From e5d801b2d6aab34943ecb74550a852aa69c82f38 Mon Sep 17 00:00:00 2001 From: des Date: Tue, 20 Apr 2004 09:46:41 +0000 Subject: Resolve conflicts. --- crypto/openssh/acconfig.h | 11 ++- crypto/openssh/auth-krb5.c | 8 ++ crypto/openssh/auth-pam.c | 39 ++++++--- crypto/openssh/auth-pam.h | 4 +- crypto/openssh/auth-passwd.c | 7 -- crypto/openssh/auth-skey.c | 3 +- crypto/openssh/auth.h | 1 + crypto/openssh/auth1.c | 2 +- crypto/openssh/auth2.c | 6 +- crypto/openssh/canohost.c | 6 +- crypto/openssh/configure.ac | 123 ++++++++++++++++++++++++--- crypto/openssh/loginrec.c | 4 +- crypto/openssh/monitor.c | 17 ++-- crypto/openssh/monitor_wrap.c | 10 ++- crypto/openssh/monitor_wrap.h | 2 +- crypto/openssh/openbsd-compat/fake-rfc2553.h | 5 +- crypto/openssh/readconf.c | 14 ++- crypto/openssh/readconf.h | 3 +- crypto/openssh/session.c | 12 ++- crypto/openssh/ssh-agent.c | 9 ++ crypto/openssh/ssh-keyscan.c | 4 +- crypto/openssh/ssh.1 | 3 +- crypto/openssh/ssh.c | 61 +++---------- crypto/openssh/ssh_config.5 | 20 ++++- crypto/openssh/sshconnect2.c | 4 +- crypto/openssh/sshd.c | 45 ++++------ crypto/openssh/sshd_config.5 | 11 ++- crypto/openssh/sshlogin.c | 36 ++++---- crypto/openssh/version.h | 2 +- 29 files changed, 304 insertions(+), 168 deletions(-) (limited to 'crypto') diff --git a/crypto/openssh/acconfig.h b/crypto/openssh/acconfig.h index abeecda..02e9e4f 100644 --- a/crypto/openssh/acconfig.h +++ b/crypto/openssh/acconfig.h @@ -1,4 +1,4 @@ -/* $Id: acconfig.h,v 1.173 2004/02/06 05:24:31 dtucker Exp $ */ +/* $Id: acconfig.h,v 1.177 2004/04/15 23:22:40 dtucker Exp $ */ /* $FreeBSD$ */ /* @@ -132,6 +132,9 @@ /* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */ #undef AIX_LOGINFAILED_4ARG +/* Define if your skeychallenge() function takes 4 arguments (eg NetBSD) */ +#undef SKEYCHALLENGE_4ARG + /* Define if you have/want arrays (cluster-wide session managment, not C arrays) */ #undef WITH_IRIX_ARRAY @@ -203,6 +206,9 @@ /* Define if you don't want to use lastlog in session.c */ #undef NO_SSH_LASTLOG +/* Define if have krb5_init_ets */ +#undef KRB5_INIT_ETS + /* Define if you don't want to use utmp */ #undef DISABLE_UTMP @@ -351,6 +357,9 @@ /* getaddrinfo is broken (if present) */ #undef BROKEN_GETADDRINFO +/* updwtmpx is broken (if present) */ +#undef BROKEN_UPDWTMPX + /* Workaround more Linux IPv6 quirks */ #undef DONT_TRY_OTHER_AF diff --git a/crypto/openssh/auth-krb5.c b/crypto/openssh/auth-krb5.c index 7270326..42b8026 100644 --- a/crypto/openssh/auth-krb5.c +++ b/crypto/openssh/auth-krb5.c @@ -55,7 +55,9 @@ krb5_init(void *context) problem = krb5_init_context(&authctxt->krb5_ctx); if (problem) return (problem); +#ifdef KRB5_INIT_ETS krb5_init_ets(authctxt->krb5_ctx); +#endif } return (0); } @@ -71,6 +73,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) #endif krb5_error_code problem; krb5_ccache ccache = NULL; + int len; if (!authctxt->valid) return (0); @@ -176,6 +179,11 @@ auth_krb5_password(Authctxt *authctxt, const char *password) authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); + len = strlen(authctxt->krb5_ticket_file) + 6; + authctxt->krb5_ccname = xmalloc(len); + snprintf(authctxt->krb5_ccname, len, "FILE:%s", + authctxt->krb5_ticket_file); + out: restore_uid(); diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c index 0ea983f..9e30219 100644 --- a/crypto/openssh/auth-pam.c +++ b/crypto/openssh/auth-pam.c @@ -31,7 +31,7 @@ /* Based on $xFreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.95 2004/02/17 12:20:08 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.100 2004/04/18 01:00:26 dtucker Exp $"); RCSID("$FreeBSD$"); #ifdef USE_PAM @@ -59,6 +59,7 @@ RCSID("$FreeBSD$"); extern ServerOptions options; extern Buffer loginmsg; extern int compat20; +extern u_int utmp_len; #ifdef USE_POSIX_THREADS #include @@ -118,6 +119,7 @@ pthread_create(sp_pthread_t *thread, const void *attr __unused, { pid_t pid; + sshpam_thread_status = -1; switch ((pid = fork())) { case -1: error("fork(): %s", strerror(errno)); @@ -160,7 +162,7 @@ static int sshpam_session_open = 0; static int sshpam_cred_established = 0; static int sshpam_account_status = -1; static char **sshpam_env = NULL; -static int *force_pwchange; +static Authctxt *sshpam_authctxt = NULL; /* Some PAM implementations don't implement this */ #ifndef HAVE_PAM_GETENVLIST @@ -180,7 +182,9 @@ void pam_password_change_required(int reqd) { debug3("%s %d", __func__, reqd); - *force_pwchange = reqd; + if (sshpam_authctxt == NULL) + fatal("%s: PAM authctxt not initialized", __func__); + sshpam_authctxt->force_pwchange = reqd; if (reqd) { no_port_forwarding_flag |= 2; no_agent_forwarding_flag |= 2; @@ -202,6 +206,7 @@ import_environments(Buffer *b) debug3("PAM: %s entering", __func__); +#ifndef USE_POSIX_THREADS /* Import variables set by do_pam_account */ sshpam_account_status = buffer_get_int(b); pam_password_change_required(buffer_get_int(b)); @@ -229,6 +234,7 @@ import_environments(Buffer *b) } #endif } +#endif } /* @@ -337,6 +343,9 @@ sshpam_thread(void *ctxtp) sshpam_conv.conv = sshpam_thread_conv; sshpam_conv.appdata_ptr = ctxt; + if (sshpam_authctxt == NULL) + fatal("%s: PAM authctxt not initialized", __func__); + buffer_init(&buffer); sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, (const void *)&sshpam_conv); @@ -349,7 +358,7 @@ sshpam_thread(void *ctxtp) if (compat20) { if (!do_pam_account()) goto auth_fail; - if (*force_pwchange) { + if (sshpam_authctxt->force_pwchange) { sshpam_err = pam_chauthtok(sshpam_handle, PAM_CHANGE_EXPIRED_AUTHTOK); if (sshpam_err != PAM_SUCCESS) @@ -363,7 +372,7 @@ sshpam_thread(void *ctxtp) #ifndef USE_POSIX_THREADS /* Export variables set by do_pam_account */ buffer_put_int(&buffer, sshpam_account_status); - buffer_put_int(&buffer, *force_pwchange); + buffer_put_int(&buffer, sshpam_authctxt->force_pwchange); /* Export any environment strings set in child */ for(i = 0; environ[i] != NULL; i++) @@ -444,11 +453,10 @@ sshpam_cleanup(void) } static int -sshpam_init(const char *user) +sshpam_init(Authctxt *authctxt) { - extern u_int utmp_len; extern char *__progname; - const char *pam_rhost, *pam_user; + const char *pam_rhost, *pam_user, *user = authctxt->user; if (sshpam_handle != NULL) { /* We already have a PAM context; check if the user matches */ @@ -462,6 +470,8 @@ sshpam_init(const char *user) debug("PAM: initializing for \"%s\"", user); sshpam_err = pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle); + sshpam_authctxt = authctxt; + if (sshpam_err != PAM_SUCCESS) { pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; @@ -504,7 +514,7 @@ sshpam_init_ctx(Authctxt *authctxt) return NULL; /* Initialize PAM */ - if (sshpam_init(authctxt->user) == -1) { + if (sshpam_init(authctxt) == -1) { error("PAM: initialization failed"); return (NULL); } @@ -512,8 +522,6 @@ sshpam_init_ctx(Authctxt *authctxt) ctxt = xmalloc(sizeof *ctxt); memset(ctxt, 0, sizeof(*ctxt)); - force_pwchange = &(authctxt->force_pwchange); - /* Start the authentication thread */ if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { error("PAM: failed create sockets: %s", strerror(errno)); @@ -592,7 +600,10 @@ sshpam_query(void *ctx, char **name, char **info, xfree(msg); return (0); } - error("PAM: %s", msg); + error("PAM: %s for %s%.100s from %.100s", msg, + sshpam_authctxt->valid ? "" : "illegal user ", + sshpam_authctxt->user, + get_remote_name_or_ip(utmp_len, options.use_dns)); /* FALLTHROUGH */ default: *num = 0; @@ -672,12 +683,12 @@ KbdintDevice mm_sshpam_device = { * This replaces auth-pam.c */ void -start_pam(const char *user) +start_pam(Authctxt *authctxt) { if (!options.use_pam) fatal("PAM: initialisation requested when UsePAM=no"); - if (sshpam_init(user) == -1) + if (sshpam_init(authctxt) == -1) fatal("PAM: initialisation failed"); } diff --git a/crypto/openssh/auth-pam.h b/crypto/openssh/auth-pam.h index cf74dd5..ff4b6f6 100644 --- a/crypto/openssh/auth-pam.h +++ b/crypto/openssh/auth-pam.h @@ -1,4 +1,4 @@ -/* $Id: auth-pam.h,v 1.24 2004/02/10 02:23:29 dtucker Exp $ */ +/* $Id: auth-pam.h,v 1.25 2004/03/08 12:04:07 dtucker Exp $ */ /* $FreeBSD$ */ /* @@ -32,7 +32,7 @@ # define SSHD_PAM_SERVICE __progname #endif -void start_pam(const char *); +void start_pam(Authctxt *); void finish_pam(void); u_int do_pam_account(void); void do_pam_session(void); diff --git a/crypto/openssh/auth-passwd.c b/crypto/openssh/auth-passwd.c index 70e1491..38f610a 100644 --- a/crypto/openssh/auth-passwd.c +++ b/crypto/openssh/auth-passwd.c @@ -74,13 +74,6 @@ auth_password(Authctxt *authctxt, const char *password) if (*password == '\0' && options.permit_empty_passwd == 0) return 0; -#if defined(HAVE_OSF_SIA) - /* - * XXX: any reason this is before krb? could be moved to - * sys_auth_passwd()? -dt - */ - return auth_sia_password(authctxt, password) && ok; -#endif #ifdef KRB5 if (options.kerberos_authentication == 1) { int ret = auth_krb5_password(authctxt, password); diff --git a/crypto/openssh/auth-skey.c b/crypto/openssh/auth-skey.c index a534e35..331e9a7 100644 --- a/crypto/openssh/auth-skey.c +++ b/crypto/openssh/auth-skey.c @@ -56,7 +56,8 @@ skey_query(void *ctx, char **name, char **infotxt, int len; struct skey skey; - if (skeychallenge(&skey, authctxt->user, challenge) == -1) + if (_compat_skeychallenge(&skey, authctxt->user, challenge, + sizeof(challenge)) == -1) return -1; *name = xstrdup(""); diff --git a/crypto/openssh/auth.h b/crypto/openssh/auth.h index 2a5679b..83841b6 100644 --- a/crypto/openssh/auth.h +++ b/crypto/openssh/auth.h @@ -67,6 +67,7 @@ struct Authctxt { krb5_ccache krb5_fwd_ccache; krb5_principal krb5_user; char *krb5_ticket_file; + char *krb5_ccname; #endif void *methoddata; }; diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c