1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-11-27 08:00:11 +00:00

Pull in all the OpenSSH bits that we'd previously left out because we

didn't use them.  This will make future merges from the vendor tree much
easier.

Approved by:	re (gjb)
This commit is contained in:
Dag-Erling Smørgrav 2013-09-21 22:24:10 +00:00
commit ce3adf4362
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=255774
146 changed files with 43001 additions and 0 deletions

459
crypto/openssh/Makefile.in Normal file
View File

@ -0,0 +1,459 @@
# $Id: Makefile.in,v 1.340 2013/06/11 01:26:10 dtucker Exp $
# uncomment if you run a non bourne compatable shell. Ie. csh
#SHELL = @SH@
AUTORECONF=autoreconf
prefix=@prefix@
exec_prefix=@exec_prefix@
bindir=@bindir@
sbindir=@sbindir@
libexecdir=@libexecdir@
datadir=@datadir@
datarootdir=@datarootdir@
mandir=@mandir@
mansubdir=@mansubdir@
sysconfdir=@sysconfdir@
piddir=@piddir@
srcdir=@srcdir@
top_srcdir=@top_srcdir@
DESTDIR=
VPATH=@srcdir@
SSH_PROGRAM=@bindir@/ssh
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
STRIP_OPT=@STRIP_OPT@
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
-D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\" \
-D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \
-D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \
-D_PATH_SSH_PIDDIR=\"$(piddir)\" \
-D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\"
CC=@CC@
LD=@LD@
CFLAGS=@CFLAGS@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
LIBS=@LIBS@
K5LIBS=@K5LIBS@
GSSLIBS=@GSSLIBS@
SSHLIBS=@SSHLIBS@
SSHDLIBS=@SSHDLIBS@
LIBEDIT=@LIBEDIT@
AR=@AR@
AWK=@AWK@
RANLIB=@RANLIB@
INSTALL=@INSTALL@
PERL=@PERL@
SED=@SED@
ENT=@ENT@
XAUTH_PATH=@XAUTH_PATH@
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
canohost.o channels.o cipher.o cipher-aes.o \
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
log.o match.o md-sha256.o moduli.o nchan.o packet.o \
readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
jpake.o schnorr.o ssh-pkcs11.o krl.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
roaming_common.o roaming_client.o
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
audit.o audit-bsm.o audit-linux.o platform.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
auth.o auth1.o auth2.o auth-options.o session.o \
auth-chall.o auth2-chall.o groupaccess.o \
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
auth-krb5.o \
auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
sandbox-seccomp-filter.o
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
MANTYPE = @MANTYPE@
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
CONFIGFILES_IN=sshd_config ssh_config moduli
PATHSUBS = \
-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
-e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \
-e 's|/usr/libexec|$(libexecdir)|g' \
-e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \
-e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \
-e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \
-e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \
-e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \
-e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \
-e 's|/etc/moduli|$(sysconfdir)/moduli|g' \
-e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \
-e 's|/etc/ssh/sshrc|$(sysconfdir)/sshrc|g' \
-e 's|/usr/X11R6/bin/xauth|$(XAUTH_PATH)|g' \
-e 's|/var/empty|$(PRIVSEP_PATH)|g' \
-e 's|/usr/bin:/bin:/usr/sbin:/sbin|@user_path@|g'
FIXPATHSCMD = $(SED) $(PATHSUBS)
FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
@UNSUPPORTED_ALGORITHMS@
all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
$(LIBSSH_OBJS): Makefile.in config.h
$(SSHOBJS): Makefile.in config.h
$(SSHDOBJS): Makefile.in config.h
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
$(LIBCOMPAT): always
(cd openbsd-compat && $(MAKE))
always:
libssh.a: $(LIBSSH_OBJS)
$(AR) rv $@ $(LIBSSH_OBJS)
$(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
$(MANPAGES): $(MANPAGES_IN)
if test "$(MANTYPE)" = "cat"; then \
manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
else \
manpage=$(srcdir)/`echo $@ | sed 's/\.out$$//'`; \
fi; \
if test "$(MANTYPE)" = "man"; then \
$(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) | \
$(AWK) -f $(srcdir)/mdoc2man.awk > $@; \
else \
$(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) > $@; \
fi
$(CONFIGFILES): $(CONFIGFILES_IN)
conffile=`echo $@ | sed 's/.out$$//'`; \
$(FIXPATHSCMD) $(srcdir)/$${conffile} > $@
# fake rule to stop make trying to compile moduli.o into a binary "moduli.o"
moduli:
echo
# special case target for umac128
umac128.o: umac.c
$(CC) $(CFLAGS) $(CPPFLAGS) -o umac128.o -c $(srcdir)/umac.c \
-DUMAC_OUTPUT_LEN=16 -Dumac_new=umac128_new \
-Dumac_update=umac128_update -Dumac_final=umac128_final \
-Dumac_delete=umac128_delete
clean: regressclean
rm -f *.o *.a $(TARGETS) logintest config.cache config.log
rm -f *.out core survey
(cd openbsd-compat && $(MAKE) clean)
distclean: regressclean
rm -f *.o *.a $(TARGETS) logintest config.cache config.log
rm -f *.out core opensshd.init openssh.xml
rm -f Makefile buildpkg.sh config.h config.status
rm -f survey.sh openbsd-compat/regress/Makefile *~
rm -rf autom4te.cache
(cd openbsd-compat && $(MAKE) distclean)
if test -d pkg ; then \
rm -fr pkg ; \
fi
veryclean: distclean
rm -f configure config.h.in *.0
cleandir: veryclean
mrproper: veryclean
realclean: veryclean
catman-do:
@for f in $(MANPAGES_IN) ; do \
base=`echo $$f | sed 's/\..*$$//'` ; \
echo "$$f -> $$base.0" ; \
$(MANFMT) $$f | cat -v | sed -e 's/.\^H//g' \
>$$base.0 ; \
done
distprep: catman-do
$(AUTORECONF)
-rm -rf autom4te.cache
install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
check-config:
-$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config
install-files:
$(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
$(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir)
$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)
$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1
$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5
$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8
$(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir)
(umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH))
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
$(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
$(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
-rm -f $(DESTDIR)$(bindir)/slogin
ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
install-sysconf:
if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
$(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
fi
@if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config ]; then \
$(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \
else \
echo "$(DESTDIR)$(sysconfdir)/ssh_config already exists, install will not overwrite"; \
fi
@if [ ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \
$(INSTALL) -m 644 sshd_config.out $(DESTDIR)$(sysconfdir)/sshd_config; \
else \
echo "$(DESTDIR)$(sysconfdir)/sshd_config already exists, install will not overwrite"; \
fi
@if [ ! -f $(DESTDIR)$(sysconfdir)/moduli ]; then \
if [ -f $(DESTDIR)$(sysconfdir)/primes ]; then \
echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \
mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \
else \
$(INSTALL) -m 644 moduli.out $(DESTDIR)$(sysconfdir)/moduli; \
fi ; \
else \
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
fi
host-key: ssh-keygen$(EXEEXT)
@if [ -z "$(DESTDIR)" ] ; then \
if [ -f "$(sysconfdir)/ssh_host_key" ] ; then \
echo "$(sysconfdir)/ssh_host_key already exists, skipping." ; \
else \
./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \
fi ; \
if [ -f $(sysconfdir)/ssh_host_dsa_key ] ; then \
echo "$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \
else \
./ssh-keygen -t dsa -f $(sysconfdir)/ssh_host_dsa_key -N "" ; \
fi ; \
if [ -f $(sysconfdir)/ssh_host_rsa_key ] ; then \
echo "$(sysconfdir)/ssh_host_rsa_key already exists, skipping." ; \
else \
./ssh-keygen -t rsa -f $(sysconfdir)/ssh_host_rsa_key -N "" ; \
fi ; \
if [ -z "@COMMENT_OUT_ECC@" ] ; then \
if [ -f $(sysconfdir)/ssh_host_ecdsa_key ] ; then \
echo "$(sysconfdir)/ssh_host_ecdsa_key already exists, skipping." ; \
else \
./ssh-keygen -t ecdsa -f $(sysconfdir)/ssh_host_ecdsa_key -N "" ; \
fi ; \
fi ; \
fi ;
host-key-force: ssh-keygen$(EXEEXT)
./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""
./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N ""
./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N ""
test -z "@COMMENT_OUT_ECC@" && ./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N ""
uninstallall: uninstall
-rm -f $(DESTDIR)$(sysconfdir)/ssh_config
-rm -f $(DESTDIR)$(sysconfdir)/sshd_config
-rmdir $(DESTDIR)$(sysconfdir)
-rmdir $(DESTDIR)$(bindir)
-rmdir $(DESTDIR)$(sbindir)
-rmdir $(DESTDIR)$(mandir)/$(mansubdir)1
-rmdir $(DESTDIR)$(mandir)/$(mansubdir)8
-rmdir $(DESTDIR)$(mandir)
-rmdir $(DESTDIR)$(libexecdir)
uninstall:
-rm -f $(DESTDIR)$(bindir)/slogin
-rm -f $(DESTDIR)$(bindir)/ssh$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/scp$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
-rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
[ -f `pwd`/regress/Makefile ] || \
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT)
BUILDDIR=`pwd`; \
TEST_SHELL="@TEST_SHELL@"; \
TEST_SSH_SSH="$${BUILDDIR}/ssh"; \
TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \
TEST_SSH_SSHAGENT="$${BUILDDIR}/ssh-agent"; \
TEST_SSH_SSHADD="$${BUILDDIR}/ssh-add"; \
TEST_SSH_SSHKEYGEN="$${BUILDDIR}/ssh-keygen"; \
TEST_SSH_SSHPKCS11HELPER="$${BUILDDIR}/ssh-pkcs11-helper"; \
TEST_SSH_SSHKEYSCAN="$${BUILDDIR}/ssh-keyscan"; \
TEST_SSH_SFTP="$${BUILDDIR}/sftp"; \
TEST_SSH_SFTPSERVER="$${BUILDDIR}/sftp-server"; \
TEST_SSH_PLINK="plink"; \
TEST_SSH_PUTTYGEN="puttygen"; \
TEST_SSH_CONCH="conch"; \
TEST_SSH_IPV6="@TEST_SSH_IPV6@" ; \
TEST_SSH_ECC="@TEST_SSH_ECC@" ; \
TEST_SSH_SHA256="@TEST_SSH_SHA256@" ; \
cd $(srcdir)/regress || exit $$?; \
$(MAKE) \
.OBJDIR="$${BUILDDIR}/regress" \
.CURDIR="`pwd`" \
BUILDDIR="$${BUILDDIR}" \
OBJ="$${BUILDDIR}/regress/" \
PATH="$${BUILDDIR}:$${PATH}" \
TEST_SHELL="$${TEST_SHELL}" \
TEST_SSH_SSH="$${TEST_SSH_SSH}" \
TEST_SSH_SSHD="$${TEST_SSH_SSHD}" \
TEST_SSH_SSHAGENT="$${TEST_SSH_SSHAGENT}" \
TEST_SSH_SSHADD="$${TEST_SSH_SSHADD}" \
TEST_SSH_SSHKEYGEN="$${TEST_SSH_SSHKEYGEN}" \
TEST_SSH_SSHPKCS11HELPER="$${TEST_SSH_SSHPKCS11HELPER}" \
TEST_SSH_SSHKEYSCAN="$${TEST_SSH_SSHKEYSCAN}" \
TEST_SSH_SFTP="$${TEST_SSH_SFTP}" \
TEST_SSH_SFTPSERVER="$${TEST_SSH_SFTPSERVER}" \
TEST_SSH_PLINK="$${TEST_SSH_PLINK}" \
TEST_SSH_PUTTYGEN="$${TEST_SSH_PUTTYGEN}" \
TEST_SSH_CONCH="$${TEST_SSH_CONCH}" \
TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \
TEST_SSH_ECC="$${TEST_SSH_ECC}" \
TEST_SSH_SHA256="$${TEST_SSH_SHA256}" \
EXEEXT="$(EXEEXT)" \
$@ && echo all tests passed
compat-tests: $(LIBCOMPAT)
(cd openbsd-compat/regress && $(MAKE))
regressclean:
if [ -f regress/Makefile ] && [ -r regress/Makefile ]; then \
(cd regress && $(MAKE) clean) \
fi
survey: survey.sh ssh
@$(SHELL) ./survey.sh > survey
@echo 'The survey results have been placed in the file "survey" in the'
@echo 'current directory. Please review the file then send with'
@echo '"make send-survey".'
send-survey: survey
mail portable-survey@mindrot.org <survey
package: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
if [ "@MAKE_PACKAGE_SUPPORTED@" = yes ]; then \
sh buildpkg.sh; \
fi

View File

@ -0,0 +1,677 @@
#!/bin/sh
#
# Fake Root Solaris/SVR4/SVR5 Build System - Prototype
#
# The following code has been provide under Public Domain License. I really
# don't care what you use it for. Just as long as you don't complain to me
# nor my employer if you break it. - Ben Lindstrom (mouring@eviladmin.org)
#
umask 022
#
# Options for building the package
# You can create a openssh-config.local with your customized options
#
REMOVE_FAKE_ROOT_WHEN_DONE=yes
#
# uncommenting TEST_DIR and using
# configure --prefix=/var/tmp --with-privsep-path=/var/tmp/empty
# and
# PKGNAME=tOpenSSH should allow testing a package without interfering
# with a real OpenSSH package on a system. This is not needed on systems
# that support the -R option to pkgadd.
#TEST_DIR=/var/tmp # leave commented out for production build
PKGNAME=OpenSSH
# revisions within the same version (REV=a)
#REV=
SYSVINIT_NAME=opensshd
AWK=${AWK:="nawk"}
MAKE=${MAKE:="make"}
SSHDUID=67 # Default privsep uid
SSHDGID=67 # Default privsep gid
# uncomment these next three as needed
#PERMIT_ROOT_LOGIN=no
#X11_FORWARDING=yes
#USR_LOCAL_IS_SYMLINK=yes
# System V init run levels
SYSVINITSTART=S98
SYSVINITSTOPT=K30
# We will source these if they exist
POST_MAKE_INSTALL_FIXES=./pkg-post-make-install-fixes.sh
POST_PROTOTYPE_EDITS=./pkg-post-prototype-edit.sh
# We'll be one level deeper looking for these
PKG_PREINSTALL_LOCAL=../pkg-preinstall.local
PKG_POSTINSTALL_LOCAL=../pkg-postinstall.local
PKG_PREREMOVE_LOCAL=../pkg-preremove.local
PKG_POSTREMOVE_LOCAL=../pkg-postremove.local
PKG_REQUEST_LOCAL=../pkg-request.local
# end of sourced files
#
OPENSSHD=opensshd.init
OPENSSH_MANIFEST=openssh.xml
OPENSSH_FMRI=svc:/site/${SYSVINIT_NAME}:default
SMF_METHOD_DIR=/lib/svc/method/site
SMF_MANIFEST_DIR=/var/svc/manifest/site
PATH_GROUPADD_PROG=@PATH_GROUPADD_PROG@
PATH_USERADD_PROG=@PATH_USERADD_PROG@
PATH_PASSWD_PROG=@PATH_PASSWD_PROG@
#
# list of system directories we do NOT want to change owner/group/perms
# when installing our package
SYSTEM_DIR="/etc \
/etc/init.d \
/etc/rcS.d \
/etc/rc0.d \
/etc/rc1.d \
/etc/rc2.d \
/etc/opt \
/lib \
/lib/svc \
/lib/svc/method \
/lib/svc/method/site \
/opt \
/opt/bin \
/usr \
/usr/bin \
/usr/lib \
/usr/sbin \
/usr/share \
/usr/share/man \
/usr/share/man/man1 \
/usr/share/man/man8 \
/usr/local \
/usr/local/bin \
/usr/local/etc \
/usr/local/libexec \
/usr/local/man \
/usr/local/man/man1 \
/usr/local/man/man8 \
/usr/local/sbin \
/usr/local/share \
/var \
/var/opt \
/var/run \
/var/svc \
/var/svc/manifest \
/var/svc/manifest/site \
/var/tmp \
/tmp"
# We may need to build as root so we make sure PATH is set up
# only set the path if it's not set already
[ -d /opt/bin ] && {
echo $PATH | grep ":/opt/bin" > /dev/null 2>&1
[ $? -ne 0 ] && PATH=$PATH:/opt/bin
}
[ -d /usr/local/bin ] && {
echo $PATH | grep ":/usr/local/bin" > /dev/null 2>&1
[ $? -ne 0 ] && PATH=$PATH:/usr/local/bin
}
[ -d /usr/ccs/bin ] && {
echo $PATH | grep ":/usr/ccs/bin" > /dev/null 2>&1
[ $? -ne 0 ] && PATH=$PATH:/usr/ccs/bin
}
export PATH
#
[ -f Makefile ] || {
echo "Please run this script from your build directory"
exit 1
}
# we will look for openssh-config.local to override the above options
[ -s ./openssh-config.local ] && . ./openssh-config.local
START=`pwd`
FAKE_ROOT=$START/pkg
## Fill in some details, like prefix and sysconfdir
for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir sysconfdir piddir srcdir
do
eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2`
done
## Are we using Solaris' SMF?
DO_SMF=0
if egrep "^#define USE_SOLARIS_PROCESS_CONTRACTS" config.h > /dev/null 2>&1
then
DO_SMF=1
fi
## Collect value of privsep user
for confvar in SSH_PRIVSEP_USER
do
eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h`
done
## Set privsep defaults if not defined
if [ -z "$SSH_PRIVSEP_USER" ]
then
SSH_PRIVSEP_USER=sshd
fi
## Extract common info requires for the 'info' part of the package.
VERSION=`./ssh -V 2>&1 | sed -e 's/,.*//'`
ARCH=`uname -m`
DEF_MSG="\n"
OS_VER=`uname -v`
SCRIPT_SHELL=/sbin/sh
UNAME_R=`uname -r`
UNAME_S=`uname -s`
case ${UNAME_S} in
SunOS) UNAME_S=Solaris
OS_VER=${UNAME_R}
ARCH=`uname -p`
RCS_D=yes
DEF_MSG="(default: n)"
;;
SCO_SV) case ${UNAME_R} in
3.2) UNAME_S=OpenServer5
OS_VER=`uname -X | grep Release | sed -e 's/^Rel.*3.2v//'`
;;
5) UNAME_S=OpenServer6
;;
esac
SCRIPT_SHELL=/bin/sh
RC1_D=no
DEF_MSG="(default: n)"
;;
esac
case `basename $0` in
buildpkg.sh)
## Start by faking root install
echo "Faking root install..."
[ -d $FAKE_ROOT ] && rm -fr $FAKE_ROOT
mkdir $FAKE_ROOT
${MAKE} install-nokeys DESTDIR=$FAKE_ROOT
if [ $? -gt 0 ]
then
echo "Fake root install failed, stopping."
exit 1
fi
## Setup our run level stuff while we are at it.
if [ $DO_SMF -eq 1 ]
then
# For Solaris' SMF, /lib/svc/method/site is the preferred place
# for start/stop scripts that aren't supplied with the OS, and
# similarly /var/svc/manifest/site for manifests.
mkdir -p $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}
mkdir -p $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}
cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}/${SYSVINIT_NAME}
chmod 744 $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}/${SYSVINIT_NAME}
cat ${OPENSSH_MANIFEST} | \
sed -e "s|__SYSVINIT_NAME__|${SYSVINIT_NAME}|" \
-e "s|__SMF_METHOD_DIR__|${SMF_METHOD_DIR}|" \
> $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
chmod 644 $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
else
mkdir -p $FAKE_ROOT${TEST_DIR}/etc/init.d
cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
chmod 744 $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
fi
[ "${PERMIT_ROOT_LOGIN}" = no ] && \
perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
$FAKE_ROOT${sysconfdir}/sshd_config
[ "${X11_FORWARDING}" = yes ] && \
perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
$FAKE_ROOT${sysconfdir}/sshd_config
# fix PrintMotd
perl -p -i -e "s/#PrintMotd yes/PrintMotd no/" \
$FAKE_ROOT${sysconfdir}/sshd_config
# We don't want to overwrite config files on multiple installs
mv $FAKE_ROOT${sysconfdir}/ssh_config $FAKE_ROOT${sysconfdir}/ssh_config.default
mv $FAKE_ROOT${sysconfdir}/sshd_config $FAKE_ROOT${sysconfdir}/sshd_config.default
# local tweeks here
[ -s "${POST_MAKE_INSTALL_FIXES}" ] && . ${POST_MAKE_INSTALL_FIXES}
cd $FAKE_ROOT
## Ok, this is outright wrong, but it will work. I'm tired of pkgmk
## whining.
for i in *; do
PROTO_ARGS="$PROTO_ARGS $i=/$i";
done
## Build info file
echo "Building pkginfo file..."
cat > pkginfo << _EOF
PKG=$PKGNAME
NAME="OpenSSH Portable for ${UNAME_S}"
DESC="Secure Shell remote access utility; replaces telnet and rlogin/rsh."
VENDOR="OpenSSH Portable Team - http://www.openssh.com/portable.html"
ARCH=$ARCH
VERSION=$VERSION$REV
CATEGORY="Security,application"
BASEDIR=/
CLASSES="none"
PSTAMP="${UNAME_S} ${OS_VER} ${ARCH} `date '+%d%b%Y %H:%M'`"
_EOF
## Build empty depend file that may get updated by $POST_PROTOTYPE_EDITS
echo "Building depend file..."
touch depend
## Build space file
echo "Building space file..."
if [ $DO_SMF -eq 1 ]
then
# XXX Is this necessary? If not, remove space line from mk-proto.awk.
touch space
else
cat > space << _EOF
# extra space required by start/stop links added by installf
# in postinstall
$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1
$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME} 0 1
_EOF
[ "$RC1_D" = no ] || \
echo "$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space
[ "$RCS_D" = yes ] && \
echo "$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space
fi
## Build preinstall file
echo "Building preinstall file..."
cat > preinstall << _EOF
#! ${SCRIPT_SHELL}
#
_EOF
# local preinstall changes here
[ -s "${PKG_PREINSTALL_LOCAL}" ] && . ${PKG_PREINSTALL_LOCAL}
cat >> preinstall << _EOF
#
if [ "\${PRE_INS_STOP}" = "yes" ]
then
if [ $DO_SMF -eq 1 ]
then
svcadm disable $OPENSSH_FMRI
else
${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
fi
fi
exit 0
_EOF
## Build postinstall file
echo "Building postinstall file..."
cat > postinstall << _EOF
#! ${SCRIPT_SHELL}
#
[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config ] || \\
cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config.default \\
\${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config
[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config ] || \\
cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config.default \\
\${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config
# make rc?.d dirs only if we are doing a test install
[ -n "${TEST_DIR}" ] && [ $DO_SMF -ne 1 ] && {
[ "$RCS_D" = yes ] && mkdir -p ${TEST_DIR}/etc/rcS.d
mkdir -p ${TEST_DIR}/etc/rc0.d
[ "$RC1_D" = no ] || mkdir -p ${TEST_DIR}/etc/rc1.d
mkdir -p ${TEST_DIR}/etc/rc2.d
}
if [ $DO_SMF -eq 1 ]
then
# Delete the existing service, if it exists, then import the
# new one.
if svcs $OPENSSH_FMRI > /dev/null 2>&1
then
svccfg delete -f $OPENSSH_FMRI
fi
# NOTE, The manifest disables sshd by default.
svccfg import ${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
else
if [ "\${USE_SYM_LINKS}" = yes ]
then
[ "$RCS_D" = yes ] && \\
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
[ "$RC1_D" = no ] || \\
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
else
[ "$RCS_D" = yes ] && \\
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
[ "$RC1_D" = no ] || \\
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
fi
fi
# If piddir doesn't exist we add it. (Ie. --with-pid-dir=/var/opt/ssh)
[ -d $piddir ] || installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR$piddir d 0755 root sys
_EOF
# local postinstall changes here
[ -s "${PKG_POSTINSTALL_LOCAL}" ] && . ${PKG_POSTINSTALL_LOCAL}
cat >> postinstall << _EOF
installf -f ${PKGNAME}
# Use chroot to handle PKG_INSTALL_ROOT
if [ ! -z "\${PKG_INSTALL_ROOT}" ]
then
chroot="chroot \${PKG_INSTALL_ROOT}"
fi
# If this is a test build, we will skip the groupadd/useradd/passwd commands
if [ ! -z "${TEST_DIR}" ]
then
chroot=echo
fi
echo "PrivilegeSeparation user always required."
if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
then
echo "PrivSep user $SSH_PRIVSEP_USER already exists."
SSH_PRIVSEP_GROUP=\`grep "^$SSH_PRIVSEP_USER:" \${PKG_INSTALL_ROOT}/etc/passwd | awk -F: '{print \$4}'\`
SSH_PRIVSEP_GROUP=\`grep ":\$SSH_PRIVSEP_GROUP:" \${PKG_INSTALL_ROOT}/etc/group | awk -F: '{print \$1}'\`
else
DO_PASSWD=yes
fi
[ -z "\$SSH_PRIVSEP_GROUP" ] && SSH_PRIVSEP_GROUP=$SSH_PRIVSEP_USER
# group required?
if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'\$SSH_PRIVSEP_GROUP'\$' >/dev/null
then
echo "PrivSep group \$SSH_PRIVSEP_GROUP already exists."
else
DO_GROUP=yes
fi
# create group if required
[ "\$DO_GROUP" = yes ] && {
# Use gid of 67 if possible
if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null
then
:
else
sshdgid="-g $SSHDGID"
fi
echo "Creating PrivSep group \$SSH_PRIVSEP_GROUP."
\$chroot ${PATH_GROUPADD_PROG} \$sshdgid \$SSH_PRIVSEP_GROUP
}
# Create user if required
[ "\$DO_PASSWD" = yes ] && {
# Use uid of 67 if possible
if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDUID'\$' >/dev/null
then
:
else
sshduid="-u $SSHDUID"
fi
echo "Creating PrivSep user $SSH_PRIVSEP_USER."
\$chroot ${PATH_USERADD_PROG} -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER
\$chroot ${PATH_PASSWD_PROG} -l $SSH_PRIVSEP_USER
}
if [ "\${POST_INS_START}" = "yes" ]
then
if [ $DO_SMF -eq 1 ]
then
svcadm enable $OPENSSH_FMRI
else
${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start
fi
fi
exit 0
_EOF
## Build preremove file
echo "Building preremove file..."
cat > preremove << _EOF
#! ${SCRIPT_SHELL}
#
if [ $DO_SMF -eq 1 ]
then
svcadm disable $OPENSSH_FMRI
else
${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
fi
_EOF
# local preremove changes here
[ -s "${PKG_PREREMOVE_LOCAL}" ] && . ${PKG_PREREMOVE_LOCAL}
cat >> preremove << _EOF
exit 0
_EOF
## Build postremove file
echo "Building postremove file..."
cat > postremove << _EOF
#! ${SCRIPT_SHELL}
#
if [ $DO_SMF -eq 1 ]
then
if svcs $OPENSSH_FMRI > /dev/null 2>&1
then
svccfg delete -f $OPENSSH_FMRI
fi
fi
_EOF
# local postremove changes here
[ -s "${PKG_POSTREMOVE_LOCAL}" ] && . ${PKG_POSTREMOVE_LOCAL}
cat >> postremove << _EOF
exit 0
_EOF
## Build request file
echo "Building request file..."
cat > request << _EOF
trap 'exit 3' 15
_EOF
[ -x /usr/bin/ckyorn ] || cat >> request << _EOF
ckyorn() {
# for some strange reason OpenServer5 has no ckyorn
# We build a striped down version here
DEFAULT=n
PROMPT="Yes or No [yes,no,?,quit]"
HELP_PROMPT=" Enter y or yes if your answer is yes; n or no if your answer is no."
USAGE="usage: ckyorn [options]
where options may include:
-d default
-h help
-p prompt
"
if [ \$# != 0 ]
then
while getopts d:p:h: c
do
case \$c in
h) HELP_PROMPT="\$OPTARG" ;;
d) DEFAULT=\$OPTARG ;;
p) PROMPT=\$OPTARG ;;
\\?) echo "\$USAGE" 1>&2
exit 1 ;;
esac
done
shift \`expr \$OPTIND - 1\`
fi
while true
do
echo "\${PROMPT}\\c " 1>&2
read key
[ -z "\$key" ] && key=\$DEFAULT
case \$key in
[n,N]|[n,N][o,O]|[y,Y]|[y,Y][e,E][s,S]) echo "\${key}\\c"
exit 0 ;;
\\?) echo \$HELP_PROMPT 1>&2 ;;
q|quit) echo "q\\c" 1>&2
exit 3 ;;
esac
done
}
_EOF
if [ $DO_SMF -eq 1 ]
then
# This could get hairy, as the running sshd may not be under SMF.
# We'll assume an earlier version of OpenSSH started via SMF.
cat >> request << _EOF
PRE_INS_STOP=no
POST_INS_START=no
# determine if should restart the daemon
if [ -s ${piddir}/sshd.pid ] && \\
/usr/bin/svcs -H $OPENSSH_FMRI 2>&1 | egrep "^online" > /dev/null 2>&1
then
ans=\`ckyorn -d n \\
-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
case \$ans in
[y,Y]*) PRE_INS_STOP=yes
POST_INS_START=yes
;;
esac
else
# determine if we should start sshd
ans=\`ckyorn -d n \\
-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
case \$ans in
[y,Y]*) POST_INS_START=yes ;;
esac
fi
# make parameters available to installation service,
# and so to any other packaging scripts
cat >\$1 <<!
PRE_INS_STOP='\$PRE_INS_STOP'
POST_INS_START='\$POST_INS_START'
!
_EOF
else
cat >> request << _EOF
USE_SYM_LINKS=no
PRE_INS_STOP=no
POST_INS_START=no
# Use symbolic links?
ans=\`ckyorn -d n \\
-p "Do you want symbolic links for the start/stop scripts? ${DEF_MSG}"\` || exit \$?
case \$ans in
[y,Y]*) USE_SYM_LINKS=yes ;;
esac
# determine if should restart the daemon
if [ -s ${piddir}/sshd.pid -a -f ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} ]
then
ans=\`ckyorn -d n \\
-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
case \$ans in
[y,Y]*) PRE_INS_STOP=yes
POST_INS_START=yes
;;
esac
else
# determine if we should start sshd
ans=\`ckyorn -d n \\
-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
case \$ans in
[y,Y]*) POST_INS_START=yes ;;
esac
fi
# make parameters available to installation service,
# and so to any other packaging scripts
cat >\$1 <<!
USE_SYM_LINKS='\$USE_SYM_LINKS'
PRE_INS_STOP='\$PRE_INS_STOP'
POST_INS_START='\$POST_INS_START'
!
_EOF
fi
# local request changes here
[ -s "${PKG_REQUEST_LOCAL}" ] && . ${PKG_REQUEST_LOCAL}
cat >> request << _EOF
exit 0
_EOF
## Next Build our prototype
echo "Building prototype file..."
cat >mk-proto.awk << _EOF
BEGIN { print "i pkginfo"; print "i depend"; \\
print "i preinstall"; print "i postinstall"; \\
print "i preremove"; print "i postremove"; \\
print "i request"; print "i space"; \\
split("$SYSTEM_DIR",sys_files); }
{
for (dir in sys_files) { if ( \$3 != sys_files[dir] )
{ if ( \$1 == "s" )
{ \$5=""; \$6=""; }
else
{ \$5="root"; \$6="sys"; }
}
else
{ \$4="?"; \$5="?"; \$6="?"; break;}
} }
{ print; }
_EOF
find . | egrep -v "prototype|pkginfo|mk-proto.awk" | sort | \
pkgproto $PROTO_ARGS | ${AWK} -f mk-proto.awk > prototype
# /usr/local is a symlink on some systems
[ "${USR_LOCAL_IS_SYMLINK}" = yes ] && {
grep -v "^d none /usr/local ? ? ?$" prototype > prototype.new
mv prototype.new prototype
}
## Step back a directory and now build the package.
cd ..
# local prototype tweeks here
[ -s "${POST_PROTOTYPE_EDITS}" ] && . ${POST_PROTOTYPE_EDITS}
echo "Building package.."
pkgmk -d ${FAKE_ROOT} -f $FAKE_ROOT/prototype -o
echo | pkgtrans -os ${FAKE_ROOT} ${START}/$PKGNAME-$VERSION$REV-$UNAME_S-$ARCH.pkg
;;
justpkg.sh)
rm -fr ${FAKE_ROOT}/${PKGNAME}
grep -v "^PSTAMP=" $FAKE_ROOT/pkginfo > $$tmp
mv $$tmp $FAKE_ROOT/pkginfo
cat >> $FAKE_ROOT/pkginfo << _EOF
PSTAMP="${UNAME_S} ${OS_VER} ${ARCH} `date '+%d%b%Y %H:%M'`"
_EOF
pkgmk -d ${FAKE_ROOT} -f $FAKE_ROOT/prototype -o
echo | pkgtrans -os ${FAKE_ROOT} ${START}/$PKGNAME-$VERSION$REV-$UNAME_S-$ARCH.pkg
;;
esac
[ "${REMOVE_FAKE_ROOT_WHEN_DONE}" = yes ] && rm -rf $FAKE_ROOT
exit 0

1793
crypto/openssh/config.sub vendored Executable file

File diff suppressed because it is too large Load Diff

18897
crypto/openssh/configure vendored Executable file

File diff suppressed because it is too large Load Diff

4669
crypto/openssh/configure.ac Normal file

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,17 @@
PKG_CONFIG = pkg-config
all:
@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
gnome-ssh-askpass1: gnome-ssh-askpass1.c
$(CC) `gnome-config --cflags gnome gnomeui` \
gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
`gnome-config --libs gnome gnomeui`
gnome-ssh-askpass2: gnome-ssh-askpass2.c
$(CC) `$(PKG_CONFIG) --cflags gtk+-2.0` \
gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
`$(PKG_CONFIG) --libs gtk+-2.0 x11`
clean:
rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass

View File

@ -0,0 +1,70 @@
Other patches and addons for OpenSSH. Please send submissions to
djm@mindrot.org
Externally maintained
---------------------
SSH Proxy Command -- connect.c
Shun-ichi GOTO <gotoh@imasy.or.jp> has written a very useful ProxyCommand
which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or
https CONNECT style proxy server. His page for connect.c has extensive
documentation on its use as well as compiled versions for Win32.
http://www.taiyo.co.jp/~gotoh/ssh/connect.html
X11 SSH Askpass:
Jim Knoble <jmknoble@pobox.com> has written an excellent X11
passphrase requester. This is highly recommended:
http://www.jmknoble.net/software/x11-ssh-askpass/
In this directory
-----------------
ssh-copy-id:
Phil Hands' <phil@hands.com> shell script to automate the process of adding
your public key to a remote machine's ~/.ssh/authorized_keys file.
gnome-ssh-askpass[12]:
A GNOME and Gtk2 passphrase requesters. Use "make gnome-ssh-askpass1" or
"make gnome-ssh-askpass2" to build.
sshd.pam.generic:
A generic PAM config file which may be useful on your system. YMMV
sshd.pam.freebsd:
A PAM config file which works with FreeBSD's PAM port. Contributed by
Dominik Brettnacher <domi@saargate.de>
findssl.sh:
Search for all instances of OpenSSL headers and libraries and print their
versions. This is intended to help diagnose OpenSSH's "OpenSSL headers do not
match your library" errors.
aix:
Files to build an AIX native (installp or SMIT installable) package.
caldera:
RPM spec file and scripts for building Caldera OpenLinuix packages
cygwin:
Support files for Cygwin
hpux:
Support files for HP-UX
redhat:
RPM spec file and scripts for building Redhat packages
suse:
RPM spec file and scripts for building SuSE packages

View File

@ -0,0 +1,50 @@
Overview:
This directory contains files to build an AIX native (installp or SMIT
installable) openssh package.
Directions:
(optional) create config.local in your build dir
./configure [options]
contrib/aix/buildbff.sh
The file config.local or the environment is read to set the following options
(default first):
PERMIT_ROOT_LOGIN=[no|yes]
X11_FORWARDING=[no|yes]
AIX_SRC=[no|yes]
Acknowledgements:
The contents of this directory are based on Ben Lindstrom's Solaris
buildpkg.sh. Ben also supplied inventory.sh.
Jim Abbey's (GPL'ed) lppbuild-2.1 was used to learn how to build .bff's
and for comparison with the output from this script, however no code
from lppbuild is included and it is not required for operation.
SRC support based on examples provided by Sandor Sklar and Maarten Kreuger.
PrivSep account handling fixes contributed by W. Earl Allen.
Other notes:
The script treats all packages as USR packages (not ROOT+USR when
appropriate). It seems to work, though......
If there are any patches to this that have not yet been integrated they
may be found at http://www.zip.com.au/~dtucker/openssh/.
Disclaimer:
It is hoped that it is useful but there is no warranty. If it breaks
you get to keep both pieces.
- Darren Tucker (dtucker at zip dot com dot au)
2002/03/01
$Id: README,v 1.4 2003/08/25 05:01:04 dtucker Exp $

