diff -ruN --exclude CVS ssh-openbsd-1999111200/COPYING.Ylonen openssh-1.2pre10/COPYING.Ylonen --- ssh-openbsd-1999111200/COPYING.Ylonen Tue Oct 5 12:35:56 1999 +++ openssh-1.2pre10/COPYING.Ylonen Sat Oct 30 09:46:20 1999 @@ -24,7 +24,7 @@ [ The make-ssh-known-hosts script is no longer included. ] [ TSS has been removed. ] [ MD5 is now external. ] -[ RC4 support has been removed. ] +[ RC4 support has been removed (RC4 is used internally for arc4random). ] [ Blowfish is now external. ] The 32-bit CRC implementation in crc32.c is due to Gary S. Brown. diff -ruN --exclude CVS ssh-openbsd-1999111200/ChangeLog openssh-1.2pre10/ChangeLog --- ssh-openbsd-1999111200/ChangeLog Mon Sep 27 06:53:32 1999 +++ openssh-1.2pre10/ChangeLog Fri Nov 12 12:22:31 1999 @@ -1,578 +1,150 @@ -Fri Nov 17 16:19:20 1995 Tatu Ylonen - - * Released 1.2.12. - - * channels.c: Commented out debugging messages about output draining. - - * Added file OVERVIEW to give some idea about the structure of the - ssh software. - -Thu Nov 16 16:40:17 1995 Tatu Ylonen - - * canohost.c (get_remote_hostname): Don't ever return NULL (causes - segmentation violation). - - * sshconnect.c: Host ip address printed incorrectly with -v. - - * Implemented SSH_TTY environment variable. - -Wed Nov 15 01:47:40 1995 Tatu Ylonen - - * Implemented server and client option KeepAlive to specify - whether to set SO_KEEPALIVE. Both default to "yes"; to disable - keepalives, set the value to "no" in both the server and the - client configuration files. Updated manual pages. - - * sshd.c: Fixed Solaris utmp problem: wrong pid stored in utmp - (patch from Petri Virkkula ). - - * login.c (record_logout): Fixed removing user from utmp on BSD - (with HAVE_LIBUTIL_LOGIN). - - * Added cleanup functions to be called from fatal(). Arranged for - utmp to be cleaned if sshd terminates by calling fatal (e.g., - after dropping connection). Eliminated separate client-side - fatal() functions and moved fatal() to log-client.c. Made all - cleanups, including channel_stop_listening() and packet_close() - be called using this mechanism. - -Thu Nov 9 09:58:05 1995 Tatu Ylonen - - * sshd.c: Permit immediate login with empty password only if - password authentication is allowed. - -Wed Nov 8 00:43:55 1995 Tatu Ylonen - - * Eliminated unix-domain X11 forwarding. Inet-domain forwarding is - now the only supported form. Renamed server option - X11InetForwarding to X11Forwarding, and eliminated - X11UnixForwarding. Updated documentation. Updated RFC (marked - the SSH_CMSG_X11_REQUEST_FORWARDING message (code 26) as - obsolete, and removed all references to it). Increased protocol - version number to 1.3. - - * scp.c (main): Added -B (BatchMode). Updated manual page. - - * Cleaned up and updated all manual pages. - - * clientloop.c: Added new escape sequences ~# (lists forwarded - connections), ~& (background ssh when waiting for forwarded - connections to terminate), ~? (list available escapes). - Polished the output of the connection listing. Updated - documentation. - - * uidswap.c: If _POSIX_SAVED_IDS is defined, don't change the real - uid. Assume that _POSIX_SAVED_IDS also applies to seteuid. - This may solve problems with tcp_wrappers (libwrap) showing - connections as coming from root. - -Tue Nov 7 20:28:57 1995 Tatu Ylonen - - * Added RandomSeed server configuration option. The argument - specifies the location of the random seed file. Updated - documentation. - - * Locate perl5 in configure. Generate make-ssh-known-hosts (with - the correct path for perl5) in Makefile.in, and install it with - the other programs. Updated manual page. - - * sshd.c (main): Added a call to umask to set the umask to a - reasonable value. - - * compress.c (buffer_compress): Fixed to follow the zlib - documentation (which is slightly confusing). - - * INSTALL: Added information about Linux libc.so.4 problem. - -Mon Nov 6 15:42:36 1995 Tatu Ylonen - - * (Actually autoconf fix) Installed patch to AC_ARG_PROGRAM. - - * sshd.c, sshd.8.in: Renamed $HOME/.environment -> - $HOME/.ssh/environment. - - * configure.in: Disable shadow password checking on convex. - Convex has /etc/shadow, but sets pw_passwd automatically if - running as root. - - * Eliminated HAVE_ETC_MASTER_PASSWD (NetBSD, FreeBSD); the - pw_passwd field is automatically filled if running as root. - Put explicit code in configure.in to prevent shadow password - checking on FreeBSD and NetBSD. - - * serverloop.c (signchld_handler): Don't print error if wait - returns -1. - - * Makefile.in (install): Fixed modes of data files. - - * Makefile.in (install): Make links for slogin.1. - - * make-ssh-known-hosts: Merged a patch from melo@ci.uminho.pt to - fix the ping command. - -Fri Nov 3 16:25:28 1995 Tatu Ylonen - - * ssh.1.in: Added more information about X11 forwarding. - -Thu Nov 2 18:42:13 1995 Tatu Ylonen - - * Changes to use O_NONBLOCK_BROKEN consistently. - - * pty.c (pty_make_controlling_tty): Use setpgid instead of - setsid() on Ultrix. - - * includes.h: Removed redundant #undefs for Ultrix and Sony News; - these are already handled in configure.in. - -Tue Oct 31 13:31:28 1995 Tatu Ylonen - - * configure.in: Define SSH_WTMP to /var/adm/wtmp is wtmp not found. - - * configure.in: Disable vhangup on Ultrix. I am told this fixes - the server problems. - -Sat Oct 28 14:22:05 1995 Tatu Ylonen - - * sshconnect.c: Fixed a bug in connecting to a multi-homed host. - Restructured the connecting code to never try to use the same - socket a second time after a failed connection. - - * Makefile.in: Added explicit -m option to install, and umask 022 - when creating directories and the host key. - -Fri Oct 27 01:05:10 1995 Tatu Ylonen - - * Makefile.in: Added cleaning of $(ZLIBDIR) to clean and distclean. - - * login.c (get_last_login_time): Fixed a typo (define -> defined). - -Thu Oct 26 01:28:07 1995 Tatu Ylonen - - * configure.in: Moved testing for ANSI C compiler after the host - specific code (problems on HPUX). - - * Minor fixes to /etc/default/login stuff from Bryan O'Sullivan. - - * Fixed .SH NAME sections in manual pages. - - * compress.c: Trying to fix a mysterious bug in the compression - glue. - - * ssh-1.2.11. - - * scp.c: disable agent forwarding when running ssh from scp. - - * Added compression of plaintext packets using the gzip library - (zlib). Client configuration options Compression and - CompressionLevel (1-9 as in gzip). New ssh and scp option -C - (to enable compression). Updated RFC. - -Wed Oct 25 05:11:55 1995 Tatu Ylonen - - * Implemented ProxyCommand stuff based on patches from Bryan - O'Sullivan . - - * Merged BSD login/logout/lastlog patches from Mark Treacy - . - - * sshd.c: Added chdir("/"). - -Tue Oct 24 00:29:01 1995 Tatu Ylonen - - * Merged RSA environment= patches from Felix Leitner - with some changes. - - * sshd.c: Made the packet code use two separate descriptors for - the connection (one for input, the other for output). This will - make future extensions easier (e.g., non-socket transports, etc.). - sshd -i now uses both stdin and stdout separately. - -Mon Oct 23 21:29:28 1995 Tatu Ylonen - - * sshd.c: Merged execle -> execve patches from Mark Martinec - . This may help with execle bugs on - Convex (environment not getting passed properly). This might - also solve similar problems on Sonys; please test! - - * Removed all compatibility code for protocol version 1.0. - THIS MEANS THAT WE ARE NO LONGER COMPATIBLE WITH SSH VERSIONS - PRIOR TO 1.1.0. - - * randoms.c (random_acquire_light_environmental_noise): If - /dev/random is available, read up to 32 bytes (256 bits) from - there in non-blocking mode, and mix the new random bytes into - the pool. - - * Added client configuration option StrictHostKeyChecking - (disabled by default). If this is enabled, the client will not - automatically add new host keys to $HOME/.ssh/known_hosts; - instead the connection will be refused if the host key is not - known. Similarly, if the host key has changed, the connection - will be refused instead if just issuing a warning. This - provides additional security against man-in-the-middle/trojan - horse attacks (especially in scripts where there is no-one to - see the warnings), but may be quite inconvenient in everyday - interactive use unless /etc/ssh_known_hosts is very complete, - because new host keys must now be added manually. - - * sshconnect.c (ssh_connect): Use the user's uid when creating the - socket and connecting it. I am hoping that this might help with - tcp_wrappers showing the remote user as root. - - * ssh.c: Try inet-domain X11 forwarding regardless of whether we - can get local authorization information. If we don't, we just - come up with fake information; the forwarding code will anyway - generate its own fake information and validate that the client - knows that information. It will then substitute our fake - information for that, but that info should get ignored by the - server if it doesn't support it. - - * Added option BatchMode to disable password/passphrase querying - in scripts. - - * auth-rh-rsa.c: Changed to use uid-swapping when reading - .ssh/known_hosts. - - * sshd.8.in (command): Improved documentation of file permissions - on the manual pages. - -Thu Oct 19 21:05:51 1995 Tatu Ylonen - - * ssh-add.c (add_file): Fixed a bug causing ssh to sometimes refer - to freed memory (comment -> saved_comment). - - * log-server.c: Added a prefix to debug/warning/error/fatal - messages describing message types. Syslog does not include that - information automatically. - -Sun Oct 8 01:56:01 1995 Tatu Ylonen - - * Merged /etc/default/login and MAIL environment variable changes - from Bryan O'Sullivan . - - mail spool file location - - process /etc/default/login - - add HAVE_ETC_DEFAULT_LOGIN - - new function child_get_env and read_etc_default_login (sshd.c) - - * ssh-add.c (add_file): Fixed asking for passphrase. - - * Makefile.in: Fixed installing configure-generated man pages when - compiling in a separate object directory. - - * sshd.c (main): Moved RSA key generation until after allocating - the port number. (Actually, the code got duplicated because we - never listen when run from inetd.) - - * ssh.c: Fixed a problem that caused scp to hang when called with - stdin closed. - -Sat Oct 7 03:08:06 1995 Tatu Ylonen - - * Added server config option StrictModes. It specifies whether to - check ownership and modes of home directory and .rhosts files. - - * ssh.c: If ssh is renamed/linked to a host name, connect to that - host. - - * serverloop.c, clientloop.c: Ignore EAGAIN reported on read from - connection. Solaris has a kernel bug which causes select() to - sometimes wake up even though there is no data available. - - * Display all open connections when printing the "Waiting for - forwarded connections to terminate" message. - - * sshd.c, readconf.c: Added X11InetForwarding and - X11UnixForwarding server config options. - -Thu Oct 5 17:41:16 1995 Tatu Ylonen - - * Some more SCO fixes. - -Tue Oct 3 01:04:34 1995 Tatu Ylonen - - * Fixes and cleanups in README, INSTALL, COPYING. - -Mon Oct 2 03:36:08 1995 Tatu Ylonen - - * ssh-add.c (add_file): Fixed a bug in ssh-add (xfree: NULL ...). - - * Removed .BR from ".SH NAME" in man pages. - -Sun Oct 1 04:16:07 1995 Tatu Ylonen - - * ssh-1.2.10. - - * configure.in: When checking that the compiler works, check that - it understands ANSI C prototypes. - - * Made uidswap error message a debug() to avoid confusing errors - on AIX (AIX geteuid is brain-damaged and fails even for root). - - * Fixed an error in sshd.8 (FacistLogging -> FascistLogging). - - * Fixed distribution in Makefile.in (missing manual page .in files). - -Sat Sep 30 17:38:46 1995 Tatu Ylonen - - * auth-rhosts.c: Fixed serious security problem in - /etc/hosts.equiv authentication. - -Fri Sep 29 00:41:02 1995 Tatu Ylonen - - * Include machine/endian.h on Paragon. - - * ssh-add.c (add_file): Made ssh-add keep asking for the - passphrase until the user just types return or cancels. - Make the dialog display the comment of the key. - - * Read use shosts.equiv in addition to /etc/hosts.equiv. - - * sshd.8 is now sshd.8.in and is processed by configure to - substitute the proper paths for various files. Ditto for ssh.1. - Ditto for make-ssh-known-hosts.1. - - * configure.in: Moved /etc/sshd_pid to PIDDIR/sshd.pid. PIDDIR - will be /var/run if it exists, and ETCDIR otherwise. - -Thu Sep 28 21:52:42 1995 Tatu Ylonen - - * On Ultrix, check if sys/syslog.h needs to be included in - addition to syslog.h. - - * make-ssh-known-hosts.pl: Merged Kivinen's fixes for HPUX. - - * configure.in: Put -lwrap, -lsocks, etc. at the head of LIBS. - - * Fixed case-insensitivity in auth-rhosts.c. - - * Added missing socketpair.c to EXTRA_SRCS (needed on SCO), plus - other SCO fixes. - - * Makefile.in: Fixed missing install_prefixes. - -Wed Sep 27 03:57:00 1995 Tatu Ylonen - - * ssh-1.2.9. - - * Added SOCKS support. - - * Fixed default setting of IgnoreRhosts option. - - * Pass the magic cookie to xauth in stdin instead of command line; - the command line is visible in ps. - - * Added processing $HOME/.ssh/rc and /etc/sshrc. - - * Added a section to sshd.8 on what happens at login time. - -Tue Sep 26 01:27:40 1995 Tatu Ylonen - - * Don't define speed_t on SunOS 4.1.1; it conflicts with system - headers. - - * Added support for .hushlogin. - - * Added --with-etcdir. - - * Read $HOME/.environment after /etc/environment. - -Mon Sep 25 03:26:06 1995 Tatu Ylonen - - * Merged patches for SCO Unix (from Michael Henits). - -Sun Sep 24 22:28:02 1995 Tatu Ylonen - - * Added ssh option ConnectionAttempts. - -Sat Sep 23 12:30:15 1995 Tatu Ylonen - - * sshd.c: Don't print last login time and /etc/motd if a command - has been specified (with ssh -t host command). - - * Added support for passing the screen number in X11 forwarding. - It is implemented as a compatible protocol extension, signalled - by SSH_PROTOFLAG_SCREEN_NUMBER by the child. - - * clientloop.c: Fixed bugs in the order in which things were - processed. This may solve problems with some data not getting - sent to the server as soon as possible (probably solves the TCP - forwarding delayed close problem). Also, it looked like window - changes might not get transmitted as early as possible in some - cases. - - * clientloop.c: Changed to detect window size change that - happened while ssh was suspended. - - * ssh.c: Moved the do_session function (client main loop) to - clientloop.c. Divided it into smaller functions. General cleanup. - - * ssh-1.2.8 - -Fri Sep 22 22:07:46 1995 Tatu Ylonen - - * sshconnect.c (ssh_login): Made ssh_login take the options - structure as argument, instead of the individual arguments. - - * auth-rhosts.c (check_rhosts_file): Added support for netgroups. - - * auth-rhosts.c (check_rhosts_file): Added support for negated - entries. - -Thu Sep 21 00:07:56 1995 Tatu Ylonen - - * auth-rhosts.c: Restructured rhosts authentication code. - Hosts.equiv now has same format as .rhosts: user names are allowed. - - * Added support for the Intel Paragon. - - * sshd.c: Don't use X11 forwarding with spoofing if no xauth - program. Changed configure.in to not define XAUTH_PATH if - there is no xauth program. - - * ssh-1.2.7 - - * sshd.c: Rewrote the code to build the environment. Now also reads - /etc/environment. - - * sshd.c: Fixed problems in libwrap code. --with-libwrap now - takes optional library name/path. - - * ssh-1.2.6 - - * Define USE_PIPES by default. - - * Added support for Univel Unixware and MachTen. - - * Added IgnoreRhosts server option. - - * Added USE_STRLEN_FOR_AF_UNIX; it is needed at least on MachTen. - -Wed Sep 20 02:41:02 1995 Tatu Ylonen - - * sshd.c (do_child): don't call packet_close when /etc/nologin, - because packet_close does shutdown, and the message does not get - sent. - - * pty.c (pty_allocate): Push ttcompat streams module. - - * randoms.c (random_acquire_light_environmental_noise): Don't use - the second argument to gettimeofday as it is not supported on - all systems. - - * login.c (record_login): Added NULL second argument to gettimeofday. - -Tue Sep 19 13:25:48 1995 Tatu Ylonen - - * fixed pclose wait() in sshd key regeneration (now only collects - easily available noise). - - * configure.in: test for bsdi before bsd*. - - * ssh.c: Don't print "Connection closed" if -q. - -Wed Sep 13 04:19:52 1995 Tatu Ylonen - - * Released ssh-1.2.5. - - * Hopefully fixed "Waiting for forwarded connections to terminate" - message. - - * randoms.c, md5.c: Large modifications to make these work on Cray - (which has no 32 bit integer type). - - * Fixed a problem with forwarded connection closes not being - reported immediately. - - * ssh.c: fixed rhosts authentication (broken by uid-swapping). - - * scp.c: Don't use -l if server user not specified (it made - setting User in the configuration file not work). - - * configure.in: don't use -pipe on BSDI. - - * randoms.c: Major modifications to make it work without 32 bit - integers (e.g. Cray). - - * md5.c: Major modifications to make it work without 32 bit - integers (e.g. Cray). - - * Eliminated HPSUX_BROKEN_PTYS. The code is now enabled by - default on all systems. - -Mon Sep 11 00:53:12 1995 Tatu Ylonen - - * sshd.c: don't include sshd pathname in log messages. - - * Added libwrap stuff (includes support for identd). - - * Added OSF/1 C2 extended security stuff. - - * Fixed interactions between getuid() and uid-swap stuff. - -Sun Sep 10 00:29:27 1995 Tatu Ylonen - - * serverloop.c: Don't send stdout data to client until after a few - milliseconds if there is very little data. This is because some - systems give data from pty one character at a time, which would - multiply data size by about 16. - - * serverloop.c: Moved server do_session to a separate file and - renamed it server_loop. Split it into several functions and - partially rewrote it. Fixed "cat /etc/termcap | ssh foo cat" hangup. - - * Screwed up something while checking stuff in under cvs. No harm, - but bogus log entries... - -Sat Sep 9 02:24:51 1995 Tatu Ylonen - - * minfd.c (_get_permanent_fd): Use SHELL environment variable. - - * channels.c (x11_create_display_inet): Created - HPSUX_NONSTANDARD_X11_KLUDGE; it causes DISPLAY to contain the - IP address of the host instead of the name, because HPSUX uses - some magic shared memory communication for local connections. - - * Changed SIGHUP processing in server; it should now work multiple - times. - - * Added length limits in many debug/log/error/fatal calls just in - case. - - * login.c (get_last_login_time): Fixed location of lastlog. - - * Rewrote all uid-swapping code. New files uidswap.h, uidswap.c. - - * Fixed several security problems involving chmod and chgrp (race - conditions). Added warnings about dubious modes for /tmp/.X11-unix. - -Fri Sep 8 20:03:36 1995 Tatu Ylonen - - * Changed readconf.c to never display anything from the config - file. This should now be prevented otherwise, but let's play safe. - - * log-server.c: Use %.500s in syslog() just to be sure (they - should already be shorter than 1024 though). - - * sshd.c: Moved setuid in child a little earlier (just to be - conservative, there was no security problem that I could detect). - - * README, INSTALL: Added info about mailing list and WWW page. - - * sshd.c: Added code to use SIGCHLD and wait zombies immediately. - - * Merged patch to set ut_addr in utmp. - - * Created ChangeLog and added it to Makefile.in. - - * Use read_passphrase instead of getpass(). - - * Added SSH_FALLBACK_CIPHER. Fixed a bug in default cipher - selection (IDEA used to be selected even if not supported by the - server). - - * Use no encryption for key files if empty passphrase. - - * Added section about --without-idea in INSTALL. - - * Version 1.2.0 was released a couple of days ago. - +19991112 + - Merged changes from OpenBSD CVS + - [sshd.c] session_key_int may be zero + - [auth-rh-rsa.c servconf.c servconf.h ssh.h sshd.8 sshd.c sshd_config] + IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok + deraadt,millert + - Brought default sshd_config more in line with OpenBSD's + - Grab server in gnome-ssh-askpass (Debian bug #49872) + - Released 1.2pre10 + +19991111 + - Added (untested) Entropy Gathering Daemon (EGD) support + - Fixed /dev/urandom fd leak (Debian bug #49722) + - Merged OpenBSD CVS changes: + - [auth-rh-rsa.c] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too + - [ssh.1] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too + - [sshd.8] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too + - Fix integer overflow which was messing up scp's progress bar for large + file transfers. Fix submitted to OpenBSD developers. + - Merged more OpenBSD CVS changes: + - [auth-krb4.c auth-passwd.c] remove x11- and krb-cleanup from fatal() + + krb-cleanup cleanup + - [clientloop.c log-client.c log-server.c ] + [readconf.c readconf.h servconf.c servconf.h ] + [ssh.1 ssh.c ssh.h sshd.8] + add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd, + obsoletes QuietMode and FascistLogging in sshd. + - [sshd.c] fix fatal/assert() bug reported by damien@ibs.com.au: + allow session_key_int != sizeof(session_key) + [this should fix the pre-assert-removal-core-files] + - Updated default config file to use new LogLevel option and to improve + readability + +19991110 + - Merged several minor fixes: + - ssh-agent commandline parsing + - RPM spec file now installs ssh setuid root + - Makefile creates libdir + - Merged beginnings of Solaris compability from Marc G. Fournier + + +19991109 + - Autodetection of SSL/Crypto library location via autoconf + - Fixed location of ssh-askpass to follow autoconf + - Integrated Makefile patch from Niels Kristian Bech Jensen + - Autodetection of RSAref library for US users + - Minor doc updates + - Merged OpenBSD CVS changes: + - [rsa.c] bugfix: use correct size for memset() + - [sshconnect.c] warn if announced size of modulus 'n' != real size + - Added GNOME passphrase requestor (use --with-gnome-askpass) + - RPM build now creates subpackages + - Released 1.2pre9 + +19991108 + - Removed debian/ directory. This is now being maintained separately. + - Added symlinks for slogin in RPM spec file + - Fixed permissions on manpages in RPM spec file + - Added references to required libraries in README file + - Removed config.h.in from CVS + - Removed pwdb support (better pluggable auth is provided by glibc) + - Made PAM and requisite libdl optional + - Removed lots of unnecessary checks from autoconf + - Added support and autoconf test for openpty() function (Unix98 pty support) + - Fix for scp not finding ssh if not installed as /usr/bin/ssh + - Added TODO file + - Merged parts of Debian patch From Phil Hands : + - Added ssh-askpass program + - Added ssh-askpass support to ssh-add.c + - Create symlinks for slogin on install + - Fix "distclean" target in makefile + - Added example for ssh-agent to manpage + - Added support for PAM_TEXT_INFO messages + - Disable internal /etc/nologin support if PAM enabled + - Merged latest OpenBSD CVS changes: + - [all] replace assert() with error, fatal or packet_disconnect + - [sshd.c] don't send fail-msg but disconnect if too many authentication + failures + - [sshd.c] remove unused argument. ok dugsong + - [sshd.c] typo + - [rsa.c] clear buffers used for encryption. ok: niels + - [rsa.c] replace assert() with error, fatal or packet_disconnect + - [auth-krb4.c] remove unused argument. ok dugsong + - Fixed coredump after merge of OpenBSD rsa.c patch + - Released 1.2pre8 + +19991102 + - Merged change from OpenBSD CVS + - One-line cleanup in sshd.c + +19991030 + - Integrated debian package support from Dan Brosemer + - Merged latest updates for OpenBSD CVS: + - channels.[ch] - remove broken x11 fix and document istate/ostate + - ssh-agent.c - call setsid() regardless of argv[] + - ssh.c - save a few lines when disabling rhosts-{rsa-}auth + - Documentation cleanups + - Renamed README -> README.Ylonen + - Renamed README.openssh ->README + +19991029 + - Renamed openssh* back to ssh* at request of Theo de Raadt + - Incorporated latest changes from OpenBSD's CVS + - Integrated Makefile patch from Niels Kristian Bech Jensen + - Integrated PAM env patch from Nalin Dahyabhai + - Make distclean now removed configure script + - Improved PAM logging + - Added some debug() calls for PAM + - Removed redundant subdirectories + - Integrated part of a patch from Dan Brosemer for + building on Debian. + - Fixed off-by-one error in PAM env patch + - Released 1.2pre6 + +19991028 + - Further PAM enhancements. + - Much cleaner + - Now uses account and session modules for all logins. + - Integrated patch from Dan Brosemer + - Build fixes + - Autoconf + - Change binary names to open* + - Fixed autoconf script to detect PAM on RH6.1 + - Added tests for libpwdb, and OpenBSD functions to autoconf + - Released 1.2pre4 + + - Imported latest OpenBSD CVS code + - Updated README.openssh + - Released 1.2pre5 + +19991027 + - Adapted PAM patch. + - Released 1.0pre2 + + - Excised my buggy replacements for strlcpy and mkdtemp + - Imported correct OpenBSD strlcpy and mkdtemp routines. + - Reduced arc4random_stir entropy read to 32 bytes (256 bits) + - Picked up correct version number from OpenBSD + - Added sshd.pam PAM configuration file + - Added sshd.init Redhat init script + - Added openssh.spec RPM spec file + - Released 1.2pre3 + +19991026 + - Fixed include paths of OpenSSL functions + - Use OpenSSL MD5 routines + - Imported RC4 code from nanocrypt + - Wrote replacements for OpenBSD arc4random* functions + - Wrote replacements for strlcpy and mkdtemp + - Released 1.0pre1 diff -ruN --exclude CVS ssh-openbsd-1999111200/ChangeLog.Ylonen openssh-1.2pre10/ChangeLog.Ylonen --- ssh-openbsd-1999111200/ChangeLog.Ylonen Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre10/ChangeLog.Ylonen Thu Oct 28 14:19:25 1999 @@ -0,0 +1,578 @@ +Fri Nov 17 16:19:20 1995 Tatu Ylonen + + * Released 1.2.12. + + * channels.c: Commented out debugging messages about output draining. + + * Added file OVERVIEW to give some idea about the structure of the + ssh software. + +Thu Nov 16 16:40:17 1995 Tatu Ylonen + + * canohost.c (get_remote_hostname): Don't ever return NULL (causes + segmentation violation). + + * sshconnect.c: Host ip address printed incorrectly with -v. + + * Implemented SSH_TTY environment variable. + +Wed Nov 15 01:47:40 1995 Tatu Ylonen + + * Implemented server and client option KeepAlive to specify + whether to set SO_KEEPALIVE. Both default to "yes"; to disable + keepalives, set the value to "no" in both the server and the + client configuration files. Updated manual pages. + + * sshd.c: Fixed Solaris utmp problem: wrong pid stored in utmp + (patch from Petri Virkkula ). + + * login.c (record_logout): Fixed removing user from utmp on BSD + (with HAVE_LIBUTIL_LOGIN). + + * Added cleanup functions to be called from fatal(). Arranged for + utmp to be cleaned if sshd terminates by calling fatal (e.g., + after dropping connection). Eliminated separate client-side + fatal() functions and moved fatal() to log-client.c. Made all + cleanups, including channel_stop_listening() and packet_close() + be called using this mechanism. + +Thu Nov 9 09:58:05 1995 Tatu Ylonen + + * sshd.c: Permit immediate login with empty password only if + password authentication is allowed. + +Wed Nov 8 00:43:55 1995 Tatu Ylonen + + * Eliminated unix-domain X11 forwarding. Inet-domain forwarding is + now the only supported form. Renamed server option + X11InetForwarding to X11Forwarding, and eliminated + X11UnixForwarding. Updated documentation. Updated RFC (marked + the SSH_CMSG_X11_REQUEST_FORWARDING message (code 26) as + obsolete, and removed all references to it). Increased protocol + version number to 1.3. + + * scp.c (main): Added -B (BatchMode). Updated manual page. + + * Cleaned up and updated all manual pages. + + * clientloop.c: Added new escape sequences ~# (lists forwarded + connections), ~& (background ssh when waiting for forwarded + connections to terminate), ~? (list available escapes). + Polished the output of the connection listing. Updated + documentation. + + * uidswap.c: If _POSIX_SAVED_IDS is defined, don't change the real + uid. Assume that _POSIX_SAVED_IDS also applies to seteuid. + This may solve problems with tcp_wrappers (libwrap) showing + connections as coming from root. + +Tue