1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-23 11:18:54 +00:00

Vendor import of OpenSSH 4.7p1 for posterity's sake

This commit is contained in:
Dag-Erling Smørgrav 2008-07-23 09:23:42 +00:00
parent 8211d6b018
commit 490bfaade9
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/vendor-crypto/openssh/dist/; revision=180744
svn path=/vendor-crypto/openssh/4.7p1/; revision=180745; tag=vendor/openssh/4.7p1
106 changed files with 3190 additions and 535 deletions

370
ChangeLog
View File

@ -1,3 +1,371 @@
20070817
- (dtucker) [sshd.8] Many Linux variants use a single "!" to denote locked
accounts and that's what the code looks for, so make man page and code
agree. Pointed out by Roumen Petrov.
- (dtucker) [INSTALL] Group the parts describing random options and PAM
implementations together which is hopefully more coherent.
- (dtucker) [INSTALL] the pid file is sshd.pid not ssh.pid.
- (dtucker) [INSTALL] Give PAM its own heading.
- (dtucker) [INSTALL] Link to tcpwrappers.
20070816
- (dtucker) [session.c] Call PAM cleanup functions for unauthenticated
connections too. Based on a patch from Sandro Wefel, with & ok djm@
20070815
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2007/08/15 08:14:46
[clientloop.c]
do NOT fall back to the trused x11 cookie if generation of an untrusted
cookie fails; from Jan Pechanec, via security-alert at sun.com;
ok dtucker
- markus@cvs.openbsd.org 2007/08/15 08:16:49
[version.h]
openssh 4.7
- stevesk@cvs.openbsd.org 2007/08/15 12:13:41
[ssh_config.5]
tun device forwarding now honours ExitOnForwardFailure; ok markus@
- (dtucker) [openbsd-compat/bsd-cray.c] Remove debug from signal handler.
ok djm@
- (dtucker) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec
contrib/suse/openssh.spec] Crank version.
20070813
- (dtucker) [session.c] Bug #1339: ensure that pam_setcred() is always
called with PAM_ESTABLISH_CRED at least once, which resolves a problem
with pam_dhkeys. Patch from David Leonard, ok djm@
20070810
- (dtucker) [auth-pam.c] Use sigdie here too. ok djm@
- (dtucker) [configure.ac] Bug #1343: Set DISABLE_FD_PASSING for QNX6. From
Matt Kraai, ok djm@
20070809
- (dtucker) [openbsd-compat/port-aix.c] Comment typo.
- (dtucker) [README.platform] Document the interaction between PermitRootLogin
and the AIX native login restrictions.
- (dtucker) [defines.h] Remove _PATH_{CSHELL,SHELLS} which aren't
used anywhere and are a potential source of warnings.
20070808
- (djm) OpenBSD CVS Sync
- ray@cvs.openbsd.org 2007/07/12 05:48:05
[key.c]
Delint: remove some unreachable statements, from Bret Lambert.
OK markus@ and dtucker@.
- sobrado@cvs.openbsd.org 2007/08/06 19:16:06
[scp.1 scp.c]
the ellipsis is not an optional argument; while here, sync the usage
and synopsis of commands
lots of good ideas by jmc@
ok jmc@
- djm@cvs.openbsd.org 2007/08/07 07:32:53
[clientloop.c clientloop.h ssh.c]
bz#1232: ensure that any specified LocalCommand is executed after the
tunnel device is opened. Also, make failures to open a tunnel device
fatal when ExitOnForwardFailure is active.
Reported by h.goebel AT goebel-consult.de; ok dtucker markus reyk deraadt
20070724
- (tim) [openssh.xml.in] make FMRI match what package scripts use.
- (tim) [openbsd-compat/regress/closefromtest.c] Bug 1345: fix open() call.
Report/patch by David.Leonard AT quest.com (and Bernhard Simon)
- (tim) [buildpkg.sh.in openssh.xml.in] Allow more flexibility where smf(5)
- (tim) [buildpkg.sh.in] s|$FAKE_ROOT/${sysconfdir}|$FAKE_ROOT${sysconfdir}|
20070628
- (djm) bz#1325: Fix SELinux in permissive mode where it would
incorrectly fatal() on errors. patch from cjwatson AT debian.org;
ok dtucker
20070625
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2007/06/13 00:21:27
[scp.c]
don't ftruncate() non-regular files; bz#1236 reported by wood AT
xmission.com; ok dtucker@
- djm@cvs.openbsd.org 2007/06/14 21:43:25
[ssh.c]
handle EINTR when waiting for mux exit status properly
- djm@cvs.openbsd.org 2007/06/14 22:48:05
[ssh.c]
when waiting for the multiplex exit status, read until the master end
writes an entire int of data *and* closes the client_fd; fixes mux
regression spotted by dtucker, ok dtucker@
- djm@cvs.openbsd.org 2007/06/19 02:04:43
[atomicio.c]
if the fd passed to atomicio/atomiciov() is non blocking, then poll() to
avoid a spin if it is not yet ready for reading/writing; ok dtucker@
- dtucker@cvs.openbsd.org 2007/06/25 08:20:03
[channels.c]
Correct test for window updates every three packets; prevents sending
window updates for every single packet. ok markus@
- dtucker@cvs.openbsd.org 2007/06/25 12:02:27
[atomicio.c]
Include <poll.h> like the man page says rather than <sys/poll.h>. ok djm@
- (dtucker) [atomicio.c] Test for EWOULDBLOCK in atomiciov to match
atomicio.
- (dtucker) [atomicio.c configure.ac openbsd-compat/Makefile.in
openbsd-compat/bsd-poll.{c,h} openbsd-compat/openbsd-compat.h]
Add an implementation of poll() built on top of select(2). Code from
OpenNTPD with changes suggested by djm. ok djm@
20070614
- (dtucker) [cipher-ctr.c umac.c openbsd-compat/openssl-compat.h] Move the
USE_BUILTIN_RIJNDAEL compat goop to openssl-compat.h so it can be
shared with umac.c. Allows building with OpenSSL 0.9.5 again including
umac support. With tim@ djm@, ok djm.
- (dtucker) [openbsd-compat/openssl-compat.h] Merge USE_BUILTIN_RIJNDAEL
sections. Fixes builds with early OpenSSL 0.9.6 versions.
- (dtucker) [openbsd-compat/openssl-compat.h] Remove redundant definition
of USE_BUILTIN_RIJNDAEL since the <0.9.6 test is covered by the
subsequent <0.9.7 test.
20070612
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2007/06/11 09:14:00
[channels.h]
increase default channel windows; ok djm
- djm@cvs.openbsd.org 2007/06/12 07:41:00
[ssh-add.1]
better document ssh-add's -d option (delete identies from agent), bz#1224
new text based on some provided by andrewmc-debian AT celt.dias.ie;
ok dtucker@
- djm@cvs.openbsd.org 2007/06/12 08:20:00
[ssh-gss.h gss-serv.c gss-genr.c]
relocate server-only GSSAPI code from libssh to server; bz #1225
patch from simon AT sxw.org.uk; ok markus@ dtucker@
- djm@cvs.openbsd.org 2007/06/12 08:24:20
[scp.c]
make scp try to skip FIFOs rather than blocking when nothing is listening.
depends on the platform supporting sane O_NONBLOCK semantics for open
on FIFOs (apparently POSIX does not mandate this), which OpenBSD does.
bz #856; report by cjwatson AT debian.org; ok markus@
- djm@cvs.openbsd.org 2007/06/12 11:11:08
[ssh.c]
fix slave exit value when a control master goes away without passing the
full exit status by ensuring that the slave reads a full int. bz#1261
reported by frekko AT gmail.com; ok markus@ dtucker@
- djm@cvs.openbsd.org 2007/06/12 11:15:17
[ssh.c ssh.1]
Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
GSSAPIDelegateCredentials=yes. This is symmetric with -k (disable GSSAPI)
and is useful for hosts with /home on Kerberised NFS; bz #1312
patch from Markus.Kuhn AT cl.cam.ac.uk; ok dtucker@ markus@
- djm@cvs.openbsd.org 2007/06/12 11:45:27
[ssh.c]
improved exit message from multiplex slave sessions; bz #1262
reported by alexandre.nunes AT gmail.com; ok dtucker@
- dtucker@cvs.openbsd.org 2007/06/12 11:56:15
[gss-genr.c]
Pass GSS OID to gss_display_status to provide better information in
error messages. Patch from Simon Wilkinson via bz 1220. ok djm@
- jmc@cvs.openbsd.org 2007/06/12 13:41:03
[ssh-add.1]
identies -> identities;
- jmc@cvs.openbsd.org 2007/06/12 13:43:55
[ssh.1]
add -K to SYNOPSIS;
- dtucker@cvs.openbsd.org 2007/06/12 13:54:28
[scp.c]
Encode filename with strnvis if the name contains a newline (which can't
be represented in the scp protocol), from bz #891. ok markus@
20070611
- (djm) Bugzilla #1306: silence spurious error messages from hang-on-exit
fix; tested by dtucker@ and jochen.kirn AT gmail.com
- pvalchev@cvs.openbsd.org 2007/06/07 19:37:34
[kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1]
[ssh_config.5 sshd.8 sshd_config.5]
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet,
must specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on
one of its underlying hash algorithms is found to be vulnerable to a
new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
- pvalchev@cvs.openbsd.org 2007/06/08 04:40:40
[ssh_config]
Add a "MACs" line after "Ciphers" with the default MAC algorithms,
to ease people who want to tweak both (eg. for performance reasons).
ok deraadt@ djm@ dtucker@
- jmc@cvs.openbsd.org 2007/06/08 07:43:46
[ssh_config.5]
put the MAC list into a display, like we do for ciphers,
since groff has trouble handling wide lines;
- jmc@cvs.openbsd.org 2007/06/08 07:48:09
[sshd_config.5]
oops, here too: put the MAC list into a display, like we do for
ciphers, since groff has trouble with wide lines;
- markus@cvs.openbsd.org 2007/06/11 08:04:44
[channels.c]
send 'window adjust' messages every tree packets and do not wait
until 50% of the window is consumed. ok djm dtucker
- (djm) [configure.ac umac.c] If platform doesn't provide swap32(3), then
fallback to provided bit-swizzing functions
- (dtucker) [openbsd-compat/bsd-misc.c] According to the spec the "remainder"
argument to nanosleep may be NULL. Currently this never happens in OpenSSH,
but check anyway in case this changes or the code gets used elsewhere.
- (dtucker) [includes.h] Bug #1243: HAVE_PATHS -> HAVE_PATHS_H. Should
prevent warnings about redefinitions of various things in paths.h.
Spotted by cartmanltd at hotmail.com.
20070605
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2007/05/22 10:18:52
[sshd.c]
zap double include; from p_nowaczyk AT o2.pl
(not required in -portable, Id sync only)
- djm@cvs.openbsd.org 2007/05/30 05:58:13
[kex.c]
tidy: KNF, ARGSUSED and u_int
- jmc@cvs.openbsd.org 2007/05/31 19:20:16
[scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1
ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8]
convert to new .Dd format;
(We will need to teach mdoc2man.awk to understand this too.)
- djm@cvs.openbsd.org 2007/05/31 23:34:29
[packet.c]
gc unreachable code; spotted by Tavis Ormandy
- djm@cvs.openbsd.org 2007/06/02 09:04:58
[bufbn.c]
memory leak on error path; from arnaud.lacombe.1 AT ulaval.ca
- djm@cvs.openbsd.org 2007/06/05 06:52:37
[kex.c monitor_wrap.c packet.c mac.h kex.h mac.c]
Preserve MAC ctx between packets, saving 2xhash calls per-packet.
Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
committing at his request)
- (dtucker) [mdoc2man.awk] Teach it to deal with $Mdocdate tags that
OpenBSD's cvs now adds.
- (dtucker) [mdoc2man.awk] Remove trailing "$" from Mdocdate regex so
mindrot's cvs doesn't expand it on us.
- (dtucker) [mdoc2man.awk] Add support for %R references, used for RFCs.
20070520
- (dtucker) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2007/04/14 22:01:58
[auth2.c]
remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
- stevesk@cvs.openbsd.org 2007/04/18 01:12:43
[sftp-server.c]
cast "%llu" format spec to (unsigned long long); do not assume a
u_int64_t arg is the same as 'unsigned long long'.
from Dmitry V. Levin <ldv@altlinux.org>
ok markus@ 'Yes, that looks correct' millert@
- dtucker@cvs.openbsd.org 2007/04/23 10:15:39
[servconf.c]
Remove debug() left over from development. ok deraadt@
- djm@cvs.openbsd.org 2007/05/17 07:50:31
[log.c]
save and restore errno when logging; ok deraadt@
- djm@cvs.openbsd.org 2007/05/17 07:55:29
[sftp-server.c]
bz#1286 stop reading and processing commands when input or output buffer
is nearly full, otherwise sftp-server would happily try to grow the
input/output buffers past the maximum supported by the buffer API and
promptly fatal()
based on patch from Thue Janus Kristensen; feedback & ok dtucker@
- djm@cvs.openbsd.org 2007/05/17 20:48:13
[sshconnect2.c]
fall back to gethostname() when the outgoing connection is not
on a socket, such as is the case when ProxyCommand is used.
Gives hostbased auth an opportunity to work; bz#616, report
and feedback stuart AT kaloram.com; ok markus@
- djm@cvs.openbsd.org 2007/05/17 20:52:13
[monitor.c]
pass received SIGINT from monitor to postauth child so it can clean
up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com;
ok markus@
- jolan@cvs.openbsd.org 2007/05/17 23:53:41
[sshconnect2.c]
djm owes me a vb and a tism cd for breaking ssh compilation
- (dtucker) [auth-pam.c] malloc+memset -> calloc. Patch from
ldv at altlinux.org.
- (dtucker) [auth-pam.c] Return empty string if fgets fails in
sshpam_tty_conv. Patch from ldv at altlinux.org.
20070509
- (tim) [configure.ac] Bug #1287: Add missing test for ucred.h.
20070429
- (dtucker) [openbsd-compat/bsd-misc.c] Include unistd.h and sys/types.h
for select(2) prototype.
- (dtucker) [auth-shadow.c loginrec.c] Include time.h for time(2) prototype.
- (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Bug #1299: Use the
platform's _res if it has one. Should fix problem of DNSSEC record lookups
on NetBSD as reported by Curt Sampson.
- (dtucker) [openbsd-compat/xmmap.c] Include stdlib.h for mkstemp prototype.
- (dtucker) [configure.ac defines.h] Have configure check for MAXSYMLINKS
so we don't get redefinition warnings.
- (dtucker) [openbsd-compat/xmmap.c] Include stdlib.h for mkstemp prototype.
- (dtucker) [configure.ac defines.h] Prevent warnings about __attribute__
__nonnull__ for versions of GCC that don't support it.
- (dtucker) [configure.ac defines.h] Have configure check for offsetof
to prevent redefinition warnings.
20070406
- (dtucker) [INSTALL] Update the systems that have PAM as standard. Link
to OpenPAM too.
- (dtucker) [INSTALL] prngd lives at sourceforge these days.
20070326
- (tim) [auth.c configure.ac defines.h session.c openbsd-compat/port-uw.c
openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] Rework libiaf test/defines
to account for IRIX having libiaf but not set_id(). Patch with & ok dtucker@
20070325
- (dtucker) [Makefile.in configure.ac] Replace single-purpose LIBSELINUX,
LIBWRAP and LIBPAM variables in Makefile with the general-purpose
SSHDLIBS. "I like" djm@
20070321
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2007/03/09 05:20:06
[servconf.c sshd.c]
Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@
- djm@cvs.openbsd.org 2007/03/19 01:01:29
[sshd_config]
Disable the legacy SSH protocol 1 for new installations via
a configuration override. In the future, we will change the
server's default itself so users who need the legacy protocol
will need to turn it on explicitly
- dtucker@cvs.openbsd.org 2007/03/19 12:16:42
[ssh-agent.c]
Remove the signal handler that checks if the agent's parent process
has gone away, instead check when the select loop returns. Record when
the next key will expire when scanning for expired keys. Set the select
timeout to whichever of these two things happens next. With djm@, with &
ok deraadt@ markus@
- tedu@cvs.openbsd.org 2007/03/20 03:56:12
[readconf.c clientloop.c]
remove some bogus *p tests from charles longeau
ok deraadt millert
- jmc@cvs.openbsd.org 2007/03/20 15:57:15
[sshd.8]
- let synopsis and description agree for -f
- sort FILES
- +.Xr ssh-keyscan 1 ,
from Igor Sobrado
- (dtucker) [configure.ac openbsd-compat/bsd-getpeereid.c] Bug #1287: Use
getpeerucred to implement getpeereid (currently only Solaris 10 and up).
Patch by Jan.Pechanec at Sun.
- (dtucker) [regress/agent-getpeereid.sh] Do peereid test if we have
HAVE_GETPEERUCRED too. Also from Jan Pechanec.
20070313
- (dtucker) [entropy.c scard-opensc.c ssh-rand-helper.c] Bug #1294: include
string.h to prevent warnings, from vapier at gentoo.org.
- (dtucker) [LICENCE] Add Daniel Walsh as a copyright holder for the
selinux bits in -portable.
- (dtucker) [cipher-3des1.c cipher-bf1.c] The OpenSSL 0.9.8e problem in
bug #1291 also affects Protocol 1 3des. While at it, use compat-openssl.h
in cipher-bf1.c. Patch from Juan Gallego.
- (dtucker) [README.platform] Info about blibpath on AIX.
20070306
- (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2007/03/01 16:19:33
@ -2816,4 +3184,4 @@
OpenServer 6 and add osr5bigcrypt support so when someone migrates
passwords between UnixWare and OpenServer they will still work. OK dtucker@
$Id: ChangeLog,v 1.4635.2.1 2007/03/06 10:27:55 djm Exp $
$Id: ChangeLog,v 1.4738.2.1 2007/09/04 06:49:09 djm Exp $

