diff -ruN --exclude CVS ssh-openbsd-1999111900/COPYING.Ylonen openssh-1.2pre13/COPYING.Ylonen --- ssh-openbsd-1999111900/COPYING.Ylonen Tue Oct 5 12:35:56 1999 +++ openssh-1.2pre13/COPYING.Ylonen Sat Oct 30 09:46:20 1999 @@ -24,7 +24,7 @@ [ The make-ssh-known-hosts script is no longer included. ] [ TSS has been removed. ] [ MD5 is now external. ] -[ RC4 support has been removed. ] +[ RC4 support has been removed (RC4 is used internally for arc4random). ] [ Blowfish is now external. ] The 32-bit CRC implementation in crc32.c is due to Gary S. Brown. diff -ruN --exclude CVS ssh-openbsd-1999111900/ChangeLog openssh-1.2pre13/ChangeLog --- ssh-openbsd-1999111900/ChangeLog Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/ChangeLog Fri Nov 19 15:53:20 1999 @@ -0,0 +1,287 @@ +19991119 + - Merged PAM buffer overrun patch from Chip Salzenberg + - Merged OpenBSD CVS changes + - [auth-rhosts.c auth-rsa.c ssh-agent.c sshconnect.c sshd.c] + more %d vs. %s in fmt-strings + - [authfd.c] + Integers should not be printed with %s + - EGD uses a socket, not a named pipe. Duh. + - Fix includes in fingerprint.c + - Fix scp progress bar bug again. + - Move scp from ${libdir}/ssh to ${libexecdir}/ssh at request of + David Rankin + - Added autoconf option to enable Kerberos 4 support (untested) + - Added autoconf option to enable AFS support (untested) + - Added autoconf option to enable S/Key support (untested) + - Added autoconf option to enable TCP wrappers support (compiles OK) + - Renamed BSD helper function files to bsd-* + - Added tests for login and daemon and enable OpenBSD replacements for + when they are absent. + - Added non-PAM MD5 password support patch from Tudor Bosman + +19991118 + - Merged OpenBSD CVS changes + - [scp.c] foregroundproc() in scp + - [sshconnect.h] include fingerprint.h + - [sshd.c] bugfix: the log() for passwd-auth escaped during logging + changes. + - [ssh.1] Spell my name right. + - Added openssh.com info to README + +19991117 + - Merged OpenBSD CVS changes + - [ChangeLog.Ylonen] noone needs this anymore + - [authfd.c] close-on-exec for auth-socket, ok deraadt + - [hostfile.c] + in known_hosts key lookup the entry for the bits does not need + to match, all the information is contained in n and e. This + solves the problem with buggy servers announcing the wrong + modulus length. markus and me. + - [serverloop.c] + bugfix: check for space if child has terminated, from: + iedowse@maths.tcd.ie + - [ssh-add.1 ssh-add.c ssh-keygen.1 ssh-keygen.c sshconnect.c] + [fingerprint.c fingerprint.h] + rsa key fingerprints, idea from Bjoern Groenvall + - [ssh-agent.1] typo + - [ssh.1] add OpenSSH information to AUTHOR section. okay markus@ + - [sshd.c] + force logging to stderr while loading private key file + (lost while converting to new log-levels) + +19991116 + - Fix some Linux libc5 problems reported by Miles Wilson + - Merged OpenBSD CVS changes: + - [auth-rh-rsa.c auth-rsa.c authfd.c authfd.h hostfile.c mpaux.c] + [mpaux.h ssh-add.c ssh-agent.c ssh.h ssh.c sshd.c] + the keysize of rsa-parameter 'n' is passed implizit, + a few more checks and warnings about 'pretended' keysizes. + - [cipher.c cipher.h packet.c packet.h sshd.c] + remove support for cipher RC4 + - [ssh.c] + a note for legay systems about secuity issues with permanently_set_uid(), + the private hostkey and ptrace() + - [sshconnect.c] + more detailed messages about adding and checking hostkeys + +19991115 + - Merged OpenBSD CVS changes: + - [ssh-add.c] change passphrase loop logic and remove ref to + $DISPLAY, ok niels + - Changed to ssh-add.c broke askpass support. Revised it to be a little more + modular. + - Revised autoconf support for enabling/disabling askpass support. + - Merged more OpenBSD CVS changes: + [auth-krb4.c] + - disconnect if getpeername() fails + - missing xfree(*client) + [canohost.c] + - disconnect if getpeername() fails + - fix comment: we _do_ disconnect if ip-options are set + [sshd.c] + - disconnect if getpeername() fails + - move checking of remote port to central place + [auth-rhosts.c] move checking of remote port to central place + [log-server.c] avoid extra fd per sshd, from millert@ + [readconf.c] print _all_ bad config-options in ssh(1), too + [readconf.h] print _all_ bad config-options in ssh(1), too + [ssh.c] print _all_ bad config-options in ssh(1), too + [sshconnect.c] disconnect if getpeername() fails + - OpenBSD's changes to sshd.c broke the PAM stuff, re-merged it. + - Various small cleanups to bring diff (against OpenBSD) size down. + - Merged more Solaris compability from Marc G. Fournier + + - Wrote autoconf tests for __progname symbol + - RPM spec file fixes from Jim Knoble + - Released 1.2pre12 + + - Another OpenBSD CVS update: + - [ssh-keygen.1] fix .Xr + +19991114 + - Solaris compilation fixes (still imcomplete) + +19991113 + - Build patch from Niels Kristian Bech Jensen + - Don't install config files if they already exist + - Fix inclusion of additional preprocessor directives from acconfig.h + - Removed redundant inclusions of config.h + - Added 'Obsoletes' lines to RPM spec file + - Merged OpenBSD CVS changes: + - [bufaux.c] save a view malloc/memcpy/memset/free's, ok niels + - [scp.c] fix overflow reported by damien@ibs.com.au: off_t + totalsize, ok niels,aaron + - Delay fork (-f option) in ssh until after port forwarded connections + have been initialised. Patch from Jani Hakala + - Added shadow password patch from Thomas Neumann + - Added ifdefs to auth-passwd.c to exclude it when PAM is enabled + - Tidied default config file some more + - Revised Redhat initscript to fix bug: sshd (re)start would fail + if executed from inside a ssh login. + +19991112 + - Merged changes from OpenBSD CVS + - [sshd.c] session_key_int may be zero + - [auth-rh-rsa.c servconf.c servconf.h ssh.h sshd.8 sshd.c sshd_config] + IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok + deraadt,millert + - Brought default sshd_config more in line with OpenBSD's + - Grab server in gnome-ssh-askpass (Debian bug #49872) + - Released 1.2pre10 + + - Added INSTALL documentation + - Merged yet more changes from OpenBSD CVS + - [auth-rh-rsa.c auth-rhosts.c auth-rsa.c channels.c clientloop.c] + [ssh.c ssh.h sshconnect.c sshd.c] + make all access to options via 'extern Options options' + and 'extern ServerOptions options' respectively; + options are no longer passed as arguments: + * make options handling more consistent + * remove #include "readconf.h" from ssh.h + * readconf.h is only included if necessary + - [mpaux.c] clear temp buffer + - [servconf.c] print _all_ bad options found in configfile + - Make ssh-askpass support optional through autoconf + - Fix nasty division-by-zero error in scp.c + - Released 1.2pre11 + +19991111 + - Added (untested) Entropy Gathering Daemon (EGD) support + - Fixed /dev/urandom fd leak (Debian bug #49722) + - Merged OpenBSD CVS changes: + - [auth-rh-rsa.c] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too + - [ssh.1] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too + - [sshd.8] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too + - Fix integer overflow which was messing up scp's progress bar for large + file transfers. Fix submitted to OpenBSD developers. + - Merged more OpenBSD CVS changes: + - [auth-krb4.c auth-passwd.c] remove x11- and krb-cleanup from fatal() + + krb-cleanup cleanup + - [clientloop.c log-client.c log-server.c ] + [readconf.c readconf.h servconf.c servconf.h ] + [ssh.1 ssh.c ssh.h sshd.8] + add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd, + obsoletes QuietMode and FascistLogging in sshd. + - [sshd.c] fix fatal/assert() bug reported by damien@ibs.com.au: + allow session_key_int != sizeof(session_key) + [this should fix the pre-assert-removal-core-files] + - Updated default config file to use new LogLevel option and to improve + readability + +19991110 + - Merged several minor fixes: + - ssh-agent commandline parsing + - RPM spec file now installs ssh setuid root + - Makefile creates libdir + - Merged beginnings of Solaris compability from Marc G. Fournier + + +19991109 + - Autodetection of SSL/Crypto library location via autoconf + - Fixed location of ssh-askpass to follow autoconf + - Integrated Makefile patch from Niels Kristian Bech Jensen + - Autodetection of RSAref library for US users + - Minor doc updates + - Merged OpenBSD CVS changes: + - [rsa.c] bugfix: use correct size for memset() + - [sshconnect.c] warn if announced size of modulus 'n' != real size + - Added GNOME passphrase requestor (use --with-gnome-askpass) + - RPM build now creates subpackages + - Released 1.2pre9 + +19991108 + - Removed debian/ directory. This is now being maintained separately. + - Added symlinks for slogin in RPM spec file + - Fixed permissions on manpages in RPM spec file + - Added references to required libraries in README file + - Removed config.h.in from CVS + - Removed pwdb support (better pluggable auth is provided by glibc) + - Made PAM and requisite libdl optional + - Removed lots of unnecessary checks from autoconf + - Added support and autoconf test for openpty() function (Unix98 pty support) + - Fix for scp not finding ssh if not installed as /usr/bin/ssh + - Added TODO file + - Merged parts of Debian patch From Phil Hands : + - Added ssh-askpass program + - Added ssh-askpass support to ssh-add.c + - Create symlinks for slogin on install + - Fix "distclean" target in makefile + - Added example for ssh-agent to manpage + - Added support for PAM_TEXT_INFO messages + - Disable internal /etc/nologin support if PAM enabled + - Merged latest OpenBSD CVS changes: + - [all] replace assert() with error, fatal or packet_disconnect + - [sshd.c] don't send fail-msg but disconnect if too many authentication + failures + - [sshd.c] remove unused argument. ok dugsong + - [sshd.c] typo + - [rsa.c] clear buffers used for encryption. ok: niels + - [rsa.c] replace assert() with error, fatal or packet_disconnect + - [auth-krb4.c] remove unused argument. ok dugsong + - Fixed coredump after merge of OpenBSD rsa.c patch + - Released 1.2pre8 + +19991102 + - Merged change from OpenBSD CVS + - One-line cleanup in sshd.c + +19991030 + - Integrated debian package support from Dan Brosemer + - Merged latest updates for OpenBSD CVS: + - channels.[ch] - remove broken x11 fix and document istate/ostate + - ssh-agent.c - call setsid() regardless of argv[] + - ssh.c - save a few lines when disabling rhosts-{rsa-}auth + - Documentation cleanups + - Renamed README -> README.Ylonen + - Renamed README.openssh ->README + +19991029 + - Renamed openssh* back to ssh* at request of Theo de Raadt + - Incorporated latest changes from OpenBSD's CVS + - Integrated Makefile patch from Niels Kristian Bech Jensen + - Integrated PAM env patch from Nalin Dahyabhai + - Make distclean now removed configure script + - Improved PAM logging + - Added some debug() calls for PAM + - Removed redundant subdirectories + - Integrated part of a patch from Dan Brosemer for + building on Debian. + - Fixed off-by-one error in PAM env patch + - Released 1.2pre6 + +19991028 + - Further PAM enhancements. + - Much cleaner + - Now uses account and session modules for all logins. + - Integrated patch from Dan Brosemer + - Build fixes + - Autoconf + - Change binary names to open* + - Fixed autoconf script to detect PAM on RH6.1 + - Added tests for libpwdb, and OpenBSD functions to autoconf + - Released 1.2pre4 + + - Imported latest OpenBSD CVS code + - Updated README.openssh + - Released 1.2pre5 + +19991027 + - Adapted PAM patch. + - Released 1.0pre2 + + - Excised my buggy replacements for strlcpy and mkdtemp + - Imported correct OpenBSD strlcpy and mkdtemp routines. + - Reduced arc4random_stir entropy read to 32 bytes (256 bits) + - Picked up correct version number from OpenBSD + - Added sshd.pam PAM configuration file + - Added sshd.init Redhat init script + - Added openssh.spec RPM spec file + - Released 1.2pre3 + +19991026 + - Fixed include paths of OpenSSL functions + - Use OpenSSL MD5 routines + - Imported RC4 code from nanocrypt + - Wrote replacements for OpenBSD arc4random* functions + - Wrote replacements for strlcpy and mkdtemp + - Released 1.0pre1 diff -ruN --exclude CVS ssh-openbsd-1999111900/INSTALL openssh-1.2pre13/INSTALL --- ssh-openbsd-1999111900/INSTALL Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/INSTALL Fri Nov 19 15:53:50 1999 @@ -0,0 +1,111 @@ +1. Prerequisites +---------------- + +You will need working installations of Zlib and OpenSSL. + +Zlib: +http://www.cdrom.com/pub/infozip/zlib/ + +OpenSSL: +http://www.openssl.org/ + +OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system +supports it. PAM is standard on Redhat and Debian Linux and on Solaris. + +PAM: +http://www.kernel.org/pub/linux/libs/pam/ + +If you wish to build the GNOME passphrase requestor, you will need the GNOME +libraries and headers. + +GNOME: +http://www.gnome.org/ + +If you are planning to use OpenSSH on a Unix which lacks a Kernel random +number generator (/dev/urandom), you will need to install the Entropy +Gathering Daemon (or similar). You will also need to specify the +--with-egd-pool option to ./configure. + +EGD: +http://www.lothar.com/tech/crypto/ + + +2. Building / Installation +-------------------------- + +To install OpenSSH with default options: + +./configure +make +make install + +This will install the OpenSSH binaries in /usr/local/bin, configuration files +in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different +installation prefix, use the --prefix option to configure: + +./configure --prefix=/opt +make +make install + +Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override +specific paths, for example: + +./configure --prefix=/opt --sysconfdir=/etc/ssh +make +make install + +This will install the binaries in /opt/{bin,lib,sbin}, but will place the +configuration files in /etc/ssh. + +There are a few other options to the configure script: + +--enable-gnome-askpass will build the GNOME passphrase dialog. You +need a working installation of GNOME, including the development +headers, for this to work. + +--with-random=/some/file allows you to specify an alternate source of +random numbers (the default is /dev/urandom). Unless you are absolutly +sure of what you are doing, it is best to leave this alone. + +--with-egd-pool=/some/file allows you to enable Entropy Gathering +Daemon support and to specify a EGD pool socket. You will need to +use this if your Unix does not support the /dev/urandom device (or +similar). + +--without-askpass will disable X11 password requestor support in +ssh-add + +--with-kerberos4 will enable Kerberos IV support. You will need to +have the Kerberos libraries and header files installed for this to +work. + +--with-afs will enable AFS support. You will need to have the Kerberos +IV and the AFS libraries and header files installed for this to work. + +--with-skey will enable S/Key one time password support. You will need +the S/Key libraries and header files installed for this to work. + +--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny) +support. You will need libwrap.a and tcpd.h installed. + +--with-md5-passwords will enable the use of MD5 passwords. Enable this +if your operating system uses MD5 passwords without using PAM. + + +3. Configuration +---------------- + +The runtime configuration files are installed by in ${prefix}/etc or +whatever you specified as your --sysconfdir (/usr/local/etc by default). + +The default configuration should be instantly usable, though you should +review it to ensure that it matches your security requirements. + +To generate a host key, issue the following command: (replacing +/etc/ssh/ssh_host_key with an appropriate path) + +/usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' + +For more information on configuration, please refer to the manual pages +for sshd, ssh and ssh-agent. + diff -ruN --exclude CVS ssh-openbsd-1999111900/Makefile openssh-1.2pre13/Makefile --- ssh-openbsd-1999111900/Makefile Tue Oct 26 06:27:26 1999 +++ openssh-1.2pre13/Makefile Thu Jan 1 10:00:00 1970 @@ -1,13 +0,0 @@ -# $OpenBSD: Makefile,v 1.5 1999/10/25 20:27:26 markus Exp $ - -.include - -SUBDIR= lib ssh sshd ssh-add ssh-keygen ssh-agent scp - -distribution: - install -C -o root -g wheel -m 0644 ${.CURDIR}/ssh_config \ - ${DESTDIR}/etc/ssh_config - install -C -o root -g wheel -m 0644 ${.CURDIR}/sshd_config \ - ${DESTDIR}/etc/sshd_config - -.include diff -ruN --exclude CVS ssh-openbsd-1999111900/Makefile.in openssh-1.2pre13/Makefile.in --- ssh-openbsd-1999111900/Makefile.in Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/Makefile.in Fri Nov 19 17:18:57 1999 @@ -0,0 +1,108 @@ +prefix=@prefix@ +exec_prefix=@exec_prefix@ +bindir=@bindir@ +sbindir=@sbindir@ +libdir=@libdir@ +libexecdir=@libexecdir@ +mandir=@mandir@ +sysconfdir=@sysconfdir@ + +SSH_PROGRAM=@bindir@/ssh +ASKPASS_PROGRAM=@libexecdir@/ssh/ssh-askpass + +CC=@CC@ +PATHS=-DETCDIR=\"$(sysconfdir)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DASKPASS_PROGRAM=\"$(ASKPASS_PROGRAM)\" +CFLAGS=@CFLAGS@ $(PATHS) @DEFS@ +EXTRA_TARGETS=@GNOME_ASKPASS@ +TARGETS=libssh.a ssh sshd ssh-add ssh-keygen ssh-agent scp $(EXTRA_TARGETS) +LIBS=@LIBS@ +AR=@AR@ +RANLIB=@RANLIB@ + +GNOME_CFLAGS=`gnome-config --cflags gnome gnomeui` +GNOME_LIBS=`gnome-config --libs gnome gnomeui` + +OBJS= authfd.o authfile.o auth-passwd.o auth-rhosts.o auth-rh-rsa.o \ + auth-rsa.o auth-skey.o bufaux.o buffer.o canohost.o channels.o \ + cipher.o clientloop.o compress.o crc32.o deattack.o helper.o \ + hostfile.o log-client.o login.o log-server.o match.o mpaux.o \ + packet.o pty.o readconf.o readpass.o rsa.o servconf.o serverloop.o \ + sshconnect.o tildexpand.o ttymodes.o uidswap.o xmalloc.o \ + helper.o bsd-mktemp.o bsd-strlcpy.o bsd-daemon.o bsd-login.o rc4.o \ + md5crypt.o + +all: $(OBJS) $(TARGETS) + +libssh.a: authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o hostfile.o match.o mpaux.o nchan.o packet.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o xmalloc.o helper.o rc4.o bsd-mktemp.o bsd-strlcpy.o log.o fingerprint.o + $(AR) rv $@ $^ + $(RANLIB) $@ + +ssh: ssh.o sshconnect.o log-client.o readconf.o clientloop.o libssh.a + $(CC) -o $@ $^ $(LFLAGS) $(LIBS) + +sshd: sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o log-server.o login.o servconf.o serverloop.o bsd-login.o bsd-daemon.o md5crypt.o libssh.a + $(CC) -o $@ $^ $(LFLAGS) $(LIBS) + +scp: scp.o libssh.a + $(CC) -o $@ $^ $(LFLAGS) $(LIBS) + +ssh-add: ssh-add.o log-client.o libssh.a + $(CC) -o $@ $^ $(LFLAGS) $(LIBS) + +ssh-agent: ssh-agent.o log-client.o libssh.a + $(CC) -o $@ $^ $(LFLAGS) $(LIBS) + +ssh-keygen: ssh-keygen.o log-client.o libssh.a + $(CC) -o $@ $^ $(LFLAGS) $(LIBS) + +gnome-ssh-askpass: gnome-ssh-askpass.c + $(CC) $(CFLAGS) $(GNOME_CFLAGS) -o $@ gnome-ssh-askpass.c $(GNOME_LIBS) + +clean: + rm -f *.o core $(TARGETS) config.status config.cache config.log + +install: all + install -d $(bindir) + install -d $(sbindir) + install -d $(mandir) + install -d $(mandir)/man1 + install -d $(mandir)/man8 + install -s -c ssh $(bindir)/ssh + install -s -c scp $(bindir)/scp + install -s -c ssh-add $(bindir)/ssh-add + install -s -c ssh-agent $(bindir)/ssh-agent + install -s -c ssh-keygen $(bindir)/ssh-keygen + install -s -c sshd $(sbindir)/sshd + install -m644 -c ssh.1 $(mandir)/man1/ssh.1 + install -m644 -c scp.1 $(mandir)/man1/scp.1 + install -m644 -c ssh-add.1 $(mandir)/man1/ssh-add.1 + install -m644 -c ssh-agent.1 $(mandir)/man1/ssh-agent.1 + install -m644 -c ssh-keygen.1 $(mandir)/man1/ssh-keygen.1 + install -m644 -c sshd.8 $(mandir)/man8/sshd.8 + ln -sf ssh $(bindir)/slogin + ln -sf ssh.1 $(mandir)/man1/slogin.1 + + if [ "x@INSTALL_ASKPASS@" = "xyes" ] ; then \ + install -d $(libdir) ; \ + install -d $(libexecdir)/ssh ; \ + if [ -z "@GNOME_ASKPASS@" ] ; then \ + install -m755 -c ssh-askpass ${ASKPASS_PROGRAM}; \ + else \ + install -m755 -c gnome-ssh-askpass ${ASKPASS_PROGRAM}; \ + fi ; \ + fi + + if [ ! -f $(sysconfdir)/ssh_config -a ! -f $(sysconfdir)/sshd_config ]; then \ + install -d $(sysconfdir); \ + install -m644 ssh_config $(sysconfdir)/ssh_config; \ + install -m644 sshd_config $(sysconfdir)/sshd_config; \ + fi + +distclean: clean + rm -f Makefile config.h core *~ + +mrproper: distclean + +veryclean: distclean + rm -f configure config.h.in + diff -ruN --exclude CVS ssh-openbsd-1999111900/Makefile.inc openssh-1.2pre13/Makefile.inc --- ssh-openbsd-1999111900/Makefile.inc Tue Oct 26 06:27:26 1999 +++ openssh-1.2pre13/Makefile.inc Thu Jan 1 10:00:00 1970 @@ -1,11 +0,0 @@ -CFLAGS+= -I${.CURDIR}/.. - -.include - -.if exists(${.CURDIR}/../lib/${__objdir}) -LDADD+= -L${.CURDIR}/../lib/${__objdir} -lssh -DPADD+= ${.CURDIR}/../lib/${__objdir}/libssh.a -.else -LDADD+= -L${.CURDIR}/../lib -lssh -DPADD+= ${.CURDIR}/../lib/libssh.a -.endif diff -ruN --exclude CVS ssh-openbsd-1999111900/README openssh-1.2pre13/README --- ssh-openbsd-1999111900/README Mon Sep 27 06:53:32 1999 +++ openssh-1.2pre13/README Fri Nov 19 15:53:50 1999 @@ -1,563 +1,85 @@ -Ssh (Secure Shell) is a program to log into another computer over a -network, to execute commands in a remote machine, and to move files -from one machine to another. It provides strong authentication and -secure communications over insecure channels. It is inteded as a -replacement for rlogin, rsh, rcp, and rdist. - -See the file INSTALL for installation instructions. See COPYING for -license terms and other legal issues. See RFC for a description of -the protocol. There is a WWW page for ssh; see http://www.cs.hut.fi/ssh. - -This file has been updated to match ssh-1.2.12. - - -FEATURES - - o Strong authentication. Closes several security holes (e.g., IP, - routing, and DNS spoofing). New authentication methods: .rhosts - together with RSA based host authentication, and pure RSA - authentication. - - o Improved privacy. All communications are automatically and - transparently encrypted. RSA is used for key exchange, and a - conventional cipher (normally IDEA, DES, or triple-DES) for - encrypting the session. Encryption is started before - authentication, and no passwords or other information is - transmitted in the clear. Encryption is also used to protect - against spoofed packets. - - o Secure X11 sessions. The program automatically sets DISPLAY on - the server machine, and forwards any X11 connections over the - secure channel. Fake Xauthority information is automatically - generated and forwarded to the remote machine; the local client - automatically examines incoming X11 connections and replaces the - fake authorization data with the real data (never telling the - remote machine the real information). - - o Arbitrary TCP/IP ports can be redirected through the encrypted channel - in both directions (e.g., for e-cash transactions). - - o No retraining needed for normal users; everything happens - automatically, and old .rhosts files will work with strong - authentication if administration installs host key files. - - o Never trusts the network. Minimal trust on the remote side of - the connection. Minimal trust on domain name servers. Pure RSA - authentication never trusts anything but the private key. - - o Client RSA-authenticates the server machine in the beginning of - every connection to prevent trojan horses (by routing or DNS - spoofing) and man-in-the-middle attacks, and the server - RSA-authenticates the client machine before accepting .rhosts or - /etc/hosts.equiv authentication (to prevent DNS, routing, or - IP-spoofing). - - o Host authentication key distribution can be centrally by the - administration, automatically when the first connection is made - to a machine (the key obtained on the first connection will be - recorded and used for authentication in the future), or manually - by each user for his/her own use. The central and per-user host - key repositories are both used and complement each other. Host - keys can be generated centrally or automatically when the software - is installed. Host authentication keys are typically 1024 bits. - - o Any user can create any number of user authentication RSA keys for - his/her own use. Each user has a file which lists the RSA public - keys for which proof of possession of the corresponding private - key is accepted as authentication. User authentication keys are - typically 1024 bits. - - o The server program has its own server RSA key which is - automatically regenerated every hour. This key is never saved in - any file. Exchanged session keys are encrypted using both the - server key and the server host key. The purpose of the separate - server key is to make it impossible to decipher a captured session by - breaking into the server machine at a later time; one hour from - the connection even the server machine cannot decipher the session - key. The key regeneration interval is configurable. The server - key is normally 768 bits. - - o An authentication agent, running in the user's laptop or local - workstation, can be used to hold the user's RSA authentication - keys. Ssh automatically forwards the connection to the - authentication agent over any connections, and there is no need to - store the RSA authentication keys on any machine in the network - (except the user's own local machine). The authentication - protocols never reveal the keys; they can only be used to verify - that the user's agent has a certain key. Eventually the agent - could rely on a smart card to perform all authentication - computations. - - o The software can be installed and used (with restricted - functionality) even without root privileges. - - o The client is customizable in system-wide and per-user - configuration files. Most aspects of the client's operation can - be configured. Different options can be specified on a per-host basis. - - o Automatically executes conventional rsh (after displaying a - warning) if the server machine is not running sshd. - - o Optional compression of all data with gzip (including forwarded X11 - and TCP/IP port data), which may result in significant speedups on - slow connections. - - o Complete replacement for rlogin, rsh, and rcp. - - -WHY TO USE SECURE SHELL - -Currently, almost all communications in computer networks are done -without encryption. As a consequence, anyone who has access to any -machine connected to the network can listen in on any communication. -This is being done by hackers, curious administrators, employers, -criminals, industrial spies, and governments. Some networks leak off -enough electromagnetic radiation that data may be captured even from a -distance. - -When you log in, your password goes in the network in plain -text. Thus, any listener can then use your account to do any evil he -likes. Many incidents have been encountered worldwide where crackers -have started programs on workstations without the owners knowledge -just to listen to the network and collect passwords. Programs for -doing this are available on the Internet, or can be built by a -competent programmer in a few hours. - -Any information that you type or is printed on your screen can be -monitored, recorded, and analyzed. For example, an intruder who has -penetrated a host connected to a major network can start a program -that listens to all data flowing in the network, and whenever it -encounters a 16-digit string, it checks if it is a valid credit card -number (using the check digit), and saves the number plus any -surrounding text (to catch expiration date and holder) in a file. -When the intruder has collected a few thousand credit card numbers, he -makes smallish mail-order purchases from a few thousand stores around -the world, and disappears when the goods arrive but before anyone -suspects anything. - -Businesses have trade secrets, patent applications in preparation, -pricing information, subcontractor information, client data, personnel -data, financial information, etc. Currently, anyone with access to -the network (any machine on the network) can listen to anything that -goes in the network, without any regard to normal access restrictions. - -Many companies are