Nov 7 20:28:57 1995 Tatu Ylonen + + * Added RandomSeed server configuration option. The argument + specifies the location of the random seed file. Updated + documentation. + + * Locate perl5 in configure. Generate make-ssh-known-hosts (with + the correct path for perl5) in Makefile.in, and install it with + the other programs. Updated manual page. + + * sshd.c (main): Added a call to umask to set the umask to a + reasonable value. + + * compress.c (buffer_compress): Fixed to follow the zlib + documentation (which is slightly confusing). + + * INSTALL: Added information about Linux libc.so.4 problem. + +Mon Nov 6 15:42:36 1995 Tatu Ylonen + + * (Actually autoconf fix) Installed patch to AC_ARG_PROGRAM. + + * sshd.c, sshd.8.in: Renamed $HOME/.environment -> + $HOME/.ssh/environment. + + * configure.in: Disable shadow password checking on convex. + Convex has /etc/shadow, but sets pw_passwd automatically if + running as root. + + * Eliminated HAVE_ETC_MASTER_PASSWD (NetBSD, FreeBSD); the + pw_passwd field is automatically filled if running as root. + Put explicit code in configure.in to prevent shadow password + checking on FreeBSD and NetBSD. + + * serverloop.c (signchld_handler): Don't print error if wait + returns -1. + + * Makefile.in (install): Fixed modes of data files. + + * Makefile.in (install): Make links for slogin.1. + + * make-ssh-known-hosts: Merged a patch from melo@ci.uminho.pt to + fix the ping command. + +Fri Nov 3 16:25:28 1995 Tatu Ylonen + + * ssh.1.in: Added more information about X11 forwarding. + +Thu Nov 2 18:42:13 1995 Tatu Ylonen + + * Changes to use O_NONBLOCK_BROKEN consistently. + + * pty.c (pty_make_controlling_tty): Use setpgid instead of + setsid() on Ultrix. + + * includes.h: Removed redundant #undefs for Ultrix and Sony News; + these are already handled in configure.in. + +Tue Oct 31 13:31:28 1995 Tatu Ylonen + + * configure.in: Define SSH_WTMP to /var/adm/wtmp is wtmp not found. + + * configure.in: Disable vhangup on Ultrix. I am told this fixes + the server problems. + +Sat Oct 28 14:22:05 1995 Tatu Ylonen + + * sshconnect.c: Fixed a bug in connecting to a multi-homed host. + Restructured the connecting code to never try to use the same + socket a second time after a failed connection. + + * Makefile.in: Added explicit -m option to install, and umask 022 + when creating directories and the host key. + +Fri Oct 27 01:05:10 1995 Tatu Ylonen + + * Makefile.in: Added cleaning of $(ZLIBDIR) to clean and distclean. + + * login.c (get_last_login_time): Fixed a typo (define -> defined). + +Thu Oct 26 01:28:07 1995 Tatu Ylonen + + * configure.in: Moved testing for ANSI C compiler after the host + specific code (problems on HPUX). + + * Minor fixes to /etc/default/login stuff from Bryan O'Sullivan. + + * Fixed .SH NAME sections in manual pages. + + * compress.c: Trying to fix a mysterious bug in the compression + glue. + + * ssh-1.2.11. + + * scp.c: disable agent forwarding when running ssh from scp. + + * Added compression of plaintext packets using the gzip library + (zlib). Client configuration options Compression and + CompressionLevel (1-9 as in gzip). New ssh and scp option -C + (to enable compression). Updated RFC. + +Wed Oct 25 05:11:55 1995 Tatu Ylonen + + * Implemented ProxyCommand stuff based on patches from Bryan + O'Sullivan . + + * Merged BSD login/logout/lastlog patches from Mark Treacy + . + + * sshd.c: Added chdir("/"). + +Tue Oct 24 00:29:01 1995 Tatu Ylonen + + * Merged RSA environment= patches from Felix Leitner + with some changes. + + * sshd.c: Made the packet code use two separate descriptors for + the connection (one for input, the other for output). This will + make future extensions easier (e.g., non-socket transports, etc.). + sshd -i now uses both stdin and stdout separately. + +Mon Oct 23 21:29:28 1995 Tatu Ylonen + + * sshd.c: Merged execle -> execve patches from Mark Martinec + . This may help with execle bugs on + Convex (environment not getting passed properly). This might + also solve similar problems on Sonys; please test! + + * Removed all compatibility code for protocol version 1.0. + THIS MEANS THAT WE ARE NO LONGER COMPATIBLE WITH SSH VERSIONS + PRIOR TO 1.1.0. + + * randoms.c (random_acquire_light_environmental_noise): If + /dev/random is available, read up to 32 bytes (256 bits) from + there in non-blocking mode, and mix the new random bytes into + the pool. + + * Added client configuration option StrictHostKeyChecking + (disabled by default). If this is enabled, the client will not + automatically add new host keys to $HOME/.ssh/known_hosts; + instead the connection will be refused if the host key is not + known. Similarly, if the host key has changed, the connection + will be refused instead if just issuing a warning. This + provides additional security against man-in-the-middle/trojan + horse attacks (especially in scripts where there is no-one to + see the warnings), but may be quite inconvenient in everyday + interactive use unless /etc/ssh_known_hosts is very complete, + because new host keys must now be added manually. + + * sshconnect.c (ssh_connect): Use the user's uid when creating the + socket and connecting it. I am hoping that this might help with + tcp_wrappers showing the remote user as root. + + * ssh.c: Try inet-domain X11 forwarding regardless of whether we + can get local authorization information. If we don't, we just + come up with fake information; the forwarding code will anyway + generate its own fake information and validate that the client + knows that information. It will then substitute our fake + information for that, but that info should get ignored by the + server if it doesn't support it. + + * Added option BatchMode to disable password/passphrase querying + in scripts. + + * auth-rh-rsa.c: Changed to use uid-swapping when reading + .ssh/known_hosts. + + * sshd.8.in (command): Improved documentation of file permissions + on the manual pages. + +Thu Oct 19 21:05:51 1995 Tatu Ylonen + + * ssh-add.c (add_file): Fixed a bug causing ssh to sometimes refer + to freed memory (comment -> saved_comment). + + * log-server.c: Added a prefix to debug/warning/error/fatal + messages describing message types. Syslog does not include that + information automatically. + +Sun Oct 8 01:56:01 1995 Tatu Ylonen + + * Merged /etc/default/login and MAIL environment variable changes + from Bryan O'Sullivan . + - mail spool file location + - process /etc/default/login + - add HAVE_ETC_DEFAULT_LOGIN + - new function child_get_env and read_etc_default_login (sshd.c) + + * ssh-add.c (add_file): Fixed asking for passphrase. + + * Makefile.in: Fixed installing configure-generated man pages when + compiling in a separate object directory. + + * sshd.c (main): Moved RSA key generation until after allocating + the port number. (Actually, the code got duplicated because we + never listen when run from inetd.) + + * ssh.c: Fixed a problem that caused scp to hang when called with + stdin closed. + +Sat Oct 7 03:08:06 1995 Tatu Ylonen + + * Added server config option StrictModes. It specifies whether to + check ownership and modes of home directory and .rhosts files. + + * ssh.c: If ssh is renamed/linked to a host name, connect to that + host. + + * serverloop.c, clientloop.c: Ignore EAGAIN reported on read from + connection. Solaris has a kernel bug which causes select() to + sometimes wake up even though there is no data available. + + * Display all open connections when printing the "Waiting for + forwarded connections to terminate" message. + + * sshd.c, readconf.c: Added X11InetForwarding and + X11UnixForwarding server config options. + +Thu Oct 5 17:41:16 1995 Tatu Ylonen + + * Some more SCO fixes. + +Tue Oct 3 01:04:34 1995 Tatu Ylonen + + * Fixes and cleanups in README, INSTALL, COPYING. + +Mon Oct 2 03:36:08 1995 Tatu Ylonen + + * ssh-add.c (add_file): Fixed a bug in ssh-add (xfree: NULL ...). + + * Removed .BR from ".SH NAME" in man pages. + +Sun Oct 1 04:16:07 1995 Tatu Ylonen + + * ssh-1.2.10. + + * configure.in: When checking that the compiler works, check that + it understands ANSI C prototypes. + + * Made uidswap error message a debug() to avoid confusing errors + on AIX (AIX geteuid is brain-damaged and fails even for root). + + * Fixed an error in sshd.8 (FacistLogging -> FascistLogging). + + * Fixed distribution in Makefile.in (missing manual page .in files). + +Sat Sep 30 17:38:46 1995 Tatu Ylonen + + * auth-rhosts.c: Fixed serious security problem in + /etc/hosts.equiv authentication. + +Fri Sep 29 00:41:02 1995 Tatu Ylonen + + * Include machine/endian.h on Paragon. + + * ssh-add.c (add_file): Made ssh-add keep asking for the + passphrase until the user just types return or cancels. + Make the dialog display the comment of the key. + + * Read use shosts.equiv in addition to /etc/hosts.equiv. + + * sshd.8 is now sshd.8.in and is processed by configure to + substitute the proper paths for various files. Ditto for ssh.1. + Ditto for make-ssh-known-hosts.1. + + * configure.in: Moved /etc/sshd_pid to PIDDIR/sshd.pid. PIDDIR + will be /var/run if it exists, and ETCDIR otherwise. + +Thu Sep 28 21:52:42 1995 Tatu Ylonen + + * On Ultrix, check if sys/syslog.h needs to be included in + addition to syslog.h. + + * make-ssh-known-hosts.pl: Merged Kivinen's fixes for HPUX. + + * configure.in: Put -lwrap, -lsocks, etc. at the head of LIBS. + + * Fixed case-insensitivity in auth-rhosts.c. + + * Added missing socketpair.c to EXTRA_SRCS (needed on SCO), plus + other SCO fixes. + + * Makefile.in: Fixed missing install_prefixes. + +Wed Sep 27 03:57:00 1995 Tatu Ylonen + + * ssh-1.2.9. + + * Added SOCKS support. + + * Fixed default setting of IgnoreRhosts option. + + * Pass the magic cookie to xauth in stdin instead of command line; + the command line is visible in ps. + + * Added processing $HOME/.ssh/rc and /etc/sshrc. + + * Added a section to sshd.8 on what happens at login time. + +Tue Sep 26 01:27:40 1995 Tatu Ylonen + + * Don't define speed_t on SunOS 4.1.1; it conflicts with system + headers. + + * Added support for .hushlogin. + + * Added --with-etcdir. + + * Read $HOME/.environment after /etc/environment. + +Mon Sep 25 03:26:06 1995 Tatu Ylonen + + * Merged patches for SCO Unix (from Michael Henits). + +Sun Sep 24 22:28:02 1995 Tatu Ylonen + + * Added ssh option ConnectionAttempts. + +Sat Sep 23 12:30:15 1995 Tatu Ylonen + + * sshd.c: Don't print last login time and /etc/motd if a command + has been specified (with ssh -t host command). + + * Added support for passing the screen number in X11 forwarding. + It is implemented as a compatible protocol extension, signalled + by SSH_PROTOFLAG_SCREEN_NUMBER by the child. + + * clientloop.c: Fixed bugs in the order in which things were + processed. This may solve problems with some data not getting + sent to the server as soon as possible (probably solves the TCP + forwarding delayed close problem). Also, it looked like window + changes might not get transmitted as early as possible in some + cases. + + * clientloop.c: Changed to detect window size change that + happened while ssh was suspended. + + * ssh.c: Moved the do_session function (client main loop) to + clientloop.c. Divided it into smaller functions. General cleanup. + + * ssh-1.2.8 + +Fri Sep 22 22:07:46 1995 Tatu Ylonen + + * sshconnect.c (ssh_login): Made ssh_login take the options + structure as argument, instead of the individual arguments. + + * auth-rhosts.c (check_rhosts_file): Added support for netgroups. + + * auth-rhosts.c (check_rhosts_file): Added support for negated + entries. + +Thu Sep 21 00:07:56 1995 Tatu Ylonen + + * auth-rhosts.c: Restructured rhosts authentication code. + Hosts.equiv now has same format as .rhosts: user names are allowed. + + * Added support for the Intel Paragon. + + * sshd.c: Don't use X11 forwarding with spoofing if no xauth + program. Changed configure.in to not define XAUTH_PATH if + there is no xauth program. + + * ssh-1.2.7 + + * sshd.c: Rewrote the code to build the environment. Now also reads + /etc/environment. + + * sshd.c: Fixed problems in libwrap code. --with-libwrap now + takes optional library name/path. + + * ssh-1.2.6 + + * Define USE_PIPES by default. + + * Added support for Univel Unixware and MachTen. + + * Added IgnoreRhosts server option. + + * Added USE_STRLEN_FOR_AF_UNIX; it is needed at least on MachTen. + +Wed Sep 20 02:41:02 1995 Tatu Ylonen + + * sshd.c (do_child): don't call packet_close when /etc/nologin, + because packet_close does shutdown, and the message does not get + sent. + + * pty.c (pty_allocate): Push ttcompat streams module. + + * randoms.c (random_acquire_light_environmental_noise): Don't use + the second argument to gettimeofday as it is not supported on + all systems. + + * login.c (record_login): Added NULL second argument to gettimeofday. + +Tue Sep 19 13:25:48 1995 Tatu Ylonen + + * fixed pclose wait() in sshd key regeneration (now only collects + easily available noise). + + * configure.in: test for bsdi before bsd*. + + * ssh.c: Don't print "Connection closed" if -q. + +Wed Sep 13 04:19:52 1995 Tatu Ylonen + + * Released ssh-1.2.5. + + * Hopefully fixed "Waiting for forwarded connections to terminate" + message. + + * randoms.c, md5.c: Large modifications to make these work on Cray + (which has no 32 bit integer type). + + * Fixed a problem with forwarded connection closes not being + reported immediately. + + * ssh.c: fixed rhosts authentication (broken by uid-swapping). + + * scp.c: Don't use -l if server user not specified (it made + setting User in the configuration file not work). + + * configure.in: don't use -pipe on BSDI. + + * randoms.c: Major modifications to make it work without 32 bit + integers (e.g. Cray). + + * md5.c: Major modifications to make it work without 32 bit + integers (e.g. Cray). + + * Eliminated HPSUX_BROKEN_PTYS. The code is now enabled by + default on all systems. + +Mon Sep 11 00:53:12 1995 Tatu Ylonen + + * sshd.c: don't include sshd pathname in log messages. + + * Added libwrap stuff (includes support for identd). + + * Added OSF/1 C2 extended security stuff. + + * Fixed interactions between getuid() and uid-swap stuff. + +Sun Sep 10 00:29:27 1995 Tatu Ylonen + + * serverloop.c: Don't send stdout data to client until after a few + milliseconds if there is very little data. This is because some + systems give data from pty one character at a time, which would + multiply data size by about 16. + + * serverloop.c: Moved server do_session to a separate file and + renamed it server_loop. Split it into several functions and + partially rewrote it. Fixed "cat /etc/termcap | ssh foo cat" hangup. + + * Screwed up something while checking stuff in under cvs. No harm, + but bogus log entries... + +Sat Sep 9 02:24:51 1995 Tatu Ylonen + + * minfd.c (_get_permanent_fd): Use SHELL environment variable. + + * channels.c (x11_create_display_inet): Created + HPSUX_NONSTANDARD_X11_KLUDGE; it causes DISPLAY to contain the + IP address of the host instead of the name, because HPSUX uses + some magic shared memory communication for local connections. + + * Changed SIGHUP processing in server; it should now work multiple + times. + + * Added length limits in many debug/log/error/fatal calls just in + case. + + * login.c (get_last_login_time): Fixed location of lastlog. + + * Rewrote all uid-swapping code. New files uidswap.h, uidswap.c. + + * Fixed several security problems involving chmod and chgrp (race + conditions). Added warnings about dubious modes for /tmp/.X11-unix. + +Fri Sep 8 20:03:36 1995 Tatu Ylonen + + * Changed readconf.c to never display anything from the config + file. This should now be prevented otherwise, but let's play safe. + + * log-server.c: Use %.500s in syslog() just to be sure (they + should already be shorter than 1024 though). + + * sshd.c: Moved setuid in child a little earlier (just to be + conservative, there was no security problem that I could detect). + + * README, INSTALL: Added info about mailing list and WWW page. + + * sshd.c: Added code to use SIGCHLD and wait zombies immediately. + + * Merged patch to set ut_addr in utmp. + + * Created ChangeLog and added it to Makefile.in. + + * Use read_passphrase instead of getpass(). + + * Added SSH_FALLBACK_CIPHER. Fixed a bug in default cipher + selection (IDEA used to be selected even if not supported by the + server). + + * Use no encryption for key files if empty passphrase. + + * Added section about --without-idea in INSTALL. + + * Version 1.2.0 was released a couple of days ago. + diff -ruN --exclude CVS ssh-openbsd-1999111200/Makefile openssh-1.2pre10/Makefile --- ssh-openbsd-1999111200/Makefile Tue Oct 26 06:27:26 1999 +++ openssh-1.2pre10/Makefile Thu Jan 1 10:00:00 1970 @@ -1,13 +0,0 @@ -# $OpenBSD: Makefile,v 1.5 1999/10/25 20:27:26 markus Exp $ - -.include - -SUBDIR= lib ssh sshd ssh-add ssh-keygen ssh-agent scp - -distribution: - install -C -o root -g wheel -m 0644 ${.CURDIR}/ssh_config \ - ${DESTDIR}/etc/ssh_config - install -C -o root -g wheel -m 0644 ${.CURDIR}/sshd_config \ - ${DESTDIR}/etc/sshd_config - -.include diff -ruN --exclude CVS ssh-openbsd-1999111200/Makefile.in openssh-1.2pre10/Makefile.in --- ssh-openbsd-1999111200/Makefile.in Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre10/Makefile.in Thu Nov 11 17:57:39 1999 @@ -0,0 +1,96 @@ +prefix=@prefix@ +exec_prefix=@exec_prefix@ +bindir=@bindir@ +sbindir=@sbindir@ +libdir=@libdir@ +mandir=@mandir@ + +SSH_PROGRAM=@bindir@/ssh +ASKPASS_PROGRAM=@libdir@/ssh/ssh-askpass + +CC=@CC@ +PATHS=-DETCDIR=\"@sysconfdir@\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DASKPASS_PROGRAM=\"$(ASKPASS_PROGRAM)\" +CFLAGS=@CFLAGS@ $(PATHS) @DEFS@ +EXTRA_TARGETS=@GNOME_ASKPASS@ +TARGETS=libssh.a ssh sshd ssh-add ssh-keygen ssh-agent scp $(EXTRA_TARGETS) +LIBS=@LIBS@ +AR=@AR@ +RANLIB=@RANLIB@ + +GNOME_CFLAGS=`gnome-config --cflags gnome gnomeui` +GNOME_LIBS=`gnome-config --libs gnome gnomeui` + +OBJS= authfd.o authfile.o auth-passwd.o auth-rhosts.o auth-rh-rsa.o \ + auth-rsa.o bufaux.o buffer.o canohost.o channels.o cipher.o \ + clientloop.o compress.o crc32.o deattack.o helper.o hostfile.o \ + log-client.o login.o log-server.o match.o mpaux.o packet.o pty.o \ + readconf.o readpass.o rsa.o servconf.o serverloop.o \ + sshconnect.o tildexpand.o ttymodes.o uidswap.o xmalloc.o \ + helper.o mktemp.o strlcpy.o rc4.o + +all: $(OBJS) $(TARGETS) + +libssh.a: authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o hostfile.o match.o mpaux.o nchan.o packet.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o xmalloc.o helper.o rc4.o mktemp.o strlcpy.o log.o + $(AR) rv $@ $^ + $(RANLIB) $@ + +ssh: ssh.o sshconnect.o log-client.o readconf.o clientloop.o libssh.a + $(CC) -o $@ $^ $(LFLAGS) $(LIBS) + +sshd: sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o log-server.o login.o servconf.o serverloop.o libssh.a + $(CC) -o $@ $^ $(LFLAGS) $(LIBS) + +scp: scp.o libssh.a + $(CC) -o $@ $^ $(LFLAGS) $(LIBS) + +ssh-add: ssh-add.o log-client.o libssh.a + $(CC) -o $@ $^ $(LFLAGS) $(LIBS) + +ssh-agent: ssh-agent.o log-client.o libssh.a + $(CC) -o $@ $^ $(LFLAGS) $(LIBS) + +ssh-keygen: ssh-keygen.o log-client.o libssh.a + $(CC) -o $@ $^ $(LFLAGS) $(LIBS) + +gnome-ssh-askpass: gnome-ssh-askpass.c + $(CC) $(CFLAGS) $(GNOME_CFLAGS) -o $@ gnome-ssh-askpass.c $(GNOME_LIBS) + +clean: + rm -f *.o core $(TARGETS) config.status config.cache config.log + +install: all + install -d $(bindir) + install -d $(sbindir) + install -d $(mandir) + install -d $(mandir)/man1 + install -d $(mandir)/man8 + install -d $(libdir) + install -d $(libdir)/ssh + install -s -c ssh $(bindir)/ssh + ln -sf ssh $(bindir)/slogin + install -s -c scp $(bindir)/scp + install -s -c ssh-add $(bindir)/ssh-add + if [ -z "@GNOME_ASKPASS@" ] ; then \ + install -m755 -c ssh-askpass $(libdir)/ssh/ssh-askpass; \ + else \ + install -m755 -c gnome-ssh-askpass $(libdir)/ssh/ssh-askpass; \ + fi + install -s -c ssh-agent $(bindir)/ssh-agent + install -s -c ssh-keygen $(bindir)/ssh-keygen + install -s -c sshd $(sbindir)/sshd + install -m644 -c ssh.1 $(mandir)/man1/ssh.1 + ln -sf ssh.1 $(mandir)/man1/slogin.1 + install -m644 -c scp.1 $(mandir)/man1/scp.1 + install -m644 -c ssh-add.1 $(mandir)/man1/ssh-add.1 + install -m644 -c ssh-agent.1 $(mandir)/man1/ssh-agent.1 + install -m644 -c ssh-keygen.1 $(mandir)/man1/ssh-keygen.1 + install -m644 -c sshd.8 $(mandir)/man8/sshd.8 + +distclean: clean + rm -f Makefile config.h core *~ + +mrproper: distclean + +veryclean: distclean + rm -f configure config.h.in + diff -ruN --exclude CVS ssh-openbsd-1999111200/Makefile.inc openssh-1.2pre10/Makefile.inc --- ssh-openbsd-1999111200/Makefile.inc Tue Oct 26 06:27:26 1999 +++ openssh-1.2pre10/Makefile.inc Thu Jan 1 10:00:00 1970 @@ -1,11 +0,0 @@ -CFLAGS+= -I${.CURDIR}/.. - -.include - -.if exists(${.CURDIR}/../lib/${__objdir}) -LDADD+= -L${.CURDIR}/../lib/${__objdir} -lssh -DPADD+= ${.CURDIR}/../lib/${__objdir}/libssh.a -.else -LDADD+= -L${.CURDIR}/../lib -lssh -DPADD+= ${.CURDIR}/../lib/libssh.a -.endif diff -ruN --exclude CVS ssh-openbsd-1999111200/README openssh-1.2pre10/README --- ssh-openbsd-1999111200/README Mon Sep 27 06:53:32 1999 +++ openssh-1.2pre10/README Thu Nov 11 10:50:04 1999 @@ -1,563 +1,73 @@ -Ssh (Secure Shell) is a program to log into another computer over a -network, to execute commands in a remote machine, and to move files -from one machine to another. It provides strong authentication and -secure communications over insecure channels. It is inteded as a -replacement for rlogin, rsh, rcp, and rdist. - -See the file INSTALL for installation instructions. See COPYING for -license terms and other legal issues. See RFC for a description of -the protocol. There is a WWW page for ssh; see http://www.cs.hut.fi/ssh. - -This file has been updated to match ssh-1.2.12. - - -FEATURES - - o Strong authentication. Closes several security holes (e.g., IP, - routing, and DNS spoofing). New authentication methods: .rhosts - together with RSA based host authentication, and pure RSA - authentication. - - o Improved privacy. All communications are automatically and - transparently encrypted. RSA is used for key exchange, and a - conventional cipher (normally IDEA, DES, or triple-DES) for - encrypting the session. Encryption is started before - authentication, and no passwords or other information is - transmitted in the clear. Encryption is also used to protect - against spoofed packets. - - o Secure X11 sessions. The program automatically sets DISPLAY on - the server machine, and forwards any X11 connections over the - secure channel. Fake Xauthority information is automatically - generated and forwarded to the remote machine; the local client - automatically examines incoming X11 connections and replaces the - fake authorization data with the real data (never telling the - remote machine the real information). - - o Arbitrary TCP/IP ports can be redirected through the encrypted channel - in both directions (e.g., for e-cash transactions). - - o No retraining needed for normal users; everything happens - automatically, and old .rhosts files will work with strong - authentication if administration installs host key files. - - o Never trusts the network. Minimal trust on the remote side of - the connection. Minimal trust on domain name servers. Pure RSA - authentication never trusts anything but the private key. - - o Client RSA-authenticates the server machine in the beginning of - every connection to prevent trojan horses (by routing or DNS - spoofing) and man-in-the-middle attacks, and the server - RSA-authenticates the client machine before accepting .rhosts or - /etc/hosts.equiv authentication (to prevent DNS, routing, or - IP-spoofing). - - o Host authentication key distribution can be centrally by the - administration, automatically when the first connection is made - to a machine (the key obtained on the first connection will be - recorded and used for authentication in the future), or manually - by each user for his/her own use. The central and per-user host - key repositories are both used and complement each other. Host - keys can be generated centrally or automatically when the software - is installed. Host authentication keys are typically 1024 bits. - - o Any user can create any number of user authentication RSA keys for - his/her own use. Each user has a file which lists the RSA public - keys for which proof of possession of the corresponding private - key is accepted as authentication. User authentication keys are - typically 1024 bits. - - o The server program has its own server RSA key which is - automatically regenerated every hour. This key is never saved in - any file. Exchanged session keys are encrypted using both the - server key and the server host key. The purpose of the separate - server key is to make it impossible to decipher a captured session by - breaking into the server machine at a later time; one hour from - the connection even the server machine cannot decipher the session - key. The key regeneration interval is configurable. The server - key is normally 768 bits. - - o An authentication agent, running in the user's laptop or local - workstation, can be used to hold the user's RSA authentication - keys. Ssh automatically forwards the connection to the - authentication agent over any connections, and there is no need to - store the RSA authentication keys on any machine in the network - (except the user's own local machine). The authentication - protocols never reveal the keys; they can only be used to verify - that the user's agent has a certain key. Eventually the agent - could rely on a smart card to perform all authentication - computations. - - o The software can be installed and used (with restricted - functionality) even without root privileges. - - o The client is customizable in system-wide and per-user - configuration files. Most aspects of the client's operation can - be configured. Different options can be specified on a per-host basis. - - o Automatically executes conventional rsh (after displaying a - warning) if the server machine is not running sshd. - - o Optional compression of all data with gzip (including forwarded X11 - and TCP/IP port data), which may result in significant speedups on - slow connections. - - o Complete replacement for rlogin, rsh, and rcp. - - -WHY TO USE SECURE SHELL - -Currently, almost all communications in computer networks are done -without encryption. As a consequence, anyone who has access to any -machine connected to the network can listen in on any communication. -This is being done by hackers, curious administrators, employers, -criminals, industrial spies, and governments. Some networks leak off -enough electromagnetic radiation that data may be captured even from a -distance. - -When you log in, your password goes in the network in plain -text. Thus, any listener can then use your account to do any evil he -likes. Many incidents have been encountered worldwide where crackers -have started programs on workstations without the owners knowledge -just to listen to the network and collect passwords. Programs for -doing this are available on the Internet, or can be built by a -competent programmer in a few hours. - -Any information that you type or is printed on your screen can be -monitored, recorded, and analyzed. For example, an intruder who has -penetrated a host connected to a major network can start a program -that listens to all data flowing in the network, and whenever it -encounters a 16-digit string, it checks if it is a valid credit card -number (using the check digit), and saves the number plus any -surrounding text (to catch expiration date and holder) in a file. -When the intruder has collected a few thousand credit card numbers, he -makes smallish mail-order purchases from a few thousand stores around -the world, and disappears when the goods arrive but before anyone -suspects anything. - -Businesses have trade secrets, patent applications in preparation, -pricing information, subcontractor information, client data, personnel -data, financial information, etc. Currently, anyone with access to -the network (any machine on the network) can listen to anything that -goes in the network, without any regard to normal access restrictions. - -Many companies are not aware that information can so easily be -recovered from the network. They