authorDag-Erling Smørgrav <des@FreeBSD.org>2004-04-20 09:35:04 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2004-04-20 09:35:04 +0000
commit52028650dba51037ac82f766107619f336a00e25 (patch)
treeaaca3b36adea134d5ba39fa7c38bf759a9ef49c6 /crypto
parentefcad6b72fe9d4f7ea99c021f4903d09ca31b666 (diff)
downloadsrc-test2-52028650dba51037ac82f766107619f336a00e25.tar.gz
src-test2-52028650dba51037ac82f766107619f336a00e25.zip
Notes
Diffstat (limited to 'crypto')
-rw-r--r--crypto/openssh/.cvsignore24
-rw-r--r--crypto/openssh/ChangeLog1326
-rw-r--r--crypto/openssh/README5
-rw-r--r--crypto/openssh/acconfig.h11
-rw-r--r--crypto/openssh/auth-krb5.c8
-rw-r--r--crypto/openssh/auth-pam.c39
-rw-r--r--crypto/openssh/auth-pam.h4
-rw-r--r--crypto/openssh/auth-passwd.c7
-rw-r--r--crypto/openssh/auth-sia.c2
-rw-r--r--crypto/openssh/auth-sia.h2
-rw-r--r--crypto/openssh/auth-skey.c3
-rw-r--r--crypto/openssh/auth.h1
-rw-r--r--crypto/openssh/auth1.c2
-rw-r--r--crypto/openssh/auth2.c6
-rw-r--r--crypto/openssh/canohost.c6
-rw-r--r--crypto/openssh/configure.ac123
-rw-r--r--crypto/openssh/contrib/Makefile15
-rw-r--r--crypto/openssh/contrib/README60
-rw-r--r--crypto/openssh/contrib/aix/README50
-rwxr-xr-xcrypto/openssh/contrib/aix/buildbff.sh383
-rwxr-xr-xcrypto/openssh/contrib/aix/inventory.sh63
-rw-r--r--crypto/openssh/contrib/aix/pam.conf20
-rw-r--r--crypto/openssh/contrib/caldera/openssh.spec366
-rwxr-xr-xcrypto/openssh/contrib/caldera/ssh-host-keygen36
-rwxr-xr-xcrypto/openssh/contrib/caldera/sshd.init125
-rw-r--r--crypto/openssh/contrib/caldera/sshd.pam8
-rw-r--r--crypto/openssh/contrib/cygwin/Makefile56
-rw-r--r--crypto/openssh/contrib/cygwin/README224
-rw-r--r--crypto/openssh/contrib/cygwin/ssh-host-config592
-rw-r--r--crypto/openssh/contrib/cygwin/ssh-user-config250
-rw-r--r--crypto/openssh/contrib/findssl.sh159
-rw-r--r--crypto/openssh/contrib/gnome-ssh-askpass1.c171
-rw-r--r--crypto/openssh/contrib/gnome-ssh-askpass2.c220
-rw-r--r--crypto/openssh/contrib/hpux/README45
-rw-r--r--crypto/openssh/contrib/hpux/egd15
-rwxr-xr-xcrypto/openssh/contrib/hpux/egd.rc98
-rw-r--r--crypto/openssh/contrib/hpux/sshd5
-rwxr-xr-xcrypto/openssh/contrib/hpux/sshd.rc90
-rw-r--r--crypto/openssh/contrib/redhat/gnome-ssh-askpass.csh1
-rw-r--r--crypto/openssh/contrib/redhat/gnome-ssh-askpass.sh2
-rw-r--r--crypto/openssh/contrib/redhat/openssh.spec804
-rwxr-xr-xcrypto/openssh/contrib/redhat/sshd.init154
-rw-r--r--crypto/openssh/contrib/redhat/sshd.pam8
-rwxr-xr-xcrypto/openssh/contrib/solaris/README24
-rwxr-xr-xcrypto/openssh/contrib/solaris/buildpkg.sh386
-rwxr-xr-xcrypto/openssh/contrib/solaris/opensshd.in82
-rw-r--r--crypto/openssh/contrib/ssh-copy-id50
-rw-r--r--crypto/openssh/contrib/ssh-copy-id.167
-rw-r--r--crypto/openssh/contrib/sshd.pam.freebsd5
-rw-r--r--crypto/openssh/contrib/sshd.pam.generic8
-rw-r--r--crypto/openssh/contrib/suse/openssh.spec199
-rw-r--r--crypto/openssh/contrib/suse/rc.config.sshd5
-rw-r--r--crypto/openssh/contrib/suse/rc.sshd80
-rw-r--r--crypto/openssh/defines.h23
-rw-r--r--crypto/openssh/dh.c11
-rw-r--r--crypto/openssh/gss-serv-krb5.c2
-rw-r--r--crypto/openssh/loginrec.c4
-rw-r--r--crypto/openssh/monitor.c17
-rw-r--r--crypto/openssh/monitor_wrap.c10
-rw-r--r--crypto/openssh/monitor_wrap.h2
-rw-r--r--crypto/openssh/openbsd-compat/.cvsignore1
-rw-r--r--crypto/openssh/openbsd-compat/bsd-cygwin_util.c12
-rw-r--r--crypto/openssh/openbsd-compat/bsd-misc.h6
-rw-r--r--crypto/openssh/openbsd-compat/fake-rfc2553.h5
-rw-r--r--crypto/openssh/openbsd-compat/setenv.c8
-rw-r--r--crypto/openssh/openbsd-compat/xcrypt.c4
-rw-r--r--crypto/openssh/readconf.c12
-rw-r--r--crypto/openssh/readconf.h3
-rw-r--r--crypto/openssh/regress/Makefile3
-rw-r--r--crypto/openssh/regress/README.regress5
-rw-r--r--crypto/openssh/regress/dynamic-forward.sh4
-rw-r--r--crypto/openssh/regress/login-timeout.sh29
-rw-r--r--crypto/openssh/regress/sftp-cmds.sh2
-rw-r--r--crypto/openssh/regress/ssh-com-client.sh5
-rw-r--r--crypto/openssh/regress/ssh-com-keygen.sh5
-rw-r--r--crypto/openssh/regress/ssh-com-sftp.sh5
-rw-r--r--crypto/openssh/regress/ssh-com.sh5
-rw-r--r--crypto/openssh/regress/test-exec.sh18
-rw-r--r--crypto/openssh/regress/try-ciphers.sh18
-rw-r--r--crypto/openssh/scard/.cvsignore2
-rw-r--r--crypto/openssh/scp.13
-rw-r--r--crypto/openssh/session.c12
-rw-r--r--crypto/openssh/sftp-client.c13
-rw-r--r--crypto/openssh/sftp.13
-rw-r--r--crypto/openssh/sftp.c7
-rw-r--r--crypto/openssh/ssh-agent.c9
-rw-r--r--crypto/openssh/ssh-keyscan.c4
-rw-r--r--crypto/openssh/ssh.13
-rw-r--r--crypto/openssh/ssh.c61
-rw-r--r--crypto/openssh/ssh_config.520
-rw-r--r--crypto/openssh/sshconnect2.c4
-rw-r--r--crypto/openssh/sshd.c45
-rw-r--r--crypto/openssh/sshd_config.511
-rw-r--r--crypto/openssh/sshlogin.c36
-rw-r--r--crypto/openssh/version.h4
95 files changed, 5594 insertions, 1357 deletions
diff --git a/crypto/openssh/.cvsignore b/crypto/openssh/.cvsignore
new file mode 100644
index 000000000000..12de9ef50509
--- /dev/null
+++ b/crypto/openssh/.cvsignore
@@ -0,0 +1,24 @@
+ssh
+scp
+sshd
+ssh-add
+ssh-keygen
+ssh-keyscan
+ssh-keysign
+ssh-agent
+sftp-server
+sftp
+configure
+config.h.in
+config.h
+config.status
+config.cache
+config.log
+stamp-h.in
+Makefile
+ssh_prng_cmds
+*.out
+*.0
+buildit.sh
+autom4te.cache
+ssh-rand-helper
diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog
index c2891ba41add..e259be6a3635 100644
--- a/crypto/openssh/ChangeLog
+++ b/crypto/openssh/ChangeLog
@@ -1,3 +1,192 @@
+20040418
+ - (dtucker) [auth-pam.c] Log username and source host for failed PAM
+ authentication attempts. With & ok djm@
+ - (djm) [openbsd-compat/bsd-cygwin_util.c] Recent versions of Cygwin allow
+ change of user context without a password, so relax auth method
+ restrictions; from vinschen AT redhat.com; ok dtucker@
+ - Release 3.8.1p1
+
+20040416
+ - (dtucker) [regress/sftp-cmds.sh] Skip quoting test on Cygwin, since
+ FAT/NTFS does not permit quotes in filenames. From vinschen at redhat.com
+ - (djm) [auth-krb5.c auth.h session.c] Explicitly refer to Kerberos ccache
+ file using FILE: method, fixes problems on Mac OSX.
+ Patch from simon@sxw.org.uk; ok dtucker@
+ - (tim) [configure.ac] Set SETEUID_BREAKS_SETUID, BROKEN_SETREUID and
+ BROKEN_SETREGID for SCO OpenServer 3
+
+20040412
+ - (dtucker) [sshd_config.5] Add PermitRootLogin without-password warning
+ from bug #701 (text from jfh at cise.ufl.edu).
+ - (dtucker) [acconfig.h configure.ac defines.h] Bug #673: check for 4-arg
+ skeychallenge(), eg on NetBSD. ok mouring@
+ - (dtucker) [auth-skey.c defines.h monitor.c] Make skeychallenge explicitly
+ 4-arg, with compatibility for 3-arg versions. From djm@, ok me.
+ - (djm) [configure.ac] Fix detection of libwrap on OpenBSD; ok dtucker@
+
+20040408
+ - (dtucker) [loginrec.c] Use UT_LINESIZE if available, prevents truncating
+ pty name on Linux 2.6.x systems. Patch from jpe at eisenmenger.org.
+ - (bal) [monitor.c monitor_wrap.c] Second try. Put the zlib.h headers
+ back and #undef TARGET_OS_MAC instead. (Bug report pending with Apple)
+ - (dtucker) [defines.h loginrec.c] Define UT_LINESIZE if not defined and
+ simplify loginrec.c. ok tim@
+ - (bal) [monitor.c monitor_wrap.c] Ok.. Last time. Promise. Tim suggested
+ limiting scope and dtucker@ agreed.
+
+20040407
+ - (dtucker) [session.c] Flush stdout after displaying loginmsg. From
+ f_mohr at yahoo.de.
+ - (bal) [acconfig.h auth-krb5.c configure.ac gss-serv-krb5.c] Check to see
+ if Krb5 library exports krb5_init_etc() since some OSes (like MacOS/X)
+ are starting to restrict it as internal since it is not needed by
+ developers any more. (Patch based on Apple tree)
+ - (bal) [monitor.c monitor_wrap.c] monitor_wrap.c] moved zlib.h higher since
+ krb5 on MacOS/X conflicts. There may be a better solution, but this will
+ work for now.
+
+20040406
+ - (dtucker) [acconfig.h configure.ac defines.h] Bug #820: don't use
+ updwtmpx() on IRIX since it seems to clobber utmp. ok djm@
+ - (dtucker) [configure.ac] Bug #816, #748 (again): Attempt to detect
+ broken getaddrinfo and friends on HP-UX. ok djm@
+
+20040330
+ - (dtucker) [configure.ac] Bug #811: Use "!" for LOCKED_PASSWD_PREFIX on
+ Linuxes, since that's what many use. ok djm@
+ - (dtucker) [auth-pam.c] rename the_authctxt to sshpam_authctxt in auth-pam.c
+ to reduce potential confusion with the one in sshd.c. ok djm@
+ - (djm) Bug #825: Fix ip_options_check() for mapped IPv4/IPv6 connection;
+ with & ok dtucker@
+
+20040327
+ - (dtucker) [session.c] Bug #817: Clear loginmsg after fork to prevent
+ duplicate login messages for mutli-session logins. ok djm@
+
+20040322
+ - (djm) [sshd.c] Drop supplemental groups if started as root
+ - (djm) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2004/03/09 22:11:05
+ [ssh.c]
+ increase x11 cookie lifetime to 20 minutes; ok djm
+ - markus@cvs.openbsd.org 2004/03/10 09:45:06
+ [ssh.c]
+ trim usage to match ssh(1) and look more like unix. ok djm@
+ - markus@cvs.openbsd.org 2004/03/11 08:36:26
+ [sshd.c]
+ trim usage; ok deraadt
+ - markus@cvs.openbsd.org 2004/03/11 10:21:17
+ [ssh.c sshd.c]
+ ssh, sshd: sync version output, ok djm
+ - markus@cvs.openbsd.org 2004/03/20 10:40:59
+ [version.h]
+ 3.8.1
+ - (djm) Crank RPM spec versions
+
+20040311
+ - (djm) [configure.ac] Add standard license to configure.ac; ok ben, dtucker
+
+20040310
+ - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #812: #undef getaddrinfo
+ before redefining it, silences warnings on Tru64.
+
+20040308
+ - (dtucker) [sshd.c] Back out rev 1.270 as it caused problems on some
+ platforms (eg SCO, HP-UX) with logging in the wrong TZ. ok djm@
+ - (dtucker) [configure.ac sshd.c openbsd-compat/bsd-misc.h
+ openbsd-compat/setenv.c] Unset KRB5CCNAME on AIX to prevent it from being
+ inherited by the child. ok djm@
+ - (dtucker) [auth-pam.c auth-pam.h auth1.c auth2.c monitor.c monitor_wrap.c
+ monitor_wrap.h] Bug #808: Ensure force_pwchange is correctly initialized
+ even if keyboard-interactive is not used by the client. Prevents
+ segfaults in some cases where the user's password is expired (note this
+ is not considered a security exposure). ok djm@
+ - (djm) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2004/03/03 06:47:52
+ [sshd.c]
+ change proctiltle after accept(2); ok henning, deraadt, djm
+ - djm@cvs.openbsd.org 2004/03/03 09:30:42
+ [sftp-client.c]
+ Don't print duplicate messages when progressmeter is off
+ Spotted by job317 AT mailvault.com; ok markus@
+ - djm@cvs.openbsd.org 2004/03/03 09:31:20
+ [sftp.c]
+ Fix initialisation of progress meter; ok markus@
+ - markus@cvs.openbsd.org 2004/03/05 10:53:58
+ [readconf.c readconf.h scp.1 sftp.1 ssh.1 ssh_config.5 sshconnect2.c]
+ add IdentitiesOnly; ok djm@, pb@
+ - djm@cvs.openbsd.org 2004/03/08 09:38:05
+ [ssh-keyscan.c]
+ explicitly initialise remote_major and remote_minor.
+ from cjwatson AT debian.org; ok markus@
+ - dtucker@cvs.openbsd.org 2004/03/08 10:18:57
+ [sshd_config.5]
+ Document KerberosGetAFSToken; ok markus@
+ - (tim) [regress/README.regress] Document ssh-rand-helper issue. ok bal
+
+20040307
+ - (tim) [regress/login-timeout.sh] fix building outside of source tree.
+
+20040304
+ - (dtucker) [auth-pam.c] Don't try to export PAM when compiled with
+ -DUSE_POSIX_THREADS. From antoine.verheijen at ualbert ca. ok djm@
+ - (dtucker) [auth-pam.c] Reset signal status when starting pam auth thread,
+ prevent hanging during PAM keyboard-interactive authentications. ok djm@
+ - (dtucker) [auth-passwd.c auth-sia.c auth-sia.h defines.h
+ openbsd-compat/xcrypt.c] Bug #802: Fix build error on Tru64 when
+ configured --with-osfsia. ok djm@
+
+20040303
+ - (djm) [configure.ac ssh-agent.c] Use prctl to prevent ptrace on ssh-agent
+ ok dtucker
+
+20040229
+ - (tim) [configure.ac] Put back bits mistakenly removed from Rev 1.188
+
+20040229
+ - (dtucker) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2004/02/25 00:22:45
+ [sshd.c]
+ typo in comment
+ - dtucker@cvs.openbsd.org 2004/02/27 22:42:47
+ [dh.c]
+ Prevent sshd from sending DH groups with a primitive generator of zero or
+ one, even if they are listed in /etc/moduli. ok markus@
+ - dtucker@cvs.openbsd.org 2004/02/27 22:44:56
+ [dh.c]
+ Make /etc/moduli line buffer big enough for 8kbit primes, in case anyone
+ ever uses one. ok markus@
+ - dtucker@cvs.openbsd.org 2004/02/27 22:49:27
+ [dh.c]
+ Reset bit counter at the right time, fixes debug output in the case where
+ the DH group is rejected. ok markus@
+ - dtucker@cvs.openbsd.org 2004/02/17 08:23:20
+ [regress/Makefile regress/login-timeout.sh]
+ Add regression test for LoginGraceTime; ok markus@
+ - markus@cvs.openbsd.org 2004/02/24 16:56:30
+ [regress/test-exec.sh]
+ allow arguments in ${TEST_SSH_XXX}
+ - markus@cvs.openbsd.org 2004/02/24 17:06:52
+ [regress/ssh-com-client.sh regress/ssh-com-keygen.sh
+ regress/ssh-com-sftp.sh regress/ssh-com.sh]
+ test against recent ssh.com releases
+ - dtucker@cvs.openbsd.org 2004/02/28 12:16:57
+ [regress/dynamic-forward.sh]
+ Make dynamic-forward understand nc's new output. ok markus@
+ - dtucker@cvs.openbsd.org 2004/02/28 13:44:45
+ [regress/try-ciphers.sh]
+ Test acss too; ok markus@
+ - (dtucker) [regress/try-ciphers.sh] Skip acss if not compiled in (eg if we
+ built with openssl < 0.9.7)
+
+20040226
+ - (bal) KNF our sshlogin.c even if the code looks nothing like upstream
+ code due to diversity issues.
+
+20040225
+ - (djm) Trim ChangeLog
+ - (djm) Don't specify path to PAM modules in Redhat sshd.pam; from Fedora
+
20040224
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2004/02/19 21:15:04
@@ -794,1139 +983,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-20030919
- - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL;
- djast AT cs.toronto.edu
- - (djm) Bug #661: Remove duplicate check for basename; from
- bugzilla-openssh AT thewrittenword.com
- - (djm) Bug #641: Allow RedHat RPM building without GTK-2; Patch from
- jason AT devrandom.org
- - (djm) Bug #646: Fix location of x11-ssh-askpass; Jim
- - (dtucker) [openbsd-compat/port-aix.h] Bug #640: Don't include audit.h
- unless required. Reorder to reduce warnings.
- - (dtucker) [session.c] Bug #643: Fix size_t -> u_int and fix null deref
- when /etc/default/login doesn't exist or isn't readable. Fixes from
- jparsons-lists at saffron.net and georg.oppenberg at deu mci com.
- - (dtucker) [acconfig.h] Updated basename test needs HAVE_BASENAME
-
-20030918
- - (djm) Bug #652: Fix empty password auth
-
-20030917
- - (djm) Sync with V_3_7 branch
- - (djm) OpenBSD Sync
- - markus@cvs.openbsd.org 2003/09/16 21:02:40
- [buffer.c channels.c version.h]
- more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU
- - (djm) Crank RPM spec file versions
- - (tim) [openbsd-compat/inet_ntoa.c] 20030917 "Sync with V_3_7 branch" undid
- 20030916 "Missed dead header in inet_ntoa.c"
-
-20030916
- - (dtucker) [acconfig.h configure.ac defines.h session.c] Bug #252: Retrieve
- PATH (or SUPATH) and UMASK from /etc/default/login on platforms that have it
- (eg Solaris, Reliant Unix). Patch from Robert.Dahlem at siemens.com.
- ok djm@
- - (bal) OpenBSD Sync
- - deraadt@cvs.openbsd.org 2003/09/16 03:03:47
- [buffer.c]
- do not expand buffer before attempting to reallocate it; markus ok
- - (tim) [configure.ac] Fix portability issues.
- - (bal) Missed dead header in inet_ntoa.c
-
-20030914
- - (dtucker) [Makefile regress/Makefile] Fix portability issues preventing
- the regression tests from running with Solaris' make. Patch from Brian
- Poole (raj at cerias.purdue.edu).
- - (dtucker) [regress/Makefile] AIX's make doesn't like " +=", so replace
- with vanilla "=".
-
-20030913
- - (dtucker) [regress/agent-timeout.sh] Timeout of 5 sec is borderline for
- slower hosts, increase to 10 sec.
- - (dtucker) [auth-passwd.c] On AIX, call setauthdb() before loginsuccess(),
- required to correctly reset failed login count when using a password
- registry other than "files" (eg LDAP, see bug #543).
- - (tim) [configure.ac] define WITH_ABBREV_NO_TTY for SCO.
- Report by Roger Cornelius.
- - (dtucker) [auth-pam.c] Use SSHD_PAM_SERVICE for PAM service name, patch
- from cjwatson at debian.org.
-
-20030912
- - (tim) [regress/agent-ptrace.sh] sh doesn't like "if ! shell_function; then".
- - (tim) [Makefile.in] only mkdir regress if it does not exist.
- - (tim) [regress/yes-head.sh] shell portability fix.
-
-20030911
- - (dtucker) [configure.ac] Bug #588, #615: Move other libgen tests to after
- the dirname test, to allow a broken dirname to be detected correctly.
- Based partially on patch supplied by alex.kiernan at thus.net. ok djm@
- - (tim) [configure.ac] Move libgen tests to before libwrap to unbreak
- UnixWare 2.03 using --with-tcp-wrappers.
- - (tim) [configure.ac] Prefer setuid/setgid on UnixWare and Open Server.
- - (tim) [regress/agent-ptrace.sh regress/dynamic-forward.sh
- regress/sftp-cmds.sh regress/stderr-after-eof.sh regress/test-exec.sh]
- no longer depends on which(1). patch by dtucker@
-
-20030910
- - (dtucker) [configure.ac] Bug #636: Add support for Cray's new X1 machine.
- Patch from wendyp at cray.com.
- - (dtucker) [configure.ac] Part of bug #615: tcsendbreak might be a macro.
- - (dtucker) [regressh/yes-head.sh] Some platforms (eg Solaris) don't have
- "yes".
-
-20030909
- - (tim) [regress/Makefile] Fixes for building outside of a read-only
- source tree.
- - (tim) [regress/agent-timeout.sh] s/TIMEOUT/SSHAGENT_TIMEOUT/ Fixes conflict
- with shell read-only variable.
- - (tim) [regress/sftp-badcmds.sh regress/sftp-cmds.sh] Fix errors like
- UX:rm: ERROR: Cannot remove '.' or '..'
-
-20030908
- - (tim) [configure.ac openbsd-compat/getrrsetbyname.c] wrap _getshort and
- _getlong in #ifndef
- - (tim) [configure.ac acconfig.h openbsd-compat/getrrsetbyname.c] test for
- HEADER.ad in arpa/nameser.h
- - (tim) [ssh-keygen.c] s/PATH_MAX/MAXPATHLEN/ ok mouring@
-
-20030907
- - (dtucker) [agent-ptrace.sh dynamic-forward.sh (all regress/)]
- Put "which" inside quotes.
- - (dtucker) [dynamic-forward.sh forwarding.sh sftp-batch.sh (all regress/)]
- Add ${EXEEXT}: required to work on Cygwin.
- - (dtucker) [regress/sftp-batch.sh] Make temporary batch file name more
- distinctive, so "rm ${BATCH}.*" doesn't match the script itself.
- - (dtucker) [regress/sftp-cmds.sh] Skip quoted file test on Cygwin.
- - (dtucker) [openbsd-compat/xcrypt.c] #elsif -> #elif
- - (dtucker) [acconfig.h] Typo.
- - (dtucker) [CREDITS Makefile.in configure.ac mdoc2man.awk mdoc2man.pl]
- Replace mdoc2man.pl with mdoc2man.awk, provided by Peter Stuge.
-
-20030906
- - (dtucker) [acconfig.h configure.ac uidswap.c] Prefer setuid/setgid on AIX.
-
-20030905
- - (dtucker) [Makefile.in] Add distclean target for regress/, fix clean target.
-
-20030904
- - (dtucker) Portablize regression tests. Parts contributed by Roumen
- Petrov, David M. Williams and Corinna Vinschen.
- - [Makefile.in] Add "make tests" target and "make clean" hooks.
- - [regress/agent-getpeereid.sh] Skip test on platforms that don't support
- getpeereid.
- - [regress/agent-ptrace.sh] Skip tests if platform doesn't support it or
- gdb cannot be found.
- - [regress/reconfigure/sh] Make path to sshd fully qualified if required.
- - [regress/rekey.sh] Remove dependence on /dev/zero (not all platforms have
- it). The sparse file will take less disk space too.
- - [regress/sftp-cmds.sh] Ensure files used for test are readable.
- - [regress/stderr-after-eof.sh] Search for a usable checksum program.
- - [regress/sftp-badcmds.sh regress/sftp-cmds.sh regress/sftp.sh
- regress/ssh-com-client.sh regress/ssh-com-sftp.sh regress/stderr-data.sh
- regress/transfer.sh] Use ${EXEEXT} where appropriate.
- - [regress/sftp.sh regress/ssh-com-sftp.sh] Remove dependency on /dev/stdin.
- - [regress/agent-ptrace.sh regress/agent-timeout.sh]
- "grep -q" -> "grep >/dev/null"
- - [regress/agent.sh regress/proto-version.sh regress/ssh-com.sh
- regress/test-exec.sh] Handle different ways of echoing without newlines.
- - [regress/dynamic-forward.sh] Some "which" programs output on stderr.
- - [regress/sftp-cmds.sh] Use portable "test" option.
- - [regress/test-exec.sh] Use sudo, search for "whoami" equivalent, always
- use Strictmodes no, wait longer for sshd startup.
- - [regress/Makefile] Remove BSDisms.
- - [regress/README.regress] Add a basic readme.
- - [Makefile.in regress/agent-getpeereid.sh] config.h is now in $BUILDDIR
- not $OBJ.
- - [Makefile.in regress/agent-ptrace] Fix minor regress issues on Cygwin.
-
-20030903
- - (djm) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/08/26 09:58:43
- [auth-passwd.c auth.c auth.h auth1.c auth2-none.c auth2-passwd.c]
- [auth2.c monitor.c]
- fix passwd auth for 'username leaks via timing'; with djm@, original
- patches from solar
- - markus@cvs.openbsd.org 2003/08/28 12:54:34
- [auth.h]
- remove kerberos support from ssh1, since it has been replaced with GSSAPI;
- but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
- - markus@cvs.openbsd.org 2003/09/02 16:40:29
- [version.h]
- enter 3.7
- - jmc@cvs.openbsd.org 2003/09/02 18:50:06
- [sftp.1 ssh_config.5]
- escape punctuation;
- ok deraadt@
-
-20030902
- - (djm) OpenBSD CVS Sync
- - deraadt@cvs.openbsd.org 2003/08/24 17:36:51
- [auth2-gss.c]
- 64 bit cleanups; markus ok
- - markus@cvs.openbsd.org 2003/08/28 12:54:34
- [auth-krb5.c auth.h auth1.c monitor.c monitor.h monitor_wrap.c]
- [monitor_wrap.h readconf.c servconf.c session.c ssh_config.5]
- [sshconnect1.c sshd.c sshd_config sshd_config.5]
- remove kerberos support from ssh1, since it has been replaced with GSSAPI;
- but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
- - markus@cvs.openbsd.org 2003/08/29 10:03:15
- [compat.c compat.h]
- SSH_BUG_K5USER is unused; ok henning@
- - markus@cvs.openbsd.org 2003/08/29 10:04:36
- [channels.c nchan.c]
- be less chatty; debug -> debug2, cleanup; ok henning@
- - markus@cvs.openbsd.org 2003/08/31 10:26:04
- [progressmeter.c]
- pass file_size + 1 to snprintf: fixes printing of truncated
- file names; fix based on patch/report from sturm@;
- - markus@cvs.openbsd.org 2003/08/31 12:14:22
- [progressmeter.c]
- do write to buf[-1]
- - markus@cvs.openbsd.org 2003/08/31 13:29:05
- [session.c]
- call ssh_gssapi_storecreds conditionally from do_exec();
- with sxw@inf.ed.ac.uk
- - markus@cvs.openbsd.org 2003/08/31 13:30:18
- [gss-serv.c]
- correct string termination in parse_ename(); sxw@inf.ed.ac.uk
- - markus@cvs.openbsd.org 2003/08/31 13:31:57
- [gss-serv.c]
- whitspace KNF
- - markus@cvs.openbsd.org 2003/09/01 09:50:04
- [sshd_config.5]
- gss kex is not supported; sxw@inf.ed.ac.uk
- - markus@cvs.openbsd.org 2003/09/01 12:50:46
- [readconf.c]
- rm gssapidelegatecreds alias; never supported before
- - markus@cvs.openbsd.org 2003/09/01 13:52:18
- [ssh.h]
- rm whitespace
- - markus@cvs.openbsd.org 2003/09/01 18:15:50
- [readconf.c readconf.h servconf.c servconf.h ssh.c]
- remove unused kerberos code; ok henning@
- - markus@cvs.openbsd.org 2003/09/01 20:44:54
- [auth2-gss.c]
- fix leak
- - (djm) Don't initialise pam_conv structures inline. Avoids HP/UX compiler
- error. Part of Bug #423, patch from michael_steffens AT hp.com
- - (djm) Bug #423: reorder setting of PAM_TTY and calling of PAM session
- management (now done in do_setusercontext). Largely from
- michael_steffens AT hp.com
- - (djm) Fix openbsd-compat/ again - remove references to strl(cpy|cat).h
-
-20030829
- - (bal) openbsd-compat/ clean up. Considate headers, add in Id on our
- files, and added missing license to header.
-
-20030826
- - (djm) Bug #629: Mark ssh_config option "pamauthenticationviakbdint"
- as deprecated. Remove mention from README.privsep. Patch from
- aet AT cc.hut.fi
- - (dtucker) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/08/22 10:56:09
- [auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c
- gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c
- readconf.h servconf.c servconf.h session.c session.h ssh-gss.h
- ssh_config.5 sshconnect2.c sshd_config sshd_config.5]
- support GSS API user authentication; patches from Simon Wilkinson,
- stripped down and tested by Jakob and myself.
- - markus@cvs.openbsd.org 2003/08/22 13:20:03
- [sshconnect2.c]
- remove support for "kerberos-2@ssh.com"
- - markus@cvs.openbsd.org 2003/08/22 13:22:27
- [auth2.c] (auth2-krb5.c removed)
- nuke "kerberos-2@ssh.com"
- - markus@cvs.openbsd.org 2003/08/22 20:55:06
- [LICENCE]
- add Simon Wilkinson
- - deraadt@cvs.openbsd.org 2003/08/24 17:36:52
- [monitor.c monitor_wrap.c sshconnect2.c]
- 64 bit cleanups; markus ok
- - fgsch@cvs.openbsd.org 2003/08/25 08:13:09
- [sftp-int.c]
- fix div by zero when listing for filename lengths longer than width.
- markus@ ok.
- - djm@cvs.openbsd.org 2003/08/25 10:33:33
- [sshconnect2.c]
- fprintf->logit to silence login banner with "ssh -q"; ok markus@
- - (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h
- configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c
- sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson.
- - (dtucker) [Makefile.in] Remove auth2-krb5.
- - (dtucker) [contrib/aix/inventory.sh] Add public domain notice. ok mouring@
- (the original author)
- - (dtucker) [auth.c] Do not check for locked accounts when PAM is enabled.
-
-20030825
- - (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from
- larsch@trustcenter.de
- - (bal) openbsd-compat/ OpenBSD updates. Mostly licensing, ansifications
- and minor fixes. OK djm@
- - (bal) redo how we handle 'mysignal()'. Move it to
- openbsd-compat/bsd-misc.c, s/mysignal/signal/ and #define signal to
- be our 'mysignal' by default. OK djm@
- - (dtucker) [acconfig.h auth.c configure.ac sshd.8] Bug #422 again: deny
- any access to locked accounts. ok djm@
- - (djm) Bug #564: Perform PAM account checks for all authentications when
- UsePAM=yes; ok dtucker
- - (dtucker) [configure.ac] Bug #533, #551: define BROKEN_GETADDRINFO on
- Tru64, solves getnameinfo and "bad addr or host" errors. ok djm@
- - (dtucker) [README buildbff.sh inventory.sh] (all in contrib/aix)
- Update package builder: correctly handle config variables, use lsuser
- rather than /etc/passwd, fix typos, add Id's.
-
-20030822
- - (djm) s/get_progname/ssh_get_progname/g to avoid conflict with Heimdal
- -lbroken; ok dtucker
- - (dtucker) [contrib/cygwin/ssh-user-config] Put keys in authorized_keys
- rather that authorized_keys2. Patch from vinschen@redhat.com.
-
-20030821
- - (dtucker) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/08/14 16:08:58
- [ssh-keygen.c]
- exit after primetest, ok djm@
- - (dtucker) [defines.h] Put CMSG_DATA, CMSG_FIRSTHDR with other CMSG* macros,
- change CMSG_DATA to use __CMSG_ALIGN (and thus work properly), reformat for
- consistency.
- - (dtucker) [configure.ac] Move openpty/ctty test outside of case statement
- and after normal openpty test.
-
-20030813
- - (dtucker) [session.c] Remove #ifdef TIOCSBRK kludge.
- - (dtucker) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/08/13 08:33:02
- [session.c]
- use more portable tcsendbreak(3) and ignore break_length;
- ok deraadt, millert
- - markus@cvs.openbsd.org 2003/08/13 08:46:31
- [auth1.c readconf.c readconf.h servconf.c servconf.h ssh.c ssh_config
- ssh_config.5 sshconnect1.c sshd.8 sshd.c sshd_config sshd_config.5]
- remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
- fgsch@, miod@, henning@, jakob@ and others
- - markus@cvs.openbsd.org 2003/08/13 09:07:10
- [readconf.c ssh.c]
- socks4->socks, since with support both 4 and 5; dtucker@zip.com.au
- - (dtucker) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
- Add a tcsendbreak function for platforms that don't have one, based on the
- one from OpenBSD.
-
-20030811
- - (dtucker) OpenBSD CVS Sync
- (thanks to Simon Wilkinson for help with this -dt)
- - markus@cvs.openbsd.org 2003/07/16 15:02:06
- [auth-krb5.c]
- mcc -> fcc; from Love Hörnquist Åstrand <lha@it.su.se>
- otherwise the kerberos credentinal is stored in a memory cache
- in the privileged sshd. ok jabob@, hin@ (some time ago)
- - (dtucker) [openbsd-compat/xcrypt.c] Remove Cygwin #ifdef block (duplicate
- in bsd-cygwin_util.h).
-
-20030808
- - (dtucker) [openbsd-compat/fake-rfc2553.h] Older Linuxes have AI_PASSIVE and
- AI_CANONNAME in netdb.h but not AI_NUMERICHOST, so check each definition
- separately before defining them.
- - (dtucker) [auth-pam.c] Don't set PAM_TTY if tty is null. ok djm@
-
-20030807
- - (dtucker) [session.c] Have session_break_req not attempt to send a break
- if TIOCSBRK and TIOCCBRK are not defined (eg Cygwin).
- - (dtucker) [canohost.c] Bug #336: Only check ip options if IP_OPTIONS is
- defined (fixes compile error on really old Linuxes).
- - (dtucker) [defines.h] Bug #336: Add CMSG_DATA and CMSG_FIRSTHDR macros if
- not already defined (eg Linux with some versions of libc5), based on those
- from OpenBSD.
- - (dtucker) [openbsd-compat/bsd-cygwin_util.c openbsd-compat/bsd-cygwin_util.h]
- Remove incorrect filenames from comments (file names are in Id tags).
- - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.h] Move Cygwin
- specific defines and includes to bsd-cygwin_util.h. Fixes build error too.
-
-20030802
- - (dtucker) [monitor.h monitor_wrap.h] Remove excess ident tags.
- - (dtucker) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/07/22 13:35:22
- [auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c
- monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1
- ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h]
- remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
- test+ok henning@
- - (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support.
- - (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files.
- - (dtucker) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/07/23 07:42:43
- [sshd_config]
- remove AFS; itojun@
- - djm@cvs.openbsd.org 2003/07/28 09:49:56
- [ssh-keygen.1 ssh-keygen.c]
- Support for generating Diffie-Hellman groups (/etc/moduli) from ssh-keygen.
- Based on code from Phil Karn, William Allen Simpson and Niels Provos.
- ok markus@, thanks jmc@
- - markus@cvs.openbsd.org 2003/07/29 18:24:00
- [LICENCE progressmeter.c]
- replace 4 clause BSD licensed progressmeter code with a replacement
- from Nils Nordman and myself; ok deraadt@
- (copied from OpenBSD an re-applied portable changes)
- - markus@cvs.openbsd.org 2003/07/29 18:26:46
- [progressmeter.c]
- fix length for "- stalled -" (included with previous import)
- - markus@cvs.openbsd.org 2003/07/30 07:44:14
- [progressmeter.c]
- use only 4 digits in format_size (included with previous import)
- - markus@cvs.openbsd.org 2003/07/30 07:53:27
- [progressmeter.c]
- whitespace (included with previous import)
- - markus@cvs.openbsd.org 2003/07/31 09:21:02
- [auth2-none.c]
- check whether passwd auth is allowd, similar to proto 1; rob@pitman.co.za
- ok henning
- - avsm@cvs.openbsd.org 2003/07/31 15:50:16
- [atomicio.c]
- correct comment: atomicio takes vwrite, not write; deraadt@ ok
- - markus@cvs.openbsd.org 2003/07/31 22:34:03
- [progressmeter.c]
- print rate similar old version; round instead truncate;
- (included in previous progressmeter.c commit)
- - (dtucker) [openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
- Add a tcgetpgrp function.
- - (dtucker) [Makefile.in moduli.c moduli.h] Add new files and to Makefile.
- - (dtucker) [openbsd-compat/bsd-misc.c] Fix cut-and-paste bug in tcgetpgrp.
-
-20030730
- - (djm) [auth-pam.c] Don't use crappy APIs like sprintf. Thanks bal
-
-20030726
- - (dtucker) [openbsd-compat/xcrypt.c] Fix typo: DISABLED_SHADOW ->
- DISABLE_SHADOW. Fixes HP-UX compile error.
-
-20030724
- - (bal) [auth-passwd.c openbsd-compat/Makefile.in openbsd-compat/xcrypt.c
- openbsd-compat/xcrypt.h] Split off encryption into xcrypt() interface,
- and isolate shadow password functions. Tested in Solaris, but should
- not break other platforms too badly (except maybe HP =). Also brings
- auth-passwd.c into full sync with OpenBSD tree.
-
-20030723
- - (dtucker) [configure.ac] Back out change for bug #620.
-
-20030719
- - (dtucker) [configure.ac] Bug #620: Define BROKEN_GETADDRINFO for
- Solaris/x86. Patch from jrhett at isite.net.
- - (dtucker) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/07/14 12:36:37
- [sshd.c]
- remove undocumented -V option. would be only useful if openssh is used
- as ssh v1 server for ssh.com's ssh v2.
- - markus@cvs.openbsd.org 2003/07/16 10:34:53
- [ssh.c sshd.c]
- don't exit on multiple -v or -d; ok deraadt@
- - markus@cvs.openbsd.org 2003/07/16 10:36:28
- [sshtty.c]
- clear IUCLC in enter_raw_mode; from rob@pitman.co.za; ok deraadt@, fgs@
- - deraadt@cvs.openbsd.org 2003/07/18 01:54:25
- [scp.c]
- userid is unsigned, but well, force it anyways; andrushock@korovino.net
- - djm@cvs.openbsd.org 2003/07/19 00:45:53
- [sftp-int.c]
- fix sftp filename parsing for arguments with escaped quotes. bz #517;
- ok markus
- - djm@cvs.openbsd.org 2003/07/19 00:46:31
- [regress/sftp-cmds.sh]
- regress test for sftp arguments with escaped quotes; ok markus
-
-20030714
- - (dtucker) [acconfig.h configure.ac port-aix.c] Older AIXes don't declare
- loginfailed at all, so assume 3-arg loginfailed if not declared.
- - (dtucker) [port-aix.h] Work around name collision on AIX for r_type by
- undef'ing it.
- - (dtucker) Bug #543: [configure.ac port-aix.c port-aix.h]
- Call setauthdb() before loginfailed(), which may load password registry-
- specific functions. Based on patch by cawlfiel at us.ibm.com.
- - (dtucker) [port-aix.h] Fix prototypes.
- - (dtucker) OpenBSD CVS Sync
- - avsm@cvs.openbsd.org 2003/07/09 13:58:19
- [key.c]
- minor tweak: when generating the hex fingerprint, give strlcat the full
- bound to the buffer, and add a comment below explaining why the
- zero-termination is one less than the bound. markus@ ok
- - markus@cvs.openbsd.org 2003/07/10 14:42:28
- [packet.c]
- the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
- blowfish, etc, so enforce a 1GB limit for small blocksizes.
- - markus@cvs.openbsd.org 2003/07/10 20:05:55
- [sftp.c]
- sync usage with manpage, add missing -R
-
-20030708
- - (dtucker) [acconfig.h auth-passwd.c configure.ac session.c port-aix.[ch]]
- Include AIX headers for authentication functions and make calls match
- prototypes. Test for and handle 3-arg and 4-arg variants of loginfailed.
- - (dtucker) [session.c] Check return value of setpcred().
- - (dtucker) [auth-passwd.c auth.c session.c sshd.c port-aix.c port-aix.h]
- Convert aixloginmsg into platform-independant Buffer loginmsg.
-
-20030707
- - (dtucker) [configure.ac] Bug #600: Check that getrusage is declared before
- searching libraries for it. Fixes build errors on NCR MP-RAS.
-
-20030706
- - (dtucker) [ssh-rand-helper.c loginrec.c]
- Apply atomicio typing change to these too.
-
-20030703
- - (dtucker) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2003/06/28 07:48:10
- [sshd.c]
- report pidfile creation errors, based on patch from Roumen Petrov;
- ok markus@
- - deraadt@cvs.openbsd.org 2003/06/28 16:23:06
- [atomicio.c atomicio.h authfd.c clientloop.c monitor_wrap.c msg.c
- progressmeter.c scp.c sftp-client.c ssh-keyscan.c ssh.h sshconnect.c
- sshd.c]
- deal with typing of write vs read in atomicio
- - markus@cvs.openbsd.org 2003/06/29 12:44:38
- [sshconnect.c]
- memset 0, not \0; andrushock@korovino.net
- - markus@cvs.openbsd.org 2003/07/02 12:56:34
- [channels.c]
- deny dynamic forwarding with -R for v1, too; ok djm@
- - markus@cvs.openbsd.org 2003/07/02 14:51:16
- [channels.c ssh.1 ssh_config.5]
- (re)add socks5 suppport to -D; ok djm@
- now ssh(1) can act both as a socks 4 and socks 5 server and
- dynamically forward ports.
- - markus@cvs.openbsd.org 2003/07/02 20:37:48
- [ssh.c]
- convert hostkeyalias to lowercase, otherwise uppercase aliases will
- not match at all; ok henning@
- - markus@cvs.openbsd.org 2003/07/03 08:21:46
- [regress/dynamic-forward.sh]
- add socks5; speedup; reformat; based on patch from dtucker@zip.com.au
- - markus@cvs.openbsd.org 2003/07/03 08:24:13
- [regress/Makefile]
- enable tests for dynamic fwd via socks (-D), uses nc(1)
- - djm@cvs.openbsd.org 2003/07/03 08:09:06
- [readconf.c readconf.h ssh-keysign.c ssh.c]
- fix AddressFamily option in config file, from brent@graveland.net;
- ok markus@
-
-20030630
- - (djm) Search for support functions necessary to build our
- getrrsetbyname() replacement. Patch from Roumen Petrov
-
-20030629
- - (dtucker) [includes.h] Bug #602: move #include of netdb.h to after in.h
- (fixes compiler warnings on Solaris 2.5.1).
- - (dtucker) [configure.ac] Add sanity test after system-dependant compiler
- flag modifications.
-
-20030628
- - (djm) Bug #591: use PKCS#15 private key label as a comment in case
- of OpenSC. Report and patch from larsch@trustcenter.de
- - (djm) Bug #593: Sanity check OpenSC card reader number; patch from
- aj@dungeon.inka.de
- - (dtucker) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/06/23 09:02:44
- [ssh_config.5]
- document EnableSSHKeysign; bugzilla #599; ok deraadt@, jmc@
- - markus@cvs.openbsd.org 2003/06/24 08:23:46
- [auth2-hostbased.c auth2-pubkey.c auth2.c channels.c key.c key.h
- monitor.c packet.c packet.h serverloop.c sshconnect2.c sshd.c]
- int -> u_int; ok djm@, deraadt@, mouring@
- - miod@cvs.openbsd.org 2003/06/25 22:39:36
- [sftp-server.c]
- Typo police: attribute is better written with an 'r'.
- - markus@cvs.openbsd.org 2003/06/26 20:08:33
- [readconf.c]
- do not dump core for 'ssh -o proxycommand host'; ok deraadt@
- - (dtucker) [regress/dynamic-forward.sh] Import new regression test.
- - (dtucker) [configure.ac] Bug #570: Have ./configure --enable-FEATURE
- actually enable the feature, for those normally disabled. Patch by
- openssh (at) roumenpetrov.info.
-
-20030624
- - (dtucker) Have configure refer the user to config.log and
- contrib/findssl.sh for OpenSSL header/library mismatches.
-
-20030622
- - (dtucker) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/06/21 09:14:05
- [regress/reconfigure.sh]
- missing $SUDO; from dtucker@zip.com.au
- - markus@cvs.openbsd.org 2003/06/18 11:28:11
- [ssh-rsa.c]
- backout last change, since it violates pkcs#1
- switch to share/misc/license.template
- - djm@cvs.openbsd.org 2003/06/20 05:47:58
- [sshd_config.5]
- sync description of protocol 2 cipher proposal; ok markus
- - djm@cvs.openbsd.org 2003/06/20 05:48:21
- [sshd_config]
- sync some implemented options; ok markus@
- - (dtucker) [regress/authorized_keys_root] Remove temp data file from CVS.
- - (dtucker) [openbsd-compat/setproctitle.c] Ensure SPT_TYPE is defined before
- testing its value.
-
-20030618
- - (djm) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/06/12 07:57:38
- [monitor.c sshlogin.c sshpty.c]
- typos; dtucker at zip.com.au
- - djm@cvs.openbsd.org 2003/06/12 12:22:47
- [LICENCE]
- mention more copyright holders; ok markus@
- - nino@cvs.openbsd.org 2003/06/12 15:34:09
- [scp.c]
- Typo. Ok markus@.
- - markus@cvs.openbsd.org 2003/06/12 19:12:03
- [scard.c scard.h ssh-agent.c ssh.c]
- add sc_get_key_label; larsch at trustcenter.de; bugzilla#591
- - markus@cvs.openbsd.org 2003/06/16 08:22:35
- [ssh-rsa.c]
- make sure the signature has at least the expected length (don't
- insist on len == hlen + oidlen, since this breaks some smartcards)
- bugzilla #592; ok djm@
- - markus@cvs.openbsd.org 2003/06/16 10:22:45
- [ssh-add.c]
- print out key comment on each prompt; make ssh-askpass more useable; ok djm@
- - markus@cvs.openbsd.org 2003/06/17 18:14:23
- [cipher-ctr.c]
- use license from /usr/share/misc/license.template for new code
- - (dtucker) [reconfigure.sh rekey.sh sftp-badcmds.sh]
- Import new regression tests from OpenBSD
- - (dtucker) [regress/copy.1 regress/copy.2] Remove temp data files from CVS.
- - (dtucker) OpenBSD CVS Sync (regress/)
- - markus@cvs.openbsd.org 2003/04/02 12:21:13
- [Makefile]
- enable rekey test
- - djm@cvs.openbsd.org 2003/04/04 09:34:22
- [Makefile sftp-cmds.sh]
- More regression tests, including recent directory rename bug; ok markus@
- - markus@cvs.openbsd.org 2003/05/14 22:08:27
- [ssh-com-client.sh ssh-com-keygen.sh ssh-com-sftp.sh ssh-com.sh]
- test against some new commerical versions
- - mouring@cvs.openbsd.org 2003/05/15 04:07:12
- [sftp-cmds.sh]
- Advanced put/get testing for sftp. OK @djm
- - markus@cvs.openbsd.org 2003/06/12 15:40:01
- [try-ciphers.sh]
- add ctr
- - markus@cvs.openbsd.org 2003/06/12 15:43:32
- [Makefile]
- test -HUP; dtucker at zip.com.au
-
-20030614
- - (djm) Update license on fake-rfc2553.[ch]; ok itojun@
-
-20030611
- - (djm) Mention portable copyright holders in LICENSE
- - (djm) Put licenses on substantial header files
- - (djm) Sync LICENSE against OpenBSD
- - (djm) OpenBSD CVS Sync
- - jmc@cvs.openbsd.org 2003/06/10 09:12:11
- [scp.1 sftp-server.8 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5]
- [sshd.8 sshd_config.5 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8]
- - section reorder
- - COMPATIBILITY merge
- - macro cleanup
- - kill whitespace at EOL
- - new sentence, new line
- ssh pages ok markus@
- - deraadt@cvs.openbsd.org 2003/06/10 22:20:52
- [packet.c progressmeter.c]
- mostly ansi cleanup; pval ok
- - jakob@cvs.openbsd.org 2003/06/11 10:16:16
- [sshconnect.c]
- clean up check_host_key() and improve SSHFP feedback. ok markus@
- - jakob@cvs.openbsd.org 2003/06/11 10:18:47
- [dns.c]
- sync with check_host_key() change
- - djm@cvs.openbsd.org 2003/06/11 11:18:38
- [authfd.c authfd.h ssh-add.c ssh-agent.c]
- make agent constraints (lifetime, confirm) work with smartcard keys;
- ok markus@
-
-
-20030609
- - (djm) Sync README.smartcard with OpenBSD -current
- - (djm) Re-merge OpenSC info into README.smartcard
-
-20030606
- - (dtucker) [uidswap.c] Fix setreuid and add missing args to fatal(). ok djm@
-
-20030605
- - (djm) Support AI_NUMERICHOST in fake-getaddrinfo.c. Needed for recent
- canohost.c changes.
- - (djm) Implement paranoid priv dropping checks, based on:
- "SetUID demystified" - Hao Chen, David Wagner and Drew Dean
- Proceedings of USENIX Security Symposium 2002
- - (djm) Don't use xmalloc() or pull in toplevel headers in fake-* code
- - (djm) Merge all the openbsd/fake-* into fake-rfc2553.[ch]
- - (djm) Bug #588 - Add scard-opensc.o back to Makefile.in
- Patch from larsch@trustcenter.de
- - (djm) Bug #589 - scard-opensc: load only keys with a private keys
- Patch from larsch@trustcenter.de
- - (dtucker) Add includes.h to fake-rfc2553.c so it will build.
- - (dtucker) Define EAI_NONAME in fake-rfc2553.h (used by fake-rfc2553.c).
-
-20030604
- - (djm) Bug #573 - Remove unneeded Krb headers and compat goop. Patch from
- simon@sxw.org.uk (Also matches a change in OpenBSD a while ago)
- - (djm) Bug #577 - wrong flag in scard-opensc.c sc_private_decrypt.
- Patch from larsch@trustcenter.de; ok markus@
- - (djm) Bug #584: scard-opensc.c doesn't work without PIN. Patch from
- larsch@trustcenter.de; ok markus@
- - (djm) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2003/06/04 08:25:18
- [sshconnect.c]
- disable challenge/response and keyboard-interactive auth methods
- upon hostkey mismatch. based on patch from fcusack AT fcusack.com.
- bz #580; ok markus@
- - djm@cvs.openbsd.org 2003/06/04 10:23:48
- [sshd.c]
- remove duplicated group-dropping code; ok markus@
- - djm@cvs.openbsd.org 2003/06/04 12:03:59
- [serverloop.c]
- remove bitrotten commet; ok markus@
- - djm@cvs.openbsd.org 2003/06/04 12:18:49
- [scp.c]
- ansify; ok markus@
- - djm@cvs.openbsd.org 2003/06/04 12:40:39
- [scp.c]
- kill ssh process upon receipt of signal, bz #241.
- based on patch from esb AT hawaii.edu; ok markus@
- - djm@cvs.openbsd.org 2003/06/04 12:41:22
- [sftp.c]
- kill ssh process on receipt of signal; ok markus@
- - (djm) Update to fix of bug #584: lock card before return.
- From larsch@trustcenter.de
- - (djm) Always use mysignal() for SIGALRM
-
-20030603
- - (djm) Replace setproctitle replacement with code derived from
- UCB sendmail
- - (djm) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/06/02 09:17:34
- [auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c]
- [canohost.c monitor.c servconf.c servconf.h session.c sshd_config]
- [sshd_config.5]
- deprecate VerifyReverseMapping since it's dangerous if combined
- with IP based access control as noted by Mike Harding; replace with
- a UseDNS option, UseDNS is on by default and includes the
- VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
- ok deraadt@, djm@
- - millert@cvs.openbsd.org 2003/06/03 02:56:16
- [scp.c]
- Remove the advertising clause in the UCB license which Berkeley
- rescinded 22 July 1999. Proofed by myself and Theo.
- - (djm) Fix portable-specific uses of verify_reverse_mapping too
- - (djm) Sync openbsd-compat with OpenBSD CVS.
- - No more 4-term BSD licenses in linked code
- - (dtucker) [port-aix.c bsd-cray.c] Fix uses of verify_reverse_mapping.
-
-20030602
- - (djm) Fix segv from bad reordering in auth-pam.c
- - (djm) Always use saved_argv in sshd.c as compat_init_setproctitle may
- clobber
- - (tim) openbsd-compat/xmmap.[ch] License clarifications. Add missing
- CVS ID.
- - (djm) Remove "noip6" option from RedHat spec file. This may now be
- set at runtime using AddressFamily option.
- - (djm) Fix use of macro before #define in cipher-aes.c
- - (djm) Sync license on openbsd-compat/bindresvport.c with OpenBSD CVS
- - (djm) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2003/05/26 12:54:40
- [sshconnect.c]
- fix format strings; ok markus@
- - deraadt@cvs.openbsd.org 2003/05/29 16:58:45
- [sshd.c uidswap.c]
- seteuid and setegid; markus ok
- - jakob@cvs.openbsd.org 2003/06/02 08:31:10
- [ssh_config.5]
- VerifyHostKeyDNS is v2 only. ok markus@
-
-20030530
- - (dtucker) Add missing semicolon in md5crypt.c, patch from openssh at
- roumenpetrov.info
- - (dtucker) Define SSHD_ACQUIRES_CTTY for NCR MP-RAS and Reliant Unix.
-
-20030526
- - (djm) Avoid auth2-chall.c warning when compiling without
- PAM, BSD_AUTH and SKEY
-
-20030525
-- (djm) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2003/05/24 09:02:22
- [log.c]
- pass logged data through strnvis; ok markus
- - djm@cvs.openbsd.org 2003/05/24 09:30:40
- [authfile.c monitor.c sftp-common.c sshpty.c]
- cast some types for printing; ok markus@
-
-20030524
- - (dtucker) Correct --osfsia in INSTALL. Patch by skeleten at shillest.net
-
-20030523
- - (djm) Use VIS_SAFE on logged strings rather than default strnvis
- encoding (which encodes many more characters)
- - OpenBSD CVS Sync
- - jmc@cvs.openbsd.org 2003/05/20 12:03:35
- [sftp.1]
- - new sentence, new line
- - added .Xr's
- - typos
- ok djm@
- - jmc@cvs.openbsd.org 2003/05/20 12:09:31
- [ssh.1 ssh_config.5 sshd.8 sshd_config.5 ssh-keygen.1]
- new sentence, new line
- - djm@cvs.openbsd.org 2003/05/23 08:29:30
- [sshconnect.c]
- fix leak; ok markus@
-
-20030520
- - (djm) OpenBSD CVS Sync
- - deraadt@cvs.openbsd.org 2003/05/18 23:22:01
- [log.c]
- use syslog_r() in a signal handler called place; markus ok
- - (djm) Configure logic to detect syslog_r and friends
-
-20030519
- - (djm) Sync auth-pam.h with what we actually implement
-
-20030518
- - (djm) Return of the dreaded PAM_TTY_KLUDGE, which went missing in
- recent merge
- - (djm) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2003/05/16 03:27:12
- [readconf.c ssh_config ssh_config.5 ssh-keysign.c]
- add AddressFamily option to ssh_config (like -4, -6 on commandline).
- Portable bug #534; ok markus@
- - itojun@cvs.openbsd.org 2003/05/17 03:25:58
- [auth-rhosts.c]
- just in case, put numbers to sscanf %s arg.
- - markus@cvs.openbsd.org 2003/05/17 04:27:52
- [cipher.c cipher-ctr.c myproposal.h]
- experimental support for aes-ctr modes from
- http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt
- ok djm@
- - (djm) Remove IPv4 by default hack now that we can specify AF in config
- - (djm) Tidy and trim TODO
- - (djm) Sync openbsd-compat/ with OpenBSD CVS head
- - (djm) Big KNF on openbsd-compat/
- - (djm) KNF on md5crypt.[ch]
- - (djm) KNF on auth-sia.[ch]
-
-20030517
- - (bal) strcat -> strlcat on openbsd-compat/realpath.c (rev 1.8 OpenBSD)
-
-20030516
- - (djm) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2003/05/15 13:52:10
- [ssh.c]
- Make "ssh -V" print the OpenSSL version in a human readable form. Patch
- from Craig Leres (mindrot at ee.lbl.gov); ok markus@
- - jakob@cvs.openbsd.org 2003/05/15 14:02:47
- [readconf.c servconf.c]
- warn for unsupported config option. ok markus@
- - markus@cvs.openbsd.org 2003/05/15 14:09:21
- [auth2-krb5.c]
- fix 64bit issue; report itojun@
- - djm@cvs.openbsd.org 2003/05/15 14:55:25
- [readconf.c readconf.h ssh_config ssh_config.5 sshconnect.c]
- add a ConnectTimeout option to ssh, based on patch from
- Jean-Charles Longuet (jclonguet at free.fr); portable #207 ok markus@
- - (djm) Add warning for UsePAM when built without PAM support
- - (djm) A few type mismatch fixes from Bug #565
- - (djm) Guard free_pam_environment against NULL argument. Works around
- HP/UX PAM problems debugged by dtucker
-
-20030515
- - (djm) OpenBSD CVS Sync
- - jmc@cvs.openbsd.org 2003/05/14 13:11:56
- [ssh-agent.1]
- setup -> set up;
- from wiz@netbsd
- - jakob@cvs.openbsd.org 2003/05/14 18:16:20
- [key.c key.h readconf.c readconf.h ssh_config.5 sshconnect.c]
- [dns.c dns.h README.dns ssh-keygen.1 ssh-keygen.c]
- add experimental support for verifying hos keys using DNS as described
- in draft-ietf-secsh-dns-xx.txt. more information in README.dns.
- ok markus@ and henning@
- - markus@cvs.openbsd.org 2003/05/14 22:24:42
- [clientloop.c session.c ssh.1]
- allow to send a BREAK to the remote system; ok various
- - markus@cvs.openbsd.org 2003/05/15 00:28:28
- [sshconnect2.c]
- cleanup unregister of per-method packet handlers; ok djm@
- - jakob@cvs.openbsd.org 2003/05/15 01:48:10
- [readconf.c readconf.h servconf.c servconf.h]
- always parse kerberos options. ok djm@ markus@
- - jakob@cvs.openbsd.org 2003/05/15 02:27:15
- [dns.c]
- add missing freerrset
- - markus@cvs.openbsd.org 2003/05/15 03:08:29
- [cipher.c cipher-bf1.c cipher-aes.c cipher-3des1.c]
- split out custom EVP ciphers
- - djm@cvs.openbsd.org 2003/05/15 03:10:52
- [ssh-keygen.c]
- avoid warning; ok jakob@
- - mouring@cvs.openbsd.org 2003/05/15 03:39:07
- [sftp-int.c]
- Make put/get (globed and nonglobed) code more consistant. OK djm@
- - mouring@cvs.openbsd.org 2003/05/15 03:43:59
- [sftp-int.c sftp.c]
- Teach ls how to display multiple column display and allow users
- to return to single column format via 'ls -1'. OK @djm
- - jakob@cvs.openbsd.org 2003/05/15 04:08:44
- [readconf.c servconf.c]
- disable kerberos when not supported. ok markus@
- - markus@cvs.openbsd.org 2003/05/15 04:08:41
- [ssh.1]
- ~B is ssh2 only
- - (djm) Always parse UsePAM
- - (djm) Configure glue for DNS support (code doesn't work in portable yet)
- - (djm) Import getrrsetbyname() function from OpenBSD libc (for DNS support)
- - (djm) Tidy Makefile clean targets
- - (djm) Adapt README.dns for portable
- - (djm) Avoid uuencode.c warnings
- - (djm) Enable UsePAM when built --with-pam
- - (djm) Only build getrrsetbyname replacement when using --with-dns
- - (djm) Bug #529: sshd doesn't work correctly after SIGHUP (copy argv
- correctly)
- - (djm) Bug #444: Wrong paths after reconfigure
- - (dtucker) HP-UX needs to include <sys/strtio.h> for TIOCSBRK
-
-20030514
- - (djm) Bug #117: Don't lie to PAM about username
- - (djm) RCSID sync w/ OpenBSD
- - (djm) OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2003/04/09 12:00:37
- [readconf.c]
- strip trailing whitespace from config lines before parsing.
- Fixes bz 528; ok markus@
- - markus@cvs.openbsd.org 2003/04/12 10:13:57
- [cipher.c]
- hide cipher details; ok djm@
- - markus@cvs.openbsd.org 2003/04/12 10:15:36
- [misc.c]
- debug->debug2
- - naddy@cvs.openbsd.org 2003/04/12 11:40:15
- [ssh.1]
- document -V switch, fix wording; ok markus@
- - markus@cvs.openbsd.org 2003/04/14 14:17:50
- [channels.c sshconnect.c sshd.c ssh-keyscan.c]
- avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP
- - mouring@cvs.openbsd.org 2003/04/14 21:31:27
- [sftp-int.c]
- Missing globfree(&g) in process_put() spotted by Vince Brimhall
- <VBrimhall@novell.com>. ok@ Theo
- - markus@cvs.openbsd.org 2003/04/16 14:35:27
- [auth.h]
- document struct Authctxt; with solar
- - deraadt@cvs.openbsd.org 2003/04/26 04:29:49
- [ssh-keyscan.c]
- -t in usage(); rogier@quaak.org
- - mouring@cvs.openbsd.org 2003/04/30 01:16:20
- [sshd.8 sshd_config.5]
- Escape ?, * and ! in .Ql for nroff compatibility. OpenSSH Portable
- Bug #550 and * escaping suggested by jmc@.
- - david@cvs.openbsd.org 2003/04/30 20:41:07
- [sshd.8]
- fix invalid .Pf macro usage introduced in previous commit
- ok jmc@ mouring@
- - markus@cvs.openbsd.org 2003/05/11 16:56:48
- [authfile.c ssh-keygen.c]
- change key_load_public to try to read a public from:
- rsa1 private or rsa1 public and ssh2 keys.
- this makes ssh-keygen -e fail for ssh1 keys more gracefully
- for example; report from itojun (netbsd pr 20550).
- - markus@cvs.openbsd.org 2003/05/11 20:30:25
- [channels.c clientloop.c serverloop.c session.c ssh.c]
- make channel_new() strdup the 'remote_name' (not the caller); ok theo
- - markus@cvs.openbsd.org 2003/05/12 16:55:37
- [sshconnect2.c]
- for pubkey authentication try the user keys in the following order:
- 1. agent keys that are found in the config file
- 2. other agent keys
- 3. keys that are only listed in the config file
- this helps when an agent has many keys, where the server might
- close the connection before the correct key is used. report & ok pb@
- - markus@cvs.openbsd.org 2003/05/12 18:35:18
- [ssh-keyscan.1]
- typo: DSA keys are of type ssh-dss; Brian Poole
- - markus@cvs.openbsd.org 2003/05/14 00:52:59
- [ssh2.h]
- ranges for per auth method messages
- - djm@cvs.openbsd.org 2003/05/14 01:00:44
- [sftp.1]
- emphasise the batchmode functionality and make reference to pubkey auth,
- both of which are FAQs; ok markus@
- - markus@cvs.openbsd.org 2003/05/14 02:15:47
- [auth2.c monitor.c sshconnect2.c auth2-krb5.c]
- implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
- server interops with commercial client; ok jakob@ djm@
- - jmc@cvs.openbsd.org 2003/05/14 08:25:39
- [sftp.1]
- - better formatting in SYNOPSIS
- - whitespace at EOL
- ok djm@
- - markus@cvs.openbsd.org 2003/05/14 08:57:49
- [monitor.c]
- http://bugzilla.mindrot.org/show_bug.cgi?id=560
- Privsep child continues to run after monitor killed.
- Pass monitor signals through to child; Darren Tucker
- - (djm) Make portable build with MIT krb5 (some issues remain)
- - (djm) Add new UsePAM configuration directive to allow runtime control
- over usage of PAM. This allows non-root use of sshd when built with
- --with-pam
- - (djm) Die screaming if start_pam() is called when UsePAM=no
- - (djm) Avoid KrbV leak for MIT Kerberos
- - (dtucker) Set ai_socktype and ai_protocol in fake-getaddrinfo.c. ok djm@
- - (djm) Bug #258: sscanf("[0-9]") -> sscanf("[0123456789]") for portability
-
-20030512
- - (djm) Redhat spec: Don't install profile.d scripts when not
- building with GNOME/GTK askpass (patch from bet@rahul.net)
-
-20030510
- - (dtucker) Bug #318: Create ssh_prng_cmds.out during "make" rather than
- "make install". Patch by roth@feep.net.
- - (dtucker) Bug #536: Test for and work around openpty/controlling tty
- problem on Linux (fixes "could not set controlling tty" errors).
- - (djm) Merge FreeBSD PAM code: replaces PAM password auth kludge with
- proper challenge-response module
- - (djm) 2-clause license on loginrec.c, with permission from
- andre@ae-35.com
-
-20030504
- - (dtucker) Bug #497: Move #include of bsd-cygwin_util.h to openbsd-compat.h.
- Patch from vinschen@redhat.com.
-
-20030503
- - (dtucker) Add missing "void" to record_failed_login in bsd-cray.c. Noted
- by wendyp@cray.com.
-
-20030502
- - (dtucker) Bug #544: ignore invalid cmsg_type on Linux 2.0 kernels,
- privsep should now work.
- - (dtucker) Move handling of bad password authentications into a platform
- specific record_failed_login() function (affects AIX & Unicos). ok mouring@
-
-20030429
- - (djm) Add back radix.o (used by AFS support), after it went missing from
- Makefile many moons ago
- - (djm) Apply "owl-always-auth" patch from Openwall/Solar Designer
- - (djm) Fix blibpath specification for AIX/gcc
- - (djm) Some systems have basename in -lgen. Fix from ayamura@ayamura.org
-
-20030428
- - (bal) [defines.h progressmeter.c scp.c] Some more culling of non 64bit
- hacked code.
-
-20030427
- - (bal) Bug #541: return; was dropped by mistake. Reported by
- furrier@iglou.com
- - (bal) Since we don't support platforms lacking u_int_64. We may
- as well clean out some of those evil #ifdefs
- - (bal) auth1.c minor resync while looking at the code.
- - (bal) auth2.c same changed as above.
-
-20030409
- - (djm) Bug #539: Specify creation mode with O_CREAT for lastlog. Report
- from matth@eecs.berkeley.edu
- - (djm) Make the spec work with Redhat 9.0 (which renames sharutils)
- - (djm) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/04/02 09:48:07
- [clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c]
- [readconf.h serverloop.c sshconnect2.c]
- reapply rekeying chage, tested by henning@, ok djm@
- - markus@cvs.openbsd.org 2003/04/02 14:36:26
- [ssh-keysign.c]
- potential segfault if KEY_UNSPEC; cjwatson@debian.org; bug #526
- - itojun@cvs.openbsd.org 2003/04/03 07:25:27
- [progressmeter.c]
- $OpenBSD$
- - itojun@cvs.openbsd.org 2003/04/03 10:17:35
- [progressmeter.c]
- remove $OpenBSD$, as other *.c does not have it.
- - markus@cvs.openbsd.org 2003/04/07 08:29:57
- [monitor_wrap.c]
- typo: get correct counters; introduced during rekeying change.
- - millert@cvs.openbsd.org 2003/04/07 21:58:05
- [progressmeter.c]
- The UCB copyright here is incorrect. This code did not originate
- at UCB, it was written by Luke Mewburn. Updated the copyright at
- the author's request. markus@ OK
- - itojun@cvs.openbsd.org 2003/04/08 20:21:29
- [*.c *.h]
- rename log() into logit() to avoid name conflict. markus ok, from
- netbsd
- - (djm) XXX - Performed locally using:
- "perl -p -i -e 's/(\s|^)log\(/$1logit\(/g' *.c *.h"
- - hin@cvs.openbsd.org 2003/04/09 08:23:52
- [servconf.c]
- Don't include <krb.h> when compiling with Kerberos 5 support
- - (djm) Fix up missing include for packet.c
- - (djm) Fix missed log => logit occurance (reference by function pointer)
-
-20030402
- - (bal) if IP_TOS is not found or broken don't try to compile in
- packet_set_tos() function call. bug #527
-
-20030401
- - (djm) OpenBSD CVS Sync
- - jmc@cvs.openbsd.org 2003/03/28 10:11:43
- [scp.1 sftp.1 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5 sshd_config.5]
- [ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8]
- - killed whitespace
- - new sentence new line
- - .Bk for arguments
- ok markus@
- - markus@cvs.openbsd.org 2003/04/01 10:10:23
- [clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c]
- [readconf.h serverloop.c sshconnect2.c]
- rekeying bugfixes and automatic rekeying:
- * both client and server rekey _automatically_
- (a) after 2^31 packets, because after 2^32 packets
- the sequence number for packets wraps
- (b) after 2^(blocksize_in_bits/4) blocks
- (see: draft-ietf-secsh-newmodes-00.txt)
- (a) and (b) are _enabled_ by default, and only disabled for known
- openssh versions, that don't support rekeying properly.
- * client option 'RekeyLimit'
- * do not reply to requests during rekeying
- - markus@cvs.openbsd.org 2003/04/01 10:22:21
- [clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c]
- [readconf.h serverloop.c sshconnect2.c]
- backout rekeying changes (for 3.6.1)
- - markus@cvs.openbsd.org 2003/04/01 10:31:26
- [compat.c compat.h kex.c]
- bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@;
- tested by ho@ and myself
- - markus@cvs.openbsd.org 2003/04/01 10:56:46
- [version.h]
- 3.6.1
- - (djm) Crank spec file versions
- - (djm) Release 3.6.1p1
-
-20030326
- - (djm) OpenBSD CVS Sync
- - deraadt@cvs.openbsd.org 2003/03/26 04:02:51
- [sftp-server.c]
- one last fix to the tree: race fix broke stuff; pr 3169;
- srp@srparish.net, help from djm
-
-20030325
- - (djm) Fix getpeerid support for 64 bit BE systems. From
- Arnd Bergmann <arndb@de.ibm.com>
-
-20030324
- - (djm) OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2003/03/23 19:02:00
- [monitor.c]
- unbreak rekeying for privsep; ok millert@
- - Release 3.6p1
- - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
- Report from murple@murple.net, diagnosis from dtucker@zip.com.au
-
-$Id: ChangeLog,v 1.3257 2004/02/24 06:13:28 djm Exp $
+$Id: ChangeLog,v 1.3316.2.1 2004/04/18 12:51:12 djm Exp $
diff --git a/crypto/openssh/README b/crypto/openssh/README
index 7e918fe08e42..0620d0eee1c2 100644
--- a/crypto/openssh/README
+++ b/crypto/openssh/README
@@ -1,5 +1,4 @@
-See:
-http://www.openssh.com/txt/release-3.8 for the release notes.
+See http://www.openssh.com/txt/release-3.8.1 for the release notes.
- A Japanese translation of this document and of the OpenSSH FAQ is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -66,4 +65,4 @@ References -
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
[7] http://www.openssh.com/faq.html
-$Id: README,v 1.53 2004/02/24 05:13:24 dtucker Exp $
+$Id: README,v 1.54 2004/04/18 10:32:56 djm Exp $
diff --git a/crypto/openssh/acconfig.h b/crypto/openssh/acconfig.h
index 62252d760f86..f14353519fa6 100644
--- a/crypto/openssh/acconfig.h
+++ b/crypto/openssh/acconfig.h
@@ -1,4 +1,4 @@
-/* $Id: acconfig.h,v 1.173 2004/02/06 05:24:31 dtucker Exp $ */
+/* $Id: acconfig.h,v 1.177 2004/04/15 23:22:40 dtucker Exp $ */
/*
* Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@@ -131,6 +131,9 @@
/* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */
#undef AIX_LOGINFAILED_4ARG
+/* Define if your skeychallenge() function takes 4 arguments (eg NetBSD) */
+#undef SKEYCHALLENGE_4ARG
+
/* Define if you have/want arrays (cluster-wide session managment, not C arrays) */
#undef WITH_IRIX_ARRAY
@@ -202,6 +205,9 @@
/* Define if you don't want to use lastlog in session.c */
#undef NO_SSH_LASTLOG
+/* Define if have krb5_init_ets */
+#undef KRB5_INIT_ETS
+
/* Define if you don't want to use utmp */
#undef DISABLE_UTMP
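Review bot: The new comment `/* Define if have krb5_init_ets */` drops a word. The surrounding entries in this header all read "Define if you ...", so `/* Define if you have krb5_init_ets */` keeps the wording consistent with its neighbours.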
@@ -347,6 +353,9 @@
/* getaddrinfo is broken (if present) */
#undef BROKEN_GETADDRINFO
+/* updwtmpx is broken (if present) */
+#undef BROKEN_UPDWTMPX
+
/* Workaround more Linux IPv6 quirks */
#undef DONT_TRY_OTHER_AF
diff --git a/crypto/openssh/auth-krb5.c b/crypto/openssh/auth-krb5.c
index 3913c000c44f..f4aa5418c51b 100644
--- a/crypto/openssh/auth-krb5.c
+++ b/crypto/openssh/auth-krb5.c
@@ -54,7 +54,9 @@ krb5_init(void *context)
problem = krb5_init_context(&authctxt->krb5_ctx);
if (problem)
return (problem);
+#ifdef KRB5_INIT_ETS
krb5_init_ets(authctxt->krb5_ctx);
+#endif
}
return (0);
}
@@ -70,6 +72,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
#endif
krb5_error_code problem;
krb5_ccache ccache = NULL;
+ int len;
if (!authctxt->valid)
return (0);
@@ -175,6 +178,11 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
+ len = strlen(authctxt->krb5_ticket_file) + 6;
+ authctxt->krb5_ccname = xmalloc(len);
+ snprintf(authctxt->krb5_ccname, len, "FILE:%s",
+ authctxt->krb5_ticket_file);
+
out:
restore_uid();
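Review bot: The `+ 6` in `len = strlen(authctxt->krb5_ticket_file) + 6;` is the length of the "FILE:" prefix plus the terminating NUL, but nothing in the code says so; `len = strlen(authctxt->krb5_ticket_file) + sizeof("FILE:");` yields the same value and documents itself. The matching `int len;` added in the preceding hunk of this file would better be `size_t len;`, since strlen() returns size_t and the value is passed as snprintf's size argument. Where krb5_ccname is released is not visible in this diff; presumably the cleanup that frees krb5_ticket_file handles it, which is worth confirming. The body of auth_krb5_password continues outside the hunk.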
diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c
index 1a30026d4da0..91f00308c610 100644
--- a/crypto/openssh/auth-pam.c
+++ b/crypto/openssh/auth-pam.c
@@ -31,7 +31,7 @@
/* Based on $FreeBSD$ */
#include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.95 2004/02/17 12:20:08 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.100 2004/04/18 01:00:26 dtucker Exp $");
#ifdef USE_PAM
#if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -58,6 +58,7 @@ RCSID("$Id: auth-pam.c,v 1.95 2004/02/17 12:20:08 dtucker Exp $");
extern ServerOptions options;
extern Buffer loginmsg;
extern int compat20;
+extern u_int utmp_len;
#ifdef USE_POSIX_THREADS
#include <pthread.h>
@@ -117,6 +118,7 @@ pthread_create(sp_pthread_t *thread, const void *attr __unused,
{
pid_t pid;
+ sshpam_thread_status = -1;
switch ((pid = fork())) {
case -1:
error("fork(): %s", strerror(errno));
@@ -159,7 +161,7 @@ static int sshpam_session_open = 0;
static int sshpam_cred_established = 0;
static int sshpam_account_status = -1;
static char **sshpam_env = NULL;
-static int *force_pwchange;
+static Authctxt *sshpam_authctxt = NULL;
/* Some PAM implementations don't implement this */
#ifndef HAVE_PAM_GETENVLIST
@@ -179,7 +181,9 @@ void
pam_password_change_required(int reqd)
{
debug3("%s %d", __func__, reqd);
- *force_pwchange = reqd;
+ if (sshpam_authctxt == NULL)
+ fatal("%s: PAM authctxt not initialized", __func__);
+ sshpam_authctxt->force_pwchange = reqd;
if (reqd) {
no_port_forwarding_flag |= 2;
no_agent_forwarding_flag |= 2;
@@ -201,6 +205,7 @@ import_environments(Buffer *b)
debug3("PAM: %s entering", __func__);
+#ifndef USE_POSIX_THREADS
/* Import variables set by do_pam_account */
sshpam_account_status = buffer_get_int(b);
pam_password_change_required(buffer_get_int(b));
@@ -228,6 +233,7 @@ import_environments(Buffer *b)
}
#endif
}
+#endif
}
/*
@@ -336,6 +342,9 @@ sshpam_thread(void *ctxtp)
sshpam_conv.conv = sshpam_thread_conv;
sshpam_conv.appdata_ptr = ctxt;
+ if (sshpam_authctxt == NULL)
+ fatal("%s: PAM authctxt not initialized", __func__);
+
buffer_init(&buffer);
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&sshpam_conv);
@@ -348,7 +357,7 @@ sshpam_thread(void *ctxtp)
if (compat20) {
if (!do_pam_account())
goto auth_fail;
- if (*force_pwchange) {
+ if (sshpam_authctxt->force_pwchange) {
sshpam_err = pam_chauthtok(sshpam_handle,
PAM_CHANGE_EXPIRED_AUTHTOK);
if (sshpam_err != PAM_SUCCESS)
@@ -362,7 +371,7 @@ sshpam_thread(void *ctxtp)
#ifndef USE_POSIX_THREADS
/* Export variables set by do_pam_account */
buffer_put_int(&buffer, sshpam_account_status);
- buffer_put_int(&buffer, *force_pwchange);
+ buffer_put_int(&buffer, sshpam_authctxt->force_pwchange);
/* Export any environment strings set in child */
for(i = 0; environ[i] != NULL; i++)
@@ -443,11 +452,10 @@ sshpam_cleanup(void)
}
static int
-sshpam_init(const char *user)
+sshpam_init(Authctxt *authctxt)
{
- extern u_int utmp_len;
extern char *__progname;
- const char *pam_rhost, *pam_user;
+ const char *pam_rhost, *pam_user, *user = authctxt->user;
if (sshpam_handle != NULL) {
/* We already have a PAM context; check if the user matches */
@@ -461,6 +469,8 @@ sshpam_init(const char *user)
debug("PAM: initializing for \"%s\"", user);
sshpam_err =
pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle);
+ sshpam_authctxt = authctxt;
+
if (sshpam_err != PAM_SUCCESS) {
pam_end(sshpam_handle, sshpam_err);
sshpam_handle = NULL;
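Review bot: `sshpam_authctxt = authctxt;` is placed between pam_start() and its failure check, so when pam_start() fails the handle is reset to NULL on the next line but sshpam_authctxt keeps pointing at the Authctxt, leaving the two globals out of step. Setting the pointer as the first statement of sshpam_init (in the hunk above), ahead of the "already have a PAM context" test, would also refresh it on the early path, which otherwise keeps whatever the first call stored if that path returns without re-initialising (its return is outside the hunk); alternatively clear it in the failure branch alongside sshpam_handle. sshpam_init continues outside the hunk.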
@@ -503,7 +513,7 @@ sshpam_init_ctx(Authctxt *authctxt)
return NULL;
/* Initialize PAM */
- if (sshpam_init(authctxt->user) == -1) {
+ if (sshpam_init(authctxt) == -1) {
error("PAM: initialization failed");
return (NULL);
}
@@ -511,8 +521,6 @@ sshpam_init_ctx(Authctxt *authctxt)
ctxt = xmalloc(sizeof *ctxt);
memset(ctxt, 0, sizeof(*ctxt));
- force_pwchange = &(authctxt->force_pwchange);
-
/* Start the authentication thread */
if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
error("PAM: failed create sockets: %s", strerror(errno));
@@ -591,7 +599,10 @@ sshpam_query(void *ctx, char **name, char **info,
xfree(msg);
return (0);
}
- error("PAM: %s", msg);
+ error("PAM: %s for %s%.100s from %.100s", msg,
+ sshpam_authctxt->valid ? "" : "illegal user ",
+ sshpam_authctxt->user,
+ get_remote_name_or_ip(utmp_len, options.use_dns));
/* FALLTHROUGH */
default:
*num = 0;
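Review bot: The new error() call dereferences sshpam_authctxt (`->valid`, `->user`) without the NULL check that this commit adds in pam_password_change_required and sshpam_thread; for consistency, and so a mis-ordered call fails loudly rather than with a NULL dereference, add `if (sshpam_authctxt == NULL) fatal("%s: PAM authctxt not initialized", __func__);` before the error() line. The `%.100s` bounds on the client-supplied user name and the remote name keep the log line length under control, which is good. sshpam_query starts outside the hunk.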
@@ -671,12 +682,12 @@ KbdintDevice mm_sshpam_device = {
* This replaces auth-pam.c
*/
void
-start_pam(const char *user)
+start_pam(Authctxt *authctxt)
{
if (!options.use_pam)
fatal("PAM: initialisation requested when UsePAM=no");
- if (sshpam_init(user) == -1)
+ if (sshpam_init(authctxt) == -1)
fatal("PAM: initialisation failed");
}
diff --git a/crypto/openssh/auth-pam.h b/crypto/openssh/auth-pam.h
index 4bc8d695528b..1b3706e073d2 100644
--- a/crypto/openssh/auth-pam.h
+++ b/crypto/openssh/auth-pam.h
@@ -1,4 +1,4 @@
-/* $Id: auth-pam.h,v 1.24 2004/02/10 02:23:29 dtucker Exp $ */
+/* $Id: auth-pam.h,v 1.25 2004/03/08 12:04:07 dtucker Exp $ */
/*
* Copyright (c) 2000 Damien Miller. All rights reserved.
@@ -31,7 +31,7 @@
# define SSHD_PAM_SERVICE __progname
#endif
-void start_pam(const char *);
+void start_pam(Authctxt *);
void finish_pam(void);
u_int do_pam_account(void);
void do_pam_session(void);
diff --git a/crypto/openssh/auth-passwd.c b/crypto/openssh/auth-passwd.c
index b9679abd0c5f..beaf0fa6cbf3 100644
--- a/crypto/openssh/auth-passwd.c
+++ b/crypto/openssh/auth-passwd.c
@@ -73,13 +73,6 @@ auth_password(Authctxt *authctxt, const char *password)
if (*password == '\0' && options.permit_empty_passwd == 0)
return 0;
-#if defined(HAVE_OSF_SIA)
- /*
- * XXX: any reason this is before krb? could be moved to
- * sys_auth_passwd()? -dt
- */
- return auth_sia_password(authctxt, password) && ok;
-#endif
#ifdef KRB5
if (options.kerberos_authentication == 1) {
int ret = auth_krb5_password(authctxt, password);
diff --git a/crypto/openssh/auth-sia.c b/crypto/openssh/auth-sia.c
index cd2dcb840655..63f55d07f2d1 100644
--- a/crypto/openssh/auth-sia.c
+++ b/crypto/openssh/auth-sia.c
@@ -47,7 +47,7 @@ extern int saved_argc;
extern char **saved_argv;
int
-auth_sia_password(Authctxt *authctxt, char *pass)
+sys_auth_passwd(Authctxt *authctxt, char *pass)
{
int ret;
SIAENTITY *ent = NULL;
diff --git a/crypto/openssh/auth-sia.h b/crypto/openssh/auth-sia.h
index 38164ff81975..ca55e913ed58 100644
--- a/crypto/openssh/auth-sia.h
+++ b/crypto/openssh/auth-sia.h
@@ -26,7 +26,7 @@
#ifdef HAVE_OSF_SIA
-int auth_sia_password(Authctxt *, char *);
+int sys_auth_passwd(Authctxt *, char *);
void session_setup_sia(struct passwd *, char *);
#endif /* HAVE_OSF_SIA */
diff --git a/crypto/openssh/auth-skey.c b/crypto/openssh/auth-skey.c
index f9ea03fd1a9b..ac1af69ed917 100644
--- a/crypto/openssh/auth-skey.c
+++ b/crypto/openssh/auth-skey.c
@@ -47,7 +47,8 @@ skey_query(void *ctx, char **name, char **infotxt,
int len;
struct skey skey;
- if (skeychallenge(&skey, authctxt->user, challenge) == -1)
+ if (_compat_skeychallenge(&skey, authctxt->user, challenge,
+ sizeof(challenge)) == -1)
return -1;
*name = xstrdup("");
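Review bot: `_compat_skeychallenge` begins with an underscore at file scope, which C reserves for the implementation (C99 7.1.3), so a project prefix such as `compat_skeychallenge` would be safer; its definition is not in this hunk, presumably in the compat layer next to the new SKEYCHALLENGE_4ARG test. The new `sizeof(challenge)` argument is only correct if `challenge` is declared as an array in skey_query, which its declaration above the hunk should confirm — for a pointer it would pass the pointer size. skey_query starts and ends outside the hunk.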
diff --git a/crypto/openssh/auth.h b/crypto/openssh/auth.h
index de2222aaa362..3a7d222eff77 100644
--- a/crypto/openssh/auth.h
+++ b/crypto/openssh/auth.h
@@ -66,6 +66,7 @@ struct Authctxt {
krb5_ccache krb5_fwd_ccache;
krb5_principal krb5_user;
char *krb5_ticket_file;
+ char *krb5_ccname;
#endif
void *methoddata;
};
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c
index 82fe5fb80c2a..f145cf03d66e 100644
--- a/crypto/openssh/auth1.c
+++ b/crypto/openssh/auth1.c
@@ -307,7 +307,7 @@ do_authentication(Authctxt *authctxt)
#ifdef USE_PAM
if (options.use_pam)
- PRIVSEP(start_pam(user));
+ PRIVSEP(start_pam(authctxt));
#endif
/*
diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c
index a9490ccfd1f7..1177efa73437 100644
--- a/crypto/openssh/auth2.c
+++ b/crypto/openssh/auth2.c
@@ -150,24 +150,24 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
if (authctxt->attempt++ == 0) {
/* setup auth context */
authctxt->pw = PRIVSEP(getpwnamallow(user));
+ authctxt->user = xstrdup(user);
if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
authctxt->valid = 1;
debug2("input_userauth_request: setting up authctxt for %s", user);
#ifdef USE_PAM
if (options.use_pam)
- PRIVSEP(start_pam(authctxt->pw->pw_name));
+ PRIVSEP(start_pam(authctxt));
#endif
} else {
logit("input_userauth_request: illegal user %s", user);
authctxt->pw = fakepw();
#ifdef USE_PAM
if (options.use_pam)
- PRIVSEP(start_pam(user));
+ PRIVSEP(start_pam(authctxt));
#endif
}
setproctitle("%s%s", authctxt->pw ? user : "unknown",
use_privsep ? " [net]" : "");
- authctxt->user = xstrdup(user);
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
if (use_privsep)
diff --git a/crypto/openssh/canohost.c b/crypto/openssh/canohost.c
index f5145922e6c8..a0067afc191d 100644
--- a/crypto/openssh/canohost.c
+++ b/crypto/openssh/canohost.c
@@ -44,6 +44,9 @@ get_remote_hostname(int socket, int use_dns)
cleanup_exit(255);
}
+ if (from.ss_family == AF_INET)
+ check_ip_options(socket, ntop);
+
ipv64_normalise_mapped(&from, &fromlen);
if (from.ss_family == AF_INET6)
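Review bot: The moved check_ip_options() call now runs before ipv64_normalise_mapped() on the following line, whereas the lines removed in the next hunk ran after it, so a connection whose address is still AF_INET6 at this point (a v4-mapped address, if that is what normalise converts to AF_INET) is no longer checked even though it previously was whenever use_dns was set. Placing the three added lines directly after `ipv64_normalise_mapped(&from, &fromlen);` keeps the original ordering while still running ahead of the `!use_dns` early return, which is the point of the change. get_remote_hostname starts and ends outside the hunk.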
@@ -56,9 +59,6 @@ get_remote_hostname(int socket, int use_dns)
if (!use_dns)
return xstrdup(ntop);
- if (from.ss_family == AF_INET)
- check_ip_options(socket, ntop);
-
debug3("Trying to reverse map address %.100s.", ntop);
/* Map the IP address to a host name. */
if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
diff --git a/crypto/openssh/configure.ac b/crypto/openssh/configure.ac
index 836e31730baf..6ba4d244a1af 100644
--- a/crypto/openssh/configure.ac
+++ b/crypto/openssh/configure.ac
@@ -1,4 +1,18 @@
-# $Id: configure.ac,v 1.202 2004/02/24 05:47:04 tim Exp $
+# $Id: configure.ac,v 1.214 2004/04/17 03:03:07 tim Exp $
+#
+# Copyright (c) 1999-2004 Damien Miller
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
AC_INIT
AC_CONFIG_SRCDIR([ssh.c])
@@ -195,10 +209,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
AC_DEFINE(DISABLE_UTMP)
AC_DEFINE(LOCKED_PASSWD_STRING, "*")
AC_DEFINE(SPT_TYPE,SPT_PSTAT)
- case "$host" in
- *-*-hpux11.11*)
- AC_DEFINE(BROKEN_GETADDRINFO);;
- esac
+ check_for_hpux_broken_getaddrinfo=1
LIBS="$LIBS -lsec"
AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
;;
@@ -221,6 +232,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
AC_DEFINE(SETEUID_BREAKS_SETUID)
AC_DEFINE(BROKEN_SETREUID)
AC_DEFINE(BROKEN_SETREGID)
+ AC_DEFINE(BROKEN_UPDWTMPX)
AC_DEFINE(WITH_ABBREV_NO_TTY)
AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
;;
@@ -230,7 +242,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
check_for_openpty_ctty_bug=1
AC_DEFINE(DONT_TRY_OTHER_AF)
AC_DEFINE(PAM_TTY_KLUDGE)
- AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!")
+ AC_DEFINE(LOCKED_PASSWD_PREFIX, "!")
AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
inet6_default_4in6=yes
case `uname -r` in
@@ -268,6 +280,9 @@ mips-sony-bsd|mips-sony-newsos4)
AC_DEFINE(BROKEN_SAVED_UIDS)
;;
*-*-solaris*)
+ if test "x$withval" != "xno" ; then
+ need_dash_r=1
+ fi
AC_DEFINE(PAM_SUN_CODEBASE)
AC_DEFINE(LOGIN_NEEDS_UTMPX)
AC_DEFINE(LOGIN_NEEDS_TERM)
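Review bot: The new Solaris branch reads `$withval`, which is simply the value left behind by whichever AC_ARG_WITH most recently ran; which option that is cannot be seen from this hunk, and any AC_ARG_WITH inserted between the two would silently change the result. A comment naming the option, e.g. `# $withval is the --with-<option> value handled above; Solaris needs -R unless it was disabled`, or better a dedicated variable set by that AC_ARG_WITH, would make the dependency explicit.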
@@ -344,6 +359,9 @@ mips-sony-bsd|mips-sony-newsos4)
AC_DEFINE(HAVE_SECUREWARE)
AC_DEFINE(DISABLE_SHADOW)
AC_DEFINE(BROKEN_SAVED_UIDS)
+ AC_DEFINE(SETEUID_BREAKS_SETUID)
+ AC_DEFINE(BROKEN_SETREUID)
+ AC_DEFINE(BROKEN_SETREGID)
AC_DEFINE(WITH_ABBREV_NO_TTY)
AC_CHECK_FUNCS(getluid setluid)
MANTYPE=man
@@ -491,10 +509,10 @@ AC_CHECK_HEADERS(bstring.h crypt.h endian.h features.h floatingpoint.h \
netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \
rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \
- sys/cdefs.h sys/mman.h sys/pstat.h sys/ptms.h sys/select.h sys/stat.h \
- sys/stream.h sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \
- sys/un.h time.h tmpdir.h ttyent.h usersec.h \
- util.h utime.h utmp.h utmpx.h vis.h)
+ sys/cdefs.h sys/mman.h sys/prctl.h sys/pstat.h sys/ptms.h \
+ sys/select.h sys/stat.h sys/stream.h sys/stropts.h \
+ sys/sysmacros.h sys/time.h sys/timers.h sys/un.h time.h tmpdir.h \
+ ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h)
# Checks for libraries.
AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match))
@@ -728,6 +746,15 @@ int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); }
AC_MSG_RESULT(no)
AC_MSG_ERROR([** Incomplete or missing s/key libraries.])
])
+ AC_MSG_CHECKING(if skeychallenge takes 4 arguments)
+ AC_TRY_COMPILE(
+ [#include <stdio.h>
+ #include <skey.h>],
+ [(void)skeychallenge(NULL,"name","",0);],
+ [AC_MSG_RESULT(yes)
+ AC_DEFINE(SKEYCHALLENGE_4ARG)],
+ [AC_MSG_RESULT(no)]
+ )
fi
]
)
@@ -767,6 +794,9 @@ AC_ARG_WITH(tcp-wrappers,
AC_MSG_CHECKING(for libwrap)
AC_TRY_LINK(
[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
#include <tcpd.h>
int deny_severity = 0, allow_severity = 0;
],
@@ -794,12 +824,12 @@ AC_CHECK_FUNCS(\
getpeereid _getpty getrlimit getttyent glob inet_aton \
inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \
mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \
- pstat readpassphrase realpath recvmsg rresvport_af sendmsg \
+ pstat prctl readpassphrase realpath recvmsg rresvport_af sendmsg \
setdtablesize setegid setenv seteuid setgroups setlogin setpcred \
setproctitle setregid setreuid setrlimit \
setsid setvbuf sigaction sigvec snprintf socketpair strerror \
strlcat strlcpy strmode strnvis strtoul sysconf tcgetpgrp \
- truncate updwtmpx utimes vhangup vsnprintf waitpid \
+ truncate unsetenv updwtmpx utimes vhangup vsnprintf waitpid \
)
# IRIX has a const char return value for gai_strerror()
@@ -967,6 +997,74 @@ main()
)
fi
+if test "x$ac_cv_func_getaddrinfo" = "xyes" -a "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
+ AC_MSG_CHECKING(if getaddrinfo seems to work)
+ AC_TRY_RUN(
+ [
+#include <stdio.h>
+#include <sys/socket.h>
+#include <netdb.h>
+#include <errno.h>
+#include <netinet/in.h>
+
+#define TEST_PORT "2222"
+
+int
+main(void)
+{
+ int err, sock;
+ struct addrinfo *gai_ai, *ai, hints;
+ char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = PF_UNSPEC;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_PASSIVE;
+
+ err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
+ if (err != 0) {
+ fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
+ exit(1);
+ }
+
+ for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
+ if (ai->ai_family != AF_INET6)
+ continue;
+
+ err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
+ sizeof(ntop), strport, sizeof(strport),
+ NI_NUMERICHOST|NI_NUMERICSERV);
+
+ if (err != 0) {
+ if (err == EAI_SYSTEM)
+ perror("getnameinfo EAI_SYSTEM");
+ else
+ fprintf(stderr, "getnameinfo failed: %s\n",
+ gai_strerror(err));
+ exit(2);
+ }
+
+ sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+ if (sock < 0)
+ perror("socket");
+ if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+ if (errno == EBADF)
+ exit(3);
+ }
+ }
+ exit(0);
+}
+ ],
+ [
+ AC_MSG_RESULT(yes)
+ ],
+ [
+ AC_MSG_RESULT(no)
+ AC_DEFINE(BROKEN_GETADDRINFO)
+ ]
+ )
+fi
+
AC_FUNC_GETPGRP
# Check for PAM libs
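Review bot: The test program calls memset() and exit() without including <string.h> or <stdlib.h>, so a compiler that rejects implicit declarations fails the compile, and because AC_TRY_RUN's failure branch fires on a compile error as well as on a non-zero exit, such a host would be marked BROKEN_GETADDRINFO for the wrong reason; add `#include <string.h>` and `#include <stdlib.h>` to the includes at the top of the program. The bind() attempted after socket() has failed appears deliberate (a bad descriptor yields EBADF and exit(3)) but reads like an oversight, so a one-line comment stating that this is the detection would help. The descriptors opened in the loop are never closed and the list is never freed, which is harmless for a one-shot probe but worth a note.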
@@ -2157,6 +2255,7 @@ AC_ARG_WITH(kerberos5,
LIBS="$LIBS $K5LIBS"
AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS))
+ AC_SEARCH_LIBS(krb5_init_ets, $K5LIBS, AC_DEFINE(KRB5_INIT_ETS))
]
)
diff --git a/crypto/openssh/contrib/Makefile b/crypto/openssh/contrib/Makefile
new file mode 100644
index 000000000000..2cef46f6c6d3
--- /dev/null
+++ b/crypto/openssh/contrib/Makefile
@@ -0,0 +1,15 @@
+all:
+ @echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
+
+gnome-ssh-askpass1: gnome-ssh-askpass1.c
+ $(CC) `gnome-config --cflags gnome gnomeui` \
+ gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
+ `gnome-config --libs gnome gnomeui`
+
+gnome-ssh-askpass2: gnome-ssh-askpass2.c
+ $(CC) `pkg-config --cflags gtk+-2.0` \
+ gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
+ `pkg-config --libs gtk+-2.0`
+
+clean:
+ rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass
diff --git a/crypto/openssh/contrib/README b/crypto/openssh/contrib/README
new file mode 100644
index 000000000000..9de3d961d495
--- /dev/null
+++ b/crypto/openssh/contrib/README
@@ -0,0 +1,60 @@
+Other patches and addons for OpenSSH. Please send submissions to
+djm@mindrot.org
+
+Externally maintained
+---------------------
+
+SSH Proxy Command -- connect.c
+
+Shun-ichi GOTO <gotoh@imasy.or.jp> has written a very useful ProxyCommand
+which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or
+https CONNECT style proxy server. His page for connect.c has extensive
+documentation on its use as well as compiled versions for Win32.
+
+http://www.taiyo.co.jp/~gotoh/ssh/connect.html
+
+
+X11 SSH Askpass:
+
+Jim Knoble <jmknoble@pobox.com> has written an excellent X11
+passphrase requester. This is highly recommended:
+
+http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html
+
+
+In this directory
+-----------------
+
+ssh-copy-id:
+
+Phil Hands' <phil@hands.com> shell script to automate the process of adding
+your public key to a remote machine's ~/.ssh/authorized_keys file.
+
+gnome-ssh-askpass[12]:
+
+A GNOME and Gtk2 passphrase requesters. Use "make gnome-ssh-askpass1" or
+"make gnome-ssh-askpass2" to build.
+
+sshd.pam.generic:
+
+A generic PAM config file which may be useful on your system. YMMV
+
+sshd.pam.freebsd:
+
+A PAM config file which works with FreeBSD's PAM port. Contributed by
+Dominik Brettnacher <domi@saargate.de>
+
+mdoc2man.pl:
+
+Converts mdoc formated manpages into normal manpages. This can be used
+on Solaris machines to provide manpages that are not preformated.
+Contributed by Mark D. Roth <roth@feep.net>
+
+redhat:
+
+RPM spec file and scripts for building Redhat packages
+
+suse:
+
+RPM spec file and scripts for building SuSE packages
+
diff --git a/crypto/openssh/contrib/aix/README b/crypto/openssh/contrib/aix/README
new file mode 100644
index 000000000000..2a299350abb0
--- /dev/null
+++ b/crypto/openssh/contrib/aix/README
@@ -0,0 +1,50 @@
+Overview:
+
+This directory contains files to build an AIX native (installp or SMIT
+installable) openssh package.
+
+
+Directions:
+
+(optional) create config.local in your build dir
+./configure [options]
+contrib/aix/buildbff.sh
+
+The file config.local or the environment is read to set the following options
+(default first):
+PERMIT_ROOT_LOGIN=[no|yes]
+X11_FORWARDING=[no|yes]
+AIX_SRC=[no|yes]
+
+Acknowledgements:
+
+The contents of this directory are based on Ben Lindstrom's Solaris
+buildpkg.sh. Ben also supplied inventory.sh.
+
+Jim Abbey's (GPL'ed) lppbuild-2.1 was used to learn how to build .bff's
+and for comparison with the output from this script, however no code
+from lppbuild is included and it is not required for operation.
+
+SRC support based on examples provided by Sandor Sklar and Maarten Kreuger.
+PrivSep account handling fixes contributed by W. Earl Allen.
+
+
+Other notes:
+
+The script treats all packages as USR packages (not ROOT+USR when
+appropriate). It seems to work, though......
+
+If there are any patches to this that have not yet been integrated they
+may be found at http://www.zip.com.au/~dtucker/openssh/.
+
+
+Disclaimer:
+
+It is hoped that it is useful but there is no warranty. If it breaks
+you get to keep both pieces.
+
+
+ - Darren Tucker (dtucker at zip dot com dot au)
+ 2002/03/01
+
+$Id: README,v 1.4 2003/08/25 05:01:04 dtucker Exp $
diff --git a/crypto/openssh/contrib/aix/buildbff.sh b/crypto/openssh/contrib/aix/buildbff.sh
new file mode 100755
index 000000000000..4a5c32b0ecb9
--- /dev/null
+++ b/crypto/openssh/contrib/aix/buildbff.sh
@@ -0,0 +1,383 @@
+#!/bin/sh
+#
+# buildbff.sh: Create AIX SMIT-installable OpenSSH packages
+# $Id: buildbff.sh,v 1.7 2003/11/21 12:48:56 djm Exp $
+#
+# Author: Darren Tucker (dtucker at zip dot com dot au)
+# This file is placed in the public domain and comes with absolutely
+# no warranty.
+#
+# Based originally on Ben Lindstrom's buildpkg.sh for Solaris
+#
+
+#
+# Tunable configuration settings
+# create a "config.local" in your build directory or set
+# environment variables to override these.
+#
+[ -z "$PERMIT_ROOT_LOGIN" ] && PERMIT_ROOT_LOGIN=no
+[ -z "$X11_FORWARDING" ] && X11_FORWARDING=no
+[ -z "$AIX_SRC" ] && AIX_SRC=no
+
+umask 022
+
+startdir=`pwd`
+
+# Path to inventory.sh: same place as buildbff.sh
+if echo $0 | egrep '^/'
+then
+ inventory=`dirname $0`/inventory.sh # absolute path
+else
+ inventory=`pwd`/`dirname $0`/inventory.sh # relative path
+fi
+
+#
+# We still support running from contrib/aix, but this is deprecated
+#
+if pwd | egrep 'contrib/aix$'
+then
+ echo "Changing directory to `pwd`/../.."
+ echo "Please run buildbff.sh from your build directory in future."
+ cd ../..
+ contribaix=1
+fi
+
+if [ ! -f Makefile ]
+then
+ echo "Makefile not found (did you run configure?)"
+ exit 1
+fi
+
+#
+# Directories used during build:
+# current dir = $objdir directory you ran ./configure in.
+# $objdir/$PKGDIR/ directory package files are constructed in
+# $objdir/$PKGDIR/root/ package root ($FAKE_ROOT)
+#
+objdir=`pwd`
+PKGNAME=openssh
+PKGDIR=package
+
+#
+# Collect local configuration settings to override defaults
+#
+if [ -s ./config.local ]
+then
+ echo Reading local settings from config.local
+ . ./config.local
+fi
+
+#
+# Fill in some details from Makefile, like prefix and sysconfdir
+# the eval also expands variables like sysconfdir=${prefix}/etc
+# provided they are eval'ed in the correct order
+#
+for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir mansubdir sysconfdir piddir srcdir
+do
+ eval $confvar=`grep "^$confvar=" $objdir/Makefile | cut -d = -f 2`
+done
+
+#
+# Collect values of privsep user and privsep path
+# currently only found in config.h
+#
+for confvar in SSH_PRIVSEP_USER PRIVSEP_PATH
+do
+ eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' $objdir/config.h`
+done
+
+# Set privsep defaults if not defined
+if [ -z "$SSH_PRIVSEP_USER" ]
+then
+ SSH_PRIVSEP_USER=sshd
+fi
+if [ -z "$PRIVSEP_PATH" ]
+then
+ PRIVSEP_PATH=/var/empty
+fi
+
+# Clean package build directory
+rm -rf $objdir/$PKGDIR
+FAKE_ROOT=$objdir/$PKGDIR/root
+mkdir -p $FAKE_ROOT
+
+# Start by faking root install
+echo "Faking root install..."
+cd $objdir
+make install-nokeys DESTDIR=$FAKE_ROOT
+
+if [ $? -gt 0 ]
+then
+ echo "Fake root install failed, stopping."
+ exit 1
+fi
+
+#
+# Copy informational files to include in package
+#
+cp $srcdir/LICENCE $objdir/$PKGDIR/
+cp $srcdir/README* $objdir/$PKGDIR/
+
+#
+# Extract common info requires for the 'info' part of the package.
+# AIX requires 4-part version numbers
+#
+VERSION=`./ssh -V 2>&1 | cut -f 1 -d , | cut -f 2 -d _`
+MAJOR=`echo $VERSION | cut -f 1 -d p | cut -f 1 -d .`
+MINOR=`echo $VERSION | cut -f 1 -d p | cut -f 2 -d .`
+PATCH=`echo $VERSION | cut -f 1 -d p | cut -f 3 -d .`
+PORTABLE=`echo $VERSION | awk 'BEGIN{FS="p"}{print $2}'`
+[ "$PATCH" = "" ] && PATCH=0
+[ "$PORTABLE" = "" ] && PORTABLE=0
+BFFVERSION=`printf "%d.%d.%d.%d" $MAJOR $MINOR $PATCH $PORTABLE`
+
+echo "Building BFF for $PKGNAME $VERSION (package version $BFFVERSION)"
+
+#
+# Set ssh and sshd parameters as per config.local
+#
+if [ "${PERMIT_ROOT_LOGIN}" = no ]
+then
+ perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
+ $FAKE_ROOT/${sysconfdir}/sshd_config
+fi
+if [ "${X11_FORWARDING}" = yes ]
+then
+ perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
+ $FAKE_ROOT/${sysconfdir}/sshd_config
+fi
+
+
+# Rename config files; postinstall script will copy them if necessary
+for cfgfile in ssh_config sshd_config ssh_prng_cmds
+do
+ mv $FAKE_ROOT/$sysconfdir/$cfgfile $FAKE_ROOT/$sysconfdir/$cfgfile.default
+done
+
+#
+# Generate lpp control files.
+# working dir is $FAKE_ROOT but files are generated in dir above
+# and moved into place just before creation of .bff
+#
+cd $FAKE_ROOT
+echo Generating LPP control files
+find . ! -name . -print >../openssh.al
+$inventory >../openssh.inventory
+
+cat <<EOD >../openssh.copyright
+This software is distributed under a BSD-style license.
+For the full text of the license, see /usr/lpp/openssh/LICENCE
+EOD
+
+#
+# openssh.size file allows filesystem expansion as required
+# generate list of directories containing files
+# then calculate disk usage for each directory and store in openssh.size
+#
+files=`find . -type f -print`
+dirs=`for file in $files; do dirname $file; done | sort -u`
+for dir in $dirs
+do
+ du $dir
+done > ../openssh.size
+
+#
+# Create postinstall script
+#
+cat <<EOF >>../openssh.post_i
+#!/bin/sh
+
+echo Creating configs from defaults if necessary.
+for cfgfile in ssh_config sshd_config ssh_prng_cmds
+do
+ if [ ! -f $sysconfdir/\$cfgfile ]
+ then
+ echo "Creating \$cfgfile from default"
+ cp $sysconfdir/\$cfgfile.default $sysconfdir/\$cfgfile
+ else
+ echo "\$cfgfile already exists."
+ fi
+done
+echo
+
+# Create PrivSep user if PrivSep not disabled in config
+echo Creating PrivSep prereqs if required.
+if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null
+then
+ echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user,"
+ echo "group or chroot directory."
+else
+ echo "UsePrivilegeSeparation enabled in config (or defaulting to on)."
+
+ # create group if required
+ if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+ then
+ echo "PrivSep group $SSH_PRIVSEP_USER already exists."
+ else
+ echo "Creating PrivSep group $SSH_PRIVSEP_USER."
+ mkgroup -A $SSH_PRIVSEP_USER
+ fi
+
+ # Create user if required
+ if lsuser ALL | cut -f1 -d: | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+ then
+ echo "PrivSep user $SSH_PRIVSEP_USER already exists."
+ else
+ echo "Creating PrivSep user $SSH_PRIVSEP_USER."
+ mkuser gecos='SSHD PrivSep User' login=false rlogin=false account_locked=true pgrp=$SSH_PRIVSEP_USER $SSH_PRIVSEP_USER
+ fi
+
+ # create chroot directory if required
+ if [ -d $PRIVSEP_PATH ]
+ then
+ echo "PrivSep chroot directory $PRIVSEP_PATH already exists."
+ else
+ echo "Creating PrivSep chroot directory $PRIVSEP_PATH."
+ mkdir $PRIVSEP_PATH
+ chown 0 $PRIVSEP_PATH
+ chgrp 0 $PRIVSEP_PATH
+ chmod 755 $PRIVSEP_PATH
+ fi
+fi
+echo
+
+# Generate keys unless they already exist
+echo Creating host keys if required.
+if [ -f "$sysconfdir/ssh_host_key" ] ; then
+ echo "$sysconfdir/ssh_host_key already exists, skipping."
+else
+ $bindir/ssh-keygen -t rsa1 -f $sysconfdir/ssh_host_key -N ""
+fi
+if [ -f $sysconfdir/ssh_host_dsa_key ] ; then
+ echo "$sysconfdir/ssh_host_dsa_key already exists, skipping."
+else
+ $bindir/ssh-keygen -t dsa -f $sysconfdir/ssh_host_dsa_key -N ""
+fi
+if [ -f $sysconfdir/ssh_host_rsa_key ] ; then
+ echo "$sysconfdir/ssh_host_rsa_key already exists, skipping."
+else
+ $bindir/ssh-keygen -t rsa -f $sysconfdir/ssh_host_rsa_key -N ""
+fi
+echo
+
+# Set startup command depending on SRC support
+if [ "$AIX_SRC" = "yes" ]
+then
+ echo Creating SRC sshd subsystem.
+ rmssys -s sshd 2>&1 >/dev/null
+ mkssys -s sshd -p "$sbindir/sshd" -a '-D' -u 0 -S -n 15 -f 9 -R -G tcpip
+ startupcmd="start $sbindir/sshd \\\"\\\$src_running\\\""
+ oldstartcmd="$sbindir/sshd"
+else
+ startupcmd="$sbindir/sshd"
+ oldstartcmd="start $sbindir/sshd \\\"$src_running\\\""
+fi
+
+# If migrating to or from SRC, change previous startup command
+# otherwise add to rc.tcpip
+if egrep "^\$oldstartcmd" /etc/rc.tcpip >/dev/null
+then
+ if sed "s|^\$oldstartcmd|\$startupcmd|g" /etc/rc.tcpip >/etc/rc.tcpip.new
+ then
+ chmod 0755 /etc/rc.tcpip.new
+ mv /etc/rc.tcpip /etc/rc.tcpip.old && \
+ mv /etc/rc.tcpip.new /etc/rc.tcpip
+ else
+ echo "Updating /etc/rc.tcpip failed, please check."
+ fi
+else
+ # Add to system startup if required
+ if grep "^\$startupcmd" /etc/rc.tcpip >/dev/null
+ then
+ echo "sshd found in rc.tcpip, not adding."
+ else
+ echo "Adding sshd to rc.tcpip"
+ echo >>/etc/rc.tcpip
+ echo "# Start sshd" >>/etc/rc.tcpip
+ echo "\$startupcmd" >>/etc/rc.tcpip
+ fi
+fi
+EOF
+
+#
+# Create liblpp.a and move control files into it
+#
+echo Creating liblpp.a
+(
+ cd ..
+ for i in openssh.al openssh.copyright openssh.inventory openssh.post_i openssh.size LICENCE README*
+ do
+ ar -r liblpp.a $i
+ rm $i
+ done
+)
+
+#
+# Create lpp_name
+#
+# This will end up looking something like:
+# 4 R I OpenSSH {
+# OpenSSH 3.0.2.1 1 N U en_US OpenSSH 3.0.2p1 Portable for AIX
+# [
+# %
+# /usr/local/bin 8073
+# /usr/local/etc 189
+# /usr/local/libexec 185
+# /usr/local/man/man1 145
+# /usr/local/man/man8 83
+# /usr/local/sbin 2105
+# /usr/local/share 3
+# %
+# ]
+# }
+
+echo Creating lpp_name
+cat <<EOF >../lpp_name
+4 R I $PKGNAME {
+$PKGNAME $BFFVERSION 1 N U en_US OpenSSH $VERSION Portable for AIX
+[
+%
+EOF
+
+for i in $bindir $sysconfdir $libexecdir $mandir/${mansubdir}1 $mandir/${mansubdir}8 $sbindir $datadir /usr/lpp/openssh
+do
+ # get size in 512 byte blocks
+ if [ -d $FAKE_ROOT/$i ]
+ then
+ size=`du $FAKE_ROOT/$i | awk '{print $1}'`
+ echo "$i $size" >>../lpp_name
+ fi
+done
+
+echo '%' >>../lpp_name
+echo ']' >>../lpp_name
+echo '}' >>../lpp_name
+
+#
+# Move pieces into place
+#
+mkdir -p usr/lpp/openssh
+mv ../liblpp.a usr/lpp/openssh
+mv ../lpp_name .
+
+#
+# Now invoke backup to create .bff file
+# note: lpp_name needs to be the first file so we generate the
+# file list on the fly and feed it to backup using -i
+#
+echo Creating $PKGNAME-$VERSION.bff with backup...
+rm -f $PKGNAME-$VERSION.bff
+(
+ echo "./lpp_name"
+ find . ! -name lpp_name -a ! -name . -print
+) | backup -i -q -f ../$PKGNAME-$VERSION.bff $filelist
+
+#
+# Move package into final location and clean up
+#
+mv ../$PKGNAME-$VERSION.bff $startdir
+cd $startdir
+rm -rf $objdir/$PKGDIR
+
+echo $0: done.
+
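Review bot: The two branches that compute `oldstartcmd` escape `$src_running` differently: in the SRC branch `startupcmd` is written with `\\\$src_running` so the generated postinstall keeps the literal `$src_running`, while in the else branch `oldstartcmd` contains a bare `$src_running` that buildbff.sh expands at build time (normally to nothing), so the `egrep "^\$oldstartcmd"` used to migrate away from SRC is looking for `start .../sshd ""` and will not match the line a previous SRC install added; `oldstartcmd="start $sbindir/sshd \\\"\\\$src_running\\\""` makes the two consistent (the `$` inside an egrep pattern may still need escaping). `rmssys -s sshd 2>&1 >/dev/null` sends stderr to the terminal rather than to /dev/null because redirections apply left to right; `rmssys -s sshd >/dev/null 2>&1` is what was meant. `$filelist` on the backup line is never assigned anywhere in the script and expands to nothing, so it should be dropped or defined.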
diff --git a/crypto/openssh/contrib/aix/inventory.sh b/crypto/openssh/contrib/aix/inventory.sh
new file mode 100755
index 000000000000..e2641e79c4f9
--- /dev/null
+++ b/crypto/openssh/contrib/aix/inventory.sh
@@ -0,0 +1,63 @@
+#!/bin/sh
+#
+# inventory.sh
+# $Id: inventory.sh,v 1.6 2003/11/21 12:48:56 djm Exp $
+#
+# Originally written by Ben Lindstrom, modified by Darren Tucker to use perl
+# This file is placed into the public domain.
+#
+# This will produce an AIX package inventory file, which looks like:
+#
+# /usr/local/bin:
+# class=apply,inventory,openssh
+# owner=root
+# group=system
+# mode=755
+# type=DIRECTORY
+# /usr/local/bin/slogin:
+# class=apply,inventory,openssh
+# owner=root
+# group=system
+# mode=777
+# type=SYMLINK
+# target=ssh
+# /usr/local/share/Ssh.bin:
+# class=apply,inventory,openssh
+# owner=root
+# group=system
+# mode=644
+# type=FILE
+# size=VOLATILE
+# checksum=VOLATILE
+
+find . ! -name . -print | perl -ne '{
+ chomp;
+ if ( -l $_ ) {
+ ($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=lstat;
+ } else {
+ ($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=stat;
+ }
+
+ # Start to display inventory information
+ $name = $_;
+ $name =~ s|^.||; # Strip leading dot from path
+ print "$name:\n";
+ print "\tclass=apply,inventory,openssh\n";
+ print "\towner=root\n";
+ print "\tgroup=system\n";
+ printf "\tmode=%lo\n", $mod & 07777; # Mask perm bits
+
+ if ( -l $_ ) {
+ # Entry is SymLink
+ print "\ttype=SYMLINK\n";
+ printf "\ttarget=%s\n", readlink($_);
+ } elsif ( -f $_ ) {
+ # Entry is File
+ print "\ttype=FILE\n";
+ print "\tsize=$sz\n";
+ print "\tchecksum=VOLATILE\n";
+ } elsif ( -d $_ ) {
+ # Entry is Directory
+ print "\ttype=DIRECTORY\n";
+ }
+}'
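Review bot: An entry that is not a symlink, regular file or directory (a FIFO or device under the fake root, for instance) falls through the if/elsif chain with no `type=` line, leaving an incomplete stanza in the inventory; an `else` branch that warns on stderr would make the omission visible rather than silent. The header comment documents the three handled kinds well, so a sentence there noting that other kinds are skipped would suffice if that is intended.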
diff --git a/crypto/openssh/contrib/aix/pam.conf b/crypto/openssh/contrib/aix/pam.conf
new file mode 100644
index 000000000000..1495f43cbf82
--- /dev/null
+++ b/crypto/openssh/contrib/aix/pam.conf
@@ -0,0 +1,20 @@
+#
+# PAM configuration file /etc/pam.conf
+# Example for OpenSSH on AIX 5.2
+#
+
+# Authentication Management
+sshd auth required /usr/lib/security/pam_aix
+OTHER auth required /usr/lib/security/pam_aix
+
+# Account Management
+sshd account required /usr/lib/security/pam_aix
+OTHER account required /usr/lib/security/pam_aix
+
+# Session Management
+sshd password required /usr/lib/security/pam_aix
+OTHER password required /usr/lib/security/pam_aix
+
+# Password Management
+sshd session required /usr/lib/security/pam_aix
+OTHER session required /usr/lib/security/pam_aix
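Review bot: The two section comments on the last two groups are swapped relative to the lines beneath them: `# Session Management` sits above the `password` entries and `# Password Management` above the `session` entries. Exchange the two comment lines so that `# Password Management` precedes the `sshd password required ...` pair and `# Session Management` precedes the `sshd session required ...` pair; the module lines themselves are fine as written.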
diff --git a/crypto/openssh/contrib/caldera/openssh.spec b/crypto/openssh/contrib/caldera/openssh.spec
new file mode 100644
index 000000000000..e690f102fb5b
--- /dev/null
+++ b/crypto/openssh/contrib/caldera/openssh.spec
@@ -0,0 +1,366 @@
+
+# Some of this will need re-evaluation post-LSB. The SVIdir is there
+# because the link appeared broken. The rest is for easy compilation,
+# the tradeoff open to discussion. (LC957)
+
+%define SVIdir /etc/rc.d/init.d
+%{!?_defaultdocdir:%define _defaultdocdir %{_prefix}/share/doc/packages}
+%{!?SVIcdir:%define SVIcdir /etc/sysconfig/daemons}
+
+%define _mandir %{_prefix}/share/man/en
+%define _sysconfdir /etc/ssh
+%define _libexecdir %{_libdir}/ssh
+
+# Do we want to disable root_login? (1=yes 0=no)
+%define no_root_login 0
+
+#old cvs stuff. please update before use. may be deprecated.
+%define use_stable 1
+%if %{use_stable}
+ %define version 3.8.1p1
+ %define cvs %{nil}
+ %define release 1
+%else
+ %define version 3.8.1p1
+ %define cvs cvs20011009
+ %define release 0r1
+%endif
+%define xsa x11-ssh-askpass
+%define askpass %{xsa}-1.2.4.1
+
+# OpenSSH privilege separation requires a user & group ID
+%define sshd_uid 67
+%define sshd_gid 67
+
+Name : openssh
+Version : %{version}%{cvs}
+Release : %{release}
+Group : System/Network
+
+Summary : OpenSSH free Secure Shell (SSH) implementation.
+Summary(de) : OpenSSH - freie Implementation der Secure Shell (SSH).
+Summary(es) : OpenSSH implementación libre de Secure Shell (SSH).
+Summary(fr) : Implémentation libre du shell sécurisé OpenSSH (SSH).
+Summary(it) : Implementazione gratuita OpenSSH della Secure Shell.
+Summary(pt) : Implementação livre OpenSSH do protocolo 'Secure Shell' (SSH).
+Summary(pt_BR) : Implementação livre OpenSSH do protocolo Secure Shell (SSH).
+
+Copyright : BSD
+Packager : Raymund Will <ray@caldera.de>
+URL : http://www.openssh.com/
+
+Obsoletes : ssh, ssh-clients, openssh-clients
+
+BuildRoot : /tmp/%{name}-%{version}
+BuildRequires : XFree86-imake
+
+# %{use_stable}==1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
+# %{use_stable}==0: :pserver:cvs@bass.directhit.com:/cvs/openssh_cvs
+Source0: see-above:/.../openssh-%{version}.tar.gz
+%if %{use_stable}
+Source1: see-above:/.../openssh-%{version}.tar.gz.sig
+%endif
+Source2: http://www.ntrnet.net/~jmknoble/software/%{xsa}/%{askpass}.tar.gz
+Source3: http://www.openssh.com/faq.html
+
+%Package server
+Group : System/Network
+Requires : openssh = %{version}
+Obsoletes : ssh-server
+
+Summary : OpenSSH Secure Shell protocol server (sshd).
+Summary(de) : OpenSSH Secure Shell Protocol-Server (sshd).
+Summary(es) : Servidor del protocolo OpenSSH Secure Shell (sshd).
+Summary(fr) : Serveur de protocole du shell sécurisé OpenSSH (sshd).
+Summary(it) : Server OpenSSH per il protocollo Secure Shell (sshd).
+Summary(pt) : Servidor do protocolo 'Secure Shell' OpenSSH (sshd).
+Summary(pt_BR) : Servidor do protocolo Secure Shell OpenSSH (sshd).
+
+
+%Package askpass
+Group : System/Network
+Requires : openssh = %{version}
+URL : http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/
+Obsoletes : ssh-extras
+
+Summary : OpenSSH X11 pass-phrase dialog.
+Summary(de) : OpenSSH X11 Passwort-Dialog.
+Summary(es) : Aplicación de petición de frase clave OpenSSH X11.
+Summary(fr) : Dialogue pass-phrase X11 d'OpenSSH.
+Summary(it) : Finestra di dialogo X11 per la frase segreta di OpenSSH.
+Summary(pt) : Diálogo de pedido de senha para X11 do OpenSSH.
+Summary(pt_BR) : Diálogo de pedido de senha para X11 do OpenSSH.
+
+
+%Description
+OpenSSH (Secure Shell) provides access to a remote system. It replaces
+telnet, rlogin, rexec, and rsh, and provides secure encrypted
+communications between two untrusted hosts over an insecure network.
+X11 connections and arbitrary TCP/IP ports can also be forwarded over
+the secure channel.
+
+%Description -l de
+OpenSSH (Secure Shell) stellt den Zugang zu anderen Rechnern her. Es ersetzt
+telnet, rlogin, rexec und rsh und stellt eine sichere, verschlüsselte
+Verbindung zwischen zwei nicht vertrauenswürdigen Hosts über eine unsicheres
+Netzwerk her. X11 Verbindungen und beliebige andere TCP/IP Ports können ebenso
+über den sicheren Channel weitergeleitet werden.
+
+%Description -l es
+OpenSSH (Secure Shell) proporciona acceso a sistemas remotos. Reemplaza a
+telnet, rlogin, rexec, y rsh, y proporciona comunicaciones seguras encriptadas
+entre dos equipos entre los que no se ha establecido confianza a través de una
+red insegura. Las conexiones X11 y puertos TCP/IP arbitrarios también pueden
+ser canalizadas sobre el canal seguro.
+
+%Description -l fr
+OpenSSH (Secure Shell) fournit un accès à un système distant. Il remplace
+telnet, rlogin, rexec et rsh, tout en assurant des communications cryptées
+securisées entre deux hôtes non fiabilisés sur un réseau non sécurisé. Des
+connexions X11 et des ports TCP/IP arbitraires peuvent également être
+transmis sur le canal sécurisé.
+
+%Description -l it
+OpenSSH (Secure Shell) fornisce l'accesso ad un sistema remoto.
+Sostituisce telnet, rlogin, rexec, e rsh, e fornisce comunicazioni sicure
+e crittate tra due host non fidati su una rete non sicura. Le connessioni
+X11 ad una porta TCP/IP arbitraria possono essere inoltrate attraverso
+un canale sicuro.
+
+%Description -l pt
+OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o
+telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e cifradas
+entre duas máquinas sem confiança mútua sobre uma rede insegura.
+Ligações X11 e portos TCP/IP arbitrários também poder ser reenviados
+pelo canal seguro.
+
+%Description -l pt_BR
+O OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o
+telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e criptografadas
+entre duas máquinas sem confiança mútua sobre uma rede insegura.
+Ligações X11 e portas TCP/IP arbitrárias também podem ser reenviadas
+pelo canal seguro.
+
+%Description server
+This package installs the sshd, the server portion of OpenSSH.
+
+%Description -l de server
+Dieses Paket installiert den sshd, den Server-Teil der OpenSSH.
+
+%Description -l es server
+Este paquete instala sshd, la parte servidor de OpenSSH.
+
+%Description -l fr server
+Ce paquetage installe le 'sshd', partie serveur de OpenSSH.
+
+%Description -l it server
+Questo pacchetto installa sshd, il server di OpenSSH.
+
+%Description -l pt server
+Este pacote intala o sshd, o servidor do OpenSSH.
+
+%Description -l pt_BR server
+Este pacote intala o sshd, o servidor do OpenSSH.
+
+%Description askpass
+This package contains an X11-based pass-phrase dialog used per
+default by ssh-add(1). It is based on %{askpass}
+by Jim Knoble <jmknoble@pobox.com>.
+
+
+%Prep
+%setup %([ -z "%{cvs}" ] || echo "-n %{name}_cvs") -a2
+%if ! %{use_stable}
+ autoreconf
+%endif
+
+
+%Build
+CFLAGS="$RPM_OPT_FLAGS" \
+%configure \
+ --with-pam \
+ --with-tcp-wrappers \
+ --with-privsep-path=%{_var}/empty/sshd \
+ #leave this line for easy edits.
+
+%__make CFLAGS="$RPM_OPT_FLAGS"
+
+cd %{askpass}
+%configure \
+ #leave this line for easy edits.
+
+xmkmf
+%__make includes
+%__make
+
+
+%Install
+[ %{buildroot} != "/" ] && rm -rf %{buildroot}
+
+make install DESTDIR=%{buildroot}
+%makeinstall -C %{askpass} \
+ BINDIR=%{_libexecdir} \
+ MANPATH=%{_mandir} \
+ DESTDIR=%{buildroot}
+
+# OpenLinux specific configuration
+mkdir -p %{buildroot}{/etc/pam.d,%{SVIcdir},%{SVIdir}}
+mkdir -p %{buildroot}%{_var}/empty/sshd
+
+# enabling X11 forwarding on the server is convenient and okay,
+# on the client side it's a potential security risk!
+%__perl -pi -e 's:#X11Forwarding no:X11Forwarding yes:g' \
+ %{buildroot}%{_sysconfdir}/sshd_config
+
+%if %{no_root_login}
+%__perl -pi -e 's:#PermitRootLogin yes:PermitRootLogin no:g' \
+ %{buildroot}%{_sysconfdir}/sshd_config
+%endif
+
+install -m644 contrib/caldera/sshd.pam %{buildroot}/etc/pam.d/sshd
+# FIXME: disabled, find out why this doesn't work with nis
+%__perl -pi -e 's:(.*pam_limits.*):#$1:' \
+ %{buildroot}/etc/pam.d/sshd
+
+install -m 0755 contrib/caldera/sshd.init %{buildroot}%{SVIdir}/sshd
+
+# the last one is needless, but more future-proof
+find %{buildroot}%{SVIdir} -type f -exec \
+ %__perl -pi -e 's:\@SVIdir\@:%{SVIdir}:g;\
+ s:\@sysconfdir\@:%{_sysconfdir}:g; \
+ s:/usr/sbin:%{_sbindir}:g'\
+ \{\} \;
+
+cat <<-EoD > %{buildroot}%{SVIcdir}/sshd
+ IDENT=sshd
+ DESCRIPTIVE="OpenSSH secure shell daemon"
+ # This service will be marked as 'skipped' on boot if there
+ # is no host key. Use ssh-host-keygen to generate one
+ ONBOOT="yes"
+ OPTIONS=""
+EoD
+
+SKG=%{buildroot}%{_sbindir}/ssh-host-keygen
+install -m 0755 contrib/caldera/ssh-host-keygen $SKG
+# Fix up some path names in the keygen toy^Hol
+ %__perl -pi -e 's:\@sysconfdir\@:%{_sysconfdir}:g; \
+ s:\@sshkeygen\@:%{_bindir}/ssh-keygen:g' \
+ %{buildroot}%{_sbindir}/ssh-host-keygen
+
+# This looks terrible. Expect it to change.
+# install remaining docs
+DocD="%{buildroot}%{_defaultdocdir}/%{name}-%{version}"
+mkdir -p $DocD/%{askpass}
+cp -a CREDITS ChangeLog LICENCE OVERVIEW README* TODO $DocD
+install -p -m 0444 %{SOURCE3} $DocD/faq.html
+cp -a %{askpass}/{README,ChangeLog,TODO,SshAskpass*.ad} $DocD/%{askpass}
+%if %{use_stable}
+ cp -p %{askpass}/%{xsa}.man $DocD/%{askpass}/%{xsa}.1
+%else
+ cp -p %{askpass}/%{xsa}.man %{buildroot}%{_mandir}man1/%{xsa}.1
+ ln -s %{xsa}.1 %{buildroot}%{_mandir}man1/ssh-askpass.1
+%endif
+
+find %{buildroot}%{_mandir} -type f -not -name '*.gz' -print0 | xargs -0r %__gzip -9nf
+rm %{buildroot}%{_mandir}/man1/slogin.1 && \
+ ln -s %{_mandir}/man1/ssh.1.gz \
+ %{buildroot}%{_mandir}/man1/slogin.1.gz
+
+
+%Clean
+#%{rmDESTDIR}
+[ %{buildroot} != "/" ] && rm -rf %{buildroot}
+
+%Post
+# Generate host key when none is present to get up and running,
+# both client and server require this for host-based auth!
+# ssh-host-keygen checks for existing keys.
+/usr/sbin/ssh-host-keygen
+: # to protect the rpm database
+
+%pre server
+%{_sbindir}/groupadd -g %{sshd_gid} sshd 2>/dev/null || :
+%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
+ -c "SSH Daemon virtual user" -g sshd sshd 2>/dev/null || :
+: # to protect the rpm database
+
+%Post server
+if [ -x %{LSBinit}-install ]; then
+ %{LSBinit}-install sshd
+else
+ lisa --SysV-init install sshd S55 2:3:4:5 K45 0:1:6
+fi
+
+! %{SVIdir}/sshd status || %{SVIdir}/sshd restart
+: # to protect the rpm database
+
+
+%PreUn server
+[ "$1" = 0 ] || exit 0
+
+! %{SVIdir}/sshd status || %{SVIdir}/sshd stop
+: # to protect the rpm database
+
+
+%PostUn server
+if [ -x %{LSBinit}-remove ]; then
+ %{LSBinit}-remove sshd
+else
+ lisa --SysV-init remove sshd $1
+fi
+: # to protect the rpm database
+
+
+%Files
+%defattr(-,root,root)
+%dir %{_sysconfdir}
+%config %{_sysconfdir}/ssh_config
+%{_bindir}/scp
+%{_bindir}/sftp
+%{_bindir}/ssh
+%{_bindir}/slogin
+%{_bindir}/ssh-add
+%attr(2755,root,nobody) %{_bindir}/ssh-agent
+%{_bindir}/ssh-keygen
+%{_bindir}/ssh-keyscan
+%dir %{_libexecdir}
+%attr(4711,root,root) %{_libexecdir}/ssh-keysign
+%{_sbindir}/ssh-host-keygen
+%dir %{_defaultdocdir}/%{name}-%{version}
+%{_defaultdocdir}/%{name}-%{version}/CREDITS
+%{_defaultdocdir}/%{name}-%{version}/ChangeLog
+%{_defaultdocdir}/%{name}-%{version}/LICENCE
+%{_defaultdocdir}/%{name}-%{version}/OVERVIEW
+%{_defaultdocdir}/%{name}-%{version}/README*
+%{_defaultdocdir}/%{name}-%{version}/TODO
+%{_defaultdocdir}/%{name}-%{version}/faq.html
+%{_mandir}/man1/*
+%{_mandir}/man8/ssh-keysign.8.gz
+%{_mandir}/man5/ssh_config.5.gz
+
+%Files server
+%defattr(-,root,root)
+%dir %{_var}/empty/sshd
+%config %{SVIdir}/sshd
+%config /etc/pam.d/sshd
+%config %{_sysconfdir}/moduli
+%config %{_sysconfdir}/sshd_config
+%config %{SVIcdir}/sshd
+%{_libexecdir}/sftp-server
+%{_sbindir}/sshd
+%{_mandir}/man5/sshd_config.5.gz
+%{_mandir}/man8/sftp-server.8.gz
+%{_mandir}/man8/sshd.8.gz
+
+%Files askpass
+%defattr(-,root,root)
+%{_libexecdir}/ssh-askpass
+%{_libexecdir}/x11-ssh-askpass
+%{_defaultdocdir}/%{name}-%{version}/%{askpass}
+
+
+%ChangeLog
+* Mon Jan 01 1998 ...
+Template Version: 1.31
+
+$Id: openssh.spec,v 1.49 2004/03/21 22:40:04 djm Exp $
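Review bot: `%{LSBinit}` is referenced in `%Post server` (`if [ -x %{LSBinit}-install ]`) and `%PostUn server` (`if [ -x %{LSBinit}-remove ]`) but is never defined anywhere in this spec, unlike `SVIdir`/`SVIcdir` which get a guarded `%define` near the top; an undefined macro is left in the script text literally, so the `-x` test can never succeed and the `lisa` fallback always runs. Either add a guarded definition next to the others, e.g. `%{!?LSBinit:%define LSBinit <PATH-TO-LSB-INIT-HELPER>}` with the real helper path filled in, or drop the dead branch and call `lisa` directly. Separately, the two `[ %{buildroot} != "/" ] && rm -rf %{buildroot}` lines in `%Install` and `%Clean` should quote the expansion (`[ "%{buildroot}" != "/" ]`) so an empty value produces a test error rather than a malformed command. The `%attr(4711,root,root)` on ssh-keysign and `%attr(2755,root,nobody)` on ssh-agent are the only privileged bits in the file list and deserve a one-line comment each stating why they are required, since a future maintainer has no way to tell intent from accident.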
diff --git a/crypto/openssh/contrib/caldera/ssh-host-keygen b/crypto/openssh/contrib/caldera/ssh-host-keygen
new file mode 100755
index 000000000000..3c5c1718270a
--- /dev/null
+++ b/crypto/openssh/contrib/caldera/ssh-host-keygen
@@ -0,0 +1,36 @@
+#! /bin/sh
+#
+# $Id: ssh-host-keygen,v 1.2 2003/11/21 12:48:57 djm Exp $
+#
+# This script is normally run only *once* for a given host
+# (in a given period of time) -- on updates/upgrades/recovery
+# the ssh_host_key* files _should_ be retained! Otherwise false
+# "man-in-the-middle-attack" alerts will frighten unsuspecting
+# clients...
+
+keydir=@sysconfdir@
+keygen=@sshkeygen@
+
+if [ -f $keydir/ssh_host_key -o \
+ -f $keydir/ssh_host_key.pub ]; then
+ echo "You already have an SSH1 RSA host key in $keydir/ssh_host_key."
+else
+ echo "Generating 1024 bit SSH1 RSA host key."
+ $keygen -b 1024 -t rsa1 -f $keydir/ssh_host_key -C '' -N ''
+fi
+
+if [ -f $keydir/ssh_host_rsa_key -o \
+ -f $keydir/ssh_host_rsa_key.pub ]; then
+ echo "You already have an SSH2 RSA host key in $keydir/ssh_host_rsa_key."
+else
+ echo "Generating 1024 bit SSH2 RSA host key."
+ $keygen -b 1024 -t rsa -f $keydir/ssh_host_rsa_key -C '' -N ''
+fi
+
+if [ -f $keydir/ssh_host_dsa_key -o \
+ -f $keydir/ssh_host_dsa_key.pub ]; then
+ echo "You already have an SSH2 DSA host key in $keydir/ssh_host_dsa_key."
+else
+ echo "Generating SSH2 DSA host key."
+ $keygen -t dsa -f $keydir/ssh_host_dsa_key -C '' -N ''
+fi
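Review bot: None of the three `$keygen` invocations checks its exit status, so a failed key generation (unwritable `$keydir`, missing ssh-keygen at `@sshkeygen@`) still lets the script exit 0, and the caller in the spec's `%Post` then believes the host has keys while sshd.init will later refuse to start for lack of them. Appending `|| exit 1` to each call, e.g. `$keygen -b 1024 -t rsa -f $keydir/ssh_host_rsa_key -C '' -N '' || exit 1`, and likewise for the rsa1 and dsa lines, makes the failure visible at install time. `$keydir` is also unquoted in every test and path; harmless for the substituted default but worth quoting since the value comes from a build-time substitution.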
diff --git a/crypto/openssh/contrib/caldera/sshd.init b/crypto/openssh/contrib/caldera/sshd.init
new file mode 100755
index 000000000000..983146f4fe00
--- /dev/null
+++ b/crypto/openssh/contrib/caldera/sshd.init
@@ -0,0 +1,125 @@
+#! /bin/bash
+#
+# $Id: sshd.init,v 1.4 2003/11/21 12:48:57 djm Exp $
+#
+### BEGIN INIT INFO
+# Provides:
+# Required-Start: $network
+# Required-Stop:
+# Default-Start: 3 4 5
+# Default-Stop: 0 1 2 6
+# Description: sshd
+# Bring up/down the OpenSSH secure shell daemon.
+### END INIT INFO
+#
+# Written by Miquel van Smoorenburg <miquels@drinkel.ow.org>.
+# Modified for Debian GNU/Linux by Ian Murdock <imurdock@gnu.ai.mit.edu>.
+# Modified for OpenLinux by Raymund Will <ray@caldera.de>
+
+NAME=sshd
+DAEMON=/usr/sbin/$NAME
+# Hack-Alert(TM)! This is necessary to get around the 'reload'-problem
+# created by recent OpenSSH daemon/ssd combinations. See Caldera internal
+# PR [linux/8278] for details...
+PIDF=/var/run/$NAME.pid
+NAME=$DAEMON
+
+_status() {
+ [ -z "$1" ] || local pidf="$1"
+ local ret=-1
+ local pid
+ if [ -n "$pidf" ] && [ -r "$pidf" ]; then
+ pid=$(head -1 $pidf)
+ else
+ pid=$(pidof $NAME)
+ fi
+
+ if [ ! -e $SVIlock ]; then
+ # no lock-file => not started == stopped?
+ ret=3
+ elif [ -n "$pidf" -a ! -f "$pidf" ] || [ -z "$pid" ]; then
+ # pid-file given but not present or no pid => died, but was not stopped
+ ret=2
+ elif [ -r /proc/$pid/cmdline ] &&
+ echo -ne $NAME'\000' | cmp -s - /proc/$pid/cmdline; then
+ # pid-file given and present or pid found => check process...
+ # but don't compare exe, as this will fail after an update!
+ # compares OK => all's well, that ends well...
+ ret=0
+ else
+ # no such process or exe does not match => stale pid-file or process died
+ # just recently...
+ ret=1
+ fi
+ return $ret
+}
+
+# Source function library (and set vital variables).
+. @SVIdir@/functions
+
+case "$1" in
+ start)
+ [ ! -e $SVIlock ] || exit 0
+ [ -x $DAEMON ] || exit 5
+ SVIemptyConfig @sysconfdir@/sshd_config && exit 6
+
+ if [ ! \( -f @sysconfdir@/ssh_host_key -a \
+ -f @sysconfdir@/ssh_host_key.pub \) -a \
+ ! \( -f @sysconfdir@/ssh_host_rsa_key -a \
+ -f @sysconfdir@/ssh_host_rsa_key.pub \) -a \
+ ! \( -f @sysconfdir@/ssh_host_dsa_key -a \
+ -f @sysconfdir@/ssh_host_dsa_key.pub \) ]; then
+
+ echo "$SVIsubsys: host key not initialized: skipped!"
+ echo "$SVIsubsys: use ssh-host-keygen to generate one!"
+ exit 6
+ fi
+
+ echo -n "Starting $SVIsubsys services: "
+ ssd -S -x $DAEMON -n $NAME -- $OPTIONS
+ ret=$?
+
+ echo "."
+ touch $SVIlock
+ ;;
+
+ stop)
+ [ -e $SVIlock ] || exit 0
+
+ echo -n "Stopping $SVIsubsys services: "
+ ssd -K -p $PIDF -n $NAME
+ ret=$?
+
+ echo "."
+ rm -f $SVIlock
+ ;;
+
+ force-reload|reload)
+ [ -e $SVIlock ] || exit 0
+
+ echo "Reloading $SVIsubsys configuration files: "
+ ssd -K --signal 1 -q -p $PIDF -n $NAME
+ ret=$?
+ echo "done."
+ ;;
+
+ restart)
+ $0 stop
+ $0 start
+ ret=$?
+ ;;
+
+ status)
+ _status $PIDF
+ ret=$?
+ ;;
+
+ *)
+ echo "Usage: $SVIscript {[re]start|stop|[force-]reload|status}"
+ ret=2
+ ;;
+
+esac
+
+exit $ret
+
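Review bot: In the `start)` branch `touch $SVIlock` runs unconditionally after `ssd -S ...` even when `ret` is non-zero, so a failed daemon start still leaves the lock file behind and a subsequent `start` exits 0 at the `[ ! -e $SVIlock ] || exit 0` guard without ever retrying; `[ $ret -eq 0 ] && touch $SVIlock` would keep the lock consistent with the actual state. In `_status`, the value read with `pid=$(head -1 $pidf)` is used directly to form `/proc/$pid/cmdline` with no check that it is a plain number, so a corrupted or hand-edited pid file yields a misleading status rather than the "stale pid-file" branch; a one-line `case "$pid" in *[!0-9]*) pid="";; esac` after reading it would route that case to `ret=2`. The `restart)` branch also discards the result of `$0 stop`, which is probably intended but deserves a comment.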
diff --git a/crypto/openssh/contrib/caldera/sshd.pam b/crypto/openssh/contrib/caldera/sshd.pam
new file mode 100644
index 000000000000..26dcb34d9e94
--- /dev/null
+++ b/crypto/openssh/contrib/caldera/sshd.pam
@@ -0,0 +1,8 @@
+#%PAM-1.0
+auth required /lib/security/pam_pwdb.so shadow nodelay
+auth required /lib/security/pam_nologin.so
+account required /lib/security/pam_pwdb.so
+password required /lib/security/pam_cracklib.so
+password required /lib/security/pam_pwdb.so shadow nullok use_authtok
+session required /lib/security/pam_pwdb.so
+session required /lib/security/pam_limits.so
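Review bot: The `nodelay` argument on the first `auth` line turns off pam_pwdb's delay after a failed authentication, which removes one of the two rate limits on password guessing and leaves only sshd's own connection handling; if that is intended for interactive responsiveness, a comment such as `# nodelay: rely on sshd (MaxAuthTries/LoginGraceTime) rather than PAM for failed-auth throttling` would record the decision. The `password` line's `nullok` permits password changes for accounts that currently have an empty password, which is a deliberate policy choice worth documenting next to it. Note also that the spec's `%Install` comments out any `pam_limits` line in this file at install time (the `FIXME` in openssh.spec), so the last line here is effectively disabled in the built package and the file should say so.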
diff --git a/crypto/openssh/contrib/cygwin/Makefile b/crypto/openssh/contrib/cygwin/Makefile
new file mode 100644
index 000000000000..09e8ea2db213
--- /dev/null
+++ b/crypto/openssh/contrib/cygwin/Makefile
@@ -0,0 +1,56 @@
+srcdir=../..
+prefix=/usr
+exec_prefix=$(prefix)
+bindir=$(prefix)/bin
+datadir=$(prefix)/share
+docdir=$(datadir)/doc
+sshdocdir=$(docdir)/openssh
+cygdocdir=$(docdir)/Cygwin
+sysconfdir=/etc
+defaultsdir=$(sysconfdir)/defaults/etc
+PRIVSEP_PATH=/var/empty
+INSTALL=/usr/bin/install -c
+
+DESTDIR=
+
+all:
+ @echo
+ @echo "Use \`make cygwin-postinstall DESTDIR=[package directory]'"
+ @echo "Be sure having DESTDIR set correctly!"
+ @echo
+
+move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/sshd_config
+ $(srcdir)/mkinstalldirs $(DESTDIR)$(defaultsdir)
+ mv $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(defaultsdir)
+ mv $(DESTDIR)$(sysconfdir)/sshd_config $(DESTDIR)$(defaultsdir)
+
+remove-empty-dir:
+ rm -rf $(DESTDIR)$(PRIVSEP_PATH)
+
+install-sshdoc:
+ $(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir)
+ $(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS
+ $(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog
+ $(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE
+ $(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
+ $(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
+ $(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
+ $(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
+ $(INSTALL) -m 644 $(srcdir)/README.smartcard $(DESTDIR)$(sshdocdir)/README.smartcard
+ $(INSTALL) -m 644 $(srcdir)/RFC.nroff $(DESTDIR)$(sshdocdir)/RFC.nroff
+ $(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
+ $(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG
+
+install-cygwindoc: README
+ $(srcdir)/mkinstalldirs $(DESTDIR)$(cygdocdir)
+ $(INSTALL) -m 644 README $(DESTDIR)$(cygdocdir)/openssh.README
+
+install-doc: install-sshdoc install-cygwindoc
+
+install-scripts: ssh-host-config ssh-user-config
+ $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
+ $(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config
+ $(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config
+
+cygwin-postinstall: move-config-files remove-empty-dir install-doc install-scripts
+ @echo "Cygwin specific configuration finished."
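Review bot: `DESTDIR` defaults to empty (`DESTDIR=` near the top), so `remove-empty-dir` becomes `rm -rf /var/empty` and `move-config-files` moves the live `/etc/ssh_config` and `/etc/sshd_config` when `make cygwin-postinstall` is invoked without the variable the `all` target warns about; a guard target that the three install targets depend on, e.g. `check-destdir:` followed by `@test -n "$(DESTDIR)" || { echo "DESTDIR must be set"; exit 1; }`, turns that into a hard error instead of an in-place change to the running system. The targets `move-config-files`, `remove-empty-dir`, `install-sshdoc`, `install-cygwindoc` and `install-scripts` are not declared `.PHONY`, so a file named after any of them in the build directory silently satisfies the rule.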
diff --git a/crypto/openssh/contrib/cygwin/README b/crypto/openssh/contrib/cygwin/README
new file mode 100644
index 000000000000..fc0a2f69bd4b
--- /dev/null
+++ b/crypto/openssh/contrib/cygwin/README
@@ -0,0 +1,224 @@
+This package describes important Cygwin specific stuff concerning OpenSSH.
+
+The binary package is usually built for recent Cygwin versions and might
+not run on older versions. Please check http://cygwin.com/ for information
+about current Cygwin releases.
+
+Build instructions are at the end of the file.
+
+===========================================================================
+Important change since 3.7.1p2-2:
+
+The ssh-host-config file doesn't create the /etc/ssh_config and
+/etc/sshd_config files from builtin here-scripts anymore, but it uses
+skeleton files installed in /etc/defaults/etc.
+
+Also it now tries hard to create appropriate permissions on files.
+Same applies for ssh-user-config.
+
+After creating the sshd service with ssh-host-config, it's advisable to
+call ssh-user-config for all affected users, also already exising user
+configurations. In the latter case, file and directory permissions are
+checked and changed, if requireed to match the host configuration.
+
+Important note for Windows 2003 Server users:
+---------------------------------------------
+
+2003 Server has a funny new feature. When starting services under SYSTEM
+account, these services have nearly all user rights which SYSTEM holds...
+except for the "Create a token object" right, which is needed to allow
+public key authentication :-(
+
+There's no way around this, except for creating a substitute account which
+has the appropriate privileges. Basically, this account should be member
+of the administrators group, plus it should have the following user rights:
+
+ Create a token object
+ Logon as a service
+ Replace a process level token
+ Increase Quota
+
+The ssh-host-config script asks you, if it should create such an account,
+called "sshd_server". If you say "no" here, you're on your own. Please
+follow the instruction in ssh-host-config exactly if possible. Note that
+ssh-user-config sets the permissions on 2003 Server machines dependent of
+whether a sshd_server account exists or not.
+===========================================================================
+
+===========================================================================
+Important change since 3.4p1-2:
+
+This version adds privilege separation as default setting, see
+/usr/doc/openssh/README.privsep. According to that document the
+privsep feature requires a non-privileged account called 'sshd'.
+
+The new ssh-host-config file which is part of this version asks
+to create 'sshd' as local user if you want to use privilege
+separation. If you confirm, it creates that NT user and adds
+the necessary entry to /etc/passwd.
+
+On 9x/Me systems the script just sets UsePrivilegeSeparation to "no"
+since that feature doesn't make any sense on a system which doesn't
+differ between privileged and unprivileged users.
+
+The new ssh-host-config script also adds the /var/empty directory
+needed by privilege separation. When creating the /var/empty directory
+by yourself, please note that in contrast to the README.privsep document
+the owner sshould not be "root" but the user which is running sshd. So,
+in the standard configuration this is SYSTEM. The ssh-host-config script
+chowns /var/empty accordingly.
+===========================================================================
+
+===========================================================================
+Important change since 3.0.1p1-2:
+
+This version introduces the ability to register sshd as service on
+Windows 9x/Me systems. This is done only when the options -D and/or
+-d are not given.
+===========================================================================
+
+===========================================================================
+Important change since 2.9p2:
+
+Since Cygwin is able to switch user context without password beginning
+with version 1.3.2, OpenSSH now allows to do so when it's running under
+a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
+allow that feature.
+===========================================================================
+
+===========================================================================
+Important change since 2.3.0p1:
+
+When using `ntea' or `ntsec' you now have to care for the ownership
+and permission bits of your host key files and your private key files.
+The host key files have to be owned by the NT account which starts
+sshd. The user key files have to be owned by the user. The permission
+bits of the private key files (host and user) have to be at least
+rw------- (0600)!
+
+Note that this is forced under `ntsec' only if the files are on a NTFS
+filesystem (which is recommended) due to the lack of any basic security
+features of the FAT/FAT32 filesystems.
+===========================================================================
+
+If you are installing OpenSSH the first time, you can generate global config
+files and server keys by running
+
+ /usr/bin/ssh-host-config
+
+Note that this binary archive doesn't contain default config files in /etc.
+That files are only created if ssh-host-config is started.
+
+If you are updating your installation you may run the above ssh-host-config
+as well to move your configuration files to the new location and to
+erase the files at the old location.
+
+To support testing and unattended installation ssh-host-config got
+some options:
+
+usage: ssh-host-config [OPTION]...
+Options:
+ --debug -d Enable shell's debug output.
+ --yes -y Answer all questions with "yes" automatically.
+ --no -n Answer all questions with "no" automatically.
+ --cygwin -c <options> Use "options" as value for CYGWIN environment var.
+ --port -p <n> sshd listens on port n.
+ --pwd -w <passwd> Use "pwd" as password for user 'sshd_server'.
+
+Additionally ssh-host-config now asks if it should install sshd as a
+service when running under NT/W2K. This requires cygrunsrv installed.
+
+You can create the private and public keys for a user now by running
+
+ /usr/bin/ssh-user-config
+
+under the users account.
+
+To support testing and unattended installation ssh-user-config got
+some options as well:
+
+usage: ssh-user-config [OPTION]...
+Options:
+ --debug -d Enable shell's debug output.
+ --yes -y Answer all questions with "yes" automatically.
+ --no -n Answer all questions with "no" automatically.
+ --passphrase -p word Use "word" as passphrase automatically.
+
+Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd
+(results in very slow deamon startup!) or from the command line (recommended
+on 9X/ME).
+
+If you start sshd as deamon via cygrunsrv.exe you MUST give the
+"-D" option to sshd. Otherwise the service can't get started at all.
+
+If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
+following line to your inetd.conf file:
+
+ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i
+
+Moreover you'll have to add the following line to your
+${SYSTEMROOT}/system32/drivers/etc/services file:
+
+ ssh 22/tcp #SSH daemon
+
+Please note that OpenSSH does never use the value of $HOME to
+search for the users configuration files! It always uses the
+value of the pw_dir field in /etc/passwd as the home directory.
+If no home diretory is set in /etc/passwd, the root directory
+is used instead!
+
+You may use all features of the CYGWIN=ntsec setting the same
+way as they are used by Cygwin's login(1) port:
+
+ The pw_gecos field may contain an additional field, that begins
+ with (upper case!) "U-", followed by the domain and the username
+ separated by a backslash.
+ CAUTION: The SID _must_ remain the _last_ field in pw_gecos!
+ BTW: The field separator in pw_gecos is the comma.
+ The username in pw_name itself may be any nice name:
+
+ domuser::1104:513:John Doe,U-domain\user,S-1-5-21-...
+
+ Now you may use `domuser' as your login name with telnet!
+ This is possible additionally for local users, if you don't like
+ your NT login name ;-) You only have to leave out the domain:
+
+ locuser::1104:513:John Doe,U-user,S-1-5-21-...
+
+Note that the CYGWIN=ntsec setting is required for public key authentication.
+
+SSH2 server and user keys are generated by the `ssh-*-config' scripts
+as well.
+
+If you want to build from source, the following options to
+configure are used for the Cygwin binary distribution:
+
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --libexecdir='$(sbindir)' \
+ --localstatedir=/var \
+ --datadir='$(prefix)/share' \
+ --mandir='$(datadir)/man' \
+ --with-tcp-wrappers
+
+If you want to create a Cygwin package, equivalent to the one
+in the Cygwin binary distribution, install like this:
+
+ mkdir /tmp/cygwin-ssh
+ cd $(builddir)
+ make install DESTDIR=/tmp/cygwin-ssh
+ cd $(srcdir)/contrib/cygwin
+ make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh
+ cd /tmp/cygwin-ssh
+ find * \! -type d | tar cvjfT my-openssh.tar.bz2 -
+
+You must have installed the zlib and openssl-devel packages to be able to
+build OpenSSH!
+
+Please send requests, error reports etc. to cygwin@cygwin.com.
+
+Have fun,
+
+Corinna Vinschen
+Cygwin Developer
+Red Hat Inc.
diff --git a/crypto/openssh/contrib/cygwin/ssh-host-config b/crypto/openssh/contrib/cygwin/ssh-host-config
new file mode 100644
index 000000000000..9c0dabf41b4d
--- /dev/null
+++ b/crypto/openssh/contrib/cygwin/ssh-host-config
@@ -0,0 +1,592 @@
+#!/bin/bash
+#
+# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
+#
+# This file is part of the Cygwin port of OpenSSH.
+
+# Subdirectory where the new package is being installed
+PREFIX=/usr
+
+# Directory where the config files are stored
+SYSCONFDIR=/etc
+LOCALSTATEDIR=/var
+
+progname=$0
+auto_answer=""
+port_number=22
+
+privsep_configured=no
+privsep_used=yes
+sshd_in_passwd=no
+sshd_in_sam=no
+
+request()
+{
+ if [ "${auto_answer}" = "yes" ]
+ then
+ echo "$1 (yes/no) yes"
+ return 0
+ elif [ "${auto_answer}" = "no" ]
+ then
+ echo "$1 (yes/no) no"
+ return 1
+ fi
+
+ answer=""
+ while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
+ do
+ echo -n "$1 (yes/no) "
+ read -e answer
+ done
+ if [ "X${answer}" = "Xyes" ]
+ then
+ return 0
+ else
+ return 1
+ fi
+}
+
+# Check options
+
+while :
+do
+ case $# in
+ 0)
+ break
+ ;;
+ esac
+
+ option=$1
+ shift
+
+ case "${option}" in
+ -d | --debug )
+ set -x
+ ;;
+
+ -y | --yes )
+ auto_answer=yes
+ ;;
+
+ -n | --no )
+ auto_answer=no
+ ;;
+
+ -c | --cygwin )
+ cygwin_value="$1"
+ shift
+ ;;
+
+ -p | --port )
+ port_number=$1
+ shift
+ ;;
+
+ -w | --pwd )
+ password_value="$1"
+ shift
+ ;;
+
+ *)
+ echo "usage: ${progname} [OPTION]..."
+ echo
+ echo "This script creates an OpenSSH host configuration."
+ echo
+ echo "Options:"
+ echo " --debug -d Enable shell's debug output."
+ echo " --yes -y Answer all questions with \"yes\" automatically."
+ echo " --no -n Answer all questions with \"no\" automatically."
+ echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
+ echo " --port -p <n> sshd listens on port n."
+ echo " --pwd -w <passwd> Use \"pwd\" as password for user 'sshd_server'."
+ echo
+ exit 1
+ ;;
+
+ esac
+done
+
+# Check if running on NT
+_sys="`uname`"
+_nt=`expr "${_sys}" : "CYGWIN_NT"`
+# If running on NT, check if running under 2003 Server or later
+if [ ${_nt} -gt 0 ]
+then
+ _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
+fi
+
+# Check for running ssh/sshd processes first. Refuse to do anything while
+# some ssh processes are still running
+
+if ps -ef | grep -v grep | grep -q ssh
+then
+ echo
+ echo "There are still ssh processes running. Please shut them down first."
+ echo
+ exit 1
+fi
+
+# Check for ${SYSCONFDIR} directory
+
+if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
+then
+ echo
+ echo "${SYSCONFDIR} is existant but not a directory."
+ echo "Cannot create global configuration files."
+ echo
+ exit 1
+fi
+
+# Create it if necessary
+
+if [ ! -e "${SYSCONFDIR}" ]
+then
+ mkdir "${SYSCONFDIR}"
+ if [ ! -e "${SYSCONFDIR}" ]
+ then
+ echo
+ echo "Creating ${SYSCONFDIR} directory failed"
+ echo
+ exit 1
+ fi
+fi
+
+# Create /var/log and /var/log/lastlog if not already existing
+
+if [ -f ${LOCALSTATEDIR}/log ]
+then
+ echo "Creating ${LOCALSTATEDIR}/log failed!"
+else
+ if [ ! -d ${LOCALSTATEDIR}/log ]
+ then
+ mkdir -p ${LOCALSTATEDIR}/log
+ fi
+ if [ -d ${LOCALSTATEDIR}/log/lastlog ]
+ then
+ chmod 777 ${LOCALSTATEDIR}/log/lastlog
+ elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ]
+ then
+ cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
+ chmod 666 ${LOCALSTATEDIR}/log/lastlog
+ fi
+fi
+
+# Create /var/empty file used as chroot jail for privilege separation
+if [ -f ${LOCALSTATEDIR}/empty ]
+then
+ echo "Creating ${LOCALSTATEDIR}/empty failed!"
+else
+ mkdir -p ${LOCALSTATEDIR}/empty
+ if [ ${_nt} -gt 0 ]
+ then
+ chmod 755 ${LOCALSTATEDIR}/empty
+ fi
+fi
+
+# First generate host keys if not already existing
+
+if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
+then
+ echo "Generating ${SYSCONFDIR}/ssh_host_key"
+ ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
+fi
+
+if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
+then
+ echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
+ ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
+fi
+
+if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
+then
+ echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
+ ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
+fi
+
+# Check if ssh_config exists. If yes, ask for overwriting
+
+if [ -f "${SYSCONFDIR}/ssh_config" ]
+then
+ if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
+ then
+ rm -f "${SYSCONFDIR}/ssh_config"
+ if [ -f "${SYSCONFDIR}/ssh_config" ]
+ then
+ echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
+ fi
+ fi
+fi
+
+# Create default ssh_config from skeleton file in /etc/defaults/etc
+
+if [ ! -f "${SYSCONFDIR}/ssh_config" ]
+then
+ echo "Generating ${SYSCONFDIR}/ssh_config file"
+ cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
+ if [ "${port_number}" != "22" ]
+ then
+ echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
+ echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
+ fi
+fi
+
+# Check if sshd_config exists. If yes, ask for overwriting
+
+if [ -f "${SYSCONFDIR}/sshd_config" ]
+then
+ if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
+ then
+ rm -f "${SYSCONFDIR}/sshd_config"
+ if [ -f "${SYSCONFDIR}/sshd_config" ]
+ then
+ echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
+ fi
+ else
+ grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
+ fi
+fi
+
+# Prior to creating or modifying sshd_config, care for privilege separation
+
+if [ "${privsep_configured}" != "yes" ]
+then
+ if [ ${_nt} -gt 0 ]
+ then
+ echo "Privilege separation is set to yes by default since OpenSSH 3.3."
+ echo "However, this requires a non-privileged account called 'sshd'."
+ echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
+ echo
+ if request "Should privilege separation be used?"
+ then
+ privsep_used=yes
+ grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
+ net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
+ if [ "${sshd_in_passwd}" != "yes" ]
+ then
+ if [ "${sshd_in_sam}" != "yes" ]
+ then
+ echo "Warning: The following function requires administrator privileges!"
+ if request "Should this script create a local user 'sshd' on this machine?"
+ then
+ dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
+ net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
+ if [ "${sshd_in_sam}" != "yes" ]
+ then
+ echo "Warning: Creating the user 'sshd' failed!"
+ fi
+ fi
+ fi
+ if [ "${sshd_in_sam}" != "yes" ]
+ then
+ echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
+ echo " Privilege separation set to 'no' again!"
+ echo " Check your ${SYSCONFDIR}/sshd_config file!"
+ privsep_used=no
+ else
+ mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
+ fi
+ fi
+ else
+ privsep_used=no
+ fi
+ else
+ # On 9x don't use privilege separation. Since security isn't
+ # available it just adds useless additional processes.
+ privsep_used=no
+ fi
+fi
+
+# Create default sshd_config from skeleton files in /etc/defaults/etc or
+# modify to add the missing privsep configuration option
+
+if [ ! -f "${SYSCONFDIR}/sshd_config" ]
+then
+ echo "Generating ${SYSCONFDIR}/sshd_config file"
+ sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
+ s/^#Port 22/Port ${port_number}/
+ s/^#StrictModes yes/StrictModes no/" \
+ < ${SYSCONFDIR}/defaults/etc/sshd_config \
+ > ${SYSCONFDIR}/sshd_config
+elif [ "${privsep_configured}" != "yes" ]
+then
+ echo >> ${SYSCONFDIR}/sshd_config
+ echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
+fi
+
+# Care for services file
+_my_etcdir="/ssh-host-config.$$"
+if [ ${_nt} -gt 0 ]
+then
+ _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
+ _services="${_my_etcdir}/services"
+ # On NT, 27 spaces, no space after the hash
+ _spaces=" #"
+else
+ _win_etcdir="${WINDIR}"
+ _services="${_my_etcdir}/SERVICES"
+ # On 9x, 18 spaces (95 is very touchy), a space after the hash
+ _spaces=" # "
+fi
+_serv_tmp="${_my_etcdir}/srv.out.$$"
+
+mount -t -f "${_win_etcdir}" "${_my_etcdir}"
+
+# Depends on the above mount
+_wservices=`cygpath -w "${_services}"`
+
+# Remove sshd 22/port from services
+if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
+then
+ grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
+ if [ -f "${_serv_tmp}" ]
+ then
+ if mv "${_serv_tmp}" "${_services}"
+ then
+ echo "Removing sshd from ${_wservices}"
+ else
+ echo "Removing sshd from ${_wservices} failed!"
+ fi
+ rm -f "${_serv_tmp}"
+ else
+ echo "Removing sshd from ${_wservices} failed!"
+ fi
+fi
+
+# Add ssh 22/tcp and ssh 22/udp to services
+if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
+then
+ if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
+ then
+ if mv "${_serv_tmp}" "${_services}"
+ then
+ echo "Added ssh to ${_wservices}"
+ else
+ echo "Adding ssh to ${_wservices} failed!"
+ fi
+ rm -f "${_serv_tmp}"
+ else
+ echo "WARNING: Adding ssh to ${_wservices} failed!"
+ fi
+fi
+
+umount "${_my_etcdir}"
+
+# Care for inetd.conf file
+_inetcnf="${SYSCONFDIR}/inetd.conf"
+_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
+
+if [ -f "${_inetcnf}" ]
+then
+ # Check if ssh service is already in use as sshd
+ with_comment=1
+ grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
+ # Remove sshd line from inetd.conf
+ if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
+ then
+ grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
+ if [ -f "${_inetcnf_tmp}" ]
+ then
+ if mv "${_inetcnf_tmp}" "${_inetcnf}"
+ then
+ echo "Removed sshd from ${_inetcnf}"
+ else
+ echo "Removing sshd from ${_inetcnf} failed!"
+ fi
+ rm -f "${_inetcnf_tmp}"
+ else
+ echo "Removing sshd from ${_inetcnf} failed!"
+ fi
+ fi
+
+ # Add ssh line to inetd.conf
+ if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
+ then
+ if [ "${with_comment}" -eq 0 ]
+ then
+ echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
+ else
+ echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
+ fi
+ echo "Added ssh to ${_inetcnf}"
+ fi
+fi
+
+# On NT ask if sshd should be installed as service
+if [ ${_nt} -gt 0 ]
+then
+ # But only if it is not already installed
+ if ! cygrunsrv -Q sshd > /dev/null 2>&1
+ then
+ echo
+ echo
+ echo "Warning: The following functions require administrator privileges!"
+ echo
+ echo "Do you want to install sshd as service?"
+ if request "(Say \"no\" if it's already installed as service)"
+ then
+ if [ $_nt2003 -gt 0 ]
+ then
+ grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
+ if [ "${sshd_server_in_passwd}" = "yes" ]
+ then
+ # Drop sshd_server from passwd since it could have wrong settings
+ grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
+ rm -f ${SYSCONFDIR}/passwd
+ mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
+ chmod g-w,o-w ${SYSCONFDIR}/passwd
+ fi
+ net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
+ if [ "${sshd_server_in_sam}" != "yes" ]
+ then
+ echo
+ echo "You appear to be running Windows 2003 Server or later. On 2003 and"
+ echo "later systems, it's not possible to use the LocalSystem account"
+ echo "if sshd should allow passwordless logon (e. g. public key authentication)."
+ echo "If you want to enable that functionality, it's required to create a new"
+ echo "account 'sshd_server' with special privileges, which is then used to run"
+ echo "the sshd service under."
+ echo
+ echo "Should this script create a new local account 'sshd_server' which has"
+ if request "the required privileges?"
+ then
+ _admingroup=`awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group`
+ if [ -z "${_admingroup}" ]
+ then
+ echo "There's no group with SID S-1-5-32-544 (Local administrators group) in"
+ echo "your ${SYSCONFDIR}/group file. Please regenerate this entry using 'mkgroup -l'"
+ echo "and restart this script."
+ exit 1
+ fi
+ dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
+ while [ "${sshd_server_in_sam}" != "yes" ]
+ do
+ if [ -n "${password_value}" ]
+ then
+ _password="${password_value}"
+ # Allow to ask for password if first try fails
+ password_value=""
+ else
+ echo
+ echo "Please enter a password for new user 'sshd_server'. Please be sure that"
+ echo "this password matches the password rules given on your system."
+ echo -n "Entering no password will exit the configuration. PASSWORD="
+ read -e _password
+ if [ -z "${_password}" ]
+ then
+ echo
+ echo "Exiting configuration. No user sshd_server has been created,"
+ echo "no sshd service installed."
+ exit 1
+ fi
+ fi
+ net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
+ if [ "${sshd_server_in_sam}" != "yes" ]
+ then
+ echo "Creating the user 'sshd_server' failed! Reason:"
+ cat /tmp/nu.$$
+ rm /tmp/nu.$$
+ fi
+ done
+ net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
+ if [ "${sshd_server_in_admingroup}" != "yes" ]
+ then
+ echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
+ echo "Please add sshd_server to local group ${_admingroup} before"
+ echo "starting the sshd service!"
+ echo
+ fi
+ passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
+ if [ "${passwd_has_expiry_flags}" != "yes" ]
+ then
+ echo
+ echo "WARNING: User sshd_server has password expiry set to system default."
+ echo "Please check that password never expires or set it to your needs."
+ elif ! passwd -e sshd_server
+ then
+ echo
+ echo "WARNING: Setting password expiry for user sshd_server failed!"
+ echo "Please check that password never expires or set it to your needs."
+ fi
+ editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
+ editrights -a SeCreateTokenPrivilege -u sshd_server &&
+ editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
+ editrights -a SeDenyNetworkLogonRight -u sshd_server &&
+ editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
+ editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
+ editrights -a SeServiceLogonRight -u sshd_server &&
+ sshd_server_got_all_rights="yes"
+ if [ "${sshd_server_got_all_rights}" != "yes" ]
+ then
+ echo
+ echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
+ echo "Can't create sshd service!"
+ exit 1
+ fi
+ echo
+ echo "User 'sshd_server' has been created with password '${_password}'."
+ echo "If you change the password, please keep in mind to change the password"
+ echo "for the sshd service, too."
+ echo
+ echo "Also keep in mind that the user sshd_server needs read permissions on all"
+ echo "users' .ssh/authorized_keys file to allow public key authentication for"
+ echo "these users!. (Re-)running ssh-user-config for each user will set the"
+ echo "required permissions correctly."
+ echo
+ fi
+ fi
+ if [ "${sshd_server_in_sam}" = "yes" ]
+ then
+ mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
+ fi
+ fi
+ if [ -n "${cygwin_value}" ]
+ then
+ _cygwin="${cygwin_value}"
+ else
+ echo
+ echo "Which value should the environment variable CYGWIN have when"
+ echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
+ echo "able to change user context without password."
+ echo -n "Default is \"ntsec\". CYGWIN="
+ read -e _cygwin
+ fi
+ [ -z "${_cygwin}" ] && _cygwin="ntsec"
+ if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
+ then
+ if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}"
+ then
+ echo
+ echo "The service has been installed under sshd_server account."
+ echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
+ fi
+ else
+ if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
+ then
+ echo
+ echo "The service has been installed under LocalSystem account."
+ echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
+ fi
+ fi
+ fi
+ # Now check if sshd has been successfully installed. This allows to
+ # set the ownership of the affected files correctly.
+ if cygrunsrv -Q sshd > /dev/null 2>&1
+ then
+ if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
+ then
+ _user="sshd_server"
+ else
+ _user="system"
+ fi
+ chown "${_user}" ${SYSCONFDIR}/ssh*
+ chown "${_user}".544 ${LOCALSTATEDIR}/empty
+ if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
+ then
+ chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
+ fi
+ fi
+ fi
+fi
+
+echo
+echo "Host configuration finished. Have fun!"
diff --git a/crypto/openssh/contrib/cygwin/ssh-user-config b/crypto/openssh/contrib/cygwin/ssh-user-config
new file mode 100644
index 000000000000..fe07ce3609bb
--- /dev/null
+++ b/crypto/openssh/contrib/cygwin/ssh-user-config
@@ -0,0 +1,250 @@
+#!/bin/sh
+#
+# ssh-user-config, Copyright 2000, 2001, 2002, 2003, Red Hat Inc.
+#
+# This file is part of the Cygwin port of OpenSSH.
+
+# Directory where the config files are stored
+SYSCONFDIR=/etc
+
+progname=$0
+auto_answer=""
+auto_passphrase="no"
+passphrase=""
+
+request()
+{
+ if [ "${auto_answer}" = "yes" ]
+ then
+ return 0
+ elif [ "${auto_answer}" = "no" ]
+ then
+ return 1
+ fi
+
+ answer=""
+ while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
+ do
+ echo -n "$1 (yes/no) "
+ read answer
+ done
+ if [ "X${answer}" = "Xyes" ]
+ then
+ return 0
+ else
+ return 1
+ fi
+}
+
+# Check if running on NT
+_sys="`uname -a`"
+_nt=`expr "$_sys" : "CYGWIN_NT"`
+# If running on NT, check if running under 2003 Server or later
+if [ $_nt -gt 0 ]
+then
+ _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
+fi
+
+# Check options
+
+while :
+do
+ case $# in
+ 0)
+ break
+ ;;
+ esac
+
+ option=$1
+ shift
+
+ case "$option" in
+ -d | --debug )
+ set -x
+ ;;
+
+ -y | --yes )
+ auto_answer=yes
+ ;;
+
+ -n | --no )
+ auto_answer=no
+ ;;
+
+ -p | --passphrase )
+ with_passphrase="yes"
+ passphrase=$1
+ shift
+ ;;
+
+ *)
+ echo "usage: ${progname} [OPTION]..."
+ echo
+ echo "This script creates an OpenSSH user configuration."
+ echo
+ echo "Options:"
+ echo " --debug -d Enable shell's debug output."
+ echo " --yes -y Answer all questions with \"yes\" automatically."
+ echo " --no -n Answer all questions with \"no\" automatically."
+ echo " --passphrase -p word Use \"word\" as passphrase automatically."
+ echo
+ exit 1
+ ;;
+
+ esac
+done
+
+# Ask user if user identity should be generated
+
+if [ ! -f ${SYSCONFDIR}/passwd ]
+then
+ echo "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file"
+ echo 'first using mkpasswd. Check if it contains an entry for you and'
+ echo 'please care for the home directory in your entry as well.'
+ exit 1
+fi
+
+uid=`id -u`
+pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd`
+
+if [ "X${pwdhome}" = "X" ]
+then
+ echo "There is no home directory set for you in ${SYSCONFDIR}/passwd."
+ echo 'Setting $HOME is not sufficient!'
+ exit 1
+fi
+
+if [ ! -d "${pwdhome}" ]
+then
+ echo "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory"
+ echo 'but it is not a valid directory. Cannot create user identity files.'
+ exit 1
+fi
+
+# If home is the root dir, set home to empty string to avoid error messages
+# in subsequent parts of that script.
+if [ "X${pwdhome}" = "X/" ]
+then
+ # But first raise a warning!
+ echo "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!"
+ if request "Would you like to proceed anyway?"
+ then
+ pwdhome=''
+ else
+ exit 1
+ fi
+fi
+
+if [ -d "${pwdhome}" -a $_nt -gt 0 -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
+then
+ echo
+ echo 'WARNING: group and other have been revoked write permission to your home'
+ echo " directory ${pwdhome}."
+ echo ' This is required by OpenSSH to allow public key authentication using'
+ echo ' the key files stored in your .ssh subdirectory.'
+ echo ' Revert this change ONLY if you know what you are doing!'
+ echo
+fi
+
+if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ]
+then
+ echo "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files."
+ exit 1
+fi
+
+if [ ! -e "${pwdhome}/.ssh" ]
+then
+ mkdir "${pwdhome}/.ssh"
+ if [ ! -e "${pwdhome}/.ssh" ]
+ then
+ echo "Creating users ${pwdhome}/.ssh directory failed"
+ exit 1
+ fi
+fi
+
+if [ $_nt -gt 0 ]
+then
+ _user="system"
+ if [ $_nt2003 -gt 0 ]
+ then
+ grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && _user="sshd_server"
+ fi
+ if ! setfacl -m "u::rwx,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh"
+ then
+ echo "${pwdhome}/.ssh couldn't be given the correct permissions."
+ echo "Please try to solve this problem first."
+ exit 1
+ fi
+fi
+
+if [ ! -f "${pwdhome}/.ssh/identity" ]
+then
+ if request "Shall I create an SSH1 RSA identity file for you?"
+ then
+ echo "Generating ${pwdhome}/.ssh/identity"
+ if [ "${with_passphrase}" = "yes" ]
+ then
+ ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null
+ else
+ ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null
+ fi
+ if request "Do you want to use this identity to login to this machine?"
+ then
+ echo "Adding to ${pwdhome}/.ssh/authorized_keys"
+ cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys"
+ fi
+ fi
+fi
+
+if [ ! -f "${pwdhome}/.ssh/id_rsa" ]
+then
+ if request "Shall I create an SSH2 RSA identity file for you? (yes/no) "
+ then
+ echo "Generating ${pwdhome}/.ssh/id_rsa"
+ if [ "${with_passphrase}" = "yes" ]
+ then
+ ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null
+ else
+ ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null
+ fi
+ if request "Do you want to use this identity to login to this machine?"
+ then
+ echo "Adding to ${pwdhome}/.ssh/authorized_keys"
+ cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
+ fi
+ fi
+fi
+
+if [ ! -f "${pwdhome}/.ssh/id_dsa" ]
+then
+ if request "Shall I create an SSH2 DSA identity file for you? (yes/no) "
+ then
+ echo "Generating ${pwdhome}/.ssh/id_dsa"
+ if [ "${with_passphrase}" = "yes" ]
+ then
+ ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null
+ else
+ ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null
+ fi
+ if request "Do you want to use this identity to login to this machine?"
+ then
+ echo "Adding to ${pwdhome}/.ssh/authorized_keys"
+ cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
+ fi
+ fi
+fi
+
+if [ $_nt -gt 0 -a -e "${pwdhome}/.ssh/authorized_keys" ]
+then
+ if ! setfacl -m "u::rw-,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh/authorized_keys"
+ then
+ echo
+ echo "WARNING: Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
+ echo "failed. Please care for the correct permissions. The minimum requirement"
+ echo "is, the owner and ${_user} both need read permissions."
+ echo
+ fi
+fi
+
+echo
+echo "Configuration finished. Have fun!"
diff --git a/crypto/openssh/contrib/findssl.sh b/crypto/openssh/contrib/findssl.sh
new file mode 100644
index 000000000000..0c08d4a189af
--- /dev/null
+++ b/crypto/openssh/contrib/findssl.sh
@@ -0,0 +1,159 @@
+#!/bin/sh
+#
+# findssl.sh
+# Search for all instances of OpenSSL headers and libraries
+# and print their versions.
+# Intended to help diagnose OpenSSH's "OpenSSL headers do not
+# match your library" errors.
+#
+# Written by Darren Tucker (dtucker at zip dot com dot au)
+# This file is placed in the public domain.
+#
+# $Id: findssl.sh,v 1.2 2003/11/21 12:48:56 djm Exp $
+# 2002-07-27: Initial release.
+# 2002-08-04: Added public domain notice.
+# 2003-06-24: Incorporated readme, set library paths. First cvs version.
+#
+# "OpenSSL headers do not match your library" are usually caused by
+# OpenSSH's configure picking up an older version of OpenSSL headers
+# or libraries. You can use the following # procedure to help identify
+# the cause.
+#
+# The output of configure will tell you the versions of the OpenSSL
+# headers and libraries that were picked up, for example:
+#
+# checking OpenSSL header version... 90604f (OpenSSL 0.9.6d 9 May 2002)
+# checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)
+# checking whether OpenSSL's headers match the library... no
+# configure: error: Your OpenSSL headers do not match your library
+#
+# Now run findssl.sh. This should identify the headers and libraries
+# present and their versions. You should be able to identify the
+# libraries and headers used and adjust your CFLAGS or remove incorrect
+# versions. The output will show OpenSSL's internal version identifier
+# and should look something like:
+
+# $ ./findssl.sh
+# Searching for OpenSSL header files.
+# 0x0090604fL /usr/include/openssl/opensslv.h
+# 0x0090604fL /usr/local/ssl/include/openssl/opensslv.h
+#
+# Searching for OpenSSL shared library files.
+# 0x0090602fL /lib/libcrypto.so.0.9.6b
+# 0x0090602fL /lib/libcrypto.so.2
+# 0x0090581fL /usr/lib/libcrypto.so.0
+# 0x0090602fL /usr/lib/libcrypto.so
+# 0x0090581fL /usr/lib/libcrypto.so.0.9.5a
+# 0x0090600fL /usr/lib/libcrypto.so.0.9.6
+# 0x0090600fL /usr/lib/libcrypto.so.1
+#
+# Searching for OpenSSL static library files.
+# 0x0090602fL /usr/lib/libcrypto.a
+# 0x0090604fL /usr/local/ssl/lib/libcrypto.a
+#
+# In this example, I gave configure no extra flags, so it's picking up
+# the OpenSSL header from /usr/include/openssl (90604f) and the library
+# from /usr/lib/ (90602f).
+
+#
+# Adjust these to suit your compiler.
+# You may also need to set the *LIB*PATH environment variables if
+# DEFAULT_LIBPATH is not correct for your system.
+#
+CC=gcc
+STATIC=-static
+
+#
+# Set up conftest C source
+#
+rm -f findssl.log
+cat >conftest.c <<EOD
+#include <stdio.h>
+int main(){printf("0x%08xL\n", SSLeay());}
+EOD
+
+#
+# Set default library paths if not already set
+#
+DEFAULT_LIBPATH=/usr/lib:/usr/local/lib
+LIBPATH=${LIBPATH:=$DEFAULT_LIBPATH}
+LD_LIBRARY_PATH=${LD_LIBRARY_PATH:=$DEFAULT_LIBPATH}
+LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH}
+export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
+
+#
+# Search for OpenSSL headers and print versions
+#
+echo Searching for OpenSSL header files.
+if [ -x "`which locate`" ]
+then
+ headers=`locate opensslv.h`
+else
+ headers=`find / -name opensslv.h -print 2>/dev/null`
+fi
+
+for header in $headers
+do
+ ver=`awk '/OPENSSL_VERSION_NUMBER/{printf \$3}' $header`
+ echo "$ver $header"
+done
+echo
+
+#
+# Search for shared libraries.
+# Relies on shared libraries looking like "libcrypto.s*"
+#
+echo Searching for OpenSSL shared library files.
+if [ -x "`which locate`" ]
+then
+ libraries=`locate libcrypto.s`
+else
+ libraries=`find / -name 'libcrypto.s*' -print 2>/dev/null`
+fi
+
+for lib in $libraries
+do
+ (echo "Trying libcrypto $lib" >>findssl.log
+ dir=`dirname $lib`
+ LIBPATH="$dir:$LIBPATH"
+ LD_LIBRARY_PATH="$dir:$LIBPATH"
+ LIBRARY_PATH="$dir:$LIBPATH"
+ export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
+ ${CC} -o conftest conftest.c $lib 2>>findssl.log
+ if [ -x ./conftest ]
+ then
+ ver=`./conftest 2>/dev/null`
+ rm -f ./conftest
+ echo "$ver $lib"
+ fi)
+done
+echo
+
+#
+# Search for static OpenSSL libraries and print versions
+#
+echo Searching for OpenSSL static library files.
+if [ -x "`which locate`" ]
+then
+ libraries=`locate libcrypto.a`
+else
+ libraries=`find / -name libcrypto.a -print 2>/dev/null`
+fi
+
+for lib in $libraries
+do
+ libdir=`dirname $lib`
+ echo "Trying libcrypto $lib" >>findssl.log
+ ${CC} ${STATIC} -o conftest conftest.c -L${libdir} -lcrypto 2>>findssl.log
+ if [ -x ./conftest ]
+ then
+ ver=`./conftest 2>/dev/null`
+ rm -f ./conftest
+ echo "$ver $lib"
+ fi
+done
+
+#
+# Clean up
+#
+rm -f conftest.c
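Review bot: The per-library path setup in the shared-library loop prepends `$dir` to `$LIBPATH` for all three variables, so `LD_LIBRARY_PATH` and `LIBRARY_PATH` lose whatever the user set them to and silently inherit `LIBPATH`; the intent is evidently `LD_LIBRARY_PATH="$dir:$LD_LIBRARY_PATH"` and `LIBRARY_PATH="$dir:$LIBRARY_PATH"`. Since every `libcrypto.s*` and `libcrypto.a` that `locate` or `find /` turns up is linked into `./conftest` and then executed, the script runs code from each such file on the system, including copies in user-writable locations, with the privileges of whoever invokes it. The header comment should say to run it as an unprivileged user from a scratch directory, and that it writes `conftest.c`, `conftest` and `findssl.log` into the current directory.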
diff --git a/crypto/openssh/contrib/gnome-ssh-askpass1.c b/crypto/openssh/contrib/gnome-ssh-askpass1.c
new file mode 100644
index 000000000000..4d51032d1d36
--- /dev/null
+++ b/crypto/openssh/contrib/gnome-ssh-askpass1.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (c) 2000-2002 Damien Miller. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This is a simple GNOME SSH passphrase grabber. To use it, set the
+ * environment variable SSH_ASKPASS to point to the location of
+ * gnome-ssh-askpass before calling "ssh-add < /dev/null".
+ *
+ * There is only two run-time options: if you set the environment variable
+ * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
+ * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
+ * pointer will be grabbed too. These may have some benefit to security if
+ * you don't trust your X server. We grab the keyboard always.
+ */
+
+/*
+ * Compile with:
+ *
+ * cc `gnome-config --cflags gnome gnomeui` \
+ * gnome-ssh-askpass1.c -o gnome-ssh-askpass \
+ * `gnome-config --libs gnome gnomeui`
+ *
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <gnome.h>
+#include <X11/Xlib.h>
+#include <gdk/gdkx.h>
+
+void
+report_failed_grab (void)
+{
+ GtkWidget *err;
+
+ err = gnome_message_box_new("Could not grab keyboard or mouse.\n"
+ "A malicious client may be eavesdropping on your session.",
+ GNOME_MESSAGE_BOX_ERROR, "EXIT", NULL);
+ gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
+ gtk_object_set(GTK_OBJECT(err), "type", GTK_WINDOW_POPUP, NULL);
+
+ gnome_dialog_run_and_close(GNOME_DIALOG(err));
+}
+
+int
+passphrase_dialog(char *message)
+{
+ char *passphrase;
+ char **messages;
+ int result, i, grab_server, grab_pointer;
+ GtkWidget *dialog, *entry, *label;
+
+ grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
+ grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
+
+ dialog = gnome_dialog_new("OpenSSH", GNOME_STOCK_BUTTON_OK,
+ GNOME_STOCK_BUTTON_CANCEL, NULL);
+
+ messages = g_strsplit(message, "\\n", 0);
+ if (messages)
+ for(i = 0; messages[i]; i++) {
+ label = gtk_label_new(messages[i]);
+ gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox),
+ label, FALSE, FALSE, 0);
+ }
+
+ entry = gtk_entry_new();
+ gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE,
+ FALSE, 0);
+ gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
+ gtk_widget_grab_focus(entry);
+
+ /* Center window and prepare for grab */
+ gtk_object_set(GTK_OBJECT(dialog), "type", GTK_WINDOW_POPUP, NULL);
+ gnome_dialog_set_default(GNOME_DIALOG(dialog), 0);
+ gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
+ gtk_window_set_policy(GTK_WINDOW(dialog), FALSE, FALSE, TRUE);
+ gnome_dialog_close_hides(GNOME_DIALOG(dialog), TRUE);
+ gtk_container_set_border_width(GTK_CONTAINER(GNOME_DIALOG(dialog)->vbox),
+ GNOME_PAD);
+ gtk_widget_show_all(dialog);
+
+ /* Grab focus */
+ if (grab_server)
+ XGrabServer(GDK_DISPLAY());
+ if (grab_pointer && gdk_pointer_grab(dialog->window, TRUE, 0,
+ NULL, NULL, GDK_CURRENT_TIME))
+ goto nograb;
+ if (gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME))
+ goto nograbkb;
+
+ /* Make <enter> close dialog */
+ gnome_dialog_editable_enters(GNOME_DIALOG(dialog), GTK_EDITABLE(entry));
+
+ /* Run dialog */
+ result = gnome_dialog_run(GNOME_DIALOG(dialog));
+
+ /* Ungrab */
+ if (grab_server)
+ XUngrabServer(GDK_DISPLAY());
+ if (grab_pointer)
+ gdk_pointer_ungrab(GDK_CURRENT_TIME);
+ gdk_keyboard_ungrab(GDK_CURRENT_TIME);
+ gdk_flush();
+
+ /* Report passphrase if user selected OK */
+ passphrase = gtk_entry_get_text(GTK_ENTRY(entry));
+ if (result == 0)
+ puts(passphrase);
+
+ /* Zero passphrase in memory */
+ memset(passphrase, '\0', strlen(passphrase));
+ gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
+
+ gnome_dialog_close(GNOME_DIALOG(dialog));
+ return (result == 0 ? 0 : -1);
+
+ /* At least one grab failed - ungrab what we got, and report
+ the failure to the user. Note that XGrabServer() cannot
+ fail. */
+ nograbkb:
+ gdk_pointer_ungrab(GDK_CURRENT_TIME);
+ nograb:
+ if (grab_server)
+ XUngrabServer(GDK_DISPLAY());
+ gnome_dialog_close(GNOME_DIALOG(dialog));
+
+ report_failed_grab();
+ return (-1);
+}
+
+int
+main(int argc, char **argv)
+{
+ char *message;
+ int result;
+
+ gnome_init("GNOME ssh-askpass", "0.1", argc, argv);
+
+ if (argc == 2)
+ message = argv[1];
+ else
+ message = "Enter your OpenSSH passphrase:";
+
+ setvbuf(stdout, 0, _IONBF, 0);
+ result = passphrase_dialog(message);
+
+ return (result);
+}
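Review bot: The array returned on the `messages = g_strsplit(message, "\\n", 0);` line is never released; `gtk_label_new` copies its argument, so a `g_strfreev(messages);` after the label loop keeps `passphrase_dialog` leak-free even though the process exits soon after. The zeroisation under `/* Zero passphrase in memory */` is not at risk of being optimised away here, because the buffer is handed to `gtk_entry_set_text` right after, but it only reaches the one buffer `gtk_entry_get_text` returned, and whether the GTK 1.x entry widget keeps further copies of the text is not visible from this file, so the comment should say so rather than imply the passphrase is gone: `/* Zero the copy we got back; the widget may hold others */`. On the `nograbkb` path `gdk_pointer_ungrab` is called unconditionally, which is harmless but differs from the `nograb` and normal-exit paths that test `grab_pointer` first; guarding it the same way would keep the three paths consistent.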
diff --git a/crypto/openssh/contrib/gnome-ssh-askpass2.c b/crypto/openssh/contrib/gnome-ssh-askpass2.c
new file mode 100644
index 000000000000..0ce8daec9b14
--- /dev/null
+++ b/crypto/openssh/contrib/gnome-ssh-askpass2.c
@@ -0,0 +1,220 @@
+/*
+ * Copyright (c) 2000-2002 Damien Miller. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* GTK2 support by Nalin Dahyabhai <nalin@redhat.com> */
+
+/*
+ * This is a simple GNOME SSH passphrase grabber. To use it, set the
+ * environment variable SSH_ASKPASS to point to the location of
+ * gnome-ssh-askpass before calling "ssh-add < /dev/null".
+ *
+ * There is only two run-time options: if you set the environment variable
+ * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
+ * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
+ * pointer will be grabbed too. These may have some benefit to security if
+ * you don't trust your X server. We grab the keyboard always.
+ */
+
+#define GRAB_TRIES 16
+#define GRAB_WAIT 250 /* milliseconds */
+
+/*
+ * Compile with:
+ *
+ * cc -Wall `pkg-config --cflags gtk+-2.0` \
+ * gnome-ssh-askpass2.c -o gnome-ssh-askpass \
+ * `pkg-config --libs gtk+-2.0`
+ *
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <X11/Xlib.h>
+#include <gtk/gtk.h>
+#include <gdk/gdkx.h>
+
+static void
+report_failed_grab (const char *what)
+{
+ GtkWidget *err;
+
+ err = gtk_message_dialog_new(NULL, 0,
+ GTK_MESSAGE_ERROR,
+ GTK_BUTTONS_CLOSE,
+ "Could not grab %s. "
+ "A malicious client may be eavesdropping "
+ "on your session.", what);
+ gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
+ gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label),
+ TRUE);
+
+ gtk_dialog_run(GTK_DIALOG(err));
+
+ gtk_widget_destroy(err);
+}
+
+static void
+ok_dialog(GtkWidget *entry, gpointer dialog)
+{
+ g_return_if_fail(GTK_IS_DIALOG(dialog));
+ gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+}
+
+static int
+passphrase_dialog(char *message)
+{
+ const char *failed;
+ char *passphrase, *local;
+ int result, grab_tries, grab_server, grab_pointer;
+ GtkWidget *dialog, *entry;
+ GdkGrabStatus status;
+
+ grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
+ grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
+ grab_tries = 0;
+
+ dialog = gtk_message_dialog_new(NULL, 0,
+ GTK_MESSAGE_QUESTION,
+ GTK_BUTTONS_OK_CANCEL,
+ "%s",
+ message);
+
+ entry = gtk_entry_new();
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE,
+ FALSE, 0);
+ gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
+ gtk_widget_grab_focus(entry);
+ gtk_widget_show(entry);
+
+ gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
+ gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
+ gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(dialog))->label),
+ TRUE);
+
+ /* Make <enter> close dialog */
+ gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+ g_signal_connect(G_OBJECT(entry), "activate",
+ G_CALLBACK(ok_dialog), dialog);
+
+ /* Grab focus */
+ gtk_widget_show_now(dialog);
+ if (grab_pointer) {
+ for(;;) {
+ status = gdk_pointer_grab(
+ (GTK_WIDGET(dialog))->window, TRUE, 0, NULL,
+ NULL, GDK_CURRENT_TIME);
+ if (status == GDK_GRAB_SUCCESS)
+ break;
+ usleep(GRAB_WAIT * 1000);
+ if (++grab_tries > GRAB_TRIES) {
+ failed = "mouse";
+ goto nograb;
+ }
+ }
+ }
+ for(;;) {
+ status = gdk_keyboard_grab((GTK_WIDGET(dialog))->window,
+ FALSE, GDK_CURRENT_TIME);
+ if (status == GDK_GRAB_SUCCESS)
+ break;
+ usleep(GRAB_WAIT * 1000);
+ if (++grab_tries > GRAB_TRIES) {
+ failed = "keyboard";
+ goto nograbkb;
+ }
+ }
+ if (grab_server) {
+ gdk_x11_grab_server();
+ }
+
+ result = gtk_dialog_run(GTK_DIALOG(dialog));
+
+ /* Ungrab */
+ if (grab_server)
+ XUngrabServer(GDK_DISPLAY());
+ if (grab_pointer)
+ gdk_pointer_ungrab(GDK_CURRENT_TIME);
+ gdk_keyboard_ungrab(GDK_CURRENT_TIME);
+ gdk_flush();
+
+ /* Report passphrase if user selected OK */
+ passphrase = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry)));
+ if (result == GTK_RESPONSE_OK) {
+ local = g_locale_from_utf8(passphrase, strlen(passphrase),
+ NULL, NULL, NULL);
+ if (local != NULL) {
+ puts(local);
+ memset(local, '\0', strlen(local));
+ g_free(local);
+ } else {
+ puts(passphrase);
+ }
+ }
+
+ /* Zero passphrase in memory */
+ memset(passphrase, '\b', strlen(passphrase));
+ gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
+ memset(passphrase, '\0', strlen(passphrase));
+ g_free(passphrase);
+
+ gtk_widget_destroy(dialog);
+ return (result == GTK_RESPONSE_OK ? 0 : -1);
+
+ /* At least one grab failed - ungrab what we got, and report
+ the failure to the user. Note that XGrabServer() cannot
+ fail. */
+ nograbkb:
+ gdk_pointer_ungrab(GDK_CURRENT_TIME);
+ nograb:
+ if (grab_server)
+ XUngrabServer(GDK_DISPLAY());
+ gtk_widget_destroy(dialog);
+
+ report_failed_grab(failed);
+
+ return (-1);
+}
+
+int
+main(int argc, char **argv)
+{
+ char *message;
+ int result;
+
+ gtk_init(&argc, &argv);
+
+ if (argc > 1) {
+ message = g_strjoinv(" ", argv + 1);
+ } else {
+ message = g_strdup("Enter your OpenSSH passphrase:");
+ }
+
+ setvbuf(stdout, 0, _IONBF, 0);
+ result = passphrase_dialog(message);
+ g_free(message);
+
+ return (result);
+}
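Review bot: The passphrase wipes in passphrase_dialog, `memset(local, '\0', strlen(local)); g_free(local);` and `memset(passphrase, '\0', strlen(passphrase)); g_free(passphrase);`, are stores to a buffer that is released on the very next line, which is the pattern optimizers treat as dead and drop; `g_free` is an opaque call here so elision is less likely than with plain `free`, but relying on that is fragile for a secret. A wipe the compiler cannot remove, e.g. `static void wipe(char *s) { volatile char *p = s; while (*p) *p++ = '\0'; }` used in place of both memset calls, keeps the intent of the "Zero passphrase in memory" comment. The gnome-ssh-askpass1.c hunk above has the same `memset(passphrase, '\0', strlen(passphrase));`, though there the buffer is handed back to the entry widget rather than freed, so the store is less likely to be discarded.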
diff --git a/crypto/openssh/contrib/hpux/README b/crypto/openssh/contrib/hpux/README
new file mode 100644
index 000000000000..f8bfa84e4986
--- /dev/null
+++ b/crypto/openssh/contrib/hpux/README
@@ -0,0 +1,45 @@
+README for OpenSSH HP-UX contrib files
+Kevin Steves <stevesk@pobox.com>
+
+sshd: configuration file for sshd.rc
+sshd.rc: SSH startup script
+egd: configuration file for egd.rc
+egd.rc: EGD (entropy gathering daemon) startup script
+
+To install:
+
+sshd.rc:
+
+o Verify paths in sshd.rc match your local installation
+ (WHAT_PATH and WHAT_PID)
+o Customize sshd if needed (SSHD_ARGS)
+o Install:
+
+ # cp sshd /etc/rc.config.d
+ # chmod 444 /etc/rc.config.d/sshd
+ # cp sshd.rc /sbin/init.d
+ # chmod 555 /sbin/init.d/sshd.rc
+ # ln -s /sbin/init.d/sshd.rc /sbin/rc1.d/K100sshd
+ # ln -s /sbin/init.d/sshd.rc /sbin/rc2.d/S900sshd
+
+egd.rc:
+
+o Verify egd.pl path in egd.rc matches your local installation
+ (WHAT_PATH)
+o Customize egd if needed (EGD_ARGS and EGD_LOG)
+o Add pseudo account:
+
+ # groupadd egd
+ # useradd -g egd egd
+ # mkdir -p /etc/opt/egd
+ # chown egd:egd /etc/opt/egd
+ # chmod 711 /etc/opt/egd
+
+o Install:
+
+ # cp egd /etc/rc.config.d
+ # chmod 444 /etc/rc.config.d/egd
+ # cp egd.rc /sbin/init.d
+ # chmod 555 /sbin/init.d/egd.rc
+ # ln -s /sbin/init.d/egd.rc /sbin/rc1.d/K600egd
+ # ln -s /sbin/init.d/egd.rc /sbin/rc2.d/S400egd
diff --git a/crypto/openssh/contrib/hpux/egd b/crypto/openssh/contrib/hpux/egd
new file mode 100644
index 000000000000..21af0bd13e7a
--- /dev/null
+++ b/crypto/openssh/contrib/hpux/egd
@@ -0,0 +1,15 @@
+# EGD_START: Set to 1 to start entropy gathering daemon
+# EGD_ARGS: Command line arguments to pass to egd
+# EGD_LOG: EGD stdout and stderr log file (default /etc/opt/egd/egd.log)
+#
+# To configure the egd environment:
+
+# groupadd egd
+# useradd -g egd egd
+# mkdir -p /etc/opt/egd
+# chown egd:egd /etc/opt/egd
+# chmod 711 /etc/opt/egd
+
+EGD_START=1
+EGD_ARGS='/etc/opt/egd/entropy'
+EGD_LOG=
diff --git a/crypto/openssh/contrib/hpux/egd.rc b/crypto/openssh/contrib/hpux/egd.rc
new file mode 100755
index 000000000000..919dea7255cd
--- /dev/null
+++ b/crypto/openssh/contrib/hpux/egd.rc
@@ -0,0 +1,98 @@
+#!/sbin/sh
+
+#
+# egd.rc: EGD start-up and shutdown script
+#
+
+# Allowed exit values:
+# 0 = success; causes "OK" to show up in checklist.
+# 1 = failure; causes "FAIL" to show up in checklist.
+# 2 = skip; causes "N/A" to show up in the checklist.
+# Use this value if execution of this script is overridden
+# by the use of a control variable, or if this script is not
+# appropriate to execute for some other reason.
+# 3 = reboot; causes the system to be rebooted after execution.
+
+# Input and output:
+# stdin is redirected from /dev/null
+#
+# stdout and stderr are redirected to the /etc/rc.log file
+# during checklist mode, or to the console in raw mode.
+
+umask 022
+
+PATH=/usr/sbin:/usr/bin:/sbin
+export PATH
+
+WHAT='EGD (entropy gathering daemon)'
+WHAT_PATH=/opt/perl/bin/egd.pl
+WHAT_CONFIG=/etc/rc.config.d/egd
+WHAT_LOG=/etc/opt/egd/egd.log
+
+# NOTE: If your script executes in run state 0 or state 1, then /usr might
+# not be available. Do not attempt to access commands or files in
+# /usr unless your script executes in run state 2 or greater. Other
+# file systems typically not mounted until run state 2 include /var
+# and /opt.
+
+rval=0
+
+# Check the exit value of a command run by this script. If non-zero, the
+# exit code is echoed to the log file and the return value of this script
+# is set to indicate failure.
+
+set_return() {
+ x=$?
+ if [ $x -ne 0 ]; then
+ echo "EXIT CODE: $x"
+ rval=1 # script FAILed
+ fi
+}
+
+case $1 in
+'start_msg')
+ echo "Starting $WHAT"
+ ;;
+
+'stop_msg')
+ echo "Stopping $WHAT"
+ ;;
+
+'start')
+ if [ -f $WHAT_CONFIG ] ; then
+ . $WHAT_CONFIG
+ else
+ echo "ERROR: $WHAT_CONFIG defaults file MISSING"
+ fi
+
+
+ if [ "$EGD_START" -eq 1 -a -x $WHAT_PATH ]; then
+ EGD_LOG=${EGD_LOG:-$WHAT_LOG}
+ su egd -c "nohup $WHAT_PATH $EGD_ARGS >$EGD_LOG 2>&1" &&
+ echo $WHAT started
+ set_return
+ else
+ rval=2
+ fi
+ ;;
+
+'stop')
+ pid=`ps -fuegd | awk '$1 == "egd" { print $2 }'`
+ if [ "X$pid" != "X" ]; then
+ if kill "$pid"; then
+ echo "$WHAT stopped"
+ else
+ rval=1
+ echo "Unable to stop $WHAT"
+ fi
+ fi
+ set_return
+ ;;
+
+*)
+ echo "usage: $0 {start|stop|start_msg|stop_msg}"
+ rval=1
+ ;;
+esac
+
+exit $rval
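Review bot: In the `stop` branch the PID list from `ps -fuegd | awk '$1 == "egd" { print $2 }'` matches every process owned by the egd account, not only the daemon started here, and the quoted `kill "$pid"` passes a multi-line list as a single argument, so the stop fails as soon as a second egd-owned process exists; matching on the command as well (`$2 == "egd"` is the user, so add a test on the `$WHAT_PATH` field) and passing `$pid` unquoted would make it both narrower and functional. The `set_return` that follows only sees the status of the `if` compound, not of `kill`, so a failed kill is reported only through the explicit `rval=1`. In `start`, when `$WHAT_CONFIG` is absent the script echoes `ERROR: $WHAT_CONFIG defaults file MISSING` but then evaluates `[ "$EGD_START" -eq 1 -a -x $WHAT_PATH ]` with an empty value, which is a test syntax error rather than a clean skip; setting `rval=2` in that else branch and not attempting the start avoids it, and the same applies to the `start` branch of sshd.rc below.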
diff --git a/crypto/openssh/contrib/hpux/sshd b/crypto/openssh/contrib/hpux/sshd
new file mode 100644
index 000000000000..8eb5e92a30bc
--- /dev/null
+++ b/crypto/openssh/contrib/hpux/sshd
@@ -0,0 +1,5 @@
+# SSHD_START: Set to 1 to start SSH daemon
+# SSHD_ARGS: Command line arguments to pass to sshd
+#
+SSHD_START=1
+SSHD_ARGS=
diff --git a/crypto/openssh/contrib/hpux/sshd.rc b/crypto/openssh/contrib/hpux/sshd.rc
new file mode 100755
index 000000000000..f9a10999b01c
--- /dev/null
+++ b/crypto/openssh/contrib/hpux/sshd.rc
@@ -0,0 +1,90 @@
+#!/sbin/sh
+
+#
+# sshd.rc: SSH daemon start-up and shutdown script
+#
+
+# Allowed exit values:
+# 0 = success; causes "OK" to show up in checklist.
+# 1 = failure; causes "FAIL" to show up in checklist.
+# 2 = skip; causes "N/A" to show up in the checklist.
+# Use this value if execution of this script is overridden
+# by the use of a control variable, or if this script is not
+# appropriate to execute for some other reason.
+# 3 = reboot; causes the system to be rebooted after execution.
+
+# Input and output:
+# stdin is redirected from /dev/null
+#
+# stdout and stderr are redirected to the /etc/rc.log file
+# during checklist mode, or to the console in raw mode.
+
+PATH=/usr/sbin:/usr/bin:/sbin
+export PATH
+
+WHAT='OpenSSH'
+WHAT_PATH=/opt/openssh/sbin/sshd
+WHAT_PID=/var/run/sshd.pid
+WHAT_CONFIG=/etc/rc.config.d/sshd
+
+# NOTE: If your script executes in run state 0 or state 1, then /usr might
+# not be available. Do not attempt to access commands or files in
+# /usr unless your script executes in run state 2 or greater. Other
+# file systems typically not mounted until run state 2 include /var
+# and /opt.
+
+rval=0
+
+# Check the exit value of a command run by this script. If non-zero, the
+# exit code is echoed to the log file and the return value of this script
+# is set to indicate failure.
+
+set_return() {
+ x=$?
+ if [ $x -ne 0 ]; then
+ echo "EXIT CODE: $x"
+ rval=1 # script FAILed
+ fi
+}
+
+case $1 in
+'start_msg')
+ echo "Starting $WHAT"
+ ;;
+
+'stop_msg')
+ echo "Stopping $WHAT"
+ ;;
+
+'start')
+ if [ -f $WHAT_CONFIG ] ; then
+ . $WHAT_CONFIG
+ else
+ echo "ERROR: $WHAT_CONFIG defaults file MISSING"
+ fi
+
+ if [ "$SSHD_START" -eq 1 -a -x "$WHAT_PATH" ]; then
+ $WHAT_PATH $SSHD_ARGS && echo "$WHAT started"
+ set_return
+ else
+ rval=2
+ fi
+ ;;
+
+'stop')
+ if kill `cat $WHAT_PID`; then
+ echo "$WHAT stopped"
+ else
+ rval=1
+ echo "Unable to stop $WHAT"
+ fi
+ set_return
+ ;;
+
+*)
+ echo "usage: $0 {start|stop|start_msg|stop_msg}"
+ rval=1
+ ;;
+esac
+
+exit $rval
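Review bot: The `stop` branch kills the output of `cat $WHAT_PID` without checking that the file exists or contains a number, so a missing or stale /var/run/sshd.pid becomes a `kill` usage error, and a stale file holding a reused PID signals an unrelated process. Reading it into a variable first, `pid=\`cat "$WHAT_PID" 2>/dev/null\``, then `if [ -n "$pid" ] && kill "$pid"; then`, and removing the pidfile on success, makes the stop path predictable; `set_return` after the `if` only reports the status of the compound statement, so the explicit `rval=1` is what actually carries the failure. `$WHAT_PATH $SSHD_ARGS` on the start path is unquoted, which is fine for the word-split arguments but worth a comment that `SSHD_ARGS` in /etc/rc.config.d/sshd is intentionally split on whitespace.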
diff --git a/crypto/openssh/contrib/redhat/gnome-ssh-askpass.csh b/crypto/openssh/contrib/redhat/gnome-ssh-askpass.csh
new file mode 100644
index 000000000000..dd77712cdb3a
--- /dev/null
+++ b/crypto/openssh/contrib/redhat/gnome-ssh-askpass.csh
@@ -0,0 +1 @@
+setenv SSH_ASKPASS /usr/libexec/openssh/gnome-ssh-askpass
diff --git a/crypto/openssh/contrib/redhat/gnome-ssh-askpass.sh b/crypto/openssh/contrib/redhat/gnome-ssh-askpass.sh
new file mode 100644
index 000000000000..355189f45cbe
--- /dev/null
+++ b/crypto/openssh/contrib/redhat/gnome-ssh-askpass.sh
@@ -0,0 +1,2 @@
+SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
+export SSH_ASKPASS
diff --git a/crypto/openssh/contrib/redhat/openssh.spec b/crypto/openssh/contrib/redhat/openssh.spec
new file mode 100644
index 000000000000..b7470092b50f
--- /dev/null
+++ b/crypto/openssh/contrib/redhat/openssh.spec
@@ -0,0 +1,804 @@
+%define ver 3.8.1p1
+%define rel 1
+
+# OpenSSH privilege separation requires a user & group ID
+%define sshd_uid 74
+%define sshd_gid 74
+
+# Version of ssh-askpass
+%define aversion 1.2.4.1
+
+# Do we want to disable building of x11-askpass? (1=yes 0=no)
+%define no_x11_askpass 0
+
+# Do we want to disable building of gnome-askpass? (1=yes 0=no)
+%define no_gnome_askpass 0
+
+# Do we want to link against a static libcrypto? (1=yes 0=no)
+%define static_libcrypto 0
+
+# Do we want smartcard support (1=yes 0=no)
+%define scard 0
+
+# Use GTK2 instead of GNOME in gnome-ssh-askpass
+%define gtk2 1
+
+# Is this build for RHL 6.x?
+%define build6x 0
+
+# Do we want kerberos5 support (1=yes 0=no)
+%define kerberos5 1
+
+# Reserve options to override askpass settings with:
+# rpm -ba|--rebuild --define 'skip_xxx 1'
+%{?skip_x11_askpass:%define no_x11_askpass 1}
+%{?skip_gnome_askpass:%define no_gnome_askpass 1}
+
+# Add option to build without GTK2 for older platforms with only GTK+.
+# RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples.
+# rpm -ba|--rebuild --define 'no_gtk2 1'
+%{?no_gtk2:%define gtk2 0}
+
+# Is this a build for RHL 6.x or earlier?
+%{?build_6x:%define build6x 1}
+
+# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
+%if %{build6x}
+%define _sysconfdir /etc
+%endif
+
+# Options for static OpenSSL link:
+# rpm -ba|--rebuild --define "static_openssl 1"
+%{?static_openssl:%define static_libcrypto 1}
+
+# Options for Smartcard support: (needs libsectok and openssl-engine)
+# rpm -ba|--rebuild --define "smartcard 1"
+%{?smartcard:%define scard 1}
+
+# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
+%define rescue 0
+%{?build_rescue:%define rescue 1}
+
+# Turn off some stuff for resuce builds
+%if %{rescue}
+%define kerberos5 0
+%endif
+
+Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
+Name: openssh
+Version: %{ver}
+%if %{rescue}
+Release: %{rel}rescue
+%else
+Release: %{rel}
+%endif
+URL: http://www.openssh.com/portable.html
+Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
+Source1: http://www.pobox.com/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
+License: BSD
+Group: Applications/Internet
+BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
+Obsoletes: ssh
+%if %{build6x}
+PreReq: initscripts >= 5.00
+%else
+PreReq: initscripts >= 5.20
+%endif
+BuildPreReq: perl, openssl-devel, tcp_wrappers
+BuildPreReq: /bin/login
+%if ! %{build6x}
+BuildPreReq: glibc-devel, pam
+%else
+BuildPreReq: /usr/include/security/pam_appl.h
+%endif
+%if ! %{no_x11_askpass}
+BuildPreReq: XFree86-devel
+%endif
+%if ! %{no_gnome_askpass}
+BuildPreReq: pkgconfig
+%endif
+%if %{kerberos5}
+BuildPreReq: krb5-devel
+BuildPreReq: krb5-libs
+%endif
+
+%package clients
+Summary: OpenSSH clients.
+Requires: openssh = %{version}-%{release}
+Group: Applications/Internet
+Obsoletes: ssh-clients
+
+%package server
+Summary: The OpenSSH server daemon.
+Group: System Environment/Daemons
+Obsoletes: ssh-server
+PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9
+%if ! %{build6x}
+Requires: /etc/pam.d/system-auth
+%endif
+
+%package askpass
+Summary: A passphrase dialog for OpenSSH and X.
+Group: Applications/Internet
+Requires: openssh = %{version}-%{release}
+Obsoletes: ssh-extras
+
+%package askpass-gnome
+Summary: A passphrase dialog for OpenSSH, X, and GNOME.
+Group: Applications/Internet
+Requires: openssh = %{version}-%{release}
+Obsoletes: ssh-extras
+
+%description
+SSH (Secure SHell) is a program for logging into and executing
+commands on a remote machine. SSH is intended to replace rlogin and
+rsh, and to provide secure encrypted communications between two
+untrusted hosts over an insecure network. X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's version of the last free version of SSH, bringing
+it up to date in terms of security and features, as well as removing
+all patented algorithms to separate libraries.
+
+This package includes the core files necessary for both the OpenSSH
+client and server. To make this package useful, you should also
+install openssh-clients, openssh-server, or both.
+
+%description clients
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package includes
+the clients necessary to make encrypted connections to SSH servers.
+You'll also need to install the openssh package on OpenSSH clients.
+
+%description server
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package contains
+the secure shell daemon (sshd). The sshd daemon allows SSH clients to
+securely connect to your SSH server. You also need to have the openssh
+package installed.
+
+%description askpass
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package contains
+an X11 passphrase dialog for OpenSSH.
+
+%description askpass-gnome
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package contains
+an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop
+environment.
+
+%prep
+
+%if ! %{no_x11_askpass}
+%setup -q -a 1
+%else
+%setup -q
+%endif
+
+%build
+%if %{rescue}
+CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
+%endif
+
+%if %{kerberos5}
+K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | sed 's,\/include\/krb5.h,,'`
+echo K5DIR=$K5DIR
+%endif
+
+%configure \
+ --sysconfdir=%{_sysconfdir}/ssh \
+ --libexecdir=%{_libexecdir}/openssh \
+ --datadir=%{_datadir}/openssh \
+ --with-tcp-wrappers \
+ --with-rsh=%{_bindir}/rsh \
+ --with-default-path=/usr/local/bin:/bin:/usr/bin \
+ --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
+ --with-privsep-path=%{_var}/empty/sshd \
+ --with-md5-passwords \
+%if %{scard}
+ --with-smartcard \
+%endif
+%if %{rescue}
+ --without-pam \
+%else
+ --with-pam \
+%endif
+%if %{kerberos5}
+ --with-kerberos5=$K5DIR \
+%endif
+
+
+%if %{static_libcrypto}
+perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
+%endif
+
+make
+
+%if ! %{no_x11_askpass}
+pushd x11-ssh-askpass-%{aversion}
+%configure --libexecdir=%{_libexecdir}/openssh
+xmkmf -a
+make
+popd
+%endif
+
+# Define a variable to toggle gnome1/gtk2 building. This is necessary
+# because RPM doesn't handle nested %if statements.
+%if %{gtk2}
+ gtk2=yes
+%else
+ gtk2=no
+%endif
+
+%if ! %{no_gnome_askpass}
+pushd contrib
+if [ $gtk2 = yes ] ; then
+ make gnome-ssh-askpass2
+ mv gnome-ssh-askpass2 gnome-ssh-askpass
+else
+ make gnome-ssh-askpass1
+ mv gnome-ssh-askpass1 gnome-ssh-askpass
+fi
+popd
+%endif
+
+%install
+rm -rf $RPM_BUILD_ROOT
+mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
+mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
+mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
+
+make install DESTDIR=$RPM_BUILD_ROOT
+
+install -d $RPM_BUILD_ROOT/etc/pam.d/
+install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
+install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
+%if %{build6x}
+install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd
+%else
+install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
+%endif
+install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
+
+%if ! %{no_x11_askpass}
+install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass
+ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
+%endif
+
+%if ! %{no_gnome_askpass}
+install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
+%endif
+
+%if ! %{scard}
+ rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin
+%endif
+
+%if ! %{no_gnome_askpass}
+install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
+install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
+install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
+%endif
+
+perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%triggerun server -- ssh-server
+if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; then
+ touch /var/run/sshd.restart
+fi
+
+%triggerun server -- openssh-server < 2.5.0p1
+# Count the number of HostKey and HostDsaKey statements we have.
+gawk 'BEGIN {IGNORECASE=1}
+ /^hostkey/ || /^hostdsakey/ {sawhostkey = sawhostkey + 1}
+ END {exit sawhostkey}' /etc/ssh/sshd_config
+# And if we only found one, we know the client was relying on the old default
+# behavior, which loaded the the SSH2 DSA host key when HostDsaKey wasn't
+# specified. Now that HostKey is used for both SSH1 and SSH2 keys, specifying
+# one nullifies the default, which would have loaded both.
+if [ $? -eq 1 ] ; then
+ echo HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_config
+ echo HostKey /etc/ssh/ssh_host_dsa_key >> /etc/ssh/sshd_config
+fi
+
+%triggerpostun server -- ssh-server
+if [ "$1" != 0 ] ; then
+ /sbin/chkconfig --add sshd
+ if test -f /var/run/sshd.restart ; then
+ rm -f /var/run/sshd.restart
+ /sbin/service sshd start > /dev/null 2>&1 || :
+ fi
+fi
+
+%pre server
+%{_sbindir}/groupadd -r -g %{sshd_gid} sshd 2>/dev/null || :
+%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
+ -g sshd -M -r sshd 2>/dev/null || :
+
+%post server
+/sbin/chkconfig --add sshd
+
+%postun server
+/sbin/service sshd condrestart > /dev/null 2>&1 || :
+
+%preun server
+if [ "$1" = 0 ]
+then
+ /sbin/service sshd stop > /dev/null 2>&1 || :
+ /sbin/chkconfig --del sshd
+fi
+
+%files
+%defattr(-,root,root)
+%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* RFC* TODO WARNING*
+%attr(0755,root,root) %{_bindir}/scp
+%attr(0644,root,root) %{_mandir}/man1/scp.1*
+%attr(0755,root,root) %dir %{_sysconfdir}/ssh
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
+%if ! %{rescue}
+%attr(0755,root,root) %{_bindir}/ssh-keygen
+%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
+%attr(0755,root,root) %dir %{_libexecdir}/openssh
+%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign
+%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
+%endif
+%if %{scard}
+%attr(0755,root,root) %dir %{_datadir}/openssh
+%attr(0644,root,root) %{_datadir}/openssh/Ssh.bin
+%endif
+
+%files clients
+%defattr(-,root,root)
+%attr(0755,root,root) %{_bindir}/ssh
+%attr(0644,root,root) %{_mandir}/man1/ssh.1*
+%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
+%attr(-,root,root) %{_bindir}/slogin
+%attr(-,root,root) %{_mandir}/man1/slogin.1*
+%if ! %{rescue}
+%attr(2755,root,nobody) %{_bindir}/ssh-agent
+%attr(0755,root,root) %{_bindir}/ssh-add
+%attr(0755,root,root) %{_bindir}/ssh-keyscan
+%attr(0755,root,root) %{_bindir}/sftp
+%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
+%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
+%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
+%attr(0644,root,root) %{_mandir}/man1/sftp.1*
+%endif
+
+%if ! %{rescue}
+%files server
+%defattr(-,root,root)
+%dir %attr(0111,root,root) %{_var}/empty/sshd
+%attr(0755,root,root) %{_sbindir}/sshd
+%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
+%attr(0644,root,root) %{_mandir}/man8/sshd.8*
+%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
+%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
+%attr(0755,root,root) %dir %{_sysconfdir}/ssh
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
+%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
+%attr(0755,root,root) %config /etc/rc.d/init.d/sshd
+%endif
+
+%if ! %{no_x11_askpass}
+%files askpass
+%defattr(-,root,root)
+%doc x11-ssh-askpass-%{aversion}/README
+%doc x11-ssh-askpass-%{aversion}/ChangeLog
+%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad
+%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
+%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass
+%endif
+
+%if ! %{no_gnome_askpass}
+%files askpass-gnome
+%defattr(-,root,root)
+%attr(0755,root,root) %config %{_sysconfdir}/profile.d/gnome-ssh-askpass.*
+%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
+%endif
+
+%changelog
+* Mon Jun 2 2003 Damien Miller <djm@mindrot.org>
+- Remove noip6 option. This may be controlled at run-time in client config
+ file using new AddressFamily directive
+
+* Mon May 12 2003 Damien Miller <djm@mindrot.org>
+- Don't install profile.d scripts when not building with GNOME/GTK askpass
+ (patch from bet@rahul.net)
+
+* Wed Oct 01 2002 Damien Miller <djm@mindrot.org>
+- Install ssh-agent setgid nobody to prevent ptrace() key theft attacks
+
+* Mon Sep 30 2002 Damien Miller <djm@mindrot.org>
+- Use contrib/ Makefile for building askpass programs
+
+* Fri Jun 21 2002 Damien Miller <djm@mindrot.org>
+- Merge in spec changes from seba@iq.pl (Sebastian Pachuta)
+- Add new {ssh,sshd}_config.5 manpages
+- Add new ssh-keysign program and remove setuid from ssh client
+
+* Fri May 10 2002 Damien Miller <djm@mindrot.org>
+- Merge in spec changes from RedHat, reorgansie a little
+- Add Privsep user, group and directory
+
+* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-2
+- bump and grind (through the build system)
+
+* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-1
+- require sharutils for building (mindrot #137)
+- require db1-devel only when building for 6.x (#55105), which probably won't
+ work anyway (3.1 requires OpenSSL 0.9.6 to build), but what the heck
+- require pam-devel by file (not by package name) again
+- add Markus's patch to compile with OpenSSL 0.9.5a (from
+ http://bugzilla.mindrot.org/show_bug.cgi?id=141) and apply it if we're
+ building for 6.x
+
+* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-0
+- update to 3.1p1
+
+* Tue Mar 5 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020305
+- update to SNAP-20020305
+- drop debug patch, fixed upstream
+
+* Wed Feb 20 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020220
+- update to SNAP-20020220 for testing purposes (you've been warned, if there's
+ anything to be warned about, gss patches won't apply, I don't mind)
+
+* Wed Feb 13 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-3
+- add patches from Simon Wilkinson and Nicolas Williams for GSSAPI key
+ exchange, authentication, and named key support
+
+* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-2
+- remove dependency on db1-devel, which has just been swallowed up whole
+ by gnome-libs-devel
+
+* Sun Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com>
+- adjust build dependencies so that build6x actually works right (fix
+ from Hugo van der Kooij)
+
+* Tue Dec 4 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-1
+- update to 3.0.2p1
+
+* Fri Nov 16 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.1p1-1
+- update to 3.0.1p1
+
+* Tue Nov 13 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to current CVS (not for use in distribution)
+
+* Thu Nov 8 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0p1-1
+- merge some of Damien Miller <djm@mindrot.org> changes from the upstream
+ 3.0p1 spec file and init script
+
+* Wed Nov 7 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 3.0p1
+- update to x11-ssh-askpass 1.2.4.1
+- change build dependency on a file from pam-devel to the pam-devel package
+- replace primes with moduli
+
+* Thu Sep 27 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-9
+- incorporate fix from Markus Friedl's advisory for IP-based authorization bugs
+
+* Thu Sep 13 2001 Bernhard Rosenkraenzer <bero@redhat.com> 2.9p2-8
+- Merge changes to rescue build from current sysadmin survival cd
+
+* Thu Sep 6 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-7
+- fix scp's server's reporting of file sizes, and build with the proper
+ preprocessor define to get large-file capable open(), stat(), etc.
+ (sftp has been doing this correctly all along) (#51827)
+- configure without --with-ipv4-default on RHL 7.x and newer (#45987,#52247)
+- pull cvs patch to fix support for /etc/nologin for non-PAM logins (#47298)
+- mark profile.d scriptlets as config files (#42337)
+- refer to Jason Stone's mail for zsh workaround for exit-hanging quasi-bug
+- change a couple of log() statements to debug() statements (#50751)
+- pull cvs patch to add -t flag to sshd (#28611)
+- clear fd_sets correctly (one bit per FD, not one byte per FD) (#43221)
+
+* Mon Aug 20 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-6
+- add db1-devel as a BuildPrerequisite (noted by Hans Ecke)
+
+* Thu Aug 16 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pull cvs patch to fix remote port forwarding with protocol 2
+
+* Thu Aug 9 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pull cvs patch to add session initialization to no-pty sessions
+- pull cvs patch to not cut off challengeresponse auth needlessly
+- refuse to do X11 forwarding if xauth isn't there, handy if you enable
+ it by default on a system that doesn't have X installed (#49263)
+
+* Wed Aug 8 2001 Nalin Dahyabhai <nalin@redhat.com>
+- don't apply patches to code we don't intend to build (spotted by Matt Galgoci)
+
+* Mon Aug 6 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pass OPTIONS correctly to initlog (#50151)
+
+* Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+- switch to x11-ssh-askpass 1.2.2
+
+* Wed Jul 11 2001 Nalin Dahyabhai <nalin@redhat.com>
+- rebuild in new environment
+
+* Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+- disable the gssapi patch
+
+* Mon Jun 18 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.9p2
+- refresh to a new version of the gssapi patch
+
+* Thu Jun 7 2001 Nalin Dahyabhai <nalin@redhat.com>
+- change Copyright: BSD to License: BSD
+- add Markus Friedl's unverified patch for the cookie file deletion problem
+ so that we can verify it
+- drop patch to check if xauth is present (was folded into cookie patch)
+- don't apply gssapi patches for the errata candidate
+- clear supplemental groups list at startup
+
+* Fri May 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+- fix an error parsing the new default sshd_config
+- add a fix from Markus Friedl (via openssh-unix-dev) for ssh-keygen not
+ dealing with comments right
+
+* Thu May 24 2001 Nalin Dahyabhai <nalin@redhat.com>
+- add in Simon Wilkinson's GSSAPI patch to give it some testing in-house,
+ to be removed before the next beta cycle because it's a big departure
+ from the upstream version
+
+* Thu May 3 2001 Nalin Dahyabhai <nalin@redhat.com>
+- finish marking strings in the init script for translation
+- modify init script to source /etc/sysconfig/sshd and pass $OPTIONS to sshd
+ at startup (change merged from openssh.com init script, originally by
+ Pekka Savola)
+- refuse to do X11 forwarding if xauth isn't there, handy if you enable
+ it by default on a system that doesn't have X installed
+
+* Wed May 2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.9
+- drop various patches that came from or went upstream or to or from CVS
+
+* Wed Apr 18 2001 Nalin Dahyabhai <nalin@redhat.com>
+- only require initscripts 5.00 on 6.2 (reported by Peter Bieringer)
+
+* Sun Apr 8 2001 Preston Brown <pbrown@redhat.com>
+- remove explicit openssl requirement, fixes builddistro issue
+- make initscript stop() function wait until sshd really dead to avoid
+ races in condrestart
+
+* Mon Apr 2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- mention that challengereponse supports PAM, so disabling password doesn't
+ limit users to pubkey and rsa auth (#34378)
+- bypass the daemon() function in the init script and call initlog directly,
+ because daemon() won't start a daemon it detects is already running (like
+ open connections)
+- require the version of openssl we had when we were built
+
+* Fri Mar 23 2001 Nalin Dahyabhai <nalin@redhat.com>
+- make do_pam_setcred() smart enough to know when to establish creds and
+ when to reinitialize them
+- add in a couple of other fixes from Damien for inclusion in the errata
+
+* Thu Mar 22 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.5.2p2
+- call setcred() again after initgroups, because the "creds" could actually
+ be group memberships
+
+* Tue Mar 20 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.5.2p1 (includes endianness fixes in the rijndael implementation)
+- don't enable challenge-response by default until we find a way to not
+ have too many userauth requests (we may make up to six pubkey and up to
+ three password attempts as it is)
+- remove build dependency on rsh to match openssh.com's packages more closely
+
+* Sat Mar 3 2001 Nalin Dahyabhai <nalin@redhat.com>
+- remove dependency on openssl -- would need to be too precise
+
+* Fri Mar 2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- rebuild in new environment
+
+* Mon Feb 26 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Revert the patch to move pam_open_session.
+- Init script and spec file changes from Pekka Savola. (#28750)
+- Patch sftp to recognize '-o protocol' arguments. (#29540)
+
+* Thu Feb 22 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Chuck the closing patch.
+- Add a trigger to add host keys for protocol 2 to the config file, now that
+ configuration file syntax requires us to specify it with HostKey if we
+ specify any other HostKey values, which we do.
+
+* Tue Feb 20 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Redo patch to move pam_open_session after the server setuid()s to the user.
+- Rework the nopam patch to use be picked up by autoconf.
+
+* Mon Feb 19 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Update for 2.5.1p1.
+- Add init script mods from Pekka Savola.
+- Tweak the init script to match the CVS contrib script more closely.
+- Redo patch to ssh-add to try to adding both identity and id_dsa to also try
+ adding id_rsa.
+
+* Fri Feb 16 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Update for 2.5.0p1.
+- Use $RPM_OPT_FLAGS instead of -O when building gnome-ssh-askpass
+- Resync with parts of Damien Miller's openssh.spec from CVS, including
+ update of x11 askpass to 1.2.0.
+- Only require openssl (don't prereq) because we generate keys in the init
+ script now.
+
+* Tue Feb 13 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Don't open a PAM session until we've forked and become the user (#25690).
+- Apply Andrew Bartlett's patch for letting pam_authenticate() know which
+ host the user is attempting a login from.
+- Resync with parts of Damien Miller's openssh.spec from CVS.
+- Don't expose KbdInt responses in debug messages (from CVS).
+- Detect and handle errors in rsa_{public,private}_decrypt (from CVS).
+
+* Wed Feb 7 2001 Trond Eivind Glomsrxd <teg@redhat.com>
+- i18n-tweak to initscript.
+
+* Tue Jan 23 2001 Nalin Dahyabhai <nalin@redhat.com>
+- More gettextizing.
+- Close all files after going into daemon mode (needs more testing).
+- Extract patch from CVS to handle auth banners (in the client).
+- Extract patch from CVS to handle compat weirdness.
+
+* Fri Jan 19 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Finish with the gettextizing.
+
+* Thu Jan 18 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Fix a bug in auth2-pam.c (#23877)
+- Gettextize the init script.
+
+* Wed Dec 20 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Incorporate a switch for using PAM configs for 6.x, just in case.
+
+* Tue Dec 5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Incorporate Bero's changes for a build specifically for rescue CDs.
+
+* Wed Nov 29 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Don't treat pam_setcred() failure as fatal unless pam_authenticate() has
+ succeeded, to allow public-key authentication after a failure with "none"
+ authentication. (#21268)
+
+* Tue Nov 28 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to x11-askpass 1.1.1. (#21301)
+- Don't second-guess fixpaths, which causes paths to get fixed twice. (#21290)
+
+* Mon Nov 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Merge multiple PAM text messages into subsequent prompts when possible when
+ doing keyboard-interactive authentication.
+
+* Sun Nov 26 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Disable the built-in MD5 password support. We're using PAM.
+- Take a crack at doing keyboard-interactive authentication with PAM, and
+ enable use of it in the default client configuration so that the client
+ will try it when the server disallows password authentication.
+- Build with debugging flags. Build root policies strip all binaries anyway.
+
+* Tue Nov 21 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Use DESTDIR instead of %%makeinstall.
+- Remove /usr/X11R6/bin from the path-fixing patch.
+
+* Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Add the primes file from the latest snapshot to the main package (#20884).
+- Add the dev package to the prereq list (#19984).
+- Remove the default path and mimic login's behavior in the server itself.
+
+* Fri Nov 17 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Resync with conditional options in Damien Miller's .spec file for an errata.
+- Change libexecdir from %%{_libexecdir}/ssh to %%{_libexecdir}/openssh.
+
+* Tue Nov 7 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to OpenSSH 2.3.0p1.
+- Update to x11-askpass 1.1.0.
+- Enable keyboard-interactive authentication.
+
+* Mon Oct 30 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to ssh-askpass-x11 1.0.3.
+- Change authentication related messages to be private (#19966).
+
+* Tue Oct 10 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Patch ssh-keygen to be able to list signatures for DSA public key files
+ it generates.
+
+* Thu Oct 5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Add BuildPreReq on /usr/include/security/pam_appl.h to be sure we always
+ build PAM authentication in.
+- Try setting SSH_ASKPASS if gnome-ssh-askpass is installed.
+- Clean out no-longer-used patches.
+- Patch ssh-add to try to add both identity and id_dsa, and to error only
+ when neither exists.
+
+* Mon Oct 2 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update x11-askpass to 1.0.2. (#17835)
+- Add BuildPreReqs for /bin/login and /usr/bin/rsh so that configure will
+ always find them in the right place. (#17909)
+- Set the default path to be the same as the one supplied by /bin/login, but
+ add /usr/X11R6/bin. (#17909)
+- Try to handle obsoletion of ssh-server more cleanly. Package names
+ are different, but init script name isn't. (#17865)
+
+* Wed Sep 6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 2.2.0p1. (#17835)
+- Tweak the init script to allow proper restarting. (#18023)
+
+* Wed Aug 23 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 20000823 snapshot.
+- Change subpackage requirements from %%{version} to %%{version}-%%{release}
+- Back out the pipe patch.
+
+* Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 2.1.1p4, which includes fixes for config file parsing problems.
+- Move the init script back.
+- Add Damien's quick fix for wackiness.
+
+* Wed Jul 12 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 2.1.1p3, which includes fixes for X11 forwarding and strtok().
+
+* Thu Jul 6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Move condrestart to server postun.
+- Move key generation to init script.
+- Actually use the right patch for moving the key generation to the init script.
+- Clean up the init script a bit.
+
+* Wed Jul 5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Fix X11 forwarding, from mail post by Chan Shih-Ping Richard.
+
+* Sun Jul 2 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 2.1.1p2.
+- Use of strtok() considered harmful.
+
+* Sat Jul 1 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Get the build root out of the man pages.
+
+* Thu Jun 29 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Add and use condrestart support in the init script.
+- Add newer initscripts as a prereq.
+
+* Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Build in new environment (release 2)
+- Move -clients subpackage to Applications/Internet group
+
+* Fri Jun 9 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 2.2.1p1
+
+* Sat Jun 3 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Patch to build with neither RSA nor RSAref.
+- Miscellaneous FHS-compliance tweaks.
+- Fix for possibly-compressed man pages.
+
+* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
+- Updated for new location
+- Updated for new gnome-ssh-askpass build
+
+* Sun Dec 26 1999 Damien Miller <djm@mindrot.org>
+- Added Jim Knoble's <jmknoble@pobox.com> askpass
+
+* Mon Nov 15 1999 Damien Miller <djm@mindrot.org>
+- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com>
+
+* Sat Nov 13 1999 Damien Miller <djm@mindrot.org>
+- Added 'Obsoletes' directives
+
+* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au>
+- Use make install
+- Subpackages
+
+* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au>
+- Added links for slogin
+- Fixed perms on manpages
+
+* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au>
+- Renamed init script
+
+* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au>
+- Back to old binary names
+
+* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au>
+- Use autoconf
+- New binary names
+
+* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au>
+- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec.
diff --git a/crypto/openssh/contrib/redhat/sshd.init b/crypto/openssh/contrib/redhat/sshd.init
new file mode 100755
index 000000000000..4ee8630c3954
--- /dev/null
+++ b/crypto/openssh/contrib/redhat/sshd.init
@@ -0,0 +1,154 @@
+#!/bin/bash
+#
+# Init file for OpenSSH server daemon
+#
+# chkconfig: 2345 55 25
+# description: OpenSSH server daemon
+#
+# processname: sshd
+# config: /etc/ssh/ssh_host_key
+# config: /etc/ssh/ssh_host_key.pub
+# config: /etc/ssh/ssh_random_seed
+# config: /etc/ssh/sshd_config
+# pidfile: /var/run/sshd.pid
+
+# source function library
+. /etc/rc.d/init.d/functions
+
+# pull in sysconfig settings
+[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
+
+RETVAL=0
+prog="sshd"
+
+# Some functions to make the below more readable
+KEYGEN=/usr/bin/ssh-keygen
+SSHD=/usr/sbin/sshd
+RSA1_KEY=/etc/ssh/ssh_host_key
+RSA_KEY=/etc/ssh/ssh_host_rsa_key
+DSA_KEY=/etc/ssh/ssh_host_dsa_key
+PID_FILE=/var/run/sshd.pid
+
+do_rsa1_keygen() {
+ if [ ! -s $RSA1_KEY ]; then
+ echo -n $"Generating SSH1 RSA host key: "
+ if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
+ chmod 600 $RSA1_KEY
+ chmod 644 $RSA1_KEY.pub
+ success $"RSA1 key generation"
+ echo
+ else
+ failure $"RSA1 key generation"
+ echo
+ exit 1
+ fi
+ fi
+}
+
+do_rsa_keygen() {
+ if [ ! -s $RSA_KEY ]; then
+ echo -n $"Generating SSH2 RSA host key: "
+ if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
+ chmod 600 $RSA_KEY
+ chmod 644 $RSA_KEY.pub
+ success $"RSA key generation"
+ echo
+ else
+ failure $"RSA key generation"
+ echo
+ exit 1
+ fi
+ fi
+}
+
+do_dsa_keygen() {
+ if [ ! -s $DSA_KEY ]; then
+ echo -n $"Generating SSH2 DSA host key: "
+ if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
+ chmod 600 $DSA_KEY
+ chmod 644 $DSA_KEY.pub
+ success $"DSA key generation"
+ echo
+ else
+ failure $"DSA key generation"
+ echo
+ exit 1
+ fi
+ fi
+}
+
+do_restart_sanity_check()
+{
+ $SSHD -t
+ RETVAL=$?
+ if [ ! "$RETVAL" = 0 ]; then
+ failure $"Configuration file or keys are invalid"
+ echo
+ fi
+}
+
+start()
+{
+ # Create keys if necessary
+ do_rsa1_keygen
+ do_rsa_keygen
+ do_dsa_keygen
+
+ echo -n $"Starting $prog:"
+ initlog -c "$SSHD $OPTIONS" && success || failure
+ RETVAL=$?
+ [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
+ echo
+}
+
+stop()
+{
+ echo -n $"Stopping $prog:"
+ killproc $SSHD -TERM
+ RETVAL=$?
+ [ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd
+ echo
+}
+
+reload()
+{
+ echo -n $"Reloading $prog:"
+ killproc $SSHD -HUP
+ RETVAL=$?
+ echo
+}
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ stop
+ start
+ ;;
+ reload)
+ reload
+ ;;
+ condrestart)
+ if [ -f /var/lock/subsys/sshd ] ; then
+ do_restart_sanity_check
+ if [ "$RETVAL" = 0 ] ; then
+ stop
+ # avoid race
+ sleep 3
+ start
+ fi
+ fi
+ ;;
+ status)
+ status $SSHD
+ RETVAL=$?
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
+ RETVAL=1
+esac
+exit $RETVAL
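Review bot: do_rsa1_keygen, do_rsa_keygen and do_dsa_keygen are the same fourteen lines with the key type, key path and label substituted, so any later fix to one of them (the chmod pair, the exit on failure) has to be made three times. A single parameterised do_keygen called three times from start() keeps the behaviour with the per-type label wording unified. The `$"…"` gettext lookups then contain a variable, which this file already does with `$"Starting $prog:"`.
```shell
# Generate one host key if it is missing or empty: do_keygen <type> <file> <label>
do_keygen() {
	if [ ! -s "$2" ]; then
		echo -n $"Generating $3 host key: "
		if $KEYGEN -q -t "$1" -f "$2" -C '' -N '' >&/dev/null; then
			chmod 600 "$2"
			chmod 644 "$2.pub"
			success $"$3 key generation"
			echo
		else
			failure $"$3 key generation"
			echo
			exit 1
		fi
	fi
}
# … unchanged: do_restart_sanity_check …
start()
{
	# Create keys if necessary
	do_keygen rsa1 $RSA1_KEY "SSH1 RSA"
	do_keygen rsa  $RSA_KEY  "SSH2 RSA"
	do_keygen dsa  $DSA_KEY  "SSH2 DSA"
	# … unchanged: initlog call, lock file, echo …
```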
diff --git a/crypto/openssh/contrib/redhat/sshd.pam b/crypto/openssh/contrib/redhat/sshd.pam
new file mode 100644
index 000000000000..24f3b46516eb
--- /dev/null
+++ b/crypto/openssh/contrib/redhat/sshd.pam
@@ -0,0 +1,8 @@
+#%PAM-1.0
+auth required pam_stack.so service=system-auth
+auth required pam_nologin.so
+account required pam_stack.so service=system-auth
+password required pam_stack.so service=system-auth
+session required pam_stack.so service=system-auth
+session required pam_limits.so
+session optional pam_console.so
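Review bot: `session optional pam_console.so` on the last line enrols remote ssh logins in the console-ownership scheme, which as far as I know hands the logging-in user ownership of the local devices pam_console manages and is meant for users sitting at the physical console. For a network-facing service that is a questionable default and the file gives no hint it was intended. Either drop the line or put `# pam_console: grants local device ownership to remote logins, kept deliberately` above it so the next packager knows it was a choice rather than a copy from the login stack.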
diff --git a/crypto/openssh/contrib/solaris/README b/crypto/openssh/contrib/solaris/README
new file mode 100755
index 000000000000..eb4c590f4eaa
--- /dev/null
+++ b/crypto/openssh/contrib/solaris/README
@@ -0,0 +1,24 @@
+The following is a new package build script for Solaris. This is being
+introduced into OpenSSH 3.0 and above in hopes of simplifying the build
+process. As of 3.1p2 the script should work on all platforms that have
+SVR4 style package tools.
+
+The build process is called a 'dummy install'.. Which means the software does
+a "make install-nokeys DESTDIR=[fakeroot]". This way all manpages should
+be handled correctly and key are defered until the first time the sshd
+is started.
+
+Directions:
+
+1. make -F Makefile.in distprep (Only if you are getting from the CVS tree)
+2. ./configure --with-pam [..any other options you want..]
+3. look at the top of contrib/solaris/buildpkg.sh for the configurable options.
+4. ./contrib/solaris/buildpkg.sh
+
+If all goes well you should have a solaris package ready to be installed.
+
+If you have any problems with this script please post them to
+openssh-unix-dev@mindrot.org and I will try to assist you as best as I can.
+
+- Ben Lindstrom
+
diff --git a/crypto/openssh/contrib/solaris/buildpkg.sh b/crypto/openssh/contrib/solaris/buildpkg.sh
new file mode 100755
index 000000000000..29d096306488
--- /dev/null
+++ b/crypto/openssh/contrib/solaris/buildpkg.sh
@@ -0,0 +1,386 @@
+#!/bin/sh
+#
+# Fake Root Solaris/SVR4/SVR5 Build System - Prototype
+#
+# The following code has been provide under Public Domain License. I really
+# don't care what you use it for. Just as long as you don't complain to me
+# nor my employer if you break it. - Ben Lindstrom (mouring@eviladmin.org)
+#
+umask 022
+#
+# Options for building the package
+# You can create a config.local with your customized options
+#
+# uncommenting TEST_DIR and using
+# configure --prefix=/var/tmp --with-privsep-path=/var/tmp/empty
+# and
+# PKGNAME=tOpenSSH should allow testing a package without interfering
+# with a real OpenSSH package on a system. This is not needed on systems
+# that support the -R option to pkgadd.
+#TEST_DIR=/var/tmp # leave commented out for production build
+PKGNAME=OpenSSH
+SYSVINIT_NAME=opensshd
+MAKE=${MAKE:="make"}
+SSHDUID=67 # Default privsep uid
+SSHDGID=67 # Default privsep gid
+# uncomment these next three as needed
+#PERMIT_ROOT_LOGIN=no
+#X11_FORWARDING=yes
+#USR_LOCAL_IS_SYMLINK=yes
+# list of system directories we do NOT want to change owner/group/perms
+# when installing our package
+SYSTEM_DIR="/etc \
+/etc/init.d \
+/etc/rcS.d \
+/etc/rc0.d \
+/etc/rc1.d \
+/etc/rc2.d \
+/etc/opt \
+/opt \
+/opt/bin \
+/usr \
+/usr/bin \
+/usr/lib \
+/usr/sbin \
+/usr/share \
+/usr/share/man \
+/usr/share/man/man1 \
+/usr/share/man/man8 \
+/usr/local \
+/usr/local/bin \
+/usr/local/etc \
+/usr/local/libexec \
+/usr/local/man \
+/usr/local/man/man1 \
+/usr/local/man/man8 \
+/usr/local/sbin \
+/usr/local/share \
+/var \
+/var/opt \
+/var/run \
+/var/tmp \
+/tmp"
+
+# We may need to build as root so we make sure PATH is set up
+# only set the path if it's not set already
+[ -d /usr/local/bin ] && {
+ echo $PATH | grep ":/usr/local/bin" > /dev/null 2>&1
+ [ $? -ne 0 ] && PATH=$PATH:/usr/local/bin
+}
+[ -d /usr/ccs/bin ] && {
+ echo $PATH | grep ":/usr/ccs/bin" > /dev/null 2>&1
+ [ $? -ne 0 ] && PATH=$PATH:/usr/ccs/bin
+}
+export PATH
+#
+
+[ -f Makefile ] || {
+ echo "Please run this script from your build directory"
+ exit 1
+}
+
+# we will look for config.local to override the above options
+[ -s ./config.local ] && . ./config.local
+
+## Start by faking root install
+echo "Faking root install..."
+START=`pwd`
+OPENSSHD_IN=`dirname $0`/opensshd.in
+FAKE_ROOT=$START/package
+[ -d $FAKE_ROOT ] && rm -fr $FAKE_ROOT
+mkdir $FAKE_ROOT
+${MAKE} install-nokeys DESTDIR=$FAKE_ROOT
+if [ $? -gt 0 ]
+then
+ echo "Fake root install failed, stopping."
+ exit 1
+fi
+
+## Fill in some details, like prefix and sysconfdir
+for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir sysconfdir piddir
+do
+ eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2`
+done
+
+
+## Collect value of privsep user
+for confvar in SSH_PRIVSEP_USER
+do
+ eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h`
+done
+
+## Set privsep defaults if not defined
+if [ -z "$SSH_PRIVSEP_USER" ]
+then
+ SSH_PRIVSEP_USER=sshd
+fi
+
+## Extract common info requires for the 'info' part of the package.
+VERSION=`./ssh -V 2>&1 | sed -e 's/,.*//'`
+
+UNAME_S=`uname -s`
+case ${UNAME_S} in
+ SunOS) UNAME_S=Solaris
+ ARCH=`uname -p`
+ RCS_D=yes
+ DEF_MSG="(default: n)"
+ ;;
+ *) ARCH=`uname -m`
+ DEF_MSG="\n" ;;
+esac
+
+## Setup our run level stuff while we are at it.
+mkdir -p $FAKE_ROOT${TEST_DIR}/etc/init.d
+
+## setup our initscript correctly
+sed -e "s#%%configDir%%#${sysconfdir}#g" \
+ -e "s#%%openSSHDir%%#$prefix#g" \
+ -e "s#%%pidDir%%#${piddir}#g" \
+ ${OPENSSHD_IN} > $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
+chmod 744 $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
+
+[ "${PERMIT_ROOT_LOGIN}" = no ] && \
+ perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
+ $FAKE_ROOT/${sysconfdir}/sshd_config
+[ "${X11_FORWARDING}" = yes ] && \
+ perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
+ $FAKE_ROOT/${sysconfdir}/sshd_config
+# fix PrintMotd
+perl -p -i -e "s/#PrintMotd yes/PrintMotd no/" \
+ $FAKE_ROOT/${sysconfdir}/sshd_config
+
+# We don't want to overwrite config files on multiple installs
+mv $FAKE_ROOT/${sysconfdir}/ssh_config $FAKE_ROOT/${sysconfdir}/ssh_config.default
+mv $FAKE_ROOT/${sysconfdir}/sshd_config $FAKE_ROOT/${sysconfdir}/sshd_config.default
+[ -f $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds ] && \
+mv $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds.default
+
+cd $FAKE_ROOT
+
+## Ok, this is outright wrong, but it will work. I'm tired of pkgmk
+## whining.
+for i in *; do
+ PROTO_ARGS="$PROTO_ARGS $i=/$i";
+done
+
+## Build info file
+echo "Building pkginfo file..."
+cat > pkginfo << _EOF
+PKG=$PKGNAME
+NAME="OpenSSH Portable for ${UNAME_S}"
+DESC="Secure Shell remote access utility; replaces telnet and rlogin/rsh."
+VENDOR="OpenSSH Portable Team - http://www.openssh.com/portable.html"
+ARCH=$ARCH
+VERSION=$VERSION
+CATEGORY="Security,application"
+BASEDIR=/
+CLASSES="none"
+_EOF
+
+## Build preinstall file
+echo "Building preinstall file..."
+cat > preinstall << _EOF
+#! /sbin/sh
+#
+[ "\${PRE_INS_STOP}" = "yes" ] && ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
+exit 0
+_EOF
+
+## Build postinstall file
+echo "Building postinstall file..."
+cat > postinstall << _EOF
+#! /sbin/sh
+#
+[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config ] || \\
+ cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config.default \\
+ \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config
+[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config ] || \\
+ cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config.default \\
+ \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config
+[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds.default ] && {
+ [ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds ] || \\
+ cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds.default \\
+ \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds
+}
+
+# make rc?.d dirs only if we are doing a test install
+[ -n "${TEST_DIR}" ] && {
+ [ "$RCS_D" = yes ] && mkdir -p ${TEST_DIR}/etc/rcS.d
+ mkdir -p ${TEST_DIR}/etc/rc0.d
+ mkdir -p ${TEST_DIR}/etc/rc1.d
+ mkdir -p ${TEST_DIR}/etc/rc2.d
+}
+
+if [ "\${USE_SYM_LINKS}" = yes ]
+then
+ [ "$RCS_D" = yes ] && \
+installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
+ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
+ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
+ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/S98${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
+else
+ [ "$RCS_D" = yes ] && \
+installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/S98${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+fi
+
+# If piddir doesn't exist we add it. (Ie. --with-pid-dir=/var/opt/ssh)
+[ -d $piddir ] || installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR$piddir d 755 root sys
+
+installf -f ${PKGNAME}
+
+# Use chroot to handle PKG_INSTALL_ROOT
+if [ ! -z "\${PKG_INSTALL_ROOT}" ]
+then
+ chroot="chroot \${PKG_INSTALL_ROOT}"
+fi
+# If this is a test build, we will skip the groupadd/useradd/passwd commands
+if [ ! -z "${TEST_DIR}" ]
+then
+ chroot=echo
+fi
+
+if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' \${PKG_INSTALL_ROOT}/$sysconfdir/sshd_config >/dev/null
+then
+ echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user"
+ echo "or group."
+else
+ echo "UsePrivilegeSeparation enabled in config (or defaulting to on)."
+
+ # create group if required
+ if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+ then
+ echo "PrivSep group $SSH_PRIVSEP_USER already exists."
+ else
+ # Use gid of 67 if possible
+ if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null
+ then
+ :
+ else
+ sshdgid="-g $SSHDGID"
+ fi
+ echo "Creating PrivSep group $SSH_PRIVSEP_USER."
+ \$chroot /usr/sbin/groupadd \$sshdgid $SSH_PRIVSEP_USER
+ fi
+
+ # Create user if required
+ if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+ then
+ echo "PrivSep user $SSH_PRIVSEP_USER already exists."
+ else
+ # Use uid of 67 if possible
+ if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null
+ then
+ :
+ else
+ sshduid="-u $SSHDUID"
+ fi
+ echo "Creating PrivSep user $SSH_PRIVSEP_USER."
+ \$chroot /usr/sbin/useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER
+ \$chroot /usr/bin/passwd -l $SSH_PRIVSEP_USER
+ fi
+fi
+
+[ "\${POST_INS_START}" = "yes" ] && ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start
+exit 0
+_EOF
+
+## Build preremove file
+echo "Building preremove file..."
+cat > preremove << _EOF
+#! /sbin/sh
+#
+${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
+exit 0
+_EOF
+
+## Build request file
+echo "Building request file..."
+cat > request << _EOF
+trap 'exit 3' 15
+USE_SYM_LINKS=no
+PRE_INS_STOP=no
+POST_INS_START=no
+# Use symbolic links?
+ans=\`ckyorn -d n \
+-p "Do you want symbolic links for the start/stop scripts? ${DEF_MSG}"\` || exit \$?
+case \$ans in
+ [y,Y]*) USE_SYM_LINKS=yes ;;
+esac
+
+# determine if should restart the daemon
+if [ -s ${piddir}/sshd.pid -a -f ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} ]
+then
+ ans=\`ckyorn -d n \
+-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
+ case \$ans in
+ [y,Y]*) PRE_INS_STOP=yes
+ POST_INS_START=yes
+ ;;
+ esac
+
+else
+
+# determine if we should start sshd
+ ans=\`ckyorn -d n \
+-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
+ case \$ans in
+ [y,Y]*) POST_INS_START=yes ;;
+ esac
+fi
+
+# make parameters available to installation service,
+# and so to any other packaging scripts
+cat >\$1 <<!
+USE_SYM_LINKS='\$USE_SYM_LINKS'
+PRE_INS_STOP='\$PRE_INS_STOP'
+POST_INS_START='\$POST_INS_START'
+!
+exit 0
+
+_EOF
+
+## Build space file
+echo "Building space file..."
+cat > space << _EOF
+# extra space required by start/stop links added by installf in postinstall
+$TEST_DIR/etc/rc0.d/K30${SYSVINIT_NAME} 0 1
+$TEST_DIR/etc/rc1.d/K30${SYSVINIT_NAME} 0 1
+$TEST_DIR/etc/rc2.d/S98${SYSVINIT_NAME} 0 1
+_EOF
+[ "$RCS_D" = yes ] && \
+echo "$TEST_DIR/etc/rcS.d/K30${SYSVINIT_NAME} 0 1" >> space
+
+## Next Build our prototype
+echo "Building prototype file..."
+cat >mk-proto.awk << _EOF
+ BEGIN { print "i pkginfo"; print "i preinstall"; \\
+ print "i postinstall"; print "i preremove"; \\
+ print "i request"; print "i space"; \\
+ split("$SYSTEM_DIR",sys_files); }
+ {
+ for (dir in sys_files) { if ( \$3 != sys_files[dir] )
+ { \$5="root"; \$6="sys"; }
+ else
+ { \$4="?"; \$5="?"; \$6="?"; break;}
+ } }
+ { print; }
+_EOF
+find . | egrep -v "prototype|pkginfo|mk-proto.awk" | sort | \
+ pkgproto $PROTO_ARGS | nawk -f mk-proto.awk > prototype
+
+# /usr/local is a symlink on some systems
+[ "${USR_LOCAL_IS_SYMLINK}" = yes ] && {
+ grep -v "^d none /usr/local ? ? ?$" prototype > prototype.new
+ mv prototype.new prototype
+}
+
+## Step back a directory and now build the package.
+echo "Building package.."
+cd ..
+pkgmk -d ${FAKE_ROOT} -f $FAKE_ROOT/prototype -o
+echo | pkgtrans -os ${FAKE_ROOT} ${START}/$PKGNAME-$UNAME_S-$ARCH-$VERSION.pkg
+rm -rf $FAKE_ROOT
+
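Review bot: The uid check in the generated postinstall greps the third field of /etc/passwd for `$SSHDGID` instead of `$SSHDUID`, so the "Use uid of 67 if possible" branch tests the wrong number; the line should read `if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDUID'\$' >/dev/null`. With both defaulting to 67 the mistake is invisible on a stock build, but a config.local that changes only one of SSHDUID/SSHDGID will either pass -u for a uid that is already taken (useradd fails) or omit -u when the uid was free. The backslashes must stay as they are, since the line lives inside the postinstall here-document and is expanded at package install time.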
diff --git a/crypto/openssh/contrib/solaris/opensshd.in b/crypto/openssh/contrib/solaris/opensshd.in
new file mode 100755
index 000000000000..50e18deea314
--- /dev/null
+++ b/crypto/openssh/contrib/solaris/opensshd.in
@@ -0,0 +1,82 @@
+#!/sbin/sh
+# Donated code that was put under PD license.
+#
+# Stripped PRNGd out of it for the time being.
+
+umask 022
+
+CAT=/usr/bin/cat
+KILL=/usr/bin/kill
+
+prefix=%%openSSHDir%%
+etcdir=%%configDir%%
+piddir=%%pidDir%%
+
+SSHD=$prefix/sbin/sshd
+PIDFILE=$piddir/sshd.pid
+SSH_KEYGEN=$prefix/bin/ssh-keygen
+HOST_KEY_RSA1=$etcdir/ssh_host_key
+HOST_KEY_DSA=$etcdir/ssh_host_dsa_key
+HOST_KEY_RSA=$etcdir/ssh_host_rsa_key
+
+
+checkkeys() {
+ if [ ! -f $HOST_KEY_RSA1 ]; then
+ ${SSH_KEYGEN} -t rsa1 -f ${HOST_KEY_RSA1} -N ""
+ fi
+ if [ ! -f $HOST_KEY_DSA ]; then
+ ${SSH_KEYGEN} -t dsa -f ${HOST_KEY_DSA} -N ""
+ fi
+ if [ ! -f $HOST_KEY_RSA ]; then
+ ${SSH_KEYGEN} -t rsa -f ${HOST_KEY_RSA} -N ""
+ fi
+}
+
+stop_service() {
+ if [ -r $PIDFILE -a ! -z ${PIDFILE} ]; then
+ PID=`${CAT} ${PIDFILE}`
+ fi
+ if [ ${PID:=0} -gt 1 -a ! "X$PID" = "X " ]; then
+ ${KILL} ${PID}
+ else
+ echo "Unable to read PID file"
+ fi
+}
+
+start_service() {
+ # XXX We really should check if the service is already going, but
+ # XXX we will opt out at this time. - Bal
+
+ # Check to see if we have keys that need to be made
+ checkkeys
+
+ # Start SSHD
+ echo "starting $SSHD... \c" ; $SSHD
+
+ sshd_rc=$?
+ if [ $sshd_rc -ne 0 ]; then
+ echo "$0: Error ${sshd_rc} starting ${SSHD}... bailing."
+ exit $sshd_rc
+ fi
+ echo done.
+}
+
+case $1 in
+
+'start')
+ start_service
+ ;;
+
+'stop')
+ stop_service
+ ;;
+
+'restart')
+ stop_service
+ start_service
+ ;;
+
+*)
+ echo "$0: usage: $0 {start|stop|restart}"
+ ;;
+esac
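Review bot: checkkeys tests each host key with `! -f` and ignores ssh-keygen's exit status, so a zero-byte or partial key left by an interrupted run is neither regenerated nor reported, and start_service goes on to launch sshd without a usable key. Testing with `-s` and stopping on failure, e.g. `[ -s $HOST_KEY_RSA1 ] || ${SSH_KEYGEN} -t rsa1 -f ${HOST_KEY_RSA1} -N "" || exit 1` for each of the three keys, mirrors what the redhat sshd.init in this same commit does with `[ ! -s $RSA1_KEY ]` and its `exit 1` on failure. A one-line comment above checkkeys saying it is run on every start, not just first boot, would also help, since the header only mentions PRNGd being stripped.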
diff --git a/crypto/openssh/contrib/ssh-copy-id b/crypto/openssh/contrib/ssh-copy-id
new file mode 100644
index 000000000000..a1c0a9234316
--- /dev/null
+++ b/crypto/openssh/contrib/ssh-copy-id
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# Shell script to install your identity.pub on a remote machine
+# Takes the remote machine name as an argument.
+# Obviously, the remote machine must accept password authentication,
+# or one of the other keys in your ssh-agent, for this to work.
+
+ID_FILE="${HOME}/.ssh/identity.pub"
+
+if [ "-i" = "$1" ]; then
+ shift
+ # check if we have 2 parameters left, if so the first is the new ID file
+ if [ -n "$2" ]; then
+ if expr "$1" : ".*\.pub" ; then
+ ID_FILE="$1"
+ else
+ ID_FILE="$1.pub"
+ fi
+ shift # and this should leave $1 as the target name
+ fi
+else
+ if [ x$SSH_AUTH_SOCK != x ] ; then
+ GET_ID="$GET_ID ssh-add -L"
+ fi
+fi
+
+if [ -z "`eval $GET_ID`" -a -r "${ID_FILE}" ] ; then
+ GET_ID="cat ${ID_FILE}"
+fi
+
+if [ -z "`eval $GET_ID`" ]; then
+ echo "$0: ERROR: No identities found" >&2
+ exit 1
+fi
+
+if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+ echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2
+ exit 1
+fi
+
+{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1
+
+cat <<EOF
+Now try logging into the machine, with "ssh '$1'", and check in:
+
+ .ssh/authorized_keys
+
+to make sure we haven't added extra keys that you weren't expecting.
+
+EOF
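Review bot: The remote command on the `ssh $1` line only sets `umask 077` and appends to .ssh/authorized_keys; it never changes the permissions of the home directory, .ssh or an existing authorized_keys, yet the ssh-copy-id.1 page added further down in this commit says the script removes group writability from all three so that a StrictModes sshd will accept the key. Either the man page should lose that paragraph or the remote command should do what it promises, e.g. a `chmod go-w . .ssh .ssh/authorized_keys` after the append. Separately, `expr "$1" : ".*\.pub"` prints its match length to stdout, so a `-i foo.pub` run emits a stray number; redirect it with `>/dev/null`.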
diff --git a/crypto/openssh/contrib/ssh-copy-id.1 b/crypto/openssh/contrib/ssh-copy-id.1
new file mode 100644
index 000000000000..b331fa149e9e
--- /dev/null
+++ b/crypto/openssh/contrib/ssh-copy-id.1
@@ -0,0 +1,67 @@
+.ig \" -*- nroff -*-
+Copyright (c) 1999 Philip Hands Computing <http://www.hands.com/>
+
+Permission is granted to make and distribute verbatim copies of
+this manual provided the copyright notice and this permission notice
+are preserved on all copies.
+
+Permission is granted to copy and distribute modified versions of this
+manual under the conditions for verbatim copying, provided that the
+entire resulting derived work is distributed under the terms of a
+permission notice identical to this one.
+
+Permission is granted to copy and distribute translations of this
+manual into another language, under the above conditions for modified
+versions, except that this permission notice may be included in
+translations approved by the Free Software Foundation instead of in
+the original English.
+..
+.TH SSH-COPY-ID 1 "14 November 1999" "OpenSSH"
+.SH NAME
+ssh-copy-id \- install your identity.pub in a remote machine's authorized_keys
+.SH SYNOPSIS
+.B ssh-copy-id [-i [identity_file]]
+.I "[user@]machine"
+.br
+.SH DESCRIPTION
+.BR ssh-copy-id
+is a script that uses ssh to log into a remote machine (presumably
+using a login password, so password authentication should be enabled,
+unless you've done some clever use of multiple identities)
+.PP
+It also changes the permissions of the remote user's home,
+.BR ~/.ssh ,
+and
+.B ~/.ssh/authorized_keys
+to remove group writability (which would otherwise prevent you from logging in, if the remote
+.B sshd
+has
+.B StrictModes
+set in its configuration).
+.PP
+If the
+.B -i
+option is given then the identity file (defaults to
+.BR ~/.ssh/identity.pub )
+is used, regardless of whether there are any keys in your
+.BR ssh-agent .
+Otherwise, if this:
+.PP
+.B " ssh-add -L"
+.PP
+provides any output, it uses that in preference to the identity file.
+.PP
+If the
+.B -i
+option is used, or the
+.B ssh-add
+produced no output, then it uses the contents of the identity
+file. Once it has one or more fingerprints (by whatever means) it
+uses ssh to append them to
+.B ~/.ssh/authorized_keys
+on the remote machine (creating the file, and directory, if necessary)
+
+.SH "SEE ALSO"
+.BR ssh (1),
+.BR ssh-agent (1),
+.BR sshd (8)
diff --git a/crypto/openssh/contrib/sshd.pam.freebsd b/crypto/openssh/contrib/sshd.pam.freebsd
new file mode 100644
index 000000000000..c0bc36410e40
--- /dev/null
+++ b/crypto/openssh/contrib/sshd.pam.freebsd
@@ -0,0 +1,5 @@
+sshd auth required pam_unix.so try_first_pass
+sshd account required pam_unix.so
+sshd password required pam_permit.so
+sshd session required pam_permit.so
+
diff --git a/crypto/openssh/contrib/sshd.pam.generic b/crypto/openssh/contrib/sshd.pam.generic
new file mode 100644
index 000000000000..cf5af30248a9
--- /dev/null
+++ b/crypto/openssh/contrib/sshd.pam.generic
@@ -0,0 +1,8 @@
+#%PAM-1.0
+auth required /lib/security/pam_unix.so shadow nodelay
+auth required /lib/security/pam_nologin.so
+account required /lib/security/pam_unix.so
+password required /lib/security/pam_cracklib.so
+password required /lib/security/pam_unix.so shadow nullok use_authtok
+session required /lib/security/pam_unix.so
+session required /lib/security/pam_limits.so
diff --git a/crypto/openssh/contrib/suse/openssh.spec b/crypto/openssh/contrib/suse/openssh.spec
new file mode 100644
index 000000000000..2b43d0368abd
--- /dev/null
+++ b/crypto/openssh/contrib/suse/openssh.spec
@@ -0,0 +1,199 @@
+Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
+Name: openssh
+Version: 3.8.1p1
+URL: http://www.openssh.com/
+Release: 1
+Source0: openssh-%{version}.tar.gz
+Copyright: BSD
+Group: Applications/Internet
+BuildRoot: /tmp/openssh-%{version}-buildroot
+PreReq: openssl
+Obsoletes: ssh
+#
+# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.)
+# building prerequisites -- stuff for
+# OpenSSL (openssl-devel),
+# TCP Wrappers (nkitb),
+# and Gnome (glibdev, gtkdev, and gnlibsd)
+#
+BuildPrereq: openssl
+BuildPrereq: nkitb
+BuildPrereq: glibdev
+BuildPrereq: gtkdev
+BuildPrereq: gnlibsd
+
+%description
+Ssh (Secure Shell) a program for logging into a remote machine and for
+executing commands in a remote machine. It is intended to replace
+rlogin and rsh, and provide secure encrypted communications between
+two untrusted hosts over an insecure network. X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
+up to date in terms of security and features, as well as removing all
+patented algorithms to seperate libraries (OpenSSL).
+
+This package includes all files necessary for both the OpenSSH
+client and server. Additionally, this package contains the GNOME
+passphrase dialog.
+
+%changelog
+* Mon Jun 12 2000 Damien Miller <djm@mindrot.org>
+- Glob manpages to catch compressed files
+* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
+- Updated for new location
+- Updated for new gnome-ssh-askpass build
+* Sun Dec 26 1999 Chris Saia <csaia@wtower.com>
+- Made symlink to gnome-ssh-askpass called ssh-askpass
+* Wed Nov 24 1999 Chris Saia <csaia@wtower.com>
+- Removed patches that included /etc/pam.d/sshd, /sbin/init.d/rc.sshd, and
+ /var/adm/fillup-templates/rc.config.sshd, since Damien merged these into
+ his released tarfile
+- Changed permissions on ssh_config in the install procedure to 644 from 600
+ even though it was correct in the %files section and thus right in the RPMs
+- Postinstall script for the server now only prints "Generating SSH host
+ key..." if we need to actually do this, in order to eliminate a confusing
+ message if an SSH host key is already in place
+- Marked all manual pages as %doc(umentation)
+* Mon Nov 22 1999 Chris Saia <csaia@wtower.com>
+- Added flag to configure daemon with TCP Wrappers support
+- Added building prerequisites (works in RPM 3.0 and newer)
+* Thu Nov 18 1999 Chris Saia <csaia@wtower.com>
+- Made this package correct for SuSE.
+- Changed instances of pam_pwdb.so to pam_unix.so, since it works more properly
+ with SuSE, and lib_pwdb.so isn't installed by default.
+* Mon Nov 15 1999 Damien Miller <djm@mindrot.org>
+- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com>
+* Sat Nov 13 1999 Damien Miller <djm@mindrot.org>
+- Added 'Obsoletes' directives
+* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au>
+- Use make install
+- Subpackages
+* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au>
+- Added links for slogin
+- Fixed perms on manpages
+* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au>
+- Renamed init script
+* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au>
+- Back to old binary names
+* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au>
+- Use autoconf
+- New binary names
+* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au>
+- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec.
+
+%prep
+
+%setup -q
+
+%build
+CFLAGS="$RPM_OPT_FLAGS" \
+./configure --prefix=/usr \
+ --sysconfdir=/etc/ssh \
+ --datadir=/usr/share/openssh \
+ --with-pam \
+ --with-gnome-askpass \
+ --with-tcp-wrappers \
+ --with-ipv4-default \
+ --libexecdir=/usr/lib/ssh
+make
+
+cd contrib
+gcc -O -g `gnome-config --cflags gnome gnomeui` \
+ gnome-ssh-askpass.c -o gnome-ssh-askpass \
+ `gnome-config --libs gnome gnomeui`
+cd ..
+
+%install
+rm -rf $RPM_BUILD_ROOT
+make install DESTDIR=$RPM_BUILD_ROOT/
+install -d $RPM_BUILD_ROOT/etc/ssh/
+install -d $RPM_BUILD_ROOT/etc/pam.d/
+install -d $RPM_BUILD_ROOT/sbin/init.d/
+install -d $RPM_BUILD_ROOT/var/adm/fillup-templates
+install -d $RPM_BUILD_ROOT/usr/lib/ssh
+install -m644 contrib/sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd
+install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/sbin/init.d/sshd
+ln -s ../../sbin/init.d/sshd $RPM_BUILD_ROOT/usr/sbin/rcsshd
+install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT/usr/lib/ssh/gnome-ssh-askpass
+ln -s gnome-ssh-askpass $RPM_BUILD_ROOT/usr/lib/ssh/ssh-askpass
+install -m744 contrib/suse/rc.config.sshd \
+ $RPM_BUILD_ROOT/var/adm/fillup-templates
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+if [ "$1" = 1 ]; then
+ echo "Creating SSH stop/start scripts in the rc directories..."
+ ln -s ../sshd /sbin/init.d/rc2.d/K20sshd
+ ln -s ../sshd /sbin/init.d/rc2.d/S20sshd
+ ln -s ../sshd /sbin/init.d/rc3.d/K20sshd
+ ln -s ../sshd /sbin/init.d/rc3.d/S20sshd
+fi
+echo "Updating /etc/rc.config..."
+if [ -x /bin/fillup ] ; then
+ /bin/fillup -q -d = etc/rc.config var/adm/fillup-templates/rc.config.sshd
+else
+ echo "ERROR: fillup not found. This should NOT happen in SuSE Linux."
+ echo "Update /etc/rc.config by hand from the following template file:"
+ echo " /var/adm/fillup-templates/rc.config.sshd"
+fi
+if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then
+ echo "Generating SSH host key..."
+ /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2
+fi
+if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then
+ echo "Generating SSH DSA host key..."
+ /usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N '' >&2
+fi
+if test -r /var/run/sshd.pid
+then
+ echo "Restarting the running SSH daemon..."
+ /usr/sbin/rcsshd restart >&2
+fi
+
+%preun
+if [ "$1" = 0 ]
+then
+ echo "Stopping the SSH daemon..."
+ /usr/sbin/rcsshd stop >&2
+ echo "Removing SSH stop/start scripts from the rc directories..."
+ rm /sbin/init.d/rc2.d/K20sshd
+ rm /sbin/init.d/rc2.d/S20sshd
+ rm /sbin/init.d/rc3.d/K20sshd
+ rm /sbin/init.d/rc3.d/S20sshd
+fi
+
+%files
+%defattr(-,root,root)
+%doc ChangeLog OVERVIEW README*
+%doc RFC.nroff TODO CREDITS LICENCE
+%attr(0755,root,root) %dir /etc/ssh
+%attr(0644,root,root) %config /etc/ssh/ssh_config
+%attr(0600,root,root) %config /etc/ssh/sshd_config
+%attr(0600,root,root) %config /etc/ssh/moduli
+%attr(0644,root,root) %config /etc/pam.d/sshd
+%attr(0755,root,root) %config /sbin/init.d/sshd
+%attr(0755,root,root) /usr/bin/ssh-keygen
+%attr(0755,root,root) /usr/bin/scp
+%attr(4755,root,root) /usr/bin/ssh
+%attr(-,root,root) /usr/bin/slogin
+%attr(0755,root,root) /usr/bin/ssh-agent
+%attr(0755,root,root) /usr/bin/ssh-add
+%attr(0755,root,root) /usr/bin/ssh-keyscan
+%attr(0755,root,root) /usr/bin/sftp
+%attr(0755,root,root) /usr/sbin/sshd
+%attr(-,root,root) /usr/sbin/rcsshd
+%attr(0755,root,root) %dir /usr/lib/ssh
+%attr(0755,root,root) /usr/lib/ssh/ssh-askpass
+%attr(0755,root,root) /usr/lib/ssh/gnome-ssh-askpass
+%attr(0644,root,root) %doc /usr/man/man1/scp.1*
+%attr(0644,root,root) %doc /usr/man/man1/ssh.1*
+%attr(-,root,root) %doc /usr/man/man1/slogin.1*
+%attr(0644,root,root) %doc /usr/man/man1/ssh-agent.1*
+%attr(0644,root,root) %doc /usr/man/man1/ssh-add.1*
+%attr(0644,root,root) %doc /usr/man/man1/ssh-keygen.1*
+%attr(0644,root,root) %doc /usr/man/man8/sshd.8*
+%attr(0644,root,root) /var/adm/fillup-templates/rc.config.sshd
+
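Review bot: `%attr(4755,root,root) /usr/bin/ssh` installs the client set-uid root; with 3.8.1p1 host-based authentication goes through the separate ssh-keysign helper, so the set-uid bit on the client is only needed for protocol-1 rhosts-RSA, and `%attr(0755,root,root) /usr/bin/ssh` removes a root-privileged binary from every user's path. The `%post` script also generates only an RSA1 `ssh_host_key` and a DSA key, so a protocol-2 client offering RSA will find no `ssh_host_rsa_key`; a third guarded block running `/usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' >&2` would match the shipped default HostKey set. The `fillup` invocation passes `etc/rc.config` and `var/adm/fillup-templates/rc.config.sshd` as relative paths, which presumably only works because RPM runs scriptlets from `/`; spelling them absolute costs nothing and survives a changed working directory.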
diff --git a/crypto/openssh/contrib/suse/rc.config.sshd b/crypto/openssh/contrib/suse/rc.config.sshd
new file mode 100644
index 000000000000..baaa7a5a1f44
--- /dev/null
+++ b/crypto/openssh/contrib/suse/rc.config.sshd
@@ -0,0 +1,5 @@
+#
+# Start the Secure Shell (SSH) Daemon?
+#
+START_SSHD="yes"
+
diff --git a/crypto/openssh/contrib/suse/rc.sshd b/crypto/openssh/contrib/suse/rc.sshd
new file mode 100644
index 000000000000..f7d431ebbc1b
--- /dev/null
+++ b/crypto/openssh/contrib/suse/rc.sshd
@@ -0,0 +1,80 @@
+#! /bin/sh
+# Copyright (c) 1995-1998 SuSE GmbH Nuernberg, Germany.
+#
+# Author: Chris Saia <csaia@wtower.com>
+#
+# /sbin/init.d/sshd
+#
+# and symbolic its link
+#
+# /sbin/rcsshd
+#
+
+. /etc/rc.config
+
+# Determine the base and follow a runlevel link name.
+base=${0##*/}
+link=${base#*[SK][0-9][0-9]}
+
+# Force execution if not called by a runlevel directory.
+test $link = $base && START_SSHD=yes
+test "$START_SSHD" = yes || exit 0
+
+# The echo return value for success (defined in /etc/rc.config).
+return=$rc_done
+case "$1" in
+ start)
+ echo -n "Starting service sshd"
+ ## Start daemon with startproc(8). If this fails
+ ## the echo return value is set appropriate.
+
+ startproc /usr/sbin/sshd || return=$rc_failed
+
+ echo -e "$return"
+ ;;
+ stop)
+ echo -n "Stopping service sshd"
+ ## Stop daemon with killproc(8) and if this fails
+ ## set echo the echo return value.
+
+ killproc -TERM /usr/sbin/sshd || return=$rc_failed
+
+ echo -e "$return"
+ ;;
+ restart)
+ ## If first returns OK call the second, if first or
+ ## second command fails, set echo return value.
+ $0 stop && $0 start || return=$rc_failed
+ ;;
+ reload)
+ ## Choose ONE of the following two cases:
+
+ ## First possibility: A few services accepts a signal
+ ## to reread the (changed) configuration.
+
+ echo -n "Reload service sshd"
+ killproc -HUP /usr/sbin/sshd || return=$rc_failed
+ echo -e "$return"
+ ;;
+ status)
+ echo -n "Checking for service sshd"
+ ## Check status with checkproc(8), if process is running
+ ## checkproc will return with exit status 0.
+
+ checkproc /usr/sbin/sshd && echo OK || echo No process
+ ;;
+ probe)
+ ## Optional: Probe for the necessity of a reload,
+ ## give out the argument which is required for a reload.
+
+ test /etc/ssh/sshd_config -nt /var/run/sshd.pid && echo reload
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|restart|reload[|probe]}"
+ exit 1
+ ;;
+esac
+
+# Inform the caller not only verbosely and set an exit status.
+test "$return" = "$rc_done" || exit 1
+exit 0
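Review bot: The `status` branch never sets `return=$rc_failed`, so the script exits 0 even when `checkproc` reports no running sshd, and a caller that scripts `rcsshd status` cannot tell the two outcomes apart. `checkproc /usr/sbin/sshd && echo OK || { echo No process; return=$rc_failed; }` keeps the output and fixes the exit status. `test $link = $base` should also quote both operands, as the next line already does for `$START_SSHD`.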
diff --git a/crypto/openssh/defines.h b/crypto/openssh/defines.h
index 5e1cac7bcc79..9b72afecb43c 100644
--- a/crypto/openssh/defines.h
+++ b/crypto/openssh/defines.h
@@ -25,7 +25,7 @@
#ifndef _DEFINES_H
#define _DEFINES_H
-/* $Id: defines.h,v 1.110 2004/02/10 02:01:14 dtucker Exp $ */
+/* $Id: defines.h,v 1.115 2004/04/14 07:24:30 dtucker Exp $ */
/* Constants */
@@ -507,6 +507,10 @@ struct winsize {
# undef HAVE_GAI_STRERROR
#endif
+#if defined(BROKEN_UPDWTMPX) && defined(HAVE_UPDWTMPX)
+# undef HAVE_UPDWTMPX
+#endif
+
#if !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY)
# define memmove(s1, s2, n) bcopy((s2), (s1), (n))
#endif /* !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) */
@@ -534,6 +538,12 @@ struct winsize {
# define krb5_get_err_text(context,code) error_message(code)
#endif
+#if defined(SKEYCHALLENGE_4ARG)
+# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c,d)
+#else
+# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c)
+#endif
+
/* Maximum number of file descriptors available */
#ifdef HAVE_SYSCONF
# define SSH_SYSFDMAX sysconf(_SC_OPEN_MAX)
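Review bot: `_compat_skeychallenge` silently discards its fourth argument when SKEYCHALLENGE_4ARG is not defined, so a caller passing `sizeof(challenge)` (as monitor.c now does) gets no bounds protection on platforms whose `skeychallenge()` takes three arguments and writes into the buffer without a length. A comment should make that visible, e.g. `/* 3-arg skeychallenge() is unbounded: size the buffer for the library's own maximum challenge length; the length passed here is dropped. */`. A name beginning with an underscore also lands in the identifier space C reserves for the implementation; `compat_skeychallenge` avoids the question.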
@@ -611,11 +621,22 @@ struct winsize {
#endif
+#ifndef UT_LINESIZE
+# define UT_LINESIZE 8
+#endif
+
/* I hope that the presence of LASTLOG_FILE is enough to detect this */
#if defined(LASTLOG_FILE) && !defined(DISABLE_LASTLOG)
# define USE_LASTLOG
#endif
+#ifdef HAVE_OSF_SIA
+# ifdef USE_SHADOW
+# undef USE_SHADOW
+# endif
+# define CUSTOM_SYS_AUTH_PASSWD 1
+#endif
+
/** end of login recorder definitions */
#endif /* _DEFINES_H */
diff --git a/crypto/openssh/dh.c b/crypto/openssh/dh.c
index c7a3e18be82a..afd1e05d0011 100644
--- a/crypto/openssh/dh.c
+++ b/crypto/openssh/dh.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: dh.c,v 1.26 2003/12/16 15:51:54 markus Exp $");
+RCSID("$OpenBSD: dh.c,v 1.29 2004/02/27 22:49:27 dtucker Exp $");
#include "xmalloc.h"
@@ -91,6 +91,9 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg)
if (BN_num_bits(dhg->p) != dhg->size)
goto failclean;
+ if (BN_is_zero(dhg->g) || BN_is_one(dhg->g))
+ goto failclean;
+
return (1);
failclean:
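Review bot: The new generator check rejects 0 and 1 but still accepts a `g` that is not below `p`, so a moduli line with `g >= p` passes parse_prime and is only caught, if at all, by the later DH arithmetic. Extending the condition to `if (BN_is_zero(dhg->g) || BN_is_one(dhg->g) || BN_cmp(dhg->g, dhg->p) >= 0)` keeps the validation in one place. parse_prime starts before this hunk, so I cannot see whether an earlier range check on `g` already exists.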
@@ -105,7 +108,7 @@ DH *
choose_dh(int min, int wantbits, int max)
{
FILE *f;
- char line[2048];
+ char line[4096];
int best, bestcount, which;
int linenum;
struct dhgroup dhg;
@@ -194,7 +197,7 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
void
dh_gen_key(DH *dh, int need)
{
- int i, bits_set = 0, tries = 0;
+ int i, bits_set, tries = 0;
if (dh->p == NULL)
fatal("dh_gen_key: dh->p == NULL");
@@ -211,7 +214,7 @@ dh_gen_key(DH *dh, int need)
fatal("dh_gen_key: BN_rand failed");
if (DH_generate_key(dh) == 0)
fatal("DH_generate_key");
- for (i = 0; i <= BN_num_bits(dh->priv_key); i++)
+ for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++)
if (BN_is_bit_set(dh->priv_key, i))
bits_set++;
debug2("dh_gen_key: priv key bits set: %d/%d",
diff --git a/crypto/openssh/gss-serv-krb5.c b/crypto/openssh/gss-serv-krb5.c
index 8ba3e7182a73..4e3598ead1e9 100644
--- a/crypto/openssh/gss-serv-krb5.c
+++ b/crypto/openssh/gss-serv-krb5.c
@@ -65,7 +65,9 @@ ssh_gssapi_krb5_init()
logit("Cannot initialize krb5 context");
return 0;
}
+#ifdef KRB5_INIT_ETS
krb5_init_ets(krb_context);
+#endif
return 1;
}
diff --git a/crypto/openssh/loginrec.c b/crypto/openssh/loginrec.c
index 71dbaea15d67..b74d412e6dfb 100644
--- a/crypto/openssh/loginrec.c
+++ b/crypto/openssh/loginrec.c
@@ -158,7 +158,7 @@
#include "log.h"
#include "atomicio.h"
-RCSID("$Id: loginrec.c,v 1.54 2004/02/10 05:49:35 dtucker Exp $");
+RCSID("$Id: loginrec.c,v 1.56 2004/04/08 06:16:06 dtucker Exp $");
#ifdef HAVE_UTIL_H
# include <util.h>
@@ -1354,7 +1354,7 @@ static int
syslogin_perform_logout(struct logininfo *li)
{
# ifdef HAVE_LOGOUT
- char line[8];
+ char line[UT_LINESIZE];
(void)line_stripname(line, li->line, sizeof(line));
diff --git a/crypto/openssh/monitor.c b/crypto/openssh/monitor.c
index 009dcf18256b..9c30c1c390e0 100644
--- a/crypto/openssh/monitor.c
+++ b/crypto/openssh/monitor.c
@@ -37,7 +37,13 @@ RCSID("$OpenBSD: monitor.c,v 1.55 2004/02/05 05:37:17 dtucker Exp $");
#include "auth.h"
#include "kex.h"
#include "dh.h"
+#ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */
+#undef TARGET_OS_MAC
#include "zlib.h"
+#define TARGET_OS_MAC 1
+#else
+#include "zlib.h"
+#endif
#include "packet.h"
#include "auth-options.h"
#include "sshpty.h"
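Review bot: The `#ifdef TARGET_OS_MAC` / `#undef` / re-`#define` sequence around `#include "zlib.h"` is duplicated verbatim in monitor_wrap.c in this same commit, and any further file that includes zlib.h after the krb5 headers will need a third copy. A single wrapper header that includes zlib.h with the macro temporarily undefined, included from both places, keeps the workaround in one spot. The comment should also state what in the krb5 headers conflicts, since `/* XXX Broken krb5 headers on Mac */` leaves the next reader to rediscover it.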
@@ -738,7 +744,8 @@ mm_answer_skeyquery(int socket, Buffer *m)
char challenge[1024];
u_int success;
- success = skeychallenge(&skey, authctxt->user, challenge) < 0 ? 0 : 1;
+ success = _compat_skeychallenge(&skey, authctxt->user, challenge,
+ sizeof(challenge)) < 0 ? 0 : 1;
buffer_clear(m);
buffer_put_int(m, success);
@@ -782,16 +789,10 @@ mm_answer_skeyrespond(int socket, Buffer *m)
int
mm_answer_pam_start(int socket, Buffer *m)
{
- char *user;
-
if (!options.use_pam)
fatal("UsePAM not set, but ended up in %s anyway", __func__);
- user = buffer_get_string(m, NULL);
-
- start_pam(user);
-
- xfree(user);
+ start_pam(authctxt);
monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
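Review bot: mm_answer_pam_start now takes the user from `authctxt` (presumably the monitor-side context) instead of a string read from the request buffer, which is a meaningful hardening: the privileged side no longer lets the unprivileged child choose which account PAM is started for. That reasoning is not recorded anywhere in the hunk; a comment above `start_pam(authctxt);` such as `/* Use the monitor's own authctxt, never a name from the child's request, so a compromised child cannot pick the PAM account. */` would keep a future change from reintroducing `buffer_get_string`. The now-unused `m` parameter is presumably retained for the dispatch-table signature and deserves a `(void)m;` or a note if the build warns on unused parameters. mm_answer_pam_start continues past this hunk.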
diff --git a/crypto/openssh/monitor_wrap.c b/crypto/openssh/monitor_wrap.c
index e7c15cecd54f..ee2dc20270be 100644
--- a/crypto/openssh/monitor_wrap.c
+++ b/crypto/openssh/monitor_wrap.c
@@ -40,7 +40,13 @@ RCSID("$OpenBSD: monitor_wrap.c,v 1.35 2003/11/17 11:06:07 markus Exp $");
#include "packet.h"
#include "mac.h"
#include "log.h"
+#ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */
+#undef TARGET_OS_MAC
#include "zlib.h"
+#define TARGET_OS_MAC 1
+#else
+#include "zlib.h"
+#endif
#include "monitor.h"
#include "monitor_wrap.h"
#include "xmalloc.h"
@@ -686,7 +692,7 @@ mm_session_pty_cleanup2(Session *s)
#ifdef USE_PAM
void
-mm_start_pam(char *user)
+mm_start_pam(Authctxt *authctxt)
{
Buffer m;
@@ -695,8 +701,6 @@ mm_start_pam(char *user)
fatal("UsePAM=no, but ended up in %s anyway", __func__);
buffer_init(&m);
- buffer_put_cstring(&m, user);
-
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, &m);
buffer_free(&m);
diff --git a/crypto/openssh/monitor_wrap.h b/crypto/openssh/monitor_wrap.h
index 55be10b19514..2170b13245f0 100644
--- a/crypto/openssh/monitor_wrap.h
+++ b/crypto/openssh/monitor_wrap.h
@@ -66,7 +66,7 @@ OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
#endif
#ifdef USE_PAM
-void mm_start_pam(char *);
+void mm_start_pam(struct Authctxt *);
u_int mm_do_pam_account(void);
void *mm_sshpam_init_ctx(struct Authctxt *);
int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
diff --git a/crypto/openssh/openbsd-compat/.cvsignore b/crypto/openssh/openbsd-compat/.cvsignore
new file mode 100644
index 000000000000..f3c7a7c5da68
--- /dev/null
+++ b/crypto/openssh/openbsd-compat/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/crypto/openssh/openbsd-compat/bsd-cygwin_util.c b/crypto/openssh/openbsd-compat/bsd-cygwin_util.c
index a87cf3c97bc2..92cdba6e0965 100644
--- a/crypto/openssh/openbsd-compat/bsd-cygwin_util.c
+++ b/crypto/openssh/openbsd-compat/bsd-cygwin_util.c
@@ -29,7 +29,7 @@
#include "includes.h"
-RCSID("$Id: bsd-cygwin_util.c,v 1.11 2003/08/07 06:23:43 dtucker Exp $");
+RCSID("$Id: bsd-cygwin_util.c,v 1.12 2004/04/18 11:15:45 djm Exp $");
#ifdef HAVE_CYGWIN
@@ -77,6 +77,7 @@ binary_pipe(int fd[2])
#define HAS_CREATE_TOKEN 1
#define HAS_NTSEC_BY_DEFAULT 2
+#define HAS_CREATE_TOKEN_WO_NTSEC 3
static int
has_capability(int what)
@@ -84,6 +85,7 @@ has_capability(int what)
static int inited;
static int has_create_token;
static int has_ntsec_by_default;
+ static int has_create_token_wo_ntsec;
/*
* has_capability() basically calls uname() and checks if
@@ -113,6 +115,9 @@ has_capability(int what)
has_create_token = 1;
if (api_major_version > 0 || api_minor_version >= 56)
has_ntsec_by_default = 1;
+ if (major_high > 1 ||
+ (major_high == 1 && major_low >= 5))
+ has_create_token_wo_ntsec = 1;
inited = 1;
}
}
@@ -121,6 +126,8 @@ has_capability(int what)
return (has_create_token);
case HAS_NTSEC_BY_DEFAULT:
return (has_ntsec_by_default);
+ case HAS_CREATE_TOKEN_WO_NTSEC:
+ return (has_create_token_wo_ntsec);
}
return (0);
}
@@ -151,7 +158,8 @@ check_nt_auth(int pwd_authenticated, struct passwd *pw)
if (has_capability(HAS_CREATE_TOKEN) &&
(ntsec_on(cygwin) ||
(has_capability(HAS_NTSEC_BY_DEFAULT) &&
- !ntsec_off(cygwin))))
+ !ntsec_off(cygwin)) ||
+ has_capability(HAS_CREATE_TOKEN_WO_NTSEC)))
has_create_token = 1;
}
if (has_create_token < 1 &&
diff --git a/crypto/openssh/openbsd-compat/bsd-misc.h b/crypto/openssh/openbsd-compat/bsd-misc.h
index c8073942cade..009739b14b80 100644
--- a/crypto/openssh/openbsd-compat/bsd-misc.h
+++ b/crypto/openssh/openbsd-compat/bsd-misc.h
@@ -1,4 +1,4 @@
-/* $Id: bsd-misc.h,v 1.14 2004/02/17 05:49:55 djm Exp $ */
+/* $Id: bsd-misc.h,v 1.15 2004/03/08 11:59:03 dtucker Exp $ */
/*
* Copyright (c) 1999-2004 Damien Miller <djm@mindrot.org>
@@ -89,6 +89,10 @@ pid_t tcgetpgrp(int);
int tcsendbreak(int, int);
#endif
+#ifndef HAVE_UNSETENV
+void unsetenv(const char *);
+#endif
+
/* wrapper for signal interface */
typedef void (*mysig_t)(int);
mysig_t mysignal(int sig, mysig_t act);
diff --git a/crypto/openssh/openbsd-compat/fake-rfc2553.h b/crypto/openssh/openbsd-compat/fake-rfc2553.h
index eb88605fa9a9..baea07038001 100644
--- a/crypto/openssh/openbsd-compat/fake-rfc2553.h
+++ b/crypto/openssh/openbsd-compat/fake-rfc2553.h
@@ -1,4 +1,4 @@
-/* $Id: fake-rfc2553.h,v 1.8 2004/02/10 02:05:41 dtucker Exp $ */
+/* $Id: fake-rfc2553.h,v 1.9 2004/03/10 10:06:33 dtucker Exp $ */
/*
* Copyright (C) 2000-2003 Damien Miller. All rights reserved.
@@ -133,6 +133,9 @@ struct addrinfo {
#endif /* !HAVE_STRUCT_ADDRINFO */
#ifndef HAVE_GETADDRINFO
+#ifdef getaddrinfo
+# undef getaddrinfo
+#endif
#define getaddrinfo(a,b,c,d) (ssh_getaddrinfo(a,b,c,d))
int getaddrinfo(const char *, const char *,
const struct addrinfo *, struct addrinfo **);
diff --git a/crypto/openssh/openbsd-compat/setenv.c b/crypto/openssh/openbsd-compat/setenv.c
index b7ba0ce83b89..c3a86c651cbc 100644
--- a/crypto/openssh/openbsd-compat/setenv.c
+++ b/crypto/openssh/openbsd-compat/setenv.c
@@ -30,7 +30,7 @@
*/
#include "includes.h"
-#ifndef HAVE_SETENV
+#if !defined(HAVE_SETENV) || !defined(HAVE_UNSETENV)
#if defined(LIBC_SCCS) && !defined(lint)
static char *rcsid = "$OpenBSD: setenv.c,v 1.6 2003/06/02 20:18:38 millert Exp $";
@@ -77,6 +77,7 @@ __findenv(name, offset)
return (NULL);
}
+#ifndef HAVE_SETENV
/*
* setenv --
* Set the value of the environmental variable "name" to be
@@ -138,7 +139,9 @@ setenv(name, value, rewrite)
;
return (0);
}
+#endif /* HAVE_SETENV */
+#ifndef HAVE_UNSETENV
/*
* unsetenv(name) --
* Delete environmental variable "name".
@@ -157,5 +160,6 @@ unsetenv(name)
if (!(*P = *(P + 1)))
break;
}
+#endif /* HAVE_UNSETENV */
-#endif /* HAVE_SETENV */
+#endif /* !defined(HAVE_SETENV) || !defined(HAVE_UNSETENV) */
diff --git a/crypto/openssh/openbsd-compat/xcrypt.c b/crypto/openssh/openbsd-compat/xcrypt.c
index a0fe6c62009d..c3cea3c86893 100644
--- a/crypto/openssh/openbsd-compat/xcrypt.c
+++ b/crypto/openssh/openbsd-compat/xcrypt.c
@@ -24,8 +24,6 @@
#include "includes.h"
-#if !defined(HAVE_OSF_SIA)
-
# ifdef HAVE_CRYPT_H
# include <crypt.h>
# endif
@@ -108,5 +106,3 @@ shadow_pw(struct passwd *pw)
return pw_password;
}
-
-#endif /* !defined(HAVE_OSF_SIA) */
diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c
index 2591e0dba090..ce0d1f7532b2 100644
--- a/crypto/openssh/readconf.c
+++ b/crypto/openssh/readconf.c
@@ -12,7 +12,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.127 2003/12/16 15:49:51 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.128 2004/03/05 10:53:58 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
@@ -105,7 +105,7 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
- oServerAliveInterval, oServerAliveCountMax,
+ oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oDeprecated, oUnsupported
} OpCodes;
@@ -147,6 +147,7 @@ static struct {
{ "usersh", oDeprecated },
{ "identityfile", oIdentityFile },
{ "identityfile2", oIdentityFile }, /* alias */
+ { "identitiesonly", oIdentitiesOnly },
{ "hostname", oHostName },
{ "hostkeyalias", oHostKeyAlias },
{ "proxycommand", oProxyCommand },
@@ -736,6 +737,10 @@ parse_int:
intptr = &options->enable_ssh_keysign;
goto parse_flag;
+ case oIdentitiesOnly:
+ intptr = &options->identities_only;
+ goto parse_flag;
+
case oServerAliveInterval:
intptr = &options->server_alive_interval;
goto parse_time;
@@ -869,6 +874,7 @@ initialize_options(Options * options)
options->smartcard_device = NULL;
options->enable_ssh_keysign = - 1;
options->no_host_authentication_for_localhost = - 1;
+ options->identities_only = - 1;
options->rekey_limit = - 1;
options->verify_host_key_dns = -1;
options->server_alive_interval = -1;
@@ -981,6 +987,8 @@ fill_default_options(Options * options)
clear_forwardings(options);
if (options->no_host_authentication_for_localhost == - 1)
options->no_host_authentication_for_localhost = 0;
+ if (options->identities_only == -1)
+ options->identities_only = 0;
if (options->enable_ssh_keysign == -1)
options->enable_ssh_keysign = 0;
if (options->rekey_limit == -1)
diff --git a/crypto/openssh/readconf.h b/crypto/openssh/readconf.h
index 3f27af9616a0..93d833cee3dc 100644
--- a/crypto/openssh/readconf.h
+++ b/crypto/openssh/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.59 2003/12/16 15:49:51 markus Exp $ */
+/* $OpenBSD: readconf.h,v 1.60 2004/03/05 10:53:58 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -100,6 +100,7 @@ typedef struct {
int enable_ssh_keysign;
int rekey_limit;
int no_host_authentication_for_localhost;
+ int identities_only;
int server_alive_interval;
int server_alive_count_max;
} Options;
diff --git a/crypto/openssh/regress/Makefile b/crypto/openssh/regress/Makefile
index 76e28d36d45b..cf65b36303d2 100644
--- a/crypto/openssh/regress/Makefile
+++ b/crypto/openssh/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.26 2003/10/11 11:49:49 dtucker Exp $
+# $OpenBSD: Makefile,v 1.27 2004/02/17 08:23:20 dtucker Exp $
REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec
tests: $(REGRESS_TARGETS)
@@ -21,6 +21,7 @@ LTESTS= connect \
broken-pipe \
try-ciphers \
yes-head \
+ login-timeout \
agent \
agent-getpeereid \
agent-timeout \
diff --git a/crypto/openssh/regress/README.regress b/crypto/openssh/regress/README.regress
index b479c6c07934..6ff032b684d8 100644
--- a/crypto/openssh/regress/README.regress
+++ b/crypto/openssh/regress/README.regress
@@ -90,5 +90,8 @@ Known Issues.
fail (because it's not a tcp socket) and will be identified as
"unknown", which is then checked against tcpwrappers.
+- If your build requires ssh-rand-helper regress tests will fail
+ unless ssh-rand-helper is in pre-installed (the path to
+ ssh-rand-helper is hard coded).
-$Id: README.regress,v 1.3 2004/01/28 01:26:14 dtucker Exp $
+$Id: README.regress,v 1.4 2004/03/08 20:12:18 tim Exp $
diff --git a/crypto/openssh/regress/dynamic-forward.sh b/crypto/openssh/regress/dynamic-forward.sh
index 2b0b825d0d6e..3a6e5c1efb50 100644
--- a/crypto/openssh/regress/dynamic-forward.sh
+++ b/crypto/openssh/regress/dynamic-forward.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: dynamic-forward.sh,v 1.2 2003/07/03 08:21:46 markus Exp $
+# $OpenBSD: dynamic-forward.sh,v 1.3 2004/02/28 12:16:57 dtucker Exp $
# Placed in the Public Domain.
tid="dynamic forwarding"
@@ -7,7 +7,7 @@ PORT=4242
FWDPORT=4243
DATA=/bin/ls${EXEEXT}
-if have_prog nc && nc -h 2>&1 | grep "x proxy address" >/dev/null; then
+if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then
proxycmd="nc -x 127.0.0.1:$FWDPORT -X"
elif have_prog connect; then
proxycmd="connect -S 127.0.0.1:$FWDPORT -"
diff --git a/crypto/openssh/regress/login-timeout.sh b/crypto/openssh/regress/login-timeout.sh
new file mode 100644
index 000000000000..dfc6e6b4485a
--- /dev/null
+++ b/crypto/openssh/regress/login-timeout.sh
@@ -0,0 +1,29 @@
+# $OpenBSD: login-timeout.sh,v 1.1 2004/02/17 08:23:20 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="connect after login grace timeout"
+
+trace "test login grace with privsep"
+echo "LoginGraceTime 10s" >> $OBJ/sshd_config
+echo "MaxStartups 1" >> $OBJ/sshd_config
+start_sshd
+
+(echo SSH-2.0-fake; sleep 60) | telnet localhost ${PORT} >/dev/null 2>&1 &
+sleep 15
+${SSH} -F $OBJ/ssh_config somehost true
+if [ $? -ne 0 ]; then
+ fail "ssh connect after login grace timeout failed with privsep"
+fi
+
+kill `cat $PIDFILE`
+
+trace "test login grace without privsep"
+echo "UsePrivilegeSeparation no" >> $OBJ/sshd_config
+start_sshd
+
+(echo SSH-2.0-fake; sleep 60) | telnet localhost ${PORT} >/dev/null 2>&1 &
+sleep 15
+${SSH} -F $OBJ/ssh_config somehost true
+if [ $? -ne 0 ]; then
+ fail "ssh connect after login grace timeout failed without privsep"
+fi
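Review bot: Each `(echo SSH-2.0-fake; sleep 60) | telnet ... &` job is left running when its half of the test finishes: the first one is still sleeping while the second sshd starts, and neither is killed at the end, so the script can outlive the harness by up to a minute and leave stray telnet processes behind. Capturing the job with `tpid=$!` after each `&` and adding `kill $tpid` beside `kill \`cat $PIDFILE\`` (and again after the second check) cleans this up. The test also assumes `telnet` is installed, unlike dynamic-forward.sh which probes with `have_prog`; a `have_prog telnet || fail "telnet not found"` guard at the top would give a clearer failure on hosts without it.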
diff --git a/crypto/openssh/regress/sftp-cmds.sh b/crypto/openssh/regress/sftp-cmds.sh
index 3669b19ff134..31b21d1f2aca 100644
--- a/crypto/openssh/regress/sftp-cmds.sh
+++ b/crypto/openssh/regress/sftp-cmds.sh
@@ -85,6 +85,7 @@ echo "get \"$DATA\" $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
|| fail "get failed"
cmp $DATA ${COPY} || fail "corrupted copy after get"
+if [ "$os" != "cygwin" ]; then
rm -f ${QUOTECOPY}
cp $DATA ${QUOTECOPY}
verbose "$tid: get filename with quotes"
@@ -92,6 +93,7 @@ echo "get \"$QUOTECOPY_ARG\" ${COPY}" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1
|| fail "put failed"
cmp ${COPY} ${QUOTECOPY} || fail "corrupted copy after get with quotes"
rm -f ${QUOTECOPY} ${COPY}
+fi
rm -f ${COPY}.dd/*
verbose "$tid: get to directory"
diff --git a/crypto/openssh/regress/ssh-com-client.sh b/crypto/openssh/regress/ssh-com-client.sh
index fc953228e893..324a0a723172 100644
--- a/crypto/openssh/regress/ssh-com-client.sh
+++ b/crypto/openssh/regress/ssh-com-client.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: ssh-com-client.sh,v 1.5 2003/05/14 22:08:27 markus Exp $
+# $OpenBSD: ssh-com-client.sh,v 1.6 2004/02/24 17:06:52 markus Exp $
# Placed in the Public Domain.
tid="connect with ssh.com client"
@@ -19,6 +19,9 @@ VERSIONS="
3.2.0
3.2.2
3.2.3
+ 3.2.5
+ 3.2.9
+ 3.2.9.1
3.3.0"
# 2.0.10 2.0.12 2.0.13 don't like the test setup
diff --git a/crypto/openssh/regress/ssh-com-keygen.sh b/crypto/openssh/regress/ssh-com-keygen.sh
index dbe9b0a6b022..29b02d94617f 100644
--- a/crypto/openssh/regress/ssh-com-keygen.sh
+++ b/crypto/openssh/regress/ssh-com-keygen.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: ssh-com-keygen.sh,v 1.3 2003/05/14 22:08:27 markus Exp $
+# $OpenBSD: ssh-com-keygen.sh,v 1.4 2004/02/24 17:06:52 markus Exp $
# Placed in the Public Domain.
tid="ssh.com key import"
@@ -22,6 +22,9 @@ VERSIONS="
3.2.0
3.2.2
3.2.3
+ 3.2.5
+ 3.2.9
+ 3.2.9.1
3.3.0"
COMPRV=${OBJ}/comkey
diff --git a/crypto/openssh/regress/ssh-com-sftp.sh b/crypto/openssh/regress/ssh-com-sftp.sh
index 6ca7dad51604..936b4cca7f46 100644
--- a/crypto/openssh/regress/ssh-com-sftp.sh
+++ b/crypto/openssh/regress/ssh-com-sftp.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: ssh-com-sftp.sh,v 1.4 2003/05/14 22:08:27 markus Exp $
+# $OpenBSD: ssh-com-sftp.sh,v 1.5 2004/02/24 17:06:52 markus Exp $
# Placed in the Public Domain.
tid="basic sftp put/get with ssh.com server"
@@ -35,6 +35,9 @@ VERSIONS="
3.2.0
3.2.2
3.2.3
+ 3.2.5
+ 3.2.9
+ 3.2.9.1
3.3.0"
# go for it
diff --git a/crypto/openssh/regress/ssh-com.sh b/crypto/openssh/regress/ssh-com.sh
index c3715a2429a4..7bcd85b65c12 100644
--- a/crypto/openssh/regress/ssh-com.sh
+++ b/crypto/openssh/regress/ssh-com.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: ssh-com.sh,v 1.6 2003/11/07 10:16:44 jmc Exp $
+# $OpenBSD: ssh-com.sh,v 1.7 2004/02/24 17:06:52 markus Exp $
# Placed in the Public Domain.
tid="connect to ssh.com server"
@@ -20,6 +20,9 @@ VERSIONS="
3.2.0
3.2.2
3.2.3
+ 3.2.5
+ 3.2.9
+ 3.2.9.1
3.3.0"
# 2.0.10 does not support UserConfigDirectory
# 2.3.1 requires a config in $HOME/.ssh2
diff --git a/crypto/openssh/regress/test-exec.sh b/crypto/openssh/regress/test-exec.sh
index 98851dc97424..986d992872d9 100644
--- a/crypto/openssh/regress/test-exec.sh
+++ b/crypto/openssh/regress/test-exec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: test-exec.sh,v 1.14 2002/04/15 15:19:48 markus Exp $
+# $OpenBSD: test-exec.sh,v 1.15 2004/02/24 16:56:30 markus Exp $
# Placed in the Public Domain.
PORT=4242
@@ -49,28 +49,28 @@ SFTP=sftp
SFTPSERVER=/usr/libexec/openssh/sftp-server
if [ "x$TEST_SSH_SSH" != "x" ]; then
- SSH=${TEST_SSH_SSH}
+ SSH="${TEST_SSH_SSH}"
fi
if [ "x$TEST_SSH_SSHD" != "x" ]; then
- SSHD=${TEST_SSH_SSHD}
+ SSHD="${TEST_SSH_SSHD}"
fi
if [ "x$TEST_SSH_SSHAGENT" != "x" ]; then
- SSHAGENT=${TEST_SSH_SSHAGENT}
+ SSHAGENT="${TEST_SSH_SSHAGENT}"
fi
if [ "x$TEST_SSH_SSHADD" != "x" ]; then
- SSHADD=${TEST_SSH_SSHADD}
+ SSHADD="${TEST_SSH_SSHADD}"
fi
if [ "x$TEST_SSH_SSHKEYGEN" != "x" ]; then
- SSHKEYGEN=${TEST_SSH_SSHKEYGEN}
+ SSHKEYGEN="${TEST_SSH_SSHKEYGEN}"
fi
if [ "x$TEST_SSH_SSHKEYSCAN" != "x" ]; then
- SSHKEYSCAN=${TEST_SSH_SSHKEYSCAN}
+ SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}"
fi
if [ "x$TEST_SSH_SFTP" != "x" ]; then
- SFTP=${TEST_SSH_SFTP}
+ SFTP="${TEST_SSH_SFTP}"
fi
if [ "x$TEST_SSH_SFTPSERVER" != "x" ]; then
- SFTPSERVER=${TEST_SSH_SFTPSERVER}
+ SFTPSERVER="${TEST_SSH_SFTPSERVER}"
fi
# these should be used in tests
diff --git a/crypto/openssh/regress/try-ciphers.sh b/crypto/openssh/regress/try-ciphers.sh
index 2c727f66c906..15827e25040f 100644
--- a/crypto/openssh/regress/try-ciphers.sh
+++ b/crypto/openssh/regress/try-ciphers.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: try-ciphers.sh,v 1.8 2003/06/12 15:40:01 markus Exp $
+# $OpenBSD: try-ciphers.sh,v 1.9 2004/02/28 13:44:45 dtucker Exp $
# Placed in the Public Domain.
tid="try ciphers"
@@ -28,3 +28,19 @@ for c in $ciphers; do
fail "ssh -1 failed with cipher $c"
fi
done
+
+if ! ${SSH} -oCiphers=acss@openssh.org 2>&1 | grep "Bad SSH2 cipher" >/dev/null
+then
+
+echo "Ciphers acss@openssh.org" >> $OBJ/sshd_proxy
+c=acss@openssh.org
+for m in $macs; do
+ trace "proto 2 $c mac $m"
+ verbose "test $tid: proto 2 cipher $c mac $m"
+ ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true
+ if [ $? -ne 0 ]; then
+ fail "ssh -2 failed with mac $m cipher $c"
+ fi
+done
+
+fi
diff --git a/crypto/openssh/scard/.cvsignore b/crypto/openssh/scard/.cvsignore
new file mode 100644
index 000000000000..5349d34aeabd
--- /dev/null
+++ b/crypto/openssh/scard/.cvsignore
@@ -0,0 +1,2 @@
+Makefile
+Ssh.bin
diff --git a/crypto/openssh/scp.1 b/crypto/openssh/scp.1
index f5ca1e45abde..5a3221127cba 100644
--- a/crypto/openssh/scp.1
+++ b/crypto/openssh/scp.1
@@ -9,7 +9,7 @@
.\"
.\" Created: Sun May 7 00:14:37 1995 ylo
.\"
-.\" $OpenBSD: scp.1,v 1.32 2003/12/16 15:49:51 markus Exp $
+.\" $OpenBSD: scp.1,v 1.33 2004/03/05 10:53:58 markus Exp $
.\"
.Dd September 25, 1999
.Dt SCP 1
@@ -137,6 +137,7 @@ For full details of the options listed below, and their possible values, see
.It HostKeyAlias
.It HostName
.It IdentityFile
+.It IdentitiesOnly
.It LogLevel
.It MACs
.It NoHostAuthenticationForLocalhost
diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c
index af2e71992726..55db2ffd2818 100644
--- a/crypto/openssh/session.c
+++ b/crypto/openssh/session.c
@@ -201,6 +201,7 @@ display_loginmsg(void)
printf("%s\n", (char *)buffer_ptr(&loginmsg));
buffer_clear(&loginmsg);
}
+ fflush(stdout);
}
void
@@ -492,6 +493,13 @@ do_exec_no_pty(Session *s, const char *command)
close(err[0]);
/*
+ * Clear loginmsg, since it's the child's responsibility to display
+ * it to the user, otherwise multiple sessions may accumulate
+ * multiple copies of the login messages.
+ */
+ buffer_clear(&loginmsg);
+
+ /*
* Enter the interactive session. Note: server_loop must be able to
* handle the case that fdin and fdout are the same.
*/
@@ -1085,9 +1093,9 @@ do_setup_env(Session *s, const char *shell)
}
#endif
#ifdef KRB5
- if (s->authctxt->krb5_ticket_file)
+ if (s->authctxt->krb5_ccname)
child_set_env(&env, &envsize, "KRB5CCNAME",
- s->authctxt->krb5_ticket_file);
+ s->authctxt->krb5_ccname);
#endif
#ifdef USE_PAM
/*
diff --git a/crypto/openssh/sftp-client.c b/crypto/openssh/sftp-client.c
index 81c5dd49732f..781d9827ae6e 100644
--- a/crypto/openssh/sftp-client.c
+++ b/crypto/openssh/sftp-client.c
@@ -20,7 +20,7 @@
/* XXX: copy between two remote sites */
#include "includes.h"
-RCSID("$OpenBSD: sftp-client.c,v 1.46 2004/02/17 05:39:51 djm Exp $");
+RCSID("$OpenBSD: sftp-client.c,v 1.47 2004/03/03 09:30:42 djm Exp $");
#include "openbsd-compat/sys-queue.h"
@@ -805,13 +805,8 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
max_req = 1;
progress_counter = 0;
- if (showprogress) {
- if (size)
- start_progress_meter(remote_path, size,
- &progress_counter);
- else
- printf("Fetching %s to %s\n", remote_path, local_path);
- }
+ if (showprogress && size != 0)
+ start_progress_meter(remote_path, size, &progress_counter);
while (num_req > 0 || max_req > 0) {
char *data;
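Review bot: The start of the progress meter is now conditioned on `showprogress && size != 0`, but the matching stop call later in do_download is outside this hunk; if it is guarded on `showprogress` alone, a zero-size download (or one whose size the server did not report) would stop a meter that was never started. Suggest capturing the decision once, `int meter_started = showprogress && size != 0;`, and using it for both the start and the stop, or adding a comment at the start explaining why `size == 0` skips the meter and how the stop path accounts for it. Either way the silently dropped "Fetching %s to %s" line means a non-interactive transfer now produces no output at all, which is worth one sentence in the function comment.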
@@ -1036,8 +1031,6 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
offset = 0;
if (showprogress)
start_progress_meter(local_path, sb.st_size, &offset);
- else
- printf("Uploading %s to %s\n", local_path, remote_path);
for (;;) {
int len;
diff --git a/crypto/openssh/sftp.1 b/crypto/openssh/sftp.1
index 2a67a888e030..b2cab0cdaf3e 100644
--- a/crypto/openssh/sftp.1
+++ b/crypto/openssh/sftp.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp.1,v 1.51 2004/01/13 12:17:33 jmc Exp $
+.\" $OpenBSD: sftp.1,v 1.52 2004/03/05 10:53:58 markus Exp $
.\"
.\" Copyright (c) 2001 Damien Miller. All rights reserved.
.\"
@@ -163,6 +163,7 @@ For full details of the options listed below, and their possible values, see
.It HostKeyAlias
.It HostName
.It IdentityFile
+.It IdentitiesOnly
.It LogLevel
.It MACs
.It NoHostAuthenticationForLocalhost
diff --git a/crypto/openssh/sftp.c b/crypto/openssh/sftp.c
index 7f7f507311c0..a47ccf5a2ae7 100644
--- a/crypto/openssh/sftp.c
+++ b/crypto/openssh/sftp.c
@@ -16,7 +16,7 @@
#include "includes.h"
-RCSID("$OpenBSD: sftp.c,v 1.44 2004/02/17 11:03:08 djm Exp $");
+RCSID("$OpenBSD: sftp.c,v 1.45 2004/03/03 09:31:20 djm Exp $");
#include "buffer.h"
#include "xmalloc.h"
@@ -44,7 +44,7 @@ size_t num_requests = 16;
static pid_t sshpid = -1;
/* This is set to 0 if the progressmeter is not desired. */
-int showprogress;
+int showprogress = 1;
int remote_glob(struct sftp_conn *, const char *, int,
int (*)(const char *, int), glob_t *); /* proto for sftp-glob.c */
@@ -1357,6 +1357,9 @@ main(int argc, char **argv)
}
}
+ if (!isatty(STDERR_FILENO))
+ showprogress = 0;
+
log_init(argv[0], ll, SYSLOG_FACILITY_USER, 1);
if (sftp_direct == NULL) {
diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c
index e5232fc9b70a..f5fce6b2aa01 100644
--- a/crypto/openssh/ssh-agent.c
+++ b/crypto/openssh/ssh-agent.c
@@ -57,6 +57,10 @@ RCSID("$OpenBSD: ssh-agent.c,v 1.117 2003/12/02 17:01:15 markus Exp $");
#include "scard.h"
#endif
+#if defined(HAVE_SYS_PRCTL_H)
+#include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */
+#endif
+
typedef enum {
AUTH_UNUSED,
AUTH_SOCKET,
@@ -1023,6 +1027,11 @@ main(int ac, char **av)
setegid(getgid());
setgid(getgid());
+#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+ /* Disable ptrace on Linux without sgid bit */
+ prctl(PR_SET_DUMPABLE, 0);
+#endif
+
SSLeay_add_all_algorithms();
__progname = ssh_get_progname(av[0]);
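Review bot: The return value of `prctl(PR_SET_DUMPABLE, 0)` is not checked, so on a kernel or build where the call fails the agent silently stays ptrace-attachable by other processes of the same user; this commit's own change to sshd.c reports a failed `setgroups()` via `debug()`, and the same treatment would fit here: `if (prctl(PR_SET_DUMPABLE, 0) == -1) debug("prctl(PR_SET_DUMPABLE): %.200s", strerror(errno));`. The comment also undersells what the flag does: clearing the dumpable bit additionally suppresses core dumps and restricts /proc/<pid> access, which matters because this process holds unencrypted private keys in memory. Suggest `/* Clear the dumpable flag: blocks same-uid ptrace and core dumps on Linux when the agent is not installed setgid */`. main() continues outside this hunk, so the placement relative to key loading was not checked here.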
diff --git a/crypto/openssh/ssh-keyscan.c b/crypto/openssh/ssh-keyscan.c
index 68b6a0ad1c98..266b23cb3503 100644
--- a/crypto/openssh/ssh-keyscan.c
+++ b/crypto/openssh/ssh-keyscan.c
@@ -7,7 +7,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-keyscan.c,v 1.46 2003/11/23 23:17:34 djm Exp $");
+RCSID("$OpenBSD: ssh-keyscan.c,v 1.47 2004/03/08 09:38:05 djm Exp $");
#include "openbsd-compat/sys-queue.h"
@@ -489,7 +489,7 @@ conrecycle(int s)
static void
congreet(int s)
{
- int remote_major, remote_minor, n = 0;
+ int remote_major = 0, remote_minor = 0, n = 0;
char buf[256], *cp;
char remote_version[sizeof buf];
size_t bufsiz;
diff --git a/crypto/openssh/ssh.1 b/crypto/openssh/ssh.1
index e2cd5d343877..31eb66c979b5 100644
--- a/crypto/openssh/ssh.1
+++ b/crypto/openssh/ssh.1
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.181 2003/12/16 15:49:51 markus Exp $
+.\" $OpenBSD: ssh.1,v 1.182 2004/03/05 10:53:58 markus Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
@@ -634,6 +634,7 @@ For full details of the options listed below, and their possible values, see
.It HostKeyAlias
.It HostName
.It IdentityFile
+.It IdentitiesOnly
.It LocalForward
.It LogLevel
.It MACs
diff --git a/crypto/openssh/ssh.c b/crypto/openssh/ssh.c
index da390c12db42..e655e68da705 100644
--- a/crypto/openssh/ssh.c
+++ b/crypto/openssh/ssh.c
@@ -40,7 +40,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.206 2003/12/16 15:49:51 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.209 2004/03/11 10:21:17 markus Exp $");
#include <openssl/evp.h>
#include <openssl/err.h>
@@ -146,49 +146,12 @@ pid_t proxy_command_pid = 0;
static void
usage(void)
{
- fprintf(stderr, "Usage: %s [options] host [command]\n", __progname);
- fprintf(stderr, "Options:\n");
- fprintf(stderr, " -l user Log in using this user name.\n");
- fprintf(stderr, " -n Redirect input from " _PATH_DEVNULL ".\n");
- fprintf(stderr, " -F config Config file (default: ~/%s).\n",
- _PATH_SSH_USER_CONFFILE);
- fprintf(stderr, " -A Enable authentication agent forwarding.\n");
- fprintf(stderr, " -a Disable authentication agent forwarding (default).\n");
- fprintf(stderr, " -X Enable X11 connection forwarding.\n");
- fprintf(stderr, " -Y Enable trusted X11 connection forwarding.\n");
- fprintf(stderr, " -x Disable X11 connection forwarding (default).\n");
- fprintf(stderr, " -i file Identity for public key authentication "
- "(default: ~/.ssh/identity)\n");
-#ifdef SMARTCARD
- fprintf(stderr, " -I reader Set smartcard reader.\n");
-#endif
- fprintf(stderr, " -t Tty; allocate a tty even if command is given.\n");
- fprintf(stderr, " -T Do not allocate a tty.\n");
- fprintf(stderr, " -v Verbose; display verbose debugging messages.\n");
- fprintf(stderr, " Multiple -v increases verbosity.\n");
- fprintf(stderr, " -V Display version number only.\n");
- fprintf(stderr, " -q Quiet; don't display any warning messages.\n");
- fprintf(stderr, " -f Fork into background after authentication.\n");
- fprintf(stderr, " -e char Set escape character; ``none'' = disable (default: ~).\n");
-
- fprintf(stderr, " -c cipher Select encryption algorithm\n");
- fprintf(stderr, " -m macs Specify MAC algorithms for protocol version 2.\n");
- fprintf(stderr, " -p port Connect to this port. Server must be on the same port.\n");
- fprintf(stderr, " -L listen-port:host:port Forward local port to remote address\n");
- fprintf(stderr, " -R listen-port:host:port Forward remote port to local address\n");
- fprintf(stderr, " These cause %s to listen for connections on a port, and\n", __progname);
- fprintf(stderr, " forward them to the other side by connecting to host:port.\n");
- fprintf(stderr, " -D port Enable dynamic application-level port forwarding.\n");
- fprintf(stderr, " -C Enable compression.\n");
- fprintf(stderr, " -N Do not execute a shell or command.\n");
- fprintf(stderr, " -g Allow remote hosts to connect to forwarded ports.\n");
- fprintf(stderr, " -1 Force protocol version 1.\n");
- fprintf(stderr, " -2 Force protocol version 2.\n");
- fprintf(stderr, " -4 Use IPv4 only.\n");
- fprintf(stderr, " -6 Use IPv6 only.\n");
- fprintf(stderr, " -o 'option' Process the option as if it was read from a configuration file.\n");
- fprintf(stderr, " -s Invoke command (mandatory) as SSH2 subsystem.\n");
- fprintf(stderr, " -b addr Local IP address.\n");
+ fprintf(stderr,
+"usage: ssh [-1246AaCfghkNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
+" [-D port] [-e escape_char] [-F configfile] [-i identity_file]\n"
+" [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option]\n"
+" [-p port] [-R port:host:hostport] [user@]hostname [command]\n"
+ );
exit(1);
}
@@ -347,12 +310,8 @@ again:
}
/* fallthrough */
case 'V':
- fprintf(stderr,
- "%s, SSH protocols %d.%d/%d.%d, %s\n",
- SSH_VERSION,
- PROTOCOL_MAJOR_1, PROTOCOL_MINOR_1,
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
- SSLeay_version(SSLEAY_VERSION));
+ fprintf(stderr, "%s, %s\n",
+ SSH_VERSION, SSLeay_version(SSLEAY_VERSION));
if (opt == 'V')
exit(0);
break;
@@ -777,7 +736,7 @@ x11_get_proto(char **_proto, char **_data)
xauthdir);
snprintf(cmd, sizeof(cmd),
"%s -f %s generate %s " SSH_X11_PROTO
- " untrusted timeout 120 2>" _PATH_DEVNULL,
+ " untrusted timeout 1200 2>" _PATH_DEVNULL,
options.xauth_location, xauthfile, display);
debug2("x11_get_proto: %s", cmd);
if (system(cmd) == 0)
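Review bot: The untrusted X11 cookie lifetime passed to xauth grows tenfold, from 120 to 1200 seconds, with no comment explaining the choice, so a later reader cannot tell whether 120 was too short for slow logins or whether the longer validity window of the untrusted token is an accepted trade-off. Suggest hoisting the value into a named constant at file scope and documenting it, e.g. `/* lifetime of the untrusted X11 cookie; long enough to cover slow interactive logins */`. x11_get_proto starts and ends outside this hunk.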
diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5
index 210da059b550..05581ece47c5 100644
--- a/crypto/openssh/ssh_config.5
+++ b/crypto/openssh/ssh_config.5
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.28 2003/12/16 15:49:51 markus Exp $
+.\" $OpenBSD: ssh_config.5,v 1.29 2004/03/05 10:53:58 markus Exp $
.Dd September 25, 1999
.Dt SSH_CONFIG 5
.Os
@@ -406,6 +406,24 @@ syntax to refer to a user's home directory.
It is possible to have
multiple identity files specified in configuration files; all these
identities will be tried in sequence.
+.It Cm IdentitiesOnly
+Specifies that
+.Nm ssh
+should only use the authentication identity files configured in the
+.Nm
+files,
+even if the
+.Nm ssh-agent
+offers more identities.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+This option is intented for situations where
+.Nm ssh-agent
+offers many different identities.
+The default is
+.Dq no .
.It Cm LocalForward
Specifies that a TCP/IP port on the local machine be forwarded over
the secure channel to the specified host and port from the remote machine.
diff --git a/crypto/openssh/sshconnect2.c b/crypto/openssh/sshconnect2.c
index 3a218113cfb2..c261dfd188bb 100644
--- a/crypto/openssh/sshconnect2.c
+++ b/crypto/openssh/sshconnect2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.134 2004/01/19 21:25:15 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.135 2004/03/05 10:53:58 markus Exp $");
#include "openbsd-compat/sys-queue.h"
@@ -1044,7 +1044,7 @@ pubkey_prepare(Authctxt *authctxt)
break;
}
}
- if (!found) {
+ if (!found && !options.identities_only) {
id = xmalloc(sizeof(*id));
memset(id, 0, sizeof(*id));
id->key = key;
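Review bot: The new `!options.identities_only` condition changes which agent keys are offered, and the effect is not obvious at the point of use because the surrounding loop (outside this hunk) is what sets `found`. A one-line comment would save the next reader a trip to readconf.c: `/* IdentitiesOnly: only offer agent keys that match a configured IdentityFile */`. pubkey_prepare starts and ends outside this hunk.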
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
index 2bb3b9efed78..6342842519c9 100644
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@@ -42,7 +42,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.286 2004/02/23 12:02:33 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.290 2004/03/11 10:21:17 markus Exp $");
#include <openssl/dh.h>
#include <openssl/bn.h>
@@ -101,7 +101,6 @@ extern char *__progname;
#else
char *__progname;
#endif
-extern char **environ;
/* Server configuration options. */
ServerOptions options;
@@ -568,7 +567,7 @@ privsep_preauth_child(void)
debug3("privsep user:group %u:%u", (u_int)pw->pw_uid,
(u_int)pw->pw_gid);
#if 0
- /* XXX not ready, to heavy after chroot */
+ /* XXX not ready, too heavy after chroot */
do_setusercontext(pw);
#else
gidset[0] = pw->pw_gid;
@@ -764,26 +763,12 @@ drop_connection(int startups)
static void
usage(void)
{
- fprintf(stderr, "sshd version %s, %s\n",
+ fprintf(stderr, "%s, %s\n",
SSH_VERSION, SSLeay_version(SSLEAY_VERSION));
- fprintf(stderr, "Usage: %s [options]\n", __progname);
- fprintf(stderr, "Options:\n");
- fprintf(stderr, " -f file Configuration file (default %s)\n", _PATH_SERVER_CONFIG_FILE);
- fprintf(stderr, " -d Debugging mode (multiple -d means more debugging)\n");
- fprintf(stderr, " -i Started from inetd\n");
- fprintf(stderr, " -D Do not fork into daemon mode\n");
- fprintf(stderr, " -t Only test configuration file and keys\n");
- fprintf(stderr, " -q Quiet (no logging)\n");
- fprintf(stderr, " -p port Listen on the specified port (default: 22)\n");
- fprintf(stderr, " -k seconds Regenerate server key every this many seconds (default: 3600)\n");
- fprintf(stderr, " -g seconds Grace period for authentication (default: 600)\n");
- fprintf(stderr, " -b bits Size of server RSA key (default: 768 bits)\n");
- fprintf(stderr, " -h file File from which to read host key (default: %s)\n",
- _PATH_HOST_KEY_FILE);
- fprintf(stderr, " -u len Maximum hostname length for utmp recording\n");
- fprintf(stderr, " -4 Use IPv4 only\n");
- fprintf(stderr, " -6 Use IPv6 only\n");
- fprintf(stderr, " -o option Process the option as if it was read from a configuration file.\n");
+ fprintf(stderr,
+"usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]\n"
+" [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]\n"
+ );
exit(1);
}
@@ -832,6 +817,9 @@ main(int ac, char **av)
av = saved_argv;
#endif
+ if (geteuid() == 0 && setgroups(0, NULL) == -1)
+ debug("setgroups(): %.200s", strerror(errno));
+
/* Initialize configuration options to their default values. */
initialize_server_options(&options);
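Review bot: A failing `setgroups(0, NULL)` is reported only through `debug()`, and this call sits before option parsing and before the `log_init()` call that a later hunk in this file shows, so the message is likely never emitted at the default log level; since a failure leaves the privileged sshd running with whatever supplementary groups its invoker had, this deserves at least `error()` rather than `debug()`, e.g. `error("setgroups(): %.200s", strerror(errno));`. A short comment on why this is done so early would also help: `/* Drop inherited supplementary groups before anything else runs as root */`. main() continues outside this hunk.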
@@ -940,6 +928,13 @@ main(int ac, char **av)
SYSLOG_FACILITY_AUTH : options.log_facility,
log_stderr || !inetd_flag);
+#ifdef _AIX
+ /*
+ * Unset KRB5CCNAME, otherwise the user's session may inherit it from
+ * root's environment
+ */
+ unsetenv("KRB5CCNAME");
+#endif /* _AIX */
#ifdef _UNICOS
/* Cray can define user privs drop all prives now!
* Not needed on PRIV_SU systems!
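Review bot: The AIX-only `unsetenv("KRB5CCNAME")` is a narrow fix for a broader change in this same file: the later hunk in main() removes the `environ[0] = NULL` clearing, so sshd now retains the environment it was started with instead of discarding it. If the session environment is built from scratch by do_setup_env (the session.c hunk in this commit shows `child_set_env` in use), that should be stated here, because the two changes together are only safe under that assumption, and any helper sshd executes directly still inherits the parent environment. Suggest expanding the comment to say which platform behaviour makes AIX special, e.g. `/* AIX: the login session inherits sshd's environment; drop root's credential cache name so it cannot leak to the user */`, and adding a matching note where the environment clearing was removed.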
@@ -1106,11 +1101,6 @@ main(int ac, char **av)
unmounted if desired. */
chdir("/");
-#ifndef HAVE_CYGWIN
- /* Clear environment */
- environ[0] = NULL;
-#endif
-
/* ignore SIGPIPE */
signal(SIGPIPE, SIG_IGN);
@@ -1389,6 +1379,7 @@ main(int ac, char **av)
}
/* This is the child processing a new connection. */
+ setproctitle("%s", "[accepted]");
/*
* Create a new session and process group since the 4.4BSD
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index 41228248cb69..e15a225f2def 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.28 2004/02/17 19:35:21 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.29 2004/03/08 10:18:57 dtucker Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
@@ -300,6 +300,11 @@ To use this option, the server needs a
Kerberos servtab which allows the verification of the KDC's identity.
Default is
.Dq no .
+.It Cm KerberosGetAFSToken
+If AFS is active and the user has a Kerberos 5 TGT, attempt to aquire
+an AFS token before accessing the user's home directory.
+Default is
+.Dq no .
.It Cm KerberosOrLocalPasswd
If set then if password authentication through Kerberos fails then
the password will be validated via any additional local mechanism
@@ -429,7 +434,9 @@ The default is
.Pp
If this option is set to
.Dq without-password
-password authentication is disabled for root.
+password authentication is disabled for root. Note that other authentication
+methods (e.g., keyboard-interactive/PAM) may still allow root to login using
+a password.
.Pp
If this option is set to
.Dq forced-commands-only
diff --git a/crypto/openssh/sshlogin.c b/crypto/openssh/sshlogin.c
index 36b648934b8e..e1cc4cc82ebe 100644
--- a/crypto/openssh/sshlogin.c
+++ b/crypto/openssh/sshlogin.c
@@ -52,11 +52,11 @@ u_long
get_last_login_time(uid_t uid, const char *logname,
char *buf, u_int bufsize)
{
- struct logininfo li;
+ struct logininfo li;
- login_get_lastlog(&li, uid);
- strlcpy(buf, li.hostname, bufsize);
- return li.tv_sec;
+ login_get_lastlog(&li, uid);
+ strlcpy(buf, li.hostname, bufsize);
+ return li.tv_sec;
}
/*
@@ -67,12 +67,12 @@ void
record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid,
const char *host, struct sockaddr * addr, socklen_t addrlen)
{
- struct logininfo *li;
+ struct logininfo *li;
- li = login_alloc_entry(pid, user, host, ttyname);
- login_set_addr(li, addr, addrlen);
- login_login(li);
- login_free_entry(li);
+ li = login_alloc_entry(pid, user, host, ttyname);
+ login_set_addr(li, addr, addrlen);
+ login_login(li);
+ login_free_entry(li);
}
#ifdef LOGIN_NEEDS_UTMPX
@@ -80,12 +80,12 @@ void
record_utmp_only(pid_t pid, const char *ttyname, const char *user,
const char *host, struct sockaddr * addr, socklen_t addrlen)
{
- struct logininfo *li;
+ struct logininfo *li;
- li = login_alloc_entry(pid, user, host, ttyname);
- login_set_addr(li, addr, addrlen);
- login_utmp_only(li);
- login_free_entry(li);
+ li = login_alloc_entry(pid, user, host, ttyname);
+ login_set_addr(li, addr, addrlen);
+ login_utmp_only(li);
+ login_free_entry(li);
}
#endif
@@ -93,9 +93,9 @@ record_utmp_only(pid_t pid, const char *ttyname, const char *user,
void
record_logout(pid_t pid, const char *ttyname, const char *user)
{
- struct logininfo *li;
+ struct logininfo *li;
- li = login_alloc_entry(pid, user, NULL, ttyname);
- login_logout(li);
- login_free_entry(li);
+ li = login_alloc_entry(pid, user, NULL, ttyname);
+ login_logout(li);
+ login_free_entry(li);
}
diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h
index c4266292ce77..e5ba5dda67da 100644
--- a/crypto/openssh/version.h
+++ b/crypto/openssh/version.h
@@ -1,3 +1,3 @@
-/* $OpenBSD: version.h,v 1.40 2004/02/23 15:16:46 markus Exp $ */
+/* $OpenBSD: version.h,v 1.41 2004/03/20 10:40:59 markus Exp $ */
-#define SSH_VERSION "OpenSSH_3.8p1"
+#define SSH_VERSION "OpenSSH_3.8.1p1"