diff options
Diffstat (limited to 'security/hpn-ssh/files')
| -rw-r--r-- | security/hpn-ssh/files/batch.patch | 11 | ||||
| -rw-r--r-- | security/hpn-ssh/files/gss-serv.c.patch | 18 | ||||
| -rw-r--r-- | security/hpn-ssh/files/patch-auth.c | 29 | ||||
| -rw-r--r-- | security/hpn-ssh/files/patch-auth1.c | 64 | ||||
| -rw-r--r-- | security/hpn-ssh/files/patch-auth2.c | 68 | ||||
| -rw-r--r-- | security/hpn-ssh/files/patch-clientloop.c | 11 | ||||
| -rw-r--r-- | security/hpn-ssh/files/patch-loginrec.c | 25 | ||||
| -rw-r--r-- | security/hpn-ssh/files/patch-monitor_wrap.c | 18 | ||||
| -rw-r--r-- | security/hpn-ssh/files/patch-regress-test-exec.sh | 11 | ||||
| -rw-r--r-- | security/hpn-ssh/files/patch-session.c | 334 | ||||
| -rw-r--r-- | security/hpn-ssh/files/patch-sshd.c | 31 | ||||
| -rw-r--r-- | security/hpn-ssh/files/patch-sshd_config | 18 | ||||
| -rw-r--r-- | security/hpn-ssh/files/patch-sshpty.c | 12 | ||||
| -rw-r--r-- | security/hpn-ssh/files/servconf.c.patch | 17 | ||||
| -rw-r--r-- | security/hpn-ssh/files/sshd.sh | 24 |
15 files changed, 0 insertions, 691 deletions
diff --git a/security/hpn-ssh/files/batch.patch b/security/hpn-ssh/files/batch.patch deleted file mode 100644 index 6d5f60af0470..000000000000 --- a/security/hpn-ssh/files/batch.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- Makefile.in.orig Mon Sep 22 03:00:12 2003 -+++ Makefile.in Sun Sep 28 05:02:19 2003 -@@ -224,7 +224,7 @@ - $(AUTORECONF) - (cd scard && $(MAKE) -f Makefile.in distprep) - --install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files host-key check-config -+install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files check-config - install-nokeys: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files - - check-config: diff --git a/security/hpn-ssh/files/gss-serv.c.patch b/security/hpn-ssh/files/gss-serv.c.patch deleted file mode 100644 index 434f71e6d057..000000000000 --- a/security/hpn-ssh/files/gss-serv.c.patch +++ /dev/null @@ -1,18 +0,0 @@ ---- gss-serv.c.DIST Tue Sep 2 14:56:42 2003 -+++ gss-serv.c Mon Oct 6 17:56:23 2003 -@@ -138,6 +138,15 @@ - OM_uint32 offset; - OM_uint32 oidl; - -+#if defined(HEIMDAL) -+ if (strcmp(heimdal_version, "Heimdal 0.6") < 0) { -+ name->length = ename->length; -+ name->value = xmalloc(name->length+1); -+ memcpy(name->value,ename->value,name->length); -+ ((char *)name->value)[name->length] = 0; -+ return GSS_S_COMPLETE; -+ } -+#endif - tok=ename->value; - - /* diff --git a/security/hpn-ssh/files/patch-auth.c b/security/hpn-ssh/files/patch-auth.c deleted file mode 100644 index 76103d45cad0..000000000000 --- a/security/hpn-ssh/files/patch-auth.c +++ /dev/null @@ -1,29 +0,0 @@ ---- auth.c.orig Tue Sep 2 23:32:46 2003 -+++ auth.c Tue Sep 16 20:05:44 2003 -@@ -259,6 +259,17 @@ - } - #endif /* WITH_AIXAUTHENTICATE */ - -+#ifdef __FreeBSD__ -+ /* Fail if the account's expiration time has passed. */ -+ if (pw->pw_expire != 0) { -+ struct timeval tv; -+ -+ (void)gettimeofday(&tv, NULL); -+ if (tv.tv_sec >= pw->pw_expire) -+ return 0; -+ } -+#endif /* __FreeBSD__ */ -+ - /* We found no reason not to let this user try to log on... */ - return 1; - } -@@ -531,7 +542,7 @@ - if (!allowed_user(pw)) - return (NULL); - #ifdef HAVE_LOGIN_CAP -- if ((lc = login_getclass(pw->pw_class)) == NULL) { -+ if ((lc = login_getpwclass(pw)) == NULL) { - debug("unable to get login class: %s", user); - return (NULL); - } diff --git a/security/hpn-ssh/files/patch-auth1.c b/security/hpn-ssh/files/patch-auth1.c deleted file mode 100644 index 95d8d1a627b5..000000000000 --- a/security/hpn-ssh/files/patch-auth1.c +++ /dev/null @@ -1,64 +0,0 @@ ---- auth1.c.orig Tue Sep 2 23:32:46 2003 -+++ auth1.c Tue Sep 16 20:05:44 2003 -@@ -26,6 +26,7 @@ - #include "session.h" - #include "uidswap.h" - #include "monitor_wrap.h" -+#include "canohost.h" - - /* import */ - extern ServerOptions options; -@@ -71,6 +72,18 @@ - u_int ulen; - int prev, type = 0; - struct passwd *pw = authctxt->pw; -+#ifdef HAVE_LOGIN_CAP -+ login_cap_t *lc; -+#endif -+#ifdef USE_PAM -+ struct inverted_pam_cookie *pam_cookie; -+#endif /* USE_PAM */ -+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS) -+ const char *from_host, *from_ip; -+ -+ from_host = get_canonical_hostname(options.use_dns); -+ from_ip = get_remote_ipaddr(); -+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */ - - debug("Attempting authentication for %s%.100s.", - authctxt->valid ? "" : "illegal user ", authctxt->user); -@@ -214,6 +227,34 @@ - logit("Unknown message during authentication: type %d", type); - break; - } -+ -+#ifdef HAVE_LOGIN_CAP -+ if (pw != NULL) { -+ lc = login_getpwclass(pw); -+ if (lc == NULL) -+ lc = login_getclassbyname(NULL, pw); -+ if (!auth_hostok(lc, from_host, from_ip)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); -+ } -+ if (!auth_timeok(lc, time(NULL))) { -+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", -+ pw->pw_name, from_host); -+ packet_disconnect("Logins not available right now."); -+ } -+ login_close(lc); -+ lc = NULL; -+ } -+#endif /* HAVE_LOGIN_CAP */ -+#ifdef LOGIN_ACCESS -+ if (pw != NULL && !login_access(pw->pw_name, from_host)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); -+ } -+#endif /* LOGIN_ACCESS */ -+ - #ifdef BSD_AUTH - if (authctxt->as) { - auth_close(authctxt->as); diff --git a/security/hpn-ssh/files/patch-auth2.c b/security/hpn-ssh/files/patch-auth2.c deleted file mode 100644 index 6012ce39d7b8..000000000000 --- a/security/hpn-ssh/files/patch-auth2.c +++ /dev/null @@ -1,68 +0,0 @@ ---- auth2.c.orig Tue Sep 2 23:32:46 2003 -+++ auth2.c Tue Sep 16 20:05:44 2003 -@@ -35,6 +35,7 @@ - #include "dispatch.h" - #include "pathnames.h" - #include "monitor_wrap.h" -+#include "canohost.h" - - #ifdef GSSAPI - #include "ssh-gss.h" -@@ -143,6 +144,15 @@ - Authmethod *m = NULL; - char *user, *service, *method, *style = NULL; - int authenticated = 0; -+#ifdef HAVE_LOGIN_CAP -+ login_cap_t *lc; -+#endif /* HAVE_LOGIN_CAP */ -+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS) -+ const char *from_host, *from_ip; -+ -+ from_host = get_canonical_hostname(options.use_dns); -+ from_ip = get_remote_ipaddr(); -+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */ - - if (authctxt == NULL) - fatal("input_userauth_request: no authctxt"); -@@ -187,6 +197,41 @@ - "(%s,%s) -> (%s,%s)", - authctxt->user, authctxt->service, user, service); - } -+ -+#ifdef HAVE_LOGIN_CAP -+ if (authctxt->pw != NULL) { -+ lc = login_getpwclass(authctxt->pw); -+ if (lc == NULL) -+ lc = login_getclassbyname(NULL, authctxt->pw); -+ if (!auth_hostok(lc, from_host, from_ip)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); -+ } -+ if (!auth_timeok(lc, time(NULL))) { -+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", -+ authctxt->pw->pw_name, from_host); -+ packet_disconnect("Logins not available right now."); -+ } -+ login_close(lc); -+ lc = NULL; -+ } -+#endif /* HAVE_LOGIN_CAP */ -+#ifdef LOGIN_ACCESS -+ if (authctxt->pw != NULL && -+ !login_access(authctxt->pw->pw_name, from_host)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); -+ } -+#endif /* LOGIN_ACCESS */ -+#ifdef BSD_AUTH -+ if (authctxt->as) { -+ auth_close(authctxt->as); -+ authctxt->as = NULL; -+ } -+#endif -+ - /* reset state */ - auth2_challenge_stop(authctxt); - diff --git a/security/hpn-ssh/files/patch-clientloop.c b/security/hpn-ssh/files/patch-clientloop.c deleted file mode 100644 index 67fc4dcb4f6b..000000000000 --- a/security/hpn-ssh/files/patch-clientloop.c +++ /dev/null @@ -1,11 +0,0 @@ ---- clientloop.c.orig Fri Apr 20 09:17:51 2001 -+++ clientloop.c Sat May 26 15:18:51 2001 -@@ -1131,7 +1131,7 @@ - - if (strcmp(ctype, "forwarded-tcpip") == 0) { - c = client_request_forwarded_tcpip(ctype, rchan); -- } else if (strcmp(ctype, "x11") == 0) { -+ } else if (strcmp(ctype, "x11") == 0 && options.forward_x11) { - c = client_request_x11(ctype, rchan); - } else if (strcmp(ctype, "auth-agent@openssh.com") == 0) { - c = client_request_agent(ctype, rchan); diff --git a/security/hpn-ssh/files/patch-loginrec.c b/security/hpn-ssh/files/patch-loginrec.c deleted file mode 100644 index 37993edf2097..000000000000 --- a/security/hpn-ssh/files/patch-loginrec.c +++ /dev/null @@ -1,25 +0,0 @@ ---- loginrec.c.orig Thu Sep 26 02:38:49 2002 -+++ loginrec.c Mon Oct 21 06:51:34 2002 -@@ -172,6 +172,9 @@ - #ifdef HAVE_LIBUTIL_H - # include <libutil.h> - #endif -+#ifdef __FreeBSD__ -+#include <osreldate.h> -+#endif - - /** - ** prototypes for helper functions in this file -@@ -654,7 +657,12 @@ - /* Use strncpy because we don't necessarily want null termination */ - strncpy(ut->ut_name, li->username, MIN_SIZEOF(ut->ut_name, li->username)); - # ifdef HAVE_HOST_IN_UTMP -+# if defined(__FreeBSD__) && __FreeBSD_version <= 400000 - strncpy(ut->ut_host, li->hostname, MIN_SIZEOF(ut->ut_host, li->hostname)); -+# else -+ realhostname_sa(ut->ut_host, sizeof ut->ut_host, -+ &li->hostaddr.sa, li->hostaddr.sa.sa_len); -+# endif - # endif - # ifdef HAVE_ADDR_IN_UTMP - /* this is just a 32-bit IP address */ diff --git a/security/hpn-ssh/files/patch-monitor_wrap.c b/security/hpn-ssh/files/patch-monitor_wrap.c deleted file mode 100644 index 7e89d3a40883..000000000000 --- a/security/hpn-ssh/files/patch-monitor_wrap.c +++ /dev/null @@ -1,18 +0,0 @@ ---- monitor_wrap.c.orig Tue Sep 2 14:51:17 2003 -+++ monitor_wrap.c Tue Sep 16 20:05:44 2003 -@@ -894,6 +894,7 @@ - return ((authok == 0) ? -1 : 0); - } - -+#ifdef SKEY - int - mm_skey_query(void *ctx, char **name, char **infotxt, - u_int *numprompts, char ***prompts, u_int **echo_on) -@@ -957,6 +958,7 @@ - - return ((authok == 0) ? -1 : 0); - } -+#endif - - void - mm_ssh1_session_id(u_char session_id[16]) diff --git a/security/hpn-ssh/files/patch-regress-test-exec.sh