59
INSTALL
View File

@ -14,17 +14,37 @@ Blowfish) do not work correctly.)
The remaining items are optional.
OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system
supports it. PAM is standard on Redhat and Debian Linux, Solaris and
HP-UX 11.
NB. If you operating system supports /dev/random, you should configure
OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of
/dev/random. If you don't you will have to rely on ssh-rand-helper, which
is inferior to a good kernel-based solution.
/dev/random, or failing that, either prngd or egd. If you don't have
any of these you will have to rely on ssh-rand-helper, which is inferior
to a good kernel-based solution or prngd.
PRNGD:
If your system lacks kernel-based random collection, the use of Lutz
Jaenicke's PRNGd is recommended.
http://prngd.sourceforge.net/
EGD:
The Entropy Gathering Daemon (EGD) is supported if you have a system which
lacks /dev/random and don't want to use OpenSSH's internal entropy collection.
http://www.lothar.com/tech/crypto/
PAM:
http://www.kernel.org/pub/linux/libs/pam/
OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
system supports it. PAM is standard most Linux distributions, Solaris,
HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.
Information about the various PAM implementations are available:
Solaris PAM: http://www.sun.com/software/solaris/pam/
Linux PAM: http://www.kernel.org/pub/linux/libs/pam/
OpenPAM: http://www.openpam.org/
If you wish to build the GNOME passphrase requester, you will need the GNOME
libraries and headers.
@ -37,19 +57,14 @@ passphrase requester. This is maintained separately at:
http://www.jmknoble.net/software/x11-ssh-askpass/
PRNGD:
TCP Wrappers:
If your system lacks Kernel based random collection, the use of Lutz
Jaenicke's PRNGd is recommended.
If you wish to use the TCP wrappers functionality you will need at least
tcpd.h and libwrap.a, either in the standard include and library paths,
or in the directory specified by --with-tcp-wrappers. Version 7.6 is
known to work.
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
EGD:
The Entropy Gathering Daemon (EGD) is supported if you have a system which
lacks /dev/random and don't want to use OpenSSH's internal entropy collection.
http://www.lothar.com/tech/crypto/
http://ftp.porcupine.org/pub/security/index.html
S/Key Libraries:
@ -72,7 +87,7 @@ Autoconf:
If you modify configure.ac or configure doesn't exist (eg if you checked
the code out of CVS yourself) then you will need autoconf-2.61 to rebuild
the automatically generated files by running "autoreconf". Earlier
version may also work but this is not guaranteed.
versions may also work but this is not guaranteed.
http://www.gnu.org/software/autoconf/
@ -162,7 +177,7 @@ Integration Architecture. The default for OSF1 machines is enable.
need the S/Key libraries and header files installed for this to work.
--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
support. You will need libwrap.a and tcpd.h installed.
support.
--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords and the system crypt() does
@ -180,7 +195,7 @@ $DISPLAY environment variable. Some broken systems need this.
--with-default-path=PATH allows you to specify a default $PATH for sessions
started by sshd. This replaces the standard path entirely.
--with-pid-dir=PATH specifies the directory in which the ssh.pid file is
--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
created.
--with-xauth=PATH specifies the location of the xauth binary
@ -251,4 +266,4 @@ Please refer to the "reporting bugs" section of the webpage at
http://www.openssh.com/
$Id: INSTALL,v 1.77 2007/03/02 06:53:41 dtucker Exp $
$Id: INSTALL,v 1.84 2007/08/17 12:52:05 dtucker Exp $

View File

@ -205,6 +205,7 @@ OpenSSH contains no GPL code.
Darren Tucker
Sun Microsystems
The SCO Group
Daniel Walsh
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions

View File

@ -1,4 +1,4 @@
# $Id: Makefile.in,v 1.283 2006/10/23 21:44:47 tim Exp $
# $Id: Makefile.in,v 1.285 2007/06/11 04:01:42 djm Exp $
# uncomment if you run a non bourne compatable shell. Ie. csh
#SHELL = @SH@
@ -44,11 +44,8 @@ LD=@LD@
CFLAGS=@CFLAGS@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
LIBS=@LIBS@
LIBSELINUX=@LIBSELINUX@
SSHDLIBS=@SSHDLIBS@
LIBEDIT=@LIBEDIT@
LIBPAM=@LIBPAM@
LIBWRAP=@LIBWRAP@
AR=@AR@
AWK=@AWK@
RANLIB=@RANLIB@
@ -74,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
entropy.o scard-opensc.o gss-genr.o
entropy.o scard-opensc.o gss-genr.o umac.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o
@ -139,7 +136,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(SSHDLIBS) $(LIBS)
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)

4
README
View File

@ -1,4 +1,4 @@
See http://www.openssh.com/txt/release-4.6 for the release notes.
See http://www.openssh.com/txt/release-4.7 for the release notes.
- A Japanese translation of this document and of the OpenSSH FAQ is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@ -62,4 +62,4 @@ References -
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
[7] http://www.openssh.com/faq.html
$Id: README,v 1.64.4.1 2007/03/06 10:27:56 djm Exp $
$Id: README,v 1.66 2007/08/15 09:22:20 dtucker Exp $

View File

@ -23,6 +23,20 @@ to force the previous IPv4-only behaviour.
IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5
IPv6 known broken: 4.3.3ML11 5.1ML4
If you wish to use dynamic libraries that aren't in the normal system
locations (eg IBM's OpenSSL and zlib packages) then you will need to
define the environment variable blibpath before running configure, eg
blibpath=/lib:/usr/lib:/opt/freeware/lib ./configure \
--with-ssl-dir=/opt/freeware --with-zlib=/opt/freeware
If sshd is built with the WITH_AIXAUTHENTICATE option (which is enabled
by default) then sshd checks that users are permitted via the
loginrestrictions() function, in particular that the user has the
"rlogin" attribute set. This check is not done for the root account,
instead the PermitRootLogin setting in sshd_config is used.
Cygwin
------
To build on Cygwin, OpenSSH requires the following packages:
@ -67,4 +81,4 @@ account stacks which will prevent authentication entirely, but will still
return the output from pam_nologin to the client.
$Id: README.platform,v 1.7 2006/06/23 11:05:13 dtucker Exp $
$Id: README.platform,v 1.9 2007/08/09 04:31:53 dtucker Exp $

View File

@ -1,4 +1,4 @@
/* $OpenBSD: atomicio.c,v 1.23 2006/08/03 03:34:41 deraadt Exp $ */
/* $OpenBSD: atomicio.c,v 1.25 2007/06/25 12:02:27 dtucker Exp $ */
/*
* Copyright (c) 2006 Damien Miller. All rights reserved.
* Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
@ -32,7 +32,11 @@
#include <sys/uio.h>
#include <errno.h>
#ifdef HAVE_POLL_H
#include <poll.h>
#endif
#include <string.h>
#include <unistd.h>
#include "atomicio.h"
@ -45,17 +49,24 @@ atomicio(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n)
char *s = _s;
size_t pos = 0;
ssize_t res;
struct pollfd pfd;
pfd.fd = fd;
pfd.events = f == read ? POLLIN : POLLOUT;
while (n > pos) {
res = (f) (fd, s + pos, n - pos);
switch (res) {
case -1:
#ifdef EWOULDBLOCK
if (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)
if (errno == EINTR || errno == EWOULDBLOCK)
#else
if (errno == EINTR || errno == EAGAIN)
if (errno == EINTR)
#endif
continue;
if (errno == EAGAIN) {
(void)poll(&pfd, 1, -1);
continue;
}
return 0;
case 0:
errno = EPIPE;
@ -77,6 +88,7 @@ atomiciov(ssize_t (*f) (int, const struct iovec *, int), int fd,
size_t pos = 0, rem;
ssize_t res;
struct iovec iov_array[IOV_MAX], *iov = iov_array;
struct pollfd pfd;
if (iovcnt > IOV_MAX) {
errno = EINVAL;
@ -85,12 +97,22 @@ atomiciov(ssize_t (*f) (int, const struct iovec *, int), int fd,
/* Make a copy of the iov array because we may modify it below */
memcpy(iov, _iov, iovcnt * sizeof(*_iov));
pfd.fd = fd;
pfd.events = f == readv ? POLLIN : POLLOUT;
for (; iovcnt > 0 && iov[0].iov_len > 0;) {
res = (f) (fd, iov, iovcnt);
switch (res) {
case -1:
if (errno == EINTR || errno == EAGAIN)
#ifdef EWOULDBLOCK
if (errno == EINTR || errno == EWOULDBLOCK)
#else
if (errno == EINTR)
#endif
continue;
if (errno == EAGAIN) {
(void)poll(&pfd, 1, -1);
continue;
}
return 0;
case 0:
errno = EPIPE;

View File

@ -161,9 +161,9 @@ sshpam_sigchld_handler(int sig)
WTERMSIG(sshpam_thread_status) == SIGTERM)
return; /* terminated by pthread_cancel */
if (!WIFEXITED(sshpam_thread_status))
fatal("PAM: authentication thread exited unexpectedly");
sigdie("PAM: authentication thread exited unexpectedly");
if (WEXITSTATUS(sshpam_thread_status) != 0)
fatal("PAM: authentication thread exited uncleanly");
sigdie("PAM: authentication thread exited uncleanly");
}
/* ARGSUSED */
@ -686,8 +686,7 @@ sshpam_init_ctx(Authctxt *authctxt)
return (NULL);
}
ctxt = xmalloc(sizeof *ctxt);
memset(ctxt, 0, sizeof(*ctxt));
ctxt = xcalloc(1, sizeof *ctxt);
/* Start the authentication thread */
if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
@ -985,7 +984,8 @@ sshpam_tty_conv(int n, sshpam_const struct pam_message **msg,
break;
case PAM_PROMPT_ECHO_ON:
fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg));
fgets(input, sizeof input, stdin);
if (fgets(input, sizeof input, stdin) == NULL)
input[0] = '\0';
if ((reply[i].resp = strdup(input)) == NULL)
goto fail;
reply[i].resp_retcode = PAM_SUCCESS;
@ -1130,9 +1130,8 @@ sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
if (n <= 0 || n > PAM_MAX_NUM_MSG)
return (PAM_CONV_ERR);
if ((reply = malloc(n * sizeof(*reply))) == NULL)
if ((reply = calloc(n, sizeof(*reply))) == NULL)
return (PAM_CONV_ERR);
memset(reply, 0, n * sizeof(*reply));
for (i = 0; i < n; ++i) {
switch (PAM_MSG_MEMBER(msg, i, msg_style)) {

View File

@ -28,6 +28,7 @@
#include <shadow.h>
#include <stdarg.h>
#include <string.h>
#include <time.h>
#include "key.h"
#include "hostfile.h"

8
auth.c
View File

@ -115,11 +115,11 @@ allowed_user(struct passwd * pw)
/* grab passwd field for locked account check */
#ifdef USE_SHADOW
if (spw != NULL)
#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
#ifdef USE_LIBIAF
passwd = get_iaf_password(pw);
#else
passwd = spw->sp_pwdp;
#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
#endif /* USE_LIBIAF */
#else
passwd = pw->pw_passwd;
#endif
@ -141,9 +141,9 @@ allowed_user(struct passwd * pw)
if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
locked = 1;
#endif
#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
#ifdef USE_LIBIAF
free(passwd);
#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
#endif /* USE_LIBIAF */
if (locked) {
logit("User %.100s not allowed because account is locked",
pw->pw_name);

View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2.c,v 1.114 2007/03/01 10:28:02 dtucker Exp $ */
/* $OpenBSD: auth2.c,v 1.115 2007/04/14 22:01:58 stevesk Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -281,8 +281,6 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
}
}
#define DELIM ","
static char *
authmethods_get(void)
{

View File

@ -1,4 +1,4 @@
/* $OpenBSD: bufbn.c,v 1.5 2007/02/14 14:32:00 stevesk Exp $*/
/* $OpenBSD: bufbn.c,v 1.6 2007/06/02 09:04:58 djm Exp $*/
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -201,12 +201,14 @@ buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value)
return (-1);
}
if (len > 8 * 1024) {
error("buffer_get_bignum2_ret: cannot handle BN of size %d", len);
error("buffer_get_bignum2_ret: cannot handle BN of size %d",
len);
xfree(bin);
return (-1);
}
if (BN_bin2bn(bin, len, value) == NULL) {
error("buffer_get_bignum2_ret: BN_bin2bn failed");
xfree(bin);
return (-1);
}
xfree(bin);

View File

@ -49,6 +49,8 @@ PKG_REQUEST_LOCAL=../pkg-request.local
OPENSSHD=opensshd.init
OPENSSH_MANIFEST=openssh.xml
OPENSSH_FMRI=svc:/site/${SYSVINIT_NAME}:default
SMF_METHOD_DIR=/lib/svc/method/site
SMF_MANIFEST_DIR=/var/svc/manifest/site
PATH_GROUPADD_PROG=@PATH_GROUPADD_PROG@
PATH_USERADD_PROG=@PATH_USERADD_PROG@
@ -196,15 +198,17 @@ then
# For Solaris' SMF, /lib/svc/method/site is the preferred place
# for start/stop scripts that aren't supplied with the OS, and
# similarly /var/svc/manifest/site for manifests.
mkdir -p $FAKE_ROOT${TEST_DIR}/lib/svc/method/site
mkdir -p $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site
mkdir -p $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}
mkdir -p $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}
cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}/lib/svc/method/site/${SYSVINIT_NAME}
chmod 744 $FAKE_ROOT${TEST_DIR}/lib/svc/method/site/${SYSVINIT_NAME}
cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}/${SYSVINIT_NAME}
chmod 744 $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}/${SYSVINIT_NAME}
cat ${OPENSSH_MANIFEST} | sed "s|__SYSVINIT_NAME__|${SYSVINIT_NAME}|" \
> $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site/${SYSVINIT_NAME}.xml
chmod 644 $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site/${SYSVINIT_NAME}.xml
cat ${OPENSSH_MANIFEST} | \
sed -e "s|__SYSVINIT_NAME__|${SYSVINIT_NAME}|" \
-e "s|__SMF_METHOD_DIR__|${SMF_METHOD_DIR}|" \
> $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
chmod 644 $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
else
mkdir -p $FAKE_ROOT${TEST_DIR}/etc/init.d
@ -214,19 +218,19 @@ fi
[ "${PERMIT_ROOT_LOGIN}" = no ] && \
perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
$FAKE_ROOT/${sysconfdir}/sshd_config
$FAKE_ROOT${sysconfdir}/sshd_config
[ "${X11_FORWARDING}" = yes ] && \
perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
$FAKE_ROOT/${sysconfdir}/sshd_config
$FAKE_ROOT${sysconfdir}/sshd_config
# fix PrintMotd
perl -p -i -e "s/#PrintMotd yes/PrintMotd no/" \
$FAKE_ROOT/${sysconfdir}/sshd_config
$FAKE_ROOT${sysconfdir}/sshd_config
# We don't want to overwrite config files on multiple installs
mv $FAKE_ROOT/${sysconfdir}/ssh_config $FAKE_ROOT/${sysconfdir}/ssh_config.default
mv $FAKE_ROOT/${sysconfdir}/sshd_config $FAKE_ROOT/${sysconfdir}/sshd_config.default
[ -f $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds ] && \
mv $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds.default
mv $FAKE_ROOT${sysconfdir}/ssh_config $FAKE_ROOT${sysconfdir}/ssh_config.default
mv $FAKE_ROOT${sysconfdir}/sshd_config $FAKE_ROOT${sysconfdir}/sshd_config.default
[ -f $FAKE_ROOT${sysconfdir}/ssh_prng_cmds ] && \
mv $FAKE_ROOT${sysconfdir}/ssh_prng_cmds $FAKE_ROOT${sysconfdir}/ssh_prng_cmds.default
# local tweeks here
[ -s "${POST_MAKE_INSTALL_FIXES}" ] && . ${POST_MAKE_INSTALL_FIXES}
@ -336,7 +340,7 @@ then
svccfg delete -f $OPENSSH_FMRI
fi
# NOTE, The manifest disables sshd by default.
svccfg import ${TEST_DIR}/var/svc/manifest/site/${SYSVINIT_NAME}.xml
svccfg import ${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
else
if [ "\${USE_SYM_LINKS}" = yes ]
then

View File

@ -1,4 +1,4 @@
/* $OpenBSD: channels.c,v 1.268 2007/01/03 03:01:40 stevesk Exp $ */
/* $OpenBSD: channels.c,v 1.270 2007/06/25 08:20:03 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1446,14 +1446,13 @@ static int
channel_handle_rfd(Channel *c, fd_set *readset, fd_set *writeset)
{
char buf[CHAN_RBUF];
int len;
int len, force;
if (c->rfd != -1 &&
(c->detach_close || FD_ISSET(c->rfd, readset))) {
force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED;
if (c->rfd != -1 && (force || FD_ISSET(c->rfd, readset))) {
errno = 0;
len = read(c->rfd, buf, sizeof(buf));
if (len < 0 && (errno == EINTR ||
(errno == EAGAIN && !(c->isatty && c->detach_close))))
if (len < 0 && (errno == EINTR || (errno == EAGAIN && !force)))
return 1;
#ifndef PTY_ZEROREAD
if (len <= 0) {
@ -1658,7 +1657,9 @@ channel_check_window(Channel *c)
{
if (c->type == SSH_CHANNEL_OPEN &&
!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
c->local_window < c->local_window_max/2 &&
((c->local_window_max - c->local_window >
c->local_maxpacket*3) ||
c->local_window < c->local_window_max/2) &&
c->local_consumed > 0) {
packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
packet_put_int(c->remote_id);

View File

@ -1,4 +1,4 @@
/* $OpenBSD: channels.h,v 1.88 2006/08/03 03:34:42 deraadt Exp $ */
/* $OpenBSD: channels.h,v 1.89 2007/06/11 09:14:00 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -122,9 +122,9 @@ struct Channel {
/* default window/packet sizes for tcp/x11-fwd-channel */
#define CHAN_SES_PACKET_DEFAULT (32*1024)
#define CHAN_SES_WINDOW_DEFAULT (4*CHAN_SES_PACKET_DEFAULT)
#define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT)
#define CHAN_TCP_PACKET_DEFAULT (32*1024)
#define CHAN_TCP_WINDOW_DEFAULT (4*CHAN_TCP_PACKET_DEFAULT)
#define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT)
#define CHAN_X11_PACKET_DEFAULT (16*1024)
#define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT)