View File

@ -0,0 +1,381 @@
#!/bin/sh
#
# buildbff.sh: Create AIX SMIT-installable OpenSSH packages
# $Id: buildbff.sh,v 1.13 2011/05/05 03:48:41 djm Exp $
#
# Author: Darren Tucker (dtucker at zip dot com dot au)
# This file is placed in the public domain and comes with absolutely
# no warranty.
#
# Based originally on Ben Lindstrom's buildpkg.sh for Solaris
#
#
# Tunable configuration settings
# create a "config.local" in your build directory or set
# environment variables to override these.
#
[ -z "$PERMIT_ROOT_LOGIN" ] && PERMIT_ROOT_LOGIN=no
[ -z "$X11_FORWARDING" ] && X11_FORWARDING=no
[ -z "$AIX_SRC" ] && AIX_SRC=no
umask 022
startdir=`pwd`
perl -v >/dev/null || (echo perl required; exit 1)
# Path to inventory.sh: same place as buildbff.sh
if echo $0 | egrep '^/'
then
inventory=`dirname $0`/inventory.sh # absolute path
else
inventory=`pwd`/`dirname $0`/inventory.sh # relative path
fi
#
# We still support running from contrib/aix, but this is deprecated
#
if pwd | egrep 'contrib/aix$'
then
echo "Changing directory to `pwd`/../.."
echo "Please run buildbff.sh from your build directory in future."
cd ../..
contribaix=1
fi
if [ ! -f Makefile ]
then
echo "Makefile not found (did you run configure?)"
exit 1
fi
#
# Directories used during build:
# current dir = $objdir directory you ran ./configure in.
# $objdir/$PKGDIR/ directory package files are constructed in
# $objdir/$PKGDIR/root/ package root ($FAKE_ROOT)
#
objdir=`pwd`
PKGNAME=openssh
PKGDIR=package
#
# Collect local configuration settings to override defaults
#
if [ -s ./config.local ]
then
echo Reading local settings from config.local
. ./config.local
fi
#
# Fill in some details from Makefile, like prefix and sysconfdir
# the eval also expands variables like sysconfdir=${prefix}/etc
# provided they are eval'ed in the correct order
#
for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir mansubdir sysconfdir piddir srcdir
do
eval $confvar=`grep "^$confvar=" $objdir/Makefile | cut -d = -f 2`
done
#
# Collect values of privsep user and privsep path
# currently only found in config.h
#
for confvar in SSH_PRIVSEP_USER PRIVSEP_PATH
do
eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' $objdir/config.h`
done
# Set privsep defaults if not defined
if [ -z "$SSH_PRIVSEP_USER" ]
then
SSH_PRIVSEP_USER=sshd
fi
if [ -z "$PRIVSEP_PATH" ]
then
PRIVSEP_PATH=/var/empty
fi
# Clean package build directory
rm -rf $objdir/$PKGDIR
FAKE_ROOT=$objdir/$PKGDIR/root
mkdir -p $FAKE_ROOT
# Start by faking root install
echo "Faking root install..."
cd $objdir
make install-nokeys DESTDIR=$FAKE_ROOT
if [ $? -gt 0 ]
then
echo "Fake root install failed, stopping."
exit 1
fi
#
# Copy informational files to include in package
#
cp $srcdir/LICENCE $objdir/$PKGDIR/
cp $srcdir/README* $objdir/$PKGDIR/
#
# Extract common info requires for the 'info' part of the package.
# AIX requires 4-part version numbers
#
VERSION=`./ssh -V 2>&1 | cut -f 1 -d , | cut -f 2 -d _`
MAJOR=`echo $VERSION | cut -f 1 -d p | cut -f 1 -d .`
MINOR=`echo $VERSION | cut -f 1 -d p | cut -f 2 -d .`
PATCH=`echo $VERSION | cut -f 1 -d p | cut -f 3 -d .`
PORTABLE=`echo $VERSION | awk 'BEGIN{FS="p"}{print $2}'`
[ "$PATCH" = "" ] && PATCH=0
[ "$PORTABLE" = "" ] && PORTABLE=0
BFFVERSION=`printf "%d.%d.%d.%d" $MAJOR $MINOR $PATCH $PORTABLE`
echo "Building BFF for $PKGNAME $VERSION (package version $BFFVERSION)"
#
# Set ssh and sshd parameters as per config.local
#
if [ "${PERMIT_ROOT_LOGIN}" = no ]
then
perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
$FAKE_ROOT/${sysconfdir}/sshd_config
fi
if [ "${X11_FORWARDING}" = yes ]
then
perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
$FAKE_ROOT/${sysconfdir}/sshd_config
fi
# Rename config files; postinstall script will copy them if necessary
for cfgfile in ssh_config sshd_config
do
mv $FAKE_ROOT/$sysconfdir/$cfgfile $FAKE_ROOT/$sysconfdir/$cfgfile.default
done
#
# Generate lpp control files.
# working dir is $FAKE_ROOT but files are generated in dir above
# and moved into place just before creation of .bff
#
cd $FAKE_ROOT
echo Generating LPP control files
find . ! -name . -print >../openssh.al
$inventory >../openssh.inventory
cat <<EOD >../openssh.copyright
This software is distributed under a BSD-style license.
For the full text of the license, see /usr/lpp/openssh/LICENCE
EOD
#
# openssh.size file allows filesystem expansion as required
# generate list of directories containing files
# then calculate disk usage for each directory and store in openssh.size
#
files=`find . -type f -print`
dirs=`for file in $files; do dirname $file; done | sort -u`
for dir in $dirs
do
du $dir
done > ../openssh.size
#
# Create postinstall script
#
cat <<EOF >>../openssh.post_i
#!/bin/sh
echo Creating configs from defaults if necessary.
for cfgfile in ssh_config sshd_config
do
if [ ! -f $sysconfdir/\$cfgfile ]
then
echo "Creating \$cfgfile from default"
cp $sysconfdir/\$cfgfile.default $sysconfdir/\$cfgfile
else
echo "\$cfgfile already exists."
fi
done
echo
# Create PrivilegeSeparation user and group if not present
echo Checking for PrivilegeSeparation user and group.
if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
then
echo "PrivSep group $SSH_PRIVSEP_USER already exists."
else
echo "Creating PrivSep group $SSH_PRIVSEP_USER."
mkgroup -A $SSH_PRIVSEP_USER
fi
# Create user if required
if lsuser "$SSH_PRIVSEP_USER" >/dev/null
then
echo "PrivSep user $SSH_PRIVSEP_USER already exists."
else
echo "Creating PrivSep user $SSH_PRIVSEP_USER."
mkuser gecos='SSHD PrivSep User' login=false rlogin=false account_locked=true pgrp=$SSH_PRIVSEP_USER $SSH_PRIVSEP_USER
fi
if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null
then
echo UsePrivilegeSeparation not enabled, privsep directory not required.
else
# create chroot directory if required
if [ -d $PRIVSEP_PATH ]
then
echo "PrivSep chroot directory $PRIVSEP_PATH already exists."
else
echo "Creating PrivSep chroot directory $PRIVSEP_PATH."
mkdir $PRIVSEP_PATH
chown 0 $PRIVSEP_PATH
chgrp 0 $PRIVSEP_PATH
chmod 755 $PRIVSEP_PATH
fi
fi
echo
# Generate keys unless they already exist
echo Creating host keys if required.
if [ -f "$sysconfdir/ssh_host_key" ] ; then
echo "$sysconfdir/ssh_host_key already exists, skipping."
else
$bindir/ssh-keygen -t rsa1 -f $sysconfdir/ssh_host_key -N ""
fi
if [ -f $sysconfdir/ssh_host_dsa_key ] ; then
echo "$sysconfdir/ssh_host_dsa_key already exists, skipping."
else
$bindir/ssh-keygen -t dsa -f $sysconfdir/ssh_host_dsa_key -N ""
fi
if [ -f $sysconfdir/ssh_host_rsa_key ] ; then
echo "$sysconfdir/ssh_host_rsa_key already exists, skipping."
else
$bindir/ssh-keygen -t rsa -f $sysconfdir/ssh_host_rsa_key -N ""
fi
echo
# Set startup command depending on SRC support
if [ "$AIX_SRC" = "yes" ]
then
echo Creating SRC sshd subsystem.
rmssys -s sshd 2>&1 >/dev/null
mkssys -s sshd -p "$sbindir/sshd" -a '-D' -u 0 -S -n 15 -f 9 -R -G tcpip
startupcmd="start $sbindir/sshd \\\"\\\$src_running\\\""
oldstartcmd="$sbindir/sshd"
else
startupcmd="$sbindir/sshd"
oldstartcmd="start $sbindir/sshd \\\"$src_running\\\""
fi
# If migrating to or from SRC, change previous startup command
# otherwise add to rc.tcpip
if egrep "^\$oldstartcmd" /etc/rc.tcpip >/dev/null
then
if sed "s|^\$oldstartcmd|\$startupcmd|g" /etc/rc.tcpip >/etc/rc.tcpip.new
then
chmod 0755 /etc/rc.tcpip.new
mv /etc/rc.tcpip /etc/rc.tcpip.old && \
mv /etc/rc.tcpip.new /etc/rc.tcpip
else
echo "Updating /etc/rc.tcpip failed, please check."
fi
else
# Add to system startup if required
if grep "^\$startupcmd" /etc/rc.tcpip >/dev/null
then
echo "sshd found in rc.tcpip, not adding."
else
echo "Adding sshd to rc.tcpip"
echo >>/etc/rc.tcpip
echo "# Start sshd" >>/etc/rc.tcpip
echo "\$startupcmd" >>/etc/rc.tcpip
fi
fi
EOF
#
# Create liblpp.a and move control files into it
#
echo Creating liblpp.a
(
cd ..
for i in openssh.al openssh.copyright openssh.inventory openssh.post_i openssh.size LICENCE README*
do
ar -r liblpp.a $i
rm $i
done
)
#
# Create lpp_name
#
# This will end up looking something like:
# 4 R I OpenSSH {
# OpenSSH 3.0.2.1 1 N U en_US OpenSSH 3.0.2p1 Portable for AIX
# [
# %
# /usr/local/bin 8073
# /usr/local/etc 189
# /usr/local/libexec 185
# /usr/local/man/man1 145
# /usr/local/man/man8 83
# /usr/local/sbin 2105
# /usr/local/share 3
# %
# ]
# }
echo Creating lpp_name
cat <<EOF >../lpp_name
4 R I $PKGNAME {
$PKGNAME $BFFVERSION 1 N U en_US OpenSSH $VERSION Portable for AIX
[
%
EOF
for i in $bindir $sysconfdir $libexecdir $mandir/${mansubdir}1 $mandir/${mansubdir}8 $sbindir $datadir /usr/lpp/openssh
do
# get size in 512 byte blocks
if [ -d $FAKE_ROOT/$i ]
then
size=`du $FAKE_ROOT/$i | awk '{print $1}'`
echo "$i $size" >>../lpp_name
fi
done
echo '%' >>../lpp_name
echo ']' >>../lpp_name
echo '}' >>../lpp_name
#
# Move pieces into place
#
mkdir -p usr/lpp/openssh
mv ../liblpp.a usr/lpp/openssh
mv ../lpp_name .
#
# Now invoke backup to create .bff file
# note: lpp_name needs to be the first file so we generate the
# file list on the fly and feed it to backup using -i
#
echo Creating $PKGNAME-$VERSION.bff with backup...
rm -f $PKGNAME-$VERSION.bff
(
echo "./lpp_name"
find . ! -name lpp_name -a ! -name . -print
) | backup -i -q -f ../$PKGNAME-$VERSION.bff $filelist
#
# Move package into final location and clean up
#
mv ../$PKGNAME-$VERSION.bff $startdir
cd $startdir
rm -rf $objdir/$PKGDIR
echo $0: done.

View File

@ -0,0 +1,63 @@
#!/bin/sh
#
# inventory.sh
# $Id: inventory.sh,v 1.6 2003/11/21 12:48:56 djm Exp $
#
# Originally written by Ben Lindstrom, modified by Darren Tucker to use perl
# This file is placed into the public domain.
#
# This will produce an AIX package inventory file, which looks like:
#
# /usr/local/bin:
# class=apply,inventory,openssh
# owner=root
# group=system
# mode=755
# type=DIRECTORY
# /usr/local/bin/slogin:
# class=apply,inventory,openssh
# owner=root
# group=system
# mode=777
# type=SYMLINK
# target=ssh
# /usr/local/share/Ssh.bin:
# class=apply,inventory,openssh
# owner=root
# group=system
# mode=644
# type=FILE
# size=VOLATILE
# checksum=VOLATILE
find . ! -name . -print | perl -ne '{
chomp;
if ( -l $_ ) {
($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=lstat;
} else {
($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=stat;
}
# Start to display inventory information
$name = $_;
$name =~ s|^.||; # Strip leading dot from path
print "$name:\n";
print "\tclass=apply,inventory,openssh\n";
print "\towner=root\n";
print "\tgroup=system\n";
printf "\tmode=%lo\n", $mod & 07777; # Mask perm bits
if ( -l $_ ) {
# Entry is SymLink
print "\ttype=SYMLINK\n";
printf "\ttarget=%s\n", readlink($_);
} elsif ( -f $_ ) {
# Entry is File
print "\ttype=FILE\n";
print "\tsize=$sz\n";
print "\tchecksum=VOLATILE\n";
} elsif ( -d $_ ) {
# Entry is Directory
print "\ttype=DIRECTORY\n";
}
}'

View File

@ -0,0 +1,20 @@
#
# PAM configuration file /etc/pam.conf
# Example for OpenSSH on AIX 5.2
#
# Authentication Management
sshd auth required /usr/lib/security/pam_aix
OTHER auth required /usr/lib/security/pam_aix
# Account Management
sshd account required /usr/lib/security/pam_aix
OTHER account required /usr/lib/security/pam_aix
# Password Management
sshd password required /usr/lib/security/pam_aix
OTHER password required /usr/lib/security/pam_aix
# Session Management
sshd session required /usr/lib/security/pam_aix
OTHER session required /usr/lib/security/pam_aix

View File

@ -0,0 +1,366 @@
# Some of this will need re-evaluation post-LSB. The SVIdir is there
# because the link appeared broken. The rest is for easy compilation,
# the tradeoff open to discussion. (LC957)
%define SVIdir /etc/rc.d/init.d
%{!?_defaultdocdir:%define _defaultdocdir %{_prefix}/share/doc/packages}
%{!?SVIcdir:%define SVIcdir /etc/sysconfig/daemons}
%define _mandir %{_prefix}/share/man/en
%define _sysconfdir /etc/ssh
%define _libexecdir %{_libdir}/ssh
# Do we want to disable root_login? (1=yes 0=no)
%define no_root_login 0
#old cvs stuff. please update before use. may be deprecated.
%define use_stable 1
%define version 6.3p1
%if %{use_stable}
%define cvs %{nil}
%define release 1
%else
%define cvs cvs20050315
%define release 0r1
%endif
%define xsa x11-ssh-askpass
%define askpass %{xsa}-1.2.4.1
# OpenSSH privilege separation requires a user & group ID
%define sshd_uid 67
%define sshd_gid 67
Name : openssh
Version : %{version}%{cvs}
Release : %{release}
Group : System/Network
Summary : OpenSSH free Secure Shell (SSH) implementation.
Summary(de) : OpenSSH - freie Implementation der Secure Shell (SSH).
Summary(es) : OpenSSH implementación libre de Secure Shell (SSH).
Summary(fr) : Implémentation libre du shell sécurisé OpenSSH (SSH).
Summary(it) : Implementazione gratuita OpenSSH della Secure Shell.
Summary(pt) : Implementação livre OpenSSH do protocolo 'Secure Shell' (SSH).
Summary(pt_BR) : Implementação livre OpenSSH do protocolo Secure Shell (SSH).
Copyright : BSD
Packager : Raymund Will <ray@caldera.de>
URL : http://www.openssh.com/
Obsoletes : ssh, ssh-clients, openssh-clients
BuildRoot : /tmp/%{name}-%{version}
BuildRequires : XFree86-imake
# %{use_stable}==1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
# %{use_stable}==0: :pserver:cvs@bass.directhit.com:/cvs/openssh_cvs
Source0: see-above:/.../openssh-%{version}.tar.gz
%if %{use_stable}
Source1: see-above:/.../openssh-%{version}.tar.gz.asc
%endif
Source2: http://www.jmknoble.net/software/%{xsa}/%{askpass}.tar.gz
Source3: http://www.openssh.com/faq.html
%Package server
Group : System/Network
Requires : openssh = %{version}
Obsoletes : ssh-server
Summary : OpenSSH Secure Shell protocol server (sshd).
Summary(de) : OpenSSH Secure Shell Protocol-Server (sshd).
Summary(es) : Servidor del protocolo OpenSSH Secure Shell (sshd).
Summary(fr) : Serveur de protocole du shell sécurisé OpenSSH (sshd).
Summary(it) : Server OpenSSH per il protocollo Secure Shell (sshd).
Summary(pt) : Servidor do protocolo 'Secure Shell' OpenSSH (sshd).
Summary(pt_BR) : Servidor do protocolo Secure Shell OpenSSH (sshd).
%Package askpass
Group : System/Network
Requires : openssh = %{version}
URL : http://www.jmknoble.net/software/x11-ssh-askpass/
Obsoletes : ssh-extras
Summary : OpenSSH X11 pass-phrase dialog.
Summary(de) : OpenSSH X11 Passwort-Dialog.
Summary(es) : Aplicación de petición de frase clave OpenSSH X11.
Summary(fr) : Dialogue pass-phrase X11 d'OpenSSH.
Summary(it) : Finestra di dialogo X11 per la frase segreta di OpenSSH.
Summary(pt) : Diálogo de pedido de senha para X11 do OpenSSH.
Summary(pt_BR) : Diálogo de pedido de senha para X11 do OpenSSH.
%Description
OpenSSH (Secure Shell) provides access to a remote system. It replaces
telnet, rlogin, rexec, and rsh, and provides secure encrypted
communications between two untrusted hosts over an insecure network.
X11 connections and arbitrary TCP/IP ports can also be forwarded over
the secure channel.
%Description -l de
OpenSSH (Secure Shell) stellt den Zugang zu anderen Rechnern her. Es ersetzt
telnet, rlogin, rexec und rsh und stellt eine sichere, verschlüsselte
Verbindung zwischen zwei nicht vertrauenswürdigen Hosts über eine unsicheres
Netzwerk her. X11 Verbindungen und beliebige andere TCP/IP Ports können ebenso
über den sicheren Channel weitergeleitet werden.
%Description -l es
OpenSSH (Secure Shell) proporciona acceso a sistemas remotos. Reemplaza a
telnet, rlogin, rexec, y rsh, y proporciona comunicaciones seguras encriptadas
entre dos equipos entre los que no se ha establecido confianza a través de una
red insegura. Las conexiones X11 y puertos TCP/IP arbitrarios también pueden
ser canalizadas sobre el canal seguro.
%Description -l fr
OpenSSH (Secure Shell) fournit un accès à un système distant. Il remplace
telnet, rlogin, rexec et rsh, tout en assurant des communications cryptées
securisées entre deux hôtes non fiabilisés sur un réseau non sécurisé. Des
connexions X11 et des ports TCP/IP arbitraires peuvent également être
transmis sur le canal sécurisé.
%Description -l it
OpenSSH (Secure Shell) fornisce l'accesso ad un sistema remoto.
Sostituisce telnet, rlogin, rexec, e rsh, e fornisce comunicazioni sicure
e crittate tra due host non fidati su una rete non sicura. Le connessioni
X11 ad una porta TCP/IP arbitraria possono essere inoltrate attraverso
un canale sicuro.
%Description -l pt
OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o
telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e cifradas
entre duas máquinas sem confiança mútua sobre uma rede insegura.
Ligações X11 e portos TCP/IP arbitrários também poder ser reenviados
pelo canal seguro.
%Description -l pt_BR
O OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o
telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e criptografadas
entre duas máquinas sem confiança mútua sobre uma rede insegura.
Ligações X11 e portas TCP/IP arbitrárias também podem ser reenviadas
pelo canal seguro.
%Description server
This package installs the sshd, the server portion of OpenSSH.
%Description -l de server
Dieses Paket installiert den sshd, den Server-Teil der OpenSSH.
%Description -l es server
Este paquete instala sshd, la parte servidor de OpenSSH.
%Description -l fr server
Ce paquetage installe le 'sshd', partie serveur de OpenSSH.
%Description -l it server
Questo pacchetto installa sshd, il server di OpenSSH.
%Description -l pt server
Este pacote intala o sshd, o servidor do OpenSSH.
%Description -l pt_BR server
Este pacote intala o sshd, o servidor do OpenSSH.
%Description askpass
This package contains an X11-based pass-phrase dialog used per
default by ssh-add(1). It is based on %{askpass}
by Jim Knoble <jmknoble@pobox.com>.
%Prep
%setup %([ -z "%{cvs}" ] || echo "-n %{name}_cvs") -a2
%if ! %{use_stable}
autoreconf
%endif
%Build
CFLAGS="$RPM_OPT_FLAGS" \
%configure \
--with-pam \
--with-tcp-wrappers \
--with-privsep-path=%{_var}/empty/sshd \
#leave this line for easy edits.
%__make
cd %{askpass}
%configure \
#leave this line for easy edits.
xmkmf
%__make includes
%__make
%Install
[ %{buildroot} != "/" ] && rm -rf %{buildroot}
make install DESTDIR=%{buildroot}
%makeinstall -C %{askpass} \
BINDIR=%{_libexecdir} \
MANPATH=%{_mandir} \
DESTDIR=%{buildroot}
# OpenLinux specific configuration
mkdir -p %{buildroot}{/etc/pam.d,%{SVIcdir},%{SVIdir}}
mkdir -p %{buildroot}%{_var}/empty/sshd
# enabling X11 forwarding on the server is convenient and okay,
# on the client side it's a potential security risk!
%__perl -pi -e 's:#X11Forwarding no:X11Forwarding yes:g' \
%{buildroot}%{_sysconfdir}/sshd_config
%if %{no_root_login}
%__perl -pi -e 's:#PermitRootLogin yes:PermitRootLogin no:g' \
%{buildroot}%{_sysconfdir}/sshd_config
%endif
install -m644 contrib/caldera/sshd.pam %{buildroot}/etc/pam.d/sshd
# FIXME: disabled, find out why this doesn't work with nis
%__perl -pi -e 's:(.*pam_limits.*):#$1:' \
%{buildroot}/etc/pam.d/sshd
install -m 0755 contrib/caldera/sshd.init %{buildroot}%{SVIdir}/sshd
# the last one is needless, but more future-proof
find %{buildroot}%{SVIdir} -type f -exec \
%__perl -pi -e 's:\@SVIdir\@:%{SVIdir}:g;\
s:\@sysconfdir\@:%{_sysconfdir}:g; \
s:/usr/sbin:%{_sbindir}:g'\
\{\} \;
cat <<-EoD > %{buildroot}%{SVIcdir}/sshd
IDENT=sshd
DESCRIPTIVE="OpenSSH secure shell daemon"
# This service will be marked as 'skipped' on boot if there
# is no host key. Use ssh-host-keygen to generate one
ONBOOT="yes"
OPTIONS=""
EoD
SKG=%{buildroot}%{_sbindir}/ssh-host-keygen
install -m 0755 contrib/caldera/ssh-host-keygen $SKG
# Fix up some path names in the keygen toy^Hol
%__perl -pi -e 's:\@sysconfdir\@:%{_sysconfdir}:g; \
s:\@sshkeygen\@:%{_bindir}/ssh-keygen:g' \
%{buildroot}%{_sbindir}/ssh-host-keygen
# This looks terrible. Expect it to change.
# install remaining docs
DocD="%{buildroot}%{_defaultdocdir}/%{name}-%{version}"
mkdir -p $DocD/%{askpass}
cp -a CREDITS ChangeLog LICENCE OVERVIEW README* TODO PROTOCOL* $DocD
install -p -m 0444 %{SOURCE3} $DocD/faq.html
cp -a %{askpass}/{README,ChangeLog,TODO,SshAskpass*.ad} $DocD/%{askpass}
%if %{use_stable}
cp -p %{askpass}/%{xsa}.man $DocD/%{askpass}/%{xsa}.1
%else
cp -p %{askpass}/%{xsa}.man %{buildroot}%{_mandir}man1/%{xsa}.1
ln -s %{xsa}.1 %{buildroot}%{_mandir}man1/ssh-askpass.1
%endif
find %{buildroot}%{_mandir} -type f -not -name '*.gz' -print0 | xargs -0r %__gzip -9nf
rm %{buildroot}%{_mandir}/man1/slogin.1 && \
ln -s %{_mandir}/man1/ssh.1.gz \
%{buildroot}%{_mandir}/man1/slogin.1.gz
%Clean
#%{rmDESTDIR}
[ %{buildroot} != "/" ] && rm -rf %{buildroot}
%Post
# Generate host key when none is present to get up and running,
# both client and server require this for host-based auth!
# ssh-host-keygen checks for existing keys.
/usr/sbin/ssh-host-keygen
: # to protect the rpm database
%pre server
%{_sbindir}/groupadd -g %{sshd_gid} sshd 2>/dev/null || :
%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
-c "SSH Daemon virtual user" -g sshd sshd 2>/dev/null || :
: # to protect the rpm database
%Post server
if [ -x %{LSBinit}-install ]; then
%{LSBinit}-install sshd
else
lisa --SysV-init install sshd S55 2:3:4:5 K45 0:1:6
fi
! %{SVIdir}/sshd status || %{SVIdir}/sshd restart
: # to protect the rpm database
%PreUn server
[ "$1" = 0 ] || exit 0
! %{SVIdir}/sshd status || %{SVIdir}/sshd stop
if [ -x %{LSBinit}-remove ]; then
%{LSBinit}-remove sshd
else
lisa --SysV-init remove sshd $1
fi
: # to protect the rpm database
%Files
%defattr(-,root,root)
%dir %{_sysconfdir}
%config %{_sysconfdir}/ssh_config
%{_bindir}/scp
%{_bindir}/sftp
%{_bindir}/ssh
%{_bindir}/slogin
%{_bindir}/ssh-add
%attr(2755,root,nobody) %{_bindir}/ssh-agent
%{_bindir}/ssh-keygen
%{_bindir}/ssh-keyscan
%dir %{_libexecdir}
%attr(4711,root,root) %{_libexecdir}/ssh-keysign
%{_libexecdir}/ssh-pkcs11-helper
%{_sbindir}/ssh-host-keygen
%dir %{_defaultdocdir}/%{name}-%{version}
%{_defaultdocdir}/%{name}-%{version}/CREDITS
%{_defaultdocdir}/%{name}-%{version}/ChangeLog
%{_defaultdocdir}/%{name}-%{version}/LICENCE
%{_defaultdocdir}/%{name}-%{version}/OVERVIEW
%{_defaultdocdir}/%{name}-%{version}/README*
%{_defaultdocdir}/%{name}-%{version}/TODO
%{_defaultdocdir}/%{name}-%{version}/faq.html
%{_mandir}/man1/*
%{_mandir}/man8/ssh-keysign.8.gz
%{_mandir}/man8/ssh-pkcs11-helper.8.gz
%{_mandir}/man5/ssh_config.5.gz
%Files server
%defattr(-,root,root)
%dir %{_var}/empty/sshd
%config %{SVIdir}/sshd
%config /etc/pam.d/sshd
%config %{_sysconfdir}/moduli
%config %{_sysconfdir}/sshd_config
%config %{SVIcdir}/sshd
%{_libexecdir}/sftp-server
%{_sbindir}/sshd
%{_mandir}/man5/moduli.5.gz
%{_mandir}/man5/sshd_config.5.gz
%{_mandir}/man8/sftp-server.8.gz
%{_mandir}/man8/sshd.8.gz
%Files askpass
%defattr(-,root,root)
%{_libexecdir}/ssh-askpass
%{_libexecdir}/x11-ssh-askpass
%{_defaultdocdir}/%{name}-%{version}/%{askpass}
%ChangeLog
* Tue Jan 18 2011 Tim Rice <tim@multitalents.net>
- Use CFLAGS from Makefile instead of RPM so build completes.
- Signatures were changed to .asc since 4.1p1.
* Mon Jan 01 1998 ...
Template Version: 1.31
$Id: openssh.spec,v 1.80 2013/07/25 02:34:00 djm Exp $

View File

@ -0,0 +1,36 @@
#! /bin/sh
#
# $Id: ssh-host-keygen,v 1.3 2008/11/03 09:16:01 djm Exp $
#
# This script is normally run only *once* for a given host
# (in a given period of time) -- on updates/upgrades/recovery
# the ssh_host_key* files _should_ be retained! Otherwise false
# "man-in-the-middle-attack" alerts will frighten unsuspecting
# clients...
keydir=@sysconfdir@
keygen=@sshkeygen@
if [ -f $keydir/ssh_host_key -o \
-f $keydir/ssh_host_key.pub ]; then
echo "You already have an SSH1 RSA host key in $keydir/ssh_host_key."
else
echo "Generating SSH1 RSA host key."
$keygen -t rsa1 -f $keydir/ssh_host_key -C '' -N ''
fi
if [ -f $keydir/ssh_host_rsa_key -o \
-f $keydir/ssh_host_rsa_key.pub ]; then
echo "You already have an SSH2 RSA host key in $keydir/ssh_host_rsa_key."
else
echo "Generating SSH2 RSA host key."
$keygen -t rsa -f $keydir/ssh_host_rsa_key -C '' -N ''
fi
if [ -f $keydir/ssh_host_dsa_key -o \
-f $keydir/ssh_host_dsa_key.pub ]; then
echo "You already have an SSH2 DSA host key in $keydir/ssh_host_dsa_key."
else
echo "Generating SSH2 DSA host key."
$keygen -t dsa -f $keydir/ssh_host_dsa_key -C '' -N ''
fi

View File

@ -0,0 +1,125 @@
#! /bin/bash
#
# $Id: sshd.init,v 1.4 2003/11/21 12:48:57 djm Exp $
#
### BEGIN INIT INFO
# Provides:
# Required-Start: $network
# Required-Stop:
# Default-Start: 3 4 5
# Default-Stop: 0 1 2 6
# Description: sshd
# Bring up/down the OpenSSH secure shell daemon.
### END INIT INFO
#
# Written by Miquel van Smoorenburg <miquels@drinkel.ow.org>.
# Modified for Debian GNU/Linux by Ian Murdock <imurdock@gnu.ai.mit.edu>.
# Modified for OpenLinux by Raymund Will <ray@caldera.de>
NAME=sshd
DAEMON=/usr/sbin/$NAME
# Hack-Alert(TM)! This is necessary to get around the 'reload'-problem
# created by recent OpenSSH daemon/ssd combinations. See Caldera internal
# PR [linux/8278] for details...
PIDF=/var/run/$NAME.pid
NAME=$DAEMON
_status() {
[ -z "$1" ] || local pidf="$1"
local ret=-1
local pid
if [ -n "$pidf" ] && [ -r "$pidf" ]; then
pid=$(head -1 $pidf)
else
pid=$(pidof $NAME)
fi
if [ ! -e $SVIlock ]; then
# no lock-file => not started == stopped?
ret=3
elif [ -n "$pidf" -a ! -f "$pidf" ] || [ -z "$pid" ]; then
# pid-file given but not present or no pid => died, but was not stopped
ret=2
elif [ -r /proc/$pid/cmdline ] &&
echo -ne $NAME'\000' | cmp -s - /proc/$pid/cmdline; then
# pid-file given and present or pid found => check process...
# but don't compare exe, as this will fail after an update!
# compares OK => all's well, that ends well...
ret=0
else
# no such process or exe does not match => stale pid-file or process died
# just recently...
ret=1
fi
return $ret
}
# Source function library (and set vital variables).
. @SVIdir@/functions
case "$1" in
start)
[ ! -e $SVIlock ] || exit 0
[ -x $DAEMON ] || exit 5
SVIemptyConfig @sysconfdir@/sshd_config && exit 6
if [ ! \( -f @sysconfdir@/ssh_host_key -a \
-f @sysconfdir@/ssh_host_key.pub \) -a \
! \( -f @sysconfdir@/ssh_host_rsa_key -a \
-f @sysconfdir@/ssh_host_rsa_key.pub \) -a \
! \( -f @sysconfdir@/ssh_host_dsa_key -a \
-f @sysconfdir@/ssh_host_dsa_key.pub \) ]; then
echo "$SVIsubsys: host key not initialized: skipped!"
echo "$SVIsubsys: use ssh-host-keygen to generate one!"
exit 6
fi
echo -n "Starting $SVIsubsys services: "
ssd -S -x $DAEMON -n $NAME -- $OPTIONS
ret=$?
echo "."
touch $SVIlock
;;
stop)
[ -e $SVIlock ] || exit 0
echo -n "Stopping $SVIsubsys services: "
ssd -K -p $PIDF -n $NAME
ret=$?
echo "."
rm -f $SVIlock
;;
force-reload|reload)
[ -e $SVIlock ] || exit 0
echo "Reloading $SVIsubsys configuration files: "
ssd -K --signal 1 -q -p $PIDF -n $NAME
ret=$?
echo "done."
;;
restart)
$0 stop
$0 start
ret=$?
;;
status)
_status $PIDF
ret=$?
;;
*)
echo "Usage: $SVIscript {[re]start|stop|[force-]reload|status}"
ret=2
;;
esac
exit $ret

View File

@ -0,0 +1,8 @@
#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nodelay
account required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session required /lib/security/pam_pwdb.so
session required /lib/security/pam_limits.so

View File

@ -0,0 +1,77 @@
srcdir=../..
copyidsrcdir=..
prefix=/usr
exec_prefix=$(prefix)
bindir=$(prefix)/bin
datadir=$(prefix)/share
mandir=$(datadir)/man
docdir=$(datadir)/doc
sshdocdir=$(docdir)/openssh
cygdocdir=$(docdir)/Cygwin
sysconfdir=/etc
defaultsdir=$(sysconfdir)/defaults/etc
inetdefdir=$(defaultsdir)/inetd.d
PRIVSEP_PATH=/var/empty
INSTALL=/usr/bin/install -c
DESTDIR=
all:
@echo
@echo "Use \`make cygwin-postinstall DESTDIR=[package directory]'"
@echo "Be sure having DESTDIR set correctly!"
@echo
move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/sshd_config
$(srcdir)/mkinstalldirs $(DESTDIR)$(defaultsdir)
mv $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(defaultsdir)
mv $(DESTDIR)$(sysconfdir)/sshd_config $(DESTDIR)$(defaultsdir)
remove-empty-dir:
rm -rf $(DESTDIR)$(PRIVSEP_PATH)
install-inetd-config:
$(srcdir)/mkinstalldirs $(DESTDIR)$(inetdefdir)
$(INSTALL) -m 644 sshd-inetd $(DESTDIR)$(inetdefdir)/sshd-inetd
install-sshdoc:
$(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir)
-$(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS
-$(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog
-$(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE
-$(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
-$(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL
-$(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent
-$(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.certkeys
-$(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.mux
-$(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
-$(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
-$(INSTALL) -m 644 $(srcdir)/README.platform $(DESTDIR)$(sshdocdir)/README.platform
-$(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
-$(INSTALL) -m 644 $(srcdir)/README.tun $(DESTDIR)$(sshdocdir)/README.tun
-$(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
install-cygwindoc: README
$(srcdir)/mkinstalldirs $(DESTDIR)$(cygdocdir)
$(INSTALL) -m 644 README $(DESTDIR)$(cygdocdir)/openssh.README
install-doc: install-sshdoc install-cygwindoc
install-scripts: ssh-host-config ssh-user-config
$(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
$(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config
$(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config
install-copy-id: $(copyidsrcdir)/ssh-copy-id $(copyidsrcdir)/ssh-copy-id.1
$(INSTALL) -m 755 $(copyidsrcdir)/ssh-copy-id $(DESTDIR)$(bindir)/ssh-copy-id
$(INSTALL) -m 644 $(copyidsrcdir)/ssh-copy-id.1 $(DESTDIR)$(mandir)/man1/ssh-copy-id.1
gzip-man-pages:
rm $(DESTDIR)$(mandir)/man1/slogin.1
gzip $(DESTDIR)$(mandir)/man1/*.1
gzip $(DESTDIR)$(mandir)/man5/*.5
gzip $(DESTDIR)$(mandir)/man8/*.8
cd $(DESTDIR)$(mandir)/man1 && ln -s ssh.1.gz slogin.1.gz
cygwin-postinstall: move-config-files remove-empty-dir install-inetd-config install-doc install-scripts install-copy-id gzip-man-pages
@echo "Cygwin specific configuration finished."

