summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authordes <des@FreeBSD.org>2004-04-20 09:35:04 +0000
committerdes <des@FreeBSD.org>2004-04-20 09:35:04 +0000
commit13038249fe2534a8bbf8071e1ce86a5ac3f138ba (patch)
tree9c4c356c89ba7c02d24dd9e9ae86f4b0aa30e4ad
parent52a5485343646a98c4b521830a1c8b2a18aad3fc (diff)
parentc69db9c5a2d88a51f8d2394cf37717ba93f07152 (diff)
downloadFreeBSD-src-13038249fe2534a8bbf8071e1ce86a5ac3f138ba.zip
FreeBSD-src-13038249fe2534a8bbf8071e1ce86a5ac3f138ba.tar.gz
This commit was generated by cvs2svn to compensate for changes in r128456,
which included commits to RCS files with non-trunk default branches.
-rw-r--r--crypto/openssh/.cvsignore24
-rw-r--r--crypto/openssh/ChangeLog1326
-rw-r--r--crypto/openssh/README5
-rw-r--r--crypto/openssh/auth-sia.c2
-rw-r--r--crypto/openssh/auth-sia.h2
-rw-r--r--crypto/openssh/contrib/Makefile15
-rw-r--r--crypto/openssh/contrib/README60
-rw-r--r--crypto/openssh/contrib/aix/README50
-rwxr-xr-xcrypto/openssh/contrib/aix/buildbff.sh383
-rwxr-xr-xcrypto/openssh/contrib/aix/inventory.sh63
-rw-r--r--crypto/openssh/contrib/aix/pam.conf20
-rw-r--r--crypto/openssh/contrib/caldera/openssh.spec366
-rwxr-xr-xcrypto/openssh/contrib/caldera/ssh-host-keygen36
-rwxr-xr-xcrypto/openssh/contrib/caldera/sshd.init125
-rw-r--r--crypto/openssh/contrib/caldera/sshd.pam8
-rw-r--r--crypto/openssh/contrib/cygwin/Makefile56
-rw-r--r--crypto/openssh/contrib/cygwin/README224
-rw-r--r--crypto/openssh/contrib/cygwin/ssh-host-config592
-rw-r--r--crypto/openssh/contrib/cygwin/ssh-user-config250
-rw-r--r--crypto/openssh/contrib/findssl.sh159
-rw-r--r--crypto/openssh/contrib/gnome-ssh-askpass1.c171
-rw-r--r--crypto/openssh/contrib/gnome-ssh-askpass2.c220
-rw-r--r--crypto/openssh/contrib/hpux/README45
-rw-r--r--crypto/openssh/contrib/hpux/egd15
-rwxr-xr-xcrypto/openssh/contrib/hpux/egd.rc98
-rw-r--r--crypto/openssh/contrib/hpux/sshd5
-rwxr-xr-xcrypto/openssh/contrib/hpux/sshd.rc90
-rw-r--r--crypto/openssh/contrib/redhat/gnome-ssh-askpass.csh1
-rw-r--r--crypto/openssh/contrib/redhat/gnome-ssh-askpass.sh2
-rw-r--r--crypto/openssh/contrib/redhat/openssh.spec804
-rwxr-xr-xcrypto/openssh/contrib/redhat/sshd.init154
-rw-r--r--crypto/openssh/contrib/redhat/sshd.pam8
-rwxr-xr-xcrypto/openssh/contrib/solaris/README24
-rwxr-xr-xcrypto/openssh/contrib/solaris/buildpkg.sh386
-rwxr-xr-xcrypto/openssh/contrib/solaris/opensshd.in82
-rw-r--r--crypto/openssh/contrib/ssh-copy-id50
-rw-r--r--crypto/openssh/contrib/ssh-copy-id.167
-rw-r--r--crypto/openssh/contrib/sshd.pam.freebsd5
-rw-r--r--crypto/openssh/contrib/sshd.pam.generic8
-rw-r--r--crypto/openssh/contrib/suse/openssh.spec199
-rw-r--r--crypto/openssh/contrib/suse/rc.config.sshd5
-rw-r--r--crypto/openssh/contrib/suse/rc.sshd80
-rw-r--r--crypto/openssh/defines.h23
-rw-r--r--crypto/openssh/dh.c11
-rw-r--r--crypto/openssh/gss-serv-krb5.c2
-rw-r--r--crypto/openssh/openbsd-compat/.cvsignore1
-rw-r--r--crypto/openssh/openbsd-compat/bsd-cygwin_util.c12
-rw-r--r--crypto/openssh/openbsd-compat/bsd-misc.h6
-rw-r--r--crypto/openssh/openbsd-compat/setenv.c8
-rw-r--r--crypto/openssh/openbsd-compat/xcrypt.c4
-rw-r--r--crypto/openssh/regress/Makefile3
-rw-r--r--crypto/openssh/regress/README.regress5
-rw-r--r--crypto/openssh/regress/dynamic-forward.sh4
-rw-r--r--crypto/openssh/regress/login-timeout.sh29
-rw-r--r--crypto/openssh/regress/sftp-cmds.sh2
-rw-r--r--crypto/openssh/regress/ssh-com-client.sh5
-rw-r--r--crypto/openssh/regress/ssh-com-keygen.sh5
-rw-r--r--crypto/openssh/regress/ssh-com-sftp.sh5
-rw-r--r--crypto/openssh/regress/ssh-com.sh5
-rw-r--r--crypto/openssh/regress/test-exec.sh18
-rw-r--r--crypto/openssh/regress/try-ciphers.sh18
-rw-r--r--crypto/openssh/scard/.cvsignore2
-rw-r--r--crypto/openssh/scp.13
-rw-r--r--crypto/openssh/sftp-client.c13
-rw-r--r--crypto/openssh/sftp.13
-rw-r--r--crypto/openssh/sftp.c7
66 files changed, 5292 insertions, 1187 deletions
diff --git a/crypto/openssh/.cvsignore b/crypto/openssh/.cvsignore
new file mode 100644
index 0000000..12de9ef
--- /dev/null
+++ b/crypto/openssh/.cvsignore
@@ -0,0 +1,24 @@
+ssh
+scp
+sshd
+ssh-add
+ssh-keygen
+ssh-keyscan
+ssh-keysign
+ssh-agent
+sftp-server
+sftp
+configure
+config.h.in
+config.h
+config.status
+config.cache
+config.log
+stamp-h.in
+Makefile
+ssh_prng_cmds
+*.out
+*.0
+buildit.sh
+autom4te.cache
+ssh-rand-helper
diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog
index c2891ba..e259be6 100644
--- a/crypto/openssh/ChangeLog
+++ b/crypto/openssh/ChangeLog
@@ -1,3 +1,192 @@
+20040418
+ - (dtucker) [auth-pam.c] Log username and source host for failed PAM
+ authentication attempts. With & ok djm@
+ - (djm) [openbsd-compat/bsd-cygwin_util.c] Recent versions of Cygwin allow
+ change of user context without a password, so relax auth method
+ restrictions; from vinschen AT redhat.com; ok dtucker@
+ - Release 3.8.1p1
+
+20040416
+ - (dtucker) [regress/sftp-cmds.sh] Skip quoting test on Cygwin, since
+ FAT/NTFS does not permit quotes in filenames. From vinschen at redhat.com
+ - (djm) [auth-krb5.c auth.h session.c] Explicitly refer to Kerberos ccache
+ file using FILE: method, fixes problems on Mac OSX.
+ Patch from simon@sxw.org.uk; ok dtucker@
+ - (tim) [configure.ac] Set SETEUID_BREAKS_SETUID, BROKEN_SETREUID and
+ BROKEN_SETREGID for SCO OpenServer 3
+
+20040412
+ - (dtucker) [sshd_config.5] Add PermitRootLogin without-password warning
+ from bug #701 (text from jfh at cise.ufl.edu).
+ - (dtucker) [acconfig.h configure.ac defines.h] Bug #673: check for 4-arg
+ skeychallenge(), eg on NetBSD. ok mouring@
+ - (dtucker) [auth-skey.c defines.h monitor.c] Make skeychallenge explicitly
+ 4-arg, with compatibility for 3-arg versions. From djm@, ok me.
+ - (djm) [configure.ac] Fix detection of libwrap on OpenBSD; ok dtucker@
+
+20040408
+ - (dtucker) [loginrec.c] Use UT_LINESIZE if available, prevents truncating
+ pty name on Linux 2.6.x systems. Patch from jpe at eisenmenger.org.
+ - (bal) [monitor.c monitor_wrap.c] Second try. Put the zlib.h headers
+ back and #undef TARGET_OS_MAC instead. (Bug report pending with Apple)
+ - (dtucker) [defines.h loginrec.c] Define UT_LINESIZE if not defined and
+ simplify loginrec.c. ok tim@
+ - (bal) [monitor.c monitor_wrap.c] Ok.. Last time. Promise. Tim suggested
+ limiting scope and dtucker@ agreed.
+
+20040407
+ - (dtucker) [session.c] Flush stdout after displaying loginmsg. From
+ f_mohr at yahoo.de.
+ - (bal) [acconfig.h auth-krb5.c configure.ac gss-serv-krb5.c] Check to see
+ if Krb5 library exports krb5_init_etc() since some OSes (like MacOS/X)
+ are starting to restrict it as internal since it is not needed by
+ developers any more. (Patch based on Apple tree)
+ - (bal) [monitor.c monitor_wrap.c] monitor_wrap.c] moved zlib.h higher since
+ krb5 on MacOS/X conflicts. There may be a better solution, but this will
+ work for now.
+
+20040406
+ - (dtucker) [acconfig.h configure.ac defines.h] Bug #820: don't use
+ updwtmpx() on IRIX since it seems to clobber utmp. ok djm@
+ - (dtucker) [configure.ac] Bug #816, #748 (again): Attempt to detect
+ broken getaddrinfo and friends on HP-UX. ok djm@
+
+20040330
+ - (dtucker) [configure.ac] Bug #811: Use "!" for LOCKED_PASSWD_PREFIX on
+ Linuxes, since that's what many use. ok djm@
+ - (dtucker) [auth-pam.c] rename the_authctxt to sshpam_authctxt in auth-pam.c
+ to reduce potential confusion with the one in sshd.c. ok djm@
+ - (djm) Bug #825: Fix ip_options_check() for mapped IPv4/IPv6 connection;
+ with & ok dtucker@
+
+20040327
+ - (dtucker) [session.c] Bug #817: Clear loginmsg after fork to prevent
+ duplicate login messages for mutli-session logins. ok djm@
+
+20040322
+ - (djm) [sshd.c] Drop supplemental groups if started as root
+ - (djm) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2004/03/09 22:11:05
+ [ssh.c]
+ increase x11 cookie lifetime to 20 minutes; ok djm
+ - markus@cvs.openbsd.org 2004/03/10 09:45:06
+ [ssh.c]
+ trim usage to match ssh(1) and look more like unix. ok djm@
+ - markus@cvs.openbsd.org 2004/03/11 08:36:26
+ [sshd.c]
+ trim usage; ok deraadt
+ - markus@cvs.openbsd.org 2004/03/11 10:21:17
+ [ssh.c sshd.c]
+ ssh, sshd: sync version output, ok djm
+ - markus@cvs.openbsd.org 2004/03/20 10:40:59
+ [version.h]
+ 3.8.1
+ - (djm) Crank RPM spec versions
+
+20040311
+ - (djm) [configure.ac] Add standard license to configure.ac; ok ben, dtucker
+
+20040310
+ - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #812: #undef getaddrinfo
+ before redefining it, silences warnings on Tru64.
+
+20040308
+ - (dtucker) [sshd.c] Back out rev 1.270 as it caused problems on some
+ platforms (eg SCO, HP-UX) with logging in the wrong TZ. ok djm@
+ - (dtucker) [configure.ac sshd.c openbsd-compat/bsd-misc.h
+ openbsd-compat/setenv.c] Unset KRB5CCNAME on AIX to prevent it from being
+ inherited by the child. ok djm@
+ - (dtucker) [auth-pam.c auth-pam.h auth1.c auth2.c monitor.c monitor_wrap.c
+ monitor_wrap.h] Bug #808: Ensure force_pwchange is correctly initialized
+ even if keyboard-interactive is not used by the client. Prevents
+ segfaults in some cases where the user's password is expired (note this
+ is not considered a security exposure). ok djm@
+ - (djm) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2004/03/03 06:47:52
+ [sshd.c]
+ change proctiltle after accept(2); ok henning, deraadt, djm
+ - djm@cvs.openbsd.org 2004/03/03 09:30:42
+ [sftp-client.c]
+ Don't print duplicate messages when progressmeter is off
+ Spotted by job317 AT mailvault.com; ok markus@
+ - djm@cvs.openbsd.org 2004/03/03 09:31:20
+ [sftp.c]
+ Fix initialisation of progress meter; ok markus@
+ - markus@cvs.openbsd.org 2004/03/05 10:53:58
+ [readconf.c readconf.h scp.1 sftp.1 ssh.1 ssh_config.5 sshconnect2.c]
+ add IdentitiesOnly; ok djm@, pb@
+ - djm@cvs.openbsd.org 2004/03/08 09:38:05
+ [ssh-keyscan.c]
+ explicitly initialise remote_major and remote_minor.
+ from cjwatson AT debian.org; ok markus@
+ - dtucker@cvs.openbsd.org 2004/03/08 10:18:57
+ [sshd_config.5]
+ Document KerberosGetAFSToken; ok markus@
+ - (tim) [regress/README.regress] Document ssh-rand-helper issue. ok bal
+
+20040307
+ - (tim) [regress/login-timeout.sh] fix building outside of source tree.
+
+20040304
+ - (dtucker) [auth-pam.c] Don't try to export PAM when compiled with
+ -DUSE_POSIX_THREADS. From antoine.verheijen at ualbert ca. ok djm@
+ - (dtucker) [auth-pam.c] Reset signal status when starting pam auth thread,
+ prevent hanging during PAM keyboard-interactive authentications. ok djm@
+ - (dtucker) [auth-passwd.c auth-sia.c auth-sia.h defines.h
+ openbsd-compat/xcrypt.c] Bug #802: Fix build error on Tru64 when
+ configured --with-osfsia. ok djm@
+
+20040303
+ - (djm) [configure.ac ssh-agent.c] Use prctl to prevent ptrace on ssh-agent
+ ok dtucker
+
+20040229
+ - (tim) [configure.ac] Put back bits mistakenly removed from Rev 1.188
+
+20040229
+ - (dtucker) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2004/02/25 00:22:45
+ [sshd.c]
+ typo in comment
+ - dtucker@cvs.openbsd.org 2004/02/27 22:42:47
+ [dh.c]
+ Prevent sshd from sending DH groups with a primitive generator of zero or
+ one, even if they are listed in /etc/moduli. ok markus@
+ - dtucker@cvs.openbsd.org 2004/02/27 22:44:56
+ [dh.c]
+ Make /etc/moduli line buffer big enough for 8kbit primes, in case anyone
+ ever uses one. ok markus@
+ - dtucker@cvs.openbsd.org 2004/02/27 22:49:27
+ [dh.c]
+ Reset bit counter at the right time, fixes debug output in the case where
+ the DH group is rejected. ok markus@
+ - dtucker@cvs.openbsd.org 2004/02/17 08:23:20
+ [regress/Makefile regress/login-timeout.sh]
+ Add regression test for LoginGraceTime; ok markus@
+ - markus@cvs.openbsd.org 2004/02/24 16:56:30
+ [regress/test-exec.sh]
+ allow arguments in ${TEST_SSH_XXX}
+ - markus@cvs.openbsd.org 2004/02/24 17:06:52
+ [regress/ssh-com-client.sh regress/ssh-com-keygen.sh
+ regress/ssh-com-sftp.sh regress/ssh-com.sh]
+ test against recent ssh.com releases
+ - dtucker@cvs.openbsd.org 2004/02/28 12:16:57
+ [regress/dynamic-forward.sh]
+ Make dynamic-forward understand nc's new output. ok markus@
+ - dtucker@cvs.openbsd.org 2004/02/28 13:44:45
+ [regress/try-ciphers.sh]
+ Test acss too; ok markus@
+ - (dtucker) [regress/try-ciphers.sh] Skip acss if not compiled in (eg if we
+ built with openssl < 0.9.7)
+
+20040226
+ - (bal) KNF our sshlogin.c even if the code looks nothing like upstream
+ code due to diversity issues.
+
+20040225
+ - (djm) Trim ChangeLog
+ - (djm) Don't specify path to PAM modules in Redhat sshd.pam; from Fedora
+
20040224
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2004/02/19 21:15:04
@@ -794,1139 +983,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-20030919
- - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL;
- djast AT cs.toronto.edu
- - (djm) Bug #661: Remove duplicate check for basename; from
- bugzilla-openssh AT thewrittenword.com
- - (djm) Bug #641: Allow RedHat RPM building without GTK-2; Patch from
- jason AT devrandom.org
- - (djm) Bug #646: Fix location of x11-ssh-askpass; Jim
- - (dtucker) [openbsd-compat/port-aix.h] Bug #640: Don't include audit.h
- unless required. Reorder to reduce warnings.
- - (dtucker) [session.c] Bug #643: Fix size_t -> u_int and fix null deref
- when /etc/default/login doesn't exist or isn't readable. Fixes from
- jparsons-lists at saffron.net and georg.oppenberg at deu mci com.
- - (dtucker) [acconfig.h] Updated basename test needs HAVE_BASENAME
-
-20030918
- - (djm) Bug #652: Fix empty password auth
-
-20030917
- - (djm) Sync with V_3_7 branch
- - (djm) OpenBSD Sync
- - markus@cvs.openbsd.org 2003/09/16 21:02:40
- [buffer.c channels.c version.h]
- more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU
- - (djm) Crank RPM spec file versions
- - (tim) [openbsd-compat/inet_ntoa.c] 20030917 "Sync with V_3_7 branch" undid
- 20030916 "Missed dead header in inet_ntoa.c"
-
-20030916
- - (dtucker) [acconfig.h configure.ac defines.h session.c] Bug #252: Retrieve
- PATH (or SUPATH) and UMASK from /etc/default/login on platforms that have it
- (eg Solaris, Reliant Unix). Patch from Robert.Dahlem at siemens.com.
- ok djm@
- - (bal) OpenBSD Sync
- - deraadt@cvs.openbsd.org 2003/09/16 03:03:47
- [buffer.c]
- do not expand buffer before attempting to reallocate it; markus ok
- - (tim) [configure.ac] Fix portability issues.
- - (bal) Missed dead header in inet_ntoa.c
-
-20030914
- - (dtucker) [Makefile regress/Makefile] Fix portability issues preventing
- the regression tests from running with Solaris' make. Patch from Brian
- Poole (raj at cerias.purdue.edu).
- - (dtucker) [regress/Makefile] AIX's make doesn't like " +=", so replace
- with vanilla "=".
-
-20030913
- - (dtucker) [regress/agent-timeout.sh] Timeout of 5 sec is borderline for
- slower hosts, increase to 10 sec.
- - (dtucker) [auth-passwd.c] On AIX, call setauthdb() before loginsuccess(),
- required to correctly reset failed login count when using a password
- registry other than "files" (eg LDAP, see bug #543).
- - (tim) [configure.ac] define WITH_ABBREV_NO_TTY for SCO.
- Report by Roger Cornelius.
- - (dtucker) [auth-pam.c] Use SSHD_PAM_SERVICE for PAM service name, patch
- from cjwatson at debian.org.
-
-20030912
- - (tim) [regress/agent-ptrace.sh] sh doesn't like "if ! shell_function; then".
- - (tim) [Makefile.in] only mkdir regress if it does not exist.
- - (tim) [regress/yes-head.sh] shell portability fix.
-
-20030911
- - (dtucker) [configure.ac] Bug #588, #615: Move other libgen tests to after
- the dirname test, to allow a broken dirname to be detected correctly.
- Based partially on patch supplied by alex.kiernan at thus.net. ok djm@
- - (tim) [configure.ac] Move libgen tests to before libwrap to unbreak
- UnixWare 2.03 using --with-tcp-wrappers.
- - (tim) [configure.ac] Prefer setuid/setgid on UnixWare and Open Server.
- - (tim) [regress/agent-ptrace.sh regress/dynamic-forward.sh
- regress/sftp-cmds.sh regress/stderr-after-eof.sh regress/test-exec.sh]
- no longer depends on which(1). patch by dtucker@
-
-20030910
- - (dtucker) [configure.ac] Bug #636: Add support for Cray's new X1 machine.
- Patch from wendyp at cray.com.
- - (dtucker) [configure.ac] Part of bug #615: tcsendbreak might be a macro.
- - (dtucker) [regressh/yes-head.sh] Some platforms (eg Solaris) don't have
- "yes".
-
-20030909
- - (tim) [regress/Makefile] Fixes for building outside of a read-only
- source tree.
- - (tim) [regress/agent-timeout.sh] s/TIMEOUT/SSHAGENT_TIMEOUT/ Fixes conflict
- with shell read-only variable.
- - (tim) [regress/sftp-badcmds.sh regress/sftp-cmds.sh] Fix errors like
- UX:rm: ERROR: Cannot remove '.' or '..'
-
-20030908
- - (tim) [configure.ac openbsd-compat/getrrsetbyname.c] wrap _getshort and
- _getlong in #ifndef
- - (tim) [configure.ac acconfig.h openbsd-compat/getrrsetbyname.c] test for
- HEADER.ad in arpa/nameser.h
- - (tim) [ssh-keygen.c] s/PATH_MAX/MAXPATHLEN/ ok mouring@
-
-20030907
- - (dtucker) [agent-ptrace.sh dynamic-forward.sh (all regress/)]
- Put "which" inside quotes.
- - (dtucker) [dynamic-forward.sh forwarding.sh sftp-batch.sh (all regress/)]
- Add ${EXEEXT}: required to work on Cygwin.
- - (dtucker) [regress/sftp-batch.sh] Make temporary batch file name more
- distinctive, so "rm ${BATCH}.*" doesn't match the script itself.
- - (dtucker) [regress/sftp-cmds.sh] Skip quoted file test on Cygwin.
- - (dtucker) [openbsd-compat/xcrypt.c] #elsif -> #elif
- - (dtucker) [acconfig.h] Typo.
- - (dtucker) [CREDITS Makefile.in configure.ac mdoc2man.awk mdoc2man.pl]
- Replace mdoc2man.pl with mdoc2man.awk, provided by Peter Stuge.
-
-20030906
- - (dtucker) [acconfig.h configure.ac uidswap.c] Prefer setuid/setgid on AIX.
-
-20030905
- - (dtucker) [Makefile.in] Add distclean target for regress/, fix clean target.
-
-20030904
- - (dtucker) Portablize regression tests. Parts contributed by Roumen
- Petrov, David M. Williams and Corinna Vinschen.
- - [Makefile.in] Add "make tests" target and "make clean" hooks.
- - [regress/agent-getpeereid.sh] Skip test on platforms that don't support
- getpeereid.
- - [regress/agent-ptrace.sh] Skip tests if platform doesn't support it or
- gdb cannot be found.
- - [regress/reconfigure/sh] Make path to sshd fully qualified if required.
- - [regress/rekey.sh] Remove dependence on /dev/zero (not all platforms have
- it). The sparse file will take less disk space too.
- - [regress/sftp-cmds.sh] Ensure files used for test are readable.
- - [regress/stderr-after-eof.sh] Search for a usable checksum program.
- - [regress/sftp-badcmds.sh regress/sftp-cmds.sh regress/sftp.sh
- regress/ssh-com-client.sh regress/ssh-com-sftp.sh regress/stderr-data.sh
- regress/transfer.sh] Use ${EXEEXT} where appropriate.
- - [regress/sftp.sh regress/ssh-com-sftp.sh] Remove dependency on /dev/stdin.
- - [regress/agent-ptrace.sh regress/agent-timeout.sh]
- "grep -q" -> "grep >/dev/null"
- - [regress/agent.sh regress/proto-version.sh regress/ssh-com.sh
- regress/test-exec.sh] Handle different ways of echoing without newlines.
- - [regress/dynamic-forward.sh] Some "which" programs output on stderr.
- - [regress/sftp-cmds.sh] Use portable "test" option.
- - [regress/test-exec.sh] Use sudo, search for "whoami" equivalent, always
- use Strictmodes no, wait longer for sshd startup.
- - [regress/Makefile] Remove BSDisms.
- - [regress/README.regress] Add a basic readme.
- - [Makefile.in regress/agent-getpeereid.sh] config.h is now in $BUILDDIR
- not $OBJ.
- - [Makefile.in regress/agent-ptrace] Fix minor regress issues on Cygwin.
-
-20030903
- - (djm) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/08/26 09:58:43
- [auth-passwd.c auth.c auth.h auth1.c auth2-none.c auth2-passwd.c]
- [auth2.c monitor.c]
- fix passwd auth for 'username leaks via timing'; with djm@, original
- patches from solar
- - markus@cvs.openbsd.org 2003/08/28 12:54:34
- [auth.h]
- remove kerberos support from ssh1, since it has been replaced with GSSAPI;
- but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
- - markus@cvs.openbsd.org 2003/09/02 16:40:29
- [version.h]
- enter 3.7
- - jmc@cvs.openbsd.org 2003/09/02 18:50:06
- [sftp.1 ssh_config.5]
- escape punctuation;
- ok deraadt@
-
-20030902
- - (djm) OpenBSD CVS Sync
- - deraadt@cvs.openbsd.org 2003/08/24 17:36:51
- [auth2-gss.c]
- 64 bit cleanups; markus ok
- - markus@cvs.openbsd.org 2003/08/28 12:54:34
- [auth-krb5.c auth.h auth1.c monitor.c monitor.h monitor_wrap.c]
- [monitor_wrap.h readconf.c servconf.c session.c ssh_config.5]
- [sshconnect1.c sshd.c sshd_config sshd_config.5]
- remove kerberos support from ssh1, since it has been replaced with GSSAPI;
- but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
- - markus@cvs.openbsd.org 2003/08/29 10:03:15
- [compat.c compat.h]
- SSH_BUG_K5USER is unused; ok henning@
- - markus@cvs.openbsd.org 2003/08/29 10:04:36
- [channels.c nchan.c]
- be less chatty; debug -> debug2, cleanup; ok henning@
- - markus@cvs.openbsd.org 2003/08/31 10:26:04
- [progressmeter.c]
- pass file_size + 1 to snprintf: fixes printing of truncated
- file names; fix based on patch/report from sturm@;
- - markus@cvs.openbsd.org 2003/08/31 12:14:22
- [progressmeter.c]
- do write to buf[-1]
- - markus@cvs.openbsd.org 2003/08/31 13:29:05
- [session.c]
- call ssh_gssapi_storecreds conditionally from do_exec();
- with sxw@inf.ed.ac.uk
- - markus@cvs.openbsd.org 2003/08/31 13:30:18
- [gss-serv.c]
- correct string termination in parse_ename(); sxw@inf.ed.ac.uk
- - markus@cvs.openbsd.org 2003/08/31 13:31:57
- [gss-serv.c]
- whitspace KNF
- - markus@cvs.openbsd.org 2003/09/01 09:50:04
- [sshd_config.5]
- gss kex is not supported; sxw@inf.ed.ac.uk
- - markus@cvs.openbsd.org 2003/09/01 12:50:46
- [readconf.c]
- rm gssapidelegatecreds alias; never supported before
- - markus@cvs.openbsd.org 2003/09/01 13:52:18
- [ssh.h]
- rm whitespace
- - markus@cvs.openbsd.org 2003/09/01 18:15:50
- [readconf.c readconf.h servconf.c servconf.h ssh.c]
- remove unused kerberos code; ok henning@
- - markus@cvs.openbsd.org 2003/09/01 20:44:54
- [auth2-gss.c]
- fix leak
- - (djm) Don't initialise pam_conv structures inline. Avoids HP/UX compiler
- error. Part of Bug #423, patch from michael_steffens AT hp.com
- - (djm) Bug #423: reorder setting of PAM_TTY and calling of PAM session
- management (now done in do_setusercontext). Largely from
- michael_steffens AT hp.com
- - (djm) Fix openbsd-compat/ again - remove references to strl(cpy|cat).h
-
-20030829
- - (bal) openbsd-compat/ clean up. Considate headers, add in Id on our
- files, and added missing license to header.
-
-20030826
- - (djm) Bug #629: Mark ssh_config option "pamauthenticationviakbdint"
- as deprecated. Remove mention from README.privsep. Patch from
- aet AT cc.hut.fi
- - (dtucker) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/08/22 10:56:09
- [auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c
- gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c
- readconf.h servconf.c servconf.h session.c session.h ssh-gss.h
- ssh_config.5 sshconnect2.c sshd_config sshd_config.5]
- support GSS API user authentication; patches from Simon Wilkinson,
- stripped down and tested by Jakob and myself.
- - markus@cvs.openbsd.org 2003/08/22 13:20:03
- [sshconnect2.c]
- remove support for "kerberos-2@ssh.com"
- - markus@cvs.openbsd.org 2003/08/22 13:22:27
- [auth2.c] (auth2-krb5.c removed)
- nuke "kerberos-2@ssh.com"
- - markus@cvs.openbsd.org 2003/08/22 20:55:06
- [LICENCE]
- add Simon Wilkinson
- - deraadt@cvs.openbsd.org 2003/08/24 17:36:52
- [monitor.c monitor_wrap.c sshconnect2.c]
- 64 bit cleanups; markus ok
- - fgsch@cvs.openbsd.org 2003/08/25 08:13:09
- [sftp-int.c]
- fix div by zero when listing for filename lengths longer than width.
- markus@ ok.
- - djm@cvs.openbsd.org 2003/08/25 10:33:33
- [sshconnect2.c]
- fprintf->logit to silence login banner with "ssh -q"; ok markus@
- - (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h
- configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c
- sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson.
- - (dtucker) [Makefile.in] Remove auth2-krb5.
- - (dtucker) [contrib/aix/inventory.sh] Add public domain notice. ok mouring@
- (the original author)
- - (dtucker) [auth.c] Do not check for locked accounts when PAM is enabled.
-
-20030825
- - (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from
- larsch@trustcenter.de
- - (bal) openbsd-compat/ OpenBSD updates. Mostly licensing, ansifications
- and minor fixes. OK djm@
- - (bal) redo how we handle 'mysignal()'. Move it to
- openbsd-compat/bsd-misc.c, s/mysignal/signal/ and #define signal to
- be our 'mysignal' by default. OK djm@
- - (dtucker) [acconfig.h auth.c configure.ac sshd.8] Bug #422 again: deny
- any access to locked accounts. ok djm@
- - (djm) Bug #564: Perform PAM account checks for all authentications when
- UsePAM=yes; ok dtucker
- - (dtucker) [configure.ac] Bug #533, #551: define BROKEN_GETADDRINFO on
- Tru64, solves getnameinfo and "bad addr or host" errors. ok djm@
- - (dtucker) [README buildbff.sh inventory.sh] (all in contrib/aix)
- Update package builder: correctly handle config variables, use lsuser
- rather than /etc/passwd, fix typos, add Id's.
-
-20030822
- - (djm) s/get_progname/ssh_get_progname/g to avoid conflict with Heimdal
- -lbroken; ok dtucker
- - (dtucker) [contrib/cygwin/ssh-user-config] Put keys in authorized_keys
- rather that authorized_keys2. Patch from vinschen@redhat.com.
-
-20030821
- - (dtucker) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/08/14 16:08:58
- [ssh-keygen.c]
- exit after primetest, ok djm@
- - (dtucker) [defines.h] Put CMSG_DATA, CMSG_FIRSTHDR with other CMSG* macros,
- change CMSG_DATA to use __CMSG_ALIGN (and thus work properly), reformat for
- consistency.
- - (dtucker) [configure.ac] Move openpty/ctty test outside of case statement
- and after normal openpty test.
-
-20030813
- - (dtucker) [session.c] Remove #ifdef TIOCSBRK kludge.
- - (dtucker) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/08/13 08:33:02
- [session.c]
- use more portable tcsendbreak(3) and ignore break_length;
- ok deraadt, millert
- - markus@cvs.openbsd.org 2003/08/13 08:46:31
- [auth1.c readconf.c readconf.h servconf.c servconf.h ssh.c ssh_config
- ssh_config.5 sshconnect1.c sshd.8 sshd.c sshd_config sshd_config.5]
- remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
- fgsch@, miod@, henning@, jakob@ and others
- - markus@cvs.openbsd.org 2003/08/13 09:07:10
- [readconf.c ssh.c]
- socks4->socks, since with support both 4 and 5; dtucker@zip.com.au
- - (dtucker) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
- Add a tcsendbreak function for platforms that don't have one, based on the
- one from OpenBSD.
-
-20030811
- - (dtucker) OpenBSD CVS Sync
- (thanks to Simon Wilkinson for help with this -dt)
- - markus@cvs.openbsd.org 2003/07/16 15:02:06
- [auth-krb5.c]
- mcc -> fcc; from Love Hörnquist Åstrand <lha@it.su.se>
- otherwise the kerberos credentinal is stored in a memory cache
- in the privileged sshd. ok jabob@, hin@ (some time ago)
- - (dtucker) [openbsd-compat/xcrypt.c] Remove Cygwin #ifdef block (duplicate
- in bsd-cygwin_util.h).
