen(sock, 5) < 0)
{
error("listen: %.100s", strerror(errno));
shutdown(sock, 2);
close(sock);
+ for (nn = 0; nn < n; nn++)
+ {
+ shutdown(socks[nn], 2);
+ close(socks[nn]);
+ }
return NULL;
}
+ } /* for (n = 0; n < num_socks; n++) */
/* Set up a suitable value for the DISPLAY variable. */
#ifdef NONSTANDARD_IP_ADDRESS_X11_KLUDGE
***************
*** 1868,1877 ****
if (gethostname(hostname, sizeof(hostname)) < 0)
fatal("gethostname: %.100s", strerror(errno));
{
! struct hostent *hp;
! struct in_addr addr;
! hp = gethostbyname(hostname);
! if (hp == NULL || !hp->h_addr_list[0])
{
error("Could not get server IP address for %.200s.", hostname);
packet_send_debug("Could not get server IP address for %.200s.",
--- 1912,1922 ----
if (gethostname(hostname, sizeof(hostname)) < 0)
fatal("gethostname: %.100s", strerror(errno));
{
! struct addrinfo hints, *ai;
! char ntop[ADDRSTRLEN];
! memset(&hints, 0, sizeof(hints));
! hints.ai_family = IPv4or6;
! if (getaddrinfo(hostname, NULL, &hints, &ai) != 0 || !ai)
{
error("Could not get server IP address for %.200s.", hostname);
packet_send_debug("Could not get server IP address for %.200s.",
***************
*** 1880,1888 ****
close(sock);
return NULL;
}
! memcpy(&addr, hp->h_addr_list[0], sizeof(addr));
snprintf(buf, sizeof(buf),
! "%.100s:%d.%d", inet_ntoa(addr), display_number,
screen_number);
}
#else /* NONSTANDARD_IP_ADDRESS_X11_KLUDGE */
--- 1925,1934 ----
close(sock);
return NULL;
}
! getnameinfo(ai->ai_addr, ai->ai_addrlen,
! ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST);
snprintf(buf, sizeof(buf),
! "%.100s:%d.%d", ntop, display_number,
screen_number);
}
#else /* NONSTANDARD_IP_ADDRESS_X11_KLUDGE */
***************
*** 1891,1896 ****
--- 1937,1945 ----
fatal("gethostname: %.100s", strerror(errno));
snprintf(buf, sizeof(buf),
"%.400s:%d.%d", hostname, display_number, screen_number);
+ #if __FreeBSD_version >= 320000
+ trimdomain(buf, UT_HOSTSIZE);
+ #endif
#else /* HAVE_GETHOSTNAME */
if (uname(&uts) < 0)
fatal("uname: %.100s", strerror(errno));
***************
*** 1900,1907 ****
--- 1949,1960 ----
#endif /* NONSTANDARD_IP_ADDRESS_X11_KLUDGE */
/* Allocate a channel for the socket. */
+ for (n = 0; n < num_socks; n++)
+ {
+ sock = socks[n];
(void)channel_allocate(SSH_CHANNEL_X11_LISTENER, sock,
xstrdup("X11 inet listener"));
+ } /* for (n = 0; n < num_socks; n++) */
/* Return a suitable value for the DISPLAY environment variable. */
return xstrdup(buf);
***************
*** 1916,1924 ****
int remote_channel, display_number, sock, newch;
const char *display;
struct sockaddr_un ssun;
- struct sockaddr_in sin;
char buf[255], *cp, *remote_host;
! struct hostent *hp;
/* Get remote channel number. */
remote_channel = packet_get_int();
--- 1969,1978 ----
int remote_channel, display_number, sock, newch;
const char *display;
struct sockaddr_un ssun;
char buf[255], *cp, *remote_host;
! struct addrinfo hints, *ai, *aitop;
! char strport[PORTSTRLEN];
! int gaierr;
/* Get remote channel number. */
remote_channel = packet_get_int();
***************
*** 2058,2110 ****
goto fail;
}
! /* Try to parse the host name as a numeric IP address. */
! memset(&sin, 0, sizeof(sin));
! #ifdef BROKEN_INET_ADDR
! sin.sin_addr.s_addr = inet_network(buf);
! #else /* BROKEN_INET_ADDR */
! sin.sin_addr.s_addr = inet_addr(buf);
! #endif /* BROKEN_INET_ADDR */
! if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
{
! /* It was a valid numeric host address. */
! sin.sin_family = AF_INET;
}
! else
{
- /* Not a numeric IP address. */
- /* Look up the host address from the name servers. */
- hp = gethostbyname(buf);
- if (!hp)
- {
- error("%.100s: unknown host.", buf);
- goto fail;
- }
- if (!hp->h_addr_list[0])
- {
- error("%.100s: host has no IP address.", buf);
- goto fail;
- }
- sin.sin_family = hp->h_addrtype;
- memcpy(&sin.sin_addr, hp->h_addr_list[0],
- sizeof(sin.sin_addr));
- }
- /* Set port number. */
- sin.sin_port = htons(6000 + display_number);
/* Create a socket. */
! sock = socket(sin.sin_family, SOCK_STREAM, 0);
if (sock < 0)
{
! error("socket: %.100s", strerror(errno));
! goto fail;
}
/* Connect it to the display. */
! if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
{
! error("connect %.100s:%d: %.100s", buf, 6000 + display_number,
strerror(errno));
close(sock);
goto fail;
}
--- 2112,2155 ----
goto fail;
}
! /* Look up the host address */
! memset(&hints, 0, sizeof(hints));
! hints.ai_family = IPv4or6;
! hints.ai_socktype = SOCK_STREAM;
! sprintf(strport, "%d", 6000 + display_number);
! if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0)
{
! error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr));
! goto fail;
}
!
! for (ai = aitop; ai; ai = ai->ai_next)
{
/* Create a socket. */
! sock = socket(ai->ai_family, SOCK_STREAM, 0);
if (sock < 0)
{
! debug("socket: %.100s", strerror(errno));
! continue;
}
/* Connect it to the display. */
! if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0)
{
! debug("connect %.100s:%d: %.100s", buf, 6000 + display_number,
strerror(errno));
close(sock);
+ continue;
+ }
+ /* Success */
+ break;
+
+ } /* (ai = aitop, ai; ai = ai->ai_next) */
+ freeaddrinfo(aitop);
+ if (!ai)
+ {
+ error("connect %.100s:%d: %.100s", buf, 6000 + display_number,
+ strerror(errno));
goto fail;
}
***************
*** 2412,2417 ****
--- 2457,2466 ----
ssh-agent connections on your system */
old_umask = umask(S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+ /* Make sure the socket doesn't already exist, left over from a system
+ crash perhaps. */
+ unlink(channel_forwarded_auth_socket_name);
+
if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < 0)
packet_disconnect("Agent socket bind failed: %.100s", strerror(errno));

103
security/ssh/files/patch-aw
View File

@ -1,30 +1,73 @@
--- login.c.orig Wed May 12 12:19:26 1999
+++ login.c Fri Jun 18 12:11:20 1999
@@ -117,6 +117,9 @@
#include <hpsecurity.h>
#include <prot.h>
#endif /* HAVE_HPUX_TCB_AUTH */
+#ifdef __FreeBSD__
+#include <osreldate.h>
+#endif
#include "ssh.h"
/* Returns the time when the user last logged in. Returns 0 if the
@@ -301,12 +304,15 @@
strncpy(u.ut_user, user, sizeof(u.ut_user));
#endif /* HAVE_NAME_IN_UTMP */
#ifdef HAVE_HOST_IN_UTMP
- strncpy(u.ut_host, host, sizeof(u.ut_host));
#ifdef __FreeBSD__
+#if __FreeBSD_version >= 320000
+ trimdomain(host, sizeof u.ut_host);
+#endif
if (strlen(host) > sizeof(u.ut_host)) {
strncpy(u.ut_host, get_remote_ipaddr(), sizeof(u.ut_host));
- }
+ } else
#endif /* __FreeBSD__ */
+ strncpy(u.ut_host, host, sizeof(u.ut_host));
#endif /* HAVE_HOST_IN_UTMP */
#ifdef HAVE_ADDR_IN_UTMP
if (addr)
*** login.c.orig Tue Jan 11 20:36:37 2000
--- login.c Tue Jan 11 20:36:34 2000
***************
*** 117,122 ****
--- 117,125 ----
#include <hpsecurity.h>
#include <prot.h>
#endif /* HAVE_HPUX_TCB_AUTH */
+ #ifdef __FreeBSD__
+ #include <osreldate.h>
+ #endif
#include "ssh.h"
/* Returns the time when the user last logged in. Returns 0 if the
***************
*** 255,261 ****
were more standardized. */
void record_login(int pid, const char *ttyname, const char *user, uid_t uid,
! const char *host, struct sockaddr_in *addr)
{
int fd;
--- 258,264 ----
were more standardized. */
void record_login(int pid, const char *ttyname, const char *user, uid_t uid,
! const char *host, struct sockaddr *addr)
{
int fd;
***************
*** 301,317 ****
strncpy(u.ut_user, user, sizeof(u.ut_user));
#endif /* HAVE_NAME_IN_UTMP */
#ifdef HAVE_HOST_IN_UTMP
- strncpy(u.ut_host, host, sizeof(u.ut_host));
#ifdef __FreeBSD__
if (strlen(host) > sizeof(u.ut_host)) {
strncpy(u.ut_host, get_remote_ipaddr(), sizeof(u.ut_host));
! }
#endif /* __FreeBSD__ */
#endif /* HAVE_HOST_IN_UTMP */
#ifdef HAVE_ADDR_IN_UTMP
if (addr)
memcpy(&u.ut_addr, &addr->sin_addr, sizeof(u.ut_addr));
else
memset(&u.ut_addr, 0, sizeof(u.ut_addr));
#endif
--- 304,325 ----
strncpy(u.ut_user, user, sizeof(u.ut_user));
#endif /* HAVE_NAME_IN_UTMP */
#ifdef HAVE_HOST_IN_UTMP
#ifdef __FreeBSD__
+ #if __FreeBSD_version >= 320000
+ trimdomain(host, sizeof u.ut_host);
+ #endif
if (strlen(host) > sizeof(u.ut_host)) {
strncpy(u.ut_host, get_remote_ipaddr(), sizeof(u.ut_host));
! } else
#endif /* __FreeBSD__ */
+ strncpy(u.ut_host, host, sizeof(u.ut_host));
#endif /* HAVE_HOST_IN_UTMP */
#ifdef HAVE_ADDR_IN_UTMP
+ #if 0 /* XXX */
if (addr)
memcpy(&u.ut_addr, &addr->sin_addr, sizeof(u.ut_addr));
else
+ #endif /* XXX */
memset(&u.ut_addr, 0, sizeof(u.ut_addr));
#endif