trust that their data is safe -since nobody is supposed to know that there is sensitive information -in the network, or because so much other data is transferred in the -network. This is not a safe policy. - -Individual persons also have confidential information, such as -diaries, love letters, health care documents, information about their -personal interests and habits, professional data, job applications, -tax reports, political documents, unpublished manuscripts, etc. - -One should also be aware that economical intelligence and industrial -espionage has recently become a major priority of the intelligence -agencies of major governments. President Clinton recently assigned -economical espionage as the primary task of the CIA, and the French -have repeatedly been publicly boasting about their achievements on -this field. - - -There is also another frightening aspect about the poor security of -communications. Computer storage and analysis capability has -increased so much that it is feasible for governments, major -companies, and criminal organizations to automatically analyze, -identify, classify, and file information about millions of people over -the years. Because most of the work can be automated, the cost of -collecting this information is getting very low. - -Government agencies may be able to monitor major communication -systems, telephones, fax, computer networks, etc., and passively -collect huge amounts of information about all people with any -significant position in the society. Most of this information is not -sensitive, and many people would say there is no harm in someone -getting that information. However, the information starts to get -sensitive when someone has enough of it. You may not mind someone -knowing what you bought from the shop one random day, but you might -not like someone knowing every small thing you have bought in the last -ten years. - -If the government some day starts to move into a more totalitarian -direction (one should remember that Nazi Germany was created by -democratic elections), there is considerable danger of an ultimate -totalitarian state. With enough information (the automatically -collected records of an individual can be manually analyzed when the -person becomes interesting), one can form a very detailed picture of -the individual's interests, opinions, beliefs, habits, friends, -lovers, weaknesses, etc. This information can be used to 1) locate -any persons who might oppose the new system 2) use deception to -disturb any organizations which might rise against the government 3) -eliminate difficult individuals without anyone understanding what -happened. Additionally, if the government can monitor communications -too effectively, it becomes too easy to locate and eliminate any -persons distributing information contrary to the official truth. - -Fighting crime and terrorism are often used as grounds for domestic -surveillance and restricting encryption. These are good goals, but -there is considerable danger that the surveillance data starts to get -used for questionable purposes. I find that it is better to tolerate -a small amount of crime in the society than to let the society become -fully controlled. I am in favor of a fairly strong state, but the -state must never get so strong that people become unable to spread -contra-offical information and unable to overturn the government if it -is bad. The danger is that when you notice that the government is -too powerful, it is too late. Also, the real power may not be where -the official government is. - -For these reasons (privacy, protecting trade secrets, and making it -more difficult to create a totalitarian state), I think that strong -cryptography should be integrated to the tools we use every day. -Using it causes no harm (except for those who wish to monitor -everything), but not using it can cause huge problems. If the society -changes in undesirable ways, then it will be to late to start -encrypting. - -Encryption has had a "military" or "classified" flavor to it. There -are no longer any grounds for this. The military can and will use its -own encryption; that is no excuse to prevent the civilians from -protecting their privacy and secrets. Information on strong -encryption is available in every major bookstore, scientific library, -and patent office around the world, and strong encryption software is -available in every country on the Internet. - -Some people would like to make it illegal to use encryption, or to -force people to use encryption that governments can break. This -approach offers no protection if the government turns bad. Also, the -"bad guys" will be using true strong encryption anyway. Good -encryption techniques are too widely known to make them disappear. -Thus, any "key escrow encryption" or other restrictions will only help -monitor ordinary people and petty criminals. It does not help against -powerful criminals, terrorists, or espionage, because they will know -how to use strong encryption anyway. (One source for internationally -available encryption software is http://www.cs.hut.fi/crypto.) - - -OVERVIEW OF SECURE SHELL - -The software consists of a number of programs. - - sshd Server program run on the server machine. This - listens for connections from client machines, and - whenever it receives a connection, it performs - authentication and starts serving the client. - - ssh This is the client program used to log into another - machine or to execute commands on the other machine. - "slogin" is another name for this program. - - scp Securely copies files from one machine to another. - - ssh-keygen Used to create RSA keys (host keys and user - authentication keys). - - ssh-agent Authentication agent. This can be used to hold RSA - keys for authentication. - - ssh-add Used to register new keys with the agent. - - make-ssh-known-hosts - Used to create the /etc/ssh_known_hosts file. - - -Ssh is the program users normally use. It is started as - - ssh host - -or - - ssh host command - -The first form opens a new shell on the remote machine (after -authentication). The latter form executes the command on the remote -machine. - -When started, the ssh connects sshd on the server machine, verifies -that the server machine really is the machine it wanted to connect, -exchanges encryption keys (in a manner which prevents an outside -listener from getting the keys), performs authentication using .rhosts -and /etc/hosts.equiv, RSA authentication, or conventional password -based authentication. The server then (normally) allocates a -pseudo-terminal and starts an interactive shell or user program. - -The TERM environment variable (describing the type of the user's -terminal) is passed from the client side to the remote side. Also, -terminal modes will be copied from the client side to the remote side -to preserve user preferences (e.g., the erase character). - -If the DISPLAY variable is set on the client side, the server will -create a dummy X server and set DISPLAY accordingly. Any connections -to the dummy X server will be forwarded through the secure channel, -and will be made to the real X server from the client side. An -arbitrary number of X programs can be started during the session, and -starting them does not require anything special from the user. (Note -that the user must not manually set DISPLAY, because then it would -connect directly to the real display instead of going through the -encrypted channel). This behavior can be disabled in the -configuration file or by giving the -x option to the client. - -Arbitrary IP ports can be forwarded over the secure channel. The -program then creates a port on one side, and whenever a connection is -opened to this port, it will be passed over the secure channel, and a -connection will be made from the other side to a specified host:port -pair. Arbitrary IP forwarding must always be explicitly requested, -and cannot be used to forward privileged ports (unless the user is -root). It is possible to specify automatic forwards in a per-user -configuration file, for example to make electronic cash systems work -securely. - -If there is an authentication agent on the client side, connection to -it will be automatically forwarded to the server side. - -For more infomation, see the manual pages ssh(1), sshd(8), scp(1), -ssh-keygen(1), ssh-agent(1), ssh-add(1), and make-ssh-known-hosts(1) -included in this distribution. - - -X11 CONNECTION FORWARDING - -X11 forwarding serves two purposes: it is a convenience to the user -because there is no need to set the DISPLAY variable, and it provides -encrypted X11 connections. I cannot think of any other easy way to -make X11 connections encrypted; modifying the X server, clients or -libraries would require special work for each machine, vendor and -application. Widely used IP-level encryption does not seem likely for -several years. Thus what we have left is faking an X server on the -same machine where the clients are run, and forwarding the connections -to a real X server over the secure channel. - -X11 forwarding works as follows. The client extracts Xauthority -information for the server. It then creates random authorization -data, and sends the random data to the server. The server allocates -an X11 display number, and stores the (fake) Xauthority data for this -display. Whenever an X11 connection is opened, the server forwards -the connection over the secure channel to the client, and the client -parses the first packet of the X11 protocol, substitutes real -authentication data for the fake data (if the fake data matched), and -forwards the connection to the real X server. - -If the display does not have Xauthority data, the server will create a -unix domain socket in /tmp/.X11-unix, and use the unix domain socket -as the display. No authentication information is forwarded in this -case. X11 connections are again forwarded over the secure channel. -To the X server the connections appear to come from the client -machine, and the server must have connections allowed from the local -machine. Using authentication data is always recommended because not -using it makes the display insecure. If XDM is used, it automatically -generates the authentication data. - -One should be careful not to use "xin" or "xstart" or other similar -scripts that explicitly set DISPLAY to start X sessions in a remote -machine, because the connection will then not go over the secure -channel. The recommended way to start a shell in a remote machine is - - xterm -e ssh host & - -and the recommended way to execute an X11 application in a remote -machine is - - ssh -n host emacs & - -If you need to type a password/passphrase for the remote machine, - - ssh -f host emacs - -may be useful. - - - -RSA AUTHENTICATION - -RSA authentication is based on public key cryptograpy. The idea is -that there are two encryption keys, one for encryption and another for -decryption. It is not possible (on human timescale) to derive the -decryption key from the encryption key. The encryption key is called -the public key, because it can be given to anyone and it is not -secret. The decryption key, on the other hand, is secret, and is -called the private key. - -RSA authentication is based on the impossibility of deriving the -private key from the public key. The public key is stored on the -server machine in the user's $HOME/.ssh/authorized_keys file. The -private key is only kept on the user's local machine, laptop, or other -secure storage. Then the user tries to log in, the client tells the -server the public key that the user wishes to use for authentication. -The server then checks if this public key is admissible. If so, it -generates a 256 bit random number, encrypts it with the public key, -and sends the value to the client. The client then decrypts the -number with its private key, computes a 128 bit MD5 checksum from the -resulting data, and sends the checksum back to the server. (Only a -checksum is sent to prevent chosen-plaintext attacks against RSA.) -The server checks computes a checksum from the correct data, -and compares the checksums. Authentication is accepted if the -checksums match. (Theoretically this indicates that the client -only probably knows the correct key, but for all practical purposes -there is no doubt.) - -The RSA private key can be protected with a passphrase. The -passphrase can be any string; it is hashed with MD5 to produce an -encryption key for IDEA, which is used to encrypt the private part of -the key file. With passphrase, authorization requires access to the key -file and the passphrase. Without passphrase, authorization only -depends on possession of the key file. - -RSA authentication is the most secure form of authentication supported -by this software. It does not rely on the network, routers, domain -name servers, or the client machine. The only thing that matters is -access to the private key. - -All this, of course, depends on the security of the RSA algorithm -itself. RSA has been widely known since about 1978, and no effective -methods for breaking it are known if it is used properly. Care has -been taken to avoid the well-known pitfalls. Breaking RSA is widely -believed to be equivalent to factoring, which is a very hard -mathematical problem that has received considerable public research. -So far, no effective methods are known for numbers bigger than about -512 bits. However, as computer speeds and factoring methods are -increasing, 512 bits can no longer be considered secure. The -factoring work is exponential, and 768 or 1024 bits are widely -considered to be secure in the near future. - - -RHOSTS AUTHENTICATION - -Conventional .rhosts and hosts.equiv based authentication mechanisms -are fundamentally insecure due to IP, DNS (domain name server) and -routing spoofing attacks. Additionally this authentication method -relies on the integrity of the client machine. These weaknesses is -tolerable, and been known and exploited for a long time. - -Ssh provides an improved version of these types of authentication, -because they are very convenient for the user (and allow easy -transition from rsh and rlogin). It permits these types of -authentication, but additionally requires that the client host be -authenticated using RSA. - -The server has a list of host keys stored in /etc/ssh_known_host, and -additionally each user has host keys in $HOME/.ssh/known_hosts. Ssh -uses the name servers to obtain the canonical name of the client host, -looks for its public key in its known host files, and requires the -client to prove that it knows the private host key. This prevents IP -and routing spoofing attacks (as long as the client machine private -host key has not been compromized), but is still vulnerable to DNS -attacks (to a limited extent), and relies on the integrity of the -client machine as to who is requesting to log in. This prevents -outsiders from attacking, but does not protect against very powerful -attackers. If maximal security is desired, only RSA authentication -should be used. - -It is possible to enable conventional .rhosts and /etc/hosts.equiv -authentication (without host authentication) at compile time by giving -the option --with-rhosts to configure. However, this is not -recommended, and is not done by default. - -These weaknesses are present in rsh and rlogin. No improvement in -security will be obtained unless rlogin and rsh are completely -disabled (commented out in /etc/inetd.conf). This is highly -recommended. - - -WEAKEST LINKS IN SECURITY - -One should understand that while this software may provide -cryptographically secure communications, it may be easy to -monitor the communications at their endpoints. - -Basically, anyone with root access on the local machine on which you -are running the software may be able to do anything. Anyone with root -access on the server machine may be able to monitor your -communications, and a very talented root user might even be able to -send his/her own requests to your authentication agent. - -One should also be aware that computers send out electromagnetic -radition that can sometimes be picked up hundreds of meters away. -Your keyboard is particularly easy to listen to. The image on your -monitor might also be seen on another monitor in a van parked behind -your house. - -Beware that unwanted visitors might come to your home or office and -use your machine while you are away. They might also make -modifications or install bugs in your hardware or software. - -Beware that the most effective way for someone to decrypt your data -may be with a rubber hose. - - -LEGAL ISSUES - -As far as I am concerned, anyone is permitted to use this software -freely. However, see the file COPYING for detailed copying, -licensing, and distribution information. - -In some countries, particularly France, Russia, Iraq, and Pakistan, -it may be illegal to use any encryption at all without a special -permit, and the rumor has it that you cannot get a permit for any -strong encryption. - -This software may be freely imported into the United States; however, -the United States Government may consider re-exporting it a criminal -offence. - -Note that any information and cryptographic algorithms used in this -software are publicly available on the Internet and at any major -bookstore, scientific library, or patent office worldwide. - -THERE IS NO WARRANTY FOR THIS PROGRAM. Please consult the file -COPYING for more information. - - -MAILING LISTS AND OTHER INFORMATION - -There is a mailing list for ossh. It is ossh@sics.se. If you would -like to join, send a message to majordomo@sics.se with "subscribe -ssh" in body. - -The WWW home page for ssh is http://www.cs.hut.fi/ssh. It contains an -archive of the mailing list, and detailed information about new -releases, mailing lists, and other relevant issues. - -Bug reports should be sent to ossh-bugs@sics.se. - - -ABOUT THE AUTHOR - -This software was written by Tatu Ylonen . I work as a -researcher at Helsinki University of Technology, Finland. For more -information, see http://www.cs.hut.fi/~ylo/. My PGP public key is -available via finger from ylo@cs.hut.fi and from the key servers. I -prefer PGP encrypted mail. - -The author can be contacted via ordinary mail at - Tatu Ylonen - Helsinki University of Technology - Otakaari 1 - FIN-02150 ESPOO - Finland - - Fax. +358-0-4513293 - - -ACKNOWLEDGEMENTS - -I thank Tero Kivinen, Timo Rinne, Janne Snabb, and Heikki Suonsivu for -their help and comments in the design, implementation and porting of -this software. I also thank numerous contributors, including but not -limited to Walker Aumann, Jurgen Botz, Hans-Werner Braun, Stephane -Bortzmeyer, Adrian Colley, Michael Cooper, David Dombek, Jerome -Etienne, Bill Fithen, Mark Fullmer, Bert Gijsbers, Andreas Gustafsson, -Michael Henits, Steve Johnson, Thomas Koenig, Felix Leitner, Gunnar -Lindberg, Andrew Macpherson, Marc Martinec, Paul Mauvais, Donald -McKillican, Leon Mlakar, Robert Muchsel, Mark Treacy, Bryan -O'Sullivan, Mikael Suokas, Ollivier Robert, Jakob Schlyter, Tomasz -Surmacz, Alvar Vinacua, Petri Virkkula, Michael Warfield, and -Cristophe Wolfhugel. - -Thanks also go to Philip Zimmermann, whose PGP software and the -associated legal battle provided inspiration, motivation, and many -useful techniques, and to Bruce Schneier whose book Applied -Cryptography has done a great service in widely distributing knowledge -about cryptographic methods. +This is the Unix port of OpenBSD's excellent OpenSSH. +OpenSSH is based on the last free version of Tatu Ylonen's SSH with +all patent-encumbered algorithms removed, all known security bugs +fixed, new features reintroduced and many other clean-ups. + +This port consists of the re-introduction of autoconf support, PAM +support (for Linux and Solaris), EGD[1] support, and replacements for +OpenBSD library functions that are (regrettably) absent from most +other unices. The only well tested platform currently is Linux, though +some Solaris support is beginning to filter in. This version actively +tracks changes in the OpenBSD CVS repository. + +The PAM support is now more functional than the popular packages of +commercial ssh-1.2.x. It checks "account" and "session" modules for +all logins, not just when using password authentication. This code is +very new and needs further testing. + +All new code is released under a XFree style license, which is very +liberal. Please refer to the source files for details. The code in +strlcpy.c and mktemp.c is from the OpenBSD project and has its own +license (again, see source file for details). + +OpenSSH depends on Zlib[2], OpenSSL[3] and optionally PAM[4]. To build +the GNOME[5] passphrase requestor (--with-gnome-askpass), you will +need the GNOME libraries installed. If you are building OpenSSH on a +Unix which lacks a kernel random number pool (/dev/random), you will +need to install EGD[1]. + +To build OpenSSH, use the configure script provided. For example: + +./configure --prefix=/opt/openssh +make +make install + +Will install the OpenSSH binaries in /opt/openssh/bin, the +configuration files in /opt/openssh/etc, and so forth. + +Damien Miller +Internet Business Solutions + +Credits - + +The OpenBSD team +'jonchen' - the original author of PAM support of SSH +Dan Brosemer - Autoconf and build fixes & Debian scripts +Niels Kristian Bech Jensen - Makefile patch +Nalin Dahyabhai - PAM environment patch +Phil Hands - Debian scripts, assorted patches +Niels Kristian Bech Jensen - Makefile patches +Marc G. Fournier" - Solaris patches + +Miscellania - + +This version of SSH is based upon code retrieved from the OpenBSD CVS +repository on 1999-11-09 which in turn was based on the last free +version of SSH released by Tatu Ylonen. + +Code in helper.[ch] and gnome-ssh-askpass.c is Copyright 1999 +Internet Business Solutions and is released under a X11-style +license (see source files for details). + +(A)RC4 code in rc4.[ch] is Copyright 1999 Damien Miller. It too is +under a X11-style license (see source file for details). + +References - + +[1] http://www.lothar.com/tech/crypto/ +[2] http://www.cdrom.com/pub/infozip/zlib/ +[3] http://www.openssl.org/ +[4] http://www.kernel.org/pub/linux/libs/pam/ (PAM is standard on Solaris) +[5] http://www.gnome.org/ -Copyright (c) 1995 Tatu Ylonen, Espoo, Finland. diff -ruN --exclude CVS ssh-openbsd-1999111200/README.Ylonen openssh-1.2pre10/README.Ylonen --- ssh-openbsd-1999111200/README.Ylonen Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre10/README.Ylonen Sat Oct 30 11:30:35 1999 @@ -0,0 +1,563 @@ +Ssh (Secure Shell) is a program to log into another computer over a +network, to execute commands in a remote machine, and to move files +from one machine to another. It provides strong authentication and +secure communications over insecure channels. It is inteded as a +replacement for rlogin, rsh, rcp, and rdist. + +See the file INSTALL for installation instructions. See COPYING for +license terms and other legal issues. See RFC for a description of +the protocol. There is a WWW page for ssh; see http://www.cs.hut.fi/ssh. + +This file has been updated to match ssh-1.2.12. + + +FEATURES + + o Strong authentication. Closes several security holes (e.g., IP, + routing, and DNS spoofing). New authentication methods: .rhosts + together with RSA based host authentication, and pure RSA + authentication. + + o Improved privacy. All communications are automatically and + transparently encrypted. RSA is used for key exchange, and a + conventional cipher (normally IDEA, DES, or triple-DES) for + encrypting the session. Encryption is started before + authentication, and no passwords or other information is + transmitted in the clear. Encryption is also used to protect + against spoofed packets. + + o Secure X11 sessions. The program automatically sets DISPLAY on + the server machine, and forwards any X11 connections over the + secure channel. Fake Xauthority information is automatically + generated and forwarded to the remote machine; the local client + automatically examines incoming X11 connections and replaces the + fake authorization data with the real data (never telling the + remote machine the real information). + + o Arbitrary TCP/IP ports can be redirected through the encrypted channel + in both directions (e.g., for e-cash transactions). + + o No retraining needed for normal users; everything happens + automatically, and old .rhosts files will work with strong + authentication if administration installs host key files. + + o Never trusts the network. Minimal trust on the remote side of + the connection. Minimal trust on domain name servers. Pure RSA + authentication never trusts anything but the private key. + + o Client RSA-authenticates the server machine in the beginning of + every connection to prevent trojan horses (by routing or DNS + spoofing) and man-in-the-middle attacks, and the server + RSA-authenticates the client machine before accepting .rhosts or + /etc/hosts.equiv authentication (to prevent DNS, routing, or + IP-spoofing). + + o Host authentication key distribution can be centrally by the + administration, automatically when the first connection is made + to a machine (the key obtained on the first connection will be + recorded and used for authentication in the future), or manually + by each user for his/her own use. The central and per-user host + key repositories are both used and complement each other. Host + keys can be generated centrally or automatically when the software + is installed. Host authentication keys are typically 1024 bits. + + o Any user can create any number of user authentication RSA keys for + his/her own use. Each user has a file which lists the RSA public + keys for which proof of possession of the corresponding private + key is accepted as authentication. User authentication keys are + typically 1024 bits. + + o The server program has its own server RSA key which is + automatically regenerated every hour. This key is never saved in + any file. Exchanged session keys are encrypted using both the + server key and the server host key. The purpose of the separate + server key is to make it impossible to decipher a captured session by + breaking into the server machine at a later time; one hour from + the connection even the server machine cannot decipher the session + key. The key regeneration interval is configurable. The server + key is normally 768 bits. + + o An authentication agent, running in the user's laptop or local + workstation, can be used to hold the user's RSA authentication + keys. Ssh automatically forwards the connection to the + authentication agent over any connections, and there is no need to + store the RSA authentication keys on any machine in the network + (except the user's own local machine). The authentication + protocols never reveal the keys; they can only be used to verify + that the user's agent has a certain key. Eventually the agent + could rely on a smart card to perform all authentication + computations. + + o The software can be installed and used (with restricted + functionality) even without root privileges. + + o The client is customizable in system-wide and per-user + configuration files. Most aspects of the client's operation can + be configured. Different options can be specified on a per-host basis. + + o Automatically executes conventional rsh (after displaying a + warning) if the server machine is not running sshd. + + o Optional compression of all data with gzip (including forwarded X11 + and TCP/IP port data), which may result in significant speedups on + slow connections. + + o Complete replacement for rlogin, rsh, and rcp. + + +WHY TO USE SECURE SHELL + +Currently, almost all communications in computer networks are done +without encryption. As a consequence, anyone who has access to any +machine connected to the network can listen in on any communication. +This is being done by hackers, curious administrators, employers, +criminals, industrial spies, and governments. Some networks leak off +enough electromagnetic radiation that data may be captured even from a +distance. + +When you log in, your password goes in the network in plain +text. Thus, any listener can then use your account to do any evil he +likes. Many incidents have been encountered