-
-20030808
- - (dtucker) [openbsd-compat/fake-rfc2553.h] Older Linuxes have AI_PASSIVE and
- AI_CANONNAME in netdb.h but not AI_NUMERICHOST, so check each definition
- separately before defining them.
- - (dtucker) [auth-pam.c] Don't set PAM_TTY if tty is null. ok djm@
-
-20030807
- - (dtucker) [session.c] Have session_break_req not attempt to send a break
- if TIOCSBRK and TIOCCBRK are not defined (eg Cygwin).
- - (dtucker) [canohost.c] Bug #336: Only check ip options if IP_OPTIONS is
- defined (fixes compile error on really old Linuxes).
- - (dtucker) [defines.h] Bug #336: Add CMSG_DATA and CMSG_FIRSTHDR macros if
- not already defined (eg Linux with some versions of libc5), based on those
- from OpenBSD.
- - (dtucker) [openbsd-compat/bsd-cygwin_util.c openbsd-compat/bsd-cygwin_util.h]
- Remove incorrect filenames from comments (file names are in Id tags).
- - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.h] Move Cygwin
- specific defines and includes to bsd-cygwin_util.h. Fixes build error too.
-
-20030802
- - (dtucker) [monitor.h monitor_wrap.h] Remove excess ident tags.
- - (dtucker) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/07/22 13:35:22
- [auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c
- monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1
- ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h]
- remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
- test+ok henning@
- - (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support.
- - (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files.
- - (dtucker) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/07/23 07:42:43
- [sshd_config]
- remove AFS; itojun@
- - djm@cvs.openbsd.org 2003/07/28 09:49:56
- [ssh-keygen.1 ssh-keygen.c]
- Support for generating Diffie-Hellman groups (/etc/moduli) from ssh-keygen.
- Based on code from Phil Karn, William Allen Simpson and Niels Provos.
- ok markus@, thanks jmc@
- - markus@cvs.openbsd.org 2003/07/29 18:24:00
- [LICENCE progressmeter.c]
- replace 4 clause BSD licensed progressmeter code with a replacement
- from Nils Nordman and myself; ok deraadt@
- (copied from OpenBSD an re-applied portable changes)
- - markus@cvs.openbsd.org 2003/07/29 18:26:46
- [progressmeter.c]
- fix length for "- stalled -" (included with previous import)
- - markus@cvs.openbsd.org 2003/07/30 07:44:14
- [progressmeter.c]
- use only 4 digits in format_size (included with previous import)
- - markus@cvs.openbsd.org 2003/07/30 07:53:27
- [progressmeter.c]
- whitespace (included with previous import)
- - markus@cvs.openbsd.org 2003/07/31 09:21:02
- [auth2-none.c]
- check whether passwd auth is allowd, similar to proto 1; rob@pitman.co.za
- ok henning
- - avsm@cvs.openbsd.org 2003/07/31 15:50:16
- [atomicio.c]
- correct comment: atomicio takes vwrite, not write; deraadt@ ok
- - markus@cvs.openbsd.org 2003/07/31 22:34:03
- [progressmeter.c]
- print rate similar old version; round instead truncate;
- (included in previous progressmeter.c commit)
- - (dtucker) [openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
- Add a tcgetpgrp function.
- - (dtucker) [Makefile.in moduli.c moduli.h] Add new files and to Makefile.
- - (dtucker) [openbsd-compat/bsd-misc.c] Fix cut-and-paste bug in tcgetpgrp.
-
-20030730
- - (djm) [auth-pam.c] Don't use crappy APIs like sprintf. Thanks bal
-
-20030726
- - (dtucker) [openbsd-compat/xcrypt.c] Fix typo: DISABLED_SHADOW ->
- DISABLE_SHADOW. Fixes HP-UX compile error.
-
-20030724
- - (bal) [auth-passwd.c openbsd-compat/Makefile.in openbsd-compat/xcrypt.c
- openbsd-compat/xcrypt.h] Split off encryption into xcrypt() interface,
- and isolate shadow password functions. Tested in Solaris, but should
- not break other platforms too badly (except maybe HP =). Also brings
- auth-passwd.c into full sync with OpenBSD tree.
-
-20030723
- - (dtucker) [configure.ac] Back out change for bug #620.
-
-20030719
- - (dtucker) [configure.ac] Bug #620: Define BROKEN_GETADDRINFO for
- Solaris/x86. Patch from jrhett at isite.net.
- - (dtucker) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/07/14 12:36:37
- [sshd.c]
- remove undocumented -V option. would be only useful if openssh is used
- as ssh v1 server for ssh.com's ssh v2.
- - markus@cvs.openbsd.org 2003/07/16 10:34:53
- [ssh.c sshd.c]
- don't exit on multiple -v or -d; ok deraadt@
- - markus@cvs.openbsd.org 2003/07/16 10:36:28
- [sshtty.c]
- clear IUCLC in enter_raw_mode; from rob@pitman.co.za; ok deraadt@, fgs@
- - deraadt@cvs.openbsd.org 2003/07/18 01:54:25
- [scp.c]
- userid is unsigned, but well, force it anyways; andrushock@korovino.net
- - djm@cvs.openbsd.org 2003/07/19 00:45:53
- [sftp-int.c]
- fix sftp filename parsing for arguments with escaped quotes. bz #517;
- ok markus
- - djm@cvs.openbsd.org 2003/07/19 00:46:31
- [regress/sftp-cmds.sh]
- regress test for sftp arguments with escaped quotes; ok markus
-
-20030714
- - (dtucker) [acconfig.h configure.ac port-aix.c] Older AIXes don't declare
- loginfailed at all, so assume 3-arg loginfailed if not declared.
- - (dtucker) [port-aix.h] Work around name collision on AIX for r_type by
- undef'ing it.
- - (dtucker) Bug #543: [configure.ac port-aix.c port-aix.h]
- Call setauthdb() before loginfailed(), which may load password registry-
- specific functions. Based on patch by cawlfiel at us.ibm.com.
- - (dtucker) [port-aix.h] Fix prototypes.
- - (dtucker) OpenBSD CVS Sync
- - avsm@cvs.openbsd.org 2003/07/09 13:58:19
- [key.c]
- minor tweak: when generating the hex fingerprint, give strlcat the full
- bound to the buffer, and add a comment below explaining why the
- zero-termination is one less than the bound. markus@ ok
- - markus@cvs.openbsd.org 2003/07/10 14:42:28
- [packet.c]
- the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
- blowfish, etc, so enforce a 1GB limit for small blocksizes.
- - markus@cvs.openbsd.org 2003/07/10 20:05:55
- [sftp.c]
- sync usage with manpage, add missing -R
-
-20030708
- - (dtucker) [acconfig.h auth-passwd.c configure.ac session.c port-aix.[ch]]
- Include AIX headers for authentication functions and make calls match
- prototypes. Test for and handle 3-arg and 4-arg variants of loginfailed.
- - (dtucker) [session.c] Check return value of setpcred().
- - (dtucker) [auth-passwd.c auth.c session.c sshd.c port-aix.c port-aix.h]
- Convert aixloginmsg into platform-independant Buffer loginmsg.
-
-20030707
- - (dtucker) [configure.ac] Bug #600: Check that getrusage is declared before
- searching libraries for it. Fixes build errors on NCR MP-RAS.
-
-20030706
- - (dtucker) [ssh-rand-helper.c loginrec.c]
- Apply atomicio typing change to these too.
-
-20030703
- - (dtucker) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2003/06/28 07:48:10
- [sshd.c]
- report pidfile creation errors, based on patch from Roumen Petrov;
- ok markus@
- - deraadt@cvs.openbsd.org 2003/06/28 16:23:06
- [atomicio.c atomicio.h authfd.c clientloop.c monitor_wrap.c msg.c
- progressmeter.c scp.c sftp-client.c ssh-keyscan.c ssh.h sshconnect.c
- sshd.c]
- deal with typing of write vs read in atomicio
- - markus@cvs.openbsd.org 2003/06/29 12:44:38
- [sshconnect.c]
- memset 0, not \0; andrushock@korovino.net
- - markus@cvs.openbsd.org 2003/07/02 12:56:34
- [channels.c]
- deny dynamic forwarding with -R for v1, too; ok djm@
- - markus@cvs.openbsd.org 2003/07/02 14:51:16
- [channels.c ssh.1 ssh_config.5]
- (re)add socks5 suppport to -D; ok djm@
- now ssh(1) can act both as a socks 4 and socks 5 server and
- dynamically forward ports.
- - markus@cvs.openbsd.org 2003/07/02 20:37:48
- [ssh.c]
- convert hostkeyalias to lowercase, otherwise uppercase aliases will
- not match at all; ok henning@
- - markus@cvs.openbsd.org 2003/07/03 08:21:46
- [regress/dynamic-forward.sh]
- add socks5; speedup; reformat; based on patch from dtucker@zip.com.au
- - markus@cvs.openbsd.org 2003/07/03 08:24:13
- [regress/Makefile]
- enable tests for dynamic fwd via socks (-D), uses nc(1)
- - djm@cvs.openbsd.org 2003/07/03 08:09:06
- [readconf.c readconf.h ssh-keysign.c ssh.c]
- fix AddressFamily option in config file, from brent@graveland.net;
- ok markus@
-
-20030630
- - (djm) Search for support functions necessary to build our
- getrrsetbyname() replacement. Patch from Roumen Petrov
-
-20030629
- - (dtucker) [includes.h] Bug #602: move #include of netdb.h to after in.h
- (fixes compiler warnings on Solaris 2.5.1).
- - (dtucker) [configure.ac] Add sanity test after system-dependant compiler
- flag modifications.
-
-20030628
- - (djm) Bug #591: use PKCS#15 private key label as a comment in case
- of OpenSC. Report and patch from larsch@trustcenter.de
- - (djm) Bug #593: Sanity check OpenSC card reader number; patch from
- aj@dungeon.inka.de
- - (dtucker) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/06/23 09:02:44
- [ssh_config.5]
- document EnableSSHKeysign; bugzilla #599; ok deraadt@, jmc@
- - markus@cvs.openbsd.org 2003/06/24 08:23:46
- [auth2-hostbased.c auth2-pubkey.c auth2.c channels.c key.c key.h
- monitor.c packet.c packet.h serverloop.c sshconnect2.c sshd.c]
- int -> u_int; ok djm@, deraadt@, mouring@
- - miod@cvs.openbsd.org 2003/06/25 22:39:36
- [sftp-server.c]
- Typo police: attribute is better written with an 'r'.
- - markus@cvs.openbsd.org 2003/06/26 20:08:33
- [readconf.c]
- do not dump core for 'ssh -o proxycommand host'; ok deraadt@
- - (dtucker) [regress/dynamic-forward.sh] Import new regression test.
- - (dtucker) [configure.ac] Bug #570: Have ./configure --enable-FEATURE
- actually enable the feature, for those normally disabled. Patch by
- openssh (at) roumenpetrov.info.
-
-20030624
- - (dtucker) Have configure refer the user to config.log and
- contrib/findssl.sh for OpenSSL header/library mismatches.
-
-20030622
- - (dtucker) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/06/21 09:14:05
- [regress/reconfigure.sh]
- missing $SUDO; from dtucker@zip.com.au
- - markus@cvs.openbsd.org 2003/06/18 11:28:11
- [ssh-rsa.c]
- backout last change, since it violates pkcs#1
- switch to share/misc/license.template
- - djm@cvs.openbsd.org 2003/06/20 05:47:58
- [sshd_config.5]
- sync description of protocol 2 cipher proposal; ok markus
- - djm@cvs.openbsd.org 2003/06/20 05:48:21
- [sshd_config]
- sync some implemented options; ok markus@
- - (dtucker) [regress/authorized_keys_root] Remove temp data file from CVS.
- - (dtucker) [openbsd-compat/setproctitle.c] Ensure SPT_TYPE is defined before
- testing its value.
-
-20030618
- - (djm) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/06/12 07:57:38
- [monitor.c sshlogin.c sshpty.c]
- typos; dtucker at zip.com.au
- - djm@cvs.openbsd.org 2003/06/12 12:22:47
- [LICENCE]
- mention more copyright holders; ok markus@
- - nino@cvs.openbsd.org 2003/06/12 15:34:09
- [scp.c]
- Typo. Ok markus@.
- - markus@cvs.openbsd.org 2003/06/12 19:12:03
- [scard.c scard.h ssh-agent.c ssh.c]
- add sc_get_key_label; larsch at trustcenter.de; bugzilla#591
- - markus@cvs.openbsd.org 2003/06/16 08:22:35
- [ssh-rsa.c]
- make sure the signature has at least the expected length (don't
- insist on len == hlen + oidlen, since this breaks some smartcards)
- bugzilla #592; ok djm@
- - markus@cvs.openbsd.org 2003/06/16 10:22:45
- [ssh-add.c]
- print out key comment on each prompt; make ssh-askpass more useable; ok djm@
- - markus@cvs.openbsd.org 2003/06/17 18:14:23
- [cipher-ctr.c]
- use license from /usr/share/misc/license.template for new code
- - (dtucker) [reconfigure.sh rekey.sh sftp-badcmds.sh]
- Import new regression tests from OpenBSD
- - (dtucker) [regress/copy.1 regress/copy.2] Remove temp data files from CVS.
- - (dtucker) OpenBSD CVS Sync (regress/)
- - markus@cvs.openbsd.org 2003/04/02 12:21:13
- [Makefile]
- enable rekey test
- - djm@cvs.openbsd.org 2003/04/04 09:34:22
- [Makefile sftp-cmds.sh]
- More regression tests, including recent directory rename bug; ok markus@
- - markus@cvs.openbsd.org 2003/05/14 22:08:27
- [ssh-com-client.sh ssh-com-keygen.sh ssh-com-sftp.sh ssh-com.sh]
- test against some new commerical versions
- - mouring@cvs.openbsd.org 2003/05/15 04:07:12
- [sftp-cmds.sh]
- Advanced put/get testing for sftp. OK @djm
- - markus@cvs.openbsd.org 2003/06/12 15:40:01
- [try-ciphers.sh]
- add ctr
- - markus@cvs.openbsd.org 2003/06/12 15:43:32
- [Makefile]
- test -HUP; dtucker at zip.com.au
-
-20030614
- - (djm) Update license on fake-rfc2553.[ch]; ok itojun@
-
-20030611
- - (djm) Mention portable copyright holders in LICENSE
- - (djm) Put licenses on substantial header files
- - (djm) Sync LICENSE against OpenBSD
- - (djm) OpenBSD CVS Sync
- - jmc@cvs.openbsd.org 2003/06/10 09:12:11
- [scp.1 sftp-server.8 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5]
- [sshd.8 sshd_config.5 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8]
- - section reorder
- - COMPATIBILITY merge
- - macro cleanup
- - kill whitespace at EOL
- - new sentence, new line
- ssh pages ok markus@
- - deraadt@cvs.openbsd.org 2003/06/10 22:20:52
- [packet.c progressmeter.c]
- mostly ansi cleanup; pval ok
- - jakob@cvs.openbsd.org 2003/06/11 10:16:16
- [sshconnect.c]
- clean up check_host_key() and improve SSHFP feedback. ok markus@
- - jakob@cvs.openbsd.org 2003/06/11 10:18:47
- [dns.c]
- sync with check_host_key() change
- - djm@cvs.openbsd.org 2003/06/11 11:18:38
- [authfd.c authfd.h ssh-add.c ssh-agent.c]
- make agent constraints (lifetime, confirm) work with smartcard keys;
- ok markus@
-
-
-20030609
- - (djm) Sync README.smartcard with OpenBSD -current
- - (djm) Re-merge OpenSC info into README.smartcard
-
-20030606
- - (dtucker) [uidswap.c] Fix setreuid and add missing args to fatal(). ok djm@
-
-20030605
- - (djm) Support AI_NUMERICHOST in fake-getaddrinfo.c. Needed for recent
- canohost.c changes.
- - (djm) Implement paranoid priv dropping checks, based on:
- "SetUID demystified" - Hao Chen, David Wagner and Drew Dean
- Proceedings of USENIX Security Symposium 2002
- - (djm) Don't use xmalloc() or pull in toplevel headers in fake-* code
- - (djm) Merge all the openbsd/fake-* into fake-rfc2553.[ch]
- - (djm) Bug #588 - Add scard-opensc.o back to Makefile.in
- Patch from larsch@trustcenter.de
- - (djm) Bug #589 - scard-opensc: load only keys with a private keys
- Patch from larsch@trustcenter.de
- - (dtucker) Add includes.h to fake-rfc2553.c so it will build.
- - (dtucker) Define EAI_NONAME in fake-rfc2553.h (used by fake-rfc2553.c).
-
-20030604
- - (djm) Bug #573 - Remove unneeded Krb headers and compat goop. Patch from
- simon@sxw.org.uk (Also matches a change in OpenBSD a while ago)
- - (djm) Bug #577 - wrong flag in scard-opensc.c sc_private_decrypt.
- Patch from larsch@trustcenter.de; ok markus@
- - (djm) Bug #584: scard-opensc.c doesn't work without PIN. Patch from
- larsch@trustcenter.de; ok markus@
- - (djm) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2003/06/04 08:25:18
- [sshconnect.c]
- disable challenge/response and keyboard-interactive auth methods
- upon hostkey mismatch. based on patch from fcusack AT fcusack.com.
- bz #580; ok markus@
- - djm@cvs.openbsd.org 2003/06/04 10:23:48
- [sshd.c]
- remove duplicated group-dropping code; ok markus@
- - djm@cvs.openbsd.org 2003/06/04 12:03:59
- [serverloop.c]
- remove bitrotten commet; ok markus@
- - djm@cvs.openbsd.org 2003/06/04 12:18:49
- [scp.c]
- ansify; ok markus@
- - djm@cvs.openbsd.org 2003/06/04 12:40:39
- [scp.c]
- kill ssh process upon receipt of signal, bz #241.
- based on patch from esb AT hawaii.edu; ok markus@
- - djm@cvs.openbsd.org 2003/06/04 12:41:22
- [sftp.c]
- kill ssh process on receipt of signal; ok markus@
- - (djm) Update to fix of bug #584: lock card before return.
- From larsch@trustcenter.de
- - (djm) Always use mysignal() for SIGALRM
-
-20030603
- - (djm) Replace setproctitle replacement with code derived from
- UCB sendmail
- - (djm) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/06/02 09:17:34
- [auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c]
- [canohost.c monitor.c servconf.c servconf.h session.c sshd_config]
- [sshd_config.5]
- deprecate VerifyReverseMapping since it's dangerous if combined
- with IP based access control as noted by Mike Harding; replace with
- a UseDNS option, UseDNS is on by default and includes the
- VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
- ok deraadt@, djm@
- - millert@cvs.openbsd.org 2003/06/03 02:56:16
- [scp.c]
- Remove the advertising clause in the UCB license which Berkeley
- rescinded 22 July 1999. Proofed by myself and Theo.
- - (djm) Fix portable-specific uses of verify_reverse_mapping too
- - (djm) Sync openbsd-compat with OpenBSD CVS.
- - No more 4-term BSD licenses in linked code
- - (dtucker) [port-aix.c bsd-cray.c] Fix uses of verify_reverse_mapping.
-
-20030602
- - (djm) Fix segv from bad reordering in auth-pam.c
- - (djm) Always use saved_argv in sshd.c as compat_init_setproctitle may
- clobber
- - (tim) openbsd-compat/xmmap.[ch] License clarifications. Add missing
- CVS ID.
- - (djm) Remove "noip6" option from RedHat spec file. This may now be
- set at runtime using AddressFamily option.
- - (djm) Fix use of macro before #define in cipher-aes.c
- - (djm) Sync license on openbsd-compat/bindresvport.c with OpenBSD CVS
- - (djm) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2003/05/26 12:54:40
- [sshconnect.c]
- fix format strings; ok markus@
- - deraadt@cvs.openbsd.org 2003/05/29 16:58:45
- [sshd.c uidswap.c]
- seteuid and setegid; markus ok
- - jakob@cvs.openbsd.org 2003/06/02 08:31:10
- [ssh_config.5]
- VerifyHostKeyDNS is v2 only. ok markus@
-
-20030530
- - (dtucker) Add missing semicolon in md5crypt.c, patch from openssh at
- roumenpetrov.info
- - (dtucker) Define SSHD_ACQUIRES_CTTY for NCR MP-RAS and Reliant Unix.
-
-20030526
- - (djm) Avoid auth2-chall.c warning when compiling without
- PAM, BSD_AUTH and SKEY
-
-20030525
-- (djm) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2003/05/24 09:02:22
- [log.c]
- pass logged data through strnvis; ok markus
- - djm@cvs.openbsd.org 2003/05/24 09:30:40
- [authfile.c monitor.c sftp-common.c sshpty.c]
- cast some types for printing; ok markus@
-
-20030524
- - (dtucker) Correct --osfsia in INSTALL. Patch by skeleten at shillest.net
-
-20030523
- - (djm) Use VIS_SAFE on logged strings rather than default strnvis
- encoding (which encodes many more characters)
- - OpenBSD CVS Sync
- - jmc@cvs.openbsd.org 2003/05/20 12:03:35
- [sftp.1]
- - new sentence, new line
- - added .Xr's
- - typos
- ok djm@
- - jmc@cvs.openbsd.org 2003/05/20 12:09:31
- [ssh.1 ssh_config.5 sshd.8 sshd_config.5 ssh-keygen.1]
- new sentence, new line
- - djm@cvs.openbsd.org 2003/05/23 08:29:30
- [sshconnect.c]
- fix leak; ok markus@
-
-20030520
- - (djm) OpenBSD CVS Sync
- - deraadt@cvs.openbsd.org 2003/05/18 23:22:01
- [log.c]
- use syslog_r() in a signal handler called place; markus ok
- - (djm) Configure logic to detect syslog_r and friends
-
-20030519
- - (djm) Sync auth-pam.h with what we actually implement
-
-20030518
- - (djm) Return of the dreaded PAM_TTY_KLUDGE, which went missing in
- recent merge
- - (djm) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2003/05/16 03:27:12
- [readconf.c ssh_config ssh_config.5 ssh-keysign.c]
- add AddressFamily option to ssh_config (like -4, -6 on commandline).
- Portable bug #534; ok markus@
- - itojun@cvs.openbsd.org 2003/05/17 03:25:58
- [auth-rhosts.c]
- just in case, put numbers to sscanf %s arg.
- - markus@cvs.openbsd.org 2003/05/17 04:27:52
- [cipher.c cipher-ctr.c myproposal.h]
- experimental support for aes-ctr modes from
- http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt
- ok djm@
- - (djm) Remove IPv4 by default hack now that we can specify AF in config
- - (djm) Tidy and trim TODO
- - (djm) Sync openbsd-compat/ with OpenBSD CVS head
- - (djm) Big KNF on openbsd-compat/
- - (djm) KNF on md5crypt.[ch]
- - (djm) KNF on auth-sia.[ch]
-
-20030517
- - (bal) strcat -> strlcat on openbsd-compat/realpath.c (rev 1.8 OpenBSD)
-
-20030516
- - (djm) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2003/05/15 13:52:10
- [ssh.c]
- Make "ssh -V" print the OpenSSL version in a human readable form. Patch
- from Craig Leres (mindrot at ee.lbl.gov); ok markus@
- - jakob@cvs.openbsd.org 2003/05/15 14:02:47
- [readconf.c servconf.c]
- warn for unsupported config option. ok markus@
- - markus@cvs.openbsd.org 2003/05/15 14:09:21
- [auth2-krb5.c]
- fix 64bit issue; report itojun@
- - djm@cvs.openbsd.org 2003/05/15 14:55:25
- [readconf.c readconf.h ssh_config ssh_config.5 sshconnect.c]
- add a ConnectTimeout option to ssh, based on patch from
- Jean-Charles Longuet (jclonguet at free.fr); portable #207 ok markus@
- - (djm) Add warning for UsePAM when built without PAM support
- - (djm) A few type mismatch fixes from Bug #565
- - (djm) Guard free_pam_environment against NULL argument. Works around
- HP/UX PAM problems debugged by dtucker
-
-20030515
- - (djm) OpenBSD CVS Sync
- - jmc@cvs.openbsd.org 2003/05/14 13:11:56
- [ssh-agent.1]
- setup -> set up;
- from wiz@netbsd
- - jakob@cvs.openbsd.org 2003/05/14 18:16:20
- [key.c key.h readconf.c readconf.h ssh_config.5 sshconnect.c]
- [dns.c dns.h README.dns ssh-keygen.1 ssh-keygen.c]
- add experimental support for verifying hos keys using DNS as described
- in draft-ietf-secsh-dns-xx.txt. more information in README.dns.
- ok markus@ and henning@
- - markus@cvs.openbsd.org 2003/05/14 22:24:42
- [clientloop.c session.c ssh.1]
- allow to send a BREAK to the remote system; ok various
- - markus@cvs.openbsd.org 2003/05/15 00:28:28
- [sshconnect2.c]
- cleanup unregister of per-method packet handlers; ok djm@
- - jakob@cvs.openbsd.org 2003/05/15 01:48:10
- [readconf.c readconf.h servconf.c servconf.h]
- always parse kerberos options. ok djm@ markus@
- - jakob@cvs.openbsd.org 2003/05/15 02:27:15
- [dns.c]
- add missing freerrset
- - markus@cvs.openbsd.org 2003/05/15 03:08:29
- [cipher.c cipher-bf1.c cipher-aes.c cipher-3des1.c]
- split out custom EVP ciphers
- - djm@cvs.openbsd.org 2003/05/15 03:10:52
- [ssh-keygen.c]
- avoid warning; ok jakob@
- - mouring@cvs.openbsd.org 2003/05/15 03:39:07
- [sftp-int.c]
- Make put/get (globed and nonglobed) code more consistant. OK djm@
- - mouring@cvs.openbsd.org 2003/05/15 03:43:59
- [sftp-int.c sftp.c]
- Teach ls how to display multiple column display and allow users
- to return to single column format via 'ls -1'. OK @djm
- - jakob@cvs.openbsd.org 2003/05/15 04:08:44
- [readconf.c servconf.c]
- disable kerberos when not supported. ok markus@
- - markus@cvs.openbsd.org 2003/05/15 04:08:41
- [ssh.1]
- ~B is ssh2 only
- - (djm) Always parse UsePAM
- - (djm) Configure glue for DNS support (code doesn't work in portable yet)
- - (djm) Import getrrsetbyname() function from OpenBSD libc (for DNS support)
- - (djm) Tidy Makefile clean targets
- - (djm) Adapt README.dns for portable
- - (djm) Avoid uuencode.c warnings
- - (djm) Enable UsePAM when built --with-pam
- - (djm) Only build getrrsetbyname replacement when using --with-dns
- - (djm) Bug #529: sshd doesn't work correctly after SIGHUP (copy argv
- correctly)
- - (djm) Bug #444: Wrong paths after reconfigure
- - (dtucker) HP-UX needs to include <sys/strtio.h> for TIOCSBRK
-
-20030514
- - (djm) Bug #117: Don't lie to PAM about username
- - (djm) RCSID sync w/ OpenBSD
- - (djm) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2003/04/09 12:00:37
- [readconf.c]
- strip trailing whitespace from config lines before parsing.
- Fixes bz 528; ok markus@
- - markus@cvs.openbsd.org 2003/04/12 10:13:57
- [cipher.c]
- hide cipher details; ok djm@
- - markus@cvs.openbsd.org 2003/04/12 10:15:36
- [misc.c]
- debug->debug2
- - naddy@cvs.openbsd.org 2003/04/12 11:40:15
- [ssh.1]
- document -V switch, fix wording; ok markus@
- - markus@cvs.openbsd.org 2003/04/14 14:17:50
- [channels.c sshconnect.c sshd.c ssh-keyscan.c]
- avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP
- - mouring@cvs.openbsd.org 2003/04/14 21:31:27
- [sftp-int.c]
- Missing globfree(&g) in process_put() spotted by Vince Brimhall
- <VBrimhall@novell.com>. ok@ Theo
- - markus@cvs.openbsd.org 2003/04/16 14:35:27
- [auth.h]
- document struct Authctxt; with solar
- - deraadt@cvs.openbsd.org 2003/04/26 04:29:49
- [ssh-keyscan.c]
- -t in usage(); rogier@quaak.org
- - mouring@cvs.openbsd.org 2003/04/30 01:16:20
- [sshd.8 sshd_config.5]
- Escape ?, * and ! in .Ql for nroff compatibility. OpenSSH Portable
- Bug #550 and * escaping suggested by jmc@.
- - david@cvs.openbsd.org 2003/04/30 20:41:07
- [sshd.8]
- fix invalid .Pf macro usage introduced in previous commit
- ok jmc@ mouring@
- - markus@cvs.openbsd.org 2003/05/11 16:56:48
- [authfile.c ssh-keygen.c]
- change key_load_public to try to read a public from:
- rsa1 private or rsa1 public and ssh2 keys.
- this makes ssh-keygen -e fail for ssh1 keys more gracefully
- for example; report from itojun (netbsd pr 20550).
- - markus@cvs.openbsd.org 2003/05/11 20:30:25
- [channels.c clientloop.c serverloop.c session.c ssh.c]
- make channel_new() strdup the 'remote_name' (not the caller); ok theo
- - markus@cvs.openbsd.org 2003/05/12 16:55:37
- [sshconnect2.c]
- for pubkey authentication try the user keys in the following order:
- 1. agent keys that are found in the config file
- 2. other agent keys
- 3. keys that are only listed in the config file
- this helps when an agent has many keys, where the server might
- close the connection before the correct key is used. report & ok pb@
- - markus@cvs.openbsd.org 2003/05/12 18:35:18
- [ssh-keyscan.1]
- typo: DSA keys are of type ssh-dss; Brian Poole
- - markus@cvs.openbsd.org 2003/05/14 00:52:59
- [ssh2.h]
- ranges for per auth method messages
- - djm@cvs.openbsd.org 2003/05/14 01:00:44
- [sftp.1]
- emphasise the batchmode functionality and make reference to pubkey auth,
- both of which are FAQs; ok markus@
- - markus@cvs.openbsd.org 2003/05/14 02:15:47
- [auth2.c monitor.c sshconnect2.c auth2-krb5.c]
- implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
- server interops with commercial client; ok jakob@ djm@
- - jmc@cvs.openbsd.org 2003/05/14 08:25:39
- [sftp.1]
- - better formatting in SYNOPSIS
- - whitespace at EOL
- ok djm@
- - markus@cvs.openbsd.org 2003/05/14 08:57:49
- [monitor.c]
- http://bugzilla.mindrot.org/show_bug.cgi?id=560
- Privsep child continues to run after monitor killed.
- Pass monitor signals through to child; Darren Tucker
- - (djm) Make portable build with MIT krb5 (some issues remain)
- - (djm) Add new UsePAM configuration directive to allow runtime control
- over usage of PAM. This allows non-root use of sshd when built with
- --with-pam
- - (djm) Die screaming if start_pam() is called when UsePAM=no
- - (djm) Avoid KrbV leak for MIT Kerberos
- - (dtucker) Set ai_socktype and ai_protocol in fake-getaddrinfo.c. ok djm@
- - (djm) Bug #258: sscanf("[0-9]") -> sscanf("[0123456789]") for portability
-
-20030512
- - (djm) Redhat spec: Don't install profile.d scripts when not
- building with GNOME/GTK askpass (patch from bet@rahul.net)
-
-20030510
- - (dtucker) Bug #318: Create ssh_prng_cmds.out during "make" rather than
- "make install". Patch by roth@feep.net.
- - (dtucker) Bug #536: Test for and work around openpty/controlling tty
- problem on Linux (fixes "could not set controlling tty" errors).
- - (djm) Merge FreeBSD PAM code: replaces PAM password auth kludge with
- proper challenge-response module
- - (djm) 2-clause license on loginrec.c, with permission from
- andre@ae-35.com
-
-20030504
- - (dtucker) Bug #497: Move #include of bsd-cygwin_util.h to openbsd-compat.h.
- Patch from vinschen@redhat.com.
-
-20030503
- - (dtucker) Add missing "void" to record_failed_login in bsd-cray.c. Noted
- by wendyp@cray.com.
-
-20030502
- - (dtucker) Bug #544: ignore invalid cmsg_type on Linux 2.0 kernels,
- privsep should now work.
- - (dtucker) Move handling of bad password authentications into a platform
- specific record_failed_login() function (affects AIX & Unicos). ok mouring@
-
-20030429
- - (djm) Add back radix.o (used by AFS support), after it went missing from
- Makefile many moons ago
- - (djm) Apply "owl-always-auth" patch from Openwall/Solar Designer
- - (djm) Fix blibpath specification for AIX/gcc
- - (djm) Some systems have basename in -lgen. Fix from ayamura@ayamura.org
-
-20030428
- - (bal) [defines.h progressmeter.c scp.c] Some more culling of non 64bit
- hacked code.
-
-20030427
- - (bal) Bug #541: return; was dropped by mistake. Reported by
- furrier@iglou.com
- - (bal) Since we don't support platforms lacking u_int_64. We may
- as well clean out some of those evil #ifdefs
- - (bal) auth1.c minor resync while looking at the code.
- - (bal) auth2.c same changed as above.