176
security/ssh/files/patch-ba Normal file
View File

@ -0,0 +1,176 @@
*** README-IPv6.orig Mon Jan 10 22:56:13 2000
--- README-IPv6 Mon Jan 10 22:56:13 2000
***************
*** 0 ****
--- 1,171 ----
+ ssh-1.2.27-IPv6 version 1.5 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
+
+ * ssh-1.2.27-IPv6 can handle both IPv4 and IPv6.
+
+ To enable sshd/ssh to handle both IPv4 and IPv6,
+
+ ./configure --enable-ipv6
+
+ Otherwise sshd/ssh handle IPv4 only as same as original ssh.
+
+ * You can have multiple ListenAddress lines in /etc/sshd_config.
+ It means that sshd can listen multiple addresses.
+
+ Example1: sshd will bind on these four adresses.
+
+ ListenAddress 202.249.17.50
+ ListenAddress 202.249.17.137
+ ListenAddress 3ffe:501:c0b::1
+ ListenAddress 3ffe:501:c0b:20:2a0:c9ff:fe3e:f5fc
+
+ Example2: as same as example1.
+ (Because bertemu.rcac.tdi.co.jp has these four addresses.)
+
+ ListenAddress bertemu.rcac.tdi.co.jp
+
+ Example3: sshd will bind on any address both IPv4 and IPv6.
+
+ ListenAddress ::
+ ListenAddress 0.0.0.0
+
+ Example4: as same as example3.
+
+ No ListenAddress line in /etc/sshd_config.
+
+ * You don't mind whether the host has IPv4 or IPv6 address.
+ You can also specify using only IPv4 (or only IPv6).
+
+ Example1: ssh will try all IPv4 and IPv6 addresses that the host has.
+
+ ssh host
+
+ Example2: ssh will try all IPv4 addresses that the host has.
+
+ ssh -4 host
+
+ Example3: ssh will try all IPv6 addresses that the host has.
+
+ ssh -6 host
+
+ * You can have multiple Port lines in /etc/sshd_config and -p options.
+ It means that sshd can listen multiple ports, not only port 22.
+
+ For example, you run sshd that listens port 22 and port 722,
+ and you can use port 22 for slogin and port 722 for scp.
+ It's useful if you have preference for interactive traffic in the router.
+
+ You can have "AnotherPort 722" line in /etc/ssh_config or your
+ config file (maybe ~/.ssh/config). In this case, ssh with -A option
+ try to connect to port 722 at first, and try to connect to original
+ port (maybe port 22) if port 722 fails. scp executes ssh with -A option.
+
+ * IPv6 supported platform
+
+ IPv6 feature is available on follwing platforms now.
+
+ kame -- http://www.kame.net/ (used to be called Hydrangea)
+ v6d -- http://onoe2.sm.sony.co.jp/ipv6/ (IPv6 daemon)
+
+ On the other environments you can compile and run ssh-1.2.27-IPv6 if
+ you have a good getaddrinfo() in your library.
+
+ * How to get ssh-1.2.27-IPv6
+
+ You can get tar.gz or patch to ssh-1.2.27.tar.gz:
+
+ ftp://ftp.kyoto.wide.ad.jp/IPv6/ssh/ssh-1.2.27-IPv6-1.5.tar.gz
+ ftp://ftp.kyoto.wide.ad.jp/IPv6/ssh/ssh-1.2.27-IPv6-1.5-patch.gz
+
+ * How to install ssh-1.2.27-IPv6
+
+ Apply ssh-1.2.27-IPv6-1.5-patch to ssh-1.2.27.tar.gz (or use
+ ssh-1.2.27-IPv6-1.5.tar.gz) and then see INSTALL file of ssh-1.2.27.
+
+ If you want to enable ssh to handle IPv6, for example,
+
+ % ./configure --enable-ipv6
+ % make
+ % make install
+
+ and you will be able to enjoy ssh handling both IPv6 and IPv4.
+
+ * Change Log
+
+ v1.5 1999-05-15 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
+
+ * for ssh-1.2.27
+ * supported scp with bracketed ipv6 ip address
+ * used struct sockaddr_storage instead of union sockunion
+
+ v1.4 1998-08-21 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
+
+ * fixed ipv6 address checking bug at match_host() in match.c
+ * cleanup comparing ip address at get_remote_hostname() in canohost.c
+
+ v1.3 1998-08-14 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
+
+ * fixed ipv6 address checking bug at match_host() in match.c
+ pointed out by Kenji Rikitake <kenji@k2r.org>
+
+ v1.2.2 1998-08-07 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
+
+ * fixed IPv6 enable checking bug in configure.in
+
+ v1.2.1 1998-08-05 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
+
+ * fixed AuthLog enable handling bug
+
+ v1.2 1998-08-01 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
+
+ * for ssh-1.2.26
+
+ v1.1.5 1998-06-13 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
+
+ * supported AuthLog (logging authenticated info) in /etc/sshd_config
+
+ v1.1.4 1998-06-11 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
+
+ * supported multiple Port lines in /etc/sshd_config
+ * supported AnotherPort line in /etc/ssh_config
+ * supported -A option of ssh for another port try
+
+ v1.1.3 1998-06-01 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
+
+ * X11 connection forwarding IPv6 support
+ * removeed all hostent and sockaddr_in from *.c
+
+ v1.1.2 1998-05-31 Jun-ichiro itojun Itoh <itojun@itojun.org>
+
+ * configuration support for v6d.
+
+ v1.1.1 1998-05-31 Jun-ichiro itojun Itoh <itojun@itojun.org>
+
+ * add getaddinfo.c, getnameinfo.c and gai.h (delete fakelibinet6.c)
+ * configure checks whether getaddrinfo exists or not.
+
+ v1.1 1998-05-31 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
+
+ * add fakelibinet6.c (including getaddrinfo and getnameinfo)
+ * compilation support on non-IPv6 environment.
+ * fixed port forwarding bug
+
+ v1.0.1 1998-05-30 Jun-ichiro itojun Itoh <itojun@itojun.org>
+
+ * add ENABLE_IPV6 flag.
+ * configuration support --enable-ipv6 for IPv6 platforms.
+
+ v1.0 1998-05-30 created by KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
+
+ * first release
+ * IPv6 support except X11 connection forwarding
+
+ * Guideline for making this patch
+
+ * protocol family independent (using AF_UNSPEC)
+ * use getaddrinfo and getnameinfo (see RFC2133)
+ * don't use sockaddr_in and AF_INET (but option -4 uses AF_INET)
+ * don't use sockaddr_in6 and AF_INET6 (but option -6 uses AF_INET6)
+ * don't use gethostbyname, gethostbyaddr and hostent
+ * listen to all addresses for all available protocol family
+ * try to connect to all addresses for all available protocol family
+

29
security/ssh/files/patch-bb Normal file
View File

@ -0,0 +1,29 @@
*** acconfig.h.orig Wed May 12 13:19:23 1999
--- acconfig.h Mon Jan 10 22:56:13 2000
***************
*** 274,279 ****
--- 274,297 ----
/etc/nologin.allow. */
#undef NOLOGIN_ALLOW
+ /* Define this if you have struct sockaddr_storage. */
+ #undef HAVE_SOCKADDR_STORAGE
+
+ /* Define this if you have __sa_family in struct sockaddr_storage. */
+ #undef HAVE_NEW_SS_FAMILY
+
+ /* Define this if you have ss_len in struct sockaddr. */
+ #undef HAVE_SOCKADDR_LEN
+
+ /* Define this if you want to enable IPv6 support. */
+ #undef ENABLE_IPV6
+
+ /* Define this if you want to enable another port try support. */
+ #undef ENABLE_ANOTHER_PORT_TRY
+
+ /* Define this if you want to enable logging auth info support. */
+ #undef ENABLE_LOG_AUTH
+
/* Where to find the X11 socket */
#undef X11_DIR