worldwide where crackers +have started programs on workstations without the owners knowledge +just to listen to the network and collect passwords. Programs for +doing this are available on the Internet, or can be built by a +competent programmer in a few hours. + +Any information that you type or is printed on your screen can be +monitored, recorded, and analyzed. For example, an intruder who has +penetrated a host connected to a major network can start a program +that listens to all data flowing in the network, and whenever it +encounters a 16-digit string, it checks if it is a valid credit card +number (using the check digit), and saves the number plus any +surrounding text (to catch expiration date and holder) in a file. +When the intruder has collected a few thousand credit card numbers, he +makes smallish mail-order purchases from a few thousand stores around +the world, and disappears when the goods arrive but before anyone +suspects anything. + +Businesses have trade secrets, patent applications in preparation, +pricing information, subcontractor information, client data, personnel +data, financial information, etc. Currently, anyone with access to +the network (any machine on the network) can listen to anything that +goes in the network, without any regard to normal access restrictions. + +Many companies are not aware that information can so easily be +recovered from the network. They trust that their data is safe +since nobody is supposed to know that there is sensitive information +in the network, or because so much other data is transferred in the +network. This is not a safe policy. + +Individual persons also have confidential information, such as +diaries, love letters, health care documents, information about their +personal interests and habits, professional data, job applications, +tax reports, political documents, unpublished manuscripts, etc. + +One should also be aware that economical intelligence and industrial +espionage has recently become a major priority of the intelligence +agencies of major governments. President Clinton recently assigned +economical espionage as the primary task of the CIA, and the French +have repeatedly been publicly boasting about their achievements on +this field. + + +There is also another frightening aspect about the poor security of +communications. Computer storage and analysis capability has +increased so much that it is feasible for governments, major +companies, and criminal organizations to automatically analyze, +identify, classify, and file information about millions of people over +the years. Because most of the work can be automated, the cost of +collecting this information is getting very low. + +Government agencies may be able to monitor major communication +systems, telephones, fax, computer networks, etc., and passively +collect huge amounts of information about all people with any +significant position in the society. Most of this information is not +sensitive, and many people would say there is no harm in someone +getting that information. However, the information starts to get +sensitive when someone has enough of it. You may not mind someone +knowing what you bought from the shop one random day, but you might +not like someone knowing every small thing you have bought in the last +ten years. + +If the government some day starts to move into a more totalitarian +direction (one should remember that Nazi Germany was created by +democratic elections), there is considerable danger of an ultimate +totalitarian state. With enough information (the automatically +collected records of an individual can be manually analyzed when the +person becomes interesting), one can form a very detailed picture of +the individual's interests, opinions, beliefs, habits, friends, +lovers, weaknesses, etc. This information can be used to 1) locate +any persons who might oppose the new system 2) use deception to +disturb any organizations which might rise against the government 3) +eliminate difficult individuals without anyone understanding what +happened. Additionally, if the government can monitor communications +too effectively, it becomes too easy to locate and eliminate any +persons distributing information contrary to the official truth. + +Fighting crime and terrorism are often used as grounds for domestic +surveillance and restricting encryption. These are good goals, but +there is considerable danger that the surveillance data starts to get +used for questionable purposes. I find that it is better to tolerate +a small amount of crime in the society than to let the society become +fully controlled. I am in favor of a fairly strong state, but the +state must never get so strong that people become unable to spread +contra-offical information and unable to overturn the government if it +is bad. The danger is that when you notice that the government is +too powerful, it is too late. Also, the real power may not be where +the official government is. + +For these reasons (privacy, protecting trade secrets, and making it +more difficult to create a totalitarian state), I think that strong +cryptography should be integrated to the tools we use every day. +Using it causes no harm (except for those who wish to monitor +everything), but not using it can cause huge problems. If the society +changes in undesirable ways, then it will be to late to start +encrypting. + +Encryption has had a "military" or "classified" flavor to it. There +are no longer any grounds for this. The military can and will use its +own encryption; that is no excuse to prevent the civilians from +protecting their privacy and secrets. Information on strong +encryption is available in every major bookstore, scientific library, +and patent office around the world, and strong encryption software is +available in every country on the Internet. + +Some people would like to make it illegal to use encryption, or to +force people to use encryption that governments can break. This +approach offers no protection if the government turns bad. Also, the +"bad guys" will be using true strong encryption anyway. Good +encryption techniques are too widely known to make them disappear. +Thus, any "key escrow encryption" or other restrictions will only help +monitor ordinary people and petty criminals. It does not help against +powerful criminals, terrorists, or espionage, because they will know +how to use strong encryption anyway. (One source for internationally +available encryption software is http://www.cs.hut.fi/crypto.) + + +OVERVIEW OF SECURE SHELL + +The software consists of a number of programs. + + sshd Server program run on the server machine. This + listens for connections from client machines, and + whenever it receives a connection, it performs + authentication and starts serving the client. + + ssh This is the client program used to log into another + machine or to execute commands on the other machine. + "slogin" is another name for this program. + + scp Securely copies files from one machine to another. + + ssh-keygen Used to create RSA keys (host keys and user + authentication keys). + + ssh-agent Authentication agent. This can be used to hold RSA + keys for authentication. + + ssh-add Used to register new keys with the agent. + + make-ssh-known-hosts + Used to create the /etc/ssh_known_hosts file. + + +Ssh is the program users normally use. It is started as + + ssh host + +or + + ssh host command + +The first form opens a new shell on the remote machine (after +authentication). The latter form executes the command on the remote +machine. + +When started, the ssh connects sshd on the server machine, verifies +that the server machine really is the machine it wanted to connect, +exchanges encryption keys (in a manner which prevents an outside +listener from getting the keys), performs authentication using .rhosts +and /etc/hosts.equiv, RSA authentication, or conventional password +based authentication. The server then (normally) allocates a +pseudo-terminal and starts an interactive shell or user program. + +The TERM environment variable (describing the type of the user's +terminal) is passed from the client side to the remote side. Also, +terminal modes will be copied from the client side to the remote side +to preserve user preferences (e.g., the erase character). + +If the DISPLAY variable is set on the client side, the server will +create a dummy X server and set DISPLAY accordingly. Any connections +to the dummy X server will be forwarded through the secure channel, +and will be made to the real X server from the client side. An +arbitrary number of X programs can be started during the session, and +starting them does not require anything special from the user. (Note +that the user must not manually set DISPLAY, because then it would +connect directly to the real display instead of going through the +encrypted channel). This behavior can be disabled in the +configuration file or by giving the -x option to the client. + +Arbitrary IP ports can be forwarded over the secure channel. The +program then creates a port on one side, and whenever a connection is +opened to this port, it will be passed over the secure channel, and a +connection will be made from the other side to a specified host:port +pair. Arbitrary IP forwarding must always be explicitly requested, +and cannot be used to forward privileged ports (unless the user is +root). It is possible to specify automatic forwards in a per-user +configuration file, for example to make electronic cash systems work +securely. + +If there is an authentication agent on the client side, connection to +it will be automatically forwarded to the server side. + +For more infomation, see the manual pages ssh(1), sshd(8), scp(1), +ssh-keygen(1), ssh-agent(1), ssh-add(1), and make-ssh-known-hosts(1) +included in this distribution. + + +X11 CONNECTION FORWARDING + +X11 forwarding serves two purposes: it is a convenience to the user +because there is no need to set the DISPLAY variable, and it provides +encrypted X11 connections. I cannot think of any other easy way to +make X11 connections encrypted; modifying the X server, clients or +libraries would require special work for each machine, vendor and +application. Widely used IP-level encryption does not seem likely for +several years. Thus what we have left is faking an X server on the +same machine where the clients are run, and forwarding the connections +to a real X server over the secure channel. + +X11 forwarding works as follows. The client extracts Xauthority +information for the server. It then creates random authorization +data, and sends the random data to the server. The server allocates +an X11 display number, and stores the (fake) Xauthority data for this +display. Whenever an X11 connection is opened, the server forwards +the connection over the secure channel to the client, and the client +parses the first packet of the X11 protocol, substitutes real +authentication data for the fake data (if the fake data matched), and +forwards the connection to the real X server. + +If the display does not have Xauthority data, the server will create a +unix domain socket in /tmp/.X11-unix, and use the unix domain socket +as the display. No authentication information is forwarded in this +case. X11 connections are again forwarded over the secure channel. +To the X server the connections appear to come from the client +machine, and the server must have connections allowed from the local +machine. Using authentication data is always recommended because not +using it makes the display insecure. If XDM is used, it automatically +generates the authentication data. + +One should be careful not to use "xin" or "xstart" or other similar +scripts that explicitly set DISPLAY to start X sessions in a remote +machine, because the connection will then not go over the secure +channel. The recommended way to start a shell in a remote machine is + + xterm -e ssh host & + +and the recommended way to execute an X11 application in a remote +machine is + + ssh -n host emacs & + +If you need to type a password/passphrase for the remote machine, + + ssh -f host emacs + +may be useful. + + + +RSA AUTHENTICATION + +RSA authentication is based on public key cryptograpy. The idea is +that there are two encryption keys, one for encryption and another for +decryption. It is not possible (on human timescale) to derive the +decryption key from the encryption key. The encryption key is called +the public key, because it can be given to anyone and it is not +secret. The decryption key, on the other hand, is secret, and is +called the private key. + +RSA authentication is based on the impossibility of deriving the +private key from the public key. The public key is stored on the +server machine in the user's $HOME/.ssh/authorized_keys file. The +private key is only kept on the user's local machine, laptop, or other +secure storage. Then the user tries to log in, the client tells the +server the public key that the user wishes to use for authentication. +The server then checks if this public key is admissible. If so, it +generates a 256 bit random number, encrypts it with the public key, +and sends the value to the client. The client then decrypts the +number with its private key, computes a 128 bit MD5 checksum from the +resulting data, and sends the checksum back to the server. (Only a +checksum is sent to prevent chosen-plaintext attacks against RSA.) +The server checks computes a checksum from the correct data, +and compares the checksums. Authentication is accepted if the +checksums match. (Theoretically this indicates that the client +only probably knows the correct key, but for all practical purposes +there is no doubt.) + +The RSA private key can be protected with a passphrase. The +passphrase can be any string; it is hashed with MD5 to produce an +encryption key for IDEA, which is used to encrypt the private part of +the key file. With passphrase, authorization requires access to the key +file and the passphrase. Without passphrase, authorization only +depends on possession of the key file. + +RSA authentication is the most secure form of authentication supported +by this software. It does not rely on the network, routers, domain +name servers, or the client machine. The only thing that matters is +access to the private key. + +All this, of course, depends on the security of the RSA algorithm +itself. RSA has been widely known since about 1978, and no effective +methods for breaking it are known if it is used properly. Care has +been taken to avoid the well-known pitfalls. Breaking RSA is widely +believed to be equivalent to factoring, which is a very hard +mathematical problem that has received considerable public research. +So far, no effective methods are known for numbers bigger than about +512 bits. However, as computer speeds and factoring methods are +increasing, 512 bits can no longer be considered secure. The +factoring work is exponential, and 768 or 1024 bits are widely +considered to be secure in the near future. + + +RHOSTS AUTHENTICATION + +Conventional .rhosts and hosts.equiv based authentication mechanisms +are fundamentally insecure due to IP, DNS (domain name server) and +routing spoofing attacks. Additionally this authentication method +relies on the integrity of the client machine. These weaknesses is +tolerable, and been known and exploited for a long time. + +Ssh provides an improved version of these types of authentication, +because they are very convenient for the user (and allow easy +transition from rsh and rlogin). It permits these types of +authentication, but additionally requires that the client host be +authenticated using RSA. + +The server has a list of host keys stored in /etc/ssh_known_host, and +additionally each user has host keys in $HOME/.ssh/known_hosts. Ssh +uses the name servers to obtain the canonical name of the client host, +looks for its public key in its known host files, and requires the +client to prove that it knows the private host key. This prevents IP +and routing spoofing attacks (as long as the client machine private +host key has not been compromized), but is still vulnerable to DNS +attacks (to a limited extent), and relies on the integrity of the +client machine as to who is requesting to log in. This prevents +outsiders from attacking, but does not protect against very powerful +attackers. If maximal security is desired, only RSA authentication +should be used. + +It is possible to enable conventional .rhosts and /etc/hosts.equiv +authentication (without host authentication) at compile time by giving +the option --with-rhosts to configure. However, this is not +recommended, and is not done by default. + +These weaknesses are present in rsh and rlogin. No improvement in +security will be obtained unless rlogin and rsh are completely +disabled (commented out in /etc/inetd.conf). This is highly +recommended. + + +WEAKEST LINKS IN SECURITY + +One should understand that while this software may provide +cryptographically secure communications, it may be easy to +monitor the communications at their endpoints. + +Basically, anyone with root access on the local machine on which you +are running the software may be able to do anything. Anyone with root +access on the server machine may be able to monitor your +communications, and a very talented root user might even be able to +send his/her own requests to your authentication agent. + +One should also be aware that computers send out electromagnetic +radition that can sometimes be picked up hundreds of meters away. +Your keyboard is particularly easy to listen to. The image on your +monitor might also be seen on another monitor in a van parked behind +your house. + +Beware that unwanted visitors might come to your home or office and +use your machine while you are away. They might also make +modifications or install bugs in your hardware or software. + +Beware that the most effective way for someone to decrypt your data +may be with a rubber hose. + + +LEGAL ISSUES + +As far as I am concerned, anyone is permitted to use this software +freely. However, see the file COPYING for detailed copying, +licensing, and distribution information. + +In some countries, particularly France, Russia, Iraq, and Pakistan, +it may be illegal to use any encryption at all without a special +permit, and the rumor has it that you cannot get a permit for any +strong encryption. + +This software may be freely imported into the United States; however, +the United States Government may consider re-exporting it a criminal +offence. + +Note that any information and cryptographic algorithms used in this +software are publicly available on the Internet and at any major +bookstore, scientific library, or patent office worldwide. + +THERE IS NO WARRANTY FOR THIS PROGRAM. Please consult the file +COPYING for more information. + + +MAILING LISTS AND OTHER INFORMATION + +There is a mailing list for ossh. It is ossh@sics.se. If you would +like to join, send a message to majordomo@sics.se with "subscribe +ssh" in body. + +The WWW home page for ssh is http://www.cs.hut.fi/ssh. It contains an +archive of the mailing list, and detailed information about new +releases, mailing lists, and other relevant issues. + +Bug reports should be sent to ossh-bugs@sics.se. + + +ABOUT THE AUTHOR + +This software was written by Tatu Ylonen . I work as a +researcher at Helsinki University of Technology, Finland. For more +information, see http://www.cs.hut.fi/~ylo/. My PGP public key is +available via finger from ylo@cs.hut.fi and from the key servers. I +prefer PGP encrypted mail. + +The author can be contacted via ordinary mail at + Tatu Ylonen + Helsinki University of Technology + Otakaari 1 + FIN-02150 ESPOO + Finland + + Fax. +358-0-4513293 + + +ACKNOWLEDGEMENTS + +I thank Tero Kivinen, Timo Rinne, Janne Snabb, and Heikki Suonsivu for +their help and comments in the design, implementation and porting of +this software. I also thank numerous contributors, including but not +limited to Walker Aumann, Jurgen Botz, Hans-Werner Braun, Stephane +Bortzmeyer, Adrian Colley, Michael Cooper, David Dombek, Jerome +Etienne, Bill Fithen, Mark Fullmer, Bert Gijsbers, Andreas Gustafsson, +Michael Henits, Steve Johnson, Thomas Koenig, Felix Leitner, Gunnar +Lindberg, Andrew Macpherson, Marc Martinec, Paul Mauvais, Donald +McKillican, Leon Mlakar, Robert Muchsel, Mark Treacy, Bryan +O'Sullivan, Mikael Suokas, Ollivier Robert, Jakob Schlyter, Tomasz +Surmacz, Alvar Vinacua, Petri Virkkula, Michael Warfield, and +Cristophe Wolfhugel. + +Thanks also go to Philip Zimmermann, whose PGP software and the +associated legal battle provided inspiration, motivation, and many +useful techniques, and to Bruce Schneier whose book Applied +Cryptography has done a great service in widely distributing knowledge +about cryptographic methods. + + +Copyright (c) 1995 Tatu Ylonen, Espoo, Finland. diff -ruN --exclude CVS ssh-openbsd-1999111200/TODO openssh-1.2pre10/TODO --- ssh-openbsd-1999111200/TODO Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre10/TODO Tue Nov 9 10:28:04 1999 @@ -0,0 +1,11 @@ +- Replacement for setproctitle() + +- Improve PAM support (a pam_lastlog module will cause sshd to exit) + +- Better documentation + +- Port to other platforms + +- Fix paths in manpages using autoconf + +- Enable libwrap support using autoconf switch diff -ruN --exclude CVS ssh-openbsd-1999111200/acconfig.h openssh-1.2pre10/acconfig.h --- ssh-openbsd-1999111200/acconfig.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre10/acconfig.h Thu Nov 11 17:57:39 1999 @@ -0,0 +1,36 @@ +/* config.h.in. Generated by hand, don't use autoheader. */ + +/* SSL directory. */ +#undef ssldir + +/* Random number pool */ +#undef RANDOM_POOL + +/* Are we using the Entropy gathering daemon */ +#undef HAVE_EGD + +/* Define if your ssl headers are included with #include */ +#undef HAVE_SSL + +/* Define if your ssl headers are included with #include */ +#undef HAVE_OPENSSL + +/* Define is utmp.h has a ut_host field */ +#undef HAVE_HOST_IN_UTMP + +/* Define is libutil has login() function */ +#undef HAVE_LIBUTIL_LOGIN + + +/* Shouldn't need to edit below this line *************************** */ +#ifndef SHUT_RDWR +enum +{ + SHUT_RD = 0, /* No more receptions. */ +#define SHUT_RD SHUT_RD + SHUT_WR, /* No more transmissions. */ +#define SHUT_WR SHUT_WR + SHUT_RDWR /* No more receptions or transmissions. */ +#define SHUT_RDWR SHUT_RDWR +}; +#endif diff -ruN --exclude CVS ssh-openbsd-1999111200/auth-rsa.c openssh-1.2pre10/auth-rsa.c --- ssh-openbsd-1999111200/auth-rsa.c Wed Nov 3 15:22:42 1999 +++ openssh-1.2pre10/auth-rsa.c Mon Nov 8 16:15:55 1999 @@ -15,6 +15,7 @@ */ +#include "config.h" #include "includes.h" RCSID("$Id: auth-rsa.c,v 1.7 1999/11/02 19:42:34 markus Exp $"); @@ -25,8 +26,14 @@ #include "mpaux.h" #include "uidswap.h" +#ifdef HAVE_OPENSSL +#include +#include +#endif +#ifdef HAVE_SSL #include #include +#endif /* Flags that may be set in authorized_keys options. */ extern int no_port_forwarding_flag; @@ -93,6 +100,7 @@ len = BN_num_bytes(challenge); if (len <= 0 || len > 32) fatal("auth_rsa_challenge_dialog: bad challenge length %d", len); + memset(buf, 0, 32); BN_bn2bin(challenge, buf + 32 - len); MD5_Init(&md); diff -ruN --exclude CVS ssh-openbsd-1999111200/authfd.c openssh-1.2pre10/authfd.c --- ssh-openbsd-1999111200/authfd.c Fri Oct 15 04:17:41 1999 +++ openssh-1.2pre10/authfd.c Thu Oct 28 13:25:17 1999 @@ -13,6 +13,7 @@ */ +#include "config.h" #include "includes.h" RCSID("$Id: authfd.c,v 1.8 1999/10/14 18:17:41 markus Exp $"); @@ -24,7 +25,12 @@ #include "xmalloc.h" #include "getput.h" +#ifdef HAVE_OPENSSL +#include +#endif +#ifdef HAVE_SSL #include +#endif /* Returns the number of the authentication fd, or -1 if there is none. */ diff -ruN --exclude CVS ssh-openbsd-1999111200/authfile.c openssh-1.2pre10/authfile.c --- ssh-openbsd-1999111200/authfile.c Tue Oct 12 06:00:35 1999 +++ openssh-1.2pre10/authfile.c Thu Oct 28 13:25:17 1999 @@ -14,10 +14,17 @@ */ +#include "config.h" #include "includes.h" RCSID("$Id: authfile.c,v 1.7 1999/10/11 20:00:35 markus Exp $"); +#ifdef HAVE_OPENSSL +#include +#endif +#ifdef HAVE_SSL #include +#endif + #include "xmalloc.h" #include "buffer.h" #include "bufaux.h" diff -ruN --exclude CVS ssh-openbsd-1999111200/bufaux.c openssh-1.2pre10/bufaux.c --- ssh-openbsd-1999111200/bufaux.c Wed Nov 3 15:22:42 1999 +++ openssh-1.2pre10/bufaux.c Mon Nov 8 16:15:55 1999 @@ -14,11 +14,19 @@ */ +#include "config.h" #include "includes.h" RCSID("$Id: bufaux.c,v 1.3 1999/11/02 19:42:35 markus Exp $"); #include "ssh.h" + +#ifdef HAVE_OPENSSL +#include +#endif +#ifdef HAVE_SSL #include +#endif + #include "bufaux.h" #include "xmalloc.h" #include "getput.h" diff -ruN --exclude CVS ssh-openbsd-1999111200/cipher.c openssh-1.2pre10/cipher.c --- ssh-openbsd-1999111200/cipher.c Wed Nov 3 15:22:47 1999 +++ openssh-1.2pre10/cipher.c Mon Nov 8 16:15:55 1999 @@ -11,13 +11,19 @@ */ +#include "config.h" #include "includes.h" RCSID("$Id: cipher.c,v 1.13 1999/11/02 19:42:35 markus Exp $"); #include "ssh.h" #include "cipher.h" +#ifdef HAVE_OPENSSL +#include +#endif +#ifdef HAVE_SSL #include +#endif /* * What kind of tripple DES are these 2 routines? diff -ruN --exclude CVS ssh-openbsd-1999111200/cipher.h openssh-1.2pre10/cipher.h --- ssh-openbsd-1999111200/cipher.h Sun Oct 3 05:14:54 1999 +++ openssh-1.2pre10/cipher.h Thu Oct 28 13:25:17 1999 @@ -13,11 +13,19 @@ /* RCSID("$Id: cipher.h,v 1.7 1999/10/02 19:14:54 deraadt Exp $"); */ +#include "config.h" + #ifndef CIPHER_H #define CIPHER_H -#include +#ifdef HAVE_OPENSSL +#include +#include +#endif +#ifdef HAVE_SSL +#include #include +#endif /* Cipher types. New types can be added, but old types should not be removed for compatibility. The maximum allowed value is 31. */ diff -ruN --exclude CVS ssh-openbsd-1999111200/config.h.in openssh-1.2pre10/config.h.in --- ssh-openbsd-1999111200/config.h.in Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre10/config.h.in Fri Nov 12 12:24:13 1999 @@ -0,0 +1,70 @@ +/* config.h.in. Generated automatically from configure.in by autoheader. */ + +/* SSL directory. */ +#undef ssldir + +/* Random number pool */ +#undef RANDOM_POOL + +/* Are we using the Entropy gathering daemon */ +#undef HAVE_EGD + +/* Define if your ssl headers are included with #include */ +#undef HAVE_SSL + +/* Define if your ssl headers are included with #include */ +#undef HAVE_OPENSSL + +/* Define is utmp.h has a ut_host field */ +#undef HAVE_HOST_IN_UTMP + +/* Define is libutil has login() function */ +#undef HAVE_LIBUTIL_LOGIN + +/* Define if you have the arc4random function. */ +#undef HAVE_ARC4RANDOM + +/* Define if you have the mkdtemp function. */ +#undef HAVE_MKDTEMP + +/* Define if you have the openpty function. */ +#undef HAVE_OPENPTY + +/* Define if you have the setlogin function. */ +#undef HAVE_SETLOGIN + +/* Define if you have the setproctitle function. */ +#undef HAVE_SETPROCTITLE + +/* Define if you have the strlcpy function. */ +#undef HAVE_STRLCPY + +/* Define if you have the header file. */ +#undef HAVE_ENDIAN_H + +/* Define if you have the header file. */ +#undef HAVE_LASTLOG_H + +/* Define if you have the header file. */ +#undef HAVE_PATHS_H + +/* Define if you have the header file. */ +#undef HAVE_PTY_H + +/* Define if you have the crypto library (-lcrypto). */ +#undef HAVE_LIBCRYPTO + +/* Define if you have the dl library (-ldl). */ +#undef HAVE_LIBDL + +/* Define if you have the nsl library (-lnsl). */ +#undef HAVE_LIBNSL + +/* Define if you have the pam library (-lpam). */ +#undef HAVE_LIBPAM + +/* Define if you have the socket library (-lsocket). */ +#undef HAVE_LIBSOCKET + +/* Define if you have the z library (-lz). */ +#undef HAVE_LIBZ diff -ruN --exclude CVS ssh-openbsd-1999111200/configure openssh-1.2pre10/configure --- ssh-openbsd-1999111200/configure Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre10/configure Fri Nov 12 12:24:13 1999 @@ -0,0 +1,1878 @@ +#! /bin/sh + +# Guess values for system-dependent variables and create Makefiles. +# Generated automatically using autoconf version 2.13 +# Copyright (C) 1992, 93, 94, 95, 96 Free Software Foundation, Inc. +# +# This configure script is free software; the Free Software Foundation +# gives unlimited permission to copy, distribute and modify it. + +# Defaults: +ac_help= +ac_default_prefix=/usr/local +# Any additions from configure.in: +ac_help="$ac_help + --with-gnome-askpass Build and use the GNOME passphrase requester" +ac_help="$ac_help + --with-random=FILE read randomness from FILE (default /dev/urandom)" +ac_help="$ac_help + --with-egd-pool=FILE read randomness from EGD pool FILE" + +# Initialize some variables set by options. +# The variables have the same names as the options, with +# dashes changed to underlines. +build=NONE +cache_file=./config.cache +exec_prefix=NONE +host=NONE +no_create= +nonopt=NONE +no_recursion= +prefix=NONE +program_prefix=NONE +program_suffix=NONE +program_transform_name=s,x,x, +silent= +site= +srcdir= +target=NONE +verbose= +x_includes=NONE +x_libraries=NONE +bindir='${exec_prefix}/bin' +sbindir='${exec_prefix}/sbin' +libexecdir='${exec_prefix}/libexec' +datadir='${prefix}/share' +sysconfdir='${prefix}/etc' +sharedstatedir='${prefix}/com' +localstatedir='${prefix}/var' +libdir='${exec_prefix}/lib' +includedir='${prefix}/include' +oldincludedir='/usr/include' +infodir='${prefix}/info' +mandir='${prefix}/man' + +# Initialize some other variables. +subdirs= +MFLAGS= MAKEFLAGS= +SHELL=${CONFIG_SHELL-/bin/sh} +# Maximum number of lines to put in a shell here document. +ac_max_here_lines=12 + +ac_prev= +for ac_option +do + + # If the previous option needs an argument, assign it. + if test -n "$ac_prev"; then + eval "$ac_prev=\$ac_option" + ac_prev= + continue + fi + + case "$ac_option" in + -*=*) ac_optarg=`echo "$ac_option" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) ac_optarg= ;; + esac + + # Accept the important Cygnus configure options, so we can diagnose typos. + + case "$ac_option" in + + -bindir | --bindir | --bindi | --bind | --bin | --bi) + ac_prev=bindir ;; + -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) + bindir="$ac_optarg" ;; + + -build | --build | --buil | --bui | --bu) + ac_prev=build ;; + -build=* | --build=* | --buil=* | --bui=* | --bu=*) + build="$ac_optarg" ;; + + -cache-file | --cache-file | --cache-fil | --cache-fi \ + | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) + ac_prev=cache_file ;; + -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ + | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) + cache_file="$ac_optarg" ;; + + -datadir | --datadir | --datadi | --datad | --data | --dat | --da) + ac_prev=datadir ;; + -datadir=* | --datadir=* | --datadi=* | --datad=* | --data=* | --dat=* \ + | --da=*) + datadir="$ac_optarg" ;; + + -disable-* | --disable-*) + ac_feature=`echo $ac_option|sed -e 's/-*disable-//'` + # Reject names that are not valid shell variable names. + if test -n "`echo $ac_feature| sed 's/[-a-zA-Z0-9_]//g'`"; then + { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; } + fi + ac_feature=`echo $ac_feature| sed 's/-/_/g'` + eval "enable_${ac_feature}=no" ;; + + -enable-* | --enable-*) + ac_feature=`echo $ac_option|sed -e 's/-*enable-//' -e 's/=.