summaryrefslogtreecommitdiffstats
path: root/crypto/openssh
diff options
context:
space:
mode:
authordes <des@FreeBSD.org>2004-04-20 09:46:41 +0000
committerdes <des@FreeBSD.org>2004-04-20 09:46:41 +0000
commite5d801b2d6aab34943ecb74550a852aa69c82f38 (patch)
tree052572b83faf3cab81bed572534efc6912debcbf /crypto/openssh
parentefa35724649769e9a081ef6970590dd0b0a97370 (diff)
downloadFreeBSD-src-e5d801b2d6aab34943ecb74550a852aa69c82f38.zip
FreeBSD-src-e5d801b2d6aab34943ecb74550a852aa69c82f38.tar.gz
Resolve conflicts.
Diffstat (limited to 'crypto/openssh')
-rw-r--r--crypto/openssh/acconfig.h11
-rw-r--r--crypto/openssh/auth-krb5.c8
-rw-r--r--crypto/openssh/auth-pam.c39
-rw-r--r--crypto/openssh/auth-pam.h4
-rw-r--r--crypto/openssh/auth-passwd.c7
-rw-r--r--crypto/openssh/auth-skey.c3
-rw-r--r--crypto/openssh/auth.h1
-rw-r--r--crypto/openssh/auth1.c2
-rw-r--r--crypto/openssh/auth2.c6
-rw-r--r--crypto/openssh/canohost.c6
-rw-r--r--crypto/openssh/configure.ac123
-rw-r--r--crypto/openssh/loginrec.c4
-rw-r--r--crypto/openssh/monitor.c17
-rw-r--r--crypto/openssh/monitor_wrap.c10
-rw-r--r--crypto/openssh/monitor_wrap.h2
-rw-r--r--crypto/openssh/openbsd-compat/fake-rfc2553.h5
-rw-r--r--crypto/openssh/readconf.c14
-rw-r--r--crypto/openssh/readconf.h3
-rw-r--r--crypto/openssh/session.c12
-rw-r--r--crypto/openssh/ssh-agent.c9
-rw-r--r--crypto/openssh/ssh-keyscan.c4
-rw-r--r--crypto/openssh/ssh.13
-rw-r--r--crypto/openssh/ssh.c61
-rw-r--r--crypto/openssh/ssh_config.520
-rw-r--r--crypto/openssh/sshconnect2.c4
-rw-r--r--crypto/openssh/sshd.c45
-rw-r--r--crypto/openssh/sshd_config.511
-rw-r--r--crypto/openssh/sshlogin.c36
-rw-r--r--crypto/openssh/version.h2
29 files changed, 304 insertions, 168 deletions
diff --git a/crypto/openssh/acconfig.h b/crypto/openssh/acconfig.h
index abeecda..02e9e4f 100644
--- a/crypto/openssh/acconfig.h
+++ b/crypto/openssh/acconfig.h
@@ -1,4 +1,4 @@
-/* $Id: acconfig.h,v 1.173 2004/02/06 05:24:31 dtucker Exp $ */
+/* $Id: acconfig.h,v 1.177 2004/04/15 23:22:40 dtucker Exp $ */
/* $FreeBSD$ */
/*
@@ -132,6 +132,9 @@
/* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */
#undef AIX_LOGINFAILED_4ARG
+/* Define if your skeychallenge() function takes 4 arguments (eg NetBSD) */
+#undef SKEYCHALLENGE_4ARG
+
/* Define if you have/want arrays (cluster-wide session managment, not C arrays) */
#undef WITH_IRIX_ARRAY
@@ -203,6 +206,9 @@
/* Define if you don't want to use lastlog in session.c */
#undef NO_SSH_LASTLOG
+/* Define if have krb5_init_ets */
+#undef KRB5_INIT_ETS
+
/* Define if you don't want to use utmp */
#undef DISABLE_UTMP
@@ -351,6 +357,9 @@
/* getaddrinfo is broken (if present) */
#undef BROKEN_GETADDRINFO
+/* updwtmpx is broken (if present) */
+#undef BROKEN_UPDWTMPX
+
/* Workaround more Linux IPv6 quirks */
#undef DONT_TRY_OTHER_AF
diff --git a/crypto/openssh/auth-krb5.c b/crypto/openssh/auth-krb5.c
index 7270326..42b8026 100644
--- a/crypto/openssh/auth-krb5.c
+++ b/crypto/openssh/auth-krb5.c
@@ -55,7 +55,9 @@ krb5_init(void *context)
problem = krb5_init_context(&authctxt->krb5_ctx);
if (problem)
return (problem);
+#ifdef KRB5_INIT_ETS
krb5_init_ets(authctxt->krb5_ctx);
+#endif
}
return (0);
}
@@ -71,6 +73,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
#endif
krb5_error_code problem;
krb5_ccache ccache = NULL;
+ int len;
if (!authctxt->valid)
return (0);
@@ -176,6 +179,11 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
+ len = strlen(authctxt->krb5_ticket_file) + 6;
+ authctxt->krb5_ccname = xmalloc(len);
+ snprintf(authctxt->krb5_ccname, len, "FILE:%s",
+ authctxt->krb5_ticket_file);
+
out:
restore_uid();
diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c
index 0ea983f..9e30219 100644
--- a/crypto/openssh/auth-pam.c
+++ b/crypto/openssh/auth-pam.c
@@ -31,7 +31,7 @@
/* Based on $xFreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
#include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.95 2004/02/17 12:20:08 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.100 2004/04/18 01:00:26 dtucker Exp $");
RCSID("$FreeBSD$");
#ifdef USE_PAM
@@ -59,6 +59,7 @@ RCSID("$FreeBSD$");
extern ServerOptions options;
extern Buffer loginmsg;
extern int compat20;
+extern u_int utmp_len;
#ifdef USE_POSIX_THREADS
#include <pthread.h>
@@ -118,6 +119,7 @@ pthread_create(sp_pthread_t *thread, const void *attr __unused,
{
pid_t pid;
+ sshpam_thread_status = -1;
switch ((pid = fork())) {
case -1:
error("fork(): %s", strerror(errno));
@@ -160,7 +162,7 @@ static int sshpam_session_open = 0;