401
security/ssh/files/patch-bc Normal file
View File

@ -0,0 +1,401 @@
*** canohost.c.orig Wed May 12 13:19:24 1999
--- canohost.c Mon Jan 10 22:56:13 2000
***************
*** 59,68 ****
char *get_remote_hostname(int socket)
{
! struct sockaddr_in from;
int fromlen, i;
! struct hostent *hp;
char name[255];
/* Get IP address of client. */
fromlen = sizeof(from);
--- 59,69 ----
char *get_remote_hostname(int socket)
{
! struct sockaddr_storage from;
int fromlen, i;
! struct addrinfo hints, *ai, *aitop;
char name[255];
+ char ntop[ADDRSTRLEN], ntop2[ADDRSTRLEN];
/* Get IP address of client. */
fromlen = sizeof(from);
***************
*** 73,86 ****
strcpy(name, "UNKNOWN");
goto check_ip_options;
}
/* Map the IP address to a host name. */
! hp = gethostbyaddr((char *)&from.sin_addr, sizeof(struct in_addr),
! from.sin_family);
! if (hp)
{
/* Got host name. */
- strncpy(name, hp->h_name, sizeof(name));
name[sizeof(name) - 1] = '\0';
/* Convert it to all lowercase (which is expected by the rest of this
--- 74,89 ----
strcpy(name, "UNKNOWN");
goto check_ip_options;
}
+
+ getnameinfo((struct sockaddr *)&from, fromlen,
+ ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST);
/* Map the IP address to a host name. */
! if (getnameinfo((struct sockaddr *)&from, fromlen,
! name, sizeof(name),
! NULL, 0, NI_NAMEREQD) == 0)
{
/* Got host name. */
name[sizeof(name) - 1] = '\0';
/* Convert it to all lowercase (which is expected by the rest of this
***************
*** 95,119 ****
Mapping from name to IP address can be trusted better (but can still
be fooled if the intruder has access to the name server of the
domain). */
! hp = gethostbyname(name);
! if (!hp)
{
log_msg("reverse mapping checking gethostbyname for %.700s failed - POSSIBLE BREAKIN ATTEMPT!", name);
! strcpy(name, inet_ntoa(from.sin_addr));
goto check_ip_options;
}
/* Look for the address from the list of addresses. */
! for (i = 0; hp->h_addr_list[i]; i++)
! if (memcmp(hp->h_addr_list[i], &from.sin_addr, sizeof(from.sin_addr))
! == 0)
! break;
/* If we reached the end of the list, the address was not there. */
! if (!hp->h_addr_list[i])
{
/* Address not found for the host name. */
log_msg("Address %.100s maps to %.600s, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!",
! inet_ntoa(from.sin_addr), name);
! strcpy(name, inet_ntoa(from.sin_addr));
goto check_ip_options;
}
/* Address was found for the host name. We accept the host name. */
--- 98,127 ----
Mapping from name to IP address can be trusted better (but can still
be fooled if the intruder has access to the name server of the
domain). */
! memset(&hints, 0, sizeof(hints));
! hints.ai_family = from.__ss_family;
! if (getaddrinfo(name, NULL, &hints, &aitop) != 0)
{
log_msg("reverse mapping checking gethostbyname for %.700s failed - POSSIBLE BREAKIN ATTEMPT!", name);
! strcpy(name, ntop);
goto check_ip_options;
}
/* Look for the address from the list of addresses. */
! for (ai = aitop; ai; ai = ai->ai_next)
! {
! getnameinfo(ai->ai_addr, ai->ai_addrlen,
! ntop2, sizeof(ntop2), NULL, 0, NI_NUMERICHOST);
! if (strcmp(ntop, ntop2) == 0)
! break;
! }
! freeaddrinfo(aitop);
/* If we reached the end of the list, the address was not there. */
! if (!ai)
{
/* Address not found for the host name. */
log_msg("Address %.100s maps to %.600s, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!",
! ntop, name);
! strcpy(name, ntop);
goto check_ip_options;
}
/* Address was found for the host name. We accept the host name. */
***************
*** 121,127 ****
else
{
/* Host name not found. Use ascii representation of the address. */
! strcpy(name, inet_ntoa(from.sin_addr));
log_msg("Could not reverse map address %.100s.", name);
}
--- 129,135 ----
else
{
/* Host name not found. Use ascii representation of the address. */
! strcpy(name, ntop);
log_msg("Could not reverse map address %.100s.", name);
}
***************
*** 136,141 ****
--- 144,150 ----
Notice also that if we just dropped source routing here, the other
side could use IP spoofing to do rest of the interaction and could still
bypass security. So we exit here if we detect any IP options. */
+ if (from.__ss_family == AF_INET) /* IP options -- IPv4 only */
{
unsigned char options[200], *ucp;
char text[1024], *cp;
***************
*** 157,165 ****
for (ucp = options; option_size > 0; ucp++, option_size--, cp += 3)
sprintf(cp, " %2.2x", *ucp);
log_msg("Connection from %.100s with IP options:%.800s",
! inet_ntoa(from.sin_addr), text);
packet_disconnect("Connection from %.100s with IP options:%.800s",
! inet_ntoa(from.sin_addr), text);
}
}
#endif
--- 166,174 ----
for (ucp = options; option_size > 0; ucp++, option_size--, cp += 3)
sprintf(cp, " %2.2x", *ucp);
log_msg("Connection from %.100s with IP options:%.800s",
! ntop, text);
packet_disconnect("Connection from %.100s with IP options:%.800s",
! ntop, text);
}
}
#endif
***************
*** 177,183 ****
const char *get_canonical_hostname(void)
{
int fromlen, tolen;
! struct sockaddr_in from, to;
/* Check if we have previously retrieved this same name. */
if (canonical_host_name != NULL)
--- 186,192 ----
const char *get_canonical_hostname(void)
{
int fromlen, tolen;
! struct sockaddr_storage from, to;
/* Check if we have previously retrieved this same name. */
if (canonical_host_name != NULL)
***************
*** 200,207 ****
&tolen) < 0)
goto no_ip_addr;
! if (from.sin_family == AF_INET && to.sin_family == AF_INET &&
! memcmp(&from, &to, sizeof(from)) == 0)
goto return_ip_addr;
no_ip_addr:
--- 209,215 ----
&tolen) < 0)
goto no_ip_addr;
! if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0)
goto return_ip_addr;
no_ip_addr:
***************
*** 221,228 ****
const char *get_remote_ipaddr(void)
{
! struct sockaddr_in from, to;
int fromlen, tolen, socket;
/* Check if we have previously retrieved this same name. */
if (canonical_host_ip != NULL)
--- 229,237 ----
const char *get_remote_ipaddr(void)
{
! struct sockaddr_storage from, to;
int fromlen, tolen, socket;
+ char ntop[ADDRSTRLEN];
/* Check if we have previously retrieved this same name. */
if (canonical_host_ip != NULL)
***************
*** 245,252 ****
&tolen) < 0)
goto no_ip_addr;
! if (from.sin_family == AF_INET && to.sin_family == AF_INET &&
! memcmp(&from, &to, sizeof(from)) == 0)
goto return_ip_addr;
no_ip_addr:
--- 254,260 ----
&tolen) < 0)
goto no_ip_addr;
! if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0)
goto return_ip_addr;
no_ip_addr:
***************
*** 269,275 ****
}
/* Get the IP address in ascii. */
! canonical_host_ip = xstrdup(inet_ntoa(from.sin_addr));
/* Return ip address string. */
return canonical_host_ip;
--- 277,285 ----
}
/* Get the IP address in ascii. */
! getnameinfo((struct sockaddr *)&from, fromlen,
! ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST);
! canonical_host_ip = xstrdup(ntop);
/* Return ip address string. */
return canonical_host_ip;
***************
*** 279,286 ****
int get_peer_port(int sock)
{
! struct sockaddr_in from;
int fromlen;
/* Get IP address of client. */
fromlen = sizeof(from);
--- 289,297 ----
int get_peer_port(int sock)
{
! struct sockaddr_storage from;
int fromlen;
+ char strport[PORTSTRLEN];
/* Get IP address of client. */
fromlen = sizeof(from);
***************
*** 292,298 ****
}
/* Return port number. */
! return ntohs(from.sin_port);
}
/* Returns the port number of the remote host. */
--- 303,311 ----
}
/* Return port number. */
! getnameinfo((struct sockaddr *)&from, fromlen,
! NULL, 0, strport, sizeof(strport), NI_NUMERICSERV);
! return atoi(strport);
}
/* Returns the port number of the remote host. */
***************
*** 301,307 ****
{
int socket;
int fromlen, tolen;
! struct sockaddr_in from, to;
/* If two different descriptors, check if they are internet-domain, and
have the same address. */
--- 314,320 ----
{
int socket;
int fromlen, tolen;
! struct sockaddr_storage from, to;
/* If two different descriptors, check if they are internet-domain, and
have the same address. */
***************
*** 319,326 ****
&tolen) < 0)
goto no_ip_addr;
! if (from.sin_family == AF_INET && to.sin_family == AF_INET &&
! memcmp(&from, &to, sizeof(from)) == 0)
goto return_port;
no_ip_addr:
--- 332,338 ----
&tolen) < 0)
goto no_ip_addr;
! if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0)
goto return_port;
no_ip_addr:
***************
*** 335,337 ****
--- 347,413 ----
/* Get and return the peer port number. */
return get_peer_port(socket);
}
+
+ /* Returns the port of the local of the socket. */
+
+ int get_sock_port(int sock)
+ {
+ struct sockaddr_storage from;
+ int fromlen;
+ char strport[PORTSTRLEN];
+
+ /* Get IP address of client. */
+ fromlen = sizeof(from);
+ memset(&from, 0, sizeof(from));
+ if (getsockname(sock, (struct sockaddr *)&from, &fromlen) < 0)
+ {
+ error("getsockname failed: %.100s", strerror(errno));
+ return 0;
+ }
+
+ /* Return port number. */
+ getnameinfo((struct sockaddr *)&from, fromlen,
+ NULL, 0, strport, sizeof(strport), NI_NUMERICSERV);
+ return atoi(strport);
+ }
+
+ /* Returns the port number of the local host. */
+
+ int get_local_port()
+ {
+ int socket;
+ int fromlen, tolen;
+ struct sockaddr_storage from, to;
+
+ /* If two different descriptors, check if they are internet-domain, and
+ have the same address. */
+ if (packet_get_connection_in() != packet_get_connection_out())
+ {
+ fromlen = sizeof(from);
+ memset(&from, 0, sizeof(from));
+ if (getsockname(packet_get_connection_in(), (struct sockaddr *)&from,
+ &fromlen) < 0)
+ goto no_ip_addr;
+
+ tolen = sizeof(to);
+ memset(&to, 0, sizeof(to));
+ if (getsockname(packet_get_connection_out(), (struct sockaddr *)&to,
+ &tolen) < 0)
+ goto no_ip_addr;
+
+ if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0)
+ goto return_port;
+
+ no_ip_addr:
+ return 65535;
+ }
+
+ return_port:
+
+ /* Get client socket. */
+ socket = packet_get_connection_in();
+
+ /* Get and return the local port number. */
+ return get_sock_port(socket);
+ }
+

49
security/ssh/files/patch-bd Normal file
View File

@ -0,0 +1,49 @@
*** config.h.in.orig Wed May 12 13:20:04 1999
--- config.h.in Mon Jan 10 22:56:13 2000
***************
*** 323,328 ****
--- 323,346 ----
/etc/nologin.allow. */
#undef NOLOGIN_ALLOW
+ /* Define this if you have struct sockaddr_storage. */
+ #undef HAVE_SOCKADDR_STORAGE
+
+ /* Define this if you have __sa_family in struct sockaddr_storage. */
+ #undef HAVE_NEW_SS_FAMILY
+
+ /* Define this if you have ss_len in struct sockaddr. */
+ #undef HAVE_SOCKADDR_LEN
+
+ /* Define this if you want to enable IPv6 support. */
+ #undef ENABLE_IPV6
+
+ /* Define this if you want to enable another port try support. */
+ #undef ENABLE_ANOTHER_PORT_TRY
+
+ /* Define this if you want to enable logging auth info support. */
+ #undef ENABLE_LOG_AUTH
+
/* Where to find the X11 socket */
#undef X11_DIR
***************
*** 375,385 ****
--- 393,409 ----
/* Define if you have the ftruncate function. */
#undef HAVE_FTRUNCATE
+ /* Define if you have the getaddrinfo function. */
+ #undef HAVE_GETADDRINFO
+
/* Define if you have the getdtablesize function. */
#undef HAVE_GETDTABLESIZE
/* Define if you have the gethostname function. */
#undef HAVE_GETHOSTNAME
+
+ /* Define if you have the getnameinfo function. */
+ #undef HAVE_GETNAMEINFO
/* Define if you have the getpseudotty function. */
#undef HAVE_GETPSEUDOTTY