View File

@ -0,0 +1,91 @@
This package describes important Cygwin specific stuff concerning OpenSSH.
The binary package is usually built for recent Cygwin versions and might
not run on older versions. Please check http://cygwin.com/ for information
about current Cygwin releases.
==================
Host configuration
==================
If you are installing OpenSSH the first time, you can generate global config
files and server keys, as well as installing sshd as a service, by running
/usr/bin/ssh-host-config
Note that this binary archive doesn't contain default config files in /etc.
That files are only created if ssh-host-config is started.
To support testing and unattended installation ssh-host-config got
some options:
usage: ssh-host-config [OPTION]...
Options:
--debug -d Enable shell's debug output.
--yes -y Answer all questions with "yes" automatically.
--no -n Answer all questions with "no" automatically.
--cygwin -c <options> Use "options" as value for CYGWIN environment var.
--port -p <n> sshd listens on port n.
--user -u <account> privileged user for service, default 'cyg_server'.
--pwd -w <passwd> Use "pwd" as password for privileged user.
--privileged On Windows XP, require privileged user
instead of LocalSystem for sshd service.
Installing sshd as daemon via ssh-host-config is recommended.
Alternatively you can start sshd via inetd, if you have the inetutils
package installed. Just run ssh-host-config, but answer "no" when asked
to install sshd as service. The ssh-host-config script also adds the
required lines to /etc/inetd.conf and /etc/services.
==================
User configuration
==================
Any user can simplify creating the own private and public keys by running
/usr/bin/ssh-user-config
To support testing and unattended installation ssh-user-config got
some options as well:
usage: ssh-user-config [OPTION]...
Options:
--debug -d Enable shell's debug output.
--yes -y Answer all questions with "yes" automatically.
--no -n Answer all questions with "no" automatically.
--passphrase -p word Use "word" as passphrase automatically.
Please note that OpenSSH does never use the value of $HOME to
search for the users configuration files! It always uses the
value of the pw_dir field in /etc/passwd as the home directory.
If no home diretory is set in /etc/passwd, the root directory
is used instead!
================
Building OpenSSH
================
Building from source is easy. Just unpack the source archive, cd to that
directory, and call cygport:
cygport openssh.cygport almostall
You must have installed the following packages to be able to build OpenSSH
with the aforementioned cygport script:
zlib
crypt
openssl-devel
libwrap-devel
libedit-devel
libkrb5-devel
Please send requests, error reports etc. to cygwin@cygwin.com.
Have fun,
Corinna Vinschen
Cygwin Developer
Red Hat Inc.

View File

@ -0,0 +1,758 @@
#!/bin/bash
#
# ssh-host-config, Copyright 2000-2011 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
# THE USE OR OTHER DEALINGS IN THE SOFTWARE.
# ======================================================================
# Initialization
# ======================================================================
CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
# List of apps used. This is checkad for existance in csih_sanity_check
# Don't use *any* transient commands before sourcing the csih helper script,
# otherwise the sanity checks are short-circuited.
declare -a csih_required_commands=(
/usr/bin/basename coreutils
/usr/bin/cat coreutils
/usr/bin/chmod coreutils
/usr/bin/dirname coreutils
/usr/bin/id coreutils
/usr/bin/mv coreutils
/usr/bin/rm coreutils
/usr/bin/cygpath cygwin
/usr/bin/mount cygwin
/usr/bin/ps cygwin
/usr/bin/setfacl cygwin
/usr/bin/umount cygwin
/usr/bin/cmp diffutils
/usr/bin/grep grep
/usr/bin/awk gawk
/usr/bin/ssh-keygen openssh
/usr/sbin/sshd openssh
/usr/bin/sed sed
)
csih_sanity_check_server=yes
source ${CSIH_SCRIPT}
PROGNAME=$(/usr/bin/basename $0)
_tdir=$(/usr/bin/dirname $0)
PROGDIR=$(cd $_tdir && pwd)
# Subdirectory where the new package is being installed
PREFIX=/usr
# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var
port_number=22
privsep_configured=no
privsep_used=yes
cygwin_value=""
user_account=
password_value=
opt_force=no
# ======================================================================
# Routine: create_host_keys
# ======================================================================
create_host_keys() {
local ret=0
if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
then
csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
if ! /usr/bin/ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
then
csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
let ++ret
fi
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
then
csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
if ! /usr/bin/ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
then
csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
let ++ret
fi
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
then
csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
if ! /usr/bin/ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
then
csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
let ++ret
fi
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ]
then
csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key"
if ! /usr/bin/ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null
then
csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
let ++ret
fi
fi
return $ret
} # --- End of create_host_keys --- #
# ======================================================================
# Routine: update_services_file
# ======================================================================
update_services_file() {
local _my_etcdir="/ssh-host-config.$$"
local _win_etcdir
local _services
local _spaces
local _serv_tmp
local _wservices
local ret=0
_win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
_services="${_my_etcdir}/services"
_spaces=" #"
_serv_tmp="${_my_etcdir}/srv.out.$$"
/usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
# Depends on the above mount
_wservices=`cygpath -w "${_services}"`
# Remove sshd 22/port from services
if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
then
/usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
if [ -f "${_serv_tmp}" ]
then
if /usr/bin/mv "${_serv_tmp}" "${_services}"
then
csih_inform "Removing sshd from ${_wservices}"
else
csih_warning "Removing sshd from ${_wservices} failed!"
let ++ret
fi
/usr/bin/rm -f "${_serv_tmp}"
else
csih_warning "Removing sshd from ${_wservices} failed!"
let ++ret
fi
fi
# Add ssh 22/tcp and ssh 22/udp to services
if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
then
if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
then
if /usr/bin/mv "${_serv_tmp}" "${_services}"
then
csih_inform "Added ssh to ${_wservices}"
else
csih_warning "Adding ssh to ${_wservices} failed!"
let ++ret
fi
/usr/bin/rm -f "${_serv_tmp}"
else
csih_warning "Adding ssh to ${_wservices} failed!"
let ++ret
fi
fi
/usr/bin/umount "${_my_etcdir}"
return $ret
} # --- End of update_services_file --- #
# ======================================================================
# Routine: sshd_privsep
# MODIFIES: privsep_configured privsep_used
# ======================================================================
sshd_privsep() {
local sshdconfig_tmp
local ret=0
if [ "${privsep_configured}" != "yes" ]
then
csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
csih_inform "However, this requires a non-privileged account called 'sshd'."
csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
if csih_request "Should privilege separation be used?"
then
privsep_used=yes
if ! csih_create_unprivileged_user sshd
then
csih_error_recoverable "Couldn't create user 'sshd'!"
csih_error_recoverable "Privilege separation set to 'no' again!"
csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!"
let ++ret
privsep_used=no
fi
else
privsep_used=no
fi
fi
# Create default sshd_config from skeleton files in /etc/defaults/etc or
# modify to add the missing privsep configuration option
if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
then
csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
/usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
s/^#Port 22/Port ${port_number}/
s/^#StrictModes yes/StrictModes no/" \
< ${SYSCONFDIR}/sshd_config \
> "${sshdconfig_tmp}"
if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
then
csih_warning "Setting privilege separation to 'yes' failed!"
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
let ++ret
fi
elif [ "${privsep_configured}" != "yes" ]
then
echo >> ${SYSCONFDIR}/sshd_config
if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
then
csih_warning "Setting privilege separation to 'yes' failed!"
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
let ++ret
fi
fi
return $ret
} # --- End of sshd_privsep --- #
# ======================================================================
# Routine: update_inetd_conf
# ======================================================================
update_inetd_conf() {
local _inetcnf="${SYSCONFDIR}/inetd.conf"
local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
local _with_comment=1
local ret=0
if [ -d "${_inetcnf_dir}" ]
then
# we have inetutils-1.5 inetd.d support
if [ -f "${_inetcnf}" ]
then
/usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
# check for sshd OR ssh in top-level inetd.conf file, and remove
# will be replaced by a file in inetd.d/
if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
then
/usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
if [ -f "${_inetcnf_tmp}" ]
then
if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
then
csih_inform "Removed ssh[d] from ${_inetcnf}"
else
csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
let ++ret
fi
/usr/bin/rm -f "${_inetcnf_tmp}"
else
csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
let ++ret
fi
fi
fi
csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
then
if [ "${_with_comment}" -eq 0 ]
then
/usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
else
/usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
fi
if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
then
csih_inform "Updated ${_sshd_inetd_conf}"
else
csih_warning "Updating ${_sshd_inetd_conf} failed!"
let ++ret
fi
fi
elif [ -f "${_inetcnf}" ]
then
/usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
# check for sshd in top-level inetd.conf file, and remove
# will be replaced by a file in inetd.d/
if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
then
/usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
if [ -f "${_inetcnf_tmp}" ]
then
if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
then
csih_inform "Removed sshd from ${_inetcnf}"
else
csih_warning "Removing sshd from ${_inetcnf} failed!"
let ++ret
fi
/usr/bin/rm -f "${_inetcnf_tmp}"
else
csih_warning "Removing sshd from ${_inetcnf} failed!"
let ++ret
fi
fi
# Add ssh line to inetd.conf
if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
then
if [ "${_with_comment}" -eq 0 ]
then
echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
else
echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
fi
if [ $? -eq 0 ]
then
csih_inform "Added ssh to ${_inetcnf}"
else
csih_warning "Adding ssh to ${_inetcnf} failed!"
let ++ret
fi
fi
fi
return $ret
} # --- End of update_inetd_conf --- #
# ======================================================================
# Routine: check_service_files_ownership
# Checks that the files in /etc and /var belong to the right owner
# ======================================================================
check_service_files_ownership() {
local run_service_as=$1
local ret=0
if [ -z "${run_service_as}" ]
then
accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp')
if [ "${accnt_name}" = "LocalSystem" ]
then
# Convert "LocalSystem" to "SYSTEM" as is the correct account name
accnt_name="SYSTEM:"
elif [[ "${accnt_name}" =~ ^\.\\ ]]
then
# Convert "." domain to local machine name
accnt_name="U-${COMPUTERNAME}${accnt_name#.},"
fi
run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}')
if [ -z "${run_service_as}" ]
then
csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
csih_warning "As a result, this script cannot make sure that the files used"
csih_warning "by the sshd service belong to the user running the service."
csih_warning "Please re-run the mkpasswd tool to make sure the /etc/passwd"
csih_warning "file is in a good shape."
return 1
fi
fi
for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub
do
if [ -f "$i" ]
then
if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1
then
csih_warning "Couldn't change owner of $i!"
let ++ret
fi
fi
done
if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1
then
csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!"
let ++ret
fi
if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
then
csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!"
let ++ret
fi
if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
then
if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1
then
csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!"
let ++ret
fi
fi
if [ $ret -ne 0 ]
then
csih_warning "Couldn't change owner of important files to ${run_service_as}!"
csih_warning "This may cause the sshd service to fail! Please make sure that"
csih_warning "you have suufficient permissions to change the ownership of files"
csih_warning "and try to run the ssh-host-config script again."
fi
return $ret
} # --- End of check_service_files_ownership --- #
# ======================================================================
# Routine: install_service
# Install sshd as a service
# ======================================================================
install_service() {
local run_service_as
local password
local ret=0
echo
if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
then
csih_inform "Sshd service is already installed."
check_service_files_ownership "" || let ret+=$?
else
echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
if csih_request "(Say \"no\" if it is already installed as a service)"
then
csih_get_cygenv "${cygwin_value}"
if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
then
csih_inform "On Windows Server 2003, Windows Vista, and above, the"
csih_inform "SYSTEM account cannot setuid to other users -- a capability"
csih_inform "sshd requires. You need to have or to create a privileged"
csih_inform "account. This script will help you do so."
echo
[ "${opt_force}" = "yes" ] && opt_f=-f
[ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
csih_select_privileged_username ${opt_f} ${opt_u} sshd
if ! csih_create_privileged_user "${password_value}"
then
csih_error_recoverable "There was a serious problem creating a privileged user."
csih_request "Do you want to proceed anyway?" || exit 1
let ++ret
fi
fi
# Never returns empty if NT or above
run_service_as=$(csih_service_should_run_as)
if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
then
password="${csih_PRIVILEGED_PASSWORD}"
if [ -z "${password}" ]
then
csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
password="${csih_value}"
fi
fi
# At this point, we either have $run_service_as = "system" and
# $password is empty, or $run_service_as is some privileged user and
# (hopefully) $password contains the correct password. So, from here
# out, we use '-z "${password}"' to discriminate the two cases.
csih_check_user "${run_service_as}"
if [ -n "${csih_cygenv}" ]
then
cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
fi
if [ -z "${password}" ]
then
if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
-a "-D" -y tcpip "${cygwin_env[@]}"
then
echo
csih_inform "The sshd service has been installed under the LocalSystem"
csih_inform "account (also known as SYSTEM). To start the service now, call"
csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
csih_inform "will start automatically after the next reboot."
fi
else
if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
-a "-D" -y tcpip "${cygwin_env[@]}" \
-u "${run_service_as}" -w "${password}"
then
/usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight
echo
csih_inform "The sshd service has been installed under the '${run_service_as}'"
csih_inform "account. To start the service now, call \`net start sshd' or"
csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
csih_inform "after the next reboot."
fi
fi
if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
then
check_service_files_ownership "${run_service_as}" || let ret+=$?
else
csih_error_recoverable "Installing sshd as a service failed!"
let ++ret
fi
fi # user allowed us to install as service
fi # service not yet installed
return $ret
} # --- End of install_service --- #
# ======================================================================
# Main Entry Point
# ======================================================================
# Check how the script has been started. If
# (1) it has been started by giving the full path and
# that path is /etc/postinstall, OR
# (2) Otherwise, if the environment variable
# SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
# then set auto_answer to "no". This allows automatic
# creation of the config files in /etc w/o overwriting
# them if they already exist. In both cases, color
# escape sequences are suppressed, so as to prevent
# cluttering setup's logfiles.
if [ "$PROGDIR" = "/etc/postinstall" ]
then
csih_auto_answer="no"
csih_disable_color
opt_force=yes
fi
if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
then
csih_auto_answer="no"
csih_disable_color
opt_force=yes
fi
# ======================================================================
# Parse options
# ======================================================================
while :
do
case $# in
0)
break
;;
esac
option=$1
shift
case "${option}" in
-d | --debug )
set -x
csih_trace_on
;;
-y | --yes )
csih_auto_answer=yes
opt_force=yes
;;
-n | --no )
csih_auto_answer=no
opt_force=yes
;;
-c | --cygwin )
cygwin_value="$1"
shift
;;
-p | --port )
port_number=$1
shift
;;
-u | --user )
user_account="$1"
shift
;;
-w | --pwd )
password_value="$1"
shift
;;
--privileged )
csih_FORCE_PRIVILEGED_USER=yes
;;
*)
echo "usage: ${progname} [OPTION]..."
echo
echo "This script creates an OpenSSH host configuration."
echo
echo "Options:"
echo " --debug -d Enable shell's debug output."
echo " --yes -y Answer all questions with \"yes\" automatically."
echo " --no -n Answer all questions with \"no\" automatically."
echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
echo " --port -p <n> sshd listens on port n."
echo " --user -u <account> privileged user for service, default 'cyg_server'."
echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user."
echo " --privileged On Windows XP, require privileged user"
echo " instead of LocalSystem for sshd service."
echo
exit 1
;;
esac
done
# ======================================================================
# Action!
# ======================================================================
# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running
if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
then
echo
csih_error "There are still ssh processes running. Please shut them down first."
fi
# Make sure the user is running in an administrative context
admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no)
if [ "${admin}" != "yes" ]
then
echo
csih_warning "Running this script typically requires administrator privileges!"
csih_warning "However, it seems your account does not have these privileges."
csih_warning "Here's the list of groups in your user token:"
echo
for i in $(/usr/bin/id -G)
do
/usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \" \" \$1; }" /etc/group
done
echo
csih_warning "This usually means you're running this script from a non-admin"
csih_warning "desktop session, or in a non-elevated shell under UAC control."
echo
csih_warning "Make sure you have the appropriate privileges right now,"
csih_warning "otherwise parts of this script will probably fail!"
echo
echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure"
if ! csih_request "you have the required privileges)"
then
echo
csih_inform "Ok. Exiting. Make sure to switch to an administrative account"
csih_inform "or to start this script from an elevated shell."
exit 1
fi
fi
echo
warning_cnt=0
# Check for ${SYSCONFDIR} directory
csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
then
csih_warning "Can't set permissions on ${SYSCONFDIR}!"
let ++warning_cnt
fi
if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1
then
csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
let ++warning_cnt
fi
# Check for /var/log directory
csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1
then
csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
let ++warning_cnt
fi
if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1
then
csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!"
let ++warning_cnt
fi
# Create /var/log/lastlog if not already exists
if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
then
echo
csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
"Cannot create ssh host configuration."
fi
if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
then
/usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
then
csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!"
let ++warning_cnt
fi
fi
# Create /var/empty file used as chroot jail for privilege separation
csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
then
csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
let ++warning_cnt
fi
if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
then
csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!"
let ++warning_cnt
fi
# host keys
create_host_keys || let warning_cnt+=$?
# handle ssh_config
csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
then
if [ "${port_number}" != "22" ]
then
csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
fi
fi
# handle sshd_config (and privsep)
csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
then
/usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
fi
sshd_privsep || let warning_cnt+=$?
update_services_file || let warning_cnt+=$?
update_inetd_conf || let warning_cnt+=$?
install_service || let warning_cnt+=$?
echo
if [ $warning_cnt -eq 0 ]
then
csih_inform "Host configuration finished. Have fun!"
else
csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!"
csih_warning "Make sure that all problems reported are fixed,"
csih_warning "then re-run ssh-host-config."
fi
exit $warning_cnt

View File

@ -0,0 +1,266 @@
#!/bin/bash
#
# ssh-user-config, Copyright 2000-2008 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
# THE USE OR OTHER DEALINGS IN THE SOFTWARE.
# ======================================================================
# Initialization
# ======================================================================
PROGNAME=$(basename -- $0)
_tdir=$(dirname -- $0)
PROGDIR=$(cd $_tdir && pwd)
CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
# Subdirectory where the new package is being installed
PREFIX=/usr
# Directory where the config files are stored
SYSCONFDIR=/etc
source ${CSIH_SCRIPT}
auto_passphrase="no"
passphrase=""
pwdhome=
with_passphrase=
# ======================================================================
# Routine: create_identity
# optionally create identity of type argument in ~/.ssh
# optionally add result to ~/.ssh/authorized_keys
# ======================================================================
create_identity() {
local file="$1"
local type="$2"
local name="$3"
if [ ! -f "${pwdhome}/.ssh/${file}" ]
then
if csih_request "Shall I create a ${name} identity file for you?"
then
csih_inform "Generating ${pwdhome}/.ssh/${file}"
if [ "${with_passphrase}" = "yes" ]
then
ssh-keygen -t "${type}" -N "${passphrase}" -f "${pwdhome}/.ssh/${file}" > /dev/null
else
ssh-keygen -t "${type}" -f "${pwdhome}/.ssh/${file}" > /dev/null
fi
if csih_request "Do you want to use this identity to login to this machine?"
then
csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
cat "${pwdhome}/.ssh/${file}.pub" >> "${pwdhome}/.ssh/authorized_keys"
fi
fi
fi
} # === End of create_ssh1_identity() === #
readonly -f create_identity
# ======================================================================
# Routine: check_user_homedir
# Perform various checks on the user's home directory
# SETS GLOBAL VARIABLE:
# pwdhome
# ======================================================================
check_user_homedir() {
local uid=$(id -u)
pwdhome=$(awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd)
if [ "X${pwdhome}" = "X" ]
then
csih_error_multi \
"There is no home directory set for you in ${SYSCONFDIR}/passwd." \
'Setting $HOME is not sufficient!'
fi
if [ ! -d "${pwdhome}" ]
then
csih_error_multi \
"${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory" \
'but it is not a valid directory. Cannot create user identity files.'
fi
# If home is the root dir, set home to empty string to avoid error messages
# in subsequent parts of that script.
if [ "X${pwdhome}" = "X/" ]
then
# But first raise a warning!
csih_warning "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!"
if csih_request "Would you like to proceed anyway?"
then
pwdhome=''
else
csih_warning "Exiting. Configuration is not complete"
exit 1
fi
fi
if [ -d "${pwdhome}" -a csih_is_nt -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
then
echo
csih_warning 'group and other have been revoked write permission to your home'
csih_warning "directory ${pwdhome}."
csih_warning 'This is required by OpenSSH to allow public key authentication using'
csih_warning 'the key files stored in your .ssh subdirectory.'
csih_warning 'Revert this change ONLY if you know what you are doing!'
echo
fi
} # === End of check_user_homedir() === #
readonly -f check_user_homedir
# ======================================================================
# Routine: check_user_dot_ssh_dir
# Perform various checks on the ~/.ssh directory
# PREREQUISITE:
# pwdhome -- check_user_homedir()
# ======================================================================
check_user_dot_ssh_dir() {
if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ]
then
csih_error "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files."
fi
if [ ! -e "${pwdhome}/.ssh" ]
then
mkdir "${pwdhome}/.ssh"
if [ ! -e "${pwdhome}/.ssh" ]
then
csih_error "Creating users ${pwdhome}/.ssh directory failed"
fi
fi
} # === End of check_user_dot_ssh_dir() === #
readonly -f check_user_dot_ssh_dir
# ======================================================================
# Routine: fix_authorized_keys_perms
# Corrects the permissions of ~/.ssh/authorized_keys
# PREREQUISITE:
# pwdhome -- check_user_homedir()
# ======================================================================
fix_authorized_keys_perms() {
if [ csih_is_nt -a -e "${pwdhome}/.ssh/authorized_keys" ]
then
if ! setfacl -m "u::rw-,g::---,o::---" "${pwdhome}/.ssh/authorized_keys"
then
csih_warning "Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
csih_warning "failed. Please care for the correct permissions. The minimum requirement"
csih_warning "is, the owner needs read permissions."
echo
fi
fi
} # === End of fix_authorized_keys_perms() === #
readonly -f fix_authorized_keys_perms
# ======================================================================
# Main Entry Point
# ======================================================================
# Check how the script has been started. If
# (1) it has been started by giving the full path and
# that path is /etc/postinstall, OR
# (2) Otherwise, if the environment variable
# SSH_USER_CONFIG_AUTO_ANSWER_NO is set
# then set auto_answer to "no". This allows automatic
# creation of the config files in /etc w/o overwriting
# them if they already exist. In both cases, color
# escape sequences are suppressed, so as to prevent
# cluttering setup's logfiles.
if [ "$PROGDIR" = "/etc/postinstall" ]
then
csih_auto_answer="no"
csih_disable_color
fi
if [ -n "${SSH_USER_CONFIG_AUTO_ANSWER_NO}" ]
then
csih_auto_answer="no"
csih_disable_color
fi
# ======================================================================
# Parse options
# ======================================================================
while :
do
case $# in
0)
break
;;
esac
option=$1
shift
case "$option" in
-d | --debug )
set -x
csih_trace_on
;;
-y | --yes )
csih_auto_answer=yes
;;
-n | --no )
csih_auto_answer=no
;;
-p | --passphrase )
with_passphrase="yes"
passphrase=$1
shift
;;
*)
echo "usage: ${PROGNAME} [OPTION]..."
echo
echo "This script creates an OpenSSH user configuration."
echo
echo "Options:"
echo " --debug -d Enable shell's debug output."
echo " --yes -y Answer all questions with \"yes\" automatically."
echo " --no -n Answer all questions with \"no\" automatically."
echo " --passphrase -p word Use \"word\" as passphrase automatically."
echo
exit 1
;;
esac
done
# ======================================================================
# Action!
# ======================================================================
# Check passwd file
if [ ! -f ${SYSCONFDIR}/passwd ]
then
csih_error_multi \
"${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file" \
'first using mkpasswd. Check if it contains an entry for you and' \
'please care for the home directory in your entry as well.'
fi
check_user_homedir
check_user_dot_ssh_dir
create_identity id_rsa rsa "SSH2 RSA"
create_identity id_dsa dsa "SSH2 DSA"
create_identity id_ecdsa ecdsa "SSH2 ECDSA"
create_identity identity rsa1 "(deprecated) SSH1 RSA"
fix_authorized_keys_perms
echo
csih_inform "Configuration finished. Have fun!"

View File

@ -0,0 +1,4 @@
# This file can be used to enable sshd as a slave of the inetd service
# To do so, the line below should be uncommented.
@COMMENT@ ssh stream tcp nowait root /usr/sbin/sshd sshd -i

186
crypto/openssh/contrib/findssl.sh Executable file
View File

@ -0,0 +1,186 @@
#!/bin/sh
#
# $Id: findssl.sh,v 1.4 2007/02/19 11:44:25 dtucker Exp $
#
# findssl.sh
# Search for all instances of OpenSSL headers and libraries
# and print their versions.
# Intended to help diagnose OpenSSH's "OpenSSL headers do not
# match your library" errors.
#
# Written by Darren Tucker (dtucker at zip dot com dot au)
# This file is placed in the public domain.
#
# Release history:
# 2002-07-27: Initial release.
# 2002-08-04: Added public domain notice.
# 2003-06-24: Incorporated readme, set library paths. First cvs version.
# 2004-12-13: Add traps to cleanup temp files, from Amarendra Godbole.
#
# "OpenSSL headers do not match your library" are usually caused by
# OpenSSH's configure picking up an older version of OpenSSL headers
# or libraries. You can use the following # procedure to help identify
# the cause.
#
# The output of configure will tell you the versions of the OpenSSL
# headers and libraries that were picked up, for example:
#
# checking OpenSSL header version... 90604f (OpenSSL 0.9.6d 9 May 2002)
# checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)
# checking whether OpenSSL's headers match the library... no
# configure: error: Your OpenSSL headers do not match your library
#
# Now run findssl.sh. This should identify the headers and libraries
# present and their versions. You should be able to identify the
# libraries and headers used and adjust your CFLAGS or remove incorrect
# versions. The output will show OpenSSL's internal version identifier
# and should look something like:
# $ ./findssl.sh
# Searching for OpenSSL header files.
# 0x0090604fL /usr/include/openssl/opensslv.h
# 0x0090604fL /usr/local/ssl/include/openssl/opensslv.h
#
# Searching for OpenSSL shared library files.
# 0x0090602fL /lib/libcrypto.so.0.9.6b
# 0x0090602fL /lib/libcrypto.so.2
# 0x0090581fL /usr/lib/libcrypto.so.0
# 0x0090602fL /usr/lib/libcrypto.so
# 0x0090581fL /usr/lib/libcrypto.so.0.9.5a
# 0x0090600fL /usr/lib/libcrypto.so.0.9.6
# 0x0090600fL /usr/lib/libcrypto.so.1
#
# Searching for OpenSSL static library files.
# 0x0090602fL /usr/lib/libcrypto.a
# 0x0090604fL /usr/local/ssl/lib/libcrypto.a
#
# In this example, I gave configure no extra flags, so it's picking up
# the OpenSSL header from /usr/include/openssl (90604f) and the library
# from /usr/lib/ (90602f).
#
# Adjust these to suit your compiler.
# You may also need to set the *LIB*PATH environment variables if
# DEFAULT_LIBPATH is not correct for your system.
#
CC=gcc
STATIC=-static
#
# Cleanup on interrupt
#
trap 'rm -f conftest.c' INT HUP TERM
#
# Set up conftest C source
#
rm -f findssl.log
cat >conftest.c <<EOD
#include <stdio.h>
int main(){printf("0x%08xL\n", SSLeay());}
EOD
#
# Set default library paths if not already set
#
DEFAULT_LIBPATH=/usr/lib:/usr/local/lib
LIBPATH=${LIBPATH:=$DEFAULT_LIBPATH}
LD_LIBRARY_PATH=${LD_LIBRARY_PATH:=$DEFAULT_LIBPATH}
LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH}
export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
# not all platforms have a 'which' command
if which ls >/dev/null 2>/dev/null; then
: which is defined
else
which () {
saveIFS="$IFS"
IFS=:
for p in $PATH; do
if test -x "$p/$1" -a -f "$p/$1"; then
IFS="$saveIFS"
echo "$p/$1"
return 0
fi
done
IFS="$saveIFS"
return 1
}
fi
#
# Search for OpenSSL headers and print versions
#
echo Searching for OpenSSL header files.
if [ -x "`which locate`" ]
then
headers=`locate opensslv.h`
else
headers=`find / -name opensslv.h -print 2>/dev/null`
fi
for header in $headers
do
ver=`awk '/OPENSSL_VERSION_NUMBER/{printf \$3}' $header`
echo "$ver $header"
done
echo
#
# Search for shared libraries.
# Relies on shared libraries looking like "libcrypto.s*"
#
echo Searching for OpenSSL shared library files.
if [ -x "`which locate`" ]
then
libraries=`locate libcrypto.s`
else
libraries=`find / -name 'libcrypto.s*' -print 2>/dev/null`
fi
for lib in $libraries
do
(echo "Trying libcrypto $lib" >>findssl.log
dir=`dirname $lib`
LIBPATH="$dir:$LIBPATH"
LD_LIBRARY_PATH="$dir:$LIBPATH"
LIBRARY_PATH="$dir:$LIBPATH"
export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
${CC} -o conftest conftest.c $lib 2>>findssl.log
if [ -x ./conftest ]
then
ver=`./conftest 2>/dev/null`
rm -f ./conftest
echo "$ver $lib"
fi)
done
echo
#
# Search for static OpenSSL libraries and print versions
#
echo Searching for OpenSSL static library files.
if [ -x "`which locate`" ]
then
libraries=`locate libcrypto.a`
else
libraries=`find / -name libcrypto.a -print 2>/dev/null`
fi
for lib in $libraries
do
libdir=`dirname $lib`
echo "Trying libcrypto $lib" >>findssl.log
${CC} ${STATIC} -o conftest conftest.c -L${libdir} -lcrypto 2>>findssl.log
if [ -x ./conftest ]
then
ver=`./conftest 2>/dev/null`
rm -f ./conftest
echo "$ver $lib"
fi
done
#
# Clean up
#
rm -f conftest.c

View File

@ -0,0 +1,171 @@
/*
* Copyright (c) 2000-2002 Damien Miller. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
* This is a simple GNOME SSH passphrase grabber. To use it, set the
* environment variable SSH_ASKPASS to point to the location of
* gnome-ssh-askpass before calling "ssh-add < /dev/null".
*
* There is only two run-time options: if you set the environment variable
* "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
* the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
* pointer will be grabbed too. These may have some benefit to security if
* you don't trust your X server. We grab the keyboard always.
*/
/*
* Compile with:
*
* cc `gnome-config --cflags gnome gnomeui` \
* gnome-ssh-askpass1.c -o gnome-ssh-askpass \
* `gnome-config --libs gnome gnomeui`
*
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <gnome.h>
#include <X11/Xlib.h>
#include <gdk/gdkx.h>
void
report_failed_grab (void)
{
GtkWidget *err;
err = gnome_message_box_new("Could not grab keyboard or mouse.\n"
"A malicious client may be eavesdropping on your session.",
GNOME_MESSAGE_BOX_ERROR, "EXIT", NULL);
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
gtk_object_set(GTK_OBJECT(err), "type", GTK_WINDOW_POPUP, NULL);
gnome_dialog_run_and_close(GNOME_DIALOG(err));
}
int
passphrase_dialog(char *message)
{
char *passphrase;
char **messages;
int result, i, grab_server, grab_pointer;
GtkWidget *dialog, *entry, *label;
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
dialog = gnome_dialog_new("OpenSSH", GNOME_STOCK_BUTTON_OK,
GNOME_STOCK_BUTTON_CANCEL, NULL);
messages = g_strsplit(message, "\\n", 0);
if (messages)
for(i = 0; messages[i]; i++) {
label = gtk_label_new(messages[i]);
gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox),
label, FALSE, FALSE, 0);
}
entry = gtk_entry_new();
gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE,
FALSE, 0);
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
gtk_widget_grab_focus(entry);
/* Center window and prepare for grab */
gtk_object_set(GTK_OBJECT(dialog), "type", GTK_WINDOW_POPUP, NULL);
gnome_dialog_set_default(GNOME_DIALOG(dialog), 0);
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
gtk_window_set_policy(GTK_WINDOW(dialog), FALSE, FALSE, TRUE);
gnome_dialog_close_hides(GNOME_DIALOG(dialog), TRUE);
gtk_container_set_border_width(GTK_CONTAINER(GNOME_DIALOG(dialog)->vbox),
GNOME_PAD);
gtk_widget_show_all(dialog);
/* Grab focus */
if (grab_server)
XGrabServer(GDK_DISPLAY());
if (grab_pointer && gdk_pointer_grab(dialog->window, TRUE, 0,
NULL, NULL, GDK_CURRENT_TIME))
goto nograb;
if (gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME))
goto nograbkb;
/* Make <enter> close dialog */
gnome_dialog_editable_enters(GNOME_DIALOG(dialog), GTK_EDITABLE(entry));
/* Run dialog */
result = gnome_dialog_run(GNOME_DIALOG(dialog));
/* Ungrab */
if (grab_server)
XUngrabServer(GDK_DISPLAY());
if (grab_pointer)
gdk_pointer_ungrab(GDK_CURRENT_TIME);
gdk_keyboard_ungrab(GDK_CURRENT_TIME);
gdk_flush();
/* Report passphrase if user selected OK */
passphrase = gtk_entry_get_text(GTK_ENTRY(entry));
if (result == 0)
puts(passphrase);
/* Zero passphrase in memory */
memset(passphrase, '\0', strlen(passphrase));
gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
gnome_dialog_close(GNOME_DIALOG(dialog));
return (result == 0 ? 0 : -1);
/* At least one grab failed - ungrab what we got, and report
the failure to the user. Note that XGrabServer() cannot
fail. */
nograbkb:
gdk_pointer_ungrab(GDK_CURRENT_TIME);
nograb:
if (grab_server)
XUngrabServer(GDK_DISPLAY());
gnome_dialog_close(GNOME_DIALOG(dialog));
report_failed_grab();
return (-1);
}
int
main(int argc, char **argv)
{
char *message;
int result;
gnome_init("GNOME ssh-askpass", "0.1", argc, argv);
if (argc == 2)
message = argv[1];
else
message = "Enter your OpenSSH passphrase:";
setvbuf(stdout, 0, _IONBF, 0);
result = passphrase_dialog(message);
return (result);
}

View File

@ -0,0 +1,223 @@
/*
* Copyright (c) 2000-2002 Damien Miller. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* GTK2 support by Nalin Dahyabhai <nalin@redhat.com> */
/*
* This is a simple GNOME SSH passphrase grabber. To use it, set the
* environment variable SSH_ASKPASS to point to the location of
* gnome-ssh-askpass before calling "ssh-add < /dev/null".
*
* There is only two run-time options: if you set the environment variable
* "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
* the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
* pointer will be grabbed too. These may have some benefit to security if
* you don't trust your X server. We grab the keyboard always.
*/
#define GRAB_TRIES 16
#define GRAB_WAIT 250 /* milliseconds */
/*
* Compile with:
*
* cc -Wall `pkg-config --cflags gtk+-2.0` \
* gnome-ssh-askpass2.c -o gnome-ssh-askpass \
* `pkg-config --libs gtk+-2.0`
*
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <X11/Xlib.h>
#include <gtk/gtk.h>
#include <gdk/gdkx.h>
static void
report_failed_grab (const char *what)
{
GtkWidget *err;
err = gtk_message_dialog_new(NULL, 0,
GTK_MESSAGE_ERROR,
GTK_BUTTONS_CLOSE,
"Could not grab %s. "
"A malicious client may be eavesdropping "
"on your session.", what);
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label),
TRUE);
gtk_dialog_run(GTK_DIALOG(err));
gtk_widget_destroy(err);
}
static void
ok_dialog(GtkWidget *entry, gpointer dialog)
{
g_return_if_fail(GTK_IS_DIALOG(dialog));
gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
}
static int
passphrase_dialog(char *message)
{
const char *failed;
char *passphrase, *local;
int result, grab_tries, grab_server, grab_pointer;
GtkWidget *dialog, *entry;
GdkGrabStatus status;
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
grab_tries = 0;
dialog = gtk_message_dialog_new(NULL, 0,
GTK_MESSAGE_QUESTION,
GTK_BUTTONS_OK_CANCEL,
"%s",
message);
entry = gtk_entry_new();
gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE,
FALSE, 0);
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
gtk_widget_grab_focus(entry);
gtk_widget_show(entry);
gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(dialog))->label),
TRUE);
/* Make <enter> close dialog */
gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
g_signal_connect(G_OBJECT(entry), "activate",
G_CALLBACK(ok_dialog), dialog);
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
/* Grab focus */
gtk_widget_show_now(dialog);
if (grab_pointer) {
for(;;) {
status = gdk_pointer_grab(
(GTK_WIDGET(dialog))->window, TRUE, 0, NULL,
NULL, GDK_CURRENT_TIME);
if (status == GDK_GRAB_SUCCESS)
break;
usleep(GRAB_WAIT * 1000);
if (++grab_tries > GRAB_TRIES) {
failed = "mouse";
goto nograb;
}
}
}
for(;;) {
status = gdk_keyboard_grab((GTK_WIDGET(dialog))->window,
FALSE, GDK_CURRENT_TIME);
if (status == GDK_GRAB_SUCCESS)
break;
usleep(GRAB_WAIT * 1000);
if (++grab_tries > GRAB_TRIES) {
failed = "keyboard";
goto nograbkb;
}
}
if (grab_server) {
gdk_x11_grab_server();
}
result = gtk_dialog_run(GTK_DIALOG(dialog));
/* Ungrab */
if (grab_server)
XUngrabServer(GDK_DISPLAY());
if (grab_pointer)
gdk_pointer_ungrab(GDK_CURRENT_TIME);
gdk_keyboard_ungrab(GDK_CURRENT_TIME);
gdk_flush();
/* Report passphrase if user selected OK */
passphrase = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry)));
if (result == GTK_RESPONSE_OK) {
local = g_locale_from_utf8(passphrase, strlen(passphrase),
NULL, NULL, NULL);
if (local != NULL) {
puts(local);
memset(local, '\0', strlen(local));
g_free(local);
} else {
puts(passphrase);
}
}
/* Zero passphrase in memory */
memset(passphrase, '\b', strlen(passphrase));
gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
memset(passphrase, '\0', strlen(passphrase));
g_free(passphrase);
gtk_widget_destroy(dialog);
return (result == GTK_RESPONSE_OK ? 0 : -1);
/* At least one grab failed - ungrab what we got, and report
the failure to the user. Note that XGrabServer() cannot
fail. */
nograbkb:
gdk_pointer_ungrab(GDK_CURRENT_TIME);
nograb:
if (grab_server)
XUngrabServer(GDK_DISPLAY());
gtk_widget_destroy(dialog);
report_failed_grab(failed);
return (-1);
}
int
main(int argc, char **argv)
{
char *message;
int result;
gtk_init(&argc, &argv);
if (argc > 1) {
message = g_strjoinv(" ", argv + 1);
} else {
message = g_strdup("Enter your OpenSSH passphrase:");
}
setvbuf(stdout, 0, _IONBF, 0);
result = passphrase_dialog(message);
g_free(message);
return (result);
}