static int sshpam_cred_established = 0;
static int sshpam_account_status = -1;
static char **sshpam_env = NULL;
-static int *force_pwchange;
+static Authctxt *sshpam_authctxt = NULL;
/* Some PAM implementations don't implement this */
#ifndef HAVE_PAM_GETENVLIST
@@ -180,7 +182,9 @@ void
pam_password_change_required(int reqd)
{
debug3("%s %d", __func__, reqd);
- *force_pwchange = reqd;
+ if (sshpam_authctxt == NULL)
+ fatal("%s: PAM authctxt not initialized", __func__);
+ sshpam_authctxt->force_pwchange = reqd;
if (reqd) {
no_port_forwarding_flag |= 2;
no_agent_forwarding_flag |= 2;
@@ -202,6 +206,7 @@ import_environments(Buffer *b)
debug3("PAM: %s entering", __func__);
+#ifndef USE_POSIX_THREADS
/* Import variables set by do_pam_account */
sshpam_account_status = buffer_get_int(b);
pam_password_change_required(buffer_get_int(b));
@@ -229,6 +234,7 @@ import_environments(Buffer *b)
}
#endif
}
+#endif
}
/*
@@ -337,6 +343,9 @@ sshpam_thread(void *ctxtp)
sshpam_conv.conv = sshpam_thread_conv;
sshpam_conv.appdata_ptr = ctxt;
+ if (sshpam_authctxt == NULL)
+ fatal("%s: PAM authctxt not initialized", __func__);
+
buffer_init(&buffer);
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&sshpam_conv);
@@ -349,7 +358,7 @@ sshpam_thread(void *ctxtp)
if (compat20) {
if (!do_pam_account())
goto auth_fail;
- if (*force_pwchange) {
+ if (sshpam_authctxt->force_pwchange) {
sshpam_err = pam_chauthtok(sshpam_handle,
PAM_CHANGE_EXPIRED_AUTHTOK);
if (sshpam_err != PAM_SUCCESS)
@@ -363,7 +372,7 @@ sshpam_thread(void *ctxtp)
#ifndef USE_POSIX_THREADS
/* Export variables set by do_pam_account */
buffer_put_int(&buffer, sshpam_account_status);
- buffer_put_int(&buffer, *force_pwchange);
+ buffer_put_int(&buffer, sshpam_authctxt->force_pwchange);
/* Export any environment strings set in child */
for(i = 0; environ[i] != NULL; i++)
@@ -444,11 +453,10 @@ sshpam_cleanup(void)
}
static int
-sshpam_init(const char *user)
+sshpam_init(Authctxt *authctxt)
{
- extern u_int utmp_len;
extern char *__progname;
- const char *pam_rhost, *pam_user;
+ const char *pam_rhost, *pam_user, *user = authctxt->user;
if (sshpam_handle != NULL) {
/* We already have a PAM context; check if the user matches */
@@ -462,6 +470,8 @@ sshpam_init(const char *user)
debug("PAM: initializing for \"%s\"", user);
sshpam_err =
pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle);
+ sshpam_authctxt = authctxt;
+
if (sshpam_err != PAM_SUCCESS) {
pam_end(sshpam_handle, sshpam_err);
sshpam_handle = NULL;
@@ -504,7 +514,7 @@ sshpam_init_ctx(Authctxt *authctxt)
return NULL;
/* Initialize PAM */
- if (sshpam_init(authctxt->user) == -1) {
+ if (sshpam_init(authctxt) == -1) {
error("PAM: initialization failed");
return (NULL);
}
@@ -512,8 +522,6 @@ sshpam_init_ctx(Authctxt *authctxt)
ctxt = xmalloc(sizeof *ctxt);
memset(ctxt, 0, sizeof(*ctxt));
- force_pwchange = &(authctxt->force_pwchange);
-
/* Start the authentication thread */
if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
error("PAM: failed create sockets: %s", strerror(errno));
@@ -592,7 +600,10 @@ sshpam_query(void *ctx, char **name, char **info,
xfree(msg);
return (0);
}
- error("PAM: %s", msg);
+ error("PAM: %s for %s%.100s from %.100s", msg,
+ sshpam_authctxt->valid ? "" : "illegal user ",
+ sshpam_authctxt->user,
+ get_remote_name_or_ip(utmp_len, options.use_dns));
/* FALLTHROUGH */
default:
*num = 0;
@@ -672,12 +683,12 @@ KbdintDevice mm_sshpam_device = {
* This replaces auth-pam.c
*/
void
-start_pam(const char *user)
+start_pam(Authctxt *authctxt)
{
if (!options.use_pam)
fatal("PAM: initialisation requested when UsePAM=no");
- if (sshpam_init(user) == -1)
+ if (sshpam_init(authctxt) == -1)
fatal("PAM: initialisation failed");
}
diff --git a/crypto/openssh/auth-pam.h b/crypto/openssh/auth-pam.h
index cf74dd5..ff4b6f6 100644
--- a/crypto/openssh/auth-pam.h
+++ b/crypto/openssh/auth-pam.h
@@ -1,4 +1,4 @@
-/* $Id: auth-pam.h,v 1.24 2004/02/10 02:23:29 dtucker Exp $ */
+/* $Id: auth-pam.h,v 1.25 2004/03/08 12:04:07 dtucker Exp $ */
/* $FreeBSD$ */
/*
@@ -32,7 +32,7 @@
# define SSHD_PAM_SERVICE __progname
#endif
-void start_pam(const char *);
+void start_pam(Authctxt *);
void finish_pam(void);
u_int do_pam_account(void);
void do_pam_session(void);
diff --git a/crypto/openssh/auth-passwd.c b/crypto/openssh/auth-passwd.c
index 70e1491..38f610a 100644
--- a/crypto/openssh/auth-passwd.c
+++ b/crypto/openssh/auth-passwd.c
@@ -74,13 +74,6 @@ auth_password(Authctxt *authctxt, const char *password)
