Diffstat (limited to 'crypto/openssh')
-rw-r--r--crypto/openssh/COPYING.Ylonen70
-rw-r--r--crypto/openssh/FREEBSD-Xlist10
-rw-r--r--crypto/openssh/FREEBSD-tricks20
-rw-r--r--crypto/openssh/FREEBSD-upgrade130
-rw-r--r--crypto/openssh/Makefile14
-rw-r--r--crypto/openssh/README.openssh244
-rw-r--r--crypto/openssh/acconfig.h19
-rw-r--r--crypto/openssh/auth-chall.c27
-rw-r--r--crypto/openssh/auth-krb4.c5
-rw-r--r--crypto/openssh/auth-krb5.c7
-rw-r--r--crypto/openssh/auth-pam.c11
-rw-r--r--crypto/openssh/auth-pam.h5
-rw-r--r--crypto/openssh/auth-passwd.c95
-rw-r--r--crypto/openssh/auth-skey.c9
-rw-r--r--crypto/openssh/auth.c53
-rw-r--r--crypto/openssh/auth.h9
-rw-r--r--crypto/openssh/auth1.c23
-rw-r--r--crypto/openssh/auth2-chall.c20
-rw-r--r--crypto/openssh/auth2-kbdint.c5
-rw-r--r--crypto/openssh/auth2-pam-freebsd.c630
-rw-r--r--crypto/openssh/auth2-pam.c6
-rw-r--r--crypto/openssh/auth2-skey.c104
-rw-r--r--crypto/openssh/auth2.c35
-rw-r--r--crypto/openssh/authfd.c11
-rw-r--r--crypto/openssh/authfile.c33
-rw-r--r--crypto/openssh/aux.c36
-rw-r--r--crypto/openssh/bufaux.c5
-rw-r--r--crypto/openssh/canohost.c26
-rw-r--r--crypto/openssh/channels.c24
-rw-r--r--crypto/openssh/channels.h1
-rw-r--r--crypto/openssh/cipher.c5
-rw-r--r--crypto/openssh/cli.c231
-rw-r--r--crypto/openssh/cli.h42
-rw-r--r--crypto/openssh/compat.c23
-rw-r--r--crypto/openssh/compat.h4
-rw-r--r--crypto/openssh/config.h908
-rw-r--r--crypto/openssh/configure.ac162
-rw-r--r--crypto/openssh/dsa.c304
-rw-r--r--crypto/openssh/dsa.h45
-rw-r--r--crypto/openssh/fingerprint.c69
-rw-r--r--crypto/openssh/fingerprint.h34
-rw-r--r--crypto/openssh/hmac.c54
-rw-r--r--crypto/openssh/hmac.h34
-rw-r--r--crypto/openssh/hostfile.c1
-rw-r--r--crypto/openssh/includes.h7
-rw-r--r--crypto/openssh/key.c9
-rw-r--r--crypto/openssh/lib/Makefile35
-rw-r--r--crypto/openssh/log-client.c84
-rw-r--r--crypto/openssh/log-server.c173
-rw-r--r--crypto/openssh/login.c145
-rw-r--r--crypto/openssh/loginrec.c71
-rw-r--r--crypto/openssh/monitor.c164
-rw-r--r--crypto/openssh/monitor.h5
-rw-r--r--crypto/openssh/monitor_wrap.c117
-rw-r--r--crypto/openssh/monitor_wrap.h5
-rw-r--r--crypto/openssh/myproposal.h3
-rw-r--r--crypto/openssh/nchan.h91
-rw-r--r--crypto/openssh/packet.h2
-rw-r--r--crypto/openssh/pty.c275
-rw-r--r--crypto/openssh/pty.h47
-rw-r--r--crypto/openssh/readconf.c36
-rw-r--r--crypto/openssh/readconf.h4
-rw-r--r--crypto/openssh/rijndael.c1
-rw-r--r--crypto/openssh/scard/Makefile20
-rw-r--r--crypto/openssh/scp-common.c98
-rw-r--r--crypto/openssh/scp-common.h64
-rw-r--r--crypto/openssh/scp.c337
-rw-r--r--crypto/openssh/scp/Makefile15
-rw-r--r--crypto/openssh/servconf.c39
-rw-r--r--crypto/openssh/servconf.h1
-rw-r--r--crypto/openssh/serverloop.c3
-rw-r--r--crypto/openssh/session.c118
-rw-r--r--crypto/openssh/session.h1
-rw-r--r--crypto/openssh/sftp-server/Makefile18
-rw-r--r--crypto/openssh/sftp/Makefile19
-rw-r--r--crypto/openssh/ssh-add.c27
-rw-r--r--crypto/openssh/ssh-add/Makefile18
-rw-r--r--crypto/openssh/ssh-agent.c81
-rw-r--r--crypto/openssh/ssh-agent/Makefile18
-rw-r--r--crypto/openssh/ssh-keygen/Makefile18
-rw-r--r--crypto/openssh/ssh-keyscan.c5
-rw-r--r--crypto/openssh/ssh-keyscan/Makefile18
-rw-r--r--crypto/openssh/ssh-keysign/Makefile18
-rw-r--r--crypto/openssh/ssh.147
-rw-r--r--crypto/openssh/ssh.c37
-rw-r--r--crypto/openssh/ssh.h1
-rw-r--r--crypto/openssh/ssh/Makefile40
-rw-r--r--crypto/openssh/ssh_config4
-rw-r--r--crypto/openssh/ssh_config.555
-rw-r--r--crypto/openssh/sshconnect.c13
-rw-r--r--crypto/openssh/sshconnect1.c1
-rw-r--r--crypto/openssh/sshconnect2.c41
-rw-r--r--crypto/openssh/sshd.852
-rw-r--r--crypto/openssh/sshd.c48
-rw-r--r--crypto/openssh/sshd/Makefile56
-rw-r--r--crypto/openssh/sshd_config17
-rw-r--r--crypto/openssh/sshd_config.596
-rw-r--r--crypto/openssh/sshlogin.c1
-rw-r--r--crypto/openssh/sshlogin.h1
-rw-r--r--crypto/openssh/sshpty.c7
-rw-r--r--crypto/openssh/util.c96
-rw-r--r--crypto/openssh/version.c59
-rw-r--r--crypto/openssh/version.h14
103 files changed, 2946 insertions, 3353 deletions
diff --git a/crypto/openssh/COPYING.Ylonen b/crypto/openssh/COPYING.Ylonen
deleted file mode 100644
index 5e681ed..0000000
--- a/crypto/openssh/COPYING.Ylonen
+++ /dev/null
@@ -1,70 +0,0 @@
-This file is part of the ssh software, Copyright (c) 1995 Tatu Ylonen, Finland
-
-
-COPYING POLICY AND OTHER LEGAL ISSUES
-
-As far as I am concerned, the code I have written for this software
-can be used freely for any purpose. Any derived versions of this
-software must be clearly marked as such, and if the derived work is
-incompatible with the protocol description in the RFC file, it must be
-called by a name other than "ssh" or "Secure Shell".
-
-However, I am not implying to give any licenses to any patents or
-copyrights held by third parties, and the software includes parts that
-are not under my direct control. As far as I know, all included
-source code is used in accordance with the relevant license agreements
-and can be used freely for any purpose (the GNU license being the most
-restrictive); see below for details.
-
-[ RSA is no longer included. ]
-[ IDEA is no longer included. ]
-[ DES is now external. ]
-[ GMP is now external. No more GNU licence. ]
-[ Zlib is now external. ]
-[ The make-ssh-known-hosts script is no longer included. ]
-[ TSS has been removed. ]
-[ MD5 is now external. ]
-[ RC4 support has been removed. ]
-[ Blowfish is now external. ]
-
-The 32-bit CRC implementation in crc32.c is due to Gary S. Brown.
-Comments in the file indicate it may be used for any purpose without
-restrictions.
-
-The 32-bit CRC compensation attack detector in deattack.c was
-contributed by CORE SDI S.A. under a BSD-style license. See
-http://www.core-sdi.com/english/ssh/ for details.
-
-Note that any information and cryptographic algorithms used in this
-software are publicly available on the Internet and at any major
-bookstore, scientific library, and patent office worldwide. More
-information can be found e.g. at "http://www.cs.hut.fi/crypto".
-
-The legal status of this program is some combination of all these
-permissions and restrictions. Use only at your own responsibility.
-You will be responsible for any legal consequences yourself; I am not
-making any claims whether possessing or using this is legal or not in
-your country, and I am not taking any responsibility on your behalf.
-
-
- NO WARRANTY
-
-BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
diff --git a/crypto/openssh/FREEBSD-Xlist b/crypto/openssh/FREEBSD-Xlist
new file mode 100644
index 0000000..4ea54ed
--- /dev/null
+++ b/crypto/openssh/FREEBSD-Xlist
@@ -0,0 +1,10 @@
+$FreeBSD$
+*.0
+*/.cvsignore
+.cvsignore
+autom4te*
+config.h.in
+configure
+contrib
+regress/*.[0-9]
+scard
diff --git a/crypto/openssh/FREEBSD-tricks b/crypto/openssh/FREEBSD-tricks
new file mode 100644
index 0000000..7234126
--- /dev/null
+++ b/crypto/openssh/FREEBSD-tricks
@@ -0,0 +1,20 @@
+# $FreeBSD$
+
+# Shell code to remove FreeBSD tags before merging
+grep -rl '\$Fre.BSD:' . |
+while read f ; do
+ sed -i.orig -e '/\$Fre.BSD:/d' $f
+done
+
+# Shell + Perl code to add FreeBSD tags wherever an OpenBSD or Id tag occurs
+egrep -rl '\$(Id|OpenBSD):' . |
+xargs perl -n -i.orig -e 'print; s/\$(Id|OpenBSD): [^\$]*\$/\$FreeBSD\$/ && print'
+
+# Shell code to reexpand FreeBSD tags
+grep -rl '\$FreeBSD\$' . |
+while read f ; do
+ id=$(cvs diff $f | grep '\$Fre.BSD:' | sed 's/.*\(\$Fre.BSD:.*\$\).*/\1/') ;
+ if [ -n "$id" ] ; then
+ sed -i.orig -e "s@\\\$Fre.BSD\\\$@$id@" $f ;
+ fi ;
+done
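Review bot: The `while read f` loops at the top and bottom of this file expand `$f` unquoted (`sed -i.orig -e '/\$Fre.BSD:/d' $f`, `cvs diff $f` and the final `sed ... $f`), so a path containing whitespace or glob characters is split before it reaches sed, and `read` without `-r` also strips backslashes from names. Quoting the expansion and using `while read -r f` keeps each name intact, e.g. `sed -i.orig -e '/\$Fre.BSD:/d' "$f"`. These are maintainer snippets rather than an installed script, so the exposure is confined to the source tree they are run in, but they do modify files in place.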
diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade
new file mode 100644
index 0000000..a77b7f4
--- /dev/null
+++ b/crypto/openssh/FREEBSD-upgrade
@@ -0,0 +1,130 @@
+
+
+ FreeBSD maintainer's guide to OpenSSH-portable
+ ==============================================
+
+
+0) Make sure your mail spool has plenty of free space. It'll fill up
+ pretty fast once you're done with this checklist.
+
+1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
+ site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/)
+
+2) Unpack the tarball in a suitable directory.
+
+3) Remove trash:
+
+ $ eval "rm -rf $(tr '[:space:]' ' ' </usr/src/crypto/openssh/FREEBSD-Xlist)"
+
+ Make sure that took care of everything, and if it didn't, make sure
+ to update FREEBSD-Xlist so you won't miss it the next time.
+
+4) Import the sources:
+
+ $ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ
+
+5) Resolve conflicts. Remember to bump the version number and
+ addendum in version.h.
+
+6) Generate configure and config.h.in:
+
+ $ autoconf
+ $ autoheader
+
+ Note: this requires a recent version of autoconf, not autoconf213.
+
+7) Run configure with the appropriate arguments:
+
+ $ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
+ --with-pam --with-tcp-wrappers
+
+ Note that we don't want to configure OpenSSH for Kerberos using
+ configure since we have to be able to turn it on or off depending
+ on the value of MAKE_KERBEROS[45]. Our Makefiles take care of
+ this.
+
+8) Commit the resulting config.h. Make sure you don't accidentally
+ commit any other files created by autoconf, autoheader or
+ configure; they'll just clutter up the repo and cause trouble at
+ the next upgrade.
+
+9) Build and test.
+
+A) Re-commit everything on freefall (you *did* use a test repo for
+ this, didn't you?)
+
+
+
+ An overview of FreeBSD changes to OpenSSH-portable
+ ==================================================
+
+0) VersionAddendum
+
+ The SSH protocol allows for a human-readable version string of up
+ to 40 characters to be appended to the protocol version string.
+ FreeBSD takes advantage of this to include a date indicating the
+ "patch level", so people can easily determine whether their system
+ is vulnerable when an OpenSSH advisory goes out. Some people,
+ however, dislike advertising their patch level in the protocol
+ handshake, so we've added a VersionAddendum configuration variable
+ to allow them to change or disable it.
+
+1) Modified server-side defaults
+
+ We've modified some configuration defaults in sshd:
+
+ - For protocol version 2, we don't load RSA host keys by
+ default. If both RSA and DSA keys are present, we prefer DSA
+ to RSA.
+
+ - LoginGraceTime defaults to 120 seconds instead of 600.
+
+ - PermitRootLogin defaults to "no".
+
+ - X11Forwarding defaults to "yes" (it's a threat to the client,
+ not to the server.)
+
+ - Unless the config file says otherwise, we automatically enable
+ Kerberos support if an appropriate keytab is present.
+
+ - PAMAuthenticationViaKbdInt defaults to "yes".
+
+2) Modified client-side defaults
+
+ We've modified some configuration defaults in ssh:
+
+ - For protocol version 2, if both RSA and DSA keys are present,
+ we prefer DSA to RSA.
+
+ - CheckHostIP defaults to "no".
+
+3) Canonic host names
+
+ We've added code to ssh.c to canonicize the target host name after
+ reading options but before trying to connect. This eliminates the
+ usual problem with duplicate known_hosts entries.
+
+4) OPIE
+
+ We've added support for using OPIE as a drop-in replacement for
+ S/Key.
+
+5) PAM
+
+ We use our own PAM code, which wraps PAM in a KbdintDevice and
+ works with privsep, instead of OpenSSH's own PAM code.
+
+6) setusercontext() environment
+
+ Our setusercontext(3) can set environment variables, which we must
+ take care to transfer to the child's environment.
+
+
+
+This port was brought to you by (in no particular order) DARPA, NAI
+Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
+Suzanne Vega, and a Sanford's #69 Deluxe Marker.
+
+ -- des@FreeBSD.org
+
+$FreeBSD$
diff --git a/crypto/openssh/Makefile b/crypto/openssh/Makefile
deleted file mode 100644
index 0b9c668..0000000
--- a/crypto/openssh/Makefile
+++ /dev/null
@@ -1,14 +0,0 @@
-# $OpenBSD: Makefile,v 1.11 2002/05/23 19:24:30 markus Exp $
-
-.include <bsd.own.mk>
-
-SUBDIR= lib ssh sshd ssh-add ssh-keygen ssh-agent scp sftp-server \
- ssh-keysign ssh-keyscan sftp scard
-
-distribution:
- install -C -o root -g wheel -m 0644 ${.CURDIR}/ssh_config \
- ${DESTDIR}/etc/ssh/ssh_config
- install -C -o root -g wheel -m 0644 ${.CURDIR}/sshd_config \
- ${DESTDIR}/etc/ssh/sshd_config
-
-.include <bsd.subdir.mk>
diff --git a/crypto/openssh/README.openssh2 b/crypto/openssh/README.openssh2
deleted file mode 100644
index 12c90aa..0000000
--- a/crypto/openssh/README.openssh2
+++ /dev/null
@@ -1,44 +0,0 @@
-$Id: README.openssh2,v 1.8 2000/05/07 18:30:03 markus Exp $
-
-howto:
- 1) generate server key:
- $ ssh-keygen -d -f /etc/ssh_host_dsa_key -N ''
- 2) enable ssh2:
- server: add 'Protocol 2,1' to /etc/sshd_config
- client: ssh -o 'Protocol 2,1', or add to .ssh/config
- 3) DSA authentication similar to RSA (add keys to ~/.ssh/authorized_keys2)
- interop w/ ssh.com dsa-keys:
- ssh-keygen -f /key/from/ssh.com -X >> ~/.ssh/authorized_keys2
- and vice versa
- ssh-keygen -f /privatekey/from/openssh -x > ~/.ssh2/mykey.pub
- echo Key mykey.pub >> ~/.ssh2/authorization
-
-works:
- secsh-transport: works w/o rekey
- proposal exchange, i.e. different enc/mac/comp per direction
- encryption: blowfish-cbc, 3des-cbc, arcfour, cast128-cbc
- mac: hmac-md5, hmac-sha1, (hmac-ripemd160)
- compression: zlib, none
- secsh-userauth: passwd and pubkey with DSA
- secsh-connection: pty+shell or command, flow control works (window adjust)
- tcp-forwarding: -L works, -R incomplete
- x11-fwd
- dss/dsa: host key database in ~/.ssh/known_hosts2
- client interops w/ sshd2, lshd
- server interops w/ ssh2, lsh, ssh.com's Windows client, SecureCRT, F-Secure SSH Client 4.0, SecureFX (secure ftp)
- server supports multiple concurrent sessions (e.g. with SSH.com Windows client)
-todo:
- re-keying
- secsh-connection features:
- tcp-forwarding, agent-fwd
- auth other than passwd, and DSA-pubkey:
- keyboard-interactive, (PGP-pubkey?)
- config
- server-auth w/ old host-keys
- cleanup
- advanced key storage?
- keynote
- sftp
-
--markus
-$Date: 2000/05/07 18:30:03 $
diff --git a/crypto/openssh/acconfig.h b/crypto/openssh/acconfig.h
index b6e4b37..3dc5c90 100644
--- a/crypto/openssh/acconfig.h
+++ b/crypto/openssh/acconfig.h
@@ -1,4 +1,5 @@
-/* $Id: acconfig.h,v 1.149 2003/03/10 00:38:10 djm Exp $ */
+/* $Id: acconfig.h,v 1.145 2002/09/26 00:38:48 tim Exp $ */
+/* $FreeBSD$ */
#ifndef _CONFIG_H
#define _CONFIG_H
@@ -216,6 +217,9 @@
/* Define if you want S/Key support */
#undef SKEY
+/* Define if you want OPIE support */
+#undef OPIE
+
/* Define if you want TCP Wrappers support */
#undef LIBWRAP
@@ -364,19 +368,6 @@
/* Define if your platform needs to skip post auth file descriptor passing */
#undef DISABLE_FD_PASSING
-/* Silly mkstemp() */
-#undef HAVE_STRICT_MKSTEMP
-
-/* Setproctitle emulation */
-#undef SETPROCTITLE_STRATEGY
-#undef SETPROCTITLE_PS_PADDING
-
-/* Some systems put this outside of libc */
-#undef HAVE_NANOSLEEP
-
-/* Pushing STREAMS modules incorrectly acquires a controlling TTY */
-#undef STREAMS_PUSH_ACQUIRES_CTTY
-
@BOTTOM@
/* ******************* Shouldn't need to edit below this line ************** */
diff --git a/crypto/openssh/auth-chall.c b/crypto/openssh/auth-chall.c
index 45e0c34..1daa144 100644
--- a/crypto/openssh/auth-chall.c
+++ b/crypto/openssh/auth-chall.c
@@ -24,6 +24,7 @@
#include "includes.h"
RCSID("$OpenBSD: auth-chall.c,v 1.8 2001/05/18 14:13:28 markus Exp $");
+RCSID("$FreeBSD$");
#include "auth.h"
#include "log.h"
@@ -76,7 +77,33 @@ verify_response(Authctxt *authctxt, const char *response)
return 0;
resp[0] = (char *)response;
res = device->respond(authctxt->kbdintctxt, 1, resp);
+ if (res == 1) {
+ /* postponed - send a null query just in case */
+ char *name, *info, **prompts;
+ u_int i, numprompts, *echo_on;
+
+ res = device->query(authctxt->kbdintctxt, &name, &info,
+ &numprompts, &prompts, &echo_on);
+ if (res == 0) {
+ for (i = 0; i < numprompts; i++)
+ xfree(prompts[i]);
+ xfree(prompts);
+ xfree(name);
+ xfree(echo_on);
+ xfree(info);
+ }
+ /* if we received more prompts, we're screwed */
+ res = (numprompts != 0);
+ }
device->free_ctx(authctxt->kbdintctxt);
authctxt->kbdintctxt = NULL;
return res ? 0 : 1;
}
+void
+abandon_challenge_response(Authctxt *authctxt)
+{
+ if (authctxt->kbdintctxt != NULL) {
+ device->free_ctx(authctxt->kbdintctxt);
+ authctxt->kbdintctxt = NULL;
+ }
+}
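Review bot: `numprompts` is read at `res = (numprompts != 0);` even when `device->query()` returned non-zero, and on that path nothing in the hunk has assigned it, so the read is of an uninitialized `u_int` and whether the response is accepted or rejected at `return res ? 0 : 1;` becomes unpredictable. Initialising it and folding the query result into the decision closes the gap: `u_int i, numprompts = 0, *echo_on;` together with `res = (res != 0 || numprompts != 0);`, which also keeps a failed query on the deny side. Whether a failed query should instead be ignored depends on the device contract, which is not visible here. The enclosing verify_response() starts before this hunk.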
diff --git a/crypto/openssh/auth-krb4.c b/crypto/openssh/auth-krb4.c
index b28df46..9359438 100644
--- a/crypto/openssh/auth-krb4.c
+++ b/crypto/openssh/auth-krb4.c
@@ -23,7 +23,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-krb4.c,v 1.29 2003/02/21 10:34:48 mpech Exp $");
+RCSID("$OpenBSD: auth-krb4.c,v 1.28 2002/09/26 11:38:43 markus Exp $");
+RCSID("$FreeBSD$");
#include "ssh.h"
#include "ssh1.h"
@@ -271,7 +272,7 @@ auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply)
reply->length = r;
/* Clear session key. */
- memset(&adat.session, 0, sizeof(adat.session));
+ memset(&adat.session, 0, sizeof(&adat.session));
return (1);
}
#endif /* KRB4 */
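Review bot: `sizeof(&adat.session)` on the new side is the size of a pointer, so the memset clears only the first few bytes of the session key rather than the whole `adat.session` object, contradicting the `/* Clear session key. */` comment directly above it. The expression should be `memset(&adat.session, 0, sizeof(adat.session));`. Since `adat` appears to be a local that goes out of scope at `return (1);`, a plain memset here can additionally be dropped by the optimizer as a dead store; an explicit-zeroing primitive would be more robust if one is available on the target platforms. The enclosing auth_krb4() starts before this hunk.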
diff --git a/crypto/openssh/auth-krb5.c b/crypto/openssh/auth-krb5.c
index c1a0069..06eb9b7 100644
--- a/crypto/openssh/auth-krb5.c
+++ b/crypto/openssh/auth-krb5.c
@@ -1,7 +1,7 @@
/*
* Kerberos v5 authentication and ticket-passing routines.
*
- * $FreeBSD$
+ * $xFreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp$
*/
/*
* Copyright (c) 2002 Daniel Kouril. All rights reserved.
@@ -28,7 +28,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.9 2002/09/09 06:48:06 itojun Exp $");
+RCSID("$FreeBSD$");
#include "ssh.h"
#include "ssh1.h"
@@ -107,7 +108,7 @@ auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply)
if (problem)
goto err;
- problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
+ problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL ,
KRB5_NT_SRV_HST, &server);
if (problem)
goto err;
diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c
index fe9570f..8ec96b7 100644
--- a/crypto/openssh/auth-pam.c
+++ b/crypto/openssh/auth-pam.c
@@ -38,7 +38,8 @@ extern char *__progname;
extern int use_privsep;
-RCSID("$Id: auth-pam.c,v 1.55 2003/01/22 04:42:26 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.54 2002/07/28 20:24:08 stevesk Exp $");
+RCSID("$FreeBSD$");
#define NEW_AUTHTOK_MSG \
"Warning: Your password has expired, please change it now."
@@ -210,6 +211,14 @@ int auth_pam_password(Authctxt *authctxt, const char *password)
do_pam_set_conv(&conv);
+ /* deny if no user. */
+ if (pw == NULL)
+ return 0;
+ if (pw->pw_uid == 0 && options.permit_root_login == PERMIT_NO_PASSWD)
+ return 0;
+ if (*password == '\0' && options.permit_empty_passwd == 0)
+ return 0;
+
__pampasswd = password;
pamstate = INITIAL_LOGIN;
diff --git a/crypto/openssh/auth-pam.h b/crypto/openssh/auth-pam.h
index 7881b6b..376d9ea 100644
--- a/crypto/openssh/auth-pam.h
+++ b/crypto/openssh/auth-pam.h
@@ -1,4 +1,5 @@
/* $Id: auth-pam.h,v 1.16 2002/07/23 00:44:07 stevesk Exp $ */
+/* $FreeBSD$ */
/*
* Copyright (c) 2000 Damien Miller. All rights reserved.
@@ -37,8 +38,8 @@ int auth_pam_password(Authctxt *authctxt, const char *password);
char **fetch_pam_environment(void);
void free_pam_environment(char **env);
int do_pam_authenticate(int flags);
-int do_pam_account(char *username, char *remote_user);
-void do_pam_session(char *username, const char *ttyname);
+int do_pam_account(const char *username, const char *remote_user);
+void do_pam_session(const char *username, const char *ttyname);
void do_pam_setcred(int init);
void print_pam_messages(void);
int is_pam_password_change_required(void);
diff --git a/crypto/openssh/auth-passwd.c b/crypto/openssh/auth-passwd.c
index 9901d48..8f2056e 100644
--- a/crypto/openssh/auth-passwd.c
+++ b/crypto/openssh/auth-passwd.c
@@ -37,12 +37,20 @@
#include "includes.h"
RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
+RCSID("$FreeBSD$");
#include "packet.h"
#include "log.h"
#include "servconf.h"
#include "auth.h"
+/*
+ * Do not try to use PAM for password authentication, as it is
+ * already (and far better) supported by the challenge/response
+ * authentication mechanism.
+ */
+#undef USE_PAM
+
#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
/* Don't need any of these headers for the PAM or SIA cases */
# ifdef HAVE_CRYPT_H
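Review bot: The unconditional `#undef USE_PAM` added here makes the `#if defined(USE_PAM)` branch that the next hunk introduces at the top of auth_password() (the one calling `auth_pam_password()`) unreachable in this translation unit, while the symbol stays defined for every other file, so a reader of auth_password() cannot see why its PAM path is never built. Either drop the dead branch from auth_password() or extend the comment above the `#undef` to state the consequence, e.g. `/* PAM password checking is done through the kbd-interactive device; the USE_PAM branch of auth_password() below is therefore never compiled. */`. It is worth confirming that no other file relies on auth_password() reaching PAM, since the decision is now invisible outside this file.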
@@ -92,26 +100,33 @@ extern char *aixloginmsg;
int
auth_password(Authctxt *authctxt, const char *password)
{
+#if defined(USE_PAM)
+ if (*password == '\0' && options.permit_empty_passwd == 0)
+ return 0;
+ return auth_pam_password(authctxt, password);
+#elif defined(HAVE_OSF_SIA)
+ if (*password == '\0' && options.permit_empty_passwd == 0)
+ return 0;
+ return auth_sia_password(authctxt, password);
+#else
struct passwd * pw = authctxt->pw;
-#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
char *encrypted_password;
char *pw_password;
char *salt;
-# if defined(__hpux) || defined(HAVE_SECUREWARE)
+#if defined(__hpux) || defined(HAVE_SECUREWARE)
struct pr_passwd *spw;
-# endif /* __hpux || HAVE_SECUREWARE */
-# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+#endif /* __hpux || HAVE_SECUREWARE */
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
struct spwd *spw;
-# endif
-# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
+#endif
+#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
struct passwd_adjunct *spw;
-# endif
-# ifdef WITH_AIXAUTHENTICATE
+#endif
+#ifdef WITH_AIXAUTHENTICATE
char *authmsg;
int authsuccess;
int reenter = 1;
-# endif
-#endif /* !defined(USE_PAM) && !defined(HAVE_OSF_SIA) */
+#endif
/* deny if no user. */
if (pw == NULL)
@@ -122,21 +137,15 @@ auth_password(Authctxt *authctxt, const char *password)
#endif
if (*password == '\0' && options.permit_empty_passwd == 0)
return 0;
-
-#if defined(USE_PAM)
- return auth_pam_password(authctxt, password);
-#elif defined(HAVE_OSF_SIA)
- return auth_sia_password(authctxt, password);
-#else
-# ifdef KRB5
+#ifdef KRB5
if (options.kerberos_authentication == 1) {
int ret = auth_krb5_password(authctxt, password);
if (ret == 1 || ret == 0)
return ret;
/* Fall back to ordinary passwd authentication. */
}
-# endif
-# ifdef HAVE_CYGWIN
+#endif
+#ifdef HAVE_CYGWIN
if (is_winnt) {
HANDLE hToken = cygwin_logon_user(pw, password);
@@ -145,8 +154,8 @@ auth_password(Authctxt *authctxt, const char *password)
cygwin_set_impersonation_token(hToken);
return 1;
}
-# endif
-# ifdef WITH_AIXAUTHENTICATE
+#endif
+#ifdef WITH_AIXAUTHENTICATE
authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
if (authsuccess)
@@ -157,47 +166,47 @@ auth_password(Authctxt *authctxt, const char *password)
aixloginmsg = NULL;
return(authsuccess);
-# endif
-# ifdef KRB4
+#endif
+#ifdef KRB4
if (options.kerberos_authentication == 1) {
int ret = auth_krb4_password(authctxt, password);
if (ret == 1 || ret == 0)
return ret;
/* Fall back to ordinary passwd authentication. */
}
-# endif
-# ifdef BSD_AUTH
+#endif
+#ifdef BSD_AUTH
if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
(char *)password) == 0)
return 0;
else
return 1;
-# endif
+#endif
pw_password = pw->pw_passwd;
/*
* Various interfaces to shadow or protected password data
*/
-# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
spw = getspnam(pw->pw_name);
if (spw != NULL)
pw_password = spw->sp_pwdp;
-# endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
+#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
-# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
+#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
pw_password = spw->pwa_passwd;
-# endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */
+#endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */
-# ifdef HAVE_SECUREWARE
+#ifdef HAVE_SECUREWARE
if ((spw = getprpwnam(pw->pw_name)) != NULL)
pw_password = spw->ufld.fd_encrypt;
-# endif /* HAVE_SECUREWARE */
+#endif /* HAVE_SECUREWARE */
-# if defined(__hpux) && !defined(HAVE_SECUREWARE)
+#if defined(__hpux) && !defined(HAVE_SECUREWARE)
if (iscomsec() && (spw = getprpwnam(pw->pw_name)) != NULL)
pw_password = spw->ufld.fd_encrypt;
-# endif /* defined(__hpux) && !defined(HAVE_SECUREWARE) */
+#endif /* defined(__hpux) && !defined(HAVE_SECUREWARE) */
/* Check for users with no password. */
if ((password[0] == '\0') && (pw_password[0] == '\0'))
@@ -208,25 +217,25 @@ auth_password(Authctxt *authctxt, const char *password)
else
salt = "xx";
-# ifdef HAVE_MD5_PASSWORDS
+#ifdef HAVE_MD5_PASSWORDS
if (is_md5_salt(salt))
encrypted_password = md5_crypt(password, salt);
else
encrypted_password = crypt(password, salt);
-# else /* HAVE_MD5_PASSWORDS */
-# if defined(__hpux) && !defined(HAVE_SECUREWARE)
+#else /* HAVE_MD5_PASSWORDS */
+# if defined(__hpux) && !defined(HAVE_SECUREWARE)
if (iscomsec())
encrypted_password = bigcrypt(password, salt);
else
encrypted_password = crypt(password, salt);
-# else
-# ifdef HAVE_SECUREWARE
+# else
+# ifdef HAVE_SECUREWARE
encrypted_password = bigcrypt(password, salt);
-# else
+# else
encrypted_password = crypt(password, salt);
-# endif /* HAVE_SECUREWARE */
-# endif /* __hpux && !defined(HAVE_SECUREWARE) */
-# endif /* HAVE_MD5_PASSWORDS */
+# endif /* HAVE_SECUREWARE */
+# endif /* __hpux && !defined(HAVE_SECUREWARE) */
+#endif /* HAVE_MD5_PASSWORDS */
/* Authentication is accepted if the encrypted passwords are identical. */
return (strcmp(encrypted_password, pw_password) == 0);
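Review bot: `crypt()` returns NULL on failure (unsupported salt or hash, or a library error), and nothing in this hunk checks `encrypted_password` before `strcmp(encrypted_password, pw_password)`, so such an entry would crash the authenticating process rather than deny the login; the defect is pre-existing, but this hunk is the one touching every branch that assigns the value. A guard before the comparison keeps the failure on the deny side: `if (encrypted_password == NULL) return 0;`. Whether `md5_crypt()` and `bigcrypt()` can also return NULL is not visible here. The enclosing auth_password() starts before this hunk.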
diff --git a/crypto/openssh/auth-skey.c b/crypto/openssh/auth-skey.c
index f9ea03f..a534e35 100644
--- a/crypto/openssh/auth-skey.c
+++ b/crypto/openssh/auth-skey.c
@@ -23,10 +23,19 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth-skey.c,v 1.20 2002/06/30 21:59:45 deraadt Exp $");
+RCSID("$FreeBSD$");
#ifdef SKEY
+#ifdef OPIE
+#include <opie.h>
+#define skey opie
+#define skeychallenge(k, u, c) opiechallenge((k), (u), (c))
+#define skey_haskey(u) opie_haskey((u))
+#define skey_passcheck(u, r) opie_passverify((u), (r))
+#else
#include <skey.h>
+#endif
#include "xmalloc.h"
#include "auth.h"
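Review bot: The OPIE mapping relies on `opiechallenge()`, `opie_haskey()` and `opie_passverify()` agreeing with the S/Key functions on return-value meaning (which value is success and whether any non-zero result must be treated as failure), but the hunk does not state that assumption and the call sites that interpret the results are outside it. `#define skey opie` also renames every `skey` token in the rest of this file, not only the `struct skey` tag, which is easy to miss when a later merge adds a local of that name. A comment above the block such as `/* NOTE: assumes the opie_* return conventions match the skey_* ones used by the callers below; re-check when upgrading either library */` would make the assumption reviewable.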
diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c
index 1268acc..b101d4b 100644
--- a/crypto/openssh/auth.c
+++ b/crypto/openssh/auth.c
@@ -23,7 +23,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.46 2002/11/04 10:07:53 markus Exp $");
+RCSID("$OpenBSD: auth.c,v 1.45 2002/09/20 18:41:29 stevesk Exp $");
+RCSID("$FreeBSD$");
#ifdef HAVE_LOGIN_H
#include <login.h>
@@ -79,20 +80,17 @@ allowed_user(struct passwd * pw)
char *loginmsg;
#endif /* WITH_AIXAUTHENTICATE */
#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
- !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
+ !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
struct spwd *spw;
- time_t today;
-#endif
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
if (!pw || !pw->pw_name)
return 0;
-#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
- !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
#define DAY (24L * 60 * 60) /* 1 day in seconds */
- if ((spw = getspnam(pw->pw_name)) != NULL) {
- today = time(NULL) / DAY;
+ spw = getspnam(pw->pw_name);
+ if (spw != NULL) {
+ time_t today = time(NULL) / DAY;
debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
" sp_max %d", (int)today, (int)spw->sp_expire,
(int)spw->sp_lstchg, (int)spw->sp_max);
@@ -119,6 +117,10 @@ allowed_user(struct passwd * pw)
return 0;
}
}
+#else
+ /* Shouldn't be called if pw is NULL, but better safe than sorry... */
+ if (!pw || !pw->pw_name)
+ return 0;
#endif
/*
@@ -201,15 +203,7 @@ allowed_user(struct passwd * pw)
}
#ifdef WITH_AIXAUTHENTICATE
- /*
- * Don't check loginrestrictions() for root account (use
- * PermitRootLogin to control logins via ssh), or if running as
- * non-root user (since loginrestrictions will always fail).
- */
- if ((pw->pw_uid != 0) && (geteuid() == 0) &&
- loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
- int loginrestrict_errno = errno;
-
+ if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
if (loginmsg && *loginmsg) {
/* Remove embedded newlines (if any) */
char *p;
@@ -219,13 +213,9 @@ allowed_user(struct passwd * pw)
}
/* Remove trailing newline */
*--p = '\0';
- log("Login restricted for %s: %.100s", pw->pw_name,
- loginmsg);
+ log("Login restricted for %s: %.100s", pw->pw_name, loginmsg);
}
- /* Don't fail if /etc/nologin set */
- if (!(loginrestrict_errno == EPERM &&
- stat(_PATH_NOLOGIN, &st) == 0))
- return 0;
+ return 0;
}
#endif /* WITH_AIXAUTHENTICATE */
@@ -428,7 +418,6 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
uid_t uid = pw->pw_uid;
char buf[MAXPATHLEN], homedir[MAXPATHLEN];
char *cp;
- int comparehome = 0;
struct stat st;
if (realpath(file, buf) == NULL) {
@@ -436,8 +425,11 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
strerror(errno));
return -1;
}
- if (realpath(pw->pw_dir, homedir) != NULL)
- comparehome = 1;
+ if (realpath(pw->pw_dir, homedir) == NULL) {
+ snprintf(err, errlen, "realpath %s failed: %s", pw->pw_dir,
+ strerror(errno));
+ return -1;
+ }
/* check the open file to avoid races */
if (fstat(fileno(f), &st) < 0 ||
@@ -466,7 +458,7 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
}
/* If are passed the homedir then we can stop */
- if (comparehome && strcmp(homedir, buf) == 0) {
+ if (strcmp(homedir, buf) == 0) {
debug3("secure_filename: terminating check at '%s'",
buf);
break;
@@ -496,17 +488,12 @@ getpwnamallow(const char *user)
if (pw == NULL) {
log("Illegal user %.100s from %.100s",
user, get_remote_ipaddr());
-#ifdef WITH_AIXAUTHENTICATE
- loginfailed(user,
- get_canonical_hostname(options.verify_reverse_mapping),
- "ssh");
-#endif
return (NULL);
}
if (!allowed_user(pw))
return (NULL);
#ifdef HAVE_LOGIN_CAP
- if ((lc = login_getclass(pw->pw_class)) == NULL) {
+ if ((lc = login_getpwclass(pw)) == NULL) {
debug("unable to get login class: %s", user);
return (NULL);
}
diff --git a/crypto/openssh/auth.h b/crypto/openssh/auth.h
index c75d753..4e19ee4 100644
--- a/crypto/openssh/auth.h
+++ b/crypto/openssh/auth.h
@@ -1,4 +1,5 @@
/* $OpenBSD: auth.h,v 1.41 2002/09/26 11:38:43 markus Exp $ */
+/* $FreeBSD$ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -159,6 +160,7 @@ struct passwd * getpwnamallow(const char *user);
char *get_challenge(Authctxt *);
int verify_response(Authctxt *, const char *);
+void abandon_challenge_response(Authctxt *);
struct passwd * auth_get_user(void);
@@ -188,5 +190,12 @@ void auth_debug_reset(void);
#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
+#ifdef SKEY
+#ifdef OPIE
+#define SKEY_PROMPT "\nOPIE Password: "
+#else
#define SKEY_PROMPT "\nS/Key Password: "
#endif
+#endif
+
+#endif
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c
index c273f2f..a13f610 100644
--- a/crypto/openssh/auth1.c
+++ b/crypto/openssh/auth1.c
@@ -10,7 +10,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.47 2003/02/06 21:22:42 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.44 2002/09/26 11:38:43 markus Exp $");
+RCSID("$FreeBSD$");
#include "xmalloc.h"
#include "rsa.h"
@@ -73,7 +74,7 @@ do_authloop(Authctxt *authctxt)
char info[1024];
u_int dlen;
u_int ulen;
- int type = 0;
+ int prev, type = 0;
struct passwd *pw = authctxt->pw;
debug("Attempting authentication for %s%.100s.",
@@ -103,8 +104,20 @@ do_authloop(Authctxt *authctxt)
info[0] = '\0';
/* Get a packet from the client. */
+ prev = type;
type = packet_read();
+ /*
+ * If we started challenge-response authentication but the
+ * next packet is not a response to our challenge, release
+ * the resources allocated by get_challenge() (which would
+ * normally have been released by verify_response() had we
+ * received such a response)
+ */
+ if (prev == SSH_CMSG_AUTH_TIS &&
+ type != SSH_CMSG_AUTH_TIS_RESPONSE)
+ abandon_challenge_response(authctxt);
+
/* Process the packet. */
switch (type) {
@@ -150,7 +163,7 @@ do_authloop(Authctxt *authctxt)
snprintf(info, sizeof(info),
" tktuser %.100s",
client_user);
-
+
/* Send response to client */
packet_start(
SSH_SMSG_AUTH_KERBEROS_RESPONSE);
@@ -285,6 +298,7 @@ do_authloop(Authctxt *authctxt)
debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
if (options.challenge_response_authentication == 1) {
char *response = packet_get_string(&dlen);
+ debug("got response '%s'", response);
packet_check_eom();
authenticated = verify_response(authctxt, response);
memset(response, 'r', dlen);
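Review bot: The added `debug("got response '%s'", response);` writes the client's challenge-response answer — an S/Key/OPIE one-time password or, with the PAM device, a plain password — into the server log whenever sshd runs at debug level, which defeats the `memset(response, 'r', dlen)` wipe two lines later. Log only the length, `debug("got response (%u bytes)", dlen);`, or drop the line; the same discipline applies to any future verbose logging around verify_response(). do_authloop starts and ends outside this hunk.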
@@ -328,7 +342,8 @@ do_authloop(Authctxt *authctxt)
}
#else
/* Special handling for root */
- if (authenticated && authctxt->pw->pw_uid == 0 &&
+ if (!use_privsep &&
+ authenticated && authctxt->pw->pw_uid == 0 &&
!auth_root_allowed(get_authname(type)))
authenticated = 0;
#endif
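Review bot: Adding `!use_privsep &&` means auth_root_allowed() is no longer consulted here when privilege separation is on, so PermitRootLogin is enforced on this path only if the monitor performs the same check on the privileged side; that is presumably the intent (the monitor answers the auth requests), but nothing in the hunk says so. A one-line comment, `/* with privsep the monitor enforces PermitRootLogin */`, would document the dependency, and the identical change in auth2.c's userauth_finish() (the `@@ -205,7 +235,8 @@` hunk) should carry the same note. do_authloop continues outside the hunk.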
diff --git a/crypto/openssh/auth2-chall.c b/crypto/openssh/auth2-chall.c
index 0d17093..1e48387 100644
--- a/crypto/openssh/auth2-chall.c
+++ b/crypto/openssh/auth2-chall.c
@@ -24,6 +24,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth2-chall.c,v 1.20 2002/06/30 21:59:45 deraadt Exp $");
+RCSID("$FreeBSD$");
#include "ssh2.h"
#include "auth.h"
@@ -41,6 +42,9 @@ static void input_userauth_info_response(int, u_int32_t, void *);
#ifdef BSD_AUTH
extern KbdintDevice bsdauth_device;
#else
+#ifdef USE_PAM
+extern KbdintDevice pam_device;
+#endif
#ifdef SKEY
extern KbdintDevice skey_device;
#endif
@@ -50,6 +54,9 @@ KbdintDevice *devices[] = {
#ifdef BSD_AUTH
&bsdauth_device,
#else
+#ifdef USE_PAM
+ &pam_device,
+#endif
#ifdef SKEY
&skey_device,
#endif
@@ -323,15 +330,22 @@ privsep_challenge_enable(void)
#ifdef BSD_AUTH
extern KbdintDevice mm_bsdauth_device;
#endif
+#ifdef USE_PAM
+ extern KbdintDevice mm_pam_device;
+#endif
#ifdef SKEY
extern KbdintDevice mm_skey_device;
#endif
- /* As long as SSHv1 has devices[0] hard coded this is fine */
+ int n = 0;
+
#ifdef BSD_AUTH
- devices[0] = &mm_bsdauth_device;
+ devices[n++] = &mm_bsdauth_device;
#else
+#ifdef USE_PAM
+ devices[n++] = &mm_pam_device;
+#endif
#ifdef SKEY
- devices[0] = &mm_skey_device;
+ devices[n++] = &mm_skey_device;
#endif
#endif
}
diff --git a/crypto/openssh/auth2-kbdint.c b/crypto/openssh/auth2-kbdint.c
index e609928..15c20b3 100644
--- a/crypto/openssh/auth2-kbdint.c
+++ b/crypto/openssh/auth2-kbdint.c
@@ -24,6 +24,7 @@
#include "includes.h"
RCSID("$OpenBSD: auth2-kbdint.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
+RCSID("$FreeBSD$");
#include "packet.h"
#include "auth.h"
@@ -49,10 +50,6 @@ userauth_kbdint(Authctxt *authctxt)
if (options.challenge_response_authentication)
authenticated = auth2_challenge(authctxt, devs);
-#ifdef USE_PAM
- if (authenticated == 0 && options.pam_authentication_via_kbd_int)
- authenticated = auth2_pam(authctxt);
-#endif
xfree(devs);
xfree(lang);
#ifdef HAVE_CYGWIN
diff --git a/crypto/openssh/auth2-pam-freebsd.c b/crypto/openssh/auth2-pam-freebsd.c
new file mode 100644
index 0000000..234a67e
--- /dev/null
+++ b/crypto/openssh/auth2-pam-freebsd.c
@@ -0,0 +1,630 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$FreeBSD$");
+
+#ifdef USE_PAM
+#include <security/pam_appl.h>
+
+#include "auth.h"
+#include "auth-pam.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "canohost.h"
+#include "log.h"
+#include "monitor_wrap.h"
+#include "msg.h"
+#include "packet.h"
+#include "readpass.h"
+#include "servconf.h"
+#include "ssh2.h"
+#include "xmalloc.h"
+
+#ifdef USE_POSIX_THREADS
+#include <pthread.h>
+#else
+/*
+ * Simulate threads with processes.
+ */
+typedef pid_t pthread_t;
+
+static void
+pthread_exit(void *value __unused)
+{
+ _exit(0);
+}
+
+static int
+pthread_create(pthread_t *thread, const void *attr __unused,
+ void *(*thread_start)(void *), void *arg)
+{
+ pid_t pid;
+
+ switch ((pid = fork())) {
+ case -1:
+ error("fork(): %s", strerror(errno));
+ return (-1);
+ case 0:
+ thread_start(arg);
+ _exit(1);
+ default:
+ *thread = pid;
+ return (0);
+ }
+}
+
+static int
+pthread_cancel(pthread_t thread)
+{
+ return (kill(thread, SIGTERM));
+}
+
+static int
+pthread_join(pthread_t thread, void **value __unused)
+{
+ int status;
+
+ waitpid(thread, &status, 0);
+ return (status);
+}
+#endif
+
+
+static pam_handle_t *pam_handle;
+static int pam_err;
+static int pam_authenticated;
+static int pam_new_authtok_reqd;
+static int pam_session_open;
+static int pam_cred_established;
+
+struct pam_ctxt {
+ pthread_t pam_thread;
+ int pam_psock;
+ int pam_csock;
+ int pam_done;
+};
+
+static void pam_free_ctx(void *);
+
+/*
+ * Conversation function for authentication thread.
+ */
+static int
+pam_thread_conv(int n,
+ const struct pam_message **msg,
+ struct pam_response **resp,
+ void *data)
+{
+ Buffer buffer;
+ struct pam_ctxt *ctxt;
+ int i;
+
+ ctxt = data;
+ if (n <= 0 || n > PAM_MAX_NUM_MSG)
+ return (PAM_CONV_ERR);
+ *resp = xmalloc(n * sizeof **resp);
+ buffer_init(&buffer);
+ for (i = 0; i < n; ++i) {
+ resp[i]->resp_retcode = 0;
+ resp[i]->resp = NULL;
+ switch (msg[i]->msg_style) {
+ case PAM_PROMPT_ECHO_OFF:
+ buffer_put_cstring(&buffer, msg[i]->msg);
+ ssh_msg_send(ctxt->pam_csock, msg[i]->msg_style, &buffer);
+ ssh_msg_recv(ctxt->pam_csock, &buffer);
+ if (buffer_get_char(&buffer) != PAM_AUTHTOK)
+ goto fail;
+ resp[i]->resp = buffer_get_string(&buffer, NULL);
+ break;
+ case PAM_PROMPT_ECHO_ON:
+ buffer_put_cstring(&buffer, msg[i]->msg);
+ ssh_msg_send(ctxt->pam_csock, msg[i]->msg_style, &buffer);
+ ssh_msg_recv(ctxt->pam_csock, &buffer);
+ if (buffer_get_char(&buffer) != PAM_AUTHTOK)
+ goto fail;
+ resp[i]->resp = buffer_get_string(&buffer, NULL);
+ break;
+ case PAM_ERROR_MSG:
+ buffer_put_cstring(&buffer, msg[i]->msg);
+ ssh_msg_send(ctxt->pam_csock, msg[i]->msg_style, &buffer);
+ break;
+ case PAM_TEXT_INFO:
+ buffer_put_cstring(&buffer, msg[i]->msg);
+ ssh_msg_send(ctxt->pam_csock, msg[i]->msg_style, &buffer);
+ break;
+ default:
+ goto fail;
+ }
+ buffer_clear(&buffer);
+ }
+ buffer_free(&buffer);
+ return (PAM_SUCCESS);
+ fail:
+ while (i)
+ xfree(resp[--i]);
+ xfree(*resp);
+ *resp = NULL;
+ buffer_free(&buffer);
+ return (PAM_CONV_ERR);
+}
+
+/*
+ * Authentication thread.
+ */
+static void *
+pam_thread(void *ctxtp)
+{
+ struct pam_ctxt *ctxt = ctxtp;
+ Buffer buffer;
+ struct pam_conv pam_conv = { pam_thread_conv, ctxt };
+
+#ifndef USE_POSIX_THREADS
+ {
+ const char *pam_user;
+
+ pam_get_item(pam_handle, PAM_USER, (const void **)&pam_user);
+ setproctitle("%s [pam]", pam_user);
+ }
+#endif
+ buffer_init(&buffer);
+ pam_err = pam_set_item(pam_handle, PAM_CONV, (const void *)&pam_conv);
+ if (pam_err != PAM_SUCCESS)
+ goto auth_fail;
+ pam_err = pam_authenticate(pam_handle, 0);
+ if (pam_err != PAM_SUCCESS)
+ goto auth_fail;
+ pam_err = pam_acct_mgmt(pam_handle, 0);
+ if (pam_err != PAM_SUCCESS && pam_err != PAM_NEW_AUTHTOK_REQD)
+ goto auth_fail;
+ buffer_put_cstring(&buffer, "OK");
+ ssh_msg_send(ctxt->pam_csock, pam_err, &buffer);
+ buffer_free(&buffer);
+ pthread_exit(NULL);
+ auth_fail:
+ buffer_put_cstring(&buffer,
+ pam_strerror(pam_handle, pam_err));
+ ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
+ buffer_free(&buffer);
+ pthread_exit(NULL);
+}
+
+static void
+pam_thread_cleanup(void *ctxtp)
+{
+ struct pam_ctxt *ctxt = ctxtp;
+
+ pthread_cancel(ctxt->pam_thread);
+ pthread_join(ctxt->pam_thread, NULL);
+ close(ctxt->pam_psock);
+ close(ctxt->pam_csock);
+}
+
+static int
+pam_null_conv(int n,
+ const struct pam_message **msg,
+ struct pam_response **resp,
+ void *data)
+{
+
+ return (PAM_CONV_ERR);
+}
+
+static struct pam_conv null_conv = { pam_null_conv, NULL };
+
+static void
+pam_cleanup(void *arg)
+{
+ (void)arg;
+ debug("PAM: cleanup");
+ pam_set_item(pam_handle, PAM_CONV, (const void *)&null_conv);
+ if (pam_cred_established) {
+ pam_setcred(pam_handle, PAM_DELETE_CRED);
+ pam_cred_established = 0;
+ }
+ if (pam_session_open) {
+ pam_close_session(pam_handle, PAM_SILENT);
+ pam_session_open = 0;
+ }
+ pam_authenticated = pam_new_authtok_reqd = 0;
+ pam_end(pam_handle, pam_err);
+ pam_handle = NULL;
+}
+
+static int
+pam_init(const char *user)
+{
+ extern ServerOptions options;
+ extern u_int utmp_len;
+ const char *pam_rhost, *pam_user;
+
+ if (pam_handle != NULL) {
+ /* We already have a PAM context; check if the user matches */
+ pam_err = pam_get_item(pam_handle,
+ PAM_USER, (const void **)&pam_user);
+ if (pam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0)
+ return (0);
+ fatal_remove_cleanup(pam_cleanup, NULL);
+ pam_end(pam_handle, pam_err);
+ pam_handle = NULL;
+ }
+ debug("PAM: initializing for \"%s\"", user);
+ pam_err = pam_start("sshd", user, &null_conv, &pam_handle);
+ if (pam_err != PAM_SUCCESS)
+ return (-1);
+ pam_rhost = get_remote_name_or_ip(utmp_len,
+ options.verify_reverse_mapping);
+ debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
+ pam_err = pam_set_item(pam_handle, PAM_RHOST, pam_rhost);
+ if (pam_err != PAM_SUCCESS) {
+ pam_end(pam_handle, pam_err);
+ pam_handle = NULL;
+ return (-1);
+ }
+ fatal_add_cleanup(pam_cleanup, NULL);
+ return (0);
+}
+
+static void *
+pam_init_ctx(Authctxt *authctxt)
+{
+ struct pam_ctxt *ctxt;
+ int socks[2];
+
+ /* Initialize PAM */
+ if (pam_init(authctxt->user) == -1) {
+ error("PAM: initialization failed");
+ return (NULL);
+ }
+
+ ctxt = xmalloc(sizeof *ctxt);
+ ctxt->pam_done = 0;
+
+ /* Start the authentication thread */
+ if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
+ error("PAM: failed create sockets: %s", strerror(errno));
+ xfree(ctxt);
+ return (NULL);
+ }
+ ctxt->pam_psock = socks[0];
+ ctxt->pam_csock = socks[1];
+ if (pthread_create(&ctxt->pam_thread, NULL, pam_thread, ctxt) == -1) {
+ error("PAM: failed to start authentication thread: %s",
+ strerror(errno));
+ close(socks[0]);
+ close(socks[1]);
+ xfree(ctxt);
+ return (NULL);
+ }
+ fatal_add_cleanup(pam_thread_cleanup, ctxt);
+ return (ctxt);
+}
+
+static int
+pam_query(void *ctx, char **name, char **info,
+ u_int *num, char ***prompts, u_int **echo_on)
+{
+ Buffer buffer;
+ struct pam_ctxt *ctxt = ctx;
+ size_t plen;
+ u_char type;
+ char *msg;
+
+ buffer_init(&buffer);
+ *name = xstrdup("");
+ *info = xstrdup("");
+ *prompts = xmalloc(sizeof(char *));
+ **prompts = NULL;
+ plen = 0;
+ *echo_on = xmalloc(sizeof(u_int));
+ while (ssh_msg_recv(ctxt->pam_psock, &buffer) == 0) {
+ type = buffer_get_char(&buffer);
+ msg = buffer_get_string(&buffer, NULL);
+ switch (type) {
+ case PAM_PROMPT_ECHO_ON:
+ case PAM_PROMPT_ECHO_OFF:
+ *num = 1;
+ **prompts = xrealloc(**prompts, plen + strlen(msg) + 1);
+ plen += sprintf(**prompts + plen, "%s", msg);
+ **echo_on = (type == PAM_PROMPT_ECHO_ON);
+ xfree(msg);
+ return (0);
+ case PAM_ERROR_MSG:
+ case PAM_TEXT_INFO:
+ /* accumulate messages */
+ **prompts = xrealloc(**prompts, plen + strlen(msg) + 1);
+ plen += sprintf(**prompts + plen, "%s", msg);
+ xfree(msg);
+ break;
+ case PAM_NEW_AUTHTOK_REQD:
+ pam_new_authtok_reqd = 1;
+ /* FALLTHROUGH */
+ case PAM_SUCCESS:
+ case PAM_AUTH_ERR:
+ if (**prompts != NULL) {
+ /* drain any accumulated messages */
+#if 0 /* not compatible with privsep */
+ packet_start(SSH2_MSG_USERAUTH_BANNER);
+ packet_put_cstring(**prompts);
+ packet_put_cstring("");
+ packet_send();
+ packet_write_wait();
+#endif
+ xfree(**prompts);
+ **prompts = NULL;
+ }
+ if (type == PAM_SUCCESS) {
+ *num = 0;
+ **echo_on = 0;
+ ctxt->pam_done = 1;
+ xfree(msg);
+ return (0);
+ }
+ error("PAM: %s", msg);
+ default:
+ *num = 0;
+ **echo_on = 0;
+ xfree(msg);
+ ctxt->pam_done = -1;
+ return (-1);
+ }
+ }
+ return (-1);
+}
+
+static int
+pam_respond(void *ctx, u_int num, char **resp)
+{
+ Buffer buffer;
+ struct pam_ctxt *ctxt = ctx;
+ char *msg;
+
+ debug2("PAM: %s", __func__);
+ switch (ctxt->pam_done) {
+ case 1:
+ pam_authenticated = 1;
+ return (0);
+ case 0:
+ break;
+ default:
+ return (-1);
+ }
+ if (num != 1) {
+ error("PAM: expected one response, got %u", num);
+ return (-1);
+ }
+ buffer_init(&buffer);
+ buffer_put_cstring(&buffer, *resp);
+ ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer);
+ buffer_free(&buffer);
+ return (1);
+}
+
+static void
+pam_free_ctx(void *ctxtp)
+{
+ struct pam_ctxt *ctxt = ctxtp;
+
+ fatal_remove_cleanup(pam_thread_cleanup, ctxt);
+ pam_thread_cleanup(ctxtp);
+ xfree(ctxt);
+ /*
+ * We don't call pam_cleanup() here because we may need the PAM
+ * handle at a later stage, e.g. when setting up a session. It's
+ * still on the cleanup list, so pam_end() *will* be called before
+ * the server process terminates.
+ */
+}
+
+KbdintDevice pam_device = {
+ "pam",
+ pam_init_ctx,
+ pam_query,
+ pam_respond,
+ pam_free_ctx
+};
+
+KbdintDevice mm_pam_device = {
+ "pam",
+ mm_pam_init_ctx,
+ mm_pam_query,
+ mm_pam_respond,
+ mm_pam_free_ctx
+};
+
+/*
+ * This replaces auth-pam.c
+ */
+void
+start_pam(const char *user)
+{
+ if (pam_init(user) == -1)
+ fatal("PAM: initialisation failed");
+}
+
+void
+finish_pam(void)
+{
+ fatal_remove_cleanup(pam_cleanup, NULL);
+ pam_cleanup(NULL);
+}
+
+int
+do_pam_account(const char *user, const char *ruser)
+{
+ /* XXX */
+ return (1);
+}
+
+void
+do_pam_session(const char *user, const char *tty)
+{
+ pam_err = pam_set_item(pam_handle, PAM_CONV, (const void *)&null_conv);
+ if (pam_err != PAM_SUCCESS)
+ fatal("PAM: failed to set PAM_CONV: %s",
+ pam_strerror(pam_handle, pam_err));
+ debug("PAM: setting PAM_TTY to \"%s\"", tty);
+ pam_err = pam_set_item(pam_handle, PAM_TTY, tty);
+ if (pam_err != PAM_SUCCESS)
+ fatal("PAM: failed to set PAM_TTY: %s",
+ pam_strerror(pam_handle, pam_err));
+ pam_err = pam_open_session(pam_handle, 0);
+ if (pam_err != PAM_SUCCESS)
+ fatal("PAM: pam_open_session(): %s",
+ pam_strerror(pam_handle, pam_err));
+ pam_session_open = 1;
+}
+
+void
+do_pam_setcred(int init)
+{
+ pam_err = pam_set_item(pam_handle, PAM_CONV, (const void *)&null_conv);
+ if (pam_err != PAM_SUCCESS)
+ fatal("PAM: failed to set PAM_CONV: %s",
+ pam_strerror(pam_handle, pam_err));
+ if (init) {
+ debug("PAM: establishing credentials");
+ pam_err = pam_setcred(pam_handle, PAM_ESTABLISH_CRED);
+ } else {
+ debug("PAM: reinitializing credentials");
+ pam_err = pam_setcred(pam_handle, PAM_REINITIALIZE_CRED);
+ }
+ if (pam_err == PAM_SUCCESS) {
+ pam_cred_established = 1;
+ return;
+ }
+ if (pam_authenticated)
+ fatal("PAM: pam_setcred(): %s",
+ pam_strerror(pam_handle, pam_err));
+ else
+ debug("PAM: pam_setcred(): %s",
+ pam_strerror(pam_handle, pam_err));
+}
+
+int
+is_pam_password_change_required(void)
+{
+ return (pam_new_authtok_reqd);
+}
+
+static int
+pam_chauthtok_conv(int n,
+ const struct pam_message **msg,
+ struct pam_response **resp,
+ void *data)
+{
+ char input[PAM_MAX_MSG_SIZE];
+ int i;
+
+ if (n <= 0 || n > PAM_MAX_NUM_MSG)
+ return (PAM_CONV_ERR);
+ *resp = xmalloc(n * sizeof **resp);
+ for (i = 0; i < n; ++i) {
+ switch (msg[i]->msg_style) {
+ case PAM_PROMPT_ECHO_OFF:
+ resp[i]->resp =
+ read_passphrase(msg[i]->msg, RP_ALLOW_STDIN);
+ resp[i]->resp_retcode = PAM_SUCCESS;
+ break;
+ case PAM_PROMPT_ECHO_ON:
+ fputs(msg[i]->msg, stderr);
+ fgets(input, sizeof input, stdin);
+ resp[i]->resp = xstrdup(input);
+ resp[i]->resp_retcode = PAM_SUCCESS;
+ break;
+ case PAM_ERROR_MSG:
+ case PAM_TEXT_INFO:
+ fputs(msg[i]->msg, stderr);
+ resp[i]->resp_retcode = PAM_SUCCESS;
+ break;
+ default:
+ goto fail;
+ }
+ }
+ return (PAM_SUCCESS);
+ fail:
+ while (i)
+ xfree(resp[--i]);
+ xfree(*resp);
+ *resp = NULL;
+ return (PAM_CONV_ERR);
+}
+
+/*
+ * XXX this should be done in the authentication phase, but ssh1 doesn't
+ * support that
+ */
+void
+do_pam_chauthtok(void)
+{
+ struct pam_conv pam_conv = { pam_chauthtok_conv, NULL };
+
+ if (use_privsep)
+ fatal("PAM: chauthtok not supprted with privsep");
+ pam_err = pam_set_item(pam_handle, PAM_CONV, (const void *)&pam_conv);
+ if (pam_err != PAM_SUCCESS)
+ fatal("PAM: failed to set PAM_CONV: %s",
+ pam_strerror(pam_handle, pam_err));
+ debug("PAM: changing password");
+ pam_err = pam_chauthtok(pam_handle, PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (pam_err != PAM_SUCCESS)
+ fatal("PAM: pam_chauthtok(): %s",
+ pam_strerror(pam_handle, pam_err));
+}
+
+void
+print_pam_messages(void)
+{
+ /* XXX */
+}
+
+char **
+fetch_pam_environment(void)
+{
+#ifdef HAVE_PAM_GETENVLIST
+ debug("PAM: retrieving environment");
+ return (pam_getenvlist(pam_handle));
+#else
+ return (NULL);
+#endif
+}
+
+void
+free_pam_environment(char **env)
+{
+ char **envp;
+
+ for (envp = env; *envp; envp++)
+ xfree(*envp);
+ xfree(env);
+}
+
+#endif /* USE_PAM */
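Review bot: pam_thread_conv() allocates the reply as one array of n `struct pam_response` (`*resp = xmalloc(n * sizeof **resp)`) but then addresses it as `resp[i]->resp` / `resp[i]->resp_retcode`, which for i > 0 indexes the caller's pointer-to-pointer rather than the i-th element and writes past the single pointer the caller passed; the element access should be `(*resp)[i].resp` and `(*resp)[i].resp_retcode`, and the `fail:` loop should free each `(*resp)[j].resp` string instead of `resp[--i]`. pam_chauthtok_conv() has the same indexing pattern and should be fixed the same way. Separately, free_pam_environment() dereferences `env` unconditionally while fetch_pam_environment() returns NULL on the non-HAVE_PAM_GETENVLIST path and whenever pam_getenvlist() fails, so it needs `if (env == NULL) return;` before the loop. In pam_chauthtok_conv() the `fgets(input, sizeof input, stdin)` return value is unchecked, so on EOF the uninitialised `input` is handed to xstrdup(); check for NULL and treat it as PAM_CONV_ERR. The drop from `error("PAM: %s", msg);` into `default:` in pam_query() is clearly intended but unmarked; add `/* FALLTHROUGH */` as is done a few lines above it.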
diff --git a/crypto/openssh/auth2-pam.c b/crypto/openssh/auth2-pam.c
index ac28fb2..8454aae 100644
--- a/crypto/openssh/auth2-pam.c
+++ b/crypto/openssh/auth2-pam.c
@@ -1,5 +1,6 @@
#include "includes.h"
-RCSID("$Id: auth2-pam.c,v 1.15 2003/01/08 01:37:03 djm Exp $");
+RCSID("$Id: auth2-pam.c,v 1.14 2002/06/28 16:48:12 mouring Exp $");
+RCSID("$FreeBSD$");
#ifdef USE_PAM
#include <security/pam_appl.h>
@@ -154,7 +155,8 @@ input_userauth_info_response_pam(int type, u_int32_t seqnr, void *ctxt)
resp = packet_get_string(&rlen);
context_pam2.responses[j].resp_retcode = PAM_SUCCESS;
- context_pam2.responses[j].resp = resp;
+ context_pam2.responses[j].resp = xstrdup(resp);
+ xfree(resp);
context_pam2.num_received++;
}
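Review bot: The original `resp` buffer, which holds the user's keyboard-interactive answer (typically a password), is now freed immediately after being duplicated, but it is not wiped first, so the plaintext stays in freed heap memory; `rlen` is already available from `packet_get_string(&rlen)`, so wipe before freeing: `memset(resp, 0, rlen); xfree(resp);`. Why the copy is needed at all is not stated — presumably so the response array is freed by the PAM side with free() while this buffer is released via xfree() — and a one-line comment saying so would help the next reader. input_userauth_info_response_pam starts and ends outside this hunk.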
diff --git a/crypto/openssh/auth2-skey.c b/crypto/openssh/auth2-skey.c
deleted file mode 100644
index 9de08fc..0000000
--- a/crypto/openssh/auth2-skey.c
+++ /dev/null
@@ -1,104 +0,0 @@
-#include "includes.h"
-RCSID("$OpenBSD: auth2-skey.c,v 1.1 2000/10/11 20:14:38 markus Exp $");
-
-#include "ssh.h"
-#include "ssh2.h"
-#include "auth.h"
-#include "packet.h"
-#include "xmalloc.h"
-#include "dispatch.h"
-
-void send_userauth_into_request(Authctxt *authctxt, int echo);
-void input_userauth_info_response(int type, int plen, void *ctxt);
-
-/*
- * try skey authentication, always return -1 (= postponed) since we have to
- * wait for the s/key response.
- */
-int
-auth2_skey(Authctxt *authctxt)
-{
- send_userauth_into_request(authctxt, 0);
- dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, &input_userauth_info_response);
- return -1;
-}
-
-void
-send_userauth_into_request(Authctxt *authctxt, int echo)
-{
- int retval = -1;
- struct skey skey;
- char challenge[SKEY_MAX_CHALLENGE];
- char *fake;
-
- if (authctxt->user == NULL)
- fatal("send_userauth_into_request: internal error: no user");
-
- /* get skey challenge */
- if (authctxt->valid)
- retval = skeychallenge(&skey, authctxt->user, challenge);
-
- if (retval == -1) {
- fake = skey_fake_keyinfo(authctxt->user);
- strlcpy(challenge, fake, sizeof challenge);
- }
- /* send our info request */
- packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
- packet_put_cstring("S/Key Authentication"); /* Name */
- packet_put_cstring(challenge); /* Instruction */
- packet_put_cstring(""); /* Language */
- packet_put_int(1); /* Number of prompts */
- packet_put_cstring(echo ?
- "Response [Echo]: ": "Response: "); /* Prompt */
- packet_put_char(echo); /* Echo */
- packet_send();
- packet_write_wait();
- memset(challenge, 'c', sizeof challenge);
-}
-
-void
-input_userauth_info_response(int type, int plen, void *ctxt)
-{
- Authctxt *authctxt = ctxt;
- int authenticated = 0;
- unsigned int nresp, rlen;
- char *resp, *method;
-
- if (authctxt == NULL)
- fatal("input_userauth_info_response: no authentication context");
-
- if (authctxt->attempt++ >= AUTH_FAIL_MAX)
- packet_disconnect("too many failed userauth_requests");
-
- nresp = packet_get_int();
- if (nresp == 1) {
- /* we only support s/key and assume s/key for nresp == 1 */
- method = "s/key";
- resp = packet_get_string(&rlen);
- packet_done();
- if (strlen(resp) == 0) {
- /*
- * if we received a null response, resend prompt with
- * echo enabled
- */
- authenticated = -1;
- userauth_log(authctxt, authenticated, method);
- send_userauth_into_request(authctxt, 1);
- } else {
- /* verify skey response */
- if (authctxt->valid &&
- skey_haskey(authctxt->pw->pw_name) == 0 &&
- skey_passcheck(authctxt->pw->pw_name, resp) != -1) {
- authenticated = 1;
- } else {
- authenticated = 0;
- }
- memset(resp, 'r', rlen);
- /* unregister callback */
- dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
- userauth_log(authctxt, authenticated, method);
- userauth_reply(authctxt, authenticated);
- }
- xfree(resp);
- }
-}
diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c
index 1b21eb2..852c616 100644
--- a/crypto/openssh/auth2.c
+++ b/crypto/openssh/auth2.c
@@ -23,8 +23,10 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.96 2003/02/06 21:22:43 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.95 2002/08/22 21:33:58 markus Exp $");
+RCSID("$FreeBSD$");
+#include "canohost.h"
#include "ssh2.h"
#include "xmalloc.h"
#include "packet.h"
@@ -137,6 +139,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
int authenticated = 0;
+#ifdef HAVE_LOGIN_CAP
+ login_cap_t *lc;
+ const char *from_host, *from_ip;
+
+ from_host = get_canonical_hostname(options.verify_reverse_mapping);
+ from_ip = get_remote_ipaddr();
+#endif
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
@@ -178,6 +187,27 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
"(%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
+
+#ifdef HAVE_LOGIN_CAP
+ if (authctxt->pw != NULL) {
+ lc = login_getpwclass(authctxt->pw);
+ if (lc == NULL)
+ lc = login_getclassbyname(NULL, authctxt->pw);
+ if (!auth_hostok(lc, from_host, from_ip)) {
+ log("Denied connection for %.200s from %.200s [%.200s].",
+ authctxt->pw->pw_name, from_host, from_ip);
+ packet_disconnect("Sorry, you are not allowed to connect.");
+ }
+ if (!auth_timeok(lc, time(NULL))) {
+ log("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+ authctxt->pw->pw_name, from_host);
+ packet_disconnect("Logins not available right now.");
+ }
+ login_close(lc);
+ lc = NULL;
+ }
+#endif /* HAVE_LOGIN_CAP */
+
/* reset state */
auth2_challenge_stop(authctxt);
authctxt->postponed = 0;
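Review bot: When both login_getpwclass() and login_getclassbyname() return NULL, `lc` is passed as NULL to auth_hostok() and auth_timeok(), and whether that denies or permits the login depends on libutil's defaults for a missing class rather than on anything visible here; make the policy explicit, e.g. `if (lc == NULL) fatal("no login class for %s", authctxt->pw->pw_name);` or at least log it before the checks. The block also runs on every SSH2_MSG_USERAUTH_REQUEST instead of once per connection, so the class lookup — which for login_getpwclass() I believe includes reading the user's ~/.login_conf, a file the unprivileged privsep child may not be able to open — is repeated for each attempt; evaluating it once when authctxt->pw is first set would avoid that. input_userauth_request starts and ends outside the hunk.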
@@ -205,7 +235,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
authctxt->user);
/* Special handling for root */
- if (authenticated && authctxt->pw->pw_uid == 0 &&
+ if (!use_privsep &&
+ authenticated && authctxt->pw->pw_uid == 0 &&
!auth_root_allowed(method))
authenticated = 0;
diff --git a/crypto/openssh/authfd.c b/crypto/openssh/authfd.c
index a186e01..5af92af 100644
--- a/crypto/openssh/authfd.c
+++ b/crypto/openssh/authfd.c
@@ -35,7 +35,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: authfd.c,v 1.58 2003/01/23 13:50:27 markus Exp $");
+RCSID("$OpenBSD: authfd.c,v 1.57 2002/09/11 18:27:26 stevesk Exp $");
+RCSID("$FreeBSD$");
#include <openssl/evp.h>
@@ -499,10 +500,10 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
int
ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
- const char *comment, u_int life, u_int confirm)
+ const char *comment, u_int life)
{
Buffer msg;
- int type, constrained = (life || confirm);
+ int type, constrained = (life != 0);
buffer_init(&msg);
@@ -532,8 +533,6 @@ ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);
buffer_put_int(&msg, life);
}
- if (confirm != 0)
- buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_CONFIRM);
}
if (ssh_request_reply(auth, &msg, &msg) == 0) {
buffer_free(&msg);
@@ -547,7 +546,7 @@ ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
int
ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
{
- return ssh_add_identity_constrained(auth, key, comment, 0, 0);
+ return ssh_add_identity_constrained(auth, key, comment, 0);
}
/*
diff --git a/crypto/openssh/authfile.c b/crypto/openssh/authfile.c
index 90618ef..800ee65 100644
--- a/crypto/openssh/authfile.c
+++ b/crypto/openssh/authfile.c
@@ -36,7 +36,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: authfile.c,v 1.52 2003/03/13 11:42:18 markus Exp $");
+RCSID("$OpenBSD: authfile.c,v 1.50 2002/06/24 14:55:38 markus Exp $");
+RCSID("$FreeBSD$");
#include <openssl/err.h>
#include <openssl/evp.h>
@@ -232,17 +233,12 @@ key_load_public_rsa1(int fd, const char *filename, char **commentp)
{
Buffer buffer;
Key *pub;
- struct stat st;
char *cp;
int i;
off_t len;
- if (fstat(fd, &st) < 0) {
- error("fstat for key file %.200s failed: %.100s",
- filename, strerror(errno));
- return NULL;
- }
- len = st.st_size;
+ len = lseek(fd, (off_t) 0, SEEK_END);
+ lseek(fd, (off_t) 0, SEEK_SET);
buffer_init(&buffer);
cp = buffer_append_space(&buffer, len);
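Review bot: The new `len = lseek(fd, (off_t) 0, SEEK_END);` is unchecked, so on a non-seekable descriptor or any error it yields -1, which `buffer_append_space(&buffer, len)` receives as a huge unsigned size; the `lseek(fd, 0, SEEK_SET)` that follows is unchecked too, so a failure there silently reads from the end of the file. Guard both, e.g. `if ((len = lseek(fd, 0, SEEK_END)) == -1 || lseek(fd, 0, SEEK_SET) == -1) { error("lseek for key file %.200s failed: %.100s", filename, strerror(errno)); return NULL; }`. The same replacement appears in key_load_private_rsa1 (the `@@ -323,15 +319,9 @@` hunk), where the error path must also `close(fd)` as the removed fstat() branch did. key_load_public_rsa1 continues outside this hunk.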
@@ -323,15 +319,9 @@ key_load_private_rsa1(int fd, const char *filename, const char *passphrase,
CipherContext ciphercontext;
Cipher *cipher;
Key *prv = NULL;
- struct stat st;
- if (fstat(fd, &st) < 0) {
- error("fstat for key file %.200s failed: %.100s",
- filename, strerror(errno));
- close(fd);
- return NULL;
- }
- len = st.st_size;
+ len = lseek(fd, (off_t) 0, SEEK_END);
+ lseek(fd, (off_t) 0, SEEK_SET);
buffer_init(&buffer);
cp = buffer_append_space(&buffer, len);
@@ -421,12 +411,6 @@ key_load_private_rsa1(int fd, const char *filename, const char *passphrase,
rsa_generate_additional_parameters(prv->rsa);
buffer_free(&decrypted);
-
- /* enable blinding */
- if (RSA_blinding_on(prv->rsa, NULL) != 1) {
- error("key_load_private_rsa1: RSA_blinding_on failed");
- goto fail;
- }
close(fd);
return prv;
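Review bot: Removing the `RSA_blinding_on(prv->rsa, NULL)` call leaves private-key operations on this RSA1 key unblinded, and blinding is the standard countermeasure against timing side channels on RSA decryption and signing; unless the linked OpenSSL is known to enable blinding by default (early 0.9.7 releases, to my knowledge, did not), the call and its `goto fail` error path should stay. The same removal in key_load_private_pem (the `@@ -466,11 +450,6 @@` hunk) has the same consequence for RSA PEM keys. If the removal is deliberate because the build targets an OpenSSL that blinds by default, say so in a comment where the call used to be. key_load_private_rsa1 starts outside the hunk.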
@@ -466,11 +450,6 @@ key_load_private_pem(int fd, int type, const char *passphrase,
#ifdef DEBUG_PK
RSA_print_fp(stderr, prv->rsa, 8);
#endif
- if (RSA_blinding_on(prv->rsa, NULL) != 1) {
- error("key_load_private_pem: RSA_blinding_on failed");
- key_free(prv);
- prv = NULL;
- }
} else if (pk->type == EVP_PKEY_DSA &&
(type == KEY_UNSPEC||type==KEY_DSA)) {
prv = key_new(KEY_UNSPEC);
diff --git a/crypto/openssh/aux.c b/crypto/openssh/aux.c
deleted file mode 100644
index 899142d..0000000
--- a/crypto/openssh/aux.c
+++ /dev/null
@@ -1,36 +0,0 @@
-#include "includes.h"
-RCSID("$OpenBSD: aux.c,v 1.2 2000/05/17 09:47:59 markus Exp $");
-
-#include "ssh.h"
-
-char *
-chop(char *s)
-{
- char *t = s;
- while (*t) {
- if(*t == '\n' || *t == '\r') {
- *t = '\0';
- return s;
- }
- t++;
- }
- return s;
-
-}
-
-void
-set_nonblock(int fd)
-{
- int val;
- val = fcntl(fd, F_GETFL, 0);
- if (val < 0) {
- error("fcntl(%d, F_GETFL, 0): %s", fd, strerror(errno));
- return;
- }
- if (val & O_NONBLOCK)
- return;
- debug("fd %d setting O_NONBLOCK", fd);
- val |= O_NONBLOCK;
- if (fcntl(fd, F_SETFL, val) == -1)
- error("fcntl(%d, F_SETFL, O_NONBLOCK): %s", fd, strerror(errno));
-}
diff --git a/crypto/openssh/bufaux.c b/crypto/openssh/bufaux.c
index 3c276b8..94836fe 100644
--- a/crypto/openssh/bufaux.c
+++ b/crypto/openssh/bufaux.c
@@ -37,7 +37,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: bufaux.c,v 1.28 2002/10/23 10:40:16 markus Exp $");
+RCSID("$OpenBSD: bufaux.c,v 1.27 2002/06/26 08:53:12 markus Exp $");
+RCSID("$FreeBSD$");
#include <openssl/bn.h>
#include "bufaux.h"
@@ -225,7 +226,7 @@ buffer_get_string(Buffer *buffer, u_int *length_ptr)
/* Get the length. */
len = buffer_get_int(buffer);
if (len > 256 * 1024)
- fatal("buffer_get_string: bad string length %u", len);
+ fatal("buffer_get_string: bad string length %d", len);
/* Allocate space for the string. Add one byte for a null character. */
value = xmalloc(len + 1);
/* Get the string. */
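Review bot: Changing the format to `%d` mismatches the argument: `len` is assigned from buffer_get_int(), which returns u_int, so the `%u` on the old side was the correct conversion and a length above INT_MAX — exactly the case this fatal() reports — would now be printed as a negative number. Keep `fatal("buffer_get_string: bad string length %u", len);`. buffer_get_string continues outside the hunk.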
diff --git a/crypto/openssh/canohost.c b/crypto/openssh/canohost.c
index 941db23..1685c7e 100644
--- a/crypto/openssh/canohost.c
+++ b/crypto/openssh/canohost.c
@@ -12,7 +12,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: canohost.c,v 1.35 2002/11/26 02:38:54 stevesk Exp $");
+RCSID("$OpenBSD: canohost.c,v 1.34 2002/09/23 20:46:27 stevesk Exp $");
+RCSID("$FreeBSD$");
#include "packet.h"
#include "xmalloc.h"
@@ -38,7 +39,7 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
/* Get IP address of client. */
fromlen = sizeof(from);
memset(&from, 0, sizeof(from));
- if (getpeername(socket, (struct sockaddr *)&from, &fromlen) < 0) {
+ if (getpeername(socket, (struct sockaddr *) &from, &fromlen) < 0) {
debug("getpeername failed: %.100s", strerror(errno));
fatal_cleanup();
}
@@ -59,14 +60,11 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
memset(&from, 0, sizeof(from));
from4->sin_family = AF_INET;
- fromlen = sizeof(*from4);
memcpy(&from4->sin_addr, &addr, sizeof(addr));
from4->sin_port = port;
}
}
#endif
- if (from.ss_family == AF_INET6)
- fromlen = sizeof(struct sockaddr_in6);
if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),
NULL, 0, NI_NUMERICHOST) != 0)
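Review bot: After the v4-mapped branch rewrites `from` as a `struct sockaddr_in` (`from4->sin_family = AF_INET`), `fromlen` still holds the length getpeername() returned for the IPv6 socket, because the `fromlen = sizeof(*from4);` line is gone; getnameinfo() is then called with an AF_INET sockaddr and an IPv6-sized length, which stricter implementations reject. Restore `fromlen = sizeof(*from4);` in that branch. The removed `if (from.ss_family == AF_INET6) fromlen = sizeof(struct sockaddr_in6);` likewise existed to normalise the length on platforms that return a larger value; if it is being dropped on purpose, the reason belongs in a comment. get_remote_hostname continues outside the hunk.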
@@ -205,8 +203,8 @@ get_canonical_hostname(int verify_reverse_mapping)
}
/*
- * Returns the local/remote IP-address/hostname of socket as a string.
- * The returned string must be freed.
+ * Returns the remote IP-address of socket as a string. The returned
+ * string must be freed.
*/
static char *
get_socket_address(int socket, int remote, int flags)
@@ -228,15 +226,10 @@ get_socket_address(int socket, int remote, int flags)
< 0)
return NULL;
}
-
- /* Work around Linux IPv6 weirdness */
- if (addr.ss_family == AF_INET6)
- addrlen = sizeof(struct sockaddr_in6);
-
/* Get the address in ascii. */
if (getnameinfo((struct sockaddr *)&addr, addrlen, ntop, sizeof(ntop),
NULL, 0, flags) != 0) {
- error("get_socket_address: getnameinfo %d failed", flags);
+ error("get_socket_ipaddr: getnameinfo %d failed", flags);
return NULL;
}
return xstrdup(ntop);
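Review bot: The new error text names `get_socket_ipaddr`, but the enclosing function is get_socket_address (visible in the hunk header), so the log line would point operators at a function that does not exist here; keep `error("get_socket_address: getnameinfo %d failed", flags);`. Since this is the line that reports a failed peer-address lookup, a misleading function name is worth fixing before it reaches logs.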
@@ -322,16 +315,11 @@ get_sock_port(int sock, int local)
return 0;
}
} else {
- if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) {
+ if (getpeername(sock, (struct sockaddr *) & from, &fromlen) < 0) {
debug("getpeername failed: %.100s", strerror(errno));
fatal_cleanup();
}
}
-
- /* Work around Linux IPv6 weirdness */
- if (from.ss_family == AF_INET6)
- fromlen = sizeof(struct sockaddr_in6);
-
/* Return port number. */
if (getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0,
strport, sizeof(strport), NI_NUMERICSERV) != 0)
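Review bot: `(struct sockaddr *) & from` on the getpeername() line is inconsistent with `(struct sockaddr *)&from` used two lines below in the getnameinfo() call and in the rest of this file; the space after the `&` reads like a split operand and should be `(struct sockaddr *)&from`. The same cast in get_remote_hostname earlier in this file was also respaced differently from its neighbours. get_sock_port continues outside the hunk.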
diff --git a/crypto/openssh/channels.c b/crypto/openssh/channels.c
index 1937b02..cad8b8e 100644
--- a/crypto/openssh/channels.c
+++ b/crypto/openssh/channels.c
@@ -39,7 +39,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.187 2003/03/05 22:33:43 markus Exp $");
+RCSID("$OpenBSD: channels.c,v 1.183 2002/09/17 07:47:02 itojun Exp $");
+RCSID("$FreeBSD$");
#include "ssh.h"
#include "ssh1.h"
@@ -413,13 +414,13 @@ channel_not_very_much_buffered_data(void)
#if 0
if (!compat20 &&
buffer_len(&c->input) > packet_get_maxsize()) {
- debug2("channel %d: big input buffer %d",
+ debug("channel %d: big input buffer %d",
c->self, buffer_len(&c->input));
return 0;
}
#endif
if (buffer_len(&c->output) > packet_get_maxsize()) {
- debug2("channel %d: big output buffer %d > %d",
+ debug("channel %d: big output buffer %d > %d",
c->self, buffer_len(&c->output),
packet_get_maxsize());
return 0;
@@ -578,7 +579,7 @@ channel_send_open(int id)
log("channel_send_open: %d: bad id", id);
return;
}
- debug2("channel %d: send open", id);
+ debug("send channel open %d", id);
packet_start(SSH2_MSG_CHANNEL_OPEN);
packet_put_cstring(c->ctype);
packet_put_int(c->self);
@@ -588,15 +589,15 @@ channel_send_open(int id)
}
void
-channel_request_start(int id, char *service, int wantconfirm)
+channel_request_start(int local_id, char *service, int wantconfirm)
{
- Channel *c = channel_lookup(id);
+ Channel *c = channel_lookup(local_id);
if (c == NULL) {
- log("channel_request_start: %d: unknown channel id", id);
+ log("channel_request_start: %d: unknown channel id", local_id);
return;
}
- debug("channel %d: request %s", id, service) ;
+ debug("channel request %d: %s", local_id, service) ;
packet_start(SSH2_MSG_CHANNEL_REQUEST);
packet_put_int(c->remote_id);
packet_put_cstring(service);
@@ -1997,7 +1998,6 @@ channel_input_port_open(int type, u_int32_t seq, void *ctxt)
c->remote_id = remote_id;
}
if (c == NULL) {
- xfree(originator_string);
packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
packet_put_int(remote_id);
packet_send();
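Review bot: The failure branch loses the `xfree(originator_string)` the old side had, so when channel_connect_to() returns NULL the string is leaked unless it is released later in the function, which this hunk does not show. The refusal branch in x11_input_open further down in this file drops its `xfree(remote_host)` the same way. If there is no later free on either path, restore `xfree(originator_string);` before `packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);` here and the matching free there; a per-open leak on a path a remote peer can trigger repeatedly is worth closing. channel_input_port_open continues on both sides of the hunk.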
@@ -2282,10 +2282,7 @@ connect_to(const char *host, u_short port)
}
sock = socket(ai->ai_family, SOCK_STREAM, 0);
if (sock < 0) {
- if (ai->ai_next == NULL)
- error("socket: %.100s", strerror(errno));
- else
- verbose("socket: %.100s", strerror(errno));
+ error("socket: %.100s", strerror(errno));
continue;
}
if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0)
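Review bot: socket() failures are now logged with error() for every entry in the addrinfo list, including address families the host simply lacks before a later entry succeeds, so a connect that ultimately works can still print an error line. The old `ai->ai_next == NULL` distinction kept error() for the last candidate only; either keep it, or use `verbose("socket: %.100s", strerror(errno));` inside the loop and report at error level only if the loop ends without a socket. connect_to continues outside the hunk.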
@@ -2610,7 +2607,6 @@ x11_input_open(int type, u_int32_t seq, void *ctxt)
/* Send refusal to the remote host. */
packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
packet_put_int(remote_id);
- xfree(remote_host);
} else {
/* Send a confirmation to the remote host. */
packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
diff --git a/crypto/openssh/channels.h b/crypto/openssh/channels.h
index bd2e925..9ff0fd9 100644
--- a/crypto/openssh/channels.h
+++ b/crypto/openssh/channels.h
@@ -1,4 +1,5 @@
/* $OpenBSD: channels.h,v 1.70 2002/06/24 14:33:27 markus Exp $ */
+/* $FreeBSD$ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
diff --git a/crypto/openssh/cipher.c b/crypto/openssh/cipher.c
index b5d3874..254bd91 100644
--- a/crypto/openssh/cipher.c
+++ b/crypto/openssh/cipher.c
@@ -35,7 +35,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: cipher.c,v 1.62 2002/11/21 22:45:31 markus Exp $");
+RCSID("$OpenBSD: cipher.c,v 1.61 2002/07/12 15:50:17 markus Exp $");
+RCSID("$FreeBSD$");
#include "xmalloc.h"
#include "log.h"
@@ -239,7 +240,7 @@ cipher_init(CipherContext *cc, Cipher *cipher,
cipher->name);
klen = EVP_CIPHER_CTX_key_length(&cc->evp);
if (klen > 0 && keylen != klen) {
- debug2("cipher_init: set keylen (%d -> %d)", klen, keylen);
+ debug("cipher_init: set keylen (%d -> %d)", klen, keylen);
if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0)
fatal("cipher_init: set keylen failed (%d -> %d)",
klen, keylen);
diff --git a/crypto/openssh/cli.c b/crypto/openssh/cli.c
deleted file mode 100644
index 8f0b2b8..0000000
--- a/crypto/openssh/cli.c
+++ /dev/null
@@ -1,231 +0,0 @@
-/* $OpenBSD: cli.c,v 1.11 2001/03/06 00:33:04 deraadt Exp $ */
-
-/*
- * Copyright (c) 2000 Markus Friedl. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: cli.c,v 1.11 2001/03/06 00:33:04 deraadt Exp $");
-
-#include "xmalloc.h"
-#include "log.h"
-#include "cli.h"
-
-#include <vis.h>
-
-static int cli_input = -1;
-static int cli_output = -1;
-static int cli_from_stdin = 0;
-
-sigset_t oset;
-sigset_t nset;
-struct sigaction nsa;
-struct sigaction osa;
-struct termios ntio;
-struct termios otio;
-int echo_modified;
-
-volatile int intr;
-
-static int
-cli_open(int from_stdin)
-{
- if (cli_input >= 0 && cli_output >= 0 && cli_from_stdin == from_stdin)
- return 1;
-
- if (from_stdin) {
- if (!cli_from_stdin && cli_input >= 0) {
- (void)close(cli_input);
- }
- cli_input = STDIN_FILENO;
- cli_output = STDERR_FILENO;
- } else {
- cli_input = cli_output = open(_PATH_TTY, O_RDWR);
- if (cli_input < 0)
- fatal("You have no controlling tty. Cannot read passphrase.");
- }
-
- cli_from_stdin = from_stdin;
-
- return cli_input >= 0 && cli_output >= 0 && cli_from_stdin == from_stdin;
-}
-
-static void
-cli_close(void)
-{
- if (!cli_from_stdin && cli_input >= 0)
- close(cli_input);
- cli_input = -1;
- cli_output = -1;
- cli_from_stdin = 0;
- return;
-}
-
-void
-intrcatch(int sig)
-{
- intr = 1;
-}
-
-static void
-cli_echo_disable(void)
-{
- sigemptyset(&nset);
- sigaddset(&nset, SIGTSTP);
- (void) sigprocmask(SIG_BLOCK, &nset, &oset);
-
- intr = 0;
-
- memset(&nsa, 0, sizeof(nsa));
- nsa.sa_handler = intrcatch;
- (void) sigaction(SIGINT, &nsa, &osa);
-
- echo_modified = 0;
- if (tcgetattr(cli_input, &otio) == 0 && (otio.c_lflag & ECHO)) {
- echo_modified = 1;
- ntio = otio;
- ntio.c_lflag &= ~(ECHO | ECHOE | ECHOK | ECHONL);
- (void) tcsetattr(cli_input, TCSANOW, &ntio);
- }
- return;
-}
-
-static void
-cli_echo_restore(void)
-{
- if (echo_modified != 0) {
- tcsetattr(cli_input, TCSANOW, &otio);
- echo_modified = 0;
- }
-
- (void) sigprocmask(SIG_SETMASK, &oset, NULL);
- (void) sigaction(SIGINT, &osa, NULL);
-
- if (intr != 0) {
- kill(getpid(), SIGINT);
- sigemptyset(&nset);
- /* XXX tty has not neccessarily drained by now? */
- sigsuspend(&nset);
- intr = 0;
- }
- return;
-}
-
-static int
-cli_read(char* buf, int size, int echo)
-{
- char ch = 0;
- int i = 0;
- int n;
-
- if (!echo)
- cli_echo_disable();
-
- while (ch != '\n') {
- n = read(cli_input, &ch, 1);
- if (n == -1 && (errno == EAGAIN || errno == EINTR))
- continue;
- if (n != 1)
- break;
- if (ch == '\n' || intr != 0)
- break;
- if (i < size)
- buf[i++] = ch;
- }
- buf[i] = '\0';
-
- if (!echo)
- cli_echo_restore();
- if (!intr && !echo)
- (void) write(cli_output, "\n", 1);
- return i;
-}
-
-static int
-cli_write(char* buf, int size)
-{
- int i, len, pos, ret = 0;
- char *output, *p;
-
- output = xmalloc(4*size);
- for (p = output, i = 0; i < size; i++) {
- if (buf[i] == '\n' || buf[i] == '\r')
- *p++ = buf[i];
- else
- p = vis(p, buf[i], 0, 0);
- }
- len = p - output;
-
- for (pos = 0; pos < len; pos += ret) {
- ret = write(cli_output, output + pos, len - pos);
- if (ret == -1) {
- xfree(output);
- return -1;
- }
- }
- xfree(output);
- return 0;
-}
-
-/*
- * Presents a prompt and returns the response allocated with xmalloc().
- * Uses /dev/tty or stdin/out depending on arg. Optionally disables echo
- * of response depending on arg. Tries to ensure that no other userland
- * buffer is storing the response.
- */
-char*
-cli_read_passphrase(char* prompt, int from_stdin, int echo_enable)
-{
- char buf[BUFSIZ];
- char* p;
-
- if (!cli_open(from_stdin))
- fatal("Cannot read passphrase.");
-
- fflush(stdout);
-
- cli_write(prompt, strlen(prompt));
- cli_read(buf, sizeof buf, echo_enable);
-
- cli_close();
-
- p = xstrdup(buf);
- memset(buf, 0, sizeof(buf));
- return (p);
-}
-
-char*
-cli_prompt(char* prompt, int echo_enable)
-{
- return cli_read_passphrase(prompt, 0, echo_enable);
-}
-
-void
-cli_mesg(char* mesg)
-{
- cli_open(0);
- cli_write(mesg, strlen(mesg));
- cli_write("\n", strlen("\n"));
- cli_close();
- return;
-}
diff --git a/crypto/openssh/cli.h b/crypto/openssh/cli.h
deleted file mode 100644
index 6f57c9b..0000000
--- a/crypto/openssh/cli.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/* $OpenBSD: cli.h,v 1.4 2001/03/01 03:38:33 deraadt Exp $ */
-
-/*
- * Copyright (c) 2000 Markus Friedl. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/* $OpenBSD: cli.h,v 1.4 2001/03/01 03:38:33 deraadt Exp $ */
-
-#ifndef CLI_H
-#define CLI_H
-
-/*
- * Presents a prompt and returns the response allocated with xmalloc().
- * Uses /dev/tty or stdin/out depending on arg. Optionally disables echo
- * of response depending on arg. Tries to ensure that no other userland
- * buffer is storing the response.
- */
-char * cli_read_passphrase(char * prompt, int from_stdin, int echo_enable);
-char * cli_prompt(char * prompt, int echo_enable);
-void cli_mesg(char * mesg);
-
-#endif /* CLI_H */
diff --git a/crypto/openssh/compat.c b/crypto/openssh/compat.c
index 5e1774a..cf78707 100644
--- a/crypto/openssh/compat.c
+++ b/crypto/openssh/compat.c
@@ -23,7 +23,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: compat.c,v 1.66 2003/04/01 10:31:26 markus Exp $");
+RCSID("$OpenBSD: compat.c,v 1.65 2002/09/27 10:42:09 mickey Exp $");
+RCSID("$FreeBSD$");
#include "buffer.h"
#include "packet.h"
@@ -85,12 +86,10 @@ compat_datafellows(const char *version)
{ "*MindTerm*", 0 },
{ "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
- SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE|
- SSH_BUG_FIRSTKEX },
+ SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE },
{ "2.1 *", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
- SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE|
- SSH_BUG_FIRSTKEX },
+ SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE },
{ "2.0.13*,"
"2.0.14*,"
"2.0.15*,"
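Review bot: The SSH_BUG_FIRSTKEX bit is removed from the datafellows entries here and in the next hunk, and its `#define` is dropped from compat.h later on this page; any remaining `datafellows & SSH_BUG_FIRSTKEX` test elsewhere in the tree would then fail to compile, so that consumer should be checked in the same change. The clients matched by the `2.1.0*`, `2.1 *` and `2.*` patterns will also lose that workaround, which is presumably the intent of the revert. compat_datafellows begins before this hunk.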
@@ -102,28 +101,26 @@ compat_datafellows(const char *version)
SSH_BUG_PKSERVICE|SSH_BUG_X11FWD|
SSH_BUG_PKOK|SSH_BUG_RSASIGMD5|
SSH_BUG_HBSERVICE|SSH_BUG_OPENFAILURE|
- SSH_BUG_DUMMYCHAN|SSH_BUG_FIRSTKEX },
+ SSH_BUG_DUMMYCHAN },
{ "2.0.11*,"
"2.0.12*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
SSH_BUG_PKSERVICE|SSH_BUG_X11FWD|
SSH_BUG_PKAUTH|SSH_BUG_PKOK|
SSH_BUG_RSASIGMD5|SSH_BUG_OPENFAILURE|
- SSH_BUG_DUMMYCHAN|SSH_BUG_FIRSTKEX },
+ SSH_BUG_DUMMYCHAN },
{ "2.0.*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
SSH_BUG_PKSERVICE|SSH_BUG_X11FWD|
SSH_BUG_PKAUTH|SSH_BUG_PKOK|
SSH_BUG_RSASIGMD5|SSH_BUG_OPENFAILURE|
- SSH_BUG_DERIVEKEY|SSH_BUG_DUMMYCHAN|
- SSH_BUG_FIRSTKEX },
+ SSH_BUG_DERIVEKEY|SSH_BUG_DUMMYCHAN },
{ "2.2.0*,"
"2.3.0*", SSH_BUG_HMAC|SSH_BUG_DEBUG|
- SSH_BUG_RSASIGMD5|SSH_BUG_FIRSTKEX },
- { "2.3.*", SSH_BUG_DEBUG|SSH_BUG_RSASIGMD5|
- SSH_BUG_FIRSTKEX },
+ SSH_BUG_RSASIGMD5 },
+ { "2.3.*", SSH_BUG_DEBUG|SSH_BUG_RSASIGMD5 },
{ "2.4", SSH_OLD_SESSIONID }, /* Van Dyke */
- { "2.*", SSH_BUG_DEBUG|SSH_BUG_FIRSTKEX },
+ { "2.*", SSH_BUG_DEBUG },
{ "3.0.*", SSH_BUG_DEBUG },
{ "3.0 SecureCRT*", SSH_OLD_SESSIONID },
{ "1.7 SecureFX*", SSH_OLD_SESSIONID },
diff --git a/crypto/openssh/compat.h b/crypto/openssh/compat.h
index 881e450..4670108 100644
--- a/crypto/openssh/compat.h
+++ b/crypto/openssh/compat.h
@@ -1,4 +1,5 @@
-/* $OpenBSD: compat.h,v 1.34 2003/04/01 10:31:26 markus Exp $ */
+/* $OpenBSD: compat.h,v 1.33 2002/09/27 10:42:09 mickey Exp $ */
+/* $FreeBSD$ */
/*
* Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved.
@@ -55,7 +56,6 @@
#define SSH_BUG_EXTEOF 0x00200000
#define SSH_BUG_K5USER 0x00400000
#define SSH_BUG_PROBE 0x00800000
-#define SSH_BUG_FIRSTKEX 0x01000000
void enable_compat13(void);
void enable_compat20(void);
diff --git a/crypto/openssh/config.h b/crypto/openssh/config.h
new file mode 100644
index 0000000..3bdc60b
--- /dev/null
+++ b/crypto/openssh/config.h
@@ -0,0 +1,908 @@
+/* config.h. Generated by configure. */
+/* config.h.in. Generated from configure.ac by autoheader. */
+/* $Id: acconfig.h,v 1.145 2002/09/26 00:38:48 tim Exp $ */
+/* $FreeBSD$ */
+
+#ifndef _CONFIG_H
+#define _CONFIG_H
+
+/* Generated automatically from acconfig.h by autoheader. */
+/* Please make your changes there */
+
+
+/* Define to a Set Process Title type if your system is */
+/* supported by bsd-setproctitle.c */
+/* #undef SPT_TYPE */
+
+/* setgroups() NOOP allowed */
+/* #undef SETGROUPS_NOOP */
+
+/* SCO workaround */
+/* #undef BROKEN_SYS_TERMIO_H */
+
+/* Define if you have SecureWare-based protected password database */
+/* #undef HAVE_SECUREWARE */
+
+/* If your header files don't define LOGIN_PROGRAM, then use this (detected) */
+/* from environment and PATH */
+#define LOGIN_PROGRAM_FALLBACK "/usr/bin/login"
+
+/* Define if your password has a pw_class field */
+#define HAVE_PW_CLASS_IN_PASSWD 1
+
+/* Define if your password has a pw_expire field */
+#define HAVE_PW_EXPIRE_IN_PASSWD 1
+
+/* Define if your password has a pw_change field */
+#define HAVE_PW_CHANGE_IN_PASSWD 1
+
+/* Define if your system uses access rights style file descriptor passing */
+/* #undef HAVE_ACCRIGHTS_IN_MSGHDR */
+
+/* Define if your system uses ancillary data style file descriptor passing */
+#define HAVE_CONTROL_IN_MSGHDR 1
+
+/* Define if you system's inet_ntoa is busted (e.g. Irix gcc issue) */
+/* #undef BROKEN_INET_NTOA */
+
+/* Define if your system defines sys_errlist[] */
+#define HAVE_SYS_ERRLIST 1
+
+/* Define if your system defines sys_nerr */
+#define HAVE_SYS_NERR 1
+
+/* Define if your system choked on IP TOS setting */
+/* #undef IP_TOS_IS_BROKEN */
+
+/* Define if you have the getuserattr function. */
+/* #undef HAVE_GETUSERATTR */
+
+/* Work around problematic Linux PAM modules handling of PAM_TTY */
+/* #undef PAM_TTY_KLUDGE */
+
+/* Use PIPES instead of a socketpair() */
+/* #undef USE_PIPES */
+
+/* Define if your snprintf is busted */
+/* #undef BROKEN_SNPRINTF */
+
+/* Define if you are on Cygwin */
+/* #undef HAVE_CYGWIN */
+
+/* Define if you have a broken realpath. */
+/* #undef BROKEN_REALPATH */
+
+/* Define if you are on NeXT */
+/* #undef HAVE_NEXT */
+
+/* Define if you are on NEWS-OS */
+/* #undef HAVE_NEWS4 */
+
+/* Define if you want to enable PAM support */
+#define USE_PAM 1
+
+/* Define if you want to enable AIX4's authenticate function */
+/* #undef WITH_AIXAUTHENTICATE */
+
+/* Define if you have/want arrays (cluster-wide session managment, not C arrays) */
+/* #undef WITH_IRIX_ARRAY */
+
+/* Define if you want IRIX project management */
+/* #undef WITH_IRIX_PROJECT */
+
+/* Define if you want IRIX audit trails */
+/* #undef WITH_IRIX_AUDIT */
+
+/* Define if you want IRIX kernel jobs */
+/* #undef WITH_IRIX_JOBS */
+
+/* Location of PRNGD/EGD random number socket */
+/* #undef PRNGD_SOCKET */
+
+/* Port number of PRNGD/EGD random number socket */
+/* #undef PRNGD_PORT */
+
+/* Builtin PRNG command timeout */
+#define ENTROPY_TIMEOUT_MSEC 200
+
+/* non-privileged user for privilege separation */
+#define SSH_PRIVSEP_USER "sshd"
+
+/* Define if you want to install preformatted manpages.*/
+/* #undef MANTYPE */
+
+/* Define if your ssl headers are included with #include <openssl/header.h> */
+#define HAVE_OPENSSL 1
+
+/* Define if you are linking against RSAref. Used only to print the right
+ * message at run-time. */
+/* #undef RSAREF */
+
+/* struct timeval */
+#define HAVE_STRUCT_TIMEVAL 1
+
+/* struct utmp and struct utmpx fields */
+#define HAVE_HOST_IN_UTMP 1
+/* #undef HAVE_HOST_IN_UTMPX */
+/* #undef HAVE_ADDR_IN_UTMP */
+/* #undef HAVE_ADDR_IN_UTMPX */
+/* #undef HAVE_ADDR_V6_IN_UTMP */
+/* #undef HAVE_ADDR_V6_IN_UTMPX */
+/* #undef HAVE_SYSLEN_IN_UTMPX */
+/* #undef HAVE_PID_IN_UTMP */
+/* #undef HAVE_TYPE_IN_UTMP */
+/* #undef HAVE_TYPE_IN_UTMPX */
+/* #undef HAVE_TV_IN_UTMP */
+/* #undef HAVE_TV_IN_UTMPX */
+/* #undef HAVE_ID_IN_UTMP */
+/* #undef HAVE_ID_IN_UTMPX */
+/* #undef HAVE_EXIT_IN_UTMP */
+#define HAVE_TIME_IN_UTMP 1
+/* #undef HAVE_TIME_IN_UTMPX */
+
+/* Define if you don't want to use your system's login() call */
+/* #undef DISABLE_LOGIN */
+
+/* Define if you don't want to use pututline() etc. to write [uw]tmp */
+/* #undef DISABLE_PUTUTLINE */
+
+/* Define if you don't want to use pututxline() etc. to write [uw]tmpx */
+/* #undef DISABLE_PUTUTXLINE */
+
+/* Define if you don't want to use lastlog */
+/* #undef DISABLE_LASTLOG */
+
+/* Define if you don't want to use lastlog in session.c */
+/* #undef NO_SSH_LASTLOG */
+
+/* Define if you don't want to use utmp */
+/* #undef DISABLE_UTMP */
+
+/* Define if you don't want to use utmpx */
+#define DISABLE_UTMPX 1
+
+/* Define if you don't want to use wtmp */
+/* #undef DISABLE_WTMP */
+
+/* Define if you don't want to use wtmpx */
+#define DISABLE_WTMPX 1
+
+/* Some systems need a utmpx entry for /bin/login to work */
+/* #undef LOGIN_NEEDS_UTMPX */
+
+/* Some versions of /bin/login need the TERM supplied on the commandline */
+/* #undef LOGIN_NEEDS_TERM */
+
+/* Define if your login program cannot handle end of options ("--") */
+/* #undef LOGIN_NO_ENDOPT */
+
+/* Define if you want to specify the path to your lastlog file */
+/* #undef CONF_LASTLOG_FILE */
+
+/* Define if you want to specify the path to your utmp file */
+#define CONF_UTMP_FILE "/var/run/utmp"
+
+/* Define if you want to specify the path to your wtmp file */
+#define CONF_WTMP_FILE "/var/log/wtmp"
+
+/* Define if you want to specify the path to your utmpx file */
+/* #undef CONF_UTMPX_FILE */
+
+/* Define if you want to specify the path to your wtmpx file */
+/* #undef CONF_WTMPX_FILE */
+
+/* Define if you want external askpass support */
+/* #undef USE_EXTERNAL_ASKPASS */
+
+/* Define if libc defines __progname */
+#define HAVE___PROGNAME 1
+
+/* Define if compiler implements __FUNCTION__ */
+#define HAVE___FUNCTION__ 1
+
+/* Define if compiler implements __func__ */
+#define HAVE___func__ 1
+
+/* Define if you want Kerberos 5 support */
+/* #undef KRB5 */
+
+/* Define this if you are using the Heimdal version of Kerberos V5 */
+/* #undef HEIMDAL */
+
+/* Define if you want Kerberos 4 support */
+/* #undef KRB4 */
+
+/* Define if you want AFS support */
+/* #undef AFS */
+
+/* Define if you want S/Key support */
+/* #undef SKEY */
+
+/* Define if you want OPIE support */
+/* #undef OPIE */
+
+/* Define if you want TCP Wrappers support */
+#define LIBWRAP 1
+
+/* Define if your libraries define login() */
+#define HAVE_LOGIN 1
+
+/* Define if your libraries define daemon() */
+#define HAVE_DAEMON 1
+
+/* Define if your libraries define getpagesize() */
+#define HAVE_GETPAGESIZE 1
+
+/* Define if xauth is found in your path */
+#define XAUTH_PATH "/usr/X11R6/bin/xauth"
+
+/* Define if you want to allow MD5 passwords */
+/* #undef HAVE_MD5_PASSWORDS */
+
+/* Define if you want to disable shadow passwords */
+/* #undef DISABLE_SHADOW */
+
+/* Define if you want to use shadow password expire field */
+/* #undef HAS_SHADOW_EXPIRE */
+
+/* Define if you have Digital Unix Security Integration Architecture */
+/* #undef HAVE_OSF_SIA */
+
+/* Define if you have getpwanam(3) [SunOS 4.x] */
+/* #undef HAVE_GETPWANAM */
+
+/* Define if you have an old version of PAM which takes only one argument */
+/* to pam_strerror */
+/* #undef HAVE_OLD_PAM */
+
+/* Define if you are using Solaris-derived PAM which passes pam_messages */
+/* to the conversation function with an extra level of indirection */
+/* #undef PAM_SUN_CODEBASE */
+
+/* Set this to your mail directory if you don't have maillock.h */
+#define MAIL_DIRECTORY "/var/mail"
+
+/* Data types */
+#define HAVE_U_INT 1
+#define HAVE_INTXX_T 1
+#define HAVE_U_INTXX_T 1
+#define HAVE_UINTXX_T 1
+#define HAVE_INT64_T 1
+#define HAVE_U_INT64_T 1
+#define HAVE_U_CHAR 1
+#define HAVE_SIZE_T 1
+#define HAVE_SSIZE_T 1
+#define HAVE_CLOCK_T 1
+#define HAVE_MODE_T 1
+#define HAVE_PID_T 1
+#define HAVE_SA_FAMILY_T 1
+#define HAVE_STRUCT_SOCKADDR_STORAGE 1
+#define HAVE_STRUCT_ADDRINFO 1
+#define HAVE_STRUCT_IN6_ADDR 1
+#define HAVE_STRUCT_SOCKADDR_IN6 1
+
+/* Fields in struct sockaddr_storage */
+#define HAVE_SS_FAMILY_IN_SS 1
+/* #undef HAVE___SS_FAMILY_IN_SS */
+
+/* Define if you have /dev/ptmx */
+/* #undef HAVE_DEV_PTMX */
+
+/* Define if you have /dev/ptc */
+/* #undef HAVE_DEV_PTS_AND_PTC */
+
+/* Define if you need to use IP address instead of hostname in $DISPLAY */
+/* #undef IPADDR_IN_DISPLAY */
+
+/* Specify default $PATH */
+/* #undef USER_PATH */
+
+/* Specify location of ssh.pid */
+#define _PATH_SSH_PIDDIR "/var/run"
+
+/* Use IPv4 for connection by default, IPv6 can still if explicity asked */
+/* #undef IPV4_DEFAULT */
+
+/* getaddrinfo is broken (if present) */
+/* #undef BROKEN_GETADDRINFO */
+
+/* Workaround more Linux IPv6 quirks */
+/* #undef DONT_TRY_OTHER_AF */
+
+/* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */
+/* #undef IPV4_IN_IPV6 */
+
+/* Define if you have BSD auth support */
+/* #undef BSD_AUTH */
+
+/* Define if X11 doesn't support AF_UNIX sockets on that system */
+/* #undef NO_X11_UNIX_SOCKETS */
+
+/* Define if the concept of ports only accessible to superusers isn't known */
+/* #undef NO_IPPORT_RESERVED_CONCEPT */
+
+/* Needed for SCO and NeXT */
+/* #undef BROKEN_SAVED_UIDS */
+
+/* Define if your system glob() function has the GLOB_ALTDIRFUNC extension */
+#define GLOB_HAS_ALTDIRFUNC 1
+
+/* Define if your system glob() function has gl_matchc options in glob_t */
+/* #undef GLOB_HAS_GL_MATCHC */
+
+/* Define in your struct dirent expects you to allocate extra space for d_name */
+/* #undef BROKEN_ONE_BYTE_DIRENT_D_NAME */
+
+/* Define if your getopt(3) defines and uses optreset */
+#define HAVE_GETOPT_OPTRESET 1
+
+/* Define on *nto-qnx systems */
+/* #undef MISSING_NFDBITS */
+
+/* Define on *nto-qnx systems */
+/* #undef MISSING_HOWMANY */
+
+/* Define on *nto-qnx systems */
+/* #undef MISSING_FD_MASK */
+
+/* Define if you want smartcard support */
+/* #undef SMARTCARD */
+
+/* Define if you want smartcard support using sectok */
+/* #undef USE_SECTOK */
+
+/* Define if you want smartcard support using OpenSC */
+/* #undef USE_OPENSC */
+
+/* Define if you want to use OpenSSL's internally seeded PRNG only */
+#define OPENSSL_PRNG_ONLY 1
+
+/* Define if you shouldn't strip 'tty' from your ttyname in [uw]tmp */
+/* #undef WITH_ABBREV_NO_TTY */
+
+/* Define if you want a different $PATH for the superuser */
+/* #undef SUPERUSER_PATH */
+
+/* Path that unprivileged child will chroot() to in privep mode */
+/* #undef PRIVSEP_PATH */
+
+/* Define if your platform needs to skip post auth file descriptor passing */
+/* #undef DISABLE_FD_PASSING */
+
+
+/* Define to 1 if the `getpgrp' function requires zero arguments. */
+#define GETPGRP_VOID 1
+
+/* Define to 1 if you have the `arc4random' function. */
+#define HAVE_ARC4RANDOM 1
+
+/* Define to 1 if you have the `b64_ntop' function. */
+/* #undef HAVE_B64_NTOP */
+
+/* Define to 1 if you have the `bcopy' function. */
+#define HAVE_BCOPY 1
+
+/* Define to 1 if you have the `bindresvport_sa' function. */
+#define HAVE_BINDRESVPORT_SA 1
+
+/* Define to 1 if you have the <bstring.h> header file. */
+/* #undef HAVE_BSTRING_H */
+
+/* Define to 1 if you have the `clock' function. */
+#define HAVE_CLOCK 1
+
+/* Define to 1 if you have the <crypt.h> header file. */
+/* #undef HAVE_CRYPT_H */
+
+/* Define to 1 if you have the `dirname' function. */
+#define HAVE_DIRNAME 1
+
+/* Define to 1 if you have the <endian.h> header file. */
+/* #undef HAVE_ENDIAN_H */
+
+/* Define to 1 if you have the `endutent' function. */
+/* #undef HAVE_ENDUTENT */
+
+/* Define to 1 if you have the `endutxent' function. */
+/* #undef HAVE_ENDUTXENT */
+
+/* Define to 1 if you have the `fchmod' function. */
+#define HAVE_FCHMOD 1
+
+/* Define to 1 if you have the `fchown' function. */
+#define HAVE_FCHOWN 1
+
+/* Define to 1 if you have the <floatingpoint.h> header file. */
+#define HAVE_FLOATINGPOINT_H 1
+
+/* Define to 1 if you have the `freeaddrinfo' function. */
+#define HAVE_FREEADDRINFO 1
+
+/* Define to 1 if you have the `futimes' function. */
+#define HAVE_FUTIMES 1
+
+/* Define to 1 if you have the `gai_strerror' function. */
+#define HAVE_GAI_STRERROR 1
+
+/* Define to 1 if you have the `getaddrinfo' function. */
+#define HAVE_GETADDRINFO 1
+
+/* Define to 1 if you have the `getcwd' function. */
+#define HAVE_GETCWD 1
+
+/* Define to 1 if you have the `getgrouplist' function. */
+#define HAVE_GETGROUPLIST 1
+
+/* Define to 1 if you have the `getluid' function. */
+/* #undef HAVE_GETLUID */
+
+/* Define to 1 if you have the `getnameinfo' function. */
+#define HAVE_GETNAMEINFO 1
+
+/* Define to 1 if you have the `getopt' function. */
+#define HAVE_GETOPT 1
+
+/* Define to 1 if you have the <getopt.h> header file. */
+#define HAVE_GETOPT_H 1
+
+/* Define to 1 if you have the `getpeereid' function. */
+#define HAVE_GETPEEREID 1
+
+/* Define to 1 if you have the `getpwanam' function. */
+/* #undef HAVE_GETPWANAM */
+
+/* Define to 1 if you have the `getrlimit' function. */
+#define HAVE_GETRLIMIT 1
+
+/* Define to 1 if you have the `getrusage' function. */
+#define HAVE_GETRUSAGE 1
+
+/* Define to 1 if you have the `gettimeofday' function. */
+#define HAVE_GETTIMEOFDAY 1
+
+/* Define to 1 if you have the `getttyent' function. */
+#define HAVE_GETTTYENT 1
+
+/* Define to 1 if you have the `getutent' function. */
+/* #undef HAVE_GETUTENT */
+
+/* Define to 1 if you have the `getutid' function. */
+/* #undef HAVE_GETUTID */
+
+/* Define to 1 if you have the `getutline' function. */
+/* #undef HAVE_GETUTLINE */
+
+/* Define to 1 if you have the `getutxent' function. */
+/* #undef HAVE_GETUTXENT */
+
+/* Define to 1 if you have the `getutxid' function. */
+/* #undef HAVE_GETUTXID */
+
+/* Define to 1 if you have the `getutxline' function. */
+/* #undef HAVE_GETUTXLINE */
+
+/* Define to 1 if you have the `glob' function. */
+#define HAVE_GLOB 1
+
+/* Define to 1 if you have the <glob.h> header file. */
+#define HAVE_GLOB_H 1
+
+/* Define to 1 if you have the <ia.h> header file. */
+/* #undef HAVE_IA_H */
+
+/* Define to 1 if you have the `inet_aton' function. */
+#define HAVE_INET_ATON 1
+
+/* Define to 1 if you have the `inet_ntoa' function. */
+#define HAVE_INET_NTOA 1
+
+/* Define to 1 if you have the `inet_ntop' function. */
+#define HAVE_INET_NTOP 1
+
+/* Define to 1 if you have the `innetgr' function. */
+#define HAVE_INNETGR 1
+
+/* Define to 1 if you have the <inttypes.h> header file. */
+#define HAVE_INTTYPES_H 1
+
+/* Define to 1 if you have the <krb.h> header file. */
+/* #undef HAVE_KRB_H */
+
+/* Define to 1 if you have the <lastlog.h> header file. */
+/* #undef HAVE_LASTLOG_H */
+
+/* Define to 1 if you have the `crypt' library (-lcrypt). */
+/* #undef HAVE_LIBCRYPT */
+
+/* Define to 1 if you have the `des' library (-ldes). */
+/* #undef HAVE_LIBDES */
+
+/* Define to 1 if you have the `des425' library (-ldes425). */
+/* #undef HAVE_LIBDES425 */
+
+/* Define to 1 if you have the `dl' library (-ldl). */
+/* #undef HAVE_LIBDL */
+
+/* Define to 1 if you have the <libgen.h> header file. */
+#define HAVE_LIBGEN_H 1
+
+/* Define to 1 if you have the `krb' library (-lkrb). */
+/* #undef HAVE_LIBKRB */
+
+/* Define to 1 if you have the `krb4' library (-lkrb4). */
+/* #undef HAVE_LIBKRB4 */
+
+/* Define to 1 if you have the `nsl' library (-lnsl). */
+/* #undef HAVE_LIBNSL */
+
+/* Define to 1 if you have the `pam' library (-lpam). */
+#define HAVE_LIBPAM 1
+
+/* Define to 1 if you have the `resolv' library (-lresolv). */
+/* #undef HAVE_LIBRESOLV */
+
+/* Define to 1 if you have the `sectok' library (-lsectok). */
+/* #undef HAVE_LIBSECTOK */
+
+/* Define to 1 if you have the `socket' library (-lsocket). */
+/* #undef HAVE_LIBSOCKET */
+
+/* Define to 1 if you have the <libutil.h> header file. */
+#define HAVE_LIBUTIL_H 1
+
+/* Define to 1 if you have the `xnet' library (-lxnet). */
+/* #undef HAVE_LIBXNET */
+
+/* Define to 1 if you have the `z' library (-lz). */
+#define HAVE_LIBZ 1
+
+/* Define to 1 if you have the <limits.h> header file. */
+#define HAVE_LIMITS_H 1
+
+/* Define to 1 if you have the <login_cap.h> header file. */
+#define HAVE_LOGIN_CAP_H 1
+
+/* Define to 1 if you have the `login_getcapbool' function. */
+#define HAVE_LOGIN_GETCAPBOOL 1
+
+/* Define to 1 if you have the <login.h> header file. */
+/* #undef HAVE_LOGIN_H */
+
+/* Define to 1 if you have the `logout' function. */
+#define HAVE_LOGOUT 1
+
+/* Define to 1 if you have the `logwtmp' function. */
+#define HAVE_LOGWTMP 1
+
+/* Define to 1 if you have the <maillock.h> header file. */
+/* #undef HAVE_MAILLOCK_H */
+
+/* Define to 1 if you have the `md5_crypt' function. */
+/* #undef HAVE_MD5_CRYPT */
+
+/* Define to 1 if you have the `memmove' function. */
+#define HAVE_MEMMOVE 1
+
+/* Define to 1 if you have the <memory.h> header file. */
+#define HAVE_MEMORY_H 1
+
+/* Define to 1 if you have the `mkdtemp' function. */
+#define HAVE_MKDTEMP 1
+
+/* Define to 1 if you have the `mmap' function. */
+#define HAVE_MMAP 1
+
+/* Define to 1 if you have the <netdb.h> header file. */
+#define HAVE_NETDB_H 1
+
+/* Define to 1 if you have the <netgroup.h> header file. */
+/* #undef HAVE_NETGROUP_H */
+
+/* Define to 1 if you have the <netinet/in_systm.h> header file. */
+#define HAVE_NETINET_IN_SYSTM_H 1
+
+/* Define to 1 if you have the `ngetaddrinfo' function. */
+/* #undef HAVE_NGETADDRINFO */
+
+/* Define to 1 if you have the `ogetaddrinfo' function. */
+/* #undef HAVE_OGETADDRINFO */
+
+/* Define to 1 if you have the `openpty' function. */
+#define HAVE_OPENPTY 1
+
+/* Define to 1 if you have the `pam_getenvlist' function. */
+#define HAVE_PAM_GETENVLIST 1
+
+/* Define to 1 if you have the <paths.h> header file. */
+#define HAVE_PATHS_H 1
+
+/* Define to 1 if you have the <pty.h> header file. */
+/* #undef HAVE_PTY_H */
+
+/* Define to 1 if you have the `pututline' function. */
+/* #undef HAVE_PUTUTLINE */
+
+/* Define to 1 if you have the `pututxline' function. */
+/* #undef HAVE_PUTUTXLINE */
+
+/* Define to 1 if you have the `readpassphrase' function. */
+#define HAVE_READPASSPHRASE 1
+
+/* Define to 1 if you have the <readpassphrase.h> header file. */
+#define HAVE_READPASSPHRASE_H 1
+
+/* Define to 1 if you have the `realpath' function. */
+#define HAVE_REALPATH 1
+
+/* Define to 1 if you have the `recvmsg' function. */
+#define HAVE_RECVMSG 1
+
+/* Define to 1 if you have the <rpc/types.h> header file. */
+#define HAVE_RPC_TYPES_H 1
+
+/* Define to 1 if you have the `rresvport_af' function. */
+#define HAVE_RRESVPORT_AF 1
+
+/* Define to 1 if you have the <sectok.h> header file. */
+/* #undef HAVE_SECTOK_H */
+
+/* Define to 1 if you have the <security/pam_appl.h> header file. */
+#define HAVE_SECURITY_PAM_APPL_H 1
+
+/* Define to 1 if you have the `sendmsg' function. */
+#define HAVE_SENDMSG 1
+
+/* Define to 1 if you have the `setdtablesize' function. */
+/* #undef HAVE_SETDTABLESIZE */
+
+/* Define to 1 if you have the `setegid' function. */
+#define HAVE_SETEGID 1
+
+/* Define to 1 if you have the `setenv' function. */
+#define HAVE_SETENV 1
+
+/* Define to 1 if you have the `seteuid' function. */
+#define HAVE_SETEUID 1
+
+/* Define to 1 if you have the `setgroups' function. */
+#define HAVE_SETGROUPS 1
+
+/* Define to 1 if you have the `setlogin' function. */
+#define HAVE_SETLOGIN 1
+
+/* Define to 1 if you have the `setluid' function. */
+/* #undef HAVE_SETLUID */
+
+/* Define to 1 if you have the `setpcred' function. */
+/* #undef HAVE_SETPCRED */
+
+/* Define to 1 if you have the `setproctitle' function. */
+#define HAVE_SETPROCTITLE 1
+
+/* Define to 1 if you have the `setresgid' function. */
+#define HAVE_SETRESGID 1
+
+/* Define to 1 if you have the `setreuid' function. */
+#define HAVE_SETREUID 1
+
+/* Define to 1 if you have the `setrlimit' function. */
+#define HAVE_SETRLIMIT 1
+
+/* Define to 1 if you have the `setsid' function. */
+#define HAVE_SETSID 1
+
+/* Define to 1 if you have the `setutent' function. */
+/* #undef HAVE_SETUTENT */
+
+/* Define to 1 if you have the `setutxent' function. */
+/* #undef HAVE_SETUTXENT */
+
+/* Define to 1 if you have the `setvbuf' function. */
+#define HAVE_SETVBUF 1
+
+/* Define to 1 if you have the <shadow.h> header file. */
+/* #undef HAVE_SHADOW_H */
+
+/* Define to 1 if you have the `sigaction' function. */
+#define HAVE_SIGACTION 1
+
+/* Define to 1 if you have the `sigvec' function. */
+#define HAVE_SIGVEC 1
+
+/* Define to 1 if the system has the type `sig_atomic_t'. */
+#define HAVE_SIG_ATOMIC_T 1
+
+/* Define to 1 if you have the `snprintf' function. */
+#define HAVE_SNPRINTF 1
+
+/* Define to 1 if you have the `socketpair' function. */
+#define HAVE_SOCKETPAIR 1
+
+/* Define to 1 if you have the <stddef.h> header file. */
+#define HAVE_STDDEF_H 1
+
+/* Define to 1 if you have the <stdint.h> header file. */
+#define HAVE_STDINT_H 1
+
+/* Define to 1 if you have the <stdlib.h> header file. */
+#define HAVE_STDLIB_H 1
+
+/* Define to 1 if you have the `strerror' function. */
+#define HAVE_STRERROR 1
+
+/* Define to 1 if you have the `strftime' function. */
+#define HAVE_STRFTIME 1
+
+/* Define to 1 if you have the <strings.h> header file. */
+#define HAVE_STRINGS_H 1
+
+/* Define to 1 if you have the <string.h> header file. */
+#define HAVE_STRING_H 1
+
+/* Define to 1 if you have the `strlcat' function. */
+#define HAVE_STRLCAT 1
+
+/* Define to 1 if you have the `strlcpy' function. */
+#define HAVE_STRLCPY 1
+
+/* Define to 1 if you have the `strmode' function. */
+#define HAVE_STRMODE 1
+
+/* Define to 1 if you have the `strsep' function. */
+#define HAVE_STRSEP 1
+
+/* Define to 1 if `st_blksize' is member of `struct stat'. */
+#define HAVE_STRUCT_STAT_ST_BLKSIZE 1
+
+/* Define to 1 if you have the `sysconf' function. */
+#define HAVE_SYSCONF 1
+
+/* Define to 1 if you have the <sys/bitypes.h> header file. */
+/* #undef HAVE_SYS_BITYPES_H */
+
+/* Define to 1 if you have the <sys/bsdtty.h> header file. */
+/* #undef HAVE_SYS_BSDTTY_H */
+
+/* Define to 1 if you have the <sys/cdefs.h> header file. */
+#define HAVE_SYS_CDEFS_H 1
+
+/* Define to 1 if you have the <sys/mman.h> header file. */
+#define HAVE_SYS_MMAN_H 1
+
+/* Define to 1 if you have the <sys/select.h> header file. */
+#define HAVE_SYS_SELECT_H 1
+
+/* Define to 1 if you have the <sys/stat.h> header file. */
+#define HAVE_SYS_STAT_H 1
+
+/* Define to 1 if you have the <sys/stropts.h> header file. */
+/* #undef HAVE_SYS_STROPTS_H */
+
+/* Define to 1 if you have the <sys/sysmacros.h> header file. */
+/* #undef HAVE_SYS_SYSMACROS_H */
+
+/* Define to 1 if you have the <sys/time.h> header file. */
+#define HAVE_SYS_TIME_H 1
+
+/* Define to 1 if you have the <sys/types.h> header file. */
+#define HAVE_SYS_TYPES_H 1
+
+/* Define to 1 if you have the <sys/un.h> header file. */
+#define HAVE_SYS_UN_H 1
+
+/* Define to 1 if you have the `tcgetpgrp' function. */
+#define HAVE_TCGETPGRP 1
+
+/* Define to 1 if you have the `time' function. */
+#define HAVE_TIME 1
+
+/* Define to 1 if you have the <time.h> header file. */
+#define HAVE_TIME_H 1
+
+/* Define to 1 if you have the <tmpdir.h> header file. */
+/* #undef HAVE_TMPDIR_H */
+
+/* Define to 1 if you have the `truncate' function. */
+#define HAVE_TRUNCATE 1
+
+/* Define to 1 if you have the <ttyent.h> header file. */
+#define HAVE_TTYENT_H 1
+
+/* Define to 1 if you have the <unistd.h> header file. */
+#define HAVE_UNISTD_H 1
+
+/* Define to 1 if you have the `updwtmp' function. */
+/* #undef HAVE_UPDWTMP */
+
+/* Define to 1 if you have the <usersec.h> header file. */
+/* #undef HAVE_USERSEC_H */
+
+/* Define to 1 if you have the <util.h> header file. */
+/* #undef HAVE_UTIL_H */
+
+/* Define to 1 if you have the `utimes' function. */
+#define HAVE_UTIMES 1
+
+/* Define to 1 if you have the <utime.h> header file. */
+#define HAVE_UTIME_H 1
+
+/* Define to 1 if you have the `utmpname' function. */
+/* #undef HAVE_UTMPNAME */
+
+/* Define to 1 if you have the `utmpxname' function. */
+/* #undef HAVE_UTMPXNAME */
+
+/* Define to 1 if you have the <utmpx.h> header file. */
+/* #undef HAVE_UTMPX_H */
+
+/* Define to 1 if you have the <utmp.h> header file. */
+#define HAVE_UTMP_H 1
+
+/* Define to 1 if you have the `vhangup' function. */
+/* #undef HAVE_VHANGUP */
+
+/* Define to 1 if you have the `vsnprintf' function. */
+#define HAVE_VSNPRINTF 1
+
+/* Define to 1 if you have the `waitpid' function. */
+#define HAVE_WAITPID 1
+
+/* Define to 1 if you have the `_getpty' function. */
+/* #undef HAVE__GETPTY */
+
+/* Define to 1 if you have the `__b64_ntop' function. */
+#define HAVE___B64_NTOP 1
+
+/* Define to the address where bug reports for this package should be sent. */
+#define PACKAGE_BUGREPORT ""
+
+/* Define to the full name of this package. */
+#define PACKAGE_NAME ""
+
+/* Define to the full name and version of this package. */
+#define PACKAGE_STRING ""
+
+/* Define to the one symbol short name of this package. */
+#define PACKAGE_TARNAME ""
+
+/* Define to the version of this package. */
+#define PACKAGE_VERSION ""
+
+/* The size of a `char', as computed by sizeof. */
+#define SIZEOF_CHAR 1
+
+/* The size of a `int', as computed by sizeof. */
+#define SIZEOF_INT 4
+
+/* The size of a `long int', as computed by sizeof. */
+#define SIZEOF_LONG_INT 4
+
+/* The size of a `long long int', as computed by sizeof. */
+#define SIZEOF_LONG_LONG_INT 8
+
+/* The size of a `short int', as computed by sizeof. */
+#define SIZEOF_SHORT_INT 2
+
+/* Define to 1 if you have the ANSI C header files. */
+#define STDC_HEADERS 1
+
+/* Define to 1 if your processor stores words with the most significant byte
+ first (like Motorola and SPARC, unlike Intel and VAX). */
+/* #undef WORDS_BIGENDIAN */
+
+/* Number of bits in a file offset, on hosts where this is settable. */
+/* #undef _FILE_OFFSET_BITS */
+
+/* Define for large files, on AIX-style hosts. */
+/* #undef _LARGE_FILES */
+
+/* Define as `__inline' if that's what the C compiler calls it, or to nothing
+ if it is not supported. */
+/* #undef inline */
+
+/* type to use in place of socklen_t if not defined */
+/* #undef socklen_t */
+
+/* ******************* Shouldn't need to edit below this line ************** */
+
+#endif /* _CONFIG_H */
diff --git a/crypto/openssh/configure.ac b/crypto/openssh/configure.ac
index 47fef0c..eef77f3 100644
--- a/crypto/openssh/configure.ac
+++ b/crypto/openssh/configure.ac
@@ -1,4 +1,5 @@
-# $Id: configure.ac,v 1.113 2003/03/21 01:18:09 mouring Exp $
+# $Id: configure.ac,v 1.89 2002/09/26 00:38:47 tim Exp $
+# $FreeBSD$
AC_INIT
AC_CONFIG_SRCDIR([ssh.c])
@@ -14,7 +15,6 @@ AC_PROG_RANLIB
AC_PROG_INSTALL
AC_PATH_PROG(AR, ar)
AC_PATH_PROGS(PERL, perl5 perl)
-AC_PATH_PROG(SED, sed)
AC_SUBST(PERL)
AC_PATH_PROG(ENT, ent)
AC_SUBST(ENT)
@@ -82,11 +82,8 @@ case "$host" in
dnl AIX handles lastlog as part of its login message
AC_DEFINE(DISABLE_LASTLOG)
AC_DEFINE(LOGIN_NEEDS_UTMPX)
- AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_CLOBBER_ARGV)
- AC_DEFINE(SETPROCTITLE_PS_PADDING, '\0')
;;
*-*-cygwin*)
- check_for_libcrypt_later=1
LIBS="$LIBS /usr/lib/textmode.o"
AC_DEFINE(HAVE_CYGWIN)
AC_DEFINE(USE_PIPES)
@@ -125,7 +122,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
AC_DEFINE(LOGIN_NEEDS_UTMPX)
AC_DEFINE(DISABLE_SHADOW)
AC_DEFINE(DISABLE_UTMP)
- AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT)
+ AC_DEFINE(SPT_TYPE,SPT_PSTAT)
LIBS="$LIBS -lsec -lsecpw"
AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
disable_ptmx_check=yes
@@ -141,7 +138,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
AC_DEFINE(LOGIN_NEEDS_UTMPX)
AC_DEFINE(DISABLE_SHADOW)
AC_DEFINE(DISABLE_UTMP)
- AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT)
+ AC_DEFINE(SPT_TYPE,SPT_PSTAT)
LIBS="$LIBS -lsec"
AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
;;
@@ -154,7 +151,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
AC_DEFINE(LOGIN_NEEDS_UTMPX)
AC_DEFINE(DISABLE_SHADOW)
AC_DEFINE(DISABLE_UTMP)
- AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT)
+ AC_DEFINE(SPT_TYPE,SPT_PSTAT)
LIBS="$LIBS -lsec"
AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
;;
@@ -181,8 +178,6 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
check_for_libcrypt_later=1
AC_DEFINE(DONT_TRY_OTHER_AF)
AC_DEFINE(PAM_TTY_KLUDGE)
- AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_CLOBBER_ARGV)
- AC_DEFINE(SETPROCTITLE_PS_PADDING, '\0')
inet6_default_4in6=yes
;;
mips-sony-bsd|mips-sony-newsos4)
@@ -216,7 +211,6 @@ mips-sony-bsd|mips-sony-newsos4)
AC_DEFINE(LOGIN_NEEDS_UTMPX)
AC_DEFINE(LOGIN_NEEDS_TERM)
AC_DEFINE(PAM_TTY_KLUDGE)
- AC_DEFINE(STREAMS_PUSH_ACQUIRES_CTTY)
# hardwire lastlog location (can't detect it on some versions)
conf_lastlog_location="/var/adm/lastlog"
AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x)
@@ -285,9 +279,6 @@ mips-sony-bsd|mips-sony-newsos4)
do_sco3_extra_lib_check=yes
;;
*-*-sco3.2v5*)
- if test -z "$GCC"; then
- CFLAGS="$CFLAGS -belf"
- fi
CPPFLAGS="$CPPFLAGS -I/usr/local/include"
LDFLAGS="$LDFLAGS -L/usr/local/lib"
LIBS="$LIBS -lprot -lx -ltinfo -lm"
@@ -300,6 +291,8 @@ mips-sony-bsd|mips-sony-newsos4)
MANTYPE=man
;;
*-*-unicosmk*)
+ no_libsocket=1
+ no_libnsl=1
AC_DEFINE(USE_PIPES)
AC_DEFINE(DISABLE_FD_PASSING)
LDFLAGS="$LDFLAGS"
@@ -307,6 +300,8 @@ mips-sony-bsd|mips-sony-newsos4)
MANTYPE=cat
;;
*-*-unicos*)
+ no_libsocket=1
+ no_libnsl=1
AC_DEFINE(USE_PIPES)
AC_DEFINE(DISABLE_FD_PASSING)
AC_DEFINE(NO_SSH_LASTLOG)
@@ -331,13 +326,11 @@ mips-sony-bsd|mips-sony-newsos4)
AC_MSG_RESULT(yes)
AC_DEFINE(HAVE_OSF_SIA)
AC_DEFINE(DISABLE_LOGIN)
- AC_DEFINE(DISABLE_FD_PASSING)
LIBS="$LIBS -lsecurity -ldb -lm -laud"
else
AC_MSG_RESULT(no)
fi
fi
- AC_DEFINE(DISABLE_FD_PASSING)
;;
*-*-nto-qnx)
@@ -385,13 +378,13 @@ AC_ARG_WITH(libs,
# Checks for header files.
AC_CHECK_HEADERS(bstring.h crypt.h endian.h floatingpoint.h \
- getopt.h glob.h ia.h lastlog.h libgen.h limits.h login.h \
+ getopt.h glob.h ia.h lastlog.h limits.h login.h \
login_cap.h maillock.h netdb.h netgroup.h \
netinet/in_systm.h paths.h pty.h readpassphrase.h \
rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
strings.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \
- sys/mman.h sys/pstat.h sys/select.h sys/stat.h \
- sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \
+ sys/mman.h sys/select.h sys/stat.h \
+ sys/stropts.h sys/sysmacros.h sys/time.h \
sys/un.h time.h tmpdir.h ttyent.h usersec.h \
util.h utime.h utmp.h utmpx.h)
@@ -548,6 +541,41 @@ int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); }
]
)
+# Check whether user wants OPIE support
+OPIE_MSG="no"
+AC_ARG_WITH(opie,
+ [ --with-opie[[=PATH]] Enable OPIE support
+ (optionally in PATH)],
+ [
+ if test "x$withval" != "xno" ; then
+
+ if test "x$withval" != "xyes" ; then
+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
+ LDFLAGS="$LDFLAGS -L${withval}/lib"
+ fi
+
+ AC_DEFINE(SKEY)
+ AC_DEFINE(OPIE)
+ LIBS="-lopie $LIBS"
+ OPIE_MSG="yes"
+
+ AC_MSG_CHECKING([for opie support])
+ AC_TRY_RUN(
+ [
+#include <sys/types.h>
+#include <stdio.h>
+#include <opie.h>
+int main() { char *ff = opie_keyinfo(""); ff=""; return 0; }
+ ],
+ [AC_MSG_RESULT(yes)],
+ [
+ AC_MSG_RESULT(no)
+ AC_MSG_ERROR([** Incomplete or missing opie libraries.])
+ ])
+ fi
+ ]
+)
+
# Check whether user wants TCP wrappers support
TCPW_MSG="no"
AC_ARG_WITH(tcp-wrappers,
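Review bot: The AC_TRY_RUN in the new --with-opie block has no fourth (cross-compiling) action, so `configure --with-opie` aborts with autoconf's "cannot run test program while cross compiling" instead of choosing a default; the S/KEY block above is cut off at the hunk edge, so I can't see whether it has the same shape. A fourth argument such as `[AC_MSG_WARN([cross compiling: assuming OPIE is usable])]` keeps the probe usable in that case. Nothing here rejects --with-skey and --with-opie being given together, in which case both SKEY and OPIE are defined and both libraries are linked; if the two are meant to be exclusive, a check like `test "x$SKEY_MSG" = "xyes" && AC_MSG_ERROR([--with-opie and --with-skey are mutually exclusive])` before the AC_DEFINE lines (assuming the S/KEY block sets SKEY_MSG earlier) would make the failure explicit rather than a link-time surprise.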
@@ -602,25 +630,18 @@ AC_ARG_WITH(tcp-wrappers,
]
)
-dnl Checks for library functions. Please keep in alphabetical order
-AC_CHECK_FUNCS(\
- arc4random __b64_ntop b64_ntop __b64_pton b64_pton basename bcopy \
- bindresvport_sa clock fchmod fchown freeaddrinfo futimes \
- gai_strerror getaddrinfo getcwd getgrouplist getnameinfo getopt \
- getpeereid _getpty getrlimit getrusage getttyent glob inet_aton \
- inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \
- mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openpty pstat \
- readpassphrase realpath recvmsg rresvport_af sendmsg setdtablesize \
- setegid setenv seteuid setgroups setlogin setpcred setproctitle \
- setresgid setreuid setrlimit setsid setvbuf sigaction sigvec \
- snprintf socketpair strerror strlcat strlcpy strmode strnvis \
- sysconf tcgetpgrp truncate utimes vhangup vsnprintf waitpid \
-)
-
-AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP))
-
-dnl Make sure strsep prototype is defined before defining HAVE_STRSEP
-AC_CHECK_DECL(strsep, [AC_CHECK_FUNCS(strsep)])
+dnl Checks for library functions.
+AC_CHECK_FUNCS(arc4random b64_ntop bcopy bindresvport_sa \
+ clock fchmod fchown freeaddrinfo futimes gai_strerror \
+ getaddrinfo getcwd getgrouplist getnameinfo getopt getpeereid\
+ getrlimit getrusage getttyent glob inet_aton inet_ntoa \
+ inet_ntop innetgr login_getcapbool md5_crypt memmove \
+ mkdtemp mmap ngetaddrinfo openpty ogetaddrinfo readpassphrase \
+ realpath recvmsg rresvport_af sendmsg setdtablesize setegid \
+ setenv seteuid setgroups setlogin setproctitle setresgid setreuid \
+ setrlimit setsid setpcred setvbuf sigaction sigvec snprintf \
+ socketpair strerror strlcat strlcpy strmode strsep sysconf tcgetpgrp \
+ truncate utimes vhangup vsnprintf waitpid __b64_ntop _getpty)
dnl IRIX and Solaris 2.5.1 have dirname() in libgen
AC_CHECK_FUNCS(dirname, [AC_CHECK_HEADERS(libgen.h)] ,[
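Review bot: `strsep` is now probed with the plain AC_CHECK_FUNCS list, so on a libc that exports strsep without declaring it in a header HAVE_STRSEP gets defined and the callers compile against an implicit declaration; wrapping it as `AC_CHECK_DECL(strsep, [AC_CHECK_FUNCS(strsep)])` on its own line, outside the big list, avoids that. The list is also not alphabetical (`setpcred` sits between `setsid` and `setvbuf`, `__b64_ntop _getpty` trail at the end), and `getpeereid\` has no space before its continuation backslash — harmless today because the next line starts with whitespace, but easy to break on the next edit. A short `dnl keep in alphabetical order` above AC_CHECK_FUNCS would help maintainers keep it that way.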
@@ -695,32 +716,6 @@ int main(void){char b[5];snprintf(b,5,"123456789");exit(b[4]!='\0');}
)
fi
-dnl see whether mkstemp() requires XXXXXX
-if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
-AC_MSG_CHECKING([for (overly) strict mkstemp])
-AC_TRY_RUN(
- [
-#include <stdlib.h>
-main() { char template[]="conftest.mkstemp-test";
-if (mkstemp(template) == -1)
- exit(1);
-unlink(template); exit(0);
-}
- ],
- [
- AC_MSG_RESULT(no)
- ],
- [
- AC_MSG_RESULT(yes)
- AC_DEFINE(HAVE_STRICT_MKSTEMP)
- ],
- [
- AC_MSG_RESULT(yes)
- AC_DEFINE(HAVE_STRICT_MKSTEMP)
- ]
-)
-fi
-
AC_FUNC_GETPGRP
# Check for PAM libs
@@ -1484,16 +1479,12 @@ if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
have_struct_timeval=1
fi
-AC_CHECK_TYPES(struct timespec)
-
-# We need int64_t or else certian parts of the compile will fail.
+# If we don't have int64_t then we can't compile sftp-server. So don't
+# even attempt to do it.
if test "x$ac_cv_have_int64_t" = "xno" -a \
"x$ac_cv_sizeof_long_int" != "x8" -a \
"x$ac_cv_sizeof_long_long_int" = "x0" ; then
- echo "OpenSSH requires int64_t support. Contact your vendor or install"
- echo "an alternative compiler (I.E., GCC) before continuing."
- echo ""
- exit 1;
+ NO_SFTP='#'
else
dnl test snprintf (broken on SCO w/gcc)
AC_TRY_RUN(
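Review bot: `NO_SFTP` is only ever assigned in the failure branch and is never initialised, so a value inherited from the environment or a config.site file (autoconf sources those before this point) would be substituted as-is by the later `AC_SUBST(NO_SFTP)`; adding `NO_SFTP=` immediately before the `if` pins the default to "enabled". The hunk also drops `AC_CHECK_TYPES(struct timespec)`; if any source in the tree is guarded by HAVE_STRUCT_TIMESPEC (I cannot see that from this diff), it will now always take its fallback path, so that removal is worth a sentence in the commit message.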
@@ -1523,6 +1514,7 @@ main() { exit(0); }
], [ true ], [ AC_DEFINE(BROKEN_SNPRINTF) ]
)
fi
+AC_SUBST(NO_SFTP)
dnl Checks for structure members
OSSH_CHECK_HEADER_FOR_FIELD(ut_host, utmp.h, HAVE_HOST_IN_UTMP)
@@ -1712,7 +1704,11 @@ AC_CACHE_CHECK([whether getopt has optreset support],
ac_cv_have_getopt_optreset, [
AC_TRY_LINK(
[
+#if HAVE_GETOPT_H
#include <getopt.h>
+#elif HAVE_UNISTD_H
+#include <unistd.h>
+#endif
],
[ extern int optreset; optreset = 0; ],
[ ac_cv_have_getopt_optreset="yes" ],
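Review bot: The new include guard tests `#if HAVE_GETOPT_H` / `#elif HAVE_UNISTD_H`, which relies on an undefined macro evaluating to 0; autoconf's HAVE_* symbols are conventionally tested with `#ifdef HAVE_GETOPT_H` / `#elif defined(HAVE_UNISTD_H)`, which reads the same and stays quiet under -Wundef. Behaviour is identical for the 1/undefined values config.h produces, so this is a style point only.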
@@ -1950,17 +1946,6 @@ AC_ARG_WITH(xauth,
]
)
-STRIP_OPT=-s
-AC_ARG_ENABLE(strip,
- [ --disable-strip Disable calling strip(1) on install],
- [
- if test "x$enableval" = "xno" ; then
- STRIP_OPT=
- fi
- ]
-)
-AC_SUBST(STRIP_OPT)
-
if test -z "$xauth_path" ; then
XAUTH_PATH="undefined"
AC_SUBST(XAUTH_PATH)
@@ -2115,11 +2100,7 @@ Edit /etc/login.conf instead.])
# include <paths.h>
#endif
#ifndef _PATH_STDPATH
-# ifdef _PATH_USERPATH /* Irix */
-# define _PATH_STDPATH _PATH_USERPATH
-# else
-# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
-# endif
+# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
#endif
#include <sys/types.h>
#include <sys/stat.h>
@@ -2527,6 +2508,7 @@ echo " KerberosV support: $KRB5_MSG"
echo " Smartcard support: $SCARD_MSG"
echo " AFS support: $AFS_MSG"
echo " S/KEY support: $SKEY_MSG"
+echo " OPIE support: $OPIE_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
@@ -2557,6 +2539,12 @@ if test "x$PAM_MSG" = "xyes" ; then
echo ""
fi
+if test ! -z "$NO_SFTP"; then
+ echo "sftp-server will be disabled. Your compiler does not "
+ echo "support 64bit integers."
+ echo ""
+fi
+
if test ! -z "$RAND_HELPER_CMDHASH" ; then
echo "WARNING: you are using the builtin random number collection "
echo "service. Please read WARNING.RNG and request that your OS "
diff --git a/crypto/openssh/dsa.c b/crypto/openssh/dsa.c
deleted file mode 100644
index 4ff4b58..0000000
--- a/crypto/openssh/dsa.c
+++ /dev/null
@@ -1,304 +0,0 @@
-/*
- * Copyright (c) 2000 Markus Friedl. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: dsa.c,v 1.11 2000/09/07 20:27:51 deraadt Exp $");
-
-#include "ssh.h"
-#include "xmalloc.h"
-#include "buffer.h"
-#include "bufaux.h"
-#include "compat.h"
-
-#include <openssl/bn.h>
-#include <openssl/dh.h>
-#include <openssl/rsa.h>
-#include <openssl/dsa.h>
-#include <openssl/evp.h>
-#include <openssl/bio.h>
-#include <openssl/pem.h>
-
-#include <openssl/hmac.h>
-#include "kex.h"
-#include "key.h"
-#include "uuencode.h"
-
-#define INTBLOB_LEN 20
-#define SIGBLOB_LEN (2*INTBLOB_LEN)
-
-Key *
-dsa_key_from_blob(char *blob, int blen)
-{
- Buffer b;
- char *ktype;
- int rlen;
- DSA *dsa;
- Key *key;
-
-#ifdef DEBUG_DSS
- dump_base64(stderr, blob, blen);
-#endif
- /* fetch & parse DSA/DSS pubkey */
- buffer_init(&b);
- buffer_append(&b, blob, blen);
- ktype = buffer_get_string(&b, NULL);
- if (strcmp(KEX_DSS, ktype) != 0) {
- error("dsa_key_from_blob: cannot handle type %s", ktype);
- buffer_free(&b);
- xfree(ktype);
- return NULL;
- }
- key = key_new(KEY_DSA);
- dsa = key->dsa;
- buffer_get_bignum2(&b, dsa->p);
- buffer_get_bignum2(&b, dsa->q);
- buffer_get_bignum2(&b, dsa->g);
- buffer_get_bignum2(&b, dsa->pub_key);
- rlen = buffer_len(&b);
- if(rlen != 0)
- error("dsa_key_from_blob: remaining bytes in key blob %d", rlen);
- buffer_free(&b);
- xfree(ktype);
-
-#ifdef DEBUG_DSS
- DSA_print_fp(stderr, dsa, 8);
-#endif
- return key;
-}
-int
-dsa_make_key_blob(Key *key, unsigned char **blobp, unsigned int *lenp)
-{
- Buffer b;
- int len;
- unsigned char *buf;
-
- if (key == NULL || key->type != KEY_DSA)
- return 0;
- buffer_init(&b);
- buffer_put_cstring(&b, KEX_DSS);
- buffer_put_bignum2(&b, key->dsa->p);
- buffer_put_bignum2(&b, key->dsa->q);
- buffer_put_bignum2(&b, key->dsa->g);
- buffer_put_bignum2(&b, key->dsa->pub_key);
- len = buffer_len(&b);
- buf = xmalloc(len);
- memcpy(buf, buffer_ptr(&b), len);
- memset(buffer_ptr(&b), 0, len);
- buffer_free(&b);
- if (lenp != NULL)
- *lenp = len;
- if (blobp != NULL)
- *blobp = buf;
- return len;
-}
-int
-dsa_sign(
- Key *key,
- unsigned char **sigp, int *lenp,
- unsigned char *data, int datalen)
-{
- unsigned char *digest;
- unsigned char *ret;
- DSA_SIG *sig;
- EVP_MD *evp_md = EVP_sha1();
- EVP_MD_CTX md;
- unsigned int rlen;
- unsigned int slen;
- unsigned int len;
- unsigned char sigblob[SIGBLOB_LEN];
- Buffer b;
-
- if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
- error("dsa_sign: no DSA key");
- return -1;
- }
- digest = xmalloc(evp_md->md_size);
- EVP_DigestInit(&md, evp_md);
- EVP_DigestUpdate(&md, data, datalen);
- EVP_DigestFinal(&md, digest, NULL);
-
- sig = DSA_do_sign(digest, evp_md->md_size, key->dsa);
- if (sig == NULL) {
- fatal("dsa_sign: cannot sign");
- }
-
- rlen = BN_num_bytes(sig->r);
- slen = BN_num_bytes(sig->s);
- if (rlen > INTBLOB_LEN || slen > INTBLOB_LEN) {
- error("bad sig size %d %d", rlen, slen);
- DSA_SIG_free(sig);
- return -1;
- }
- debug("sig size %d %d", rlen, slen);
-
- memset(sigblob, 0, SIGBLOB_LEN);
- BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
- BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
- DSA_SIG_free(sig);
-
- if (datafellows & SSH_BUG_SIGBLOB) {
- debug("datafellows");
- ret = xmalloc(SIGBLOB_LEN);
- memcpy(ret, sigblob, SIGBLOB_LEN);
- if (lenp != NULL)
- *lenp = SIGBLOB_LEN;
- if (sigp != NULL)
- *sigp = ret;
- } else {
- /* ietf-drafts */
- buffer_init(&b);
- buffer_put_cstring(&b, KEX_DSS);
- buffer_put_string(&b, sigblob, SIGBLOB_LEN);
- len = buffer_len(&b);
- ret = xmalloc(len);
- memcpy(ret, buffer_ptr(&b), len);
- buffer_free(&b);
- if (lenp != NULL)
- *lenp = len;
- if (sigp != NULL)
- *sigp = ret;
- }
- return 0;
-}
-int
-dsa_verify(
- Key *key,
- unsigned char *signature, int signaturelen,
- unsigned char *data, int datalen)
-{
- Buffer b;
- unsigned char *digest;
- DSA_SIG *sig;
- EVP_MD *evp_md = EVP_sha1();
- EVP_MD_CTX md;
- unsigned char *sigblob;
- char *txt;
- unsigned int len;
- int rlen;
- int ret;
-
- if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
- error("dsa_verify: no DSA key");
- return -1;
- }
-
- if (!(datafellows & SSH_BUG_SIGBLOB) &&
- signaturelen == SIGBLOB_LEN) {
- datafellows |= ~SSH_BUG_SIGBLOB;
- log("autodetect SSH_BUG_SIGBLOB");
- } else if ((datafellows & SSH_BUG_SIGBLOB) &&
- signaturelen != SIGBLOB_LEN) {
- log("autoremove SSH_BUG_SIGBLOB");
- datafellows &= ~SSH_BUG_SIGBLOB;
- }
-
- debug("len %d datafellows %d", signaturelen, datafellows);
-
- /* fetch signature */
- if (datafellows & SSH_BUG_SIGBLOB) {
- sigblob = signature;
- len = signaturelen;
- } else {
- /* ietf-drafts */
- char *ktype;
- buffer_init(&b);
- buffer_append(&b, (char *) signature, signaturelen);
- ktype = buffer_get_string(&b, NULL);
- if (strcmp(KEX_DSS, ktype) != 0) {
- error("dsa_verify: cannot handle type %s", ktype);
- buffer_free(&b);
- return -1;
- }
- sigblob = (unsigned char *)buffer_get_string(&b, &len);
- rlen = buffer_len(&b);
- if(rlen != 0) {
- error("remaining bytes in signature %d", rlen);
- buffer_free(&b);
- return -1;
- }
- buffer_free(&b);
- xfree(ktype);
- }
-
- if (len != SIGBLOB_LEN) {
- fatal("bad sigbloblen %d != SIGBLOB_LEN", len);
- }
-
- /* parse signature */
- sig = DSA_SIG_new();
- sig->r = BN_new();
- sig->s = BN_new();
- BN_bin2bn(sigblob, INTBLOB_LEN, sig->r);
- BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s);
-
- if (!(datafellows & SSH_BUG_SIGBLOB)) {
- memset(sigblob, 0, len);
- xfree(sigblob);
- }
-
- /* sha1 the data */
- digest = xmalloc(evp_md->md_size);
- EVP_DigestInit(&md, evp_md);
- EVP_DigestUpdate(&md, data, datalen);
- EVP_DigestFinal(&md, digest, NULL);
-
- ret = DSA_do_verify(digest, evp_md->md_size, sig, key->dsa);
-
- memset(digest, 0, evp_md->md_size);
- xfree(digest);
- DSA_SIG_free(sig);
-
- switch (ret) {
- case 1:
- txt = "correct";
- break;
- case 0:
- txt = "incorrect";
- break;
- case -1:
- default:
- txt = "error";
- break;
- }
- debug("dsa_verify: signature %s", txt);
- return ret;
-}
-
-Key *
-dsa_generate_key(unsigned int bits)
-{
- DSA *dsa = DSA_generate_parameters(bits, NULL, 0, NULL, NULL, NULL, NULL);
- Key *k;
- if (dsa == NULL) {
- fatal("DSA_generate_parameters failed");
- }
- if (!DSA_generate_key(dsa)) {
- fatal("DSA_generate_keys failed");
- }
-
- k = key_new(KEY_EMPTY);
- k->type = KEY_DSA;
- k->dsa = dsa;
- return k;
-}
diff --git a/crypto/openssh/dsa.h b/crypto/openssh/dsa.h
deleted file mode 100644
index 252e788..0000000
--- a/crypto/openssh/dsa.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (c) 2000 Markus Friedl. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#ifndef DSA_H
-#define DSA_H
-
-Key *dsa_key_from_blob(char *blob, int blen);
-int dsa_make_key_blob(Key *key, unsigned char **blobp, unsigned int *lenp);
-
-int
-dsa_sign(
- Key *key,
- unsigned char **sigp, int *lenp,
- unsigned char *data, int datalen);
-
-int
-dsa_verify(
- Key *key,
- unsigned char *signature, int signaturelen,
- unsigned char *data, int datalen);
-
-Key *
-dsa_generate_key(unsigned int bits);
-
-#endif
diff --git a/crypto/openssh/fingerprint.c b/crypto/openssh/fingerprint.c
deleted file mode 100644
index 4b0966d..0000000
--- a/crypto/openssh/fingerprint.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (c) 1999 Markus Friedl. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Markus Friedl.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$Id: fingerprint.c,v 1.6 2000/04/12 09:39:10 markus Exp $");
-
-#include "ssh.h"
-#include "xmalloc.h"
-#include <openssl/md5.h>
-
-#define FPRINT "%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x"
-
-/*
- * Generate key fingerprint in ascii format.
- * Based on ideas and code from Bjoern Groenvall <bg@sics.se>
- */
-char *
-fingerprint(BIGNUM *e, BIGNUM *n)
-{
- static char retval[80];
- MD5_CTX md;
- unsigned char d[16];
- unsigned char *buf;
- int nlen, elen;
-
- nlen = BN_num_bytes(n);
- elen = BN_num_bytes(e);
-
- buf = xmalloc(nlen + elen);
-
- BN_bn2bin(n, buf);
- BN_bn2bin(e, buf + nlen);
-
- MD5_Init(&md);
- MD5_Update(&md, buf, nlen + elen);
- MD5_Final(d, &md);
- snprintf(retval, sizeof(retval), FPRINT,
- d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7],
- d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
- memset(buf, 0, nlen + elen);
- xfree(buf);
- return retval;
-}
diff --git a/crypto/openssh/fingerprint.h b/crypto/openssh/fingerprint.h
deleted file mode 100644
index fbb0d4c..0000000
--- a/crypto/openssh/fingerprint.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (c) 1999 Markus Friedl. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Markus Friedl.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/* RCSID("$Id: fingerprint.h,v 1.3 1999/11/24 16:15:25 markus Exp $"); */
-
-#ifndef FINGERPRINT_H
-#define FINGERPRINT_H
-char *fingerprint(BIGNUM * e, BIGNUM * n);
-#endif
diff --git a/crypto/openssh/hmac.c b/crypto/openssh/hmac.c
deleted file mode 100644
index 48a1763..0000000
--- a/crypto/openssh/hmac.c
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (c) 2000 Markus Friedl. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: hmac.c,v 1.4 2000/09/07 20:27:51 deraadt Exp $");
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "getput.h"
-
-#include <openssl/hmac.h>
-
-unsigned char *
-hmac(
- EVP_MD *evp_md,
- unsigned int seqno,
- unsigned char *data, int datalen,
- unsigned char *key, int keylen)
-{
- HMAC_CTX c;
- static unsigned char m[EVP_MAX_MD_SIZE];
- unsigned char b[4];
-
- if (key == NULL)
- fatal("hmac: no key");
- HMAC_Init(&c, key, keylen, evp_md);
- PUT_32BIT(b, seqno);
- HMAC_Update(&c, b, sizeof b);
- HMAC_Update(&c, data, datalen);
- HMAC_Final(&c, m, NULL);
- HMAC_cleanup(&c);
- return(m);
-}
diff --git a/crypto/openssh/hmac.h b/crypto/openssh/hmac.h
deleted file mode 100644
index 281300e..0000000
--- a/crypto/openssh/hmac.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (c) 2000 Markus Friedl. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#ifndef HMAC_H
-#define HMAC_H
-
-unsigned char *
-hmac(
- EVP_MD *evp_md,
- unsigned int seqno,
- unsigned char *data, int datalen,
- unsigned char *key, int len);
-
-#endif
diff --git a/crypto/openssh/hostfile.c b/crypto/openssh/hostfile.c
index dcee034..36753d4 100644
--- a/crypto/openssh/hostfile.c
+++ b/crypto/openssh/hostfile.c
@@ -37,6 +37,7 @@
#include "includes.h"
RCSID("$OpenBSD: hostfile.c,v 1.30 2002/07/24 16:11:18 markus Exp $");
+RCSID("$FreeBSD$");
#include "packet.h"
#include "match.h"
diff --git a/crypto/openssh/includes.h b/crypto/openssh/includes.h
index 37d402e..1a98df4 100644
--- a/crypto/openssh/includes.h
+++ b/crypto/openssh/includes.h
@@ -1,4 +1,5 @@
/* $OpenBSD: includes.h,v 1.17 2002/01/26 16:44:22 stevesk Exp $ */
+/* $FreeBSD$ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -17,7 +18,7 @@
#define INCLUDES_H
#define RCSID(msg) \
-static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
+__RCSID(msg)
#include "config.h"
@@ -157,10 +158,6 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
# include <tmpdir.h>
#endif
-#ifdef HAVE_LIBUTIL_H
-# include <libutil.h> /* Openpty on FreeBSD at least */
-#endif
-
#include <openssl/opensslv.h> /* For OPENSSL_VERSION_NUMBER */
#include "defines.h"
diff --git a/crypto/openssh/key.c b/crypto/openssh/key.c
index 060b637..7359bba 100644
--- a/crypto/openssh/key.c
+++ b/crypto/openssh/key.c
@@ -32,13 +32,16 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: key.c,v 1.51 2003/02/12 09:33:04 markus Exp $");
+RCSID("$OpenBSD: key.c,v 1.49 2002/09/09 14:54:14 markus Exp $");
+RCSID("$FreeBSD$");
#include <openssl/evp.h>
#include "xmalloc.h"
#include "key.h"
#include "rsa.h"
+#include "ssh-dss.h"
+#include "ssh-rsa.h"
#include "uuencode.h"
#include "buffer.h"
#include "bufaux.h"
@@ -408,14 +411,14 @@ key_read(Key *ret, char **cpp)
case KEY_DSA:
space = strchr(cp, ' ');
if (space == NULL) {
- debug3("key_read: missing whitespace");
+ debug3("key_read: no space");
return -1;
}
*space = '\0';
type = key_type_from_name(cp);
*space = ' ';
if (type == KEY_UNSPEC) {
- debug3("key_read: missing keytype");
+ debug3("key_read: no key found");
return -1;
}
cp = space+1;
diff --git a/crypto/openssh/lib/Makefile b/crypto/openssh/lib/Makefile
deleted file mode 100644
index ac950a9..0000000
--- a/crypto/openssh/lib/Makefile
+++ /dev/null
@@ -1,35 +0,0 @@
-# $OpenBSD: Makefile,v 1.36 2002/06/11 15:23:29 hin Exp $
-
-.PATH: ${.CURDIR}/..
-
-LIB= ssh
-SRCS= authfd.c authfile.c bufaux.c buffer.c canohost.c channels.c \
- cipher.c compat.c compress.c crc32.c deattack.c fatal.c \
- hostfile.c log.c match.c mpaux.c nchan.c packet.c readpass.c \
- rsa.c tildexpand.c ttymodes.c xmalloc.c atomicio.c \
- key.c dispatch.c kex.c mac.c uuencode.c misc.c \
- rijndael.c ssh-dss.c ssh-rsa.c dh.c kexdh.c kexgex.c \
- scard.c monitor_wrap.c monitor_fdpass.c msg.c
-
-DEBUGLIBS= no
-NOPROFILE= yes
-NOPIC= yes
-
-install:
- @echo -n
-
-.include <bsd.own.mk>
-
-.if (${KERBEROS5:L} == "yes")
-CFLAGS+= -DKRB5 -I${DESTDIR}/usr/include/kerberosV
-.endif # KERBEROS5
-
-.if (${KERBEROS:L} == "yes")
-CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
-.if (${AFS:L} == "yes")
-CFLAGS+= -DAFS
-SRCS+= radix.c
-.endif # AFS
-.endif # KERBEROS
-
-.include <bsd.lib.mk>
diff --git a/crypto/openssh/log-client.c b/crypto/openssh/log-client.c
deleted file mode 100644
index 505c8c3..0000000
--- a/crypto/openssh/log-client.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- * All rights reserved
- * Client-side versions of debug(), log(), etc. These print to stderr.
- * This is a stripped down version of log-server.c.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose. Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- *
- * Copyright (c) 2000 Markus Friedl. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: log-client.c,v 1.12 2000/09/12 20:53:10 markus Exp $");
-
-#include "xmalloc.h"
-#include "ssh.h"
-
-static LogLevel log_level = SYSLOG_LEVEL_INFO;
-
-/* Initialize the log.
- * av0 program name (should be argv[0])
- * level logging level
- */
-
-void
-log_init(char *av0, LogLevel level, SyslogFacility ignored1, int ignored2)
-{
- switch (level) {
- case SYSLOG_LEVEL_QUIET:
- case SYSLOG_LEVEL_ERROR:
- case SYSLOG_LEVEL_FATAL:
- case SYSLOG_LEVEL_INFO:
- case SYSLOG_LEVEL_VERBOSE:
- case SYSLOG_LEVEL_DEBUG1:
- case SYSLOG_LEVEL_DEBUG2:
- case SYSLOG_LEVEL_DEBUG3:
- log_level = level;
- break;
- default:
- /* unchanged */
- break;
- }
-}
-
-#define MSGBUFSIZ 1024
-
-void
-do_log(LogLevel level, const char *fmt, va_list args)
-{
- char msgbuf[MSGBUFSIZ];
-
- if (level > log_level)
- return;
- if (level >= SYSLOG_LEVEL_DEBUG1)
- fprintf(stderr, "debug: ");
- vsnprintf(msgbuf, sizeof(msgbuf), fmt, args);
- fprintf(stderr, "%s\r\n", msgbuf);
-}
diff --git a/crypto/openssh/log-server.c b/crypto/openssh/log-server.c
deleted file mode 100644
index de3d5cf..0000000
--- a/crypto/openssh/log-server.c
+++ /dev/null
@@ -1,173 +0,0 @@
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- * All rights reserved
- * Server-side versions of debug(), log(), etc. These normally send the output
- * to the system log.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose. Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- *
- * Copyright (c) 2000 Markus Friedl. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: log-server.c,v 1.17 2000/09/12 20:53:10 markus Exp $");
-
-#include <syslog.h>
-#include "packet.h"
-#include "xmalloc.h"
-#include "ssh.h"
-
-static LogLevel log_level = SYSLOG_LEVEL_INFO;
-static int log_on_stderr = 0;
-static int log_facility = LOG_AUTH;
-
-/* Initialize the log.
- * av0 program name (should be argv[0])
- * on_stderr print also on stderr
- * level logging level
- */
-
-void
-log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
-{
- switch (level) {
- case SYSLOG_LEVEL_QUIET:
- case SYSLOG_LEVEL_ERROR:
- case SYSLOG_LEVEL_FATAL:
- case SYSLOG_LEVEL_INFO:
- case SYSLOG_LEVEL_VERBOSE:
- case SYSLOG_LEVEL_DEBUG1:
- case SYSLOG_LEVEL_DEBUG2:
- case SYSLOG_LEVEL_DEBUG3:
- log_level = level;
- break;
- default:
- fprintf(stderr, "Unrecognized internal syslog level code %d\n",
- (int) level);
- exit(1);
- }
- switch (facility) {
- case SYSLOG_FACILITY_DAEMON:
- log_facility = LOG_DAEMON;
- break;
- case SYSLOG_FACILITY_USER:
- log_facility = LOG_USER;
- break;
- case SYSLOG_FACILITY_AUTH:
- log_facility = LOG_AUTH;
- break;
- case SYSLOG_FACILITY_LOCAL0:
- log_facility = LOG_LOCAL0;
- break;
- case SYSLOG_FACILITY_LOCAL1:
- log_facility = LOG_LOCAL1;
- break;
- case SYSLOG_FACILITY_LOCAL2:
- log_facility = LOG_LOCAL2;
- break;
- case SYSLOG_FACILITY_LOCAL3:
- log_facility = LOG_LOCAL3;
- break;
- case SYSLOG_FACILITY_LOCAL4:
- log_facility = LOG_LOCAL4;
- break;
- case SYSLOG_FACILITY_LOCAL5:
- log_facility = LOG_LOCAL5;
- break;
- case SYSLOG_FACILITY_LOCAL6:
- log_facility = LOG_LOCAL6;
- break;
- case SYSLOG_FACILITY_LOCAL7:
- log_facility = LOG_LOCAL7;
- break;
- default:
- fprintf(stderr, "Unrecognized internal syslog facility code %d\n",
- (int) facility);
- exit(1);
- }
- log_on_stderr = on_stderr;
-}
-
-#define MSGBUFSIZ 1024
-
-void
-do_log(LogLevel level, const char *fmt, va_list args)
-{
- char msgbuf[MSGBUFSIZ];
- char fmtbuf[MSGBUFSIZ];
- char *txt = NULL;
- int pri = LOG_INFO;
- extern char *__progname;
-
- if (level > log_level)
- return;
- switch (level) {
- case SYSLOG_LEVEL_ERROR:
- txt = "error";
- pri = LOG_ERR;
- break;
- case SYSLOG_LEVEL_FATAL:
- txt = "fatal";
- pri = LOG_ERR;
- break;
- case SYSLOG_LEVEL_INFO:
- case SYSLOG_LEVEL_VERBOSE:
- pri = LOG_INFO;
- break;
- case SYSLOG_LEVEL_DEBUG1:
- txt = "debug1";
- pri = LOG_DEBUG;
- break;
- case SYSLOG_LEVEL_DEBUG2:
- txt = "debug2";
- pri = LOG_DEBUG;
- break;
- case SYSLOG_LEVEL_DEBUG3:
- txt = "debug3";
- pri = LOG_DEBUG;
- break;
- default:
- txt = "internal error";
- pri = LOG_ERR;
- break;
- }
- if (txt != NULL) {
- snprintf(fmtbuf, sizeof(fmtbuf), "%s: %s", txt, fmt);
- vsnprintf(msgbuf, sizeof(msgbuf), fmtbuf, args);
- } else {
- vsnprintf(msgbuf, sizeof(msgbuf), fmt, args);
- }
- if (log_on_stderr) {
- fprintf(stderr, "%s\n", msgbuf);
- } else {
- openlog(__progname, LOG_PID, log_facility);
- syslog(pri, "%.500s", msgbuf);
- closelog();
- }
-}
diff --git a/crypto/openssh/login.c b/crypto/openssh/login.c
deleted file mode 100644
index 1d59cd8..0000000
--- a/crypto/openssh/login.c
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- * All rights reserved
- * This file performs some of the things login(1) normally does. We cannot
- * easily use something like login -p -h host -f user, because there are
- * several different logins around, and it is hard to determined what kind of
- * login the current system has. Also, we want to be able to execute commands
- * on a tty.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose. Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- * Copyright (c) 1999 Theo de Raadt. All rights reserved.
- * Copyright (c) 1999 Markus Friedl. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: login.c,v 1.15 2000/09/07 20:27:52 deraadt Exp $");
-
-#include <util.h>
-#include <utmp.h>
-#include "ssh.h"
-
-/*
- * Returns the time when the user last logged in. Returns 0 if the
- * information is not available. This must be called before record_login.
- * The host the user logged in from will be returned in buf.
- */
-
-/*
- * Returns the time when the user last logged in (or 0 if no previous login
- * is found). The name of the host used last time is returned in buf.
- */
-
-unsigned long
-get_last_login_time(uid_t uid, const char *logname,
- char *buf, unsigned int bufsize)
-{
- struct lastlog ll;
- char *lastlog;
- int fd;
-
- lastlog = _PATH_LASTLOG;
- buf[0] = '\0';
-
- fd = open(lastlog, O_RDONLY);
- if (fd < 0)
- return 0;
- lseek(fd, (off_t) ((long) uid * sizeof(ll)), SEEK_SET);
- if (read(fd, &ll, sizeof(ll)) != sizeof(ll)) {
- close(fd);
- return 0;
- }
- close(fd);
- if (bufsize > sizeof(ll.ll_host) + 1)
- bufsize = sizeof(ll.ll_host) + 1;
- strncpy(buf, ll.ll_host, bufsize - 1);
- buf[bufsize - 1] = 0;
- return ll.ll_time;
-}
-
-/*
- * Records that the user has logged in. I these parts of operating systems
- * were more standardized.
- */
-
-void
-record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid,
- const char *host, struct sockaddr * addr)
-{
- int fd;
- struct lastlog ll;
- char *lastlog;
- struct utmp u;
- const char *utmp, *wtmp;
-
- /* Construct an utmp/wtmp entry. */
- memset(&u, 0, sizeof(u));
- strncpy(u.ut_line, ttyname + 5, sizeof(u.ut_line));
- u.ut_time = time(NULL);
- strncpy(u.ut_name, user, sizeof(u.ut_name));
- strncpy(u.ut_host, host, sizeof(u.ut_host));
-
- /* Figure out the file names. */
- utmp = _PATH_UTMP;
- wtmp = _PATH_WTMP;
-
- login(&u);
- lastlog = _PATH_LASTLOG;
-
- /* Update lastlog unless actually recording a logout. */
- if (strcmp(user, "") != 0) {
- /*
- * It is safer to bzero the lastlog structure first because
- * some systems might have some extra fields in it (e.g. SGI)
- */
- memset(&ll, 0, sizeof(ll));
-
- /* Update lastlog. */
- ll.ll_time = time(NULL);
- strncpy(ll.ll_line, ttyname + 5, sizeof(ll.ll_line));
- strncpy(ll.ll_host, host, sizeof(ll.ll_host));
- fd = open(lastlog, O_RDWR);
- if (fd >= 0) {
- lseek(fd, (off_t) ((long) uid * sizeof(ll)), SEEK_SET);
- if (write(fd, &ll, sizeof(ll)) != sizeof(ll))
- log("Could not write %.100s: %.100s", lastlog, strerror(errno));
- close(fd);
- }
- }
-}
-
-/* Records that the user has logged out. */
-
-void
-record_logout(pid_t pid, const char *ttyname)
-{
- const char *line = ttyname + 5; /* /dev/ttyq8 -> ttyq8 */
- if (logout(line))
- logwtmp(line, "", "");
-}
diff --git a/crypto/openssh/loginrec.c b/crypto/openssh/loginrec.c
index 6697ca7..ce2bdab 100644
--- a/crypto/openssh/loginrec.c
+++ b/crypto/openssh/loginrec.c
@@ -163,7 +163,8 @@
#include "log.h"
#include "atomicio.h"
-RCSID("$Id: loginrec.c,v 1.47 2003/03/10 00:23:07 djm Exp $");
+RCSID("$Id: loginrec.c,v 1.44 2002/09/26 00:38:49 tim Exp $");
+RCSID("$FreeBSD$");
#ifdef HAVE_UTIL_H
# include <util.h>
@@ -609,9 +610,6 @@ void
construct_utmp(struct logininfo *li,
struct utmp *ut)
{
-# ifdef HAVE_ADDR_V6_IN_UTMP
- struct sockaddr_in6 *sa6;
-# endif
memset(ut, '\0', sizeof(*ut));
/* First fill out fields used for both logins and logouts */
@@ -657,26 +655,14 @@ construct_utmp(struct logininfo *li,
/* Use strncpy because we don't necessarily want null termination */
strncpy(ut->ut_name, li->username, MIN_SIZEOF(ut->ut_name, li->username));
# ifdef HAVE_HOST_IN_UTMP
- strncpy(ut->ut_host, li->hostname, MIN_SIZEOF(ut->ut_host, li->hostname));
+ realhostname_sa(ut->ut_host, sizeof ut->ut_host,
+ &li->hostaddr.sa, li->hostaddr.sa.sa_len);
# endif
# ifdef HAVE_ADDR_IN_UTMP
/* this is just a 32-bit IP address */
if (li->hostaddr.sa.sa_family == AF_INET)
ut->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr;
# endif
-# ifdef HAVE_ADDR_V6_IN_UTMP
- /* this is just a 128-bit IPv6 address */
- if (li->hostaddr.sa.sa_family == AF_INET6) {
- sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa);
- memcpy(ut->ut_addr_v6, sa6->sin6_addr.s6_addr, 16);
- if (IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr)) {
- ut->ut_addr_v6[0] = ut->ut_addr_v6[3];
- ut->ut_addr_v6[1] = 0;
- ut->ut_addr_v6[2] = 0;
- ut->ut_addr_v6[3] = 0;
- }
- }
-# endif
}
#endif /* USE_UTMP || USE_WTMP || USE_LOGIN */
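Review bot: The result of `realhostname_sa()` on the new ut_host line is discarded, and `li->hostname` is no longer consulted at all, so a logininfo whose address was never filled in (sa_family 0, sa_len 0) records whatever the lookup writes for an unsupported family instead of the name the caller supplied. Checking the return and keeping the old copy as the fallback covers both paths: `if (realhostname_sa(ut->ut_host, sizeof ut->ut_host, &li->hostaddr.sa, li->hostaddr.sa.sa_len) == HOSTNAME_INVALIDADDR) strncpy(ut->ut_host, li->hostname, MIN_SIZEOF(ut->ut_host, li->hostname));`. As I read libutil, realhostname_sa also does a reverse lookup with forward confirmation at the moment the utmp record is built, which is a deliberate hardening over copying li->hostname but also a blocking resolver call on the login path — worth a one-line comment here. Note that the includes.h hunk earlier in this diff drops `<libutil.h>`, so the prototype now has to come from an include in loginrec.c outside this hunk, and `li->hostaddr.sa.sa_len` assumes the BSD sockaddr layout this vendor branch can rely on.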
@@ -705,9 +691,6 @@ set_utmpx_time(struct logininfo *li, struct utmpx *utx)
void
construct_utmpx(struct logininfo *li, struct utmpx *utx)
{
-# ifdef HAVE_ADDR_V6_IN_UTMP
- struct sockaddr_in6 *sa6;
-# endif
memset(utx, '\0', sizeof(*utx));
# ifdef HAVE_ID_IN_UTMPX
line_abbrevname(utx->ut_id, li->line, sizeof(utx->ut_id));
@@ -744,19 +727,6 @@ construct_utmpx(struct logininfo *li, struct utmpx *utx)
if (li->hostaddr.sa.sa_family == AF_INET)
utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr;
# endif
-# ifdef HAVE_ADDR_V6_IN_UTMP
- /* this is just a 128-bit IPv6 address */
- if (li->hostaddr.sa.sa_family == AF_INET6) {
- sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa);
- memcpy(ut->ut_addr_v6, sa6->sin6_addr.s6_addr, 16);
- if (IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr)) {
- ut->ut_addr_v6[0] = ut->ut_addr_v6[3];
- ut->ut_addr_v6[1] = 0;
- ut->ut_addr_v6[2] = 0;
- ut->ut_addr_v6[3] = 0;
- }
- }
-# endif
# ifdef HAVE_SYSLEN_IN_UTMPX
/* ut_syslen is the length of the utx_host string */
utx->ut_syslen = MIN(strlen(li->hostname), sizeof(utx->ut_host));
@@ -1345,7 +1315,6 @@ syslogin_perform_login(struct logininfo *li)
}
construct_utmp(li, ut);
login(ut);
- free(ut);
return 1;
}
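Review bot: Dropping `free(ut)` after `login(ut)` leaks the utmp record if `ut` is still obtained from malloc at the top of syslogin_perform_login, which lies outside this hunk; login(3) does not take ownership of its argument. Either restore it, `login(ut); free(ut); return 1;`, or make the record an automatic variable so nothing is allocated. The cost is one struct per login in a process that exits soon afterwards, so this is minor, but it reads as a side effect of reverting to the older upstream revision rather than an intentional change and deserves a line in the commit message.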
@@ -1523,32 +1492,22 @@ int
lastlog_get_entry(struct logininfo *li)
{
struct lastlog last;
- int fd, ret;
+ int fd;
if (!lastlog_openseek(li, &fd, O_RDONLY))
- return (0);
-
- ret = atomicio(read, fd, &last, sizeof(last));
- close(fd);
+ return 0;
- switch (ret) {
- case 0:
- memset(&last, '\0', sizeof(last));
- /* FALLTHRU */
- case sizeof(last):
- lastlog_populate_entry(li, &last);
- return (1);
- case -1:
- error("%s: Error reading from %s: %s", __func__,
+ if (atomicio(read, fd, &last, sizeof(last)) != sizeof(last)) {
+ close(fd);
+ log("lastlog_get_entry: Error reading from %s: %s",
LASTLOG_FILE, strerror(errno));
- return (0);
- default:
- error("%s: Error reading from %s: Expecting %d, got %d",
- __func__, LASTLOG_FILE, sizeof(last), ret);
- return (0);
+ return 0;
}
- /* NOTREACHED */
- return (0);
+ close(fd);
+
+ lastlog_populate_entry(li, &last);
+
+ return 1;
}
#endif /* USE_LASTLOG */
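Review bot: The rewritten read check treats a zero-length read the same as a failure, so the first login of any uid whose slot lies beyond the current end of the lastlog file — every newly created account — now logs "Error reading from …" and returns 0 instead of yielding an empty entry, and `strerror(errno)` prints whatever errno happened to hold, since a clean EOF sets nothing. The switch this hunk removes handled exactly that case (ret == 0 → memset and populate); the distinction should survive even with the other arms collapsed, with `ret` declared back alongside `fd`. The function's `int` return-type line precedes the hunk.
```c
	struct lastlog last;
	int fd, ret;
	/* … unchanged: lastlog_openseek() check … */
	ret = atomicio(read, fd, &last, sizeof(last));
	close(fd);
	if (ret == 0) {
		/* slot is past EOF: no login recorded yet, report an empty entry */
		memset(&last, '\0', sizeof(last));
	} else if (ret != sizeof(last)) {
		log("lastlog_get_entry: Error reading from %s: %s",
		    LASTLOG_FILE, strerror(errno));
		return 0;
	}
	lastlog_populate_entry(li, &last);
	return 1;
```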
diff --git a/crypto/openssh/monitor.c b/crypto/openssh/monitor.c
index bcd007e..b75c285 100644
--- a/crypto/openssh/monitor.c
+++ b/crypto/openssh/monitor.c
@@ -25,13 +25,22 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.36 2003/04/01 10:22:21 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.29 2002/09/26 11:38:43 markus Exp $");
+RCSID("$FreeBSD$");
#include <openssl/dh.h>
#ifdef SKEY
+#ifdef OPIE
+#include <opie.h>
+#define skey opie
+#define skeychallenge(k, u, c) opiechallenge((k), (u), (c))
+#define skey_haskey(u) opie_haskey((u))
+#define skey_passcheck(u, r) opie_passverify((u), (r))
+#else
#include <skey.h>
#endif
+#endif
#include "ssh.h"
#include "auth.h"
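Review bot: `#define skey opie` on the OPIE branch renames every `skey` token in the rest of the translation unit, not just the type: it rewrites the local `struct skey skey;` in mm_answer_skeyquery further down and any other identifier spelled that way, and it only keeps working as long as no later include or local uses the name for something else. The three function-like macros beside it are fine; for the type a plain typedef at the same spot, `typedef struct opie skey_t;`, used in the one declaration that needs it would be less surprising. If the token rename is kept on purpose, a one-line comment saying so, `/* OPIE's struct and calls stand in for the S/Key ones below */`, saves the next reader a search.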
@@ -118,6 +127,10 @@ int mm_answer_sessid(int, Buffer *);
#ifdef USE_PAM
int mm_answer_pam_start(int, Buffer *);
+int mm_answer_pam_init_ctx(int, Buffer *);
+int mm_answer_pam_query(int, Buffer *);
+int mm_answer_pam_respond(int, Buffer *);
+int mm_answer_pam_free_ctx(int, Buffer *);
#endif
#ifdef KRB4
@@ -163,6 +176,10 @@ struct mon_table mon_dispatch_proto20[] = {
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
+ {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
+ {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
+ {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
+ {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
#endif
#ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -205,6 +222,10 @@ struct mon_table mon_dispatch_proto15[] = {
#endif
#ifdef USE_PAM
{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
+ {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
+ {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
+ {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
+ {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
#endif
#ifdef KRB4
{MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4},
@@ -285,10 +306,6 @@ monitor_child_preauth(struct monitor *pmonitor)
if (authctxt->pw->pw_uid == 0 &&
!auth_root_allowed(auth_method))
authenticated = 0;
-#ifdef USE_PAM
- if (!do_pam_account(authctxt->pw->pw_name, NULL))
- authenticated = 0;
-#endif
}
if (ent->flags & MON_AUTHDECIDE) {
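Review bot: Removing the `do_pam_account()` call from monitor_child_preauth takes the PAM account-management stage (expired accounts, pam_nologin, access-control modules) out of the monitor's authentication decision for every method, not only keyboard-interactive; a public-key login that the account check would have refused now succeeds unless the check is redone somewhere this diff does not show. If the FreeBSD PAM device or the session setup performs it later, the commit message should say where, and a comment at this spot, `/* PAM account check moved to <location> */`, keeps it from being re-added or forgotten. monitor_child_preauth begins and ends outside this hunk.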
@@ -634,20 +651,20 @@ mm_answer_bsdauthquery(int socket, Buffer *m)
u_int numprompts;
u_int *echo_on;
char **prompts;
- u_int success;
+ int res;
- success = bsdauth_query(authctxt, &name, &infotxt, &numprompts,
- &prompts, &echo_on) < 0 ? 0 : 1;
+ res = bsdauth_query(authctxt, &name, &infotxt, &numprompts,
+ &prompts, &echo_on);
buffer_clear(m);
- buffer_put_int(m, success);
- if (success)
+ buffer_put_int(m, res);
+ if (res != -1)
buffer_put_cstring(m, prompts[0]);
- debug3("%s: sending challenge success: %u", __func__, success);
+ debug3("%s: sending challenge res: %d", __func__, res);
mm_request_send(socket, MONITOR_ANS_BSDAUTHQUERY, m);
- if (success) {
+ if (res != -1) {
xfree(name);
xfree(infotxt);
xfree(prompts);
@@ -691,16 +708,16 @@ mm_answer_skeyquery(int socket, Buffer *m)
{
struct skey skey;
char challenge[1024];
- u_int success;
+ int res;
- success = skeychallenge(&skey, authctxt->user, challenge) < 0 ? 0 : 1;
+ res = skeychallenge(&skey, authctxt->user, challenge);
buffer_clear(m);
- buffer_put_int(m, success);
- if (success)
+ buffer_put_int(m, res);
+ if (res != -1)
buffer_put_cstring(m, challenge);
- debug3("%s: sending challenge success: %u", __func__, success);
+ debug3("%s: sending challenge res: %d", __func__, res);
mm_request_send(socket, MONITOR_ANS_SKEYQUERY, m);
return (0);
@@ -747,6 +764,103 @@ mm_answer_pam_start(int socket, Buffer *m)
return (0);
}
+
+static void *pam_ctxt, *pam_authok;
+extern KbdintDevice pam_device;
+
+int
+mm_answer_pam_init_ctx(int socket, Buffer *m)
+{
+
+ debug3("%s", __func__);
+ authctxt->user = buffer_get_string(m, NULL);
+ pam_ctxt = (pam_device.init_ctx)(authctxt);
+ pam_authok = NULL;
+ buffer_clear(m);
+ if (pam_ctxt != NULL) {
+ monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1);
+ buffer_put_int(m, 1);
+ } else {
+ buffer_put_int(m, 0);
+ }
+ mm_request_send(socket, MONITOR_ANS_PAM_INIT_CTX, m);
+ return (0);
+}
+
+int
+mm_answer_pam_query(int socket, Buffer *m)
+{
+ char *name, *info, **prompts;
+ u_int num, *echo_on;
+ int i, ret;
+
+ debug3("%s", __func__);
+ pam_authok = NULL;
+ ret = (pam_device.query)(pam_ctxt, &name, &info, &num, &prompts, &echo_on);
+ if (ret == 0 && num == 0)
+ pam_authok = pam_ctxt;
+ if (num > 1 || name == NULL || info == NULL)
+ ret = -1;
+ buffer_clear(m);
+ buffer_put_int(m, ret);
+ buffer_put_cstring(m, name);
+ xfree(name);
+ buffer_put_cstring(m, info);
+ xfree(info);
+ buffer_put_int(m, num);
+ for (i = 0; i < num; ++i) {
+ buffer_put_cstring(m, prompts[i]);
+ xfree(prompts[i]);
+ buffer_put_int(m, echo_on[i]);
+ }
+ if (prompts != NULL)
+ xfree(prompts);
+ if (echo_on != NULL)
+ xfree(echo_on);
+ mm_request_send(socket, MONITOR_ANS_PAM_QUERY, m);
+ return (0);
+}
+
+int
+mm_answer_pam_respond(int socket, Buffer *m)
+{
+ char **resp;
+ u_int num;
+ int i, ret;
+
+ debug3("%s", __func__);
+ pam_authok = NULL;
+ num = buffer_get_int(m);
+ if (num > 0) {
+ resp = xmalloc(num * sizeof(char *));
+ for (i = 0; i < num; ++i)
+ resp[i] = buffer_get_string(m, NULL);
+ ret = (pam_device.respond)(pam_ctxt, num, resp);
+ for (i = 0; i < num; ++i)
+ xfree(resp[i]);
+ xfree(resp);
+ } else {
+ ret = (pam_device.respond)(pam_ctxt, num, NULL);
+ }
+ buffer_clear(m);
+ buffer_put_int(m, ret);
+ mm_request_send(socket, MONITOR_ANS_PAM_RESPOND, m);
+ auth_method = "keyboard-interactive/pam";
+ if (ret == 0)
+ pam_authok = pam_ctxt;
+ return (0);
+}
+
+int
+mm_answer_pam_free_ctx(int socket, Buffer *m)
+{
+
+ debug3("%s", __func__);
+ (pam_device.free_ctx)(pam_ctxt);
+ buffer_clear(m);
+ mm_request_send(socket, MONITOR_ANS_PAM_FREE_CTX, m);
+ return (pam_authok == pam_ctxt);
+}
#endif
static void
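Review bot: `mm_answer_pam_init_ctx` overwrites `authctxt->user` with a string supplied by the unprivileged child, after the monitor has already established and looked up that name through the earlier pwnam exchange (outside this chunk); that lets the child change the account the monitor authenticates and logs against, out of step with `authctxt->pw`, and it leaks the previous string. The monitor should keep its own copy and only confirm the child's value matches, and since the handler is permitted repeatedly (MON_ISAUTH) it should refuse a second call instead of leaking the previous context. Two smaller points in the neighbouring handlers: `mm_answer_pam_query` still passes `name` and `info` to `buffer_put_cstring` after deciding they may be NULL, which in this code base is a fatal() rather than a graceful -1, so substitute an empty string on that path; and `mm_answer_pam_respond` allocates `num * sizeof(char *)` from an unchecked count sent by the child, where a ceiling (the query side already limits prompts to one) and a count-aware allocation would be cheaper than relying on buffer_get_string to run out of data. The loop counters `i` are `int` against `u_int num`, which -Wsign-compare will flag.
```c
int
mm_answer_pam_init_ctx(int socket, Buffer *m)
{
	char *user;

	debug3("%s", __func__);
	if (pam_ctxt != NULL)
		fatal("%s: already called", __func__);
	user = buffer_get_string(m, NULL);
	/* the monitor already knows the user; the child may only confirm it */
	if (authctxt->user == NULL || strcmp(user, authctxt->user) != 0)
		fatal("%s: user mismatch", __func__);
	xfree(user);
	pam_ctxt = (pam_device.init_ctx)(authctxt);
	/* … unchanged: reply and monitor_permit … */
```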
@@ -806,9 +920,8 @@ mm_answer_keyallowed(int socket, Buffer *m)
fatal("%s: unknown key type %d", __func__, type);
break;
}
- }
- if (key != NULL)
key_free(key);
+ }
/* clear temporarily storage (used by verify) */
monitor_reset_key_state();
@@ -827,7 +940,6 @@ mm_answer_keyallowed(int socket, Buffer *m)
buffer_clear(m);
buffer_put_int(m, allowed);
- buffer_put_int(m, forced_command != NULL);
mm_append_debug(m);
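Review bot: With `buffer_put_int(m, forced_command != NULL)` gone, the monitor no longer tells the unprivileged child whether the accepted key carries a forced command; the child-side reader and its `auth_clear_options()` call are dropped in the monitor_wrap.c hunks for mm_key_allowed and mm_auth_rsa_key_allowed, and the mm_answer_rsa_keyallowed hunk below makes the same removal. Auth options are parsed only in the monitor, so any check in the child that consults `forced_command` during authentication (PermitRootLogin forced-commands-only, if it is evaluated on that side) will now see NULL whatever the key's options say. If that is intended, a comment at the child's read site such as `/* the child never learns about forced commands; the monitor enforces them */` would keep the next reader from looking for the flag. mm_answer_keyallowed's body continues outside the hunk.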
@@ -1190,7 +1302,6 @@ mm_answer_rsa_keyallowed(int socket, Buffer *m)
}
buffer_clear(m);
buffer_put_int(m, allowed);
- buffer_put_int(m, forced_command != NULL);
/* clear temporarily storage (used by generate challenge) */
monitor_reset_key_state();
@@ -1205,9 +1316,8 @@ mm_answer_rsa_keyallowed(int socket, Buffer *m)
key_blob = blob;
key_bloblen = blen;
key_blobtype = MM_RSAUSERKEY;
- }
- if (key != NULL)
key_free(key);
+ }
mm_append_debug(m);
@@ -1248,9 +1358,6 @@ mm_answer_rsa_challenge(int socket, Buffer *m)
mm_request_send(socket, MONITOR_ANS_RSACHALLENGE, m);
monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1);
-
- xfree(blob);
- key_free(key);
return (0);
}
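Review bot: Dropping `xfree(blob)` and `key_free(key)` here, and `xfree(blob)` in the mm_answer_rsa_response hunk below, leaves the blob read for the challenge unreleased if it is a fresh `buffer_get_string()` allocation rather than the saved `key_blob` (the start of mm_answer_rsa_challenge is outside the hunk, so I cannot tell which). If it is a fresh allocation, every RSA challenge round leaks it in the monitor, which is the long-lived privileged process; an `xfree(blob);` once the key is no longer needed would close that.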
@@ -1281,7 +1388,6 @@ mm_answer_rsa_response(int socket, Buffer *m)
fatal("%s: received bad response to challenge", __func__);
success = auth_rsa_verify_response(key, ssh1_challenge, response);
- xfree(blob);
key_free(key);
xfree(response);
@@ -1466,8 +1572,6 @@ mm_get_kex(Buffer *m)
(memcmp(kex->session_id, session_id2, session_id2_len) != 0))
fatal("mm_get_get: internal error: bad session id");
kex->we_need = buffer_get_int(m);
- kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
- kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->server = 1;
kex->hostkey_type = buffer_get_int(m);
kex->kex_type = buffer_get_int(m);
@@ -1561,7 +1665,7 @@ mm_get_keystate(struct monitor *pmonitor)
void *
mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
{
- size_t len = (size_t) size * ncount;
+ size_t len = size * ncount;
void *address;
if (len == 0 || ncount > SIZE_T_MAX / size)
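Review bot: Dropping the `(size_t)` cast makes `size * ncount` an unsigned-int multiplication that can wrap before it is widened to `size_t`, so on an LP64 host the product is truncated and the `ncount > SIZE_T_MAX / size` check on the next line no longer catches it (65537 * 65536 wraps to 65536 and passes both tests). Keep the widening cast: `size_t len = (size_t) size * ncount;`. mm_zalloc's body continues outside the hunk.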
diff --git a/crypto/openssh/monitor.h b/crypto/openssh/monitor.h
index 668ac98..5fd6ec2 100644
--- a/crypto/openssh/monitor.h
+++ b/crypto/openssh/monitor.h
@@ -1,4 +1,5 @@
/* $OpenBSD: monitor.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */
+/* $FreeBSD$ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -52,6 +53,10 @@ enum monitor_reqtype {
MONITOR_REQ_KRB4, MONITOR_ANS_KRB4,
MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
MONITOR_REQ_PAM_START,
+ MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
+ MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY,
+ MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
+ MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
MONITOR_REQ_TERM
};
diff --git a/crypto/openssh/monitor_wrap.c b/crypto/openssh/monitor_wrap.c
index c971413..4ca5e49 100644
--- a/crypto/openssh/monitor_wrap.c
+++ b/crypto/openssh/monitor_wrap.c
@@ -25,7 +25,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.24 2003/04/01 10:22:21 markus Exp $");
+RCSID("$OpenBSD: monitor_wrap.c,v 1.19 2002/09/26 11:38:43 markus Exp $");
+RCSID("$FreeBSD$");
#include <openssl/bn.h>
#include <openssl/dh.h>
@@ -34,7 +35,6 @@ RCSID("$OpenBSD: monitor_wrap.c,v 1.24 2003/04/01 10:22:21 markus Exp $");
#include "dh.h"
#include "kex.h"
#include "auth.h"
-#include "auth-options.h"
#include "buffer.h"
#include "bufaux.h"
#include "packet.h"
@@ -313,7 +313,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key)
Buffer m;
u_char *blob;
u_int len;
- int allowed = 0, have_forced = 0;
+ int allowed = 0;
debug3("%s entering", __func__);
@@ -335,11 +335,6 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key)
allowed = buffer_get_int(&m);
- /* fake forced command */
- auth_clear_options();
- have_forced = buffer_get_int(&m);
- forced_command = have_forced ? xstrdup("true") : NULL;
-
/* Send potential debug messages */
mm_send_debug(&m);
@@ -669,6 +664,88 @@ mm_start_pam(char *user)
buffer_free(&m);
}
+
+void *
+mm_pam_init_ctx(Authctxt *authctxt)
+{
+ Buffer m;
+ int success;
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+ buffer_put_cstring(&m, authctxt->user);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
+ success = buffer_get_int(&m);
+ if (success == 0) {
+ debug3("%s: pam_init_ctx failed", __func__);
+ buffer_free(&m);
+ return (NULL);
+ }
+ buffer_free(&m);
+ return (authctxt);
+}
+
+int
+mm_pam_query(void *ctx, char **name, char **info,
+ u_int *num, char ***prompts, u_int **echo_on)
+{
+ Buffer m;
+ int i, ret;
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_QUERY, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_QUERY", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_QUERY, &m);
+ ret = buffer_get_int(&m);
+ debug3("%s: pam_query returned %d", __func__, ret);
+ *name = buffer_get_string(&m, NULL);
+ *info = buffer_get_string(&m, NULL);
+ *num = buffer_get_int(&m);
+ *prompts = xmalloc((*num + 1) * sizeof(char *));
+ *echo_on = xmalloc((*num + 1) * sizeof(u_int));
+ for (i = 0; i < *num; ++i) {
+ (*prompts)[i] = buffer_get_string(&m, NULL);
+ (*echo_on)[i] = buffer_get_int(&m);
+ }
+ buffer_free(&m);
+ return (ret);
+}
+
+int
+mm_pam_respond(void *ctx, u_int num, char **resp)
+{
+ Buffer m;
+ int i, ret;
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+ buffer_put_int(&m, num);
+ for (i = 0; i < num; ++i)
+ buffer_put_cstring(&m, resp[i]);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_RESPOND, &m);
+ ret = buffer_get_int(&m);
+ debug3("%s: pam_respond returned %d", __func__, ret);
+ buffer_free(&m);
+ return (ret);
+}
+
+void
+mm_pam_free_ctx(void *ctxtp)
+{
+ Buffer m;
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_FREE_CTX, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_FREE_CTX", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_FREE_CTX, &m);
+ buffer_free(&m);
+}
#endif /* USE_PAM */
/* Request process termination */
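Review bot: `mm_pam_init_ctx` hands back `authctxt` as the context pointer and `mm_pam_free_ctx` ignores `ctxtp`, so the value callers hold is only a non-NULL token while the real PAM context lives in the monitor; that deserves a comment on mm_pam_init_ctx, e.g. `/* The PAM context lives in the monitor; the returned pointer is only a non-NULL token. */`. In mm_pam_query and mm_pam_respond the loop index `i` is `int` while `*num` and `num` are `u_int`, so `i < *num` compares signed with unsigned; declare `u_int i;` in both. mm_pam_query also allocates `*prompts`/`*echo_on` and returns `*name`/`*info` on the `ret != 0` path, so the caller must free them on failure as well — worth confirming against the keyboard-interactive code that consumes this device.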
@@ -720,7 +797,7 @@ mm_bsdauth_query(void *ctx, char **name, char **infotxt,
u_int *numprompts, char ***prompts, u_int **echo_on)
{
Buffer m;
- u_int success;
+ int res;
char *challenge;
debug3("%s: entering", __func__);
@@ -730,8 +807,8 @@ mm_bsdauth_query(void *ctx, char **name, char **infotxt,
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_BSDAUTHQUERY,
&m);
- success = buffer_get_int(&m);
- if (success == 0) {
+ res = buffer_get_int(&m);
+ if (res == -1) {
debug3("%s: no challenge", __func__);
buffer_free(&m);
return (-1);
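Review bot: `if (res == -1)` treats every value other than -1 as a successful challenge, whereas the old `success == 0` test was boolean; unless the monitor's MONITOR_ANS_BSDAUTHQUERY answer is guaranteed to be exactly 0 or -1 (its sender is not in this diff), `if (res < 0)` is the safer test. The same comparison is introduced in the mm_skey_query hunk further down. mm_bsdauth_query's body continues outside the hunk.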
@@ -772,13 +849,13 @@ mm_bsdauth_respond(void *ctx, u_int numresponses, char **responses)
return ((authok == 0) ? -1 : 0);
}
+#ifdef SKEY
int
mm_skey_query(void *ctx, char **name, char **infotxt,
u_int *numprompts, char ***prompts, u_int **echo_on)
{
Buffer m;
- int len;
- u_int success;
+ int len, res;
char *p, *challenge;
debug3("%s: entering", __func__);
@@ -788,8 +865,8 @@ mm_skey_query(void *ctx, char **name, char **infotxt,
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SKEYQUERY,
&m);
- success = buffer_get_int(&m);
- if (success == 0) {
+ res = buffer_get_int(&m);
+ if (res == -1) {
debug3("%s: no challenge", __func__);
buffer_free(&m);
return (-1);
@@ -835,6 +912,7 @@ mm_skey_respond(void *ctx, u_int numresponses, char **responses)
return ((authok == 0) ? -1 : 0);
}
+#endif
void
mm_ssh1_session_id(u_char session_id[16])
@@ -859,7 +937,7 @@ mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
Key *key;
u_char *blob;
u_int blen;
- int allowed = 0, have_forced = 0;
+ int allowed = 0;
debug3("%s entering", __func__);
@@ -871,11 +949,6 @@ mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
allowed = buffer_get_int(&m);
- /* fake forced command */
- auth_clear_options();
- have_forced = buffer_get_int(&m);
- forced_command = have_forced ? xstrdup("true") : NULL;
-
if (allowed && rkey != NULL) {
blob = buffer_get_string(&m, &blen);
if ((key = key_from_blob(blob, blen)) == NULL)
@@ -981,7 +1054,7 @@ mm_auth_krb4(Authctxt *authctxt, void *_auth, char **client, void *_reply)
xfree(p);
}
buffer_free(&m);
- return (success);
+ return (success);
}
#endif
diff --git a/crypto/openssh/monitor_wrap.h b/crypto/openssh/monitor_wrap.h
index d960a3d..e404be5 100644
--- a/crypto/openssh/monitor_wrap.h
+++ b/crypto/openssh/monitor_wrap.h
@@ -1,4 +1,5 @@
/* $OpenBSD: monitor_wrap.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */
+/* $FreeBSD$ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -57,6 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *);
#ifdef USE_PAM
void mm_start_pam(char *);
+void *mm_pam_init_ctx(struct Authctxt *);
+int mm_pam_query(void *, char **, char **, u_int *, char ***, u_int **);
+int mm_pam_respond(void *, u_int, char **);
+void mm_pam_free_ctx(void *);
#endif
void mm_terminate(void);
diff --git a/crypto/openssh/myproposal.h b/crypto/openssh/myproposal.h
index 62f5cfb..372ac7e 100644
--- a/crypto/openssh/myproposal.h
+++ b/crypto/openssh/myproposal.h
@@ -1,4 +1,5 @@
/* $OpenBSD: myproposal.h,v 1.14 2002/04/03 09:26:11 markus Exp $ */
+/* $FreeBSD$ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -24,7 +25,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#define KEX_DEFAULT_KEX "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"
-#define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss"
+#define KEX_DEFAULT_PK_ALG "ssh-dss,ssh-rsa"
#define KEX_DEFAULT_ENCRYPT \
"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour," \
"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se"
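Review bot: Reordering `KEX_DEFAULT_PK_ALG` to `"ssh-dss,ssh-rsa"` makes a DSA host key the preferred choice whenever the server offers both. DSA in SSH is fixed at 1024-bit keys with SHA-1 and its signatures expose the private key on a biased or reused nonce, so RSA-first is the safer default; the swap also means clients that already trust a host by its RSA key will negotiate a DSA key they have never seen and get a host-key prompt. If ssh-dss must come first for compatibility, a comment stating why would keep the next upstream merge from silently reverting it.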
diff --git a/crypto/openssh/nchan.h b/crypto/openssh/nchan.h
deleted file mode 100644
index 623eccc..0000000
--- a/crypto/openssh/nchan.h
+++ /dev/null
@@ -1,91 +0,0 @@
-/*
- * Copyright (c) 1999 Markus Friedl. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/* RCSID("$OpenBSD: nchan.h,v 1.10 2001/02/28 08:54:55 markus Exp $"); */
-
-#ifndef NCHAN_H
-#define NCHAN_H
-
-/*
- * SSH Protocol 1.5 aka New Channel Protocol
- * Thanks to Martina, Axel and everyone who left Erlangen, leaving me bored.
- * Written by Markus Friedl in October 1999
- *
- * Protocol versions 1.3 and 1.5 differ in the handshake protocol used for the
- * tear down of channels:
- *
- * 1.3: strict request-ack-protocol:
- * CLOSE ->
- * <- CLOSE_CONFIRM
- *
- * 1.5: uses variations of:
- * IEOF ->
- * <- OCLOSE
- * <- IEOF
- * OCLOSE ->
- * i.e. both sides have to close the channel
- *
- * See the debugging output from 'ssh -v' and 'sshd -d' of
- * ssh-1.2.27 as an example.
- *
- */
-
-/* ssh-proto-1.5 overloads prot-1.3-message-types */
-#define SSH_MSG_CHANNEL_INPUT_EOF SSH_MSG_CHANNEL_CLOSE
-#define SSH_MSG_CHANNEL_OUTPUT_CLOSE SSH_MSG_CHANNEL_CLOSE_CONFIRMATION
-
-/* possible input states */
-#define CHAN_INPUT_OPEN 0x01
-#define CHAN_INPUT_WAIT_DRAIN 0x02
-#define CHAN_INPUT_WAIT_OCLOSE 0x04
-#define CHAN_INPUT_CLOSED 0x08
-
-/* possible output states */
-#define CHAN_OUTPUT_OPEN 0x10
-#define CHAN_OUTPUT_WAIT_DRAIN 0x20
-#define CHAN_OUTPUT_WAIT_IEOF 0x40
-#define CHAN_OUTPUT_CLOSED 0x80
-
-#define CHAN_CLOSE_SENT 0x01
-#define CHAN_CLOSE_RCVD 0x02
-
-
-/* Channel EVENTS */
-typedef void chan_event_fn(Channel * c);
-
-/* for the input state */
-extern chan_event_fn *chan_rcvd_oclose;
-extern chan_event_fn *chan_read_failed;
-extern chan_event_fn *chan_ibuf_empty;
-
-/* for the output state */
-extern chan_event_fn *chan_rcvd_ieof;
-extern chan_event_fn *chan_write_failed;
-extern chan_event_fn *chan_obuf_empty;
-
-int chan_is_dead(Channel * c);
-
-void chan_init_iostates(Channel * c);
-void chan_init(void);
-#endif
diff --git a/crypto/openssh/packet.h b/crypto/openssh/packet.h
index 46830c3..3ff7559 100644
--- a/crypto/openssh/packet.h
+++ b/crypto/openssh/packet.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.h,v 1.37 2003/04/01 10:22:21 markus Exp $ */
+/* $OpenBSD: packet.h,v 1.35 2002/06/19 18:01:00 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
diff --git a/crypto/openssh/pty.c b/crypto/openssh/pty.c
deleted file mode 100644
index 9300bd5..0000000
--- a/crypto/openssh/pty.c
+++ /dev/null
@@ -1,275 +0,0 @@
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- * All rights reserved
- * Allocating a pseudo-terminal, and making it the controlling tty.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose. Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: pty.c,v 1.16 2000/09/07 21:13:37 markus Exp $");
-
-#include <util.h>
-#include "pty.h"
-#include "ssh.h"
-
-/* Pty allocated with _getpty gets broken if we do I_PUSH:es to it. */
-#if defined(HAVE__GETPTY) || defined(HAVE_OPENPTY)
-#undef HAVE_DEV_PTMX
-#endif
-
-#ifndef O_NOCTTY
-#define O_NOCTTY 0
-#endif
-
-/*
- * Allocates and opens a pty. Returns 0 if no pty could be allocated, or
- * nonzero if a pty was successfully allocated. On success, open file
- * descriptors for the pty and tty sides and the name of the tty side are
- * returned (the buffer must be able to hold at least 64 characters).
- */
-
-int
-pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
-{
-#if defined(HAVE_OPENPTY) || defined(BSD4_4)
- /* openpty(3) exists in OSF/1 and some other os'es */
- char buf[64];
- int i;
-
- i = openpty(ptyfd, ttyfd, buf, NULL, NULL);
- if (i < 0) {
- error("openpty: %.100s", strerror(errno));
- return 0;
- }
- strlcpy(namebuf, buf, namebuflen); /* possible truncation */
- return 1;
-#else /* HAVE_OPENPTY */
-#ifdef HAVE__GETPTY
- /*
- * _getpty(3) exists in SGI Irix 4.x, 5.x & 6.x -- it generates more
- * pty's automagically when needed
- */
- char *slave;
-
- slave = _getpty(ptyfd, O_RDWR, 0622, 0);
- if (slave == NULL) {
- error("_getpty: %.100s", strerror(errno));
- return 0;
- }
- strlcpy(namebuf, slave, namebuflen);
- /* Open the slave side. */
- *ttyfd = open(namebuf, O_RDWR | O_NOCTTY);
- if (*ttyfd < 0) {
- error("%.200s: %.100s", namebuf, strerror(errno));
- close(*ptyfd);
- return 0;
- }
- return 1;
-#else /* HAVE__GETPTY */
-#ifdef HAVE_DEV_PTMX
- /*
- * This code is used e.g. on Solaris 2.x. (Note that Solaris 2.3
- * also has bsd-style ptys, but they simply do not work.)
- */
- int ptm;
- char *pts;
-
- ptm = open("/dev/ptmx", O_RDWR | O_NOCTTY);
- if (ptm < 0) {
- error("/dev/ptmx: %.100s", strerror(errno));
- return 0;
- }
- if (grantpt(ptm) < 0) {
- error("grantpt: %.100s", strerror(errno));
- return 0;
- }
- if (unlockpt(ptm) < 0) {
- error("unlockpt: %.100s", strerror(errno));
- return 0;
- }
- pts = ptsname(ptm);
- if (pts == NULL)
- error("Slave pty side name could not be obtained.");
- strlcpy(namebuf, pts, namebuflen);
- *ptyfd = ptm;
-
- /* Open the slave side. */
- *ttyfd = open(namebuf, O_RDWR | O_NOCTTY);
- if (*ttyfd < 0) {
- error("%.100s: %.100s", namebuf, strerror(errno));
- close(*ptyfd);
- return 0;
- }
- /* Push the appropriate streams modules, as described in Solaris pts(7). */
- if (ioctl(*ttyfd, I_PUSH, "ptem") < 0)
- error("ioctl I_PUSH ptem: %.100s", strerror(errno));
- if (ioctl(*ttyfd, I_PUSH, "ldterm") < 0)
- error("ioctl I_PUSH ldterm: %.100s", strerror(errno));
- if (ioctl(*ttyfd, I_PUSH, "ttcompat") < 0)
- error("ioctl I_PUSH ttcompat: %.100s", strerror(errno));
- return 1;
-#else /* HAVE_DEV_PTMX */
-#ifdef HAVE_DEV_PTS_AND_PTC
- /* AIX-style pty code. */
- const char *name;
-
- *ptyfd = open("/dev/ptc", O_RDWR | O_NOCTTY);
- if (*ptyfd < 0) {
- error("Could not open /dev/ptc: %.100s", strerror(errno));
- return 0;
- }
- name = ttyname(*ptyfd);
- if (!name)
- fatal("Open of /dev/ptc returns device for which ttyname fails.");
- strlcpy(namebuf, name, namebuflen);
- *ttyfd = open(name, O_RDWR | O_NOCTTY);
- if (*ttyfd < 0) {
- error("Could not open pty slave side %.100s: %.100s",
- name, strerror(errno));
- close(*ptyfd);
- return 0;
- }
- return 1;
-#else /* HAVE_DEV_PTS_AND_PTC */
- /* BSD-style pty code. */
- char buf[64];
- int i;
- const char *ptymajors = "pqrstuvwxyzabcdefghijklmnoABCDEFGHIJKLMNOPQRSTUVWXYZ";
- const char *ptyminors = "0123456789abcdef";
- int num_minors = strlen(ptyminors);
- int num_ptys = strlen(ptymajors) * num_minors;
-
- for (i = 0; i < num_ptys; i++) {
- snprintf(buf, sizeof buf, "/dev/pty%c%c", ptymajors[i / num_minors],
- ptyminors[i % num_minors]);
- *ptyfd = open(buf, O_RDWR | O_NOCTTY);
- if (*ptyfd < 0)
- continue;
- snprintf(namebuf, namebuflen, "/dev/tty%c%c",
- ptymajors[i / num_minors], ptyminors[i % num_minors]);
-
- /* Open the slave side. */
- *ttyfd = open(namebuf, O_RDWR | O_NOCTTY);
- if (*ttyfd < 0) {
- error("%.100s: %.100s", namebuf, strerror(errno));
- close(*ptyfd);
- return 0;
- }
- return 1;
- }
- return 0;
-#endif /* HAVE_DEV_PTS_AND_PTC */
-#endif /* HAVE_DEV_PTMX */
-#endif /* HAVE__GETPTY */
-#endif /* HAVE_OPENPTY */
-}
-
-/* Releases the tty. Its ownership is returned to root, and permissions to 0666. */
-
-void
-pty_release(const char *ttyname)
-{
- if (chown(ttyname, (uid_t) 0, (gid_t) 0) < 0)
- error("chown %.100s 0 0 failed: %.100s", ttyname, strerror(errno));
- if (chmod(ttyname, (mode_t) 0666) < 0)
- error("chmod %.100s 0666 failed: %.100s", ttyname, strerror(errno));
-}
-
-/* Makes the tty the processes controlling tty and sets it to sane modes. */
-
-void
-pty_make_controlling_tty(int *ttyfd, const char *ttyname)
-{
- int fd;
-
- /* First disconnect from the old controlling tty. */
-#ifdef TIOCNOTTY
- fd = open("/dev/tty", O_RDWR | O_NOCTTY);
- if (fd >= 0) {
- (void) ioctl(fd, TIOCNOTTY, NULL);
- close(fd);
- }
-#endif /* TIOCNOTTY */
- if (setsid() < 0)
- error("setsid: %.100s", strerror(errno));
-
- /*
- * Verify that we are successfully disconnected from the controlling
- * tty.
- */
- fd = open("/dev/tty", O_RDWR | O_NOCTTY);
- if (fd >= 0) {
- error("Failed to disconnect from controlling tty.");
- close(fd);
- }
- /* Make it our controlling tty. */
-#ifdef TIOCSCTTY
- debug("Setting controlling tty using TIOCSCTTY.");
- /*
- * We ignore errors from this, because HPSUX defines TIOCSCTTY, but
- * returns EINVAL with these arguments, and there is absolutely no
- * documentation.
- */
- ioctl(*ttyfd, TIOCSCTTY, NULL);
-#endif /* TIOCSCTTY */
- fd = open(ttyname, O_RDWR);
- if (fd < 0)
- error("%.100s: %.100s", ttyname, strerror(errno));
- else
- close(fd);
-
- /* Verify that we now have a controlling tty. */
- fd = open("/dev/tty", O_WRONLY);
- if (fd < 0)
- error("open /dev/tty failed - could not set controlling tty: %.100s",
- strerror(errno));
- else {
- close(fd);
- }
-}
-
-/* Changes the window size associated with the pty. */
-
-void
-pty_change_window_size(int ptyfd, int row, int col,
- int xpixel, int ypixel)
-{
- struct winsize w;
- w.ws_row = row;
- w.ws_col = col;
- w.ws_xpixel = xpixel;
- w.ws_ypixel = ypixel;
- (void) ioctl(ptyfd, TIOCSWINSZ, &w);
-}
-
-void
-pty_setowner(struct passwd *pw, const char *ttyname)
-{
- struct group *grp;
- gid_t gid;
- mode_t mode;
-
- /* Determine the group to make the owner of the tty. */
- grp = getgrnam("tty");
- if (grp) {
- gid = grp->gr_gid;
- mode = S_IRUSR | S_IWUSR | S_IWGRP;
- } else {
- gid = pw->pw_gid;
- mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;
- }
-
- /* Change ownership of the tty. */
- if (chown(ttyname, pw->pw_uid, gid) < 0)
- fatal("chown(%.100s, %d, %d) failed: %.100s",
- ttyname, pw->pw_uid, gid, strerror(errno));
- if (chmod(ttyname, mode) < 0)
- fatal("chmod(%.100s, 0%o) failed: %.100s",
- ttyname, mode, strerror(errno));
-}
diff --git a/crypto/openssh/pty.h b/crypto/openssh/pty.h
deleted file mode 100644
index 13d8e60..0000000
--- a/crypto/openssh/pty.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- * All rights reserved
- * Functions for allocating a pseudo-terminal and making it the controlling
- * tty.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose. Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-/* RCSID("$OpenBSD: pty.h,v 1.8 2000/09/07 20:27:52 deraadt Exp $"); */
-
-#ifndef PTY_H
-#define PTY_H
-
-/*
- * Allocates and opens a pty. Returns 0 if no pty could be allocated, or
- * nonzero if a pty was successfully allocated. On success, open file
- * descriptors for the pty and tty sides and the name of the tty side are
- * returned (the buffer must be able to hold at least 64 characters).
- */
-int pty_allocate(int *ptyfd, int *ttyfd, char *ttyname, int ttynamelen);
-
-/*
- * Releases the tty. Its ownership is returned to root, and permissions to
- * 0666.
- */
-void pty_release(const char *ttyname);
-
-/*
- * Makes the tty the processes controlling tty and sets it to sane modes.
- * This may need to reopen the tty to get rid of possible eavesdroppers.
- */
-void pty_make_controlling_tty(int *ttyfd, const char *ttyname);
-
-/* Changes the window size associated with the pty. */
-void
-pty_change_window_size(int ptyfd, int row, int col,
- int xpixel, int ypixel);
-
-void pty_setowner(struct passwd *pw, const char *ttyname);
-
-#endif /* PTY_H */
diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c
index 1df5ce2..716b542 100644
--- a/crypto/openssh/readconf.c
+++ b/crypto/openssh/readconf.c
@@ -12,7 +12,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.104 2003/04/01 10:22:21 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.100 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$FreeBSD$");
#include "ssh.h"
#include "xmalloc.h"
@@ -114,7 +115,7 @@ typedef enum {
oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- oEnableSSHKeysign,
+ oVersionAddendum,
oDeprecated
} OpCodes;
@@ -186,8 +187,8 @@ static struct {
{ "bindaddress", oBindAddress },
{ "smartcarddevice", oSmartcardDevice },
{ "clearallforwardings", oClearAllForwardings },
- { "enablesshkeysign", oEnableSSHKeysign },
{ "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
+ { "versionaddendum", oVersionAddendum },
{ NULL, oBadOption }
};
@@ -268,16 +269,14 @@ parse_token(const char *cp, const char *filename, int linenum)
* Processes a single option line as used in the configuration files. This
* only sets those values that have not already been set.
*/
-#define WHITESPACE " \t\r\n"
int
process_config_line(Options *options, const char *host,
char *line, const char *filename, int linenum,
int *activep)
{
- char buf[256], *s, **charptr, *endofnumber, *keyword, *arg;
+ char buf[256], *s, *string, **charptr, *endofnumber, *keyword, *arg;
int opcode, *intptr, value;
- size_t len;
u_short fwd_port, fwd_host_port;
char sfwd_host_port[6];
@@ -490,9 +489,16 @@ parse_string:
case oProxyCommand:
charptr = &options->proxy_command;
- len = strspn(s, WHITESPACE "=");
+ string = xstrdup("");
+ while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
+ string = xrealloc(string, strlen(string) + strlen(arg) + 2);
+ strcat(string, " ");
+ strcat(string, arg);
+ }
if (*activep && *charptr == NULL)
- *charptr = xstrdup(s + len);
+ *charptr = string;
+ else
+ xfree(string);
return 0;
case oPort:
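Review bot: Rebuilding the ProxyCommand value from `strdelim()` tokens changes what reaches the shell: the tokens are re-joined with single spaces, the result starts with a leading space, and any quoting or run of whitespace the user wrote is lost (strdelim strips quote characters elsewhere in this parser, if I read it right, which would turn `"nc %h %p"` into three separate words). The removed code kept the raw remainder of the line after `strspn(s, WHITESPACE "=")`, which preserves the command exactly. If the rejoin stays, the `xrealloc`/`strcat` loop is correctly sized (`+ 2` covers the separator and the NUL) but a comment should state that the value is re-tokenised and unquoted. process_config_line continues outside the hunk.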
@@ -666,9 +672,12 @@ parse_int:
*intptr = value;
break;
- case oEnableSSHKeysign:
- intptr = &options->enable_ssh_keysign;
- goto parse_flag;
+ case oVersionAddendum:
+ ssh_version_set_addendum(strtok(s, "\n"));
+ do {
+ arg = strdelim(&s);
+ } while (arg != NULL && *arg != '\0');
+ break;
case oDeprecated:
debug("%s line %d: Deprecated option \"%s\"",
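Review bot: `ssh_version_set_addendum(strtok(s, "\n"))` passes NULL when the remainder of the line is empty or only newlines, and `strtok` both mutates `s` and keeps static state while the rest of this function uses `strdelim`; a `\r` from a CRLF-terminated config line also survives the `"\n"` split. Since the addendum ends up in the protocol identification banner, trim `\r` as well and guard the NULL case before the call, e.g. `if ((arg = strtok(s, "\r\n")) != NULL) ssh_version_set_addendum(arg);`. The drain loop that follows presumably exists to satisfy a trailing-garbage check later in the function; a one-line comment saying so would help. process_config_line continues outside the hunk.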
@@ -793,7 +802,6 @@ initialize_options(Options * options)
options->preferred_authentications = NULL;
options->bind_address = NULL;
options->smartcard_device = NULL;
- options->enable_ssh_keysign = - 1;
options->no_host_authentication_for_localhost = - 1;
}
@@ -848,7 +856,7 @@ fill_default_options(Options * options)
if (options->batch_mode == -1)
options->batch_mode = 0;
if (options->check_host_ip == -1)
- options->check_host_ip = 1;
+ options->check_host_ip = 0;
if (options->strict_host_key_checking == -1)
options->strict_host_key_checking = 2; /* 2 is default */
if (options->compression == -1)
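Review bot: Changing the `check_host_ip` default from 1 to 0 turns CheckHostIP off unless the user sets it, which drops the secondary known_hosts lookup by IP address that lets the client notice a host key presented under a different address than the one it has on record; that lookup is a detection aid against DNS spoofing, so a defaults change here should be reflected in ssh_config(5) and carry a comment explaining why this tree deviates from upstream, e.g. `/* FreeBSD: CheckHostIP defaults to no; see ssh_config(5) */`. fill_default_options continues outside the hunk.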
@@ -909,8 +917,6 @@ fill_default_options(Options * options)
clear_forwardings(options);
if (options->no_host_authentication_for_localhost == - 1)
options->no_host_authentication_for_localhost = 0;
- if (options->enable_ssh_keysign == -1)
- options->enable_ssh_keysign = 0;
/* options->proxy_command should not be set by default */
/* options->user will be set in the main program if appropriate */
/* options->hostname will be set in the main program if appropriate */
diff --git a/crypto/openssh/readconf.h b/crypto/openssh/readconf.h
index 78e04fe..92af535 100644
--- a/crypto/openssh/readconf.h
+++ b/crypto/openssh/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.46 2003/04/01 10:22:21 markus Exp $ */
+/* $OpenBSD: readconf.h,v 1.43 2002/06/08 05:17:01 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -99,8 +99,6 @@ typedef struct {
int num_remote_forwards;
Forward remote_forwards[SSH_MAX_FORWARDS_PER_DIRECTION];
int clear_forwardings;
-
- int enable_ssh_keysign;
int no_host_authentication_for_localhost;
} Options;
diff --git a/crypto/openssh/rijndael.c b/crypto/openssh/rijndael.c
index 6965ca3..5786025 100644
--- a/crypto/openssh/rijndael.c
+++ b/crypto/openssh/rijndael.c
@@ -1,4 +1,5 @@
/* $OpenBSD: rijndael.c,v 1.14 2002/07/10 17:53:54 deraadt Exp $ */
+/* $FreeBSD$ */
/**
* rijndael-alg-fst.c
diff --git a/crypto/openssh/scard/Makefile b/crypto/openssh/scard/Makefile
deleted file mode 100644
index 1cf7bbd..0000000
--- a/crypto/openssh/scard/Makefile
+++ /dev/null
@@ -1,20 +0,0 @@
-# $OpenBSD: Makefile,v 1.2 2001/06/29 07:02:09 markus Exp $
-
-.PATH: ${.CURDIR}/..
-
-CARDLET= Ssh.bin
-DATADIR= /usr/libdata/ssh
-
-all: ${CARDLET}
-
-clean:
- rm -f ${CARDLET}
-
-install: ${CARDLET}
- install -c -m ${LIBMODE} -o ${LIBOWN} -g ${LIBGRP} \
- ${CARDLET} ${DESTDIR}${DATADIR}
-
-Ssh.bin: ${.CURDIR}/Ssh.bin.uu
- uudecode ${.CURDIR}/$@.uu
-
-.include <bsd.prog.mk>
diff --git a/crypto/openssh/scp-common.c b/crypto/openssh/scp-common.c
deleted file mode 100644
index 7e5f09c..0000000
--- a/crypto/openssh/scp-common.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * Copyright (c) 1999 Theo de Raadt. All rights reserved.
- * Copyright (c) 1999 Aaron Campbell. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Parts from:
- *
- * Copyright (c) 1983, 1990, 1992, 1993, 1995
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: scp-common.c,v 1.1 2001/04/16 02:31:43 mouring Exp $");
-
-char *
-cleanhostname(host)
- char *host;
-{
- if (*host == '[' && host[strlen(host) - 1] == ']') {
- host[strlen(host) - 1] = '\0';
- return (host + 1);
- } else
- return host;
-}
-
-char *
-colon(cp)
- char *cp;
-{
- int flag = 0;
-
- if (*cp == ':') /* Leading colon is part of file name. */
- return (0);
- if (*cp == '[')
- flag = 1;
-
- for (; *cp; ++cp) {
- if (*cp == '@' && *(cp+1) == '[')
- flag = 1;
- if (*cp == ']' && *(cp+1) == ':' && flag)
- return (cp+1);
- if (*cp == ':' && !flag)
- return (cp);
- if (*cp == '/')
- return (0);
- }
- return (0);
-}
diff --git a/crypto/openssh/scp-common.h b/crypto/openssh/scp-common.h
deleted file mode 100644
index e0ab6ec..0000000
--- a/crypto/openssh/scp-common.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/* $OpenBSD: scp-common.h,v 1.1 2001/04/16 02:31:43 mouring Exp $ */
-/*
- * Copyright (c) 1999 Theo de Raadt. All rights reserved.
- * Copyright (c) 1999 Aaron Campbell. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Parts from:
- *
- * Copyright (c) 1983, 1990, 1992, 1993, 1995
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- */
-
-char *cleanhostname(char *host);
-char *colon(char *cp);
diff --git a/crypto/openssh/scp.c b/crypto/openssh/scp.c
index 35d4c5f..9073dda 100644
--- a/crypto/openssh/scp.c
+++ b/crypto/openssh/scp.c
@@ -75,14 +75,14 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: scp.c,v 1.102 2003/03/05 22:33:43 markus Exp $");
+RCSID("$OpenBSD: scp.c,v 1.91 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$FreeBSD$");
#include "xmalloc.h"
#include "atomicio.h"
#include "pathnames.h"
#include "log.h"
#include "misc.h"
-#include "progressmeter.h"
#ifdef HAVE___PROGNAME
extern char *__progname;
@@ -90,13 +90,29 @@ extern char *__progname;
char *__progname;
#endif
-void bwlimit(int);
+/* For progressmeter() -- number of seconds before xfer considered "stalled" */
+#define STALLTIME 5
+/* alarm() interval for updating progress meter */
+#define PROGRESSTIME 1
+
+/* Visual statistics about files as they are transferred. */
+void progressmeter(int);
+
+/* Returns width of the terminal (for progress meter calculations). */
+int getttywidth(void);
+int do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc);
/* Struct for addargs */
arglist args;
-/* Bandwidth limit */
-off_t limitbw = 0;
+/* Time a transfer started. */
+static struct timeval start;
+
+/* Number of bytes of current file transferred so far. */
+volatile off_t statbytes;
+
+/* Total size of current file. */
+off_t totalbytes = 0;
/* Name of current file being transferred. */
char *curfile;
@@ -110,9 +126,6 @@ int showprogress = 1;
/* This is the program to execute for the secured connection. ("ssh" or -S) */
char *ssh_program = _PATH_SSH_PROGRAM;
-/* This is used to store the pid of ssh_program */
-pid_t do_cmd_pid;
-
/*
* This function executes the given command as the specified user on the
* given host. This returns < 0 if execution fails, and >= 0 otherwise. This
@@ -147,8 +160,7 @@ do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc)
close(reserved[1]);
/* For a child to execute the command on the remote host using ssh. */
- do_cmd_pid = fork();
- if (do_cmd_pid == 0) {
+ if (fork() == 0) {
/* Child. */
close(pin[1]);
close(pout[0]);
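Review bot: The result of `fork()` is no longer checked, so when it fails with -1 the parent falls straight into the "Parent" branch and returns pipe ends that have no child behind them, which surfaces later as an unexplained EOF rather than an error; the same gap is in the next hunk, where the `do_cmd_pid == -1` branch is dropped. Keeping the pid also makes it possible to reap the ssh child before scp exits. Suggest `pid_t pid = fork();` / `if (pid == -1) fatal("fork: %s", strerror(errno));` / `if (pid == 0) {`. do_cmd()'s body continues outside the hunk.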
@@ -166,8 +178,6 @@ do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc)
execvp(ssh_program, args.list);
perror(ssh_program);
exit(1);
- } else if (do_cmd_pid == -1) {
- fatal("fork: %s", strerror(errno));
}
/* Parent. Close the other side, and return the local side. */
close(pin[0]);
@@ -210,9 +220,8 @@ main(argc, argv)
int argc;
char *argv[];
{
- int ch, fflag, tflag, status;
- double speed;
- char *targ, *endp;
+ int ch, fflag, tflag;
+ char *targ;
extern char *optarg;
extern int optind;
@@ -225,11 +234,9 @@ main(argc, argv)
addargs(&args, "-oClearAllForwardings yes");
fflag = tflag = 0;
- while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q1246S:o:F:")) != -1)
+ while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:o:F:")) != -1)
switch (ch) {
/* User-visible flags. */
- case '1':
- case '2':
case '4':
case '6':
case 'C':
@@ -247,12 +254,6 @@ main(argc, argv)
case 'B':
addargs(&args, "-oBatchmode yes");
break;
- case 'l':
- speed = strtod(optarg, &endp);
- if (speed <= 0 || *endp != '\0')
- usage();
- limitbw = speed * 1024;
- break;
case 'p':
pflag = 1;
break;
@@ -317,7 +318,6 @@ main(argc, argv)
targetshouldbedirectory = 1;
remin = remout = -1;
- do_cmd_pid = -1;
/* Command to be executed on remote system using "ssh". */
(void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s",
verbose_mode ? " -v" : "",
@@ -333,22 +333,6 @@ main(argc, argv)
if (targetshouldbedirectory)
verifydir(argv[argc - 1]);
}
- /*
- * Finally check the exit status of the ssh process, if one was forked
- * and no error has occured yet
- */
- if (do_cmd_pid != -1 && errs == 0) {
- if (remin != -1)
- (void) close(remin);
- if (remout != -1)
- (void) close(remout);
- if (waitpid(do_cmd_pid, &status, 0) == -1)
- errs = 1;
- else {
- if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
- errs = 1;
- }
- }
exit(errs != 0);
}
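Review bot: With the waitpid() block removed, main() exits on `errs` alone and never collects the ssh child's status, so a transfer whose ssh side failed or was killed after the data phase can still exit 0, and the child is left for init to reap. If do_cmd() keeps the pid from fork(), closing remin/remout and folding a `waitpid(pid, &status, 0)` result into `errs` before `exit(errs != 0)` restores the check. main()'s body starts outside this hunk.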
@@ -364,12 +348,14 @@ toremote(targ, argc, argv)
if (*targ == 0)
targ = ".";
- if ((thost = strrchr(argv[argc - 1], '@'))) {
+ if ((thost = strchr(argv[argc - 1], '@'))) {
/* user@host */
*thost++ = 0;
tuser = argv[argc - 1];
if (*tuser == '\0')
tuser = NULL;
+ else if (!okname(tuser))
+ exit(1);
} else {
thost = argv[argc - 1];
tuser = NULL;
@@ -383,7 +369,7 @@ toremote(targ, argc, argv)
*src++ = 0;
if (*src == 0)
src = ".";
- host = strrchr(argv[i], '@');
+ host = strchr(argv[i], '@');
len = strlen(ssh_program) + strlen(argv[i]) +
strlen(src) + (tuser ? strlen(tuser) : 0) +
strlen(thost) + strlen(targ) +
@@ -395,14 +381,8 @@ toremote(targ, argc, argv)
suser = argv[i];
if (*suser == '\0')
suser = pwd->pw_name;
- else if (!okname(suser)) {
- xfree(bp);
+ else if (!okname(suser))
continue;
- }
- if (tuser && !okname(tuser)) {
- xfree(bp);
- continue;
- }
snprintf(bp, len,
"%s%s %s -n "
"-l %s %s %s %s '%s%s%s:%s'",
@@ -468,7 +448,7 @@ tolocal(argc, argv)
*src++ = 0;
if (*src == 0)
src = ".";
- if ((host = strrchr(argv[i], '@')) == NULL) {
+ if ((host = strchr(argv[i], '@')) == NULL) {
host = argv[i];
suser = NULL;
} else {
@@ -476,6 +456,8 @@ tolocal(argc, argv)
suser = argv[i];
if (*suser == '\0')
suser = pwd->pw_name;
+ else if (!okname(suser))
+ continue;
}
host = cleanhostname(host);
len = strlen(src) + CMDNEEDS + 20;
@@ -501,7 +483,7 @@ source(argc, argv)
struct stat stb;
static BUF buffer;
BUF *bp;
- off_t i, amt, result, statbytes;
+ off_t i, amt, result;
int fd, haderr, indx;
char *last, *name, buf[2048];
int len;
@@ -566,6 +548,7 @@ syserr: run_err("%s: %s", name, strerror(errno));
#endif
if (verbose_mode) {
fprintf(stderr, "Sending file modes: %s", buf);
+ fflush(stderr);
}
(void) atomicio(write, remout, buf, strlen(buf));
if (response() < 0)
@@ -574,8 +557,10 @@ syserr: run_err("%s: %s", name, strerror(errno));
next: (void) close(fd);
continue;
}
- if (showprogress)
- start_progress_meter(curfile, stb.st_size, &statbytes);
+ if (showprogress) {
+ totalbytes = stb.st_size;
+ progressmeter(-1);
+ }
/* Keep writing after an error so that we stay sync'd up. */
for (haderr = i = 0; i < stb.st_size; i += bp->cnt) {
amt = bp->cnt;
@@ -594,11 +579,9 @@ next: (void) close(fd);
haderr = result >= 0 ? EIO : errno;
statbytes += result;
}
- if (limitbw)
- bwlimit(amt);
}
if (showprogress)
- stop_progress_meter();
+ progressmeter(1);
if (close(fd) < 0 && !haderr)
haderr = errno;
@@ -666,60 +649,6 @@ rsource(name, statp)
}
void
-bwlimit(int amount)
-{
- static struct timeval bwstart, bwend;
- static int lamt, thresh = 16384;
- u_int64_t wait;
- struct timespec ts, rm;
-
- if (!timerisset(&bwstart)) {
- gettimeofday(&bwstart, NULL);
- return;
- }
-
- lamt += amount;
- if (lamt < thresh)
- return;
-
- gettimeofday(&bwend, NULL);
- timersub(&bwend, &bwstart, &bwend);
- if (!timerisset(&bwend))
- return;
-
- lamt *= 8;
- wait = (double)1000000L * lamt / limitbw;
-
- bwstart.tv_sec = wait / 1000000L;
- bwstart.tv_usec = wait % 1000000L;
-
- if (timercmp(&bwstart, &bwend, >)) {
- timersub(&bwstart, &bwend, &bwend);
-
- /* Adjust the wait time */
- if (bwend.tv_sec) {
- thresh /= 2;
- if (thresh < 2048)
- thresh = 2048;
- } else if (bwend.tv_usec < 100) {
- thresh *= 2;
- if (thresh > 32768)
- thresh = 32768;
- }
-
- TIMEVAL_TO_TIMESPEC(&bwend, &ts);
- while (nanosleep(&ts, &rm) == -1) {
- if (errno != EINTR)
- break;
- ts = rm;
- }
- }
-
- lamt = 0;
- gettimeofday(&bwstart, NULL);
-}
-
-void
sink(argc, argv)
int argc;
char *argv[];
@@ -732,7 +661,7 @@ sink(argc, argv)
BUF *bp;
off_t i, j;
int amt, count, exists, first, mask, mode, ofd, omode;
- off_t size, statbytes;
+ off_t size;
int setimes, targisdir, wrerrno = 0;
char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
struct timeval tv[2];
@@ -894,9 +823,11 @@ bad: run_err("%s: %s", np, strerror(errno));
cp = bp->buf;
wrerr = NO;
+ if (showprogress) {
+ totalbytes = size;
+ progressmeter(-1);
+ }
statbytes = 0;
- if (showprogress)
- start_progress_meter(curfile, size, &statbytes);
for (count = i = 0; i < size; i += 4096) {
amt = 4096;
if (i + amt > size)
@@ -916,10 +847,6 @@ bad: run_err("%s: %s", np, strerror(errno));
cp += j;
statbytes += j;
} while (amt > 0);
-
- if (limitbw)
- bwlimit(4096);
-
if (count == bp->cnt) {
/* Keep reading so we stay sync'd up. */
if (wrerr == NO) {
@@ -934,13 +861,13 @@ bad: run_err("%s: %s", np, strerror(errno));
}
}
if (showprogress)
- stop_progress_meter();
+ progressmeter(1);
if (count != 0 && wrerr == NO &&
(j = atomicio(write, ofd, bp->buf, count)) != count) {
wrerr = YES;
wrerrno = j >= 0 ? EIO : errno;
}
- if (wrerr == NO && ftruncate(ofd, size) != 0) {
+ if (ftruncate(ofd, size)) {
run_err("%s: truncate: %s", np, strerror(errno));
wrerr = DISPLAYED;
}
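Review bot: Dropping the `wrerr == NO` guard means ftruncate() now runs after a failed write and, if it also fails, overwrites `wrerr` with DISPLAYED so the original write error held in `wrerrno` is never reported. Truncating a file that is already known to be short also serves no purpose. Keep the guard: `if (wrerr == NO && ftruncate(ofd, size) != 0) {`. sink()'s body starts and ends outside the hunk.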
@@ -1029,8 +956,8 @@ void
usage(void)
{
(void) fprintf(stderr,
- "usage: scp [-pqrvBC1246] [-F config] [-S program] [-P port]\n"
- " [-c cipher] [-i identity] [-l limit] [-o option]\n"
+ "usage: scp [-pqrvBC46] [-F config] [-S program] [-P port]\n"
+ " [-c cipher] [-i identity] [-o option]\n"
" [[user@]host1:]file1 [...] [[user@]host2:]file2\n");
exit(1);
}
@@ -1087,18 +1014,9 @@ okname(cp0)
c = (int)*cp;
if (c & 0200)
goto bad;
- if (!isalpha(c) && !isdigit(c)) {
- switch (c) {
- case '\'':
- case '"':
- case '`':
- case ' ':
- case '#':
- goto bad;
- default:
- break;
- }
- }
+ if (!isalpha(c) && !isdigit(c) &&
+ c != '_' && c != '-' && c != '.' && c != '+')
+ goto bad;
} while (*++cp);
return (1);
@@ -1119,9 +1037,10 @@ allocbuf(bp, fd, blksize)
run_err("fstat: %s", strerror(errno));
return (0);
}
- size = roundup(stb.st_blksize, blksize);
- if (size == 0)
+ if (stb.st_blksize == 0)
size = blksize;
+ else
+ size = roundup(stb.st_blksize, blksize);
#else /* HAVE_STRUCT_STAT_ST_BLKSIZE */
size = blksize;
#endif /* HAVE_STRUCT_STAT_ST_BLKSIZE */
@@ -1147,3 +1066,149 @@ lostconn(signo)
else
exit(1);
}
+
+static void
+updateprogressmeter(int ignore)
+{
+ int save_errno = errno;
+
+ progressmeter(0);
+ signal(SIGALRM, updateprogressmeter);
+ alarm(PROGRESSTIME);
+ errno = save_errno;
+}
+
+static int
+foregroundproc(void)
+{
+ static pid_t pgrp = -1;
+ int ctty_pgrp;
+
+ if (pgrp == -1)
+ pgrp = getpgrp();
+
+#ifdef HAVE_TCGETPGRP
+ return ((ctty_pgrp = tcgetpgrp(STDOUT_FILENO)) != -1 &&
+ ctty_pgrp == pgrp);
+#else
+ return ((ioctl(STDOUT_FILENO, TIOCGPGRP, &ctty_pgrp) != -1 &&
+ ctty_pgrp == pgrp));
+#endif
+}
+
+void
+progressmeter(int flag)
+{
+ static const char prefixes[] = " KMGTP";
+ static struct timeval lastupdate;
+ static off_t lastsize;
+ struct timeval now, td, wait;
+ off_t cursize, abbrevsize;
+ double elapsed;
+ int ratio, barlength, i, remaining;
+ char buf[512];
+
+ if (flag == -1) {
+ (void) gettimeofday(&start, (struct timezone *) 0);
+ lastupdate = start;
+ lastsize = 0;
+ }
+ if (foregroundproc() == 0)
+ return;
+
+ (void) gettimeofday(&now, (struct timezone *) 0);
+ cursize = statbytes;
+ if (totalbytes != 0) {
+ ratio = 100.0 * cursize / totalbytes;
+ ratio = MAX(ratio, 0);
+ ratio = MIN(ratio, 100);
+ } else
+ ratio = 100;
+
+ snprintf(buf, sizeof(buf), "\r%-20.20s %3d%% ", curfile, ratio);
+
+ barlength = getttywidth() - 51;
+ if (barlength > 0) {
+ i = barlength * ratio / 100;
+ snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
+ "|%.*s%*s|", i,
+ "*******************************************************"
+ "*******************************************************"
+ "*******************************************************"
+ "*******************************************************"
+ "*******************************************************"
+ "*******************************************************"
+ "*******************************************************",
+ barlength - i, "");
+ }
+ i = 0;
+ abbrevsize = cursize;
+ while (abbrevsize >= 100000 && i < sizeof(prefixes)) {
+ i++;
+ abbrevsize >>= 10;
+ }
+ snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5lu %c%c ",
+ (unsigned long) abbrevsize, prefixes[i],
+ prefixes[i] == ' ' ? ' ' : 'B');
+
+ timersub(&now, &lastupdate, &wait);
+ if (cursize > lastsize) {
+ lastupdate = now;
+ lastsize = cursize;
+ if (wait.tv_sec >= STALLTIME) {
+ start.tv_sec += wait.tv_sec;
+ start.tv_usec += wait.tv_usec;
+ }
+ wait.tv_sec = 0;
+ }
+ timersub(&now, &start, &td);
+ elapsed = td.tv_sec + (td.tv_usec / 1000000.0);
+
+ if (flag != 1 &&
+ (statbytes <= 0 || elapsed <= 0.0 || cursize > totalbytes)) {
+ snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
+ " --:-- ETA");
+ } else if (wait.tv_sec >= STALLTIME) {
+ snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
+ " - stalled -");
+ } else {
+ if (flag != 1)
+ remaining = (int)(totalbytes / (statbytes / elapsed) -
+ elapsed);
+ else
+ remaining = elapsed;
+
+ i = remaining / 3600;
+ if (i)
+ snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
+ "%2d:", i);
+ else
+ snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
+ " ");
+ i = remaining % 3600;
+ snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
+ "%02d:%02d%s", i / 60, i % 60,
+ (flag != 1) ? " ETA" : " ");
+ }
+ atomicio(write, fileno(stdout), buf, strlen(buf));
+
+ if (flag == -1) {
+ mysignal(SIGALRM, updateprogressmeter);
+ alarm(PROGRESSTIME);
+ } else if (flag == 1) {
+ alarm(0);
+ atomicio(write, fileno(stdout), "\n", 1);
+ statbytes = 0;
+ }
+}
+
+int
+getttywidth(void)
+{
+ struct winsize winsize;
+
+ if (ioctl(fileno(stdout), TIOCGWINSZ, &winsize) != -1)
+ return (winsize.ws_col ? winsize.ws_col : 80);
+ else
+ return (80);
+}
diff --git a/crypto/openssh/scp/Makefile b/crypto/openssh/scp/Makefile
deleted file mode 100644
index c8959bb..0000000
--- a/crypto/openssh/scp/Makefile
+++ /dev/null
@@ -1,15 +0,0 @@
-# $OpenBSD: Makefile,v 1.13 2001/05/03 23:09:55 mouring Exp $
-
-.PATH: ${.CURDIR}/..
-
-PROG= scp
-BINOWN= root
-
-BINMODE?=555
-
-BINDIR= /usr/bin
-MAN= scp.1
-
-SRCS= scp.c misc.c
-
-.include <bsd.prog.mk>
diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
index 2510659..0aa1101 100644
--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@@ -10,14 +10,15 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.116 2003/02/21 09:05:53 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.115 2002/09/04 18:52:42 stevesk Exp $");
+RCSID("$FreeBSD$");
#if defined(KRB4)
#include <krb.h>
#endif
#if defined(KRB5)
#ifdef HEIMDAL
-#include <krb.h>
+#include <krb5.h>
#else
/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
* keytab */
@@ -145,8 +146,6 @@ fill_default_server_options(ServerOptions *options)
_PATH_HOST_KEY_FILE;
if (options->protocol & SSH_PROTO_2) {
options->host_key_files[options->num_host_key_files++] =
- _PATH_HOST_RSA_KEY_FILE;
- options->host_key_files[options->num_host_key_files++] =
_PATH_HOST_DSA_KEY_FILE;
}
}
@@ -163,7 +162,7 @@ fill_default_server_options(ServerOptions *options)
if (options->key_regeneration_time == -1)
options->key_regeneration_time = 3600;
if (options->permit_root_login == PERMIT_NOT_SET)
- options->permit_root_login = PERMIT_YES;
+ options->permit_root_login = PERMIT_NO;
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
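Review bot: The PermitRootLogin default becomes PERMIT_NO here and the X11Forwarding default becomes 1 in the next hunk, both silently diverging from the upstream defaults without a comment, so the next upstream merge of servconf.c will produce a bare conflict with no rationale attached. Add a one-line note at each site, e.g. `/* FreeBSD: upstream defaults to PERMIT_YES */`, and make sure the shipped sshd_config(5) documents both values. Enabling X11Forwarding by default is the one with a security cost, since it lets forwarded client displays be reached by users on the server, which upstream's "no" default is meant to avoid; the reasoning for accepting that should be recorded.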
@@ -173,7 +172,7 @@ fill_default_server_options(ServerOptions *options)
if (options->print_lastlog == -1)
options->print_lastlog = 1;
if (options->x11_forwarding == -1)
- options->x11_forwarding = 0;
+ options->x11_forwarding = 1;
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
if (options->x11_use_localhost == -1)
@@ -200,9 +199,21 @@ fill_default_server_options(ServerOptions *options)
options->rsa_authentication = 1;
if (options->pubkey_authentication == -1)
options->pubkey_authentication = 1;
-#if defined(KRB4) || defined(KRB5)
+#if defined(KRB4) && defined(KRB5)
+ if (options->kerberos_authentication == -1)
+ options->kerberos_authentication =
+ (access(KEYFILE, R_OK) == 0 ||
+ access(krb5_defkeyname, R_OK) == 0);
+#elif defined(KRB4)
+ if (options->kerberos_authentication == -1)
+ options->kerberos_authentication =
+ (access(KEYFILE, R_OK) == 0);
+#elif defined(KRB5)
if (options->kerberos_authentication == -1)
- options->kerberos_authentication = 0;
+ options->kerberos_authentication =
+ (access(krb5_defkeyname, R_OK) == 0);
+#endif
+#if defined(KRB4) || defined(KRB5)
if (options->kerberos_or_local_passwd == -1)
options->kerberos_or_local_passwd = 1;
if (options->kerberos_ticket_cleanup == -1)
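Review bot: KerberosAuthentication now defaults to on whenever a keytab is readable (`access(KEYFILE, R_OK)` / `access(krb5_defkeyname, R_OK)`), so an authentication method is enabled by file presence rather than by an explicit sshd_config setting, and `krb5_defkeyname` is a library-global whose value is not visible here. If that is intended, say so above the `#if`, e.g. `/* FreeBSD: enable Kerberos authentication automatically when a keytab is present */`, and document it in sshd_config(5); otherwise keep the explicit `= 0` default. The access() calls appear to be only a heuristic for the default and not a check the later keytab open relies on, which is worth stating so nobody later treats them as a security check.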
@@ -302,6 +313,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sUsePrivilegeSeparation,
+ sVersionAddendum,
sDeprecated
} ServerOpCodes;
@@ -311,7 +323,9 @@ static struct {
ServerOpCodes opcode;
} keywords[] = {
/* Portable-specific options */
+#if 0
{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
+#endif
/* Standard Options */
{ "port", sPort },
{ "hostkey", sHostKeyFile },
@@ -380,6 +394,7 @@ static struct {
{ "authorizedkeysfile", sAuthorizedKeysFile },
{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
{ "useprivilegeseparation", sUsePrivilegeSeparation},
+ { "versionaddendum", sVersionAddendum },
{ NULL, sBadOption }
};
@@ -909,6 +924,13 @@ parse_flag:
intptr = &options->client_alive_count_max;
goto parse_int;
+ case sVersionAddendum:
+ ssh_version_set_addendum(strtok(cp, "\n"));
+ do {
+ arg = strdelim(&cp);
+ } while (arg != NULL && *arg != '\0');
+ break;
+
case sDeprecated:
log("%s line %d: Deprecated option %s",
filename, linenum, arg);
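Review bot: `ssh_version_set_addendum(strtok(cp, "\n"))` is reached with `cp == NULL` if strdelim() leaves the pointer NULL when the keyword has no argument (its definition is outside this hunk, but the loop below already tolerates a NULL `arg`), and `strtok(NULL, ...)` then continues from strtok's static state instead of failing cleanly. strtok is also not needed just to cut at the newline. Suggest a missing-argument check that reports `filename`/`linenum` like the neighbouring cases, then `cp[strcspn(cp, "\n")] = '\0'; ssh_version_set_addendum(cp);`, plus a comment that the addendum is appended to the identification banner sent before authentication, so it must remain a single line of printable characters.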
@@ -935,7 +957,6 @@ read_server_config(ServerOptions *options, const char *filename)
char line[1024];
FILE *f;
- debug2("read_server_config: filename %s", filename);
f = fopen(filename, "r");
if (!f) {
perror(filename);
diff --git a/crypto/openssh/servconf.h b/crypto/openssh/servconf.h
index 024987d..ea74f6e 100644
--- a/crypto/openssh/servconf.h
+++ b/crypto/openssh/servconf.h
@@ -1,4 +1,5 @@
/* $OpenBSD: servconf.h,v 1.59 2002/07/30 17:03:55 markus Exp $ */
+/* $FreeBSD$ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
diff --git a/crypto/openssh/serverloop.c b/crypto/openssh/serverloop.c
index f4df9cc..f7fa228 100644
--- a/crypto/openssh/serverloop.c
+++ b/crypto/openssh/serverloop.c
@@ -35,7 +35,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.106 2003/04/01 10:22:21 markus Exp $");
+RCSID("$OpenBSD: serverloop.c,v 1.104 2002/09/19 16:03:15 stevesk Exp $");
+RCSID("$FreeBSD$");
#include "xmalloc.h"
#include "packet.h"
diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c
index c75fea9..ee567f0 100644
--- a/crypto/openssh/session.c
+++ b/crypto/openssh/session.c
@@ -33,7 +33,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.154 2003/03/05 22:33:43 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.150 2002/09/16 19:55:33 stevesk Exp $");
+RCSID("$FreeBSD$");
#include "ssh.h"
#include "ssh1.h"
@@ -201,8 +202,6 @@ auth_input_request_forwarding(struct passwd * pw)
void
do_authenticated(Authctxt *authctxt)
{
- setproctitle("%s", authctxt->pw->pw_name);
-
/*
* Cancel the alarm we set to limit the time taken for
* authentication.
@@ -795,6 +794,24 @@ do_motd(void)
{
FILE *f;
char buf[256];
+#ifdef HAVE_LOGIN_CAP
+ const char *fname;
+#endif
+
+#ifdef HAVE_LOGIN_CAP
+ fname = login_getcapstr(lc, "copyright", NULL, NULL);
+ if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
+ while (fgets(buf, sizeof(buf), f) != NULL)
+ fputs(buf, stdout);
+ fclose(f);
+ } else
+#endif /* HAVE_LOGIN_CAP */
+ (void)printf("%s\n\t%s %s\n",
+ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
+ "The Regents of the University of California. ",
+ "All rights reserved.");
+
+ (void)printf("\n");
if (options.print_motd) {
#ifdef HAVE_LOGIN_CAP
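Review bot: The `} else` on the HAVE_LOGIN_CAP side is completed by a statement that sits after the `#endif`, so the control flow of this block depends on the preprocessor: with HAVE_LOGIN_CAP the printf is the else-branch, without it the printf is unconditional. That is the intended result, but it is easy to break on the next edit; an explicit `#else` branch that prints the fallback, or a flag set when the copyright file was printed and tested after the `#endif`, keeps each configuration readable on its own. do_motd()'s body continues outside the hunk.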
@@ -951,7 +968,11 @@ do_setup_env(Session *s, const char *shell)
{
char buf[256];
u_int i, envsize;
- char **env, *laddr;
+ char **env;
+#ifdef HAVE_LOGIN_CAP
+ extern char **environ;
+ char **senv, **var;
+#endif
struct passwd *pw = s->pw;
/* Initialize the environment. */
@@ -967,19 +988,29 @@ do_setup_env(Session *s, const char *shell)
copy_environment(environ, &env, &envsize);
#endif
+ if (getenv("TZ"))
+ child_set_env(&env, &envsize, "TZ", getenv("TZ"));
if (!options.use_login) {
/* Set basic environment. */
child_set_env(&env, &envsize, "USER", pw->pw_name);
child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
-#ifdef _AIX
- child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
-#endif
child_set_env(&env, &envsize, "HOME", pw->pw_dir);
+ snprintf(buf, sizeof buf, "%.200s/%.50s",
+ _PATH_MAILDIR, pw->pw_name);
+ child_set_env(&env, &envsize, "MAIL", buf);
#ifdef HAVE_LOGIN_CAP
- if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
- child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
- else
- child_set_env(&env, &envsize, "PATH", getenv("PATH"));
+ child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
+ child_set_env(&env, &envsize, "TERM", "su");
+ senv = environ;
+ environ = xmalloc(sizeof(char *));
+ *environ = NULL;
+ (void) setusercontext(lc, pw, pw->pw_uid,
+ LOGIN_SETENV|LOGIN_SETPATH);
+ copy_environment(environ, &env, &envsize);
+ for (var = environ; *var != NULL; ++var)
+ xfree(*var);
+ xfree(environ);
+ environ = senv;
#else /* HAVE_LOGIN_CAP */
# ifndef HAVE_CYGWIN
/*
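Review bot: The block swaps in an empty `environ`, lets setusercontext(LOGIN_SETENV|LOGIN_SETPATH) populate it, copies the result into `env` and then frees every entry and the array; that assumes libc's setenv() allocates each entry with a plain malloc and keeps no other reference to it, which is a property of the platform libc rather than a documented contract. At minimum state the assumption, e.g. `/* environ is temporarily replaced so that setusercontext(3)'s setenv() calls land in a private array; entries are freed on the assumption that libc malloc'd each one */`. The hard-coded `child_set_env(&env, &envsize, "TERM", "su")` also deserves a comment: unless a later assignment outside the hunk overrides it for tty sessions, non-tty sessions will see TERM=su, and the reason for that value is not evident here.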
@@ -997,15 +1028,9 @@ do_setup_env(Session *s, const char *shell)
# endif /* HAVE_CYGWIN */
#endif /* HAVE_LOGIN_CAP */
- snprintf(buf, sizeof buf, "%.200s/%.50s",
- _PATH_MAILDIR, pw->pw_name);
- child_set_env(&env, &envsize, "MAIL", buf);
-
/* Normal systems set SHELL by default. */
child_set_env(&env, &envsize, "SHELL", shell);
}
- if (getenv("TZ"))
- child_set_env(&env, &envsize, "TZ", getenv("TZ"));
/* Set custom environment options from RSA authentication. */
if (!options.use_login) {
@@ -1030,10 +1055,9 @@ do_setup_env(Session *s, const char *shell)
get_remote_ipaddr(), get_remote_port(), get_local_port());
child_set_env(&env, &envsize, "SSH_CLIENT", buf);
- laddr = get_local_ipaddr(packet_get_connection_in());
snprintf(buf, sizeof buf, "%.50s %d %.50s %d",
- get_remote_ipaddr(), get_remote_port(), laddr, get_local_port());
- xfree(laddr);
+ get_remote_ipaddr(), get_remote_port(),
+ get_local_ipaddr(packet_get_connection_in()), get_local_port());
child_set_env(&env, &envsize, "SSH_CONNECTION", buf);
if (s->ttyfd != -1)
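Review bot: The string returned by `get_local_ipaddr(packet_get_connection_in())` is now passed straight into snprintf() and never released; the removed `xfree(laddr)` shows it is heap-allocated. This runs once per session in the child before exec, so the leak is small, but keeping the temporary is cheap: `laddr = get_local_ipaddr(packet_get_connection_in());` before the snprintf and `xfree(laddr);` after it. If get_local_ipaddr() on this branch returns static storage instead, a comment here should say so.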
@@ -1152,10 +1176,8 @@ do_rc_files(Session *s, const char *shell)
/* Add authority data to .Xauthority if appropriate. */
if (debug_flag) {
fprintf(stderr,
- "Running %.500s remove %.100s\n",
- options.xauth_location, s->auth_display);
- fprintf(stderr,
- "%.500s add %.100s %.100s %.100s\n",
+ "Running %.500s add "
+ "%.100s %.100s %.100s\n",
options.xauth_location, s->auth_display,
s->auth_proto, s->auth_data);
}
@@ -1163,8 +1185,6 @@ do_rc_files(Session *s, const char *shell)
options.xauth_location);
f = popen(cmd, "w");
if (f) {
- fprintf(f, "remove %s\n",
- s->auth_display);
fprintf(f, "add %s %s %s\n",
s->auth_display, s->auth_proto,
s->auth_data);
@@ -1197,7 +1217,6 @@ do_nologin(struct passwd *pw)
while (fgets(buf, sizeof(buf), f))
fputs(buf, stderr);
fclose(f);
- fflush(NULL);
exit(254);
}
}
@@ -1206,11 +1225,11 @@ do_nologin(struct passwd *pw)
void
do_setusercontext(struct passwd *pw)
{
-#ifndef HAVE_CYGWIN
- if (getuid() == 0 || geteuid() == 0)
+#ifdef HAVE_CYGWIN
+ if (is_winnt) {
+#else /* HAVE_CYGWIN */
+ if (getuid() == 0 || geteuid() == 0) {
#endif /* HAVE_CYGWIN */
- {
-
#ifdef HAVE_SETPCRED
setpcred(pw->pw_name);
#endif /* HAVE_SETPCRED */
@@ -1219,7 +1238,7 @@ do_setusercontext(struct passwd *pw)
setpgid(0, 0);
# endif
if (setusercontext(lc, pw, pw->pw_uid,
- (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) {
+ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH))) < 0) {
perror("unable to set user context");
exit(1);
}
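Review bot: `LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH)` is only correct because do_setup_env() applies those two flags separately into the session's `env` array, and nothing at this site says so. A comment such as `/* LOGIN_SETENV and LOGIN_SETPATH are applied in do_setup_env() so their variables reach the session env[] rather than sshd's own environ */` ties the two sites together for the next reader. do_setusercontext()'s body starts outside this hunk.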
@@ -1260,10 +1279,6 @@ do_setusercontext(struct passwd *pw)
permanently_set_uid(pw);
#endif
}
-
-#ifdef HAVE_CYGWIN
- if (is_winnt)
-#endif
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
}
@@ -1303,6 +1318,9 @@ do_child(Session *s, const char *command)
const char *shell, *shell0, *hostname = NULL;
struct passwd *pw = s->pw;
u_int i;
+#ifdef HAVE_LOGIN_CAP
+ int lc_requirehome;
+#endif
/* remove hostkey from the child's memory */
destroy_sensitive_data();
@@ -1321,7 +1339,7 @@ do_child(Session *s, const char *command)
*/
if (!options.use_login) {
#ifdef HAVE_OSF_SIA
- session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty);
+ session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty);
if (!check_quietlogin(s, command))
do_motd();
#else /* HAVE_OSF_SIA */
@@ -1335,17 +1353,12 @@ do_child(Session *s, const char *command)
* legal, and means /bin/sh.
*/
shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
-
- /*
- * Make sure $SHELL points to the shell from the password file,
- * even if shell is overridden from login.conf
- */
- env = do_setup_env(s, shell);
-
#ifdef HAVE_LOGIN_CAP
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
#endif
+ env = do_setup_env(s, shell);
+
/* we have to stash the hostname before we close our socket. */
if (options.use_login)
hostname = get_remote_name_or_ip(utmp_len,
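Review bot: Moving `env = do_setup_env(s, shell)` after the `login_getcapstr(lc, "shell", ...)` override reverses the intent stated in the deleted comment: SHELL in the session environment is now the login.conf shell rather than `pw->pw_shell`. If that is deliberate, replace the deleted comment with one saying so, e.g. `/* $SHELL follows the login.conf shell override, not the password file */`; otherwise restore the previous order. do_child()'s body continues outside the hunk.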
@@ -1370,6 +1383,10 @@ do_child(Session *s, const char *command)
/* XXX better use close-on-exec? -markus */
channel_close_all();
+#ifdef HAVE_LOGIN_CAP
+ lc_requirehome = login_getcapbool(lc, "requirehome", 0);
+ login_close(lc);
+#endif
/*
* Close any extra file descriptors. Note that there may still be
* descriptors left by system functions. They will be closed later.
@@ -1408,7 +1425,7 @@ do_child(Session *s, const char *command)
fprintf(stderr, "Could not chdir to home directory %s: %s\n",
pw->pw_dir, strerror(errno));
#ifdef HAVE_LOGIN_CAP
- if (login_getcapbool(lc, "requirehome", 0))
+ if (lc_requirehome)
exit(1);
#endif
}
@@ -2009,22 +2026,13 @@ session_tty_list(void)
{
static char buf[1024];
int i;
- char *cp;
-
buf[0] = '\0';
for (i = 0; i < MAX_SESSIONS; i++) {
Session *s = &sessions[i];
if (s->used && s->ttyfd != -1) {
-
- if (strncmp(s->tty, "/dev/", 5) != 0) {
- cp = strrchr(s->tty, '/');
- cp = (cp == NULL) ? s->tty : cp + 1;
- } else
- cp = s->tty + 5;
-
if (buf[0] != '\0')
strlcat(buf, ",", sizeof buf);
- strlcat(buf, cp, sizeof buf);
+ strlcat(buf, strrchr(s->tty, '/') + 1, sizeof buf);
}
}
if (buf[0] == '\0')
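Review bot: `strrchr(s->tty, '/') + 1` computes NULL+1 and dereferences it if a tty name without a slash ever reaches this loop, and for names with more than one component after `/dev/` it now yields only the last component where the removed code yielded everything after `/dev/`, which changes what this list reports. Keep a guarded form: `cp = strrchr(s->tty, '/');` / `strlcat(buf, cp != NULL ? cp + 1 : s->tty, sizeof buf);`, or retain the `/dev/` stripping if consumers expect the full relative name. session_tty_list() continues outside the hunk.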
diff --git a/crypto/openssh/session.h b/crypto/openssh/session.h
index d3ddfab..249e21c 100644
--- a/crypto/openssh/session.h
+++ b/crypto/openssh/session.h
@@ -1,4 +1,5 @@
/* $OpenBSD: session.h,v 1.19 2002/06/30 21:59:45 deraadt Exp $ */
+/* $FreeBSD$ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
diff --git a/crypto/openssh/sftp-server/Makefile b/crypto/openssh/sftp-server/Makefile
deleted file mode 100644
index e068239..0000000
--- a/crypto/openssh/sftp-server/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-# $OpenBSD: Makefile,v 1.5 2001/03/03 23:59:36 markus Exp $
-
-.PATH: ${.CURDIR}/..
-
-PROG= sftp-server
-BINOWN= root
-
-BINMODE?=555
-
-BINDIR= /usr/libexec
-MAN= sftp-server.8
-
-SRCS= sftp-server.c sftp-common.c
-
-.include <bsd.prog.mk>
-
-LDADD+= -lcrypto
-DPADD+= ${LIBCRYPTO}
diff --git a/crypto/openssh/sftp/Makefile b/crypto/openssh/sftp/Makefile
deleted file mode 100644
index 3f5d866..0000000
--- a/crypto/openssh/sftp/Makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-# $OpenBSD: Makefile,v 1.5 2001/05/03 23:09:57 mouring Exp $
-
-.PATH: ${.CURDIR}/..
-
-PROG= sftp
-BINOWN= root
-
-BINMODE?=555
-
-BINDIR= /usr/bin
-MAN= sftp.1
-
-SRCS= sftp.c sftp-client.c sftp-int.c sftp-common.c sftp-glob.c misc.c
-
-.include <bsd.prog.mk>
-
-LDADD+= -lcrypto
-DPADD+= ${LIBCRYPTO}
-
diff --git a/crypto/openssh/ssh-add.c b/crypto/openssh/ssh-add.c
index 9adec30..dd1591f 100644
--- a/crypto/openssh/ssh-add.c
+++ b/crypto/openssh/ssh-add.c
@@ -35,7 +35,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.66 2003/03/05 22:33:43 markus Exp $");
+RCSID("$OpenBSD: ssh-add.c,v 1.63 2002/09/19 15:51:23 markus Exp $");
+RCSID("$FreeBSD$");
#include <openssl/evp.h>
@@ -70,9 +71,6 @@ static char *default_files[] = {
/* Default lifetime (0 == forever) */
static int lifetime = 0;
-/* User has to confirm key use */
-static int confirm = 0;
-
/* we keep a cache of one passphrases */
static char *pass = NULL;
static void
@@ -168,16 +166,12 @@ add_file(AuthenticationConnection *ac, const char *filename)
}
}
- if (ssh_add_identity_constrained(ac, private, comment, lifetime,
- confirm)) {
+ if (ssh_add_identity_constrained(ac, private, comment, lifetime)) {
fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
ret = 0;
if (lifetime != 0)
- fprintf(stderr,
+ fprintf(stderr,
"Lifetime set to %d seconds\n", lifetime);
- if (confirm != 0)
- fprintf(stderr,
- "The user has to confirm each use of the key\n");
} else if (ssh_add_identity(ac, private, comment)) {
fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
ret = 0;
@@ -195,7 +189,6 @@ static int
update_card(AuthenticationConnection *ac, int add, const char *id)
{
char *pin;
- int ret = -1;
pin = read_passphrase("Enter passphrase for smartcard: ", RP_ALLOW_STDIN);
if (pin == NULL)
@@ -204,14 +197,12 @@ update_card(AuthenticationConnection *ac, int add, const char *id)
if (ssh_update_card(ac, add, id, pin)) {
fprintf(stderr, "Card %s: %s\n",
add ? "added" : "removed", id);
- ret = 0;
+ return 0;
} else {
fprintf(stderr, "Could not %s card: %s\n",
add ? "add" : "remove", id);
- ret = -1;
+ return -1;
}
- xfree(pin);
- return ret;
}
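Review bot: Both branches of the new `if (ssh_update_card(ac, add, id, pin))` return before `pin` is released, so the buffer holding the smartcard passphrase leaks on every call now that `xfree(pin);` has been dropped from the tail of update_card. Keep one exit path: compute `ret = ssh_update_card(ac, add, id, pin) ? 0 : -1;` before the two fprintf branches and finish with `xfree(pin); return ret;` as the old side did. Because the buffer holds a PIN, clearing it before freeing is worth considering too, noting that a plain memset before free may be optimized away.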
static int
@@ -302,7 +293,6 @@ usage(void)
fprintf(stderr, " -x Lock agent.\n");
fprintf(stderr, " -X Unlock agent.\n");
fprintf(stderr, " -t life Set lifetime (in seconds) when adding identities.\n");
- fprintf(stderr, " -c Require confirmation to sign using identities\n");
#ifdef SMARTCARD
fprintf(stderr, " -s reader Add key in smartcard reader.\n");
fprintf(stderr, " -e reader Remove key in smartcard reader.\n");
@@ -330,7 +320,7 @@ main(int argc, char **argv)
fprintf(stderr, "Could not open a connection to your authentication agent.\n");
exit(2);
}
- while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {
+ while ((ch = getopt(argc, argv, "lLdDxXe:s:t:")) != -1) {
switch (ch) {
case 'l':
case 'L':
@@ -344,9 +334,6 @@ main(int argc, char **argv)
ret = 1;
goto done;
break;
- case 'c':
- confirm = 1;
- break;
case 'd':
deleting = 1;
break;
diff --git a/crypto/openssh/ssh-add/Makefile b/crypto/openssh/ssh-add/Makefile
deleted file mode 100644
index 2f7bf42..0000000
--- a/crypto/openssh/ssh-add/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-# $OpenBSD: Makefile,v 1.20 2001/03/04 00:51:25 markus Exp $
-
-.PATH: ${.CURDIR}/..
-
-PROG= ssh-add
-BINOWN= root
-
-BINMODE?=555
-
-BINDIR= /usr/bin
-MAN= ssh-add.1
-
-SRCS= ssh-add.c
-
-.include <bsd.prog.mk>
-
-LDADD+= -lcrypto
-DPADD+= ${LIBCRYPTO}
diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c
index eb593de..ee8222e 100644
--- a/crypto/openssh/ssh-agent.c
+++ b/crypto/openssh/ssh-agent.c
@@ -35,7 +35,8 @@
#include "includes.h"
#include "openbsd-compat/sys-queue.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.108 2003/03/13 11:44:50 markus Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.105 2002/10/01 20:34:12 markus Exp $");
+RCSID("$FreeBSD$");
#include <openssl/evp.h>
#include <openssl/md5.h>
@@ -50,8 +51,6 @@ RCSID("$OpenBSD: ssh-agent.c,v 1.108 2003/03/13 11:44:50 markus Exp $");
#include "authfd.h"
#include "compat.h"
#include "log.h"
-#include "readpass.h"
-#include "misc.h"
#ifdef SMARTCARD
#include "scard.h"
@@ -79,7 +78,6 @@ typedef struct identity {
Key *key;
char *comment;
u_int death;
- u_int confirm;
} Identity;
typedef struct {
@@ -109,9 +107,6 @@ extern char *__progname;
char *__progname;
#endif
-/* Default lifetime (0 == forever) */
-static int lifetime = 0;
-
static void
close_socket(SocketEntry *e)
{
@@ -165,30 +160,6 @@ lookup_identity(Key *key, int version)
return (NULL);
}
-/* Check confirmation of keysign request */
-static int
-confirm_key(Identity *id)
-{
- char *p, prompt[1024];
- int ret = -1;
-
- p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
- snprintf(prompt, sizeof(prompt), "Allow use of key %s?\n"
- "Key fingerprint %s.", id->comment, p);
- xfree(p);
- p = read_passphrase(prompt, RP_ALLOW_EOF);
- if (p != NULL) {
- /*
- * Accept empty responses and responses consisting
- * of the word "yes" as affirmative.
- */
- if (*p == '\0' || *p == '\n' || strcasecmp(p, "yes") == 0)
- ret = 0;
- xfree(p);
- }
- return (ret);
-}
-
/* send list of supported public keys to 'client' */
static void
process_request_identities(SocketEntry *e, int version)
@@ -252,7 +223,7 @@ process_authentication_challenge1(SocketEntry *e)
goto failure;
id = lookup_identity(key, 1);
- if (id != NULL && (!id->confirm || confirm_key(id) == 0)) {
+ if (id != NULL) {
Key *private = id->key;
/* Decrypt the challenge using the private key. */
if (rsa_private_decrypt(challenge, challenge, private->rsa) <= 0)
@@ -312,7 +283,7 @@ process_sign_request2(SocketEntry *e)
key = key_from_blob(blob, blen);
if (key != NULL) {
Identity *id = lookup_identity(key, 2);
- if (id != NULL && (!id->confirm || confirm_key(id) == 0))
+ if (id != NULL)
ok = key_sign(id->key, &signature, &slen, data, dlen);
}
key_free(key);
@@ -432,7 +403,7 @@ static void
process_add_identity(SocketEntry *e, int version)
{
Idtab *tab = idtab_lookup(version);
- int type, success = 0, death = 0, confirm = 0;
+ int type, success = 0, death = 0;
char *type_name, *comment;
Key *k = NULL;
@@ -483,17 +454,6 @@ process_add_identity(SocketEntry *e, int version)
}
break;
}
- /* enable blinding */
- switch (k->type) {
- case KEY_RSA:
- case KEY_RSA1:
- if (RSA_blinding_on(k->rsa, NULL) != 1) {
- error("process_add_identity: RSA_blinding_on failed");
- key_free(k);
- goto send;
- }
- break;
- }
comment = buffer_get_string(&e->request, NULL);
if (k == NULL) {
xfree(comment);
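Review bot: With the `RSA_blinding_on` block removed, RSA keys added through process_add_identity are later used by `rsa_private_decrypt` and `key_sign` without blinding unless the linked OpenSSL enables it by default, which leaves the agent's private-key operations exposed to timing side-channel analysis from whoever can drive the agent socket (including forwarded-agent peers). The removed call was cheap and failed closed, so keeping it is the safer choice; if the dependency on OpenSSL's default is intentional, record it in a comment next to `comment = buffer_get_string(&e->request, NULL);`, e.g. `/* RSA blinding is left to OpenSSL's defaults; nothing enables it here */`. process_add_identity starts and ends outside this hunk.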
@@ -505,21 +465,15 @@ process_add_identity(SocketEntry *e, int version)
case SSH_AGENT_CONSTRAIN_LIFETIME:
death = time(NULL) + buffer_get_int(&e->request);
break;
- case SSH_AGENT_CONSTRAIN_CONFIRM:
- confirm = 1;
- break;
default:
break;
}
}
- if (lifetime && !death)
- death = time(NULL) + lifetime;
if (lookup_identity(k, version) == NULL) {
Identity *id = xmalloc(sizeof(Identity));
id->key = k;
id->comment = comment;
id->death = death;
- id->confirm = confirm;
TAILQ_INSERT_TAIL(&tab->idlist, id, next);
/* Increment the number of identities. */
tab->nentries++;
@@ -604,7 +558,6 @@ process_add_smartcard_key (SocketEntry *e)
id->key = k;
id->comment = xstrdup("smartcard key");
id->death = 0;
- id->confirm = 0;
TAILQ_INSERT_TAIL(&tab->idlist, id, next);
tab->nentries++;
success = 1;
@@ -978,15 +931,13 @@ usage(void)
fprintf(stderr, " -k Kill the current agent.\n");
fprintf(stderr, " -d Debug mode.\n");
fprintf(stderr, " -a socket Bind agent socket to given name.\n");
- fprintf(stderr, " -t life Default identity lifetime (seconds).\n");
exit(1);
}
int
main(int ac, char **av)
{
- int c_flag = 0, d_flag = 0, k_flag = 0, s_flag = 0;
- int sock, fd, ch, nalloc;
+ int sock, c_flag = 0, d_flag = 0, k_flag = 0, s_flag = 0, ch, nalloc;
char *shell, *format, *pidstr, *agentsocket = NULL;
fd_set *readsetp = NULL, *writesetp = NULL;
struct sockaddr_un sunaddr;
@@ -1004,6 +955,7 @@ main(int ac, char **av)
/* drop */
setegid(getgid());
setgid(getgid());
+ setuid(geteuid());
SSLeay_add_all_algorithms();
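Review bot: The added `setuid(geteuid());` and the two setgid calls above it are unchecked, so if the kernel refuses one of them the agent continues with the privilege it meant to shed. Check each result and abort on failure, e.g. `if (setgid(getgid()) == -1 || setuid(geteuid()) == -1) fatal("privilege drop failed: %s", strerror(errno));`. The comment `/* drop */` does not say what is being dropped; if this targets a setgid/setuid install, `/* drop any setgid/setuid privilege the binary was installed with */` would make the intent clear. main continues outside the hunk.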
@@ -1011,7 +963,7 @@ main(int ac, char **av)
init_rng();
seed_rng();
- while ((ch = getopt(ac, av, "cdksa:t:")) != -1) {
+ while ((ch = getopt(ac, av, "cdksa:")) != -1) {
switch (ch) {
case 'c':
if (s_flag)
@@ -1034,12 +986,6 @@ main(int ac, char **av)
case 'a':
agentsocket = optarg;
break;
- case 't':
- if ((lifetime = convtime(optarg)) == -1) {
- fprintf(stderr, "Invalid lifetime\n");
- usage();
- }
- break;
default:
usage();
}
@@ -1172,14 +1118,9 @@ main(int ac, char **av)
}
(void)chdir("/");
- if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
- /* XXX might close listen socket */
- (void)dup2(fd, STDIN_FILENO);
- (void)dup2(fd, STDOUT_FILENO);
- (void)dup2(fd, STDERR_FILENO);
- if (fd > 2)
- close(fd);
- }
+ close(0);
+ close(1);
+ close(2);
#ifdef HAVE_SETRLIMIT
/* deny core dumps, since memory contains unencrypted private keys */
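Review bot: `close(0); close(1); close(2);` leaves descriptors 0-2 free, so the daemonized agent's next `accept()` or `open()` is handed one of them and any later write to stdout or stderr (error/log output, library diagnostics) lands on a client connection instead of being discarded; if the listening socket happens to occupy one of those numbers, which can happen when the agent is started with stdio already closed, it is closed outright. Reopening the three descriptors on `_PATH_DEVNULL` with dup2, as the removed lines did, is the usual fix, and since the earlier hunk also drops the `fd` local from main's declarations it needs re-adding: `int fd = open(_PATH_DEVNULL, O_RDWR, 0);` / `if (fd != -1) { (void)dup2(fd, 0); (void)dup2(fd, 1); (void)dup2(fd, 2); if (fd > 2) close(fd); }`. main continues outside the hunk.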
diff --git a/crypto/openssh/ssh-agent/Makefile b/crypto/openssh/ssh-agent/Makefile
deleted file mode 100644
index c252dbd..0000000
--- a/crypto/openssh/ssh-agent/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-# $OpenBSD: Makefile,v 1.21 2001/06/27 19:29:16 markus Exp $
-
-.PATH: ${.CURDIR}/..
-
-PROG= ssh-agent
-BINOWN= root
-
-BINMODE?=555
-
-BINDIR= /usr/bin
-MAN= ssh-agent.1
-
-SRCS= ssh-agent.c
-
-.include <bsd.prog.mk>
-
-LDADD+= -lcrypto
-DPADD+= ${LIBCRYPTO}
diff --git a/crypto/openssh/ssh-keygen/Makefile b/crypto/openssh/ssh-keygen/Makefile
deleted file mode 100644
index d175813..0000000
--- a/crypto/openssh/ssh-keygen/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-# $OpenBSD: Makefile,v 1.21 2001/06/27 19:29:16 markus Exp $
-
-.PATH: ${.CURDIR}/..
-
-PROG= ssh-keygen
-BINOWN= root
-
-BINMODE?=555
-
-BINDIR= /usr/bin
-MAN= ssh-keygen.1
-
-SRCS= ssh-keygen.c
-
-.include <bsd.prog.mk>
-
-LDADD+= -lcrypto
-DPADD+= ${LIBCRYPTO}
diff --git a/crypto/openssh/ssh-keyscan.c b/crypto/openssh/ssh-keyscan.c
index 5b4eb82..fb5ca7f 100644
--- a/crypto/openssh/ssh-keyscan.c
+++ b/crypto/openssh/ssh-keyscan.c
@@ -7,7 +7,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-keyscan.c,v 1.41 2003/02/16 17:09:57 markus Exp $");
+RCSID("$OpenBSD: ssh-keyscan.c,v 1.40 2002/07/06 17:47:58 stevesk Exp $");
+RCSID("$FreeBSD$");
#include "openbsd-compat/sys-queue.h"
@@ -354,8 +355,6 @@ keygrab_ssh2(con *c)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = c->c_keytype == KT_DSA?
"ssh-dss": "ssh-rsa";
c->c_kex = kex_setup(myproposal);
- c->c_kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
- c->c_kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
c->c_kex->verify_host_key = hostjump;
if (!(j = setjmp(kexjmp))) {
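Review bot: After this hunk `kex_setup(myproposal)` is expected to install the client-side DH handlers itself, since the explicit `c->c_kex->kex[KEX_DH_GRP1_SHA1]` and `[KEX_DH_GEX_SHA1]` assignments are gone; sshconnect2.c's ssh_kex2 hunk makes the same removal. That only holds if this tree's kex.c dispatches to the client variants internally, which is not visible here, so it is worth confirming, because an unfilled table means key exchange fails or calls a null function pointer rather than negotiating. A comment such as `/* DH handlers are selected inside kex_setup() in this tree's kex.c */` would tell later readers why nothing is assigned. keygrab_ssh2 starts and ends outside the hunk.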
diff --git a/crypto/openssh/ssh-keyscan/Makefile b/crypto/openssh/ssh-keyscan/Makefile
deleted file mode 100644
index 2ea5c23..0000000
--- a/crypto/openssh/ssh-keyscan/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-# $OpenBSD: Makefile,v 1.4 2001/08/05 23:18:20 markus Exp $
-
-.PATH: ${.CURDIR}/..
-
-PROG= ssh-keyscan
-BINOWN= root
-
-BINMODE?=555
-
-BINDIR= /usr/bin
-MAN= ssh-keyscan.1
-
-SRCS= ssh-keyscan.c
-
-.include <bsd.prog.mk>
-
-LDADD+= -lcrypto -lz
-DPADD+= ${LIBCRYPTO} ${LIBZ}
diff --git a/crypto/openssh/ssh-keysign/Makefile b/crypto/openssh/ssh-keysign/Makefile
deleted file mode 100644
index 1a13d9e..0000000
--- a/crypto/openssh/ssh-keysign/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-# $OpenBSD: Makefile,v 1.3 2002/05/31 10:30:33 markus Exp $
-
-.PATH: ${.CURDIR}/..
-
-PROG= ssh-keysign
-BINOWN= root
-
-BINMODE?=4555
-
-BINDIR= /usr/libexec
-MAN= ssh-keysign.8
-
-SRCS= ssh-keysign.c
-
-.include <bsd.prog.mk>
-
-LDADD+= -lcrypto -lz
-DPADD+= ${LIBCRYPTO} ${LIBZ}
diff --git a/crypto/openssh/ssh.1 b/crypto/openssh/ssh.1
index fd822bb..591e15c 100644
--- a/crypto/openssh/ssh.1
+++ b/crypto/openssh/ssh.1
@@ -34,7 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.168 2003/03/28 10:11:43 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.167 2002/09/27 15:46:21 stevesk Exp $
+.\" $FreeBSD$
.Dd September 25, 1999
.Dt SSH 1
.Os
@@ -48,7 +49,6 @@
.Op Ar command
.Pp
.Nm ssh
-.Bk -words
.Op Fl afgknqstvxACNTX1246
.Op Fl b Ar bind_address
.Op Fl c Ar cipher_spec
@@ -67,8 +67,6 @@
.Sm on
.Xc
.Oc
-.Ek
-.Bk -words
.Oo Fl R Xo
.Sm off
.Ar port :
@@ -80,7 +78,6 @@
.Op Fl D Ar port
.Ar hostname | user@hostname
.Op Ar command
-.Ek
.Sh DESCRIPTION
.Nm
(SSH client) is a program for logging into a remote machine and for
@@ -103,7 +100,7 @@ depending on the protocol version used:
First, if the machine the user logs in from is listed in
.Pa /etc/hosts.equiv
or
-.Pa /etc/shosts.equiv
+.Pa /etc/ssh/shosts.equiv
on the remote machine, and the user names are
the same on both sides, the user is immediately permitted to log in.
Second, if
@@ -127,7 +124,7 @@ It means that if the login would be permitted by
.Pa $HOME/.shosts ,
.Pa /etc/hosts.equiv ,
or
-.Pa /etc/shosts.equiv ,
+.Pa /etc/ssh/shosts.equiv ,
and if additionally the server can verify the client's
host key (see
.Pa /etc/ssh/ssh_known_hosts
@@ -334,6 +331,7 @@ The user should not manually set
.Ev DISPLAY .
Forwarding of X11 connections can be
configured on the command line or in configuration files.
+Take note that X11 forwarding can represent a security hazard.
.Pp
The
.Ev DISPLAY
@@ -365,7 +363,7 @@ variable is set to
.Fl A
and
.Fl a
-options described later) and
+options described later) and
the user is using an authentication agent, the connection to the agent
is automatically forwarded to the remote side.
.Pp
@@ -407,11 +405,10 @@ Disables forwarding of the authentication agent connection.
Enables forwarding of the authentication agent connection.
This can also be specified on a per-host basis in a configuration file.
.Pp
-Agent forwarding should be enabled with caution.
-Users with the ability to bypass file permissions on the remote host
-(for the agent's Unix-domain socket)
-can access the local agent through the forwarded connection.
-An attacker cannot obtain key material from the agent,
+Agent forwarding should be enabled with caution. Users with the
+ability to bypass file permissions on the remote host (for the agent's
+Unix-domain socket) can access the local agent through the forwarded
+connection. An attacker cannot obtain key material from the agent,
however they can perform operations on the keys that enable them to
authenticate using the identities loaded into the agent.
.It Fl b Ar bind_address
@@ -433,8 +430,8 @@ is only supported in the
client for interoperability with legacy protocol 1 implementations
that do not support the
.Ar 3des
-cipher.
-Its use is strongly discouraged due to cryptographic weaknesses.
+cipher. Its use is strongly discouraged due to cryptographic
+weaknesses.
.It Fl c Ar cipher_spec
Additionally, for protocol version 2 a comma-separated list of ciphers can
be specified in order of preference.
@@ -571,11 +568,11 @@ Disables X11 forwarding.
Enables X11 forwarding.
This can also be specified on a per-host basis in a configuration file.
.Pp
-X11 forwarding should be enabled with caution.
-Users with the ability to bypass file permissions on the remote host
-(for the user's X authorization database)
-can access the local X11 display through the forwarded connection.
-An attacker may then be able to perform activities such as keystroke monitoring.
+X11 forwarding should be enabled with caution. Users with the ability
+to bypass file permissions on the remote host (for the user's X
+authorization database) can access the local X11 display through the
+forwarded connection. An attacker may then be able to perform
+activities such as keystroke monitoring.
.It Fl C
Requests compression of all data (including stdin, stdout, stderr, and
data for forwarded X11 and TCP/IP connections).
@@ -642,8 +639,7 @@ This works by allocating a socket to listen to
on the local side, and whenever a connection is made to this port, the
connection is forwarded over the secure channel, and the application
protocol is then used to determine where to connect to from the
-remote machine.
-Currently the SOCKS4 protocol is supported, and
+remote machine. Currently the SOCKS4 protocol is supported, and
.Nm
will act as a SOCKS4 server.
Only root can forward privileged ports.
@@ -684,7 +680,7 @@ It is automatically set by
to point to a value of the form
.Dq hostname:n
where hostname indicates
-the host where the shell runs, and n is an integer >= 1.
+the host where the shell runs, and n is an integer \*(>= 1.
.Nm
uses this special value to forward X11 connections over the secure
channel.
@@ -916,7 +912,8 @@ or
.Xr rsh 1 .
.It Pa /etc/hosts.equiv
This file is used during
-.Pa \&.rhosts authentication.
+.Pa \&.rhosts
+authentication.
It contains
canonical hosts names, one per line (the full format is described on
the
@@ -928,7 +925,7 @@ same.
Additionally, successful RSA host authentication is normally
required.
This file should only be writable by root.
-.It Pa /etc/shosts.equiv
+.It Pa /etc/ssh/shosts.equiv
This file is processed exactly as
.Pa /etc/hosts.equiv .
This file may be useful to permit logins using
diff --git a/crypto/openssh/ssh.c b/crypto/openssh/ssh.c
index 7206043..37eb251 100644
--- a/crypto/openssh/ssh.c
+++ b/crypto/openssh/ssh.c
@@ -40,7 +40,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.190 2003/02/06 09:27:29 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.186 2002/09/19 01:58:18 djm Exp $");
+RCSID("$FreeBSD$");
#include <openssl/evp.h>
#include <openssl/err.h>
@@ -253,7 +254,7 @@ main(int ac, char **av)
/* Get user data. */
pw = getpwuid(original_real_uid);
if (!pw) {
- log("You don't exist, go away!");
+ log("unknown user %d", original_real_uid);
exit(1);
}
/* Take a copy of the returned structure. */
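Review bot: `log("unknown user %d", original_real_uid);` formats the uid with `%d`; if `original_real_uid` is a `uid_t` (its declaration is outside the hunk), that type is unsigned on most systems and the specifier mismatches, printing large ids as negative numbers. Use `log("unknown user %u", (u_int)original_real_uid);`. main continues outside the hunk.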
@@ -495,9 +496,9 @@ again:
av += optind;
if (ac > 0 && !host && **av != '-') {
- if (strrchr(*av, '@')) {
+ if (strchr(*av, '@')) {
p = xstrdup(*av);
- cp = strrchr(p, '@');
+ cp = strchr(p, '@');
if (cp == NULL || cp == p)
usage();
options.user = p;
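Review bot: Switching to `strchr` splits `user@host` at the first `@`, so a user name that itself contains `@` (Kerberos or domain-style principals) now produces the wrong host; `strrchr` on the old side split at the last `@`, which is the only unambiguous choice because host names cannot contain `@`. Keep `strrchr` in both places: `if (strrchr(*av, '@')) {` and `cp = strrchr(p, '@');`. main continues outside the hunk.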
@@ -505,11 +506,12 @@ again:
host = ++cp;
} else
host = *av;
- if (ac > 1) {
- optind = optreset = 1;
+ ac--, av++;
+ if (ac > 0) {
+ optind = 0;
+ optreset = 1;
goto again;
}
- ac--, av++;
}
/* Check that we got a host name. */
@@ -601,9 +603,22 @@ again:
if (options.hostname != NULL)
host = options.hostname;
- if (options.proxy_command != NULL &&
- strcmp(options.proxy_command, "none") == 0)
- options.proxy_command = NULL;
+ /* Find canonic host name. */
+ if (strchr(host, '.') == 0) {
+ struct addrinfo hints;
+ struct addrinfo *ai = NULL;
+ int errgai;
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = IPv4or6;
+ hints.ai_flags = AI_CANONNAME;
+ hints.ai_socktype = SOCK_STREAM;
+ errgai = getaddrinfo(host, NULL, &hints, &ai);
+ if (errgai == 0) {
+ if (ai->ai_canonname != NULL)
+ host = xstrdup(ai->ai_canonname);
+ freeaddrinfo(ai);
+ }
+ }
/* Disable rhosts authentication if not running as root. */
#ifdef HAVE_CYGWIN
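Review bot: The added canonicalisation replaces `host` with `ai->ai_canonname`, a string supplied by DNS, before the host-key check that presumably follows outside the hunk; whoever controls the resolver's answer can therefore choose which known_hosts entry the connection is verified against, so a spoofed CNAME becomes a trusted-key match for the wrong host. If canonicalisation is wanted for display or per-host configuration, keep the user-typed name for host-key matching, or at minimum record the trust decision above `if (strchr(host, '.') == 0) {` with `/* NOTE: AI_CANONNAME comes from DNS and is untrusted; it steers the known_hosts lookup */`. Two smaller points: `strchr(...) == 0` compares a pointer with `0` where `== NULL` reads clearer, and the hunk also drops the `ProxyCommand none` special case, so that setting will now try to execute a program called `none` (consistent with the ssh_config.5 hunk that removes its documentation, but worth stating in the commit message). main continues outside the hunk.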
@@ -1029,7 +1044,7 @@ ssh_session2_setup(int id, void *arg)
int interactive = 0;
struct termios tio;
- debug2("ssh_session2_setup: id %d", id);
+ debug("ssh_session2_setup: id %d", id);
if (tty_flag) {
struct winsize ws;
diff --git a/crypto/openssh/ssh.h b/crypto/openssh/ssh.h
index 0a6ad13..794af34 100644
--- a/crypto/openssh/ssh.h
+++ b/crypto/openssh/ssh.h
@@ -1,4 +1,5 @@
/* $OpenBSD: ssh.h,v 1.71 2002/06/22 02:00:29 stevesk Exp $ */
+/* $FreeBSD$ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
diff --git a/crypto/openssh/ssh/Makefile b/crypto/openssh/ssh/Makefile
deleted file mode 100644
index 80511de..0000000
--- a/crypto/openssh/ssh/Makefile
+++ /dev/null
@@ -1,40 +0,0 @@
-# $OpenBSD: Makefile,v 1.42 2002/06/20 19:56:07 stevesk Exp $
-
-.PATH: ${.CURDIR}/..
-
-PROG= ssh
-BINOWN= root
-
-#BINMODE?=4555
-
-BINDIR= /usr/bin
-MAN= ssh.1 ssh_config.5
-LINKS= ${BINDIR}/ssh ${BINDIR}/slogin
-MLINKS= ssh.1 slogin.1
-
-SRCS= ssh.c readconf.c clientloop.c sshtty.c \
- sshconnect.c sshconnect1.c sshconnect2.c
-
-.include <bsd.own.mk> # for AFS
-
-.if (${KERBEROS5:L} == "yes")
-CFLAGS+= -DKRB5 -I${DESTDIR}/usr/include/kerberosV
-LDADD+= -lkrb5 -lasn1 -lcom_err
-DPADD+= ${LIBKRB5} ${LIBASN1} ${LIBCOM_ERR}
-.endif # KERBEROS5
-
-.if (${KERBEROS:L} == "yes")
-CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
-LDADD+= -lkrb
-DPADD+= ${LIBKRB}
-.if (${AFS:L} == "yes")
-CFLAGS+= -DAFS
-LDADD+= -lkafs
-DPADD+= ${LIBKAFS}
-.endif # AFS
-.endif # KERBEROS
-
-.include <bsd.prog.mk>
-
-LDADD+= -lcrypto -lz -ldes
-DPADD+= ${LIBCRYPTO} ${LIBZ} ${LIBDES}
diff --git a/crypto/openssh/ssh_config b/crypto/openssh/ssh_config
index 94cffbf..7f32bd9 100644
--- a/crypto/openssh/ssh_config
+++ b/crypto/openssh/ssh_config
@@ -1,4 +1,5 @@
# $OpenBSD: ssh_config,v 1.16 2002/07/03 14:21:05 markus Exp $
+# $FreeBSD$
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
@@ -24,7 +25,7 @@
# PasswordAuthentication yes
# HostbasedAuthentication no
# BatchMode no
-# CheckHostIP yes
+# CheckHostIP no
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
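Review bot: The commented default `# CheckHostIP no` advertises a weaker client default: with the check off, ssh no longer compares the server's IP address against known_hosts, so a host name that suddenly resolves to a different address is not reported to the user. The effective default lives in readconf.c, which is not part of this diff; make sure both agree, and record why this departs from upstream's `yes`, e.g. `# CheckHostIP no   (FreeBSD default; upstream OpenSSH defaults to yes)`.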
@@ -34,3 +35,4 @@
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
+# VersionAddendum FreeBSD-20030201
diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5
index 44208b4..ae56927 100644
--- a/crypto/openssh/ssh_config.5
+++ b/crypto/openssh/ssh_config.5
@@ -34,7 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.7 2003/03/28 10:11:43 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.5 2002/08/29 22:54:10 stevesk Exp $
+.\" $FreeBSD$
.Dd September 25, 1999
.Dt SSH_CONFIG 5
.Os
@@ -160,7 +161,7 @@ If the option is set to
.Dq no ,
the check will not be executed.
The default is
-.Dq yes .
+.Dq no .
.It Cm Cipher
Specifies the cipher to use for encrypting the session
in protocol version 1.
@@ -176,8 +177,8 @@ is only supported in the
client for interoperability with legacy protocol 1 implementations
that do not support the
.Ar 3des
-cipher.
-Its use is strongly discouraged due to cryptographic weaknesses.
+cipher. Its use is strongly discouraged due to cryptographic
+weaknesses.
The default is
.Dq 3des .
.It Cm Ciphers
@@ -193,8 +194,7 @@ The default is
.It Cm ClearAllForwardings
Specifies that all local, remote and dynamic port forwardings
specified in the configuration files or on the command line be
-cleared.
-This option is primarily useful when used from the
+cleared. This option is primarily useful when used from the
.Nm ssh
command line to clear port forwardings set in
configuration files, and is automatically set by
@@ -231,14 +231,13 @@ The default is 1.
Specifies that a TCP/IP port on the local machine be forwarded
over the secure channel, and the application
protocol is then used to determine where to connect to from the
-remote machine.
-The argument must be a port number.
+remote machine. The argument must be a port number.
Currently the SOCKS4 protocol is supported, and
.Nm ssh
will act as a SOCKS4 server.
Multiple forwardings may be specified, and
-additional forwardings can be given on the command line.
-Only the superuser can forward privileged ports.
+additional forwardings can be given on the command line. Only
+the superuser can forward privileged ports.
.It Cm EscapeChar
Sets the escape character (default:
.Ql ~ ) .
@@ -261,11 +260,10 @@ or
The default is
.Dq no .
.Pp
-Agent forwarding should be enabled with caution.
-Users with the ability to bypass file permissions on the remote host
-(for the agent's Unix-domain socket)
-can access the local agent through the forwarded connection.
-An attacker cannot obtain key material from the agent,
+Agent forwarding should be enabled with caution. Users with the
+ability to bypass file permissions on the remote host (for the agent's
+Unix-domain socket) can access the local agent through the forwarded
+connection. An attacker cannot obtain key material from the agent,
however they can perform operations on the keys that enable them to
authenticate using the identities loaded into the agent.
.It Cm ForwardX11
@@ -280,18 +278,18 @@ or
The default is
.Dq no .
.Pp
-X11 forwarding should be enabled with caution.
-Users with the ability to bypass file permissions on the remote host
-(for the user's X authorization database)
-can access the local X11 display through the forwarded connection.
-An attacker may then be able to perform activities such as keystroke monitoring.
+X11 forwarding should be enabled with caution. Users with the ability
+to bypass file permissions on the remote host (for the user's X
+authorization database) can access the local X11 display through the
+forwarded connection. An attacker may then be able to perform
+activities such as keystroke monitoring.
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to local
forwarded ports.
By default,
.Nm ssh
-binds local port forwardings to the loopback address.
-This prevents other remote hosts from connecting to forwarded ports.
+binds local port forwardings to the loopback address. This
+prevents other remote hosts from connecting to forwarded ports.
.Cm GatewayPorts
can be used to specify that
.Nm ssh
@@ -398,9 +396,8 @@ Gives the verbosity level that is used when logging messages from
.Nm ssh .
The possible values are:
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
-The default is INFO.
-DEBUG and DEBUG1 are equivalent.
-DEBUG2 and DEBUG3 each specify higher levels of verbose output.
+The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2
+and DEBUG3 each specify higher levels of verbose output.
.It Cm MACs
Specifies the MAC (message authentication code) algorithms
in order of preference.
@@ -478,9 +475,6 @@ somewhere.
Host key management will be done using the
HostName of the host being connected (defaulting to the name typed by
the user).
-Setting the command to
-.Dq none
-disables this option entirely.
Note that
.Cm CheckHostIP
is not available for connects with a proxy command.
@@ -618,6 +612,11 @@ having to remember to give the user name on the command line.
Specifies a file to use for the user
host key database instead of
.Pa $HOME/.ssh/known_hosts .
+.It Cm VersionAddendum
+Specifies a string to append to the regular version string to identify
+OS- or site-specific modifications.
+The default is
+.Dq FreeBSD-20030201 .
.It Cm XAuthLocation
Specifies the full pathname of the
.Xr xauth 1
diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c
index dae2596..95f47f1 100644
--- a/crypto/openssh/sshconnect.c
+++ b/crypto/openssh/sshconnect.c
@@ -13,7 +13,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.137 2002/11/21 23:03:51 deraadt Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.135 2002/09/19 01:58:18 djm Exp $");
+RCSID("$FreeBSD$");
#include <openssl/bn.h>
@@ -247,7 +248,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
*/
int full_failure = 1;
- debug2("ssh_connect: needpriv %d", needpriv);
+ debug("ssh_connect: needpriv %d", needpriv);
/* Get default port if port has not been set. */
if (port == 0) {
@@ -649,10 +650,10 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
"%s key fingerprint is %s.\n"
"Are you sure you want to continue connecting "
"(yes/no)? ",
- host, ip,
- has_keys ? ",\nbut keys of different type are already "
- "known for this host." : ".",
- type, fp);
+ host, ip,
+ has_keys ? ",\nbut keys of different type are already "
+ "known for this host." : ".",
+ type, fp);
xfree(fp);
if (!confirm(msg))
goto fail;
diff --git a/crypto/openssh/sshconnect1.c b/crypto/openssh/sshconnect1.c
index 2fc9a98..368b412 100644
--- a/crypto/openssh/sshconnect1.c
+++ b/crypto/openssh/sshconnect1.c
@@ -14,6 +14,7 @@
#include "includes.h"
RCSID("$OpenBSD: sshconnect1.c,v 1.52 2002/08/08 13:50:23 aaron Exp $");
+RCSID("$FreeBSD$");
#include <openssl/bn.h>
#include <openssl/md5.h>
diff --git a/crypto/openssh/sshconnect2.c b/crypto/openssh/sshconnect2.c
index 642b34b..8fb098b 100644
--- a/crypto/openssh/sshconnect2.c
+++ b/crypto/openssh/sshconnect2.c
@@ -23,7 +23,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.114 2003/04/01 10:22:21 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.107 2002/07/01 19:48:46 markus Exp $");
+RCSID("$FreeBSD$");
#include "ssh.h"
#include "ssh2.h"
@@ -110,8 +111,6 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
/* start key exchange */
kex = kex_setup(myproposal);
- kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
- kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
kex->verify_host_key=&verify_host_key_callback;
@@ -130,6 +129,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
packet_send();
packet_write_wait();
#endif
+ debug("done: ssh_kex2.");
}
/*
@@ -225,23 +225,24 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
+ debug("send SSH2_MSG_SERVICE_REQUEST");
packet_start(SSH2_MSG_SERVICE_REQUEST);
packet_put_cstring("ssh-userauth");
packet_send();
- debug("SSH2_MSG_SERVICE_REQUEST sent");
packet_write_wait();
type = packet_read();
- if (type != SSH2_MSG_SERVICE_ACCEPT)
- fatal("Server denied authentication request: %d", type);
+ if (type != SSH2_MSG_SERVICE_ACCEPT) {
+ fatal("denied SSH2_MSG_SERVICE_ACCEPT: %d", type);
+ }
if (packet_remaining() > 0) {
char *reply = packet_get_string(NULL);
- debug2("service_accept: %s", reply);
+ debug("service_accept: %s", reply);
xfree(reply);
} else {
- debug2("buggy server: service_accept w/o service");
+ debug("buggy server: service_accept w/o service");
}
packet_check_eom();
- debug("SSH2_MSG_SERVICE_ACCEPT received");
+ debug("got SSH2_MSG_SERVICE_ACCEPT");
if (options.preferred_authentications == NULL)
options.preferred_authentications = authmethods_get();
@@ -273,7 +274,7 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
if (authctxt.agent != NULL)
ssh_close_authentication_connection(authctxt.agent);
- debug("Authentication succeeded (%s).", authctxt.method->name);
+ debug("ssh-userauth2 successful: method %s", authctxt.method->name);
}
void
userauth(Authctxt *authctxt, char *authlist)
@@ -347,7 +348,7 @@ input_userauth_failure(int type, u_int32_t seq, void *ctxt)
if (partial != 0)
log("Authenticated with partial success.");
- debug("Authentications that can continue: %s", authlist);
+ debug("authentications that can continue: %s", authlist);
clear_auth_state(authctxt);
userauth(authctxt, authlist);
@@ -379,7 +380,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
}
packet_check_eom();
- debug("Server accepts key: pkalg %s blen %u lastkey %p hint %d",
+ debug("input_userauth_pk_ok: pkalg %s blen %u lastkey %p hint %d",
pkalg, blen, authctxt->last_key, authctxt->last_key_hint);
do {
@@ -764,7 +765,7 @@ userauth_pubkey_agent(Authctxt *authctxt)
if (k == NULL) {
debug2("userauth_pubkey_agent: no more keys");
} else {
- debug("Offering agent key: %s", comment);
+ debug("userauth_pubkey_agent: testing agent key %s", comment);
xfree(comment);
ret = send_pubkey_test(authctxt, k, agent_sign_cb, -1);
if (ret == 0)
@@ -792,7 +793,7 @@ userauth_pubkey(Authctxt *authctxt)
key = options.identity_keys[idx];
filename = options.identity_files[idx];
if (key == NULL) {
- debug("Trying private key: %s", filename);
+ debug("try privkey: %s", filename);
key = load_identity_file(filename);
if (key != NULL) {
sent = sign_and_send_pubkey(authctxt, key,
@@ -800,7 +801,7 @@ userauth_pubkey(Authctxt *authctxt)
key_free(key);
}
} else if (key->type != KEY_RSA1) {
- debug("Offering public key: %s", filename);
+ debug("try pubkey: %s", filename);
sent = send_pubkey_test(authctxt, key,
identity_sign_cb, idx);
}
@@ -906,7 +907,7 @@ ssh_keysign(Key *key, u_char **sigp, u_int *lenp,
pid_t pid;
int to[2], from[2], status, version = 2;
- debug2("ssh_keysign called");
+ debug("ssh_keysign called");
if (stat(_PATH_SSH_KEY_SIGN, &st) < 0) {
error("ssh_keysign: no installed: %s", strerror(errno));
@@ -995,7 +996,7 @@ userauth_hostbased(Authctxt *authctxt)
}
}
if (!found) {
- debug("No more client hostkeys for hostbased authentication.");
+ debug("userauth_hostbased: no more client hostkeys");
return 0;
}
if (key_to_blob(private, &blob, &blen) == 0) {
@@ -1014,7 +1015,6 @@ userauth_hostbased(Authctxt *authctxt)
strlcpy(chost, p, len);
strlcat(chost, ".", len);
debug2("userauth_hostbased: chost %s", chost);
- xfree(p);
service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
authctxt->service;
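Review bot: Removing `xfree(p);` after `debug2("userauth_hostbased: chost %s", chost);` leaks the local host-name buffer if `p` is heap-allocated, which the old side's free indicates; the copy into `chost` is complete at that point and nothing after it uses `p`. Re-add `xfree(p);` directly after the debug2 line. userauth_hostbased starts and ends outside the hunk.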
@@ -1110,6 +1110,7 @@ static char *preferred = NULL;
static Authmethod *
authmethod_get(char *authlist)
{
+
char *name = NULL;
u_int next;
@@ -1130,7 +1131,7 @@ authmethod_get(char *authlist)
for (;;) {
if ((name = match_list(preferred, supported, &next)) == NULL) {
- debug("No more authentication methods to try.");
+ debug("no more auth methods to try");
current = NULL;
return NULL;
}
@@ -1140,7 +1141,7 @@ authmethod_get(char *authlist)
if ((current = authmethod_lookup(name)) != NULL &&
authmethod_is_enabled(current)) {
debug3("authmethod_is_enabled %s", name);
- debug("Next authentication method: %s", name);
+ debug("next auth method to try is %s", name);
return current;
}
}
diff --git a/crypto/openssh/sshd.8 b/crypto/openssh/sshd.8
index a99c4f1..4e00579 100644
--- a/crypto/openssh/sshd.8
+++ b/crypto/openssh/sshd.8
@@ -34,7 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.194 2003/01/31 21:54:40 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.193 2002/09/24 20:59:44 todd Exp $
+.\" $FreeBSD$
.Dd September 25, 1999
.Dt SSHD 8
.Os
@@ -43,7 +44,6 @@
.Nd OpenSSH SSH daemon
.Sh SYNOPSIS
.Nm sshd
-.Bk -words
.Op Fl deiqtD46
.Op Fl b Ar bits
.Op Fl f Ar config_file
@@ -53,7 +53,6 @@
.Op Fl o Ar option
.Op Fl p Ar port
.Op Fl u Ar len
-.Ek
.Sh DESCRIPTION
.Nm
(SSH Daemon) is the daemon program for
@@ -67,7 +66,7 @@ install and use as possible.
.Nm
is the daemon that listens for connections from clients.
It is normally started at boot from
-.Pa /etc/rc .
+.Pa /etc/rc.d/sshd .
It forks a new
daemon for each incoming connection.
The forked daemons handle
@@ -77,7 +76,7 @@ This implementation of
.Nm
supports both SSH protocol version 1 and 2 simultaneously.
.Nm
-works as follows:
+works as follows.
.Pp
.Ss SSH protocol version 1
.Pp
@@ -88,7 +87,7 @@ the daemon starts, it generates a server RSA key (normally 768 bits).
This key is normally regenerated every hour if it has been used, and
is never stored on disk.
.Pp
-Whenever a client connects, the daemon responds with its public
+Whenever a client connects the daemon responds with its public
host and server keys.
The client compares the
RSA host key against its own database to verify that it has not changed.
@@ -121,7 +120,7 @@ System security is not improved unless
.Nm rshd ,
.Nm rlogind ,
and
-.Nm rexecd
+.Xr rexecd
are disabled (thus completely disabling
.Xr rlogin
and
@@ -191,9 +190,7 @@ The server sends verbose debug output to the system
log, and does not put itself in the background.
The server also will not fork and will only process one connection.
This option is only intended for debugging for the server.
-Multiple
-.Fl d
-options increase the debugging level.
+Multiple -d options increase the debugging level.
Maximum is 3.
.It Fl e
When this option is specified,
@@ -220,8 +217,6 @@ host key files are normally not readable by anyone but root).
The default is
.Pa /etc/ssh/ssh_host_key
for protocol version 1, and
-.Pa /etc/ssh/ssh_host_rsa_key
-and
.Pa /etc/ssh/ssh_host_dsa_key
for protocol version 2.
It is possible to have multiple host key files for
@@ -229,8 +224,7 @@ the different protocol versions and host key algorithms.
.It Fl i
Specifies that
.Nm
-is being run from
-.Xr inetd 8 .
+is being run from inetd.
.Nm
is normally not run
from inetd because it needs to generate the server key before it can
@@ -287,7 +281,7 @@ should be put into the
.Pa utmp
file.
.Fl u0
-may also be used to prevent
+is also be used to prevent
.Nm
from making DNS requests unless the authentication
mechanism or configuration requires it.
@@ -345,8 +339,9 @@ section).
If the login is on a tty, records login time.
.It
Checks
-.Pa /etc/nologin ;
-if it exists, prints contents and quits
+.Pa /etc/nologin and
+.Pa /var/run/nologin ;
+if one exists, it prints the contents and quits
(unless root).
.It
Changes to run with normal user privileges.
@@ -368,11 +363,12 @@ If
exists, runs it; else if
.Pa /etc/ssh/sshrc
exists, runs
-it; otherwise runs xauth.
+it; otherwise runs
+.Xr xauth 1 .
The
.Dq rc
files are given the X11
-authentication protocol and cookie in standard input.
+authentication protocol and cookie (if applicable) in standard input.
.It
Runs user's shell or command.
.El
@@ -451,7 +447,7 @@ authentication.
The command supplied by the user (if any) is ignored.
The command is run on a pty if the client requests a pty;
otherwise it is run without a tty.
-If an 8-bit clean channel is required,
+If a 8-bit clean channel is required,
one must not request a pty or should specify
.Cm no-pty .
A quote may be included in the command by quoting it with a backslash.
@@ -572,15 +568,15 @@ Contains configuration data for
.Nm sshd .
The file format and configuration options are described in
.Xr sshd_config 5 .
-.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
-These three files contain the private parts of the host keys.
+.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key
+These two files contain the private parts of the host keys.
These files should only be owned by root, readable only by root, and not
accessible to others.
Note that
.Nm
does not start if this file is group/world-accessible.
-.It Pa /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_rsa_key.pub
-These three files contain the public parts of the host keys.
+.It Pa /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub
+These two files contain the public parts of the host keys.
These files should be world-readable but writable only by
root.
Their contents should match the respective private parts.
@@ -589,7 +585,7 @@ really used for anything; they are provided for the convenience of
the user so their contents can be copied to known hosts files.
These files are created using
.Xr ssh-keygen 1 .
-.It Pa /etc/moduli
+.It Pa /etc/ssh/moduli
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
The file format is described in
.Xr moduli 5 .
@@ -632,7 +628,7 @@ These files should be writable only by root/the owner.
.Pa /etc/ssh/ssh_known_hosts
should be world-readable, and
.Pa $HOME/.ssh/known_hosts
-can, but need not be, world-readable.
+can but need not be world-readable.
.It Pa /etc/nologin
If this file exists,
.Nm
@@ -649,7 +645,7 @@ Further details are described in
This file contains host-username pairs, separated by a space, one per
line.
The given user on the corresponding host is permitted to log in
-without a password.
+without password.
The same file is used by rlogind and rshd.
The file must
be writable only by the user; it is recommended that it not be
@@ -701,7 +697,7 @@ The only valid use for user names that I can think
of is in negative entries.
.Pp
Note that this warning also applies to rsh/rlogin.
-.It Pa /etc/shosts.equiv
+.It Pa /etc/ssh/shosts.equiv
This is processed exactly as
.Pa /etc/hosts.equiv .
However, this file may be useful in environments that want to run both
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
index 0f2b2a3..cb25d36 100644
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@@ -42,7 +42,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.263 2003/02/16 17:09:57 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.260 2002/09/27 10:42:09 mickey Exp $");
+RCSID("$FreeBSD$");
#include <openssl/dh.h>
#include <openssl/bn.h>
@@ -53,6 +54,10 @@ RCSID("$OpenBSD: sshd.c,v 1.263 2003/02/16 17:09:57 markus Exp $");
#include <prot.h>
#endif
+#ifdef __FreeBSD__
+#include <resolv.h>
+#endif
+
#include "ssh.h"
#include "ssh1.h"
#include "ssh2.h"
@@ -202,8 +207,8 @@ int *startup_pipes = NULL;
int startup_pipe; /* in child */
/* variables used for privilege separation */
-int use_privsep;
-struct monitor *pmonitor;
+extern struct monitor *pmonitor;
+extern int use_privsep;
/* Prototypes for various functions defined later in this file. */
void destroy_sensitive_data(void);
@@ -827,17 +832,9 @@ main(int ac, char **av)
__progname = get_progname(av[0]);
init_rng();
- /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
+ /* Save argv. */
saved_argc = ac;
saved_argv = av;
- saved_argv = xmalloc(sizeof(*saved_argv) * ac);
- for (i = 0; i < ac; i++)
- saved_argv[i] = xstrdup(av[i]);
-
-#ifndef HAVE_SETPROCTITLE
- /* Prepare for later setproctitle emulation */
- compat_init_setproctitle(ac, av);
-#endif
/* Initialize configuration options to their default values. */
initialize_server_options(&options);
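Review bot: `saved_argv = av;` now aliases the live argument vector, so anything that later rewrites argv in place — the setproctitle emulation the removed comment warned about — would also rewrite the vector sshd re-execs itself with. If this tree is built only where setproctitle(3) is native that is safe, but the shortened `/* Save argv. */` no longer records the assumption; `/* Save argv; no copy needed, native setproctitle(3) does not clobber it. */` would. The `i` variable the removed loop used may now be unused in main, which continues outside the hunk.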
@@ -952,7 +949,7 @@ main(int ac, char **av)
SYSLOG_LEVEL_INFO : options.log_level,
options.log_facility == SYSLOG_FACILITY_NOT_SET ?
SYSLOG_FACILITY_AUTH : options.log_facility,
- log_stderr || !inetd_flag);
+ !inetd_flag);
#ifdef _UNICOS
/* Cray can define user privs drop all prives now!
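Review bot: The last argument to log_init loses the `log_stderr` term, so when sshd is started from inetd the `-e` option (documented in the sshd.8 hunk above as sending output to standard error) presumably no longer has any effect, since stderr logging is now decided by `!inetd_flag` alone. If that is intended for this build, sshd.8's `-e` text should say so; otherwise keep `log_stderr || !inetd_flag);` as the argument. That log_stderr is the flag set by `-e` is inferred from its name, and main continues outside the hunk.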
@@ -1066,8 +1063,8 @@ main(int ac, char **av)
#else
if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
#endif
- fatal("%s must be owned by root and not group or "
- "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
+ fatal("Bad owner or mode for %s",
+ _PATH_PRIVSEP_CHROOT_DIR);
}
/* Configuration looks good, so exit if in test mode. */
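Review bot: The new fatal text `Bad owner or mode for %s` no longer tells the operator what the check requires; the condition two lines up rejects a non-root owner or any group/world write bit, and an admin seeing this at startup has to read the source to learn that. A message such as `fatal("%s must be owned by root and not group or world-writable", _PATH_PRIVSEP_CHROOT_DIR);` makes the privsep directory misconfiguration self-diagnosing at no cost. main continues outside the hunk.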
@@ -1400,12 +1397,8 @@ main(int ac, char **av)
* setlogin() affects the entire process group. We don't
* want the child to be able to affect the parent.
*/
-#if !defined(STREAMS_PUSH_ACQUIRES_CTTY)
- /*
- * If setsid is called on Solaris, sshd will acquire the controlling
- * terminal while pushing STREAMS modules. This will prevent the
- * shell from acquiring it later.
- */
+#if 0
+ /* XXX: this breaks Solaris */
if (!debug_flag && !inetd_flag && setsid() < 0)
error("setsid: %.100s", strerror(errno));
#endif
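Review bot: `#if 0` removes the setsid() call on every platform, not only the one the `/* XXX: this breaks Solaris */` comment is about; the removed `#if !defined(STREAMS_PUSH_ACQUIRES_CTTY)` guard kept it elsewhere. The comment immediately above the hunk still says the call exists so a child's setlogin() cannot affect the parent's process group, so code and comment now disagree and that isolation is gone where it was safe. Re-scoping the guard to the affected platform (the removed macro, or an equivalent build-time condition) with the Solaris explanation restored would keep both. main continues outside the hunk.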
@@ -1429,6 +1422,17 @@ main(int ac, char **av)
sizeof(on)) < 0)
error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
+#ifdef __FreeBSD__
+ /*
+ * Initialize the resolver. This may not happen automatically
+ * before privsep chroot().
+ */
+ if ((_res.options & RES_INIT) == 0) {
+ debug("res_init()");
+ res_init();
+ }
+#endif
+
/*
* Register our connection. This turns encryption off because we do
* not have a key.
@@ -1818,8 +1822,6 @@ do_ssh2_kex(void)
/* start key exchange */
kex = kex_setup(myproposal);
- kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
- kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->server = 1;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
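Review bot: Removing the two `kex->kex[...]` assignments leaves do_ssh2_kex without any server-side DH handlers unless the `kex_setup` on the new side dispatches on the negotiated method itself; if the kex.c shipped with this import still selects through the `kex->kex[]` table, protocol-2 key exchange would fail for every client. This looks like a revert to an older kex layout and is probably consistent with the rest of the import, but that dependency is invisible here; a comment such as `/* kex_setup() wires the DH/GEX handlers itself */` (if true) would save the next reader the same check. do_ssh2_kex continues outside the hunk.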
diff --git a/crypto/openssh/sshd/Makefile b/crypto/openssh/sshd/Makefile
deleted file mode 100644
index 14ef3e0..0000000
--- a/crypto/openssh/sshd/Makefile
+++ /dev/null
@@ -1,56 +0,0 @@
-# $OpenBSD: Makefile,v 1.51 2002/06/20 19:56:07 stevesk Exp $
-
-.PATH: ${.CURDIR}/..
-
-PROG= sshd
-BINOWN= root
-BINMODE=555
-BINDIR= /usr/sbin
-MAN= sshd.8 sshd_config.5
-CFLAGS+=-DHAVE_LOGIN_CAP -DBSD_AUTH
-
-SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
- sshpty.c sshlogin.c servconf.c serverloop.c uidswap.c \
- auth.c auth1.c auth2.c auth-options.c session.c \
- auth-chall.c auth2-chall.c groupaccess.c \
- auth-skey.c auth-bsdauth.c monitor_mm.c monitor.c \
- auth2-none.c auth2-passwd.c auth2-pubkey.c \
- auth2-hostbased.c auth2-kbdint.c
-
-.include <bsd.own.mk> # for KERBEROS and AFS
-
-.if (${KERBEROS5:L} == "yes")
-CFLAGS+=-DKRB5 -I${DESTDIR}/usr/include/kerberosV
-SRCS+= auth-krb5.c
-LDADD+= -lkrb5 -lkafs -lasn1 -lcom_err
-DPADD+= ${LIBKRB5} ${LIBKAFS} ${LIBASN1} ${LIBCOM_ERR}
-.endif # KERBEROS5
-
-.if (${KERBEROS:L} == "yes")
-.if (${AFS:L} == "yes")
-CFLAGS+= -DAFS
-LDADD+= -lkafs
-DPADD+= ${LIBKAFS}
-.endif # AFS
-CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
-SRCS+= auth-krb4.c
-LDADD+= -lkrb
-DPADD+= ${LIBKRB}
-.endif # KERBEROS
-
-.include <bsd.prog.mk>
-
-LDADD+= -lcrypto -lutil -lz -ldes
-DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} ${LIBDES}
-
-.if (${TCP_WRAPPERS:L} == "yes")
-CFLAGS+= -DLIBWRAP
-LDADD+= -lwrap
-DPADD+= ${LIBWRAP}
-.endif
-
-#.if (${SKEY:L} == "yes")
-#CFLAGS+= -DSKEY
-#LDADD+= -lskey
-#DPADD+= ${SKEY}
-#.endif
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index 36429c9..a209aa3 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -1,4 +1,5 @@
# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
+# $FreeBSD$
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@@ -10,6 +11,11 @@
# possible, but leave them commented. Uncommented options change a
# default value.
+# Note that some of FreeBSD's defaults differ from OpenBSD's, and
+# FreeBSD has a few additional options.
+
+#VersionAddendum FreeBSD-20030201
+
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
@@ -18,7 +24,6 @@
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
@@ -33,7 +38,7 @@
# Authentication:
#LoginGraceTime 120
-#PermitRootLogin yes
+#PermitRootLogin no
#StrictModes yes
#RSAAuthentication yes
@@ -56,7 +61,7 @@
#PasswordAuthentication yes
#PermitEmptyPasswords no
-# Change to no to disable s/key passwords
+# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes
# Kerberos options
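Review bot: The new comment on ChallengeResponseAuthentication says only that `no` disables PAM, while the sshd_config.5 hunks in this same change (PasswordAuthentication and PermitRootLogin) explain that while it is `yes`, password logins — including root's — can still succeed through PAM regardless of `PasswordAuthentication no` or `PermitRootLogin without-password`. Administrators read the shipped config far more often than the manual, so that caveat belongs here too: `# Note: while this is yes, PasswordAuthentication and PermitRootLogin` / `# are not authoritative; PAM (pam_unix) may still accept passwords.`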
@@ -69,11 +74,7 @@
# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
-# Set this to 'yes' to enable PAM keyboard-interactive authentication
-# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
-#PAMAuthenticationViaKbdInt no
-
-#X11Forwarding no
+#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index 6f38a260..117c8b3 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -34,7 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.15 2003/03/28 10:11:43 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.13 2002/09/16 20:12:11 stevesk Exp $
+.\" $FreeBSD$
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
@@ -89,7 +90,7 @@ own forwarders.
.It Cm AllowUsers
This keyword can be followed by a list of user name patterns, separated
by spaces.
-If specified, login is allowed only for user names that
+If specified, login is allowed only for users names that
match one of the patterns.
.Ql \&*
and
@@ -125,10 +126,17 @@ This option is only available for protocol version 2.
By default, no banner is displayed.
.Pp
.It Cm ChallengeResponseAuthentication
-Specifies whether challenge response authentication is allowed.
-All authentication styles from
-.Xr login.conf 5
-are supported.
+Specifies whether challenge-response authentication is allowed.
+Specifically, in
+.Fx ,
+this controls the use of PAM (see
+.Xr pam 3 )
+for authentication.
+Note that this affects the effectiveness of the
+.Cm PasswordAuthentication
+and
+.Cm PermitRootLogin
+variables.
The default is
.Dq yes .
.It Cm Ciphers
@@ -211,8 +219,8 @@ Specifies whether remote hosts are allowed to connect to ports
forwarded for the client.
By default,
.Nm sshd
-binds remote port forwardings to the loopback address.
-This prevents other remote hosts from connecting to forwarded ports.
+binds remote port forwardings to the loopback address. This
+prevents other remote hosts from connecting to forwarded ports.
.Cm GatewayPorts
can be used to specify that
.Nm sshd
@@ -239,8 +247,6 @@ used by SSH.
The default is
.Pa /etc/ssh/ssh_host_key
for protocol version 1, and
-.Pa /etc/ssh/ssh_host_rsa_key
-and
.Pa /etc/ssh/ssh_host_dsa_key
for protocol version 2.
Note that
@@ -266,7 +272,7 @@ or
.Pp
.Pa /etc/hosts.equiv
and
-.Pa /etc/shosts.equiv
+.Pa /etc/ssh/shosts.equiv
are still used.
The default is
.Dq yes .
@@ -370,8 +376,7 @@ is not specified,
will listen on the address and all prior
.Cm Port
options specified. The default is to listen on all local
-addresses.
-Multiple
+addresses. Multiple
.Cm ListenAddress
options are permitted. Additionally, any
.Cm Port
@@ -386,10 +391,10 @@ Gives the verbosity level that is used when logging messages from
.Nm sshd .
The possible values are:
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
-The default is INFO.
-DEBUG and DEBUG1 are equivalent.
-DEBUG2 and DEBUG3 each specify higher levels of debugging output.
-Logging with a DEBUG level violates the privacy of users and is not recommended.
+The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2
+and DEBUG3 each specify higher levels of debugging output.
+Logging with a DEBUG level violates the privacy of users
+and is not recommended.
.It Cm MACs
Specifies the available MAC (message authentication code) algorithms.
The MAC algorithm is used in protocol version 2
@@ -422,16 +427,21 @@ The probability increases linearly and all connection attempts
are refused if the number of unauthenticated connections reaches
.Dq full
(60).
-.It Cm PAMAuthenticationViaKbdInt
-Specifies whether PAM challenge response authentication is allowed. This
-allows the use of most PAM challenge response authentication modules, but
-it will allow password authentication regardless of whether
-.Cm PasswordAuthentication
-is enabled.
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
.Dq yes .
+Note that
+.Cm ChallengeResponseAuthentication
+is
+.Dq yes ,
+and the PAM authentication policy for
+.Nm sshd
+includes
+.Xr pam_unix 8 ,
+password authentication will be allowed through the challenge-response
+mechanism regardless of the value of
+.Cm PasswordAuthentication .
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
@@ -447,7 +457,14 @@ The argument must be
or
.Dq no .
The default is
-.Dq yes .
+.Dq no .
+Note that if
+.Cm ChallengeResponseAuthentication
+is
+.Dq yes ,
+the root user may be allowed in with its password even if
+.Cm PermitRootLogin is set to
+.Dq without-password .
.Pp
If this option is set to
.Dq without-password
@@ -535,18 +552,23 @@ The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
.It Cm RhostsAuthentication
-Specifies whether authentication using rhosts or /etc/hosts.equiv
+Specifies whether authentication using rhosts or
+.Pa /etc/hosts.equiv
files is sufficient.
Normally, this method should not be permitted because it is insecure.
.Cm RhostsRSAAuthentication
should be used
instead, because it performs RSA-based host authentication in addition
-to normal rhosts or /etc/hosts.equiv authentication.
+to normal rhosts or
+.Pa /etc/hosts.equiv
+authentication.
The default is
.Dq no .
This option applies to protocol version 1 only.
.It Cm RhostsRSAAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together
+Specifies whether rhosts or
+.Pa /etc/hosts.equiv
+authentication together
with successful RSA host authentication is allowed.
The default is
.Dq no .
@@ -600,18 +622,16 @@ will be disabled because
.Xr login 1
does not know how to handle
.Xr xauth 1
-cookies.
-If
+cookies. If
.Cm UsePrivilegeSeparation
is specified, it will be disabled after authentication.
.It Cm UsePrivilegeSeparation
Specifies whether
.Nm sshd
separates privileges by creating an unprivileged child process
-to deal with incoming network traffic.
-After successful authentication, another process will be created that has
-the privilege of the authenticated user.
-The goal of privilege separation is to prevent privilege
+to deal with incoming network traffic. After successful authentication,
+another process will be created that has the privilege of the authenticated
+user. The goal of privilege separation is to prevent privilege
escalation by containing any corruption within the unprivileged processes.
The default is
.Dq yes .
@@ -623,6 +643,11 @@ the resolved host name for the remote IP address maps back to the
very same IP address.
The default is
.Dq no .
+.It Cm VersionAddendum
+Specifies a string to append to the regular version string to identify
+OS- or site-specific modifications.
+The default is
+.Dq FreeBSD-20030201 .
.It Cm X11DisplayOffset
Specifies the first display number available for
.Nm sshd Ns 's
@@ -638,7 +663,7 @@ The argument must be
or
.Dq no .
The default is
-.Dq no .
+.Dq yes .
.Pp
When X11 forwarding is enabled, there may be additional exposure to
the server and to client displays if the
@@ -669,8 +694,7 @@ is enabled.
Specifies whether
.Nm sshd
should bind the X11 forwarding server to the loopback address or to
-the wildcard address.
-By default,
+the wildcard address. By default,
.Nm sshd
binds the forwarding server to the loopback address and sets the
hostname part of the
diff --git a/crypto/openssh/sshlogin.c b/crypto/openssh/sshlogin.c
index 12555d6..6aeaa05 100644
--- a/crypto/openssh/sshlogin.c
+++ b/crypto/openssh/sshlogin.c
@@ -40,6 +40,7 @@
#include "includes.h"
RCSID("$OpenBSD: sshlogin.c,v 1.5 2002/08/29 15:57:25 stevesk Exp $");
+RCSID("$FreeBSD$");
#include "loginrec.h"
diff --git a/crypto/openssh/sshlogin.h b/crypto/openssh/sshlogin.h
index 1c8bfad..2bf9e0d 100644
--- a/crypto/openssh/sshlogin.h
+++ b/crypto/openssh/sshlogin.h
@@ -1,4 +1,5 @@
/* $OpenBSD: sshlogin.h,v 1.4 2002/08/29 15:57:25 stevesk Exp $ */
+/* $FreeBSD$ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
diff --git a/crypto/openssh/sshpty.c b/crypto/openssh/sshpty.c
index d28947f..dad1b16 100644
--- a/crypto/openssh/sshpty.c
+++ b/crypto/openssh/sshpty.c
@@ -12,7 +12,8 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshpty.c,v 1.8 2003/02/03 08:56:16 markus Exp $");
+RCSID("$OpenBSD: sshpty.c,v 1.7 2002/06/24 17:57:20 deraadt Exp $");
+RCSID("$FreeBSD$");
#ifdef HAVE_UTIL_H
# include <util.h>
@@ -394,7 +395,7 @@ pty_setowner(struct passwd *pw, const char *ttyname)
if (chown(ttyname, pw->pw_uid, gid) < 0) {
if (errno == EROFS &&
(st.st_uid == pw->pw_uid || st.st_uid == 0))
- debug("chown(%.100s, %u, %u) failed: %.100s",
+ error("chown(%.100s, %u, %u) failed: %.100s",
ttyname, (u_int)pw->pw_uid, (u_int)gid,
strerror(errno));
else
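Review bot: The branch promoted from debug() to error() is the tolerated-failure case — EROFS where the tty is already owned by the user or by root — and the code deliberately continues, so every login on a read-only /dev now logs an error-level line for a non-event; the chmod hunk at the next `@@` does the same. That noise makes the genuine fatal() branch below harder to spot in syslog and may trigger alerting keyed on `error`. If error level is intended here, a comment such as `/* tolerated on read-only /dev, but logged loudly on purpose */` should say so; otherwise a lower severity fits the benign path. pty_setowner continues outside the hunk.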
@@ -408,7 +409,7 @@ pty_setowner(struct passwd *pw, const char *ttyname)
if (chmod(ttyname, mode) < 0) {
if (errno == EROFS &&
(st.st_mode & (S_IRGRP | S_IROTH)) == 0)
- debug("chmod(%.100s, 0%o) failed: %.100s",
+ error("chmod(%.100s, 0%o) failed: %.100s",
ttyname, mode, strerror(errno));
else
fatal("chmod(%.100s, 0%o) failed: %.100s",
diff --git a/crypto/openssh/util.c b/crypto/openssh/util.c
deleted file mode 100644
index 1a591a6..0000000
--- a/crypto/openssh/util.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/* $OpenBSD: util.c,v 1.6 2000/10/27 07:32:19 markus Exp $ */
-
-/*
- * Copyright (c) 2000 Markus Friedl. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: util.c,v 1.6 2000/10/27 07:32:19 markus Exp $");
-
-#include "ssh.h"
-
-char *
-chop(char *s)
-{
- char *t = s;
- while (*t) {
- if(*t == '\n' || *t == '\r') {
- *t = '\0';
- return s;
- }
- t++;
- }
- return s;
-
-}
-
-void
-set_nonblock(int fd)
-{
- int val;
- val = fcntl(fd, F_GETFL, 0);
- if (val < 0) {
- error("fcntl(%d, F_GETFL, 0): %s", fd, strerror(errno));
- return;
- }
- if (val & O_NONBLOCK) {
- debug("fd %d IS O_NONBLOCK", fd);
- return;
- }
- debug("fd %d setting O_NONBLOCK", fd);
- val |= O_NONBLOCK;
- if (fcntl(fd, F_SETFL, val) == -1)
- if (errno != ENODEV)
- error("fcntl(%d, F_SETFL, O_NONBLOCK): %s",
- fd, strerror(errno));
-}
-
-/* Characters considered whitespace in strsep calls. */
-#define WHITESPACE " \t\r\n"
-
-char *
-strdelim(char **s)
-{
- char *old;
- int wspace = 0;
-
- if (*s == NULL)
- return NULL;
-
- old = *s;
-
- *s = strpbrk(*s, WHITESPACE "=");
- if (*s == NULL)
- return (old);
-
- /* Allow only one '=' to be skipped */
- if (*s[0] == '=')
- wspace = 1;
- *s[0] = '\0';
-
- *s += strspn(*s + 1, WHITESPACE) + 1;
- if (*s[0] == '=' && !wspace)
- *s += strspn(*s + 1, WHITESPACE) + 1;
-
- return (old);
-}
diff --git a/crypto/openssh/version.c b/crypto/openssh/version.c
new file mode 100644
index 0000000..a661439
--- /dev/null
+++ b/crypto/openssh/version.c
@@ -0,0 +1,59 @@
+/*-
+ * Copyright (c) 2001 Brian Fundakowski Feldman
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+#include "version.h"
+#include "xmalloc.h"
+
+
+static char *version = NULL;
+
+const char *
+ssh_version_get(void) {
+
+ if (version == NULL)
+ version = xstrdup(SSH_VERSION_BASE " " SSH_VERSION_ADDENDUM);
+ return (version);
+}
+
+void
+ssh_version_set_addendum(const char *add) {
+ char *newvers;
+ size_t size;
+
+ if (add != NULL) {
+ size = strlen(SSH_VERSION_BASE) + 1 + strlen(add) + 1;
+ newvers = xmalloc(size);
+ snprintf(newvers, size, "%s %s", SSH_VERSION_BASE, add);
+ } else {
+ newvers = xstrdup(SSH_VERSION_BASE);
+ }
+ if (version != NULL)
+ xfree(version);
+ version = newvers;
+}
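Review bot: `ssh_version_set_addendum` frees the string that `ssh_version_get` previously handed out, so any caller that kept that `const char *` across a later addendum change (for example a pointer captured via `SSH_VERSION` before the config is parsed) is left dangling; the getter should document that the pointer is valid only until the next `ssh_version_set_addendum` call, and the setter that it must run before the version string is captured. Neither function checks `add` for CR or LF, which would corrupt the protocol identification line if the result is sent on the wire — a one-line comment should state whether that is the config author's responsibility. Style: both definitions put the opening brace on the signature line and `ssh_version_get` has a blank line before its first statement, whereas the rest of this tree follows KNF with the brace on its own line (compare `authmethod_get` earlier on this page).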
diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h
index 75a2b25..81a1c45 100644
--- a/crypto/openssh/version.h
+++ b/crypto/openssh/version.h
@@ -1,3 +1,13 @@
-/* $OpenBSD: version.h,v 1.37 2003/04/01 10:56:46 markus Exp $ */
+/* $OpenBSD: version.h,v 1.35 2002/10/01 13:24:50 markus Exp $ */
+/* $FreeBSD$ */
+
+#ifndef SSH_VERSION
+
+#define SSH_VERSION (ssh_version_get())
+#define SSH_VERSION_BASE "OpenSSH_3.5p1"
+#define SSH_VERSION_ADDENDUM "FreeBSD-20030201"
+
+const char *ssh_version_get(void);
+void ssh_version_set_addendum(const char *add);
+#endif /* SSH_VERSION */
-#define SSH_VERSION "OpenSSH_3.6.1p1"
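Review bot: `SSH_VERSION` now expands to a function call rather than a string literal, which changes the meaning of any existing use that relied on the literal — `sizeof(SSH_VERSION)` silently becomes the size of a pointer, and adjacent-literal concatenation such as `"..." SSH_VERSION` stops compiling — so callers should be audited and the macro documented: `/* SSH_VERSION is an expression, not a literal: do not concatenate or sizeof it. */`. Using `SSH_VERSION` itself as the include guard also means a translation unit that defines that macro for any reason skips the two prototypes; a conventional `VERSION_H` guard avoids the coupling.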