index 64aa86e..7dd3a4a 100644 --- a/crypto/openssh/auth1.c +++ b/crypto/openssh/auth1.c @@ -308,7 +308,7 @@ do_authentication(Authctxt *authctxt) #ifdef USE_PAM if (options.use_pam) - PRIVSEP(start_pam(user)); + PRIVSEP(start_pam(authctxt)); #endif /* diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c index a6b95dd..756f33c 100644 --- a/crypto/openssh/auth2.c +++ b/crypto/openssh/auth2.c @@ -159,24 +159,24 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) if (authctxt->attempt++ == 0) { /* setup auth context */ authctxt->pw = PRIVSEP(getpwnamallow(user)); + authctxt->user = xstrdup(user); if (authctxt->pw && strcmp(service, "ssh-connection")==0) { authctxt->valid = 1; debug2("input_userauth_request: setting up authctxt for %s", user); #ifdef USE_PAM if (options.use_pam) - PRIVSEP(start_pam(authctxt->pw->pw_name)); + PRIVSEP(start_pam(authctxt)); #endif } else { logit("input_userauth_request: illegal user %s", user); authctxt->pw = fakepw(); #ifdef USE_PAM if (options.use_pam) - PRIVSEP(start_pam(user)); + PRIVSEP(start_pam(authctxt)); #endif } setproctitle("%s%s", authctxt->pw ? user : "unknown", use_privsep ? " [net]" : ""); - authctxt->user = xstrdup(user); authctxt->service = xstrdup(service); authctxt->style = style ? xstrdup(style) : NULL; if (use_privsep) diff --git a/crypto/openssh/canohost.c b/crypto/openssh/canohost.c index f514592..a0067af 100644 --- a/crypto/openssh/canohost.c +++ b/crypto/openssh/canohost.c @@ -44,6 +44,9 @@ get_remote_hostname(int socket, int use_dns) cleanup_exit(255); } + if (from.ss_family == AF_INET) + check_ip_options(socket, ntop); + ipv64_normalise_mapped(&from, &fromlen); if (from.ss_family == AF_INET6) @@ -56,9 +59,6 @@ get_remote_hostname(int socket, int use_dns) if (!use_dns) return xstrdup(ntop); - if (from.ss_family == AF_INET) - check_ip_options(socket, ntop); - debug3("Trying to reverse map address %.100s.", ntop); /* Map the IP address to a host name. */ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), diff --git a/crypto/openssh/configure.ac b/crypto/openssh/configure.ac index e6f4c88..41fdc34 100644 --- a/crypto/openssh/configure.ac +++ b/crypto/openssh/configure.ac @@ -1,5 +1,19 @@ -# $Id: configure.ac,v 1.202 2004/02/24 05:47:04 tim Exp $ # $FreeBSD$ +# $Id: configure.ac,v 1.202 2004/02/24 05:47:04 tim Exp $ +# +# Copyright (c) 1999-2004 Damien Miller +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -196,10 +210,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE(DISABLE_UTMP) AC_DEFINE(LOCKED_PASSWD_STRING, "*") AC_DEFINE(SPT_TYPE,SPT_PSTAT) - case "$host" in - *-*-hpux11.11*) - AC_DEFINE(BROKEN_GETADDRINFO);; - esac + check_for_hpux_broken_getaddrinfo=1 LIBS="$LIBS -lsec" AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) ;; @@ -222,6 +233,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE(SETEUID_BREAKS_SETUID) AC_DEFINE(BROKEN_SETREUID) AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(BROKEN_UPDWTMPX) AC_DEFINE(WITH_ABBREV_NO_TTY) AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") ;; @@ -231,7 +243,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) check_for_openpty_ctty_bug=1 AC_DEFINE(DONT_TRY_OTHER_AF) AC_DEFINE(PAM_TTY_KLUDGE) - AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!") + AC_DEFINE(LOCKED_PASSWD_PREFIX, "!") AC_DEFINE(SPT_TYPE,SPT_REUSEARGV) inet6_default_4in6=yes case `uname -r` in @@ -269,6 +281,9 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(BROKEN_SAVED_UIDS) ;; *-*-solaris*) + if test "x$withval" != "xno" ; then + need_dash_r=1 + fi AC_DEFINE(PAM_SUN_CODEBASE) AC_DEFINE(LOGIN_NEEDS_UTMPX) AC_DEFINE(LOGIN_NEEDS_TERM) @@ -345,6 +360,9 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(HAVE_SECUREWARE) AC_DEFINE(DISABLE_SHADOW) AC_DEFINE(BROKEN_SAVED_UIDS) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) AC_DEFINE(WITH_ABBREV_NO_TTY) AC_CHECK_FUNCS(getluid setluid) MANTYPE=man @@ -492,10 +510,10 @@ AC_CHECK_HEADERS(bstring.h crypt.h endian.h features.h floatingpoint.h \ netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \ rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \ - sys/cdefs.h sys/mman.h sys/pstat.h sys/ptms.h sys/select.h sys/stat.h \ - sys/stream.h sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \ - sys/un.h time.h tmpdir.h ttyent.h usersec.h \ - util.h utime.h utmp.h utmpx.h vis.h) + sys/cdefs.h sys/mman.h sys/prctl.h sys/pstat.h sys/ptms.h \ + sys/select.h sys/stat.h sys/stream.h sys/stropts.h \ + sys/sysmacros.h sys/time.h sys/timers.h sys/un.h time.h tmpdir.h \ + ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h) # Checks for libraries. AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match)) @@ -729,6 +747,15 @@ int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); } AC_MSG_RESULT(no) AC_MSG_ERROR([** Incomplete or missing s/key libraries.]) ]) + AC_MSG_CHECKING(if