diff -ruN --exclude CVS ssh-openbsd-2000050800/COPYING.Ylonen openssh-2.0.0beta2/COPYING.Ylonen --- ssh-openbsd-2000050800/COPYING.Ylonen Fri Jan 7 09:06:09 2000 +++ openssh-2.0.0beta2/COPYING.Ylonen Sat Oct 30 09:46:20 1999 @@ -24,7 +24,7 @@ [ The make-ssh-known-hosts script is no longer included. ] [ TSS has been removed. ] [ MD5 is now external. ] -[ RC4 support has been removed. ] +[ RC4 support has been removed (RC4 is used internally for arc4random). ] [ Blowfish is now external. ] The 32-bit CRC implementation in crc32.c is due to Gary S. Brown. diff -ruN --exclude CVS ssh-openbsd-2000050800/CREDITS openssh-2.0.0beta2/CREDITS --- ssh-openbsd-2000050800/CREDITS Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/CREDITS Mon May 1 22:53:54 2000 @@ -0,0 +1,50 @@ +Tatu Ylonen - Creator of SSH + +Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, +Theo de Raadt, and Dug Song - Creators of OpenSSH + +Andrew Stribblehill - Bugfixes +Andre Lucas - build, login and many other fixes +Andy Sloane - bugfixes +Arkadiusz Miskiewicz - IPv6 compat fixes +Ben Taylor - Solaris debugging and fixes +Bratislav ILICH - Configure fix +Chip Salzenberg - Assorted patches +Chris Saia - SuSE packaging +Chris, the Young One - Password auth fixes +Christos Zoulas - Autoconf fixes +Chun-Chung Chen - RPM fixes +Dan Brosemer - Autoconf support, build fixes +Darren Hall - AIX patches +David Agraz - Build fixes +David Del Piero - bug fixes +David Hesprich - Configure fixes +David Rankin - libwrap, AIX, NetBSD fixes +Gary E. Miller - SCO support +Ged Lodder - HPUX fixes and enhancements +Gert Doering - bug and portability fixes +HARUYAMA Seigo - Translations & doc fixes +Hideaki YOSHIFUJI - IPv6 fixes +Hiroshi Takekawa - Configure fixes +Holger Trapp - KRB4/AFS config patch +Jani Hakala - Patches +Jarno Huuskonen - Bugfixes +Jim Knoble - Many patches +jonchen (email unknown) - the original author of PAM support of SSH +Juergen Keil - scp bugfixing +Kees Cook - scp fixes +Kiyokazu SUTO - Bugfixes +Marc G. Fournier - Solaris patches +Matt Richards - AIX patches +Nalin Dahyabhai - PAM environment patch +Niels Kristian Bech Jensen - Assorted patches +Peter Kocks - Makefile fixes +Phil Hands - Debian scripts, assorted patches +Phil Karn - Autoconf fix +Thomas Neumann - Shadow passwords +Tor-Ake Fransson - AIX support +Tudor Bosman - MD5 password support + +Apologies to anyone I have missed. + +Damien Miller diff -ruN --exclude CVS ssh-openbsd-2000050800/ChangeLog openssh-2.0.0beta2/ChangeLog --- ssh-openbsd-2000050800/ChangeLog Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/ChangeLog Mon May 8 13:44:52 2000 @@ -0,0 +1,1434 @@ +20000508 + - Makefile and RPM spec fixes + - Generate DSA host keys during "make key" or RPM installs + - OpenBSD CVS update + - markus@cvs.openbsd.org + [clientloop.c sshconnect2.c] + - make x11-fwd interop w/ ssh-2.0.13 + [README.openssh2] + - interop w/ SecureFX + - Release 2.0.0beta2 + +20000507 + - Remove references to SSLeay. + - Big OpenBSD CVS update + - markus@cvs.openbsd.org + [clientloop.c] + - typo + [session.c] + - update proctitle on pty alloc/dealloc, e.g. w/ windows client + [session.c] + - update proctitle for proto 1, too + [channels.h nchan.c serverloop.c session.c sshd.c] + - use c-style comments + - deraadt@cvs.openbsd.org + [scp.c] + - more atomicio + - markus@cvs.openbsd.org + [channels.c] + - set O_NONBLOCK + [ssh.1] + - update AUTHOR + [readconf.c ssh-keygen.c ssh.h] + - default DSA key file ~/.ssh/id_dsa + [clientloop.c] + - typo, rm verbose debug + - deraadt@cvs.openbsd.org + [ssh-keygen.1] + - document DSA use of ssh-keygen + [sshd.8] + - a start at describing what i understand of the DSA side + [ssh-keygen.1] + - document -X and -x + [ssh-keygen.c] + - simplify usage + - markus@cvs.openbsd.org + [sshd.8] + - there is no rhosts_dsa + [ssh-keygen.1] + - document -y, update -X,-x + [nchan.c] + - fix close for non-open ssh1 channels + [servconf.c servconf.h ssh.h sshd.8 sshd.c ] + - s/DsaKey/HostDSAKey/, document option + [sshconnect2.c] + - respect number_of_password_prompts + [channels.c channels.h servconf.c servconf.h session.c sshd.8] + - GatewayPorts for sshd, ok deraadt@ + [ssh-add.1 ssh-agent.1 ssh.1] + - more doc on: DSA, id_dsa, known_hosts2, authorized_keys2 + [ssh.1] + - more info on proto 2 + [sshd.8] + - sync AUTHOR w/ ssh.1 + [key.c key.h sshconnect.c] + - print key type when talking about host keys + [packet.c] + - clear padding in ssh2 + [dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h] + - replace broken uuencode w/ libc b64_ntop + [auth2.c] + - log failure before sending the reply + [key.c radix.c uuencode.c] + - remote trailing comments before calling __b64_pton + [auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1] + [sshconnect2.c sshd.8] + - add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8 + - Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch]) + +20000502 + - OpenBSD CVS update + [channels.c] + - init all fds, close all fds. + [sshconnect2.c] + - check whether file exists before asking for passphrase + [servconf.c servconf.h sshd.8 sshd.c] + - PidFile, pr 1210 + [channels.c] + - EINTR + [channels.c] + - unbreak, ok niels@ + [sshd.c] + - unlink pid file, ok niels@ + [auth2.c] + - Add missing #ifdefs; ok - markus + - Add Andre Lucas' patch to read entropy + gathering commands from a text file + - Release 2.0.0beta1 + +20000501 + - OpenBSD CVS update + [packet.c] + - send debug messages in SSH2 format + [scp.c] + - fix very rare EAGAIN/EINTR issues; based on work by djm + [packet.c] + - less debug, rm unused + [auth2.c] + - disable kerb,s/key in ssh2 + [sshd.8] + - Minor tweaks and typo fixes. + [ssh-keygen.c] + - Put -d into usage and reorder. markus ok. + - Include missing headers for OpenSSL tests. Fix from Phil Karn + + - Fixed __progname symbol collisions reported by Andre Lucas + + - Merged bsd-login ttyslot and AIX utmp patch from Gert Doering + + - Add some missing ifdefs to auth2.c + - Deprecate perl-tk askpass. + - Irix portability fixes - don't include netinet headers more than once + - Make sure we don't save PRNG seed more than once + +20000430 + - Merge HP-UX fixes and TCB support from Ged Lodder + - Integrate Andre Lucas' entropy collection + patch. + - Adds timeout to entropy collection + - Disables slow entropy sources + - Load and save seed file + - Changed entropy seed code to user per-user seeds only (server seed is + saved in root's .ssh directory) + - Use atexit() and fatal cleanups to save seed on exit + - More OpenBSD updates: + [session.c] + - don't call chan_write_failed() if we are not writing + [auth-rsa.c auth1.c authfd.c hostfile.c ssh-agent.c] + - keysize warnings error() -> log() + +20000429 + - Merge big update to OpenSSH-2.0 from OpenBSD CVS + [README.openssh2] + - interop w/ F-secure windows client + - sync documentation + - ssh_host_dsa_key not ssh_dsa_key + [auth-rsa.c] + - missing fclose + [auth.c authfile.c compat.c dsa.c dsa.h hostfile.c key.c key.h radix.c] + [readconf.c readconf.h ssh-add.c ssh-keygen.c ssh.c ssh.h sshconnect.c] + [sshd.c uuencode.c uuencode.h authfile.h] + - add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] + for trading keys with the real and the original SSH, directly from the + people who invented the SSH protocol. + [auth.c auth.h authfile.c sshconnect.c auth1.c auth2.c sshconnect.h] + [sshconnect1.c sshconnect2.c] + - split auth/sshconnect in one file per protocol version + [sshconnect2.c] + - remove debug + [uuencode.c] + - add trailing = + [version.h] + - OpenSSH-2.0 + [ssh-keygen.1 ssh-keygen.c] + - add -R flag: exit code indicates if RSA is alive + [sshd.c] + - remove unused + silent if -Q is specified + [ssh.h] + - host key becomes /etc/ssh_host_dsa_key + [readconf.c servconf.c ] + - ssh/sshd default to proto 1 and 2 + [uuencode.c] + - remove debug + [auth2.c ssh-keygen.c sshconnect2.c sshd.c] + - xfree DSA blobs + [auth2.c serverloop.c session.c] + - cleanup logging for sshd/2, respect PasswordAuth no + [sshconnect2.c] + - less debug, respect .ssh/config + [README.openssh2 channels.c channels.h] + - clientloop.c session.c ssh.c + - support for x11-fwding, client+server + +20000421 + - Merge fix from OpenBSD CVS + [ssh-agent.c] + - Fix memory leak per connection. Report from Andy Spiegl + via Debian bug #59926 + - Define __progname in session.c if libc doesn't + - Remove indentation on autoconf #include statements to avoid bug in + DEC Tru64 compiler. Report and fix from David Del Piero + + +20000420 + - Make fixpaths work with perl4, patch from Andre Lucas + + - Sync with OpenBSD CVS: + [clientloop.c login.c serverloop.c ssh-agent.c ssh.h sshconnect.c sshd.c] + - pid_t + [session.c] + - remove bogus chan_read_failed. this could cause data + corruption (missing data) at end of a SSH2 session. + - Merge fixes from Debian patch from Phil Hands + - Allow setting of PAM service name through CFLAGS (SSHD_PAM_SERVICE) + - Use vhangup to clean up Linux ttys + - Force posix getopt processing on GNU libc systems + - Debian bug #55910 - remove references to ssl(8) manpages + - Debian bug #58031 - ssh_config lies about default cipher + +20000419 + - OpenBSD CVS updates + [channels.c] + - fix pr 1196, listen_port and port_to_connect interchanged + [scp.c] + - after completion, replace the progress bar ETA counter with a final + elapsed time; my idea, aaron wrote the patch + [ssh_config sshd_config] + - show 'Protocol' as an example, ok markus@ + [sshd.c] + - missing xfree() + - Add missing header to bsd-misc.c + +20000416 + - Reduce diff against OpenBSD source + - All OpenSSL includes are now unconditionally referenced as + openssl/foo.h + - Pick up formatting changes + - Other minor changed (typecasts, etc) that I missed + +20000415 + - OpenBSD CVS updates. + [ssh.1 ssh.c] + - ssh -2 + [auth.c channels.c clientloop.c packet.c packet.h serverloop.c] + [session.c sshconnect.c] + - check payload for (illegal) extra data + [ALL] + whitespace cleanup + +20000413 + - INSTALL doc updates + - Merged OpenBSD updates to include paths. + +20000412 + - OpenBSD CVS updates: + - [channels.c] + repair x11-fwd + - [sshconnect.c] + fix passwd prompt for ssh2, less debugging output. + - [clientloop.c compat.c dsa.c kex.c sshd.c] + less debugging output + - [kex.c kex.h sshconnect.c sshd.c] + check for reasonable public DH values + - [README.openssh2 cipher.c cipher.h compat.c compat.h readconf.c] + [readconf.h servconf.c servconf.h ssh.c ssh.h sshconnect.c sshd.c] + add Cipher and Protocol options to ssh/sshd, e.g.: + ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers + arcfour,3des-cbc' + - [sshd.c] + print 1.99 only if server supports both + +20000408 + - Avoid some compiler warnings in fake-get*.c + - Add IPTOS macros for systems which lack them + - Only set define entropy collection macros if they are found + - More large OpenBSD CVS updates: + - [auth.c auth.h servconf.c servconf.h serverloop.c session.c] + [session.h ssh.h sshd.c README.openssh2] + ssh2 server side, see README.openssh2; enable with 'sshd -2' + - [channels.c] + no adjust after close + - [sshd.c compat.c ] + interop w/ latest ssh.com windows client. + +20000406 + - OpenBSD CVS update: + - [channels.c] + close efd on eof + - [clientloop.c compat.c ssh.c sshconnect.c myproposal.h] + ssh2 client implementation, interops w/ ssh.com and lsh servers. + - [sshconnect.c] + missing free. + - [authfile.c cipher.c cipher.h packet.c sshconnect.c sshd.c] + remove unused argument, split cipher_mask() + - [clientloop.c] + re-order: group ssh1 vs. ssh2 + - Make Redhat spec require openssl >= 0.9.5a + +20000404 + - Add tests for RAND_add function when searching for OpenSSL + - OpenBSD CVS update: + - [packet.h packet.c] + ssh2 packet format + - [packet.h packet.c nchan2.ms nchan.h compat.h compat.c] + [channels.h channels.c] + channel layer support for ssh2 + - [kex.h kex.c hmac.h hmac.c dsa.c dsa.h] + DSA, keyexchange, algorithm agreement for ssh2 + - Generate manpages before make install not at the end of make all + - Don't seed the rng quite so often + - Always reseed rng when requested + +20000403 + - Wrote entropy collection routines for systems that lack /dev/random + and EGD + - Disable tests and typedefs for 64 bit types. They are currently unused. + +20000401 + - Big OpenBSD CVS update (mainly beginnings of SSH2 infrastructure) + - [auth.c session.c sshd.c auth.h] + split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal + - [bufaux.c bufaux.h] + support ssh2 bignums + - [channels.c channels.h clientloop.c sshd.c nchan.c nchan.h packet.c] + [readconf.c ssh.c ssh.h serverloop.c] + replace big switch() with function tables (prepare for ssh2) + - [ssh2.h] + ssh2 message type codes + - [sshd.8] + reorder Xr to avoid cutting + - [serverloop.c] + close(fdin) if fdin != fdout, shutdown otherwise, ok theo@ + - [channels.c] + missing close + allow bigger packets + - [cipher.c cipher.h] + support ssh2 ciphers + - [compress.c] + cleanup, less code + - [dispatch.c dispatch.h] + function tables for different message types + - [log-server.c] + do not log() if debuggin to stderr + rename a cpp symbol, to avoid param.h collision + - [mpaux.c] + KNF + - [nchan.c] + sync w/ channels.c + +20000326 + - Better tests for OpenSSL w/ RSAref + - Added replacement setenv() function from OpenBSD libc. Suggested by + Ben Lindstrom + - OpenBSD CVS update + - [auth-krb4.c] + -Wall + - [auth-rh-rsa.c auth-rsa.c hostfile.c hostfile.h key.c key.h match.c] + [match.h ssh.c ssh.h sshconnect.c sshd.c] + initial support for DSA keys. ok deraadt@, niels@ + - [cipher.c cipher.h] + remove unused cipher_attack_detected code + - [scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8] + Fix some formatting problems I missed before. + - [ssh.1 sshd.8] + fix spelling errors, From: FreeBSD + - [ssh.c] + switch to raw mode only if he _get_ a pty (not if we _want_ a pty). + +20000324 + - Released 1.2.3 + +20000317 + - Clarified --with-default-path option. + - Added -blibpath handling for AIX to work around stupid runtime linking. + Problem elucidated by gshapiro@SENDMAIL.ORG by way of Jim Knoble + + - Checks for 64 bit int types. Problem report from Mats Fredholm + + - OpenBSD CVS updates: + - [atomicio.c auth-krb4.c bufaux.c channels.c compress.c fingerprint.c] + [packet.h radix.c rsa.c scp.c ssh-agent.c ssh-keygen.c sshconnect.c] + [sshd.c] + pedantic: signed vs. unsigned, void*-arithm, etc + - [ssh.1 sshd.8] + Various cleanups and standardizations. + - Runtime error fix for HPUX from Otmar Stahl + + +20000316 + - Fixed configure not passing LDFLAGS to Solaris. Report from David G. + Hesprich + - Propogate LD through to Makefile + - Doc cleanups + - Added blurb about "scp: command not found" errors to UPGRADING + +20000315 + - Fix broken CFLAGS handling during search for OpenSSL. Fixes va_list + problems with gcc/Solaris. + - Don't free argument to putenv() after use (in setenv() replacement). + Report from Seigo Tanimura + - Created contrib/ subdirectory. Included helpers from Phil Hands' + Debian package, README file and chroot patch from Ricardo Cerqueira + + - Moved gnome-ssh-askpass.c to contrib directory and removed config + option. + - Slight cleanup to doc files + - Configure fix from Bratislav ILICH + +20000314 + - Include macro for IN6_IS_ADDR_V4MAPPED. Report from + peter@frontierflying.com + - Include /usr/local/include and /usr/local/lib for systems that don't + do it themselves + - -R/usr/local/lib for Solaris + - Fix RSAref detection + - Fix IN6_IS_ADDR_V4MAPPED macro + +20000311 + - Detect RSAref + - OpenBSD CVS change + [sshd.c] + - disallow guessing of root password + - More configure fixes + - IPv6 workarounds from Hideaki YOSHIFUJI + +20000309 + - OpenBSD CVS updates to v1.2.3 + [ssh.h atomicio.c] + - int atomicio -> ssize_t (for alpha). ok deraadt@ + [auth-rsa.c] + - delay MD5 computation until client sends response, free() early, cleanup. + [cipher.c] + - void* -> unsigned char*, ok niels@ + [hostfile.c] + - remove unused variable 'len'. fix comments. + - remove unused variable + [log-client.c log-server.c] + - rename a cpp symbol, to avoid param.h collision + [packet.c] + - missing xfree() + - getsockname() requires initialized tolen; andy@guildsoftware.com + - use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; + from Holger.Trapp@Informatik.TU-Chemnitz.DE + [pty.c pty.h] + - register cleanup for pty earlier. move code for pty-owner handling to + pty.c ok provos@, dugsong@ + [readconf.c] + - turn off x11-fwd for the client, too. + [rsa.c] + - PKCS#1 padding + [scp.c] + - allow '.' in usernames; from jedgar@fxp.org + [servconf.c] + - typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de + - sync with sshd_config + [ssh-keygen.c] + - enable ssh-keygen -l -f ~/.ssh/known_hosts, ok deraadt@ + [ssh.1] + - Change invalid 'CHAT' loglevel to 'VERBOSE' + [ssh.c] + - suppress AAAA query host when '-4' is used; from shin@nd.net.fujitsu.co.jp + - turn off x11-fwd for the client, too. + [sshconnect.c] + - missing xfree() + - retry rresvport_af(), too. from sumikawa@ebina.hitachi.co.jp. + - read error vs. "Connection closed by remote host" + [sshd.8] + - ie. -> i.e., + - do not link to a commercial page.. + - sync with sshd_config + [sshd.c] + - no need for poll.h; from bright@wintelcom.net + - log with level log() not fatal() if peer behaves badly. + - don't panic if client behaves strange. ok deraadt@ + - make no-port-forwarding for RSA keys deny both -L and -R style fwding + - delay close() of pty until the pty has been chowned back to root + - oops, fix comment, too. + - missing xfree() + - move XAUTHORITY to subdir. ok dugsong@. fixes debian bug #57907, too. + (http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=57907) + - register cleanup for pty earlier. move code for pty-owner handling to + pty.c ok provos@, dugsong@ + - create x11 cookie file + - fix pr 1113, fclose() -> pclose(), todo: remote popen() + - version 1.2.3 + - Cleaned up + - Removed warning workaround for Linux and devpts filesystems (no longer + required after OpenBSD updates) + +20000308 + - Configure fix from Hiroshi Takekawa + +20000307 + - Released 1.2.2p1 + +20000305 + - Fix DEC compile fix + - Explicitly seed OpenSSL's PRNG before checking rsa_alive() + - Check for getpagesize in libucb.a if not found in libc. Fix for old + Solaris from Andre Lucas + - Check for libwrap if --with-tcp-wrappers option specified. Suggestion + Mate Wierdl + +20000303 + - Added "make host-key" target, Suggestion from Dominik Brettnacher + + - Don't permanently fail on bind() if getaddrinfo has more choices left for + us. Needed to work around messy IPv6 on Linux. Patch from Arkadiusz + Miskiewicz + - DEC Unix compile fix from David Del Piero + - Manpage fix from David Del Piero + +20000302 + - Big cleanup of autoconf code + - Rearranged to be a little more logical + - Added -R option for Solaris + - Rewrote OpenSSL detection code. Now uses AC_TRY_RUN with a test program + to detect library and header location _and_ ensure library has proper + RSA support built in (this is a problem with OpenSSL 0.9.5). + - Applied pty cleanup patch from markus.friedl@informatik.uni-erlangen.de + - Avoid warning message with Unix98 ptys + - Warning was valid - possible race condition on PTYs. Avoided using + platform-specific code. + - Document some common problems + - Allow root access to any key. Patch from + markus.friedl@informatik.uni-erlangen.de + +20000207 + - Removed SOCKS code. Will support through a ProxyCommand. + +20000203 + - Fixed SEGVs in authloop, fix from vbzoli@hbrt.hu + - Add --with-ssl-dir option + +20000202 + - Fix lastlog code for directory based lastlogs. Fix from Josh Durham + + - Documentation fixes from HARUYAMA Seigo + - Added URLs to Japanese translations of documents by HARUYAMA Seigo + + +20000201 + - Use socket pairs by default (instead of pipes). Prevents race condition + on several (buggy) OSs. Report and fix from tridge@linuxcare.com + +20000127 + - Seed OpenSSL's random number generator before generating RSA keypairs + - Split random collector into seperate file + - Compile fix from Andre Lucas + +20000126 + - Released 1.2.2 stable + + - NeXT keeps it lastlog in /usr/adm. Report from + mouring@newton.pconline.com + - Added note in UPGRADING re interop with commercial SSH using idea. + Report from Jim Knoble + - Fix linking order for Kerberos/AFS. Fix from Holget Trapp + + +20000125 + - Fix NULL pointer dereference in login.c. Fix from Andre Lucas + + - Reorder PAM initialisation so it does not mess up lastlog. Reported + by Andre Lucas + - Use preformatted manpages on SCO, report from Gary E. Miller + + - New URL for x11-ssh-askpass. + - Fixpaths was missing /etc/ssh_known_hosts. Report from Jim Knoble + + - Added 'DESTDIR' option to Makefile to ease package building. Patch from + Jim Knoble + - Updated RPM spec files to use DESTDIR + +20000124 + - Pick up version 1.2.2 from OpenBSD CVS (no changes, just version number + increment) + +20000123 + - OpenBSD CVS: + - [packet.c] + getsockname() requires initialized tolen; andy@guildsoftware.com + - AIX patch from Matt Richards and David Rankin + + - Fix lastlog support, patch from Andre Lucas + +20000122 + - Fix compilation of bsd-snprintf.c on Solaris, fix from Ben Taylor + + - Merge preformatted manpage patch from Andre Lucas + + - Make IPv4 use the default in RPM packages + - Irix uses preformatted manpages + - Missing htons() in bsd-bindresvport.c, fix from Holger Trapp + + - OpenBSD CVS updates: + - [packet.c] + use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; + from Holger.Trapp@Informatik.TU-Chemnitz.DE + - [sshd.c] + log with level log() not fatal() if peer behaves badly. + - [readpass.c] + instead of blocking SIGINT, catch it ourselves, so that we can clean + the tty modes up and kill ourselves -- instead of our process group + leader (scp, cvs, ...) going away and leaving us in noecho mode. + people with cbreak shells never even noticed.. + - [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8] + ie. -> i.e., + +20000120 + - Don't use getaddrinfo on AIX + - Update to latest OpenBSD CVS: + - [auth-rsa.c] + - fix user/1056, sshd keeps restrictions; dbt@meat.net + - [sshconnect.c] + - disable agent fwding for proto 1.3, remove abuse of auth-rsa flags. + - destroy keys earlier + - split key exchange (kex) and user authentication (user-auth), + ok: provos@ + - [sshd.c] + - no need for poll.h; from bright@wintelcom.net + - disable agent fwding for proto 1.3, remove abuse of auth-rsa flags. + - split key exchange (kex) and user authentication (user-auth), + ok: provos@ + - Big manpage and config file cleanup from Andre Lucas + + - Re-added latest (unmodified) OpenBSD manpages + - Doc updates + - NetBSD patch from David Rankin