Diffstat (limited to 'security/hpn-ssh')
26 files changed, 0 insertions, 1563 deletions
diff --git a/security/hpn-ssh/Makefile b/security/hpn-ssh/Makefile
deleted file mode 100644
index 096b45944305..000000000000
--- a/security/hpn-ssh/Makefile
+++ /dev/null
@@ -1,145 +0,0 @@ -# New ports collection makefile for: openssh -# Date created: 18 Mar 1999 -# Whom: dwcjr@inethouston.net -# -# $FreeBSD$ -# - -PORTNAME= openssh -PORTVERSION= 3.5p1 -CATEGORIES= security ipv6 -MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \ - ftp://carroll.cac.psu.edu/pub/OpenBSD/OpenSSH/portable/ -PKGNAMESUFFIX?= -portable - -MAINTAINER= dinoex@FreeBSD.org - -MAN1= sftp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 scp.1 ssh.1 -MLINKS= ssh.1 slogin.1 -MAN5= ssh_config.5 sshd_config.5 -MAN8= sftp-server.8 sshd.8 ssh-keysign.8 - -CRYPTOLIBS= -L${OPENSSLLIB} -lcrypto -GNU_CONFIGURE= yes -CONFIGURE_ARGS+= --prefix=${PREFIX} --with-md5-passwords -PRECIOUS= ssh_config sshd_config \ - ssh_host_key ssh_host_key.pub \ - ssh_host_rsa_key ssh_host_rsa_key.pub \ - ssh_host_dsa_key ssh_host_dsa_key.pub -ETCOLD= ${PREFIX}/etc -ADDME+= auth2-pam-freebsd.c - -.if exists(/usr/include/security/pam_modules.h) -CONFIGURE_ARGS+= --with-pam -.endif - -.if exists(/usr/include/tcpd.h) -CONFIGURE_ARGS+= --with-tcp-wrappers -.endif - -.if !defined(ENABLE_SUID_SSH) -CONFIGURE_ARGS+= --disable-suid-ssh -.endif - -.if defined(OPENSSH_OVERWRITE_BASE) -USE_OPENSSL_BASE= yes -PKGNAMESUFFIX= -overwrite-base -PREFIX= /usr -MANPREFIX= ${PREFIX}/share -CONFIGURE_ARGS+= --mandir=${MANPREFIX}/man --localstatedir=/var -EMPTYDIR= /var/empty -ETCSSH= /etc/ssh -PLIST_SUB+= NOTBASE="@comment " -PLIST_SUB+= BASE="" -PKGMESSAGE= pkg-message.empty -.else -.if exists(/var/empty) -EMPTYDIR= /var/empty -.else -EMPTYDIR= ${PREFIX}/empty -.endif -ETCSSH= ${PREFIX}/etc/ssh -PLIST_SUB+= NOTBASE="" -PLIST_SUB+= BASE="@comment " -.endif -PLIST_SUB+= EMPTYDIR=${EMPTYDIR} -CONFIGURE_ARGS+= --sysconfdir=${ETCSSH} -CONFIGURE_ARGS+= --with-privsep-path=${EMPTYDIR} - -.if defined(BATCH) -EXTRA_PATCHES+= ${FILESDIR}/batch.patch -.endif - -post-extract: -.for i in ${ADDME} - @${CP} ${FILESDIR}/${i} ${WRKSRC}/ -.endfor - -.if defined(KRB5_HOME) && exists(${KRB5_HOME}) -BROKEN= patch 
conflicts with 3.5p1 -PKGNAMESUFFIX= -gssapi -GSSAPI_PATCH= ${PORTNAME}-3.4p1-gssapi-20020627.diff -GSSAPI_SITE= http://www.sxw.org.uk/computing/patches/ -MASTER_SITES+= ${GSSAPI_SITE} -DISTFILES= ${EXTRACT_ONLY} ${GSSAPI_PATCH} -EXTRACT_ONLY= ${PORTNAME}-${PORTVERSION}${EXTRACT_SUFX} -EXTRA_PATCHES+= ${FILESDIR}/servconf.c.patch -BUILD_DEPENDS= autoconf:${PORTSDIR}/devel/autoconf -# USE_AUTOCONF_VER= 252 # broken -CONFIGURE_ARGS+= --with-kerberos5=${KRB5_HOME} -AUTOCONF= autoconf -AUTOHEADER= autoheader - -post-patch: - @${ECHO_MSG} Applying extra patch for GSS-API key-exchange... - @${PATCH} ${PATCH_DIST_ARGS:S/-p0/-p1/} \ - < ${DISTDIR}/${GSSAPI_PATCH} - -pre-configure: - @${ECHO_MSG} !!!! Warning this option uses autoconf/autoheader !!! - (cd ${CONFIGURE_WRKSRC} && ${SETENV} ${AUTOCONF_ENV} ${AUTOCONF} \ - ${AUTOCONF_ARGS}) - (cd ${CONFIGURE_WRKSRC} && ${SETENV} ${AUTOCONF_ENV} ${AUTOHEADER}) -.endif - -post-configure: - ${SED} -e 's:__PREFIX__:${PREFIX}:g' \ - ${FILESDIR}/sshd.sh > ${WRKSRC}/sshd.sh - -pre-install: -.if defined(OPENSSH_OVERWRITE_BASE) - -${MKDIR} ${EMPTYDIR} -.else - -${MKDIR} ${PREFIX}/empty -.endif - if ! pw groupshow sshd; then pw groupadd sshd -g 22; fi - if ! pw usershow sshd; then pw useradd sshd -g sshd -u 22 \ - -h - -d ${EMPTYDIR} -s /nonexistent -c "sshd privilege separation"; fi - -@[ ! -d ${ETCSSH} ] && ${MKDIR} ${ETCSSH} -.for i in ${PRECIOUS} - -@[ -f ${ETCOLD}/${i} ] && [ ! -f ${ETCSSH}/${i} ] && \ - ${ECHO_MSG} ">> Linking ${ETCSSH}/${i} from old layout." 