if (*password == '\0' && options.permit_empty_passwd == 0)
return 0;
-#if defined(HAVE_OSF_SIA)
- /*
- * XXX: any reason this is before krb? could be moved to
- * sys_auth_passwd()? -dt
- */
- return auth_sia_password(authctxt, password) && ok;
-#endif
#ifdef KRB5
if (options.kerberos_authentication == 1) {
int ret = auth_krb5_password(authctxt, password);
diff --git a/crypto/openssh/auth-skey.c b/crypto/openssh/auth-skey.c
index a534e35..331e9a7 100644
--- a/crypto/openssh/auth-skey.c
+++ b/crypto/openssh/auth-skey.c
@@ -56,7 +56,8 @@ skey_query(void *ctx, char **name, char **infotxt,
int len;
struct skey skey;
- if (skeychallenge(&skey, authctxt->user, challenge) == -1)
+ if (_compat_skeychallenge(&skey, authctxt->user, challenge,
+ sizeof(challenge)) == -1)
return -1;
*name = xstrdup("");
diff --git a/crypto/openssh/auth.h b/crypto/openssh/auth.h
index 2a5679b..83841b6 100644
--- a/crypto/openssh/auth.h
+++ b/crypto/openssh/auth.h
@@ -67,6 +67,7 @@ struct Authctxt {
krb5_ccache krb5_fwd_ccache;
krb5_principal krb5_user;
char *krb5_ticket_file;
+ char *krb5_ccname;
#endif
void *methoddata;
};
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c
index 64aa86e..7dd3a4a 100644
--- a/crypto/openssh/auth1.c
+++ b/crypto/openssh/auth1.c
@@ -308,7 +308,7 @@ do_authentication(Authctxt *authctxt)
#ifdef USE_PAM
if (options.use_pam)
- PRIVSEP(start_pam(user));
+ PRIVSEP(start_pam(authctxt));
#endif
/*
diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c
index a6b95dd..756f33c 100644
--- a/crypto/openssh/auth2.c
+++ b/crypto/openssh/auth2.c
@@ -159,24 +159,24 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
if (authctxt->attempt++ == 0) {
/* setup auth context */
authctxt->pw = PRIVSEP(getpwnamallow(user));
+ authctxt->user = xstrdup(user);
if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
authctxt->valid = 1;
debug2("input_userauth_request: setting up authctxt for %s", user);
#ifdef USE_PAM
if (options.use_pam)
- PRIVSEP(start_pam(authctxt->pw->pw_name));
+ PRIVSEP(start_pam(authctxt));
#endif
} else {
logit("input_userauth_request: illegal user %s", user);
authctxt->pw = fakepw();
#ifdef USE_PAM
if (options.use_pam)
- PRIVSEP(start_pam(user));
+ PRIVSEP(start_pam(authctxt));
#endif
}
setproctitle("%s%s", authctxt->pw ? user : "unknown",
use_privsep ? " [net]" : "");
- authctxt->user = xstrdup(user);
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
if (use_privsep)
diff --git a/crypto/openssh/canohost.c b/crypto/openssh/canohost.c
index f514592..a0067af 100644
--- a/crypto/openssh/canohost.c
+++ b/crypto/openssh/canohost.c
@@ -44,6 +44,9 @@ get_remote_hostname(int socket, int use_dns)
cleanup_exit(255);
}
+ if (from.ss_family == AF_INET)
+ check_ip_options(socket, ntop);
+
ipv64_normalise_mapped(&from, &fromlen);
if (from.ss_family == AF_INET6)
@@ -56,9 +59,6 @@ get_remote_hostname(int socket, int use_dns)
if (!use_dns)
return xstrdup(ntop);
- if (from.ss_family == AF_INET)
- check_ip_options(socket, ntop);
-
debug3("Trying to reverse map address %.100s.", ntop);
/* Map the IP address to a host name. */
if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
diff --git a/crypto/openssh/configure.ac b/crypto/openssh/configure.ac
index e6f4c88..41fdc34 100644
--- a/crypto/openssh/configure.ac
+++ b/crypto/openssh/configure.ac
@@ -1,5 +1,19 @@
-# $Id: configure.ac,v 1.202 2004/02/24 05:47:04 tim Exp $
# $FreeBSD$
+# $Id: configure.ac,v 1.202 2004/02/24 05:47:04 tim Exp $
+#
+# Copyright (c) 1999-2004 Damien Miller
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
AC_INIT
AC_CONFIG_SRCDIR([ssh.c])
@@ -196,10 +210,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
AC_DEFINE(DISABLE_UTMP)
AC_DEFINE(LOCKED_PASSWD_STRING, "*")
AC_DEFINE(SPT_TYPE,SPT_PSTAT)
- case "$host" in
- *-*-hpux11.11*)
- AC_DEFINE(BROKEN_GETADDRINFO);;
- esac
+ check_for_hpux_broken_getaddrinfo=1
LIBS="$LIBS -lsec"
AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
;;
@@ -222,6 +233,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
AC_DEFINE(SETEUID_BREAKS_SETUID)
AC_DEFINE(BROKEN_SETREUID)
AC_DEFINE(BROKEN_SETREGID)
+ AC_DEFINE(BROKEN_UPDWTMPX)
AC_DEFINE(WITH_ABBREV_NO_TTY)
AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
;;
@@ -231,7 +243,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
check_for_openpty_ctty_bug=1
AC_DEFINE(DONT_TRY_OTHER_AF)
AC_DEFINE(PAM_TTY_KLUDGE)
- AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!")
+ AC_DEFINE(LOCKED_PASSWD_PREFIX, "!")
AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
inet6_default_4in6=yes
case `uname -r` in
@@ -269,6 +281,9 @@ mips-sony-bsd|mips-sony-newsos4)
AC_DEFINE(BROKEN_SAVED_UIDS)
;;
*-*-solaris*)
+ if test "x$withval" != "xno" ; then
+ need_dash_r=1
+ fi
AC_DEFINE(PAM_SUN_CODEBASE)
AC_DEFINE(LOGIN_NEEDS_UTMPX)
AC_DEFINE(LOGIN_NEEDS_TERM)
@@ -345,6 +360,9 @@ mips-sony-bsd|mips-sony-newsos4)
AC_DEFINE(HAVE_SECUREWARE)
AC_DEFINE(DISABLE_SHADOW)
AC_DEFINE(BROKEN_SAVED_UIDS)
+ AC_DEFINE(SETEUID_BREAKS_SETUID)
+ AC_DEFINE(BROKEN_SETREUID)
+ AC_DEFINE(BROKEN_SETREGID)
AC_DEFINE(WITH_ABBREV_NO_TTY)
AC_CHECK_FUNCS(getluid setluid)
MANTYPE=man
@@ -492,10 +510,10 @@ AC_CHECK_HEADERS(bstring.h crypt.h endian.h features.h floatingpoint.h \
netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \
rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \
- sys/cdefs.h sys/mman.h sys/pstat.h sys/ptms.h sys/select.h sys/stat.h \
- sys/stream.h sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \
- sys/un.h time.h tmpdir.h ttyent.h usersec.h \
- util.h utime.h utmp.h utmpx.h vis.h)
+ sys/cdefs.h sys/mman.h sys/prctl.h sys/pstat.h sys/ptms.h \
+ sys/select.h sys/stat.h sys/stream.h sys/stropts.h \
+ sys/sysmacros.h sys/time.h sys/timers.h sys/un.h time.h tmpdir.h \
+ ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h)
# Checks for libraries.
AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match))
@@ -729,6 +747,15 @@ int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); }
AC_MSG_RESULT(no)
AC_MSG_ERROR([** Incomplete or missing s/key libraries.])
])
+ AC_MSG_CHECKING(if skeychallenge takes 4 arguments)
+ AC_TRY_COMPILE(
+ [#include <stdio.h>
+ #include <skey.h>],
+ [(void)skeychallenge(NULL,"name","",0);],
+ [AC_MSG_RESULT(yes)
+ AC_DEFINE(SKEYCHALLENGE_4ARG)],
+ [AC_MSG_RESULT(no)]
+ )
fi
]
)
@@ -803,6 +830,9 @@ AC_ARG_WITH(tcp-wrappers,
AC_MSG_CHECKING(for libwrap)
AC_TRY_LINK(
[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
#include <tcpd.h>
int deny_severity = 0, allow_severity = 0;
],
@@ -830,12 +860,12 @@ AC_CHECK_FUNCS(\
getpeereid _getpty getrlimit getttyent glob inet_aton \
inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \
mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \
- pstat readpassphrase realpath recvmsg rresvport_af sendmsg \
+ pstat prctl readpassphrase realpath recvmsg rresvport_af sendmsg \
setdtablesize setegid setenv seteuid setgroups setlogin setpcred \
setproctitle setregid setreuid setrlimit \
setsid setvbuf sigaction sigvec snprintf socketpair strerror \
strlcat strlcpy strmode strnvis strtoul sysconf tcgetpgrp \
- truncate updwtmpx utimes vhangup vsnprintf waitpid \
+ truncate unsetenv updwtmpx utimes vhangup vsnprintf waitpid \
)
# IRIX has a const char return value for gai_strerror()
@@ -1003,6 +1033,74 @@ main()
)
fi
+if test "x$ac_cv_func_getaddrinfo" = "xyes" -a "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
+ AC_MSG_CHECKING(if getaddrinfo seems to work)
+ AC_TRY_RUN(
+ [
+#include <stdio.h>
+#include <sys/socket.h>
+#include <netdb.h>
+#include <errno.h>
+#include <netinet/in.h>
+
+#define TEST_PORT "2222"
+
+int
+main(void)
+{
+ int err, sock;
+ struct addrinfo *gai_ai, *ai, hints;
+ char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = PF_UNSPEC;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_PASSIVE;
+
+ err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
+ if (err != 0) {
+ fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
+ exit(1);
+ }
+
+ for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
+ if (ai->ai_family != AF_INET6)
+ continue;
+
+ err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
+ sizeof(ntop), strport, sizeof(strport),
+ NI_NUMERICHOST|NI_NUMERICSERV);
+
+ if (err != 0) {
+ if (err == EAI_SYSTEM)
+ perror("getnameinfo EAI_SYSTEM");
+ else
+ fprintf(stderr, "getnameinfo failed: %s\n",
+ gai_strerror(err));
+ exit(2);
+ }
+
+ sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+ if (sock < 0)
+ perror("socket");
+ if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+ if (errno == EBADF)
+ exit(3);
+ }
+ }
+ exit(0);
+}
+ ],
+ [
+ AC_MSG_RESULT(yes)
+ ],
+ [
+ AC_MSG_RESULT(no)
+ AC_DEFINE(BROKEN_GETADDRINFO)
+ ]
+ )
+fi
+
AC_FUNC_GETPGRP
# Check for PAM libs
@@ -2197,6 +2295,7 @@ AC_ARG_WITH(kerberos5,
LIBS="$LIBS $K5LIBS"
AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS))
+ AC_SEARCH_LIBS(krb5_init_ets, $K5LIBS, AC_DEFINE(KRB5_INIT_ETS))
]
)
diff --git a/crypto/openssh/loginrec.c b/crypto/openssh/loginrec.c
index da69da3..90f9f74 100644
--- a/crypto/openssh/loginrec.c
+++ b/crypto/openssh/loginrec.c
@@ -158,8 +158,8 @@
#include "log.h"
#include "atomicio.h"
-RCSID("$Id: loginrec.c,v 1.54 2004/02/10 05:49:35 dtucker Exp $");
RCSID("$FreeBSD$");
+RCSID("$Id: loginrec.c,v 1.54 2004/02/10 05:49:35 dtucker Exp $");
#ifdef HAVE_UTIL_H
# include <util.h>
@@ -1356,7 +1356,7 @@ static int
syslogin_perform_logout(struct logininfo *li)
{
# ifdef HAVE_LOGOUT
- char line[8];
+ char line[UT_LINESIZE];
(void)line_stripname(line, li->line, sizeof(line));
diff --git a/crypto/openssh/monitor.c b/crypto/openssh/monitor.c
index 0fda0df..c04d1f7 100644
--- a/crypto/openssh/monitor.c
+++ b/crypto/openssh/monitor.c
@@ -46,7 +46,13 @@ RCSID("$FreeBSD$");
#include "auth.h"
#include "kex.h"
#include "dh.h"
+#ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */
+#undef TARGET_OS_MAC
#include "zlib.h"
+#define TARGET_OS_MAC 1
+#else
+#include "zlib.h"
+#endif
#include "packet.h"
#include "auth-options.h"
#include "sshpty.h"
@@ -747,7 +753,8 @@ mm_answer_skeyquery(int socket, Buffer *m)
char challenge[1024];
u_int success;