401
security/ssh/files/patch-be Normal file
View File

@ -0,0 +1,401 @@
*** configure.in.orig Wed May 12 13:20:02 1999
--- configure.in Tue Jan 11 22:55:20 2000
***************
*** 30,37 ****
--- 30,163 ----
fi
AC_PROG_CC
+ AC_PROG_CPP
AC_ISC_POSIX
+ AC_MSG_CHECKING([whether to enable ipv6])
+ AC_ARG_ENABLE(ipv6,
+ [ --enable-ipv6 Enable ipv6 (with ipv4) support
+ --disable-ipv6 Disable ipv6 support],
+ [ case "$enableval" in
+ no)
+ AC_MSG_RESULT(no)
+ ipv6=no
+ ;;
+ *) AC_MSG_RESULT(yes)
+ AC_DEFINE(ENABLE_IPV6)
+ ipv6=yes
+ ;;
+ esac ],
+
+ AC_TRY_RUN([ /* AF_INET6 avalable check */
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ main()
+ {
+ if (socket(AF_INET6, SOCK_STREAM, 0) < 0)
+ exit(1);
+ else
+ exit(0);
+ }
+ ],
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(ENABLE_IPV6)
+ ipv6=yes,
+ AC_MSG_RESULT(no)
+ ipv6=no,
+ AC_MSG_RESULT(no)
+ ipv6=no
+ ))
+
+ ipv6type=unknown
+ ipv6lib=none
+
+ if test "$ipv6" = "yes"; then
+ AC_MSG_CHECKING([ipv6 stack type])
+ for i in inria kame linux toshiba v6d zeta; do
+ case $i in
+ inria)
+ dnl http://www.kame.net/
+ AC_EGREP_CPP(yes, [dnl
+ #include <netinet/in.h>
+ #ifdef IPV6_INRIA_VERSION
+ yes
+ #endif],
+ [ipv6type=$i;
+ CPPFLAGS="-DINET6 $CPPFLAGS"])
+ ;;
+ kame)
+ dnl http://www.kame.net/
+ AC_EGREP_CPP(yes, [dnl
+ #include <netinet/in.h>
+ #ifdef __KAME__
+ yes
+ #endif],
+ [ipv6type=$i;
+ ipv6lib=inet6;
+ ipv6libdir=/usr/local/v6/lib;
+ CPPFLAGS="-DINET6 $CPPFLAGS"])
+ ;;
+ linux)
+ dnl http://www.v6.linux.or.jp/
+ if test -d /usr/inet6; then
+ ipv6type=$i
+ ipv6lib=inet6
+ ipv6libdir=/usr/inet6/lib
+ CPPFLAGS="-DINET6 -I/usr/inet6/include $CPPFLAGS"
+ fi
+ ;;
+ toshiba)
+ AC_EGREP_CPP(yes, [dnl
+ #include <sys/param.h>
+ #ifdef _TOSHIBA_INET6
+ yes
+ #endif],
+ [ipv6type=$i;
+ ipv6lib=inet6;
+ ipv6libdir=/usr/local/v6/lib;
+ CPPFLAGS="-DINET6 $CPPFLAGS"])
+ ;;
+ v6d)
+ AC_EGREP_CPP(yes, [dnl
+ #include </usr/local/v6/include/sys/v6config.h>
+ #ifdef __V6D__
+ yes
+ #endif],
+ [ipv6type=$i;
+ ipv6lib=v6;
+ ipv6libdir=/usr/local/v6/lib;
+ CPPFLAGS="-I/usr/local/v6/include $CPPFLAGS"])
+ ;;
+ zeta)
+ AC_EGREP_CPP(yes, [dnl
+ #include <sys/param.h>
+ #ifdef _ZETA_MINAMI_INET6
+ yes
+ #endif],
+ [ipv6type=$i;
+ ipv6lib=inet6;
+ ipv6libdir=/usr/local/v6/lib;
+ CPPFLAGS="-DINET6 $CPPFLAGS"])
+ ;;
+ esac
+ if test "$ipv6type" != "unknown"; then
+ break
+ fi
+ done
+ AC_MSG_RESULT($ipv6type)
+ fi
+
+ if test "$ipv6" = "yes" -a "$ipv6lib" != "none"; then
+ if test -d $ipv6libdir -a -f $ipv6libdir/lib$ipv6lib.a; then
+ LIBS="-L$ipv6libdir -l$ipv6lib $LIBS"
+ else
+ echo 'Fatal: no $ipv6lib library found. cannot continue.'
+ echo "You need to fetch lib$ipv6lib.a from appropriate"
+ echo 'ipv6 kit and compile beforehand.'
+ exit 1
+ fi
+ fi
+
AC_DEFINE_UNQUOTED(HOSTTYPE, "$host")
case "$host" in
***************
*** 313,319 ****
# Socket pairs appear to be broken on several systems. I don't know exactly
# where, so I'll use pipes everywhere for now.
! AC_DEFINE(USE_PIPES)
AC_MSG_CHECKING([that the compiler works])
AC_TRY_RUN([ main(int ac, char **av) { return 0; } ],
--- 439,445 ----
# Socket pairs appear to be broken on several systems. I don't know exactly
# where, so I'll use pipes everywhere for now.
! # AC_DEFINE(USE_PIPES)
AC_MSG_CHECKING([that the compiler works])
AC_TRY_RUN([ main(int ac, char **av) { return 0; } ],
***************
*** 369,375 ****
AC_HEADER_STDC
AC_HEADER_SYS_WAIT
! AC_CHECK_HEADERS(unistd.h rusage.h sys/time.h lastlog.h utmp.h shadow.h)
AC_CHECK_HEADERS(sgtty.h sys/select.h sys/ioctl.h machine/endian.h)
AC_CHECK_HEADERS(paths.h usersec.h utime.h netinet/in_systm.h)
AC_CHECK_HEADERS(netinet/in_system.h netinet/ip.h netinet/tcp.h ulimit.h)
--- 495,501 ----
AC_HEADER_STDC
AC_HEADER_SYS_WAIT
! AC_CHECK_HEADERS(unistd.h rusage.h sys/time.h lastlog.h login_cap.h utmp.h shadow.h)
AC_CHECK_HEADERS(sgtty.h sys/select.h sys/ioctl.h machine/endian.h)
AC_CHECK_HEADERS(paths.h usersec.h utime.h netinet/in_systm.h)
AC_CHECK_HEADERS(netinet/in_system.h netinet/ip.h netinet/tcp.h ulimit.h)
***************
*** 399,404 ****
--- 525,540 ----
[ AC_DEFINE(HAVE_INCOMPATIBLE_SIGINFO)
AC_MSG_RESULT(yes)] , AC_MSG_RESULT(no))
+ AC_MSG_CHECKING([whether sys/socket.h have struct sockaddr_storage])
+ AC_EGREP_HEADER(sockaddr_storage, sys/socket.h,
+ [ AC_DEFINE(HAVE_SOCKADDR_STORAGE) AC_MSG_RESULT(yes)], AC_MSG_RESULT(no))
+ AC_MSG_CHECKING([whether sys/socket.h have __ss_family])
+ AC_EGREP_HEADER(__ss_family, sys/socket.h,
+ [ AC_DEFINE(HAVE_NEW_SS_FAMILY) AC_MSG_RESULT(yes)], AC_MSG_RESULT(no))
+ AC_MSG_CHECKING([whether sys/socket.h have sa_len])
+ AC_EGREP_HEADER(sa_len, sys/socket.h,
+ [ AC_DEFINE(HAVE_SOCKADDR_LEN) AC_MSG_RESULT(yes)], AC_MSG_RESULT(no))
+
AC_CHECK_LIB(c, crypt, [true], AC_CHECK_LIB(crypt, crypt))
AC_CHECK_LIB(sec, getspnam)
AC_CHECK_LIB(seq, get_process_stats)
***************
*** 436,441 ****
--- 572,676 ----
AC_REPLACE_FUNCS(strerror memmove remove random putenv crypt socketpair snprintf)
+ AC_MSG_CHECKING(getaddrinfo bug)
+ AC_TRY_RUN([
+ #include <sys/types.h>
+ #include <netdb.h>
+ #include <string.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>
+
+ main()
+ {
+ int passive, gaierr, inet4 = 0, inet6 = 0;
+ struct addrinfo hints, *ai, *aitop;
+ char straddr[INET6_ADDRSTRLEN], strport[16];
+
+ for (passive = 0; passive <= 1; passive++) {
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = AF_UNSPEC;
+ hints.ai_flags = passive ? AI_PASSIVE : 0;
+ hints.ai_socktype = SOCK_STREAM;
+ if ((gaierr = getaddrinfo(NULL, "54321", &hints, &aitop)) != 0) {
+ (void)gai_strerror(gaierr);
+ goto bad;
+ }
+ for (ai = aitop; ai; ai = ai->ai_next) {
+ if (ai->ai_addr == NULL ||
+ ai->ai_addrlen == 0 ||
+ getnameinfo(ai->ai_addr, ai->ai_addrlen,
+ straddr, sizeof(straddr), strport, sizeof(strport),
+ NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
+ goto bad;
+ }
+ if (strcmp(strport, "54321") != 0) {
+ goto bad;
+ }
+ switch (ai->ai_family) {
+ case AF_INET:
+ if (passive) {
+ if (strcmp(straddr, "0.0.0.0") != 0) {
+ goto bad;
+ }
+ } else {
+ if (strcmp(straddr, "127.0.0.1") != 0) {
+ goto bad;
+ }
+ }
+ inet4++;
+ break;
+ case AF_INET6:
+ if (passive) {
+ if (strcmp(straddr, "::") != 0) {
+ goto bad;
+ }
+ } else {
+ if (strcmp(straddr, "::1") != 0) {
+ goto bad;
+ }
+ }
+ inet6++;
+ break;
+ case AF_UNSPEC:
+ goto bad;
+ break;
+ default:
+ /* another family support? */
+ break;
+ }
+ }
+ }
+
+ if (inet6 != 2 || inet4 != 2)
+ goto bad;
+
+ if (aitop)
+ freeaddrinfo(aitop);
+ exit(0);
+
+ bad:
+ if (aitop)
+ freeaddrinfo(aitop);
+ exit(1);
+ }
+ ],
+ AC_MSG_RESULT(good)
+ buggygetaddrinfo=no,
+ AC_MSG_RESULT(buggy)
+ buggygetaddrinfo=yes,
+ AC_MSG_RESULT(buggy)
+ buggygetaddrinfo=yes)
+
+ if test "$buggygetaddrinfo" = "yes"; then
+ if test "$ipv6" = "yes"; then
+ echo 'Fatal: You must get working getaddrinfo() function.'
+ echo ' or you can specify "--disable-ipv6"'.
+ exit 1
+ else
+ AC_REPLACE_FUNCS(getaddrinfo getnameinfo)
+ fi
+ fi
+
AC_PROG_LN_S
AC_PROG_INSTALL
AC_CHECK_PROG(AR, ar, ar, echo)
***************
*** 932,938 ****
AC_DEFINE(KRB5)
KERBEROS_ROOT="$with_kerberos5"
KERBEROS_INCS="-I${KERBEROS_ROOT}/include"
! KERBEROS_LIBS="-L${KERBEROS_ROOT}/lib -lgssapi_krb5 -lkrb5 -lcrypto -lcom_err"
AC_CHECK_LIB(ndbm, dbm_open, KERBEROS_LIBS="$KERBEROS_LIBS -lndbm")
KERBEROS_OBJS="auth-kerberos.o"
;;
--- 1167,1177 ----
AC_DEFINE(KRB5)
KERBEROS_ROOT="$with_kerberos5"
KERBEROS_INCS="-I${KERBEROS_ROOT}/include"
! if [ -f ${KERBEROS_ROOT}/lib/libk5crypto.a ]; then
! KERBEROS_LIBS="-L${KERBEROS_ROOT}/lib -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err"
! else
! KERBEROS_LIBS="-L${KERBEROS_ROOT}/lib -lgssapi_krb5 -lkrb5 -lcrypto -lcom_err"
! fi
AC_CHECK_LIB(ndbm, dbm_open, KERBEROS_LIBS="$KERBEROS_LIBS -lndbm")
KERBEROS_OBJS="auth-kerberos.o"
;;
***************
*** 1252,1257 ****
--- 1491,1528 ----
AC_DEFINE(ENABLE_TCP_NODELAY)
)
+ AC_MSG_CHECKING(whether to enable another port try support)
+ AC_ARG_ENABLE(another-port-try,
+ [ --enable-another-port-try Enable another port try support (default)
+ --disable-another-port-try Disable another port try support],
+ [ case "$enableval" in
+ no)
+ AC_MSG_RESULT(no)
+ ;;
+ *) AC_MSG_RESULT(yes)
+ AC_DEFINE(ENABLE_ANOTHER_PORT_TRY)
+ ;;
+ esac ],
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(ENABLE_ANOTHER_PORT_TRY)
+ )
+
+ AC_MSG_CHECKING(whether to enable logging auth info support)
+ AC_ARG_ENABLE(log-auth,
+ [ --enable-log-auth Enable logging auth info support (default)
+ --disable-log-auth Disable logging auth info support],
+ [ case "$enableval" in
+ no)
+ AC_MSG_RESULT(no)
+ ;;
+ *) AC_MSG_RESULT(yes)
+ AC_DEFINE(ENABLE_LOG_AUTH)
+ ;;
+ esac ],
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(ENABLE_LOG_AUTH)
+ )
+
AC_MSG_CHECKING(whether to enable SO_LINGER)
AC_ARG_ENABLE(so-linger,
[ --enable-so-linger Enable setting SO_LINGER socket option],
***************
*** 1311,1316 ****
--- 1582,1589 ----
AC_DEFINE(SCP_ALL_STATISTICS_ENABLED)
)
+ CFLAGS="$CPPFLAGS $CFLAGS"
+
# We include this here only to make it visible in --help; this is only used
# in the gmp subdirectory.
AC_ARG_ENABLE(asm,
***************
*** 1324,1330 ****
fi
AC_MSG_RESULT($PIDDIR)
! AC_CONFIG_SUBDIRS(gmp-2.0.2-ssh-2)
AC_ARG_PROGRAM
--- 1597,1603 ----
fi
AC_MSG_RESULT($PIDDIR)
! #AC_CONFIG_SUBDIRS(gmp-2.0.2-ssh-2)
AC_ARG_PROGRAM
***************
*** 1336,1339 ****
AC_SUBST(SSHDCONFOBJS)
AC_SUBST(SSHINSTALLMODE)
! AC_OUTPUT(Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 zlib-1.0.4/Makefile)
--- 1609,1612 ----
AC_SUBST(SSHDCONFOBJS)
AC_SUBST(SSHINSTALLMODE)
! AC_OUTPUT(Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 make-ssh-known-hosts.pl)