&& \ - ${LN} ${ETCOLD}/${i} ${ETCSSH}/${i} -.endfor - -post-install: -.if !defined(OPENSSH_OVERWRITE_BASE) - ${INSTALL_SCRIPT} ${WRKSRC}/sshd.sh ${PREFIX}/etc/rc.d/sshd.sh.sample -.endif - ${INSTALL_DATA} -c ${WRKSRC}/ssh_config.out ${ETCSSH}/ssh_config-dist - ${INSTALL_DATA} -c ${WRKSRC}/sshd_config.out ${ETCSSH}/sshd_config-dist -.if !defined(OPENSSH_OVERWRITE_BASE) - @${CAT} ${PKGMESSAGE} -.endif - -test: - (cd ${WRKSRC}/regress && ${SETENV} ${MAKE_ENV} \ - PATH=${PREFIX}/bin:${PREFIX}/sbin:${PATH} \ - ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} ) - -.include <bsd.port.pre.mk> - -.include "${PORTSDIR}/security/openssl/Makefile.ssl" -CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE} - -.include <bsd.port.post.mk> diff --git a/security/hpn-ssh/distinfo b/security/hpn-ssh/distinfo deleted file mode 100644 index 17bee19d09e1..000000000000 --- a/security/hpn-ssh/distinfo +++ /dev/null @@ -1,2 +0,0 @@ -MD5 (openssh-3.5p1.tar.gz) = 42bd78508d208b55843c84dd54dea848 -MD5 (openssh-3.4p1-gssapi-20020627.diff) = bd58f041a44538ab532efe261c904973 diff --git a/security/hpn-ssh/files/auth2-pam-freebsd.c b/security/hpn-ssh/files/auth2-pam-freebsd.c deleted file mode 100644 index 8840a61f93a7..000000000000 --- a/security/hpn-ssh/files/auth2-pam-freebsd.c +++ /dev/null 
@@ -1,336 +0,0 @@ -/*- - * Copyright (c) 2002 Networks Associates Technology, Inc. - * All rights reserved. - * - * This software was developed for the FreeBSD Project by ThinkSec AS and - * NAI Labs, the Security Research Division of Network Associates, Inc. - * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the - * DARPA CHATS research program. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior written - * permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "includes.h" -RCSID("$FreeBSD: /tmp/pcvs/ports/security/hpn-ssh/files/Attic/auth2-pam-freebsd.c,v 1.4 2002-10-17 04:40:20 dinoex Exp $"); - -#ifdef USE_PAM -#include <security/pam_appl.h> - -#include "auth.h" -#include "buffer.h" -#include "bufaux.h" -#include "log.h" -#include "monitor_wrap.h" -#include "msg.h" -#include "packet.h" -#include "ssh2.h" -#include "xmalloc.h" - -struct pam_ctxt { - char *pam_user; - pid_t pam_pid; - int pam_sock; - int pam_done; -}; - -static void pam_free_ctx(void *); - -/* - * Conversation function for child process. - */ -static int -pam_child_conv(int n, - const struct pam_message **msg, - struct pam_response **resp, - void *data) -{ - Buffer buffer; - struct pam_ctxt *ctxt; - int i; - - ctxt = data; - if (n <= 0 || n > PAM_MAX_NUM_MSG) - return (PAM_CONV_ERR); - *resp = xmalloc(n * sizeof **resp); - buffer_init(&buffer); - for (i = 0; i < n; ++i) { - resp[i]->resp_retcode = 0; - resp[i]->resp = NULL; - switch (msg[i]->msg_style) { - case PAM_PROMPT_ECHO_OFF: - buffer_put_cstring(&buffer, msg[i]->msg); - ssh_msg_send(ctxt->pam_sock, msg[i]->msg_style, &buffer); - ssh_msg_recv(ctxt->pam_sock, &buffer); - if (buffer_get_char(&buffer) != PAM_AUTHTOK) - goto fail; - resp[i]->resp = buffer_get_string(&buffer, NULL); - break; - case PAM_PROMPT_ECHO_ON: - buffer_put_cstring(&buffer, msg[i]->msg); - ssh_msg_send(ctxt->pam_sock, msg[i]->msg_style, &buffer); - ssh_msg_recv(ctxt->pam_sock, &buffer); - if (buffer_get_char(&buffer) != PAM_AUTHTOK) - goto fail; - resp[i]->resp = buffer_get_string(&buffer, NULL); - break; - case PAM_ERROR_MSG: - buffer_put_cstring(&buffer, msg[i]->msg); - ssh_msg_send(ctxt->pam_sock, msg[i]->msg_style, &buffer); - break; - case PAM_TEXT_INFO: - buffer_put_cstring(&buffer, msg[i]->msg); - ssh_msg_send(ctxt->pam_sock, msg[i]->msg_style, &buffer); - break; - default: - goto fail; - } - buffer_clear(&buffer); - } - buffer_free(&buffer); - return (PAM_SUCCESS); - fail: - while (i) - xfree(resp[--i]); 
- xfree(*resp); - *resp = NULL; - buffer_free(&buffer); - return (PAM_CONV_ERR); -} - -/* - * Child process. - */ -static void * -pam_child(struct pam_ctxt *ctxt) -{ - Buffer buffer; - struct pam_conv pam_conv; - pam_handle_t *pamh; - int pam_err; - - pam_conv.conv = pam_child_conv; - pam_conv.appdata_ptr = ctxt; - buffer_init(&buffer); - setproctitle("%s [pam]", ctxt->pam_user); - pam_err = pam_start("sshd", ctxt->pam_user, &pam_conv, &pamh); - if (pam_err != PAM_SUCCESS) - goto auth_fail; - pam_err = pam_authenticate(pamh, 0); - if (pam_err != PAM_SUCCESS) - goto auth_fail; - pam_err = pam_acct_mgmt(pamh, 0); - if (pam_err != PAM_SUCCESS) - goto auth_fail; - buffer_put_cstring(&buffer, "OK"); - ssh_msg_send(ctxt->pam_sock, PAM_SUCCESS, &buffer); - buffer_free(&buffer); - pam_end(pamh, pam_err); - exit(0); - auth_fail: - buffer_put_cstring(&buffer, pam_strerror(pamh, pam_err)); - ssh_msg_send(ctxt->pam_sock, PAM_AUTH_ERR, &buffer); - buffer_free(&buffer); - pam_end(pamh, pam_err); - exit(0); -} - -static void -pam_cleanup(void *ctxtp) -{ - struct pam_ctxt *ctxt = ctxtp; - int status; - - close(ctxt->pam_sock); - kill(ctxt->pam_pid, SIGHUP); - waitpid(ctxt->pam_pid, &status, 0); -} - -static void * -pam_init_ctx(Authctxt *authctxt) -{ - struct pam_ctxt *ctxt; - int socks[2]; - int i; - - ctxt = xmalloc(sizeof *ctxt); - ctxt->pam_user = xstrdup(authctxt->user); - ctxt->pam_done = 0; - if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { - error("%s: failed create sockets: %s", - __func__, strerror(errno)); - xfree(ctxt); - return (NULL); - } - if ((ctxt->pam_pid = fork()) == -1) { - error("%s: failed to fork auth-pam child: %s", - __func__, strerror(errno)); - close(socks[0]); - close(socks[1]); - xfree(ctxt); - return (NULL); - } - if (ctxt->pam_pid == 0) { - /* close everything except our end of the pipe */ - ctxt->pam_sock = socks[1]; - for (i = 3; i < getdtablesize(); ++i) - if (i != ctxt->pam_sock) - close(i); - pam_child(ctxt); - /* not reached */ - 
exit(1); - } - ctxt->pam_sock = socks[0]; - close(socks[1]); - fatal_add_cleanup(pam_cleanup, ctxt); - return (ctxt); -} - -static int -pam_query(void *ctx, char **name, char **info, - u_int *num, char ***prompts, u_int **echo_on) -{ - Buffer buffer; - struct pam_ctxt *ctxt = ctx; - size_t plen; - u_char type; - char *msg; - - buffer_init(&buffer); - *name = xstrdup(""); - *info = xstrdup(""); - *prompts = xmalloc(sizeof(char *)); - **prompts = NULL; - plen = 0; - *echo_on = xmalloc(sizeof(u_int)); - while (ssh_msg_recv(ctxt->pam_sock, &buffer) == 0) { - type = buffer_get_char(&buffer); - msg = buffer_get_string(&buffer, NULL); - switch (type) { - case PAM_PROMPT_ECHO_ON: - case PAM_PROMPT_ECHO_OFF: - *num = 1; - **prompts = xrealloc(**prompts, plen + strlen(msg) + 1); - plen += sprintf(**prompts + plen, "%s", msg); - **echo_on = (type == PAM_PROMPT_ECHO_ON); - xfree(msg); - return (0); - case PAM_ERROR_MSG: - case PAM_TEXT_INFO: - /* accumulate messages */ - **prompts = xrealloc(**prompts, plen + strlen(msg) + 1); - plen += sprintf(**prompts + plen, "%s", msg); - xfree(msg); - break; - case PAM_SUCCESS: - case PAM_AUTH_ERR: - if (**prompts != NULL) { - /* drain any accumulated messages */ -#if 0 /* not compatible with privsep */ - packet_start(SSH2_MSG_USERAUTH_BANNER); - packet_put_cstring(**prompts); - packet_put_cstring(""); - packet_send(); - packet_write_wait(); -#endif - xfree(**prompts); - **prompts = NULL; - } - if (type == PAM_SUCCESS) { - *num = 0; - **echo_on = 0; - ctxt->pam_done = 1; - xfree(msg); - return (0); - } - error("%s", msg); - default: - *num = 0; - **echo_on = 0; - xfree(msg); - ctxt->pam_done = -1; - return (-1); - } - } - return (-1); -} - -static int -pam_respond(void *ctx, u_int num, char **resp) -{ - Buffer buffer; - struct pam_ctxt *ctxt = ctx; - char *msg; - - debug2(__func__); - switch (ctxt->pam_done) { - case 1: - return (0); - case 0: - break; - default: - return (-1); - } - if (num != 1) { - error("expected one response, got 
