mirror of
https://git.FreeBSD.org/src.git
synced 2024-11-27 08:00:11 +00:00
Pull in all the OpenSSH bits that we'd previously left out because we
didn't use them. This will make future merges from the vendor tree much easier. Approved by: re (gjb)
This commit is contained in:
commit
ce3adf4362
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=255774
459
crypto/openssh/Makefile.in
Normal file
459
crypto/openssh/Makefile.in
Normal file
@ -0,0 +1,459 @@
|
||||
# $Id: Makefile.in,v 1.340 2013/06/11 01:26:10 dtucker Exp $
|
||||
|
||||
# uncomment if you run a non bourne compatable shell. Ie. csh
|
||||
#SHELL = @SH@
|
||||
|
||||
AUTORECONF=autoreconf
|
||||
|
||||
prefix=@prefix@
|
||||
exec_prefix=@exec_prefix@
|
||||
bindir=@bindir@
|
||||
sbindir=@sbindir@
|
||||
libexecdir=@libexecdir@
|
||||
datadir=@datadir@
|
||||
datarootdir=@datarootdir@
|
||||
mandir=@mandir@
|
||||
mansubdir=@mansubdir@
|
||||
sysconfdir=@sysconfdir@
|
||||
piddir=@piddir@
|
||||
srcdir=@srcdir@
|
||||
top_srcdir=@top_srcdir@
|
||||
|
||||
DESTDIR=
|
||||
VPATH=@srcdir@
|
||||
SSH_PROGRAM=@bindir@/ssh
|
||||
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
STRIP_OPT=@STRIP_OPT@
|
||||
|
||||
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
|
||||
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
|
||||
-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
|
||||
-D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\" \
|
||||
-D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \
|
||||
-D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \
|
||||
-D_PATH_SSH_PIDDIR=\"$(piddir)\" \
|
||||
-D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\"
|
||||
|
||||
CC=@CC@
|
||||
LD=@LD@
|
||||
CFLAGS=@CFLAGS@
|
||||
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
||||
LIBS=@LIBS@
|
||||
K5LIBS=@K5LIBS@
|
||||
GSSLIBS=@GSSLIBS@
|
||||
SSHLIBS=@SSHLIBS@
|
||||
SSHDLIBS=@SSHDLIBS@
|
||||
LIBEDIT=@LIBEDIT@
|
||||
AR=@AR@
|
||||
AWK=@AWK@
|
||||
RANLIB=@RANLIB@
|
||||
INSTALL=@INSTALL@
|
||||
PERL=@PERL@
|
||||
SED=@SED@
|
||||
ENT=@ENT@
|
||||
XAUTH_PATH=@XAUTH_PATH@
|
||||
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
|
||||
EXEEXT=@EXEEXT@
|
||||
MANFMT=@MANFMT@
|
||||
|
||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
|
||||
|
||||
LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
|
||||
canohost.o channels.o cipher.o cipher-aes.o \
|
||||
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
|
||||
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
|
||||
log.o match.o md-sha256.o moduli.o nchan.o packet.o \
|
||||
readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
|
||||
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
|
||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
|
||||
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
|
||||
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
|
||||
jpake.o schnorr.o ssh-pkcs11.o krl.o
|
||||
|
||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
|
||||
roaming_common.o roaming_client.o
|
||||
|
||||
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
|
||||
audit.o audit-bsm.o audit-linux.o platform.o \
|
||||
sshpty.o sshlogin.o servconf.o serverloop.o \
|
||||
auth.o auth1.o auth2.o auth-options.o session.o \
|
||||
auth-chall.o auth2-chall.o groupaccess.o \
|
||||
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
|
||||
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
|
||||
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
|
||||
auth-krb5.o \
|
||||
auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
||||
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
||||
sftp-server.o sftp-common.o \
|
||||
roaming_common.o roaming_serv.o \
|
||||
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
|
||||
sandbox-seccomp-filter.o
|
||||
|
||||
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
|
||||
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
|
||||
MANTYPE = @MANTYPE@
|
||||
|
||||
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
|
||||
CONFIGFILES_IN=sshd_config ssh_config moduli
|
||||
|
||||
PATHSUBS = \
|
||||
-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
|
||||
-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
|
||||
-e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \
|
||||
-e 's|/usr/libexec|$(libexecdir)|g' \
|
||||
-e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \
|
||||
-e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \
|
||||
-e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \
|
||||
-e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \
|
||||
-e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \
|
||||
-e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \
|
||||
-e 's|/etc/moduli|$(sysconfdir)/moduli|g' \
|
||||
-e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \
|
||||
-e 's|/etc/ssh/sshrc|$(sysconfdir)/sshrc|g' \
|
||||
-e 's|/usr/X11R6/bin/xauth|$(XAUTH_PATH)|g' \
|
||||
-e 's|/var/empty|$(PRIVSEP_PATH)|g' \
|
||||
-e 's|/usr/bin:/bin:/usr/sbin:/sbin|@user_path@|g'
|
||||
|
||||
FIXPATHSCMD = $(SED) $(PATHSUBS)
|
||||
FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
|
||||
@UNSUPPORTED_ALGORITHMS@
|
||||
|
||||
all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
|
||||
|
||||
$(LIBSSH_OBJS): Makefile.in config.h
|
||||
$(SSHOBJS): Makefile.in config.h
|
||||
$(SSHDOBJS): Makefile.in config.h
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||
|
||||
LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
|
||||
$(LIBCOMPAT): always
|
||||
(cd openbsd-compat && $(MAKE))
|
||||
always:
|
||||
|
||||
libssh.a: $(LIBSSH_OBJS)
|
||||
$(AR) rv $@ $(LIBSSH_OBJS)
|
||||
$(RANLIB) $@
|
||||
|
||||
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
||||
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
||||
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
|
||||
$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
|
||||
$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
|
||||
$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
|
||||
$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
||||
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
|
||||
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
||||
|
||||
# test driver for the loginrec code - not built by default
|
||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
||||
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
$(MANPAGES): $(MANPAGES_IN)
|
||||
if test "$(MANTYPE)" = "cat"; then \
|
||||
manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
|
||||
else \
|
||||
manpage=$(srcdir)/`echo $@ | sed 's/\.out$$//'`; \
|
||||
fi; \
|
||||
if test "$(MANTYPE)" = "man"; then \
|
||||
$(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) | \
|
||||
$(AWK) -f $(srcdir)/mdoc2man.awk > $@; \
|
||||
else \
|
||||
$(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) > $@; \
|
||||
fi
|
||||
|
||||
$(CONFIGFILES): $(CONFIGFILES_IN)
|
||||
conffile=`echo $@ | sed 's/.out$$//'`; \
|
||||
$(FIXPATHSCMD) $(srcdir)/$${conffile} > $@
|
||||
|
||||
# fake rule to stop make trying to compile moduli.o into a binary "moduli.o"
|
||||
moduli:
|
||||
echo
|
||||
|
||||
# special case target for umac128
|
||||
umac128.o: umac.c
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -o umac128.o -c $(srcdir)/umac.c \
|
||||
-DUMAC_OUTPUT_LEN=16 -Dumac_new=umac128_new \
|
||||
-Dumac_update=umac128_update -Dumac_final=umac128_final \
|
||||
-Dumac_delete=umac128_delete
|
||||
|
||||
clean: regressclean
|
||||
rm -f *.o *.a $(TARGETS) logintest config.cache config.log
|
||||
rm -f *.out core survey
|
||||
(cd openbsd-compat && $(MAKE) clean)
|
||||
|
||||
distclean: regressclean
|
||||
rm -f *.o *.a $(TARGETS) logintest config.cache config.log
|
||||
rm -f *.out core opensshd.init openssh.xml
|
||||
rm -f Makefile buildpkg.sh config.h config.status
|
||||
rm -f survey.sh openbsd-compat/regress/Makefile *~
|
||||
rm -rf autom4te.cache
|
||||
(cd openbsd-compat && $(MAKE) distclean)
|
||||
if test -d pkg ; then \
|
||||
rm -fr pkg ; \
|
||||
fi
|
||||
|
||||
veryclean: distclean
|
||||
rm -f configure config.h.in *.0
|
||||
|
||||
cleandir: veryclean
|
||||
|
||||
mrproper: veryclean
|
||||
|
||||
realclean: veryclean
|
||||
|
||||
catman-do:
|
||||
@for f in $(MANPAGES_IN) ; do \
|
||||
base=`echo $$f | sed 's/\..*$$//'` ; \
|
||||
echo "$$f -> $$base.0" ; \
|
||||
$(MANFMT) $$f | cat -v | sed -e 's/.\^H//g' \
|
||||
>$$base.0 ; \
|
||||
done
|
||||
|
||||
distprep: catman-do
|
||||
$(AUTORECONF)
|
||||
-rm -rf autom4te.cache
|
||||
|
||||
install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
|
||||
install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
|
||||
install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
|
||||
|
||||
check-config:
|
||||
-$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config
|
||||
|
||||
install-files:
|
||||
$(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
|
||||
$(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir)
|
||||
$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)
|
||||
$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1
|
||||
$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5
|
||||
$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8
|
||||
$(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir)
|
||||
(umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH))
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
||||
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||
$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
|
||||
$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
|
||||
$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
|
||||
$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
|
||||
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
|
||||
$(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
|
||||
$(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
|
||||
$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
|
||||
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
||||
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||
-rm -f $(DESTDIR)$(bindir)/slogin
|
||||
ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
|
||||
ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
|
||||
|
||||
install-sysconf:
|
||||
if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
|
||||
$(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
|
||||
fi
|
||||
@if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config ]; then \
|
||||
$(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \
|
||||
else \
|
||||
echo "$(DESTDIR)$(sysconfdir)/ssh_config already exists, install will not overwrite"; \
|
||||
fi
|
||||
@if [ ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \
|
||||
$(INSTALL) -m 644 sshd_config.out $(DESTDIR)$(sysconfdir)/sshd_config; \
|
||||
else \
|
||||
echo "$(DESTDIR)$(sysconfdir)/sshd_config already exists, install will not overwrite"; \
|
||||
fi
|
||||
@if [ ! -f $(DESTDIR)$(sysconfdir)/moduli ]; then \
|
||||
if [ -f $(DESTDIR)$(sysconfdir)/primes ]; then \
|
||||
echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \
|
||||
mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \
|
||||
else \
|
||||
$(INSTALL) -m 644 moduli.out $(DESTDIR)$(sysconfdir)/moduli; \
|
||||
fi ; \
|
||||
else \
|
||||
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
|
||||
fi
|
||||
|
||||
host-key: ssh-keygen$(EXEEXT)
|
||||
@if [ -z "$(DESTDIR)" ] ; then \
|
||||
if [ -f "$(sysconfdir)/ssh_host_key" ] ; then \
|
||||
echo "$(sysconfdir)/ssh_host_key already exists, skipping." ; \
|
||||
else \
|
||||
./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \
|
||||
fi ; \
|
||||
if [ -f $(sysconfdir)/ssh_host_dsa_key ] ; then \
|
||||
echo "$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \
|
||||
else \
|
||||
./ssh-keygen -t dsa -f $(sysconfdir)/ssh_host_dsa_key -N "" ; \
|
||||
fi ; \
|
||||
if [ -f $(sysconfdir)/ssh_host_rsa_key ] ; then \
|
||||
echo "$(sysconfdir)/ssh_host_rsa_key already exists, skipping." ; \
|
||||
else \
|
||||
./ssh-keygen -t rsa -f $(sysconfdir)/ssh_host_rsa_key -N "" ; \
|
||||
fi ; \
|
||||
if [ -z "@COMMENT_OUT_ECC@" ] ; then \
|
||||
if [ -f $(sysconfdir)/ssh_host_ecdsa_key ] ; then \
|
||||
echo "$(sysconfdir)/ssh_host_ecdsa_key already exists, skipping." ; \
|
||||
else \
|
||||
./ssh-keygen -t ecdsa -f $(sysconfdir)/ssh_host_ecdsa_key -N "" ; \
|
||||
fi ; \
|
||||
fi ; \
|
||||
fi ;
|
||||
|
||||
host-key-force: ssh-keygen$(EXEEXT)
|
||||
./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""
|
||||
./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N ""
|
||||
./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N ""
|
||||
test -z "@COMMENT_OUT_ECC@" && ./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N ""
|
||||
|
||||
uninstallall: uninstall
|
||||
-rm -f $(DESTDIR)$(sysconfdir)/ssh_config
|
||||
-rm -f $(DESTDIR)$(sysconfdir)/sshd_config
|
||||
-rmdir $(DESTDIR)$(sysconfdir)
|
||||
-rmdir $(DESTDIR)$(bindir)
|
||||
-rmdir $(DESTDIR)$(sbindir)
|
||||
-rmdir $(DESTDIR)$(mandir)/$(mansubdir)1
|
||||
-rmdir $(DESTDIR)$(mandir)/$(mansubdir)8
|
||||
-rmdir $(DESTDIR)$(mandir)
|
||||
-rmdir $(DESTDIR)$(libexecdir)
|
||||
|
||||
uninstall:
|
||||
-rm -f $(DESTDIR)$(bindir)/slogin
|
||||
-rm -f $(DESTDIR)$(bindir)/ssh$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(bindir)/scp$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
||||
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
|
||||
|
||||
regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
|
||||
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
|
||||
[ -f `pwd`/regress/Makefile ] || \
|
||||
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
|
||||
$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT)
|
||||
BUILDDIR=`pwd`; \
|
||||
TEST_SHELL="@TEST_SHELL@"; \
|
||||
TEST_SSH_SSH="$${BUILDDIR}/ssh"; \
|
||||
TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \
|
||||
TEST_SSH_SSHAGENT="$${BUILDDIR}/ssh-agent"; \
|
||||
TEST_SSH_SSHADD="$${BUILDDIR}/ssh-add"; \
|
||||
TEST_SSH_SSHKEYGEN="$${BUILDDIR}/ssh-keygen"; \
|
||||
TEST_SSH_SSHPKCS11HELPER="$${BUILDDIR}/ssh-pkcs11-helper"; \
|
||||
TEST_SSH_SSHKEYSCAN="$${BUILDDIR}/ssh-keyscan"; \
|
||||
TEST_SSH_SFTP="$${BUILDDIR}/sftp"; \
|
||||
TEST_SSH_SFTPSERVER="$${BUILDDIR}/sftp-server"; \
|
||||
TEST_SSH_PLINK="plink"; \
|
||||
TEST_SSH_PUTTYGEN="puttygen"; \
|
||||
TEST_SSH_CONCH="conch"; \
|
||||
TEST_SSH_IPV6="@TEST_SSH_IPV6@" ; \
|
||||
TEST_SSH_ECC="@TEST_SSH_ECC@" ; \
|
||||
TEST_SSH_SHA256="@TEST_SSH_SHA256@" ; \
|
||||
cd $(srcdir)/regress || exit $$?; \
|
||||
$(MAKE) \
|
||||
.OBJDIR="$${BUILDDIR}/regress" \
|
||||
.CURDIR="`pwd`" \
|
||||
BUILDDIR="$${BUILDDIR}" \
|
||||
OBJ="$${BUILDDIR}/regress/" \
|
||||
PATH="$${BUILDDIR}:$${PATH}" \
|
||||
TEST_SHELL="$${TEST_SHELL}" \
|
||||
TEST_SSH_SSH="$${TEST_SSH_SSH}" \
|
||||
TEST_SSH_SSHD="$${TEST_SSH_SSHD}" \
|
||||
TEST_SSH_SSHAGENT="$${TEST_SSH_SSHAGENT}" \
|
||||
TEST_SSH_SSHADD="$${TEST_SSH_SSHADD}" \
|
||||
TEST_SSH_SSHKEYGEN="$${TEST_SSH_SSHKEYGEN}" \
|
||||
TEST_SSH_SSHPKCS11HELPER="$${TEST_SSH_SSHPKCS11HELPER}" \
|
||||
TEST_SSH_SSHKEYSCAN="$${TEST_SSH_SSHKEYSCAN}" \
|
||||
TEST_SSH_SFTP="$${TEST_SSH_SFTP}" \
|
||||
TEST_SSH_SFTPSERVER="$${TEST_SSH_SFTPSERVER}" \
|
||||
TEST_SSH_PLINK="$${TEST_SSH_PLINK}" \
|
||||
TEST_SSH_PUTTYGEN="$${TEST_SSH_PUTTYGEN}" \
|
||||
TEST_SSH_CONCH="$${TEST_SSH_CONCH}" \
|
||||
TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \
|
||||
TEST_SSH_ECC="$${TEST_SSH_ECC}" \
|
||||
TEST_SSH_SHA256="$${TEST_SSH_SHA256}" \
|
||||
EXEEXT="$(EXEEXT)" \
|
||||
$@ && echo all tests passed
|
||||
|
||||
compat-tests: $(LIBCOMPAT)
|
||||
(cd openbsd-compat/regress && $(MAKE))
|
||||
|
||||
regressclean:
|
||||
if [ -f regress/Makefile ] && [ -r regress/Makefile ]; then \
|
||||
(cd regress && $(MAKE) clean) \
|
||||
fi
|
||||
|
||||
survey: survey.sh ssh
|
||||
@$(SHELL) ./survey.sh > survey
|
||||
@echo 'The survey results have been placed in the file "survey" in the'
|
||||
@echo 'current directory. Please review the file then send with'
|
||||
@echo '"make send-survey".'
|
||||
|
||||
send-survey: survey
|
||||
mail portable-survey@mindrot.org <survey
|
||||
|
||||
package: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
|
||||
if [ "@MAKE_PACKAGE_SUPPORTED@" = yes ]; then \
|
||||
sh buildpkg.sh; \
|
||||
fi
|
||||
|
677
crypto/openssh/buildpkg.sh.in
Normal file
677
crypto/openssh/buildpkg.sh.in
Normal file
@ -0,0 +1,677 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Fake Root Solaris/SVR4/SVR5 Build System - Prototype
|
||||
#
|
||||
# The following code has been provide under Public Domain License. I really
|
||||
# don't care what you use it for. Just as long as you don't complain to me
|
||||
# nor my employer if you break it. - Ben Lindstrom (mouring@eviladmin.org)
|
||||
#
|
||||
umask 022
|
||||
#
|
||||
# Options for building the package
|
||||
# You can create a openssh-config.local with your customized options
|
||||
#
|
||||
REMOVE_FAKE_ROOT_WHEN_DONE=yes
|
||||
#
|
||||
# uncommenting TEST_DIR and using
|
||||
# configure --prefix=/var/tmp --with-privsep-path=/var/tmp/empty
|
||||
# and
|
||||
# PKGNAME=tOpenSSH should allow testing a package without interfering
|
||||
# with a real OpenSSH package on a system. This is not needed on systems
|
||||
# that support the -R option to pkgadd.
|
||||
#TEST_DIR=/var/tmp # leave commented out for production build
|
||||
PKGNAME=OpenSSH
|
||||
# revisions within the same version (REV=a)
|
||||
#REV=
|
||||
SYSVINIT_NAME=opensshd
|
||||
AWK=${AWK:="nawk"}
|
||||
MAKE=${MAKE:="make"}
|
||||
SSHDUID=67 # Default privsep uid
|
||||
SSHDGID=67 # Default privsep gid
|
||||
# uncomment these next three as needed
|
||||
#PERMIT_ROOT_LOGIN=no
|
||||
#X11_FORWARDING=yes
|
||||
#USR_LOCAL_IS_SYMLINK=yes
|
||||
# System V init run levels
|
||||
SYSVINITSTART=S98
|
||||
SYSVINITSTOPT=K30
|
||||
# We will source these if they exist
|
||||
POST_MAKE_INSTALL_FIXES=./pkg-post-make-install-fixes.sh
|
||||
POST_PROTOTYPE_EDITS=./pkg-post-prototype-edit.sh
|
||||
# We'll be one level deeper looking for these
|
||||
PKG_PREINSTALL_LOCAL=../pkg-preinstall.local
|
||||
PKG_POSTINSTALL_LOCAL=../pkg-postinstall.local
|
||||
PKG_PREREMOVE_LOCAL=../pkg-preremove.local
|
||||
PKG_POSTREMOVE_LOCAL=../pkg-postremove.local
|
||||
PKG_REQUEST_LOCAL=../pkg-request.local
|
||||
# end of sourced files
|
||||
#
|
||||
OPENSSHD=opensshd.init
|
||||
OPENSSH_MANIFEST=openssh.xml
|
||||
OPENSSH_FMRI=svc:/site/${SYSVINIT_NAME}:default
|
||||
SMF_METHOD_DIR=/lib/svc/method/site
|
||||
SMF_MANIFEST_DIR=/var/svc/manifest/site
|
||||
|
||||
PATH_GROUPADD_PROG=@PATH_GROUPADD_PROG@
|
||||
PATH_USERADD_PROG=@PATH_USERADD_PROG@
|
||||
PATH_PASSWD_PROG=@PATH_PASSWD_PROG@
|
||||
#
|
||||
# list of system directories we do NOT want to change owner/group/perms
|
||||
# when installing our package
|
||||
SYSTEM_DIR="/etc \
|
||||
/etc/init.d \
|
||||
/etc/rcS.d \
|
||||
/etc/rc0.d \
|
||||
/etc/rc1.d \
|
||||
/etc/rc2.d \
|
||||
/etc/opt \
|
||||
/lib \
|
||||
/lib/svc \
|
||||
/lib/svc/method \
|
||||
/lib/svc/method/site \
|
||||
/opt \
|
||||
/opt/bin \
|
||||
/usr \
|
||||
/usr/bin \
|
||||
/usr/lib \
|
||||
/usr/sbin \
|
||||
/usr/share \
|
||||
/usr/share/man \
|
||||
/usr/share/man/man1 \
|
||||
/usr/share/man/man8 \
|
||||
/usr/local \
|
||||
/usr/local/bin \
|
||||
/usr/local/etc \
|
||||
/usr/local/libexec \
|
||||
/usr/local/man \
|
||||
/usr/local/man/man1 \
|
||||
/usr/local/man/man8 \
|
||||
/usr/local/sbin \
|
||||
/usr/local/share \
|
||||
/var \
|
||||
/var/opt \
|
||||
/var/run \
|
||||
/var/svc \
|
||||
/var/svc/manifest \
|
||||
/var/svc/manifest/site \
|
||||
/var/tmp \
|
||||
/tmp"
|
||||
|
||||
# We may need to build as root so we make sure PATH is set up
|
||||
# only set the path if it's not set already
|
||||
[ -d /opt/bin ] && {
|
||||
echo $PATH | grep ":/opt/bin" > /dev/null 2>&1
|
||||
[ $? -ne 0 ] && PATH=$PATH:/opt/bin
|
||||
}
|
||||
[ -d /usr/local/bin ] && {
|
||||
echo $PATH | grep ":/usr/local/bin" > /dev/null 2>&1
|
||||
[ $? -ne 0 ] && PATH=$PATH:/usr/local/bin
|
||||
}
|
||||
[ -d /usr/ccs/bin ] && {
|
||||
echo $PATH | grep ":/usr/ccs/bin" > /dev/null 2>&1
|
||||
[ $? -ne 0 ] && PATH=$PATH:/usr/ccs/bin
|
||||
}
|
||||
export PATH
|
||||
#
|
||||
|
||||
[ -f Makefile ] || {
|
||||
echo "Please run this script from your build directory"
|
||||
exit 1
|
||||
}
|
||||
|
||||
# we will look for openssh-config.local to override the above options
|
||||
[ -s ./openssh-config.local ] && . ./openssh-config.local
|
||||
|
||||
START=`pwd`
|
||||
FAKE_ROOT=$START/pkg
|
||||
|
||||
## Fill in some details, like prefix and sysconfdir
|
||||
for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir sysconfdir piddir srcdir
|
||||
do
|
||||
eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2`
|
||||
done
|
||||
|
||||
## Are we using Solaris' SMF?
|
||||
DO_SMF=0
|
||||
if egrep "^#define USE_SOLARIS_PROCESS_CONTRACTS" config.h > /dev/null 2>&1
|
||||
then
|
||||
DO_SMF=1
|
||||
fi
|
||||
|
||||
## Collect value of privsep user
|
||||
for confvar in SSH_PRIVSEP_USER
|
||||
do
|
||||
eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h`
|
||||
done
|
||||
|
||||
## Set privsep defaults if not defined
|
||||
if [ -z "$SSH_PRIVSEP_USER" ]
|
||||
then
|
||||
SSH_PRIVSEP_USER=sshd
|
||||
fi
|
||||
|
||||
## Extract common info requires for the 'info' part of the package.
|
||||
VERSION=`./ssh -V 2>&1 | sed -e 's/,.*//'`
|
||||
|
||||
ARCH=`uname -m`
|
||||
DEF_MSG="\n"
|
||||
OS_VER=`uname -v`
|
||||
SCRIPT_SHELL=/sbin/sh
|
||||
UNAME_R=`uname -r`
|
||||
UNAME_S=`uname -s`
|
||||
case ${UNAME_S} in
|
||||
SunOS) UNAME_S=Solaris
|
||||
OS_VER=${UNAME_R}
|
||||
ARCH=`uname -p`
|
||||
RCS_D=yes
|
||||
DEF_MSG="(default: n)"
|
||||
;;
|
||||
SCO_SV) case ${UNAME_R} in
|
||||
3.2) UNAME_S=OpenServer5
|
||||
OS_VER=`uname -X | grep Release | sed -e 's/^Rel.*3.2v//'`
|
||||
;;
|
||||
5) UNAME_S=OpenServer6
|
||||
;;
|
||||
esac
|
||||
SCRIPT_SHELL=/bin/sh
|
||||
RC1_D=no
|
||||
DEF_MSG="(default: n)"
|
||||
;;
|
||||
esac
|
||||
|
||||
case `basename $0` in
|
||||
buildpkg.sh)
|
||||
## Start by faking root install
|
||||
echo "Faking root install..."
|
||||
[ -d $FAKE_ROOT ] && rm -fr $FAKE_ROOT
|
||||
mkdir $FAKE_ROOT
|
||||
${MAKE} install-nokeys DESTDIR=$FAKE_ROOT
|
||||
if [ $? -gt 0 ]
|
||||
then
|
||||
echo "Fake root install failed, stopping."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
## Setup our run level stuff while we are at it.
|
||||
if [ $DO_SMF -eq 1 ]
|
||||
then
|
||||
# For Solaris' SMF, /lib/svc/method/site is the preferred place
|
||||
# for start/stop scripts that aren't supplied with the OS, and
|
||||
# similarly /var/svc/manifest/site for manifests.
|
||||
mkdir -p $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}
|
||||
mkdir -p $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}
|
||||
|
||||
cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}/${SYSVINIT_NAME}
|
||||
chmod 744 $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}/${SYSVINIT_NAME}
|
||||
|
||||
cat ${OPENSSH_MANIFEST} | \
|
||||
sed -e "s|__SYSVINIT_NAME__|${SYSVINIT_NAME}|" \
|
||||
-e "s|__SMF_METHOD_DIR__|${SMF_METHOD_DIR}|" \
|
||||
> $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
|
||||
chmod 644 $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
|
||||
else
|
||||
mkdir -p $FAKE_ROOT${TEST_DIR}/etc/init.d
|
||||
|
||||
cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
|
||||
chmod 744 $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
|
||||
fi
|
||||
|
||||
[ "${PERMIT_ROOT_LOGIN}" = no ] && \
|
||||
perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
|
||||
$FAKE_ROOT${sysconfdir}/sshd_config
|
||||
[ "${X11_FORWARDING}" = yes ] && \
|
||||
perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
|
||||
$FAKE_ROOT${sysconfdir}/sshd_config
|
||||
# fix PrintMotd
|
||||
perl -p -i -e "s/#PrintMotd yes/PrintMotd no/" \
|
||||
$FAKE_ROOT${sysconfdir}/sshd_config
|
||||
|
||||
# We don't want to overwrite config files on multiple installs
|
||||
mv $FAKE_ROOT${sysconfdir}/ssh_config $FAKE_ROOT${sysconfdir}/ssh_config.default
|
||||
mv $FAKE_ROOT${sysconfdir}/sshd_config $FAKE_ROOT${sysconfdir}/sshd_config.default
|
||||
|
||||
# local tweeks here
|
||||
[ -s "${POST_MAKE_INSTALL_FIXES}" ] && . ${POST_MAKE_INSTALL_FIXES}
|
||||
|
||||
cd $FAKE_ROOT
|
||||
|
||||
## Ok, this is outright wrong, but it will work. I'm tired of pkgmk
|
||||
## whining.
|
||||
for i in *; do
|
||||
PROTO_ARGS="$PROTO_ARGS $i=/$i";
|
||||
done
|
||||
|
||||
## Build info file
|
||||
echo "Building pkginfo file..."
|
||||
cat > pkginfo << _EOF
|
||||
PKG=$PKGNAME
|
||||
NAME="OpenSSH Portable for ${UNAME_S}"
|
||||
DESC="Secure Shell remote access utility; replaces telnet and rlogin/rsh."
|
||||
VENDOR="OpenSSH Portable Team - http://www.openssh.com/portable.html"
|
||||
ARCH=$ARCH
|
||||
VERSION=$VERSION$REV
|
||||
CATEGORY="Security,application"
|
||||
BASEDIR=/
|
||||
CLASSES="none"
|
||||
PSTAMP="${UNAME_S} ${OS_VER} ${ARCH} `date '+%d%b%Y %H:%M'`"
|
||||
_EOF
|
||||
|
||||
## Build empty depend file that may get updated by $POST_PROTOTYPE_EDITS
|
||||
echo "Building depend file..."
|
||||
touch depend
|
||||
|
||||
## Build space file
|
||||
echo "Building space file..."
|
||||
if [ $DO_SMF -eq 1 ]
|
||||
then
|
||||
# XXX Is this necessary? If not, remove space line from mk-proto.awk.
|
||||
touch space
|
||||
else
|
||||
cat > space << _EOF
|
||||
# extra space required by start/stop links added by installf
|
||||
# in postinstall
|
||||
$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1
|
||||
$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME} 0 1
|
||||
_EOF
|
||||
[ "$RC1_D" = no ] || \
|
||||
echo "$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space
|
||||
[ "$RCS_D" = yes ] && \
|
||||
echo "$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space
|
||||
fi
|
||||
|
||||
## Build preinstall file
|
||||
echo "Building preinstall file..."
|
||||
cat > preinstall << _EOF
|
||||
#! ${SCRIPT_SHELL}
|
||||
#
|
||||
_EOF
|
||||
|
||||
# local preinstall changes here
|
||||
[ -s "${PKG_PREINSTALL_LOCAL}" ] && . ${PKG_PREINSTALL_LOCAL}
|
||||
|
||||
cat >> preinstall << _EOF
|
||||
#
|
||||
if [ "\${PRE_INS_STOP}" = "yes" ]
|
||||
then
|
||||
if [ $DO_SMF -eq 1 ]
|
||||
then
|
||||
svcadm disable $OPENSSH_FMRI
|
||||
else
|
||||
${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
|
||||
fi
|
||||
fi
|
||||
|
||||
exit 0
|
||||
_EOF
|
||||
|
||||
## Build postinstall file
|
||||
echo "Building postinstall file..."
|
||||
cat > postinstall << _EOF
|
||||
#! ${SCRIPT_SHELL}
|
||||
#
|
||||
[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config ] || \\
|
||||
cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config.default \\
|
||||
\${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config
|
||||
[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config ] || \\
|
||||
cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config.default \\
|
||||
\${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config
|
||||
|
||||
# make rc?.d dirs only if we are doing a test install
|
||||
[ -n "${TEST_DIR}" ] && [ $DO_SMF -ne 1 ] && {
|
||||
[ "$RCS_D" = yes ] && mkdir -p ${TEST_DIR}/etc/rcS.d
|
||||
mkdir -p ${TEST_DIR}/etc/rc0.d
|
||||
[ "$RC1_D" = no ] || mkdir -p ${TEST_DIR}/etc/rc1.d
|
||||
mkdir -p ${TEST_DIR}/etc/rc2.d
|
||||
}
|
||||
|
||||
if [ $DO_SMF -eq 1 ]
|
||||
then
|
||||
# Delete the existing service, if it exists, then import the
|
||||
# new one.
|
||||
if svcs $OPENSSH_FMRI > /dev/null 2>&1
|
||||
then
|
||||
svccfg delete -f $OPENSSH_FMRI
|
||||
fi
|
||||
# NOTE, The manifest disables sshd by default.
|
||||
svccfg import ${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
|
||||
else
|
||||
if [ "\${USE_SYM_LINKS}" = yes ]
|
||||
then
|
||||
[ "$RCS_D" = yes ] && \\
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
|
||||
[ "$RC1_D" = no ] || \\
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
|
||||
else
|
||||
[ "$RCS_D" = yes ] && \\
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
|
||||
[ "$RC1_D" = no ] || \\
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
|
||||
fi
|
||||
fi
|
||||
|
||||
# If piddir doesn't exist we add it. (Ie. --with-pid-dir=/var/opt/ssh)
|
||||
[ -d $piddir ] || installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR$piddir d 0755 root sys
|
||||
|
||||
_EOF
|
||||
|
||||
# local postinstall changes here
|
||||
[ -s "${PKG_POSTINSTALL_LOCAL}" ] && . ${PKG_POSTINSTALL_LOCAL}
|
||||
|
||||
cat >> postinstall << _EOF
|
||||
installf -f ${PKGNAME}
|
||||
|
||||
# Use chroot to handle PKG_INSTALL_ROOT
|
||||
if [ ! -z "\${PKG_INSTALL_ROOT}" ]
|
||||
then
|
||||
chroot="chroot \${PKG_INSTALL_ROOT}"
|
||||
fi
|
||||
# If this is a test build, we will skip the groupadd/useradd/passwd commands
|
||||
if [ ! -z "${TEST_DIR}" ]
|
||||
then
|
||||
chroot=echo
|
||||
fi
|
||||
|
||||
echo "PrivilegeSeparation user always required."
|
||||
if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
|
||||
then
|
||||
echo "PrivSep user $SSH_PRIVSEP_USER already exists."
|
||||
SSH_PRIVSEP_GROUP=\`grep "^$SSH_PRIVSEP_USER:" \${PKG_INSTALL_ROOT}/etc/passwd | awk -F: '{print \$4}'\`
|
||||
SSH_PRIVSEP_GROUP=\`grep ":\$SSH_PRIVSEP_GROUP:" \${PKG_INSTALL_ROOT}/etc/group | awk -F: '{print \$1}'\`
|
||||
else
|
||||
DO_PASSWD=yes
|
||||
fi
|
||||
[ -z "\$SSH_PRIVSEP_GROUP" ] && SSH_PRIVSEP_GROUP=$SSH_PRIVSEP_USER
|
||||
|
||||
# group required?
|
||||
if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'\$SSH_PRIVSEP_GROUP'\$' >/dev/null
|
||||
then
|
||||
echo "PrivSep group \$SSH_PRIVSEP_GROUP already exists."
|
||||
else
|
||||
DO_GROUP=yes
|
||||
fi
|
||||
|
||||
# create group if required
|
||||
[ "\$DO_GROUP" = yes ] && {
|
||||
# Use gid of 67 if possible
|
||||
if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null
|
||||
then
|
||||
:
|
||||
else
|
||||
sshdgid="-g $SSHDGID"
|
||||
fi
|
||||
echo "Creating PrivSep group \$SSH_PRIVSEP_GROUP."
|
||||
\$chroot ${PATH_GROUPADD_PROG} \$sshdgid \$SSH_PRIVSEP_GROUP
|
||||
}
|
||||
|
||||
# Create user if required
|
||||
[ "\$DO_PASSWD" = yes ] && {
|
||||
# Use uid of 67 if possible
|
||||
if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDUID'\$' >/dev/null
|
||||
then
|
||||
:
|
||||
else
|
||||
sshduid="-u $SSHDUID"
|
||||
fi
|
||||
echo "Creating PrivSep user $SSH_PRIVSEP_USER."
|
||||
\$chroot ${PATH_USERADD_PROG} -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER
|
||||
\$chroot ${PATH_PASSWD_PROG} -l $SSH_PRIVSEP_USER
|
||||
}
|
||||
|
||||
if [ "\${POST_INS_START}" = "yes" ]
|
||||
then
|
||||
if [ $DO_SMF -eq 1 ]
|
||||
then
|
||||
svcadm enable $OPENSSH_FMRI
|
||||
else
|
||||
${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start
|
||||
fi
|
||||
fi
|
||||
exit 0
|
||||
_EOF
|
||||
|
||||
## Build preremove file
|
||||
echo "Building preremove file..."
|
||||
cat > preremove << _EOF
|
||||
#! ${SCRIPT_SHELL}
|
||||
#
|
||||
if [ $DO_SMF -eq 1 ]
|
||||
then
|
||||
svcadm disable $OPENSSH_FMRI
|
||||
else
|
||||
${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
|
||||
fi
|
||||
_EOF
|
||||
|
||||
# local preremove changes here
|
||||
[ -s "${PKG_PREREMOVE_LOCAL}" ] && . ${PKG_PREREMOVE_LOCAL}
|
||||
|
||||
cat >> preremove << _EOF
|
||||
exit 0
|
||||
_EOF
|
||||
|
||||
## Build postremove file
|
||||
echo "Building postremove file..."
|
||||
cat > postremove << _EOF
|
||||
#! ${SCRIPT_SHELL}
|
||||
#
|
||||
if [ $DO_SMF -eq 1 ]
|
||||
then
|
||||
if svcs $OPENSSH_FMRI > /dev/null 2>&1
|
||||
then
|
||||
svccfg delete -f $OPENSSH_FMRI
|
||||
fi
|
||||
fi
|
||||
_EOF
|
||||
|
||||
# local postremove changes here
|
||||
[ -s "${PKG_POSTREMOVE_LOCAL}" ] && . ${PKG_POSTREMOVE_LOCAL}
|
||||
|
||||
cat >> postremove << _EOF
|
||||
exit 0
|
||||
_EOF
|
||||
|
||||
## Build request file
|
||||
echo "Building request file..."
|
||||
cat > request << _EOF
|
||||
trap 'exit 3' 15
|
||||
|
||||
_EOF
|
||||
|
||||
[ -x /usr/bin/ckyorn ] || cat >> request << _EOF
|
||||
|
||||
ckyorn() {
|
||||
# for some strange reason OpenServer5 has no ckyorn
|
||||
# We build a striped down version here
|
||||
|
||||
DEFAULT=n
|
||||
PROMPT="Yes or No [yes,no,?,quit]"
|
||||
HELP_PROMPT=" Enter y or yes if your answer is yes; n or no if your answer is no."
|
||||
USAGE="usage: ckyorn [options]
|
||||
where options may include:
|
||||
-d default
|
||||
-h help
|
||||
-p prompt
|
||||
"
|
||||
|
||||
if [ \$# != 0 ]
|
||||
then
|
||||
while getopts d:p:h: c
|
||||
do
|
||||
case \$c in
|
||||
h) HELP_PROMPT="\$OPTARG" ;;
|
||||
d) DEFAULT=\$OPTARG ;;
|
||||
p) PROMPT=\$OPTARG ;;
|
||||
\\?) echo "\$USAGE" 1>&2
|
||||
exit 1 ;;
|
||||
esac
|
||||
done
|
||||
shift \`expr \$OPTIND - 1\`
|
||||
fi
|
||||
|
||||
while true
|
||||
do
|
||||
echo "\${PROMPT}\\c " 1>&2
|
||||
read key
|
||||
[ -z "\$key" ] && key=\$DEFAULT
|
||||
case \$key in
|
||||
[n,N]|[n,N][o,O]|[y,Y]|[y,Y][e,E][s,S]) echo "\${key}\\c"
|
||||
exit 0 ;;
|
||||
\\?) echo \$HELP_PROMPT 1>&2 ;;
|
||||
q|quit) echo "q\\c" 1>&2
|
||||
exit 3 ;;
|
||||
esac
|
||||
done
|
||||
|
||||
}
|
||||
|
||||
_EOF
|
||||
|
||||
if [ $DO_SMF -eq 1 ]
|
||||
then
|
||||
# This could get hairy, as the running sshd may not be under SMF.
|
||||
# We'll assume an earlier version of OpenSSH started via SMF.
|
||||
cat >> request << _EOF
|
||||
PRE_INS_STOP=no
|
||||
POST_INS_START=no
|
||||
# determine if should restart the daemon
|
||||
if [ -s ${piddir}/sshd.pid ] && \\
|
||||
/usr/bin/svcs -H $OPENSSH_FMRI 2>&1 | egrep "^online" > /dev/null 2>&1
|
||||
then
|
||||
ans=\`ckyorn -d n \\
|
||||
-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
|
||||
case \$ans in
|
||||
[y,Y]*) PRE_INS_STOP=yes
|
||||
POST_INS_START=yes
|
||||
;;
|
||||
esac
|
||||
|
||||
else
|
||||
|
||||
# determine if we should start sshd
|
||||
ans=\`ckyorn -d n \\
|
||||
-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
|
||||
case \$ans in
|
||||
[y,Y]*) POST_INS_START=yes ;;
|
||||
esac
|
||||
fi
|
||||
|
||||
# make parameters available to installation service,
|
||||
# and so to any other packaging scripts
|
||||
cat >\$1 <<!
|
||||
PRE_INS_STOP='\$PRE_INS_STOP'
|
||||
POST_INS_START='\$POST_INS_START'
|
||||
!
|
||||
|
||||
_EOF
|
||||
else
|
||||
cat >> request << _EOF
|
||||
USE_SYM_LINKS=no
|
||||
PRE_INS_STOP=no
|
||||
POST_INS_START=no
|
||||
# Use symbolic links?
|
||||
ans=\`ckyorn -d n \\
|
||||
-p "Do you want symbolic links for the start/stop scripts? ${DEF_MSG}"\` || exit \$?
|
||||
case \$ans in
|
||||
[y,Y]*) USE_SYM_LINKS=yes ;;
|
||||
esac
|
||||
|
||||
# determine if should restart the daemon
|
||||
if [ -s ${piddir}/sshd.pid -a -f ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} ]
|
||||
then
|
||||
ans=\`ckyorn -d n \\
|
||||
-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
|
||||
case \$ans in
|
||||
[y,Y]*) PRE_INS_STOP=yes
|
||||
POST_INS_START=yes
|
||||
;;
|
||||
esac
|
||||
|
||||
else
|
||||
|
||||
# determine if we should start sshd
|
||||
ans=\`ckyorn -d n \\
|
||||
-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
|
||||
case \$ans in
|
||||
[y,Y]*) POST_INS_START=yes ;;
|
||||
esac
|
||||
fi
|
||||
|
||||
# make parameters available to installation service,
|
||||
# and so to any other packaging scripts
|
||||
cat >\$1 <<!
|
||||
USE_SYM_LINKS='\$USE_SYM_LINKS'
|
||||
PRE_INS_STOP='\$PRE_INS_STOP'
|
||||
POST_INS_START='\$POST_INS_START'
|
||||
!
|
||||
|
||||
_EOF
|
||||
fi
|
||||
|
||||
# local request changes here
|
||||
[ -s "${PKG_REQUEST_LOCAL}" ] && . ${PKG_REQUEST_LOCAL}
|
||||
|
||||
cat >> request << _EOF
|
||||
exit 0
|
||||
|
||||
_EOF
|
||||
|
||||
## Next Build our prototype
|
||||
echo "Building prototype file..."
|
||||
cat >mk-proto.awk << _EOF
|
||||
BEGIN { print "i pkginfo"; print "i depend"; \\
|
||||
print "i preinstall"; print "i postinstall"; \\
|
||||
print "i preremove"; print "i postremove"; \\
|
||||
print "i request"; print "i space"; \\
|
||||
split("$SYSTEM_DIR",sys_files); }
|
||||
{
|
||||
for (dir in sys_files) { if ( \$3 != sys_files[dir] )
|
||||
{ if ( \$1 == "s" )
|
||||
{ \$5=""; \$6=""; }
|
||||
else
|
||||
{ \$5="root"; \$6="sys"; }
|
||||
}
|
||||
else
|
||||
{ \$4="?"; \$5="?"; \$6="?"; break;}
|
||||
} }
|
||||
{ print; }
|
||||
_EOF
|
||||
|
||||
find . | egrep -v "prototype|pkginfo|mk-proto.awk" | sort | \
|
||||
pkgproto $PROTO_ARGS | ${AWK} -f mk-proto.awk > prototype
|
||||
|
||||
# /usr/local is a symlink on some systems
|
||||
[ "${USR_LOCAL_IS_SYMLINK}" = yes ] && {
|
||||
grep -v "^d none /usr/local ? ? ?$" prototype > prototype.new
|
||||
mv prototype.new prototype
|
||||
}
|
||||
|
||||
## Step back a directory and now build the package.
|
||||
cd ..
|
||||
# local prototype tweeks here
|
||||
[ -s "${POST_PROTOTYPE_EDITS}" ] && . ${POST_PROTOTYPE_EDITS}
|
||||
|
||||
echo "Building package.."
|
||||
pkgmk -d ${FAKE_ROOT} -f $FAKE_ROOT/prototype -o
|
||||
echo | pkgtrans -os ${FAKE_ROOT} ${START}/$PKGNAME-$VERSION$REV-$UNAME_S-$ARCH.pkg
|
||||
;;
|
||||
|
||||
justpkg.sh)
|
||||
rm -fr ${FAKE_ROOT}/${PKGNAME}
|
||||
grep -v "^PSTAMP=" $FAKE_ROOT/pkginfo > $$tmp
|
||||
mv $$tmp $FAKE_ROOT/pkginfo
|
||||
cat >> $FAKE_ROOT/pkginfo << _EOF
|
||||
PSTAMP="${UNAME_S} ${OS_VER} ${ARCH} `date '+%d%b%Y %H:%M'`"
|
||||
_EOF
|
||||
pkgmk -d ${FAKE_ROOT} -f $FAKE_ROOT/prototype -o
|
||||
echo | pkgtrans -os ${FAKE_ROOT} ${START}/$PKGNAME-$VERSION$REV-$UNAME_S-$ARCH.pkg
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
[ "${REMOVE_FAKE_ROOT_WHEN_DONE}" = yes ] && rm -rf $FAKE_ROOT
|
||||
exit 0
|
||||
|
1793
crypto/openssh/config.sub
vendored
Executable file
1793
crypto/openssh/config.sub
vendored
Executable file
File diff suppressed because it is too large
Load Diff
18897
crypto/openssh/configure
vendored
Executable file
18897
crypto/openssh/configure
vendored
Executable file
File diff suppressed because it is too large
Load Diff
4669
crypto/openssh/configure.ac
Normal file
4669
crypto/openssh/configure.ac
Normal file
File diff suppressed because it is too large
Load Diff
17
crypto/openssh/contrib/Makefile
Normal file
17
crypto/openssh/contrib/Makefile
Normal file
@ -0,0 +1,17 @@
|
||||
PKG_CONFIG = pkg-config
|
||||
|
||||
all:
|
||||
@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
|
||||
|
||||
gnome-ssh-askpass1: gnome-ssh-askpass1.c
|
||||
$(CC) `gnome-config --cflags gnome gnomeui` \
|
||||
gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
|
||||
`gnome-config --libs gnome gnomeui`
|
||||
|
||||
gnome-ssh-askpass2: gnome-ssh-askpass2.c
|
||||
$(CC) `$(PKG_CONFIG) --cflags gtk+-2.0` \
|
||||
gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
|
||||
`$(PKG_CONFIG) --libs gtk+-2.0 x11`
|
||||
|
||||
clean:
|
||||
rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass
|
70
crypto/openssh/contrib/README
Normal file
70
crypto/openssh/contrib/README
Normal file
@ -0,0 +1,70 @@
|
||||
Other patches and addons for OpenSSH. Please send submissions to
|
||||
djm@mindrot.org
|
||||
|
||||
Externally maintained
|
||||
---------------------
|
||||
|
||||
SSH Proxy Command -- connect.c
|
||||
|
||||
Shun-ichi GOTO <gotoh@imasy.or.jp> has written a very useful ProxyCommand
|
||||
which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or
|
||||
https CONNECT style proxy server. His page for connect.c has extensive
|
||||
documentation on its use as well as compiled versions for Win32.
|
||||
|
||||
http://www.taiyo.co.jp/~gotoh/ssh/connect.html
|
||||
|
||||
|
||||
X11 SSH Askpass:
|
||||
|
||||
Jim Knoble <jmknoble@pobox.com> has written an excellent X11
|
||||
passphrase requester. This is highly recommended:
|
||||
|
||||
http://www.jmknoble.net/software/x11-ssh-askpass/
|
||||
|
||||
|
||||
In this directory
|
||||
-----------------
|
||||
|
||||
ssh-copy-id:
|
||||
|
||||
Phil Hands' <phil@hands.com> shell script to automate the process of adding
|
||||
your public key to a remote machine's ~/.ssh/authorized_keys file.
|
||||
|
||||
gnome-ssh-askpass[12]:
|
||||
|
||||
A GNOME and Gtk2 passphrase requesters. Use "make gnome-ssh-askpass1" or
|
||||
"make gnome-ssh-askpass2" to build.
|
||||
|
||||
sshd.pam.generic:
|
||||
|
||||
A generic PAM config file which may be useful on your system. YMMV
|
||||
|
||||
sshd.pam.freebsd:
|
||||
|
||||
A PAM config file which works with FreeBSD's PAM port. Contributed by
|
||||
Dominik Brettnacher <domi@saargate.de>
|
||||
|
||||
findssl.sh:
|
||||
|
||||
Search for all instances of OpenSSL headers and libraries and print their
|
||||
versions. This is intended to help diagnose OpenSSH's "OpenSSL headers do not
|
||||
match your library" errors.
|
||||
|
||||
aix:
|
||||
Files to build an AIX native (installp or SMIT installable) package.
|
||||
|
||||
caldera:
|
||||
RPM spec file and scripts for building Caldera OpenLinuix packages
|
||||
|
||||
cygwin:
|
||||
Support files for Cygwin
|
||||
|
||||
hpux:
|
||||
Support files for HP-UX
|
||||
|
||||
redhat:
|
||||
RPM spec file and scripts for building Redhat packages
|
||||
|
||||
suse:
|
||||
RPM spec file and scripts for building SuSE packages
|
||||
|
50
crypto/openssh/contrib/aix/README
Normal file
50
crypto/openssh/contrib/aix/README
Normal file
@ -0,0 +1,50 @@
|
||||
Overview:
|
||||
|
||||
This directory contains files to build an AIX native (installp or SMIT
|
||||
installable) openssh package.
|
||||
|
||||
|
||||
Directions:
|
||||
|
||||
(optional) create config.local in your build dir
|
||||
./configure [options]
|
||||
contrib/aix/buildbff.sh
|
||||
|
||||
The file config.local or the environment is read to set the following options
|
||||
(default first):
|
||||
PERMIT_ROOT_LOGIN=[no|yes]
|
||||
X11_FORWARDING=[no|yes]
|
||||
AIX_SRC=[no|yes]
|
||||
|
||||
Acknowledgements:
|
||||
|
||||
The contents of this directory are based on Ben Lindstrom's Solaris
|
||||
buildpkg.sh. Ben also supplied inventory.sh.
|
||||
|
||||
Jim Abbey's (GPL'ed) lppbuild-2.1 was used to learn how to build .bff's
|
||||
and for comparison with the output from this script, however no code
|
||||
from lppbuild is included and it is not required for operation.
|
||||
|
||||
SRC support based on examples provided by Sandor Sklar and Maarten Kreuger.
|
||||
PrivSep account handling fixes contributed by W. Earl Allen.
|
||||
|
||||
|
||||
Other notes:
|
||||
|
||||
The script treats all packages as USR packages (not ROOT+USR when
|
||||
appropriate). It seems to work, though......
|
||||
|
||||
If there are any patches to this that have not yet been integrated they
|
||||
may be found at http://www.zip.com.au/~dtucker/openssh/.
|
||||
|
||||
|
||||
Disclaimer:
|
||||
|
||||
It is hoped that it is useful but there is no warranty. If it breaks
|
||||
you get to keep both pieces.
|
||||
|
||||
|
||||
- Darren Tucker (dtucker at zip dot com dot au)
|
||||
2002/03/01
|
||||
|
||||
$Id: README,v 1.4 2003/08/25 05:01:04 dtucker Exp $
|
381
crypto/openssh/contrib/aix/buildbff.sh
Executable file
381
crypto/openssh/contrib/aix/buildbff.sh
Executable file
@ -0,0 +1,381 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# buildbff.sh: Create AIX SMIT-installable OpenSSH packages
|
||||
# $Id: buildbff.sh,v 1.13 2011/05/05 03:48:41 djm Exp $
|
||||
#
|
||||
# Author: Darren Tucker (dtucker at zip dot com dot au)
|
||||
# This file is placed in the public domain and comes with absolutely
|
||||
# no warranty.
|
||||
#
|
||||
# Based originally on Ben Lindstrom's buildpkg.sh for Solaris
|
||||
#
|
||||
|
||||
#
|
||||
# Tunable configuration settings
|
||||
# create a "config.local" in your build directory or set
|
||||
# environment variables to override these.
|
||||
#
|
||||
[ -z "$PERMIT_ROOT_LOGIN" ] && PERMIT_ROOT_LOGIN=no
|
||||
[ -z "$X11_FORWARDING" ] && X11_FORWARDING=no
|
||||
[ -z "$AIX_SRC" ] && AIX_SRC=no
|
||||
|
||||
umask 022
|
||||
|
||||
startdir=`pwd`
|
||||
|
||||
perl -v >/dev/null || (echo perl required; exit 1)
|
||||
|
||||
# Path to inventory.sh: same place as buildbff.sh
|
||||
if echo $0 | egrep '^/'
|
||||
then
|
||||
inventory=`dirname $0`/inventory.sh # absolute path
|
||||
else
|
||||
inventory=`pwd`/`dirname $0`/inventory.sh # relative path
|
||||
fi
|
||||
|
||||
#
|
||||
# We still support running from contrib/aix, but this is deprecated
|
||||
#
|
||||
if pwd | egrep 'contrib/aix$'
|
||||
then
|
||||
echo "Changing directory to `pwd`/../.."