not aware that information can so easily be -recovered from the network. They trust that their data is safe -since nobody is supposed to know that there is sensitive information -in the network, or because so much other data is transferred in the -network. This is not a safe policy. - -Individual persons also have confidential information, such as -diaries, love letters, health care documents, information about their -personal interests and habits, professional data, job applications, -tax reports, political documents, unpublished manuscripts, etc. - -One should also be aware that economical intelligence and industrial -espionage has recently become a major priority of the intelligence -agencies of major governments. President Clinton recently assigned -economical espionage as the primary task of the CIA, and the French -have repeatedly been publicly boasting about their achievements on -this field. - - -There is also another frightening aspect about the poor security of -communications. Computer storage and analysis capability has -increased so much that it is feasible for governments, major -companies, and criminal organizations to automatically analyze, -identify, classify, and file information about millions of people over -the years. Because most of the work can be automated, the cost of -collecting this information is getting very low. - -Government agencies may be able to monitor major communication -systems, telephones, fax, computer networks, etc., and passively -collect huge amounts of information about all people with any -significant position in the society. Most of this information is not -sensitive, and many people would say there is no harm in someone -getting that information. However, the information starts to get -sensitive when someone has enough of it. You may not mind someone -knowing what you bought from the shop one random day, but you might -not like someone knowing every small thing you have bought in the last -ten years. - -If the government some day starts to move into a more totalitarian -direction (one should remember that Nazi Germany was created by -democratic elections), there is considerable danger of an ultimate -totalitarian state. With enough information (the automatically -collected records of an individual can be manually analyzed when the -person becomes interesting), one can form a very detailed picture of -the individual's interests, opinions, beliefs, habits, friends, -lovers, weaknesses, etc. This information can be used to 1) locate -any persons who might oppose the new system 2) use deception to -disturb any organizations which might rise against the government 3) -eliminate difficult individuals without anyone understanding what -happened. Additionally, if the government can monitor communications -too effectively, it becomes too easy to locate and eliminate any -persons distributing information contrary to the official truth. - -Fighting crime and terrorism are often used as grounds for domestic -surveillance and restricting encryption. These are good goals, but -there is considerable danger that the surveillance data starts to get -used for questionable purposes. I find that it is better to tolerate -a small amount of crime in the society than to let the society become -fully controlled. I am in favor of a fairly strong state, but the -state must never get so strong that people become unable to spread -contra-offical information and unable to overturn the government if it -is bad. The danger is that when you notice that the government is -too powerful, it is too late. Also, the real power may not be where -the official government is. - -For these reasons (privacy, protecting trade secrets, and making it -more difficult to create a totalitarian state), I think that strong -cryptography should be integrated to the tools we use every day. -Using it causes no harm (except for those who wish to monitor -everything), but not using it can cause huge problems. If the society -changes in undesirable ways, then it will be to late to start -encrypting. - -Encryption has had a "military" or "classified" flavor to it. There -are no longer any grounds for this. The military can and will use its -own encryption; that is no excuse to prevent the civilians from -protecting their privacy and secrets. Information on strong -encryption is available in every major bookstore, scientific library, -and patent office around the world, and strong encryption software is -available in every country on the Internet. - -Some people would like to make it illegal to use encryption, or to -force people to use encryption that governments can break. This -approach offers no protection if the government turns bad. Also, the -"bad guys" will be using true strong encryption anyway. Good -encryption techniques are too widely known to make them disappear. -Thus, any "key escrow encryption" or other restrictions will only help -monitor ordinary people and petty criminals. It does not help against -powerful criminals, terrorists, or espionage, because they will know -how to use strong encryption anyway. (One source for internationally -available encryption software is http://www.cs.hut.fi/crypto.) - - -OVERVIEW OF SECURE SHELL - -The software consists of a number of programs. - - sshd Server program run on the server machine. This - listens for connections from client machines, and - whenever it receives a connection, it performs - authentication and starts serving the client. - - ssh This is the client program used to log into another - machine or to execute commands on the other machine. - "slogin" is another name for this program. - - scp Securely copies files from one machine to another. - - ssh-keygen Used to create RSA keys (host keys and user - authentication keys). - - ssh-agent Authentication agent. This can be used to hold RSA - keys for authentication. - - ssh-add Used to register new keys with the agent. - - make-ssh-known-hosts - Used to create the /etc/ssh_known_hosts file. - - -Ssh is the program users normally use. It is started as - - ssh host - -or - - ssh host command - -The first form opens a new shell on the remote machine (after -authentication). The latter form executes the command on the remote -machine. - -When started, the ssh connects sshd on the server machine, verifies -that the server machine really is the machine it wanted to connect, -exchanges encryption keys (in a manner which prevents an outside -listener from getting the keys), performs authentication using .rhosts -and /etc/hosts.equiv, RSA authentication, or conventional password -based authentication. The server then (normally) allocates a -pseudo-terminal and starts an interactive shell or user program. - -The TERM environment variable (describing the type of the user's -terminal) is passed from the client side to the remote side. Also, -terminal modes will be copied from the client side to the remote side -to preserve user preferences (e.g., the erase character). - -If the DISPLAY variable is set on the client side, the server will -create a dummy X server and set DISPLAY accordingly. Any connections -to the dummy X server will be forwarded through the secure channel, -and will be made to the real X server from the client side. An -arbitrary number of X programs can be started during the session, and -starting them does not require anything special from the user. (Note -that the user must not manually set DISPLAY, because then it would -connect directly to the real display instead of going through the -encrypted channel). This behavior can be disabled in the -configuration file or by giving the -x option to the client. - -Arbitrary IP ports can be forwarded over the secure channel. The -program then creates a port on one side, and whenever a connection is -opened to this port, it will be passed over the secure channel, and a -connection will be made from the other side to a specified host:port -pair. Arbitrary IP forwarding must always be explicitly requested, -and cannot be used to forward privileged ports (unless the user is -root). It is possible to specify automatic forwards in a per-user -configuration file, for example to make electronic cash systems work -securely. - -If there is an authentication agent on the client side, connection to -it will be automatically forwarded to the server side. - -For more infomation, see the manual pages ssh(1), sshd(8), scp(1), -ssh-keygen(1), ssh-agent(1), ssh-add(1), and make-ssh-known-hosts(1) -included in this distribution. - - -X11 CONNECTION FORWARDING - -X11 forwarding serves two purposes: it is a convenience to the user -because there is no need to set the DISPLAY variable, and it provides -encrypted X11 connections. I cannot think of any other easy way to -make X11 connections encrypted; modifying the X server, clients or -libraries would require special work for each machine, vendor and -application. Widely used IP-level encryption does not seem likely for -several years. Thus what we have left is faking an X server on the -same machine where the clients are run, and forwarding the connections -to a real X server over the secure channel. - -X11 forwarding works as follows. The client extracts Xauthority -information for the server. It then creates random authorization -data, and sends the random data to the server. The server allocates -an X11 display number, and stores the (fake) Xauthority data for this -display. Whenever an X11 connection is opened, the server forwards -the connection over the secure channel to the client, and the client -parses the first packet of the X11 protocol, substitutes real -authentication data for the fake data (if the fake data matched), and -forwards the connection to the real X server. - -If the display does not have Xauthority data, the server will create a -unix domain socket in /tmp/.X11-unix, and use the unix domain socket -as the display. No authentication information is forwarded in this -case. X11 connections are again forwarded over the secure channel. -To the X server the connections appear to come from the client -machine, and the server must have connections allowed from the local -machine. Using authentication data is always recommended because not -using it makes the display insecure. If XDM is used, it automatically -generates the authentication data. - -One should be careful not to use "xin" or "xstart" or other similar -scripts that explicitly set DISPLAY to start X sessions in a remote -machine, because the connection will then not go over the secure -channel. The recommended way to start a shell in a remote machine is - - xterm -e ssh host & - -and the recommended way to execute an X11 application in a remote -machine is - - ssh -n host emacs & - -If you need to type a password/passphrase for the remote machine, - - ssh -f host emacs - -may be useful. - - - -RSA AUTHENTICATION - -RSA authentication is based on public key cryptograpy. The idea is -that there are two encryption keys, one for encryption and another for -decryption. It is not possible (on human timescale) to derive the -decryption key from the encryption key. The encryption key is called -the public key, because it can be given to anyone and it is not -secret. The decryption key, on the other hand, is secret, and is -called the private key. - -RSA authentication is based on the impossibility of deriving the -private key from the public key. The public key is stored on the -server machine in the user's $HOME/.ssh/authorized_keys file. The -private key is only kept on the user's local machine, laptop, or other -secure storage. Then the user tries to log in, the client tells the -server the public key that the user wishes to use for authentication. -The server then checks if this public key is admissible. If so, it -generates a 256 bit random number, encrypts it with the public key, -and sends the value to the client. The client then decrypts the -number with its private key, computes a 128 bit MD5 checksum from the -resulting data, and sends the checksum back to the server. (Only a -checksum is sent to prevent chosen-plaintext attacks against RSA.) -The server checks computes a checksum from the correct data, -and compares the checksums. Authentication is accepted if the -checksums match. (Theoretically this indicates that the client -only probably knows the correct key, but for all practical purposes -there is no doubt.) - -The RSA private key can be protected with a passphrase. The -passphrase can be any string; it is hashed with MD5 to produce an -encryption key for IDEA, which is used to encrypt the private part of -the key file. With passphrase, authorization requires access to the key -file and the passphrase. Without passphrase, authorization only -depends on possession of the key file. - -RSA authentication is the most secure form of authentication supported -by this software. It does not rely on the network, routers, domain -name servers, or the client machine. The only thing that matters is -access to the private key. - -All this, of course, depends on the security of the RSA algorithm -itself. RSA has been widely known since about 1978, and no effective -methods for breaking it are known if it is used properly. Care has -been taken to avoid the well-known pitfalls. Breaking RSA is widely -believed to be equivalent to factoring, which is a very hard -mathematical problem that has received considerable public research. -So far, no effective methods are known for numbers bigger than about -512 bits. However, as computer speeds and factoring methods are -increasing, 512 bits can no longer be considered secure. The -factoring work is exponential, and 768 or 1024 bits are widely -considered to be secure in the near future. - - -RHOSTS AUTHENTICATION - -Conventional .rhosts and hosts.equiv based authentication mechanisms -are fundamentally insecure due to IP, DNS (domain name server) and -routing spoofing attacks. Additionally this authentication method -relies on the integrity of the client machine. These weaknesses is -tolerable, and been known and exploited for a long time. - -Ssh provides an improved version of these types of authentication, -because they are very convenient for the user (and allow easy -transition from rsh and rlogin). It permits these types of -authentication, but additionally requires that the client host be -authenticated using RSA. - -The server has a list of host keys stored in /etc/ssh_known_host, and -additionally each user has host keys in $HOME/.ssh/known_hosts. Ssh -uses the name servers to obtain the canonical name of the client host, -looks for its public key in its known host files, and requires the -client to prove that it knows the private host key. This prevents IP -and routing spoofing attacks (as long as the client machine private -host key has not been compromized), but is still vulnerable to DNS -attacks (to a limited extent), and relies on the integrity of the -client machine as to who is requesting to log in. This prevents -outsiders from attacking, but does not protect against very powerful -attackers. If maximal security is desired, only RSA authentication -should be used. - -It is possible to enable conventional .rhosts and /etc/hosts.equiv -authentication (without host authentication) at compile time by giving -the option --with-rhosts to configure. However, this is not -recommended, and is not done by default. - -These weaknesses are present in rsh and rlogin. No improvement in -security will be obtained unless rlogin and rsh are completely -disabled (commented out in /etc/inetd.conf). This is highly -recommended. - - -WEAKEST LINKS IN SECURITY - -One should understand that while this software may provide -cryptographically secure communications, it may be easy to -monitor the communications at their endpoints. - -Basically, anyone with root access on the local machine on which you -are running the software may be able to do anything. Anyone with root -access on the server machine may be able to monitor your -communications, and a very talented root user might even be able to -send his/her own requests to your authentication agent. - -One should also be aware that computers send out electromagnetic -radition that can sometimes be picked up hundreds of meters away. -Your keyboard is particularly easy to listen to. The image on your -monitor might also be seen on another monitor in a van parked behind -your house. - -Beware that unwanted visitors might come to your home or office and -use your machine while you are away. They might also make -modifications or install bugs in your hardware or software. - -Beware that the most effective way for someone to decrypt your data -may be with a rubber hose. - - -LEGAL ISSUES - -As far as I am concerned, anyone is permitted to use this software -freely. However, see the file COPYING for detailed copying, -licensing, and distribution information. - -In some countries, particularly France, Russia, Iraq, and Pakistan, -it may be illegal to use any encryption at all without a special -permit, and the rumor has it that you cannot get a permit for any -strong encryption. - -This software may be freely imported into the United States; however, -the United States Government may consider re-exporting it a criminal -offence. - -Note that any information and cryptographic algorithms used in this -software are publicly available on the Internet and at any major -bookstore, scientific library, or patent office worldwide. - -THERE IS NO WARRANTY FOR THIS PROGRAM. Please consult the file -COPYING for more information. - - -MAILING LISTS AND OTHER INFORMATION - -There is a mailing list for ossh. It is ossh@sics.se. If you would -like to join, send a message to majordomo@sics.se with "subscribe -ssh" in body. - -The WWW home page for ssh is http://www.cs.hut.fi/ssh. It contains an -archive of the mailing list, and detailed information about new -releases, mailing lists, and other relevant issues. - -Bug reports should be sent to ossh-bugs@sics.se. - - -ABOUT THE AUTHOR - -This software was written by Tatu Ylonen . I work as a -researcher at Helsinki University of Technology, Finland. For more -information, see http://www.cs.hut.fi/~ylo/. My PGP public key is -available via finger from ylo@cs.hut.fi and from the key servers. I -prefer PGP encrypted mail. - -The author can be contacted via ordinary mail at - Tatu Ylonen - Helsinki University of Technology - Otakaari 1 - FIN-02150 ESPOO - Finland - - Fax. +358-0-4513293 - - -ACKNOWLEDGEMENTS - -I thank Tero Kivinen, Timo Rinne, Janne Snabb, and Heikki Suonsivu for -their help and comments in the design, implementation and porting of -this software. I also thank numerous contributors, including but not -limited to Walker Aumann, Jurgen Botz, Hans-Werner Braun, Stephane -Bortzmeyer, Adrian Colley, Michael Cooper, David Dombek, Jerome -Etienne, Bill Fithen, Mark Fullmer, Bert Gijsbers, Andreas Gustafsson, -Michael Henits, Steve Johnson, Thomas Koenig, Felix Leitner, Gunnar -Lindberg, Andrew Macpherson, Marc Martinec, Paul Mauvais, Donald -McKillican, Leon Mlakar, Robert Muchsel, Mark Treacy, Bryan -O'Sullivan, Mikael Suokas, Ollivier Robert, Jakob Schlyter, Tomasz -Surmacz, Alvar Vinacua, Petri Virkkula, Michael Warfield, and -Cristophe Wolfhugel. - -Thanks also go to Philip Zimmermann, whose PGP software and the -associated legal battle provided inspiration, motivation, and many -useful techniques, and to Bruce Schneier whose book Applied -Cryptography has done a great service in widely distributing knowledge -about cryptographic methods. +This is the port of OpenBSD's excellent OpenSSH to Linux and other +Unices. +OpenSSH is based on the last free version of Tatu Ylonen's SSH with +all patent-encumbered algorithms removed, all known security bugs +fixed, new features reintroduced and many other clean-ups. More +information about SSH itself can be found in the file README.Ylonen. +OpenSSH has been created by Aaron Campbell, Bob Beck, Markus Friedl, +Niels Provos, Theo de Raadt, and Dug Song. It has a homepage at +http://www.openssh.com/ + +This port consists of the re-introduction of autoconf support, PAM +support (for Linux and Solaris), EGD[1] support, and replacements +for OpenBSD library functions that are (regrettably) absent from +other unices. This port has been best tested on Linux, though some +Solaris support is beginning to filter in. This version actively +tracks changes in the OpenBSD CVS repository. + +The PAM support is now more functional than the popular packages of +commercial ssh-1.2.x. It checks "account" and "session" modules for +all logins, not just when using password authentication. + +All new code is released under a XFree style license, which is very +liberal. Please refer to the source files for details. The code in +bsd-*.[ch] is from the OpenBSD project and has its own license (again, +see the source files for details). + +OpenSSH depends on Zlib[2], OpenSSL[3] and optionally PAM[4]. To build +the GNOME[5] pass-phrase requester (--with-gnome-askpass), you will +need the GNOME libraries installed. If you are building OpenSSH on a +Unix which lacks a kernel random number pool (/dev/random), you will +need to install EGD[1]. + +There is now a mailing list for this port of OpenSSH. To +subscribe, send a message consisting of the word 'SUBSCRIBE' to +openssh-unix-dev-request@mindrot.org. This mailing list is intended +for developers who wish to improve on this port or extend it to other +Unices. + +Please refer to the INSTALL document for information on how to install +OpenSSH on your system. + +This patch is developed primarily on Linux, but I am including patches +which improve compatability with other unices. The beginnings of +Solaris support have already been included. + +Damien Miller +Internet Business Solutions + +Credits - + +Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, +Theo de Raadt, and Dug Song - Creators of OpenSSH +'jonchen' - the original author of PAM support of SSH +Chip Salzenberg - Assorted patches +Dan Brosemer - Autoconf and build fixes & Debian scripts +Jim Knoble - RPM spec file fixes +Marc G. Fournier - Solaris patches +Nalin Dahyabhai - PAM environment patch +Niels Kristian Bech Jensen - Assorted patches +Phil Hands - Debian scripts, assorted patches +Thomas Neumann - Shadow passwords +Tudor Bosman - MD5 password support + +Miscellania - + +This version of SSH is based upon code retrieved from the OpenBSD CVS +repository on 1999-11-09 which in turn was based on the last free +version of SSH released by Tatu Ylonen. + +Code in helper.[ch] and gnome-ssh-askpass.c is Copyright 1999 +Internet Business Solutions and is released under a X11-style +license (see source files for details). + +(A)RC4 code in rc4.[ch] is Copyright 1999 Damien Miller. It too is +under a X11-style license (see source file for details). + +References - + +[1] http://www.lothar.com/tech/crypto/ +[2] http://www.cdrom.com/pub/infozip/zlib/ +[3] http://www.openssl.org/ +[4] http://www.kernel.org/pub/linux/libs/pam/ (PAM is standard on Solaris) +[5] http://www.gnome.org/ -Copyright (c) 1995 Tatu Ylonen, Espoo, Finland. diff -ruN --exclude CVS ssh-openbsd-1999111900/README.Ylonen openssh-1.2pre13/README.Ylonen --- ssh-openbsd-1999111900/README.Ylonen Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/README.Ylonen Sat Oct 30 11:30:35 1999 @@ -0,0 +1,563 @@ +Ssh (Secure Shell) is a program to log into another computer over a +network, to execute commands in a remote machine, and to move files +from one machine to another. It provides strong authentication and +secure communications over insecure channels. It is inteded as a +replacement for rlogin, rsh, rcp, and rdist. + +See the file INSTALL for installation instructions. See COPYING for +license terms and other legal issues. See RFC for a description of +the protocol. There is a WWW page for ssh; see http://www.cs.hut.fi/ssh. + +This file has been updated to match ssh-1.2.12. + + +FEATURES + + o Strong authentication. Closes several security holes (e.g., IP, + routing, and DNS spoofing). New authentication methods: .rhosts + together with RSA based host authentication, and pure RSA + authentication. + + o Improved privacy. All communications are automatically and + transparently encrypted. RSA is used for key exchange, and a + conventional cipher (normally IDEA, DES, or triple-DES) for + encrypting the session. Encryption is started before + authentication, and no passwords or other information is + transmitted in the clear. Encryption is also used to protect + against spoofed packets. + + o Secure X11 sessions. The program automatically sets DISPLAY on + the server machine, and forwards any X11 connections over the + secure channel. Fake Xauthority information is automatically + generated and forwarded to the remote machine; the local client + automatically examines incoming X11 connections and replaces the + fake authorization data with the real data (never telling the + remote machine the real information). + + o Arbitrary TCP/IP ports can be redirected through the encrypted channel + in both directions (e.g., for e-cash transactions). + + o No retraining needed for normal users; everything happens + automatically, and old .rhosts files will work with strong + authentication if administration installs host key files. + + o Never trusts the network. Minimal trust on the remote side of + the connection. Minimal trust on domain name servers. Pure RSA + authentication never trusts anything but the private key. + + o Client RSA-authenticates the server machine in the beginning of + every connection to prevent trojan horses (by routing or DNS + spoofing) and man-in-the-middle attacks, and the server + RSA-authenticates the client machine before accepting .rhosts or + /etc/hosts.equiv authentication (to prevent DNS, routing, or + IP-spoofing). + + o Host authentication key distribution can be centrally by the + administration, automatically when the first connection is made + to a machine (the key obtained on the first connection will be + recorded and used for authentication in the future), or manually + by each user for his/her own use. The central and per-user host + key repositories are both used and complement each other. Host + keys can be generated centrally or automatically when the software + is installed. Host authentication keys are typically 1024 bits. + + o Any user can create any number of user authentication RSA keys for + his/her own use. Each user has a file which lists the RSA public + keys for which proof of possession of the corresponding private + key is accepted as authentication. User authentication keys are + typically 1024 bits. + + o The server program has its own server RSA key which is + automatically regenerated every hour. This key is never saved in + any file. Exchanged session keys are encrypted using both the + server key and the server host key. The purpose of the separate + server key is to make it impossible to decipher a captured session by + breaking into the server machine at a later time; one hour from + the connection even the server machine cannot decipher the session + key. The key regeneration interval is configurable. The server + key is normally 768 bits. + + o An authentication agent, running in the user's laptop or local + workstation, can be used to hold the user's RSA authentication + keys. Ssh automatically forwards the connection to the + authentication agent over any connections, and there is no need to + store the RSA authentication keys on any machine in the network + (except the user's own local machine). The authentication + protocols never reveal the keys; they can only be used to verify + that the user's agent has a certain key. Eventually the agent + could rely on a smart card to perform all authentication + computations. + + o The software can be installed and used (with restricted + functionality) even without root privileges. + + o The client is customizable in system-wide and per-user + configuration files. Most aspects of the client's operation can + be