authorDavid E. O'Brien <obrien@FreeBSD.org>2002-06-29 18:13:36 +0000
committerDavid E. O'Brien <obrien@FreeBSD.org>2002-06-29 18:13:36 +0000
commit468e326fba024f6c54ef84256e8f26febeddf08b (patch)
tree851f14bbf5ca541fb6df3b37bfc326a74b2ca6d0 /security/ssh
parent994018cd8ac683bc0c9dc670824739b755a834ec (diff)
Diffstat (limited to 'security/ssh')
-rw-r--r--security/ssh/Makefile18
-rw-r--r--security/ssh/distinfo2
-rw-r--r--security/ssh/files/patch-ac107
-rw-r--r--security/ssh/files/patch-af1373
-rw-r--r--security/ssh/files/patch-ax25
-rw-r--r--security/ssh/files/patch-bm26
-rw-r--r--security/ssh/files/patch-bo355
-rw-r--r--security/ssh/files/patch-bp77
-rw-r--r--security/ssh/files/patch-xa167
9 files changed, 800 insertions, 1350 deletions
diff --git a/security/ssh/Makefile b/security/ssh/Makefile
index 00c1456b2648..b8338ef6c4db 100644
--- a/security/ssh/Makefile
+++ b/security/ssh/Makefile
@@ -9,17 +9,13 @@
#
PORTNAME= ssh
-PORTVERSION= 1.2.27 # Note, 1.2.30 is under a more restrictive license
-PORTREVISION= 3
+PORTVERSION= 1.2.28 # Note, 1.2.30 is under a more restrictive license
+PORTREVISION= 0
CATEGORIES= security ipv6
-MASTER_SITES= ftp://ftp.cs.umn.edu/dept/users/rybski/ \
- ftp://ftp.net.ohio-state.edu/disk/d/security/ssh/ \
- ftp://ftp.cronyx.ru/mirror/ssh/old/ \
+MASTER_SITES= ftp://ftp.tokyonet.ad.jp/pub/security/ssh/old/ \
ftp://ftp.nsysu.edu.tw/Unix/Security/ssh/old/ \
- ftp://ftp.tokyonet.ad.jp/.da0/security/ssh/old/ \
- ftp://ftp.comp.hkbu.edu.hk/.6/unix/ \
- ftp://ftp.dei.uc.pt/.disk2/Crypto/SSH/old/
-
+ ftp://ftp.cronyx.ru/mirror/ssh/old/
+
MAINTAINER= ports@FreeBSD.org
USE_AUTOCONF= YES
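Review bot: The new `MASTER_SITES` list is made up only of plain `ftp://` mirrors, so the single MD5 line in `distinfo` (changed in the next file section) is the only thing that ties the fetched `ssh-1.2.28.tar.gz` to the intended release. Nothing in the hunk says where that checksum came from. I would add a comment above `MASTER_SITES` along the lines of `# distinfo checksum verified against <source of the reference checksum>` so a later maintainer can re-check it.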
@@ -66,13 +62,13 @@ CONFIGURE_ARGS+= --without-idea
.include <bsd.port.pre.mk>
.if ${OSVERSION} > 500023
-LIB_DEPENDS+= gmp.5:${PORTSDIR}/math/libgmp4
+LIB_DEPENDS+= gmp.3:${PORTSDIR}/math/libgmp-freebsd
MAKE_ENV+= GMPINCDIR="${LOCALBASE}/include" \
GMPLIBDIR="${LOCALBASE}/lib"
.endif
.if (${OSVERSION} >= 400016 && !defined(REALLY_WANT_SSH))
-FORBIDDEN= "OpenSSH is a superior version of SSH which has been included in the FreeBSD base system since 4.0-RELEASE. This port is now deprecated and will be removed at some point in the future. To override this warning set the REALLY_WANT_SSH environment variable and rebuild."
+FORBIDDEN= "OpenSSH is a superior version of SSH which has been included in the FreeBSD base system since 4.0-RELEASE. This port is now deprecated. To override this warning set the REALLY_WANT_SSH environment variable and rebuild."
.endif
MAN1= scp1.1 ssh-add1.1 ssh-agent1.1 ssh-keygen1.1 ssh1.1 \
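Review bot: The `LIB_DEPENDS` line moves from `gmp.5` (`math/libgmp4`) back to `gmp.3` (`math/libgmp-freebsd`) without a comment explaining why the older library is required. This is the bignum library the port links for its RSA code, so the reason for pinning the older major version should be recorded next to the dependency. I would add something like `# needs gmp.3 from math/libgmp-freebsd: <reason>` directly above the line. The `MAN1=` statement continues past the end of the hunk.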
diff --git a/security/ssh/distinfo b/security/ssh/distinfo
index bf690165936c..d1c97e753f1c 100644
--- a/security/ssh/distinfo
+++ b/security/ssh/distinfo
@@ -1 +1 @@
-MD5 (ssh-1.2.27.tar.gz) = c22bc000bee0f7d6f4845eab72a81395
+MD5 (ssh-1.2.28.tar.gz) = ce811a4844742e2ecadab1a1b53a954a
diff --git a/security/ssh/files/patch-ac b/security/ssh/files/patch-ac
index 29bdcba285ff..02fc5eae34fd 100644
--- a/security/ssh/files/patch-ac
+++ b/security/ssh/files/patch-ac
@@ -1,70 +1,52 @@
---- Makefile.in.orig Wed May 12 14:19:31 1999
-+++ Makefile.in Fri Apr 26 09:19:30 2002
-@@ -301,12 +301,17 @@
+--- Makefile.in.orig Mon Jul 3 10:07:39 2000
++++ Makefile.in Fri Jun 21 17:50:07 2002
+@@ -307,13 +307,15 @@
+
SHELL = /bin/sh
- GMPDIR = gmp-2.0.2-ssh-2
--GMPLIBS = -L$(GMPDIR) -lgmp
+-GMPDIR = gmp-2.0.2-ssh-2
+-GMPLIBS = @ssh_gmp_ldadd_options@
-GMPDEP = $(GMPDIR)/gmp.h $(GMPDIR)/libgmp.a
-+# We have the same libgmp in the system, so use it instead
++# We have the same libgmp in the base system, so use it instead
+GMPINCDIR ?= /usr/include
+GMPLIBDIR ?= /usr/lib
+GMPLIBS = -L$(GMPLIBDIR) -lgmp
+GMPDEP = $(GMPINCDIR)/gmp.h $(GMPLIBDIR)/libgmp.a
- ZLIBDIR = zlib-1.0.4
--ZLIBDEP = $(ZLIBDIR)/libz.a
--ZLIBLIBS = -L$(ZLIBDIR) -lz
-+ZLIBINCDIR = /usr/include
-+ZLIBLIBDIR = /usr/lib
-+ZLIBDEP = $(ZLIBINCDIR)/libz.a
+-ZLIBDIR = zlib-1.0.4
++ZLIBDIR = /usr/lib
+ ZLIBDEP = $(ZLIBDIR)/libz.a
+-ZLIBLIBS = @ssh_zlib_ldadd_options@
+ZLIBLIBS = -lz
RSAREFDIR = rsaref2
RSAREFSRCDIR = $(RSAREFDIR)/source
-@@ -411,7 +416,7 @@
+@@ -418,7 +420,7 @@
$(CC) -o rfc-pg rfc-pg.o
.c.o:
- $(CC) -c -I. $(KERBEROS_INCS) -I$(srcdir)/$(GMPDIR) -I$(srcdir)/$(ZLIBDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $<
-+ $(CC) -c -I. $(KERBEROS_INCS) -I$(GMPINCDIR) -I$(srcdir)/$(ZLIBINCDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $<
++ $(CC) -c -I. $(KERBEROS_INCS) -I$(srcdir)/$(GMPDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $<
sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP)
-rm -f sshd
-@@ -454,19 +459,19 @@
+@@ -461,12 +463,12 @@
sed "s#&PERL&#$(PERL)#" <$(srcdir)/make-ssh-known-hosts.pl >make-ssh-known-hosts
chmod +x make-ssh-known-hosts
-GMP_COPY_SOURCES = mpz_gcd.c mpz_powm.c mpz_pow_ui.c mpz_add.c mpz_sub.c \
-- mpz_mul.c mpz_cmp.c mpz_sqrtrem.c
++XXX_DONT_GMP_COPY_SOURCES = mpz_gcd.c mpz_powm.c mpz_pow_ui.c mpz_add.c mpz_sub.c \
+ mpz_mul.c mpz_cmp.c mpz_sqrtrem.c
-$(GMPDIR)/libgmp.a:
-- cd $(GMPDIR); $(MAKE)
--
--$(ZLIBDEP):
-- -if test '!' -d $(ZLIBDIR); then \
-- mkdir $(ZLIBDIR); \
-- cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
-- fi
-- cd $(ZLIBDIR); $(MAKE) VPATH=$(srcdir)/$(ZLIBDIR):../$(srcdir)/$(ZLIBDIR) \
-- CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(ZLIBDIR) \
-- -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)" libz.a
-+#GMP_COPY_SOURCES = mpz_gcd.c mpz_powm.c mpz_pow_ui.c mpz_add.c mpz_sub.c \
-+# mpz_mul.c mpz_cmp.c mpz_sqrtrem.c
-+#$(GMPDIR)/libgmp.a:
-+# cd $(GMPDIR); $(MAKE)
-+#
-+#$(ZLIBDEP):
-+# -if test '!' -d $(ZLIBDIR); then \
-+# mkdir $(ZLIBDIR); \
-+# cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
-+# fi
-+# cd $(ZLIBDIR); $(MAKE) VPATH=$(srcdir)/$(ZLIBDIR):../$(srcdir)/$(ZLIBDIR) \
-+# CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(ZLIBDIR) \
-+# -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)" libz.a
++XXX_DONT_$(GMPDIR)/libgmp.a:
+ cd $(GMPDIR); $(MAKE)
- $(RSAREFSRCDIR)/librsaref.a:
- -if test '!' -d $(RSAREFDIR); then \
-@@ -523,7 +528,7 @@
+-$(ZLIBDEP):
++XXX_DONT_$(ZLIBDEP):
+ -if test '!' -d $(ZLIBDIR); then \
+ mkdir $(ZLIBDIR); \
+ cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
+@@ -530,7 +532,7 @@
# (otherwise it can only log in as the user it runs as, and must be
# bound to a non-privileged port). Also, password authentication may
# not be available if non-root and using shadow passwords.
@@ -73,49 +55,12 @@
-rm -f $(install_prefix)$(bindir)/ssh1.old
-chmod 755 $(install_prefix)$(bindir)/ssh1
-chmod 755 $(install_prefix)$(bindir)/ssh
-@@ -679,15 +684,15 @@
-
- clean:
- -rm -f *.o gmon.out *core $(PROGRAMS) rfc-pg
-- cd $(GMPDIR); $(MAKE) clean
-+# cd $(GMPDIR); $(MAKE) clean
- # cd $(RSAREFSRCDIR); rm -f *.o *.a
-- cd $(ZLIBDIR); $(MAKE) clean
-+# cd $(ZLIBDIR); $(MAKE) clean
-
- distclean: clean
- -rm -f Makefile config.status config.cache config.log config.h
- -rm -f ssh.1 sshd.8 make-ssh-known-hosts.1
-- cd $(GMPDIR); $(MAKE) distclean
-- cd $(ZLIBDIR); $(MAKE) distclean
-+# cd $(GMPDIR); $(MAKE) distclean
-+# cd $(ZLIBDIR); $(MAKE) distclean
-
- dist: dist-free
-
-@@ -716,12 +721,12 @@
- -mkdir $(DISTNAME)
- cp $(DISTFILES) $(DISTNAME)
- for i in $(DISTSRCS); do cp $(srcdir)/$$i $(DISTNAME); done
-- (cd $(GMPDIR); make dist)
-- gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - )
-+# (cd $(GMPDIR); make dist)
-+# gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - )
- # tar cf - $(RSAREFDIR) | (cd $(DISTNAME); tar xf -)
- # cd $(DISTNAME)/$(RSAREFSRCDIR); rm -f *.o *.a
-- (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -)
-- cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS
-+# (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -)
-+# cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS
-
- #ifdef F_SECURE_COMMERCIAL
- #
-@@ -749,7 +754,7 @@
+@@ -756,7 +758,7 @@
(echo "s/\.$$old_version\"/.$$new_version\"/g"; echo w; echo q) | ed $(srcdir)/version.h >/dev/null
depend:
- $(MAKEDEP) -I$(srcdir) -I. -I$(GMPDIR) -I$(ZLIBDIR) $(DEFS) $(SRCS)
-+ $(MAKEDEP) -I$(srcdir) -I. $(DEFS) $(SRCS)
++ $(MAKEDEP) -I$(srcdir) -I. -I$(GMPINCDIR) $(DEFS) $(SRCS)
tags:
-rm -f TAGS
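Review bot: Dropping the old `clean`/`distclean`/`dist` hunk means those recipes are no longer commented out. If 1.2.28's Makefile.in still carries them as 1.2.27's did, `clean` and `distclean` will run `cd $(GMPDIR); $(MAKE) clean` and `cd $(ZLIBDIR); $(MAKE) clean`. With this patch `GMPDIR` is no longer defined and `ZLIBDIR` is `/usr/lib`, so the first `cd` gets an empty argument (which changes to `$HOME`) and the second runs `make` inside a system directory. The renamed `XXX_DONT_` rules keep recipes with the same problem, although nothing depends on them. I would keep the earlier approach and leave those lines disabled, e.g. `#	cd $(GMPDIR); $(MAKE) clean` and `#	cd $(ZLIBDIR); $(MAKE) clean`, in both targets.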
diff --git a/security/ssh/files/patch-af b/security/ssh/files/patch-af
index d3fce096361b..857b53f5d028 100644
--- a/security/ssh/files/patch-af
+++ b/security/ssh/files/patch-af
@@ -1,809 +1,564 @@
-*** sshd.c.orig Tue Jan 11 20:40:10 2000
---- sshd.c Tue Jan 11 20:40:07 2000
-***************
-*** 553,558 ****
---- 553,571 ----
- /* Name of the server configuration file. */
- char *config_file_name = SERVER_CONFIG_FILE;
-
-+ /* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
-+ Default value is AF_UNSPEC means both IPv4 and IPv6. */
-+ #ifdef ENABLE_IPV6
-+ int IPv4or6 = AF_UNSPEC;
-+ #else
-+ int IPv4or6 = AF_INET;
-+ #endif
-+
-+ #ifdef ENABLE_LOG_AUTH
-+ char *unauthenticated_user = NULL;
-+ int log_auth_flag = 0;
-+ #endif /* ENABLE_LOG_AUTH */
-+
- /* Debug mode flag. This can be set on the command line. If debug
- mode is enabled, extra debugging output will be sent to the system
- log, the daemon will not go to background, and will exit after processing
-***************
-*** 576,582 ****
-
- /* This is set to the socket that the server is listening; this is used in
- the SIGHUP signal handler. */
-! int listen_sock;
-
- /* This is not really needed, and could be eliminated if server-specific
- and client-specific code were removed from newchannels.c */
---- 589,605 ----
-
- /* This is set to the socket that the server is listening; this is used in
- the SIGHUP signal handler. */
-! #define MAX_LISTEN_SOCKS 16
-! int listen_socks[MAX_LISTEN_SOCKS];
-! int num_listen_socks = 0;
-! void close_listen_socks()
-! {
-! int i;
-!
-! for (i = 0; i < num_listen_socks; i++)
-! close(listen_socks[i]);
-! num_listen_socks = -1;
-! }
-
- /* This is not really needed, and could be eliminated if server-specific
- and client-specific code were removed from newchannels.c */
-***************
-*** 666,672 ****
- void sighup_restart(void)
- {
- log_msg("Received SIGHUP; restarting.");
-! close(listen_sock);
- execvp(saved_argv[0], saved_argv);
- log_msg("RESTART FAILED: av[0]='%.100s', error: %.100s.",
- saved_argv[0], strerror(errno));
---- 689,695 ----
- void sighup_restart(void)
- {
- log_msg("Received SIGHUP; restarting.");
-! close_listen_socks();
- execvp(saved_argv[0], saved_argv);
- log_msg("RESTART FAILED: av[0]='%.100s', error: %.100s.",
- saved_argv[0], strerror(errno));
-***************
-*** 680,686 ****
- RETSIGTYPE sigterm_handler(int sig)
- {
- log_msg("Received signal %d; terminating.", sig);
-! close(listen_sock);
- exit(255);
- }
-
---- 703,709 ----
- RETSIGTYPE sigterm_handler(int sig)
- {
- log_msg("Received signal %d; terminating.", sig);
-! close_listen_socks();
- exit(255);
- }
-
-***************
-*** 759,765 ****
- int perm_denied = 0;
- int ret;
- fd_set fdset;
-! struct sockaddr_in sin;
- char buf[100]; /* Must not be larger than remote_version. */
- char remote_version[100]; /* Must be at least as big as buf. */
- char *comment;
---- 782,788 ----
- int perm_denied = 0;
- int ret;
- fd_set fdset;
-! struct sockaddr_storage from;
- char buf[100]; /* Must not be larger than remote_version. */
- char remote_version[100]; /* Must be at least as big as buf. */
- char *comment;
-***************
-*** 769,774 ****
---- 792,800 ----
- struct linger linger;
- #endif /* SO_LINGER */
- int done;
-+ struct addrinfo *ai;
-+ char ntop[ADDRSTRLEN], strport[PORTSTRLEN];
-+ int listen_sock, maxfd;
-
- /* Save argv[0]. */
- saved_argv = av;
-***************
-*** 787,796 ****
- initialize_server_options(&options);
-
- /* Parse command-line arguments. */
-! while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:")) != EOF)
- {
- switch (opt)
- {
- case 'f':
- config_file_name = optarg;
- break;
---- 813,838 ----
- initialize_server_options(&options);
-
- /* Parse command-line arguments. */
-! while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:4"
-! #ifdef ENABLE_IPV6
-! "6"
-! #endif
-! )) != EOF)
- {
- switch (opt)
- {
-+ case '4':
-+ #ifdef ENABLE_IPV6
-+ IPv4or6 = (IPv4or6 == AF_INET6) ? AF_UNSPEC : AF_INET;
-+ #else
-+ IPv4or6 = AF_INET;
-+ #endif
-+ break;
-+ #ifdef ENABLE_IPV6
-+ case '6':
-+ IPv4or6 = (IPv4or6 == AF_INET) ? AF_UNSPEC : AF_INET6;
-+ break;
-+ #endif
- case 'f':
- config_file_name = optarg;
- break;
-***************
-*** 807,813 ****
- options.server_key_bits = atoi(optarg);
- break;
- case 'p':
-! options.port = atoi(optarg);
- break;
- case 'g':
- options.login_grace_time = atoi(optarg);
---- 849,855 ----
- options.server_key_bits = atoi(optarg);
- break;
- case 'p':
-! options.ports[options.num_ports++] = atoi(optarg);
- break;
- case 'g':
- options.login_grace_time = atoi(optarg);
-***************
-*** 829,834 ****
---- 871,880 ----
- fprintf(stderr, "sshd version %s [%s]\n", SSH_VERSION, HOSTTYPE);
- fprintf(stderr, "Usage: %s [options]\n", av0);
- fprintf(stderr, "Options:\n");
-+ fprintf(stderr, " -4 Use IPv4 only\n");
-+ #ifdef ENABLE_IPV6
-+ fprintf(stderr, " -6 Use IPv6 only\n");
-+ #endif
- fprintf(stderr, " -f file Configuration file (default %s/sshd_config)\n", ETCDIR);
- fprintf(stderr, " -d Debugging mode\n");
- fprintf(stderr, " -i Started from inetd\n");
-***************
-*** 857,872 ****
- fprintf(stderr, "fatal: Bad server key size.\n");
- exit(1);
- }
-- if (options.port < 1 || options.port > 65535)
-- {
-- fprintf(stderr, "fatal: Bad port number.\n");
-- exit(1);
-- }
- if (options.umask != -1)
- {
- umask(options.umask);
- }
-
- /* Check that there are no remaining arguments. */
- if (optind < ac)
- {
---- 903,917 ----
- fprintf(stderr, "fatal: Bad server key size.\n");
- exit(1);
- }
- if (options.umask != -1)
- {
- umask(options.umask);
- }
-
-+ #ifdef ENABLE_LOG_AUTH
-+ log_auth_flag = options.log_auth;
-+ #endif /* ENABLE_LOG_AUTH */
-+
- /* Check that there are no remaining arguments. */
- if (optind < ac)
- {
-***************
-*** 1034,1043 ****
- }
- else
- {
- /* Create socket for listening. */
-! listen_sock = socket(AF_INET, SOCK_STREAM, 0);
- if (listen_sock < 0)
- fatal("socket: %.100s", strerror(errno));
-
- /* Set socket options. We try to make the port reusable and have it
- close as fast as possible without waiting in unnecessary wait states
---- 1079,1091 ----
- }
- else
- {
-+ for (ai = options.listen_addrs; ai; ai = ai->ai_next)
-+ {
- /* Create socket for listening. */
-! listen_sock = socket(ai->ai_family, SOCK_STREAM, 0);
- if (listen_sock < 0)
- fatal("socket: %.100s", strerror(errno));
-+ listen_socks[num_listen_socks] = listen_sock;
-
- /* Set socket options. We try to make the port reusable and have it
- close as fast as possible without waiting in unnecessary wait states
-***************
-*** 1051,1071 ****
- sizeof(linger));
- #endif /* SO_LINGER */
-
-! /* Initialize the socket address. */
-! memset(&sin, 0, sizeof(sin));
-! sin.sin_family = AF_INET;
-! sin.sin_addr = options.listen_addr;
-! sin.sin_port = htons(options.port);
-
- /* Bind the socket to the desired port. */
-! if (bind(listen_sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
- {
-! error("bind: %.100s", strerror(errno));
-! shutdown(listen_sock, 2);
- close(listen_sock);
-! fatal("Bind to port %d failed: %.200s.", options.port,
-! strerror(errno));
- }
-
- if (!debug_flag)
- {
---- 1099,1128 ----
- sizeof(linger));
- #endif /* SO_LINGER */
-
-! getnameinfo(ai->ai_addr, ai->ai_addrlen,
-! ntop, sizeof(ntop), strport, sizeof(strport),
-! NI_NUMERICHOST|NI_NUMERICSERV);
-
- /* Bind the socket to the desired port. */
-! if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0)
- {
-! error("Bind to port %s on %s failed: %.200s.",
-! strport, ntop, strerror(errno));
- close(listen_sock);
-! continue;
- }
-+ num_listen_socks++;
-+
-+ /* Start listening on the port. */
-+ log_msg("Server listening on %s port %s.", ntop, strport);
-+ if (listen(listen_sock, 5) < 0)
-+ fatal("listen: %.100s", strerror(errno));
-+
-+ } /* for (ai = options.listen_addrs; ai; ai = ai->ai_next) */
-+ freeaddrinfo(options.listen_addrs);
-+
-+ if (!num_listen_socks)
-+ fatal("Cannot bind all addresses.");
-
- if (!debug_flag)
- {
-***************
-*** 1081,1091 ****
- }
- }
-
-- /* Start listening on the port. */
-- log_msg("Server listening on port %d.", options.port);
-- if (listen(listen_sock, 5) < 0)
-- fatal("listen: %.100s", strerror(errno));
--
- /* Generate an rsa key. */
- log_msg("Generating %d bit RSA key.", options.server_key_bits);
- rsa_generate_key(&sensitive_data.private_key, &public_key,
---- 1138,1143 ----
-***************
-*** 1139,1156 ****
-
- /* Wait in select until there is a connection. */
- FD_ZERO(&fdset);
-! FD_SET(listen_sock, &fdset);
-! ret = select(listen_sock + 1, &fdset, NULL, NULL, NULL);
-! if (ret < 0 || !FD_ISSET(listen_sock, &fdset))
- {
- if (errno == EINTR)
- continue;
- error("select: %.100s", strerror(errno));
- continue;
- }
-!
-! aux = sizeof(sin);
-! newsock = accept(listen_sock, (struct sockaddr *)&sin, &aux);
- if (newsock < 0)
- {
- if (errno == EINTR)
---- 1191,1218 ----
-
- /* Wait in select until there is a connection. */
- FD_ZERO(&fdset);
-! maxfd = 0;
-! for (i = 0; i < num_listen_socks; i++)
-! {
-! FD_SET(listen_socks[i], &fdset);
-! if (listen_socks[i] > maxfd)
-! maxfd = listen_socks[i];
-! }
-! ret = select(maxfd + 1, &fdset, NULL, NULL, NULL);
-! if (ret < 0)
- {
- if (errno == EINTR)
- continue;
- error("select: %.100s", strerror(errno));
- continue;
- }
-!
-! for (i = 0; i < num_listen_socks; i++)
-! {
-! if (!FD_ISSET(listen_socks[i], &fdset))
-! continue;
-! aux = sizeof(from);
-! newsock = accept(listen_socks[i], (struct sockaddr *)&from, &aux);
- if (newsock < 0)
- {
- if (errno == EINTR)
-***************
-*** 1166,1172 ****
- /* In debugging mode. Close the listening socket, and start
- processing the connection without forking. */
- debug("Server will not fork when running in debugging mode.");
-! close(listen_sock);
- sock_in = newsock;
- sock_out = newsock;
- pid = getpid();
---- 1228,1234 ----
- /* In debugging mode. Close the listening socket, and start
- processing the connection without forking. */
- debug("Server will not fork when running in debugging mode.");
-! close_listen_socks();
- sock_in = newsock;
- sock_out = newsock;
- pid = getpid();
-***************
-*** 1195,1201 ****
- the accepted socket. Reinitialize logging (since our
- pid has changed). We break out of the loop to handle
- the connection. */
-! close(listen_sock);
- sock_in = newsock;
- sock_out = newsock;
- #ifdef LIBWRAP
---- 1257,1263 ----
- the accepted socket. Reinitialize logging (since our
- pid has changed). We break out of the loop to handle
- the connection. */
-! close_listen_socks();
- sock_in = newsock;
- sock_out = newsock;
- #ifdef LIBWRAP
-***************
-*** 1233,1238 ****
---- 1295,1304 ----
-
- /* Close the new socket (the child is now taking care of it). */
- close(newsock);
-+ } /* for (i = 0; i < num_host_socks; i++) */
-+ /* child process check (or debug mode) */
-+ if (num_listen_socks < 0)
-+ break;
- }
- }
-
-***************
-*** 2205,2210 ****
---- 2271,2279 ----
- krb5_parse_name(ssh_context, user, &client);
- #endif /* defined(KERBEROS) && defined(KRB5) */
-
-+ #ifdef ENABLE_LOG_AUTH
-+ unauthenticated_user = user;
-+ #endif /* ENABLE_LOG_AUTH */
- /* Verify that the user is a valid user. We disallow usernames starting
- with any characters that are commonly used to start NIS entries. */
- pw = getpwnam(user);
-***************
-*** 2222,2228 ****
- pwcopy.pw_class = xstrdup(pw->pw_class);
- pwcopy.pw_change = pw->pw_change;
- pwcopy.pw_expire = pw->pw_expire;
-! #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
- pwcopy.pw_dir = xstrdup(pw->pw_dir);
- pwcopy.pw_shell = xstrdup(pw->pw_shell);
- pw = &pwcopy;
---- 2291,2297 ----
- pwcopy.pw_class = xstrdup(pw->pw_class);
- pwcopy.pw_change = pw->pw_change;
- pwcopy.pw_expire = pw->pw_expire;
-! #endif /* (__bsdi__ && _BSDI_VERSION >= 199510) || (__FreeBSD__ && HAVE_LOGIN_CAP_H) */
- pwcopy.pw_dir = xstrdup(pw->pw_dir);
- pwcopy.pw_shell = xstrdup(pw->pw_shell);
- pw = &pwcopy;
-***************
-*** 2260,2265 ****
---- 2329,2339 ----
- {
- /* Authentication with empty password succeeded. */
- debug("Login for user %.100s accepted without authentication.", user);
-+ #ifdef ENABLE_LOG_AUTH
-+ log_auth("%.100s from %.700s (%s)",
-+ user, get_canonical_hostname(),
-+ "empty password accepted");
-+ #endif /* ENABLE_LOG_AUTH */
- authentication_type = SSH_AUTH_PASSWORD;
- authenticated = 1;
- /* Success packet will be sent after loop below. */
-***************
-*** 2334,2339 ****
---- 2408,2418 ----
- /* Client has successfully authenticated to us. */
- log_msg("Kerberos authentication accepted %.100s for login to account %.100s from %.200s",
- tkt_user, user, get_canonical_hostname());
-+ #ifdef ENABLE_LOG_AUTH
-+ log_auth("%.100s from %.700s (%s)",
-+ user, get_canonical_hostname(),
-+ "kerberos authentication accepted");
-+ #endif /* ENABLE_LOG_AUTH */
- authentication_type = SSH_AUTH_KERBEROS;
- authenticated = 1;
- break;
-***************
-*** 2382,2387 ****
---- 2461,2471 ----
- /* Authentication accepted. */
- log_msg("Rhosts authentication accepted for %.100s, remote %.100s on %.700s.",
- user, client_user, get_canonical_hostname());
-+ #ifdef ENABLE_LOG_AUTH
-+ log_auth("%.100s from %.100s@%.700s (%s)",
-+ user, client_user, get_canonical_hostname(),
-+ "rhosts authentication accepted");
-+ #endif /* ENABLE_LOG_AUTH */
- authentication_type = SSH_AUTH_RHOSTS;
- authenticated = 1;
- remote_user_name = client_user;
-***************
-*** 2441,2446 ****
---- 2525,2535 ----
- options.strict_modes))
- {
- /* Authentication accepted. */
-+ #ifdef ENABLE_LOG_AUTH
-+ log_auth("%.100s from %.100s@%.700s (%s)",
-+ user, client_user, get_canonical_hostname(),
-+ "rhosts with RSA host authentication accepted");
-+ #endif /* ENABLE_LOG_AUTH */
- authentication_type = SSH_AUTH_RHOSTS_RSA;
- authenticated = 1;
- remote_user_name = client_user;
-***************
-*** 2474,2479 ****
---- 2563,2573 ----
- /* Successful authentication. */
- mpz_clear(&n);
- log_msg("RSA authentication for %.100s accepted.", user);
-+ #ifdef ENABLE_LOG_AUTH
-+ log_auth("%.100s from %.700s (%s)",
-+ user, get_canonical_hostname(),
-+ "RSA user authentication accepted");
-+ #endif /* ENABLE_LOG_AUTH */
- authentication_type = SSH_AUTH_RSA;
- authenticated = 1;
- break;
-***************
-*** 2608,2613 ****
---- 2702,2712 ----
- auth_close();
- memset(password, 0, strlen(password));
- xfree(password);
-+ #ifdef ENABLE_LOG_AUTH
-+ log_auth("%.100s from @%.700s (%s)",
-+ user, get_canonical_hostname(),
-+ "TIS authentication accepted");
-+ #endif /* ENABLE_LOG_AUTH */
- authentication_type = SSH_AUTH_TIS;
- authenticated = 1;
- break;
-***************
-*** 2668,2673 ****
---- 2767,2777 ----
- memset(password, 0, strlen(password));
- xfree(password);
- log_msg("Password authentication for %.100s accepted.", user);
-+ #ifdef ENABLE_LOG_AUTH
-+ log_auth("%.100s from %.700s (%s)",
-+ user, get_canonical_hostname(),
-+ "password authentication accepted");
-+ #endif /* ENABLE_LOG_AUTH */
- authentication_type = SSH_AUTH_PASSWORD;
- authenticated = 1;
- break;
-***************
-*** 2708,2713 ****
---- 2812,2822 ----
- }
-
- /* Check if the user is logging in as root and root logins are disallowed. */
-+ #ifdef ENABLE_LOG_AUTH
-+ if ((pw->pw_uid == UID_ROOT && options.permit_root_login == 1) ||
-+ (pw->pw_uid == UID_ROOT && options.permit_root_login == 0 && !forced_command))
-+ log_auth("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname());
-+ #endif /* ENABLE_LOG_AUTH */
- if (pw->pw_uid == UID_ROOT && options.permit_root_login == 1)
- {
- if (authentication_type == SSH_AUTH_PASSWORD)
-***************
-*** 2775,2780 ****
---- 2884,2892 ----
- packet_start(SSH_SMSG_SUCCESS);
- packet_send();
- packet_write_wait();
-+ #ifdef ENABLE_LOG_AUTH
-+ unauthenticated_user = NULL;
-+ #endif /* ENABLE_LOG_AUTH */
-
- /* Perform session preparation. */
- do_authenticated(pw);
-***************
-*** 3280,3294 ****
- char line[256];
- struct stat st;
- int quiet_login;
-! struct sockaddr_in from;
- int fromlen;
- struct pty_cleanup_context cleanup_context;
- #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
- login_cap_t *lc;
- #endif
-! #if defined (__bsdi__) && _BSDI_VERSION >= 199510
- struct timeval tp;
-! #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
-
- /* We no longer need the child running on user's privileges. */
- userfile_uninit();
---- 3392,3407 ----
- char line[256];
- struct stat st;
- int quiet_login;
-! struct sockaddr_storage from;
- int fromlen;
- struct pty_cleanup_context cleanup_context;
- #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
- login_cap_t *lc;
-+ time_t warnpassword, warnexpire;
- #endif
-! #if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
- struct timeval tp;
-! #endif /* __FreeBSD__ || (__bsdi__ && _BSDI_VERSION >= 199510) */
-
- /* We no longer need the child running on user's privileges. */
- userfile_uninit();
-***************
-*** 3387,3393 ****
-
- /* Record that there was a login on that terminal. */
- record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname,
-! &from);
-
- #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
- lc = login_getclass(pw->pw_class);
---- 3500,3506 ----
-
- /* Record that there was a login on that terminal. */
- record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname,
-! (struct sockaddr *)&from);
-
- #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
- lc = login_getclass(pw->pw_class);
-***************
-*** 3446,3451 ****
---- 3559,3572 ----
- "The Regents of the University of California. ",
- "All rights reserved.");
- }
-+ #ifdef HAVE_LOGIN_CAP_H
-+ #define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
-+
-+ warnpassword = login_getcaptime(lc, "warnpassword",
-+ DEFAULT_WARN, DEFAULT_WARN);
-+ warnexpire = login_getcaptime(lc, "warnexpire",
-+ DEFAULT_WARN, DEFAULT_WARN);
-+ #endif
- #endif
-
- /* Print /etc/motd unless a command was specified or printing it was
-***************
-*** 3469,3475 ****
- fputs(line, stdout);
- fclose(f);
- }
-! #if defined (__bsdi__) && _BSDI_VERSION >= 199510
- if (pw->pw_change || pw->pw_expire)
- (void)gettimeofday(&tp, (struct timezone *)NULL);
- if (pw->pw_change)
---- 3590,3596 ----
- fputs(line, stdout);
- fclose(f);
- }
-! #if defined(__FreeBSD__) || (defined(__bsdi__) && _BSDI_VERSION >= 199510)
- if (pw->pw_change || pw->pw_expire)
- (void)gettimeofday(&tp, (struct timezone *)NULL);
- if (pw->pw_change)
-***************
-*** 3876,3881 ****
---- 3997,4003 ----
- char *user_shell;
- char *remote_ip;
- int remote_port;
-+ int local_port;
- #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
- login_cap_t *lc;
- char *real_shell;
-***************
-*** 3922,3928 ****
- while (fgets(buf, sizeof(buf), f))
- fputs(buf, stderr);
- fclose(f);
-! #if defined (__bsdi__) && _BSDI_VERSION >= 199510
- if (pw->pw_uid != UID_ROOT &&
- !login_getcapbool(lc, "ignorenologin", 0))
- exit(254);
---- 4044,4050 ----
- while (fgets(buf, sizeof(buf), f))
- fputs(buf, stderr);
- fclose(f);
-! #if (defined(__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
- if (pw->pw_uid != UID_ROOT &&
- !login_getcapbool(lc, "ignorenologin", 0))
- exit(254);
-***************
-*** 3981,3986 ****
---- 4103,4109 ----
- user_shell = xstrdup(pw->pw_shell);
- remote_ip = xstrdup(get_remote_ipaddr());
- remote_port = get_remote_port();
-+ local_port = get_local_port();
-
- /* Close the connection descriptors; note that this is the child, and the
- server will still have the socket open, and it is important that we
-***************
-*** 4000,4006 ****
- /* Close any extra file descriptors. Note that there may still be
- descriptors left by system functions. They will be closed later. */
- endpwent();
-- endhostent();
-
- /* Set dummy encryption key to clear information about the key from
- memory. This key will never be used. */
---- 4123,4128 ----
-***************
-*** 4257,4263 ****
-
- /* Set SSH_CLIENT. */
- snprintf(buf, sizeof(buf),
-! "%.50s %d %d", remote_ip, remote_port, options.port);
- child_set_env(&env, &envsize, "SSH_CLIENT", buf);
-
- /* Set SSH_TTY if we have a pty. */
---- 4379,4385 ----
-
- /* Set SSH_CLIENT. */
- snprintf(buf, sizeof(buf),
-! "%.50s %d %d", remote_ip, remote_port, local_port);
- child_set_env(&env, &envsize, "SSH_CLIENT", buf);
-
- /* Set SSH_TTY if we have a pty. */
-***************
-*** 4426,4432 ****
- int i;
- char name[255], *p;
- char line[256];
-! struct hostent *hp;
-
- strncpy(name, display, sizeof(name));
- name[sizeof(name) - 1] = '\0';
---- 4548,4555 ----
- int i;
- char name[255], *p;
- char line[256];
-! struct addrinfo hints, *ai, *aitop;
-! char ntop[ADDRSTRLEN];
-
- strncpy(name, display, sizeof(name));
- name[sizeof(name) - 1] = '\0';
-***************
-*** 4443,4449 ****
- /* Moved this call here to avoid a nasty buf in SunOS
- 4.1.4 libc where gethostbyname closes an unrelated
- file descriptor. */
-! hp = gethostbyname(name);
-
- snprintf(line, sizeof(line),
- "%.200s -q -", options.xauth_path);
---- 4566,4575 ----
- /* Moved this call here to avoid a nasty buf in SunOS
- 4.1.4 libc where gethostbyname closes an unrelated
- file descriptor. */
-! memset(&hints, 0, sizeof(hints));
-! hints.ai_family = IPv4or6;
-! if (getaddrinfo(name, NULL, &hints, &aitop) != 0)
-! aitop = 0;
-
- snprintf(line, sizeof(line),
- "%.200s -q -", options.xauth_path);
-***************
-*** 4461,4481 ****
- cp - display, display, cp, auth_proto,
- auth_data);
- #endif
-! if (hp)
- {
-! for(i = 0; hp->h_addr_list[i]; i++)
- {
- if (debug_flag)
- {
- fprintf(stderr, "Running %s add %s%s %s %s\n",
- options.xauth_path,
-! inet_ntoa(*((struct in_addr *)
-! hp->h_addr_list[i])),
- cp, auth_proto, auth_data);
- }
- fprintf(f, "add %s%s %s %s\n",
-! inet_ntoa(*((struct in_addr *)
-! hp->h_addr_list[i])),
- cp, auth_proto, auth_data);
- }
- }
---- 4587,4610 ----
- cp - display, display, cp, auth_proto,
- auth_data);
- #endif
-! if (aitop)
- {
-! for (ai = aitop; ai; ai = ai->ai_next)
- {
-+ getnameinfo(ai->ai_addr, ai->ai_addrlen,
-+ ntop, sizeof(ntop), NULL, 0,
-+ NI_NUMERICHOST);
-+ if (strchr(ntop, ':'))
-+ continue; /* XXX - xauth doesn't accept it */
- if (debug_flag)
- {
- fprintf(stderr, "Running %s add %s%s %s %s\n",
- options.xauth_path,
-! ntop,
- cp, auth_proto, auth_data);
- }
- fprintf(f, "add %s%s %s %s\n",
-! ntop,
- cp, auth_proto, auth_data);
- }
- }
-***************
-*** 4525,4531 ****
---- 4654,4664 ----
- struct stat mailbuf;
-
- if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0)
-+ #ifdef __FreeBSD__
-+ ;
-+ #else
- printf("No mail.\n");
-+ #endif
- else if (mailbuf.st_atime > mailbuf.st_mtime)
- printf("You have mail.\n");
- else
+--- sshd.c.orig Mon Jul 3 10:07:35 2000
++++ sshd.c Fri Jun 21 17:57:21 2002
+@@ -567,6 +567,19 @@
+ /* Name of the server configuration file. */
+ char *config_file_name = SERVER_CONFIG_FILE;
+
++/* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
++ Default value is AF_UNSPEC means both IPv4 and IPv6. */
++#ifdef ENABLE_IPV6
++int IPv4or6 = AF_UNSPEC;
++#else
++int IPv4or6 = AF_INET;
++#endif
++
++#ifdef ENABLE_LOG_AUTH
++char *unauthenticated_user = NULL;
++int log_auth_flag = 0;
++#endif /* ENABLE_LOG_AUTH */
++
+ /* Debug mode flag. This can be set on the command line. If debug
+ mode is enabled, extra debugging output will be sent to the system
+ log, the daemon will not go to background, and will exit after processing
+@@ -590,7 +603,17 @@
+
+ /* This is set to the socket that the server is listening; this is used in
+ the SIGHUP signal handler. */
+-int listen_sock;
++#define MAX_LISTEN_SOCKS 16
++int listen_socks[MAX_LISTEN_SOCKS];
++int num_listen_socks = 0;
++void close_listen_socks()
++{
++ int i;
++
++ for (i = 0; i < num_listen_socks; i++)
++ close(listen_socks[i]);
++ num_listen_socks = -1;
++}
+
+ /* This is not really needed, and could be eliminated if server-specific
+ and client-specific code were removed from newchannels.c */
+@@ -680,7 +703,7 @@
+ void sighup_restart(void)
+ {
+ log_msg("Received SIGHUP; restarting.");
+- close(listen_sock);
++ close_listen_socks();
+ execvp(saved_argv[0], saved_argv);
+ log_msg("RESTART FAILED: av[0]='%.100s', error: %.100s.",
+ saved_argv[0], strerror(errno));
+@@ -694,7 +717,7 @@
+ RETSIGTYPE sigterm_handler(int sig)
+ {
+ log_msg("Received signal %d; terminating.", sig);
+- close(listen_sock);
++ close_listen_socks();
+ exit(255);
+ }
+
+@@ -773,7 +796,7 @@
+ int perm_denied = 0;
+ int ret;
+ fd_set fdset;
+- struct sockaddr_in sin;
++ struct sockaddr_storage from;
+ char buf[100]; /* Must not be larger than remote_version. */
+ char remote_version[100]; /* Must be at least as big as buf. */
+ char *comment;
+@@ -783,6 +806,9 @@
+ struct linger linger;
+ #endif /* SO_LINGER */
+ int done;
++ struct addrinfo *ai;
++ char ntop[ADDRSTRLEN], strport[PORTSTRLEN];
++ int listen_sock, maxfd;
+
+ /* Save argv[0]. */
+ saved_argv = av;
+@@ -801,10 +827,26 @@
+ initialize_server_options(&options);
+
+ /* Parse command-line arguments. */
+- while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:")) != EOF)
++ while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:4"
++#ifdef ENABLE_IPV6
++ "6"
++#endif
++ )) != EOF)
+ {
+ switch (opt)
+ {
++ case '4':
++#ifdef ENABLE_IPV6
++ IPv4or6 = (IPv4or6 == AF_INET6) ? AF_UNSPEC : AF_INET;
++#else
++ IPv4or6 = AF_INET;
++#endif
++ break;
++#ifdef ENABLE_IPV6
++ case '6':
++ IPv4or6 = (IPv4or6 == AF_INET) ? AF_UNSPEC : AF_INET6;
++ break;
++#endif
+ case 'f':
+ config_file_name = optarg;
+ break;
+@@ -821,7 +863,7 @@
+ options.server_key_bits = atoi(optarg);
+ break;
+ case 'p':
+- options.port = atoi(optarg);
++ options.ports[options.num_ports++] = atoi(optarg);
+ break;
+ case 'g':
+ options.login_grace_time = atoi(optarg);
+@@ -843,6 +885,10 @@
+ fprintf(stderr, "sshd version %s [%s]\n", SSH_VERSION, HOSTTYPE);
+ fprintf(stderr, "Usage: %s [options]\n", av0);
+ fprintf(stderr, "Options:\n");
++ fprintf(stderr, " -4 Use IPv4 only\n");
++#ifdef ENABLE_IPV6
++ fprintf(stderr, " -6 Use IPv6 only\n");
++#endif
+ fprintf(stderr, " -f file Configuration file (default %s/sshd_config)\n", ETCDIR);
+ fprintf(stderr, " -d Debugging mode\n");
+ fprintf(stderr, " -i Started from inetd\n");
+@@ -871,16 +917,15 @@
+ fprintf(stderr, "fatal: Bad server key size.\n");
+ exit(1);
+ }
+- if (options.port < 1 || options.port > 65535)
+- {
+- fprintf(stderr, "fatal: Bad port number.\n");
+- exit(1);
+- }
+ if (options.umask != -1)
+ {
+ umask(options.umask);
+ }
+
++#ifdef ENABLE_LOG_AUTH
++ log_auth_flag = options.log_auth;
++#endif /* ENABLE_LOG_AUTH */
++
+ /* Check that there are no remaining arguments. */
+ if (optind < ac)
+ {
+@@ -1048,10 +1093,13 @@
+ }
+ else
+ {
++ for (ai = options.listen_addrs; ai; ai = ai->ai_next)
++ {
+ /* Create socket for listening. */
+- listen_sock = socket(AF_INET, SOCK_STREAM, 0);
++ listen_sock = socket(ai->ai_family, SOCK_STREAM, 0);
+ if (listen_sock < 0)
+ fatal("socket: %.100s", strerror(errno));
++ listen_socks[num_listen_socks] = listen_sock;
+
+ /* Set socket options. We try to make the port reusable and have it
+ close as fast as possible without waiting in unnecessary wait states
+@@ -1065,21 +1113,30 @@
+ sizeof(linger));
+ #endif /* SO_LINGER */
+
+- /* Initialize the socket address. */
+- memset(&sin, 0, sizeof(sin));
+- sin.sin_family = AF_INET;
+- sin.sin_addr = options.listen_addr;
+- sin.sin_port = htons(options.port);
++ getnameinfo(ai->ai_addr, ai->ai_addrlen,
++ ntop, sizeof(ntop), strport, sizeof(strport),
++ NI_NUMERICHOST|NI_NUMERICSERV);
+
+ /* Bind the socket to the desired port. */
+- if (bind(listen_sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
++ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0)
+ {
+- error("bind: %.100s", strerror(errno));
+- shutdown(listen_sock, 2);
++ error("Bind to port %s on %s failed: %.200s.",
++ strport, ntop, strerror(errno));
+ close(listen_sock);
+- fatal("Bind to port %d failed: %.200s.", options.port,
+- strerror(errno));
++ continue;
+ }
++ num_listen_socks++;
++
++ /* Start listening on the port. */
++ log_msg("Server listening on %s port %s.", ntop, strport);
++ if (listen(listen_sock, 5) < 0)
++ fatal("listen: %.100s", strerror(errno));
++
++ } /* for (ai = options.listen_addrs; ai; ai = ai->ai_next) */
++ freeaddrinfo(options.listen_addrs);
++
++ if (!num_listen_socks)
++ fatal("Cannot bind all addresses.");
+
+ if (!debug_flag)
+ {
+@@ -1095,11 +1152,6 @@
+ }
+ }
+
+- /* Start listening on the port. */
+- log_msg("Server listening on port %d.", options.port);
+- if (listen(listen_sock, 5) < 0)
+- fatal("listen: %.100s", strerror(errno));
+-
+ /* Generate an rsa key. */
+ log_msg("Generating %d bit RSA key.", options.server_key_bits);
+ rsa_generate_key(&sensitive_data.private_key, &public_key,
+@@ -1153,18 +1205,28 @@
+
+ /* Wait in select until there is a connection. */
+ FD_ZERO(&fdset);
+- FD_SET(listen_sock, &fdset);
+- ret = select(listen_sock + 1, &fdset, NULL, NULL, NULL);
+- if (ret < 0 || !FD_ISSET(listen_sock, &fdset))
++ maxfd = 0;
++ for (i = 0; i < num_listen_socks; i++)
++ {
++ FD_SET(listen_socks[i], &fdset);
++ if (listen_socks[i] > maxfd)
++ maxfd = listen_socks[i];
++ }
++ ret = select(maxfd + 1, &fdset, NULL, NULL, NULL);
++ if (ret < 0)
+ {
+ if (errno == EINTR)
+ continue;
+ error("select: %.100s", strerror(errno));
+ continue;
+ }
+-
+- aux = sizeof(sin);
+- newsock = accept(listen_sock, (struct sockaddr *)&sin, &aux);
++
++ for (i = 0; i < num_listen_socks; i++)
++ {
++ if (!FD_ISSET(listen_socks[i], &fdset))
++ continue;
++ aux = sizeof(from);
++ newsock = accept(listen_socks[i], (struct sockaddr *)&from, &aux);
+ if (newsock < 0)
+ {
+ if (errno == EINTR)
+@@ -1180,7 +1242,7 @@
+ /* In debugging mode. Close the listening socket, and start
+ processing the connection without forking. */
+ debug("Server will not fork when running in debugging mode.");
+- close(listen_sock);
++ close_listen_socks();
+ sock_in = newsock;
+ sock_out = newsock;
+ pid = getpid();
+@@ -1209,7 +1271,7 @@
+ the accepted socket. Reinitialize logging (since our
+ pid has changed). We break out of the loop to handle
+ the connection. */
+- close(listen_sock);
++ close_listen_socks();
+ sock_in = newsock;
+ sock_out = newsock;
+ #ifdef LIBWRAP
+@@ -1247,6 +1309,10 @@
+
+ /* Close the new socket (the child is now taking care of it). */
+ close(newsock);
++ } /* for (i = 0; i < num_host_socks; i++) */
++ /* child process check (or debug mode) */
++ if (num_listen_socks < 0)
++ break;
+ }
+ }
+
+@@ -2219,6 +2285,9 @@
+ krb5_parse_name(ssh_context, user, &client);
+ #endif /* defined(KERBEROS) && defined(KRB5) */
+
++#ifdef ENABLE_LOG_AUTH
++ unauthenticated_user = user;
++#endif /* ENABLE_LOG_AUTH */
+ /* Verify that the user is a valid user. We disallow usernames starting
+ with any characters that are commonly used to start NIS entries. */
+ pw = getpwnam(user);
+@@ -2236,7 +2305,7 @@
+ pwcopy.pw_class = xstrdup(pw->pw_class);
+ pwcopy.pw_change = pw->pw_change;
+ pwcopy.pw_expire = pw->pw_expire;
+-#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
++#endif /* (__bsdi__ && _BSDI_VERSION >= 199510) || (__FreeBSD__ && HAVE_LOGIN_CAP_H) */
+ pwcopy.pw_dir = xstrdup(pw->pw_dir);
+ pwcopy.pw_shell = xstrdup(pw->pw_shell);
+ pw = &pwcopy;
+@@ -2274,6 +2343,11 @@
+ {
+ /* Authentication with empty password succeeded. */
+ debug("Login for user %.100s accepted without authentication.", user);
++#ifdef ENABLE_LOG_AUTH
++ log_auth("%.100s from %.700s (%s)",
++ user, get_canonical_hostname(),
++ "empty password accepted");
++#endif /* ENABLE_LOG_AUTH */
+ authentication_type = SSH_AUTH_PASSWORD;
+ authenticated = 1;
+ /* Success packet will be sent after loop below. */
+@@ -2348,6 +2422,11 @@
+ /* Client has successfully authenticated to us. */
+ log_msg("Kerberos authentication accepted %.100s for login to account %.100s from %.200s",
+ tkt_user, user, get_canonical_hostname());
++#ifdef ENABLE_LOG_AUTH
++ log_auth("%.100s from %.700s (%s)",
++ user, get_canonical_hostname(),
++ "kerberos authentication accepted");
++#endif /* ENABLE_LOG_AUTH */
+ authentication_type = SSH_AUTH_KERBEROS;
+ authenticated = 1;
+ break;
+@@ -2396,6 +2475,11 @@
+ /* Authentication accepted. */
+ log_msg("Rhosts authentication accepted for %.100s, remote %.100s on %.700s.",
+ user, client_user, get_canonical_hostname());
++#ifdef ENABLE_LOG_AUTH
++ log_auth("%.100s from %.100s@%.700s (%s)",
++ user, client_user, get_canonical_hostname(),
++ "rhosts authentication accepted");
++#endif /* ENABLE_LOG_AUTH */
+ authentication_type = SSH_AUTH_RHOSTS;
+ authenticated = 1;
+ remote_user_name = client_user;
+@@ -2455,6 +2539,11 @@
+ options.strict_modes))
+ {
+ /* Authentication accepted. */
++#ifdef ENABLE_LOG_AUTH
++ log_auth("%.100s from %.100s@%.700s (%s)",
++ user, client_user, get_canonical_hostname(),
++ "rhosts with RSA host authentication accepted");
++#endif /* ENABLE_LOG_AUTH */
+ authentication_type = SSH_AUTH_RHOSTS_RSA;
+ authenticated = 1;
+ remote_user_name = client_user;
+@@ -2488,6 +2577,11 @@
+ /* Successful authentication. */
+ mpz_clear(&n);
+ log_msg("RSA authentication for %.100s accepted.", user);
++#ifdef ENABLE_LOG_AUTH
++ log_auth("%.100s from %.700s (%s)",
++ user, get_canonical_hostname(),
++ "RSA user authentication accepted");
++#endif /* ENABLE_LOG_AUTH */
+ authentication_type = SSH_AUTH_RSA;
+ authenticated = 1;
+ break;
+@@ -2622,6 +2716,11 @@
+ auth_close();
+ memset(password, 0, strlen(password));
+ xfree(password);
++#ifdef ENABLE_LOG_AUTH
++ log_auth("%.100s from @%.700s (%s)",
++ user, get_canonical_hostname(),
++ "TIS authentication accepted");
++#endif /* ENABLE_LOG_AUTH */
+ authentication_type = SSH_AUTH_TIS;
+ authenticated = 1;
+ break;
+@@ -2682,6 +2781,11 @@
+ memset(password, 0, strlen(password));
+ xfree(password);
+ log_msg("Password authentication for %.100s accepted.", user);
++#ifdef ENABLE_LOG_AUTH
++ log_auth("%.100s from %.700s (%s)",
++ user, get_canonical_hostname(),
++ "password authentication accepted");
++#endif /* ENABLE_LOG_AUTH */
+ authentication_type = SSH_AUTH_PASSWORD;
+ authenticated = 1;
+ break;
+@@ -2722,6 +2826,11 @@
+ }
+
+ /* Check if the user is logging in as root and root logins are disallowed. */
++#ifdef ENABLE_LOG_AUTH
++ if ((pw->pw_uid == UID_ROOT && options.permit_root_login == 1) ||
++ (pw->pw_uid == UID_ROOT && options.permit_root_login == 0 && !forced_command))
++ log_auth("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname());
++#endif /* ENABLE_LOG_AUTH */
+ if (pw->pw_uid == UID_ROOT && options.permit_root_login == 1)
+ {
+ if (authentication_type == SSH_AUTH_PASSWORD)
+@@ -2789,6 +2898,9 @@
+ packet_start(SSH_SMSG_SUCCESS);
+ packet_send();
+ packet_write_wait();
++#ifdef ENABLE_LOG_AUTH
++ unauthenticated_user = NULL;
++#endif /* ENABLE_LOG_AUTH */
+
+ /* Perform session preparation. */
+ do_authenticated(pw);
+@@ -3383,15 +3495,16 @@
+ char line[256];
+ struct stat st;
+ int quiet_login;
+- struct sockaddr_in from;
++ struct sockaddr_storage from;
+ int fromlen;
+ struct pty_cleanup_context cleanup_context;
+ #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
+ login_cap_t *lc;
++ time_t warnpassword, warnexpire;
+ #endif
+-#if defined (__bsdi__) && _BSDI_VERSION >= 199510
++#if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
+ struct timeval tp;
+-#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
++#endif /* __FreeBSD__ || (__bsdi__ && _BSDI_VERSION >= 199510) */
+
+ /* We no longer need the child running on user's privileges. */
+ userfile_uninit();
+@@ -3490,7 +3603,7 @@
+
+ /* Record that there was a login on that terminal. */
+ record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname,
+- &from);
++ (struct sockaddr *)&from);
+
+ #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
+ lc = login_getclass(pw->pw_class);
+@@ -3549,6 +3662,14 @@
+ "The Regents of the University of California. ",
+ "All rights reserved.");
+ }
++#ifdef HAVE_LOGIN_CAP_H
++#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
++
++ warnpassword = login_getcaptime(lc, "warnpassword",
++ DEFAULT_WARN, DEFAULT_WARN);
++ warnexpire = login_getcaptime(lc, "warnexpire",
++ DEFAULT_WARN, DEFAULT_WARN);
++#endif
+ #endif
+
+ /* Print /etc/motd unless a command was specified or printing it was
+@@ -3572,7 +3693,7 @@
+ fputs(line, stdout);
+ fclose(f);
+ }
+-#if defined (__bsdi__) && _BSDI_VERSION >= 199510
++#if defined(__FreeBSD__) || (defined(__bsdi__) && _BSDI_VERSION >= 199510)
+ if (pw->pw_change || pw->pw_expire)
+ (void)gettimeofday(&tp, (struct timezone *)NULL);
+ if (pw->pw_change)
+@@ -3979,6 +4100,7 @@
+ char *user_shell;
+ char *remote_ip;
+ int remote_port;
++ int local_port;
+ #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
+ login_cap_t *lc;
+ char *real_shell;
+@@ -4025,7 +4147,7 @@
+ while (fgets(buf, sizeof(buf), f))
+ fputs(buf, stderr);
+ fclose(f);
+-#if defined (__bsdi__) && _BSDI_VERSION >= 199510
++#if (defined(__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
+ if (pw->pw_uid != UID_ROOT &&
+ !login_getcapbool(lc, "ignorenologin", 0))
+ exit(254);
+@@ -4084,6 +4206,7 @@
+ user_shell = xstrdup(pw->pw_shell);
+ remote_ip = xstrdup(get_remote_ipaddr());
+ remote_port = get_remote_port();
++ local_port = get_local_port();
+
+ /* Close the connection descriptors; note that this is the child, and the
+ server will still have the socket open, and it is important that we
+@@ -4103,7 +4226,6 @@
+ /* Close any extra file descriptors. Note that there may still be
+ descriptors left by system functions. They will be closed later. */
+ endpwent();
+- endhostent();
+
+ /* Set dummy encryption key to clear information about the key from
+ memory. This key will never be used. */
+@@ -4360,7 +4482,7 @@
+
+ /* Set SSH_CLIENT. */
+ snprintf(buf, sizeof(buf),
+- "%.50s %d %d", remote_ip, remote_port, options.port);
++ "%.50s %d %d", remote_ip, remote_port, local_port);
+ child_set_env(&env, &envsize, "SSH_CLIENT", buf);
+
+ /* Set SSH_TTY if we have a pty. */
+@@ -4533,7 +4655,8 @@
+ int i;
+ char name[255], *p;
+ char line[256];
+- struct hostent *hp;
++ struct addrinfo hints, *ai, *aitop;
++ char ntop[ADDRSTRLEN];
+
+ strncpy(name, display, sizeof(name));
+ name[sizeof(name) - 1] = '\0';
+@@ -4550,7 +4673,10 @@
+ /* Moved this call here to avoid a nasty buf in SunOS
+ 4.1.4 libc where gethostbyname closes an unrelated
+ file descriptor. */
+- hp = gethostbyname(name);
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = IPv4or6;
++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0)
++ aitop = 0;
+
+ snprintf(line, sizeof(line),
+ "%.200s -q -", options.xauth_path);
+@@ -4568,21 +4694,24 @@
+ cp - display, display, cp, auth_proto,
+ auth_data);
+ #endif
+- if (hp)
++ if (aitop)
+ {
+- for(i = 0; hp->h_addr_list[i]; i++)
++ for (ai = aitop; ai; ai = ai->ai_next)
+ {
++ getnameinfo(ai->ai_addr, ai->ai_addrlen,
++ ntop, sizeof(ntop), NULL, 0,
++ NI_NUMERICHOST);
++ if (strchr(ntop, ':'))
++ continue; /* XXX - xauth doesn't accept it */
+ if (debug_flag)
+ {
+ fprintf(stderr, "Running %s add %s%s %s %s\n",
+ options.xauth_path,
+- inet_ntoa(*((struct in_addr *)
+- hp->h_addr_list[i])),
++ ntop,
+ cp, auth_proto, auth_data);
+ }
+ fprintf(f, "add %s%s %s %s\n",
+- inet_ntoa(*((struct in_addr *)
+- hp->h_addr_list[i])),
++ ntop,
+ cp, auth_proto, auth_data);
+ }
+ }
+@@ -4632,7 +4761,11 @@
+ struct stat mailbuf;
+
+ if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0)
++#ifdef __FreeBSD__
++ ;
++#else
+ printf("No mail.\n");
++#endif
+ else if (mailbuf.st_atime > mailbuf.st_mtime)
+ printf("You have mail.\n");
+ else
diff --git a/security/ssh/files/patch-ax b/security/ssh/files/patch-ax
deleted file mode 100644
index c4a114fc306e..000000000000
--- a/security/ssh/files/patch-ax
+++ /dev/null
@@ -1,25 +0,0 @@
---- rsaglue.c.orig Tue Nov 9 11:12:32 1999
-+++ rsaglue.c Tue Nov 9 11:17:58 1999
-@@ -139,6 +139,10 @@
-
- input_bits = mpz_sizeinbase(input, 2);
- input_len = (input_bits + 7) / 8;
-+ if(input_bits > MAX_RSA_MODULUS_BITS)
-+ fatal("Attempted to encrypt a block too large (%d bits, %d max) (malicious?).",
-+ input_bits, MAX_RSA_MODULUS_BITS);
-+
- gmp_to_rsaref(input_data, input_len, input);
-
- rsaref_public_key(&public_key, key);
-@@ -172,6 +176,10 @@
-
- input_bits = mpz_sizeinbase(input, 2);
- input_len = (input_bits + 7) / 8;
-+ if(input_bits > MAX_RSA_MODULUS_BITS)
-+ fatal("Received session key too long (%d bits, %d max) (malicious?).",
-+ input_bits, MAX_RSA_MODULUS_BITS);
-+
- gmp_to_rsaref(input_data, input_len, input);
-
- rsaref_private_key(&private_key, key);
-
diff --git a/security/ssh/files/patch-bm b/security/ssh/files/patch-bm
index a394777b4841..78c9833bb6bf 100644
--- a/security/ssh/files/patch-bm
+++ b/security/ssh/files/patch-bm
@@ -1,14 +1,12 @@
-*** readconf.h.orig Wed May 12 13:19:27 1999
---- readconf.h Mon Jan 10 22:56:13 2000
-***************
-*** 98,103 ****
---- 98,106 ----
- int use_privileged_port; /* Use privileged port */
-
- int port; /* Port to connect. */
-+ #ifdef ENABLE_ANOTHER_PORT_TRY
-+ int another_port; /* Port to connect for -A option. */
-+ #endif /* ENABLE_ANOTHER_PORT_TRY */
- int connection_attempts; /* Max attempts (seconds) before giving up */
- int number_of_password_prompts; /* Max number of password prompts */
- int password_prompt_login; /* Show remote login at password prompt */
+--- readconf.h.orig Thu Jan 17 05:35:34 2002
++++ readconf.h Fri Jun 21 16:36:20 2002
+@@ -102,6 +102,9 @@
+ int use_privileged_port; /* Use privileged port */
+
+ int port; /* Port to connect. */
++#ifdef ENABLE_ANOTHER_PORT_TRY
++ int another_port; /* Port to connect for -A option. */
++#endif /* ENABLE_ANOTHER_PORT_TRY */
+ int connection_attempts; /* Max attempts (seconds) before giving up */
+ int number_of_password_prompts; /* Max number of password prompts */
+ int password_prompt_login; /* Show remote login at password prompt */
diff --git a/security/ssh/files/patch-bo b/security/ssh/files/patch-bo
index 886720df255d..941fef6346e7 100644
--- a/security/ssh/files/patch-bo
+++ b/security/ssh/files/patch-bo
@@ -1,197 +1,158 @@
-*** servconf.c.orig Wed May 12 13:19:28 1999
---- servconf.c Mon Jan 10 22:56:13 2000
-***************
-*** 81,88 ****
- void initialize_server_options(ServerOptions *options)
- {
- memset(options, 0, sizeof(*options));
-! options->port = -1;
-! options->listen_addr.s_addr = INADDR_ANY;
- options->host_key_file = NULL;
- options->random_seed_file = NULL;
- options->pid_file = NULL;
---- 81,88 ----
- void initialize_server_options(ServerOptions *options)
- {
- memset(options, 0, sizeof(*options));
-! options->num_ports = 0;
-! options->listen_addrs = NULL;
- options->host_key_file = NULL;
- options->random_seed_file = NULL;
- options->pid_file = NULL;
-***************
-*** 92,97 ****
---- 92,100 ----
- options->permit_root_login = -1;
- options->ignore_rhosts = -1;
- options->ignore_root_rhosts = -1;
-+ #ifdef ENABLE_LOG_AUTH
-+ options->log_auth = -1;
-+ #endif /* ENABLE_LOG_AUTH */
- options->quiet_mode = -1;
- options->fascist_logging = -1;
- options->print_motd = -1;
-***************
-*** 138,153 ****
-
- void fill_default_server_options(ServerOptions *options)
- {
-! if (options->port == -1)
- {
-! struct servent *sp;
-!
-! sp = getservbyname(SSH_SERVICE_NAME, "tcp");
-! if (sp)
-! options->port = ntohs(sp->s_port);
-! else
-! options->port = SSH_DEFAULT_PORT;
-! endservent();
- }
- if (options->host_key_file == NULL)
- options->host_key_file = HOST_KEY_FILE;
---- 141,171 ----
-
- void fill_default_server_options(ServerOptions *options)
- {
-! struct addrinfo hints, *ai, *aitop;
-! char strport[PORTSTRLEN];
-! int i;
-!
-! if (options->num_ports == 0)
-! options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
-! if (options->listen_addrs == NULL)
- {
-! for (i = 0; i < options->num_ports; i++)
-! {
-! memset(&hints, 0, sizeof(hints));
-! hints.ai_flags = AI_PASSIVE;
-! hints.ai_family = IPv4or6;
-! hints.ai_socktype = SOCK_STREAM;
-! sprintf(strport, "%d", options->ports[i]);
-! if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
-! {
-! fprintf(stderr, "fatal: getaddrinfo: Cannot get anyaddr.\n");
-! exit(1);
-! }
-! for (ai = aitop; ai->ai_next; ai = ai->ai_next);
-! ai->ai_next = options->listen_addrs;
-! options->listen_addrs = aitop;
-! }
-! /* freeaddrinfo(options->listen_addrs) in sshd.c */
- }
- if (options->host_key_file == NULL)
- options->host_key_file = HOST_KEY_FILE;
-***************
-*** 243,248 ****
---- 261,269 ----
- {
- sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
- sPermitRootLogin, sQuietMode, sFascistLogging, sLogFacility,
-+ #ifdef ENABLE_LOG_AUTH
-+ sLogAuth,
-+ #endif /* ENABLE_LOG_AUTH */
- sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
- sTISAuthentication, sPasswordAuthentication, sAllowHosts, sDenyHosts,
- sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
-***************
-*** 275,280 ****
---- 296,304 ----
- { "quietmode", sQuietMode },
- { "fascistlogging", sFascistLogging },
- { "syslogfacility", sLogFacility },
-+ #ifdef ENABLE_LOG_AUTH
-+ { "logauth", sLogAuth },
-+ #endif /* ENABLE_LOG_AUTH */
- { "rhostsauthentication", sRhostsAuthentication },
- { "rhostsrsaauthentication", sRhostsRSAAuthentication },
- { "rsaauthentication", sRSAAuthentication },
-***************
-*** 367,372 ****
---- 391,399 ----
- char *cp, **charptr;
- int linenum, *intptr, i, value;
- ServerOpCodes opcode;
-+ struct addrinfo hints, *ai, *aitop;
-+ char strport[PORTSTRLEN];
-+ int gaierr;
-
- f = fopen(filename, "r");
- if (!f)
-***************
-*** 389,395 ****
- switch (opcode)
- {
- case sPort:
-! intptr = &options->port;
- parse_int:
- cp = strtok(NULL, WHITESPACE);
- if (!cp)
---- 416,429 ----
- switch (opcode)
- {
- case sPort:
-! if (options->num_ports >= MAX_PORTS)
-! {
-! fprintf(stderr, "%s line %d: too many ports.\n",
-! filename, linenum);
-! exit(1);
-! }
-! options->ports[options->num_ports] = -1;
-! intptr = &options->ports[options->num_ports++];
- parse_int:
- cp = strtok(NULL, WHITESPACE);
- if (!cp)
-***************
-*** 452,462 ****
- filename, linenum);
- exit(1);
- }
-! #ifdef BROKEN_INET_ADDR
-! options->listen_addr.s_addr = inet_network(cp);
-! #else /* BROKEN_INET_ADDR */
-! options->listen_addr.s_addr = inet_addr(cp);
-! #endif /* BROKEN_INET_ADDR */
- break;
-
- case sHostKeyFile:
---- 486,510 ----
- filename, linenum);
- exit(1);
- }
-! if (options->num_ports == 0)
-! options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
-! for (i = 0; i < options->num_ports; i++)
-! {
-! memset(&hints, 0, sizeof(hints));
-! hints.ai_family = IPv4or6;
-! hints.ai_socktype = SOCK_STREAM;
-! sprintf(strport, "%d", options->ports[i]);
-! if ((gaierr = getaddrinfo(cp, strport, &hints, &aitop)) != 0)
-! {
-! fprintf(stderr, "%s line %d: bad addr or host. (%s)\n",
-! filename, linenum, gai_strerror(gaierr));
-! exit(1);
-! }
-! for (ai = aitop; ai->ai_next; ai = ai->ai_next);
-! ai->ai_next = options->listen_addrs;
-! options->listen_addrs = aitop;
-! }
-! strtok(cp, WHITESPACE); /* getaddrinfo() may use strtok() */
- break;
-
- case sHostKeyFile:
-***************
-*** 531,536 ****
---- 579,590 ----
- if (*intptr == -1)
- *intptr = value;
- break;
-+
-+ #ifdef ENABLE_LOG_AUTH
-+ case sLogAuth:
-+ intptr = &options->log_auth;
-+ goto parse_flag;
-+ #endif /* ENABLE_LOG_AUTH */
-
- case sIgnoreRhosts:
- intptr = &options->ignore_rhosts;
+--- servconf.c.orig Thu Jan 17 05:35:34 2002
++++ servconf.c Fri Jun 21 16:22:56 2002
+@@ -88,8 +88,8 @@
+ void initialize_server_options(ServerOptions *options)
+ {
+ memset(options, 0, sizeof(*options));
+- options->port = -1;
+- options->listen_addr.s_addr = INADDR_ANY;
++ options->num_ports = 0;
++ options->listen_addrs = NULL;
+ options->host_key_file = NULL;
+ options->random_seed_file = NULL;
+ options->pid_file = NULL;
+@@ -99,6 +99,9 @@
+ options->permit_root_login = -1;
+ options->ignore_rhosts = -1;
+ options->ignore_root_rhosts = -1;
++#ifdef ENABLE_LOG_AUTH
++ options->log_auth = -1;
++#endif /* ENABLE_LOG_AUTH */
+ options->quiet_mode = -1;
+ options->fascist_logging = -1;
+ options->print_motd = -1;
+@@ -145,17 +148,33 @@
+
+ void fill_default_server_options(ServerOptions *options)
+ {
+- if (options->port == -1)
++ struct addrinfo hints, *ai, *aitop;
++ char strport[PORTSTRLEN];
++ int i;
++
++ if (options->num_ports == 0)
++ options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
++ if (options->listen_addrs == NULL)
+ {
+- struct servent *sp;
++ for (i = 0; i < options->num_ports; i++)
++ {
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_flags = AI_PASSIVE;
++ hints.ai_family = IPv4or6;
++ hints.ai_socktype = SOCK_STREAM;
++ sprintf(strport, "%d", options->ports[i]);
++ if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
++ {
++ fprintf(stderr, "fatal: getaddrinfo: Cannot get anyaddr.\n");
++ exit(1);
++ }
++ for (ai = aitop; ai->ai_next; ai = ai->ai_next);
++ ai->ai_next = options->listen_addrs;
++ options->listen_addrs = aitop;
++ }
++ /* freeaddrinfo(options->listen_addrs) in sshd.c */
++ }
+
+- sp = getservbyname(SSH_SERVICE_NAME, "tcp");
+- if (sp)
+- options->port = ntohs(sp->s_port);
+- else
+- options->port = SSH_DEFAULT_PORT;
+- endservent();
+- }
+ if (options->host_key_file == NULL)
+ options->host_key_file = HOST_KEY_FILE;
+ if (options->random_seed_file == NULL)
+@@ -250,6 +269,9 @@
+ {
+ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
+ sPermitRootLogin, sQuietMode, sFascistLogging, sLogFacility,
++#ifdef ENABLE_LOG_AUTH
++ sLogAuth,
++#endif /* ENABLE_LOG_AUTH */
+ sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
+ sTISAuthentication, sPasswordAuthentication, sAllowHosts, sDenyHosts,
+ sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
+@@ -282,6 +304,9 @@
+ { "quietmode", sQuietMode },
+ { "fascistlogging", sFascistLogging },
+ { "syslogfacility", sLogFacility },
++#ifdef ENABLE_LOG_AUTH
++ { "logauth", sLogAuth },
++#endif /* ENABLE_LOG_AUTH */
+ { "rhostsauthentication", sRhostsAuthentication },
+ { "rhostsrsaauthentication", sRhostsRSAAuthentication },
+ { "rsaauthentication", sRSAAuthentication },
+@@ -375,6 +400,9 @@
+ char *cp, **charptr;
+ int linenum, *intptr, i, value;
+ ServerOpCodes opcode;
++ struct addrinfo hints, *ai, *aitop;
++ char strport[PORTSTRLEN];
++ int gaierr;
+
+ f = fopen(filename, "r");
+ if (!f)
+@@ -397,7 +425,14 @@
+ switch (opcode)
+ {
+ case sPort:
+- intptr = &options->port;
++ if (options->num_ports >= MAX_PORTS)
++ {
++ fprintf(stderr, "%s line %d: too many ports.\n",
++ filename, linenum);
++ exit(1);
++ }
++ options->ports[options->num_ports] = -1;
++ intptr = &options->ports[options->num_ports++];
+ parse_int:
+ cp = strtok(NULL, WHITESPACE);
+ if (!cp)
+@@ -460,12 +495,26 @@
+ filename, linenum);
+ exit(1);
+ }
+-#ifdef BROKEN_INET_ADDR
+- options->listen_addr.s_addr = inet_network(cp);
+-#else /* BROKEN_INET_ADDR */
+- options->listen_addr.s_addr = inet_addr(cp);
+-#endif /* BROKEN_INET_ADDR */
+- break;
++ if (options->num_ports == 0)
++ options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
++ for (i = 0; i < options->num_ports; i++)
++ {
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = IPv4or6;
++ hints.ai_socktype = SOCK_STREAM;
++ sprintf(strport, "%d", options->ports[i]);
++ if ((gaierr = getaddrinfo(cp, strport, &hints, &aitop)) != 0)
++ {
++ fprintf(stderr, "%s line %d: bad addr or host. (%s)\n",
++ filename, linenum, gai_strerror(gaierr));
++ exit(1);
++ }
++ for (ai = aitop; ai->ai_next; ai = ai->ai_next);
++ ai->ai_next = options->listen_addrs;
++ options->listen_addrs = aitop;
++ }
++ strtok(cp, WHITESPACE); /* getaddrinfo() may use strtok() */
++ break;
+
+ case sHostKeyFile:
+ charptr = &options->host_key_file;
+@@ -539,6 +588,12 @@
+ if (*intptr == -1)
+ *intptr = value;
+ break;
++
++#ifdef ENABLE_LOG_AUTH
++ case sLogAuth:
++ intptr = &options->log_auth;
++ goto parse_flag;
++#endif /* ENABLE_LOG_AUTH */
+
+ case sIgnoreRhosts:
+ intptr = &options->ignore_rhosts;
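Review bot: The new servconf.c code formats each port with an unbounded `sprintf(strport, "%d", options->ports[i]);`, both in `fill_default_server_options` and in the `sListenAddress` case, and nothing in this hunk checks that the value is a valid port. The sshd.c patch in the same commit removes the old `options.port < 1 || options.port > 65535` test and stores `atoi(optarg)` for `-p` straight into `options.ports[options.num_ports++]` without the `MAX_PORTS` check that the `sPort` case has. The size of `PORTSTRLEN` is not visible here, so whether an out-of-range integer can overrun `strport` should be confirmed. I would use `snprintf(strport, sizeof(strport), "%d", options->ports[i]);` and reject the value first with `if (options->ports[i] < 1 || options->ports[i] > 65535)` followed by the existing `fprintf(stderr, ...); exit(1);` pattern. It is also worth a comment on the `sListenAddress` case that an address is only paired with the ports parsed so far, so a `Port` line after `ListenAddress` does not apply to it.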
diff --git a/security/ssh/files/patch-bp b/security/ssh/files/patch-bp
index 40b10db36c4c..a9cd9987ef37 100644
--- a/security/ssh/files/patch-bp
+++ b/security/ssh/files/patch-bp
@@ -1,45 +1,32 @@
-*** servconf.h.orig Wed May 12 13:19:28 1999
---- servconf.h Mon Jan 10 22:56:13 2000
-***************
-*** 64,69 ****
---- 64,71 ----
- #ifndef SERVCONF_H
- #define SERVCONF_H
-
-+ #define MAX_PORTS 256 /* Max # hosts on allow list. */
-+
- #define MAX_ALLOW_SHOSTS 256 /* Max # hosts on allow shosts list. */
- #define MAX_DENY_SHOSTS 256 /* Max # hosts on deny shosts list. */
- #define MAX_ALLOW_HOSTS 256 /* Max # hosts on allow list. */
-***************
-*** 82,89 ****
-
- typedef struct
- {
-! int port; /* Port number to listen on. */
-! struct in_addr listen_addr; /* Address on which the server listens. */
- char *host_key_file; /* File containing host key. */
- char *random_seed_file; /* File containing random seed. */
- char *pid_file; /* File containing process ID number. */
---- 84,92 ----
-
- typedef struct
- {
-! unsigned int num_ports;
-! int ports[MAX_PORTS]; /* Port number to listen on. */
-! struct addrinfo *listen_addrs;/* Addresses on which the server listens. */
- char *host_key_file; /* File containing host key. */
- char *random_seed_file; /* File containing random seed. */
- char *pid_file; /* File containing process ID number. */
-***************
-*** 91,96 ****
---- 94,102 ----
- int login_grace_time; /* Disconnect if no auth in this time (sec). */
- int key_regeneration_time; /* Server key lifetime (seconds). */
- int permit_root_login; /* 0 = forced cmd only, 1 = no pwd, 2 = yes. */
-+ #ifdef ENABLE_LOG_AUTH
-+ int log_auth; /* If true, log authentication info. */
-+ #endif /* ENABLE_LOG_AUTH */
- int ignore_rhosts; /* Ignore .rhosts and .shosts. */
- int ignore_root_rhosts; /* Ignore .rhosts and .shosts for root,
- defaults to ignore_rhosts if not given. */
+--- servconf.h.orig Thu Jan 17 05:35:34 2002
++++ servconf.h Fri Jun 21 16:24:35 2002
+@@ -68,6 +68,7 @@
+ #ifndef SERVCONF_H
+ #define SERVCONF_H
+
++#define MAX_PORTS 256 /* Max # hosts on allow list. */
+ #define MAX_ALLOW_SHOSTS 256 /* Max # hosts on allow shosts list. */
+ #define MAX_DENY_SHOSTS 256 /* Max # hosts on deny shosts list. */
+ #define MAX_ALLOW_HOSTS 256 /* Max # hosts on allow list. */
+@@ -86,8 +87,9 @@
+
+ typedef struct
+ {
+- int port; /* Port number to listen on. */
+- struct in_addr listen_addr; /* Address on which the server listens. */
++ unsigned int num_ports;
++ int ports[MAX_PORTS]; /* Port number to listen on. */
++ struct addrinfo *listen_addrs;/* Addresses on which the server listens. */
+ char *host_key_file; /* File containing host key. */
+ char *random_seed_file; /* File containing random seed. */
+ char *pid_file; /* File containing process ID number. */
+@@ -95,6 +97,9 @@
+ int login_grace_time; /* Disconnect if no auth in this time (sec). */
+ int key_regeneration_time; /* Server key lifetime (seconds). */
+ int permit_root_login; /* 0 = forced cmd only, 1 = no pwd, 2 = yes. */
++#ifdef ENABLE_LOG_AUTH
++ int log_auth; /* If true, log authentication info. */
++#endif /* ENABLE_LOG_AUTH */
+ int ignore_rhosts; /* Ignore .rhosts and .shosts. */
+ int ignore_root_rhosts; /* Ignore .rhosts and .shosts for root,
+ defaults to ignore_rhosts if not given. */
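Review bot: The comment on the new `MAX_PORTS` define reads "Max # hosts on allow list.", which is copied from `MAX_ALLOW_HOSTS` and does not describe a port limit; `#define MAX_PORTS 256 /* Max # of ports to listen on. */` would be accurate. The limit of 256 also disagrees with the sshd.c patch in this commit, where `listen_socks` has `MAX_LISTEN_SOCKS` (16) entries and `listen_socks[num_listen_socks] = listen_sock;` is written with no bound check. A configuration that resolves to more than 16 port/address pairs would then index past that array, so the listen loop should stop or fail once `num_listen_socks >= MAX_LISTEN_SOCKS`, or the two limits should be made to agree. A short comment on `num_ports` saying it counts the used entries of `ports[]` would help as well.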
diff --git a/security/ssh/files/patch-xa b/security/ssh/files/patch-xa
deleted file mode 100644
index a775ff6820da..000000000000
--- a/security/ssh/files/patch-xa
+++ /dev/null
@@ -1,167 +0,0 @@
-Note that this patch has been incorporated into the port due to problems
-with patching a autoconf generated configure script. The script itself contains
-linenumbers and in case of two patches against that script the second one fails
-because it expects something that the first patch has already changed. The
-only clean way is to re-generate it with autoconf. *sigh*
-This patch was fetched from
-http://www.ssh.org/patches/patch-ssh-1.2.27-bsd.tty.chown
- - torstenb@FreeBSD.org, Tue Jan 11 21:36:46 CET 2000
-
-
-Patch for problem with tty ownership with chflags and chown in BSD 4.4
-variants. Fixes a security bug in tty allocation.
-
-This patch works for ssh-1.2.27.
-
-Apply with the following commands:
-
-% cd /wherever/you/hold/your/sources/ssh-1.2.27
-% patch -p1 -l < /path/to/where/you/saved/patch-ssh-1.2.27-bsd.tty.chown
-% ./configure --whatever-config-flags-you-use
-% make clean
-% make
-% su
-Password: ***********
-# make install
-# kill -HUP `cat /var/run/sshd.pid`
-
-You should be all set.
-
-Sami Lehtinen <sjl@ssh.fi>
-
---begin patch--
-diff -u --recursive -X /u/sjl/bin/diff-src-db auth-passwd.c.orig auth-passwd.c
---- auth-passwd.c.orig Wed May 12 14:19:23 1999
-+++ auth-passwd.c Wed Aug 11 19:49:32 1999
-@@ -613,7 +613,13 @@
- /* get_name pulls out just the name not the
- type */
- strcpy(ccname + 5, krb5_cc_get_name(ssh_context, ccache));
-- (void) chown(ccname + 5, pw->pw_uid, pw->pw_gid);
-+ if (chown(ccname + 5, pw->pw_uid, pw->pw_gid) < 0)
-+ {
-+ log_msg("Kerberos: chown failed for %s, error: %s",
-+ ccname + 5, strerror(errno));
-+ packet_send_debug("Kerberos: chown failed for %s", ccname + 5);
-+ goto errout;
-+ }
-
- /* If tgt was passed unlink file */
- if (ticket)
-diff -u --recursive -X /u/sjl/bin/diff-src-db config.h.in.orig config.h.in
---- config.h.in.orig Wed May 12 14:20:04 1999
-+++ config.h.in Wed Aug 11 20:20:51 1999
-@@ -360,6 +360,9 @@
- /* Define if you have the authenticate function. */
- #undef HAVE_AUTHENTICATE
-
-+/* Define if you have the chflags function. */
-+#undef HAVE_CHFLAGS
-+
- /* Define if you have the clock function. */
- #undef HAVE_CLOCK
-
-diff -u --recursive -X /u/sjl/bin/diff-src-db configure.in.orig configure.in
---- configure.in.orig Wed May 12 14:20:02 1999
-+++ configure.in Wed Aug 11 20:05:13 1999
-@@ -433,6 +433,7 @@
- AC_CHECK_FUNCS(strchr memcpy setlogin openpty _getpty clock fchmod ulimit)
- AC_CHECK_FUNCS(gethostname getdtablesize umask innetgr initgroups setpgrp)
- AC_CHECK_FUNCS(setpgid daemon waitpid ttyslot authenticate getpt isastream)
-+AC_CHECK_FUNCS(chflags)
-
- AC_REPLACE_FUNCS(strerror memmove remove random putenv crypt socketpair snprintf)
-
-diff -u --recursive -X /u/sjl/bin/diff-src-db sshd.c.orig sshd.c
---- sshd.c.orig Wed May 12 14:19:29 1999
-+++ sshd.c Wed Aug 11 20:26:31 1999
-@@ -2897,9 +2897,87 @@
- tty_mode = S_IRUSR|S_IWUSR|S_IWGRP|S_IWOTH;
- }
-
-+ retry_chown:
-+
- /* Change ownership of the tty. */
-- (void)chown(ttyname, pw->pw_uid, tty_gid);
-- (void)chmod(ttyname, tty_mode);
-+ if (chown(ttyname, pw->pw_uid, tty_gid) < 0)
-+ {
-+ /* chown failed. Atleast two possibilities. Either we are not
-+ running as root, in which case this is OK, or we are running
-+ on BSD, and somebody has put some flags to the tty. */
-+
-+ /* Check whether we are root or not.*/
-+ if (getuid() != UID_ROOT)
-+ {
-+ /* We are not, and then this is OK. */
-+ debug("chown failed (but we're not root anyway) for "
-+ "%s, error %s", ttyname, strerror(errno));
-+ }
-+ else
-+ {
-+#ifdef HAVE_CHFLAGS
-+ static int retrying = 0;
-+ struct stat st;
-+
-+ if (!retrying)
-+ {
-+ debug("chown failed for %s, error: %s. Removing "
-+ "user-settable flags, and retrying.",
-+ ttyname, strerror(errno));
-+
-+ if (stat(ttyname, &st) < 0)
-+ {
-+ error("stat failed for %s, error: %s",
-+ ttyname, strerror(errno));
-+ }
-+ else
-+ {
-+ debug("Removing user-settable flags with "
-+ "chflags.");
-+ /* Remove user definable flags. */
-+ if (chflags(ttyname, st.st_flags &
-+ ~(UF_NODUMP | UF_IMMUTABLE |
-+ UF_APPEND | UF_OPAQUE)) < 0)
-+ {
-+ debug("chflags failed for %s, error: %s",
-+ ttyname, strerror(errno));
-+ }
-+ else
-+ {
-+ debug("Retrying...");
-+ retrying = 1;
-+ goto retry_chown;
-+ }
-+ }
-+ }
-+ else
-+ {
-+ debug("chown failed even with retry. error: %s",
-+ strerror(errno));
-+ }
-+
-+#endif /* HAVE_CHFLAGS */
-+ error("ssh_pty_allocate_and_fork: chown failed for %s.",
-+ ttyname);
-+ goto fail;
-+ }
-+ }
-+
-+ if (chmod(ttyname, tty_mode) < 0)
-+ {
-+ if (getuid() != UID_ROOT)
-+ {
-+ /* We are not, and then this is (probably) OK. */
-+ debug("chmod failed (but we're not root anyway) for "
-+ "%s, error %s", ttyname, strerror(errno));
-+ }
-+ else
-+ {
-+ error("ssh_pty_allocate_and_fork: chmod %s: %s",
-+ ttyname, strerror(errno));
-+ goto fail;
-+ }
-+ }
-
- /* Get TERM from the packet. Note that the value may be of arbitrary
- length. */