%u", num); - return (-1); - } - buffer_init(&buffer); - buffer_put_cstring(&buffer, *resp); - ssh_msg_send(ctxt->pam_sock, PAM_AUTHTOK, &buffer); - buffer_free(&buffer); - return (1); -} - -static void -pam_free_ctx(void *ctxtp) -{ - struct pam_ctxt *ctxt = ctxtp; - int status; - - fatal_remove_cleanup(pam_cleanup, ctxt); - close(ctxt->pam_sock); - kill(ctxt->pam_pid, SIGHUP); - waitpid(ctxt->pam_pid, &status, 0); - xfree(ctxt->pam_user); - xfree(ctxt); -} - -KbdintDevice pam_device = { - "pam", - pam_init_ctx, - pam_query, - pam_respond, - pam_free_ctx -}; - -KbdintDevice mm_pam_device = { - "pam", - mm_pam_init_ctx, - mm_pam_query, - mm_pam_respond, - mm_pam_free_ctx -}; - -#endif /* USE_PAM */ diff --git a/security/hpn-ssh/files/batch.patch b/security/hpn-ssh/files/batch.patch deleted file mode 100644 index 1e99a5d92180..000000000000 --- a/security/hpn-ssh/files/batch.patch +++ /dev/null 
@@ -1,36 +0,0 @@ ---- Makefile.in.orig Sun Jul 14 19:02:21 2002 -+++ Makefile.in Sat Oct 26 05:49:23 2002 -@@ -198,7 +198,7 @@ - $(AUTORECONF) - (cd scard && $(MAKE) -f Makefile.in distprep) - --install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files host-key check-config -+install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files check-config - install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files - - check-config: -@@ -251,24 +251,6 @@ - ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 - if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \ - $(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \ -- fi -- @if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config ]; then \ -- $(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \ -- else \ -- echo "$(DESTDIR)$(sysconfdir)/ssh_config already exists, install will not overwrite"; \ -- fi -- @if [ ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \ -- $(INSTALL) -m 644 sshd_config.out $(DESTDIR)$(sysconfdir)/sshd_config; \ -- else \ -- echo "$(DESTDIR)$(sysconfdir)/sshd_config already exists, install will not overwrite"; \ -- fi -- @if [ -f ssh_prng_cmds -a ! -z "$(INSTALL_SSH_PRNG_CMDS)" ]; then \ -- $(PERL) $(srcdir)/fixprogs ssh_prng_cmds $(ENT); \ -- if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_prng_cmds ] ; then \ -- $(INSTALL) -m 644 ssh_prng_cmds.out $(DESTDIR)$(sysconfdir)/ssh_prng_cmds; \ -- else \ -- echo "$(DESTDIR)$(sysconfdir)/ssh_prng_cmds already exists, install will not overwrite"; \ -- fi ; \ - fi - @if [ ! -f $(DESTDIR)$(sysconfdir)/moduli ]; then \ - if [ -f $(DESTDIR)$(sysconfdir)/primes ]; then \ diff --git a/security/hpn-ssh/files/patch-Makefile.in b/security/hpn-ssh/files/patch-Makefile.in deleted file mode 100644 index d354787aeee4..000000000000 --- a/security/hpn-ssh/files/patch-Makefile.in +++ /dev/null 
@@ -1,11 +0,0 @@ ---- Makefile.in.orig Wed Jun 26 01:45:42 2002 -+++ Makefile.in Mon Jul 22 07:24:41 2002 -@@ -70,6 +70,8 @@ - MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5 - MANTYPE = @MANTYPE@ - -+SSHDOBJS+= auth2-pam-freebsd.o -+ - CONFIGFILES=sshd_config.out ssh_config.out moduli.out - CONFIGFILES_IN=sshd_config ssh_config moduli - diff --git a/security/hpn-ssh/files/patch-auth.c b/security/hpn-ssh/files/patch-auth.c deleted file mode 100644 index e8f640a16936..000000000000 --- a/security/hpn-ssh/files/patch-auth.c +++ /dev/null @@ -1,29 +0,0 @@ ---- auth.c.orig Tue Mar 5 02:42:43 2002 -+++ auth.c Sun Mar 17 20:53:15 2002 -@@ -193,6 +193,17 @@ - } - #endif /* WITH_AIXAUTHENTICATE */ - -+#ifdef __FreeBSD__ -+ /* Fail if the account's expiration time has passed. */ -+ if (pw->pw_expire != 0) { -+ struct timeval tv; -+ -+ (void)gettimeofday(&tv, NULL); -+ if (tv.tv_sec >= pw->pw_expire) -+ return 0; -+ } -+#endif /* __FreeBSD__ */ -+ - /* We found no reason not to let this user try to log on... */ - return 1; - } -@@ -490,7 +480,7 @@ - if (pw == NULL || !allowed_user(pw)) - return (NULL); - #ifdef HAVE_LOGIN_CAP -- if ((lc = login_getclass(pw->pw_class)) == NULL) { -+ if ((lc = login_getpwclass(pw)) == NULL) { - debug("unable to get login class: %s", user); - return (NULL); - } diff --git a/security/hpn-ssh/files/patch-auth1.c b/security/hpn-ssh/files/patch-auth1.c deleted file mode 100644 index e8ecdbef3917..000000000000 --- a/security/hpn-ssh/files/patch-auth1.c +++ /dev/null 
@@ -1,64 +0,0 @@ ---- auth1.c.orig Fri Jun 21 08:21:11 2002 -+++ auth1.c Fri Jun 28 06:57:42 2002 -@@ -26,6 +26,7 @@ - #include "session.h" - #include "uidswap.h" - #include "monitor_wrap.h" -+#include "canohost.h" - - /* import */ - extern ServerOptions options; -@@ -75,6 +76,18 @@ - u_int ulen; - int type = 0; - struct passwd *pw = authctxt->pw; -+#ifdef HAVE_LOGIN_CAP -+ login_cap_t *lc; -+#endif -+#ifdef USE_PAM -+ struct inverted_pam_cookie *pam_cookie; -+#endif /* USE_PAM */ -+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS) -+ const char *from_host, *from_ip; -+ -+ from_host = get_canonical_hostname(options.verify_reverse_mapping); -+ from_ip = get_remote_ipaddr(); -+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */ - - debug("Attempting authentication for %s%.100s.", - authctxt->valid ? "" : "illegal user ", authctxt->user); -@@ -282,6 +295,34 @@ - log("Unknown message during authentication: type %d", type); - break; - } -+ -+#ifdef HAVE_LOGIN_CAP -+ if (pw != NULL) { -+ lc = login_getpwclass(pw); -+ if (lc == NULL) -+ lc = login_getclassbyname(NULL, pw); -+ if (!auth_hostok(lc, from_host, from_ip)) { -+ log("Denied connection for %.200s from %.200s [%.200s].", -+ pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); -+ } -+ if (!auth_timeok(lc, time(NULL))) { -+ log("LOGIN %.200s REFUSED (TIME) FROM %.200s", -+ pw->pw_name, from_host); -+ packet_disconnect("Logins not available right now."); -+ } -+ login_close(lc); -+ lc = NULL; -+ } -+#endif /* HAVE_LOGIN_CAP */ -+#ifdef LOGIN_ACCESS -+ if (pw != NULL && !login_access(pw->pw_name, from_host)) { -+ log("Denied connection for %.200s from %.200s [%.200s].", -+ pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); -+ } -+#endif /* LOGIN_ACCESS */ -+ - #ifdef BSD_AUTH - if (authctxt->as) { - auth_close(authctxt->as); 