and + Christos Zoulas + +20000119 + - SCO compile fixes from Gary E. Miller + - Compile fix from Darren_Hall@progressive.com + - Linux/glibc-2.1.2 takes a *long* time to look up names for AF_UNSPEC + addresses using getaddrinfo(). Added a configure switch to make the + default lookup mode AF_INET + +20000118 + - Fixed --with-pid-dir option + - Makefile fix from Gary E. Miller + - Compile fix for HPUX and Solaris from Andre Lucas + + +20000117 + - Clean up bsd-bindresvport.c. Use arc4random() for picking initial + port, ignore EINVAL errors (Linux) when searching for free port. + - Revert __snprintf -> snprintf aliasing. Apparently Solaris + __snprintf isn't. Report from Theo de Raadt + - Document location of Redhat PAM file in INSTALL. + - Fixed X11 forwarding bug on Linux. libc advertises AF_INET6 + INADDR_ANY_INIT addresses via getaddrinfo, but may not be able to + deliver (no IPv6 kernel support) + - Released 1.2.1pre27 + + - Fix rresvport_af failure errors (logic error in bsd-bindresvport.c) + - Fix --with-ipaddr-display option test. Fix from Jarno Huuskonen + + - Fix hang on logout if processes are still using the pty. Needs + further testing. + - Patch from Christos Zoulas + - Try $prefix first when looking for OpenSSL. + - Include sys/types.h when including sys/socket.h in test programs + - Substitute PID directory in sshd.8. Suggestion from Andrew + Stribblehill + +20000116 + - Renamed --with-xauth-path to --with-xauth + - Added --with-pid-dir option + - Released 1.2.1pre26 + + - Compilation fix from Kiyokazu SUTO + - Fixed broken bugfix for /dev/ptmx on Linux systems which lack + openpty(). Report from Kiyokazu SUTO + +20000115 + - Add --with-xauth-path configure directive and explicit test for + /usr/openwin/bin/xauth for Solaris systems. Report from Anders + Nordby + - Fix incorrect detection of /dev/ptmx on Linux systems that lack + openpty. Report from John Seifarth + - Look for intXX_t and u_intXX_t in sys/bitypes.h if they are not in + sys/types.h. Fixes problems on SCO, report from Gary E. Miller + + - Use __snprintf and __vnsprintf if they are found where snprintf and + vnsprintf are lacking. Suggested by Ben Taylor + and others. + +20000114 + - Merged OpenBSD IPv6 patch: + - [sshd.c sshd.8 sshconnect.c ssh.h ssh.c servconf.h servconf.c scp.1] + [scp.c packet.h packet.c login.c log.c canohost.c channels.c] + [hostfile.c sshd_config] + ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new + features: sshd allows multiple ListenAddress and Port options. note + that libwrap is not IPv6-ready. (based on patches from + fujiwara@rcac.tdi.co.jp) + - [ssh.c canohost.c] + more hints (hints.ai_socktype=SOCK_STREAM) for getaddrinfo, + from itojun@ + - [channels.c] + listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE) + - [packet.h] + allow auth-kerberos for IPv4 only + - [scp.1 sshd.8 servconf.h scp.c] + document -4, -6, and 'ssh -L 2022/::1/22' + - [ssh.c] + 'ssh @host' is illegal (null user name), from + karsten@gedankenpolizei.de + - [sshconnect.c] + better error message + - [sshd.c] + allow auth-kerberos for IPv4 only + - Big IPv6 merge: + - Cleanup overrun in sockaddr copying on RHL 6.1 + - Replacements for getaddrinfo, getnameinfo, etc based on versions + from patch from KIKUCHI Takahiro + - Replacement for missing structures on systems that lack IPv6 + - record_login needed to know about AF_INET6 addresses + - Borrowed more code from OpenBSD: rresvport_af and requisites + +20000110 + - Fixes to auth-skey to enable it to use the standard OpenSSL libraries + +20000107 + - New config.sub and config.guess to fix problems on SCO. Supplied + by Gary E. Miller + - SCO build fix from Gary E. Miller + - Released 1.2.1pre25 + +20000106 + - Documentation update & cleanup + - Better KrbIV / AFS detection, based on patch from: + Holger Trapp + +20000105 + - Fixed annoying DES corruption problem. libcrypt has been + overriding symbols in libcrypto. Removed libcrypt and crypt.h + altogether (libcrypto includes its own crypt(1) replacement) + - Added platform-specific rules for Irix 6.x. Included warning that + they are untested. + +20000103 + - Add explicit make rules for files proccessed by fixpaths. + - Fix "make install" in RPM spec files. Report from Tenkou N. Hattori + + - Removed "nullok" directive from default PAM configuration files. + Added information on enabling EmptyPasswords on openssh+PAM in + UPGRADING file. + - OpenBSD CVS updates + - [ssh-agent.c] + cleanup_exit() for SIGTERM/SIGHUP, too. from fgsch@ and + dgaudet@arctic.org + - [sshconnect.c] + compare correct version for 1.3 compat mode + +20000102 + - Prevent multiple inclusion of config.h and defines.h. Suggested + by Andre Lucas + - Properly clean up on exit of ssh-agent. Patch from Dean Gaudet + + +19991231 + - Fix password support on systems with a mixture of shadowed and + non-shadowed passwords (e.g. NIS). Report and fix from + HARUYAMA Seigo + - Fix broken autoconf typedef detection. Report from Marc G. + Fournier + - Fix occasional crash on LinuxPPC. Patch from Franz Sirl + + - Prevent typedefs from being compiled more than once. Report from + Marc G. Fournier + - Fill in ut_utaddr utmp field. Report from Benjamin Charron + + - Really fix broken default path. Fix from Jim Knoble + + - Remove test for quad_t. No longer needed. + - Released 1.2.1pre24 + + - Added support for directory-based lastlogs + - Really fix typedefs, patch from Ben Taylor + +19991230 + - OpenBSD CVS updates: + - [auth-passwd.c] + check for NULL 1st + - Removed most of the pam code into its own file auth-pam.[ch]. This + cleaned up sshd.c up significantly. + - PAM authentication was incorrectly interpreting + "PermitRootLogin without-password". Report from Matthias Andree + + - Updated documentation with ./configure options + - Released 1.2.1pre23 + +19991229 + - Applied another NetBSD portability patch from David Rankin + + - Fix --with-default-path option. + - Autodetect perl, patch from David Rankin + + - Print whether OpenSSH was compiled with RSARef, patch from + Nalin Dahyabhai + - Calls to pam_setcred, patch from Nalin Dahyabhai + + - Detect missing size_t and typedef it. + - Rename helper.[ch] to (more appropriate) bsd-misc.[ch] + - Minor Makefile cleaning + +19991228 + - Replacement for getpagesize() for systems which lack it + - NetBSD login.c compile fix from David Rankin + + - Fully set ut_tv if present in utmp or utmpx + - Portability fixes for Irix 5.3 (now compiles OK!) + - autoconf and other misc cleanups + - Merged AIX patch from Darren Hall + - Cleaned up defines.h + - Released 1.2.1pre22 + +19991227 + - Automatically correct paths in manpages and configuration files. Patch + and script from Andre Lucas + - Removed credits from README to CREDITS file, updated. + - Added --with-default-path to specify custom path for server + - Removed #ifdef trickery from acconfig.h into defines.h + - PAM bugfix. PermitEmptyPassword was being ignored. + - Fixed PAM config files to allow empty passwords if server does. + - Explained spurious PAM auth warning workaround in UPGRADING + - Use last few chars of tty line as ut_id + - New SuSE RPM spec file from Chris Saia + - OpenBSD CVS updates: + - [packet.h auth-rhosts.c] + check format string for packet_disconnect and packet_send_debug, too + - [channels.c] + use packet_get_maxsize for channels. consistence. + +19991226 + - Enabled utmpx support by default for Solaris + - Cleanup sshd.c PAM a little more + - Revised RPM package to include Jim Knoble's + X11 ssh-askpass program. + - Disable logging of PAM success and failures, PAM is verbose enough. + Unfortunatly there is currently no way to disable auth failure + messages. Mention this in UPGRADING file and sent message to PAM + developers + - OpenBSD CVS update: + - [ssh-keygen.1 ssh.1] + remove ref to .ssh/random_seed, mention .ssh/environment in + .Sh FILES, too + - Released 1.2.1pre21 + - Fixed implicit '.' in default path, report from Jim Knoble + + - Redhat RPM spec fixes from Jim Knoble + +19991225 + - More fixes from Andre Lucas + - Cleanup of auth-passwd.c for shadow and MD5 passwords + - Cleanup and bugfix of PAM authentication code + - Released 1.2.1pre20 + + - Merged fixes from Ben Taylor + - Fixed configure support for PAM. Reported by Naz <96na@eng.cam.ac.uk> + - Disabled logging of PAM password authentication failures when password + is empty. (e.g start of authentication loop). Reported by Naz + <96na@eng.cam.ac.uk>) + +19991223 + - Merged later HPUX patch from Andre Lucas + + - Above patch included better utmpx support from Ben Taylor + + +19991222 + - Fix undefined fd_set type in ssh.h from Povl H. Pedersen + + - Fix login.c breakage on systems which lack ut_host in struct + utmp. Reported by Willard Dawson + +19991221 + - Integration of large HPUX patch from Andre Lucas + . Integrating it had a few other + benefits: + - Ability to disable shadow passwords at configure time + - Ability to disable lastlog support at configure time + - Support for IP address in $DISPLAY + - OpenBSD CVS update: + - [sshconnect.c] + say "REMOTE HOST IDENTIFICATION HAS CHANGED" + - Fix DISABLE_SHADOW support + - Allow MD5 passwords even if shadow passwords are disabled + - Release 1.2.1pre19 + +19991218 + - Redhat init script patch from Chun-Chung Chen + + - Avoid breakage on systems without IPv6 headers + +19991216 + - Makefile changes for Solaris from Peter Kocks + + - Minor updates to docs + - Merged OpenBSD CVS changes: + - [authfd.c ssh-agent.c] + keysize warnings talk about identity files + - [packet.c] + "Connection closed by x.x.x.x": fatal() -> log() + - Correctly handle empty passwords in shadow file. Patch from: + "Chris, the Young One" + - Released 1.2.1pre18 + +19991215 + - Integrated patchs from Juergen Keil + - Avoid void* pointer arithmatic + - Use LDFLAGS correctly + - Fix SIGIO error in scp + - Simplify status line printing in scp + - Added better test for inline functions compiler support from + Darren_Hall@progressive.com + +19991214 + - OpenBSD CVS Changes + - [canohost.c] + fix get_remote_port() and friends for sshd -i; + Holger.Trapp@Informatik.TU-Chemnitz.DE + - [mpaux.c] + make code simpler. no need for memcpy. niels@ ok + - [pty.c] + namebuflen not sizeof namebuflen; bnd@ep-ag.com via djm@mindrot.org + fix proto; markus + - [ssh.1] + typo; mark.baushke@solipsa.com + - [channels.c ssh.c ssh.h sshd.c] + type conflict for 'extern Type *options' in channels.c; dot@dotat.at + - [sshconnect.c] + move checking of hostkey into own function. + - [version.h] + OpenSSH-1.2.1 + - Clean up broken includes in pty.c + - Some older systems don't have poll.h, they use sys/poll.h instead + - Doc updates + +19991211 + - Fix compilation on systems with AFS. Reported by + aloomis@glue.umd.edu + - Fix installation on Solaris. Reported by + Gordon Rowell + - Fix gccisms (__attribute__ and inline). Report by edgy@us.ibm.com, + patch from Markus Friedl + - Auto-locate xauth. Patch from David Agraz + - Compile fix from David Agraz + - Avoid compiler warning in bsd-snprintf.c + - Added pam_limits.so to default PAM config. Suggested by + Jim Knoble + +19991209 + - Import of patch from Ben Taylor : + - Improved PAM support + - "uninstall" rule for Makefile + - utmpx support + - Should fix PAM problems on Solaris + - OpenBSD CVS updates: + - [readpass.c] + avoid stdio; based on work by markus, millert, and I + - [sshd.c] + make sure the client selects a supported cipher + - [sshd.c] + fix sighup handling. accept would just restart and daemon handled + sighup only after the next connection was accepted. use poll on + listen sock now. + - [sshd.c] + make that a fatal + - Applied patch from David Rankin + to fix libwrap support on NetBSD + - Released 1.2pre17 + +19991208 + - Compile fix for Solaris with /dev/ptmx from + David Agraz + +19991207 + - sshd Redhat init script patch from Jim Knoble + fixes compatability with 4.x and 5.x + - Fixed default SSH_ASKPASS + - Fix PAM account and session being called multiple times. Problem + reported by Adrian Baugh + - Merged more OpenBSD changes: + - [atomicio.c authfd.c scp.c serverloop.c ssh.h sshconnect.c sshd.c] + move atomicio into it's own file. wrap all socket write()s which + were doing write(sock, buf, len) != len, with atomicio() calls. + - [auth-skey.c] + fd leak + - [authfile.c] + properly name fd variable + - [channels.c] + display great hatred towards strcpy + - [pty.c pty.h sshd.c] + use openpty() if it exists (it does on BSD4_4) + - [tildexpand.c] + check for ~ expansion past MAXPATHLEN + - Modified helper.c to use new atomicio function. + - Reformat Makefile a little + - Moved RC4 routines from rc4.[ch] into helper.c + - Added autoconf code to detect /dev/ptmx (Solaris) and /dev/ptc (AIX) + - Updated SuSE spec from Chris Saia + - Tweaked Redhat spec + - Clean up bad imports of a few files (forgot -kb) + - Released 1.2pre16 + +19991204 + - Small cleanup of PAM code in sshd.c + - Merged OpenBSD CVS changes: + - [auth-krb4.c auth-passwd.c auth-skey.c ssh.h] + move skey-auth from auth-passwd.c to auth-skey.c, same for krb4 + - [auth-rsa.c] + warn only about mismatch if key is _used_ + warn about keysize-mismatch with log() not error() + channels.c readconf.c readconf.h ssh.c ssh.h sshconnect.c + ports are u_short + - [hostfile.c] + indent, shorter warning + - [nchan.c] + use error() for internal errors + - [packet.c] + set loglevel for SSH_MSG_DISCONNECT to log(), not fatal() + serverloop.c + indent + - [ssh-add.1 ssh-add.c ssh.h] + document $SSH_ASKPASS, reasonable default + - [ssh.1] + CheckHostIP is not available for connects via proxy command + - [sshconnect.c] + typo + easier to read client code for passwd and skey auth + turn of checkhostip for proxy connects, since we don't know the remote ip + +19991126 + - Add definition for __P() + - Added [v]snprintf() replacement for systems that lack it + +19991125 + - More reformatting merged from OpenBSD CVS + - Merged OpenBSD CVS changes: + - [channels.c] + fix packet_integrity_check() for !have_hostname_in_open. + report from mrwizard@psu.edu via djm@ibs.com.au + - [channels.c] + set SO_REUSEADDR and SO_LINGER for forwarded ports. + chip@valinux.com via damien@ibs.com.au + - [nchan.c] + it's not an error() if shutdown_write failes in nchan. + - [readconf.c] + remove dead #ifdef-0-code + - [readconf.c servconf.c] + strcasecmp instead of tolower + - [scp.c] + progress meter overflow fix from damien@ibs.com.au + - [ssh-add.1 ssh-add.c] + SSH_ASKPASS support + - [ssh.1 ssh.c] + postpone fork_after_authentication until command execution, + request/patch from jahakala@cc.jyu.fi via damien@ibs.com.au + plus: use daemon() for backgrounding + - Added BSD compatible install program and autoconf test, thanks to + Niels Kristian Bech Jensen + - Solaris fixing, thanks to Ben Taylor + - Merged beginnings of AIX support from Tor-Ake Fransson + - Release 1.2pre15 + +19991124 + - Merged very large OpenBSD source code reformat + - OpenBSD CVS updates + - [channels.c cipher.c compat.c log-client.c scp.c serverloop.c] + [ssh.h sshd.8 sshd.c] + syslog changes: + * Unified Logmessage for all auth-types, for success and for failed + * Standard connections get only ONE line in the LOG when level==LOG: + Auth-attempts are logged only, if authentication is: + a) successfull or + b) with passwd or + c) we had more than AUTH_FAIL_LOG failues + * many log() became verbose() + * old behaviour with level=VERBOSE + - [readconf.c readconf.h ssh.1 ssh.h sshconnect.c sshd.c] + tranfer s/key challenge/response data in SSH_SMSG_AUTH_TIS_CHALLENGE + messages. allows use of s/key in windows (ttssh, securecrt) and + ssh-1.2.27 clients without 'ssh -v', ok: niels@ + - [sshd.8] + -V, for fallback to openssh in SSH2 compatibility mode + - [sshd.c] + fix sigchld race; cjc5@po.cwru.edu + +19991123 + - Added SuSE package files from Chris Saia + - Restructured package-related files under packages/* + - Added generic PAM config + - Numerous little Solaris fixes + - Add recommendation to use GNU make to INSTALL document + +19991122 + - Make close gnome-ssh-askpass (Debian bug #50299) + - OpenBSD CVS Changes + - [ssh-keygen.c] + don't create ~/.ssh only if the user wants to store the private + key there. show fingerprint instead of public-key after + keygeneration. ok niels@ + - Added OpenBSD bsd-strlcat.c, created bsd-strlcat.h + - Added timersub() macro + - Tidy RCSIDs of bsd-*.c + - Added autoconf test and macro to deal with old PAM libraries + pam_strerror definition (one arg vs two). + - Fix EGD problems (Thanks to Ben Taylor ) + - Retry /dev/urandom reads interrupted by signal (report from + Robert Hardy ) + - Added a setenv replacement for systems which lack it + - Only display public key comment when presenting ssh-askpass dialog + - Released 1.2pre14 + + - Configure, Make and changelog corrections from Tudor Bosman + and Niels Kristian Bech Jensen + +19991121 + - OpenBSD CVS Changes: + - [channels.c] + make this compile, bad markus + - [log.c readconf.c servconf.c ssh.h] + bugfix: loglevels are per host in clientconfig, + factor out common log-level parsing code. + - [servconf.c] + remove unused index (-Wall) + - [ssh-agent.c] + only one 'extern char *__progname' + - [sshd.8] + document SIGHUP, -Q to synopsis + - [sshconnect.c serverloop.c sshd.c packet.c packet.h] + [channels.c clientloop.c] + SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ + [hope this time my ISP stays alive during commit] + - [OVERVIEW README] typos; green@freebsd + - [ssh-keygen.c] + replace xstrdup+strcat with strlcat+fixed buffer, fixes OF (bad me) + exit if writing the key fails (no infinit loop) + print usage() everytime we get bad options + - [ssh-keygen.c] overflow, djm@mindrot.org + - [sshd.c] fix sigchld race; cjc5@po.cwru.edu + +19991120 + - Merged more Solaris support from Marc G. Fournier + + - Wrote autoconf tests for integer bit-types + - Fixed enabling kerberos support + - Fix segfault in ssh-keygen caused by buffer overrun in filename + handling. + +19991119 + - Merged PAM buffer overrun patch from Chip Salzenberg + - Merged OpenBSD CVS changes + - [auth-rhosts.c auth-rsa.c ssh-agent.c sshconnect.c sshd.c] + more %d vs. %s in fmt-strings + - [authfd.c] + Integers should not be printed with %s + - EGD uses a socket, not a named pipe. Duh. + - Fix includes in fingerprint.c + - Fix scp progress bar bug again. + - Move ssh-askpass from ${libdir}/ssh to ${libexecdir}/ssh at request of + David Rankin + - Added autoconf option to enable Kerberos 4 support (untested) + - Added autoconf option to enable AFS support (untested) + - Added autoconf option to enable S/Key support (untested) + - Added autoconf option to enable TCP wrappers support (compiles OK) + - Renamed BSD helper function files to bsd-* + - Added tests for login and daemon and enable OpenBSD replacements for + when they are absent. + - Added non-PAM MD5 password support patch from Tudor Bosman + +19991118 + - Merged OpenBSD CVS changes + - [scp.c] foregroundproc() in scp + - [sshconnect.h] include fingerprint.h + - [sshd.c] bugfix: the log() for passwd-auth escaped during logging + changes. + - [ssh.1] Spell my name right. + - Added openssh.com info to README + +19991117 + - Merged OpenBSD CVS changes + - [ChangeLog.Ylonen] noone needs this anymore + - [authfd.c] close-on-exec for auth-socket, ok deraadt + - [hostfile.c] + in known_hosts key lookup the entry for the bits does not need + to match, all the information is contained in n and e. This + solves the problem with buggy servers announcing the wrong + modulus length. markus and me. + - [serverloop.c] + bugfix: check for space if child has terminated, from: + iedowse@maths.tcd.ie + - [ssh-add.1 ssh-add.c ssh-keygen.1 ssh-keygen.c sshconnect.c] + [fingerprint.c fingerprint.h] + rsa key fingerprints, idea from Bjoern Groenvall + - [ssh-agent.1] typo + - [ssh.1] add OpenSSH information to AUTHOR section. okay markus@ + - [sshd.c] + force logging to stderr while loading private key file + (lost while converting to new log-levels) + +19991116 + - Fix some Linux libc5 problems reported by Miles Wilson + - Merged OpenBSD CVS changes: + - [auth-rh-rsa.c auth-rsa.c authfd.c authfd.h hostfile.c mpaux.c] + [mpaux.h ssh-add.c ssh-agent.c ssh.h ssh.c sshd.c] + the keysize of rsa-parameter 'n' is passed implizit, + a few more checks and warnings about 'pretended' keysizes. + - [cipher.c cipher.h packet.c packet.h sshd.c] + remove support for cipher RC4 + - [ssh.c] + a note for legay systems about secuity issues with permanently_set_uid(), + the private hostkey and ptrace() + - [sshconnect.c] + more detailed messages about adding and checking hostkeys + +19991115 + - Merged OpenBSD CVS changes: + - [ssh-add.c] change passphrase loop logic and remove ref to + $DISPLAY, ok niels + - Changed to ssh-add.c broke askpass support. Revised it to be a little more + modular. + - Revised autoconf support for enabling/disabling askpass support. + - Merged more OpenBSD CVS changes: + [auth-krb4.c] + - disconnect if getpeername() fails + - missing xfree(*client) + [canohost.c] + - disconnect if getpeername() fails + - fix comment: we _do_ disconnect if ip-options are set + [sshd.c] + - disconnect if getpeername() fails + - move checking of remote port to central place + [auth-rhosts.c] move checking of remote port to central place + [log-server.c] avoid extra fd per sshd, from millert@ + [readconf.c] print _all_ bad config-options in ssh(1), too + [readconf.h] print _all_ bad config-options in ssh(1), too + [ssh.c] print _all_ bad config-options in ssh(1), too + [sshconnect.c] disconnect if getpeername() fails + - OpenBSD's changes to sshd.c broke the PAM stuff, re-merged it. + - Various small cleanups to bring diff (against OpenBSD) size down. + - Merged more Solaris compability from Marc G. Fournier + + - Wrote autoconf tests for __progname symbol + - RPM spec file fixes from Jim Knoble + - Released 1.2pre12 + + - Another OpenBSD CVS update: + - [ssh-keygen.1] fix .Xr + +19991114 + - Solaris compilation fixes (still imcomplete) + +19991113 + - Build patch from Niels Kristian Bech Jensen + - Don't install config files if they already exist + - Fix inclusion of additional preprocessor directives from acconfig.h + - Removed redundant inclusions of config.h + - Added 'Obsoletes' lines to RPM spec file + - Merged OpenBSD CVS changes: + - [bufaux.c] save a view malloc/memcpy/memset/free's, ok niels + - [scp.c] fix overflow reported by damien@ibs.com.au: off_t + totalsize, ok niels,aaron + - Delay fork (-f option) in ssh until after port forwarded connections + have been initialised. Patch from Jani Hakala + - Added shadow password patch from Thomas Neumann + - Added ifdefs to auth-passwd.c to exclude it when PAM is enabled + - Tidied default config file