17
security/ssh/files/patch-bf Normal file
View File

@ -0,0 +1,17 @@
*** gai.h.orig Mon Jan 10 22:56:13 2000
--- gai.h Mon Jan 10 22:56:13 2000
***************
*** 0 ****
--- 1,12 ----
+ /*
+ * fake library for ssh
+ *
+ * This file is included in getaddrinfo.c and getnameinfo.c.
+ * See getaddrinfo.c and getnameinfo.c.
+ */
+
+ /* for old netdb.h */
+ #ifndef EAI_NODATA
+ #define EAI_NODATA 1
+ #define EAI_MEMORY 2
+ #endif

120
security/ssh/files/patch-bg Normal file
View File

@ -0,0 +1,120 @@
*** getaddrinfo.c.orig Mon Jan 10 22:56:13 2000
--- getaddrinfo.c Mon Jan 10 22:56:13 2000
***************
*** 0 ****
--- 1,115 ----
+ /*
+ * fake library for ssh
+ *
+ * This file includes getaddrinfo(), freeaddrinfo() and gai_strerror().
+ * These funtions are defined in rfc2133.
+ *
+ * But these functions are not implemented correctly. The minimum subset
+ * is implemented for ssh use only. For exapmle, this routine assumes
+ * that ai_family is AF_INET. Don't use it for another purpose.
+ *
+ * In the case not using 'configure --enable-ipv6', this getaddrinfo.c
+ * will be used if you have broken getaddrinfo or no getaddrinfo.
+ */
+
+ #include "includes.h"
+ #include "ssh.h"
+
+ #include "gai.h"
+
+ static struct addrinfo *
+ malloc_ai(port, addr)
+ int port;
+ u_long addr;
+ {
+ struct addrinfo *ai;
+
+ if (ai = (struct addrinfo *)malloc(sizeof(struct addrinfo) +
+ sizeof(struct sockaddr_in))) {
+ memset(ai, 0, sizeof(struct addrinfo) + sizeof(struct sockaddr_in));
+ ai->ai_addr = (struct sockaddr *)(ai + 1);
+ /* XXX -- ssh doesn't use sa_len */
+ ai->ai_addrlen = sizeof(struct sockaddr_in);
+ ai->ai_addr->sa_family = ai->ai_family = AF_INET;
+ ((struct sockaddr_in *)(ai)->ai_addr)->sin_port = port;
+ ((struct sockaddr_in *)(ai)->ai_addr)->sin_addr.s_addr = addr;
+ return ai;
+ } else {
+ return NULL;
+ }
+ }
+
+ char *
+ gai_strerror(ecode)
+ int ecode;
+ {
+ switch (ecode) {
+ case EAI_NODATA:
+ return "no address associated with hostname.";
+ case EAI_MEMORY:
+ return "memory allocation failure.";
+ default:
+ return "unknown error.";
+ }
+ }
+
+ void
+ freeaddrinfo(ai)
+ struct addrinfo *ai;
+ {
+ struct addrinfo *next;
+
+ do {
+ next = ai->ai_next;
+ free(ai);
+ } while (ai = next);
+ }
+
+ int
+ getaddrinfo(hostname, servname, hints, res)
+ const char *hostname, *servname;
+ const struct addrinfo *hints;
+ struct addrinfo **res;
+ {
+ struct addrinfo *cur, *prev = NULL;
+ struct hostent *hp;
+ int i, port;
+
+ if (servname)
+ port = htons(atoi(servname));
+ else
+ port = 0;
+ if (hints && hints->ai_flags & AI_PASSIVE)
+ if (*res = malloc_ai(port, htonl(0x00000000)))
+ return 0;
+ else
+ return EAI_MEMORY;
+ if (!hostname)
+ if (*res = malloc_ai(port, htonl(0x7f000001)))
+ return 0;
+ else
+ return EAI_MEMORY;
+ if (inet_addr(hostname) != -1)
+ if (*res = malloc_ai(port, inet_addr(hostname)))
+ return 0;
+ else
+ return EAI_MEMORY;
+ if ((hp = gethostbyname(hostname)) &&
+ hp->h_name && hp->h_name[0] && hp->h_addr_list[0]) {
+ for (i = 0; hp->h_addr_list[i]; i++)
+ if (cur = malloc_ai(port,
+ ((struct in_addr *)hp->h_addr_list[i])->s_addr)) {
+ if (prev)
+ prev->ai_next = cur;
+ else
+ *res = cur;
+ prev = cur;
+ } else {
+ if (*res)
+ freeaddrinfo(*res);
+ return EAI_MEMORY;
+ }
+ return 0;
+ }
+ return EAI_NODATA;
+ }

66
security/ssh/files/patch-bh Normal file
View File

@ -0,0 +1,66 @@
*** getnameinfo.c.orig Mon Jan 10 22:56:13 2000
--- getnameinfo.c Mon Jan 10 22:56:13 2000
***************
*** 0 ****
--- 1,61 ----
+ /*
+ * fake library for ssh
+ *
+ * This file includes getnameinfo().
+ * These funtions are defined in rfc2133.
+ *
+ * But these functions are not implemented correctly. The minimum subset
+ * is implemented for ssh use only. For exapmle, this routine assumes
+ * that ai_family is AF_INET. Don't use it for another purpose.
+ *
+ * In the case not using 'configure --enable-ipv6', this getnameinfo.c
+ * will be used if you have broken getnameinfo or no getnameinfo.
+ */
+
+ #include "includes.h"
+ #include "ssh.h"
+
+ #include "gai.h"
+
+ int
+ getnameinfo(sa, salen, host, hostlen, serv, servlen, flags)
+ const struct sockaddr *sa;
+ size_t salen;
+ char *host;
+ size_t hostlen;
+ char *serv;
+ size_t servlen;
+ int flags;
+ {
+ struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+ struct hostent *hp;
+ char tmpserv[16];
+
+ if (serv) {
+ sprintf(tmpserv, "%d", ntohs(sin->sin_port));
+ if (strlen(tmpserv) > servlen)
+ return EAI_MEMORY;
+ else
+ strcpy(serv, tmpserv);
+ }
+ if (host)
+ if (flags & NI_NUMERICHOST)
+ if (strlen(inet_ntoa(sin->sin_addr)) > hostlen)
+ return EAI_MEMORY;
+ else {
+ strcpy(host, inet_ntoa(sin->sin_addr));
+ return 0;
+ }
+ else
+ if (hp = gethostbyaddr((char *)&sin->sin_addr, sizeof(struct in_addr),
+ AF_INET))
+ if (strlen(hp->h_name) > hostlen)
+ return EAI_MEMORY;
+ else {
+ strcpy(host, hp->h_name);
+ return 0;
+ }
+ else
+ return EAI_NODATA;
+ return 0;
+ }