diff --git a/security/hpn-ssh/files/patch-auth2-chall.c b/security/hpn-ssh/files/patch-auth2-chall.c deleted file mode 100644 index 77b5778ac6af..000000000000 --- a/security/hpn-ssh/files/patch-auth2-chall.c +++ /dev/null @@ -1,48 +0,0 @@ ---- auth2-chall.c.orig Wed Jun 26 15:58:40 2002 -+++ auth2-chall.c Sun Jun 30 07:12:43 2002 -@@ -41,6 +42,9 @@ - #ifdef BSD_AUTH - extern KbdintDevice bsdauth_device; - #else -+#ifdef USE_PAM -+extern KbdintDevice pam_device; -+#endif - #ifdef SKEY - extern KbdintDevice skey_device; - #endif -@@ -50,6 +54,9 @@ - #ifdef BSD_AUTH - &bsdauth_device, - #else -+#ifdef USE_PAM -+ &pam_device, -+#endif - #ifdef SKEY - &skey_device, - #endif -@@ -323,15 +330,22 @@ - #ifdef BSD_AUTH - extern KbdintDevice mm_bsdauth_device; - #endif -+#ifdef USE_PAM -+ extern KbdintDevice mm_pam_device; -+#endif - #ifdef SKEY - extern KbdintDevice mm_skey_device; - #endif -- /* As long as SSHv1 has devices[0] hard coded this is fine */ -+ int n = 0; -+ - #ifdef BSD_AUTH -- devices[0] = &mm_bsdauth_device; -+ devices[n++] = &mm_bsdauth_device; - #else -+#ifdef USE_PAM -+ devices[n++] = &mm_pam_device; -+#endif - #ifdef SKEY -- devices[0] = &mm_skey_device; -+ devices[n++] = &mm_skey_device; - #endif - #endif - } diff --git a/security/hpn-ssh/files/patch-auth2.c b/security/hpn-ssh/files/patch-auth2.c deleted file mode 100644 index 8d999bf1bbd9..000000000000 --- a/security/hpn-ssh/files/patch-auth2.c +++ /dev/null 
@@ -1,68 +0,0 @@ ---- auth2.c.orig Fri Jun 21 08:21:11 2002 -+++ auth2.c Fri Jun 28 06:57:56 2002 -@@ -35,6 +35,7 @@ - #include "dispatch.h" - #include "pathnames.h" - #include "monitor_wrap.h" -+#include "canohost.h" - - /* import */ - extern ServerOptions options; -@@ -137,6 +138,15 @@ - Authmethod *m = NULL; - char *user, *service, *method, *style = NULL; - int authenticated = 0; -+#ifdef HAVE_LOGIN_CAP -+ login_cap_t *lc; -+#endif /* HAVE_LOGIN_CAP */ -+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS) -+ const char *from_host, *from_ip; -+ -+ from_host = get_canonical_hostname(options.verify_reverse_mapping); -+ from_ip = get_remote_ipaddr(); -+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */ - - if (authctxt == NULL) - fatal("input_userauth_request: no authctxt"); -@@ -178,6 +188,41 @@ - "(%s,%s) -> (%s,%s)", - authctxt->user, authctxt->service, user, service); - } -+ -+#ifdef HAVE_LOGIN_CAP -+ if (authctxt->pw != NULL) { -+ lc = login_getpwclass(authctxt->pw); -+ if (lc == NULL) -+ lc = login_getclassbyname(NULL, authctxt->pw); -+ if (!auth_hostok(lc, from_host, from_ip)) { -+ log("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); -+ } -+ if (!auth_timeok(lc, time(NULL))) { -+ log("LOGIN %.200s REFUSED (TIME) FROM %.200s", -+ authctxt->pw->pw_name, from_host); -+ packet_disconnect("Logins not available right now."); -+ } -+ login_close(lc); -+ lc = NULL; -+ } -+#endif /* HAVE_LOGIN_CAP */ -+#ifdef LOGIN_ACCESS -+ if (authctxt->pw != NULL && -+ !login_access(authctxt->pw->pw_name, from_host)) { -+ log("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); -+ } -+#endif /* LOGIN_ACCESS */ -+#ifdef BSD_AUTH -+ if (authctxt->as) { -+ auth_close(authctxt->as); -+ authctxt->as = NULL; -+ } -+#endif -+ - /* reset state */ - 
auth2_challenge_stop(authctxt); - authctxt->postponed = 0; diff --git a/security/hpn-ssh/files/patch-clientloop.c b/security/hpn-ssh/files/patch-clientloop.c deleted file mode 100644 index 67fc4dcb4f6b..000000000000 --- a/security/hpn-ssh/files/patch-clientloop.c +++ /dev/null @@ -1,11 +0,0 @@ ---- clientloop.c.orig Fri Apr 20 09:17:51 2001 -+++ clientloop.c Sat May 26 15:18:51 2001 -@@ -1131,7 +1131,7 @@ - - if (strcmp(ctype, "forwarded-tcpip") == 0) { - c = client_request_forwarded_tcpip(ctype, rchan); -- } else if (strcmp(ctype, "x11") == 0) { -+ } else if (strcmp(ctype, "x11") == 0 && options.forward_x11) { - c = client_request_x11(ctype, rchan); - } else if (strcmp(ctype, "auth-agent@openssh.com") == 0) { - c = client_request_agent(ctype, rchan); diff --git a/security/hpn-ssh/files/patch-loginrec.c b/security/hpn-ssh/files/patch-loginrec.c deleted file mode 100644 index 37993edf2097..000000000000 --- a/security/hpn-ssh/files/patch-loginrec.c +++ /dev/null @@ -1,25 +0,0 @@ ---- loginrec.c.orig Thu Sep 26 02:38:49 2002 -+++ loginrec.c Mon Oct 21 06:51:34 2002 -@@ -172,6 +172,9 @@ - #ifdef HAVE_LIBUTIL_H - # include <libutil.h> - #endif -+#ifdef __FreeBSD__ -+#include <osreldate.h> -+#endif - - /** - ** prototypes for helper functions in this file -@@ -654,7 +657,12 @@ - /* Use strncpy because we don't necessarily want null termination */ - strncpy(ut->ut_name, li->username, MIN_SIZEOF(ut->ut_name, li->username)); - # ifdef HAVE_HOST_IN_UTMP -+# if defined(__FreeBSD__) && __FreeBSD_version <= 400000 - strncpy(ut->ut_host, li->hostname, MIN_SIZEOF(ut->ut_host, li->hostname)); -+# else -+ realhostname_sa(ut->ut_host, sizeof ut->ut_host, -+ &li->hostaddr.sa, li->hostaddr.sa.sa_len); -+# endif - # endif - # ifdef HAVE_ADDR_IN_UTMP - /* this is just a 32-bit IP address */ diff --git a/security/hpn-ssh/files/patch-monitor.c b/security/hpn-ssh/files/patch-monitor.c deleted file mode 100644 index cca169c55f02..000000000000 
--- a/security/hpn-ssh/files/patch-monitor.c
+++ /dev/null
@@ -1,137 +0,0 @@ ---- monitor.c.orig Wed Jun 26 15:27:11 2002 -+++ monitor.c Mon Jul 15 21:33:45 2002 -@@ -118,6 +118,10 @@ - - #ifdef USE_PAM - int mm_answer_pam_start(int, Buffer *); -+int mm_answer_pam_init_ctx(int, Buffer *); -+int mm_answer_pam_query(int, Buffer *); -+int mm_answer_pam_respond(int, Buffer *); -+int mm_answer_pam_free_ctx(int, Buffer *); - #endif - - static Authctxt *authctxt; -@@ -156,6 +160,10 @@ - {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, - #ifdef USE_PAM - {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, -+ {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx}, -+ {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, -+ {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, -+ {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, - #endif - #ifdef BSD_AUTH - {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, -@@ -198,6 +206,10 @@ - #endif - #ifdef USE_PAM - {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, -+ {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx}, -+ {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, -+ {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, -+ {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, - #endif - {0, 0, NULL} - }; -@@ -732,6 +744,101 @@ - xfree(user); - - return (0); -+} -+ -+static void *pam_ctxt, *pam_authok; -+extern KbdintDevice pam_device; -+ -+int -+mm_answer_pam_init_ctx(int socket, Buffer *m) -+{ -+ -+ debug3("%s", __func__); -+ authctxt->user = buffer_get_string(m, NULL); -+ pam_ctxt = (pam_device.init_ctx)(authctxt); -+ pam_authok = NULL; -+ buffer_clear(m); -+ if (pam_ctxt != NULL) { -+ monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1); -+ buffer_put_int(m, 1); -+ } else { -+ buffer_put_int(m, 0); -+ } -+ mm_request_send(socket, MONITOR_ANS_PAM_INIT_CTX, m); -+ return (0); -+} -+ -+int -+mm_answer_pam_query(int socket, Buffer *m) -+{ -+ char 