configured. Different options can be specified on a per-host basis. + + o Automatically executes conventional rsh (after displaying a + warning) if the server machine is not running sshd. + + o Optional compression of all data with gzip (including forwarded X11 + and TCP/IP port data), which may result in significant speedups on + slow connections. + + o Complete replacement for rlogin, rsh, and rcp. + + +WHY TO USE SECURE SHELL + +Currently, almost all communications in computer networks are done +without encryption. As a consequence, anyone who has access to any +machine connected to the network can listen in on any communication. +This is being done by hackers, curious administrators, employers, +criminals, industrial spies, and governments. Some networks leak off +enough electromagnetic radiation that data may be captured even from a +distance. + +When you log in, your password goes in the network in plain +text. Thus, any listener can then use your account to do any evil he +likes. Many incidents have been encountered worldwide where crackers +have started programs on workstations without the owners knowledge +just to listen to the network and collect passwords. Programs for +doing this are available on the Internet, or can be built by a +competent programmer in a few hours. + +Any information that you type or is printed on your screen can be +monitored, recorded, and analyzed. For example, an intruder who has +penetrated a host connected to a major network can start a program +that listens to all data flowing in the network, and whenever it +encounters a 16-digit string, it checks if it is a valid credit card +number (using the check digit), and saves the number plus any +surrounding text (to catch expiration date and holder) in a file. +When the intruder has collected a few thousand credit card numbers, he +makes smallish mail-order purchases from a few thousand stores around +the world, and disappears when the goods arrive but before anyone +suspects anything. + +Businesses have trade secrets, patent applications in preparation, +pricing information, subcontractor information, client data, personnel +data, financial information, etc. Currently, anyone with access to +the network (any machine on the network) can listen to anything that +goes in the network, without any regard to normal access restrictions. + +Many companies are not aware that information can so easily be +recovered from the network. They trust that their data is safe +since nobody is supposed to know that there is sensitive information +in the network, or because so much other data is transferred in the +network. This is not a safe policy. + +Individual persons also have confidential information, such as +diaries, love letters, health care documents, information about their +personal interests and habits, professional data, job applications, +tax reports, political documents, unpublished manuscripts, etc. + +One should also be aware that economical intelligence and industrial +espionage has recently become a major priority of the intelligence +agencies of major governments. President Clinton recently assigned +economical espionage as the primary task of the CIA, and the French +have repeatedly been publicly boasting about their achievements on +this field. + + +There is also another frightening aspect about the poor security of +communications. Computer storage and analysis capability has +increased so much that it is feasible for governments, major +companies, and criminal organizations to automatically analyze, +identify, classify, and file information about millions of people over +the years. Because most of the work can be automated, the cost of +collecting this information is getting very low. + +Government agencies may be able to monitor major communication +systems, telephones, fax, computer networks, etc., and passively +collect huge amounts of information about all people with any +significant position in the society. Most of this information is not +sensitive, and many people would say there is no harm in someone +getting that information. However, the information starts to get +sensitive when someone has enough of it. You may not mind someone +knowing what you bought from the shop one random day, but you might +not like someone knowing every small thing you have bought in the last +ten years. + +If the government some day starts to move into a more totalitarian +direction (one should remember that Nazi Germany was created by +democratic elections), there is considerable danger of an ultimate +totalitarian state. With enough information (the automatically +collected records of an individual can be manually analyzed when the +person becomes interesting), one can form a very detailed picture of +the individual's interests, opinions, beliefs, habits, friends, +lovers, weaknesses, etc. This information can be used to 1) locate +any persons who might oppose the new system 2) use deception to +disturb any organizations which might rise against the government 3) +eliminate difficult individuals without anyone understanding what +happened. Additionally, if the government can monitor communications +too effectively, it becomes too easy to locate and eliminate any +persons distributing information contrary to the official truth. + +Fighting crime and terrorism are often used as grounds for domestic +surveillance and restricting encryption. These are good goals, but +there is considerable danger that the surveillance data starts to get +used for questionable purposes. I find that it is better to tolerate +a small amount of crime in the society than to let the society become +fully controlled. I am in favor of a fairly strong state, but the +state must never get so strong that people become unable to spread +contra-offical information and unable to overturn the government if it +is bad. The danger is that when you notice that the government is +too powerful, it is too late. Also, the real power may not be where +the official government is. + +For these reasons (privacy, protecting trade secrets, and making it +more difficult to create a totalitarian state), I think that strong +cryptography should be integrated to the tools we use every day. +Using it causes no harm (except for those who wish to monitor +everything), but not using it can cause huge problems. If the society +changes in undesirable ways, then it will be to late to start +encrypting. + +Encryption has had a "military" or "classified" flavor to it. There +are no longer any grounds for this. The military can and will use its +own encryption; that is no excuse to prevent the civilians from +protecting their privacy and secrets. Information on strong +encryption is available in every major bookstore, scientific library, +and patent office around the world, and strong encryption software is +available in every country on the Internet. + +Some people would like to make it illegal to use encryption, or to +force people to use encryption that governments can break. This +approach offers no protection if the government turns bad. Also, the +"bad guys" will be using true strong encryption anyway. Good +encryption techniques are too widely known to make them disappear. +Thus, any "key escrow encryption" or other restrictions will only help +monitor ordinary people and petty criminals. It does not help against +powerful criminals, terrorists, or espionage, because they will know +how to use strong encryption anyway. (One source for internationally +available encryption software is http://www.cs.hut.fi/crypto.) + + +OVERVIEW OF SECURE SHELL + +The software consists of a number of programs. + + sshd Server program run on the server machine. This + listens for connections from client machines, and + whenever it receives a connection, it performs + authentication and starts serving the client. + + ssh This is the client program used to log into another + machine or to execute commands on the other machine. + "slogin" is another name for this program. + + scp Securely copies files from one machine to another. + + ssh-keygen Used to create RSA keys (host keys and user + authentication keys). + + ssh-agent Authentication agent. This can be used to hold RSA + keys for authentication. + + ssh-add Used to register new keys with the agent. + + make-ssh-known-hosts + Used to create the /etc/ssh_known_hosts file. + + +Ssh is the program users normally use. It is started as + + ssh host + +or + + ssh host command + +The first form opens a new shell on the remote machine (after +authentication). The latter form executes the command on the remote +machine. + +When started, the ssh connects sshd on the server machine, verifies +that the server machine really is the machine it wanted to connect, +exchanges encryption keys (in a manner which prevents an outside +listener from getting the keys), performs authentication using .rhosts +and /etc/hosts.equiv, RSA authentication, or conventional password +based authentication. The server then (normally) allocates a +pseudo-terminal and starts an interactive shell or user program. + +The TERM environment variable (describing the type of the user's +terminal) is passed from the client side to the remote side. Also, +terminal modes will be copied from the client side to the remote side +to preserve user preferences (e.g., the erase character). + +If the DISPLAY variable is set on the client side, the server will +create a dummy X server and set DISPLAY accordingly. Any connections +to the dummy X server will be forwarded through the secure channel, +and will be made to the real X server from the client side. An +arbitrary number of X programs can be started during the session, and +starting them does not require anything special from the user. (Note +that the user must not manually set DISPLAY, because then it would +connect directly to the real display instead of going through the +encrypted channel). This behavior can be disabled in the +configuration file or by giving the -x option to the client. + +Arbitrary IP ports can be forwarded over the secure channel. The +program then creates a port on one side, and whenever a connection is +opened to this port, it will be passed over the secure channel, and a +connection will be made from the other side to a specified host:port +pair. Arbitrary IP forwarding must always be explicitly requested, +and cannot be used to forward privileged ports (unless the user is +root). It is possible to specify automatic forwards in a per-user +configuration file, for example to make electronic cash systems work +securely. + +If there is an authentication agent on the client side, connection to +it will be automatically forwarded to the server side. + +For more infomation, see the manual pages ssh(1), sshd(8), scp(1), +ssh-keygen(1), ssh-agent(1), ssh-add(1), and make-ssh-known-hosts(1) +included in this distribution. + + +X11 CONNECTION FORWARDING + +X11 forwarding serves two purposes: it is a convenience to the user +because there is no need to set the DISPLAY variable, and it provides +encrypted X11 connections. I cannot think of any other easy way to +make X11 connections encrypted; modifying the X server, clients or +libraries would require special work for each machine, vendor and +application. Widely used IP-level encryption does not seem likely for +several years. Thus what we have left is faking an X server on the +same machine where the clients are run, and forwarding the connections +to a real X server over the secure channel. + +X11 forwarding works as follows. The client extracts Xauthority +information for the server. It then creates random authorization +data, and sends the random data to the server. The server allocates +an X11 display number, and stores the (fake) Xauthority data for this +display. Whenever an X11 connection is opened, the server forwards +the connection over the secure channel to the client, and the client +parses the first packet of the X11 protocol, substitutes real +authentication data for the fake data (if the fake data matched), and +forwards the connection to the real X server. + +If the display does not have Xauthority data, the server will create a +unix domain socket in /tmp/.X11-unix, and use the unix domain socket +as the display. No authentication information is forwarded in this +case. X11 connections are again forwarded over the secure channel. +To the X server the connections appear to come from the client +machine, and the server must have connections allowed from the local +machine. Using authentication data is always recommended because not +using it makes the display insecure. If XDM is used, it automatically +generates the authentication data. + +One should be careful not to use "xin" or "xstart" or other similar +scripts that explicitly set DISPLAY to start X sessions in a remote +machine, because the connection will then not go over the secure +channel. The recommended way to start a shell in a remote machine is + + xterm -e ssh host & + +and the recommended way to execute an X11 application in a remote +machine is + + ssh -n host emacs & + +If you need to type a password/passphrase for the remote machine, + + ssh -f host emacs + +may be useful. + + + +RSA AUTHENTICATION + +RSA authentication is based on public key cryptograpy. The idea is +that there are two encryption keys, one for encryption and another for +decryption. It is not possible (on human timescale) to derive the +decryption key from the encryption key. The encryption key is called +the public key, because it can be given to anyone and it is not +secret. The decryption key, on the other hand, is secret, and is +called the private key. + +RSA authentication is based on the impossibility of deriving the +private key from the public key. The public key is stored on the +server machine in the user's $HOME/.ssh/authorized_keys file. The +private key is only kept on the user's local machine, laptop, or other +secure storage. Then the user tries to log in, the client tells the +server the public key that the user wishes to use for authentication. +The server then checks if this public key is admissible. If so, it +generates a 256 bit random number, encrypts it with the public key, +and sends the value to the client. The client then decrypts the +number with its private key, computes a 128 bit MD5 checksum from the +resulting data, and sends the checksum back to the server. (Only a +checksum is sent to prevent chosen-plaintext attacks against RSA.) +The server checks computes a checksum from the correct data, +and compares the checksums. Authentication is accepted if the +checksums match. (Theoretically this indicates that the client +only probably knows the correct key, but for all practical purposes +there is no doubt.) + +The RSA private key can be protected with a passphrase. The +passphrase can be any string; it is hashed with MD5 to produce an +encryption key for IDEA, which is used to encrypt the private part of +the key file. With passphrase, authorization requires access to the key +file and the passphrase. Without passphrase, authorization only +depends on possession of the key file. + +RSA authentication is the most secure form of authentication supported +by this software. It does not rely on the network, routers, domain +name servers, or the client machine. The only thing that matters is +access to the private key. + +All this, of course, depends on the security of the RSA algorithm +itself. RSA has been widely known since about 1978, and no effective +methods for breaking it are known if it is used properly. Care has +been taken to avoid the well-known pitfalls. Breaking RSA is widely +believed to be equivalent to factoring, which is a very hard +mathematical problem that has received considerable public research. +So far, no effective methods are known for numbers bigger than about +512 bits. However, as computer speeds and factoring methods are +increasing, 512 bits can no longer be considered secure. The +factoring work is exponential, and 768 or 1024 bits are widely +considered to be secure in the near future. + + +RHOSTS AUTHENTICATION + +Conventional .rhosts and hosts.equiv based authentication mechanisms +are fundamentally insecure due to IP, DNS (domain name server) and +routing spoofing attacks. Additionally this authentication method +relies on the integrity of the client machine. These weaknesses is +tolerable, and been known and exploited for a long time. + +Ssh provides an improved version of these types of authentication, +because they are very convenient for the user (and allow easy +transition from rsh and rlogin). It permits these types of +authentication, but additionally requires that the client host be +authenticated using RSA. + +The server has a list of host keys stored in /etc/ssh_known_host, and +additionally each user has host keys in $HOME/.ssh/known_hosts. Ssh +uses the name servers to obtain the canonical name of the client host, +looks for its public key in its known host files, and requires the +client to prove that it knows the private host key. This prevents IP +and routing spoofing attacks (as long as the client machine private +host key has not been compromized), but is still vulnerable to DNS +attacks (to a limited extent), and relies on the integrity of the +client machine as to who is requesting to log in. This prevents +outsiders from attacking, but does not protect against very powerful +attackers. If maximal security is desired, only RSA authentication +should be used. + +It is possible to enable conventional .rhosts and /etc/hosts.equiv +authentication (without host authentication) at compile time by giving +the option --with-rhosts to configure. However, this is not +recommended, and is not done by default. + +These weaknesses are present in rsh and rlogin. No improvement in +security will be obtained unless rlogin and rsh are completely +disabled (commented out in /etc/inetd.conf). This is highly +recommended. + + +WEAKEST LINKS IN SECURITY + +One should understand that while this software may provide +cryptographically secure communications, it may be easy to +monitor the communications at their endpoints. + +Basically, anyone with root access on the local machine on which you +are running the software may be able to do anything. Anyone with root +access on the server machine may be able to monitor your +communications, and a very talented root user might even be able to +send his/her own requests to your authentication agent. + +One should also be aware that computers send out electromagnetic +radition that can sometimes be picked up hundreds of meters away. +Your keyboard is particularly easy to listen to. The image on your +monitor might also be seen on another monitor in a van parked behind +your house. + +Beware that unwanted visitors might come to your home or office and +use your machine while you are away. They might also make +modifications or install bugs in your hardware or software. + +Beware that the most effective way for someone to decrypt your data +may be with a rubber hose. + + +LEGAL ISSUES + +As far as I am concerned, anyone is permitted to use this software +freely. However, see the file COPYING for detailed copying, +licensing, and distribution information. + +In some countries, particularly France, Russia, Iraq, and Pakistan, +it may be illegal to use any encryption at all without a special +permit, and the rumor has it that you cannot get a permit for any +strong encryption. + +This software may be freely imported into the United States; however, +the United States Government may consider re-exporting it a criminal +offence. + +Note that any information and cryptographic algorithms used in this +software are publicly available on the Internet and at any major +bookstore, scientific library, or patent office worldwide. + +THERE IS NO WARRANTY FOR THIS PROGRAM. Please consult the file +COPYING for more information. + + +MAILING LISTS AND OTHER INFORMATION + +There is a mailing list for ossh. It is ossh@sics.se. If you would +like to join, send a message to majordomo@sics.se with "subscribe +ssh" in body. + +The WWW home page for ssh is http://www.cs.hut.fi/ssh. It contains an +archive of the mailing list, and detailed information about new +releases, mailing lists, and other relevant issues. + +Bug reports should be sent to ossh-bugs@sics.se. + + +ABOUT THE AUTHOR + +This software was written by Tatu Ylonen . I work as a +researcher at Helsinki University of Technology, Finland. For more +information, see http://www.cs.hut.fi/~ylo/. My PGP public key is +available via finger from ylo@cs.hut.fi and from the key servers. I +prefer PGP encrypted mail. + +The author can be contacted via ordinary mail at + Tatu Ylonen + Helsinki University of Technology + Otakaari 1 + FIN-02150 ESPOO + Finland + + Fax. +358-0-4513293 + + +ACKNOWLEDGEMENTS + +I thank Tero Kivinen, Timo Rinne, Janne Snabb, and Heikki Suonsivu for +their help and comments in the design, implementation and porting of +this software. I also thank numerous contributors, including but not +limited to Walker Aumann, Jurgen Botz, Hans-Werner Braun, Stephane +Bortzmeyer, Adrian Colley, Michael Cooper, David Dombek, Jerome +Etienne, Bill Fithen, Mark Fullmer, Bert Gijsbers, Andreas Gustafsson, +Michael Henits, Steve Johnson, Thomas Koenig, Felix Leitner, Gunnar +Lindberg, Andrew Macpherson, Marc Martinec, Paul Mauvais, Donald +McKillican, Leon Mlakar, Robert Muchsel, Mark Treacy, Bryan +O'Sullivan, Mikael Suokas, Ollivier Robert, Jakob Schlyter, Tomasz +Surmacz, Alvar Vinacua, Petri Virkkula, Michael Warfield, and +Cristophe Wolfhugel. + +Thanks also go to Philip Zimmermann, whose PGP software and the +associated legal battle provided inspiration, motivation, and many +useful techniques, and to Bruce Schneier whose book Applied +Cryptography has done a great service in widely distributing knowledge +about cryptographic methods. + + +Copyright (c) 1995 Tatu Ylonen, Espoo, Finland. diff -ruN --exclude CVS ssh-openbsd-1999111900/TODO openssh-1.2pre13/TODO --- ssh-openbsd-1999111900/TODO Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/TODO Fri Nov 12 14:35:58 1999 @@ -0,0 +1,13 @@ +- Replacement for setproctitle() + +- Improve PAM support (a pam_lastlog module will cause sshd to exit) + +- Better documentation + +- Port to other platforms (Finish Solaris support) + +- Fix paths in manpages using autoconf + +- Enable libwrap support using autoconf switch + +- Better testing on non-PAM systems diff -ruN --exclude CVS ssh-openbsd-1999111900/UPGRADING openssh-1.2pre13/UPGRADING --- ssh-openbsd-1999111900/UPGRADING Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/UPGRADING Tue Nov 16 08:02:27 1999 @@ -0,0 +1,35 @@ +OpenSSH is almost completely compatible with the commercial SSH 1.2.x. +There are, however, a few exceptions that you will need to bear in +mind while upgrading: + +1. OpenSSH does not support any patented transport algorithms. + +Only 3DES and Blowfish can be selected. This difference may manifest +itself in the ssh command refusing to read its config files. + +Solution: Edit /etc/ssh/ssh_config and select a different "Cipher" +option ("3des" or "blowfish"). + +2. Old versions of commercial SSH encrypt host keys with IDEA + +The old versions of SSH used a patented algorithm to encrypt their +/etc/ssh/ssh_host_key + +This problem will manifest as sshd not being able to read its host +key. + +Solution: You will need to run the *commercial* version of ssh-keygen +on the host's private key: + +ssh-keygen -u /etc/ssh/ssh_host_key + +3. Incompatible changes to sshd_config format. + +OpenSSH extends the sshd_config file format in a number of ways. There +is currently one change which is incompatible with the old. + +Commercial SSH controlled logging using the "QuietMode" and +"FascistLogging" directives. OpenSSH introduces a more general set of +logging options "SyslogFacility" and "LogLevel". See the sshd manual +page for details. + diff -ruN --exclude CVS ssh-openbsd-1999111900/acconfig.h openssh-1.2pre13/acconfig.h --- ssh-openbsd-1999111900/acconfig.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/acconfig.h Fri Nov 19 15:53:20 1999 @@ -0,0 +1,121 @@ +/* config.h.in. Generated by hand, don't use autoheader. */ + +/* SSL directory. */ +#undef ssldir + +/* Location of lastlog file */ +#undef LASTLOG_LOCATION + +/* Location of random number pool */ +#undef RANDOM_POOL + +/* Are we using the Entropy gathering daemon */ +#undef HAVE_EGD + +/* Define if your ssl headers are included with #include */ +#undef HAVE_SSL + +/* Define if your ssl headers are included with #include */ +#undef HAVE_OPENSSL + +/* Define is utmp.h has a ut_host field */ +#undef HAVE_HOST_IN_UTMP + +/* Define is libutil has login() function */ +#undef HAVE_LIBUTIL_LOGIN + +/* Define if you want external askpass support */ +#undef USE_EXTERNAL_ASKPASS + +/* Define if libc defines __progname */ +#undef HAVE___PROGNAME + +/* Define if you want Kerberos 4 support */ +#undef KRB4 + +/* Define if you want AFS support */ +#undef AFS + +/* Define if you want S/Key support */ +#undef SKEY + +/* Define if you want TCP Wrappers support */ +#undef LIBWRAP + +/* Define if your libraries define login() */ +#undef HAVE_LOGIN + +/* Define if your libraries define daemon() */ +#undef HAVE_DAEMON + +/* Define if you want to allow MD5 passwords */ +#undef HAVE_MD5_PASSWORDS + +@BOTTOM@ + +/* ******************* Shouldn't need to edit below this line ************** */ + +#include /* For u_intXX_t */ +#include /* For SHUT_XXXX */ +#include /* For _PATH_XXX */ + +#ifndef SHUT_RDWR +enum +{ + SHUT_RD = 0, /* No more receptions. */ +#define SHUT_RD SHUT_RD + SHUT_WR, /* No more transmissions. */ +#define SHUT_WR SHUT_WR + SHUT_RDWR /* No more receptions or transmissions. */ +#define SHUT_RDWR SHUT_RDWR +}; +#endif + +#if !defined(u_int32_t) && defined(uint32_t) +#define u_int32_t uint32_t +#endif + +#if !defined(u_int16_t) && defined(uint16_t) +#define u_int16_t uint16_t +#endif + +#if !defined(quad_t) && defined(int64_t) +#define quad_t int64_t +#endif + +#ifndef _PATH_LASTLOG +# ifdef LASTLOG_LOCATION +# define _PATH_LASTLOG LASTLOG_LOCATION +# endif +#endif + +#ifndef _PATH_UTMP +# ifdef UTMP_FILE +# define _PATH_UTMP UTMP_FILE +# endif +#endif + +#ifndef _PATH_WTMP +# ifdef WTMP_FILE +# define _PATH_WTMP WTMP_FILE +# endif +#endif + +#ifndef _PATH_BSHELL +# define _PATH_BSHELL "/bin/sh" +#endif + +#ifndef _PATH_STDPATH +# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin:" +#endif + +#ifndef _PATH_MAILDIR +# ifdef MAILDIR +# define _PATH_MAILDIR MAILDIR +# endif +#endif + +#ifndef MAX +# define MAX(a,b) (((a)>(b))?(a):(b)) +# define MIN(a,b) (((a)<(b))?