skeychallenge takes 4 arguments) + AC_TRY_COMPILE( + [#include + #include ], + [(void)skeychallenge(NULL,"name","",0);], + [AC_MSG_RESULT(yes) + AC_DEFINE(SKEYCHALLENGE_4ARG)], + [AC_MSG_RESULT(no)] + ) fi ] ) @@ -803,6 +830,9 @@ AC_ARG_WITH(tcp-wrappers, AC_MSG_CHECKING(for libwrap) AC_TRY_LINK( [ +#include +#include +#include #include int deny_severity = 0, allow_severity = 0; ], @@ -830,12 +860,12 @@ AC_CHECK_FUNCS(\ getpeereid _getpty getrlimit getttyent glob inet_aton \ inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \ mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \ - pstat readpassphrase realpath recvmsg rresvport_af sendmsg \ + pstat prctl readpassphrase realpath recvmsg rresvport_af sendmsg \ setdtablesize setegid setenv seteuid setgroups setlogin setpcred \ setproctitle setregid setreuid setrlimit \ setsid setvbuf sigaction sigvec snprintf socketpair strerror \ strlcat strlcpy strmode strnvis strtoul sysconf tcgetpgrp \ - truncate updwtmpx utimes vhangup vsnprintf waitpid \ + truncate unsetenv updwtmpx utimes vhangup vsnprintf waitpid \ ) # IRIX has a const char return value for gai_strerror() @@ -1003,6 +1033,74 @@ main() ) fi +if test "x$ac_cv_func_getaddrinfo" = "xyes" -a "x$check_for_hpux_broken_getaddrinfo" = "x1"; then + AC_MSG_CHECKING(if getaddrinfo seems to work) + AC_TRY_RUN( + [ +#include +#include +#include +#include +#include + +#define TEST_PORT "2222" + +int +main(void) +{ + int err, sock; + struct addrinfo *gai_ai, *ai, hints; + char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE; + + err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai); + if (err != 0) { + fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err)); + exit(1); + } + + for (ai = gai_ai; ai != NULL; ai = ai->ai_next) { + if (ai->ai_family != AF_INET6) + continue; + + err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, + sizeof(ntop), strport, sizeof(strport), + NI_NUMERICHOST|NI_NUMERICSERV); + + if (err != 0) { + if (err == EAI_SYSTEM) + perror("getnameinfo EAI_SYSTEM"); + else + fprintf(stderr, "getnameinfo failed: %s\n", + gai_strerror(err)); + exit(2); + } + + sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); + if (sock < 0) + perror("socket"); + if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { + if (errno == EBADF) + exit(3); + } + } + exit(0); +} + ], + [ + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + AC_DEFINE(BROKEN_GETADDRINFO) + ] + ) +fi + AC_FUNC_GETPGRP # Check for PAM libs @@ -2197,6 +2295,7 @@ AC_ARG_WITH(kerberos5, LIBS="$LIBS $K5LIBS" AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS)) + AC_SEARCH_LIBS(krb5_init_ets, $K5LIBS, AC_DEFINE(KRB5_INIT_ETS)) ] ) diff --git a/crypto/openssh/loginrec.c b/crypto/openssh/loginrec.c index da69da3..90f9f74 100644 --- a/crypto/openssh/loginrec.c +++ b/crypto/openssh/loginrec.c @@ -158,8 +158,8 @@ #include "log.h" #include "atomicio.h" -RCSID("$Id: loginrec.c,v 1.54 2004/02/10 05:49:35 dtucker Exp $"); RCSID("$FreeBSD$"); +RCSID("$Id: loginrec.c,v 1.54 2004/02/10 05:49:35 dtucker Exp $"); #ifdef HAVE_UTIL_H # include @@ -1356,7 +1356,7 @@ static int syslogin_perform_logout(struct logininfo *li) { # ifdef HAVE_LOGOUT - char line[8]; + char line[UT_LINESIZE]; (void)line_stripname(line, li->line, sizeof(line)); diff --git a/crypto/openssh/monitor.c b/crypto/openssh/monitor.c index 0fda0df..c04d1f7 100644 --- a/crypto/openssh/monitor.c +++ b/crypto/openssh/monitor.c @@ -46,7 +46,13 @@ RCSID("$FreeBSD$"); #include "auth.h" #include "kex.h" #include "dh.h" +#ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */ +#undef TARGET_OS_MAC #include "zlib.h" +#define TARGET_OS_MAC 1 +#else +#include "zlib.h" +#endif #include "packet.h" #include "auth-options.h" #include "sshpty.h" @@ -747,7 +753,8 @@ mm_answer_skeyquery(int socket, Buffer *m) char challenge[1024]; u_int success; - success = skeychallenge(&skey, authctxt->user, challenge) < 0 ? 0 : 1; + success = _compat_skeychallenge(&skey, authctxt->user, challenge, + sizeof(challenge)) < 0 ? 0 : 1; buffer_clear(m); buffer_put_int(m, success); @@ -791,16 +798,10 @@ mm_answer_skeyrespond(int socket, Buffer *m) int mm_answer_pam_start(int socket, Buffer *m) { - char *user; - if (!options.use_pam) fatal("UsePAM not set, but ended up in %s anyway", __func__); - user = buffer_get_string(m, NULL); - - start_pam(user); - - xfree(user); + start_pam(authctxt); monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1); diff --git a/crypto/openssh/monitor_wrap.c b/crypto/openssh/monitor_wrap.c index b250af5..b4f2a89 100644 --- a/crypto/openssh/monitor_wrap.c +++ b/crypto/openssh/monitor_wrap.c @@ -41,7 +41,13 @@ RCSID("$FreeBSD$"); #include "packet.h" #include "mac.h" #include "log.h" +#ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */ +#undef TARGET_OS_MAC #include "zlib.h" +#define TARGET_OS_MAC 1 +#else +#include "zlib.h" +#endif #include "monitor.h" #include "monitor_wrap.h" #include "xmalloc.h" @@ -687,7 +693,7 @@ mm_session_pty_cleanup2(Session *s) #ifdef USE_PAM void -mm_start_pam(char *user) +mm_start_pam(Authctxt *authctxt) { Buffer m; @@ -696,8 +702,6 @@ mm_start_pam(char *user) fatal("UsePAM=no, but ended up in %s anyway", __func__); buffer_init(&m); - buffer_put_cstring(&m, user); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, &m); buffer_free(&m); diff --git a/crypto/openssh/monitor_wrap.h b/crypto/openssh/monitor_wrap.h index c31bd2e..a7c9edd 100644 --- a/crypto/openssh/monitor_wrap.h +++ b/crypto/openssh/monitor_wrap.h @@ -67,7 +67,7 @@ OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); #endif #ifdef USE_PAM -void mm_start_pam(char *); +void mm_start_pam(struct Authctxt *); u_int mm_do_pam_account(void); void *mm_sshpam_init_ctx(struct Authctxt *); int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **); diff --git a/crypto/openssh/openbsd-compat/fake-rfc2553.h b/crypto/openssh/openbsd-compat/fake-rfc2553.h index be93ee8..a19a42f 100644 --- a/crypto/openssh/openbsd-compat/fake-rfc2553.h +++ b/crypto/openssh/openbsd-compat/fake-rfc2553.h @@ -1,5 +1,5 @@ -/* $Id: fake-rfc2553.h,v 1.8 2004/02/10 02:05:41 dtucker Exp $ */ /* $FreeBSD$ */ +/* $Id: fake-rfc2553.h,v 1.8 2004/02/10 02:05:41 dtucker Exp $ */ /* * Copyright (C) 2000-2003 Damien Miller. All rights reserved. @@ -134,6 +134,9 @@ struct addrinfo { #endif /* !HAVE_STRUCT_ADDRINFO */ #ifndef HAVE_GETADDRINFO +#ifdef getaddrinfo +# undef getaddrinfo +#endif #define getaddrinfo(a,b,c,d) (ssh_getaddrinfo(a,b,c,d)) int getaddrinfo(const char *, const char *, const struct addrinfo *, struct addrinfo **); diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c index 1494abd..9cc6ce7 100644 --- a/crypto/openssh/readconf.c +++ b/crypto/openssh/readconf.c @@ -12,8 +12,8 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.127 2003/12/16 15:49:51 markus Exp $"); RCSID("$FreeBSD$"); +RCSID("$OpenBSD: readconf.c,v 1.127 2003/12/16 15:49:51 markus Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -106,8 +106,12 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, +<<<<<<< readconf.c oServerAliveInterval, oServerAliveCountMax, oVersionAddendum, +======= + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, +>>>>>>> 1.1.1.15 oDeprecated, oUnsupported } OpCodes; @@ -149,6 +153,7 @@ static struct { { "usersh", oDeprecated }, { "identityfile", oIdentityFile }, { "identityfile2", oIdentityFile }, /* alias */ + { "identitiesonly", oIdentitiesOnly }, { "hostname", oHostName }, { "hostkeyalias", oHostKeyAlias }, { "proxycommand", oProxyCommand }, @@ -739,6 +744,10 @@ parse_int: intptr = &options->enable_ssh_keysign; goto parse_flag; + case oIdentitiesOnly: + intptr = &options->identities_only; + goto parse_flag; + case oServerAliveInterval: intptr = &options->server_alive_interval; goto parse_time; @@ -879,6 +888,7 @@ initialize_options(Options * options) options->smartcard_device = NULL; options->enable_ssh_keysign = - 1; options->no_host_authentication_for_localhost = - 1; + options->identities_only = - 1; options->rekey_limit = - 1; options->verify_host_key_dns = -1; options->server_alive_interval = -1; @@ -991,6 +1001,8 @@ fill_default_options(Options * options) clear_forwardings(options); if (options->no_host_authentication_for_localhost == - 1) options->no_host_authentication_for_localhost = 0; + if (options->identities_only == -1) + options->identities_only = 0; if (options->enable_ssh_keysign == -1) options->enable_ssh_keysign = 0; if (options->rekey_limit == -1) diff --git a/crypto/openssh/readconf.h b/crypto/openssh/readconf.h index 3f27af9..93d833c 100644 --- a/crypto/openssh/readconf.h +++ b/crypto/openssh/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.59 2003/12/16 15:49:51 markus Exp $ */ +/* $OpenBSD: readconf.h,v 1.60 2004/03/05 10:53:58 markus Exp $ */ /* * Author: Tatu Ylonen @@ -100,6 +100,7 @@ typedef struct { int enable_ssh_keysign; int rekey_limit; int no_host_authentication_for_localhost; + int identities_only; int server_alive_interval; int server_alive_count_max; } Options; diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c index 3913214..3f9049f 100644 --- a/crypto/openssh/session.c +++ b/crypto/openssh/session.c @@ -202,6 +202,7 @@ display_loginmsg(void) printf("%s\n", (char *)buffer_ptr(&loginmsg)); buffer_clear(&loginmsg); } + fflush(stdout); } void @@ -493,6 +494,13 @@ do_exec_no_pty(Session *s, const char *command) close(err[0]); /* + * Clear loginmsg, since it's the child's responsibility to display + * it to the user, otherwise multiple sessions may accumulate + * multiple copies of the login messages. + */ + buffer_clear(&loginmsg); + + /* * Enter the interactive session. Note: server_loop must be able to * handle the case that fdin and fdout are the same. */ @@ -1116,9 +1124,9 @@ do_setup_env(Session *s, const char *shell) } #endif #ifdef KRB5 - if (s->authctxt->krb5_ticket_file) + if (s->authctxt->krb5_ccname) child_set_env(&env, &envsize, "KRB5CCNAME", - s->authctxt->krb5_ticket_file); + s->authctxt->krb5_ccname); #endif #ifdef USE_PAM /* diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c index f7fe0cd..29aa7dd 100644 --- a/crypto/openssh/ssh-agent.c +++ b/crypto/openssh/ssh-agent.c @@ -58,6 +58,10 @@ RCSID("$FreeBSD$"); #include "scard.h" #endif +#if defined(HAVE_SYS_PRCTL_H) +#include /* For prctl() and PR_SET_DUMPABLE */ +#endif + typedef enum { AUTH_UNUSED, AUTH_SOCKET, @@ -1025,6 +1029,11 @@ main(int ac, char **av) setgid(getgid()); setuid(geteuid()); +#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) + /* Disable ptrace on Linux without sgid bit */ + prctl(PR_SET_DUMPABLE, 0); +#endif + SSLeay_add_all_algorithms(); __progname = ssh_get_progname(av[0]); diff --git a/crypto/openssh/ssh-keyscan.c b/crypto/openssh/ssh-keyscan.c index 68b6a0a..266b23c 100644 --- a/crypto/openssh/ssh-keyscan.c +++ b/crypto/openssh/ssh-keyscan.c @@ -7,7 +7,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keyscan.c,v 1.46 2003/11/23 23:17:34 djm Exp $"); +RCSID("$OpenBSD: ssh-keyscan.c,v 1.47 2004/03/08 09:38:05 djm Exp $"); #include "openbsd-compat/sys-queue.h" @@ -489,7 +489,7 @@ conrecycle(int s) static void congreet(int s) { - int remote_major, remote_minor, n = 0; + int remote_major = 0, remote_minor = 0, n = 0; char buf[256], *cp; char remote_version[sizeof buf]; size_t bufsiz; diff --git a/crypto/openssh/ssh.1 b/crypto/openssh/ssh.1 index 9a140fa..da812d6 100644 --- a/crypto/openssh/ssh.1 +++ b/crypto/openssh/ssh.1 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.181 2003/12/16 15:49:51 markus Exp $ .\" $FreeBSD$ +.\" $OpenBSD: ssh.1,v 1.181 2003/12/16 15:49:51 markus Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -636,6 +636,7 @@ For full details of the options listed below, and their possible values, see .It HostKeyAlias .It HostName .It IdentityFile +.It IdentitiesOnly .It LocalForward .It LogLevel .It MACs diff --git a/crypto/openssh/ssh.c b/crypto/openssh/ssh.c index b47f301..d4535b8 100644 --- a/crypto/openssh/ssh.c +++ b/crypto/openssh/ssh.c @@ -40,8 +40,8 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.206 2003/12/16 15:49:51 markus Exp $"); RCSID("$FreeBSD$"); +RCSID("$OpenBSD: ssh.c,v 1.206 2003/12/16 15:49:51 markus Exp $"); #include #include @@ -147,49 +147,12 @@ pid_t proxy_command_pid = 0; static void usage(void) { - fprintf(stderr, "Usage: %s [options] host [command]\n", __progname); - fprintf(stderr, "Options:\n"); - fprintf(stderr, " -l user Log in using this user name.\n"); - fprintf(stderr, " -n Redirect input from " _PATH_DEVNULL ".\n"); - fprintf(stderr, " -F config Config file (default: ~/%s).\n", - _PATH_SSH_USER_CONFFILE); - fprintf(stderr, " -A Enable authentication agent forwarding.\n"); - fprintf(stderr, " -a Disable authentication agent forwarding (default).\n"); - fprintf(stderr, " -X Enable X11 connection forwarding.\n"); - fprintf(stderr, " -Y Enable trusted X11 connection forwarding.\n"); - fprintf(stderr, " -x Disable X11 connection forwarding (default).\n"); - fprintf(stderr, " -i file Identity for public key authentication " - "(default: ~/.ssh/identity)\n"); -#ifdef SMARTCARD - fprintf(stderr, " -I reader Set smartcard reader.\n"); -#endif - fprintf(stderr, " -t Tty; allocate a tty even if command is given.\n"); - fprintf(stderr, " -T Do not allocate a tty.\n"); - fprintf(stderr, " -v Verbose; display verbose debugging messages.\n"); - fprintf(stderr, " Multiple -v increases verbosity.\n"); - fprintf(stderr, " -V Display version number only.\n"); - fprintf(stderr, " -q Quiet; don't display any warning messages.\n"); - fprintf(stderr, " -f Fork into background after authentication.\n"); - fprintf(stderr, " -e char Set escape character; ``none'' = disable (default: ~).\n"); - - fprintf(stderr, " -c cipher Select encryption algorithm\n"); - fprintf(stderr, " -m macs Specify MAC algorithms for protocol version 2.\n"); - fprintf(stderr, " -p port Connect to this port. Server must be on the same port.\n"); - fprintf(stderr, " -L listen-port:host:port Forward local port to remote address\n"); - fprintf(stderr, " -R listen-port:host:port Forward remote port to local address\n"); - fprintf(stderr, " These cause %s to listen for connections on a port, and\n", __progname); - fprintf(stderr, " forward them to the other side by connecting to host:port.\n"); - fprintf(stderr, " -D port Enable dynamic application-level port forwarding.\n"); - fprintf(stderr, " -C Enable compression.\n"); - fprintf(stderr, " -N Do not execute a shell or command.\n"); - fprintf(stderr, " -g Allow remote hosts to connect to forwarded ports.\n"); - fprintf(stderr, " -1 Force protocol version 1.