some more + - Revised Redhat initscript to fix bug: sshd (re)start would fail + if executed from inside a ssh login. + +19991112 + - Merged changes from OpenBSD CVS + - [sshd.c] session_key_int may be zero + - [auth-rh-rsa.c servconf.c servconf.h ssh.h sshd.8 sshd.c sshd_config] + IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok + deraadt,millert + - Brought default sshd_config more in line with OpenBSD's + - Grab server in gnome-ssh-askpass (Debian bug #49872) + - Released 1.2pre10 + + - Added INSTALL documentation + - Merged yet more changes from OpenBSD CVS + - [auth-rh-rsa.c auth-rhosts.c auth-rsa.c channels.c clientloop.c] + [ssh.c ssh.h sshconnect.c sshd.c] + make all access to options via 'extern Options options' + and 'extern ServerOptions options' respectively; + options are no longer passed as arguments: + * make options handling more consistent + * remove #include "readconf.h" from ssh.h + * readconf.h is only included if necessary + - [mpaux.c] clear temp buffer + - [servconf.c] print _all_ bad options found in configfile + - Make ssh-askpass support optional through autoconf + - Fix nasty division-by-zero error in scp.c + - Released 1.2pre11 + +19991111 + - Added (untested) Entropy Gathering Daemon (EGD) support + - Fixed /dev/urandom fd leak (Debian bug #49722) + - Merged OpenBSD CVS changes: + - [auth-rh-rsa.c] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too + - [ssh.1] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too + - [sshd.8] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too + - Fix integer overflow which was messing up scp's progress bar for large + file transfers. Fix submitted to OpenBSD developers. Report and fix + from Kees Cook + - Merged more OpenBSD CVS changes: + - [auth-krb4.c auth-passwd.c] remove x11- and krb-cleanup from fatal() + + krb-cleanup cleanup + - [clientloop.c log-client.c log-server.c ] + [readconf.c readconf.h servconf.c servconf.h ] + [ssh.1 ssh.c ssh.h sshd.8] + add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd, + obsoletes QuietMode and FascistLogging in sshd. + - [sshd.c] fix fatal/assert() bug reported by damien@ibs.com.au: + allow session_key_int != sizeof(session_key) + [this should fix the pre-assert-removal-core-files] + - Updated default config file to use new LogLevel option and to improve + readability + +19991110 + - Merged several minor fixes: + - ssh-agent commandline parsing + - RPM spec file now installs ssh setuid root + - Makefile creates libdir + - Merged beginnings of Solaris compability from Marc G. Fournier + + +19991109 + - Autodetection of SSL/Crypto library location via autoconf + - Fixed location of ssh-askpass to follow autoconf + - Integrated Makefile patch from Niels Kristian Bech Jensen + - Autodetection of RSAref library for US users + - Minor doc updates + - Merged OpenBSD CVS changes: + - [rsa.c] bugfix: use correct size for memset() + - [sshconnect.c] warn if announced size of modulus 'n' != real size + - Added GNOME passphrase requestor (use --with-gnome-askpass) + - RPM build now creates subpackages + - Released 1.2pre9 + +19991108 + - Removed debian/ directory. This is now being maintained separately. + - Added symlinks for slogin in RPM spec file + - Fixed permissions on manpages in RPM spec file + - Added references to required libraries in README file + - Removed config.h.in from CVS + - Removed pwdb support (better pluggable auth is provided by glibc) + - Made PAM and requisite libdl optional + - Removed lots of unnecessary checks from autoconf + - Added support and autoconf test for openpty() function (Unix98 pty support) + - Fix for scp not finding ssh if not installed as /usr/bin/ssh + - Added TODO file + - Merged parts of Debian patch From Phil Hands : + - Added ssh-askpass program + - Added ssh-askpass support to ssh-add.c + - Create symlinks for slogin on install + - Fix "distclean" target in makefile + - Added example for ssh-agent to manpage + - Added support for PAM_TEXT_INFO messages + - Disable internal /etc/nologin support if PAM enabled + - Merged latest OpenBSD CVS changes: + - [all] replace assert() with error, fatal or packet_disconnect + - [sshd.c] don't send fail-msg but disconnect if too many authentication + failures + - [sshd.c] remove unused argument. ok dugsong + - [sshd.c] typo + - [rsa.c] clear buffers used for encryption. ok: niels + - [rsa.c] replace assert() with error, fatal or packet_disconnect + - [auth-krb4.c] remove unused argument. ok dugsong + - Fixed coredump after merge of OpenBSD rsa.c patch + - Released 1.2pre8 + +19991102 + - Merged change from OpenBSD CVS + - One-line cleanup in sshd.c + +19991030 + - Integrated debian package support from Dan Brosemer + - Merged latest updates for OpenBSD CVS: + - channels.[ch] - remove broken x11 fix and document istate/ostate + - ssh-agent.c - call setsid() regardless of argv[] + - ssh.c - save a few lines when disabling rhosts-{rsa-}auth + - Documentation cleanups + - Renamed README -> README.Ylonen + - Renamed README.openssh ->README + +19991029 + - Renamed openssh* back to ssh* at request of Theo de Raadt + - Incorporated latest changes from OpenBSD's CVS + - Integrated Makefile patch from Niels Kristian Bech Jensen + - Integrated PAM env patch from Nalin Dahyabhai + - Make distclean now removed configure script + - Improved PAM logging + - Added some debug() calls for PAM + - Removed redundant subdirectories + - Integrated part of a patch from Dan Brosemer for + building on Debian. + - Fixed off-by-one error in PAM env patch + - Released 1.2pre6 + +19991028 + - Further PAM enhancements. + - Much cleaner + - Now uses account and session modules for all logins. + - Integrated patch from Dan Brosemer + - Build fixes + - Autoconf + - Change binary names to open* + - Fixed autoconf script to detect PAM on RH6.1 + - Added tests for libpwdb, and OpenBSD functions to autoconf + - Released 1.2pre4 + + - Imported latest OpenBSD CVS code + - Updated README.openssh + - Released 1.2pre5 + +19991027 + - Adapted PAM patch. + - Released 1.0pre2 + + - Excised my buggy replacements for strlcpy and mkdtemp + - Imported correct OpenBSD strlcpy and mkdtemp routines. + - Reduced arc4random_stir entropy read to 32 bytes (256 bits) + - Picked up correct version number from OpenBSD + - Added sshd.pam PAM configuration file + - Added sshd.init Redhat init script + - Added openssh.spec RPM spec file + - Released 1.2pre3 + +19991026 + - Fixed include paths of OpenSSL functions + - Use OpenSSL MD5 routines + - Imported RC4 code from nanocrypt + - Wrote replacements for OpenBSD arc4random* functions + - Wrote replacements for strlcpy and mkdtemp + - Released 1.0pre1 diff -ruN --exclude CVS ssh-openbsd-2000050800/INSTALL openssh-2.0.0beta2/INSTALL --- ssh-openbsd-2000050800/INSTALL Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/INSTALL Sun Apr 30 09:43:41 2000 @@ -0,0 +1,195 @@ +1. Prerequisites +---------------- + +You will need working installations of Zlib and OpenSSL. + +Zlib: +http://www.cdrom.com/pub/infozip/zlib/ + +OpenSSL 0.9.5a or greater: +http://www.openssl.org/ + +RPMs of OpenSSL are available in the support/ directory of the OpenSSH +mirror site. OpenSSH requires OpenSSL version 0.9.5 or later. + +OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system +supports it. PAM is standard on Redhat and Debian Linux and on Solaris. + +PAM: +http://www.kernel.org/pub/linux/libs/pam/ + +If you wish to build the GNOME passphrase requester, you will need the GNOME +libraries and headers. + +GNOME: +http://www.gnome.org/ + +Alternatively, Jim Knoble has written an excellent X11 +passphrase requester. This is maintained separately at: + +http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html + +If you are planning to use OpenSSH on a Unix which lacks a Kernel random +number generator (/dev/urandom), you may want to install the Entropy +Gathering Daemon (or similar). You will also need to specify the +--with-egd-pool option to ./configure. OpenSSH 2.0 includes some +peliminary built-in randomness collection, but it is not as well +tested as EGD. + +EGD: +http://www.lothar.com/tech/crypto/ + +GNU Make: +ftp://ftp.gnu.org/gnu/make/ + +OpenSSH has only been tested with GNU make. It may work with other +'make' programs, but you are on your own. + +2. Building / Installation +-------------------------- + +To install OpenSSH with default options: + +./configure +make +make install + +This will install the OpenSSH binaries in /usr/local/bin, configuration files +in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different +installation prefix, use the --prefix option to configure: + +./configure --prefix=/opt +make +make install + +Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override +specific paths, for example: + +./configure --prefix=/opt --sysconfdir=/etc/ssh +make +make install + +This will install the binaries in /opt/{bin,lib,sbin}, but will place the +configuration files in /etc/ssh. + +If you are using PAM, you will need to manually install a PAM +control file as "/etc/pam.d/sshd" (or wherever your system +prefers to keep them). A generic PAM configuration is included as +"contrib/sshd.pam.generic", you may need to edit it before using it on +your system. If you are using a recent version of Redhat Linux, the +config file in contrib/redhat/sshd.pam should be more useful. + +There are a few other options to the configure script: + +--with-rsh=PATH allows you to specify the path to your rsh program. +Normally ./configure will search the current $PATH for 'rsh'. You +may need to specify this option if rsh is not in your path or has a +different name. + +--without-pam will disable PAM support. PAM is automatically detected +and switched on if found. + +--enable-gnome-askpass will build the GNOME passphrase dialog. You +need a working installation of GNOME, including the development +headers, for this to work. + +--with-random=/some/file allows you to specify an alternate source of +random numbers (the default is /dev/urandom). Unless you are absolutly +sure of what you are doing, it is best to leave this alone. + +--with-egd-pool=/some/file allows you to enable Entropy Gathering +Daemon support and to specify a EGD pool socket. You may want to +use this if your Unix does not support the /dev/urandom device (or +similar). The file argument refers to the EGD pool file, not the +EGD program itself. Please refer to the EGD documentation. + +--with-lastlog=FILE will specify the location of the lastlog file. +./configure searches a few locations for lastlog, but may not find +it if lastlog is installed in a different place. + +--without-lastlog will disable lastlog support entirely. + +--with-kerberos4=PATH will enable Kerberos IV support. You will need +to have the Kerberos libraries and header files installed for this +to work. Use the optional PATH argument to specify the root of your +Kerberos installation. + +--with-afs=PATH will enable AFS support. You will need to have the +Kerberos IV and the AFS libraries and header files installed for this +to work. Use the optional PATH argument to specify the root of your +AFS installation. AFS requires Kerberos support to be enabled. + +--with-skey will enable S/Key one time password support. You will need +the S/Key libraries and header files installed for this to work. + +--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny) +support. You will need libwrap.a and tcpd.h installed. + +--with-md5-passwords will enable the use of MD5 passwords. Enable this +if your operating system uses MD5 passwords without using PAM. + +--with-utmpx enables utmpx support. utmpx support is automatic for +some platforms. + +--without-shadow disables shadow password support. + +--with-ipaddr-display forces the use of a numeric IP address in the +$DISPLAY environment variable. Some broken systems need this. + +--with-default-path=PATH allows you to specify a default $PATH for sessions +started by sshd. This replaces the standard path entirely. + +--with-pid-dir=PATH specifies the directory in which the ssh.pid file is +created. + +--with-xauth=PATH specifies the location of the xauth binary + +--with-ipv4-default instructs OpenSSH to use IPv4 by default for new +connections. Normally OpenSSH will try attempt to lookup both IPv6 and +IPv4 addresses. On Linux/glibc-2.1.2 this causes long delays in name +resolution. If this option is specified, you can still attempt to +connect to IPv6 addresses using the command line option '-6'. + +--with-ssl-dir=DIR allows you to specify where your OpenSSL libraries +are installed. + +--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to +real (AF_INET) IPv4 addresses. Works around some quirks on Linux. + +If you need to pass special options to the compiler or linker, you +can specify these as enviornment variables before running ./configure. +For example: + +CFLAGS="-O -m486" LFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure + +3. Configuration +---------------- + +The runtime configuration files are installed by in ${prefix}/etc or +whatever you specified as your --sysconfdir (/usr/local/etc by default). + +The default configuration should be instantly usable, though you should +review it to ensure that it matches your security requirements. + +To generate a host key, run "make host-key". Alternately you can do so +manually using the following command: + +/usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' + +Replacing /etc/ssh with the correct path to the configuration directory. +(${prefix}/etc or whatever you specified with --sysconfdir during +configuration) + +If you have configured OpenSSH with EGD support, ensure that EGD is +running and has collected some Entropy. + +For more information on configuration, please refer to the manual pages +for sshd, ssh and ssh-agent. + +4. Problems? +------------ + +If you experience problems compiling, installing or running OpenSSH. +Please refer to the "reporting bugs" section of the webpage at +http://violet.ibs.com.au/openssh/ + diff -ruN --exclude CVS ssh-openbsd-2000050800/Makefile openssh-2.0.0beta2/Makefile --- ssh-openbsd-2000050800/Makefile Fri Jan 7 09:06:30 2000 +++ openssh-2.0.0beta2/Makefile Thu Jan 1 10:00:00 1970 @@ -1,13 +0,0 @@ -# $OpenBSD: Makefile,v 1.5 1999/10/25 20:27:26 markus Exp $ - -.include - -SUBDIR= lib ssh sshd ssh-add ssh-keygen ssh-agent scp - -distribution: - install -C -o root -g wheel -m 0644 ${.CURDIR}/ssh_config \ - ${DESTDIR}/etc/ssh_config - install -C -o root -g wheel -m 0644 ${.CURDIR}/sshd_config \ - ${DESTDIR}/etc/sshd_config - -.include diff -ruN --exclude CVS ssh-openbsd-2000050800/Makefile.in openssh-2.0.0beta2/Makefile.in --- ssh-openbsd-2000050800/Makefile.in Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/Makefile.in Mon May 8 00:05:32 2000 @@ -0,0 +1,166 @@ +prefix=@prefix@ +exec_prefix=@exec_prefix@ +bindir=@bindir@ +sbindir=@sbindir@ +libexecdir=@libexecdir@ +mandir=@mandir@ +mansubdir=@mansubdir@ +sysconfdir=@sysconfdir@ +piddir=@piddir@ +srcdir=@srcdir@ +top_srcdir=@top_srcdir@ + +DESTDIR= + +VPATH=@srcdir@ + +SSH_PROGRAM=@bindir@/ssh +ASKPASS_LOCATION=@libexecdir@/ssh +ASKPASS_PROGRAM=$(ASKPASS_LOCATION)/ssh-askpass + +CC=@CC@ +LD=@LD@ +PATHS=-DETCDIR=\"$(sysconfdir)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DSSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" +CFLAGS=@CFLAGS@ $(PATHS) @DEFS@ +LIBS=@LIBS@ +AR=@AR@ +RANLIB=@RANLIB@ +INSTALL=@INSTALL@ +PERL=@PERL@ +LDFLAGS=-L. @LDFLAGS@ + +INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ + +TARGETS=ssh sshd ssh-add ssh-keygen ssh-agent scp $(EXTRA_TARGETS) + +LIBOBJS= atomicio.o authfd.o authfile.o bsd-base64.o bsd-bindresvport.o bsd-daemon.o bsd-misc.o bsd-mktemp.o bsd-rresvport.o bsd-setenv.o bsd-snprintf.o bsd-strlcat.o bsd-strlcpy.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o dispatch.o dsa.o fake-getaddrinfo.o fake-getnameinfo.o fingerprint.o hmac.o hostfile.o key.o kex.o log.o match.o mpaux.o nchan.o packet.o radix.o entropy.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o uuencode.o xmalloc.o + +SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o + +SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-rhosts.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o log-server.o login.o servconf.o serverloop.o bsd-login.o md5crypt.o session.o + +TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8 +CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh.0 sshd.0 +MANPAGES = @MANTYPE@ + +CONFIGFILES=sshd_config ssh_config + +PATHSUBS = -D/etc/ssh_config=$(sysconfdir)/ssh_config -D/etc/known_hosts=$(sysconfdir)/ssh_known_hosts -D/etc/sshd_config=$(sysconfdir)/sshd_config -D/etc/shosts.equiv=$(sysconfdir)/shosts.equiv -D/etc/ssh_host_key=$(sysconfdir)/ssh_host_key -D/var/run/sshd.pid=$(piddir)/sshd.pid + +FIXPATHSCMD = $(PERL) $(srcdir)/fixpaths $(PATHSUBS) + +all: $(TARGETS) $(CONFIGFILES) + +manpages: $(MANPAGES) + +$(LIBOBJS): config.h + +libssh.a: $(LIBOBJS) + $(AR) rv $@ $(LIBOBJS) + $(RANLIB) $@ + +ssh: libssh.a $(SSHOBJS) + $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh $(LIBS) + +sshd: libssh.a $(SSHDOBJS) + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh $(LIBS) + +scp: libssh.a scp.o + $(LD) -o $@ scp.o $(LDFLAGS) -lssh $(LIBS) + +ssh-add: libssh.a ssh-add.o log-client.o + $(LD) -o $@ ssh-add.o log-client.o $(LDFLAGS) -lssh $(LIBS) + +ssh-agent: libssh.a ssh-agent.o log-client.o + $(LD) -o $@ ssh-agent.o log-client.o $(LDFLAGS) -lssh $(LIBS) + +ssh-keygen: libssh.a ssh-keygen.o log-client.o + $(LD) -o $@ ssh-keygen.o log-client.o $(LDFLAGS) -lssh $(LIBS) + +$(MANPAGES) $(CONFIGFILES):: + $(FIXPATHSCMD) $(srcdir)/$@ + +clean: + rm -f *.o *.a $(TARGETS) config.status config.cache config.log + rm -f *.out ssh_prng_cmds core + +distclean: clean + rm -f Makefile config.h core *~ + +mrproper: distclean + +veryclean: distclean + rm -f configure config.h.in *.0 + +catman-do: + @for f in $(TROFFMAN) ; do \ + echo "$$f -> $${f%%.[18]}.0" ; \ + nroff -mandoc $$f | cat -v | sed -e 's/.\^H//g' \ + >$${f%%.[18]}.0 ; \ + done + +install: manpages $(TARGETS) + $(INSTALL) -d $(DESTDIR)$(bindir) + $(INSTALL) -d $(DESTDIR)$(sbindir) + $(INSTALL) -d $(DESTDIR)$(mandir) + $(INSTALL) -d $(DESTDIR)$(mandir)/$(mansubdir)1 + $(INSTALL) -d $(DESTDIR)$(mandir)/$(mansubdir)8 + $(INSTALL) -m 4755 -s ssh $(DESTDIR)$(bindir)/ssh + $(INSTALL) -s scp $(DESTDIR)$(bindir)/scp + $(INSTALL) -s ssh-add $(DESTDIR)$(bindir)/ssh-add + $(INSTALL) -s ssh-agent $(DESTDIR)$(bindir)/ssh-agent + $(INSTALL) -s ssh-keygen $(DESTDIR)$(bindir)/ssh-keygen + $(INSTALL) -s sshd $(DESTDIR)$(sbindir)/sshd + $(INSTALL) -m 644 ssh.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 + $(INSTALL) -m 644 scp.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 + $(INSTALL) -m 644 ssh-add.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 + $(INSTALL) -m 644 ssh-agent.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1 + $(INSTALL) -m 644 ssh-keygen.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 + $(INSTALL) -m 644 sshd.[08].out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 + -rm -f $(DESTDIR)$(bindir)/slogin + ln -s ssh $(DESTDIR)$(bindir)/slogin + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 + ln -s ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 + + if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config -a ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \ + $(INSTALL) -d $(DESTDIR)$(sysconfdir); \ + $(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \ + $(INSTALL) -m 644 sshd_config.out $(DESTDIR)$(sysconfdir)/sshd_config; \ + fi + if [ -f ssh_prng_cmds -a ! -z "$(INSTALL_SSH_PRNG_CMDS)" ]; then \ + $(INSTALL) -m 644 ssh_prng_cmds $(DESTDIR)$(sysconfdir)/ssh_prng_cmds; \ + fi + +host-key: ssh-keygen + ./ssh-keygen -b 1024 -f $(sysconfdir)/ssh_host_key -N '' + ./ssh-keygen -d -f $(sysconfdir)/ssh_host_dsa_key -N '' + +uninstallall: uninstall + -rm -f $(DESTDIR)$(sysconfdir)/ssh_config + -rm -f $(DESTDIR)$(sysconfdir)/sshd_config + -rm -f $(DESTDIR)$(sysconfdir)/ssh_prng_cmds + -rmdir $(DESTDIR)$(sysconfdir) + -rmdir $(DESTDIR)$(bindir) + -rmdir $(DESTDIR)$(sbindir) + -rmdir $(DESTDIR)$(mandir)/$(mansubdir)1 + -rmdir $(DESTDIR)$(mandir)/$(mansubdir)8 + -rmdir $(DESTDIR)$(mandir) + -rmdir $(DESTDIR)$(libexecdir) + +uninstall: + -rm -f $(DESTDIR)$(bindir)/ssh + -rm -f $(DESTDIR)$(bindir)/scp + -rm -f $(DESTDIR)$(bindir)/ssh-add + -rm -f $(DESTDIR)$(bindir)/ssh-agent + -rm -f $(DESTDIR)$(bindir)/ssh-keygen + -rm -f $(DESTDIR)$(sbindir)/sshd + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 + -rm -f $(DESTDIR)$(bindir)/slogin + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 + -rm -f $(DESTDIR)${ASKPASS_PROGRAM} + -rmdir $(DESTDIR)$(libexecdir)/ssh ; diff -ruN --exclude CVS ssh-openbsd-2000050800/Makefile.inc openssh-2.0.0beta2/Makefile.inc --- ssh-openbsd-2000050800/Makefile.inc Fri Jan 7 09:06:31 2000 +++ openssh-2.0.0beta2/Makefile.inc Thu Jan 1 10:00:00 1970 @@ -1,11 +0,0 @@ -CFLAGS+= -I${.CURDIR}/.. - -.include - -.if exists(${.CURDIR}/../lib/${__objdir}) -LDADD+= -L${.CURDIR}/../lib/${__objdir} -lssh -DPADD+= ${.CURDIR}/../lib/${__objdir}/libssh.a -.else -LDADD+= -L${.CURDIR}/../lib -lssh -DPADD+= ${.CURDIR}/../lib/libssh.a -.endif diff -ruN --exclude CVS ssh-openbsd-2000050800/README openssh-2.0.0beta2/README --- ssh-openbsd-2000050800/README Wed Mar 29 14:51:50 2000 +++ openssh-2.0.0beta2/README Sun Apr 30 09:43:41 2000 @@ -1,567 +1,68 @@ +[ A Japanese translation of this document is available at +[ http://www.unixuser.org/%7Eharuyama/security/openssh/index.html +[ Thanks to HARUYAMA Seigo + +******* IMPORTANT +* On systmes which lack a /dev/random driver, this port of +* OpenSSH-1.2.2 was not correctly seeding OpenSSL's random number +* pool. This resulted in lower quality RSA keys being generated. If +* you generated host or user keys with v1.2.2, please generate new +* ones using a more recent version. + +This is the port of OpenBSD's excellent OpenSSH to Linux and other +Unices. + +OpenSSH is based on the last free version of Tatu Ylonen's SSH with +all patent-encumbered algorithms removed (to external libraries), all +known security bugs fixed, new features reintroduced and many other +clean-ups. More information about SSH itself can be found in the file +README.Ylonen. OpenSSH has been created by Aaron Campbell, Bob Beck, +Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song. It has a +homepage at http://www.openssh.com/ + +This port consists of the re-introduction of autoconf support, PAM +support (for Linux and Solaris), EGD[1] support, SOCKS support (using +the Dante [6] libraries and replacements for OpenBSD library functions +that are (regrettably) absent from other unices. This port has been +best tested on