(a):(b)) +#endif diff -ruN --exclude CVS ssh-openbsd-1999111900/auth-passwd.c openssh-1.2pre13/auth-passwd.c --- ssh-openbsd-1999111900/auth-passwd.c Thu Nov 11 17:21:27 1999 +++ openssh-1.2pre13/auth-passwd.c Fri Nov 19 15:53:20 1999 @@ -15,12 +15,26 @@ */ #include "includes.h" + +#ifndef HAVE_PAM + RCSID("$Id: auth-passwd.c,v 1.9 1999/11/10 22:24:01 markus Exp $"); #include "packet.h" #include "ssh.h" #include "servconf.h" #include "xmalloc.h" +#include "config.h" + +#ifdef HAVE_SHADOW_H +#include +#endif + +#ifdef HAVE_MD5_PASSWORDS +#include "md5crypt.h" +#endif + +/* Don't need anything from here if we are using PAM */ /* Tries to authenticate the user using password. Returns true if authentication succeeds. */ @@ -29,6 +43,9 @@ { extern ServerOptions options; char *encrypted_password; +#ifdef HAVE_SHADOW_H + struct spwd *spw; +#endif if (pw->pw_uid == 0 && options.permit_root_login == 2) { @@ -164,11 +181,38 @@ return 1; /* The user has no password and an empty password was tried. */ } +#ifdef HAVE_SHADOW_H + spw = getspnam(pw->pw_name); + if (spw == NULL) + return(0); + + if ((spw->sp_namp == NULL) || (strcmp(pw->pw_name, spw->sp_namp) != 0)) + fatal("Shadow lookup returned garbage."); + + if (strlen(spw->sp_pwdp) < 3) + return(0); + + /* Encrypt the candidate password using the proper salt. */ +#ifdef HAVE_MD5_PASSWORDS + if (is_md5_salt(spw->sp_pwdp)) + encrypted_password = md5_crypt(password, spw->sp_pwdp); + else + encrypted_password = crypt(password, spw->sp_pwdp); +#else /* HAVE_MD5_PASSWORDS */ + encrypted_password = crypt(password, spw->sp_pwdp); +#endif /* HAVE_MD5_PASSWORDS */ + + /* Authentication is accepted if the encrypted passwords are identical. */ + return (strcmp(encrypted_password, spw->sp_pwdp) == 0); +#else /* !HAVE_SHADOW_H */ + /* Encrypt the candidate password using the proper salt. */ encrypted_password = crypt(password, (pw->pw_passwd[0] && pw->pw_passwd[1]) ? pw->pw_passwd : "xx"); - /* Authentication is accepted if the encrypted passwords are identical. */ return (strcmp(encrypted_password, pw->pw_passwd) == 0); +#endif /* !HAVE_SHADOW_H */ } + +#endif /* !HAVE_PAM */ diff -ruN --exclude CVS ssh-openbsd-1999111900/auth-rsa.c openssh-1.2pre13/auth-rsa.c --- ssh-openbsd-1999111900/auth-rsa.c Fri Nov 19 08:16:23 1999 +++ openssh-1.2pre13/auth-rsa.c Fri Nov 19 08:25:48 1999 @@ -26,8 +26,14 @@ #include "uidswap.h" #include "servconf.h" +#ifdef HAVE_OPENSSL +#include +#include +#endif +#ifdef HAVE_SSL #include #include +#endif /* Flags that may be set in authorized_keys options. */ extern int no_port_forwarding_flag; diff -ruN --exclude CVS ssh-openbsd-1999111900/auth-skey.c openssh-1.2pre13/auth-skey.c --- ssh-openbsd-1999111900/auth-skey.c Sun Oct 17 06:57:52 1999 +++ openssh-1.2pre13/auth-skey.c Fri Nov 19 13:03:26 1999 @@ -1,3 +1,5 @@ +#ifdef SKEY + #include "includes.h" RCSID("$Id: auth-skey.c,v 1.2 1999/10/16 20:57:52 deraadt Exp $"); @@ -147,3 +149,5 @@ } return skeyprompt; } + +#endif SKEY diff -ruN --exclude CVS ssh-openbsd-1999111900/authfd.c openssh-1.2pre13/authfd.c --- ssh-openbsd-1999111900/authfd.c Fri Nov 19 08:16:24 1999 +++ openssh-1.2pre13/authfd.c Fri Nov 19 08:25:48 1999 @@ -24,7 +24,12 @@ #include "xmalloc.h" #include "getput.h" +#ifdef HAVE_OPENSSL +#include +#endif +#ifdef HAVE_SSL #include +#endif /* Returns the number of the authentication fd, or -1 if there is none. */ diff -ruN --exclude CVS ssh-openbsd-1999111900/authfile.c openssh-1.2pre13/authfile.c --- ssh-openbsd-1999111900/authfile.c Tue Oct 12 06:00:35 1999 +++ openssh-1.2pre13/authfile.c Sat Nov 13 13:07:45 1999 @@ -17,7 +17,13 @@ #include "includes.h" RCSID("$Id: authfile.c,v 1.7 1999/10/11 20:00:35 markus Exp $"); +#ifdef HAVE_OPENSSL +#include +#endif +#ifdef HAVE_SSL #include +#endif + #include "xmalloc.h" #include "buffer.h" #include "bufaux.h" diff -ruN --exclude CVS ssh-openbsd-1999111900/bsd-daemon.c openssh-1.2pre13/bsd-daemon.c --- ssh-openbsd-1999111900/bsd-daemon.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/bsd-daemon.c Fri Nov 19 15:32:34 1999 @@ -0,0 +1,78 @@ +/*- + * Copyright (c) 1990, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "config.h" + +#ifndef HAVE_DAEMON + +#if defined(LIBC_SCCS) && !defined(lint) +static char rcsid[] = "$OpenBSD: daemon.c,v 1.2 1996/08/19 08:22:13 tholo Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include +#include + +int +daemon(nochdir, noclose) + int nochdir, noclose; +{ + int fd; + + switch (fork()) { + case -1: + return (-1); + case 0: + break; + default: + _exit(0); + } + + if (setsid() == -1) + return (-1); + + if (!nochdir) + (void)chdir("/"); + + if (!noclose && (fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) { + (void)dup2(fd, STDIN_FILENO); + (void)dup2(fd, STDOUT_FILENO); + (void)dup2(fd, STDERR_FILENO); + if (fd > 2) + (void)close (fd); + } + return (0); +} + +#endif /* !HAVE_DAEMON */ + diff -ruN --exclude CVS ssh-openbsd-1999111900/bsd-daemon.h openssh-1.2pre13/bsd-daemon.h --- ssh-openbsd-1999111900/bsd-daemon.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/bsd-daemon.h Fri Nov 19 15:32:34 1999 @@ -0,0 +1,9 @@ +#ifndef _BSD_DAEMON_H +#define _BSD_DAEMON_H + +#include "config.h" +#ifndef HAVE_DAEMON +int daemon(int nochdir, int noclose); +#endif /* !HAVE_DAEMON */ + +#endif /* _BSD_DAEMON_H */ diff -ruN --exclude CVS ssh-openbsd-1999111900/bsd-login.c openssh-1.2pre13/bsd-login.c --- ssh-openbsd-1999111900/bsd-login.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/bsd-login.c Fri Nov 19 15:32:34 1999 @@ -0,0 +1,83 @@ +/* $OpenBSD: login.c,v 1.5 1998/07/13 02:11:12 millert Exp $ */ +/* + * Copyright (c) 1988, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "config.h" +#ifndef HAVE_LOGIN + +#if defined(LIBC_SCCS) && !defined(lint) +/* from: static char sccsid[] = "@(#)login.c 8.1 (Berkeley) 6/4/93"; */ +static char *rcsid = "$Id: bsd-login.c,v 1.1 1999/11/19 04:32:34 damien Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include + +#include +#include +#include +#include +#include + +void +login(utp) + struct utmp *utp; +{ + struct utmp old_ut; + register int fd; + int tty; + + tty = ttyslot(); + if (tty > 0 && (fd = open(_PATH_UTMP, O_RDWR|O_CREAT, 0644)) >= 0) { + (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); + /* + * Prevent luser from zero'ing out ut_host. + * If the new ut_line is empty but the old one is not + * and ut_line and ut_name match, preserve the old ut_line. + */ + if (read(fd, &old_ut, sizeof(struct utmp)) == + sizeof(struct utmp) && utp->ut_host[0] == '\0' && + old_ut.ut_host[0] != '\0' && + strncmp(old_ut.ut_line, utp->ut_line, UT_LINESIZE) == 0 && + strncmp(old_ut.ut_name, utp->ut_name, UT_NAMESIZE) == 0) + (void)memcpy(utp->ut_host, old_ut.ut_host, UT_HOSTSIZE); + (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); + (void)write(fd, utp, sizeof(struct utmp)); + (void)close(fd); + } + if ((fd = open(_PATH_WTMP, O_WRONLY|O_APPEND, 0)) >= 0) { + (void)write(fd, utp, sizeof(struct utmp)); + (void)close(fd); + } +} + +#endif /* HAVE_LOGIN */ diff -ruN --exclude CVS ssh-openbsd-1999111900/bsd-login.h openssh-1.2pre13/bsd-login.h --- ssh-openbsd-1999111900/bsd-login.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/bsd-login.h Fri Nov 19 15:32:34 1999 @@ -0,0 +1,13 @@ +#ifndef _BSD_LOGIN_H +#define _BSD_LOGIN_H + +#include "config.h" +#ifndef HAVE_LOGIN + +#include + +void login(struct utmp *utp); + +#endif /* !HAVE_LOGIN */ + +#endif /* _BSD_LOGIN_H */ diff -ruN --exclude CVS ssh-openbsd-1999111900/bsd-mktemp.c openssh-1.2pre13/bsd-mktemp.c --- ssh-openbsd-1999111900/bsd-mktemp.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/bsd-mktemp.c Fri Nov 19 15:32:34 1999 @@ -0,0 +1,189 @@ +/* THIS FILE HAS BEEN MODIFIED FROM THE ORIGINAL OPENBSD SOURCE */ +/* Changes: Removed mktemp */ + +/* + * Copyright (c) 1987, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "config.h" + +#ifndef HAVE_MKDTEMP + +#if defined(LIBC_SCCS) && !defined(lint) +static char rcsid[] = "$OpenBSD: mktemp.c,v 1.13 1998/06/30 23:03:13 deraadt Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "helper.h" + +static int _gettemp(char *, int *, int, int); + +int +mkstemps(path, slen) + char *path; + int slen; +{ + int fd; + + return (_gettemp(path, &fd, 0, slen) ? fd : -1); +} + +int +mkstemp(path) + char *path; +{ + int fd; + + return (_gettemp(path, &fd, 0, 0) ? fd : -1); +} + +char * +mkdtemp(path) + char *path; +{ + return(_gettemp(path, (int *)NULL, 1, 0) ? path : (char *)NULL); +} + +static int +_gettemp(path, doopen, domkdir, slen) + char *path; + register int *doopen; + int domkdir; + int slen; +{ + register char *start, *trv, *suffp; + struct stat sbuf; + int pid, rval; + + if (doopen && domkdir) { + errno = EINVAL; + return(0); + } + + for (trv = path; *trv; ++trv) + ; + trv -= slen; + suffp = trv; + --trv; + if (trv < path) { + errno = EINVAL; + return (0); + } + pid = getpid(); + while (*trv == 'X' && pid != 0) { + *trv-- = (pid % 10) + '0'; + pid /= 10; + } + while (*trv == 'X') { + char c; + + pid = (arc4random() & 0xffff) % (26+26); + if (pid < 26) + c = pid + 'A'; + else + c = (pid - 26) + 'a'; + *trv-- = c; + } + start = trv + 1; + + /* + * check the target directory; if you have six X's and it + * doesn't exist this runs for a *very* long time. + */ + if (doopen || domkdir) { + for (;; --trv) { + if (trv <= path) + break; + if (*trv == '/') { + *trv = '\0'; + rval = stat(path, &sbuf); + *trv = '/'; + if (rval != 0) + return(0); + if (!S_ISDIR(sbuf.st_mode)) { + errno = ENOTDIR; + return(0); + } + break; + } + } + } + + for (;;) { + if (doopen) { + if ((*doopen = + open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0) + return(1); + if (errno != EEXIST) + return(0); + } else if (domkdir) { + if (mkdir(path, 0700) == 0) + return(1); + if (errno != EEXIST) + return(0); + } else if (lstat(path, &sbuf)) + return(errno == ENOENT ? 1 : 0); + + /* tricky little algorithm for backward compatibility */ + for (trv = start;;) { + if (!*trv) + return (0); + if (*trv == 'Z') { + if (trv == suffp) + return (0); + *trv++ = 'a'; + } else { + if (isdigit(*trv)) + *trv = 'a'; + else if (*trv == 'z') /* inc from z to A */ + *trv = 'A'; + else { + if (trv == suffp) + return (0); + ++*trv; + } + break; + } + } + } + /*NOTREACHED*/ +} + +#endif /* !HAVE_MKDTEMP */ diff -ruN --exclude CVS ssh-openbsd-1999111900/bsd-mktemp.h openssh-1.2pre13/bsd-mktemp.h --- ssh-openbsd-1999111900/bsd-mktemp.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/bsd-mktemp.h Fri Nov 19 15:32:34 1999 @@ -0,0 +1,11 @@ +#ifndef _BSD_MKTEMP_H +#define _BSD_MKTEMP_H + +#include "config.h" +#ifndef HAVE_MKDTEMP +int mkstemps(char *path, int slen); +int mkstemp(char *path); +char *mkdtemp(char *path); +#endif /* !HAVE_MKDTEMP */ + +#endif /* _BSD_MKTEMP_H */ diff -ruN --exclude CVS ssh-openbsd-1999111900/bsd-strlcpy.c openssh-1.2pre13/bsd-strlcpy.c --- ssh-openbsd-1999111900/bsd-strlcpy.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/bsd-strlcpy.c Fri Nov 19 15:32:34 1999 @@ -0,0 +1,73 @@ +/* $OpenBSD: strlcpy.c,v 1.4 1999/05/01 18:56:41 millert Exp $ */ + +/* + * Copyright (c) 1998 Todd C. Miller + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL + * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; + * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" +#ifndef HAVE_STRLCPY + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: strlcpy.c,v 1.4 1999/05/01 18:56:41 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +/* + * Copy src to string dst of size siz. At most siz-1 characters + * will be copied. Always NUL terminates (unless siz == 0). + * Returns strlen(src); if retval >= siz, truncation occurred. + */ +size_t strlcpy(dst, src, siz) + char *dst; + const char *src; + size_t siz; +{ + register char *d = dst; + register const char *s = src; + register size_t n = siz; + + /* Copy as many bytes as will fit */ + if (n != 0 && --n != 0) { + do { + if ((*d++ = *s++) == 0) + break; + } while (--n != 0); + } + + /* Not enough room in dst, add NUL and traverse rest of src */ + if (n == 0) { + if (siz != 0) + *d = '\0'; /* NUL-terminate dst */ + while (*s++) + ; + } + + return(s - src - 1); /* count does not include NUL */ +} + +#endif /* !HAVE_STRLCPY */ diff -ruN --exclude CVS ssh-openbsd-1999111900/bsd-strlcpy.h openssh-1.2pre13/bsd-strlcpy.h --- ssh-openbsd-1999111900/bsd-strlcpy.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/bsd-strlcpy.h Fri Nov 19 15:32:34 1999 @@ -0,0 +1,10 @@ +#ifndef _BSD_STRLCPY_H +#define _BSD_STRLCPY_H + +#include "config.h" +#ifndef HAVE_STRLCPY +#include +size_t strlcpy(char *dst, const char *src, size_t siz); +#endif /* !HAVE_STRLCPY */ + +#endif /* _BSD_STRLCPY_H */ diff -ruN --exclude CVS ssh-openbsd-1999111900/bufaux.c openssh-1.2pre13/bufaux.c --- ssh-openbsd-1999111900/bufaux.c Mon Nov 15 09:55:40 1999 +++ openssh-1.2pre13/bufaux.c Sat Nov 13 13:22:46 1999 @@ -18,7 +18,14 @@ RCSID("$Id: bufaux.c,v 1.4 1999/11/12 17:28:35 markus Exp $"); #include "ssh.h" + +#ifdef HAVE_OPENSSL +#include +#endif +#ifdef HAVE_SSL #include +#endif + #include "bufaux.h" #include "xmalloc.h" #include "getput.h" diff -ruN --exclude CVS ssh-openbsd-1999111900/cipher.c openssh-1.2pre13/cipher.c --- ssh-openbsd-1999111900/cipher.c Tue Nov 16 13:09:40 1999 +++ openssh-1.2pre13/cipher.c Tue Nov 16 13:37:16 1999 @@ -17,7 +17,12 @@ #include "ssh.h" #include "cipher.h" +#ifdef HAVE_OPENSSL +#include +#endif +#ifdef HAVE_SSL #include +#endif /* * What kind of tripple DES are these 2 routines? diff -ruN --exclude CVS ssh-openbsd-1999111900/cipher.h openssh-1.2pre13/cipher.h --- ssh-openbsd-1999111900/cipher.h Tue Nov 16 13:00:14 1999 +++ openssh-1.2pre13/cipher.h Tue Nov 16 13:37:16 1999 @@ -16,8 +16,16 @@ #ifndef CIPHER_H #define CIPHER_H +#include "config.h" + +#ifdef HAVE_OPENSSL +#include +#include +#endif +#ifdef HAVE_SSL #include #include +#endif /* Cipher types. New types can be added, but old types should not be removed for compatibility. The maximum allowed value is 31. */ diff -ruN --exclude CVS ssh-openbsd-1999111900/config.h.in openssh-1.2pre13/config.h.in --- ssh-openbsd-1999111900/config.h.in Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/config.h.in Fri Nov 19 20:56:38 1999 @@ -0,0 +1,179 @@ +/* config.h.in. Generated automatically from configure.in by autoheader. */ + +/* SSL directory. */ +#undef ssldir + +/* Location of lastlog file */ +#undef LASTLOG_LOCATION + +/* Location of random number pool */ +#undef RANDOM_POOL + +/* Are we using the Entropy gathering daemon */ +#undef HAVE_EGD + +/* Define if your ssl headers are included with #include */ +#undef HAVE_SSL + +/* Define if your ssl headers are included with #include */ +#undef HAVE_OPENSSL + +/* Define is utmp.h has a ut_host field */ +#undef HAVE_HOST_IN_UTMP + +/* Define is libutil has login() function */ +#undef HAVE_LIBUTIL_LOGIN + +/* Define if you want external askpass support */ +#undef USE_EXTERNAL_ASKPASS + +/* Define if libc defines __progname */ +#undef HAVE___PROGNAME + +/* Define if you want Kerberos 4 support */ +#undef KRB4 + +/* Define if you want AFS support */ +#undef AFS + +/* Define if you want S/Key support */ +#undef SKEY + +/* Define if you want TCP Wrappers support */ +#undef LIBWRAP + +/* Define if your libraries define login() */ +#undef HAVE_LOGIN + +/* Define if your libraries define daemon() */ +#undef HAVE_DAEMON + +/* Define if you want to allow MD5 passwords */ +#undef HAVE_MD5_PASSWORDS + +/* Define if you have the arc4random function. */ +#undef HAVE_ARC4RANDOM + +/* Define if you have the mkdtemp function. */ +#undef HAVE_MKDTEMP + +/* Define if you have the openpty function. */ +#undef HAVE_OPENPTY + +/* Define if you have the setlogin function. */ +#undef HAVE_SETLOGIN + +/* Define if you have the setproctitle function. */ +#undef HAVE_SETPROCTITLE + +/* Define if you have the strlcpy function. */ +#undef HAVE_STRLCPY + +/* Define if you have the header file. */ +#undef HAVE_ENDIAN_H + +/* Define if you have the header file. */ +#undef HAVE_LASTLOG_H + +/* Define if you have the header file. */ +#undef HAVE_MAILLOCK_H + +/* Define if you have the header file. */ +#undef HAVE_NETGROUP_H + +/* Define if you have the header file. */ +#undef HAVE_PATHS_H + +/* Define if you have the header file. */ +#undef HAVE_PTY_H + +/* Define if you have the header file. */ +#undef HAVE_SHADOW_H + +/* Define if you have the header file. */ +#undef HAVE_SYS_SELECT_H + +/* Define if you have the crypto library (-lcrypto). */ +#undef HAVE_LIBCRYPTO + +/* Define if you have the dl library (-ldl). */ +#undef HAVE_LIBDL + +/* Define if you have the nsl library (-lnsl). */ +#undef HAVE_LIBNSL + +/* Define if you have the pam library (-lpam). */ +#undef HAVE_LIBPAM + +/* Define if you have the socket library (-lsocket). */ +#undef HAVE_LIBSOCKET + +/* Define if you have the z library (-lz). */ +#undef HAVE_LIBZ + +/* ******************* Shouldn't need to edit below this line ************** */ + +#include /* For u_intXX_t */ +#include /* For SHUT_XXXX */ +#include /* For _PATH_XXX */ + +#ifndef SHUT_RDWR +enum +{ + SHUT_RD = 0, /* No more receptions. */ +#define SHUT_RD SHUT_RD + SHUT_WR, /* No more transmissions. */ +#define SHUT_WR SHUT_WR + SHUT_RDWR /* No more receptions or transmissions. */ +#define SHUT_RDWR SHUT_RDWR +}; +#endif + +#if !defined(u_int32_t) && defined(uint32_t) +#define u_int32_t uint32_t +#endif + +#if !defined(u_int16_t) && defined(uint16_t) +#define u_int16_t uint16_t +#endif + +#if !defined(quad_t) && defined(int64_t) +#define quad_t int64_t +#endif + +#ifndef _PATH_LASTLOG +# ifdef LASTLOG_LOCATION +# define _PATH_LASTLOG LASTLOG_LOCATION +# endif +#endif + +#ifndef _PATH_UTMP +# ifdef UTMP_FILE +# define _PATH_UTMP UTMP_FILE +# endif +#endif + +#ifndef _PATH_WTMP +# ifdef WTMP_FILE +# define _PATH_WTMP WTMP_FILE +# endif +#endif + +#ifndef _PATH_BSHELL +# define _PATH_BSHELL "/bin/sh" +#endif + +#ifndef _PATH_STDPATH +# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin:" +#endif + +#ifndef _PATH_MAILDIR +# ifdef MAILDIR +# define _PATH_MAILDIR MAILDIR +# endif +#endif + +#ifndef MAX +# define MAX(a,b) (((a)>(b))?(a):(b)) +# define MIN(a,b) (((a)<(b))?(a):(b)) +#endif diff -ruN --exclude CVS ssh-openbsd-1999111900/configure openssh-1.2pre13/configure --- ssh-openbsd-1999111900/configure Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/configure Fri Nov 19 20:56:38 1999 @@ -0,0 +1,2194 @@ +#! /bin/sh + +# Guess values for system-dependent variables and create Makefiles. +# Generated automatically using autoconf version 2.13 +# Copyright (C) 1992, 93, 94, 95, 96 Free Software Foundation, Inc. +# +# This configure script is free software; the Free Software Foundation +# gives unlimited permission to copy, distribute and modify it. + +# Defaults: +ac_help= +ac_default_prefix=/usr/local +# Any additions from configure.in: +ac_help="$ac_help + --with-askpass=yes/no Enable external ssh-askpass support (default=yes)" +ac_help="$ac_help + --with-gnome-askpass Build the GNOME passphrase requester (default=no)" +ac_help="$ac_help + --with-random=FILE read randomness from FILE (default=/dev/urandom)" +ac_help="$ac_help + --with-egd-pool=FILE read randomness from EGD pool FILE (default none)" +ac_help="$ac_help + --with-kerberos4 Enable Kerberos 4 support" +ac_help="$ac_help + --with-afs Enable AFS support" +ac_help="$ac_help + --with-skey Enable S/Key support" +ac_help="$ac_help + --with-tcp-wrappers Enable tcpwrappers support" +ac_help="$ac_help + --with-md5-passwords Enable use of MD5 passwords" + +# Initialize some variables set by options. +# The variables have the same names as the options, with +# dashes changed to underlines. +build=NONE +cache_file=./config.cache +exec_prefix=NONE +host=NONE +no_create= +nonopt=NONE +no_recursion= +prefix=NONE +program_prefix=NONE +program_suffix=NONE +program_transform_name=s,x,x, +silent= +site= +srcdir= +target=NONE +verbose= +x_includes=NONE +x_libraries=NONE +bindir='${exec_prefix}/bin' +sbindir='${exec_prefix}/sbin' +libexecdir='${exec_prefix}/libexec' +datadir='${prefix}/share' +sysconfdir='${prefix}/etc' +sharedstatedir='${prefix}/com' +localstatedir='${prefix}/var' +libdir='${exec_prefix}/lib' +includedir='${prefix}/include' +oldincludedir='/usr/include' +infodir='${prefix}/info' +mandir='${prefix}/man' + +# Initialize some other variables. +subdirs= +MFLAGS= MAKEFLAGS= +SHELL=${CONFIG_SHELL-/bin/sh} +# Maximum number of lines to put in a shell here document. +ac_max_here_lines=12 + +ac_prev= +for ac_option +do + + # If the previous option needs an argument, assign it. + if test -n "$ac_prev"; then + eval "$ac_prev=\$ac_option" + ac_prev= + continue + fi + + case "$ac_option" in + -*=*) ac_optarg=`echo "$ac_option" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) ac_optarg= ;; + esac + + # Accept the important Cygnus configure options, so we can diagnose typos. + + case "$ac_option" in + + -bindir | --bindir | --bindi | --bind | --bin | --bi) + ac_prev=bindir ;; + -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) + bindir="$ac_optarg" ;; + + -build | --build | --buil | --bui | --bu) + ac_prev=build ;; + -build=* | --build=* | --buil=* | --bui=* | --bu=*) + build="$ac_optarg" ;; + + -cache-file | --cache-file | --cache-fil | --cache-fi \ + | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) + ac_prev=cache_file ;; + -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ + | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) + cache_file="$ac_optarg" ;; + + -datadir | --datadir | --datadi | --datad | --data | --dat | --da) + ac_prev=datadir ;; + -datadir=* | --datadir=* | --datadi=* | --datad=* | --data=* | --dat=* \ + | --da=*) + datadir="$ac_optarg" ;; + + -disable-* | --disable-*) + ac_feature=`echo $ac_option|sed -e 's/-*disable-//'` + # Reject names that are not valid shell variable names. + if test -n "`echo $ac_feature| sed 's/[-a-zA-Z0-9_]//g'`"; then + { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; } + fi + ac_feature=`echo $ac_feature| sed 's/-/_/g'` + eval "enable_${ac_feature}=no" ;; + + -enable-* | --enable-*) + ac_feature=`echo $ac_option|sed -e 's/-*enable-//' -e 's/=.*//'` + # Reject names that are not valid shell variable names. + if test -n "`echo $ac_feature| sed 's/[-_a-zA-Z0-9]//g'`"; then + { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; } + fi + ac_feature=`echo $ac_feature| sed 's/-/_/g'` + case "$ac_option" in + *=*) ;; + *) ac_optarg=yes ;; + esac + eval "enable_${ac_feature}='$ac_optarg'" ;; + + -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ + | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ + | --exec | --exe | --ex) + ac_prev=exec_prefix ;; + -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ + | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ + | --exec=* | --exe=* | --ex=*) + exec_prefix="$ac_optarg" ;; + + -gas | --gas | --ga | --g) + # Obsolete; use --with-gas. + with_gas=yes ;; + + -help | --help | --hel | --he) + # Omit some internal or obsolete options to make the list less imposing. + # This message is too long to be a string in the A/UX 3.1 sh. + cat << EOF +Usage: configure [options] [host] +Options: [defaults in brackets after descriptions] +Configuration: + --cache-file=FILE cache test results in FILE + --help print this message + --no-create do not create output files + --quiet, --silent do not print \`checking...' messages + --version print the version of autoconf that created configure +Directory and file names: + --prefix=PREFIX install architecture-independent files in PREFIX + [$ac_default_prefix] + --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX + [same as prefix] + --bindir=DIR user executables in DIR [EPREFIX/bin] + --sbindir=DIR system admin executables in DIR [EPREFIX/sbin] + --libexecdir=DIR program executables in DIR [EPREFIX/libexec] + --datadir=DIR read-only architecture-independent data in DIR + [PREFIX/share] + --sysconfdir=DIR read-only single-machine data in DIR [PREFIX/etc] + --sharedstatedir=DIR modifiable architecture-independent data in DIR + [PREFIX/com] + --localstatedir=DIR modifiable single-machine data in DIR [PREFIX/var] + --libdir=DIR object code libraries in DIR [EPREFIX/lib] + --includedir=DIR C header files in DIR [PREFIX/include] + --oldincludedir=DIR C header files for non-gcc in DIR [/usr/include] + --infodir=DIR info documentation in DIR [PREFIX/info] + --mandir=DIR man documentation in DIR [PREFIX/man] + --srcdir=DIR find the sources in DIR [configure dir or ..] + --program-prefix=PREFIX prepend PREFIX to installed program names + --program-suffix=SUFFIX append SUFFIX to installed program names + --program-transform-name=PROGRAM + run sed PROGRAM on installed program names +EOF + cat << EOF +Host type: + --build=BUILD configure for building on BUILD [BUILD=HOST] + --host=HOST configure for HOST [guessed] + --target=TARGET configure for TARGET [TARGET=HOST] +Features and packages: + --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) + --enable-FEATURE[=ARG] include FEATURE [ARG=yes] + --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] + --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) + --x-includes=DIR X include files are in DIR + --x-libraries=DIR X library files are in DIR +EOF + if test -n "$ac_help"; then + echo "--enable and --with options recognized:$ac_help" + fi + exit 0 ;; + + -host | --host | --hos | --ho) + ac_prev=host ;; + -host=* | --host=* | --hos=* | --ho=*) + host="$ac_optarg" ;; + + -includedir | --includedir | --includedi | --included | --include \ + | --includ | --inclu | --incl | --inc) + ac_prev=includedir ;; + -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ + | --includ=* | --inclu=* | --incl=* | --inc=*) + includedir="$ac_optarg" ;; + + -infodir | --infodir | --infodi | --infod | --info | --inf) + ac_prev=infodir ;; + -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) + infodir="$ac_optarg" ;; + + -libdir | --libdir | --libdi | --libd) + ac_prev=libdir ;; + -libdir=* | --libdir=* | --libdi=* | --libd=*) + libdir="$ac_optarg" ;; + + -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ + | --libexe | --libex | --libe) + ac_prev=libexecdir ;; + -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ + | --libexe=* | --libex=* | --libe=*) + libexecdir="$ac_optarg" ;; + + -localstatedir | --localstatedir | --localstatedi | --localstated \ + | --localstate | --localstat | --localsta | --localst \ + | --locals | --local | --loca | --loc | --lo) + ac_prev=localstatedir ;; + -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ + | --localstate=* | --localstat=* | --localsta=* | --localst=* \ + | --locals=* | --local=* | --loca=* | --loc=* | --lo=*) + localstatedir="$ac_optarg" ;; + + -mandir | --mandir | --mandi | --mand | --man | --ma | --m) + ac_prev=mandir ;; + -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) + mandir="$ac_optarg" ;; + + -nfp | --nfp | --nf) + # Obsolete; use --without-fp. + with_fp=no ;; + + -no-create | --no-create | --no-creat | --no-crea | --no-cre \ + | --no-cr | --no-c) + no_create=yes ;; + + -no-recursion | --no-recursion | --no-recursio | --no-recursi \ + | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) + no_recursion=yes ;; + + -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ + | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ + | --oldin | --oldi | --old | --ol | --o) + ac_prev=oldincludedir ;; + -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ + | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ + | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) + oldincludedir="$ac_optarg" ;; + + -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) + ac_prev=prefix ;; + -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) + prefix="$ac_optarg" ;; + + -program-prefix | --program-prefix | --program-prefi | --program-pref \ + | --program-pre | --program-pr | --program-p) + ac_prev=program_prefix ;; + -program-prefix=* | --program-prefix=* | --program-prefi=* \ + | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) + program_prefix="$ac_optarg" ;; + + -program-suffix | --program-suffix | --program-suffi | --program-suff \ + | --program-suf | --program-su | --program-s) + ac_prev=program_suffix ;; + -program-suffix=* | --program-suffix=* | --program-suffi=* \ + | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) + program_suffix="$ac_optarg" ;; + + -program-transform-name | --program-transform-name \ + | --program-transform-nam | --program-transform-na \ + | --program-transform-n | --program-transform- \ + | --program-transform | --program-transfor \ + | --program-transfo | --program-transf \ + | --program-trans | --program-tran \ + | --progr-tra | --program-tr | --program-t) + ac_prev=program_transform_name ;; + -program-transform-name=* | --program-transform-name=* \ + | --program-transform-nam=* | --program-transform-na=* \ + | --program-transform-n=* | --program-transform-=* \ + | --program-transform=* | --program-transfor=* \ + | --program-transfo=* | --program-transf=* \ + | --program-trans=* | --program-tran=* \ + | --progr-tra=* | --program-tr=* | --program-t=*) + program_transform_name="$ac_optarg" ;; + + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil) + silent=yes ;; + + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) + ac_prev=sbindir ;; + -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ + | --sbi=* | --sb=*) + sbindir="$ac_optarg" ;; + + -sharedstatedir | --sharedstatedir | --sharedstatedi \ + | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ + | --sharedst | --shareds | --shared | --share | --shar \ + | --sha | --sh) + ac_prev=sharedstatedir ;; + -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ + | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ + | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ + | --sha=* | --sh=*) + sharedstatedir="$ac_optarg" ;; + + -site | --site | --sit) + ac_prev=site ;; + -site=* | --site=* | --sit=*) + site="$ac_optarg" ;; + + -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) + ac_prev=srcdir ;; + -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) + srcdir="$ac_optarg" ;; + + -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ + | --syscon | --sysco | --sysc | --sys | --sy) + ac_prev=sysconfdir ;; + -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ + | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) + sysconfdir="$ac_optarg" ;; + + -target | --target | --targe | --targ | --tar | --ta | --t) + ac_prev=target ;; + -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) + target="$ac_optarg" ;; + + -v | -verbose | --verbose | --verbos | --verbo | --verb) + verbose=yes ;; + + -version | --version | --versio | --versi | --vers) + echo "configure generated by autoconf version 2.13" + exit 0 ;; + + -with-* | --with-*) + ac_package=`echo $ac_option|sed -e 's/-*with-//' -e 's/=.