-
-20030409
- - (djm) Bug #539: Specify creation mode with O_CREAT for lastlog. Report
- from matth@eecs.berkeley.edu
- - (djm) Make the spec work with Redhat 9.0 (which renames sharutils)
- - (djm) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/04/02 09:48:07
- [clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c]
- [readconf.h serverloop.c sshconnect2.c]
- reapply rekeying chage, tested by henning@, ok djm@
- - markus@cvs.openbsd.org 2003/04/02 14:36:26
- [ssh-keysign.c]
- potential segfault if KEY_UNSPEC; cjwatson@debian.org; bug #526
- - itojun@cvs.openbsd.org 2003/04/03 07:25:27
- [progressmeter.c]
- $OpenBSD$
- - itojun@cvs.openbsd.org 2003/04/03 10:17:35
- [progressmeter.c]
- remove $OpenBSD$, as other *.c does not have it.
- - markus@cvs.openbsd.org 2003/04/07 08:29:57
- [monitor_wrap.c]
- typo: get correct counters; introduced during rekeying change.
- - millert@cvs.openbsd.org 2003/04/07 21:58:05
- [progressmeter.c]
- The UCB copyright here is incorrect. This code did not originate
- at UCB, it was written by Luke Mewburn. Updated the copyright at
- the author's request. markus@ OK
- - itojun@cvs.openbsd.org 2003/04/08 20:21:29
- [*.c *.h]
- rename log() into logit() to avoid name conflict. markus ok, from
- netbsd
- - (djm) XXX - Performed locally using:
- "perl -p -i -e 's/(\s|^)log\(/$1logit\(/g' *.c *.h"
- - hin@cvs.openbsd.org 2003/04/09 08:23:52
- [servconf.c]
- Don't include <krb.h> when compiling with Kerberos 5 support
- - (djm) Fix up missing include for packet.c
- - (djm) Fix missed log => logit occurance (reference by function pointer)
-
-20030402
- - (bal) if IP_TOS is not found or broken don't try to compile in
- packet_set_tos() function call. bug #527
-
-20030401
- - (djm) OpenBSD CVS Sync
- - jmc@cvs.openbsd.org 2003/03/28 10:11:43
- [scp.1 sftp.1 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5 sshd_config.5]
- [ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8]
- - killed whitespace
- - new sentence new line
- - .Bk for arguments
- ok markus@
- - markus@cvs.openbsd.org 2003/04/01 10:10:23
- [clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c]
- [readconf.h serverloop.c sshconnect2.c]
- rekeying bugfixes and automatic rekeying:
- * both client and server rekey _automatically_
- (a) after 2^31 packets, because after 2^32 packets
- the sequence number for packets wraps
- (b) after 2^(blocksize_in_bits/4) blocks
- (see: draft-ietf-secsh-newmodes-00.txt)
- (a) and (b) are _enabled_ by default, and only disabled for known
- openssh versions, that don't support rekeying properly.
- * client option 'RekeyLimit'
- * do not reply to requests during rekeying
- - markus@cvs.openbsd.org 2003/04/01 10:22:21
- [clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c]
- [readconf.h serverloop.c sshconnect2.c]
- backout rekeying changes (for 3.6.1)
- - markus@cvs.openbsd.org 2003/04/01 10:31:26
- [compat.c compat.h kex.c]
- bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@;
- tested by ho@ and myself
- - markus@cvs.openbsd.org 2003/04/01 10:56:46
- [version.h]
- 3.6.1
- - (djm) Crank spec file versions
- - (djm) Release 3.6.1p1
-
-20030326
- - (djm) OpenBSD CVS Sync
- - deraadt@cvs.openbsd.org 2003/03/26 04:02:51
- [sftp-server.c]
- one last fix to the tree: race fix broke stuff; pr 3169;
- srp@srparish.net, help from djm
-
-20030325
- - (djm) Fix getpeerid support for 64 bit BE systems. From
- Arnd Bergmann <arndb@de.ibm.com>
-
-20030324
- - (djm) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/03/23 19:02:00
- [monitor.c]
- unbreak rekeying for privsep; ok millert@
- - Release 3.6p1
- - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
- Report from murple@murple.net, diagnosis from dtucker@zip.com.au
-
-$Id: ChangeLog,v 1.3257 2004/02/24 06:13:28 djm Exp $
+$Id: ChangeLog,v 1.3316.2.1 2004/04/18 12:51:12 djm Exp $
diff --git a/crypto/openssh/README b/crypto/openssh/README
index 7e918fe..0620d0e 100644
--- a/crypto/openssh/README
+++ b/crypto/openssh/README
@@ -1,5 +1,4 @@
-See:
-http://www.openssh.com/txt/release-3.8 for the release notes.
+See http://www.openssh.com/txt/release-3.8.1 for the release notes.
- A Japanese translation of this document and of the OpenSSH FAQ is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -66,4 +65,4 @@ References -
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
[7] http://www.openssh.com/faq.html
-$Id: README,v 1.53 2004/02/24 05:13:24 dtucker Exp $
+$Id: README,v 1.54 2004/04/18 10:32:56 djm Exp $
diff --git a/crypto/openssh/auth-sia.c b/crypto/openssh/auth-sia.c
index cd2dcb8..63f55d0 100644
--- a/crypto/openssh/auth-sia.c
+++ b/crypto/openssh/auth-sia.c
@@ -47,7 +47,7 @@ extern int saved_argc;
extern char **saved_argv;
int
-auth_sia_password(Authctxt *authctxt, char *pass)
+sys_auth_passwd(Authctxt *authctxt, char *pass)
{
int ret;
SIAENTITY *ent = NULL;
diff --git a/crypto/openssh/auth-sia.h b/crypto/openssh/auth-sia.h
index 38164ff..ca55e91 100644
--- a/crypto/openssh/auth-sia.h
+++ b/crypto/openssh/auth-sia.h
@@ -26,7 +26,7 @@
#ifdef HAVE_OSF_SIA
-int auth_sia_password(Authctxt *, char *);
+int sys_auth_passwd(Authctxt *, char *);
void session_setup_sia(struct passwd *, char *);
#endif /* HAVE_OSF_SIA */
diff --git a/crypto/openssh/contrib/Makefile b/crypto/openssh/contrib/Makefile
new file mode 100644
index 0000000..2cef46f
--- /dev/null
+++ b/crypto/openssh/contrib/Makefile
@@ -0,0 +1,15 @@
+all:
+ @echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
+
+gnome-ssh-askpass1: gnome-ssh-askpass1.c
+ $(CC) `gnome-config --cflags gnome gnomeui` \
+ gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
+ `gnome-config --libs gnome gnomeui`
+
+gnome-ssh-askpass2: gnome-ssh-askpass2.c
+ $(CC) `pkg-config --cflags gtk+-2.0` \
+ gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
+ `pkg-config --libs gtk+-2.0`
+
+clean:
+ rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass
diff --git a/crypto/openssh/contrib/README b/crypto/openssh/contrib/README
new file mode 100644
index 0000000..9de3d96
--- /dev/null
+++ b/crypto/openssh/contrib/README
@@ -0,0 +1,60 @@
+Other patches and addons for OpenSSH. Please send submissions to
+djm@mindrot.org
+
+Externally maintained
+---------------------
+
+SSH Proxy Command -- connect.c
+
+Shun-ichi GOTO <gotoh@imasy.or.jp> has written a very useful ProxyCommand
+which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or
+https CONNECT style proxy server. His page for connect.c has extensive
+documentation on its use as well as compiled versions for Win32.
+
+http://www.taiyo.co.jp/~gotoh/ssh/connect.html
+
+
+X11 SSH Askpass:
+
+Jim Knoble <jmknoble@pobox.com> has written an excellent X11
+passphrase requester. This is highly recommended:
+
+http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html
+
+
+In this directory
+-----------------
+
+ssh-copy-id:
+
+Phil Hands' <phil@hands.com> shell script to automate the process of adding
+your public key to a remote machine's ~/.ssh/authorized_keys file.
+
+gnome-ssh-askpass[12]:
+
+A GNOME and Gtk2 passphrase requesters. Use "make gnome-ssh-askpass1" or
+"make gnome-ssh-askpass2" to build.
+
+sshd.pam.generic:
+
+A generic PAM config file which may be useful on your system. YMMV
+
+sshd.pam.freebsd:
+
+A PAM config file which works with FreeBSD's PAM port. Contributed by
+Dominik Brettnacher <domi@saargate.de>
+
+mdoc2man.pl:
+
+Converts mdoc formated manpages into normal manpages. This can be used
+on Solaris machines to provide manpages that are not preformated.
+Contributed by Mark D. Roth <roth@feep.net>
+
+redhat:
+
+RPM spec file and scripts for building Redhat packages
+
+suse:
+
+RPM spec file and scripts for building SuSE packages
+
diff --git a/crypto/openssh/contrib/aix/README b/crypto/openssh/contrib/aix/README
new file mode 100644
index 0000000..2a29935
--- /dev/null
+++ b/crypto/openssh/contrib/aix/README
@@ -0,0 +1,50 @@
+Overview:
+
+This directory contains files to build an AIX native (installp or SMIT
+installable) openssh package.
+
+
+Directions:
+
+(optional) create config.local in your build dir
+./configure [options]
+contrib/aix/buildbff.sh
+
+The file config.local or the environment is read to set the following options
+(default first):
+PERMIT_ROOT_LOGIN=[no|yes]
+X11_FORWARDING=[no|yes]
+AIX_SRC=[no|yes]
+
+Acknowledgements:
+
+The contents of this directory are based on Ben Lindstrom's Solaris
+buildpkg.sh. Ben also supplied inventory.sh.
+
+Jim Abbey's (GPL'ed) lppbuild-2.1 was used to learn how to build .bff's
+and for comparison with the output from this script, however no code
+from lppbuild is included and it is not required for operation.
+
+SRC support based on examples provided by Sandor Sklar and Maarten Kreuger.
+PrivSep account handling fixes contributed by W. Earl Allen.
+
+
+Other notes:
+
+The script treats all packages as USR packages (not ROOT+USR when
+appropriate). It seems to work, though......
+
+If there are any patches to this that have not yet been integrated they
+may be found at http://www.zip.com.au/~dtucker/openssh/.
+
+
+Disclaimer:
+
+It is hoped that it is useful but there is no warranty. If it breaks
+you get to keep both pieces.
+
+
+ - Darren Tucker (dtucker at zip dot com dot au)
+ 2002/03/01
+
+$Id: README,v 1.4 2003/08/25 05:01:04 dtucker Exp $
diff --git a/crypto/openssh/contrib/aix/buildbff.sh b/crypto/openssh/contrib/aix/buildbff.sh
new file mode 100755
index 0000000..4a5c32b0e
--- /dev/null
+++ b/crypto/openssh/contrib/aix/buildbff.sh
@@ -0,0 +1,383 @@
+#!/bin/sh
+#
+# buildbff.sh: Create AIX SMIT-installable OpenSSH packages
+# $Id: buildbff.sh,v 1.7 2003/11/21 12:48:56 djm Exp $
+#
+# Author: Darren Tucker (dtucker at zip dot com dot au)
+# This file is placed in the public domain and comes with absolutely
+# no warranty.
+#
+# Based originally on Ben Lindstrom's buildpkg.sh for Solaris
+#
+
+#
+# Tunable configuration settings
+# create a "config.local" in your build directory or set
+# environment variables to override these.
+#
+[ -z "$PERMIT_ROOT_LOGIN" ] && PERMIT_ROOT_LOGIN=no
+[ -z "$X11_FORWARDING" ] && X11_FORWARDING=no
+[ -z "$AIX_SRC" ] && AIX_SRC=no
+
+umask 022
+
+startdir=`pwd`
+
+# Path to inventory.sh: same place as buildbff.sh
+if echo $0 | egrep '^/'
+then
+ inventory=`dirname $0`/inventory.sh # absolute path
+else
+ inventory=`pwd`/`dirname $0`/inventory.sh # relative path
+fi
+
+#
+# We still support running from contrib/aix, but this is deprecated
+#
+if pwd | egrep 'contrib/aix$'
+then
+ echo "Changing directory to `pwd`/../.."
+ echo "Please run buildbff.sh from your build directory in future."
+ cd ../..
+ contribaix=1
+fi
+
+if [ ! -f Makefile ]
+then
+ echo "Makefile not found (did you run configure?)"
+ exit 1
+fi
+
+#
+# Directories used during build:
+# current dir = $objdir directory you ran ./configure in.
+# $objdir/$PKGDIR/ directory package files are constructed in
+# $objdir/$PKGDIR/root/ package root ($FAKE_ROOT)
+#
+objdir=`pwd`
+PKGNAME=openssh
+PKGDIR=package
+
+#
+# Collect local configuration settings to override defaults
+#
+if [ -s ./config.local ]
+then
+ echo Reading local settings from config.local
+ . ./config.local
+fi
+
+#
+# Fill in some details from Makefile, like prefix and sysconfdir
+# the eval also expands variables like sysconfdir=${prefix}/etc
+# provided they are eval'ed in the correct order
+#
+for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir mansubdir sysconfdir piddir srcdir
+do
+ eval $confvar=`grep "^$confvar=" $objdir/Makefile | cut -d = -f 2`
+done
+
+#
+# Collect values of privsep user and privsep path
+# currently only found in config.h
+#
+for confvar in SSH_PRIVSEP_USER PRIVSEP_PATH
+do
+ eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' $objdir/config.h`
+done
+
+# Set privsep defaults if not defined
+if [ -z "$SSH_PRIVSEP_USER" ]
+then
+ SSH_PRIVSEP_USER=sshd
+fi
+if [ -z "$PRIVSEP_PATH" ]
+then
+ PRIVSEP_PATH=/var/empty
+fi
+
+# Clean package build directory
+rm -rf $objdir/$PKGDIR
+FAKE_ROOT=$objdir/$PKGDIR/root
+mkdir -p $FAKE_ROOT
+
+# Start by faking root install
+echo "Faking root install..."
+cd $objdir
+make install-nokeys DESTDIR=$FAKE_ROOT
+
+if [ $? -gt 0 ]
+then
+ echo "Fake root install failed, stopping."
+ exit 1
+fi
+
+#
+# Copy informational files to include in package
+#
+cp $srcdir/LICENCE $objdir/$PKGDIR/
+cp $srcdir/README* $objdir/$PKGDIR/
+
+#
+# Extract common info requires for the 'info' part of the package.
+# AIX requires 4-part version numbers
+#
+VERSION=`./ssh -V 2>&1 | cut -f 1 -d , | cut -f 2 -d _`
+MAJOR=`echo $VERSION | cut -f 1 -d p | cut -f 1 -d .`
+MINOR=`echo $VERSION | cut -f 1 -d p | cut -f 2 -d .`
+PATCH=`echo $VERSION | cut -f 1 -d p | cut -f 3 -d .`
+PORTABLE=`echo $VERSION | awk 'BEGIN{FS="p"}{print $2}'`
+[ "$PATCH" = "" ] && PATCH=0
+[ "$PORTABLE" = "" ] && PORTABLE=0
+BFFVERSION=`printf "%d.%d.%d.%d" $MAJOR $MINOR $PATCH $PORTABLE`
+
+echo "Building BFF for $PKGNAME $VERSION (package version $BFFVERSION)"
+
+#
+# Set ssh and sshd parameters as per config.local
+#
+if [ "${PERMIT_ROOT_LOGIN}" = no ]
+then
+ perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
+ $FAKE_ROOT/${sysconfdir}/sshd_config
+fi
+if [ "${X11_FORWARDING}" = yes ]
+then
+ perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
+ $FAKE_ROOT/${sysconfdir}/sshd_config
+fi
+
+
+# Rename config files; postinstall script will copy them if necessary
+for cfgfile in ssh_config sshd_config ssh_prng_cmds
+do
+ mv $FAKE_ROOT/$sysconfdir/$cfgfile $FAKE_ROOT/$sysconfdir/$cfgfile.default
+done
+
+#
+# Generate lpp control files.
+# working dir is $FAKE_ROOT but files are generated in dir above
+# and moved into place just before creation of .bff
+#
+cd $FAKE_ROOT
+echo Generating LPP control files
+find . ! -name . -print >../openssh.al
+$inventory >../openssh.inventory
+
+cat <<EOD >../openssh.copyright
+This software is distributed under a BSD-style license.
+For the full text of the license, see /usr/lpp/openssh/LICENCE
+EOD
+
+#
+# openssh.size file allows filesystem expansion as required
+# generate list of directories containing files
+# then calculate disk usage for each directory and store in openssh.size
+#
+files=`find . -type f -print`
+dirs=`for file in $files; do dirname $file; done | sort -u`
+for dir in $dirs
+do
+ du $dir
+done > ../openssh.size
+
+#
+# Create postinstall script
+#
+cat <<EOF >>../openssh.post_i
+#!/bin/sh
+
+echo Creating configs from defaults if necessary.
+for cfgfile in ssh_config sshd_config ssh_prng_cmds
+do
+ if [ ! -f $sysconfdir/\$cfgfile ]
+ then
+ echo "Creating \$cfgfile from default"
+ cp $sysconfdir/\$cfgfile.default $sysconfdir/\$cfgfile
+ else
+ echo "\$cfgfile already exists."
+ fi
+done
+echo
+
+# Create PrivSep user if PrivSep not disabled in config
+echo Creating PrivSep prereqs if required.
+if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null
+then
+ echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user,"
+ echo "group or chroot directory."
+else
+ echo "UsePrivilegeSeparation enabled in config (or defaulting to on)."
+
+ # create group if required
+ if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+ then
+ echo "PrivSep group $SSH_PRIVSEP_USER already exists."
+ else
+ echo "Creating PrivSep group $SSH_PRIVSEP_USER."
+ mkgroup -A $SSH_PRIVSEP_USER
+ fi
+
+ # Create user if required
+ if lsuser ALL | cut -f1 -d: | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+ then
+ echo "PrivSep user $SSH_PRIVSEP_USER already exists."
+ else
+ echo "Creating PrivSep user $SSH_PRIVSEP_USER."
+ mkuser gecos='SSHD PrivSep User' login=false rlogin=false account_locked=true pgrp=$SSH_PRIVSEP_USER $SSH_PRIVSEP_USER
+ fi
+
+ # create chroot directory if required
+ if [ -d $PRIVSEP_PATH ]
+ then
+ echo "PrivSep chroot directory $PRIVSEP_PATH already exists."
+ else
+ echo "Creating PrivSep chroot directory $PRIVSEP_PATH."
+ mkdir $PRIVSEP_PATH
+ chown 0 $PRIVSEP_PATH
+ chgrp 0 $PRIVSEP_PATH
+ chmod 755 $PRIVSEP_PATH
+ fi
+fi
+echo
+
+# Generate keys unless they already exist
+echo Creating host keys if required.
+if [ -f "$sysconfdir/ssh_host_key" ] ; then
+ echo "$sysconfdir/ssh_host_key already exists, skipping."
+else
+ $bindir/ssh-keygen -t rsa1 -f $sysconfdir/ssh_host_key -N ""
+fi
+if [ -f $sysconfdir/ssh_host_dsa_key ] ; then
+ echo "$sysconfdir/ssh_host_dsa_key already exists, skipping."
+else
+ $bindir/ssh-keygen -t dsa -f $sysconfdir/ssh_host_dsa_key -N ""
+fi
+if [ -f $sysconfdir/ssh_host_rsa_key ] ; then
+ echo "$sysconfdir/ssh_host_rsa_key already exists, skipping."
+else
+ $bindir/ssh-keygen -t rsa -f $sysconfdir/ssh_host_rsa_key -N ""
+fi
+echo
+
+# Set startup command depending on SRC support
+if [ "$AIX_SRC" = "yes" ]
+then
+ echo Creating SRC sshd subsystem.
+ rmssys -s sshd 2>&1 >/dev/null
+ mkssys -s sshd -p "$sbindir/sshd" -a '-D' -u 0 -S -n 15 -f 9 -R -G tcpip
+ startupcmd="start $sbindir/sshd \\\"\\\$src_running\\\""
+ oldstartcmd="$sbindir/sshd"
+else
+ startupcmd="$sbindir/sshd"
+ oldstartcmd="start $sbindir/sshd \\\"$src_running\\\""
+fi
+
+# If migrating to or from SRC, change previous startup command
+# otherwise add to rc.tcpip
+if egrep "^\$oldstartcmd" /etc/rc.tcpip >/dev/null
+then
+ if sed "s|^\$oldstartcmd|\$startupcmd|g" /etc/rc.tcpip >/etc/rc.tcpip.new
+ then
+ chmod 0755 /etc/rc.tcpip.new
+ mv /etc/rc.tcpip /etc/rc.tcpip.old && \
+ mv /etc/rc.tcpip.new /etc/rc.tcpip
+ else
+ echo "Updating /etc/rc.tcpip failed, please check."
+ fi
+else
+ # Add to system startup if required
+ if grep "^\$startupcmd" /etc/rc.tcpip >/dev/null
+ then
+ echo "sshd found in rc.tcpip, not adding."
+ else
+ echo "Adding sshd to rc.tcpip"
+ echo >>/etc/rc.tcpip
+ echo "# Start sshd" >>/etc/rc.tcpip
+ echo "\$startupcmd" >>/etc/rc.tcpip
+ fi
+fi
+EOF
+
+#
+# Create liblpp.a and move control files into it
+#
+echo Creating liblpp.a
+(
+ cd ..
+ for i in openssh.al openssh.copyright openssh.inventory openssh.post_i openssh.size LICENCE README*
+ do
+ ar -r liblpp.a $i
+ rm $i
+ done
+)
+
+#
+# Create lpp_name
+#
+# This will end up looking something like:
+# 4 R I OpenSSH {
+# OpenSSH 3.0.2.1 1 N U en_US OpenSSH 3.0.2p1 Portable for AIX
+# [
+# %
+# /usr/local/bin 8073
+# /usr/local/etc 189
+# /usr/local/libexec 185
+# /usr/local/man/man1 145
+# /usr/local/man/man8 83
+# /usr/local/sbin 2105
+# /usr/local/share 3
+# %
+# ]
+# }
+
+echo Creating lpp_name
+cat <<EOF >../lpp_name
+4 R I $PKGNAME {
+$PKGNAME $BFFVERSION 1 N U en_US OpenSSH $VERSION Portable for AIX
+[
+%
+EOF
+
+for i in $bindir $sysconfdir $libexecdir $mandir/${mansubdir}1 $mandir/${mansubdir}8 $sbindir $datadir /usr/lpp/openssh
+do
+ # get size in 512 byte blocks
+ if [ -d $FAKE_ROOT/$i ]
+ then
+ size=`du $FAKE_ROOT/$i | awk '{print $1}'`
+ echo "$i $size" >>../lpp_name
+ fi
+done
+
+echo '%' >>../lpp_name
+echo ']' >>../lpp_name
+echo '}' >>../lpp_name
+
+#
+# Move pieces into place
+#
+mkdir -p usr/lpp/openssh
+mv ../liblpp.a usr/lpp/openssh
+mv ../lpp_name .
+
+#
+# Now invoke backup to create .bff file
+# note: lpp_name needs to be the first file so we generate the
+# file list on the fly and feed it to backup using -i
+#
+echo Creating $PKGNAME-$VERSION.bff with backup...
+rm -f $PKGNAME-$VERSION.bff
+(
+ echo "./lpp_name"
+ find . ! -name lpp_name -a ! -name . -print
+) | backup -i -q -f ../$PKGNAME-$VERSION.bff $filelist
+
+#
+# Move package into final location and clean up
+#
+mv ../$PKGNAME-$VERSION.bff $startdir
+cd $startdir
+rm -rf $objdir/$PKGDIR
+
+echo $0: done.
+
diff --git a/crypto/openssh/contrib/aix/inventory.sh b/crypto/openssh/contrib/aix/inventory.sh
new file mode 100755
index 0000000..e2641e7
--- /dev/null
+++ b/crypto/openssh/contrib/aix/inventory.sh
@@ -0,0 +1,63 @@
+#!/bin/sh
+#
+# inventory.sh
+# $Id: inventory.sh,v 1.6 2003/11/21 12:48:56 djm Exp $
+#
+# Originally written by Ben Lindstrom, modified by Darren Tucker to use perl
+# This file is placed into the public domain.
+#
+# This will produce an AIX package inventory file, which looks like:
+#
+# /usr/local/bin:
+# class=apply,inventory,openssh
+# owner=root
+# group=system
+# mode=755
+# type=DIRECTORY
+# /usr/local/bin/slogin:
+# class=apply,inventory,openssh
+# owner=root
+# group=system
+# mode=777
+# type=SYMLINK
+# target=ssh
+# /usr/local/share/Ssh.bin:
+# class=apply,inventory,openssh
+# owner=root
+# group=system
+# mode=644
+# type=FILE
+# size=VOLATILE
+# checksum=VOLATILE
+
+find . ! -name . -print | perl -ne '{
+ chomp;
+ if ( -l $_ ) {
+ ($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=lstat;
+ } else {
+ ($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=stat;
+ }
+
+ # Start to display inventory information
+ $name = $_;
+ $name =~ s|^.||; # Strip leading dot from path
+ print "$name:\n";
+ print "\tclass=apply,inventory,openssh\n";
+ print "\towner=root\n";
+ print "\tgroup=system\n";
+ printf "\tmode=%lo\n", $mod & 07777; # Mask perm bits
+
+ if ( -l $_ ) {
+ # Entry is SymLink
+ print "\ttype=SYMLINK\n";
+ printf "\ttarget=%s\n", readlink($_);
+ } elsif ( -f $_ ) {
+ # Entry is File
+ print "\ttype=FILE\n";
+ print "\tsize=$sz\n";
+ print "\tchecksum=VOLATILE\n";
+ } elsif ( -d $_ ) {
+ # Entry is Directory
+ print "\ttype=DIRECTORY\n";
+ }
+}'
diff --git a/crypto/openssh/contrib/aix/pam.conf b/crypto/openssh/contrib/aix/pam.conf
new file mode 100644
index 0000000..1495f43
--- /dev/null
+++ b/crypto/openssh/contrib/aix/pam.conf
@@ -0,0 +1,20 @@
+#
+# PAM configuration file /etc/pam.conf
+# Example for OpenSSH on AIX 5.2
+#
+
+# Authentication Management
+sshd auth required /usr/lib/security/pam_aix
+OTHER auth required /usr/lib/security/pam_aix
+
+# Account Management
+sshd account required /usr/lib/security/pam_aix
+OTHER account required /usr/lib/security/pam_aix
+
+# Session Management
+sshd password required /usr/lib/security/pam_aix
+OTHER password required /usr/lib/security/pam_aix
+
+# Password Management
+sshd session required /usr/lib/security/pam_aix
+OTHER session required /usr/lib/security/pam_aix
diff --git a/crypto/openssh/contrib/caldera/openssh.spec b/crypto/openssh/contrib/caldera/openssh.spec
new file mode 100644
index 0000000..e690f10
--- /dev/null
+++ b/crypto/openssh/contrib/caldera/openssh.spec
@@ -0,0 +1,366 @@
+
+# Some of this will need re-evaluation post-LSB. The SVIdir is there
+# because the link appeared broken. The rest is for easy compilation,
+# the tradeoff open to discussion. (LC957)
+
+%define SVIdir /etc/rc.d/init.d
+%{!?_defaultdocdir:%define _defaultdocdir %{_prefix}/share/doc/packages}
+%{!?SVIcdir:%define SVIcdir /etc/sysconfig/daemons}
+
+%define _mandir %{_prefix}/share/man/en
+%define _sysconfdir /etc/ssh
+%define _libexecdir %{_libdir}/ssh
+
+# Do we want to disable root_login? (1=yes 0=no)
+%define no_root_login 0
+
+#old cvs stuff. please update before use. may be deprecated.
+%define use_stable 1
+%if %{use_stable}
+ %define version 3.8.1p1
+ %define cvs %{nil}
+ %define release 1
+%else
+ %define version 3.8.1p1
+ %define cvs cvs20011009
+ %define release 0r1
+%endif
+%define xsa x11-ssh-askpass
+%define askpass %{xsa}-1.2.4.1
+
+# OpenSSH privilege separation requires a user & group ID
+%define sshd_uid 67
+%define sshd_gid 67
+
+Name : openssh
+Version : %{version}%{cvs}
+Release : %{release}
+Group : System/Network
+
+Summary : OpenSSH free Secure Shell (SSH) implementation.
+Summary(de) : OpenSSH - freie Implementation der Secure Shell (SSH).
+Summary(es) : OpenSSH implementación libre de Secure Shell (SSH).
+Summary(fr) : Implémentation libre du shell sécurisé OpenSSH (SSH).
+Summary(it) : Implementazione gratuita OpenSSH della Secure Shell.
+Summary(pt) : Implementação livre OpenSSH do protocolo 'Secure Shell' (SSH).
+Summary(pt_BR) : Implementação livre OpenSSH do protocolo Secure Shell (SSH).
+
+Copyright : BSD
+Packager : Raymund Will <ray@caldera.de>
+URL : http://www.openssh.com/
+
+Obsoletes : ssh, ssh-clients, openssh-clients
+
+BuildRoot : /tmp/%{name}-%{version}
+BuildRequires : XFree86-imake
+
+# %{use_stable}==1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
+# %{use_stable}==0: :pserver:cvs@bass.directhit.com:/cvs/openssh_cvs
+Source0: see-above:/.../openssh-%{version}.tar.gz
+%if %{use_stable}
+Source1: see-above:/.../openssh-%{version}.tar.gz.sig
+%endif
+Source2: http://www.ntrnet.net/~jmknoble/software/%{xsa}/%{askpass}.tar.gz
+Source3: http://www.openssh.com/faq.html
+
+%Package server
+Group : System/Network
+Requires : openssh = %{version}
+Obsoletes : ssh-server
+
+Summary : OpenSSH Secure Shell protocol server (sshd).
+Summary(de) : OpenSSH Secure Shell Protocol-Server (sshd).
+Summary(es) : Servidor del protocolo OpenSSH Secure Shell (sshd).
+Summary(fr) : Serveur de protocole du shell sécurisé OpenSSH (sshd).
+Summary(it) : Server OpenSSH per il protocollo Secure Shell (sshd).
+Summary(pt) : Servidor do protocolo 'Secure Shell' OpenSSH (sshd).
+Summary(pt_BR) : Servidor do protocolo Secure Shell OpenSSH (sshd).
+
+
+%Package askpass
+Group : System/Network
+Requires : openssh = %{version}
+URL : http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/
+Obsoletes : ssh-extras
+
+Summary : OpenSSH X11 pass-phrase dialog.
+Summary(de) : OpenSSH X11 Passwort-Dialog.
+Summary(es) : Aplicación de petición de frase clave OpenSSH X11.
+Summary(fr) : Dialogue pass-phrase X11 d'OpenSSH.
+Summary(it) : Finestra di dialogo X11 per la frase segreta di OpenSSH.
+Summary(pt) : Diálogo de pedido de senha para X11 do OpenSSH.
+Summary(pt_BR) : Diálogo de pedido de senha para X11 do OpenSSH.
+
+
+%Description
+OpenSSH (Secure Shell) provides access to a remote system. It replaces
+telnet, rlogin, rexec, and rsh, and provides secure encrypted
+communications between two untrusted hosts over an insecure network.
+X11 connections and arbitrary TCP/IP ports can also be forwarded over
+the secure channel.
+
+%Description -l de
+OpenSSH (Secure Shell) stellt den Zugang zu anderen Rechnern her. Es ersetzt
+telnet, rlogin, rexec und rsh und stellt eine sichere, verschlüsselte
+Verbindung zwischen zwei nicht vertrauenswürdigen Hosts über eine unsicheres
+Netzwerk her. X11 Verbindungen und beliebige andere TCP/IP Ports können ebenso
+über den sicheren Channel weitergeleitet werden.
+
+%Description -l es
+OpenSSH (Secure Shell) proporciona acceso a sistemas remotos. Reemplaza a
+telnet, rlogin, rexec, y rsh, y proporciona comunicaciones seguras encriptadas
+entre dos equipos entre los que no se ha establecido confianza a través de una
+red insegura. Las conexiones X11 y puertos TCP/IP arbitrarios también pueden
+ser canalizadas sobre el canal seguro.
+
+%Description -l fr
+OpenSSH (Secure Shell) fournit un accès à un système distant. Il remplace
+telnet, rlogin, rexec et rsh, tout en assurant des communications cryptées
+securisées entre deux hôtes non fiabilisés sur un réseau non sécurisé. Des
+connexions X11 et des ports TCP/IP arbitraires peuvent également être
+transmis sur le canal sécurisé.
+
+%Description -l it
+OpenSSH (Secure Shell) fornisce l'accesso ad un sistema remoto.
+Sostituisce telnet, rlogin, rexec, e rsh, e fornisce comunicazioni sicure
+e crittate tra due host non fidati su una rete non sicura. Le connessioni
+X11 ad una porta TCP/IP arbitraria possono essere inoltrate attraverso
+un canale sicuro.
+
+%Description -l pt
+OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o
+telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e cifradas
+entre duas máquinas sem confiança mútua sobre uma rede insegura.
+Ligações X11 e portos TCP/IP arbitrários também poder ser reenviados
+pelo canal seguro.
+
+%Description -l pt_BR
+O OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o
+telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e criptografadas
+entre duas máquinas sem confiança mútua sobre uma rede insegura.
+Ligações X11 e portas TCP/IP arbitrárias também podem ser reenviadas
+pelo canal seguro.
+
+%Description server
+This package installs the sshd, the server portion of OpenSSH.
+
+%Description -l de server
+Dieses Paket installiert den sshd, den Server-Teil der OpenSSH.