b/security/hpn-ssh/files/patch-regress-test-exec.sh deleted file mode 100644 index 4abc87c3d4da..000000000000 --- a/security/hpn-ssh/files/patch-regress-test-exec.sh +++ /dev/null @@ -1,11 +0,0 @@ ---- regress/test-exec.sh.orig Fri Sep 12 07:32:17 2003 -+++ regress/test-exec.sh Tue Sep 16 19:56:13 2003 -@@ -163,6 +163,8 @@ - AuthorizedKeysFile $OBJ/authorized_keys_%u - LogLevel QUIET - StrictModes no -+ PermitRootLogin yes -+ UsePrivilegeSeparation no - EOF - - # server config for proxy connects diff --git a/security/hpn-ssh/files/patch-session.c b/security/hpn-ssh/files/patch-session.c deleted file mode 100644 index 1f038e37cebe..000000000000 --- a/security/hpn-ssh/files/patch-session.c +++ /dev/null @@ -1,334 +0,0 @@ ---- session.c.orig Tue Sep 23 10:59:08 2003 -+++ session.c Tue Sep 23 17:29:31 2003 -@@ -62,6 +62,11 @@ - #include "ssh-gss.h" - #endif - -+#ifdef __FreeBSD__ -+#include <syslog.h> -+#define _PATH_CHPASS "/usr/bin/passwd" -+#endif /* __FreeBSD__ */ -+ - /* func */ - - Session *session_new(void); -@@ -411,6 +416,13 @@ - log_init(__progname, options.log_level, options.log_facility, log_stderr); - - /* -+ * Using login and executing a specific "command" are mutually -+ * exclusive, so turn off use_login if there's a command. -+ */ -+ if (command != NULL) -+ options.use_login = 0; -+ -+ /* - * Create a new session and process group since the 4.4BSD - * setlogin() affects the entire process group. - */ -@@ -516,6 +528,9 @@ - { - int fdout, ptyfd, ttyfd, ptymaster; - pid_t pid; -+#if defined(USE_PAM) -+ const char *shorttty; -+#endif - - if (s == NULL) - fatal("do_exec_pty: no session"); -@@ -535,6 +550,14 @@ - - /* Child. Reinitialize the log because the pid has changed. */ - log_init(__progname, options.log_level, options.log_facility, log_stderr); -+ -+ /* -+ * Using login and executing a specific "command" are mutually -+ * exclusive, so turn off use_login if there's a command. -+ */ -+ if (command != NULL) -+ options.use_login = 0; -+ - /* Close the master side of the pseudo tty. */ - close(ptyfd); - -@@ -676,6 +699,18 @@ - struct sockaddr_storage from; - struct passwd * pw = s->pw; - pid_t pid = getpid(); -+#ifdef HAVE_LOGIN_CAP -+ FILE *f; -+ char buf[256]; -+ char *fname; -+ const char *shorttty; -+#endif /* HAVE_LOGIN_CAP */ -+#ifdef __FreeBSD__ -+#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ -+ char *newcommand; -+ struct timeval tv; -+ time_t warntime = DEFAULT_WARN; -+#endif /* __FreeBSD__ */ - - /* - * Get IP address of client. If the connection is not a socket, let -@@ -710,6 +745,72 @@ - } - #endif - -+#ifdef __FreeBSD__ -+ if (pw->pw_change || pw->pw_expire) -+ (void)gettimeofday(&tv, NULL); -+#ifdef HAVE_LOGIN_CAP -+ warntime = login_getcaptime(lc, "warnpassword", -+ DEFAULT_WARN, DEFAULT_WARN); -+#endif /* HAVE_LOGIN_CAP */ -+ /* -+ * If the password change time is set and has passed, give the -+ * user a password expiry notice and chance to change it. -+ */ -+ if (pw->pw_change != 0) { -+ if (tv.tv_sec >= pw->pw_change) { -+ (void)printf( -+ "Sorry -- your password has expired.