View File

@ -35,9 +35,7 @@
#include "xmalloc.h"
#include "log.h"
#if OPENSSL_VERSION_NUMBER < 0x00906000L
#define SSH_OLD_EVP
#endif
#include "openbsd-compat/openssl-compat.h"
/*
* This is used by SSH1:

View File

@ -35,9 +35,7 @@
#include "xmalloc.h"
#include "log.h"
#if OPENSSL_VERSION_NUMBER < 0x00906000L
#define SSH_OLD_EVP
#endif
#include "openbsd-compat/openssl-compat.h"
/*
* SSH1 uses a variation on Blowfish, all bytes must be swapped before

View File

@ -29,13 +29,7 @@
/* compatibility with old or broken OpenSSL versions */
#include "openbsd-compat/openssl-compat.h"
#ifdef USE_BUILTIN_RIJNDAEL
#include "rijndael.h"
#define AES_KEY rijndael_ctx
#define AES_BLOCK_SIZE 16
#define AES_encrypt(a, b, c) rijndael_encrypt(c, a, b)
#define AES_set_encrypt_key(a, b, c) rijndael_set_key(c, (char *)a, b, 1)
#else
#ifndef USE_BUILTIN_RIJNDAEL
#include <openssl/aes.h>
#endif

View File

@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.c,v 1.178 2007/02/20 10:25:14 djm Exp $ */
/* $OpenBSD: clientloop.c,v 1.181 2007/08/15 08:14:46 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -290,19 +290,29 @@ client_x11_get_proto(const char *display, const char *xauth_path,
generated = 1;
}
}
snprintf(cmd, sizeof(cmd),
"%s %s%s list %s 2>" _PATH_DEVNULL,
xauth_path,
generated ? "-f " : "" ,
generated ? xauthfile : "",
display);
debug2("x11_get_proto: %s", cmd);
f = popen(cmd, "r");
if (f && fgets(line, sizeof(line), f) &&
sscanf(line, "%*s %511s %511s", proto, data) == 2)
got_data = 1;
if (f)
pclose(f);
/*
* When in untrusted mode, we read the cookie only if it was
* successfully generated as an untrusted one in the step
* above.
*/
if (trusted || generated) {
snprintf(cmd, sizeof(cmd),
"%s %s%s list %s 2>" _PATH_DEVNULL,
xauth_path,
generated ? "-f " : "" ,
generated ? xauthfile : "",
display);
debug2("x11_get_proto: %s", cmd);
f = popen(cmd, "r");
if (f && fgets(line, sizeof(line), f) &&
sscanf(line, "%*s %511s %511s", proto, data) == 2)
got_data = 1;
if (f)
pclose(f);
} else
error("Warning: untrusted X11 forwarding setup failed: "
"xauth key data not generated");
}
if (do_unlink) {
@ -935,7 +945,7 @@ process_cmdline(void)
cmd = s = read_passphrase("\r\nssh> ", RP_ECHO);
if (s == NULL)
goto out;
while (*s && isspace(*s))
while (isspace(*s))
s++;
if (*s == '-')
s++; /* Skip cmdline '-', if any */
@ -982,9 +992,8 @@ process_cmdline(void)
goto out;
}
s++;
while (*s && isspace(*s))
s++;
while (isspace(*++s))
;
if (delete) {
cancel_port = 0;
@ -1774,6 +1783,50 @@ client_request_agent(const char *request_type, int rchan)
return c;
}
int
client_request_tun_fwd(int tun_mode, int local_tun, int remote_tun)
{
Channel *c;
int fd;
if (tun_mode == SSH_TUNMODE_NO)
return 0;
if (!compat20) {
error("Tunnel forwarding is not support for protocol 1");
return -1;
}
debug("Requesting tun unit %d in mode %d", local_tun, tun_mode);
/* Open local tunnel device */
if ((fd = tun_open(local_tun, tun_mode)) == -1) {
error("Tunnel device open failed.");
return -1;
}
c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
c->datagram = 1;
#if defined(SSH_TUN_FILTER)
if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
channel_register_filter(c->self, sys_tun_infilter,
sys_tun_outfilter);
#endif
packet_start(SSH2_MSG_CHANNEL_OPEN);
packet_put_cstring("tun@openssh.com");
packet_put_int(c->self);
packet_put_int(c->local_window_max);
packet_put_int(c->local_maxpacket);
packet_put_int(tun_mode);
packet_put_int(remote_tun);
packet_send();
return 0;
}
/* XXXX move to generic input handler */
static void
client_input_channel_open(int type, u_int32_t seq, void *ctxt)

View File

@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.h,v 1.16 2006/03/25 22:22:42 djm Exp $ */
/* $OpenBSD: clientloop.h,v 1.17 2007/08/07 07:32:53 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -44,6 +44,7 @@ void client_x11_get_proto(const char *, const char *, u_int,
void client_global_request_reply_fwd(int, u_int32_t, void *);
void client_session2_setup(int, int, int, const char *, struct termios *,
int, Buffer *, char **, dispatch_fn *);
int client_request_tun_fwd(int, int, int);
/* Multiplexing protocol version */
#define SSHMUX_VER 1

View File

@ -155,6 +155,9 @@
/* OpenBSD's gcc has bounded */
#undef HAVE_ATTRIBUTE__BOUNDED__
/* Have attribute nonnull */
#undef HAVE_ATTRIBUTE__NONNULL__
/* OpenBSD's gcc has sentinel */
#undef HAVE_ATTRIBUTE__SENTINEL__
@ -230,6 +233,14 @@
don't. */
#undef HAVE_DECL_LOGINSUCCESS
/* Define to 1 if you have the declaration of `MAXSYMLINKS', and to 0 if you
don't. */
#undef HAVE_DECL_MAXSYMLINKS
/* Define to 1 if you have the declaration of `offsetof', and to 0 if you
don't. */
#undef HAVE_DECL_OFFSETOF
/* Define to 1 if you have the declaration of `O_NONBLOCK', and to 0 if you
don't. */
#undef HAVE_DECL_O_NONBLOCK
@ -354,6 +365,9 @@
/* Define to 1 if you have the `getpeereid' function. */
#undef HAVE_GETPEEREID
/* Define to 1 if you have the `getpeerucred' function. */
#undef HAVE_GETPEERUCRED
/* Define to 1 if you have the `getpwanam' function. */
#undef HAVE_GETPWANAM
@ -480,9 +494,6 @@
/* Define to 1 if you have the <libgen.h> header file. */
#undef HAVE_LIBGEN_H
/* Define to 1 if you have the `iaf' library (-liaf). */
#undef HAVE_LIBIAF
/* Define to 1 if you have the `nsl' library (-lnsl). */
#undef HAVE_LIBNSL
@ -619,6 +630,12 @@
/* define if you have pid_t data type */
#undef HAVE_PID_T
/* Define to 1 if you have the `poll' function. */
#undef HAVE_POLL
/* Define to 1 if you have the <poll.h> header file. */
#undef HAVE_POLL_H
/* Define to 1 if you have the `prctl' function. */
#undef HAVE_PRCTL
@ -736,6 +753,9 @@
/* Define to 1 if you have the `setvbuf' function. */
#undef HAVE_SETVBUF
/* Define to 1 if you have the `set_id' function. */
#undef HAVE_SET_ID
/* Define to 1 if you have the `SHA256_Update' function. */
#undef HAVE_SHA256_UPDATE
@ -844,6 +864,9 @@
/* define if you have struct timeval */
#undef HAVE_STRUCT_TIMEVAL
/* Define to 1 if you have the `swap32' function. */
#undef HAVE_SWAP32
/* Define to 1 if you have the `sysconf' function. */
#undef HAVE_SYSCONF
@ -958,6 +981,9 @@
/* Define if you have ut_type in utmpx.h */
#undef HAVE_TYPE_IN_UTMPX
/* Define to 1 if you have the <ucred.h> header file. */
#undef HAVE_UCRED_H
/* define if you have uintxx_t data type */
#undef HAVE_UINTXX_T
@ -1039,6 +1065,9 @@
/* Define to 1 if you have the `_getshort' function. */
#undef HAVE__GETSHORT
/* Define if you have struct __res_state _res as an extern */
#undef HAVE__RES_EXTERN
/* Define to 1 if you have the `__b64_ntop' function. */
#undef HAVE___B64_NTOP

382
configure vendored
View File

@ -1,5 +1,5 @@
#! /bin/sh
# From configure.ac Revision: 1.372 .
# From configure.ac Revision: 1.383 .
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.61 for OpenSSH Portable.
#
@ -693,9 +693,7 @@ LOGIN_PROGRAM_FALLBACK
PATH_PASSWD_PROG
LD
SSHDLIBS
LIBWRAP
LIBEDIT
LIBPAM
INSTALL_SSH_RAND_HELPER
SSH_PRIVSEP_USER
PROG_LS
@ -716,7 +714,6 @@ PROG_IPCS
PROG_TAIL
INSTALL_SSH_PRNG_CMDS
OPENSC_CONFIG
LIBSELINUX
PRIVSEP_PATH
xauth_path
STRIP_OPT
@ -5390,9 +5387,12 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized"
GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
case $GCC_VER in
1.*) ;;
2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;;
2.*) ;;
1.*) no_attrib_nonnull=1 ;;
2.8* | 2.9*)
CFLAGS="$CFLAGS -Wsign-compare"
no_attrib_nonnull=1
;;
2.*) no_attrib_nonnull=1 ;;
3.*) CFLAGS="$CFLAGS -Wsign-compare" ;;
4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign" ;;
*) ;;
@ -5466,6 +5466,14 @@ fi
fi
fi
if test "x$no_attrib_nonnull" != "x1" ; then
cat >>confdefs.h <<\_ACEOF
#define HAVE_ATTRIBUTE__NONNULL__ 1
_ACEOF
fi
# Check whether --with-rpath was given.
if test "${with_rpath+set}" = set; then
@ -5601,6 +5609,8 @@ fi
@ -5626,6 +5636,7 @@ for ac_header in \
netgroup.h \
pam/pam_appl.h \
paths.h \
poll.h \
pty.h \
readpassphrase.h \
rpc/types.h \
@ -5657,6 +5668,7 @@ for ac_header in \
time.h \
tmpdir.h \
ttyent.h \
ucred.h \
unistd.h \
usersec.h \
util.h \
@ -8862,6 +8874,14 @@ _ACEOF
_ACEOF
enable_etc_default_login=no # has incompatible /etc/default/login
case "$host" in
*-*-nto-qnx6*)
cat >>confdefs.h <<\_ACEOF
#define DISABLE_FD_PASSING 1
_ACEOF
;;
esac
;;
*-*-ultrix*)
@ -11684,8 +11704,7 @@ if test "${with_tcp_wrappers+set}" = set; then
CPPFLAGS="-I${withval} ${CPPFLAGS}"
fi
fi
LIBWRAP="-lwrap"
LIBS="$LIBWRAP $LIBS"
LIBS="-lwrap $LIBS"
{ echo "$as_me:$LINENO: checking for libwrap" >&5
echo $ECHO_N "checking for libwrap... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
@ -11735,7 +11754,7 @@ cat >>confdefs.h <<\_ACEOF
#define LIBWRAP 1
_ACEOF
SSHDLIBS="$SSHDLIBS -lwrap"
TCPW_MSG="yes"
else
@ -12360,6 +12379,9 @@ fi
@ -12386,6 +12408,7 @@ for ac_func in \
getnameinfo \
getopt \
getpeereid \
getpeerucred \
_getpty \
getrlimit \
getttyent \
@ -12404,6 +12427,7 @@ for ac_func in \
ogetaddrinfo \
openlog_r \
openpty \
poll \
prctl \
pstat \
readpassphrase \
@ -12437,6 +12461,7 @@ for ac_func in \
strtonum \
strtoll \
strtoul \
swap32 \
sysconf \
tcgetpgrp \
truncate \
@ -13538,6 +13563,150 @@ fi
{ echo "$as_me:$LINENO: checking whether MAXSYMLINKS is declared" >&5
echo $ECHO_N "checking whether MAXSYMLINKS is declared... $ECHO_C" >&6; }
if test "${ac_cv_have_decl_MAXSYMLINKS+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
#include <sys/param.h>
int
main ()
{
#ifndef MAXSYMLINKS
(void) MAXSYMLINKS;
#endif
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext
if { (ac_try="$ac_compile"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && {
test -z "$ac_c_werror_flag" ||
test ! -s conftest.err
} && test -s conftest.$ac_objext; then
ac_cv_have_decl_MAXSYMLINKS=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_cv_have_decl_MAXSYMLINKS=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_MAXSYMLINKS" >&5
echo "${ECHO_T}$ac_cv_have_decl_MAXSYMLINKS" >&6; }
if test $ac_cv_have_decl_MAXSYMLINKS = yes; then
cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_MAXSYMLINKS 1
_ACEOF
else
cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_MAXSYMLINKS 0
_ACEOF
fi
{ echo "$as_me:$LINENO: checking whether offsetof is declared" >&5
echo $ECHO_N "checking whether offsetof is declared... $ECHO_C" >&6; }
if test "${ac_cv_have_decl_offsetof+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
#include <stddef.h>
int
main ()
{
#ifndef offsetof
(void) offsetof;
#endif
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext
if { (ac_try="$ac_compile"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && {
test -z "$ac_c_werror_flag" ||
test ! -s conftest.err
} && test -s conftest.$ac_objext; then
ac_cv_have_decl_offsetof=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_cv_have_decl_offsetof=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_offsetof" >&5
echo "${ECHO_T}$ac_cv_have_decl_offsetof" >&6; }
if test $ac_cv_have_decl_offsetof = yes; then
cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_OFFSETOF 1
_ACEOF
else
cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_OFFSETOF 0
_ACEOF
fi
for ac_func in setresuid
do
@ -14853,7 +15022,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
# Check for missing getpeereid (or equiv) support
NO_PEERCHECK=""
if test "x$ac_cv_func_getpeereid" != "xyes" ; then
if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
{ echo "$as_me:$LINENO: checking whether system supports SO_PEERCRED getsockopt" >&5
echo $ECHO_N "checking whether system supports SO_PEERCRED getsockopt... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
@ -16294,7 +16463,7 @@ fi
done
saved_LIBS="$LIBS"
{ echo "$as_me:$LINENO: checking for ia_openinfo in -liaf" >&5
echo $ECHO_N "checking for ia_openinfo in -liaf... $ECHO_C" >&6; }
if test "${ac_cv_lib_iaf_ia_openinfo+set}" = set; then
@ -16357,14 +16526,106 @@ fi
{ echo "$as_me:$LINENO: result: $ac_cv_lib_iaf_ia_openinfo" >&5
echo "${ECHO_T}$ac_cv_lib_iaf_ia_openinfo" >&6; }
if test $ac_cv_lib_iaf_ia_openinfo = yes; then
cat >>confdefs.h <<_ACEOF
#define HAVE_LIBIAF 1
_ACEOF
LIBS="-liaf $LIBS"
LIBS="$LIBS -liaf"
for ac_func in set_id
do
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
{ echo "$as_me:$LINENO: checking for $ac_func" >&5
echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
For example, HP-UX 11i <limits.h> declares gettimeofday. */
#define $ac_func innocuous_$ac_func
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char $ac_func (); below.
Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
<limits.h> exists even on freestanding compilers. */
#ifdef __STDC__
# include <limits.h>
#else
# include <assert.h>
#endif
#undef $ac_func
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char $ac_func ();
/* The GNU C library defines this for functions which it implements
to always fail with ENOSYS. Some functions are actually named
something starting with __ and the normal name is an alias. */
#if defined __stub_$ac_func || defined __stub___$ac_func
choke me
#endif
int
main ()
{
return $ac_func ();
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext conftest$ac_exeext
if { (ac_try="$ac_link"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_link") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && {
test -z "$ac_c_werror_flag" ||
test ! -s conftest.err
} && test -s conftest$ac_exeext &&
$as_test_x conftest$ac_exeext; then
eval "$as_ac_var=yes"
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
eval "$as_ac_var=no"
fi
rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
conftest$ac_exeext conftest.$ac_ext
fi
ac_res=`eval echo '${'$as_ac_var'}'`
{ echo "$as_me:$LINENO: result: $ac_res" >&5
echo "${ECHO_T}$ac_res" >&6; }
if test `eval echo '${'$as_ac_var'}'` = yes; then
cat >>confdefs.h <<_ACEOF
#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
_ACEOF
SSHDLIBS="$SSHDLIBS -liaf"
fi
done
fi
LIBS="$saved_LIBS"
### Configure cryptographic random number support
@ -16790,7 +17051,7 @@ done
PAM_MSG="yes"
LIBPAM="-lpam"
SSHDLIBS="$SSHDLIBS -lpam"
cat >>confdefs.h <<\_ACEOF
#define USE_PAM 1
@ -16803,11 +17064,10 @@ _ACEOF
# libdl already in LIBS
;;
*)
LIBPAM="$LIBPAM -ldl"
SSHDLIBS="$SSHDLIBS -ldl"
;;
esac
fi
fi
@ -25043,6 +25303,59 @@ fi
fi
{ echo "$as_me:$LINENO: checking if struct __res_state _res is an extern" >&5
echo $ECHO_N "checking if struct __res_state _res is an extern... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
#include <stdio.h>
#if HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
extern struct __res_state _res;
int main() { return 0; }
_ACEOF
rm -f conftest.$ac_objext conftest$ac_exeext
if { (ac_try="$ac_link"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_link") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && {
test -z "$ac_c_werror_flag" ||
test ! -s conftest.err
} && test -s conftest$ac_exeext &&
$as_test_x conftest$ac_exeext; then
{ echo "$as_me:$LINENO: result: yes" >&5
echo "${ECHO_T}yes" >&6; }
cat >>confdefs.h <<\_ACEOF
#define HAVE__RES_EXTERN 1
_ACEOF
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
{ echo "$as_me:$LINENO: result: no" >&5
echo "${ECHO_T}no" >&6; }
fi
rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
conftest$ac_exeext conftest.$ac_ext
# Check whether user wants SELinux support
SELINUX_MSG="no"
LIBSELINUX=""
@ -25050,6 +25363,7 @@ LIBSELINUX=""
# Check whether --with-selinux was given.
if test "${with_selinux+set}" = set; then
withval=$with_selinux; if test "x$withval" != "xno" ; then
save_LIBS="$LIBS"
cat >>confdefs.h <<\_ACEOF
#define WITH_SELINUX 1
@ -25264,8 +25578,7 @@ echo "$as_me: error: SELinux support requires libselinux library" >&2;}
{ (exit 1); exit 1; }; }
fi
save_LIBS="$LIBS"
LIBS="$LIBS $LIBSELINUX"
SSHDLIBS="$SSHDLIBS $LIBSELINUX"
for ac_func in getseuserbyname get_default_context_with_level
@ -25367,7 +25680,6 @@ done
fi
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
@ -28781,9 +29093,7 @@ LOGIN_PROGRAM_FALLBACK!$LOGIN_PROGRAM_FALLBACK$ac_delim
PATH_PASSWD_PROG!$PATH_PASSWD_PROG$ac_delim
LD!$LD$ac_delim
SSHDLIBS!$SSHDLIBS$ac_delim
LIBWRAP!$LIBWRAP$ac_delim
LIBEDIT!$LIBEDIT$ac_delim
LIBPAM!$LIBPAM$ac_delim
INSTALL_SSH_RAND_HELPER!$INSTALL_SSH_RAND_HELPER$ac_delim
SSH_PRIVSEP_USER!$SSH_PRIVSEP_USER$ac_delim
PROG_LS!$PROG_LS$ac_delim
@ -28801,6 +29111,8 @@ PROG_DF!$PROG_DF$ac_delim
PROG_VMSTAT!$PROG_VMSTAT$ac_delim
PROG_UPTIME!$PROG_UPTIME$ac_delim
PROG_IPCS!$PROG_IPCS$ac_delim
PROG_TAIL!$PROG_TAIL$ac_delim
INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim
_ACEOF
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@ -28842,10 +29154,7 @@ _ACEOF
ac_delim='%!_!# '
for ac_last_try in false false false false false :; do
cat >conf$$subs.sed <<_ACEOF
PROG_TAIL!$PROG_TAIL$ac_delim
INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim
OPENSC_CONFIG!$OPENSC_CONFIG$ac_delim
LIBSELINUX!$LIBSELINUX$ac_delim
PRIVSEP_PATH!$PRIVSEP_PATH$ac_delim
xauth_path!$xauth_path$ac_delim
STRIP_OPT!$STRIP_OPT$ac_delim
@ -28859,7 +29168,7 @@ LIBOBJS!$LIBOBJS$ac_delim
LTLIBOBJS!$LTLIBOBJS$ac_delim
_ACEOF
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 15; then
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 12; then
break
elif $ac_last_try; then
{ { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
@ -29351,7 +29660,10 @@ echo " Compiler: ${CC}"
echo " Compiler flags: ${CFLAGS}"
echo "Preprocessor flags: ${CPPFLAGS}"
echo " Linker flags: ${LDFLAGS}"
echo " Libraries: ${LIBWRAP} ${LIBPAM} ${LIBS}"
echo " Libraries: ${LIBS}"
if test ! -z "${SSHDLIBS}"; then
echo " +for sshd: ${SSHDLIBS}"
fi
echo ""
@ -29377,12 +29689,12 @@ if test ! -z "$RAND_HELPER_CMDHASH" ; then
fi
if test ! -z "$NO_PEERCHECK" ; then
echo "WARNING: the operating system that you are using does not "
echo "appear to support either the getpeereid() API nor the "
echo "SO_PEERCRED getsockopt() option. These facilities are used to "
echo "enforce security checks to prevent unauthorised connections to "
echo "ssh-agent. Their absence increases the risk that a malicious "
echo "user can connect to your agent. "
echo "WARNING: the operating system that you are using does not"
echo "appear to support getpeereid(), getpeerucred() or the"
echo "SO_PEERCRED getsockopt() option. These facilities are used to"
echo "enforce security checks to prevent unauthorised connections to"
echo "ssh-agent. Their absence increases the risk that a malicious"
echo "user can connect to your agent."
echo ""
fi