*//'` + # Reject names that are not valid shell variable names. + if test -n "`echo $ac_feature| sed 's/[-_a-zA-Z0-9]//g'`"; then + { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; } + fi + ac_feature=`echo $ac_feature| sed 's/-/_/g'` + case "$ac_option" in + *=*) ;; + *) ac_optarg=yes ;; + esac + eval "enable_${ac_feature}='$ac_optarg'" ;; + + -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ + | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ + | --exec | --exe | --ex) + ac_prev=exec_prefix ;; + -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ + | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ + | --exec=* | --exe=* | --ex=*) + exec_prefix="$ac_optarg" ;; + + -gas | --gas | --ga | --g) + # Obsolete; use --with-gas. + with_gas=yes ;; + + -help | --help | --hel | --he) + # Omit some internal or obsolete options to make the list less imposing. + # This message is too long to be a string in the A/UX 3.1 sh. + cat << EOF +Usage: configure [options] [host] +Options: [defaults in brackets after descriptions] +Configuration: + --cache-file=FILE cache test results in FILE + --help print this message + --no-create do not create output files + --quiet, --silent do not print \`checking...' messages + --version print the version of autoconf that created configure +Directory and file names: + --prefix=PREFIX install architecture-independent files in PREFIX + [$ac_default_prefix] + --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX + [same as prefix] + --bindir=DIR user executables in DIR [EPREFIX/bin] + --sbindir=DIR system admin executables in DIR [EPREFIX/sbin] + --libexecdir=DIR program executables in DIR [EPREFIX/libexec] + --datadir=DIR read-only architecture-independent data in DIR + [PREFIX/share] + --sysconfdir=DIR read-only single-machine data in DIR [PREFIX/etc] + --sharedstatedir=DIR modifiable architecture-independent data in DIR + [PREFIX/com] + --localstatedir=DIR modifiable single-machine data in DIR [PREFIX/var] + --libdir=DIR object code libraries in DIR [EPREFIX/lib] + --includedir=DIR C header files in DIR [PREFIX/include] + --oldincludedir=DIR C header files for non-gcc in DIR [/usr/include] + --infodir=DIR info documentation in DIR [PREFIX/info] + --mandir=DIR man documentation in DIR [PREFIX/man] + --srcdir=DIR find the sources in DIR [configure dir or ..] + --program-prefix=PREFIX prepend PREFIX to installed program names + --program-suffix=SUFFIX append SUFFIX to installed program names + --program-transform-name=PROGRAM + run sed PROGRAM on installed program names +EOF + cat << EOF +Host type: + --build=BUILD configure for building on BUILD [BUILD=HOST] + --host=HOST configure for HOST [guessed] + --target=TARGET configure for TARGET [TARGET=HOST] +Features and packages: + --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) + --enable-FEATURE[=ARG] include FEATURE [ARG=yes] + --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] + --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) + --x-includes=DIR X include files are in DIR + --x-libraries=DIR X library files are in DIR +EOF + if test -n "$ac_help"; then + echo "--enable and --with options recognized:$ac_help" + fi + exit 0 ;; + + -host | --host | --hos | --ho) + ac_prev=host ;; + -host=* | --host=* | --hos=* | --ho=*) + host="$ac_optarg" ;; + + -includedir | --includedir | --includedi | --included | --include \ + | --includ | --inclu | --incl | --inc) + ac_prev=includedir ;; + -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ + | --includ=* | --inclu=* | --incl=* | --inc=*) + includedir="$ac_optarg" ;; + + -infodir | --infodir | --infodi | --infod | --info | --inf) + ac_prev=infodir ;; + -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) + infodir="$ac_optarg" ;; + + -libdir | --libdir | --libdi | --libd) + ac_prev=libdir ;; + -libdir=* | --libdir=* | --libdi=* | --libd=*) + libdir="$ac_optarg" ;; + + -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ + | --libexe | --libex | --libe) + ac_prev=libexecdir ;; + -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ + | --libexe=* | --libex=* | --libe=*) + libexecdir="$ac_optarg" ;; + + -localstatedir | --localstatedir | --localstatedi | --localstated \ + | --localstate | --localstat | --localsta | --localst \ + | --locals | --local | --loca | --loc | --lo) + ac_prev=localstatedir ;; + -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ + | --localstate=* | --localstat=* | --localsta=* | --localst=* \ + | --locals=* | --local=* | --loca=* | --loc=* | --lo=*) + localstatedir="$ac_optarg" ;; + + -mandir | --mandir | --mandi | --mand | --man | --ma | --m) + ac_prev=mandir ;; + -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) + mandir="$ac_optarg" ;; + + -nfp | --nfp | --nf) + # Obsolete; use --without-fp. + with_fp=no ;; + + -no-create | --no-create | --no-creat | --no-crea | --no-cre \ + | --no-cr | --no-c) + no_create=yes ;; + + -no-recursion | --no-recursion | --no-recursio | --no-recursi \ + | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) + no_recursion=yes ;; + + -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ + | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ + | --oldin | --oldi | --old | --ol | --o) + ac_prev=oldincludedir ;; + -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ + | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ + | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) + oldincludedir="$ac_optarg" ;; + + -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) + ac_prev=prefix ;; + -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) + prefix="$ac_optarg" ;; + + -program-prefix | --program-prefix | --program-prefi | --program-pref \ + | --program-pre | --program-pr | --program-p) + ac_prev=program_prefix ;; + -program-prefix=* | --program-prefix=* | --program-prefi=* \ + | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) + program_prefix="$ac_optarg" ;; + + -program-suffix | --program-suffix | --program-suffi | --program-suff \ + | --program-suf | --program-su | --program-s) + ac_prev=program_suffix ;; + -program-suffix=* | --program-suffix=* | --program-suffi=* \ + | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) + program_suffix="$ac_optarg" ;; + + -program-transform-name | --program-transform-name \ + | --program-transform-nam | --program-transform-na \ + | --program-transform-n | --program-transform- \ + | --program-transform | --program-transfor \ + | --program-transfo | --program-transf \ + | --program-trans | --program-tran \ + | --progr-tra | --program-tr | --program-t) + ac_prev=program_transform_name ;; + -program-transform-name=* | --program-transform-name=* \ + | --program-transform-nam=* | --program-transform-na=* \ + | --program-transform-n=* | --program-transform-=* \ + | --program-transform=* | --program-transfor=* \ + | --program-transfo=* | --program-transf=* \ + | --program-trans=* | --program-tran=* \ + | --progr-tra=* | --program-tr=* | --program-t=*) + program_transform_name="$ac_optarg" ;; + + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil) + silent=yes ;; + + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) + ac_prev=sbindir ;; + -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ + | --sbi=* | --sb=*) + sbindir="$ac_optarg" ;; + + -sharedstatedir | --sharedstatedir | --sharedstatedi \ + | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ + | --sharedst | --shareds | --shared | --share | --shar \ + | --sha | --sh) + ac_prev=sharedstatedir ;; + -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ + | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ + | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ + | --sha=* | --sh=*) + sharedstatedir="$ac_optarg" ;; + + -site | --site | --sit) + ac_prev=site ;; + -site=* | --site=* | --sit=*) + site="$ac_optarg" ;; + + -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) + ac_prev=srcdir ;; + -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) + srcdir="$ac_optarg" ;; + + -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ + | --syscon | --sysco | --sysc | --sys | --sy) + ac_prev=sysconfdir ;; + -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ + | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) + sysconfdir="$ac_optarg" ;; + + -target | --target | --targe | --targ | --tar | --ta | --t) + ac_prev=target ;; + -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) + target="$ac_optarg" ;; + + -v | -verbose | --verbose | --verbos | --verbo | --verb) + verbose=yes ;; + + -version | --version | --versio | --versi | --vers) + echo "configure generated by autoconf version 2.13" + exit 0 ;; + + -with-* | --with-*) + ac_package=`echo $ac_option|sed -e 's/-*with-//' -e 's/=.*//'` + # Reject names that are not valid shell variable names. + if test -n "`echo $ac_package| sed 's/[-_a-zA-Z0-9]//g'`"; then + { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; } + fi + ac_package=`echo $ac_package| sed 's/-/_/g'` + case "$ac_option" in + *=*) ;; + *) ac_optarg=yes ;; + esac + eval "with_${ac_package}='$ac_optarg'" ;; + + -without-* | --without-*) + ac_package=`echo $ac_option|sed -e 's/-*without-//'` + # Reject names that are not valid shell variable names. + if test -n "`echo $ac_package| sed 's/[-a-zA-Z0-9_]//g'`"; then + { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; } + fi + ac_package=`echo $ac_package| sed 's/-/_/g'` + eval "with_${ac_package}=no" ;; + + --x) + # Obsolete; use --with-x. + with_x=yes ;; + + -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ + | --x-incl | --x-inc | --x-in | --x-i) + ac_prev=x_includes ;; + -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ + | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) + x_includes="$ac_optarg" ;; + + -x-libraries | --x-libraries | --x-librarie | --x-librari \ + | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) + ac_prev=x_libraries ;; + -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ + | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) + x_libraries="$ac_optarg" ;; + + -*) { echo "configure: error: $ac_option: invalid option; use --help to show usage" 1>&2; exit 1; } + ;; + + *) + if test -n "`echo $ac_option| sed 's/[-a-z0-9.]//g'`"; then + echo "configure: warning: $ac_option: invalid host type" 1>&2 + fi + if test "x$nonopt" != xNONE; then + { echo "configure: error: can only configure for one host and one target at a time" 1>&2; exit 1; } + fi + nonopt="$ac_option" + ;; + + esac +done + +if test -n "$ac_prev"; then + { echo "configure: error: missing argument to --`echo $ac_prev | sed 's/_/-/g'`" 1>&2; exit 1; } +fi + +trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15 + +# File descriptor usage: +# 0 standard input +# 1 file creation +# 2 errors and warnings +# 3 some systems may open it to /dev/tty +# 4 used on the Kubota Titan +# 6 checking for... messages and results +# 5 compiler messages saved in config.log +if test "$silent" = yes; then + exec 6>/dev/null +else + exec 6>&1 +fi +exec 5>./config.log + +echo "\ +This file contains any messages produced by compilers while +running configure, to aid debugging if configure makes a mistake. +" 1>&5 + +# Strip out --no-create and --no-recursion so they do not pile up. +# Also quote any args containing shell metacharacters. +ac_configure_args= +for ac_arg +do + case "$ac_arg" in + -no-create | --no-create | --no-creat | --no-crea | --no-cre \ + | --no-cr | --no-c) ;; + -no-recursion | --no-recursion | --no-recursio | --no-recursi \ + | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) ;; + *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?]*) + ac_configure_args="$ac_configure_args '$ac_arg'" ;; + *) ac_configure_args="$ac_configure_args $ac_arg" ;; + esac +done + +# NLS nuisances. +# Only set these to C if already set. These must not be set unconditionally +# because not all systems understand e.g. LANG=C (notably SCO). +# Fixing LC_MESSAGES prevents Solaris sh from translating var values in `set'! +# Non-C LC_CTYPE values break the ctype check. +if test "${LANG+set}" = set; then LANG=C; export LANG; fi +if test "${LC_ALL+set}" = set; then LC_ALL=C; export LC_ALL; fi +if test "${LC_MESSAGES+set}" = set; then LC_MESSAGES=C; export LC_MESSAGES; fi +if test "${LC_CTYPE+set}" = set; then LC_CTYPE=C; export LC_CTYPE; fi + +# confdefs.h avoids OS command line length limits that DEFS can exceed. +rm -rf conftest* confdefs.h +# AIX cpp loses on an empty file, so make sure it contains at least a newline. +echo > confdefs.h + +# A filename unique to this package, relative to the directory that +# configure is in, which we can look for to find out if srcdir is correct. +ac_unique_file=ssh.c + +# Find the source files, if location was not specified. +if test -z "$srcdir"; then + ac_srcdir_defaulted=yes + # Try the directory containing this script, then its parent. + ac_prog=$0 + ac_confdir=`echo $ac_prog|sed 's%/[^/][^/]*$%%'` + test "x$ac_confdir" = "x$ac_prog" && ac_confdir=. + srcdir=$ac_confdir + if test ! -r $srcdir/$ac_unique_file; then + srcdir=.. + fi +else + ac_srcdir_defaulted=no +fi +if test ! -r $srcdir/$ac_unique_file; then + if test "$ac_srcdir_defaulted" = yes; then + { echo "configure: error: can not find sources in $ac_confdir or .." 1>&2; exit 1; } + else + { echo "configure: error: can not find sources in $srcdir" 1>&2; exit 1; } + fi +fi +srcdir=`echo "${srcdir}" | sed 's%\([^/]\)/*$%\1%'` + +# Prefer explicitly selected file to automatically selected ones. +if test -z "$CONFIG_SITE"; then + if test "x$prefix" != xNONE; then + CONFIG_SITE="$prefix/share/config.site $prefix/etc/config.site" + else + CONFIG_SITE="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site" + fi +fi +for ac_site_file in $CONFIG_SITE; do + if test -r "$ac_site_file"; then + echo "loading site script $ac_site_file" + . "$ac_site_file" + fi +done + +if test -r "$cache_file"; then + echo "loading cache $cache_file" + . $cache_file +else + echo "creating cache $cache_file" + > $cache_file +fi + +ac_ext=c +# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. +ac_cpp='$CPP $CPPFLAGS' +ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' +ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' +cross_compiling=$ac_cv_prog_cc_cross + +ac_exeext= +ac_objext=o +if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then + # Stardent Vistra SVR4 grep lacks -e, says ghazi@caip.rutgers.edu. + if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then + ac_n= ac_c=' +' ac_t=' ' + else + ac_n=-n ac_c= ac_t= + fi +else + ac_n= ac_c='\c' ac_t= +fi + + + + + +# Extract the first word of "gcc", so it can be a program name with args. +set dummy gcc; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:537: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_CC="gcc" + break + fi + done + IFS="$ac_save_ifs" +fi +fi +CC="$ac_cv_prog_CC" +if test -n "$CC"; then + echo "$ac_t""$CC" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +if test -z "$CC"; then + # Extract the first word of "cc", so it can be a program name with args. +set dummy cc; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:567: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_prog_rejected=no + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + if test "$ac_dir/$ac_word" = "/usr/ucb/cc"; then + ac_prog_rejected=yes + continue + fi + ac_cv_prog_CC="cc" + break + fi + done + IFS="$ac_save_ifs" +if test $ac_prog_rejected = yes; then + # We found a bogon in the path, so make sure we never use it. + set dummy $ac_cv_prog_CC + shift + if test $# -gt 0; then + # We chose a different compiler from the bogus one. + # However, it has the same basename, so the bogon will be chosen + # first if we set CC to just the basename; use the full file name. + shift + set dummy "$ac_dir/$ac_word" "$@" + shift + ac_cv_prog_CC="$@" + fi +fi +fi +fi +CC="$ac_cv_prog_CC" +if test -n "$CC"; then + echo "$ac_t""$CC" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + + if test -z "$CC"; then + case "`uname -s`" in + *win32* | *WIN32*) + # Extract the first word of "cl", so it can be a program name with args. +set dummy cl; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:618: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_CC="cl" + break + fi + done + IFS="$ac_save_ifs" +fi +fi +CC="$ac_cv_prog_CC" +if test -n "$CC"; then + echo "$ac_t""$CC" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + ;; + esac + fi + test -z "$CC" && { echo "configure: error: no acceptable cc found in \$PATH" 1>&2; exit 1; } +fi + +echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6 +echo "configure:650: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 + +ac_ext=c +# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. +ac_cpp='$CPP $CPPFLAGS' +ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' +ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' +cross_compiling=$ac_cv_prog_cc_cross + +cat > conftest.$ac_ext << EOF + +#line 661 "configure" +#include "confdefs.h" + +main(){return(0);} +EOF +if { (eval echo configure:666: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + ac_cv_prog_cc_works=yes + # If we can't run a trivial program, we are probably using a cross compiler. + if (./conftest; exit) 2>/dev/null; then + ac_cv_prog_cc_cross=no + else + ac_cv_prog_cc_cross=yes + fi +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + ac_cv_prog_cc_works=no +fi +rm -fr conftest* +ac_ext=c +# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. +ac_cpp='$CPP $CPPFLAGS' +ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' +ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' +cross_compiling=$ac_cv_prog_cc_cross + +echo "$ac_t""$ac_cv_prog_cc_works" 1>&6 +if test $ac_cv_prog_cc_works = no; then + { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; } +fi +echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6 +echo "configure:692: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 +echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6 +cross_compiling=$ac_cv_prog_cc_cross + +echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6 +echo "configure:697: checking whether we are using GNU C" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.c <&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then + ac_cv_prog_gcc=yes +else + ac_cv_prog_gcc=no +fi +fi + +echo "$ac_t""$ac_cv_prog_gcc" 1>&6 + +if test $ac_cv_prog_gcc = yes; then + GCC=yes +else + GCC= +fi + +ac_test_CFLAGS="${CFLAGS+set}" +ac_save_CFLAGS="$CFLAGS" +CFLAGS= +echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6 +echo "configure:725: checking whether ${CC-cc} accepts -g" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + echo 'void f(){}' > conftest.c +if test -z "`${CC-cc} -g -c conftest.c 2>&1`"; then + ac_cv_prog_cc_g=yes +else + ac_cv_prog_cc_g=no +fi +rm -f conftest* + +fi + +echo "$ac_t""$ac_cv_prog_cc_g" 1>&6 +if test "$ac_test_CFLAGS" = set; then + CFLAGS="$ac_save_CFLAGS" +elif test $ac_cv_prog_cc_g = yes; then + if test "$GCC" = yes; then + CFLAGS="-g -O2" + else + CFLAGS="-g" + fi +else + if test "$GCC" = yes; then + CFLAGS="-O2" + else + CFLAGS= + fi +fi + +echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6 +echo "configure:757: checking how to run the C preprocessor" >&5 +# On Suns, sometimes $CPP names a directory. +if test -n "$CPP" && test -d "$CPP"; then + CPP= +fi +if test -z "$CPP"; then +if eval "test \"`echo '$''{'ac_cv_prog_CPP'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + # This must be in double quotes, not single quotes, because CPP may get + # substituted into the Makefile and "${CC-cc}" will confuse make. + CPP="${CC-cc} -E" + # On the NeXT, cc -E runs the code through the compiler's parser, + # not just through cpp. + cat > conftest.$ac_ext < +Syntax Error +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:778: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + : +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + CPP="${CC-cc} -E -traditional-cpp" + cat > conftest.$ac_ext < +Syntax Error +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:795: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + : +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + CPP="${CC-cc} -nologo -E" + cat > conftest.$ac_ext < +Syntax Error +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:812: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + : +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + CPP=/lib/cpp +fi +rm -f conftest* +fi +rm -f conftest* +fi +rm -f conftest* + ac_cv_prog_CPP="$CPP" +fi + CPP="$ac_cv_prog_CPP" +else + ac_cv_prog_CPP="$CPP" +fi +echo "$ac_t""$CPP" 1>&6 + +# Extract the first word of "ranlib", so it can be a program name with args. +set dummy ranlib; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:839: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_RANLIB'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$RANLIB"; then + ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_RANLIB="ranlib" + break + fi + done + IFS="$ac_save_ifs" + test -z "$ac_cv_prog_RANLIB" && ac_cv_prog_RANLIB=":" +fi +fi +RANLIB="$ac_cv_prog_RANLIB" +if test -n "$RANLIB"; then + echo "$ac_t""$RANLIB" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +# Extract the first word of "ar", so it can be a program name with args. +set dummy ar; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:869: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_AR'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$AR"; then + ac_cv_prog_AR="$AR" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_AR="ar" + break + fi + done + IFS="$ac_save_ifs" +fi +fi +AR="$ac_cv_prog_AR" +if test -n "$AR"; then + echo "$ac_t""$AR" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +if test "$GCC" = "yes"; then CFLAGS="$CFLAGS -Wall"; fi + +echo $ac_n "checking for OpenSSL/SSLeay directory""... $ac_c" 1>&6 +echo "configure:898: checking for OpenSSL/SSLeay directory" >&5 +for ssldir in /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local $prefix /usr/pkg ; do + if test -f "$ssldir/include/openssl/crypto.h"; then + cat >> confdefs.h <<\EOF +#define HAVE_OPENSSL 1 +EOF + + GOT_SSL="yes" + break + fi + if test -f "$ssldir/include/ssl/crypto.h"; then + cat >> confdefs.h <<\EOF +#define HAVE_SSL 1 +EOF + + GOT_SSL="yes" + break + fi +done +if test -z "$GOT_SSL" ; then + { echo "configure: error: Could not find SSLeay / OpenSSL libraries, please install" 1>&2; exit 1; } +fi + +cat >> confdefs.h <&6 + +echo $ac_n "checking for RSAref library""... $ac_c" 1>&6 +echo "configure:933: checking for RSAref library" >&5 +saved_LIBS="$LIBS" +LIBS="$saved_LIBS -lRSAglue -lrsaref" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + echo "$ac_t""yes" 1>&6; +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + echo "$ac_t""no" 1>&6; LIBS="$saved_LIBS" +fi +rm -f conftest* + +echo $ac_n "checking for CRYPTO_lock in -lcrypto""... $ac_c" 1>&6 +echo "configure:956: checking for CRYPTO_lock in -lcrypto" >&5 +ac_lib_var=`echo crypto'_'CRYPTO_lock | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lcrypto $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo crypto | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 +{ echo "configure: error: *** libcrypto missing - please install first ***" 1>&2; exit 1; } +fi + +echo $ac_n "checking for deflate in -lz""... $ac_c" 1>&6 +echo "configure:1004: checking for deflate in -lz" >&5 +ac_lib_var=`echo z'_'deflate | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lz $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo z | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 +{ echo "configure: error: *** zlib missing - please install first ***" 1>&2; exit 1; } +fi + +echo $ac_n "checking for login in -lutil""... $ac_c" 1>&6 +echo "configure:1052: checking for login in -lutil" >&5 +ac_lib_var=`echo util'_'login | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lutil $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF +#define HAVE_LIBUTIL_LOGIN 1 +EOF + LIBS="$LIBS -lutil" +else + echo "$ac_t""no" 1>&6 +fi + +echo $ac_n "checking for yp_match in -lnsl""... $ac_c" 1>&6 +echo "configure:1095: checking for yp_match in -lnsl" >&5 +ac_lib_var=`echo nsl'_'yp_match | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lnsl $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo nsl | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 +fi + +echo $ac_n "checking for main in -lsocket""... $ac_c" 1>&6 +echo "configure:1142: checking for main in -lsocket" >&5 +ac_lib_var=`echo socket'_'main | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lsocket $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo socket | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 +fi + + +echo $ac_n "checking for dlopen in -ldl""... $ac_c" 1>&6 +echo "configure:1186: checking for dlopen in -ldl" >&5 +ac_lib_var=`echo dl'_'dlopen | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-ldl $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo dl | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 +fi + +echo $ac_n "checking for pam_authenticate in -lpam""... $ac_c" 1>&6 +echo "configure:1233: checking for pam_authenticate in -lpam" >&5 +ac_lib_var=`echo pam'_'pam_authenticate | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lpam $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo pam | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 +fi + + +for ac_hdr in pty.h endian.h paths.h lastlog.h +do +ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` +echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 +echo "configure:1284: checking for $ac_hdr" >&5 +if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:1294: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_header_$ac_safe=no" +fi +rm -f conftest* +fi +if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` + cat >> confdefs.h <&6 +fi +done + + +if test $ac_cv_prog_gcc = yes; then + echo $ac_n "checking whether ${CC-cc} needs -traditional""... $ac_c" 1>&6 +echo "configure:1323: checking whether ${CC-cc} needs -traditional" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_gcc_traditional'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_pattern="Autoconf.