|
||||
echo "Please run buildbff.sh from your build directory in future."
|
||||
cd ../..
|
||||
contribaix=1
|
||||
fi
|
||||
|
||||
if [ ! -f Makefile ]
|
||||
then
|
||||
echo "Makefile not found (did you run configure?)"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
#
|
||||
# Directories used during build:
|
||||
# current dir = $objdir directory you ran ./configure in.
|
||||
# $objdir/$PKGDIR/ directory package files are constructed in
|
||||
# $objdir/$PKGDIR/root/ package root ($FAKE_ROOT)
|
||||
#
|
||||
objdir=`pwd`
|
||||
PKGNAME=openssh
|
||||
PKGDIR=package
|
||||
|
||||
#
|
||||
# Collect local configuration settings to override defaults
|
||||
#
|
||||
if [ -s ./config.local ]
|
||||
then
|
||||
echo Reading local settings from config.local
|
||||
. ./config.local
|
||||
fi
|
||||
|
||||
#
|
||||
# Fill in some details from Makefile, like prefix and sysconfdir
|
||||
# the eval also expands variables like sysconfdir=${prefix}/etc
|
||||
# provided they are eval'ed in the correct order
|
||||
#
|
||||
for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir mansubdir sysconfdir piddir srcdir
|
||||
do
|
||||
eval $confvar=`grep "^$confvar=" $objdir/Makefile | cut -d = -f 2`
|
||||
done
|
||||
|
||||
#
|
||||
# Collect values of privsep user and privsep path
|
||||
# currently only found in config.h
|
||||
#
|
||||
for confvar in SSH_PRIVSEP_USER PRIVSEP_PATH
|
||||
do
|
||||
eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' $objdir/config.h`
|
||||
done
|
||||
|
||||
# Set privsep defaults if not defined
|
||||
if [ -z "$SSH_PRIVSEP_USER" ]
|
||||
then
|
||||
SSH_PRIVSEP_USER=sshd
|
||||
fi
|
||||
if [ -z "$PRIVSEP_PATH" ]
|
||||
then
|
||||
PRIVSEP_PATH=/var/empty
|
||||
fi
|
||||
|
||||
# Clean package build directory
|
||||
rm -rf $objdir/$PKGDIR
|
||||
FAKE_ROOT=$objdir/$PKGDIR/root
|
||||
mkdir -p $FAKE_ROOT
|
||||
|
||||
# Start by faking root install
|
||||
echo "Faking root install..."
|
||||
cd $objdir
|
||||
make install-nokeys DESTDIR=$FAKE_ROOT
|
||||
|
||||
if [ $? -gt 0 ]
|
||||
then
|
||||
echo "Fake root install failed, stopping."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
#
|
||||
# Copy informational files to include in package
|
||||
#
|
||||
cp $srcdir/LICENCE $objdir/$PKGDIR/
|
||||
cp $srcdir/README* $objdir/$PKGDIR/
|
||||
|
||||
#
|
||||
# Extract common info requires for the 'info' part of the package.
|
||||
# AIX requires 4-part version numbers
|
||||
#
|
||||
VERSION=`./ssh -V 2>&1 | cut -f 1 -d , | cut -f 2 -d _`
|
||||
MAJOR=`echo $VERSION | cut -f 1 -d p | cut -f 1 -d .`
|
||||
MINOR=`echo $VERSION | cut -f 1 -d p | cut -f 2 -d .`
|
||||
PATCH=`echo $VERSION | cut -f 1 -d p | cut -f 3 -d .`
|
||||
PORTABLE=`echo $VERSION | awk 'BEGIN{FS="p"}{print $2}'`
|
||||
[ "$PATCH" = "" ] && PATCH=0
|
||||
[ "$PORTABLE" = "" ] && PORTABLE=0
|
||||
BFFVERSION=`printf "%d.%d.%d.%d" $MAJOR $MINOR $PATCH $PORTABLE`
|
||||
|
||||
echo "Building BFF for $PKGNAME $VERSION (package version $BFFVERSION)"
|
||||
|
||||
#
|
||||
# Set ssh and sshd parameters as per config.local
|
||||
#
|
||||
if [ "${PERMIT_ROOT_LOGIN}" = no ]
|
||||
then
|
||||
perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
|
||||
$FAKE_ROOT/${sysconfdir}/sshd_config
|
||||
fi
|
||||
if [ "${X11_FORWARDING}" = yes ]
|
||||
then
|
||||
perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
|
||||
$FAKE_ROOT/${sysconfdir}/sshd_config
|
||||
fi
|
||||
|
||||
|
||||
# Rename config files; postinstall script will copy them if necessary
|
||||
for cfgfile in ssh_config sshd_config
|
||||
do
|
||||
mv $FAKE_ROOT/$sysconfdir/$cfgfile $FAKE_ROOT/$sysconfdir/$cfgfile.default
|
||||
done
|
||||
|
||||
#
|
||||
# Generate lpp control files.
|
||||
# working dir is $FAKE_ROOT but files are generated in dir above
|
||||
# and moved into place just before creation of .bff
|
||||
#
|
||||
cd $FAKE_ROOT
|
||||
echo Generating LPP control files
|
||||
find . ! -name . -print >../openssh.al
|
||||
$inventory >../openssh.inventory
|
||||
|
||||
cat <<EOD >../openssh.copyright
|
||||
This software is distributed under a BSD-style license.
|
||||
For the full text of the license, see /usr/lpp/openssh/LICENCE
|
||||
EOD
|
||||
|
||||
#
|
||||
# openssh.size file allows filesystem expansion as required
|
||||
# generate list of directories containing files
|
||||
# then calculate disk usage for each directory and store in openssh.size
|
||||
#
|
||||
files=`find . -type f -print`
|
||||
dirs=`for file in $files; do dirname $file; done | sort -u`
|
||||
for dir in $dirs
|
||||
do
|
||||
du $dir
|
||||
done > ../openssh.size
|
||||
|
||||
#
|
||||
# Create postinstall script
|
||||
#
|
||||
cat <<EOF >>../openssh.post_i
|
||||
#!/bin/sh
|
||||
|
||||
echo Creating configs from defaults if necessary.
|
||||
for cfgfile in ssh_config sshd_config
|
||||
do
|
||||
if [ ! -f $sysconfdir/\$cfgfile ]
|
||||
then
|
||||
echo "Creating \$cfgfile from default"
|
||||
cp $sysconfdir/\$cfgfile.default $sysconfdir/\$cfgfile
|
||||
else
|
||||
echo "\$cfgfile already exists."
|
||||
fi
|
||||
done
|
||||
echo
|
||||
|
||||
# Create PrivilegeSeparation user and group if not present
|
||||
echo Checking for PrivilegeSeparation user and group.
|
||||
if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
|
||||
then
|
||||
echo "PrivSep group $SSH_PRIVSEP_USER already exists."
|
||||
else
|
||||
echo "Creating PrivSep group $SSH_PRIVSEP_USER."
|
||||
mkgroup -A $SSH_PRIVSEP_USER
|
||||
fi
|
||||
|
||||
# Create user if required
|
||||
if lsuser "$SSH_PRIVSEP_USER" >/dev/null
|
||||
then
|
||||
echo "PrivSep user $SSH_PRIVSEP_USER already exists."
|
||||
else
|
||||
echo "Creating PrivSep user $SSH_PRIVSEP_USER."
|
||||
mkuser gecos='SSHD PrivSep User' login=false rlogin=false account_locked=true pgrp=$SSH_PRIVSEP_USER $SSH_PRIVSEP_USER
|
||||
fi
|
||||
|
||||
if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null
|
||||
then
|
||||
echo UsePrivilegeSeparation not enabled, privsep directory not required.
|
||||
else
|
||||
# create chroot directory if required
|
||||
if [ -d $PRIVSEP_PATH ]
|
||||
then
|
||||
echo "PrivSep chroot directory $PRIVSEP_PATH already exists."
|
||||
else
|
||||
echo "Creating PrivSep chroot directory $PRIVSEP_PATH."
|
||||
mkdir $PRIVSEP_PATH
|
||||
chown 0 $PRIVSEP_PATH
|
||||
chgrp 0 $PRIVSEP_PATH
|
||||
chmod 755 $PRIVSEP_PATH
|
||||
fi
|
||||
fi
|
||||
echo
|
||||
|
||||
# Generate keys unless they already exist
|
||||
echo Creating host keys if required.
|
||||
if [ -f "$sysconfdir/ssh_host_key" ] ; then
|
||||
echo "$sysconfdir/ssh_host_key already exists, skipping."
|
||||
else
|
||||
$bindir/ssh-keygen -t rsa1 -f $sysconfdir/ssh_host_key -N ""
|
||||
fi
|
||||
if [ -f $sysconfdir/ssh_host_dsa_key ] ; then
|
||||
echo "$sysconfdir/ssh_host_dsa_key already exists, skipping."
|
||||
else
|
||||
$bindir/ssh-keygen -t dsa -f $sysconfdir/ssh_host_dsa_key -N ""
|
||||
fi
|
||||
if [ -f $sysconfdir/ssh_host_rsa_key ] ; then
|
||||
echo "$sysconfdir/ssh_host_rsa_key already exists, skipping."
|
||||
else
|
||||
$bindir/ssh-keygen -t rsa -f $sysconfdir/ssh_host_rsa_key -N ""
|
||||
fi
|
||||
echo
|
||||
|
||||
# Set startup command depending on SRC support
|
||||
if [ "$AIX_SRC" = "yes" ]
|
||||
then
|
||||
echo Creating SRC sshd subsystem.
|
||||
rmssys -s sshd 2>&1 >/dev/null
|
||||
mkssys -s sshd -p "$sbindir/sshd" -a '-D' -u 0 -S -n 15 -f 9 -R -G tcpip
|
||||
startupcmd="start $sbindir/sshd \\\"\\\$src_running\\\""
|
||||
oldstartcmd="$sbindir/sshd"
|
||||
else
|
||||
startupcmd="$sbindir/sshd"
|
||||
oldstartcmd="start $sbindir/sshd \\\"$src_running\\\""
|
||||
fi
|
||||
|
||||
# If migrating to or from SRC, change previous startup command
|
||||
# otherwise add to rc.tcpip
|
||||
if egrep "^\$oldstartcmd" /etc/rc.tcpip >/dev/null
|
||||
then
|
||||
if sed "s|^\$oldstartcmd|\$startupcmd|g" /etc/rc.tcpip >/etc/rc.tcpip.new
|
||||
then
|
||||
chmod 0755 /etc/rc.tcpip.new
|
||||
mv /etc/rc.tcpip /etc/rc.tcpip.old && \
|
||||
mv /etc/rc.tcpip.new /etc/rc.tcpip
|
||||
else
|
||||
echo "Updating /etc/rc.tcpip failed, please check."
|
||||
fi
|
||||
else
|
||||
# Add to system startup if required
|
||||
if grep "^\$startupcmd" /etc/rc.tcpip >/dev/null
|
||||
then
|
||||
echo "sshd found in rc.tcpip, not adding."
|
||||
else
|
||||
echo "Adding sshd to rc.tcpip"
|
||||
echo >>/etc/rc.tcpip
|
||||
echo "# Start sshd" >>/etc/rc.tcpip
|
||||
echo "\$startupcmd" >>/etc/rc.tcpip
|
||||
fi
|
||||
fi
|
||||
EOF
|
||||
|
||||
#
|
||||
# Create liblpp.a and move control files into it
|
||||
#
|
||||
echo Creating liblpp.a
|
||||
(
|
||||
cd ..
|
||||
for i in openssh.al openssh.copyright openssh.inventory openssh.post_i openssh.size LICENCE README*
|
||||
do
|
||||
ar -r liblpp.a $i
|
||||
rm $i
|
||||
done
|
||||
)
|
||||
|
||||
#
|
||||
# Create lpp_name
|
||||
#
|
||||
# This will end up looking something like:
|
||||
# 4 R I OpenSSH {
|
||||
# OpenSSH 3.0.2.1 1 N U en_US OpenSSH 3.0.2p1 Portable for AIX
|
||||
# [
|
||||
# %
|
||||
# /usr/local/bin 8073
|
||||
# /usr/local/etc 189
|
||||
# /usr/local/libexec 185
|
||||
# /usr/local/man/man1 145
|
||||
# /usr/local/man/man8 83
|
||||
# /usr/local/sbin 2105
|
||||
# /usr/local/share 3
|
||||
# %
|
||||
# ]
|
||||
# }
|
||||
|
||||
echo Creating lpp_name
|
||||
cat <<EOF >../lpp_name
|
||||
4 R I $PKGNAME {
|
||||
$PKGNAME $BFFVERSION 1 N U en_US OpenSSH $VERSION Portable for AIX
|
||||
[
|
||||
%
|
||||
EOF
|
||||
|
||||
for i in $bindir $sysconfdir $libexecdir $mandir/${mansubdir}1 $mandir/${mansubdir}8 $sbindir $datadir /usr/lpp/openssh
|
||||
do
|
||||
# get size in 512 byte blocks
|
||||
if [ -d $FAKE_ROOT/$i ]
|
||||
then
|
||||
size=`du $FAKE_ROOT/$i | awk '{print $1}'`
|
||||
echo "$i $size" >>../lpp_name
|
||||
fi
|
||||
done
|
||||
|
||||
echo '%' >>../lpp_name
|
||||
echo ']' >>../lpp_name
|
||||
echo '}' >>../lpp_name
|
||||
|
||||
#
|
||||
# Move pieces into place
|
||||
#
|
||||
mkdir -p usr/lpp/openssh
|
||||
mv ../liblpp.a usr/lpp/openssh
|
||||
mv ../lpp_name .
|
||||
|
||||
#
|
||||
# Now invoke backup to create .bff file
|
||||
# note: lpp_name needs to be the first file so we generate the
|
||||
# file list on the fly and feed it to backup using -i
|
||||
#
|
||||
echo Creating $PKGNAME-$VERSION.bff with backup...
|
||||
rm -f $PKGNAME-$VERSION.bff
|
||||
(
|
||||
echo "./lpp_name"
|
||||
find . ! -name lpp_name -a ! -name . -print
|
||||
) | backup -i -q -f ../$PKGNAME-$VERSION.bff $filelist
|
||||
|
||||
#
|
||||
# Move package into final location and clean up
|
||||
#
|
||||
mv ../$PKGNAME-$VERSION.bff $startdir
|
||||
cd $startdir
|
||||
rm -rf $objdir/$PKGDIR
|
||||
|
||||
echo $0: done.
|
||||
|
63
crypto/openssh/contrib/aix/inventory.sh
Executable file
63
crypto/openssh/contrib/aix/inventory.sh
Executable file
@ -0,0 +1,63 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# inventory.sh
|
||||
# $Id: inventory.sh,v 1.6 2003/11/21 12:48:56 djm Exp $
|
||||
#
|
||||
# Originally written by Ben Lindstrom, modified by Darren Tucker to use perl
|
||||
# This file is placed into the public domain.
|
||||
#
|
||||
# This will produce an AIX package inventory file, which looks like:
|
||||
#
|
||||
# /usr/local/bin:
|
||||
# class=apply,inventory,openssh
|
||||
# owner=root
|
||||
# group=system
|
||||
# mode=755
|
||||
# type=DIRECTORY
|
||||
# /usr/local/bin/slogin:
|
||||
# class=apply,inventory,openssh
|
||||
# owner=root
|
||||
# group=system
|
||||
# mode=777
|
||||
# type=SYMLINK
|
||||
# target=ssh
|
||||
# /usr/local/share/Ssh.bin:
|
||||
# class=apply,inventory,openssh
|
||||
# owner=root
|
||||
# group=system
|
||||
# mode=644
|
||||
# type=FILE
|
||||
# size=VOLATILE
|
||||
# checksum=VOLATILE
|
||||
|
||||
find . ! -name . -print | perl -ne '{
|
||||
chomp;
|
||||
if ( -l $_ ) {
|
||||
($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=lstat;
|
||||
} else {
|
||||
($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=stat;
|
||||
}
|
||||
|
||||
# Start to display inventory information
|
||||
$name = $_;
|
||||
$name =~ s|^.||; # Strip leading dot from path
|
||||
print "$name:\n";
|
||||
print "\tclass=apply,inventory,openssh\n";
|
||||
print "\towner=root\n";
|
||||
print "\tgroup=system\n";
|
||||
printf "\tmode=%lo\n", $mod & 07777; # Mask perm bits
|
||||
|
||||
if ( -l $_ ) {
|
||||
# Entry is SymLink
|
||||
print "\ttype=SYMLINK\n";
|
||||
printf "\ttarget=%s\n", readlink($_);
|
||||
} elsif ( -f $_ ) {
|
||||
# Entry is File
|
||||
print "\ttype=FILE\n";
|
||||
print "\tsize=$sz\n";
|
||||
print "\tchecksum=VOLATILE\n";
|
||||
} elsif ( -d $_ ) {
|
||||
# Entry is Directory
|
||||
print "\ttype=DIRECTORY\n";
|
||||
}
|
||||
}'
|
20
crypto/openssh/contrib/aix/pam.conf
Normal file
20
crypto/openssh/contrib/aix/pam.conf
Normal file
@ -0,0 +1,20 @@
|
||||
#
|
||||
# PAM configuration file /etc/pam.conf
|
||||
# Example for OpenSSH on AIX 5.2
|
||||
#
|
||||
|
||||
# Authentication Management
|
||||
sshd auth required /usr/lib/security/pam_aix
|
||||
OTHER auth required /usr/lib/security/pam_aix
|
||||
|
||||
# Account Management
|
||||
sshd account required /usr/lib/security/pam_aix
|
||||
OTHER account required /usr/lib/security/pam_aix
|
||||
|
||||
# Password Management
|
||||
sshd password required /usr/lib/security/pam_aix
|
||||
OTHER password required /usr/lib/security/pam_aix
|
||||
|
||||
# Session Management
|
||||
sshd session required /usr/lib/security/pam_aix
|
||||
OTHER session required /usr/lib/security/pam_aix
|
366
crypto/openssh/contrib/caldera/openssh.spec
Normal file
366
crypto/openssh/contrib/caldera/openssh.spec
Normal file
@ -0,0 +1,366 @@
|
||||
|
||||
# Some of this will need re-evaluation post-LSB. The SVIdir is there
|
||||
# because the link appeared broken. The rest is for easy compilation,
|
||||
# the tradeoff open to discussion. (LC957)
|
||||
|
||||
%define SVIdir /etc/rc.d/init.d
|
||||
%{!?_defaultdocdir:%define _defaultdocdir %{_prefix}/share/doc/packages}
|
||||
%{!?SVIcdir:%define SVIcdir /etc/sysconfig/daemons}
|
||||
|
||||
%define _mandir %{_prefix}/share/man/en
|
||||
%define _sysconfdir /etc/ssh
|
||||
%define _libexecdir %{_libdir}/ssh
|
||||
|
||||
# Do we want to disable root_login? (1=yes 0=no)
|
||||
%define no_root_login 0
|
||||
|
||||
#old cvs stuff. please update before use. may be deprecated.
|
||||
%define use_stable 1
|
||||
%define version 6.3p1
|
||||
%if %{use_stable}
|
||||
%define cvs %{nil}
|
||||
%define release 1
|
||||
%else
|
||||
%define cvs cvs20050315
|
||||
%define release 0r1
|
||||
%endif
|
||||
%define xsa x11-ssh-askpass
|
||||
%define askpass %{xsa}-1.2.4.1
|
||||
|
||||
# OpenSSH privilege separation requires a user & group ID
|
||||
%define sshd_uid 67
|
||||
%define sshd_gid 67
|
||||
|
||||
Name : openssh
|
||||
Version : %{version}%{cvs}
|
||||
Release : %{release}
|
||||
Group : System/Network
|
||||
|
||||
Summary : OpenSSH free Secure Shell (SSH) implementation.
|
||||
Summary(de) : OpenSSH - freie Implementation der Secure Shell (SSH).
|
||||
Summary(es) : OpenSSH implementación libre de Secure Shell (SSH).
|
||||
Summary(fr) : Implémentation libre du shell sécurisé OpenSSH (SSH).
|
||||
Summary(it) : Implementazione gratuita OpenSSH della Secure Shell.
|
||||
Summary(pt) : Implementação livre OpenSSH do protocolo 'Secure Shell' (SSH).
|
||||
Summary(pt_BR) : Implementação livre OpenSSH do protocolo Secure Shell (SSH).
|
||||
|
||||
Copyright : BSD
|
||||
Packager : Raymund Will <ray@caldera.de>
|
||||
URL : http://www.openssh.com/
|
||||
|
||||
Obsoletes : ssh, ssh-clients, openssh-clients
|
||||
|
||||
BuildRoot : /tmp/%{name}-%{version}
|
||||
BuildRequires : XFree86-imake
|
||||
|
||||
# %{use_stable}==1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
|
||||
# %{use_stable}==0: :pserver:cvs@bass.directhit.com:/cvs/openssh_cvs
|
||||
Source0: see-above:/.../openssh-%{version}.tar.gz
|
||||
%if %{use_stable}
|
||||
Source1: see-above:/.../openssh-%{version}.tar.gz.asc
|
||||
%endif
|
||||
Source2: http://www.jmknoble.net/software/%{xsa}/%{askpass}.tar.gz
|
||||
Source3: http://www.openssh.com/faq.html
|
||||
|
||||
%Package server
|
||||
Group : System/Network
|
||||
Requires : openssh = %{version}
|
||||
Obsoletes : ssh-server
|
||||
|
||||
Summary : OpenSSH Secure Shell protocol server (sshd).
|
||||
Summary(de) : OpenSSH Secure Shell Protocol-Server (sshd).
|
||||
Summary(es) : Servidor del protocolo OpenSSH Secure Shell (sshd).
|
||||
Summary(fr) : Serveur de protocole du shell sécurisé OpenSSH (sshd).
|
||||
Summary(it) : Server OpenSSH per il protocollo Secure Shell (sshd).
|
||||
Summary(pt) : Servidor do protocolo 'Secure Shell' OpenSSH (sshd).
|
||||
Summary(pt_BR) : Servidor do protocolo Secure Shell OpenSSH (sshd).
|
||||
|
||||
|
||||
%Package askpass
|
||||
Group : System/Network
|
||||
Requires : openssh = %{version}
|
||||
URL : http://www.jmknoble.net/software/x11-ssh-askpass/
|
||||
Obsoletes : ssh-extras
|
||||
|
||||
Summary : OpenSSH X11 pass-phrase dialog.
|
||||
Summary(de) : OpenSSH X11 Passwort-Dialog.
|
||||
Summary(es) : Aplicación de petición de frase clave OpenSSH X11.
|
||||
Summary(fr) : Dialogue pass-phrase X11 d'OpenSSH.
|
||||
Summary(it) : Finestra di dialogo X11 per la frase segreta di OpenSSH.
|
||||
Summary(pt) : Diálogo de pedido de senha para X11 do OpenSSH.
|
||||
Summary(pt_BR) : Diálogo de pedido de senha para X11 do OpenSSH.
|
||||
|
||||
|
||||
%Description
|
||||
OpenSSH (Secure Shell) provides access to a remote system. It replaces
|
||||
telnet, rlogin, rexec, and rsh, and provides secure encrypted
|
||||
communications between two untrusted hosts over an insecure network.
|
||||
X11 connections and arbitrary TCP/IP ports can also be forwarded over
|
||||
the secure channel.
|
||||
|
||||
%Description -l de
|
||||
OpenSSH (Secure Shell) stellt den Zugang zu anderen Rechnern her. Es ersetzt
|
||||
telnet, rlogin, rexec und rsh und stellt eine sichere, verschlüsselte
|
||||
Verbindung zwischen zwei nicht vertrauenswürdigen Hosts über eine unsicheres
|
||||
Netzwerk her. X11 Verbindungen und beliebige andere TCP/IP Ports können ebenso
|
||||
über den sicheren Channel weitergeleitet werden.
|
||||
|
||||
%Description -l es
|
||||
OpenSSH (Secure Shell) proporciona acceso a sistemas remotos. Reemplaza a
|
||||
telnet, rlogin, rexec, y rsh, y proporciona comunicaciones seguras encriptadas
|
||||
entre dos equipos entre los que no se ha establecido confianza a través de una
|
||||
red insegura. Las conexiones X11 y puertos TCP/IP arbitrarios también pueden
|
||||
ser canalizadas sobre el canal seguro.
|
||||
|
||||
%Description -l fr
|
||||
OpenSSH (Secure Shell) fournit un accès à un système distant. Il remplace
|
||||
telnet, rlogin, rexec et rsh, tout en assurant des communications cryptées
|
||||
securisées entre deux hôtes non fiabilisés sur un réseau non sécurisé. Des
|
||||
connexions X11 et des ports TCP/IP arbitraires peuvent également être
|
||||
transmis sur le canal sécurisé.
|
||||
|
||||
%Description -l it
|
||||
OpenSSH (Secure Shell) fornisce l'accesso ad un sistema remoto.
|
||||
Sostituisce telnet, rlogin, rexec, e rsh, e fornisce comunicazioni sicure
|
||||
e crittate tra due host non fidati su una rete non sicura. Le connessioni
|
||||
X11 ad una porta TCP/IP arbitraria possono essere inoltrate attraverso
|
||||
un canale sicuro.
|
||||
|
||||
%Description -l pt
|
||||
OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o
|
||||
telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e cifradas
|
||||
entre duas máquinas sem confiança mútua sobre uma rede insegura.
|
||||
Ligações X11 e portos TCP/IP arbitrários também poder ser reenviados
|
||||
pelo canal seguro.
|
||||
|
||||
%Description -l pt_BR
|
||||
O OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o
|
||||
telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e criptografadas
|
||||
entre duas máquinas sem confiança mútua sobre uma rede insegura.
|
||||
Ligações X11 e portas TCP/IP arbitrárias também podem ser reenviadas
|
||||
pelo canal seguro.
|
||||
|
||||
%Description server
|
||||
This package installs the sshd, the server portion of OpenSSH.
|
||||
|
||||
%Description -l de server
|
||||
Dieses Paket installiert den sshd, den Server-Teil der OpenSSH.
|
||||
|
||||
%Description -l es server
|
||||
Este paquete instala sshd, la parte servidor de OpenSSH.
|
||||
|
||||
%Description -l fr server
|
||||
Ce paquetage installe le 'sshd', partie serveur de OpenSSH.
|
||||
|
||||
%Description -l it server
|
||||
Questo pacchetto installa sshd, il server di OpenSSH.
|
||||
|
||||
%Description -l pt server
|
||||
Este pacote intala o sshd, o servidor do OpenSSH.
|
||||
|
||||
%Description -l pt_BR server
|
||||
Este pacote intala o sshd, o servidor do OpenSSH.
|
||||
|
||||
%Description askpass
|
||||
This package contains an X11-based pass-phrase dialog used per
|
||||
default by ssh-add(1). It is based on %{askpass}
|
||||
by Jim Knoble <jmknoble@pobox.com>.
|
||||
|
||||
|
||||
%Prep
|
||||
%setup %([ -z "%{cvs}" ] || echo "-n %{name}_cvs") -a2
|
||||
%if ! %{use_stable}
|
||||
autoreconf
|
||||
%endif
|
||||
|
||||
|
||||
%Build
|
||||
CFLAGS="$RPM_OPT_FLAGS" \
|
||||
%configure \
|
||||
--with-pam \
|
||||
--with-tcp-wrappers \
|
||||
--with-privsep-path=%{_var}/empty/sshd \
|
||||
#leave this line for easy edits.
|
||||
|
||||
%__make
|
||||
|
||||
cd %{askpass}
|
||||
%configure \
|
||||
#leave this line for easy edits.
|
||||
|
||||
xmkmf
|
||||
%__make includes
|
||||
%__make
|
||||
|
||||
|
||||
%Install
|
||||
[ %{buildroot} != "/" ] && rm -rf %{buildroot}
|
||||
|
||||
make install DESTDIR=%{buildroot}
|
||||
%makeinstall -C %{askpass} \
|
||||
BINDIR=%{_libexecdir} \
|
||||
MANPATH=%{_mandir} \
|
||||
DESTDIR=%{buildroot}
|
||||
|
||||
# OpenLinux specific configuration
|
||||
mkdir -p %{buildroot}{/etc/pam.d,%{SVIcdir},%{SVIdir}}
|
||||
mkdir -p %{buildroot}%{_var}/empty/sshd
|
||||
|
||||
# enabling X11 forwarding on the server is convenient and okay,
|
||||
# on the client side it's a potential security risk!
|
||||
%__perl -pi -e 's:#X11Forwarding no:X11Forwarding yes:g' \
|
||||
%{buildroot}%{_sysconfdir}/sshd_config
|
||||
|
||||
%if %{no_root_login}
|
||||
%__perl -pi -e 's:#PermitRootLogin yes:PermitRootLogin no:g' \
|
||||
%{buildroot}%{_sysconfdir}/sshd_config
|
||||
%endif
|
||||
|
||||
install -m644 contrib/caldera/sshd.pam %{buildroot}/etc/pam.d/sshd
|
||||
# FIXME: disabled, find out why this doesn't work with nis
|
||||
%__perl -pi -e 's:(.*pam_limits.*):#$1:' \
|
||||
%{buildroot}/etc/pam.d/sshd
|
||||
|
||||
install -m 0755 contrib/caldera/sshd.init %{buildroot}%{SVIdir}/sshd
|
||||
|
||||
# the last one is needless, but more future-proof
|
||||
find %{buildroot}%{SVIdir} -type f -exec \
|
||||
%__perl -pi -e 's:\@SVIdir\@:%{SVIdir}:g;\
|
||||
s:\@sysconfdir\@:%{_sysconfdir}:g; \
|
||||
s:/usr/sbin:%{_sbindir}:g'\
|
||||
\{\} \;
|
||||
|
||||
cat <<-EoD > %{buildroot}%{SVIcdir}/sshd
|
||||
IDENT=sshd
|
||||
DESCRIPTIVE="OpenSSH secure shell daemon"
|
||||
# This service will be marked as 'skipped' on boot if there
|
||||
# is no host key. Use ssh-host-keygen to generate one
|
||||
ONBOOT="yes"
|
||||
OPTIONS=""
|
||||
EoD
|
||||
|
||||
SKG=%{buildroot}%{_sbindir}/ssh-host-keygen
|
||||
install -m 0755 contrib/caldera/ssh-host-keygen $SKG
|
||||
# Fix up some path names in the keygen toy^Hol
|
||||
%__perl -pi -e 's:\@sysconfdir\@:%{_sysconfdir}:g; \
|
||||
s:\@sshkeygen\@:%{_bindir}/ssh-keygen:g' \
|
||||
%{buildroot}%{_sbindir}/ssh-host-keygen
|
||||
|
||||
# This looks terrible. Expect it to change.
|
||||
# install remaining docs
|
||||
DocD="%{buildroot}%{_defaultdocdir}/%{name}-%{version}"
|
||||
mkdir -p $DocD/%{askpass}
|
||||
cp -a CREDITS ChangeLog LICENCE OVERVIEW README* TODO PROTOCOL* $DocD
|
||||
install -p -m 0444 %{SOURCE3} $DocD/faq.html
|
||||
cp -a %{askpass}/{README,ChangeLog,TODO,SshAskpass*.ad} $DocD/%{askpass}
|
||||
%if %{use_stable}
|
||||
cp -p %{askpass}/%{xsa}.man $DocD/%{askpass}/%{xsa}.1
|
||||
%else
|
||||
cp -p %{askpass}/%{xsa}.man %{buildroot}%{_mandir}man1/%{xsa}.1
|
||||
ln -s %{xsa}.1 %{buildroot}%{_mandir}man1/ssh-askpass.1
|
||||
%endif
|
||||
|
||||
find %{buildroot}%{_mandir} -type f -not -name '*.gz' -print0 | xargs -0r %__gzip -9nf
|
||||
rm %{buildroot}%{_mandir}/man1/slogin.1 && \
|
||||
ln -s %{_mandir}/man1/ssh.1.gz \
|
||||
%{buildroot}%{_mandir}/man1/slogin.1.gz
|
||||
|
||||
|
||||
%Clean
|
||||
#%{rmDESTDIR}
|
||||
[ %{buildroot} != "/" ] && rm -rf %{buildroot}
|
||||
|
||||
%Post
|
||||
# Generate host key when none is present to get up and running,
|
||||
# both client and server require this for host-based auth!
|
||||
# ssh-host-keygen checks for existing keys.
|
||||
/usr/sbin/ssh-host-keygen
|
||||
: # to protect the rpm database
|
||||
|
||||
%pre server
|
||||
%{_sbindir}/groupadd -g %{sshd_gid} sshd 2>/dev/null || :
|
||||
%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
|
||||
-c "SSH Daemon virtual user" -g sshd sshd 2>/dev/null || :
|
||||
: # to protect the rpm database
|
||||
|
||||
%Post server
|
||||
if [ -x %{LSBinit}-install ]; then
|
||||
%{LSBinit}-install sshd
|
||||
else
|
||||
lisa --SysV-init install sshd S55 2:3:4:5 K45 0:1:6
|
||||
fi
|
||||
|
||||
! %{SVIdir}/sshd status || %{SVIdir}/sshd restart
|
||||
: # to protect the rpm database
|
||||
|
||||
|
||||
%PreUn server
|
||||
[ "$1" = 0 ] || exit 0
|
||||
! %{SVIdir}/sshd status || %{SVIdir}/sshd stop
|
||||
if [ -x %{LSBinit}-remove ]; then
|
||||
%{LSBinit}-remove sshd
|
||||
else
|
||||
lisa --SysV-init remove sshd $1
|
||||
fi
|
||||
: # to protect the rpm database
|
||||
|
||||
%Files
|
||||
%defattr(-,root,root)
|
||||
%dir %{_sysconfdir}
|
||||
%config %{_sysconfdir}/ssh_config
|
||||
%{_bindir}/scp
|
||||
%{_bindir}/sftp
|
||||
%{_bindir}/ssh
|
||||
%{_bindir}/slogin
|
||||
%{_bindir}/ssh-add
|
||||
%attr(2755,root,nobody) %{_bindir}/ssh-agent
|
||||
%{_bindir}/ssh-keygen
|
||||
%{_bindir}/ssh-keyscan
|
||||
%dir %{_libexecdir}
|
||||
%attr(4711,root,root) %{_libexecdir}/ssh-keysign
|
||||
%{_libexecdir}/ssh-pkcs11-helper
|
||||
%{_sbindir}/ssh-host-keygen
|
||||
%dir %{_defaultdocdir}/%{name}-%{version}
|
||||
%{_defaultdocdir}/%{name}-%{version}/CREDITS
|
||||
%{_defaultdocdir}/%{name}-%{version}/ChangeLog
|
||||
%{_defaultdocdir}/%{name}-%{version}/LICENCE
|
||||
%{_defaultdocdir}/%{name}-%{version}/OVERVIEW
|
||||
%{_defaultdocdir}/%{name}-%{version}/README*
|
||||
%{_defaultdocdir}/%{name}-%{version}/TODO
|
||||
%{_defaultdocdir}/%{name}-%{version}/faq.html
|
||||
%{_mandir}/man1/*
|
||||
%{_mandir}/man8/ssh-keysign.8.gz
|
||||
%{_mandir}/man8/ssh-pkcs11-helper.8.gz
|
||||
%{_mandir}/man5/ssh_config.5.gz
|
||||
|
||||
%Files server
|
||||
%defattr(-,root,root)
|
||||
%dir %{_var}/empty/sshd
|
||||
%config %{SVIdir}/sshd
|
||||
%config /etc/pam.d/sshd
|
||||
%config %{_sysconfdir}/moduli
|
||||
%config %{_sysconfdir}/sshd_config
|
||||
%config %{SVIcdir}/sshd
|
||||
%{_libexecdir}/sftp-server
|
||||
%{_sbindir}/sshd
|
||||
%{_mandir}/man5/moduli.5.gz
|
||||
%{_mandir}/man5/sshd_config.5.gz
|
||||
%{_mandir}/man8/sftp-server.8.gz
|
||||
%{_mandir}/man8/sshd.8.gz
|
||||
|
||||
%Files askpass
|
||||
%defattr(-,root,root)
|
||||
%{_libexecdir}/ssh-askpass
|
||||
%{_libexecdir}/x11-ssh-askpass
|
||||
%{_defaultdocdir}/%{name}-%{version}/%{askpass}
|
||||
|
||||
|
||||
%ChangeLog
|
||||
* Tue Jan 18 2011 Tim Rice <tim@multitalents.net>
|
||||
- Use CFLAGS from Makefile instead of RPM so build completes.
|
||||
- Signatures were changed to .asc since 4.1p1.
|
||||
|
||||
* Mon Jan 01 1998 ...
|
||||
Template Version: 1.31
|
||||
|
||||
$Id: openssh.spec,v 1.80 2013/07/25 02:34:00 djm Exp $
|
36
crypto/openssh/contrib/caldera/ssh-host-keygen
Executable file
36
crypto/openssh/contrib/caldera/ssh-host-keygen
Executable file
@ -0,0 +1,36 @@
|
||||
#! /bin/sh
|
||||
#
|
||||
# $Id: ssh-host-keygen,v 1.3 2008/11/03 09:16:01 djm Exp $
|
||||
#
|
||||
# This script is normally run only *once* for a given host
|
||||
# (in a given period of time) -- on updates/upgrades/recovery
|
||||
# the ssh_host_key* files _should_ be retained! Otherwise false
|
||||
# "man-in-the-middle-attack" alerts will frighten unsuspecting
|
||||
# clients...
|
||||
|
||||
keydir=@sysconfdir@
|
||||
keygen=@sshkeygen@
|
||||
|
||||
if [ -f $keydir/ssh_host_key -o \
|
||||
-f $keydir/ssh_host_key.pub ]; then
|
||||
echo "You already have an SSH1 RSA host key in $keydir/ssh_host_key."
|
||||
else
|
||||
echo "Generating SSH1 RSA host key."
|
||||
$keygen -t rsa1 -f $keydir/ssh_host_key -C '' -N ''
|
||||
fi
|
||||
|
||||
if [ -f $keydir/ssh_host_rsa_key -o \
|
||||
-f $keydir/ssh_host_rsa_key.pub ]; then
|
||||
echo "You already have an SSH2 RSA host key in $keydir/ssh_host_rsa_key."
|
||||
else
|
||||
echo "Generating SSH2 RSA host key."
|
||||
$keygen -t rsa -f $keydir/ssh_host_rsa_key -C '' -N ''
|
||||
fi
|
||||
|
||||
if [ -f $keydir/ssh_host_dsa_key -o \
|
||||
-f $keydir/ssh_host_dsa_key.pub ]; then
|
||||
echo "You already have an SSH2 DSA host key in $keydir/ssh_host_dsa_key."
|
||||
else
|
||||
echo "Generating SSH2 DSA host key."
|
||||
$keygen -t dsa -f $keydir/ssh_host_dsa_key -C '' -N ''
|
||||
fi
|
125
crypto/openssh/contrib/caldera/sshd.init
Executable file
125
crypto/openssh/contrib/caldera/sshd.init
Executable file
@ -0,0 +1,125 @@
|
||||
#! /bin/bash
|
||||
#
|
||||
# $Id: sshd.init,v 1.4 2003/11/21 12:48:57 djm Exp $
|
||||
#
|
||||
### BEGIN INIT INFO
|
||||
# Provides:
|
||||
# Required-Start: $network
|
||||
# Required-Stop:
|
||||
# Default-Start: 3 4 5
|
||||
# Default-Stop: 0 1 2 6
|
||||
# Description: sshd
|
||||
# Bring up/down the OpenSSH secure shell daemon.
|
||||
### END INIT INFO
|
||||
#
|
||||
# Written by Miquel van Smoorenburg <miquels@drinkel.ow.org>.
|
||||
# Modified for Debian GNU/Linux by Ian Murdock <imurdock@gnu.ai.mit.edu>.
|
||||
# Modified for OpenLinux by Raymund Will <ray@caldera.de>
|
||||
|
||||
NAME=sshd
|
||||
DAEMON=/usr/sbin/$NAME
|
||||
# Hack-Alert(TM)! This is necessary to get around the 'reload'-problem
|
||||
# created by recent OpenSSH daemon/ssd combinations. See Caldera internal
|
||||
# PR [linux/8278] for details...
|
||||
PIDF=/var/run/$NAME.pid
|
||||
NAME=$DAEMON
|
||||
|
||||
_status() {
|
||||
[ -z "$1" ] || local pidf="$1"
|
||||
local ret=-1
|
||||
local pid
|
||||
if [ -n "$pidf" ] && [ -r "$pidf" ]; then
|
||||
pid=$(head -1 $pidf)
|
||||
else
|
||||
pid=$(pidof $NAME)
|
||||
fi
|
||||
|
||||
if [ ! -e $SVIlock ]; then
|
||||
# no lock-file => not started == stopped?
|
||||
ret=3
|
||||
elif [ -n "$pidf" -a ! -f "$pidf" ] || [ -z "$pid" ]; then
|
||||
# pid-file given but not present or no pid => died, but was not stopped
|
||||
ret=2
|
||||
elif [ -r /proc/$pid/cmdline ] &&
|
||||
echo -ne $NAME'\000' | cmp -s - /proc/$pid/cmdline; then
|
||||
# pid-file given and present or pid found => check process...
|
||||
# but don't compare exe, as this will fail after an update!
|
||||
# compares OK => all's well, that ends well...
|
||||
ret=0
|
||||
else
|
||||
# no such process or exe does not match => stale pid-file or process died
|
||||
# just recently...
|
||||
ret=1
|
||||
fi
|
||||
return $ret
|
||||
}
|
||||
|
||||
# Source function library (and set vital variables).
|
||||
. @SVIdir@/functions
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
[ ! -e $SVIlock ] || exit 0
|
||||
[ -x $DAEMON ] || exit 5
|
||||
SVIemptyConfig @sysconfdir@/sshd_config && exit 6
|
||||
|
||||
if [ ! \( -f @sysconfdir@/ssh_host_key -a \
|
||||
-f @sysconfdir@/ssh_host_key.pub \) -a \
|
||||
! \( -f @sysconfdir@/ssh_host_rsa_key -a \
|
||||
-f @sysconfdir@/ssh_host_rsa_key.pub \) -a \
|
||||
! \( -f @sysconfdir@/ssh_host_dsa_key -a \
|
||||
-f @sysconfdir@/ssh_host_dsa_key.pub \) ]; then
|
||||
|
||||
echo "$SVIsubsys: host key not initialized: skipped!"
|
||||
echo "$SVIsubsys: use ssh-host-keygen to generate one!"
|
||||
exit 6
|
||||
fi
|
||||
|
||||
echo -n "Starting $SVIsubsys services: "
|
||||
ssd -S -x $DAEMON -n $NAME -- $OPTIONS
|
||||
ret=$?
|
||||
|
||||
echo "."
|
||||
touch $SVIlock
|
||||
;;
|
||||
|
||||
stop)
|
||||
[ -e $SVIlock ] || exit 0
|
||||
|
||||
echo -n "Stopping $SVIsubsys services: "
|
||||
ssd -K -p $PIDF -n $NAME
|
||||
ret=$?
|
||||
|
||||
echo "."
|
||||
rm -f $SVIlock
|
||||
;;
|
||||
|
||||
force-reload|reload)
|
||||
[ -e $SVIlock ] || exit 0
|
||||
|
||||
echo "Reloading $SVIsubsys configuration files: "
|
||||
ssd -K --signal 1 -q -p $PIDF -n $NAME
|
||||
ret=$?
|
||||
echo "done."
|
||||
;;
|
||||
|
||||
restart)
|
||||
$0 stop
|
||||
$0 start
|
||||
ret=$?
|
||||
;;
|
||||
|
||||
status)
|
||||
_status $PIDF
|
||||
ret=$?
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "Usage: $SVIscript {[re]start|stop|[force-]reload|status}"
|
||||
ret=2
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
exit $ret
|
||||
|
8
crypto/openssh/contrib/caldera/sshd.pam
Normal file
8
crypto/openssh/contrib/caldera/sshd.pam
Normal file
@ -0,0 +1,8 @@
|
||||
#%PAM-1.0
|
||||
auth required /lib/security/pam_pwdb.so shadow nodelay
|
||||
account required /lib/security/pam_nologin.so
|
||||
account required /lib/security/pam_pwdb.so
|
||||
password required /lib/security/pam_cracklib.so
|
||||
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
|
||||
session required /lib/security/pam_pwdb.so
|
||||
session required /lib/security/pam_limits.so
|
77
crypto/openssh/contrib/cygwin/Makefile
Normal file
77
crypto/openssh/contrib/cygwin/Makefile
Normal file
@ -0,0 +1,77 @@
|
||||
srcdir=../..
|
||||
copyidsrcdir=..
|
||||
prefix=/usr
|
||||
exec_prefix=$(prefix)
|
||||
bindir=$(prefix)/bin
|
||||
datadir=$(prefix)/share
|
||||
mandir=$(datadir)/man
|
||||
docdir=$(datadir)/doc
|
||||
sshdocdir=$(docdir)/openssh
|
||||
cygdocdir=$(docdir)/Cygwin
|
||||
sysconfdir=/etc
|
||||
defaultsdir=$(sysconfdir)/defaults/etc
|
||||
inetdefdir=$(defaultsdir)/inetd.d
|
||||
PRIVSEP_PATH=/var/empty
|
||||
INSTALL=/usr/bin/install -c
|
||||
|
||||
DESTDIR=
|
||||
|
||||
all:
|
||||
@echo
|
||||
@echo "Use \`make cygwin-postinstall DESTDIR=[package directory]'"
|
||||
@echo "Be sure having DESTDIR set correctly!"
|
||||
@echo
|
||||
|
||||
move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/sshd_config
|
||||
$(srcdir)/mkinstalldirs $(DESTDIR)$(defaultsdir)
|
||||
mv $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(defaultsdir)
|
||||
mv $(DESTDIR)$(sysconfdir)/sshd_config $(DESTDIR)$(defaultsdir)
|
||||
|
||||
remove-empty-dir:
|
||||
rm -rf $(DESTDIR)$(PRIVSEP_PATH)
|
||||
|
||||
install-inetd-config:
|
||||
$(srcdir)/mkinstalldirs $(DESTDIR)$(inetdefdir)
|
||||
$(INSTALL) -m 644 sshd-inetd $(DESTDIR)$(inetdefdir)/sshd-inetd
|
||||
|
||||
install-sshdoc:
|
||||
$(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir)
|
||||
-$(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS
|
||||
-$(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog
|
||||
-$(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE
|
||||
-$(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
|
||||
-$(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL
|
||||
-$(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent
|
||||
-$(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.certkeys
|
||||
-$(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.mux
|
||||
-$(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
|
||||
-$(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
|
||||
-$(INSTALL) -m 644 $(srcdir)/README.platform $(DESTDIR)$(sshdocdir)/README.platform
|
||||
-$(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
|
||||
-$(INSTALL) -m 644 $(srcdir)/README.tun $(DESTDIR)$(sshdocdir)/README.tun
|
||||
-$(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
|
||||
|
||||
install-cygwindoc: README
|
||||
$(srcdir)/mkinstalldirs $(DESTDIR)$(cygdocdir)
|
||||
$(INSTALL) -m 644 README $(DESTDIR)$(cygdocdir)/openssh.README
|
||||
|
||||
install-doc: install-sshdoc install-cygwindoc
|
||||
|
||||
install-scripts: ssh-host-config ssh-user-config
|
||||
$(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
|
||||
$(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config
|
||||
$(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config
|
||||
|
||||
install-copy-id: $(copyidsrcdir)/ssh-copy-id $(copyidsrcdir)/ssh-copy-id.1
|
||||
$(INSTALL) -m 755 $(copyidsrcdir)/ssh-copy-id $(DESTDIR)$(bindir)/ssh-copy-id
|
||||
$(INSTALL) -m 644 $(copyidsrcdir)/ssh-copy-id.1 $(DESTDIR)$(mandir)/man1/ssh-copy-id.1
|
||||
|
||||
gzip-man-pages:
|
||||
rm $(DESTDIR)$(mandir)/man1/slogin.1
|
||||
gzip $(DESTDIR)$(mandir)/man1/*.1
|
||||
gzip $(DESTDIR)$(mandir)/man5/*.5
|
||||
gzip $(DESTDIR)$(mandir)/man8/*.8
|
||||
cd $(DESTDIR)$(mandir)/man1 && ln -s ssh.1.gz slogin.1.gz
|
||||
|
||||
cygwin-postinstall: move-config-files remove-empty-dir install-inetd-config install-doc install-scripts install-copy-id gzip-man-pages
|
||||
@echo "Cygwin specific configuration finished."
|
91
crypto/openssh/contrib/cygwin/README
Normal file
91
crypto/openssh/contrib/cygwin/README
Normal file
@ -0,0 +1,91 @@
|
||||
This package describes important Cygwin specific stuff concerning OpenSSH.
|
||||
|
||||
The binary package is usually built for recent Cygwin versions and might
|
||||
not run on older versions. Please check http://cygwin.com/ for information
|
||||
about current Cygwin releases.
|
||||
|
||||
==================
|
||||
Host configuration
|
||||
==================
|
||||
|
||||
If you are installing OpenSSH the first time, you can generate global config
|
||||
files and server keys, as well as installing sshd as a service, by running
|
||||
|
||||
/usr/bin/ssh-host-config
|
||||
|
||||
Note that this binary archive doesn't contain default config files in /etc.
|
||||
That files are only created if ssh-host-config is started.
|
||||
|
||||
To support testing and unattended installation ssh-host-config got
|
||||
some options:
|
||||
|
||||
usage: ssh-host-config [OPTION]...
|
||||
Options:
|
||||
--debug -d Enable shell's debug output.
|
||||
--yes -y Answer all questions with "yes" automatically.
|
||||
--no -n Answer all questions with "no" automatically.
|
||||
--cygwin -c <options> Use "options" as value for CYGWIN environment var.
|
||||
--port -p <n> sshd listens on port n.
|
||||
--user -u <account> privileged user for service, default 'cyg_server'.
|
||||
--pwd -w <passwd> Use "pwd" as password for privileged user.
|
||||
--privileged On Windows XP, require privileged user
|
||||
instead of LocalSystem for sshd service.
|
||||
|
||||
Installing sshd as daemon via ssh-host-config is recommended.
|
||||
|
||||
Alternatively you can start sshd via inetd, if you have the inetutils
|
||||
package installed. Just run ssh-host-config, but answer "no" when asked
|
||||
to install sshd as service. The ssh-host-config script also adds the
|
||||
required lines to /etc/inetd.conf and /etc/services.
|
||||
|
||||
==================
|
||||
User configuration
|
||||
==================
|
||||
|
||||
Any user can simplify creating the own private and public keys by running
|
||||
|
||||
/usr/bin/ssh-user-config
|
||||
|
||||
To support testing and unattended installation ssh-user-config got
|
||||
some options as well:
|
||||
|
||||
usage: ssh-user-config [OPTION]...
|
||||
Options:
|
||||
--debug -d Enable shell's debug output.
|
||||
--yes -y Answer all questions with "yes" automatically.
|
||||
--no -n Answer all questions with "no" automatically.
|
||||
--passphrase -p word Use "word" as passphrase automatically.
|
||||
|
||||
Please note that OpenSSH does never use the value of $HOME to
|
||||
search for the users configuration files! It always uses the
|
||||
value of the pw_dir field in /etc/passwd as the home directory.
|
||||
If no home diretory is set in /etc/passwd, the root directory
|
||||
is used instead!
|
||||
|
||||
================
|
||||
Building OpenSSH
|
||||
================
|
||||
|
||||
Building from source is easy. Just unpack the source archive, cd to that
|
||||
directory, and call cygport:
|
||||
|
||||
cygport openssh.cygport almostall
|
||||
|
||||
You must have installed the following packages to be able to build OpenSSH
|
||||
with the aforementioned cygport script:
|
||||
|
||||
zlib
|
||||
crypt
|
||||
openssl-devel
|
||||
libwrap-devel
|
||||
libedit-devel
|
||||
libkrb5-devel
|
||||
|
||||
Please send requests, error reports etc. to cygwin@cygwin.com.
|
||||
|
||||
|
||||
Have fun,
|
||||
|
||||
Corinna Vinschen
|
||||
Cygwin Developer
|
||||
Red Hat Inc.
|
758
crypto/openssh/contrib/cygwin/ssh-host-config
Normal file
758
crypto/openssh/contrib/cygwin/ssh-host-config
Normal file
@ -0,0 +1,758 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# ssh-host-config, Copyright 2000-2011 Red Hat Inc.