+
+%Description -l es server
+Este paquete instala sshd, la parte servidor de OpenSSH.
+
+%Description -l fr server
+Ce paquetage installe le 'sshd', partie serveur de OpenSSH.
+
+%Description -l it server
+Questo pacchetto installa sshd, il server di OpenSSH.
+
+%Description -l pt server
+Este pacote intala o sshd, o servidor do OpenSSH.
+
+%Description -l pt_BR server
+Este pacote intala o sshd, o servidor do OpenSSH.
+
+%Description askpass
+This package contains an X11-based pass-phrase dialog used per
+default by ssh-add(1). It is based on %{askpass}
+by Jim Knoble <jmknoble@pobox.com>.
+
+
+%Prep
+%setup %([ -z "%{cvs}" ] || echo "-n %{name}_cvs") -a2
+%if ! %{use_stable}
+ autoreconf
+%endif
+
+
+%Build
+CFLAGS="$RPM_OPT_FLAGS" \
+%configure \
+ --with-pam \
+ --with-tcp-wrappers \
+ --with-privsep-path=%{_var}/empty/sshd \
+ #leave this line for easy edits.
+
+%__make CFLAGS="$RPM_OPT_FLAGS"
+
+cd %{askpass}
+%configure \
+ #leave this line for easy edits.
+
+xmkmf
+%__make includes
+%__make
+
+
+%Install
+[ %{buildroot} != "/" ] && rm -rf %{buildroot}
+
+make install DESTDIR=%{buildroot}
+%makeinstall -C %{askpass} \
+ BINDIR=%{_libexecdir} \
+ MANPATH=%{_mandir} \
+ DESTDIR=%{buildroot}
+
+# OpenLinux specific configuration
+mkdir -p %{buildroot}{/etc/pam.d,%{SVIcdir},%{SVIdir}}
+mkdir -p %{buildroot}%{_var}/empty/sshd
+
+# enabling X11 forwarding on the server is convenient and okay,
+# on the client side it's a potential security risk!
+%__perl -pi -e 's:#X11Forwarding no:X11Forwarding yes:g' \
+ %{buildroot}%{_sysconfdir}/sshd_config
+
+%if %{no_root_login}
+%__perl -pi -e 's:#PermitRootLogin yes:PermitRootLogin no:g' \
+ %{buildroot}%{_sysconfdir}/sshd_config
+%endif
+
+install -m644 contrib/caldera/sshd.pam %{buildroot}/etc/pam.d/sshd
+# FIXME: disabled, find out why this doesn't work with nis
+%__perl -pi -e 's:(.*pam_limits.*):#$1:' \
+ %{buildroot}/etc/pam.d/sshd
+
+install -m 0755 contrib/caldera/sshd.init %{buildroot}%{SVIdir}/sshd
+
+# the last one is needless, but more future-proof
+find %{buildroot}%{SVIdir} -type f -exec \
+ %__perl -pi -e 's:\@SVIdir\@:%{SVIdir}:g;\
+ s:\@sysconfdir\@:%{_sysconfdir}:g; \
+ s:/usr/sbin:%{_sbindir}:g'\
+ \{\} \;
+
+cat <<-EoD > %{buildroot}%{SVIcdir}/sshd
+ IDENT=sshd
+ DESCRIPTIVE="OpenSSH secure shell daemon"
+ # This service will be marked as 'skipped' on boot if there
+ # is no host key. Use ssh-host-keygen to generate one
+ ONBOOT="yes"
+ OPTIONS=""
+EoD
+
+SKG=%{buildroot}%{_sbindir}/ssh-host-keygen
+install -m 0755 contrib/caldera/ssh-host-keygen $SKG
+# Fix up some path names in the keygen toy^Hol
+ %__perl -pi -e 's:\@sysconfdir\@:%{_sysconfdir}:g; \
+ s:\@sshkeygen\@:%{_bindir}/ssh-keygen:g' \
+ %{buildroot}%{_sbindir}/ssh-host-keygen
+
+# This looks terrible. Expect it to change.
+# install remaining docs
+DocD="%{buildroot}%{_defaultdocdir}/%{name}-%{version}"
+mkdir -p $DocD/%{askpass}
+cp -a CREDITS ChangeLog LICENCE OVERVIEW README* TODO $DocD
+install -p -m 0444 %{SOURCE3} $DocD/faq.html
+cp -a %{askpass}/{README,ChangeLog,TODO,SshAskpass*.ad} $DocD/%{askpass}
+%if %{use_stable}
+ cp -p %{askpass}/%{xsa}.man $DocD/%{askpass}/%{xsa}.1
+%else
+ cp -p %{askpass}/%{xsa}.man %{buildroot}%{_mandir}man1/%{xsa}.1
+ ln -s %{xsa}.1 %{buildroot}%{_mandir}man1/ssh-askpass.1
+%endif
+
+find %{buildroot}%{_mandir} -type f -not -name '*.gz' -print0 | xargs -0r %__gzip -9nf
+rm %{buildroot}%{_mandir}/man1/slogin.1 && \
+ ln -s %{_mandir}/man1/ssh.1.gz \
+ %{buildroot}%{_mandir}/man1/slogin.1.gz
+
+
+%Clean
+#%{rmDESTDIR}
+[ %{buildroot} != "/" ] && rm -rf %{buildroot}
+
+%Post
+# Generate host key when none is present to get up and running,
+# both client and server require this for host-based auth!
+# ssh-host-keygen checks for existing keys.
+/usr/sbin/ssh-host-keygen
+: # to protect the rpm database
+
+%pre server
+%{_sbindir}/groupadd -g %{sshd_gid} sshd 2>/dev/null || :
+%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
+ -c "SSH Daemon virtual user" -g sshd sshd 2>/dev/null || :
+: # to protect the rpm database
+
+%Post server
+if [ -x %{LSBinit}-install ]; then
+ %{LSBinit}-install sshd
+else
+ lisa --SysV-init install sshd S55 2:3:4:5 K45 0:1:6
+fi
+
+! %{SVIdir}/sshd status || %{SVIdir}/sshd restart
+: # to protect the rpm database
+
+
+%PreUn server
+[ "$1" = 0 ] || exit 0
+
+! %{SVIdir}/sshd status || %{SVIdir}/sshd stop
+: # to protect the rpm database
+
+
+%PostUn server
+if [ -x %{LSBinit}-remove ]; then
+ %{LSBinit}-remove sshd
+else
+ lisa --SysV-init remove sshd $1
+fi
+: # to protect the rpm database
+
+
+%Files
+%defattr(-,root,root)
+%dir %{_sysconfdir}
+%config %{_sysconfdir}/ssh_config
+%{_bindir}/scp
+%{_bindir}/sftp
+%{_bindir}/ssh
+%{_bindir}/slogin
+%{_bindir}/ssh-add
+%attr(2755,root,nobody) %{_bindir}/ssh-agent
+%{_bindir}/ssh-keygen
+%{_bindir}/ssh-keyscan
+%dir %{_libexecdir}
+%attr(4711,root,root) %{_libexecdir}/ssh-keysign
+%{_sbindir}/ssh-host-keygen
+%dir %{_defaultdocdir}/%{name}-%{version}
+%{_defaultdocdir}/%{name}-%{version}/CREDITS
+%{_defaultdocdir}/%{name}-%{version}/ChangeLog
+%{_defaultdocdir}/%{name}-%{version}/LICENCE
+%{_defaultdocdir}/%{name}-%{version}/OVERVIEW
+%{_defaultdocdir}/%{name}-%{version}/README*
+%{_defaultdocdir}/%{name}-%{version}/TODO
+%{_defaultdocdir}/%{name}-%{version}/faq.html
+%{_mandir}/man1/*
+%{_mandir}/man8/ssh-keysign.8.gz
+%{_mandir}/man5/ssh_config.5.gz
+
+%Files server
+%defattr(-,root,root)
+%dir %{_var}/empty/sshd
+%config %{SVIdir}/sshd
+%config /etc/pam.d/sshd
+%config %{_sysconfdir}/moduli
+%config %{_sysconfdir}/sshd_config
+%config %{SVIcdir}/sshd
+%{_libexecdir}/sftp-server
+%{_sbindir}/sshd
+%{_mandir}/man5/sshd_config.5.gz
+%{_mandir}/man8/sftp-server.8.gz
+%{_mandir}/man8/sshd.8.gz
+
+%Files askpass
+%defattr(-,root,root)
+%{_libexecdir}/ssh-askpass
+%{_libexecdir}/x11-ssh-askpass
+%{_defaultdocdir}/%{name}-%{version}/%{askpass}
+
+
+%ChangeLog
+* Mon Jan 01 1998 ...
+Template Version: 1.31
+
+$Id: openssh.spec,v 1.49 2004/03/21 22:40:04 djm Exp $
diff --git a/crypto/openssh/contrib/caldera/ssh-host-keygen b/crypto/openssh/contrib/caldera/ssh-host-keygen
new file mode 100755
index 0000000..3c5c171
--- /dev/null
+++ b/crypto/openssh/contrib/caldera/ssh-host-keygen
@@ -0,0 +1,36 @@
+#! /bin/sh
+#
+# $Id: ssh-host-keygen,v 1.2 2003/11/21 12:48:57 djm Exp $
+#
+# This script is normally run only *once* for a given host
+# (in a given period of time) -- on updates/upgrades/recovery
+# the ssh_host_key* files _should_ be retained! Otherwise false
+# "man-in-the-middle-attack" alerts will frighten unsuspecting
+# clients...
+
+keydir=@sysconfdir@
+keygen=@sshkeygen@
+
+if [ -f $keydir/ssh_host_key -o \
+ -f $keydir/ssh_host_key.pub ]; then
+ echo "You already have an SSH1 RSA host key in $keydir/ssh_host_key."
+else
+ echo "Generating 1024 bit SSH1 RSA host key."
+ $keygen -b 1024 -t rsa1 -f $keydir/ssh_host_key -C '' -N ''
+fi
+
+if [ -f $keydir/ssh_host_rsa_key -o \
+ -f $keydir/ssh_host_rsa_key.pub ]; then
+ echo "You already have an SSH2 RSA host key in $keydir/ssh_host_rsa_key."
+else
+ echo "Generating 1024 bit SSH2 RSA host key."
+ $keygen -b 1024 -t rsa -f $keydir/ssh_host_rsa_key -C '' -N ''
+fi
+
+if [ -f $keydir/ssh_host_dsa_key -o \
+ -f $keydir/ssh_host_dsa_key.pub ]; then
+ echo "You already have an SSH2 DSA host key in $keydir/ssh_host_dsa_key."
+else
+ echo "Generating SSH2 DSA host key."
+ $keygen -t dsa -f $keydir/ssh_host_dsa_key -C '' -N ''
+fi
diff --git a/crypto/openssh/contrib/caldera/sshd.init b/crypto/openssh/contrib/caldera/sshd.init
new file mode 100755
index 0000000..983146f
--- /dev/null
+++ b/crypto/openssh/contrib/caldera/sshd.init
@@ -0,0 +1,125 @@
+#! /bin/bash
+#
+# $Id: sshd.init,v 1.4 2003/11/21 12:48:57 djm Exp $
+#
+### BEGIN INIT INFO
+# Provides:
+# Required-Start: $network
+# Required-Stop:
+# Default-Start: 3 4 5
+# Default-Stop: 0 1 2 6
+# Description: sshd
+# Bring up/down the OpenSSH secure shell daemon.
+### END INIT INFO
+#
+# Written by Miquel van Smoorenburg <miquels@drinkel.ow.org>.
+# Modified for Debian GNU/Linux by Ian Murdock <imurdock@gnu.ai.mit.edu>.
+# Modified for OpenLinux by Raymund Will <ray@caldera.de>
+
+NAME=sshd
+DAEMON=/usr/sbin/$NAME
+# Hack-Alert(TM)! This is necessary to get around the 'reload'-problem
+# created by recent OpenSSH daemon/ssd combinations. See Caldera internal
+# PR [linux/8278] for details...
+PIDF=/var/run/$NAME.pid
+NAME=$DAEMON
+
+_status() {
+ [ -z "$1" ] || local pidf="$1"
+ local ret=-1
+ local pid
+ if [ -n "$pidf" ] && [ -r "$pidf" ]; then
+ pid=$(head -1 $pidf)
+ else
+ pid=$(pidof $NAME)
+ fi
+
+ if [ ! -e $SVIlock ]; then
+ # no lock-file => not started == stopped?
+ ret=3
+ elif [ -n "$pidf" -a ! -f "$pidf" ] || [ -z "$pid" ]; then
+ # pid-file given but not present or no pid => died, but was not stopped
+ ret=2
+ elif [ -r /proc/$pid/cmdline ] &&
+ echo -ne $NAME'\000' | cmp -s - /proc/$pid/cmdline; then
+ # pid-file given and present or pid found => check process...
+ # but don't compare exe, as this will fail after an update!
+ # compares OK => all's well, that ends well...
+ ret=0
+ else
+ # no such process or exe does not match => stale pid-file or process died
+ # just recently...
+ ret=1
+ fi
+ return $ret
+}
+
+# Source function library (and set vital variables).
+. @SVIdir@/functions
+
+case "$1" in
+ start)
+ [ ! -e $SVIlock ] || exit 0
+ [ -x $DAEMON ] || exit 5
+ SVIemptyConfig @sysconfdir@/sshd_config && exit 6
+
+ if [ ! \( -f @sysconfdir@/ssh_host_key -a \
+ -f @sysconfdir@/ssh_host_key.pub \) -a \
+ ! \( -f @sysconfdir@/ssh_host_rsa_key -a \
+ -f @sysconfdir@/ssh_host_rsa_key.pub \) -a \
+ ! \( -f @sysconfdir@/ssh_host_dsa_key -a \
+ -f @sysconfdir@/ssh_host_dsa_key.pub \) ]; then
+
+ echo "$SVIsubsys: host key not initialized: skipped!"
+ echo "$SVIsubsys: use ssh-host-keygen to generate one!"
+ exit 6
+ fi
+
+ echo -n "Starting $SVIsubsys services: "
+ ssd -S -x $DAEMON -n $NAME -- $OPTIONS
+ ret=$?
+
+ echo "."
+ touch $SVIlock
+ ;;
+
+ stop)
+ [ -e $SVIlock ] || exit 0
+
+ echo -n "Stopping $SVIsubsys services: "
+ ssd -K -p $PIDF -n $NAME
+ ret=$?
+
+ echo "."
+ rm -f $SVIlock
+ ;;
+
+ force-reload|reload)
+ [ -e $SVIlock ] || exit 0
+
+ echo "Reloading $SVIsubsys configuration files: "
+ ssd -K --signal 1 -q -p $PIDF -n $NAME
+ ret=$?
+ echo "done."
+ ;;
+
+ restart)
+ $0 stop
+ $0 start
+ ret=$?
+ ;;
+
+ status)
+ _status $PIDF
+ ret=$?
+ ;;
+
+ *)
+ echo "Usage: $SVIscript {[re]start|stop|[force-]reload|status}"
+ ret=2
+ ;;
+
+esac
+
+exit $ret
+
diff --git a/crypto/openssh/contrib/caldera/sshd.pam b/crypto/openssh/contrib/caldera/sshd.pam
new file mode 100644
index 0000000..26dcb34
--- /dev/null
+++ b/crypto/openssh/contrib/caldera/sshd.pam
@@ -0,0 +1,8 @@
+#%PAM-1.0
+auth required /lib/security/pam_pwdb.so shadow nodelay
+auth required /lib/security/pam_nologin.so
+account required /lib/security/pam_pwdb.so
+password required /lib/security/pam_cracklib.so
+password required /lib/security/pam_pwdb.so shadow nullok use_authtok
+session required /lib/security/pam_pwdb.so
+session required /lib/security/pam_limits.so
diff --git a/crypto/openssh/contrib/cygwin/Makefile b/crypto/openssh/contrib/cygwin/Makefile
new file mode 100644
index 0000000..09e8ea2
--- /dev/null
+++ b/crypto/openssh/contrib/cygwin/Makefile
@@ -0,0 +1,56 @@
+srcdir=../..
+prefix=/usr
+exec_prefix=$(prefix)
+bindir=$(prefix)/bin
+datadir=$(prefix)/share
+docdir=$(datadir)/doc
+sshdocdir=$(docdir)/openssh
+cygdocdir=$(docdir)/Cygwin
+sysconfdir=/etc
+defaultsdir=$(sysconfdir)/defaults/etc
+PRIVSEP_PATH=/var/empty
+INSTALL=/usr/bin/install -c
+
+DESTDIR=
+
+all:
+ @echo
+ @echo "Use \`make cygwin-postinstall DESTDIR=[package directory]'"
+ @echo "Be sure having DESTDIR set correctly!"
+ @echo
+
+move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/sshd_config
+ $(srcdir)/mkinstalldirs $(DESTDIR)$(defaultsdir)
+ mv $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(defaultsdir)
+ mv $(DESTDIR)$(sysconfdir)/sshd_config $(DESTDIR)$(defaultsdir)
+
+remove-empty-dir:
+ rm -rf $(DESTDIR)$(PRIVSEP_PATH)
+
+install-sshdoc:
+ $(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir)
+ $(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS
+ $(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog
+ $(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE
+ $(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
+ $(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
+ $(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
+ $(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
+ $(INSTALL) -m 644 $(srcdir)/README.smartcard $(DESTDIR)$(sshdocdir)/README.smartcard
+ $(INSTALL) -m 644 $(srcdir)/RFC.nroff $(DESTDIR)$(sshdocdir)/RFC.nroff
+ $(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
+ $(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG
+
+install-cygwindoc: README
+ $(srcdir)/mkinstalldirs $(DESTDIR)$(cygdocdir)
+ $(INSTALL) -m 644 README $(DESTDIR)$(cygdocdir)/openssh.README
+
+install-doc: install-sshdoc install-cygwindoc
+
+install-scripts: ssh-host-config ssh-user-config
+ $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
+ $(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config
+ $(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config
+
+cygwin-postinstall: move-config-files remove-empty-dir install-doc install-scripts
+ @echo "Cygwin specific configuration finished."
diff --git a/crypto/openssh/contrib/cygwin/README b/crypto/openssh/contrib/cygwin/README
new file mode 100644
index 0000000..fc0a2f6
--- /dev/null
+++ b/crypto/openssh/contrib/cygwin/README
@@ -0,0 +1,224 @@
+This package describes important Cygwin specific stuff concerning OpenSSH.
+
+The binary package is usually built for recent Cygwin versions and might
+not run on older versions. Please check http://cygwin.com/ for information
+about current Cygwin releases.
+
+Build instructions are at the end of the file.
+
+===========================================================================
+Important change since 3.7.1p2-2:
+
+The ssh-host-config file doesn't create the /etc/ssh_config and
+/etc/sshd_config files from builtin here-scripts anymore, but it uses
+skeleton files installed in /etc/defaults/etc.
+
+Also it now tries hard to create appropriate permissions on files.
+Same applies for ssh-user-config.
+
+After creating the sshd service with ssh-host-config, it's advisable to
+call ssh-user-config for all affected users, also already exising user
+configurations. In the latter case, file and directory permissions are
+checked and changed, if requireed to match the host configuration.
+
+Important note for Windows 2003 Server users:
+---------------------------------------------
+
+2003 Server has a funny new feature. When starting services under SYSTEM
+account, these services have nearly all user rights which SYSTEM holds...
+except for the "Create a token object" right, which is needed to allow
+public key authentication :-(
+
+There's no way around this, except for creating a substitute account which
+has the appropriate privileges. Basically, this account should be member
+of the administrators group, plus it should have the following user rights:
+
+ Create a token object
+ Logon as a service
+ Replace a process level token
+ Increase Quota
+
+The ssh-host-config script asks you, if it should create such an account,
+called "sshd_server". If you say "no" here, you're on your own. Please
+follow the instruction in ssh-host-config exactly if possible. Note that
+ssh-user-config sets the permissions on 2003 Server machines dependent of
+whether a sshd_server account exists or not.
+===========================================================================
+
+===========================================================================
+Important change since 3.4p1-2:
+
+This version adds privilege separation as default setting, see
+/usr/doc/openssh/README.privsep. According to that document the
+privsep feature requires a non-privileged account called 'sshd'.
+
+The new ssh-host-config file which is part of this version asks
+to create 'sshd' as local user if you want to use privilege
+separation. If you confirm, it creates that NT user and adds
+the necessary entry to /etc/passwd.
+
+On 9x/Me systems the script just sets UsePrivilegeSeparation to "no"
+since that feature doesn't make any sense on a system which doesn't
+differ between privileged and unprivileged users.
+
+The new ssh-host-config script also adds the /var/empty directory
+needed by privilege separation. When creating the /var/empty directory
+by yourself, please note that in contrast to the README.privsep document
+the owner sshould not be "root" but the user which is running sshd. So,
+in the standard configuration this is SYSTEM. The ssh-host-config script
+chowns /var/empty accordingly.
+===========================================================================
+
+===========================================================================
+Important change since 3.0.1p1-2:
+
+This version introduces the ability to register sshd as service on
+Windows 9x/Me systems. This is done only when the options -D and/or
+-d are not given.
+===========================================================================
+
+===========================================================================
+Important change since 2.9p2:
+
+Since Cygwin is able to switch user context without password beginning
+with version 1.3.2, OpenSSH now allows to do so when it's running under
+a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
+allow that feature.
+===========================================================================
+
+===========================================================================
+Important change since 2.3.0p1:
+
+When using `ntea' or `ntsec' you now have to care for the ownership
+and permission bits of your host key files and your private key files.
+The host key files have to be owned by the NT account which starts
+sshd. The user key files have to be owned by the user. The permission
+bits of the private key files (host and user) have to be at least
+rw------- (0600)!
+
+Note that this is forced under `ntsec' only if the files are on a NTFS
+filesystem (which is recommended) due to the lack of any basic security
+features of the FAT/FAT32 filesystems.
+===========================================================================
+
+If you are installing OpenSSH the first time, you can generate global config
+files and server keys by running
+
+ /usr/bin/ssh-host-config
+
+Note that this binary archive doesn't contain default config files in /etc.
+That files are only created if ssh-host-config is started.
+
+If you are updating your installation you may run the above ssh-host-config
+as well to move your configuration files to the new location and to
+erase the files at the old location.
+
+To support testing and unattended installation ssh-host-config got
+some options:
+
+usage: ssh-host-config [OPTION]...
+Options:
+ --debug -d Enable shell's debug output.
+ --yes -y Answer all questions with "yes" automatically.
+ --no -n Answer all questions with "no" automatically.
+ --cygwin -c <options> Use "options" as value for CYGWIN environment var.
+ --port -p <n> sshd listens on port n.
+ --pwd -w <passwd> Use "pwd" as password for user 'sshd_server'.
+
+Additionally ssh-host-config now asks if it should install sshd as a
+service when running under NT/W2K. This requires cygrunsrv installed.
+
+You can create the private and public keys for a user now by running
+
+ /usr/bin/ssh-user-config
+
+under the users account.
+
+To support testing and unattended installation ssh-user-config got
+some options as well:
+
+usage: ssh-user-config [OPTION]...
+Options:
+ --debug -d Enable shell's debug output.
+ --yes -y Answer all questions with "yes" automatically.
+ --no -n Answer all questions with "no" automatically.
+ --passphrase -p word Use "word" as passphrase automatically.
+
+Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd
+(results in very slow deamon startup!) or from the command line (recommended
+on 9X/ME).
+
+If you start sshd as deamon via cygrunsrv.exe you MUST give the
+"-D" option to sshd. Otherwise the service can't get started at all.
+
+If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
+following line to your inetd.conf file:
+
+ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i
+
+Moreover you'll have to add the following line to your
+${SYSTEMROOT}/system32/drivers/etc/services file:
+
+ ssh 22/tcp #SSH daemon
+
+Please note that OpenSSH does never use the value of $HOME to
+search for the users configuration files! It always uses the
+value of the pw_dir field in /etc/passwd as the home directory.
+If no home diretory is set in /etc/passwd, the root directory
+is used instead!
+
+You may use all features of the CYGWIN=ntsec setting the same
+way as they are used by Cygwin's login(1) port:
+
+ The pw_gecos field may contain an additional field, that begins
+ with (upper case!) "U-", followed by the domain and the username
+ separated by a backslash.
+ CAUTION: The SID _must_ remain the _last_ field in pw_gecos!
+ BTW: The field separator in pw_gecos is the comma.
+ The username in pw_name itself may be any nice name:
+
+ domuser::1104:513:John Doe,U-domain\user,S-1-5-21-...
+
+ Now you may use `domuser' as your login name with telnet!
+ This is possible additionally for local users, if you don't like
+ your NT login name ;-) You only have to leave out the domain:
+
+ locuser::1104:513:John Doe,U-user,S-1-5-21-...
+
+Note that the CYGWIN=ntsec setting is required for public key authentication.
+
+SSH2 server and user keys are generated by the `ssh-*-config' scripts
+as well.
+
+If you want to build from source, the following options to
+configure are used for the Cygwin binary distribution:
+
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --libexecdir='$(sbindir)' \
+ --localstatedir=/var \
+ --datadir='$(prefix)/share' \
+ --mandir='$(datadir)/man' \
+ --with-tcp-wrappers
+
+If you want to create a Cygwin package, equivalent to the one
+in the Cygwin binary distribution, install like this:
+
+ mkdir /tmp/cygwin-ssh
+ cd $(builddir)
+ make install DESTDIR=/tmp/cygwin-ssh
+ cd $(srcdir)/contrib/cygwin
+ make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh
+ cd /tmp/cygwin-ssh
+ find * \! -type d | tar cvjfT my-openssh.tar.bz2 -
+
+You must have installed the zlib and openssl-devel packages to be able to
+build OpenSSH!
+
+Please send requests, error reports etc. to cygwin@cygwin.com.
+
+Have fun,
+
+Corinna Vinschen
+Cygwin Developer
+Red Hat Inc.
diff --git a/crypto/openssh/contrib/cygwin/ssh-host-config b/crypto/openssh/contrib/cygwin/ssh-host-config
new file mode 100644
index 0000000..9c0dabf
--- /dev/null
+++ b/crypto/openssh/contrib/cygwin/ssh-host-config
@@ -0,0 +1,592 @@
+#!/bin/bash
+#
+# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
+#
+# This file is part of the Cygwin port of OpenSSH.
+
+# Subdirectory where the new package is being installed
+PREFIX=/usr
+
+# Directory where the config files are stored
+SYSCONFDIR=/etc
+LOCALSTATEDIR=/var
+
+progname=$0
+auto_answer=""
+port_number=22
+
+privsep_configured=no
+privsep_used=yes
+sshd_in_passwd=no
+sshd_in_sam=no
+
+request()
+{
+ if [ "${auto_answer}" = "yes" ]
+ then
+ echo "$1 (yes/no) yes"
+ return 0
+ elif [ "${auto_answer}" = "no" ]
+ then
+ echo "$1 (yes/no) no"
+ return 1
+ fi
+
+ answer=""
+ while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
+ do
+ echo -n "$1 (yes/no) "
+ read -e answer
+ done
+ if [ "X${answer}" = "Xyes" ]
+ then
+ return 0
+ else
+ return 1
+ fi
+}
+
+# Check options
+
+while :
+do
+ case $# in
+ 0)
+ break
+ ;;
+ esac
+
+ option=$1
+ shift
+
+ case "${option}" in
+ -d | --debug )
+ set -x
+ ;;
+
+ -y | --yes )
+ auto_answer=yes
+ ;;
+
+ -n | --no )
+ auto_answer=no
+ ;;
+
+ -c | --cygwin )
+ cygwin_value="$1"
+ shift
+ ;;
+
+ -p | --port )
+ port_number=$1
+ shift
+ ;;
+
+ -w | --pwd )
+ password_value="$1"
+ shift
+ ;;
+
+ *)
+ echo "usage: ${progname} [OPTION]..."
+ echo
+ echo "This script creates an OpenSSH host configuration."
+ echo
+ echo "Options:"
+ echo " --debug -d Enable shell's debug output."
+ echo " --yes -y Answer all questions with \"yes\" automatically."
+ echo " --no -n Answer all questions with \"no\" automatically."
+ echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
+ echo " --port -p <n> sshd listens on port n."
+ echo " --pwd -w <passwd> Use \"pwd\" as password for user 'sshd_server'."
+ echo
+ exit 1
+ ;;
+
+ esac
+done
+
+# Check if running on NT
+_sys="`uname`"
+_nt=`expr "${_sys}" : "CYGWIN_NT"`
+# If running on NT, check if running under 2003 Server or later
+if [ ${_nt} -gt 0 ]
+then
+ _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
+fi
+
+# Check for running ssh/sshd processes first. Refuse to do anything while
+# some ssh processes are still running
+
+if ps -ef | grep -v grep | grep -q ssh
+then
+ echo
+ echo "There are still ssh processes running. Please shut them down first."
+ echo
+ exit 1
+fi
+
+# Check for ${SYSCONFDIR} directory
+
+if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
+then
+ echo
+ echo "${SYSCONFDIR} is existant but not a directory."
+ echo "Cannot create global configuration files."
+ echo
+ exit 1
+fi
+
+# Create it if necessary
+
+if [ ! -e "${SYSCONFDIR}" ]
+then
+ mkdir "${SYSCONFDIR}"
+ if [ ! -e "${SYSCONFDIR}" ]
+ then
+ echo
+ echo "Creating ${SYSCONFDIR} directory failed"
+ echo
+ exit 1
+ fi
+fi
+
+# Create /var/log and /var/log/lastlog if not already existing
+
+if [ -f ${LOCALSTATEDIR}/log ]
+then
+ echo "Creating ${LOCALSTATEDIR}/log failed!"
+else
+ if [ ! -d ${LOCALSTATEDIR}/log ]
+ then
+ mkdir -p ${LOCALSTATEDIR}/log
+ fi
+ if [ -d ${LOCALSTATEDIR}/log/lastlog ]
+ then
+ chmod 777 ${LOCALSTATEDIR}/log/lastlog
+ elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ]
+ then
+ cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
+ chmod 666 ${LOCALSTATEDIR}/log/lastlog
+ fi
+fi
+
+# Create /var/empty file used as chroot jail for privilege separation
+if [ -f ${LOCALSTATEDIR}/empty ]
+then
+ echo "Creating ${LOCALSTATEDIR}/empty failed!"
+else
+ mkdir -p ${LOCALSTATEDIR}/empty
+ if [ ${_nt} -gt 0 ]
+ then
+ chmod 755 ${LOCALSTATEDIR}/empty
+ fi
+fi
+
+# First generate host keys if not already existing
+
+if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
+then
+ echo "Generating ${SYSCONFDIR}/ssh_host_key"
+ ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
+fi
+
+if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
+then
+ echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
+ ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
+fi
+
+if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
+then
+ echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
+ ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
+fi
+
+# Check if ssh_config exists. If yes, ask for overwriting
+
+if [ -f "${SYSCONFDIR}/ssh_config" ]
+then
+ if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
+ then
+ rm -f "${SYSCONFDIR}/ssh_config"
+ if [ -f "${SYSCONFDIR}/ssh_config" ]
+ then
+ echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
+ fi
+ fi
+fi
+
+# Create default ssh_config from skeleton file in /etc/defaults/etc
+
+if [ ! -f "${SYSCONFDIR}/ssh_config" ]
+then
+ echo "Generating ${SYSCONFDIR}/ssh_config file"
+ cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
+ if [ "${port_number}" != "22" ]
+ then
+ echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
+ echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
+ fi
+fi
+
+# Check if sshd_config exists. If yes, ask for overwriting
+
+if [ -f "${SYSCONFDIR}/sshd_config" ]
+then
+ if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
+ then
+ rm -f "${SYSCONFDIR}/sshd_config"
+ if [ -f "${SYSCONFDIR}/sshd_config" ]
+ then
+ echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
+ fi
+ else
+ grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
+ fi
+fi
+
+# Prior to creating or modifying sshd_config, care for privilege separation
+
+if [ "${privsep_configured}" != "yes" ]
+then
+ if [ ${_nt} -gt 0 ]
+ then
+ echo "Privilege separation is set to yes by default since OpenSSH 3.3."
+ echo "However, this requires a non-privileged account called 'sshd'."
+ echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
+ echo
+ if request "Should privilege separation be used?"
+ then
+ privsep_used=yes
+ grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
+ net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
+ if [ "${sshd_in_passwd}" != "yes" ]
+ then
+ if [ "${sshd_in_sam}" != "yes" ]
+ then
+ echo "Warning: The following function requires administrator privileges!"
+ if request "Should this script create a local user 'sshd' on this machine?"
+ then
+ dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
+ net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
+ if [ "${sshd_in_sam}" != "yes" ]
+ then
+ echo "Warning: Creating the user 'sshd' failed!"
+ fi
+ fi
+ fi
+ if [ "${sshd_in_sam}" != "yes" ]
+ then
+ echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
+ echo " Privilege separation set to 'no' again!"
+ echo " Check your ${SYSCONFDIR}/sshd_config file!"
+ privsep_used=no
+ else
+ mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
+ fi
+ fi
+ else
+ privsep_used=no
+ fi
+ else
+ # On 9x don't use privilege separation. Since security isn't
+ # available it just adds useless additional processes.
