This commit was generated by cvs2svn to compensate for changes in r146998,

which included commits to RCS files with non-trunk default branches.

16 files changed, 267 insertions, 83 deletions

diff --git a/crypto/openssh/openbsd-compat/bsd-arc4random.c b/crypto/openssh/openbsd-compat/bsd-arc4random.c
index 5284e1a..1eeb695 100644
--- a/crypto/openssh/openbsd-compat/bsd-arc4random.c
+++ b/crypto/openssh/openbsd-compat/bsd-arc4random.c
@@ -17,7 +17,7 @@
 #include "includes.h"
 #include "log.h"
 
-RCSID("$Id: bsd-arc4random.c,v 1.9 2004/07/18 23:30:40 djm Exp $");
+RCSID("$Id: bsd-arc4random.c,v 1.10 2005/02/16 02:01:28 djm Exp $");
 
 #ifndef HAVE_ARC4RANDOM
 
@@ -34,7 +34,8 @@ RCSID("$Id: bsd-arc4random.c,v 1.9 2004/07/18 23:30:40 djm Exp $");
 static int rc4_ready = 0;
 static RC4_KEY rc4;
 
-unsigned int arc4random(void)
+unsigned int
+arc4random(void)
 {
 	unsigned int r = 0;
 	static int first_time = 1;
@@ -53,7 +54,8 @@ unsigned int arc4random(void)
 	return(r);
 }
 
-void arc4random_stir(void)
+void
+arc4random_stir(void)
 {
 	unsigned char rand_buf[SEED_SIZE];
 	int i;
diff --git a/crypto/openssh/openbsd-compat/bsd-cray.c b/crypto/openssh/openbsd-compat/bsd-cray.c
index f630366..d1f1c05 100644
--- a/crypto/openssh/openbsd-compat/bsd-cray.c
+++ b/crypto/openssh/openbsd-compat/bsd-cray.c
@@ -1,5 +1,5 @@
 /* 
- * $Id: bsd-cray.c,v 1.13 2004/01/30 03:34:22 dtucker Exp $
+ * $Id: bsd-cray.c,v 1.14 2005/02/02 06:10:11 dtucker Exp $
  *
  * bsd-cray.c
  *
@@ -171,7 +171,7 @@ cray_access_denied(char *username)
  * record_failed_login: generic "login failed" interface function
  */
 void
-record_failed_login(const char *user, const char *ttyname)
+record_failed_login(const char *user, const char *hostname, const char *ttyname)
 {
 	cray_login_failure((char *)user, IA_UDBERR);
 }
diff --git a/crypto/openssh/openbsd-compat/bsd-cray.h b/crypto/openssh/openbsd-compat/bsd-cray.h
index de6ba1a..774eceb 100644
--- a/crypto/openssh/openbsd-compat/bsd-cray.h
+++ b/crypto/openssh/openbsd-compat/bsd-cray.h
@@ -1,4 +1,4 @@
-/* $Id: bsd-cray.h,v 1.11 2004/01/30 03:34:22 dtucker Exp $ */
+/* $Id: bsd-cray.h,v 1.12 2005/02/02 06:10:11 dtucker Exp $ */
 
 /*
  * Copyright (c) 2002, Cray Inc.  (Wendy Palm <wendyp@cray.com>)
@@ -42,10 +42,10 @@ void cray_init_job(struct passwd *);
 void cray_job_termination_handler(int);
 void cray_login_failure(char *, int );
 int cray_access_denied(char *);
-#define CUSTOM_FAILED_LOGIN 1
-void record_failed_login(const char *, const char *);
 extern char cray_tmpdir[];
 
+#define CUSTOM_FAILED_LOGIN 1
+
 #ifndef IA_SSHD
 # define IA_SSHD IA_LOGIN
 #endif
diff --git a/crypto/openssh/openbsd-compat/bsd-cygwin_util.c b/crypto/openssh/openbsd-compat/bsd-cygwin_util.c
index 92cdba6..f53abb6 100644
--- a/crypto/openssh/openbsd-compat/bsd-cygwin_util.c
+++ b/crypto/openssh/openbsd-compat/bsd-cygwin_util.c
@@ -29,7 +29,7 @@
 
 #include "includes.h"
 