|
||||
#
|
||||
# This file is part of the Cygwin port of OpenSSH.
|
||||
#
|
||||
# Permission to use, copy, modify, and distribute this software for any
|
||||
# purpose with or without fee is hereby granted, provided that the above
|
||||
# copyright notice and this permission notice appear in all copies.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
|
||||
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
||||
# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
|
||||
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
|
||||
# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
|
||||
# THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
# ======================================================================
|
||||
# Initialization
|
||||
# ======================================================================
|
||||
|
||||
CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
|
||||
|
||||
# List of apps used. This is checkad for existance in csih_sanity_check
|
||||
# Don't use *any* transient commands before sourcing the csih helper script,
|
||||
# otherwise the sanity checks are short-circuited.
|
||||
declare -a csih_required_commands=(
|
||||
/usr/bin/basename coreutils
|
||||
/usr/bin/cat coreutils
|
||||
/usr/bin/chmod coreutils
|
||||
/usr/bin/dirname coreutils
|
||||
/usr/bin/id coreutils
|
||||
/usr/bin/mv coreutils
|
||||
/usr/bin/rm coreutils
|
||||
/usr/bin/cygpath cygwin
|
||||
/usr/bin/mount cygwin
|
||||
/usr/bin/ps cygwin
|
||||
/usr/bin/setfacl cygwin
|
||||
/usr/bin/umount cygwin
|
||||
/usr/bin/cmp diffutils
|
||||
/usr/bin/grep grep
|
||||
/usr/bin/awk gawk
|
||||
/usr/bin/ssh-keygen openssh
|
||||
/usr/sbin/sshd openssh
|
||||
/usr/bin/sed sed
|
||||
)
|
||||
csih_sanity_check_server=yes
|
||||
source ${CSIH_SCRIPT}
|
||||
|
||||
PROGNAME=$(/usr/bin/basename $0)
|
||||
_tdir=$(/usr/bin/dirname $0)
|
||||
PROGDIR=$(cd $_tdir && pwd)
|
||||
|
||||
# Subdirectory where the new package is being installed
|
||||
PREFIX=/usr
|
||||
|
||||
# Directory where the config files are stored
|
||||
SYSCONFDIR=/etc
|
||||
LOCALSTATEDIR=/var
|
||||
|
||||
port_number=22
|
||||
privsep_configured=no
|
||||
privsep_used=yes
|
||||
cygwin_value=""
|
||||
user_account=
|
||||
password_value=
|
||||
opt_force=no
|
||||
|
||||
# ======================================================================
|
||||
# Routine: create_host_keys
|
||||
# ======================================================================
|
||||
create_host_keys() {
|
||||
local ret=0
|
||||
|
||||
if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
|
||||
then
|
||||
csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
|
||||
if ! /usr/bin/ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
|
||||
then
|
||||
csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
|
||||
let ++ret
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
|
||||
then
|
||||
csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
|
||||
if ! /usr/bin/ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
|
||||
then
|
||||
csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
|
||||
let ++ret
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
|
||||
then
|
||||
csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
|
||||
if ! /usr/bin/ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
|
||||
then
|
||||
csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
|
||||
let ++ret
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ]
|
||||
then
|
||||
csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key"
|
||||
if ! /usr/bin/ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null
|
||||
then
|
||||
csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
|
||||
let ++ret
|
||||
fi
|
||||
fi
|
||||
return $ret
|
||||
} # --- End of create_host_keys --- #
|
||||
|
||||
# ======================================================================
|
||||
# Routine: update_services_file
|
||||
# ======================================================================
|
||||
update_services_file() {
|
||||
local _my_etcdir="/ssh-host-config.$$"
|
||||
local _win_etcdir
|
||||
local _services
|
||||
local _spaces
|
||||
local _serv_tmp
|
||||
local _wservices
|
||||
local ret=0
|
||||
|
||||
_win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
|
||||
_services="${_my_etcdir}/services"
|
||||
_spaces=" #"
|
||||
_serv_tmp="${_my_etcdir}/srv.out.$$"
|
||||
|
||||
/usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
|
||||
|
||||
# Depends on the above mount
|
||||
_wservices=`cygpath -w "${_services}"`
|
||||
|
||||
# Remove sshd 22/port from services
|
||||
if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
|
||||
then
|
||||
/usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
|
||||
if [ -f "${_serv_tmp}" ]
|
||||
then
|
||||
if /usr/bin/mv "${_serv_tmp}" "${_services}"
|
||||
then
|
||||
csih_inform "Removing sshd from ${_wservices}"
|
||||
else
|
||||
csih_warning "Removing sshd from ${_wservices} failed!"
|
||||
let ++ret
|
||||
fi
|
||||
/usr/bin/rm -f "${_serv_tmp}"
|
||||
else
|
||||
csih_warning "Removing sshd from ${_wservices} failed!"
|
||||
let ++ret
|
||||
fi
|
||||
fi
|
||||
|
||||
# Add ssh 22/tcp and ssh 22/udp to services
|
||||
if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
|
||||
then
|
||||
if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
|
||||
then
|
||||
if /usr/bin/mv "${_serv_tmp}" "${_services}"
|
||||
then
|
||||
csih_inform "Added ssh to ${_wservices}"
|
||||
else
|
||||
csih_warning "Adding ssh to ${_wservices} failed!"
|
||||
let ++ret
|
||||
fi
|
||||
/usr/bin/rm -f "${_serv_tmp}"
|
||||
else
|
||||
csih_warning "Adding ssh to ${_wservices} failed!"
|
||||
let ++ret
|
||||
fi
|
||||
fi
|
||||
/usr/bin/umount "${_my_etcdir}"
|
||||
return $ret
|
||||
} # --- End of update_services_file --- #
|
||||
|
||||
# ======================================================================
|
||||
# Routine: sshd_privsep
|
||||
# MODIFIES: privsep_configured privsep_used
|
||||
# ======================================================================
|
||||
sshd_privsep() {
|
||||
local sshdconfig_tmp
|
||||
local ret=0
|
||||
|
||||
if [ "${privsep_configured}" != "yes" ]
|
||||
then
|
||||
csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
|
||||
csih_inform "However, this requires a non-privileged account called 'sshd'."
|
||||
csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
|
||||
if csih_request "Should privilege separation be used?"
|
||||
then
|
||||
privsep_used=yes
|
||||
if ! csih_create_unprivileged_user sshd
|
||||
then
|
||||
csih_error_recoverable "Couldn't create user 'sshd'!"
|
||||
csih_error_recoverable "Privilege separation set to 'no' again!"
|
||||
csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!"
|
||||
let ++ret
|
||||
privsep_used=no
|
||||
fi
|
||||
else
|
||||
privsep_used=no
|
||||
fi
|
||||
fi
|
||||
|
||||
# Create default sshd_config from skeleton files in /etc/defaults/etc or
|
||||
# modify to add the missing privsep configuration option
|
||||
if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
|
||||
then
|
||||
csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
|
||||
sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
|
||||
/usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
|
||||
s/^#Port 22/Port ${port_number}/
|
||||
s/^#StrictModes yes/StrictModes no/" \
|
||||
< ${SYSCONFDIR}/sshd_config \
|
||||
> "${sshdconfig_tmp}"
|
||||
if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
|
||||
then
|
||||
csih_warning "Setting privilege separation to 'yes' failed!"
|
||||
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
|
||||
let ++ret
|
||||
fi
|
||||
elif [ "${privsep_configured}" != "yes" ]
|
||||
then
|
||||
echo >> ${SYSCONFDIR}/sshd_config
|
||||
if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
|
||||
then
|
||||
csih_warning "Setting privilege separation to 'yes' failed!"
|
||||
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
|
||||
let ++ret
|
||||
fi
|
||||
fi
|
||||
return $ret
|
||||
} # --- End of sshd_privsep --- #
|
||||
|
||||
# ======================================================================
|
||||
# Routine: update_inetd_conf
|
||||
# ======================================================================
|
||||
update_inetd_conf() {
|
||||
local _inetcnf="${SYSCONFDIR}/inetd.conf"
|
||||
local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
|
||||
local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
|
||||
local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
|
||||
local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
|
||||
local _with_comment=1
|
||||
local ret=0
|
||||
|
||||
if [ -d "${_inetcnf_dir}" ]
|
||||
then
|
||||
# we have inetutils-1.5 inetd.d support
|
||||
if [ -f "${_inetcnf}" ]
|
||||
then
|
||||
/usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
|
||||
|
||||
# check for sshd OR ssh in top-level inetd.conf file, and remove
|
||||
# will be replaced by a file in inetd.d/
|
||||
if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
|
||||
then
|
||||
/usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
|
||||
if [ -f "${_inetcnf_tmp}" ]
|
||||
then
|
||||
if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
|
||||
then
|
||||
csih_inform "Removed ssh[d] from ${_inetcnf}"
|
||||
else
|
||||
csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
|
||||
let ++ret
|
||||
fi
|
||||
/usr/bin/rm -f "${_inetcnf_tmp}"
|
||||
else
|
||||
csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
|
||||
let ++ret
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
|
||||
if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
|
||||
then
|
||||
if [ "${_with_comment}" -eq 0 ]
|
||||
then
|
||||
/usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
|
||||
else
|
||||
/usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
|
||||
fi
|
||||
if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
|
||||
then
|
||||
csih_inform "Updated ${_sshd_inetd_conf}"
|
||||
else
|
||||
csih_warning "Updating ${_sshd_inetd_conf} failed!"
|
||||
let ++ret
|
||||
fi
|
||||
fi
|
||||
|
||||
elif [ -f "${_inetcnf}" ]
|
||||
then
|
||||
/usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
|
||||
|
||||
# check for sshd in top-level inetd.conf file, and remove
|
||||
# will be replaced by a file in inetd.d/
|
||||
if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
|
||||
then
|
||||
/usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
|
||||
if [ -f "${_inetcnf_tmp}" ]
|
||||
then
|
||||
if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
|
||||
then
|
||||
csih_inform "Removed sshd from ${_inetcnf}"
|
||||
else
|
||||
csih_warning "Removing sshd from ${_inetcnf} failed!"
|
||||
let ++ret
|
||||
fi
|
||||
/usr/bin/rm -f "${_inetcnf_tmp}"
|
||||
else
|
||||
csih_warning "Removing sshd from ${_inetcnf} failed!"
|
||||
let ++ret
|
||||
fi
|
||||
fi
|
||||
|
||||
# Add ssh line to inetd.conf
|
||||
if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
|
||||
then
|
||||
if [ "${_with_comment}" -eq 0 ]
|
||||
then
|
||||
echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
|
||||
else
|
||||
echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
|
||||
fi
|
||||
if [ $? -eq 0 ]
|
||||
then
|
||||
csih_inform "Added ssh to ${_inetcnf}"
|
||||
else
|
||||
csih_warning "Adding ssh to ${_inetcnf} failed!"
|
||||
let ++ret
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
return $ret
|
||||
} # --- End of update_inetd_conf --- #
|
||||
|
||||
# ======================================================================
|
||||
# Routine: check_service_files_ownership
|
||||
# Checks that the files in /etc and /var belong to the right owner
|
||||
# ======================================================================
|
||||
check_service_files_ownership() {
|
||||
local run_service_as=$1
|
||||
local ret=0
|
||||
|
||||
if [ -z "${run_service_as}" ]
|
||||
then
|
||||
accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp')
|
||||
if [ "${accnt_name}" = "LocalSystem" ]
|
||||
then
|
||||
# Convert "LocalSystem" to "SYSTEM" as is the correct account name
|
||||
accnt_name="SYSTEM:"
|
||||
elif [[ "${accnt_name}" =~ ^\.\\ ]]
|
||||
then
|
||||
# Convert "." domain to local machine name
|
||||
accnt_name="U-${COMPUTERNAME}${accnt_name#.},"
|
||||
fi
|
||||
run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}')
|
||||
if [ -z "${run_service_as}" ]
|
||||
then
|
||||
csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
|
||||
csih_warning "As a result, this script cannot make sure that the files used"
|
||||
csih_warning "by the sshd service belong to the user running the service."
|
||||
csih_warning "Please re-run the mkpasswd tool to make sure the /etc/passwd"
|
||||
csih_warning "file is in a good shape."
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub
|
||||
do
|
||||
if [ -f "$i" ]
|
||||
then
|
||||
if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1
|
||||
then
|
||||
csih_warning "Couldn't change owner of $i!"
|
||||
let ++ret
|
||||
fi
|
||||
fi
|
||||
done
|
||||
if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1
|
||||
then
|
||||
csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!"
|
||||
let ++ret
|
||||
fi
|
||||
if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
|
||||
then
|
||||
csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!"
|
||||
let ++ret
|
||||
fi
|
||||
if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
|
||||
then
|
||||
if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1
|
||||
then
|
||||
csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!"
|
||||
let ++ret
|
||||
fi
|
||||
fi
|
||||
if [ $ret -ne 0 ]
|
||||
then
|
||||
csih_warning "Couldn't change owner of important files to ${run_service_as}!"
|
||||
csih_warning "This may cause the sshd service to fail! Please make sure that"
|
||||
csih_warning "you have suufficient permissions to change the ownership of files"
|
||||
csih_warning "and try to run the ssh-host-config script again."
|
||||
fi
|
||||
return $ret
|
||||
} # --- End of check_service_files_ownership --- #
|
||||
|
||||
# ======================================================================
|
||||
# Routine: install_service
|
||||
# Install sshd as a service
|
||||
# ======================================================================
|
||||
install_service() {
|
||||
local run_service_as
|
||||
local password
|
||||
local ret=0
|
||||
|
||||
echo
|
||||
if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
|
||||
then
|
||||
csih_inform "Sshd service is already installed."
|
||||
check_service_files_ownership "" || let ret+=$?
|
||||
else
|
||||
echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
|
||||
if csih_request "(Say \"no\" if it is already installed as a service)"
|
||||
then
|
||||
csih_get_cygenv "${cygwin_value}"
|
||||
|
||||
if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
|
||||
then
|
||||
csih_inform "On Windows Server 2003, Windows Vista, and above, the"
|
||||
csih_inform "SYSTEM account cannot setuid to other users -- a capability"
|
||||
csih_inform "sshd requires. You need to have or to create a privileged"
|
||||
csih_inform "account. This script will help you do so."
|
||||
echo
|
||||
|
||||
[ "${opt_force}" = "yes" ] && opt_f=-f
|
||||
[ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
|
||||
csih_select_privileged_username ${opt_f} ${opt_u} sshd
|
||||
|
||||
if ! csih_create_privileged_user "${password_value}"
|
||||
then
|
||||
csih_error_recoverable "There was a serious problem creating a privileged user."
|
||||
csih_request "Do you want to proceed anyway?" || exit 1
|
||||
let ++ret
|
||||
fi
|
||||
fi
|
||||
|
||||
# Never returns empty if NT or above
|
||||
run_service_as=$(csih_service_should_run_as)
|
||||
|
||||
if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
|
||||
then
|
||||
password="${csih_PRIVILEGED_PASSWORD}"
|
||||
if [ -z "${password}" ]
|
||||
then
|
||||
csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
|
||||
password="${csih_value}"
|
||||
fi
|
||||
fi
|
||||
|
||||
# At this point, we either have $run_service_as = "system" and
|
||||
# $password is empty, or $run_service_as is some privileged user and
|
||||
# (hopefully) $password contains the correct password. So, from here
|
||||
# out, we use '-z "${password}"' to discriminate the two cases.
|
||||
|
||||
csih_check_user "${run_service_as}"
|
||||
|
||||
if [ -n "${csih_cygenv}" ]
|
||||
then
|
||||
cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
|
||||
fi
|
||||
if [ -z "${password}" ]
|
||||
then
|
||||
if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
|
||||
-a "-D" -y tcpip "${cygwin_env[@]}"
|
||||
then
|
||||
echo
|
||||
csih_inform "The sshd service has been installed under the LocalSystem"
|
||||
csih_inform "account (also known as SYSTEM). To start the service now, call"
|
||||
csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
|
||||
csih_inform "will start automatically after the next reboot."
|
||||
fi
|
||||
else
|
||||
if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
|
||||
-a "-D" -y tcpip "${cygwin_env[@]}" \
|
||||
-u "${run_service_as}" -w "${password}"
|
||||
then
|
||||
/usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight
|
||||
echo
|
||||
csih_inform "The sshd service has been installed under the '${run_service_as}'"
|
||||
csih_inform "account. To start the service now, call \`net start sshd' or"
|
||||
csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
|
||||
csih_inform "after the next reboot."
|
||||
fi
|
||||
fi
|
||||
|
||||
if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
|
||||
then
|
||||
check_service_files_ownership "${run_service_as}" || let ret+=$?
|
||||
else
|
||||
csih_error_recoverable "Installing sshd as a service failed!"
|
||||
let ++ret
|
||||
fi
|
||||
fi # user allowed us to install as service
|
||||
fi # service not yet installed
|
||||
return $ret
|
||||
} # --- End of install_service --- #
|
||||
|
||||
# ======================================================================
|
||||
# Main Entry Point
|
||||
# ======================================================================
|
||||
|
||||
# Check how the script has been started. If
|
||||
# (1) it has been started by giving the full path and
|
||||
# that path is /etc/postinstall, OR
|
||||
# (2) Otherwise, if the environment variable
|
||||
# SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
|
||||
# then set auto_answer to "no". This allows automatic
|
||||
# creation of the config files in /etc w/o overwriting
|
||||
# them if they already exist. In both cases, color
|
||||
# escape sequences are suppressed, so as to prevent
|
||||
# cluttering setup's logfiles.
|
||||
if [ "$PROGDIR" = "/etc/postinstall" ]
|
||||
then
|
||||
csih_auto_answer="no"
|
||||
csih_disable_color
|
||||
opt_force=yes
|
||||
fi
|
||||
if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
|
||||
then
|
||||
csih_auto_answer="no"
|
||||
csih_disable_color
|
||||
opt_force=yes
|
||||
fi
|
||||
|
||||
# ======================================================================
|
||||
# Parse options
|
||||
# ======================================================================
|
||||
while :
|
||||
do
|
||||
case $# in
|
||||
0)
|
||||
break
|
||||
;;
|
||||
esac
|
||||
|
||||
option=$1
|
||||
shift
|
||||
|
||||
case "${option}" in
|
||||
-d | --debug )
|
||||
set -x
|
||||
csih_trace_on
|
||||
;;
|
||||
|
||||
-y | --yes )
|
||||
csih_auto_answer=yes
|
||||
opt_force=yes
|
||||
;;
|
||||
|
||||
-n | --no )
|
||||
csih_auto_answer=no
|
||||
opt_force=yes
|
||||
;;
|
||||
|
||||
-c | --cygwin )
|
||||
cygwin_value="$1"
|
||||
shift
|
||||
;;
|
||||
|
||||
-p | --port )
|
||||
port_number=$1
|
||||
shift
|
||||
;;
|
||||
|
||||
-u | --user )
|
||||
user_account="$1"
|
||||
shift
|
||||
;;
|
||||
|
||||
-w | --pwd )
|
||||
password_value="$1"
|
||||
shift
|
||||
;;
|
||||
|
||||
--privileged )
|
||||
csih_FORCE_PRIVILEGED_USER=yes
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "usage: ${progname} [OPTION]..."
|
||||
echo
|
||||
echo "This script creates an OpenSSH host configuration."
|
||||
echo
|
||||
echo "Options:"
|
||||
echo " --debug -d Enable shell's debug output."
|
||||
echo " --yes -y Answer all questions with \"yes\" automatically."
|
||||
echo " --no -n Answer all questions with \"no\" automatically."
|
||||
echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
|
||||
echo " --port -p <n> sshd listens on port n."
|
||||
echo " --user -u <account> privileged user for service, default 'cyg_server'."
|
||||
echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user."
|
||||
echo " --privileged On Windows XP, require privileged user"
|
||||
echo " instead of LocalSystem for sshd service."
|
||||
echo
|
||||
exit 1
|
||||
;;
|
||||
|
||||
esac
|
||||
done
|
||||
|
||||
# ======================================================================
|
||||
# Action!
|
||||
# ======================================================================
|
||||
|
||||
# Check for running ssh/sshd processes first. Refuse to do anything while
|
||||
# some ssh processes are still running
|
||||
if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
|
||||
then
|
||||
echo
|
||||
csih_error "There are still ssh processes running. Please shut them down first."
|
||||
fi
|
||||
|
||||
# Make sure the user is running in an administrative context
|
||||
admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no)
|
||||
if [ "${admin}" != "yes" ]
|
||||
then
|
||||
echo
|
||||
csih_warning "Running this script typically requires administrator privileges!"
|
||||
csih_warning "However, it seems your account does not have these privileges."
|
||||
csih_warning "Here's the list of groups in your user token:"
|
||||
echo
|
||||
for i in $(/usr/bin/id -G)
|
||||
do
|
||||
/usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \" \" \$1; }" /etc/group
|
||||
done
|
||||
echo
|
||||
csih_warning "This usually means you're running this script from a non-admin"
|
||||
csih_warning "desktop session, or in a non-elevated shell under UAC control."
|
||||
echo
|
||||
csih_warning "Make sure you have the appropriate privileges right now,"
|
||||
csih_warning "otherwise parts of this script will probably fail!"
|
||||
echo
|
||||
echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure"
|
||||
if ! csih_request "you have the required privileges)"
|
||||
then
|
||||
echo
|
||||
csih_inform "Ok. Exiting. Make sure to switch to an administrative account"
|
||||
csih_inform "or to start this script from an elevated shell."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
echo
|
||||
|
||||
warning_cnt=0
|
||||
|
||||
# Check for ${SYSCONFDIR} directory
|
||||
csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
|
||||
if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
|
||||
then
|
||||
csih_warning "Can't set permissions on ${SYSCONFDIR}!"
|
||||
let ++warning_cnt
|
||||
fi
|
||||
if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1
|
||||
then
|
||||
csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
|
||||
let ++warning_cnt
|
||||
fi
|
||||
|
||||
# Check for /var/log directory
|
||||
csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
|
||||
if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1
|
||||
then
|
||||
csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
|
||||
let ++warning_cnt
|
||||
fi
|
||||
if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1
|
||||
then
|
||||
csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!"
|
||||
let ++warning_cnt
|
||||
fi
|
||||
|
||||
# Create /var/log/lastlog if not already exists
|
||||
if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
|
||||
then
|
||||
echo
|
||||
csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
|
||||
"Cannot create ssh host configuration."
|
||||
fi
|
||||
if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
|
||||
then
|
||||
/usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
|
||||
if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
|
||||
then
|
||||
csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!"
|
||||
let ++warning_cnt
|
||||
fi
|
||||
fi
|
||||
|
||||
# Create /var/empty file used as chroot jail for privilege separation
|
||||
csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
|
||||
if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
|
||||
then
|
||||
csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
|
||||
let ++warning_cnt
|
||||
fi
|
||||
if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
|
||||
then
|
||||
csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!"
|
||||
let ++warning_cnt
|
||||
fi
|
||||
|
||||
# host keys
|
||||
create_host_keys || let warning_cnt+=$?
|
||||
|
||||
# handle ssh_config
|
||||
csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
|
||||
if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
|
||||
then
|
||||
if [ "${port_number}" != "22" ]
|
||||
then
|
||||
csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
|
||||
echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
|
||||
echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
|
||||
fi
|
||||
fi
|
||||
|
||||
# handle sshd_config (and privsep)
|
||||
csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
|
||||
if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
|
||||
then
|
||||
/usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
|
||||
fi
|
||||
sshd_privsep || let warning_cnt+=$?
|
||||
|
||||
update_services_file || let warning_cnt+=$?
|
||||
update_inetd_conf || let warning_cnt+=$?
|
||||
install_service || let warning_cnt+=$?
|
||||
|
||||
echo
|
||||
if [ $warning_cnt -eq 0 ]
|
||||
then
|
||||
csih_inform "Host configuration finished. Have fun!"
|
||||
else
|
||||
csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!"
|
||||
csih_warning "Make sure that all problems reported are fixed,"
|
||||
csih_warning "then re-run ssh-host-config."
|
||||
fi
|
||||
exit $warning_cnt
|
266
crypto/openssh/contrib/cygwin/ssh-user-config
Normal file
266
crypto/openssh/contrib/cygwin/ssh-user-config
Normal file
@ -0,0 +1,266 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# ssh-user-config, Copyright 2000-2008 Red Hat Inc.
|
||||
#
|
||||
# This file is part of the Cygwin port of OpenSSH.
|
||||
#
|
||||
# Permission to use, copy, modify, and distribute this software for any
|
||||
# purpose with or without fee is hereby granted, provided that the above
|
||||
# copyright notice and this permission notice appear in all copies.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
|
||||
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
||||
# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
|
||||
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
|
||||
# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
|
||||
# THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
# ======================================================================
|
||||
# Initialization
|
||||
# ======================================================================
|
||||
PROGNAME=$(basename -- $0)
|
||||
_tdir=$(dirname -- $0)
|
||||
PROGDIR=$(cd $_tdir && pwd)
|
||||
|
||||
CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
|
||||
|
||||
# Subdirectory where the new package is being installed
|
||||
PREFIX=/usr
|
||||
|
||||
# Directory where the config files are stored
|
||||
SYSCONFDIR=/etc
|
||||
|
||||
source ${CSIH_SCRIPT}
|
||||
|
||||
auto_passphrase="no"
|
||||
passphrase=""
|
||||
pwdhome=
|
||||
with_passphrase=
|
||||
|
||||
# ======================================================================
|
||||
# Routine: create_identity
|
||||
# optionally create identity of type argument in ~/.ssh
|
||||
# optionally add result to ~/.ssh/authorized_keys
|
||||
# ======================================================================
|
||||
create_identity() {
|
||||
local file="$1"
|
||||
local type="$2"
|
||||
local name="$3"
|
||||
if [ ! -f "${pwdhome}/.ssh/${file}" ]
|
||||
then
|
||||
if csih_request "Shall I create a ${name} identity file for you?"
|
||||
then
|
||||
csih_inform "Generating ${pwdhome}/.ssh/${file}"
|
||||
if [ "${with_passphrase}" = "yes" ]
|
||||
then
|
||||
ssh-keygen -t "${type}" -N "${passphrase}" -f "${pwdhome}/.ssh/${file}" > /dev/null
|
||||
else
|
||||
ssh-keygen -t "${type}" -f "${pwdhome}/.ssh/${file}" > /dev/null
|
||||
fi
|
||||
if csih_request "Do you want to use this identity to login to this machine?"
|
||||
then
|
||||
csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
|
||||
cat "${pwdhome}/.ssh/${file}.pub" >> "${pwdhome}/.ssh/authorized_keys"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
} # === End of create_ssh1_identity() === #
|
||||
readonly -f create_identity
|
||||
|
||||
# ======================================================================
|
||||
# Routine: check_user_homedir
|
||||
# Perform various checks on the user's home directory
|
||||
# SETS GLOBAL VARIABLE:
|
||||
# pwdhome
|
||||
# ======================================================================
|
||||
check_user_homedir() {
|
||||
local uid=$(id -u)
|
||||
pwdhome=$(awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd)
|
||||
if [ "X${pwdhome}" = "X" ]
|
||||
then
|
||||
csih_error_multi \
|
||||
"There is no home directory set for you in ${SYSCONFDIR}/passwd." \
|
||||
'Setting $HOME is not sufficient!'
|
||||
fi
|
||||
|
||||
if [ ! -d "${pwdhome}" ]
|
||||
then
|
||||
csih_error_multi \
|
||||
"${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory" \
|
||||
'but it is not a valid directory. Cannot create user identity files.'
|
||||
fi
|
||||
|
||||
# If home is the root dir, set home to empty string to avoid error messages
|
||||
# in subsequent parts of that script.
|
||||
if [ "X${pwdhome}" = "X/" ]
|
||||
then
|
||||
# But first raise a warning!
|
||||
csih_warning "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!"
|
||||
if csih_request "Would you like to proceed anyway?"
|
||||
then
|
||||
pwdhome=''
|
||||
else
|
||||
csih_warning "Exiting. Configuration is not complete"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -d "${pwdhome}" -a csih_is_nt -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
|
||||
then
|
||||
echo
|
||||
csih_warning 'group and other have been revoked write permission to your home'
|
||||
csih_warning "directory ${pwdhome}."
|
||||
csih_warning 'This is required by OpenSSH to allow public key authentication using'
|
||||
csih_warning 'the key files stored in your .ssh subdirectory.'
|
||||
csih_warning 'Revert this change ONLY if you know what you are doing!'
|
||||
echo
|
||||
fi
|
||||
} # === End of check_user_homedir() === #
|
||||
readonly -f check_user_homedir
|
||||
|
||||
# ======================================================================
|
||||
# Routine: check_user_dot_ssh_dir
|
||||
# Perform various checks on the ~/.ssh directory
|
||||
# PREREQUISITE:
|
||||
# pwdhome -- check_user_homedir()
|
||||
# ======================================================================
|
||||
check_user_dot_ssh_dir() {
|
||||
if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ]
|
||||
then
|
||||
csih_error "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files."
|
||||
fi
|
||||
|
||||
if [ ! -e "${pwdhome}/.ssh" ]
|
||||
then
|
||||
mkdir "${pwdhome}/.ssh"
|
||||
if [ ! -e "${pwdhome}/.ssh" ]
|
||||
then
|
||||
csih_error "Creating users ${pwdhome}/.ssh directory failed"
|
||||
fi
|
||||
fi
|
||||
} # === End of check_user_dot_ssh_dir() === #
|
||||
readonly -f check_user_dot_ssh_dir
|
||||
|
||||
# ======================================================================
|
||||
# Routine: fix_authorized_keys_perms
|
||||
# Corrects the permissions of ~/.ssh/authorized_keys
|
||||
# PREREQUISITE:
|
||||
# pwdhome -- check_user_homedir()
|
||||
# ======================================================================
|
||||
fix_authorized_keys_perms() {
|
||||
if [ csih_is_nt -a -e "${pwdhome}/.ssh/authorized_keys" ]
|
||||
then
|
||||
if ! setfacl -m "u::rw-,g::---,o::---" "${pwdhome}/.ssh/authorized_keys"
|
||||
then
|
||||
csih_warning "Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
|
||||
csih_warning "failed. Please care for the correct permissions. The minimum requirement"
|
||||
csih_warning "is, the owner needs read permissions."
|
||||
echo
|
||||
fi
|
||||
fi
|
||||
} # === End of fix_authorized_keys_perms() === #
|
||||
readonly -f fix_authorized_keys_perms
|
||||
|
||||
|
||||
# ======================================================================
|
||||
# Main Entry Point
|
||||
# ======================================================================
|
||||
|
||||
# Check how the script has been started. If
|
||||
# (1) it has been started by giving the full path and
|
||||
# that path is /etc/postinstall, OR
|
||||
# (2) Otherwise, if the environment variable
|
||||
# SSH_USER_CONFIG_AUTO_ANSWER_NO is set
|
||||
# then set auto_answer to "no". This allows automatic
|
||||
# creation of the config files in /etc w/o overwriting
|
||||
# them if they already exist. In both cases, color
|
||||
# escape sequences are suppressed, so as to prevent
|
||||
# cluttering setup's logfiles.
|
||||
if [ "$PROGDIR" = "/etc/postinstall" ]
|
||||
then
|
||||
csih_auto_answer="no"
|
||||
csih_disable_color
|
||||
fi
|
||||
if [ -n "${SSH_USER_CONFIG_AUTO_ANSWER_NO}" ]
|
||||
then
|
||||
csih_auto_answer="no"
|
||||
csih_disable_color
|
||||
fi
|
||||
|
||||
# ======================================================================
|
||||
# Parse options
|
||||
# ======================================================================
|
||||
while :
|
||||
do
|
||||
case $# in
|
||||
0)
|
||||
break
|
||||
;;
|
||||
esac
|
||||
|
||||
option=$1
|
||||
shift
|
||||
|
||||
case "$option" in
|
||||
-d | --debug )
|
||||
set -x
|
||||
csih_trace_on
|
||||
;;
|
||||
|
||||
-y | --yes )
|
||||
csih_auto_answer=yes
|
||||
;;
|
||||
|
||||
-n | --no )
|
||||
csih_auto_answer=no
|
||||
;;
|
||||
|
||||
-p | --passphrase )
|
||||
with_passphrase="yes"
|
||||
passphrase=$1
|
||||
shift
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "usage: ${PROGNAME} [OPTION]..."
|
||||
echo
|
||||
echo "This script creates an OpenSSH user configuration."
|
||||
echo
|
||||
echo "Options:"
|
||||
echo " --debug -d Enable shell's debug output."
|
||||
echo " --yes -y Answer all questions with \"yes\" automatically."
|
||||
echo " --no -n Answer all questions with \"no\" automatically."
|
||||
echo " --passphrase -p word Use \"word\" as passphrase automatically."
|
||||
echo
|
||||
exit 1
|
||||
;;
|
||||
|
||||
esac
|
||||
done
|
||||
|
||||
# ======================================================================
|
||||
# Action!
|
||||
# ======================================================================
|
||||
|
||||
# Check passwd file
|
||||
if [ ! -f ${SYSCONFDIR}/passwd ]
|
||||
then
|
||||
csih_error_multi \
|
||||
"${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file" \
|
||||
'first using mkpasswd. Check if it contains an entry for you and' \
|
||||
'please care for the home directory in your entry as well.'
|
||||
fi
|
||||
|
||||
check_user_homedir
|
||||
check_user_dot_ssh_dir
|
||||
create_identity id_rsa rsa "SSH2 RSA"
|
||||
create_identity id_dsa dsa "SSH2 DSA"
|
||||
create_identity id_ecdsa ecdsa "SSH2 ECDSA"
|
||||
create_identity identity rsa1 "(deprecated) SSH1 RSA"
|
||||
fix_authorized_keys_perms
|
||||
|
||||
echo
|
||||
csih_inform "Configuration finished. Have fun!"
|
||||
|
||||
|
4
crypto/openssh/contrib/cygwin/sshd-inetd
Normal file
4
crypto/openssh/contrib/cygwin/sshd-inetd
Normal file
@ -0,0 +1,4 @@
|
||||
# This file can be used to enable sshd as a slave of the inetd service
|
||||
# To do so, the line below should be uncommented.
|
||||
@COMMENT@ ssh stream tcp nowait root /usr/sbin/sshd sshd -i
|
||||
|
186
crypto/openssh/contrib/findssl.sh
Executable file
186
crypto/openssh/contrib/findssl.sh
Executable file
@ -0,0 +1,186 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# $Id: findssl.sh,v 1.4 2007/02/19 11:44:25 dtucker Exp $
|
||||
#
|
||||
# findssl.sh
|
||||
# Search for all instances of OpenSSL headers and libraries
|
||||
# and print their versions.
|
||||
# Intended to help diagnose OpenSSH's "OpenSSL headers do not
|
||||
# match your library" errors.
|
||||
#
|
||||
# Written by Darren Tucker (dtucker at zip dot com dot au)
|
||||
# This file is placed in the public domain.
|
||||
#
|
||||
# Release history:
|
||||
# 2002-07-27: Initial release.
|
||||
# 2002-08-04: Added public domain notice.
|
||||
# 2003-06-24: Incorporated readme, set library paths. First cvs version.
|
||||
# 2004-12-13: Add traps to cleanup temp files, from Amarendra Godbole.
|
||||
#
|
||||
# "OpenSSL headers do not match your library" are usually caused by
|
||||
# OpenSSH's configure picking up an older version of OpenSSL headers
|
||||
# or libraries. You can use the following # procedure to help identify
|
||||
# the cause.
|
||||
#
|
||||
# The output of configure will tell you the versions of the OpenSSL
|
||||
# headers and libraries that were picked up, for example:
|
||||
#
|
||||
# checking OpenSSL header version... 90604f (OpenSSL 0.9.6d 9 May 2002)
|
||||
# checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)
|
||||
# checking whether OpenSSL's headers match the library... no
|
||||
# configure: error: Your OpenSSL headers do not match your library
|
||||
#
|
||||
# Now run findssl.sh. This should identify the headers and libraries
|
||||
# present and their versions. You should be able to identify the
|
||||
# libraries and headers used and adjust your CFLAGS or remove incorrect
|
||||
# versions. The output will show OpenSSL's internal version identifier
|
||||
# and should look something like:
|
||||
|
||||
# $ ./findssl.sh
|
||||
# Searching for OpenSSL header files.
|
||||
# 0x0090604fL /usr/include/openssl/opensslv.h
|
||||
# 0x0090604fL /usr/local/ssl/include/openssl/opensslv.h
|
||||
#
|
||||
# Searching for OpenSSL shared library files.
|
||||
# 0x0090602fL /lib/libcrypto.so.0.9.6b
|
||||
# 0x0090602fL /lib/libcrypto.so.2
|
||||
# 0x0090581fL /usr/lib/libcrypto.so.0
|
||||
# 0x0090602fL /usr/lib/libcrypto.so
|
||||
# 0x0090581fL /usr/lib/libcrypto.so.0.9.5a
|
||||
# 0x0090600fL /usr/lib/libcrypto.so.0.9.6
|
||||
# 0x0090600fL /usr/lib/libcrypto.so.1
|
||||
#
|
||||
# Searching for OpenSSL static library files.
|
||||
# 0x0090602fL /usr/lib/libcrypto.a
|
||||
# 0x0090604fL /usr/local/ssl/lib/libcrypto.a
|
||||
#
|
||||
# In this example, I gave configure no extra flags, so it's picking up
|
||||
# the OpenSSL header from /usr/include/openssl (90604f) and the library
|
||||
# from /usr/lib/ (90602f).
|
||||
|
||||
#
|
||||
# Adjust these to suit your compiler.
|
||||
# You may also need to set the *LIB*PATH environment variables if
|
||||
# DEFAULT_LIBPATH is not correct for your system.
|
||||
#
|
||||
CC=gcc
|
||||
STATIC=-static
|
||||
|
||||
#
|
||||
# Cleanup on interrupt
|
||||
#
|
||||
trap 'rm -f conftest.c' INT HUP TERM
|
||||
|
||||
#
|
||||
# Set up conftest C source
|
||||
#
|
||||
rm -f findssl.log
|
||||
cat >conftest.c <<EOD
|
||||
#include <stdio.h>
|
||||
int main(){printf("0x%08xL\n", SSLeay());}
|
||||
EOD
|
||||
|
||||
#
|
||||
# Set default library paths if not already set
|
||||
#
|
||||
DEFAULT_LIBPATH=/usr/lib:/usr/local/lib
|
||||
LIBPATH=${LIBPATH:=$DEFAULT_LIBPATH}
|
||||
LD_LIBRARY_PATH=${LD_LIBRARY_PATH:=$DEFAULT_LIBPATH}
|
||||
LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH}
|
||||
export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
|
||||
|
||||
# not all platforms have a 'which' command
|
||||
if which ls >/dev/null 2>/dev/null; then
|
||||
: which is defined
|
||||
else
|
||||
which () {
|
||||
saveIFS="$IFS"
|
||||
IFS=:
|
||||
for p in $PATH; do
|
||||
if test -x "$p/$1" -a -f "$p/$1"; then
|
||||
IFS="$saveIFS"
|
||||
echo "$p/$1"
|
||||
return 0
|
||||
fi
|
||||
done
|
||||
IFS="$saveIFS"
|
||||
return 1
|
||||
}
|
||||
fi
|
||||
|
||||
#
|
||||
# Search for OpenSSL headers and print versions
|
||||
#
|
||||
echo Searching for OpenSSL header files.
|
||||
if [ -x "`which locate`" ]
|
||||
then
|
||||
headers=`locate opensslv.h`
|
||||
else
|
||||
headers=`find / -name opensslv.h -print 2>/dev/null`
|
||||
fi
|
||||
|
||||
for header in $headers
|
||||
do
|
||||
ver=`awk '/OPENSSL_VERSION_NUMBER/{printf \$3}' $header`
|
||||
echo "$ver $header"
|
||||
done
|
||||
echo
|
||||
|
||||
#
|
||||
# Search for shared libraries.
|
||||
# Relies on shared libraries looking like "libcrypto.s*"
|
||||
#
|
||||
echo Searching for OpenSSL shared library files.
|
||||
if [ -x "`which locate`" ]
|
||||
then
|
||||
libraries=`locate libcrypto.s`
|
||||
else
|
||||
libraries=`find / -name 'libcrypto.s*' -print 2>/dev/null`
|
||||
fi
|
||||
|
||||
for lib in $libraries
|
||||
do
|
||||
(echo "Trying libcrypto $lib" >>findssl.log
|
||||
dir=`dirname $lib`
|
||||
LIBPATH="$dir:$LIBPATH"
|
||||
LD_LIBRARY_PATH="$dir:$LIBPATH"
|
||||
LIBRARY_PATH="$dir:$LIBPATH"
|
||||
export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
|
||||
${CC} -o conftest conftest.c $lib 2>>findssl.log
|
||||
if [ -x ./conftest ]
|
||||
then
|
||||
ver=`./conftest 2>/dev/null`
|
||||
rm -f ./conftest
|
||||
echo "$ver $lib"
|
||||
fi)
|
||||
done
|
||||
echo
|
||||
|
||||
#
|
||||
# Search for static OpenSSL libraries and print versions
|
||||
#
|
||||
echo Searching for OpenSSL static library files.
|
||||
if [ -x "`which locate`" ]
|
||||
then
|
||||
libraries=`locate libcrypto.a`
|
||||
else
|
||||
libraries=`find / -name libcrypto.a -print 2>/dev/null`
|
||||
fi
|
||||
|
||||
for lib in $libraries
|
||||
do
|
||||
libdir=`dirname $lib`
|
||||
echo "Trying libcrypto $lib" >>findssl.log
|
||||
${CC} ${STATIC} -o conftest conftest.c -L${libdir} -lcrypto 2>>findssl.log
|
||||
if [ -x ./conftest ]
|
||||
then
|
||||
ver=`./conftest 2>/dev/null`
|
||||
rm -f ./conftest
|
||||
echo "$ver $lib"
|
||||
fi
|
||||
done
|
||||
|
||||
#
|
||||
# Clean up
|
||||
#
|
||||
rm -f conftest.c
|
171
crypto/openssh/contrib/gnome-ssh-askpass1.c
Normal file
171
crypto/openssh/contrib/gnome-ssh-askpass1.c
Normal file
@ -0,0 +1,171 @@
|
||||
/*
|
||||
* Copyright (c) 2000-2002 Damien Miller. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/*
|
||||
* This is a simple GNOME SSH passphrase grabber. To use it, set the
|
||||
* environment variable SSH_ASKPASS to point to the location of
|
||||
* gnome-ssh-askpass before calling "ssh-add < /dev/null".
|
||||
*
|
||||
* There is only two run-time options: if you set the environment variable
|
||||
* "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
|
||||
* the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
|
||||
* pointer will be grabbed too. These may have some benefit to security if
|
||||
* you don't trust your X server. We grab the keyboard always.
|
||||
*/
|
||||
|
||||
/*
|
||||
* Compile with:
|
||||
*
|
||||
* cc `gnome-config --cflags gnome gnomeui` \
|
||||
* gnome-ssh-askpass1.c -o gnome-ssh-askpass \
|
||||
* `gnome-config --libs gnome gnomeui`
|
||||
*
|
||||
*/
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <gnome.h>
|
||||
#include <X11/Xlib.h>
|
||||
#include <gdk/gdkx.h>
|
||||
|
||||
void
|
||||
report_failed_grab (void)
|
||||
{
|
||||
GtkWidget *err;
|
||||
|
||||
err = gnome_message_box_new("Could not grab keyboard or mouse.\n"
|
||||
"A malicious client may be eavesdropping on your session.",
|
||||
GNOME_MESSAGE_BOX_ERROR, "EXIT", NULL);
|
||||
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
|
||||
gtk_object_set(GTK_OBJECT(err), "type", GTK_WINDOW_POPUP, NULL);
|
||||
|
||||
gnome_dialog_run_and_close(GNOME_DIALOG(err));
|
||||
}
|
||||
|
||||
int
|
||||
passphrase_dialog(char *message)
|
||||
{
|
||||
char *passphrase;
|
||||
char **messages;
|
||||
int result, i, grab_server, grab_pointer;
|
||||
GtkWidget *dialog, *entry, *label;
|
||||
|
||||
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
|
||||
grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
|
||||
|
||||
dialog = gnome_dialog_new("OpenSSH", GNOME_STOCK_BUTTON_OK,
|
||||
GNOME_STOCK_BUTTON_CANCEL, NULL);
|
||||
|
||||
messages = g_strsplit(message, "\\n", 0);
|
||||
if (messages)
|
||||
for(i = 0; messages[i]; i++) {
|
||||
label = gtk_label_new(messages[i]);
|
||||
gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox),
|
||||
label, FALSE, FALSE, 0);
|
||||
}
|
||||
|
||||
entry = gtk_entry_new();
|
||||
gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE,
|
||||
FALSE, 0);
|
||||
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
|
||||
gtk_widget_grab_focus(entry);
|
||||
|
||||
/* Center window and prepare for grab */
|
||||
gtk_object_set(GTK_OBJECT(dialog), "type", GTK_WINDOW_POPUP, NULL);
|
||||
gnome_dialog_set_default(GNOME_DIALOG(dialog), 0);
|
||||
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
|
||||
gtk_window_set_policy(GTK_WINDOW(dialog), FALSE, FALSE, TRUE);
|
||||
gnome_dialog_close_hides(GNOME_DIALOG(dialog), TRUE);
|
||||
gtk_container_set_border_width(GTK_CONTAINER(GNOME_DIALOG(dialog)->vbox),
|
||||
GNOME_PAD);
|
||||
gtk_widget_show_all(dialog);
|
||||
|
||||
/* Grab focus */
|
||||
if (grab_server)
|
||||
XGrabServer(GDK_DISPLAY());
|
||||
if (grab_pointer && gdk_pointer_grab(dialog->window, TRUE, 0,
|
||||
NULL, NULL, GDK_CURRENT_TIME))
|
||||
goto nograb;
|
||||
if (gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME))
|
||||
goto nograbkb;
|
||||
|
||||
/* Make <enter> close dialog */
|
||||
gnome_dialog_editable_enters(GNOME_DIALOG(dialog), GTK_EDITABLE(entry));
|
||||
|
||||
/* Run dialog */
|
||||
result = gnome_dialog_run(GNOME_DIALOG(dialog));
|
||||
|
||||
/* Ungrab */
|
||||
if (grab_server)
|
||||
XUngrabServer(GDK_DISPLAY());
|
||||
if (grab_pointer)
|
||||
gdk_pointer_ungrab(GDK_CURRENT_TIME);
|
||||
gdk_keyboard_ungrab(GDK_CURRENT_TIME);
|
||||
gdk_flush();
|
||||
|
||||
/* Report passphrase if user selected OK */
|
||||
passphrase = gtk_entry_get_text(GTK_ENTRY(entry));
|
||||
if (result == 0)
|
||||
puts(passphrase);
|
||||
|
||||
/* Zero passphrase in memory */
|
||||
memset(passphrase, '\0', strlen(passphrase));
|
||||
gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
|
||||
|
||||
gnome_dialog_close(GNOME_DIALOG(dialog));
|
||||
return (result == 0 ? 0 : -1);
|
||||
|
||||
/* At least one grab failed - ungrab what we got, and report
|
||||
the failure to the user. Note that XGrabServer() cannot
|
||||
fail. */
|
||||
nograbkb:
|
||||
gdk_pointer_ungrab(GDK_CURRENT_TIME);
|
||||
nograb:
|
||||
if (grab_server)
|
||||
XUngrabServer(GDK_DISPLAY());
|
||||
gnome_dialog_close(GNOME_DIALOG(dialog));
|
||||
|
||||
report_failed_grab();
|
||||
return (-1);
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
char *message;
|
||||
int result;
|
||||
|
||||
gnome_init("GNOME ssh-askpass", "0.1", argc, argv);
|
||||
|
||||
if (argc == 2)
|
||||
message = argv[1];
|
||||
else
|
||||
message = "Enter your OpenSSH passphrase:";
|
||||
|
||||
setvbuf(stdout, 0, _IONBF, 0);
|
||||
result = passphrase_dialog(message);
|
||||
|
||||
return (result);
|
||||
}
|
223
crypto/openssh/contrib/gnome-ssh-askpass2.c
Normal file
223
crypto/openssh/contrib/gnome-ssh-askpass2.c
Normal file
@ -0,0 +1,223 @@
|
||||
/*
|
||||
* Copyright (c) 2000-2002 Damien Miller. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/* GTK2 support by Nalin Dahyabhai <nalin@redhat.com> */
|
||||
|
||||
/*
|
||||
* This is a simple GNOME SSH passphrase grabber. To use it, set the
|
||||
* environment variable SSH_ASKPASS to point to the location of
|
||||
* gnome-ssh-askpass before calling "ssh-add < /dev/null".
|
||||
*
|
||||
* There is only two run-time options: if you set the environment variable
|
||||
* "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
|
||||
* the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
|
||||
* pointer will be grabbed too. These may have some benefit to security if
|
||||
* you don't trust your X server. We grab the keyboard always.
|
||||
*/
|
||||
|
||||
#define GRAB_TRIES 16
|
||||
#define GRAB_WAIT 250 /* milliseconds */
|
||||
|
||||
/*
|
||||
* Compile with:
|
||||
*
|
||||
* cc -Wall `pkg-config --cflags gtk+-2.0` \
|
||||
* gnome-ssh-askpass2.c -o gnome-ssh-askpass \
|
||||
* `pkg-config --libs gtk+-2.0`
|
||||
*
|
||||
*/
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <X11/Xlib.h>
|
||||
#include <gtk/gtk.h>
|
||||
#include <gdk/gdkx.h>
|
||||
|
||||
static void
|
||||
report_failed_grab (const char *what)
|
||||
{
|
||||
GtkWidget *err;
|
||||
|
||||
err = gtk_message_dialog_new(NULL, 0,
|
||||
GTK_MESSAGE_ERROR,
|
||||
GTK_BUTTONS_CLOSE,
|
||||
"Could not grab %s. "
|
||||
"A malicious client may be eavesdropping "
|
||||
"on your session.", what);
|
||||
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
|
||||
gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label),
|
||||
TRUE);
|
||||
|
||||
gtk_dialog_run(GTK_DIALOG(err));
|
||||
|
||||
gtk_widget_destroy(err);
|
||||
}
|
||||
|
||||
static void
|
||||
ok_dialog(GtkWidget *entry, gpointer dialog)
|
||||
{
|
||||
g_return_if_fail(GTK_IS_DIALOG(dialog));
|
||||
gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
|
||||
}
|
||||
|
||||
static int
|
||||
passphrase_dialog(char *message)
|
||||
{
|
||||
const char *failed;
|
||||
char *passphrase, *local;
|
||||
int result, grab_tries, grab_server, grab_pointer;
|
||||
GtkWidget *dialog, *entry;
|
||||
GdkGrabStatus status;
|
||||
|
||||
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
|
||||
grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
|
||||
grab_tries = 0;
|
||||
|
||||
dialog = gtk_message_dialog_new(NULL, 0,
|
||||
GTK_MESSAGE_QUESTION,
|
||||
GTK_BUTTONS_OK_CANCEL,
|
||||
"%s",
|
||||
message);
|
||||
|
||||
entry = gtk_entry_new();
|
||||
gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE,
|
||||
FALSE, 0);
|
||||
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
|
||||
gtk_widget_grab_focus(entry);
|
||||
gtk_widget_show(entry);
|
||||
|
||||
gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
|
||||
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
|
||||
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
|
||||
gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(dialog))->label),
|
||||
TRUE);
|
||||
|
||||
/* Make <enter> close dialog */
|
||||
gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
|
||||
g_signal_connect(G_OBJECT(entry), "activate",
|
||||
G_CALLBACK(ok_dialog), dialog);
|
||||
|
||||
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
|
||||
|
||||
/* Grab focus */
|
||||
gtk_widget_show_now(dialog);
|
||||
if (grab_pointer) {
|
||||
for(;;) {
|
||||
status = gdk_pointer_grab(
|
||||
(GTK_WIDGET(dialog))->window, TRUE, 0, NULL,
|
||||
NULL, GDK_CURRENT_TIME);
|
||||
if (status == GDK_GRAB_SUCCESS)
|
||||
break;
|
||||
usleep(GRAB_WAIT * 1000);
|
||||
if (++grab_tries > GRAB_TRIES) {
|
||||
failed = "mouse";
|
||||
goto nograb;
|
||||
}
|
||||
}
|
||||
}
|
||||
for(;;) {
|
||||
status = gdk_keyboard_grab((GTK_WIDGET(dialog))->window,
|
||||
FALSE, GDK_CURRENT_TIME);
|
||||
if (status == GDK_GRAB_SUCCESS)
|
||||
break;
|
||||
usleep(GRAB_WAIT * 1000);
|
||||
if (++grab_tries > GRAB_TRIES) {
|
||||
failed = "keyboard";
|
||||
goto nograbkb;
|
||||
}
|
||||
}
|
||||
if (grab_server) {
|
||||
gdk_x11_grab_server();
|
||||
}
|
||||
|
||||
result = gtk_dialog_run(GTK_DIALOG(dialog));
|
||||
|
||||
/* Ungrab */
|
||||
if (grab_server)
|
||||
XUngrabServer(GDK_DISPLAY());
|
||||
if (grab_pointer)
|
||||
gdk_pointer_ungrab(GDK_CURRENT_TIME);
|
||||
gdk_keyboard_ungrab(GDK_CURRENT_TIME);
|
||||
gdk_flush();
|
||||
|
||||
/* Report passphrase if user selected OK */
|
||||
passphrase = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry)));
|
||||
if (result == GTK_RESPONSE_OK) {
|
||||
local = g_locale_from_utf8(passphrase, strlen(passphrase),
|
||||
NULL, NULL, NULL);
|
||||
if (local != NULL) {
|
||||
puts(local);
|
||||
memset(local, '\0', strlen(local));
|
||||
g_free(local);
|
||||
} else {
|
||||
puts(passphrase);
|
||||
}
|
||||
}
|
||||
|
||||
/* Zero passphrase in memory */
|
||||
memset(passphrase, '\b', strlen(passphrase));
|
||||
gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
|
||||
memset(passphrase, '\0', strlen(passphrase));
|
||||
g_free(passphrase);
|
||||
|
||||
gtk_widget_destroy(dialog);
|
||||
return (result == GTK_RESPONSE_OK ? 0 : -1);
|
||||
|
||||
/* At least one grab failed - ungrab what we got, and report
|
||||
the failure to the user. Note that XGrabServer() cannot
|
||||
fail. */
|
||||
nograbkb:
|
||||
gdk_pointer_ungrab(GDK_CURRENT_TIME);
|
||||
nograb:
|
||||
if (grab_server)
|
||||
XUngrabServer(GDK_DISPLAY());
|
||||
gtk_widget_destroy(dialog);
|
||||
|
||||
report_failed_grab(failed);
|
||||
|
||||
return (-1);
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
char *message;
|
||||
int result;
|
||||
|
||||
gtk_init(&argc, &argv);
|
||||
|
||||
if (argc > 1) {
|
||||
message = g_strjoinv(" ", argv + 1);
|
||||
} else {
|
||||
message = g_strdup("Enter your OpenSSH passphrase:");
|
||||
}
|
||||
|
||||
setvbuf(stdout, 0, _IONBF, 0);
|
||||
result = passphrase_dialog(message);
|
||||
g_free(message);
|
||||
|
||||
return (result);
|
||||
}
|
45
crypto/openssh/contrib/hpux/README
Normal file
45
crypto/openssh/contrib/hpux/README
Normal file
@ -0,0 +1,45 @@
|
||||
README for OpenSSH HP-UX contrib files
|
||||
Kevin Steves <stevesk@pobox.com>
|
||||
|
||||
sshd: configuration file for sshd.rc
|
||||
sshd.rc: SSH startup script
|
||||
egd: configuration file for egd.rc
|
||||
egd.rc: EGD (entropy gathering daemon) startup script
|
||||
|
||||
To install:
|
||||
|
||||
sshd.rc:
|
||||
|
||||
o Verify paths in sshd.rc match your local installation
|
||||
(WHAT_PATH and WHAT_PID)
|
||||
o Customize sshd if needed (SSHD_ARGS)
|
||||
o Install:
|
||||
|
||||
# cp sshd /etc/rc.config.d
|
||||
# chmod 444 /etc/rc.config.d/sshd
|
||||
# cp sshd.rc /sbin/init.d
|
||||
# chmod 555 /sbin/init.d/sshd.rc
|
||||
# ln -s /sbin/init.d/sshd.rc /sbin/rc1.d/K100sshd
|
||||
# ln -s /sbin/init.d/sshd.rc /sbin/rc2.d/S900sshd
|
||||
|
||||
egd.rc:
|
||||
|
||||
o Verify egd.pl path in egd.rc matches your local installation
|
||||
(WHAT_PATH)
|
||||
o Customize egd if needed (EGD_ARGS and EGD_LOG)
|
||||
o Add pseudo account:
|
||||
|
||||
# groupadd egd
|
||||
# useradd -g egd egd
|
||||
# mkdir -p /etc/opt/egd
|
||||
# chown egd:egd /etc/opt/egd
|
||||
# chmod 711 /etc/opt/egd
|
||||
|
||||
o Install:
|
||||
|
||||
# cp egd /etc/rc.config.d
|
||||
# chmod 444 /etc/rc.config.d/egd
|
||||
# cp egd.rc /sbin/init.d
|
||||
# chmod 555 /sbin/init.d/egd.rc
|
||||
# ln -s /sbin/init.d/egd.rc /sbin/rc1.d/K600egd
|
||||
# ln -s /sbin/init.d/egd.rc /sbin/rc2.d/S400egd
|
15
crypto/openssh/contrib/hpux/egd
Normal file
15
crypto/openssh/contrib/hpux/egd
Normal file
@ -0,0 +1,15 @@
|
||||
# EGD_START: Set to 1 to start entropy gathering daemon
|
||||
# EGD_ARGS: Command line arguments to pass to egd
|
||||
# EGD_LOG: EGD stdout and stderr log file (default /etc/opt/egd/egd.log)
|
||||
#
|
||||
# To configure the egd environment:
|
||||
|
||||
# groupadd egd
|
||||
# useradd -g egd egd
|
||||
# mkdir -p /etc/opt/egd
|
||||
# chown egd:egd /etc/opt/egd
|
||||
# chmod 711 /etc/opt/egd
|
||||
|
||||
EGD_START=1
|
||||
EGD_ARGS='/etc/opt/egd/entropy'
|
||||
EGD_LOG=
|
98
crypto/openssh/contrib/hpux/egd.rc
Executable file
98
crypto/openssh/contrib/hpux/egd.rc
Executable file
@ -0,0 +1,98 @@
|
||||
#!/sbin/sh
|
||||
|
||||
#
|
||||
# egd.rc: EGD start-up and shutdown script
|
||||
#
|
||||
|
||||
# Allowed exit values:
|
||||
# 0 = success; causes "OK" to show up in checklist.
|
||||
# 1 = failure; causes "FAIL" to show up in checklist.
|
||||
# 2 = skip; causes "N/A" to show up in the checklist.
|
||||
# Use this value if execution of this script is overridden
|
||||
# by the use of a control variable, or if this script is not
|
||||
# appropriate to execute for some other reason.
|
||||
# 3 = reboot; causes the system to be rebooted after execution.
|
||||
|
||||
# Input and output:
|
||||
# stdin is redirected from /dev/null
|
||||
#
|
||||
# stdout and stderr are redirected to the /etc/rc.log file
|
||||
# during checklist mode, or to the console in raw mode.
|
||||
|
||||
umask 022
|
||||
|
||||
PATH=/usr/sbin:/usr/bin:/sbin
|
||||
export PATH
|
||||
|
||||
WHAT='EGD (entropy gathering daemon)'
|
||||
WHAT_PATH=/opt/perl/bin/egd.pl
|
||||
WHAT_CONFIG=/etc/rc.config.d/egd
|
||||
WHAT_LOG=/etc/opt/egd/egd.log
|
||||
|
||||
# NOTE: If your script executes in run state 0 or state 1, then /usr might
|
||||
# not be available. Do not attempt to access commands or files in
|
||||
# /usr unless your script executes in run state 2 or greater. Other
|
||||
# file systems typically not mounted until run state 2 include /var
|
||||
# and /opt.
|
||||
|
||||
rval=0
|
||||
|
||||
# Check the exit value of a command run by this script. If non-zero, the
|
||||
# exit code is echoed to the log file and the return value of this script
|
||||
# is set to indicate failure.
|
||||
|
||||
set_return() {
|
||||
x=$?