View File

@ -0,0 +1,45 @@
README for OpenSSH HP-UX contrib files
Kevin Steves <stevesk@pobox.com>
sshd: configuration file for sshd.rc
sshd.rc: SSH startup script
egd: configuration file for egd.rc
egd.rc: EGD (entropy gathering daemon) startup script
To install:
sshd.rc:
o Verify paths in sshd.rc match your local installation
(WHAT_PATH and WHAT_PID)
o Customize sshd if needed (SSHD_ARGS)
o Install:
# cp sshd /etc/rc.config.d
# chmod 444 /etc/rc.config.d/sshd
# cp sshd.rc /sbin/init.d
# chmod 555 /sbin/init.d/sshd.rc
# ln -s /sbin/init.d/sshd.rc /sbin/rc1.d/K100sshd
# ln -s /sbin/init.d/sshd.rc /sbin/rc2.d/S900sshd
egd.rc:
o Verify egd.pl path in egd.rc matches your local installation
(WHAT_PATH)
o Customize egd if needed (EGD_ARGS and EGD_LOG)
o Add pseudo account:
# groupadd egd
# useradd -g egd egd
# mkdir -p /etc/opt/egd
# chown egd:egd /etc/opt/egd
# chmod 711 /etc/opt/egd
o Install:
# cp egd /etc/rc.config.d
# chmod 444 /etc/rc.config.d/egd
# cp egd.rc /sbin/init.d
# chmod 555 /sbin/init.d/egd.rc
# ln -s /sbin/init.d/egd.rc /sbin/rc1.d/K600egd
# ln -s /sbin/init.d/egd.rc /sbin/rc2.d/S400egd

View File

@ -0,0 +1,15 @@
# EGD_START: Set to 1 to start entropy gathering daemon
# EGD_ARGS: Command line arguments to pass to egd
# EGD_LOG: EGD stdout and stderr log file (default /etc/opt/egd/egd.log)
#
# To configure the egd environment:
# groupadd egd
# useradd -g egd egd
# mkdir -p /etc/opt/egd
# chown egd:egd /etc/opt/egd
# chmod 711 /etc/opt/egd
EGD_START=1
EGD_ARGS='/etc/opt/egd/entropy'
EGD_LOG=

View File

@ -0,0 +1,98 @@
#!/sbin/sh
#
# egd.rc: EGD start-up and shutdown script
#
# Allowed exit values:
# 0 = success; causes "OK" to show up in checklist.
# 1 = failure; causes "FAIL" to show up in checklist.
# 2 = skip; causes "N/A" to show up in the checklist.
# Use this value if execution of this script is overridden
# by the use of a control variable, or if this script is not
# appropriate to execute for some other reason.
# 3 = reboot; causes the system to be rebooted after execution.
# Input and output:
# stdin is redirected from /dev/null
#
# stdout and stderr are redirected to the /etc/rc.log file
# during checklist mode, or to the console in raw mode.
umask 022
PATH=/usr/sbin:/usr/bin:/sbin
export PATH
WHAT='EGD (entropy gathering daemon)'
WHAT_PATH=/opt/perl/bin/egd.pl
WHAT_CONFIG=/etc/rc.config.d/egd
WHAT_LOG=/etc/opt/egd/egd.log
# NOTE: If your script executes in run state 0 or state 1, then /usr might
# not be available. Do not attempt to access commands or files in
# /usr unless your script executes in run state 2 or greater. Other
# file systems typically not mounted until run state 2 include /var
# and /opt.
rval=0
# Check the exit value of a command run by this script. If non-zero, the
# exit code is echoed to the log file and the return value of this script
# is set to indicate failure.
set_return() {
x=$?
if [ $x -ne 0 ]; then
echo "EXIT CODE: $x"
rval=1 # script FAILed
fi
}
case $1 in
'start_msg')
echo "Starting $WHAT"
;;
'stop_msg')
echo "Stopping $WHAT"
;;
'start')
if [ -f $WHAT_CONFIG ] ; then
. $WHAT_CONFIG
else
echo "ERROR: $WHAT_CONFIG defaults file MISSING"
fi
if [ "$EGD_START" -eq 1 -a -x $WHAT_PATH ]; then
EGD_LOG=${EGD_LOG:-$WHAT_LOG}
su egd -c "nohup $WHAT_PATH $EGD_ARGS >$EGD_LOG 2>&1" &&
echo $WHAT started
set_return
else
rval=2
fi
;;
'stop')
pid=`ps -fuegd | awk '$1 == "egd" { print $2 }'`
if [ "X$pid" != "X" ]; then
if kill "$pid"; then
echo "$WHAT stopped"
else
rval=1
echo "Unable to stop $WHAT"
fi
fi
set_return
;;
*)
echo "usage: $0 {start|stop|start_msg|stop_msg}"
rval=1
;;
esac
exit $rval

View File

@ -0,0 +1,5 @@
# SSHD_START: Set to 1 to start SSH daemon
# SSHD_ARGS: Command line arguments to pass to sshd
#
SSHD_START=1
SSHD_ARGS=

View File

@ -0,0 +1,90 @@
#!/sbin/sh
#
# sshd.rc: SSH daemon start-up and shutdown script
#
# Allowed exit values:
# 0 = success; causes "OK" to show up in checklist.
# 1 = failure; causes "FAIL" to show up in checklist.
# 2 = skip; causes "N/A" to show up in the checklist.
# Use this value if execution of this script is overridden
# by the use of a control variable, or if this script is not
# appropriate to execute for some other reason.
# 3 = reboot; causes the system to be rebooted after execution.
# Input and output:
# stdin is redirected from /dev/null
#
# stdout and stderr are redirected to the /etc/rc.log file
# during checklist mode, or to the console in raw mode.
PATH=/usr/sbin:/usr/bin:/sbin
export PATH
WHAT='OpenSSH'
WHAT_PATH=/opt/openssh/sbin/sshd
WHAT_PID=/var/run/sshd.pid
WHAT_CONFIG=/etc/rc.config.d/sshd
# NOTE: If your script executes in run state 0 or state 1, then /usr might
# not be available. Do not attempt to access commands or files in
# /usr unless your script executes in run state 2 or greater. Other
# file systems typically not mounted until run state 2 include /var
# and /opt.
rval=0
# Check the exit value of a command run by this script. If non-zero, the
# exit code is echoed to the log file and the return value of this script
# is set to indicate failure.
set_return() {
x=$?
if [ $x -ne 0 ]; then
echo "EXIT CODE: $x"
rval=1 # script FAILed
fi
}
case $1 in
'start_msg')
echo "Starting $WHAT"
;;
'stop_msg')
echo "Stopping $WHAT"
;;
'start')
if [ -f $WHAT_CONFIG ] ; then
. $WHAT_CONFIG
else
echo "ERROR: $WHAT_CONFIG defaults file MISSING"
fi
if [ "$SSHD_START" -eq 1 -a -x "$WHAT_PATH" ]; then
$WHAT_PATH $SSHD_ARGS && echo "$WHAT started"
set_return
else
rval=2
fi
;;
'stop')
if kill `cat $WHAT_PID`; then
echo "$WHAT stopped"
else
rval=1
echo "Unable to stop $WHAT"
fi
set_return
;;
*)
echo "usage: $0 {start|stop|start_msg|stop_msg}"
rval=1
;;
esac
exit $rval

View File

@ -0,0 +1 @@
setenv SSH_ASKPASS /usr/libexec/openssh/gnome-ssh-askpass

View File

@ -0,0 +1,2 @@
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
export SSH_ASKPASS

View File

@ -0,0 +1,812 @@
%define ver 6.3p1
%define rel 1
# OpenSSH privilege separation requires a user & group ID
%define sshd_uid 74
%define sshd_gid 74
# Version of ssh-askpass
%define aversion 1.2.4.1
# Do we want to disable building of x11-askpass? (1=yes 0=no)
%define no_x11_askpass 0
# Do we want to disable building of gnome-askpass? (1=yes 0=no)
%define no_gnome_askpass 0
# Do we want to link against a static libcrypto? (1=yes 0=no)
%define static_libcrypto 0
# Do we want smartcard support (1=yes 0=no)
%define scard 0
# Use GTK2 instead of GNOME in gnome-ssh-askpass
%define gtk2 1
# Is this build for RHL 6.x?
%define build6x 0
# Do we want kerberos5 support (1=yes 0=no)
%define kerberos5 1
# Reserve options to override askpass settings with:
# rpm -ba|--rebuild --define 'skip_xxx 1'
%{?skip_x11_askpass:%define no_x11_askpass 1}
%{?skip_gnome_askpass:%define no_gnome_askpass 1}
# Add option to build without GTK2 for older platforms with only GTK+.
# RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples.
# rpm -ba|--rebuild --define 'no_gtk2 1'
%{?no_gtk2:%define gtk2 0}
# Is this a build for RHL 6.x or earlier?
%{?build_6x:%define build6x 1}
# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
%if %{build6x}
%define _sysconfdir /etc
%endif
# Options for static OpenSSL link:
# rpm -ba|--rebuild --define "static_openssl 1"
%{?static_openssl:%define static_libcrypto 1}
# Options for Smartcard support: (needs libsectok and openssl-engine)
# rpm -ba|--rebuild --define "smartcard 1"
%{?smartcard:%define scard 1}
# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
%define rescue 0
%{?build_rescue:%define rescue 1}
# Turn off some stuff for resuce builds
%if %{rescue}
%define kerberos5 0
%endif
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
Name: openssh
Version: %{ver}
%if %{rescue}
Release: %{rel}rescue
%else
Release: %{rel}
%endif
URL: http://www.openssh.com/portable.html
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
%if ! %{no_x11_askpass}
Source1: http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
%endif
License: BSD
Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
Obsoletes: ssh
%if %{build6x}
PreReq: initscripts >= 5.00
%else
Requires: initscripts >= 5.20
%endif
BuildRequires: perl, openssl-devel, tcp_wrappers
BuildRequires: /bin/login
%if ! %{build6x}
BuildPreReq: glibc-devel, pam
%else
BuildRequires: /usr/include/security/pam_appl.h
%endif
%if ! %{no_x11_askpass}
BuildRequires: /usr/include/X11/Xlib.h
%endif
%if ! %{no_gnome_askpass}
BuildRequires: pkgconfig
%endif
%if %{kerberos5}
BuildRequires: krb5-devel
BuildRequires: krb5-libs
%endif
%package clients
Summary: OpenSSH clients.
Requires: openssh = %{version}-%{release}
Group: Applications/Internet
Obsoletes: ssh-clients
%package server
Summary: The OpenSSH server daemon.
Group: System Environment/Daemons
Obsoletes: ssh-server
Requires: openssh = %{version}-%{release}, chkconfig >= 0.9
%if ! %{build6x}
Requires: /etc/pam.d/system-auth
%endif
%package askpass
Summary: A passphrase dialog for OpenSSH and X.
Group: Applications/Internet
Requires: openssh = %{version}-%{release}
Obsoletes: ssh-extras
%package askpass-gnome
Summary: A passphrase dialog for OpenSSH, X, and GNOME.
Group: Applications/Internet
Requires: openssh = %{version}-%{release}
Obsoletes: ssh-extras
%description
SSH (Secure SHell) is a program for logging into and executing
commands on a remote machine. SSH is intended to replace rlogin and
rsh, and to provide secure encrypted communications between two
untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.
OpenSSH is OpenBSD's version of the last free version of SSH, bringing
it up to date in terms of security and features, as well as removing
all patented algorithms to separate libraries.
This package includes the core files necessary for both the OpenSSH
client and server. To make this package useful, you should also
install openssh-clients, openssh-server, or both.
%description clients
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package includes
the clients necessary to make encrypted connections to SSH servers.
You'll also need to install the openssh package on OpenSSH clients.
%description server
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
the secure shell daemon (sshd). The sshd daemon allows SSH clients to
securely connect to your SSH server. You also need to have the openssh
package installed.
%description askpass
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
an X11 passphrase dialog for OpenSSH.
%description askpass-gnome
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop
environment.
%prep
%if ! %{no_x11_askpass}
%setup -q -a 1
%else
%setup -q
%endif
%build
%if %{rescue}
CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
%endif
%if %{kerberos5}
K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | sed 's,\/include\/krb5.h,,'`
echo K5DIR=$K5DIR
%endif
%configure \
--sysconfdir=%{_sysconfdir}/ssh \
--libexecdir=%{_libexecdir}/openssh \
--datadir=%{_datadir}/openssh \
--with-tcp-wrappers \
--with-rsh=%{_bindir}/rsh \
--with-default-path=/usr/local/bin:/bin:/usr/bin \
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
--with-privsep-path=%{_var}/empty/sshd \
--with-md5-passwords \
%if %{scard}
--with-smartcard \
%endif
%if %{rescue}
--without-pam \
%else
--with-pam \
%endif
%if %{kerberos5}
--with-kerberos5=$K5DIR \
%endif
%if %{static_libcrypto}
perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
%endif
make
%if ! %{no_x11_askpass}
pushd x11-ssh-askpass-%{aversion}
%configure --libexecdir=%{_libexecdir}/openssh
xmkmf -a
make
popd
%endif
# Define a variable to toggle gnome1/gtk2 building. This is necessary
# because RPM doesn't handle nested %if statements.
%if %{gtk2}
gtk2=yes
%else
gtk2=no
%endif
%if ! %{no_gnome_askpass}
pushd contrib
if [ $gtk2 = yes ] ; then
make gnome-ssh-askpass2
mv gnome-ssh-askpass2 gnome-ssh-askpass
else
make gnome-ssh-askpass1
mv gnome-ssh-askpass1 gnome-ssh-askpass
fi
popd
%endif
%install
rm -rf $RPM_BUILD_ROOT
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
make install DESTDIR=$RPM_BUILD_ROOT
install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
%if %{build6x}
install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd
%else
install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
%endif
install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
%if ! %{no_x11_askpass}
install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass
ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
%endif
%if ! %{no_gnome_askpass}
install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
%endif
%if ! %{scard}
rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin
%endif
%if ! %{no_gnome_askpass}
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
%endif
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
%clean
rm -rf $RPM_BUILD_ROOT
%triggerun server -- ssh-server
if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; then
touch /var/run/sshd.restart
fi
%triggerun server -- openssh-server < 2.5.0p1
# Count the number of HostKey and HostDsaKey statements we have.
gawk 'BEGIN {IGNORECASE=1}
/^hostkey/ || /^hostdsakey/ {sawhostkey = sawhostkey + 1}
END {exit sawhostkey}' /etc/ssh/sshd_config
# And if we only found one, we know the client was relying on the old default
# behavior, which loaded the the SSH2 DSA host key when HostDsaKey wasn't
# specified. Now that HostKey is used for both SSH1 and SSH2 keys, specifying
# one nullifies the default, which would have loaded both.
if [ $? -eq 1 ] ; then
echo HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_config
echo HostKey /etc/ssh/ssh_host_dsa_key >> /etc/ssh/sshd_config
fi
%triggerpostun server -- ssh-server
if [ "$1" != 0 ] ; then
/sbin/chkconfig --add sshd
if test -f /var/run/sshd.restart ; then
rm -f /var/run/sshd.restart
/sbin/service sshd start > /dev/null 2>&1 || :
fi
fi
%pre server
%{_sbindir}/groupadd -r -g %{sshd_gid} sshd 2>/dev/null || :
%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
-g sshd -M -r sshd 2>/dev/null || :
%post server
/sbin/chkconfig --add sshd
%postun server
/sbin/service sshd condrestart > /dev/null 2>&1 || :
%preun server
if [ "$1" = 0 ]
then
/sbin/service sshd stop > /dev/null 2>&1 || :
/sbin/chkconfig --del sshd
fi
%files
%defattr(-,root,root)
%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* PROTOCOL* TODO
%attr(0755,root,root) %{_bindir}/scp
%attr(0644,root,root) %{_mandir}/man1/scp.1*
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%if ! %{rescue}
%attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0755,root,root) %dir %{_libexecdir}/openssh
%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
%endif
%if %{scard}
%attr(0755,root,root) %dir %{_datadir}/openssh
%attr(0644,root,root) %{_datadir}/openssh/Ssh.bin
%endif
%files clients
%defattr(-,root,root)
%attr(0755,root,root) %{_bindir}/ssh
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%attr(-,root,root) %{_bindir}/slogin
%attr(-,root,root) %{_mandir}/man1/slogin.1*
%if ! %{rescue}
%attr(2755,root,nobody) %{_bindir}/ssh-agent
%attr(0755,root,root) %{_bindir}/ssh-add
%attr(0755,root,root) %{_bindir}/ssh-keyscan
%attr(0755,root,root) %{_bindir}/sftp
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
%endif
%if ! %{rescue}
%files server
%defattr(-,root,root)
%dir %attr(0111,root,root) %{_var}/empty/sshd
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
%attr(0755,root,root) %config /etc/rc.d/init.d/sshd
%endif
%if ! %{no_x11_askpass}
%files askpass
%defattr(-,root,root)
%doc x11-ssh-askpass-%{aversion}/README
%doc x11-ssh-askpass-%{aversion}/ChangeLog
%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass
%endif
%if ! %{no_gnome_askpass}
%files askpass-gnome
%defattr(-,root,root)
%attr(0755,root,root) %config %{_sysconfdir}/profile.d/gnome-ssh-askpass.*
%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
%endif
%changelog
* Wed Jul 14 2010 Tim Rice <tim@multitalents.net>
- test for skip_x11_askpass (line 77) should have been for no_x11_askpass
* Mon Jun 2 2003 Damien Miller <djm@mindrot.org>
- Remove noip6 option. This may be controlled at run-time in client config
file using new AddressFamily directive
* Mon May 12 2003 Damien Miller <djm@mindrot.org>
- Don't install profile.d scripts when not building with GNOME/GTK askpass
(patch from bet@rahul.net)
* Wed Oct 01 2002 Damien Miller <djm@mindrot.org>
- Install ssh-agent setgid nobody to prevent ptrace() key theft attacks
* Mon Sep 30 2002 Damien Miller <djm@mindrot.org>
- Use contrib/ Makefile for building askpass programs
* Fri Jun 21 2002 Damien Miller <djm@mindrot.org>
- Merge in spec changes from seba@iq.pl (Sebastian Pachuta)
- Add new {ssh,sshd}_config.5 manpages
- Add new ssh-keysign program and remove setuid from ssh client
* Fri May 10 2002 Damien Miller <djm@mindrot.org>
- Merge in spec changes from RedHat, reorgansie a little
- Add Privsep user, group and directory
* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-2
- bump and grind (through the build system)
* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-1
- require sharutils for building (mindrot #137)
- require db1-devel only when building for 6.x (#55105), which probably won't
work anyway (3.1 requires OpenSSL 0.9.6 to build), but what the heck
- require pam-devel by file (not by package name) again
- add Markus's patch to compile with OpenSSL 0.9.5a (from
http://bugzilla.mindrot.org/show_bug.cgi?id=141) and apply it if we're
building for 6.x
* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-0
- update to 3.1p1
* Tue Mar 5 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020305
- update to SNAP-20020305
- drop debug patch, fixed upstream
* Wed Feb 20 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020220
- update to SNAP-20020220 for testing purposes (you've been warned, if there's
anything to be warned about, gss patches won't apply, I don't mind)
* Wed Feb 13 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-3
- add patches from Simon Wilkinson and Nicolas Williams for GSSAPI key
exchange, authentication, and named key support
* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-2
- remove dependency on db1-devel, which has just been swallowed up whole
by gnome-libs-devel
* Sun Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com>
- adjust build dependencies so that build6x actually works right (fix
from Hugo van der Kooij)
* Tue Dec 4 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-1
- update to 3.0.2p1
* Fri Nov 16 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.1p1-1
- update to 3.0.1p1
* Tue Nov 13 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to current CVS (not for use in distribution)
* Thu Nov 8 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0p1-1
- merge some of Damien Miller <djm@mindrot.org> changes from the upstream
3.0p1 spec file and init script
* Wed Nov 7 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 3.0p1
- update to x11-ssh-askpass 1.2.4.1
- change build dependency on a file from pam-devel to the pam-devel package
- replace primes with moduli
* Thu Sep 27 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-9
- incorporate fix from Markus Friedl's advisory for IP-based authorization bugs
* Thu Sep 13 2001 Bernhard Rosenkraenzer <bero@redhat.com> 2.9p2-8
- Merge changes to rescue build from current sysadmin survival cd
* Thu Sep 6 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-7
- fix scp's server's reporting of file sizes, and build with the proper
preprocessor define to get large-file capable open(), stat(), etc.
(sftp has been doing this correctly all along) (#51827)
- configure without --with-ipv4-default on RHL 7.x and newer (#45987,#52247)
- pull cvs patch to fix support for /etc/nologin for non-PAM logins (#47298)
- mark profile.d scriptlets as config files (#42337)
- refer to Jason Stone's mail for zsh workaround for exit-hanging quasi-bug
- change a couple of log() statements to debug() statements (#50751)
- pull cvs patch to add -t flag to sshd (#28611)
- clear fd_sets correctly (one bit per FD, not one byte per FD) (#43221)
* Mon Aug 20 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-6
- add db1-devel as a BuildPrerequisite (noted by Hans Ecke)
* Thu Aug 16 2001 Nalin Dahyabhai <nalin@redhat.com>
- pull cvs patch to fix remote port forwarding with protocol 2
* Thu Aug 9 2001 Nalin Dahyabhai <nalin@redhat.com>
- pull cvs patch to add session initialization to no-pty sessions
- pull cvs patch to not cut off challengeresponse auth needlessly
- refuse to do X11 forwarding if xauth isn't there, handy if you enable
it by default on a system that doesn't have X installed (#49263)
* Wed Aug 8 2001 Nalin Dahyabhai <nalin@redhat.com>
- don't apply patches to code we don't intend to build (spotted by Matt Galgoci)
* Mon Aug 6 2001 Nalin Dahyabhai <nalin@redhat.com>
- pass OPTIONS correctly to initlog (#50151)
* Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com>
- switch to x11-ssh-askpass 1.2.2
* Wed Jul 11 2001 Nalin Dahyabhai <nalin@redhat.com>
- rebuild in new environment
* Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
- disable the gssapi patch
* Mon Jun 18 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 2.9p2
- refresh to a new version of the gssapi patch
* Thu Jun 7 2001 Nalin Dahyabhai <nalin@redhat.com>
- change Copyright: BSD to License: BSD
- add Markus Friedl's unverified patch for the cookie file deletion problem
so that we can verify it
- drop patch to check if xauth is present (was folded into cookie patch)
- don't apply gssapi patches for the errata candidate
- clear supplemental groups list at startup
* Fri May 25 2001 Nalin Dahyabhai <nalin@redhat.com>
- fix an error parsing the new default sshd_config
- add a fix from Markus Friedl (via openssh-unix-dev) for ssh-keygen not
dealing with comments right
* Thu May 24 2001 Nalin Dahyabhai <nalin@redhat.com>
- add in Simon Wilkinson's GSSAPI patch to give it some testing in-house,
to be removed before the next beta cycle because it's a big departure
from the upstream version
* Thu May 3 2001 Nalin Dahyabhai <nalin@redhat.com>
- finish marking strings in the init script for translation
- modify init script to source /etc/sysconfig/sshd and pass $OPTIONS to sshd
at startup (change merged from openssh.com init script, originally by
Pekka Savola)
- refuse to do X11 forwarding if xauth isn't there, handy if you enable
it by default on a system that doesn't have X installed
* Wed May 2 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 2.9
- drop various patches that came from or went upstream or to or from CVS
* Wed Apr 18 2001 Nalin Dahyabhai <nalin@redhat.com>
- only require initscripts 5.00 on 6.2 (reported by Peter Bieringer)
* Sun Apr 8 2001 Preston Brown <pbrown@redhat.com>
- remove explicit openssl requirement, fixes builddistro issue
- make initscript stop() function wait until sshd really dead to avoid
races in condrestart
* Mon Apr 2 2001 Nalin Dahyabhai <nalin@redhat.com>
- mention that challengereponse supports PAM, so disabling password doesn't
limit users to pubkey and rsa auth (#34378)
- bypass the daemon() function in the init script and call initlog directly,
because daemon() won't start a daemon it detects is already running (like
open connections)
- require the version of openssl we had when we were built
* Fri Mar 23 2001 Nalin Dahyabhai <nalin@redhat.com>
- make do_pam_setcred() smart enough to know when to establish creds and
when to reinitialize them
- add in a couple of other fixes from Damien for inclusion in the errata
* Thu Mar 22 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 2.5.2p2
- call setcred() again after initgroups, because the "creds" could actually
be group memberships
* Tue Mar 20 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 2.5.2p1 (includes endianness fixes in the rijndael implementation)
- don't enable challenge-response by default until we find a way to not
have too many userauth requests (we may make up to six pubkey and up to
three password attempts as it is)
- remove build dependency on rsh to match openssh.com's packages more closely
* Sat Mar 3 2001 Nalin Dahyabhai <nalin@redhat.com>
- remove dependency on openssl -- would need to be too precise
* Fri Mar 2 2001 Nalin Dahyabhai <nalin@redhat.com>
- rebuild in new environment
* Mon Feb 26 2001 Nalin Dahyabhai <nalin@redhat.com>
- Revert the patch to move pam_open_session.
- Init script and spec file changes from Pekka Savola. (#28750)
- Patch sftp to recognize '-o protocol' arguments. (#29540)
* Thu Feb 22 2001 Nalin Dahyabhai <nalin@redhat.com>
- Chuck the closing patch.
- Add a trigger to add host keys for protocol 2 to the config file, now that
configuration file syntax requires us to specify it with HostKey if we
specify any other HostKey values, which we do.
* Tue Feb 20 2001 Nalin Dahyabhai <nalin@redhat.com>
- Redo patch to move pam_open_session after the server setuid()s to the user.
- Rework the nopam patch to use be picked up by autoconf.
* Mon Feb 19 2001 Nalin Dahyabhai <nalin@redhat.com>
- Update for 2.5.1p1.
- Add init script mods from Pekka Savola.
- Tweak the init script to match the CVS contrib script more closely.
- Redo patch to ssh-add to try to adding both identity and id_dsa to also try
adding id_rsa.
* Fri Feb 16 2001 Nalin Dahyabhai <nalin@redhat.com>
- Update for 2.5.0p1.
- Use $RPM_OPT_FLAGS instead of -O when building gnome-ssh-askpass
- Resync with parts of Damien Miller's openssh.spec from CVS, including
update of x11 askpass to 1.2.0.
- Only require openssl (don't prereq) because we generate keys in the init
script now.
* Tue Feb 13 2001 Nalin Dahyabhai <nalin@redhat.com>
- Don't open a PAM session until we've forked and become the user (#25690).
- Apply Andrew Bartlett's patch for letting pam_authenticate() know which
host the user is attempting a login from.
- Resync with parts of Damien Miller's openssh.spec from CVS.
- Don't expose KbdInt responses in debug messages (from CVS).
- Detect and handle errors in rsa_{public,private}_decrypt (from CVS).
* Wed Feb 7 2001 Trond Eivind Glomsrxd <teg@redhat.com>
- i18n-tweak to initscript.
* Tue Jan 23 2001 Nalin Dahyabhai <nalin@redhat.com>
- More gettextizing.
- Close all files after going into daemon mode (needs more testing).
- Extract patch from CVS to handle auth banners (in the client).
- Extract patch from CVS to handle compat weirdness.
* Fri Jan 19 2001 Nalin Dahyabhai <nalin@redhat.com>
- Finish with the gettextizing.
* Thu Jan 18 2001 Nalin Dahyabhai <nalin@redhat.com>
- Fix a bug in auth2-pam.c (#23877)
- Gettextize the init script.
* Wed Dec 20 2000 Nalin Dahyabhai <nalin@redhat.com>
- Incorporate a switch for using PAM configs for 6.x, just in case.
* Tue Dec 5 2000 Nalin Dahyabhai <nalin@redhat.com>
- Incorporate Bero's changes for a build specifically for rescue CDs.
* Wed Nov 29 2000 Nalin Dahyabhai <nalin@redhat.com>
- Don't treat pam_setcred() failure as fatal unless pam_authenticate() has
succeeded, to allow public-key authentication after a failure with "none"
authentication. (#21268)
* Tue Nov 28 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to x11-askpass 1.1.1. (#21301)
- Don't second-guess fixpaths, which causes paths to get fixed twice. (#21290)
* Mon Nov 27 2000 Nalin Dahyabhai <nalin@redhat.com>
- Merge multiple PAM text messages into subsequent prompts when possible when
doing keyboard-interactive authentication.
* Sun Nov 26 2000 Nalin Dahyabhai <nalin@redhat.com>
- Disable the built-in MD5 password support. We're using PAM.
- Take a crack at doing keyboard-interactive authentication with PAM, and
enable use of it in the default client configuration so that the client
will try it when the server disallows password authentication.
- Build with debugging flags. Build root policies strip all binaries anyway.
* Tue Nov 21 2000 Nalin Dahyabhai <nalin@redhat.com>
- Use DESTDIR instead of %%makeinstall.
- Remove /usr/X11R6/bin from the path-fixing patch.
* Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com>
- Add the primes file from the latest snapshot to the main package (#20884).
- Add the dev package to the prereq list (#19984).
- Remove the default path and mimic login's behavior in the server itself.
* Fri Nov 17 2000 Nalin Dahyabhai <nalin@redhat.com>
- Resync with conditional options in Damien Miller's .spec file for an errata.
- Change libexecdir from %%{_libexecdir}/ssh to %%{_libexecdir}/openssh.
* Tue Nov 7 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to OpenSSH 2.3.0p1.
- Update to x11-askpass 1.1.0.
- Enable keyboard-interactive authentication.
* Mon Oct 30 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to ssh-askpass-x11 1.0.3.
- Change authentication related messages to be private (#19966).
* Tue Oct 10 2000 Nalin Dahyabhai <nalin@redhat.com>
- Patch ssh-keygen to be able to list signatures for DSA public key files
it generates.
* Thu Oct 5 2000 Nalin Dahyabhai <nalin@redhat.com>
- Add BuildRequires on /usr/include/security/pam_appl.h to be sure we always
build PAM authentication in.
- Try setting SSH_ASKPASS if gnome-ssh-askpass is installed.
- Clean out no-longer-used patches.
- Patch ssh-add to try to add both identity and id_dsa, and to error only
when neither exists.
* Mon Oct 2 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update x11-askpass to 1.0.2. (#17835)
- Add BuildRequiress for /bin/login and /usr/bin/rsh so that configure will
always find them in the right place. (#17909)
- Set the default path to be the same as the one supplied by /bin/login, but
add /usr/X11R6/bin. (#17909)
- Try to handle obsoletion of ssh-server more cleanly. Package names
are different, but init script name isn't. (#17865)
* Wed Sep 6 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to 2.2.0p1. (#17835)
- Tweak the init script to allow proper restarting. (#18023)
* Wed Aug 23 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to 20000823 snapshot.
- Change subpackage requirements from %%{version} to %%{version}-%%{release}
- Back out the pipe patch.
* Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to 2.1.1p4, which includes fixes for config file parsing problems.
- Move the init script back.
- Add Damien's quick fix for wackiness.
* Wed Jul 12 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to 2.1.1p3, which includes fixes for X11 forwarding and strtok().
* Thu Jul 6 2000 Nalin Dahyabhai <nalin@redhat.com>
- Move condrestart to server postun.
- Move key generation to init script.
- Actually use the right patch for moving the key generation to the init script.
- Clean up the init script a bit.
* Wed Jul 5 2000 Nalin Dahyabhai <nalin@redhat.com>
- Fix X11 forwarding, from mail post by Chan Shih-Ping Richard.
* Sun Jul 2 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to 2.1.1p2.
- Use of strtok() considered harmful.
* Sat Jul 1 2000 Nalin Dahyabhai <nalin@redhat.com>
- Get the build root out of the man pages.
* Thu Jun 29 2000 Nalin Dahyabhai <nalin@redhat.com>
- Add and use condrestart support in the init script.
- Add newer initscripts as a prereq.
* Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
- Build in new environment (release 2)
- Move -clients subpackage to Applications/Internet group
* Fri Jun 9 2000 Nalin Dahyabhai <nalin@redhat.com>
- Update to 2.2.1p1
* Sat Jun 3 2000 Nalin Dahyabhai <nalin@redhat.com>
- Patch to build with neither RSA nor RSAref.
- Miscellaneous FHS-compliance tweaks.
- Fix for possibly-compressed man pages.
* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
- Updated for new location
- Updated for new gnome-ssh-askpass build
* Sun Dec 26 1999 Damien Miller <djm@mindrot.org>
- Added Jim Knoble's <jmknoble@pobox.com> askpass
* Mon Nov 15 1999 Damien Miller <djm@mindrot.org>
- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com>
* Sat Nov 13 1999 Damien Miller <djm@mindrot.org>
- Added 'Obsoletes' directives
* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au>
- Use make install
- Subpackages
* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au>
- Added links for slogin
- Fixed perms on manpages
* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au>
- Renamed init script
* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au>
- Back to old binary names
* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au>
- Use autoconf
- New binary names
* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au>
- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec.