-RCSID("$Id: bsd-cygwin_util.c,v 1.12 2004/04/18 11:15:45 djm Exp $");
+RCSID("$Id: bsd-cygwin_util.c,v 1.13 2004/08/30 10:42:08 dtucker Exp $");
 
 #ifdef HAVE_CYGWIN
 
@@ -38,6 +38,7 @@ RCSID("$Id: bsd-cygwin_util.c,v 1.12 2004/04/18 11:15:45 djm Exp $");
 #include <sys/utsname.h>
 #include <sys/vfs.h>
 #include <windows.h>
+#include "xmalloc.h"
 #define is_winnt       (GetVersion() < 0x80000000)
 
 #define ntsec_on(c)	((c) && strstr((c),"ntsec") && !strstr((c),"nontsec"))
@@ -96,7 +97,6 @@ has_capability(int what)
 	 */
 	if (!inited) {
 		struct utsname uts;
-		char *c;
 		
 		if (!uname(&uts)) {
 			int major_high = 0, major_low = 0, minor = 0;
@@ -236,4 +236,54 @@ register_9x_service(void)
 	RegisterServiceProcess(0, 1);
 }
 
+#define NL(x) x, (sizeof (x) - 1)
+#define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0]))
+
+static struct wenv {
+	const char *name;
+	size_t namelen;
+} wenv_arr[] = {
+	{ NL("ALLUSERSPROFILE=") },
+	{ NL("COMMONPROGRAMFILES=") },
+	{ NL("COMPUTERNAME=") },
+	{ NL("COMSPEC=") },
+	{ NL("NUMBER_OF_PROCESSORS=") },
+	{ NL("OS=") },
+	{ NL("PATH=") },
+	{ NL("PATHEXT=") },
+	{ NL("PROCESSOR_ARCHITECTURE=") },
+	{ NL("PROCESSOR_IDENTIFIER=") },
+	{ NL("PROCESSOR_LEVEL=") },
+	{ NL("PROCESSOR_REVISION=") },
+	{ NL("PROGRAMFILES=") },
+	{ NL("SYSTEMDRIVE=") },
+	{ NL("SYSTEMROOT=") },
+	{ NL("TMP=") },
+	{ NL("TEMP=") },
+	{ NL("WINDIR=") },
+};
+
+char **
+fetch_windows_environment(void)
+{
+	char **e, **p;
+	int i, idx = 0;
+
+	p = xmalloc(WENV_SIZ * sizeof(char *));
+	for (e = environ; *e != NULL; ++e) {
+		for (i = 0; i < WENV_SIZ; ++i) {
+			if (!strncmp(*e, wenv_arr[i].name, wenv_arr[i].namelen))
+				p[idx++] = *e;
+		}
+	}
+	p[idx] = NULL;
+	return p;
+}
+
+void
+free_windows_environment(char **p)
+{
+	xfree(p);
+}
+
 #endif /* HAVE_CYGWIN */
diff --git a/crypto/openssh/openbsd-compat/bsd-cygwin_util.h b/crypto/openssh/openbsd-compat/bsd-cygwin_util.h
index 5ccb0fb..6719b8a 100644
--- a/crypto/openssh/openbsd-compat/bsd-cygwin_util.h
+++ b/crypto/openssh/openbsd-compat/bsd-cygwin_util.h
@@ -1,4 +1,4 @@
-/* $Id: bsd-cygwin_util.h,v 1.10 2003/08/07 06:28:16 dtucker Exp $ */
+/* $Id: bsd-cygwin_util.h,v 1.11 2004/08/30 10:42:08 dtucker Exp $ */
 
 /*
  * Copyright (c) 2000, 2001, Corinna Vinschen <vinschen@cygnus.com>
@@ -46,6 +46,8 @@ int binary_pipe(int fd[2]);
 int check_nt_auth(int, struct passwd *);
 int check_ntsec(const char *);
 void register_9x_service(void);
+char **fetch_windows_environment(void);
+void free_windows_environment(char **);
 