View File

@ -1,4 +1,4 @@
# $Id: configure.ac,v 1.372 2007/03/05 00:51:27 djm Exp $
# $Id: configure.ac,v 1.383 2007/08/10 04:36:12 dtucker Exp $
#
# Copyright (c) 1999-2004 Damien Miller
#
@ -15,7 +15,7 @@
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
AC_REVISION($Revision: 1.372 $)
AC_REVISION($Revision: 1.383 $)
AC_CONFIG_SRCDIR([ssh.c])
AC_CONFIG_HEADER(config.h)
@ -94,9 +94,12 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized"
GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
case $GCC_VER in
1.*) ;;
2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;;
2.*) ;;
1.*) no_attrib_nonnull=1 ;;
2.8* | 2.9*)
CFLAGS="$CFLAGS -Wsign-compare"
no_attrib_nonnull=1
;;
2.*) no_attrib_nonnull=1 ;;
3.*) CFLAGS="$CFLAGS -Wsign-compare" ;;
4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign" ;;
*) ;;
@ -115,6 +118,10 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
fi
fi
if test "x$no_attrib_nonnull" != "x1" ; then
AC_DEFINE(HAVE_ATTRIBUTE__NONNULL__, 1, [Have attribute nonnull])
fi
AC_ARG_WITH(rpath,
[ --without-rpath Disable auto-added -R linker paths],
[
@ -198,6 +205,7 @@ AC_CHECK_HEADERS( \
netgroup.h \
pam/pam_appl.h \
paths.h \
poll.h \
pty.h \
readpassphrase.h \
rpc/types.h \
@ -229,6 +237,7 @@ AC_CHECK_HEADERS( \
time.h \
tmpdir.h \
ttyent.h \
ucred.h \
unistd.h \
usersec.h \
util.h \
@ -777,6 +786,11 @@ mips-sony-bsd|mips-sony-newsos4)
AC_DEFINE(DISABLE_LASTLOG)
AC_DEFINE(SSHD_ACQUIRES_CTTY)
enable_etc_default_login=no # has incompatible /etc/default/login
case "$host" in
*-*-nto-qnx6*)
AC_DEFINE(DISABLE_FD_PASSING)
;;
esac
;;
*-*-ultrix*)
@ -1109,8 +1123,7 @@ AC_ARG_WITH(tcp-wrappers,
CPPFLAGS="-I${withval} ${CPPFLAGS}"
fi
fi
LIBWRAP="-lwrap"
LIBS="$LIBWRAP $LIBS"
LIBS="-lwrap $LIBS"
AC_MSG_CHECKING(for libwrap)
AC_TRY_LINK(
[
@ -1126,7 +1139,7 @@ AC_ARG_WITH(tcp-wrappers,
AC_DEFINE(LIBWRAP, 1,
[Define if you want
TCP Wrappers support])
AC_SUBST(LIBWRAP)
SSHDLIBS="$SSHDLIBS -lwrap"
TCPW_MSG="yes"
],
[
@ -1241,6 +1254,7 @@ AC_CHECK_FUNCS( \
getnameinfo \
getopt \
getpeereid \
getpeerucred \
_getpty \
getrlimit \
getttyent \
@ -1259,6 +1273,7 @@ AC_CHECK_FUNCS( \
ogetaddrinfo \
openlog_r \
openpty \
poll \
prctl \
pstat \
readpassphrase \
@ -1292,6 +1307,7 @@ AC_CHECK_FUNCS( \
strtonum \
strtoll \
strtoul \
swap32 \
sysconf \
tcgetpgrp \
truncate \
@ -1364,6 +1380,14 @@ AC_CHECK_DECLS(writev, , , [
#include <unistd.h>
])
AC_CHECK_DECLS(MAXSYMLINKS, , , [
#include <sys/param.h>
])
AC_CHECK_DECLS(offsetof, , , [
#include <stddef.h>
])
AC_CHECK_FUNCS(setresuid, [
dnl Some platorms have setresuid that isn't implemented, test for this
AC_MSG_CHECKING(if setresuid seems to work)
@ -1489,7 +1513,7 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[#include <stdio.h>
# Check for missing getpeereid (or equiv) support
NO_PEERCHECK=""
if test "x$ac_cv_func_getpeereid" != "xyes" ; then
if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
AC_TRY_COMPILE(
[#include <sys/types.h>
@ -1977,7 +2001,12 @@ fi
# Search for SHA256 support in libc and/or OpenSSL
AC_CHECK_FUNCS(SHA256_Update EVP_sha256)
AC_CHECK_LIB(iaf, ia_openinfo)
saved_LIBS="$LIBS"
AC_CHECK_LIB(iaf, ia_openinfo, [
LIBS="$LIBS -liaf"
AC_CHECK_FUNCS(set_id, [SSHDLIBS="$SSHDLIBS -liaf"])
])
LIBS="$saved_LIBS"
### Configure cryptographic random number support
@ -2027,7 +2056,7 @@ AC_ARG_WITH(pam,
PAM_MSG="yes"
LIBPAM="-lpam"
SSHDLIBS="$SSHDLIBS -lpam"
AC_DEFINE(USE_PAM, 1,
[Define if you want to enable PAM support])
@ -2037,11 +2066,10 @@ AC_ARG_WITH(pam,
# libdl already in LIBS
;;
*)
LIBPAM="$LIBPAM -ldl"
SSHDLIBS="$SSHDLIBS -ldl"
;;
esac
fi
AC_SUBST(LIBPAM)
fi
]
)
@ -3150,25 +3178,43 @@ int main()
[#include <arpa/nameser.h>])
])
AC_MSG_CHECKING(if struct __res_state _res is an extern)
AC_LINK_IFELSE([
#include <stdio.h>
#if HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
extern struct __res_state _res;
int main() { return 0; }
],
[AC_MSG_RESULT(yes)
AC_DEFINE(HAVE__RES_EXTERN, 1,
[Define if you have struct __res_state _res as an extern])
],
[ AC_MSG_RESULT(no) ]
)
# Check whether user wants SELinux support
SELINUX_MSG="no"
LIBSELINUX=""
AC_ARG_WITH(selinux,
[ --with-selinux Enable SELinux support],
[ if test "x$withval" != "xno" ; then
save_LIBS="$LIBS"
AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
SELINUX_MSG="yes"
AC_CHECK_HEADER([selinux/selinux.h], ,
AC_MSG_ERROR(SELinux support requires selinux.h header))
AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
AC_MSG_ERROR(SELinux support requires libselinux library))
save_LIBS="$LIBS"
LIBS="$LIBS $LIBSELINUX"
SSHDLIBS="$SSHDLIBS $LIBSELINUX"
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
LIBS="$save_LIBS"
fi ]
)
AC_SUBST(LIBSELINUX)
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
@ -4004,7 +4050,10 @@ echo " Compiler: ${CC}"
echo " Compiler flags: ${CFLAGS}"
echo "Preprocessor flags: ${CPPFLAGS}"
echo " Linker flags: ${LDFLAGS}"
echo " Libraries: ${LIBWRAP} ${LIBPAM} ${LIBS}"
echo " Libraries: ${LIBS}"
if test ! -z "${SSHDLIBS}"; then
echo " +for sshd: ${SSHDLIBS}"
fi
echo ""
@ -4030,12 +4079,12 @@ if test ! -z "$RAND_HELPER_CMDHASH" ; then
fi
if test ! -z "$NO_PEERCHECK" ; then
echo "WARNING: the operating system that you are using does not "
echo "appear to support either the getpeereid() API nor the "
echo "SO_PEERCRED getsockopt() option. These facilities are used to "
echo "enforce security checks to prevent unauthorised connections to "
echo "ssh-agent. Their absence increases the risk that a malicious "
echo "user can connect to your agent. "
echo "WARNING: the operating system that you are using does not"
echo "appear to support getpeereid(), getpeerucred() or the"
echo "SO_PEERCRED getsockopt() option. These facilities are used to"
echo "enforce security checks to prevent unauthorised connections to"
echo "ssh-agent. Their absence increases the risk that a malicious"
echo "user can connect to your agent."
echo ""
fi

View File

@ -1,7 +1,7 @@
#!/bin/sh
#
# buildbff.sh: Create AIX SMIT-installable OpenSSH packages
# $Id: buildbff.sh 180740 2008-07-23 09:15:38Z des $
# $Id: buildbff.sh,v 1.10 2006/09/10 03:24:19 dtucker Exp $
#
# Author: Darren Tucker (dtucker at zip dot com dot au)
# This file is placed in the public domain and comes with absolutely

View File

@ -1,7 +1,7 @@
#!/bin/sh
#
# inventory.sh
# $Id: inventory.sh 180740 2008-07-23 09:15:38Z des $
# $Id: inventory.sh,v 1.6 2003/11/21 12:48:56 djm Exp $
#
# Originally written by Ben Lindstrom, modified by Darren Tucker to use perl
# This file is placed into the public domain.

View File

@ -17,7 +17,7 @@
#old cvs stuff. please update before use. may be deprecated.
%define use_stable 1
%if %{use_stable}
%define version 4.6p1
%define version 4.7p1
%define cvs %{nil}
%define release 1
%else
@ -357,4 +357,4 @@ fi
* Mon Jan 01 1998 ...
Template Version: 1.31
$Id: openssh.spec,v 1.60 2007/03/06 10:23:27 djm Exp $
$Id: openssh.spec,v 1.61 2007/08/15 09:22:20 dtucker Exp $

View File

@ -1,6 +1,6 @@
#!/bin/sh
#
# $Id: findssl.sh 180740 2008-07-23 09:15:38Z des $
# $Id: findssl.sh,v 1.4 2007/02/19 11:44:25 dtucker Exp $
#
# findssl.sh
# Search for all instances of OpenSSL headers and libraries

View File

@ -1,4 +1,4 @@
%define ver 4.6p1
%define ver 4.7p1
%define rel 1
# OpenSSH privilege separation requires a user & group ID

View File

@ -13,7 +13,7 @@
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
Name: openssh
Version: 4.6p1
Version: 4.7p1
URL: http://www.openssh.com/
Release: 1
Source0: openssh-%{version}.tar.gz

View File

@ -25,7 +25,7 @@
#ifndef _DEFINES_H
#define _DEFINES_H
/* $Id: defines.h,v 1.138 2006/09/21 13:13:30 dtucker Exp $ */
/* $Id: defines.h,v 1.143 2007/08/09 04:37:52 dtucker Exp $ */
/* Constants */
@ -68,7 +68,7 @@ enum
# endif
#endif
#ifndef MAXSYMLINKS
#if defined(HAVE_DECL_MAXSYMLINKS) && HAVE_DECL_MAXSYMLINKS == 0
# define MAXSYMLINKS 5
#endif
@ -321,12 +321,6 @@ struct winsize {
#ifndef _PATH_BSHELL
# define _PATH_BSHELL "/bin/sh"
#endif
#ifndef _PATH_CSHELL
# define _PATH_CSHELL "/bin/csh"
#endif
#ifndef _PATH_SHELLS
# define _PATH_SHELLS "/etc/shells"
#endif
#ifdef USER_PATH
# ifdef _PATH_STDPATH
@ -449,6 +443,10 @@ struct winsize {
# define __bounded__(x, y, z)
#endif
#if !defined(HAVE_ATTRIBUTE__NONNULL__) && !defined(__nonnull__)
# define __nonnull__(x)
#endif
/* *-*-nto-qnx doesn't define this macro in the system headers */
#ifdef MISSING_HOWMANY
# define howmany(x,y) (((x)+((y)-1))/(y))
@ -487,7 +485,7 @@ struct winsize {
(struct cmsghdr *)NULL)
#endif /* CMSG_FIRSTHDR */
#ifndef offsetof
#if defined(HAVE_DECL_OFFSETOF) && HAVE_DECL_OFFSETOF == 0
# define offsetof(type, member) ((size_t) &((type *)0)->member)
#endif
@ -696,7 +694,8 @@ struct winsize {
# define CUSTOM_SYS_AUTH_PASSWD 1
#endif
#ifdef HAVE_LIBIAF
#if defined(HAVE_LIBIAF) && defined(HAVE_SET_ID) && !defined(BROKEN_LIBIAF)
# define USE_LIBIAF
# define CUSTOM_SYS_AUTH_PASSWD 1
#endif

View File

@ -35,8 +35,9 @@
# include <fcntl.h>
#endif
#include <stdarg.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <openssl/rand.h>
#include <openssl/crypto.h>