View File

@ -0,0 +1,106 @@
#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid
# source function library
. /etc/rc.d/init.d/functions
# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
RETVAL=0
prog="sshd"
# Some functions to make the below more readable
SSHD=/usr/sbin/sshd
PID_FILE=/var/run/sshd.pid
do_restart_sanity_check()
{
$SSHD -t
RETVAL=$?
if [ $RETVAL -ne 0 ]; then
failure $"Configuration file or keys are invalid"
echo
fi
}
start()
{
# Create keys if necessary
/usr/bin/ssh-keygen -A
if [ -x /sbin/restorecon ]; then
/sbin/restorecon /etc/ssh/ssh_host_key.pub
/sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub
/sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub
/sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub
fi
echo -n $"Starting $prog:"
$SSHD $OPTIONS && success || failure
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
echo
}
stop()
{
echo -n $"Stopping $prog:"
killproc $SSHD -TERM
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
echo
}
reload()
{
echo -n $"Reloading $prog:"
killproc $SSHD -HUP
RETVAL=$?
echo
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
reload)
reload
;;
condrestart)
if [ -f /var/lock/subsys/sshd ] ; then
do_restart_sanity_check
if [ $RETVAL -eq 0 ] ; then
stop
# avoid race
sleep 3
start
fi
fi
;;
status)
status $SSHD
RETVAL=$?
;;
*)
echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
RETVAL=1
esac
exit $RETVAL

View File

@ -0,0 +1,172 @@
#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid
# source function library
. /etc/rc.d/init.d/functions
# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
RETVAL=0
prog="sshd"
# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
PID_FILE=/var/run/sshd.pid
my_success() {
local msg
if [ $# -gt 1 ]; then
msg="$2"
else
msg="done"
fi
case "`type -type success`" in
function)
success "$1"
;;
*)
echo -n "${msg}"
;;
esac
}
my_failure() {
local msg
if [ $# -gt 1 ]; then
msg="$2"
else
msg="FAILED"
fi
case "`type -type failure`" in
function)
failure "$1"
;;
*)
echo -n "${msg}"
;;
esac
}
do_rsa1_keygen() {
if [ ! -s $RSA1_KEY ]; then
echo -n "Generating SSH1 RSA host key: "
if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
chmod 600 $RSA1_KEY
chmod 644 $RSA1_KEY.pub
my_success "RSA1 key generation"
echo
else
my_failure "RSA1 key generation"
echo
exit 1
fi
fi
}
do_rsa_keygen() {
if [ ! -s $RSA_KEY ]; then
echo -n "Generating SSH2 RSA host key: "
if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
chmod 600 $RSA_KEY
chmod 644 $RSA_KEY.pub
my_success "RSA key generation"
echo
else
my_failure "RSA key generation"
echo
exit 1
fi
fi
}
do_dsa_keygen() {
if [ ! -s $DSA_KEY ]; then
echo -n "Generating SSH2 DSA host key: "
if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
chmod 600 $DSA_KEY
chmod 644 $DSA_KEY.pub
my_success "DSA key generation"
echo
else
my_failure "DSA key generation"
echo
exit 1
fi
fi
}
do_restart_sanity_check() {
$SSHD -t
RETVAL=$?
if [ ! "$RETVAL" = 0 ]; then
my_failure "Configuration file or keys"
echo
fi
}
case "$1" in
start)
# Create keys if necessary
do_rsa1_keygen;
do_rsa_keygen;
do_dsa_keygen;
echo -n "Starting sshd: "
if [ ! -f $PID_FILE ] ; then
sshd $OPTIONS
RETVAL=$?
if [ "$RETVAL" = "0" ] ; then
my_success "sshd startup" "sshd"
touch /var/lock/subsys/sshd
else
my_failure "sshd startup" ""
fi
fi
echo
;;
stop)
echo -n "Shutting down sshd: "
if [ -f $PID_FILE ] ; then
killproc sshd
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
fi
echo
;;
restart)
do_restart_sanity_check
$0 stop
$0 start
RETVAL=$?
;;
condrestart)
if [ -f /var/lock/subsys/sshd ] ; then
do_restart_sanity_check
$0 stop
$0 start
RETVAL=$?
fi
;;
status)
status sshd
RETVAL=$?
;;
*)
echo "Usage: sshd {start|stop|restart|status|condrestart}"
exit 1
;;
esac
exit $RETVAL

View File

@ -0,0 +1,6 @@
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth

View File

@ -0,0 +1,8 @@
#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nodelay
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session required /lib/security/pam_pwdb.so
session required /lib/security/pam_limits.so

View File

@ -0,0 +1,30 @@
The following is a new package build script for Solaris. This is being
introduced into OpenSSH 3.0 and above in hopes of simplifying the build
process. As of 3.1p2 the script should work on all platforms that have
SVR4 style package tools.
The build process is called a 'dummy install'.. Which means the software does
a "make install-nokeys DESTDIR=[fakeroot]". This way all manpages should
be handled correctly and key are defered until the first time the sshd
is started.
Directions:
1. make -F Makefile.in distprep (Only if you are getting from the CVS tree)
2. ./configure --with-pam [..any other options you want..]
3. look at the top of buildpkg.sh for the configurable options and put
any changes you want in openssh-config.local. Additional customizations
can be done to the build process by creating one or more of the following
scripts that will be sourced by buildpkg.sh.
pkg_post_make_install_fixes.sh pkg-post-prototype-edit.sh
pkg-preinstall.local pkg-postinstall.local pkg-preremove.local
pkg-postremove.local pkg-request.local
4. Run "make package"
If all goes well you should have a solaris package ready to be installed.
If you have any problems with this script please post them to
openssh-unix-dev@mindrot.org and I will try to assist you as best as I can.
- Ben Lindstrom

View File

@ -0,0 +1,300 @@
#!/bin/sh
# Copyright (c) 1999-2013 Philip Hands <phil@hands.com>
# 2013 Martin Kletzander <mkletzan@redhat.com>
# 2010 Adeodato =?iso-8859-1?Q?Sim=F3?= <asp16@alu.ua.es>
# 2010 Eric Moret <eric.moret@gmail.com>
# 2009 Xr <xr@i-jeuxvideo.com>
# 2007 Justin Pryzby <justinpryzby@users.sourceforge.net>
# 2004 Reini Urban <rurban@x-ray.at>
# 2003 Colin Watson <cjwatson@debian.org>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Shell script to install your public key(s) on a remote machine
# See the ssh-copy-id(1) man page for details
# check that we have something mildly sane as our shell, or try to find something better
if false ^ printf "%s: WARNING: ancient shell, hunting for a more modern one... " "$0"
then
SANE_SH=${SANE_SH:-/usr/bin/ksh}
if printf 'true ^ false\n' | "$SANE_SH"
then
printf "'%s' seems viable.\n" "$SANE_SH"
exec "$SANE_SH" "$0" "$@"
else
cat <<-EOF
oh dear.
If you have a more recent shell available, that supports \$(...) etc.
please try setting the environment variable SANE_SH to the path of that
shell, and then retry running this script. If that works, please report
a bug describing your setup, and the shell you used to make it work.
EOF
printf "%s: ERROR: Less dimwitted shell required.\n" "$0"
exit 1
fi
fi
DEFAULT_PUB_ID_FILE=$(ls -t ${HOME}/.ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)
usage () {
printf 'Usage: %s [-h|-?|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2
exit 1
}
# escape any single quotes in an argument
quote() {
printf "%s\n" "$1" | sed -e "s/'/'\\\\''/g"
}
use_id_file() {
local L_ID_FILE="$1"
if expr "$L_ID_FILE" : ".*\.pub$" >/dev/null ; then
PUB_ID_FILE="$L_ID_FILE"
else
PUB_ID_FILE="$L_ID_FILE.pub"
fi
PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
# check that the files are readable
for f in $PUB_ID_FILE $PRIV_ID_FILE ; do
ErrMSG=$( { : < $f ; } 2>&1 ) || {
printf "\n%s: ERROR: failed to open ID file '%s': %s\n\n" "$0" "$f" "$(printf "%s\n" "$ErrMSG" | sed -e 's/.*: *//')"
exit 1
}
done
GET_ID="cat \"$PUB_ID_FILE\""
}
if [ -n "$SSH_AUTH_SOCK" ] && ssh-add -L >/dev/null 2>&1 ; then
GET_ID="ssh-add -L"
fi
while test "$#" -gt 0
do
[ "${SEEN_OPT_I}" ] && expr "$1" : "[-]i" >/dev/null && {
printf "\n%s: ERROR: -i option must not be specified more than once\n\n" "$0"
usage
}
OPT= OPTARG=
# implement something like getopt to avoid Solaris pain
case "$1" in
-i?*|-o?*|-p?*)
OPT="$(printf -- "$1"|cut -c1-2)"
OPTARG="$(printf -- "$1"|cut -c3-)"
shift
;;
-o|-p)
OPT="$1"
OPTARG="$2"
shift 2
;;
-i)
OPT="$1"
test "$#" -le 2 || expr "$2" : "[-]" >/dev/null || {
OPTARG="$2"
shift
}
shift
;;
-n|-h|-\?)
OPT="$1"
OPTARG=
shift
;;
--)
shift
while test "$#" -gt 0
do
SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'"
shift
done
break
;;
-*)
printf "\n%s: ERROR: invalid option (%s)\n\n" "$0" "$1"
usage
;;
*)
SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'"
shift
continue
;;
esac
case "$OPT" in
-i)
SEEN_OPT_I="yes"
use_id_file "${OPTARG:-$DEFAULT_PUB_ID_FILE}"
;;
-o|-p)
SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }$OPT '$(quote "$OPTARG")'"
;;
-n)
DRY_RUN=1
;;
-h|-\?)
usage
;;
esac
done
eval set -- "$SAVEARGS"
if [ $# = 0 ] ; then
usage
fi
if [ $# != 1 ] ; then
printf '%s: ERROR: Too many arguments. Expecting a target hostname, got: %s\n\n' "$0" "$SAVEARGS" >&2
usage
fi
# drop trailing colon
USER_HOST=$(printf "%s\n" "$1" | sed 's/:$//')
# tack the hostname onto SSH_OPTS
SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }'$(quote "$USER_HOST")'"
# and populate "$@" for later use (only way to get proper quoting of options)
eval set -- "$SSH_OPTS"
if [ -z "$(eval $GET_ID)" ] && [ -r "${PUB_ID_FILE:=$DEFAULT_PUB_ID_FILE}" ] ; then
use_id_file "$PUB_ID_FILE"
fi
if [ -z "$(eval $GET_ID)" ] ; then
printf '%s: ERROR: No identities found\n' "$0" >&2
exit 1
fi
# populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...)
# and has the side effect of setting $NEW_IDS
populate_new_ids() {
local L_SUCCESS="$1"
# repopulate "$@" inside this function
eval set -- "$SSH_OPTS"
umask 0177
local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then
echo "mktemp failed" 1>&2
exit 1
fi
trap "rm -f $L_TMP_ID_FILE ${L_TMP_ID_FILE}.pub" EXIT TERM INT QUIT
printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
NEW_IDS=$(
eval $GET_ID | {
while read ID ; do
printf '%s\n' "$ID" > $L_TMP_ID_FILE
# the next line assumes $PRIV_ID_FILE only set if using a single id file - this
# assumption will break if we implement the possibility of multiple -i options.
# The point being that if file based, ssh needs the private key, which it cannot
# find if only given the contents of the .pub file in an unrelated tmpfile
ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \
-o PreferredAuthentications=publickey \
-o IdentitiesOnly=yes "$@" exit 2>$L_TMP_ID_FILE.stderr </dev/null
if [ "$?" = "$L_SUCCESS" ] ; then
: > $L_TMP_ID_FILE
else
grep 'Permission denied' $L_TMP_ID_FILE.stderr >/dev/null || {
sed -e 's/^/ERROR: /' <$L_TMP_ID_FILE.stderr >$L_TMP_ID_FILE
cat >/dev/null #consume the other keys, causing loop to end
}
fi
cat $L_TMP_ID_FILE
done
}
)
rm -f $L_TMP_ID_FILE* && trap - EXIT TERM INT QUIT
if expr "$NEW_IDS" : "^ERROR: " >/dev/null ; then
printf '\n%s: %s\n\n' "$0" "$NEW_IDS" >&2
exit 1
fi
if [ -z "$NEW_IDS" ] ; then
printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n\n' "$0" >&2
exit 0
fi
printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
}
REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 |
sed -ne 's/.*remote software version //p')
case "$REMOTE_VERSION" in
NetScreen*)
populate_new_ids 1
for KEY in $(printf "%s" "$NEW_IDS" | cut -d' ' -f2) ; do
KEY_NO=$(($KEY_NO + 1))
printf "%s\n" "$KEY" | grep ssh-dss >/dev/null || {
printf '%s: WARNING: Non-dsa key (#%d) skipped (NetScreen only supports DSA keys)\n' "$0" "$KEY_NO" >&2
continue
}
[ "$DRY_RUN" ] || printf 'set ssh pka-dsa key %s\nsave\nexit\n' "$KEY" | ssh -T "$@" >/dev/null 2>&1
if [ $? = 255 ] ; then
printf '%s: ERROR: installation of key #%d failed (please report a bug describing what caused this, so that we can make this message useful)\n' "$0" "$KEY_NO" >&2
else
ADDED=$(($ADDED + 1))
fi
done
if [ -z "$ADDED" ] ; then
exit 1
fi
;;
*)
# Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect
populate_new_ids 0
[ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" "
umask 077 ;
mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ;
if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \
|| exit 1
ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
;;
esac
if [ "$DRY_RUN" ] ; then
cat <<-EOF
=-=-=-=-=-=-=-=
Would have added the following key(s):
$NEW_IDS
=-=-=-=-=-=-=-=
EOF
else
cat <<-EOF
Number of key(s) added: $ADDED
Now try logging into the machine, with: "ssh $SSH_OPTS"
and check to make sure that only the key(s) you wanted were added.
EOF
fi
# =-=-=-=

View File

@ -0,0 +1,186 @@
.ig \" -*- nroff -*-
Copyright (c) 1999-2013 hands.com Ltd. <http://hands.com/>
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
..
.Dd $Mdocdate: June 17 2010 $
.Dt SSH-COPY-ID 1
.Os
.Sh NAME
.Nm ssh-copy-id
.Nd use locally available keys to authorise logins on a remote machine
.Sh SYNOPSIS
.Nm
.Op Fl n
.Op Fl i Op Ar identity_file
.Op Fl p Ar port
.Op Fl o Ar ssh_option
.Op Ar user Ns @ Ns
.Ar hostname
.Nm
.Fl h | Fl ?
.br
.Sh DESCRIPTION
.Nm
is a script that uses
.Xr ssh 1
to log into a remote machine (presumably using a login password,
so password authentication should be enabled, unless you've done some
clever use of multiple identities). It assembles a list of one or more
fingerprints (as described below) and tries to log in with each key, to
see if any of them are already installed (of course, if you are not using
.Xr ssh-agent 1
this may result in you being repeatedly prompted for pass-phrases).
It then assembles a list of those that failed to log in, and using ssh,
enables logins with those keys on the remote server. By default it adds
the keys by appending them to the remote user's
.Pa ~/.ssh/authorized_keys
(creating the file, and directory, if necessary). It is also capable
of detecting if the remote system is a NetScreen, and using its
.Ql set ssh pka-dsa key ...
command instead.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl i Ar identity_file
Use only the key(s) contained in
.Ar identity_file
(rather than looking for identities via
.Xr ssh-add 1
or in the
.Ic default_ID_file ) .
If the filename does not end in
.Pa .pub
this is added. If the filename is omitted, the
.Ic default_ID_file
is used.
.Pp
Note that this can be used to ensure that the keys copied have the
comment one prefers and/or extra options applied, by ensuring that the
key file has these set as preferred before the copy is attempted.
.It Fl n
do a dry-run. Instead of installing keys on the remote system simply
prints the key(s) that would have been installed.
.It Fl h , Fl ?
Print Usage summary
.It Fl p Ar port , Fl o Ar ssh_option
These two options are simply passed through untouched, along with their
argument, to allow one to set the port or other
.Xr ssh 1
options, respectively.
.Pp
Rather than specifying these as command line options, it is often better to use (per-host) settings in
.Xr ssh 1 Ns 's
configuration file:
.Xr ssh_config 5 .
.El
.Pp
Default behaviour without
.Fl i ,
is to check if
.Ql ssh-add -L
provides any output, and if so those keys are used. Note that this results in
the comment on the key being the filename that was given to
.Xr ssh-add 1
when the key was loaded into your
.Xr ssh-agent 1
rather than the comment contained in that file, which is a bit of a shame.
Otherwise, if
.Xr ssh-add 1
provides no keys contents of the
.Ic default_ID_file
will be used.
.Pp
The
.Ic default_ID_file
is the most recent file that matches:
.Pa ~/.ssh/id*.pub ,
(excluding those that match
.Pa ~/.ssh/*-cert.pub )
so if you create a key that is not the one you want
.Nm
to use, just use
.Xr touch 1
on your preferred key's
.Pa .pub
file to reinstate it as the most recent.
.Pp
.Sh EXAMPLES
If you have already installed keys from one system on a lot of remote
hosts, and you then create a new key, on a new client machine, say,
it can be difficult to keep track of which systems on which you've
installed the new key. One way of dealing with this is to load both
the new key and old key(s) into your
.Xr ssh-agent 1 .
Load the new key first, without the
.Fl c
option, then load one or more old keys into the agent, possibly by
ssh-ing to the client machine that has that old key, using the
.Fl A
option to allow agent forwarding:
.Pp
.D1 user@newclient$ ssh-add
.D1 user@newclient$ ssh -A old.client
.D1 user@oldl$ ssh-add -c
.D1 No ... prompt for pass-phrase ...
.D1 user@old$ logoff
.D1 user@newclient$ ssh someserver
.Pp
now, if the new key is installed on the server, you'll be allowed in
unprompted, whereas if you only have the old key(s) enabled, you'll be
asked for confirmation, which is your cue to log back out and run
.Pp
.D1 user@newclient$ ssh-copy-id -i someserver
.Pp
The reason you might want to specify the -i option in this case is to
ensure that the comment on the installed key is the one from the
.Pa .pub
file, rather than just the filename that was loaded into you agent.
It also ensures that only the id you intended is installed, rather than
all the keys that you have in your
.Xr ssh-agent 1 .
Of course, you can specify another id, or use the contents of the
.Xr ssh-agent 1
as you prefer.
.Pp
Having mentioned
.Xr ssh-add 1 Ns 's
.Fl c
option, you might consider using this whenever using agent forwarding
to avoid your key being hijacked, but it is much better to instead use
.Xr ssh 1 Ns 's
.Ar ProxyCommand
and
.Fl W
option,
to bounce through remote servers while always doing direct end-to-end
authentication. This way the middle hop(s) don't get access to your
.Xr ssh-agent 1 .
A web search for
.Ql ssh proxycommand nc
should prove enlightening (N.B. the modern approach is to use the
.Fl W
option, rather than
.Xr nc 1 ) .
.Sh "SEE ALSO"
.Xr ssh 1 ,
.Xr ssh-agent 1 ,
.Xr sshd 8

View File

@ -0,0 +1,5 @@
sshd auth required pam_unix.so try_first_pass
sshd account required pam_unix.so
sshd password required pam_permit.so
sshd session required pam_permit.so

View File

@ -0,0 +1,8 @@
#%PAM-1.0
auth required /lib/security/pam_unix.so shadow nodelay
account required /lib/security/pam_nologin.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_unix.so shadow nullok use_authtok
session required /lib/security/pam_unix.so
session required /lib/security/pam_limits.so

View File

@ -0,0 +1,246 @@
# Default values for additional components
%define build_x11_askpass 1
# Define the UID/GID to use for privilege separation
%define sshd_gid 65
%define sshd_uid 71
# The version of x11-ssh-askpass to use
%define xversion 1.2.4.1
# Allow the ability to override defaults with -D skip_xxx=1
%{?skip_x11_askpass:%define build_x11_askpass 0}
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
Name: openssh
Version: 6.3p1
URL: http://www.openssh.com/
Release: 1
Source0: openssh-%{version}.tar.gz
Source1: x11-ssh-askpass-%{xversion}.tar.gz
License: BSD
Group: Productivity/Networking/SSH
BuildRoot: %{_tmppath}/openssh-%{version}-buildroot
PreReq: openssl
Obsoletes: ssh
Provides: ssh
#
# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.)
# building prerequisites -- stuff for
# OpenSSL (openssl-devel),
# TCP Wrappers (tcpd-devel),
# and Gnome (glibdev, gtkdev, and gnlibsd)
#
BuildPrereq: openssl
BuildPrereq: tcpd-devel
BuildPrereq: zlib-devel
#BuildPrereq: glibdev
#BuildPrereq: gtkdev
#BuildPrereq: gnlibsd
%package askpass
Summary: A passphrase dialog for OpenSSH and the X window System.
Group: Productivity/Networking/SSH
Requires: openssh = %{version}
Obsoletes: ssh-extras
Provides: openssh:${_libdir}/ssh/ssh-askpass
%if %{build_x11_askpass}
BuildPrereq: XFree86-devel
%endif
%description
Ssh (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine. It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.
OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
up to date in terms of security and features, as well as removing all
patented algorithms to seperate libraries (OpenSSL).
This package includes all files necessary for both the OpenSSH
client and server.
%description askpass
Ssh (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine. It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.
OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
up to date in terms of security and features, as well as removing all
patented algorithms to seperate libraries (OpenSSL).
This package contains an X Window System passphrase dialog for OpenSSH.
%changelog
* Wed Oct 26 2005 Iain Morgan <imorgan@nas.nasa.gov>
- Removed accidental inclusion of --without-zlib-version-check
* Tue Oct 25 2005 Iain Morgan <imorgan@nas.nasa.gov>
- Overhaul to deal with newer versions of SuSE and OpenSSH
* Mon Jun 12 2000 Damien Miller <djm@mindrot.org>
- Glob manpages to catch compressed files
* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
- Updated for new location
- Updated for new gnome-ssh-askpass build
* Sun Dec 26 1999 Chris Saia <csaia@wtower.com>
- Made symlink to gnome-ssh-askpass called ssh-askpass
* Wed Nov 24 1999 Chris Saia <csaia@wtower.com>
- Removed patches that included /etc/pam.d/sshd, /sbin/init.d/rc.sshd, and
/var/adm/fillup-templates/rc.config.sshd, since Damien merged these into
his released tarfile
- Changed permissions on ssh_config in the install procedure to 644 from 600
even though it was correct in the %files section and thus right in the RPMs
- Postinstall script for the server now only prints "Generating SSH host
key..." if we need to actually do this, in order to eliminate a confusing
message if an SSH host key is already in place
- Marked all manual pages as %doc(umentation)
* Mon Nov 22 1999 Chris Saia <csaia@wtower.com>
- Added flag to configure daemon with TCP Wrappers support
- Added building prerequisites (works in RPM 3.0 and newer)
* Thu Nov 18 1999 Chris Saia <csaia@wtower.com>
- Made this package correct for SuSE.
- Changed instances of pam_pwdb.so to pam_unix.so, since it works more properly
with SuSE, and lib_pwdb.so isn't installed by default.
* Mon Nov 15 1999 Damien Miller <djm@mindrot.org>
- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com>
* Sat Nov 13 1999 Damien Miller <djm@mindrot.org>
- Added 'Obsoletes' directives
* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au>
- Use make install
- Subpackages
* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au>
- Added links for slogin
- Fixed perms on manpages
* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au>
- Renamed init script
* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au>
- Back to old binary names
* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au>
- Use autoconf
- New binary names
* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au>
- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec.
%prep
%if %{build_x11_askpass}
%setup -q -a 1
%else
%setup -q
%endif
%build
CFLAGS="$RPM_OPT_FLAGS" \
%configure --prefix=/usr \
--sysconfdir=%{_sysconfdir}/ssh \
--mandir=%{_mandir} \
--with-privsep-path=/var/lib/empty \
--with-pam \
--with-tcp-wrappers \
--libexecdir=%{_libdir}/ssh
make
%if %{build_x11_askpass}
cd x11-ssh-askpass-%{xversion}
%configure --mandir=/usr/X11R6/man \
--libexecdir=%{_libdir}/ssh
xmkmf -a
make
cd ..
%endif
%install
rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT/
install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/init.d/
install -d $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m644 contrib/sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/etc/init.d/sshd
install -m744 contrib/suse/sysconfig.ssh \
$RPM_BUILD_ROOT/var/adm/fillup-templates
%if %{build_x11_askpass}
cd x11-ssh-askpass-%{xversion}
make install install.man BINDIR=%{_libdir}/ssh DESTDIR=$RPM_BUILD_ROOT/
rm -f $RPM_BUILD_ROOT/usr/share/Ssh.bin
%endif
%clean
rm -rf $RPM_BUILD_ROOT
%pre
/usr/sbin/groupadd -g %{sshd_gid} -o -r sshd 2> /dev/null || :
/usr/sbin/useradd -r -o -g sshd -u %{sshd_uid} -s /bin/false -c "SSH Privilege Separation User" -d /var/lib/sshd sshd 2> /dev/null || :
%post
/usr/bin/ssh-keygen -A
%{fillup_and_insserv -n -y ssh sshd}
%run_permissions
%verifyscript
%verify_permissions -e /etc/ssh/sshd_config -e /etc/ssh/ssh_config -e /usr/bin/ssh
%preun
%stop_on_removal sshd
%postun
%restart_on_update sshd
%{insserv_cleanup}
%files
%defattr(-,root,root)
%doc ChangeLog OVERVIEW README* PROTOCOL*
%doc TODO CREDITS LICENCE
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
%attr(0755,root,root) %config /etc/init.d/sshd
%attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(0755,root,root) %{_bindir}/scp
%attr(0755,root,root) %{_bindir}/ssh
%attr(-,root,root) %{_bindir}/slogin
%attr(0755,root,root) %{_bindir}/ssh-agent
%attr(0755,root,root) %{_bindir}/ssh-add
%attr(0755,root,root) %{_bindir}/ssh-keyscan
%attr(0755,root,root) %{_bindir}/sftp
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %dir %{_libdir}/ssh
%attr(0755,root,root) %{_libdir}/ssh/sftp-server
%attr(4711,root,root) %{_libdir}/ssh/ssh-keysign
%attr(0755,root,root) %{_libdir}/ssh/ssh-pkcs11-helper
%attr(0644,root,root) %doc %{_mandir}/man1/scp.1*
%attr(0644,root,root) %doc %{_mandir}/man1/sftp.1*
%attr(-,root,root) %doc %{_mandir}/man1/slogin.1*
%attr(0644,root,root) %doc %{_mandir}/man1/ssh.1*
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-add.1*
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-agent.1*
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keygen.1*
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keyscan.1*
%attr(0644,root,root) %doc %{_mandir}/man5/moduli.5*
%attr(0644,root,root) %doc %{_mandir}/man5/ssh_config.5*
%attr(0644,root,root) %doc %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %doc %{_mandir}/man8/sftp-server.8*
%attr(0644,root,root) %doc %{_mandir}/man8/ssh-keysign.8*
%attr(0644,root,root) %doc %{_mandir}/man8/ssh-pkcs11-helper.8*
%attr(0644,root,root) %doc %{_mandir}/man8/sshd.8*
%attr(0644,root,root) /var/adm/fillup-templates/sysconfig.ssh
%if %{build_x11_askpass}
%files askpass
%defattr(-,root,root)
%doc x11-ssh-askpass-%{xversion}/README
%doc x11-ssh-askpass-%{xversion}/ChangeLog
%doc x11-ssh-askpass-%{xversion}/SshAskpass*.ad
%attr(0755,root,root) %{_libdir}/ssh/ssh-askpass
%attr(0755,root,root) %{_libdir}/ssh/x11-ssh-askpass
%attr(0644,root,root) %doc /usr/X11R6/man/man1/ssh-askpass.1x*
%attr(0644,root,root) %doc /usr/X11R6/man/man1/x11-ssh-askpass.1x*
%attr(0644,root,root) %config /usr/X11R6/lib/X11/app-defaults/SshAskpass
%endif

View File

@ -0,0 +1,5 @@
#
# Start the Secure Shell (SSH) Daemon?
#
START_SSHD="yes"

View File

@ -0,0 +1,121 @@
#! /bin/sh
# Copyright (c) 1995-2000 SuSE GmbH Nuernberg, Germany.
#
# Author: Jiri Smid <feedback@suse.de>
#
# /etc/init.d/sshd
#
# and symbolic its link
#
# /usr/sbin/rcsshd
#
### BEGIN INIT INFO
# Provides: sshd
# Required-Start: $network $remote_fs
# Required-Stop: $network $remote_fs
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Description: Start the sshd daemon
### END INIT INFO
SSHD_BIN=/usr/sbin/sshd
test -x $SSHD_BIN || exit 5
SSHD_SYSCONFIG=/etc/sysconfig/ssh
test -r $SSHD_SYSCONFIG || exit 6
. $SSHD_SYSCONFIG
SSHD_PIDFILE=/var/run/sshd.init.pid
. /etc/rc.status
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v ditto but be verbose in local rc status
# rc_status -v -r ditto and clear the local rc status
# rc_failed set local and overall rc status to failed
# rc_reset clear local rc status (overall remains)
# rc_exit exit appropriate to overall rc status
# First reset status of this service
rc_reset
case "$1" in
start)
# Generate any missing host keys
ssh-keygen -A
echo -n "Starting SSH daemon"
## Start daemon with startproc(8). If this fails
## the echo return value is set appropriate.
startproc -f -p $SSHD_PIDFILE $SSHD_BIN $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE"
# Remember status and be verbose
rc_status -v
;;
stop)
echo -n "Shutting down SSH daemon"
## Stop daemon with killproc(8) and if this fails
## set echo the echo return value.
killproc -p $SSHD_PIDFILE -TERM $SSHD_BIN
# Remember status and be verbose
rc_status -v
;;
try-restart)
## Stop the service and if this succeeds (i.e. the
## service was running before), start it again.
$0 status >/dev/null && $0 restart
# Remember status and be quiet
rc_status
;;
restart)
## Stop the service and regardless of whether it was
## running or not, start it again.
$0 stop
$0 start
# Remember status and be quiet
rc_status
;;
force-reload|reload)
## Signal the daemon to reload its config. Most daemons
## do this on signal 1 (SIGHUP).
echo -n "Reload service sshd"
killproc -p $SSHD_PIDFILE -HUP $SSHD_BIN
rc_status -v
;;
status)
echo -n "Checking for service sshd "
## Check status with checkproc(8), if process is running
## checkproc will return with exit status 0.
# Status has a slightly different for the status command:
# 0 - service running
# 1 - service dead, but /var/run/ pid file exists
# 2 - service dead, but /var/lock/ lock file exists
# 3 - service not running
checkproc -p $SSHD_PIDFILE $SSHD_BIN
rc_status -v
;;
probe)
## Optional: Probe for the necessity of a reload,
## give out the argument which is required for a reload.
test /etc/ssh/sshd_config -nt $SSHD_PIDFILE && echo reload
;;
*)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1
;;
esac
rc_exit

View File

@ -0,0 +1,9 @@
## Path: Network/Remote access/SSH
## Description: SSH server settings
## Type: string
## Default: ""
## ServiceRestart: sshd
#
# Options for sshd
#
SSHD_OPTS=""

251
crypto/openssh/install-sh Executable file
View File

@ -0,0 +1,251 @@
#!/bin/sh
#
# install - install a program, script, or datafile
# This comes from X11R5 (mit/util/scripts/install.sh).
#
# Copyright 1991 by the Massachusetts Institute of Technology
#
# Permission to use, copy, modify, distribute, and sell this software and its
# documentation for any purpose is hereby granted without fee, provided that
# the above copyright notice appear in all copies and that both that
# copyright notice and this permission notice appear in supporting
# documentation, and that the name of M.I.T. not be used in advertising or
# publicity pertaining to distribution of the software without specific,
# written prior permission. M.I.T. makes no representations about the
# suitability of this software for any purpose. It is provided "as is"
# without express or implied warranty.
#
# Calling this script install-sh is preferred over install.sh, to prevent
# `make' implicit rules from creating a file called install from it
# when there is no Makefile.
#
# This script is compatible with the BSD install script, but was written
# from scratch. It can only install one file at a time, a restriction
# shared with many OS's install programs.
# set DOITPROG to echo to test this script
# Don't use :- since 4.3BSD and earlier shells don't like it.
doit="${DOITPROG-}"
# put in absolute paths if you don't have them in your path; or use env. vars.
mvprog="${MVPROG-mv}"
cpprog="${CPPROG-cp}"
chmodprog="${CHMODPROG-chmod}"
chownprog="${CHOWNPROG-chown}"
chgrpprog="${CHGRPPROG-chgrp}"
stripprog="${STRIPPROG-strip}"
rmprog="${RMPROG-rm}"
mkdirprog="${MKDIRPROG-mkdir}"
transformbasename=""
transform_arg=""
instcmd="$mvprog"
chmodcmd="$chmodprog 0755"
chowncmd=""
chgrpcmd=""
stripcmd=""
rmcmd="$rmprog -f"
mvcmd="$mvprog"
src=""
dst=""
dir_arg=""
while [ x"$1" != x ]; do
case $1 in
-c) instcmd="$cpprog"
shift
continue;;
-d) dir_arg=true
shift
continue;;
-m) chmodcmd="$chmodprog $2"
shift
shift
continue;;
-o) chowncmd="$chownprog $2"
shift
shift
continue;;
-g) chgrpcmd="$chgrpprog $2"
shift
shift
continue;;
-s) stripcmd="$stripprog"
shift
continue;;
-t=*) transformarg=`echo $1 | sed 's/-t=//'`
shift
continue;;
-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
shift
continue;;
*) if [ x"$src" = x ]
then
src=$1
else
# this colon is to work around a 386BSD /bin/sh bug
:
dst=$1
fi
shift
continue;;
esac
done
if [ x"$src" = x ]
then
echo "install: no input file specified"
exit 1
else
true
fi
if [ x"$dir_arg" != x ]; then
dst=$src
src=""
if [ -d $dst ]; then
instcmd=:
chmodcmd=""
else
instcmd=mkdir
fi
else
# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
# might cause directories to be created, which would be especially bad
# if $src (and thus $dsttmp) contains '*'.
if [ -f $src -o -d $src ]
then
true
else
echo "install: $src does not exist"
exit 1
fi
if [ x"$dst" = x ]
then
echo "install: no destination specified"
exit 1
else
true
fi
# If destination is a directory, append the input filename; if your system
# does not like double slashes in filenames, you may need to add some logic
if [ -d $dst ]
then
dst="$dst"/`basename $src`
else
true
fi
fi
## this sed command emulates the dirname command
dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
# Make sure that the destination directory exists.
# this part is taken from Noah Friedman's mkinstalldirs script
# Skip lots of stat calls in the usual case.
if [ ! -d "$dstdir" ]; then
defaultIFS='
'
IFS="${IFS-${defaultIFS}}"
oIFS="${IFS}"
# Some sh's can't handle IFS=/ for some reason.
IFS='%'
set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
IFS="${oIFS}"
pathcomp=''
while [ $# -ne 0 ] ; do
pathcomp="${pathcomp}${1}"
shift
if [ ! -d "${pathcomp}" ] ;
then
$mkdirprog "${pathcomp}"
else
true
fi
pathcomp="${pathcomp}/"
done
fi
if [ x"$dir_arg" != x ]
then
$doit $instcmd $dst &&
if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
else
# If we're going to rename the final executable, determine the name now.
if [ x"$transformarg" = x ]
then
dstfile=`basename $dst`
else
dstfile=`basename $dst $transformbasename |
sed $transformarg`$transformbasename
fi
# don't allow the sed command to completely eliminate the filename
if [ x"$dstfile" = x ]
then
dstfile=`basename $dst`
else
true
fi
# Make a temp file name in the proper directory.
dsttmp=$dstdir/#inst.$$#
# Move or copy the file name to the temp name
$doit $instcmd $src $dsttmp &&
trap "rm -f ${dsttmp}" 0 &&
# and set any options; do chmod last to preserve setuid bits
# If any of these fail, we abort the whole thing. If we want to
# ignore errors from any of these, just make sure not to ignore
# errors from the above "$doit $instcmd $src $dsttmp" command.
if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
# Now rename the file to the real destination.
$doit $rmcmd -f $dstdir/$dstfile &&
$doit $mvcmd $dsttmp $dstdir/$dstfile
fi &&
exit 0