 #define open binary_open
 #define pipe binary_pipe
diff --git a/crypto/openssh/openbsd-compat/bsd-misc.c b/crypto/openssh/openbsd-compat/bsd-misc.c
index 1b276b4..41f92cc 100644
--- a/crypto/openssh/openbsd-compat/bsd-misc.c
+++ b/crypto/openssh/openbsd-compat/bsd-misc.c
@@ -18,7 +18,7 @@
 #include "includes.h"
 #include "xmalloc.h"
 
-RCSID("$Id: bsd-misc.c,v 1.25 2004/08/15 08:41:00 djm Exp $");
+RCSID("$Id: bsd-misc.c,v 1.26 2005/02/25 23:07:38 dtucker Exp $");
 
 #ifndef HAVE___PROGNAME
 char *__progname;
@@ -122,17 +122,6 @@ int truncate(const char *path, off_t length)
 }
 #endif /* HAVE_TRUNCATE */
 
-#if !defined(HAVE_SETGROUPS) && defined(SETGROUPS_NOOP)
-/*
- * Cygwin setgroups should be a noop.
- */
-int
-setgroups(size_t size, const gid_t *list)
-{
-	return (0);
-}
-#endif 
-
 #if !defined(HAVE_NANOSLEEP) && !defined(HAVE_NSLEEP)
 int nanosleep(const struct timespec *req, struct timespec *rem)
 {
diff --git a/crypto/openssh/openbsd-compat/bsd-misc.h b/crypto/openssh/openbsd-compat/bsd-misc.h
index 33a1d70..b61ec42 100644
--- a/crypto/openssh/openbsd-compat/bsd-misc.h
+++ b/crypto/openssh/openbsd-compat/bsd-misc.h
@@ -1,4 +1,4 @@
-/* $Id: bsd-misc.h,v 1.17 2004/08/15 08:41:00 djm Exp $ */
+/* $Id: bsd-misc.h,v 1.18 2005/02/25 23:07:38 dtucker Exp $ */
 
 /*
  * Copyright (c) 1999-2004 Damien Miller <djm@mindrot.org>
@@ -67,10 +67,6 @@ int utimes(char *, struct timeval *);
 int truncate (const char *, off_t);
 #endif /* HAVE_TRUNCATE */
 
-#if !defined(HAVE_SETGROUPS) && defined(SETGROUPS_NOOP)
-int setgroups(size_t, const gid_t *);
-#endif
-
 #if !defined(HAVE_NANOSLEEP) && !defined(HAVE_NSLEEP)
 #ifndef HAVE_STRUCT_TIMESPEC
 struct timespec {
diff --git a/crypto/openssh/openbsd-compat/bsd-openpty.c b/crypto/openssh/openbsd-compat/bsd-openpty.c
index daf5f8b..8eb62b7 100644
--- a/crypto/openssh/openbsd-compat/bsd-openpty.c
+++ b/crypto/openssh/openbsd-compat/bsd-openpty.c
@@ -102,7 +102,6 @@ openpty(int *amaster, int *aslave, char *name, struct termios *termp,
 		return (-1);
 	}
 
-#ifndef HAVE_CYGWIN
 	/*
 	 * Try to push the appropriate streams modules, as described 
 	 * in Solaris pts(7).
@@ -112,7 +111,6 @@ openpty(int *amaster, int *aslave, char *name, struct termios *termp,
 # ifndef __hpux
 	ioctl(*aslave, I_PUSH, "ttcompat");
 # endif /* __hpux */
-#endif /* HAVE_CYGWIN */
 
 	return (0);
 
diff --git a/crypto/openssh/openbsd-compat/bsd-snprintf.c b/crypto/openssh/openbsd-compat/bsd-snprintf.c
index e4d8a43..b5a7ef7 100644
--- a/crypto/openssh/openbsd-compat/bsd-snprintf.c
+++ b/crypto/openssh/openbsd-compat/bsd-snprintf.c
@@ -58,7 +58,7 @@
 
 #include "includes.h"
 
-RCSID("$Id: bsd-snprintf.c,v 1.7 2003/05/18 14:13:39 djm Exp $");
+RCSID("$Id: bsd-snprintf.c,v 1.9 2004/09/23 11:35:09 dtucker Exp $");
 
 #if defined(BROKEN_SNPRINTF)		/* For those with broken snprintf() */
 # undef HAVE_SNPRINTF
@@ -369,7 +369,7 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen,
 	if (value == 0) 
 		value = "<NULL>";
 