56
security/ssh/files/patch-bi Normal file
View File

@ -0,0 +1,56 @@
*** log-server.c.orig Wed May 12 13:19:26 1999
--- log-server.c Mon Jan 10 22:56:13 2000
***************
*** 146,151 ****
--- 146,170 ----
syslog(LOG_INFO, "log: %.500s", buf);
}
+ #ifdef ENABLE_LOG_AUTH
+ void log_auth(const char *fmt, ...)
+ {
+ char buf[1024];
+ va_list args;
+ extern int log_auth_flag;
+ if (!log_auth_flag)
+ return;
+ if (log_quiet)
+ return;
+ va_start(args, fmt);
+ vsprintf(buf, fmt, args);
+ va_end(args);
+ if (log_on_stderr)
+ fprintf(stderr, "log: %s\n", buf);
+ syslog(LOG_INFO|LOG_AUTH, "%.500s", buf);
+ }
+ #endif /* ENABLE_LOG_AUTH */
+
/* Converts portable syslog severity to machine-specific syslog severity. */
static int syslog_severity(int severity)
***************
*** 322,327 ****
--- 341,349 ----
{
char buf[1024];
va_list args;
+ #ifdef ENABLE_LOG_AUTH
+ extern char *unauthenticated_user;
+ #endif /* ENABLE_LOG_AUTH */
if (log_quiet)
exit(1);
***************
*** 331,336 ****
--- 353,363 ----
if (log_on_stderr)
fprintf(stderr, "fatal: %s\n", buf);
syslog(syslog_severity(severity), "fatal: %.500s", buf);
+ #ifdef ENABLE_LOG_AUTH
+ if (unauthenticated_user)
+ log_auth("LOGIN FAILED %.100s from %.200s",
+ unauthenticated_user, get_canonical_hostname());
+ #endif /* ENABLE_LOG_AUTH */
do_fatal_cleanups();

16
security/ssh/files/patch-bj Normal file
View File

@ -0,0 +1,16 @@
*** match.c.orig Wed May 12 13:19:27 1999
--- match.c Mon Jan 10 22:56:13 2000
***************
*** 129,134 ****
--- 129,139 ----
is_ip_pattern = 0;
break;
}
+ for(p = pattern; *p; p++)
+ if (!(isxdigit(*p) || *p == ':' || *p == '?' || *p == '*'))
+ break;
+ if (ip && !*p)
+ is_ip_pattern = 1;
if (is_ip_pattern)
{
return match_pattern(ip, pattern);

66
security/ssh/files/patch-bl Normal file
View File

@ -0,0 +1,66 @@
*** readconf.c.orig Wed May 12 13:19:27 1999
--- readconf.c Mon Jan 10 22:56:13 2000
***************
*** 171,176 ****
--- 171,179 ----
oBatchMode, oStrictHostKeyChecking, oCompression, oCompressionLevel,
oKeepAlives, oUsePrivilegedPort, oKerberosAuthentication,
oKerberosTgtPassing, oClearAllForwardings, oNumberOfPasswordPrompts,
+ #ifdef ENABLE_ANOTHER_PORT_TRY
+ oAnotherPort,
+ #endif /* ENABLE_ANOTHER_PORT_TRY */
oXauthPath, oGatewayPorts, oPasswordPromptLogin, oPasswordPromptHost
} OpCodes;
***************
*** 194,199 ****
--- 197,205 ----
{ "hostname", oHostName },
{ "proxycommand", oProxyCommand },
{ "port", oPort },
+ #ifdef ENABLE_ANOTHER_PORT_TRY
+ { "anotherport", oAnotherPort },
+ #endif /* ENABLE_ANOTHER_PORT_TRY */
{ "cipher", oCipher },
{ "remoteforward", oRemoteForward },
{ "localforward", oLocalForward },
***************
*** 497,502 ****
--- 503,514 ----
*intptr = value;
break;
+ #ifdef ENABLE_ANOTHER_PORT_TRY
+ case oAnotherPort:
+ intptr = &options->another_port;
+ goto parse_int;
+ #endif /* ENABLE_ANOTHER_PORT_TRY */
+
case oConnectionAttempts:
intptr = &options->connection_attempts;
goto parse_int;
***************
*** 689,694 ****
--- 701,709 ----
options->keepalives = -1;
options->compression_level = -1;
options->port = -1;
+ #ifdef ENABLE_ANOTHER_PORT_TRY
+ options->another_port = -1;
+ #endif /* ENABLE_ANOTHER_PORT_TRY */
options->connection_attempts = -1;
options->number_of_password_prompts = -1;
options->password_prompt_login = -1;
***************
*** 759,764 ****
--- 774,783 ----
options->compression_level = 6;
if (options->port == -1)
options->port = 0; /* Filled in ssh_connect. */
+ #ifdef ENABLE_ANOTHER_PORT_TRY
+ if (options->another_port == -1)
+ options->another_port = 0;
+ #endif /* ENABLE_ANOTHER_PORT_TRY */
if (options->connection_attempts == -1)
options->connection_attempts = 4;
if (options->number_of_password_prompts == -1)

14
security/ssh/files/patch-bm Normal file
View File

@ -0,0 +1,14 @@
*** readconf.h.orig Wed May 12 13:19:27 1999
--- readconf.h Mon Jan 10 22:56:13 2000
***************
*** 98,103 ****
--- 98,106 ----
int use_privileged_port; /* Use privileged port */
int port; /* Port to connect. */
+ #ifdef ENABLE_ANOTHER_PORT_TRY
+ int another_port; /* Port to connect for -A option. */
+ #endif /* ENABLE_ANOTHER_PORT_TRY */
int connection_attempts; /* Max attempts (seconds) before giving up */
int number_of_password_prompts; /* Max number of password prompts */
int password_prompt_login; /* Show remote login at password prompt */

191
security/ssh/files/patch-bn Normal file
View File

@ -0,0 +1,191 @@
*** scp.c.orig Wed May 12 13:19:28 1999
--- scp.c Mon Jan 10 22:56:13 2000
***************
*** 180,185 ****
--- 180,193 ----
#define STDERR_FILENO 2
#endif
+ /* This is set to non-zero if IPv4 is desired. */
+ int IPv4 = 0;
+
+ #ifdef ENABLE_IPV6
+ /* This is set to non-zero if IPv6 is desired. */
+ int IPv6 = 0;
+ #endif
+
/* This is set to non-zero to enable verbose mode. */
int verbose = 0;
***************
*** 295,302 ****
--- 303,319 ----
}
args[i++] = "-x";
args[i++] = "-a";
+ #ifdef ENABLE_ANOTHER_PORT_TRY
+ args[i++] = "-A";
+ #endif /* ENABLE_ANOTHER_PORT_TRY */
args[i++] = "-oFallBackToRsh no";
args[i++] = "-oClearAllForwardings yes";
+ if (IPv4)
+ args[i++] = "-4";
+ #ifdef ENABLE_IPV6
+ if (IPv6)
+ args[i++] = "-6";
+ #endif
if (verbose)
args[i++] = "-v";
if (compress)
***************
*** 441,448 ****
statistics = 0;
fflag = tflag = 0;
! while ((ch = getopt(argc, argv, "aAqQdfprtvBCL1c:i:P:o:S:")) != EOF)
switch(ch) { /* User-visible flags. */
case 'S':
ssh_program = optarg;
break;
--- 458,477 ----
statistics = 0;
fflag = tflag = 0;
! while ((ch = getopt(argc, argv, "aAqQdfprtvBCL1c:i:P:o:S:4"
! #ifdef ENABLE_IPV6
! "6"
! #endif
! )) != EOF)
switch(ch) { /* User-visible flags. */
+ case '4':
+ IPv4 = 1;
+ break;
+ #ifdef ENABLE_IPV6
+ case '6':
+ IPv6 = 1;
+ break;
+ #endif
case 'S':
ssh_program = optarg;
break;
***************
*** 589,594 ****
--- 618,634 ----
exit(errs != 0);
}
+ char *
+ cleanhostname(host)
+ char *host;
+ {
+ if (*host == '[' && host[strlen(host) - 1] == ']') {
+ host[strlen(host) - 1] = '\0';
+ return (host + 1);
+ } else
+ return host;
+ }
+
void
toremote(targ, argc, argv)
char *targ, *argv[];
***************
*** 644,649 ****
--- 684,690 ----
bp = xmalloc(len);
if (host) {
*host++ = 0;
+ host = cleanhostname(host);
suser = argv[i];
if (*suser == '\0')
suser = pwd->pw_name;
***************
*** 655,667 ****
suser, host, cmd, src,
tuser ? tuser : "", tuser ? "@" : "",
thost, targ);
! } else
(void)snprintf(bp, len,
"exec %s%s %s -x -o'FallBackToRsh no' -o'ClearAllForwardings yes' -n %s %s %s '%s%s%s:%s'",
ssh_program, verbose ? " -v" : "", options,
! argv[i], cmd, src,
tuser ? tuser : "", tuser ? "@" : "",
thost, targ);
if (verbose)
fprintf(stderr, "Executing: %s\n", bp);
if (system(bp)) errs++;
--- 696,710 ----
suser, host, cmd, src,
tuser ? tuser : "", tuser ? "@" : "",
thost, targ);
! } else {
! host = cleanhostname(argv[i]);
(void)snprintf(bp, len,
"exec %s%s %s -x -o'FallBackToRsh no' -o'ClearAllForwardings yes' -n %s %s %s '%s%s%s:%s'",
ssh_program, verbose ? " -v" : "", options,
! host, cmd, src,
tuser ? tuser : "", tuser ? "@" : "",
thost, targ);
+ }
if (verbose)
fprintf(stderr, "Executing: %s\n", bp);
if (system(bp)) errs++;
***************
*** 671,677 ****
len = strlen(targ) + CMDNEEDS + 20;
bp = xmalloc(len);
(void)snprintf(bp, len, "%s -t %s", cmd, targ);
! host = thost;
if (do_cmd(host, tuser,
bp, &remin, &remout) < 0)
exit(1);
--- 714,720 ----
len = strlen(targ) + CMDNEEDS + 20;
bp = xmalloc(len);
(void)snprintf(bp, len, "%s -t %s", cmd, targ);
! host = cleanhostname(thost);
if (do_cmd(host, tuser,
bp, &remin, &remout) < 0)
exit(1);
***************
*** 721,726 ****
--- 764,770 ----
else if (!okname(suser))
continue;
}
+ host = cleanhostname(host);
len = strlen(src) + CMDNEEDS + 20;
bp = xmalloc(len);
(void)snprintf(bp, len, "%s -f %s", cmd, src);
***************
*** 1365,1375 ****
colon(cp)
char *cp;
{
if (*cp == ':') /* Leading colon is part of file name. */
return (0);
for (; *cp; ++cp) {
! if (*cp == ':')
return (cp);
if (*cp == '/')
return (0);
--- 1409,1427 ----
colon(cp)
char *cp;
{
+ int flag = 0;
+
if (*cp == ':') /* Leading colon is part of file name. */
return (0);
+ if (*cp == '[')
+ flag = 1;
for (; *cp; ++cp) {
! if (*cp == '@' && *(cp+1) == '[')
! flag = 1;
! if (*cp == ']' && *(cp+1) == ':' && flag)
! return (cp+1);
! if (*cp == ':' && !flag)
return (cp);
if (*cp == '/')
return (0);