*//'` + # Reject names that are not valid shell variable names. + if test -n "`echo $ac_package| sed 's/[-_a-zA-Z0-9]//g'`"; then + { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; } + fi + ac_package=`echo $ac_package| sed 's/-/_/g'` + case "$ac_option" in + *=*) ;; + *) ac_optarg=yes ;; + esac + eval "with_${ac_package}='$ac_optarg'" ;; + + -without-* | --without-*) + ac_package=`echo $ac_option|sed -e 's/-*without-//'` + # Reject names that are not valid shell variable names. + if test -n "`echo $ac_package| sed 's/[-a-zA-Z0-9_]//g'`"; then + { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; } + fi + ac_package=`echo $ac_package| sed 's/-/_/g'` + eval "with_${ac_package}=no" ;; + + --x) + # Obsolete; use --with-x. + with_x=yes ;; + + -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ + | --x-incl | --x-inc | --x-in | --x-i) + ac_prev=x_includes ;; + -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ + | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) + x_includes="$ac_optarg" ;; + + -x-libraries | --x-libraries | --x-librarie | --x-librari \ + | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) + ac_prev=x_libraries ;; + -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ + | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) + x_libraries="$ac_optarg" ;; + + -*) { echo "configure: error: $ac_option: invalid option; use --help to show usage" 1>&2; exit 1; } + ;; + + *) + if test -n "`echo $ac_option| sed 's/[-a-z0-9.]//g'`"; then + echo "configure: warning: $ac_option: invalid host type" 1>&2 + fi + if test "x$nonopt" != xNONE; then + { echo "configure: error: can only configure for one host and one target at a time" 1>&2; exit 1; } + fi + nonopt="$ac_option" + ;; + + esac +done + +if test -n "$ac_prev"; then + { echo "configure: error: missing argument to --`echo $ac_prev | sed 's/_/-/g'`" 1>&2; exit 1; } +fi + +trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15 + +# File descriptor usage: +# 0 standard input +# 1 file creation +# 2 errors and warnings +# 3 some systems may open it to /dev/tty +# 4 used on the Kubota Titan +# 6 checking for... messages and results +# 5 compiler messages saved in config.log +if test "$silent" = yes; then + exec 6>/dev/null +else + exec 6>&1 +fi +exec 5>./config.log + +echo "\ +This file contains any messages produced by compilers while +running configure, to aid debugging if configure makes a mistake. +" 1>&5 + +# Strip out --no-create and --no-recursion so they do not pile up. +# Also quote any args containing shell metacharacters. +ac_configure_args= +for ac_arg +do + case "$ac_arg" in + -no-create | --no-create | --no-creat | --no-crea | --no-cre \ + | --no-cr | --no-c) ;; + -no-recursion | --no-recursion | --no-recursio | --no-recursi \ + | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) ;; + *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?]*) + ac_configure_args="$ac_configure_args '$ac_arg'" ;; + *) ac_configure_args="$ac_configure_args $ac_arg" ;; + esac +done + +# NLS nuisances. +# Only set these to C if already set. These must not be set unconditionally +# because not all systems understand e.g. LANG=C (notably SCO). +# Fixing LC_MESSAGES prevents Solaris sh from translating var values in `set'! +# Non-C LC_CTYPE values break the ctype check. +if test "${LANG+set}" = set; then LANG=C; export LANG; fi +if test "${LC_ALL+set}" = set; then LC_ALL=C; export LC_ALL; fi +if test "${LC_MESSAGES+set}" = set; then LC_MESSAGES=C; export LC_MESSAGES; fi +if test "${LC_CTYPE+set}" = set; then LC_CTYPE=C; export LC_CTYPE; fi + +# confdefs.h avoids OS command line length limits that DEFS can exceed. +rm -rf conftest* confdefs.h +# AIX cpp loses on an empty file, so make sure it contains at least a newline. +echo > confdefs.h + +# A filename unique to this package, relative to the directory that +# configure is in, which we can look for to find out if srcdir is correct. +ac_unique_file=ssh.c + +# Find the source files, if location was not specified. +if test -z "$srcdir"; then + ac_srcdir_defaulted=yes + # Try the directory containing this script, then its parent. + ac_prog=$0 + ac_confdir=`echo $ac_prog|sed 's%/[^/][^/]*$%%'` + test "x$ac_confdir" = "x$ac_prog" && ac_confdir=. + srcdir=$ac_confdir + if test ! -r $srcdir/$ac_unique_file; then + srcdir=.. + fi +else + ac_srcdir_defaulted=no +fi +if test ! -r $srcdir/$ac_unique_file; then + if test "$ac_srcdir_defaulted" = yes; then + { echo "configure: error: can not find sources in $ac_confdir or .." 1>&2; exit 1; } + else + { echo "configure: error: can not find sources in $srcdir" 1>&2; exit 1; } + fi +fi +srcdir=`echo "${srcdir}" | sed 's%\([^/]\)/*$%\1%'` + +# Prefer explicitly selected file to automatically selected ones. +if test -z "$CONFIG_SITE"; then + if test "x$prefix" != xNONE; then + CONFIG_SITE="$prefix/share/config.site $prefix/etc/config.site" + else + CONFIG_SITE="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site" + fi +fi +for ac_site_file in $CONFIG_SITE; do + if test -r "$ac_site_file"; then + echo "loading site script $ac_site_file" + . "$ac_site_file" + fi +done + +if test -r "$cache_file"; then + echo "loading cache $cache_file" + . $cache_file +else + echo "creating cache $cache_file" + > $cache_file +fi + +ac_ext=c +# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. +ac_cpp='$CPP $CPPFLAGS' +ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' +ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' +cross_compiling=$ac_cv_prog_cc_cross + +ac_exeext= +ac_objext=o +if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then + # Stardent Vistra SVR4 grep lacks -e, says ghazi@caip.rutgers.edu. + if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then + ac_n= ac_c=' +' ac_t=' ' + else + ac_n=-n ac_c= ac_t= + fi +else + ac_n= ac_c='\c' ac_t= +fi + + + + + +# Extract the first word of "gcc", so it can be a program name with args. +set dummy gcc; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:549: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_CC="gcc" + break + fi + done + IFS="$ac_save_ifs" +fi +fi +CC="$ac_cv_prog_CC" +if test -n "$CC"; then + echo "$ac_t""$CC" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +if test -z "$CC"; then + # Extract the first word of "cc", so it can be a program name with args. +set dummy cc; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:579: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_prog_rejected=no + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + if test "$ac_dir/$ac_word" = "/usr/ucb/cc"; then + ac_prog_rejected=yes + continue + fi + ac_cv_prog_CC="cc" + break + fi + done + IFS="$ac_save_ifs" +if test $ac_prog_rejected = yes; then + # We found a bogon in the path, so make sure we never use it. + set dummy $ac_cv_prog_CC + shift + if test $# -gt 0; then + # We chose a different compiler from the bogus one. + # However, it has the same basename, so the bogon will be chosen + # first if we set CC to just the basename; use the full file name. + shift + set dummy "$ac_dir/$ac_word" "$@" + shift + ac_cv_prog_CC="$@" + fi +fi +fi +fi +CC="$ac_cv_prog_CC" +if test -n "$CC"; then + echo "$ac_t""$CC" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + + if test -z "$CC"; then + case "`uname -s`" in + *win32* | *WIN32*) + # Extract the first word of "cl", so it can be a program name with args. +set dummy cl; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:630: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_CC="cl" + break + fi + done + IFS="$ac_save_ifs" +fi +fi +CC="$ac_cv_prog_CC" +if test -n "$CC"; then + echo "$ac_t""$CC" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + ;; + esac + fi + test -z "$CC" && { echo "configure: error: no acceptable cc found in \$PATH" 1>&2; exit 1; } +fi + +echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6 +echo "configure:662: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 + +ac_ext=c +# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. +ac_cpp='$CPP $CPPFLAGS' +ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' +ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' +cross_compiling=$ac_cv_prog_cc_cross + +cat > conftest.$ac_ext << EOF + +#line 673 "configure" +#include "confdefs.h" + +main(){return(0);} +EOF +if { (eval echo configure:678: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + ac_cv_prog_cc_works=yes + # If we can't run a trivial program, we are probably using a cross compiler. + if (./conftest; exit) 2>/dev/null; then + ac_cv_prog_cc_cross=no + else + ac_cv_prog_cc_cross=yes + fi +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + ac_cv_prog_cc_works=no +fi +rm -fr conftest* +ac_ext=c +# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. +ac_cpp='$CPP $CPPFLAGS' +ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' +ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' +cross_compiling=$ac_cv_prog_cc_cross + +echo "$ac_t""$ac_cv_prog_cc_works" 1>&6 +if test $ac_cv_prog_cc_works = no; then + { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; } +fi +echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6 +echo "configure:704: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 +echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6 +cross_compiling=$ac_cv_prog_cc_cross + +echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6 +echo "configure:709: checking whether we are using GNU C" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.c <&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then + ac_cv_prog_gcc=yes +else + ac_cv_prog_gcc=no +fi +fi + +echo "$ac_t""$ac_cv_prog_gcc" 1>&6 + +if test $ac_cv_prog_gcc = yes; then + GCC=yes +else + GCC= +fi + +ac_test_CFLAGS="${CFLAGS+set}" +ac_save_CFLAGS="$CFLAGS" +CFLAGS= +echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6 +echo "configure:737: checking whether ${CC-cc} accepts -g" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + echo 'void f(){}' > conftest.c +if test -z "`${CC-cc} -g -c conftest.c 2>&1`"; then + ac_cv_prog_cc_g=yes +else + ac_cv_prog_cc_g=no +fi +rm -f conftest* + +fi + +echo "$ac_t""$ac_cv_prog_cc_g" 1>&6 +if test "$ac_test_CFLAGS" = set; then + CFLAGS="$ac_save_CFLAGS" +elif test $ac_cv_prog_cc_g = yes; then + if test "$GCC" = yes; then + CFLAGS="-g -O2" + else + CFLAGS="-g" + fi +else + if test "$GCC" = yes; then + CFLAGS="-O2" + else + CFLAGS= + fi +fi + +echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6 +echo "configure:769: checking how to run the C preprocessor" >&5 +# On Suns, sometimes $CPP names a directory. +if test -n "$CPP" && test -d "$CPP"; then + CPP= +fi +if test -z "$CPP"; then +if eval "test \"`echo '$''{'ac_cv_prog_CPP'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + # This must be in double quotes, not single quotes, because CPP may get + # substituted into the Makefile and "${CC-cc}" will confuse make. + CPP="${CC-cc} -E" + # On the NeXT, cc -E runs the code through the compiler's parser, + # not just through cpp. + cat > conftest.$ac_ext < +Syntax Error +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:790: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + : +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + CPP="${CC-cc} -E -traditional-cpp" + cat > conftest.$ac_ext < +Syntax Error +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:807: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + : +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + CPP="${CC-cc} -nologo -E" + cat > conftest.$ac_ext < +Syntax Error +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:824: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + : +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + CPP=/lib/cpp +fi +rm -f conftest* +fi +rm -f conftest* +fi +rm -f conftest* + ac_cv_prog_CPP="$CPP" +fi + CPP="$ac_cv_prog_CPP" +else + ac_cv_prog_CPP="$CPP" +fi +echo "$ac_t""$CPP" 1>&6 + +# Extract the first word of "ranlib", so it can be a program name with args. +set dummy ranlib; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:851: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_RANLIB'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$RANLIB"; then + ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_RANLIB="ranlib" + break + fi + done + IFS="$ac_save_ifs" + test -z "$ac_cv_prog_RANLIB" && ac_cv_prog_RANLIB=":" +fi +fi +RANLIB="$ac_cv_prog_RANLIB" +if test -n "$RANLIB"; then + echo "$ac_t""$RANLIB" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +# Extract the first word of "ar", so it can be a program name with args. +set dummy ar; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:881: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_AR'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$AR"; then + ac_cv_prog_AR="$AR" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_AR="ar" + break + fi + done + IFS="$ac_save_ifs" +fi +fi +AR="$ac_cv_prog_AR" +if test -n "$AR"; then + echo "$ac_t""$AR" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +if test "$GCC" = "yes"; then CFLAGS="$CFLAGS -Wall"; fi + +echo $ac_n "checking for OpenSSL/SSLeay directory""... $ac_c" 1>&6 +echo "configure:910: checking for OpenSSL/SSLeay directory" >&5 +for ssldir in /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local $prefix /usr/pkg ; do + if test -f "$ssldir/include/openssl/crypto.h"; then + cat >> confdefs.h <<\EOF +#define HAVE_OPENSSL 1 +EOF + + GOT_SSL="yes" + break + fi + if test -f "$ssldir/include/ssl/crypto.h"; then + cat >> confdefs.h <<\EOF +#define HAVE_SSL 1 +EOF + + GOT_SSL="yes" + break + fi +done +if test -z "$GOT_SSL" ; then + { echo "configure: error: Could not find SSLeay / OpenSSL libraries, please install" 1>&2; exit 1; } +fi + +cat >> confdefs.h <&6 + +echo $ac_n "checking for RSAref library""... $ac_c" 1>&6 +echo "configure:945: checking for RSAref library" >&5 +saved_LIBS="$LIBS" +LIBS="$saved_LIBS -lRSAglue -lrsaref" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + echo "$ac_t""yes" 1>&6; +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + echo "$ac_t""no" 1>&6; LIBS="$saved_LIBS" +fi +rm -f conftest* + +echo $ac_n "checking for CRYPTO_lock in -lcrypto""... $ac_c" 1>&6 +echo "configure:968: checking for CRYPTO_lock in -lcrypto" >&5 +ac_lib_var=`echo crypto'_'CRYPTO_lock | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lcrypto $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo crypto | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 +{ echo "configure: error: *** libcrypto missing - please install first ***" 1>&2; exit 1; } +fi + +echo $ac_n "checking for deflate in -lz""... $ac_c" 1>&6 +echo "configure:1016: checking for deflate in -lz" >&5 +ac_lib_var=`echo z'_'deflate | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lz $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo z | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 +{ echo "configure: error: *** zlib missing - please install first ***" 1>&2; exit 1; } +fi + +echo $ac_n "checking for login in -lutil""... $ac_c" 1>&6 +echo "configure:1064: checking for login in -lutil" >&5 +ac_lib_var=`echo util'_'login | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lutil $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF +#define HAVE_LIBUTIL_LOGIN 1 +EOF + LIBS="$LIBS -lutil" +else + echo "$ac_t""no" 1>&6 +fi + +echo $ac_n "checking for yp_match in -lnsl""... $ac_c" 1>&6 +echo "configure:1107: checking for yp_match in -lnsl" >&5 +ac_lib_var=`echo nsl'_'yp_match | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lnsl $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo nsl | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 +fi + +echo $ac_n "checking for main in -lsocket""... $ac_c" 1>&6 +echo "configure:1154: checking for main in -lsocket" >&5 +ac_lib_var=`echo socket'_'main | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lsocket $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo socket | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 +fi + + +echo $ac_n "checking for dlopen in -ldl""... $ac_c" 1>&6 +echo "configure:1198: checking for dlopen in -ldl" >&5 +ac_lib_var=`echo dl'_'dlopen | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-ldl $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo dl | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 +fi + +echo $ac_n "checking for pam_authenticate in -lpam""... $ac_c" 1>&6 +echo "configure:1245: checking for pam_authenticate in -lpam" >&5 +ac_lib_var=`echo pam'_'pam_authenticate | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lpam $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo pam | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <&6 +fi + + +for ac_hdr in pty.h endian.h paths.h lastlog.h shadow.h netgroup.h maillock.h sys/select.h +do +ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` +echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 +echo "configure:1296: checking for $ac_hdr" >&5 +if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:1306: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_header_$ac_safe=no" +fi +rm -f conftest* +fi +if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` + cat >> confdefs.h <&6 +fi +done + + +for ac_func in openpty strlcpy mkdtemp arc4random setproctitle setlogin +do +echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +echo "configure:1336: checking for $ac_func" >&5 +if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char $ac_func(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +$ac_func(); +#endif + +; return 0; } +EOF +if { (eval echo configure:1364: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_$ac_func=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` + cat >> confdefs.h <&6 +fi +done + + +echo $ac_n "checking for login""... $ac_c" 1>&6 +echo "configure:1390: checking for login" >&5 +if eval "test \"`echo '$''{'ac_cv_func_login'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char login(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_login) || defined (__stub___login) +choke me +#else +login(); +#endif + +; return 0; } +EOF +if { (eval echo configure:1418: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_login=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_login=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'login`\" = yes"; then + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF +#define HAVE_LOGIN 1 +EOF + +else + echo "$ac_t""no" 1>&6 +echo $ac_n "checking for login in -lbsd""... $ac_c" 1>&6 +echo "configure:1439: checking for login in -lbsd" >&5 +ac_lib_var=`echo bsd'_'login | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lbsd $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + LIBS="$LIBS -lbsd"; cat >> confdefs.h <<\EOF +#define HAVE_LOGIN 1 +EOF + +else + echo "$ac_t""no" 1>&6 +fi + + +fi + + +echo $ac_n "checking for daemon""... $ac_c" 1>&6 +echo "configure:1486: checking for daemon" >&5 +if eval "test \"`echo '$''{'ac_cv_func_daemon'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext < +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char daemon(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_daemon) || defined (__stub___daemon) +choke me +#else +daemon(); +#endif + +; return 0; } +EOF +if { (eval echo configure:1514: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_daemon=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_daemon=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'daemon`\" = yes"; then + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF +#define HAVE_DAEMON 1 +EOF + +else + echo "$ac_t""no" 1>&6 +echo $ac_n "checking for daemon in -lbsd""... $ac_c" 1>&6 +echo "configure:1535: checking for daemon in -lbsd" >&5 +ac_lib_var=`echo bsd'_'daemon | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lbsd $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + LIBS="$LIBS -lbsd"; cat >> confdefs.h <<\EOF +#define HAVE_DAEMON 1 +EOF + +else + echo "$ac_t""no" 1>&6 +fi + + +fi + + +INSTALL_ASKPASS="yes" +echo $ac_n "checking whether to enable external ssh-askpass support""... $ac_c" 1>&6 +echo "configure:1583: checking whether to enable external ssh-askpass support" >&5 +# Check whether --with-askpass or --without-askpass was given. +if test "${with_askpass+set}" = set; then + withval="$with_askpass" + + if test x$withval = xno ; then + INSTALL_ASKPASS="no" + else + INSTALL_ASKPASS="yes" + fi + + +fi + +if test "x$INSTALL_ASKPASS" = "xyes" ; then + cat >> confdefs.h <<\EOF +#define USE_EXTERNAL_ASKPASS 1 +EOF + + + echo "$ac_t""yes" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +if test "x$INSTALL_ASKPASS" = "xyes" ; then + echo $ac_n "checking whether to build GNOME ssh-askpass""... $ac_c" 1>&6 +echo "configure:1610: checking whether to build GNOME ssh-askpass" >&5 + # Check whether --with-gnome-askpass or --without-gnome-askpass was given. +if test "${with_gnome_askpass+set}" = set; then + withval="$with_gnome_askpass" + + if test x$withval = xno ; then + GNOME_ASKPASS=""; + else + GNOME_ASKPASS="gnome-ssh-askpass"; + fi + +fi + + + + if test -z "$GNOME_ASKPASS" ; then + echo "$ac_t""no" 1>&6 + else + echo "$ac_t""yes" 1>&6 + fi +fi + +# Check whether --with-random or --without-random was given. +if test "${with_random+set}" = set; then + withval="$with_random" + + RANDOM_POOL="$withval"; + cat >> confdefs.h <&6 +echo "configure:1647: checking for "/dev/urandom"" >&5 +if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test "$cross_compiling" = yes; then + { echo "configure: error: Cannot check for file existence when cross compiling" 1>&2; exit 1; } +else + if test -r "/dev/urandom"; then + eval "ac_cv_file_$ac_safe=yes" + else + eval "ac_cv_file_$ac_safe=no" + fi +fi +fi +if eval "test \"`echo '$ac_cv_file_'$ac_safe`\" = yes"; then + echo "$ac_t""yes" 1>&6 + + RANDOM_POOL="/dev/urandom"; + + cat >> confdefs.h <&6 + +fi + + + +fi + + +# Check whether --with-egd-pool or --without-egd-pool was given. +if test "${with_egd_pool+set}" = set; then + withval="$with_egd_pool" + + RANDOM_POOL="$withval"; + cat >> confdefs.h <<\EOF +#define HAVE_EGD 1 +EOF + + + cat >> confdefs.h <&2; exit 1; } +fi + +echo $ac_n "checking whether utmp.h has ut_host field""... $ac_c" 1>&6 +echo "configure:1706: checking whether utmp.h has ut_host field" >&5 +cat > conftest.$ac_ext < +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "ut_host" >/dev/null 2>&1; then + rm -rf conftest* + cat >> confdefs.h <<\EOF +#define HAVE_HOST_IN_UTMP 1 +EOF + echo "$ac_t""yes" 1>&6; +else + rm -rf conftest* + echo "$ac_t""no" 1>&6 + +fi +rm -f conftest* + + +echo $ac_n "checking location of lastlog file""... $ac_c" 1>&6 +echo "configure:1728: checking location of lastlog file" >&5 +for lastlog in /var/log/lastlog /var/adm/lastlog /etc/security/lastlog ; do + if test -f $lastlog ; then + gotlastlog="yes" + echo "$ac_t""$lastlog" 1>&6 + cat >> confdefs.h <&2; exit 1; } +fi + +echo $ac_n "checking whether libc defines __progname""... $ac_c" 1>&6 +echo "configure:1745: checking whether libc defines __progname" >&5 +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + + cat >> confdefs.h <<\EOF +#define HAVE___PROGNAME 1 +EOF + + echo "$ac_t""yes" 1>&6 + +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + + echo "$ac_t""no" 1>&6 + + +fi +rm -f conftest* + +# Check whether --with-kerberos4 or --without-kerberos4 was given. +if test "${with_kerberos4+set}" = set; then + withval="$with_kerberos4" + + cat >> confdefs.h <<\EOF +#define KRB4 1 +EOF + + LIBS="$LIBS -lkrb" + CFLAGS="$CFLAGS -I/usr/include/kerberosIV" + + +fi + + +# Check whether --with-kerberos4 or --without-kerberos4 was given. +if test "${with_kerberos4+set}" = set; then + withval="$with_kerberos4" + + cat >> confdefs.h <<\EOF +#define AFS 1 +EOF + + LIBS="$LIBS -lkafs" + + +fi + + +# Check whether --with-skey or --without-skey was given. +if test "${with_skey+set}" = set; then + withval="$with_skey" + + cat >> confdefs.h <<\EOF +#define SKEY 1 +EOF + + LIBS="$LIBS -lskey" + + +fi + + +# Check whether --with-skey or --without-skey was given. +if test "${with_skey+set}" = set; then + withval="$with_skey" + + cat >> confdefs.h <<\EOF +#define LIBWRAP 1 +EOF + + LIBS="$LIBS -lwrap" + + +fi + + +# Check whether --with-md5passwords or --without-md5passwords was given. +if test "${with_md5passwords+set}" = set; then + withval="$with_md5passwords" + cat >> confdefs.h <<\EOF +#define HAVE_MD5_PASSWORDS 1 +EOF + + +fi + + +trap '' 1 2 15 +cat > confcache <<\EOF +# This file is a shell script that caches the results of configure +# tests run on this system so they can be shared between configure +# scripts and configure runs. It is not useful on other systems. +# If it contains results you don't want to keep, you may remove or edit it. +# +# By default, configure uses ./config.cache as the cache file, +# creating it if it does not exist already. You can give configure +# the --cache-file=FILE option to use a different cache file; that is +# what configure does when it calls configure scripts in +# subdirectories, so they share the cache. +# Giving --cache-file=/dev/null disables caching, for debugging configure. +# config.status only pays attention to the cache file if you give it the +# --recheck option to rerun configure. +# +EOF +# The following way of writing the cache mishandles newlines in values, +# but we know of no workaround that is simple, portable, and efficient. +# So, don't put newlines in cache variables' values. +# Ultrix sh set writes to stderr and can't be redirected directly, +# and sets the high bit in the cache file unless we assign to the vars. +(set) 2>&1 | + case `(ac_space=' '; set | grep ac_space) 2>&1` in + *ac_space=\ *) + # `set' does not quote correctly, so add quotes (double-quote substitution + # turns \\\\ into \\, and sed turns \\ into \). + sed -n \ + -e "s/'/'\\\\''/g" \ + -e "s/^\\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\\)=\\(.*\\)/\\1=\${\\1='\\2'}/p" + ;; + *) + # `set' quotes correctly as required by POSIX, so do not add quotes. + sed -n -e 's/^\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\)=\(.