-	for (strln = 0; value[strln]; ++strln); /* strlen */
+	for (strln = 0; strln < max && value[strln]; ++strln); /* strlen */
 	padlen = min - strln;
 	if (padlen < 0) 
 		padlen = 0;
diff --git a/crypto/openssh/openbsd-compat/getrrsetbyname.c b/crypto/openssh/openbsd-compat/getrrsetbyname.c
index 660427c..4e869c4 100644
--- a/crypto/openssh/openbsd-compat/getrrsetbyname.c
+++ b/crypto/openssh/openbsd-compat/getrrsetbyname.c
@@ -277,7 +277,7 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
 
 	/* allocate memory for signatures */
 	rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
-	if (rrset->rri_sigs == NULL) {
+	if (rrset->rri_nsigs > 0 && rrset->rri_sigs == NULL) {
 		result = ERRSET_NOMEMORY;
 		goto fail;
 	}
diff --git a/crypto/openssh/openbsd-compat/inet_ntop.c b/crypto/openssh/openbsd-compat/inet_ntop.c
index 7031625..47796c3 100644
--- a/crypto/openssh/openbsd-compat/inet_ntop.c
+++ b/crypto/openssh/openbsd-compat/inet_ntop.c
@@ -35,9 +35,7 @@ static char rcsid[] = "$OpenBSD: inet_ntop.c,v 1.5 2002/08/23 16:27:31 itojun Ex
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
-#ifndef HAVE_CYGWIN
 #include <arpa/nameser.h>
-#endif
 #include <string.h>
 #include <errno.h>
 #include <stdio.h>
diff --git a/crypto/openssh/openbsd-compat/mktemp.c b/crypto/openssh/openbsd-compat/mktemp.c
index aff8d20..969f695 100644
--- a/crypto/openssh/openbsd-compat/mktemp.c
+++ b/crypto/openssh/openbsd-compat/mktemp.c
@@ -40,11 +40,6 @@
 static char rcsid[] = "$OpenBSD: mktemp.c,v 1.17 2003/06/02 20:18:37 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 
-#ifdef HAVE_CYGWIN
-#define open binary_open
-extern int binary_open();
-#endif
-
 static int _gettemp(char *, int *, int, int);
 
 int
diff --git a/crypto/openssh/openbsd-compat/port-aix.c b/crypto/openssh/openbsd-compat/port-aix.c
index 78f4fae..fa6a4ff 100644
--- a/crypto/openssh/openbsd-compat/port-aix.c
+++ b/crypto/openssh/openbsd-compat/port-aix.c
@@ -1,6 +1,7 @@
 /*
  *
  * Copyright (c) 2001 Gert Doering.  All rights reserved.
+ * Copyright (c) 2003,2004 Darren Tucker.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -27,19 +28,15 @@
 #include "auth.h"
 #include "ssh.h"
 #include "log.h"
-#include "servconf.h"
-#include "canohost.h"
 #include "xmalloc.h"
 #include "buffer.h"
 
 #ifdef _AIX
 
 #include <uinfo.h>
+#include <sys/socket.h>
 #include "port-aix.h"
 
-extern ServerOptions options;
-extern Buffer loginmsg;
-
 # ifdef HAVE_SETAUTHDB
 static char old_registry[REGISTRY_SIZE] = "";
 # endif
@@ -51,6 +48,8 @@ static char old_registry[REGISTRY_SIZE] = "";
  * NOTE: TTY= should be set, but since no one uses it and it's hard to
  * acquire due to privsep code.  We will just drop support.
  */
+
+
 void
 aix_usrinfo(struct passwd *pw)
 {
@@ -92,6 +91,59 @@ aix_remove_embedded_newlines(char *p)
 }
 