+ privsep_used=no
+ fi
+fi
+
+# Create default sshd_config from skeleton files in /etc/defaults/etc or
+# modify to add the missing privsep configuration option
+
+if [ ! -f "${SYSCONFDIR}/sshd_config" ]
+then
+ echo "Generating ${SYSCONFDIR}/sshd_config file"
+ sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
+ s/^#Port 22/Port ${port_number}/
+ s/^#StrictModes yes/StrictModes no/" \
+ < ${SYSCONFDIR}/defaults/etc/sshd_config \
+ > ${SYSCONFDIR}/sshd_config
+elif [ "${privsep_configured}" != "yes" ]
+then
+ echo >> ${SYSCONFDIR}/sshd_config
+ echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
+fi
+
+# Care for services file
+_my_etcdir="/ssh-host-config.$$"
+if [ ${_nt} -gt 0 ]
+then
+ _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
+ _services="${_my_etcdir}/services"
+ # On NT, 27 spaces, no space after the hash
+ _spaces=" #"
+else
+ _win_etcdir="${WINDIR}"
+ _services="${_my_etcdir}/SERVICES"
+ # On 9x, 18 spaces (95 is very touchy), a space after the hash
+ _spaces=" # "
+fi
+_serv_tmp="${_my_etcdir}/srv.out.$$"
+
+mount -t -f "${_win_etcdir}" "${_my_etcdir}"
+
+# Depends on the above mount
+_wservices=`cygpath -w "${_services}"`
+
+# Remove sshd 22/port from services
+if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
+then
+ grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
+ if [ -f "${_serv_tmp}" ]
+ then
+ if mv "${_serv_tmp}" "${_services}"
+ then
+ echo "Removing sshd from ${_wservices}"
+ else
+ echo "Removing sshd from ${_wservices} failed!"
+ fi
+ rm -f "${_serv_tmp}"
+ else
+ echo "Removing sshd from ${_wservices} failed!"
+ fi
+fi
+
+# Add ssh 22/tcp and ssh 22/udp to services
+if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
+then
+ if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
+ then
+ if mv "${_serv_tmp}" "${_services}"
+ then
+ echo "Added ssh to ${_wservices}"
+ else
+ echo "Adding ssh to ${_wservices} failed!"
+ fi
+ rm -f "${_serv_tmp}"
+ else
+ echo "WARNING: Adding ssh to ${_wservices} failed!"
+ fi
+fi
+
+umount "${_my_etcdir}"
+
+# Care for inetd.conf file
+_inetcnf="${SYSCONFDIR}/inetd.conf"
+_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
+
+if [ -f "${_inetcnf}" ]
+then
+ # Check if ssh service is already in use as sshd
+ with_comment=1
+ grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
+ # Remove sshd line from inetd.conf
+ if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
+ then
+ grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
+ if [ -f "${_inetcnf_tmp}" ]
+ then
+ if mv "${_inetcnf_tmp}" "${_inetcnf}"
+ then
+ echo "Removed sshd from ${_inetcnf}"
+ else
+ echo "Removing sshd from ${_inetcnf} failed!"
+ fi
+ rm -f "${_inetcnf_tmp}"
+ else
+ echo "Removing sshd from ${_inetcnf} failed!"
+ fi
+ fi
+
+ # Add ssh line to inetd.conf
+ if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
+ then
+ if [ "${with_comment}" -eq 0 ]
+ then
+ echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
+ else
+ echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
+ fi
+ echo "Added ssh to ${_inetcnf}"
+ fi
+fi
+
+# On NT ask if sshd should be installed as service
+if [ ${_nt} -gt 0 ]
+then
+ # But only if it is not already installed
+ if ! cygrunsrv -Q sshd > /dev/null 2>&1
+ then
+ echo
+ echo
+ echo "Warning: The following functions require administrator privileges!"
+ echo
+ echo "Do you want to install sshd as service?"
+ if request "(Say \"no\" if it's already installed as service)"
+ then
+ if [ $_nt2003 -gt 0 ]
+ then
+ grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
+ if [ "${sshd_server_in_passwd}" = "yes" ]
+ then
+ # Drop sshd_server from passwd since it could have wrong settings
+ grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
+ rm -f ${SYSCONFDIR}/passwd
+ mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
+ chmod g-w,o-w ${SYSCONFDIR}/passwd
+ fi
+ net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
+ if [ "${sshd_server_in_sam}" != "yes" ]
+ then
+ echo
+ echo "You appear to be running Windows 2003 Server or later. On 2003 and"
+ echo "later systems, it's not possible to use the LocalSystem account"
+ echo "if sshd should allow passwordless logon (e. g. public key authentication)."
+ echo "If you want to enable that functionality, it's required to create a new"
+ echo "account 'sshd_server' with special privileges, which is then used to run"
+ echo "the sshd service under."
+ echo
+ echo "Should this script create a new local account 'sshd_server' which has"
+ if request "the required privileges?"
+ then
+ _admingroup=`awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group`
+ if [ -z "${_admingroup}" ]
+ then
+ echo "There's no group with SID S-1-5-32-544 (Local administrators group) in"
+ echo "your ${SYSCONFDIR}/group file. Please regenerate this entry using 'mkgroup -l'"
+ echo "and restart this script."
+ exit 1
+ fi
+ dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
+ while [ "${sshd_server_in_sam}" != "yes" ]
+ do
+ if [ -n "${password_value}" ]
+ then
+ _password="${password_value}"
+ # Allow to ask for password if first try fails
+ password_value=""
+ else
+ echo
+ echo "Please enter a password for new user 'sshd_server'. Please be sure that"
+ echo "this password matches the password rules given on your system."
+ echo -n "Entering no password will exit the configuration. PASSWORD="
+ read -e _password
+ if [ -z "${_password}" ]
+ then
+ echo
+ echo "Exiting configuration. No user sshd_server has been created,"
+ echo "no sshd service installed."
+ exit 1
+ fi
+ fi
+ net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
+ if [ "${sshd_server_in_sam}" != "yes" ]
+ then
+ echo "Creating the user 'sshd_server' failed! Reason:"
+ cat /tmp/nu.$$
+ rm /tmp/nu.$$
+ fi
+ done
+ net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
+ if [ "${sshd_server_in_admingroup}" != "yes" ]
+ then
+ echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
+ echo "Please add sshd_server to local group ${_admingroup} before"
+ echo "starting the sshd service!"
+ echo
+ fi
+ passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
+ if [ "${passwd_has_expiry_flags}" != "yes" ]
+ then
+ echo
+ echo "WARNING: User sshd_server has password expiry set to system default."
+ echo "Please check that password never expires or set it to your needs."
+ elif ! passwd -e sshd_server
+ then
+ echo
+ echo "WARNING: Setting password expiry for user sshd_server failed!"
+ echo "Please check that password never expires or set it to your needs."
+ fi
+ editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
+ editrights -a SeCreateTokenPrivilege -u sshd_server &&
+ editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
+ editrights -a SeDenyNetworkLogonRight -u sshd_server &&
+ editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
+ editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
+ editrights -a SeServiceLogonRight -u sshd_server &&
+ sshd_server_got_all_rights="yes"
+ if [ "${sshd_server_got_all_rights}" != "yes" ]
+ then
+ echo
+ echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
+ echo "Can't create sshd service!"
+ exit 1
+ fi
+ echo
+ echo "User 'sshd_server' has been created with password '${_password}'."
+ echo "If you change the password, please keep in mind to change the password"
+ echo "for the sshd service, too."
+ echo
+ echo "Also keep in mind that the user sshd_server needs read permissions on all"
+ echo "users' .ssh/authorized_keys file to allow public key authentication for"
+ echo "these users!. (Re-)running ssh-user-config for each user will set the"
+ echo "required permissions correctly."
+ echo
+ fi
+ fi
+ if [ "${sshd_server_in_sam}" = "yes" ]
+ then
+ mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
+ fi
+ fi
+ if [ -n "${cygwin_value}" ]
+ then
+ _cygwin="${cygwin_value}"
+ else
+ echo
+ echo "Which value should the environment variable CYGWIN have when"
+ echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
+ echo "able to change user context without password."
+ echo -n "Default is \"ntsec\". CYGWIN="
+ read -e _cygwin
+ fi
+ [ -z "${_cygwin}" ] && _cygwin="ntsec"
+ if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
+ then
+ if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}"
+ then
+ echo
+ echo "The service has been installed under sshd_server account."
+ echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
+ fi
+ else
+ if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
+ then
+ echo
+ echo "The service has been installed under LocalSystem account."
+ echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
+ fi
+ fi
+ fi
+ # Now check if sshd has been successfully installed. This allows to
+ # set the ownership of the affected files correctly.
+ if cygrunsrv -Q sshd > /dev/null 2>&1
+ then
+ if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
+ then
+ _user="sshd_server"
+ else
+ _user="system"
+ fi
+ chown "${_user}" ${SYSCONFDIR}/ssh*
+ chown "${_user}".544 ${LOCALSTATEDIR}/empty
+ if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
+ then
+ chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
+ fi
+ fi
+ fi
+fi
+
+echo
+echo "Host configuration finished. Have fun!"
diff --git a/crypto/openssh/contrib/cygwin/ssh-user-config b/crypto/openssh/contrib/cygwin/ssh-user-config
new file mode 100644
index 0000000..fe07ce3
--- /dev/null
+++ b/crypto/openssh/contrib/cygwin/ssh-user-config
@@ -0,0 +1,250 @@
+#!/bin/sh
+#
+# ssh-user-config, Copyright 2000, 2001, 2002, 2003, Red Hat Inc.
+#
+# This file is part of the Cygwin port of OpenSSH.
+
+# Directory where the config files are stored
+SYSCONFDIR=/etc
+
+progname=$0
+auto_answer=""
+auto_passphrase="no"
+passphrase=""
+
+request()
+{
+ if [ "${auto_answer}" = "yes" ]
+ then
+ return 0
+ elif [ "${auto_answer}" = "no" ]
+ then
+ return 1
+ fi
+
+ answer=""
+ while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
+ do
+ echo -n "$1 (yes/no) "
+ read answer
+ done
+ if [ "X${answer}" = "Xyes" ]
+ then
+ return 0
+ else
+ return 1
+ fi
+}
+
+# Check if running on NT
+_sys="`uname -a`"
+_nt=`expr "$_sys" : "CYGWIN_NT"`
+# If running on NT, check if running under 2003 Server or later
+if [ $_nt -gt 0 ]
+then
+ _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
+fi
+
+# Check options
+
+while :
+do
+ case $# in
+ 0)
+ break
+ ;;
+ esac
+
+ option=$1
+ shift
+
+ case "$option" in
+ -d | --debug )
+ set -x
+ ;;
+
+ -y | --yes )
+ auto_answer=yes
+ ;;
+
+ -n | --no )
+ auto_answer=no
+ ;;
+
+ -p | --passphrase )
+ with_passphrase="yes"
+ passphrase=$1
+ shift
+ ;;
+
+ *)
+ echo "usage: ${progname} [OPTION]..."
+ echo
+ echo "This script creates an OpenSSH user configuration."
+ echo
+ echo "Options:"
+ echo " --debug -d Enable shell's debug output."
+ echo " --yes -y Answer all questions with \"yes\" automatically."
+ echo " --no -n Answer all questions with \"no\" automatically."
+ echo " --passphrase -p word Use \"word\" as passphrase automatically."
+ echo
+ exit 1
+ ;;
+
+ esac
+done
+
+# Ask user if user identity should be generated
+
+if [ ! -f ${SYSCONFDIR}/passwd ]
+then
+ echo "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file"
+ echo 'first using mkpasswd. Check if it contains an entry for you and'
+ echo 'please care for the home directory in your entry as well.'
+ exit 1
+fi
+
+uid=`id -u`
+pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd`
+
+if [ "X${pwdhome}" = "X" ]
+then
+ echo "There is no home directory set for you in ${SYSCONFDIR}/passwd."
+ echo 'Setting $HOME is not sufficient!'
+ exit 1
+fi
+
+if [ ! -d "${pwdhome}" ]
+then
+ echo "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory"
+ echo 'but it is not a valid directory. Cannot create user identity files.'
+ exit 1
+fi
+
+# If home is the root dir, set home to empty string to avoid error messages
+# in subsequent parts of that script.
+if [ "X${pwdhome}" = "X/" ]
+then
+ # But first raise a warning!
+ echo "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!"
+ if request "Would you like to proceed anyway?"
+ then
+ pwdhome=''
+ else
+ exit 1
+ fi
+fi
+
+if [ -d "${pwdhome}" -a $_nt -gt 0 -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
+then
+ echo
+ echo 'WARNING: group and other have been revoked write permission to your home'
+ echo " directory ${pwdhome}."
+ echo ' This is required by OpenSSH to allow public key authentication using'
+ echo ' the key files stored in your .ssh subdirectory.'
+ echo ' Revert this change ONLY if you know what you are doing!'
+ echo
+fi
+
+if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ]
+then
+ echo "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files."
+ exit 1
+fi
+
+if [ ! -e "${pwdhome}/.ssh" ]
+then
+ mkdir "${pwdhome}/.ssh"
+ if [ ! -e "${pwdhome}/.ssh" ]
+ then
+ echo "Creating users ${pwdhome}/.ssh directory failed"
+ exit 1
+ fi
+fi
+
+if [ $_nt -gt 0 ]
+then
+ _user="system"
+ if [ $_nt2003 -gt 0 ]
+ then
+ grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && _user="sshd_server"
+ fi
+ if ! setfacl -m "u::rwx,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh"
+ then
+ echo "${pwdhome}/.ssh couldn't be given the correct permissions."
+ echo "Please try to solve this problem first."
+ exit 1
+ fi
+fi
+
+if [ ! -f "${pwdhome}/.ssh/identity" ]
+then
+ if request "Shall I create an SSH1 RSA identity file for you?"
+ then
+ echo "Generating ${pwdhome}/.ssh/identity"
+ if [ "${with_passphrase}" = "yes" ]
+ then
+ ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null
+ else
+ ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null
+ fi
+ if request "Do you want to use this identity to login to this machine?"
+ then
+ echo "Adding to ${pwdhome}/.ssh/authorized_keys"
+ cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys"
+ fi
+ fi
+fi
+
+if [ ! -f "${pwdhome}/.ssh/id_rsa" ]
+then
+ if request "Shall I create an SSH2 RSA identity file for you? (yes/no) "
+ then
+ echo "Generating ${pwdhome}/.ssh/id_rsa"
+ if [ "${with_passphrase}" = "yes" ]
+ then
+ ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null
+ else
+ ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null
+ fi
+ if request "Do you want to use this identity to login to this machine?"
+ then
+ echo "Adding to ${pwdhome}/.ssh/authorized_keys"
+ cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
+ fi
+ fi
+fi
+
+if [ ! -f "${pwdhome}/.ssh/id_dsa" ]
+then
+ if request "Shall I create an SSH2 DSA identity file for you? (yes/no) "
+ then
+ echo "Generating ${pwdhome}/.ssh/id_dsa"
+ if [ "${with_passphrase}" = "yes" ]
+ then
+ ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null
+ else
+ ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null
+ fi
+ if request "Do you want to use this identity to login to this machine?"
+ then
+ echo "Adding to ${pwdhome}/.ssh/authorized_keys"
+ cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
+ fi
+ fi
+fi
+
+if [ $_nt -gt 0 -a -e "${pwdhome}/.ssh/authorized_keys" ]
+then
+ if ! setfacl -m "u::rw-,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh/authorized_keys"
+ then
+ echo
+ echo "WARNING: Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
+ echo "failed. Please care for the correct permissions. The minimum requirement"
+ echo "is, the owner and ${_user} both need read permissions."
+ echo
+ fi
+fi
+
+echo
+echo "Configuration finished. Have fun!"
diff --git a/crypto/openssh/contrib/findssl.sh b/crypto/openssh/contrib/findssl.sh
new file mode 100644
index 0000000..0c08d4a
--- /dev/null
+++ b/crypto/openssh/contrib/findssl.sh
@@ -0,0 +1,159 @@
+#!/bin/sh
+#
+# findssl.sh
+# Search for all instances of OpenSSL headers and libraries
+# and print their versions.
+# Intended to help diagnose OpenSSH's "OpenSSL headers do not
+# match your library" errors.
+#
+# Written by Darren Tucker (dtucker at zip dot com dot au)
+# This file is placed in the public domain.
+#
+# $Id: findssl.sh,v 1.2 2003/11/21 12:48:56 djm Exp $
+# 2002-07-27: Initial release.
+# 2002-08-04: Added public domain notice.
+# 2003-06-24: Incorporated readme, set library paths. First cvs version.
+#
+# "OpenSSL headers do not match your library" are usually caused by
+# OpenSSH's configure picking up an older version of OpenSSL headers
+# or libraries. You can use the following # procedure to help identify
+# the cause.
+#
+# The output of configure will tell you the versions of the OpenSSL
+# headers and libraries that were picked up, for example:
+#
+# checking OpenSSL header version... 90604f (OpenSSL 0.9.6d 9 May 2002)
+# checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)
+# checking whether OpenSSL's headers match the library... no
+# configure: error: Your OpenSSL headers do not match your library
+#
+# Now run findssl.sh. This should identify the headers and libraries
+# present and their versions. You should be able to identify the
+# libraries and headers used and adjust your CFLAGS or remove incorrect
+# versions. The output will show OpenSSL's internal version identifier
+# and should look something like:
+
+# $ ./findssl.sh
+# Searching for OpenSSL header files.
+# 0x0090604fL /usr/include/openssl/opensslv.h
+# 0x0090604fL /usr/local/ssl/include/openssl/opensslv.h
+#
+# Searching for OpenSSL shared library files.
+# 0x0090602fL /lib/libcrypto.so.0.9.6b
+# 0x0090602fL /lib/libcrypto.so.2
+# 0x0090581fL /usr/lib/libcrypto.so.0
+# 0x0090602fL /usr/lib/libcrypto.so
+# 0x0090581fL /usr/lib/libcrypto.so.0.9.5a
+# 0x0090600fL /usr/lib/libcrypto.so.0.9.6
+# 0x0090600fL /usr/lib/libcrypto.so.1
+#
+# Searching for OpenSSL static library files.
+# 0x0090602fL /usr/lib/libcrypto.a
+# 0x0090604fL /usr/local/ssl/lib/libcrypto.a
+#
+# In this example, I gave configure no extra flags, so it's picking up
+# the OpenSSL header from /usr/include/openssl (90604f) and the library
+# from /usr/lib/ (90602f).
+
+#
+# Adjust these to suit your compiler.
+# You may also need to set the *LIB*PATH environment variables if
+# DEFAULT_LIBPATH is not correct for your system.
+#
+CC=gcc
+STATIC=-static
+
+#
+# Set up conftest C source
+#
+rm -f findssl.log
+cat >conftest.c <<EOD
+#include <stdio.h>
+int main(){printf("0x%08xL\n", SSLeay());}
+EOD
+
+#
+# Set default library paths if not already set
+#
+DEFAULT_LIBPATH=/usr/lib:/usr/local/lib
+LIBPATH=${LIBPATH:=$DEFAULT_LIBPATH}
+LD_LIBRARY_PATH=${LD_LIBRARY_PATH:=$DEFAULT_LIBPATH}
+LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH}
+export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
+
+#
+# Search for OpenSSL headers and print versions
+#
+echo Searching for OpenSSL header files.
+if [ -x "`which locate`" ]
+then
+ headers=`locate opensslv.h`
+else
+ headers=`find / -name opensslv.h -print 2>/dev/null`
+fi
+
+for header in $headers
+do
+ ver=`awk '/OPENSSL_VERSION_NUMBER/{printf \$3}' $header`
+ echo "$ver $header"
+done
+echo
+
+#
+# Search for shared libraries.
+# Relies on shared libraries looking like "libcrypto.s*"
+#
+echo Searching for OpenSSL shared library files.
+if [ -x "`which locate`" ]
+then
+ libraries=`locate libcrypto.s`
+else
+ libraries=`find / -name 'libcrypto.s*' -print 2>/dev/null`
+fi
+
+for lib in $libraries
+do
+ (echo "Trying libcrypto $lib" >>findssl.log
+ dir=`dirname $lib`
+ LIBPATH="$dir:$LIBPATH"
+ LD_LIBRARY_PATH="$dir:$LIBPATH"
+ LIBRARY_PATH="$dir:$LIBPATH"
+ export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
+ ${CC} -o conftest conftest.c $lib 2>>findssl.log
+ if [ -x ./conftest ]
+ then
+ ver=`./conftest 2>/dev/null`
+ rm -f ./conftest
+ echo "$ver $lib"
+ fi)
+done
+echo
+
+#
+# Search for static OpenSSL libraries and print versions
+#
+echo Searching for OpenSSL static library files.
+if [ -x "`which locate`" ]
+then
+ libraries=`locate libcrypto.a`
+else
+ libraries=`find / -name libcrypto.a -print 2>/dev/null`
+fi
+
+for lib in $libraries
+do
+ libdir=`dirname $lib`
+ echo "Trying libcrypto $lib" >>findssl.log
+ ${CC} ${STATIC} -o conftest conftest.c -L${libdir} -lcrypto 2>>findssl.log
+ if [ -x ./conftest ]
+ then
+ ver=`./conftest 2>/dev/null`
+ rm -f ./conftest
+ echo "$ver $lib"
+ fi
+done
+
+#
+# Clean up
+#
+rm -f conftest.c
diff --git a/crypto/openssh/contrib/gnome-ssh-askpass1.c b/crypto/openssh/contrib/gnome-ssh-askpass1.c
new file mode 100644
index 0000000..4d51032
--- /dev/null
+++ b/crypto/openssh/contrib/gnome-ssh-askpass1.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (c) 2000-2002 Damien Miller. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This is a simple GNOME SSH passphrase grabber. To use it, set the
+ * environment variable SSH_ASKPASS to point to the location of
+ * gnome-ssh-askpass before calling "ssh-add < /dev/null".
+ *
+ * There is only two run-time options: if you set the environment variable
+ * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
+ * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
+ * pointer will be grabbed too. These may have some benefit to security if
+ * you don't trust your X server. We grab the keyboard always.
+ */
+
+/*
+ * Compile with:
+ *
+ * cc `gnome-config --cflags gnome gnomeui` \
+ * gnome-ssh-askpass1.c -o gnome-ssh-askpass \
+ * `gnome-config --libs gnome gnomeui`
+ *
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <gnome.h>
+#include <X11/Xlib.h>
+#include <gdk/gdkx.h>
+
+void
+report_failed_grab (void)
+{
+ GtkWidget *err;
+
+ err = gnome_message_box_new("Could not grab keyboard or mouse.\n"
+ "A malicious client may be eavesdropping on your session.",
+ GNOME_MESSAGE_BOX_ERROR, "EXIT", NULL);
+ gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
+ gtk_object_set(GTK_OBJECT(err), "type", GTK_WINDOW_POPUP, NULL);
+
+ gnome_dialog_run_and_close(GNOME_DIALOG(err));
+}
+
+int
+passphrase_dialog(char *message)
+{
+ char *passphrase;
+ char **messages;
+ int result, i, grab_server, grab_pointer;
+ GtkWidget *dialog, *entry, *label;
+
+ grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
+ grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
+
+ dialog = gnome_dialog_new("OpenSSH", GNOME_STOCK_BUTTON_OK,
+ GNOME_STOCK_BUTTON_CANCEL, NULL);
+
+ messages = g_strsplit(message, "\\n", 0);
+ if (messages)
+ for(i = 0; messages[i]; i++) {
+ label = gtk_label_new(messages[i]);
+ gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox),
+ label, FALSE, FALSE, 0);
+ }
+
+ entry = gtk_entry_new();
+ gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE,
+ FALSE, 0);
+ gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
+ gtk_widget_grab_focus(entry);
+
+ /* Center window and prepare for grab */
+ gtk_object_set(GTK_OBJECT(dialog), "type", GTK_WINDOW_POPUP, NULL);
+ gnome_dialog_set_default(GNOME_DIALOG(dialog), 0);
+ gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
+ gtk_window_set_policy(GTK_WINDOW(dialog), FALSE, FALSE, TRUE);
+ gnome_dialog_close_hides(GNOME_DIALOG(dialog), TRUE);
+ gtk_container_set_border_width(GTK_CONTAINER(GNOME_DIALOG(dialog)->vbox),
+ GNOME_PAD);
+ gtk_widget_show_all(dialog);
+
+ /* Grab focus */
+ if (grab_server)
+ XGrabServer(GDK_DISPLAY());
+ if (grab_pointer && gdk_pointer_grab(dialog->window, TRUE, 0,
+ NULL, NULL, GDK_CURRENT_TIME))
+ goto nograb;
+ if (gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME))
+ goto nograbkb;
+
+ /* Make <enter> close dialog */
+ gnome_dialog_editable_enters(GNOME_DIALOG(dialog), GTK_EDITABLE(entry));
+
+ /* Run dialog */
+ result = gnome_dialog_run(GNOME_DIALOG(dialog));
+
+ /* Ungrab */
+ if (grab_server)
+ XUngrabServer(GDK_DISPLAY());
+ if (grab_pointer)
+ gdk_pointer_ungrab(GDK_CURRENT_TIME);
+ gdk_keyboard_ungrab(GDK_CURRENT_TIME);
+ gdk_flush();
+
+ /* Report passphrase if user selected OK */
+ passphrase = gtk_entry_get_text(GTK_ENTRY(entry));
+ if (result == 0)
+ puts(passphrase);
+
+ /* Zero passphrase in memory */
+ memset(passphrase, '\0', strlen(passphrase));
+ gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
+
+ gnome_dialog_close(GNOME_DIALOG(dialog));
+ return (result == 0 ? 0 : -1);
+
+ /* At least one grab failed - ungrab what we got, and report
+ the failure to the user. Note that XGrabServer() cannot
+ fail. */
+ nograbkb:
+ gdk_pointer_ungrab(GDK_CURRENT_TIME);
+ nograb:
+ if (grab_server)
+ XUngrabServer(GDK_DISPLAY());
+ gnome_dialog_close(GNOME_DIALOG(dialog));
+
+ report_failed_grab();
+ return (-1);
+}
+
+int
+main(int argc, char **argv)
+{
+ char *message;
+ int result;
+
+ gnome_init("GNOME ssh-askpass", "0.1", argc, argv);
+
+ if (argc == 2)
+ message = argv[1];
+ else
+ message = "Enter your OpenSSH passphrase:";
+
+ setvbuf(stdout, 0, _IONBF, 0);
+ result = passphrase_dialog(message);
+
+ return (result);
+}
diff --git a/crypto/openssh/contrib/gnome-ssh-askpass2.c b/crypto/openssh/contrib/gnome-ssh-askpass2.c
new file mode 100644
index 0000000..0ce8dae
--- /dev/null
+++ b/crypto/openssh/contrib/gnome-ssh-askpass2.c
@@ -0,0 +1,220 @@
+/*
+ * Copyright (c) 2000-2002 Damien Miller. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* GTK2 support by Nalin Dahyabhai <nalin@redhat.com> */
+
+/*
+ * This is a simple GNOME SSH passphrase grabber. To use it, set the
+ * environment variable SSH_ASKPASS to point to the location of
+ * gnome-ssh-askpass before calling "ssh-add < /dev/null".
+ *
+ * There is only two run-time options: if you set the environment variable
+ * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
+ * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
+ * pointer will be grabbed too. These may have some benefit to security if
+ * you don't trust your X server. We grab the keyboard always.
+ */
+
+#define GRAB_TRIES 16
+#define GRAB_WAIT 250 /* milliseconds */
+
+/*
+ * Compile with:
+ *
+ * cc -Wall `pkg-config --cflags gtk+-2.0` \
+ * gnome-ssh-askpass2.c -o gnome-ssh-askpass \
+ * `pkg-config --libs gtk+-2.0`
+ *
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <X11/Xlib.h>
+#include <gtk/gtk.h>
+#include <gdk/gdkx.h>
+
+static void
+report_failed_grab (const char *what)
+{
+ GtkWidget *err;
+
+ err = gtk_message_dialog_new(NULL, 0,
+ GTK_MESSAGE_ERROR,
+ GTK_BUTTONS_CLOSE,
+ "Could not grab %s. "
+ "A malicious client may be eavesdropping "
+ "on your session.", what);
+ gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
+ gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label),
+ TRUE);
+
+ gtk_dialog_run(GTK_DIALOG(err));
+
+ gtk_widget_destroy(err);
+}
+
+static void
+ok_dialog(GtkWidget *entry, gpointer dialog)
+{
+ g_return_if_fail(GTK_IS_DIALOG(dialog));
+ gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+}
+
+static int
+passphrase_dialog(char *message)
+{
+ const char *failed;
+ char *passphrase, *local;
+ int result, grab_tries, grab_server, grab_pointer;
+ GtkWidget *dialog, *entry;
+ GdkGrabStatus status;
+
+ grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
+ grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
+ grab_tries = 0;
+
+ dialog = gtk_message_dialog_new(NULL, 0,
+ GTK_MESSAGE_QUESTION,
+ GTK_BUTTONS_OK_CANCEL,
+ "%s",
+ message);
+
+ entry = gtk_entry_new();
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE,
+ FALSE, 0);
+ gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
+ gtk_widget_grab_focus(entry);
+ gtk_widget_show(entry);
+
+ gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
+ gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
+ gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(dialog))->label),
+ TRUE);
+
+ /* Make <enter> close dialog */
+ gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+ g_signal_connect(G_OBJECT(entry), "activate",
+ G_CALLBACK(ok_dialog), dialog);
+
+ /* Grab focus */
+ gtk_widget_show_now(dialog);
+ if (grab_pointer) {
+ for(;;) {
+ status = gdk_pointer_grab(
+ (GTK_WIDGET(dialog))->window, TRUE, 0, NULL,
+ NULL, GDK_CURRENT_TIME);
+ if (status == GDK_GRAB_SUCCESS)
+ break;
+ usleep(GRAB_WAIT * 1000);
+ if (++grab_tries > GRAB_TRIES) {
+ failed = "mouse";
+ goto nograb;
+ }
+ }
+ }
+ for(;;) {
+ status = gdk_keyboard_grab((GTK_WIDGET(dialog))->window,
+ FALSE, GDK_CURRENT_TIME);
+ if (status == GDK_GRAB_SUCCESS)
+ break;
+ usleep(GRAB_WAIT * 1000);
+ if (++grab_tries > GRAB_TRIES) {
+ failed = "keyboard";
+ goto nograbkb;
+ }
+ }
+ if (grab_server) {
+ gdk_x11_grab_server();
+ }
+
+ result = gtk_dialog_run(GTK_DIALOG(dialog));
+
+ /* Ungrab */
+ if (grab_server)
+ XUngrabServer(GDK_DISPLAY());
+ if (grab_pointer)
+ gdk_pointer_ungrab(GDK_CURRENT_TIME);
+ gdk_keyboard_ungrab(GDK_CURRENT_TIME);
+ gdk_flush();
+
+ /* Report passphrase if user selected OK */
+ passphrase = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry)));
+ if (result == GTK_RESPONSE_OK) {
+ local = g_locale_from_utf8(passphrase, strlen(passphrase),
+ NULL, NULL, NULL);
+ if (local != NULL) {
+ puts(local);
+ memset(local, '\0', strlen(local));
+ g_free(local);
+ } else {
+ puts(passphrase);
+ }
+ }
+
+ /* Zero passphrase in memory */
+ memset(passphrase, '\b', strlen(passphrase));
+ gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
+ memset(passphrase, '\0', strlen(passphrase));
+ g_free(passphrase);
+
+ gtk_widget_destroy(dialog);
+ return (result == GTK_RESPONSE_OK ? 0 : -1);
+
+ /* At least one grab failed - ungrab what we got, and report
+ the failure to the user. Note that XGrabServer() cannot
+ fail. */
+ nograbkb:
+ gdk_pointer_ungrab(GDK_CURRENT_TIME);
+ nograb:
+ if (grab_server)
+ XUngrabServer(GDK_DISPLAY());
+ gtk_widget_destroy(dialog);
+
+ report_failed_grab(failed);
+
+ return (-1);
+}
+
+int
+main(int argc, char **argv)
+{
+ char *message;
+ int result;
+
+ gtk_init(&argc, &argv);
+
+ if (argc > 1) {
+ message = g_strjoinv(" ", argv + 1);
+ } else {
+ message = g_strdup("Enter your OpenSSH passphrase:");
+ }
+
+ setvbuf(stdout, 0, _IONBF, 0);
+ result = passphrase_dialog(message);
+ g_free(message);
+
+ return (result);
+}
diff --git a/crypto/openssh/contrib/hpux/README b/crypto/openssh/contrib/hpux/README
new file mode 100644
index 0000000..f8bfa84
--- /dev/null
+++ b/crypto/openssh/contrib/hpux/README
@@ -0,0 +1,45 @@
+README for OpenSSH HP-UX contrib files
+Kevin Steves <stevesk@pobox.com>
+
+sshd: configuration file for sshd.rc
+sshd.rc: SSH startup script
+egd: configuration file for egd.rc
+egd.rc: EGD (entropy gathering daemon) startup script
+
+To install:
+
+sshd.rc:
+
+o Verify paths in sshd.rc match your local installation
+ (WHAT_PATH and WHAT_PID)
+o Customize sshd if needed (SSHD_ARGS)
+o Install:
+
+ # cp sshd /etc/rc.config.d
+ # chmod 444 /etc/rc.config.d/sshd
+ # cp sshd.rc /sbin/init.d
+ # chmod 555 /sbin/init.d/sshd.rc
+ # ln -s /sbin/init.d/sshd.rc /sbin/rc1.d/K100sshd
+ # ln -s /sbin/init.d/sshd.rc /sbin/rc2.d/S900sshd
+
+egd.rc:
+
+o Verify egd.pl path in egd.rc matches your local installation
+ (WHAT_PATH)
+o Customize egd if needed (EGD_ARGS and EGD_LOG)
+o Add pseudo account:
+
+ # groupadd egd
+ # useradd -g egd egd
+ # mkdir -p /etc/opt/egd
+ # chown egd:egd /etc/opt/egd
+ # chmod 711 /etc/opt/egd
+
+o Install:
+
+ # cp egd /etc/rc.config.d
+ # chmod 444 /etc/rc.config.d/egd
+ # cp egd.rc /sbin/init.d
+ # chmod 555 /sbin/init.d/egd.rc
+ # ln -s /sbin/init.d/egd.rc /sbin/rc1.d/K600egd
+ # ln -s /sbin/init.d/egd.rc /sbin/rc2.d/S400egd
diff --git a/crypto/openssh/contrib/hpux/egd b/crypto/openssh/contrib/hpux/egd
new file mode 100644
index 0000000..21af0bd
--- /dev/null
+++ b/crypto/openssh/contrib/hpux/egd
@@ -0,0 +1,15 @@
+# EGD_START: Set to 1 to start entropy gathering daemon
+# EGD_ARGS: Command line arguments to pass to egd
+# EGD_LOG: EGD stdout and stderr log file (default /etc/opt/egd/egd.log)
+#
+# To configure the egd environment:
+
+# groupadd egd
+# useradd -g egd egd
+# mkdir -p /etc/opt/egd
+# chown egd:egd /etc/opt/egd
+# chmod 711 /etc/opt/egd
+
+EGD_START=1
+EGD_ARGS='/etc/opt/egd/entropy'
+EGD_LOG=
diff --git a/crypto/openssh/contrib/hpux/egd.rc b/crypto/openssh/contrib/hpux/egd.rc
new file mode 100755
index 0000000..919dea7
--- /dev/null
+++ b/crypto/openssh/contrib/hpux/egd.rc
@@ -0,0 +1,98 @@
+#!/sbin/sh
+
+#
+# egd.rc: EGD start-up and shutdown script
+#
+
+# Allowed exit values:
+# 0 = success; causes "OK" to show up in checklist.
