Import vendor patches: the first is written by

Brian Feldman <green@FreeBSD.org>

* Remove the gratuitous dependency on OpenSSL 0.9.5a (preparation for MFC)
* Disable agent forwarding by default in the client (security risk)

Submitted by:	green
Obtained from:	OpenBSD

crypto/openssh/readconf.c

@@ -14,7 +14,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: readconf.c,v 1.31 2000/05/08 17:12:15 markus Exp $");
+RCSID("$Id: readconf.c,v 1.33 2000/05/29 20:20:46 markus Exp $");
 
 #include "ssh.h"
 #include "cipher.h"
@@ -464,6 +464,8 @@ process_config_line(Options *options, const char *host,
 	case oCipher:
 		intptr = &options->cipher;
 		cp = strtok(NULL, WHITESPACE);
+		if (!cp)
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
 		value = cipher_number(cp);
 		if (value == -1)
 			fatal("%.200s line %d: Bad cipher '%s'.",
@@ -474,6 +476,8 @@ process_config_line(Options *options, const char *host,
 
 	case oCiphers:
 		cp = strtok(NULL, WHITESPACE);
+		if (!cp)
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
 		if (!ciphers_valid(cp))
 			fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
 			      filename, linenum, cp ? cp : "<NONE>");
@@ -484,6 +488,8 @@ process_config_line(Options *options, const char *host,
 	case oProtocol:
 		intptr = &options->protocol;
 		cp = strtok(NULL, WHITESPACE);
+		if (!cp)
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
 		value = proto_spec(cp);
 		if (value == SSH_PROTO_UNKNOWN)
 			fatal("%.200s line %d: Bad protocol spec '%s'.",
@@ -691,7 +697,7 @@ void
 fill_default_options(Options * options)
 {
 	if (options->forward_agent == -1)
-		options->forward_agent = 1;
+		options->forward_agent = 0;
 	if (options->forward_x11 == -1)
 		options->forward_x11 = 0;
 	if (options->gateway_ports == -1)

crypto/openssh/ssh-keygen.c

@@ -7,7 +7,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: ssh-keygen.c,v 1.25 2000/05/08 18:23:07 markus Exp $");
+RCSID("$Id: ssh-keygen.c,v 1.26 2000/05/30 17:32:06 markus Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@@ -516,7 +516,7 @@ main(int ac, char **av)
 	extern int optind;
 	extern char *optarg;
 
-	OpenSSL_add_all_algorithms();
+	SSLeay_add_all_algorithms();
 
 	/* we need this for the home * directory.  */
 	pw = getpwuid(getuid());

crypto/openssh/ssh.1

@@ -9,7 +9,7 @@
 .\"
 .\" Created: Sat Apr 22 21:55:14 1995 ylo
 .\"
-.\" $Id: ssh.1,v 1.52 2000/05/08 17:21:32 hugh Exp $
+.\" $Id: ssh.1,v 1.54 2000/05/29 20:20:46 markus Exp $
 .\"
 .Dd September 25, 1999
 .Dt SSH 1
@@ -24,7 +24,7 @@
 .Op Ar command
 .Pp
 .Nm ssh
-.Op Fl afgknqtvxCPX246
+.Op Fl afgknqtvxACNPTX246
 .Op Fl c Ar cipher_spec
 .Op Fl e Ar escape_char
 .Op Fl i Ar identity_file
@@ -332,7 +332,9 @@ host key is not known or has changed.
 .Bl -tag -width Ds
 .It Fl a
 Disables forwarding of the authentication agent connection.
-This may also be specified on a per-host basis in the configuration file.
+.It Fl A
+Enables forwarding of the authentication agent connection.
+This can also be specified on a per-host basis in a configuration file.
 .It Fl c Ar blowfish|3des
 Selects the cipher to use for encrypting the session.
 .Ar 3des
@@ -416,6 +418,10 @@ program will be put in the background.
 needs to ask for a password or passphrase; see also the
 .Fl f
 option.)
+.It Fl N
+Do not execute a remote command.
+This is usefull if you just want to forward ports
+(protocol version 2 only).
 .It Fl o Ar option
 Can be used to give options in the format used in the config file.
 This is useful for specifying options for which there is no separate
@@ -442,6 +448,8 @@ Force pseudo-tty allocation.
 This can be used to execute arbitrary
 screen-based programs on a remote machine, which can be very useful,
 e.g., when implementing menu services.
+.It Fl T
+Disable pseudo-tty allocation (protocol version 2 only).
 .It Fl v
 Verbose mode.
 Causes
@@ -454,9 +462,9 @@ The verbose mode is also used to display
 challenges, if the user entered "s/key" as password.
 .It Fl x
 Disables X11 forwarding.
-This can also be specified on a per-host basis in a configuration file.
 .It Fl X
 Enables X11 forwarding.
+This can also be specified on a per-host basis in a configuration file.
 .It Fl C
 Requests compression of all data (including stdin, stdout, stderr, and
 data for forwarded X11 and TCP/IP connections).
@@ -665,6 +673,8 @@ The argument must be
 .Dq yes
 or
 .Dq no .
+The default is
+.Dq no .
 .It Cm ForwardX11
 Specifies whether X11 connections will be automatically redirected
 over the secure channel and

crypto/openssh/ssh.c

@@ -11,7 +11,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: ssh.c,v 1.51 2000/05/08 17:12:15 markus Exp $");
+RCSID("$Id: ssh.c,v 1.54 2000/05/30 17:32:06 markus Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/dsa.h>
@@ -108,10 +108,12 @@ usage()
 	fprintf(stderr, "Options:\n");
 	fprintf(stderr, "  -l user     Log in using this user name.\n");
 	fprintf(stderr, "  -n          Redirect input from /dev/null.\n");
+	fprintf(stderr, "  -A          Enable authentication agent forwarding.\n");
 	fprintf(stderr, "  -a          Disable authentication agent forwarding.\n");
 #ifdef AFS
 	fprintf(stderr, "  -k          Disable Kerberos ticket and AFS token forwarding.\n");
 #endif				/* AFS */
+        fprintf(stderr, "  -X          Enable X11 connection forwarding.\n");
 	fprintf(stderr, "  -x          Disable X11 connection forwarding.\n");
 	fprintf(stderr, "  -i file     Identity for RSA authentication (default: ~/.ssh/identity).\n");
 	fprintf(stderr, "  -t          Tty; allocate a tty even if command is given.\n");
@@ -306,6 +308,9 @@ main(int ac, char **av)
 		case 'a':
 			options.forward_agent = 0;
 			break;
+		case 'A':
+			options.forward_agent = 1;
+			break;
 #ifdef AFS
 		case 'k':
 			options.kerberos_tgt_passing = 0;
@@ -422,7 +427,7 @@ main(int ac, char **av)
 	if (!host)
 		usage();
 
-        OpenSSL_add_all_algorithms();
+	SSLeay_add_all_algorithms();
 
 	/* Initialize the command to execute on remote host. */
 	buffer_init(&command);