\n"); -+ logit("%s Password expired - forcing change", -+ pw->pw_name); -+ if (newcommand != NULL) -+ xfree(newcommand); -+ newcommand = xstrdup(_PATH_CHPASS); -+ } else if (pw->pw_change - tv.tv_sec < warntime && -+ !check_quietlogin(s, command)) -+ (void)printf( -+ "Warning: your password expires on %s", -+ ctime(&pw->pw_change)); -+ } -+ -+#ifndef USE_PAM -+ if (pw->pw_expire) { -+ if (tv.tv_sec >= pw->pw_expire) { -+ (void)printf( -+ "Sorry -- your account has expired.\n"); -+ logit( -+ "LOGIN %.200s REFUSED (EXPIRED) FROM %.200s ON TTY %.200s", -+ pw->pw_name, get_remote_name_or_ip(utmp_len, -+ options.use_dns), s->tty); -+ exit(254); -+ } else if (pw->pw_expire - tv.tv_sec < warntime && -+ !check_quietlogin(s, command)) -+ (void)printf( -+ "Warning: your account expires on %s", -+ ctime(&pw->pw_expire)); -+ } -+#endif /* !USE_PAM */ -+#endif /* __FreeBSD__ */ -+ -+#ifdef HAVE_LOGIN_CAP -+ /* check if we have a pathname in the ttyname */ -+ shorttty = rindex( s->tty, '/' ); -+ if (shorttty != NULL ) { -+ /* use only the short filename to check */ -+ shorttty ++; -+ } else { -+ /* nothing found, use the whole name found */ -+ shorttty = s->tty; -+ } -+ if (!auth_ttyok(lc, shorttty)) { -+ (void)printf("Permission denied.\n"); -+ logit( -+ "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s", -+ pw->pw_name, get_remote_name_or_ip(utmp_len, -+ options.use_dns), s->tty); -+ exit(254); -+ } -+#endif /* HAVE_LOGIN_CAP */ -+ - if (check_quietlogin(s, command)) - return; - -@@ -726,7 +827,17 @@ - buffer_free(&loginmsg); - - #ifndef NO_SSH_LASTLOG -- if (options.print_lastlog && s->last_login_time != 0) { -+ /* -+ * If the user has logged in before, display the time of last -+ * login. However, don't display anything extra if a command -+ * has been specified (so that ssh can be used to execute -+ * commands on a remote machine without users knowing they -+ * are going to another machine). Login(1) will do this for -+ * us as well, so check if login(1) is used -+ */ -+ if (command == NULL && options.print_lastlog && -+ s->last_login_time != 0 && -+ !options.use_login) { - time_string = ctime(&s->last_login_time); - if (strchr(time_string, '\n')) - *strchr(time_string, '\n') = 0; -@@ -738,7 +849,30 @@ - } - #endif /* NO_SSH_LASTLOG */ - -- do_motd(); -+#ifdef HAVE_LOGIN_CAP -+ if (command == NULL && -+ !options.use_login) { -+ fname = login_getcapstr(lc, "copyright", NULL, NULL); -+ if (fname != NULL && (f = fopen(fname, "r")) != NULL) { -+ while (fgets(buf, sizeof(buf), f) != NULL) -+ fputs(buf, stdout); -+ fclose(f); -+ } else -+ (void)printf("%s\n\t%s %s\n", -+ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994", -+ "The Regents of the University of California. ", -+ "All rights reserved."); -+ } -+#endif /* HAVE_LOGIN_CAP */ -+ -+ /* -+ * Print /etc/motd unless a command was specified or printing -+ * it was disabled in server options or login(1) will be -+ * used. Note that some machines appear to print it in -+ * /etc/profile or similar. -+ */ -+ if (command == NULL && !options.use_login) -+ do_motd(); - } - - /* -@@ -754,9 +888,9 @@ - #ifdef HAVE_LOGIN_CAP - f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", - "/etc/motd"), "r"); --#else -+#else /* !HAVE_LOGIN_CAP */ - f = fopen("/etc/motd", "r"); --#endif -+#endif /* HAVE_LOGIN_CAP */ - if (f) { - while (fgets(buf, sizeof(buf), f)) - fputs(buf, stdout); -@@ -783,10 +917,10 @@ - #ifdef HAVE_LOGIN_CAP - if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0) - return 1; --#else -+#else /* HAVE_LOGIN_CAP */ - if (stat(buf, &st) >= 0) - return 1; --#endif -+#endif /* HAVE_LOGIN_CAP */ - return 0; - } - -@@ -973,6 +1107,10 @@ - char buf[256]; - u_int i, envsize; - char **env, *laddr, *path = NULL; -+#ifdef HAVE_LOGIN_CAP -+ extern char **environ; -+ char **senv, **var; -+#endif /* HAVE_LOGIN_CAP */ - struct passwd *pw = s->pw; - - /* Initialize the environment. */ -@@ -980,6 +1118,9 @@ - env = xmalloc(envsize * sizeof(char *)); - env[0] = NULL; - -+ /* Moved up to resove confict with gsssapi patches */ -+ if (getenv("TZ")) -+ child_set_env(&env, &envsize, "TZ", getenv("TZ")); - #ifdef HAVE_CYGWIN - /* - * The Windows environment contains some setting which are -@@ -1034,9 +1175,21 @@ - - /* Normal systems set SHELL by default. */ - child_set_env(&env, &envsize, "SHELL", shell); -+#ifdef HAVE_LOGIN_CAP -+ senv = environ; -+ environ = xmalloc(sizeof(char *)); -+ *environ = NULL; -+ if (setusercontext(lc, pw, pw->pw_uid, -+ LOGIN_SETENV|LOGIN_SETPATH) < 0) { -+ perror("unable to set user context enviroment"); -+ } -+ copy_environment(environ, &env, &envsize); -+ for (var = environ; *var != NULL; ++var) -+ xfree(*var); -+ xfree(environ); -+ environ = senv; -+#endif /* HAVE_LOGIN_CAP */ - } -- if (getenv("TZ")) -- child_set_env(&env, &envsize, "TZ", getenv("TZ")); - - /* Set custom environment options from RSA authentication. */ - if (!options.use_login) { -@@ -1245,7 +1398,7 @@ - setpgid(0, 0); - # endif - if (setusercontext(lc, pw, pw->pw_uid, -- (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) { -+ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH))) < 0) { - perror("unable to set user context"); - exit(1); - } -@@ -1275,7 +1428,16 @@ - * Reestablish them here. - */ - if (options.use_pam) { -- do_pam_session(); -+ /* check if we have a pathname in the ttyname */ -+ shorttty = rindex( s->tty, '/' ); -+ if (shorttty != NULL ) { -+ /* use only the short filename to check */ -+ shorttty ++; -+ } else { -+ /* nothing found, use the whole name found */ -+ shorttty = s->tty; -+ } -+ do_pam_session(s->pw->pw_name, shorttty); - do_pam_setcred(0); - } - # endif /* USE_PAM */ -@@ -1411,7 +1573,7 @@ - * initgroups, because at least on Solaris 2.3 it leaves file - * descriptors open. - */ -- for (i = 3; i < 64; i++) -+ for (i = 3; i < getdtablesize(); i++) - close(i); - - /* -@@ -1429,6 +1591,31 @@ - exit(1); - #endif - } -+ -+#ifdef __FreeBSD__ -+ if (!options.use_login) { -+ /* -+ * If the password change time is set and has passed, give the -+ * user a password expiry notice and chance to change it. -+ */ -+ if (pw->pw_change != 0) { -+ struct timeval tv; -+ -+ (void)gettimeofday(&tv, NULL); -+ if (tv.tv_sec >= pw->pw_change) { -+ (void)printf( -+ "Sorry -- your password has expired.