|
||||
if [ $x -ne 0 ]; then
|
||||
echo "EXIT CODE: $x"
|
||||
rval=1 # script FAILed
|
||||
fi
|
||||
}
|
||||
|
||||
case $1 in
|
||||
'start_msg')
|
||||
echo "Starting $WHAT"
|
||||
;;
|
||||
|
||||
'stop_msg')
|
||||
echo "Stopping $WHAT"
|
||||
;;
|
||||
|
||||
'start')
|
||||
if [ -f $WHAT_CONFIG ] ; then
|
||||
. $WHAT_CONFIG
|
||||
else
|
||||
echo "ERROR: $WHAT_CONFIG defaults file MISSING"
|
||||
fi
|
||||
|
||||
|
||||
if [ "$EGD_START" -eq 1 -a -x $WHAT_PATH ]; then
|
||||
EGD_LOG=${EGD_LOG:-$WHAT_LOG}
|
||||
su egd -c "nohup $WHAT_PATH $EGD_ARGS >$EGD_LOG 2>&1" &&
|
||||
echo $WHAT started
|
||||
set_return
|
||||
else
|
||||
rval=2
|
||||
fi
|
||||
;;
|
||||
|
||||
'stop')
|
||||
pid=`ps -fuegd | awk '$1 == "egd" { print $2 }'`
|
||||
if [ "X$pid" != "X" ]; then
|
||||
if kill "$pid"; then
|
||||
echo "$WHAT stopped"
|
||||
else
|
||||
rval=1
|
||||
echo "Unable to stop $WHAT"
|
||||
fi
|
||||
fi
|
||||
set_return
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "usage: $0 {start|stop|start_msg|stop_msg}"
|
||||
rval=1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit $rval
|
5
crypto/openssh/contrib/hpux/sshd
Normal file
5
crypto/openssh/contrib/hpux/sshd
Normal file
@ -0,0 +1,5 @@
|
||||
# SSHD_START: Set to 1 to start SSH daemon
|
||||
# SSHD_ARGS: Command line arguments to pass to sshd
|
||||
#
|
||||
SSHD_START=1
|
||||
SSHD_ARGS=
|
90
crypto/openssh/contrib/hpux/sshd.rc
Executable file
90
crypto/openssh/contrib/hpux/sshd.rc
Executable file
@ -0,0 +1,90 @@
|
||||
#!/sbin/sh
|
||||
|
||||
#
|
||||
# sshd.rc: SSH daemon start-up and shutdown script
|
||||
#
|
||||
|
||||
# Allowed exit values:
|
||||
# 0 = success; causes "OK" to show up in checklist.
|
||||
# 1 = failure; causes "FAIL" to show up in checklist.
|
||||
# 2 = skip; causes "N/A" to show up in the checklist.
|
||||
# Use this value if execution of this script is overridden
|
||||
# by the use of a control variable, or if this script is not
|
||||
# appropriate to execute for some other reason.
|
||||
# 3 = reboot; causes the system to be rebooted after execution.
|
||||
|
||||
# Input and output:
|
||||
# stdin is redirected from /dev/null
|
||||
#
|
||||
# stdout and stderr are redirected to the /etc/rc.log file
|
||||
# during checklist mode, or to the console in raw mode.
|
||||
|
||||
PATH=/usr/sbin:/usr/bin:/sbin
|
||||
export PATH
|
||||
|
||||
WHAT='OpenSSH'
|
||||
WHAT_PATH=/opt/openssh/sbin/sshd
|
||||
WHAT_PID=/var/run/sshd.pid
|
||||
WHAT_CONFIG=/etc/rc.config.d/sshd
|
||||
|
||||
# NOTE: If your script executes in run state 0 or state 1, then /usr might
|
||||
# not be available. Do not attempt to access commands or files in
|
||||
# /usr unless your script executes in run state 2 or greater. Other
|
||||
# file systems typically not mounted until run state 2 include /var
|
||||
# and /opt.
|
||||
|
||||
rval=0
|
||||
|
||||
# Check the exit value of a command run by this script. If non-zero, the
|
||||
# exit code is echoed to the log file and the return value of this script
|
||||
# is set to indicate failure.
|
||||
|
||||
set_return() {
|
||||
x=$?
|
||||
if [ $x -ne 0 ]; then
|
||||
echo "EXIT CODE: $x"
|
||||
rval=1 # script FAILed
|
||||
fi
|
||||
}
|
||||
|
||||
case $1 in
|
||||
'start_msg')
|
||||
echo "Starting $WHAT"
|
||||
;;
|
||||
|
||||
'stop_msg')
|
||||
echo "Stopping $WHAT"
|
||||
;;
|
||||
|
||||
'start')
|
||||
if [ -f $WHAT_CONFIG ] ; then
|
||||
. $WHAT_CONFIG
|
||||
else
|
||||
echo "ERROR: $WHAT_CONFIG defaults file MISSING"
|
||||
fi
|
||||
|
||||
if [ "$SSHD_START" -eq 1 -a -x "$WHAT_PATH" ]; then
|
||||
$WHAT_PATH $SSHD_ARGS && echo "$WHAT started"
|
||||
set_return
|
||||
else
|
||||
rval=2
|
||||
fi
|
||||
;;
|
||||
|
||||
'stop')
|
||||
if kill `cat $WHAT_PID`; then
|
||||
echo "$WHAT stopped"
|
||||
else
|
||||
rval=1
|
||||
echo "Unable to stop $WHAT"
|
||||
fi
|
||||
set_return
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "usage: $0 {start|stop|start_msg|stop_msg}"
|
||||
rval=1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit $rval
|
1
crypto/openssh/contrib/redhat/gnome-ssh-askpass.csh
Normal file
1
crypto/openssh/contrib/redhat/gnome-ssh-askpass.csh
Normal file
@ -0,0 +1 @@
|
||||
setenv SSH_ASKPASS /usr/libexec/openssh/gnome-ssh-askpass
|
2
crypto/openssh/contrib/redhat/gnome-ssh-askpass.sh
Executable file
2
crypto/openssh/contrib/redhat/gnome-ssh-askpass.sh
Executable file
@ -0,0 +1,2 @@
|
||||
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
|
||||
export SSH_ASKPASS
|
812
crypto/openssh/contrib/redhat/openssh.spec
Normal file
812
crypto/openssh/contrib/redhat/openssh.spec
Normal file
@ -0,0 +1,812 @@
|
||||
%define ver 6.3p1
|
||||
%define rel 1
|
||||
|
||||
# OpenSSH privilege separation requires a user & group ID
|
||||
%define sshd_uid 74
|
||||
%define sshd_gid 74
|
||||
|
||||
# Version of ssh-askpass
|
||||
%define aversion 1.2.4.1
|
||||
|
||||
# Do we want to disable building of x11-askpass? (1=yes 0=no)
|
||||
%define no_x11_askpass 0
|
||||
|
||||
# Do we want to disable building of gnome-askpass? (1=yes 0=no)
|
||||
%define no_gnome_askpass 0
|
||||
|
||||
# Do we want to link against a static libcrypto? (1=yes 0=no)
|
||||
%define static_libcrypto 0
|
||||
|
||||
# Do we want smartcard support (1=yes 0=no)
|
||||
%define scard 0
|
||||
|
||||
# Use GTK2 instead of GNOME in gnome-ssh-askpass
|
||||
%define gtk2 1
|
||||
|
||||
# Is this build for RHL 6.x?
|
||||
%define build6x 0
|
||||
|
||||
# Do we want kerberos5 support (1=yes 0=no)
|
||||
%define kerberos5 1
|
||||
|
||||
# Reserve options to override askpass settings with:
|
||||
# rpm -ba|--rebuild --define 'skip_xxx 1'
|
||||
%{?skip_x11_askpass:%define no_x11_askpass 1}
|
||||
%{?skip_gnome_askpass:%define no_gnome_askpass 1}
|
||||
|
||||
# Add option to build without GTK2 for older platforms with only GTK+.
|
||||
# RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples.
|
||||
# rpm -ba|--rebuild --define 'no_gtk2 1'
|
||||
%{?no_gtk2:%define gtk2 0}
|
||||
|
||||
# Is this a build for RHL 6.x or earlier?
|
||||
%{?build_6x:%define build6x 1}
|
||||
|
||||
# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
|
||||
%if %{build6x}
|
||||
%define _sysconfdir /etc
|
||||
%endif
|
||||
|
||||
# Options for static OpenSSL link:
|
||||
# rpm -ba|--rebuild --define "static_openssl 1"
|
||||
%{?static_openssl:%define static_libcrypto 1}
|
||||
|
||||
# Options for Smartcard support: (needs libsectok and openssl-engine)
|
||||
# rpm -ba|--rebuild --define "smartcard 1"
|
||||
%{?smartcard:%define scard 1}
|
||||
|
||||
# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
|
||||
%define rescue 0
|
||||
%{?build_rescue:%define rescue 1}
|
||||
|
||||
# Turn off some stuff for resuce builds
|
||||
%if %{rescue}
|
||||
%define kerberos5 0
|
||||
%endif
|
||||
|
||||
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
|
||||
Name: openssh
|
||||
Version: %{ver}
|
||||
%if %{rescue}
|
||||
Release: %{rel}rescue
|
||||
%else
|
||||
Release: %{rel}
|
||||
%endif
|
||||
URL: http://www.openssh.com/portable.html
|
||||
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||
%if ! %{no_x11_askpass}
|
||||
Source1: http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
|
||||
%endif
|
||||
License: BSD
|
||||
Group: Applications/Internet
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
|
||||
Obsoletes: ssh
|
||||
%if %{build6x}
|
||||
PreReq: initscripts >= 5.00
|
||||
%else
|
||||
Requires: initscripts >= 5.20
|
||||
%endif
|
||||
BuildRequires: perl, openssl-devel, tcp_wrappers
|
||||
BuildRequires: /bin/login
|
||||
%if ! %{build6x}
|
||||
BuildPreReq: glibc-devel, pam
|
||||
%else
|
||||
BuildRequires: /usr/include/security/pam_appl.h
|
||||
%endif
|
||||
%if ! %{no_x11_askpass}
|
||||
BuildRequires: /usr/include/X11/Xlib.h
|
||||
%endif
|
||||
%if ! %{no_gnome_askpass}
|
||||
BuildRequires: pkgconfig
|
||||
%endif
|
||||
%if %{kerberos5}
|
||||
BuildRequires: krb5-devel
|
||||
BuildRequires: krb5-libs
|
||||
%endif
|
||||
|
||||
%package clients
|
||||
Summary: OpenSSH clients.
|
||||
Requires: openssh = %{version}-%{release}
|
||||
Group: Applications/Internet
|
||||
Obsoletes: ssh-clients
|
||||
|
||||
%package server
|
||||
Summary: The OpenSSH server daemon.
|
||||
Group: System Environment/Daemons
|
||||
Obsoletes: ssh-server
|
||||
Requires: openssh = %{version}-%{release}, chkconfig >= 0.9
|
||||
%if ! %{build6x}
|
||||
Requires: /etc/pam.d/system-auth
|
||||
%endif
|
||||
|
||||
%package askpass
|
||||
Summary: A passphrase dialog for OpenSSH and X.
|
||||
Group: Applications/Internet
|
||||
Requires: openssh = %{version}-%{release}
|
||||
Obsoletes: ssh-extras
|
||||
|
||||
%package askpass-gnome
|
||||
Summary: A passphrase dialog for OpenSSH, X, and GNOME.
|
||||
Group: Applications/Internet
|
||||
Requires: openssh = %{version}-%{release}
|
||||
Obsoletes: ssh-extras
|
||||
|
||||
%description
|
||||
SSH (Secure SHell) is a program for logging into and executing
|
||||
commands on a remote machine. SSH is intended to replace rlogin and
|
||||
rsh, and to provide secure encrypted communications between two
|
||||
untrusted hosts over an insecure network. X11 connections and
|
||||
arbitrary TCP/IP ports can also be forwarded over the secure channel.
|
||||
|
||||
OpenSSH is OpenBSD's version of the last free version of SSH, bringing
|
||||
it up to date in terms of security and features, as well as removing
|
||||
all patented algorithms to separate libraries.
|
||||
|
||||
This package includes the core files necessary for both the OpenSSH
|
||||
client and server. To make this package useful, you should also
|
||||
install openssh-clients, openssh-server, or both.
|
||||
|
||||
%description clients
|
||||
OpenSSH is a free version of SSH (Secure SHell), a program for logging
|
||||
into and executing commands on a remote machine. This package includes
|
||||
the clients necessary to make encrypted connections to SSH servers.
|
||||
You'll also need to install the openssh package on OpenSSH clients.
|
||||
|
||||
%description server
|
||||
OpenSSH is a free version of SSH (Secure SHell), a program for logging
|
||||
into and executing commands on a remote machine. This package contains
|
||||
the secure shell daemon (sshd). The sshd daemon allows SSH clients to
|
||||
securely connect to your SSH server. You also need to have the openssh
|
||||
package installed.
|
||||
|
||||
%description askpass
|
||||
OpenSSH is a free version of SSH (Secure SHell), a program for logging
|
||||
into and executing commands on a remote machine. This package contains
|
||||
an X11 passphrase dialog for OpenSSH.
|
||||
|
||||
%description askpass-gnome
|
||||
OpenSSH is a free version of SSH (Secure SHell), a program for logging
|
||||
into and executing commands on a remote machine. This package contains
|
||||
an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop
|
||||
environment.
|
||||
|
||||
%prep
|
||||
|
||||
%if ! %{no_x11_askpass}
|
||||
%setup -q -a 1
|
||||
%else
|
||||
%setup -q
|
||||
%endif
|
||||
|
||||
%build
|
||||
%if %{rescue}
|
||||
CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
|
||||
%endif
|
||||
|
||||
%if %{kerberos5}
|
||||
K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | sed 's,\/include\/krb5.h,,'`
|
||||
echo K5DIR=$K5DIR
|
||||
%endif
|
||||
|
||||
%configure \
|
||||
--sysconfdir=%{_sysconfdir}/ssh \
|
||||
--libexecdir=%{_libexecdir}/openssh \
|
||||
--datadir=%{_datadir}/openssh \
|
||||
--with-tcp-wrappers \
|
||||
--with-rsh=%{_bindir}/rsh \
|
||||
--with-default-path=/usr/local/bin:/bin:/usr/bin \
|
||||
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
|
||||
--with-privsep-path=%{_var}/empty/sshd \
|
||||
--with-md5-passwords \
|
||||
%if %{scard}
|
||||
--with-smartcard \
|
||||
%endif
|
||||
%if %{rescue}
|
||||
--without-pam \
|
||||
%else
|
||||
--with-pam \
|
||||
%endif
|
||||
%if %{kerberos5}
|
||||
--with-kerberos5=$K5DIR \
|
||||
%endif
|
||||
|
||||
|
||||
%if %{static_libcrypto}
|
||||
perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
|
||||
%endif
|
||||
|
||||
make
|
||||
|
||||
%if ! %{no_x11_askpass}
|
||||
pushd x11-ssh-askpass-%{aversion}
|
||||
%configure --libexecdir=%{_libexecdir}/openssh
|
||||
xmkmf -a
|
||||
make
|
||||
popd
|
||||
%endif
|
||||
|
||||
# Define a variable to toggle gnome1/gtk2 building. This is necessary
|
||||
# because RPM doesn't handle nested %if statements.
|
||||
%if %{gtk2}
|
||||
gtk2=yes
|
||||
%else
|
||||
gtk2=no
|
||||
%endif
|
||||
|
||||
%if ! %{no_gnome_askpass}
|
||||
pushd contrib
|
||||
if [ $gtk2 = yes ] ; then
|
||||
make gnome-ssh-askpass2
|
||||
mv gnome-ssh-askpass2 gnome-ssh-askpass
|
||||
else
|
||||
make gnome-ssh-askpass1
|
||||
mv gnome-ssh-askpass1 gnome-ssh-askpass
|
||||
fi
|
||||
popd
|
||||
%endif
|
||||
|
||||
%install
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
|
||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
|
||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
|
||||
|
||||
make install DESTDIR=$RPM_BUILD_ROOT
|
||||
|
||||
install -d $RPM_BUILD_ROOT/etc/pam.d/
|
||||
install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
|
||||
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
|
||||
%if %{build6x}
|
||||
install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd
|
||||
%else
|
||||
install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
|
||||
%endif
|
||||
install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
|
||||
|
||||
%if ! %{no_x11_askpass}
|
||||
install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass
|
||||
ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
|
||||
%endif
|
||||
|
||||
%if ! %{no_gnome_askpass}
|
||||
install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
|
||||
%endif
|
||||
|
||||
%if ! %{scard}
|
||||
rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin
|
||||
%endif
|
||||
|
||||
%if ! %{no_gnome_askpass}
|
||||
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
|
||||
install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
|
||||
install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
|
||||
%endif
|
||||
|
||||
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
|
||||
|
||||
%clean
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
%triggerun server -- ssh-server
|
||||
if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; then
|
||||
touch /var/run/sshd.restart
|
||||
fi
|
||||
|
||||
%triggerun server -- openssh-server < 2.5.0p1
|
||||
# Count the number of HostKey and HostDsaKey statements we have.
|
||||
gawk 'BEGIN {IGNORECASE=1}
|
||||
/^hostkey/ || /^hostdsakey/ {sawhostkey = sawhostkey + 1}
|
||||
END {exit sawhostkey}' /etc/ssh/sshd_config
|
||||
# And if we only found one, we know the client was relying on the old default
|
||||
# behavior, which loaded the the SSH2 DSA host key when HostDsaKey wasn't
|
||||
# specified. Now that HostKey is used for both SSH1 and SSH2 keys, specifying
|
||||
# one nullifies the default, which would have loaded both.
|
||||
if [ $? -eq 1 ] ; then
|
||||
echo HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_config
|
||||
echo HostKey /etc/ssh/ssh_host_dsa_key >> /etc/ssh/sshd_config
|
||||
fi
|
||||
|
||||
%triggerpostun server -- ssh-server
|
||||
if [ "$1" != 0 ] ; then
|
||||
/sbin/chkconfig --add sshd
|
||||
if test -f /var/run/sshd.restart ; then
|
||||
rm -f /var/run/sshd.restart
|
||||
/sbin/service sshd start > /dev/null 2>&1 || :
|
||||
fi
|
||||
fi
|
||||
|
||||
%pre server
|
||||
%{_sbindir}/groupadd -r -g %{sshd_gid} sshd 2>/dev/null || :
|
||||
%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
|
||||
-g sshd -M -r sshd 2>/dev/null || :
|
||||
|
||||
%post server
|
||||
/sbin/chkconfig --add sshd
|
||||
|
||||
%postun server
|
||||
/sbin/service sshd condrestart > /dev/null 2>&1 || :
|
||||
|
||||
%preun server
|
||||
if [ "$1" = 0 ]
|
||||
then
|
||||
/sbin/service sshd stop > /dev/null 2>&1 || :
|
||||
/sbin/chkconfig --del sshd
|
||||
fi
|
||||
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* PROTOCOL* TODO
|
||||
%attr(0755,root,root) %{_bindir}/scp
|
||||
%attr(0644,root,root) %{_mandir}/man1/scp.1*
|
||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
|
||||
%if ! %{rescue}
|
||||
%attr(0755,root,root) %{_bindir}/ssh-keygen
|
||||
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
|
||||
%attr(0755,root,root) %dir %{_libexecdir}/openssh
|
||||
%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign
|
||||
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
|
||||
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
|
||||
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
|
||||
%endif
|
||||
%if %{scard}
|
||||
%attr(0755,root,root) %dir %{_datadir}/openssh
|
||||
%attr(0644,root,root) %{_datadir}/openssh/Ssh.bin
|
||||
%endif
|
||||
|
||||
%files clients
|
||||
%defattr(-,root,root)
|
||||
%attr(0755,root,root) %{_bindir}/ssh
|
||||
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
|
||||
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
|
||||
%attr(-,root,root) %{_bindir}/slogin
|
||||
%attr(-,root,root) %{_mandir}/man1/slogin.1*
|
||||
%if ! %{rescue}
|
||||
%attr(2755,root,nobody) %{_bindir}/ssh-agent
|
||||
%attr(0755,root,root) %{_bindir}/ssh-add
|
||||
%attr(0755,root,root) %{_bindir}/ssh-keyscan
|
||||
%attr(0755,root,root) %{_bindir}/sftp
|
||||
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
|
||||
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
|
||||
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
|
||||
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
|
||||
%endif
|
||||
|
||||
%if ! %{rescue}
|
||||
%files server
|
||||
%defattr(-,root,root)
|
||||
%dir %attr(0111,root,root) %{_var}/empty/sshd
|
||||
%attr(0755,root,root) %{_sbindir}/sshd
|
||||
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
|
||||
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
|
||||
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
|
||||
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
|
||||
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
|
||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
||||
%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
|
||||
%attr(0755,root,root) %config /etc/rc.d/init.d/sshd
|
||||
%endif
|
||||
|
||||
%if ! %{no_x11_askpass}
|
||||
%files askpass
|
||||
%defattr(-,root,root)
|
||||
%doc x11-ssh-askpass-%{aversion}/README
|
||||
%doc x11-ssh-askpass-%{aversion}/ChangeLog
|
||||
%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad
|
||||
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
|
||||
%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass
|
||||
%endif
|
||||
|
||||
%if ! %{no_gnome_askpass}
|
||||
%files askpass-gnome
|
||||
%defattr(-,root,root)
|
||||
%attr(0755,root,root) %config %{_sysconfdir}/profile.d/gnome-ssh-askpass.*
|
||||
%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jul 14 2010 Tim Rice <tim@multitalents.net>
|
||||
- test for skip_x11_askpass (line 77) should have been for no_x11_askpass
|
||||
|
||||
* Mon Jun 2 2003 Damien Miller <djm@mindrot.org>
|
||||
- Remove noip6 option. This may be controlled at run-time in client config
|
||||
file using new AddressFamily directive
|
||||
|
||||
* Mon May 12 2003 Damien Miller <djm@mindrot.org>
|
||||
- Don't install profile.d scripts when not building with GNOME/GTK askpass
|
||||
(patch from bet@rahul.net)
|
||||
|
||||
* Wed Oct 01 2002 Damien Miller <djm@mindrot.org>
|
||||
- Install ssh-agent setgid nobody to prevent ptrace() key theft attacks
|
||||
|
||||
* Mon Sep 30 2002 Damien Miller <djm@mindrot.org>
|
||||
- Use contrib/ Makefile for building askpass programs
|
||||
|
||||
* Fri Jun 21 2002 Damien Miller <djm@mindrot.org>
|
||||
- Merge in spec changes from seba@iq.pl (Sebastian Pachuta)
|
||||
- Add new {ssh,sshd}_config.5 manpages
|
||||
- Add new ssh-keysign program and remove setuid from ssh client
|
||||
|
||||
* Fri May 10 2002 Damien Miller <djm@mindrot.org>
|
||||
- Merge in spec changes from RedHat, reorgansie a little
|
||||
- Add Privsep user, group and directory
|
||||
|
||||
* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-2
|
||||
- bump and grind (through the build system)
|
||||
|
||||
* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-1
|
||||
- require sharutils for building (mindrot #137)
|
||||
- require db1-devel only when building for 6.x (#55105), which probably won't
|
||||
work anyway (3.1 requires OpenSSL 0.9.6 to build), but what the heck
|
||||
- require pam-devel by file (not by package name) again
|
||||
- add Markus's patch to compile with OpenSSL 0.9.5a (from
|
||||
http://bugzilla.mindrot.org/show_bug.cgi?id=141) and apply it if we're
|
||||
building for 6.x
|
||||
|
||||
* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-0
|
||||
- update to 3.1p1
|
||||
|
||||
* Tue Mar 5 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020305
|
||||
- update to SNAP-20020305
|
||||
- drop debug patch, fixed upstream
|
||||
|
||||
* Wed Feb 20 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020220
|
||||
- update to SNAP-20020220 for testing purposes (you've been warned, if there's
|
||||
anything to be warned about, gss patches won't apply, I don't mind)
|
||||
|
||||
* Wed Feb 13 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-3
|
||||
- add patches from Simon Wilkinson and Nicolas Williams for GSSAPI key
|
||||
exchange, authentication, and named key support
|
||||
|
||||
* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-2
|
||||
- remove dependency on db1-devel, which has just been swallowed up whole
|
||||
by gnome-libs-devel
|
||||
|
||||
* Sun Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- adjust build dependencies so that build6x actually works right (fix
|
||||
from Hugo van der Kooij)
|
||||
|
||||
* Tue Dec 4 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-1
|
||||
- update to 3.0.2p1
|
||||
|
||||
* Fri Nov 16 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.1p1-1
|
||||
- update to 3.0.1p1
|
||||
|
||||
* Tue Nov 13 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- update to current CVS (not for use in distribution)
|
||||
|
||||
* Thu Nov 8 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0p1-1
|
||||
- merge some of Damien Miller <djm@mindrot.org> changes from the upstream
|
||||
3.0p1 spec file and init script
|
||||
|
||||
* Wed Nov 7 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- update to 3.0p1
|
||||
- update to x11-ssh-askpass 1.2.4.1
|
||||
- change build dependency on a file from pam-devel to the pam-devel package
|
||||
- replace primes with moduli
|
||||
|
||||
* Thu Sep 27 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-9
|
||||
- incorporate fix from Markus Friedl's advisory for IP-based authorization bugs
|
||||
|
||||
* Thu Sep 13 2001 Bernhard Rosenkraenzer <bero@redhat.com> 2.9p2-8
|
||||
- Merge changes to rescue build from current sysadmin survival cd
|
||||
|
||||
* Thu Sep 6 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-7
|
||||
- fix scp's server's reporting of file sizes, and build with the proper
|
||||
preprocessor define to get large-file capable open(), stat(), etc.
|
||||
(sftp has been doing this correctly all along) (#51827)
|
||||
- configure without --with-ipv4-default on RHL 7.x and newer (#45987,#52247)
|
||||
- pull cvs patch to fix support for /etc/nologin for non-PAM logins (#47298)
|
||||
- mark profile.d scriptlets as config files (#42337)
|
||||
- refer to Jason Stone's mail for zsh workaround for exit-hanging quasi-bug
|
||||
- change a couple of log() statements to debug() statements (#50751)
|
||||
- pull cvs patch to add -t flag to sshd (#28611)
|
||||
- clear fd_sets correctly (one bit per FD, not one byte per FD) (#43221)
|
||||
|
||||
* Mon Aug 20 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-6
|
||||
- add db1-devel as a BuildPrerequisite (noted by Hans Ecke)
|
||||
|
||||
* Thu Aug 16 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- pull cvs patch to fix remote port forwarding with protocol 2
|
||||
|
||||
* Thu Aug 9 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- pull cvs patch to add session initialization to no-pty sessions
|
||||
- pull cvs patch to not cut off challengeresponse auth needlessly
|
||||
- refuse to do X11 forwarding if xauth isn't there, handy if you enable
|
||||
it by default on a system that doesn't have X installed (#49263)
|
||||
|
||||
* Wed Aug 8 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- don't apply patches to code we don't intend to build (spotted by Matt Galgoci)
|
||||
|
||||
* Mon Aug 6 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- pass OPTIONS correctly to initlog (#50151)
|
||||
|
||||
* Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- switch to x11-ssh-askpass 1.2.2
|
||||
|
||||
* Wed Jul 11 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- rebuild in new environment
|
||||
|
||||
* Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- disable the gssapi patch
|
||||
|
||||
* Mon Jun 18 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- update to 2.9p2
|
||||
- refresh to a new version of the gssapi patch
|
||||
|
||||
* Thu Jun 7 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- change Copyright: BSD to License: BSD
|
||||
- add Markus Friedl's unverified patch for the cookie file deletion problem
|
||||
so that we can verify it
|
||||
- drop patch to check if xauth is present (was folded into cookie patch)
|
||||
- don't apply gssapi patches for the errata candidate
|
||||
- clear supplemental groups list at startup
|
||||
|
||||
* Fri May 25 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- fix an error parsing the new default sshd_config
|
||||
- add a fix from Markus Friedl (via openssh-unix-dev) for ssh-keygen not
|
||||
dealing with comments right
|
||||
|
||||
* Thu May 24 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- add in Simon Wilkinson's GSSAPI patch to give it some testing in-house,
|
||||
to be removed before the next beta cycle because it's a big departure
|
||||
from the upstream version
|
||||
|
||||
* Thu May 3 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- finish marking strings in the init script for translation
|
||||
- modify init script to source /etc/sysconfig/sshd and pass $OPTIONS to sshd
|
||||
at startup (change merged from openssh.com init script, originally by
|
||||
Pekka Savola)
|
||||
- refuse to do X11 forwarding if xauth isn't there, handy if you enable
|
||||
it by default on a system that doesn't have X installed
|
||||
|
||||
* Wed May 2 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- update to 2.9
|
||||
- drop various patches that came from or went upstream or to or from CVS
|
||||
|
||||
* Wed Apr 18 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- only require initscripts 5.00 on 6.2 (reported by Peter Bieringer)
|
||||
|
||||
* Sun Apr 8 2001 Preston Brown <pbrown@redhat.com>
|
||||
- remove explicit openssl requirement, fixes builddistro issue
|
||||
- make initscript stop() function wait until sshd really dead to avoid
|
||||
races in condrestart
|
||||
|
||||
* Mon Apr 2 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- mention that challengereponse supports PAM, so disabling password doesn't
|
||||
limit users to pubkey and rsa auth (#34378)
|
||||
- bypass the daemon() function in the init script and call initlog directly,
|
||||
because daemon() won't start a daemon it detects is already running (like
|
||||
open connections)
|
||||
- require the version of openssl we had when we were built
|
||||
|
||||
* Fri Mar 23 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- make do_pam_setcred() smart enough to know when to establish creds and
|
||||
when to reinitialize them
|
||||
- add in a couple of other fixes from Damien for inclusion in the errata
|
||||
|
||||
* Thu Mar 22 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- update to 2.5.2p2
|
||||
- call setcred() again after initgroups, because the "creds" could actually
|
||||
be group memberships
|
||||
|
||||
* Tue Mar 20 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- update to 2.5.2p1 (includes endianness fixes in the rijndael implementation)
|
||||
- don't enable challenge-response by default until we find a way to not
|
||||
have too many userauth requests (we may make up to six pubkey and up to
|
||||
three password attempts as it is)
|
||||
- remove build dependency on rsh to match openssh.com's packages more closely
|
||||
|
||||
* Sat Mar 3 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- remove dependency on openssl -- would need to be too precise
|
||||
|
||||
* Fri Mar 2 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- rebuild in new environment
|
||||
|
||||
* Mon Feb 26 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Revert the patch to move pam_open_session.
|
||||
- Init script and spec file changes from Pekka Savola. (#28750)
|
||||
- Patch sftp to recognize '-o protocol' arguments. (#29540)
|
||||
|
||||
* Thu Feb 22 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Chuck the closing patch.
|
||||
- Add a trigger to add host keys for protocol 2 to the config file, now that
|
||||
configuration file syntax requires us to specify it with HostKey if we
|
||||
specify any other HostKey values, which we do.
|
||||
|
||||
* Tue Feb 20 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Redo patch to move pam_open_session after the server setuid()s to the user.
|
||||
- Rework the nopam patch to use be picked up by autoconf.
|
||||
|
||||
* Mon Feb 19 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update for 2.5.1p1.
|
||||
- Add init script mods from Pekka Savola.
|
||||
- Tweak the init script to match the CVS contrib script more closely.
|
||||
- Redo patch to ssh-add to try to adding both identity and id_dsa to also try
|
||||
adding id_rsa.
|
||||
|
||||
* Fri Feb 16 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update for 2.5.0p1.
|
||||
- Use $RPM_OPT_FLAGS instead of -O when building gnome-ssh-askpass
|
||||
- Resync with parts of Damien Miller's openssh.spec from CVS, including
|
||||
update of x11 askpass to 1.2.0.
|
||||
- Only require openssl (don't prereq) because we generate keys in the init
|
||||
script now.
|
||||
|
||||
* Tue Feb 13 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Don't open a PAM session until we've forked and become the user (#25690).
|
||||
- Apply Andrew Bartlett's patch for letting pam_authenticate() know which
|
||||
host the user is attempting a login from.
|
||||
- Resync with parts of Damien Miller's openssh.spec from CVS.
|
||||
- Don't expose KbdInt responses in debug messages (from CVS).
|
||||
- Detect and handle errors in rsa_{public,private}_decrypt (from CVS).
|
||||
|
||||
* Wed Feb 7 2001 Trond Eivind Glomsrxd <teg@redhat.com>
|
||||
- i18n-tweak to initscript.
|
||||
|
||||
* Tue Jan 23 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- More gettextizing.
|
||||
- Close all files after going into daemon mode (needs more testing).
|
||||
- Extract patch from CVS to handle auth banners (in the client).
|
||||
- Extract patch from CVS to handle compat weirdness.
|
||||
|
||||
* Fri Jan 19 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Finish with the gettextizing.
|
||||
|
||||
* Thu Jan 18 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Fix a bug in auth2-pam.c (#23877)
|
||||
- Gettextize the init script.
|
||||
|
||||
* Wed Dec 20 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Incorporate a switch for using PAM configs for 6.x, just in case.
|
||||
|
||||
* Tue Dec 5 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Incorporate Bero's changes for a build specifically for rescue CDs.
|
||||
|
||||
* Wed Nov 29 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Don't treat pam_setcred() failure as fatal unless pam_authenticate() has
|
||||
succeeded, to allow public-key authentication after a failure with "none"
|
||||
authentication. (#21268)
|
||||
|
||||
* Tue Nov 28 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update to x11-askpass 1.1.1. (#21301)
|
||||
- Don't second-guess fixpaths, which causes paths to get fixed twice. (#21290)
|
||||
|
||||
* Mon Nov 27 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Merge multiple PAM text messages into subsequent prompts when possible when
|
||||
doing keyboard-interactive authentication.
|
||||
|
||||
* Sun Nov 26 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Disable the built-in MD5 password support. We're using PAM.
|
||||
- Take a crack at doing keyboard-interactive authentication with PAM, and
|
||||
enable use of it in the default client configuration so that the client
|
||||
will try it when the server disallows password authentication.
|
||||
- Build with debugging flags. Build root policies strip all binaries anyway.
|
||||
|
||||
* Tue Nov 21 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Use DESTDIR instead of %%makeinstall.
|
||||
- Remove /usr/X11R6/bin from the path-fixing patch.
|
||||
|
||||
* Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Add the primes file from the latest snapshot to the main package (#20884).
|
||||
- Add the dev package to the prereq list (#19984).
|
||||
- Remove the default path and mimic login's behavior in the server itself.
|
||||
|
||||
* Fri Nov 17 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Resync with conditional options in Damien Miller's .spec file for an errata.
|
||||
- Change libexecdir from %%{_libexecdir}/ssh to %%{_libexecdir}/openssh.
|
||||
|
||||
* Tue Nov 7 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update to OpenSSH 2.3.0p1.
|
||||
- Update to x11-askpass 1.1.0.
|
||||
- Enable keyboard-interactive authentication.
|
||||
|
||||
* Mon Oct 30 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update to ssh-askpass-x11 1.0.3.
|
||||
- Change authentication related messages to be private (#19966).
|
||||
|
||||
* Tue Oct 10 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Patch ssh-keygen to be able to list signatures for DSA public key files
|
||||
it generates.
|
||||
|
||||
* Thu Oct 5 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Add BuildRequires on /usr/include/security/pam_appl.h to be sure we always
|
||||
build PAM authentication in.
|
||||
- Try setting SSH_ASKPASS if gnome-ssh-askpass is installed.
|
||||
- Clean out no-longer-used patches.
|
||||
- Patch ssh-add to try to add both identity and id_dsa, and to error only
|
||||
when neither exists.
|
||||
|
||||
* Mon Oct 2 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update x11-askpass to 1.0.2. (#17835)
|
||||
- Add BuildRequiress for /bin/login and /usr/bin/rsh so that configure will
|
||||
always find them in the right place. (#17909)
|
||||
- Set the default path to be the same as the one supplied by /bin/login, but
|
||||
add /usr/X11R6/bin. (#17909)
|
||||
- Try to handle obsoletion of ssh-server more cleanly. Package names
|
||||
are different, but init script name isn't. (#17865)
|
||||
|
||||
* Wed Sep 6 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update to 2.2.0p1. (#17835)
|
||||
- Tweak the init script to allow proper restarting. (#18023)
|
||||
|
||||
* Wed Aug 23 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update to 20000823 snapshot.
|
||||
- Change subpackage requirements from %%{version} to %%{version}-%%{release}
|
||||
- Back out the pipe patch.
|
||||
|
||||
* Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update to 2.1.1p4, which includes fixes for config file parsing problems.
|
||||
- Move the init script back.
|
||||
- Add Damien's quick fix for wackiness.
|
||||
|
||||
* Wed Jul 12 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update to 2.1.1p3, which includes fixes for X11 forwarding and strtok().
|
||||
|
||||
* Thu Jul 6 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Move condrestart to server postun.
|
||||
- Move key generation to init script.
|
||||
- Actually use the right patch for moving the key generation to the init script.
|
||||
- Clean up the init script a bit.
|
||||
|
||||
* Wed Jul 5 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Fix X11 forwarding, from mail post by Chan Shih-Ping Richard.
|
||||
|
||||
* Sun Jul 2 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update to 2.1.1p2.
|
||||
- Use of strtok() considered harmful.
|
||||
|
||||
* Sat Jul 1 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Get the build root out of the man pages.
|
||||
|
||||
* Thu Jun 29 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Add and use condrestart support in the init script.
|
||||
- Add newer initscripts as a prereq.
|
||||
|
||||
* Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Build in new environment (release 2)
|
||||
- Move -clients subpackage to Applications/Internet group
|
||||
|
||||
* Fri Jun 9 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Update to 2.2.1p1
|
||||
|
||||
* Sat Jun 3 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- Patch to build with neither RSA nor RSAref.
|
||||
- Miscellaneous FHS-compliance tweaks.
|
||||
- Fix for possibly-compressed man pages.
|
||||
|
||||
* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
|
||||
- Updated for new location
|
||||
- Updated for new gnome-ssh-askpass build
|
||||
|
||||
* Sun Dec 26 1999 Damien Miller <djm@mindrot.org>
|
||||
- Added Jim Knoble's <jmknoble@pobox.com> askpass
|
||||
|
||||
* Mon Nov 15 1999 Damien Miller <djm@mindrot.org>
|
||||
- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com>
|
||||
|
||||
* Sat Nov 13 1999 Damien Miller <djm@mindrot.org>
|
||||
- Added 'Obsoletes' directives
|
||||
|
||||
* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Use make install
|
||||
- Subpackages
|
||||
|
||||
* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Added links for slogin
|
||||
- Fixed perms on manpages
|
||||
|
||||
* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Renamed init script
|
||||
|
||||
* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Back to old binary names
|
||||
|
||||
* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Use autoconf
|
||||
- New binary names
|
||||
|
||||
* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec.
|
106
crypto/openssh/contrib/redhat/sshd.init
Executable file
106
crypto/openssh/contrib/redhat/sshd.init
Executable file
@ -0,0 +1,106 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# Init file for OpenSSH server daemon
|
||||
#
|
||||
# chkconfig: 2345 55 25
|
||||
# description: OpenSSH server daemon
|
||||
#
|
||||
# processname: sshd
|
||||
# config: /etc/ssh/ssh_host_key
|
||||
# config: /etc/ssh/ssh_host_key.pub
|
||||
# config: /etc/ssh/ssh_random_seed
|
||||
# config: /etc/ssh/sshd_config
|
||||
# pidfile: /var/run/sshd.pid
|
||||
|
||||
# source function library
|
||||
. /etc/rc.d/init.d/functions
|
||||
|
||||
# pull in sysconfig settings
|
||||
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
|
||||
|
||||
RETVAL=0
|
||||
prog="sshd"
|
||||
|
||||
# Some functions to make the below more readable
|
||||
SSHD=/usr/sbin/sshd
|
||||
PID_FILE=/var/run/sshd.pid
|
||||
|
||||
do_restart_sanity_check()
|
||||
{
|
||||
$SSHD -t
|
||||
RETVAL=$?
|
||||
if [ $RETVAL -ne 0 ]; then
|
||||
failure $"Configuration file or keys are invalid"
|
||||
echo
|
||||
fi
|
||||
}
|
||||
|
||||
start()
|
||||
{
|
||||
# Create keys if necessary
|
||||
/usr/bin/ssh-keygen -A
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
/sbin/restorecon /etc/ssh/ssh_host_key.pub
|
||||
/sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub
|
||||
/sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub
|
||||
/sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub
|
||||
fi
|
||||
|
||||
echo -n $"Starting $prog:"
|
||||
$SSHD $OPTIONS && success || failure
|
||||
RETVAL=$?
|
||||
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
|
||||
echo
|
||||
}
|
||||
|
||||
stop()
|
||||
{
|
||||
echo -n $"Stopping $prog:"
|
||||
killproc $SSHD -TERM
|
||||
RETVAL=$?
|
||||
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
|
||||
echo
|
||||
}
|
||||
|
||||
reload()
|
||||
{
|
||||
echo -n $"Reloading $prog:"
|
||||
killproc $SSHD -HUP
|
||||
RETVAL=$?
|
||||
echo
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
start
|
||||
;;
|
||||
stop)
|
||||
stop
|
||||
;;
|
||||
restart)
|
||||
stop
|
||||
start
|
||||
;;
|
||||
reload)
|
||||
reload
|
||||
;;
|
||||
condrestart)
|
||||
if [ -f /var/lock/subsys/sshd ] ; then
|
||||
do_restart_sanity_check
|
||||
if [ $RETVAL -eq 0 ] ; then
|
||||
stop
|
||||
# avoid race
|
||||
sleep 3
|
||||
start
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
status)
|
||||
status $SSHD
|
||||
RETVAL=$?
|
||||
;;
|
||||
*)
|
||||
echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
|
||||
RETVAL=1
|
||||
esac
|
||||
exit $RETVAL
|
172
crypto/openssh/contrib/redhat/sshd.init.old
Executable file
172
crypto/openssh/contrib/redhat/sshd.init.old
Executable file
@ -0,0 +1,172 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# Init file for OpenSSH server daemon
|
||||
#
|
||||
# chkconfig: 2345 55 25
|
||||
# description: OpenSSH server daemon
|
||||
#
|
||||
# processname: sshd
|
||||
# config: /etc/ssh/ssh_host_key
|
||||
# config: /etc/ssh/ssh_host_key.pub
|
||||
# config: /etc/ssh/ssh_random_seed
|
||||
# config: /etc/ssh/sshd_config
|
||||
# pidfile: /var/run/sshd.pid
|
||||
|
||||
# source function library
|
||||
. /etc/rc.d/init.d/functions
|
||||
|
||||
# pull in sysconfig settings
|
||||
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
|
||||
|
||||
RETVAL=0
|
||||
prog="sshd"
|
||||
|
||||
# Some functions to make the below more readable
|
||||
KEYGEN=/usr/bin/ssh-keygen
|
||||
SSHD=/usr/sbin/sshd
|
||||
RSA1_KEY=/etc/ssh/ssh_host_key
|
||||
RSA_KEY=/etc/ssh/ssh_host_rsa_key
|
||||
DSA_KEY=/etc/ssh/ssh_host_dsa_key
|
||||
PID_FILE=/var/run/sshd.pid
|
||||
|
||||
my_success() {
|
||||
local msg
|
||||
if [ $# -gt 1 ]; then
|
||||
msg="$2"
|
||||
else
|
||||
msg="done"
|
||||
fi
|
||||
case "`type -type success`" in
|
||||
function)
|
||||
success "$1"
|
||||
;;
|
||||
*)
|
||||
echo -n "${msg}"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
my_failure() {
|
||||
local msg
|
||||
if [ $# -gt 1 ]; then
|
||||
msg="$2"
|
||||
else
|
||||
msg="FAILED"
|
||||
fi
|
||||
case "`type -type failure`" in
|
||||
function)
|
||||
failure "$1"
|
||||
;;
|
||||
*)
|
||||
echo -n "${msg}"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
do_rsa1_keygen() {
|
||||
if [ ! -s $RSA1_KEY ]; then
|
||||
echo -n "Generating SSH1 RSA host key: "
|
||||
if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
|
||||
chmod 600 $RSA1_KEY
|
||||
chmod 644 $RSA1_KEY.pub
|
||||
my_success "RSA1 key generation"
|
||||
echo
|
||||
else
|
||||
my_failure "RSA1 key generation"
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
do_rsa_keygen() {
|
||||
if [ ! -s $RSA_KEY ]; then
|
||||
echo -n "Generating SSH2 RSA host key: "
|
||||
if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
|
||||
chmod 600 $RSA_KEY
|
||||
chmod 644 $RSA_KEY.pub
|
||||
my_success "RSA key generation"
|
||||
echo
|
||||
else
|
||||
my_failure "RSA key generation"
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
do_dsa_keygen() {
|
||||
if [ ! -s $DSA_KEY ]; then
|
||||
echo -n "Generating SSH2 DSA host key: "
|
||||
if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
|
||||
chmod 600 $DSA_KEY
|
||||
chmod 644 $DSA_KEY.pub
|
||||
my_success "DSA key generation"
|
||||
echo
|
||||
else
|
||||
my_failure "DSA key generation"
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
do_restart_sanity_check() {
|
||||
$SSHD -t
|
||||
RETVAL=$?
|
||||
if [ ! "$RETVAL" = 0 ]; then
|
||||
my_failure "Configuration file or keys"
|
||||
echo
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
# Create keys if necessary
|
||||
do_rsa1_keygen;
|
||||
do_rsa_keygen;
|
||||
do_dsa_keygen;
|
||||
|
||||
echo -n "Starting sshd: "
|
||||
if [ ! -f $PID_FILE ] ; then
|
||||
sshd $OPTIONS
|
||||
RETVAL=$?
|
||||
if [ "$RETVAL" = "0" ] ; then
|
||||
my_success "sshd startup" "sshd"
|
||||
touch /var/lock/subsys/sshd
|
||||
else
|
||||
my_failure "sshd startup" ""
|
||||
fi
|
||||
fi
|
||||
echo
|
||||
;;
|
||||
stop)
|
||||
echo -n "Shutting down sshd: "
|
||||
if [ -f $PID_FILE ] ; then
|
||||
killproc sshd
|
||||
RETVAL=$?
|
||||
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
|
||||
fi
|
||||
echo
|
||||
;;
|
||||
restart)
|
||||
do_restart_sanity_check
|
||||
$0 stop
|
||||
$0 start
|
||||
RETVAL=$?
|
||||
;;
|
||||
condrestart)
|
||||
if [ -f /var/lock/subsys/sshd ] ; then
|
||||
do_restart_sanity_check
|
||||
$0 stop
|
||||
$0 start
|
||||
RETVAL=$?
|
||||
fi
|
||||
;;
|
||||
status)
|
||||
status sshd
|
||||
RETVAL=$?
|
||||
;;
|
||||
*)
|
||||
echo "Usage: sshd {start|stop|restart|status|condrestart}"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit $RETVAL
|
6
crypto/openssh/contrib/redhat/sshd.pam
Normal file
6
crypto/openssh/contrib/redhat/sshd.pam
Normal file
@ -0,0 +1,6 @@
|
||||
#%PAM-1.0
|
||||
auth required pam_stack.so service=system-auth
|
||||
account required pam_nologin.so
|
||||
account required pam_stack.so service=system-auth
|
||||
password required pam_stack.so service=system-auth
|
||||
session required pam_stack.so service=system-auth
|
8
crypto/openssh/contrib/redhat/sshd.pam.old
Normal file
8
crypto/openssh/contrib/redhat/sshd.pam.old
Normal file
@ -0,0 +1,8 @@
|
||||
#%PAM-1.0
|
||||
auth required /lib/security/pam_pwdb.so shadow nodelay
|
||||
auth required /lib/security/pam_nologin.so
|
||||
account required /lib/security/pam_pwdb.so
|
||||
password required /lib/security/pam_cracklib.so
|
||||
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
|
||||
session required /lib/security/pam_pwdb.so
|
||||
session required /lib/security/pam_limits.so
|
30
crypto/openssh/contrib/solaris/README
Executable file
30
crypto/openssh/contrib/solaris/README
Executable file
@ -0,0 +1,30 @@
|
||||
The following is a new package build script for Solaris. This is being
|
||||
introduced into OpenSSH 3.0 and above in hopes of simplifying the build
|
||||
process. As of 3.1p2 the script should work on all platforms that have
|
||||
SVR4 style package tools.
|
||||
|
||||
The build process is called a 'dummy install'.. Which means the software does
|
||||
a "make install-nokeys DESTDIR=[fakeroot]". This way all manpages should
|
||||
be handled correctly and key are defered until the first time the sshd
|
||||
is started.