*name, *info, **prompts; -+ u_int num, *echo_on; -+ int i, ret; -+ -+ debug3("%s", __func__); -+ pam_authok = NULL; -+ ret = (pam_device.query)(pam_ctxt, &name, &info, &num, &prompts, &echo_on); -+ if (num > 1 || name == NULL || info == NULL) -+ ret = -1; -+ buffer_clear(m); -+ buffer_put_int(m, ret); -+ buffer_put_cstring(m, name); -+ xfree(name); -+ buffer_put_cstring(m, info); -+ xfree(info); -+ buffer_put_int(m, num); -+ for (i = 0; i < num; ++i) { -+ buffer_put_cstring(m, prompts[i]); -+ xfree(prompts[i]); -+ buffer_put_int(m, echo_on[i]); -+ } -+ if (prompts != NULL) -+ xfree(prompts); -+ if (echo_on != NULL) -+ xfree(echo_on); -+ mm_request_send(socket, MONITOR_ANS_PAM_QUERY, m); -+ return (0); -+} -+ -+int -+mm_answer_pam_respond(int socket, Buffer *m) -+{ -+ char **resp; -+ u_int num; -+ int i, ret; -+ -+ debug3("%s", __func__); -+ pam_authok = NULL; -+ num = buffer_get_int(m); -+ if (num > 0) { -+ resp = xmalloc(num * sizeof(char *)); -+ for (i = 0; i < num; ++i) -+ resp[i] = buffer_get_string(m, NULL); -+ ret = (pam_device.respond)(pam_ctxt, num, resp); -+ for (i = 0; i < num; ++i) -+ xfree(resp[i]); -+ xfree(resp); -+ } else { -+ ret = (pam_device.respond)(pam_ctxt, num, NULL); -+ } -+ buffer_clear(m); -+ buffer_put_int(m, ret); -+ mm_request_send(socket, MONITOR_ANS_PAM_RESPOND, m); -+ auth_method = "keyboard-interactive/pam"; -+ if (ret == 0) -+ pam_authok = pam_ctxt; -+ return (0); -+} -+ -+int -+mm_answer_pam_free_ctx(int socket, Buffer *m) -+{ -+ -+ debug3("%s", __func__); -+ (pam_device.free_ctx)(pam_ctxt); -+ buffer_clear(m); -+ mm_request_send(socket, MONITOR_ANS_PAM_FREE_CTX, m); -+ return (pam_authok == pam_ctxt); - } - #endif - diff --git a/security/hpn-ssh/files/patch-monitor.h b/security/hpn-ssh/files/patch-monitor.h deleted file mode 100644 index 2c42831b40ab..000000000000 --- a/security/hpn-ssh/files/patch-monitor.h +++ /dev/null 
@@ -1,13 +0,0 @@ ---- monitor.h.orig Tue Jun 11 18:42:49 2002 -+++ monitor.h Sun Jun 30 07:13:09 2002 -@@ -50,6 +51,10 @@ - MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, - MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, - MONITOR_REQ_PAM_START, -+ MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, -+ MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY, -+ MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND, -+ MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX, - MONITOR_REQ_TERM - }; - diff --git a/security/hpn-ssh/files/patch-monitor_wrap.c b/security/hpn-ssh/files/patch-monitor_wrap.c deleted file mode 100644 index 99ad633a6028..000000000000 --- a/security/hpn-ssh/files/patch-monitor_wrap.c +++ /dev/null 
@@ -1,107 +0,0 @@
---- monitor_wrap.c.orig Fri Jun 21 02:43:43 2002
-+++ monitor_wrap.c Sun Jun 30 07:13:18 2002
-@@ -664,6 +665,88 @@
-
- buffer_free(&m);
- }
-+
-+void *
-+mm_pam_init_ctx(Authctxt *authctxt)
-+{
-+ Buffer m;
-+ int success;
-+
-+ debug3("%s", __func__);
-+ buffer_init(&m);
-+ buffer_put_cstring(&m, authctxt->user);
-+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
-+ debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
-+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
-+ success = buffer_get_int(&m);
-+ if (success == 0) {
-+ debug3("%s: pam_init_ctx failed", __func__);
-+ buffer_free(&m);
-+ return (NULL);
-+ }
-+ buffer_free(&m);
-+ return (authctxt);
-+}
-+
-+int
-+mm_pam_query(void *ctx, char **name, char **info,
-+ u_int *num, char ***prompts, u_int **echo_on)
-+{
-+ Buffer m;
-+ int i, ret;
-+
-+ debug3("%s", __func__);
-+ buffer_init(&m);
-+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_QUERY, &m);
-+ debug3("%s: waiting for MONITOR_ANS_PAM_QUERY", __func__);
-+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_QUERY, &m);
-+ ret = buffer_get_int(&m);
-+ debug3("%s: pam_query returned %d", __func__, ret);
-+ *name = buffer_get_string(&m, NULL);
-+ *info = buffer_get_string(&m, NULL);
-+ *num = buffer_get_int(&m);
-+ *prompts = xmalloc((*num + 1) * sizeof(char *));
-+ *echo_on = xmalloc((*num + 1) * sizeof(u_int));
-+ for (i = 0; i < *num; ++i) {
-+ (*prompts)[i] = buffer_get_string(&m, NULL);
-+ (*echo_on)[i] = buffer_get_int(&m);
-+ }
-+ buffer_free(&m);
-+ return (ret);
-+}
-+
-+int
-+mm_pam_respond(void *ctx, u_int num, char **resp)
-+{
-+ Buffer m;
-+ int i, ret;
-+
-+ debug3("%s", __func__);
-+ buffer_init(&m);
-+ buffer_put_int(&m, num);
-+ for (i = 0; i < num; ++i)
-+ buffer_put_cstring(&m, resp[i]);
-+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, &m);
-+ debug3("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__);
-+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_RESPOND, &m);
-+ ret = buffer_get_int(&m);
-+ debug3("%s: pam_respond returned %d", __func__, ret);
-+ buffer_free(&m);
-+ return (ret);
-+}
-+
-+void
-+mm_pam_free_ctx(void *ctxtp)
-+{
-+ Buffer m;
-+
-+ debug3("%s", __func__);
-+ buffer_init(&m);
-+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_FREE_CTX, &m);
-+ debug3("%s: waiting for MONITOR_ANS_PAM_FREE_CTX", __func__);
-+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_FREE_CTX, &m);
-+ buffer_free(&m);
-+}
- #endif /* USE_PAM */
-
- /* Request process termination */
-@@ -767,6 +850,7 @@
- return ((authok == 0) ? -1 : 0);
- }
-
-+#ifdef SKEY
- int
- mm_skey_query(void *ctx, char **name, char **infotxt,
- u_int *numprompts, char ***prompts, u_int **echo_on)
-@@ -829,6 +913,7 @@
-
- return ((authok == 0) ? -1 : 0);
- }
-+#endif
-
- void
- mm_ssh1_session_id(u_char session_id[16])
diff --git a/security/hpn-ssh/files/patch-monitor_wrap.h b/security/hpn-ssh/files/patch-monitor_wrap.h
deleted file mode 100644
index e4495c7ba12e..000000000000
--- a/security/hpn-ssh/files/patch-monitor_wrap.h
+++ /dev/null
@@ -1,13 +0,0 @@
---- monitor_wrap.h.orig Mon May 13 03:07:42 2002
-+++ monitor_wrap.h Sun Jun 30 07:13:18 2002
-@@ -57,6 +58,10 @@
-
- #ifdef USE_PAM
- void mm_start_pam(char *);
-+void *mm_pam_init_ctx(struct Authctxt *);
-+int mm_pam_query(void *, char **, char **, u_int *, char ***, u_int **);
-+int mm_pam_respond(void *, u_int, char **);
-+void mm_pam_free_ctx(void *);
- #endif
-
- void mm_terminate(void);
diff --git a/security/hpn-ssh/files/patch-session.c b/security/hpn-ssh/files/patch-session.c
deleted file mode 100644
index 7ec065eab175..000000000000
--- a/security/hpn-ssh/files/patch-session.c
+++ /dev/null
@@ -1,334 +0,0 @@
---- session.c.orig Thu Sep 26 02:38:50 2002
-+++ session.c Mon Oct 21 06:49:56 2002
-@@ -64,6 +64,11 @@
- #define is_winnt (GetVersion() < 0x80000000)
- #endif
-
-+#ifdef __FreeBSD__
-+#include <syslog.h>
-+#define _PATH_CHPASS "/usr/bin/passwd"
-+#endif /* __FreeBSD__ */
-+
- /* func */
-
- Session *session_new(void);
-@@ -469,6 +474,13 @@
- log_init(__progname, options.log_level, options.log_facility, log_stderr);
-
- /*
-+ * Using login and executing a specific "command" are mutually
-+ * exclusive, so turn off use_login if there's a command.