 /*
+ * Test specifically for the case where SYSTEM == NONE and AUTH1 contains
+ * anything other than NONE or SYSTEM, which indicates that the admin has
+ * configured the account for purely AUTH1-type authentication.
+ *
+ * Since authenticate() doesn't check AUTH1, and sshd can't sanely support
+ * AUTH1 itself, in such a case authenticate() will allow access without
+ * authentation, which is almost certainly not what the admin intends.
+ *
+ * (The native tools, eg login, will process the AUTH1 list in addition to
+ * the SYSTEM list by using ckuserID(), however ckuserID() and AUTH1 methods
+ * have been deprecated since AIX 4.2.x and would be very difficult for sshd
+ * to support.
+ *
+ * Returns 0 if an unsupportable combination is found, 1 otherwise.
+ */
+static int
+aix_valid_authentications(const char *user)
+{
+	char *auth1, *sys, *p;
+	int valid = 1;
+
+	if (getuserattr((char *)user, S_AUTHSYSTEM, &sys, SEC_CHAR) != 0) {
+		logit("Can't retrieve attribute SYSTEM for %s: %.100s",
+		    user, strerror(errno));
+		return 0;
+	}
+
+	debug3("AIX SYSTEM attribute %s", sys);
+	if (strcmp(sys, "NONE") != 0)
+		return 1;	/* not "NONE", so is OK */
+
+	if (getuserattr((char *)user, S_AUTH1, &auth1, SEC_LIST) != 0) {
+		logit("Can't retrieve attribute auth1 for %s: %.100s",
+		    user, strerror(errno));
+		return 0;
+	}
+
+	p = auth1;
+	/* A SEC_LIST is concatenated strings, ending with two NULs. */
+	while (p[0] != '\0' && p[1] != '\0') {
+		debug3("AIX auth1 attribute list member %s", p);
+		if (strcmp(p, "NONE") != 0 && strcmp(p, "SYSTEM")) {
+			logit("Account %s has unsupported auth1 value '%s'",
+			    user, p);
+			valid = 0;
+		}
+		p += strlen(p) + 1;
+	}
+
+	return (valid);
+}
+
+/*
  * Do authentication via AIX's authenticate routine.  We loop until the
  * reenter parameter is 0, but normally authenticate is called only once.
  *
@@ -99,7 +151,7 @@ aix_remove_embedded_newlines(char *p)
  * returns 0.
  */
 int
-sys_auth_passwd(Authctxt *ctxt, const char *password)
+sys_auth_passwd(Authctxt *ctxt, const char *password, Buffer *loginmsg)
 {
 	char *authmsg = NULL, *msg, *name = ctxt->pw->pw_name;
 	int authsuccess = 0, expired, reenter, result;
@@ -112,6 +164,9 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
 		    authmsg);
 	} while (reenter);
 
+	if (!aix_valid_authentications(name))
+		result = -1;
+
 	if (result == 0) {
 		authsuccess = 1;
 
@@ -126,7 +181,7 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
 		 */
 		expired = passwdexpired(name, &msg);
 		if (msg && *msg) {
-			buffer_append(&loginmsg, msg, strlen(msg));
+			buffer_append(loginmsg, msg, strlen(msg));
 			aix_remove_embedded_newlines(msg);
 		}
 		debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg);
@@ -136,7 +191,6 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
 			break;
 		case 1: /* expired, password change required */
 			ctxt->force_pwchange = 1;
-			disable_forwarding();
 			break;
 		default: /* user can't change(2) or other error (-1) */
 			logit("Password can't be changed for user %s: %.100s",
@@ -160,7 +214,7 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
  * Returns 1 if login is allowed, 0 if not allowed.
  */
 int
-sys_auth_allowed_user(struct passwd *pw)
+sys_auth_allowed_user(struct passwd *pw, Buffer *loginmsg)
 {
 	char *msg = NULL;
 	int result, permitted = 0;
@@ -187,7 +241,7 @@ sys_auth_allowed_user(struct passwd *pw)
 	if (result == -1 && errno == EPERM && stat(_PATH_NOLOGIN, &st) == 0)
 		permitted = 1;
 	else if (msg != NULL)
-		buffer_append(&loginmsg, msg, strlen(msg));
+		buffer_append(loginmsg, msg, strlen(msg));
 	if (msg == NULL)
 		msg = xstrdup("(none)");
 	aix_remove_embedded_newlines(msg);
@@ -200,17 +254,18 @@ sys_auth_allowed_user(struct passwd *pw)
 }
 
 int
-sys_auth_record_login(const char *user, const char *host, const char *ttynm)
+sys_auth_record_login(const char *user, const char *host, const char *ttynm,
+    Buffer *loginmsg)
 {
 	char *msg;
 	int success = 0;
 