Linux, Solaris, HPUX, NetBSD and Irix. Support for AIX, +SCO, NeXT and other Unices is underway. This version actively tracks +changes in the OpenBSD CVS repository. + +The PAM support is now more functional than the popular packages of +commercial ssh-1.2.x. It checks "account" and "session" modules for +all logins, not just when using password authentication. + +OpenSSH depends on Zlib[2], OpenSSL[3] and optionally PAM[4] and +Dante[6]. To build the GNOME[5] pass-phrase requester +(--with-gnome-askpass), you will need the GNOME libraries installed. + +There is now several mailing lists for this port of OpenSSH. Please +refer to http://violet.ibs.com.au/openssh/list.html for details on how +to join. + +Please send bug reports and patches to the mailing list +openssh-unix-dev@mindrot.org. The list is currently open to posting by +unsubscribed users. + +Please refer to the INSTALL document for information on how to install +OpenSSH on your system. The UPGRADING document details differences +between this port of OpenSSH and F-Secure SSH 1.x. + +Damien Miller +Internet Business Solutions + +Miscellania - + +This version of SSH is based upon code retrieved from the OpenBSD CVS +repository which in turn was based on the last free +version of SSH released by Tatu Ylonen. + +References - + +[1] http://www.lothar.com/tech/crypto/ +[2] http://www.cdrom.com/pub/infozip/zlib/ +[3] http://www.openssl.org/ +[4] http://www.kernel.org/pub/linux/libs/pam/ (PAM is standard on Solaris) +[5] http://www.gnome.org/ +[6] http://www.inet.no/dante -[ Please note that this file has not been updated for OpenSSH and - covers the ssh-1.2.12 release from Dec 1995 only. ] - -Ssh (Secure Shell) is a program to log into another computer over a -network, to execute commands in a remote machine, and to move files -from one machine to another. It provides strong authentication and -secure communications over insecure channels. It is intended as a -replacement for rlogin, rsh, rcp, and rdist. - -See the file INSTALL for installation instructions. See COPYING for -license terms and other legal issues. See RFC for a description of -the protocol. There is a WWW page for ssh; see http://www.cs.hut.fi/ssh. - -This file has been updated to match ssh-1.2.12. - - -FEATURES - - o Strong authentication. Closes several security holes (e.g., IP, - routing, and DNS spoofing). New authentication methods: .rhosts - together with RSA based host authentication, and pure RSA - authentication. - - o Improved privacy. All communications are automatically and - transparently encrypted. RSA is used for key exchange, and a - conventional cipher (normally IDEA, DES, or triple-DES) for - encrypting the session. Encryption is started before - authentication, and no passwords or other information is - transmitted in the clear. Encryption is also used to protect - against spoofed packets. - - o Secure X11 sessions. The program automatically sets DISPLAY on - the server machine, and forwards any X11 connections over the - secure channel. Fake Xauthority information is automatically - generated and forwarded to the remote machine; the local client - automatically examines incoming X11 connections and replaces the - fake authorization data with the real data (never telling the - remote machine the real information). - - o Arbitrary TCP/IP ports can be redirected through the encrypted channel - in both directions (e.g., for e-cash transactions). - - o No retraining needed for normal users; everything happens - automatically, and old .rhosts files will work with strong - authentication if administration installs host key files. - - o Never trusts the network. Minimal trust on the remote side of - the connection. Minimal trust on domain name servers. Pure RSA - authentication never trusts anything but the private key. - - o Client RSA-authenticates the server machine in the beginning of - every connection to prevent trojan horses (by routing or DNS - spoofing) and man-in-the-middle attacks, and the server - RSA-authenticates the client machine before accepting .rhosts or - /etc/hosts.equiv authentication (to prevent DNS, routing, or - IP-spoofing). - - o Host authentication key distribution can be centrally by the - administration, automatically when the first connection is made - to a machine (the key obtained on the first connection will be - recorded and used for authentication in the future), or manually - by each user for his/her own use. The central and per-user host - key repositories are both used and complement each other. Host - keys can be generated centrally or automatically when the software - is installed. Host authentication keys are typically 1024 bits. - - o Any user can create any number of user authentication RSA keys for - his/her own use. Each user has a file which lists the RSA public - keys for which proof of possession of the corresponding private - key is accepted as authentication. User authentication keys are - typically 1024 bits. - - o The server program has its own server RSA key which is - automatically regenerated every hour. This key is never saved in - any file. Exchanged session keys are encrypted using both the - server key and the server host key. The purpose of the separate - server key is to make it impossible to decipher a captured session by - breaking into the server machine at a later time; one hour from - the connection even the server machine cannot decipher the session - key. The key regeneration interval is configurable. The server - key is normally 768 bits. - - o An authentication agent, running in the user's laptop or local - workstation, can be used to hold the user's RSA authentication - keys. Ssh automatically forwards the connection to the - authentication agent over any connections, and there is no need to - store the RSA authentication keys on any machine in the network - (except the user's own local machine). The authentication - protocols never reveal the keys; they can only be used to verify - that the user's agent has a certain key. Eventually the agent - could rely on a smart card to perform all authentication - computations. - - o The software can be installed and used (with restricted - functionality) even without root privileges. - - o The client is customizable in system-wide and per-user - configuration files. Most aspects of the client's operation can - be configured. Different options can be specified on a per-host basis. - - o Automatically executes conventional rsh (after displaying a - warning) if the server machine is not running sshd. - - o Optional compression of all data with gzip (including forwarded X11 - and TCP/IP port data), which may result in significant speedups on - slow connections. - - o Complete replacement for rlogin, rsh, and rcp. - - -WHY TO USE SECURE SHELL - -Currently, almost all communications in computer networks are done -without encryption. As a consequence, anyone who has access to any -machine connected to the network can listen in on any communication. -This is being done by hackers, curious administrators, employers, -criminals, industrial spies, and governments. Some networks leak off -enough electromagnetic radiation that data may be captured even from a -distance. - -When you log in, your password goes in the network in plain -text. Thus, any listener can then use your account to do any evil he -likes. Many incidents have been encountered worldwide where crackers -have started programs on workstations without the owners knowledge -just to listen to the network and collect passwords. Programs for -doing this are available on the Internet, or can be built by a -competent programmer in a few hours. - -Any information that you type or is printed on your screen can be -monitored, recorded, and analyzed. For example, an intruder who has -penetrated a host connected to a major network can start a program -that listens to all data flowing in the network, and whenever it -encounters a 16-digit string, it checks if it is a valid credit card -number (using the check digit), and saves the number plus any -surrounding text (to catch expiration date and holder) in a file. -When the intruder has collected a few thousand credit card numbers, he -makes smallish mail-order purchases from a few thousand stores around -the world, and disappears when the goods arrive but before anyone -suspects anything. - -Businesses have trade secrets, patent applications in preparation, -pricing information, subcontractor information, client data, personnel -data, financial information, etc. Currently, anyone with access to -the network (any machine on the network) can listen to anything that -goes in the network, without any regard to normal access restrictions. - -Many companies are not aware that information can so easily be -recovered from the network. They trust that their data is safe -since nobody is supposed to know that there is sensitive information -in the network, or because so much other data is transferred in the -network. This is not a safe policy. - -Individual persons also have confidential information, such as -diaries, love letters, health care documents, information about their -personal interests and habits, professional data, job applications, -tax reports, political documents, unpublished manuscripts, etc. - -One should also be aware that economical intelligence and industrial -espionage has recently become a major priority of the intelligence -agencies of major governments. President Clinton recently assigned -economical espionage as the primary task of the CIA, and the French -have repeatedly been publicly boasting about their achievements on -this field. - - -There is also another frightening aspect about the poor security of -communications. Computer storage and analysis capability has -increased so much that it is feasible for governments, major -companies, and criminal organizations to automatically analyze, -identify, classify, and file information about millions of people over -the years. Because most of the work can be automated, the cost of -collecting this information is getting very low. - -Government agencies may be able to monitor major communication -systems, telephones, fax, computer networks, etc., and passively -collect huge amounts of information about all people with any -significant position in the society. Most of this information is not -sensitive, and many people would say there is no harm in someone -getting that information. However, the information starts to get -sensitive when someone has enough of it. You may not mind someone -knowing what you bought from the shop one random day, but you might -not like someone knowing every small thing you have bought in the last -ten years. - -If the government some day starts to move into a more totalitarian -direction (one should remember that Nazi Germany was created by -democratic elections), there is considerable danger of an ultimate -totalitarian state. With enough information (the automatically -collected records of an individual can be manually analyzed when the -person becomes interesting), one can form a very detailed picture of -the individual's interests, opinions, beliefs, habits, friends, -lovers, weaknesses, etc. This information can be used to 1) locate -any persons who might oppose the new system 2) use deception to -disturb any organizations which might rise against the government 3) -eliminate difficult individuals without anyone understanding what -happened. Additionally, if the government can monitor communications -too effectively, it becomes too easy to locate and eliminate any -persons distributing information contrary to the official truth. - -Fighting crime and terrorism are often used as grounds for domestic -surveillance and restricting encryption. These are good goals, but -there is considerable danger that the surveillance data starts to get -used for questionable purposes. I find that it is better to tolerate -a small amount of crime in the society than to let the society become -fully controlled. I am in favor of a fairly strong state, but the -state must never get so strong that people become unable to spread -contra-offical information and unable to overturn the government if it -is bad. The danger is that when you notice that the government is -too powerful, it is too late. Also, the real power may not be where -the official government is. - -For these reasons (privacy, protecting trade secrets, and making it -more difficult to create a totalitarian state), I think that strong -cryptography should be integrated to the tools we use every day. -Using it causes no harm (except for those who wish to monitor -everything), but not using it can cause huge problems. If the society -changes in undesirable ways, then it will be to late to start -encrypting. - -Encryption has had a "military" or "classified" flavor to it. There -are no longer any grounds for this. The military can and will use its -own encryption; that is no excuse to prevent the civilians from -protecting their privacy and secrets. Information on strong -encryption is available in every major bookstore, scientific library, -and patent office around the world, and strong encryption software is -available in every country on the Internet. - -Some people would like to make it illegal to use encryption, or to -force people to use encryption that governments can break. This -approach offers no protection if the government turns bad. Also, the -"bad guys" will be using true strong encryption anyway. Good -encryption techniques are too widely known to make them disappear. -Thus, any "key escrow encryption" or other restrictions will only help -monitor ordinary people and petty criminals. It does not help against -powerful criminals, terrorists, or espionage, because they will know -how to use strong encryption anyway. (One source for internationally -available encryption software is http://www.cs.hut.fi/crypto.) - - -OVERVIEW OF SECURE SHELL - -The software consists of a number of programs. - - sshd Server program run on the server machine. This - listens for connections from client machines, and - whenever it receives a connection, it performs - authentication and starts serving the client. - - ssh This is the client program used to log into another - machine or to execute commands on the other machine. - "slogin" is another name for this program. - - scp Securely copies files from one machine to another. - - ssh-keygen Used to create RSA keys (host keys and user - authentication keys). - - ssh-agent Authentication agent. This can be used to hold RSA - keys for authentication. - - ssh-add Used to register new keys with the agent. - - make-ssh-known-hosts - Used to create the /etc/ssh_known_hosts file. - - -Ssh is the program users normally use. It is started as - - ssh host - -or - - ssh host command - -The first form opens a new shell on the remote machine (after -authentication). The latter form executes the command on the remote -machine. - -When started, the ssh connects sshd on the server machine, verifies -that the server machine really is the machine it wanted to connect, -exchanges encryption keys (in a manner which prevents an outside -listener from getting the keys), performs authentication using .rhosts -and /etc/hosts.equiv, RSA authentication, or conventional password -based authentication. The server then (normally) allocates a -pseudo-terminal and starts an interactive shell or user program. - -The TERM environment variable (describing the type of the user's -terminal) is passed from the client side to the remote side. Also, -terminal modes will be copied from the client side to the remote side -to preserve user preferences (e.g., the erase character). - -If the DISPLAY variable is set on the client side, the server will -create a dummy X server and set DISPLAY accordingly. Any connections -to the dummy X server will be forwarded through the secure channel, -and will be made to the real X server from the client side. An -arbitrary number of X programs can be started during the session, and -starting them does not require anything special from the user. (Note -that the user must not manually set DISPLAY, because then it would -connect directly to the real display instead of going through the -encrypted channel). This behavior can be disabled in the -configuration file or by giving the -x option to the client. - -Arbitrary IP ports can be forwarded over the secure channel. The -program then creates a port on one side, and whenever a connection is -opened to this port, it will be passed over the secure channel, and a -connection will be made from the other side to a specified host:port -pair. Arbitrary IP forwarding must always be explicitly requested, -and cannot be used to forward privileged ports (unless the user is -root). It is possible to specify automatic forwards in a per-user -configuration file, for example to make electronic cash systems work -securely. - -If there is an authentication agent on the client side, connection to -it will be automatically forwarded to the server side. - -For more infomation, see the manual pages ssh(1), sshd(8), scp(1), -ssh-keygen(1), ssh-agent(1), ssh-add(1), and make-ssh-known-hosts(1) -included in this distribution. - - -X11 CONNECTION FORWARDING - -X11 forwarding serves two purposes: it is a convenience to the user -because there is no need to set the DISPLAY variable, and it provides -encrypted X11 connections. I cannot think of any other easy way to -make X11 connections encrypted; modifying the X server, clients or -libraries would require special work for each machine, vendor and -application. Widely used IP-level encryption does not seem likely for -several years. Thus what we have left is faking an X server on the -same machine where the clients are run, and forwarding the connections -to a real X server over the secure channel. - -X11 forwarding works as follows. The client extracts Xauthority -information for the server. It then creates random authorization -data, and sends the random data to the server. The server allocates -an X11 display number, and stores the (fake) Xauthority data for this -display. Whenever an X11 connection is opened, the server forwards -the connection over the secure channel to the client, and the client -parses the first packet of the X11 protocol, substitutes real -authentication data for the fake data (if the fake data matched), and -forwards the connection to the real X server. - -If the display does not have Xauthority data, the server will create a -unix domain socket in /tmp/.X11-unix, and use the unix domain socket -as the display. No authentication information is forwarded in this -case. X11 connections are again forwarded over the secure channel. -To the X server the connections appear to come from the client -machine, and the server must have connections allowed from the local -machine. Using authentication data is always recommended because not -using it makes the display insecure. If XDM is used, it automatically -generates the authentication data. - -One should be careful not to use "xin" or "xstart" or other similar -scripts that explicitly set DISPLAY to start X sessions in a remote -machine, because the connection will then not go over the secure -channel. The recommended way to start a shell in a remote machine is - - xterm -e ssh host & - -and the recommended way to execute an X11 application in a remote -machine is - - ssh -n host emacs & - -If you need to type a password/passphrase for the remote machine, - - ssh -f host emacs - -may be useful. - - - -RSA AUTHENTICATION - -RSA authentication is based on public key cryptograpy. The idea is -that there are two encryption keys, one for encryption and another for -decryption. It is not possible (on human timescale) to derive the -decryption key from the encryption key. The encryption key is called -the public key, because it can be given to anyone and it is not -secret. The decryption key, on the other hand, is secret, and is -called the private key. - -RSA authentication is based on the impossibility of deriving the -private key from the public key. The public key is stored on the -server machine in the user's $HOME/.ssh/authorized_keys file. The -private key is only kept on the user's local machine, laptop, or other -secure storage. Then the user tries to log in, the client tells the -server the public key that the user wishes to use for authentication. -The server then checks if this public key is admissible. If so, it -generates a 256 bit random number, encrypts it with the public key, -and sends the value to the client. The client then decrypts the -number with its private key, computes a 128 bit MD5 checksum from the -resulting data, and sends the checksum back to the server. (Only a -checksum is sent to prevent chosen-plaintext attacks against RSA.) -The server checks computes a checksum from the correct data, -and compares the checksums. Authentication is accepted if the -checksums match. (Theoretically this indicates that the client -only probably knows the correct key, but for all practical purposes -there is no doubt.) - -The RSA private key can be protected with a passphrase. The -passphrase can be any string; it is hashed with MD5 to produce an -encryption key for IDEA, which is used to encrypt the private part of -the key file. With passphrase, authorization requires access to the key -file and the passphrase. Without passphrase, authorization only -depends on possession of the key file. - -RSA authentication is the most secure form of authentication supported -by this software. It does not rely on the network, routers, domain -name servers, or the client machine. The only thing that matters is -access to the private key. - -All this, of course, depends on the security of the RSA algorithm -itself. RSA has been widely known since about 1978, and no effective -methods for breaking it are known if it is used properly. Care has -been taken to avoid the well-known pitfalls. Breaking RSA is widely -believed to be equivalent to factoring, which is a very hard -mathematical problem that has received considerable public research. -So far, no effective methods are known for numbers bigger than about -512 bits. However, as computer speeds and factoring methods are -increasing, 512 bits can no longer be considered secure. The -factoring work is exponential, and 768 or 1024 bits are widely -considered to be secure in the near future. - - -RHOSTS AUTHENTICATION - -Conventional .rhosts and hosts.equiv based authentication mechanisms -are fundamentally insecure due to IP, DNS (domain name server) and -routing spoofing attacks. Additionally this authentication method -relies on the integrity of the client machine. These