|
||||
|
||||
Directions:
|
||||
|
||||
1. make -F Makefile.in distprep (Only if you are getting from the CVS tree)
|
||||
2. ./configure --with-pam [..any other options you want..]
|
||||
3. look at the top of buildpkg.sh for the configurable options and put
|
||||
any changes you want in openssh-config.local. Additional customizations
|
||||
can be done to the build process by creating one or more of the following
|
||||
scripts that will be sourced by buildpkg.sh.
|
||||
pkg_post_make_install_fixes.sh pkg-post-prototype-edit.sh
|
||||
pkg-preinstall.local pkg-postinstall.local pkg-preremove.local
|
||||
pkg-postremove.local pkg-request.local
|
||||
4. Run "make package"
|
||||
|
||||
If all goes well you should have a solaris package ready to be installed.
|
||||
|
||||
If you have any problems with this script please post them to
|
||||
openssh-unix-dev@mindrot.org and I will try to assist you as best as I can.
|
||||
|
||||
- Ben Lindstrom
|
||||
|
300
crypto/openssh/contrib/ssh-copy-id
Normal file
300
crypto/openssh/contrib/ssh-copy-id
Normal file
@ -0,0 +1,300 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Copyright (c) 1999-2013 Philip Hands <phil@hands.com>
|
||||
# 2013 Martin Kletzander <mkletzan@redhat.com>
|
||||
# 2010 Adeodato =?iso-8859-1?Q?Sim=F3?= <asp16@alu.ua.es>
|
||||
# 2010 Eric Moret <eric.moret@gmail.com>
|
||||
# 2009 Xr <xr@i-jeuxvideo.com>
|
||||
# 2007 Justin Pryzby <justinpryzby@users.sourceforge.net>
|
||||
# 2004 Reini Urban <rurban@x-ray.at>
|
||||
# 2003 Colin Watson <cjwatson@debian.org>
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions
|
||||
# are met:
|
||||
# 1. Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
# 2. Redistributions in binary form must reproduce the above copyright
|
||||
# notice, this list of conditions and the following disclaimer in the
|
||||
# documentation and/or other materials provided with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
# Shell script to install your public key(s) on a remote machine
|
||||
# See the ssh-copy-id(1) man page for details
|
||||
|
||||
# check that we have something mildly sane as our shell, or try to find something better
|
||||
if false ^ printf "%s: WARNING: ancient shell, hunting for a more modern one... " "$0"
|
||||
then
|
||||
SANE_SH=${SANE_SH:-/usr/bin/ksh}
|
||||
if printf 'true ^ false\n' | "$SANE_SH"
|
||||
then
|
||||
printf "'%s' seems viable.\n" "$SANE_SH"
|
||||
exec "$SANE_SH" "$0" "$@"
|
||||
else
|
||||
cat <<-EOF
|
||||
oh dear.
|
||||
|
||||
If you have a more recent shell available, that supports \$(...) etc.
|
||||
please try setting the environment variable SANE_SH to the path of that
|
||||
shell, and then retry running this script. If that works, please report
|
||||
a bug describing your setup, and the shell you used to make it work.
|
||||
|
||||
EOF
|
||||
printf "%s: ERROR: Less dimwitted shell required.\n" "$0"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
DEFAULT_PUB_ID_FILE=$(ls -t ${HOME}/.ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)
|
||||
|
||||
usage () {
|
||||
printf 'Usage: %s [-h|-?|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2
|
||||
exit 1
|
||||
}
|
||||
|
||||
# escape any single quotes in an argument
|
||||
quote() {
|
||||
printf "%s\n" "$1" | sed -e "s/'/'\\\\''/g"
|
||||
}
|
||||
|
||||
use_id_file() {
|
||||
local L_ID_FILE="$1"
|
||||
|
||||
if expr "$L_ID_FILE" : ".*\.pub$" >/dev/null ; then
|
||||
PUB_ID_FILE="$L_ID_FILE"
|
||||
else
|
||||
PUB_ID_FILE="$L_ID_FILE.pub"
|
||||
fi
|
||||
|
||||
PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
|
||||
|
||||
# check that the files are readable
|
||||
for f in $PUB_ID_FILE $PRIV_ID_FILE ; do
|
||||
ErrMSG=$( { : < $f ; } 2>&1 ) || {
|
||||
printf "\n%s: ERROR: failed to open ID file '%s': %s\n\n" "$0" "$f" "$(printf "%s\n" "$ErrMSG" | sed -e 's/.*: *//')"
|
||||
exit 1
|
||||
}
|
||||
done
|
||||
GET_ID="cat \"$PUB_ID_FILE\""
|
||||
}
|
||||
|
||||
if [ -n "$SSH_AUTH_SOCK" ] && ssh-add -L >/dev/null 2>&1 ; then
|
||||
GET_ID="ssh-add -L"
|
||||
fi
|
||||
|
||||
while test "$#" -gt 0
|
||||
do
|
||||
[ "${SEEN_OPT_I}" ] && expr "$1" : "[-]i" >/dev/null && {
|
||||
printf "\n%s: ERROR: -i option must not be specified more than once\n\n" "$0"
|
||||
usage
|
||||
}
|
||||
|
||||
OPT= OPTARG=
|
||||
# implement something like getopt to avoid Solaris pain
|
||||
case "$1" in
|
||||
-i?*|-o?*|-p?*)
|
||||
OPT="$(printf -- "$1"|cut -c1-2)"
|
||||
OPTARG="$(printf -- "$1"|cut -c3-)"
|
||||
shift
|
||||
;;
|
||||
-o|-p)
|
||||
OPT="$1"
|
||||
OPTARG="$2"
|
||||
shift 2
|
||||
;;
|
||||
-i)
|
||||
OPT="$1"
|
||||
test "$#" -le 2 || expr "$2" : "[-]" >/dev/null || {
|
||||
OPTARG="$2"
|
||||
shift
|
||||
}
|
||||
shift
|
||||
;;
|
||||
-n|-h|-\?)
|
||||
OPT="$1"
|
||||
OPTARG=
|
||||
shift
|
||||
;;
|
||||
--)
|
||||
shift
|
||||
while test "$#" -gt 0
|
||||
do
|
||||
SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'"
|
||||
shift
|
||||
done
|
||||
break
|
||||
;;
|
||||
-*)
|
||||
printf "\n%s: ERROR: invalid option (%s)\n\n" "$0" "$1"
|
||||
usage
|
||||
;;
|
||||
*)
|
||||
SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'"
|
||||
shift
|
||||
continue
|
||||
;;
|
||||
esac
|
||||
|
||||
case "$OPT" in
|
||||
-i)
|
||||
SEEN_OPT_I="yes"
|
||||
use_id_file "${OPTARG:-$DEFAULT_PUB_ID_FILE}"
|
||||
;;
|
||||
-o|-p)
|
||||
SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }$OPT '$(quote "$OPTARG")'"
|
||||
;;
|
||||
-n)
|
||||
DRY_RUN=1
|
||||
;;
|
||||
-h|-\?)
|
||||
usage
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
eval set -- "$SAVEARGS"
|
||||
|
||||
if [ $# = 0 ] ; then
|
||||
usage
|
||||
fi
|
||||
if [ $# != 1 ] ; then
|
||||
printf '%s: ERROR: Too many arguments. Expecting a target hostname, got: %s\n\n' "$0" "$SAVEARGS" >&2
|
||||
usage
|
||||
fi
|
||||
|
||||
# drop trailing colon
|
||||
USER_HOST=$(printf "%s\n" "$1" | sed 's/:$//')
|
||||
# tack the hostname onto SSH_OPTS
|
||||
SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }'$(quote "$USER_HOST")'"
|
||||
# and populate "$@" for later use (only way to get proper quoting of options)
|
||||
eval set -- "$SSH_OPTS"
|
||||
|
||||
if [ -z "$(eval $GET_ID)" ] && [ -r "${PUB_ID_FILE:=$DEFAULT_PUB_ID_FILE}" ] ; then
|
||||
use_id_file "$PUB_ID_FILE"
|
||||
fi
|
||||
|
||||
if [ -z "$(eval $GET_ID)" ] ; then
|
||||
printf '%s: ERROR: No identities found\n' "$0" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...)
|
||||
# and has the side effect of setting $NEW_IDS
|
||||
populate_new_ids() {
|
||||
local L_SUCCESS="$1"
|
||||
|
||||
# repopulate "$@" inside this function
|
||||
eval set -- "$SSH_OPTS"
|
||||
|
||||
umask 0177
|
||||
local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
|
||||
if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then
|
||||
echo "mktemp failed" 1>&2
|
||||
exit 1
|
||||
fi
|
||||
trap "rm -f $L_TMP_ID_FILE ${L_TMP_ID_FILE}.pub" EXIT TERM INT QUIT
|
||||
printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
|
||||
NEW_IDS=$(
|
||||
eval $GET_ID | {
|
||||
while read ID ; do
|
||||
printf '%s\n' "$ID" > $L_TMP_ID_FILE
|
||||
|
||||
# the next line assumes $PRIV_ID_FILE only set if using a single id file - this
|
||||
# assumption will break if we implement the possibility of multiple -i options.
|
||||
# The point being that if file based, ssh needs the private key, which it cannot
|
||||
# find if only given the contents of the .pub file in an unrelated tmpfile
|
||||
ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \
|
||||
-o PreferredAuthentications=publickey \
|
||||
-o IdentitiesOnly=yes "$@" exit 2>$L_TMP_ID_FILE.stderr </dev/null
|
||||
if [ "$?" = "$L_SUCCESS" ] ; then
|
||||
: > $L_TMP_ID_FILE
|
||||
else
|
||||
grep 'Permission denied' $L_TMP_ID_FILE.stderr >/dev/null || {
|
||||
sed -e 's/^/ERROR: /' <$L_TMP_ID_FILE.stderr >$L_TMP_ID_FILE
|
||||
cat >/dev/null #consume the other keys, causing loop to end
|
||||
}
|
||||
fi
|
||||
|
||||
cat $L_TMP_ID_FILE
|
||||
done
|
||||
}
|
||||
)
|
||||
rm -f $L_TMP_ID_FILE* && trap - EXIT TERM INT QUIT
|
||||
|
||||
if expr "$NEW_IDS" : "^ERROR: " >/dev/null ; then
|
||||
printf '\n%s: %s\n\n' "$0" "$NEW_IDS" >&2
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "$NEW_IDS" ] ; then
|
||||
printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n\n' "$0" >&2
|
||||
exit 0
|
||||
fi
|
||||
printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
|
||||
}
|
||||
|
||||
REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 |
|
||||
sed -ne 's/.*remote software version //p')
|
||||
|
||||
case "$REMOTE_VERSION" in
|
||||
NetScreen*)
|
||||
populate_new_ids 1
|
||||
for KEY in $(printf "%s" "$NEW_IDS" | cut -d' ' -f2) ; do
|
||||
KEY_NO=$(($KEY_NO + 1))
|
||||
printf "%s\n" "$KEY" | grep ssh-dss >/dev/null || {
|
||||
printf '%s: WARNING: Non-dsa key (#%d) skipped (NetScreen only supports DSA keys)\n' "$0" "$KEY_NO" >&2
|
||||
continue
|
||||
}
|
||||
[ "$DRY_RUN" ] || printf 'set ssh pka-dsa key %s\nsave\nexit\n' "$KEY" | ssh -T "$@" >/dev/null 2>&1
|
||||
if [ $? = 255 ] ; then
|
||||
printf '%s: ERROR: installation of key #%d failed (please report a bug describing what caused this, so that we can make this message useful)\n' "$0" "$KEY_NO" >&2
|
||||
else
|
||||
ADDED=$(($ADDED + 1))
|
||||
fi
|
||||
done
|
||||
if [ -z "$ADDED" ] ; then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
# Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect
|
||||
populate_new_ids 0
|
||||
[ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" "
|
||||
umask 077 ;
|
||||
mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ;
|
||||
if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \
|
||||
|| exit 1
|
||||
ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ "$DRY_RUN" ] ; then
|
||||
cat <<-EOF
|
||||
=-=-=-=-=-=-=-=
|
||||
Would have added the following key(s):
|
||||
|
||||
$NEW_IDS
|
||||
=-=-=-=-=-=-=-=
|
||||
EOF
|
||||
else
|
||||
cat <<-EOF
|
||||
|
||||
Number of key(s) added: $ADDED
|
||||
|
||||
Now try logging into the machine, with: "ssh $SSH_OPTS"
|
||||
and check to make sure that only the key(s) you wanted were added.
|
||||
|
||||
EOF
|
||||
fi
|
||||
|
||||
# =-=-=-=
|
186
crypto/openssh/contrib/ssh-copy-id.1
Normal file
186
crypto/openssh/contrib/ssh-copy-id.1
Normal file
@ -0,0 +1,186 @@
|
||||
.ig \" -*- nroff -*-
|
||||
Copyright (c) 1999-2013 hands.com Ltd. <http://hands.com/>
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
modification, are permitted provided that the following conditions
|
||||
are met:
|
||||
1. Redistributions of source code must retain the above copyright
|
||||
notice, this list of conditions and the following disclaimer.
|
||||
2. Redistributions in binary form must reproduce the above copyright
|
||||
notice, this list of conditions and the following disclaimer in the
|
||||
documentation and/or other materials provided with the distribution.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
..
|
||||
.Dd $Mdocdate: June 17 2010 $
|
||||
.Dt SSH-COPY-ID 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm ssh-copy-id
|
||||
.Nd use locally available keys to authorise logins on a remote machine
|
||||
.Sh SYNOPSIS
|
||||
.Nm
|
||||
.Op Fl n
|
||||
.Op Fl i Op Ar identity_file
|
||||
.Op Fl p Ar port
|
||||
.Op Fl o Ar ssh_option
|
||||
.Op Ar user Ns @ Ns
|
||||
.Ar hostname
|
||||
.Nm
|
||||
.Fl h | Fl ?
|
||||
.br
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
is a script that uses
|
||||
.Xr ssh 1
|
||||
to log into a remote machine (presumably using a login password,
|
||||
so password authentication should be enabled, unless you've done some
|
||||
clever use of multiple identities). It assembles a list of one or more
|
||||
fingerprints (as described below) and tries to log in with each key, to
|
||||
see if any of them are already installed (of course, if you are not using
|
||||
.Xr ssh-agent 1
|
||||
this may result in you being repeatedly prompted for pass-phrases).
|
||||
It then assembles a list of those that failed to log in, and using ssh,
|
||||
enables logins with those keys on the remote server. By default it adds
|
||||
the keys by appending them to the remote user's
|
||||
.Pa ~/.ssh/authorized_keys
|
||||
(creating the file, and directory, if necessary). It is also capable
|
||||
of detecting if the remote system is a NetScreen, and using its
|
||||
.Ql set ssh pka-dsa key ...
|
||||
command instead.
|
||||
.Pp
|
||||
The options are as follows:
|
||||
.Bl -tag -width Ds
|
||||
.It Fl i Ar identity_file
|
||||
Use only the key(s) contained in
|
||||
.Ar identity_file
|
||||
(rather than looking for identities via
|
||||
.Xr ssh-add 1
|
||||
or in the
|
||||
.Ic default_ID_file ) .
|
||||
If the filename does not end in
|
||||
.Pa .pub
|
||||
this is added. If the filename is omitted, the
|
||||
.Ic default_ID_file
|
||||
is used.
|
||||
.Pp
|
||||
Note that this can be used to ensure that the keys copied have the
|
||||
comment one prefers and/or extra options applied, by ensuring that the
|
||||
key file has these set as preferred before the copy is attempted.
|
||||
.It Fl n
|
||||
do a dry-run. Instead of installing keys on the remote system simply
|
||||
prints the key(s) that would have been installed.
|
||||
.It Fl h , Fl ?
|
||||
Print Usage summary
|
||||
.It Fl p Ar port , Fl o Ar ssh_option
|
||||
These two options are simply passed through untouched, along with their
|
||||
argument, to allow one to set the port or other
|
||||
.Xr ssh 1
|
||||
options, respectively.
|
||||
.Pp
|
||||
Rather than specifying these as command line options, it is often better to use (per-host) settings in
|
||||
.Xr ssh 1 Ns 's
|
||||
configuration file:
|
||||
.Xr ssh_config 5 .
|
||||
.El
|
||||
.Pp
|
||||
Default behaviour without
|
||||
.Fl i ,
|
||||
is to check if
|
||||
.Ql ssh-add -L
|
||||
provides any output, and if so those keys are used. Note that this results in
|
||||
the comment on the key being the filename that was given to
|
||||
.Xr ssh-add 1
|
||||
when the key was loaded into your
|
||||
.Xr ssh-agent 1
|
||||
rather than the comment contained in that file, which is a bit of a shame.
|
||||
Otherwise, if
|
||||
.Xr ssh-add 1
|
||||
provides no keys contents of the
|
||||
.Ic default_ID_file
|
||||
will be used.
|
||||
.Pp
|
||||
The
|
||||
.Ic default_ID_file
|
||||
is the most recent file that matches:
|
||||
.Pa ~/.ssh/id*.pub ,
|
||||
(excluding those that match
|
||||
.Pa ~/.ssh/*-cert.pub )
|
||||
so if you create a key that is not the one you want
|
||||
.Nm
|
||||
to use, just use
|
||||
.Xr touch 1
|
||||
on your preferred key's
|
||||
.Pa .pub
|
||||
file to reinstate it as the most recent.
|
||||
.Pp
|
||||
.Sh EXAMPLES
|
||||
If you have already installed keys from one system on a lot of remote
|
||||
hosts, and you then create a new key, on a new client machine, say,
|
||||
it can be difficult to keep track of which systems on which you've
|
||||
installed the new key. One way of dealing with this is to load both
|
||||
the new key and old key(s) into your
|
||||
.Xr ssh-agent 1 .
|
||||
Load the new key first, without the
|
||||
.Fl c
|
||||
option, then load one or more old keys into the agent, possibly by
|
||||
ssh-ing to the client machine that has that old key, using the
|
||||
.Fl A
|
||||
option to allow agent forwarding:
|
||||
.Pp
|
||||
.D1 user@newclient$ ssh-add
|
||||
.D1 user@newclient$ ssh -A old.client
|
||||
.D1 user@oldl$ ssh-add -c
|
||||
.D1 No ... prompt for pass-phrase ...
|
||||
.D1 user@old$ logoff
|
||||
.D1 user@newclient$ ssh someserver
|
||||
.Pp
|
||||
now, if the new key is installed on the server, you'll be allowed in
|
||||
unprompted, whereas if you only have the old key(s) enabled, you'll be
|
||||
asked for confirmation, which is your cue to log back out and run
|
||||
.Pp
|
||||
.D1 user@newclient$ ssh-copy-id -i someserver
|
||||
.Pp
|
||||
The reason you might want to specify the -i option in this case is to
|
||||
ensure that the comment on the installed key is the one from the
|
||||
.Pa .pub
|
||||
file, rather than just the filename that was loaded into you agent.
|
||||
It also ensures that only the id you intended is installed, rather than
|
||||
all the keys that you have in your
|
||||
.Xr ssh-agent 1 .
|
||||
Of course, you can specify another id, or use the contents of the
|
||||
.Xr ssh-agent 1
|
||||
as you prefer.
|
||||
.Pp
|
||||
Having mentioned
|
||||
.Xr ssh-add 1 Ns 's
|
||||
.Fl c
|
||||
option, you might consider using this whenever using agent forwarding
|
||||
to avoid your key being hijacked, but it is much better to instead use
|
||||
.Xr ssh 1 Ns 's
|
||||
.Ar ProxyCommand
|
||||
and
|
||||
.Fl W
|
||||
option,
|
||||
to bounce through remote servers while always doing direct end-to-end
|
||||
authentication. This way the middle hop(s) don't get access to your
|
||||
.Xr ssh-agent 1 .
|
||||
A web search for
|
||||
.Ql ssh proxycommand nc
|
||||
should prove enlightening (N.B. the modern approach is to use the
|
||||
.Fl W
|
||||
option, rather than
|
||||
.Xr nc 1 ) .
|
||||
.Sh "SEE ALSO"
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-agent 1 ,
|
||||
.Xr sshd 8
|
5
crypto/openssh/contrib/sshd.pam.freebsd
Normal file
5
crypto/openssh/contrib/sshd.pam.freebsd
Normal file
@ -0,0 +1,5 @@
|
||||
sshd auth required pam_unix.so try_first_pass
|
||||
sshd account required pam_unix.so
|
||||
sshd password required pam_permit.so
|
||||
sshd session required pam_permit.so
|
||||
|
8
crypto/openssh/contrib/sshd.pam.generic
Normal file
8
crypto/openssh/contrib/sshd.pam.generic
Normal file
@ -0,0 +1,8 @@
|
||||
#%PAM-1.0
|
||||
auth required /lib/security/pam_unix.so shadow nodelay
|
||||
account required /lib/security/pam_nologin.so
|
||||
account required /lib/security/pam_unix.so
|
||||
password required /lib/security/pam_cracklib.so
|
||||
password required /lib/security/pam_unix.so shadow nullok use_authtok
|
||||
session required /lib/security/pam_unix.so
|
||||
session required /lib/security/pam_limits.so
|
246
crypto/openssh/contrib/suse/openssh.spec
Normal file
246
crypto/openssh/contrib/suse/openssh.spec
Normal file
@ -0,0 +1,246 @@
|
||||
# Default values for additional components
|
||||
%define build_x11_askpass 1
|
||||
|
||||
# Define the UID/GID to use for privilege separation
|
||||
%define sshd_gid 65
|
||||
%define sshd_uid 71
|
||||
|
||||
# The version of x11-ssh-askpass to use
|
||||
%define xversion 1.2.4.1
|
||||
|
||||
# Allow the ability to override defaults with -D skip_xxx=1
|
||||
%{?skip_x11_askpass:%define build_x11_askpass 0}
|
||||
|
||||
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
|
||||
Name: openssh
|
||||
Version: 6.3p1
|
||||
URL: http://www.openssh.com/
|
||||
Release: 1
|
||||
Source0: openssh-%{version}.tar.gz
|
||||
Source1: x11-ssh-askpass-%{xversion}.tar.gz
|
||||
License: BSD
|
||||
Group: Productivity/Networking/SSH
|
||||
BuildRoot: %{_tmppath}/openssh-%{version}-buildroot
|
||||
PreReq: openssl
|
||||
Obsoletes: ssh
|
||||
Provides: ssh
|
||||
#
|
||||
# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.)
|
||||
# building prerequisites -- stuff for
|
||||
# OpenSSL (openssl-devel),
|
||||
# TCP Wrappers (tcpd-devel),
|
||||
# and Gnome (glibdev, gtkdev, and gnlibsd)
|
||||
#
|
||||
BuildPrereq: openssl
|
||||
BuildPrereq: tcpd-devel
|
||||
BuildPrereq: zlib-devel
|
||||
#BuildPrereq: glibdev
|
||||
#BuildPrereq: gtkdev
|
||||
#BuildPrereq: gnlibsd
|
||||
|
||||
%package askpass
|
||||
Summary: A passphrase dialog for OpenSSH and the X window System.
|
||||
Group: Productivity/Networking/SSH
|
||||
Requires: openssh = %{version}
|
||||
Obsoletes: ssh-extras
|
||||
Provides: openssh:${_libdir}/ssh/ssh-askpass
|
||||
|
||||
%if %{build_x11_askpass}
|
||||
BuildPrereq: XFree86-devel
|
||||
%endif
|
||||
|
||||
%description
|
||||
Ssh (Secure Shell) is a program for logging into a remote machine and for
|
||||
executing commands in a remote machine. It is intended to replace
|
||||
rlogin and rsh, and provide secure encrypted communications between
|
||||
two untrusted hosts over an insecure network. X11 connections and
|
||||
arbitrary TCP/IP ports can also be forwarded over the secure channel.
|
||||
|
||||
OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
|
||||
up to date in terms of security and features, as well as removing all
|
||||
patented algorithms to seperate libraries (OpenSSL).
|
||||
|
||||
This package includes all files necessary for both the OpenSSH
|
||||
client and server.
|
||||
|
||||
%description askpass
|
||||
Ssh (Secure Shell) is a program for logging into a remote machine and for
|
||||
executing commands in a remote machine. It is intended to replace
|
||||
rlogin and rsh, and provide secure encrypted communications between
|
||||
two untrusted hosts over an insecure network. X11 connections and
|
||||
arbitrary TCP/IP ports can also be forwarded over the secure channel.
|
||||
|
||||
OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
|
||||
up to date in terms of security and features, as well as removing all
|
||||
patented algorithms to seperate libraries (OpenSSL).
|
||||
|
||||
This package contains an X Window System passphrase dialog for OpenSSH.
|
||||
|
||||
%changelog
|
||||
* Wed Oct 26 2005 Iain Morgan <imorgan@nas.nasa.gov>
|
||||
- Removed accidental inclusion of --without-zlib-version-check
|
||||
* Tue Oct 25 2005 Iain Morgan <imorgan@nas.nasa.gov>
|
||||
- Overhaul to deal with newer versions of SuSE and OpenSSH
|
||||
* Mon Jun 12 2000 Damien Miller <djm@mindrot.org>
|
||||
- Glob manpages to catch compressed files
|
||||
* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
|
||||
- Updated for new location
|
||||
- Updated for new gnome-ssh-askpass build
|
||||
* Sun Dec 26 1999 Chris Saia <csaia@wtower.com>
|
||||
- Made symlink to gnome-ssh-askpass called ssh-askpass
|
||||
* Wed Nov 24 1999 Chris Saia <csaia@wtower.com>
|
||||
- Removed patches that included /etc/pam.d/sshd, /sbin/init.d/rc.sshd, and
|
||||
/var/adm/fillup-templates/rc.config.sshd, since Damien merged these into
|
||||
his released tarfile
|
||||
- Changed permissions on ssh_config in the install procedure to 644 from 600
|
||||
even though it was correct in the %files section and thus right in the RPMs
|
||||
- Postinstall script for the server now only prints "Generating SSH host
|
||||
key..." if we need to actually do this, in order to eliminate a confusing
|
||||
message if an SSH host key is already in place
|
||||
- Marked all manual pages as %doc(umentation)
|
||||
* Mon Nov 22 1999 Chris Saia <csaia@wtower.com>
|
||||
- Added flag to configure daemon with TCP Wrappers support
|
||||
- Added building prerequisites (works in RPM 3.0 and newer)
|
||||
* Thu Nov 18 1999 Chris Saia <csaia@wtower.com>
|
||||
- Made this package correct for SuSE.
|
||||
- Changed instances of pam_pwdb.so to pam_unix.so, since it works more properly
|
||||
with SuSE, and lib_pwdb.so isn't installed by default.
|
||||
* Mon Nov 15 1999 Damien Miller <djm@mindrot.org>
|
||||
- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com>
|
||||
* Sat Nov 13 1999 Damien Miller <djm@mindrot.org>
|
||||
- Added 'Obsoletes' directives
|
||||
* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Use make install
|
||||
- Subpackages
|
||||
* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Added links for slogin
|
||||
- Fixed perms on manpages
|
||||
* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Renamed init script
|
||||
* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Back to old binary names
|
||||
* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Use autoconf
|
||||
- New binary names
|
||||
* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au>
|
||||
- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec.
|
||||
|
||||
%prep
|
||||
|
||||
%if %{build_x11_askpass}
|
||||
%setup -q -a 1
|
||||
%else
|
||||
%setup -q
|
||||
%endif
|
||||
|
||||
%build
|
||||
CFLAGS="$RPM_OPT_FLAGS" \
|
||||
%configure --prefix=/usr \
|
||||
--sysconfdir=%{_sysconfdir}/ssh \
|
||||
--mandir=%{_mandir} \
|
||||
--with-privsep-path=/var/lib/empty \
|
||||
--with-pam \
|
||||
--with-tcp-wrappers \
|
||||
--libexecdir=%{_libdir}/ssh
|
||||
make
|
||||
|
||||
%if %{build_x11_askpass}
|
||||
cd x11-ssh-askpass-%{xversion}
|
||||
%configure --mandir=/usr/X11R6/man \
|
||||
--libexecdir=%{_libdir}/ssh
|
||||
xmkmf -a
|
||||
make
|
||||
cd ..
|
||||
%endif
|
||||
|
||||
%install
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
make install DESTDIR=$RPM_BUILD_ROOT/
|
||||
install -d $RPM_BUILD_ROOT/etc/pam.d/
|
||||
install -d $RPM_BUILD_ROOT/etc/init.d/
|
||||
install -d $RPM_BUILD_ROOT/var/adm/fillup-templates
|
||||
install -m644 contrib/sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd
|
||||
install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/etc/init.d/sshd
|
||||
install -m744 contrib/suse/sysconfig.ssh \
|
||||
$RPM_BUILD_ROOT/var/adm/fillup-templates
|
||||
|
||||
%if %{build_x11_askpass}
|
||||
cd x11-ssh-askpass-%{xversion}
|
||||
make install install.man BINDIR=%{_libdir}/ssh DESTDIR=$RPM_BUILD_ROOT/
|
||||
rm -f $RPM_BUILD_ROOT/usr/share/Ssh.bin
|
||||
%endif
|
||||
|
||||
%clean
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
%pre
|
||||
/usr/sbin/groupadd -g %{sshd_gid} -o -r sshd 2> /dev/null || :
|
||||
/usr/sbin/useradd -r -o -g sshd -u %{sshd_uid} -s /bin/false -c "SSH Privilege Separation User" -d /var/lib/sshd sshd 2> /dev/null || :
|
||||
|
||||
%post
|
||||
/usr/bin/ssh-keygen -A
|
||||
%{fillup_and_insserv -n -y ssh sshd}
|
||||
%run_permissions
|
||||
|
||||
%verifyscript
|
||||
%verify_permissions -e /etc/ssh/sshd_config -e /etc/ssh/ssh_config -e /usr/bin/ssh
|
||||
|
||||
%preun
|
||||
%stop_on_removal sshd
|
||||
|
||||
%postun
|
||||
%restart_on_update sshd
|
||||
%{insserv_cleanup}
|
||||
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
%doc ChangeLog OVERVIEW README* PROTOCOL*
|
||||
%doc TODO CREDITS LICENCE
|
||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
|
||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
|
||||
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
|
||||
%attr(0755,root,root) %config /etc/init.d/sshd
|
||||
%attr(0755,root,root) %{_bindir}/ssh-keygen
|
||||
%attr(0755,root,root) %{_bindir}/scp
|
||||
%attr(0755,root,root) %{_bindir}/ssh
|
||||
%attr(-,root,root) %{_bindir}/slogin
|
||||
%attr(0755,root,root) %{_bindir}/ssh-agent
|
||||
%attr(0755,root,root) %{_bindir}/ssh-add
|
||||
%attr(0755,root,root) %{_bindir}/ssh-keyscan
|
||||
%attr(0755,root,root) %{_bindir}/sftp
|
||||
%attr(0755,root,root) %{_sbindir}/sshd
|
||||
%attr(0755,root,root) %dir %{_libdir}/ssh
|
||||
%attr(0755,root,root) %{_libdir}/ssh/sftp-server
|
||||
%attr(4711,root,root) %{_libdir}/ssh/ssh-keysign
|
||||
%attr(0755,root,root) %{_libdir}/ssh/ssh-pkcs11-helper
|
||||
%attr(0644,root,root) %doc %{_mandir}/man1/scp.1*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man1/sftp.1*
|
||||
%attr(-,root,root) %doc %{_mandir}/man1/slogin.1*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man1/ssh.1*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-add.1*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-agent.1*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keygen.1*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keyscan.1*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man5/moduli.5*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man5/ssh_config.5*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man5/sshd_config.5*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man8/sftp-server.8*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man8/ssh-keysign.8*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man8/ssh-pkcs11-helper.8*
|
||||
%attr(0644,root,root) %doc %{_mandir}/man8/sshd.8*
|
||||
%attr(0644,root,root) /var/adm/fillup-templates/sysconfig.ssh
|
||||
|
||||
%if %{build_x11_askpass}
|
||||
%files askpass
|
||||
%defattr(-,root,root)
|
||||
%doc x11-ssh-askpass-%{xversion}/README
|
||||
%doc x11-ssh-askpass-%{xversion}/ChangeLog
|
||||
%doc x11-ssh-askpass-%{xversion}/SshAskpass*.ad
|
||||
%attr(0755,root,root) %{_libdir}/ssh/ssh-askpass
|
||||
%attr(0755,root,root) %{_libdir}/ssh/x11-ssh-askpass
|
||||
%attr(0644,root,root) %doc /usr/X11R6/man/man1/ssh-askpass.1x*
|
||||
%attr(0644,root,root) %doc /usr/X11R6/man/man1/x11-ssh-askpass.1x*
|
||||
%attr(0644,root,root) %config /usr/X11R6/lib/X11/app-defaults/SshAskpass
|
||||
%endif
|
5
crypto/openssh/contrib/suse/rc.config.sshd
Normal file
5
crypto/openssh/contrib/suse/rc.config.sshd
Normal file
@ -0,0 +1,5 @@
|
||||
#
|
||||
# Start the Secure Shell (SSH) Daemon?
|
||||
#
|
||||
START_SSHD="yes"
|
||||
|
121
crypto/openssh/contrib/suse/rc.sshd
Normal file
121
crypto/openssh/contrib/suse/rc.sshd
Normal file
@ -0,0 +1,121 @@
|
||||
#! /bin/sh
|
||||
# Copyright (c) 1995-2000 SuSE GmbH Nuernberg, Germany.
|
||||
#
|
||||
# Author: Jiri Smid <feedback@suse.de>
|
||||
#
|
||||
# /etc/init.d/sshd
|
||||
#
|
||||
# and symbolic its link
|
||||
#
|
||||
# /usr/sbin/rcsshd
|
||||
#
|
||||
### BEGIN INIT INFO
|
||||
# Provides: sshd
|
||||
# Required-Start: $network $remote_fs
|
||||
# Required-Stop: $network $remote_fs
|
||||
# Default-Start: 3 5
|
||||
# Default-Stop: 0 1 2 6
|
||||
# Description: Start the sshd daemon
|
||||
### END INIT INFO
|
||||
|
||||
SSHD_BIN=/usr/sbin/sshd
|
||||
test -x $SSHD_BIN || exit 5
|
||||
|
||||
SSHD_SYSCONFIG=/etc/sysconfig/ssh
|
||||
test -r $SSHD_SYSCONFIG || exit 6
|
||||
. $SSHD_SYSCONFIG
|
||||
|
||||
SSHD_PIDFILE=/var/run/sshd.init.pid
|
||||
|
||||
. /etc/rc.status
|
||||
|
||||
# Shell functions sourced from /etc/rc.status:
|
||||
# rc_check check and set local and overall rc status
|
||||
# rc_status check and set local and overall rc status
|
||||
# rc_status -v ditto but be verbose in local rc status
|
||||
# rc_status -v -r ditto and clear the local rc status
|
||||
# rc_failed set local and overall rc status to failed
|
||||
# rc_reset clear local rc status (overall remains)
|
||||
# rc_exit exit appropriate to overall rc status
|
||||
|
||||
# First reset status of this service
|
||||
rc_reset
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
# Generate any missing host keys
|
||||
ssh-keygen -A
|
||||
echo -n "Starting SSH daemon"
|
||||
## Start daemon with startproc(8). If this fails
|
||||
## the echo return value is set appropriate.
|
||||
|
||||
startproc -f -p $SSHD_PIDFILE $SSHD_BIN $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE"
|
||||
|
||||
# Remember status and be verbose
|
||||
rc_status -v
|
||||
;;
|
||||
stop)
|
||||
echo -n "Shutting down SSH daemon"
|
||||
## Stop daemon with killproc(8) and if this fails
|
||||
## set echo the echo return value.
|
||||
|
||||
killproc -p $SSHD_PIDFILE -TERM $SSHD_BIN
|
||||
|
||||
# Remember status and be verbose
|
||||
rc_status -v
|
||||
;;
|
||||
try-restart)
|
||||
## Stop the service and if this succeeds (i.e. the
|
||||
## service was running before), start it again.
|
||||
$0 status >/dev/null && $0 restart
|
||||
|
||||
# Remember status and be quiet
|
||||
rc_status
|
||||
;;
|
||||
restart)
|
||||
## Stop the service and regardless of whether it was
|
||||
## running or not, start it again.
|
||||
$0 stop
|
||||
$0 start
|
||||
|
||||
# Remember status and be quiet
|
||||
rc_status
|
||||
;;
|
||||
force-reload|reload)
|
||||
## Signal the daemon to reload its config. Most daemons
|
||||
## do this on signal 1 (SIGHUP).
|
||||
|
||||
echo -n "Reload service sshd"
|
||||
|
||||
killproc -p $SSHD_PIDFILE -HUP $SSHD_BIN
|
||||
|
||||
rc_status -v
|
||||
|
||||
;;
|
||||
status)
|
||||
echo -n "Checking for service sshd "
|
||||
## Check status with checkproc(8), if process is running
|
||||
## checkproc will return with exit status 0.
|
||||
|
||||
# Status has a slightly different for the status command:
|
||||
# 0 - service running
|
||||
# 1 - service dead, but /var/run/ pid file exists
|
||||
# 2 - service dead, but /var/lock/ lock file exists
|
||||
# 3 - service not running
|
||||
|
||||
checkproc -p $SSHD_PIDFILE $SSHD_BIN
|
||||
|
||||
rc_status -v
|
||||
;;
|
||||
probe)
|
||||
## Optional: Probe for the necessity of a reload,
|
||||
## give out the argument which is required for a reload.
|
||||
|
||||
test /etc/ssh/sshd_config -nt $SSHD_PIDFILE && echo reload
|
||||
;;
|
||||
*)
|
||||
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
rc_exit
|
9
crypto/openssh/contrib/suse/sysconfig.ssh
Normal file
9
crypto/openssh/contrib/suse/sysconfig.ssh
Normal file
@ -0,0 +1,9 @@
|
||||
## Path: Network/Remote access/SSH
|
||||
## Description: SSH server settings
|
||||
## Type: string
|
||||
## Default: ""
|
||||
## ServiceRestart: sshd
|
||||
#
|
||||
# Options for sshd
|
||||
#
|
||||
SSHD_OPTS=""
|
251
crypto/openssh/install-sh
Executable file
251
crypto/openssh/install-sh
Executable file
@ -0,0 +1,251 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# install - install a program, script, or datafile
|
||||
# This comes from X11R5 (mit/util/scripts/install.sh).
|
||||
#
|
||||
# Copyright 1991 by the Massachusetts Institute of Technology
|
||||
#
|
||||
# Permission to use, copy, modify, distribute, and sell this software and its
|
||||
# documentation for any purpose is hereby granted without fee, provided that
|
||||
# the above copyright notice appear in all copies and that both that
|
||||
# copyright notice and this permission notice appear in supporting
|
||||
# documentation, and that the name of M.I.T. not be used in advertising or
|
||||
# publicity pertaining to distribution of the software without specific,
|
||||
# written prior permission. M.I.T. makes no representations about the
|
||||
# suitability of this software for any purpose. It is provided "as is"
|
||||
# without express or implied warranty.
|
||||
#
|
||||
# Calling this script install-sh is preferred over install.sh, to prevent
|
||||
# `make' implicit rules from creating a file called install from it
|
||||
# when there is no Makefile.
|
||||
#
|
||||
# This script is compatible with the BSD install script, but was written
|
||||
# from scratch. It can only install one file at a time, a restriction
|
||||
# shared with many OS's install programs.
|
||||
|
||||
|
||||
# set DOITPROG to echo to test this script
|
||||
|
||||
# Don't use :- since 4.3BSD and earlier shells don't like it.
|
||||
doit="${DOITPROG-}"
|
||||
|
||||
|
||||
# put in absolute paths if you don't have them in your path; or use env. vars.
|
||||
|
||||
mvprog="${MVPROG-mv}"
|
||||
cpprog="${CPPROG-cp}"
|
||||
chmodprog="${CHMODPROG-chmod}"
|
||||
chownprog="${CHOWNPROG-chown}"
|
||||
chgrpprog="${CHGRPPROG-chgrp}"
|
||||
stripprog="${STRIPPROG-strip}"
|
||||
rmprog="${RMPROG-rm}"
|
||||
mkdirprog="${MKDIRPROG-mkdir}"
|
||||
|
||||
transformbasename=""
|
||||
transform_arg=""
|
||||
instcmd="$mvprog"
|
||||
chmodcmd="$chmodprog 0755"
|
||||
chowncmd=""
|
||||
chgrpcmd=""
|
||||
stripcmd=""
|
||||
rmcmd="$rmprog -f"
|
||||
mvcmd="$mvprog"
|
||||
src=""
|
||||
dst=""
|
||||
dir_arg=""
|
||||
|
||||
while [ x"$1" != x ]; do
|
||||
case $1 in
|
||||
-c) instcmd="$cpprog"
|
||||
shift
|
||||
continue;;
|
||||
|
||||
-d) dir_arg=true
|
||||
shift
|
||||
continue;;
|
||||
|
||||
-m) chmodcmd="$chmodprog $2"
|
||||
shift
|
||||
shift
|
||||
continue;;
|
||||
|
||||
-o) chowncmd="$chownprog $2"
|
||||
shift
|
||||
shift
|
||||
continue;;
|
||||
|
||||
-g) chgrpcmd="$chgrpprog $2"
|
||||
shift
|
||||
shift
|
||||
continue;;
|
||||
|
||||
-s) stripcmd="$stripprog"
|
||||
shift
|
||||
continue;;
|
||||
|
||||
-t=*) transformarg=`echo $1 | sed 's/-t=//'`
|
||||
shift
|
||||
continue;;
|
||||
|
||||
-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
|
||||
shift
|
||||
continue;;
|
||||
|
||||
*) if [ x"$src" = x ]
|
||||
then
|
||||
src=$1
|
||||
else
|
||||
# this colon is to work around a 386BSD /bin/sh bug
|
||||
:
|
||||
dst=$1
|
||||
fi
|
||||
shift
|
||||
continue;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [ x"$src" = x ]
|
||||
then
|
||||
echo "install: no input file specified"
|
||||
exit 1
|
||||
else
|
||||
true
|
||||
fi
|
||||
|
||||
if [ x"$dir_arg" != x ]; then
|
||||
dst=$src
|
||||
src=""
|
||||
|
||||
if [ -d $dst ]; then
|
||||
instcmd=:
|
||||
chmodcmd=""
|
||||
else
|
||||
instcmd=mkdir
|
||||
fi
|
||||
else
|
||||
|
||||
# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
|
||||
# might cause directories to be created, which would be especially bad
|
||||
# if $src (and thus $dsttmp) contains '*'.
|
||||
|
||||
if [ -f $src -o -d $src ]
|
||||
then
|
||||
true
|
||||
else
|
||||
echo "install: $src does not exist"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ x"$dst" = x ]
|
||||
then
|
||||
echo "install: no destination specified"
|
||||
exit 1
|
||||
else
|
||||
true
|
||||
fi
|
||||
|
||||
# If destination is a directory, append the input filename; if your system
|
||||
# does not like double slashes in filenames, you may need to add some logic
|
||||
|
||||
if [ -d $dst ]
|
||||
then
|
||||
dst="$dst"/`basename $src`
|
||||
else
|
||||
true
|
||||
fi
|
||||
fi
|
||||
|
||||
## this sed command emulates the dirname command
|
||||
dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
|
||||
|
||||
# Make sure that the destination directory exists.
|
||||
# this part is taken from Noah Friedman's mkinstalldirs script
|
||||
|
||||
# Skip lots of stat calls in the usual case.
|
||||
if [ ! -d "$dstdir" ]; then
|
||||
defaultIFS='
|
||||
'
|
||||
IFS="${IFS-${defaultIFS}}"
|
||||
|
||||
oIFS="${IFS}"
|
||||
# Some sh's can't handle IFS=/ for some reason.
|
||||
IFS='%'
|
||||
set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
|
||||
IFS="${oIFS}"
|
||||
|
||||
pathcomp=''
|
||||
|
||||
while [ $# -ne 0 ] ; do
|
||||
pathcomp="${pathcomp}${1}"
|
||||
shift
|
||||
|
||||
if [ ! -d "${pathcomp}" ] ;
|
||||
then
|
||||
$mkdirprog "${pathcomp}"
|
||||
else
|
||||
true
|
||||
fi
|
||||
|
||||
pathcomp="${pathcomp}/"
|
||||
done
|
||||
fi
|
||||
|
||||
if [ x"$dir_arg" != x ]
|
||||
then
|
||||
$doit $instcmd $dst &&
|
||||
|
||||
if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
|
||||
if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
|
||||
if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
|
||||
if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
|
||||
else
|
||||
|
||||
# If we're going to rename the final executable, determine the name now.
|
||||
|
||||
if [ x"$transformarg" = x ]
|
||||
then
|
||||
dstfile=`basename $dst`
|
||||
else
|
||||
dstfile=`basename $dst $transformbasename |
|
||||
sed $transformarg`$transformbasename
|
||||
fi
|
||||
|
||||
# don't allow the sed command to completely eliminate the filename
|
||||
|
||||
if [ x"$dstfile" = x ]
|
||||
then
|
||||
dstfile=`basename $dst`
|
||||
else
|
||||
true
|
||||
fi
|
||||
|
||||
# Make a temp file name in the proper directory.
|
||||
|
||||
dsttmp=$dstdir/#inst.$$#
|
||||
|
||||
# Move or copy the file name to the temp name
|
||||
|
||||
$doit $instcmd $src $dsttmp &&
|
||||
|
||||
trap "rm -f ${dsttmp}" 0 &&
|
||||
|
||||
# and set any options; do chmod last to preserve setuid bits
|
||||
|
||||
# If any of these fail, we abort the whole thing. If we want to
|
||||
# ignore errors from any of these, just make sure not to ignore
|
||||
# errors from the above "$doit $instcmd $src $dsttmp" command.
|
||||
|
||||
if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
|
||||
if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
|
||||
if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
|
||||
if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
|
||||
|
||||
# Now rename the file to the real destination.
|
||||
|
||||
$doit $rmcmd -f $dstdir/$dstfile &&
|
||||
$doit $mvcmd $dsttmp $dstdir/$dstfile
|
||||
|
||||
fi &&
|
||||
|
||||
|
||||
exit 0
|
370
crypto/openssh/mdoc2man.awk
Normal file
370
crypto/openssh/mdoc2man.awk
Normal file
@ -0,0 +1,370 @@
|
||||
#!/usr/bin/awk
|
||||
#
|
||||
# $Id: mdoc2man.awk,v 1.9 2009/10/24 00:52:42 dtucker Exp $
|
||||
#
|
||||
# Version history:
|
||||
# v4+ Adapted for OpenSSH Portable (see cvs Id and history)
|
||||
# v3, I put the program under a proper license
|
||||
# Dan Nelson <dnelson@allantgroup.com> added .An, .Aq and fixed a typo
|
||||
# v2, fixed to work on GNU awk --posix and MacOS X
|
||||
# v1, first attempt, didn't work on MacOS X
|
||||
#
|
||||
# Copyright (c) 2003 Peter Stuge <stuge-mdoc2man@cdy.org>
|
||||
#
|
||||
# Permission to use, copy, modify, and distribute this software for any
|
||||
# purpose with or without fee is hereby granted, provided that the above
|
||||
# copyright notice and this permission notice appear in all copies.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
|
||||
BEGIN {
|
||||
optlist=0
|
||||
oldoptlist=0
|
||||
nospace=0
|
||||
synopsis=0
|
||||
reference=0
|
||||
block=0
|
||||
ext=0
|
||||
extopt=0
|
||||
literal=0
|
||||
prenl=0
|
||||
breakw=0
|
||||
line=""
|
||||
}
|
||||
|
||||
function wtail() {
|
||||
retval=""
|
||||
while(w<nwords) {
|
||||
if(length(retval))
|
||||
retval=retval OFS
|
||||
retval=retval words[++w]
|
||||
}
|
||||
return retval
|
||||
}
|
||||
|
||||
function add(str) {
|
||||
for(;prenl;prenl--)
|
||||
line=line "\n"
|
||||
line=line str
|
||||
}
|
||||
|
||||
! /^\./ {
|
||||
for(;prenl;prenl--)
|
||||
print ""
|
||||
print
|
||||
if(literal)
|
||||
print ".br"
|
||||
next
|
||||
}
|
||||
|
||||
/^\.\\"/ { next }
|
||||
|
||||
{
|
||||
option=0
|
||||
parens=0
|
||||
angles=0
|
||||
sub("^\\.","")
|
||||
nwords=split($0,words)
|
||||
for(w=1;w<=nwords;w++) {
|
||||
skip=0
|
||||
if(match(words[w],"^Li|Pf$")) {
|
||||
skip=1
|
||||
} else if(match(words[w],"^Xo$")) {
|
||||
skip=1
|
||||
ext=1
|
||||
if(length(line)&&!(match(line," $")||prenl))
|
||||
add(OFS)
|
||||
} else if(match(words[w],"^Xc$")) {
|
||||
skip=1
|
||||
ext=0
|
||||
if(!extopt)
|
||||
prenl++
|
||||
w=nwords
|
||||
} else if(match(words[w],"^Bd$")) {
|
||||
skip=1
|
||||
if(match(words[w+1],"-literal")) {
|
||||
literal=1
|
||||
prenl++
|
||||
w=nwords
|
||||
}
|
||||
} else if(match(words[w],"^Ed$")) {
|
||||
skip=1
|
||||
literal=0
|
||||
} else if(match(words[w],"^Ns$")) {
|
||||
skip=1
|
||||
if(!nospace)
|
||||
nospace=1
|
||||
sub(" $","",line)
|
||||
} else if(match(words[w],"^No$")) {
|
||||
skip=1
|
||||
sub(" $","",line)
|
||||
add(words[++w])
|
||||
} else if(match(words[w],"^Dq$")) {
|
||||
skip=1
|
||||
add("``")
|
||||
add(words[++w])
|
||||
while(w<nwords&&!match(words[w+1],"^[\\.,]"))
|
||||
add(OFS words[++w])
|
||||
add("''")
|
||||
if(!nospace&&match(words[w+1],"^[\\.,]"))
|
||||
nospace=1
|
||||
} else if(match(words[w],"^Sq|Ql$")) {
|
||||
skip=1
|
||||
add("`" words[++w] "'")
|
||||
if(!nospace&&match(words[w+1],"^[\\.,]"))
|
||||
nospace=1
|
||||
} else if(match(words[w],"^Oo$")) {
|
||||
skip=1
|
||||
extopt=1
|
||||
if(!nospace)
|
||||
nospace=1
|
||||
add("[")
|
||||
} else if(match(words[w],"^Oc$")) {
|
||||
skip=1
|
||||
extopt=0
|
||||
add("]")
|
||||
}
|
||||
if(!skip) {
|
||||
if(!nospace&&length(line)&&!(match(line," $")||prenl))
|
||||
add(OFS)
|
||||
if(nospace==1)
|
||||
nospace=0
|
||||
}
|
||||
if(match(words[w],"^Dd$")) {
|
||||
if(match(words[w+1],"^\\$Mdocdate:")) {
|
||||
w++;
|
||||
if(match(words[w+4],"^\\$$")) {
|
||||
words[w+4] = ""
|
||||
}
|
||||
}
|
||||
date=wtail()
|
||||
next
|
||||
} else if(match(words[w],"^Dt$")) {
|
||||
id=wtail()
|
||||
next
|
||||
} else if(match(words[w],"^Ux$")) {
|
||||
add("UNIX")
|
||||
skip=1
|
||||
} else if(match(words[w],"^Ox$")) {
|
||||
add("OpenBSD")
|
||||
skip=1
|
||||
} else if(match(words[w],"^Os$")) {
|
||||
add(".TH " id " \"" date "\" \"" wtail() "\"")
|
||||
} else if(match(words[w],"^Sh$")) {
|
||||
add(".SH")
|
||||
synopsis=match(words[w+1],"SYNOPSIS")
|
||||
} else if(match(words[w],"^Xr$")) {
|
||||
add("\\fB" words[++w] "\\fP(" words[++w] ")" words[++w])
|
||||
} else if(match(words[w],"^Rs$")) {
|
||||
split("",refauthors)
|
||||
nrefauthors=0
|
||||
reftitle=""
|
||||
refissue=""
|
||||
refdate=""
|
||||
refopt=""
|
||||
refreport=""
|
||||
reference=1
|
||||
next
|
||||
} else if(match(words[w],"^Re$")) {
|
||||
prenl++
|
||||
for(i=nrefauthors-1;i>0;i--) {
|
||||
add(refauthors[i])
|
||||
if(i>1)
|
||||
add(", ")
|
||||
}
|
||||
if(nrefauthors>1)
|
||||
add(" and ")
|
||||
if(nrefauthors>0)
|
||||
add(refauthors[0] ", ")
|
||||
add("\\fI" reftitle "\\fP")
|
||||
if(length(refissue))
|
||||
add(", " refissue)
|
||||
if(length(refreport)) {
|
||||
add(", " refreport)
|
||||
}
|
||||
if(length(refdate))
|
||||
add(", " refdate)
|
||||
if(length(refopt))
|
||||
add(", " refopt)
|
||||
add(".")