View File

@ -1,7 +1,7 @@
/* $OpenBSD: gss-genr.c,v 1.17 2006/08/29 12:02:30 dtucker Exp $ */
/* $OpenBSD: gss-genr.c,v 1.19 2007/06/12 11:56:15 dtucker Exp $ */
/*
* Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
* Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -107,7 +107,7 @@ ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status,
/* The GSSAPI error */
do {
gss_display_status(&lmin, ctxt->major,
GSS_C_GSS_CODE, GSS_C_NULL_OID, &ctx, &msg);
GSS_C_GSS_CODE, ctxt->oid, &ctx, &msg);
buffer_append(&b, msg.value, msg.length);
buffer_put_char(&b, '\n');
@ -118,7 +118,7 @@ ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status,
/* The mechanism specific error */
do {
gss_display_status(&lmin, ctxt->minor,
GSS_C_MECH_CODE, GSS_C_NULL_OID, &ctx, &msg);
GSS_C_MECH_CODE, ctxt->oid, &ctx, &msg);
buffer_append(&b, msg.value, msg.length);
buffer_put_char(&b, '\n');
@ -226,39 +226,6 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
return (ctx->major);
}
/* Acquire credentials for a server running on the current host.
* Requires that the context structure contains a valid OID
*/
/* Returns a GSSAPI error code */
OM_uint32
ssh_gssapi_acquire_cred(Gssctxt *ctx)
{
OM_uint32 status;
char lname[MAXHOSTNAMELEN];
gss_OID_set oidset;
gss_create_empty_oid_set(&status, &oidset);
gss_add_oid_set_member(&status, ctx->oid, &oidset);
if (gethostname(lname, MAXHOSTNAMELEN)) {
gss_release_oid_set(&status, &oidset);
return (-1);
}
if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
gss_release_oid_set(&status, &oidset);
return (ctx->major);
}
if ((ctx->major = gss_acquire_cred(&ctx->minor,
ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
ssh_gssapi_error(ctx);
gss_release_oid_set(&status, &oidset);
return (ctx->major);
}
OM_uint32
ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
{
@ -281,16 +248,6 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
buffer_put_cstring(b, context);
}
OM_uint32
ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
{
if (*ctx)
ssh_gssapi_delete_ctx(ctx);
ssh_gssapi_build_ctx(ctx);
ssh_gssapi_set_oid(*ctx, oid);
return (ssh_gssapi_acquire_cred(*ctx));
}
int
ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
{

View File

@ -1,4 +1,4 @@
/* $OpenBSD: gss-serv.c,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */
/* $OpenBSD: gss-serv.c,v 1.21 2007/06/12 08:20:00 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -29,6 +29,7 @@
#ifdef GSSAPI
#include <sys/types.h>
#include <sys/param.h>
#include <stdarg.h>
#include <string.h>
@ -64,6 +65,53 @@ ssh_gssapi_mech* supported_mechs[]= {
&gssapi_null_mech,
};
/*
* Acquire credentials for a server running on the current host.
* Requires that the context structure contains a valid OID
*/
/* Returns a GSSAPI error code */
/* Privileged (called from ssh_gssapi_server_ctx) */
static OM_uint32
ssh_gssapi_acquire_cred(Gssctxt *ctx)
{
OM_uint32 status;
char lname[MAXHOSTNAMELEN];
gss_OID_set oidset;
gss_create_empty_oid_set(&status, &oidset);
gss_add_oid_set_member(&status, ctx->oid, &oidset);
if (gethostname(lname, MAXHOSTNAMELEN)) {
gss_release_oid_set(&status, &oidset);
return (-1);
}
if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
gss_release_oid_set(&status, &oidset);
return (ctx->major);
}
if ((ctx->major = gss_acquire_cred(&ctx->minor,
ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
ssh_gssapi_error(ctx);
gss_release_oid_set(&status, &oidset);
return (ctx->major);
}
/* Privileged */
OM_uint32
ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
{
if (*ctx)
ssh_gssapi_delete_ctx(ctx);
ssh_gssapi_build_ctx(ctx);
ssh_gssapi_set_oid(*ctx, oid);
return (ssh_gssapi_acquire_cred(*ctx));
}
/* Unprivileged */
void
ssh_gssapi_supported_oids(gss_OID_set *oidset)

View File

@ -49,7 +49,7 @@
#ifdef HAVE_NEXT
# include <libc.h>
#endif
#ifdef HAVE_PATHS
#ifdef HAVE_PATHS_H
# include <paths.h>
#endif

21
kex.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kex.c,v 1.77 2007/01/21 01:41:54 stevesk Exp $ */
/* $OpenBSD: kex.c,v 1.79 2007/06/05 06:52:37 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
@ -87,7 +87,7 @@ static char **
kex_buf2prop(Buffer *raw, int *first_kex_follows)
{
Buffer b;
int i;
u_int i;
char **proposal;
proposal = xcalloc(PROPOSAL_MAX, sizeof(char *));
@ -108,7 +108,7 @@ kex_buf2prop(Buffer *raw, int *first_kex_follows)
*first_kex_follows = i;
debug2("kex_parse_kexinit: first_kex_follows %d ", i);
i = buffer_get_int(&b);
debug2("kex_parse_kexinit: reserved %d ", i);
debug2("kex_parse_kexinit: reserved %u ", i);
buffer_free(&b);
return proposal;
}
@ -123,6 +123,7 @@ kex_prop_free(char **proposal)
xfree(proposal);
}
/* ARGSUSED */
static void
kex_protocol_error(int type, u_int32_t seq, void *ctxt)
{
@ -194,6 +195,7 @@ kex_send_kexinit(Kex *kex)
kex->flags |= KEX_INIT_SENT;
}
/* ARGSUSED */
void
kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
{
@ -258,7 +260,8 @@ choose_enc(Enc *enc, char *client, char *server)
{
char *name = match_list(client, server, NULL);
if (name == NULL)
fatal("no matching cipher found: client %s server %s", client, server);
fatal("no matching cipher found: client %s server %s",
client, server);
if ((enc->cipher = cipher_by_name(name)) == NULL)
fatal("matching cipher is not supported: %s", name);
enc->name = name;
@ -274,8 +277,9 @@ choose_mac(Mac *mac, char *client, char *server)
{
char *name = match_list(client, server, NULL);
if (name == NULL)
fatal("no matching mac found: client %s server %s", client, server);
if (mac_init(mac, name) < 0)
fatal("no matching mac found: client %s server %s",
client, server);
if (mac_setup(mac, name) < 0)
fatal("unsupported mac %s", name);
/* truncate the key */
if (datafellows & SSH_BUG_HMAC)
@ -308,7 +312,7 @@ choose_kex(Kex *k, char *client, char *server)
{
k->name = match_list(client, server, NULL);
if (k->name == NULL)
fatal("no kex alg");
fatal("Unable to negotiate a key exchange method");
if (strcmp(k->name, KEX_DH1) == 0) {
k->kex_type = KEX_DH_GRP1_SHA1;
k->evp_md = EVP_sha1();
@ -388,7 +392,8 @@ kex_choose_conf(Kex *kex)
for (mode = 0; mode < MODE_MAX; mode++) {
newkeys = xcalloc(1, sizeof(*newkeys));
kex->newkeys[mode] = newkeys;
ctos = (!kex->server && mode == MODE_OUT) || (kex->server && mode == MODE_IN);
ctos = (!kex->server && mode == MODE_OUT) ||
(kex->server && mode == MODE_IN);
nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;

8
kex.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kex.h,v 1.44 2006/08/03 03:34:42 deraadt Exp $ */
/* $OpenBSD: kex.h,v 1.46 2007/06/07 19:37:34 pvalchev Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@ -28,6 +28,7 @@
#include <signal.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#define KEX_DH1 "diffie-hellman-group1-sha1"
#define KEX_DH14 "diffie-hellman-group14-sha1"
@ -86,10 +87,13 @@ struct Enc {
struct Mac {
char *name;
int enabled;
const EVP_MD *md;
u_int mac_len;
u_char *key;
u_int key_len;
int type;
const EVP_MD *evp_md;
HMAC_CTX evp_ctx;
struct umac_ctx *umac_ctx;
};
struct Comp {
int type;

4
key.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: key.c,v 1.68 2006/11/06 21:25:28 markus Exp $ */
/* $OpenBSD: key.c,v 1.69 2007/07/12 05:48:05 ray Exp $ */
/*
* read_bignum():
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -170,9 +170,7 @@ key_equal(const Key *a, const Key *b)
BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
default:
fatal("key_equal: bad key type %d", a->type);
break;
}
return 0;
}
u_char*

5
log.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: log.c,v 1.39 2006/08/18 09:13:25 deraadt Exp $ */
/* $OpenBSD: log.c,v 1.40 2007/05/17 07:50:31 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -44,6 +44,7 @@
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <errno.h>
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
# include <vis.h>
#endif
@ -313,6 +314,7 @@ do_log(LogLevel level, const char *fmt, va_list args)
char fmtbuf[MSGBUFSIZ];
char *txt = NULL;
int pri = LOG_INFO;
int saved_errno = errno;
if (level > log_level)
return;
@ -373,4 +375,5 @@ do_log(LogLevel level, const char *fmt, va_list args)
closelog();
#endif
}
errno = saved_errno;
}

View File

@ -161,6 +161,7 @@
#include <pwd.h>
#include <stdarg.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include "xmalloc.h"

129
mac.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: mac.c,v 1.12 2006/08/03 03:34:42 deraadt Exp $ */
/* $OpenBSD: mac.c,v 1.14 2007/06/07 19:37:34 pvalchev Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@ -42,63 +42,126 @@
#include "mac.h"
#include "misc.h"
#include "umac.h"
#define SSH_EVP 1 /* OpenSSL EVP-based MAC */
#define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */
struct {
char *name;
int type;
const EVP_MD * (*mdfunc)(void);
int truncatebits; /* truncate digest if != 0 */
int key_len; /* just for UMAC */
int len; /* just for UMAC */
} macs[] = {
{ "hmac-sha1", EVP_sha1, 0, },
{ "hmac-sha1-96", EVP_sha1, 96 },
{ "hmac-md5", EVP_md5, 0 },
{ "hmac-md5-96", EVP_md5, 96 },
{ "hmac-ripemd160", EVP_ripemd160, 0 },
{ "hmac-ripemd160@openssh.com", EVP_ripemd160, 0 },
{ NULL, NULL, 0 }
{ "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 },
{ "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 },
{ "hmac-md5", SSH_EVP, EVP_md5, 0, -1, -1 },
{ "hmac-md5-96", SSH_EVP, EVP_md5, 96, -1, -1 },
{ "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, -1, -1 },
{ "hmac-ripemd160@openssh.com", SSH_EVP, EVP_ripemd160, 0, -1, -1 },
{ "umac-64@openssh.com", SSH_UMAC, NULL, 0, 128, 64 },
{ NULL, 0, NULL, 0, -1, -1 }
};
int
mac_init(Mac *mac, char *name)
static void
mac_setup_by_id(Mac *mac, int which)
{
int i, evp_len;
int evp_len;
mac->type = macs[which].type;
if (mac->type == SSH_EVP) {
mac->evp_md = (*macs[which].mdfunc)();
if ((evp_len = EVP_MD_size(mac->evp_md)) <= 0)
fatal("mac %s len %d", mac->name, evp_len);
mac->key_len = mac->mac_len = (u_int)evp_len;
} else {
mac->mac_len = macs[which].len / 8;
mac->key_len = macs[which].key_len / 8;
mac->umac_ctx = NULL;
}
if (macs[which].truncatebits != 0)
mac->mac_len = macs[which].truncatebits / 8;
}
int
mac_setup(Mac *mac, char *name)
{
int i;
for (i = 0; macs[i].name; i++) {
if (strcmp(name, macs[i].name) == 0) {
if (mac != NULL) {
mac->md = (*macs[i].mdfunc)();
if ((evp_len = EVP_MD_size(mac->md)) <= 0)
fatal("mac %s len %d", name, evp_len);
mac->key_len = mac->mac_len = (u_int)evp_len;
if (macs[i].truncatebits != 0)
mac->mac_len = macs[i].truncatebits/8;
}
debug2("mac_init: found %s", name);
if (mac != NULL)
mac_setup_by_id(mac, i);
debug2("mac_setup: found %s", name);
return (0);
}
}
debug2("mac_init: unknown %s", name);
debug2("mac_setup: unknown %s", name);
return (-1);
}
int
mac_init(Mac *mac)
{
if (mac->key == NULL)
fatal("mac_init: no key");
switch (mac->type) {
case SSH_EVP:
if (mac->evp_md == NULL)
return -1;
HMAC_Init(&mac->evp_ctx, mac->key, mac->key_len, mac->evp_md);
return 0;
case SSH_UMAC:
mac->umac_ctx = umac_new(mac->key);
return 0;
default:
return -1;
}
}
u_char *
mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
{
HMAC_CTX c;
static u_char m[EVP_MAX_MD_SIZE];
u_char b[4];
u_char b[4], nonce[8];
if (mac->key == NULL)
fatal("mac_compute: no key");
if (mac->mac_len > sizeof(m))
fatal("mac_compute: mac too long");
HMAC_Init(&c, mac->key, mac->key_len, mac->md);
put_u32(b, seqno);
HMAC_Update(&c, b, sizeof(b));
HMAC_Update(&c, data, datalen);
HMAC_Final(&c, m, NULL);
HMAC_cleanup(&c);
fatal("mac_compute: mac too long %u %lu",
mac->mac_len, sizeof(m));
switch (mac->type) {
case SSH_EVP:
put_u32(b, seqno);
/* reset HMAC context */
HMAC_Init(&mac->evp_ctx, NULL, 0, NULL);
HMAC_Update(&mac->evp_ctx, b, sizeof(b));
HMAC_Update(&mac->evp_ctx, data, datalen);
HMAC_Final(&mac->evp_ctx, m, NULL);
break;
case SSH_UMAC:
put_u64(nonce, seqno);
umac_update(mac->umac_ctx, data, datalen);
umac_final(mac->umac_ctx, m, nonce);
break;
default:
fatal("mac_compute: unknown MAC type");
}
return (m);
}
void
mac_clear(Mac *mac)
{
if (mac->type == SSH_UMAC) {
if (mac->umac_ctx != NULL)
umac_delete(mac->umac_ctx);
} else if (mac->evp_md != NULL)
HMAC_cleanup(&mac->evp_ctx);
mac->evp_md = NULL;
mac->umac_ctx = NULL;
}
/* XXX copied from ciphers_valid */
#define MAC_SEP ","
int
@ -111,7 +174,7 @@ mac_valid(const char *names)
maclist = cp = xstrdup(names);
for ((p = strsep(&cp, MAC_SEP)); p && *p != '\0';
(p = strsep(&cp, MAC_SEP))) {
if (mac_init(NULL, p) < 0) {
if (mac_setup(NULL, p) < 0) {
debug("bad mac %s [%s]", p, names);
xfree(maclist);
return (0);

6
mac.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: mac.h,v 1.4 2006/03/25 22:22:43 djm Exp $ */
/* $OpenBSD: mac.h,v 1.6 2007/06/07 19:37:34 pvalchev Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@ -24,5 +24,7 @@
*/
int mac_valid(const char *);
int mac_init(Mac *, char *);
int mac_setup(Mac *, char *);
int mac_init(Mac *);
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
void mac_clear(Mac *);

View File

@ -1,6 +1,9 @@
#!/usr/bin/awk
#
# $Id: mdoc2man.awk,v 1.8 2007/06/05 10:01:16 dtucker Exp $
#
# Version history:
# v4+ Adapted for OpenSSH Portable (see cvs Id and history)
# v3, I put the program under a proper license
# Dan Nelson <dnelson@allantgroup.com> added .An, .Aq and fixed a typo
# v2, fixed to work on GNU awk --posix and MacOS X
@ -135,6 +138,12 @@ function add(str) {
nospace=0
}
if(match(words[w],"^Dd$")) {
if(match(words[w+1],"^\\$Mdocdate:")) {
w++;
if(match(words[w+4],"^\\$$")) {
words[w+4] = ""
}
}
date=wtail()
next
} else if(match(words[w],"^Dt$")) {
@ -157,6 +166,7 @@ function add(str) {
refissue=""
refdate=""
refopt=""
refreport=""
reference=1
next
} else if(match(words[w],"^Re$")) {
@ -168,9 +178,14 @@ function add(str) {
}
if(nrefauthors>1)
add(" and ")
add(refauthors[0] ", \\fI" reftitle "\\fP")
if(nrefauthors>0)
add(refauthors[0] ", ")
add("\\fI" reftitle "\\fP")
if(length(refissue))
add(", " refissue)
if(length(refreport)) {
add(", " refreport)
}
if(length(refdate))
add(", " refdate)
if(length(refopt))
@ -187,6 +202,7 @@ function add(str) {
if(match(words[w],"^%N$")) { refissue=wtail() }
if(match(words[w],"^%D$")) { refdate=wtail() }
if(match(words[w],"^%O$")) { refopt=wtail() }
if(match(words[w],"^%R$")) { refreport=wtail() }
} else if(match(words[w],"^Nm$")) {
if(synopsis) {
add(".br")

View File

@ -1,4 +1,4 @@
/* $OpenBSD: monitor.c,v 1.90 2007/02/19 10:45:58 dtucker Exp $ */
/* $OpenBSD: monitor.c,v 1.91 2007/05/17 20:52:13 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -409,6 +409,7 @@ monitor_child_postauth(struct monitor *pmonitor)
monitor_set_child_handler(pmonitor->m_pid);
signal(SIGHUP, &monitor_child_handler);
signal(SIGTERM, &monitor_child_handler);
signal(SIGINT, &monitor_child_handler);
if (compat20) {
mon_dispatch = mon_dispatch_postauth20;

View File

@ -1,4 +1,4 @@
/* $OpenBSD: monitor_wrap.c,v 1.55 2007/02/19 10:45:58 dtucker Exp $ */
/* $OpenBSD: monitor_wrap.c,v 1.57 2007/06/07 19:37:34 pvalchev Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -476,8 +476,8 @@ mm_newkeys_from_blob(u_char *blob, int blen)
/* Mac structure */
mac->name = buffer_get_string(&b, NULL);
if (mac->name == NULL || mac_init(mac, mac->name) == -1)
fatal("%s: can not init mac %s", __func__, mac->name);
if (mac->name == NULL || mac_setup(mac, mac->name) == -1)
fatal("%s: can not setup mac %s", __func__, mac->name);
mac->enabled = buffer_get_int(&b);
mac->key = buffer_get_string(&b, &len);
if (len > mac->key_len)

View File

@ -1,4 +1,4 @@
/* $OpenBSD: myproposal.h,v 1.21 2006/03/25 22:22:43 djm Exp $ */
/* $OpenBSD: myproposal.h,v 1.22 2007/06/07 19:37:34 pvalchev Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -47,7 +47,7 @@
"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
"aes128-ctr,aes192-ctr,aes256-ctr"
#define KEX_DEFAULT_MAC \
"hmac-md5,hmac-sha1,hmac-ripemd160," \
"hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160," \
"hmac-ripemd160@openssh.com," \
"hmac-sha1-96,hmac-md5-96"
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"

