authortorstenb <torstenb@FreeBSD.org>2000-01-14 19:37:39 +0000
committertorstenb <torstenb@FreeBSD.org>2000-01-14 19:37:39 +0000
commit4e8a41a4afc4fb5af9326dd2e97e544163c3a74f (patch)
tree3086f628a120a4e417a47b6a77e51f332ca68484 /security
parent6b5d9ad70b97c212bb6b8b4baf36001ed5bb3a46 (diff)
downloadFreeBSD-ports-4e8a41a4afc4fb5af9326dd2e97e544163c3a74f.zip
FreeBSD-ports-4e8a41a4afc4fb5af9326dd2e97e544163c3a74f.tar.gz
Add IPv6 support to ssh.
The IPv6 patch was obtained from the KAME repository and was written by KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>. Due to the whole mess with different patches it was necessary to include both the IPv6 patch and patch-ssh-1.2.27-bsd.tty.chown in ${PATCHDIR}. Since both patches modify the configure script it was also necessary to rebuild it via autoconf from configure.in. I've decided to use USE_AUTOCONF instead of including the rebuilt configure script in ${FILESDIR}. Obtained from: KAME/WIDE
Diffstat (limited to 'security')
-rw-r--r--security/ssh/Makefile17
-rw-r--r--security/ssh/distinfo1
-rw-r--r--security/ssh/files/patch-af719
-rw-r--r--security/ssh/files/patch-ag87
-rw-r--r--security/ssh/files/patch-al409
-rw-r--r--security/ssh/files/patch-ao618
-rw-r--r--security/ssh/files/patch-aw103
-rw-r--r--security/ssh/files/patch-ba176
-rw-r--r--security/ssh/files/patch-bb29
-rw-r--r--security/ssh/files/patch-bc401
-rw-r--r--security/ssh/files/patch-bd49
-rw-r--r--security/ssh/files/patch-be401
-rw-r--r--security/ssh/files/patch-bf17
-rw-r--r--security/ssh/files/patch-bg120
-rw-r--r--security/ssh/files/patch-bh66
-rw-r--r--security/ssh/files/patch-bi56
-rw-r--r--security/ssh/files/patch-bj16
-rw-r--r--security/ssh/files/patch-bl66
-rw-r--r--security/ssh/files/patch-bm14
-rw-r--r--security/ssh/files/patch-bn191
-rw-r--r--security/ssh/files/patch-bo197
-rw-r--r--security/ssh/files/patch-bp45
-rw-r--r--security/ssh/files/patch-br97
-rw-r--r--security/ssh/files/patch-bs94
-rw-r--r--security/ssh/files/patch-xa167
25 files changed, 4026 insertions, 130 deletions
diff --git a/security/ssh/Makefile b/security/ssh/Makefile
index 6bf142b..978841f 100644
--- a/security/ssh/Makefile
+++ b/security/ssh/Makefile
@@ -6,20 +6,17 @@
# $FreeBSD$
#
# Maximal ssh package requires YES values for
-# USE_PERL, USE_TCPWRAP
+# USE_PERL, USE_TCPWRAP, USE_INET6
#
DISTNAME= ssh-1.2.27
CATEGORIES= security net
MASTER_SITES= ftp://ftp.cs.hut.fi/pub/ssh/
-PATCH_SITES= http://www.ssh.org/patches/ \
- ftp://ftp2.inch.com/pub/FreeBSD/
-PATCHFILES= patch-${DISTNAME}-bsd.tty.chown
-PATCH_DIST_STRIP= -p1
-
MAINTAINER= torstenb@FreeBSD.org
+USE_AUTOCONF= YES # unfortunately... see comments in patch-xa for details
+
# You can set USA_RESIDENT appropriately in /etc/make.conf if this bugs you..
.if defined(USA_RESIDENT) && ${USA_RESIDENT} == YES
@@ -139,6 +136,14 @@ LIB_DEPENDS+= wrap.7:${PORTSDIR}/security/tcp_wrapper
.endif
.endif
+# Original IPv6 patches were obtained from ftp://ftp.kyoto.wide.ad.jp/IPv6/ssh/
+# ssh-1.2.27-IPv6-1.5-patch.gz
+.if defined(USE_INET6) && ${USE_INET6} == YES
+CONFIGURE_ARGS+= --enable-ipv6
+.else
+CONFIGURE_ARGS+= --disable-ipv6
+.endif
+
# Include SOCKS firewall support
.if defined(USE_SOCKS) && ${USE_SOCKS} == YES
CONFIGURE_ARGS+= --with-socks="-L${PREFIX}/lib -lsocks5" --with-socks5
diff --git a/security/ssh/distinfo b/security/ssh/distinfo
index 9a1aee6..bf69016 100644
--- a/security/ssh/distinfo
+++ b/security/ssh/distinfo
@@ -1,2 +1 @@
MD5 (ssh-1.2.27.tar.gz) = c22bc000bee0f7d6f4845eab72a81395
-MD5 (patch-ssh-1.2.27-bsd.tty.chown) = e4d7755994c2fa0d419a60723e8a9d53
diff --git a/security/ssh/files/patch-af b/security/ssh/files/patch-af
index 17d22fc..d3fce09 100644
--- a/security/ssh/files/patch-af
+++ b/security/ssh/files/patch-af
@@ -1,5 +1,422 @@
-*** sshd.c.orig Wed May 12 20:19:29 1999
---- sshd.c Sun Jun 6 02:37:18 1999
+*** sshd.c.orig Tue Jan 11 20:40:10 2000
+--- sshd.c Tue Jan 11 20:40:07 2000
+***************
+*** 553,558 ****
+--- 553,571 ----
+ /* Name of the server configuration file. */
+ char *config_file_name = SERVER_CONFIG_FILE;
+
++ /* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
++ Default value is AF_UNSPEC means both IPv4 and IPv6. */
++ #ifdef ENABLE_IPV6
++ int IPv4or6 = AF_UNSPEC;
++ #else
++ int IPv4or6 = AF_INET;
++ #endif
++
++ #ifdef ENABLE_LOG_AUTH
++ char *unauthenticated_user = NULL;
++ int log_auth_flag = 0;
++ #endif /* ENABLE_LOG_AUTH */
++
+ /* Debug mode flag. This can be set on the command line. If debug
+ mode is enabled, extra debugging output will be sent to the system
+ log, the daemon will not go to background, and will exit after processing
+***************
+*** 576,582 ****
+
+ /* This is set to the socket that the server is listening; this is used in
+ the SIGHUP signal handler. */
+! int listen_sock;
+
+ /* This is not really needed, and could be eliminated if server-specific
+ and client-specific code were removed from newchannels.c */
+--- 589,605 ----
+
+ /* This is set to the socket that the server is listening; this is used in
+ the SIGHUP signal handler. */
+! #define MAX_LISTEN_SOCKS 16
+! int listen_socks[MAX_LISTEN_SOCKS];
+! int num_listen_socks = 0;
+! void close_listen_socks()
+! {
+! int i;
+!
+! for (i = 0; i < num_listen_socks; i++)
+! close(listen_socks[i]);
+! num_listen_socks = -1;
+! }
+
+ /* This is not really needed, and could be eliminated if server-specific
+ and client-specific code were removed from newchannels.c */
+***************
+*** 666,672 ****
+ void sighup_restart(void)
+ {
+ log_msg("Received SIGHUP; restarting.");
+! close(listen_sock);
+ execvp(saved_argv[0], saved_argv);
+ log_msg("RESTART FAILED: av[0]='%.100s', error: %.100s.",
+ saved_argv[0], strerror(errno));
+--- 689,695 ----
+ void sighup_restart(void)
+ {
+ log_msg("Received SIGHUP; restarting.");
+! close_listen_socks();
+ execvp(saved_argv[0], saved_argv);
+ log_msg("RESTART FAILED: av[0]='%.100s', error: %.100s.",
+ saved_argv[0], strerror(errno));
+***************
+*** 680,686 ****
+ RETSIGTYPE sigterm_handler(int sig)
+ {
+ log_msg("Received signal %d; terminating.", sig);
+! close(listen_sock);
+ exit(255);
+ }
+
+--- 703,709 ----
+ RETSIGTYPE sigterm_handler(int sig)
+ {
+ log_msg("Received signal %d; terminating.", sig);
+! close_listen_socks();
+ exit(255);
+ }
+
+***************
+*** 759,765 ****
+ int perm_denied = 0;
+ int ret;
+ fd_set fdset;
+! struct sockaddr_in sin;
+ char buf[100]; /* Must not be larger than remote_version. */
+ char remote_version[100]; /* Must be at least as big as buf. */
+ char *comment;
+--- 782,788 ----
+ int perm_denied = 0;
+ int ret;
+ fd_set fdset;
+! struct sockaddr_storage from;
+ char buf[100]; /* Must not be larger than remote_version. */
+ char remote_version[100]; /* Must be at least as big as buf. */
+ char *comment;
+***************
+*** 769,774 ****
+--- 792,800 ----
+ struct linger linger;
+ #endif /* SO_LINGER */
+ int done;
++ struct addrinfo *ai;
++ char ntop[ADDRSTRLEN], strport[PORTSTRLEN];
++ int listen_sock, maxfd;
+
+ /* Save argv[0]. */
+ saved_argv = av;
+***************
+*** 787,796 ****
+ initialize_server_options(&options);
+
+ /* Parse command-line arguments. */
+! while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:")) != EOF)
+ {
+ switch (opt)
+ {
+ case 'f':
+ config_file_name = optarg;
+ break;
+--- 813,838 ----
+ initialize_server_options(&options);
+
+ /* Parse command-line arguments. */
+! while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:4"
+! #ifdef ENABLE_IPV6
+! "6"
+! #endif
+! )) != EOF)
+ {
+ switch (opt)
+ {
++ case '4':
++ #ifdef ENABLE_IPV6
++ IPv4or6 = (IPv4or6 == AF_INET6) ? AF_UNSPEC : AF_INET;
++ #else
++ IPv4or6 = AF_INET;
++ #endif
++ break;
++ #ifdef ENABLE_IPV6
++ case '6':
++ IPv4or6 = (IPv4or6 == AF_INET) ? AF_UNSPEC : AF_INET6;
++ break;
++ #endif
+ case 'f':
+ config_file_name = optarg;
+ break;
+***************
+*** 807,813 ****
+ options.server_key_bits = atoi(optarg);
+ break;
+ case 'p':
+! options.port = atoi(optarg);
+ break;
+ case 'g':
+ options.login_grace_time = atoi(optarg);
+--- 849,855 ----
+ options.server_key_bits = atoi(optarg);
+ break;
+ case 'p':
+! options.ports[options.num_ports++] = atoi(optarg);
+ break;
+ case 'g':
+ options.login_grace_time = atoi(optarg);
+***************
+*** 829,834 ****
+--- 871,880 ----
+ fprintf(stderr, "sshd version %s [%s]\n", SSH_VERSION, HOSTTYPE);
+ fprintf(stderr, "Usage: %s [options]\n", av0);
+ fprintf(stderr, "Options:\n");
++ fprintf(stderr, " -4 Use IPv4 only\n");
++ #ifdef ENABLE_IPV6
++ fprintf(stderr, " -6 Use IPv6 only\n");
++ #endif
+ fprintf(stderr, " -f file Configuration file (default %s/sshd_config)\n", ETCDIR);
+ fprintf(stderr, " -d Debugging mode\n");
+ fprintf(stderr, " -i Started from inetd\n");
+***************
+*** 857,872 ****
+ fprintf(stderr, "fatal: Bad server key size.\n");
+ exit(1);
+ }
+- if (options.port < 1 || options.port > 65535)
+- {
+- fprintf(stderr, "fatal: Bad port number.\n");
+- exit(1);
+- }
+ if (options.umask != -1)
+ {
+ umask(options.umask);
+ }
+
+ /* Check that there are no remaining arguments. */
+ if (optind < ac)
+ {
+--- 903,917 ----
+ fprintf(stderr, "fatal: Bad server key size.\n");
+ exit(1);
+ }
+ if (options.umask != -1)
+ {
+ umask(options.umask);
+ }
+
++ #ifdef ENABLE_LOG_AUTH
++ log_auth_flag = options.log_auth;
++ #endif /* ENABLE_LOG_AUTH */
++
+ /* Check that there are no remaining arguments. */
+ if (optind < ac)
+ {
+***************
+*** 1034,1043 ****
+ }
+ else
+ {
+ /* Create socket for listening. */
+! listen_sock = socket(AF_INET, SOCK_STREAM, 0);
+ if (listen_sock < 0)
+ fatal("socket: %.100s", strerror(errno));
+
+ /* Set socket options. We try to make the port reusable and have it
+ close as fast as possible without waiting in unnecessary wait states
+--- 1079,1091 ----
+ }
+ else
+ {
++ for (ai = options.listen_addrs; ai; ai = ai->ai_next)
++ {
+ /* Create socket for listening. */
+! listen_sock = socket(ai->ai_family, SOCK_STREAM, 0);
+ if (listen_sock < 0)
+ fatal("socket: %.100s", strerror(errno));
++ listen_socks[num_listen_socks] = listen_sock;
+
+ /* Set socket options. We try to make the port reusable and have it
+ close as fast as possible without waiting in unnecessary wait states
+***************
+*** 1051,1071 ****
+ sizeof(linger));
+ #endif /* SO_LINGER */
+
+! /* Initialize the socket address. */
+! memset(&sin, 0, sizeof(sin));
+! sin.sin_family = AF_INET;
+! sin.sin_addr = options.listen_addr;
+! sin.sin_port = htons(options.port);
+
+ /* Bind the socket to the desired port. */
+! if (bind(listen_sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
+ {
+! error("bind: %.100s", strerror(errno));
+! shutdown(listen_sock, 2);
+ close(listen_sock);
+! fatal("Bind to port %d failed: %.200s.", options.port,
+! strerror(errno));
+ }
+
+ if (!debug_flag)
+ {
+--- 1099,1128 ----
+ sizeof(linger));
+ #endif /* SO_LINGER */
+
+! getnameinfo(ai->ai_addr, ai->ai_addrlen,
+! ntop, sizeof(ntop), strport, sizeof(strport),
+! NI_NUMERICHOST|NI_NUMERICSERV);
+
+ /* Bind the socket to the desired port. */
+! if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0)
+ {
+! error("Bind to port %s on %s failed: %.200s.",
+! strport, ntop, strerror(errno));
+ close(listen_sock);
+! continue;
+ }
++ num_listen_socks++;
++
++ /* Start listening on the port. */
++ log_msg("Server listening on %s port %s.", ntop, strport);
++ if (listen(listen_sock, 5) < 0)
++ fatal("listen: %.100s", strerror(errno));
++
++ } /* for (ai = options.listen_addrs; ai; ai = ai->ai_next) */
++ freeaddrinfo(options.listen_addrs);
++
++ if (!num_listen_socks)
++ fatal("Cannot bind all addresses.");
+
+ if (!debug_flag)
+ {
+***************
+*** 1081,1091 ****
+ }
+ }
+
+- /* Start listening on the port. */
+- log_msg("Server listening on port %d.", options.port);
+- if (listen(listen_sock, 5) < 0)
+- fatal("listen: %.100s", strerror(errno));
+-
+ /* Generate an rsa key. */
+ log_msg("Generating %d bit RSA key.", options.server_key_bits);
+ rsa_generate_key(&sensitive_data.private_key, &public_key,
+--- 1138,1143 ----
+***************
+*** 1139,1156 ****
+
+ /* Wait in select until there is a connection. */
+ FD_ZERO(&fdset);
+! FD_SET(listen_sock, &fdset);
+! ret = select(listen_sock + 1, &fdset, NULL, NULL, NULL);
+! if (ret < 0 || !FD_ISSET(listen_sock, &fdset))
+ {
+ if (errno == EINTR)
+ continue;
+ error("select: %.100s", strerror(errno));
+ continue;
+ }
+!
+! aux = sizeof(sin);
+! newsock = accept(listen_sock, (struct sockaddr *)&sin, &aux);
+ if (newsock < 0)
+ {
+ if (errno == EINTR)
+--- 1191,1218 ----
+
+ /* Wait in select until there is a connection. */
+ FD_ZERO(&fdset);
+! maxfd = 0;
+! for (i = 0; i < num_listen_socks; i++)
+! {
+! FD_SET(listen_socks[i], &fdset);
+! if (listen_socks[i] > maxfd)
+! maxfd = listen_socks[i];
+! }
+! ret = select(maxfd + 1, &fdset, NULL, NULL, NULL);
+! if (ret < 0)
+ {
+ if (errno == EINTR)
+ continue;
+ error("select: %.100s", strerror(errno));
+ continue;
+ }
+!
+! for (i = 0; i < num_listen_socks; i++)
+! {
+! if (!FD_ISSET(listen_socks[i], &fdset))
+! continue;
+! aux = sizeof(from);
+! newsock = accept(listen_socks[i], (struct sockaddr *)&from, &aux);
+ if (newsock < 0)
+ {
+ if (errno == EINTR)
+***************
+*** 1166,1172 ****
+ /* In debugging mode. Close the listening socket, and start
+ processing the connection without forking. */
+ debug("Server will not fork when running in debugging mode.");
+! close(listen_sock);
+ sock_in = newsock;
+ sock_out = newsock;
+ pid = getpid();
+--- 1228,1234 ----
+ /* In debugging mode. Close the listening socket, and start
+ processing the connection without forking. */
+ debug("Server will not fork when running in debugging mode.");
+! close_listen_socks();
+ sock_in = newsock;
+ sock_out = newsock;
+ pid = getpid();
+***************
+*** 1195,1201 ****
+ the accepted socket. Reinitialize logging (since our
+ pid has changed). We break out of the loop to handle
+ the connection. */
+! close(listen_sock);
+ sock_in = newsock;
+ sock_out = newsock;
+ #ifdef LIBWRAP
+--- 1257,1263 ----
+ the accepted socket. Reinitialize logging (since our
+ pid has changed). We break out of the loop to handle
+ the connection. */
+! close_listen_socks();
+ sock_in = newsock;
+ sock_out = newsock;
+ #ifdef LIBWRAP
+***************
+*** 1233,1238 ****
+--- 1295,1304 ----
+
+ /* Close the new socket (the child is now taking care of it). */
+ close(newsock);
++ } /* for (i = 0; i < num_host_socks; i++) */
++ /* child process check (or debug mode) */
++ if (num_listen_socks < 0)
++ break;
+ }
+ }
+
+***************
+*** 2205,2210 ****
+--- 2271,2279 ----
+ krb5_parse_name(ssh_context, user, &client);
+ #endif /* defined(KERBEROS) && defined(KRB5) */
+
++ #ifdef ENABLE_LOG_AUTH
++ unauthenticated_user = user;
++ #endif /* ENABLE_LOG_AUTH */
+ /* Verify that the user is a valid user. We disallow usernames starting
+ with any characters that are commonly used to start NIS entries. */
+ pw = getpwnam(user);
***************
*** 2222,2228 ****
pwcopy.pw_class = xstrdup(pw->pw_class);
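Review bot: The new `-p` handling at `options.ports[options.num_ports++] = atoi(optarg);` stores into `options.ports` without checking `num_ports` against the array's capacity, and the range check the old side deletes (`if (options.port < 1 || options.port > 65535)`) has no replacement, so a repeated `-p`, `-p 0` or a non-numeric argument now reaches the bind loop unchecked. A guard such as `if (options.num_ports >= <ports array size, declared outside this diff>) fatal("Too many -p options.");` plus a 1..65535 test on the `atoi()` result would restore both. The same missing bound applies to `listen_socks[num_listen_socks] = listen_sock;` in the bind loop, where `options.listen_addrs` may hold more entries than `MAX_LISTEN_SOCKS` (16). The `getnameinfo()` call before `bind()` ignores its return value, so on failure `ntop`/`strport` are used uninitialized in the `error()` and `log_msg()` lines; checking the result, or initialising both buffers to an empty string, would keep the log trustworthy.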
@@ -9,7 +426,7 @@
pwcopy.pw_dir = xstrdup(pw->pw_dir);
pwcopy.pw_shell = xstrdup(pw->pw_shell);
pw = &pwcopy;
---- 2222,2228 ----
+--- 2291,2297 ----
pwcopy.pw_class = xstrdup(pw->pw_class);
pwcopy.pw_change = pw->pw_change;
pwcopy.pw_expire = pw->pw_expire;
@@ -18,7 +435,136 @@
pwcopy.pw_shell = xstrdup(pw->pw_shell);
pw = &pwcopy;
***************
-*** 3285,3294 ****
+*** 2260,2265 ****
+--- 2329,2339 ----
+ {
+ /* Authentication with empty password succeeded. */
+ debug("Login for user %.100s accepted without authentication.", user);
++ #ifdef ENABLE_LOG_AUTH
++ log_auth("%.100s from %.700s (%s)",
++ user, get_canonical_hostname(),
++ "empty password accepted");
++ #endif /* ENABLE_LOG_AUTH */
+ authentication_type = SSH_AUTH_PASSWORD;
+ authenticated = 1;
+ /* Success packet will be sent after loop below. */
+***************
+*** 2334,2339 ****
+--- 2408,2418 ----
+ /* Client has successfully authenticated to us. */
+ log_msg("Kerberos authentication accepted %.100s for login to account %.100s from %.200s",
+ tkt_user, user, get_canonical_hostname());
++ #ifdef ENABLE_LOG_AUTH
++ log_auth("%.100s from %.700s (%s)",
++ user, get_canonical_hostname(),
++ "kerberos authentication accepted");
++ #endif /* ENABLE_LOG_AUTH */
+ authentication_type = SSH_AUTH_KERBEROS;
+ authenticated = 1;
+ break;
+***************
+*** 2382,2387 ****
+--- 2461,2471 ----
+ /* Authentication accepted. */
+ log_msg("Rhosts authentication accepted for %.100s, remote %.100s on %.700s.",
+ user, client_user, get_canonical_hostname());
++ #ifdef ENABLE_LOG_AUTH
++ log_auth("%.100s from %.100s@%.700s (%s)",
++ user, client_user, get_canonical_hostname(),
++ "rhosts authentication accepted");
++ #endif /* ENABLE_LOG_AUTH */
+ authentication_type = SSH_AUTH_RHOSTS;
+ authenticated = 1;
+ remote_user_name = client_user;
+***************
+*** 2441,2446 ****
+--- 2525,2535 ----
+ options.strict_modes))
+ {
+ /* Authentication accepted. */
++ #ifdef ENABLE_LOG_AUTH
++ log_auth("%.100s from %.100s@%.700s (%s)",
++ user, client_user, get_canonical_hostname(),
++ "rhosts with RSA host authentication accepted");
++ #endif /* ENABLE_LOG_AUTH */
+ authentication_type = SSH_AUTH_RHOSTS_RSA;
+ authenticated = 1;
+ remote_user_name = client_user;
+***************
+*** 2474,2479 ****
+--- 2563,2573 ----
+ /* Successful authentication. */
+ mpz_clear(&n);
+ log_msg("RSA authentication for %.100s accepted.", user);
++ #ifdef ENABLE_LOG_AUTH
++ log_auth("%.100s from %.700s (%s)",
++ user, get_canonical_hostname(),
++ "RSA user authentication accepted");
++ #endif /* ENABLE_LOG_AUTH */
+ authentication_type = SSH_AUTH_RSA;
+ authenticated = 1;
+ break;
+***************
+*** 2608,2613 ****
+--- 2702,2712 ----
+ auth_close();
+ memset(password, 0, strlen(password));
+ xfree(password);
++ #ifdef ENABLE_LOG_AUTH
++ log_auth("%.100s from @%.700s (%s)",
++ user, get_canonical_hostname(),
++ "TIS authentication accepted");
++ #endif /* ENABLE_LOG_AUTH */
+ authentication_type = SSH_AUTH_TIS;
+ authenticated = 1;
+ break;
+***************
+*** 2668,2673 ****
+--- 2767,2777 ----
+ memset(password, 0, strlen(password));
+ xfree(password);
+ log_msg("Password authentication for %.100s accepted.", user);
++ #ifdef ENABLE_LOG_AUTH
++ log_auth("%.100s from %.700s (%s)",
++ user, get_canonical_hostname(),
++ "password authentication accepted");
++ #endif /* ENABLE_LOG_AUTH */
+ authentication_type = SSH_AUTH_PASSWORD;
+ authenticated = 1;
+ break;
+***************
+*** 2708,2713 ****
+--- 2812,2822 ----
+ }
+
+ /* Check if the user is logging in as root and root logins are disallowed. */
++ #ifdef ENABLE_LOG_AUTH
++ if ((pw->pw_uid == UID_ROOT && options.permit_root_login == 1) ||
++ (pw->pw_uid == UID_ROOT && options.permit_root_login == 0 && !forced_command))
++ log_auth("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname());
++ #endif /* ENABLE_LOG_AUTH */
+ if (pw->pw_uid == UID_ROOT && options.permit_root_login == 1)
+ {
+ if (authentication_type == SSH_AUTH_PASSWORD)
+***************
+*** 2775,2780 ****
+--- 2884,2892 ----
+ packet_start(SSH_SMSG_SUCCESS);
+ packet_send();
+ packet_write_wait();
++ #ifdef ENABLE_LOG_AUTH
++ unauthenticated_user = NULL;
++ #endif /* ENABLE_LOG_AUTH */
+
+ /* Perform session preparation. */
+ do_authenticated(pw);
+***************
+*** 3280,3294 ****
+ char line[256];
+ struct stat st;
+ int quiet_login;
+! struct sockaddr_in from;
+ int fromlen;
struct pty_cleanup_context cleanup_context;
#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
login_cap_t *lc;
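Review bot: The TIS success record `log_auth("%.100s from @%.700s (%s)", ...)` carries a stray `@` before the hostname that the RSA, password and Kerberos records added in this hunk do not, so the new auth log has two spellings for the same user-from-host event; `"%.100s from %.700s (%s)"` would match the others. The `ROOT LOGIN REFUSED` line is emitted from a condition that duplicates the `pw->pw_uid == UID_ROOT && options.permit_root_login` predicate of the refusal code that follows, and that code continues outside the hunk, so the two can drift apart silently. Calling `log_auth()` from inside the refusal branches themselves would keep the log tied to the decision actually taken.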
@@ -29,7 +575,12 @@
/* We no longer need the child running on user's privileges. */
userfile_uninit();
---- 3285,3295 ----
+--- 3392,3407 ----
+ char line[256];
+ struct stat st;
+ int quiet_login;
+! struct sockaddr_storage from;
+ int fromlen;
struct pty_cleanup_context cleanup_context;
#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
login_cap_t *lc;
@@ -42,8 +593,25 @@
/* We no longer need the child running on user's privileges. */
userfile_uninit();
***************
+*** 3387,3393 ****
+
+ /* Record that there was a login on that terminal. */
+ record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname,
+! &from);
+
+ #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
+ lc = login_getclass(pw->pw_class);
+--- 3500,3506 ----
+
+ /* Record that there was a login on that terminal. */
+ record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname,
+! (struct sockaddr *)&from);
+
+ #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
+ lc = login_getclass(pw->pw_class);
+***************
*** 3446,3451 ****
---- 3447,3460 ----
+--- 3559,3572 ----
"The Regents of the University of California. ",
"All rights reserved.");
}
@@ -67,7 +635,7 @@
if (pw->pw_change || pw->pw_expire)
(void)gettimeofday(&tp, (struct timezone *)NULL);
if (pw->pw_change)
---- 3478,3484 ----
+--- 3590,3596 ----
fputs(line, stdout);
fclose(f);
}
@@ -76,6 +644,16 @@
(void)gettimeofday(&tp, (struct timezone *)NULL);
if (pw->pw_change)
***************
+*** 3876,3881 ****
+--- 3997,4003 ----
+ char *user_shell;
+ char *remote_ip;
+ int remote_port;
++ int local_port;
+ #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
+ login_cap_t *lc;
+ char *real_shell;
+***************
*** 3922,3928 ****
while (fgets(buf, sizeof(buf), f))
fputs(buf, stderr);
@@ -84,7 +662,7 @@
if (pw->pw_uid != UID_ROOT &&
!login_getcapbool(lc, "ignorenologin", 0))
exit(254);
---- 3931,3937 ----
+--- 4044,4050 ----
while (fgets(buf, sizeof(buf), f))
fputs(buf, stderr);
fclose(f);
@@ -93,8 +671,131 @@
!login_getcapbool(lc, "ignorenologin", 0))
exit(254);
***************
+*** 3981,3986 ****
+--- 4103,4109 ----
+ user_shell = xstrdup(pw->pw_shell);
+ remote_ip = xstrdup(get_remote_ipaddr());
+ remote_port = get_remote_port();
++ local_port = get_local_port();
+
+ /* Close the connection descriptors; note that this is the child, and the
+ server will still have the socket open, and it is important that we
+***************
+*** 4000,4006 ****
+ /* Close any extra file descriptors. Note that there may still be
+ descriptors left by system functions. They will be closed later. */
+ endpwent();
+- endhostent();
+
+ /* Set dummy encryption key to clear information about the key from
+ memory. This key will never be used. */
+--- 4123,4128 ----
+***************
+*** 4257,4263 ****
+
+ /* Set SSH_CLIENT. */
+ snprintf(buf, sizeof(buf),
+! "%.50s %d %d", remote_ip, remote_port, options.port);
+ child_set_env(&env, &envsize, "SSH_CLIENT", buf);
+
+ /* Set SSH_TTY if we have a pty. */
+--- 4379,4385 ----
+
+ /* Set SSH_CLIENT. */
+ snprintf(buf, sizeof(buf),
+! "%.50s %d %d", remote_ip, remote_port, local_port);
+ child_set_env(&env, &envsize, "SSH_CLIENT", buf);
+
+ /* Set SSH_TTY if we have a pty. */
+***************
+*** 4426,4432 ****
+ int i;
+ char name[255], *p;
+ char line[256];
+! struct hostent *hp;
+
+ strncpy(name, display, sizeof(name));
+ name[sizeof(name) - 1] = '\0';
+--- 4548,4555 ----
+ int i;
+ char name[255], *p;
+ char line[256];
+! struct addrinfo hints, *ai, *aitop;
+! char ntop[ADDRSTRLEN];
+
+ strncpy(name, display, sizeof(name));
+ name[sizeof(name) - 1] = '\0';
+***************
+*** 4443,4449 ****
+ /* Moved this call here to avoid a nasty buf in SunOS
+ 4.1.4 libc where gethostbyname closes an unrelated
+ file descriptor. */
+! hp = gethostbyname(name);
+
+ snprintf(line, sizeof(line),
+ "%.200s -q -", options.xauth_path);
+--- 4566,4575 ----
+ /* Moved this call here to avoid a nasty buf in SunOS
+ 4.1.4 libc where gethostbyname closes an unrelated
+ file descriptor. */
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_family = IPv4or6;
+! if (getaddrinfo(name, NULL, &hints, &aitop) != 0)
+! aitop = 0;
+
+ snprintf(line, sizeof(line),
+ "%.200s -q -", options.xauth_path);
+***************
+*** 4461,4481 ****
+ cp - display, display, cp, auth_proto,
+ auth_data);
+ #endif
+! if (hp)
+ {
+! for(i = 0; hp->h_addr_list[i]; i++)
+ {
+ if (debug_flag)
+ {
+ fprintf(stderr, "Running %s add %s%s %s %s\n",
+ options.xauth_path,
+! inet_ntoa(*((struct in_addr *)
+! hp->h_addr_list[i])),
+ cp, auth_proto, auth_data);
+ }
+ fprintf(f, "add %s%s %s %s\n",
+! inet_ntoa(*((struct in_addr *)
+! hp->h_addr_list[i])),
+ cp, auth_proto, auth_data);
+ }
+ }
+--- 4587,4610 ----
+ cp - display, display, cp, auth_proto,
+ auth_data);
+ #endif
+! if (aitop)
+ {
+! for (ai = aitop; ai; ai = ai->ai_next)
+ {
++ getnameinfo(ai->ai_addr, ai->ai_addrlen,
++ ntop, sizeof(ntop), NULL, 0,
++ NI_NUMERICHOST);
++ if (strchr(ntop, ':'))
++ continue; /* XXX - xauth doesn't accept it */
+ if (debug_flag)
+ {
+ fprintf(stderr, "Running %s add %s%s %s %s\n",
+ options.xauth_path,
+! ntop,
+ cp, auth_proto, auth_data);
+ }
+ fprintf(f, "add %s%s %s %s\n",
+! ntop,
+ cp, auth_proto, auth_data);
+ }
+ }
+***************
*** 4525,4531 ****
---- 4534,4544 ----
+--- 4654,4664 ----
struct stat mailbuf;
if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0)
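Review bot: In the xauth address loop the return value of `getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST)` is ignored, so on failure `strchr(ntop, ':')` reads an uninitialized buffer and its contents are written into the `add` line handed to xauth; `if (getnameinfo(...) != 0) continue;` would skip such entries. The list returned by `getaddrinfo()` into `aitop` drives the loop, but no `freeaddrinfo(aitop)` appears in this hunk; if it is not released after the loop (the function continues outside the hunk), every X11 session setup leaks it. Dropping IPv6 addresses with `continue; /* XXX - xauth doesn't accept it */` leaves an IPv6-only display with no xauth entry and no trace of why; a `debug()` line beside the `continue` would make that visible to an operator.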
diff --git a/security/ssh/files/patch-ag b/security/ssh/files/patch-ag
index 80e3c3d..71f3b7e 100644
--- a/security/ssh/files/patch-ag
+++ b/security/ssh/files/patch-ag
@@ -1,33 +1,54 @@
---- auth-kerberos.c.orig Sun Jun 6 02:01:32 1999
-+++ auth-kerberos.c Sun Jun 6 02:01:33 1999
-@@ -120,10 +120,18 @@
-
- debug("Kerberos invalid service name (%.100s).", server);
- packet_send_debug("Kerberos invalid service name (%.100s).", server);
-+#ifdef krb5_xfree
- krb5_xfree(server);
-+#else
-+ free(server);
-+#endif
- return 0;
- }
-+#ifdef krb5_xfree
- krb5_xfree(server);
-+#else
-+ free(server);
-+#endif
-
- /* Extract the users name from the ticket client principal */
- problem = krb5_copy_principal(ssh_context, ticket->enc_part2->client,
-@@ -159,7 +167,11 @@
- packet_put_string((char *) reply.data, reply.length);
- packet_send();
- packet_write_wait();
-+#ifdef krb5_xfree
- krb5_xfree(reply.data);
-+#else
-+ krb5_free_data_contents(ssh_context, &reply);
-+#endif
- return 1;
- }
- #endif /* KRB5 */
+*** auth-kerberos.c.orig Tue Jan 11 20:33:46 2000
+--- auth-kerberos.c Tue Jan 11 20:33:38 2000
+***************
+*** 120,129 ****
+--- 120,137 ----
+
+ debug("Kerberos invalid service name (%.100s).", server);
+ packet_send_debug("Kerberos invalid service name (%.100s).", server);
++ #ifdef krb5_xfree
+ krb5_xfree(server);
++ #else
++ free(server);
++ #endif
+ return 0;
+ }
++ #ifdef krb5_xfree
+ krb5_xfree(server);
++ #else
++ free(server);
++ #endif
+
+ /* Extract the users name from the ticket client principal */
+ problem = krb5_copy_principal(ssh_context, ticket->enc_part2->client,
+***************
+*** 159,165 ****
+--- 167,177 ----
+ packet_put_string((char *) reply.data, reply.length);
+ packet_send();
+ packet_write_wait();
++ #ifdef krb5_xfree
+ krb5_xfree(reply.data);
++ #else
++ krb5_free_data_contents(ssh_context, &reply);
++ #endif
+ return 1;
+ }
+ #endif /* KRB5 */
+***************
+*** 177,183 ****
+ extern char *ticket;
+ static krb5_principal rcache_server = 0;
+ static krb5_rcache rcache;
+! struct sockaddr_in local, foreign;
+ krb5_address *local_addr, *remote_addr;
+ int s;
+
+--- 189,195 ----
+ extern char *ticket;
+ static krb5_principal rcache_server = 0;
+ static krb5_rcache rcache;
+! struct sockaddr_storage local, foreign;
+ krb5_address *local_addr, *remote_addr;
+ int s;
+
diff --git a/security/ssh/files/patch-al b/security/ssh/files/patch-al
index 839d1fe..1bfbbb5 100644
--- a/security/ssh/files/patch-al
+++ b/security/ssh/files/patch-al
@@ -1,27 +1,404 @@
-*** sshconnect.c.orig Wed May 12 20:19:29 1999
---- sshconnect.c Sun Jun 6 02:39:02 1999
+*** sshconnect.c.orig Wed May 12 13:19:29 1999
+--- sshconnect.c Wed Jan 12 00:34:55 2000
***************
-*** 347,352 ****
---- 347,358 ----
+*** 337,343 ****
+
+ /* Creates a (possibly privileged) socket for use as the ssh connection. */
+
+! int ssh_create_socket(uid_t original_real_uid, int privileged)
+ {
+ int sock;
+
+--- 337,343 ----
+
+ /* Creates a (possibly privileged) socket for use as the ssh connection. */
+
+! int ssh_create_socket(uid_t original_real_uid, int privileged, int family)
+ {
+ int sock;
+
+***************
+*** 345,385 ****
+ bind our own socket to a privileged port. */
+ if (privileged)
{
- struct sockaddr_in sin;
+! struct sockaddr_in sin;
int p;
-+ #if (defined(__OpenBSD__) || defined(__FreeBSD__)) && !defined(SOCKS)
-+ p = 1023; /* Compat with old FreeBSD */
-+ sock = rresvport(&p);
-+ if (sock < 0)
-+ fatal("rresvport: %.100s", strerror(errno));
-+ #else
for (p = 1023; p > 512; p--)
{
- sock = socket(AF_INET, SOCK_STREAM, 0);
-***************
-*** 374,379 ****
---- 380,386 ----
+! sock = socket(AF_INET, SOCK_STREAM, 0);
+ if (sock < 0)
+ fatal("socket: %.100s", strerror(errno));
+
+! /* Initialize the desired sockaddr_in structure. */
+! memset(&sin, 0, sizeof(sin));
+! sin.sin_family = AF_INET;
+! sin.sin_addr.s_addr = INADDR_ANY;
+! sin.sin_port = htons(p);
+
+ /* Try to bind the socket to the privileged port. */
+ #if defined(SOCKS)
+! if (Rbind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
+ break; /* Success. */
+ #else /* SOCKS */
+! if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
+ break; /* Success. */
+ #endif /* SOCKS */
+ if (errno == EADDRINUSE)
+ {
+ close(sock);
+ continue;
+ }
+ fatal("bind: %.100s", strerror(errno));
+ }
+ debug("Allocated local port %d.", p);
+ }
+ else
+ {
+ /* Just create an ordinary socket on arbitrary port. */
+! sock = socket(AF_INET, SOCK_STREAM, 0);
+ if (sock < 0)
+ fatal("socket: %.100s", strerror(errno));
+ }
+--- 345,392 ----
+ bind our own socket to a privileged port. */
+ if (privileged)
+ {
+! struct addrinfo hints, *ai = NULL;
+! int errgai;
+! char strport[PORTSTRLEN];
+ int p;
+ for (p = 1023; p > 512; p--)
+ {
+! sock = socket(family, SOCK_STREAM, 0);
+ if (sock < 0)
+ fatal("socket: %.100s", strerror(errno));
+
+! /* Initialize the desired addrinfo structure. */
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_family = family;
+! hints.ai_flags = AI_PASSIVE;
+! hints.ai_socktype = SOCK_STREAM;
+! sprintf(strport, "%d", p);
+! if ((errgai = getaddrinfo(NULL, strport, &hints, &ai)) != 0)
+! fatal("getaddrinfo: %.100s", gai_strerror(errgai));
+
+ /* Try to bind the socket to the privileged port. */
+ #if defined(SOCKS)
+! if (Rbind(sock, ai->ai_addr, ai->ai_addrlen) >= 0)
+ break; /* Success. */
+ #else /* SOCKS */
+! if (bind(sock, ai->ai_addr, ai->ai_addrlen) >= 0)
+ break; /* Success. */
+ #endif /* SOCKS */
+ if (errno == EADDRINUSE)
+ {
+ close(sock);
++ freeaddrinfo(ai);
+ continue;
}
fatal("bind: %.100s", strerror(errno));
}
-+ #endif
debug("Allocated local port %d.", p);
++ freeaddrinfo(ai);
}
else
+ {
+ /* Just create an ordinary socket on arbitrary port. */
+! sock = socket(family, SOCK_STREAM, 0);
+ if (sock < 0)
+ fatal("socket: %.100s", strerror(errno));
+ }
+***************
+*** 396,409 ****
+ the daemon. */
+
+ int ssh_connect(const char *host, int port, int connection_attempts,
+ int anonymous, uid_t original_real_uid,
+ const char *proxy_command, RandomState *random_state)
+ {
+ int sock = -1, attempt, i;
+ int on = 1;
+ struct servent *sp;
+! struct hostent *hp;
+! struct sockaddr_in hostaddr;
+ #if defined(SO_LINGER) && defined(ENABLE_SO_LINGER)
+ struct linger linger;
+ #endif /* SO_LINGER */
+--- 403,421 ----
+ the daemon. */
+
+ int ssh_connect(const char *host, int port, int connection_attempts,
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ int another_port,
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ int anonymous, uid_t original_real_uid,
+ const char *proxy_command, RandomState *random_state)
+ {
+ int sock = -1, attempt, i;
+ int on = 1;
+ struct servent *sp;
+! struct addrinfo hints, *ai, *aitop, *aitmp;
+! struct sockaddr_storage hostaddr;
+! char ntop[ADDRSTRLEN], strport[PORTSTRLEN];
+! int gaierr;
+ #if defined(SO_LINGER) && defined(ENABLE_SO_LINGER)
+ struct linger linger;
+ #endif /* SO_LINGER */
+***************
+*** 421,430 ****
+ port = SSH_DEFAULT_PORT;
+ }
+
+- /* Map localhost to ip-address locally */
+- if (strcmp(host, "localhost") == 0)
+- host = "127.0.0.1";
+-
+ /* If a proxy command is given, connect using it. */
+ if (proxy_command != NULL && *proxy_command)
+ return ssh_proxy_connect(host, port, original_real_uid, proxy_command,
+--- 433,438 ----
+***************
+*** 432,440 ****
+
+ /* No proxy command. */
+
+! /* No host lookup made yet. */
+! hp = NULL;
+!
+ /* Try to connect several times. On some machines, the first time will
+ sometimes fail. In general socket code appears to behave quite
+ magically on many machines. */
+--- 440,467 ----
+
+ /* No proxy command. */
+
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_family = IPv4or6;
+! hints.ai_socktype = SOCK_STREAM;
+! sprintf(strport, "%d", port);
+! if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
+! fatal("Bad host name: %.100s (%s)", host, gai_strerror(gaierr));
+!
+! #ifdef ENABLE_ANOTHER_PORT_TRY
+! if (another_port)
+! {
+! aitmp = aitop;
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_family = IPv4or6;
+! hints.ai_socktype = SOCK_STREAM;
+! sprintf(strport, "%d", another_port);
+! if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
+! fatal("Bad host name: %.100s (%s)", host, gai_strerror(gaierr));
+! for (ai = aitop; ai->ai_next; ai = ai->ai_next);
+! ai->ai_next = aitmp;
+! }
+! #endif /* ENABLE_ANOTHER_PORT_TRY */
+!
+ /* Try to connect several times. On some machines, the first time will
+ sometimes fail. In general socket code appears to behave quite
+ magically on many machines. */
+***************
+*** 443,545 ****
+ if (attempt > 0)
+ debug("Trying again...");
+
+- /* Try to parse the host name as a numeric inet address. */
+- memset(&hostaddr, 0, sizeof(hostaddr));
+- hostaddr.sin_family = AF_INET;
+- hostaddr.sin_port = htons(port);
+- #ifdef BROKEN_INET_ADDR
+- hostaddr.sin_addr.s_addr = inet_network(host);
+- #else /* BROKEN_INET_ADDR */
+- hostaddr.sin_addr.s_addr = inet_addr(host);
+- #endif /* BROKEN_INET_ADDR */
+- if ((hostaddr.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
+- {
+- /* Create a socket. */
+- sock = ssh_create_socket(original_real_uid,
+- !anonymous && geteuid() == UID_ROOT);
+-
+- /* Valid numeric IP address */
+- debug("Connecting to %.100s port %d.",
+- inet_ntoa(hostaddr.sin_addr), port);
+-
+- /* Connect to the host. */
+- #if defined(SOCKS)
+- if (Rconnect(sock, (struct sockaddr *)&hostaddr, sizeof(hostaddr))
+- #else /* SOCKS */
+- if (connect(sock, (struct sockaddr *)&hostaddr, sizeof(hostaddr))
+- #endif /* SOCKS */
+- >= 0)
+- {
+- /* Successful connect. */
+- break;
+- }
+- debug("connect: %.100s", strerror(errno));
+-
+- /* Destroy the failed socket. */
+- shutdown(sock, 2);
+- close(sock);
+- }
+- else
+- {
+- /* Not a valid numeric inet address. */
+- /* Map host name to an address. */
+- if (!hp)
+- {
+- struct hostent *hp_static;
+-
+- #if defined(SOCKS5)
+- hp_static = Rgethostbyname(host);
+- #else
+- hp_static = gethostbyname(host);
+- #endif
+- if (hp_static)
+- {
+- hp = xmalloc(sizeof(struct hostent));
+- memcpy(hp, hp_static, sizeof(struct hostent));
+-
+- /* Copy list of addresses, not just pointers.
+- We don't use h_name & h_aliases so leave them as is */
+- for (i = 0; hp_static->h_addr_list[i]; i++)
+- ; /* count them */
+- hp->h_addr_list = xmalloc((i + 1) *
+- sizeof(hp_static->h_addr_list[0]));
+- for (i = 0; hp_static->h_addr_list[i]; i++)
+- {
+- hp->h_addr_list[i] = xmalloc(hp->h_length);
+- memcpy(hp->h_addr_list[i], hp_static->h_addr_list[i],
+- hp->h_length);
+- }
+- hp->h_addr_list[i] = NULL; /* last one */
+- }
+- }
+- if (!hp)
+- fatal("Bad host name: %.100s", host);
+- if (!hp->h_addr_list[0])
+- fatal("Host does not have an IP address: %.100s", host);
+-
+ /* Loop through addresses for this host, and try each one in
+ sequence until the connection succeeds. */
+! for (i = 0; hp->h_addr_list[i]; i++)
+ {
+! /* Set the address to connect to. */
+! hostaddr.sin_family = hp->h_addrtype;
+! memcpy(&hostaddr.sin_addr, hp->h_addr_list[i],
+! sizeof(hostaddr.sin_addr));
+
+! debug("Connecting to %.200s [%.100s] port %d.",
+! host, inet_ntoa(hostaddr.sin_addr), port);
+
+ /* Create a socket for connecting. */
+ sock = ssh_create_socket(original_real_uid,
+! !anonymous && geteuid() == UID_ROOT);
+
+ /* Connect to the host. */
+ #if defined(SOCKS)
+! if (Rconnect(sock, (struct sockaddr *)&hostaddr,
+! sizeof(hostaddr)) >= 0)
+ #else /* SOCKS */
+! if (connect(sock, (struct sockaddr *)&hostaddr,
+! sizeof(hostaddr)) >= 0)
+ #endif /* SOCKS */
+ {
+ /* Successful connection. */
+--- 470,496 ----
+ if (attempt > 0)
+ debug("Trying again...");
+
+ /* Loop through addresses for this host, and try each one in
+ sequence until the connection succeeds. */
+! for (ai = aitop; ai; ai = ai->ai_next)
+ {
+! getnameinfo(ai->ai_addr, ai->ai_addrlen,
+! ntop, sizeof(ntop), strport, sizeof(strport),
+! NI_NUMERICHOST|NI_NUMERICSERV);
+
+! debug("Connecting to %.200s [%.100s] port %s.",
+! host, ntop, strport);
+
+ /* Create a socket for connecting. */
+ sock = ssh_create_socket(original_real_uid,
+! !anonymous && geteuid() == UID_ROOT,
+! ai->ai_family);
+
+ /* Connect to the host. */
+ #if defined(SOCKS)
+! if (Rconnect(sock, ai->ai_addr, ai->ai_addrlen) >= 0)
+ #else /* SOCKS */
+! if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0)
+ #endif /* SOCKS */
+ {
+ /* Successful connection. */
+***************
+*** 552,573 ****
+ returned an error. */
+ shutdown(sock, 2);
+ close(sock);
+! }
+! if (hp->h_addr_list[i])
+ break; /* Successful connection. */
+- }
+
+ /* Sleep a moment before retrying. */
+ sleep(1);
+ }
+
+! if (hp)
+! {
+! for (i = 0; hp->h_addr_list[i]; i++)
+! xfree(hp->h_addr_list[i]);
+! xfree(hp->h_addr_list);
+! xfree(hp);
+! }
+
+ /* Return failure if we didn't get a successful connection. */
+ if (attempt >= connection_attempts)
+--- 503,517 ----
+ returned an error. */
+ shutdown(sock, 2);
+ close(sock);
+! } /* for (ai = aitop; ai; ai = ai->ai_next) */
+! if (ai)
+ break; /* Successful connection. */
+
+ /* Sleep a moment before retrying. */
+ sleep(1);
+ }
+
+! freeaddrinfo(aitop);
+
+ /* Return failure if we didn't get a successful connection. */
+ if (attempt >= connection_attempts)
+***************
+*** 578,586 ****
+--- 522,532 ----
+ /* Set socket options. We would like the socket to disappear as soon as
+ it has been closed for whatever reason. */
+ /* setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */
++ #if 0 /* XXX */
+ #if defined(TCP_NODELAY) && defined(ENABLE_TCP_NODELAY)
+ setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void *)&on, sizeof(on));
+ #endif /* TCP_NODELAY */
++ #endif /* 0 */
+ #if defined(SO_LINGER) && defined(ENABLE_SO_LINGER)
+ linger.l_onoff = 1;
+ linger.l_linger = 15;
+***************
+*** 946,952 ****
+ int ap_opts, ret_stat = 0;
+ krb5_keyblock *session_key = 0;
+ krb5_ap_rep_enc_part *repl = 0;
+! struct sockaddr_in local, foreign;
+
+ memset(&auth, 0 , sizeof(auth));
+ remotehost = (char *) get_canonical_hostname();
+--- 892,898 ----
+ int ap_opts, ret_stat = 0;
+ krb5_keyblock *session_key = 0;
+ krb5_ap_rep_enc_part *repl = 0;
+! struct sockaddr_storage local, foreign;
+
+ memset(&auth, 0 , sizeof(auth));
+ remotehost = (char *) get_canonical_hostname();
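Review bot: In the new ssh_connect() address loop the return value of getnameinfo() is discarded, so when it fails `ntop` and `strport` are handed to debug() uninitialized; check it and fall back to a placeholder, e.g. `if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { strcpy(ntop, "?"); strcpy(strport, "?"); }`. The three `sprintf(strport, "%d", ...)` calls write a caller-controlled port (-p / config) into a buffer whose PORTSTRLEN is not visible here; `snprintf(strport, sizeof(strport), "%d", port)` costs nothing and removes the dependency on that constant. The `#if 0 /* XXX */` around the TCP_NODELAY setsockopt silently ignores ENABLE_TCP_NODELAY for every build, which is unrelated to IPv6 and deserves either a comment stating why or removal before the patch is committed. The ENABLE_ANOTHER_PORT_TRY branch splices two getaddrinfo() lists and frees them with one freeaddrinfo(aitop); that is legal since freeaddrinfo() walks ai_next, but a one-line comment saying so would stop the next reader from "fixing" it into a double free. The remainder of ssh_connect() and ssh_create_socket() lies between the context hunks and is not shown.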
diff --git a/security/ssh/files/patch-ao b/security/ssh/files/patch-ao
index 223dd44..0c5f76b 100644
--- a/security/ssh/files/patch-ao
+++ b/security/ssh/files/patch-ao
@@ -1,35 +1,583 @@
---- newchannels.c.orig Wed May 12 12:19:27 1999
-+++ newchannels.c Fri Jun 18 12:10:26 1999
-@@ -282,6 +282,11 @@
- #endif /* NEED_SYS_SYSLOG_H */
- #endif /* LIBWRAP */
-
-+#ifdef __FreeBSD__
-+#include <utmp.h>
-+#include <osreldate.h>
-+#endif
-+
- /* Directory in which the fake unix-domain X11 displays reside. */
- #ifndef X11_DIR
- #define X11_DIR "/tmp/.X11-unix"
-@@ -1891,6 +1896,9 @@
- fatal("gethostname: %.100s", strerror(errno));
- snprintf(buf, sizeof(buf),
- "%.400s:%d.%d", hostname, display_number, screen_number);
-+#if __FreeBSD_version >= 320000
-+ trimdomain(buf, UT_HOSTSIZE);
-+#endif
- #else /* HAVE_GETHOSTNAME */
- if (uname(&uts) < 0)
- fatal("uname: %.100s", strerror(errno));
-@@ -2412,6 +2420,10 @@
- ssh-agent connections on your system */
- old_umask = umask(S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
-
-+ /* Make sure the socket doesn't already exist, left over from a system
-+ crash perhaps. */
-+ unlink(channel_forwarded_auth_socket_name);
-+
- if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < 0)
- packet_disconnect("Agent socket bind failed: %.100s", strerror(errno));
-
+*** newchannels.c.orig Tue Jan 11 20:38:09 2000
+--- newchannels.c Tue Jan 11 20:38:02 2000
+***************
+*** 282,287 ****
+--- 282,292 ----
+ #endif /* NEED_SYS_SYSLOG_H */
+ #endif /* LIBWRAP */
+
++ #ifdef __FreeBSD__
++ #include <utmp.h>
++ #include <osreldate.h>
++ #endif
++
+ /* Directory in which the fake unix-domain X11 displays reside. */
+ #ifndef X11_DIR
+ #define X11_DIR "/tmp/.X11-unix"
+***************
+*** 1405,1417 ****
+ int host_port, int gatewayports)
+ {
+ int ch, sock;
+! struct sockaddr_in sin;
+
+ if (strlen(host) > sizeof(channels[0].path) - 1)
+ packet_disconnect("Forward host name too long.");
+
+ /* Create a port to listen for the host. */
+! sock = socket(AF_INET, SOCK_STREAM, 0);
+ if (sock < 0)
+ packet_disconnect("socket: %.100s", strerror(errno));
+
+--- 1410,1438 ----
+ int host_port, int gatewayports)
+ {
+ int ch, sock;
+! struct addrinfo hints, *ai, *aitop;
+! char ntop[ADDRSTRLEN], strport[PORTSTRLEN];
+
+ if (strlen(host) > sizeof(channels[0].path) - 1)
+ packet_disconnect("Forward host name too long.");
+
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = IPv4or6;
++ hints.ai_flags = gatewayports ? AI_PASSIVE : 0;
++ hints.ai_socktype = SOCK_STREAM;
++ sprintf(strport, "%d", port);
++ if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
++ packet_disconnect("getaddrinfo: fatal error");
++
++ for (ai = aitop; ai; ai = ai->ai_next)
++ {
++
++ getnameinfo(ai->ai_addr, ai->ai_addrlen,
++ ntop, sizeof(ntop), strport, sizeof(strport),
++ NI_NUMERICHOST|NI_NUMERICSERV);
++
+ /* Create a port to listen for the host. */
+! sock = socket(ai->ai_family, SOCK_STREAM, 0);
+ if (sock < 0)
+ packet_disconnect("socket: %.100s", strerror(errno));
+
+***************
+*** 1421,1441 ****
+ (void)fcntl(sock, F_SETFL, O_NDELAY);
+ #endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */
+
+! /* Initialize socket address. */
+! memset(&sin, 0, sizeof(sin));
+! sin.sin_family = AF_INET;
+! if (gatewayports)
+! sin.sin_addr.s_addr = INADDR_ANY;
+! else
+! #ifdef BROKEN_INET_ADDR
+! sin.sin_addr.s_addr = inet_network("127.0.0.1");
+! #else /* BROKEN_INET_ADDR */
+! sin.sin_addr.s_addr = inet_addr("127.0.0.1");
+! #endif /* BROKEN_INET_ADDR */
+! sin.sin_port = htons(port);
+!
+ /* Bind the socket to the address. */
+! if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
+ packet_disconnect("bind: %.100s", strerror(errno));
+
+ /* Start listening for connections on the socket. */
+--- 1442,1451 ----
+ (void)fcntl(sock, F_SETFL, O_NDELAY);
+ #endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */
+
+! debug("Listening on %s port %s.", ntop, strport);
+!
+ /* Bind the socket to the address. */
+! if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0)
+ packet_disconnect("bind: %.100s", strerror(errno));
+
+ /* Start listening for connections on the socket. */
+***************
+*** 1448,1453 ****
+--- 1458,1466 ----
+ strcpy(channels[ch].path, host); /* note: host name stored here */
+ channels[ch].host_port = host_port; /* port on host to connect to */
+ channels[ch].listening_port = port; /* port being listened */
++
++ } /* for (ai = aitop; ai; ai = ai->ai_next) */
++ freeaddrinfo(aitop);
+ }
+
+ /* Initiate forwarding of connections to port "port" on remote host through
+***************
+*** 1636,1644 ****
+ void channel_input_port_open(void)
+ {
+ int remote_channel, sock, newch, host_port, i;
+- struct sockaddr_in sin;
+ char *host, *originator_string;
+! struct hostent *hp;
+
+ /* Get remote channel number. */
+ remote_channel = packet_get_int();
+--- 1649,1658 ----
+ void channel_input_port_open(void)
+ {
+ int remote_channel, sock, newch, host_port, i;
+ char *host, *originator_string;
+! struct addrinfo hints, *ai, *aitop;
+! char ntop[ADDRSTRLEN], strport[PORTSTRLEN];
+! int gaierr;
+
+ /* Get remote channel number. */
+ remote_channel = packet_get_int();
+***************
+*** 1678,1713 ****
+ }
+ }
+
+! memset(&sin, 0, sizeof(sin));
+! #ifdef BROKEN_INET_ADDR
+! sin.sin_addr.s_addr = inet_network(host);
+! #else /* BROKEN_INET_ADDR */
+! sin.sin_addr.s_addr = inet_addr(host);
+! #endif /* BROKEN_INET_ADDR */
+! if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
+! {
+! /* It was a valid numeric host address. */
+! sin.sin_family = AF_INET;
+! }
+! else
+ {
+! /* Look up the host address from the name servers. */
+! hp = gethostbyname(host);
+! if (!hp)
+! {
+! error("%.100s: unknown host.", host);
+! goto fail;
+! }
+! if (!hp->h_addr_list[0])
+! {
+! error("%.100s: host has no IP address.", host);
+! goto fail;
+! }
+! sin.sin_family = hp->h_addrtype;
+! memcpy(&sin.sin_addr, hp->h_addr_list[0],
+! sizeof(sin.sin_addr));
+ }
+- sin.sin_port = htons(host_port);
+
+ #ifdef F_SECURE_COMMERCIAL
+
+--- 1692,1706 ----
+ }
+ }
+
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_family = IPv4or6;
+! hints.ai_socktype = SOCK_STREAM;
+! sprintf(strport, "%d", host_port);
+! if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
+ {
+! error("%.100s: unknown host (%s)", host, gai_strerror(gaierr));
+! goto fail;
+ }
+
+ #ifdef F_SECURE_COMMERCIAL
+
+***************
+*** 1744,1751 ****
+
+ #endif /* F_SECURE_COMMERCIAL */
+
+ /* Create the socket. */
+! sock = socket(sin.sin_family, SOCK_STREAM, 0);
+ if (sock < 0)
+ {
+ error("socket: %.100s", strerror(errno));
+--- 1737,1751 ----
+
+ #endif /* F_SECURE_COMMERCIAL */
+
++ for (ai = aitop; ai; ai = ai->ai_next)
++ {
++
++ getnameinfo(ai->ai_addr, ai->ai_addrlen,
++ ntop, sizeof(ntop), strport, sizeof(strport),
++ NI_NUMERICHOST|NI_NUMERICSERV);
++
+ /* Create the socket. */
+! sock = socket(ai->ai_family, SOCK_STREAM, 0);
+ if (sock < 0)
+ {
+ error("socket: %.100s", strerror(errno));
+***************
+*** 1753,1767 ****
+ }
+
+ /* Connect to the host/port. */
+! if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
+ {
+! error("connect %.100s:%d: %.100s", host, host_port,
+! strerror(errno));
+ close(sock);
+ goto fail;
+ }
+
+ /* Successful connection. */
+
+ #if defined(O_NONBLOCK) && !defined(O_NONBLOCK_BROKEN)
+ (void)fcntl(sock, F_SETFL, O_NONBLOCK);
+--- 1753,1777 ----
+ }
+
+ /* Connect to the host/port. */
+! if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0)
+ {
+! debug("connect %.100s port %s: %.100s", ntop, strport, strerror(errno));
+ close(sock);
++ continue; /* fail -- try next */
++ }
++ break; /* success */
++
++ } /* for (ai = aitop; ai; ai = ai->ai_next) */
++ freeaddrinfo(aitop);
++
++ if (!ai)
++ {
++ error("connect %.100s:%d: failed.", host, host_port);
+ goto fail;
+ }
+
+ /* Successful connection. */
++ debug("Connecting to %.200s [%.100s] port %s.", host, ntop, strport);
+
+ #if defined(O_NONBLOCK) && !defined(O_NONBLOCK_BROKEN)
+ (void)fcntl(sock, F_SETFL, O_NONBLOCK);
+***************
+*** 1803,1809 ****
+ {
+ extern ServerOptions options;
+ int display_number, port, sock;
+! struct sockaddr_in sin;
+ char buf[512];
+ #ifdef HAVE_GETHOSTNAME
+ char hostname[257];
+--- 1813,1822 ----
+ {
+ extern ServerOptions options;
+ int display_number, port, sock;
+! struct addrinfo hints, *ai, *aitop;
+! char strport[PORTSTRLEN];
+! #define NUM_SOCKS 10
+! int gaierr, n, nn, num_socks = 0, socks[NUM_SOCKS];
+ char buf[512];
+ #ifdef HAVE_GETHOSTNAME
+ char hostname[257];
+***************
+*** 1817,1828 ****
+ for (display_number = options.x11_display_offset; display_number < MAX_DISPLAYS; display_number++)
+ {
+ port = 6000 + display_number;
+! memset(&sin, 0, sizeof(sin));
+! sin.sin_family = AF_INET;
+! sin.sin_addr.s_addr = INADDR_ANY;
+! sin.sin_port = htons(port);
+
+! sock = socket(AF_INET, SOCK_STREAM, 0);
+ if (sock < 0)
+ {
+ error("socket: %.100s", strerror(errno));
+--- 1830,1850 ----
+ for (display_number = options.x11_display_offset; display_number < MAX_DISPLAYS; display_number++)
+ {
+ port = 6000 + display_number;
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_family = IPv4or6;
+! hints.ai_flags = AI_PASSIVE;
+! hints.ai_socktype = SOCK_STREAM;
+! sprintf(strport, "%d", port);
+! if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0)
+! {
+! error("getaddrinfo: %.100s", gai_strerror(gaierr));
+! return NULL;
+! }
+!
+! for (ai = aitop; ai; ai = ai->ai_next)
+! {
+
+! sock = socket(ai->ai_family, SOCK_STREAM, 0);
+ if (sock < 0)
+ {
+ error("socket: %.100s", strerror(errno));
+***************
+*** 1835,1847 ****
+ (void)fcntl(sock, F_SETFL, O_NDELAY);
+ #endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */
+
+! if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
+ {
+ debug("bind port %d: %.100s", port, strerror(errno));
+ shutdown(sock, 2);
+ close(sock);
+! continue;
+ }
+ break;
+ }
+ if (display_number >= MAX_DISPLAYS)
+--- 1857,1882 ----
+ (void)fcntl(sock, F_SETFL, O_NDELAY);
+ #endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */
+
+! if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0)
+ {
+ debug("bind port %d: %.100s", port, strerror(errno));
+ shutdown(sock, 2);
+ close(sock);
+! for (n = 0; n < num_socks; n++)
+! {
+! shutdown(socks[n], 2);
+! close(socks[n]);
+! }
+! num_socks = 0;
+! break;
+ }
++
++ socks[num_socks++] = sock;
++ if (num_socks == NUM_SOCKS)
++ break;
++ } /* for (ai = aitop; ai; ai = ai->ai_next) */
++
++ if (num_socks > 0)
+ break;
+ }
+ if (display_number >= MAX_DISPLAYS)
+***************
+*** 1851,1863 ****
+--- 1886,1907 ----
+ }
+
+ /* Start listening for connections on the socket. */
++ for (n = 0; n < num_socks; n++)
++ {
++ sock = socks[n];
+ if (listen(sock, 5) < 0)
+ {
+ error("listen: %.100s", strerror(errno));
+ shutdown(sock, 2);
+ close(sock);
++ for (nn = 0; nn < n; nn++)
++ {
++ shutdown(socks[nn], 2);
++ close(socks[nn]);
++ }
+ return NULL;
+ }
++ } /* for (n = 0; n < num_socks; n++) */
+
+ /* Set up a suitable value for the DISPLAY variable. */
+ #ifdef NONSTANDARD_IP_ADDRESS_X11_KLUDGE
+***************
+*** 1868,1877 ****
+ if (gethostname(hostname, sizeof(hostname)) < 0)
+ fatal("gethostname: %.100s", strerror(errno));
+ {
+! struct hostent *hp;
+! struct in_addr addr;
+! hp = gethostbyname(hostname);
+! if (hp == NULL || !hp->h_addr_list[0])
+ {
+ error("Could not get server IP address for %.200s.", hostname);
+ packet_send_debug("Could not get server IP address for %.200s.",
+--- 1912,1922 ----
+ if (gethostname(hostname, sizeof(hostname)) < 0)
+ fatal("gethostname: %.100s", strerror(errno));
+ {
+! struct addrinfo hints, *ai;
+! char ntop[ADDRSTRLEN];
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_family = IPv4or6;
+! if (getaddrinfo(hostname, NULL, &hints, &ai) != 0 || !ai)
+ {
+ error("Could not get server IP address for %.200s.", hostname);
+ packet_send_debug("Could not get server IP address for %.200s.",
+***************
+*** 1880,1888 ****
+ close(sock);
+ return NULL;
+ }
+! memcpy(&addr, hp->h_addr_list[0], sizeof(addr));
+ snprintf(buf, sizeof(buf),
+! "%.100s:%d.%d", inet_ntoa(addr), display_number,
+ screen_number);
+ }
+ #else /* NONSTANDARD_IP_ADDRESS_X11_KLUDGE */
+--- 1925,1934 ----
+ close(sock);
+ return NULL;
+ }
+! getnameinfo(ai->ai_addr, ai->ai_addrlen,
+! ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST);
+ snprintf(buf, sizeof(buf),
+! "%.100s:%d.%d", ntop, display_number,
+ screen_number);
+ }
+ #else /* NONSTANDARD_IP_ADDRESS_X11_KLUDGE */
+***************
+*** 1891,1896 ****
+--- 1937,1945 ----
+ fatal("gethostname: %.100s", strerror(errno));
+ snprintf(buf, sizeof(buf),
+ "%.400s:%d.%d", hostname, display_number, screen_number);
++ #if __FreeBSD_version >= 320000
++ trimdomain(buf, UT_HOSTSIZE);
++ #endif
+ #else /* HAVE_GETHOSTNAME */
+ if (uname(&uts) < 0)
+ fatal("uname: %.100s", strerror(errno));
+***************
+*** 1900,1907 ****
+--- 1949,1960 ----
+ #endif /* NONSTANDARD_IP_ADDRESS_X11_KLUDGE */
+
+ /* Allocate a channel for the socket. */
++ for (n = 0; n < num_socks; n++)
++ {
++ sock = socks[n];
+ (void)channel_allocate(SSH_CHANNEL_X11_LISTENER, sock,
+ xstrdup("X11 inet listener"));
++ } /* for (n = 0; n < num_socks; n++) */
+
+ /* Return a suitable value for the DISPLAY environment variable. */
+ return xstrdup(buf);
+***************
+*** 1916,1924 ****
+ int remote_channel, display_number, sock, newch;
+ const char *display;
+ struct sockaddr_un ssun;
+- struct sockaddr_in sin;
+ char buf[255], *cp, *remote_host;
+! struct hostent *hp;
+
+ /* Get remote channel number. */
+ remote_channel = packet_get_int();
+--- 1969,1978 ----
+ int remote_channel, display_number, sock, newch;
+ const char *display;
+ struct sockaddr_un ssun;
+ char buf[255], *cp, *remote_host;
+! struct addrinfo hints, *ai, *aitop;
+! char strport[PORTSTRLEN];
+! int gaierr;
+
+ /* Get remote channel number. */
+ remote_channel = packet_get_int();
+***************
+*** 2058,2110 ****
+ goto fail;
+ }
+
+! /* Try to parse the host name as a numeric IP address. */
+! memset(&sin, 0, sizeof(sin));
+! #ifdef BROKEN_INET_ADDR
+! sin.sin_addr.s_addr = inet_network(buf);
+! #else /* BROKEN_INET_ADDR */
+! sin.sin_addr.s_addr = inet_addr(buf);
+! #endif /* BROKEN_INET_ADDR */
+! if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
+ {
+! /* It was a valid numeric host address. */
+! sin.sin_family = AF_INET;
+ }
+! else
+ {
+- /* Not a numeric IP address. */
+- /* Look up the host address from the name servers. */
+- hp = gethostbyname(buf);
+- if (!hp)
+- {
+- error("%.100s: unknown host.", buf);
+- goto fail;
+- }
+- if (!hp->h_addr_list[0])
+- {
+- error("%.100s: host has no IP address.", buf);
+- goto fail;
+- }
+- sin.sin_family = hp->h_addrtype;
+- memcpy(&sin.sin_addr, hp->h_addr_list[0],
+- sizeof(sin.sin_addr));
+- }
+- /* Set port number. */
+- sin.sin_port = htons(6000 + display_number);
+
+ /* Create a socket. */
+! sock = socket(sin.sin_family, SOCK_STREAM, 0);
+ if (sock < 0)
+ {
+! error("socket: %.100s", strerror(errno));
+! goto fail;
+ }
+ /* Connect it to the display. */
+! if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
+ {
+! error("connect %.100s:%d: %.100s", buf, 6000 + display_number,
+ strerror(errno));
+ close(sock);
+ goto fail;
+ }
+
+--- 2112,2155 ----
+ goto fail;
+ }
+
+! /* Look up the host address */
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_family = IPv4or6;
+! hints.ai_socktype = SOCK_STREAM;
+! sprintf(strport, "%d", 6000 + display_number);
+! if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0)
+ {
+! error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr));
+! goto fail;
+ }
+!
+! for (ai = aitop; ai; ai = ai->ai_next)
+ {
+
+ /* Create a socket. */
+! sock = socket(ai->ai_family, SOCK_STREAM, 0);
+ if (sock < 0)
+ {
+! debug("socket: %.100s", strerror(errno));
+! continue;
+ }
+ /* Connect it to the display. */
+! if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0)
+ {
+! debug("connect %.100s:%d: %.100s", buf, 6000 + display_number,
+ strerror(errno));
+ close(sock);
++ continue;
++ }
++ /* Success */
++ break;
++
++ } /* (ai = aitop, ai; ai = ai->ai_next) */
++ freeaddrinfo(aitop);
++ if (!ai)
++ {
++ error("connect %.100s:%d: %.100s", buf, 6000 + display_number,
++ strerror(errno));
+ goto fail;
+ }
+
+***************
+*** 2412,2417 ****
+--- 2457,2466 ----
+ ssh-agent connections on your system */
+ old_umask = umask(S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+
++ /* Make sure the socket doesn't already exist, left over from a system
++ crash perhaps. */
++ unlink(channel_forwarded_auth_socket_name);
++
+ if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < 0)
+ packet_disconnect("Agent socket bind failed: %.100s", strerror(errno));
+
diff --git a/security/ssh/files/patch-aw b/security/ssh/files/patch-aw
index 2f0b5a8..697f323 100644
--- a/security/ssh/files/patch-aw
+++ b/security/ssh/files/patch-aw
@@ -1,30 +1,73 @@
---- login.c.orig Wed May 12 12:19:26 1999
-+++ login.c Fri Jun 18 12:11:20 1999
-@@ -117,6 +117,9 @@
- #include <hpsecurity.h>
- #include <prot.h>
- #endif /* HAVE_HPUX_TCB_AUTH */
-+#ifdef __FreeBSD__
-+#include <osreldate.h>
-+#endif
- #include "ssh.h"
-
- /* Returns the time when the user last logged in. Returns 0 if the
-@@ -301,12 +304,15 @@
- strncpy(u.ut_user, user, sizeof(u.ut_user));
- #endif /* HAVE_NAME_IN_UTMP */
- #ifdef HAVE_HOST_IN_UTMP
-- strncpy(u.ut_host, host, sizeof(u.ut_host));
- #ifdef __FreeBSD__
-+#if __FreeBSD_version >= 320000
-+ trimdomain(host, sizeof u.ut_host);
-+#endif
- if (strlen(host) > sizeof(u.ut_host)) {
- strncpy(u.ut_host, get_remote_ipaddr(), sizeof(u.ut_host));
-- }
-+ } else
- #endif /* __FreeBSD__ */
-+ strncpy(u.ut_host, host, sizeof(u.ut_host));
- #endif /* HAVE_HOST_IN_UTMP */
- #ifdef HAVE_ADDR_IN_UTMP
- if (addr)
+*** login.c.orig Tue Jan 11 20:36:37 2000
+--- login.c Tue Jan 11 20:36:34 2000
+***************
+*** 117,122 ****
+--- 117,125 ----
+ #include <hpsecurity.h>
+ #include <prot.h>
+ #endif /* HAVE_HPUX_TCB_AUTH */
++ #ifdef __FreeBSD__
++ #include <osreldate.h>
++ #endif
+ #include "ssh.h"
+
+ /* Returns the time when the user last logged in. Returns 0 if the
+***************
+*** 255,261 ****
+ were more standardized. */
+
+ void record_login(int pid, const char *ttyname, const char *user, uid_t uid,
+! const char *host, struct sockaddr_in *addr)
+ {
+ int fd;
+
+--- 258,264 ----
+ were more standardized. */
+
+ void record_login(int pid, const char *ttyname, const char *user, uid_t uid,
+! const char *host, struct sockaddr *addr)
+ {
+ int fd;
+
+***************
+*** 301,317 ****
+ strncpy(u.ut_user, user, sizeof(u.ut_user));
+ #endif /* HAVE_NAME_IN_UTMP */
+ #ifdef HAVE_HOST_IN_UTMP
+- strncpy(u.ut_host, host, sizeof(u.ut_host));
+ #ifdef __FreeBSD__
+ if (strlen(host) > sizeof(u.ut_host)) {
+ strncpy(u.ut_host, get_remote_ipaddr(), sizeof(u.ut_host));
+! }
+ #endif /* __FreeBSD__ */
+ #endif /* HAVE_HOST_IN_UTMP */
+ #ifdef HAVE_ADDR_IN_UTMP
+ if (addr)
+ memcpy(&u.ut_addr, &addr->sin_addr, sizeof(u.ut_addr));
+ else
+ memset(&u.ut_addr, 0, sizeof(u.ut_addr));
+ #endif
+
+--- 304,325 ----
+ strncpy(u.ut_user, user, sizeof(u.ut_user));
+ #endif /* HAVE_NAME_IN_UTMP */
+ #ifdef HAVE_HOST_IN_UTMP
+ #ifdef __FreeBSD__
++ #if __FreeBSD_version >= 320000
++ trimdomain(host, sizeof u.ut_host);
++ #endif
+ if (strlen(host) > sizeof(u.ut_host)) {
+ strncpy(u.ut_host, get_remote_ipaddr(), sizeof(u.ut_host));
+! } else
+ #endif /* __FreeBSD__ */
++ strncpy(u.ut_host, host, sizeof(u.ut_host));
+ #endif /* HAVE_HOST_IN_UTMP */
+ #ifdef HAVE_ADDR_IN_UTMP
++ #if 0 /* XXX */
+ if (addr)
+ memcpy(&u.ut_addr, &addr->sin_addr, sizeof(u.ut_addr));
+ else
++ #endif /* XXX */
+ memset(&u.ut_addr, 0, sizeof(u.ut_addr));
+ #endif
+
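Review bot: The `#if 0 /* XXX */` around the ut_addr assignment makes record_login() write a zeroed ut_addr for every session when HAVE_ADDR_IN_UTMP is set, so utmp/wtmp lose the peer address for IPv4 logins too and `last`/`who` can no longer be correlated with the remote host once ut_host is truncated or replaced by a name. Keep the data for the family that fits: `if (addr && addr->sa_family == AF_INET) memcpy(&u.ut_addr, &((struct sockaddr_in *)addr)->sin_addr, sizeof(u.ut_addr)); else memset(&u.ut_addr, 0, sizeof(u.ut_addr));`, with a comment that an IPv6 peer cannot be represented in the 32-bit field and is recorded only via ut_host. Note also that `trimdomain(host, sizeof u.ut_host)` writes through `const char *host`; this predates the commit but now sits on the new side, and a comment or a local copy would make the intent explicit.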
diff --git a/security/ssh/files/patch-ba b/security/ssh/files/patch-ba
new file mode 100644
index 0000000..69ad90067
--- /dev/null
+++ b/security/ssh/files/patch-ba
@@ -0,0 +1,176 @@
+*** README-IPv6.orig Mon Jan 10 22:56:13 2000
+--- README-IPv6 Mon Jan 10 22:56:13 2000
+***************
+*** 0 ****
+--- 1,171 ----
++ ssh-1.2.27-IPv6 version 1.5 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * ssh-1.2.27-IPv6 can handle both IPv4 and IPv6.
++
++ To enable sshd/ssh to handle both IPv4 and IPv6,
++
++ ./configure --enable-ipv6
++
++ Otherwise sshd/ssh handle IPv4 only as same as original ssh.
++
++ * You can have multiple ListenAddress lines in /etc/sshd_config.
++ It means that sshd can listen multiple addresses.
++
++ Example1: sshd will bind on these four adresses.
++
++ ListenAddress 202.249.17.50
++ ListenAddress 202.249.17.137
++ ListenAddress 3ffe:501:c0b::1
++ ListenAddress 3ffe:501:c0b:20:2a0:c9ff:fe3e:f5fc
++
++ Example2: as same as example1.
++ (Because bertemu.rcac.tdi.co.jp has these four addresses.)
++
++ ListenAddress bertemu.rcac.tdi.co.jp
++
++ Example3: sshd will bind on any address both IPv4 and IPv6.
++
++ ListenAddress ::
++ ListenAddress 0.0.0.0
++
++ Example4: as same as example3.
++
++ No ListenAddress line in /etc/sshd_config.
++
++ * You don't mind whether the host has IPv4 or IPv6 address.
++ You can also specify using only IPv4 (or only IPv6).
++
++ Example1: ssh will try all IPv4 and IPv6 addresses that the host has.
++
++ ssh host
++
++ Example2: ssh will try all IPv4 addresses that the host has.
++
++ ssh -4 host
++
++ Example3: ssh will try all IPv6 addresses that the host has.
++
++ ssh -6 host
++
++ * You can have multiple Port lines in /etc/sshd_config and -p options.
++ It means that sshd can listen multiple ports, not only port 22.
++
++ For example, you run sshd that listens port 22 and port 722,
++ and you can use port 22 for slogin and port 722 for scp.
++ It's useful if you have preference for interactive traffic in the router.
++
++ You can have "AnotherPort 722" line in /etc/ssh_config or your
++ config file (maybe ~/.ssh/config). In this case, ssh with -A option
++ try to connect to port 722 at first, and try to connect to original
++ port (maybe port 22) if port 722 fails. scp executes ssh with -A option.
++
++ * IPv6 supported platform
++
++ IPv6 feature is available on follwing platforms now.
++
++ kame -- http://www.kame.net/ (used to be called Hydrangea)
++ v6d -- http://onoe2.sm.sony.co.jp/ipv6/ (IPv6 daemon)
++
++ On the other environments you can compile and run ssh-1.2.27-IPv6 if
++ you have a good getaddrinfo() in your library.
++
++ * How to get ssh-1.2.27-IPv6
++
++ You can get tar.gz or patch to ssh-1.2.27.tar.gz:
++
++ ftp://ftp.kyoto.wide.ad.jp/IPv6/ssh/ssh-1.2.27-IPv6-1.5.tar.gz
++ ftp://ftp.kyoto.wide.ad.jp/IPv6/ssh/ssh-1.2.27-IPv6-1.5-patch.gz
++
++ * How to install ssh-1.2.27-IPv6
++
++ Apply ssh-1.2.27-IPv6-1.5-patch to ssh-1.2.27.tar.gz (or use
++ ssh-1.2.27-IPv6-1.5.tar.gz) and then see INSTALL file of ssh-1.2.27.
++
++ If you want to enable ssh to handle IPv6, for example,
++
++ % ./configure --enable-ipv6
++ % make
++ % make install
++
++ and you will be able to enjoy ssh handling both IPv6 and IPv4.
++
++ * Change Log
++
++ v1.5 1999-05-15 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * for ssh-1.2.27
++ * supported scp with bracketed ipv6 ip address
++ * used struct sockaddr_storage instead of union sockunion
++
++ v1.4 1998-08-21 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * fixed ipv6 address checking bug at match_host() in match.c
++ * cleanup comparing ip address at get_remote_hostname() in canohost.c
++
++ v1.3 1998-08-14 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * fixed ipv6 address checking bug at match_host() in match.c
++ pointed out by Kenji Rikitake <kenji@k2r.org>
++
++ v1.2.2 1998-08-07 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * fixed IPv6 enable checking bug in configure.in
++
++ v1.2.1 1998-08-05 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * fixed AuthLog enable handling bug
++
++ v1.2 1998-08-01 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * for ssh-1.2.26
++
++ v1.1.5 1998-06-13 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * supported AuthLog (logging authenticated info) in /etc/sshd_config
++
++ v1.1.4 1998-06-11 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * supported multiple Port lines in /etc/sshd_config
++ * supported AnotherPort line in /etc/ssh_config
++ * supported -A option of ssh for another port try
++
++ v1.1.3 1998-06-01 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * X11 connection forwarding IPv6 support
++ * removeed all hostent and sockaddr_in from *.c
++
++ v1.1.2 1998-05-31 Jun-ichiro itojun Itoh <itojun@itojun.org>
++
++ * configuration support for v6d.
++
++ v1.1.1 1998-05-31 Jun-ichiro itojun Itoh <itojun@itojun.org>
++
++ * add getaddinfo.c, getnameinfo.c and gai.h (delete fakelibinet6.c)
++ * configure checks whether getaddrinfo exists or not.
++
++ v1.1 1998-05-31 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * add fakelibinet6.c (including getaddrinfo and getnameinfo)
++ * compilation support on non-IPv6 environment.
++ * fixed port forwarding bug
++
++ v1.0.1 1998-05-30 Jun-ichiro itojun Itoh <itojun@itojun.org>
++
++ * add ENABLE_IPV6 flag.
++ * configuration support --enable-ipv6 for IPv6 platforms.
++
++ v1.0 1998-05-30 created by KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * first release
++ * IPv6 support except X11 connection forwarding
++
++ * Guideline for making this patch
++
++ * protocol family independent (using AF_UNSPEC)
++ * use getaddrinfo and getnameinfo (see RFC2133)
++ * don't use sockaddr_in and AF_INET (but option -4 uses AF_INET)
++ * don't use sockaddr_in6 and AF_INET6 (but option -6 uses AF_INET6)
++ * don't use gethostbyname, gethostbyaddr and hostent
++ * listen to all addresses for all available protocol family
++ * try to connect to all addresses for all available protocol family
++
diff --git a/security/ssh/files/patch-bb b/security/ssh/files/patch-bb
new file mode 100644
index 0000000..945e1fd
--- /dev/null
+++ b/security/ssh/files/patch-bb
@@ -0,0 +1,29 @@
+*** acconfig.h.orig Wed May 12 13:19:23 1999
+--- acconfig.h Mon Jan 10 22:56:13 2000
+***************
+*** 274,279 ****
+--- 274,297 ----
+ /etc/nologin.allow. */
+ #undef NOLOGIN_ALLOW
+
++ /* Define this if you have struct sockaddr_storage. */
++ #undef HAVE_SOCKADDR_STORAGE
++
++ /* Define this if you have __sa_family in struct sockaddr_storage. */
++ #undef HAVE_NEW_SS_FAMILY
++
++ /* Define this if you have ss_len in struct sockaddr. */
++ #undef HAVE_SOCKADDR_LEN
++
++ /* Define this if you want to enable IPv6 support. */
++ #undef ENABLE_IPV6
++
++ /* Define this if you want to enable another port try support. */
++ #undef ENABLE_ANOTHER_PORT_TRY
++
++ /* Define this if you want to enable logging auth info support. */
++ #undef ENABLE_LOG_AUTH
++
+ /* Where to find the X11 socket */
+ #undef X11_DIR
+
diff --git a/security/ssh/files/patch-bc b/security/ssh/files/patch-bc
new file mode 100644
index 0000000..63b079f
--- /dev/null
+++ b/security/ssh/files/patch-bc
@@ -0,0 +1,401 @@
+*** canohost.c.orig Wed May 12 13:19:24 1999
+--- canohost.c Mon Jan 10 22:56:13 2000
+***************
+*** 59,68 ****
+
+ char *get_remote_hostname(int socket)
+ {
+! struct sockaddr_in from;
+ int fromlen, i;
+! struct hostent *hp;
+ char name[255];
+
+ /* Get IP address of client. */
+ fromlen = sizeof(from);
+--- 59,69 ----
+
+ char *get_remote_hostname(int socket)
+ {
+! struct sockaddr_storage from;
+ int fromlen, i;
+! struct addrinfo hints, *ai, *aitop;
+ char name[255];
++ char ntop[ADDRSTRLEN], ntop2[ADDRSTRLEN];
+
+ /* Get IP address of client. */
+ fromlen = sizeof(from);
+***************
+*** 73,86 ****
+ strcpy(name, "UNKNOWN");
+ goto check_ip_options;
+ }
+
+ /* Map the IP address to a host name. */
+! hp = gethostbyaddr((char *)&from.sin_addr, sizeof(struct in_addr),
+! from.sin_family);
+! if (hp)
+ {
+ /* Got host name. */
+- strncpy(name, hp->h_name, sizeof(name));
+ name[sizeof(name) - 1] = '\0';
+
+ /* Convert it to all lowercase (which is expected by the rest of this
+--- 74,89 ----
+ strcpy(name, "UNKNOWN");
+ goto check_ip_options;
+ }
++
++ getnameinfo((struct sockaddr *)&from, fromlen,
++ ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST);
+
+ /* Map the IP address to a host name. */
+! if (getnameinfo((struct sockaddr *)&from, fromlen,
+! name, sizeof(name),
+! NULL, 0, NI_NAMEREQD) == 0)
+ {
+ /* Got host name. */
+ name[sizeof(name) - 1] = '\0';
+
+ /* Convert it to all lowercase (which is expected by the rest of this
+***************
+*** 95,119 ****
+ Mapping from name to IP address can be trusted better (but can still
+ be fooled if the intruder has access to the name server of the
+ domain). */
+! hp = gethostbyname(name);
+! if (!hp)
+ {
+ log_msg("reverse mapping checking gethostbyname for %.700s failed - POSSIBLE BREAKIN ATTEMPT!", name);
+! strcpy(name, inet_ntoa(from.sin_addr));
+ goto check_ip_options;
+ }
+ /* Look for the address from the list of addresses. */
+! for (i = 0; hp->h_addr_list[i]; i++)
+! if (memcmp(hp->h_addr_list[i], &from.sin_addr, sizeof(from.sin_addr))
+! == 0)
+! break;
+ /* If we reached the end of the list, the address was not there. */
+! if (!hp->h_addr_list[i])
+ {
+ /* Address not found for the host name. */
+ log_msg("Address %.100s maps to %.600s, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!",
+! inet_ntoa(from.sin_addr), name);
+! strcpy(name, inet_ntoa(from.sin_addr));
+ goto check_ip_options;
+ }
+ /* Address was found for the host name. We accept the host name. */
+--- 98,127 ----
+ Mapping from name to IP address can be trusted better (but can still
+ be fooled if the intruder has access to the name server of the
+ domain). */
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_family = from.__ss_family;
+! if (getaddrinfo(name, NULL, &hints, &aitop) != 0)
+ {
+ log_msg("reverse mapping checking gethostbyname for %.700s failed - POSSIBLE BREAKIN ATTEMPT!", name);
+! strcpy(name, ntop);
+ goto check_ip_options;
+ }
+ /* Look for the address from the list of addresses. */
+! for (ai = aitop; ai; ai = ai->ai_next)
+! {
+! getnameinfo(ai->ai_addr, ai->ai_addrlen,
+! ntop2, sizeof(ntop2), NULL, 0, NI_NUMERICHOST);
+! if (strcmp(ntop, ntop2) == 0)
+! break;
+! }
+! freeaddrinfo(aitop);
+ /* If we reached the end of the list, the address was not there. */
+! if (!ai)
+ {
+ /* Address not found for the host name. */
+ log_msg("Address %.100s maps to %.600s, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!",
+! ntop, name);
+! strcpy(name, ntop);
+ goto check_ip_options;
+ }
+ /* Address was found for the host name. We accept the host name. */
+***************
+*** 121,127 ****
+ else
+ {
+ /* Host name not found. Use ascii representation of the address. */
+! strcpy(name, inet_ntoa(from.sin_addr));
+ log_msg("Could not reverse map address %.100s.", name);
+ }
+
+--- 129,135 ----
+ else
+ {
+ /* Host name not found. Use ascii representation of the address. */
+! strcpy(name, ntop);
+ log_msg("Could not reverse map address %.100s.", name);
+ }
+
+***************
+*** 136,141 ****
+--- 144,150 ----
+ Notice also that if we just dropped source routing here, the other
+ side could use IP spoofing to do rest of the interaction and could still
+ bypass security. So we exit here if we detect any IP options. */
++ if (from.__ss_family == AF_INET) /* IP options -- IPv4 only */
+ {
+ unsigned char options[200], *ucp;
+ char text[1024], *cp;
+***************
+*** 157,165 ****
+ for (ucp = options; option_size > 0; ucp++, option_size--, cp += 3)
+ sprintf(cp, " %2.2x", *ucp);
+ log_msg("Connection from %.100s with IP options:%.800s",
+! inet_ntoa(from.sin_addr), text);
+ packet_disconnect("Connection from %.100s with IP options:%.800s",
+! inet_ntoa(from.sin_addr), text);
+ }
+ }
+ #endif
+--- 166,174 ----
+ for (ucp = options; option_size > 0; ucp++, option_size--, cp += 3)
+ sprintf(cp, " %2.2x", *ucp);
+ log_msg("Connection from %.100s with IP options:%.800s",
+! ntop, text);
+ packet_disconnect("Connection from %.100s with IP options:%.800s",
+! ntop, text);
+ }
+ }
+ #endif
+***************
+*** 177,183 ****
+ const char *get_canonical_hostname(void)
+ {
+ int fromlen, tolen;
+! struct sockaddr_in from, to;
+
+ /* Check if we have previously retrieved this same name. */
+ if (canonical_host_name != NULL)
+--- 186,192 ----
+ const char *get_canonical_hostname(void)
+ {
+ int fromlen, tolen;
+! struct sockaddr_storage from, to;
+
+ /* Check if we have previously retrieved this same name. */
+ if (canonical_host_name != NULL)
+***************
+*** 200,207 ****
+ &tolen) < 0)
+ goto no_ip_addr;
+
+! if (from.sin_family == AF_INET && to.sin_family == AF_INET &&
+! memcmp(&from, &to, sizeof(from)) == 0)
+ goto return_ip_addr;
+
+ no_ip_addr:
+--- 209,215 ----
+ &tolen) < 0)
+ goto no_ip_addr;
+
+! if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0)
+ goto return_ip_addr;
+
+ no_ip_addr:
+***************
+*** 221,228 ****
+
+ const char *get_remote_ipaddr(void)
+ {
+! struct sockaddr_in from, to;
+ int fromlen, tolen, socket;
+
+ /* Check if we have previously retrieved this same name. */
+ if (canonical_host_ip != NULL)
+--- 229,237 ----
+
+ const char *get_remote_ipaddr(void)
+ {
+! struct sockaddr_storage from, to;
+ int fromlen, tolen, socket;
++ char ntop[ADDRSTRLEN];
+
+ /* Check if we have previously retrieved this same name. */
+ if (canonical_host_ip != NULL)
+***************
+*** 245,252 ****
+ &tolen) < 0)
+ goto no_ip_addr;
+
+! if (from.sin_family == AF_INET && to.sin_family == AF_INET &&
+! memcmp(&from, &to, sizeof(from)) == 0)
+ goto return_ip_addr;
+
+ no_ip_addr:
+--- 254,260 ----
+ &tolen) < 0)
+ goto no_ip_addr;
+
+! if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0)
+ goto return_ip_addr;
+
+ no_ip_addr:
+***************
+*** 269,275 ****
+ }
+
+ /* Get the IP address in ascii. */
+! canonical_host_ip = xstrdup(inet_ntoa(from.sin_addr));
+
+ /* Return ip address string. */
+ return canonical_host_ip;
+--- 277,285 ----
+ }
+
+ /* Get the IP address in ascii. */
+! getnameinfo((struct sockaddr *)&from, fromlen,
+! ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST);
+! canonical_host_ip = xstrdup(ntop);
+
+ /* Return ip address string. */
+ return canonical_host_ip;
+***************
+*** 279,286 ****
+
+ int get_peer_port(int sock)
+ {
+! struct sockaddr_in from;
+ int fromlen;
+
+ /* Get IP address of client. */
+ fromlen = sizeof(from);
+--- 289,297 ----
+
+ int get_peer_port(int sock)
+ {
+! struct sockaddr_storage from;
+ int fromlen;
++ char strport[PORTSTRLEN];
+
+ /* Get IP address of client. */
+ fromlen = sizeof(from);
+***************
+*** 292,298 ****
+ }
+
+ /* Return port number. */
+! return ntohs(from.sin_port);
+ }
+
+ /* Returns the port number of the remote host. */
+--- 303,311 ----
+ }
+
+ /* Return port number. */
+! getnameinfo((struct sockaddr *)&from, fromlen,
+! NULL, 0, strport, sizeof(strport), NI_NUMERICSERV);
+! return atoi(strport);
+ }
+
+ /* Returns the port number of the remote host. */
+***************
+*** 301,307 ****
+ {
+ int socket;
+ int fromlen, tolen;
+! struct sockaddr_in from, to;
+
+ /* If two different descriptors, check if they are internet-domain, and
+ have the same address. */
+--- 314,320 ----
+ {
+ int socket;
+ int fromlen, tolen;
+! struct sockaddr_storage from, to;
+
+ /* If two different descriptors, check if they are internet-domain, and
+ have the same address. */
+***************
+*** 319,326 ****
+ &tolen) < 0)
+ goto no_ip_addr;
+
+! if (from.sin_family == AF_INET && to.sin_family == AF_INET &&
+! memcmp(&from, &to, sizeof(from)) == 0)
+ goto return_port;
+
+ no_ip_addr:
+--- 332,338 ----
+ &tolen) < 0)
+ goto no_ip_addr;
+
+! if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0)
+ goto return_port;
+
+ no_ip_addr:
+***************
+*** 335,337 ****
+--- 347,413 ----
+ /* Get and return the peer port number. */
+ return get_peer_port(socket);
+ }
++
++ /* Returns the port of the local of the socket. */
++
++ int get_sock_port(int sock)
++ {
++ struct sockaddr_storage from;
++ int fromlen;
++ char strport[PORTSTRLEN];
++
++ /* Get IP address of client. */
++ fromlen = sizeof(from);
++ memset(&from, 0, sizeof(from));
++ if (getsockname(sock, (struct sockaddr *)&from, &fromlen) < 0)
++ {
++ error("getsockname failed: %.100s", strerror(errno));
++ return 0;
++ }
++
++ /* Return port number. */
++ getnameinfo((struct sockaddr *)&from, fromlen,
++ NULL, 0, strport, sizeof(strport), NI_NUMERICSERV);
++ return atoi(strport);
++ }
++
++ /* Returns the port number of the local host. */
++
++ int get_local_port()
++ {
++ int socket;
++ int fromlen, tolen;
++ struct sockaddr_storage from, to;
++
++ /* If two different descriptors, check if they are internet-domain, and
++ have the same address. */
++ if (packet_get_connection_in() != packet_get_connection_out())
++ {
++ fromlen = sizeof(from);
++ memset(&from, 0, sizeof(from));
++ if (getsockname(packet_get_connection_in(), (struct sockaddr *)&from,
++ &fromlen) < 0)
++ goto no_ip_addr;
++
++ tolen = sizeof(to);
++ memset(&to, 0, sizeof(to));
++ if (getsockname(packet_get_connection_out(), (struct sockaddr *)&to,
++ &tolen) < 0)
++ goto no_ip_addr;
++
++ if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0)
++ goto return_port;
++
++ no_ip_addr:
++ return 65535;
++ }
++
++ return_port:
++
++ /* Get client socket. */
++ socket = packet_get_connection_in();
++
++ /* Get and return the local port number. */
++ return get_sock_port(socket);
++ }
++
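Review bot: The new `getnameinfo(..., NI_NUMERICHOST)` call placed right after the getpeername check in get_remote_hostname discards its return value, so on failure `ntop` is left uninitialized yet is later copied into `name` on every "POSSIBLE BREAKIN ATTEMPT" path and in the "Could not reverse map" branch, and is the string every forward-lookup result is compared against; the per-address call inside the `for (ai = aitop; ...)` loop has the same problem for `ntop2`. Treat a failed conversion like the getpeername failure just above it: `if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0) { strcpy(name, "UNKNOWN"); goto check_ip_options; }`, and in the loop `continue` when the call fails so a stale or uninitialized `ntop2` can never be compared. The same unchecked pattern appears in get_remote_ipaddr, get_peer_port and the new get_sock_port, where `atoi(strport)` would then parse an uninitialized buffer. `fromlen`/`tolen` stay `int` while the new getpeername/getsockname/getnameinfo calls presumably expect `socklen_t`; this is likely harmless here but worth aligning.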
diff --git a/security/ssh/files/patch-bd b/security/ssh/files/patch-bd
new file mode 100644
index 0000000..d6c0361
--- /dev/null
+++ b/security/ssh/files/patch-bd
@@ -0,0 +1,49 @@
+*** config.h.in.orig Wed May 12 13:20:04 1999
+--- config.h.in Mon Jan 10 22:56:13 2000
+***************
+*** 323,328 ****
+--- 323,346 ----
+ /etc/nologin.allow. */
+ #undef NOLOGIN_ALLOW
+
++ /* Define this if you have struct sockaddr_storage. */
++ #undef HAVE_SOCKADDR_STORAGE
++
++ /* Define this if you have __sa_family in struct sockaddr_storage. */
++ #undef HAVE_NEW_SS_FAMILY
++
++ /* Define this if you have ss_len in struct sockaddr. */
++ #undef HAVE_SOCKADDR_LEN
++
++ /* Define this if you want to enable IPv6 support. */
++ #undef ENABLE_IPV6
++
++ /* Define this if you want to enable another port try support. */
++ #undef ENABLE_ANOTHER_PORT_TRY
++
++ /* Define this if you want to enable logging auth info support. */
++ #undef ENABLE_LOG_AUTH
++
+ /* Where to find the X11 socket */
+ #undef X11_DIR
+
+***************
+*** 375,385 ****
+--- 393,409 ----
+ /* Define if you have the ftruncate function. */
+ #undef HAVE_FTRUNCATE
+
++ /* Define if you have the getaddrinfo function. */
++ #undef HAVE_GETADDRINFO
++
+ /* Define if you have the getdtablesize function. */
+ #undef HAVE_GETDTABLESIZE
+
+ /* Define if you have the gethostname function. */
+ #undef HAVE_GETHOSTNAME
++
++ /* Define if you have the getnameinfo function. */
++ #undef HAVE_GETNAMEINFO
+
+ /* Define if you have the getpseudotty function. */
+ #undef HAVE_GETPSEUDOTTY
diff --git a/security/ssh/files/patch-be b/security/ssh/files/patch-be
new file mode 100644
index 0000000..d84d41f
--- /dev/null
+++ b/security/ssh/files/patch-be
@@ -0,0 +1,401 @@
+*** configure.in.orig Wed May 12 13:20:02 1999
+--- configure.in Tue Jan 11 22:55:20 2000
+***************
+*** 30,37 ****
+--- 30,163 ----
+ fi
+
+ AC_PROG_CC
++ AC_PROG_CPP
+ AC_ISC_POSIX
+
++ AC_MSG_CHECKING([whether to enable ipv6])
++ AC_ARG_ENABLE(ipv6,
++ [ --enable-ipv6 Enable ipv6 (with ipv4) support
++ --disable-ipv6 Disable ipv6 support],
++ [ case "$enableval" in
++ no)
++ AC_MSG_RESULT(no)
++ ipv6=no
++ ;;
++ *) AC_MSG_RESULT(yes)
++ AC_DEFINE(ENABLE_IPV6)
++ ipv6=yes
++ ;;
++ esac ],
++
++ AC_TRY_RUN([ /* AF_INET6 avalable check */
++ #include <sys/types.h>
++ #include <sys/socket.h>
++ main()
++ {
++ if (socket(AF_INET6, SOCK_STREAM, 0) < 0)
++ exit(1);
++ else
++ exit(0);
++ }
++ ],
++ AC_MSG_RESULT(yes)
++ AC_DEFINE(ENABLE_IPV6)
++ ipv6=yes,
++ AC_MSG_RESULT(no)
++ ipv6=no,
++ AC_MSG_RESULT(no)
++ ipv6=no
++ ))
++
++ ipv6type=unknown
++ ipv6lib=none
++
++ if test "$ipv6" = "yes"; then
++ AC_MSG_CHECKING([ipv6 stack type])
++ for i in inria kame linux toshiba v6d zeta; do
++ case $i in
++ inria)
++ dnl http://www.kame.net/
++ AC_EGREP_CPP(yes, [dnl
++ #include <netinet/in.h>
++ #ifdef IPV6_INRIA_VERSION
++ yes
++ #endif],
++ [ipv6type=$i;
++ CPPFLAGS="-DINET6 $CPPFLAGS"])
++ ;;
++ kame)
++ dnl http://www.kame.net/
++ AC_EGREP_CPP(yes, [dnl
++ #include <netinet/in.h>
++ #ifdef __KAME__
++ yes
++ #endif],
++ [ipv6type=$i;
++ ipv6lib=inet6;
++ ipv6libdir=/usr/local/v6/lib;
++ CPPFLAGS="-DINET6 $CPPFLAGS"])
++ ;;
++ linux)
++ dnl http://www.v6.linux.or.jp/
++ if test -d /usr/inet6; then
++ ipv6type=$i
++ ipv6lib=inet6
++ ipv6libdir=/usr/inet6/lib
++ CPPFLAGS="-DINET6 -I/usr/inet6/include $CPPFLAGS"
++ fi
++ ;;
++ toshiba)
++ AC_EGREP_CPP(yes, [dnl
++ #include <sys/param.h>
++ #ifdef _TOSHIBA_INET6
++ yes
++ #endif],
++ [ipv6type=$i;
++ ipv6lib=inet6;
++ ipv6libdir=/usr/local/v6/lib;
++ CPPFLAGS="-DINET6 $CPPFLAGS"])
++ ;;
++ v6d)
++ AC_EGREP_CPP(yes, [dnl
++ #include </usr/local/v6/include/sys/v6config.h>
++ #ifdef __V6D__
++ yes
++ #endif],
++ [ipv6type=$i;
++ ipv6lib=v6;
++ ipv6libdir=/usr/local/v6/lib;
++ CPPFLAGS="-I/usr/local/v6/include $CPPFLAGS"])
++ ;;
++ zeta)
++ AC_EGREP_CPP(yes, [dnl
++ #include <sys/param.h>
++ #ifdef _ZETA_MINAMI_INET6
++ yes
++ #endif],
++ [ipv6type=$i;
++ ipv6lib=inet6;
++ ipv6libdir=/usr/local/v6/lib;
++ CPPFLAGS="-DINET6 $CPPFLAGS"])
++ ;;
++ esac
++ if test "$ipv6type" != "unknown"; then
++ break
++ fi
++ done
++ AC_MSG_RESULT($ipv6type)
++ fi
++
++ if test "$ipv6" = "yes" -a "$ipv6lib" != "none"; then
++ if test -d $ipv6libdir -a -f $ipv6libdir/lib$ipv6lib.a; then
++ LIBS="-L$ipv6libdir -l$ipv6lib $LIBS"
++ else
++ echo 'Fatal: no $ipv6lib library found. cannot continue.'
++ echo "You need to fetch lib$ipv6lib.a from appropriate"
++ echo 'ipv6 kit and compile beforehand.'
++ exit 1
++ fi
++ fi
++
+ AC_DEFINE_UNQUOTED(HOSTTYPE, "$host")
+
+ case "$host" in
+***************
+*** 313,319 ****
+
+ # Socket pairs appear to be broken on several systems. I don't know exactly
+ # where, so I'll use pipes everywhere for now.
+! AC_DEFINE(USE_PIPES)
+
+ AC_MSG_CHECKING([that the compiler works])
+ AC_TRY_RUN([ main(int ac, char **av) { return 0; } ],
+--- 439,445 ----
+
+ # Socket pairs appear to be broken on several systems. I don't know exactly
+ # where, so I'll use pipes everywhere for now.
+! # AC_DEFINE(USE_PIPES)
+
+ AC_MSG_CHECKING([that the compiler works])
+ AC_TRY_RUN([ main(int ac, char **av) { return 0; } ],
+***************
+*** 369,375 ****
+
+ AC_HEADER_STDC
+ AC_HEADER_SYS_WAIT
+! AC_CHECK_HEADERS(unistd.h rusage.h sys/time.h lastlog.h utmp.h shadow.h)
+ AC_CHECK_HEADERS(sgtty.h sys/select.h sys/ioctl.h machine/endian.h)
+ AC_CHECK_HEADERS(paths.h usersec.h utime.h netinet/in_systm.h)
+ AC_CHECK_HEADERS(netinet/in_system.h netinet/ip.h netinet/tcp.h ulimit.h)
+--- 495,501 ----
+
+ AC_HEADER_STDC
+ AC_HEADER_SYS_WAIT
+! AC_CHECK_HEADERS(unistd.h rusage.h sys/time.h lastlog.h login_cap.h utmp.h shadow.h)
+ AC_CHECK_HEADERS(sgtty.h sys/select.h sys/ioctl.h machine/endian.h)
+ AC_CHECK_HEADERS(paths.h usersec.h utime.h netinet/in_systm.h)
+ AC_CHECK_HEADERS(netinet/in_system.h netinet/ip.h netinet/tcp.h ulimit.h)
+***************
+*** 399,404 ****
+--- 525,540 ----
+ [ AC_DEFINE(HAVE_INCOMPATIBLE_SIGINFO)
+ AC_MSG_RESULT(yes)] , AC_MSG_RESULT(no))
+
++ AC_MSG_CHECKING([whether sys/socket.h have struct sockaddr_storage])
++ AC_EGREP_HEADER(sockaddr_storage, sys/socket.h,
++ [ AC_DEFINE(HAVE_SOCKADDR_STORAGE) AC_MSG_RESULT(yes)], AC_MSG_RESULT(no))
++ AC_MSG_CHECKING([whether sys/socket.h have __ss_family])
++ AC_EGREP_HEADER(__ss_family, sys/socket.h,
++ [ AC_DEFINE(HAVE_NEW_SS_FAMILY) AC_MSG_RESULT(yes)], AC_MSG_RESULT(no))
++ AC_MSG_CHECKING([whether sys/socket.h have sa_len])
++ AC_EGREP_HEADER(sa_len, sys/socket.h,
++ [ AC_DEFINE(HAVE_SOCKADDR_LEN) AC_MSG_RESULT(yes)], AC_MSG_RESULT(no))
++
+ AC_CHECK_LIB(c, crypt, [true], AC_CHECK_LIB(crypt, crypt))
+ AC_CHECK_LIB(sec, getspnam)
+ AC_CHECK_LIB(seq, get_process_stats)
+***************
+*** 436,441 ****
+--- 572,676 ----
+
+ AC_REPLACE_FUNCS(strerror memmove remove random putenv crypt socketpair snprintf)
+
++ AC_MSG_CHECKING(getaddrinfo bug)
++ AC_TRY_RUN([
++ #include <sys/types.h>
++ #include <netdb.h>
++ #include <string.h>
++ #include <sys/socket.h>
++ #include <netinet/in.h>
++
++ main()
++ {
++ int passive, gaierr, inet4 = 0, inet6 = 0;
++ struct addrinfo hints, *ai, *aitop;
++ char straddr[INET6_ADDRSTRLEN], strport[16];
++
++ for (passive = 0; passive <= 1; passive++) {
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = AF_UNSPEC;
++ hints.ai_flags = passive ? AI_PASSIVE : 0;
++ hints.ai_socktype = SOCK_STREAM;
++ if ((gaierr = getaddrinfo(NULL, "54321", &hints, &aitop)) != 0) {
++ (void)gai_strerror(gaierr);
++ goto bad;
++ }
++ for (ai = aitop; ai; ai = ai->ai_next) {
++ if (ai->ai_addr == NULL ||
++ ai->ai_addrlen == 0 ||
++ getnameinfo(ai->ai_addr, ai->ai_addrlen,
++ straddr, sizeof(straddr), strport, sizeof(strport),
++ NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
++ goto bad;
++ }
++ if (strcmp(strport, "54321") != 0) {
++ goto bad;
++ }
++ switch (ai->ai_family) {
++ case AF_INET:
++ if (passive) {
++ if (strcmp(straddr, "0.0.0.0") != 0) {
++ goto bad;
++ }
++ } else {
++ if (strcmp(straddr, "127.0.0.1") != 0) {
++ goto bad;
++ }
++ }
++ inet4++;
++ break;
++ case AF_INET6:
++ if (passive) {
++ if (strcmp(straddr, "::") != 0) {
++ goto bad;
++ }
++ } else {
++ if (strcmp(straddr, "::1") != 0) {
++ goto bad;
++ }
++ }
++ inet6++;
++ break;
++ case AF_UNSPEC:
++ goto bad;
++ break;
++ default:
++ /* another family support? */
++ break;
++ }
++ }
++ }
++
++ if (inet6 != 2 || inet4 != 2)
++ goto bad;
++
++ if (aitop)
++ freeaddrinfo(aitop);
++ exit(0);
++
++ bad:
++ if (aitop)
++ freeaddrinfo(aitop);
++ exit(1);
++ }
++ ],
++ AC_MSG_RESULT(good)
++ buggygetaddrinfo=no,
++ AC_MSG_RESULT(buggy)
++ buggygetaddrinfo=yes,
++ AC_MSG_RESULT(buggy)
++ buggygetaddrinfo=yes)
++
++ if test "$buggygetaddrinfo" = "yes"; then
++ if test "$ipv6" = "yes"; then
++ echo 'Fatal: You must get working getaddrinfo() function.'
++ echo ' or you can specify "--disable-ipv6"'.
++ exit 1
++ else
++ AC_REPLACE_FUNCS(getaddrinfo getnameinfo)
++ fi
++ fi
++
+ AC_PROG_LN_S
+ AC_PROG_INSTALL
+ AC_CHECK_PROG(AR, ar, ar, echo)
+***************
+*** 932,938 ****
+ AC_DEFINE(KRB5)
+ KERBEROS_ROOT="$with_kerberos5"
+ KERBEROS_INCS="-I${KERBEROS_ROOT}/include"
+! KERBEROS_LIBS="-L${KERBEROS_ROOT}/lib -lgssapi_krb5 -lkrb5 -lcrypto -lcom_err"
+ AC_CHECK_LIB(ndbm, dbm_open, KERBEROS_LIBS="$KERBEROS_LIBS -lndbm")
+ KERBEROS_OBJS="auth-kerberos.o"
+ ;;
+--- 1167,1177 ----
+ AC_DEFINE(KRB5)
+ KERBEROS_ROOT="$with_kerberos5"
+ KERBEROS_INCS="-I${KERBEROS_ROOT}/include"
+! if [ -f ${KERBEROS_ROOT}/lib/libk5crypto.a ]; then
+! KERBEROS_LIBS="-L${KERBEROS_ROOT}/lib -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err"
+! else
+! KERBEROS_LIBS="-L${KERBEROS_ROOT}/lib -lgssapi_krb5 -lkrb5 -lcrypto -lcom_err"
+! fi
+ AC_CHECK_LIB(ndbm, dbm_open, KERBEROS_LIBS="$KERBEROS_LIBS -lndbm")
+ KERBEROS_OBJS="auth-kerberos.o"
+ ;;
+***************
+*** 1252,1257 ****
+--- 1491,1528 ----
+ AC_DEFINE(ENABLE_TCP_NODELAY)
+ )
+
++ AC_MSG_CHECKING(whether to enable another port try support)
++ AC_ARG_ENABLE(another-port-try,
++ [ --enable-another-port-try Enable another port try support (default)
++ --disable-another-port-try Disable another port try support],
++ [ case "$enableval" in
++ no)
++ AC_MSG_RESULT(no)
++ ;;
++ *) AC_MSG_RESULT(yes)
++ AC_DEFINE(ENABLE_ANOTHER_PORT_TRY)
++ ;;
++ esac ],
++ AC_MSG_RESULT(yes)
++ AC_DEFINE(ENABLE_ANOTHER_PORT_TRY)
++ )
++
++ AC_MSG_CHECKING(whether to enable logging auth info support)
++ AC_ARG_ENABLE(log-auth,
++ [ --enable-log-auth Enable logging auth info support (default)
++ --disable-log-auth Disable logging auth info support],
++ [ case "$enableval" in
++ no)
++ AC_MSG_RESULT(no)
++ ;;
++ *) AC_MSG_RESULT(yes)
++ AC_DEFINE(ENABLE_LOG_AUTH)
++ ;;
++ esac ],
++ AC_MSG_RESULT(yes)
++ AC_DEFINE(ENABLE_LOG_AUTH)
++ )
++
+ AC_MSG_CHECKING(whether to enable SO_LINGER)
+ AC_ARG_ENABLE(so-linger,
+ [ --enable-so-linger Enable setting SO_LINGER socket option],
+***************
+*** 1311,1316 ****
+--- 1582,1589 ----
+ AC_DEFINE(SCP_ALL_STATISTICS_ENABLED)
+ )
+
++ CFLAGS="$CPPFLAGS $CFLAGS"
++
+ # We include this here only to make it visible in --help; this is only used
+ # in the gmp subdirectory.
+ AC_ARG_ENABLE(asm,
+***************
+*** 1324,1330 ****
+ fi
+ AC_MSG_RESULT($PIDDIR)
+
+! AC_CONFIG_SUBDIRS(gmp-2.0.2-ssh-2)
+
+ AC_ARG_PROGRAM
+
+--- 1597,1603 ----
+ fi
+ AC_MSG_RESULT($PIDDIR)
+
+! #AC_CONFIG_SUBDIRS(gmp-2.0.2-ssh-2)
+
+ AC_ARG_PROGRAM
+
+***************
+*** 1336,1339 ****
+ AC_SUBST(SSHDCONFOBJS)
+ AC_SUBST(SSHINSTALLMODE)
+
+! AC_OUTPUT(Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 zlib-1.0.4/Makefile)
+--- 1609,1612 ----
+ AC_SUBST(SSHDCONFOBJS)
+ AC_SUBST(SSHINSTALLMODE)
+
+! AC_OUTPUT(Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 make-ssh-known-hosts.pl)
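Review bot: `if [ -f ${KERBEROS_ROOT}/lib/libk5crypto.a ]; then` in the KRB5 case branch sits in unquoted autoconf input, where `[` and `]` are m4's quote characters and are stripped when configure is generated, so the emitted shell line would presumably read `if  -f ${KERBEROS_ROOT}/lib/libk5crypto.a ; then` and silently fall through to the `-lcrypto` branch. Use the test builtin instead: `if test -f ${KERBEROS_ROOT}/lib/libk5crypto.a; then`. Secondary: the fatal message `echo 'Fatal: no $ipv6lib library found. cannot continue.'` is single-quoted, so the library name is printed literally rather than expanded.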
diff --git a/security/ssh/files/patch-bf b/security/ssh/files/patch-bf
new file mode 100644
index 0000000..d8d53bc
--- /dev/null
+++ b/security/ssh/files/patch-bf
@@ -0,0 +1,17 @@
+*** gai.h.orig Mon Jan 10 22:56:13 2000
+--- gai.h Mon Jan 10 22:56:13 2000
+***************
+*** 0 ****
+--- 1,12 ----
++ /*
++ * fake library for ssh
++ *
++ * This file is included in getaddrinfo.c and getnameinfo.c.
++ * See getaddrinfo.c and getnameinfo.c.
++ */
++
++ /* for old netdb.h */
++ #ifndef EAI_NODATA
++ #define EAI_NODATA 1
++ #define EAI_MEMORY 2
++ #endif
diff --git a/security/ssh/files/patch-bg b/security/ssh/files/patch-bg
new file mode 100644
index 0000000..6899820
--- /dev/null
+++ b/security/ssh/files/patch-bg
@@ -0,0 +1,120 @@
+*** getaddrinfo.c.orig Mon Jan 10 22:56:13 2000
+--- getaddrinfo.c Mon Jan 10 22:56:13 2000
+***************
+*** 0 ****
+--- 1,115 ----
++ /*
++ * fake library for ssh
++ *
++ * This file includes getaddrinfo(), freeaddrinfo() and gai_strerror().
++ * These funtions are defined in rfc2133.
++ *
++ * But these functions are not implemented correctly. The minimum subset
++ * is implemented for ssh use only. For exapmle, this routine assumes
++ * that ai_family is AF_INET. Don't use it for another purpose.
++ *
++ * In the case not using 'configure --enable-ipv6', this getaddrinfo.c
++ * will be used if you have broken getaddrinfo or no getaddrinfo.
++ */
++
++ #include "includes.h"
++ #include "ssh.h"
++
++ #include "gai.h"
++
++ static struct addrinfo *
++ malloc_ai(port, addr)
++ int port;
++ u_long addr;
++ {
++ struct addrinfo *ai;
++
++ if (ai = (struct addrinfo *)malloc(sizeof(struct addrinfo) +
++ sizeof(struct sockaddr_in))) {
++ memset(ai, 0, sizeof(struct addrinfo) + sizeof(struct sockaddr_in));
++ ai->ai_addr = (struct sockaddr *)(ai + 1);
++ /* XXX -- ssh doesn't use sa_len */
++ ai->ai_addrlen = sizeof(struct sockaddr_in);
++ ai->ai_addr->sa_family = ai->ai_family = AF_INET;
++ ((struct sockaddr_in *)(ai)->ai_addr)->sin_port = port;
++ ((struct sockaddr_in *)(ai)->ai_addr)->sin_addr.s_addr = addr;
++ return ai;
++ } else {
++ return NULL;
++ }
++ }
++
++ char *
++ gai_strerror(ecode)
++ int ecode;
++ {
++ switch (ecode) {
++ case EAI_NODATA:
++ return "no address associated with hostname.";
++ case EAI_MEMORY:
++ return "memory allocation failure.";
++ default:
++ return "unknown error.";
++ }
++ }
++
++ void
++ freeaddrinfo(ai)
++ struct addrinfo *ai;
++ {
++ struct addrinfo *next;
++
++ do {
++ next = ai->ai_next;
++ free(ai);
++ } while (ai = next);
++ }
++
++ int
++ getaddrinfo(hostname, servname, hints, res)
++ const char *hostname, *servname;
++ const struct addrinfo *hints;
++ struct addrinfo **res;
++ {
++ struct addrinfo *cur, *prev = NULL;
++ struct hostent *hp;
++ int i, port;
++
++ if (servname)
++ port = htons(atoi(servname));
++ else
++ port = 0;
++ if (hints && hints->ai_flags & AI_PASSIVE)
++ if (*res = malloc_ai(port, htonl(0x00000000)))
++ return 0;
++ else
++ return EAI_MEMORY;
++ if (!hostname)
++ if (*res = malloc_ai(port, htonl(0x7f000001)))
++ return 0;
++ else
++ return EAI_MEMORY;
++ if (inet_addr(hostname) != -1)
++ if (*res = malloc_ai(port, inet_addr(hostname)))
++ return 0;
++ else
++ return EAI_MEMORY;
++ if ((hp = gethostbyname(hostname)) &&
++ hp->h_name && hp->h_name[0] && hp->h_addr_list[0]) {
++ for (i = 0; hp->h_addr_list[i]; i++)
++ if (cur = malloc_ai(port,
++ ((struct in_addr *)hp->h_addr_list[i])->s_addr)) {
++ if (prev)
++ prev->ai_next = cur;
++ else
++ *res = cur;
++ prev = cur;
++ } else {
++ if (*res)
++ freeaddrinfo(*res);
++ return EAI_MEMORY;
++ }
++ return 0;
++ }
++ return EAI_NODATA;
++ }
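Review bot: In the new getaddrinfo(), `*res` is never initialized before use, but the allocation-failure branch inside the `for (i = 0; hp->h_addr_list[i]; i++)` loop does `if (*res) freeaddrinfo(*res);` — when the very first malloc_ai() fails, `prev` is NULL, `*res` has not been assigned, and whatever stale pointer the caller left there gets passed to free(). The EAI_NODATA return likewise leaves `*res` untouched, so a caller that inspects it on error sees garbage. Add `*res = NULL;` immediately after the local declarations so every exit path leaves a well-defined result. Secondary: `inet_addr(hostname) != -1` compares an unsigned `in_addr_t` against `-1`; spelling it `!= INADDR_NONE` states the intent and avoids the implicit conversion.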
diff --git a/security/ssh/files/patch-bh b/security/ssh/files/patch-bh
new file mode 100644
index 0000000..3e50aae
--- /dev/null
+++ b/security/ssh/files/patch-bh
@@ -0,0 +1,66 @@
+*** getnameinfo.c.orig Mon Jan 10 22:56:13 2000
+--- getnameinfo.c Mon Jan 10 22:56:13 2000
+***************
+*** 0 ****
+--- 1,61 ----
++ /*
++ * fake library for ssh
++ *
++ * This file includes getnameinfo().
++ * These funtions are defined in rfc2133.
++ *
++ * But these functions are not implemented correctly. The minimum subset
++ * is implemented for ssh use only. For exapmle, this routine assumes
++ * that ai_family is AF_INET. Don't use it for another purpose.
++ *
++ * In the case not using 'configure --enable-ipv6', this getnameinfo.c
++ * will be used if you have broken getnameinfo or no getnameinfo.
++ */
++
++ #include "includes.h"
++ #include "ssh.h"
++
++ #include "gai.h"
++
++ int
++ getnameinfo(sa, salen, host, hostlen, serv, servlen, flags)
++ const struct sockaddr *sa;
++ size_t salen;
++ char *host;
++ size_t hostlen;
++ char *serv;
++ size_t servlen;
++ int flags;
++ {
++ struct sockaddr_in *sin = (struct sockaddr_in *)sa;
++ struct hostent *hp;
++ char tmpserv[16];
++
++ if (serv) {
++ sprintf(tmpserv, "%d", ntohs(sin->sin_port));
++ if (strlen(tmpserv) > servlen)
++ return EAI_MEMORY;
++ else
++ strcpy(serv, tmpserv);
++ }
++ if (host)
++ if (flags & NI_NUMERICHOST)
++ if (strlen(inet_ntoa(sin->sin_addr)) > hostlen)
++ return EAI_MEMORY;
++ else {
++ strcpy(host, inet_ntoa(sin->sin_addr));
++ return 0;
++ }
++ else
++ if (hp = gethostbyaddr((char *)&sin->sin_addr, sizeof(struct in_addr),
++ AF_INET))
++ if (strlen(hp->h_name) > hostlen)
++ return EAI_MEMORY;
++ else {
++ strcpy(host, hp->h_name);
++ return 0;
++ }
++ else
++ return EAI_NODATA;
++ return 0;
++ }
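Review bot: The three length checks in getnameinfo() are off by one: `strlen(tmpserv) > servlen`, `strlen(inet_ntoa(...)) > hostlen` and `strlen(hp->h_name) > hostlen` all allow a string exactly as long as the buffer, after which `strcpy` writes the terminating NUL one byte past the end; each should be `>=`. `salen` and `sa->sa_family` are never looked at even though the header comment says the routine assumes AF_INET, so a guard such as `if (salen < sizeof(struct sockaddr_in) || sa->sa_family != AF_INET) return EAI_NODATA;` (or EAI_FAMILY if gai.h defines it) at the top would turn a silent misread of an IPv6 sockaddr into an error. `inet_ntoa` is also called twice on the same address; binding its result once, `char *numeric = inet_ntoa(sin->sin_addr);`, keeps the check and the copy on the same string.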
diff --git a/security/ssh/files/patch-bi b/security/ssh/files/patch-bi
new file mode 100644
index 0000000..77ff392
--- /dev/null
+++ b/security/ssh/files/patch-bi
@@ -0,0 +1,56 @@
+*** log-server.c.orig Wed May 12 13:19:26 1999
+--- log-server.c Mon Jan 10 22:56:13 2000
+***************
+*** 146,151 ****
+--- 146,170 ----
+ syslog(LOG_INFO, "log: %.500s", buf);
+ }
+
++ #ifdef ENABLE_LOG_AUTH
++ void log_auth(const char *fmt, ...)
++ {
++ char buf[1024];
++ va_list args;
++ extern int log_auth_flag;
++ if (!log_auth_flag)
++ return;
++ if (log_quiet)
++ return;
++ va_start(args, fmt);
++ vsprintf(buf, fmt, args);
++ va_end(args);
++ if (log_on_stderr)
++ fprintf(stderr, "log: %s\n", buf);
++ syslog(LOG_INFO|LOG_AUTH, "%.500s", buf);
++ }
++ #endif /* ENABLE_LOG_AUTH */
++
+ /* Converts portable syslog severity to machine-specific syslog severity. */
+
+ static int syslog_severity(int severity)
+***************
+*** 322,327 ****
+--- 341,349 ----
+ {
+ char buf[1024];
+ va_list args;
++ #ifdef ENABLE_LOG_AUTH
++ extern char *unauthenticated_user;
++ #endif /* ENABLE_LOG_AUTH */
+
+ if (log_quiet)
+ exit(1);
+***************
+*** 331,336 ****
+--- 353,363 ----
+ if (log_on_stderr)
+ fprintf(stderr, "fatal: %s\n", buf);
+ syslog(syslog_severity(severity), "fatal: %.500s", buf);
++ #ifdef ENABLE_LOG_AUTH
++ if (unauthenticated_user)
++ log_auth("LOGIN FAILED %.100s from %.200s",
++ unauthenticated_user, get_canonical_hostname());
++ #endif /* ENABLE_LOG_AUTH */
+
+ do_fatal_cleanups();
+
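Review bot: log_auth() formats into `char buf[1024]` with `vsprintf(buf, fmt, args)`, which has no bound; the call in fatal() uses `%.100s`/`%.200s` so it is safe there, but the function is general and any future caller with a plain `%s` overruns the stack buffer. Use `vsnprintf(buf, sizeof(buf), fmt, args);` here, assuming the port's snprintf replacement (see AC_REPLACE_FUNCS) also provides vsnprintf, otherwise bound the format arguments at every call site and say so in a comment above the function. A one-line header comment would also help, e.g. `/* Log an authentication event to LOG_AUTH when LogAuth is enabled; silent if log_quiet. */`.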
diff --git a/security/ssh/files/patch-bj b/security/ssh/files/patch-bj
new file mode 100644
index 0000000..fb897af
--- /dev/null
+++ b/security/ssh/files/patch-bj
@@ -0,0 +1,16 @@
+*** match.c.orig Wed May 12 13:19:27 1999
+--- match.c Mon Jan 10 22:56:13 2000
+***************
+*** 129,134 ****
+--- 129,139 ----
+ is_ip_pattern = 0;
+ break;
+ }
++ for(p = pattern; *p; p++)
++ if (!(isxdigit(*p) || *p == ':' || *p == '?' || *p == '*'))
++ break;
++ if (ip && !*p)
++ is_ip_pattern = 1;
+ if (is_ip_pattern)
+ {
+ return match_pattern(ip, pattern);
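Review bot: `isxdigit(*p)` is passed a plain `char`; on platforms where char is signed a byte above 0x7f is negative and the ctype call is undefined, so it should read `if (!(isxdigit((unsigned char)*p) || *p == ':' || *p == '?' || *p == '*'))`. The new scan also classifies any pattern made only of hex digits as an IP pattern (for example a host named `cafe` or `bad`), so if the remainder of this function, which starts outside the hunk, compares an IP pattern only against `ip`, such hostnames can no longer be matched by name in allow/deny lists; requiring at least one `:` before setting `is_ip_pattern = 1` (tracked with a small `int seen_colon` in the loop) would limit the new rule to IPv6 literals. The variable `p` is presumably declared earlier in the function; if not, it needs a declaration.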
diff --git a/security/ssh/files/patch-bl b/security/ssh/files/patch-bl
new file mode 100644
index 0000000..60296a9
--- /dev/null
+++ b/security/ssh/files/patch-bl
@@ -0,0 +1,66 @@
+*** readconf.c.orig Wed May 12 13:19:27 1999
+--- readconf.c Mon Jan 10 22:56:13 2000
+***************
+*** 171,176 ****
+--- 171,179 ----
+ oBatchMode, oStrictHostKeyChecking, oCompression, oCompressionLevel,
+ oKeepAlives, oUsePrivilegedPort, oKerberosAuthentication,
+ oKerberosTgtPassing, oClearAllForwardings, oNumberOfPasswordPrompts,
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ oAnotherPort,
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ oXauthPath, oGatewayPorts, oPasswordPromptLogin, oPasswordPromptHost
+ } OpCodes;
+
+***************
+*** 194,199 ****
+--- 197,205 ----
+ { "hostname", oHostName },
+ { "proxycommand", oProxyCommand },
+ { "port", oPort },
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ { "anotherport", oAnotherPort },
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ { "cipher", oCipher },
+ { "remoteforward", oRemoteForward },
+ { "localforward", oLocalForward },
+***************
+*** 497,502 ****
+--- 503,514 ----
+ *intptr = value;
+ break;
+
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ case oAnotherPort:
++ intptr = &options->another_port;
++ goto parse_int;
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
++
+ case oConnectionAttempts:
+ intptr = &options->connection_attempts;
+ goto parse_int;
+***************
+*** 689,694 ****
+--- 701,709 ----
+ options->keepalives = -1;
+ options->compression_level = -1;
+ options->port = -1;
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ options->another_port = -1;
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ options->connection_attempts = -1;
+ options->number_of_password_prompts = -1;
+ options->password_prompt_login = -1;
+***************
+*** 759,764 ****
+--- 774,783 ----
+ options->compression_level = 6;
+ if (options->port == -1)
+ options->port = 0; /* Filled in ssh_connect. */
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ if (options->another_port == -1)
++ options->another_port = 0;
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ if (options->connection_attempts == -1)
+ options->connection_attempts = 4;
+ if (options->number_of_password_prompts == -1)
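Review bot: The new `anotherport` keyword is wired through the opcode table and `case oAnotherPort:` without any statement of what the value means; the only description on the page is the ssh usage text "Try to connect to another port before original port." A comment at the case, `/* AnotherPort: port tried before Port when ssh is given -A (see ssh.c) */`, would save the next reader a trip through three files. Whether `parse_int` range-checks the value lies outside this hunk, so a negative or oversized port is presumably accepted here just as it is for `Port`.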
diff --git a/security/ssh/files/patch-bm b/security/ssh/files/patch-bm
new file mode 100644
index 0000000..a394777
--- /dev/null
+++ b/security/ssh/files/patch-bm
@@ -0,0 +1,14 @@
+*** readconf.h.orig Wed May 12 13:19:27 1999
+--- readconf.h Mon Jan 10 22:56:13 2000
+***************
+*** 98,103 ****
+--- 98,106 ----
+ int use_privileged_port; /* Use privileged port */
+
+ int port; /* Port to connect. */
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ int another_port; /* Port to connect for -A option. */
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ int connection_attempts; /* Max attempts (seconds) before giving up */
+ int number_of_password_prompts; /* Max number of password prompts */
+ int password_prompt_login; /* Show remote login at password prompt */
diff --git a/security/ssh/files/patch-bn b/security/ssh/files/patch-bn
new file mode 100644
index 0000000..7f625fc
--- /dev/null
+++ b/security/ssh/files/patch-bn
@@ -0,0 +1,191 @@
+*** scp.c.orig Wed May 12 13:19:28 1999
+--- scp.c Mon Jan 10 22:56:13 2000
+***************
+*** 180,185 ****
+--- 180,193 ----
+ #define STDERR_FILENO 2
+ #endif
+
++ /* This is set to non-zero if IPv4 is desired. */
++ int IPv4 = 0;
++
++ #ifdef ENABLE_IPV6
++ /* This is set to non-zero if IPv6 is desired. */
++ int IPv6 = 0;
++ #endif
++
+ /* This is set to non-zero to enable verbose mode. */
+ int verbose = 0;
+
+***************
+*** 295,302 ****
+--- 303,319 ----
+ }
+ args[i++] = "-x";
+ args[i++] = "-a";
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ args[i++] = "-A";
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ args[i++] = "-oFallBackToRsh no";
+ args[i++] = "-oClearAllForwardings yes";
++ if (IPv4)
++ args[i++] = "-4";
++ #ifdef ENABLE_IPV6
++ if (IPv6)
++ args[i++] = "-6";
++ #endif
+ if (verbose)
+ args[i++] = "-v";
+ if (compress)
+***************
+*** 441,448 ****
+ statistics = 0;
+
+ fflag = tflag = 0;
+! while ((ch = getopt(argc, argv, "aAqQdfprtvBCL1c:i:P:o:S:")) != EOF)
+ switch(ch) { /* User-visible flags. */
+ case 'S':
+ ssh_program = optarg;
+ break;
+--- 458,477 ----
+ statistics = 0;
+
+ fflag = tflag = 0;
+! while ((ch = getopt(argc, argv, "aAqQdfprtvBCL1c:i:P:o:S:4"
+! #ifdef ENABLE_IPV6
+! "6"
+! #endif
+! )) != EOF)
+ switch(ch) { /* User-visible flags. */
++ case '4':
++ IPv4 = 1;
++ break;
++ #ifdef ENABLE_IPV6
++ case '6':
++ IPv6 = 1;
++ break;
++ #endif
+ case 'S':
+ ssh_program = optarg;
+ break;
+***************
+*** 589,594 ****
+--- 618,634 ----
+ exit(errs != 0);
+ }
+
++ char *
++ cleanhostname(host)
++ char *host;
++ {
++ if (*host == '[' && host[strlen(host) - 1] == ']') {
++ host[strlen(host) - 1] = '\0';
++ return (host + 1);
++ } else
++ return host;
++ }
++
+ void
+ toremote(targ, argc, argv)
+ char *targ, *argv[];
+***************
+*** 644,649 ****
+--- 684,690 ----
+ bp = xmalloc(len);
+ if (host) {
+ *host++ = 0;
++ host = cleanhostname(host);
+ suser = argv[i];
+ if (*suser == '\0')
+ suser = pwd->pw_name;
+***************
+*** 655,667 ****
+ suser, host, cmd, src,
+ tuser ? tuser : "", tuser ? "@" : "",
+ thost, targ);
+! } else
+ (void)snprintf(bp, len,
+ "exec %s%s %s -x -o'FallBackToRsh no' -o'ClearAllForwardings yes' -n %s %s %s '%s%s%s:%s'",
+ ssh_program, verbose ? " -v" : "", options,
+! argv[i], cmd, src,
+ tuser ? tuser : "", tuser ? "@" : "",
+ thost, targ);
+ if (verbose)
+ fprintf(stderr, "Executing: %s\n", bp);
+ if (system(bp)) errs++;
+--- 696,710 ----
+ suser, host, cmd, src,
+ tuser ? tuser : "", tuser ? "@" : "",
+ thost, targ);
+! } else {
+! host = cleanhostname(argv[i]);
+ (void)snprintf(bp, len,
+ "exec %s%s %s -x -o'FallBackToRsh no' -o'ClearAllForwardings yes' -n %s %s %s '%s%s%s:%s'",
+ ssh_program, verbose ? " -v" : "", options,
+! host, cmd, src,
+ tuser ? tuser : "", tuser ? "@" : "",
+ thost, targ);
++ }
+ if (verbose)
+ fprintf(stderr, "Executing: %s\n", bp);
+ if (system(bp)) errs++;
+***************
+*** 671,677 ****
+ len = strlen(targ) + CMDNEEDS + 20;
+ bp = xmalloc(len);
+ (void)snprintf(bp, len, "%s -t %s", cmd, targ);
+! host = thost;
+ if (do_cmd(host, tuser,
+ bp, &remin, &remout) < 0)
+ exit(1);
+--- 714,720 ----
+ len = strlen(targ) + CMDNEEDS + 20;
+ bp = xmalloc(len);
+ (void)snprintf(bp, len, "%s -t %s", cmd, targ);
+! host = cleanhostname(thost);
+ if (do_cmd(host, tuser,
+ bp, &remin, &remout) < 0)
+ exit(1);
+***************
+*** 721,726 ****
+--- 764,770 ----
+ else if (!okname(suser))
+ continue;
+ }
++ host = cleanhostname(host);
+ len = strlen(src) + CMDNEEDS + 20;
+ bp = xmalloc(len);
+ (void)snprintf(bp, len, "%s -f %s", cmd, src);
+***************
+*** 1365,1375 ****
+ colon(cp)
+ char *cp;
+ {
+ if (*cp == ':') /* Leading colon is part of file name. */
+ return (0);
+
+ for (; *cp; ++cp) {
+! if (*cp == ':')
+ return (cp);
+ if (*cp == '/')
+ return (0);
+--- 1409,1427 ----
+ colon(cp)
+ char *cp;
+ {
++ int flag = 0;
++
+ if (*cp == ':') /* Leading colon is part of file name. */
+ return (0);
++ if (*cp == '[')
++ flag = 1;
+
+ for (; *cp; ++cp) {
+! if (*cp == '@' && *(cp+1) == '[')
+! flag = 1;
+! if (*cp == ']' && *(cp+1) == ':' && flag)
+! return (cp+1);
+! if (*cp == ':' && !flag)
+ return (cp);
+ if (*cp == '/')
+ return (0);
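Review bot: cleanhostname() rewrites its argument in place (it overwrites the closing `]` with NUL and returns `host + 1`), but nothing says so, and the callers in toremote/tolocal hand it pointers into argv; a header comment such as `/* Strip surrounding [ ] from an IPv6 literal; modifies host in place and returns a pointer into it. */` would make that explicit, and `static` would keep it file-local. In colon(), `flag` is set on `[` but never cleared, so an argument like `[host]x:file` presumably falls through to the local-file case after the loop (the end of colon() is outside the hunk); if that is intended, a note at `int flag = 0;` that a `]` must be immediately followed by `:` would document it.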
diff --git a/security/ssh/files/patch-bo b/security/ssh/files/patch-bo
new file mode 100644
index 0000000..886720d
--- /dev/null
+++ b/security/ssh/files/patch-bo
@@ -0,0 +1,197 @@
+*** servconf.c.orig Wed May 12 13:19:28 1999
+--- servconf.c Mon Jan 10 22:56:13 2000
+***************
+*** 81,88 ****
+ void initialize_server_options(ServerOptions *options)
+ {
+ memset(options, 0, sizeof(*options));
+! options->port = -1;
+! options->listen_addr.s_addr = INADDR_ANY;
+ options->host_key_file = NULL;
+ options->random_seed_file = NULL;
+ options->pid_file = NULL;
+--- 81,88 ----
+ void initialize_server_options(ServerOptions *options)
+ {
+ memset(options, 0, sizeof(*options));
+! options->num_ports = 0;
+! options->listen_addrs = NULL;
+ options->host_key_file = NULL;
+ options->random_seed_file = NULL;
+ options->pid_file = NULL;
+***************
+*** 92,97 ****
+--- 92,100 ----
+ options->permit_root_login = -1;
+ options->ignore_rhosts = -1;
+ options->ignore_root_rhosts = -1;
++ #ifdef ENABLE_LOG_AUTH
++ options->log_auth = -1;
++ #endif /* ENABLE_LOG_AUTH */
+ options->quiet_mode = -1;
+ options->fascist_logging = -1;
+ options->print_motd = -1;
+***************
+*** 138,153 ****
+
+ void fill_default_server_options(ServerOptions *options)
+ {
+! if (options->port == -1)
+ {
+! struct servent *sp;
+!
+! sp = getservbyname(SSH_SERVICE_NAME, "tcp");
+! if (sp)
+! options->port = ntohs(sp->s_port);
+! else
+! options->port = SSH_DEFAULT_PORT;
+! endservent();
+ }
+ if (options->host_key_file == NULL)
+ options->host_key_file = HOST_KEY_FILE;
+--- 141,171 ----
+
+ void fill_default_server_options(ServerOptions *options)
+ {
+! struct addrinfo hints, *ai, *aitop;
+! char strport[PORTSTRLEN];
+! int i;
+!
+! if (options->num_ports == 0)
+! options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
+! if (options->listen_addrs == NULL)
+ {
+! for (i = 0; i < options->num_ports; i++)
+! {
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_flags = AI_PASSIVE;
+! hints.ai_family = IPv4or6;
+! hints.ai_socktype = SOCK_STREAM;
+! sprintf(strport, "%d", options->ports[i]);
+! if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
+! {
+! fprintf(stderr, "fatal: getaddrinfo: Cannot get anyaddr.\n");
+! exit(1);
+! }
+! for (ai = aitop; ai->ai_next; ai = ai->ai_next);
+! ai->ai_next = options->listen_addrs;
+! options->listen_addrs = aitop;
+! }
+! /* freeaddrinfo(options->listen_addrs) in sshd.c */
+ }
+ if (options->host_key_file == NULL)
+ options->host_key_file = HOST_KEY_FILE;
+***************
+*** 243,248 ****
+--- 261,269 ----
+ {
+ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
+ sPermitRootLogin, sQuietMode, sFascistLogging, sLogFacility,
++ #ifdef ENABLE_LOG_AUTH
++ sLogAuth,
++ #endif /* ENABLE_LOG_AUTH */
+ sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
+ sTISAuthentication, sPasswordAuthentication, sAllowHosts, sDenyHosts,
+ sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
+***************
+*** 275,280 ****
+--- 296,304 ----
+ { "quietmode", sQuietMode },
+ { "fascistlogging", sFascistLogging },
+ { "syslogfacility", sLogFacility },
++ #ifdef ENABLE_LOG_AUTH
++ { "logauth", sLogAuth },
++ #endif /* ENABLE_LOG_AUTH */
+ { "rhostsauthentication", sRhostsAuthentication },
+ { "rhostsrsaauthentication", sRhostsRSAAuthentication },
+ { "rsaauthentication", sRSAAuthentication },
+***************
+*** 367,372 ****
+--- 391,399 ----
+ char *cp, **charptr;
+ int linenum, *intptr, i, value;
+ ServerOpCodes opcode;
++ struct addrinfo hints, *ai, *aitop;
++ char strport[PORTSTRLEN];
++ int gaierr;
+
+ f = fopen(filename, "r");
+ if (!f)
+***************
+*** 389,395 ****
+ switch (opcode)
+ {
+ case sPort:
+! intptr = &options->port;
+ parse_int:
+ cp = strtok(NULL, WHITESPACE);
+ if (!cp)
+--- 416,429 ----
+ switch (opcode)
+ {
+ case sPort:
+! if (options->num_ports >= MAX_PORTS)
+! {
+! fprintf(stderr, "%s line %d: too many ports.\n",
+! filename, linenum);
+! exit(1);
+! }
+! options->ports[options->num_ports] = -1;
+! intptr = &options->ports[options->num_ports++];
+ parse_int:
+ cp = strtok(NULL, WHITESPACE);
+ if (!cp)
+***************
+*** 452,462 ****
+ filename, linenum);
+ exit(1);
+ }
+! #ifdef BROKEN_INET_ADDR
+! options->listen_addr.s_addr = inet_network(cp);
+! #else /* BROKEN_INET_ADDR */
+! options->listen_addr.s_addr = inet_addr(cp);
+! #endif /* BROKEN_INET_ADDR */
+ break;
+
+ case sHostKeyFile:
+--- 486,510 ----
+ filename, linenum);
+ exit(1);
+ }
+! if (options->num_ports == 0)
+! options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
+! for (i = 0; i < options->num_ports; i++)
+! {
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_family = IPv4or6;
+! hints.ai_socktype = SOCK_STREAM;
+! sprintf(strport, "%d", options->ports[i]);
+! if ((gaierr = getaddrinfo(cp, strport, &hints, &aitop)) != 0)
+! {
+! fprintf(stderr, "%s line %d: bad addr or host. (%s)\n",
+! filename, linenum, gai_strerror(gaierr));
+! exit(1);
+! }
+! for (ai = aitop; ai->ai_next; ai = ai->ai_next);
+! ai->ai_next = options->listen_addrs;
+! options->listen_addrs = aitop;
+! }
+! strtok(cp, WHITESPACE); /* getaddrinfo() may use strtok() */
+ break;
+
+ case sHostKeyFile:
+***************
+*** 531,536 ****
+--- 579,590 ----
+ if (*intptr == -1)
+ *intptr = value;
+ break;
++
++ #ifdef ENABLE_LOG_AUTH
++ case sLogAuth:
++ intptr = &options->log_auth;
++ goto parse_flag;
++ #endif /* ENABLE_LOG_AUTH */
+
+ case sIgnoreRhosts:
+ intptr = &options->ignore_rhosts;
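Review bot: `case sListenAddress` builds listen entries only for the ports collected so far, while a later `Port` line only appends to `ports[]` and nothing revisits `listen_addrs`, so a `Port` directive silently has no effect on an address unless it precedes `ListenAddress`; fill_default_server_options() does not fill the gap either because `listen_addrs` is already non-NULL. Either reject the ordering, in `case sPort:` with `if (options->listen_addrs) { fprintf(stderr, "%s line %d: Port must precede ListenAddress.\n", filename, linenum); exit(1); }`, or state the rule in a comment at the ListenAddress case. The trailing `strtok(cp, WHITESPACE)` re-seeds strtok at the address token, so any check for trailing text after the switch (outside this hunk) would presumably no longer see the rest of the line; that deserves a comment if it is deliberate.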
diff --git a/security/ssh/files/patch-bp b/security/ssh/files/patch-bp
new file mode 100644
index 0000000..40b10db
--- /dev/null
+++ b/security/ssh/files/patch-bp
@@ -0,0 +1,45 @@
+*** servconf.h.orig Wed May 12 13:19:28 1999
+--- servconf.h Mon Jan 10 22:56:13 2000
+***************
+*** 64,69 ****
+--- 64,71 ----
+ #ifndef SERVCONF_H
+ #define SERVCONF_H
+
++ #define MAX_PORTS 256 /* Max # hosts on allow list. */
++
+ #define MAX_ALLOW_SHOSTS 256 /* Max # hosts on allow shosts list. */
+ #define MAX_DENY_SHOSTS 256 /* Max # hosts on deny shosts list. */
+ #define MAX_ALLOW_HOSTS 256 /* Max # hosts on allow list. */
+***************
+*** 82,89 ****
+
+ typedef struct
+ {
+! int port; /* Port number to listen on. */
+! struct in_addr listen_addr; /* Address on which the server listens. */
+ char *host_key_file; /* File containing host key. */
+ char *random_seed_file; /* File containing random seed. */
+ char *pid_file; /* File containing process ID number. */
+--- 84,92 ----
+
+ typedef struct
+ {
+! unsigned int num_ports;
+! int ports[MAX_PORTS]; /* Port number to listen on. */
+! struct addrinfo *listen_addrs;/* Addresses on which the server listens. */
+ char *host_key_file; /* File containing host key. */
+ char *random_seed_file; /* File containing random seed. */
+ char *pid_file; /* File containing process ID number. */
+***************
+*** 91,96 ****
+--- 94,102 ----
+ int login_grace_time; /* Disconnect if no auth in this time (sec). */
+ int key_regeneration_time; /* Server key lifetime (seconds). */
+ int permit_root_login; /* 0 = forced cmd only, 1 = no pwd, 2 = yes. */
++ #ifdef ENABLE_LOG_AUTH
++ int log_auth; /* If true, log authentication info. */
++ #endif /* ENABLE_LOG_AUTH */
+ int ignore_rhosts; /* Ignore .rhosts and .shosts. */
+ int ignore_root_rhosts; /* Ignore .rhosts and .shosts for root,
+ defaults to ignore_rhosts if not given. */
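Review bot: The comment on `#define MAX_PORTS 256` reads `/* Max # hosts on allow list. */`, copied from the line below it; it should say `/* Max # ports to listen on. */`. `num_ports` is declared `unsigned int` while the loops in servconf.c index it with a plain `int i` (`i < options->num_ports`), so either make the field `int` or use an unsigned index to avoid the signed/unsigned comparison.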
diff --git a/security/ssh/files/patch-br b/security/ssh/files/patch-br
new file mode 100644
index 0000000..28dd08a
--- /dev/null
+++ b/security/ssh/files/patch-br
@@ -0,0 +1,97 @@
+*** ssh.c.orig Wed May 12 13:19:28 1999
+--- ssh.c Mon Jan 10 22:56:13 2000
+***************
+*** 218,223 ****
+--- 218,231 ----
+ other functions. */
+ RandomState random_state;
+
++ /* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
++ Default value is AF_UNSPEC means both IPv4 and IPv6. */
++ #ifdef ENABLE_IPV6
++ int IPv4or6 = AF_UNSPEC;
++ #else
++ int IPv4or6 = AF_INET;
++ #endif
++
+ /* Flag indicating whether debug mode is on. This can be set on the
+ command line. */
+ int debug_flag = 0;
+***************
+*** 277,282 ****
+--- 285,297 ----
+ {
+ fprintf(stderr, "Usage: %s [options] host [command]\n", av0);
+ fprintf(stderr, "Options:\n");
++ fprintf(stderr, " -4 Use IPv4 only.\n");
++ #ifdef ENABLE_IPV6
++ fprintf(stderr, " -6 Use IPv6 only.\n");
++ #endif
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ fprintf(stderr, " -A Try to connect to another port before original port.\n");
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ fprintf(stderr, " -l user Log in using this user name.\n");
+ fprintf(stderr, " -n Redirect input from /dev/null.\n");
+ fprintf(stderr, " -a Disable authentication agent forwarding.\n");
+***************
+*** 413,418 ****
+--- 428,436 ----
+ #ifdef SIGWINCH
+ struct winsize ws;
+ #endif /* SIGWINCH */
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ int another_port_flag = 0;
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+
+ /* Save the original real uid. It will be needed later (uid-swapping may
+ clobber the real uid). */
+***************
+*** 522,527 ****
+--- 540,565 ----
+ }
+ switch (opt)
+ {
++ case '4':
++ #ifdef ENABLE_IPV6
++ IPv4or6 = (IPv4or6 == AF_INET6) ? AF_UNSPEC : AF_INET;
++ #else
++ IPv4or6 = AF_INET;
++ #endif
++ break;
++
++ #ifdef ENABLE_IPV6
++ case '6':
++ IPv4or6 = (IPv4or6 == AF_INET) ? AF_UNSPEC : AF_INET6;
++ break;
++ #endif
++
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ case 'A':
++ another_port_flag = 1;
++ break;
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
++
+ case 'n':
+ stdin_null_flag = 1;
+ break;
+***************
+*** 789,799 ****
+--- 827,844 ----
+ {
+ use_privileged_port = 0;
+ }
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ if (!another_port_flag)
++ options.another_port = 0;
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ /* Open a connection to the remote host. This needs root privileges if
+ rhosts_authentication is true. Note that the random_state is not
+ yet used by this call, although a pointer to it is stored, and thus it
+ need not be initialized. */
+ ok = ssh_connect(host, options.port, options.connection_attempts,
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ options.another_port,
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ !use_privileged_port,
+ original_real_uid, options.proxy_command, &random_state);
+
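Review bot: The usage text says `-4 Use IPv4 only.` and `-6 Use IPv6 only.`, but the option code makes the two flags cancel: `-4 -6` in either order leaves `IPv4or6 == AF_UNSPEC`, i.e. both families are tried. Either document that at the `case '4':` block, `/* -4 and -6 together cancel out to AF_UNSPEC (try both) */`, or make the last flag win with plain `IPv4or6 = AF_INET;` and `IPv4or6 = AF_INET6;`. The `IPv4or6` definition carries a comment, but the `-A` handling does not say what "another port" is beyond the usage line.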
diff --git a/security/ssh/files/patch-bs b/security/ssh/files/patch-bs
new file mode 100644
index 0000000..ec0e1a8
--- /dev/null
+++ b/security/ssh/files/patch-bs
@@ -0,0 +1,94 @@
+*** ssh.h.orig Wed May 12 13:19:28 1999
+--- ssh.h Mon Jan 10 22:56:13 2000
+***************
+*** 430,436 ****
+ /* Records that the user has logged in. This does many things normally
+ done by login(1). */
+ void record_login(int pid, const char *ttyname, const char *user, uid_t uid,
+! const char *host, struct sockaddr_in *addr);
+
+ /* Records that the user has logged out. This does many thigs normally
+ done by login(1) or init. */
+--- 430,436 ----
+ /* Records that the user has logged in. This does many things normally
+ done by login(1). */
+ void record_login(int pid, const char *ttyname, const char *user, uid_t uid,
+! const char *host, struct sockaddr *addr);
+
+ /* Records that the user has logged out. This does many thigs normally
+ done by login(1) or init. */
+***************
+*** 447,452 ****
+--- 447,455 ----
+ connection is successful, this calls packet_set_connection for the
+ connection. */
+ int ssh_connect(const char *host, int port, int connection_attempts,
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ int another_port,
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ int anonymous, uid_t original_real_uid,
+ const char *proxy_command, RandomState *random_state);
+
+***************
+*** 872,876 ****
+--- 875,934 ----
+ #else
+ #define UID_ROOT 0
+ #endif
++
++ #ifdef HAVE_SOCKADDR_STORAGE
++ #ifndef HAVE_NEW_SS_FAMILY
++ #define __ss_len ss_len
++ #define __ss_family ss_family
++ #endif
++ #else
++ #define _SS_MAXSIZE 128 /* Implementation specific max size */
++ #define _SS_ALIGNSIZE (sizeof(int))
++ #define _SS_PAD1SIZE (_SS_ALIGNSIZE - sizeof(u_short))
++ #define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof(u_short) + \
++ _SS_PAD1SIZE + _SS_ALIGNSIZE))
++ struct sockaddr_storage {
++ #ifdef HAVE_SOCKADDR_LEN
++ u_char __ss_len;
++ u_char __ss_family;
++ #else
++ u_short __ss_family;
++ #endif
++ char __ss_pad1[_SS_PAD1SIZE];
++ int __ss_align;
++ char __ss_pad2[_SS_PAD2SIZE];
++ };
++ #endif
++
++ #ifdef INET6_ADDRSTRLEN
++ #define ADDRSTRLEN INET6_ADDRSTRLEN
++ #else
++ #define ADDRSTRLEN 46
++ #endif
++
++ #define PORTSTRLEN 16
++
++ /* AF_UNSPEC or AF_INET or AF_INET6 */
++ extern int IPv4or6;
++
++ #ifndef ENABLE_IPV6
++ /* dummy value for old netdb.h */
++ #ifndef AI_PASSIVE
++ #define AI_PASSIVE 1
++ #define NI_NUMERICHOST 2
++ #define NI_NAMEREQD 4
++ #define NI_NUMERICSERV 8
++ struct addrinfo {
++ int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
++ int ai_family; /* PF_xxx */
++ int ai_socktype; /* SOCK_xxx */
++ int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
++ size_t ai_addrlen; /* length of ai_addr */
++ char *ai_canonname; /* canonical name for hostname */
++ struct sockaddr *ai_addr; /* binary address */
++ struct addrinfo *ai_next; /* next structure in linked list */
++ };
++ #endif
++ #endif /* not ENABLE_IPV6 */
+
+ #endif /* SSH_H */
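Review bot: record_login() now takes `struct sockaddr *addr` in place of `struct sockaddr_in *`, but no length accompanies it, so on systems without `sa_len` the callee can only size the address from `sa_family`; if record_login needs the full address (for an IPv6 peer), consider adding a `socklen_t addrlen` parameter alongside it. The fallback `struct sockaddr_storage` and `struct addrinfo` definitions would benefit from a comment stating that they are only compiled where the system headers lack them and that the fake getaddrinfo/getnameinfo in this port handle AF_INET only.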
diff --git a/security/ssh/files/patch-xa b/security/ssh/files/patch-xa
new file mode 100644
index 0000000..a775ff6
--- /dev/null
+++ b/security/ssh/files/patch-xa
@@ -0,0 +1,167 @@
+Note that this patch has been incorporated into the port due to problems
+with patching a autoconf generated configure script. The script itself contains
+linenumbers and in case of two patches against that script the second one fails
+because it expects something that the first patch has already changed. The
+only clean way is to re-generate it with autoconf. *sigh*
+This patch was fetched from
+http://www.ssh.org/patches/patch-ssh-1.2.27-bsd.tty.chown
+ - torstenb@FreeBSD.org, Tue Jan 11 21:36:46 CET 2000
+
+
+Patch for problem with tty ownership with chflags and chown in BSD 4.4
+variants. Fixes a security bug in tty allocation.
+
+This patch works for ssh-1.2.27.
+
+Apply with the following commands:
+
+% cd /wherever/you/hold/your/sources/ssh-1.2.27
+% patch -p1 -l < /path/to/where/you/saved/patch-ssh-1.2.27-bsd.tty.chown
+% ./configure --whatever-config-flags-you-use
+% make clean
+% make
+% su
+Password: ***********
+# make install
+# kill -HUP `cat /var/run/sshd.pid`
+
+You should be all set.
+
+Sami Lehtinen <sjl@ssh.fi>
+
+--begin patch--
+diff -u --recursive -X /u/sjl/bin/diff-src-db auth-passwd.c.orig auth-passwd.c
+--- auth-passwd.c.orig Wed May 12 14:19:23 1999
++++ auth-passwd.c Wed Aug 11 19:49:32 1999
+@@ -613,7 +613,13 @@
+ /* get_name pulls out just the name not the
+ type */
+ strcpy(ccname + 5, krb5_cc_get_name(ssh_context, ccache));
+- (void) chown(ccname + 5, pw->pw_uid, pw->pw_gid);
++ if (chown(ccname + 5, pw->pw_uid, pw->pw_gid) < 0)
++ {
++ log_msg("Kerberos: chown failed for %s, error: %s",
++ ccname + 5, strerror(errno));
++ packet_send_debug("Kerberos: chown failed for %s", ccname + 5);
++ goto errout;
++ }
+
+ /* If tgt was passed unlink file */
+ if (ticket)
+diff -u --recursive -X /u/sjl/bin/diff-src-db config.h.in.orig config.h.in
+--- config.h.in.orig Wed May 12 14:20:04 1999
++++ config.h.in Wed Aug 11 20:20:51 1999
+@@ -360,6 +360,9 @@
+ /* Define if you have the authenticate function. */
+ #undef HAVE_AUTHENTICATE
+
++/* Define if you have the chflags function. */
++#undef HAVE_CHFLAGS
++
+ /* Define if you have the clock function. */
+ #undef HAVE_CLOCK
+
+diff -u --recursive -X /u/sjl/bin/diff-src-db configure.in.orig configure.in
+--- configure.in.orig Wed May 12 14:20:02 1999
++++ configure.in Wed Aug 11 20:05:13 1999
+@@ -433,6 +433,7 @@
+ AC_CHECK_FUNCS(strchr memcpy setlogin openpty _getpty clock fchmod ulimit)
+ AC_CHECK_FUNCS(gethostname getdtablesize umask innetgr initgroups setpgrp)
+ AC_CHECK_FUNCS(setpgid daemon waitpid ttyslot authenticate getpt isastream)
++AC_CHECK_FUNCS(chflags)
+
+ AC_REPLACE_FUNCS(strerror memmove remove random putenv crypt socketpair snprintf)
+
+diff -u --recursive -X /u/sjl/bin/diff-src-db sshd.c.orig sshd.c
+--- sshd.c.orig Wed May 12 14:19:29 1999
++++ sshd.c Wed Aug 11 20:26:31 1999
+@@ -2897,9 +2897,87 @@
+ tty_mode = S_IRUSR|S_IWUSR|S_IWGRP|S_IWOTH;
+ }
+
++ retry_chown:
++
+ /* Change ownership of the tty. */
+- (void)chown(ttyname, pw->pw_uid, tty_gid);
+- (void)chmod(ttyname, tty_mode);
++ if (chown(ttyname, pw->pw_uid, tty_gid) < 0)
++ {
++ /* chown failed. Atleast two possibilities. Either we are not
++ running as root, in which case this is OK, or we are running
++ on BSD, and somebody has put some flags to the tty. */
++
++ /* Check whether we are root or not.*/
++ if (getuid() != UID_ROOT)
++ {
++ /* We are not, and then this is OK. */
++ debug("chown failed (but we're not root anyway) for "
++ "%s, error %s", ttyname, strerror(errno));
++ }
++ else
++ {
++#ifdef HAVE_CHFLAGS
++ static int retrying = 0;
++ struct stat st;
++
++ if (!retrying)
++ {
++ debug("chown failed for %s, error: %s. Removing "
++ "user-settable flags, and retrying.",
++ ttyname, strerror(errno));
++
++ if (stat(ttyname, &st) < 0)
++ {
++ error("stat failed for %s, error: %s",
++ ttyname, strerror(errno));
++ }
++ else
++ {
++ debug("Removing user-settable flags with "
++ "chflags.");
++ /* Remove user definable flags. */
++ if (chflags(ttyname, st.st_flags &
++ ~(UF_NODUMP | UF_IMMUTABLE |
++ UF_APPEND | UF_OPAQUE)) < 0)
++ {
++ debug("chflags failed for %s, error: %s",
++ ttyname, strerror(errno));
++ }
++ else
++ {
++ debug("Retrying...");
++ retrying = 1;
++ goto retry_chown;
++ }
++ }
++ }
++ else
++ {
++ debug("chown failed even with retry. error: %s",
++ strerror(errno));
++ }
++
++#endif /* HAVE_CHFLAGS */
++ error("ssh_pty_allocate_and_fork: chown failed for %s.",
++ ttyname);
++ goto fail;
++ }
++ }
++
++ if (chmod(ttyname, tty_mode) < 0)
++ {
++ if (getuid() != UID_ROOT)
++ {
++ /* We are not, and then this is (probably) OK. */
++ debug("chmod failed (but we're not root anyway) for "
++ "%s, error %s", ttyname, strerror(errno));
++ }
++ else
++ {
++ error("ssh_pty_allocate_and_fork: chmod %s: %s",
++ ttyname, strerror(errno));
++ goto fail;
++ }
++ }
+
+ /* Get TERM from the packet. Note that the value may be of arbitrary
+ length. */
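Review bot: `static int retrying = 0;` persists for the life of the process, so if ssh_pty_allocate_and_fork() runs more than once in the same process a later chown failure skips the chflags retry and goes straight to `goto fail`; declaring `int retrying = 0;` among the function's own locals (the function start is outside the hunk) resets it per call while still surviving the `goto retry_chown` jump, whereas an automatic variable inside the `#ifdef HAVE_CHFLAGS` block would be re-initialised on every retry. The `stat`/`chflags` pair works on the path; if the slave tty descriptor is already open at this point, `fstat`/`fchflags` on it would avoid operating on a different node than the one being allocated. A short comment above `retry_chown:` explaining that 4.4BSD user flags on a tty can block chown by root, which is what the retry is for, would also help.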