-+ */
-+ if (command != NULL)
-+ options.use_login = 0;
-+
-+ /*
- * Create a new session and process group since the 4.4BSD
- * setlogin() affects the entire process group.
- */
-@@ -574,6 +586,9 @@
- {
- int fdout, ptyfd, ttyfd, ptymaster;
- pid_t pid;
-+#if defined(USE_PAM)
-+ const char *shorttty;
-+#endif
-
- if (s == NULL)
- fatal("do_exec_pty: no session");
-@@ -581,7 +596,16 @@
- ttyfd = s->ttyfd;
-
- #if defined(USE_PAM)
-- do_pam_session(s->pw->pw_name, s->tty);
-+ /* check if we have a pathname in the ttyname */
-+ shorttty = rindex( s->tty, '/' );
-+ if (shorttty != NULL ) {
-+ /* use only the short filename to check */
-+ shorttty ++;
-+ } else {
-+ /* nothing found, use the whole name found */
-+ shorttty = s->tty;
-+ }
-+ do_pam_session(s->pw->pw_name, shorttty);
- do_pam_setcred(1);
- #endif
-
-@@ -591,6 +615,14 @@
-
- /* Child. Reinitialize the log because the pid has changed. */
- log_init(__progname, options.log_level, options.log_facility, log_stderr);
-+
-+ /*
-+ * Using login and executing a specific "command" are mutually
-+ * exclusive, so turn off use_login if there's a command.
-+ */
-+ if (command != NULL)
-+ options.use_login = 0;
-+
- /* Close the master side of the pseudo tty. */
- close(ptyfd);
-
-@@ -724,6 +756,18 @@
- struct sockaddr_storage from;
- struct passwd * pw = s->pw;
- pid_t pid = getpid();
-+#ifdef HAVE_LOGIN_CAP
-+ FILE *f;
-+ char buf[256];
-+ char *fname;
-+ const char *shorttty;
-+#endif /* HAVE_LOGIN_CAP */
-+#ifdef __FreeBSD__
-+#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
-+ char *newcommand;
-+ struct timeval tv;
-+ time_t warntime = DEFAULT_WARN;
-+#endif /* __FreeBSD__ */
-
- /*
- * Get IP address of client. If the connection is not a socket, let
-@@ -757,6 +801,72 @@
- }
- #endif
-
-+#ifdef __FreeBSD__
-+ if (pw->pw_change || pw->pw_expire)
-+ (void)gettimeofday(&tv, NULL);
-+#ifdef HAVE_LOGIN_CAP
-+ warntime = login_getcaptime(lc, "warnpassword",
-+ DEFAULT_WARN, DEFAULT_WARN);
-+#endif /* HAVE_LOGIN_CAP */
-+ /*
-+ * If the password change time is set and has passed, give the
-+ * user a password expiry notice and chance to change it.
-+ */
-+ if (pw->pw_change != 0) {
-+ if (tv.tv_sec >= pw->pw_change) {
-+ (void)printf(
-+ "Sorry -- your password has expired.\n");
-+ log("%s Password expired - forcing change",
-+ pw->pw_name);
-+ if (newcommand != NULL)
-+ xfree(newcommand);
-+ newcommand = xstrdup(_PATH_CHPASS);
-+ } else if (pw->pw_change - tv.tv_sec < warntime &&
-+ !check_quietlogin(s, command))
-+ (void)printf(
-+ "Warning: your password expires on %s",
-+ ctime(&pw->pw_change));
-+ }
-+
-+#ifndef USE_PAM
-+ if (pw->pw_expire) {
-+ if (tv.tv_sec >= pw->pw_expire) {
-+ (void)printf(
-+ "Sorry -- your account has expired.\n");
-+ log(
-+ "LOGIN %.200s REFUSED (EXPIRED) FROM %.200s ON TTY %.200s",
-+ pw->pw_name, get_remote_name_or_ip(utmp_len,
-+ options.verify_reverse_mapping), s->tty);
-+ exit(254);
-+ } else if (pw->pw_expire - tv.tv_sec < warntime &&
-+ !check_quietlogin(s, command))
-+ (void)printf(
-+ "Warning: your account expires on %s",
-+ ctime(&pw->pw_expire));
-+ }
-+#endif /* !USE_PAM */
-+#endif /* __FreeBSD__ */
-+
-+#ifdef HAVE_LOGIN_CAP
-+ /* check if we have a pathname in the ttyname */
-+ shorttty = rindex( s->tty, '/' );
-+ if (shorttty != NULL ) {
-+ /* use only the short filename to check */
-+ shorttty ++;
-+ } else {
-+ /* nothing found, use the whole name found */
-+ shorttty = s->tty;
-+ }
-+ if (!auth_ttyok(lc, shorttty)) {
-+ (void)printf("Permission denied.\n");
-+ log(
-+ "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
-+ pw->pw_name, get_remote_name_or_ip(utmp_len,
-+ options.verify_reverse_mapping), s->tty);
-+ exit(254);
-+ }
-+#endif /* HAVE_LOGIN_CAP */
-+
- if (check_quietlogin(s, command))
- return;
-
-@@ -770,7 +880,17 @@
- #endif /* WITH_AIXAUTHENTICATE */
-
- #ifndef NO_SSH_LASTLOG
-- if (options.print_lastlog && s->last_login_time != 0) {
-+ /*
-+ * If the user has logged in before, display the time of last
-+ * login. However, don't display anything extra if a command
-+ * has been specified (so that ssh can be used to execute
-+ * commands on a remote machine without users knowing they
-+ * are going to another machine). Login(1) will do this for
-+ * us as well, so check if login(1) is used
-+ */
-+ if (command == NULL && options.print_lastlog &&
-+ s->last_login_time != 0 &&
-+ !options.use_login) {
- time_string = ctime(&s->last_login_time);
- if (strchr(time_string, '\n'))
- *strchr(time_string, '\n') = 0;
-@@ -782,7 +902,30 @@
- }
- #endif /* NO_SSH_LASTLOG */
-
-- do_motd();
-+#ifdef HAVE_LOGIN_CAP
-+ if (command == NULL &&
-+ !options.use_login) {
-+ fname = login_getcapstr(lc, "copyright", NULL, NULL);
-+ if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
-+ while (fgets(buf, sizeof(buf), f) != NULL)
-+ fputs(buf, stdout);
-+ fclose(f);
-+ } else
-+ (void)printf("%s\n\t%s %s\n",
-+ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
-+ "The Regents of the University of California. ",
-+ "All rights reserved.");
-+ }
-+#endif /* HAVE_LOGIN_CAP */
-+
-+ /*
-+ * Print /etc/motd unless a command was specified or printing
-+ * it was disabled in server options or login(1) will be
-+ * used. Note that some machines appear to print it in
-+ * /etc/profile or similar.