- success = skeychallenge(&skey, authctxt->user, challenge) < 0 ? 0 : 1;
+ success = _compat_skeychallenge(&skey, authctxt->user, challenge,
+ sizeof(challenge)) < 0 ? 0 : 1;
buffer_clear(m);
buffer_put_int(m, success);
@@ -791,16 +798,10 @@ mm_answer_skeyrespond(int socket, Buffer *m)
int
mm_answer_pam_start(int socket, Buffer *m)
{
- char *user;
-
if (!options.use_pam)
fatal("UsePAM not set, but ended up in %s anyway", __func__);
- user = buffer_get_string(m, NULL);
-
- start_pam(user);
-
- xfree(user);
+ start_pam(authctxt);
monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
diff --git a/crypto/openssh/monitor_wrap.c b/crypto/openssh/monitor_wrap.c
index b250af5..b4f2a89 100644
--- a/crypto/openssh/monitor_wrap.c
+++ b/crypto/openssh/monitor_wrap.c
@@ -41,7 +41,13 @@ RCSID("$FreeBSD$");
#include "packet.h"
#include "mac.h"
#include "log.h"
+#ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */
+#undef TARGET_OS_MAC
#include "zlib.h"
+#define TARGET_OS_MAC 1
+#else
+#include "zlib.h"
+#endif
#include "monitor.h"
#include "monitor_wrap.h"
#include "xmalloc.h"
@@ -687,7 +693,7 @@ mm_session_pty_cleanup2(Session *s)
#ifdef USE_PAM
void
-mm_start_pam(char *user)
+mm_start_pam(Authctxt *authctxt)
{
Buffer m;
@@ -696,8 +702,6 @@ mm_start_pam(char *user)
fatal("UsePAM=no, but ended up in %s anyway", __func__);
buffer_init(&m);
- buffer_put_cstring(&m, user);
-
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, &m);
buffer_free(&m);
diff --git a/crypto/openssh/monitor_wrap.h b/crypto/openssh/monitor_wrap.h
index c31bd2e..a7c9edd 100644
--- a/crypto/openssh/monitor_wrap.h
+++ b/crypto/openssh/monitor_wrap.h
@@ -67,7 +67,7 @@ OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
#endif
#ifdef USE_PAM
-void mm_start_pam(char *);
+void mm_start_pam(struct Authctxt *);
u_int mm_do_pam_account(void);
void *mm_sshpam_init_ctx(struct Authctxt *);
int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
diff --git a/crypto/openssh/openbsd-compat/fake-rfc2553.h b/crypto/openssh/openbsd-compat/fake-rfc2553.h
index be93ee8..a19a42f 100644
--- a/crypto/openssh/openbsd-compat/fake-rfc2553.h
+++ b/crypto/openssh/openbsd-compat/fake-rfc2553.h
@@ -1,5 +1,5 @@
-/* $Id: fake-rfc2553.h,v 1.8 2004/02/10 02:05:41 dtucker Exp $ */
/* $FreeBSD$ */
+/* $Id: fake-rfc2553.h,v 1.8 2004/02/10 02:05:41 dtucker Exp $ */
/*
* Copyright (C) 2000-2003 Damien Miller. All rights reserved.
@@ -134,6 +134,9 @@ struct addrinfo {
#endif /* !HAVE_STRUCT_ADDRINFO */
#ifndef HAVE_GETADDRINFO
+#ifdef getaddrinfo
+# undef getaddrinfo
+#endif
#define getaddrinfo(a,b,c,d) (ssh_getaddrinfo(a,b,c,d))
int getaddrinfo(const char *, const char *,
const struct addrinfo *, struct addrinfo **);
diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c
index 1494abd..9cc6ce7 100644
--- a/crypto/openssh/readconf.c
+++ b/crypto/openssh/readconf.c
@@ -12,8 +12,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.127 2003/12/16 15:49:51 markus Exp $");
RCSID("$FreeBSD$");
+RCSID("$OpenBSD: readconf.c,v 1.127 2003/12/16 15:49:51 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
@@ -106,8 +106,12 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+<<<<<<< readconf.c
oServerAliveInterval, oServerAliveCountMax,
oVersionAddendum,
+=======
+ oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+>>>>>>> 1.1.1.15
oDeprecated, oUnsupported
} OpCodes;
@@ -149,6 +153,7 @@ static struct {
{ "usersh", oDeprecated },
{ "identityfile", oIdentityFile },
{ "identityfile2", oIdentityFile }, /* alias */
+ { "identitiesonly", oIdentitiesOnly },
{ "hostname", oHostName },
{ "hostkeyalias", oHostKeyAlias },
{ "proxycommand", oProxyCommand },
@@ -739,6 +744,10 @@ parse_int:
intptr = &options->enable_ssh_keysign;
goto parse_flag;
+ case oIdentitiesOnly:
+ intptr = &options->identities_only;
+ goto parse_flag;
+
case oServerAliveInterval:
intptr = &options->server_alive_interval;
goto parse_time;
@@ -879,6 +888,7 @@ initialize_options(Options * options)
options->smartcard_device = NULL;
options->enable_ssh_keysign = - 1;
options->no_host_authentication_for_localhost = - 1;
+ options->identities_only = - 1;
options->rekey_limit = - 1;
options->verify_host_key_dns = -1;
options->server_alive_interval = -1;
@@ -991,6 +1001,8 @@ fill_default_options(Options * options)
clear_forwardings(options);
if (options->no_host_authentication_for_localhost == - 1)
options->no_host_authentication_for_localhost = 0;
+ if (options->identities_only == -1)
+ options->identities_only = 0;
if (options->enable_ssh_keysign == -1)
options->enable_ssh_keysign = 0;
if (options->rekey_limit == -1)
diff --git a/crypto/openssh/readconf.h b/crypto/openssh/readconf.h
index 3f27af9..93d833c 100644
--- a/crypto/openssh/readconf.h
+++ b/crypto/openssh/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.59 2003/12/16 15:49:51 markus Exp $ */
+/* $OpenBSD: readconf.h,v 1.60 2004/03/05 10:53:58 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -100,6 +100,7 @@ typedef struct {
int enable_ssh_keysign;
int rekey_limit;
int no_host_authentication_for_localhost;
+ int identities_only;
int server_alive_interval;
int server_alive_count_max;
} Options;
diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c
index 3913214..3f9049f 100644
--- a/crypto/openssh/session.c
+++ b/crypto/openssh/session.c
@@ -202,6 +202,7 @@ display_loginmsg(void)
printf("%s\n", (char *)buffer_ptr(&loginmsg));
buffer_clear(&loginmsg);
}
+ fflush(stdout);
}
void
@@ -493,6 +494,13 @@ do_exec_no_pty(Session *s, const char *command)
close(err[0]);
/*
+ * Clear loginmsg, since it's the child's responsibility to display
+ * it to the user, otherwise multiple sessions may accumulate
+ * multiple copies of the login messages.