 	aix_setauthdb(user);
-	if (loginsuccess((char *)user, host, ttynm, &msg) == 0) {
+	if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) {
 		success = 1;
 		if (msg != NULL) {
-			debug("AIX/loginsuccess: msg %s", __func__, msg);
-			buffer_append(&loginmsg, msg, strlen(msg));
+			debug("AIX/loginsuccess: msg %s", msg);
+			buffer_append(loginmsg, msg, strlen(msg));
 			xfree(msg);
 		}
 	}
@@ -223,18 +278,17 @@ sys_auth_record_login(const char *user, const char *host, const char *ttynm)
  * record_failed_login: generic "login failed" interface function
  */
 void
-record_failed_login(const char *user, const char *ttyname)
+record_failed_login(const char *user, const char *hostname, const char *ttyname)
 {
-	char *hostname = (char *)get_canonical_hostname(options.use_dns);
-
 	if (geteuid() != 0)
 		return;
 
 	aix_setauthdb(user);
 #   ifdef AIX_LOGINFAILED_4ARG
-	loginfailed((char *)user, hostname, (char *)ttyname, AUDIT_FAIL_AUTH);
+	loginfailed((char *)user, (char *)hostname, (char *)ttyname,
+	    AUDIT_FAIL_AUTH);
 #   else
-	loginfailed((char *)user, hostname, (char *)ttyname);
+	loginfailed((char *)user, (char *)hostname, (char *)ttyname);
 #   endif
 	aix_restoreauthdb();
 }
@@ -291,4 +345,33 @@ aix_restoreauthdb(void)
 
 # endif /* WITH_AIXAUTHENTICATE */
 
+# if defined(AIX_GETNAMEINFO_HACK) && !defined(BROKEN_ADDRINFO)
+# undef getnameinfo
+/*
+ * For some reason, AIX's getnameinfo will refuse to resolve the all-zeros
+ * IPv6 address into its textual representation ("::"), so we wrap it
+ * with a function that will.
+ */
+int
+sshaix_getnameinfo(const struct sockaddr *sa, size_t salen, char *host,
+    size_t hostlen, char *serv, size_t servlen, int flags)
+{
+	struct sockaddr_in6 *sa6;
+	u_int32_t *a6;
+
+	if (flags & (NI_NUMERICHOST|NI_NUMERICSERV) &&
+	    sa->sa_family == AF_INET6) {
+		sa6 = (struct sockaddr_in6 *)sa;
+		a6 = sa6->sin6_addr.u6_addr.u6_addr32;
+
+		if (a6[0] == 0 && a6[1] == 0 && a6[2] == 0 && a6[3] == 0) {
+			strlcpy(host, "::", hostlen);
+			snprintf(serv, servlen, "%d", sa6->sin6_port);
+			return 0;
+		}
+	}
+	return getnameinfo(sa, salen, host, hostlen, serv, servlen, flags);
+}
+# endif /* AIX_GETNAMEINFO_HACK */
+
 #endif /* _AIX */
diff --git a/crypto/openssh/openbsd-compat/port-aix.h b/crypto/openssh/openbsd-compat/port-aix.h
index 29e9751..a05ce970 100644
--- a/crypto/openssh/openbsd-compat/port-aix.h
+++ b/crypto/openssh/openbsd-compat/port-aix.h
@@ -1,4 +1,4 @@
-/* $Id: port-aix.h,v 1.21 2004/08/14 14:09:12 dtucker Exp $ */
+/* $Id: port-aix.h,v 1.24 2005/02/16 11:49:31 dtucker Exp $ */
 
 /*
  *
@@ -27,6 +27,13 @@
 
 #ifdef _AIX
 
+#ifdef HAVE_SYS_SOCKET_H
+# include <sys/socket.h>
+#endif
+#ifdef HAVE_UNISTD_H
+# include <unistd.h>	/* for seteuid() */
+#endif
+
 #ifdef WITH_AIXAUTHENTICATE
 # include <login.h>
 # include <userpw.h>
@@ -36,6 +43,28 @@
 # include <usersec.h>
 #endif
 