197
security/ssh/files/patch-bo Normal file
View File

@ -0,0 +1,197 @@
*** servconf.c.orig Wed May 12 13:19:28 1999
--- servconf.c Mon Jan 10 22:56:13 2000
***************
*** 81,88 ****
void initialize_server_options(ServerOptions *options)
{
memset(options, 0, sizeof(*options));
! options->port = -1;
! options->listen_addr.s_addr = INADDR_ANY;
options->host_key_file = NULL;
options->random_seed_file = NULL;
options->pid_file = NULL;
--- 81,88 ----
void initialize_server_options(ServerOptions *options)
{
memset(options, 0, sizeof(*options));
! options->num_ports = 0;
! options->listen_addrs = NULL;
options->host_key_file = NULL;
options->random_seed_file = NULL;
options->pid_file = NULL;
***************
*** 92,97 ****
--- 92,100 ----
options->permit_root_login = -1;
options->ignore_rhosts = -1;
options->ignore_root_rhosts = -1;
+ #ifdef ENABLE_LOG_AUTH
+ options->log_auth = -1;
+ #endif /* ENABLE_LOG_AUTH */
options->quiet_mode = -1;
options->fascist_logging = -1;
options->print_motd = -1;
***************
*** 138,153 ****
void fill_default_server_options(ServerOptions *options)
{
! if (options->port == -1)
{
! struct servent *sp;
!
! sp = getservbyname(SSH_SERVICE_NAME, "tcp");
! if (sp)
! options->port = ntohs(sp->s_port);
! else
! options->port = SSH_DEFAULT_PORT;
! endservent();
}
if (options->host_key_file == NULL)
options->host_key_file = HOST_KEY_FILE;
--- 141,171 ----
void fill_default_server_options(ServerOptions *options)
{
! struct addrinfo hints, *ai, *aitop;
! char strport[PORTSTRLEN];
! int i;
!
! if (options->num_ports == 0)
! options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
! if (options->listen_addrs == NULL)
{
! for (i = 0; i < options->num_ports; i++)
! {
! memset(&hints, 0, sizeof(hints));
! hints.ai_flags = AI_PASSIVE;
! hints.ai_family = IPv4or6;
! hints.ai_socktype = SOCK_STREAM;
! sprintf(strport, "%d", options->ports[i]);
! if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
! {
! fprintf(stderr, "fatal: getaddrinfo: Cannot get anyaddr.\n");
! exit(1);
! }
! for (ai = aitop; ai->ai_next; ai = ai->ai_next);
! ai->ai_next = options->listen_addrs;
! options->listen_addrs = aitop;
! }
! /* freeaddrinfo(options->listen_addrs) in sshd.c */
}
if (options->host_key_file == NULL)
options->host_key_file = HOST_KEY_FILE;
***************
*** 243,248 ****
--- 261,269 ----
{
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
sPermitRootLogin, sQuietMode, sFascistLogging, sLogFacility,
+ #ifdef ENABLE_LOG_AUTH
+ sLogAuth,
+ #endif /* ENABLE_LOG_AUTH */
sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
sTISAuthentication, sPasswordAuthentication, sAllowHosts, sDenyHosts,
sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
***************
*** 275,280 ****
--- 296,304 ----
{ "quietmode", sQuietMode },
{ "fascistlogging", sFascistLogging },
{ "syslogfacility", sLogFacility },
+ #ifdef ENABLE_LOG_AUTH
+ { "logauth", sLogAuth },
+ #endif /* ENABLE_LOG_AUTH */
{ "rhostsauthentication", sRhostsAuthentication },
{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
{ "rsaauthentication", sRSAAuthentication },
***************
*** 367,372 ****
--- 391,399 ----
char *cp, **charptr;
int linenum, *intptr, i, value;
ServerOpCodes opcode;
+ struct addrinfo hints, *ai, *aitop;
+ char strport[PORTSTRLEN];
+ int gaierr;
f = fopen(filename, "r");
if (!f)
***************
*** 389,395 ****
switch (opcode)
{
case sPort:
! intptr = &options->port;
parse_int:
cp = strtok(NULL, WHITESPACE);
if (!cp)
--- 416,429 ----
switch (opcode)
{
case sPort:
! if (options->num_ports >= MAX_PORTS)
! {
! fprintf(stderr, "%s line %d: too many ports.\n",
! filename, linenum);
! exit(1);
! }
! options->ports[options->num_ports] = -1;
! intptr = &options->ports[options->num_ports++];
parse_int:
cp = strtok(NULL, WHITESPACE);
if (!cp)
***************
*** 452,462 ****
filename, linenum);
exit(1);
}
! #ifdef BROKEN_INET_ADDR
! options->listen_addr.s_addr = inet_network(cp);
! #else /* BROKEN_INET_ADDR */
! options->listen_addr.s_addr = inet_addr(cp);
! #endif /* BROKEN_INET_ADDR */
break;
case sHostKeyFile:
--- 486,510 ----
filename, linenum);
exit(1);
}
! if (options->num_ports == 0)
! options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
! for (i = 0; i < options->num_ports; i++)
! {
! memset(&hints, 0, sizeof(hints));
! hints.ai_family = IPv4or6;
! hints.ai_socktype = SOCK_STREAM;
! sprintf(strport, "%d", options->ports[i]);
! if ((gaierr = getaddrinfo(cp, strport, &hints, &aitop)) != 0)
! {
! fprintf(stderr, "%s line %d: bad addr or host. (%s)\n",
! filename, linenum, gai_strerror(gaierr));
! exit(1);
! }
! for (ai = aitop; ai->ai_next; ai = ai->ai_next);
! ai->ai_next = options->listen_addrs;
! options->listen_addrs = aitop;
! }
! strtok(cp, WHITESPACE); /* getaddrinfo() may use strtok() */
break;
case sHostKeyFile:
***************
*** 531,536 ****
--- 579,590 ----
if (*intptr == -1)
*intptr = value;
break;
+
+ #ifdef ENABLE_LOG_AUTH
+ case sLogAuth:
+ intptr = &options->log_auth;
+ goto parse_flag;
+ #endif /* ENABLE_LOG_AUTH */
case sIgnoreRhosts:
intptr = &options->ignore_rhosts;

45
security/ssh/files/patch-bp Normal file
View File

@ -0,0 +1,45 @@
*** servconf.h.orig Wed May 12 13:19:28 1999
--- servconf.h Mon Jan 10 22:56:13 2000
***************
*** 64,69 ****
--- 64,71 ----
#ifndef SERVCONF_H
#define SERVCONF_H
+ #define MAX_PORTS 256 /* Max # hosts on allow list. */
+
#define MAX_ALLOW_SHOSTS 256 /* Max # hosts on allow shosts list. */
#define MAX_DENY_SHOSTS 256 /* Max # hosts on deny shosts list. */
#define MAX_ALLOW_HOSTS 256 /* Max # hosts on allow list. */
***************
*** 82,89 ****
typedef struct
{
! int port; /* Port number to listen on. */
! struct in_addr listen_addr; /* Address on which the server listens. */
char *host_key_file; /* File containing host key. */
char *random_seed_file; /* File containing random seed. */
char *pid_file; /* File containing process ID number. */
--- 84,92 ----
typedef struct
{
! unsigned int num_ports;
! int ports[MAX_PORTS]; /* Port number to listen on. */
! struct addrinfo *listen_addrs;/* Addresses on which the server listens. */
char *host_key_file; /* File containing host key. */
char *random_seed_file; /* File containing random seed. */
char *pid_file; /* File containing process ID number. */
***************
*** 91,96 ****
--- 94,102 ----
int login_grace_time; /* Disconnect if no auth in this time (sec). */
int key_regeneration_time; /* Server key lifetime (seconds). */
int permit_root_login; /* 0 = forced cmd only, 1 = no pwd, 2 = yes. */
+ #ifdef ENABLE_LOG_AUTH
+ int log_auth; /* If true, log authentication info. */
+ #endif /* ENABLE_LOG_AUTH */
int ignore_rhosts; /* Ignore .rhosts and .shosts. */
int ignore_root_rhosts; /* Ignore .rhosts and .shosts for root,
defaults to ignore_rhosts if not given. */

97
security/ssh/files/patch-br Normal file
View File

@ -0,0 +1,97 @@
*** ssh.c.orig Wed May 12 13:19:28 1999
--- ssh.c Mon Jan 10 22:56:13 2000
***************
*** 218,223 ****
--- 218,231 ----
other functions. */
RandomState random_state;
+ /* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
+ Default value is AF_UNSPEC means both IPv4 and IPv6. */
+ #ifdef ENABLE_IPV6
+ int IPv4or6 = AF_UNSPEC;
+ #else
+ int IPv4or6 = AF_INET;
+ #endif
+
/* Flag indicating whether debug mode is on. This can be set on the
command line. */
int debug_flag = 0;
***************
*** 277,282 ****
--- 285,297 ----
{
fprintf(stderr, "Usage: %s [options] host [command]\n", av0);
fprintf(stderr, "Options:\n");
+ fprintf(stderr, " -4 Use IPv4 only.\n");
+ #ifdef ENABLE_IPV6
+ fprintf(stderr, " -6 Use IPv6 only.\n");
+ #endif
+ #ifdef ENABLE_ANOTHER_PORT_TRY
+ fprintf(stderr, " -A Try to connect to another port before original port.\n");
+ #endif /* ENABLE_ANOTHER_PORT_TRY */
fprintf(stderr, " -l user Log in using this user name.\n");
fprintf(stderr, " -n Redirect input from /dev/null.\n");
fprintf(stderr, " -a Disable authentication agent forwarding.\n");
***************
*** 413,418 ****
--- 428,436 ----
#ifdef SIGWINCH
struct winsize ws;
#endif /* SIGWINCH */
+ #ifdef ENABLE_ANOTHER_PORT_TRY
+ int another_port_flag = 0;
+ #endif /* ENABLE_ANOTHER_PORT_TRY */
/* Save the original real uid. It will be needed later (uid-swapping may
clobber the real uid). */
***************
*** 522,527 ****
--- 540,565 ----
}
switch (opt)
{
+ case '4':
+ #ifdef ENABLE_IPV6
+ IPv4or6 = (IPv4or6 == AF_INET6) ? AF_UNSPEC : AF_INET;
+ #else
+ IPv4or6 = AF_INET;
+ #endif
+ break;
+
+ #ifdef ENABLE_IPV6
+ case '6':
+ IPv4or6 = (IPv4or6 == AF_INET) ? AF_UNSPEC : AF_INET6;
+ break;
+ #endif
+
+ #ifdef ENABLE_ANOTHER_PORT_TRY
+ case 'A':
+ another_port_flag = 1;
+ break;
+ #endif /* ENABLE_ANOTHER_PORT_TRY */
+
case 'n':
stdin_null_flag = 1;
break;
***************
*** 789,799 ****
--- 827,844 ----
{
use_privileged_port = 0;
}
+ #ifdef ENABLE_ANOTHER_PORT_TRY
+ if (!another_port_flag)
+ options.another_port = 0;
+ #endif /* ENABLE_ANOTHER_PORT_TRY */
/* Open a connection to the remote host. This needs root privileges if
rhosts_authentication is true. Note that the random_state is not
yet used by this call, although a pointer to it is stored, and thus it
need not be initialized. */
ok = ssh_connect(host, options.port, options.connection_attempts,
+ #ifdef ENABLE_ANOTHER_PORT_TRY
+ options.another_port,
+ #endif /* ENABLE_ANOTHER_PORT_TRY */
!use_privileged_port,
original_real_uid, options.proxy_command, &random_state);