+# 1 = failure; causes "FAIL" to show up in checklist.
+# 2 = skip; causes "N/A" to show up in the checklist.
+# Use this value if execution of this script is overridden
+# by the use of a control variable, or if this script is not
+# appropriate to execute for some other reason.
+# 3 = reboot; causes the system to be rebooted after execution.
+
+# Input and output:
+# stdin is redirected from /dev/null
+#
+# stdout and stderr are redirected to the /etc/rc.log file
+# during checklist mode, or to the console in raw mode.
+
+umask 022
+
+PATH=/usr/sbin:/usr/bin:/sbin
+export PATH
+
+WHAT='EGD (entropy gathering daemon)'
+WHAT_PATH=/opt/perl/bin/egd.pl
+WHAT_CONFIG=/etc/rc.config.d/egd
+WHAT_LOG=/etc/opt/egd/egd.log
+
+# NOTE: If your script executes in run state 0 or state 1, then /usr might
+# not be available. Do not attempt to access commands or files in
+# /usr unless your script executes in run state 2 or greater. Other
+# file systems typically not mounted until run state 2 include /var
+# and /opt.
+
+rval=0
+
+# Check the exit value of a command run by this script. If non-zero, the
+# exit code is echoed to the log file and the return value of this script
+# is set to indicate failure.
+
+set_return() {
+ x=$?
+ if [ $x -ne 0 ]; then
+ echo "EXIT CODE: $x"
+ rval=1 # script FAILed
+ fi
+}
+
+case $1 in
+'start_msg')
+ echo "Starting $WHAT"
+ ;;
+
+'stop_msg')
+ echo "Stopping $WHAT"
+ ;;
+
+'start')
+ if [ -f $WHAT_CONFIG ] ; then
+ . $WHAT_CONFIG
+ else
+ echo "ERROR: $WHAT_CONFIG defaults file MISSING"
+ fi
+
+
+ if [ "$EGD_START" -eq 1 -a -x $WHAT_PATH ]; then
+ EGD_LOG=${EGD_LOG:-$WHAT_LOG}
+ su egd -c "nohup $WHAT_PATH $EGD_ARGS >$EGD_LOG 2>&1" &&
+ echo $WHAT started
+ set_return
+ else
+ rval=2
+ fi
+ ;;
+
+'stop')
+ pid=`ps -fuegd | awk '$1 == "egd" { print $2 }'`
+ if [ "X$pid" != "X" ]; then
+ if kill "$pid"; then
+ echo "$WHAT stopped"
+ else
+ rval=1
+ echo "Unable to stop $WHAT"
+ fi
+ fi
+ set_return
+ ;;
+
+*)
+ echo "usage: $0 {start|stop|start_msg|stop_msg}"
+ rval=1
+ ;;
+esac
+
+exit $rval
diff --git a/crypto/openssh/contrib/hpux/sshd b/crypto/openssh/contrib/hpux/sshd
new file mode 100644
index 0000000..8eb5e92
--- /dev/null
+++ b/crypto/openssh/contrib/hpux/sshd
@@ -0,0 +1,5 @@
+# SSHD_START: Set to 1 to start SSH daemon
+# SSHD_ARGS: Command line arguments to pass to sshd
+#
+SSHD_START=1
+SSHD_ARGS=
diff --git a/crypto/openssh/contrib/hpux/sshd.rc b/crypto/openssh/contrib/hpux/sshd.rc
new file mode 100755
index 0000000..f9a1099
--- /dev/null
+++ b/crypto/openssh/contrib/hpux/sshd.rc
@@ -0,0 +1,90 @@
+#!/sbin/sh
+
+#
+# sshd.rc: SSH daemon start-up and shutdown script
+#
+
+# Allowed exit values:
+# 0 = success; causes "OK" to show up in checklist.
+# 1 = failure; causes "FAIL" to show up in checklist.
+# 2 = skip; causes "N/A" to show up in the checklist.
+# Use this value if execution of this script is overridden
+# by the use of a control variable, or if this script is not
+# appropriate to execute for some other reason.
+# 3 = reboot; causes the system to be rebooted after execution.
+
+# Input and output:
+# stdin is redirected from /dev/null
+#
+# stdout and stderr are redirected to the /etc/rc.log file
+# during checklist mode, or to the console in raw mode.
+
+PATH=/usr/sbin:/usr/bin:/sbin
+export PATH
+
+WHAT='OpenSSH'
+WHAT_PATH=/opt/openssh/sbin/sshd
+WHAT_PID=/var/run/sshd.pid
+WHAT_CONFIG=/etc/rc.config.d/sshd
+
+# NOTE: If your script executes in run state 0 or state 1, then /usr might
+# not be available. Do not attempt to access commands or files in
+# /usr unless your script executes in run state 2 or greater. Other
+# file systems typically not mounted until run state 2 include /var
+# and /opt.
+
+rval=0
+
+# Check the exit value of a command run by this script. If non-zero, the
+# exit code is echoed to the log file and the return value of this script
+# is set to indicate failure.
+
+set_return() {
+ x=$?
+ if [ $x -ne 0 ]; then
+ echo "EXIT CODE: $x"
+ rval=1 # script FAILed
+ fi
+}
+
+case $1 in
+'start_msg')
+ echo "Starting $WHAT"
+ ;;
+
+'stop_msg')
+ echo "Stopping $WHAT"
+ ;;
+
+'start')
+ if [ -f $WHAT_CONFIG ] ; then
+ . $WHAT_CONFIG
+ else
+ echo "ERROR: $WHAT_CONFIG defaults file MISSING"
+ fi
+
+ if [ "$SSHD_START" -eq 1 -a -x "$WHAT_PATH" ]; then
+ $WHAT_PATH $SSHD_ARGS && echo "$WHAT started"
+ set_return
+ else
+ rval=2
+ fi
+ ;;
+
+'stop')
+ if kill `cat $WHAT_PID`; then
+ echo "$WHAT stopped"
+ else
+ rval=1
+ echo "Unable to stop $WHAT"
+ fi
+ set_return
+ ;;
+
+*)
+ echo "usage: $0 {start|stop|start_msg|stop_msg}"
+ rval=1
+ ;;
+esac
+
+exit $rval
diff --git a/crypto/openssh/contrib/redhat/gnome-ssh-askpass.csh b/crypto/openssh/contrib/redhat/gnome-ssh-askpass.csh
new file mode 100644
index 0000000..dd77712
--- /dev/null
+++ b/crypto/openssh/contrib/redhat/gnome-ssh-askpass.csh
@@ -0,0 +1 @@
+setenv SSH_ASKPASS /usr/libexec/openssh/gnome-ssh-askpass
diff --git a/crypto/openssh/contrib/redhat/gnome-ssh-askpass.sh b/crypto/openssh/contrib/redhat/gnome-ssh-askpass.sh
new file mode 100644
index 0000000..355189f
--- /dev/null
+++ b/crypto/openssh/contrib/redhat/gnome-ssh-askpass.sh
@@ -0,0 +1,2 @@
+SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
+export SSH_ASKPASS
diff --git a/crypto/openssh/contrib/redhat/openssh.spec b/crypto/openssh/contrib/redhat/openssh.spec
new file mode 100644
index 0000000..b747009
--- /dev/null
+++ b/crypto/openssh/contrib/redhat/openssh.spec
@@ -0,0 +1,804 @@
+%define ver 3.8.1p1
+%define rel 1
+
+# OpenSSH privilege separation requires a user & group ID
+%define sshd_uid 74
+%define sshd_gid 74
+
+# Version of ssh-askpass
+%define aversion 1.2.4.1
+
+# Do we want to disable building of x11-askpass? (1=yes 0=no)
+%define no_x11_askpass 0
+
+# Do we want to disable building of gnome-askpass? (1=yes 0=no)
+%define no_gnome_askpass 0
+
+# Do we want to link against a static libcrypto? (1=yes 0=no)
+%define static_libcrypto 0
+
+# Do we want smartcard support (1=yes 0=no)
+%define scard 0
+
+# Use GTK2 instead of GNOME in gnome-ssh-askpass
+%define gtk2 1
+
+# Is this build for RHL 6.x?
+%define build6x 0
+
+# Do we want kerberos5 support (1=yes 0=no)
+%define kerberos5 1
+
+# Reserve options to override askpass settings with:
+# rpm -ba|--rebuild --define 'skip_xxx 1'
+%{?skip_x11_askpass:%define no_x11_askpass 1}
+%{?skip_gnome_askpass:%define no_gnome_askpass 1}
+
+# Add option to build without GTK2 for older platforms with only GTK+.
+# RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples.
+# rpm -ba|--rebuild --define 'no_gtk2 1'
+%{?no_gtk2:%define gtk2 0}
+
+# Is this a build for RHL 6.x or earlier?
+%{?build_6x:%define build6x 1}
+
+# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
+%if %{build6x}
+%define _sysconfdir /etc
+%endif
+
+# Options for static OpenSSL link:
+# rpm -ba|--rebuild --define "static_openssl 1"
+%{?static_openssl:%define static_libcrypto 1}
+
+# Options for Smartcard support: (needs libsectok and openssl-engine)
+# rpm -ba|--rebuild --define "smartcard 1"
+%{?smartcard:%define scard 1}
+
+# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
+%define rescue 0
+%{?build_rescue:%define rescue 1}
+
+# Turn off some stuff for resuce builds
+%if %{rescue}
+%define kerberos5 0
+%endif
+
+Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
+Name: openssh
+Version: %{ver}
+%if %{rescue}
+Release: %{rel}rescue
+%else
+Release: %{rel}
+%endif
+URL: http://www.openssh.com/portable.html
+Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
+Source1: http://www.pobox.com/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
+License: BSD
+Group: Applications/Internet
+BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
+Obsoletes: ssh
+%if %{build6x}
+PreReq: initscripts >= 5.00
+%else
+PreReq: initscripts >= 5.20
+%endif
+BuildPreReq: perl, openssl-devel, tcp_wrappers
+BuildPreReq: /bin/login
+%if ! %{build6x}
+BuildPreReq: glibc-devel, pam
+%else
+BuildPreReq: /usr/include/security/pam_appl.h
+%endif
+%if ! %{no_x11_askpass}
+BuildPreReq: XFree86-devel
+%endif
+%if ! %{no_gnome_askpass}
+BuildPreReq: pkgconfig
+%endif
+%if %{kerberos5}
+BuildPreReq: krb5-devel
+BuildPreReq: krb5-libs
+%endif
+
+%package clients
+Summary: OpenSSH clients.
+Requires: openssh = %{version}-%{release}
+Group: Applications/Internet
+Obsoletes: ssh-clients
+
+%package server
+Summary: The OpenSSH server daemon.
+Group: System Environment/Daemons
+Obsoletes: ssh-server
+PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9
+%if ! %{build6x}
+Requires: /etc/pam.d/system-auth
+%endif
+
+%package askpass
+Summary: A passphrase dialog for OpenSSH and X.
+Group: Applications/Internet
+Requires: openssh = %{version}-%{release}
+Obsoletes: ssh-extras
+
+%package askpass-gnome
+Summary: A passphrase dialog for OpenSSH, X, and GNOME.
+Group: Applications/Internet
+Requires: openssh = %{version}-%{release}
+Obsoletes: ssh-extras
+
+%description
+SSH (Secure SHell) is a program for logging into and executing
+commands on a remote machine. SSH is intended to replace rlogin and
+rsh, and to provide secure encrypted communications between two
+untrusted hosts over an insecure network. X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's version of the last free version of SSH, bringing
+it up to date in terms of security and features, as well as removing
+all patented algorithms to separate libraries.
+
+This package includes the core files necessary for both the OpenSSH
+client and server. To make this package useful, you should also
+install openssh-clients, openssh-server, or both.
+
+%description clients
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package includes
+the clients necessary to make encrypted connections to SSH servers.
+You'll also need to install the openssh package on OpenSSH clients.
+
+%description server
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package contains
+the secure shell daemon (sshd). The sshd daemon allows SSH clients to
+securely connect to your SSH server. You also need to have the openssh
+package installed.
+
+%description askpass
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package contains
+an X11 passphrase dialog for OpenSSH.
+
+%description askpass-gnome
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package contains
+an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop
+environment.
+
+%prep
+
+%if ! %{no_x11_askpass}
+%setup -q -a 1
+%else
+%setup -q
+%endif
+
+%build
+%if %{rescue}
+CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
+%endif
+
+%if %{kerberos5}
+K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | sed 's,\/include\/krb5.h,,'`
+echo K5DIR=$K5DIR
+%endif
+
+%configure \
+ --sysconfdir=%{_sysconfdir}/ssh \
+ --libexecdir=%{_libexecdir}/openssh \
+ --datadir=%{_datadir}/openssh \
+ --with-tcp-wrappers \
+ --with-rsh=%{_bindir}/rsh \
+ --with-default-path=/usr/local/bin:/bin:/usr/bin \
+ --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
+ --with-privsep-path=%{_var}/empty/sshd \
+ --with-md5-passwords \
+%if %{scard}
+ --with-smartcard \
+%endif
+%if %{rescue}
+ --without-pam \
+%else
+ --with-pam \
+%endif
+%if %{kerberos5}
+ --with-kerberos5=$K5DIR \
+%endif
+
+
+%if %{static_libcrypto}
+perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
+%endif
+
+make
+
+%if ! %{no_x11_askpass}
+pushd x11-ssh-askpass-%{aversion}
+%configure --libexecdir=%{_libexecdir}/openssh
+xmkmf -a
+make
+popd
+%endif
+
+# Define a variable to toggle gnome1/gtk2 building. This is necessary
+# because RPM doesn't handle nested %if statements.
+%if %{gtk2}
+ gtk2=yes
+%else
+ gtk2=no
+%endif
+
+%if ! %{no_gnome_askpass}
+pushd contrib
+if [ $gtk2 = yes ] ; then
+ make gnome-ssh-askpass2
+ mv gnome-ssh-askpass2 gnome-ssh-askpass
+else
+ make gnome-ssh-askpass1
+ mv gnome-ssh-askpass1 gnome-ssh-askpass
+fi
+popd
+%endif
+
+%install
+rm -rf $RPM_BUILD_ROOT
+mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
+mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
+mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
+
+make install DESTDIR=$RPM_BUILD_ROOT
+
+install -d $RPM_BUILD_ROOT/etc/pam.d/
+install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
+install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
+%if %{build6x}
+install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd
+%else
+install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
+%endif
+install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
+
+%if ! %{no_x11_askpass}
+install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass
+ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
+%endif
+
+%if ! %{no_gnome_askpass}
+install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
+%endif
+
+%if ! %{scard}
+ rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin
+%endif
+
+%if ! %{no_gnome_askpass}
+install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
+install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
+install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
+%endif
+
+perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%triggerun server -- ssh-server
+if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; then
+ touch /var/run/sshd.restart
+fi
+
+%triggerun server -- openssh-server < 2.5.0p1
+# Count the number of HostKey and HostDsaKey statements we have.
+gawk 'BEGIN {IGNORECASE=1}
+ /^hostkey/ || /^hostdsakey/ {sawhostkey = sawhostkey + 1}
+ END {exit sawhostkey}' /etc/ssh/sshd_config
+# And if we only found one, we know the client was relying on the old default
+# behavior, which loaded the the SSH2 DSA host key when HostDsaKey wasn't
+# specified. Now that HostKey is used for both SSH1 and SSH2 keys, specifying
+# one nullifies the default, which would have loaded both.
+if [ $? -eq 1 ] ; then
+ echo HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_config
+ echo HostKey /etc/ssh/ssh_host_dsa_key >> /etc/ssh/sshd_config
+fi
+
+%triggerpostun server -- ssh-server
+if [ "$1" != 0 ] ; then
+ /sbin/chkconfig --add sshd
+ if test -f /var/run/sshd.restart ; then
+ rm -f /var/run/sshd.restart
+ /sbin/service sshd start > /dev/null 2>&1 || :
+ fi
+fi
+
+%pre server
+%{_sbindir}/groupadd -r -g %{sshd_gid} sshd 2>/dev/null || :
+%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
+ -g sshd -M -r sshd 2>/dev/null || :
+
+%post server
+/sbin/chkconfig --add sshd
+
+%postun server
+/sbin/service sshd condrestart > /dev/null 2>&1 || :
+
+%preun server
+if [ "$1" = 0 ]
+then
+ /sbin/service sshd stop > /dev/null 2>&1 || :
+ /sbin/chkconfig --del sshd
+fi
+
+%files
+%defattr(-,root,root)
+%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* RFC* TODO WARNING*
+%attr(0755,root,root) %{_bindir}/scp
+%attr(0644,root,root) %{_mandir}/man1/scp.1*
+%attr(0755,root,root) %dir %{_sysconfdir}/ssh
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
+%if ! %{rescue}
+%attr(0755,root,root) %{_bindir}/ssh-keygen
+%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
+%attr(0755,root,root) %dir %{_libexecdir}/openssh
+%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign
+%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
+%endif
+%if %{scard}
+%attr(0755,root,root) %dir %{_datadir}/openssh
+%attr(0644,root,root) %{_datadir}/openssh/Ssh.bin
+%endif
+
+%files clients
+%defattr(-,root,root)
+%attr(0755,root,root) %{_bindir}/ssh
+%attr(0644,root,root) %{_mandir}/man1/ssh.1*
+%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
+%attr(-,root,root) %{_bindir}/slogin
+%attr(-,root,root) %{_mandir}/man1/slogin.1*
+%if ! %{rescue}
+%attr(2755,root,nobody) %{_bindir}/ssh-agent
+%attr(0755,root,root) %{_bindir}/ssh-add
+%attr(0755,root,root) %{_bindir}/ssh-keyscan
+%attr(0755,root,root) %{_bindir}/sftp
+%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
+%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
+%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
+%attr(0644,root,root) %{_mandir}/man1/sftp.1*
+%endif
+
+%if ! %{rescue}
+%files server
+%defattr(-,root,root)
+%dir %attr(0111,root,root) %{_var}/empty/sshd
+%attr(0755,root,root) %{_sbindir}/sshd
+%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
+%attr(0644,root,root) %{_mandir}/man8/sshd.8*
+%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
+%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
+%attr(0755,root,root) %dir %{_sysconfdir}/ssh
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
+%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
+%attr(0755,root,root) %config /etc/rc.d/init.d/sshd
+%endif
+
+%if ! %{no_x11_askpass}
+%files askpass
+%defattr(-,root,root)
+%doc x11-ssh-askpass-%{aversion}/README
+%doc x11-ssh-askpass-%{aversion}/ChangeLog
+%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad
+%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
+%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass
+%endif
+
+%if ! %{no_gnome_askpass}
+%files askpass-gnome
+%defattr(-,root,root)
+%attr(0755,root,root) %config %{_sysconfdir}/profile.d/gnome-ssh-askpass.*
+%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
+%endif
+
+%changelog
+* Mon Jun 2 2003 Damien Miller <djm@mindrot.org>
+- Remove noip6 option. This may be controlled at run-time in client config
+ file using new AddressFamily directive
+
+* Mon May 12 2003 Damien Miller <djm@mindrot.org>
+- Don't install profile.d scripts when not building with GNOME/GTK askpass
+ (patch from bet@rahul.net)
+
+* Wed Oct 01 2002 Damien Miller <djm@mindrot.org>
+- Install ssh-agent setgid nobody to prevent ptrace() key theft attacks
+
+* Mon Sep 30 2002 Damien Miller <djm@mindrot.org>
+- Use contrib/ Makefile for building askpass programs
+
+* Fri Jun 21 2002 Damien Miller <djm@mindrot.org>
+- Merge in spec changes from seba@iq.pl (Sebastian Pachuta)
+- Add new {ssh,sshd}_config.5 manpages
+- Add new ssh-keysign program and remove setuid from ssh client
+
+* Fri May 10 2002 Damien Miller <djm@mindrot.org>
+- Merge in spec changes from RedHat, reorgansie a little
+- Add Privsep user, group and directory
+
+* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-2
+- bump and grind (through the build system)
+
+* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-1
+- require sharutils for building (mindrot #137)
+- require db1-devel only when building for 6.x (#55105), which probably won't
+ work anyway (3.1 requires OpenSSL 0.9.6 to build), but what the heck
+- require pam-devel by file (not by package name) again
+- add Markus's patch to compile with OpenSSL 0.9.5a (from
+ http://bugzilla.mindrot.org/show_bug.cgi?id=141) and apply it if we're
+ building for 6.x
+
+* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-0
+- update to 3.1p1
+
+* Tue Mar 5 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020305
+- update to SNAP-20020305
+- drop debug patch, fixed upstream
+
+* Wed Feb 20 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020220
+- update to SNAP-20020220 for testing purposes (you've been warned, if there's
+ anything to be warned about, gss patches won't apply, I don't mind)
+
+* Wed Feb 13 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-3
+- add patches from Simon Wilkinson and Nicolas Williams for GSSAPI key
+ exchange, authentication, and named key support
+
+* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-2
+- remove dependency on db1-devel, which has just been swallowed up whole
+ by gnome-libs-devel
+
+* Sun Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com>
+- adjust build dependencies so that build6x actually works right (fix
+ from Hugo van der Kooij)
+
+* Tue Dec 4 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-1
+- update to 3.0.2p1
+
+* Fri Nov 16 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.1p1-1
+- update to 3.0.1p1
+
+* Tue Nov 13 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to current CVS (not for use in distribution)
+
+* Thu Nov 8 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0p1-1
+- merge some of Damien Miller <djm@mindrot.org> changes from the upstream
+ 3.0p1 spec file and init script
+
+* Wed Nov 7 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 3.0p1
+- update to x11-ssh-askpass 1.2.4.1
+- change build dependency on a file from pam-devel to the pam-devel package
+- replace primes with moduli
+
+* Thu Sep 27 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-9
+- incorporate fix from Markus Friedl's advisory for IP-based authorization bugs
+
+* Thu Sep 13 2001 Bernhard Rosenkraenzer <bero@redhat.com> 2.9p2-8
+- Merge changes to rescue build from current sysadmin survival cd
+
+* Thu Sep 6 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-7
+- fix scp's server's reporting of file sizes, and build with the proper
+ preprocessor define to get large-file capable open(), stat(), etc.
+ (sftp has been doing this correctly all along) (#51827)
+- configure without --with-ipv4-default on RHL 7.x and newer (#45987,#52247)
+- pull cvs patch to fix support for /etc/nologin for non-PAM logins (#47298)
+- mark profile.d scriptlets as config files (#42337)
+- refer to Jason Stone's mail for zsh workaround for exit-hanging quasi-bug
+- change a couple of log() statements to debug() statements (#50751)
+- pull cvs patch to add -t flag to sshd (#28611)
+- clear fd_sets correctly (one bit per FD, not one byte per FD) (#43221)
+
+* Mon Aug 20 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-6
+- add db1-devel as a BuildPrerequisite (noted by Hans Ecke)
+
+* Thu Aug 16 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pull cvs patch to fix remote port forwarding with protocol 2
+
+* Thu Aug 9 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pull cvs patch to add session initialization to no-pty sessions
+- pull cvs patch to not cut off challengeresponse auth needlessly
+- refuse to do X11 forwarding if xauth isn't there, handy if you enable
+ it by default on a system that doesn't have X installed (#49263)
+
+* Wed Aug 8 2001 Nalin Dahyabhai <nalin@redhat.com>
+- don't apply patches to code we don't intend to build (spotted by Matt Galgoci)
+
+* Mon Aug 6 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pass OPTIONS correctly to initlog (#50151)
+
+* Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+- switch to x11-ssh-askpass 1.2.2
+
+* Wed Jul 11 2001 Nalin Dahyabhai <nalin@redhat.com>
+- rebuild in new environment
+
+* Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+- disable the gssapi patch
+
+* Mon Jun 18 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.9p2
+- refresh to a new version of the gssapi patch
+
+* Thu Jun 7 2001 Nalin Dahyabhai <nalin@redhat.com>
+- change Copyright: BSD to License: BSD
+- add Markus Friedl's unverified patch for the cookie file deletion problem
+ so that we can verify it
+- drop patch to check if xauth is present (was folded into cookie patch)
+- don't apply gssapi patches for the errata candidate
+- clear supplemental groups list at startup
+
+* Fri May 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+- fix an error parsing the new default sshd_config
+- add a fix from Markus Friedl (via openssh-unix-dev) for ssh-keygen not
+ dealing with comments right
+
+* Thu May 24 2001 Nalin Dahyabhai <nalin@redhat.com>
+- add in Simon Wilkinson's GSSAPI patch to give it some testing in-house,
+ to be removed before the next beta cycle because it's a big departure
+ from the upstream version
+
+* Thu May 3 2001 Nalin Dahyabhai <nalin@redhat.com>
+- finish marking strings in the init script for translation
+- modify init script to source /etc/sysconfig/sshd and pass $OPTIONS to sshd
+ at startup (change merged from openssh.com init script, originally by
+ Pekka Savola)
+- refuse to do X11 forwarding if xauth isn't there, handy if you enable
+ it by default on a system that doesn't have X installed
+
+* Wed May 2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.9
+- drop various patches that came from or went upstream or to or from CVS
+
+* Wed Apr 18 2001 Nalin Dahyabhai <nalin@redhat.com>
+- only require initscripts 5.00 on 6.2 (reported by Peter Bieringer)
+
+* Sun Apr 8 2001 Preston Brown <pbrown@redhat.com>
+- remove explicit openssl requirement, fixes builddistro issue
+- make initscript stop() function wait until sshd really dead to avoid
+ races in condrestart
+
+* Mon Apr 2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- mention that challengereponse supports PAM, so disabling password doesn't
+ limit users to pubkey and rsa auth (#34378)
+- bypass the daemon() function in the init script and call initlog directly,
+ because daemon() won't start a daemon it detects is already running (like
+ open connections)
+- require the version of openssl we had when we were built
+
+* Fri Mar 23 2001 Nalin Dahyabhai <nalin@redhat.com>
+- make do_pam_setcred() smart enough to know when to establish creds and
+ when to reinitialize them
+- add in a couple of other fixes from Damien for inclusion in the errata
+
+* Thu Mar 22 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.5.2p2
+- call setcred() again after initgroups, because the "creds" could actually
+ be group memberships
+
+* Tue Mar 20 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.5.2p1 (includes endianness fixes in the rijndael implementation)
+- don't enable challenge-response by default until we find a way to not
+ have too many userauth requests (we may make up to six pubkey and up to
+ three password attempts as it is)
+- remove build dependency on rsh to match openssh.com's packages more closely
+
+* Sat Mar 3 2001 Nalin Dahyabhai <nalin@redhat.com>
+- remove dependency on openssl -- would need to be too precise
+
+* Fri Mar 2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- rebuild in new environment
+
+* Mon Feb 26 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Revert the patch to move pam_open_session.
+- Init script and spec file changes from Pekka Savola. (#28750)
+- Patch sftp to recognize '-o protocol' arguments. (#29540)
+
+* Thu Feb 22 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Chuck the closing patch.
+- Add a trigger to add host keys for protocol 2 to the config file, now that
+ configuration file syntax requires us to specify it with HostKey if we
+ specify any other HostKey values, which we do.
+
+* Tue Feb 20 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Redo patch to move pam_open_session after the server setuid()s to the user.
+- Rework the nopam patch to use be picked up by autoconf.
+
+* Mon Feb 19 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Update for 2.5.1p1.
+- Add init script mods from Pekka Savola.
+- Tweak the init script to match the CVS contrib script more closely.
+- Redo patch to ssh-add to try to adding both identity and id_dsa to also try
+ adding id_rsa.
+
+* Fri Feb 16 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Update for 2.5.0p1.
+- Use $RPM_OPT_FLAGS instead of -O when building gnome-ssh-askpass
+- Resync with parts of Damien Miller's openssh.spec from CVS, including
+ update of x11 askpass to 1.2.0.
+- Only require openssl (don't prereq) because we generate keys in the init
+ script now.
+
+* Tue Feb 13 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Don't open a PAM session until we've forked and become the user (#25690).
+- Apply Andrew Bartlett's patch for letting pam_authenticate() know which
+ host the user is attempting a login from.
+- Resync with parts of Damien Miller's openssh.spec from CVS.
+- Don't expose KbdInt responses in debug messages (from CVS).
+- Detect and handle errors in rsa_{public,private}_decrypt (from CVS).
+
+* Wed Feb 7 2001 Trond Eivind Glomsrxd <teg@redhat.com>
+- i18n-tweak to initscript.
+
+* Tue Jan 23 2001 Nalin Dahyabhai <nalin@redhat.com>
+- More gettextizing.
+- Close all files after going into daemon mode (needs more testing).
+- Extract patch from CVS to handle auth banners (in the client).
+- Extract patch from CVS to handle compat weirdness.
+
+* Fri Jan 19 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Finish with the gettextizing.
+
+* Thu Jan 18 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Fix a bug in auth2-pam.c (#23877)
+- Gettextize the init script.
+
+* Wed Dec 20 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Incorporate a switch for using PAM configs for 6.x, just in case.
+
+* Tue Dec 5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Incorporate Bero's changes for a build specifically for rescue CDs.
+
+* Wed Nov 29 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Don't treat pam_setcred() failure as fatal unless pam_authenticate() has
+ succeeded, to allow public-key authentication after a failure with "none"
+ authentication. (#21268)
+
+* Tue Nov 28 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to x11-askpass 1.1.1. (#21301)
+- Don't second-guess fixpaths, which causes paths to get fixed twice. (#21290)
+
+* Mon Nov 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Merge multiple PAM text messages into subsequent prompts when possible when
+ doing keyboard-interactive authentication.
+
+* Sun Nov 26 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Disable the built-in MD5 password support. We're using PAM.
+- Take a crack at doing keyboard-interactive authentication with PAM, and
+ enable use of it in the default client configuration so that the client
+ will try it when the server disallows password authentication.
+- Build with debugging flags. Build root policies strip all binaries anyway.
+
+* Tue Nov 21 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Use DESTDIR instead of %%makeinstall.
+- Remove /usr/X11R6/bin from the path-fixing patch.
+
+* Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Add the primes file from the latest snapshot to the main package (#20884).
+- Add the dev package to the prereq list (#19984).
+- Remove the default path and mimic login's behavior in the server itself.
+
+* Fri Nov 17 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Resync with conditional options in Damien Miller's .spec file for an errata.
+- Change libexecdir from %%{_libexecdir}/ssh to %%{_libexecdir}/openssh.
+
+* Tue Nov 7 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to OpenSSH 2.3.0p1.
+- Update to x11-askpass 1.1.0.
+- Enable keyboard-interactive authentication.
+
+* Mon Oct 30 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to ssh-askpass-x11 1.0.3.
+- Change authentication related messages to be private (#19966).
+
+* Tue Oct 10 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Patch ssh-keygen to be able to list signatures for DSA public key files
+ it generates.
+
+* Thu Oct 5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Add BuildPreReq on /usr/include/security/pam_appl.h to be sure we always
+ build PAM authentication in.