weaknesses is -tolerable, and been known and exploited for a long time. - -Ssh provides an improved version of these types of authentication, -because they are very convenient for the user (and allow easy -transition from rsh and rlogin). It permits these types of -authentication, but additionally requires that the client host be -authenticated using RSA. - -The server has a list of host keys stored in /etc/ssh_known_host, and -additionally each user has host keys in $HOME/.ssh/known_hosts. Ssh -uses the name servers to obtain the canonical name of the client host, -looks for its public key in its known host files, and requires the -client to prove that it knows the private host key. This prevents IP -and routing spoofing attacks (as long as the client machine private -host key has not been compromized), but is still vulnerable to DNS -attacks (to a limited extent), and relies on the integrity of the -client machine as to who is requesting to log in. This prevents -outsiders from attacking, but does not protect against very powerful -attackers. If maximal security is desired, only RSA authentication -should be used. - -It is possible to enable conventional .rhosts and /etc/hosts.equiv -authentication (without host authentication) at compile time by giving -the option --with-rhosts to configure. However, this is not -recommended, and is not done by default. - -These weaknesses are present in rsh and rlogin. No improvement in -security will be obtained unless rlogin and rsh are completely -disabled (commented out in /etc/inetd.conf). This is highly -recommended. - - -WEAKEST LINKS IN SECURITY - -One should understand that while this software may provide -cryptographically secure communications, it may be easy to -monitor the communications at their endpoints. - -Basically, anyone with root access on the local machine on which you -are running the software may be able to do anything. Anyone with root -access on the server machine may be able to monitor your -communications, and a very talented root user might even be able to -send his/her own requests to your authentication agent. - -One should also be aware that computers send out electromagnetic -radition that can sometimes be picked up hundreds of meters away. -Your keyboard is particularly easy to listen to. The image on your -monitor might also be seen on another monitor in a van parked behind -your house. - -Beware that unwanted visitors might come to your home or office and -use your machine while you are away. They might also make -modifications or install bugs in your hardware or software. - -Beware that the most effective way for someone to decrypt your data -may be with a rubber hose. - - -LEGAL ISSUES - -As far as I am concerned, anyone is permitted to use this software -freely. However, see the file COPYING for detailed copying, -licensing, and distribution information. - -In some countries, particularly France, Russia, Iraq, and Pakistan, -it may be illegal to use any encryption at all without a special -permit, and the rumor has it that you cannot get a permit for any -strong encryption. - -This software may be freely imported into the United States; however, -the United States Government may consider re-exporting it a criminal -offence. - -Note that any information and cryptographic algorithms used in this -software are publicly available on the Internet and at any major -bookstore, scientific library, or patent office worldwide. - -THERE IS NO WARRANTY FOR THIS PROGRAM. Please consult the file -COPYING for more information. - - -MAILING LISTS AND OTHER INFORMATION - -There is a mailing list for ossh. It is ossh@sics.se. If you would -like to join, send a message to majordomo@sics.se with "subscribe -ssh" in body. - -The WWW home page for ssh is http://www.cs.hut.fi/ssh. It contains an -archive of the mailing list, and detailed information about new -releases, mailing lists, and other relevant issues. - -Bug reports should be sent to ossh-bugs@sics.se. - - -ABOUT THE AUTHOR - -This software was written by Tatu Ylonen . I work as a -researcher at Helsinki University of Technology, Finland. For more -information, see http://www.cs.hut.fi/~ylo/. My PGP public key is -available via finger from ylo@cs.hut.fi and from the key servers. I -prefer PGP encrypted mail. - -The author can be contacted via ordinary mail at - Tatu Ylonen - Helsinki University of Technology - Otakaari 1 - FIN-02150 ESPOO - Finland - - Fax. +358-0-4513293 - - -ACKNOWLEDGEMENTS - -I thank Tero Kivinen, Timo Rinne, Janne Snabb, and Heikki Suonsivu for -their help and comments in the design, implementation and porting of -this software. I also thank numerous contributors, including but not -limited to Walker Aumann, Jurgen Botz, Hans-Werner Braun, Stephane -Bortzmeyer, Adrian Colley, Michael Cooper, David Dombek, Jerome -Etienne, Bill Fithen, Mark Fullmer, Bert Gijsbers, Andreas Gustafsson, -Michael Henits, Steve Johnson, Thomas Koenig, Felix Leitner, Gunnar -Lindberg, Andrew Macpherson, Marc Martinec, Paul Mauvais, Donald -McKillican, Leon Mlakar, Robert Muchsel, Mark Treacy, Bryan -O'Sullivan, Mikael Suokas, Ollivier Robert, Jakob Schlyter, Tomasz -Surmacz, Alvar Vinacua, Petri Virkkula, Michael Warfield, and -Cristophe Wolfhugel. - -Thanks also go to Philip Zimmermann, whose PGP software and the -associated legal battle provided inspiration, motivation, and many -useful techniques, and to Bruce Schneier whose book Applied -Cryptography has done a great service in widely distributing knowledge -about cryptographic methods. - - -Copyright (c) 1995 Tatu Ylonen, Espoo, Finland. diff -ruN --exclude CVS ssh-openbsd-2000050800/README.Ylonen openssh-2.0.0beta2/README.Ylonen --- ssh-openbsd-2000050800/README.Ylonen Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/README.Ylonen Sun Mar 26 13:04:52 2000 @@ -0,0 +1,567 @@ + +[ Please note that this file has not been updated for OpenSSH and + covers the ssh-1.2.12 release from Dec 1995 only. ] + +Ssh (Secure Shell) is a program to log into another computer over a +network, to execute commands in a remote machine, and to move files +from one machine to another. It provides strong authentication and +secure communications over insecure channels. It is inteded as a +replacement for rlogin, rsh, rcp, and rdist. + +See the file INSTALL for installation instructions. See COPYING for +license terms and other legal issues. See RFC for a description of +the protocol. There is a WWW page for ssh; see http://www.cs.hut.fi/ssh. + +This file has been updated to match ssh-1.2.12. + + +FEATURES + + o Strong authentication. Closes several security holes (e.g., IP, + routing, and DNS spoofing). New authentication methods: .rhosts + together with RSA based host authentication, and pure RSA + authentication. + + o Improved privacy. All communications are automatically and + transparently encrypted. RSA is used for key exchange, and a + conventional cipher (normally IDEA, DES, or triple-DES) for + encrypting the session. Encryption is started before + authentication, and no passwords or other information is + transmitted in the clear. Encryption is also used to protect + against spoofed packets. + + o Secure X11 sessions. The program automatically sets DISPLAY on + the server machine, and forwards any X11 connections over the + secure channel. Fake Xauthority information is automatically + generated and forwarded to the remote machine; the local client + automatically examines incoming X11 connections and replaces the + fake authorization data with the real data (never telling the + remote machine the real information). + + o Arbitrary TCP/IP ports can be redirected through the encrypted channel + in both directions (e.g., for e-cash transactions). + + o No retraining needed for normal users; everything happens + automatically, and old .rhosts files will work with strong + authentication if administration installs host key files. + + o Never trusts the network. Minimal trust on the remote side of + the connection. Minimal trust on domain name servers. Pure RSA + authentication never trusts anything but the private key. + + o Client RSA-authenticates the server machine in the beginning of + every connection to prevent trojan horses (by routing or DNS + spoofing) and man-in-the-middle attacks, and the server + RSA-authenticates the client machine before accepting .rhosts or + /etc/hosts.equiv authentication (to prevent DNS, routing, or + IP-spoofing). + + o Host authentication key distribution can be centrally by the + administration, automatically when the first connection is made + to a machine (the key obtained on the first connection will be + recorded and used for authentication in the future), or manually + by each user for his/her own use. The central and per-user host + key repositories are both used and complement each other. Host + keys can be generated centrally or automatically when the software + is installed. Host authentication keys are typically 1024 bits. + + o Any user can create any number of user authentication RSA keys for + his/her own use. Each user has a file which lists the RSA public + keys for which proof of possession of the corresponding private + key is accepted as authentication. User authentication keys are + typically 1024 bits. + + o The server program has its own server RSA key which is + automatically regenerated every hour. This key is never saved in + any file. Exchanged session keys are encrypted using both the + server key and the server host key. The purpose of the separate + server key is to make it impossible to decipher a captured session by + breaking into the server machine at a later time; one hour from + the connection even the server machine cannot decipher the session + key. The key regeneration interval is configurable. The server + key is normally 768 bits. + + o An authentication agent, running in the user's laptop or local + workstation, can be used to hold the user's RSA authentication + keys. Ssh automatically forwards the connection to the + authentication agent over any connections, and there is no need to + store the RSA authentication keys on any machine in the network + (except the user's own local machine). The authentication + protocols never reveal the keys; they can only be used to verify + that the user's agent has a certain key. Eventually the agent + could rely on a smart card to perform all authentication + computations. + + o The software can be installed and used (with restricted + functionality) even without root privileges. + + o The client is customizable in system-wide and per-user + configuration files. Most aspects of the client's operation can + be configured. Different options can be specified on a per-host basis. + + o Automatically executes conventional rsh (after displaying a + warning) if the server machine is not running sshd. + + o Optional compression of all data with gzip (including forwarded X11 + and TCP/IP port data), which may result in significant speedups on + slow connections. + + o Complete replacement for rlogin, rsh, and rcp. + + +WHY TO USE SECURE SHELL + +Currently, almost all communications in computer networks are done +without encryption. As a consequence, anyone who has access to any +machine connected to the network can listen in on any communication. +This is being done by hackers, curious administrators, employers, +criminals, industrial spies, and governments. Some networks leak off +enough electromagnetic radiation that data may be captured even from a +distance. + +When you log in, your password goes in the network in plain +text. Thus, any listener can then use your account to do any evil he +likes. Many incidents have been encountered worldwide where crackers +have started programs on workstations without the owners knowledge +just to listen to the network and collect passwords. Programs for +doing this are available on the Internet, or can be built by a +competent programmer in a few hours. + +Any information that you type or is printed on your screen can be +monitored, recorded, and analyzed. For example, an intruder who has +penetrated a host connected to a major network can start a program +that listens to all data flowing in the network, and whenever it +encounters a 16-digit string, it checks if it is a valid credit card +number (using the check digit), and saves the number plus any +surrounding text (to catch expiration date and holder) in a file. +When the intruder has collected a few thousand credit card numbers, he +makes smallish mail-order purchases from a few thousand stores around +the world, and disappears when the goods arrive but before anyone +suspects anything. + +Businesses have trade secrets, patent applications in preparation, +pricing information, subcontractor information, client data, personnel +data, financial information, etc. Currently, anyone with access to +the network (any machine on the network) can listen to anything that +goes in the network, without any regard to normal access restrictions. + +Many companies are not aware that information can so easily be +recovered from the network. They trust that their data is safe +since nobody is supposed to know that there is sensitive information +in the network, or because so much other data is transferred in the +network. This is not a safe policy. + +Individual persons also have confidential information, such as +diaries, love letters, health care documents, information about their +personal interests and habits, professional data, job applications, +tax reports, political documents, unpublished manuscripts, etc. + +One should also be aware that economical intelligence and industrial +espionage has recently become a major priority of the intelligence +agencies of major governments. President Clinton recently assigned +economical espionage as the primary task of the CIA, and the French +have repeatedly been publicly boasting about their achievements on +this field. + + +There is also another frightening aspect about the poor security of +communications. Computer storage and analysis capability has +increased so much that it is feasible for governments, major +companies, and criminal organizations to automatically analyze, +identify, classify, and file information about millions of people over +the years. Because most of the work can be automated, the cost of +collecting this information is getting very low. + +Government agencies may be able to monitor major communication +systems, telephones, fax, computer networks, etc., and passively +collect huge amounts of information about all people with any +significant position in the society. Most of this information is not +sensitive, and many people would say there is no harm in someone +getting that information. However, the information starts to get +sensitive when someone has enough of it. You may not mind someone +knowing what you bought from the shop one random day, but you might +not like someone knowing every small thing you have bought in the last +ten years. + +If the government some day starts to move into a more totalitarian +direction (one should remember that Nazi Germany was created by +democratic elections), there is considerable danger of an ultimate +totalitarian state. With enough information (the automatically +collected records of an individual can be manually analyzed when the +person becomes interesting), one can form a very detailed picture of +the individual's interests, opinions, beliefs, habits, friends, +lovers, weaknesses, etc. This information can be used to 1) locate +any persons who might oppose the new system 2) use deception to +disturb any organizations which might rise against the government 3) +eliminate difficult individuals without anyone understanding what +happened. Additionally, if the government can monitor communications +too effectively, it becomes too easy to locate and eliminate any +persons distributing information contrary to the official truth. + +Fighting crime and terrorism are often used as grounds for domestic +surveillance and restricting encryption. These are good goals, but +there is considerable danger that the surveillance data starts to get +used for questionable purposes. I find that it is better to tolerate +a small amount of crime in the society than to let the society become +fully controlled. I am in favor of a fairly strong state, but the +state must never get so strong that people become unable to spread +contra-offical information and unable to overturn the government if it +is bad. The danger is that when you notice that the government is +too powerful, it is too late. Also, the real power may not be where +the official government is. + +For these reasons (privacy, protecting trade secrets, and making it +more difficult to create a totalitarian state), I think that strong +cryptography should be integrated to the tools we use every day. +Using it causes no harm (except for those who wish to monitor +everything), but not using it can cause huge problems. If the society +changes in undesirable ways, then it will be to late to start +encrypting. + +Encryption has had a "military" or "classified" flavor to it. There +are no longer any grounds for this. The military can and will use its +own encryption; that is no excuse to prevent the civilians from +protecting their privacy and secrets. Information on strong +encryption is available in every major bookstore, scientific library, +and patent office around the world, and strong encryption software is +available in every country on the Internet. + +Some people would like to make it illegal to use encryption, or to +force people to use encryption that governments can break. This +approach offers no protection if the government turns bad. Also, the +"bad guys" will be using true strong encryption anyway. Good +encryption techniques are too widely known to make them disappear. +Thus, any "key escrow encryption" or other restrictions will only help +monitor ordinary people and petty criminals. It does not help against +powerful criminals, terrorists, or espionage, because they will know +how to use strong encryption anyway. (One source for internationally +available encryption software is http://www.cs.hut.fi/crypto.) + + +OVERVIEW OF SECURE SHELL + +The software consists of a number of programs. + + sshd Server program run on the server machine. This + listens for connections from client machines, and + whenever it receives a connection, it performs + authentication and starts serving the client. + + ssh This is the client program used to log into another + machine or to execute commands on the other machine. + "slogin" is another name for this program. + + scp Securely copies files from one machine to another. + + ssh-keygen Used to create RSA keys (host keys and user + authentication keys). + + ssh-agent Authentication agent. This can be used to hold RSA + keys for authentication. + + ssh-add Used to register new keys with the agent. + + make-ssh-known-hosts + Used to create the /etc/ssh_known_hosts file. + + +Ssh is the program users normally use. It is started as + + ssh host + +or + + ssh host command + +The first form opens a new shell on the remote machine (after +authentication). The latter form executes the command on the remote +machine. + +When started, the ssh connects sshd on the server machine, verifies +that the server machine really is the machine it wanted to connect, +exchanges encryption keys (in a manner which prevents an outside +listener from getting the keys), performs authentication using .rhosts +and /etc/hosts.equiv, RSA authentication, or conventional password +based authentication. The server then (normally) allocates a +pseudo-terminal and starts an interactive shell or user program. + +The TERM environment variable (describing the type of the user's +terminal) is passed from the client side to the remote side. Also, +terminal modes will be copied from the client side to the remote side +to preserve user preferences (e.g., the erase character). + +If the DISPLAY variable is set on the client side, the server will +create a dummy X server and set DISPLAY accordingly. Any connections +to the dummy X server will be forwarded through the secure channel, +and will be made to the real X server from the client side. An +arbitrary number of X programs can be started during the session, and +starting them does not require anything special from the user. (Note +that the user must not manually set DISPLAY, because then it would +connect directly to the real display instead of going through the +encrypted channel). This behavior can be disabled in the +configuration file or by giving the -x option to the client. + +Arbitrary IP ports can be forwarded over the secure channel. The +program then creates a port on one side, and whenever a connection is +opened to this port, it will be passed over the secure channel, and a +connection will be made from the other side to a specified host:port +pair. Arbitrary IP forwarding must always be explicitly requested, +and cannot be used to forward privileged ports (unless the user is +root). It is possible to specify automatic forwards in a per-user +configuration file, for example to make electronic cash systems work +securely. + +If there is an authentication agent on the client side, connection to +it will be automatically forwarded to the server side. + +For more infomation, see the manual pages ssh(1), sshd(8), scp(1), +ssh-keygen(1), ssh-agent(1), ssh-add(1), and make-ssh-known-hosts(1) +included in this distribution. + + +X11 CONNECTION FORWARDING + +X11 forwarding serves two purposes: it is a convenience to the user +because there is no need to set the DISPLAY variable, and it provides +encrypted X11 connections. I cannot think of any other easy way to +make X11 connections encrypted; modifying the X server, clients or +libraries would require special work for each machine, vendor and +application. Widely used IP-level encryption does not seem likely for +several years. Thus what we have left is faking an X server on the +same machine where the clients are run, and forwarding the connections +to a real X server over the secure channel. + +X11 forwarding works as follows. The client extracts Xauthority +information for the server. It then creates random authorization +data, and sends the random data to the server. The server allocates +an X11 display number, and stores the (fake) Xauthority data for this +display. Whenever an X11 connection is opened, the server forwards +the connection over the secure channel to the client, and the client +parses the first packet of the X11 protocol, substitutes real +authentication data for the fake data (if the fake data matched), and +forwards the connection