-+ */
-+ if (command == NULL && !options.use_login)
-+ do_motd();
- }
-
- /*
-@@ -798,9 +941,9 @@
- #ifdef HAVE_LOGIN_CAP
- f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
- "/etc/motd"), "r");
--#else
-+#else /* !HAVE_LOGIN_CAP */
- f = fopen("/etc/motd", "r");
--#endif
-+#endif /* HAVE_LOGIN_CAP */
- if (f) {
- while (fgets(buf, sizeof(buf), f))
- fputs(buf, stdout);
-@@ -827,10 +970,10 @@
- #ifdef HAVE_LOGIN_CAP
- if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0)
- return 1;
--#else
-+#else /* HAVE_LOGIN_CAP */
- if (stat(buf, &st) >= 0)
- return 1;
--#endif
-+#endif /* HAVE_LOGIN_CAP */
- return 0;
- }
-
-@@ -950,6 +1093,10 @@
- char buf[256];
- u_int i, envsize;
- char **env;
-+#ifdef HAVE_LOGIN_CAP
-+ extern char **environ;
-+ char **senv, **var;
-+#endif /* HAVE_LOGIN_CAP */
- struct passwd *pw = s->pw;
-
- /* Initialize the environment. */
-@@ -957,6 +1104,9 @@
- env = xmalloc(envsize * sizeof(char *));
- env[0] = NULL;
-
-+ /* Moved up to resove confict with gsssapi patches */
-+ if (getenv("TZ"))
-+ child_set_env(&env, &envsize, "TZ", getenv("TZ"));
- #ifdef HAVE_CYGWIN
- /*
- * The Windows environment contains some setting which are
-@@ -998,9 +1148,21 @@
-
- /* Normal systems set SHELL by default. */
- child_set_env(&env, &envsize, "SHELL", shell);
-+#ifdef HAVE_LOGIN_CAP
-+ senv = environ;
-+ environ = xmalloc(sizeof(char *));
-+ *environ = NULL;
-+ if (setusercontext(lc, pw, pw->pw_uid,
-+ LOGIN_SETENV|LOGIN_SETPATH) < 0) {
-+ perror("unable to set user context enviroment");
-+ }
-+ copy_environment(environ, &env, &envsize);
-+ for (var = environ; *var != NULL; ++var)
-+ xfree(*var);
-+ xfree(environ);
-+ environ = senv;
-+#endif /* HAVE_LOGIN_CAP */
- }
-- if (getenv("TZ"))
-- child_set_env(&env, &envsize, "TZ", getenv("TZ"));
-
- /* Set custom environment options from RSA authentication. */
- if (!options.use_login) {
-@@ -1208,7 +1370,7 @@
- setpgid(0, 0);
- # endif
- if (setusercontext(lc, pw, pw->pw_uid,
-- (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) {
-+ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH))) < 0) {
- perror("unable to set user context");
- exit(1);
- }
-@@ -1362,7 +1524,7 @@
- * initgroups, because at least on Solaris 2.3 it leaves file
- * descriptors open.
- */
-- for (i = 3; i < 64; i++)
-+ for (i = 3; i < getdtablesize(); i++)
- close(i);
-
- /*
-@@ -1392,6 +1554,31 @@
- exit(1);
- #endif
- }
-+
-+#ifdef __FreeBSD__
-+ if (!options.use_login) {
-+ /*
-+ * If the password change time is set and has passed, give the
-+ * user a password expiry notice and chance to change it.
-+ */
-+ if (pw->pw_change != 0) {
-+ struct timeval tv;
-+
-+ (void)gettimeofday(&tv, NULL);
-+ if (tv.tv_sec >= pw->pw_change) {
-+ (void)printf(
-+ "Sorry -- your password has expired.\n");
-+ syslog(LOG_INFO,
-+ "%s Password expired - forcing change",
-+ pw->pw_name);
-+ if (system("/usr/bin/passwd") != 0) {
-+ perror("/usr/bin/passwd");
-+ exit(1);
-+ }
-+ }
-+ }
-+#endif /* __FreeBSD__ */
-
- if (!options.use_login)
- do_rc_files(s, shell);
diff --git a/security/hpn-ssh/files/patch-sshd.c b/security/hpn-ssh/files/patch-sshd.c
deleted file mode 100644
index 09665a42d7bd..000000000000
--- a/security/hpn-ssh/files/patch-sshd.c
+++ /dev/null
@@ -1,31 +0,0 @@
---- sshd.c.orig Wed Jun 26 01:24:19 2002
-+++ sshd.c Thu Jul 25 06:32:37 2002
-@@ -53,6 +53,10 @@
- #include <prot.h>
- #endif
-
-+#ifdef __FreeBSD__
-+#include <resolv.h>
-+#endif
-+
- #include "ssh.h"
- #include "ssh1.h"
- #include "ssh2.h"
-@@ -1409,6 +1413,17 @@
- setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on,
- sizeof(on)) < 0)
- error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
-+
-+#ifdef __FreeBSD__
-+ /*
-+ * Initialize the resolver. This may not happen automatically
-+ * before privsep chroot().
-+ */
-+ if ((_res.options & RES_INIT) == 0) {
-+ debug("res_init()");
-+ res_init();
-+ }
-+#endif
-
- /*
- * Register our connection. This turns encryption off because we do
diff --git a/security/hpn-ssh/files/patch-sshd_config b/security/hpn-ssh/files/patch-sshd_config
deleted file mode 100644
index 3d84a8c64d0f..000000000000
--- a/security/hpn-ssh/files/patch-sshd_config
+++ /dev/null
@@ -1,18 +0,0 @@
---- sshd_config.orig Fri Jun 21 03:11:36 2002
-+++ sshd_config Wed Jul 3 06:20:47 2002
-@@ -34,6 +34,7 @@
-
- #LoginGraceTime 600
- #PermitRootLogin yes
-+PermitRootLogin no
- #StrictModes yes
-
- #RSAAuthentication yes
-@@ -58,6 +59,7 @@
-
- # Change to no to disable s/key passwords
- #ChallengeResponseAuthentication yes
-+ChallengeResponseAuthentication no
-
- # Kerberos options
- #KerberosAuthentication no
diff --git a/security/hpn-ssh/files/patch-sshpty.c b/security/hpn-ssh/files/patch-sshpty.c
deleted file mode 100644
index 090be41de9ef..000000000000
--- a/security/hpn-ssh/files/patch-sshpty.c
+++ /dev/null
@@ -1,12 +0,0 @@
---- sshpty.c.orig Wed Jun 26 01:21:42 2002
-+++ sshpty.c Fri Jun 28 07:09:38 2002
-@@ -30,6 +30,9 @@
- #ifdef HAVE_PTY_H
- # include <pty.h>
- #endif
-+#ifdef HAVE_LIBUTIL_H
-+#include <libutil.h>
-+#endif
- #if defined(HAVE_DEV_PTMX) && defined(HAVE_SYS_STROPTS_H)
- # include <sys/stropts.h>
- #endif
diff --git a/security/hpn-ssh/files/patch-stderr-after-eof.sh b/security/hpn-ssh/files/patch-stderr-after-eof.sh
deleted file mode 100644
index 38969b8d51a3..000000000000
--- a/security/hpn-ssh/files/patch-stderr-after-eof.sh
+++ /dev/null
@@ -1,11 +0,0 @@
---- regress/stderr-after-eof.sh.orig Wed May 1 05:17:35 2002
-+++ regress/stderr-after-eof.sh Fri Jul 19 07:22:18 2002
-@@ -7,7 +7,7 @@
- DATA=${OBJ}/data
- COPY=${OBJ}/copy
-
--MD5=md5sum
-+MD5=md5
-
- # setup data
- rm -f ${DATA} ${COPY}
diff --git a/security/hpn-ssh/files/servconf.c.patch b/security/hpn-ssh/files/servconf.c.patch
deleted file mode 100644
index dde0a6947e60..000000000000
--- a/security/hpn-ssh/files/servconf.c.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- servconf.c.orig Sat Mar 23 11:02:41 2002
-+++ servconf.c Sat Mar 23 11:07:39 2002
-@@ -17,12 +17,12 @@
- #endif
- #if defined(KRB5)
- #ifdef HEIMDAL
--#include <krb.h>
-+#include <krb5.h>
- #else
- /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
- * keytab */
--#define KEYFILE "/etc/krb5.keytab"
- #endif
-+#define KEYFILE "/etc/krb5.keytab"
- #endif
- #ifdef AFS
- #include <kafs.h>
diff --git a/security/hpn-ssh/files/sshd.sh b/security/hpn-ssh/files/sshd.sh
deleted file mode 100644
index ba52de02fe7b..000000000000
--- a/security/hpn-ssh/files/sshd.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/sh
-case "$1" in
-start)
- __PREFIX__/sbin/sshd
- echo -n ' sshd'
- ;;
-stop)
- if [ -f /var/run/sshd.pid ]; then
- kill -TERM `cat /var/run/sshd.pid`
- rm -f /var/run/sshd.pid
- echo -n ' sshd'
- fi
- ;;
-restart)
- if [ -f /var/run/sshd.pid ]; then
- kill -HUP `cat /var/run/sshd.pid`
- echo 'sshd restarted'
- fi
- ;;
-*)
- echo "Usage: ${0##*/}: { start | stop | restart }" 2>&1
- exit 65
- ;;
-esac
diff --git a/security/hpn-ssh/pkg-comment b/security/hpn-ssh/pkg-comment
deleted file mode 100644
index d96c7bfa9b13..000000000000
--- a/security/hpn-ssh/pkg-comment
+++ /dev/null
@@ -1 +0,0 @@
-The portable version of OpenBSD's OpenSSH
diff --git a/security/hpn-ssh/pkg-descr b/security/hpn-ssh/pkg-descr
deleted file mode 100644
index 99ac07bfd209..000000000000
--- a/security/hpn-ssh/pkg-descr
+++ /dev/null
@@ -1,15 +0,0 @@
-OpenBSD's OpenSSH portable version
-
-Normal OpenSSH development produces a very small, secure, and easy to maintain
-version for the OpenBSD project. The OpenSSH Portability Team takes that pure
-version and adds portability code so that OpenSSH can run on many other
-operating systems (Unfortunately, in particular since OpenSSH does
-authentication, it runs into a *lot* of differences between Unix operating
-systems).