View File

@ -1,4 +1,4 @@
# $Id: Makefile.in,v 1.40 2006/08/30 17:24:41 djm Exp $
# $Id: Makefile.in,v 1.41 2007/06/25 12:15:13 dtucker Exp $
sysconfdir=@sysconfdir@
piddir=@piddir@
@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@
OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtonum.o strtoll.o strtoul.o vis.o
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o

View File

@ -1,5 +1,5 @@
/*
* $Id: bsd-cray.c,v 1.16 2006/09/01 05:38:41 djm Exp $
* $Id: bsd-cray.c,v 1.17 2007/08/15 09:17:43 dtucker Exp $
*
* bsd-cray.c
*
@ -751,8 +751,6 @@ cray_job_termination_handler(int sig)
char *login = NULL;
struct jtab jtab;
debug("received signal %d",sig);
if ((jid = waitjob(&jtab)) == -1 ||
(login = uid2nam(jtab.j_uid)) == NULL)
return;

View File

@ -37,6 +37,28 @@ getpeereid(int s, uid_t *euid, gid_t *gid)
return (0);
}
#elif defined(HAVE_GETPEERUCRED)
#ifdef HAVE_UCRED_H
# include <ucred.h>
#endif
int
getpeereid(int s, uid_t *euid, gid_t *gid)
{
ucred_t *ucred = NULL;
if (getpeerucred(s, &ucred) == -1)
return (-1);
if ((*euid = ucred_geteuid(ucred)) == -1)
return (-1);
if ((*gid = ucred_getrgid(ucred)) == -1)
return (-1);
ucred_free(ucred);
return (0);
}
#else
int
getpeereid(int s, uid_t *euid, gid_t *gid)

View File

@ -17,6 +17,7 @@
#include "includes.h"
#include <sys/types.h>
#ifdef HAVE_SYS_SELECT_H
# include <sys/select.h>
#endif
@ -27,6 +28,7 @@
#include <string.h>
#include <signal.h>
#include <stdlib.h>
#include <unistd.h>
#include "xmalloc.h"
@ -156,7 +158,8 @@ int nanosleep(const struct timespec *req, struct timespec *rem)
tremain.tv_sec = 0;
tremain.tv_usec = 0;
}
TIMEVAL_TO_TIMESPEC(&tremain, rem)
if (rem != NULL)
TIMEVAL_TO_TIMESPEC(&tremain, rem)
return(rc);
}

117
openbsd-compat/bsd-poll.c Normal file
View File

@ -0,0 +1,117 @@
/* $Id: bsd-poll.c,v 1.1 2007/06/25 12:15:13 dtucker Exp $ */
/*
* Copyright (c) 2004, 2005, 2007 Darren Tucker (dtucker at zip com au).
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
#if !defined(HAVE_POLL) && defined(HAVE_SELECT)
#ifdef HAVE_SYS_SELECT_H
# include <sys/select.h>
#endif
#include <errno.h>
#include "bsd-poll.h"
/*
* A minimal implementation of poll(2), built on top of select(2).
*
* Only supports POLLIN and POLLOUT flags in pfd.events, and POLLIN, POLLOUT
* and POLLERR flags in revents.
*
* Supports pfd.fd = -1 meaning "unused" although it's not standard.
*/
int
poll(struct pollfd *fds, nfds_t nfds, int timeout)
{
nfds_t i;
int saved_errno, ret, fd, maxfd = 0;
fd_set *readfds = NULL, *writefds = NULL, *exceptfds = NULL;
size_t nmemb;
struct timeval tv, *tvp = NULL;
for (i = 0; i < nfds; i++) {
if (fd >= FD_SETSIZE) {
errno = EINVAL;
return -1;
}
maxfd = MAX(maxfd, fds[i].fd);
}
nmemb = howmany(maxfd + 1 , NFDBITS);
if ((readfds = calloc(nmemb, sizeof(fd_mask))) == NULL ||
(writefds = calloc(nmemb, sizeof(fd_mask))) == NULL ||
(exceptfds = calloc(nmemb, sizeof(fd_mask))) == NULL) {
saved_errno = ENOMEM;
ret = -1;
goto out;
}
/* populate event bit vectors for the events we're interested in */
for (i = 0; i < nfds; i++) {
fd = fds[i].fd;
if (fd == -1)
continue;
if (fds[i].events & POLLIN) {
FD_SET(fd, readfds);
FD_SET(fd, exceptfds);
}
if (fds[i].events & POLLOUT) {
FD_SET(fd, writefds);
FD_SET(fd, exceptfds);
}
}
/* poll timeout is msec, select is timeval (sec + usec) */
if (timeout >= 0) {
tv.tv_sec = timeout / 1000;
tv.tv_usec = (timeout % 1000) * 1000;
tvp = &tv;
}
ret = select(maxfd + 1, readfds, writefds, exceptfds, tvp);
saved_errno = errno;
/* scan through select results and set poll() flags */
for (i = 0; i < nfds; i++) {
fd = fds[i].fd;
fds[i].revents = 0;
if (fd == -1)
continue;
if (FD_ISSET(fd, readfds)) {
fds[i].revents |= POLLIN;
}
if (FD_ISSET(fd, writefds)) {
fds[i].revents |= POLLOUT;
}
if (FD_ISSET(fd, exceptfds)) {
fds[i].revents |= POLLERR;
}
}
out:
if (readfds != NULL)
free(readfds);
if (writefds != NULL)
free(writefds);
if (exceptfds != NULL)
free(exceptfds);
if (ret == -1)
errno = saved_errno;
return ret;
}
#endif

61
openbsd-compat/bsd-poll.h Normal file
View File

@ -0,0 +1,61 @@
/* $OpenBSD: poll.h,v 1.11 2003/12/10 23:10:08 millert Exp $ */
/*
* Copyright (c) 1996 Theo de Raadt
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* OPENBSD ORIGINAL: sys/sys/poll.h */
#if !defined(HAVE_POLL) && !defined(HAVE_POLL_H)
#ifndef _COMPAT_POLL_H_
#define _COMPAT_POLL_H_
typedef struct pollfd {
int fd;
short events;
short revents;
} pollfd_t;
typedef unsigned int nfds_t;
#define POLLIN 0x0001
#define POLLOUT 0x0004
#define POLLERR 0x0008
#if 0
/* the following are currently not implemented */
#define POLLPRI 0x0002
#define POLLHUP 0x0010
#define POLLNVAL 0x0020
#define POLLRDNORM 0x0040
#define POLLNORM POLLRDNORM
#define POLLWRNORM POLLOUT
#define POLLRDBAND 0x0080
#define POLLWRBAND 0x0100
#endif
#define INFTIM (-1) /* not standard */
int poll(struct pollfd *, nfds_t, int);
#endif /* !_COMPAT_POLL_H_ */
#endif /* !HAVE_POLL_H */

View File

@ -67,13 +67,9 @@ extern int h_errno;
#endif
#define _THREAD_PRIVATE(a,b,c) (c)
/* to avoid conflicts where a platform already has _res */
#ifdef _res
# undef _res
#endif
#define _res _compat_res
#ifndef HAVE__RES_EXTERN
struct __res_state _res;
#endif
/* Necessary functions and macros */

View File

@ -1,4 +1,4 @@
/* $Id: openbsd-compat.h,v 1.42 2006/09/03 12:44:50 dtucker Exp $ */
/* $Id: openbsd-compat.h,v 1.43 2007/06/25 12:15:13 dtucker Exp $ */
/*
* Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@ -140,6 +140,7 @@ int writev(int, struct iovec *, int);
/* Home grown routines */
#include "bsd-misc.h"
#include "bsd-waitpid.h"
#include "bsd-poll.h"
#ifndef HAVE_GETPEEREID
int getpeereid(int , uid_t *, gid_t *);

View File

@ -1,4 +1,4 @@
/* $Id: openssl-compat.h,v 1.7 2007/03/05 07:25:20 dtucker Exp $ */
/* $Id: openssl-compat.h,v 1.10 2007/06/14 13:47:31 dtucker Exp $ */
/*
* Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@ -29,6 +29,11 @@
#endif
#ifdef USE_BUILTIN_RIJNDAEL
# include "rijndael.h"
# define AES_KEY rijndael_ctx
# define AES_BLOCK_SIZE 16
# define AES_encrypt(a, b, c) rijndael_encrypt(c, a, b)
# define AES_set_encrypt_key(a, b, c) rijndael_set_key(c, (char *)a, b, 1)
# define EVP_aes_128_cbc evp_rijndael
# define EVP_aes_192_cbc evp_rijndael
# define EVP_aes_256_cbc evp_rijndael

View File

@ -240,7 +240,7 @@ sys_auth_allowed_user(struct passwd *pw, Buffer *loginmsg)
/*
* Don't perform checks for root account (PermitRootLogin controls
* logins via * ssh) or if running as non-root user (since
* logins via ssh) or if running as non-root user (since
* loginrestrictions will always fail due to insufficient privilege).
*/
if (pw->pw_uid == 0 || geteuid() != 0) {

View File

@ -1,4 +1,4 @@
/* $Id: port-linux.c,v 1.3 2006/09/01 05:38:41 djm Exp $ */
/* $Id: port-linux.c,v 1.4 2007/06/27 22:48:03 djm Exp $ */
/*
* Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
@ -79,6 +79,7 @@ ssh_selinux_getctxbyname(char *pwname)
case 0:
error("%s: Failed to get default SELinux security "
"context for %s", __func__, pwname);
break;
default:
fatal("%s: Failed to get default SELinux security "
"context for %s (in enforcing mode)",
@ -115,6 +116,7 @@ ssh_selinux_setup_exec_context(char *pwname)
case 0:
error("%s: Failed to set SELinux execution "
"context for %s", __func__, pwname);
break;
default:
fatal("%s: Failed to set SELinux execution context "
"for %s (in enforcing mode)", __func__, pwname);

View File

@ -79,7 +79,7 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
#endif /* UNIXWARE_LONG_PASSWORDS */
result = (strcmp(xcrypt(password, salt), pw_password) == 0);
#if !defined(BROKEN_LIBIAF)
#ifdef USE_LIBIAF
if (authctxt->valid)
free(pw_password);
#endif
@ -127,7 +127,7 @@ nischeck(char *namep)
functions that call shadow_pw() will need to free
*/
#if !defined(BROKEN_LIBIAF)
#ifdef USE_LIBIAF
char *
get_iaf_password(struct passwd *pw)
{
@ -144,6 +144,6 @@ get_iaf_password(struct passwd *pw)
else
fatal("ia_openinfo: Unable to open the shadow passwd file");
}
#endif /* !BROKEN_LIBIAF */
#endif /* USE_LIBIAF */
#endif /* HAVE_LIBIAF */

View File

@ -24,7 +24,7 @@
#include "includes.h"
#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
#ifdef USE_LIBIAF
char * get_iaf_password(struct passwd *pw);
#endif

View File

@ -38,7 +38,7 @@ main(void)
char buf[512];
for (i = 0; i < NUM_OPENS; i++)
if ((fds[i] = open("/dev/null", "r")) == -1)
if ((fds[i] = open("/dev/null", O_RDONLY)) == -1)
exit(0); /* can't test */
max = i - 1;

View File

@ -98,7 +98,7 @@ shadow_pw(struct passwd *pw)
pw_password = spw->sp_pwdp;
# endif
#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
#ifdef USE_LIBIAF
return(get_iaf_password(pw));
#endif

View File

@ -23,7 +23,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* $Id: xmmap.c,v 1.12 2006/08/24 09:58:36 dtucker Exp $ */
/* $Id: xmmap.c,v 1.14 2007/06/11 02:52:24 djm Exp $ */
#include "includes.h"
@ -38,12 +38,14 @@
#endif
#include <errno.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "log.h"
void *xmmap(size_t size)
void *
xmmap(size_t size)
{
#ifdef HAVE_MMAP
void *address;

View File

@ -19,7 +19,7 @@
<service_bundle type='manifest' name='OpenSSH server'>
<service
name='site/openssh'
name='site/__SYSVINIT_NAME__'
type='service'
version='1'>
@ -56,7 +56,7 @@
<exec_method
name='start'
type='method'
exec='/lib/svc/method/site/__SYSVINIT_NAME__ start'
exec='__SMF_METHOD_DIR__/__SYSVINIT_NAME__ start'
timeout_seconds='60'>
<method_context/>
</exec_method>

View File

@ -1,4 +1,4 @@
/* $OpenBSD: packet.c,v 1.145 2006/09/19 21:14:08 markus Exp $ */
/* $OpenBSD: packet.c,v 1.148 2007/06/07 19:37:34 pvalchev Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -629,7 +629,7 @@ set_newkeys(int mode)
enc = &newkeys[mode]->enc;
mac = &newkeys[mode]->mac;
comp = &newkeys[mode]->comp;
memset(mac->key, 0, mac->key_len);
mac_clear(mac);
xfree(enc->name);
xfree(enc->iv);
xfree(enc->key);
@ -644,14 +644,15 @@ set_newkeys(int mode)
enc = &newkeys[mode]->enc;
mac = &newkeys[mode]->mac;
comp = &newkeys[mode]->comp;
if (mac->md != NULL)
if (mac_init(mac) == 0)
mac->enabled = 1;
DBG(debug("cipher_init_context: %d", mode));
cipher_init(cc, enc->cipher, enc->key, enc->key_len,
enc->iv, enc->block_size, crypt_type);
/* Deleting the keys does not gain extra security */
/* memset(enc->iv, 0, enc->block_size);
memset(enc->key, 0, enc->key_len); */
memset(enc->key, 0, enc->key_len);
memset(mac->key, 0, mac->key_len); */
if ((comp->type == COMP_ZLIB ||
(comp->type == COMP_DELAYED && after_authentication)) &&
comp->enabled == 0) {
@ -1235,7 +1236,6 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
logit("Received disconnect from %s: %.400s",
get_remote_ipaddr(), msg);
cleanup_exit(255);
xfree(msg);
break;
default:
if (type)

View File

@ -1,4 +1,4 @@
/* $OpenBSD: readconf.c,v 1.161 2007/01/21 01:45:35 stevesk Exp $ */
/* $OpenBSD: readconf.c,v 1.162 2007/03/20 03:56:12 tedu Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1224,7 +1224,7 @@ parse_forward(Forward *fwd, const char *fwdspec)
cp = p = xstrdup(fwdspec);
/* skip leading spaces */
while (*cp && isspace(*cp))
while (isspace(*cp))
cp++;
for (i = 0; i < 4; ++i)

View File

@ -7,7 +7,9 @@ UNPRIV=nobody
ASOCK=${OBJ}/agent
SSH_AUTH_SOCK=/nonexistant
if grep "#undef.*HAVE_GETPEEREID" ${BUILDDIR}/config.h >/dev/null 2>&1
if grep "#undef.*HAVE_GETPEEREID" ${BUILDDIR}/config.h >/dev/null 2>&1 && \
grep "#undef.*HAVE_GETPEERUCRED" ${BUILDDIR}/config.h >/dev/null && \
grep "#undef.*HAVE_SO_PEERCRED" ${BUILDDIR}/config.h >/dev/null
then
echo "skipped (not supported on this platform)"
exit 0

View File

@ -32,6 +32,7 @@
#include <openssl/x509.h>
#include <stdarg.h>
#include <string.h>
#include <opensc/opensc.h>
#include <opensc/pkcs15.h>

4
scp.0
View File

@ -6,7 +6,7 @@ NAME
SYNOPSIS
scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]
[-l limit] [-o ssh_option] [-P port] [-S program]
[[user@]host1:]file1 [...] [[user@]host2:]file2
[[user@]host1:]file1 ... [[user@]host2:]file2
DESCRIPTION
scp copies files between hosts on a network. It uses ssh(1) for data
@ -141,4 +141,4 @@ AUTHORS
Timo Rinne <tri@iki.fi>
Tatu Ylonen <ylo@cs.hut.fi>
OpenBSD 4.1 September 25, 1999 3
OpenBSD 4.2 August 8, 2007 3

6
scp.1
View File

@ -9,9 +9,9 @@
.\"
.\" Created: Sun May 7 00:14:37 1995 ylo
.\"
.\" $OpenBSD: scp.1,v 1.40 2006/07/18 07:56:28 jmc Exp $
.\" $OpenBSD: scp.1,v 1.42 2007/08/06 19:16:06 sobrado Exp $
.\"
.Dd September 25, 1999
.Dd $Mdocdate: August 8 2007 $
.Dt SCP 1
.Os
.Sh NAME
@ -34,7 +34,7 @@
.Ar host1 No :
.Oc Ns Ar file1
.Sm on
.Op Ar ...
.Ar ...
.Sm off
.Oo
.Op Ar user No @