\n"); -+ syslog(LOG_INFO, -+ "%s Password expired - forcing change", -+ pw->pw_name); -+ if (system("/usr/bin/passwd") != 0) { -+ perror("/usr/bin/passwd"); -+ exit(1); -+ } -+ } -+ } -+ } -+#endif /* __FreeBSD__ */ - - if (!options.use_login) - do_rc_files(s, shell); diff --git a/security/hpn-ssh/files/patch-sshd.c b/security/hpn-ssh/files/patch-sshd.c deleted file mode 100644 index 09665a42d7bd..000000000000 --- a/security/hpn-ssh/files/patch-sshd.c +++ /dev/null @@ -1,31 +0,0 @@ ---- sshd.c.orig Wed Jun 26 01:24:19 2002 -+++ sshd.c Thu Jul 25 06:32:37 2002 -@@ -53,6 +53,10 @@ - #include <prot.h> - #endif - -+#ifdef __FreeBSD__ -+#include <resolv.h> -+#endif -+ - #include "ssh.h" - #include "ssh1.h" - #include "ssh2.h" -@@ -1409,6 +1413,17 @@ - setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, - sizeof(on)) < 0) - error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); -+ -+#ifdef __FreeBSD__ -+ /* -+ * Initialize the resolver. This may not happen automatically -+ * before privsep chroot(). -+ */ -+ if ((_res.options & RES_INIT) == 0) { -+ debug("res_init()"); -+ res_init(); -+ } -+#endif - - /* - * Register our connection. This turns encryption off because we do diff --git a/security/hpn-ssh/files/patch-sshd_config b/security/hpn-ssh/files/patch-sshd_config deleted file mode 100644 index ca7fe10a0234..000000000000 --- a/security/hpn-ssh/files/patch-sshd_config +++ /dev/null @@ -1,18 +0,0 @@ ---- sshd_config.orig Tue Sep 2 14:51:18 2003 -+++ sshd_config Tue Sep 16 20:05:44 2003 -@@ -34,6 +34,7 @@ - - #LoginGraceTime 2m - #PermitRootLogin yes -+PermitRootLogin no - #StrictModes yes - - #RSAAuthentication yes -@@ -56,6 +57,7 @@ - - # Change to no to disable s/key passwords - #ChallengeResponseAuthentication yes -+ChallengeResponseAuthentication no - - # Kerberos options - #KerberosAuthentication no diff --git a/security/hpn-ssh/files/patch-sshpty.c b/security/hpn-ssh/files/patch-sshpty.c deleted file mode 100644 index d8cd703dcec7..000000000000 --- a/security/hpn-ssh/files/patch-sshpty.c +++ /dev/null @@ -1,12 +0,0 @@ ---- sshpty.c.orig Wed Jan 21 07:07:17 2004 -+++ sshpty.c Wed Feb 25 11:58:54 2004 -@@ -17,6 +17,9 @@ - #ifdef HAVE_UTIL_H - # include <util.h> - #endif /* HAVE_UTIL_H */ -+#ifdef HAVE_LIBUTIL_H -+#include <libutil.h> -+#endif - - #include "sshpty.h" - #include "log.h" diff --git a/security/hpn-ssh/files/servconf.c.patch b/security/hpn-ssh/files/servconf.c.patch deleted file mode 100644 index dde0a6947e60..000000000000 --- a/security/hpn-ssh/files/servconf.c.patch +++ /dev/null @@ -1,17 +0,0 @@ ---- servconf.c.orig Sat Mar 23 11:02:41 2002 -+++ servconf.c Sat Mar 23 11:07:39 2002 -@@ -17,12 +17,12 @@ - #endif - #if defined(KRB5) - #ifdef HEIMDAL --#include <krb.h> -+#include <krb5.h> - #else - /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V - * keytab */ --#define KEYFILE "/etc/krb5.keytab" - #endif -+#define KEYFILE "/etc/krb5.keytab" - #endif - #ifdef AFS - #include <kafs.h> diff --git a/security/hpn-ssh/files/sshd.sh b/security/hpn-ssh/files/sshd.sh deleted file mode 100644 index a08d61e67a6d..000000000000 --- a/security/hpn-ssh/files/sshd.sh +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/sh -case "$1" in -start) - __PREFIX__/sbin/sshd - echo -n ' sshd' - ;; -stop) - if [ -f /var/run/sshd.pid ]; then - kill -TERM `cat /var/run/sshd.pid` - rm -f /var/run/sshd.pid - echo -n ' sshd' - fi - ;; -restart) - if [ -f /var/run/sshd.pid ]; then - kill -HUP `cat /var/run/sshd.pid` - echo 'sshd restarted' - fi - ;; -*) - echo "Usage: ${0##*/}: { start | stop | restart }" >&2 - exit 64 - ;; -esac |