*\)/\1=${\1=\2}/p' + ;; + esac >> confcache +if cmp -s $cache_file confcache; then + : +else + if test -w $cache_file; then + echo "updating cache $cache_file" + cat confcache > $cache_file + else + echo "not updating unwritable cache $cache_file" + fi +fi +rm -f confcache + +trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15 + +test "x$prefix" = xNONE && prefix=$ac_default_prefix +# Let make expand exec_prefix. +test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' + +# Any assignment to VPATH causes Sun make to only execute +# the first set of double-colon rules, so remove it if not needed. +# If there is a colon in the path, we need to keep it. +if test "x$srcdir" = x.; then + ac_vpsub='/^[ ]*VPATH[ ]*=[^:]*$/d' +fi + +trap 'rm -f $CONFIG_STATUS conftest*; exit 1' 1 2 15 + +DEFS=-DHAVE_CONFIG_H + +# Without the "./", some shells look in PATH for config.status. +: ${CONFIG_STATUS=./config.status} + +echo creating $CONFIG_STATUS +rm -f $CONFIG_STATUS +cat > $CONFIG_STATUS </dev/null | sed 1q`: +# +# $0 $ac_configure_args +# +# Compiler output produced by configure, useful for debugging +# configure, is in ./config.log if it exists. + +ac_cs_usage="Usage: $CONFIG_STATUS [--recheck] [--version] [--help]" +for ac_option +do + case "\$ac_option" in + -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) + echo "running \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion" + exec \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion ;; + -version | --version | --versio | --versi | --vers | --ver | --ve | --v) + echo "$CONFIG_STATUS generated by autoconf version 2.13" + exit 0 ;; + -help | --help | --hel | --he | --h) + echo "\$ac_cs_usage"; exit 0 ;; + *) echo "\$ac_cs_usage"; exit 1 ;; + esac +done + +ac_given_srcdir=$srcdir + +trap 'rm -fr `echo "Makefile config.h" | sed "s/:[^ ]*//g"` conftest*; exit 1' 1 2 15 +EOF +cat >> $CONFIG_STATUS < conftest.subs <<\\CEOF +$ac_vpsub +$extrasub +s%@SHELL@%$SHELL%g +s%@CFLAGS@%$CFLAGS%g +s%@CPPFLAGS@%$CPPFLAGS%g +s%@CXXFLAGS@%$CXXFLAGS%g +s%@FFLAGS@%$FFLAGS%g +s%@DEFS@%$DEFS%g +s%@LDFLAGS@%$LDFLAGS%g +s%@LIBS@%$LIBS%g +s%@exec_prefix@%$exec_prefix%g +s%@prefix@%$prefix%g +s%@program_transform_name@%$program_transform_name%g +s%@bindir@%$bindir%g +s%@sbindir@%$sbindir%g +s%@libexecdir@%$libexecdir%g +s%@datadir@%$datadir%g +s%@sysconfdir@%$sysconfdir%g +s%@sharedstatedir@%$sharedstatedir%g +s%@localstatedir@%$localstatedir%g +s%@libdir@%$libdir%g +s%@includedir@%$includedir%g +s%@oldincludedir@%$oldincludedir%g +s%@infodir@%$infodir%g +s%@mandir@%$mandir%g +s%@CC@%$CC%g +s%@CPP@%$CPP%g +s%@RANLIB@%$RANLIB%g +s%@AR@%$AR%g +s%@ssldir@%$ssldir%g +s%@INSTALL_ASKPASS@%$INSTALL_ASKPASS%g +s%@GNOME_ASKPASS@%$GNOME_ASKPASS%g +s%@RANDOM_POOL@%$RANDOM_POOL%g + +CEOF +EOF + +cat >> $CONFIG_STATUS <<\EOF + +# Split the substitutions into bite-sized pieces for seds with +# small command number limits, like on Digital OSF/1 and HP-UX. +ac_max_sed_cmds=90 # Maximum number of lines to put in a sed script. +ac_file=1 # Number of current file. +ac_beg=1 # First line for current file. +ac_end=$ac_max_sed_cmds # Line after last line for current file. +ac_more_lines=: +ac_sed_cmds="" +while $ac_more_lines; do + if test $ac_beg -gt 1; then + sed "1,${ac_beg}d; ${ac_end}q" conftest.subs > conftest.s$ac_file + else + sed "${ac_end}q" conftest.subs > conftest.s$ac_file + fi + if test ! -s conftest.s$ac_file; then + ac_more_lines=false + rm -f conftest.s$ac_file + else + if test -z "$ac_sed_cmds"; then + ac_sed_cmds="sed -f conftest.s$ac_file" + else + ac_sed_cmds="$ac_sed_cmds | sed -f conftest.s$ac_file" + fi + ac_file=`expr $ac_file + 1` + ac_beg=$ac_end + ac_end=`expr $ac_end + $ac_max_sed_cmds` + fi +done +if test -z "$ac_sed_cmds"; then + ac_sed_cmds=cat +fi +EOF + +cat >> $CONFIG_STATUS <> $CONFIG_STATUS <<\EOF +for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then + # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in". + case "$ac_file" in + *:*) ac_file_in=`echo "$ac_file"|sed 's%[^:]*:%%'` + ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;; + *) ac_file_in="${ac_file}.in" ;; + esac + + # Adjust a relative srcdir, top_srcdir, and INSTALL for subdirectories. + + # Remove last slash and all that follows it. Not all systems have dirname. + ac_dir=`echo $ac_file|sed 's%/[^/][^/]*$%%'` + if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then + # The file is in a subdirectory. + test ! -d "$ac_dir" && mkdir "$ac_dir" + ac_dir_suffix="/`echo $ac_dir|sed 's%^\./%%'`" + # A "../" for each directory in $ac_dir_suffix. + ac_dots=`echo $ac_dir_suffix|sed 's%/[^/]*%../%g'` + else + ac_dir_suffix= ac_dots= + fi + + case "$ac_given_srcdir" in + .) srcdir=. + if test -z "$ac_dots"; then top_srcdir=. + else top_srcdir=`echo $ac_dots|sed 's%/$%%'`; fi ;; + /*) srcdir="$ac_given_srcdir$ac_dir_suffix"; top_srcdir="$ac_given_srcdir" ;; + *) # Relative path. + srcdir="$ac_dots$ac_given_srcdir$ac_dir_suffix" + top_srcdir="$ac_dots$ac_given_srcdir" ;; + esac + + + echo creating "$ac_file" + rm -f "$ac_file" + configure_input="Generated automatically from `echo $ac_file_in|sed 's%.*/%%'` by configure." + case "$ac_file" in + *Makefile*) ac_comsub="1i\\ +# $configure_input" ;; + *) ac_comsub= ;; + esac + + ac_file_inputs=`echo $ac_file_in|sed -e "s%^%$ac_given_srcdir/%" -e "s%:% $ac_given_srcdir/%g"` + sed -e "$ac_comsub +s%@configure_input@%$configure_input%g +s%@srcdir@%$srcdir%g +s%@top_srcdir@%$top_srcdir%g +" $ac_file_inputs | (eval "$ac_sed_cmds") > $ac_file +fi; done +rm -f conftest.s* + +# These sed commands are passed to sed as "A NAME B NAME C VALUE D", where +# NAME is the cpp macro being defined and VALUE is the value it is being given. +# +# ac_d sets the value in "#define NAME VALUE" lines. +ac_dA='s%^\([ ]*\)#\([ ]*define[ ][ ]*\)' +ac_dB='\([ ][ ]*\)[^ ]*%\1#\2' +ac_dC='\3' +ac_dD='%g' +# ac_u turns "#undef NAME" with trailing blanks into "#define NAME VALUE". +ac_uA='s%^\([ ]*\)#\([ ]*\)undef\([ ][ ]*\)' +ac_uB='\([ ]\)%\1#\2define\3' +ac_uC=' ' +ac_uD='\4%g' +# ac_e turns "#undef NAME" without trailing blanks into "#define NAME VALUE". +ac_eA='s%^\([ ]*\)#\([ ]*\)undef\([ ][ ]*\)' +ac_eB='$%\1#\2define\3' +ac_eC=' ' +ac_eD='%g' + +if test "${CONFIG_HEADERS+set}" != set; then +EOF +cat >> $CONFIG_STATUS <> $CONFIG_STATUS <<\EOF +fi +for ac_file in .. $CONFIG_HEADERS; do if test "x$ac_file" != x..; then + # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in". + case "$ac_file" in + *:*) ac_file_in=`echo "$ac_file"|sed 's%[^:]*:%%'` + ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;; + *) ac_file_in="${ac_file}.in" ;; + esac + + echo creating $ac_file + + rm -f conftest.frag conftest.in conftest.out + ac_file_inputs=`echo $ac_file_in|sed -e "s%^%$ac_given_srcdir/%" -e "s%:% $ac_given_srcdir/%g"` + cat $ac_file_inputs > conftest.in + +EOF + +# Transform confdefs.h into a sed script conftest.vals that substitutes +# the proper values into config.h.in to produce config.h. And first: +# Protect against being on the right side of a sed subst in config.status. +# Protect against being in an unquoted here document in config.status. +rm -f conftest.vals +cat > conftest.hdr <<\EOF +s/[\\&%]/\\&/g +s%[\\$`]%\\&%g +s%#define \([A-Za-z_][A-Za-z0-9_]*\) *\(.*\)%${ac_dA}\1${ac_dB}\1${ac_dC}\2${ac_dD}%gp +s%ac_d%ac_u%gp +s%ac_u%ac_e%gp +EOF +sed -n -f conftest.hdr confdefs.h > conftest.vals +rm -f conftest.hdr + +# This sed command replaces #undef with comments. This is necessary, for +# example, in the case of _POSIX_SOURCE, which is predefined and required +# on some systems where configure will not decide to define it. +cat >> conftest.vals <<\EOF +s%^[ ]*#[ ]*undef[ ][ ]*[a-zA-Z_][a-zA-Z_0-9]*%/* & */% +EOF + +# Break up conftest.vals because some shells have a limit on +# the size of here documents, and old seds have small limits too. + +rm -f conftest.tail +while : +do + ac_lines=`grep -c . conftest.vals` + # grep -c gives empty output for an empty file on some AIX systems. + if test -z "$ac_lines" || test "$ac_lines" -eq 0; then break; fi + # Write a limited-size here document to conftest.frag. + echo ' cat > conftest.frag <> $CONFIG_STATUS + sed ${ac_max_here_lines}q conftest.vals >> $CONFIG_STATUS + echo 'CEOF + sed -f conftest.frag conftest.in > conftest.out + rm -f conftest.in + mv conftest.out conftest.in +' >> $CONFIG_STATUS + sed 1,${ac_max_here_lines}d conftest.vals > conftest.tail + rm -f conftest.vals + mv conftest.tail conftest.vals +done +rm -f conftest.vals + +cat >> $CONFIG_STATUS <<\EOF + rm -f conftest.frag conftest.h + echo "/* $ac_file. Generated automatically by configure. */" > conftest.h + cat conftest.in >> conftest.h + rm -f conftest.in + if cmp -s $ac_file conftest.h 2>/dev/null; then + echo "$ac_file is unchanged" + rm -f conftest.h + else + # Remove last slash and all that follows it. Not all systems have dirname. + ac_dir=`echo $ac_file|sed 's%/[^/][^/]*$%%'` + if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then + # The file is in a subdirectory. + test ! -d "$ac_dir" && mkdir "$ac_dir" + fi + rm -f $ac_file + mv conftest.h $ac_file + fi +fi; done + +EOF +cat >> $CONFIG_STATUS <> $CONFIG_STATUS <<\EOF + +exit 0 +EOF +chmod +x $CONFIG_STATUS +rm -fr confdefs* $ac_clean_files +test "$no_create" = yes || ${CONFIG_SHELL-/bin/sh} $CONFIG_STATUS || exit 1 + diff -ruN --exclude CVS ssh-openbsd-1999111900/configure.in openssh-1.2pre13/configure.in --- ssh-openbsd-1999111900/configure.in Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/configure.in Fri Nov 19 19:14:04 1999 @@ -0,0 +1,226 @@ +AC_INIT(ssh.c) + +AC_CONFIG_HEADER(config.h) + +dnl Checks for programs. +AC_PROG_CC +AC_PROG_CPP +AC_PROG_RANLIB +AC_CHECK_PROG(AR, ar, ar) +if test "$GCC" = "yes"; then CFLAGS="$CFLAGS -Wall"; fi + +dnl Check for OpenSSL/SSLeay directories. +AC_MSG_CHECKING([for OpenSSL/SSLeay directory]) +for ssldir in /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local $prefix /usr/pkg ; do + if test -f "$ssldir/include/openssl/crypto.h"; then + AC_DEFINE(HAVE_OPENSSL) + GOT_SSL="yes" + break + fi + if test -f "$ssldir/include/ssl/crypto.h"; then + AC_DEFINE(HAVE_SSL) + GOT_SSL="yes" + break + fi +done +if test -z "$GOT_SSL" ; then + AC_MSG_ERROR([Could not find SSLeay / OpenSSL libraries, please install]) +fi +AC_SUBST(ssldir) +AC_DEFINE_UNQUOTED(ssldir, "$ssldir") +if test "$ssldir" != "/usr"; then + CFLAGS="$CFLAGS -I$ssldir/include" + LIBS="$LIBS -L$ssldir/lib" +fi +LIBS="$LIBS -lssl -lcrypto" +AC_MSG_RESULT($ssldir) + +dnl Check for RSAref library. +AC_MSG_CHECKING([for RSAref library]) +saved_LIBS="$LIBS" +LIBS="$saved_LIBS -lRSAglue -lrsaref" +AC_TRY_LINK([], [], +[AC_MSG_RESULT(yes); ], +[AC_MSG_RESULT(no)]; LIBS="$saved_LIBS") + +dnl Checks for libraries. +AC_CHECK_LIB(crypto, CRYPTO_lock, ,AC_MSG_ERROR([*** libcrypto missing - please install first ***])) +AC_CHECK_LIB(z, deflate, ,AC_MSG_ERROR([*** zlib missing - please install first ***])) +AC_CHECK_LIB(util, login, AC_DEFINE(HAVE_LIBUTIL_LOGIN) LIBS="$LIBS -lutil") +AC_CHECK_LIB(nsl, yp_match, , ) +AC_CHECK_LIB(socket, main, , ) + +dnl libdl is needed by PAM on Redhat systems +AC_CHECK_LIB(dl, dlopen, , ) +AC_CHECK_LIB(pam, pam_authenticate, , ) + +dnl Checks for header files. +AC_CHECK_HEADERS(pty.h endian.h paths.h lastlog.h shadow.h netgroup.h maillock.h sys/select.h) + +dnl Checks for library functions. +AC_CHECK_FUNCS(openpty strlcpy mkdtemp arc4random setproctitle setlogin) + +AC_CHECK_FUNC(login, + [AC_DEFINE(HAVE_LOGIN)], + [AC_CHECK_LIB(bsd, login, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_LOGIN)])] +) + +AC_CHECK_FUNC(daemon, + [AC_DEFINE(HAVE_DAEMON)], + [AC_CHECK_LIB(bsd, daemon, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)])] +) + +dnl Check whether use wants to disable the external ssh-askpass +INSTALL_ASKPASS="yes" +AC_MSG_CHECKING([whether to enable external ssh-askpass support]) +AC_ARG_WITH(askpass, + [ --with-askpass=yes/no Enable external ssh-askpass support (default=yes)], + [ + if test x$withval = xno ; then + INSTALL_ASKPASS="no" + else + INSTALL_ASKPASS="yes" + fi + ] +) +if test "x$INSTALL_ASKPASS" = "xyes" ; then + AC_DEFINE(USE_EXTERNAL_ASKPASS) + AC_SUBST(INSTALL_ASKPASS) + AC_MSG_RESULT(yes) +else + AC_MSG_RESULT(no) +fi + +if test "x$INSTALL_ASKPASS" = "xyes" ; then + AC_MSG_CHECKING([whether to build GNOME ssh-askpass]) + dnl Check whether user wants GNOME ssh-askpass + AC_ARG_WITH(gnome-askpass, + [ --with-gnome-askpass Build the GNOME passphrase requester (default=no)], + [ + if test x$withval = xno ; then + GNOME_ASKPASS=""; + else + GNOME_ASKPASS="gnome-ssh-askpass"; + fi + ]) + AC_SUBST(GNOME_ASKPASS) + + if test -z "$GNOME_ASKPASS" ; then + AC_MSG_RESULT(no) + else + AC_MSG_RESULT(yes) + fi +fi + +dnl Check for user-specified random device +AC_ARG_WITH(random, + [ --with-random=FILE read randomness from FILE (default=/dev/urandom)], + [ + RANDOM_POOL="$withval"; + AC_DEFINE_UNQUOTED(RANDOM_POOL, "$RANDOM_POOL") + ], + [ + dnl Check for random device + AC_CHECK_FILE("/dev/urandom", + [ + RANDOM_POOL="/dev/urandom"; + AC_SUBST(RANDOM_POOL) + AC_DEFINE_UNQUOTED(RANDOM_POOL, "$RANDOM_POOL") + ] + ) + ] +) + +dnl Check for EGD pool file +AC_ARG_WITH(egd-pool, + [ --with-egd-pool=FILE read randomness from EGD pool FILE (default none)], + [ + RANDOM_POOL="$withval"; + AC_DEFINE(HAVE_EGD) + AC_SUBST(RANDOM_POOL) + AC_DEFINE_UNQUOTED(RANDOM_POOL, "$RANDOM_POOL") + ] +) + +dnl Make sure we have random number support +if test -z "$RANDOM_POOL" -a -z "$EGD_POOL"; then + AC_MSG_ERROR([No random device found, and no EGD random pool specified]) +fi + +dnl Check for ut_host field in utmp +AC_MSG_CHECKING([whether utmp.h has ut_host field]) +AC_EGREP_HEADER(ut_host, utmp.h, + [AC_DEFINE(HAVE_HOST_IN_UTMP) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) + +dnl Look for lastlog location +AC_MSG_CHECKING([location of lastlog file]) +for lastlog in /var/log/lastlog /var/adm/lastlog /etc/security/lastlog ; do + if test -f $lastlog ; then + gotlastlog="yes" + AC_MSG_RESULT($lastlog) + AC_DEFINE_UNQUOTED(LASTLOG_LOCATION, "$lastlog") + break + fi +done +if test -z "$gotlastlog" ; then + AC_MSG_ERROR([*** Cannot find lastlog ***]) +fi + +AC_MSG_CHECKING([whether libc defines __progname]) +AC_TRY_LINK([], + [extern char *__progname; printf("%s", __progname);], + [ + AC_DEFINE(HAVE___PROGNAME) + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + ] +) + +dnl Check whether user wants Kerberos support +AC_ARG_WITH(kerberos4, + [ --with-kerberos4 Enable Kerberos 4 support], + [ + AC_DEFINE(KRB4) + LIBS="$LIBS -lkrb" + CFLAGS="$CFLAGS -I/usr/include/kerberosIV" + ] +) + +dnl Check whether user wants AFS support +AC_ARG_WITH(kerberos4, + [ --with-afs Enable AFS support], + [ + AC_DEFINE(AFS) + LIBS="$LIBS -lkafs" + ] +) + +dnl Check whether user wants S/Key support +AC_ARG_WITH(skey, + [ --with-skey Enable S/Key support], + [ + AC_DEFINE(SKEY) + LIBS="$LIBS -lskey" + ] +) + +dnl Check whether user wants TCP wrappers support +AC_ARG_WITH(skey, + [ --with-tcp-wrappers Enable tcpwrappers support], + [ + AC_DEFINE(LIBWRAP) + LIBS="$LIBS -lwrap" + ] +) + +dnl Check whether to enable MD5 passwords +AC_ARG_WITH(md5passwords, + [ --with-md5-passwords Enable use of MD5 passwords], + [AC_DEFINE(HAVE_MD5_PASSWORDS)] +) + +AC_OUTPUT(Makefile) diff -ruN --exclude CVS ssh-openbsd-1999111900/fingerprint.c openssh-1.2pre13/fingerprint.c --- ssh-openbsd-1999111900/fingerprint.c Wed Nov 17 09:49:28 1999 +++ openssh-1.2pre13/fingerprint.c Fri Nov 19 12:05:01 1999 @@ -1,9 +1,15 @@ #include "includes.h" -RCSID("$Id: fingerprint.c,v 1.1 1999/11/16 22:49:28 markus Exp $"); +RCSID("$Id: fingerprint.c,v 1.2 1999/11/19 01:05:01 damien Exp $"); #include "ssh.h" #include "xmalloc.h" + +#ifdef HAVE_OPENSSL +#include +#endif +#ifdef HAVE_SSL #include +#endif #define FPRINT "%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x" diff -ruN --exclude CVS ssh-openbsd-1999111900/fingerprint.h openssh-1.2pre13/fingerprint.h --- ssh-openbsd-1999111900/fingerprint.h Wed Nov 17 09:49:28 1999 +++ openssh-1.2pre13/fingerprint.h Wed Nov 17 17:29:08 1999 @@ -1,4 +1,4 @@ -/* RCSID("$Id: fingerprint.h,v 1.1 1999/11/16 22:49:28 markus Exp $"); */ +/* RCSID("$Id: fingerprint.h,v 1.1 1999/11/17 06:29:08 damien Exp $"); */ #ifndef FINGERPRINT_H #define FINGERPRINT_H diff -ruN --exclude CVS ssh-openbsd-1999111900/gnome-ssh-askpass.c openssh-1.2pre13/gnome-ssh-askpass.c --- ssh-openbsd-1999111900/gnome-ssh-askpass.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/gnome-ssh-askpass.c Fri Nov 12 12:09:36 1999 @@ -0,0 +1,122 @@ +/* +** +** GNOME ssh passphrase requestor +** +** Damien Miller +** +** Copyright 1999 Internet Business Solutions +** +** Permission is hereby granted, free of charge, to any person +** obtaining a copy of this software and associated documentation +** files (the "Software"), to deal in the Software without +** restriction, including without limitation the rights to use, copy, +** modify, merge, publish, distribute, sublicense, and/or sell copies +** of the Software, and to permit persons to whom the Software is +** furnished to do so, subject to the following conditions: +** +** The above copyright notice and this permission notice shall be +** included in all copies or substantial portions of the Software. +** +** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY +** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE +** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE +** AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER OR INTERNET +** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE +** OR OTHER DEALINGS IN THE SOFTWARE. +** +** Except as contained in this notice, the name of Internet Business +** Solutions shall not be used in advertising or otherwise to promote +** the sale, use or other dealings in this Software without prior +** written authorization from Internet Business Solutions. +** +*/ + +#include +#include +#include +#include +#include +#include + +int passphrase_dialog(char **passphrase_p, char *message) +{ + char *passphrase; + int result; + + GtkWidget *dialog, *entry, *label; + + dialog = gnome_dialog_new("OpenSSH", GNOME_STOCK_BUTTON_OK, + GNOME_STOCK_BUTTON_CANCEL, NULL); + + label = gtk_label_new(message); + gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), label, FALSE, + FALSE, 0); + + entry = gtk_entry_new(); + gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE, + FALSE, 0); + gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); + gtk_widget_grab_focus(entry); + + /* Center window and prepare for grab */ + gtk_object_set(GTK_OBJECT(dialog), "type", GTK_WINDOW_POPUP, NULL); + gnome_dialog_set_default(GNOME_DIALOG(dialog), 0); + gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER); + gtk_window_set_policy(GTK_WINDOW(dialog), FALSE, FALSE, TRUE); + gnome_dialog_close_hides(GNOME_DIALOG(dialog), TRUE); + gtk_container_set_border_width(GTK_CONTAINER(GNOME_DIALOG(dialog)->vbox), GNOME_PAD); + gtk_widget_show_all(dialog); + + /* Grab focus */ + XGrabServer(GDK_DISPLAY()); + gdk_pointer_grab(dialog->window, TRUE, 0, NULL, NULL, GDK_CURRENT_TIME); + gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME); + + /* Run dialog */ + result = gnome_dialog_run(GNOME_DIALOG(dialog)); + + /* Ungrab */ + XUngrabServer(GDK_DISPLAY()); + gdk_pointer_ungrab(GDK_CURRENT_TIME); + gdk_keyboard_ungrab(GDK_CURRENT_TIME); + gdk_flush(); + + passphrase = gtk_entry_get_text(GTK_ENTRY(entry)); + + /* Take copy of passphrase if user selected OK */ + if (result == 0) + *passphrase_p = strdup(passphrase); + else + *passphrase_p = NULL; + + /* Zero existing passphrase */ + memset(passphrase, '\0', strlen(passphrase)); + gtk_entry_set_text(GTK_ENTRY(entry), passphrase); + + gnome_dialog_close(GNOME_DIALOG(dialog)); + + return (result == 0); +} + +int main(int argc, char **argv) +{ + char *passphrase; + char *message; + + gnome_init("GNOME ssh-askpass", "0.1", argc, argv); + + if (argc == 2) + message = argv[1]; + else + message = "Enter your OpenSSH passphrase:"; + + if (passphrase_dialog(&passphrase, message)) + { + printf("%s\n", passphrase); + memset(passphrase, '\0', strlen(passphrase)); + } + + return 0; +} diff -ruN --exclude CVS ssh-openbsd-1999111900/helper.c openssh-1.2pre13/helper.c --- ssh-openbsd-1999111900/helper.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/helper.c Fri Nov 19 12:05:01 1999 @@ -0,0 +1,149 @@ +/* +** +** OpenBSD emulation routines +** +** Damien Miller +** +** Copyright 1999 Internet Business Solutions +** +** Permission is hereby granted, free of charge, to any person +** obtaining a copy of this software and associated documentation +** files (the "Software"), to deal in the Software without +** restriction, including without limitation the rights to use, copy, +** modify, merge, publish, distribute, sublicense, and/or sell copies +** of the Software, and to permit persons to whom the Software is +** furnished to do so, subject to the following conditions: +** +** The above copyright notice and this permission notice shall be +** included in all copies or substantial portions of the Software. +** +** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY +** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE +** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE +** AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER OR INTERNET +** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE +** OR OTHER DEALINGS IN THE SOFTWARE. +** +** Except as contained in this notice, the name of Internet Business +** Solutions shall not be used in advertising or otherwise to promote +** the sale, use or other dealings in this Software without prior +** written authorization from Internet Business Solutions. +** +*/ + +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#include "rc4.h" +#include "xmalloc.h" +#include "ssh.h" +#include "config.h" +#include "helper.h" + +#ifndef offsetof +#define offsetof(type, member) ((size_t) &((type *)0)->member) +#endif + +#ifndef HAVE_ARC4RANDOM + +void get_random_bytes(unsigned char *buf, int len); + +static rc4_t *rc4 = NULL; + +unsigned int arc4random(void) +{ + unsigned int r; + + if (rc4 == NULL) + arc4random_stir(); + + rc4_getbytes(rc4, (unsigned char *)&r, sizeof(r)); + + return(r); +} + +void arc4random_stir(void) +{ + unsigned char rand_buf[32]; + + if (rc4 == NULL) + rc4 = xmalloc(sizeof(*rc4)); + + get_random_bytes(rand_buf, sizeof(rand_buf)); + rc4_key(rc4, rand_buf, sizeof(rand_buf)); +} + +void get_random_bytes(unsigned char *buf, int len) +{ + static int random_pool; + int c; +#ifdef HAVE_EGD + char egd_message[2] = { 0x02, 0x00 }; + struct sockaddr_un addr; + int addr_len; + + memset(&addr, '\0', sizeof(addr)); + addr.sun_family = AF_UNIX; + + /* FIXME: compile time check? */ + if (sizeof(RANDOM_POOL) > sizeof(addr.sun_path)) + fatal("Random pool path is too long"); + + strncpy(addr.sun_path, RANDOM_POOL, sizeof(addr.sun_path - 1)); + addr.sun_path[sizeof(addr.sun_path - 1)] = '\0'; + + addr_len = offsetof(struct sockaddr_un, sun_path) + sizeof(RANDOM_POOL); + + random_pool = socket(AF_UNIX, SOCK_STREAM, 0); + + if (random_pool == -1) + fatal("Couldn't create AF_UNIX socket: %s", strerror(errno)); + + if (connect(random_pool, (struct sockaddr*)&addr, addr_len) == -1) + fatal("Couldn't connect to EGD socket \"%s\": %s", RANDOM_POOL, strerror(errno)); + + if (len > 255) + fatal("Too many bytes to read from EGD"); + + /* Send blocking read request to EGD */ + egd_message[1] = len; + c = write(random_pool, egd_message, sizeof(egd_message)); + if (c == -1) + fatal("Couldn't write to EGD socket \"%s\": %s", RANDOM_POOL, strerror(errno)); + +#else /* HAVE_EGD */ + + random_pool = open(RANDOM_POOL, O_RDONLY); + if (random_pool == -1) + fatal("Couldn't open random pool \"%s\": %s", RANDOM_POOL, strerror(errno)); + +#endif /* HAVE_EGD */ + + c = read(random_pool, buf, len); + if (c == -1) + fatal("Couldn't read from random pool \"%s\": %s", RANDOM_POOL, strerror(errno)); + + if (c != len) + fatal("Short read from random pool \"%s\"", RANDOM_POOL); + + close(random_pool); +} +#endif /* !HAVE_ARC4RANDOM */ + +#ifndef HAVE_SETPROCTITLE +void setproctitle(const char *fmt, ...) +{ + /* FIXME */ +} +#endif /* !HAVE_SETPROCTITLE */ diff -ruN --exclude CVS ssh-openbsd-1999111900/helper.h openssh-1.2pre13/helper.h --- ssh-openbsd-1999111900/helper.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/helper.h Thu Oct 28 14:12:54 1999 @@ -0,0 +1,50 @@ +/* +** +** OpenBSD emulation routines +** +** Damien Miller +** +** Copyright 1999 Internet Business Solutions +** +** Permission is hereby granted, free of charge, to any person +** obtaining a copy of this software and associated documentation +** files (the "Software"), to deal in the Software without +** restriction, including without limitation the rights to use, copy, +** modify, merge, publish, distribute, sublicense, and/or sell copies +** of the Software, and to permit persons to whom the Software is +** furnished to do so, subject to the following conditions: +** +** The above copyright notice and this permission notice shall be +** included in all copies or substantial portions of the Software. +** +** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY +** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE +** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE +** AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER OR INTERNET +** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE +** OR OTHER DEALINGS IN THE SOFTWARE. +** +** Except as contained in this notice, the name of Internet Business +** Solutions shall not be used in advertising or otherwise to promote +** the sale, use or other dealings in this Software without prior +** written authorization from Internet Business Solutions. +** +*/ + +#ifndef _HELPER_H +#define _HELPER_H + +#include "config.h" + +#ifndef HAVE_ARC4RANDOM +unsigned int arc4random(void); +void arc4random_stir(void); +#endif /* !HAVE_ARC4RANDOM */ + +#ifndef HAVE_SETPROCTITLE +void setproctitle(const char *fmt, ...); +#endif /* !HAVE_SETPROCTITLE */ + +#endif /* _HELPER_H */ diff -ruN --exclude CVS ssh-openbsd-1999111900/includes.h openssh-1.2pre13/includes.h --- ssh-openbsd-1999111900/includes.h Wed Nov 3 15:22:48 1999 +++ openssh-1.2pre13/includes.h Fri Nov 19 15:32:34 1999 @@ -19,12 +19,12 @@ #define RCSID(msg) \ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg } +#include "config.h" + #include #include -#include #include #include -#include #include #include #include @@ -38,7 +38,6 @@ #include #include -#include #include #include #include @@ -52,13 +51,38 @@ #include #include #include -#include #include +#ifdef HAVE_NETGROUP_H +# include +#endif +#ifdef HAVE_PATHS_H +# include +#endif +#ifdef HAVE_ENDIAN_H +# include +#endif +#ifdef HAVE_SYS_SELECT_H +# include +#endif +#ifdef HAVE_LIBPAM +# include +#endif + #include "version.h" +#include "helper.h" +#include "bsd-strlcpy.h" +#include "bsd-mktemp.h" /* Define this to be the path of the xauth program. */ +#ifndef XAUTH_PATH #define XAUTH_PATH "/usr/X11R6/bin/xauth" +#endif /* XAUTH_PATH */ + +/* Define this to be the path of the rsh program. */ +#ifndef _PATH_RSH +#define _PATH_RSH "/usr/bin/rsh" +#endif /* _PATH_RSH */ /* Define this to use pipes instead of socketpairs for communicating with the client program. Socketpairs do not seem to work on all systems. */ diff -ruN --exclude CVS ssh-openbsd-1999111900/lib/Makefile openssh-1.2pre13/lib/Makefile --- ssh-openbsd-1999111900/lib/Makefile Wed Nov 17 16:17:32 1999 +++ openssh-1.2pre13/lib/Makefile Thu Jan 1 10:00:00 1970 @@ -1,25 +0,0 @@ -.PATH: ${.CURDIR}/.. - -LIB= ssh -SRCS= authfd.c authfile.c bufaux.c buffer.c canohost.c channels.c \ - cipher.c compat.c compress.c crc32.c deattack.c fingerprint.c \ - hostfile.c log.c match.c mpaux.c nchan.c packet.c readpass.c \ - rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c - -NOPROFILE= yes -NOPIC= yes - -install: - @echo -n - -.include - -.if (${KERBEROS} == "yes") -CFLAGS+= -DKRB4 -I/usr/include/kerberosIV -.if (${AFS} == "yes") -CFLAGS+= -DAFS -SRCS+= radix.c -.endif # AFS -.endif # KERBEROS - -.include diff -ruN --exclude CVS ssh-openbsd-1999111900/log-server.c openssh-1.2pre13/log-server.c --- ssh-openbsd-1999111900/log-server.c Mon Nov 15 14:37:32 1999 +++ openssh-1.2pre13/log-server.c Mon Nov 15 17:10:57 1999 @@ -22,6 +22,12 @@ #include "xmalloc.h" #include "ssh.h" +#ifdef HAVE___PROGNAME +extern char *__progname; +#else /* HAVE___PROGNAME */ +const char *__progname = "sshd"; +#endif /* HAVE___PROGNAME */ + static LogLevel log_level = SYSLOG_LEVEL_INFO; static int log_on_stderr = 0; static int log_facility = LOG_AUTH; @@ -104,7 +110,6 @@ char fmtbuf[MSGBUFSIZE]; char *txt = NULL; int pri = LOG_INFO; - extern char *__progname; if (level > log_level) return; diff -ruN --exclude CVS ssh-openbsd-1999111900/login.c openssh-1.2pre13/login.c --- ssh-openbsd-1999111900/login.c Fri Oct 1 02:55:06 1999 +++ openssh-1.2pre13/login.c Thu Nov 11 10:40:23 1999 @@ -20,8 +20,12 @@ #include "includes.h" RCSID("$Id: login.c,v 1.7 1999/09/30 16:55:06 deraadt Exp $"); -#include #include + +#ifdef HAVE_LASTLOG_H +# include +#endif + #include "ssh.h" /* Returns the time when the user last logged in. Returns 0 if the @@ -77,7 +81,9 @@ strncpy(u.ut_line, ttyname + 5, sizeof(u.ut_line)); u.ut_time = time(NULL); strncpy(u.ut_name, user, sizeof(u.ut_name)); +#ifdef HAVE_HOST_IN_UTMP strncpy(u.ut_host, host, sizeof(u.ut_host)); +#endif /* Figure out the file names. */ utmp = _PATH_UTMP; @@ -109,11 +115,14 @@ } } -/* Records that the user has logged out. */ - void record_logout(int pid, const char *ttyname) { +#ifdef HAVE_LIBUTIL_LOGIN const char *line = ttyname + 5; /* /dev/ttyq8 -> ttyq8 */ if (logout(line)) logwtmp(line, "", ""); +#else /* HAVE_LIBUTIL_LOGIN */ + record_login(pid, ttyname, "", -1, "", NULL); +#endif /* HAVE_LIBUTIL_LOGIN */ } + diff -ruN --exclude CVS ssh-openbsd-1999111900/md5crypt.c openssh-1.2pre13/md5crypt.c --- ssh-openbsd-1999111900/md5crypt.