|
||||
reference=0
|
||||
} else if(reference) {
|
||||
if(match(words[w],"^%A$")) { refauthors[nrefauthors++]=wtail() }
|
||||
if(match(words[w],"^%T$")) {
|
||||
reftitle=wtail()
|
||||
sub("^\"","",reftitle)
|
||||
sub("\"$","",reftitle)
|
||||
}
|
||||
if(match(words[w],"^%N$")) { refissue=wtail() }
|
||||
if(match(words[w],"^%D$")) { refdate=wtail() }
|
||||
if(match(words[w],"^%O$")) { refopt=wtail() }
|
||||
if(match(words[w],"^%R$")) { refreport=wtail() }
|
||||
} else if(match(words[w],"^Nm$")) {
|
||||
if(synopsis) {
|
||||
add(".br")
|
||||
prenl++
|
||||
}
|
||||
n=words[++w]
|
||||
if(!length(name))
|
||||
name=n
|
||||
if(!length(n))
|
||||
n=name
|
||||
add("\\fB" n "\\fP")
|
||||
if(!nospace&&match(words[w+1],"^[\\.,]"))
|
||||
nospace=1
|
||||
} else if(match(words[w],"^Nd$")) {
|
||||
add("\\- " wtail())
|
||||
} else if(match(words[w],"^Fl$")) {
|
||||
add("\\fB\\-" words[++w] "\\fP")
|
||||
if(!nospace&&match(words[w+1],"^[\\.,]"))
|
||||
nospace=1
|
||||
} else if(match(words[w],"^Ar$")) {
|
||||
add("\\fI")
|
||||
if(w==nwords)
|
||||
add("file ...\\fP")
|
||||
else {
|
||||
add(words[++w] "\\fP")
|
||||
while(match(words[w+1],"^\\|$"))
|
||||
add(OFS words[++w] " \\fI" words[++w] "\\fP")
|
||||
}
|
||||
if(!nospace&&match(words[w+1],"^[\\.,]"))
|
||||
nospace=1
|
||||
} else if(match(words[w],"^Cm$")) {
|
||||
add("\\fB" words[++w] "\\fP")
|
||||
while(w<nwords&&match(words[w+1],"^[\\.,:;)]"))
|
||||
add(words[++w])
|
||||
} else if(match(words[w],"^Op$")) {
|
||||
option=1
|
||||
if(!nospace)
|
||||
nospace=1
|
||||
add("[")
|
||||
} else if(match(words[w],"^Pp$")) {
|
||||
prenl++
|
||||
} else if(match(words[w],"^An$")) {
|
||||
prenl++
|
||||
} else if(match(words[w],"^Ss$")) {
|
||||
add(".SS")
|
||||
} else if(match(words[w],"^Pa$")&&!option) {
|
||||
add("\\fI")
|
||||
w++
|
||||
if(match(words[w],"^\\."))
|
||||
add("\\&")
|
||||
add(words[w] "\\fP")
|
||||
while(w<nwords&&match(words[w+1],"^[\\.,:;)]"))
|
||||
add(words[++w])
|
||||
} else if(match(words[w],"^Dv$")) {
|
||||
add(".BR")
|
||||
} else if(match(words[w],"^Em|Ev$")) {
|
||||
add(".IR")
|
||||
} else if(match(words[w],"^Pq$")) {
|
||||
add("(")
|
||||
nospace=1
|
||||
parens=1
|
||||
} else if(match(words[w],"^Aq$")) {
|
||||
add("<")
|
||||
nospace=1
|
||||
angles=1
|
||||
} else if(match(words[w],"^S[xy]$")) {
|
||||
add(".B " wtail())
|
||||
} else if(match(words[w],"^Ic$")) {
|
||||
plain=1
|
||||
add("\\fB")
|
||||
while(w<nwords) {
|
||||
w++
|
||||
if(match(words[w],"^Op$")) {
|
||||
w++
|
||||
add("[")
|
||||
words[nwords]=words[nwords] "]"
|
||||
}
|
||||
if(match(words[w],"^Ar$")) {
|
||||
add("\\fI" words[++w] "\\fP")
|
||||
} else if(match(words[w],"^[\\.,]")) {
|
||||
sub(" $","",line)
|
||||
if(plain) {
|
||||
add("\\fP")
|
||||
plain=0
|
||||
}
|
||||
add(words[w])
|
||||
} else {
|
||||
if(!plain) {
|
||||
add("\\fB")
|
||||
plain=1
|
||||
}
|
||||
add(words[w])
|
||||
}
|
||||
if(!nospace)
|
||||
add(OFS)
|
||||
}
|
||||
sub(" $","",line)
|
||||
if(plain)
|
||||
add("\\fP")
|
||||
} else if(match(words[w],"^Bl$")) {
|
||||
oldoptlist=optlist
|
||||
if(match(words[w+1],"-bullet"))
|
||||
optlist=1
|
||||
else if(match(words[w+1],"-enum")) {
|
||||
optlist=2
|
||||
enum=0
|
||||
} else if(match(words[w+1],"-tag"))
|
||||
optlist=3
|
||||
else if(match(words[w+1],"-item"))
|
||||
optlist=4
|
||||
else if(match(words[w+1],"-bullet"))
|
||||
optlist=1
|
||||
w=nwords
|
||||
} else if(match(words[w],"^El$")) {
|
||||
optlist=oldoptlist
|
||||
} else if(match(words[w],"^Bk$")) {
|
||||
if(match(words[w+1],"-words")) {
|
||||
w++
|
||||
breakw=1
|
||||
}
|
||||
} else if(match(words[w],"^Ek$")) {
|
||||
breakw=0
|
||||
} else if(match(words[w],"^It$")&&optlist) {
|
||||
if(optlist==1)
|
||||
add(".IP \\(bu")
|
||||
else if(optlist==2)
|
||||
add(".IP " ++enum ".")
|
||||
else if(optlist==3) {
|
||||
add(".TP")
|
||||
prenl++
|
||||
if(match(words[w+1],"^Pa$|^Ev$")) {
|
||||
add(".B")
|
||||
w++
|
||||
}
|
||||
} else if(optlist==4)
|
||||
add(".IP")
|
||||
} else if(match(words[w],"^Sm$")) {
|
||||
if(match(words[w+1],"off"))
|
||||
nospace=2
|
||||
else if(match(words[w+1],"on"))
|
||||
nospace=0
|
||||
w++
|
||||
} else if(!skip) {
|
||||
add(words[w])
|
||||
}
|
||||
}
|
||||
if(match(line,"^\\.[^a-zA-Z]"))
|
||||
sub("^\\.","",line)
|
||||
if(parens)
|
||||
add(")")
|
||||
if(angles)
|
||||
add(">")
|
||||
if(option)
|
||||
add("]")
|
||||
if(ext&&!extopt&&!match(line," $"))
|
||||
add(OFS)
|
||||
if(!ext&&!extopt&&length(line)) {
|
||||
print line
|
||||
prenl=0
|
||||
line=""
|
||||
}
|
||||
}
|
74
crypto/openssh/moduli.0
Normal file
74
crypto/openssh/moduli.0
Normal file
@ -0,0 +1,74 @@
|
||||
MODULI(5) OpenBSD Programmer's Manual MODULI(5)
|
||||
|
||||
NAME
|
||||
moduli - Diffie-Hellman moduli
|
||||
|
||||
DESCRIPTION
|
||||
The /etc/moduli file contains prime numbers and generators for use by
|
||||
sshd(8) in the Diffie-Hellman Group Exchange key exchange method.
|
||||
|
||||
New moduli may be generated with ssh-keygen(1) using a two-step process.
|
||||
An initial candidate generation pass, using ssh-keygen -G, calculates
|
||||
numbers that are likely to be useful. A second primality testing pass,
|
||||
using ssh-keygen -T, provides a high degree of assurance that the numbers
|
||||
are prime and are safe for use in Diffie-Hellman operations by sshd(8).
|
||||
This moduli format is used as the output from each pass.
|
||||
|
||||
The file consists of newline-separated records, one per modulus,
|
||||
containing seven space-separated fields. These fields are as follows:
|
||||
|
||||
timestamp The time that the modulus was last processed as
|
||||
YYYYMMDDHHMMSS.
|
||||
|
||||
type Decimal number specifying the internal structure of
|
||||
the prime modulus. Supported types are:
|
||||
|
||||
0 Unknown, not tested.
|
||||
2 "Safe" prime; (p-1)/2 is also prime.
|
||||
4 Sophie Germain; 2p+1 is also prime.
|
||||
|
||||
Moduli candidates initially produced by ssh-keygen(1)
|
||||
are Sophie Germain primes (type 4). Further primality
|
||||
testing with ssh-keygen(1) produces safe prime moduli
|
||||
(type 2) that are ready for use in sshd(8). Other
|
||||
types are not used by OpenSSH.
|
||||
|
||||
tests Decimal number indicating the type of primality tests
|
||||
that the number has been subjected to represented as a
|
||||
bitmask of the following values:
|
||||
|
||||
0x00 Not tested.
|
||||
0x01 Composite number - not prime.
|
||||
0x02 Sieve of Eratosthenes.
|
||||
0x04 Probabilistic Miller-Rabin primality tests.
|
||||
|
||||
The ssh-keygen(1) moduli candidate generation uses the
|
||||
Sieve of Eratosthenes (flag 0x02). Subsequent
|
||||
ssh-keygen(1) primality tests are Miller-Rabin tests
|
||||
(flag 0x04).
|
||||
|
||||
trials Decimal number indicating the number of primality
|
||||
trials that have been performed on the modulus.
|
||||
|
||||
size Decimal number indicating the size of the prime in
|
||||
bits.
|
||||
|
||||
generator The recommended generator for use with this modulus
|
||||
(hexadecimal).
|
||||
|
||||
modulus The modulus itself in hexadecimal.
|
||||
|
||||
When performing Diffie-Hellman Group Exchange, sshd(8) first estimates
|
||||
the size of the modulus required to produce enough Diffie-Hellman output
|
||||
to sufficiently key the selected symmetric cipher. sshd(8) then randomly
|
||||
selects a modulus from /etc/moduli that best meets the size requirement.
|
||||
|
||||
SEE ALSO
|
||||
ssh-keygen(1), sshd(8)
|
||||
|
||||
STANDARDS
|
||||
M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for
|
||||
the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006,
|
||||
2006.
|
||||
|
||||
OpenBSD 5.4 September 26, 2012 OpenBSD 5.4
|
99
crypto/openssh/nchan.ms
Normal file
99
crypto/openssh/nchan.ms
Normal file
@ -0,0 +1,99 @@
|
||||
.\" $OpenBSD: nchan.ms,v 1.8 2003/11/21 11:57:03 djm Exp $
|
||||
.\"
|
||||
.\"
|
||||
.\" Copyright (c) 1999 Markus Friedl. All rights reserved.
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
.\" modification, are permitted provided that the following conditions
|
||||
.\" are met:
|
||||
.\" 1. Redistributions of source code must retain the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer.
|
||||
.\" 2. Redistributions in binary form must reproduce the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer in the
|
||||
.\" documentation and/or other materials provided with the distribution.
|
||||
.\"
|
||||
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.TL
|
||||
OpenSSH Channel Close Protocol 1.5 Implementation
|
||||
.SH
|
||||
Channel Input State Diagram
|
||||
.PS
|
||||
reset
|
||||
l=1
|
||||
s=1.2
|
||||
ellipsewid=s*ellipsewid
|
||||
boxwid=s*boxwid
|
||||
ellipseht=s*ellipseht
|
||||
S1: ellipse "INPUT" "OPEN"
|
||||
move right 2*l from last ellipse.e
|
||||
S4: ellipse "INPUT" "CLOSED"
|
||||
move down l from last ellipse.s
|
||||
S3: ellipse "INPUT" "WAIT" "OCLOSED"
|
||||
move down l from 1st ellipse.s
|
||||
S2: ellipse "INPUT" "WAIT" "DRAIN"
|
||||
arrow "" "rcvd OCLOSE/" "shutdown_read" "send IEOF" from S1.e to S4.w
|
||||
arrow "ibuf_empty/" "send IEOF" from S2.e to S3.w
|
||||
arrow from S1.s to S2.n
|
||||
box invis "read_failed/" "shutdown_read" with .e at last arrow.c
|
||||
arrow from S3.n to S4.s
|
||||
box invis "rcvd OCLOSE/" "-" with .w at last arrow.c
|
||||
ellipse wid .9*ellipsewid ht .9*ellipseht at S4
|
||||
arrow "start" "" from S1.w+(-0.5,0) to S1.w
|
||||
arrow from S2.ne to S4.sw
|
||||
box invis "rcvd OCLOSE/ " with .e at last arrow.c
|
||||
box invis " send IEOF" with .w at last arrow.c
|
||||
.PE
|
||||
.SH
|
||||
Channel Output State Diagram
|
||||
.PS
|
||||
S1: ellipse "OUTPUT" "OPEN"
|
||||
move right 2*l from last ellipse.e
|
||||
S3: ellipse "OUTPUT" "WAIT" "IEOF"
|
||||
move down l from last ellipse.s
|
||||
S4: ellipse "OUTPUT" "CLOSED"
|
||||
move down l from 1st ellipse.s
|
||||
S2: ellipse "OUTPUT" "WAIT" "DRAIN"
|
||||
arrow "" "write_failed/" "shutdown_write" "send OCLOSE" from S1.e to S3.w
|
||||
arrow "obuf_empty ||" "write_failed/" "shutdown_write" "send OCLOSE" from S2.e to S4.w
|
||||
arrow from S1.s to S2.n
|
||||
box invis "rcvd IEOF/" "-" with .e at last arrow.c
|
||||
arrow from S3.s to S4.n
|
||||
box invis "rcvd IEOF/" "-" with .w at last arrow.c
|
||||
ellipse wid .9*ellipsewid ht .9*ellipseht at S4
|
||||
arrow "start" "" from S1.w+(-0.5,0) to S1.w
|
||||
.PE
|
||||
.SH
|
||||
Notes
|
||||
.PP
|
||||
The input buffer is filled with data from the socket
|
||||
(the socket represents the local consumer/producer of the
|
||||
forwarded channel).
|
||||
The data is then sent over the INPUT-end (transmit-end) of the channel to the
|
||||
remote peer.
|
||||
Data sent by the peer is received on the OUTPUT-end (receive-end),
|
||||
saved in the output buffer and written to the socket.
|
||||
.PP
|
||||
If the local protocol instance has forwarded all data on the
|
||||
INPUT-end of the channel, it sends an IEOF message to the peer.
|
||||
If the peer receives the IEOF and has consumed all
|
||||
data he replies with an OCLOSE.
|
||||
When the local instance receives the OCLOSE
|
||||
he considers the INPUT-half of the channel closed.
|
||||
The peer has his OUTOUT-half closed.
|
||||
.PP
|
||||
A channel can be deallocated by a protocol instance
|
||||
if both the INPUT- and the OUTOUT-half on his
|
||||
side of the channel are closed.
|
||||
Note that when an instance is unable to consume the
|
||||
received data, he is permitted to send an OCLOSE
|
||||
before the matching IEOF is received.
|
88
crypto/openssh/nchan2.ms
Normal file
88
crypto/openssh/nchan2.ms
Normal file
@ -0,0 +1,88 @@
|
||||
.\" $OpenBSD: nchan2.ms,v 1.4 2008/05/15 23:52:24 djm Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
.\" modification, are permitted provided that the following conditions
|
||||
.\" are met:
|
||||
.\" 1. Redistributions of source code must retain the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer.
|
||||
.\" 2. Redistributions in binary form must reproduce the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer in the
|
||||
.\" documentation and/or other materials provided with the distribution.
|
||||
.\"
|
||||
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.TL
|
||||
OpenSSH Channel Close Protocol 2.0 Implementation
|
||||
.SH
|
||||
Channel Input State Diagram
|
||||
.PS
|
||||
reset
|
||||
l=1
|
||||
s=1.2
|
||||
ellipsewid=s*ellipsewid
|
||||
boxwid=s*boxwid
|
||||
ellipseht=s*ellipseht
|
||||
S1: ellipse "INPUT" "OPEN"
|
||||
move right 2*l from last ellipse.e
|
||||
S3: ellipse invis
|
||||
move down l from last ellipse.s
|
||||
S4: ellipse "INPUT" "CLOSED"
|
||||
move down l from 1st ellipse.s
|
||||
S2: ellipse "INPUT" "WAIT" "DRAIN"
|
||||
arrow from S1.e to S4.n
|
||||
box invis "rcvd CLOSE/" "shutdown_read" with .sw at last arrow.c
|
||||
arrow "ibuf_empty ||" "rcvd CLOSE/" "send EOF" "" from S2.e to S4.w
|
||||
arrow from S1.s to S2.n
|
||||
box invis "read_failed ||" "rcvd EOW/" "shutdown_read" with .e at last arrow.c
|
||||
ellipse wid .9*ellipsewid ht .9*ellipseht at S4
|
||||
arrow "start" "" from S1.w+(-0.5,0) to S1.w
|
||||
.PE
|
||||
.SH
|
||||
Channel Output State Diagram
|
||||
.PS
|
||||
S1: ellipse "OUTPUT" "OPEN"
|
||||
move right 2*l from last ellipse.e
|
||||
S3: ellipse invis
|
||||
move down l from last ellipse.s
|
||||
S4: ellipse "OUTPUT" "CLOSED"
|
||||
move down l from 1st ellipse.s
|
||||
S2: ellipse "OUTPUT" "WAIT" "DRAIN"
|
||||
arrow from S1.e to S4.n
|
||||
box invis "write_failed/" "shutdown_write" "send EOW" with .sw at last arrow.c
|
||||
arrow "obuf_empty ||" "write_failed/" "shutdown_write" "" from S2.e to S4.w
|
||||
arrow from S1.s to S2.n
|
||||
box invis "rcvd EOF ||" "rcvd CLOSE/" "-" with .e at last arrow.c
|
||||
ellipse wid .9*ellipsewid ht .9*ellipseht at S4
|
||||
arrow "start" "" from S1.w+(-0.5,0) to S1.w
|
||||
.PE
|
||||
.SH
|
||||
Notes
|
||||
.PP
|
||||
The input buffer is filled with data from the socket
|
||||
(the socket represents the local consumer/producer of the
|
||||
forwarded channel).
|
||||
The data is then sent over the INPUT-end (transmit-end) of the channel to the
|
||||
remote peer.
|
||||
Data sent by the peer is received on the OUTPUT-end (receive-end),
|
||||
saved in the output buffer and written to the socket.
|
||||
.PP
|
||||
If the local protocol instance has forwarded all data on the
|
||||
INPUT-end of the channel, it sends an EOF message to the peer.
|
||||
.PP
|
||||
A CLOSE message is sent to the peer if
|
||||
both the INPUT- and the OUTOUT-half of the local
|
||||
end of the channel are closed.
|
||||
.PP
|
||||
The channel can be deallocated by a protocol instance
|
||||
if a CLOSE message he been both sent and received.
|
42
crypto/openssh/openbsd-compat/Makefile.in
Normal file
42
crypto/openssh/openbsd-compat/Makefile.in
Normal file
@ -0,0 +1,42 @@
|
||||
# $Id: Makefile.in,v 1.51 2013/05/10 06:28:56 dtucker Exp $
|
||||
|
||||
sysconfdir=@sysconfdir@
|
||||
piddir=@piddir@
|
||||
srcdir=@srcdir@
|
||||
top_srcdir=@top_srcdir@
|
||||
|
||||
VPATH=@srcdir@
|
||||
CC=@CC@
|
||||
LD=@LD@
|
||||
CFLAGS=@CFLAGS@
|
||||
CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
|
||||
LIBS=@LIBS@
|
||||
AR=@AR@
|
||||
RANLIB=@RANLIB@
|
||||
INSTALL=@INSTALL@
|
||||
LDFLAGS=-L. @LDFLAGS@
|
||||
|
||||
OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o
|
||||
|
||||
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
|
||||
|
||||
PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||
|
||||
all: libopenbsd-compat.a
|
||||
|
||||
$(COMPAT): ../config.h
|
||||
$(OPENBSD): ../config.h
|
||||
$(PORTS): ../config.h
|
||||
|
||||
libopenbsd-compat.a: $(COMPAT) $(OPENBSD) $(PORTS)
|
||||
$(AR) rv $@ $(COMPAT) $(OPENBSD) $(PORTS)
|
||||
$(RANLIB) $@
|
||||
|
||||
clean:
|
||||
rm -f *.o *.a core
|
||||
|
||||
distclean: clean
|
||||
rm -f Makefile *~
|
38
crypto/openssh/openbsd-compat/regress/Makefile.in
Normal file
38
crypto/openssh/openbsd-compat/regress/Makefile.in
Normal file
@ -0,0 +1,38 @@
|
||||
# $Id: Makefile.in,v 1.4 2006/08/19 09:12:14 dtucker Exp $
|
||||
|
||||
sysconfdir=@sysconfdir@
|
||||
piddir=@piddir@
|
||||
srcdir=@srcdir@
|
||||
top_srcdir=@top_srcdir@
|
||||
|
||||
VPATH=@srcdir@
|
||||
CC=@CC@
|
||||
LD=@LD@
|
||||
CFLAGS=@CFLAGS@
|
||||
CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
|
||||
EXEEXT=@EXEEXT@
|
||||
LIBCOMPAT=../libopenbsd-compat.a
|
||||
LIBS=@LIBS@
|
||||
LDFLAGS=@LDFLAGS@ $(LIBCOMPAT)
|
||||
|
||||
TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \
|
||||
strtonumtest$(EXEEXT)
|
||||
|
||||
all: t-exec ${OTHERTESTS}
|
||||
|
||||
%$(EXEEXT): %.c
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBCOMPAT) $(LIBS)
|
||||
|
||||
t-exec: $(TESTPROGS)
|
||||
@echo running compat regress tests
|
||||
@for TEST in ""$?; do \
|
||||
echo "run test $${TEST}" ... 1>&2; \
|
||||
./$${TEST}$(EXEEXT) || exit $$? ; \
|
||||
done
|
||||
@echo finished compat regress tests
|
||||
|
||||
clean:
|
||||
rm -f *.o *.a core $(TESTPROGS) valid.out
|
||||
|
||||
distclean: clean
|
||||
rm -f Makefile *~
|
63
crypto/openssh/openbsd-compat/regress/closefromtest.c
Normal file
63
crypto/openssh/openbsd-compat/regress/closefromtest.c
Normal file
@ -0,0 +1,63 @@
|
||||
/*
|
||||
* Copyright (c) 2006 Darren Tucker
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
|
||||
#include <fcntl.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#define NUM_OPENS 10
|
||||
|
||||
int closefrom(int);
|
||||
|
||||
void
|
||||
fail(char *msg)
|
||||
{
|
||||
fprintf(stderr, "closefrom: %s\n", msg);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
int
|
||||
main(void)
|
||||
{
|
||||
int i, max, fds[NUM_OPENS];
|
||||
char buf[512];
|
||||
|
||||
for (i = 0; i < NUM_OPENS; i++)
|
||||
if ((fds[i] = open("/dev/null", O_RDONLY)) == -1)
|
||||
exit(0); /* can't test */
|
||||
max = i - 1;
|
||||
|
||||
/* should close last fd only */
|
||||
closefrom(fds[max]);
|
||||
if (close(fds[max]) != -1)
|
||||
fail("failed to close highest fd");
|
||||
|
||||
/* make sure we can still use remaining descriptors */
|
||||
for (i = 0; i < max; i++)
|
||||
if (read(fds[i], buf, sizeof(buf)) == -1)
|
||||
fail("closed descriptors it should not have");
|
||||
|
||||
/* should close all fds */
|
||||
closefrom(fds[0]);
|
||||
for (i = 0; i < NUM_OPENS; i++)
|
||||
if (close(fds[i]) != -1)
|
||||
fail("failed to close from lowest fd");
|
||||
return 0;
|
||||
}
|
73
crypto/openssh/openbsd-compat/regress/snprintftest.c
Normal file
73
crypto/openssh/openbsd-compat/regress/snprintftest.c
Normal file
@ -0,0 +1,73 @@
|
||||
/*
|
||||
* Copyright (c) 2005 Darren Tucker
|
||||
* Copyright (c) 2005 Damien Miller
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
#define BUFSZ 2048
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
|
||||
static int failed = 0;
|
||||
|
||||
static void
|
||||
fail(const char *m)
|
||||
{
|
||||
fprintf(stderr, "snprintftest: %s\n", m);
|
||||
failed = 1;
|
||||
}
|
||||
|
||||
int x_snprintf(char *str, size_t count, const char *fmt, ...)
|
||||
{
|
||||
size_t ret;
|
||||
va_list ap;
|
||||
|
||||
va_start(ap, fmt);
|
||||
ret = vsnprintf(str, count, fmt, ap);
|
||||
va_end(ap);
|
||||
return ret;
|
||||
}
|
||||
|
||||
int
|
||||
main(void)
|
||||
{
|
||||
char b[5];
|
||||
char *src;
|
||||
|
||||
snprintf(b,5,"123456789");
|
||||
if (b[4] != '\0')
|
||||
fail("snprintf does not correctly terminate long strings");
|
||||
|
||||
/* check for read overrun on unterminated string */
|
||||
if ((src = malloc(BUFSZ)) == NULL) {
|
||||
fail("malloc failed");
|
||||
} else {
|
||||
memset(src, 'a', BUFSZ);
|
||||
snprintf(b, sizeof(b), "%.*s", 1, src);
|
||||
if (strcmp(b, "a") != 0)
|
||||
fail("failed with length limit '%%.s'");
|
||||
}
|
||||
|
||||
/* check that snprintf and vsnprintf return sane values */
|
||||
if (snprintf(b, 1, "%s %d", "hello", 12345) != 11)
|
||||
fail("snprintf does not return required length");
|
||||
if (x_snprintf(b, 1, "%s %d", "hello", 12345) != 11)
|
||||
fail("vsnprintf does not return required length");
|
||||
|
||||
return failed;
|
||||
}
|
45
crypto/openssh/openbsd-compat/regress/strduptest.c
Normal file
45
crypto/openssh/openbsd-compat/regress/strduptest.c
Normal file
@ -0,0 +1,45 @@
|
||||
/*
|
||||
* Copyright (c) 2005 Darren Tucker
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
static int fail = 0;
|
||||
|
||||
void
|
||||
test(const char *a)
|
||||
{
|
||||
char *b;
|
||||
|
||||
b = strdup(a);
|
||||
if (b == 0) {
|
||||
fail = 1;
|
||||
return;
|
||||
}
|
||||
if (strcmp(a, b) != 0)
|
||||
fail = 1;
|
||||
free(b);
|
||||
}
|
||||
|
||||
int
|
||||
main(void)
|
||||
{
|
||||
test("");
|
||||
test("a");
|
||||
test("\0");
|
||||
test("abcdefghijklmnopqrstuvwxyz");
|
||||
return fail;
|
||||
}
|
80
crypto/openssh/openbsd-compat/regress/strtonumtest.c
Normal file
80
crypto/openssh/openbsd-compat/regress/strtonumtest.c
Normal file
@ -0,0 +1,80 @@
|
||||
/* $OpenBSD: strtonumtest.c,v 1.1 2004/08/03 20:38:36 otto Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2004 Otto Moerbeek <otto@drijf.net>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* OPENBSD ORIGINAL: regress/lib/libc/strtonum/strtonumtest.c */
|
||||
|
||||
#include <limits.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
/* LLONG_MAX is known as LONGLONG_MAX on AIX */
|
||||
#if defined(LONGLONG_MAX) && !defined(LLONG_MAX)
|
||||
# define LLONG_MAX LONGLONG_MAX
|
||||
# define LLONG_MIN LONGLONG_MIN
|
||||
#endif
|
||||
|
||||
/* LLONG_MAX is known as LONG_LONG_MAX on HP-UX */
|
||||
#if defined(LONG_LONG_MAX) && !defined(LLONG_MAX)
|
||||
# define LLONG_MAX LONG_LONG_MAX
|
||||
# define LLONG_MIN LONG_LONG_MIN
|
||||
#endif
|
||||
|
||||
long long strtonum(const char *, long long, long long, const char **);
|
||||
|
||||
int fail;
|
||||
|
||||
void
|
||||
test(const char *p, long long lb, long long ub, int ok)
|
||||
{
|
||||
long long val;
|
||||
const char *q;
|
||||
|
||||
val = strtonum(p, lb, ub, &q);
|
||||
if (ok && q != NULL) {
|
||||
fprintf(stderr, "%s [%lld-%lld] ", p, lb, ub);
|
||||
fprintf(stderr, "NUMBER NOT ACCEPTED %s\n", q);
|
||||
fail = 1;
|
||||
} else if (!ok && q == NULL) {
|
||||
fprintf(stderr, "%s [%lld-%lld] %lld ", p, lb, ub, val);
|
||||
fprintf(stderr, "NUMBER ACCEPTED\n");
|
||||
fail = 1;
|
||||
}
|
||||
}
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
test("1", 0, 10, 1);
|
||||
test("0", -2, 5, 1);
|
||||
test("0", 2, 5, 0);
|
||||
test("0", 2, LLONG_MAX, 0);
|
||||
test("-2", 0, LLONG_MAX, 0);
|
||||
test("0", -5, LLONG_MAX, 1);
|
||||
test("-3", -3, LLONG_MAX, 1);
|
||||
test("-9223372036854775808", LLONG_MIN, LLONG_MAX, 1);
|
||||
test("9223372036854775807", LLONG_MIN, LLONG_MAX, 1);
|
||||
test("-9223372036854775809", LLONG_MIN, LLONG_MAX, 0);
|
||||
test("9223372036854775808", LLONG_MIN, LLONG_MAX, 0);
|
||||
test("1000000000000000000000000", LLONG_MIN, LLONG_MAX, 0);
|
||||
test("-1000000000000000000000000", LLONG_MIN, LLONG_MAX, 0);
|
||||
test("-2", 10, -1, 0);
|
||||
test("-2", -10, -1, 1);
|
||||
test("-20", -10, -1, 0);
|
||||
test("20", -10, -1, 0);
|
||||
|
||||
return (fail);
|
||||
}
|
||||
|
90
crypto/openssh/openssh.xml.in
Normal file
90
crypto/openssh/openssh.xml.in
Normal file
@ -0,0 +1,90 @@
|
||||
<?xml version='1.0'?>
|
||||
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
|
||||
<!--
|
||||
Copyright (c) 2006 Chad Mynhier.
|
||||
|
||||
Permission to use, copy, modify, and distribute this software for any
|
||||
purpose with or without fee is hereby granted, provided that the above
|
||||
copyright notice and this permission notice appear in all copies.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<service_bundle type='manifest' name='OpenSSH server'>
|
||||
|
||||
<service
|
||||
name='site/__SYSVINIT_NAME__'
|
||||
type='service'
|
||||
version='1'>
|
||||
|
||||
<!--
|
||||
We default to disabled so administrator can decide to enable or not.
|
||||
-->
|
||||
<create_default_instance enabled='false'/>
|
||||
|
||||
<single_instance/>
|
||||
|
||||
<dependency
|
||||
name='filesystem-local'
|
||||
grouping='require_all'
|
||||
restart_on='none'
|
||||
type='service'>
|
||||
<service_fmri value='svc:/system/filesystem/local'/>
|
||||
</dependency>
|
||||
|
||||
<dependency
|
||||
name='network'
|
||||
grouping='require_all'
|
||||
restart_on='none'
|
||||
type='service'>
|
||||
<service_fmri value='svc:/milestone/network'/>
|
||||
</dependency>
|
||||
|
||||
<dependent
|
||||
name='multi-user-server'
|
||||
restart_on='none'
|
||||
grouping='optional_all'>
|
||||
<service_fmri value='svc:/milestone/multi-user-server'/>
|
||||
</dependent>
|
||||
|
||||
<exec_method
|
||||
name='start'
|
||||
type='method'
|
||||
exec='__SMF_METHOD_DIR__/__SYSVINIT_NAME__ start'
|
||||
timeout_seconds='60'>
|
||||
<method_context/>
|
||||
</exec_method>
|
||||
|
||||
<exec_method
|
||||
name='stop'
|
||||
type='method'
|
||||
exec=':kill'
|
||||
timeout_seconds='60'>
|
||||
<method_context/>
|
||||
</exec_method>
|
||||
|
||||
<property_group
|
||||
name='startd'
|
||||
type='framework'>
|
||||
<propval name='ignore_error' type='astring' value='core,signal'/>
|
||||
</property_group>
|
||||
|
||||
<template>
|
||||
<common_name>
|
||||
<loctext xml:lang='C'>OpenSSH server</loctext>
|
||||
</common_name>
|
||||
<documentation>
|
||||
<manpage
|
||||
title='sshd'
|
||||
section='1M'
|
||||
manpath='@prefix@/man'/>
|
||||
</documentation>
|
||||
</template>
|
||||
</service>
|
||||
</service_bundle>
|
88
crypto/openssh/opensshd.init.in
Executable file
88
crypto/openssh/opensshd.init.in
Executable file
@ -0,0 +1,88 @@
|
||||
#!@STARTUP_SCRIPT_SHELL@
|
||||
# Donated code that was put under PD license.
|
||||
#
|
||||
# Stripped PRNGd out of it for the time being.
|
||||
|
||||
umask 022
|
||||
|
||||
CAT=@CAT@
|
||||
KILL=@KILL@
|
||||
|
||||
prefix=@prefix@
|
||||
sysconfdir=@sysconfdir@
|
||||
piddir=@piddir@
|
||||
|
||||
SSHD=$prefix/sbin/sshd
|
||||
PIDFILE=$piddir/sshd.pid
|
||||
PidFile=`grep "^PidFile" ${sysconfdir}/sshd_config | tr "=" " " | awk '{print $2}'`
|
||||
[ X$PidFile = X ] || PIDFILE=$PidFile
|
||||
SSH_KEYGEN=$prefix/bin/ssh-keygen
|
||||
HOST_KEY_RSA1=$sysconfdir/ssh_host_key
|
||||
HOST_KEY_DSA=$sysconfdir/ssh_host_dsa_key
|
||||
HOST_KEY_RSA=$sysconfdir/ssh_host_rsa_key
|
||||
@COMMENT_OUT_ECC@HOST_KEY_ECDSA=$sysconfdir/ssh_host_ecdsa_key
|
||||
|
||||
|
||||
checkkeys() {
|
||||
if [ ! -f $HOST_KEY_RSA1 ]; then
|
||||
${SSH_KEYGEN} -t rsa1 -f ${HOST_KEY_RSA1} -N ""
|
||||
fi
|
||||
if [ ! -f $HOST_KEY_DSA ]; then
|
||||
${SSH_KEYGEN} -t dsa -f ${HOST_KEY_DSA} -N ""
|
||||
fi
|
||||
if [ ! -f $HOST_KEY_RSA ]; then
|
||||
${SSH_KEYGEN} -t rsa -f ${HOST_KEY_RSA} -N ""
|
||||
fi
|
||||
@COMMENT_OUT_ECC@ if [ ! -f $HOST_KEY_ECDSA ]; then
|
||||
@COMMENT_OUT_ECC@ ${SSH_KEYGEN} -t ecdsa -f ${HOST_KEY_ECDSA} -N ""
|
||||
@COMMENT_OUT_ECC@ fi
|
||||
}
|
||||
|
||||
stop_service() {
|
||||
if [ -r $PIDFILE -a ! -z ${PIDFILE} ]; then
|
||||
PID=`${CAT} ${PIDFILE}`
|
||||
fi
|
||||
if [ ${PID:=0} -gt 1 -a ! "X$PID" = "X " ]; then
|
||||
${KILL} ${PID}
|
||||
else
|
||||
echo "Unable to read PID file"
|
||||
fi
|
||||
}
|
||||
|
||||
start_service() {
|
||||
# XXX We really should check if the service is already going, but
|
||||
# XXX we will opt out at this time. - Bal
|
||||
|
||||
# Check to see if we have keys that need to be made
|
||||
checkkeys
|
||||
|
||||
# Start SSHD
|
||||
echo "starting $SSHD... \c" ; $SSHD
|
||||
|
||||
sshd_rc=$?
|
||||
if [ $sshd_rc -ne 0 ]; then
|
||||
echo "$0: Error ${sshd_rc} starting ${SSHD}... bailing."
|
||||
exit $sshd_rc
|
||||
fi
|
||||
echo done.
|
||||
}
|
||||
|
||||
case $1 in
|
||||
|
||||
'start')
|
||||
start_service
|
||||
;;
|
||||
|
||||
'stop')
|
||||
stop_service
|
||||
;;
|
||||
|
||||
'restart')
|
||||
stop_service
|
||||
start_service
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "$0: usage: $0 {start|stop|restart}"
|
||||
;;
|
||||
esac
|
169
crypto/openssh/regress/Makefile
Normal file
169
crypto/openssh/regress/Makefile
Normal file
@ -0,0 +1,169 @@
|
||||
# $OpenBSD: Makefile,v 1.65 2013/04/18 02:46:12 djm Exp $
|
||||
|
||||
REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec
|
||||
tests: $(REGRESS_TARGETS)
|
||||
|
||||
# Interop tests are not run by default
|
||||
interop interop-tests: t-exec-interop
|
||||
|
||||
clean:
|
||||
for F in $(CLEANFILES); do rm -f $(OBJ)$$F; done
|
||||
test -z "${SUDO}" || ${SUDO} rm -f ${SUDO_CLEAN}
|
||||
rm -rf $(OBJ).putty
|
||||
|
||||
distclean: clean
|
||||
|
||||
LTESTS= connect \
|
||||
proxy-connect \
|
||||
connect-privsep \
|
||||
proto-version \
|
||||
proto-mismatch \
|
||||
exit-status \
|
||||
envpass \
|
||||
transfer \
|
||||
banner \
|
||||
rekey \
|
||||
stderr-data \
|
||||
stderr-after-eof \
|
||||
broken-pipe \
|
||||
try-ciphers \
|
||||
yes-head \
|
||||
login-timeout \
|
||||
agent \
|
||||
agent-getpeereid \
|
||||
agent-timeout \
|
||||
agent-ptrace \
|
||||
keyscan \
|
||||
keygen-change \
|
||||
keygen-convert \
|
||||
key-options \
|
||||
scp \
|
||||
sftp \
|
||||
sftp-chroot \
|
||||
sftp-cmds \
|
||||
sftp-badcmds \
|
||||
sftp-batch \
|
||||
sftp-glob \
|
||||
reconfigure \
|
||||
dynamic-forward \
|
||||
forwarding \
|
||||
multiplex \
|
||||
reexec \
|
||||
brokenkeys \
|
||||
cfgmatch \
|
||||
addrmatch \
|
||||
localcommand \
|
||||
forcecommand \
|
||||
portnum \
|
||||
keytype \
|
||||
kextype \
|
||||
cert-hostkey \
|
||||
cert-userkey \
|
||||
host-expand \
|
||||
keys-command \
|
||||
forward-control \
|
||||
integrity \
|
||||
krl
|
||||
|
||||
INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
|
||||
#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
|
||||
|
||||
#LTESTS= cipher-speed
|
||||
|
||||
USER!= id -un
|
||||
CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
|
||||
t8.out t8.out.pub t9.out t9.out.pub \
|
||||
authorized_keys_${USER} known_hosts pidfile testdata \
|
||||
ssh_config sshd_config.orig ssh_proxy sshd_config sshd_proxy \
|
||||
rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \
|
||||
rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \
|
||||
ls.copy banner.in banner.out empty.in \
|
||||
scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
|
||||
sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
|
||||
known_hosts-cert host_ca_key* cert_host_key* cert_user_key* \
|
||||
putty.rsa2 sshd_proxy_orig ssh_proxy_bak \
|
||||
key.rsa-* key.dsa-* key.ecdsa-* \
|
||||
authorized_principals_${USER} expect actual ready \
|
||||
sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \
|
||||
ssh.log failed-ssh.log sshd.log failed-sshd.log \
|
||||
regress.log failed-regress.log ssh-log-wrapper.sh
|
||||
|
||||
SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER}
|
||||
|
||||
# Enable all malloc(3) randomisations and checks
|
||||
TEST_ENV= "MALLOC_OPTIONS=AFGJPRX"
|
||||
|
||||
TEST_SSH_SSHKEYGEN?=ssh-keygen
|
||||
|
||||
CPPFLAGS=-I..
|
||||
|
||||
t1:
|
||||
${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv
|
||||
tr '\n' '\r' <${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_cr.prv
|
||||
${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_cr.prv | diff - ${.CURDIR}/rsa_openssh.prv
|
||||
awk '{print $$0 "\r"}' ${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_crnl.prv
|
||||
${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_crnl.prv | diff - ${.CURDIR}/rsa_openssh.prv
|
||||
|
||||
t2:
|
||||
cat ${.CURDIR}/rsa_openssh.prv > $(OBJ)/t2.out
|
||||
chmod 600 $(OBJ)/t2.out
|
||||
${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t2.out | diff - ${.CURDIR}/rsa_openssh.pub
|
||||
|
||||
t3:
|
||||
${TEST_SSH_SSHKEYGEN} -ef ${.CURDIR}/rsa_openssh.pub >$(OBJ)/t3.out
|
||||
${TEST_SSH_SSHKEYGEN} -if $(OBJ)/t3.out | diff - ${.CURDIR}/rsa_openssh.pub
|
||||
|
||||
t4:
|
||||
${TEST_SSH_SSHKEYGEN} -lf ${.CURDIR}/rsa_openssh.pub |\
|
||||
awk '{print $$2}' | diff - ${.CURDIR}/t4.ok
|
||||
|
||||
t5:
|
||||
${TEST_SSH_SSHKEYGEN} -Bf ${.CURDIR}/rsa_openssh.pub |\
|
||||
awk '{print $$2}' | diff - ${.CURDIR}/t5.ok
|
||||
|
||||
t6:
|
||||
${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.prv > $(OBJ)/t6.out1
|
||||
${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.pub > $(OBJ)/t6.out2
|
||||
chmod 600 $(OBJ)/t6.out1
|
||||
${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t6.out1 | diff - $(OBJ)/t6.out2
|
||||
|
||||
$(OBJ)/t7.out:
|
||||
${TEST_SSH_SSHKEYGEN} -q -t rsa -N '' -f $@
|
||||
|
||||
t7: $(OBJ)/t7.out
|
||||
${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t7.out > /dev/null
|
||||
${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t7.out > /dev/null
|
||||
|
||||
$(OBJ)/t8.out:
|
||||
${TEST_SSH_SSHKEYGEN} -q -t dsa -N '' -f $@
|
||||
|
||||
t8: $(OBJ)/t8.out
|
||||
${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t8.out > /dev/null
|
||||
${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t8.out > /dev/null
|
||||
|
||||
$(OBJ)/t9.out:
|
||||
test "${TEST_SSH_ECC}" != yes || \
|
||||
${TEST_SSH_SSHKEYGEN} -q -t ecdsa -N '' -f $@
|
||||
|
||||
t9: $(OBJ)/t9.out
|
||||
test "${TEST_SSH_ECC}" != yes || \
|
||||
${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t9.out > /dev/null
|
||||
test "${TEST_SSH_ECC}" != yes || \
|
||||
${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t9.out > /dev/null
|
||||
|
||||
t-exec: ${LTESTS:=.sh}
|
||||
@if [ "x$?" = "x" ]; then exit 0; fi; \
|
||||
for TEST in ""$?; do \
|
||||
echo "run test $${TEST}" ... 1>&2; \
|
||||
(env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
|
||||
done
|
||||
|
||||
t-exec-interop: ${INTEROP_TESTS:=.sh}
|
||||
@if [ "x$?" = "x" ]; then exit 0; fi; \
|
||||
for TEST in ""$?; do \
|
||||
echo "run test $${TEST}" ... 1>&2; \
|
||||
(env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
|
||||
done
|
||||
|
||||
# Not run by default
|
||||
interop: ${INTEROP_TARGETS}
|
104
crypto/openssh/regress/README.regress
Normal file
104
crypto/openssh/regress/README.regress
Normal file
@ -0,0 +1,104 @@
|
||||
Overview.
|
||||
|
||||
$ ./configure && make tests
|
||||
|
||||
You'll see some progress info. A failure will cause either the make to
|
||||
abort or the driver script to report a "FATAL" failure.
|
||||
|
||||
The test consists of 2 parts. The first is the file-based tests which is
|
||||
driven by the Makefile, and the second is a set of network or proxycommand
|
||||
based tests, which are driven by a driver script (test-exec.sh) which is
|
||||
called multiple times by the Makefile.
|
||||
|
||||
Failures in the first part will cause the Makefile to return an error.
|
||||
Failures in the second part will print a "FATAL" message for the failed
|
||||
test and continue.
|
||||
|
||||
OpenBSD has a system-wide regression test suite. OpenSSH Portable's test
|
||||
suite is based on OpenBSD's with modifications.
|
||||
|
||||
|
||||
Environment variables.
|
||||
|
||||
SUDO: path to sudo command, if desired. Note that some systems (notably
|
||||
systems using PAM) require sudo to execute some tests.
|
||||
TEST_SSH_TRACE: set to "yes" for verbose output from tests
|
||||
TEST_SSH_QUIET: set to "yes" to suppress non-fatal output.
|
||||
TEST_SSH_x: path to "ssh" command under test, where x=SSH,SSHD,SSHAGENT,SSHADD
|
||||
SSHKEYGEN,SSHKEYSCAN,SFTP,SFTPSERVER
|
||||
OBJ: used by test scripts to access build dir.
|
||||
TEST_SHELL: shell used for running the test scripts.
|
||||
TEST_SSH_PORT: TCP port to be used for the listening tests.
|
||||
TEST_SSH_SSH_CONFOPTS: Configuration directives to be added to ssh_config
|
||||
before running each test.
|
||||
TEST_SSH_SSHD_CONFOTPS: Configuration directives to be added to sshd_config
|
||||
before running each test.
|
||||
|
||||
|
||||
Individual tests.
|
||||
|
||||
You can run an individual test from the top-level Makefile, eg:
|
||||
$ make tests LTESTS=agent-timeout
|
||||
|
||||
If you need to manipulate the environment more you can invoke test-exec.sh
|
||||
directly if you set up the path to find the binaries under test and the
|
||||
test scripts themselves, for example:
|
||||
|
||||
$ cd regress
|
||||
$ PATH=`pwd`/..:$PATH:. TEST_SHELL=/bin/sh sh test-exec.sh `pwd` \
|
||||
agent-timeout.sh
|
||||
ok agent timeout test
|
||||
|
||||
|
||||
Files.
|
||||
|
||||
test-exec.sh: the main test driver. Sets environment, creates config files
|
||||
and keys and runs the specified test.
|
||||
|
||||
At the time of writing, the individual tests are:
|
||||
agent-timeout.sh: agent timeout test
|
||||
agent.sh: simple agent test
|
||||
broken-pipe.sh: broken pipe test
|
||||
connect-privsep.sh: proxy connect with privsep
|
||||
connect.sh: simple connect
|
||||
exit-status.sh: remote exit status
|
||||
forwarding.sh: local and remote forwarding
|
||||
keygen-change.sh: change passphrase for key
|
||||
keyscan.sh: keyscan
|
||||
proto-mismatch.sh: protocol version mismatch
|
||||
proto-version.sh: sshd version with different protocol combinations
|
||||
proxy-connect.sh: proxy connect
|
||||
sftp.sh: basic sftp put/get
|
||||
ssh-com-client.sh: connect with ssh.com client
|
||||
ssh-com-keygen.sh: ssh.com key import
|
||||
ssh-com-sftp.sh: basic sftp put/get with ssh.com server
|
||||
ssh-com.sh: connect to ssh.com server
|
||||
stderr-after-eof.sh: stderr data after eof
|
||||
stderr-data.sh: stderr data transfer
|
||||
transfer.sh: transfer data
|
||||
try-ciphers.sh: try ciphers
|
||||
yes-head.sh: yes pipe head
|
||||
|
||||
|
||||
Problems?
|
||||
|
||||
Run the failing test with shell tracing (-x) turned on:
|
||||
$ PATH=`pwd`/..:$PATH:. sh -x test-exec.sh `pwd` agent-timeout.sh
|
||||
|
||||
Failed tests can be difficult to diagnose. Suggestions:
|
||||
- run the individual test via ./test-exec.sh `pwd` [testname]
|
||||
- set LogLevel to VERBOSE in test-exec.sh and enable syslogging of
|
||||
auth.debug (eg to /var/log/authlog).
|
||||
|
||||
|
||||
Known Issues.
|
||||
|
||||
- Similarly, if you do not have "scp" in your system's $PATH then the
|
||||
multiplex scp tests will fail (since the system's shell startup scripts
|
||||
will determine where the shell started by sshd will look for scp).
|
||||
|
||||
- Recent GNU coreutils deprecate "head -[n]": this will cause the yes-head
|
||||
test to fail. The old behaviour can be restored by setting (and
|
||||
exporting) _POSIX2_VERSION=199209 before running the tests.
|
||||
|
||||
$Id: README.regress,v 1.12 2011/05/05 03:48:42 djm Exp $
|
56
crypto/openssh/regress/addrmatch.sh
Executable file
56
crypto/openssh/regress/addrmatch.sh
Executable file
@ -0,0 +1,56 @@
|
||||
# $OpenBSD: addrmatch.sh,v 1.4 2012/05/13 01:42:32 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="address match"
|
||||
|
||||
mv $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
|
||||
|
||||
run_trial()
|
||||
{
|
||||
user="$1"; addr="$2"; host="$3"; laddr="$4"; lport="$5"
|
||||
expected="$6"; descr="$7"
|
||||
|
||||
verbose "test $descr for $user $addr $host"
|
||||
result=`${SSHD} -f $OBJ/sshd_proxy -T \
|
||||
-C user=${user},addr=${addr},host=${host},laddr=${laddr},lport=${lport} | \
|
||||
awk '/^forcecommand/ {print $2}'`
|
||||
if [ "$result" != "$expected" ]; then
|
||||
fail "failed '$descr' expected $expected got $result"
|
||||
fi
|
||||
}
|
||||
|
||||
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
|
||||
cat >>$OBJ/sshd_proxy <<EOD
|
||||
ForceCommand nomatch
|
||||
Match Address 192.168.0.0/16,!192.168.30.0/24,10.0.0.0/8,host.example.com
|
||||
ForceCommand match1
|
||||
Match Address 1.1.1.1,::1,!::3,2000::/16
|
||||
ForceCommand match2
|
||||
Match LocalAddress 127.0.0.1,::1
|
||||
ForceCommand match3
|
||||
Match LocalPort 5678
|
||||
ForceCommand match4
|
||||
EOD
|
||||
|
||||
run_trial user 192.168.0.1 somehost 1.2.3.4 1234 match1 "first entry"
|
||||
run_trial user 192.168.30.1 somehost 1.2.3.4 1234 nomatch "negative match"
|
||||
run_trial user 19.0.0.1 somehost 1.2.3.4 1234 nomatch "no match"
|
||||
run_trial user 10.255.255.254 somehost 1.2.3.4 1234 match1 "list middle"
|
||||
run_trial user 192.168.30.1 192.168.0.1 1.2.3.4 1234 nomatch "faked IP in hostname"
|
||||
run_trial user 1.1.1.1 somehost.example.com 1.2.3.4 1234 match2 "bare IP4 address"
|
||||
run_trial user 19.0.0.1 somehost 127.0.0.1 1234 match3 "localaddress"
|
||||
run_trial user 19.0.0.1 somehost 1.2.3.4 5678 match4 "localport"
|
||||
|
||||
if test "$TEST_SSH_IPV6" != "no"; then
|
||||
run_trial user ::1 somehost.example.com ::2 1234 match2 "bare IP6 address"
|
||||
run_trial user ::2 somehost.exaple.com ::2 1234 nomatch "deny IPv6"
|
||||
run_trial user ::3 somehost ::2 1234 nomatch "IP6 negated"
|
||||
run_trial user ::4 somehost ::2 1234 nomatch "IP6 no match"
|
||||
run_trial user 2000::1 somehost ::2 1234 match2 "IP6 network"
|
||||
run_trial user 2001::1 somehost ::2 1234 nomatch "IP6 network"
|
||||
run_trial user ::5 somehost ::1 1234 match3 "IP6 localaddress"
|
||||
run_trial user ::5 somehost ::2 5678 match4 "IP6 localport"
|
||||
fi
|
||||
|
||||
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
|
||||
rm $OBJ/sshd_proxy_bak
|
45
crypto/openssh/regress/agent-getpeereid.sh
Normal file
45
crypto/openssh/regress/agent-getpeereid.sh
Normal file
@ -0,0 +1,45 @@
|
||||
# $OpenBSD: agent-getpeereid.sh,v 1.5 2013/05/17 10:33:09 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="disallow agent attach from other uid"
|
||||
|
||||
UNPRIV=nobody
|
||||
ASOCK=${OBJ}/agent
|
||||
SSH_AUTH_SOCK=/nonexistent
|
||||
|
||||
if config_defined HAVE_GETPEEREID HAVE_GETPEERUCRED HAVE_SO_PEERCRED ; then
|
||||
:
|
||||
else
|
||||
echo "skipped (not supported on this platform)"
|
||||
exit 0
|
||||
fi
|
||||
if [ -z "$SUDO" ]; then
|
||||
echo "skipped: need SUDO to switch to uid $UNPRIV"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
trace "start agent"
|
||||
eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null
|
||||
r=$?
|
||||
if [ $r -ne 0 ]; then
|
||||
fail "could not start ssh-agent: exit code $r"
|
||||
else
|
||||
chmod 644 ${SSH_AUTH_SOCK}
|
||||
|
||||
ssh-add -l > /dev/null 2>&1
|
||||
r=$?
|
||||
if [ $r -ne 1 ]; then
|
||||
fail "ssh-add failed with $r != 1"
|
||||
fi
|
||||
|
||||
< /dev/null ${SUDO} -S -u ${UNPRIV} ssh-add -l 2>/dev/null
|
||||
r=$?
|
||||
if [ $r -lt 2 ]; then
|
||||
fail "ssh-add did not fail for ${UNPRIV}: $r < 2"
|
||||
fi
|
||||
|
||||
trace "kill agent"
|
||||
${SSHAGENT} -k > /dev/null
|
||||
fi
|
||||
|
||||
rm -f ${OBJ}/agent
|
69
crypto/openssh/regress/agent-pkcs11.sh
Executable file
69
crypto/openssh/regress/agent-pkcs11.sh
Executable file
@ -0,0 +1,69 @@
|
||||
# $OpenBSD: agent-pkcs11.sh,v 1.1 2010/02/08 10:52:47 markus Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="pkcs11 agent test"
|
||||
|
||||
TEST_SSH_PIN=""
|
||||
TEST_SSH_PKCS11=/usr/local/lib/soft-pkcs11.so.0.0
|
||||
|
||||
# setup environment for soft-pkcs11 token
|
||||
SOFTPKCS11RC=$OBJ/pkcs11.info
|
||||
export SOFTPKCS11RC
|
||||
# prevent ssh-agent from calling ssh-askpass
|
||||
SSH_ASKPASS=/usr/bin/true
|
||||
export SSH_ASKPASS
|
||||
unset DISPLAY
|
||||
|
||||
# start command w/o tty, so ssh-add accepts pin from stdin
|
||||
notty() {
|
||||
perl -e 'use POSIX; POSIX::setsid();
|
||||
if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
|
||||
}
|
||||
|
||||
trace "start agent"
|
||||
eval `${SSHAGENT} -s` > /dev/null
|
||||
r=$?
