path: root/crypto/openssh
author     des <des@FreeBSD.org>  2010-04-28 10:36:33 +0000
committer  des <des@FreeBSD.org>  2010-04-28 10:36:33 +0000
commit     fc607a2e80dfeb125ae2fe83191d934929997047 (patch)
tree       bd00e72572bcfba5ac7d243462c79d29a987c5a2 /crypto/openssh
parent     c86e821ecb2a324088edbbb87198b4d55833575a (diff)
download   FreeBSD-src-fc607a2e80dfeb125ae2fe83191d934929997047.zip
           FreeBSD-src-fc607a2e80dfeb125ae2fe83191d934929997047.tar.gz
Upgrade to OpenSSH 5.5p1.
Diffstat (limited to 'crypto/openssh')
-rw-r--r--  crypto/openssh/ChangeLog                        | 118
-rw-r--r--  crypto/openssh/README                           |   4
-rw-r--r--  crypto/openssh/auth-options.c                   |   6
-rw-r--r--  crypto/openssh/auth2-pubkey.c                   |  31
-rw-r--r--  crypto/openssh/channels.c                       |   6
-rw-r--r--  crypto/openssh/clientloop.c                     |   3
-rw-r--r--  crypto/openssh/config.h                         |  15
-rw-r--r--  crypto/openssh/config.h.in                      |  12
-rw-r--r--  crypto/openssh/defines.h                        |   2
-rw-r--r--  crypto/openssh/key.c                            |  15
-rw-r--r--  crypto/openssh/key.h                            |   3
-rw-r--r--  crypto/openssh/loginrec.c                       |   9
-rw-r--r--  crypto/openssh/logintest.c                      |   2
-rw-r--r--  crypto/openssh/openbsd-compat/bsd-arc4random.c  |   4
-rw-r--r--  crypto/openssh/servconf.c                       |  19
-rw-r--r--  crypto/openssh/session.c                        |   8
-rw-r--r--  crypto/openssh/ssh-keygen.1                     |  43
-rw-r--r--  crypto/openssh/ssh-keygen.c                     |   5
-rw-r--r--  crypto/openssh/ssh-pkcs11-helper.c              |   4
-rw-r--r--  crypto/openssh/ssh.1                            |   9
-rw-r--r--  crypto/openssh/ssh_config                       |   2
-rw-r--r--  crypto/openssh/ssh_config.5                     |  12
-rw-r--r--  crypto/openssh/sshd_config                      |   2
-rw-r--r--  crypto/openssh/sshd_config.5                    |   2
-rw-r--r--  crypto/openssh/version.h                        |   6
25 files changed, 254 insertions, 88 deletions
diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog
index d6e4a4a..a08e1a7 100644
--- a/crypto/openssh/ChangeLog
+++ b/crypto/openssh/ChangeLog
@@ -1,4 +1,120 @@
-20100307
+20100410
+ - (dtucker) [configure.ac] Put the check for the existence of getaddrinfo
+ back so we disable the IPv6 tests if we don't have it.
+
+20100409
+ - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrong
+ ones. Based on a patch from Roumen Petrov.
+ - (dtucker) [configure.ac] Bug #1744: use pkg-config for libedit flags if we
+ have it and the path is not provided to --with-libedit. Based on a patch
+ from Iain Morgan.
+ - (dtucker) [configure.ac defines.h loginrec.c logintest.c] Bug #1732: enable
+ utmpx support on FreeBSD where possible. Patch from Ed Schouten, ok djm@
+
+20100326
+ - (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detection
+ for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson
+ - (dtucker) [configure.ac] Bug #1741: Add section for Haiku, patch originally
+ by Ingo Weinhold via Scott McCreary, ok djm@
+ - (djm) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2010/03/25 23:38:28
+ [servconf.c]
+ from portable: getcwd(NULL, 0) doesn't work on all platforms, so
+ use a stack buffer; ok dtucker@
+ - djm@cvs.openbsd.org 2010/03/26 00:26:58
+ [ssh.1]
+ mention that -S none disables connection sharing; from Colin Watson
+ - (djm) [session.c] Allow ChrootDirectory to work on SELinux platforms -
+ set up SELinux execution context before chroot() call. From Russell
+ Coker via Colin watson; bz#1726 ok dtucker@
+ - (djm) [channels.c] Check for EPFNOSUPPORT as a socket() errno; bz#1721
+ ok dtucker@
+ - (dtucker) Bug #1725: explicitly link libX11 into gnome-ssh-askpass2 using
+ pkg-config, patch from Colin Watson. Needed for newer linkers (ie gold).
+ - (djm) [contrib/ssh-copy-id] Don't blow up when the agent has no keys;
+ bz#1723 patch from Adeodato Simóvia Colin Watson; ok dtucker@
+ - (dtucker) OpenBSD CVS Sync
+ - dtucker@cvs.openbsd.org 2010/03/26 01:06:13
+ [ssh_config.5]
+ Reformat default value of PreferredAuthentications entry (current
+ formatting implies ", " is acceptable as a separator, which it's not.
+ ok djm@
+
+20100324
+ - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory
+ containing the services file explicitely case-insensitive. This allows to
+ tweak the Windows services file reliably. Patch from vinschen at redhat.
+
+20100321
+ - (djm) OpenBSD CVS Sync
+ - jmc@cvs.openbsd.org 2010/03/08 09:41:27
+ [ssh-keygen.1]
+ sort the list of constraints (to -O); ok djm
+ - jmc@cvs.openbsd.org 2010/03/10 07:40:35
+ [ssh-keygen.1]
+ typos; from Ross Richardson
+ closes prs 6334 and 6335
+ - djm@cvs.openbsd.org 2010/03/10 23:27:17
+ [auth2-pubkey.c]
+ correct certificate logging and make it more consistent between
+ authorized_keys and TrustedCAKeys; ok markus@
+ - djm@cvs.openbsd.org 2010/03/12 01:06:25
+ [servconf.c]
+ unbreak AuthorizedKeys option with a $HOME-relative path; reported by
+ vinschen AT redhat.com, ok dtucker@
+ - markus@cvs.openbsd.org 2010/03/12 11:37:40
+ [servconf.c]
+ do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
+ free() (not xfree()) the buffer returned by getcwd()
+ - djm@cvs.openbsd.org 2010/03/13 21:10:38
+ [clientloop.c]
+ protocol conformance fix: send language tag when disconnecting normally;
+ spotted by 1.41421 AT gmail.com, ok markus@ deraadt@
+ - djm@cvs.openbsd.org 2010/03/13 21:45:46
+ [ssh-keygen.1]
+ Certificates are named *-cert.pub, not *_cert.pub; committing a diff
+ from stevesk@ ok me
+ - jmc@cvs.openbsd.org 2010/03/13 23:38:13
+ [ssh-keygen.1]
+ fix a formatting error (args need quoted); noted by stevesk
+ - stevesk@cvs.openbsd.org 2010/03/15 19:40:02
+ [key.c key.h ssh-keygen.c]
+ also print certificate type (user or host) for ssh-keygen -L
+ ok djm kettenis
+ - stevesk@cvs.openbsd.org 2010/03/16 15:46:52
+ [auth-options.c]
+ spelling in error message. ok djm kettenis
+ - djm@cvs.openbsd.org 2010/03/16 16:36:49
+ [version.h]
+ crank version to openssh-5.5 since we have a few fixes since 5.4;
+ requested deraadt@ kettenis@
+ - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+ [contrib/suse/openssh.spec] Crank version numbers
+
+20100314
+ - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix
+ compilation failure when !HAVE_DLOPEN. Reported by felix-mindrot
+ AT fefe.de
+ - (djm) [Makefile.in] Respecify -lssh after -lopenbsd-compat for
+ ssh-pkcs11-helper to repair static builds (we do the same for
+ ssh-keyscan). Reported by felix-mindrot AT fefe.de
+
+20100312
+ - (tim) [Makefile.in] Now that scard is gone, no need to make $(datadir)
+ - (tim) [Makefile.in] Add missing $(EXEEXT) to install targets.
+ Patch from Corinna Vinschen.
+ - (tim) [contrib/cygwin/Makefile] Fix list of documentation files to install
+ on a Cygwin installation. Patch from Corinna Vinschen.
+
+20100311
+ - (tim) [contrib/suse/openssh.spec] crank version number here too.
+ report by imorgan AT nas.nasa.gov
+
+20100309
+ - (dtucker) [configure.ac] Use a proper AC_CHECK_DECL for BROKEN_GETADDRINFO
+ so setting it in CFLAGS correctly skips IPv6 tests.
+
+20100428
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/03/07 22:16:01
[ssh-keygen.c]
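Review bot: the `20100428` heading at the foot of this hunk sits directly above the `2010/03/07` OpenBSD CVS sync entries, whose original `20100307` heading is the line this hunk deletes; by the hunk header (`-1,4 +1,120`, 117 added lines plus three context lines) it is an added line, not context. Check it against the upstream 5.5p1 ChangeLog before committing, since a FreeBSD-dated heading over upstream entries will mislead anyone diffing this file against the next release.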
diff --git a/crypto/openssh/README b/crypto/openssh/README
index 0ecb670..a29f200 100644
--- a/crypto/openssh/README
+++ b/crypto/openssh/README
@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-5.4 for the release notes.
+See http://www.openssh.com/txt/release-5.5 for the release notes.
- A Japanese translation of this document and of the OpenSSH FAQ is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@ References -
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
[7] http://www.openssh.com/faq.html
-$Id: README,v 1.72 2010/03/07 22:41:02 djm Exp $
+$Id: README,v 1.73 2010/03/21 19:11:55 djm Exp $
diff --git a/crypto/openssh/auth-options.c b/crypto/openssh/auth-options.c
index 1293017..69b314f 100644
--- a/crypto/openssh/auth-options.c
+++ b/crypto/openssh/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.48 2010/03/07 11:57:13 dtucker Exp $ */
+/* $OpenBSD: auth-options.c,v 1.49 2010/03/16 15:46:52 stevesk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -434,7 +434,7 @@ auth_cert_constraints(Buffer *c_orig, struct passwd *pw)
goto out;
}
if (strlen(command) != clen) {
- error("force-command constrain contains \\0");
+ error("force-command constraint contains \\0");
goto out;
}
if (cert_forced_command != NULL) {
@@ -454,7 +454,7 @@ auth_cert_constraints(Buffer *c_orig, struct passwd *pw)
goto out;
}
if (strlen(allowed) != clen) {
- error("source-address constrain contains \\0");
+ error("source-address constraint contains \\0");
goto out;
}
if (cert_source_address_done++) {
diff --git a/crypto/openssh/auth2-pubkey.c b/crypto/openssh/auth2-pubkey.c
index 51aa774..c4cadf4 100644
--- a/crypto/openssh/auth2-pubkey.c
+++ b/crypto/openssh/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.21 2010/03/04 10:36:03 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.22 2010/03/10 23:27:17 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -240,22 +240,26 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
continue;
if (!key_equal(found, key->cert->signature_key))
continue;
- debug("matching CA found: file %s, line %lu",
- file, linenum);
fp = key_fingerprint(found, SSH_FP_MD5,
SSH_FP_HEX);
- verbose("Found matching %s CA: %s",
- key_type(found), fp);
- xfree(fp);
+ debug("matching CA found: file %s, line %lu, %s %s",
+ file, linenum, key_type(found), fp);
if (key_cert_check_authority(key, 0, 0, pw->pw_name,
&reason) != 0) {
+ xfree(fp);
error("%s", reason);
auth_debug_add("%s", reason);
continue;
}
if (auth_cert_constraints(&key->cert->constraints,
- pw) != 0)
+ pw) != 0) {
+ xfree(fp);
continue;
+ }
+ verbose("Accepted certificate ID \"%s\" "
+ "signed by %s CA %s via %s", key->cert->key_id,
+ key_type(found), fp, file);
+ xfree(fp);
found_key = 1;
break;
} else if (!key_is_cert_authority && key_equal(found, key)) {
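Review bot: `fp` is now allocated before the authority and constraint checks and has to be released on three separate paths (`xfree(fp)` before each `continue` and again after the `verbose()`); correct as written, but the next early exit added to this loop will leak it. Consider building the fingerprint once and freeing it at a single point after the checks. Also worth a glance: `key->cert->key_id` is CA-supplied text that now reaches the log at verbose level, so confirm the logging path escapes non-printable characters before the string goes to syslog.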
@@ -281,15 +285,15 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
static int
user_cert_trusted_ca(struct passwd *pw, Key *key)
{
- char *key_fp, *ca_fp;
+ char *ca_fp;
const char *reason;
int ret = 0;
if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
return 0;
- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
- ca_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ ca_fp = key_fingerprint(key->cert->signature_key,
+ SSH_FP_MD5, SSH_FP_HEX);
if (key_in_file(key->cert->signature_key,
options.trusted_user_ca_keys, 1) != 1) {
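Review bot: the removed line `ca_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);` fingerprinted the certificate itself, not its CA, so every "allowed by trusted ... key" message logged by 5.4 under TrustedUserCAKeys reported the wrong fingerprint; the replacement correctly fingerprints `key->cert->signature_key`. This is an audit-log correctness fix and deserves a mention in the commit message, because anyone who correlated 5.4 logs against their CA fingerprints will have seen mismatches.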
@@ -306,13 +310,12 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
if (auth_cert_constraints(&key->cert->constraints, pw) != 0)
goto out;
- verbose("%s certificate %s allowed by trusted %s key %s",
- key_type(key), key_fp, key_type(key->cert->signature_key), ca_fp);
+ verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s",
+ key->cert->key_id, key_type(key->cert->signature_key), ca_fp,
+ options.trusted_user_ca_keys);
ret = 1;
out:
- if (key_fp != NULL)
- xfree(key_fp);
if (ca_fp != NULL)
xfree(ca_fp);
return ret;
diff --git a/crypto/openssh/channels.c b/crypto/openssh/channels.c
index d8c53a4..a55d278 100644
--- a/crypto/openssh/channels.c
+++ b/crypto/openssh/channels.c
@@ -3252,7 +3252,11 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
sock = socket(ai->ai_family, ai->ai_socktype,
ai->ai_protocol);
if (sock < 0) {
- if ((errno != EINVAL) && (errno != EAFNOSUPPORT)) {
+ if ((errno != EINVAL) && (errno != EAFNOSUPPORT)
+#ifdef EPFNOSUPPORT
+ && (errno != EPFNOSUPPORT)
+#endif
+ ) {
error("socket: %.100s", strerror(errno));
freeaddrinfo(aitop);
return -1;
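Review bot: the `#ifdef EPFNOSUPPORT` in the middle of the condition leaves a dangling `)` on its own line and is easy to misread. A small static helper (say `errno_is_unsupported_family(int e)`, name suggested here) returning true for `EINVAL`, `EAFNOSUPPORT` and, when defined, `EPFNOSUPPORT` would keep the preprocessor out of the expression and make the intent obvious: skip address families this kernel cannot provide, fail loudly on anything else.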
diff --git a/crypto/openssh/clientloop.c b/crypto/openssh/clientloop.c
index 6ffef95..9ab56b4 100644
--- a/crypto/openssh/clientloop.c
+++ b/crypto/openssh/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.218 2010/01/28 00:21:18 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.219 2010/03/13 21:10:38 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1484,6 +1484,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
packet_start(SSH2_MSG_DISCONNECT);
packet_put_int(SSH2_DISCONNECT_BY_APPLICATION);
packet_put_cstring("disconnected by user");
+ packet_put_cstring(""); /* language tag */
packet_send();
packet_write_wait();
}
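Review bot: this adds the language-tag string that SSH2_MSG_DISCONNECT requires (reason code, description, language tag), but only at this call site; every other `packet_start(SSH2_MSG_DISCONNECT)` in the client and server should be checked for the same omission, since a strict peer may treat the message with the tag missing as malformed.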
diff --git a/crypto/openssh/config.h b/crypto/openssh/config.h
index 66e3c7a..01fc523 100644
--- a/crypto/openssh/config.h
+++ b/crypto/openssh/config.h
@@ -124,7 +124,7 @@
#define DISABLE_WTMPX 1
/* Enable for PKCS#11 support */
-#define ENABLE_PKCS11
+#define ENABLE_PKCS11 /**/
/* Builtin PRNG command timeout */
#define ENTROPY_TIMEOUT_MSEC 200
@@ -456,6 +456,9 @@
/* Define to 1 if you have the `getutxline' function. */
#define HAVE_GETUTXLINE 1
+/* Define to 1 if you have the `getutxuser' function. */
+#define HAVE_GETUTXUSER 1
+
/* Define to 1 if you have the `get_default_context_with_level' function. */
/* #undef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL */
@@ -552,6 +555,9 @@
/* Define if system has libiaf that supports set_id */
/* #undef HAVE_LIBIAF */
+/* Define to 1 if you have the `network' library (-lnetwork). */
+/* #undef HAVE_LIBNETWORK */
+
/* Define to 1 if you have the `nsl' library (-lnsl). */
/* #undef HAVE_LIBNSL */
@@ -805,6 +811,9 @@
/* Define to 1 if you have the `setutent' function. */
/* #undef HAVE_SETUTENT */
+/* Define to 1 if you have the `setutxdb' function. */
+#define HAVE_SETUTXDB 1
+
/* Define to 1 if you have the `setutxent' function. */
#define HAVE_SETUTXENT 1
@@ -1416,8 +1425,8 @@
/* Define if you want SELinux support. */
/* #undef WITH_SELINUX */
-/* Define to 1 if your processor stores words with the most significant byte
- first (like Motorola and SPARC, unlike Intel and VAX). */
+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
+ significant byte first (like Motorola and SPARC, unlike Intel and VAX). */
#if defined __BIG_ENDIAN__
# define WORDS_BIGENDIAN 1
#elif ! defined __LITTLE_ENDIAN__
diff --git a/crypto/openssh/config.h.in b/crypto/openssh/config.h.in
index a61dec6..a43ad57 100644
--- a/crypto/openssh/config.h.in
+++ b/crypto/openssh/config.h.in
@@ -80,9 +80,6 @@
/* Define if you want to specify the path to your lastlog file */
#undef CONF_LASTLOG_FILE
-/* Define if you want to specify the path to your utmpx file */
-#undef CONF_UTMPX_FILE
-
/* Define if you want to specify the path to your utmp file */
#undef CONF_UTMP_FILE
@@ -455,6 +452,9 @@
/* Define to 1 if you have the `getutxline' function. */
#undef HAVE_GETUTXLINE
+/* Define to 1 if you have the `getutxuser' function. */
+#undef HAVE_GETUTXUSER
+
/* Define to 1 if you have the `get_default_context_with_level' function. */
#undef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
@@ -551,6 +551,9 @@
/* Define if system has libiaf that supports set_id */
#undef HAVE_LIBIAF
+/* Define to 1 if you have the `network' library (-lnetwork). */
+#undef HAVE_LIBNETWORK
+
/* Define to 1 if you have the `nsl' library (-lnsl). */
#undef HAVE_LIBNSL
@@ -804,6 +807,9 @@
/* Define to 1 if you have the `setutent' function. */
#undef HAVE_SETUTENT
+/* Define to 1 if you have the `setutxdb' function. */
+#undef HAVE_SETUTXDB
+
/* Define to 1 if you have the `setutxent' function. */
#undef HAVE_SETUTXENT
diff --git a/crypto/openssh/defines.h b/crypto/openssh/defines.h
index e592249..fe25170 100644
--- a/crypto/openssh/defines.h
+++ b/crypto/openssh/defines.h
@@ -25,7 +25,7 @@
#ifndef _DEFINES_H
#define _DEFINES_H
-/* $Id: defines.h,v 1.159 2010/01/13 23:44:34 tim Exp $ */
+/* $Id: defines.h,v 1.160 2010/04/09 08:13:27 dtucker Exp $ */
/* Constants */
diff --git a/crypto/openssh/key.c b/crypto/openssh/key.c
index 0d0c912..66592c7 100644
--- a/crypto/openssh/key.c
+++ b/crypto/openssh/key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.85 2010/03/04 01:44:57 djm Exp $ */
+/* $OpenBSD: key.c,v 1.86 2010/03/15 19:40:02 stevesk Exp $ */
/*
* read_bignum():
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -802,6 +802,19 @@ key_type(const Key *k)
}
const char *
+key_cert_type(const Key *k)
+{
+ switch (k->cert->type) {
+ case SSH2_CERT_TYPE_USER:
+ return "user";
+ case SSH2_CERT_TYPE_HOST:
+ return "host";
+ default:
+ return "unknown";
+ }
+}
+
+const char *
key_ssh_name(const Key *k)
{
switch (k->type) {
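Review bot: `key_cert_type()` dereferences `k->cert` unconditionally, unlike `key_type()` just above it, which switches on `k->type`; calling it on a plain key is a NULL dereference. Either document that callers (here `do_show_cert()`) must check `key_is_cert()` first, or guard it, e.g. `if (!key_is_cert(k)) return "unknown";`, so the helper is safe to reuse from logging code.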
diff --git a/crypto/openssh/key.h b/crypto/openssh/key.h
index 6a2e049..4f17777 100644
--- a/crypto/openssh/key.h
+++ b/crypto/openssh/key.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.h,v 1.28 2010/02/26 20:29:54 djm Exp $ */
+/* $OpenBSD: key.h,v 1.29 2010/03/15 19:40:02 stevesk Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -82,6 +82,7 @@ int key_equal(const Key *, const Key *);
char *key_fingerprint(Key *, enum fp_type, enum fp_rep);
u_char *key_fingerprint_raw(Key *, enum fp_type, u_int *);
const char *key_type(const Key *);
+const char *key_cert_type(const Key *);
int key_write(const Key *, FILE *);
int key_read(Key *, char **);
u_int key_size(const Key *);
diff --git a/crypto/openssh/loginrec.c b/crypto/openssh/loginrec.c
index e6eaf0b..62962ac 100644
--- a/crypto/openssh/loginrec.c
+++ b/crypto/openssh/loginrec.c
@@ -510,6 +510,10 @@ getlast_entry(struct logininfo *li)
#ifdef USE_LASTLOG
return(lastlog_get_entry(li));
#else /* !USE_LASTLOG */
+#if defined(USE_UTMPX) && defined(HAVE_SETUTXDB) && \
+ defined(UTXDB_LASTLOGIN) && defined(HAVE_GETUTXUSER)
+ return (utmpx_get_entry(li));
+#endif
#if 1
return (utmpx_get_entry(li));
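Review bot: the new guarded `return (utmpx_get_entry(li));` is immediately followed by the pre-existing `#if 1` block that returns the same call unconditionally, so the new guard is dead code here, and on a build where the condition is false the `#if 1` still calls a function whose definition the next hunk now compiles out. The `#if 1` should become the same `defined(USE_UTMPX) && defined(HAVE_SETUTXDB) && ...` condition, or be dropped since the new block supersedes it.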
@@ -1614,7 +1618,8 @@ lastlog_get_entry(struct logininfo *li)
#endif /* HAVE_GETLASTLOGXBYNAME */
#endif /* USE_LASTLOG */
-#if 1
+#if defined(USE_UTMPX) && defined(HAVE_SETUTXDB) && \
+ defined(UTXDB_LASTLOGIN) && defined(HAVE_GETUTXUSER)
int
utmpx_get_entry(struct logininfo *li)
{
@@ -1637,7 +1642,7 @@ utmpx_get_entry(struct logininfo *li)
endutxent();
return (1);
}
-#endif
+#endif /* USE_UTMPX && HAVE_SETUTXDB && UTXDB_LASTLOGIN && HAVE_GETUTXUSER */
#ifdef USE_BTMP
/*
diff --git a/crypto/openssh/logintest.c b/crypto/openssh/logintest.c
index 7e9fbbf..4897ae0 100644
--- a/crypto/openssh/logintest.c
+++ b/crypto/openssh/logintest.c
@@ -264,7 +264,7 @@ showOptions(void)
printf("\tUSE_UTMP (UTMP_FILE=%s)\n", UTMP_FILE);
#endif
#ifdef USE_UTMPX
- printf("\tUSE_UTMPX (UTMPX_FILE=%s)\n", UTMPX_FILE);
+ printf("\tUSE_UTMPX\n");
#endif
#ifdef USE_WTMP
printf("\tUSE_WTMP (WTMP_FILE=%s)\n", WTMP_FILE);
diff --git a/crypto/openssh/openbsd-compat/bsd-arc4random.c b/crypto/openssh/openbsd-compat/bsd-arc4random.c
index 9d4c869..d7c5862 100644
--- a/crypto/openssh/openbsd-compat/bsd-arc4random.c
+++ b/crypto/openssh/openbsd-compat/bsd-arc4random.c
@@ -84,7 +84,7 @@ arc4random_stir(void)
}
#endif /* !HAVE_ARC4RANDOM */
-#ifndef ARC4RANDOM_BUF
+#ifndef HAVE_ARC4RANDOM_BUF
void
arc4random_buf(void *_buf, size_t n)
{
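Review bot: `ARC4RANDOM_BUF` was never a configure output, so the compat `arc4random_buf()` (and `arc4random_uniform()` below it) was compiled even on systems whose libc provides them, while the trailing `#endif /* !HAVE_ARC4RANDOM_BUF */` comment already described the intended guard. With the guard fixed, confirm config.h actually defines `HAVE_ARC4RANDOM_BUF` and `HAVE_ARC4RANDOM_UNIFORM` on FreeBSD: neither appears in the config.h hunks of this commit, and a silently missing define would now mean the compat copies are built alongside the libc ones.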
@@ -102,7 +102,7 @@ arc4random_buf(void *_buf, size_t n)
}
#endif /* !HAVE_ARC4RANDOM_BUF */
-#ifndef ARC4RANDOM_UNIFORM
+#ifndef HAVE_ARC4RANDOM_UNIFORM
/*
* Calculate a uniformly distributed random number less than upper_bound
* avoiding "modulo bias".
diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
index 603c586..626f38c 100644
--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.204 2010/03/04 10:36:03 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.207 2010/03/25 23:38:28 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -474,15 +474,14 @@ parse_token(const char *cp, const char *filename,
char *
derelativise_path(const char *path)
{
- char *expanded, *ret, *cwd;
+ char *expanded, *ret, cwd[MAXPATHLEN];
expanded = tilde_expand_filename(path, getuid());
if (*expanded == '/')
return expanded;
- if ((cwd = getcwd(NULL, 0)) == NULL)
+ if (getcwd(cwd, sizeof(cwd)) == NULL)
fatal("%s: getcwd: %s", __func__, strerror(errno));
xasprintf(&ret, "%s/%s", cwd, expanded);
- xfree(cwd);
xfree(expanded);
return ret;
}
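Review bot: switching from `getcwd(NULL, 0)` to `cwd[MAXPATHLEN]` is the portable choice, and `fatal()` on a NULL return covers a working directory longer than MAXPATHLEN, so nothing is silently truncated. One caveat worth a sentence in the man page rather than the code: the result depends on the directory sshd was started from, so a relative path in any option that still goes through this function resolves differently under the rc script than when sshd is started by hand.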
@@ -1227,7 +1226,17 @@ process_server_config_line(ServerOptions *options, char *line,
charptr = (opcode == sAuthorizedKeysFile) ?
&options->authorized_keys_file :
&options->authorized_keys_file2;
- goto parse_filename;
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing file name.",
+ filename, linenum);
+ if (*activep && *charptr == NULL) {
+ *charptr = tilde_expand_filename(arg, getuid());
+ /* increase optional counter */
+ if (intptr != NULL)
+ *intptr = *intptr + 1;
+ }
+ break;
case sClientAliveInterval:
intptr = &options->client_alive_interval;
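Review bot: AuthorizedKeysFile no longer goes through `derelativise_path()`, which prepended sshd's cwd and broke the documented default of a path relative to the user's home; this hunk only tilde-expands. Note that `tilde_expand_filename(arg, getuid())` expands `~` against the uid parsing the config at startup, not the user being authenticated, so `~/.ssh/...` is not a per-user path here; per-user substitution is `%h`/`%u`. The `strdelim`/missing-file-name check duplicates the `parse_filename` block this case used to `goto`; a shared helper would keep the two from drifting.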
diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c
index aad0979..c11a68a 100644
--- a/crypto/openssh/session.c
+++ b/crypto/openssh/session.c
@@ -1581,6 +1581,10 @@ do_setusercontext(struct passwd *pw)
}
#endif /* HAVE_SETPCRED */
+#ifdef WITH_SELINUX
+ ssh_selinux_setup_exec_context(pw->pw_name);
+#endif
+
if (options.chroot_directory != NULL &&
strcasecmp(options.chroot_directory, "none") != 0) {
tmp = tilde_expand_filename(options.chroot_directory,
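Review bot: the SELinux call now runs before `chroot()` and before the uid switch that the second hunk shows it used to follow. That is correct only if `ssh_selinux_setup_exec_context()` sets the context for the next `execve()` and does not change the current process context; if it did the latter, the still-privileged chroot and setuid steps would run under the user's SELinux context and could be denied by policy. A one-line comment here stating that it only affects the post-exec context would keep the ordering constraint from being undone by the next refactor.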
@@ -1605,10 +1609,6 @@ do_setusercontext(struct passwd *pw)
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
-
-#ifdef WITH_SELINUX
- ssh_selinux_setup_exec_context(pw->pw_name);
-#endif
}
static void
diff --git a/crypto/openssh/ssh-keygen.1 b/crypto/openssh/ssh-keygen.1
index 0da6354..6931842 100644
--- a/crypto/openssh/ssh-keygen.1
+++ b/crypto/openssh/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.88 2010/03/08 00:28:55 djm Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $
.\" $FreeBSD$
.\"
.\" -*- nroff -*-
@@ -38,7 +38,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd March 8 2010
+.Dd March 13 2010
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
@@ -308,8 +308,15 @@ Please see the
section for details.
The constraints that are valid for user certificates are:
.Bl -tag -width Ds
-.It Ic no-x11-forwarding
-Disable X11 forwarding (permitted by default).
+.It Ic clear
+Clear all enabled permissions.
+This is useful for clearing the default set of permissions so permissions may
+be added individually.
+.It Ic force-command Ns = Ns Ar command
+Forces the execution of
+.Ar command
+instead of any shell or command specified by the user when
+the certificate is used for authentication.
.It Ic no-agent-forwarding
Disable
.Xr ssh-agent 1
@@ -324,12 +331,8 @@ Disable execution of
by
.Xr sshd 8
(permitted by default).
-.It Ic clear
-Clear all enabled permissions.
-This is useful for clearing the default set of permissions so permissions may
-be added individually.
-.It Ic permit-x11-forwarding
-Allows X11 forwarding.
+.It Ic no-x11-forwarding
+Disable X11 forwarding (permitted by default).
.It Ic permit-agent-forwarding
Allows
.Xr ssh-agent 1
@@ -343,14 +346,10 @@ Allows execution of
.Pa ~/.ssh/rc
by
.Xr sshd 8 .
-.It Ic force-command=command
-Forces the execution of
-.Ar command
-instead of any shell or command specified by the user when
-the certificate is used for authentication.
-.It Ic source-address=address_list
-Restrict the source addresses from which the certificate is considered valid
-from.
+.It Ic permit-x11-forwarding
+Allows X11 forwarding.
+.It Ic source-address Ns = Ns Ar address_list
+Restrict the source addresses from which the certificate is considered valid.
The
.Ar address_list
is a comma-separated list of one or more address/netmask pairs in CIDR
@@ -415,7 +414,7 @@ in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
of a minus sign followed by a relative time in the format described in the
.Sx TIME FORMATS
section of
-.Xr ssh_config 5 .
+.Xr sshd_config 5 .
The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
a relative time starting with a plus character.
.Pp
@@ -520,7 +519,7 @@ To generate a user certificate:
.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
.Pp
The resultant certificate will be placed in
-.Pa /path/to/user_key_cert.pub .
+.Pa /path/to/user_key-cert.pub .
A host certificate requires the
.Fl h
option:
@@ -528,7 +527,7 @@ option:
.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
.Pp
The host certificate will be output to
-.Pa /path/to/host_key_cert.pub .
+.Pa /path/to/host_key-cert.pub .
In both cases,
.Ar key_id
is a "key identifier" that is logged by the server when the certificate
@@ -540,7 +539,7 @@ By default, generated certificates are valid for all users or hosts.
To generate a certificate for a specified set of principals:
.Pp
.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
-.Dl $ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub
+.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
.Pp
Additional limitations on the validity and use of user certificates may
be specified through certificate constraints.
diff --git a/crypto/openssh/ssh-keygen.c b/crypto/openssh/ssh-keygen.c
index dd662c9..37e516f 100644
--- a/crypto/openssh/ssh-keygen.c
+++ b/crypto/openssh/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.184 2010/03/07 22:16:01 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.185 2010/03/15 19:40:02 stevesk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1393,7 +1393,8 @@ do_show_cert(struct passwd *pw)
SSH_FP_MD5, SSH_FP_HEX);
printf("%s:\n", identity_file);
- printf(" %s certificate %s\n", key_type(key), key_fp);
+ printf(" %s %s certificate %s\n", key_type(key),
+ key_cert_type(key), key_fp);
printf(" Signed by %s CA %s\n",
key_type(key->cert->signature_key), ca_fp);
printf(" Key ID \"%s\"\n", key->cert->key_id);
diff --git a/crypto/openssh/ssh-pkcs11-helper.c b/crypto/openssh/ssh-pkcs11-helper.c
index d3bfb98..8e3f57a 100644
--- a/crypto/openssh/ssh-pkcs11-helper.c
+++ b/crypto/openssh/ssh-pkcs11-helper.c
@@ -17,8 +17,6 @@
#include "includes.h"
-#ifdef ENABLE_PKCS11
-
#include <sys/types.h>
#ifdef HAVE_SYS_TIME_H
# include <sys/time.h>
@@ -39,6 +37,8 @@
#include "authfd.h"
#include "ssh-pkcs11.h"
+#ifdef ENABLE_PKCS11
+
/* borrows code from sftp-server and ssh-agent */
struct pkcs11_keyinfo {
diff --git a/crypto/openssh/ssh.1 b/crypto/openssh/ssh.1
index e3a826e..80f8d8c 100644
--- a/crypto/openssh/ssh.1
+++ b/crypto/openssh/ssh.1
@@ -34,9 +34,9 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.302 2010/03/05 10:28:21 djm Exp $
+.\" $OpenBSD: ssh.1,v 1.303 2010/03/26 00:26:58 djm Exp $
.\" $FreeBSD$
-.Dd March 5 2010
+.Dd March 26 2010
.Dt SSH 1
.Os
.Sh NAME
@@ -560,7 +560,10 @@ argument is
the listen port will be dynamically allocated on the server and reported
to the client at run time.
.It Fl S Ar ctl_path
-Specifies the location of a control socket for connection sharing.
+Specifies the location of a control socket for connection sharing
+or the string
+.Dq none
+to disable connection sharing.
Refer to the description of
.Cm ControlPath
and
diff --git a/crypto/openssh/ssh_config b/crypto/openssh/ssh_config
index 1edf164..3bda1b9 100644
--- a/crypto/openssh/ssh_config
+++ b/crypto/openssh/ssh_config
@@ -46,4 +46,4 @@
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
-# VersionAddendum FreeBSD-20100308
+# VersionAddendum FreeBSD-20100428
diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5
index 0f67fdc..88afdad 100644
--- a/crypto/openssh/ssh_config.5
+++ b/crypto/openssh/ssh_config.5
@@ -34,9 +34,9 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.129 2010/03/05 10:28:21 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.130 2010/03/26 01:06:13 dtucker Exp $
.\" $FreeBSD$
-.Dd March 5 2010
+.Dd March 26 2010
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -735,11 +735,7 @@ This allows a client to prefer one method (e.g.\&
over another method (e.g.\&
.Cm password )
The default for this option is:
-.Do gssapi-with-mic ,
-hostbased,
-publickey,
-keyboard-interactive,
-password
+.Do gssapi-with-mic,hostbased,publickey,keyboard-interactive,password
.Dc .
.It Cm Protocol
Specifies the protocol versions
@@ -1087,7 +1083,7 @@ in
Specifies a string to append to the regular version string to identify
OS- or site-specific modifications.
The default is
-.Dq FreeBSD-20100308 .
+.Dq FreeBSD-20100428 .
.It Cm VisualHostKey
If this flag is set to
.Dq yes ,
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index 44b7582..3c700f0 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -14,7 +14,7 @@
# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.
-#VersionAddendum FreeBSD-20100308
+#VersionAddendum FreeBSD-20100428
#Port 22
#AddressFamily any
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index d0d3053..bd667d7 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -988,7 +988,7 @@ The default is
Specifies a string to append to the regular version string to identify
OS- or site-specific modifications.
The default is
-.Dq FreeBSD-20100308 .
+.Dq FreeBSD-20100428 .
.It Cm X11DisplayOffset
Specifies the first display number available for
.Xr sshd 8 Ns 's
diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h
index d1d1452..6cc8d84 100644
--- a/crypto/openssh/version.h
+++ b/crypto/openssh/version.h
@@ -1,12 +1,12 @@
-/* $OpenBSD: version.h,v 1.57 2010/03/07 22:01:32 djm Exp $ */
+/* $OpenBSD: version.h,v 1.58 2010/03/16 16:36:49 djm Exp $ */
/* $FreeBSD$ */
#ifndef SSH_VERSION
#define SSH_VERSION (ssh_version_get())
#define SSH_RELEASE (ssh_version_get())
-#define SSH_VERSION_BASE "OpenSSH_5.4p1"
-#define SSH_VERSION_ADDENDUM "FreeBSD-20100308"
+#define SSH_VERSION_BASE "OpenSSH_5.5p1"
+#define SSH_VERSION_ADDENDUM "FreeBSD-20100428"
const char *ssh_version_get(void);
void ssh_version_set_addendum(const char *);