to the real X server. + +If the display does not have Xauthority data, the server will create a +unix domain socket in /tmp/.X11-unix, and use the unix domain socket +as the display. No authentication information is forwarded in this +case. X11 connections are again forwarded over the secure channel. +To the X server the connections appear to come from the client +machine, and the server must have connections allowed from the local +machine. Using authentication data is always recommended because not +using it makes the display insecure. If XDM is used, it automatically +generates the authentication data. + +One should be careful not to use "xin" or "xstart" or other similar +scripts that explicitly set DISPLAY to start X sessions in a remote +machine, because the connection will then not go over the secure +channel. The recommended way to start a shell in a remote machine is + + xterm -e ssh host & + +and the recommended way to execute an X11 application in a remote +machine is + + ssh -n host emacs & + +If you need to type a password/passphrase for the remote machine, + + ssh -f host emacs + +may be useful. + + + +RSA AUTHENTICATION + +RSA authentication is based on public key cryptograpy. The idea is +that there are two encryption keys, one for encryption and another for +decryption. It is not possible (on human timescale) to derive the +decryption key from the encryption key. The encryption key is called +the public key, because it can be given to anyone and it is not +secret. The decryption key, on the other hand, is secret, and is +called the private key. + +RSA authentication is based on the impossibility of deriving the +private key from the public key. The public key is stored on the +server machine in the user's $HOME/.ssh/authorized_keys file. The +private key is only kept on the user's local machine, laptop, or other +secure storage. Then the user tries to log in, the client tells the +server the public key that the user wishes to use for authentication. +The server then checks if this public key is admissible. If so, it +generates a 256 bit random number, encrypts it with the public key, +and sends the value to the client. The client then decrypts the +number with its private key, computes a 128 bit MD5 checksum from the +resulting data, and sends the checksum back to the server. (Only a +checksum is sent to prevent chosen-plaintext attacks against RSA.) +The server checks computes a checksum from the correct data, +and compares the checksums. Authentication is accepted if the +checksums match. (Theoretically this indicates that the client +only probably knows the correct key, but for all practical purposes +there is no doubt.) + +The RSA private key can be protected with a passphrase. The +passphrase can be any string; it is hashed with MD5 to produce an +encryption key for IDEA, which is used to encrypt the private part of +the key file. With passphrase, authorization requires access to the key +file and the passphrase. Without passphrase, authorization only +depends on possession of the key file. + +RSA authentication is the most secure form of authentication supported +by this software. It does not rely on the network, routers, domain +name servers, or the client machine. The only thing that matters is +access to the private key. + +All this, of course, depends on the security of the RSA algorithm +itself. RSA has been widely known since about 1978, and no effective +methods for breaking it are known if it is used properly. Care has +been taken to avoid the well-known pitfalls. Breaking RSA is widely +believed to be equivalent to factoring, which is a very hard +mathematical problem that has received considerable public research. +So far, no effective methods are known for numbers bigger than about +512 bits. However, as computer speeds and factoring methods are +increasing, 512 bits can no longer be considered secure. The +factoring work is exponential, and 768 or 1024 bits are widely +considered to be secure in the near future. + + +RHOSTS AUTHENTICATION + +Conventional .rhosts and hosts.equiv based authentication mechanisms +are fundamentally insecure due to IP, DNS (domain name server) and +routing spoofing attacks. Additionally this authentication method +relies on the integrity of the client machine. These weaknesses is +tolerable, and been known and exploited for a long time. + +Ssh provides an improved version of these types of authentication, +because they are very convenient for the user (and allow easy +transition from rsh and rlogin). It permits these types of +authentication, but additionally requires that the client host be +authenticated using RSA. + +The server has a list of host keys stored in /etc/ssh_known_host, and +additionally each user has host keys in $HOME/.ssh/known_hosts. Ssh +uses the name servers to obtain the canonical name of the client host, +looks for its public key in its known host files, and requires the +client to prove that it knows the private host key. This prevents IP +and routing spoofing attacks (as long as the client machine private +host key has not been compromized), but is still vulnerable to DNS +attacks (to a limited extent), and relies on the integrity of the +client machine as to who is requesting to log in. This prevents +outsiders from attacking, but does not protect against very powerful +attackers. If maximal security is desired, only RSA authentication +should be used. + +It is possible to enable conventional .rhosts and /etc/hosts.equiv +authentication (without host authentication) at compile time by giving +the option --with-rhosts to configure. However, this is not +recommended, and is not done by default. + +These weaknesses are present in rsh and rlogin. No improvement in +security will be obtained unless rlogin and rsh are completely +disabled (commented out in /etc/inetd.conf). This is highly +recommended. + + +WEAKEST LINKS IN SECURITY + +One should understand that while this software may provide +cryptographically secure communications, it may be easy to +monitor the communications at their endpoints. + +Basically, anyone with root access on the local machine on which you +are running the software may be able to do anything. Anyone with root +access on the server machine may be able to monitor your +communications, and a very talented root user might even be able to +send his/her own requests to your authentication agent. + +One should also be aware that computers send out electromagnetic +radition that can sometimes be picked up hundreds of meters away. +Your keyboard is particularly easy to listen to. The image on your +monitor might also be seen on another monitor in a van parked behind +your house. + +Beware that unwanted visitors might come to your home or office and +use your machine while you are away. They might also make +modifications or install bugs in your hardware or software. + +Beware that the most effective way for someone to decrypt your data +may be with a rubber hose. + + +LEGAL ISSUES + +As far as I am concerned, anyone is permitted to use this software +freely. However, see the file COPYING for detailed copying, +licensing, and distribution information. + +In some countries, particularly France, Russia, Iraq, and Pakistan, +it may be illegal to use any encryption at all without a special +permit, and the rumor has it that you cannot get a permit for any +strong encryption. + +This software may be freely imported into the United States; however, +the United States Government may consider re-exporting it a criminal +offence. + +Note that any information and cryptographic algorithms used in this +software are publicly available on the Internet and at any major +bookstore, scientific library, or patent office worldwide. + +THERE IS NO WARRANTY FOR THIS PROGRAM. Please consult the file +COPYING for more information. + + +MAILING LISTS AND OTHER INFORMATION + +There is a mailing list for ossh. It is ossh@sics.se. If you would +like to join, send a message to majordomo@sics.se with "subscribe +ssh" in body. + +The WWW home page for ssh is http://www.cs.hut.fi/ssh. It contains an +archive of the mailing list, and detailed information about new +releases, mailing lists, and other relevant issues. + +Bug reports should be sent to ossh-bugs@sics.se. + + +ABOUT THE AUTHOR + +This software was written by Tatu Ylonen . I work as a +researcher at Helsinki University of Technology, Finland. For more +information, see http://www.cs.hut.fi/~ylo/. My PGP public key is +available via finger from ylo@cs.hut.fi and from the key servers. I +prefer PGP encrypted mail. + +The author can be contacted via ordinary mail at + Tatu Ylonen + Helsinki University of Technology + Otakaari 1 + FIN-02150 ESPOO + Finland + + Fax. +358-0-4513293 + + +ACKNOWLEDGEMENTS + +I thank Tero Kivinen, Timo Rinne, Janne Snabb, and Heikki Suonsivu for +their help and comments in the design, implementation and porting of +this software. I also thank numerous contributors, including but not +limited to Walker Aumann, Jurgen Botz, Hans-Werner Braun, Stephane +Bortzmeyer, Adrian Colley, Michael Cooper, David Dombek, Jerome +Etienne, Bill Fithen, Mark Fullmer, Bert Gijsbers, Andreas Gustafsson, +Michael Henits, Steve Johnson, Thomas Koenig, Felix Leitner, Gunnar +Lindberg, Andrew Macpherson, Marc Martinec, Paul Mauvais, Donald +McKillican, Leon Mlakar, Robert Muchsel, Mark Treacy, Bryan +O'Sullivan, Mikael Suokas, Ollivier Robert, Jakob Schlyter, Tomasz +Surmacz, Alvar Vinacua, Petri Virkkula, Michael Warfield, and +Cristophe Wolfhugel. + +Thanks also go to Philip Zimmermann, whose PGP software and the +associated legal battle provided inspiration, motivation, and many +useful techniques, and to Bruce Schneier whose book Applied +Cryptography has done a great service in widely distributing knowledge +about cryptographic methods. + + +Copyright (c) 1995 Tatu Ylonen, Espoo, Finland. diff -ruN --exclude CVS ssh-openbsd-2000050800/README.openssh2 openssh-2.0.0beta2/README.openssh2 --- ssh-openbsd-2000050800/README.openssh2 Mon May 8 12:53:40 2000 +++ openssh-2.0.0beta2/README.openssh2 Mon May 8 13:44:53 2000 @@ -1,4 +1,4 @@ -$Id: README.openssh2,v 1.8 2000/05/07 18:30:03 markus Exp $ +$Id: README.openssh2,v 1.6 2000/05/08 03:44:53 damien Exp $ howto: 1) generate server key: @@ -41,4 +41,4 @@ sftp -markus -$Date: 2000/05/07 18:30:03 $ +$Date: 2000/05/08 03:44:53 $ diff -ruN --exclude CVS ssh-openbsd-2000050800/TODO openssh-2.0.0beta2/TODO --- ssh-openbsd-2000050800/TODO Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/TODO Thu Apr 6 12:36:06 2000 @@ -0,0 +1,15 @@ +- Replacement for setproctitle() + +- Improve PAM support (a pam_lastlog module will cause sshd to exit) + +- Better documentation + +- Replace the horror in acconfig.h which tries to comphensate for the + lack of u_intXX_t types. There must be a better way. + +- Move all compatability cruft (bsd-*, fake-*) into subordinate library + +- Cleanup configure.in + +- Load / write random seed on startup / exit + diff -ruN --exclude CVS ssh-openbsd-2000050800/UPGRADING openssh-2.0.0beta2/UPGRADING --- ssh-openbsd-2000050800/UPGRADING Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/UPGRADING Fri Mar 17 10:54:16 2000 @@ -0,0 +1,132 @@ +[ A Japanese translation of this document is available at +[ http://www.unixuser.org/%7Eharuyama/security/openssh/index.html +[ Thanks to HARUYAMA Seigo + +OpenSSH is almost completely compatible with the commercial SSH 1.2.x. +There are, however, a few exceptions that you will need to bear in +mind while upgrading: + +1. OpenSSH does not support any patented transport algorithms. + +Only 3DES and Blowfish can be selected. This difference may manifest +itself in the ssh command refusing to read its config files. + +Solution: Edit /etc/ssh/ssh_config and select a different "Cipher" +option ("3des" or "blowfish"). + +2. Old versions of commercial SSH encrypt host keys with IDEA + +The old versions of SSH used a patented algorithm to encrypt their +/etc/ssh/ssh_host_key + +This problem will manifest as sshd not being able to read its host +key. + +Solution: You will need to run the *commercial* version of ssh-keygen +on the host's private key: + +ssh-keygen -u -f /etc/ssh/ssh_host_key + +3. Incompatible changes to sshd_config format. + +OpenSSH extends the sshd_config file format in a number of ways. There +is currently one change which is incompatible with the old. + +Commercial SSH controlled logging using the "QuietMode" and +"FascistLogging" directives. OpenSSH introduces a more general set of +logging options "SyslogFacility" and "LogLevel". See the sshd manual +page for details. + +4. Warning messages about key lengths + +Commercial SSH's ssh-keygen program contained a bug which caused it to +occasionally generate RSA keys which had their Most Significant Bit +(MSB) unset. Such keys were advertised as being full-length, but are +actually only half as secure. + +OpenSSH will print warning messages when it encounters such keys. To +rid yourself of these message, edit you known_hosts files and replace +the incorrect key length (usually "1024") with the correct key length +(usually "1023"). + +5. Spurious PAM authentication messages in logfiles + +OpenSSH will generate spurious authentication failures at every login, +similar to "authentication failure; (uid=0) -> root for sshd service". +These are generated because OpenSSH first tries to determine whether a +user needs authentication to login (e.g. empty password). Unfortunatly +PAM likes to log all authentication events, this one included. + +If it annoys you too much, set "PermitEmptyPasswords no" in +sshd_config. This will quiet the error message at the expense of +disabling logins to accounts with no password set. This is the +default if you use the supplied sshd_config file. + +6. Empty passwords not allowed with PAM authentication + +To enable empty passwords with a version of OpenSSH built with PAM you +must add the flag "nullok" to the end of the password checking module +in the /etc/pam.d/sshd file. For example: + +auth required/lib/security/pam_unix.so shadow nodelay nullok + +This must be done in addtion to setting "PermitEmptyPasswords yes" +in the sshd_config file. + +There is one caveat when using empty passwords with PAM +authentication: PAM will allow _any_ password when authenticating +an account with an empty password. This breaks the check that sshd +uses to determined whether an account has no password set and grant +users access to the account regardless of the policy specified by +"PermitEmptyPasswords". For this reason, it is recommended that you do +not add the "nullok" directive to your PAM configuration file unless +you specifically wish to allow empty passwords. + +7. X11 and/or agent forwarding does not work + +Check your ssh_config and sshd_config. The default configuration files +disable authentication agent and X11 forwarding. + +8. ssh takes a long time to connect with Linux/glibc 2.1 + +The glibc shipped with Redhat 6.1 appears to take a long time to resolve +"IPv6 or IPv4" addresses from domain names. This can be kludged around +with the --with-ipv4-default configure option. This instructs OpenSSH to +use IPv4-only address resolution. (IPv6 lookups may still be made by +specifying the -6 option). + +9. Logins from commercial ssh generate the error "Selected cipher type + idea not supported by server" + +This error is generated when a commercial ssh which has been configured to +use the 'idea' cipher attempts to connect to an OpenSSH server. To rectify +this, select a different cipher in ssh_config or ~/.ssh/config (3des for +security or blowfish for speed). + +10. "can't locate module net-pf-10" messages in log under Linux + +The Linux kernel is looking (via modprobe) for protocol family 10 (IPv6). +Either 1. load the appropriate kernel module, 2. enter the correct alias +in /etc/modules.conf or 3. disable IPv6 in /etc/modules.conf. + +For some silly reason /etc/modules.conf may also be named /etc/conf.modules + +11. Password authentication doesn't work on Slackware 7.0 + +Configure OpenSSH with --with-md5-passwords + +12. ./configure or sshd complain about lack of RSA support + +Ensure that your OpenSSL libraries have been built to include RSA support +either internally or through RSAref. + +13. "scp: command not found" errors + +scp must be in the default PATH on both the client and the server. You may +need to use the --with-default-path option to specify a custom path to +search on the server. This option replaces the default path, so you need +to specify all the current directories on your path as well as where you +have installed scp. For example: + +./configure --with-default-path=/bin:/usr/bin:/usr/local/bin:/path/to/scp + diff -ruN --exclude CVS ssh-openbsd-2000050800/acconfig.h openssh-2.0.0beta2/acconfig.h --- ssh-openbsd-2000050800/acconfig.h Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/acconfig.h Tue May 2 09:56:41 2000 @@ -0,0 +1,162 @@ +#ifndef _CONFIG_H +#define _CONFIG_H + +/* Generated automatically from acconfig.h by autoheader. */ +/* Please make your changes there */ + +@TOP@ + +/* Define if you want to disable PAM support */ +#undef DISABLE_PAM + +/* Define if you want to disable AIX4's authenticate function */ +#undef WITH_AIXAUTHENTICATE + +/* Define if you want to disable lastlog support */ +#undef DISABLE_LASTLOG + +/* Location of lastlog file */ +#undef LASTLOG_LOCATION + +/* If lastlog is a directory */ +#undef LASTLOG_IS_DIR + +/* Location of random number pool */ +#undef RANDOM_POOL + +/* Location of EGD random number socket */ +#undef EGD_SOCKET + +/* Builtin PRNG command timeout */ +#undef ENTROPY_TIMEOUT_MSEC + +/* Define if you want to install preformatted manpages.*/ +#undef MANTYPE + +/* Define if your ssl headers are included with #include */ +#undef HAVE_OPENSSL + +/* Define if you are linking against RSAref. Used only to print the right + * message at run-time. */ +#undef RSAREF + +/* struct utmp and struct utmpx fields */ +#undef HAVE_HOST_IN_UTMP +#undef HAVE_HOST_IN_UTMPX +#undef HAVE_ADDR_IN_UTMP +#undef HAVE_ADDR_IN_UTMPX +#undef HAVE_ADDR_V6_IN_UTMP +#undef HAVE_ADDR_V6_IN_UTMPX +#undef HAVE_SYSLEN_IN_UTMPX +#undef HAVE_PID_IN_UTMP +#undef HAVE_TYPE_IN_UTMP +#undef HAVE_TV_IN_UTMP +#undef HAVE_ID_IN_UTMP + +/* Define if you want to use utmpx */ +#undef USE_UTMPX + +/* Define is libutil has login() function */ +#undef HAVE_LIBUTIL_LOGIN + +/* Define if you want external askpass support */ +#undef USE_EXTERNAL_ASKPASS + +/* Define if libc defines __progname */ +#undef HAVE___PROGNAME + +/* Define if you want Kerberos 4 support */ +#undef KRB4 + +/* Define if you want AFS support */ +#undef AFS + +/* Define if you want S/Key support */ +#undef SKEY + +/* Define if you want TCP Wrappers support */ +#undef LIBWRAP + +/* Define if your libraries define login() */ +#undef HAVE_LOGIN + +/* Define if your libraries define daemon() */ +#undef HAVE_DAEMON + +/* Define if your libraries define getpagesize() */ +#undef HAVE_GETPAGESIZE + +/* Define if xauth is found in your path */ +#undef XAUTH_PATH + +/* Define if rsh is found in your path */ +#undef RSH_PATH + +/* Define if you want to allow MD5 passwords */ +#undef HAVE_MD5_PASSWORDS + +/* Define if you want to disable shadow passwords */ +#undef DISABLE_SHADOW + +/* Define if you want have trusted HPUX */ +#undef HAVE_HPUX_TRUSTED_SYSTEM_PW + +/* Defined if in_systm.h needs to be included with netinet/ip.h (HPUX - ) */ +#undef NEED_IN_SYSTM_H + +/* Define if you have an old version of PAM which takes only one argument */ +/* to pam_strerror */ +#undef HAVE_OLD_PAM + +/* Set this to your mail directory if you don't have maillock.h */ +#undef MAIL_DIRECTORY + +/* Data types */ +#undef HAVE_INTXX_T +#undef HAVE_U_INTXX_T +#undef HAVE_UINTXX_T +#undef HAVE_SOCKLEN_T +#undef HAVE_SIZE_T +#undef HAVE_STRUCT_SOCKADDR_STORAGE +#undef HAVE_STRUCT_ADDRINFO +#undef HAVE_STRUCT_IN6_ADDR +#undef HAVE_STRUCT_SOCKADDR_IN6 + +/* Fields in struct sockaddr_storage */ +#undef HAVE_SS_FAMILY_IN_SS +#undef HAVE___SS_FAMILY_IN_SS + +/* Define if you have /dev/ptmx */ +#undef HAVE_DEV_PTMX + +/* Define if you have /dev/ptc */ +#undef HAVE_DEV_PTS_AND_PTC + +/* Define if you need to use IP address instead of hostname in $DISPLAY */ +#undef IPADDR_IN_DISPLAY + +/* Specify default $PATH */ +#undef USER_PATH + +/* Specify location of ssh.pid */ +#undef PIDDIR + +/* Use IPv4 for connection by default, IPv6 can still if explicity asked */ +#undef IPV4_DEFAULT + +/* getaddrinfo is broken (if present) */ +#undef BROKEN_GETADDRINFO + +/* Workaround more Linux IPv6 quirks */ +#undef DONT_TRY_OTHER_AF + +/* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */ +#undef IPV4_IN_IPV6 + +@BOTTOM@ + +/* ******************* Shouldn't need to edit below this line ************** */ + +#include "defines.h" + +#endif /* _CONFIG_H */ diff -ruN --exclude CVS ssh-openbsd-2000050800/aclocal.m4 openssh-2.0.0beta2/aclocal.m4 --- ssh-openbsd-2000050800/aclocal.m4 Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/aclocal.m4 Tue May 2 09:57:51 2000 @@ -0,0 +1,15 @@ +dnl $Id: aclocal.m4,v 1.1 2000/05/01 23:57:51 damien Exp $ +dnl +dnl OpenSSH-specific autoconf macros +dnl + +dnl AC_PATH_ENTROPY_PROG(variablename, command): +dnl Tidiness function, sets 'undef' if not found, and does the AC_SUBST +AC_DEFUN(AC_PATH_ENTROPY_PROG, [ + AC_PATH_PROG([$1], [$2]) + if test -z "[$]$1" ; then + $1="undef" + fi + AC_SUBST([$1]) +]) + diff -ruN --exclude CVS ssh-openbsd-2000050800/auth-pam.c openssh-2.0.0beta2/auth-pam.c --- ssh-openbsd-2000050800/auth-pam.c Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/auth-pam.c Sun Apr 30 00:47:29 2000 @@ -0,0 +1,244 @@ +/* + * Author: Damien Miller + * Copyright (c) 1999 Damien Miller + * All rights reserved + * Created: Thursday December 30 1999 + * PAM authentication and session management code. + */ + +#include "includes.h" + +#ifdef USE_PAM +#include "ssh.h" +#include "xmalloc.h" +#include "servconf.h" + +RCSID("$Id: auth-pam.c,v 1.4 2000/04/29 14:47:29 damien Exp $"); + +/* Callbacks */ +static int pamconv(int num_msg, const struct pam_message **msg, + struct pam_response **resp, void *appdata_ptr); +void pam_cleanup_proc(void *context); + +/* module-local variables */ +static struct pam_conv conv = { + pamconv, + NULL +}; +static struct pam_handle_t *pamh = NULL; +static const char *pampasswd = NULL; +static char *pamconv_msg = NULL; + +/* PAM conversation function. This is really a kludge to get the password */ +/* into PAM and to pick up any messages generated by PAM into pamconv_msg */ +static int pamconv(int num_msg, const struct pam_message **msg, + struct pam_response **resp, void *appdata_ptr) +{ + struct pam_response *reply; + int