370
crypto/openssh/mdoc2man.awk Normal file
View File

@ -0,0 +1,370 @@
#!/usr/bin/awk
#
# $Id: mdoc2man.awk,v 1.9 2009/10/24 00:52:42 dtucker Exp $
#
# Version history:
# v4+ Adapted for OpenSSH Portable (see cvs Id and history)
# v3, I put the program under a proper license
# Dan Nelson <dnelson@allantgroup.com> added .An, .Aq and fixed a typo
# v2, fixed to work on GNU awk --posix and MacOS X
# v1, first attempt, didn't work on MacOS X
#
# Copyright (c) 2003 Peter Stuge <stuge-mdoc2man@cdy.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
BEGIN {
optlist=0
oldoptlist=0
nospace=0
synopsis=0
reference=0
block=0
ext=0
extopt=0
literal=0
prenl=0
breakw=0
line=""
}
function wtail() {
retval=""
while(w<nwords) {
if(length(retval))
retval=retval OFS
retval=retval words[++w]
}
return retval
}
function add(str) {
for(;prenl;prenl--)
line=line "\n"
line=line str
}
! /^\./ {
for(;prenl;prenl--)
print ""
print
if(literal)
print ".br"
next
}
/^\.\\"/ { next }
{
option=0
parens=0
angles=0
sub("^\\.","")
nwords=split($0,words)
for(w=1;w<=nwords;w++) {
skip=0
if(match(words[w],"^Li|Pf$")) {
skip=1
} else if(match(words[w],"^Xo$")) {
skip=1
ext=1
if(length(line)&&!(match(line," $")||prenl))
add(OFS)
} else if(match(words[w],"^Xc$")) {
skip=1
ext=0
if(!extopt)
prenl++
w=nwords
} else if(match(words[w],"^Bd$")) {
skip=1
if(match(words[w+1],"-literal")) {
literal=1
prenl++
w=nwords
}
} else if(match(words[w],"^Ed$")) {
skip=1
literal=0
} else if(match(words[w],"^Ns$")) {
skip=1
if(!nospace)
nospace=1
sub(" $","",line)
} else if(match(words[w],"^No$")) {
skip=1
sub(" $","",line)
add(words[++w])
} else if(match(words[w],"^Dq$")) {
skip=1
add("``")
add(words[++w])
while(w<nwords&&!match(words[w+1],"^[\\.,]"))
add(OFS words[++w])
add("''")
if(!nospace&&match(words[w+1],"^[\\.,]"))
nospace=1
} else if(match(words[w],"^Sq|Ql$")) {
skip=1
add("`" words[++w] "'")
if(!nospace&&match(words[w+1],"^[\\.,]"))
nospace=1
} else if(match(words[w],"^Oo$")) {
skip=1
extopt=1
if(!nospace)
nospace=1
add("[")
} else if(match(words[w],"^Oc$")) {
skip=1
extopt=0
add("]")
}
if(!skip) {
if(!nospace&&length(line)&&!(match(line," $")||prenl))
add(OFS)
if(nospace==1)
nospace=0
}
if(match(words[w],"^Dd$")) {
if(match(words[w+1],"^\\$Mdocdate:")) {
w++;
if(match(words[w+4],"^\\$$")) {
words[w+4] = ""
}
}
date=wtail()
next
} else if(match(words[w],"^Dt$")) {
id=wtail()
next
} else if(match(words[w],"^Ux$")) {
add("UNIX")
skip=1
} else if(match(words[w],"^Ox$")) {
add("OpenBSD")
skip=1
} else if(match(words[w],"^Os$")) {
add(".TH " id " \"" date "\" \"" wtail() "\"")
} else if(match(words[w],"^Sh$")) {
add(".SH")
synopsis=match(words[w+1],"SYNOPSIS")
} else if(match(words[w],"^Xr$")) {
add("\\fB" words[++w] "\\fP(" words[++w] ")" words[++w])
} else if(match(words[w],"^Rs$")) {
split("",refauthors)
nrefauthors=0
reftitle=""
refissue=""
refdate=""
refopt=""
refreport=""
reference=1
next
} else if(match(words[w],"^Re$")) {
prenl++
for(i=nrefauthors-1;i>0;i--) {
add(refauthors[i])
if(i>1)
add(", ")
}
if(nrefauthors>1)
add(" and ")
if(nrefauthors>0)
add(refauthors[0] ", ")
add("\\fI" reftitle "\\fP")
if(length(refissue))
add(", " refissue)
if(length(refreport)) {
add(", " refreport)
}
if(length(refdate))
add(", " refdate)
if(length(refopt))
add(", " refopt)
add(".")
reference=0
} else if(reference) {
if(match(words[w],"^%A$")) { refauthors[nrefauthors++]=wtail() }
if(match(words[w],"^%T$")) {
reftitle=wtail()
sub("^\"","",reftitle)
sub("\"$","",reftitle)
}
if(match(words[w],"^%N$")) { refissue=wtail() }
if(match(words[w],"^%D$")) { refdate=wtail() }
if(match(words[w],"^%O$")) { refopt=wtail() }
if(match(words[w],"^%R$")) { refreport=wtail() }
} else if(match(words[w],"^Nm$")) {
if(synopsis) {
add(".br")
prenl++
}
n=words[++w]
if(!length(name))
name=n
if(!length(n))
n=name
add("\\fB" n "\\fP")
if(!nospace&&match(words[w+1],"^[\\.,]"))
nospace=1
} else if(match(words[w],"^Nd$")) {
add("\\- " wtail())
} else if(match(words[w],"^Fl$")) {
add("\\fB\\-" words[++w] "\\fP")
if(!nospace&&match(words[w+1],"^[\\.,]"))
nospace=1
} else if(match(words[w],"^Ar$")) {
add("\\fI")
if(w==nwords)
add("file ...\\fP")
else {
add(words[++w] "\\fP")
while(match(words[w+1],"^\\|$"))
add(OFS words[++w] " \\fI" words[++w] "\\fP")
}
if(!nospace&&match(words[w+1],"^[\\.,]"))
nospace=1
} else if(match(words[w],"^Cm$")) {
add("\\fB" words[++w] "\\fP")
while(w<nwords&&match(words[w+1],"^[\\.,:;)]"))
add(words[++w])
} else if(match(words[w],"^Op$")) {
option=1
if(!nospace)
nospace=1
add("[")
} else if(match(words[w],"^Pp$")) {
prenl++
} else if(match(words[w],"^An$")) {
prenl++
} else if(match(words[w],"^Ss$")) {
add(".SS")
} else if(match(words[w],"^Pa$")&&!option) {
add("\\fI")
w++
if(match(words[w],"^\\."))
add("\\&")
add(words[w] "\\fP")
while(w<nwords&&match(words[w+1],"^[\\.,:;)]"))
add(words[++w])
} else if(match(words[w],"^Dv$")) {
add(".BR")
} else if(match(words[w],"^Em|Ev$")) {
add(".IR")
} else if(match(words[w],"^Pq$")) {
add("(")
nospace=1
parens=1
} else if(match(words[w],"^Aq$")) {
add("<")
nospace=1
angles=1
} else if(match(words[w],"^S[xy]$")) {
add(".B " wtail())
} else if(match(words[w],"^Ic$")) {
plain=1
add("\\fB")
while(w<nwords) {
w++
if(match(words[w],"^Op$")) {
w++
add("[")
words[nwords]=words[nwords] "]"
}
if(match(words[w],"^Ar$")) {
add("\\fI" words[++w] "\\fP")
} else if(match(words[w],"^[\\.,]")) {
sub(" $","",line)
if(plain) {
add("\\fP")
plain=0
}
add(words[w])
} else {
if(!plain) {
add("\\fB")
plain=1
}
add(words[w])
}
if(!nospace)
add(OFS)
}
sub(" $","",line)
if(plain)
add("\\fP")
} else if(match(words[w],"^Bl$")) {
oldoptlist=optlist
if(match(words[w+1],"-bullet"))
optlist=1
else if(match(words[w+1],"-enum")) {
optlist=2
enum=0
} else if(match(words[w+1],"-tag"))
optlist=3
else if(match(words[w+1],"-item"))
optlist=4
else if(match(words[w+1],"-bullet"))
optlist=1
w=nwords
} else if(match(words[w],"^El$")) {
optlist=oldoptlist
} else if(match(words[w],"^Bk$")) {
if(match(words[w+1],"-words")) {
w++
breakw=1
}
} else if(match(words[w],"^Ek$")) {
breakw=0
} else if(match(words[w],"^It$")&&optlist) {
if(optlist==1)
add(".IP \\(bu")
else if(optlist==2)
add(".IP " ++enum ".")
else if(optlist==3) {
add(".TP")
prenl++
if(match(words[w+1],"^Pa$|^Ev$")) {
add(".B")
w++
}
} else if(optlist==4)
add(".IP")
} else if(match(words[w],"^Sm$")) {
if(match(words[w+1],"off"))
nospace=2
else if(match(words[w+1],"on"))
nospace=0
w++
} else if(!skip) {
add(words[w])
}
}
if(match(line,"^\\.[^a-zA-Z]"))
sub("^\\.","",line)
if(parens)
add(")")
if(angles)
add(">")
if(option)
add("]")
if(ext&&!extopt&&!match(line," $"))
add(OFS)
if(!ext&&!extopt&&length(line)) {
print line
prenl=0
line=""
}
}

74
crypto/openssh/moduli.0 Normal file
View File

@ -0,0 +1,74 @@
MODULI(5) OpenBSD Programmer's Manual MODULI(5)
NAME
moduli - Diffie-Hellman moduli
DESCRIPTION
The /etc/moduli file contains prime numbers and generators for use by
sshd(8) in the Diffie-Hellman Group Exchange key exchange method.
New moduli may be generated with ssh-keygen(1) using a two-step process.
An initial candidate generation pass, using ssh-keygen -G, calculates
numbers that are likely to be useful. A second primality testing pass,
using ssh-keygen -T, provides a high degree of assurance that the numbers
are prime and are safe for use in Diffie-Hellman operations by sshd(8).
This moduli format is used as the output from each pass.
The file consists of newline-separated records, one per modulus,
containing seven space-separated fields. These fields are as follows:
timestamp The time that the modulus was last processed as
YYYYMMDDHHMMSS.
type Decimal number specifying the internal structure of
the prime modulus. Supported types are:
0 Unknown, not tested.
2 "Safe" prime; (p-1)/2 is also prime.
4 Sophie Germain; 2p+1 is also prime.
Moduli candidates initially produced by ssh-keygen(1)
are Sophie Germain primes (type 4). Further primality
testing with ssh-keygen(1) produces safe prime moduli
(type 2) that are ready for use in sshd(8). Other
types are not used by OpenSSH.
tests Decimal number indicating the type of primality tests
that the number has been subjected to represented as a
bitmask of the following values:
0x00 Not tested.
0x01 Composite number - not prime.
0x02 Sieve of Eratosthenes.
0x04 Probabilistic Miller-Rabin primality tests.
The ssh-keygen(1) moduli candidate generation uses the
Sieve of Eratosthenes (flag 0x02). Subsequent
ssh-keygen(1) primality tests are Miller-Rabin tests
(flag 0x04).
trials Decimal number indicating the number of primality
trials that have been performed on the modulus.
size Decimal number indicating the size of the prime in
bits.
generator The recommended generator for use with this modulus
(hexadecimal).
modulus The modulus itself in hexadecimal.
When performing Diffie-Hellman Group Exchange, sshd(8) first estimates
the size of the modulus required to produce enough Diffie-Hellman output
to sufficiently key the selected symmetric cipher. sshd(8) then randomly
selects a modulus from /etc/moduli that best meets the size requirement.
SEE ALSO
ssh-keygen(1), sshd(8)
STANDARDS
M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for
the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006,
2006.
OpenBSD 5.4 September 26, 2012 OpenBSD 5.4

99
crypto/openssh/nchan.ms Normal file
View File

@ -0,0 +1,99 @@
.\" $OpenBSD: nchan.ms,v 1.8 2003/11/21 11:57:03 djm Exp $
.\"
.\"
.\" Copyright (c) 1999 Markus Friedl. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.TL
OpenSSH Channel Close Protocol 1.5 Implementation
.SH
Channel Input State Diagram
.PS
reset
l=1
s=1.2
ellipsewid=s*ellipsewid
boxwid=s*boxwid
ellipseht=s*ellipseht
S1: ellipse "INPUT" "OPEN"
move right 2*l from last ellipse.e
S4: ellipse "INPUT" "CLOSED"
move down l from last ellipse.s
S3: ellipse "INPUT" "WAIT" "OCLOSED"
move down l from 1st ellipse.s
S2: ellipse "INPUT" "WAIT" "DRAIN"
arrow "" "rcvd OCLOSE/" "shutdown_read" "send IEOF" from S1.e to S4.w
arrow "ibuf_empty/" "send IEOF" from S2.e to S3.w
arrow from S1.s to S2.n
box invis "read_failed/" "shutdown_read" with .e at last arrow.c
arrow from S3.n to S4.s
box invis "rcvd OCLOSE/" "-" with .w at last arrow.c
ellipse wid .9*ellipsewid ht .9*ellipseht at S4
arrow "start" "" from S1.w+(-0.5,0) to S1.w
arrow from S2.ne to S4.sw
box invis "rcvd OCLOSE/ " with .e at last arrow.c
box invis " send IEOF" with .w at last arrow.c
.PE
.SH
Channel Output State Diagram
.PS
S1: ellipse "OUTPUT" "OPEN"
move right 2*l from last ellipse.e
S3: ellipse "OUTPUT" "WAIT" "IEOF"
move down l from last ellipse.s
S4: ellipse "OUTPUT" "CLOSED"
move down l from 1st ellipse.s
S2: ellipse "OUTPUT" "WAIT" "DRAIN"
arrow "" "write_failed/" "shutdown_write" "send OCLOSE" from S1.e to S3.w
arrow "obuf_empty ||" "write_failed/" "shutdown_write" "send OCLOSE" from S2.e to S4.w
arrow from S1.s to S2.n
box invis "rcvd IEOF/" "-" with .e at last arrow.c
arrow from S3.s to S4.n
box invis "rcvd IEOF/" "-" with .w at last arrow.c
ellipse wid .9*ellipsewid ht .9*ellipseht at S4
arrow "start" "" from S1.w+(-0.5,0) to S1.w
.PE
.SH
Notes
.PP
The input buffer is filled with data from the socket
(the socket represents the local consumer/producer of the
forwarded channel).
The data is then sent over the INPUT-end (transmit-end) of the channel to the
remote peer.
Data sent by the peer is received on the OUTPUT-end (receive-end),
saved in the output buffer and written to the socket.
.PP
If the local protocol instance has forwarded all data on the
INPUT-end of the channel, it sends an IEOF message to the peer.
If the peer receives the IEOF and has consumed all
data he replies with an OCLOSE.
When the local instance receives the OCLOSE
he considers the INPUT-half of the channel closed.
The peer has his OUTOUT-half closed.
.PP
A channel can be deallocated by a protocol instance
if both the INPUT- and the OUTOUT-half on his
side of the channel are closed.
Note that when an instance is unable to consume the
received data, he is permitted to send an OCLOSE
before the matching IEOF is received.

88
crypto/openssh/nchan2.ms Normal file
View File

@ -0,0 +1,88 @@
.\" $OpenBSD: nchan2.ms,v 1.4 2008/05/15 23:52:24 djm Exp $
.\"
.\" Copyright (c) 2000 Markus Friedl. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.TL
OpenSSH Channel Close Protocol 2.0 Implementation
.SH
Channel Input State Diagram
.PS
reset
l=1
s=1.2
ellipsewid=s*ellipsewid
boxwid=s*boxwid
ellipseht=s*ellipseht
S1: ellipse "INPUT" "OPEN"
move right 2*l from last ellipse.e
S3: ellipse invis
move down l from last ellipse.s
S4: ellipse "INPUT" "CLOSED"
move down l from 1st ellipse.s
S2: ellipse "INPUT" "WAIT" "DRAIN"
arrow from S1.e to S4.n
box invis "rcvd CLOSE/" "shutdown_read" with .sw at last arrow.c
arrow "ibuf_empty ||" "rcvd CLOSE/" "send EOF" "" from S2.e to S4.w
arrow from S1.s to S2.n
box invis "read_failed ||" "rcvd EOW/" "shutdown_read" with .e at last arrow.c
ellipse wid .9*ellipsewid ht .9*ellipseht at S4
arrow "start" "" from S1.w+(-0.5,0) to S1.w
.PE
.SH
Channel Output State Diagram
.PS
S1: ellipse "OUTPUT" "OPEN"
move right 2*l from last ellipse.e
S3: ellipse invis
move down l from last ellipse.s
S4: ellipse "OUTPUT" "CLOSED"
move down l from 1st ellipse.s
S2: ellipse "OUTPUT" "WAIT" "DRAIN"
arrow from S1.e to S4.n
box invis "write_failed/" "shutdown_write" "send EOW" with .sw at last arrow.c
arrow "obuf_empty ||" "write_failed/" "shutdown_write" "" from S2.e to S4.w
arrow from S1.s to S2.n
box invis "rcvd EOF ||" "rcvd CLOSE/" "-" with .e at last arrow.c
ellipse wid .9*ellipsewid ht .9*ellipseht at S4
arrow "start" "" from S1.w+(-0.5,0) to S1.w
.PE
.SH
Notes
.PP
The input buffer is filled with data from the socket
(the socket represents the local consumer/producer of the
forwarded channel).
The data is then sent over the INPUT-end (transmit-end) of the channel to the
remote peer.
Data sent by the peer is received on the OUTPUT-end (receive-end),
saved in the output buffer and written to the socket.
.PP
If the local protocol instance has forwarded all data on the
INPUT-end of the channel, it sends an EOF message to the peer.
.PP
A CLOSE message is sent to the peer if
both the INPUT- and the OUTOUT-half of the local
end of the channel are closed.
.PP
The channel can be deallocated by a protocol instance
if a CLOSE message he been both sent and received.

View File

@ -0,0 +1,42 @@
# $Id: Makefile.in,v 1.51 2013/05/10 06:28:56 dtucker Exp $
sysconfdir=@sysconfdir@
piddir=@piddir@
srcdir=@srcdir@
top_srcdir=@top_srcdir@
VPATH=@srcdir@
CC=@CC@
LD=@LD@
CFLAGS=@CFLAGS@
CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
LIBS=@LIBS@
AR=@AR@
RANLIB=@RANLIB@
INSTALL=@INSTALL@
LDFLAGS=-L. @LDFLAGS@
OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
all: libopenbsd-compat.a
$(COMPAT): ../config.h
$(OPENBSD): ../config.h
$(PORTS): ../config.h
libopenbsd-compat.a: $(COMPAT) $(OPENBSD) $(PORTS)
$(AR) rv $@ $(COMPAT) $(OPENBSD) $(PORTS)
$(RANLIB) $@
clean:
rm -f *.o *.a core
distclean: clean
rm -f Makefile *~

View File

@ -0,0 +1,38 @@
# $Id: Makefile.in,v 1.4 2006/08/19 09:12:14 dtucker Exp $
sysconfdir=@sysconfdir@
piddir=@piddir@
srcdir=@srcdir@
top_srcdir=@top_srcdir@
VPATH=@srcdir@
CC=@CC@
LD=@LD@
CFLAGS=@CFLAGS@
CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
EXEEXT=@EXEEXT@
LIBCOMPAT=../libopenbsd-compat.a
LIBS=@LIBS@
LDFLAGS=@LDFLAGS@ $(LIBCOMPAT)
TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \
strtonumtest$(EXEEXT)
all: t-exec ${OTHERTESTS}
%$(EXEEXT): %.c
$(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBCOMPAT) $(LIBS)
t-exec: $(TESTPROGS)
@echo running compat regress tests
@for TEST in ""$?; do \
echo "run test $${TEST}" ... 1>&2; \
./$${TEST}$(EXEEXT) || exit $$? ; \
done
@echo finished compat regress tests
clean:
rm -f *.o *.a core $(TESTPROGS) valid.out
distclean: clean
rm -f Makefile *~

View File

@ -0,0 +1,63 @@
/*
* Copyright (c) 2006 Darren Tucker
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define NUM_OPENS 10
int closefrom(int);
void
fail(char *msg)
{
fprintf(stderr, "closefrom: %s\n", msg);
exit(1);
}
int
main(void)
{
int i, max, fds[NUM_OPENS];
char buf[512];
for (i = 0; i < NUM_OPENS; i++)
if ((fds[i] = open("/dev/null", O_RDONLY)) == -1)
exit(0); /* can't test */
max = i - 1;
/* should close last fd only */
closefrom(fds[max]);
if (close(fds[max]) != -1)
fail("failed to close highest fd");
/* make sure we can still use remaining descriptors */
for (i = 0; i < max; i++)
if (read(fds[i], buf, sizeof(buf)) == -1)
fail("closed descriptors it should not have");
/* should close all fds */
closefrom(fds[0]);
for (i = 0; i < NUM_OPENS; i++)
if (close(fds[i]) != -1)
fail("failed to close from lowest fd");
return 0;
}

View File

@ -0,0 +1,73 @@
/*
* Copyright (c) 2005 Darren Tucker
* Copyright (c) 2005 Damien Miller
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#define BUFSZ 2048
#include <sys/types.h>
#include <stdlib.h>
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
static int failed = 0;
static void
fail(const char *m)
{
fprintf(stderr, "snprintftest: %s\n", m);
failed = 1;
}
int x_snprintf(char *str, size_t count, const char *fmt, ...)
{
size_t ret;
va_list ap;
va_start(ap, fmt);
ret = vsnprintf(str, count, fmt, ap);
va_end(ap);
return ret;
}
int
main(void)
{
char b[5];
char *src;
snprintf(b,5,"123456789");
if (b[4] != '\0')
fail("snprintf does not correctly terminate long strings");
/* check for read overrun on unterminated string */
if ((src = malloc(BUFSZ)) == NULL) {
fail("malloc failed");
} else {
memset(src, 'a', BUFSZ);
snprintf(b, sizeof(b), "%.*s", 1, src);
if (strcmp(b, "a") != 0)
fail("failed with length limit '%%.s'");
}
/* check that snprintf and vsnprintf return sane values */
if (snprintf(b, 1, "%s %d", "hello", 12345) != 11)
fail("snprintf does not return required length");
if (x_snprintf(b, 1, "%s %d", "hello", 12345) != 11)
fail("vsnprintf does not return required length");
return failed;
}

View File

@ -0,0 +1,45 @@
/*
* Copyright (c) 2005 Darren Tucker
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <stdlib.h>
#include <string.h>
static int fail = 0;
void
test(const char *a)
{
char *b;
b = strdup(a);
if (b == 0) {
fail = 1;
return;
}
if (strcmp(a, b) != 0)
fail = 1;
free(b);
}
int
main(void)
{
test("");
test("a");
test("\0");
test("abcdefghijklmnopqrstuvwxyz");
return fail;
}

View File

@ -0,0 +1,80 @@
/* $OpenBSD: strtonumtest.c,v 1.1 2004/08/03 20:38:36 otto Exp $ */
/*
* Copyright (c) 2004 Otto Moerbeek <otto@drijf.net>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* OPENBSD ORIGINAL: regress/lib/libc/strtonum/strtonumtest.c */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
/* LLONG_MAX is known as LONGLONG_MAX on AIX */
#if defined(LONGLONG_MAX) && !defined(LLONG_MAX)
# define LLONG_MAX LONGLONG_MAX
# define LLONG_MIN LONGLONG_MIN
#endif
/* LLONG_MAX is known as LONG_LONG_MAX on HP-UX */
#if defined(LONG_LONG_MAX) && !defined(LLONG_MAX)
# define LLONG_MAX LONG_LONG_MAX
# define LLONG_MIN LONG_LONG_MIN
#endif
long long strtonum(const char *, long long, long long, const char **);
int fail;
void
test(const char *p, long long lb, long long ub, int ok)
{
long long val;
const char *q;
val = strtonum(p, lb, ub, &q);
if (ok && q != NULL) {
fprintf(stderr, "%s [%lld-%lld] ", p, lb, ub);
fprintf(stderr, "NUMBER NOT ACCEPTED %s\n", q);
fail = 1;
} else if (!ok && q == NULL) {
fprintf(stderr, "%s [%lld-%lld] %lld ", p, lb, ub, val);
fprintf(stderr, "NUMBER ACCEPTED\n");
fail = 1;
}
}
int main(int argc, char *argv[])
{
test("1", 0, 10, 1);
test("0", -2, 5, 1);
test("0", 2, 5, 0);
test("0", 2, LLONG_MAX, 0);
test("-2", 0, LLONG_MAX, 0);
test("0", -5, LLONG_MAX, 1);
test("-3", -3, LLONG_MAX, 1);
test("-9223372036854775808", LLONG_MIN, LLONG_MAX, 1);
test("9223372036854775807", LLONG_MIN, LLONG_MAX, 1);
test("-9223372036854775809", LLONG_MIN, LLONG_MAX, 0);
test("9223372036854775808", LLONG_MIN, LLONG_MAX, 0);
test("1000000000000000000000000", LLONG_MIN, LLONG_MAX, 0);
test("-1000000000000000000000000", LLONG_MIN, LLONG_MAX, 0);
test("-2", 10, -1, 0);
test("-2", -10, -1, 1);
test("-20", -10, -1, 0);
test("20", -10, -1, 0);
return (fail);
}

View File

@ -0,0 +1,90 @@
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
Copyright (c) 2006 Chad Mynhier.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-->
<service_bundle type='manifest' name='OpenSSH server'>
<service
name='site/__SYSVINIT_NAME__'
type='service'
version='1'>
<!--
We default to disabled so administrator can decide to enable or not.
-->
<create_default_instance enabled='false'/>
<single_instance/>
<dependency
name='filesystem-local'
grouping='require_all'
restart_on='none'
type='service'>
<service_fmri value='svc:/system/filesystem/local'/>
</dependency>
<dependency
name='network'
grouping='require_all'
restart_on='none'
type='service'>
<service_fmri value='svc:/milestone/network'/>
</dependency>
<dependent
name='multi-user-server'
restart_on='none'
grouping='optional_all'>
<service_fmri value='svc:/milestone/multi-user-server'/>
</dependent>
<exec_method
name='start'
type='method'
exec='__SMF_METHOD_DIR__/__SYSVINIT_NAME__ start'
timeout_seconds='60'>
<method_context/>
</exec_method>
<exec_method
name='stop'
type='method'
exec=':kill'
timeout_seconds='60'>
<method_context/>
</exec_method>
<property_group
name='startd'
type='framework'>
<propval name='ignore_error' type='astring' value='core,signal'/>
</property_group>
<template>
<common_name>
<loctext xml:lang='C'>OpenSSH server</loctext>
</common_name>
<documentation>
<manpage
title='sshd'
section='1M'
manpath='@prefix@/man'/>
</documentation>
</template>
</service>
</service_bundle>

88
crypto/openssh/opensshd.init.in Executable file
View File

@ -0,0 +1,88 @@
#!@STARTUP_SCRIPT_SHELL@
# Donated code that was put under PD license.
#
# Stripped PRNGd out of it for the time being.
umask 022
CAT=@CAT@
KILL=@KILL@
prefix=@prefix@
sysconfdir=@sysconfdir@
piddir=@piddir@
SSHD=$prefix/sbin/sshd
PIDFILE=$piddir/sshd.pid
PidFile=`grep "^PidFile" ${sysconfdir}/sshd_config | tr "=" " " | awk '{print $2}'`
[ X$PidFile = X ] || PIDFILE=$PidFile
SSH_KEYGEN=$prefix/bin/ssh-keygen
HOST_KEY_RSA1=$sysconfdir/ssh_host_key
HOST_KEY_DSA=$sysconfdir/ssh_host_dsa_key
HOST_KEY_RSA=$sysconfdir/ssh_host_rsa_key
@COMMENT_OUT_ECC@HOST_KEY_ECDSA=$sysconfdir/ssh_host_ecdsa_key
checkkeys() {
if [ ! -f $HOST_KEY_RSA1 ]; then
${SSH_KEYGEN} -t rsa1 -f ${HOST_KEY_RSA1} -N ""
fi
if [ ! -f $HOST_KEY_DSA ]; then
${SSH_KEYGEN} -t dsa -f ${HOST_KEY_DSA} -N ""
fi
if [ ! -f $HOST_KEY_RSA ]; then
${SSH_KEYGEN} -t rsa -f ${HOST_KEY_RSA} -N ""
fi
@COMMENT_OUT_ECC@ if [ ! -f $HOST_KEY_ECDSA ]; then
@COMMENT_OUT_ECC@ ${SSH_KEYGEN} -t ecdsa -f ${HOST_KEY_ECDSA} -N ""
@COMMENT_OUT_ECC@ fi
}
stop_service() {
if [ -r $PIDFILE -a ! -z ${PIDFILE} ]; then
PID=`${CAT} ${PIDFILE}`
fi
if [ ${PID:=0} -gt 1 -a ! "X$PID" = "X " ]; then
${KILL} ${PID}
else
echo "Unable to read PID file"
fi
}
start_service() {
# XXX We really should check if the service is already going, but
# XXX we will opt out at this time. - Bal
# Check to see if we have keys that need to be made
checkkeys
# Start SSHD
echo "starting $SSHD... \c" ; $SSHD
sshd_rc=$?
if [ $sshd_rc -ne 0 ]; then
echo "$0: Error ${sshd_rc} starting ${SSHD}... bailing."
exit $sshd_rc
fi
echo done.
}
case $1 in
'start')
start_service
;;
'stop')
stop_service
;;
'restart')
stop_service
start_service
;;
*)
echo "$0: usage: $0 {start|stop|restart}"
;;
esac

View File

@ -0,0 +1,169 @@
# $OpenBSD: Makefile,v 1.65 2013/04/18 02:46:12 djm Exp $
REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec
tests: $(REGRESS_TARGETS)
# Interop tests are not run by default
interop interop-tests: t-exec-interop
clean:
for F in $(CLEANFILES); do rm -f $(OBJ)$$F; done
test -z "${SUDO}" || ${SUDO} rm -f ${SUDO_CLEAN}
rm -rf $(OBJ).putty
distclean: clean
LTESTS= connect \
proxy-connect \
connect-privsep \
proto-version \
proto-mismatch \
exit-status \
envpass \
transfer \
banner \
rekey \
stderr-data \
stderr-after-eof \
broken-pipe \
try-ciphers \
yes-head \
login-timeout \
agent \
agent-getpeereid \
agent-timeout \
agent-ptrace \
keyscan \
keygen-change \
keygen-convert \
key-options \
scp \
sftp \
sftp-chroot \
sftp-cmds \
sftp-badcmds \
sftp-batch \
sftp-glob \
reconfigure \
dynamic-forward \
forwarding \
multiplex \
reexec \
brokenkeys \
cfgmatch \
addrmatch \
localcommand \
forcecommand \
portnum \
keytype \
kextype \
cert-hostkey \
cert-userkey \
host-expand \
keys-command \
forward-control \
integrity \
krl
INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
#LTESTS= cipher-speed
USER!= id -un
CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
t8.out t8.out.pub t9.out t9.out.pub \
authorized_keys_${USER} known_hosts pidfile testdata \
ssh_config sshd_config.orig ssh_proxy sshd_config sshd_proxy \
rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \
rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \
ls.copy banner.in banner.out empty.in \
scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
known_hosts-cert host_ca_key* cert_host_key* cert_user_key* \
putty.rsa2 sshd_proxy_orig ssh_proxy_bak \
key.rsa-* key.dsa-* key.ecdsa-* \
authorized_principals_${USER} expect actual ready \
sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \
ssh.log failed-ssh.log sshd.log failed-sshd.log \
regress.log failed-regress.log ssh-log-wrapper.sh
SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER}
# Enable all malloc(3) randomisations and checks
TEST_ENV= "MALLOC_OPTIONS=AFGJPRX"
TEST_SSH_SSHKEYGEN?=ssh-keygen
CPPFLAGS=-I..
t1:
${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv
tr '\n' '\r' <${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_cr.prv
${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_cr.prv | diff - ${.CURDIR}/rsa_openssh.prv
awk '{print $$0 "\r"}' ${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_crnl.prv
${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_crnl.prv | diff - ${.CURDIR}/rsa_openssh.prv
t2:
cat ${.CURDIR}/rsa_openssh.prv > $(OBJ)/t2.out
chmod 600 $(OBJ)/t2.out
${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t2.out | diff - ${.CURDIR}/rsa_openssh.pub
t3:
${TEST_SSH_SSHKEYGEN} -ef ${.CURDIR}/rsa_openssh.pub >$(OBJ)/t3.out
${TEST_SSH_SSHKEYGEN} -if $(OBJ)/t3.out | diff - ${.CURDIR}/rsa_openssh.pub
t4:
${TEST_SSH_SSHKEYGEN} -lf ${.CURDIR}/rsa_openssh.pub |\
awk '{print $$2}' | diff - ${.CURDIR}/t4.ok
t5:
${TEST_SSH_SSHKEYGEN} -Bf ${.CURDIR}/rsa_openssh.pub |\
awk '{print $$2}' | diff - ${.CURDIR}/t5.ok
t6:
${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.prv > $(OBJ)/t6.out1
${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.pub > $(OBJ)/t6.out2
chmod 600 $(OBJ)/t6.out1
${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t6.out1 | diff - $(OBJ)/t6.out2
$(OBJ)/t7.out:
${TEST_SSH_SSHKEYGEN} -q -t rsa -N '' -f $@
t7: $(OBJ)/t7.out
${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t7.out > /dev/null
${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t7.out > /dev/null
$(OBJ)/t8.out:
${TEST_SSH_SSHKEYGEN} -q -t dsa -N '' -f $@
t8: $(OBJ)/t8.out
${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t8.out > /dev/null
${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t8.out > /dev/null
$(OBJ)/t9.out:
test "${TEST_SSH_ECC}" != yes || \
${TEST_SSH_SSHKEYGEN} -q -t ecdsa -N '' -f $@
t9: $(OBJ)/t9.out
test "${TEST_SSH_ECC}" != yes || \
${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t9.out > /dev/null
test "${TEST_SSH_ECC}" != yes || \
${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t9.out > /dev/null
t-exec: ${LTESTS:=.sh}
@if [ "x$?" = "x" ]; then exit 0; fi; \
for TEST in ""$?; do \
echo "run test $${TEST}" ... 1>&2; \
(env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
done
t-exec-interop: ${INTEROP_TESTS:=.sh}
@if [ "x$?" = "x" ]; then exit 0; fi; \
for TEST in ""$?; do \
echo "run test $${TEST}" ... 1>&2; \
(env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
done
# Not run by default
interop: ${INTEROP_TARGETS}

View File

@ -0,0 +1,104 @@
Overview.
$ ./configure && make tests
You'll see some progress info. A failure will cause either the make to
abort or the driver script to report a "FATAL" failure.
The test consists of 2 parts. The first is the file-based tests which is
driven by the Makefile, and the second is a set of network or proxycommand
based tests, which are driven by a driver script (test-exec.sh) which is
called multiple times by the Makefile.
Failures in the first part will cause the Makefile to return an error.
Failures in the second part will print a "FATAL" message for the failed
test and continue.
OpenBSD has a system-wide regression test suite. OpenSSH Portable's test
suite is based on OpenBSD's with modifications.
Environment variables.
SUDO: path to sudo command, if desired. Note that some systems (notably
systems using PAM) require sudo to execute some tests.
TEST_SSH_TRACE: set to "yes" for verbose output from tests
TEST_SSH_QUIET: set to "yes" to suppress non-fatal output.
TEST_SSH_x: path to "ssh" command under test, where x=SSH,SSHD,SSHAGENT,SSHADD
SSHKEYGEN,SSHKEYSCAN,SFTP,SFTPSERVER
OBJ: used by test scripts to access build dir.
TEST_SHELL: shell used for running the test scripts.
TEST_SSH_PORT: TCP port to be used for the listening tests.
TEST_SSH_SSH_CONFOPTS: Configuration directives to be added to ssh_config
before running each test.
TEST_SSH_SSHD_CONFOTPS: Configuration directives to be added to sshd_config
before running each test.
Individual tests.
You can run an individual test from the top-level Makefile, eg:
$ make tests LTESTS=agent-timeout
If you need to manipulate the environment more you can invoke test-exec.sh
directly if you set up the path to find the binaries under test and the
test scripts themselves, for example:
$ cd regress
$ PATH=`pwd`/..:$PATH:. TEST_SHELL=/bin/sh sh test-exec.sh `pwd` \
agent-timeout.sh
ok agent timeout test
Files.
test-exec.sh: the main test driver. Sets environment, creates config files
and keys and runs the specified test.
At the time of writing, the individual tests are:
agent-timeout.sh: agent timeout test
agent.sh: simple agent test
broken-pipe.sh: broken pipe test
connect-privsep.sh: proxy connect with privsep
connect.sh: simple connect
exit-status.sh: remote exit status
forwarding.sh: local and remote forwarding
keygen-change.sh: change passphrase for key
keyscan.sh: keyscan
proto-mismatch.sh: protocol version mismatch
proto-version.sh: sshd version with different protocol combinations
proxy-connect.sh: proxy connect
sftp.sh: basic sftp put/get
ssh-com-client.sh: connect with ssh.com client
ssh-com-keygen.sh: ssh.com key import
ssh-com-sftp.sh: basic sftp put/get with ssh.com server
ssh-com.sh: connect to ssh.com server
stderr-after-eof.sh: stderr data after eof
stderr-data.sh: stderr data transfer
transfer.sh: transfer data
try-ciphers.sh: try ciphers
yes-head.sh: yes pipe head
Problems?
Run the failing test with shell tracing (-x) turned on:
$ PATH=`pwd`/..:$PATH:. sh -x test-exec.sh `pwd` agent-timeout.sh
Failed tests can be difficult to diagnose. Suggestions:
- run the individual test via ./test-exec.sh `pwd` [testname]
- set LogLevel to VERBOSE in test-exec.sh and enable syslogging of
auth.debug (eg to /var/log/authlog).
Known Issues.
- Similarly, if you do not have "scp" in your system's $PATH then the
multiplex scp tests will fail (since the system's shell startup scripts
will determine where the shell started by sshd will look for scp).
- Recent GNU coreutils deprecate "head -[n]": this will cause the yes-head
test to fail. The old behaviour can be restored by setting (and
exporting) _POSIX2_VERSION=199209 before running the tests.
$Id: README.regress,v 1.12 2011/05/05 03:48:42 djm Exp $

View File

@ -0,0 +1,56 @@
# $OpenBSD: addrmatch.sh,v 1.4 2012/05/13 01:42:32 dtucker Exp $
# Placed in the Public Domain.
tid="address match"
mv $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
run_trial()
{
user="$1"; addr="$2"; host="$3"; laddr="$4"; lport="$5"
expected="$6"; descr="$7"
verbose "test $descr for $user $addr $host"
result=`${SSHD} -f $OBJ/sshd_proxy -T \
-C user=${user},addr=${addr},host=${host},laddr=${laddr},lport=${lport} | \
awk '/^forcecommand/ {print $2}'`
if [ "$result" != "$expected" ]; then
fail "failed '$descr' expected $expected got $result"
fi
}
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
cat >>$OBJ/sshd_proxy <<EOD
ForceCommand nomatch
Match Address 192.168.0.0/16,!192.168.30.0/24,10.0.0.0/8,host.example.com
ForceCommand match1
Match Address 1.1.1.1,::1,!::3,2000::/16
ForceCommand match2
Match LocalAddress 127.0.0.1,::1
ForceCommand match3
Match LocalPort 5678
ForceCommand match4
EOD
run_trial user 192.168.0.1 somehost 1.2.3.4 1234 match1 "first entry"
run_trial user 192.168.30.1 somehost 1.2.3.4 1234 nomatch "negative match"
run_trial user 19.0.0.1 somehost 1.2.3.4 1234 nomatch "no match"
run_trial user 10.255.255.254 somehost 1.2.3.4 1234 match1 "list middle"
run_trial user 192.168.30.1 192.168.0.1 1.2.3.4 1234 nomatch "faked IP in hostname"
run_trial user 1.1.1.1 somehost.example.com 1.2.3.4 1234 match2 "bare IP4 address"
run_trial user 19.0.0.1 somehost 127.0.0.1 1234 match3 "localaddress"
run_trial user 19.0.0.1 somehost 1.2.3.4 5678 match4 "localport"
if test "$TEST_SSH_IPV6" != "no"; then
run_trial user ::1 somehost.example.com ::2 1234 match2 "bare IP6 address"
run_trial user ::2 somehost.exaple.com ::2 1234 nomatch "deny IPv6"
run_trial user ::3 somehost ::2 1234 nomatch "IP6 negated"
run_trial user ::4 somehost ::2 1234 nomatch "IP6 no match"
run_trial user 2000::1 somehost ::2 1234 match2 "IP6 network"
run_trial user 2001::1 somehost ::2 1234 nomatch "IP6 network"
run_trial user ::5 somehost ::1 1234 match3 "IP6 localaddress"
run_trial user ::5 somehost ::2 5678 match4 "IP6 localport"
fi
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
rm $OBJ/sshd_proxy_bak

View File

@ -0,0 +1,45 @@
# $OpenBSD: agent-getpeereid.sh,v 1.5 2013/05/17 10:33:09 dtucker Exp $
# Placed in the Public Domain.
tid="disallow agent attach from other uid"
UNPRIV=nobody
ASOCK=${OBJ}/agent
SSH_AUTH_SOCK=/nonexistent
if config_defined HAVE_GETPEEREID HAVE_GETPEERUCRED HAVE_SO_PEERCRED ; then
:
else
echo "skipped (not supported on this platform)"
exit 0
fi
if [ -z "$SUDO" ]; then
echo "skipped: need SUDO to switch to uid $UNPRIV"
exit 0
fi
trace "start agent"
eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fail "could not start ssh-agent: exit code $r"
else
chmod 644 ${SSH_AUTH_SOCK}
ssh-add -l > /dev/null 2>&1
r=$?
if [ $r -ne 1 ]; then
fail "ssh-add failed with $r != 1"
fi
< /dev/null ${SUDO} -S -u ${UNPRIV} ssh-add -l 2>/dev/null
r=$?
if [ $r -lt 2 ]; then
fail "ssh-add did not fail for ${UNPRIV}: $r < 2"
fi
trace "kill agent"
${SSHAGENT} -k > /dev/null
fi
rm -f ${OBJ}/agent