|
||||
if [ $r -ne 0 ]; then
|
||||
fail "could not start ssh-agent: exit code $r"
|
||||
else
|
||||
trace "generating key/cert"
|
||||
rm -f $OBJ/pkcs11.key $OBJ/pkcs11.crt
|
||||
openssl genrsa -out $OBJ/pkcs11.key 2048 > /dev/null 2>&1
|
||||
chmod 600 $OBJ/pkcs11.key
|
||||
openssl req -key $OBJ/pkcs11.key -new -x509 \
|
||||
-out $OBJ/pkcs11.crt -text -subj '/CN=pkcs11 test' > /dev/null
|
||||
printf "a\ta\t$OBJ/pkcs11.crt\t$OBJ/pkcs11.key" > $SOFTPKCS11RC
|
||||
# add to authorized keys
|
||||
${SSHKEYGEN} -y -f $OBJ/pkcs11.key > $OBJ/authorized_keys_$USER
|
||||
|
||||
trace "add pkcs11 key to agent"
|
||||
echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
|
||||
r=$?
|
||||
if [ $r -ne 0 ]; then
|
||||
fail "ssh-add -s failed: exit code $r"
|
||||
fi
|
||||
|
||||
trace "pkcs11 list via agent"
|
||||
${SSHADD} -l > /dev/null 2>&1
|
||||
r=$?
|
||||
if [ $r -ne 0 ]; then
|
||||
fail "ssh-add -l failed: exit code $r"
|
||||
fi
|
||||
|
||||
trace "pkcs11 connect via agent"
|
||||
${SSH} -2 -F $OBJ/ssh_proxy somehost exit 5
|
||||
r=$?
|
||||
if [ $r -ne 5 ]; then
|
||||
fail "ssh connect failed (exit code $r)"
|
||||
fi
|
||||
|
||||
trace "remove pkcs11 keys"
|
||||
echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
|
||||
r=$?
|
||||
if [ $r -ne 0 ]; then
|
||||
fail "ssh-add -e failed: exit code $r"
|
||||
fi
|
||||
|
||||
trace "kill agent"
|
||||
${SSHAGENT} -k > /dev/null
|
||||
fi
|
53
crypto/openssh/regress/agent-ptrace.sh
Normal file
53
crypto/openssh/regress/agent-ptrace.sh
Normal file
@ -0,0 +1,53 @@
|
||||
# $OpenBSD: agent-ptrace.sh,v 1.1 2002/12/09 15:38:30 markus Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="disallow agent ptrace attach"
|
||||
|
||||
if have_prog uname ; then
|
||||
case `uname` in
|
||||
AIX|CYGWIN*|OSF1)
|
||||
echo "skipped (not supported on this platform)"
|
||||
exit 0
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
if have_prog gdb ; then
|
||||
: ok
|
||||
else
|
||||
echo "skipped (gdb not found)"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if test -z "$SUDO" ; then
|
||||
echo "skipped (SUDO not set)"
|
||||
exit 0
|
||||
else
|
||||
$SUDO chown 0 ${SSHAGENT}
|
||||
$SUDO chgrp 0 ${SSHAGENT}
|
||||
$SUDO chmod 2755 ${SSHAGENT}
|
||||
fi
|
||||
|
||||
trace "start agent"
|
||||
eval `${SSHAGENT} -s` > /dev/null
|
||||
r=$?
|
||||
if [ $r -ne 0 ]; then
|
||||
fail "could not start ssh-agent: exit code $r"
|
||||
else
|
||||
# ls -l ${SSH_AUTH_SOCK}
|
||||
gdb ${SSHAGENT} ${SSH_AGENT_PID} > ${OBJ}/gdb.out 2>&1 << EOF
|
||||
quit
|
||||
EOF
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "gdb failed: exit code $?"
|
||||
fi
|
||||
egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.|Unable to access task ' >/dev/null ${OBJ}/gdb.out
|
||||
r=$?
|
||||
rm -f ${OBJ}/gdb.out
|
||||
if [ $r -ne 0 ]; then
|
||||
fail "ptrace succeeded?: exit code $r"
|
||||
fi
|
||||
|
||||
trace "kill agent"
|
||||
${SSHAGENT} -k > /dev/null
|
||||
fi
|
36
crypto/openssh/regress/agent-timeout.sh
Normal file
36
crypto/openssh/regress/agent-timeout.sh
Normal file
@ -0,0 +1,36 @@
|
||||
# $OpenBSD: agent-timeout.sh,v 1.2 2013/05/17 01:16:09 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="agent timeout test"
|
||||
|
||||
SSHAGENT_TIMEOUT=10
|
||||
|
||||
trace "start agent"
|
||||
eval `${SSHAGENT} -s` > /dev/null
|
||||
r=$?
|
||||
if [ $r -ne 0 ]; then
|
||||
fail "could not start ssh-agent: exit code $r"
|
||||
else
|
||||
trace "add keys with timeout"
|
||||
for t in rsa rsa1; do
|
||||
${SSHADD} -t ${SSHAGENT_TIMEOUT} $OBJ/$t > /dev/null 2>&1
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh-add did succeed exit code 0"
|
||||
fi
|
||||
done
|
||||
n=`${SSHADD} -l 2> /dev/null | wc -l`
|
||||
trace "agent has $n keys"
|
||||
if [ $n -ne 2 ]; then
|
||||
fail "ssh-add -l did not return 2 keys: $n"
|
||||
fi
|
||||
trace "sleeping 2*${SSHAGENT_TIMEOUT} seconds"
|
||||
sleep ${SSHAGENT_TIMEOUT}
|
||||
sleep ${SSHAGENT_TIMEOUT}
|
||||
${SSHADD} -l 2> /dev/null | grep 'The agent has no identities.' >/dev/null
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh-add -l still returns keys after timeout"
|
||||
fi
|
||||
|
||||
trace "kill agent"
|
||||
${SSHAGENT} -k > /dev/null
|
||||
fi
|
75
crypto/openssh/regress/agent.sh
Normal file
75
crypto/openssh/regress/agent.sh
Normal file
@ -0,0 +1,75 @@
|
||||
# $OpenBSD: agent.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="simple agent test"
|
||||
|
||||
SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
|
||||
if [ $? -ne 2 ]; then
|
||||
fail "ssh-add -l did not fail with exit code 2"
|
||||
fi
|
||||
|
||||
trace "start agent"
|
||||
eval `${SSHAGENT} -s` > /dev/null
|
||||
r=$?
|
||||
if [ $r -ne 0 ]; then
|
||||
fail "could not start ssh-agent: exit code $r"
|
||||
else
|
||||
${SSHADD} -l > /dev/null 2>&1
|
||||
if [ $? -ne 1 ]; then
|
||||
fail "ssh-add -l did not fail with exit code 1"
|
||||
fi
|
||||
trace "overwrite authorized keys"
|
||||
printf '' > $OBJ/authorized_keys_$USER
|
||||
for t in rsa rsa1; do
|
||||
# generate user key for agent
|
||||
rm -f $OBJ/$t-agent
|
||||
${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\
|
||||
fail "ssh-keygen for $t-agent failed"
|
||||
# add to authorized keys
|
||||
cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
|
||||
# add privat key to agent
|
||||
${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh-add did succeed exit code 0"
|
||||
fi
|
||||
done
|
||||
${SSHADD} -l > /dev/null 2>&1
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh-add -l failed: exit code $?"
|
||||
fi
|
||||
# the same for full pubkey output
|
||||
${SSHADD} -L > /dev/null 2>&1
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh-add -L failed: exit code $?"
|
||||
fi
|
||||
|
||||
trace "simple connect via agent"
|
||||
for p in 1 2; do
|
||||
${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p
|
||||
if [ $? -ne 5$p ]; then
|
||||
fail "ssh connect with protocol $p failed (exit code $?)"
|
||||
fi
|
||||
done
|
||||
|
||||
trace "agent forwarding"
|
||||
for p in 1 2; do
|
||||
${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh-add -l via agent fwd proto $p failed (exit code $?)"
|
||||
fi
|
||||
${SSH} -A -$p -F $OBJ/ssh_proxy somehost \
|
||||
"${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p"
|
||||
if [ $? -ne 5$p ]; then
|
||||
fail "agent fwd proto $p failed (exit code $?)"
|
||||
fi
|
||||
done
|
||||
|
||||
trace "delete all agent keys"
|
||||
${SSHADD} -D > /dev/null 2>&1
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh-add -D failed: exit code $?"
|
||||
fi
|
||||
|
||||
trace "kill agent"
|
||||
${SSHAGENT} -k > /dev/null
|
||||
fi
|
44
crypto/openssh/regress/banner.sh
Normal file
44
crypto/openssh/regress/banner.sh
Normal file
@ -0,0 +1,44 @@
|
||||
# $OpenBSD: banner.sh,v 1.2 2003/10/11 11:49:49 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="banner"
|
||||
echo "Banner $OBJ/banner.in" >> $OBJ/sshd_proxy
|
||||
|
||||
rm -f $OBJ/banner.out $OBJ/banner.in $OBJ/empty.in
|
||||
touch $OBJ/empty.in
|
||||
|
||||
trace "test missing banner file"
|
||||
verbose "test $tid: missing banner file"
|
||||
( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
|
||||
cmp $OBJ/empty.in $OBJ/banner.out ) || \
|
||||
fail "missing banner file"
|
||||
|
||||
for s in 0 10 100 1000 10000 100000 ; do
|
||||
if [ "$s" = "0" ]; then
|
||||
# create empty banner
|
||||
touch $OBJ/banner.in
|
||||
elif [ "$s" = "10" ]; then
|
||||
# create 10-byte banner file
|
||||
echo "abcdefghi" >$OBJ/banner.in
|
||||
else
|
||||
# increase size 10x
|
||||
cp $OBJ/banner.in $OBJ/banner.out
|
||||
for i in 0 1 2 3 4 5 6 7 8 ; do
|
||||
cat $OBJ/banner.out >> $OBJ/banner.in
|
||||
done
|
||||
fi
|
||||
|
||||
trace "test banner size $s"
|
||||
verbose "test $tid: size $s"
|
||||
( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
|
||||
cmp $OBJ/banner.in $OBJ/banner.out ) || \
|
||||
fail "banner size $s mismatch"
|
||||
done
|
||||
|
||||
trace "test suppress banner (-q)"
|
||||
verbose "test $tid: suppress banner (-q)"
|
||||
( ${SSH} -q -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
|
||||
cmp $OBJ/empty.in $OBJ/banner.out ) || \
|
||||
fail "suppress banner (-q)"
|
||||
|
||||
rm -f $OBJ/banner.out $OBJ/banner.in $OBJ/empty.in
|
15
crypto/openssh/regress/broken-pipe.sh
Normal file
15
crypto/openssh/regress/broken-pipe.sh
Normal file
@ -0,0 +1,15 @@
|
||||
# $OpenBSD: broken-pipe.sh,v 1.4 2002/03/15 13:08:56 markus Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="broken pipe test"
|
||||
|
||||
for p in 1 2; do
|
||||
trace "protocol $p"
|
||||
for i in 1 2 3 4; do
|
||||
${SSH} -$p -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true
|
||||
r=$?
|
||||
if [ $r -ne 0 ]; then
|
||||
fail "broken pipe returns $r for protocol $p"
|
||||
fi
|
||||
done
|
||||
done
|
23
crypto/openssh/regress/brokenkeys.sh
Normal file
23
crypto/openssh/regress/brokenkeys.sh
Normal file
@ -0,0 +1,23 @@
|
||||
# $OpenBSD: brokenkeys.sh,v 1.1 2004/10/29 23:59:22 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="broken keys"
|
||||
|
||||
KEYS="$OBJ/authorized_keys_${USER}"
|
||||
|
||||
start_sshd
|
||||
|
||||
mv ${KEYS} ${KEYS}.bak
|
||||
|
||||
# Truncated key
|
||||
echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEABTM= bad key" > $KEYS
|
||||
cat ${KEYS}.bak >> ${KEYS}
|
||||
cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
|
||||
|
||||
${SSH} -2 -F $OBJ/ssh_config somehost true
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh connect with protocol $p failed"
|
||||
fi
|
||||
|
||||
mv ${KEYS}.bak ${KEYS}
|
||||
|
256
crypto/openssh/regress/cert-hostkey.sh
Executable file
256
crypto/openssh/regress/cert-hostkey.sh
Executable file
@ -0,0 +1,256 @@
|
||||
# $OpenBSD: cert-hostkey.sh,v 1.7 2013/05/17 00:37:40 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="certified host keys"
|
||||
|
||||
# used to disable ECC based tests on platforms without ECC
|
||||
ecdsa=""
|
||||
if test "x$TEST_SSH_ECC" = "xyes"; then
|
||||
ecdsa=ecdsa
|
||||
fi
|
||||
|
||||
rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
|
||||
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
|
||||
|
||||
HOSTS='localhost-with-alias,127.0.0.1,::1'
|
||||
|
||||
# Create a CA key and add it to known hosts
|
||||
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\
|
||||
fail "ssh-keygen of host_ca_key failed"
|
||||
(
|
||||
printf '@cert-authority '
|
||||
printf "$HOSTS "
|
||||
cat $OBJ/host_ca_key.pub
|
||||
) > $OBJ/known_hosts-cert
|
||||
|
||||
# Generate and sign host keys
|
||||
for ktype in rsa dsa $ecdsa ; do
|
||||
verbose "$tid: sign host ${ktype} cert"
|
||||
# Generate and sign a host key
|
||||
${SSHKEYGEN} -q -N '' -t ${ktype} \
|
||||
-f $OBJ/cert_host_key_${ktype} || \
|
||||
fail "ssh-keygen of cert_host_key_${ktype} failed"
|
||||
${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \
|
||||
-I "regress host key for $USER" \
|
||||
-n $HOSTS $OBJ/cert_host_key_${ktype} ||
|
||||
fail "couldn't sign cert_host_key_${ktype}"
|
||||
# v00 ecdsa certs do not exist
|
||||
test "${ktype}" = "ecdsa" && continue
|
||||
cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
|
||||
cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
|
||||
${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
|
||||
-I "regress host key for $USER" \
|
||||
-n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
|
||||
fail "couldn't sign cert_host_key_${ktype}_v00"
|
||||
done
|
||||
|
||||
# Basic connect tests
|
||||
for privsep in yes no ; do
|
||||
for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do
|
||||
verbose "$tid: host ${ktype} cert connect privsep $privsep"
|
||||
(
|
||||
cat $OBJ/sshd_proxy_bak
|
||||
echo HostKey $OBJ/cert_host_key_${ktype}
|
||||
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
|
||||
echo UsePrivilegeSeparation $privsep
|
||||
) > $OBJ/sshd_proxy
|
||||
|
||||
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
|
||||
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
|
||||
-F $OBJ/ssh_proxy somehost true
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh cert connect failed"
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
# Revoked certificates with key present
|
||||
(
|
||||
printf '@cert-authority '
|
||||
printf "$HOSTS "
|
||||
cat $OBJ/host_ca_key.pub
|
||||
printf '@revoked '
|
||||
printf "* "
|
||||
cat $OBJ/cert_host_key_rsa.pub
|
||||
if test "x$TEST_SSH_ECC" = "xyes"; then
|
||||
printf '@revoked '
|
||||
printf "* "
|
||||
cat $OBJ/cert_host_key_ecdsa.pub
|
||||
fi
|
||||
printf '@revoked '
|
||||
printf "* "
|
||||
cat $OBJ/cert_host_key_dsa.pub
|
||||
printf '@revoked '
|
||||
printf "* "
|
||||
cat $OBJ/cert_host_key_rsa_v00.pub
|
||||
printf '@revoked '
|
||||
printf "* "
|
||||
cat $OBJ/cert_host_key_dsa_v00.pub
|
||||
) > $OBJ/known_hosts-cert
|
||||
for privsep in yes no ; do
|
||||
for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do
|
||||
verbose "$tid: host ${ktype} revoked cert privsep $privsep"
|
||||
(
|
||||
cat $OBJ/sshd_proxy_bak
|
||||
echo HostKey $OBJ/cert_host_key_${ktype}
|
||||
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
|
||||
echo UsePrivilegeSeparation $privsep
|
||||
) > $OBJ/sshd_proxy
|
||||
|
||||
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
|
||||
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh cert connect succeeded unexpectedly"
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
# Revoked CA
|
||||
(
|
||||
printf '@cert-authority '
|
||||
printf "$HOSTS "
|
||||
cat $OBJ/host_ca_key.pub
|
||||
printf '@revoked '
|
||||
printf "* "
|
||||
cat $OBJ/host_ca_key.pub
|
||||
) > $OBJ/known_hosts-cert
|
||||
for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
|
||||
verbose "$tid: host ${ktype} revoked cert"
|
||||
(
|
||||
cat $OBJ/sshd_proxy_bak
|
||||
echo HostKey $OBJ/cert_host_key_${ktype}
|
||||
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
|
||||
) > $OBJ/sshd_proxy
|
||||
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
|
||||
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh cert connect succeeded unexpectedly"
|
||||
fi
|
||||
done
|
||||
|
||||
# Create a CA key and add it to known hosts
|
||||
(
|
||||
printf '@cert-authority '
|
||||
printf "$HOSTS "
|
||||
cat $OBJ/host_ca_key.pub
|
||||
) > $OBJ/known_hosts-cert
|
||||
|
||||
test_one() {
|
||||
ident=$1
|
||||
result=$2
|
||||
sign_opts=$3
|
||||
|
||||
for kt in rsa rsa_v00 ; do
|
||||
case $kt in
|
||||
*_v00) args="-t v00" ;;
|
||||
*) args="" ;;
|
||||
esac
|
||||
|
||||
verbose "$tid: host cert connect $ident $kt expect $result"
|
||||
${SSHKEYGEN} -q -s $OBJ/host_ca_key \
|
||||
-I "regress host key for $USER" \
|
||||
$sign_opts $args \
|
||||
$OBJ/cert_host_key_${kt} ||
|
||||
fail "couldn't sign cert_host_key_${kt}"
|
||||
(
|
||||
cat $OBJ/sshd_proxy_bak
|
||||
echo HostKey $OBJ/cert_host_key_${kt}
|
||||
echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
|
||||
) > $OBJ/sshd_proxy
|
||||
|
||||
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
|
||||
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
rc=$?
|
||||
if [ "x$result" = "xsuccess" ] ; then
|
||||
if [ $rc -ne 0 ]; then
|
||||
fail "ssh cert connect $ident failed unexpectedly"
|
||||
fi
|
||||
else
|
||||
if [ $rc -eq 0 ]; then
|
||||
fail "ssh cert connect $ident succeeded unexpectedly"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
test_one "user-certificate" failure "-n $HOSTS"
|
||||
test_one "empty principals" success "-h"
|
||||
test_one "wrong principals" failure "-h -n foo"
|
||||
test_one "cert not yet valid" failure "-h -V20200101:20300101"
|
||||
test_one "cert expired" failure "-h -V19800101:19900101"
|
||||
test_one "cert valid interval" success "-h -V-1w:+2w"
|
||||
test_one "cert has constraints" failure "-h -Oforce-command=false"
|
||||
|
||||
# Check downgrade of cert to raw key when no CA found
|
||||
for v in v01 v00 ; do
|
||||
for ktype in rsa dsa $ecdsa ; do
|
||||
# v00 ecdsa certs do not exist.
|
||||
test "${v}${ktype}" = "v00ecdsa" && continue
|
||||
rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
|
||||
verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
|
||||
# Generate and sign a host key
|
||||
${SSHKEYGEN} -q -N '' -t ${ktype} \
|
||||
-f $OBJ/cert_host_key_${ktype} || \
|
||||
fail "ssh-keygen of cert_host_key_${ktype} failed"
|
||||
${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
|
||||
-I "regress host key for $USER" \
|
||||
-n $HOSTS $OBJ/cert_host_key_${ktype} ||
|
||||
fail "couldn't sign cert_host_key_${ktype}"
|
||||
(
|
||||
printf "$HOSTS "
|
||||
cat $OBJ/cert_host_key_${ktype}.pub
|
||||
) > $OBJ/known_hosts-cert
|
||||
(
|
||||
cat $OBJ/sshd_proxy_bak
|
||||
echo HostKey $OBJ/cert_host_key_${ktype}
|
||||
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
|
||||
) > $OBJ/sshd_proxy
|
||||
|
||||
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
|
||||
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
|
||||
-F $OBJ/ssh_proxy somehost true
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh cert connect failed"
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
# Wrong certificate
|
||||
(
|
||||
printf '@cert-authority '
|
||||
printf "$HOSTS "
|
||||
cat $OBJ/host_ca_key.pub
|
||||
) > $OBJ/known_hosts-cert
|
||||
for v in v01 v00 ; do
|
||||
for kt in rsa dsa $ecdsa ; do
|
||||
# v00 ecdsa certs do not exist.
|
||||
test "${v}${ktype}" = "v00ecdsa" && continue
|
||||
rm -f $OBJ/cert_host_key*
|
||||
# Self-sign key
|
||||
${SSHKEYGEN} -q -N '' -t ${kt} \
|
||||
-f $OBJ/cert_host_key_${kt} || \
|
||||
fail "ssh-keygen of cert_host_key_${kt} failed"
|
||||
${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
|
||||
-I "regress host key for $USER" \
|
||||
-n $HOSTS $OBJ/cert_host_key_${kt} ||
|
||||
fail "couldn't sign cert_host_key_${kt}"
|
||||
verbose "$tid: host ${kt} connect wrong cert"
|
||||
(
|
||||
cat $OBJ/sshd_proxy_bak
|
||||
echo HostKey $OBJ/cert_host_key_${kt}
|
||||
echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
|
||||
) > $OBJ/sshd_proxy
|
||||
|
||||
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
|
||||
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
|
||||
-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh cert connect $ident succeeded unexpectedly"
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
|
355
crypto/openssh/regress/cert-userkey.sh
Executable file
355
crypto/openssh/regress/cert-userkey.sh
Executable file
@ -0,0 +1,355 @@
|
||||
# $OpenBSD: cert-userkey.sh,v 1.11 2013/05/17 00:37:40 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="certified user keys"
|
||||
|
||||
# used to disable ECC based tests on platforms without ECC
|
||||
ecdsa=""
|
||||
if test "x$TEST_SSH_ECC" = "xyes"; then
|
||||
ecdsa=ecdsa
|
||||
fi
|
||||
|
||||
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
|
||||
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
|
||||
|
||||
# Create a CA key
|
||||
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
|
||||
fail "ssh-keygen of user_ca_key failed"
|
||||
|
||||
# Generate and sign user keys
|
||||
for ktype in rsa dsa $ecdsa ; do
|
||||
verbose "$tid: sign user ${ktype} cert"
|
||||
${SSHKEYGEN} -q -N '' -t ${ktype} \
|
||||
-f $OBJ/cert_user_key_${ktype} || \
|
||||
fail "ssh-keygen of cert_user_key_${ktype} failed"
|
||||
${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
|
||||
-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
|
||||
fail "couldn't sign cert_user_key_${ktype}"
|
||||
# v00 ecdsa certs do not exist
|
||||
test "${ktype}" = "ecdsa" && continue
|
||||
cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
|
||||
cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
|
||||
${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
|
||||
"regress user key for $USER" \
|
||||
-n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
|
||||
fail "couldn't sign cert_user_key_${ktype}_v00"
|
||||
done
|
||||
|
||||
# Test explicitly-specified principals
|
||||
for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
|
||||
for privsep in yes no ; do
|
||||
_prefix="${ktype} privsep $privsep"
|
||||
|
||||
# Setup for AuthorizedPrincipalsFile
|
||||
rm -f $OBJ/authorized_keys_$USER
|
||||
(
|
||||
cat $OBJ/sshd_proxy_bak
|
||||
echo "UsePrivilegeSeparation $privsep"
|
||||
echo "AuthorizedPrincipalsFile " \
|
||||
"$OBJ/authorized_principals_%u"
|
||||
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
|
||||
) > $OBJ/sshd_proxy
|
||||
|
||||
# Missing authorized_principals
|
||||
verbose "$tid: ${_prefix} missing authorized_principals"
|
||||
rm -f $OBJ/authorized_principals_$USER
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh cert connect succeeded unexpectedly"
|
||||
fi
|
||||
|
||||
# Empty authorized_principals
|
||||
verbose "$tid: ${_prefix} empty authorized_principals"
|
||||
echo > $OBJ/authorized_principals_$USER
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh cert connect succeeded unexpectedly"
|
||||
fi
|
||||
|
||||
# Wrong authorized_principals
|
||||
verbose "$tid: ${_prefix} wrong authorized_principals"
|
||||
echo gregorsamsa > $OBJ/authorized_principals_$USER
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh cert connect succeeded unexpectedly"
|
||||
fi
|
||||
|
||||
# Correct authorized_principals
|
||||
verbose "$tid: ${_prefix} correct authorized_principals"
|
||||
echo mekmitasdigoat > $OBJ/authorized_principals_$USER
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh cert connect failed"
|
||||
fi
|
||||
|
||||
# authorized_principals with bad key option
|
||||
verbose "$tid: ${_prefix} authorized_principals bad key opt"
|
||||
echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh cert connect succeeded unexpectedly"
|
||||
fi
|
||||
|
||||
# authorized_principals with command=false
|
||||
verbose "$tid: ${_prefix} authorized_principals command=false"
|
||||
echo 'command="false" mekmitasdigoat' > \
|
||||
$OBJ/authorized_principals_$USER
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh cert connect succeeded unexpectedly"
|
||||
fi
|
||||
|
||||
|
||||
# authorized_principals with command=true
|
||||
verbose "$tid: ${_prefix} authorized_principals command=true"
|
||||
echo 'command="true" mekmitasdigoat' > \
|
||||
$OBJ/authorized_principals_$USER
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh cert connect failed"
|
||||
fi
|
||||
|
||||
# Setup for principals= key option
|
||||
rm -f $OBJ/authorized_principals_$USER
|
||||
(
|
||||
cat $OBJ/sshd_proxy_bak
|
||||
echo "UsePrivilegeSeparation $privsep"
|
||||
) > $OBJ/sshd_proxy
|
||||
|
||||
# Wrong principals list
|
||||
verbose "$tid: ${_prefix} wrong principals key option"
|
||||
(
|
||||
printf 'cert-authority,principals="gregorsamsa" '
|
||||
cat $OBJ/user_ca_key.pub
|
||||
) > $OBJ/authorized_keys_$USER
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh cert connect succeeded unexpectedly"
|
||||
fi
|
||||
|
||||
# Correct principals list
|
||||
verbose "$tid: ${_prefix} correct principals key option"
|
||||
(
|
||||
printf 'cert-authority,principals="mekmitasdigoat" '
|
||||
cat $OBJ/user_ca_key.pub
|
||||
) > $OBJ/authorized_keys_$USER
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh cert connect failed"
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
basic_tests() {
|
||||
auth=$1
|
||||
if test "x$auth" = "xauthorized_keys" ; then
|
||||
# Add CA to authorized_keys
|
||||
(
|
||||
printf 'cert-authority '
|
||||
cat $OBJ/user_ca_key.pub
|
||||
) > $OBJ/authorized_keys_$USER
|
||||
else
|
||||
echo > $OBJ/authorized_keys_$USER
|
||||
extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
|
||||
fi
|
||||
|
||||
for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
|
||||
for privsep in yes no ; do
|
||||
_prefix="${ktype} privsep $privsep $auth"
|
||||
# Simple connect
|
||||
verbose "$tid: ${_prefix} connect"
|
||||
(
|
||||
cat $OBJ/sshd_proxy_bak
|
||||
echo "UsePrivilegeSeparation $privsep"
|
||||
echo "$extra_sshd"
|
||||
) > $OBJ/sshd_proxy
|
||||
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh cert connect failed"
|
||||
fi
|
||||
|
||||
# Revoked keys
|
||||
verbose "$tid: ${_prefix} revoked key"
|
||||
(
|
||||
cat $OBJ/sshd_proxy_bak
|
||||
echo "UsePrivilegeSeparation $privsep"
|
||||
echo "RevokedKeys $OBJ/cert_user_key_revoked"
|
||||
echo "$extra_sshd"
|
||||
) > $OBJ/sshd_proxy
|
||||
cp $OBJ/cert_user_key_${ktype}.pub \
|
||||
$OBJ/cert_user_key_revoked
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh cert connect succeeded unexpecedly"
|
||||
fi
|
||||
verbose "$tid: ${_prefix} revoked via KRL"
|
||||
rm $OBJ/cert_user_key_revoked
|
||||
${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
|
||||
$OBJ/cert_user_key_${ktype}.pub
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh cert connect succeeded unexpecedly"
|
||||
fi
|
||||
verbose "$tid: ${_prefix} empty KRL"
|
||||
${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh cert connect failed"
|
||||
fi
|
||||
done
|
||||
|
||||
# Revoked CA
|
||||
verbose "$tid: ${ktype} $auth revoked CA key"
|
||||
(
|
||||
cat $OBJ/sshd_proxy_bak
|
||||
echo "RevokedKeys $OBJ/user_ca_key.pub"
|
||||
echo "$extra_sshd"
|
||||
) > $OBJ/sshd_proxy
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
|
||||
somehost true >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh cert connect succeeded unexpecedly"
|
||||
fi
|
||||
done
|
||||
|
||||
verbose "$tid: $auth CA does not authenticate"
|
||||
(
|
||||
cat $OBJ/sshd_proxy_bak
|
||||
echo "$extra_sshd"
|
||||
) > $OBJ/sshd_proxy
|
||||
verbose "$tid: ensure CA key does not authenticate user"
|
||||
${SSH} -2i $OBJ/user_ca_key \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh cert connect with CA key succeeded unexpectedly"
|
||||
fi
|
||||
}
|
||||
|
||||
basic_tests authorized_keys
|
||||
basic_tests TrustedUserCAKeys
|
||||
|
||||
test_one() {
|
||||
ident=$1
|
||||
result=$2
|
||||
sign_opts=$3
|
||||
auth_choice=$4
|
||||
auth_opt=$5
|
||||
|
||||
if test "x$auth_choice" = "x" ; then
|
||||
auth_choice="authorized_keys TrustedUserCAKeys"
|
||||
fi
|
||||
|
||||
for auth in $auth_choice ; do
|
||||
for ktype in rsa rsa_v00 ; do
|
||||
case $ktype in
|
||||
*_v00) keyv="-t v00" ;;
|
||||
*) keyv="" ;;
|
||||
esac
|
||||
|
||||
cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
|
||||
if test "x$auth" = "xauthorized_keys" ; then
|
||||
# Add CA to authorized_keys
|
||||
(
|
||||
printf "cert-authority${auth_opt} "
|
||||
cat $OBJ/user_ca_key.pub
|
||||
) > $OBJ/authorized_keys_$USER
|
||||
else
|
||||
echo > $OBJ/authorized_keys_$USER
|
||||
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
|
||||
>> $OBJ/sshd_proxy
|
||||
if test "x$auth_opt" != "x" ; then
|
||||
echo $auth_opt >> $OBJ/sshd_proxy
|
||||
fi
|
||||
fi
|
||||
|
||||
verbose "$tid: $ident auth $auth expect $result $ktype"
|
||||
${SSHKEYGEN} -q -s $OBJ/user_ca_key \
|
||||
-I "regress user key for $USER" \
|
||||
$sign_opts $keyv \
|
||||
$OBJ/cert_user_key_${ktype} ||
|
||||
fail "couldn't sign cert_user_key_${ktype}"
|
||||
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} \
|
||||
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
|
||||
rc=$?
|
||||
if [ "x$result" = "xsuccess" ] ; then
|
||||
if [ $rc -ne 0 ]; then
|
||||
fail "$ident failed unexpectedly"
|
||||
fi
|
||||
else
|
||||
if [ $rc -eq 0 ]; then
|
||||
fail "$ident succeeded unexpectedly"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
test_one "correct principal" success "-n ${USER}"
|
||||
test_one "host-certificate" failure "-n ${USER} -h"
|
||||
test_one "wrong principals" failure "-n foo"
|
||||
test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
|
||||
test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
|
||||
test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
|
||||
test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
|
||||
test_one "force-command" failure "-n ${USER} -Oforce-command=false"
|
||||
|
||||
# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
|
||||
test_one "empty principals" success "" authorized_keys
|
||||
test_one "empty principals" failure "" TrustedUserCAKeys
|
||||
|
||||
# Check explicitly-specified principals: an empty principals list in the cert
|
||||
# should always be refused.
|
||||
|
||||
# AuthorizedPrincipalsFile
|
||||
rm -f $OBJ/authorized_keys_$USER
|
||||
echo mekmitasdigoat > $OBJ/authorized_principals_$USER
|
||||
test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
|
||||
TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
|
||||
test_one "AuthorizedPrincipalsFile no principals" failure "" \
|
||||
TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
|
||||
|
||||
# principals= key option
|
||||
rm -f $OBJ/authorized_principals_$USER
|
||||
test_one "principals key option principals" success "-n mekmitasdigoat" \
|
||||
authorized_keys ',principals="mekmitasdigoat"'
|
||||
test_one "principals key option no principals" failure "" \
|
||||
authorized_keys ',principals="mekmitasdigoat"'
|
||||
|
||||
# Wrong certificate
|
||||
cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
|
||||
for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
|
||||
case $ktype in
|
||||
*_v00) args="-t v00" ;;
|
||||
*) args="" ;;
|
||||
esac
|
||||
# Self-sign
|
||||
${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
|
||||
"regress user key for $USER" \
|
||||
-n $USER $OBJ/cert_user_key_${ktype} ||
|
||||
fail "couldn't sign cert_user_key_${ktype}"
|
||||
verbose "$tid: user ${ktype} connect wrong cert"
|
||||
${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
|
||||
somehost true >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh cert connect $ident succeeded unexpectedly"
|
||||
fi
|
||||
done
|
||||
|
||||
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
|
||||
rm -f $OBJ/authorized_principals_$USER
|
||||
|
126
crypto/openssh/regress/cfgmatch.sh
Normal file
126
crypto/openssh/regress/cfgmatch.sh
Normal file
@ -0,0 +1,126 @@
|
||||
# $OpenBSD: cfgmatch.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="sshd_config match"
|
||||
|
||||
pidfile=$OBJ/remote_pid
|
||||
fwdport=3301
|
||||
fwd="-L $fwdport:127.0.0.1:$PORT"
|
||||
|
||||
echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config
|
||||
echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
|
||||
|
||||
start_client()
|
||||
{
|
||||
rm -f $pidfile
|
||||
${SSH} -q -$p $fwd "$@" somehost \
|
||||
exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
|
||||
>>$TEST_REGRESS_LOGFILE 2>&1 &
|
||||
client_pid=$!
|
||||
# Wait for remote end
|
||||
n=0
|
||||
while test ! -f $pidfile ; do
|
||||
sleep 1
|
||||
n=`expr $n + 1`
|
||||
if test $n -gt 60; then
|
||||
kill $client_pid
|
||||
fatal "timeout waiting for background ssh"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
stop_client()
|
||||
{
|
||||
pid=`cat $pidfile`
|
||||
if [ ! -z "$pid" ]; then
|
||||
kill $pid
|
||||
fi
|
||||
wait
|
||||
}
|
||||
|
||||
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
|
||||
echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
|
||||
echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
|
||||
echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
|
||||
|
||||
grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
|
||||
echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
|
||||
echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
|
||||
echo "Match user $USER" >>$OBJ/sshd_proxy
|
||||
echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
|
||||
echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
|
||||
echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
|
||||
|
||||
start_sshd
|
||||
|
||||
#set -x
|
||||
|
||||
# Test Match + PermitOpen in sshd_config. This should be permitted
|
||||
for p in 1 2; do
|
||||
trace "match permitopen localhost proto $p"
|
||||
start_client -F $OBJ/ssh_config
|
||||
${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
|
||||
fail "match permitopen permit proto $p"
|
||||
stop_client
|
||||
done
|
||||
|
||||
# Same but from different source. This should not be permitted
|
||||
for p in 1 2; do
|
||||
trace "match permitopen proxy proto $p"
|
||||
start_client -F $OBJ/ssh_proxy
|
||||
${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
|
||||
fail "match permitopen deny proto $p"
|
||||
stop_client
|
||||
done
|
||||
|
||||
# Retry previous with key option, should also be denied.
|
||||
printf 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
|
||||
cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
|
||||
printf 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
|
||||
cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
|
||||
for p in 1 2; do
|
||||
trace "match permitopen proxy w/key opts proto $p"
|
||||
start_client -F $OBJ/ssh_proxy
|
||||
${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
|
||||
fail "match permitopen deny w/key opt proto $p"
|
||||
stop_client
|
||||
done
|
||||
|
||||
# Test both sshd_config and key options permitting the same dst/port pair.
|
||||
# Should be permitted.
|
||||
for p in 1 2; do
|
||||
trace "match permitopen localhost proto $p"
|
||||
start_client -F $OBJ/ssh_config
|
||||
${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
|
||||
fail "match permitopen permit proto $p"
|
||||
stop_client
|
||||
done
|
||||
|
||||
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
|
||||
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
|
||||
echo "Match User $USER" >>$OBJ/sshd_proxy
|
||||
echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
|
||||
|
||||
# Test that a Match overrides a PermitOpen in the global section
|
||||
for p in 1 2; do
|
||||
trace "match permitopen proxy w/key opts proto $p"
|
||||
start_client -F $OBJ/ssh_proxy
|
||||
${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
|
||||
fail "match override permitopen proto $p"
|
||||
stop_client
|
||||
done
|
||||
|
||||
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
|
||||
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
|
||||
echo "Match User NoSuchUser" >>$OBJ/sshd_proxy
|
||||
echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
|
||||
|
||||
# Test that a rule that doesn't match doesn't override, plus test a
|
||||
# PermitOpen entry that's not at the start of the list
|
||||
for p in 1 2; do
|
||||
trace "nomatch permitopen proxy w/key opts proto $p"
|
||||
start_client -F $OBJ/ssh_proxy
|
||||
${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
|
||||
fail "nomatch override permitopen proto $p"
|
||||
stop_client
|
||||
done
|
58
crypto/openssh/regress/cipher-speed.sh
Normal file
58
crypto/openssh/regress/cipher-speed.sh
Normal file
@ -0,0 +1,58 @@
|
||||
# $OpenBSD: cipher-speed.sh,v 1.9 2013/05/17 04:29:14 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="cipher speed"
|
||||
|
||||
getbytes ()
|
||||
{
|
||||
sed -n -e '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p' \
|
||||
-e '/copied/s/.*s, \(.* MB.s\).*/\1/p'
|
||||
}
|
||||
|
||||
tries="1 2"
|
||||
|
||||
ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
|
||||
arcfour128 arcfour256 arcfour
|
||||
aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
|
||||
aes128-ctr aes192-ctr aes256-ctr"
|
||||
config_defined OPENSSL_HAVE_EVPGCM && \
|
||||
ciphers="$ciphers aes128-gcm@openssh.com aes256-gcm@openssh.com"
|
||||
macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
|
||||
hmac-sha1-96 hmac-md5-96"
|
||||
config_defined HAVE_EVP_SHA256 && \
|
||||
macs="$macs hmac-sha2-256 hmac-sha2-512"
|
||||
|
||||
for c in $ciphers; do n=0; for m in $macs; do
|
||||
trace "proto 2 cipher $c mac $m"
|
||||
for x in $tries; do
|
||||
printf "%-60s" "$c/$m:"
|
||||
( ${SSH} -o 'compression no' \
|
||||
-F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
|
||||
exec sh -c \'"dd of=/dev/null obs=32k"\' \
|
||||
< ${DATA} ) 2>&1 | getbytes
|
||||
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh -2 failed with mac $m cipher $c"
|
||||
fi
|
||||
done
|
||||
# No point trying all MACs for GCM since they are ignored.
|
||||
case $c in
|
||||
aes*-gcm@openssh.com) test $n -gt 0 && break;;
|
||||
esac
|
||||
n=`expr $n + 1`
|
||||
done; done
|
||||
|
||||
ciphers="3des blowfish"
|
||||
for c in $ciphers; do
|
||||
trace "proto 1 cipher $c"
|
||||
for x in $tries; do
|
||||
printf "%-60s" "$c:"
|
||||
( ${SSH} -o 'compression no' \
|
||||
-F $OBJ/ssh_proxy -1 -c $c somehost \
|
||||
exec sh -c \'"dd of=/dev/null obs=32k"\' \
|
||||
< ${DATA} ) 2>&1 | getbytes
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh -1 failed with cipher $c"
|
||||
fi
|
||||
done
|
||||
done
|
28
crypto/openssh/regress/conch-ciphers.sh
Executable file
28
crypto/openssh/regress/conch-ciphers.sh
Executable file
@ -0,0 +1,28 @@
|
||||
# $OpenBSD: conch-ciphers.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="conch ciphers"
|
||||
|
||||
if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
|
||||
echo "conch interop tests not enabled"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
start_sshd
|
||||
|
||||
for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
|
||||
cast128-cbc blowfish 3des-cbc ; do
|
||||
verbose "$tid: cipher $c"
|
||||
rm -f ${COPY}
|
||||
# XXX the 2nd "cat" seems to be needed because of buggy FD handling
|
||||
# in conch
|
||||
${CONCH} --identity $OBJ/rsa --port $PORT --user $USER -e none \
|
||||
--known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \
|
||||
127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh cat $DATA failed"
|
||||
fi
|
||||
cmp ${DATA} ${COPY} || fail "corrupted copy"
|
||||
done
|
||||
rm -f ${COPY}
|
||||
|
36
crypto/openssh/regress/connect-privsep.sh
Normal file
36
crypto/openssh/regress/connect-privsep.sh
Normal file
@ -0,0 +1,36 @@
|
||||
# $OpenBSD: connect-privsep.sh,v 1.4 2012/07/02 14:37:06 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="proxy connect with privsep"
|
||||
|
||||
cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
|
||||
echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy
|
||||
|
||||
for p in 1 2; do
|
||||
${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh privsep+proxyconnect protocol $p failed"
|
||||
fi
|
||||
done
|
||||
|
||||
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
|
||||
echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy
|
||||
|
||||
for p in 1 2; do
|
||||
${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
|
||||
if [ $? -ne 0 ]; then
|
||||
# XXX replace this with fail once sandbox has stabilised
|
||||
warn "ssh privsep/sandbox+proxyconnect protocol $p failed"
|
||||
fi
|
||||
done
|
||||
|
||||
# Because sandbox is sensitive to changes in libc, especially malloc, retest
|
||||
# with every malloc.conf option (and none).
|
||||
for m in '' A F G H J P R S X Z '<' '>'; do
|
||||
for p in 1 2; do
|
||||
env MALLOC_OPTIONS="$m" ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh privsep/sandbox+proxyconnect protocol $p mopt '$m' failed"
|
||||
fi
|
||||
done
|
||||
done
|
13
crypto/openssh/regress/connect.sh
Normal file
13
crypto/openssh/regress/connect.sh
Normal file
@ -0,0 +1,13 @@
|
||||
# $OpenBSD: connect.sh,v 1.4 2002/03/15 13:08:56 markus Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="simple connect"
|
||||
|
||||
start_sshd
|
||||
|
||||
for p in 1 2; do
|
||||
${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh connect with protocol $p failed"
|
||||
fi
|
||||
done
|
14
crypto/openssh/regress/dsa_ssh2.prv
Normal file
14
crypto/openssh/regress/dsa_ssh2.prv
Normal file
@ -0,0 +1,14 @@
|
||||
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
|
||||
Subject: ssh-keygen test
|
||||
Comment: "1024-bit dsa, Tue Jan 08 2002 22:00:23 +0100"
|
||||
P2/56wAAAgIAAAAmZGwtbW9kcHtzaWdue2RzYS1uaXN0LXNoYTF9LGRoe3BsYWlufX0AAA
|
||||
AEbm9uZQAAAcQAAAHAAAAAAAAABACwUfm3AxZTut3icBmwCcD48nY64HzuELlQ+vEqjIcR
|
||||
Lo49es/DQTeLNQ+kdKRCfouosGNv0WqxRtF0tUsWdXxS37oHGa4QPugBdHRd7YlZGZv8kg
|
||||
x7FsoepY7v7E683/97dv2zxL3AGagTEzWr7fl0yPexAaZoDvtQrrjX44BLmwAABACWQkvv
|
||||
MxnD8eFkS1konFfMJ1CkuRfTN34CBZ6dY7VTSGemy4QwtFdMKmoufD0eKgy3p5WOeWCYKt
|
||||
F4FhjHKZk/aaxFjjIbtkrnlvXg64QI11dSZyBN6/ViQkHPSkUDF+A6AAEhrNbQbAFSvao1
|
||||
kTvNtPCtL0AkUIduEMzGQfLCTAAAAKDeC043YVo9Zo0zAEeIA4uZh4LBCQAAA/9aj7Y5ik
|
||||
ehygJ4qTDSlVypsPuV+n59tMS0e2pfrSG87yf5r94AKBmJeho5OO6wYaXCxsVB7AFbSUD6
|
||||
75AK8mHF4v1/+7SWKk5f8xlMCMSPZ9K0+j/W1d/q2qkhnnDZolOHDomLA+U00i5ya/jnTV
|
||||
zyDPWLFpWK8u3xGBPAYX324gAAAKDHFvooRnaXdZbeWGTTqmgHB1GU9A==
|
||||
---- END SSH2 ENCRYPTED PRIVATE KEY ----
|
13
crypto/openssh/regress/dsa_ssh2.pub
Normal file
13
crypto/openssh/regress/dsa_ssh2.pub
Normal file
@ -0,0 +1,13 @@
|
||||
---- BEGIN SSH2 PUBLIC KEY ----
|
||||
Subject: ssh-keygen test
|
||||
Comment: "1024-bit dsa, Tue Jan 08 2002 22:00:23 +0100"
|
||||
AAAAB3NzaC1kc3MAAACBALBR+bcDFlO63eJwGbAJwPjydjrgfO4QuVD68SqMhxEujj16z8
|
||||
NBN4s1D6R0pEJ+i6iwY2/RarFG0XS1SxZ1fFLfugcZrhA+6AF0dF3tiVkZm/ySDHsWyh6l
|
||||
ju/sTrzf/3t2/bPEvcAZqBMTNavt+XTI97EBpmgO+1CuuNfjgEubAAAAFQDeC043YVo9Zo
|
||||
0zAEeIA4uZh4LBCQAAAIEAlkJL7zMZw/HhZEtZKJxXzCdQpLkX0zd+AgWenWO1U0hnpsuE
|
||||
MLRXTCpqLnw9HioMt6eVjnlgmCrReBYYxymZP2msRY4yG7ZK55b14OuECNdXUmcgTev1Yk
|
||||
JBz0pFAxfgOgABIazW0GwBUr2qNZE7zbTwrS9AJFCHbhDMxkHywkwAAACAWo+2OYpHocoC
|
||||
eKkw0pVcqbD7lfp+fbTEtHtqX60hvO8n+a/eACgZiXoaOTjusGGlwsbFQewBW0lA+u+QCv
|
||||
JhxeL9f/u0lipOX/MZTAjEj2fStPo/1tXf6tqpIZ5w2aJThw6JiwPlNNIucmv4501c8gz1
|
||||
ixaVivLt8RgTwGF99uI=
|
||||
---- END SSH2 PUBLIC KEY ----
|
59
crypto/openssh/regress/dynamic-forward.sh
Normal file
59
crypto/openssh/regress/dynamic-forward.sh
Normal file
@ -0,0 +1,59 @@
|
||||
# $OpenBSD: dynamic-forward.sh,v 1.10 2013/05/17 04:29:14 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="dynamic forwarding"
|
||||
|
||||
FWDPORT=`expr $PORT + 1`
|
||||
|
||||
if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then
|
||||
proxycmd="nc -x 127.0.0.1:$FWDPORT -X"
|
||||
elif have_prog connect; then
|
||||
proxycmd="connect -S 127.0.0.1:$FWDPORT -"
|
||||
else
|
||||
echo "skipped (no suitable ProxyCommand found)"
|
||||
exit 0
|
||||
fi
|
||||
trace "will use ProxyCommand $proxycmd"
|
||||
|
||||
start_sshd
|
||||
|
||||
for p in 1 2; do
|
||||
n=0
|
||||
error="1"
|
||||
trace "start dynamic forwarding, fork to background"
|
||||
while [ "$error" -ne 0 -a "$n" -lt 3 ]; do
|
||||
n=`expr $n + 1`
|
||||
${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q \
|
||||
-oExitOnForwardFailure=yes somehost exec sh -c \
|
||||
\'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
|
||||
error=$?
|
||||
if [ "$error" -ne 0 ]; then
|
||||
trace "forward failed proto $p attempt $n err $error"
|
||||
sleep $n
|
||||
fi
|
||||
done
|
||||
if [ "$error" -ne 0 ]; then
|
||||
fatal "failed to start dynamic forwarding proto $p"
|
||||
fi
|
||||
|
||||
for s in 4 5; do
|
||||
for h in 127.0.0.1 localhost; do
|
||||
trace "testing ssh protocol $p socks version $s host $h"
|
||||
${SSH} -F $OBJ/ssh_config \
|
||||
-o "ProxyCommand ${proxycmd}${s} $h $PORT" \
|
||||
somehost cat $DATA > $OBJ/ls.copy
|
||||
test -f $OBJ/ls.copy || fail "failed copy $DATA"
|
||||
cmp $DATA $OBJ/ls.copy || fail "corrupted copy of $DATA"
|
||||
done
|
||||
done
|
||||
|
||||
if [ -f $OBJ/remote_pid ]; then
|
||||
remote=`cat $OBJ/remote_pid`
|
||||
trace "terminate remote shell, pid $remote"
|
||||
if [ $remote -gt 1 ]; then
|
||||
kill -HUP $remote
|
||||
fi
|
||||
else
|
||||
fail "no pid file: $OBJ/remote_pid"
|
||||
fi
|
||||
done
|
60
crypto/openssh/regress/envpass.sh
Normal file
60
crypto/openssh/regress/envpass.sh
Normal file
@ -0,0 +1,60 @@
|
||||
# $OpenBSD: envpass.sh,v 1.4 2005/03/04 08:48:46 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="environment passing"
|
||||
|
||||
# NB accepted env vars are in test-exec.sh (_XXX_TEST_* and _XXX_TEST)
|
||||
|
||||
# Prepare a custom config to test for a configuration parsing bug fixed in 4.0
|
||||
cat << EOF > $OBJ/ssh_proxy_envpass
|
||||
Host test-sendenv-confparse-bug
|
||||
SendEnv *
|
||||
EOF
|
||||
cat $OBJ/ssh_proxy >> $OBJ/ssh_proxy_envpass
|
||||
|
||||
trace "pass env, don't accept"
|
||||
verbose "test $tid: pass env, don't accept"
|
||||
_TEST_ENV=blah ${SSH} -oSendEnv="*" -F $OBJ/ssh_proxy_envpass otherhost \
|
||||
sh << 'EOF'
|
||||
test -z "$_TEST_ENV"
|
||||
EOF
|
||||
r=$?
|
||||
if [ $r -ne 0 ]; then
|
||||
fail "environment found"
|
||||
fi
|
||||
|
||||
trace "don't pass env, accept"
|
||||
verbose "test $tid: don't pass env, accept"
|
||||
_XXX_TEST_A=1 _XXX_TEST_B=2 ${SSH} -F $OBJ/ssh_proxy_envpass otherhost \
|
||||
sh << 'EOF'
|
||||
test -z "$_XXX_TEST_A" && test -z "$_XXX_TEST_B"
|
||||
EOF
|
||||
r=$?
|
||||
if [ $r -ne 0 ]; then
|
||||
fail "environment found"
|
||||
fi
|
||||
|
||||
trace "pass single env, accept single env"
|
||||
verbose "test $tid: pass single env, accept single env"
|
||||
_XXX_TEST=blah ${SSH} -oSendEnv="_XXX_TEST" -F $OBJ/ssh_proxy_envpass \
|
||||
otherhost sh << 'EOF'
|
||||
test X"$_XXX_TEST" = X"blah"
|
||||
EOF
|
||||
r=$?
|
||||
if [ $r -ne 0 ]; then
|
||||
fail "environment not found"
|
||||
fi
|
||||
|
||||
trace "pass multiple env, accept multiple env"
|
||||
verbose "test $tid: pass multiple env, accept multiple env"
|
||||
_XXX_TEST_A=1 _XXX_TEST_B=2 ${SSH} -oSendEnv="_XXX_TEST_*" \
|
||||
-F $OBJ/ssh_proxy_envpass otherhost \
|
||||
sh << 'EOF'
|
||||
test X"$_XXX_TEST_A" = X"1" -a X"$_XXX_TEST_B" = X"2"
|
||||
EOF
|
||||
r=$?
|
||||
if [ $r -ne 0 ]; then
|
||||
fail "environment not found"
|
||||
fi
|
||||
|
||||
rm -f $OBJ/ssh_proxy_envpass
|
24
crypto/openssh/regress/exit-status.sh
Normal file
24
crypto/openssh/regress/exit-status.sh
Normal file
@ -0,0 +1,24 @@
|
||||
# $OpenBSD: exit-status.sh,v 1.6 2002/03/15 13:08:56 markus Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="remote exit status"
|
||||
|
||||
for p in 1 2; do
|
||||
for s in 0 1 4 5 44; do
|
||||
trace "proto $p status $s"
|
||||
verbose "test $tid: proto $p status $s"
|
||||
${SSH} -$p -F $OBJ/ssh_proxy otherhost exit $s
|
||||
r=$?