\n"); - fprintf(stderr, " -2 Force protocol version 2.\n"); - fprintf(stderr, " -4 Use IPv4 only.\n"); - fprintf(stderr, " -6 Use IPv6 only.\n"); - fprintf(stderr, " -o 'option' Process the option as if it was read from a configuration file.\n"); - fprintf(stderr, " -s Invoke command (mandatory) as SSH2 subsystem.\n"); - fprintf(stderr, " -b addr Local IP address.\n"); + fprintf(stderr, +"usage: ssh [-1246AaCfghkNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n" +" [-D port] [-e escape_char] [-F configfile] [-i identity_file]\n" +" [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option]\n" +" [-p port] [-R port:host:hostport] [user@]hostname [command]\n" + ); exit(1); } @@ -348,12 +311,8 @@ again: } /* fallthrough */ case 'V': - fprintf(stderr, - "%s, SSH protocols %d.%d/%d.%d, %s\n", - SSH_VERSION, - PROTOCOL_MAJOR_1, PROTOCOL_MINOR_1, - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, - SSLeay_version(SSLEAY_VERSION)); + fprintf(stderr, "%s, %s\n", + SSH_VERSION, SSLeay_version(SSLEAY_VERSION)); if (opt == 'V') exit(0); break; @@ -795,7 +754,7 @@ x11_get_proto(char **_proto, char **_data) xauthdir); snprintf(cmd, sizeof(cmd), "%s -f %s generate %s " SSH_X11_PROTO - " untrusted timeout 120 2>" _PATH_DEVNULL, + " untrusted timeout 1200 2>" _PATH_DEVNULL, options.xauth_location, xauthfile, display); debug2("x11_get_proto: %s", cmd); if (system(cmd) == 0) diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5 index 77df576..ee8baea 100644 --- a/crypto/openssh/ssh_config.5 +++ b/crypto/openssh/ssh_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.28 2003/12/16 15:49:51 markus Exp $ .\" $FreeBSD$ +.\" $OpenBSD: ssh_config.5,v 1.28 2003/12/16 15:49:51 markus Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -407,6 +407,24 @@ syntax to refer to a user's home directory. It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence. +.It Cm IdentitiesOnly +Specifies that +.Nm ssh +should only use the authentication identity files configured in the +.Nm +files, +even if the +.Nm ssh-agent +offers more identities. +The argument to this keyword must be +.Dq yes +or +.Dq no . +This option is intented for situations where +.Nm ssh-agent +offers many different identities. +The default is +.Dq no . .It Cm LocalForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. diff --git a/crypto/openssh/sshconnect2.c b/crypto/openssh/sshconnect2.c index 3a21811..c261dfd 100644 --- a/crypto/openssh/sshconnect2.c +++ b/crypto/openssh/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.134 2004/01/19 21:25:15 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.135 2004/03/05 10:53:58 markus Exp $"); #include "openbsd-compat/sys-queue.h" @@ -1044,7 +1044,7 @@ pubkey_prepare(Authctxt *authctxt) break; } } - if (!found) { + if (!found && !options.identities_only) { id = xmalloc(sizeof(*id)); memset(id, 0, sizeof(*id)); id->key = key; diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c index c660fc2..22c2e3d 100644 --- a/crypto/openssh/sshd.c +++ b/crypto/openssh/sshd.c @@ -42,8 +42,8 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.286 2004/02/23 12:02:33 markus Exp $"); RCSID("$FreeBSD$"); +RCSID("$OpenBSD: sshd.c,v 1.286 2004/02/23 12:02:33 markus Exp $"); #include #include @@ -106,7 +106,6 @@ extern char *__progname; #else char *__progname; #endif -extern char **environ; /* Server configuration options. */ ServerOptions options; @@ -573,7 +572,7 @@ privsep_preauth_child(void) debug3("privsep user:group %u:%u", (u_int)pw->pw_uid, (u_int)pw->pw_gid); #if 0 - /* XXX not ready, to heavy after chroot */ + /* XXX not ready, too heavy after chroot */ do_setusercontext(pw); #else gidset[0] = pw->pw_gid; @@ -769,26 +768,12 @@ drop_connection(int startups) static void usage(void) { - fprintf(stderr, "sshd version %s, %s\n", + fprintf(stderr, "%s, %s\n", SSH_VERSION, SSLeay_version(SSLEAY_VERSION)); - fprintf(stderr, "Usage: %s [options]\n", __progname); - fprintf(stderr, "Options:\n"); - fprintf(stderr, " -f file Configuration file (default %s)\n", _PATH_SERVER_CONFIG_FILE); - fprintf(stderr, " -d Debugging mode (multiple -d means more debugging)\n"); - fprintf(stderr, " -i Started from inetd\n"); - fprintf(stderr, " -D Do not fork into daemon mode\n"); - fprintf(stderr, " -t Only test configuration file and keys\n"); - fprintf(stderr, " -q Quiet (no logging)\n"); - fprintf(stderr, " -p port Listen on the specified port (default: 22)\n"); - fprintf(stderr, " -k seconds Regenerate server key every this many seconds (default: 3600)\n"); - fprintf(stderr, " -g seconds Grace period for authentication (default: 600)\n"); - fprintf(stderr, " -b bits Size of server RSA key (default: 768 bits)\n"); - fprintf(stderr, " -h file File from which to read host key (default: %s)\n", - _PATH_HOST_KEY_FILE); - fprintf(stderr, " -u len Maximum hostname length for utmp recording\n"); - fprintf(stderr, " -4 Use IPv4 only\n"); - fprintf(stderr, " -6 Use IPv6 only\n"); - fprintf(stderr, " -o option Process the option as if it was read from a configuration file.