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/md5crypt.c Fri Nov 19 15:53:20 1999 @@ -0,0 +1,166 @@ +/* + * ---------------------------------------------------------------------------- + * "THE BEER-WARE LICENSE" (Revision 42): + * wrote this file. As long as you retain this notice you + * can do whatever you want with this stuff. If we meet some day, and you think + * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp + * ---------------------------------------------------------------------------- + */ + +/* + * Ported from FreeBSD to Linux, only minimal changes. --marekm + */ + +/* + * Adapted from shadow-19990607 by Tudor Bosman, tudorb@jm.nu + */ + +#include "config.h" + +#ifdef HAVE_MD5_PASSWORDS + +#include +#include + +#ifdef HAVE_OPENSSL +#include +#endif + +#ifdef HAVE_SSL +#include +#endif + +static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */ + "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; + +static char *magic = "$1$"; /* + * This string is magic for + * this algorithm. Having + * it this way, we can get + * get better later on + */ + +static void +to64(char *s, unsigned long v, int n) +{ + while (--n >= 0) { + *s++ = itoa64[v&0x3f]; + v >>= 6; + } +} + +int +is_md5_salt(const char *salt) +{ + return (!strncmp(salt, magic, strlen(magic))); +} + +/* + * UNIX password + * + * Use MD5 for what it is best at... + */ + +char * +md5_crypt(const char *pw, const char *salt) +{ + static char passwd[120], *p; + static const char *sp,*ep; + unsigned char final[16]; + int sl,pl,i,j; + MD5_CTX ctx,ctx1; + unsigned long l; + + /* Refine the Salt first */ + sp = salt; + + /* If it starts with the magic string, then skip that */ + if(!strncmp(sp,magic,strlen(magic))) + sp += strlen(magic); + + /* It stops at the first '$', max 8 chars */ + for(ep=sp;*ep && *ep != '$' && ep < (sp+8);ep++) + continue; + + /* get the length of the true salt */ + sl = ep - sp; + + MD5_Init(&ctx); + + /* The password first, since that is what is most unknown */ + MD5_Update(&ctx,pw,strlen(pw)); + + /* Then our magic string */ + MD5_Update(&ctx,magic,strlen(magic)); + + /* Then the raw salt */ + MD5_Update(&ctx,sp,sl); + + /* Then just as many characters of the MD5(pw,salt,pw) */ + MD5_Init(&ctx1); + MD5_Update(&ctx1,pw,strlen(pw)); + MD5_Update(&ctx1,sp,sl); + MD5_Update(&ctx1,pw,strlen(pw)); + MD5_Final(final,&ctx1); + for(pl = strlen(pw); pl > 0; pl -= 16) + MD5_Update(&ctx,final,pl>16 ? 16 : pl); + + /* Don't leave anything around in vm they could use. */ + memset(final,0,sizeof final); + + /* Then something really weird... */ + for (j=0,i = strlen(pw); i ; i >>= 1) + if(i&1) + MD5_Update(&ctx, final+j, 1); + else + MD5_Update(&ctx, pw+j, 1); + + /* Now make the output string */ + strcpy(passwd,magic); + strncat(passwd,sp,sl); + strcat(passwd,"$"); + + MD5_Final(final,&ctx); + + /* + * and now, just to make sure things don't run too fast + * On a 60 Mhz Pentium this takes 34 msec, so you would + * need 30 seconds to build a 1000 entry dictionary... + */ + for(i=0;i<1000;i++) { + MD5_Init(&ctx1); + if(i & 1) + MD5_Update(&ctx1,pw,strlen(pw)); + else + MD5_Update(&ctx1,final,16); + + if(i % 3) + MD5_Update(&ctx1,sp,sl); + + if(i % 7) + MD5_Update(&ctx1,pw,strlen(pw)); + + if(i & 1) + MD5_Update(&ctx1,final,16); + else + MD5_Update(&ctx1,pw,strlen(pw)); + MD5_Final(final,&ctx1); + } + + p = passwd + strlen(passwd); + + l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p,l,4); p += 4; + l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p,l,4); p += 4; + l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p,l,4); p += 4; + l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p,l,4); p += 4; + l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p,l,4); p += 4; + l = final[11] ; to64(p,l,2); p += 2; + *p = '\0'; + + /* Don't leave anything around in vm they could use. */ + memset(final,0,sizeof final); + + return passwd; +} + +#endif /* HAVE_MD5_PASSWORDS */ diff -ruN --exclude CVS ssh-openbsd-1999111900/md5crypt.h openssh-1.2pre13/md5crypt.h --- ssh-openbsd-1999111900/md5crypt.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/md5crypt.h Fri Nov 19 15:53:20 1999 @@ -0,0 +1,37 @@ +/* + * ---------------------------------------------------------------------------- + * "THE BEER-WARE LICENSE" (Revision 42): + * wrote this file. As long as you retain this notice you + * can do whatever you want with this stuff. If we meet some day, and you think + * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp + * ---------------------------------------------------------------------------- + */ + +/* + * Ported from FreeBSD to Linux, only minimal changes. --marekm + */ + +/* + * Adapted from shadow-19990607 by Tudor Bosman, tudorb@jm.nu + */ + +#ifndef _MD5CRYPT_H +#define _MD5CRYPT_H + +#include "config.h" + +#include +#include + +#ifdef HAVE_OPENSSL +#include +#endif + +#ifdef HAVE_SSL +#include +#endif + +int is_md5_salt(const char *salt); +char *md5_crypt(const char *pw, const char *salt); + +#endif /* MD5CRYPT_H */ diff -ruN --exclude CVS ssh-openbsd-1999111900/mpaux.c openssh-1.2pre13/mpaux.c --- ssh-openbsd-1999111900/mpaux.c Tue Nov 16 13:00:15 1999 +++ openssh-1.2pre13/mpaux.c Tue Nov 16 13:37:16 1999 @@ -17,11 +17,18 @@ #include "includes.h" RCSID("$Id: mpaux.c,v 1.6 1999/11/15 20:53:24 markus Exp $"); +#ifdef HAVE_OPENSSL +#include +#include +#endif +#ifdef HAVE_SSL #include +#include +#endif + #include "getput.h" #include "xmalloc.h" -#include void compute_session_id(unsigned char session_id[16], diff -ruN --exclude CVS ssh-openbsd-1999111900/openssh.spec openssh-1.2pre13/openssh.spec --- ssh-openbsd-1999111900/openssh.spec Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/openssh.spec Fri Nov 19 17:25:16 1999 @@ -0,0 +1,185 @@ +Summary: OpenSSH free Secure Shell (SSH) implementation +Name: openssh +Version: 1.2pre13 +Release: 1 +Packager: Damien Miller +Source0: openssh-%{version}.tar.gz +Copyright: BSD +Group: Applications/Internet +BuildRoot: /tmp/openssh-%{version}-buildroot +Obsoletes: ssh + +%package clients +Summary: OpenSSH Secure Shell protocol clients +Requires: openssh +Group: System Environment/Daemons +Obsoletes: ssh-clients + +%package server +Summary: OpenSSH Secure Shell protocol server (sshd) +Requires: openssh chkconfig >= 0.9 +Group: System Environment/Daemons +Obsoletes: ssh-server + +%package askpass +Summary: OpenSSH GNOME passphrase dialog +Group: Applications/Internet +Requires: openssh +Obsoletes: ssh-extras +Obsoletes: ssh-askpass + +%description +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package includes the core files necessary for both the OpenSSH +client and server. To make this package useful, you should also +install openssh-clients, openssh-server, or both. + +%description clients +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package includes the clients necessary to make encrypted connections +to SSH servers. + +%description server +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package contains the secure shell daemon. The sshd is the server +part of the secure shell protocol and allows ssh clients to connect to +your host. + +%description askpass +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package contains the GNOME passphrase dialog. + +%changelog +* Mon Nov 15 1999 Damien Miller +- Split subpackages further based on patch from jim knoble +* Sat Nov 13 1999 Damien Miller +- Added 'Obsoletes' directives +* Tue Nov 09 1999 Damien Miller +- Use make install +- Subpackages +* Mon Nov 08 1999 Damien Miller +- Added links for slogin +- Fixed perms on manpages +* Sat Oct 30 1999 Damien Miller +- Renamed init script +* Fri Oct 29 1999 Damien Miller +- Back to old binary names +* Thu Oct 28 1999 Damien Miller +- Use autoconf +- New binary names +* Wed Oct 27 1999 Damien Miller +- Initial RPMification, based on Jan "Yenya" Kasprzak's spec. + +%prep + +%setup + +%build + +CFLAGS="$RPM_OPT_FLAGS" \ + ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-gnome-askpass + +make + +%install +rm -rf $RPM_BUILD_ROOT +make install prefix="$RPM_BUILD_ROOT/usr" + +install -d $RPM_BUILD_ROOT/etc/ssh +install -d $RPM_BUILD_ROOT/etc/pam.d/ +install -d $RPM_BUILD_ROOT/etc/rc.d/init.d +install -m644 sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd +install -m755 sshd.init.redhat $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd +install -m600 ssh_config $RPM_BUILD_ROOT/etc/ssh/ssh_config +install -m600 sshd_config $RPM_BUILD_ROOT/etc/ssh/sshd_config + +%clean +rm -rf $RPM_BUILD_ROOT + +%post server +/sbin/chkconfig --add sshd +if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then + /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2 +fi +if test -r /var/run/sshd.pid +then + /etc/rc.d/init.d/sshd restart >&2 +fi + +%preun server +if [ "$1" = 0 ] +then + /etc/rc.d/init.d/sshd stop >&2 + /sbin/chkconfig --del sshd +fi + +%files +%defattr(-,root,root) +%doc ChangeLog OVERVIEW COPYING.Ylonen README README.Ylonen INSTALL UPGRADING +%attr(0755,root,root) /usr/bin/ssh-keygen +%attr(0755,root,root) /usr/bin/scp +%attr(0644,root,root) /usr/man/man1/ssh-keygen.1 +%attr(0644,root,root) /usr/man/man1/scp.1 +%attr(0755,root,root) %dir /etc/ssh + +%files clients +%defattr(-,root,root) +%attr(4755,root,root) /usr/bin/ssh +%attr(0755,root,root) /usr/bin/ssh-agent +%attr(0755,root,root) /usr/bin/ssh-add +%attr(0644,root,root) /usr/man/man1/ssh.1 +%attr(0644,root,root) /usr/man/man1/ssh-agent.1 +%attr(0644,root,root) /usr/man/man1/ssh-add.1 +%attr(0644,root,root) %config /etc/ssh/ssh_config +%attr(-,root,root) /usr/bin/slogin +%attr(-,root,root) /usr/man/man1/slogin.1 + +%files server +%defattr(-,root,root) +%attr(0755,root,root) /usr/sbin/sshd +%attr(0644,root,root) /usr/man/man8/sshd.8 +%attr(0600,root,root) %config /etc/ssh/sshd_config +%attr(0600,root,root) %config /etc/pam.d/sshd +%attr(0755,root,root) %config /etc/rc.d/init.d/sshd + +%files askpass +%defattr(-,root,root) +%attr(0755,root,root) /usr/libexec/ssh/ssh-askpass +%attr(0755,root,root) %dir /usr/libexec/ssh + diff -ruN --exclude CVS ssh-openbsd-1999111900/packet.h openssh-1.2pre13/packet.h --- ssh-openbsd-1999111900/packet.h Tue Nov 16 13:00:16 1999 +++ openssh-1.2pre13/packet.h Tue Nov 16 13:37:16 1999 @@ -18,7 +18,14 @@ #ifndef PACKET_H #define PACKET_H +#include "config.h" + +#ifdef HAVE_OPENSSL +#include +#endif +#ifdef HAVE_SSL #include +#endif /* Sets the socket used for communication. Disables encryption until packet_set_encryption_key is called. It is permissible that fd_in diff -ruN --exclude CVS ssh-openbsd-1999111900/pty.c openssh-1.2pre13/pty.c --- ssh-openbsd-1999111900/pty.c Sun Oct 17 06:57:52 1999 +++ openssh-1.2pre13/pty.c Mon Nov 15 15:40:55 1999 @@ -16,6 +16,10 @@ #include "includes.h" RCSID("$Id: pty.c,v 1.5 1999/10/16 20:57:52 deraadt Exp $"); +#ifdef HAVE_PTY_H +#include +#endif /* HAVE_PTY_H */ + #include "pty.h" #include "ssh.h" diff -ruN --exclude CVS ssh-openbsd-1999111900/rc4.c openssh-1.2pre13/rc4.c --- ssh-openbsd-1999111900/rc4.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/rc4.c Thu Oct 28 14:12:54 1999 @@ -0,0 +1,109 @@ +/*! \file rc4.c + \brief Source file for RC4 stream cipher routines + \author Damien Miller + \version 0.0.0 + \date 1999 + + A simple implementation of the RC4 stream cipher, based on the + description given in _Bruce Schneier's_ "Applied Cryptography" + 2nd edition. + + Copyright 1999 Damien Miller + + Permission is hereby granted, free of charge, to any person + obtaining a copy of this software and associated documentation + files (the "Software"), to deal in the Software without + restriction, including without limitation the rights to use, copy, + modify, merge, publish, distribute, sublicense, and/or sell copies + of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY + KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE + WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE + AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER BE LIABLE + FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF + CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION + WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + \warning None of these functions clears its memory after use. It + \warning is the responsability of the calling routines to ensure + \warning that any sensitive data (keystream, key or plaintext) is + \warning properly erased after use. + + \warning The name "RC4" is trademarked in the United States, + \warning you may need to use "RC4 compatible" or "ARC4" + \warning (Alleged RC4). +*/ + +/* $Id: rc4.c,v 1.1.1.1 1999/10/26 05:48:13 damien Exp $ */ + +#include "config.h" + +#ifndef HAVE_ARC4RANDOM +#include "rc4.h" + + +void rc4_key(rc4_t *r, unsigned char *key, int len) +{ + int t; + + for(r->i = 0; r->i < 256; r->i++) + r->s[r->i] = r->i; + + r->j = 0; + for(r->i = 0; r->i < 256; r->i++) + { + r->j = (r->j + r->s[r->i] + key[r->i % len]) % 256; + t = r->s[r->i]; + r->s[r->i] = r->s[r->j]; + r->s[r->j] = t; + } + r->i = r->j = 0; +} + +void rc4_crypt(rc4_t *r, unsigned char *plaintext, int len) +{ + int t; + int c; + + c = 0; + while(c < len) + { + r->i = (r->i + 1) % 256; + r->j = (r->j + r->s[r->i]) % 256; + t = r->s[r->i]; + r->s[r->i] = r->s[r->j]; + r->s[r->j] = t; + + t = (r->s[r->i] + r->s[r->j]) % 256; + + plaintext[c] ^= r->s[t]; + c++; + } +} + +void rc4_getbytes(rc4_t *r, unsigned char *buffer, int len) +{ + int t; + int c; + + c = 0; + while(c < len) + { + r->i = (r->i + 1) % 256; + r->j = (r->j + r->s[r->i]) % 256; + t = r->s[r->i]; + r->s[r->i] = r->s[r->j]; + r->s[r->j] = t; + + t = (r->s[r->i] + r->s[r->j]) % 256; + + buffer[c] = r->s[t]; + c++; + } +} +#endif /* !HAVE_ARC4RANDOM */ diff -ruN --exclude CVS ssh-openbsd-1999111900/rc4.h openssh-1.2pre13/rc4.h --- ssh-openbsd-1999111900/rc4.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/rc4.h Thu Oct 28 14:12:54 1999 @@ -0,0 +1,115 @@ +/*! \file rc4.h + \brief Header file for RC4 stream cipher routines + \author Damien Miller + \version 0.0.0 + \date 1999 + + A simple implementation of the RC4 stream cipher, based on the + description given in _Bruce Schneier's_ "Applied Cryptography" + 2nd edition. + + Copyright 1999 Damien Miller + + Permission is hereby granted, free of charge, to any person + obtaining a copy of this software and associated documentation + files (the "Software"), to deal in the Software without + restriction, including without limitation the rights to use, copy, + modify, merge, publish, distribute, sublicense, and/or sell copies + of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY + KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE + WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE + AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER BE LIABLE + FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF + CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION + WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + \warning None of these functions clears its memory after use. It + \warning is the responsability of the calling routines to ensure + \warning that any sensitive data (keystream, key or plaintext) is + \warning properly erased after use. + + \warning The name "RC4" is trademarked in the United States, + \warning you may need to use "RC4 compatible" or "ARC4" + \warning (Alleged RC4). +*/ + +/* $Id: rc4.h,v 1.1.1.1 1999/10/26 05:48:13 damien Exp $ */ + +#ifndef _RC4_H +#define _RC4_H + +#include "config.h" +#ifndef HAVE_ARC4RANDOM + +/*! \struct rc4_t + \brief RC4 stream cipher state object + \var s State array + \var i Monotonic index + \var j Randomised index + + \warning This structure should not be accessed directly. To + \warning initialise a rc4_t object, you should use the rc4_key() + \warning function + + This structure holds the current state of the RC4 algorithm. +*/ +typedef struct +{ + unsigned int s[256]; + int i; + int j; +} rc4_t; + +/*! \fn void rc4_key(rc4_t *r, unsigned char *key, int len); + \brief Set up key structure of RC4 stream cipher + \param r pointer to RC4 structure to be seeded + \param key pointer to buffer containing raw key + \param len length of key + + This function set the internal state of the RC4 data structure + pointed to by \a r using the specified \a key of length \a len. + + This function can use up to 256 bytes of key, any more are ignored. + + \warning Stream ciphers (such as RC4) can be insecure if the same + \warning key is used repeatedly. Ensure that any key specified has + \warning an reasonably sized Initialisation Vector component. +*/ +void rc4_key(rc4_t *r, unsigned char *key, int len); + +/*! \fn rc4_crypt(rc4_t *r, unsigned char *plaintext, int len); + \brief Crypt bytes using RC4 algorithm + \param r pointer to RC4 structure to be used + \param plaintext Pointer to bytes to encrypt + \param len number of bytes to crypt + + This function encrypts one or more bytes (pointed to by \a plaintext) + using the RC4 algorithm. \a r is a state structure that must be + initialiased using the rc4_key() function prior to use. + + Since RC4 XORs each byte of plaintext with a byte of keystream, + this function can be used for both encryption and decryption. +*/ +void rc4_crypt(rc4_t *r, unsigned char *plaintext, int len); + +/*! \fn rc4_getbytes(rc4_t *r, unsigned char *buffer, int len); + \brief Generate key stream using the RC4 stream cipher + \param r pointer to RC4 structure to be used + \param buffer pointer to buffer in which to deposit keystream + \param len number of bytes to deposit + + This function gives access to the raw RC4 key stream. In this + consiguration RC4 can be used as a fast, strong pseudo-random + number generator with a very long period. +*/ +void rc4_getbytes(rc4_t *r, unsigned char *buffer, int len); + +#endif /* !HAVE_ARC4RANDOM */ + +#endif /* _RC4_H */ diff -ruN --exclude CVS ssh-openbsd-1999111900/rsa.h openssh-1.2pre13/rsa.h --- ssh-openbsd-1999111900/rsa.h Wed Sep 29 16:15:00 1999 +++ openssh-1.2pre13/rsa.h Thu Nov 11 10:40:23 1999 @@ -14,23 +14,31 @@ */ /* RCSID("$Id: rsa.h,v 1.2 1999/09/29 06:15:00 deraadt Exp $"); */ +#include "config.h" #ifndef RSA_H #define RSA_H +#ifdef HAVE_OPENSSL +#include +#include +#endif + +#ifdef HAVE_SSL #include #include +#endif /* Calls SSL RSA_generate_key, only copies to prv and pub */ void rsa_generate_key(RSA *prv, RSA *pub, unsigned int bits); /* Indicates whether the rsa module is permitted to show messages on the terminal. */ -void rsa_set_verbose __P((int verbose)); +void rsa_set_verbose(int verbose); -int rsa_alive __P((void)); +int rsa_alive(void); -void rsa_public_encrypt __P((BIGNUM *out, BIGNUM *in, RSA *prv)); -void rsa_private_decrypt __P((BIGNUM *out, BIGNUM *in, RSA *prv)); +void rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *prv); +void rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *prv); #endif /* RSA_H */ diff -ruN --exclude CVS ssh-openbsd-1999111900/scp/Makefile openssh-1.2pre13/scp/Makefile --- ssh-openbsd-1999111900/scp/Makefile Tue Oct 26 06:27:26 1999 +++ openssh-1.2pre13/scp/Makefile Thu Jan 1 10:00:00 1970 @@ -1,18 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= scp -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=555 -.endif - -BINDIR= /usr/bin -MAN= scp.1 - -SRCS= scp.c - -.include diff -ruN --exclude CVS ssh-openbsd-1999111900/scp.c openssh-1.2pre13/scp.c --- ssh-openbsd-1999111900/scp.c Thu Nov 18 09:15:32 1999 +++ openssh-1.2pre13/scp.c Fri Nov 19 12:34:14 1999 @@ -1148,7 +1148,7 @@ (void)gettimeofday(&now, (struct timezone *)0); cursize = statbytes; if (totalbytes != 0) { - ratio = cursize * 100 / totalbytes; + ratio = cursize * 100.0 / totalbytes; ratio = MAX(ratio, 0); ratio = MIN(ratio, 100); } diff -ruN --exclude CVS ssh-openbsd-1999111900/ssh/Makefile openssh-1.2pre13/ssh/Makefile --- ssh-openbsd-1999111900/ssh/Makefile Thu Nov 18 17:58:14 1999 +++ openssh-1.2pre13/ssh/Makefile Thu Jan 1 10:00:00 1970 @@ -1,36 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= ssh -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=4555 -.endif - -BINDIR= /usr/bin -MAN= ssh.1 -LINKS= ${BINDIR}/ssh ${BINDIR}/slogin -MLINKS= ssh.1 slogin.1 - -SRCS= ssh.c sshconnect.c log-client.c readconf.c clientloop.c - -.include # for AFS - -.if (${KERBEROS} == "yes") -CFLAGS+= -DKRB4 -I/usr/include/kerberosIV -LDADD+= -lkrb -DPADD+= ${LIBKRB} -.if (${AFS} == "yes") -CFLAGS+= -DAFS -LDADD+= -lkafs -DPADD+= ${LIBKRBAFS} -.endif # AFS -.endif # KERBEROS - -.include - -LDADD+= -lutil -lz -lcrypto -DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} diff -ruN --exclude CVS ssh-openbsd-1999111900/ssh-add/Makefile openssh-1.2pre13/ssh-add/Makefile --- ssh-openbsd-1999111900/ssh-add/Makefile Thu Oct 28 15:05:00 1999 +++ openssh-1.2pre13/ssh-add/Makefile Thu Jan 1 10:00:00 1970 @@ -1,21 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= ssh-add -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=555 -.endif - -BINDIR= /usr/bin -MAN= ssh-add.1 - -SRCS= ssh-add.c log-client.c - -.include - -LDADD+= -lcrypto -lutil -lz -DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} diff -ruN --exclude CVS ssh-openbsd-1999111900/ssh-add.c openssh-1.2pre13/ssh-add.c --- ssh-openbsd-1999111900/ssh-add.c Wed Nov 17 16:17:16 1999 +++ openssh-1.2pre13/ssh-add.c Wed Nov 17 17:29:08 1999 @@ -22,6 +22,16 @@ #include "authfd.h" #include "fingerprint.h" +#ifdef USE_EXTERNAL_ASKPASS +int askpass(const char *filename, RSA *key, const char *saved_comment, char **comment); +#endif /* USE_EXTERNAL_ASKPASS */ + +#ifdef HAVE___PROGNAME +extern char *__progname; +#else /* HAVE___PROGNAME */ +const char *__progname = "ssh-add"; +#endif /* HAVE___PROGNAME */ + void delete_file(AuthenticationConnection *ac, const char *filename) { @@ -74,11 +84,27 @@ success = load_private_key(filename, "", key, &comment); if (!success) { printf("Need passphrase for %s (%s).\n", filename, saved_comment); - if (!isatty(STDIN_FILENO)){ + if (!isatty(STDIN_FILENO)) { +#ifdef USE_EXTERNAL_ASKPASS + int prompts = 3; + + while (prompts && !success) + { + success = askpass(filename, key, saved_comment, &comment); + prompts--; + } + if (!success) + { + xfree(saved_comment); + return; + } +#else /* !USE_EXTERNAL_ASKPASS */ xfree(saved_comment); return; +#endif /* USE_EXTERNAL_ASKPASS */ } - for (;;) { + + while (!success) { char *pass = read_passphrase("Enter passphrase: ", 1); if (strcmp(pass, "") == 0){ xfree(pass); @@ -217,3 +243,85 @@ ssh_close_authentication_connection(ac); exit(0); } + +#ifdef USE_EXTERNAL_ASKPASS +int askpass(const char *filename, RSA *key, const char *saved_comment, char **comment) +{ + int pipes[2]; + char buf[1024]; + int tmp; + pid_t child; + FILE *pipef; + + /* Check that we are X11-capable */ + if (getenv("DISPLAY") == NULL) + exit(1); + + if (pipe(pipes) == -1) { + fprintf(stderr, "Creating pipes failed: %s\n", strerror(errno)); + exit(1); + } + + if (fflush(NULL) == EOF) { + fprintf(stderr, "Cannot flush buffers: %s\n", strerror(errno)); + exit(1); + } + + child = fork(); + if (child == -1) { + fprintf(stderr, "Cannot fork: %s\n", strerror(errno)); + exit(1); + } + + if (child == 0) { + /* In child */ + + close(pipes[0]); + if (dup2(pipes[1], 1) ==-1) { + fprintf(stderr, "dup2 failed: %s\n", strerror(errno)); + exit(1); + } + + tmp = snprintf(buf, sizeof(buf), "Need passphrase for %s (%s)", filename, saved_comment); + /* skip the prompt if it won't fit */ + if ((tmp < 0) || (tmp >= sizeof(buf))) + tmp = execlp(ASKPASS_PROGRAM, "ssh-askpass", 0); + else + tmp = execlp(ASKPASS_PROGRAM, "ssh-askpass", buf, 0); + + /* Shouldn't get this far */ + fprintf(stderr, "Executing ssh-askpass failed: %s\n", strerror(errno)); + exit(1); + } + + /* In parent */ + close(pipes[1]); + + if ((pipef = fdopen(pipes[0], "r")) == NULL) { + fprintf(stderr, "fdopen failed: %s\n", strerror(errno)); + exit(1); + } + + /* Read passphrase back from child, abort if none presented */ + if(fgets(buf, sizeof(buf), pipef) == NULL) + exit(1); + + fclose(pipef); + + if (strchr(buf, '\n')) + *strchr(buf, '\n') = 0; + + if (waitpid(child, NULL, 0) == -1) { + fprintf(stderr, "Waiting for child failed: %s\n", + strerror(errno)); + exit(1); + } + + /* Try password as it was presented */ + tmp = load_private_key(filename, buf, key, comment); + + memset(buf, 0, sizeof(buf)); + + return(tmp); +} +#endif /* USE_EXTERNAL_ASKPASS */ diff -ruN --exclude CVS ssh-openbsd-1999111900/ssh-agent/Makefile openssh-1.2pre13/ssh-agent/Makefile --- ssh-openbsd-1999111900/ssh-agent/Makefile Thu Oct 28 15:05:00 1999 +++ openssh-1.2pre13/ssh-agent/Makefile Thu Jan 1 10:00:00 1970 @@ -1,21 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= ssh-agent -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=555 -.endif - -BINDIR= /usr/bin -MAN= ssh-agent.1 - -SRCS= ssh-agent.c log-client.c - -.include - -LDADD+= -lcrypto -lutil -lz -DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} diff -ruN --exclude CVS ssh-openbsd-1999111900/ssh-agent.1 openssh-1.2pre13/ssh-agent.1 --- ssh-openbsd-1999111900/ssh-agent.1 Wed Nov 17 16:17:17 1999 +++ openssh-1.2pre13/ssh-agent.1 Wed Nov 17 17:29:08 1999 @@ -109,6 +109,14 @@ .Pp The agent exits automatically when the command given on the command line terminates. +.Pp +Here's a trick that will allow you to start this up from your .bash_profile (just put it in as the first thing that happens): +.Sp +.Vb 1 + +\& [ ! "$SSH_AGENT_PID" ] && exec ssh-agent -- bash --login +\& ssh-add +.Ve .Sh FILES .Bl -tag -width Ds .It Pa $HOME/.ssh/identity diff -ruN --exclude CVS ssh-openbsd-1999111900/ssh-agent.c openssh-1.2pre13/ssh-agent.c --- ssh-openbsd-1999111900/ssh-agent.c Fri Nov 19 08:16:25 1999 +++ openssh-1.2pre13/ssh-agent.c Fri Nov 19 08:25:48 1999 @@ -28,7 +28,18 @@ #include "getput.h" #include "mpaux.h" +#ifdef HAVE_OPENSSL +#include +#endif +#ifdef HAVE_SSL #include +#endif + +#ifdef HAVE___PROGNAME +extern char *__progname; +#else /* HAVE___PROGNAME */ +const char *__progname = "ssh-agent"; +#endif /* HAVE___PROGNAME */ typedef struct { @@ -504,8 +515,6 @@ void usage() { - extern char *__progname; - fprintf(stderr, "ssh-agent version %s\n", SSH_VERSION); fprintf(stderr, "Usage: %s [-c | -s] [-k] [command {args...]]\n", __progname); @@ -523,14 +532,17 @@ /* check if RSA support exists */ if (rsa_alive() == 0) { - extern char *__progname; fprintf(stderr, "%s: no RSA support in libssl and libcrypto. See ssl(8).\n", __progname); exit(1); } +#if defined(__GNU_LIBRARY__) + while ((ch = getopt(ac, av, "+cks")) != -1) +#else while ((ch = getopt(ac, av, "cks")) != -1) +#endif /* defined(__GNU_LIBRARY__) */ { switch (ch) { diff -ruN --exclude CVS ssh-openbsd-1999111900/ssh-askpass openssh-1.2pre13/ssh-askpass --- ssh-openbsd-1999111900/ssh-askpass Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/ssh-askpass Mon Nov 8 15:30:59 1999 @@ -0,0 +1,38 @@ +#!