24
scp.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: scp.c,v 1.156 2007/01/22 13:06:21 djm Exp $ */
/* $OpenBSD: scp.c,v 1.160 2007/08/06 19:16:06 sobrado Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
@ -96,6 +96,9 @@
#include <string.h>
#include <time.h>
#include <unistd.h>
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
#include <vis.h>
#endif
#include "xmalloc.h"
#include "atomicio.h"
@ -582,7 +585,7 @@ source(int argc, char **argv)
off_t i, amt, statbytes;
size_t result;
int fd = -1, haderr, indx;
char *last, *name, buf[2048];
char *last, *name, buf[2048], encname[MAXPATHLEN];
int len;
for (indx = 0; indx < argc; ++indx) {
@ -591,17 +594,17 @@ source(int argc, char **argv)
len = strlen(name);
while (len > 1 && name[len-1] == '/')
name[--len] = '\0';
if (strchr(name, '\n') != NULL) {
run_err("%s: skipping, filename contains a newline",
name);
goto next;
}
if ((fd = open(name, O_RDONLY, 0)) < 0)
if ((fd = open(name, O_RDONLY|O_NONBLOCK, 0)) < 0)
goto syserr;
if (strchr(name, '\n') != NULL) {
strnvis(encname, name, sizeof(encname), VIS_NL);
name = encname;
}
if (fstat(fd, &stb) < 0) {
syserr: run_err("%s: %s", name, strerror(errno));
goto next;
}
unset_nonblock(fd);
switch (stb.st_mode & S_IFMT) {
case S_IFREG:
break;
@ -1021,7 +1024,8 @@ bad: run_err("%s: %s", np, strerror(errno));
wrerr = YES;
wrerrno = errno;
}
if (wrerr == NO && ftruncate(ofd, size) != 0) {
if (wrerr == NO && (!exists || S_ISREG(stb.st_mode)) &&
ftruncate(ofd, size) != 0) {
run_err("%s: truncate: %s", np, strerror(errno));
wrerr = DISPLAYED;
}
@ -1116,7 +1120,7 @@ usage(void)
(void) fprintf(stderr,
"usage: scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
" [-l limit] [-o ssh_option] [-P port] [-S program]\n"
" [[user@]host1:]file1 [...] [[user@]host2:]file2\n");
" [[user@]host1:]file1 ... [[user@]host2:]file2\n");
exit(1);
}

View File

@ -1,4 +1,4 @@
/* $OpenBSD: servconf.c,v 1.170 2007/03/01 10:28:02 dtucker Exp $ */
/* $OpenBSD: servconf.c,v 1.172 2007/04/23 10:15:39 dtucker Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@ -592,7 +592,6 @@ match_cfg_line(char **condition, int line, const char *user, const char *host,
debug("connection from %.100s matched 'Host "
"%.100s' at line %d", host, arg, line);
} else if (strcasecmp(attrib, "address") == 0) {
debug("address '%s' arg '%s'", address, arg);
if (!address) {
result = 0;
continue;
@ -1387,8 +1386,4 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
if (bad_options > 0)
fatal("%s: terminating, %d bad configuration options",
filename, bad_options);
/* challenge-response is implemented via keyboard interactive */
if (options->challenge_response_authentication == 1)
options->kbd_interactive_authentication = 1;
}

View File

@ -1310,7 +1310,7 @@ do_setusercontext(struct passwd *pw)
# ifdef USE_PAM
if (options.use_pam) {
do_pam_session();
do_pam_setcred(0);
do_pam_setcred(use_privsep);
}
# endif /* USE_PAM */
if (setusercontext(lc, pw, pw->pw_uid,
@ -1352,7 +1352,7 @@ do_setusercontext(struct passwd *pw)
*/
if (options.use_pam) {
do_pam_session();
do_pam_setcred(0);
do_pam_setcred(use_privsep);
}
# endif /* USE_PAM */
# if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
@ -1361,11 +1361,11 @@ do_setusercontext(struct passwd *pw)
# ifdef _AIX
aix_usrinfo(pw);
# endif /* _AIX */
#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
#ifdef USE_LIBIAF
if (set_id(pw->pw_name) != 0) {
exit(1);
}
#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
#endif /* USE_LIBIAF */
/* Permanently switch to the desired uid. */
permanently_set_uid(pw);
#endif
@ -2478,8 +2478,19 @@ do_cleanup(Authctxt *authctxt)
return;
called = 1;
if (authctxt == NULL || !authctxt->authenticated)
if (authctxt == NULL)
return;
#ifdef USE_PAM
if (options.use_pam) {
sshpam_cleanup();
sshpam_thread_cleanup();
}
#endif
if (!authctxt->authenticated)
return;
#ifdef KRB5
if (options.kerberos_ticket_cleanup &&
authctxt->krb5_ctx)
@ -2491,13 +2502,6 @@ do_cleanup(Authctxt *authctxt)
ssh_gssapi_cleanup_creds();
#endif
#ifdef USE_PAM
if (options.use_pam) {
sshpam_cleanup();
sshpam_thread_cleanup();
}
#endif
/* remove agent socket */
auth_sock_cleanup_proc(authctxt->pw);

View File

@ -43,4 +43,4 @@ HISTORY
AUTHORS
Markus Friedl <markus@openbsd.org>
OpenBSD 4.1 August 30, 2000 1
OpenBSD 4.2 June 5, 2007 1

View File

@ -1,4 +1,4 @@
.\" $OpenBSD: sftp-server.8,v 1.11 2006/07/06 10:47:57 djm Exp $
.\" $OpenBSD: sftp-server.8,v 1.12 2007/05/31 19:20:16 jmc Exp $
.\"
.\" Copyright (c) 2000 Markus Friedl. All rights reserved.
.\"
@ -22,7 +22,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd August 30, 2000
.Dd $Mdocdate: June 5 2007 $
.Dt SFTP-SERVER 8
.Os
.Sh NAME

View File

@ -1,4 +1,4 @@
/* $OpenBSD: sftp-server.c,v 1.71 2007/01/03 07:22:36 stevesk Exp $ */
/* $OpenBSD: sftp-server.c,v 1.73 2007/05/17 07:55:29 djm Exp $ */
/*
* Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
*
@ -319,7 +319,8 @@ handle_log_close(int handle, char *emsg)
logit("%s%sclose \"%s\" bytes read %llu written %llu",
emsg == NULL ? "" : emsg, emsg == NULL ? "" : " ",
handle_to_name(handle),
handle_bytes_read(handle), handle_bytes_write(handle));
(unsigned long long)handle_bytes_read(handle),
(unsigned long long)handle_bytes_write(handle));
} else {
logit("%s%sclosedir \"%s\"",
emsg == NULL ? "" : emsg, emsg == NULL ? "" : " ",
@ -702,7 +703,8 @@ process_setstat(void)
a = get_attrib();
debug("request %u: setstat name \"%s\"", id, name);
if (a->flags & SSH2_FILEXFER_ATTR_SIZE) {
logit("set \"%s\" size %llu", name, a->size);
logit("set \"%s\" size %llu",
name, (unsigned long long)a->size);
ret = truncate(name, a->size);
if (ret == -1)
status = errno_to_portable(errno);
@ -754,7 +756,8 @@ process_fsetstat(void)
char *name = handle_to_name(handle);
if (a->flags & SSH2_FILEXFER_ATTR_SIZE) {
logit("set \"%s\" size %llu", name, a->size);
logit("set \"%s\" size %llu",
name, (unsigned long long)a->size);
ret = ftruncate(fd, a->size);
if (ret == -1)
status = errno_to_portable(errno);
@ -1211,7 +1214,7 @@ main(int argc, char **argv)
int in, out, max, ch, skipargs = 0, log_stderr = 0;
ssize_t len, olen, set_size;
SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
char *cp;
char *cp, buf[4*4096];
extern char *optarg;
extern char *__progname;
@ -1295,7 +1298,15 @@ main(int argc, char **argv)
memset(rset, 0, set_size);
memset(wset, 0, set_size);
FD_SET(in, rset);
/*
* Ensure that we can read a full buffer and handle
* the worst-case length packet it can generate,
* otherwise apply backpressure by stopping reads.
*/
if (buffer_check_alloc(&iqueue, sizeof(buf)) &&
buffer_check_alloc(&oqueue, SFTP_MAX_MSG_LENGTH))
FD_SET(in, rset);
olen = buffer_len(&oqueue);
if (olen > 0)
FD_SET(out, wset);
@ -1309,7 +1320,6 @@ main(int argc, char **argv)
/* copy stdin to iqueue */
if (FD_ISSET(in, rset)) {
char buf[4*4096];
len = read(in, buf, sizeof buf);
if (len == 0) {
debug("read eof");
@ -1331,7 +1341,13 @@ main(int argc, char **argv)
buffer_consume(&oqueue, len);
}
}
/* process requests from client */
process();
/*
* Process requests from client if we can fit the results
* into the output buffer, otherwise stop processing input
* and let the output queue drain.
*/
if (buffer_check_alloc(&oqueue, SFTP_MAX_MSG_LENGTH))
process();
}
}

2
sftp.0
View File

@ -263,4 +263,4 @@ SEE ALSO
T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
filexfer-00.txt, January 2001, work in progress material.
OpenBSD 4.1 February 4, 2001 4
OpenBSD 4.2 June 5, 2007 4

4
sftp.1
View File

@ -1,4 +1,4 @@
.\" $OpenBSD: sftp.1,v 1.63 2006/01/20 00:14:55 dtucker Exp $
.\" $OpenBSD: sftp.1,v 1.64 2007/05/31 19:20:16 jmc Exp $
.\"
.\" Copyright (c) 2001 Damien Miller. All rights reserved.
.\"
@ -22,7 +22,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd February 4, 2001
.Dd $Mdocdate: June 5 2007 $
.Dt SFTP 1
.Os
.Sh NAME

View File

@ -30,8 +30,12 @@ DESCRIPTION
-D Deletes all identities from the agent.
-d Instead of adding the identity, removes the identity from the
agent.
-d Instead of adding identities, removes identities from the agent.
If ssh-add has been run without arguments, the keys for the de-
fault identities will be removed. Otherwise, the argument list
will be interpreted as a list of paths to public key files and
matching keys will be removed from the agent. If no public key
is found at a given path, ssh-add will append .pub and retry.
-e reader
Remove key in smartcard reader.
@ -99,4 +103,4 @@ AUTHORS
ated OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
OpenBSD 4.1 September 25, 1999 2
OpenBSD 4.2 June 12, 2007 2

View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-add.1,v 1.43 2005/04/21 06:17:50 djm Exp $
.\" $OpenBSD: ssh-add.1,v 1.46 2007/06/12 13:41:03 jmc Exp $
.\"
.\" -*- nroff -*-
.\"
@ -37,7 +37,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd September 25, 1999
.Dd $Mdocdate: June 12 2007 $
.Dt SSH-ADD 1
.Os
.Sh NAME
@ -89,7 +89,18 @@ program, rather than text entered into the requester.
.It Fl D
Deletes all identities from the agent.
.It Fl d
Instead of adding the identity, removes the identity from the agent.
Instead of adding identities, removes identities from the agent.
If
.Nm
has been run without arguments, the keys for the default identities will
be removed.
Otherwise, the argument list will be interpreted as a list of paths to
public key files and matching keys will be removed from the agent.
If no public key is found at a given path,
.Nm
will append
.Pa .pub
and retry.
.It Fl e Ar reader
Remove key in smartcard
.Ar reader .

View File

@ -114,4 +114,4 @@ AUTHORS
ated OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
OpenBSD 4.1 September 25, 1999 2
OpenBSD 4.2 June 5, 2007 2

View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-agent.1,v 1.44 2006/07/18 08:03:09 jmc Exp $
.\" $OpenBSD: ssh-agent.1,v 1.45 2007/05/31 19:20:16 jmc Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd September 25, 1999
.Dd $Mdocdate: June 5 2007 $
.Dt SSH-AGENT 1
.Os
.Sh NAME

View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-agent.c,v 1.154 2007/02/28 00:55:30 dtucker Exp $ */
/* $OpenBSD: ssh-agent.c,v 1.155 2007/03/19 12:16:42 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -120,6 +120,7 @@ int max_fd = 0;
/* pid of shell == parent of agent */
pid_t parent_pid = -1;
u_int parent_alive_interval = 0;
/* pathname and directory for AUTH_SOCKET */
char socket_name[MAXPATHLEN];
@ -421,10 +422,11 @@ process_remove_all_identities(SocketEntry *e, int version)
buffer_put_char(&e->output, SSH_AGENT_SUCCESS);
}
static void
/* removes expired keys and returns number of seconds until the next expiry */
static u_int
reaper(void)
{
u_int now = time(NULL);
u_int deadline = 0, now = time(NULL);
Identity *id, *nxt;
int version;
Idtab *tab;
@ -433,14 +435,22 @@ reaper(void)
tab = idtab_lookup(version);
for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) {
nxt = TAILQ_NEXT(id, next);
if (id->death != 0 && now >= id->death) {
if (id->death == 0)
continue;
if (now >= id->death) {
debug("expiring key '%s'", id->comment);
TAILQ_REMOVE(&tab->idlist, id, next);
free_identity(id);
tab->nentries--;
}
} else
deadline = (deadline == 0) ? id->death :
MIN(deadline, id->death);
}
}
if (deadline == 0 || deadline <= now)
return 0;
else
return (deadline - now);
}
static void
@ -826,10 +836,12 @@ new_socket(sock_type type, int fd)
}
static int
prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp)
prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp,
struct timeval **tvpp)
{
u_int i, sz;
u_int i, sz, deadline;
int n = 0;
static struct timeval tv;
for (i = 0; i < sockets_alloc; i++) {
switch (sockets[i].type) {
@ -873,6 +885,17 @@ prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp)
break;
}
}
deadline = reaper();
if (parent_alive_interval != 0)
deadline = (deadline == 0) ? parent_alive_interval :
MIN(deadline, parent_alive_interval);
if (deadline == 0) {
*tvpp = NULL;
} else {
tv.tv_sec = deadline;
tv.tv_usec = 0;
*tvpp = &tv;
}
return (1);
}
@ -980,19 +1003,14 @@ cleanup_handler(int sig)
_exit(2);
}
/*ARGSUSED*/
static void
check_parent_exists(int sig)
check_parent_exists(void)
{
int save_errno = errno;
if (parent_pid != -1 && kill(parent_pid, 0) < 0) {
/* printf("Parent has died - Authentication agent exiting.\n"); */
cleanup_handler(sig); /* safe */
cleanup_socket();
_exit(2);
}
mysignal(SIGALRM, check_parent_exists);
alarm(10);
errno = save_errno;
}
static void
@ -1027,7 +1045,7 @@ main(int ac, char **av)
extern char *optarg;
pid_t pid;
char pidstrbuf[1 + 3 * sizeof pid];
struct timeval tv;
struct timeval *tvp = NULL;
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
@ -1228,10 +1246,8 @@ main(int ac, char **av)
skip:
new_socket(AUTH_SOCKET, sock);
if (ac > 0) {
mysignal(SIGALRM, check_parent_exists);
alarm(10);
}
if (ac > 0)
parent_alive_interval = 10;
idtab_init();
if (!d_flag)
signal(SIGINT, SIG_IGN);
@ -1241,12 +1257,12 @@ main(int ac, char **av)
nalloc = 0;
while (1) {
tv.tv_sec = 10;
tv.tv_usec = 0;
prepare_select(&readsetp, &writesetp, &max_fd, &nalloc);
result = select(max_fd + 1, readsetp, writesetp, NULL, &tv);
prepare_select(&readsetp, &writesetp, &max_fd, &nalloc, &tvp);
result = select(max_fd + 1, readsetp, writesetp, NULL, tvp);
saved_errno = errno;
reaper(); /* remove expired keys */
if (parent_alive_interval != 0)
check_parent_exists();
(void) reaper(); /* remove expired keys */
if (result < 0) {
if (saved_errno == EINTR)
continue;

View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-gss.h,v 1.9 2006/08/18 14:40:34 djm Exp $ */
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
*
@ -105,7 +105,6 @@ void ssh_gssapi_supported_oids(gss_OID_set *);
ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *);
OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
OM_uint32 ssh_gssapi_acquire_cred(Gssctxt *);
OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int,
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
OM_uint32 ssh_gssapi_accept_ctx(Gssctxt *,
@ -116,11 +115,11 @@ char *ssh_gssapi_last_error(Gssctxt *, OM_uint32 *, OM_uint32 *);
void ssh_gssapi_build_ctx(Gssctxt **);
void ssh_gssapi_delete_ctx(Gssctxt **);
OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
/* In the server */
OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
int ssh_gssapi_userok(char *name);
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *);

View File

@ -284,4 +284,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
OpenBSD 4.1 September 25, 1999 5
OpenBSD 4.2 June 5, 2007 5

View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keygen.1,v 1.74 2007/01/12 20:20:41 jmc Exp $
.\" $OpenBSD: ssh-keygen.1,v 1.75 2007/05/31 19:20:16 jmc Exp $
.\"
.\" -*- nroff -*-
.\"
@ -37,7 +37,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd September 25, 1999
.Dd $Mdocdate: June 5 2007 $
.Dt SSH-KEYGEN 1
.Os
.Sh NAME

View File

@ -104,4 +104,4 @@ BUGS
This is because it opens a connection to the ssh port, reads the public
key, and drops the connection as soon as it gets the key.
OpenBSD 4.1 January 1, 1996 2
OpenBSD 4.2 June 5, 2007 2

View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keyscan.1,v 1.22 2006/09/25 04:55:38 ray Exp $
.\" $OpenBSD: ssh-keyscan.1,v 1.23 2007/05/31 19:20:16 jmc Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
@ -6,7 +6,7 @@
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
.\"
.Dd January 1, 1996
.Dd $Mdocdate: June 5 2007 $
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME

View File

@ -39,4 +39,4 @@ HISTORY
AUTHORS
Markus Friedl <markus@openbsd.org>
OpenBSD 4.1 May 24, 2002 1
OpenBSD 4.2 June 5, 2007 1

View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keysign.8,v 1.8 2006/02/24 20:22:16 jmc Exp $
.\" $OpenBSD: ssh-keysign.8,v 1.9 2007/05/31 19:20:16 jmc Exp $
.\"
.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
.\"
@ -22,7 +22,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd May 24, 2002
.Dd $Mdocdate: June 5 2007 $
.Dt SSH-KEYSIGN 8
.Os
.Sh NAME

View File

@ -48,4 +48,4 @@ AUTHORS
SEE ALSO
ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)
OpenBSD 4.1 April 14, 2002 1
OpenBSD 4.2 April 14, 2002 1

View File

@ -32,6 +32,7 @@
#include <stdarg.h>
#include <stddef.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