+- Try setting SSH_ASKPASS if gnome-ssh-askpass is installed.
+- Clean out no-longer-used patches.
+- Patch ssh-add to try to add both identity and id_dsa, and to error only
+ when neither exists.
+
+* Mon Oct 2 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update x11-askpass to 1.0.2. (#17835)
+- Add BuildPreReqs for /bin/login and /usr/bin/rsh so that configure will
+ always find them in the right place. (#17909)
+- Set the default path to be the same as the one supplied by /bin/login, but
+ add /usr/X11R6/bin. (#17909)
+- Try to handle obsoletion of ssh-server more cleanly. Package names
+ are different, but init script name isn't. (#17865)
+
+* Wed Sep 6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 2.2.0p1. (#17835)
+- Tweak the init script to allow proper restarting. (#18023)
+
+* Wed Aug 23 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 20000823 snapshot.
+- Change subpackage requirements from %%{version} to %%{version}-%%{release}
+- Back out the pipe patch.
+
+* Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 2.1.1p4, which includes fixes for config file parsing problems.
+- Move the init script back.
+- Add Damien's quick fix for wackiness.
+
+* Wed Jul 12 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 2.1.1p3, which includes fixes for X11 forwarding and strtok().
+
+* Thu Jul 6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Move condrestart to server postun.
+- Move key generation to init script.
+- Actually use the right patch for moving the key generation to the init script.
+- Clean up the init script a bit.
+
+* Wed Jul 5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Fix X11 forwarding, from mail post by Chan Shih-Ping Richard.
+
+* Sun Jul 2 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 2.1.1p2.
+- Use of strtok() considered harmful.
+
+* Sat Jul 1 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Get the build root out of the man pages.
+
+* Thu Jun 29 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Add and use condrestart support in the init script.
+- Add newer initscripts as a prereq.
+
+* Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Build in new environment (release 2)
+- Move -clients subpackage to Applications/Internet group
+
+* Fri Jun 9 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 2.2.1p1
+
+* Sat Jun 3 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Patch to build with neither RSA nor RSAref.
+- Miscellaneous FHS-compliance tweaks.
+- Fix for possibly-compressed man pages.
+
+* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
+- Updated for new location
+- Updated for new gnome-ssh-askpass build
+
+* Sun Dec 26 1999 Damien Miller <djm@mindrot.org>
+- Added Jim Knoble's <jmknoble@pobox.com> askpass
+
+* Mon Nov 15 1999 Damien Miller <djm@mindrot.org>
+- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com>
+
+* Sat Nov 13 1999 Damien Miller <djm@mindrot.org>
+- Added 'Obsoletes' directives
+
+* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au>
+- Use make install
+- Subpackages
+
+* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au>
+- Added links for slogin
+- Fixed perms on manpages
+
+* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au>
+- Renamed init script
+
+* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au>
+- Back to old binary names
+
+* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au>
+- Use autoconf
+- New binary names
+
+* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au>
+- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec.
diff --git a/crypto/openssh/contrib/redhat/sshd.init b/crypto/openssh/contrib/redhat/sshd.init
new file mode 100755
index 0000000..4ee8630
--- /dev/null
+++ b/crypto/openssh/contrib/redhat/sshd.init
@@ -0,0 +1,154 @@
+#!/bin/bash
+#
+# Init file for OpenSSH server daemon
+#
+# chkconfig: 2345 55 25
+# description: OpenSSH server daemon
+#
+# processname: sshd
+# config: /etc/ssh/ssh_host_key
+# config: /etc/ssh/ssh_host_key.pub
+# config: /etc/ssh/ssh_random_seed
+# config: /etc/ssh/sshd_config
+# pidfile: /var/run/sshd.pid
+
+# source function library
+. /etc/rc.d/init.d/functions
+
+# pull in sysconfig settings
+[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
+
+RETVAL=0
+prog="sshd"
+
+# Some functions to make the below more readable
+KEYGEN=/usr/bin/ssh-keygen
+SSHD=/usr/sbin/sshd
+RSA1_KEY=/etc/ssh/ssh_host_key
+RSA_KEY=/etc/ssh/ssh_host_rsa_key
+DSA_KEY=/etc/ssh/ssh_host_dsa_key
+PID_FILE=/var/run/sshd.pid
+
+do_rsa1_keygen() {
+ if [ ! -s $RSA1_KEY ]; then
+ echo -n $"Generating SSH1 RSA host key: "
+ if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
+ chmod 600 $RSA1_KEY
+ chmod 644 $RSA1_KEY.pub
+ success $"RSA1 key generation"
+ echo
+ else
+ failure $"RSA1 key generation"
+ echo
+ exit 1
+ fi
+ fi
+}
+
+do_rsa_keygen() {
+ if [ ! -s $RSA_KEY ]; then
+ echo -n $"Generating SSH2 RSA host key: "
+ if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
+ chmod 600 $RSA_KEY
+ chmod 644 $RSA_KEY.pub
+ success $"RSA key generation"
+ echo
+ else
+ failure $"RSA key generation"
+ echo
+ exit 1
+ fi
+ fi
+}
+
+do_dsa_keygen() {
+ if [ ! -s $DSA_KEY ]; then
+ echo -n $"Generating SSH2 DSA host key: "
+ if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
+ chmod 600 $DSA_KEY
+ chmod 644 $DSA_KEY.pub
+ success $"DSA key generation"
+ echo
+ else
+ failure $"DSA key generation"
+ echo
+ exit 1
+ fi
+ fi
+}
+
+do_restart_sanity_check()
+{
+ $SSHD -t
+ RETVAL=$?
+ if [ ! "$RETVAL" = 0 ]; then
+ failure $"Configuration file or keys are invalid"
+ echo
+ fi
+}
+
+start()
+{
+ # Create keys if necessary
+ do_rsa1_keygen
+ do_rsa_keygen
+ do_dsa_keygen
+
+ echo -n $"Starting $prog:"
+ initlog -c "$SSHD $OPTIONS" && success || failure
+ RETVAL=$?
+ [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
+ echo
+}
+
+stop()
+{
+ echo -n $"Stopping $prog:"
+ killproc $SSHD -TERM
+ RETVAL=$?
+ [ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd
+ echo
+}
+
+reload()
+{
+ echo -n $"Reloading $prog:"
+ killproc $SSHD -HUP
+ RETVAL=$?
+ echo
+}
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ stop
+ start
+ ;;
+ reload)
+ reload
+ ;;
+ condrestart)
+ if [ -f /var/lock/subsys/sshd ] ; then
+ do_restart_sanity_check
+ if [ "$RETVAL" = 0 ] ; then
+ stop
+ # avoid race
+ sleep 3
+ start
+ fi
+ fi
+ ;;
+ status)
+ status $SSHD
+ RETVAL=$?
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
+ RETVAL=1
+esac
+exit $RETVAL
diff --git a/crypto/openssh/contrib/redhat/sshd.pam b/crypto/openssh/contrib/redhat/sshd.pam
new file mode 100644
index 0000000..24f3b46
--- /dev/null
+++ b/crypto/openssh/contrib/redhat/sshd.pam
@@ -0,0 +1,8 @@
+#%PAM-1.0
+auth required pam_stack.so service=system-auth
+auth required pam_nologin.so
+account required pam_stack.so service=system-auth
+password required pam_stack.so service=system-auth
+session required pam_stack.so service=system-auth
+session required pam_limits.so
+session optional pam_console.so
diff --git a/crypto/openssh/contrib/solaris/README b/crypto/openssh/contrib/solaris/README
new file mode 100755
index 0000000..eb4c590
--- /dev/null
+++ b/crypto/openssh/contrib/solaris/README
@@ -0,0 +1,24 @@
+The following is a new package build script for Solaris. This is being
+introduced into OpenSSH 3.0 and above in hopes of simplifying the build
+process. As of 3.1p2 the script should work on all platforms that have
+SVR4 style package tools.
+
+The build process is called a 'dummy install'.. Which means the software does
+a "make install-nokeys DESTDIR=[fakeroot]". This way all manpages should
+be handled correctly and key are defered until the first time the sshd
+is started.
+
+Directions:
+
+1. make -F Makefile.in distprep (Only if you are getting from the CVS tree)
+2. ./configure --with-pam [..any other options you want..]
+3. look at the top of contrib/solaris/buildpkg.sh for the configurable options.
+4. ./contrib/solaris/buildpkg.sh
+
+If all goes well you should have a solaris package ready to be installed.
+
+If you have any problems with this script please post them to
+openssh-unix-dev@mindrot.org and I will try to assist you as best as I can.
+
+- Ben Lindstrom
+
diff --git a/crypto/openssh/contrib/solaris/buildpkg.sh b/crypto/openssh/contrib/solaris/buildpkg.sh
new file mode 100755
index 0000000..29d0963
--- /dev/null
+++ b/crypto/openssh/contrib/solaris/buildpkg.sh
@@ -0,0 +1,386 @@
+#!/bin/sh
+#
+# Fake Root Solaris/SVR4/SVR5 Build System - Prototype
+#
+# The following code has been provide under Public Domain License. I really
+# don't care what you use it for. Just as long as you don't complain to me
+# nor my employer if you break it. - Ben Lindstrom (mouring@eviladmin.org)
+#
+umask 022
+#
+# Options for building the package
+# You can create a config.local with your customized options
+#
+# uncommenting TEST_DIR and using
+# configure --prefix=/var/tmp --with-privsep-path=/var/tmp/empty
+# and
+# PKGNAME=tOpenSSH should allow testing a package without interfering
+# with a real OpenSSH package on a system. This is not needed on systems
+# that support the -R option to pkgadd.
+#TEST_DIR=/var/tmp # leave commented out for production build
+PKGNAME=OpenSSH
+SYSVINIT_NAME=opensshd
+MAKE=${MAKE:="make"}
+SSHDUID=67 # Default privsep uid
+SSHDGID=67 # Default privsep gid
+# uncomment these next three as needed
+#PERMIT_ROOT_LOGIN=no
+#X11_FORWARDING=yes
+#USR_LOCAL_IS_SYMLINK=yes
+# list of system directories we do NOT want to change owner/group/perms
+# when installing our package
+SYSTEM_DIR="/etc \
+/etc/init.d \
+/etc/rcS.d \
+/etc/rc0.d \
+/etc/rc1.d \
+/etc/rc2.d \
+/etc/opt \
+/opt \
+/opt/bin \
+/usr \
+/usr/bin \
+/usr/lib \
+/usr/sbin \
+/usr/share \
+/usr/share/man \
+/usr/share/man/man1 \
+/usr/share/man/man8 \
+/usr/local \
+/usr/local/bin \
+/usr/local/etc \
+/usr/local/libexec \
+/usr/local/man \
+/usr/local/man/man1 \
+/usr/local/man/man8 \
+/usr/local/sbin \
+/usr/local/share \
+/var \
+/var/opt \
+/var/run \
+/var/tmp \
+/tmp"
+
+# We may need to build as root so we make sure PATH is set up
+# only set the path if it's not set already
+[ -d /usr/local/bin ] && {
+ echo $PATH | grep ":/usr/local/bin" > /dev/null 2>&1
+ [ $? -ne 0 ] && PATH=$PATH:/usr/local/bin
+}
+[ -d /usr/ccs/bin ] && {
+ echo $PATH | grep ":/usr/ccs/bin" > /dev/null 2>&1
+ [ $? -ne 0 ] && PATH=$PATH:/usr/ccs/bin
+}
+export PATH
+#
+
+[ -f Makefile ] || {
+ echo "Please run this script from your build directory"
+ exit 1
+}
+
+# we will look for config.local to override the above options
+[ -s ./config.local ] && . ./config.local
+
+## Start by faking root install
+echo "Faking root install..."
+START=`pwd`
+OPENSSHD_IN=`dirname $0`/opensshd.in
+FAKE_ROOT=$START/package
+[ -d $FAKE_ROOT ] && rm -fr $FAKE_ROOT
+mkdir $FAKE_ROOT
+${MAKE} install-nokeys DESTDIR=$FAKE_ROOT
+if [ $? -gt 0 ]
+then
+ echo "Fake root install failed, stopping."
+ exit 1
+fi
+
+## Fill in some details, like prefix and sysconfdir
+for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir sysconfdir piddir
+do
+ eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2`
+done
+
+
+## Collect value of privsep user
+for confvar in SSH_PRIVSEP_USER
+do
+ eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h`
+done
+
+## Set privsep defaults if not defined
+if [ -z "$SSH_PRIVSEP_USER" ]
+then
+ SSH_PRIVSEP_USER=sshd
+fi
+
+## Extract common info requires for the 'info' part of the package.
+VERSION=`./ssh -V 2>&1 | sed -e 's/,.*//'`
+
+UNAME_S=`uname -s`
+case ${UNAME_S} in
+ SunOS) UNAME_S=Solaris
+ ARCH=`uname -p`
+ RCS_D=yes
+ DEF_MSG="(default: n)"
+ ;;
+ *) ARCH=`uname -m`
+ DEF_MSG="\n" ;;
+esac
+
+## Setup our run level stuff while we are at it.
+mkdir -p $FAKE_ROOT${TEST_DIR}/etc/init.d
+
+## setup our initscript correctly
+sed -e "s#%%configDir%%#${sysconfdir}#g" \
+ -e "s#%%openSSHDir%%#$prefix#g" \
+ -e "s#%%pidDir%%#${piddir}#g" \
+ ${OPENSSHD_IN} > $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
+chmod 744 $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
+
+[ "${PERMIT_ROOT_LOGIN}" = no ] && \
+ perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
+ $FAKE_ROOT/${sysconfdir}/sshd_config
+[ "${X11_FORWARDING}" = yes ] && \
+ perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
+ $FAKE_ROOT/${sysconfdir}/sshd_config
+# fix PrintMotd
+perl -p -i -e "s/#PrintMotd yes/PrintMotd no/" \
+ $FAKE_ROOT/${sysconfdir}/sshd_config
+
+# We don't want to overwrite config files on multiple installs
+mv $FAKE_ROOT/${sysconfdir}/ssh_config $FAKE_ROOT/${sysconfdir}/ssh_config.default
+mv $FAKE_ROOT/${sysconfdir}/sshd_config $FAKE_ROOT/${sysconfdir}/sshd_config.default
+[ -f $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds ] && \
+mv $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds.default
+
+cd $FAKE_ROOT
+
+## Ok, this is outright wrong, but it will work. I'm tired of pkgmk
+## whining.
+for i in *; do
+ PROTO_ARGS="$PROTO_ARGS $i=/$i";
+done
+
+## Build info file
+echo "Building pkginfo file..."
+cat > pkginfo << _EOF
+PKG=$PKGNAME
+NAME="OpenSSH Portable for ${UNAME_S}"
+DESC="Secure Shell remote access utility; replaces telnet and rlogin/rsh."
+VENDOR="OpenSSH Portable Team - http://www.openssh.com/portable.html"
+ARCH=$ARCH
+VERSION=$VERSION
+CATEGORY="Security,application"
+BASEDIR=/
+CLASSES="none"
+_EOF
+
+## Build preinstall file
+echo "Building preinstall file..."
+cat > preinstall << _EOF
+#! /sbin/sh
+#
+[ "\${PRE_INS_STOP}" = "yes" ] && ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
+exit 0
+_EOF
+
+## Build postinstall file
+echo "Building postinstall file..."
+cat > postinstall << _EOF
+#! /sbin/sh
+#
+[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config ] || \\
+ cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config.default \\
+ \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config
+[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config ] || \\
+ cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config.default \\
+ \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config
+[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds.default ] && {
+ [ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds ] || \\
+ cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds.default \\
+ \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds
+}
+
+# make rc?.d dirs only if we are doing a test install
+[ -n "${TEST_DIR}" ] && {
+ [ "$RCS_D" = yes ] && mkdir -p ${TEST_DIR}/etc/rcS.d
+ mkdir -p ${TEST_DIR}/etc/rc0.d
+ mkdir -p ${TEST_DIR}/etc/rc1.d
+ mkdir -p ${TEST_DIR}/etc/rc2.d
+}
+
+if [ "\${USE_SYM_LINKS}" = yes ]
+then
+ [ "$RCS_D" = yes ] && \
+installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
+ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
+ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
+ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/S98${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
+else
+ [ "$RCS_D" = yes ] && \
+installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/S98${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+fi
+
+# If piddir doesn't exist we add it. (Ie. --with-pid-dir=/var/opt/ssh)
+[ -d $piddir ] || installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR$piddir d 755 root sys
+
+installf -f ${PKGNAME}
+
+# Use chroot to handle PKG_INSTALL_ROOT
+if [ ! -z "\${PKG_INSTALL_ROOT}" ]
+then
+ chroot="chroot \${PKG_INSTALL_ROOT}"
+fi
+# If this is a test build, we will skip the groupadd/useradd/passwd commands
+if [ ! -z "${TEST_DIR}" ]
+then
+ chroot=echo
+fi
+
+if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' \${PKG_INSTALL_ROOT}/$sysconfdir/sshd_config >/dev/null
+then
+ echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user"
+ echo "or group."
+else
+ echo "UsePrivilegeSeparation enabled in config (or defaulting to on)."
+
+ # create group if required
+ if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+ then
+ echo "PrivSep group $SSH_PRIVSEP_USER already exists."
+ else
+ # Use gid of 67 if possible
+ if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null
+ then
+ :
+ else
+ sshdgid="-g $SSHDGID"
+ fi
+ echo "Creating PrivSep group $SSH_PRIVSEP_USER."
+ \$chroot /usr/sbin/groupadd \$sshdgid $SSH_PRIVSEP_USER
+ fi
+
+ # Create user if required
+ if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+ then
+ echo "PrivSep user $SSH_PRIVSEP_USER already exists."
+ else
+ # Use uid of 67 if possible
+ if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null
+ then
+ :
+ else
+ sshduid="-u $SSHDUID"
+ fi
+ echo "Creating PrivSep user $SSH_PRIVSEP_USER."
+ \$chroot /usr/sbin/useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER
+ \$chroot /usr/bin/passwd -l $SSH_PRIVSEP_USER
+ fi
+fi
+
+[ "\${POST_INS_START}" = "yes" ] && ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start
+exit 0
+_EOF
+
+## Build preremove file
+echo "Building preremove file..."
+cat > preremove << _EOF
+#! /sbin/sh
+#
+${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
+exit 0
+_EOF
+
+## Build request file
+echo "Building request file..."
+cat > request << _EOF
+trap 'exit 3' 15
+USE_SYM_LINKS=no
+PRE_INS_STOP=no
+POST_INS_START=no
+# Use symbolic links?
+ans=\`ckyorn -d n \
+-p "Do you want symbolic links for the start/stop scripts? ${DEF_MSG}"\` || exit \$?
+case \$ans in
+ [y,Y]*) USE_SYM_LINKS=yes ;;
+esac
+
+# determine if should restart the daemon
+if [ -s ${piddir}/sshd.pid -a -f ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} ]
+then
+ ans=\`ckyorn -d n \
+-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
+ case \$ans in
+ [y,Y]*) PRE_INS_STOP=yes
+ POST_INS_START=yes
+ ;;
+ esac
+
+else
+
+# determine if we should start sshd
+ ans=\`ckyorn -d n \
+-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
+ case \$ans in
+ [y,Y]*) POST_INS_START=yes ;;
+ esac
+fi
+
+# make parameters available to installation service,
+# and so to any other packaging scripts
+cat >\$1 <<!
+USE_SYM_LINKS='\$USE_SYM_LINKS'
+PRE_INS_STOP='\$PRE_INS_STOP'
+POST_INS_START='\$POST_INS_START'
+!
+exit 0
+
+_EOF
+
+## Build space file
+echo "Building space file..."
+cat > space << _EOF
+# extra space required by start/stop links added by installf in postinstall
+$TEST_DIR/etc/rc0.d/K30${SYSVINIT_NAME} 0 1
+$TEST_DIR/etc/rc1.d/K30${SYSVINIT_NAME} 0 1
+$TEST_DIR/etc/rc2.d/S98${SYSVINIT_NAME} 0 1
+_EOF
+[ "$RCS_D" = yes ] && \
+echo "$TEST_DIR/etc/rcS.d/K30${SYSVINIT_NAME} 0 1" >> space
+
+## Next Build our prototype
+echo "Building prototype file..."
+cat >mk-proto.awk << _EOF
+ BEGIN { print "i pkginfo"; print "i preinstall"; \\
+ print "i postinstall"; print "i preremove"; \\
+ print "i request"; print "i space"; \\
+ split("$SYSTEM_DIR",sys_files); }
+ {
+ for (dir in sys_files) { if ( \$3 != sys_files[dir] )
+ { \$5="root"; \$6="sys"; }
+ else
+ { \$4="?"; \$5="?"; \$6="?"; break;}
+ } }
+ { print; }
+_EOF
+find . | egrep -v "prototype|pkginfo|mk-proto.awk" | sort | \
+ pkgproto $PROTO_ARGS | nawk -f mk-proto.awk > prototype
+
+# /usr/local is a symlink on some systems
+[ "${USR_LOCAL_IS_SYMLINK}" = yes ] && {
+ grep -v "^d none /usr/local ? ? ?$" prototype > prototype.new
+ mv prototype.new prototype
+}
+
+## Step back a directory and now build the package.
+echo "Building package.."
+cd ..
+pkgmk -d ${FAKE_ROOT} -f $FAKE_ROOT/prototype -o
+echo | pkgtrans -os ${FAKE_ROOT} ${START}/$PKGNAME-$UNAME_S-$ARCH-$VERSION.pkg
+rm -rf $FAKE_ROOT
+
diff --git a/crypto/openssh/contrib/solaris/opensshd.in b/crypto/openssh/contrib/solaris/opensshd.in
new file mode 100755
index 0000000..50e18de
--- /dev/null
+++ b/crypto/openssh/contrib/solaris/opensshd.in
@@ -0,0 +1,82 @@
+#!/sbin/sh
+# Donated code that was put under PD license.
+#
+# Stripped PRNGd out of it for the time being.
+
+umask 022
+
+CAT=/usr/bin/cat
+KILL=/usr/bin/kill
+
+prefix=%%openSSHDir%%
+etcdir=%%configDir%%
+piddir=%%pidDir%%
+
+SSHD=$prefix/sbin/sshd
+PIDFILE=$piddir/sshd.pid
+SSH_KEYGEN=$prefix/bin/ssh-keygen
+HOST_KEY_RSA1=$etcdir/ssh_host_key
+HOST_KEY_DSA=$etcdir/ssh_host_dsa_key
+HOST_KEY_RSA=$etcdir/ssh_host_rsa_key
+
+
+checkkeys() {
+ if [ ! -f $HOST_KEY_RSA1 ]; then
+ ${SSH_KEYGEN} -t rsa1 -f ${HOST_KEY_RSA1} -N ""
+ fi
+ if [ ! -f $HOST_KEY_DSA ]; then
+ ${SSH_KEYGEN} -t dsa -f ${HOST_KEY_DSA} -N ""
+ fi
+ if [ ! -f $HOST_KEY_RSA ]; then
+ ${SSH_KEYGEN} -t rsa -f ${HOST_KEY_RSA} -N ""
+ fi
+}
+
+stop_service() {
+ if [ -r $PIDFILE -a ! -z ${PIDFILE} ]; then
+ PID=`${CAT} ${PIDFILE}`
+ fi
+ if [ ${PID:=0} -gt 1 -a ! "X$PID" = "X " ]; then
+ ${KILL} ${PID}
+ else
+ echo "Unable to read PID file"
+ fi
+}
+
+start_service() {
+ # XXX We really should check if the service is already going, but
+ # XXX we will opt out at this time. - Bal
+
+ # Check to see if we have keys that need to be made
+ checkkeys
+
+ # Start SSHD
+ echo "starting $SSHD... \c" ; $SSHD
+
+ sshd_rc=$?
+ if [ $sshd_rc -ne 0 ]; then
+ echo "$0: Error ${sshd_rc} starting ${SSHD}... bailing."
+ exit $sshd_rc
+ fi
+ echo done.
+}
+
+case $1 in
+
+'start')
+ start_service
+ ;;
+
+'stop')
+ stop_service
+ ;;
+
+'restart')
+ stop_service
+ start_service
+ ;;
+
+*)
+ echo "$0: usage: $0 {start|stop|restart}"
+ ;;
+esac
diff --git a/crypto/openssh/contrib/ssh-copy-id b/crypto/openssh/contrib/ssh-copy-id
new file mode 100644
index 0000000..a1c0a92
--- /dev/null
+++ b/crypto/openssh/contrib/ssh-copy-id
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# Shell script to install your identity.pub on a remote machine
+# Takes the remote machine name as an argument.
+# Obviously, the remote machine must accept password authentication,
+# or one of the other keys in your ssh-agent, for this to work.
+
+ID_FILE="${HOME}/.ssh/identity.pub"
+
+if [ "-i" = "$1" ]; then
+ shift
+ # check if we have 2 parameters left, if so the first is the new ID file
+ if [ -n "$2" ]; then
+ if expr "$1" : ".*\.pub" ; then
+ ID_FILE="$1"
+ else
+ ID_FILE="$1.pub"
+ fi
+ shift # and this should leave $1 as the target name
+ fi
+else
+ if [ x$SSH_AUTH_SOCK != x ] ; then
+ GET_ID="$GET_ID ssh-add -L"
+ fi
+fi
+
+if [ -z "`eval $GET_ID`" -a -r "${ID_FILE}" ] ; then
+ GET_ID="cat ${ID_FILE}"
+fi
+
+if [ -z "`eval $GET_ID`" ]; then
+ echo "$0: ERROR: No identities found" >&2
+ exit 1
+fi
+
+if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+ echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2
+ exit 1
+fi
+
+{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1
+
+cat <<EOF
+Now try logging into the machine, with "ssh '$1'", and check in:
+
+ .ssh/authorized_keys
+
+to make sure we haven't added extra keys that you weren't expecting.
+
+EOF
diff --git a/crypto/openssh/contrib/ssh-copy-id.1 b/crypto/openssh/contrib/ssh-copy-id.1
new file mode 100644
index 0000000..b331fa1
--- /dev/null
+++ b/crypto/openssh/contrib/ssh-copy-id.1
@@ -0,0 +1,67 @@
+.ig \" -*- nroff -*-
+Copyright (c) 1999 Philip Hands Computing <http://www.hands.com/>
+
+Permission is granted to make and distribute verbatim copies of
+this manual provided the copyright notice and this permission notice
+are preserved on all copies.
+
+Permission is granted to copy and distribute modified versions of this
+manual under the conditions for verbatim copying, provided that the
+entire resulting derived work is distributed under the terms of a
+permission notice identical to this one.
+
+Permission is granted to copy and distribute translations of this
+manual into another language, under the above conditions for modified
+versions, except that this permission notice may be included in
+translations approved by the Free Software Foundation instead of in
+the original English.
+..
+.TH SSH-COPY-ID 1 "14 November 1999" "OpenSSH"
+.SH NAME
+ssh-copy-id \- install your identity.pub in a remote machine's authorized_keys
+.SH SYNOPSIS
+.B ssh-copy-id [-i [identity_file]]
+.I "[user@]machine"
+.br
+.SH DESCRIPTION
+.BR ssh-copy-id
+is a script that uses ssh to log into a remote machine (presumably
+using a login password, so password authentication should be enabled,
+unless you've done some clever use of multiple identities)
+.PP
+It also changes the permissions of the remote user's home,
+.BR ~/.ssh ,
+and
+.B ~/.ssh/authorized_keys
+to remove group writability (which would otherwise prevent you from logging in, if the remote
+.B sshd
+has
+.B StrictModes
+set in its configuration).
+.PP
+If the
+.B -i
+option is given then the identity file (defaults to
+.BR ~/.ssh/identity.pub )
+is used, regardless of whether there are any keys in your
+.BR ssh-agent .
+Otherwise, if this:
+.PP
+.B " ssh-add -L"
+.PP
+provides any output, it uses that in preference to the identity file.
+.PP
+If the
+.B -i
+option is used, or the
+.B ssh-add
+produced no output, then it uses the contents of the identity
+file. Once it has one or more fingerprints (by whatever means) it
+uses ssh to append them to
+.B ~/.ssh/authorized_keys
+on the remote machine (creating the file, and directory, if necessary)
+
+.SH "SEE ALSO"
+.BR ssh (1),
+.BR ssh-agent (1),
+.BR sshd (8)
diff --git a/crypto/openssh/contrib/sshd.pam.freebsd b/crypto/openssh/contrib/sshd.pam.freebsd
new file mode 100644
index 0000000..c0bc364
--- /dev/null
+++ b/crypto/openssh/contrib/sshd.pam.freebsd
@@ -0,0 +1,5 @@
+sshd auth required pam_unix.so try_first_pass
+sshd account required pam_unix.so
+sshd password required pam_permit.so
+sshd session required pam_permit.so
+
diff --git a/crypto/openssh/contrib/sshd.pam.generic b/crypto/openssh/contrib/sshd.pam.generic
new file mode 100644
index 0000000..cf5af30
--- /dev/null
+++ b/crypto/openssh/contrib/sshd.pam.generic
@@ -0,0 +1,8 @@
+#%PAM-1.0
+auth required /lib/security/pam_unix.so shadow nodelay
+auth required /lib/security/pam_nologin.so
+account required /lib/security/pam_unix.so
+password required /lib/security/pam_cracklib.so
+password required /lib/security/pam_unix.so shadow nullok use_authtok
+session required /lib/security/pam_unix.so
+session required /lib/security/pam_limits.so
diff --git a/crypto/openssh/contrib/suse/openssh.spec b/crypto/openssh/contrib/suse/openssh.spec
new file mode 100644
index 0000000..2b43d03
--- /dev/null
+++ b/crypto/openssh/contrib/suse/openssh.spec
@@ -0,0 +1,199 @@
+Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
+Name: openssh
+Version: 3.8.1p1
+URL: http://www.openssh.com/
+Release: 1
+Source0: openssh-%{version}.tar.gz
+Copyright: BSD
+Group: Applications/Internet
+BuildRoot: /tmp/openssh-%{version}-buildroot
+PreReq: openssl
+Obsoletes: ssh
+#
+# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.)
+# building prerequisites -- stuff for
+# OpenSSL (openssl-devel),
+# TCP Wrappers (nkitb),
+# and Gnome (glibdev, gtkdev, and gnlibsd)
+#
+BuildPrereq: openssl
+BuildPrereq: nkitb
+BuildPrereq: glibdev
+BuildPrereq: gtkdev
+BuildPrereq: gnlibsd
+
+%description
+Ssh (Secure Shell) a program for logging into a remote machine and for
+executing commands in a remote machine. It is intended to replace
+rlogin and rsh, and provide secure encrypted communications between
+two untrusted hosts over an insecure network. X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
+up to date in terms of security and features, as well as removing all
+patented algorithms to seperate libraries (OpenSSL).
+
+This package includes all files necessary for both the OpenSSH
+client and server. Additionally, this package contains the GNOME
+passphrase dialog.
+
+%changelog
+* Mon Jun 12 2000 Damien Miller <djm@mindrot.org>
+- Glob manpages to catch compressed files
+* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
+- Updated for new location
+- Updated for new gnome-ssh-askpass build
+* Sun Dec 26 1999 Chris Saia <csaia@wtower.com>
+- Made symlink to gnome-ssh-askpass called ssh-askpass
+* Wed Nov 24 1999 Chris Saia <csaia@wtower.com>
+- Removed patches that included /etc/pam.d/sshd, /sbin/init.d/rc.sshd, and
+ /var/adm/fillup-templates/rc.config.sshd, since Damien merged these into
+ his released tarfile
+- Changed permissions on ssh_config in the install procedure to 644 from 600
+ even though it was correct in the %files section and thus right in the RPMs
+- Postinstall script for the server now only prints "Generating SSH host
+ key..." if we need to actually do this, in order to eliminate a confusing
+ message if an SSH host key is already in place
+- Marked all manual pages as %doc(umentation)
+* Mon Nov 22 1999 Chris Saia <csaia@wtower.com>
+- Added flag to configure daemon with TCP Wrappers support
+- Added building prerequisites (works in RPM 3.0 and newer)
+* Thu Nov 18 1999 Chris Saia <csaia@wtower.com>
+- Made this package correct for SuSE.
+- Changed instances of pam_pwdb.so to pam_unix.so, since it works more properly
+ with SuSE, and lib_pwdb.so isn't installed by default.
+* Mon Nov 15 1999 Damien Miller <djm@mindrot.org>
+- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com>
+* Sat Nov 13 1999 Damien Miller <djm@mindrot.org>
+- Added 'Obsoletes' directives
+* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au>
+- Use make install
+- Subpackages
+* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au>
+- Added links for slogin
+- Fixed perms on manpages
+* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au>
+- Renamed init script
+* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au>
+- Back to old binary names
+* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au>
+- Use autoconf
+- New binary names
+* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au>
+- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec.
+
+%prep
+
+%setup -q
+
+%build
+CFLAGS="$RPM_OPT_FLAGS" \
+./configure --prefix=/usr \
+ --sysconfdir=/etc/ssh \
+ --datadir=/usr/share/openssh \
+ --with-pam \
+ --with-gnome-askpass \
+ --with-tcp-wrappers \
+ --with-ipv4-default \
+ --libexecdir=/usr/lib/ssh
+make
+
+cd contrib
+gcc -O -g `gnome-config --cflags gnome gnomeui` \
+ gnome-ssh-askpass.c -o gnome-ssh-askpass \
+ `gnome-config --libs gnome gnomeui`
+cd ..