*'x'" + cat > conftest.$ac_ext < +Autoconf TIOCGETP +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "$ac_pattern" >/dev/null 2>&1; then + rm -rf conftest* + ac_cv_prog_gcc_traditional=yes +else + rm -rf conftest* + ac_cv_prog_gcc_traditional=no +fi +rm -f conftest* + + + if test $ac_cv_prog_gcc_traditional = no; then + cat > conftest.$ac_ext < +Autoconf TCGETA +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "$ac_pattern" >/dev/null 2>&1; then + rm -rf conftest* + ac_cv_prog_gcc_traditional=yes +fi +rm -f conftest* + + fi +fi + +echo "$ac_t""$ac_cv_prog_gcc_traditional" 1>&6 + if test $ac_cv_prog_gcc_traditional = yes; then + CC="$CC -traditional" + fi +fi + +for ac_func in openpty strlcpy mkdtemp arc4random setproctitle setlogin +do +echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +echo "configure:1371: checking for $ac_func" >&5 +if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char $ac_func(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +$ac_func(); +#endif + +; return 0; } +EOF +if { (eval echo configure:1399: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_$ac_func=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` + cat >> confdefs.h <&6 +fi +done + + +echo $ac_n "checking whether utmp.h has ut_host field""... $ac_c" 1>&6 +echo "configure:1425: checking whether utmp.h has ut_host field" >&5 +cat > conftest.$ac_ext < +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "ut_host" >/dev/null 2>&1; then + rm -rf conftest* + cat >> confdefs.h <<\EOF +#define HAVE_HOST_IN_UTMP 1 +EOF + echo "$ac_t""yes" 1>&6; +else + rm -rf conftest* + echo "$ac_t""no" 1>&6 + +fi +rm -f conftest* + + +# Check whether --with-gnome-askpass or --without-gnome-askpass was given. +if test "${with_gnome_askpass+set}" = set; then + withval="$with_gnome_askpass" + GNOME_ASKPASS="gnome-ssh-askpass" +fi + + + +# Check whether --with-random or --without-random was given. +if test "${with_random+set}" = set; then + withval="$with_random" + + RANDOM_POOL="$withval"; + cat >> confdefs.h <<\EOF +#define RANDOM_POOL "$RANDOM_POOL" +EOF + + +else + + +ac_safe=`echo ""/dev/urandom"" | sed 'y%./+-%__p_%'` +echo $ac_n "checking for "/dev/urandom"""... $ac_c" 1>&6 +echo "configure:1469: checking for "/dev/urandom"" >&5 +if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test "$cross_compiling" = yes; then + { echo "configure: error: Cannot check for file existence when cross compiling" 1>&2; exit 1; } +else + if test -r "/dev/urandom"; then + eval "ac_cv_file_$ac_safe=yes" + else + eval "ac_cv_file_$ac_safe=no" + fi +fi +fi +if eval "test \"`echo '$ac_cv_file_'$ac_safe`\" = yes"; then + echo "$ac_t""yes" 1>&6 + + RANDOM_POOL="/dev/urandom"; + + cat >> confdefs.h <&6 + +fi + + + +fi + + +# Check whether --with-egd-pool or --without-egd-pool was given. +if test "${with_egd_pool+set}" = set; then + withval="$with_egd_pool" + + RANDOM_POOL="$withval"; + cat >> confdefs.h <<\EOF +#define HAVE_EGD 1 +EOF + + + cat >> confdefs.h <&2; exit 1; } +fi + +trap '' 1 2 15 +cat > confcache <<\EOF +# This file is a shell script that caches the results of configure +# tests run on this system so they can be shared between configure +# scripts and configure runs. It is not useful on other systems. +# If it contains results you don't want to keep, you may remove or edit it. +# +# By default, configure uses ./config.cache as the cache file, +# creating it if it does not exist already. You can give configure +# the --cache-file=FILE option to use a different cache file; that is +# what configure does when it calls configure scripts in +# subdirectories, so they share the cache. +# Giving --cache-file=/dev/null disables caching, for debugging configure. +# config.status only pays attention to the cache file if you give it the +# --recheck option to rerun configure. +# +EOF +# The following way of writing the cache mishandles newlines in values, +# but we know of no workaround that is simple, portable, and efficient. +# So, don't put newlines in cache variables' values. +# Ultrix sh set writes to stderr and can't be redirected directly, +# and sets the high bit in the cache file unless we assign to the vars. +(set) 2>&1 | + case `(ac_space=' '; set | grep ac_space) 2>&1` in + *ac_space=\ *) + # `set' does not quote correctly, so add quotes (double-quote substitution + # turns \\\\ into \\, and sed turns \\ into \). + sed -n \ + -e "s/'/'\\\\''/g" \ + -e "s/^\\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\\)=\\(.*\\)/\\1=\${\\1='\\2'}/p" + ;; + *) + # `set' quotes correctly as required by POSIX, so do not add quotes. + sed -n -e 's/^\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\)=\(.*\)/\1=${\1=\2}/p' + ;; + esac >> confcache +if cmp -s $cache_file confcache; then + : +else + if test -w $cache_file; then + echo "updating cache $cache_file" + cat confcache > $cache_file + else + echo "not updating unwritable cache $cache_file" + fi +fi +rm -f confcache + +trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15 + +test "x$prefix" = xNONE && prefix=$ac_default_prefix +# Let make expand exec_prefix. +test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' + +# Any assignment to VPATH causes Sun make to only execute +# the first set of double-colon rules, so remove it if not needed. +# If there is a colon in the path, we need to keep it. +if test "x$srcdir" = x.; then + ac_vpsub='/^[ ]*VPATH[ ]*=[^:]*$/d' +fi + +trap 'rm -f $CONFIG_STATUS conftest*; exit 1' 1 2 15 + +DEFS=-DHAVE_CONFIG_H + +# Without the "./", some shells look in PATH for config.status. +: ${CONFIG_STATUS=./config.status} + +echo creating $CONFIG_STATUS +rm -f $CONFIG_STATUS +cat > $CONFIG_STATUS </dev/null | sed 1q`: +# +# $0 $ac_configure_args +# +# Compiler output produced by configure, useful for debugging +# configure, is in ./config.log if it exists. + +ac_cs_usage="Usage: $CONFIG_STATUS [--recheck] [--version] [--help]" +for ac_option +do + case "\$ac_option" in + -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) + echo "running \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion" + exec \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion ;; + -version | --version | --versio | --versi | --vers | --ver | --ve | --v) + echo "$CONFIG_STATUS generated by autoconf version 2.13" + exit 0 ;; + -help | --help | --hel | --he | --h) + echo "\$ac_cs_usage"; exit 0 ;; + *) echo "\$ac_cs_usage"; exit 1 ;; + esac +done + +ac_given_srcdir=$srcdir + +trap 'rm -fr `echo "Makefile config.h" | sed "s/:[^ ]*//g"` conftest*; exit 1' 1 2 15 +EOF +cat >> $CONFIG_STATUS < conftest.subs <<\\CEOF +$ac_vpsub +$extrasub +s%@SHELL@%$SHELL%g +s%@CFLAGS@%$CFLAGS%g +s%@CPPFLAGS@%$CPPFLAGS%g +s%@CXXFLAGS@%$CXXFLAGS%g +s%@FFLAGS@%$FFLAGS%g +s%@DEFS@%$DEFS%g +s%@LDFLAGS@%$LDFLAGS%g +s%@LIBS@%$LIBS%g +s%@exec_prefix@%$exec_prefix%g +s%@prefix@%$prefix%g +s%@program_transform_name@%$program_transform_name%g +s%@bindir@%$bindir%g +s%@sbindir@%$sbindir%g +s%@libexecdir@%$libexecdir%g +s%@datadir@%$datadir%g +s%@sysconfdir@%$sysconfdir%g +s%@sharedstatedir@%$sharedstatedir%g +s%@localstatedir@%$localstatedir%g +s%@libdir@%$libdir%g +s%@includedir@%$includedir%g +s%@oldincludedir@%$oldincludedir%g +s%@infodir@%$infodir%g +s%@mandir@%$mandir%g +s%@CC@%$CC%g +s%@CPP@%$CPP%g +s%@RANLIB@%$RANLIB%g +s%@AR@%$AR%g +s%@ssldir@%$ssldir%g +s%@GNOME_ASKPASS@%$GNOME_ASKPASS%g +s%@RANDOM_POOL@%$RANDOM_POOL%g + +CEOF +EOF + +cat >> $CONFIG_STATUS <<\EOF + +# Split the substitutions into bite-sized pieces for seds with +# small command number limits, like on Digital OSF/1 and HP-UX. +ac_max_sed_cmds=90 # Maximum number of lines to put in a sed script. +ac_file=1 # Number of current file. +ac_beg=1 # First line for current file. +ac_end=$ac_max_sed_cmds # Line after last line for current file. +ac_more_lines=: +ac_sed_cmds="" +while $ac_more_lines; do + if test $ac_beg -gt 1; then + sed "1,${ac_beg}d; ${ac_end}q" conftest.subs > conftest.s$ac_file + else + sed "${ac_end}q" conftest.subs > conftest.s$ac_file + fi + if test ! -s conftest.s$ac_file; then + ac_more_lines=false + rm -f conftest.s$ac_file + else + if test -z "$ac_sed_cmds"; then + ac_sed_cmds="sed -f conftest.s$ac_file" + else + ac_sed_cmds="$ac_sed_cmds | sed -f conftest.s$ac_file" + fi + ac_file=`expr $ac_file + 1` + ac_beg=$ac_end + ac_end=`expr $ac_end + $ac_max_sed_cmds` + fi +done +if test -z "$ac_sed_cmds"; then + ac_sed_cmds=cat +fi +EOF + +cat >> $CONFIG_STATUS <> $CONFIG_STATUS <<\EOF +for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then + # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in". + case "$ac_file" in + *:*) ac_file_in=`echo "$ac_file"|sed 's%[^:]*:%%'` + ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;; + *) ac_file_in="${ac_file}.in" ;; + esac + + # Adjust a relative srcdir, top_srcdir, and INSTALL for subdirectories. + + # Remove last slash and all that follows it. Not all systems have dirname. + ac_dir=`echo $ac_file|sed 's%/[^/][^/]*$%%'` + if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then + # The file is in a subdirectory. + test ! -d "$ac_dir" && mkdir "$ac_dir" + ac_dir_suffix="/`echo $ac_dir|sed 's%^\./%%'`" + # A "../" for each directory in $ac_dir_suffix. + ac_dots=`echo $ac_dir_suffix|sed 's%/[^/]*%../%g'` + else + ac_dir_suffix= ac_dots= + fi + + case "$ac_given_srcdir" in + .) srcdir=. + if test -z "$ac_dots"; then top_srcdir=. + else top_srcdir=`echo $ac_dots|sed 's%/$%%'`; fi ;; + /*) srcdir="$ac_given_srcdir$ac_dir_suffix"; top_srcdir="$ac_given_srcdir" ;; + *) # Relative path. + srcdir="$ac_dots$ac_given_srcdir$ac_dir_suffix" + top_srcdir="$ac_dots$ac_given_srcdir" ;; + esac + + + echo creating "$ac_file" + rm -f "$ac_file" + configure_input="Generated automatically from `echo $ac_file_in|sed 's%.*/%%'` by configure." + case "$ac_file" in + *Makefile*) ac_comsub="1i\\ +# $configure_input" ;; + *) ac_comsub= ;; + esac + + ac_file_inputs=`echo $ac_file_in|sed -e "s%^%$ac_given_srcdir/%" -e "s%:% $ac_given_srcdir/%g"` + sed -e "$ac_comsub +s%@configure_input@%$configure_input%g +s%@srcdir@%$srcdir%g +s%@top_srcdir@%$top_srcdir%g +" $ac_file_inputs | (eval "$ac_sed_cmds") > $ac_file +fi; done +rm -f conftest.s* + +# These sed commands are passed to sed as "A NAME B NAME C VALUE D", where +# NAME is the cpp macro being defined and VALUE is the value it is being given. +# +# ac_d sets the value in "#define NAME VALUE" lines. +ac_dA='s%^\([ ]*\)#\([ ]*define[ ][ ]*\)' +ac_dB='\([ ][ ]*\)[^ ]*%\1#\2' +ac_dC='\3' +ac_dD='%g' +# ac_u turns "#undef NAME" with trailing blanks into "#define NAME VALUE". +ac_uA='s%^\([ ]*\)#\([ ]*\)undef\([ ][ ]*\)' +ac_uB='\([ ]\)%\1#\2define\3' +ac_uC=' ' +ac_uD='\4%g' +# ac_e turns "#undef NAME" without trailing blanks into "#define NAME VALUE". +ac_eA='s%^\([ ]*\)#\([ ]*\)undef\([ ][ ]*\)' +ac_eB='$%\1#\2define\3' +ac_eC=' ' +ac_eD='%g' + +if test "${CONFIG_HEADERS+set}" != set; then +EOF +cat >> $CONFIG_STATUS <> $CONFIG_STATUS <<\EOF +fi +for ac_file in .. $CONFIG_HEADERS; do if test "x$ac_file" != x..; then + # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in". + case "$ac_file" in + *:*) ac_file_in=`echo "$ac_file"|sed 's%[^:]*:%%'` + ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;; + *) ac_file_in="${ac_file}.in" ;; + esac + + echo creating $ac_file + + rm -f conftest.frag conftest.in conftest.out + ac_file_inputs=`echo $ac_file_in|sed -e "s%^%$ac_given_srcdir/%" -e "s%:% $ac_given_srcdir/%g"` + cat $ac_file_inputs > conftest.in + +EOF + +# Transform confdefs.h into a sed script conftest.vals that substitutes +# the proper values into config.h.in to produce config.h. And first: +# Protect against being on the right side of a sed subst in config.status. +# Protect against being in an unquoted here document in config.status. +rm -f conftest.vals +cat > conftest.hdr <<\EOF +s/[\\&%]/\\&/g +s%[\\$`]%\\&%g +s%#define \([A-Za-z_][A-Za-z0-9_]*\) *\(.*\)%${ac_dA}\1${ac_dB}\1${ac_dC}\2${ac_dD}%gp +s%ac_d%ac_u%gp +s%ac_u%ac_e%gp +EOF +sed -n -f conftest.hdr confdefs.h > conftest.vals +rm -f conftest.hdr + +# This sed command replaces #undef with comments. This is necessary, for +# example, in the case of _POSIX_SOURCE, which is predefined and required +# on some systems where configure will not decide to define it. +cat >> conftest.vals <<\EOF +s%^[ ]*#[ ]*undef[ ][ ]*[a-zA-Z_][a-zA-Z_0-9]*%/* & */% +EOF + +# Break up conftest.vals because some shells have a limit on +# the size of here documents, and old seds have small limits too. + +rm -f conftest.tail +while : +do + ac_lines=`grep -c . conftest.vals` + # grep -c gives empty output for an empty file on some AIX systems. + if test -z "$ac_lines" || test "$ac_lines" -eq 0; then break; fi + # Write a limited-size here document to conftest.frag. + echo ' cat > conftest.frag <> $CONFIG_STATUS + sed ${ac_max_here_lines}q conftest.vals >> $CONFIG_STATUS + echo 'CEOF + sed -f conftest.frag conftest.in > conftest.out + rm -f conftest.in + mv conftest.out conftest.in +' >> $CONFIG_STATUS + sed 1,${ac_max_here_lines}d conftest.vals > conftest.tail + rm -f conftest.vals + mv conftest.tail conftest.vals +done +rm -f conftest.vals + +cat >> $CONFIG_STATUS <<\EOF + rm -f conftest.frag conftest.h + echo "/* $ac_file. Generated automatically by configure. */" > conftest.h + cat conftest.in >> conftest.h + rm -f conftest.in + if cmp -s $ac_file conftest.h 2>/dev/null; then + echo "$ac_file is unchanged" + rm -f conftest.h + else + # Remove last slash and all that follows it. Not all systems have dirname. + ac_dir=`echo $ac_file|sed 's%/[^/][^/]*$%%'` + if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then + # The file is in a subdirectory. + test ! -d "$ac_dir" && mkdir "$ac_dir" + fi + rm -f $ac_file + mv conftest.h $ac_file + fi +fi; done + +EOF +cat >> $CONFIG_STATUS <> $CONFIG_STATUS <<\EOF + +exit 0 +EOF +chmod +x $CONFIG_STATUS +rm -fr confdefs* $ac_clean_files +test "$no_create" = yes || ${CONFIG_SHELL-/bin/sh} $CONFIG_STATUS || exit 1 + diff -ruN --exclude CVS ssh-openbsd-1999111200/configure.in openssh-1.2pre10/configure.in --- ssh-openbsd-1999111200/configure.in Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre10/configure.in Fri Nov 12 08:49:09 1999 @@ -0,0 +1,111 @@ +AC_INIT(ssh.c) + +AC_CONFIG_HEADER(config.h) + +dnl Checks for programs. +AC_PROG_CC +AC_PROG_CPP +AC_PROG_RANLIB +AC_CHECK_PROG(AR, ar, ar) +if test "$GCC" = "yes"; then CFLAGS="$CFLAGS -Wall"; fi + +dnl Check for OpenSSL/SSLeay directories. +AC_MSG_CHECKING([for OpenSSL/SSLeay directory]) +for ssldir in /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local $prefix /usr/pkg ; do + if test -f "$ssldir/include/openssl/crypto.h"; then + AC_DEFINE(HAVE_OPENSSL) + GOT_SSL="yes" + break + fi + if test -f "$ssldir/include/ssl/crypto.h"; then + AC_DEFINE(HAVE_SSL) + GOT_SSL="yes" + break + fi +done +if test -z "$GOT_SSL" ; then + AC_MSG_ERROR([Could not find SSLeay / OpenSSL libraries, please install]) +fi +AC_SUBST(ssldir) +AC_DEFINE_UNQUOTED(ssldir, "$ssldir") +if test "$ssldir" != "/usr"; then + CFLAGS="$CFLAGS -I$ssldir/include" + LIBS="$LIBS -L$ssldir/lib" +fi +LIBS="$LIBS -lssl -lcrypto" +AC_MSG_RESULT($ssldir) + +dnl Check for RSAref library. +AC_MSG_CHECKING([for RSAref library]) +saved_LIBS="$LIBS" +LIBS="$saved_LIBS -lRSAglue -lrsaref" +AC_TRY_LINK([], [], +[AC_MSG_RESULT(yes); ], +[AC_MSG_RESULT(no)]; LIBS="$saved_LIBS") + +dnl Checks for libraries. +AC_CHECK_LIB(crypto, CRYPTO_lock, ,AC_MSG_ERROR([*** libcrypto missing - please install first ***])) +AC_CHECK_LIB(z, deflate, ,AC_MSG_ERROR([*** zlib missing - please install first ***])) +AC_CHECK_LIB(util, login, AC_DEFINE(HAVE_LIBUTIL_LOGIN) LIBS="$LIBS -lutil") +AC_CHECK_LIB(nsl, yp_match, , ) +AC_CHECK_LIB(socket, main, , ) + +dnl libdl is needed by PAM on Redhat systems +AC_CHECK_LIB(dl, dlopen, , ) +AC_CHECK_LIB(pam, pam_authenticate, , ) + +dnl Checks for header files. +AC_CHECK_HEADERS(pty.h endian.h paths.h lastlog.h) + +dnl Checks for library functions. +AC_PROG_GCC_TRADITIONAL +AC_CHECK_FUNCS(openpty strlcpy mkdtemp arc4random setproctitle setlogin) + +dnl Check for ut_host field in utmp +AC_MSG_CHECKING([whether utmp.h has ut_host field]) +AC_EGREP_HEADER(ut_host, utmp.h, + [AC_DEFINE(HAVE_HOST_IN_UTMP) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) + +dnl Check whether user wants GNOME ssh-askpass +AC_ARG_WITH(gnome-askpass, + [ --with-gnome-askpass Build and use the GNOME passphrase requester], + [GNOME_ASKPASS="gnome-ssh-askpass"]) +AC_SUBST(GNOME_ASKPASS) + +dnl Check for user-specified random device +AC_ARG_WITH(random, + [ --with-random=FILE read randomness from FILE (default /dev/urandom)], + [ + RANDOM_POOL="$withval"; + AC_DEFINE(RANDOM_POOL, "$RANDOM_POOL") + ], + [ + dnl Check for random device + AC_CHECK_FILE("/dev/urandom", + [ + RANDOM_POOL="/dev/urandom"; + AC_SUBST(RANDOM_POOL) + AC_DEFINE_UNQUOTED(RANDOM_POOL, "$RANDOM_POOL") + ] + ) + ] +) + +dnl Check for EGD pool file +AC_ARG_WITH(egd-pool, + [ --with-egd-pool=FILE read randomness from EGD pool FILE], + [ + RANDOM_POOL="$withval"; + AC_DEFINE(HAVE_EGD) + AC_SUBST(RANDOM_POOL) + AC_DEFINE_UNQUOTED(RANDOM_POOL, "$RANDOM_POOL") + ] +) + +if test -z "$RANDOM_POOL" -a -z "$EGD_POOL"; then + AC_MSG_ERROR([No random device found, and no EGD random pool specified]) +fi + +AC_OUTPUT(Makefile) diff -ruN --exclude CVS ssh-openbsd-1999111200/gnome-ssh-askpass.c openssh-1.2pre10/gnome-ssh-askpass.c --- ssh-openbsd-1999111200/gnome-ssh-askpass.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre10/gnome-ssh-askpass.c Fri Nov 12 12:09:36 1999 @@ -0,0 +1,122 @@ +/* +** +** GNOME ssh passphrase requestor +** +** Damien Miller +** +** Copyright 1999 Internet Business Solutions +** +** Permission is hereby granted, free of charge, to any person +** obtaining a copy of this software and associated documentation +** files (the "Software"), to deal in the Software without +** restriction, including without limitation the rights to use, copy, +** modify, merge, publish, distribute, sublicense, and/or sell copies +** of the Software, and to permit persons to whom the Software is +** furnished to do so, subject to the following conditions: +** +** The above copyright notice and this permission notice shall be +** included in all copies or substantial portions of the Software. +** +** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY +** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE +** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE +** AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER OR INTERNET +** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE +** OR OTHER DEALINGS IN THE SOFTWARE. +** +** Except as contained in this notice, the name of Internet Business +** Solutions shall not be used in advertising or otherwise to promote +** the sale, use or other dealings in this Software without prior +** written authorization from Internet Business Solutions. +** +*/ + +#include +#include +#include +#include +#include +#include + +int passphrase_dialog(char **passphrase_p, char *message) +{ + char *passphrase; + int result; + + GtkWidget *dialog, *entry, *label; + + dialog = gnome_dialog_new("OpenSSH", GNOME_STOCK_BUTTON_OK, + GNOME_STOCK_BUTTON_CANCEL, NULL); + + label = gtk_label_new(message); + gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), label, FALSE, + FALSE, 0); + + entry = gtk_entry_new(); + gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE, + FALSE, 0); + gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); + gtk_widget_grab_focus(entry); + + /* Center window and prepare for grab */ + gtk_object_set(GTK_OBJECT(dialog), "type", GTK_WINDOW_POPUP, NULL); + gnome_dialog_set_default(GNOME_DIALOG(dialog), 0); + gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER); + gtk_window_set_policy(GTK_WINDOW(dialog), FALSE, FALSE, TRUE); + gnome_dialog_close_hides(GNOME_DIALOG(dialog), TRUE); + gtk_container_set_border_width(GTK_CONTAINER(GNOME_DIALOG(dialog)->vbox), GNOME_PAD); + gtk_widget_show_all(dialog); + + /* Grab focus */ + XGrabServer(GDK_DISPLAY()); + gdk_pointer_grab(dialog->window, TRUE, 0, NULL, NULL, GDK_CURRENT_TIME); + gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME); + + /* Run dialog */ + result = gnome_dialog_run(GNOME_DIALOG(dialog)); + + /* Ungrab */ + XUngrabServer(GDK_DISPLAY()); + gdk_pointer_ungrab(GDK_CURRENT_TIME); + gdk_keyboard_ungrab(GDK_CURRENT_TIME); + gdk_flush(); + + passphrase = gtk_entry_get_text(GTK_ENTRY(entry)); + + /* Take copy of passphrase if user selected OK */ + if (result == 0) + *passphrase_p = strdup(passphrase); + else + *passphrase_p = NULL; + + /* Zero existing passphrase */ + memset(passphrase, '\0', strlen(passphrase)); + gtk_entry_set_text(GTK_ENTRY(entry), passphrase); + + gnome_dialog_close(GNOME_DIALOG(dialog)); + + return (result == 0); +} + +int main(int argc, char **argv) +{ + char *passphrase; + char *message; + + gnome_init("GNOME ssh-askpass", "0.1", argc, argv); + + if (argc == 2) + message = argv[1]; + else + message = "Enter your OpenSSH passphrase:"; + + if (passphrase_dialog(&passphrase, message)) + { + printf("%s\n", passphrase); + memset(passphrase, '\0', strlen(passphrase)); + } + + return 0; +} diff -ruN --exclude CVS ssh-openbsd-1999111200/helper.c openssh-1.2pre10/helper.c --- ssh-openbsd-1999111200/helper.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre10/helper.c Thu Nov 11 10:40:23 1999 @@ -0,0 +1,120 @@ +/* +** +** OpenBSD emulation routines +** +** Damien Miller +** +** Copyright 1999 Internet Business Solutions +** +** Permission is hereby granted, free of charge, to any person +** obtaining a copy of this software and associated documentation +** files (the "Software"), to deal in the Software without +** restriction, including without limitation the rights to use, copy, +** modify, merge, publish, distribute, sublicense, and/or sell copies +** of the Software, and to permit persons to whom the Software is +** furnished to do so, subject to the following conditions: +** +** The above copyright notice and this permission notice shall be +** included in all copies or substantial portions of the Software. +** +** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY +** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE +** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE +** AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER OR INTERNET +** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE +** OR OTHER DEALINGS IN THE SOFTWARE. +** +** Except as contained in this notice, the name of Internet Business +** Solutions shall not be used in advertising or otherwise to promote +** the sale, use or other dealings in this Software without prior +** written authorization from Internet Business Solutions. +** +*/ + +#include +#include +#include +#include +#include + +#include +#include +#include + +#include "rc4.h" +#include "xmalloc.h" +#include "ssh.h" +#include "config.h" +#include "helper.h" + +#ifndef HAVE_ARC4RANDOM + +void get_random_bytes(unsigned char *buf, int len); + +static rc4_t *rc4 = NULL; + +unsigned int arc4random(void) +{ + unsigned int r; + + if (rc4 == NULL) + arc4random_stir(); + + rc4_getbytes(rc4, (unsigned char *)&r, sizeof(r)); + + return(r); +} + +void arc4random_stir(void) +{ + unsigned char rand_buf[32]; + + if (rc4 == NULL) + rc4 = xmalloc(sizeof(*rc4)); + + get_random_bytes(rand_buf, sizeof(rand_buf)); + rc4_key(rc4, rand_buf, sizeof(rand_buf)); +} + +void get_random_bytes(unsigned char *buf, int len) +{ + int random_pool; + int c; +#ifdef HAVE_EGD + char egd_message[2] = { 0x02, 0x00 }; +#endif /* HAVE_EGD */ + + random_pool = open(RANDOM_POOL, O_RDONLY); + if (random_pool == -1) + fatal("Couldn't open random pool \"%s\": %s", RANDOM_POOL, strerror(errno)); + +#ifdef HAVE_EGD + if (len > 255) + fatal("Too many bytes to read from EGD"); + + /* Send blocking read request to EGD */ + egd_message[1] = len; + c = write(random_pool, egd_message, sizeof(egd_message)); + if (c == -1) + fatal("Couldn't write to EGD socket \"%s\": %s", RANDOM_POOL, strerror(errno)); +#endif /* HAVE_EGD */ + + c = read(random_pool, buf, len); + if (c == -1) + fatal("Couldn't read from random pool \"%s\": %s", RANDOM_POOL, strerror(errno)); + + if (c != len) + fatal("Short read from random pool \"%s\"", RANDOM_POOL); + + close(random_pool); +} +#endif /* !HAVE_ARC4RANDOM */ + +#ifndef HAVE_SETPROCTITLE +void setproctitle(const char *fmt, ...) +{ + /* FIXME */ +} +#endif /* !HAVE_SETPROCTITLE */ diff -ruN --exclude CVS ssh-openbsd-1999111200/helper.h openssh-1.2pre10/helper.h --- ssh-openbsd-1999111200/helper.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre10/helper.h Thu Oct 28 14:12:54 1999 @@ -0,0 +1,50 @@ +/* +** +** OpenBSD emulation routines +** +** Damien Miller +** +** Copyright 1999 Internet Business Solutions +** +** Permission is hereby granted, free of charge, to any person +** obtaining a copy of this software and associated documentation +** files (the "Software"), to deal in the Software without +** restriction, including without limitation the rights to use, copy, +** modify, merge, publish, distribute, sublicense, and/or sell copies +** of the Software, and to permit persons to whom the Software is +** furnished to do so, subject to the following conditions: +** +** The above copyright notice and this permission notice shall be +** included in all copies or substantial portions of the Software. +** +** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY +** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE +** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE +** AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER OR INTERNET +** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE +** OR OTHER DEALINGS IN THE SOFTWARE. +** +** Except as contained in this notice, the name of Internet Business +** Solutions shall not be used in advertising or otherwise to promote +** the sale, use or other dealings in this Software without prior +** written authorization from Internet Business Solutions. +** +*/ + +#ifndef _HELPER_H +#define _HELPER_H + +#include "config.h" + +#ifndef HAVE_ARC4RANDOM +unsigned int arc4random(void); +void arc4random_stir(void); +#endif /* !HAVE_ARC4RANDOM */ + +#ifndef HAVE_SETPROCTITLE +void setproctitle(const char *fmt, ...); +#endif /* !HAVE_SETPROCTITLE */ + +#endif /* _HELPER_H */ diff -ruN --exclude CVS ssh-openbsd-1999111200/includes.h openssh-1.2pre10/includes.h --- ssh-openbsd-1999111200/includes.h Wed Nov 3 15:22:48 1999 +++ openssh-1.2pre10/includes.h Thu Nov 11 10:40:23 1999 @@ -24,7 +24,6 @@ #include #include #include -#include #include #include #include @@ -38,11 +37,11 @@ #include #include -#include #include #include #include #include +#include #include #include #include @@ -52,13 +51,35 @@ #include #include #include -#include #include +#include "config.h" + +#ifdef HAVE_PATHS_H +# include +#endif +#ifdef HAVE_ENDIAN_H +# include +#endif + #include "version.h" +#include "helper.h" +#include "mktemp.h" +#include "strlcpy.h" + +#ifdef HAVE_LIBPAM +#include +#endif /* HAVE_PAM */ /* Define this to be the path of the xauth program. */ +#ifndef XAUTH_PATH #define XAUTH_PATH "/usr/X11R6/bin/xauth" +#endif /* XAUTH_PATH */ + +/* Define this to be the path of the rsh program. */ +#ifndef _PATH_RSH +#define _PATH_RSH "/usr/bin/rsh" +#endif /* _PATH_RSH */ /* Define this to use pipes instead of socketpairs for communicating with the client program. Socketpairs do not seem to work on all systems. */ diff -ruN --exclude CVS ssh-openbsd-1999111200/lib/Makefile openssh-1.2pre10/lib/Makefile --- ssh-openbsd-1999111200/lib/Makefile Thu Nov 11 17:21:59 1999 +++ openssh-1.2pre10/lib/Makefile Thu Jan 1 10:00:00 1970 @@ -1,25 +0,0 @@ -.PATH: ${.CURDIR}/.. - -LIB= ssh -SRCS= authfd.c authfile.c bufaux.c buffer.c canohost.c channels.c \ - cipher.c compat.c compress.c crc32.c deattack.c hostfile.c \ - log.c match.c mpaux.c nchan.c packet.c readpass.c rsa.c \ - tildexpand.c ttymodes.c uidswap.c xmalloc.c - -NOPROFILE= yes -NOPIC= yes - -install: - @echo -n - -.include - -.if (${KERBEROS} == "yes") -CFLAGS+= -DKRB4 -I/usr/include/kerberosIV -.if (${AFS} == "yes") -CFLAGS+= -DAFS -SRCS+= radix.c -.endif # AFS -.endif # KERBEROS - -.include diff -ruN --exclude CVS ssh-openbsd-1999111200/login.c openssh-1.2pre10/login.c --- ssh-openbsd-1999111200/login.c Fri Oct 1 02:55:06 1999 +++ openssh-1.2pre10/login.c Thu Nov 11 10:40:23 1999 @@ -20,8 +20,12 @@ #include "includes.h" RCSID("$Id: login.c,v 1.7 1999/09/30 16:55:06 deraadt Exp $"); -#include #include + +#ifdef HAVE_LASTLOG_H +# include +#endif + #include "ssh.h" /* Returns the time when the user last logged in. Returns 0 if the @@ -77,7 +81,9 @@ strncpy(u.ut_line, ttyname + 5, sizeof(u.ut_line)); u.ut_time = time(NULL); strncpy(u.ut_name, user, sizeof(u.ut_name)); +#ifdef HAVE_HOST_IN_UTMP strncpy(u.ut_host, host, sizeof(u.ut_host)); +#endif /* Figure out the file names. */ utmp = _PATH_UTMP; @@ -109,11 +115,14 @@ } } -/* Records that the user has logged out. */ - void record_logout(int pid, const char *ttyname) { +#ifdef HAVE_LIBUTIL_LOGIN const char *line = ttyname + 5; /* /dev/ttyq8 -> ttyq8 */ if (logout(line)) logwtmp(line, "", ""); +#else /* HAVE_LIBUTIL_LOGIN */ + record_login(pid, ttyname, "", -1, "", NULL); +#endif /* HAVE_LIBUTIL_LOGIN */ } + diff -ruN --exclude CVS ssh-openbsd-1999111200/mktemp.c openssh-1.2pre10/mktemp.c --- ssh-openbsd-1999111200/mktemp.