View File

@ -0,0 +1,69 @@
# $OpenBSD: agent-pkcs11.sh,v 1.1 2010/02/08 10:52:47 markus Exp $
# Placed in the Public Domain.
tid="pkcs11 agent test"
TEST_SSH_PIN=""
TEST_SSH_PKCS11=/usr/local/lib/soft-pkcs11.so.0.0
# setup environment for soft-pkcs11 token
SOFTPKCS11RC=$OBJ/pkcs11.info
export SOFTPKCS11RC
# prevent ssh-agent from calling ssh-askpass
SSH_ASKPASS=/usr/bin/true
export SSH_ASKPASS
unset DISPLAY
# start command w/o tty, so ssh-add accepts pin from stdin
notty() {
perl -e 'use POSIX; POSIX::setsid();
if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
}
trace "start agent"
eval `${SSHAGENT} -s` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fail "could not start ssh-agent: exit code $r"
else
trace "generating key/cert"
rm -f $OBJ/pkcs11.key $OBJ/pkcs11.crt
openssl genrsa -out $OBJ/pkcs11.key 2048 > /dev/null 2>&1
chmod 600 $OBJ/pkcs11.key
openssl req -key $OBJ/pkcs11.key -new -x509 \
-out $OBJ/pkcs11.crt -text -subj '/CN=pkcs11 test' > /dev/null
printf "a\ta\t$OBJ/pkcs11.crt\t$OBJ/pkcs11.key" > $SOFTPKCS11RC
# add to authorized keys
${SSHKEYGEN} -y -f $OBJ/pkcs11.key > $OBJ/authorized_keys_$USER
trace "add pkcs11 key to agent"
echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-add -s failed: exit code $r"
fi
trace "pkcs11 list via agent"
${SSHADD} -l > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-add -l failed: exit code $r"
fi
trace "pkcs11 connect via agent"
${SSH} -2 -F $OBJ/ssh_proxy somehost exit 5
r=$?
if [ $r -ne 5 ]; then
fail "ssh connect failed (exit code $r)"
fi
trace "remove pkcs11 keys"
echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-add -e failed: exit code $r"
fi
trace "kill agent"
${SSHAGENT} -k > /dev/null
fi

View File

@ -0,0 +1,53 @@
# $OpenBSD: agent-ptrace.sh,v 1.1 2002/12/09 15:38:30 markus Exp $
# Placed in the Public Domain.
tid="disallow agent ptrace attach"
if have_prog uname ; then
case `uname` in
AIX|CYGWIN*|OSF1)
echo "skipped (not supported on this platform)"
exit 0
;;
esac
fi
if have_prog gdb ; then
: ok
else
echo "skipped (gdb not found)"
exit 0
fi
if test -z "$SUDO" ; then
echo "skipped (SUDO not set)"
exit 0
else
$SUDO chown 0 ${SSHAGENT}
$SUDO chgrp 0 ${SSHAGENT}
$SUDO chmod 2755 ${SSHAGENT}
fi
trace "start agent"
eval `${SSHAGENT} -s` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fail "could not start ssh-agent: exit code $r"
else
# ls -l ${SSH_AUTH_SOCK}
gdb ${SSHAGENT} ${SSH_AGENT_PID} > ${OBJ}/gdb.out 2>&1 << EOF
quit
EOF
if [ $? -ne 0 ]; then
fail "gdb failed: exit code $?"
fi
egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.|Unable to access task ' >/dev/null ${OBJ}/gdb.out
r=$?
rm -f ${OBJ}/gdb.out
if [ $r -ne 0 ]; then
fail "ptrace succeeded?: exit code $r"
fi
trace "kill agent"
${SSHAGENT} -k > /dev/null
fi

View File

@ -0,0 +1,36 @@
# $OpenBSD: agent-timeout.sh,v 1.2 2013/05/17 01:16:09 dtucker Exp $
# Placed in the Public Domain.
tid="agent timeout test"
SSHAGENT_TIMEOUT=10
trace "start agent"
eval `${SSHAGENT} -s` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fail "could not start ssh-agent: exit code $r"
else
trace "add keys with timeout"
for t in rsa rsa1; do
${SSHADD} -t ${SSHAGENT_TIMEOUT} $OBJ/$t > /dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh-add did succeed exit code 0"
fi
done
n=`${SSHADD} -l 2> /dev/null | wc -l`
trace "agent has $n keys"
if [ $n -ne 2 ]; then
fail "ssh-add -l did not return 2 keys: $n"
fi
trace "sleeping 2*${SSHAGENT_TIMEOUT} seconds"
sleep ${SSHAGENT_TIMEOUT}
sleep ${SSHAGENT_TIMEOUT}
${SSHADD} -l 2> /dev/null | grep 'The agent has no identities.' >/dev/null
if [ $? -ne 0 ]; then
fail "ssh-add -l still returns keys after timeout"
fi
trace "kill agent"
${SSHAGENT} -k > /dev/null
fi

View File

@ -0,0 +1,75 @@
# $OpenBSD: agent.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
# Placed in the Public Domain.
tid="simple agent test"
SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
if [ $? -ne 2 ]; then
fail "ssh-add -l did not fail with exit code 2"
fi
trace "start agent"
eval `${SSHAGENT} -s` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fail "could not start ssh-agent: exit code $r"
else
${SSHADD} -l > /dev/null 2>&1
if [ $? -ne 1 ]; then
fail "ssh-add -l did not fail with exit code 1"
fi
trace "overwrite authorized keys"
printf '' > $OBJ/authorized_keys_$USER
for t in rsa rsa1; do
# generate user key for agent
rm -f $OBJ/$t-agent
${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\
fail "ssh-keygen for $t-agent failed"
# add to authorized keys
cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
# add privat key to agent
${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh-add did succeed exit code 0"
fi
done
${SSHADD} -l > /dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh-add -l failed: exit code $?"
fi
# the same for full pubkey output
${SSHADD} -L > /dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh-add -L failed: exit code $?"
fi
trace "simple connect via agent"
for p in 1 2; do
${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p
if [ $? -ne 5$p ]; then
fail "ssh connect with protocol $p failed (exit code $?)"
fi
done
trace "agent forwarding"
for p in 1 2; do
${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh-add -l via agent fwd proto $p failed (exit code $?)"
fi
${SSH} -A -$p -F $OBJ/ssh_proxy somehost \
"${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p"
if [ $? -ne 5$p ]; then
fail "agent fwd proto $p failed (exit code $?)"
fi
done
trace "delete all agent keys"
${SSHADD} -D > /dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh-add -D failed: exit code $?"
fi
trace "kill agent"
${SSHAGENT} -k > /dev/null
fi

View File

@ -0,0 +1,44 @@
# $OpenBSD: banner.sh,v 1.2 2003/10/11 11:49:49 dtucker Exp $
# Placed in the Public Domain.
tid="banner"
echo "Banner $OBJ/banner.in" >> $OBJ/sshd_proxy
rm -f $OBJ/banner.out $OBJ/banner.in $OBJ/empty.in
touch $OBJ/empty.in
trace "test missing banner file"
verbose "test $tid: missing banner file"
( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
cmp $OBJ/empty.in $OBJ/banner.out ) || \
fail "missing banner file"
for s in 0 10 100 1000 10000 100000 ; do
if [ "$s" = "0" ]; then
# create empty banner
touch $OBJ/banner.in
elif [ "$s" = "10" ]; then
# create 10-byte banner file
echo "abcdefghi" >$OBJ/banner.in
else
# increase size 10x
cp $OBJ/banner.in $OBJ/banner.out
for i in 0 1 2 3 4 5 6 7 8 ; do
cat $OBJ/banner.out >> $OBJ/banner.in
done
fi
trace "test banner size $s"
verbose "test $tid: size $s"
( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
cmp $OBJ/banner.in $OBJ/banner.out ) || \
fail "banner size $s mismatch"
done
trace "test suppress banner (-q)"
verbose "test $tid: suppress banner (-q)"
( ${SSH} -q -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
cmp $OBJ/empty.in $OBJ/banner.out ) || \
fail "suppress banner (-q)"
rm -f $OBJ/banner.out $OBJ/banner.in $OBJ/empty.in

View File

@ -0,0 +1,15 @@
# $OpenBSD: broken-pipe.sh,v 1.4 2002/03/15 13:08:56 markus Exp $
# Placed in the Public Domain.
tid="broken pipe test"
for p in 1 2; do
trace "protocol $p"
for i in 1 2 3 4; do
${SSH} -$p -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true
r=$?
if [ $r -ne 0 ]; then
fail "broken pipe returns $r for protocol $p"
fi
done
done

View File

@ -0,0 +1,23 @@
# $OpenBSD: brokenkeys.sh,v 1.1 2004/10/29 23:59:22 djm Exp $
# Placed in the Public Domain.
tid="broken keys"
KEYS="$OBJ/authorized_keys_${USER}"
start_sshd
mv ${KEYS} ${KEYS}.bak
# Truncated key
echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEABTM= bad key" > $KEYS
cat ${KEYS}.bak >> ${KEYS}
cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
${SSH} -2 -F $OBJ/ssh_config somehost true
if [ $? -ne 0 ]; then
fail "ssh connect with protocol $p failed"
fi
mv ${KEYS}.bak ${KEYS}

View File

@ -0,0 +1,256 @@
# $OpenBSD: cert-hostkey.sh,v 1.7 2013/05/17 00:37:40 dtucker Exp $
# Placed in the Public Domain.
tid="certified host keys"
# used to disable ECC based tests on platforms without ECC
ecdsa=""
if test "x$TEST_SSH_ECC" = "xyes"; then
ecdsa=ecdsa
fi
rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
HOSTS='localhost-with-alias,127.0.0.1,::1'
# Create a CA key and add it to known hosts
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\
fail "ssh-keygen of host_ca_key failed"
(
printf '@cert-authority '
printf "$HOSTS "
cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert
# Generate and sign host keys
for ktype in rsa dsa $ecdsa ; do
verbose "$tid: sign host ${ktype} cert"
# Generate and sign a host key
${SSHKEYGEN} -q -N '' -t ${ktype} \
-f $OBJ/cert_host_key_${ktype} || \
fail "ssh-keygen of cert_host_key_${ktype} failed"
${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \
-I "regress host key for $USER" \
-n $HOSTS $OBJ/cert_host_key_${ktype} ||
fail "couldn't sign cert_host_key_${ktype}"
# v00 ecdsa certs do not exist
test "${ktype}" = "ecdsa" && continue
cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
-I "regress host key for $USER" \
-n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
fail "couldn't sign cert_host_key_${ktype}_v00"
done
# Basic connect tests
for privsep in yes no ; do
for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do
verbose "$tid: host ${ktype} cert connect privsep $privsep"
(
cat $OBJ/sshd_proxy_bak
echo HostKey $OBJ/cert_host_key_${ktype}
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
echo UsePrivilegeSeparation $privsep
) > $OBJ/sshd_proxy
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy somehost true
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
fi
done
done
# Revoked certificates with key present
(
printf '@cert-authority '
printf "$HOSTS "
cat $OBJ/host_ca_key.pub
printf '@revoked '
printf "* "
cat $OBJ/cert_host_key_rsa.pub
if test "x$TEST_SSH_ECC" = "xyes"; then
printf '@revoked '
printf "* "
cat $OBJ/cert_host_key_ecdsa.pub
fi
printf '@revoked '
printf "* "
cat $OBJ/cert_host_key_dsa.pub
printf '@revoked '
printf "* "
cat $OBJ/cert_host_key_rsa_v00.pub
printf '@revoked '
printf "* "
cat $OBJ/cert_host_key_dsa_v00.pub
) > $OBJ/known_hosts-cert
for privsep in yes no ; do
for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do
verbose "$tid: host ${ktype} revoked cert privsep $privsep"
(
cat $OBJ/sshd_proxy_bak
echo HostKey $OBJ/cert_host_key_${ktype}
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
echo UsePrivilegeSeparation $privsep
) > $OBJ/sshd_proxy
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
fi
done
done
# Revoked CA
(
printf '@cert-authority '
printf "$HOSTS "
cat $OBJ/host_ca_key.pub
printf '@revoked '
printf "* "
cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert
for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
verbose "$tid: host ${ktype} revoked cert"
(
cat $OBJ/sshd_proxy_bak
echo HostKey $OBJ/cert_host_key_${ktype}
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
) > $OBJ/sshd_proxy
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
fi
done
# Create a CA key and add it to known hosts
(
printf '@cert-authority '
printf "$HOSTS "
cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert
test_one() {
ident=$1
result=$2
sign_opts=$3
for kt in rsa rsa_v00 ; do
case $kt in
*_v00) args="-t v00" ;;
*) args="" ;;
esac
verbose "$tid: host cert connect $ident $kt expect $result"
${SSHKEYGEN} -q -s $OBJ/host_ca_key \
-I "regress host key for $USER" \
$sign_opts $args \
$OBJ/cert_host_key_${kt} ||
fail "couldn't sign cert_host_key_${kt}"
(
cat $OBJ/sshd_proxy_bak
echo HostKey $OBJ/cert_host_key_${kt}
echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
) > $OBJ/sshd_proxy
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
rc=$?
if [ "x$result" = "xsuccess" ] ; then
if [ $rc -ne 0 ]; then
fail "ssh cert connect $ident failed unexpectedly"
fi
else
if [ $rc -eq 0 ]; then
fail "ssh cert connect $ident succeeded unexpectedly"
fi
fi
done
}
test_one "user-certificate" failure "-n $HOSTS"
test_one "empty principals" success "-h"
test_one "wrong principals" failure "-h -n foo"
test_one "cert not yet valid" failure "-h -V20200101:20300101"
test_one "cert expired" failure "-h -V19800101:19900101"
test_one "cert valid interval" success "-h -V-1w:+2w"
test_one "cert has constraints" failure "-h -Oforce-command=false"
# Check downgrade of cert to raw key when no CA found
for v in v01 v00 ; do
for ktype in rsa dsa $ecdsa ; do
# v00 ecdsa certs do not exist.
test "${v}${ktype}" = "v00ecdsa" && continue
rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
# Generate and sign a host key
${SSHKEYGEN} -q -N '' -t ${ktype} \
-f $OBJ/cert_host_key_${ktype} || \
fail "ssh-keygen of cert_host_key_${ktype} failed"
${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
-I "regress host key for $USER" \
-n $HOSTS $OBJ/cert_host_key_${ktype} ||
fail "couldn't sign cert_host_key_${ktype}"
(
printf "$HOSTS "
cat $OBJ/cert_host_key_${ktype}.pub
) > $OBJ/known_hosts-cert
(
cat $OBJ/sshd_proxy_bak
echo HostKey $OBJ/cert_host_key_${ktype}
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
) > $OBJ/sshd_proxy
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy somehost true
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
fi
done
done
# Wrong certificate
(
printf '@cert-authority '
printf "$HOSTS "
cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert
for v in v01 v00 ; do
for kt in rsa dsa $ecdsa ; do
# v00 ecdsa certs do not exist.
test "${v}${ktype}" = "v00ecdsa" && continue
rm -f $OBJ/cert_host_key*
# Self-sign key
${SSHKEYGEN} -q -N '' -t ${kt} \
-f $OBJ/cert_host_key_${kt} || \
fail "ssh-keygen of cert_host_key_${kt} failed"
${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
-I "regress host key for $USER" \
-n $HOSTS $OBJ/cert_host_key_${kt} ||
fail "couldn't sign cert_host_key_${kt}"
verbose "$tid: host ${kt} connect wrong cert"
(
cat $OBJ/sshd_proxy_bak
echo HostKey $OBJ/cert_host_key_${kt}
echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
) > $OBJ/sshd_proxy
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect $ident succeeded unexpectedly"
fi
done
done
rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*

View File

@ -0,0 +1,355 @@
# $OpenBSD: cert-userkey.sh,v 1.11 2013/05/17 00:37:40 dtucker Exp $
# Placed in the Public Domain.
tid="certified user keys"
# used to disable ECC based tests on platforms without ECC
ecdsa=""
if test "x$TEST_SSH_ECC" = "xyes"; then
ecdsa=ecdsa
fi
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
# Create a CA key
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
fail "ssh-keygen of user_ca_key failed"
# Generate and sign user keys
for ktype in rsa dsa $ecdsa ; do
verbose "$tid: sign user ${ktype} cert"
${SSHKEYGEN} -q -N '' -t ${ktype} \
-f $OBJ/cert_user_key_${ktype} || \
fail "ssh-keygen of cert_user_key_${ktype} failed"
${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}"
# v00 ecdsa certs do not exist
test "${ktype}" = "ecdsa" && continue
cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
"regress user key for $USER" \
-n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
fail "couldn't sign cert_user_key_${ktype}_v00"
done
# Test explicitly-specified principals
for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
for privsep in yes no ; do
_prefix="${ktype} privsep $privsep"
# Setup for AuthorizedPrincipalsFile
rm -f $OBJ/authorized_keys_$USER
(
cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep"
echo "AuthorizedPrincipalsFile " \
"$OBJ/authorized_principals_%u"
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
) > $OBJ/sshd_proxy
# Missing authorized_principals
verbose "$tid: ${_prefix} missing authorized_principals"
rm -f $OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
fi
# Empty authorized_principals
verbose "$tid: ${_prefix} empty authorized_principals"
echo > $OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
fi
# Wrong authorized_principals
verbose "$tid: ${_prefix} wrong authorized_principals"
echo gregorsamsa > $OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
fi
# Correct authorized_principals
verbose "$tid: ${_prefix} correct authorized_principals"
echo mekmitasdigoat > $OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
fi
# authorized_principals with bad key option
verbose "$tid: ${_prefix} authorized_principals bad key opt"
echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
fi
# authorized_principals with command=false
verbose "$tid: ${_prefix} authorized_principals command=false"
echo 'command="false" mekmitasdigoat' > \
$OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
fi
# authorized_principals with command=true
verbose "$tid: ${_prefix} authorized_principals command=true"
echo 'command="true" mekmitasdigoat' > \
$OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
fi
# Setup for principals= key option
rm -f $OBJ/authorized_principals_$USER
(
cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep"
) > $OBJ/sshd_proxy
# Wrong principals list
verbose "$tid: ${_prefix} wrong principals key option"
(
printf 'cert-authority,principals="gregorsamsa" '
cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
fi
# Correct principals list
verbose "$tid: ${_prefix} correct principals key option"
(
printf 'cert-authority,principals="mekmitasdigoat" '
cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
fi
done
done
basic_tests() {
auth=$1
if test "x$auth" = "xauthorized_keys" ; then
# Add CA to authorized_keys
(
printf 'cert-authority '
cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER
else
echo > $OBJ/authorized_keys_$USER
extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
fi
for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
for privsep in yes no ; do
_prefix="${ktype} privsep $privsep $auth"
# Simple connect
verbose "$tid: ${_prefix} connect"
(
cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
fi
# Revoked keys
verbose "$tid: ${_prefix} revoked key"
(
cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep"
echo "RevokedKeys $OBJ/cert_user_key_revoked"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
cp $OBJ/cert_user_key_${ktype}.pub \
$OBJ/cert_user_key_revoked
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpecedly"
fi
verbose "$tid: ${_prefix} revoked via KRL"
rm $OBJ/cert_user_key_revoked
${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
$OBJ/cert_user_key_${ktype}.pub
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpecedly"
fi
verbose "$tid: ${_prefix} empty KRL"
${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
fi
done
# Revoked CA
verbose "$tid: ${ktype} $auth revoked CA key"
(
cat $OBJ/sshd_proxy_bak
echo "RevokedKeys $OBJ/user_ca_key.pub"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpecedly"
fi
done
verbose "$tid: $auth CA does not authenticate"
(
cat $OBJ/sshd_proxy_bak
echo "$extra_sshd"
) > $OBJ/sshd_proxy
verbose "$tid: ensure CA key does not authenticate user"
${SSH} -2i $OBJ/user_ca_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect with CA key succeeded unexpectedly"
fi
}
basic_tests authorized_keys
basic_tests TrustedUserCAKeys
test_one() {
ident=$1
result=$2
sign_opts=$3
auth_choice=$4
auth_opt=$5
if test "x$auth_choice" = "x" ; then
auth_choice="authorized_keys TrustedUserCAKeys"
fi
for auth in $auth_choice ; do
for ktype in rsa rsa_v00 ; do
case $ktype in
*_v00) keyv="-t v00" ;;
*) keyv="" ;;
esac
cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
if test "x$auth" = "xauthorized_keys" ; then
# Add CA to authorized_keys
(
printf "cert-authority${auth_opt} "
cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER
else
echo > $OBJ/authorized_keys_$USER
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
>> $OBJ/sshd_proxy
if test "x$auth_opt" != "x" ; then
echo $auth_opt >> $OBJ/sshd_proxy
fi
fi
verbose "$tid: $ident auth $auth expect $result $ktype"
${SSHKEYGEN} -q -s $OBJ/user_ca_key \
-I "regress user key for $USER" \
$sign_opts $keyv \
$OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}"
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
rc=$?
if [ "x$result" = "xsuccess" ] ; then
if [ $rc -ne 0 ]; then
fail "$ident failed unexpectedly"
fi
else
if [ $rc -eq 0 ]; then
fail "$ident succeeded unexpectedly"
fi
fi
done
done
}
test_one "correct principal" success "-n ${USER}"
test_one "host-certificate" failure "-n ${USER} -h"
test_one "wrong principals" failure "-n foo"
test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
test_one "force-command" failure "-n ${USER} -Oforce-command=false"
# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
test_one "empty principals" success "" authorized_keys
test_one "empty principals" failure "" TrustedUserCAKeys
# Check explicitly-specified principals: an empty principals list in the cert
# should always be refused.
# AuthorizedPrincipalsFile
rm -f $OBJ/authorized_keys_$USER
echo mekmitasdigoat > $OBJ/authorized_principals_$USER
test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
test_one "AuthorizedPrincipalsFile no principals" failure "" \
TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
# principals= key option
rm -f $OBJ/authorized_principals_$USER
test_one "principals key option principals" success "-n mekmitasdigoat" \
authorized_keys ',principals="mekmitasdigoat"'
test_one "principals key option no principals" failure "" \
authorized_keys ',principals="mekmitasdigoat"'
# Wrong certificate
cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
case $ktype in
*_v00) args="-t v00" ;;
*) args="" ;;
esac
# Self-sign
${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
"regress user key for $USER" \
-n $USER $OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}"
verbose "$tid: user ${ktype} connect wrong cert"
${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect $ident succeeded unexpectedly"
fi
done
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
rm -f $OBJ/authorized_principals_$USER

View File

@ -0,0 +1,126 @@
# $OpenBSD: cfgmatch.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
# Placed in the Public Domain.
tid="sshd_config match"
pidfile=$OBJ/remote_pid
fwdport=3301
fwd="-L $fwdport:127.0.0.1:$PORT"
echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config
echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
start_client()
{
rm -f $pidfile
${SSH} -q -$p $fwd "$@" somehost \
exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
>>$TEST_REGRESS_LOGFILE 2>&1 &
client_pid=$!
# Wait for remote end
n=0
while test ! -f $pidfile ; do
sleep 1
n=`expr $n + 1`
if test $n -gt 60; then
kill $client_pid
fatal "timeout waiting for background ssh"
fi
done
}
stop_client()
{
pid=`cat $pidfile`
if [ ! -z "$pid" ]; then
kill $pid
fi
wait
}
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
echo "Match user $USER" >>$OBJ/sshd_proxy
echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
start_sshd
#set -x
# Test Match + PermitOpen in sshd_config. This should be permitted
for p in 1 2; do
trace "match permitopen localhost proto $p"
start_client -F $OBJ/ssh_config
${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
fail "match permitopen permit proto $p"
stop_client
done
# Same but from different source. This should not be permitted
for p in 1 2; do
trace "match permitopen proxy proto $p"
start_client -F $OBJ/ssh_proxy
${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
fail "match permitopen deny proto $p"
stop_client
done
# Retry previous with key option, should also be denied.
printf 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
printf 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
for p in 1 2; do
trace "match permitopen proxy w/key opts proto $p"
start_client -F $OBJ/ssh_proxy
${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
fail "match permitopen deny w/key opt proto $p"
stop_client
done
# Test both sshd_config and key options permitting the same dst/port pair.
# Should be permitted.
for p in 1 2; do
trace "match permitopen localhost proto $p"
start_client -F $OBJ/ssh_config
${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
fail "match permitopen permit proto $p"
stop_client
done
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
echo "Match User $USER" >>$OBJ/sshd_proxy
echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
# Test that a Match overrides a PermitOpen in the global section
for p in 1 2; do
trace "match permitopen proxy w/key opts proto $p"
start_client -F $OBJ/ssh_proxy
${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
fail "match override permitopen proto $p"
stop_client
done
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
echo "Match User NoSuchUser" >>$OBJ/sshd_proxy
echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
# Test that a rule that doesn't match doesn't override, plus test a
# PermitOpen entry that's not at the start of the list
for p in 1 2; do
trace "nomatch permitopen proxy w/key opts proto $p"
start_client -F $OBJ/ssh_proxy
${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
fail "nomatch override permitopen proto $p"
stop_client
done

View File

@ -0,0 +1,58 @@
# $OpenBSD: cipher-speed.sh,v 1.9 2013/05/17 04:29:14 dtucker Exp $
# Placed in the Public Domain.
tid="cipher speed"
getbytes ()
{
sed -n -e '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p' \
-e '/copied/s/.*s, \(.* MB.s\).*/\1/p'
}
tries="1 2"
ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
arcfour128 arcfour256 arcfour
aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
aes128-ctr aes192-ctr aes256-ctr"
config_defined OPENSSL_HAVE_EVPGCM && \
ciphers="$ciphers aes128-gcm@openssh.com aes256-gcm@openssh.com"
macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
hmac-sha1-96 hmac-md5-96"
config_defined HAVE_EVP_SHA256 && \
macs="$macs hmac-sha2-256 hmac-sha2-512"
for c in $ciphers; do n=0; for m in $macs; do
trace "proto 2 cipher $c mac $m"
for x in $tries; do
printf "%-60s" "$c/$m:"
( ${SSH} -o 'compression no' \
-F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
exec sh -c \'"dd of=/dev/null obs=32k"\' \
< ${DATA} ) 2>&1 | getbytes
if [ $? -ne 0 ]; then
fail "ssh -2 failed with mac $m cipher $c"
fi
done
# No point trying all MACs for GCM since they are ignored.
case $c in
aes*-gcm@openssh.com) test $n -gt 0 && break;;
esac
n=`expr $n + 1`
done; done
ciphers="3des blowfish"
for c in $ciphers; do
trace "proto 1 cipher $c"
for x in $tries; do
printf "%-60s" "$c:"
( ${SSH} -o 'compression no' \
-F $OBJ/ssh_proxy -1 -c $c somehost \
exec sh -c \'"dd of=/dev/null obs=32k"\' \
< ${DATA} ) 2>&1 | getbytes
if [ $? -ne 0 ]; then
fail "ssh -1 failed with cipher $c"
fi
done
done

View File

@ -0,0 +1,28 @@
# $OpenBSD: conch-ciphers.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $
# Placed in the Public Domain.
tid="conch ciphers"
if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
echo "conch interop tests not enabled"
exit 0
fi
start_sshd
for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
cast128-cbc blowfish 3des-cbc ; do
verbose "$tid: cipher $c"
rm -f ${COPY}
# XXX the 2nd "cat" seems to be needed because of buggy FD handling
# in conch
${CONCH} --identity $OBJ/rsa --port $PORT --user $USER -e none \
--known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \
127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
if [ $? -ne 0 ]; then
fail "ssh cat $DATA failed"
fi
cmp ${DATA} ${COPY} || fail "corrupted copy"
done
rm -f ${COPY}

View File

@ -0,0 +1,36 @@
# $OpenBSD: connect-privsep.sh,v 1.4 2012/07/02 14:37:06 dtucker Exp $
# Placed in the Public Domain.
tid="proxy connect with privsep"
cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy
for p in 1 2; do
${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
if [ $? -ne 0 ]; then
fail "ssh privsep+proxyconnect protocol $p failed"
fi
done
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy
for p in 1 2; do
${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
if [ $? -ne 0 ]; then
# XXX replace this with fail once sandbox has stabilised
warn "ssh privsep/sandbox+proxyconnect protocol $p failed"
fi
done
# Because sandbox is sensitive to changes in libc, especially malloc, retest
# with every malloc.conf option (and none).
for m in '' A F G H J P R S X Z '<' '>'; do
for p in 1 2; do
env MALLOC_OPTIONS="$m" ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
if [ $? -ne 0 ]; then
fail "ssh privsep/sandbox+proxyconnect protocol $p mopt '$m' failed"
fi
done
done

View File

@ -0,0 +1,13 @@
# $OpenBSD: connect.sh,v 1.4 2002/03/15 13:08:56 markus Exp $
# Placed in the Public Domain.
tid="simple connect"
start_sshd
for p in 1 2; do
${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true
if [ $? -ne 0 ]; then
fail "ssh connect with protocol $p failed"
fi
done

View File

@ -0,0 +1,14 @@
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Subject: ssh-keygen test
Comment: "1024-bit dsa, Tue Jan 08 2002 22:00:23 +0100"
P2/56wAAAgIAAAAmZGwtbW9kcHtzaWdue2RzYS1uaXN0LXNoYTF9LGRoe3BsYWlufX0AAA
AEbm9uZQAAAcQAAAHAAAAAAAAABACwUfm3AxZTut3icBmwCcD48nY64HzuELlQ+vEqjIcR
Lo49es/DQTeLNQ+kdKRCfouosGNv0WqxRtF0tUsWdXxS37oHGa4QPugBdHRd7YlZGZv8kg
x7FsoepY7v7E683/97dv2zxL3AGagTEzWr7fl0yPexAaZoDvtQrrjX44BLmwAABACWQkvv
MxnD8eFkS1konFfMJ1CkuRfTN34CBZ6dY7VTSGemy4QwtFdMKmoufD0eKgy3p5WOeWCYKt
F4FhjHKZk/aaxFjjIbtkrnlvXg64QI11dSZyBN6/ViQkHPSkUDF+A6AAEhrNbQbAFSvao1
kTvNtPCtL0AkUIduEMzGQfLCTAAAAKDeC043YVo9Zo0zAEeIA4uZh4LBCQAAA/9aj7Y5ik
ehygJ4qTDSlVypsPuV+n59tMS0e2pfrSG87yf5r94AKBmJeho5OO6wYaXCxsVB7AFbSUD6
75AK8mHF4v1/+7SWKk5f8xlMCMSPZ9K0+j/W1d/q2qkhnnDZolOHDomLA+U00i5ya/jnTV
zyDPWLFpWK8u3xGBPAYX324gAAAKDHFvooRnaXdZbeWGTTqmgHB1GU9A==
---- END SSH2 ENCRYPTED PRIVATE KEY ----

View File

@ -0,0 +1,13 @@
---- BEGIN SSH2 PUBLIC KEY ----
Subject: ssh-keygen test
Comment: "1024-bit dsa, Tue Jan 08 2002 22:00:23 +0100"
AAAAB3NzaC1kc3MAAACBALBR+bcDFlO63eJwGbAJwPjydjrgfO4QuVD68SqMhxEujj16z8
NBN4s1D6R0pEJ+i6iwY2/RarFG0XS1SxZ1fFLfugcZrhA+6AF0dF3tiVkZm/ySDHsWyh6l
ju/sTrzf/3t2/bPEvcAZqBMTNavt+XTI97EBpmgO+1CuuNfjgEubAAAAFQDeC043YVo9Zo
0zAEeIA4uZh4LBCQAAAIEAlkJL7zMZw/HhZEtZKJxXzCdQpLkX0zd+AgWenWO1U0hnpsuE
MLRXTCpqLnw9HioMt6eVjnlgmCrReBYYxymZP2msRY4yG7ZK55b14OuECNdXUmcgTev1Yk
JBz0pFAxfgOgABIazW0GwBUr2qNZE7zbTwrS9AJFCHbhDMxkHywkwAAACAWo+2OYpHocoC
eKkw0pVcqbD7lfp+fbTEtHtqX60hvO8n+a/eACgZiXoaOTjusGGlwsbFQewBW0lA+u+QCv
JhxeL9f/u0lipOX/MZTAjEj2fStPo/1tXf6tqpIZ5w2aJThw6JiwPlNNIucmv4501c8gz1
ixaVivLt8RgTwGF99uI=
---- END SSH2 PUBLIC KEY ----

View File

@ -0,0 +1,59 @@
# $OpenBSD: dynamic-forward.sh,v 1.10 2013/05/17 04:29:14 dtucker Exp $
# Placed in the Public Domain.
tid="dynamic forwarding"
FWDPORT=`expr $PORT + 1`
if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then
proxycmd="nc -x 127.0.0.1:$FWDPORT -X"
elif have_prog connect; then
proxycmd="connect -S 127.0.0.1:$FWDPORT -"
else
echo "skipped (no suitable ProxyCommand found)"
exit 0
fi
trace "will use ProxyCommand $proxycmd"
start_sshd
for p in 1 2; do
n=0
error="1"
trace "start dynamic forwarding, fork to background"
while [ "$error" -ne 0 -a "$n" -lt 3 ]; do
n=`expr $n + 1`
${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q \
-oExitOnForwardFailure=yes somehost exec sh -c \
\'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
error=$?
if [ "$error" -ne 0 ]; then
trace "forward failed proto $p attempt $n err $error"
sleep $n
fi
done
if [ "$error" -ne 0 ]; then
fatal "failed to start dynamic forwarding proto $p"
fi
for s in 4 5; do
for h in 127.0.0.1 localhost; do
trace "testing ssh protocol $p socks version $s host $h"
${SSH} -F $OBJ/ssh_config \
-o "ProxyCommand ${proxycmd}${s} $h $PORT" \
somehost cat $DATA > $OBJ/ls.copy
test -f $OBJ/ls.copy || fail "failed copy $DATA"
cmp $DATA $OBJ/ls.copy || fail "corrupted copy of $DATA"
done
done
if [ -f $OBJ/remote_pid ]; then
remote=`cat $OBJ/remote_pid`
trace "terminate remote shell, pid $remote"
if [ $remote -gt 1 ]; then
kill -HUP $remote
fi
else
fail "no pid file: $OBJ/remote_pid"
fi
done

View File

@ -0,0 +1,60 @@
# $OpenBSD: envpass.sh,v 1.4 2005/03/04 08:48:46 djm Exp $
# Placed in the Public Domain.
tid="environment passing"
# NB accepted env vars are in test-exec.sh (_XXX_TEST_* and _XXX_TEST)
# Prepare a custom config to test for a configuration parsing bug fixed in 4.0
cat << EOF > $OBJ/ssh_proxy_envpass
Host test-sendenv-confparse-bug
SendEnv *
EOF
cat $OBJ/ssh_proxy >> $OBJ/ssh_proxy_envpass
trace "pass env, don't accept"
verbose "test $tid: pass env, don't accept"
_TEST_ENV=blah ${SSH} -oSendEnv="*" -F $OBJ/ssh_proxy_envpass otherhost \
sh << 'EOF'
test -z "$_TEST_ENV"
EOF
r=$?
if [ $r -ne 0 ]; then
fail "environment found"
fi
trace "don't pass env, accept"
verbose "test $tid: don't pass env, accept"
_XXX_TEST_A=1 _XXX_TEST_B=2 ${SSH} -F $OBJ/ssh_proxy_envpass otherhost \
sh << 'EOF'
test -z "$_XXX_TEST_A" && test -z "$_XXX_TEST_B"
EOF
r=$?
if [ $r -ne 0 ]; then
fail "environment found"
fi
trace "pass single env, accept single env"
verbose "test $tid: pass single env, accept single env"
_XXX_TEST=blah ${SSH} -oSendEnv="_XXX_TEST" -F $OBJ/ssh_proxy_envpass \
otherhost sh << 'EOF'
test X"$_XXX_TEST" = X"blah"
EOF
r=$?
if [ $r -ne 0 ]; then
fail "environment not found"
fi
trace "pass multiple env, accept multiple env"
verbose "test $tid: pass multiple env, accept multiple env"
_XXX_TEST_A=1 _XXX_TEST_B=2 ${SSH} -oSendEnv="_XXX_TEST_*" \
-F $OBJ/ssh_proxy_envpass otherhost \
sh << 'EOF'
test X"$_XXX_TEST_A" = X"1" -a X"$_XXX_TEST_B" = X"2"
EOF
r=$?
if [ $r -ne 0 ]; then
fail "environment not found"
fi
rm -f $OBJ/ssh_proxy_envpass

View File

@ -0,0 +1,24 @@
# $OpenBSD: exit-status.sh,v 1.6 2002/03/15 13:08:56 markus Exp $
# Placed in the Public Domain.
tid="remote exit status"
for p in 1 2; do
for s in 0 1 4 5 44; do
trace "proto $p status $s"
verbose "test $tid: proto $p status $s"
${SSH} -$p -F $OBJ/ssh_proxy otherhost exit $s
r=$?
if [ $r -ne $s ]; then
fail "exit code mismatch for protocol $p: $r != $s"
fi
# same with early close of stdout/err
${SSH} -$p -F $OBJ/ssh_proxy -n otherhost \
exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
r=$?
if [ $r -ne $s ]; then
fail "exit code (with sleep) mismatch for protocol $p: $r != $s"
fi
done
done