+#include "buffer.h"
+
+/* These should be in the system headers but are not. */
+int usrinfo(int, char *, int);
+int setauthdb(const char *, char *);
+/* these may or may not be in the headers depending on the version */
+#if (HAVE_DECL_AUTHENTICATE == 0)
+int authenticate(char *, char *, int *, char **);
+#endif
+#if (HAVE_DECL_LOGINFAILED == 0)
+int loginfailed(char *, char *, char *);
+#endif
+#if (HAVE_DECL_LOGINRESTRICTIONS == 0)
+int loginrestrictions(char *, int, char *, char **);
+#endif
+#if (HAVE_DECL_LOGINSUCCESS == 0)
+int loginsuccess(char *, char *, char *, char **);
+#endif
+#if (HAVE_DECL_PASSWDEXPIRED == 0)
+int passwdexpired(char *, char **);
+#endif
+
 /* Some versions define r_type in the above headers, which causes a conflict */
 #ifdef r_type
 # undef r_type
@@ -64,14 +93,23 @@ void aix_usrinfo(struct passwd *);
 #ifdef WITH_AIXAUTHENTICATE
 # define CUSTOM_SYS_AUTH_PASSWD 1
 # define CUSTOM_SYS_AUTH_ALLOWED_USER 1
-int sys_auth_allowed_user(struct passwd *);
+int sys_auth_allowed_user(struct passwd *, Buffer *);
 # define CUSTOM_SYS_AUTH_RECORD_LOGIN 1
-int sys_auth_record_login(const char *, const char *, const char *);
+int sys_auth_record_login(const char *, const char *, const char *, Buffer *);
 # define CUSTOM_FAILED_LOGIN 1
-void record_failed_login(const char *, const char *);
 #endif
 
 void aix_setauthdb(const char *);
 void aix_restoreauthdb(void);
 void aix_remove_embedded_newlines(char *);
+
+#if defined(AIX_GETNAMEINFO_HACK) && !defined(BROKEN_GETADDRINFO)
+# ifdef getnameinfo
+#  undef getnameinfo
+# endif
+int sshaix_getnameinfo(const struct sockaddr *, size_t, char *, size_t,
+    char *, size_t, int);
+# define getnameinfo(a,b,c,d,e,f,g) (sshaix_getnameinfo(a,b,c,d,e,f,g))
+#endif
+
 #endif /* _AIX */
diff --git a/crypto/openssh/openbsd-compat/realpath.c b/crypto/openssh/openbsd-compat/realpath.c
index 218fbec..7f73bd9 100644
--- a/crypto/openssh/openbsd-compat/realpath.c
+++ b/crypto/openssh/openbsd-compat/realpath.c
@@ -37,7 +37,7 @@
 #if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: realpath.c,v 1.10 2003/08/01 21:04:59 millert Exp $";
+static char *rcsid = "$OpenBSD: realpath.c,v 1.11 2004/11/30 15:12:59 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <sys/param.h>
@@ -67,17 +67,25 @@ char *
 realpath(const char *path, char *resolved)
 {
 	struct stat sb;
-	int fd, n, needslash, serrno = 0;
-	char *p, *q, wbuf[MAXPATHLEN], start[MAXPATHLEN];
+	int fd, n, needslash, serrno;
+	char *p, *q, wbuf[MAXPATHLEN];
 	int symlinks = 0;
 
 	/* Save the starting point. */
-	getcwd(start,MAXPATHLEN);	
+#ifndef HAVE_FCHDIR
+	char start[MAXPATHLEN];
+	/* this is potentially racy but without fchdir we have no option */
+	if (getcwd(start, sizeof(start)) == NULL) {
+		resolved[0] = '.';
+		resolved[1] = '\0';
+		return (NULL);
+	}
+#endif
 	if ((fd = open(".", O_RDONLY)) < 0) {
-		(void)strlcpy(resolved, ".", MAXPATHLEN);
+		resolved[0] = '.';
+		resolved[1] = '\0';
 		return (NULL);
 	}
-	close(fd);
 