\n"); + fprintf(stderr, +"usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]\n" +" [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]\n" + ); exit(1); } @@ -837,6 +822,9 @@ main(int ac, char **av) av = saved_argv; #endif + if (geteuid() == 0 && setgroups(0, NULL) == -1) + debug("setgroups(): %.200s", strerror(errno)); + /* Initialize configuration options to their default values. */ initialize_server_options(&options); @@ -945,6 +933,13 @@ main(int ac, char **av) SYSLOG_FACILITY_AUTH : options.log_facility, log_stderr || !inetd_flag); +#ifdef _AIX + /* + * Unset KRB5CCNAME, otherwise the user's session may inherit it from + * root's environment + */ + unsetenv("KRB5CCNAME"); +#endif /* _AIX */ #ifdef _UNICOS /* Cray can define user privs drop all prives now! * Not needed on PRIV_SU systems! @@ -1111,11 +1106,6 @@ main(int ac, char **av) unmounted if desired. */ chdir("/"); -#ifndef HAVE_CYGWIN - /* Clear environment */ - environ[0] = NULL; -#endif - /* ignore SIGPIPE */ signal(SIGPIPE, SIG_IGN); @@ -1394,6 +1384,7 @@ main(int ac, char **av) } /* This is the child processing a new connection. */ + setproctitle("%s", "[accepted]"); /* * Create a new session and process group since the 4.4BSD diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5 index 848bc32..1e62104 100644 --- a/crypto/openssh/sshd_config.5 +++ b/crypto/openssh/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.28 2004/02/17 19:35:21 jmc Exp $ .\" $FreeBSD$ +.\" $OpenBSD: sshd_config.5,v 1.28 2004/02/17 19:35:21 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -306,6 +306,11 @@ To use this option, the server needs a Kerberos servtab which allows the verification of the KDC's identity. Default is .Dq no . +.It Cm KerberosGetAFSToken +If AFS is active and the user has a Kerberos 5 TGT, attempt to aquire +an AFS token before accessing the user's home directory. +Default is +.Dq no . .It Cm KerberosOrLocalPasswd If set then if password authentication through Kerberos fails then the password will be validated via any additional local mechanism @@ -457,7 +462,9 @@ the root user may be allowed in with its password even if .Pp If this option is set to .Dq without-password -password authentication is disabled for root. +password authentication is disabled for root. Note that other authentication +methods (e.g., keyboard-interactive/PAM) may still allow root to login using +a password. .Pp If this option is set to .Dq forced-commands-only diff --git a/crypto/openssh/sshlogin.c b/crypto/openssh/sshlogin.c index 36b6489..e1cc4cc 100644 --- a/crypto/openssh/sshlogin.c +++ b/crypto/openssh/sshlogin.c @@ -52,11 +52,11 @@ u_long get_last_login_time(uid_t uid, const char *logname, char *buf, u_int bufsize) { - struct logininfo li; + struct logininfo li; - login_get_lastlog(&li, uid); - strlcpy(buf, li.hostname, bufsize); - return li.tv_sec; + login_get_lastlog(&li, uid); + strlcpy(buf, li.hostname, bufsize); + return li.tv_sec; } /* @@ -67,12 +67,12 @@ void record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid, const char *host, struct sockaddr * addr, socklen_t addrlen) { - struct logininfo *li; + struct logininfo *li; - li = login_alloc_entry(pid, user, host, ttyname); - login_set_addr(li, addr, addrlen); - login_login(li); - login_free_entry(li); + li = login_alloc_entry(pid, user, host, ttyname); + login_set_addr(li, addr, addrlen); + login_login(li); + login_free_entry(li); } #ifdef LOGIN_NEEDS_UTMPX @@ -80,12 +80,12 @@ void record_utmp_only(pid_t pid, const char *ttyname, const char *user, const char *host, struct sockaddr * addr, socklen_t addrlen) { - struct logininfo *li; + struct logininfo *li; - li = login_alloc_entry(pid, user, host, ttyname); - login_set_addr(li, addr, addrlen); - login_utmp_only(li); - login_free_entry(li); + li = login_alloc_entry(pid, user, host, ttyname); + login_set_addr(li, addr, addrlen); + login_utmp_only(li); + login_free_entry(li); } #endif @@ -93,9 +93,9 @@ record_utmp_only(pid_t pid, const char *ttyname, const char *user, void record_logout(pid_t pid, const char *ttyname, const char *user) { - struct logininfo *li; + struct logininfo *li; - li = login_alloc_entry(pid, user, NULL, ttyname); - login_logout(li); - login_free_entry(li); + li = login_alloc_entry(pid, user, NULL, ttyname); + login_logout(li); + login_free_entry(li); } diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h index 51a95f3..7acdecb 100644 --- a/crypto/openssh/version.h +++ b/crypto/openssh/version.h @@ -1,5 +1,5 @@ -/* $OpenBSD: version.h,v 1.40 2004/02/23 15:16:46 markus Exp $ */ /* $FreeBSD$ */ +/* $OpenBSD: version.h,v 1.40 2004/02/23 15:16:46 markus Exp $ */ #ifndef SSH_VERSION -- cgit v1.1