View File

@ -0,0 +1,42 @@
# $OpenBSD: forcecommand.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $
# Placed in the Public Domain.
tid="forced command"
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
printf 'command="true" ' >$OBJ/authorized_keys_$USER
cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
printf 'command="true" ' >>$OBJ/authorized_keys_$USER
cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
for p in 1 2; do
trace "forced command in key option proto $p"
${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
fail "forced command in key proto $p"
done
printf 'command="false" ' >$OBJ/authorized_keys_$USER
cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
printf 'command="false" ' >>$OBJ/authorized_keys_$USER
cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "ForceCommand true" >> $OBJ/sshd_proxy
for p in 1 2; do
trace "forced command in sshd_config overrides key option proto $p"
${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
fail "forced command in key proto $p"
done
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "ForceCommand false" >> $OBJ/sshd_proxy
echo "Match User $USER" >> $OBJ/sshd_proxy
echo " ForceCommand true" >> $OBJ/sshd_proxy
for p in 1 2; do
trace "forced command with match proto $p"
${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
fail "forced command in key proto $p"
done

View File

@ -0,0 +1,168 @@
# $OpenBSD: forward-control.sh,v 1.1 2012/12/02 20:47:48 djm Exp $
# Placed in the Public Domain.
tid="sshd control of local and remote forwarding"
LFWD_PORT=3320
RFWD_PORT=3321
CTL=$OBJ/ctl-sock
READY=$OBJ/ready
wait_for_file_to_appear() {
_path=$1
_n=0
while test ! -f $_path ; do
test $_n -eq 1 && trace "waiting for $_path to appear"
_n=`expr $_n + 1`
test $_n -ge 20 && return 1
sleep 1
done
return 0
}
wait_for_process_to_exit() {
_pid=$1
_n=0
while kill -0 $_pid 2>/dev/null ; do
test $_n -eq 1 && trace "waiting for $_pid to exit"
_n=`expr $_n + 1`
test $_n -ge 20 && return 1
sleep 1
done
return 0
}
# usage: check_lfwd protocol Y|N message
check_lfwd() {
_proto=$1
_expected=$2
_message=$3
rm -f $READY
${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
-L$LFWD_PORT:127.0.0.1:$PORT \
-o ExitOnForwardFailure=yes \
-n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
>/dev/null 2>&1 &
_sshpid=$!
wait_for_file_to_appear $READY || \
fatal "check_lfwd ssh fail: $_message"
${SSH} -F $OBJ/ssh_config -p $LFWD_PORT \
-oConnectionAttempts=4 host true >/dev/null 2>&1
_result=$?
kill $_sshpid `cat $READY` 2>/dev/null
wait_for_process_to_exit $_sshpid
if test "x$_expected" = "xY" -a $_result -ne 0 ; then
fail "check_lfwd failed (expecting success): $_message"
elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
fail "check_lfwd succeeded (expecting failure): $_message"
elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
fatal "check_lfwd invalid argument \"$_expected\""
else
verbose "check_lfwd done (expecting $_expected): $_message"
fi
}
# usage: check_rfwd protocol Y|N message
check_rfwd() {
_proto=$1
_expected=$2
_message=$3
rm -f $READY
${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
-R$RFWD_PORT:127.0.0.1:$PORT \
-o ExitOnForwardFailure=yes \
-n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
>/dev/null 2>&1 &
_sshpid=$!
wait_for_file_to_appear $READY
_result=$?
if test $_result -eq 0 ; then
${SSH} -F $OBJ/ssh_config -p $RFWD_PORT \
-oConnectionAttempts=4 host true >/dev/null 2>&1
_result=$?
kill $_sshpid `cat $READY` 2>/dev/null
wait_for_process_to_exit $_sshpid
fi
if test "x$_expected" = "xY" -a $_result -ne 0 ; then
fail "check_rfwd failed (expecting success): $_message"
elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
fail "check_rfwd succeeded (expecting failure): $_message"
elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
fatal "check_rfwd invalid argument \"$_expected\""
else
verbose "check_rfwd done (expecting $_expected): $_message"
fi
}
start_sshd
cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak
cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
# Sanity check: ensure the default config allows forwarding
for p in 1 2 ; do
check_lfwd $p Y "proto $p, default configuration"
check_rfwd $p Y "proto $p, default configuration"
done
# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
all_tests() {
_tcpfwd=$1
_plain_lfwd=$2
_plain_rfwd=$3
_nopermit_lfwd=$4
_nopermit_rfwd=$5
_permit_lfwd=$6
_permit_rfwd=$7
_badfwd=127.0.0.1:22
_goodfwd=127.0.0.1:${PORT}
for _proto in 1 2 ; do
cp ${OBJ}/authorized_keys_${USER}.bak \
${OBJ}/authorized_keys_${USER}
_prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd"
# No PermitOpen
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_proto $_plain_lfwd "$_prefix"
check_rfwd $_proto $_plain_rfwd "$_prefix"
# PermitOpen via sshd_config that doesn't match
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ;
echo "PermitOpen $_badfwd" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen"
check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen"
# PermitOpen via sshd_config that does match
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ;
echo "PermitOpen $_badfwd $_goodfwd" ) \
> ${OBJ}/sshd_proxy
# NB. permitopen via authorized_keys should have same
# success/fail as via sshd_config
# permitopen via authorized_keys that doesn't match
sed "s/^/permitopen=\"$_badfwd\" /" \
< ${OBJ}/authorized_keys_${USER}.bak \
> ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen"
check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen"
# permitopen via authorized_keys that does match
sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
< ${OBJ}/authorized_keys_${USER}.bak \
> ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen"
check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen"
done
}
# no-permitopen mismatch-permitopen match-permitopen
# AllowTcpForwarding local remote local remote local remote
all_tests yes Y Y N Y Y Y
all_tests local Y N N N Y N
all_tests remote N Y N Y N Y
all_tests no N N N N N N

View File

@ -0,0 +1,121 @@
# $OpenBSD: forwarding.sh,v 1.11 2013/06/10 21:56:43 dtucker Exp $
# Placed in the Public Domain.
tid="local and remote forwarding"
DATA=/bin/ls${EXEEXT}
start_sshd
base=33
last=$PORT
fwd=""
for j in 0 1 2; do
for i in 0 1 2; do
a=$base$j$i
b=`expr $a + 50`
c=$last
# fwd chain: $a -> $b -> $c
fwd="$fwd -L$a:127.0.0.1:$b -R$b:127.0.0.1:$c"
last=$a
done
done
for p in 1 2; do
q=`expr 3 - $p`
trace "start forwarding, fork to background"
${SSH} -$p -F $OBJ/ssh_config -f $fwd somehost sleep 10
trace "transfer over forwarded channels and check result"
${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
somehost cat ${DATA} > ${COPY}
test -f ${COPY} || fail "failed copy of ${DATA}"
cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
sleep 10
done
for p in 1 2; do
for d in L R; do
trace "exit on -$d forward failure, proto $p"
# this one should succeed
${SSH} -$p -F $OBJ/ssh_config \
-$d ${base}01:127.0.0.1:$PORT \
-$d ${base}02:127.0.0.1:$PORT \
-$d ${base}03:127.0.0.1:$PORT \
-$d ${base}04:127.0.0.1:$PORT \
-oExitOnForwardFailure=yes somehost true
if [ $? != 0 ]; then
fail "connection failed, should not"
else
# this one should fail
${SSH} -q -$p -F $OBJ/ssh_config \
-$d ${base}01:127.0.0.1:$PORT \
-$d ${base}02:127.0.0.1:$PORT \
-$d ${base}03:127.0.0.1:$PORT \
-$d ${base}01:127.0.0.1:$PORT \
-$d ${base}04:127.0.0.1:$PORT \
-oExitOnForwardFailure=yes somehost true
r=$?
if [ $r != 255 ]; then
fail "connection not termintated, but should ($r)"
fi
fi
done
done
for p in 1 2; do
trace "simple clear forwarding proto $p"
${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
trace "clear local forward proto $p"
${SSH} -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
-oClearAllForwardings=yes somehost sleep 10
if [ $? != 0 ]; then
fail "connection failed with cleared local forwarding"
else
# this one should fail
${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
>>$TEST_REGRESS_LOGFILE 2>&1 && \
fail "local forwarding not cleared"
fi
sleep 10
trace "clear remote forward proto $p"
${SSH} -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
-oClearAllForwardings=yes somehost sleep 10
if [ $? != 0 ]; then
fail "connection failed with cleared remote forwarding"
else
# this one should fail
${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
>>$TEST_REGRESS_LOGFILE 2>&1 && \
fail "remote forwarding not cleared"
fi
sleep 10
done
for p in 2; do
trace "stdio forwarding proto $p"
cmd="${SSH} -$p -F $OBJ/ssh_config"
$cmd -o "ProxyCommand $cmd -q -W localhost:$PORT somehost" \
somehost true
if [ $? != 0 ]; then
fail "stdio forwarding proto $p"
fi
done
echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config
echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config
for p in 1 2; do
trace "config file: start forwarding, fork to background"
${SSH} -$p -F $OBJ/ssh_config -f somehost sleep 10
trace "config file: transfer over forwarded channels and check result"
${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \
somehost cat ${DATA} > ${COPY}
test -f ${COPY} || fail "failed copy of ${DATA}"
cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
wait
done

View File

@ -0,0 +1,18 @@
# Placed in the Public Domain.
tid="expand %h and %n"
echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy
printf 'LocalCommand printf "%%%%s\\n" "%%n" "%%h"\n' >> $OBJ/ssh_proxy
cat >$OBJ/expect <<EOE
somehost
127.0.0.1
EOE
for p in 1 2; do
verbose "test $tid: proto $p"
${SSH} -F $OBJ/ssh_proxy -$p somehost true >$OBJ/actual
diff $OBJ/expect $OBJ/actual || fail "$tid proto $p"
done

View File

@ -0,0 +1,76 @@
# $OpenBSD: integrity.sh,v 1.10 2013/05/17 01:32:11 dtucker Exp $
# Placed in the Public Domain.
tid="integrity"
# start at byte 2900 (i.e. after kex) and corrupt at different offsets
# XXX the test hangs if we modify the low bytes of the packet length
# XXX and ssh tries to read...
tries=10
startoffset=2900
macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
hmac-sha1-96 hmac-md5-96
hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com
umac-64-etm@openssh.com umac-128-etm@openssh.com
hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com"
config_defined HAVE_EVP_SHA256 &&
macs="$macs hmac-sha2-256 hmac-sha2-512
hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
# The following are not MACs, but ciphers with integrated integrity. They are
# handled specially below.
config_defined OPENSSL_HAVE_EVPGCM && \
macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com"
# avoid DH group exchange as the extra traffic makes it harder to get the
# offset into the stream right.
echo "KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" \
>> $OBJ/ssh_proxy
# sshd-command for proxy (see test-exec.sh)
cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy"
for m in $macs; do
trace "test $tid: mac $m"
elen=0
epad=0
emac=0
ecnt=0
skip=0
for off in `jot $tries $startoffset`; do
skip=`expr $skip - 1`
if [ $skip -gt 0 ]; then
# avoid modifying the high bytes of the length
continue
fi
# modify output from sshd at offset $off
pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1"
case $m in
aes*gcm*) macopt="-c $m";;
*) macopt="-m $m";;
esac
verbose "test $tid: $m @$off"
${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \
999.999.999.999 'printf "%4096s" " "' >/dev/null
if [ $? -eq 0 ]; then
fail "ssh -m $m succeeds with bit-flip at $off"
fi
ecnt=`expr $ecnt + 1`
output=$(tail -2 $TEST_SSH_LOGFILE | egrep -v "^debug" | \
tr -s '\r\n' '.')
case "$output" in
Bad?packet*) elen=`expr $elen + 1`; skip=3;;
Corrupted?MAC* | Decryption?integrity?check?failed*)
emac=`expr $emac + 1`; skip=0;;
padding*) epad=`expr $epad + 1`; skip=0;;
*) fail "unexpected error mac $m at $off";;
esac
done
verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen"
if [ $emac -eq 0 ]; then
fail "$m: no mac errors"
fi
expect=`expr $ecnt - $epad - $elen`
if [ $emac -ne $expect ]; then
fail "$m: expected $expect mac errors, got $emac"
fi
done

View File

@ -0,0 +1,30 @@
# $OpenBSD: kextype.sh,v 1.1 2010/09/22 12:26:05 djm Exp $
# Placed in the Public Domain.
tid="login with different key exchange algorithms"
TIME=/usr/bin/time
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
if test "$TEST_SSH_ECC" = "yes"; then
kextypes="ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521"
fi
if test "$TEST_SSH_SHA256" = "yes"; then
kextypes="$kextypes diffie-hellman-group-exchange-sha256"
fi
kextypes="$kextypes diffie-hellman-group-exchange-sha1"
kextypes="$kextypes diffie-hellman-group14-sha1"
kextypes="$kextypes diffie-hellman-group1-sha1"
tries="1 2 3 4"
for k in $kextypes; do
verbose "kex $k"
for i in $tries; do
${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
if [ $? -ne 0 ]; then
fail "ssh kex $k"
fi
done
done

View File

@ -0,0 +1,71 @@
# $OpenBSD: key-options.sh,v 1.2 2008/06/30 08:07:34 djm Exp $
# Placed in the Public Domain.
tid="key options"
origkeys="$OBJ/authkeys_orig"
authkeys="$OBJ/authorized_keys_${USER}"
cp $authkeys $origkeys
# Test command= forced command
for p in 1 2; do
for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
sed "s/.*/$c &/" $origkeys >$authkeys
verbose "key option proto $p $c"
r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost echo foo`
if [ "$r" = "foo" ]; then
fail "key option forced command not restricted"
fi
if [ "$r" != "bar" ]; then
fail "key option forced command not executed"
fi
done
done
# Test no-pty
sed 's/.*/no-pty &/' $origkeys >$authkeys
for p in 1 2; do
verbose "key option proto $p no-pty"
r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost tty`
if [ -f "$r" ]; then
fail "key option failed proto $p no-pty (pty $r)"
fi
done
# Test environment=
echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy
sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys
for p in 1 2; do
verbose "key option proto $p environment"
r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo $FOO'`
if [ "$r" != "bar" ]; then
fail "key option environment not set"
fi
done
# Test from= restriction
start_sshd
for p in 1 2; do
for f in 127.0.0.1 '127.0.0.0\/8'; do
cat $origkeys >$authkeys
${SSH} -$p -q -F $OBJ/ssh_proxy somehost true
if [ $? -ne 0 ]; then
fail "key option proto $p failed without restriction"
fi
sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
from=`head -1 $authkeys | cut -f1 -d ' '`
verbose "key option proto $p $from"
r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'`
if [ "$r" = "true" ]; then
fail "key option proto $p $from not restricted"
fi
r=`${SSH} -$p -q -F $OBJ/ssh_config somehost 'echo true'`
if [ "$r" != "true" ]; then
fail "key option proto $p $from not allowed but should be"
fi
done
done
rm -f "$origkeys"

View File

@ -0,0 +1,23 @@
# $OpenBSD: keygen-change.sh,v 1.2 2002/07/16 09:15:55 markus Exp $
# Placed in the Public Domain.
tid="change passphrase for key"
S1="secret1"
S2="2secret"
for t in rsa dsa rsa1; do
# generate user key for agent
trace "generating $t key"
rm -f $OBJ/$t-key
${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key
if [ $? -eq 0 ]; then
${SSHKEYGEN} -p -P ${S1} -N ${S2} -f $OBJ/$t-key > /dev/null
if [ $? -ne 0 ]; then
fail "ssh-keygen -p failed for $t-key"
fi
else
fail "ssh-keygen for $t-key failed"
fi
rm -f $OBJ/$t-key $OBJ/$t-key.pub
done

View File

@ -0,0 +1,33 @@
# $OpenBSD: keygen-convert.sh,v 1.1 2009/11/09 04:20:04 dtucker Exp $
# Placed in the Public Domain.
tid="convert keys"
for t in rsa dsa; do
# generate user key for agent
trace "generating $t key"
rm -f $OBJ/$t-key
${SSHKEYGEN} -q -N "" -t $t -f $OBJ/$t-key
trace "export $t private to rfc4716 public"
${SSHKEYGEN} -q -e -f $OBJ/$t-key >$OBJ/$t-key-rfc || \
fail "export $t private to rfc4716 public"
trace "export $t public to rfc4716 public"
${SSHKEYGEN} -q -e -f $OBJ/$t-key.pub >$OBJ/$t-key-rfc.pub || \
fail "$t public to rfc4716 public"
cmp $OBJ/$t-key-rfc $OBJ/$t-key-rfc.pub || \
fail "$t rfc4716 exports differ between public and private"
trace "import $t rfc4716 public"
${SSHKEYGEN} -q -i -f $OBJ/$t-key-rfc >$OBJ/$t-rfc-imported || \
fail "$t import rfc4716 public"
cut -f1,2 -d " " $OBJ/$t-key.pub >$OBJ/$t-key-nocomment.pub
cmp $OBJ/$t-key-nocomment.pub $OBJ/$t-rfc-imported || \
fail "$t imported differs from original"
rm -f $OBJ/$t-key $OBJ/$t-key.pub $OBJ/$t-key-rfc $OBJ/$t-key-rfc.pub \
$OBJ/$t-rfc-imported $OBJ/$t-key-nocomment.pub
done

View File

@ -0,0 +1,39 @@
# $OpenBSD: keys-command.sh,v 1.2 2012/12/06 06:06:54 dtucker Exp $
# Placed in the Public Domain.
tid="authorized keys from command"
if test -z "$SUDO" ; then
echo "skipped (SUDO not set)"
echo "need SUDO to create file in /var/run, test won't work without"
exit 0
fi
# Establish a AuthorizedKeysCommand in /var/run where it will have
# acceptable directory permissions.
KEY_COMMAND="/var/run/keycommand_${LOGNAME}"
cat << _EOF | $SUDO sh -c "cat > '$KEY_COMMAND'"
#!/bin/sh
test "x\$1" != "x${LOGNAME}" && exit 1
exec cat "$OBJ/authorized_keys_${LOGNAME}"
_EOF
$SUDO chmod 0755 "$KEY_COMMAND"
cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
(
grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
echo AuthorizedKeysFile none
echo AuthorizedKeysCommand $KEY_COMMAND
echo AuthorizedKeysCommandUser ${LOGNAME}
) > $OBJ/sshd_proxy
if [ -x $KEY_COMMAND ]; then
${SSH} -F $OBJ/ssh_proxy somehost true
if [ $? -ne 0 ]; then
fail "connect failed"
fi
else
echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)"
fi
$SUDO rm -f $KEY_COMMAND

View File

@ -0,0 +1,19 @@
# $OpenBSD: keyscan.sh,v 1.3 2002/03/15 13:08:56 markus Exp $
# Placed in the Public Domain.
tid="keyscan"
# remove DSA hostkey
rm -f ${OBJ}/host.dsa
start_sshd
for t in rsa1 rsa dsa; do
trace "keyscan type $t"
${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \
> /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-keyscan -t $t failed with: $r"
fi
done

View File

@ -0,0 +1,55 @@
# $OpenBSD: keytype.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $
# Placed in the Public Domain.
tid="login with different key types"
TIME=`which time 2>/dev/null`
if test ! -x "$TIME"; then
TIME=""
fi
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
ktypes="dsa-1024 rsa-2048 rsa-3072"
if test "$TEST_SSH_ECC" = "yes"; then
ktypes="$ktypes ecdsa-256 ecdsa-384 ecdsa-521"
fi
for kt in $ktypes; do
rm -f $OBJ/key.$kt
bits=`echo ${kt} | awk -F- '{print $2}'`
type=`echo ${kt} | awk -F- '{print $1}'`
printf "keygen $type, $bits bits:\t"
${TIME} ${SSHKEYGEN} -b $bits -q -N '' -t $type -f $OBJ/key.$kt ||\
fail "ssh-keygen for type $type, $bits bits failed"
done
tries="1 2 3"
for ut in $ktypes; do
htypes=$ut
#htypes=$ktypes
for ht in $htypes; do
trace "ssh connect, userkey $ut, hostkey $ht"
(
grep -v HostKey $OBJ/sshd_proxy_bak
echo HostKey $OBJ/key.$ht
) > $OBJ/sshd_proxy
(
grep -v IdentityFile $OBJ/ssh_proxy_bak
echo IdentityFile $OBJ/key.$ut
) > $OBJ/ssh_proxy
(
printf 'localhost-with-alias,127.0.0.1,::1 '
cat $OBJ/key.$ht.pub
) > $OBJ/known_hosts
cat $OBJ/key.$ut.pub > $OBJ/authorized_keys_$USER
for i in $tries; do
printf "userkey $ut, hostkey ${ht}:\t"
${TIME} ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
if [ $? -ne 0 ]; then
fail "ssh userkey $ut, hostkey $ht failed"
fi
done
done
done

157
crypto/openssh/regress/krl.sh Executable file
View File

@ -0,0 +1,157 @@
# $OpenBSD: krl.sh,v 1.1 2013/01/18 00:45:29 djm Exp $
# Placed in the Public Domain.
tid="key revocation lists"
# If we don't support ecdsa keys then this tell will be much slower.
ECDSA=ecdsa
if test "x$TEST_SSH_ECC" != "xyes"; then
ECDSA=rsa
fi
# Do most testing with ssh-keygen; it uses the same verification code as sshd.
# Old keys will interfere with ssh-keygen.
rm -f $OBJ/revoked-* $OBJ/krl-*
# Generate a CA key
$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null ||
fatal "$SSHKEYGEN CA failed"
# A specification that revokes some certificates by serial numbers
# The serial pattern is chosen to ensure the KRL includes list, range and
# bitmap sections.
cat << EOF >> $OBJ/revoked-serials
serial: 1-4
serial: 10
serial: 15
serial: 30
serial: 50
serial: 999
# The following sum to 500-799
serial: 500
serial: 501
serial: 502
serial: 503-600
serial: 700-797
serial: 798
serial: 799
serial: 599-701
EOF
# A specification that revokes some certificated by key ID.
touch $OBJ/revoked-keyid
for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
# Fill in by-ID revocation spec.
echo "id: revoked $n" >> $OBJ/revoked-keyid
done
keygen() {
N=$1
f=$OBJ/revoked-`printf "%04d" $N`
# Vary the keytype. We use mostly ECDSA since this is fastest by far.
keytype=$ECDSA
case $N in
2 | 10 | 510 | 1001) keytype=rsa;;
4 | 30 | 520 | 1002) keytype=dsa;;
esac
$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
|| fatal "$SSHKEYGEN failed"
# Sign cert
$SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
|| fatal "$SSHKEYGEN sign failed"
echo $f
}
# Generate some keys.
verbose "$tid: generating test keys"
REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
for n in $REVOKED_SERIALS ; do
f=`keygen $n`
REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
done
NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001"
NOTREVOKED=""
for n in $NOTREVOKED_SERIALS ; do
NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
done
genkrls() {
OPTS=$1
$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
# KRLs from serial/key-id spec need the CA specified.
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
}
verbose "$tid: generating KRLs"
genkrls
check_krl() {
KEY=$1
KRL=$2
EXPECT_REVOKED=$3
TAG=$4
$SSHKEYGEN -Qf $KRL $KEY >/dev/null
result=$?
if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
fatal "key $KEY not revoked by KRL $KRL: $TAG"
elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
fi
}
test_all() {
FILES=$1
TAG=$2
KEYS_RESULT=$3
ALL_RESULT=$4
SERIAL_RESULT=$5
KEYID_RESULT=$6
CERTS_RESULT=$7
CA_RESULT=$8
verbose "$tid: checking revocations for $TAG"
for f in $FILES ; do
check_krl $f $OBJ/krl-empty no "$TAG"
check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
done
}
# keys all serial keyid certs CA
test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
# Check update. Results should be identical.
verbose "$tid: testing KRL update"
for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
$OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
cp -f $OBJ/krl-empty $f
genkrls -u
done
# keys all serial keyid certs CA
test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes

View File

@ -0,0 +1,15 @@
# $OpenBSD: localcommand.sh,v 1.2 2013/05/17 10:24:48 dtucker Exp $
# Placed in the Public Domain.
tid="localcommand"
echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy
echo 'LocalCommand echo foo' >> $OBJ/ssh_proxy
for p in 1 2; do
verbose "test $tid: proto $p localcommand"
a=`${SSH} -F $OBJ/ssh_proxy -$p somehost true`
if [ "$a" != "foo" ] ; then
fail "$tid proto $p"
fi
done

View File

@ -0,0 +1,29 @@
# $OpenBSD: login-timeout.sh,v 1.5 2013/05/17 10:23:52 dtucker Exp $
# Placed in the Public Domain.
tid="connect after login grace timeout"
trace "test login grace with privsep"
echo "LoginGraceTime 10s" >> $OBJ/sshd_config
echo "MaxStartups 1" >> $OBJ/sshd_config
start_sshd
(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 &
sleep 15
${SSH} -F $OBJ/ssh_config somehost true
if [ $? -ne 0 ]; then
fail "ssh connect after login grace timeout failed with privsep"
fi
$SUDO kill `$SUDO cat $PIDFILE`
trace "test login grace without privsep"
echo "UsePrivilegeSeparation no" >> $OBJ/sshd_config
start_sshd
(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 &
sleep 15
${SSH} -F $OBJ/ssh_config somehost true
if [ $? -ne 0 ]; then
fail "ssh connect after login grace timeout failed without privsep"
fi

175
crypto/openssh/regress/modpipe.c Executable file
View File

@ -0,0 +1,175 @@
/*
* Copyright (c) 2012 Damien Miller <djm@mindrot.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $OpenBSD: modpipe.c,v 1.5 2013/05/10 03:46:14 djm Exp $ */
#include "includes.h"
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>
#include <errno.h>
#include "openbsd-compat/getopt_long.c"
static void err(int, const char *, ...) __attribute__((format(printf, 2, 3)));
static void errx(int, const char *, ...) __attribute__((format(printf, 2, 3)));
static void
err(int r, const char *fmt, ...)
{
va_list args;
va_start(args, fmt);
fprintf(stderr, "%s: ", strerror(errno));
vfprintf(stderr, fmt, args);
fputc('\n', stderr);
va_end(args);
exit(r);
}
static void
errx(int r, const char *fmt, ...)
{
va_list args;
va_start(args, fmt);
vfprintf(stderr, fmt, args);
fputc('\n', stderr);
va_end(args);
exit(r);
}
static void
usage(void)
{
fprintf(stderr, "Usage: modpipe -w [-m modspec ...] < in > out\n");
fprintf(stderr, "modspec is one of:\n");
fprintf(stderr, " xor:offset:value - XOR \"value\" at \"offset\"\n");
fprintf(stderr, " andor:offset:val1:val2 - AND \"val1\" then OR \"val2\" at \"offset\"\n");
exit(1);
}
#define MAX_MODIFICATIONS 256
struct modification {
enum { MOD_XOR, MOD_AND_OR } what;
u_int64_t offset;
u_int8_t m1, m2;
};
static void
parse_modification(const char *s, struct modification *m)
{
char what[16+1];
int n, m1, m2;
bzero(m, sizeof(*m));
if ((n = sscanf(s, "%16[^:]%*[:]%lli%*[:]%i%*[:]%i",
what, &m->offset, &m1, &m2)) < 3)
errx(1, "Invalid modification spec \"%s\"", s);
if (strcasecmp(what, "xor") == 0) {
if (n > 3)
errx(1, "Invalid modification spec \"%s\"", s);
if (m1 < 0 || m1 > 0xff)
errx(1, "Invalid XOR modification value");
m->what = MOD_XOR;
m->m1 = m1;
} else if (strcasecmp(what, "andor") == 0) {
if (n != 4)
errx(1, "Invalid modification spec \"%s\"", s);
if (m1 < 0 || m1 > 0xff)
errx(1, "Invalid AND modification value");
if (m2 < 0 || m2 > 0xff)
errx(1, "Invalid OR modification value");
m->what = MOD_AND_OR;
m->m1 = m1;
m->m2 = m2;
} else
errx(1, "Invalid modification type \"%s\"", what);
}
int
main(int argc, char **argv)
{
int ch;
u_char buf[8192];
size_t total;
ssize_t r, s, o;
struct modification mods[MAX_MODIFICATIONS];
u_int i, wflag = 0, num_mods = 0;
while ((ch = getopt(argc, argv, "wm:")) != -1) {
switch (ch) {
case 'm':
if (num_mods >= MAX_MODIFICATIONS)
errx(1, "Too many modifications");
parse_modification(optarg, &(mods[num_mods++]));
break;
case 'w':
wflag = 1;
break;
default:
usage();
/* NOTREACHED */
}
}
for (total = 0;;) {
r = s = read(STDIN_FILENO, buf, sizeof(buf));
if (r == 0)
break;
if (r < 0) {
if (errno == EAGAIN || errno == EINTR)
continue;
err(1, "read");
}
for (i = 0; i < num_mods; i++) {
if (mods[i].offset < total ||
mods[i].offset >= total + s)
continue;
switch (mods[i].what) {
case MOD_XOR:
buf[mods[i].offset - total] ^= mods[i].m1;
break;
case MOD_AND_OR:
buf[mods[i].offset - total] &= mods[i].m1;
buf[mods[i].offset - total] |= mods[i].m2;
break;
}
}
for (o = 0; o < s; o += r) {
r = write(STDOUT_FILENO, buf, s - o);
if (r == 0)
break;
if (r < 0) {
if (errno == EAGAIN || errno == EINTR)
continue;
err(1, "write");
}
}
total += s;
}
/* Warn if modifications not reached in input stream */
r = 0;
for (i = 0; wflag && i < num_mods; i++) {
if (mods[i].offset < total)
continue;
r = 1;
fprintf(stderr, "modpipe: warning - mod %u not reached\n", i);
}
return r;
}

View File

@ -0,0 +1,143 @@
# $OpenBSD: multiplex.sh,v 1.21 2013/05/17 04:29:14 dtucker Exp $
# Placed in the Public Domain.
CTL=/tmp/openssh.regress.ctl-sock.$$
tid="connection multiplexing"
if config_defined DISABLE_FD_PASSING ; then
echo "skipped (not supported on this platform)"
exit 0
fi
P=3301 # test port
wait_for_mux_master_ready()
{
for i in 1 2 3 4 5; do
${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost \
>/dev/null 2>&1 && return 0
sleep $i
done
fatal "mux master never becomes ready"
}
start_sshd
start_mux_master()
{
trace "start master, fork to background"
${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost \
-E $TEST_REGRESS_LOGFILE 2>&1 &
MASTER_PID=$!
wait_for_mux_master_ready
}
start_mux_master
verbose "test $tid: envpass"
trace "env passing over multiplexed connection"
_XXX_TEST=blah ${SSH} -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" -S$CTL otherhost sh << 'EOF'
test X"$_XXX_TEST" = X"blah"
EOF
if [ $? -ne 0 ]; then
fail "environment not found"
fi
verbose "test $tid: transfer"
rm -f ${COPY}
trace "ssh transfer over multiplexed connection and check result"
${SSH} -F $OBJ/ssh_config -S$CTL otherhost cat ${DATA} > ${COPY}
test -f ${COPY} || fail "ssh -Sctl: failed copy ${DATA}"
cmp ${DATA} ${COPY} || fail "ssh -Sctl: corrupted copy of ${DATA}"
rm -f ${COPY}
trace "ssh transfer over multiplexed connection and check result"
${SSH} -F $OBJ/ssh_config -S $CTL otherhost cat ${DATA} > ${COPY}
test -f ${COPY} || fail "ssh -S ctl: failed copy ${DATA}"
cmp ${DATA} ${COPY} || fail "ssh -S ctl: corrupted copy of ${DATA}"
rm -f ${COPY}
trace "sftp transfer over multiplexed connection and check result"
echo "get ${DATA} ${COPY}" | \
${SFTP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost >>$TEST_REGRESS_LOGFILE 2>&1
test -f ${COPY} || fail "sftp: failed copy ${DATA}"
cmp ${DATA} ${COPY} || fail "sftp: corrupted copy of ${DATA}"
rm -f ${COPY}
trace "scp transfer over multiplexed connection and check result"
${SCP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost:${DATA} ${COPY} >>$TEST_REGRESS_LOGFILE 2>&1
test -f ${COPY} || fail "scp: failed copy ${DATA}"
cmp ${DATA} ${COPY} || fail "scp: corrupted copy of ${DATA}"
rm -f ${COPY}
for s in 0 1 4 5 44; do
trace "exit status $s over multiplexed connection"
verbose "test $tid: status $s"
${SSH} -F $OBJ/ssh_config -S $CTL otherhost exit $s
r=$?
if [ $r -ne $s ]; then
fail "exit code mismatch for protocol $p: $r != $s"
fi
# same with early close of stdout/err
trace "exit status $s with early close over multiplexed connection"
${SSH} -F $OBJ/ssh_config -S $CTL -n otherhost \
exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
r=$?
if [ $r -ne $s ]; then
fail "exit code (with sleep) mismatch for protocol $p: $r != $s"
fi
done
verbose "test $tid: cmd check"
${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \
|| fail "check command failed"
verbose "test $tid: cmd forward local"
${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L $P:localhost:$PORT otherhost \
|| fail "request local forward failed"
${SSH} -F $OBJ/ssh_config -p$P otherhost true \
|| fail "connect to local forward port failed"
${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -L $P:localhost:$PORT otherhost \
|| fail "cancel local forward failed"
${SSH} -F $OBJ/ssh_config -p$P otherhost true \
&& fail "local forward port still listening"
verbose "test $tid: cmd forward remote"
${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -R $P:localhost:$PORT otherhost \
|| fail "request remote forward failed"
${SSH} -F $OBJ/ssh_config -p$P otherhost true \
|| fail "connect to remote forwarded port failed"
${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -R $P:localhost:$PORT otherhost \
|| fail "cancel remote forward failed"
${SSH} -F $OBJ/ssh_config -p$P otherhost true \
&& fail "remote forward port still listening"
verbose "test $tid: cmd exit"
${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \
|| fail "send exit command failed"
# Wait for master to exit
wait $MASTER_PID
kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed"
# Restart master and test -O stop command with master using -N
verbose "test $tid: cmd stop"
trace "restart master, fork to background"
start_mux_master
# start a long-running command then immediately request a stop
${SSH} -F $OBJ/ssh_config -S $CTL otherhost "sleep 10; exit 0" \
>>$TEST_REGRESS_LOGFILE 2>&1 &
SLEEP_PID=$!
${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \
|| fail "send stop command failed"
# wait until both long-running command and master have exited.
wait $SLEEP_PID
[ $! != 0 ] || fail "waiting for concurrent command"
wait $MASTER_PID
[ $! != 0 ] || fail "waiting for master stop"
kill -0 $MASTER_PID >/dev/null 2>&1 && fail "stop command failed"

View File

@ -0,0 +1,34 @@
# $OpenBSD: portnum.sh,v 1.2 2013/05/17 10:34:30 dtucker Exp $
# Placed in the Public Domain.
tid="port number parsing"
badport() {
port=$1
verbose "$tid: invalid port $port"
if ${SSH} -F $OBJ/ssh_proxy -p $port somehost true 2>/dev/null ; then
fail "$tid accepted invalid port $port"
fi
}
goodport() {
port=$1
verbose "$tid: valid port $port"
if ${SSH} -F $OBJ/ssh_proxy -p $port somehost true 2>/dev/null ; then
:
else
fail "$tid rejected valid port $port"
fi
}
badport 0
badport 65536
badport 131073
badport 2000blah
badport blah2000
goodport 1
goodport 22
goodport 2222
goodport 22222
goodport 65535

View File

@ -0,0 +1,19 @@
# $OpenBSD: proto-mismatch.sh,v 1.3 2002/03/15 13:08:56 markus Exp $
# Placed in the Public Domain.
tid="protocol version mismatch"
mismatch ()
{
server=$1
client=$2
banner=`echo ${client} | ${SSHD} -o "Protocol=${server}" -i -f ${OBJ}/sshd_proxy`
r=$?
trace "sshd prints ${banner}"
if [ $r -ne 255 ]; then
fail "sshd prints ${banner} and accepts connect with version ${client}"
fi
}
mismatch 2 SSH-1.5-HALLO
mismatch 1 SSH-2.0-HALLO

View File

@ -0,0 +1,34 @@
# $OpenBSD: proto-version.sh,v 1.4 2013/05/17 00:37:40 dtucker Exp $
# Placed in the Public Domain.
tid="sshd version with different protocol combinations"
# we just start sshd in inetd mode and check the banner
check_version ()
{
version=$1
expect=$2
banner=`printf '' | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy`
case ${banner} in
SSH-1.99-*)
proto=199
;;
SSH-2.0-*)
proto=20
;;
SSH-1.5-*)
proto=15
;;
*)
proto=0
;;
esac
if [ ${expect} -ne ${proto} ]; then
fail "wrong protocol version ${banner} for ${version}"
fi
}
check_version 2,1 199
check_version 1,2 199
check_version 2 20
check_version 1 15

Some files were not shown because too many files have changed in this diff Show More