 	/* Convert "." -> "" to optimize away a needless lstat() and chdir() */
 	if (path[0] == '.' && path[1] == '\0')
@@ -91,7 +99,10 @@ realpath(const char *path, char *resolved)
 	 *     if it is a directory, then change to that directory.
 	 * get the current directory name and append the basename.
 	 */
-	strlcpy(resolved, path, MAXPATHLEN);
+	if (strlcpy(resolved, path, MAXPATHLEN) >= MAXPATHLEN) {
+		serrno = ENAMETOOLONG;
+		goto err2;
+	}
 loop:
 	q = strrchr(resolved, '/');
 	if (q != NULL) {
@@ -114,11 +125,10 @@ loop:
 	if (*p != '\0' && lstat(p, &sb) == 0) {
 		if (S_ISLNK(sb.st_mode)) {
 			if (++symlinks > MAXSYMLINKS) {
-				serrno = ELOOP;
+				errno = ELOOP;
 				goto err1;
 			}
-			n = readlink(p, resolved, MAXPATHLEN-1);
-			if (n < 0)
+			if ((n = readlink(p, resolved, MAXPATHLEN-1)) < 0)
 				goto err1;
 			resolved[n] = '\0';
 			goto loop;
@@ -134,8 +144,11 @@ loop:
 	 * Save the last component name and get the full pathname of
 	 * the current directory.
 	 */
-	(void)strlcpy(wbuf, p, sizeof wbuf);
-	if (getcwd(resolved, MAXPATHLEN) == 0)
+	if (strlcpy(wbuf, p, sizeof(wbuf)) >= sizeof(wbuf)) {
+		errno = ENAMETOOLONG;
+		goto err1;
+	}
+	if (getcwd(resolved, MAXPATHLEN) == NULL)
 		goto err1;
 
 	/*
@@ -149,23 +162,43 @@ loop:
 
 	if (*wbuf) {
 		if (strlen(resolved) + strlen(wbuf) + needslash >= MAXPATHLEN) {
-			serrno = ENAMETOOLONG;
+			errno = ENAMETOOLONG;
+			goto err1;
+		}
+		if (needslash) {
+			if (strlcat(resolved, "/", MAXPATHLEN) >= MAXPATHLEN) {
+				errno = ENAMETOOLONG;
+				goto err1;
+			}
+		}
+		if (strlcat(resolved, wbuf, MAXPATHLEN) >= MAXPATHLEN) {
+			errno = ENAMETOOLONG;
 			goto err1;
 		}
-		if (needslash)
-			strlcat(resolved, "/", MAXPATHLEN);
-		strlcat(resolved, wbuf, MAXPATHLEN);
 	}
 
 	/* Go back to where we came from. */
+#ifdef HAVE_FCHDIR
+	if (fchdir(fd) < 0) {
+#else
 	if (chdir(start) < 0) {
+#endif
 		serrno = errno;
 		goto err2;
 	}
+
+	/* It's okay if the close fails, what's an fd more or less? */
+	(void)close(fd);
 	return (resolved);
 
-err1:	chdir(start);
-err2:	errno = serrno;
+err1:	serrno = errno;
+#ifdef HAVE_FCHDIR
+	(void)fchdir(fd);
+#else
+	chdir(start);
+#endif
+err2:	(void)close(fd);
+	errno = serrno;
 	return (NULL);
 }
 #endif /* !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) */
diff --git a/crypto/openssh/openbsd-compat/xmmap.c b/crypto/openssh/openbsd-compat/xmmap.c
index c8d59de..74e8a8b 100644
--- a/crypto/openssh/openbsd-compat/xmmap.c
+++ b/crypto/openssh/openbsd-compat/xmmap.c
@@ -23,7 +23,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-/* $Id: xmmap.c,v 1.5 2004/08/14 13:55:38 dtucker Exp $ */
+/* $Id: xmmap.c,v 1.6 2004/10/06 13:15:44 dtucker Exp $ */
 
 #include "includes.h"
 
@@ -47,7 +47,7 @@ void *xmmap(size_t size)
 # endif
 
 #define MM_SWAP_TEMPLATE "/var/run/sshd.mm.XXXXXXXX"
-	if (address == MAP_FAILED) {
+	if (address == (void *)MAP_FAILED) {
 		char tmpname[sizeof(MM_SWAP_TEMPLATE)] = MM_SWAP_TEMPLATE;
 		int tmpfd;
 		mode_t old_umask;