+ */
+ buffer_clear(&loginmsg);
+
+ /*
* Enter the interactive session. Note: server_loop must be able to
* handle the case that fdin and fdout are the same.
*/
@@ -1116,9 +1124,9 @@ do_setup_env(Session *s, const char *shell)
}
#endif
#ifdef KRB5
- if (s->authctxt->krb5_ticket_file)
+ if (s->authctxt->krb5_ccname)
child_set_env(&env, &envsize, "KRB5CCNAME",
- s->authctxt->krb5_ticket_file);
+ s->authctxt->krb5_ccname);
#endif
#ifdef USE_PAM
/*
diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c
index f7fe0cd..29aa7dd 100644
--- a/crypto/openssh/ssh-agent.c
+++ b/crypto/openssh/ssh-agent.c
@@ -58,6 +58,10 @@ RCSID("$FreeBSD$");
#include "scard.h"
#endif
+#if defined(HAVE_SYS_PRCTL_H)
+#include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */
+#endif
+
typedef enum {
AUTH_UNUSED,
AUTH_SOCKET,
@@ -1025,6 +1029,11 @@ main(int ac, char **av)
setgid(getgid());
setuid(geteuid());
+#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+ /* Disable ptrace on Linux without sgid bit */
+ prctl(PR_SET_DUMPABLE, 0);
+#endif
+
SSLeay_add_all_algorithms();
__progname = ssh_get_progname(av[0]);
diff --git a/crypto/openssh/ssh-keyscan.c b/crypto/openssh/ssh-keyscan.c
index 68b6a0a..266b23c 100644
--- a/crypto/openssh/ssh-keyscan.c
+++ b/crypto/openssh/ssh-keyscan.c
@@ -7,7 +7,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-keyscan.c,v 1.46 2003/11/23 23:17:34 djm Exp $");
+RCSID("$OpenBSD: ssh-keyscan.c,v 1.47 2004/03/08 09:38:05 djm Exp $");
#include "openbsd-compat/sys-queue.h"
@@ -489,7 +489,7 @@ conrecycle(int s)
static void
congreet(int s)
{
- int remote_major, remote_minor, n = 0;
+ int remote_major = 0, remote_minor = 0, n = 0;
char buf[256], *cp;
char remote_version[sizeof buf];
size_t bufsiz;
diff --git a/crypto/openssh/ssh.1 b/crypto/openssh/ssh.1
index 9a140fa..da812d6 100644
--- a/crypto/openssh/ssh.1
+++ b/crypto/openssh/ssh.1
@@ -34,8 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.181 2003/12/16 15:49:51 markus Exp $
.\" $FreeBSD$
+.\" $OpenBSD: ssh.1,v 1.181 2003/12/16 15:49:51 markus Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
@@ -636,6 +636,7 @@ For full details of the options listed below, and their possible values, see
.It HostKeyAlias
.It HostName
.It IdentityFile
+.It IdentitiesOnly
.It LocalForward
.It LogLevel
.It MACs
diff --git a/crypto/openssh/ssh.c b/crypto/openssh/ssh.c
index b47f301..d4535b8 100644
--- a/crypto/openssh/ssh.c
+++ b/crypto/openssh/ssh.c
@@ -40,8 +40,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.206 2003/12/16 15:49:51 markus Exp $");
RCSID("$FreeBSD$");
+RCSID("$OpenBSD: ssh.c,v 1.206 2003/12/16 15:49:51 markus Exp $");
#include <openssl/evp.h>
#include <openssl/err.h>
@@ -147,49 +147,12 @@ pid_t proxy_command_pid = 0;
static void
usage(void)
{
- fprintf(stderr, "Usage: %s [options] host [command]\n", __progname);
- fprintf(stderr, "Options:\n");
- fprintf(stderr, " -l user Log in using this user name.\n");
- fprintf(stderr, " -n Redirect input from " _PATH_DEVNULL ".\n");
- fprintf(stderr, " -F config Config file (default: ~/%s).\n",
- _PATH_SSH_USER_CONFFILE);
- fprintf(stderr, " -A Enable authentication agent forwarding.\n");
- fprintf(stderr, " -a Disable authentication agent forwarding (default).\n");
- fprintf(stderr, " -X Enable X11 connection forwarding.\n");
- fprintf(stderr, " -Y Enable trusted X11 connection forwarding.\n");
- fprintf(stderr, " -x Disable X11 connection forwarding (default).\n");
- fprintf(stderr, " -i file Identity for public key authentication "
- "(default: ~/.ssh/identity)\n");
-#ifdef SMARTCARD
- fprintf(stderr, " -I reader Set smartcard reader.\n");
-#endif
- fprintf(stderr, " -t Tty; allocate a tty even if command is given.\n");
- fprintf(stderr, " -T Do not allocate a tty.\n");
- fprintf(stderr, " -v Verbose; display verbose debugging messages.\n");
- fprintf(stderr, " Multiple -v increases verbosity.\n");
- fprintf(stderr, " -V Display version number only.\n");
- fprintf(stderr, " -q Quiet; don't display any warning messages.\n");
- fprintf(stderr, " -f Fork into background after authentication.\n");
- fprintf(stderr, " -e char Set escape character; ``none'' = disable (default: ~).\n");
-
- fprintf(stderr, " -c cipher Select encryption algorithm\n");
- fprintf(stderr, " -m macs Specify MAC algorithms for protocol version 2.\n");
- fprintf(stderr, " -p port Connect to this port. Server must be on the same port.\n");
- fprintf(stderr, " -L listen-port:host:port Forward local port to remote address\n");
- fprintf(stderr, " -R listen-port:host:port Forward remote port to local address\n");
- fprintf(stderr, " These cause %s to listen for connections on a port, and\n", __progname);
- fprintf(stderr, " forward them to the other side by connecting to host:port.\n");
- fprintf(stderr, " -D port Enable dynamic application-level port forwarding.\n");
- fprintf(stderr, " -C Enable compression.\n");
- fprintf(stderr, " -N Do not execute a shell or command.\n");
- fprintf(stderr, " -g Allow remote hosts to connect to forwarded ports.\n");
- fprintf(stderr, " -1 Force protocol version 1.\n");
- fprintf(stderr, " -2 Force protocol version 2.\n");
- fprintf(stderr, " -4 Use IPv4 only.\n");
- fprintf(stderr, " -6 Use IPv6 only.\n");
- fprintf(stderr, " -o 'option' Process the option as if it was read from a configuration file.\n");
- fprintf(stderr, " -s Invoke command (mandatory) as SSH2 subsystem.\n");
- fprintf(stderr, " -b addr Local IP address.\n");
+ fprintf(stderr,
+"usage: ssh [-1246AaCfghkNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
