author | torstenb <torstenb@FreeBSD.org> | 2000-01-14 19:37:39 +0000 |
---|---|---|
committer | torstenb <torstenb@FreeBSD.org> | 2000-01-14 19:37:39 +0000 |
commit | 4e8a41a4afc4fb5af9326dd2e97e544163c3a74f (patch) | |
tree | 3086f628a120a4e417a47b6a77e51f332ca68484 /security | |
parent | 6b5d9ad70b97c212bb6b8b4baf36001ed5bb3a46 (diff) | |
Add IPv6 support to ssh.
The IPv6 patch was obtained from the kame repository and has been
written by KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
Due to the whole mess with different patches it was necessary to include
both the IPv6 patch and patch-ssh-1.2.27-bsd.tty.chown in ${PATCHDIR}.
Since both patches modify the configure script it was also necessary
to rebuild it via autoconf from configure.in. I've decided to use
USE_AUTOCONF instead of including the rebuilt configure script in
${FILESDIR}
Obtained from: KAME/WIDE
Diffstat (limited to 'security')
-rw-r--r-- | security/ssh/Makefile | 17 | ||||
-rw-r--r-- | security/ssh/distinfo | 1 | ||||
-rw-r--r-- | security/ssh/files/patch-af | 719 | ||||
-rw-r--r-- | security/ssh/files/patch-ag | 87 | ||||
-rw-r--r-- | security/ssh/files/patch-al | 409 | ||||
-rw-r--r-- | security/ssh/files/patch-ao | 618 | ||||
-rw-r--r-- | security/ssh/files/patch-aw | 103 | ||||
-rw-r--r-- | security/ssh/files/patch-ba | 176 | ||||
-rw-r--r-- | security/ssh/files/patch-bb | 29 | ||||
-rw-r--r-- | security/ssh/files/patch-bc | 401 | ||||
-rw-r--r-- | security/ssh/files/patch-bd | 49 | ||||
-rw-r--r-- | security/ssh/files/patch-be | 401 | ||||
-rw-r--r-- | security/ssh/files/patch-bf | 17 | ||||
-rw-r--r-- | security/ssh/files/patch-bg | 120 | ||||
-rw-r--r-- | security/ssh/files/patch-bh | 66 | ||||
-rw-r--r-- | security/ssh/files/patch-bi | 56 | ||||
-rw-r--r-- | security/ssh/files/patch-bj | 16 | ||||
-rw-r--r-- | security/ssh/files/patch-bl | 66 | ||||
-rw-r--r-- | security/ssh/files/patch-bm | 14 | ||||
-rw-r--r-- | security/ssh/files/patch-bn | 191 | ||||
-rw-r--r-- | security/ssh/files/patch-bo | 197 | ||||
-rw-r--r-- | security/ssh/files/patch-bp | 45 | ||||
-rw-r--r-- | security/ssh/files/patch-br | 97 | ||||
-rw-r--r-- | security/ssh/files/patch-bs | 94 | ||||
-rw-r--r-- | security/ssh/files/patch-xa | 167 |
25 files changed, 4026 insertions, 130 deletions
diff --git a/security/ssh/Makefile b/security/ssh/Makefile
index 6bf142b..978841f 100644
--- a/security/ssh/Makefile
+++ b/security/ssh/Makefile
@@ -6,20 +6,17 @@
 # $FreeBSD$
 #
 # Maximal ssh package requires YES values for
-# USE_PERL, USE_TCPWRAP
+# USE_PERL, USE_TCPWRAP, USE_INET6
 #
 DISTNAME= ssh-1.2.27
 CATEGORIES= security net
 MASTER_SITES= ftp://ftp.cs.hut.fi/pub/ssh/
-PATCH_SITES= http://www.ssh.org/patches/ \
- ftp://ftp2.inch.com/pub/FreeBSD/
-PATCHFILES= patch-${DISTNAME}-bsd.tty.chown
-PATCH_DIST_STRIP= -p1
-
 MAINTAINER= torstenb@FreeBSD.org
+USE_AUTOCONF= YES # unfortunately... see comments in patch-xa for details
+
 # You can set USA_RESIDENT appropriately in /etc/make.conf if this bugs you..
 .if defined(USA_RESIDENT) && ${USA_RESIDENT} == YES
@@ -139,6 +136,14 @@ LIB_DEPENDS+= wrap.7:${PORTSDIR}/security/tcp_wrapper
 .endif
 .endif
+# Original IPv6 patches were obtained from ftp://ftp.kyoto.wide.ad.jp/IPv6/ssh/
+# ssh-1.2.27-IPv6-1.5-patch.gz
+.if defined(USE_INET6) && ${USE_INET6} == YES
+CONFIGURE_ARGS+= --enable-ipv6
+.else
+CONFIGURE_ARGS+= --disable-ipv6
+.endif
+
 # Include SOCKS firewall support
 .if defined(USE_SOCKS) && ${USE_SOCKS} == YES
 CONFIGURE_ARGS+= --with-socks="-L${PREFIX}/lib -lsocks5" --with-socks5
diff --git a/security/ssh/distinfo b/security/ssh/distinfo
index 9a1aee6..bf69016 100644
--- a/security/ssh/distinfo
+++ b/security/ssh/distinfo
@@ -1,2 +1 @@
 MD5 (ssh-1.2.27.tar.gz) = c22bc000bee0f7d6f4845eab72a81395
-MD5 (patch-ssh-1.2.27-bsd.tty.chown) = e4d7755994c2fa0d419a60723e8a9d53
diff --git a/security/ssh/files/patch-af b/security/ssh/files/patch-af
index 17d22fc..d3fce09 100644
--- a/security/ssh/files/patch-af
+++ b/security/ssh/files/patch-af
@@ -1,5 +1,422 @@ -*** sshd.c.orig Wed May 12 20:19:29 1999 ---- sshd.c Sun Jun 6 02:37:18 1999 +*** sshd.c.orig Tue Jan 11 20:40:10 2000 +--- sshd.c Tue Jan 11 20:40:07 2000 +*************** +*** 553,558 **** +--- 553,571 ---- + /* Name of the server configuration file. */ + char *config_file_name = SERVER_CONFIG_FILE; + ++ /* Flag indicating whether IPv4 or IPv6. This can be set on the command line. ++ Default value is AF_UNSPEC means both IPv4 and IPv6. */ ++ #ifdef ENABLE_IPV6 ++ int IPv4or6 = AF_UNSPEC; ++ #else ++ int IPv4or6 = AF_INET; ++ #endif ++ ++ #ifdef ENABLE_LOG_AUTH ++ char *unauthenticated_user = NULL; ++ int log_auth_flag = 0; ++ #endif /* ENABLE_LOG_AUTH */ ++ + /* Debug mode flag. This can be set on the command line. If debug + mode is enabled, extra debugging output will be sent to the system + log, the daemon will not go to background, and will exit after processing +*************** +*** 576,582 **** + + /* This is set to the socket that the server is listening; this is used in + the SIGHUP signal handler. */ +! int listen_sock; + + /* This is not really needed, and could be eliminated if server-specific + and client-specific code were removed from newchannels.c */ +--- 589,605 ---- + + /* This is set to the socket that the server is listening; this is used in + the SIGHUP signal handler. */ +! #define MAX_LISTEN_SOCKS 16 +! int listen_socks[MAX_LISTEN_SOCKS]; +! int num_listen_socks = 0; +! void close_listen_socks() +! { +! int i; +! +! for (i = 0; i < num_listen_socks; i++) +! close(listen_socks[i]); +! num_listen_socks = -1; +! } + + /* This is not really needed, and could be eliminated if server-specific + and client-specific code were removed from newchannels.c */ +*************** +*** 666,672 **** + void sighup_restart(void) + { + log_msg("Received SIGHUP; restarting."); +! 
close(listen_sock); + execvp(saved_argv[0], saved_argv); + log_msg("RESTART FAILED: av[0]='%.100s', error: %.100s.", + saved_argv[0], strerror(errno)); +--- 689,695 ---- + void sighup_restart(void) + { + log_msg("Received SIGHUP; restarting."); +! close_listen_socks(); + execvp(saved_argv[0], saved_argv); + log_msg("RESTART FAILED: av[0]='%.100s', error: %.100s.", + saved_argv[0], strerror(errno)); +*************** +*** 680,686 **** + RETSIGTYPE sigterm_handler(int sig) + { + log_msg("Received signal %d; terminating.", sig); +! close(listen_sock); + exit(255); + } + +--- 703,709 ---- + RETSIGTYPE sigterm_handler(int sig) + { + log_msg("Received signal %d; terminating.", sig); +! close_listen_socks(); + exit(255); + } + +*************** +*** 759,765 **** + int perm_denied = 0; + int ret; + fd_set fdset; +! struct sockaddr_in sin; + char buf[100]; /* Must not be larger than remote_version. */ + char remote_version[100]; /* Must be at least as big as buf. */ + char *comment; +--- 782,788 ---- + int perm_denied = 0; + int ret; + fd_set fdset; +! struct sockaddr_storage from; + char buf[100]; /* Must not be larger than remote_version. */ + char remote_version[100]; /* Must be at least as big as buf. */ + char *comment; +*************** +*** 769,774 **** +--- 792,800 ---- + struct linger linger; + #endif /* SO_LINGER */ + int done; ++ struct addrinfo *ai; ++ char ntop[ADDRSTRLEN], strport[PORTSTRLEN]; ++ int listen_sock, maxfd; + + /* Save argv[0]. */ + saved_argv = av; +*************** +*** 787,796 **** + initialize_server_options(&options); + + /* Parse command-line arguments. */ +! while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:")) != EOF) + { + switch (opt) + { + case 'f': + config_file_name = optarg; + break; +--- 813,838 ---- + initialize_server_options(&options); + + /* Parse command-line arguments. */ +! while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:4" +! #ifdef ENABLE_IPV6 +! "6" +! #endif +! 
)) != EOF) + { + switch (opt) + { ++ case '4': ++ #ifdef ENABLE_IPV6 ++ IPv4or6 = (IPv4or6 == AF_INET6) ? AF_UNSPEC : AF_INET; ++ #else ++ IPv4or6 = AF_INET; ++ #endif ++ break; ++ #ifdef ENABLE_IPV6 ++ case '6': ++ IPv4or6 = (IPv4or6 == AF_INET) ? AF_UNSPEC : AF_INET6; ++ break; ++ #endif + case 'f': + config_file_name = optarg; + break; +*************** +*** 807,813 **** + options.server_key_bits = atoi(optarg); + break; + case 'p': +! options.port = atoi(optarg); + break; + case 'g': + options.login_grace_time = atoi(optarg); +--- 849,855 ---- + options.server_key_bits = atoi(optarg); + break; + case 'p': +! options.ports[options.num_ports++] = atoi(optarg); + break; + case 'g': + options.login_grace_time = atoi(optarg); +*************** +*** 829,834 **** +--- 871,880 ---- + fprintf(stderr, "sshd version %s [%s]\n", SSH_VERSION, HOSTTYPE); + fprintf(stderr, "Usage: %s [options]\n", av0); + fprintf(stderr, "Options:\n"); ++ fprintf(stderr, " -4 Use IPv4 only\n"); ++ #ifdef ENABLE_IPV6 ++ fprintf(stderr, " -6 Use IPv6 only\n"); ++ #endif + fprintf(stderr, " -f file Configuration file (default %s/sshd_config)\n", ETCDIR); + fprintf(stderr, " -d Debugging mode\n"); + fprintf(stderr, " -i Started from inetd\n"); +*************** +*** 857,872 **** + fprintf(stderr, "fatal: Bad server key size.\n"); + exit(1); + } +- if (options.port < 1 || options.port > 65535) +- { +- fprintf(stderr, "fatal: Bad port number.\n"); +- exit(1); +- } + if (options.umask != -1) + { + umask(options.umask); + } + + /* Check that there are no remaining arguments. */ + if (optind < ac) + { +--- 903,917 ---- + fprintf(stderr, "fatal: Bad server key size.\n"); + exit(1); + } + if (options.umask != -1) + { + umask(options.umask); + } + ++ #ifdef ENABLE_LOG_AUTH ++ log_auth_flag = options.log_auth; ++ #endif /* ENABLE_LOG_AUTH */ ++ + /* Check that there are no remaining arguments. */ + if (optind < ac) + { +*************** +*** 1034,1043 **** + } + else + { + /* Create socket for listening. 
*/ +! listen_sock = socket(AF_INET, SOCK_STREAM, 0); + if (listen_sock < 0) + fatal("socket: %.100s", strerror(errno)); + + /* Set socket options. We try to make the port reusable and have it + close as fast as possible without waiting in unnecessary wait states +--- 1079,1091 ---- + } + else + { ++ for (ai = options.listen_addrs; ai; ai = ai->ai_next) ++ { + /* Create socket for listening. */ +! listen_sock = socket(ai->ai_family, SOCK_STREAM, 0); + if (listen_sock < 0) + fatal("socket: %.100s", strerror(errno)); ++ listen_socks[num_listen_socks] = listen_sock; + + /* Set socket options. We try to make the port reusable and have it + close as fast as possible without waiting in unnecessary wait states +*************** +*** 1051,1071 **** + sizeof(linger)); + #endif /* SO_LINGER */ + +! /* Initialize the socket address. */ +! memset(&sin, 0, sizeof(sin)); +! sin.sin_family = AF_INET; +! sin.sin_addr = options.listen_addr; +! sin.sin_port = htons(options.port); + + /* Bind the socket to the desired port. */ +! if (bind(listen_sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) + { +! error("bind: %.100s", strerror(errno)); +! shutdown(listen_sock, 2); + close(listen_sock); +! fatal("Bind to port %d failed: %.200s.", options.port, +! strerror(errno)); + } + + if (!debug_flag) + { +--- 1099,1128 ---- + sizeof(linger)); + #endif /* SO_LINGER */ + +! getnameinfo(ai->ai_addr, ai->ai_addrlen, +! ntop, sizeof(ntop), strport, sizeof(strport), +! NI_NUMERICHOST|NI_NUMERICSERV); + + /* Bind the socket to the desired port. */ +! if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) + { +! error("Bind to port %s on %s failed: %.200s.", +! strport, ntop, strerror(errno)); + close(listen_sock); +! continue; + } ++ num_listen_socks++; ++ ++ /* Start listening on the port. 
*/ ++ log_msg("Server listening on %s port %s.", ntop, strport); ++ if (listen(listen_sock, 5) < 0) ++ fatal("listen: %.100s", strerror(errno)); ++ ++ } /* for (ai = options.listen_addrs; ai; ai = ai->ai_next) */ ++ freeaddrinfo(options.listen_addrs); ++ ++ if (!num_listen_socks) ++ fatal("Cannot bind all addresses."); + + if (!debug_flag) + { +*************** +*** 1081,1091 **** + } + } + +- /* Start listening on the port. */ +- log_msg("Server listening on port %d.", options.port); +- if (listen(listen_sock, 5) < 0) +- fatal("listen: %.100s", strerror(errno)); +- + /* Generate an rsa key. */ + log_msg("Generating %d bit RSA key.", options.server_key_bits); + rsa_generate_key(&sensitive_data.private_key, &public_key, +--- 1138,1143 ---- +*************** +*** 1139,1156 **** + + /* Wait in select until there is a connection. */ + FD_ZERO(&fdset); +! FD_SET(listen_sock, &fdset); +! ret = select(listen_sock + 1, &fdset, NULL, NULL, NULL); +! if (ret < 0 || !FD_ISSET(listen_sock, &fdset)) + { + if (errno == EINTR) + continue; + error("select: %.100s", strerror(errno)); + continue; + } +! +! aux = sizeof(sin); +! newsock = accept(listen_sock, (struct sockaddr *)&sin, &aux); + if (newsock < 0) + { + if (errno == EINTR) +--- 1191,1218 ---- + + /* Wait in select until there is a connection. */ + FD_ZERO(&fdset); +! maxfd = 0; +! for (i = 0; i < num_listen_socks; i++) +! { +! FD_SET(listen_socks[i], &fdset); +! if (listen_socks[i] > maxfd) +! maxfd = listen_socks[i]; +! } +! ret = select(maxfd + 1, &fdset, NULL, NULL, NULL); +! if (ret < 0) + { + if (errno == EINTR) + continue; + error("select: %.100s", strerror(errno)); + continue; + } +! +! for (i = 0; i < num_listen_socks; i++) +! { +! if (!FD_ISSET(listen_socks[i], &fdset)) +! continue; +! aux = sizeof(from); +! newsock = accept(listen_socks[i], (struct sockaddr *)&from, &aux); + if (newsock < 0) + { + if (errno == EINTR) +*************** +*** 1166,1172 **** + /* In debugging mode. 
Close the listening socket, and start + processing the connection without forking. */ + debug("Server will not fork when running in debugging mode."); +! close(listen_sock); + sock_in = newsock; + sock_out = newsock; + pid = getpid(); +--- 1228,1234 ---- + /* In debugging mode. Close the listening socket, and start + processing the connection without forking. */ + debug("Server will not fork when running in debugging mode."); +! close_listen_socks(); + sock_in = newsock; + sock_out = newsock; + pid = getpid(); +*************** +*** 1195,1201 **** + the accepted socket. Reinitialize logging (since our + pid has changed). We break out of the loop to handle + the connection. */ +! close(listen_sock); + sock_in = newsock; + sock_out = newsock; + #ifdef LIBWRAP +--- 1257,1263 ---- + the accepted socket. Reinitialize logging (since our + pid has changed). We break out of the loop to handle + the connection. */ +! close_listen_socks(); + sock_in = newsock; + sock_out = newsock; + #ifdef LIBWRAP +*************** +*** 1233,1238 **** +--- 1295,1304 ---- + + /* Close the new socket (the child is now taking care of it). */ + close(newsock); ++ } /* for (i = 0; i < num_host_socks; i++) */ ++ /* child process check (or debug mode) */ ++ if (num_listen_socks < 0) ++ break; + } + } + +*************** +*** 2205,2210 **** +--- 2271,2279 ---- + krb5_parse_name(ssh_context, user, &client); + #endif /* defined(KERBEROS) && defined(KRB5) */ + ++ #ifdef ENABLE_LOG_AUTH ++ unauthenticated_user = user; ++ #endif /* ENABLE_LOG_AUTH */ + /* Verify that the user is a valid user. We disallow usernames starting + with any characters that are commonly used to start NIS entries. */ + pw = getpwnam(user); *************** *** 2222,2228 **** pwcopy.pw_class = xstrdup(pw->pw_class); 
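Review bot: `listen_socks[num_listen_socks] = listen_sock;` in the new bind loop stores into a fixed `MAX_LISTEN_SOCKS` (16) array with no bound check, so more than 16 entries in `options.listen_addrs` overrun it; add `if (num_listen_socks >= MAX_LISTEN_SOCKS) fatal("Too many listen sockets (max %d).", MAX_LISTEN_SOCKS);` before the store. The same hunk drops the `options.port < 1 || options.port > 65535` check when `-p` becomes `options.ports[options.num_ports++] = atoi(optarg);`, so an out-of-range or repeated `-p` is no longer rejected here and the bound of `options.ports` is not checked either (unless servconf does both — not visible in this hunk). The `getnameinfo()` call before `bind()` is unchecked, so `ntop`/`strport` can be left unset in the bind-failure and "Server listening" messages; test its return the way `bind()` is tested. The comment closing the accept loop, `/* for (i = 0; i < num_host_socks; i++) */`, names a variable that does not exist and should read `num_listen_socks`.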
@@ -9,7 +426,7 @@ pwcopy.pw_dir = xstrdup(pw->pw_dir); pwcopy.pw_shell = xstrdup(pw->pw_shell); pw = &pwcopy; ---- 2222,2228 ---- +--- 2291,2297 ---- pwcopy.pw_class = xstrdup(pw->pw_class); pwcopy.pw_change = pw->pw_change; pwcopy.pw_expire = pw->pw_expire; 
@@ -18,7 +435,136 @@ pwcopy.pw_shell = xstrdup(pw->pw_shell); pw = &pwcopy; *************** -*** 3285,3294 **** +*** 2260,2265 **** +--- 2329,2339 ---- + { + /* Authentication with empty password succeeded. */ + debug("Login for user %.100s accepted without authentication.", user); ++ #ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.700s (%s)", ++ user, get_canonical_hostname(), ++ "empty password accepted"); ++ #endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_PASSWORD; + authenticated = 1; + /* Success packet will be sent after loop below. */ +*************** +*** 2334,2339 **** +--- 2408,2418 ---- + /* Client has successfully authenticated to us. */ + log_msg("Kerberos authentication accepted %.100s for login to account %.100s from %.200s", + tkt_user, user, get_canonical_hostname()); ++ #ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.700s (%s)", ++ user, get_canonical_hostname(), ++ "kerberos authentication accepted"); ++ #endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_KERBEROS; + authenticated = 1; + break; +*************** +*** 2382,2387 **** +--- 2461,2471 ---- + /* Authentication accepted. */ + log_msg("Rhosts authentication accepted for %.100s, remote %.100s on %.700s.", + user, client_user, get_canonical_hostname()); ++ #ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.100s@%.700s (%s)", ++ user, client_user, get_canonical_hostname(), ++ "rhosts authentication accepted"); ++ #endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_RHOSTS; + authenticated = 1; + remote_user_name = client_user; +*************** +*** 2441,2446 **** +--- 2525,2535 ---- + options.strict_modes)) + { + /* Authentication accepted. 
*/ ++ #ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.100s@%.700s (%s)", ++ user, client_user, get_canonical_hostname(), ++ "rhosts with RSA host authentication accepted"); ++ #endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_RHOSTS_RSA; + authenticated = 1; + remote_user_name = client_user; +*************** +*** 2474,2479 **** +--- 2563,2573 ---- + /* Successful authentication. */ + mpz_clear(&n); + log_msg("RSA authentication for %.100s accepted.", user); ++ #ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.700s (%s)", ++ user, get_canonical_hostname(), ++ "RSA user authentication accepted"); ++ #endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_RSA; + authenticated = 1; + break; +*************** +*** 2608,2613 **** +--- 2702,2712 ---- + auth_close(); + memset(password, 0, strlen(password)); + xfree(password); ++ #ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from @%.700s (%s)", ++ user, get_canonical_hostname(), ++ "TIS authentication accepted"); ++ #endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_TIS; + authenticated = 1; + break; +*************** +*** 2668,2673 **** +--- 2767,2777 ---- + memset(password, 0, strlen(password)); + xfree(password); + log_msg("Password authentication for %.100s accepted.", user); ++ #ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.700s (%s)", ++ user, get_canonical_hostname(), ++ "password authentication accepted"); ++ #endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_PASSWORD; + authenticated = 1; + break; +*************** +*** 2708,2713 **** +--- 2812,2822 ---- + } + + /* Check if the user is logging in as root and root logins are disallowed. 
*/ ++ #ifdef ENABLE_LOG_AUTH ++ if ((pw->pw_uid == UID_ROOT && options.permit_root_login == 1) || ++ (pw->pw_uid == UID_ROOT && options.permit_root_login == 0 && !forced_command)) ++ log_auth("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname()); ++ #endif /* ENABLE_LOG_AUTH */ + if (pw->pw_uid == UID_ROOT && options.permit_root_login == 1) + { + if (authentication_type == SSH_AUTH_PASSWORD) +*************** +*** 2775,2780 **** +--- 2884,2892 ---- + packet_start(SSH_SMSG_SUCCESS); + packet_send(); + packet_write_wait(); ++ #ifdef ENABLE_LOG_AUTH ++ unauthenticated_user = NULL; ++ #endif /* ENABLE_LOG_AUTH */ + + /* Perform session preparation. */ + do_authenticated(pw); +*************** +*** 3280,3294 **** + char line[256]; + struct stat st; + int quiet_login; +! struct sockaddr_in from; + int fromlen; struct pty_cleanup_context cleanup_context; #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) login_cap_t *lc; @@ -29,7 +575,12 @@ /* We no longer need the child running on user's privileges. */ userfile_uninit(); ---- 3285,3295 ---- +--- 3392,3407 ---- + char line[256]; + struct stat st; + int quiet_login; +! struct sockaddr_storage from; + int fromlen; struct pty_cleanup_context cleanup_context; #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) login_cap_t *lc; 
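Review bot: The new `log_auth("ROOT LOGIN REFUSED FROM %.200s", ...)` under ENABLE_LOG_AUTH fires for every root login with `options.permit_root_login == 1`, but the refusal code directly below it (its body continues past the hunk) only rejects when `authentication_type == SSH_AUTH_PASSWORD`, so the audit log can record a refusal for a root login that is then accepted; move the log_auth call into the branches that actually refuse, or make its condition match theirs exactly. The TIS message `"%.100s from @%.700s (%s)"` carries a stray `@` compared with the other host-only messages (`"%.100s from %.700s (%s)"`), which makes the audit lines inconsistent to parse; drop the `@`. `from` becomes a `struct sockaddr_storage` while `int fromlen;` stays; whatever fills it (outside the hunk) must now pass `fromlen = sizeof(from)`.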
@@ -42,8 +593,25 @@ /* We no longer need the child running on user's privileges. */ userfile_uninit(); *************** +*** 3387,3393 **** + + /* Record that there was a login on that terminal. */ + record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname, +! &from); + + #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) + lc = login_getclass(pw->pw_class); +--- 3500,3506 ---- + + /* Record that there was a login on that terminal. */ + record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname, +! (struct sockaddr *)&from); + + #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) + lc = login_getclass(pw->pw_class); +*************** *** 3446,3451 **** ---- 3447,3460 ---- +--- 3559,3572 ---- "The Regents of the University of California. ", "All rights reserved."); } @@ -67,7 +635,7 @@ if (pw->pw_change || pw->pw_expire) (void)gettimeofday(&tp, (struct timezone *)NULL); if (pw->pw_change) ---- 3478,3484 ---- +--- 3590,3596 ---- fputs(line, stdout); fclose(f); } @@ -76,6 +644,16 @@ (void)gettimeofday(&tp, (struct timezone *)NULL); if (pw->pw_change) *************** +*** 3876,3881 **** +--- 3997,4003 ---- + char *user_shell; + char *remote_ip; + int remote_port; ++ int local_port; + #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) + login_cap_t *lc; + char *real_shell; +*************** *** 3922,3928 **** while (fgets(buf, sizeof(buf), f)) fputs(buf, stderr); @@ -84,7 +662,7 @@ if (pw->pw_uid != UID_ROOT && !login_getcapbool(lc, "ignorenologin", 0)) exit(254); ---- 3931,3937 ---- +--- 4044,4050 ---- while (fgets(buf, sizeof(buf), f)) fputs(buf, stderr); fclose(f); 
@@ -93,8 +671,131 @@ !login_getcapbool(lc, "ignorenologin", 0)) exit(254); *************** +*** 3981,3986 **** +--- 4103,4109 ---- + user_shell = xstrdup(pw->pw_shell); + remote_ip = xstrdup(get_remote_ipaddr()); + remote_port = get_remote_port(); ++ local_port = get_local_port(); + + /* Close the connection descriptors; note that this is the child, and the + server will still have the socket open, and it is important that we +*************** +*** 4000,4006 **** + /* Close any extra file descriptors. Note that there may still be + descriptors left by system functions. They will be closed later. */ + endpwent(); +- endhostent(); + + /* Set dummy encryption key to clear information about the key from + memory. This key will never be used. */ +--- 4123,4128 ---- +*************** +*** 4257,4263 **** + + /* Set SSH_CLIENT. */ + snprintf(buf, sizeof(buf), +! "%.50s %d %d", remote_ip, remote_port, options.port); + child_set_env(&env, &envsize, "SSH_CLIENT", buf); + + /* Set SSH_TTY if we have a pty. */ +--- 4379,4385 ---- + + /* Set SSH_CLIENT. */ + snprintf(buf, sizeof(buf), +! "%.50s %d %d", remote_ip, remote_port, local_port); + child_set_env(&env, &envsize, "SSH_CLIENT", buf); + + /* Set SSH_TTY if we have a pty. */ +*************** +*** 4426,4432 **** + int i; + char name[255], *p; + char line[256]; +! struct hostent *hp; + + strncpy(name, display, sizeof(name)); + name[sizeof(name) - 1] = '\0'; +--- 4548,4555 ---- + int i; + char name[255], *p; + char line[256]; +! struct addrinfo hints, *ai, *aitop; +! char ntop[ADDRSTRLEN]; + + strncpy(name, display, sizeof(name)); + name[sizeof(name) - 1] = '\0'; +*************** +*** 4443,4449 **** + /* Moved this call here to avoid a nasty buf in SunOS + 4.1.4 libc where gethostbyname closes an unrelated + file descriptor. */ +! 
hp = gethostbyname(name); + + snprintf(line, sizeof(line), + "%.200s -q -", options.xauth_path); +--- 4566,4575 ---- + /* Moved this call here to avoid a nasty buf in SunOS + 4.1.4 libc where gethostbyname closes an unrelated + file descriptor. */ +! memset(&hints, 0, sizeof(hints)); +! hints.ai_family = IPv4or6; +! if (getaddrinfo(name, NULL, &hints, &aitop) != 0) +! aitop = 0; + + snprintf(line, sizeof(line), + "%.200s -q -", options.xauth_path); +*************** +*** 4461,4481 **** + cp - display, display, cp, auth_proto, + auth_data); + #endif +! if (hp) + { +! for(i = 0; hp->h_addr_list[i]; i++) + { + if (debug_flag) + { + fprintf(stderr, "Running %s add %s%s %s %s\n", + options.xauth_path, +! inet_ntoa(*((struct in_addr *) +! hp->h_addr_list[i])), + cp, auth_proto, auth_data); + } + fprintf(f, "add %s%s %s %s\n", +! inet_ntoa(*((struct in_addr *) +! hp->h_addr_list[i])), + cp, auth_proto, auth_data); + } + } +--- 4587,4610 ---- + cp - display, display, cp, auth_proto, + auth_data); + #endif +! if (aitop) + { +! for (ai = aitop; ai; ai = ai->ai_next) + { ++ getnameinfo(ai->ai_addr, ai->ai_addrlen, ++ ntop, sizeof(ntop), NULL, 0, ++ NI_NUMERICHOST); ++ if (strchr(ntop, ':')) ++ continue; /* XXX - xauth doesn't accept it */ + if (debug_flag) + { + fprintf(stderr, "Running %s add %s%s %s %s\n", + options.xauth_path, +! ntop, + cp, auth_proto, auth_data); + } + fprintf(f, "add %s%s %s %s\n", +! ntop, + cp, auth_proto, auth_data); + } + } +*************** *** 4525,4531 **** ---- 4534,4544 ---- +--- 4654,4664 ---- struct stat mailbuf; if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0) diff --git a/security/ssh/files/patch-ag b/security/ssh/files/patch-ag index 80e3c3d..71f3b7e 100644 --- a/security/ssh/files/patch-ag +++ b/security/ssh/files/patch-ag 
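Review bot: In the xauth loop, `getnameinfo()` is called without checking its return, so on failure `ntop` is uninitialized on the first iteration or holds the previous address, and that value is then written into the `fprintf(f, "add %s%s %s %s\n", ntop, ...)` xauth command; change it to `if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0) continue;`. The list from `getaddrinfo(name, NULL, &hints, &aitop)` is never released in this hunk — the old `gethostbyname()` result needed no free, but this one needs `freeaddrinfo(aitop);` after the loop unless the rest of the function (outside the hunk) does it. The `strchr(ntop, ':')` skip silently leaves IPv6 display hosts without an xauth entry; expand the `XXX` comment to say that X11 forwarding to an IPv6-only DISPLAY host is unsupported so the omission is clearly intentional.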
@@ -1,33 +1,54 @@ ---- auth-kerberos.c.orig Sun Jun 6 02:01:32 1999 -+++ auth-kerberos.c Sun Jun 6 02:01:33 1999 -@@ -120,10 +120,18 @@ - - debug("Kerberos invalid service name (%.100s).", server); - packet_send_debug("Kerberos invalid service name (%.100s).", server); -+#ifdef krb5_xfree - krb5_xfree(server); -+#else -+ free(server); -+#endif - return 0; - } -+#ifdef krb5_xfree - krb5_xfree(server); -+#else -+ free(server); -+#endif - - /* Extract the users name from the ticket client principal */ - problem = krb5_copy_principal(ssh_context, ticket->enc_part2->client, -@@ -159,7 +167,11 @@ - packet_put_string((char *) reply.data, reply.length); - packet_send(); - packet_write_wait(); -+#ifdef krb5_xfree - krb5_xfree(reply.data); -+#else -+ krb5_free_data_contents(ssh_context, &reply); -+#endif - return 1; - } - #endif /* KRB5 */ +*** auth-kerberos.c.orig Tue Jan 11 20:33:46 2000 +--- auth-kerberos.c Tue Jan 11 20:33:38 2000 +*************** +*** 120,129 **** +--- 120,137 ---- + + debug("Kerberos invalid service name (%.100s).", server); + packet_send_debug("Kerberos invalid service name (%.100s).", server); ++ #ifdef krb5_xfree + krb5_xfree(server); ++ #else ++ free(server); ++ #endif + return 0; + } ++ #ifdef krb5_xfree + krb5_xfree(server); ++ #else ++ free(server); ++ #endif + + /* Extract the users name from the ticket client principal */ + problem = krb5_copy_principal(ssh_context, ticket->enc_part2->client, +*************** +*** 159,165 **** +--- 167,177 ---- + packet_put_string((char *) reply.data, reply.length); + packet_send(); + packet_write_wait(); ++ #ifdef krb5_xfree + krb5_xfree(reply.data); ++ #else ++ krb5_free_data_contents(ssh_context, &reply); ++ #endif + return 1; + } + #endif /* KRB5 */ +*************** +*** 177,183 **** + extern char *ticket; + static krb5_principal rcache_server = 0; + static krb5_rcache rcache; +! 
struct sockaddr_in local, foreign; + krb5_address *local_addr, *remote_addr; + int s; + +--- 189,195 ---- + extern char *ticket; + static krb5_principal rcache_server = 0; + static krb5_rcache rcache; +! struct sockaddr_storage local, foreign; + krb5_address *local_addr, *remote_addr; + int s; + diff --git a/security/ssh/files/patch-al b/security/ssh/files/patch-al index 839d1fe..1bfbbb5 100644 --- a/security/ssh/files/patch-al +++ b/security/ssh/files/patch-al 
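Review bot: `local` and `foreign` change from `struct sockaddr_in` to `struct sockaddr_storage`, but nothing in this hunk shows how they are filled or how `local_addr`/`remote_addr` (krb5_address) are derived from them; if that code (outside the hunk) still reads `sin_addr`/`sin_family` it will be wrong for AF_INET6 sockets, and the `getsockname`/`getpeername` length must now be `sizeof(local)`. Add a comment at the declaration, `/* sockaddr_storage: check ss_family before reading address bytes */`, or include the follow-up change in this patch. The rest of the file only converts the existing krb5_xfree hunks from unified to context format with no code change, which buries the one real change in a 54-line rewrite.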
@@ -1,27 +1,404 @@ -*** sshconnect.c.orig Wed May 12 20:19:29 1999 ---- sshconnect.c Sun Jun 6 02:39:02 1999 +*** sshconnect.c.orig Wed May 12 13:19:29 1999 +--- sshconnect.c Wed Jan 12 00:34:55 2000 *************** -*** 347,352 **** ---- 347,358 ---- +*** 337,343 **** + + /* Creates a (possibly privileged) socket for use as the ssh connection. */ + +! int ssh_create_socket(uid_t original_real_uid, int privileged) + { + int sock; + +--- 337,343 ---- + + /* Creates a (possibly privileged) socket for use as the ssh connection. */ + +! int ssh_create_socket(uid_t original_real_uid, int privileged, int family) + { + int sock; + +*************** +*** 345,385 **** + bind our own socket to a privileged port. */ + if (privileged) { - struct sockaddr_in sin; +! struct sockaddr_in sin; int p; -+ #if (defined(__OpenBSD__) || defined(__FreeBSD__)) && !defined(SOCKS) -+ p = 1023; /* Compat with old FreeBSD */ -+ sock = rresvport(&p); -+ if (sock < 0) -+ fatal("rresvport: %.100s", strerror(errno)); -+ #else for (p = 1023; p > 512; p--) { - sock = socket(AF_INET, SOCK_STREAM, 0); -*************** -*** 374,379 **** ---- 380,386 ---- +! sock = socket(AF_INET, SOCK_STREAM, 0); + if (sock < 0) + fatal("socket: %.100s", strerror(errno)); + +! /* Initialize the desired sockaddr_in structure. */ +! memset(&sin, 0, sizeof(sin)); +! sin.sin_family = AF_INET; +! sin.sin_addr.s_addr = INADDR_ANY; +! sin.sin_port = htons(p); + + /* Try to bind the socket to the privileged port. */ + #if defined(SOCKS) +! if (Rbind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0) + break; /* Success. */ + #else /* SOCKS */ +! if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0) + break; /* Success. */ + #endif /* SOCKS */ + if (errno == EADDRINUSE) + { + close(sock); + continue; + } + fatal("bind: %.100s", strerror(errno)); + } + debug("Allocated local port %d.", p); + } + else + { + /* Just create an ordinary socket on arbitrary port. */ +! 
sock = socket(AF_INET, SOCK_STREAM, 0); + if (sock < 0) + fatal("socket: %.100s", strerror(errno)); + } +--- 345,392 ---- + bind our own socket to a privileged port. */ + if (privileged) + { +! struct addrinfo hints, *ai = NULL; +! int errgai; +! char strport[PORTSTRLEN]; + int p; + for (p = 1023; p > 512; p--) + { +! sock = socket(family, SOCK_STREAM, 0); + if (sock < 0) + fatal("socket: %.100s", strerror(errno)); + +! /* Initialize the desired addrinfo structure. */ +! memset(&hints, 0, sizeof(hints)); +! hints.ai_family = family; +! hints.ai_flags = AI_PASSIVE; +! hints.ai_socktype = SOCK_STREAM; +! sprintf(strport, "%d", p); +! if ((errgai = getaddrinfo(NULL, strport, &hints, &ai)) != 0) +! fatal("getaddrinfo: %.100s", gai_strerror(errgai)); + + /* Try to bind the socket to the privileged port. */ + #if defined(SOCKS) +! if (Rbind(sock, ai->ai_addr, ai->ai_addrlen) >= 0) + break; /* Success. */ + #else /* SOCKS */ +! if (bind(sock, ai->ai_addr, ai->ai_addrlen) >= 0) + break; /* Success. */ + #endif /* SOCKS */ + if (errno == EADDRINUSE) + { + close(sock); ++ freeaddrinfo(ai); + continue; } fatal("bind: %.100s", strerror(errno)); } -+ #endif debug("Allocated local port %d.", p); ++ freeaddrinfo(ai); } else + { + /* Just create an ordinary socket on arbitrary port. */ +! sock = socket(family, SOCK_STREAM, 0); + if (sock < 0) + fatal("socket: %.100s", strerror(errno)); + } +*************** +*** 396,409 **** + the daemon. */ + + int ssh_connect(const char *host, int port, int connection_attempts, + int anonymous, uid_t original_real_uid, + const char *proxy_command, RandomState *random_state) + { + int sock = -1, attempt, i; + int on = 1; + struct servent *sp; +! struct hostent *hp; +! struct sockaddr_in hostaddr; + #if defined(SO_LINGER) && defined(ENABLE_SO_LINGER) + struct linger linger; + #endif /* SO_LINGER */ +--- 403,421 ---- + the daemon. 
*/ + + int ssh_connect(const char *host, int port, int connection_attempts, ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ int another_port, ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + int anonymous, uid_t original_real_uid, + const char *proxy_command, RandomState *random_state) + { + int sock = -1, attempt, i; + int on = 1; + struct servent *sp; +! struct addrinfo hints, *ai, *aitop, *aitmp; +! struct sockaddr_storage hostaddr; +! char ntop[ADDRSTRLEN], strport[PORTSTRLEN]; +! int gaierr; + #if defined(SO_LINGER) && defined(ENABLE_SO_LINGER) + struct linger linger; + #endif /* SO_LINGER */ +*************** +*** 421,430 **** + port = SSH_DEFAULT_PORT; + } + +- /* Map localhost to ip-address locally */ +- if (strcmp(host, "localhost") == 0) +- host = "127.0.0.1"; +- + /* If a proxy command is given, connect using it. */ + if (proxy_command != NULL && *proxy_command) + return ssh_proxy_connect(host, port, original_real_uid, proxy_command, +--- 433,438 ---- +*************** +*** 432,440 **** + + /* No proxy command. */ + +! /* No host lookup made yet. */ +! hp = NULL; +! + /* Try to connect several times. On some machines, the first time will + sometimes fail. In general socket code appears to behave quite + magically on many machines. */ +--- 440,467 ---- + + /* No proxy command. */ + +! memset(&hints, 0, sizeof(hints)); +! hints.ai_family = IPv4or6; +! hints.ai_socktype = SOCK_STREAM; +! sprintf(strport, "%d", port); +! if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) +! fatal("Bad host name: %.100s (%s)", host, gai_strerror(gaierr)); +! +! #ifdef ENABLE_ANOTHER_PORT_TRY +! if (another_port) +! { +! aitmp = aitop; +! memset(&hints, 0, sizeof(hints)); +! hints.ai_family = IPv4or6; +! hints.ai_socktype = SOCK_STREAM; +! sprintf(strport, "%d", another_port); +! if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) +! fatal("Bad host name: %.100s (%s)", host, gai_strerror(gaierr)); +! for (ai = aitop; ai->ai_next; ai = ai->ai_next); +! 
ai->ai_next = aitmp; +! } +! #endif /* ENABLE_ANOTHER_PORT_TRY */ +! + /* Try to connect several times. On some machines, the first time will + sometimes fail. In general socket code appears to behave quite + magically on many machines. */ +*************** +*** 443,545 **** + if (attempt > 0) + debug("Trying again..."); + +- /* Try to parse the host name as a numeric inet address. */ +- memset(&hostaddr, 0, sizeof(hostaddr)); +- hostaddr.sin_family = AF_INET; +- hostaddr.sin_port = htons(port); +- #ifdef BROKEN_INET_ADDR +- hostaddr.sin_addr.s_addr = inet_network(host); +- #else /* BROKEN_INET_ADDR */ +- hostaddr.sin_addr.s_addr = inet_addr(host); +- #endif /* BROKEN_INET_ADDR */ +- if ((hostaddr.sin_addr.s_addr & 0xffffffff) != 0xffffffff) +- { +- /* Create a socket. */ +- sock = ssh_create_socket(original_real_uid, +- !anonymous && geteuid() == UID_ROOT); +- +- /* Valid numeric IP address */ +- debug("Connecting to %.100s port %d.", +- inet_ntoa(hostaddr.sin_addr), port); +- +- /* Connect to the host. */ +- #if defined(SOCKS) +- if (Rconnect(sock, (struct sockaddr *)&hostaddr, sizeof(hostaddr)) +- #else /* SOCKS */ +- if (connect(sock, (struct sockaddr *)&hostaddr, sizeof(hostaddr)) +- #endif /* SOCKS */ +- >= 0) +- { +- /* Successful connect. */ +- break; +- } +- debug("connect: %.100s", strerror(errno)); +- +- /* Destroy the failed socket. */ +- shutdown(sock, 2); +- close(sock); +- } +- else +- { +- /* Not a valid numeric inet address. */ +- /* Map host name to an address. */ +- if (!hp) +- { +- struct hostent *hp_static; +- +- #if defined(SOCKS5) +- hp_static = Rgethostbyname(host); +- #else +- hp_static = gethostbyname(host); +- #endif +- if (hp_static) +- { +- hp = xmalloc(sizeof(struct hostent)); +- memcpy(hp, hp_static, sizeof(struct hostent)); +- +- /* Copy list of addresses, not just pointers. 
+- We don't use h_name & h_aliases so leave them as is */ +- for (i = 0; hp_static->h_addr_list[i]; i++) +- ; /* count them */ +- hp->h_addr_list = xmalloc((i + 1) * +- sizeof(hp_static->h_addr_list[0])); +- for (i = 0; hp_static->h_addr_list[i]; i++) +- { +- hp->h_addr_list[i] = xmalloc(hp->h_length); +- memcpy(hp->h_addr_list[i], hp_static->h_addr_list[i], +- hp->h_length); +- } +- hp->h_addr_list[i] = NULL; /* last one */ +- } +- } +- if (!hp) +- fatal("Bad host name: %.100s", host); +- if (!hp->h_addr_list[0]) +- fatal("Host does not have an IP address: %.100s", host); +- + /* Loop through addresses for this host, and try each one in + sequence until the connection succeeds. */ +! for (i = 0; hp->h_addr_list[i]; i++) + { +! /* Set the address to connect to. */ +! hostaddr.sin_family = hp->h_addrtype; +! memcpy(&hostaddr.sin_addr, hp->h_addr_list[i], +! sizeof(hostaddr.sin_addr)); + +! debug("Connecting to %.200s [%.100s] port %d.", +! host, inet_ntoa(hostaddr.sin_addr), port); + + /* Create a socket for connecting. */ + sock = ssh_create_socket(original_real_uid, +! !anonymous && geteuid() == UID_ROOT); + + /* Connect to the host. */ + #if defined(SOCKS) +! if (Rconnect(sock, (struct sockaddr *)&hostaddr, +! sizeof(hostaddr)) >= 0) + #else /* SOCKS */ +! if (connect(sock, (struct sockaddr *)&hostaddr, +! sizeof(hostaddr)) >= 0) + #endif /* SOCKS */ + { + /* Successful connection. */ +--- 470,496 ---- + if (attempt > 0) + debug("Trying again..."); + + /* Loop through addresses for this host, and try each one in + sequence until the connection succeeds. */ +! for (ai = aitop; ai; ai = ai->ai_next) + { +! getnameinfo(ai->ai_addr, ai->ai_addrlen, +! ntop, sizeof(ntop), strport, sizeof(strport), +! NI_NUMERICHOST|NI_NUMERICSERV); + +! debug("Connecting to %.200s [%.100s] port %s.", +! host, ntop, strport); + + /* Create a socket for connecting. */ + sock = ssh_create_socket(original_real_uid, +! !anonymous && geteuid() == UID_ROOT, +! 
ai->ai_family); + + /* Connect to the host. */ + #if defined(SOCKS) +! if (Rconnect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) + #else /* SOCKS */ +! if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) + #endif /* SOCKS */ + { + /* Successful connection. */ +*************** +*** 552,573 **** + returned an error. */ + shutdown(sock, 2); + close(sock); +! } +! if (hp->h_addr_list[i]) + break; /* Successful connection. */ +- } + + /* Sleep a moment before retrying. */ + sleep(1); + } + +! if (hp) +! { +! for (i = 0; hp->h_addr_list[i]; i++) +! xfree(hp->h_addr_list[i]); +! xfree(hp->h_addr_list); +! xfree(hp); +! } + + /* Return failure if we didn't get a successful connection. */ + if (attempt >= connection_attempts) +--- 503,517 ---- + returned an error. */ + shutdown(sock, 2); + close(sock); +! } /* for (ai = aitop; ai; ai = ai->ai_next) */ +! if (ai) + break; /* Successful connection. */ + + /* Sleep a moment before retrying. */ + sleep(1); + } + +! freeaddrinfo(aitop); + + /* Return failure if we didn't get a successful connection. */ + if (attempt >= connection_attempts) +*************** +*** 578,586 **** +--- 522,532 ---- + /* Set socket options. We would like the socket to disappear as soon as + it has been closed for whatever reason. */ + /* setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */ ++ #if 0 /* XXX */ + #if defined(TCP_NODELAY) && defined(ENABLE_TCP_NODELAY) + setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void *)&on, sizeof(on)); + #endif /* TCP_NODELAY */ ++ #endif /* 0 */ + #if defined(SO_LINGER) && defined(ENABLE_SO_LINGER) + linger.l_onoff = 1; + linger.l_linger = 15; +*************** +*** 946,952 **** + int ap_opts, ret_stat = 0; + krb5_keyblock *session_key = 0; + krb5_ap_rep_enc_part *repl = 0; +! 
struct sockaddr_in local, foreign; + + memset(&auth, 0 , sizeof(auth)); + remotehost = (char *) get_canonical_hostname(); +--- 892,898 ---- + int ap_opts, ret_stat = 0; + krb5_keyblock *session_key = 0; + krb5_ap_rep_enc_part *repl = 0; +! struct sockaddr_storage local, foreign; + + memset(&auth, 0 , sizeof(auth)); + remotehost = (char *) get_canonical_hostname(); diff --git a/security/ssh/files/patch-ao b/security/ssh/files/patch-ao index 223dd44..0c5f76b 100644 --- a/security/ssh/files/patch-ao +++ b/security/ssh/files/patch-ao 
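Review bot: In the new connect loop of ssh_connect the return value of getnameinfo() is discarded, so when it fails `ntop` and `strport` are handed to debug() uninitialized; a guard such as `if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { strcpy(ntop, "?"); strcpy(strport, "?"); }` keeps the log line well-defined. The same unchecked getnameinfo() pattern recurs in the newchannels.c hunk (patch-ao) in channel_request_forwarding, channel_input_port_open and the X11 kludge block. Both ssh_create_socket and ssh_connect format the port with `sprintf(strport, "%d", ...)` into a PORTSTRLEN-sized buffer whose size is not visible here; `snprintf(strport, sizeof(strport), "%d", port)` bounds the write at no cost should a caller pass an out-of-range port. The ENABLE_ANOTHER_PORT_TRY block splices the list from a second getaddrinfo() call onto the first and later frees both with a single `freeaddrinfo(aitop)`, which relies on the libc walking ai_next across separately allocated lists; if that is not guaranteed on every target, iterate the two lists separately and free each with its own call. ssh_create_socket and ssh_connect both begin and end outside the context shown in the hunk.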
@@ -1,35 +1,583 @@ ---- newchannels.c.orig Wed May 12 12:19:27 1999 -+++ newchannels.c Fri Jun 18 12:10:26 1999 -@@ -282,6 +282,11 @@ - #endif /* NEED_SYS_SYSLOG_H */ - #endif /* LIBWRAP */ - -+#ifdef __FreeBSD__ -+#include <utmp.h> -+#include <osreldate.h> -+#endif -+ - /* Directory in which the fake unix-domain X11 displays reside. */ - #ifndef X11_DIR - #define X11_DIR "/tmp/.X11-unix" -@@ -1891,6 +1896,9 @@ - fatal("gethostname: %.100s", strerror(errno)); - snprintf(buf, sizeof(buf), - "%.400s:%d.%d", hostname, display_number, screen_number); -+#if __FreeBSD_version >= 320000 -+ trimdomain(buf, UT_HOSTSIZE); -+#endif - #else /* HAVE_GETHOSTNAME */ - if (uname(&uts) < 0) - fatal("uname: %.100s", strerror(errno)); -@@ -2412,6 +2420,10 @@ - ssh-agent connections on your system */ - old_umask = umask(S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); - -+ /* Make sure the socket doesn't already exist, left over from a system -+ crash perhaps. */ -+ unlink(channel_forwarded_auth_socket_name); -+ - if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < 0) - packet_disconnect("Agent socket bind failed: %.100s", strerror(errno)); - +*** newchannels.c.orig Tue Jan 11 20:38:09 2000 +--- newchannels.c Tue Jan 11 20:38:02 2000 +*************** +*** 282,287 **** +--- 282,292 ---- + #endif /* NEED_SYS_SYSLOG_H */ + #endif /* LIBWRAP */ + ++ #ifdef __FreeBSD__ ++ #include <utmp.h> ++ #include <osreldate.h> ++ #endif ++ + /* Directory in which the fake unix-domain X11 displays reside. */ + #ifndef X11_DIR + #define X11_DIR "/tmp/.X11-unix" +*************** +*** 1405,1417 **** + int host_port, int gatewayports) + { + int ch, sock; +! struct sockaddr_in sin; + + if (strlen(host) > sizeof(channels[0].path) - 1) + packet_disconnect("Forward host name too long."); + + /* Create a port to listen for the host. */ +! 
sock = socket(AF_INET, SOCK_STREAM, 0); + if (sock < 0) + packet_disconnect("socket: %.100s", strerror(errno)); + +--- 1410,1438 ---- + int host_port, int gatewayports) + { + int ch, sock; +! struct addrinfo hints, *ai, *aitop; +! char ntop[ADDRSTRLEN], strport[PORTSTRLEN]; + + if (strlen(host) > sizeof(channels[0].path) - 1) + packet_disconnect("Forward host name too long."); + ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = IPv4or6; ++ hints.ai_flags = gatewayports ? AI_PASSIVE : 0; ++ hints.ai_socktype = SOCK_STREAM; ++ sprintf(strport, "%d", port); ++ if (getaddrinfo(NULL, strport, &hints, &aitop) != 0) ++ packet_disconnect("getaddrinfo: fatal error"); ++ ++ for (ai = aitop; ai; ai = ai->ai_next) ++ { ++ ++ getnameinfo(ai->ai_addr, ai->ai_addrlen, ++ ntop, sizeof(ntop), strport, sizeof(strport), ++ NI_NUMERICHOST|NI_NUMERICSERV); ++ + /* Create a port to listen for the host. */ +! sock = socket(ai->ai_family, SOCK_STREAM, 0); + if (sock < 0) + packet_disconnect("socket: %.100s", strerror(errno)); + +*************** +*** 1421,1441 **** + (void)fcntl(sock, F_SETFL, O_NDELAY); + #endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */ + +! /* Initialize socket address. */ +! memset(&sin, 0, sizeof(sin)); +! sin.sin_family = AF_INET; +! if (gatewayports) +! sin.sin_addr.s_addr = INADDR_ANY; +! else +! #ifdef BROKEN_INET_ADDR +! sin.sin_addr.s_addr = inet_network("127.0.0.1"); +! #else /* BROKEN_INET_ADDR */ +! sin.sin_addr.s_addr = inet_addr("127.0.0.1"); +! #endif /* BROKEN_INET_ADDR */ +! sin.sin_port = htons(port); +! + /* Bind the socket to the address. */ +! if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) + packet_disconnect("bind: %.100s", strerror(errno)); + + /* Start listening for connections on the socket. */ +--- 1442,1451 ---- + (void)fcntl(sock, F_SETFL, O_NDELAY); + #endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */ + +! debug("Listening on %s port %s.", ntop, strport); +! + /* Bind the socket to the address. */ +! 
if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) + packet_disconnect("bind: %.100s", strerror(errno)); + + /* Start listening for connections on the socket. */ +*************** +*** 1448,1453 **** +--- 1458,1466 ---- + strcpy(channels[ch].path, host); /* note: host name stored here */ + channels[ch].host_port = host_port; /* port on host to connect to */ + channels[ch].listening_port = port; /* port being listened */ ++ ++ } /* for (ai = aitop; ai; ai = ai->ai_next) */ ++ freeaddrinfo(aitop); + } + + /* Initiate forwarding of connections to port "port" on remote host through +*************** +*** 1636,1644 **** + void channel_input_port_open(void) + { + int remote_channel, sock, newch, host_port, i; +- struct sockaddr_in sin; + char *host, *originator_string; +! struct hostent *hp; + + /* Get remote channel number. */ + remote_channel = packet_get_int(); +--- 1649,1658 ---- + void channel_input_port_open(void) + { + int remote_channel, sock, newch, host_port, i; + char *host, *originator_string; +! struct addrinfo hints, *ai, *aitop; +! char ntop[ADDRSTRLEN], strport[PORTSTRLEN]; +! int gaierr; + + /* Get remote channel number. */ + remote_channel = packet_get_int(); +*************** +*** 1678,1713 **** + } + } + +! memset(&sin, 0, sizeof(sin)); +! #ifdef BROKEN_INET_ADDR +! sin.sin_addr.s_addr = inet_network(host); +! #else /* BROKEN_INET_ADDR */ +! sin.sin_addr.s_addr = inet_addr(host); +! #endif /* BROKEN_INET_ADDR */ +! if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff) +! { +! /* It was a valid numeric host address. */ +! sin.sin_family = AF_INET; +! } +! else + { +! /* Look up the host address from the name servers. */ +! hp = gethostbyname(host); +! if (!hp) +! { +! error("%.100s: unknown host.", host); +! goto fail; +! } +! if (!hp->h_addr_list[0]) +! { +! error("%.100s: host has no IP address.", host); +! goto fail; +! } +! sin.sin_family = hp->h_addrtype; +! memcpy(&sin.sin_addr, hp->h_addr_list[0], +! 
sizeof(sin.sin_addr)); + } +- sin.sin_port = htons(host_port); + + #ifdef F_SECURE_COMMERCIAL + +--- 1692,1706 ---- + } + } + +! memset(&hints, 0, sizeof(hints)); +! hints.ai_family = IPv4or6; +! hints.ai_socktype = SOCK_STREAM; +! sprintf(strport, "%d", host_port); +! if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) + { +! error("%.100s: unknown host (%s)", host, gai_strerror(gaierr)); +! goto fail; + } + + #ifdef F_SECURE_COMMERCIAL + +*************** +*** 1744,1751 **** + + #endif /* F_SECURE_COMMERCIAL */ + + /* Create the socket. */ +! sock = socket(sin.sin_family, SOCK_STREAM, 0); + if (sock < 0) + { + error("socket: %.100s", strerror(errno)); +--- 1737,1751 ---- + + #endif /* F_SECURE_COMMERCIAL */ + ++ for (ai = aitop; ai; ai = ai->ai_next) ++ { ++ ++ getnameinfo(ai->ai_addr, ai->ai_addrlen, ++ ntop, sizeof(ntop), strport, sizeof(strport), ++ NI_NUMERICHOST|NI_NUMERICSERV); ++ + /* Create the socket. */ +! sock = socket(ai->ai_family, SOCK_STREAM, 0); + if (sock < 0) + { + error("socket: %.100s", strerror(errno)); +*************** +*** 1753,1767 **** + } + + /* Connect to the host/port. */ +! if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) + { +! error("connect %.100s:%d: %.100s", host, host_port, +! strerror(errno)); + close(sock); + goto fail; + } + + /* Successful connection. */ + + #if defined(O_NONBLOCK) && !defined(O_NONBLOCK_BROKEN) + (void)fcntl(sock, F_SETFL, O_NONBLOCK); +--- 1753,1777 ---- + } + + /* Connect to the host/port. */ +! if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) + { +! debug("connect %.100s port %s: %.100s", ntop, strport, strerror(errno)); + close(sock); ++ continue; /* fail -- try next */ ++ } ++ break; /* success */ ++ ++ } /* for (ai = aitop; ai; ai = ai->ai_next) */ ++ freeaddrinfo(aitop); ++ ++ if (!ai) ++ { ++ error("connect %.100s:%d: failed.", host, host_port); + goto fail; + } + + /* Successful connection. 
*/ ++ debug("Connecting to %.200s [%.100s] port %s.", host, ntop, strport); + + #if defined(O_NONBLOCK) && !defined(O_NONBLOCK_BROKEN) + (void)fcntl(sock, F_SETFL, O_NONBLOCK); +*************** +*** 1803,1809 **** + { + extern ServerOptions options; + int display_number, port, sock; +! struct sockaddr_in sin; + char buf[512]; + #ifdef HAVE_GETHOSTNAME + char hostname[257]; +--- 1813,1822 ---- + { + extern ServerOptions options; + int display_number, port, sock; +! struct addrinfo hints, *ai, *aitop; +! char strport[PORTSTRLEN]; +! #define NUM_SOCKS 10 +! int gaierr, n, nn, num_socks = 0, socks[NUM_SOCKS]; + char buf[512]; + #ifdef HAVE_GETHOSTNAME + char hostname[257]; +*************** +*** 1817,1828 **** + for (display_number = options.x11_display_offset; display_number < MAX_DISPLAYS; display_number++) + { + port = 6000 + display_number; +! memset(&sin, 0, sizeof(sin)); +! sin.sin_family = AF_INET; +! sin.sin_addr.s_addr = INADDR_ANY; +! sin.sin_port = htons(port); + +! sock = socket(AF_INET, SOCK_STREAM, 0); + if (sock < 0) + { + error("socket: %.100s", strerror(errno)); +--- 1830,1850 ---- + for (display_number = options.x11_display_offset; display_number < MAX_DISPLAYS; display_number++) + { + port = 6000 + display_number; +! memset(&hints, 0, sizeof(hints)); +! hints.ai_family = IPv4or6; +! hints.ai_flags = AI_PASSIVE; +! hints.ai_socktype = SOCK_STREAM; +! sprintf(strport, "%d", port); +! if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) +! { +! error("getaddrinfo: %.100s", gai_strerror(gaierr)); +! return NULL; +! } +! +! for (ai = aitop; ai; ai = ai->ai_next) +! { + +! sock = socket(ai->ai_family, SOCK_STREAM, 0); + if (sock < 0) + { + error("socket: %.100s", strerror(errno)); +*************** +*** 1835,1847 **** + (void)fcntl(sock, F_SETFL, O_NDELAY); + #endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */ + +! 
if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) + { + debug("bind port %d: %.100s", port, strerror(errno)); + shutdown(sock, 2); + close(sock); +! continue; + } + break; + } + if (display_number >= MAX_DISPLAYS) +--- 1857,1882 ---- + (void)fcntl(sock, F_SETFL, O_NDELAY); + #endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */ + +! if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) + { + debug("bind port %d: %.100s", port, strerror(errno)); + shutdown(sock, 2); + close(sock); +! for (n = 0; n < num_socks; n++) +! { +! shutdown(socks[n], 2); +! close(socks[n]); +! } +! num_socks = 0; +! break; + } ++ ++ socks[num_socks++] = sock; ++ if (num_socks == NUM_SOCKS) ++ break; ++ } /* for (ai = aitop; ai; ai = ai->ai_next) */ ++ ++ if (num_socks > 0) + break; + } + if (display_number >= MAX_DISPLAYS) +*************** +*** 1851,1863 **** +--- 1886,1907 ---- + } + + /* Start listening for connections on the socket. */ ++ for (n = 0; n < num_socks; n++) ++ { ++ sock = socks[n]; + if (listen(sock, 5) < 0) + { + error("listen: %.100s", strerror(errno)); + shutdown(sock, 2); + close(sock); ++ for (nn = 0; nn < n; nn++) ++ { ++ shutdown(socks[nn], 2); ++ close(socks[nn]); ++ } + return NULL; + } ++ } /* for (n = 0; n < num_socks; n++) */ + + /* Set up a suitable value for the DISPLAY variable. */ + #ifdef NONSTANDARD_IP_ADDRESS_X11_KLUDGE +*************** +*** 1868,1877 **** + if (gethostname(hostname, sizeof(hostname)) < 0) + fatal("gethostname: %.100s", strerror(errno)); + { +! struct hostent *hp; +! struct in_addr addr; +! hp = gethostbyname(hostname); +! if (hp == NULL || !hp->h_addr_list[0]) + { + error("Could not get server IP address for %.200s.", hostname); + packet_send_debug("Could not get server IP address for %.200s.", +--- 1912,1922 ---- + if (gethostname(hostname, sizeof(hostname)) < 0) + fatal("gethostname: %.100s", strerror(errno)); + { +! struct addrinfo hints, *ai; +! char ntop[ADDRSTRLEN]; +! memset(&hints, 0, sizeof(hints)); +! hints.ai_family = IPv4or6; +! 
if (getaddrinfo(hostname, NULL, &hints, &ai) != 0 || !ai) + { + error("Could not get server IP address for %.200s.", hostname); + packet_send_debug("Could not get server IP address for %.200s.", +*************** +*** 1880,1888 **** + close(sock); + return NULL; + } +! memcpy(&addr, hp->h_addr_list[0], sizeof(addr)); + snprintf(buf, sizeof(buf), +! "%.100s:%d.%d", inet_ntoa(addr), display_number, + screen_number); + } + #else /* NONSTANDARD_IP_ADDRESS_X11_KLUDGE */ +--- 1925,1934 ---- + close(sock); + return NULL; + } +! getnameinfo(ai->ai_addr, ai->ai_addrlen, +! ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST); + snprintf(buf, sizeof(buf), +! "%.100s:%d.%d", ntop, display_number, + screen_number); + } + #else /* NONSTANDARD_IP_ADDRESS_X11_KLUDGE */ +*************** +*** 1891,1896 **** +--- 1937,1945 ---- + fatal("gethostname: %.100s", strerror(errno)); + snprintf(buf, sizeof(buf), + "%.400s:%d.%d", hostname, display_number, screen_number); ++ #if __FreeBSD_version >= 320000 ++ trimdomain(buf, UT_HOSTSIZE); ++ #endif + #else /* HAVE_GETHOSTNAME */ + if (uname(&uts) < 0) + fatal("uname: %.100s", strerror(errno)); +*************** +*** 1900,1907 **** +--- 1949,1960 ---- + #endif /* NONSTANDARD_IP_ADDRESS_X11_KLUDGE */ + + /* Allocate a channel for the socket. */ ++ for (n = 0; n < num_socks; n++) ++ { ++ sock = socks[n]; + (void)channel_allocate(SSH_CHANNEL_X11_LISTENER, sock, + xstrdup("X11 inet listener")); ++ } /* for (n = 0; n < num_socks; n++) */ + + /* Return a suitable value for the DISPLAY environment variable. */ + return xstrdup(buf); +*************** +*** 1916,1924 **** + int remote_channel, display_number, sock, newch; + const char *display; + struct sockaddr_un ssun; +- struct sockaddr_in sin; + char buf[255], *cp, *remote_host; +! struct hostent *hp; + + /* Get remote channel number. 
*/ + remote_channel = packet_get_int(); +--- 1969,1978 ---- + int remote_channel, display_number, sock, newch; + const char *display; + struct sockaddr_un ssun; + char buf[255], *cp, *remote_host; +! struct addrinfo hints, *ai, *aitop; +! char strport[PORTSTRLEN]; +! int gaierr; + + /* Get remote channel number. */ + remote_channel = packet_get_int(); +*************** +*** 2058,2110 **** + goto fail; + } + +! /* Try to parse the host name as a numeric IP address. */ +! memset(&sin, 0, sizeof(sin)); +! #ifdef BROKEN_INET_ADDR +! sin.sin_addr.s_addr = inet_network(buf); +! #else /* BROKEN_INET_ADDR */ +! sin.sin_addr.s_addr = inet_addr(buf); +! #endif /* BROKEN_INET_ADDR */ +! if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff) + { +! /* It was a valid numeric host address. */ +! sin.sin_family = AF_INET; + } +! else + { +- /* Not a numeric IP address. */ +- /* Look up the host address from the name servers. */ +- hp = gethostbyname(buf); +- if (!hp) +- { +- error("%.100s: unknown host.", buf); +- goto fail; +- } +- if (!hp->h_addr_list[0]) +- { +- error("%.100s: host has no IP address.", buf); +- goto fail; +- } +- sin.sin_family = hp->h_addrtype; +- memcpy(&sin.sin_addr, hp->h_addr_list[0], +- sizeof(sin.sin_addr)); +- } +- /* Set port number. */ +- sin.sin_port = htons(6000 + display_number); + + /* Create a socket. */ +! sock = socket(sin.sin_family, SOCK_STREAM, 0); + if (sock < 0) + { +! error("socket: %.100s", strerror(errno)); +! goto fail; + } + /* Connect it to the display. */ +! if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) + { +! error("connect %.100s:%d: %.100s", buf, 6000 + display_number, + strerror(errno)); + close(sock); + goto fail; + } + +--- 2112,2155 ---- + goto fail; + } + +! /* Look up the host address */ +! memset(&hints, 0, sizeof(hints)); +! hints.ai_family = IPv4or6; +! hints.ai_socktype = SOCK_STREAM; +! sprintf(strport, "%d", 6000 + display_number); +! if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) + { +! 
error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr)); +! goto fail; + } +! +! for (ai = aitop; ai; ai = ai->ai_next) + { + + /* Create a socket. */ +! sock = socket(ai->ai_family, SOCK_STREAM, 0); + if (sock < 0) + { +! debug("socket: %.100s", strerror(errno)); +! continue; + } + /* Connect it to the display. */ +! if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) + { +! debug("connect %.100s:%d: %.100s", buf, 6000 + display_number, + strerror(errno)); + close(sock); ++ continue; ++ } ++ /* Success */ ++ break; ++ ++ } /* (ai = aitop, ai; ai = ai->ai_next) */ ++ freeaddrinfo(aitop); ++ if (!ai) ++ { ++ error("connect %.100s:%d: %.100s", buf, 6000 + display_number, ++ strerror(errno)); + goto fail; + } + +*************** +*** 2412,2417 **** +--- 2457,2466 ---- + ssh-agent connections on your system */ + old_umask = umask(S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); + ++ /* Make sure the socket doesn't already exist, left over from a system ++ crash perhaps. */ ++ unlink(channel_forwarded_auth_socket_name); ++ + if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < 0) + packet_disconnect("Agent socket bind failed: %.100s", strerror(errno)); + diff --git a/security/ssh/files/patch-aw b/security/ssh/files/patch-aw index 2f0b5a8..697f323 100644 --- a/security/ssh/files/patch-aw +++ b/security/ssh/files/patch-aw 
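Review bot: In channel_input_port_open the new `sprintf(strport, "%d", host_port)` writes a peer-supplied value (host_port appears to be read from the packet just above the hunk) into `strport[PORTSTRLEN]` with neither a range check nor a bound on the write, and channel_input_x11_open does the same with `6000 + display_number` parsed from the remote display string; a negative or oversized int formats to as many as 11 characters, and PORTSTRLEN is not visible here. Reject values outside the port range before formatting, `if (host_port < 1 || host_port > 65535) { error("%.100s: bad port %d", host, host_port); goto fail; }`, and use `snprintf(strport, sizeof(strport), "%d", host_port);` at every one of these sites. In the X11 listener loop the `aitop` returned by getaddrinfo() is never passed to freeaddrinfo(), and neither is the `ai` obtained in the NONSTANDARD_IP_ADDRESS_X11_KLUDGE lookup, so each display probe leaks the list. On the kludge error path only `sock` is closed while the remaining entries of `socks[]` stay open, so the close-all loop added after the listen() failure should be applied there as well. All functions touched here begin and end outside the hunk's context.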
@@ -1,30 +1,73 @@ ---- login.c.orig Wed May 12 12:19:26 1999 -+++ login.c Fri Jun 18 12:11:20 1999 -@@ -117,6 +117,9 @@ - #include <hpsecurity.h> - #include <prot.h> - #endif /* HAVE_HPUX_TCB_AUTH */ -+#ifdef __FreeBSD__ -+#include <osreldate.h> -+#endif - #include "ssh.h" - - /* Returns the time when the user last logged in. Returns 0 if the -@@ -301,12 +304,15 @@ - strncpy(u.ut_user, user, sizeof(u.ut_user)); - #endif /* HAVE_NAME_IN_UTMP */ - #ifdef HAVE_HOST_IN_UTMP -- strncpy(u.ut_host, host, sizeof(u.ut_host)); - #ifdef __FreeBSD__ -+#if __FreeBSD_version >= 320000 -+ trimdomain(host, sizeof u.ut_host); -+#endif - if (strlen(host) > sizeof(u.ut_host)) { - strncpy(u.ut_host, get_remote_ipaddr(), sizeof(u.ut_host)); -- } -+ } else - #endif /* __FreeBSD__ */ -+ strncpy(u.ut_host, host, sizeof(u.ut_host)); - #endif /* HAVE_HOST_IN_UTMP */ - #ifdef HAVE_ADDR_IN_UTMP - if (addr) +*** login.c.orig Tue Jan 11 20:36:37 2000 +--- login.c Tue Jan 11 20:36:34 2000 +*************** +*** 117,122 **** +--- 117,125 ---- + #include <hpsecurity.h> + #include <prot.h> + #endif /* HAVE_HPUX_TCB_AUTH */ ++ #ifdef __FreeBSD__ ++ #include <osreldate.h> ++ #endif + #include "ssh.h" + + /* Returns the time when the user last logged in. Returns 0 if the +*************** +*** 255,261 **** + were more standardized. */ + + void record_login(int pid, const char *ttyname, const char *user, uid_t uid, +! const char *host, struct sockaddr_in *addr) + { + int fd; + +--- 258,264 ---- + were more standardized. */ + + void record_login(int pid, const char *ttyname, const char *user, uid_t uid, +! const char *host, struct sockaddr *addr) + { + int fd; + +*************** +*** 301,317 **** + strncpy(u.ut_user, user, sizeof(u.ut_user)); + #endif /* HAVE_NAME_IN_UTMP */ + #ifdef HAVE_HOST_IN_UTMP +- strncpy(u.ut_host, host, sizeof(u.ut_host)); + #ifdef __FreeBSD__ + if (strlen(host) > sizeof(u.ut_host)) { + strncpy(u.ut_host, get_remote_ipaddr(), sizeof(u.ut_host)); +! 
} + #endif /* __FreeBSD__ */ + #endif /* HAVE_HOST_IN_UTMP */ + #ifdef HAVE_ADDR_IN_UTMP + if (addr) + memcpy(&u.ut_addr, &addr->sin_addr, sizeof(u.ut_addr)); + else + memset(&u.ut_addr, 0, sizeof(u.ut_addr)); + #endif + +--- 304,325 ---- + strncpy(u.ut_user, user, sizeof(u.ut_user)); + #endif /* HAVE_NAME_IN_UTMP */ + #ifdef HAVE_HOST_IN_UTMP + #ifdef __FreeBSD__ ++ #if __FreeBSD_version >= 320000 ++ trimdomain(host, sizeof u.ut_host); ++ #endif + if (strlen(host) > sizeof(u.ut_host)) { + strncpy(u.ut_host, get_remote_ipaddr(), sizeof(u.ut_host)); +! } else + #endif /* __FreeBSD__ */ ++ strncpy(u.ut_host, host, sizeof(u.ut_host)); + #endif /* HAVE_HOST_IN_UTMP */ + #ifdef HAVE_ADDR_IN_UTMP ++ #if 0 /* XXX */ + if (addr) + memcpy(&u.ut_addr, &addr->sin_addr, sizeof(u.ut_addr)); + else ++ #endif /* XXX */ + memset(&u.ut_addr, 0, sizeof(u.ut_addr)); + #endif + diff --git a/security/ssh/files/patch-ba b/security/ssh/files/patch-ba new file mode 100644 index 0000000..69ad90067 --- /dev/null +++ b/security/ssh/files/patch-ba 
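Review bot: The `#if 0 /* XXX */` in record_login now zeroes `u.ut_addr` unconditionally, so on systems where HAVE_ADDR_IN_UTMP is defined the utmp/wtmp record no longer carries the client's address, which `ut_host` cannot preserve once the hostname is replaced or truncated; that is a loss of login audit data rather than a plain type fix. Since `addr` is now a `struct sockaddr *`, the IPv4 case can still be recorded by dispatching on `sa_family` and leaving the field zero for other families that the four-byte `ut_addr` cannot hold. record_login continues outside the hunk.
```c
#ifdef HAVE_ADDR_IN_UTMP
  /* ut_addr holds an IPv4 address only; leave it zeroed for other families. */
  if (addr && addr->sa_family == AF_INET)
    memcpy(&u.ut_addr, &((struct sockaddr_in *)addr)->sin_addr, sizeof(u.ut_addr));
  else
    memset(&u.ut_addr, 0, sizeof(u.ut_addr));
#endif
```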
@@ -0,0 +1,176 @@ +*** README-IPv6.orig Mon Jan 10 22:56:13 2000 +--- README-IPv6 Mon Jan 10 22:56:13 2000 +*************** +*** 0 **** +--- 1,171 ---- ++ ssh-1.2.27-IPv6 version 1.5 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * ssh-1.2.27-IPv6 can handle both IPv4 and IPv6. ++ ++ To enable sshd/ssh to handle both IPv4 and IPv6, ++ ++ ./configure --enable-ipv6 ++ ++ Otherwise sshd/ssh handle IPv4 only as same as original ssh. ++ ++ * You can have multiple ListenAddress lines in /etc/sshd_config. ++ It means that sshd can listen multiple addresses. ++ ++ Example1: sshd will bind on these four adresses. ++ ++ ListenAddress 202.249.17.50 ++ ListenAddress 202.249.17.137 ++ ListenAddress 3ffe:501:c0b::1 ++ ListenAddress 3ffe:501:c0b:20:2a0:c9ff:fe3e:f5fc ++ ++ Example2: as same as example1. ++ (Because bertemu.rcac.tdi.co.jp has these four addresses.) ++ ++ ListenAddress bertemu.rcac.tdi.co.jp ++ ++ Example3: sshd will bind on any address both IPv4 and IPv6. ++ ++ ListenAddress :: ++ ListenAddress 0.0.0.0 ++ ++ Example4: as same as example3. ++ ++ No ListenAddress line in /etc/sshd_config. ++ ++ * You don't mind whether the host has IPv4 or IPv6 address. ++ You can also specify using only IPv4 (or only IPv6). ++ ++ Example1: ssh will try all IPv4 and IPv6 addresses that the host has. ++ ++ ssh host ++ ++ Example2: ssh will try all IPv4 addresses that the host has. ++ ++ ssh -4 host ++ ++ Example3: ssh will try all IPv6 addresses that the host has. ++ ++ ssh -6 host ++ ++ * You can have multiple Port lines in /etc/sshd_config and -p options. ++ It means that sshd can listen multiple ports, not only port 22. ++ ++ For example, you run sshd that listens port 22 and port 722, ++ and you can use port 22 for slogin and port 722 for scp. ++ It's useful if you have preference for interactive traffic in the router. ++ ++ You can have "AnotherPort 722" line in /etc/ssh_config or your ++ config file (maybe ~/.ssh/config). 
In this case, ssh with -A option ++ try to connect to port 722 at first, and try to connect to original ++ port (maybe port 22) if port 722 fails. scp executes ssh with -A option. ++ ++ * IPv6 supported platform ++ ++ IPv6 feature is available on follwing platforms now. ++ ++ kame -- http://www.kame.net/ (used to be called Hydrangea) ++ v6d -- http://onoe2.sm.sony.co.jp/ipv6/ (IPv6 daemon) ++ ++ On the other environments you can compile and run ssh-1.2.27-IPv6 if ++ you have a good getaddrinfo() in your library. ++ ++ * How to get ssh-1.2.27-IPv6 ++ ++ You can get tar.gz or patch to ssh-1.2.27.tar.gz: ++ ++ ftp://ftp.kyoto.wide.ad.jp/IPv6/ssh/ssh-1.2.27-IPv6-1.5.tar.gz ++ ftp://ftp.kyoto.wide.ad.jp/IPv6/ssh/ssh-1.2.27-IPv6-1.5-patch.gz ++ ++ * How to install ssh-1.2.27-IPv6 ++ ++ Apply ssh-1.2.27-IPv6-1.5-patch to ssh-1.2.27.tar.gz (or use ++ ssh-1.2.27-IPv6-1.5.tar.gz) and then see INSTALL file of ssh-1.2.27. ++ ++ If you want to enable ssh to handle IPv6, for example, ++ ++ % ./configure --enable-ipv6 ++ % make ++ % make install ++ ++ and you will be able to enjoy ssh handling both IPv6 and IPv4. 
++ ++ * Change Log ++ ++ v1.5 1999-05-15 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * for ssh-1.2.27 ++ * supported scp with bracketed ipv6 ip address ++ * used struct sockaddr_storage instead of union sockunion ++ ++ v1.4 1998-08-21 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * fixed ipv6 address checking bug at match_host() in match.c ++ * cleanup comparing ip address at get_remote_hostname() in canohost.c ++ ++ v1.3 1998-08-14 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * fixed ipv6 address checking bug at match_host() in match.c ++ pointed out by Kenji Rikitake <kenji@k2r.org> ++ ++ v1.2.2 1998-08-07 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * fixed IPv6 enable checking bug in configure.in ++ ++ v1.2.1 1998-08-05 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * fixed AuthLog enable handling bug ++ ++ v1.2 1998-08-01 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * for ssh-1.2.26 ++ ++ v1.1.5 1998-06-13 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * supported AuthLog (logging authenticated info) in /etc/sshd_config ++ ++ v1.1.4 1998-06-11 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * supported multiple Port lines in /etc/sshd_config ++ * supported AnotherPort line in /etc/ssh_config ++ * supported -A option of ssh for another port try ++ ++ v1.1.3 1998-06-01 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * X11 connection forwarding IPv6 support ++ * removeed all hostent and sockaddr_in from *.c ++ ++ v1.1.2 1998-05-31 Jun-ichiro itojun Itoh <itojun@itojun.org> ++ ++ * configuration support for v6d. ++ ++ v1.1.1 1998-05-31 Jun-ichiro itojun Itoh <itojun@itojun.org> ++ ++ * add getaddinfo.c, getnameinfo.c and gai.h (delete fakelibinet6.c) ++ * configure checks whether getaddrinfo exists or not. ++ ++ v1.1 1998-05-31 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * add fakelibinet6.c (including getaddrinfo and getnameinfo) ++ * compilation support on non-IPv6 environment. 
++ * fixed port forwarding bug ++ ++ v1.0.1 1998-05-30 Jun-ichiro itojun Itoh <itojun@itojun.org> ++ ++ * add ENABLE_IPV6 flag. ++ * configuration support --enable-ipv6 for IPv6 platforms. ++ ++ v1.0 1998-05-30 created by KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * first release ++ * IPv6 support except X11 connection forwarding ++ ++ * Guideline for making this patch ++ ++ * protocol family independent (using AF_UNSPEC) ++ * use getaddrinfo and getnameinfo (see RFC2133) ++ * don't use sockaddr_in and AF_INET (but option -4 uses AF_INET) ++ * don't use sockaddr_in6 and AF_INET6 (but option -6 uses AF_INET6) ++ * don't use gethostbyname, gethostbyaddr and hostent ++ * listen to all addresses for all available protocol family ++ * try to connect to all addresses for all available protocol family ++ diff --git a/security/ssh/files/patch-bb b/security/ssh/files/patch-bb new file mode 100644 index 0000000..945e1fd --- /dev/null +++ b/security/ssh/files/patch-bb @@ -0,0 +1,29 @@ +*** acconfig.h.orig Wed May 12 13:19:23 1999 +--- acconfig.h Mon Jan 10 22:56:13 2000 +*************** +*** 274,279 **** +--- 274,297 ---- + /etc/nologin.allow. */ + #undef NOLOGIN_ALLOW + ++ /* Define this if you have struct sockaddr_storage. */ ++ #undef HAVE_SOCKADDR_STORAGE ++ ++ /* Define this if you have __sa_family in struct sockaddr_storage. */ ++ #undef HAVE_NEW_SS_FAMILY ++ ++ /* Define this if you have ss_len in struct sockaddr. */ ++ #undef HAVE_SOCKADDR_LEN ++ ++ /* Define this if you want to enable IPv6 support. */ ++ #undef ENABLE_IPV6 ++ ++ /* Define this if you want to enable another port try support. */ ++ #undef ENABLE_ANOTHER_PORT_TRY ++ ++ /* Define this if you want to enable logging auth info support. */ ++ #undef ENABLE_LOG_AUTH ++ + /* Where to find the X11 socket */ + #undef X11_DIR + diff --git a/security/ssh/files/patch-bc b/security/ssh/files/patch-bc new file mode 100644 index 0000000..63b079f --- /dev/null +++ b/security/ssh/files/patch-bc 
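Review bot: The comment above `#undef HAVE_SOCKADDR_LEN` says "ss_len in struct sockaddr", but the configure.in check in patch-be greps sys/socket.h for `sa_len`, and `struct sockaddr` has no `ss_len` member; the same text is added to config.h.in in patch-bd. Suggest `/* Define this if you have sa_len in struct sockaddr. */` in both files so the macro's documentation matches the probe that sets it.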
@@ -0,0 +1,401 @@ +*** canohost.c.orig Wed May 12 13:19:24 1999 +--- canohost.c Mon Jan 10 22:56:13 2000 +*************** +*** 59,68 **** + + char *get_remote_hostname(int socket) + { +! struct sockaddr_in from; + int fromlen, i; +! struct hostent *hp; + char name[255]; + + /* Get IP address of client. */ + fromlen = sizeof(from); +--- 59,69 ---- + + char *get_remote_hostname(int socket) + { +! struct sockaddr_storage from; + int fromlen, i; +! struct addrinfo hints, *ai, *aitop; + char name[255]; ++ char ntop[ADDRSTRLEN], ntop2[ADDRSTRLEN]; + + /* Get IP address of client. */ + fromlen = sizeof(from); +*************** +*** 73,86 **** + strcpy(name, "UNKNOWN"); + goto check_ip_options; + } + + /* Map the IP address to a host name. */ +! hp = gethostbyaddr((char *)&from.sin_addr, sizeof(struct in_addr), +! from.sin_family); +! if (hp) + { + /* Got host name. */ +- strncpy(name, hp->h_name, sizeof(name)); + name[sizeof(name) - 1] = '\0'; + + /* Convert it to all lowercase (which is expected by the rest of this +--- 74,89 ---- + strcpy(name, "UNKNOWN"); + goto check_ip_options; + } ++ ++ getnameinfo((struct sockaddr *)&from, fromlen, ++ ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST); + + /* Map the IP address to a host name. */ +! if (getnameinfo((struct sockaddr *)&from, fromlen, +! name, sizeof(name), +! NULL, 0, NI_NAMEREQD) == 0) + { + /* Got host name. */ + name[sizeof(name) - 1] = '\0'; + + /* Convert it to all lowercase (which is expected by the rest of this +*************** +*** 95,119 **** + Mapping from name to IP address can be trusted better (but can still + be fooled if the intruder has access to the name server of the + domain). */ +! hp = gethostbyname(name); +! if (!hp) + { + log_msg("reverse mapping checking gethostbyname for %.700s failed - POSSIBLE BREAKIN ATTEMPT!", name); +! strcpy(name, inet_ntoa(from.sin_addr)); + goto check_ip_options; + } + /* Look for the address from the list of addresses. */ +! for (i = 0; hp->h_addr_list[i]; i++) +! 
if (memcmp(hp->h_addr_list[i], &from.sin_addr, sizeof(from.sin_addr)) +! == 0) +! break; + /* If we reached the end of the list, the address was not there. */ +! if (!hp->h_addr_list[i]) + { + /* Address not found for the host name. */ + log_msg("Address %.100s maps to %.600s, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!", +! inet_ntoa(from.sin_addr), name); +! strcpy(name, inet_ntoa(from.sin_addr)); + goto check_ip_options; + } + /* Address was found for the host name. We accept the host name. */ +--- 98,127 ---- + Mapping from name to IP address can be trusted better (but can still + be fooled if the intruder has access to the name server of the + domain). */ +! memset(&hints, 0, sizeof(hints)); +! hints.ai_family = from.__ss_family; +! if (getaddrinfo(name, NULL, &hints, &aitop) != 0) + { + log_msg("reverse mapping checking gethostbyname for %.700s failed - POSSIBLE BREAKIN ATTEMPT!", name); +! strcpy(name, ntop); + goto check_ip_options; + } + /* Look for the address from the list of addresses. */ +! for (ai = aitop; ai; ai = ai->ai_next) +! { +! getnameinfo(ai->ai_addr, ai->ai_addrlen, +! ntop2, sizeof(ntop2), NULL, 0, NI_NUMERICHOST); +! if (strcmp(ntop, ntop2) == 0) +! break; +! } +! freeaddrinfo(aitop); + /* If we reached the end of the list, the address was not there. */ +! if (!ai) + { + /* Address not found for the host name. */ + log_msg("Address %.100s maps to %.600s, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!", +! ntop, name); +! strcpy(name, ntop); + goto check_ip_options; + } + /* Address was found for the host name. We accept the host name. */ +*************** +*** 121,127 **** + else + { + /* Host name not found. Use ascii representation of the address. */ +! strcpy(name, inet_ntoa(from.sin_addr)); + log_msg("Could not reverse map address %.100s.", name); + } + +--- 129,135 ---- + else + { + /* Host name not found. Use ascii representation of the address. */ +! 
strcpy(name, ntop); + log_msg("Could not reverse map address %.100s.", name); + } + +*************** +*** 136,141 **** +--- 144,150 ---- + Notice also that if we just dropped source routing here, the other + side could use IP spoofing to do rest of the interaction and could still + bypass security. So we exit here if we detect any IP options. */ ++ if (from.__ss_family == AF_INET) /* IP options -- IPv4 only */ + { + unsigned char options[200], *ucp; + char text[1024], *cp; +*************** +*** 157,165 **** + for (ucp = options; option_size > 0; ucp++, option_size--, cp += 3) + sprintf(cp, " %2.2x", *ucp); + log_msg("Connection from %.100s with IP options:%.800s", +! inet_ntoa(from.sin_addr), text); + packet_disconnect("Connection from %.100s with IP options:%.800s", +! inet_ntoa(from.sin_addr), text); + } + } + #endif +--- 166,174 ---- + for (ucp = options; option_size > 0; ucp++, option_size--, cp += 3) + sprintf(cp, " %2.2x", *ucp); + log_msg("Connection from %.100s with IP options:%.800s", +! ntop, text); + packet_disconnect("Connection from %.100s with IP options:%.800s", +! ntop, text); + } + } + #endif +*************** +*** 177,183 **** + const char *get_canonical_hostname(void) + { + int fromlen, tolen; +! struct sockaddr_in from, to; + + /* Check if we have previously retrieved this same name. */ + if (canonical_host_name != NULL) +--- 186,192 ---- + const char *get_canonical_hostname(void) + { + int fromlen, tolen; +! struct sockaddr_storage from, to; + + /* Check if we have previously retrieved this same name. */ + if (canonical_host_name != NULL) +*************** +*** 200,207 **** + &tolen) < 0) + goto no_ip_addr; + +! if (from.sin_family == AF_INET && to.sin_family == AF_INET && +! memcmp(&from, &to, sizeof(from)) == 0) + goto return_ip_addr; + + no_ip_addr: +--- 209,215 ---- + &tolen) < 0) + goto no_ip_addr; + +! 
if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0) + goto return_ip_addr; + + no_ip_addr: +*************** +*** 221,228 **** + + const char *get_remote_ipaddr(void) + { +! struct sockaddr_in from, to; + int fromlen, tolen, socket; + + /* Check if we have previously retrieved this same name. */ + if (canonical_host_ip != NULL) +--- 229,237 ---- + + const char *get_remote_ipaddr(void) + { +! struct sockaddr_storage from, to; + int fromlen, tolen, socket; ++ char ntop[ADDRSTRLEN]; + + /* Check if we have previously retrieved this same name. */ + if (canonical_host_ip != NULL) +*************** +*** 245,252 **** + &tolen) < 0) + goto no_ip_addr; + +! if (from.sin_family == AF_INET && to.sin_family == AF_INET && +! memcmp(&from, &to, sizeof(from)) == 0) + goto return_ip_addr; + + no_ip_addr: +--- 254,260 ---- + &tolen) < 0) + goto no_ip_addr; + +! if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0) + goto return_ip_addr; + + no_ip_addr: +*************** +*** 269,275 **** + } + + /* Get the IP address in ascii. */ +! canonical_host_ip = xstrdup(inet_ntoa(from.sin_addr)); + + /* Return ip address string. */ + return canonical_host_ip; +--- 277,285 ---- + } + + /* Get the IP address in ascii. */ +! getnameinfo((struct sockaddr *)&from, fromlen, +! ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST); +! canonical_host_ip = xstrdup(ntop); + + /* Return ip address string. */ + return canonical_host_ip; +*************** +*** 279,286 **** + + int get_peer_port(int sock) + { +! struct sockaddr_in from; + int fromlen; + + /* Get IP address of client. */ + fromlen = sizeof(from); +--- 289,297 ---- + + int get_peer_port(int sock) + { +! struct sockaddr_storage from; + int fromlen; ++ char strport[PORTSTRLEN]; + + /* Get IP address of client. */ + fromlen = sizeof(from); +*************** +*** 292,298 **** + } + + /* Return port number. */ +! return ntohs(from.sin_port); + } + + /* Returns the port number of the remote host. */ +--- 303,311 ---- + } + + /* Return port number. 
*/ +! getnameinfo((struct sockaddr *)&from, fromlen, +! NULL, 0, strport, sizeof(strport), NI_NUMERICSERV); +! return atoi(strport); + } + + /* Returns the port number of the remote host. */ +*************** +*** 301,307 **** + { + int socket; + int fromlen, tolen; +! struct sockaddr_in from, to; + + /* If two different descriptors, check if they are internet-domain, and + have the same address. */ +--- 314,320 ---- + { + int socket; + int fromlen, tolen; +! struct sockaddr_storage from, to; + + /* If two different descriptors, check if they are internet-domain, and + have the same address. */ +*************** +*** 319,326 **** + &tolen) < 0) + goto no_ip_addr; + +! if (from.sin_family == AF_INET && to.sin_family == AF_INET && +! memcmp(&from, &to, sizeof(from)) == 0) + goto return_port; + + no_ip_addr: +--- 332,338 ---- + &tolen) < 0) + goto no_ip_addr; + +! if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0) + goto return_port; + + no_ip_addr: +*************** +*** 335,337 **** +--- 347,413 ---- + /* Get and return the peer port number. */ + return get_peer_port(socket); + } ++ ++ /* Returns the port of the local of the socket. */ ++ ++ int get_sock_port(int sock) ++ { ++ struct sockaddr_storage from; ++ int fromlen; ++ char strport[PORTSTRLEN]; ++ ++ /* Get IP address of client. */ ++ fromlen = sizeof(from); ++ memset(&from, 0, sizeof(from)); ++ if (getsockname(sock, (struct sockaddr *)&from, &fromlen) < 0) ++ { ++ error("getsockname failed: %.100s", strerror(errno)); ++ return 0; ++ } ++ ++ /* Return port number. */ ++ getnameinfo((struct sockaddr *)&from, fromlen, ++ NULL, 0, strport, sizeof(strport), NI_NUMERICSERV); ++ return atoi(strport); ++ } ++ ++ /* Returns the port number of the local host. */ ++ ++ int get_local_port() ++ { ++ int socket; ++ int fromlen, tolen; ++ struct sockaddr_storage from, to; ++ ++ /* If two different descriptors, check if they are internet-domain, and ++ have the same address. 
*/ ++ if (packet_get_connection_in() != packet_get_connection_out()) ++ { ++ fromlen = sizeof(from); ++ memset(&from, 0, sizeof(from)); ++ if (getsockname(packet_get_connection_in(), (struct sockaddr *)&from, ++ &fromlen) < 0) ++ goto no_ip_addr; ++ ++ tolen = sizeof(to); ++ memset(&to, 0, sizeof(to)); ++ if (getsockname(packet_get_connection_out(), (struct sockaddr *)&to, ++ &tolen) < 0) ++ goto no_ip_addr; ++ ++ if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0) ++ goto return_port; ++ ++ no_ip_addr: ++ return 65535; ++ } ++ ++ return_port: ++ ++ /* Get client socket. */ ++ socket = packet_get_connection_in(); ++ ++ /* Get and return the local port number. */ ++ return get_sock_port(socket); ++ } ++ diff --git a/security/ssh/files/patch-bd b/security/ssh/files/patch-bd new file mode 100644 index 0000000..d6c0361 --- /dev/null +++ b/security/ssh/files/patch-bd 
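Review bot: In get_remote_hostname the first `getnameinfo(..., ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST)` call discards its return value and `ntop` is otherwise uninitialized, so every later use (`strcpy(name, ntop)`, the `strcmp(ntop, ntop2)` reverse-mapping check and the log messages) reads indeterminate bytes if the call fails. The same applies to the `getnameinfo` inside the `for (ai = aitop; ...)` loop, where a failed call leaves `ntop2` holding the previous iteration's text, and to get_peer_port and get_sock_port, where `atoi(strport)` runs on an unchecked buffer. Checking the result keeps the anti-spoofing check conservative, e.g. `if (getnameinfo(..., NI_NUMERICHOST) != 0) strcpy(ntop, "UNKNOWN");` for the first call, `continue` (no match) for the loop, and `return 0;` on failure in the two port helpers. Note also that the IP-options check is now guarded by `from.__ss_family == AF_INET`, so the source-routing concern in the surrounding comment is not covered for IPv6 peers; a one-line comment there would save the next reader the question. The hunk covers the whole canohost.c change, but the ADDRSTRLEN and PORTSTRLEN definitions it relies on are outside it.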
@@ -0,0 +1,49 @@ +*** config.h.in.orig Wed May 12 13:20:04 1999 +--- config.h.in Mon Jan 10 22:56:13 2000 +*************** +*** 323,328 **** +--- 323,346 ---- + /etc/nologin.allow. */ + #undef NOLOGIN_ALLOW + ++ /* Define this if you have struct sockaddr_storage. */ ++ #undef HAVE_SOCKADDR_STORAGE ++ ++ /* Define this if you have __sa_family in struct sockaddr_storage. */ ++ #undef HAVE_NEW_SS_FAMILY ++ ++ /* Define this if you have ss_len in struct sockaddr. */ ++ #undef HAVE_SOCKADDR_LEN ++ ++ /* Define this if you want to enable IPv6 support. */ ++ #undef ENABLE_IPV6 ++ ++ /* Define this if you want to enable another port try support. */ ++ #undef ENABLE_ANOTHER_PORT_TRY ++ ++ /* Define this if you want to enable logging auth info support. */ ++ #undef ENABLE_LOG_AUTH ++ + /* Where to find the X11 socket */ + #undef X11_DIR + +*************** +*** 375,385 **** +--- 393,409 ---- + /* Define if you have the ftruncate function. */ + #undef HAVE_FTRUNCATE + ++ /* Define if you have the getaddrinfo function. */ ++ #undef HAVE_GETADDRINFO ++ + /* Define if you have the getdtablesize function. */ + #undef HAVE_GETDTABLESIZE + + /* Define if you have the gethostname function. */ + #undef HAVE_GETHOSTNAME ++ ++ /* Define if you have the getnameinfo function. */ ++ #undef HAVE_GETNAMEINFO + + /* Define if you have the getpseudotty function. */ + #undef HAVE_GETPSEUDOTTY diff --git a/security/ssh/files/patch-be b/security/ssh/files/patch-be new file mode 100644 index 0000000..d84d41f --- /dev/null +++ b/security/ssh/files/patch-be 
@@ -0,0 +1,401 @@ +*** configure.in.orig Wed May 12 13:20:02 1999 +--- configure.in Tue Jan 11 22:55:20 2000 +*************** +*** 30,37 **** +--- 30,163 ---- + fi + + AC_PROG_CC ++ AC_PROG_CPP + AC_ISC_POSIX + ++ AC_MSG_CHECKING([whether to enable ipv6]) ++ AC_ARG_ENABLE(ipv6, ++ [ --enable-ipv6 Enable ipv6 (with ipv4) support ++ --disable-ipv6 Disable ipv6 support], ++ [ case "$enableval" in ++ no) ++ AC_MSG_RESULT(no) ++ ipv6=no ++ ;; ++ *) AC_MSG_RESULT(yes) ++ AC_DEFINE(ENABLE_IPV6) ++ ipv6=yes ++ ;; ++ esac ], ++ ++ AC_TRY_RUN([ /* AF_INET6 avalable check */ ++ #include <sys/types.h> ++ #include <sys/socket.h> ++ main() ++ { ++ if (socket(AF_INET6, SOCK_STREAM, 0) < 0) ++ exit(1); ++ else ++ exit(0); ++ } ++ ], ++ AC_MSG_RESULT(yes) ++ AC_DEFINE(ENABLE_IPV6) ++ ipv6=yes, ++ AC_MSG_RESULT(no) ++ ipv6=no, ++ AC_MSG_RESULT(no) ++ ipv6=no ++ )) ++ ++ ipv6type=unknown ++ ipv6lib=none ++ ++ if test "$ipv6" = "yes"; then ++ AC_MSG_CHECKING([ipv6 stack type]) ++ for i in inria kame linux toshiba v6d zeta; do ++ case $i in ++ inria) ++ dnl http://www.kame.net/ ++ AC_EGREP_CPP(yes, [dnl ++ #include <netinet/in.h> ++ #ifdef IPV6_INRIA_VERSION ++ yes ++ #endif], ++ [ipv6type=$i; ++ CPPFLAGS="-DINET6 $CPPFLAGS"]) ++ ;; ++ kame) ++ dnl http://www.kame.net/ ++ AC_EGREP_CPP(yes, [dnl ++ #include <netinet/in.h> ++ #ifdef __KAME__ ++ yes ++ #endif], ++ [ipv6type=$i; ++ ipv6lib=inet6; ++ ipv6libdir=/usr/local/v6/lib; ++ CPPFLAGS="-DINET6 $CPPFLAGS"]) ++ ;; ++ linux) ++ dnl http://www.v6.linux.or.jp/ ++ if test -d /usr/inet6; then ++ ipv6type=$i ++ ipv6lib=inet6 ++ ipv6libdir=/usr/inet6/lib ++ CPPFLAGS="-DINET6 -I/usr/inet6/include $CPPFLAGS" ++ fi ++ ;; ++ toshiba) ++ AC_EGREP_CPP(yes, [dnl ++ #include <sys/param.h> ++ #ifdef _TOSHIBA_INET6 ++ yes ++ #endif], ++ [ipv6type=$i; ++ ipv6lib=inet6; ++ ipv6libdir=/usr/local/v6/lib; ++ CPPFLAGS="-DINET6 $CPPFLAGS"]) ++ ;; ++ v6d) ++ AC_EGREP_CPP(yes, [dnl ++ #include </usr/local/v6/include/sys/v6config.h> ++ #ifdef __V6D__ ++ yes ++ 
#endif], ++ [ipv6type=$i; ++ ipv6lib=v6; ++ ipv6libdir=/usr/local/v6/lib; ++ CPPFLAGS="-I/usr/local/v6/include $CPPFLAGS"]) ++ ;; ++ zeta) ++ AC_EGREP_CPP(yes, [dnl ++ #include <sys/param.h> ++ #ifdef _ZETA_MINAMI_INET6 ++ yes ++ #endif], ++ [ipv6type=$i; ++ ipv6lib=inet6; ++ ipv6libdir=/usr/local/v6/lib; ++ CPPFLAGS="-DINET6 $CPPFLAGS"]) ++ ;; ++ esac ++ if test "$ipv6type" != "unknown"; then ++ break ++ fi ++ done ++ AC_MSG_RESULT($ipv6type) ++ fi ++ ++ if test "$ipv6" = "yes" -a "$ipv6lib" != "none"; then ++ if test -d $ipv6libdir -a -f $ipv6libdir/lib$ipv6lib.a; then ++ LIBS="-L$ipv6libdir -l$ipv6lib $LIBS" ++ else ++ echo 'Fatal: no $ipv6lib library found. cannot continue.' ++ echo "You need to fetch lib$ipv6lib.a from appropriate" ++ echo 'ipv6 kit and compile beforehand.' ++ exit 1 ++ fi ++ fi ++ + AC_DEFINE_UNQUOTED(HOSTTYPE, "$host") + + case "$host" in +*************** +*** 313,319 **** + + # Socket pairs appear to be broken on several systems. I don't know exactly + # where, so I'll use pipes everywhere for now. +! AC_DEFINE(USE_PIPES) + + AC_MSG_CHECKING([that the compiler works]) + AC_TRY_RUN([ main(int ac, char **av) { return 0; } ], +--- 439,445 ---- + + # Socket pairs appear to be broken on several systems. I don't know exactly + # where, so I'll use pipes everywhere for now. +! # AC_DEFINE(USE_PIPES) + + AC_MSG_CHECKING([that the compiler works]) + AC_TRY_RUN([ main(int ac, char **av) { return 0; } ], +*************** +*** 369,375 **** + + AC_HEADER_STDC + AC_HEADER_SYS_WAIT +! AC_CHECK_HEADERS(unistd.h rusage.h sys/time.h lastlog.h utmp.h shadow.h) + AC_CHECK_HEADERS(sgtty.h sys/select.h sys/ioctl.h machine/endian.h) + AC_CHECK_HEADERS(paths.h usersec.h utime.h netinet/in_systm.h) + AC_CHECK_HEADERS(netinet/in_system.h netinet/ip.h netinet/tcp.h ulimit.h) +--- 495,501 ---- + + AC_HEADER_STDC + AC_HEADER_SYS_WAIT +! 
AC_CHECK_HEADERS(unistd.h rusage.h sys/time.h lastlog.h login_cap.h utmp.h shadow.h) + AC_CHECK_HEADERS(sgtty.h sys/select.h sys/ioctl.h machine/endian.h) + AC_CHECK_HEADERS(paths.h usersec.h utime.h netinet/in_systm.h) + AC_CHECK_HEADERS(netinet/in_system.h netinet/ip.h netinet/tcp.h ulimit.h) +*************** +*** 399,404 **** +--- 525,540 ---- + [ AC_DEFINE(HAVE_INCOMPATIBLE_SIGINFO) + AC_MSG_RESULT(yes)] , AC_MSG_RESULT(no)) + ++ AC_MSG_CHECKING([whether sys/socket.h have struct sockaddr_storage]) ++ AC_EGREP_HEADER(sockaddr_storage, sys/socket.h, ++ [ AC_DEFINE(HAVE_SOCKADDR_STORAGE) AC_MSG_RESULT(yes)], AC_MSG_RESULT(no)) ++ AC_MSG_CHECKING([whether sys/socket.h have __ss_family]) ++ AC_EGREP_HEADER(__ss_family, sys/socket.h, ++ [ AC_DEFINE(HAVE_NEW_SS_FAMILY) AC_MSG_RESULT(yes)], AC_MSG_RESULT(no)) ++ AC_MSG_CHECKING([whether sys/socket.h have sa_len]) ++ AC_EGREP_HEADER(sa_len, sys/socket.h, ++ [ AC_DEFINE(HAVE_SOCKADDR_LEN) AC_MSG_RESULT(yes)], AC_MSG_RESULT(no)) ++ + AC_CHECK_LIB(c, crypt, [true], AC_CHECK_LIB(crypt, crypt)) + AC_CHECK_LIB(sec, getspnam) + AC_CHECK_LIB(seq, get_process_stats) +*************** +*** 436,441 **** +--- 572,676 ---- + + AC_REPLACE_FUNCS(strerror memmove remove random putenv crypt socketpair snprintf) + ++ AC_MSG_CHECKING(getaddrinfo bug) ++ AC_TRY_RUN([ ++ #include <sys/types.h> ++ #include <netdb.h> ++ #include <string.h> ++ #include <sys/socket.h> ++ #include <netinet/in.h> ++ ++ main() ++ { ++ int passive, gaierr, inet4 = 0, inet6 = 0; ++ struct addrinfo hints, *ai, *aitop; ++ char straddr[INET6_ADDRSTRLEN], strport[16]; ++ ++ for (passive = 0; passive <= 1; passive++) { ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = AF_UNSPEC; ++ hints.ai_flags = passive ? 
AI_PASSIVE : 0; ++ hints.ai_socktype = SOCK_STREAM; ++ if ((gaierr = getaddrinfo(NULL, "54321", &hints, &aitop)) != 0) { ++ (void)gai_strerror(gaierr); ++ goto bad; ++ } ++ for (ai = aitop; ai; ai = ai->ai_next) { ++ if (ai->ai_addr == NULL || ++ ai->ai_addrlen == 0 || ++ getnameinfo(ai->ai_addr, ai->ai_addrlen, ++ straddr, sizeof(straddr), strport, sizeof(strport), ++ NI_NUMERICHOST|NI_NUMERICSERV) != 0) { ++ goto bad; ++ } ++ if (strcmp(strport, "54321") != 0) { ++ goto bad; ++ } ++ switch (ai->ai_family) { ++ case AF_INET: ++ if (passive) { ++ if (strcmp(straddr, "0.0.0.0") != 0) { ++ goto bad; ++ } ++ } else { ++ if (strcmp(straddr, "127.0.0.1") != 0) { ++ goto bad; ++ } ++ } ++ inet4++; ++ break; ++ case AF_INET6: ++ if (passive) { ++ if (strcmp(straddr, "::") != 0) { ++ goto bad; ++ } ++ } else { ++ if (strcmp(straddr, "::1") != 0) { ++ goto bad; ++ } ++ } ++ inet6++; ++ break; ++ case AF_UNSPEC: ++ goto bad; ++ break; ++ default: ++ /* another family support? */ ++ break; ++ } ++ } ++ } ++ ++ if (inet6 != 2 || inet4 != 2) ++ goto bad; ++ ++ if (aitop) ++ freeaddrinfo(aitop); ++ exit(0); ++ ++ bad: ++ if (aitop) ++ freeaddrinfo(aitop); ++ exit(1); ++ } ++ ], ++ AC_MSG_RESULT(good) ++ buggygetaddrinfo=no, ++ AC_MSG_RESULT(buggy) ++ buggygetaddrinfo=yes, ++ AC_MSG_RESULT(buggy) ++ buggygetaddrinfo=yes) ++ ++ if test "$buggygetaddrinfo" = "yes"; then ++ if test "$ipv6" = "yes"; then ++ echo 'Fatal: You must get working getaddrinfo() function.' ++ echo ' or you can specify "--disable-ipv6"'. ++ exit 1 ++ else ++ AC_REPLACE_FUNCS(getaddrinfo getnameinfo) ++ fi ++ fi ++ + AC_PROG_LN_S + AC_PROG_INSTALL + AC_CHECK_PROG(AR, ar, ar, echo) +*************** +*** 932,938 **** + AC_DEFINE(KRB5) + KERBEROS_ROOT="$with_kerberos5" + KERBEROS_INCS="-I${KERBEROS_ROOT}/include" +! 
KERBEROS_LIBS="-L${KERBEROS_ROOT}/lib -lgssapi_krb5 -lkrb5 -lcrypto -lcom_err" + AC_CHECK_LIB(ndbm, dbm_open, KERBEROS_LIBS="$KERBEROS_LIBS -lndbm") + KERBEROS_OBJS="auth-kerberos.o" + ;; +--- 1167,1177 ---- + AC_DEFINE(KRB5) + KERBEROS_ROOT="$with_kerberos5" + KERBEROS_INCS="-I${KERBEROS_ROOT}/include" +! if [ -f ${KERBEROS_ROOT}/lib/libk5crypto.a ]; then +! KERBEROS_LIBS="-L${KERBEROS_ROOT}/lib -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" +! else +! KERBEROS_LIBS="-L${KERBEROS_ROOT}/lib -lgssapi_krb5 -lkrb5 -lcrypto -lcom_err" +! fi + AC_CHECK_LIB(ndbm, dbm_open, KERBEROS_LIBS="$KERBEROS_LIBS -lndbm") + KERBEROS_OBJS="auth-kerberos.o" + ;; +*************** +*** 1252,1257 **** +--- 1491,1528 ---- + AC_DEFINE(ENABLE_TCP_NODELAY) + ) + ++ AC_MSG_CHECKING(whether to enable another port try support) ++ AC_ARG_ENABLE(another-port-try, ++ [ --enable-another-port-try Enable another port try support (default) ++ --disable-another-port-try Disable another port try support], ++ [ case "$enableval" in ++ no) ++ AC_MSG_RESULT(no) ++ ;; ++ *) AC_MSG_RESULT(yes) ++ AC_DEFINE(ENABLE_ANOTHER_PORT_TRY) ++ ;; ++ esac ], ++ AC_MSG_RESULT(yes) ++ AC_DEFINE(ENABLE_ANOTHER_PORT_TRY) ++ ) ++ ++ AC_MSG_CHECKING(whether to enable logging auth info support) ++ AC_ARG_ENABLE(log-auth, ++ [ --enable-log-auth Enable logging auth info support (default) ++ --disable-log-auth Disable logging auth info support], ++ [ case "$enableval" in ++ no) ++ AC_MSG_RESULT(no) ++ ;; ++ *) AC_MSG_RESULT(yes) ++ AC_DEFINE(ENABLE_LOG_AUTH) ++ ;; ++ esac ], ++ AC_MSG_RESULT(yes) ++ AC_DEFINE(ENABLE_LOG_AUTH) ++ ) ++ + AC_MSG_CHECKING(whether to enable SO_LINGER) + AC_ARG_ENABLE(so-linger, + [ --enable-so-linger Enable setting SO_LINGER socket option], +*************** +*** 1311,1316 **** +--- 1582,1589 ---- + AC_DEFINE(SCP_ALL_STATISTICS_ENABLED) + ) + ++ CFLAGS="$CPPFLAGS $CFLAGS" ++ + # We include this here only to make it visible in --help; this is only used + # in the gmp subdirectory. 
+ AC_ARG_ENABLE(asm, +*************** +*** 1324,1330 **** + fi + AC_MSG_RESULT($PIDDIR) + +! AC_CONFIG_SUBDIRS(gmp-2.0.2-ssh-2) + + AC_ARG_PROGRAM + +--- 1597,1603 ---- + fi + AC_MSG_RESULT($PIDDIR) + +! #AC_CONFIG_SUBDIRS(gmp-2.0.2-ssh-2) + + AC_ARG_PROGRAM + +*************** +*** 1336,1339 **** + AC_SUBST(SSHDCONFOBJS) + AC_SUBST(SSHINSTALLMODE) + +! AC_OUTPUT(Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 zlib-1.0.4/Makefile) +--- 1609,1612 ---- + AC_SUBST(SSHDCONFOBJS) + AC_SUBST(SSHINSTALLMODE) + +! AC_OUTPUT(Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 make-ssh-known-hosts.pl) diff --git a/security/ssh/files/patch-bf b/security/ssh/files/patch-bf new file mode 100644 index 0000000..d8d53bc --- /dev/null +++ b/security/ssh/files/patch-bf @@ -0,0 +1,17 @@ +*** gai.h.orig Mon Jan 10 22:56:13 2000 +--- gai.h Mon Jan 10 22:56:13 2000 +*************** +*** 0 **** +--- 1,12 ---- ++ /* ++ * fake library for ssh ++ * ++ * This file is included in getaddrinfo.c and getnameinfo.c. ++ * See getaddrinfo.c and getnameinfo.c. ++ */ ++ ++ /* for old netdb.h */ ++ #ifndef EAI_NODATA ++ #define EAI_NODATA 1 ++ #define EAI_MEMORY 2 ++ #endif diff --git a/security/ssh/files/patch-bg b/security/ssh/files/patch-bg new file mode 100644 index 0000000..6899820 --- /dev/null +++ b/security/ssh/files/patch-bg 
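Review bot: The new Kerberos 5 branch uses `if [ -f ${KERBEROS_ROOT}/lib/libk5crypto.a ]; then`, but in configure.in square brackets are m4 quote characters, so autoconf strips them and the generated configure runs `if  -f .../libk5crypto.a ; then`, which fails and always takes the `-lcrypto` else branch; use `if test -f ${KERBEROS_ROOT}/lib/libk5crypto.a; then` instead. In the ipv6lib block, `echo 'Fatal: no $ipv6lib library found. cannot continue.'` is single-quoted, so the message prints the literal text `$ipv6lib`; double quotes as on the following line fix it, and `AC_MSG_ERROR` would be the idiomatic way to abort. In the getaddrinfo probe program, `aitop` is not initialized before the first `goto bad`, so a failing `getaddrinfo` reaches `if (aitop) freeaddrinfo(aitop)` with an indeterminate pointer; declare it as `struct addrinfo hints, *ai, *aitop = NULL;`. Commenting out `AC_DEFINE(USE_PIPES)` switches the IPC mechanism while the comment above it still says socket pairs are broken on several systems; the reason for the change belongs in that comment.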
@@ -0,0 +1,120 @@ +*** getaddrinfo.c.orig Mon Jan 10 22:56:13 2000 +--- getaddrinfo.c Mon Jan 10 22:56:13 2000 +*************** +*** 0 **** +--- 1,115 ---- ++ /* ++ * fake library for ssh ++ * ++ * This file includes getaddrinfo(), freeaddrinfo() and gai_strerror(). ++ * These funtions are defined in rfc2133. ++ * ++ * But these functions are not implemented correctly. The minimum subset ++ * is implemented for ssh use only. For exapmle, this routine assumes ++ * that ai_family is AF_INET. Don't use it for another purpose. ++ * ++ * In the case not using 'configure --enable-ipv6', this getaddrinfo.c ++ * will be used if you have broken getaddrinfo or no getaddrinfo. ++ */ ++ ++ #include "includes.h" ++ #include "ssh.h" ++ ++ #include "gai.h" ++ ++ static struct addrinfo * ++ malloc_ai(port, addr) ++ int port; ++ u_long addr; ++ { ++ struct addrinfo *ai; ++ ++ if (ai = (struct addrinfo *)malloc(sizeof(struct addrinfo) + ++ sizeof(struct sockaddr_in))) { ++ memset(ai, 0, sizeof(struct addrinfo) + sizeof(struct sockaddr_in)); ++ ai->ai_addr = (struct sockaddr *)(ai + 1); ++ /* XXX -- ssh doesn't use sa_len */ ++ ai->ai_addrlen = sizeof(struct sockaddr_in); ++ ai->ai_addr->sa_family = ai->ai_family = AF_INET; ++ ((struct sockaddr_in *)(ai)->ai_addr)->sin_port = port; ++ ((struct sockaddr_in *)(ai)->ai_addr)->sin_addr.s_addr = addr; ++ return ai; ++ } else { ++ return NULL; ++ } ++ } ++ ++ char * ++ gai_strerror(ecode) ++ int ecode; ++ { ++ switch (ecode) { ++ case EAI_NODATA: ++ return "no address associated with hostname."; ++ case EAI_MEMORY: ++ return "memory allocation failure."; ++ default: ++ return "unknown error."; ++ } ++ } ++ ++ void ++ freeaddrinfo(ai) ++ struct addrinfo *ai; ++ { ++ struct addrinfo *next; ++ ++ do { ++ next = ai->ai_next; ++ free(ai); ++ } while (ai = next); ++ } ++ ++ int ++ getaddrinfo(hostname, servname, hints, res) ++ const char *hostname, *servname; ++ const struct addrinfo *hints; ++ struct addrinfo **res; ++ { ++ struct addrinfo 
*cur, *prev = NULL; ++ struct hostent *hp; ++ int i, port; ++ ++ if (servname) ++ port = htons(atoi(servname)); ++ else ++ port = 0; ++ if (hints && hints->ai_flags & AI_PASSIVE) ++ if (*res = malloc_ai(port, htonl(0x00000000))) ++ return 0; ++ else ++ return EAI_MEMORY; ++ if (!hostname) ++ if (*res = malloc_ai(port, htonl(0x7f000001))) ++ return 0; ++ else ++ return EAI_MEMORY; ++ if (inet_addr(hostname) != -1) ++ if (*res = malloc_ai(port, inet_addr(hostname))) ++ return 0; ++ else ++ return EAI_MEMORY; ++ if ((hp = gethostbyname(hostname)) && ++ hp->h_name && hp->h_name[0] && hp->h_addr_list[0]) { ++ for (i = 0; hp->h_addr_list[i]; i++) ++ if (cur = malloc_ai(port, ++ ((struct in_addr *)hp->h_addr_list[i])->s_addr)) { ++ if (prev) ++ prev->ai_next = cur; ++ else ++ *res = cur; ++ prev = cur; ++ } else { ++ if (*res) ++ freeaddrinfo(*res); ++ return EAI_MEMORY; ++ } ++ return 0; ++ } ++ return EAI_NODATA; ++ } diff --git a/security/ssh/files/patch-bh b/security/ssh/files/patch-bh new file mode 100644 index 0000000..3e50aae --- /dev/null +++ b/security/ssh/files/patch-bh 
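Review bot: getaddrinfo never initializes `*res` before the `gethostbyname` loop, so the `if (*res) freeaddrinfo(*res);` cleanup after a failed `malloc_ai` for the first address reads whatever pointer the caller left in `*res` and may free an indeterminate pointer; add `*res = NULL;` at the top of the function (which also makes the EAI_NODATA return leave a defined value). `inet_addr(hostname) != -1` compares an `in_addr_t` with an int; `INADDR_NONE` is the intended constant, and the check cannot distinguish the valid address 255.255.255.255 from failure. `freeaddrinfo` dereferences `ai` before testing it, so a NULL argument crashes; `while (ai) { next = ai->ai_next; free(ai); ai = next; }` handles both cases. The header comment already states this is an AF_INET-only stub, but `hints->ai_family` is never examined, so a caller asking for AF_INET6 silently receives IPv4 results.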
@@ -0,0 +1,66 @@ +*** getnameinfo.c.orig Mon Jan 10 22:56:13 2000 +--- getnameinfo.c Mon Jan 10 22:56:13 2000 +*************** +*** 0 **** +--- 1,61 ---- ++ /* ++ * fake library for ssh ++ * ++ * This file includes getnameinfo(). ++ * These funtions are defined in rfc2133. ++ * ++ * But these functions are not implemented correctly. The minimum subset ++ * is implemented for ssh use only. For exapmle, this routine assumes ++ * that ai_family is AF_INET. Don't use it for another purpose. ++ * ++ * In the case not using 'configure --enable-ipv6', this getnameinfo.c ++ * will be used if you have broken getnameinfo or no getnameinfo. ++ */ ++ ++ #include "includes.h" ++ #include "ssh.h" ++ ++ #include "gai.h" ++ ++ int ++ getnameinfo(sa, salen, host, hostlen, serv, servlen, flags) ++ const struct sockaddr *sa; ++ size_t salen; ++ char *host; ++ size_t hostlen; ++ char *serv; ++ size_t servlen; ++ int flags; ++ { ++ struct sockaddr_in *sin = (struct sockaddr_in *)sa; ++ struct hostent *hp; ++ char tmpserv[16]; ++ ++ if (serv) { ++ sprintf(tmpserv, "%d", ntohs(sin->sin_port)); ++ if (strlen(tmpserv) > servlen) ++ return EAI_MEMORY; ++ else ++ strcpy(serv, tmpserv); ++ } ++ if (host) ++ if (flags & NI_NUMERICHOST) ++ if (strlen(inet_ntoa(sin->sin_addr)) > hostlen) ++ return EAI_MEMORY; ++ else { ++ strcpy(host, inet_ntoa(sin->sin_addr)); ++ return 0; ++ } ++ else ++ if (hp = gethostbyaddr((char *)&sin->sin_addr, sizeof(struct in_addr), ++ AF_INET)) ++ if (strlen(hp->h_name) > hostlen) ++ return EAI_MEMORY; ++ else { ++ strcpy(host, hp->h_name); ++ return 0; ++ } ++ else ++ return EAI_NODATA; ++ return 0; ++ } diff --git a/security/ssh/files/patch-bi b/security/ssh/files/patch-bi new file mode 100644 index 0000000..77ff392 --- /dev/null +++ b/security/ssh/files/patch-bi 
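Review bot: The three length checks in getnameinfo() are off by one: `strlen(tmpserv) > servlen`, `strlen(inet_ntoa(sin->sin_addr)) > hostlen` and `strlen(hp->h_name) > hostlen` accept a string exactly as long as the buffer, after which strcpy() writes the terminating NUL one byte past the end; they should be `>=`, or the copies should become `snprintf(host, hostlen, "%s", ...)` with a truncation check. This matters most for the `hp->h_name` branch, since that name comes from the reverse lookup of the peer and is not under the server's control. `salen` is accepted but never compared with `sizeof(struct sockaddr_in)`, and the AF_INET assumption stated in the header comment is never checked against `sa->sa_family`; rejecting other families up front would make the documented limitation enforceable rather than silent. inet_ntoa() is also called twice in the NI_NUMERICHOST branch; cache the result in a local to keep the length check and the copy in agreement.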
@@ -0,0 +1,56 @@ +*** log-server.c.orig Wed May 12 13:19:26 1999 +--- log-server.c Mon Jan 10 22:56:13 2000 +*************** +*** 146,151 **** +--- 146,170 ---- + syslog(LOG_INFO, "log: %.500s", buf); + } + ++ #ifdef ENABLE_LOG_AUTH ++ void log_auth(const char *fmt, ...) ++ { ++ char buf[1024]; ++ va_list args; ++ extern int log_auth_flag; ++ if (!log_auth_flag) ++ return; ++ if (log_quiet) ++ return; ++ va_start(args, fmt); ++ vsprintf(buf, fmt, args); ++ va_end(args); ++ if (log_on_stderr) ++ fprintf(stderr, "log: %s\n", buf); ++ syslog(LOG_INFO|LOG_AUTH, "%.500s", buf); ++ } ++ #endif /* ENABLE_LOG_AUTH */ ++ + /* Converts portable syslog severity to machine-specific syslog severity. */ + + static int syslog_severity(int severity) +*************** +*** 322,327 **** +--- 341,349 ---- + { + char buf[1024]; + va_list args; ++ #ifdef ENABLE_LOG_AUTH ++ extern char *unauthenticated_user; ++ #endif /* ENABLE_LOG_AUTH */ + + if (log_quiet) + exit(1); +*************** +*** 331,336 **** +--- 353,363 ---- + if (log_on_stderr) + fprintf(stderr, "fatal: %s\n", buf); + syslog(syslog_severity(severity), "fatal: %.500s", buf); ++ #ifdef ENABLE_LOG_AUTH ++ if (unauthenticated_user) ++ log_auth("LOGIN FAILED %.100s from %.200s", ++ unauthenticated_user, get_canonical_hostname()); ++ #endif /* ENABLE_LOG_AUTH */ + + do_fatal_cleanups(); + diff --git a/security/ssh/files/patch-bj b/security/ssh/files/patch-bj new file mode 100644 index 0000000..fb897af --- /dev/null +++ b/security/ssh/files/patch-bj @@ -0,0 +1,16 @@ +*** match.c.orig Wed May 12 13:19:27 1999 +--- match.c Mon Jan 10 22:56:13 2000 +*************** +*** 129,134 **** +--- 129,139 ---- + is_ip_pattern = 0; + break; + } ++ for(p = pattern; *p; p++) ++ if (!(isxdigit(*p) || *p == ':' || *p == '?' || *p == '*')) ++ break; ++ if (ip && !*p) ++ is_ip_pattern = 1; + if (is_ip_pattern) + { + return match_pattern(ip, pattern); 
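Review bot: log_auth() formats into a fixed `char buf[1024]` with `vsprintf(buf, fmt, args)`, which has no bound; the only caller added in this commit limits its arguments with `%.100s`/`%.200s`, but the function itself should not rely on that, so use `vsnprintf(buf, sizeof(buf), fmt, args);` (the neighbouring log functions are outside the hunk, so match whichever bounded call they use). The `extern int log_auth_flag;` and `extern char *unauthenticated_user;` declarations sit inside function bodies; a reader would expect them at file scope next to the other globals, or in a header, so the types are checked once against their definitions. The fatal() hunk logs the client-supplied user name length-limited but otherwise as received, which is consistent with the rest of this file's logging and deserves a one-line comment saying so.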
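Review bot: The new loop reclassifies any pattern made only of hex digits, `:`, `?` and `*` as an IP pattern, and host-name patterns such as `cafe` or `bad*` consist solely of such characters, so after this change they are matched against the IP string only and silently stop matching the host name; requiring a colon narrows the rule to IPv6 literals: `if (ip && !*p && strchr(pattern, ':'))`. `isxdigit(*p)` is called with a plain `char`; bytes above 127 in a pattern make that undefined behaviour where char is signed, so write `isxdigit((unsigned char)*p)`. The enclosing function starts and ends outside the hunk, so I cannot see whether the first loop already handles `*` on its own.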
diff --git a/security/ssh/files/patch-bl b/security/ssh/files/patch-bl
new file mode 100644
index 0000000..60296a9
--- /dev/null
+++ b/security/ssh/files/patch-bl
@@ -0,0 +1,66 @@ +*** readconf.c.orig Wed May 12 13:19:27 1999 +--- readconf.c Mon Jan 10 22:56:13 2000 +*************** +*** 171,176 **** +--- 171,179 ---- + oBatchMode, oStrictHostKeyChecking, oCompression, oCompressionLevel, + oKeepAlives, oUsePrivilegedPort, oKerberosAuthentication, + oKerberosTgtPassing, oClearAllForwardings, oNumberOfPasswordPrompts, ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ oAnotherPort, ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + oXauthPath, oGatewayPorts, oPasswordPromptLogin, oPasswordPromptHost + } OpCodes; + +*************** +*** 194,199 **** +--- 197,205 ---- + { "hostname", oHostName }, + { "proxycommand", oProxyCommand }, + { "port", oPort }, ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ { "anotherport", oAnotherPort }, ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + { "cipher", oCipher }, + { "remoteforward", oRemoteForward }, + { "localforward", oLocalForward }, +*************** +*** 497,502 **** +--- 503,514 ---- + *intptr = value; + break; + ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ case oAnotherPort: ++ intptr = &options->another_port; ++ goto parse_int; ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ ++ + case oConnectionAttempts: + intptr = &options->connection_attempts; + goto parse_int; +*************** +*** 689,694 **** +--- 701,709 ---- + options->keepalives = -1; + options->compression_level = -1; + options->port = -1; ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ options->another_port = -1; ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + options->connection_attempts = -1; + options->number_of_password_prompts = -1; + options->password_prompt_login = -1; +*************** +*** 759,764 **** +--- 774,783 ---- + options->compression_level = 6; + if (options->port == -1) + options->port = 0; /* Filled in ssh_connect. 
*/ ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ if (options->another_port == -1) ++ options->another_port = 0; ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + if (options->connection_attempts == -1) + options->connection_attempts = 4; + if (options->number_of_password_prompts == -1) diff --git a/security/ssh/files/patch-bm b/security/ssh/files/patch-bm new file mode 100644 index 0000000..a394777 --- /dev/null +++ b/security/ssh/files/patch-bm @@ -0,0 +1,14 @@ +*** readconf.h.orig Wed May 12 13:19:27 1999 +--- readconf.h Mon Jan 10 22:56:13 2000 +*************** +*** 98,103 **** +--- 98,106 ---- + int use_privileged_port; /* Use privileged port */ + + int port; /* Port to connect. */ ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ int another_port; /* Port to connect for -A option. */ ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + int connection_attempts; /* Max attempts (seconds) before giving up */ + int number_of_password_prompts; /* Max number of password prompts */ + int password_prompt_login; /* Show remote login at password prompt */ diff --git a/security/ssh/files/patch-bn b/security/ssh/files/patch-bn new file mode 100644 index 0000000..7f625fc --- /dev/null +++ b/security/ssh/files/patch-bn 
@@ -0,0 +1,191 @@ +*** scp.c.orig Wed May 12 13:19:28 1999 +--- scp.c Mon Jan 10 22:56:13 2000 +*************** +*** 180,185 **** +--- 180,193 ---- + #define STDERR_FILENO 2 + #endif + ++ /* This is set to non-zero if IPv4 is desired. */ ++ int IPv4 = 0; ++ ++ #ifdef ENABLE_IPV6 ++ /* This is set to non-zero if IPv6 is desired. */ ++ int IPv6 = 0; ++ #endif ++ + /* This is set to non-zero to enable verbose mode. */ + int verbose = 0; + +*************** +*** 295,302 **** +--- 303,319 ---- + } + args[i++] = "-x"; + args[i++] = "-a"; ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ args[i++] = "-A"; ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + args[i++] = "-oFallBackToRsh no"; + args[i++] = "-oClearAllForwardings yes"; ++ if (IPv4) ++ args[i++] = "-4"; ++ #ifdef ENABLE_IPV6 ++ if (IPv6) ++ args[i++] = "-6"; ++ #endif + if (verbose) + args[i++] = "-v"; + if (compress) +*************** +*** 441,448 **** + statistics = 0; + + fflag = tflag = 0; +! while ((ch = getopt(argc, argv, "aAqQdfprtvBCL1c:i:P:o:S:")) != EOF) + switch(ch) { /* User-visible flags. */ + case 'S': + ssh_program = optarg; + break; +--- 458,477 ---- + statistics = 0; + + fflag = tflag = 0; +! while ((ch = getopt(argc, argv, "aAqQdfprtvBCL1c:i:P:o:S:4" +! #ifdef ENABLE_IPV6 +! "6" +! #endif +! )) != EOF) + switch(ch) { /* User-visible flags. 
*/ ++ case '4': ++ IPv4 = 1; ++ break; ++ #ifdef ENABLE_IPV6 ++ case '6': ++ IPv6 = 1; ++ break; ++ #endif + case 'S': + ssh_program = optarg; + break; +*************** +*** 589,594 **** +--- 618,634 ---- + exit(errs != 0); + } + ++ char * ++ cleanhostname(host) ++ char *host; ++ { ++ if (*host == '[' && host[strlen(host) - 1] == ']') { ++ host[strlen(host) - 1] = '\0'; ++ return (host + 1); ++ } else ++ return host; ++ } ++ + void + toremote(targ, argc, argv) + char *targ, *argv[]; +*************** +*** 644,649 **** +--- 684,690 ---- + bp = xmalloc(len); + if (host) { + *host++ = 0; ++ host = cleanhostname(host); + suser = argv[i]; + if (*suser == '\0') + suser = pwd->pw_name; +*************** +*** 655,667 **** + suser, host, cmd, src, + tuser ? tuser : "", tuser ? "@" : "", + thost, targ); +! } else + (void)snprintf(bp, len, + "exec %s%s %s -x -o'FallBackToRsh no' -o'ClearAllForwardings yes' -n %s %s %s '%s%s%s:%s'", + ssh_program, verbose ? " -v" : "", options, +! argv[i], cmd, src, + tuser ? tuser : "", tuser ? "@" : "", + thost, targ); + if (verbose) + fprintf(stderr, "Executing: %s\n", bp); + if (system(bp)) errs++; +--- 696,710 ---- + suser, host, cmd, src, + tuser ? tuser : "", tuser ? "@" : "", + thost, targ); +! } else { +! host = cleanhostname(argv[i]); + (void)snprintf(bp, len, + "exec %s%s %s -x -o'FallBackToRsh no' -o'ClearAllForwardings yes' -n %s %s %s '%s%s%s:%s'", + ssh_program, verbose ? " -v" : "", options, +! host, cmd, src, + tuser ? tuser : "", tuser ? "@" : "", + thost, targ); ++ } + if (verbose) + fprintf(stderr, "Executing: %s\n", bp); + if (system(bp)) errs++; +*************** +*** 671,677 **** + len = strlen(targ) + CMDNEEDS + 20; + bp = xmalloc(len); + (void)snprintf(bp, len, "%s -t %s", cmd, targ); +! host = thost; + if (do_cmd(host, tuser, + bp, &remin, &remout) < 0) + exit(1); +--- 714,720 ---- + len = strlen(targ) + CMDNEEDS + 20; + bp = xmalloc(len); + (void)snprintf(bp, len, "%s -t %s", cmd, targ); +! 
host = cleanhostname(thost); + if (do_cmd(host, tuser, + bp, &remin, &remout) < 0) + exit(1); +*************** +*** 721,726 **** +--- 764,770 ---- + else if (!okname(suser)) + continue; + } ++ host = cleanhostname(host); + len = strlen(src) + CMDNEEDS + 20; + bp = xmalloc(len); + (void)snprintf(bp, len, "%s -f %s", cmd, src); +*************** +*** 1365,1375 **** + colon(cp) + char *cp; + { + if (*cp == ':') /* Leading colon is part of file name. */ + return (0); + + for (; *cp; ++cp) { +! if (*cp == ':') + return (cp); + if (*cp == '/') + return (0); +--- 1409,1427 ---- + colon(cp) + char *cp; + { ++ int flag = 0; ++ + if (*cp == ':') /* Leading colon is part of file name. */ + return (0); ++ if (*cp == '[') ++ flag = 1; + + for (; *cp; ++cp) { +! if (*cp == '@' && *(cp+1) == '[') +! flag = 1; +! if (*cp == ']' && *(cp+1) == ':' && flag) +! return (cp+1); +! if (*cp == ':' && !flag) + return (cp); + if (*cp == '/') + return (0); diff --git a/security/ssh/files/patch-bo b/security/ssh/files/patch-bo new file mode 100644 index 0000000..886720d --- /dev/null +++ b/security/ssh/files/patch-bo 
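Review bot: cleanhostname() has no comment and its contract is not obvious from the call sites: it strips the `[`/`]` around a bracketed IPv6 literal in place, truncating the caller's buffer, and returns a pointer one byte into it, so the result must never be passed to free() and the original argv string is altered for every later reader; add `/* Strip the [ ] around a bracketed IPv6 literal in place; returns a pointer into host. */` above it. The extra `args[i++]` entries (`-A`, `-4`, `-6`) raise the maximum number of entries stored in the args array, whose declaration is outside this hunk and which has no bounds check on `i`; please confirm it has headroom for three more. In colon(), `flag` is set by a leading `[` or by `@[` and never cleared, so a local file name that starts with `[` but contains a later `:` is now treated as local rather than as host:path; that looks intentional but deserves a comment on the `flag` declaration. toremote() starts outside the hunk.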
@@ -0,0 +1,197 @@ +*** servconf.c.orig Wed May 12 13:19:28 1999 +--- servconf.c Mon Jan 10 22:56:13 2000 +*************** +*** 81,88 **** + void initialize_server_options(ServerOptions *options) + { + memset(options, 0, sizeof(*options)); +! options->port = -1; +! options->listen_addr.s_addr = INADDR_ANY; + options->host_key_file = NULL; + options->random_seed_file = NULL; + options->pid_file = NULL; +--- 81,88 ---- + void initialize_server_options(ServerOptions *options) + { + memset(options, 0, sizeof(*options)); +! options->num_ports = 0; +! options->listen_addrs = NULL; + options->host_key_file = NULL; + options->random_seed_file = NULL; + options->pid_file = NULL; +*************** +*** 92,97 **** +--- 92,100 ---- + options->permit_root_login = -1; + options->ignore_rhosts = -1; + options->ignore_root_rhosts = -1; ++ #ifdef ENABLE_LOG_AUTH ++ options->log_auth = -1; ++ #endif /* ENABLE_LOG_AUTH */ + options->quiet_mode = -1; + options->fascist_logging = -1; + options->print_motd = -1; +*************** +*** 138,153 **** + + void fill_default_server_options(ServerOptions *options) + { +! if (options->port == -1) + { +! struct servent *sp; +! +! sp = getservbyname(SSH_SERVICE_NAME, "tcp"); +! if (sp) +! options->port = ntohs(sp->s_port); +! else +! options->port = SSH_DEFAULT_PORT; +! endservent(); + } + if (options->host_key_file == NULL) + options->host_key_file = HOST_KEY_FILE; +--- 141,171 ---- + + void fill_default_server_options(ServerOptions *options) + { +! struct addrinfo hints, *ai, *aitop; +! char strport[PORTSTRLEN]; +! int i; +! +! if (options->num_ports == 0) +! options->ports[options->num_ports++] = SSH_DEFAULT_PORT; +! if (options->listen_addrs == NULL) + { +! for (i = 0; i < options->num_ports; i++) +! { +! memset(&hints, 0, sizeof(hints)); +! hints.ai_flags = AI_PASSIVE; +! hints.ai_family = IPv4or6; +! hints.ai_socktype = SOCK_STREAM; +! sprintf(strport, "%d", options->ports[i]); +! if (getaddrinfo(NULL, strport, &hints, &aitop) != 0) +! { +! 
fprintf(stderr, "fatal: getaddrinfo: Cannot get anyaddr.\n"); +! exit(1); +! } +! for (ai = aitop; ai->ai_next; ai = ai->ai_next); +! ai->ai_next = options->listen_addrs; +! options->listen_addrs = aitop; +! } +! /* freeaddrinfo(options->listen_addrs) in sshd.c */ + } + if (options->host_key_file == NULL) + options->host_key_file = HOST_KEY_FILE; +*************** +*** 243,248 **** +--- 261,269 ---- + { + sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, + sPermitRootLogin, sQuietMode, sFascistLogging, sLogFacility, ++ #ifdef ENABLE_LOG_AUTH ++ sLogAuth, ++ #endif /* ENABLE_LOG_AUTH */ + sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, + sTISAuthentication, sPasswordAuthentication, sAllowHosts, sDenyHosts, + sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, +*************** +*** 275,280 **** +--- 296,304 ---- + { "quietmode", sQuietMode }, + { "fascistlogging", sFascistLogging }, + { "syslogfacility", sLogFacility }, ++ #ifdef ENABLE_LOG_AUTH ++ { "logauth", sLogAuth }, ++ #endif /* ENABLE_LOG_AUTH */ + { "rhostsauthentication", sRhostsAuthentication }, + { "rhostsrsaauthentication", sRhostsRSAAuthentication }, + { "rsaauthentication", sRSAAuthentication }, +*************** +*** 367,372 **** +--- 391,399 ---- + char *cp, **charptr; + int linenum, *intptr, i, value; + ServerOpCodes opcode; ++ struct addrinfo hints, *ai, *aitop; ++ char strport[PORTSTRLEN]; ++ int gaierr; + + f = fopen(filename, "r"); + if (!f) +*************** +*** 389,395 **** + switch (opcode) + { + case sPort: +! intptr = &options->port; + parse_int: + cp = strtok(NULL, WHITESPACE); + if (!cp) +--- 416,429 ---- + switch (opcode) + { + case sPort: +! if (options->num_ports >= MAX_PORTS) +! { +! fprintf(stderr, "%s line %d: too many ports.\n", +! filename, linenum); +! exit(1); +! } +! options->ports[options->num_ports] = -1; +! 
intptr = &options->ports[options->num_ports++]; + parse_int: + cp = strtok(NULL, WHITESPACE); + if (!cp) +*************** +*** 452,462 **** + filename, linenum); + exit(1); + } +! #ifdef BROKEN_INET_ADDR +! options->listen_addr.s_addr = inet_network(cp); +! #else /* BROKEN_INET_ADDR */ +! options->listen_addr.s_addr = inet_addr(cp); +! #endif /* BROKEN_INET_ADDR */ + break; + + case sHostKeyFile: +--- 486,510 ---- + filename, linenum); + exit(1); + } +! if (options->num_ports == 0) +! options->ports[options->num_ports++] = SSH_DEFAULT_PORT; +! for (i = 0; i < options->num_ports; i++) +! { +! memset(&hints, 0, sizeof(hints)); +! hints.ai_family = IPv4or6; +! hints.ai_socktype = SOCK_STREAM; +! sprintf(strport, "%d", options->ports[i]); +! if ((gaierr = getaddrinfo(cp, strport, &hints, &aitop)) != 0) +! { +! fprintf(stderr, "%s line %d: bad addr or host. (%s)\n", +! filename, linenum, gai_strerror(gaierr)); +! exit(1); +! } +! for (ai = aitop; ai->ai_next; ai = ai->ai_next); +! ai->ai_next = options->listen_addrs; +! options->listen_addrs = aitop; +! } +! strtok(cp, WHITESPACE); /* getaddrinfo() may use strtok() */ + break; + + case sHostKeyFile: +*************** +*** 531,536 **** +--- 579,590 ---- + if (*intptr == -1) + *intptr = value; + break; ++ ++ #ifdef ENABLE_LOG_AUTH ++ case sLogAuth: ++ intptr = &options->log_auth; ++ goto parse_flag; ++ #endif /* ENABLE_LOG_AUTH */ + + case sIgnoreRhosts: + intptr = &options->ignore_rhosts; diff --git a/security/ssh/files/patch-bp b/security/ssh/files/patch-bp new file mode 100644 index 0000000..40b10db --- /dev/null +++ b/security/ssh/files/patch-bp 
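Review bot: The sListenAddress case resolves the address against the ports known at that point in the file (falling back to SSH_DEFAULT_PORT when none has been seen), so a `Port` directive that follows a `ListenAddress` line is not applied to that address and the server silently listens on the default port there; either document the ordering with `/* Port directives must precede ListenAddress. */` above the case, or record the address strings and resolve them once in fill_default_server_options() after all ports are known. Port values reach `options->ports[]` through parse_int with no range check before being formatted into strport, so a value outside 1-65535 is only caught, if at all, by getaddrinfo(); parse_int's body is only partly visible here. The `strtok(cp, WHITESPACE)` re-seed after getaddrinfo() relies on strtok's internal state ending at the NUL of `cp`; the existing comment says why it is there, but a second clause noting that it deliberately restores the tokenizer position would save the next reader the experiment.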
@@ -0,0 +1,45 @@
+*** servconf.h.orig Wed May 12 13:19:28 1999
+--- servconf.h Mon Jan 10 22:56:13 2000
+***************
+*** 64,69 ****
+--- 64,71 ----
+ #ifndef SERVCONF_H
+ #define SERVCONF_H
+ 
++ #define MAX_PORTS 256 /* Max # hosts on allow list. */
++
+ #define MAX_ALLOW_SHOSTS 256 /* Max # hosts on allow shosts list. */
+ #define MAX_DENY_SHOSTS 256 /* Max # hosts on deny shosts list. */
+ #define MAX_ALLOW_HOSTS 256 /* Max # hosts on allow list. */
+***************
+*** 82,89 ****
+ 
+ typedef struct
+ {
+! int port; /* Port number to listen on. */
+! struct in_addr listen_addr; /* Address on which the server listens. */
+ char *host_key_file; /* File containing host key. */
+ char *random_seed_file; /* File containing random seed. */
+ char *pid_file; /* File containing process ID number. */
+--- 84,92 ----
+ 
+ typedef struct
+ {
+! unsigned int num_ports;
+! int ports[MAX_PORTS]; /* Port number to listen on. */
+! struct addrinfo *listen_addrs;/* Addresses on which the server listens. */
+ char *host_key_file; /* File containing host key. */
+ char *random_seed_file; /* File containing random seed. */
+ char *pid_file; /* File containing process ID number. */
+***************
+*** 91,96 ****
+--- 94,102 ----
+ int login_grace_time; /* Disconnect if no auth in this time (sec). */
+ int key_regeneration_time; /* Server key lifetime (seconds). */
+ int permit_root_login; /* 0 = forced cmd only, 1 = no pwd, 2 = yes. */
++ #ifdef ENABLE_LOG_AUTH
++ int log_auth; /* If true, log authentication info. */
++ #endif /* ENABLE_LOG_AUTH */
+ int ignore_rhosts; /* Ignore .rhosts and .shosts. */
+ int ignore_root_rhosts; /* Ignore .rhosts and .shosts for root,
+ defaults to ignore_rhosts if not given. */
diff --git a/security/ssh/files/patch-br b/security/ssh/files/patch-br
new file mode 100644
index 0000000..28dd08a
--- /dev/null
+++ b/security/ssh/files/patch-br
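Review bot: The comment on the new `MAX_PORTS` define was copied from the allow-list constant and describes the wrong thing; it should read `#define MAX_PORTS 256 /* Max # of ports to listen on. */`. Likewise `int ports[MAX_PORTS]; /* Port number to listen on. */` now documents an array, so `/* Port numbers to listen on. */`. `num_ports` is declared `unsigned int` while the loops in the servconf.c hunk of this commit index it with a signed `int i` and compare it with the signed `MAX_PORTS`; harmless at 256 entries, but it trips `-Wsign-compare`, so give both sides the same type.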
@@ -0,0 +1,97 @@ +*** ssh.c.orig Wed May 12 13:19:28 1999 +--- ssh.c Mon Jan 10 22:56:13 2000 +*************** +*** 218,223 **** +--- 218,231 ---- + other functions. */ + RandomState random_state; + ++ /* Flag indicating whether IPv4 or IPv6. This can be set on the command line. ++ Default value is AF_UNSPEC means both IPv4 and IPv6. */ ++ #ifdef ENABLE_IPV6 ++ int IPv4or6 = AF_UNSPEC; ++ #else ++ int IPv4or6 = AF_INET; ++ #endif ++ + /* Flag indicating whether debug mode is on. This can be set on the + command line. */ + int debug_flag = 0; +*************** +*** 277,282 **** +--- 285,297 ---- + { + fprintf(stderr, "Usage: %s [options] host [command]\n", av0); + fprintf(stderr, "Options:\n"); ++ fprintf(stderr, " -4 Use IPv4 only.\n"); ++ #ifdef ENABLE_IPV6 ++ fprintf(stderr, " -6 Use IPv6 only.\n"); ++ #endif ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ fprintf(stderr, " -A Try to connect to another port before original port.\n"); ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + fprintf(stderr, " -l user Log in using this user name.\n"); + fprintf(stderr, " -n Redirect input from /dev/null.\n"); + fprintf(stderr, " -a Disable authentication agent forwarding.\n"); +*************** +*** 413,418 **** +--- 428,436 ---- + #ifdef SIGWINCH + struct winsize ws; + #endif /* SIGWINCH */ ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ int another_port_flag = 0; ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + + /* Save the original real uid. It will be needed later (uid-swapping may + clobber the real uid). */ +*************** +*** 522,527 **** +--- 540,565 ---- + } + switch (opt) + { ++ case '4': ++ #ifdef ENABLE_IPV6 ++ IPv4or6 = (IPv4or6 == AF_INET6) ? AF_UNSPEC : AF_INET; ++ #else ++ IPv4or6 = AF_INET; ++ #endif ++ break; ++ ++ #ifdef ENABLE_IPV6 ++ case '6': ++ IPv4or6 = (IPv4or6 == AF_INET) ? 
AF_UNSPEC : AF_INET6; ++ break; ++ #endif ++ ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ case 'A': ++ another_port_flag = 1; ++ break; ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ ++ + case 'n': + stdin_null_flag = 1; + break; +*************** +*** 789,799 **** +--- 827,844 ---- + { + use_privileged_port = 0; + } ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ if (!another_port_flag) ++ options.another_port = 0; ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + /* Open a connection to the remote host. This needs root privileges if + rhosts_authentication is true. Note that the random_state is not + yet used by this call, although a pointer to it is stored, and thus it + need not be initialized. */ + ok = ssh_connect(host, options.port, options.connection_attempts, ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ options.another_port, ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + !use_privileged_port, + original_real_uid, options.proxy_command, &random_state); + diff --git a/security/ssh/files/patch-bs b/security/ssh/files/patch-bs new file mode 100644 index 0000000..ec0e1a8 --- /dev/null +++ b/security/ssh/files/patch-bs 
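Review bot: The `-4`/`-6` handling is a toggle rather than an override: `-4 -6` on one command line ends in AF_UNSPEC, i.e. either family, while the usage text promises "Use IPv4 only" and "Use IPv6 only". If that is intended, say so above the case labels, e.g. `/* -4 and -6 together select either family (AF_UNSPEC). */`, and in the usage lines; otherwise make the last flag win with a plain assignment. The `-A` handling resets `options.another_port = 0` whenever the flag is absent, so an AnotherPort entry in the config file is inert without `-A`; that also deserves a sentence in the usage text for `-A`.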
@@ -0,0 +1,94 @@ +*** ssh.h.orig Wed May 12 13:19:28 1999 +--- ssh.h Mon Jan 10 22:56:13 2000 +*************** +*** 430,436 **** + /* Records that the user has logged in. This does many things normally + done by login(1). */ + void record_login(int pid, const char *ttyname, const char *user, uid_t uid, +! const char *host, struct sockaddr_in *addr); + + /* Records that the user has logged out. This does many thigs normally + done by login(1) or init. */ +--- 430,436 ---- + /* Records that the user has logged in. This does many things normally + done by login(1). */ + void record_login(int pid, const char *ttyname, const char *user, uid_t uid, +! const char *host, struct sockaddr *addr); + + /* Records that the user has logged out. This does many thigs normally + done by login(1) or init. */ +*************** +*** 447,452 **** +--- 447,455 ---- + connection is successful, this calls packet_set_connection for the + connection. */ + int ssh_connect(const char *host, int port, int connection_attempts, ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ int another_port, ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + int anonymous, uid_t original_real_uid, + const char *proxy_command, RandomState *random_state); + +*************** +*** 872,876 **** +--- 875,934 ---- + #else + #define UID_ROOT 0 + #endif ++ ++ #ifdef HAVE_SOCKADDR_STORAGE ++ #ifndef HAVE_NEW_SS_FAMILY ++ #define __ss_len ss_len ++ #define __ss_family ss_family ++ #endif ++ #else ++ #define _SS_MAXSIZE 128 /* Implementation specific max size */ ++ #define _SS_ALIGNSIZE (sizeof(int)) ++ #define _SS_PAD1SIZE (_SS_ALIGNSIZE - sizeof(u_short)) ++ #define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof(u_short) + \ ++ _SS_PAD1SIZE + _SS_ALIGNSIZE)) ++ struct sockaddr_storage { ++ #ifdef HAVE_SOCKADDR_LEN ++ u_char __ss_len; ++ u_char __ss_family; ++ #else ++ u_short __ss_family; ++ #endif ++ char __ss_pad1[_SS_PAD1SIZE]; ++ int __ss_align; ++ char __ss_pad2[_SS_PAD2SIZE]; ++ }; ++ #endif ++ ++ #ifdef INET6_ADDRSTRLEN ++ #define ADDRSTRLEN 
INET6_ADDRSTRLEN ++ #else ++ #define ADDRSTRLEN 46 ++ #endif ++ ++ #define PORTSTRLEN 16 ++ ++ /* AF_UNSPEC or AF_INET or AF_INET6 */ ++ extern int IPv4or6; ++ ++ #ifndef ENABLE_IPV6 ++ /* dummy value for old netdb.h */ ++ #ifndef AI_PASSIVE ++ #define AI_PASSIVE 1 ++ #define NI_NUMERICHOST 2 ++ #define NI_NAMEREQD 4 ++ #define NI_NUMERICSERV 8 ++ struct addrinfo { ++ int ai_flags; /* AI_PASSIVE, AI_CANONNAME */ ++ int ai_family; /* PF_xxx */ ++ int ai_socktype; /* SOCK_xxx */ ++ int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */ ++ size_t ai_addrlen; /* length of ai_addr */ ++ char *ai_canonname; /* canonical name for hostname */ ++ struct sockaddr *ai_addr; /* binary address */ ++ struct addrinfo *ai_next; /* next structure in linked list */ ++ }; ++ #endif ++ #endif /* not ENABLE_IPV6 */ + + #endif /* SSH_H */ diff --git a/security/ssh/files/patch-xa b/security/ssh/files/patch-xa new file mode 100644 index 0000000..a775ff6 --- /dev/null +++ b/security/ssh/files/patch-xa 
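Review bot: The fallback `struct sockaddr_storage` block defines `_SS_MAXSIZE`, `_SS_ALIGNSIZE`, `_SS_PAD1SIZE`, `_SS_PAD2SIZE` and the `__ss_*` members, all names in the space reserved for the C implementation; that mirrors the RFC 2553 layout, but a libc that later provides these macros will clash with the definitions here, because only `HAVE_SOCKADDR_STORAGE` guards the block. Wrapping the macro definitions in `#ifndef _SS_MAXSIZE` keeps the fallback from redefining them. The dummy `struct addrinfo` is guarded by `#ifndef AI_PASSIVE`, yet the fake getaddrinfo.c added in this commit also needs `EAI_NODATA` and `EAI_MEMORY`, which are not provided here; presumably gai.h supplies them, which is worth a comment next to the guard. The changed `record_login()` prototype now takes a generic `struct sockaddr *`; its implementation is not among the visible hunks, so I cannot confirm it handles AF_INET6 addresses when filling the login records.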
@@ -0,0 +1,167 @@ +Note that this patch has been incorporated into the port due to problems +with patching a autoconf generated configure script. The script itself contains +linenumbers and in case of two patches against that script the second one fails +because it expects something that the first patch has already changed. The +only clean way is to re-generate it with autoconf. *sigh* +This patch was fetched from +http://www.ssh.org/patches/patch-ssh-1.2.27-bsd.tty.chown + - torstenb@FreeBSD.org, Tue Jan 11 21:36:46 CET 2000 + + +Patch for problem with tty ownership with chflags and chown in BSD 4.4 +variants. Fixes a security bug in tty allocation. + +This patch works for ssh-1.2.27. + +Apply with the following commands: + +% cd /wherever/you/hold/your/sources/ssh-1.2.27 +% patch -p1 -l < /path/to/where/you/saved/patch-ssh-1.2.27-bsd.tty.chown +% ./configure --whatever-config-flags-you-use +% make clean +% make +% su +Password: *********** +# make install +# kill -HUP `cat /var/run/sshd.pid` + +You should be all set. + +Sami Lehtinen <sjl@ssh.fi> + +--begin patch-- +diff -u --recursive -X /u/sjl/bin/diff-src-db auth-passwd.c.orig auth-passwd.c +--- auth-passwd.c.orig Wed May 12 14:19:23 1999 ++++ auth-passwd.c Wed Aug 11 19:49:32 1999 +@@ -613,7 +613,13 @@ + /* get_name pulls out just the name not the + type */ + strcpy(ccname + 5, krb5_cc_get_name(ssh_context, ccache)); +- (void) chown(ccname + 5, pw->pw_uid, pw->pw_gid); ++ if (chown(ccname + 5, pw->pw_uid, pw->pw_gid) < 0) ++ { ++ log_msg("Kerberos: chown failed for %s, error: %s", ++ ccname + 5, strerror(errno)); ++ packet_send_debug("Kerberos: chown failed for %s", ccname + 5); ++ goto errout; ++ } + + /* If tgt was passed unlink file */ + if (ticket) +diff -u --recursive -X /u/sjl/bin/diff-src-db config.h.in.orig config.h.in +--- config.h.in.orig Wed May 12 14:20:04 1999 ++++ config.h.in Wed Aug 11 20:20:51 1999 +@@ -360,6 +360,9 @@ + /* Define if you have the authenticate function. 
*/ + #undef HAVE_AUTHENTICATE + ++/* Define if you have the chflags function. */ ++#undef HAVE_CHFLAGS ++ + /* Define if you have the clock function. */ + #undef HAVE_CLOCK + +diff -u --recursive -X /u/sjl/bin/diff-src-db configure.in.orig configure.in +--- configure.in.orig Wed May 12 14:20:02 1999 ++++ configure.in Wed Aug 11 20:05:13 1999 +@@ -433,6 +433,7 @@ + AC_CHECK_FUNCS(strchr memcpy setlogin openpty _getpty clock fchmod ulimit) + AC_CHECK_FUNCS(gethostname getdtablesize umask innetgr initgroups setpgrp) + AC_CHECK_FUNCS(setpgid daemon waitpid ttyslot authenticate getpt isastream) ++AC_CHECK_FUNCS(chflags) + + AC_REPLACE_FUNCS(strerror memmove remove random putenv crypt socketpair snprintf) + +diff -u --recursive -X /u/sjl/bin/diff-src-db sshd.c.orig sshd.c +--- sshd.c.orig Wed May 12 14:19:29 1999 ++++ sshd.c Wed Aug 11 20:26:31 1999 +@@ -2897,9 +2897,87 @@ + tty_mode = S_IRUSR|S_IWUSR|S_IWGRP|S_IWOTH; + } + ++ retry_chown: ++ + /* Change ownership of the tty. */ +- (void)chown(ttyname, pw->pw_uid, tty_gid); +- (void)chmod(ttyname, tty_mode); ++ if (chown(ttyname, pw->pw_uid, tty_gid) < 0) ++ { ++ /* chown failed. Atleast two possibilities. Either we are not ++ running as root, in which case this is OK, or we are running ++ on BSD, and somebody has put some flags to the tty. */ ++ ++ /* Check whether we are root or not.*/ ++ if (getuid() != UID_ROOT) ++ { ++ /* We are not, and then this is OK. */ ++ debug("chown failed (but we're not root anyway) for " ++ "%s, error %s", ttyname, strerror(errno)); ++ } ++ else ++ { ++#ifdef HAVE_CHFLAGS ++ static int retrying = 0; ++ struct stat st; ++ ++ if (!retrying) ++ { ++ debug("chown failed for %s, error: %s. Removing " ++ "user-settable flags, and retrying.", ++ ttyname, strerror(errno)); ++ ++ if (stat(ttyname, &st) < 0) ++ { ++ error("stat failed for %s, error: %s", ++ ttyname, strerror(errno)); ++ } ++ else ++ { ++ debug("Removing user-settable flags with " ++ "chflags."); ++ /* Remove user definable flags. 
*/ ++ if (chflags(ttyname, st.st_flags & ++ ~(UF_NODUMP | UF_IMMUTABLE | ++ UF_APPEND | UF_OPAQUE)) < 0) ++ { ++ debug("chflags failed for %s, error: %s", ++ ttyname, strerror(errno)); ++ } ++ else ++ { ++ debug("Retrying..."); ++ retrying = 1; ++ goto retry_chown; ++ } ++ } ++ } ++ else ++ { ++ debug("chown failed even with retry. error: %s", ++ strerror(errno)); ++ } ++ ++#endif /* HAVE_CHFLAGS */ ++ error("ssh_pty_allocate_and_fork: chown failed for %s.", ++ ttyname); ++ goto fail; ++ } ++ } ++ ++ if (chmod(ttyname, tty_mode) < 0) ++ { ++ if (getuid() != UID_ROOT) ++ { ++ /* We are not, and then this is (probably) OK. */ ++ debug("chmod failed (but we're not root anyway) for " ++ "%s, error %s", ttyname, strerror(errno)); ++ } ++ else ++ { ++ error("ssh_pty_allocate_and_fork: chmod %s: %s", ++ ttyname, strerror(errno)); ++ goto fail; ++ } ++ } + + /* Get TERM from the packet. Note that the value may be of arbitrary + length. */ |
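Review bot: `static int retrying = 0;` is set to 1 on the first chflags() retry and never reset, so if the enclosing function (its start is outside the hunk) runs more than once in the same process, the next tty whose chown() fails skips the chflags fallback and goes straight to `goto fail`; an automatic `int retrying = 0;` declared before the `retry_chown:` label would make each call independent. The recovery clears only the UF_* user flags, so a tty carrying a system flag still fails the retry and the pty allocation is abandoned via `goto fail`; that is the safe outcome compared with the old code, which ignored chown()/chmod() failures entirely, and is worth a short comment where the flag mask is built. The stat()/chflags() pair is not atomic with the retried chown(), which is acceptable here because a second failure is again reported and aborted rather than ignored.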