11
ssh.0
View File

@ -4,7 +4,7 @@ NAME
ssh - OpenSSH SSH client (remote login program)
SYNOPSIS
ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
ssh [-1246AaCfgKkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
[-D [bind_address:]port] [-e escape_char] [-F configfile]
[-i identity_file] [-L [bind_address:]port:host:hostport]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
@ -147,6 +147,9 @@ DESCRIPTION
multiple -i options (and multiple identities specified in config-
uration files).
-K Enables GSSAPI-based authentication and forwarding (delegation)
of GSSAPI credentials to the server.
-k Disables forwarding (delegation) of GSSAPI credentials to the
server.
@ -371,8 +374,8 @@ AUTHENTICATION
protocols support similar authentication methods, but protocol 2 is pre-
ferred since it provides additional mechanisms for confidentiality (the
traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and
integrity (hmac-md5, hmac-sha1, hmac-ripemd160). Protocol 1 lacks a
strong mechanism for ensuring the integrity of the connection.
integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160). Protocol 1
lacks a strong mechanism for ensuring the integrity of the connection.
The methods available for authentication are: GSSAPI-based authentica-
tion, host-based authentication, public key authentication, challenge-re-
@ -829,4 +832,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
OpenBSD 4.1 September 25, 1999 13
OpenBSD 4.2 June 12, 2007 13

11
ssh.1
View File

@ -34,8 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh.1,v 1.266 2006/12/11 21:25:46 markus Exp $
.Dd September 25, 1999
.\" $OpenBSD: ssh.1,v 1.270 2007/06/12 13:43:55 jmc Exp $
.Dd $Mdocdate: June 12 2007 $
.Dt SSH 1
.Os
.Sh NAME
@ -43,7 +43,7 @@
.Nd OpenSSH SSH client (remote login program)
.Sh SYNOPSIS
.Nm ssh
.Op Fl 1246AaCfgkMNnqsTtVvXxY
.Op Fl 1246AaCfgKkMNnqsTtVvXxY
.Op Fl b Ar bind_address
.Op Fl c Ar cipher_spec
.Oo Fl D\ \&
@ -315,6 +315,9 @@ It is possible to have multiple
.Fl i
options (and multiple identities specified in
configuration files).
.It Fl K
Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI
credentials to the server.
.It Fl k
Disables forwarding (delegation) of GSSAPI credentials to the server.
.It Fl L Xo
@ -674,7 +677,7 @@ Both protocols support similar authentication methods,
but protocol 2 is preferred since
it provides additional mechanisms for confidentiality
(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160).
Protocol 1 lacks a strong mechanism for ensuring the
integrity of the connection.
.Pp

95
ssh.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh.c,v 1.295 2007/01/03 03:01:40 stevesk Exp $ */
/* $OpenBSD: ssh.c,v 1.301 2007/08/07 07:32:53 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -185,7 +185,7 @@ static void
usage(void)
{
fprintf(stderr,
"usage: ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
"usage: ssh [-1246AaCfgKkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
" [-D [bind_address:]port] [-e escape_char] [-F configfile]\n"
" [-i identity_file] [-L [bind_address:]port:host:hostport]\n"
" [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
@ -272,7 +272,7 @@ main(int ac, char **av)
again:
while ((opt = getopt(ac, av,
"1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVw:XY")) != -1) {
"1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:KL:MNO:PR:S:TVw:XY")) != -1) {
switch (opt) {
case '1':
options.protocol = SSH_PROTO_1;
@ -326,6 +326,10 @@ main(int ac, char **av)
case 'k':
options.gss_deleg_creds = 0;
break;
case 'K':
options.gss_authentication = 1;
options.gss_deleg_creds = 1;
break;
case 'i':
if (stat(optarg, &st) < 0) {
fprintf(stderr, "Warning: Identity file %s "
@ -853,6 +857,17 @@ ssh_init_forwarding(void)
"forwarding.");
}
}
/* Initiate tunnel forwarding. */
if (options.tun_open != SSH_TUNMODE_NO) {
if (client_request_tun_fwd(options.tun_open,
options.tun_local, options.tun_remote) == -1) {
if (options.exit_on_forward_failure)
fatal("Could not request tunnel forwarding.");
else
error("Could not request tunnel forwarding.");
}
}
}
static void
@ -1115,33 +1130,6 @@ ssh_session2_setup(int id, void *arg)
packet_send();
}
if (options.tun_open != SSH_TUNMODE_NO) {
Channel *c;
int fd;
debug("Requesting tun.");
if ((fd = tun_open(options.tun_local,
options.tun_open)) >= 0) {
c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
0, "tun", 1);
c->datagram = 1;
#if defined(SSH_TUN_FILTER)
if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
channel_register_filter(c->self, sys_tun_infilter,
sys_tun_outfilter);
#endif
packet_start(SSH2_MSG_CHANNEL_OPEN);
packet_put_cstring("tun@openssh.com");
packet_put_int(c->self);
packet_put_int(c->local_window_max);
packet_put_int(c->local_maxpacket);
packet_put_int(options.tun_open);
packet_put_int(options.tun_remote);
packet_send();
}
}
client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"),
NULL, fileno(stdin), &command, environ, &ssh_subsystem_reply);
@ -1201,7 +1189,6 @@ ssh_session2(void)
/* XXX should be pre-session */
ssh_init_forwarding();
ssh_control_listener();
if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN))
id = ssh_session2_open();
@ -1211,6 +1198,9 @@ ssh_session2(void)
options.permit_local_command)
ssh_local_cmd(options.local_command);
/* Start listening for multiplex clients */
ssh_control_listener();
/* If requested, let ssh continue in the background. */
if (fork_after_authentication_flag)
if (daemon(1, 1) < 0)
@ -1307,7 +1297,7 @@ static void
control_client(const char *path)
{
struct sockaddr_un addr;
int i, r, fd, sock, exitval, num_env, addr_len;
int i, r, fd, sock, exitval[2], num_env, addr_len;
Buffer m;
char *term;
extern char **environ;
@ -1456,29 +1446,44 @@ control_client(const char *path)
if (tty_flag)
enter_raw_mode();
/* Stick around until the controlee closes the client_fd */
exitval = 0;
for (;!control_client_terminate;) {
r = read(sock, &exitval, sizeof(exitval));
/*
* Stick around until the controlee closes the client_fd.
* Before it does, it is expected to write this process' exit
* value (one int). This process must read the value and wait for
* the closure of the client_fd; if this one closes early, the
* multiplex master will terminate early too (possibly losing data).
*/
exitval[0] = 0;
for (i = 0; !control_client_terminate && i < (int)sizeof(exitval);) {
r = read(sock, (char *)exitval + i, sizeof(exitval) - i);
if (r == 0) {
debug2("Received EOF from master");
break;
}
if (r > 0)
debug2("Received exit status from master %d", exitval);
if (r == -1 && errno != EINTR)
if (r == -1) {
if (errno == EINTR)
continue;
fatal("%s: read %s", __func__, strerror(errno));
}
i += r;
}
if (control_client_terminate)
debug2("Exiting on signal %d", control_client_terminate);
close(sock);
leave_raw_mode();
if (i > (int)sizeof(int))
fatal("%s: master returned too much data (%d > %lu)",
__func__, i, sizeof(int));
if (control_client_terminate) {
debug2("Exiting on signal %d", control_client_terminate);
exitval[0] = 255;
} else if (i < (int)sizeof(int)) {
debug2("Control master terminated unexpectedly");
exitval[0] = 255;
} else
debug2("Received exit status from master %d", exitval[0]);
if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET)
fprintf(stderr, "Connection to master closed.\r\n");
fprintf(stderr, "Shared connection to %s closed.\r\n", host);
exit(exitval);
exit(exitval[0]);
}

View File

@ -1,4 +1,4 @@
# $OpenBSD: ssh_config,v 1.22 2006/05/29 12:56:33 dtucker Exp $
# $OpenBSD: ssh_config,v 1.23 2007/06/08 04:40:40 pvalchev Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
@ -38,6 +38,7 @@
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any

View File

@ -200,9 +200,9 @@ DESCRIPTION
ExitOnForwardFailure
Specifies whether ssh(1) should terminate the connection if it
cannot set up all requested dynamic, local, and remote port for-
wardings. The argument must be ``yes'' or ``no''. The default
is ``no''.
cannot set up all requested dynamic, tunnel, local, and remote
port forwardings. The argument must be ``yes'' or ``no''. The
default is ``no''.
ForwardAgent
Specifies whether the connection to the authentication agent (if
@ -365,8 +365,10 @@ DESCRIPTION
MACs Specifies the MAC (message authentication code) algorithms in or-
der of preference. The MAC algorithm is used in protocol version
2 for data integrity protection. Multiple algorithms must be
comma-separated. The default is: ``hmac-md5,hmac-sha1,hmac-
ripemd160,hmac-sha1-96,hmac-md5-96''.
comma-separated. The default is:
hmac-md5,hmac-sha1,umac-64@openssh.com,
hmac-ripemd160,hmac-sha1-96,hmac-md5-96
NoHostAuthenticationForLocalhost
This option can be used if the home directory is shared across
@ -642,4 +644,4 @@ AUTHORS
ated OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
OpenBSD 4.1 September 25, 1999 10
OpenBSD 4.2 August 15, 2007 10

View File

@ -34,8 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh_config.5,v 1.98 2007/01/10 13:23:22 jmc Exp $
.Dd September 25, 1999
.\" $OpenBSD: ssh_config.5,v 1.102 2007/08/15 12:13:41 stevesk Exp $
.Dd $Mdocdate: August 15 2007 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@ -387,7 +387,7 @@ data).
Specifies whether
.Xr ssh 1
should terminate the connection if it cannot set up all requested
dynamic, local, and remote port forwardings.
dynamic, tunnel, local, and remote port forwardings.
The argument must be
.Dq yes
or
@ -641,7 +641,10 @@ The MAC algorithm is used in protocol version 2
for data integrity protection.
Multiple algorithms must be comma-separated.
The default is:
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
.Bd -literal -offset indent
hmac-md5,hmac-sha1,umac-64@openssh.com,
hmac-ripemd160,hmac-sha1-96,hmac-md5-96
.Ed
.It Cm NoHostAuthenticationForLocalhost
This option can be used if the home directory is shared across machines.
In this case localhost will refer to a different machine on each of

View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect2.c,v 1.162 2006/08/30 00:06:51 dtucker Exp $ */
/* $OpenBSD: sshconnect2.c,v 1.164 2007/05/17 23:53:41 jolan Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -31,6 +31,7 @@
#include <sys/stat.h>
#include <errno.h>
#include <netdb.h>
#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
@ -1307,7 +1308,7 @@ userauth_hostbased(Authctxt *authctxt)
Sensitive *sensitive = authctxt->sensitive;
Buffer b;
u_char *signature, *blob;
char *chost, *pkalg, *p;
char *chost, *pkalg, *p, myname[NI_MAXHOST];
const char *service;
u_int blen, slen;
int ok, i, len, found = 0;
@ -1331,7 +1332,16 @@ userauth_hostbased(Authctxt *authctxt)
return 0;
}
/* figure out a name for the client host */
p = get_local_name(packet_get_connection_in());
p = NULL;
if (packet_connection_is_on_socket())
p = get_local_name(packet_get_connection_in());
if (p == NULL) {
if (gethostname(myname, sizeof(myname)) == -1) {
verbose("userauth_hostbased: gethostname: %s",
strerror(errno));
} else
p = xstrdup(myname);
}
if (p == NULL) {
error("userauth_hostbased: cannot get local ipaddr/name");
key_free(private);

37
sshd.0
View File

@ -9,8 +9,8 @@ SYNOPSIS
DESCRIPTION
sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these
programs replace rlogin and rsh, and provide secure encrypted communica-
tions between two untrusted hosts over an insecure network.
programs replace rlogin(1) and rsh(1), and provide secure encrypted com-
munications between two untrusted hosts over an insecure network.
sshd listens for connections from clients. It is normally started at
boot from /etc/rc. It forks a new daemon for each incoming connection.
@ -45,7 +45,7 @@ DESCRIPTION
-e When this option is specified, sshd will send the output to the
standard error instead of the system log.
-f configuration_file
-f config_file
Specifies the name of the configuration file. The default is
/etc/ssh/sshd_config. sshd refuses to start if there is no con-
figuration file.
@ -143,7 +143,8 @@ AUTHENTICATION
AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The
client selects the encryption algorithm to use from those offered by the
server. Additionally, session integrity is provided through a crypto-
graphic message authentication code (hmac-sha1 or hmac-md5).
graphic message authentication code (hmac-md5, hmac-sha1, umac-64 or
hmac-ripemd160).
Finally, the server and the client enter an authentication dialog. The
client tries to authenticate itself using host-based authentication, pub-
@ -156,10 +157,10 @@ AUTHENTICATION
tion of a locked account is system dependant. Some platforms have their
own account database (eg AIX) and some modify the passwd field ( `*LK*'
on Solaris and UnixWare, `*' on HP-UX, containing `Nologin' on Tru64, a
leading `*LOCKED*' on FreeBSD and a leading `!!' on Linux). If there is
a requirement to disable password authentication for the account while
allowing still public-key, then the passwd field should be set to some-
thing other than these values (eg `NP' or `*NP*' ).
leading `*LOCKED*' on FreeBSD and a leading `!' on most Linuxes). If
there is a requirement to disable password authentication for the account
while allowing still public-key, then the passwd field should be set to
something other than these values (eg `NP' or `*NP*' ).
If the client successfully authenticates itself, a dialog for preparing
the session is entered. At this time the client may request things like
@ -477,13 +478,6 @@ FILES
lows host-based authentication without permitting login with
rlogin/rsh.
/etc/ssh/ssh_known_hosts
Systemwide list of known host keys. This file should be prepared
by the system administrator to contain the public host keys of
all machines in the organization. The format of this file is de-
scribed above. This file should be writable only by root/the
owner and should be world-readable.
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_rsa_key
@ -502,6 +496,13 @@ FILES
convenience of the user so their contents can be copied to known
hosts files. These files are created using ssh-keygen(1).
/etc/ssh/ssh_known_hosts
Systemwide list of known host keys. This file should be prepared
by the system administrator to contain the public host keys of
all machines in the organization. The format of this file is de-
scribed above. This file should be writable only by root/the
owner and should be world-readable.
/etc/ssh/sshd_config
Contains configuration data for sshd. The file format and con-
figuration options are described in sshd_config(5).
@ -526,8 +527,8 @@ FILES
SEE ALSO
scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
chroot(2), hosts_access(5), login.conf(5), moduli(5), sshd_config(5),
inetd(8), sftp-server(8)
ssh-keyscan(1), chroot(2), hosts_access(5), login.conf(5), moduli(5),
sshd_config(5), inetd(8), sftp-server(8)
AUTHORS
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
@ -541,4 +542,4 @@ CAVEATS
System security is not improved unless rshd, rlogind, and rexecd are dis-
abled (thus completely disabling rlogin and rsh into the machine).
OpenBSD 4.1 September 25, 1999 9
OpenBSD 4.2 August 16, 2007 9

39
sshd.8
View File

@ -34,8 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd.8,v 1.234 2006/08/21 08:15:57 dtucker Exp $
.Dd September 25, 1999
.\" $OpenBSD: sshd.8,v 1.237 2007/06/07 19:37:34 pvalchev Exp $
.Dd $Mdocdate: August 16 2007 $
.Dt SSHD 8
.Os
.Sh NAME
@ -58,8 +58,11 @@
.Nm
(OpenSSH Daemon) is the daemon program for
.Xr ssh 1 .
Together these programs replace rlogin and rsh, and
provide secure encrypted communications between two untrusted hosts
Together these programs replace
.Xr rlogin 1
and
.Xr rsh 1 ,
and provide secure encrypted communications between two untrusted hosts
over an insecure network.
.Pp
.Nm
@ -117,7 +120,7 @@ Maximum is 3.
When this option is specified,
.Nm
will send the output to the standard error instead of the system log.
.It Fl f Ar configuration_file
.It Fl f Ar config_file
Specifies the name of the configuration file.
The default is
.Pa /etc/ssh/sshd_config .
@ -273,7 +276,7 @@ The client selects the encryption algorithm
to use from those offered by the server.
Additionally, session integrity is provided
through a cryptographic message authentication code
(hmac-sha1 or hmac-md5).
(hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160).
.Pp
Finally, the server and the client enter an authentication dialog.
The client tries to authenticate itself using
@ -299,8 +302,9 @@ on Tru64,
a leading
.Ql \&*LOCKED\&*
on FreeBSD and a leading
.Ql \&!!
on Linux). If there is a requirement to disable password authentication
.Ql \&!
on most Linuxes).
If there is a requirement to disable password authentication
for the account while allowing still public-key, then the passwd field
should be set to something other than these values (eg
.Ql NP
@ -758,15 +762,6 @@ This file is used in exactly the same way as
but allows host-based authentication without permitting login with
rlogin/rsh.
.Pp
.It /etc/ssh/ssh_known_hosts
Systemwide list of known host keys.
This file should be prepared by the
system administrator to contain the public host keys of all machines in the
organization.
The format of this file is described above.
This file should be writable only by root/the owner and
should be world-readable.
.Pp
.It /etc/ssh/ssh_host_key
.It /etc/ssh/ssh_host_dsa_key
.It /etc/ssh/ssh_host_rsa_key
@ -790,6 +785,15 @@ the user so their contents can be copied to known hosts files.
These files are created using
.Xr ssh-keygen 1 .
.Pp
.It /etc/ssh/ssh_known_hosts
Systemwide list of known host keys.
This file should be prepared by the
system administrator to contain the public host keys of all machines in the
organization.
The format of this file is described above.
This file should be writable only by root/the owner and
should be world-readable.
.Pp
.It /etc/ssh/sshd_config
Contains configuration data for
.Nm sshd .
@ -826,6 +830,7 @@ The content of this file is not sensitive; it can be world-readable.
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
.Xr hosts_access 5 ,
.Xr login.conf 5 ,

6
sshd.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshd.c,v 1.349 2007/02/21 11:00:05 dtucker Exp $ */
/* $OpenBSD: sshd.c,v 1.351 2007/05/22 10:18:52 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1421,6 +1421,10 @@ main(int ac, char **av)
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
/* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
/* set default channel AF */
channel_set_af(options.address_family);

Some files were not shown because too many files have changed in this diff Show More