|
||||
if [ $r -ne $s ]; then
|
||||
fail "exit code mismatch for protocol $p: $r != $s"
|
||||
fi
|
||||
|
||||
# same with early close of stdout/err
|
||||
${SSH} -$p -F $OBJ/ssh_proxy -n otherhost \
|
||||
exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
|
||||
r=$?
|
||||
if [ $r -ne $s ]; then
|
||||
fail "exit code (with sleep) mismatch for protocol $p: $r != $s"
|
||||
fi
|
||||
done
|
||||
done
|
42
crypto/openssh/regress/forcecommand.sh
Normal file
42
crypto/openssh/regress/forcecommand.sh
Normal file
@ -0,0 +1,42 @@
|
||||
# $OpenBSD: forcecommand.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="forced command"
|
||||
|
||||
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
|
||||
|
||||
printf 'command="true" ' >$OBJ/authorized_keys_$USER
|
||||
cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
|
||||
printf 'command="true" ' >>$OBJ/authorized_keys_$USER
|
||||
cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
|
||||
|
||||
for p in 1 2; do
|
||||
trace "forced command in key option proto $p"
|
||||
${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
|
||||
fail "forced command in key proto $p"
|
||||
done
|
||||
|
||||
printf 'command="false" ' >$OBJ/authorized_keys_$USER
|
||||
cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
|
||||
printf 'command="false" ' >>$OBJ/authorized_keys_$USER
|
||||
cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
|
||||
|
||||
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
|
||||
echo "ForceCommand true" >> $OBJ/sshd_proxy
|
||||
|
||||
for p in 1 2; do
|
||||
trace "forced command in sshd_config overrides key option proto $p"
|
||||
${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
|
||||
fail "forced command in key proto $p"
|
||||
done
|
||||
|
||||
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
|
||||
echo "ForceCommand false" >> $OBJ/sshd_proxy
|
||||
echo "Match User $USER" >> $OBJ/sshd_proxy
|
||||
echo " ForceCommand true" >> $OBJ/sshd_proxy
|
||||
|
||||
for p in 1 2; do
|
||||
trace "forced command with match proto $p"
|
||||
${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
|
||||
fail "forced command in key proto $p"
|
||||
done
|
168
crypto/openssh/regress/forward-control.sh
Executable file
168
crypto/openssh/regress/forward-control.sh
Executable file
@ -0,0 +1,168 @@
|
||||
# $OpenBSD: forward-control.sh,v 1.1 2012/12/02 20:47:48 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="sshd control of local and remote forwarding"
|
||||
|
||||
LFWD_PORT=3320
|
||||
RFWD_PORT=3321
|
||||
CTL=$OBJ/ctl-sock
|
||||
READY=$OBJ/ready
|
||||
|
||||
wait_for_file_to_appear() {
|
||||
_path=$1
|
||||
_n=0
|
||||
while test ! -f $_path ; do
|
||||
test $_n -eq 1 && trace "waiting for $_path to appear"
|
||||
_n=`expr $_n + 1`
|
||||
test $_n -ge 20 && return 1
|
||||
sleep 1
|
||||
done
|
||||
return 0
|
||||
}
|
||||
|
||||
wait_for_process_to_exit() {
|
||||
_pid=$1
|
||||
_n=0
|
||||
while kill -0 $_pid 2>/dev/null ; do
|
||||
test $_n -eq 1 && trace "waiting for $_pid to exit"
|
||||
_n=`expr $_n + 1`
|
||||
test $_n -ge 20 && return 1
|
||||
sleep 1
|
||||
done
|
||||
return 0
|
||||
}
|
||||
|
||||
# usage: check_lfwd protocol Y|N message
|
||||
check_lfwd() {
|
||||
_proto=$1
|
||||
_expected=$2
|
||||
_message=$3
|
||||
rm -f $READY
|
||||
${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
|
||||
-L$LFWD_PORT:127.0.0.1:$PORT \
|
||||
-o ExitOnForwardFailure=yes \
|
||||
-n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
|
||||
>/dev/null 2>&1 &
|
||||
_sshpid=$!
|
||||
wait_for_file_to_appear $READY || \
|
||||
fatal "check_lfwd ssh fail: $_message"
|
||||
${SSH} -F $OBJ/ssh_config -p $LFWD_PORT \
|
||||
-oConnectionAttempts=4 host true >/dev/null 2>&1
|
||||
_result=$?
|
||||
kill $_sshpid `cat $READY` 2>/dev/null
|
||||
wait_for_process_to_exit $_sshpid
|
||||
if test "x$_expected" = "xY" -a $_result -ne 0 ; then
|
||||
fail "check_lfwd failed (expecting success): $_message"
|
||||
elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
|
||||
fail "check_lfwd succeeded (expecting failure): $_message"
|
||||
elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
|
||||
fatal "check_lfwd invalid argument \"$_expected\""
|
||||
else
|
||||
verbose "check_lfwd done (expecting $_expected): $_message"
|
||||
fi
|
||||
}
|
||||
|
||||
# usage: check_rfwd protocol Y|N message
|
||||
check_rfwd() {
|
||||
_proto=$1
|
||||
_expected=$2
|
||||
_message=$3
|
||||
rm -f $READY
|
||||
${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
|
||||
-R$RFWD_PORT:127.0.0.1:$PORT \
|
||||
-o ExitOnForwardFailure=yes \
|
||||
-n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
|
||||
>/dev/null 2>&1 &
|
||||
_sshpid=$!
|
||||
wait_for_file_to_appear $READY
|
||||
_result=$?
|
||||
if test $_result -eq 0 ; then
|
||||
${SSH} -F $OBJ/ssh_config -p $RFWD_PORT \
|
||||
-oConnectionAttempts=4 host true >/dev/null 2>&1
|
||||
_result=$?
|
||||
kill $_sshpid `cat $READY` 2>/dev/null
|
||||
wait_for_process_to_exit $_sshpid
|
||||
fi
|
||||
if test "x$_expected" = "xY" -a $_result -ne 0 ; then
|
||||
fail "check_rfwd failed (expecting success): $_message"
|
||||
elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
|
||||
fail "check_rfwd succeeded (expecting failure): $_message"
|
||||
elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
|
||||
fatal "check_rfwd invalid argument \"$_expected\""
|
||||
else
|
||||
verbose "check_rfwd done (expecting $_expected): $_message"
|
||||
fi
|
||||
}
|
||||
|
||||
start_sshd
|
||||
cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak
|
||||
cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
|
||||
|
||||
# Sanity check: ensure the default config allows forwarding
|
||||
for p in 1 2 ; do
|
||||
check_lfwd $p Y "proto $p, default configuration"
|
||||
check_rfwd $p Y "proto $p, default configuration"
|
||||
done
|
||||
|
||||
# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
|
||||
all_tests() {
|
||||
_tcpfwd=$1
|
||||
_plain_lfwd=$2
|
||||
_plain_rfwd=$3
|
||||
_nopermit_lfwd=$4
|
||||
_nopermit_rfwd=$5
|
||||
_permit_lfwd=$6
|
||||
_permit_rfwd=$7
|
||||
_badfwd=127.0.0.1:22
|
||||
_goodfwd=127.0.0.1:${PORT}
|
||||
for _proto in 1 2 ; do
|
||||
cp ${OBJ}/authorized_keys_${USER}.bak \
|
||||
${OBJ}/authorized_keys_${USER}
|
||||
_prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd"
|
||||
# No PermitOpen
|
||||
( cat ${OBJ}/sshd_proxy.bak ;
|
||||
echo "AllowTcpForwarding $_tcpfwd" ) \
|
||||
> ${OBJ}/sshd_proxy
|
||||
check_lfwd $_proto $_plain_lfwd "$_prefix"
|
||||
check_rfwd $_proto $_plain_rfwd "$_prefix"
|
||||
# PermitOpen via sshd_config that doesn't match
|
||||
( cat ${OBJ}/sshd_proxy.bak ;
|
||||
echo "AllowTcpForwarding $_tcpfwd" ;
|
||||
echo "PermitOpen $_badfwd" ) \
|
||||
> ${OBJ}/sshd_proxy
|
||||
check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen"
|
||||
check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen"
|
||||
# PermitOpen via sshd_config that does match
|
||||
( cat ${OBJ}/sshd_proxy.bak ;
|
||||
echo "AllowTcpForwarding $_tcpfwd" ;
|
||||
echo "PermitOpen $_badfwd $_goodfwd" ) \
|
||||
> ${OBJ}/sshd_proxy
|
||||
# NB. permitopen via authorized_keys should have same
|
||||
# success/fail as via sshd_config
|
||||
# permitopen via authorized_keys that doesn't match
|
||||
sed "s/^/permitopen=\"$_badfwd\" /" \
|
||||
< ${OBJ}/authorized_keys_${USER}.bak \
|
||||
> ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
|
||||
( cat ${OBJ}/sshd_proxy.bak ;
|
||||
echo "AllowTcpForwarding $_tcpfwd" ) \
|
||||
> ${OBJ}/sshd_proxy
|
||||
check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen"
|
||||
check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen"
|
||||
# permitopen via authorized_keys that does match
|
||||
sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
|
||||
< ${OBJ}/authorized_keys_${USER}.bak \
|
||||
> ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
|
||||
( cat ${OBJ}/sshd_proxy.bak ;
|
||||
echo "AllowTcpForwarding $_tcpfwd" ) \
|
||||
> ${OBJ}/sshd_proxy
|
||||
check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen"
|
||||
check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen"
|
||||
done
|
||||
}
|
||||
|
||||
# no-permitopen mismatch-permitopen match-permitopen
|
||||
# AllowTcpForwarding local remote local remote local remote
|
||||
all_tests yes Y Y N Y Y Y
|
||||
all_tests local Y N N N Y N
|
||||
all_tests remote N Y N Y N Y
|
||||
all_tests no N N N N N N
|
121
crypto/openssh/regress/forwarding.sh
Normal file
121
crypto/openssh/regress/forwarding.sh
Normal file
@ -0,0 +1,121 @@
|
||||
# $OpenBSD: forwarding.sh,v 1.11 2013/06/10 21:56:43 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="local and remote forwarding"
|
||||
|
||||
DATA=/bin/ls${EXEEXT}
|
||||
|
||||
start_sshd
|
||||
|
||||
base=33
|
||||
last=$PORT
|
||||
fwd=""
|
||||
for j in 0 1 2; do
|
||||
for i in 0 1 2; do
|
||||
a=$base$j$i
|
||||
b=`expr $a + 50`
|
||||
c=$last
|
||||
# fwd chain: $a -> $b -> $c
|
||||
fwd="$fwd -L$a:127.0.0.1:$b -R$b:127.0.0.1:$c"
|
||||
last=$a
|
||||
done
|
||||
done
|
||||
for p in 1 2; do
|
||||
q=`expr 3 - $p`
|
||||
trace "start forwarding, fork to background"
|
||||
${SSH} -$p -F $OBJ/ssh_config -f $fwd somehost sleep 10
|
||||
|
||||
trace "transfer over forwarded channels and check result"
|
||||
${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
|
||||
somehost cat ${DATA} > ${COPY}
|
||||
test -f ${COPY} || fail "failed copy of ${DATA}"
|
||||
cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
|
||||
|
||||
sleep 10
|
||||
done
|
||||
|
||||
for p in 1 2; do
|
||||
for d in L R; do
|
||||
trace "exit on -$d forward failure, proto $p"
|
||||
|
||||
# this one should succeed
|
||||
${SSH} -$p -F $OBJ/ssh_config \
|
||||
-$d ${base}01:127.0.0.1:$PORT \
|
||||
-$d ${base}02:127.0.0.1:$PORT \
|
||||
-$d ${base}03:127.0.0.1:$PORT \
|
||||
-$d ${base}04:127.0.0.1:$PORT \
|
||||
-oExitOnForwardFailure=yes somehost true
|
||||
if [ $? != 0 ]; then
|
||||
fail "connection failed, should not"
|
||||
else
|
||||
# this one should fail
|
||||
${SSH} -q -$p -F $OBJ/ssh_config \
|
||||
-$d ${base}01:127.0.0.1:$PORT \
|
||||
-$d ${base}02:127.0.0.1:$PORT \
|
||||
-$d ${base}03:127.0.0.1:$PORT \
|
||||
-$d ${base}01:127.0.0.1:$PORT \
|
||||
-$d ${base}04:127.0.0.1:$PORT \
|
||||
-oExitOnForwardFailure=yes somehost true
|
||||
r=$?
|
||||
if [ $r != 255 ]; then
|
||||
fail "connection not termintated, but should ($r)"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
for p in 1 2; do
|
||||
trace "simple clear forwarding proto $p"
|
||||
${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
|
||||
|
||||
trace "clear local forward proto $p"
|
||||
${SSH} -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
|
||||
-oClearAllForwardings=yes somehost sleep 10
|
||||
if [ $? != 0 ]; then
|
||||
fail "connection failed with cleared local forwarding"
|
||||
else
|
||||
# this one should fail
|
||||
${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
|
||||
>>$TEST_REGRESS_LOGFILE 2>&1 && \
|
||||
fail "local forwarding not cleared"
|
||||
fi
|
||||
sleep 10
|
||||
|
||||
trace "clear remote forward proto $p"
|
||||
${SSH} -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
|
||||
-oClearAllForwardings=yes somehost sleep 10
|
||||
if [ $? != 0 ]; then
|
||||
fail "connection failed with cleared remote forwarding"
|
||||
else
|
||||
# this one should fail
|
||||
${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
|
||||
>>$TEST_REGRESS_LOGFILE 2>&1 && \
|
||||
fail "remote forwarding not cleared"
|
||||
fi
|
||||
sleep 10
|
||||
done
|
||||
|
||||
for p in 2; do
|
||||
trace "stdio forwarding proto $p"
|
||||
cmd="${SSH} -$p -F $OBJ/ssh_config"
|
||||
$cmd -o "ProxyCommand $cmd -q -W localhost:$PORT somehost" \
|
||||
somehost true
|
||||
if [ $? != 0 ]; then
|
||||
fail "stdio forwarding proto $p"
|
||||
fi
|
||||
done
|
||||
|
||||
echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config
|
||||
echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config
|
||||
for p in 1 2; do
|
||||
trace "config file: start forwarding, fork to background"
|
||||
${SSH} -$p -F $OBJ/ssh_config -f somehost sleep 10
|
||||
|
||||
trace "config file: transfer over forwarded channels and check result"
|
||||
${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \
|
||||
somehost cat ${DATA} > ${COPY}
|
||||
test -f ${COPY} || fail "failed copy of ${DATA}"
|
||||
cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
|
||||
|
||||
wait
|
||||
done
|
18
crypto/openssh/regress/host-expand.sh
Executable file
18
crypto/openssh/regress/host-expand.sh
Executable file
@ -0,0 +1,18 @@
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="expand %h and %n"
|
||||
|
||||
echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy
|
||||
printf 'LocalCommand printf "%%%%s\\n" "%%n" "%%h"\n' >> $OBJ/ssh_proxy
|
||||
|
||||
cat >$OBJ/expect <<EOE
|
||||
somehost
|
||||
127.0.0.1
|
||||
EOE
|
||||
|
||||
for p in 1 2; do
|
||||
verbose "test $tid: proto $p"
|
||||
${SSH} -F $OBJ/ssh_proxy -$p somehost true >$OBJ/actual
|
||||
diff $OBJ/expect $OBJ/actual || fail "$tid proto $p"
|
||||
done
|
||||
|
76
crypto/openssh/regress/integrity.sh
Executable file
76
crypto/openssh/regress/integrity.sh
Executable file
@ -0,0 +1,76 @@
|
||||
# $OpenBSD: integrity.sh,v 1.10 2013/05/17 01:32:11 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="integrity"
|
||||
|
||||
# start at byte 2900 (i.e. after kex) and corrupt at different offsets
|
||||
# XXX the test hangs if we modify the low bytes of the packet length
|
||||
# XXX and ssh tries to read...
|
||||
tries=10
|
||||
startoffset=2900
|
||||
macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
|
||||
hmac-sha1-96 hmac-md5-96
|
||||
hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com
|
||||
umac-64-etm@openssh.com umac-128-etm@openssh.com
|
||||
hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com"
|
||||
config_defined HAVE_EVP_SHA256 &&
|
||||
macs="$macs hmac-sha2-256 hmac-sha2-512
|
||||
hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
|
||||
# The following are not MACs, but ciphers with integrated integrity. They are
|
||||
# handled specially below.
|
||||
config_defined OPENSSL_HAVE_EVPGCM && \
|
||||
macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com"
|
||||
|
||||
# avoid DH group exchange as the extra traffic makes it harder to get the
|
||||
# offset into the stream right.
|
||||
echo "KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" \
|
||||
>> $OBJ/ssh_proxy
|
||||
|
||||
# sshd-command for proxy (see test-exec.sh)
|
||||
cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy"
|
||||
|
||||
for m in $macs; do
|
||||
trace "test $tid: mac $m"
|
||||
elen=0
|
||||
epad=0
|
||||
emac=0
|
||||
ecnt=0
|
||||
skip=0
|
||||
for off in `jot $tries $startoffset`; do
|
||||
skip=`expr $skip - 1`
|
||||
if [ $skip -gt 0 ]; then
|
||||
# avoid modifying the high bytes of the length
|
||||
continue
|
||||
fi
|
||||
# modify output from sshd at offset $off
|
||||
pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1"
|
||||
case $m in
|
||||
aes*gcm*) macopt="-c $m";;
|
||||
*) macopt="-m $m";;
|
||||
esac
|
||||
verbose "test $tid: $m @$off"
|
||||
${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \
|
||||
999.999.999.999 'printf "%4096s" " "' >/dev/null
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh -m $m succeeds with bit-flip at $off"
|
||||
fi
|
||||
ecnt=`expr $ecnt + 1`
|
||||
output=$(tail -2 $TEST_SSH_LOGFILE | egrep -v "^debug" | \
|
||||
tr -s '\r\n' '.')
|
||||
case "$output" in
|
||||
Bad?packet*) elen=`expr $elen + 1`; skip=3;;
|
||||
Corrupted?MAC* | Decryption?integrity?check?failed*)
|
||||
emac=`expr $emac + 1`; skip=0;;
|
||||
padding*) epad=`expr $epad + 1`; skip=0;;
|
||||
*) fail "unexpected error mac $m at $off";;
|
||||
esac
|
||||
done
|
||||
verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen"
|
||||
if [ $emac -eq 0 ]; then
|
||||
fail "$m: no mac errors"
|
||||
fi
|
||||
expect=`expr $ecnt - $epad - $elen`
|
||||
if [ $emac -ne $expect ]; then
|
||||
fail "$m: expected $expect mac errors, got $emac"
|
||||
fi
|
||||
done
|
30
crypto/openssh/regress/kextype.sh
Executable file
30
crypto/openssh/regress/kextype.sh
Executable file
@ -0,0 +1,30 @@
|
||||
# $OpenBSD: kextype.sh,v 1.1 2010/09/22 12:26:05 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="login with different key exchange algorithms"
|
||||
|
||||
TIME=/usr/bin/time
|
||||
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
|
||||
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
|
||||
|
||||
if test "$TEST_SSH_ECC" = "yes"; then
|
||||
kextypes="ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521"
|
||||
fi
|
||||
if test "$TEST_SSH_SHA256" = "yes"; then
|
||||
kextypes="$kextypes diffie-hellman-group-exchange-sha256"
|
||||
fi
|
||||
kextypes="$kextypes diffie-hellman-group-exchange-sha1"
|
||||
kextypes="$kextypes diffie-hellman-group14-sha1"
|
||||
kextypes="$kextypes diffie-hellman-group1-sha1"
|
||||
|
||||
tries="1 2 3 4"
|
||||
for k in $kextypes; do
|
||||
verbose "kex $k"
|
||||
for i in $tries; do
|
||||
${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh kex $k"
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
71
crypto/openssh/regress/key-options.sh
Executable file
71
crypto/openssh/regress/key-options.sh
Executable file
@ -0,0 +1,71 @@
|
||||
# $OpenBSD: key-options.sh,v 1.2 2008/06/30 08:07:34 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="key options"
|
||||
|
||||
origkeys="$OBJ/authkeys_orig"
|
||||
authkeys="$OBJ/authorized_keys_${USER}"
|
||||
cp $authkeys $origkeys
|
||||
|
||||
# Test command= forced command
|
||||
for p in 1 2; do
|
||||
for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
|
||||
sed "s/.*/$c &/" $origkeys >$authkeys
|
||||
verbose "key option proto $p $c"
|
||||
r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost echo foo`
|
||||
if [ "$r" = "foo" ]; then
|
||||
fail "key option forced command not restricted"
|
||||
fi
|
||||
if [ "$r" != "bar" ]; then
|
||||
fail "key option forced command not executed"
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
# Test no-pty
|
||||
sed 's/.*/no-pty &/' $origkeys >$authkeys
|
||||
for p in 1 2; do
|
||||
verbose "key option proto $p no-pty"
|
||||
r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost tty`
|
||||
if [ -f "$r" ]; then
|
||||
fail "key option failed proto $p no-pty (pty $r)"
|
||||
fi
|
||||
done
|
||||
|
||||
# Test environment=
|
||||
echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy
|
||||
sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys
|
||||
for p in 1 2; do
|
||||
verbose "key option proto $p environment"
|
||||
r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo $FOO'`
|
||||
if [ "$r" != "bar" ]; then
|
||||
fail "key option environment not set"
|
||||
fi
|
||||
done
|
||||
|
||||
# Test from= restriction
|
||||
start_sshd
|
||||
for p in 1 2; do
|
||||
for f in 127.0.0.1 '127.0.0.0\/8'; do
|
||||
cat $origkeys >$authkeys
|
||||
${SSH} -$p -q -F $OBJ/ssh_proxy somehost true
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "key option proto $p failed without restriction"
|
||||
fi
|
||||
|
||||
sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
|
||||
from=`head -1 $authkeys | cut -f1 -d ' '`
|
||||
verbose "key option proto $p $from"
|
||||
r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'`
|
||||
if [ "$r" = "true" ]; then
|
||||
fail "key option proto $p $from not restricted"
|
||||
fi
|
||||
|
||||
r=`${SSH} -$p -q -F $OBJ/ssh_config somehost 'echo true'`
|
||||
if [ "$r" != "true" ]; then
|
||||
fail "key option proto $p $from not allowed but should be"
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
rm -f "$origkeys"
|
23
crypto/openssh/regress/keygen-change.sh
Normal file
23
crypto/openssh/regress/keygen-change.sh
Normal file
@ -0,0 +1,23 @@
|
||||
# $OpenBSD: keygen-change.sh,v 1.2 2002/07/16 09:15:55 markus Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="change passphrase for key"
|
||||
|
||||
S1="secret1"
|
||||
S2="2secret"
|
||||
|
||||
for t in rsa dsa rsa1; do
|
||||
# generate user key for agent
|
||||
trace "generating $t key"
|
||||
rm -f $OBJ/$t-key
|
||||
${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key
|
||||
if [ $? -eq 0 ]; then
|
||||
${SSHKEYGEN} -p -P ${S1} -N ${S2} -f $OBJ/$t-key > /dev/null
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh-keygen -p failed for $t-key"
|
||||
fi
|
||||
else
|
||||
fail "ssh-keygen for $t-key failed"
|
||||
fi
|
||||
rm -f $OBJ/$t-key $OBJ/$t-key.pub
|
||||
done
|
33
crypto/openssh/regress/keygen-convert.sh
Executable file
33
crypto/openssh/regress/keygen-convert.sh
Executable file
@ -0,0 +1,33 @@
|
||||
# $OpenBSD: keygen-convert.sh,v 1.1 2009/11/09 04:20:04 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="convert keys"
|
||||
|
||||
for t in rsa dsa; do
|
||||
# generate user key for agent
|
||||
trace "generating $t key"
|
||||
rm -f $OBJ/$t-key
|
||||
${SSHKEYGEN} -q -N "" -t $t -f $OBJ/$t-key
|
||||
|
||||
trace "export $t private to rfc4716 public"
|
||||
${SSHKEYGEN} -q -e -f $OBJ/$t-key >$OBJ/$t-key-rfc || \
|
||||
fail "export $t private to rfc4716 public"
|
||||
|
||||
trace "export $t public to rfc4716 public"
|
||||
${SSHKEYGEN} -q -e -f $OBJ/$t-key.pub >$OBJ/$t-key-rfc.pub || \
|
||||
fail "$t public to rfc4716 public"
|
||||
|
||||
cmp $OBJ/$t-key-rfc $OBJ/$t-key-rfc.pub || \
|
||||
fail "$t rfc4716 exports differ between public and private"
|
||||
|
||||
trace "import $t rfc4716 public"
|
||||
${SSHKEYGEN} -q -i -f $OBJ/$t-key-rfc >$OBJ/$t-rfc-imported || \
|
||||
fail "$t import rfc4716 public"
|
||||
|
||||
cut -f1,2 -d " " $OBJ/$t-key.pub >$OBJ/$t-key-nocomment.pub
|
||||
cmp $OBJ/$t-key-nocomment.pub $OBJ/$t-rfc-imported || \
|
||||
fail "$t imported differs from original"
|
||||
|
||||
rm -f $OBJ/$t-key $OBJ/$t-key.pub $OBJ/$t-key-rfc $OBJ/$t-key-rfc.pub \
|
||||
$OBJ/$t-rfc-imported $OBJ/$t-key-nocomment.pub
|
||||
done
|
39
crypto/openssh/regress/keys-command.sh
Executable file
39
crypto/openssh/regress/keys-command.sh
Executable file
@ -0,0 +1,39 @@
|
||||
# $OpenBSD: keys-command.sh,v 1.2 2012/12/06 06:06:54 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="authorized keys from command"
|
||||
|
||||
if test -z "$SUDO" ; then
|
||||
echo "skipped (SUDO not set)"
|
||||
echo "need SUDO to create file in /var/run, test won't work without"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Establish a AuthorizedKeysCommand in /var/run where it will have
|
||||
# acceptable directory permissions.
|
||||
KEY_COMMAND="/var/run/keycommand_${LOGNAME}"
|
||||
cat << _EOF | $SUDO sh -c "cat > '$KEY_COMMAND'"
|
||||
#!/bin/sh
|
||||
test "x\$1" != "x${LOGNAME}" && exit 1
|
||||
exec cat "$OBJ/authorized_keys_${LOGNAME}"
|
||||
_EOF
|
||||
$SUDO chmod 0755 "$KEY_COMMAND"
|
||||
|
||||
cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
|
||||
(
|
||||
grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
|
||||
echo AuthorizedKeysFile none
|
||||
echo AuthorizedKeysCommand $KEY_COMMAND
|
||||
echo AuthorizedKeysCommandUser ${LOGNAME}
|
||||
) > $OBJ/sshd_proxy
|
||||
|
||||
if [ -x $KEY_COMMAND ]; then
|
||||
${SSH} -F $OBJ/ssh_proxy somehost true
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "connect failed"
|
||||
fi
|
||||
else
|
||||
echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)"
|
||||
fi
|
||||
|
||||
$SUDO rm -f $KEY_COMMAND
|
19
crypto/openssh/regress/keyscan.sh
Normal file
19
crypto/openssh/regress/keyscan.sh
Normal file
@ -0,0 +1,19 @@
|
||||
# $OpenBSD: keyscan.sh,v 1.3 2002/03/15 13:08:56 markus Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="keyscan"
|
||||
|
||||
# remove DSA hostkey
|
||||
rm -f ${OBJ}/host.dsa
|
||||
|
||||
start_sshd
|
||||
|
||||
for t in rsa1 rsa dsa; do
|
||||
trace "keyscan type $t"
|
||||
${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \
|
||||
> /dev/null 2>&1
|
||||
r=$?
|
||||
if [ $r -ne 0 ]; then
|
||||
fail "ssh-keyscan -t $t failed with: $r"
|
||||
fi
|
||||
done
|
55
crypto/openssh/regress/keytype.sh
Executable file
55
crypto/openssh/regress/keytype.sh
Executable file
@ -0,0 +1,55 @@
|
||||
# $OpenBSD: keytype.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="login with different key types"
|
||||
|
||||
TIME=`which time 2>/dev/null`
|
||||
if test ! -x "$TIME"; then
|
||||
TIME=""
|
||||
fi
|
||||
|
||||
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
|
||||
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
|
||||
|
||||
ktypes="dsa-1024 rsa-2048 rsa-3072"
|
||||
if test "$TEST_SSH_ECC" = "yes"; then
|
||||
ktypes="$ktypes ecdsa-256 ecdsa-384 ecdsa-521"
|
||||
fi
|
||||
|
||||
for kt in $ktypes; do
|
||||
rm -f $OBJ/key.$kt
|
||||
bits=`echo ${kt} | awk -F- '{print $2}'`
|
||||
type=`echo ${kt} | awk -F- '{print $1}'`
|
||||
printf "keygen $type, $bits bits:\t"
|
||||
${TIME} ${SSHKEYGEN} -b $bits -q -N '' -t $type -f $OBJ/key.$kt ||\
|
||||
fail "ssh-keygen for type $type, $bits bits failed"
|
||||
done
|
||||
|
||||
tries="1 2 3"
|
||||
for ut in $ktypes; do
|
||||
htypes=$ut
|
||||
#htypes=$ktypes
|
||||
for ht in $htypes; do
|
||||
trace "ssh connect, userkey $ut, hostkey $ht"
|
||||
(
|
||||
grep -v HostKey $OBJ/sshd_proxy_bak
|
||||
echo HostKey $OBJ/key.$ht
|
||||
) > $OBJ/sshd_proxy
|
||||
(
|
||||
grep -v IdentityFile $OBJ/ssh_proxy_bak
|
||||
echo IdentityFile $OBJ/key.$ut
|
||||
) > $OBJ/ssh_proxy
|
||||
(
|
||||
printf 'localhost-with-alias,127.0.0.1,::1 '
|
||||
cat $OBJ/key.$ht.pub
|
||||
) > $OBJ/known_hosts
|
||||
cat $OBJ/key.$ut.pub > $OBJ/authorized_keys_$USER
|
||||
for i in $tries; do
|
||||
printf "userkey $ut, hostkey ${ht}:\t"
|
||||
${TIME} ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh userkey $ut, hostkey $ht failed"
|
||||
fi
|
||||
done
|
||||
done
|
||||
done
|
157
crypto/openssh/regress/krl.sh
Executable file
157
crypto/openssh/regress/krl.sh
Executable file
@ -0,0 +1,157 @@
|
||||
# $OpenBSD: krl.sh,v 1.1 2013/01/18 00:45:29 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="key revocation lists"
|
||||
|
||||
# If we don't support ecdsa keys then this tell will be much slower.
|
||||
ECDSA=ecdsa
|
||||
if test "x$TEST_SSH_ECC" != "xyes"; then
|
||||
ECDSA=rsa
|
||||
fi
|
||||
|
||||
# Do most testing with ssh-keygen; it uses the same verification code as sshd.
|
||||
|
||||
# Old keys will interfere with ssh-keygen.
|
||||
rm -f $OBJ/revoked-* $OBJ/krl-*
|
||||
|
||||
# Generate a CA key
|
||||
$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null ||
|
||||
fatal "$SSHKEYGEN CA failed"
|
||||
|
||||
# A specification that revokes some certificates by serial numbers
|
||||
# The serial pattern is chosen to ensure the KRL includes list, range and
|
||||
# bitmap sections.
|
||||
cat << EOF >> $OBJ/revoked-serials
|
||||
serial: 1-4
|
||||
serial: 10
|
||||
serial: 15
|
||||
serial: 30
|
||||
serial: 50
|
||||
serial: 999
|
||||
# The following sum to 500-799
|
||||
serial: 500
|
||||
serial: 501
|
||||
serial: 502
|
||||
serial: 503-600
|
||||
serial: 700-797
|
||||
serial: 798
|
||||
serial: 799
|
||||
serial: 599-701
|
||||
EOF
|
||||
|
||||
# A specification that revokes some certificated by key ID.
|
||||
touch $OBJ/revoked-keyid
|
||||
for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
|
||||
# Fill in by-ID revocation spec.
|
||||
echo "id: revoked $n" >> $OBJ/revoked-keyid
|
||||
done
|
||||
|
||||
keygen() {
|
||||
N=$1
|
||||
f=$OBJ/revoked-`printf "%04d" $N`
|
||||
# Vary the keytype. We use mostly ECDSA since this is fastest by far.
|
||||
keytype=$ECDSA
|
||||
case $N in
|
||||
2 | 10 | 510 | 1001) keytype=rsa;;
|
||||
4 | 30 | 520 | 1002) keytype=dsa;;
|
||||
esac
|
||||
$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
|
||||
|| fatal "$SSHKEYGEN failed"
|
||||
# Sign cert
|
||||
$SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
|
||||
|| fatal "$SSHKEYGEN sign failed"
|
||||
echo $f
|
||||
}
|
||||
|
||||
# Generate some keys.
|
||||
verbose "$tid: generating test keys"
|
||||
REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
|
||||
for n in $REVOKED_SERIALS ; do
|
||||
f=`keygen $n`
|
||||
REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
|
||||
REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
|
||||
done
|
||||
NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001"
|
||||
NOTREVOKED=""
|
||||
for n in $NOTREVOKED_SERIALS ; do
|
||||
NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
|
||||
NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
|
||||
done
|
||||
|
||||
genkrls() {
|
||||
OPTS=$1
|
||||
$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
|
||||
>/dev/null || fatal "$SSHKEYGEN KRL failed"
|
||||
$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
|
||||
>/dev/null || fatal "$SSHKEYGEN KRL failed"
|
||||
$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
|
||||
>/dev/null || fatal "$SSHKEYGEN KRL failed"
|
||||
$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
|
||||
>/dev/null || fatal "$SSHKEYGEN KRL failed"
|
||||
$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
|
||||
>/dev/null || fatal "$SSHKEYGEN KRL failed"
|
||||
# KRLs from serial/key-id spec need the CA specified.
|
||||
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
|
||||
>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
|
||||
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
|
||||
>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
|
||||
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
|
||||
>/dev/null || fatal "$SSHKEYGEN KRL failed"
|
||||
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
|
||||
>/dev/null || fatal "$SSHKEYGEN KRL failed"
|
||||
}
|
||||
|
||||
verbose "$tid: generating KRLs"
|
||||
genkrls
|
||||
|
||||
check_krl() {
|
||||
KEY=$1
|
||||
KRL=$2
|
||||
EXPECT_REVOKED=$3
|
||||
TAG=$4
|
||||
$SSHKEYGEN -Qf $KRL $KEY >/dev/null
|
||||
result=$?
|
||||
if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
|
||||
fatal "key $KEY not revoked by KRL $KRL: $TAG"
|
||||
elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
|
||||
fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
|
||||
fi
|
||||
}
|
||||
test_all() {
|
||||
FILES=$1
|
||||
TAG=$2
|
||||
KEYS_RESULT=$3
|
||||
ALL_RESULT=$4
|
||||
SERIAL_RESULT=$5
|
||||
KEYID_RESULT=$6
|
||||
CERTS_RESULT=$7
|
||||
CA_RESULT=$8
|
||||
verbose "$tid: checking revocations for $TAG"
|
||||
for f in $FILES ; do
|
||||
check_krl $f $OBJ/krl-empty no "$TAG"
|
||||
check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
|
||||
check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
|
||||
check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
|
||||
check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
|
||||
check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
|
||||
check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
|
||||
done
|
||||
}
|
||||
# keys all serial keyid certs CA
|
||||
test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
|
||||
test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
|
||||
test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
|
||||
test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
|
||||
|
||||
# Check update. Results should be identical.
|
||||
verbose "$tid: testing KRL update"
|
||||
for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
|
||||
$OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
|
||||
cp -f $OBJ/krl-empty $f
|
||||
genkrls -u
|
||||
done
|
||||
# keys all serial keyid certs CA
|
||||
test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
|
||||
test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
|
||||
test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
|
||||
test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
|
15
crypto/openssh/regress/localcommand.sh
Executable file
15
crypto/openssh/regress/localcommand.sh
Executable file
@ -0,0 +1,15 @@
|
||||
# $OpenBSD: localcommand.sh,v 1.2 2013/05/17 10:24:48 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="localcommand"
|
||||
|
||||
echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy
|
||||
echo 'LocalCommand echo foo' >> $OBJ/ssh_proxy
|
||||
|
||||
for p in 1 2; do
|
||||
verbose "test $tid: proto $p localcommand"
|
||||
a=`${SSH} -F $OBJ/ssh_proxy -$p somehost true`
|
||||
if [ "$a" != "foo" ] ; then
|
||||
fail "$tid proto $p"
|
||||
fi
|
||||
done
|
29
crypto/openssh/regress/login-timeout.sh
Normal file
29
crypto/openssh/regress/login-timeout.sh
Normal file
@ -0,0 +1,29 @@
|
||||
# $OpenBSD: login-timeout.sh,v 1.5 2013/05/17 10:23:52 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="connect after login grace timeout"
|
||||
|
||||
trace "test login grace with privsep"
|
||||
echo "LoginGraceTime 10s" >> $OBJ/sshd_config
|
||||
echo "MaxStartups 1" >> $OBJ/sshd_config
|
||||
start_sshd
|
||||
|
||||
(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 &
|
||||
sleep 15
|
||||
${SSH} -F $OBJ/ssh_config somehost true
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh connect after login grace timeout failed with privsep"
|
||||
fi
|
||||
|
||||
$SUDO kill `$SUDO cat $PIDFILE`
|
||||
|
||||
trace "test login grace without privsep"
|
||||
echo "UsePrivilegeSeparation no" >> $OBJ/sshd_config
|
||||
start_sshd
|
||||
|
||||
(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 &
|
||||
sleep 15
|
||||
${SSH} -F $OBJ/ssh_config somehost true
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh connect after login grace timeout failed without privsep"
|
||||
fi
|
175
crypto/openssh/regress/modpipe.c
Executable file
175
crypto/openssh/regress/modpipe.c
Executable file
@ -0,0 +1,175 @@
|
||||
/*
|
||||
* Copyright (c) 2012 Damien Miller <djm@mindrot.org>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $OpenBSD: modpipe.c,v 1.5 2013/05/10 03:46:14 djm Exp $ */
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <unistd.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdlib.h>
|
||||
#include <errno.h>
|
||||
#include "openbsd-compat/getopt_long.c"
|
||||
|
||||
static void err(int, const char *, ...) __attribute__((format(printf, 2, 3)));
|
||||
static void errx(int, const char *, ...) __attribute__((format(printf, 2, 3)));
|
||||
|
||||
static void
|
||||
err(int r, const char *fmt, ...)
|
||||
{
|
||||
va_list args;
|
||||
|
||||
va_start(args, fmt);
|
||||
fprintf(stderr, "%s: ", strerror(errno));
|
||||
vfprintf(stderr, fmt, args);
|
||||
fputc('\n', stderr);
|
||||
va_end(args);
|
||||
exit(r);
|
||||
}
|
||||
|
||||
static void
|
||||
errx(int r, const char *fmt, ...)
|
||||
{
|
||||
va_list args;
|
||||
|
||||
va_start(args, fmt);
|
||||
vfprintf(stderr, fmt, args);
|
||||
fputc('\n', stderr);
|
||||
va_end(args);
|
||||
exit(r);
|
||||
}
|
||||
|
||||
static void
|
||||
usage(void)
|
||||
{
|
||||
fprintf(stderr, "Usage: modpipe -w [-m modspec ...] < in > out\n");
|
||||
fprintf(stderr, "modspec is one of:\n");
|
||||
fprintf(stderr, " xor:offset:value - XOR \"value\" at \"offset\"\n");
|
||||
fprintf(stderr, " andor:offset:val1:val2 - AND \"val1\" then OR \"val2\" at \"offset\"\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
#define MAX_MODIFICATIONS 256
|
||||
struct modification {
|
||||
enum { MOD_XOR, MOD_AND_OR } what;
|
||||
u_int64_t offset;
|
||||
u_int8_t m1, m2;
|
||||
};
|
||||
|
||||
static void
|
||||
parse_modification(const char *s, struct modification *m)
|
||||
{
|
||||
char what[16+1];
|
||||
int n, m1, m2;
|
||||
|
||||
bzero(m, sizeof(*m));
|
||||
if ((n = sscanf(s, "%16[^:]%*[:]%lli%*[:]%i%*[:]%i",
|
||||
what, &m->offset, &m1, &m2)) < 3)
|
||||
errx(1, "Invalid modification spec \"%s\"", s);
|
||||
if (strcasecmp(what, "xor") == 0) {
|
||||
if (n > 3)
|
||||
errx(1, "Invalid modification spec \"%s\"", s);
|
||||
if (m1 < 0 || m1 > 0xff)
|
||||
errx(1, "Invalid XOR modification value");
|
||||
m->what = MOD_XOR;
|
||||
m->m1 = m1;
|
||||
} else if (strcasecmp(what, "andor") == 0) {
|
||||
if (n != 4)
|
||||
errx(1, "Invalid modification spec \"%s\"", s);
|
||||
if (m1 < 0 || m1 > 0xff)
|
||||
errx(1, "Invalid AND modification value");
|
||||
if (m2 < 0 || m2 > 0xff)
|
||||
errx(1, "Invalid OR modification value");
|
||||
m->what = MOD_AND_OR;
|
||||
m->m1 = m1;
|
||||
m->m2 = m2;
|
||||
} else
|
||||
errx(1, "Invalid modification type \"%s\"", what);
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
int ch;
|
||||
u_char buf[8192];
|
||||
size_t total;
|
||||
ssize_t r, s, o;
|
||||
struct modification mods[MAX_MODIFICATIONS];
|
||||
u_int i, wflag = 0, num_mods = 0;
|
||||
|
||||
while ((ch = getopt(argc, argv, "wm:")) != -1) {
|
||||
switch (ch) {
|
||||
case 'm':
|
||||
if (num_mods >= MAX_MODIFICATIONS)
|
||||
errx(1, "Too many modifications");
|
||||
parse_modification(optarg, &(mods[num_mods++]));
|
||||
break;
|
||||
case 'w':
|
||||
wflag = 1;
|
||||
break;
|
||||
default:
|
||||
usage();
|
||||
/* NOTREACHED */
|
||||
}
|
||||
}
|
||||
for (total = 0;;) {
|
||||
r = s = read(STDIN_FILENO, buf, sizeof(buf));
|
||||
if (r == 0)
|
||||
break;
|
||||
if (r < 0) {
|
||||
if (errno == EAGAIN || errno == EINTR)
|
||||
continue;
|
||||
err(1, "read");
|
||||
}
|
||||
for (i = 0; i < num_mods; i++) {
|
||||
if (mods[i].offset < total ||
|
||||
mods[i].offset >= total + s)
|
||||
continue;
|
||||
switch (mods[i].what) {
|
||||
case MOD_XOR:
|
||||
buf[mods[i].offset - total] ^= mods[i].m1;
|
||||
break;
|
||||
case MOD_AND_OR:
|
||||
buf[mods[i].offset - total] &= mods[i].m1;
|
||||
buf[mods[i].offset - total] |= mods[i].m2;
|
||||
break;
|
||||
}
|
||||
}
|
||||
for (o = 0; o < s; o += r) {
|
||||
r = write(STDOUT_FILENO, buf, s - o);
|
||||
if (r == 0)
|
||||
break;
|
||||
if (r < 0) {
|
||||
if (errno == EAGAIN || errno == EINTR)
|
||||
continue;
|
||||
err(1, "write");
|
||||
}
|
||||
}
|
||||
total += s;
|
||||
}
|
||||
/* Warn if modifications not reached in input stream */
|
||||
r = 0;
|
||||
for (i = 0; wflag && i < num_mods; i++) {
|
||||
if (mods[i].offset < total)
|
||||
continue;
|
||||
r = 1;
|
||||
fprintf(stderr, "modpipe: warning - mod %u not reached\n", i);
|
||||
}
|
||||
return r;
|
||||
}
|
143
crypto/openssh/regress/multiplex.sh
Normal file
143
crypto/openssh/regress/multiplex.sh
Normal file
@ -0,0 +1,143 @@
|
||||
# $OpenBSD: multiplex.sh,v 1.21 2013/05/17 04:29:14 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
CTL=/tmp/openssh.regress.ctl-sock.$$
|
||||
|
||||
tid="connection multiplexing"
|
||||
|
||||
if config_defined DISABLE_FD_PASSING ; then
|
||||
echo "skipped (not supported on this platform)"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
P=3301 # test port
|
||||
|
||||
wait_for_mux_master_ready()
|
||||
{
|
||||
for i in 1 2 3 4 5; do
|
||||
${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost \
|
||||
>/dev/null 2>&1 && return 0
|
||||
sleep $i
|
||||
done
|
||||
fatal "mux master never becomes ready"
|
||||
}
|
||||
|
||||
start_sshd
|
||||
|
||||
start_mux_master()
|
||||
{
|
||||
trace "start master, fork to background"
|
||||
${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost \
|
||||
-E $TEST_REGRESS_LOGFILE 2>&1 &
|
||||
MASTER_PID=$!
|
||||
wait_for_mux_master_ready
|
||||
}
|
||||
|
||||
start_mux_master
|
||||
|
||||
verbose "test $tid: envpass"
|
||||
trace "env passing over multiplexed connection"
|
||||
_XXX_TEST=blah ${SSH} -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" -S$CTL otherhost sh << 'EOF'
|
||||
test X"$_XXX_TEST" = X"blah"
|
||||
EOF
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "environment not found"
|
||||
fi
|
||||
|
||||
verbose "test $tid: transfer"
|
||||
rm -f ${COPY}
|
||||
trace "ssh transfer over multiplexed connection and check result"
|
||||
${SSH} -F $OBJ/ssh_config -S$CTL otherhost cat ${DATA} > ${COPY}
|
||||
test -f ${COPY} || fail "ssh -Sctl: failed copy ${DATA}"
|
||||
cmp ${DATA} ${COPY} || fail "ssh -Sctl: corrupted copy of ${DATA}"
|
||||
|
||||
rm -f ${COPY}
|
||||
trace "ssh transfer over multiplexed connection and check result"
|
||||
${SSH} -F $OBJ/ssh_config -S $CTL otherhost cat ${DATA} > ${COPY}
|
||||
test -f ${COPY} || fail "ssh -S ctl: failed copy ${DATA}"
|
||||
cmp ${DATA} ${COPY} || fail "ssh -S ctl: corrupted copy of ${DATA}"
|
||||
|
||||
rm -f ${COPY}
|
||||
trace "sftp transfer over multiplexed connection and check result"
|
||||
echo "get ${DATA} ${COPY}" | \
|
||||
${SFTP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost >>$TEST_REGRESS_LOGFILE 2>&1
|
||||
test -f ${COPY} || fail "sftp: failed copy ${DATA}"
|
||||
cmp ${DATA} ${COPY} || fail "sftp: corrupted copy of ${DATA}"
|
||||
|
||||
rm -f ${COPY}
|
||||
trace "scp transfer over multiplexed connection and check result"
|
||||
${SCP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost:${DATA} ${COPY} >>$TEST_REGRESS_LOGFILE 2>&1
|
||||
test -f ${COPY} || fail "scp: failed copy ${DATA}"
|
||||
cmp ${DATA} ${COPY} || fail "scp: corrupted copy of ${DATA}"
|
||||
|
||||
rm -f ${COPY}
|
||||
|
||||
for s in 0 1 4 5 44; do
|
||||
trace "exit status $s over multiplexed connection"
|
||||
verbose "test $tid: status $s"
|
||||
${SSH} -F $OBJ/ssh_config -S $CTL otherhost exit $s
|
||||
r=$?
|
||||
if [ $r -ne $s ]; then
|
||||
fail "exit code mismatch for protocol $p: $r != $s"
|
||||
fi
|
||||
|
||||
# same with early close of stdout/err
|
||||
trace "exit status $s with early close over multiplexed connection"
|
||||
${SSH} -F $OBJ/ssh_config -S $CTL -n otherhost \
|
||||
exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
|
||||
r=$?
|
||||
if [ $r -ne $s ]; then
|
||||
fail "exit code (with sleep) mismatch for protocol $p: $r != $s"
|
||||
fi
|
||||
done
|
||||
|
||||
verbose "test $tid: cmd check"
|
||||
${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \
|
||||
|| fail "check command failed"
|
||||
|
||||
verbose "test $tid: cmd forward local"
|
||||
${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L $P:localhost:$PORT otherhost \
|
||||
|| fail "request local forward failed"
|
||||
${SSH} -F $OBJ/ssh_config -p$P otherhost true \
|
||||
|| fail "connect to local forward port failed"
|
||||
${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -L $P:localhost:$PORT otherhost \
|
||||
|| fail "cancel local forward failed"
|
||||
${SSH} -F $OBJ/ssh_config -p$P otherhost true \
|
||||
&& fail "local forward port still listening"
|
||||
|
||||
verbose "test $tid: cmd forward remote"
|
||||
${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -R $P:localhost:$PORT otherhost \
|
||||
|| fail "request remote forward failed"
|
||||
${SSH} -F $OBJ/ssh_config -p$P otherhost true \
|
||||
|| fail "connect to remote forwarded port failed"
|
||||
${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -R $P:localhost:$PORT otherhost \
|
||||
|| fail "cancel remote forward failed"
|
||||
${SSH} -F $OBJ/ssh_config -p$P otherhost true \
|
||||
&& fail "remote forward port still listening"
|
||||
|
||||
verbose "test $tid: cmd exit"
|
||||
${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \
|
||||
|| fail "send exit command failed"
|
||||
|
||||
# Wait for master to exit
|
||||
wait $MASTER_PID
|
||||
kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed"
|
||||
|
||||
# Restart master and test -O stop command with master using -N
|
||||
verbose "test $tid: cmd stop"
|
||||
trace "restart master, fork to background"
|
||||
start_mux_master
|
||||
|
||||
# start a long-running command then immediately request a stop
|
||||
${SSH} -F $OBJ/ssh_config -S $CTL otherhost "sleep 10; exit 0" \
|
||||
>>$TEST_REGRESS_LOGFILE 2>&1 &
|
||||
SLEEP_PID=$!
|
||||
${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \
|
||||
|| fail "send stop command failed"
|
||||
|
||||
# wait until both long-running command and master have exited.
|
||||
wait $SLEEP_PID
|
||||
[ $! != 0 ] || fail "waiting for concurrent command"
|
||||
wait $MASTER_PID
|
||||
[ $! != 0 ] || fail "waiting for master stop"
|
||||
kill -0 $MASTER_PID >/dev/null 2>&1 && fail "stop command failed"
|
34
crypto/openssh/regress/portnum.sh
Executable file
34
crypto/openssh/regress/portnum.sh
Executable file
@ -0,0 +1,34 @@
|
||||
# $OpenBSD: portnum.sh,v 1.2 2013/05/17 10:34:30 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="port number parsing"
|
||||
|
||||
badport() {
|
||||
port=$1
|
||||
verbose "$tid: invalid port $port"
|
||||
if ${SSH} -F $OBJ/ssh_proxy -p $port somehost true 2>/dev/null ; then
|
||||
fail "$tid accepted invalid port $port"
|
||||
fi
|
||||
}
|
||||
goodport() {
|
||||
port=$1
|
||||
verbose "$tid: valid port $port"
|
||||
if ${SSH} -F $OBJ/ssh_proxy -p $port somehost true 2>/dev/null ; then
|
||||
:
|
||||
else
|
||||
fail "$tid rejected valid port $port"
|
||||
fi
|
||||
}
|
||||
|
||||
badport 0
|
||||
badport 65536
|
||||
badport 131073
|
||||
badport 2000blah
|
||||
badport blah2000
|
||||
|
||||
goodport 1
|
||||
goodport 22
|
||||
goodport 2222
|
||||
goodport 22222
|
||||
goodport 65535
|
||||
|
19
crypto/openssh/regress/proto-mismatch.sh
Normal file
19
crypto/openssh/regress/proto-mismatch.sh
Normal file
@ -0,0 +1,19 @@
|
||||
# $OpenBSD: proto-mismatch.sh,v 1.3 2002/03/15 13:08:56 markus Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="protocol version mismatch"
|
||||
|
||||
mismatch ()
|
||||
{
|
||||
server=$1
|
||||
client=$2
|
||||
banner=`echo ${client} | ${SSHD} -o "Protocol=${server}" -i -f ${OBJ}/sshd_proxy`
|
||||
r=$?
|
||||
trace "sshd prints ${banner}"
|
||||
if [ $r -ne 255 ]; then
|
||||
fail "sshd prints ${banner} and accepts connect with version ${client}"
|
||||
fi
|
||||
}
|
||||
|
||||
mismatch 2 SSH-1.5-HALLO
|
||||
mismatch 1 SSH-2.0-HALLO
|
34
crypto/openssh/regress/proto-version.sh
Normal file
34
crypto/openssh/regress/proto-version.sh
Normal file
@ -0,0 +1,34 @@
|
||||
# $OpenBSD: proto-version.sh,v 1.4 2013/05/17 00:37:40 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="sshd version with different protocol combinations"
|
||||
|
||||
# we just start sshd in inetd mode and check the banner
|
||||
check_version ()
|
||||
{
|
||||
version=$1
|
||||
expect=$2
|
||||
banner=`printf '' | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy`
|
||||
case ${banner} in
|
||||
SSH-1.99-*)
|
||||
proto=199
|
||||
;;
|
||||
SSH-2.0-*)
|
||||
proto=20
|
||||
;;
|
||||
SSH-1.5-*)
|
||||
proto=15
|
||||
;;
|
||||
*)
|
||||
proto=0
|
||||
;;
|
||||
esac
|
||||
if [ ${expect} -ne ${proto} ]; then
|
||||
fail "wrong protocol version ${banner} for ${version}"
|
||||
fi
|
||||
}
|
||||
|
||||
check_version 2,1 199
|
||||
check_version 1,2 199
|
||||
check_version 2 20
|
||||
check_version 1 15
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user