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre10/mktemp.c Thu Nov 11 10:40:23 1999 @@ -0,0 +1,188 @@ +/* THIS FILE HAS BEEN MODIFIED FROM THE ORIGINAL OPENBSD SOURCE */ +/* Changes: Removed mktemp */ + +/* + * Copyright (c) 1987, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#if defined(LIBC_SCCS) && !defined(lint) +static char rcsid[] = "$OpenBSD: mktemp.c,v 1.13 1998/06/30 23:03:13 deraadt Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "config.h" +#include "helper.h" + +#ifndef HAVE_MKDTEMP + +static int _gettemp(char *, int *, int, int); + +int +mkstemps(path, slen) + char *path; + int slen; +{ + int fd; + + return (_gettemp(path, &fd, 0, slen) ? fd : -1); +} + +int +mkstemp(path) + char *path; +{ + int fd; + + return (_gettemp(path, &fd, 0, 0) ? fd : -1); +} + +char * +mkdtemp(path) + char *path; +{ + return(_gettemp(path, (int *)NULL, 1, 0) ? path : (char *)NULL); +} + +static int +_gettemp(path, doopen, domkdir, slen) + char *path; + register int *doopen; + int domkdir; + int slen; +{ + register char *start, *trv, *suffp; + struct stat sbuf; + int pid, rval; + + if (doopen && domkdir) { + errno = EINVAL; + return(0); + } + + for (trv = path; *trv; ++trv) + ; + trv -= slen; + suffp = trv; + --trv; + if (trv < path) { + errno = EINVAL; + return (0); + } + pid = getpid(); + while (*trv == 'X' && pid != 0) { + *trv-- = (pid % 10) + '0'; + pid /= 10; + } + while (*trv == 'X') { + char c; + + pid = (arc4random() & 0xffff) % (26+26); + if (pid < 26) + c = pid + 'A'; + else + c = (pid - 26) + 'a'; + *trv-- = c; + } + start = trv + 1; + + /* + * check the target directory; if you have six X's and it + * doesn't exist this runs for a *very* long time. + */ + if (doopen || domkdir) { + for (;; --trv) { + if (trv <= path) + break; + if (*trv == '/') { + *trv = '\0'; + rval = stat(path, &sbuf); + *trv = '/'; + if (rval != 0) + return(0); + if (!S_ISDIR(sbuf.st_mode)) { + errno = ENOTDIR; + return(0); + } + break; + } + } + } + + for (;;) { + if (doopen) { + if ((*doopen = + open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0) + return(1); + if (errno != EEXIST) + return(0); + } else if (domkdir) { + if (mkdir(path, 0700) == 0) + return(1); + if (errno != EEXIST) + return(0); + } else if (lstat(path, &sbuf)) + return(errno == ENOENT ? 1 : 0); + + /* tricky little algorithm for backward compatibility */ + for (trv = start;;) { + if (!*trv) + return (0); + if (*trv == 'Z') { + if (trv == suffp) + return (0); + *trv++ = 'a'; + } else { + if (isdigit(*trv)) + *trv = 'a'; + else if (*trv == 'z') /* inc from z to A */ + *trv = 'A'; + else { + if (trv == suffp) + return (0); + ++*trv; + } + break; + } + } + } + /*NOTREACHED*/ +} + +#endif /* !HAVE_MKDTEMP */ diff -ruN --exclude CVS ssh-openbsd-1999111200/mktemp.h openssh-1.2pre10/mktemp.h --- ssh-openbsd-1999111200/mktemp.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre10/mktemp.h Thu Oct 28 14:12:54 1999 @@ -0,0 +1,11 @@ +#ifndef _MKTEMP_H +#define _MKTEMP_H + +#include "config.h" +#ifndef HAVE_MKDTEMP +int mkstemps(char *path, int slen); +int mkstemp(char *path); +char *mkdtemp(char *path); +#endif /* !HAVE_MKDTEMP */ + +#endif /* _MKTEMP_H */ diff -ruN --exclude CVS ssh-openbsd-1999111200/mpaux.c openssh-1.2pre10/mpaux.c --- ssh-openbsd-1999111200/mpaux.c Thu Oct 28 15:04:49 1999 +++ openssh-1.2pre10/mpaux.c Thu Oct 28 15:23:30 1999 @@ -14,14 +14,22 @@ */ +#include "config.h" #include "includes.h" RCSID("$Id: mpaux.c,v 1.4 1999/10/27 16:37:45 deraadt Exp $"); +#ifdef HAVE_OPENSSL +#include +#include +#endif +#ifdef HAVE_SSL #include +#include +#endif + #include "getput.h" #include "xmalloc.h" -#include void compute_session_id(unsigned char session_id[16], diff -ruN --exclude CVS ssh-openbsd-1999111200/openssh.spec openssh-1.2pre10/openssh.spec --- ssh-openbsd-1999111200/openssh.spec Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre10/openssh.spec Thu Nov 11 12:55:45 1999 @@ -0,0 +1,151 @@ +Summary: OpenSSH free Secure Shell (SSH) implementation +Name: openssh +Version: 1.2pre10 +Release: 1 +Packager: Damien Miller +Source0: openssh-%{version}.tar.gz +Copyright: BSD +Group: Applications/Internet +BuildRoot: /tmp/openssh-%{version}-buildroot + +%package server +Summary: Secure Shell protocol server (sshd) +Requires: openssh chkconfig >= 0.9 +Group: System Environment/Daemons + +%package askpass +Summary: GNOME passphrase dialog +Group: Applications/Internet +Requires: openssh + +%description +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package includes the clients necessary to make encrypted connections +to SSH servers. + +%description server +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package contains the secure shell daemon and its documentation. +The sshd is the server part of the secure shell protocol and allows +ssh clients to connect to your host. + +%description askpass +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package contains the GNOME passphrase dialog. + +%changelog +* Tue Nov 09 1999 Damien Miller +- Use make install +- Subpackages +* Mon Nov 08 1999 Damien Miller +- Added links for slogin +- Fixed perms on manpages +* Sat Oct 30 1999 Damien Miller +- Renamed init script +* Fri Oct 29 1999 Damien Miller +- Back to old binary names +* Thu Oct 28 1999 Damien Miller +- Use autoconf +- New binary names +* Wed Oct 27 1999 Damien Miller +- Initial RPMification, based on Jan "Yenya" Kasprzak's spec. + +%prep + +%setup + +%build + +CFLAGS="$RPM_OPT_FLAGS" \ + ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-gnome-askpass + +make + +%install +rm -rf $RPM_BUILD_ROOT +make install prefix="$RPM_BUILD_ROOT/usr" + +install -d $RPM_BUILD_ROOT/etc/ssh +install -d $RPM_BUILD_ROOT/etc/pam.d/ +install -d $RPM_BUILD_ROOT/etc/rc.d/init.d +install -m644 sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd +install -m755 sshd.init.redhat $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd +install -m600 ssh_config $RPM_BUILD_ROOT/etc/ssh/ssh_config +install -m600 sshd_config $RPM_BUILD_ROOT/etc/ssh/sshd_config + +%clean +rm -rf $RPM_BUILD_ROOT + +%post server +/sbin/chkconfig --add sshd +if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then + /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2 +fi +if test -r /var/run/sshd.pid +then + /etc/rc.d/init.d/sshd restart >&2 +fi + +%preun server +if [ "$1" = 0 ] +then + /etc/rc.d/init.d/sshd stop >&2 + /sbin/chkconfig --del sshd +fi + +%files +%defattr(-,root,root) +%doc COPYING.Ylonen ChangeLog ChangeLog.Ylonen OVERVIEW +%doc README README.Ylonen +%attr(4755,root,root) /usr/bin/ssh +%attr(0755,root,root) /usr/bin/ssh-agent +%attr(0755,root,root) /usr/bin/ssh-keygen +%attr(0755,root,root) /usr/bin/ssh-add +%attr(0755,root,root) /usr/bin/scp +%attr(-,root,root) /usr/bin/slogin +%attr(0644,root,root) /usr/man/man1/ssh.1 +%attr(0644,root,root) /usr/man/man1/ssh-agent.1 +%attr(0644,root,root) /usr/man/man1/ssh-keygen.1 +%attr(0644,root,root) /usr/man/man1/ssh-add.1 +%attr(0644,root,root) /usr/man/man1/scp.1 +%attr(-,root,root) /usr/man/man1/slogin.1 +%attr(0644,root,root) %config /etc/ssh/ssh_config + +%files server +%defattr(-,root,root) +%attr(0755,root,root) /usr/sbin/sshd +%attr(0644,root,root) /usr/man/man8/sshd.8 +%attr(0600,root,root) %config /etc/ssh/sshd_config +%attr(0600,root,root) %config /etc/pam.d/sshd +%attr(0755,root,root) %config /etc/rc.d/init.d/sshd + +%files askpass +%defattr(-,root,root) +%attr(0755,root,root) /usr/lib/ssh/ssh-askpass diff -ruN --exclude CVS ssh-openbsd-1999111200/packet.h openssh-1.2pre10/packet.h --- ssh-openbsd-1999111200/packet.h Tue Sep 28 14:45:36 1999 +++ openssh-1.2pre10/packet.h Thu Oct 28 13:25:17 1999 @@ -15,10 +15,16 @@ /* RCSID("$Id: packet.h,v 1.2 1999/09/28 04:45:36 provos Exp $"); */ +#include "config.h" #ifndef PACKET_H #define PACKET_H +#ifdef HAVE_OPENSSL +#include +#endif +#ifdef HAVE_SSL #include +#endif /* Sets the socket used for communication. Disables encryption until packet_set_encryption_key is called. It is permissible that fd_in diff -ruN --exclude CVS ssh-openbsd-1999111200/pty.c openssh-1.2pre10/pty.c --- ssh-openbsd-1999111200/pty.c Sun Oct 17 06:57:52 1999 +++ openssh-1.2pre10/pty.c Mon Nov 8 15:30:59 1999 @@ -16,6 +16,11 @@ #include "includes.h" RCSID("$Id: pty.c,v 1.5 1999/10/16 20:57:52 deraadt Exp $"); +#ifdef HAVE_PTY_H +/* Unfortunate namespace collision */ +#include +#endif /* HAVE_PTY_H */ + #include "pty.h" #include "ssh.h" diff -ruN --exclude CVS ssh-openbsd-1999111200/rc4.c openssh-1.2pre10/rc4.c --- ssh-openbsd-1999111200/rc4.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre10/rc4.c Thu Oct 28 14:12:54 1999 @@ -0,0 +1,109 @@ +/*! \file rc4.c + \brief Source file for RC4 stream cipher routines + \author Damien Miller + \version 0.0.0 + \date 1999 + + A simple implementation of the RC4 stream cipher, based on the + description given in _Bruce Schneier's_ "Applied Cryptography" + 2nd edition. + + Copyright 1999 Damien Miller + + Permission is hereby granted, free of charge, to any person + obtaining a copy of this software and associated documentation + files (the "Software"), to deal in the Software without + restriction, including without limitation the rights to use, copy, + modify, merge, publish, distribute, sublicense, and/or sell copies + of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY + KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE + WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE + AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER BE LIABLE + FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF + CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION + WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + \warning None of these functions clears its memory after use. It + \warning is the responsability of the calling routines to ensure + \warning that any sensitive data (keystream, key or plaintext) is + \warning properly erased after use. + + \warning The name "RC4" is trademarked in the United States, + \warning you may need to use "RC4 compatible" or "ARC4" + \warning (Alleged RC4). +*/ + +/* $Id: rc4.c,v 1.1.1.1 1999/10/26 05:48:13 damien Exp $ */ + +#include "config.h" + +#ifndef HAVE_ARC4RANDOM +#include "rc4.h" + + +void rc4_key(rc4_t *r, unsigned char *key, int len) +{ + int t; + + for(r->i = 0; r->i < 256; r->i++) + r->s[r->i] = r->i; + + r->j = 0; + for(r->i = 0; r->i < 256; r->i++) + { + r->j = (r->j + r->s[r->i] + key[r->i % len]) % 256; + t = r->s[r->i]; + r->s[r->i] = r->s[r->j]; + r->s[r->j] = t; + } + r->i = r->j = 0; +} + +void rc4_crypt(rc4_t *r, unsigned char *plaintext, int len) +{ + int t; + int c; + + c = 0; + while(c < len) + { + r->i = (r->i + 1) % 256; + r->j = (r->j + r->s[r->i]) % 256; + t = r->s[r->i]; + r->s[r->i] = r->s[r->j]; + r->s[r->j] = t; + + t = (r->s[r->i] + r->s[r->j]) % 256; + + plaintext[c] ^= r->s[t]; + c++; + } +} + +void rc4_getbytes(rc4_t *r, unsigned char *buffer, int len) +{ + int t; + int c; + + c = 0; + while(c < len) + { + r->i = (r->i + 1) % 256; + r->j = (r->j + r->s[r->i]) % 256; + t = r->s[r->i]; + r->s[r->i] = r->s[r->j]; + r->s[r->j] = t; + + t = (r->s[r->i] + r->s[r->j]) % 256; + + buffer[c] = r->s[t]; + c++; + } +} +#endif /* !HAVE_ARC4RANDOM */ diff -ruN --exclude CVS ssh-openbsd-1999111200/rc4.h openssh-1.2pre10/rc4.h --- ssh-openbsd-1999111200/rc4.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre10/rc4.h Thu Oct 28 14:12:54 1999 @@ -0,0 +1,115 @@ +/*! \file rc4.h + \brief Header file for RC4 stream cipher routines + \author Damien Miller + \version 0.0.0 + \date 1999 + + A simple implementation of the RC4 stream cipher, based on the + description given in _Bruce Schneier's_ "Applied Cryptography" + 2nd edition. + + Copyright 1999 Damien Miller + + Permission is hereby granted, free of charge, to any person + obtaining a copy of this software and associated documentation + files (the "Software"), to deal in the Software without + restriction, including without limitation the rights to use, copy, + modify, merge, publish, distribute, sublicense, and/or sell copies + of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY + KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE + WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE + AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER BE LIABLE + FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF + CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION + WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + \warning None of these functions clears its memory after use. It + \warning is the responsability of the calling routines to ensure + \warning that any sensitive data (keystream, key or plaintext) is + \warning properly erased after use. + + \warning The name "RC4" is trademarked in the United States, + \warning you may need to use "RC4 compatible" or "ARC4" + \warning (Alleged RC4). +*/ + +/* $Id: rc4.h,v 1.1.1.1 1999/10/26 05:48:13 damien Exp $ */ + +#ifndef _RC4_H +#define _RC4_H + +#include "config.h" +#ifndef HAVE_ARC4RANDOM + +/*! \struct rc4_t + \brief RC4 stream cipher state object + \var s State array + \var i Monotonic index + \var j Randomised index + + \warning This structure should not be accessed directly. To + \warning initialise a rc4_t object, you should use the rc4_key() + \warning function + + This structure holds the current state of the RC4 algorithm. +*/ +typedef struct +{ + unsigned int s[256]; + int i; + int j; +} rc4_t; + +/*! \fn void rc4_key(rc4_t *r, unsigned char *key, int len); + \brief Set up key structure of RC4 stream cipher + \param r pointer to RC4 structure to be seeded + \param key pointer to buffer containing raw key + \param len length of key + + This function set the internal state of the RC4 data structure + pointed to by \a r using the specified \a key of length \a len. + + This function can use up to 256 bytes of key, any more are ignored. + + \warning Stream ciphers (such as RC4) can be insecure if the same + \warning key is used repeatedly. Ensure that any key specified has + \warning an reasonably sized Initialisation Vector component. +*/ +void rc4_key(rc4_t *r, unsigned char *key, int len); + +/*! \fn rc4_crypt(rc4_t *r, unsigned char *plaintext, int len); + \brief Crypt bytes using RC4 algorithm + \param r pointer to RC4 structure to be used + \param plaintext Pointer to bytes to encrypt + \param len number of bytes to crypt + + This function encrypts one or more bytes (pointed to by \a plaintext) + using the RC4 algorithm. \a r is a state structure that must be + initialiased using the rc4_key() function prior to use. + + Since RC4 XORs each byte of plaintext with a byte of keystream, + this function can be used for both encryption and decryption. +*/ +void rc4_crypt(rc4_t *r, unsigned char *plaintext, int len); + +/*! \fn rc4_getbytes(rc4_t *r, unsigned char *buffer, int len); + \brief Generate key stream using the RC4 stream cipher + \param r pointer to RC4 structure to be used + \param buffer pointer to buffer in which to deposit keystream + \param len number of bytes to deposit + + This function gives access to the raw RC4 key stream. In this + consiguration RC4 can be used as a fast, strong pseudo-random + number generator with a very long period. +*/ +void rc4_getbytes(rc4_t *r, unsigned char *buffer, int len); + +#endif /* !HAVE_ARC4RANDOM */ + +#endif /* _RC4_H */ diff -ruN --exclude CVS ssh-openbsd-1999111200/rsa.h openssh-1.2pre10/rsa.h --- ssh-openbsd-1999111200/rsa.h Wed Sep 29 16:15:00 1999 +++ openssh-1.2pre10/rsa.h Thu Nov 11 10:40:23 1999 @@ -14,23 +14,31 @@ */ /* RCSID("$Id: rsa.h,v 1.2 1999/09/29 06:15:00 deraadt Exp $"); */ +#include "config.h" #ifndef RSA_H #define RSA_H +#ifdef HAVE_OPENSSL +#include +#include +#endif + +#ifdef HAVE_SSL #include #include +#endif /* Calls SSL RSA_generate_key, only copies to prv and pub */ void rsa_generate_key(RSA *prv, RSA *pub, unsigned int bits); /* Indicates whether the rsa module is permitted to show messages on the terminal. */ -void rsa_set_verbose __P((int verbose)); +void rsa_set_verbose(int verbose); -int rsa_alive __P((void)); +int rsa_alive(void); -void rsa_public_encrypt __P((BIGNUM *out, BIGNUM *in, RSA *prv)); -void rsa_private_decrypt __P((BIGNUM *out, BIGNUM *in, RSA *prv)); +void rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *prv); +void rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *prv); #endif /* RSA_H */ diff -ruN --exclude CVS ssh-openbsd-1999111200/scp/Makefile openssh-1.2pre10/scp/Makefile --- ssh-openbsd-1999111200/scp/Makefile Tue Oct 26 06:27:26 1999 +++ openssh-1.2pre10/scp/Makefile Thu Jan 1 10:00:00 1970 @@ -1,18 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= scp -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=555 -.endif - -BINDIR= /usr/bin -MAN= scp.1 - -SRCS= scp.c - -.include diff -ruN --exclude CVS ssh-openbsd-1999111200/scp.c openssh-1.2pre10/scp.c --- ssh-openbsd-1999111200/scp.c Thu Oct 28 15:04:51 1999 +++ openssh-1.2pre10/scp.c Thu Nov 11 21:39:50 1999 @@ -1132,7 +1132,7 @@ (void)gettimeofday(&now, (struct timezone *)0); cursize = statbytes; if (totalbytes != 0) { - ratio = cursize * 100 / totalbytes; + ratio = (cursize >> 10) * 100 / (totalbytes >> 10); ratio = MAX(ratio, 0); ratio = MIN(ratio, 100); } diff -ruN --exclude CVS ssh-openbsd-1999111200/ssh/Makefile openssh-1.2pre10/ssh/Makefile --- ssh-openbsd-1999111200/ssh/Makefile Tue Oct 26 06:27:27 1999 +++ openssh-1.2pre10/ssh/Makefile Thu Jan 1 10:00:00 1970 @@ -1,36 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= ssh -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=4555 -.endif - -BINDIR= /usr/bin -MAN= ssh.1 -LINKS= ${BINDIR}/ssh ${BINDIR}/slogin -MLINKS= ssh.1 slogin.1 - -SRCS= ssh.c sshconnect.c log-client.c readconf.c clientloop.c - -.include # for AFS - -.if (${KERBEROS} == "yes") -CFLAGS+= -DKRB4 -I/usr/include/kerberosIV -LDADD+= -lkrb -DPADD+= ${LIBKRB} -.if (${AFS} == "yes") -CFLAGS+= -DAFS -LDADD+= -lkafs -DPADD+= ${LIBKRBAFS} -.endif # AFS -.endif # KERBEROS - -.include - -LDADD+= -lutil -lz -lcrypto -DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} diff -ruN --exclude CVS ssh-openbsd-1999111200/ssh-add/Makefile openssh-1.2pre10/ssh-add/Makefile --- ssh-openbsd-1999111200/ssh-add/Makefile Thu Oct 28 15:05:00 1999 +++ openssh-1.2pre10/ssh-add/Makefile Thu Jan 1 10:00:00 1970 @@ -1,21 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= ssh-add -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=555 -.endif - -BINDIR= /usr/bin -MAN= ssh-add.1 - -SRCS= ssh-add.c log-client.c - -.include - -LDADD+= -lcrypto -lutil -lz -DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} diff -ruN --exclude CVS ssh-openbsd-1999111200/ssh-add.c openssh-1.2pre10/ssh-add.c --- ssh-openbsd-1999111200/ssh-add.c Wed Nov 3 15:22:51 1999 +++ openssh-1.2pre10/ssh-add.c Tue Nov 9 10:28:04 1999 @@ -52,6 +52,7 @@ fprintf(stderr, "Failed to remove all identitities.\n"); } +#define BUFSIZE 1024 void add_file(AuthenticationConnection *ac, const char *filename) { @@ -59,6 +60,11 @@ RSA *public_key; char *saved_comment, *comment, *pass; int first; + int pipes[2]; + char buf[BUFSIZE]; + int tmp; + pid_t child; + FILE *pipef; key = RSA_new(); public_key = RSA_new(); @@ -80,8 +86,72 @@ /* Ask for a passphrase. */ if (getenv("DISPLAY") && !isatty(fileno(stdin))) { - xfree(saved_comment); - return; + if (pipe(pipes) ==-1) + { + fprintf(stderr, "Creating pipes failed: %s\n", strerror(errno)); + exit(1); + } + if (fflush(NULL)==EOF) + { + fprintf(stderr, "Cannot flush buffers: %s\n", strerror(errno)); + exit(1); + } + switch (child=fork()) + { + case -1: + fprintf(stderr, "Cannot fork: %s\n", strerror(errno)); + exit(1); + case 0: + close(pipes[0]); + if (dup2(pipes[1], 1) ==-1) + { + fprintf(stderr, "dup2 failed: %s\n", strerror(errno)); + exit(1); + } + tmp=snprintf(buf, BUFSIZE, "Need passphrase for %s (%s)", + filename, saved_comment); + /* skip the prompt if it won't fit */ + if (tmp < 0 || tmp >= BUFSIZE) + tmp=execlp(ASKPASS_PROGRAM, "ssh-askpass", 0); + else + tmp=execlp(ASKPASS_PROGRAM, "ssh-askpass", buf, 0); + if (tmp==-1) + { + fprintf(stderr, "Executing ssh-askpass failed: %s\n", + strerror(errno)); + exit(1); + } + break; + default: + close(pipes[1]); + if ( (pipef=fdopen(pipes[0], "r")) ==NULL) + { + fprintf(stderr, "fdopen failed: %s\n", strerror(errno)); + exit(1); + } + if(fgets(buf, sizeof(buf), pipef)==NULL) + { + xfree(saved_comment); + return; + } + fclose(pipef); + if (strchr(buf, '\n')) + *strchr(buf, '\n') = 0; + pass = xstrdup(buf); + memset(buf, 0, sizeof(buf)); + if (waitpid(child, NULL, 0) ==-1) + { + fprintf(stderr, "Waiting for child failed: %s\n", + strerror(errno)); + exit(1); + } + if (strcmp(pass, "") == 0) + { + xfree(saved_comment); + xfree(pass); + return; + } + } } else { diff -ruN --exclude CVS ssh-openbsd-1999111200/ssh-agent/Makefile openssh-1.2pre10/ssh-agent/Makefile --- ssh-openbsd-1999111200/ssh-agent/Makefile Thu Oct 28 15:05:00 1999 +++ openssh-1.2pre10/ssh-agent/Makefile Thu Jan 1 10:00:00 1970 @@ -1,21 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= ssh-agent -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=555 -.endif - -BINDIR= /usr/bin -MAN= ssh-agent.1 - -SRCS= ssh-agent.c log-client.c - -.include - -LDADD+= -lcrypto -lutil -lz -DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} diff -ruN --exclude CVS ssh-openbsd-1999111200/ssh-agent.1 openssh-1.2pre10/ssh-agent.1 --- ssh-openbsd-1999111200/ssh-agent.1 Fri Oct 29 08:54:40 1999 +++ openssh-1.2pre10/ssh-agent.1 Mon Nov 8 15:30:59 1999 @@ -109,6 +109,14 @@ .Pp The agent exits automatically when the command given on the command line terminates. +.Pp +Here's a trick that will allow you to start this up from your .bash_profile (just put it in as the first thing that happens): +.Sp +.Vb 1 + +\& [ ! "$SSH_AGENT_PID" ] && exec ssh-agent -- bash --login +\& ssh-add +.Ve .Sh FILES .Bl -tag -width Ds .It Pa $HOME/.ssh/identity diff -ruN --exclude CVS ssh-openbsd-1999111200/ssh-agent.c openssh-1.2pre10/ssh-agent.c --- ssh-openbsd-1999111200/ssh-agent.c Wed Nov 3 15:22:53 1999 +++ openssh-1.2pre10/ssh-agent.c Wed Nov 10 12:48:08 1999 @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.17 1999/11/02 19:42:36 markus Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.16 1999/10/28 20:41:23 markus Exp $ */ /* @@ -28,7 +28,12 @@ #include "getput.h" #include "mpaux.h" +#ifdef HAVE_OPENSSL +#include +#endif +#ifdef HAVE_SSL #include +#endif typedef struct { @@ -526,7 +531,11 @@ exit(1); } +#if defined(__GNU_LIBRARY__) + while ((ch = getopt(ac, av, "+cks")) != -1) +#else while ((ch = getopt(ac, av, "cks")) != -1) +#endif /* defined(__GNU_LIBRARY__) */ { switch (ch) { diff -ruN --exclude CVS ssh-openbsd-1999111200/ssh-askpass openssh-1.2pre10/ssh-askpass --- ssh-openbsd-1999111200/ssh-askpass Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre10/ssh-askpass Mon Nov 8 15:30:59 1999 @@ -0,0 +1,38 @@ +#!/usr/bin/perl -w + +# Written by Tommi Virtanen . Consider it public domain. + +use strict; +use Tk; + +sub do_it($$;) { + my ($passphrase, $main) = @_; + print $passphrase->get(), "\n"; + $main->destroy(); +} + +sub ask($;) { + my ($prompt)=@_; + my $main=MainWindow->new; + $main->Label(-text=>$prompt)->pack(-fill=>'x'); + my $passphrase=$main->Entry(-show=>'*')->pack(-fill=>'x'); + $passphrase->focus(); + my $buttons=$main->Frame; + $buttons->pack(-side=>'right'); + my $ok=$buttons->Button(-text=>'Ok', + -command=>sub {do_it $passphrase, $main} + )->pack(-side=>'left'); + my $cancel=$buttons->Button(-text=>'Cancel', -command=>[$main=>'destroy']) + ->pack(-side=>'right'); + $main->bind('Tk::Button', '' => 'invoke'); + $main->bind('', [$ok => 'invoke']); + $main->bind('', [$cancel => 'invoke']); + $main->bind('' => [$main => 'grabGlobal']); + + MainLoop; +} + +ask ($#ARGV==0 + ? $ARGV[0] + : 'Please enter your authentication passphrase:'); + diff -ruN --exclude CVS ssh-openbsd-1999111200/ssh-keygen/Makefile openssh-1.2pre10/ssh-keygen/Makefile --- ssh-openbsd-1999111200/ssh-keygen/Makefile Thu Oct 28 15:05:00 1999 +++ openssh-1.2pre10/ssh-keygen/Makefile Thu Jan 1 10:00:00 1970 @@ -1,21 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= ssh-keygen -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=555 -.endif - -BINDIR= /usr/bin -MAN= ssh-keygen.1 - -SRCS= ssh-keygen.c log-client.c - -.include - -LDADD+= -lcrypto -lutil -lz -DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} diff -ruN --exclude CVS ssh-openbsd-1999111200/ssh-keygen.c openssh-1.2pre10/ssh-keygen.c --- ssh-openbsd-1999111200/ssh-keygen.c Fri Oct 1 12:38:09 1999 +++ openssh-1.2pre10/ssh-keygen.c Mon Nov 8 15:30:59 1999 @@ -117,7 +117,7 @@ xfree(old_passphrase); } printf("Key has comment '%s'\n", comment); - + /* Ask the new passphrase (twice). */ if (identity_new_passphrase) { diff -ruN --exclude CVS ssh-openbsd-1999111200/ssh.1 openssh-1.2pre10/ssh.1 --- ssh-openbsd-1999111200/ssh.1 Thu Nov 11 17:21:41 1999 +++ openssh-1.2pre10/ssh.1 Thu Nov 11 17:57:40 1999 @@ -66,7 +66,7 @@ First, if the machine the user logs in from is listed in .Pa /etc/hosts.equiv or -.Pa /etc/shosts.equiv +.Pa /etc/ssh/shosts.equiv on the remote machine, and the user names are the same on both sides, the user is immediately permitted to log in. Second, if @@ -89,10 +89,10 @@ .Pa \&.shosts , .Pa /etc/hosts.equiv , or -.Pa /etc/shosts.equiv , +.Pa /etc/ssh/shosts.equiv , and if additionally the server can verify the client's host key (see -.Pa /etc/ssh_known_hosts +.Pa /etc/ssh/ssh_known_hosts and .Pa $HOME/.ssh/known_hosts in the @@ -250,7 +250,7 @@ database is stored in .Pa \&.ssh/known_hosts in the user's home directory. Additionally, the file -.Pa /etc/ssh_known_hosts +.Pa /etc/ssh/ssh_known_hosts is automatically checked for known hosts. Any new hosts are automatically added to the user's file. If a host's identification ever changes, @@ -418,7 +418,7 @@ command line options, user's configuration file .Pq Pa $HOME/.ssh/config , and system-wide configuration file -.Pq Pa /etc/ssh_config . +.Pq Pa /etc/ssh/ssh_config . For each parameter, the first obtained value will be used. The configuration files contain sections bracketed by "Host" specifications, and that section is only applied for hosts that @@ -542,7 +542,7 @@ .Dq no . .It Cm GlobalKnownHostsFile Specifies a file to use instead of -.Pa /etc/ssh_known_hosts . +.Pa /etc/ssh/ssh_known_hosts . .It Cm HostName Specifies the real host name to log into. This can be used to specify nicnames or abbreviations for hosts. Default is the name given on the @@ -680,7 +680,7 @@ file, and refuses to connect hosts whose host key has changed. This provides maximum protection against trojan horse attacks. However, it can be somewhat annoying if you don't have good -.Pa /etc/ssh_known_hosts +.Pa /etc/ssh/ssh_known_hosts files installed and frequently connect new hosts. Basically this option forces the user to manually add any new hosts. Normally this option is disabled, and new hosts @@ -787,7 +787,7 @@ .It Pa $HOME/.ssh/known_hosts Records host keys for all hosts the user has logged into (that are not in -.Pa /etc/ssh_known_hosts ) . +.Pa /etc/ssh/ssh_known_hosts ) . See .Xr sshd 8 . .It Pa $HOME/.ssh/random_seed @@ -832,7 +832,7 @@ modulus, public exponent, modulus, and comment fields, separated by spaces). This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. -.It Pa /etc/ssh_known_hosts +.It Pa /etc/ssh/ssh_known_hosts Systemwide list of known host keys. This file should be prepared by the system administrator to contain the public host keys of all machines in the organization. This file should be world-readable. This file contains @@ -851,7 +851,7 @@ does not convert the user-supplied name to a canonical name before checking the key, because someone with access to the name servers would then be able to fool host authentication. -.It Pa /etc/ssh_config +.It Pa /etc/ssh/ssh_config Systemwide configuration file. This file provides defaults for those values that are not specified in the user's configuration file, and for those users who do not have a configuration file. This file must @@ -878,7 +878,7 @@ will be installed so that it requires successful RSA host authentication before permitting \s+2.