+" [-D port] [-e escape_char] [-F configfile] [-i identity_file]\n"
+" [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option]\n"
+" [-p port] [-R port:host:hostport] [user@]hostname [command]\n"
+ );
exit(1);
}
@@ -348,12 +311,8 @@ again:
}
/* fallthrough */
case 'V':
- fprintf(stderr,
- "%s, SSH protocols %d.%d/%d.%d, %s\n",
- SSH_VERSION,
- PROTOCOL_MAJOR_1, PROTOCOL_MINOR_1,
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
- SSLeay_version(SSLEAY_VERSION));
+ fprintf(stderr, "%s, %s\n",
+ SSH_VERSION, SSLeay_version(SSLEAY_VERSION));
if (opt == 'V')
exit(0);
break;
@@ -795,7 +754,7 @@ x11_get_proto(char **_proto, char **_data)
xauthdir);
snprintf(cmd, sizeof(cmd),
"%s -f %s generate %s " SSH_X11_PROTO
- " untrusted timeout 120 2>" _PATH_DEVNULL,
+ " untrusted timeout 1200 2>" _PATH_DEVNULL,
options.xauth_location, xauthfile, display);
debug2("x11_get_proto: %s", cmd);
if (system(cmd) == 0)
diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5
index 77df576..ee8baea 100644
--- a/crypto/openssh/ssh_config.5
+++ b/crypto/openssh/ssh_config.5
@@ -34,8 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.28 2003/12/16 15:49:51 markus Exp $
.\" $FreeBSD$
+.\" $OpenBSD: ssh_config.5,v 1.28 2003/12/16 15:49:51 markus Exp $
.Dd September 25, 1999
.Dt SSH_CONFIG 5
.Os
@@ -407,6 +407,24 @@ syntax to refer to a user's home directory.
It is possible to have
multiple identity files specified in configuration files; all these
identities will be tried in sequence.
+.It Cm IdentitiesOnly
+Specifies that
+.Nm ssh
+should only use the authentication identity files configured in the
+.Nm
+files,
+even if the
+.Nm ssh-agent
+offers more identities.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+This option is intented for situations where
+.Nm ssh-agent
+offers many different identities.
+The default is
+.Dq no .
.It Cm LocalForward
Specifies that a TCP/IP port on the local machine be forwarded over
the secure channel to the specified host and port from the remote machine.
diff --git a/crypto/openssh/sshconnect2.c b/crypto/openssh/sshconnect2.c
index 3a21811..c261dfd 100644
--- a/crypto/openssh/sshconnect2.c
+++ b/crypto/openssh/sshconnect2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.134 2004/01/19 21:25:15 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.135 2004/03/05 10:53:58 markus Exp $");
#include "openbsd-compat/sys-queue.h"
@@ -1044,7 +1044,7 @@ pubkey_prepare(Authctxt *authctxt)
break;
}
}
- if (!found) {
+ if (!found && !options.identities_only) {
id = xmalloc(sizeof(*id));
memset(id, 0, sizeof(*id));
id->key = key;
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
index c660fc2..22c2e3d 100644
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@@ -42,8 +42,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.286 2004/02/23 12:02:33 markus Exp $");
RCSID("$FreeBSD$");
+RCSID("$OpenBSD: sshd.c,v 1.286 2004/02/23 12:02:33 markus Exp $");
#include <openssl/dh.h>
#include <openssl/bn.h>
@@ -106,7 +106,6 @@ extern char *__progname;
#else
char *__progname;
#endif
-extern char **environ;
/* Server configuration options. */
ServerOptions options;
@@ -573,7 +572,7 @@ privsep_preauth_child(void)
debug3("privsep user:group %u:%u", (u_int)pw->pw_uid,
(u_int)pw->pw_gid);
#if 0
- /* XXX not ready, to heavy after chroot */
+ /* XXX not ready, too heavy after chroot */
do_setusercontext(pw);
#else
gidset[0] = pw->pw_gid;
@@ -769,26 +768,12 @@ drop_connection(int startups)
static void
usage(void)
{
- fprintf(stderr, "sshd version %s, %s\n",
+ fprintf(stderr, "%s, %s\n",
SSH_VERSION, SSLeay_version(SSLEAY_VERSION));
- fprintf(stderr, "Usage: %s [options]\n", __progname);
- fprintf(stderr, "Options:\n");
- fprintf(stderr, " -f file Configuration file (default %s)\n", _PATH_SERVER_CONFIG_FILE);
- fprintf(stderr, " -d Debugging mode (multiple -d means more debugging)\n");
- fprintf(stderr, " -i Started from inetd\n");
- fprintf(stderr, " -D Do not fork into daemon mode\n");
- fprintf(stderr, " -t Only test configuration file and keys\n");
- fprintf(stderr, " -q Quiet (no logging)\n");
- fprintf(stderr, " -p port Listen on the specified port (default: 22)\n");
- fprintf(stderr, " -k seconds Regenerate server key every this many seconds (default: 3600)\n");
- fprintf(stderr, " -g seconds Grace period for authentication (default: 600)\n");
- fprintf(stderr, " -b bits Size of server RSA key (default: 768 bits)\n");
- fprintf(stderr, " -h file File from which to read host key (default: %s)\n",
- _PATH_HOST_KEY_FILE);
- fprintf(stderr, " -u len Maximum hostname length for utmp recording\n");
- fprintf(stderr, " -4 Use IPv4 only\n");
- fprintf(stderr, " -6 Use IPv6 only\n");
- fprintf(stderr, " -o option Process the option as if it was read from a configuration file.\n");
+ fprintf(stderr,
+"usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]\n"
+" [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]\n"
+ );
exit(1);
}
@@ -837,6 +822,9 @@ main(int ac, char **av)
av = saved_argv;
#endif
+ if (geteuid() == 0 && setgroups(0, NULL) == -1)
+ debug("setgroups(): %.200s", strerror(errno));
+
/* Initialize configuration options to their default values. */
initialize_server_options(&options);
@@ -945,6 +933,13 @@ main(int ac, char **av)
SYSLOG_FACILITY_AUTH : options.log_facility,
log_stderr || !inetd_flag);
+#ifdef _AIX
+ /*
+ * Unset KRB5CCNAME, otherwise the user's session may inherit it from
+ * root's environment
+ */
+ unsetenv("KRB5CCNAME");
+#endif /* _AIX */
#ifdef _UNICOS
/* Cray can define user privs drop all prives now!