-
-The portable OpenSSH follows development of the official version, but releases
-are not synchronized. Portable releases are marked with a 'p' (e.g. 3.1p1).
-The official OpenBSD source will never use the 'p' suffix, but will instead
-increment the version number when they hit 'stable spots' in their development.
-
-WWW: http://www.openssh.com/portable.html
diff --git a/security/hpn-ssh/pkg-message b/security/hpn-ssh/pkg-message
deleted file mode 100644
index b0908ddd4486..000000000000
--- a/security/hpn-ssh/pkg-message
+++ /dev/null
@@ -1,17 +0,0 @@
-To enable this port, please add sshd_program=/usr/local/sbin/sshd and make
-sure sshd_enable is set to YES in your /etc/rc.conf
-
-You may also want to put NO_OPENSSH= true in your /etc/make.conf
-and make sure your path is setup to /usr/local/bin before /usr/bin so that
-you are running the port version of openssh and not the version that comes
-with FreeBSD
-
-'PermitRootLogin no' is the new default for the OpenSSH port.
-This now matches the PermitRootLogin configuration of OpenSSH in
-the base system. Please be aware of this when upgrading your
-OpenSSH port, and if truly necessary, re-enable remote root login
-by readjusting this option in your sshd_config.
-
-Users are encouraged to create single-purpose users with ssh keys
-and very narrowly defined sudo privileges instead of using root
-for automated tasks.
diff --git a/security/hpn-ssh/pkg-plist b/security/hpn-ssh/pkg-plist
deleted file mode 100644
index a20e02c1426b..000000000000
--- a/security/hpn-ssh/pkg-plist
+++ /dev/null
@@ -1,38 +0,0 @@
-@comment slogin must be deleted first
-bin/slogin
-bin/scp
-bin/sftp
-bin/ssh
-bin/ssh-add
-bin/ssh-agent
-bin/ssh-keygen
-bin/ssh-keyscan
-%%NOTBASE%%etc/rc.d/sshd.sh.sample
-%%NOTBASE%%etc/ssh/moduli
-%%NOTBASE%%@exec [ -f %D/etc/ssh_config ] && [ ! -f %D/etc/ssh/ssh_config ] && ln %D/etc/ssh_config %D/etc/ssh/ssh_config
-%%NOTBASE%%@exec [ -f %D/etc/sshd_config ] && [ ! -f %D/etc/ssh/sshd_config ] && ln %D/etc/sshd_config %D/etc/ssh/sshd_config
-%%NOTBASE%%@exec [ -f %D/etc/ssh_host_key ] && [ ! -f %D/etc/ssh/ssh_host_key ] && ln %D/etc/ssh_host_key %D/etc/ssh/ssh_host_key
-%%NOTBASE%%@exec [ -f %D/etc/ssh_host_key.pub ] && [ ! -f %D/etc/ssh/ssh_host_key.pub ] && ln %D/etc/ssh_host_key.pub %D/etc/ssh/ssh_host_key.pub
-%%NOTBASE%%@exec [ -f %D/etc/ssh_host_rsa_key ] && [ ! -f %D/etc/ssh/ssh_host_rsa_key ] && ln %D/etc/ssh_host_rsa_key %D/etc/ssh/ssh_host_rsa_key
-%%NOTBASE%%@exec [ -f %D/etc/ssh_host_rsa_key.pub ] && [ ! -f %D/etc/ssh/ssh_host_rsa_key.pub ] && ln %D/etc/ssh_host_rsa_key.pub %D/etc/ssh/ssh_host_rsa_key.pub
-%%NOTBASE%%@exec [ -f %D/etc/ssh_host_dsa_key ] && [ ! -f %D/etc/ssh/ssh_host_dsa_key ] && ln %D/etc/ssh_host_dsa_key %D/etc/ssh/ssh_host_dsa_key
-%%NOTBASE%%@exec [ -f %D/etc/ssh_host_dsa_key.pub ] && [ ! -f %D/etc/ssh/ssh_host_dsa_key.pub ] && ln %D/etc/ssh_host_dsa_key.pub %D/etc/ssh/ssh_host_dsa_key.pub
-%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/ssh_config %D/etc/ssh/ssh_config-dist; then rm -f %D/etc/ssh/ssh_config; fi
-%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/sshd_config %D/etc/ssh/sshd_config-dist; then rm -f %D/etc/ssh/sshd_config; fi
-%%NOTBASE%%etc/ssh/ssh_config-dist
-%%NOTBASE%%etc/ssh/sshd_config-dist
-%%NOTBASE%%@exec [ ! -f %D/etc/ssh/ssh_config ] && cp %D/etc/ssh/ssh_config-dist %D/etc/ssh/ssh_config
-%%NOTBASE%%@exec [ ! -f %D/etc/ssh/sshd_config ] && cp %D/etc/ssh/sshd_config-dist %D/etc/ssh/sshd_config
-%%NOTBASE%%@dirrm etc/ssh
-sbin/sshd
-share/Ssh.bin
-libexec/sftp-server
-libexec/ssh-keysign
-%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_host_key ]; then echo ">> Generating a secret RSA1 host key."; %D/bin/ssh-keygen -t rsa1 -N "" -f %D/etc/ssh/ssh_host_key; fi
-%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_host_rsa_key ]; then echo ">> Generating a secret RSA host key."; %D/bin/ssh-keygen -t rsa -N "" -f %D/etc/ssh/ssh_host_rsa_key; fi
-%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_host_dsa_key ]; then echo ">> Generating a secret DSA host key."; %D/bin/ssh-keygen -t dsa -N "" -f %D/etc/ssh/ssh_host_dsa_key; fi
-%%NOTBASE%%@exec mkdir -p %D/empty
-%%NOTBASE%%@dirrm empty
-%%BASE%%@exec mkdir -p %%EMPTYDIR%%
-@exec if ! pw groupshow sshd 2>/dev/null; then pw groupadd sshd -g 22; fi
-@exec if ! pw usershow sshd 2>/dev/null; then pw useradd sshd -g sshd -u 22 -h - -d %%EMPTYDIR%% -s /nonexistent -c "sshd privilege separation"; fi |