94
security/ssh/files/patch-bs Normal file
View File

@ -0,0 +1,94 @@
*** ssh.h.orig Wed May 12 13:19:28 1999
--- ssh.h Mon Jan 10 22:56:13 2000
***************
*** 430,436 ****
/* Records that the user has logged in. This does many things normally
done by login(1). */
void record_login(int pid, const char *ttyname, const char *user, uid_t uid,
! const char *host, struct sockaddr_in *addr);
/* Records that the user has logged out. This does many thigs normally
done by login(1) or init. */
--- 430,436 ----
/* Records that the user has logged in. This does many things normally
done by login(1). */
void record_login(int pid, const char *ttyname, const char *user, uid_t uid,
! const char *host, struct sockaddr *addr);
/* Records that the user has logged out. This does many thigs normally
done by login(1) or init. */
***************
*** 447,452 ****
--- 447,455 ----
connection is successful, this calls packet_set_connection for the
connection. */
int ssh_connect(const char *host, int port, int connection_attempts,
+ #ifdef ENABLE_ANOTHER_PORT_TRY
+ int another_port,
+ #endif /* ENABLE_ANOTHER_PORT_TRY */
int anonymous, uid_t original_real_uid,
const char *proxy_command, RandomState *random_state);
***************
*** 872,876 ****
--- 875,934 ----
#else
#define UID_ROOT 0
#endif
+
+ #ifdef HAVE_SOCKADDR_STORAGE
+ #ifndef HAVE_NEW_SS_FAMILY
+ #define __ss_len ss_len
+ #define __ss_family ss_family
+ #endif
+ #else
+ #define _SS_MAXSIZE 128 /* Implementation specific max size */
+ #define _SS_ALIGNSIZE (sizeof(int))
+ #define _SS_PAD1SIZE (_SS_ALIGNSIZE - sizeof(u_short))
+ #define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof(u_short) + \
+ _SS_PAD1SIZE + _SS_ALIGNSIZE))
+ struct sockaddr_storage {
+ #ifdef HAVE_SOCKADDR_LEN
+ u_char __ss_len;
+ u_char __ss_family;
+ #else
+ u_short __ss_family;
+ #endif
+ char __ss_pad1[_SS_PAD1SIZE];
+ int __ss_align;
+ char __ss_pad2[_SS_PAD2SIZE];
+ };
+ #endif
+
+ #ifdef INET6_ADDRSTRLEN
+ #define ADDRSTRLEN INET6_ADDRSTRLEN
+ #else
+ #define ADDRSTRLEN 46
+ #endif
+
+ #define PORTSTRLEN 16
+
+ /* AF_UNSPEC or AF_INET or AF_INET6 */
+ extern int IPv4or6;
+
+ #ifndef ENABLE_IPV6
+ /* dummy value for old netdb.h */
+ #ifndef AI_PASSIVE
+ #define AI_PASSIVE 1
+ #define NI_NUMERICHOST 2
+ #define NI_NAMEREQD 4
+ #define NI_NUMERICSERV 8
+ struct addrinfo {
+ int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
+ int ai_family; /* PF_xxx */
+ int ai_socktype; /* SOCK_xxx */
+ int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+ size_t ai_addrlen; /* length of ai_addr */
+ char *ai_canonname; /* canonical name for hostname */
+ struct sockaddr *ai_addr; /* binary address */
+ struct addrinfo *ai_next; /* next structure in linked list */
+ };
+ #endif
+ #endif /* not ENABLE_IPV6 */
#endif /* SSH_H */

167
security/ssh/files/patch-xa Normal file
View File

@ -0,0 +1,167 @@
Note that this patch has been incorporated into the port due to problems
with patching a autoconf generated configure script. The script itself contains
linenumbers and in case of two patches against that script the second one fails
because it expects something that the first patch has already changed. The
only clean way is to re-generate it with autoconf. *sigh*
This patch was fetched from
http://www.ssh.org/patches/patch-ssh-1.2.27-bsd.tty.chown
- torstenb@FreeBSD.org, Tue Jan 11 21:36:46 CET 2000
Patch for problem with tty ownership with chflags and chown in BSD 4.4
variants. Fixes a security bug in tty allocation.
This patch works for ssh-1.2.27.
Apply with the following commands:
% cd /wherever/you/hold/your/sources/ssh-1.2.27
% patch -p1 -l < /path/to/where/you/saved/patch-ssh-1.2.27-bsd.tty.chown
% ./configure --whatever-config-flags-you-use
% make clean
% make
% su
Password: ***********
# make install
# kill -HUP `cat /var/run/sshd.pid`
You should be all set.
Sami Lehtinen <sjl@ssh.fi>
--begin patch--
diff -u --recursive -X /u/sjl/bin/diff-src-db auth-passwd.c.orig auth-passwd.c
--- auth-passwd.c.orig Wed May 12 14:19:23 1999
+++ auth-passwd.c Wed Aug 11 19:49:32 1999
@@ -613,7 +613,13 @@
/* get_name pulls out just the name not the
type */
strcpy(ccname + 5, krb5_cc_get_name(ssh_context, ccache));
- (void) chown(ccname + 5, pw->pw_uid, pw->pw_gid);
+ if (chown(ccname + 5, pw->pw_uid, pw->pw_gid) < 0)
+ {
+ log_msg("Kerberos: chown failed for %s, error: %s",
+ ccname + 5, strerror(errno));
+ packet_send_debug("Kerberos: chown failed for %s", ccname + 5);
+ goto errout;
+ }
/* If tgt was passed unlink file */
if (ticket)
diff -u --recursive -X /u/sjl/bin/diff-src-db config.h.in.orig config.h.in
--- config.h.in.orig Wed May 12 14:20:04 1999
+++ config.h.in Wed Aug 11 20:20:51 1999
@@ -360,6 +360,9 @@
/* Define if you have the authenticate function. */
#undef HAVE_AUTHENTICATE
+/* Define if you have the chflags function. */
+#undef HAVE_CHFLAGS
+
/* Define if you have the clock function. */
#undef HAVE_CLOCK
diff -u --recursive -X /u/sjl/bin/diff-src-db configure.in.orig configure.in
--- configure.in.orig Wed May 12 14:20:02 1999
+++ configure.in Wed Aug 11 20:05:13 1999
@@ -433,6 +433,7 @@
AC_CHECK_FUNCS(strchr memcpy setlogin openpty _getpty clock fchmod ulimit)
AC_CHECK_FUNCS(gethostname getdtablesize umask innetgr initgroups setpgrp)
AC_CHECK_FUNCS(setpgid daemon waitpid ttyslot authenticate getpt isastream)
+AC_CHECK_FUNCS(chflags)
AC_REPLACE_FUNCS(strerror memmove remove random putenv crypt socketpair snprintf)
diff -u --recursive -X /u/sjl/bin/diff-src-db sshd.c.orig sshd.c
--- sshd.c.orig Wed May 12 14:19:29 1999
+++ sshd.c Wed Aug 11 20:26:31 1999
@@ -2897,9 +2897,87 @@
tty_mode = S_IRUSR|S_IWUSR|S_IWGRP|S_IWOTH;
}
+ retry_chown:
+
/* Change ownership of the tty. */
- (void)chown(ttyname, pw->pw_uid, tty_gid);
- (void)chmod(ttyname, tty_mode);
+ if (chown(ttyname, pw->pw_uid, tty_gid) < 0)
+ {
+ /* chown failed. Atleast two possibilities. Either we are not
+ running as root, in which case this is OK, or we are running
+ on BSD, and somebody has put some flags to the tty. */
+
+ /* Check whether we are root or not.*/
+ if (getuid() != UID_ROOT)
+ {
+ /* We are not, and then this is OK. */
+ debug("chown failed (but we're not root anyway) for "
+ "%s, error %s", ttyname, strerror(errno));
+ }
+ else
+ {
+#ifdef HAVE_CHFLAGS
+ static int retrying = 0;
+ struct stat st;
+
+ if (!retrying)
+ {
+ debug("chown failed for %s, error: %s. Removing "
+ "user-settable flags, and retrying.",
+ ttyname, strerror(errno));
+
+ if (stat(ttyname, &st) < 0)
+ {
+ error("stat failed for %s, error: %s",
+ ttyname, strerror(errno));
+ }
+ else
+ {
+ debug("Removing user-settable flags with "
+ "chflags.");
+ /* Remove user definable flags. */
+ if (chflags(ttyname, st.st_flags &
+ ~(UF_NODUMP | UF_IMMUTABLE |
+ UF_APPEND | UF_OPAQUE)) < 0)
+ {
+ debug("chflags failed for %s, error: %s",
+ ttyname, strerror(errno));
+ }
+ else
+ {
+ debug("Retrying...");
+ retrying = 1;
+ goto retry_chown;
+ }
+ }
+ }
+ else
+ {
+ debug("chown failed even with retry. error: %s",
+ strerror(errno));
+ }
+
+#endif /* HAVE_CHFLAGS */
+ error("ssh_pty_allocate_and_fork: chown failed for %s.",
+ ttyname);
+ goto fail;
+ }
+ }
+
+ if (chmod(ttyname, tty_mode) < 0)
+ {
+ if (getuid() != UID_ROOT)
+ {
+ /* We are not, and then this is (probably) OK. */
+ debug("chmod failed (but we're not root anyway) for "
+ "%s, error %s", ttyname, strerror(errno));
+ }
+ else
+ {
+ error("ssh_pty_allocate_and_fork: chmod %s: %s",
+ ttyname, strerror(errno));
+ goto fail;
+ }
+ }
/* Get TERM from the packet. Note that the value may be of arbitrary
length. */