\s0rhosts authentication. If your server machine does not have the client's host key in -.Pa /etc/ssh_known_hosts , +.Pa /etc/ssh/ssh_known_hosts , you can store it in .Pa $HOME/.ssh/known_hosts . The easiest way to do this is to @@ -905,13 +905,13 @@ automatically permitted provided client and server user names are the same. Additionally, successful RSA host authentication is normally required. This file should only be writable by root. -.It Pa /etc/shosts.equiv +.It Pa /etc/ssh/shosts.equiv This file is processed exactly as .Pa /etc/hosts.equiv . This file may be useful to permit logins using .Nm but not using rsh/rlogin. -.It Pa /etc/sshrc +.It Pa /etc/ssh/sshrc Commands in this file are executed by .Nm when the user logs in just before the user's shell (or command) is started. diff -ruN --exclude CVS ssh-openbsd-1999111200/ssh.h openssh-1.2pre10/ssh.h --- ssh-openbsd-1999111200/ssh.h Fri Nov 12 11:19:20 1999 +++ openssh-1.2pre10/ssh.h Fri Nov 12 11:33:04 1999 @@ -18,6 +18,10 @@ #ifndef SSH_H #define SSH_H +#include /* For struct sockaddr_in */ +#include /* For struct pw */ +#include /* For va_list */ + #include "rsa.h" #include "cipher.h" @@ -51,7 +55,10 @@ port if present. */ #define SSH_SERVICE_NAME "ssh" +#ifndef ETCDIR #define ETCDIR "/etc" +#endif /* ETCDIR */ + #define PIDDIR "/var/run" /* System-wide file containing host keys of known hosts. This file should be @@ -64,11 +71,21 @@ are all defined in Makefile.in. Of these, ssh_host_key should be readable only by root, whereas ssh_config should be world-readable. */ -#define HOST_KEY_FILE "/etc/ssh_host_key" -#define SERVER_CONFIG_FILE "/etc/sshd_config" -#define HOST_CONFIG_FILE "/etc/ssh_config" +#define HOST_KEY_FILE ETCDIR "/ssh_host_key" +#define SERVER_CONFIG_FILE ETCDIR "/sshd_config" +#define HOST_CONFIG_FILE ETCDIR "/ssh_config" +#ifndef SSH_PROGRAM #define SSH_PROGRAM "/usr/bin/ssh" +#endif /* SSH_PROGRAM */ + +#ifndef LOGIN_PROGRAM +#define LOGIN_PROGRAM "/usr/bin/login" +#endif /* LOGIN_PROGRAM */ + +#ifndef ASKPASS_PROGRAM +#define ASKPASS_PROGRAM "/usr/lib/ssh/ssh-askpass" +#endif /* ASKPASS_PROGRAM */ /* The process id of the daemon listening for connections is saved here to make it easier to kill the correct daemon when necessary. */ diff -ruN --exclude CVS ssh-openbsd-1999111200/sshconnect.c openssh-1.2pre10/sshconnect.c --- ssh-openbsd-1999111200/sshconnect.c Tue Nov 9 10:30:54 1999 +++ openssh-1.2pre10/sshconnect.c Tue Nov 9 10:35:52 1999 @@ -14,10 +14,19 @@ */ +#include "config.h" #include "includes.h" RCSID("$Id: sshconnect.c,v 1.26 1999/11/07 22:38:39 markus Exp $"); +#ifdef HAVE_OPENSSL +#include +#include +#endif +#ifdef HAVE_SSL #include +#include +#endif + #include "xmalloc.h" #include "rsa.h" #include "ssh.h" @@ -28,7 +37,6 @@ #include "uidswap.h" #include "compat.h" -#include /* Session id for the current session. */ unsigned char session_id[16]; diff -ruN --exclude CVS ssh-openbsd-1999111200/sshd/Makefile openssh-1.2pre10/sshd/Makefile --- ssh-openbsd-1999111200/sshd/Makefile Tue Oct 26 06:27:27 1999 +++ openssh-1.2pre10/sshd/Makefile Thu Jan 1 10:00:00 1970 @@ -1,45 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= sshd -BINOWN= root -BINMODE=555 -BINDIR= /usr/sbin -MAN= sshd.8 - -SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \ - pty.c log-server.c login.c servconf.c serverloop.c - -.include # for KERBEROS and AFS - -.if (${KERBEROS} == "yes") -CFLAGS+= -DKRB4 -I/usr/include/kerberosIV -SRCS+= auth-krb4.c -LDADD+= -lkrb -DPADD+= ${LIBKRB} -.if (${AFS} == "yes") -CFLAGS+= -DAFS -LDADD+= -lkafs -DPADD+= ${LIBKRBAFS} -.endif # AFS -.endif # KERBEROS - -.if (${SKEY} == "yes") -SRCS+= auth-skey.c -.endif - -.include - -LDADD+= -lcrypto -lutil -lz -DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} - -.if (${TCP_WRAPPERS} == "yes") -CFLAGS+= -DLIBWRAP -LDADD+= -lwrap -DPADD+= ${LIBWRAP} -.endif - -.if (${SKEY} == "yes") -CFLAGS+= -DSKEY -LDADD+= -lskey -DPADD+= ${SKEY} -.endif diff -ruN --exclude CVS ssh-openbsd-1999111200/sshd.8 openssh-1.2pre10/sshd.8 --- ssh-openbsd-1999111200/sshd.8 Fri Nov 12 11:19:22 1999 +++ openssh-1.2pre10/sshd.8 Fri Nov 12 11:33:04 1999 @@ -118,7 +118,7 @@ intended for debugging for the server. .It Fl f Ar configuration_file Specifies the name of the configuration file. The default is -.Pa /etc/sshd_config . +.Pa /etc/ssh/sshd_config . .Nm refuses to start if there is no configuration file. .It Fl g Ar login_grace_time @@ -128,7 +128,7 @@ indicates no limit. .It Fl h Ar host_key_file Specifies the file from which the host key is read (default -.Pa /etc/ssh_host_key ) . +.Pa /etc/ssh/ssh_host_key ) . This option must be given if .Nm is not run as root (as the normal @@ -165,7 +165,7 @@ .Sh CONFIGURATION FILE .Nm reads configuration data from -.Pa /etc/sshd_config +.Pa /etc/ssh/sshd_config (or the file specified with .Fl f on the command line). The file @@ -233,7 +233,7 @@ the user name. .It Cm HostKey Specifies the file containing the private host key (default -.Pa /etc/ssh_host_key ) . +.Pa /etc/ssh/ssh_host_key ) . Note that .Nm does not start if this file is group/world-accessible. @@ -242,7 +242,7 @@ authentication. .Pa /etc/hosts.equiv and -.Pa /etc/shosts.equiv +.Pa /etc/ssh/shosts.equiv are still used. The default is .Dq no . .It Cm IgnoreUserKnownHosts @@ -458,7 +458,7 @@ If .Pa $HOME/.ssh/rc exists, runs it; else if -.Pa /etc/sshrc +.Pa /etc/ssh/sshrc exists, runs it; otherwise runs xauth. The .Dq rc @@ -544,7 +544,7 @@ command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi .Sh SSH_KNOWN_HOSTS FILE FORMAT The -.Pa /etc/ssh_known_hosts +.Pa /etc/ssh/ssh_known_hosts and .Pa $HOME/.ssh/known_hosts files contain host public keys for all known hosts. The global file should @@ -567,7 +567,7 @@ .Pp Bits, exponent, and modulus are taken directly from the host key; they can be obtained, e.g., from -.Pa /etc/ssh_host_key.pub . +.Pa /etc/ssh/ssh_host_key.pub . The optional comment field continues to the end of the line, and is not used. .Pp Lines starting with @@ -586,25 +586,25 @@ long, and you definitely don't want to type in the host keys by hand. Rather, generate them by a script or by taking -.Pa /etc/ssh_host_key.pub +.Pa /etc/ssh/ssh_host_key.pub and adding the host names at the front. .Ss Examples closenet,closenet.hut.fi,.\|.\|.\|,130.233.208.41 1024 37 159.\|.\|.93 closenet.hut.fi .Sh FILES .Bl -tag -width Ds -.It Pa /etc/sshd_config +.It Pa /etc/ssh/sshd_config Contains configuration data for .Nm sshd . This file should be writable by root only, but it is recommended (though not necessary) that it be world-readable. -.It Pa /etc/ssh_host_key +.It Pa /etc/ssh/ssh_host_key Contains the private part of the host key. This file should only be owned by root, readable only by root, and not accessible to others. Note that .Nm does not start if this file is group/world-accessible. -.It Pa /etc/ssh_host_key.pub +.It Pa /etc/ssh/ssh_host_key.pub Contains the public part of the host key. This file should be world-readable but writable only by root. Its contents should match the private part. This file is not @@ -632,7 +632,7 @@ The client uses the same files to verify that the remote host is the one we intended to connect. These files should be writable only by root/the owner. -.Pa /etc/ssh_known_hosts +.Pa /etc/ssh/ssh_known_hosts should be world-readable, and .Pa $HOME/.ssh/known_hosts can but need not be world-readable. @@ -694,7 +694,7 @@ of is in negative entries. .Pp Note that this warning also applies to rsh/rlogin. -.It Pa /etc/shosts.equiv +.It Pa /etc/ssh/shosts.equiv This is processed exactly as .Pa /etc/hosts.equiv . However, this file may be useful in environments that want to run both @@ -724,13 +724,13 @@ $proto $cookie | xauth -q -; fi". .Pp If this file does not exist, -.Pa /etc/sshrc +.Pa /etc/ssh/sshrc is run, and if that does not exist either, xauth is used to store the cookie. .Pp This file should be writable only by the user, and need not be readable by anyone else. -.It Pa /etc/sshrc +.It Pa /etc/ssh/sshrc Like .Pa $HOME/.ssh/rc . This can be used to specify diff -ruN --exclude CVS ssh-openbsd-1999111200/sshd.c openssh-1.2pre10/sshd.c --- ssh-openbsd-1999111200/sshd.c Fri Nov 12 11:19:27 1999 +++ openssh-1.2pre10/sshd.c Fri Nov 12 11:33:04 1999 @@ -116,6 +116,7 @@ /* Prototypes for various functions defined later in this file. */ void do_connection(int privileged_port); void do_authentication(char *user, int privileged_port); +void eat_packets_and_disconnect(const char *user); void do_authenticated(struct passwd *pw); void do_exec_pty(const char *command, int ptyfd, int ttyfd, const char *ttyname, struct passwd *pw, const char *term, @@ -127,6 +128,147 @@ void do_child(const char *command, struct passwd *pw, const char *term, const char *display, const char *auth_proto, const char *auth_data, const char *ttyname); +#ifdef HAVE_LIBPAM +static int pamconv(int num_msg, const struct pam_message **msg, + struct pam_response **resp, void *appdata_ptr); +void do_pam_account_and_session(const char *username, const char *password, + const char *remote_user, const char *remote_host); +void pam_cleanup_proc(void *context); + +static struct pam_conv conv = { + pamconv, + NULL +}; +struct pam_handle_t *pamh = NULL; +const char *pampasswd = NULL; +char *pamconv_msg = NULL; + +static int pamconv(int num_msg, const struct pam_message **msg, + struct pam_response **resp, void *appdata_ptr) +{ + int count = 0; + struct pam_response *reply = NULL; + + /* PAM will free this later */ + reply = malloc(num_msg * sizeof(*reply)); + if (reply == NULL) + return PAM_CONV_ERR; + + for(count = 0; count < num_msg; count++) + { + switch (msg[count]->msg_style) + { + case PAM_PROMPT_ECHO_OFF: + if (pampasswd == NULL) + { + free(reply); + return PAM_CONV_ERR; + } + reply[count].resp_retcode = PAM_SUCCESS; + reply[count].resp = xstrdup(pampasswd); + break; + + case PAM_TEXT_INFO: + reply[count].resp_retcode = PAM_SUCCESS; + reply[count].resp = xstrdup(""); + + if (msg[count]->msg == NULL) break; + debug("Adding PAM message: %s", msg[count]->msg); + if (pamconv_msg == NULL) + { + pamconv_msg = malloc(strlen(msg[count]->msg) + 2); + + if (pamconv_msg == NULL) + return PAM_CONV_ERR; + + strncpy(pamconv_msg, msg[count]->msg, strlen(msg[count]->msg)); + pamconv_msg[strlen(msg[count]->msg)] = '\n'; + pamconv_msg[strlen(msg[count]->msg) + 1] = '\0'; + } else + { + pamconv_msg = realloc(pamconv_msg, strlen(pamconv_msg) + strlen(msg[count]->msg) + 2); + strncat(pamconv_msg, msg[count]->msg, strlen(msg[count]->msg)); + pamconv_msg[strlen(pamconv_msg)] = '\n'; + pamconv_msg[strlen(pamconv_msg) + 1] = '\0'; + } + break; + + case PAM_PROMPT_ECHO_ON: + case PAM_ERROR_MSG: + default: + free(reply); + return PAM_CONV_ERR; + } + } + + *resp = reply; + + return PAM_SUCCESS; +} + +void pam_cleanup_proc(void *context) +{ + int pam_retval; + + if (pamh != NULL) + { + pam_retval = pam_close_session((pam_handle_t *)pamh, 0); + if (pam_retval != PAM_SUCCESS) + { + log("Cannot close PAM session: %.200s", + pam_strerror((pam_handle_t *)pamh, pam_retval)); + } + + pam_retval = pam_end((pam_handle_t *)pamh, pam_retval); + if (pam_retval != PAM_SUCCESS) + { + log("Cannot release PAM authentication: %.200s", + pam_strerror((pam_handle_t *)pamh, pam_retval)); + } + } +} + +void do_pam_account_and_session(const char *username, const char *password, const char *remote_user, const char *remote_host) +{ + int pam_retval; + + if (remote_host != NULL) + { + debug("PAM setting rhost to \"%.200s\"", remote_host); + pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, remote_host); + if (pam_retval != PAM_SUCCESS) + { + log("PAM set rhost failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval)); + eat_packets_and_disconnect(username); + } + } + + if (remote_user != NULL) + { + debug("PAM setting ruser to \"%.200s\"", remote_user); + pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user); + if (pam_retval != PAM_SUCCESS) + { + log("PAM set ruser failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval)); + eat_packets_and_disconnect(username); + } + } + + pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0); + if (pam_retval != PAM_SUCCESS) + { + log("PAM rejected by account configuration: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval)); + eat_packets_and_disconnect(username); + } + + pam_retval = pam_open_session((pam_handle_t *)pamh, 0); + if (pam_retval != PAM_SUCCESS) + { + log("PAM session setup failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval)); + eat_packets_and_disconnect(username); + } +} +#endif /* HAVE_LIBPAM */ /* Signal handler for SIGHUP. Sshd execs itself when it receives SIGHUP; the effect is to reread the configuration file (and to regenerate @@ -709,7 +851,27 @@ /* The connection has been terminated. */ log("Closing connection to %.100s", inet_ntoa(sin.sin_addr)); + +#ifdef HAVE_LIBPAM + { + int retval; + + if (pamh != NULL) + { + debug("Closing PAM session."); + retval = pam_close_session((pam_handle_t *)pamh, 0); + + debug("Terminating PAM library."); + if (pam_end((pam_handle_t *)pamh, retval) != PAM_SUCCESS) + log("Cannot release PAM authentication."); + + fatal_remove_cleanup(&pam_cleanup_proc, NULL); + } + } +#endif /* HAVE_LIBPAM */ + packet_close(); + exit(0); } @@ -1003,12 +1165,15 @@ int type; int authenticated = 0; int authentication_failures = 0; - char *password; + char *password = NULL; struct passwd *pw, pwcopy; - char *client_user; + char *client_user = NULL; unsigned int client_host_key_bits; BIGNUM *client_host_key_e, *client_host_key_n; - +#ifdef HAVE_LIBPAM + int pam_retval; +#endif /* HAVE_LIBPAM */ + #ifdef AFS /* If machine has AFS, set process authentication group. */ if (k_hasafs()) { @@ -1020,48 +1185,8 @@ /* Verify that the user is a valid user. */ pw = getpwnam(user); if (!pw || !allowed_user(pw)) - { - /* The user does not exist or access is denied, - but fake indication that authentication is needed. */ - packet_start(SSH_SMSG_FAILURE); - packet_send(); - packet_write_wait(); - - /* Keep reading packets, and always respond with a failure. This is to - avoid disclosing whether such a user really exists. */ - for (;;) - { - /* Read a packet. This will not return if the client disconnects. */ - int plen; - int type = packet_read(&plen); -#ifdef SKEY - int passw_len; - char *password, *skeyinfo; - if (options.password_authentication && - options.skey_authentication == 1 && - type == SSH_CMSG_AUTH_PASSWORD && - (password = packet_get_string(&passw_len)) != NULL && - passw_len == 5 && - strncasecmp(password, "s/key", 5) == 0 && - (skeyinfo = skey_fake_keyinfo(user)) != NULL ){ - /* Send a fake s/key challenge. */ - packet_send_debug(skeyinfo); - } -#endif - if (++authentication_failures >= MAX_AUTH_FAILURES) { - packet_disconnect("Too many authentication failures for %.100s from %.200s", - user, get_canonical_hostname()); - } - /* Send failure. This should be indistinguishable from a failed - authentication. */ - packet_start(SSH_SMSG_FAILURE); - packet_send(); - packet_write_wait(); - } - /*NOTREACHED*/ - abort(); - } - + eat_packets_and_disconnect(user); + /* Take a copy of the returned structure. */ memset(&pwcopy, 0, sizeof(pwcopy)); pwcopy.pw_name = xstrdup(pw->pw_name); @@ -1072,6 +1197,17 @@ pwcopy.pw_shell = xstrdup(pw->pw_shell); pw = &pwcopy; +#ifdef HAVE_LIBPAM + debug("Starting up PAM with username \"%.200s\"", pw->pw_name); + pam_retval = pam_start("sshd", pw->pw_name, &conv, (pam_handle_t**)&pamh); + if (pam_retval != PAM_SUCCESS) + { + log("PAM initialisation failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval)); + eat_packets_and_disconnect(user); + } + fatal_add_cleanup(&pam_cleanup_proc, NULL); +#endif + /* If we are not running as root, the user must have the same uid as the server. */ if (getuid() != 0 && pw->pw_uid != getuid()) @@ -1214,12 +1350,16 @@ log("Rhosts authentication accepted for %.100s, remote %.100s on %.700s.", user, client_user, get_canonical_hostname()); authenticated = 1; +#ifndef HAVE_LIBPAM xfree(client_user); +#endif /* HAVE_LIBPAM */ break; } log("Rhosts authentication failed for %.100s, remote %.100s.", user, client_user); +#ifndef HAVE_LIBPAM xfree(client_user); +#endif /* HAVE_LIBPAM */ break; case SSH_CMSG_AUTH_RHOSTS_RSA: @@ -1259,14 +1399,18 @@ { /* Authentication accepted. */ authenticated = 1; +#ifndef HAVE_LIBPAM xfree(client_user); +#endif /* HAVE_LIBPAM */ BN_clear_free(client_host_key_e); BN_clear_free(client_host_key_n); break; } log("Rhosts authentication failed for %.100s, remote %.100s.", user, client_user); - xfree(client_user); +#ifndef HAVE_LIBPAM + xfree(client_user); +#endif /* HAVE_LIBPAM */ BN_clear_free(client_host_key_e); BN_clear_free(client_host_key_n); break; @@ -1317,6 +1461,22 @@ packet_integrity_check(plen, 4 + passw_len, type); } +#ifdef HAVE_LIBPAM + pampasswd = password; + + pam_retval = pam_authenticate((pam_handle_t *)pamh, 0); + if (pam_retval == PAM_SUCCESS) + { + log("PAM Password authentication accepted for \"%.100s\"", user); + authenticated = 1; + break; + } else + { + log("PAM Password authentication for \"%.100s\" failed: %s", + user, pam_strerror((pam_handle_t *)pamh, pam_retval)); + break; + } +#else /* HAVE_LIBPAM */ /* Try authentication with the password. */ if (auth_password(pw, password)) { @@ -1332,6 +1492,7 @@ memset(password, 0, strlen(password)); xfree(password); break; +#endif /* HAVE_LIBPAM */ case SSH_CMSG_AUTH_TIS: /* TIS Authentication is unsupported */ @@ -1369,6 +1530,20 @@ get_canonical_hostname()); } +#ifdef HAVE_LIBPAM + do_pam_account_and_session(pw->pw_name, password, client_user, get_canonical_hostname()); + + /* Clean up */ + if (client_user != NULL) + xfree(client_user); + + if (password != NULL) + { + memset(password, 0, strlen(password)); + xfree(password); + } +#endif /* HAVE_LIBPAM */ + /* The user has been authenticated and accepted. */ packet_start(SSH_SMSG_SUCCESS); packet_send(); @@ -1378,6 +1553,55 @@ do_authenticated(pw); } +/* Read authentication messages, but return only failures until */ +/* max auth attempts exceeded, then disconnect */ +void eat_packets_and_disconnect(const char *user) +{ + int authentication_failures = 0; + + packet_start(SSH_SMSG_FAILURE); + packet_send(); + packet_write_wait(); + + /* Keep reading packets, and always respond with a failure. This is to + avoid disclosing whether such a user really exists. */ + while(1) + { + /* Read a packet. This will not return if the client disconnects. */ + int plen; +#ifndef SKEY + (void) packet_read(&plen); +#else /* SKEY */ + int type = packet_read(&plen); + int passw_len; + char *password, *skeyinfo; + if (options.password_authentication && + options.skey_authentication == 1 && + type == SSH_CMSG_AUTH_PASSWORD && + (password = packet_get_string(&passw_len)) != NULL && + passw_len == 5 && + strncasecmp(password, "s/key", 5) == 0 && + (skeyinfo = skey_fake_keyinfo(user)) != NULL ) + { + /* Send a fake s/key challenge. */ + packet_send_debug(skeyinfo); + } +#endif /* SKEY */ + if (++authentication_failures >= MAX_AUTH_FAILURES) + { + packet_disconnect("Too many authentication failures for %.100s from %.200s", + user, get_canonical_hostname()); + } + /* Send failure. This should be indistinguishable from a failed + authentication. */ + packet_start(SSH_SMSG_FAILURE); + packet_send(); + packet_write_wait(); + } + /*NOTREACHED*/ + abort(); +} + /* Remove local Xauthority file. */ static void xauthfile_cleanup_proc(void *ignore) @@ -1863,7 +2087,13 @@ /* Check if .hushlogin exists. */ snprintf(line, sizeof line, "%.200s/.hushlogin", pw->pw_dir); quiet_login = stat(line, &st) >= 0; - + +#ifdef HAVE_LIBPAM + /* output the results of the pamconv() */ + if (!quiet_login && pamconv_msg != NULL) + fprintf(stderr, pamconv_msg); +#endif + /* If the user has logged in before, display the time of last login. However, don't display anything extra if a command has been specified (so that ssh can be used to execute commands on a remote @@ -2052,6 +2282,7 @@ struct stat st; char *argv[10]; +#ifndef HAVE_LIBPAM /* pam_nologin handles this */ /* Check /etc/nologin. */ f = fopen("/etc/nologin", "r"); if (f) @@ -2062,10 +2293,13 @@ if (pw->pw_uid != 0) exit(254); } +#endif /* HAVE_LIBPAM */ +#ifdef HAVE_SETLOGIN /* Set login name in the kernel. */ if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); +#endif /* HAVE_SETLOGIN */ /* Set uid, gid, and groups. */ /* Login(1) does this as well, and it needs uid 0 for the "-h" switch, @@ -2178,7 +2412,29 @@ child_set_env(&env, &envsize, "KRBTKFILE", ticket); } #endif /* KRB4 */ - + +#ifdef HAVE_LIBPAM + /* Pull in any environment variables that may have been set by PAM. */ + { + char *equal_sign, var_name[256], var_val[256]; + long this_var; + char **pam_env = pam_getenvlist((pam_handle_t *)pamh); + for(this_var = 0; pam_env && pam_env[this_var]; this_var++) + { + if(strlen(pam_env[this_var]) < (sizeof(var_name) - 1)) + if((equal_sign = strstr(pam_env[this_var], "=")) != NULL) + { + memset(var_name, 0, sizeof(var_name)); + memset(var_val, 0, sizeof(var_val)); + strncpy(var_name, pam_env[this_var], + equal_sign - pam_env[this_var]); + strcpy(var_val, equal_sign + 1); + child_set_env(&env, &envsize, var_name, var_val); + } + } + } +#endif /* HAVE_LIBPAM */ + /* Set XAUTHORITY to always be a local file. */ if (xauthfile) child_set_env(&env, &envsize, "XAUTHORITY", xauthfile); @@ -2340,7 +2596,7 @@ } else { /* Launch login(1). */ - execl("/usr/bin/login", "login", "-h", get_remote_ipaddr(), "-p", "-f", "--", pw->pw_name, NULL); + execl(LOGIN_PROGRAM, "login", "-h", get_remote_ipaddr(), "-p", "-f", "--", pw->pw_name, NULL); /* Login couldn't be executed, die. */ diff -ruN --exclude CVS ssh-openbsd-1999111200/sshd.init.redhat openssh-1.2pre10/sshd.init.redhat --- ssh-openbsd-1999111200/sshd.init.redhat Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre10/sshd.init.redhat Sat Oct 30 09:46:20 1999 @@ -0,0 +1,49 @@ +#!/bin/bash + +# Init file for OpenSSH server daemon +# +# chkconfig: 2345 55 25 +# description: OpenSSH server daemon +# +# processname: sshd +# config: /etc/ssh/ssh_host_key +# config: /etc/ssh/ssh_host_key.pub +# config: /etc/ssh/ssh_random_seed +# config: /etc/ssh/sshd_config +# pidfile: /var/run/sshd.pid + +# source function library +. /etc/rc.d/init.d/functions + +RETVAL=0 + +case "$1" in + start) + echo -n "Starting sshd: " + daemon /usr/sbin/sshd + RETVAL=$? + [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd + echo + ;; + stop) + echo -n "Shutting down sshd: " + killproc sshd + RETVAL=$? + [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd + echo + ;; + restart) + $0 stop + $0 start + RETVAL=$? + ;; + status) + status sshd + RETVAL=$? + ;; + *) + echo "Usage: sshd {start|stop|restart|status}" + exit 1 +esac + +exit $RETVAL diff -ruN --exclude CVS ssh-openbsd-1999111200/sshd.pam openssh-1.2pre10/sshd.pam --- ssh-openbsd-1999111200/sshd.pam Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre10/sshd.pam Fri Oct 29 09:47:09 1999 @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth required /lib/security/pam_pwdb.so shadow +auth required /lib/security/pam_nologin.so +account required /lib/security/pam_pwdb.so +password required /lib/security/pam_cracklib.so +password required /lib/security/pam_pwdb.so shadow nullok use_authtok +session required /lib/security/pam_pwdb.so diff -ruN --exclude CVS ssh-openbsd-1999111200/sshd_config openssh-1.2pre10/sshd_config --- ssh-openbsd-1999111200/sshd_config Fri Nov 12 11:19:27 1999 +++ openssh-1.2pre10/sshd_config Fri Nov 12 12:17:52 1999 @@ -2,48 +2,62 @@ Port 22 ListenAddress 0.0.0.0 -HostKey /etc/ssh_host_key +HostKey /etc/ssh/ssh_host_key ServerKeyBits 768 LoginGraceTime 600 KeyRegenerationInterval 3600 PermitRootLogin yes + +# +# Loglevel replaces QuietMode and FascistLogging +# +SyslogFacility AUTH +LogLevel INFO + # # Don't read ~/.rhosts and ~/.shosts files -IgnoreRhosts yes -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes StrictModes yes X11Forwarding no X11DisplayOffset 10 PrintMotd yes KeepAlive yes - -# Logging +CheckMail no +UseLogin no SyslogFacility AUTH -LogLevel INFO -#obsoletes QuietMode and FascistLogging - RhostsAuthentication no + +# +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts # -# For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no + # +# Don't read ~/.rhosts and ~/.shosts files +# +IgnoreRhosts yes + +# +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +# +#IgnoreUserKnownHosts yes + RSAAuthentication yes # To disable tunneled clear text passwords, change to no here! PasswordAuthentication yes PermitEmptyPasswords no -# Uncomment to disable s/key passwords + +# +# Uncomment to disable s/key passwords (must be compiled with s/key support) +# #SkeyAuthentication no -# To change Kerberos options +# +# To change Kerberos options (must be compiled with Kerberos support) +# #KerberosAuthentication no #KerberosOrLocalPasswd yes #AFSTokenPassing no #KerberosTicketCleanup no - # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes - -#CheckMail yes -#UseLogin no diff -ruN --exclude CVS ssh-openbsd-1999111200/strlcpy.c openssh-1.2pre10/strlcpy.c --- ssh-openbsd-1999111200/strlcpy.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre10/strlcpy.c Thu Oct 28 14:12:54 1999 @@ -0,0 +1,73 @@ +/* $OpenBSD: strlcpy.c,v 1.4 1999/05/01 18:56:41 millert Exp $ */ + +/* + * Copyright (c) 1998 Todd C. Miller + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL + * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; + * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: strlcpy.c,v 1.4 1999/05/01 18:56:41 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +#include "config.h" +#ifndef HAVE_STRLCPY + +/* + * Copy src to string dst of size siz. At most siz-1 characters + * will be copied. Always NUL terminates (unless siz == 0). + * Returns strlen(src); if retval >= siz, truncation occurred. + */ +size_t strlcpy(dst, src, siz) + char *dst; + const char *src; + size_t siz; +{ + register char *d = dst; + register const char *s = src; + register size_t n = siz; + + /* Copy as many bytes as will fit */ + if (n != 0 && --n != 0) { + do { + if ((*d++ = *s++) == 0) + break; + } while (--n != 0); + } + + /* Not enough room in dst, add NUL and traverse rest of src */ + if (n == 0) { + if (siz != 0) + *d = '\0'; /* NUL-terminate dst */ + while (*s++) + ; + } + + return(s - src - 1); /* count does not include NUL */ +} + +#endif /* !HAVE_STRLCPY */ diff -ruN --exclude CVS ssh-openbsd-1999111200/strlcpy.h openssh-1.2pre10/strlcpy.h --- ssh-openbsd-1999111200/strlcpy.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre10/strlcpy.h Thu Oct 28 14:12:54 1999 @@ -0,0 +1,9 @@ +#ifndef _STRLCPY_H +#define _STRLCPY_H + +#include "config.h" +#ifndef HAVE_STRLCPY +size_t strlcpy(char *dst, const char *src, size_t siz); +#endif /* !HAVE_STRLCPY */ + +#endif /* _STRLCPY_H */