+
+%install
+rm -rf $RPM_BUILD_ROOT
+make install DESTDIR=$RPM_BUILD_ROOT/
+install -d $RPM_BUILD_ROOT/etc/ssh/
+install -d $RPM_BUILD_ROOT/etc/pam.d/
+install -d $RPM_BUILD_ROOT/sbin/init.d/
+install -d $RPM_BUILD_ROOT/var/adm/fillup-templates
+install -d $RPM_BUILD_ROOT/usr/lib/ssh
+install -m644 contrib/sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd
+install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/sbin/init.d/sshd
+ln -s ../../sbin/init.d/sshd $RPM_BUILD_ROOT/usr/sbin/rcsshd
+install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT/usr/lib/ssh/gnome-ssh-askpass
+ln -s gnome-ssh-askpass $RPM_BUILD_ROOT/usr/lib/ssh/ssh-askpass
+install -m744 contrib/suse/rc.config.sshd \
+ $RPM_BUILD_ROOT/var/adm/fillup-templates
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+if [ "$1" = 1 ]; then
+ echo "Creating SSH stop/start scripts in the rc directories..."
+ ln -s ../sshd /sbin/init.d/rc2.d/K20sshd
+ ln -s ../sshd /sbin/init.d/rc2.d/S20sshd
+ ln -s ../sshd /sbin/init.d/rc3.d/K20sshd
+ ln -s ../sshd /sbin/init.d/rc3.d/S20sshd
+fi
+echo "Updating /etc/rc.config..."
+if [ -x /bin/fillup ] ; then
+ /bin/fillup -q -d = etc/rc.config var/adm/fillup-templates/rc.config.sshd
+else
+ echo "ERROR: fillup not found. This should NOT happen in SuSE Linux."
+ echo "Update /etc/rc.config by hand from the following template file:"
+ echo " /var/adm/fillup-templates/rc.config.sshd"
+fi
+if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then
+ echo "Generating SSH host key..."
+ /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2
+fi
+if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then
+ echo "Generating SSH DSA host key..."
+ /usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N '' >&2
+fi
+if test -r /var/run/sshd.pid
+then
+ echo "Restarting the running SSH daemon..."
+ /usr/sbin/rcsshd restart >&2
+fi
+
+%preun
+if [ "$1" = 0 ]
+then
+ echo "Stopping the SSH daemon..."
+ /usr/sbin/rcsshd stop >&2
+ echo "Removing SSH stop/start scripts from the rc directories..."
+ rm /sbin/init.d/rc2.d/K20sshd
+ rm /sbin/init.d/rc2.d/S20sshd
+ rm /sbin/init.d/rc3.d/K20sshd
+ rm /sbin/init.d/rc3.d/S20sshd
+fi
+
+%files
+%defattr(-,root,root)
+%doc ChangeLog OVERVIEW README*
+%doc RFC.nroff TODO CREDITS LICENCE
+%attr(0755,root,root) %dir /etc/ssh
+%attr(0644,root,root) %config /etc/ssh/ssh_config
+%attr(0600,root,root) %config /etc/ssh/sshd_config
+%attr(0600,root,root) %config /etc/ssh/moduli
+%attr(0644,root,root) %config /etc/pam.d/sshd
+%attr(0755,root,root) %config /sbin/init.d/sshd
+%attr(0755,root,root) /usr/bin/ssh-keygen
+%attr(0755,root,root) /usr/bin/scp
+%attr(4755,root,root) /usr/bin/ssh
+%attr(-,root,root) /usr/bin/slogin
+%attr(0755,root,root) /usr/bin/ssh-agent
+%attr(0755,root,root) /usr/bin/ssh-add
+%attr(0755,root,root) /usr/bin/ssh-keyscan
+%attr(0755,root,root) /usr/bin/sftp
+%attr(0755,root,root) /usr/sbin/sshd
+%attr(-,root,root) /usr/sbin/rcsshd
+%attr(0755,root,root) %dir /usr/lib/ssh
+%attr(0755,root,root) /usr/lib/ssh/ssh-askpass
+%attr(0755,root,root) /usr/lib/ssh/gnome-ssh-askpass
+%attr(0644,root,root) %doc /usr/man/man1/scp.1*
+%attr(0644,root,root) %doc /usr/man/man1/ssh.1*
+%attr(-,root,root) %doc /usr/man/man1/slogin.1*
+%attr(0644,root,root) %doc /usr/man/man1/ssh-agent.1*
+%attr(0644,root,root) %doc /usr/man/man1/ssh-add.1*
+%attr(0644,root,root) %doc /usr/man/man1/ssh-keygen.1*
+%attr(0644,root,root) %doc /usr/man/man8/sshd.8*
+%attr(0644,root,root) /var/adm/fillup-templates/rc.config.sshd
+
diff --git a/crypto/openssh/contrib/suse/rc.config.sshd b/crypto/openssh/contrib/suse/rc.config.sshd
new file mode 100644
index 0000000..baaa7a5
--- /dev/null
+++ b/crypto/openssh/contrib/suse/rc.config.sshd
@@ -0,0 +1,5 @@
+#
+# Start the Secure Shell (SSH) Daemon?
+#
+START_SSHD="yes"
+
diff --git a/crypto/openssh/contrib/suse/rc.sshd b/crypto/openssh/contrib/suse/rc.sshd
new file mode 100644
index 0000000..f7d431e
--- /dev/null
+++ b/crypto/openssh/contrib/suse/rc.sshd
@@ -0,0 +1,80 @@
+#! /bin/sh
+# Copyright (c) 1995-1998 SuSE GmbH Nuernberg, Germany.
+#
+# Author: Chris Saia <csaia@wtower.com>
+#
+# /sbin/init.d/sshd
+#
+# and symbolic its link
+#
+# /sbin/rcsshd
+#
+
+. /etc/rc.config
+
+# Determine the base and follow a runlevel link name.
+base=${0##*/}
+link=${base#*[SK][0-9][0-9]}
+
+# Force execution if not called by a runlevel directory.
+test $link = $base && START_SSHD=yes
+test "$START_SSHD" = yes || exit 0
+
+# The echo return value for success (defined in /etc/rc.config).
+return=$rc_done
+case "$1" in
+ start)
+ echo -n "Starting service sshd"
+ ## Start daemon with startproc(8). If this fails
+ ## the echo return value is set appropriate.
+
+ startproc /usr/sbin/sshd || return=$rc_failed
+
+ echo -e "$return"
+ ;;
+ stop)
+ echo -n "Stopping service sshd"
+ ## Stop daemon with killproc(8) and if this fails
+ ## set echo the echo return value.
+
+ killproc -TERM /usr/sbin/sshd || return=$rc_failed
+
+ echo -e "$return"
+ ;;
+ restart)
+ ## If first returns OK call the second, if first or
+ ## second command fails, set echo return value.
+ $0 stop && $0 start || return=$rc_failed
+ ;;
+ reload)
+ ## Choose ONE of the following two cases:
+
+ ## First possibility: A few services accepts a signal
+ ## to reread the (changed) configuration.
+
+ echo -n "Reload service sshd"
+ killproc -HUP /usr/sbin/sshd || return=$rc_failed
+ echo -e "$return"
+ ;;
+ status)
+ echo -n "Checking for service sshd"
+ ## Check status with checkproc(8), if process is running
+ ## checkproc will return with exit status 0.
+
+ checkproc /usr/sbin/sshd && echo OK || echo No process
+ ;;
+ probe)
+ ## Optional: Probe for the necessity of a reload,
+ ## give out the argument which is required for a reload.
+
+ test /etc/ssh/sshd_config -nt /var/run/sshd.pid && echo reload
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|restart|reload[|probe]}"
+ exit 1
+ ;;
+esac
+
+# Inform the caller not only verbosely and set an exit status.
+test "$return" = "$rc_done" || exit 1
+exit 0
diff --git a/crypto/openssh/defines.h b/crypto/openssh/defines.h
index 5e1cac7..9b72afe 100644
--- a/crypto/openssh/defines.h
+++ b/crypto/openssh/defines.h
@@ -25,7 +25,7 @@
#ifndef _DEFINES_H
#define _DEFINES_H
-/* $Id: defines.h,v 1.110 2004/02/10 02:01:14 dtucker Exp $ */
+/* $Id: defines.h,v 1.115 2004/04/14 07:24:30 dtucker Exp $ */
/* Constants */
@@ -507,6 +507,10 @@ struct winsize {
# undef HAVE_GAI_STRERROR
#endif
+#if defined(BROKEN_UPDWTMPX) && defined(HAVE_UPDWTMPX)
+# undef HAVE_UPDWTMPX
+#endif
+
#if !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY)
# define memmove(s1, s2, n) bcopy((s2), (s1), (n))
#endif /* !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) */
@@ -534,6 +538,12 @@ struct winsize {
# define krb5_get_err_text(context,code) error_message(code)
#endif
+#if defined(SKEYCHALLENGE_4ARG)
+# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c,d)
+#else
+# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c)
+#endif
+
/* Maximum number of file descriptors available */
#ifdef HAVE_SYSCONF
# define SSH_SYSFDMAX sysconf(_SC_OPEN_MAX)
@@ -611,11 +621,22 @@ struct winsize {
#endif
+#ifndef UT_LINESIZE
+# define UT_LINESIZE 8
+#endif
+
/* I hope that the presence of LASTLOG_FILE is enough to detect this */
#if defined(LASTLOG_FILE) && !defined(DISABLE_LASTLOG)
# define USE_LASTLOG
#endif
+#ifdef HAVE_OSF_SIA
+# ifdef USE_SHADOW
+# undef USE_SHADOW
+# endif
+# define CUSTOM_SYS_AUTH_PASSWD 1
+#endif
+
/** end of login recorder definitions */
#endif /* _DEFINES_H */
diff --git a/crypto/openssh/dh.c b/crypto/openssh/dh.c
index c7a3e18..afd1e05 100644
--- a/crypto/openssh/dh.c
+++ b/crypto/openssh/dh.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: dh.c,v 1.26 2003/12/16 15:51:54 markus Exp $");
+RCSID("$OpenBSD: dh.c,v 1.29 2004/02/27 22:49:27 dtucker Exp $");
#include "xmalloc.h"
@@ -91,6 +91,9 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg)
if (BN_num_bits(dhg->p) != dhg->size)
goto failclean;
+ if (BN_is_zero(dhg->g) || BN_is_one(dhg->g))
+ goto failclean;
+
return (1);
failclean:
@@ -105,7 +108,7 @@ DH *
choose_dh(int min, int wantbits, int max)
{
FILE *f;
- char line[2048];
+ char line[4096];
int best, bestcount, which;
int linenum;
struct dhgroup dhg;
@@ -194,7 +197,7 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
void
dh_gen_key(DH *dh, int need)
{
- int i, bits_set = 0, tries = 0;
+ int i, bits_set, tries = 0;
if (dh->p == NULL)
fatal("dh_gen_key: dh->p == NULL");
@@ -211,7 +214,7 @@ dh_gen_key(DH *dh, int need)
fatal("dh_gen_key: BN_rand failed");
if (DH_generate_key(dh) == 0)
fatal("DH_generate_key");
- for (i = 0; i <= BN_num_bits(dh->priv_key); i++)
+ for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++)
if (BN_is_bit_set(dh->priv_key, i))
bits_set++;
debug2("dh_gen_key: priv key bits set: %d/%d",
diff --git a/crypto/openssh/gss-serv-krb5.c b/crypto/openssh/gss-serv-krb5.c
index 8ba3e71..4e3598e 100644
--- a/crypto/openssh/gss-serv-krb5.c
+++ b/crypto/openssh/gss-serv-krb5.c
@@ -65,7 +65,9 @@ ssh_gssapi_krb5_init()
logit("Cannot initialize krb5 context");
return 0;
}
+#ifdef KRB5_INIT_ETS
krb5_init_ets(krb_context);
+#endif
return 1;
}
diff --git a/crypto/openssh/openbsd-compat/.cvsignore b/crypto/openssh/openbsd-compat/.cvsignore
new file mode 100644
index 0000000..f3c7a7c
--- /dev/null
+++ b/crypto/openssh/openbsd-compat/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/crypto/openssh/openbsd-compat/bsd-cygwin_util.c b/crypto/openssh/openbsd-compat/bsd-cygwin_util.c
index a87cf3c..92cdba6 100644
--- a/crypto/openssh/openbsd-compat/bsd-cygwin_util.c
+++ b/crypto/openssh/openbsd-compat/bsd-cygwin_util.c
@@ -29,7 +29,7 @@
#include "includes.h"
-RCSID("$Id: bsd-cygwin_util.c,v 1.11 2003/08/07 06:23:43 dtucker Exp $");
+RCSID("$Id: bsd-cygwin_util.c,v 1.12 2004/04/18 11:15:45 djm Exp $");
#ifdef HAVE_CYGWIN
@@ -77,6 +77,7 @@ binary_pipe(int fd[2])
#define HAS_CREATE_TOKEN 1
#define HAS_NTSEC_BY_DEFAULT 2
+#define HAS_CREATE_TOKEN_WO_NTSEC 3
static int
has_capability(int what)
@@ -84,6 +85,7 @@ has_capability(int what)
static int inited;
static int has_create_token;
static int has_ntsec_by_default;
+ static int has_create_token_wo_ntsec;
/*
* has_capability() basically calls uname() and checks if
@@ -113,6 +115,9 @@ has_capability(int what)
has_create_token = 1;
if (api_major_version > 0 || api_minor_version >= 56)
has_ntsec_by_default = 1;
+ if (major_high > 1 ||
+ (major_high == 1 && major_low >= 5))
+ has_create_token_wo_ntsec = 1;
inited = 1;
}
}
@@ -121,6 +126,8 @@ has_capability(int what)
return (has_create_token);
case HAS_NTSEC_BY_DEFAULT:
return (has_ntsec_by_default);
+ case HAS_CREATE_TOKEN_WO_NTSEC:
+ return (has_create_token_wo_ntsec);
}
return (0);
}
@@ -151,7 +158,8 @@ check_nt_auth(int pwd_authenticated, struct passwd *pw)
if (has_capability(HAS_CREATE_TOKEN) &&
(ntsec_on(cygwin) ||
(has_capability(HAS_NTSEC_BY_DEFAULT) &&
- !ntsec_off(cygwin))))
+ !ntsec_off(cygwin)) ||
+ has_capability(HAS_CREATE_TOKEN_WO_NTSEC)))
has_create_token = 1;
}
if (has_create_token < 1 &&
diff --git a/crypto/openssh/openbsd-compat/bsd-misc.h b/crypto/openssh/openbsd-compat/bsd-misc.h
index c807394..009739b 100644
--- a/crypto/openssh/openbsd-compat/bsd-misc.h
+++ b/crypto/openssh/openbsd-compat/bsd-misc.h
@@ -1,4 +1,4 @@
-/* $Id: bsd-misc.h,v 1.14 2004/02/17 05:49:55 djm Exp $ */
+/* $Id: bsd-misc.h,v 1.15 2004/03/08 11:59:03 dtucker Exp $ */
/*
* Copyright (c) 1999-2004 Damien Miller <djm@mindrot.org>
@@ -89,6 +89,10 @@ pid_t tcgetpgrp(int);
int tcsendbreak(int, int);
#endif
+#ifndef HAVE_UNSETENV
+void unsetenv(const char *);
+#endif
+
/* wrapper for signal interface */
typedef void (*mysig_t)(int);
mysig_t mysignal(int sig, mysig_t act);
diff --git a/crypto/openssh/openbsd-compat/setenv.c b/crypto/openssh/openbsd-compat/setenv.c
index b7ba0ce..c3a86c6 100644
--- a/crypto/openssh/openbsd-compat/setenv.c
+++ b/crypto/openssh/openbsd-compat/setenv.c
@@ -30,7 +30,7 @@
*/
#include "includes.h"
-#ifndef HAVE_SETENV
+#if !defined(HAVE_SETENV) || !defined(HAVE_UNSETENV)
#if defined(LIBC_SCCS) && !defined(lint)
static char *rcsid = "$OpenBSD: setenv.c,v 1.6 2003/06/02 20:18:38 millert Exp $";
@@ -77,6 +77,7 @@ __findenv(name, offset)
return (NULL);
}
+#ifndef HAVE_SETENV
/*
* setenv --
* Set the value of the environmental variable "name" to be
@@ -138,7 +139,9 @@ setenv(name, value, rewrite)
;
return (0);
}
+#endif /* HAVE_SETENV */
+#ifndef HAVE_UNSETENV
/*
* unsetenv(name) --
* Delete environmental variable "name".
@@ -157,5 +160,6 @@ unsetenv(name)
if (!(*P = *(P + 1)))
break;
}
+#endif /* HAVE_UNSETENV */
-#endif /* HAVE_SETENV */
+#endif /* !defined(HAVE_SETENV) || !defined(HAVE_UNSETENV) */
diff --git a/crypto/openssh/openbsd-compat/xcrypt.c b/crypto/openssh/openbsd-compat/xcrypt.c
index a0fe6c6..c3cea3c 100644
--- a/crypto/openssh/openbsd-compat/xcrypt.c
+++ b/crypto/openssh/openbsd-compat/xcrypt.c
@@ -24,8 +24,6 @@
#include "includes.h"
-#if !defined(HAVE_OSF_SIA)
-
# ifdef HAVE_CRYPT_H
# include <crypt.h>
# endif
@@ -108,5 +106,3 @@ shadow_pw(struct passwd *pw)
return pw_password;
}
-
-#endif /* !defined(HAVE_OSF_SIA) */
diff --git a/crypto/openssh/regress/Makefile b/crypto/openssh/regress/Makefile
index 76e28d3..cf65b36 100644
--- a/crypto/openssh/regress/Makefile
+++ b/crypto/openssh/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.26 2003/10/11 11:49:49 dtucker Exp $
+# $OpenBSD: Makefile,v 1.27 2004/02/17 08:23:20 dtucker Exp $
REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec
tests: $(REGRESS_TARGETS)
@@ -21,6 +21,7 @@ LTESTS= connect \
broken-pipe \
try-ciphers \
yes-head \
+ login-timeout \
agent \
agent-getpeereid \
agent-timeout \
diff --git a/crypto/openssh/regress/README.regress b/crypto/openssh/regress/README.regress
index b479c6c..6ff032b 100644
--- a/crypto/openssh/regress/README.regress
+++ b/crypto/openssh/regress/README.regress
@@ -90,5 +90,8 @@ Known Issues.
fail (because it's not a tcp socket) and will be identified as
"unknown", which is then checked against tcpwrappers.
+- If your build requires ssh-rand-helper regress tests will fail
+ unless ssh-rand-helper is in pre-installed (the path to
+ ssh-rand-helper is hard coded).
-$Id: README.regress,v 1.3 2004/01/28 01:26:14 dtucker Exp $
+$Id: README.regress,v 1.4 2004/03/08 20:12:18 tim Exp $
diff --git a/crypto/openssh/regress/dynamic-forward.sh b/crypto/openssh/regress/dynamic-forward.sh
index 2b0b825..3a6e5c1 100644
--- a/crypto/openssh/regress/dynamic-forward.sh
+++ b/crypto/openssh/regress/dynamic-forward.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: dynamic-forward.sh,v 1.2 2003/07/03 08:21:46 markus Exp $
+# $OpenBSD: dynamic-forward.sh,v 1.3 2004/02/28 12:16:57 dtucker Exp $
# Placed in the Public Domain.
tid="dynamic forwarding"
@@ -7,7 +7,7 @@ PORT=4242
FWDPORT=4243
DATA=/bin/ls${EXEEXT}
-if have_prog nc && nc -h 2>&1 | grep "x proxy address" >/dev/null; then
+if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then
proxycmd="nc -x 127.0.0.1:$FWDPORT -X"
elif have_prog connect; then
proxycmd="connect -S 127.0.0.1:$FWDPORT -"
diff --git a/crypto/openssh/regress/login-timeout.sh b/crypto/openssh/regress/login-timeout.sh
new file mode 100644
index 0000000..dfc6e6b
--- /dev/null
+++ b/crypto/openssh/regress/login-timeout.sh
@@ -0,0 +1,29 @@
+# $OpenBSD: login-timeout.sh,v 1.1 2004/02/17 08:23:20 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="connect after login grace timeout"
+
+trace "test login grace with privsep"
+echo "LoginGraceTime 10s" >> $OBJ/sshd_config
+echo "MaxStartups 1" >> $OBJ/sshd_config
+start_sshd
+
+(echo SSH-2.0-fake; sleep 60) | telnet localhost ${PORT} >/dev/null 2>&1 &
+sleep 15
+${SSH} -F $OBJ/ssh_config somehost true
+if [ $? -ne 0 ]; then
+ fail "ssh connect after login grace timeout failed with privsep"
+fi
+
+kill `cat $PIDFILE`
+
+trace "test login grace without privsep"
+echo "UsePrivilegeSeparation no" >> $OBJ/sshd_config
+start_sshd
+
+(echo SSH-2.0-fake; sleep 60) | telnet localhost ${PORT} >/dev/null 2>&1 &
+sleep 15
+${SSH} -F $OBJ/ssh_config somehost true
+if [ $? -ne 0 ]; then
+ fail "ssh connect after login grace timeout failed without privsep"
+fi
diff --git a/crypto/openssh/regress/sftp-cmds.sh b/crypto/openssh/regress/sftp-cmds.sh
index 3669b19..31b21d1 100644
--- a/crypto/openssh/regress/sftp-cmds.sh
+++ b/crypto/openssh/regress/sftp-cmds.sh
@@ -85,6 +85,7 @@ echo "get \"$DATA\" $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
|| fail "get failed"
cmp $DATA ${COPY} || fail "corrupted copy after get"
+if [ "$os" != "cygwin" ]; then
rm -f ${QUOTECOPY}
cp $DATA ${QUOTECOPY}
verbose "$tid: get filename with quotes"
@@ -92,6 +93,7 @@ echo "get \"$QUOTECOPY_ARG\" ${COPY}" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1
|| fail "put failed"
cmp ${COPY} ${QUOTECOPY} || fail "corrupted copy after get with quotes"
rm -f ${QUOTECOPY} ${COPY}
+fi
rm -f ${COPY}.dd/*
verbose "$tid: get to directory"
diff --git a/crypto/openssh/regress/ssh-com-client.sh b/crypto/openssh/regress/ssh-com-client.sh
index fc95322..324a0a7 100644
--- a/crypto/openssh/regress/ssh-com-client.sh
+++ b/crypto/openssh/regress/ssh-com-client.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: ssh-com-client.sh,v 1.5 2003/05/14 22:08:27 markus Exp $
+# $OpenBSD: ssh-com-client.sh,v 1.6 2004/02/24 17:06:52 markus Exp $
# Placed in the Public Domain.
tid="connect with ssh.com client"
@@ -19,6 +19,9 @@ VERSIONS="
3.2.0
3.2.2
3.2.3
+ 3.2.5
+ 3.2.9
+ 3.2.9.1
3.3.0"
# 2.0.10 2.0.12 2.0.13 don't like the test setup
diff --git a/crypto/openssh/regress/ssh-com-keygen.sh b/crypto/openssh/regress/ssh-com-keygen.sh
index dbe9b0a..29b02d9 100644
--- a/crypto/openssh/regress/ssh-com-keygen.sh
+++ b/crypto/openssh/regress/ssh-com-keygen.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: ssh-com-keygen.sh,v 1.3 2003/05/14 22:08:27 markus Exp $
+# $OpenBSD: ssh-com-keygen.sh,v 1.4 2004/02/24 17:06:52 markus Exp $
# Placed in the Public Domain.
tid="ssh.com key import"
@@ -22,6 +22,9 @@ VERSIONS="
3.2.0
3.2.2
3.2.3
+ 3.2.5
+ 3.2.9
+ 3.2.9.1
3.3.0"
COMPRV=${OBJ}/comkey
diff --git a/crypto/openssh/regress/ssh-com-sftp.sh b/crypto/openssh/regress/ssh-com-sftp.sh
index 6ca7dad..936b4cc 100644
--- a/crypto/openssh/regress/ssh-com-sftp.sh
+++ b/crypto/openssh/regress/ssh-com-sftp.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: ssh-com-sftp.sh,v 1.4 2003/05/14 22:08:27 markus Exp $
+# $OpenBSD: ssh-com-sftp.sh,v 1.5 2004/02/24 17:06:52 markus Exp $
# Placed in the Public Domain.
tid="basic sftp put/get with ssh.com server"
@@ -35,6 +35,9 @@ VERSIONS="
3.2.0
3.2.2
3.2.3
+ 3.2.5
+ 3.2.9
+ 3.2.9.1
3.3.0"
# go for it
diff --git a/crypto/openssh/regress/ssh-com.sh b/crypto/openssh/regress/ssh-com.sh
index c3715a2..7bcd85b 100644
--- a/crypto/openssh/regress/ssh-com.sh
+++ b/crypto/openssh/regress/ssh-com.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: ssh-com.sh,v 1.6 2003/11/07 10:16:44 jmc Exp $
+# $OpenBSD: ssh-com.sh,v 1.7 2004/02/24 17:06:52 markus Exp $
# Placed in the Public Domain.
tid="connect to ssh.com server"
@@ -20,6 +20,9 @@ VERSIONS="
3.2.0
3.2.2
3.2.3
+ 3.2.5
+ 3.2.9
+ 3.2.9.1
3.3.0"
# 2.0.10 does not support UserConfigDirectory
# 2.3.1 requires a config in $HOME/.ssh2
diff --git a/crypto/openssh/regress/test-exec.sh b/crypto/openssh/regress/test-exec.sh
index 98851dc..986d992 100644
--- a/crypto/openssh/regress/test-exec.sh
+++ b/crypto/openssh/regress/test-exec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: test-exec.sh,v 1.14 2002/04/15 15:19:48 markus Exp $
+# $OpenBSD: test-exec.sh,v 1.15 2004/02/24 16:56:30 markus Exp $
# Placed in the Public Domain.
PORT=4242
@@ -49,28 +49,28 @@ SFTP=sftp
SFTPSERVER=/usr/libexec/openssh/sftp-server
if [ "x$TEST_SSH_SSH" != "x" ]; then
- SSH=${TEST_SSH_SSH}
+ SSH="${TEST_SSH_SSH}"
fi
if [ "x$TEST_SSH_SSHD" != "x" ]; then
- SSHD=${TEST_SSH_SSHD}
+ SSHD="${TEST_SSH_SSHD}"
fi
if [ "x$TEST_SSH_SSHAGENT" != "x" ]; then
- SSHAGENT=${TEST_SSH_SSHAGENT}
+ SSHAGENT="${TEST_SSH_SSHAGENT}"
fi
if [ "x$TEST_SSH_SSHADD" != "x" ]; then
- SSHADD=${TEST_SSH_SSHADD}
+ SSHADD="${TEST_SSH_SSHADD}"
fi
if [ "x$TEST_SSH_SSHKEYGEN" != "x" ]; then
- SSHKEYGEN=${TEST_SSH_SSHKEYGEN}
+ SSHKEYGEN="${TEST_SSH_SSHKEYGEN}"
fi
if [ "x$TEST_SSH_SSHKEYSCAN" != "x" ]; then
- SSHKEYSCAN=${TEST_SSH_SSHKEYSCAN}
+ SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}"
fi
if [ "x$TEST_SSH_SFTP" != "x" ]; then
- SFTP=${TEST_SSH_SFTP}
+ SFTP="${TEST_SSH_SFTP}"
fi
if [ "x$TEST_SSH_SFTPSERVER" != "x" ]; then
- SFTPSERVER=${TEST_SSH_SFTPSERVER}
+ SFTPSERVER="${TEST_SSH_SFTPSERVER}"
fi
# these should be used in tests
diff --git a/crypto/openssh/regress/try-ciphers.sh b/crypto/openssh/regress/try-ciphers.sh
index 2c727f6..15827e2 100644
--- a/crypto/openssh/regress/try-ciphers.sh
+++ b/crypto/openssh/regress/try-ciphers.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: try-ciphers.sh,v 1.8 2003/06/12 15:40:01 markus Exp $
+# $OpenBSD: try-ciphers.sh,v 1.9 2004/02/28 13:44:45 dtucker Exp $
# Placed in the Public Domain.
tid="try ciphers"
@@ -28,3 +28,19 @@ for c in $ciphers; do
fail "ssh -1 failed with cipher $c"
fi
done
+
+if ! ${SSH} -oCiphers=acss@openssh.org 2>&1 | grep "Bad SSH2 cipher" >/dev/null
+then
+
+echo "Ciphers acss@openssh.org" >> $OBJ/sshd_proxy
+c=acss@openssh.org
+for m in $macs; do
+ trace "proto 2 $c mac $m"
+ verbose "test $tid: proto 2 cipher $c mac $m"
+ ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true
+ if [ $? -ne 0 ]; then
+ fail "ssh -2 failed with mac $m cipher $c"
+ fi
+done
+
+fi
diff --git a/crypto/openssh/scard/.cvsignore b/crypto/openssh/scard/.cvsignore
new file mode 100644
index 0000000..5349d34
--- /dev/null
+++ b/crypto/openssh/scard/.cvsignore
@@ -0,0 +1,2 @@
+Makefile
+Ssh.bin
diff --git a/crypto/openssh/scp.1 b/crypto/openssh/scp.1
index f5ca1e4..5a32211 100644
--- a/crypto/openssh/scp.1
+++ b/crypto/openssh/scp.1
@@ -9,7 +9,7 @@
.\"
.\" Created: Sun May 7 00:14:37 1995 ylo
.\"
-.\" $OpenBSD: scp.1,v 1.32 2003/12/16 15:49:51 markus Exp $
+.\" $OpenBSD: scp.1,v 1.33 2004/03/05 10:53:58 markus Exp $
.\"
.Dd September 25, 1999
.Dt SCP 1
@@ -137,6 +137,7 @@ For full details of the options listed below, and their possible values, see
.It HostKeyAlias
.It HostName
.It IdentityFile
+.It IdentitiesOnly
.It LogLevel
.It MACs
.It NoHostAuthenticationForLocalhost
diff --git a/crypto/openssh/sftp-client.c b/crypto/openssh/sftp-client.c
index 81c5dd4..781d982 100644
--- a/crypto/openssh/sftp-client.c
+++ b/crypto/openssh/sftp-client.c
@@ -20,7 +20,7 @@
/* XXX: copy between two remote sites */
#include "includes.h"
-RCSID("$OpenBSD: sftp-client.c,v 1.46 2004/02/17 05:39:51 djm Exp $");
+RCSID("$OpenBSD: sftp-client.c,v 1.47 2004/03/03 09:30:42 djm Exp $");
#include "openbsd-compat/sys-queue.h"
@@ -805,13 +805,8 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
max_req = 1;
progress_counter = 0;
- if (showprogress) {
- if (size)
- start_progress_meter(remote_path, size,
- &progress_counter);
- else
- printf("Fetching %s to %s\n", remote_path, local_path);
- }
+ if (showprogress && size != 0)
+ start_progress_meter(remote_path, size, &progress_counter);
while (num_req > 0 || max_req > 0) {
char *data;
@@ -1036,8 +1031,6 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
offset = 0;
if (showprogress)
start_progress_meter(local_path, sb.st_size, &offset);
- else
- printf("Uploading %s to %s\n", local_path, remote_path);
for (;;) {
int len;
diff --git a/crypto/openssh/sftp.1 b/crypto/openssh/sftp.1
index 2a67a88..b2cab0c 100644
--- a/crypto/openssh/sftp.1
+++ b/crypto/openssh/sftp.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp.1,v 1.51 2004/01/13 12:17:33 jmc Exp $
+.\" $OpenBSD: sftp.1,v 1.52 2004/03/05 10:53:58 markus Exp $
.\"
.\" Copyright (c) 2001 Damien Miller. All rights reserved.
.\"
@@ -163,6 +163,7 @@ For full details of the options listed below, and their possible values, see
.It HostKeyAlias
.It HostName
.It IdentityFile
+.It IdentitiesOnly
.It LogLevel
.It MACs
.It NoHostAuthenticationForLocalhost
diff --git a/crypto/openssh/sftp.c b/crypto/openssh/sftp.c
index 7f7f507..a47ccf5 100644
--- a/crypto/openssh/sftp.c
+++ b/crypto/openssh/sftp.c
@@ -16,7 +16,7 @@
#include "includes.h"
-RCSID("$OpenBSD: sftp.c,v 1.44 2004/02/17 11:03:08 djm Exp $");
+RCSID("$OpenBSD: sftp.c,v 1.45 2004/03/03 09:31:20 djm Exp $");
#include "buffer.h"
#include "xmalloc.h"
@@ -44,7 +44,7 @@ size_t num_requests = 16;
static pid_t sshpid = -1;
/* This is set to 0 if the progressmeter is not desired. */
-int showprogress;
+int showprogress = 1;
int remote_glob(struct sftp_conn *, const char *, int,
int (*)(const char *, int), glob_t *); /* proto for sftp-glob.c */
@@ -1357,6 +1357,9 @@ main(int argc, char **argv)
}
}
+ if (!isatty(STDERR_FILENO))
+ showprogress = 0;
+
log_init(argv[0], ll, SYSLOG_FACILITY_USER, 1);
if (sftp_direct == NULL) {
OpenPOWER on IntegriCloud