/usr/bin/perl -w + +# Written by Tommi Virtanen . Consider it public domain. + +use strict; +use Tk; + +sub do_it($$;) { + my ($passphrase, $main) = @_; + print $passphrase->get(), "\n"; + $main->destroy(); +} + +sub ask($;) { + my ($prompt)=@_; + my $main=MainWindow->new; + $main->Label(-text=>$prompt)->pack(-fill=>'x'); + my $passphrase=$main->Entry(-show=>'*')->pack(-fill=>'x'); + $passphrase->focus(); + my $buttons=$main->Frame; + $buttons->pack(-side=>'right'); + my $ok=$buttons->Button(-text=>'Ok', + -command=>sub {do_it $passphrase, $main} + )->pack(-side=>'left'); + my $cancel=$buttons->Button(-text=>'Cancel', -command=>[$main=>'destroy']) + ->pack(-side=>'right'); + $main->bind('Tk::Button', '' => 'invoke'); + $main->bind('', [$ok => 'invoke']); + $main->bind('', [$cancel => 'invoke']); + $main->bind('' => [$main => 'grabGlobal']); + + MainLoop; +} + +ask ($#ARGV==0 + ? $ARGV[0] + : 'Please enter your authentication passphrase:'); + diff -ruN --exclude CVS ssh-openbsd-1999111900/ssh-keygen/Makefile openssh-1.2pre13/ssh-keygen/Makefile --- ssh-openbsd-1999111900/ssh-keygen/Makefile Thu Oct 28 15:05:00 1999 +++ openssh-1.2pre13/ssh-keygen/Makefile Thu Jan 1 10:00:00 1970 @@ -1,21 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= ssh-keygen -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=555 -.endif - -BINDIR= /usr/bin -MAN= ssh-keygen.1 - -SRCS= ssh-keygen.c log-client.c - -.include - -LDADD+= -lcrypto -lutil -lz -DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} diff -ruN --exclude CVS ssh-openbsd-1999111900/ssh-keygen.c openssh-1.2pre13/ssh-keygen.c --- ssh-openbsd-1999111900/ssh-keygen.c Wed Nov 17 16:17:18 1999 +++ openssh-1.2pre13/ssh-keygen.c Wed Nov 17 17:29:08 1999 @@ -21,6 +21,12 @@ #include "xmalloc.h" #include "fingerprint.h" +#ifdef HAVE___PROGNAME +extern char *__progname; +#else /* HAVE___PROGNAME */ +const char *__progname = "ssh-keygen"; +#endif /* HAVE___PROGNAME */ + /* Generated private key. */ RSA *private_key; diff -ruN --exclude CVS ssh-openbsd-1999111900/ssh.1 openssh-1.2pre13/ssh.1 --- ssh-openbsd-1999111900/ssh.1 Thu Nov 18 10:54:49 1999 +++ openssh-1.2pre13/ssh.1 Thu Nov 18 11:35:13 1999 @@ -9,7 +9,7 @@ .\" .\" Created: Sat Apr 22 21:55:14 1995 ylo .\" -.\" $Id: ssh.1,v 1.26 1999/11/17 21:08:07 aaron Exp $ +.\" $Id: ssh.1,v 1.25 1999/11/16 22:53:29 provos Exp $ .\" .Dd September 25, 1999 .Dt SSH 1 @@ -66,7 +66,7 @@ First, if the machine the user logs in from is listed in .Pa /etc/hosts.equiv or -.Pa /etc/shosts.equiv +.Pa /etc/ssh/shosts.equiv on the remote machine, and the user names are the same on both sides, the user is immediately permitted to log in. Second, if @@ -89,10 +89,10 @@ .Pa \&.shosts , .Pa /etc/hosts.equiv , or -.Pa /etc/shosts.equiv , +.Pa /etc/ssh/shosts.equiv , and if additionally the server can verify the client's host key (see -.Pa /etc/ssh_known_hosts +.Pa /etc/ssh/ssh_known_hosts and .Pa $HOME/.ssh/known_hosts in the @@ -250,7 +250,7 @@ database is stored in .Pa \&.ssh/known_hosts in the user's home directory. Additionally, the file -.Pa /etc/ssh_known_hosts +.Pa /etc/ssh/ssh_known_hosts is automatically checked for known hosts. Any new hosts are automatically added to the user's file. If a host's identification ever changes, @@ -418,7 +418,7 @@ command line options, user's configuration file .Pq Pa $HOME/.ssh/config , and system-wide configuration file -.Pq Pa /etc/ssh_config . +.Pq Pa /etc/ssh/ssh_config . For each parameter, the first obtained value will be used. The configuration files contain sections bracketed by "Host" specifications, and that section is only applied for hosts that @@ -542,7 +542,7 @@ .Dq no . .It Cm GlobalKnownHostsFile Specifies a file to use instead of -.Pa /etc/ssh_known_hosts . +.Pa /etc/ssh/ssh_known_hosts . .It Cm HostName Specifies the real host name to log into. This can be used to specify nicnames or abbreviations for hosts. Default is the name given on the @@ -680,7 +680,7 @@ file, and refuses to connect hosts whose host key has changed. This provides maximum protection against trojan horse attacks. However, it can be somewhat annoying if you don't have good -.Pa /etc/ssh_known_hosts +.Pa /etc/ssh/ssh_known_hosts files installed and frequently connect new hosts. Basically this option forces the user to manually add any new hosts. Normally this option is disabled, and new hosts @@ -787,7 +787,7 @@ .It Pa $HOME/.ssh/known_hosts Records host keys for all hosts the user has logged into (that are not in -.Pa /etc/ssh_known_hosts ) . +.Pa /etc/ssh/ssh_known_hosts ) . See .Xr sshd 8 . .It Pa $HOME/.ssh/random_seed @@ -832,7 +832,7 @@ modulus, public exponent, modulus, and comment fields, separated by spaces). This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. -.It Pa /etc/ssh_known_hosts +.It Pa /etc/ssh/ssh_known_hosts Systemwide list of known host keys. This file should be prepared by the system administrator to contain the public host keys of all machines in the organization. This file should be world-readable. This file contains @@ -851,7 +851,7 @@ does not convert the user-supplied name to a canonical name before checking the key, because someone with access to the name servers would then be able to fool host authentication. -.It Pa /etc/ssh_config +.It Pa /etc/ssh/ssh_config Systemwide configuration file. This file provides defaults for those values that are not specified in the user's configuration file, and for those users who do not have a configuration file. This file must @@ -878,7 +878,7 @@ will be installed so that it requires successful RSA host authentication before permitting \s+2.\s0rhosts authentication. If your server machine does not have the client's host key in -.Pa /etc/ssh_known_hosts , +.Pa /etc/ssh/ssh_known_hosts , you can store it in .Pa $HOME/.ssh/known_hosts . The easiest way to do this is to @@ -905,13 +905,13 @@ automatically permitted provided client and server user names are the same. Additionally, successful RSA host authentication is normally required. This file should only be writable by root. -.It Pa /etc/shosts.equiv +.It Pa /etc/ssh/shosts.equiv This file is processed exactly as .Pa /etc/hosts.equiv . This file may be useful to permit logins using .Nm but not using rsh/rlogin. -.It Pa /etc/sshrc +.It Pa /etc/ssh/sshrc Commands in this file are executed by .Nm when the user logs in just before the user's shell (or command) is started. diff -ruN --exclude CVS ssh-openbsd-1999111900/ssh.c openssh-1.2pre13/ssh.c --- ssh-openbsd-1999111900/ssh.c Tue Nov 16 13:00:20 1999 +++ openssh-1.2pre13/ssh.c Tue Nov 16 13:37:16 1999 @@ -28,6 +28,12 @@ #include "readconf.h" #include "uidswap.h" +#ifdef HAVE___PROGNAME +extern char *__progname; +#else /* HAVE___PROGNAME */ +const char *__progname = "ssh"; +#endif /* HAVE___PROGNAME */ + /* Flag indicating whether debug mode is on. This can be set on the command line. */ int debug_flag = 0; @@ -399,7 +405,6 @@ /* check if RSA support exists */ if (rsa_alive() == 0) { - extern char *__progname; fprintf(stderr, "%s: no RSA support in libssl and libcrypto. See ssl(8).\n", @@ -607,17 +612,6 @@ /* Close connection cleanly after attack. */ cipher_attack_detected = packet_disconnect; - /* If requested, fork and let ssh continue in the background. */ - if (fork_after_authentication_flag) - { - int ret = fork(); - if (ret == -1) - fatal("fork failed: %.100s", strerror(errno)); - if (ret != 0) - exit(0); - setsid(); - } - /* Enable compression if requested. */ if (options.compression) { @@ -777,6 +771,17 @@ channel_request_remote_forwarding(options.remote_forwards[i].port, options.remote_forwards[i].host, options.remote_forwards[i].host_port); + } + + /* If requested, fork and let ssh continue in the background. */ + if (fork_after_authentication_flag) + { + int ret = fork(); + if (ret == -1) + fatal("fork failed: %.100s", strerror(errno)); + if (ret != 0) + exit(0); + setsid(); } /* If a command was specified on the command line, execute the command now. diff -ruN --exclude CVS ssh-openbsd-1999111900/ssh.h openssh-1.2pre13/ssh.h --- ssh-openbsd-1999111900/ssh.h Tue Nov 16 13:00:22 1999 +++ openssh-1.2pre13/ssh.h Tue Nov 16 13:37:17 1999 @@ -18,6 +18,10 @@ #ifndef SSH_H #define SSH_H +#include /* For struct sockaddr_in */ +#include /* For struct pw */ +#include /* For va_list */ + #include "rsa.h" #include "cipher.h" @@ -51,7 +55,10 @@ port if present. */ #define SSH_SERVICE_NAME "ssh" +#ifndef ETCDIR #define ETCDIR "/etc" +#endif /* ETCDIR */ + #define PIDDIR "/var/run" /* System-wide file containing host keys of known hosts. This file should be @@ -64,11 +71,21 @@ are all defined in Makefile.in. Of these, ssh_host_key should be readable only by root, whereas ssh_config should be world-readable. */ -#define HOST_KEY_FILE "/etc/ssh_host_key" -#define SERVER_CONFIG_FILE "/etc/sshd_config" -#define HOST_CONFIG_FILE "/etc/ssh_config" +#define HOST_KEY_FILE ETCDIR "/ssh_host_key" +#define SERVER_CONFIG_FILE ETCDIR "/sshd_config" +#define HOST_CONFIG_FILE ETCDIR "/ssh_config" +#ifndef SSH_PROGRAM #define SSH_PROGRAM "/usr/bin/ssh" +#endif /* SSH_PROGRAM */ + +#ifndef LOGIN_PROGRAM +#define LOGIN_PROGRAM "/usr/bin/login" +#endif /* LOGIN_PROGRAM */ + +#ifndef ASKPASS_PROGRAM +#define ASKPASS_PROGRAM "/usr/lib/ssh/ssh-askpass" +#endif /* ASKPASS_PROGRAM */ /* The process id of the daemon listening for connections is saved here to make it easier to kill the correct daemon when necessary. */ diff -ruN --exclude CVS ssh-openbsd-1999111900/sshconnect.c openssh-1.2pre13/sshconnect.c --- ssh-openbsd-1999111900/sshconnect.c Fri Nov 19 08:16:28 1999 +++ openssh-1.2pre13/sshconnect.c Fri Nov 19 08:25:48 1999 @@ -17,7 +17,15 @@ #include "includes.h" RCSID("$Id: sshconnect.c,v 1.35 1999/11/18 14:00:49 markus Exp $"); +#ifdef HAVE_OPENSSL +#include +#include +#endif +#ifdef HAVE_SSL #include +#include +#endif + #include "xmalloc.h" #include "rsa.h" #include "ssh.h" @@ -29,8 +37,6 @@ #include "compat.h" #include "readconf.h" #include "fingerprint.h" - -#include /* Session id for the current session. */ unsigned char session_id[16]; diff -ruN --exclude CVS ssh-openbsd-1999111900/sshd/Makefile openssh-1.2pre13/sshd/Makefile --- ssh-openbsd-1999111900/sshd/Makefile Tue Oct 26 06:27:27 1999 +++ openssh-1.2pre13/sshd/Makefile Thu Jan 1 10:00:00 1970 @@ -1,45 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= sshd -BINOWN= root -BINMODE=555 -BINDIR= /usr/sbin -MAN= sshd.8 - -SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \ - pty.c log-server.c login.c servconf.c serverloop.c - -.include # for KERBEROS and AFS - -.if (${KERBEROS} == "yes") -CFLAGS+= -DKRB4 -I/usr/include/kerberosIV -SRCS+= auth-krb4.c -LDADD+= -lkrb -DPADD+= ${LIBKRB} -.if (${AFS} == "yes") -CFLAGS+= -DAFS -LDADD+= -lkafs -DPADD+= ${LIBKRBAFS} -.endif # AFS -.endif # KERBEROS - -.if (${SKEY} == "yes") -SRCS+= auth-skey.c -.endif - -.include - -LDADD+= -lcrypto -lutil -lz -DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} - -.if (${TCP_WRAPPERS} == "yes") -CFLAGS+= -DLIBWRAP -LDADD+= -lwrap -DPADD+= ${LIBWRAP} -.endif - -.if (${SKEY} == "yes") -CFLAGS+= -DSKEY -LDADD+= -lskey -DPADD+= ${SKEY} -.endif diff -ruN --exclude CVS ssh-openbsd-1999111900/sshd.8 openssh-1.2pre13/sshd.8 --- ssh-openbsd-1999111900/sshd.8 Fri Nov 12 11:19:22 1999 +++ openssh-1.2pre13/sshd.8 Fri Nov 12 11:33:04 1999 @@ -118,7 +118,7 @@ intended for debugging for the server. .It Fl f Ar configuration_file Specifies the name of the configuration file. The default is -.Pa /etc/sshd_config . +.Pa /etc/ssh/sshd_config . .Nm refuses to start if there is no configuration file. .It Fl g Ar login_grace_time @@ -128,7 +128,7 @@ indicates no limit. .It Fl h Ar host_key_file Specifies the file from which the host key is read (default -.Pa /etc/ssh_host_key ) . +.Pa /etc/ssh/ssh_host_key ) . This option must be given if .Nm is not run as root (as the normal @@ -165,7 +165,7 @@ .Sh CONFIGURATION FILE .Nm reads configuration data from -.Pa /etc/sshd_config +.Pa /etc/ssh/sshd_config (or the file specified with .Fl f on the command line). The file @@ -233,7 +233,7 @@ the user name. .It Cm HostKey Specifies the file containing the private host key (default -.Pa /etc/ssh_host_key ) . +.Pa /etc/ssh/ssh_host_key ) . Note that .Nm does not start if this file is group/world-accessible. @@ -242,7 +242,7 @@ authentication. .Pa /etc/hosts.equiv and -.Pa /etc/shosts.equiv +.Pa /etc/ssh/shosts.equiv are still used. The default is .Dq no . .It Cm IgnoreUserKnownHosts @@ -458,7 +458,7 @@ If .Pa $HOME/.ssh/rc exists, runs it; else if -.Pa /etc/sshrc +.Pa /etc/ssh/sshrc exists, runs it; otherwise runs xauth. The .Dq rc @@ -544,7 +544,7 @@ command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi .Sh SSH_KNOWN_HOSTS FILE FORMAT The -.Pa /etc/ssh_known_hosts +.Pa /etc/ssh/ssh_known_hosts and .Pa $HOME/.ssh/known_hosts files contain host public keys for all known hosts. The global file should @@ -567,7 +567,7 @@ .Pp Bits, exponent, and modulus are taken directly from the host key; they can be obtained, e.g., from -.Pa /etc/ssh_host_key.pub . +.Pa /etc/ssh/ssh_host_key.pub . The optional comment field continues to the end of the line, and is not used. .Pp Lines starting with @@ -586,25 +586,25 @@ long, and you definitely don't want to type in the host keys by hand. Rather, generate them by a script or by taking -.Pa /etc/ssh_host_key.pub +.Pa /etc/ssh/ssh_host_key.pub and adding the host names at the front. .Ss Examples closenet,closenet.hut.fi,.\|.\|.\|,130.233.208.41 1024 37 159.\|.\|.93 closenet.hut.fi .Sh FILES .Bl -tag -width Ds -.It Pa /etc/sshd_config +.It Pa /etc/ssh/sshd_config Contains configuration data for .Nm sshd . This file should be writable by root only, but it is recommended (though not necessary) that it be world-readable. -.It Pa /etc/ssh_host_key +.It Pa /etc/ssh/ssh_host_key Contains the private part of the host key. This file should only be owned by root, readable only by root, and not accessible to others. Note that .Nm does not start if this file is group/world-accessible. -.It Pa /etc/ssh_host_key.pub +.It Pa /etc/ssh/ssh_host_key.pub Contains the public part of the host key. This file should be world-readable but writable only by root. Its contents should match the private part. This file is not @@ -632,7 +632,7 @@ The client uses the same files to verify that the remote host is the one we intended to connect. These files should be writable only by root/the owner. -.Pa /etc/ssh_known_hosts +.Pa /etc/ssh/ssh_known_hosts should be world-readable, and .Pa $HOME/.ssh/known_hosts can but need not be world-readable. @@ -694,7 +694,7 @@ of is in negative entries. .Pp Note that this warning also applies to rsh/rlogin. -.It Pa /etc/shosts.equiv +.It Pa /etc/ssh/shosts.equiv This is processed exactly as .Pa /etc/hosts.equiv . However, this file may be useful in environments that want to run both @@ -724,13 +724,13 @@ $proto $cookie | xauth -q -; fi". .Pp If this file does not exist, -.Pa /etc/sshrc +.Pa /etc/ssh/sshrc is run, and if that does not exist either, xauth is used to store the cookie. .Pp This file should be writable only by the user, and need not be readable by anyone else. -.It Pa /etc/sshrc +.It Pa /etc/ssh/sshrc Like .Pa $HOME/.ssh/rc . This can be used to specify diff -ruN --exclude CVS ssh-openbsd-1999111900/sshd.c openssh-1.2pre13/sshd.c --- ssh-openbsd-1999111900/sshd.c Fri Nov 19 08:16:33 1999 +++ openssh-1.2pre13/sshd.c Fri Nov 19 08:25:48 1999 @@ -32,6 +32,10 @@ #include "uidswap.h" #include "compat.h" +#ifdef HAVE_MAILLOCK_H +# include +#endif + #ifdef LIBWRAP #include #include @@ -130,6 +134,148 @@ const char *display, const char *auth_proto, const char *auth_data, const char *ttyname); +#ifdef HAVE_LIBPAM +static int pamconv(int num_msg, const struct pam_message **msg, + struct pam_response **resp, void *appdata_ptr); +void do_pam_account_and_session(char *username, char *remote_user, + const char *remote_host); +void pam_cleanup_proc(void *context); + +static struct pam_conv conv = { + pamconv, + NULL +}; +struct pam_handle_t *pamh = NULL; +const char *pampasswd = NULL; +char *pamconv_msg = NULL; + +static int pamconv(int num_msg, const struct pam_message **msg, + struct pam_response **resp, void *appdata_ptr) +{ + struct pam_response *reply; + int count; + size_t msg_len; + char *p; + + /* PAM will free this later */ + reply = malloc(num_msg * sizeof(*reply)); + if (reply == NULL) + return PAM_CONV_ERR; + + for(count = 0; count < num_msg; count++) + { + switch (msg[count]->msg_style) + { + case PAM_PROMPT_ECHO_OFF: + if (pampasswd == NULL) + { + free(reply); + return PAM_CONV_ERR; + } + reply[count].resp_retcode = PAM_SUCCESS; + reply[count].resp = xstrdup(pampasswd); + break; + + case PAM_TEXT_INFO: + reply[count].resp_retcode = PAM_SUCCESS; + reply[count].resp = xstrdup(""); + + if (msg[count]->msg == NULL) + break; + debug("Adding PAM message: %s", msg[count]->msg); + + msg_len = strlen(msg[count]->msg); + if (pamconv_msg) + { + size_t n = strlen(pamconv_msg); + pamconv_msg = xrealloc(pamconv_msg, n + msg_len + 2); + p = pamconv_msg + n; + } + else + pamconv_msg = p = xmalloc(msg_len + 2); + memcpy(p, msg[count]->msg, msg_len); + p[msg_len] = '\n'; + p[msg_len + 1] = '\0'; + break; + + case PAM_PROMPT_ECHO_ON: + case PAM_ERROR_MSG: + default: + free(reply); + return PAM_CONV_ERR; + } + } + + *resp = reply; + + return PAM_SUCCESS; +} + +void pam_cleanup_proc(void *context) +{ + int pam_retval; + + if (pamh != NULL) + { + pam_retval = pam_close_session((pam_handle_t *)pamh, 0); + if (pam_retval != PAM_SUCCESS) + { + log("Cannot close PAM session: %.200s", + pam_strerror((pam_handle_t *)pamh, pam_retval)); + } + + pam_retval = pam_end((pam_handle_t *)pamh, pam_retval); + if (pam_retval != PAM_SUCCESS) + { + log("Cannot release PAM authentication: %.200s", + pam_strerror((pam_handle_t *)pamh, pam_retval)); + } + } +} + +void do_pam_account_and_session(char *username, char *remote_user, + const char *remote_host) +{ + int pam_retval; + + if (remote_host != NULL) + { + debug("PAM setting rhost to \"%.200s\"", remote_host); + pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, remote_host); + if (pam_retval != PAM_SUCCESS) + { + log("PAM set rhost failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval)); + do_fake_authloop(username); + } + } + + if (remote_user != NULL) + { + debug("PAM setting ruser to \"%.200s\"", remote_user); + pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user); + if (pam_retval != PAM_SUCCESS) + { + log("PAM set ruser failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval)); + do_fake_authloop(username); + } + } + + pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0); + if (pam_retval != PAM_SUCCESS) + { + log("PAM rejected by account configuration: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval)); + do_fake_authloop(username); + } + + pam_retval = pam_open_session((pam_handle_t *)pamh, 0); + if (pam_retval != PAM_SUCCESS) + { + log("PAM session setup failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval)); + do_fake_authloop(username); + } +} +#endif /* HAVE_LIBPAM */ + /* Signal handler for SIGHUP. Sshd execs itself when it receives SIGHUP; the effect is to reread the configuration file (and to regenerate the server key). */ @@ -718,7 +864,27 @@ /* The connection has been terminated. */ log("Closing connection to %.100s", inet_ntoa(sin.sin_addr)); + +#ifdef HAVE_LIBPAM + { + int retval; + + if (pamh != NULL) + { + debug("Closing PAM session."); + retval = pam_close_session((pam_handle_t *)pamh, 0); + + debug("Terminating PAM library."); + if (pam_end((pam_handle_t *)pamh, retval) != PAM_SUCCESS) + log("Cannot release PAM authentication."); + + fatal_remove_cleanup(&pam_cleanup_proc, NULL); + } + } +#endif /* HAVE_LIBPAM */ + packet_close(); + exit(0); } @@ -1029,6 +1195,20 @@ pwcopy.pw_shell = xstrdup(pw->pw_shell); pw = &pwcopy; +#ifdef HAVE_LIBPAM + { + int pam_retval; + + debug("Starting up PAM with username \"%.200s\"", pw->pw_name); + + pam_retval = pam_start("sshd", pw->pw_name, &conv, (pam_handle_t**)&pamh); + if (pam_retval != PAM_SUCCESS) + fatal("PAM initialisation failed: %.200s", pam_strerror((pam_handle_t *)pamh, pam_retval)); + + fatal_add_cleanup(&pam_cleanup_proc, NULL); + } +#endif + /* If we are not running as root, the user must have the same uid as the server. */ if (getuid() != 0 && pw->pw_uid != getuid()) @@ -1083,8 +1263,11 @@ unsigned int bits; BIGNUM *client_host_key_e, *client_host_key_n; BIGNUM *n; - char *client_user, *password; + char *client_user = NULL, *password = NULL; int plen, dlen, nlen, ulen, elen; +#ifdef HAVE_LIBPAM + int pam_retval; +#endif /* HAVE_LIBPAM */ /* Indicate that authentication is needed. */ packet_start(SSH_SMSG_FAILURE); @@ -1185,7 +1368,9 @@ log("Rhosts authentication %s for %.100s, remote %.100s on %.700s.", authenticated ? "accepted" : "failed", pw->pw_name, client_user, get_canonical_hostname()); - xfree(client_user); +#ifndef HAVE_LIBPAM + xfree(client_user); +#endif /* HAVE_LIBPAM */ break; case SSH_CMSG_AUTH_RHOSTS_RSA: @@ -1217,7 +1402,9 @@ log("Rhosts authentication %s for %.100s, remote %.100s.", authenticated ? "accepted" : "failed", pw->pw_name, client_user); - xfree(client_user); +#ifndef HAVE_LIBPAM + xfree(client_user); +#endif /* HAVE_LIBPAM */ BN_clear_free(client_host_key_e); BN_clear_free(client_host_key_n); break; @@ -1254,6 +1441,21 @@ password = packet_get_string(&dlen); packet_integrity_check(plen, 4 + dlen, type); +#ifdef HAVE_LIBPAM + /* Do PAM auth with password */ + pampasswd = password; + pam_retval = pam_authenticate((pam_handle_t *)pamh, 0); + if (pam_retval == PAM_SUCCESS) + { + log("PAM Password authentication accepted for user \"%.100s\"", pw->pw_name); + authenticated = 1; + break; + } + + log("PAM Password authentication for \"%.100s\" failed: %s", + pw->pw_name, pam_strerror((pam_handle_t *)pamh, pam_retval)); + break; +#else /* HAVE_LIBPAM */ /* Try authentication with the password. */ authenticated = auth_password(pw, password); log("Password authentication %s for %.100s.", @@ -1263,6 +1465,7 @@ memset(password, 0, strlen(password)); xfree(password); break; +#endif /* HAVE_LIBPAM */ case SSH_CMSG_AUTH_TIS: /* TIS Authentication is unsupported */ @@ -1286,6 +1489,20 @@ packet_send(); packet_write_wait(); } + +#ifdef HAVE_LIBPAM + do_pam_account_and_session(pw->pw_name, client_user, get_canonical_hostname()); + + /* Clean up */ + if (client_user != NULL) + xfree(client_user); + + if (password != NULL) + { + memset(password, 0, strlen(password)); + xfree(password); + } +#endif /* HAVE_LIBPAM */ } /* The user does not exist or access is denied, @@ -1822,7 +2039,13 @@ /* Check if .hushlogin exists. */ snprintf(line, sizeof line, "%.200s/.hushlogin", pw->pw_dir); quiet_login = stat(line, &st) >= 0; - + +#ifdef HAVE_LIBPAM + /* output the results of the pamconv() */ + if (!quiet_login && pamconv_msg != NULL) + fprintf(stderr, pamconv_msg); +#endif + /* If the user has logged in before, display the time of last login. However, don't display anything extra if a command has been specified (so that ssh can be used to execute commands on a remote @@ -2011,6 +2234,7 @@ struct stat st; char *argv[10]; +#ifndef HAVE_LIBPAM /* pam_nologin handles this */ /* Check /etc/nologin. */ f = fopen("/etc/nologin", "r"); if (f) @@ -2021,10 +2245,13 @@ if (pw->pw_uid != 0) exit(254); } +#endif /* HAVE_LIBPAM */ +#ifdef HAVE_SETLOGIN /* Set login name in the kernel. */ if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); +#endif /* HAVE_SETLOGIN */ /* Set uid, gid, and groups. */ /* Login(1) does this as well, and it needs uid 0 for the "-h" switch, @@ -2137,7 +2364,29 @@ child_set_env(&env, &envsize, "KRBTKFILE", ticket); } #endif /* KRB4 */ - + +#ifdef HAVE_LIBPAM + /* Pull in any environment variables that may have been set by PAM. */ + { + char *equal_sign, var_name[256], var_val[256]; + long this_var; + char **pam_env = pam_getenvlist((pam_handle_t *)pamh); + for(this_var = 0; pam_env && pam_env[this_var]; this_var++) + { + if(strlen(pam_env[this_var]) < (sizeof(var_name) - 1)) + if((equal_sign = strstr(pam_env[this_var], "=")) != NULL) + { + memset(var_name, 0, sizeof(var_name)); + memset(var_val, 0, sizeof(var_val)); + strncpy(var_name, pam_env[this_var], + equal_sign - pam_env[this_var]); + strcpy(var_val, equal_sign + 1); + child_set_env(&env, &envsize, var_name, var_val); + } + } + } +#endif /* HAVE_LIBPAM */ + /* Set XAUTHORITY to always be a local file. */ if (xauthfile) child_set_env(&env, &envsize, "XAUTHORITY", xauthfile); @@ -2299,7 +2548,7 @@ } else { /* Launch login(1). */ - execl("/usr/bin/login", "login", "-h", get_remote_ipaddr(), "-p", "-f", "--", pw->pw_name, NULL); + execl(LOGIN_PROGRAM, "login", "-h", get_remote_ipaddr(), "-p", "-f", "--", pw->pw_name, NULL); /* Login couldn't be executed, die. */ diff -ruN --exclude CVS ssh-openbsd-1999111900/sshd.init.redhat openssh-1.2pre13/sshd.init.redhat --- ssh-openbsd-1999111900/sshd.init.redhat Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/sshd.init.redhat Sat Nov 13 23:56:35 1999 @@ -0,0 +1,50 @@ +#!/bin/bash + +# Init file for OpenSSH server daemon +# +# chkconfig: 2345 55 25 +# description: OpenSSH server daemon +# +# processname: sshd +# config: /etc/ssh/ssh_host_key +# config: /etc/ssh/ssh_host_key.pub +# config: /etc/ssh/ssh_random_seed +# config: /etc/ssh/sshd_config +# pidfile: /var/run/sshd.pid + +# source function library +. /etc/rc.d/init.d/functions + +RETVAL=0 + +case "$1" in + start) + echo -n "Starting sshd: " + if [ ! -f /var/run/sshd.pid ] ; then + /usr/sbin/sshd && success "sshd startup" || failure "sshd startup" + RETVAL=$? + fi + echo + ;; + stop) + echo -n "Shutting down sshd: " + if [ -f /var/run/sshd.pid ] ; then + killproc sshd + fi + echo + ;; + restart) + $0 stop + $0 start + RETVAL=$? + ;; + status) + status sshd + RETVAL=$? + ;; + *) + echo "Usage: sshd {start|stop|restart|status}" + exit 1 +esac + +exit $RETVAL diff -ruN --exclude CVS ssh-openbsd-1999111900/sshd.pam openssh-1.2pre13/sshd.pam --- ssh-openbsd-1999111900/sshd.pam Thu Jan 1 10:00:00 1970 +++ openssh-1.2pre13/sshd.pam Fri Oct 29 09:47:09 1999 @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth required /lib/security/pam_pwdb.so shadow +auth required /lib/security/pam_nologin.so +account required /lib/security/pam_pwdb.so +password required /lib/security/pam_cracklib.so +password required /lib/security/pam_pwdb.so shadow nullok use_authtok +session required /lib/security/pam_pwdb.so diff -ruN --exclude CVS ssh-openbsd-1999111900/sshd_config openssh-1.2pre13/sshd_config --- ssh-openbsd-1999111900/sshd_config Fri Nov 12 11:19:27 1999 +++ openssh-1.2pre13/sshd_config Sat Nov 13 23:56:35 1999 @@ -2,48 +2,58 @@ Port 22 ListenAddress 0.0.0.0 -HostKey /etc/ssh_host_key +HostKey /etc/ssh/ssh_host_key ServerKeyBits 768 LoginGraceTime 600 KeyRegenerationInterval 3600 PermitRootLogin yes -# -# Don't read ~/.rhosts and ~/.shosts files -IgnoreRhosts yes -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes StrictModes yes X11Forwarding no X11DisplayOffset 10 PrintMotd yes KeepAlive yes +CheckMail no +UseLogin no -# Logging +# +# Loglevel replaces QuietMode and FascistLogging +# SyslogFacility AUTH LogLevel INFO -#obsoletes QuietMode and FascistLogging -RhostsAuthentication no # -# For this to work you will also need host keys in /etc/ssh_known_hosts +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +# RhostsRSAAuthentication no + # +# Don't read ~/.rhosts and ~/.shosts files +# +IgnoreRhosts yes +RhostsAuthentication no + +# +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +# +#IgnoreUserKnownHosts yes + RSAAuthentication yes # To disable tunneled clear text passwords, change to no here! PasswordAuthentication yes PermitEmptyPasswords no -# Uncomment to disable s/key passwords + +# +# Uncomment to disable s/key passwords (must be compiled with s/key support) +# #SkeyAuthentication no -# To change Kerberos options +# +# To change Kerberos options (must be compiled with Kerberos support) +# #KerberosAuthentication no #KerberosOrLocalPasswd yes #AFSTokenPassing no #KerberosTicketCleanup no - # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes - -#CheckMail yes -#UseLogin no