* Not needed on PRIV_SU systems!
@@ -1111,11 +1106,6 @@ main(int ac, char **av)
unmounted if desired. */
chdir("/");
-#ifndef HAVE_CYGWIN
- /* Clear environment */
- environ[0] = NULL;
-#endif
-
/* ignore SIGPIPE */
signal(SIGPIPE, SIG_IGN);
@@ -1394,6 +1384,7 @@ main(int ac, char **av)
}
/* This is the child processing a new connection. */
+ setproctitle("%s", "[accepted]");
/*
* Create a new session and process group since the 4.4BSD
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index 848bc32..1e62104 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -34,8 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.28 2004/02/17 19:35:21 jmc Exp $
.\" $FreeBSD$
+.\" $OpenBSD: sshd_config.5,v 1.28 2004/02/17 19:35:21 jmc Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
@@ -306,6 +306,11 @@ To use this option, the server needs a
Kerberos servtab which allows the verification of the KDC's identity.
Default is
.Dq no .
+.It Cm KerberosGetAFSToken
+If AFS is active and the user has a Kerberos 5 TGT, attempt to aquire
+an AFS token before accessing the user's home directory.
+Default is
+.Dq no .
.It Cm KerberosOrLocalPasswd
If set then if password authentication through Kerberos fails then
the password will be validated via any additional local mechanism
@@ -457,7 +462,9 @@ the root user may be allowed in with its password even if
.Pp
If this option is set to
.Dq without-password
-password authentication is disabled for root.
+password authentication is disabled for root. Note that other authentication
+methods (e.g., keyboard-interactive/PAM) may still allow root to login using
+a password.
.Pp
If this option is set to
.Dq forced-commands-only
diff --git a/crypto/openssh/sshlogin.c b/crypto/openssh/sshlogin.c
index 36b6489..e1cc4cc 100644
--- a/crypto/openssh/sshlogin.c
+++ b/crypto/openssh/sshlogin.c
@@ -52,11 +52,11 @@ u_long
get_last_login_time(uid_t uid, const char *logname,
char *buf, u_int bufsize)
{
- struct logininfo li;
+ struct logininfo li;
- login_get_lastlog(&li, uid);
- strlcpy(buf, li.hostname, bufsize);
- return li.tv_sec;
+ login_get_lastlog(&li, uid);
+ strlcpy(buf, li.hostname, bufsize);
+ return li.tv_sec;
}
/*
@@ -67,12 +67,12 @@ void
record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid,
const char *host, struct sockaddr * addr, socklen_t addrlen)
{
- struct logininfo *li;
+ struct logininfo *li;
- li = login_alloc_entry(pid, user, host, ttyname);
- login_set_addr(li, addr, addrlen);
- login_login(li);
- login_free_entry(li);
+ li = login_alloc_entry(pid, user, host, ttyname);
+ login_set_addr(li, addr, addrlen);
+ login_login(li);
+ login_free_entry(li);
}
#ifdef LOGIN_NEEDS_UTMPX
@@ -80,12 +80,12 @@ void
record_utmp_only(pid_t pid, const char *ttyname, const char *user,
const char *host, struct sockaddr * addr, socklen_t addrlen)
{
- struct logininfo *li;
+ struct logininfo *li;
- li = login_alloc_entry(pid, user, host, ttyname);
- login_set_addr(li, addr, addrlen);
- login_utmp_only(li);
- login_free_entry(li);
+ li = login_alloc_entry(pid, user, host, ttyname);
+ login_set_addr(li, addr, addrlen);
+ login_utmp_only(li);
+ login_free_entry(li);
}
#endif
@@ -93,9 +93,9 @@ record_utmp_only(pid_t pid, const char *ttyname, const char *user,
void
record_logout(pid_t pid, const char *ttyname, const char *user)
{
- struct logininfo *li;
+ struct logininfo *li;
- li = login_alloc_entry(pid, user, NULL, ttyname);
- login_logout(li);
- login_free_entry(li);
+ li = login_alloc_entry(pid, user, NULL, ttyname);
+ login_logout(li);
+ login_free_entry(li);
}
diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h
index 51a95f3..7acdecb 100644
--- a/crypto/openssh/version.h
+++ b/crypto/openssh/version.h
@@ -1,5 +1,5 @@
-/* $OpenBSD: version.h,v 1.40 2004/02/23 15:16:46 markus Exp $ */
/* $FreeBSD$ */
+/* $OpenBSD: version.h,v 1.40 2004/02/23 15:16:46 markus Exp $ */
#ifndef SSH_VERSION
OpenPOWER on IntegriCloud