count; + size_t msg_len; + char *p; + + /* PAM will free this later */ + reply = malloc(num_msg * sizeof(*reply)); + if (reply == NULL) + return PAM_CONV_ERR; + + for(count = 0; count < num_msg; count++) { + switch (msg[count]->msg_style) { + case PAM_PROMPT_ECHO_OFF: + if (pampasswd == NULL) { + free(reply); + return PAM_CONV_ERR; + } + reply[count].resp_retcode = PAM_SUCCESS; + reply[count].resp = xstrdup(pampasswd); + break; + + case PAM_TEXT_INFO: + reply[count].resp_retcode = PAM_SUCCESS; + reply[count].resp = xstrdup(""); + + if (msg[count]->msg == NULL) + break; + + debug("Adding PAM message: %s", msg[count]->msg); + + msg_len = strlen(msg[count]->msg); + if (pamconv_msg) { + size_t n = strlen(pamconv_msg); + pamconv_msg = xrealloc(pamconv_msg, n + msg_len + 2); + p = pamconv_msg + n; + } else { + pamconv_msg = p = xmalloc(msg_len + 2); + } + memcpy(p, msg[count]->msg, msg_len); + p[msg_len] = '\n'; + p[msg_len + 1] = '\0'; + break; + + case PAM_PROMPT_ECHO_ON: + case PAM_ERROR_MSG: + default: + free(reply); + return PAM_CONV_ERR; + } + } + + *resp = reply; + + return PAM_SUCCESS; +} + +/* Called at exit to cleanly shutdown PAM */ +void pam_cleanup_proc(void *context) +{ + int pam_retval; + + if (pamh != NULL) + { + pam_retval = pam_close_session((pam_handle_t *)pamh, 0); + if (pam_retval != PAM_SUCCESS) { + log("Cannot close PAM session: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + + pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED); + if (pam_retval != PAM_SUCCESS) { + log("Cannot delete credentials: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + + pam_retval = pam_end((pam_handle_t *)pamh, pam_retval); + if (pam_retval != PAM_SUCCESS) { + log("Cannot release PAM authentication: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + } +} + +/* Attempt password authentation using PAM */ +int auth_pam_password(struct passwd *pw, const char *password) +{ + extern ServerOptions options; + int pam_retval; + + /* deny if no user. */ + if (pw == NULL) + return 0; + if (pw->pw_uid == 0 && options.permit_root_login == 2) + return 0; + if (*password == '\0' && options.permit_empty_passwd == 0) + return 0; + + pampasswd = password; + + pam_retval = pam_authenticate((pam_handle_t *)pamh, 0); + if (pam_retval == PAM_SUCCESS) { + debug("PAM Password authentication accepted for user \"%.100s\"", pw->pw_name); + return 1; + } else { + debug("PAM Password authentication for \"%.100s\" failed: %s", + pw->pw_name, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + return 0; + } +} + +/* Do account management using PAM */ +int do_pam_account(char *username, char *remote_user) +{ + int pam_retval; + + debug("PAM setting rhost to \"%.200s\"", get_canonical_hostname()); + pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, + get_canonical_hostname()); + if (pam_retval != PAM_SUCCESS) { + fatal("PAM set rhost failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + + if (remote_user != NULL) { + debug("PAM setting ruser to \"%.200s\"", remote_user); + pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user); + if (pam_retval != PAM_SUCCESS) { + fatal("PAM set ruser failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + } + + pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0); + if (pam_retval != PAM_SUCCESS) { + log("PAM rejected by account configuration: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + return(0); + } + + return(1); +} + +/* Do PAM-specific session initialisation */ +void do_pam_session(char *username, const char *ttyname) +{ + int pam_retval; + + if (ttyname != NULL) { + debug("PAM setting tty to \"%.200s\"", ttyname); + pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_TTY, ttyname); + if (pam_retval != PAM_SUCCESS) + fatal("PAM set tty failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + + pam_retval = pam_open_session((pam_handle_t *)pamh, 0); + if (pam_retval != PAM_SUCCESS) + fatal("PAM session setup failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); +} + +/* Set PAM credentials */ +void do_pam_setcred() +{ + int pam_retval; + + debug("PAM establishing creds"); + pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_ESTABLISH_CRED); + if (pam_retval != PAM_SUCCESS) + fatal("PAM setcred failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); +} + +/* Cleanly shutdown PAM */ +void finish_pam(void) +{ + pam_cleanup_proc(NULL); + fatal_remove_cleanup(&pam_cleanup_proc, NULL); +} + +/* Start PAM authentication for specified account */ +void start_pam(struct passwd *pw) +{ + int pam_retval; + + debug("Starting up PAM with username \"%.200s\"", pw->pw_name); + + pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, + (pam_handle_t**)&pamh); + if (pam_retval != PAM_SUCCESS) + fatal("PAM initialisation failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + + fatal_add_cleanup(&pam_cleanup_proc, NULL); +} + +/* Return list of PAM enviornment strings */ +char **fetch_pam_environment(void) +{ +#ifdef HAVE_PAM_GETENVLIST + return(pam_getenvlist((pam_handle_t *)pamh)); +#else /* HAVE_PAM_GETENVLIST */ + return(NULL); +#endif /* HAVE_PAM_GETENVLIST */ +} + +/* Print any messages that have been generated during authentication */ +/* or account checking to stderr */ +void print_pam_messages(void) +{ + if (pamconv_msg != NULL) + fprintf(stderr, pamconv_msg); +} + +#endif /* USE_PAM */ diff -ruN --exclude CVS ssh-openbsd-2000050800/auth-pam.h openssh-2.0.0beta2/auth-pam.h --- ssh-openbsd-2000050800/auth-pam.h Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/auth-pam.h Thu Jan 27 10:55:38 2000 @@ -0,0 +1,15 @@ +#include "includes.h" +#ifdef USE_PAM + +#include /* For struct passwd */ + +void start_pam(struct passwd *pw); +void finish_pam(void); +int auth_pam_password(struct passwd *pw, const char *password); +char **fetch_pam_environment(void); +int do_pam_account(char *username, char *remote_user); +void do_pam_session(char *username, const char *ttyname); +void do_pam_setcred(); +void print_pam_messages(void); + +#endif /* USE_PAM */ diff -ruN --exclude CVS ssh-openbsd-2000050800/auth-passwd.c openssh-2.0.0beta2/auth-passwd.c --- ssh-openbsd-2000050800/auth-passwd.c Sun Apr 16 12:53:05 2000 +++ openssh-2.0.0beta2/auth-passwd.c Sun Apr 30 00:47:29 2000 @@ -8,6 +8,9 @@ */ #include "includes.h" + +#ifndef USE_PAM + RCSID("$Id: auth-passwd.c,v 1.15 2000/04/14 10:30:29 markus Exp $"); #include "packet.h" @@ -15,6 +18,20 @@ #include "servconf.h" #include "xmalloc.h" +#ifdef WITH_AIXAUTHENTICATE +# include +#endif +#ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW +# include +# include +#endif +#ifdef HAVE_SHADOW_H +# include +#endif +#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) +# include "md5crypt.h" +#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ + /* * Tries to authenticate the user using password. Returns true if * authentication succeeds. @@ -24,6 +41,16 @@ { extern ServerOptions options; char *encrypted_password; + char *pw_password; + char *salt; +#ifdef HAVE_SHADOW_H + struct spwd *spw; +#endif +#ifdef WITH_AIXAUTHENTICATE + char *authmsg; + char *loginmsg; + int reenter = 1; +#endif /* deny if no user. */ if (pw == NULL) @@ -41,6 +68,11 @@ /* Fall back to ordinary passwd authentication. */ } #endif + +#ifdef WITH_AIXAUTHENTICATE + return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); +#endif + #ifdef KRB4 if (options.kerberos_authentication == 1) { int ret = auth_krb4_password(pw, password); @@ -53,10 +85,40 @@ /* Check for users with no password. */ if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) return 1; - /* Encrypt the candidate password using the proper salt. */ - encrypted_password = crypt(password, - (pw->pw_passwd[0] && pw->pw_passwd[1]) ? pw->pw_passwd : "xx"); + + pw_password = pw->pw_passwd; + +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) + spw = getspnam(pw->pw_name); + if (spw != NULL) + { + /* Check for users with no password. */ + if (strcmp(password, "") == 0 && strcmp(spw->sp_pwdp, "") == 0) + return 1; + + pw_password = spw->sp_pwdp; + } +#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ + + if (pw_password[0] != '\0') + salt = pw_password; + else + salt = "xx"; + +#ifdef HAVE_MD5_PASSWORDS + if (is_md5_salt(salt)) + encrypted_password = md5_crypt(password, salt); + else + encrypted_password = crypt(password, salt); +#else /* HAVE_MD5_PASSWORDS */ +# ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW + encrypted_password = bigcrypt(password, salt); +# else + encrypted_password = crypt(password, salt); +# endif /* HAVE_HPUX_TRUSTED_SYSTEM_PW */ +#endif /* HAVE_MD5_PASSWORDS */ /* Authentication is accepted if the encrypted passwords are identical. */ - return (strcmp(encrypted_password, pw->pw_passwd) == 0); + return (strcmp(encrypted_password, pw_password) == 0); } +#endif /* !USE_PAM */ diff -ruN --exclude CVS ssh-openbsd-2000050800/auth-skey.c openssh-2.0.0beta2/auth-skey.c --- ssh-openbsd-2000050800/auth-skey.c Sun Apr 16 12:53:06 2000 +++ openssh-2.0.0beta2/auth-skey.c Sun Apr 16 12:31:49 2000 @@ -1,10 +1,13 @@ #include "includes.h" +#ifdef SKEY RCSID("$Id: auth-skey.c,v 1.6 2000/04/14 10:30:29 markus Exp $"); #include "ssh.h" #include "packet.h" #include +/* from %OpenBSD: skeylogin.c,v 1.32 1999/08/16 14:46:56 millert Exp % */ + /* * try skey authentication, * return 1 on success, 0 on failure, -1 if skey is not available @@ -69,8 +72,9 @@ static char skeyprompt[SKEY_MAX_CHALLENGE+1]; char *secret = NULL; size_t secretlen = 0; - SHA1_CTX ctx; + SHA_CTX ctx; char *p, *u; + char md[SHA_DIGEST_LENGTH]; /* * Base first 4 chars of seed on hostname. @@ -87,11 +91,16 @@ pbuf[4] = '\0'; /* Hash the username if possible */ - if ((up = SHA1Data(username, strlen(username), NULL)) != NULL) { + up = malloc(SHA_DIGEST_LENGTH); + if (up != NULL) { struct stat sb; time_t t; int fd; + SHA1_Init(&ctx); + SHA1_Update(&ctx, username, strlen(username)); + SHA1_End(&ctx, up); + /* Collapse the hash */ ptr = hash_collapse(up); memset(up, 0, strlen(up)); @@ -121,18 +130,18 @@ /* Put that in your pipe and smoke it */ if (flg == 0) { /* Hash secret value with username */ - SHA1Init(&ctx); - SHA1Update(&ctx, secret, secretlen); - SHA1Update(&ctx, username, strlen(username)); - SHA1End(&ctx, up); + SHA1_Init(&ctx); + SHA1_Update(&ctx, secret, secretlen); + SHA1_Update(&ctx, username, strlen(username)); + SHA1_End(&ctx, up); /* Zero out */ memset(secret, 0, secretlen); /* Now hash the hash */ - SHA1Init(&ctx); - SHA1Update(&ctx, up, strlen(up)); - SHA1End(&ctx, up); + SHA1_Init(&ctx); + SHA1_Update(&ctx, up, strlen(up)); + SHA1_End(&ctx, up); ptr = hash_collapse(up + 4); @@ -145,7 +154,7 @@ /* Sequence number */ ptr = ((up[2] + up[3]) % 99) + 1; - memset(up, 0, 20); /* SHA1 specific */ + memset(up, 0, SHA_DIGEST_LENGTH); /* SHA1 specific */ free(up); (void)snprintf(skeyprompt, sizeof skeyprompt, @@ -179,3 +188,5 @@ } return skeyprompt; } + +#endif /* SKEY */ diff -ruN --exclude CVS ssh-openbsd-2000050800/auth.c openssh-2.0.0beta2/auth.c --- ssh-openbsd-2000050800/auth.c Sun Apr 30 09:49:44 2000 +++ openssh-2.0.0beta2/auth.c Sat Apr 29 23:57:09 2000 @@ -46,6 +46,9 @@ struct stat st; struct group *grp; int i; +#ifdef WITH_AIXAUTHENTICATE + char *loginmsg; +#endif /* WITH_AIXAUTHENTICATE */ /* Shouldn't be called if pw is NULL, but better safe than sorry... */ if (!pw) @@ -106,6 +109,12 @@ return 0; } } + +#ifdef WITH_AIXAUTHENTICATE + if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0) + return 0; +#endif /* WITH_AIXAUTHENTICATE */ + /* We found no reason not to let this user try to log on... */ return 1; } diff -ruN --exclude CVS ssh-openbsd-2000050800/auth1.c openssh-2.0.0beta2/auth1.c --- ssh-openbsd-2000050800/auth1.c Sun Apr 30 04:11:52 2000 +++ openssh-2.0.0beta2/auth1.c Sun Apr 30 10:00:53 2000 @@ -65,6 +65,12 @@ get_remote_ipaddr(), get_remote_port()); +#ifdef WITH_AIXAUTHENTICATE + if (strncmp(get_authname(type),"password", + strlen(get_authname(type))) == 0) + loginfailed(pw->pw_name,get_canonical_hostname(),"ssh"); +#endif /* WITH_AIXAUTHENTICATE */ + /* Indicate that authentication is needed. */ packet_start(SSH_SMSG_FAILURE); packet_send(); @@ -77,8 +83,10 @@ for (attempt = 1;; attempt++) { /* Read a packet. This will not return if the client disconnects. */ int plen; +#ifndef SKEY + (void)packet_read(&plen); +#else /* SKEY */ int type = packet_read(&plen); -#ifdef SKEY unsigned int dlen; char *password, *skeyinfo; password = NULL; @@ -128,7 +136,7 @@ unsigned int bits; RSA *client_host_key; BIGNUM *n; - char *client_user, *password; + char *client_user = NULL, *password = NULL; char user[1024]; unsigned int dlen; int plen, nlen, elen; @@ -227,7 +235,6 @@ authenticated = auth_rhosts(pw, client_user); snprintf(user, sizeof user, " ruser %s", client_user); - xfree(client_user); break; case SSH_CMSG_AUTH_RHOSTS_RSA: @@ -263,7 +270,6 @@ RSA_free(client_host_key); snprintf(user, sizeof user, " ruser %s", client_user); - xfree(client_user); break; case SSH_CMSG_AUTH_RSA: @@ -292,8 +298,13 @@ password = packet_get_string(&dlen); packet_integrity_check(plen, 4 + dlen, type); +#ifdef USE_PAM + /* Do PAM auth with password */ + authenticated = auth_pam_password(pw, password); +#else /* USE_PAM */ /* Try authentication with the password. */ authenticated = auth_password(pw, password); +#endif /* USE_PAM */ memset(password, 0, strlen(password)); xfree(password); @@ -375,8 +386,27 @@ get_remote_port(), user); - if (authenticated) +#ifdef USE_PAM + if (authenticated) { + if (!do_pam_account(pw->pw_name, client_user)) { + if (client_user != NULL) { + xfree(client_user); + client_user = NULL; + } + do_fake_authloop1(pw->pw_name); + } + return; + } +#else /* USE_PAM */ + if (authenticated) { return; + } +#endif /* USE_PAM */ + + if (client_user != NULL) { + xfree(client_user); + client_user = NULL; + } if (attempt > AUTH_FAIL_MAX) packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); @@ -399,6 +429,9 @@ int plen; unsigned int ulen; char *user; +#ifdef WITH_AIXAUTHENTICATE + char *loginmsg; +#endif /* WITH_AIXAUTHENTICATE */ /* Get the name of the user that we wish to log in as. */ packet_read_expect(&plen, SSH_CMSG_USER); @@ -433,6 +466,10 @@ pwcopy.pw_shell = xstrdup(pw->pw_shell); pw = &pwcopy; +#ifdef USE_PAM + start_pam(pw); +#endif + /* * If we are not running as root, the user must have the same uid as * the server. @@ -447,7 +484,11 @@ #ifdef KRB4 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif /* KRB4 */ +#ifdef USE_PAM + auth_pam_password(pw, "")) { +#else /* USE_PAM */ auth_password(pw, "")) { +#endif /* USE_PAM */ /* Authentication with empty password succeeded. */ log("Login for user %s from %.100s, accepted without authentication.", pw->pw_name, get_remote_ipaddr()); @@ -459,6 +500,9 @@ } /* The user has been authenticated and accepted. */ +#ifdef WITH_AIXAUTHENTICATE + loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg); +#endif /* WITH_AIXAUTHENTICATE */ packet_start(SSH_SMSG_SUCCESS); packet_send(); packet_write_wait(); diff -ruN --exclude CVS ssh-openbsd-2000050800/auth2.c openssh-2.0.0beta2/auth2.c --- ssh-openbsd-2000050800/auth2.c Mon May 8 12:53:40 2000 +++ openssh-2.0.0beta2/auth2.c Sun May 7 12:03:14 2000 @@ -183,6 +183,11 @@ get_canonical_hostname()); } +#ifdef USE_PAM + if (authenticated && !do_pam_account(pw->pw_name, NULL)) + authenticated = 0; +#endif /* USE_PAM */ + /* Raise logging level */ if (authenticated == 1 || attempt == AUTH_FAIL_LOG || @@ -230,7 +235,11 @@ ssh2_auth_none(struct passwd *pw) { packet_done(); +#ifdef USE_PAM + return auth_pam_password(pw, ""); +#else /* USE_PAM */ return auth_password(pw, ""); +#endif /* USE_PAM */ } int ssh2_auth_password(struct passwd *pw) @@ -245,7 +254,11 @@ password = packet_get_string(&len); packet_done(); if (options.password_authentication && +#ifdef USE_PAM + auth_pam_password(pw, password) == 1) +#else /* USE_PAM */ auth_password(pw, password) == 1) +#endif /* USE_PAM */ authenticated = 1; memset(password, 0, len); xfree(password); @@ -345,6 +358,9 @@ log("auth_set_user: illegal user %s", u); return NULL; } +#ifdef USE_PAM + start_pam(pw); +#endif copy = &authctxt->pw; memset(copy, 0, sizeof(*copy)); copy->pw_name = xstrdup(pw->pw_name); diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-base64.c openssh-2.0.0beta2/bsd-base64.c --- ssh-openbsd-2000050800/bsd-base64.c Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-base64.c Sun May 7 12:03:15 2000 @@ -0,0 +1,315 @@ +/* $OpenBSD: base64.c,v 1.3 1997/11/08 20:46:55 deraadt Exp $ */ + +/* + * Copyright (c) 1996 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + */ + +/* + * Portions Copyright (c) 1995 by International Business Machines, Inc. + * + * International Business Machines, Inc. (hereinafter called IBM) grants + * permission under its copyrights to use, copy, modify, and distribute this + * Software with or without fee, provided that the above copyright notice and + * all paragraphs of this notice appear in all copies, and that the name of IBM + * not be used in connection with the marketing of any product incorporating + * the Software or modifications thereof, without specific, written prior + * permission. + * + * To the extent it has a right to do so, IBM grants an immunity from suit + * under its patents, if any, for the use, sale or manufacture of products to + * the extent that such products are used for performing Domain Name System + * dynamic updates in TCP/IP networks by means of the Software. No immunity is + * granted for any product per se or for any other function of any product. + * + * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES, + * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + * PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL, + * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING + * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN + * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES. + */ + +#include "config.h" + +#ifndef HAVE_B64_NTOP + +#include +#include +#include +#include +#include + +#include +#include +#include + +#include +#include + +#define Assert(Cond) if (!(Cond)) abort() + +static const char Base64[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; +static const char Pad64 = '='; + +/* (From RFC1521 and draft-ietf-dnssec-secext-03.txt) + The following encoding technique is taken from RFC 1521 by Borenstein + and Freed. It is reproduced here in a slightly edited form for + convenience. + + A 65-character subset of US-ASCII is used, enabling 6 bits to be + represented per printable character. (The extra 65th character, "=", + is used to signify a special processing function.) + + The encoding process represents 24-bit groups of input bits as output + strings of 4 encoded characters. Proceeding from left to right, a + 24-bit input group is formed by concatenating 3 8-bit input groups. + These 24 bits are then treated as 4 concatenated 6-bit groups, each + of which is translated into a single digit in the base64 alphabet. + + Each 6-bit group is used as an index into an array of 64 printable + characters. The character referenced by the index is placed in the + output string. + + Table 1: The Base64 Alphabet + + Value Encoding Value Encoding Value Encoding Value Encoding + 0 A 17 R 34 i 51 z + 1 B 18 S 35 j 52 0 + 2 C 19 T 36 k 53 1 + 3 D 20 U 37 l 54 2 + 4 E 21 V 38 m 55 3 + 5 F 22 W 39 n 56 4 + 6 G 23 X 40 o 57 5 + 7 H 24 Y 41 p 58 6 + 8 I 25 Z 42 q 59 7 + 9 J 26 a 43 r 60 8 + 10 K 27 b 44 s 61 9 + 11 L 28 c 45 t 62 + + 12 M 29 d 46 u 63 / + 13 N 30 e 47 v + 14 O 31 f 48 w (pad) = + 15 P 32 g 49 x + 16 Q 33 h 50 y + + Special processing is performed if fewer than 24 bits are available + at the end of the data being encoded. A full encoding quantum is + always completed at the end of a quantity. When fewer than 24 input + bits are available in an input group, zero bits are added (on the + right) to form an integral number of 6-bit groups. Padding at the + end of the data is performed using the '=' character. + + Since all base64 input is an integral number of octets, only the + ------------------------------------------------- + following cases can arise: + + (1) the final quantum of encoding input is an integral + multiple of 24 bits; here, the final unit of encoded + output will be an integral multiple of 4 characters + with no "=" padding, + (2) the final quantum of encoding input is exactly 8 bits; + here, the final unit of encoded output will be two + characters followed by two "=" padding characters, or + (3) the final quantum of encoding input is exactly 16 bits; + here, the final unit of encoded output will be three + characters followed by one "=" padding character. + */ + +int +b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize) +{ + size_t datalength = 0; + u_char input[3]; + u_char output[4]; + int i; + + while (2 < srclength) { + input[0] = *src++; + input[1] = *src++; + input[2] = *src++; + srclength -= 3; + + output[0] = input[0] >> 2; + output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4); + output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6); + output[3] = input[2] & 0x3f; + Assert(output[0] < 64); + Assert(output[1] < 64); + Assert(output[2] < 64); + Assert(output[3] < 64); + + if (datalength + 4 > targsize) + return (-1); + target[datalength++] = Base64[output[0]]; + target[datalength++] = Base64[output[1]]; + target[datalength++] = Base64[output[2]]; + target[datalength++] = Base64[output[3]]; + } + + /* Now we worry about padding. */ + if (0 != srclength) { + /* Get what's left. */ + input[0] = input[1] = input[2] = '\0'; + for (i = 0; i < srclength; i++) + input[i] = *src++; + + output[0] = input[0] >> 2; + output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4); + output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6); + Assert(output[0] < 64); + Assert(output[1] < 64); + Assert(output[2] < 64); + + if (datalength + 4 > targsize) + return (-1); + target[datalength++] = Base64[output[0]]; + target[datalength++] = Base64[output[1]]; + if (srclength == 1) + target[datalength++] = Pad64; + else + target[datalength++] = Base64[output[2]]; + target[datalength++] = Pad64; + } + if (datalength >= targsize) + return (-1); + target[datalength] = '\0'; /* Returned value doesn't count \0. */ + return (datalength); +} + +/* skips all whitespace anywhere. + converts characters, four at a time, starting at (or after) + src from base - 64 numbers into three 8 bit bytes in the target area. + it returns the number of data bytes stored at the target, or -1 on error. + */ + +int +b64_pton(char const *src, u_char *target, size_t targsize) +{ + int tarindex, state, ch; + char *pos; + + state = 0; + tarindex = 0; + + while ((ch = *src++) != '\0') { + if (isspace(ch)) /* Skip whitespace anywhere. */ + continue; + + if (ch == Pad64) + break; + + pos = strchr(Base64, ch); + if (pos == 0) /* A non-base64 character. */ + return (-1); + + switch (state) { + case 0: + if (target) { + if (tarindex >= targsize) + return (-1); + target[tarindex] = (pos - Base64) << 2; + } + state = 1; + break; + case 1: + if (target) { + if (tarindex + 1 >= targsize) + return (-1); + target[tarindex] |= (pos - Base64) >> 4; + target[tarindex+1] = ((pos - Base64) & 0x0f) + << 4 ; + } + tarindex++; + state = 2; + break; + case 2: + if (target) { + if (tarindex + 1 >= targsize) + return (-1); + target[tarindex] |= (pos - Base64) >> 2; + target[tarindex+1] = ((pos - Base64) & 0x03) + << 6; + } + tarindex++; + state = 3; + break; + case 3: + if (target) { + if (tarindex >= targsize) + return (-1); + target[tarindex] |= (pos - Base64); + } + tarindex++; + state = 0; + break; + } + } + + /* + * We are done decoding Base-64 chars. Let's see if we ended + * on a byte boundary, and/or with erroneous trailing characters. + */ + + if (ch == Pad64) { /* We got a pad char. */ + ch = *src++; /* Skip it, get next. */ + switch (state) { + case 0: /* Invalid = in first position */ + case 1: /* Invalid = in second position */ + return (-1); + + case 2: /* Valid, means one byte of info */ + /* Skip any number of spaces. */ + for (; ch != '\0'; ch = *src++) + if (!isspace(ch)) + break; + /* Make sure there is another trailing = sign. */ + if (ch != Pad64) + return (-1); + ch = *src++; /* Skip the = */ + /* Fall through to "single trailing =" case. */ + /* FALLTHROUGH */ + + case 3: /* Valid, means two bytes of info */ + /* + * We know this char is an =. Is there anything but + * whitespace after it? + */ + for (; ch != '\0'; ch = *src++) + if (!isspace(ch)) + return (-1); + + /* + * Now make sure for cases 2 and 3 that the "extra" + * bits that slopped past the last full byte were + * zeros. If we don't check them, they become a + * subliminal channel. + */ + if (target && target[tarindex] != 0) + return (-1); + } + } else { + /* + * We ended by seeing the end of the string. Make sure we + * have no partial bytes lying around. + */ + if (state != 0) + return (-1); + } + + return (tarindex); +} + +#endif /* HAVE_B64_NTOP */ diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-base64.h openssh-2.0.0beta2/bsd-base64.h --- ssh-openbsd-2000050800/bsd-base64.h Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-base64.h Sun May 7 12:03:15 2000 @@ -0,0 +1,19 @@ +#ifndef _BSD_BASE64_H +#define _BSD_BASE64_H + +#include "config.h" + +#ifndef HAVE___B64_NTOP +# ifdef HAVE_B64_NTOP +# define __b64_ntop b64_ntop +# define __b64_pton b64_pton +# else /* !HAVE_B64_NTOP */ + +int b64_ntop(u_char const *src, size_t srclength, char *target, + size_t targsize); +int b64_pton(char const *src, u_char *target, size_t targsize); + +# endif /* HAVE_B64_NTOP */ +#endif /* HAVE___B64_NTOP */ + +#endif /* _BSD_BINRESVPORT_H */ diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-bindresvport.c openssh-2.0.0beta2/bsd-bindresvport.c --- ssh-openbsd-2000050800/bsd-bindresvport.c Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-bindresvport.c Sat Jan 22 18:17:43 2000 @@ -0,0 +1,112 @@ +/* + * Sun RPC is a product of Sun Microsystems, Inc. and is provided for + * unrestricted use provided that this legend is included on all tape + * media and as a part of the software program in whole or part. Users + * may copy or modify Sun RPC without charge, but are not authorized + * to license or distribute it to anyone else except as part of a product or + * program developed by the user. + * + * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE + * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR + * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. + * + * Sun RPC is provided with no support and without any obligation on the + * part of Sun Microsystems, Inc. to assist in its use, correction, + * modification or enhancement. + * + * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE + * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC + * OR ANY PART THEREOF. + * + * In no event will Sun Microsystems, Inc. be liable for any lost revenue + * or profits or other special, indirect and consequential damages, even if + * Sun has been advised of the possibility of such damages. + * + * Sun Microsystems, Inc. + * 2550 Garcia Avenue + * Mountain View, California 94043 + */ + +#include "config.h" + +#ifndef HAVE_BINRESVPORT_AF + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: bindresvport.c,v 1.11 1999/12/17 19:22:08 deraadt Exp $"; +#endif /* LIBC_SCCS and not lint */ + +/* + * Copyright (c) 1987 by Sun Microsystems, Inc. + * + * Portions Copyright(C) 1996, Jason Downs. All rights reserved. + */ + +#include "includes.h" + +#define STARTPORT 600 +#define ENDPORT (IPPORT_RESERVED - 1) +#define NPORTS (ENDPORT - STARTPORT + 1) + +/* + * Bind a socket to a privileged IP port + */ +int +bindresvport_af(sd, sa, af) + int sd; + struct sockaddr *sa; + int af; +{ + int error; + struct sockaddr_storage myaddr; + struct sockaddr_in *sin; + struct sockaddr_in6 *sin6; + u_int16_t *portp; + u_int16_t port; + int salen; + int i; + + if (sa == NULL) { + memset(&myaddr, 0, sizeof(myaddr)); + sa = (struct sockaddr *)&myaddr; + } + + if (af == AF_INET) { + sin = (struct sockaddr_in *)sa; + salen = sizeof(struct sockaddr_in); + portp = &sin->sin_port; + } else if (af == AF_INET6) { + sin6 = (struct sockaddr_in6 *)sa; + salen = sizeof(struct sockaddr_in6); + portp = &sin6->sin6_port; + } else { + errno = EPFNOSUPPORT; + return (-1); + } + sa->sa_family = af; + + port = ntohs(*portp); + if (port == 0) + port = (arc4random() % NPORTS) + STARTPORT; + + for(i = 0; i < NPORTS; i++) { + *portp = htons(port); + + error = bind(sd, sa, salen); + + /* Terminate on success */ + if (error == 0) + break; + + /* Terminate on errors, except "address already in use" */ + if ((error < 0) && !((errno == EADDRINUSE) || (errno == EINVAL))) + break; + + port++; + if (port > ENDPORT) + port = STARTPORT; + } + + return (error); +} + +#endif /* HAVE_BINRESVPORT_AF */ diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-bindresvport.h openssh-2.0.0beta2/bsd-bindresvport.h --- ssh-openbsd-2000050800/bsd-bindresvport.h Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-bindresvport.h Fri Jan 14 15:45:47 2000 @@ -0,0 +1,10 @@ +#ifndef _BSD_BINRESVPORT_H +#define _BSD_BINRESVPORT_H + +#include "config.h" + +#ifndef HAVE_BINRESVPORT_AF +int bindresvport_af(int sd, struct sockaddr *sa, int af); +#endif /* !HAVE_BINRESVPORT_AF */ + +#endif /* _BSD_BINRESVPORT_H */ diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-daemon.c openssh-2.0.0beta2/bsd-daemon.c --- ssh-openbsd-2000050800/bsd-daemon.c Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-daemon.c Sat Nov 20 12:18:40 1999 @@ -0,0 +1,81 @@ +/*- + * Copyright (c) 1990, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "config.h" + +#ifndef HAVE_DAEMON + +#if defined(LIBC_SCCS) && !defined(lint) +static char rcsid[] = "$OpenBSD: daemon.c,v 1.2 1996/08/19 08:22:13 tholo Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +#ifdef HAVE_PATHS_H +# include +#endif + +int +daemon(nochdir, noclose) + int nochdir, noclose; +{ + int fd; + + switch (fork()) { + case -1: + return (-1); + case 0: + break; + default: + _exit(0); + } + + if (setsid() == -1) + return (-1); + + if (!nochdir) + (void)chdir("/"); + + if (!noclose && (fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) { + (void)dup2(fd, STDIN_FILENO); + (void)dup2(fd, STDOUT_FILENO); + (void)dup2(fd, STDERR_FILENO); + if (fd > 2) + (void)close (fd); + } + return (0); +} + +#endif /* !HAVE_DAEMON */ + diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-daemon.h openssh-2.0.0beta2/bsd-daemon.h --- ssh-openbsd-2000050800/bsd-daemon.h Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-daemon.h Fri Nov 19 15:32:34 1999 @@ -0,0 +1,9 @@ +#ifndef _BSD_DAEMON_H +#define _BSD_DAEMON_H + +#include "config.h" +#ifndef HAVE_DAEMON +int daemon(int nochdir, int noclose); +#endif /* !HAVE_DAEMON */ + +#endif /* _BSD_DAEMON_H */ diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-login.c openssh-2.0.0beta2/bsd-login.c --- ssh-openbsd-2000050800/bsd-login.c Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-login.c Mon May 1 22:53:53 2000 @@ -0,0 +1,181 @@ +/* + * This file has been modified from the original OpenBSD version + */ + +/* $OpenBSD: login.c,v 1.5 1998/07/13 02:11:12 millert Exp $ */ +/* + * Copyright (c) 1988, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "config.h" +#ifndef HAVE_LOGIN + +#include + +#if defined(LIBC_SCCS) && !defined(lint) +/* from: static char sccsid[] = "@(#)login.c 8.1 (Berkeley) 6/4/93"; */ +static char *rcsid = "$OpenBSD: login.c,v 1.5 1998/07/13 02:11:12 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include + +#include +#include +#include +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) +# include +#endif +#ifdef HAVE_UTMP_H +# include +#endif +#include +#include + +/* + * find first matching slot in utmp, or "-1" for none + * + * algorithm: for USER_PROCESS, check tty name + * for DEAD_PROCESS, check PID and tty name + * + */ +int find_tty_slot( utp ) +struct utmp * utp; +{ + int t = 0; + struct utmp * u; + + setutent(); + + while((u = getutent()) != NULL) { + if (utp->ut_type == USER_PROCESS && + (strncmp(utp->ut_line, u->ut_line, sizeof(utp->ut_line)) == 0)) { + endutent(); + return(t); + } + + if ((utp->ut_type == DEAD_PROCESS) && (utp->ut_pid == u->ut_pid) && + (strncmp(utp->ut_line, u->ut_line, sizeof(utp->ut_line)) == 0 )) { + endutent(); + return(t); + } + t++; + } + + endutent(); + return(-1); +} + +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) +void +login(utp,utx) + struct utmp *utp; + struct utmpx *utx; +#else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ +void +login(utp) + struct utmp *utp; +#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ +{ +#if defined(HAVE_HOST_IN_UTMP) + struct utmp old_ut; +#endif +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) + struct utmpx *old_utx; +#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ + register int fd; + int tty; + + /* can't use ttyslot here, as that will not work for logout + * (record_logout() is called from the master sshd, which does + * not have the correct tty on stdin/out, so ttyslot will return + * "-1" or (worse) a wrong number + */ + tty = find_tty_slot(utp); + + fd = open(_PATH_UTMP, O_RDWR|O_CREAT, 0644); + if (fd == -1) { + log("Couldn't open %s: %s", _PATH_UTMP, strerror(errno)); + } else { + /* If no tty was found... */ + if (tty == -1) { + /* ... append it to utmp on login */ + if (utp->ut_type == USER_PROCESS) { + if ((fd = open(_PATH_UTMP, O_WRONLY|O_APPEND, 0)) >= 0) { + (void)write(fd, utp, sizeof(struct utmp)); + (void)close(fd); + } + } else { + /* Shouldn't get to here unless somthing happened to utmp */ + /* Between login and logout */ + log("No tty slot found at logout"); + } + } else { + /* Otherwise, tty was found - update at its location */ +#if defined(HAVE_HOST_IN_UTMP) +# ifndef UT_LINESIZE +# define UT_LINESIZE (sizeof(old_ut.ut_line)) +# define UT_NAMESIZE (sizeof(old_ut.ut_name)) +# define UT_HOSTSIZE (sizeof(old_ut.ut_host)) +# endif + (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); + /* + * Prevent luser from zero'ing out ut_host. + * If the new ut_line is empty but the old one is not + * and ut_line and ut_name match, preserve the old ut_line. + */ + if (read(fd, &old_ut, sizeof(struct utmp)) == + sizeof(struct utmp) && utp->ut_host[0] == '\0' && + old_ut.ut_host[0] != '\0' && + strncmp(old_ut.ut_line, utp->ut_line, UT_LINESIZE) == 0 && + strncmp(old_ut.ut_name, utp->ut_name, UT_NAMESIZE) == 0) + (void)memcpy(utp->ut_host, old_ut.ut_host, UT_HOSTSIZE); +#endif /* defined(HAVE_HOST_IN_UTMP) */ + (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); + (void)write(fd, utp, sizeof(struct utmp)); + (void)close(fd); + } + } + + if ((fd = open(_PATH_WTMP, O_WRONLY|O_APPEND, 0)) >= 0) { + (void)write(fd, utp, sizeof(struct utmp)); + (void)close(fd); + } +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) + old_utx = pututxline(utx); +# ifdef HAVE_UPDWTMPX + updwtmpx(_PATH_WTMPX, utx); +# endif /* HAVE_UPDWTMPX */ + endutxent(); +#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ +} + +#endif /* HAVE_LOGIN */ diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-login.h openssh-2.0.0beta2/bsd-login.h --- ssh-openbsd-2000050800/bsd-login.h Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-login.h Sat Dec 25 10:11:29 1999 @@ -0,0 +1,22 @@ +#ifndef _BSD_LOGIN_H +# define _BSD_LOGIN_H + +# include "config.h" +# ifndef HAVE_LOGIN + +# include + +# if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) +# include + +void login(struct utmp *utp, struct utmpx *utx); + +# else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ + +void login(struct utmp *utp); + +# endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ + +# endif /* !HAVE_LOGIN */ + +#endif /* _BSD_LOGIN_H */ diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-misc.c openssh-2.0.0beta2/bsd-misc.c --- ssh-openbsd-2000050800/bsd-misc.c Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-misc.c Wed Apr 19 16:26:13 2000 @@ -0,0 +1,159 @@ +/* + * Copyright (c) 1999-2000 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Markus Friedl. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" + +#include +#include +#include +#include +#include + +#include +#include +#include +#ifdef HAVE_STDDEF_H +#include +#endif + +#include "xmalloc.h" +#include "ssh.h" +#include "bsd-misc.h" +#include "entropy.h" + +#include + +#ifndef HAVE_ARC4RANDOM + +typedef struct +{ + unsigned int s[256]; + int i; + int j; +} rc4_t; + +void rc4_key(rc4_t *r, unsigned char *key, int len); +void rc4_getbytes(rc4_t *r, unsigned char *buffer, int len); + +static rc4_t *rc4 = NULL; + +void rc4_key(rc4_t *r, unsigned char *key, int len) +{ + int t; + + for(r->i = 0; r->i < 256; r->i++) + r->s[r->i] = r->i; + + r->j = 0; + for(r->i = 0; r->i < 256; r->i++) + { + r->j = (r->j + r->s[r->i] + key[r->i % len]) % 256; + t = r->s[r->i]; + r->s[r->i] = r->s[r->j]; + r->s[r->j] = t; + } + r->i = r->j = 0; +} + +void rc4_getbytes(rc4_t *r, unsigned char *buffer, int len) +{ + int t; + int c; + + c = 0; + while(c < len) + { + r->i = (r->i + 1) % 256; + r->j = (r->j + r->s[r->i]) % 256; + t = r->s[r->i]; + r->s[r->i] = r->s[r->j]; + r->s[r->j] = t; + + t = (r->s[r->i] + r->s[r->j]) % 256; + + buffer[c] = r->s[t]; + c++; + } +} + +unsigned int arc4random(void) +{ + unsigned int r; + + if (rc4 == NULL) + arc4random_stir(); + + rc4_getbytes(rc4, (unsigned char *)&r, sizeof(r)); + + return(r); +} + +void arc4random_stir(void) +{ + unsigned char rand_buf[32]; + + if (rc4 == NULL) + rc4 = xmalloc(sizeof(*rc4)); + + seed_rng(); + RAND_bytes(rand_buf, sizeof(rand_buf)); + + rc4_key(rc4, rand_buf, sizeof(rand_buf)); + memset(rand_buf, 0, sizeof(rand_buf)); +} +#endif /* !HAVE_ARC4RANDOM */ + +#ifndef HAVE_SETPROCTITLE +void setproctitle(const char *fmt, ...) +{ + /* FIXME */ +} +#endif /* !HAVE_SETPROCTITLE */ + +#ifndef HAVE_SETLOGIN +int setlogin(const char *name) +{ + return(0); +} +#endif /* !HAVE_SETLOGIN */ + +#ifndef HAVE_INNETGR +int innetgr(const char *netgroup, const char *host, + const char *user, const char *domain) +{ + return(0); +} +#endif /* HAVE_INNETGR */ + +#if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) +int seteuid(uid_t euid) +{ + return(setreuid(-1,euid)); +} +#endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */ diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-misc.h openssh-2.0.0beta2/bsd-misc.h --- ssh-openbsd-2000050800/bsd-misc.h Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-misc.h Mon Apr 3 14:50:45 2000 @@ -0,0 +1,61 @@ +/* + * Copyright (c) 1999-2000 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Markus Friedl. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _BSD_MISC_H +#define _BSD_MISC_H + +#include "config.h" + +#ifndef HAVE_ARC4RANDOM +unsigned int arc4random(void); +void arc4random_stir(void); +#endif /* !HAVE_ARC4RANDOM */ + +#ifndef HAVE_SETPROCTITLE +void setproctitle(const char *fmt, ...); +#endif /* !HAVE_SETPROCTITLE */ + +#ifndef HAVE_SETENV +int setenv(const char *name, const char *value, int overwrite); +#endif /* !HAVE_SETENV */ + +#ifndef HAVE_SETLOGIN +int setlogin(const char *name); +#endif /* !HAVE_SETLOGIN */ + +#ifndef HAVE_INNETGR +int innetgr(const char *netgroup, const char *host, + const char *user, const char *domain); +#endif /* HAVE_INNETGR */ + +#if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) +int seteuid(uid_t euid); +#endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */ + +#endif /* _BSD_MISC_H */ diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-mktemp.c openssh-2.0.0beta2/bsd-mktemp.c --- ssh-openbsd-2000050800/bsd-mktemp.c Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-mktemp.c Wed Dec 29 19:56:30 1999 @@ -0,0 +1,189 @@ +/* THIS FILE HAS BEEN MODIFIED FROM THE ORIGINAL OPENBSD SOURCE */ +/* Changes: Removed mktemp */ + +/* + * Copyright (c) 1987, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "config.h" + +#ifndef HAVE_MKDTEMP + +#if defined(LIBC_SCCS) && !defined(lint) +static char rcsid[] = "$OpenBSD: mktemp.c,v 1.13 1998/06/30 23:03:13 deraadt Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "bsd-misc.h" + +static int _gettemp(char *, int *, int, int); + +int +mkstemps(path, slen) + char *path; + int slen; +{ + int fd; + + return (_gettemp(path, &fd, 0, slen) ? fd : -1); +} + +int +mkstemp(path) + char *path; +{ + int fd; + + return (_gettemp(path, &fd, 0, 0) ? fd : -1); +} + +char * +mkdtemp(path) + char *path; +{ + return(_gettemp(path, (int *)NULL, 1, 0) ? path : (char *)NULL); +} + +static int +_gettemp(path, doopen, domkdir, slen) + char *path; + register int *doopen; + int domkdir; + int slen; +{ + register char *start, *trv, *suffp; + struct stat sbuf; + int pid, rval; + + if (doopen && domkdir) { + errno = EINVAL; + return(0); + } + + for (trv = path; *trv; ++trv) + ; + trv -= slen; + suffp = trv; + --trv; + if (trv < path) { + errno = EINVAL; + return (0); + } + pid = getpid(); + while (*trv == 'X' && pid != 0) { + *trv-- = (pid % 10) + '0'; + pid /= 10; + } + while (*trv == 'X') { + char c; + + pid = (arc4random() & 0xffff) % (26+26); + if (pid < 26) + c = pid + 'A'; + else + c = (pid - 26) + 'a'; + *trv-- = c; + } + start = trv + 1; + + /* + * check the target directory; if you have six X's and it + * doesn't exist this runs for a *very* long time. + */ + if (doopen || domkdir) { + for (;; --trv) { + if (trv <= path) + break; + if (*trv == '/') { + *trv = '\0'; + rval = stat(path, &sbuf); + *trv = '/'; + if (rval != 0) + return(0); + if (!S_ISDIR(sbuf.st_mode)) { + errno = ENOTDIR; + return(0); + } + break; + } + } + } + + for (;;) { + if (doopen) { + if ((*doopen = + open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0) + return(1); + if (errno != EEXIST) + return(0); + } else if (domkdir) { + if (mkdir(path, 0700) == 0) + return(1); + if (errno != EEXIST) + return(0); + } else if (lstat(path, &sbuf)) + return(errno == ENOENT ? 1 : 0); + + /* tricky little algorithm for backward compatibility */ + for (trv = start;;) { + if (!*trv) + return (0); + if (*trv == 'Z') { + if (trv == suffp) + return (0); + *trv++ = 'a'; + } else { + if (isdigit(*trv)) + *trv = 'a'; + else if (*trv == 'z') /* inc from z to A */ + *trv = 'A'; + else { + if (trv == suffp) + return (0); + ++*trv; + } + break; + } + } + } + /*NOTREACHED*/ +} + +#endif /* !HAVE_MKDTEMP */ diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-mktemp.h openssh-2.0.0beta2/bsd-mktemp.h --- ssh-openbsd-2000050800/bsd-mktemp.h Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-mktemp.h Fri Nov 19 15:32:34 1999 @@ -0,0 +1,11 @@ +#ifndef _BSD_MKTEMP_H +#define _BSD_MKTEMP_H + +#include "config.h" +#ifndef HAVE_MKDTEMP +int mkstemps(char *path, int slen); +int mkstemp(char *path); +char *mkdtemp(char *path); +#endif /* !HAVE_MKDTEMP */ + +#endif /* _BSD_MKTEMP_H */ diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-rresvport.c openssh-2.0.0beta2/bsd-rresvport.c --- ssh-openbsd-2000050800/bsd-rresvport.c Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-rresvport.c Wed Jan 19 13:45:07 2000 @@ -0,0 +1,107 @@ +/* + * Copyright (c) 1995, 1996, 1998 Theo de Raadt. All rights reserved. + * Copyright (c) 1983, 1993, 1994 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * This product includes software developed by Theo de Raadt. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "config.h" + +#ifndef HAVE_RRESVPORT_AF + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: rresvport.c,v 1.4 1999/12/17 20:48:03 deraadt Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include "includes.h" + +#if 0 +int +rresvport(alport) + int *alport; +{ + return rresvport_af(alport, AF_INET); +} +#endif + +int +rresvport_af(alport, af) + int *alport; + int af; +{ + struct sockaddr_storage ss; + struct sockaddr *sa; + u_int16_t *portp; + int s; + int salen; + + bzero(&ss, sizeof ss); + sa = (struct sockaddr *)&ss; + + switch (af) { + case AF_INET: + salen = sizeof(struct sockaddr_in); + portp = &((struct sockaddr_in *)sa)->sin_port; + break; + case AF_INET6: + salen = sizeof(struct sockaddr_in6); + portp = &((struct sockaddr_in6 *)sa)->sin6_port; + break; + default: + errno = EPFNOSUPPORT; + return (-1); + } + sa->sa_family = af; + + s = socket(af, SOCK_STREAM, 0); + if (s < 0) + return (-1); + + *portp = htons(*alport); + if (*alport < IPPORT_RESERVED - 1) { + if (bind(s, sa, salen) >= 0) + return (s); + if (errno != EADDRINUSE) { + (void)close(s); + return (-1); + } + } + + *portp = 0; + if (bindresvport_af(s, sa, af) == -1) { + (void)close(s); + return (-1); + } + *alport = ntohs(*portp); + return (s); +} + +#endif /* HAVE_RRESVPORT_AF */ diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-rresvport.h openssh-2.0.0beta2/bsd-rresvport.h --- ssh-openbsd-2000050800/bsd-rresvport.h Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-rresvport.h Fri Jan 14 15:45:48 2000 @@ -0,0 +1,10 @@ +#ifndef _BSD_RRESVPORT_H +#define _BSD_RRESVPORT_H + +#include "config.h" + +#ifndef HAVE_RRESVPORT_AF +int rresvport_af(int *alport, int af); +#endif /* !HAVE_RRESVPORT_AF */ + +#endif /* _BSD_RRESVPORT_H */ diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-setenv.c openssh-2.0.0beta2/bsd-setenv.c --- ssh-openbsd-2000050800/bsd-setenv.c Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-setenv.c Sun Mar 26 12:12:35 2000 @@ -0,0 +1,161 @@ +/* + * Copyright (c) 1987 Regents of the University of California. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "config.h" +#ifndef HAVE_SETENV + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: setenv.c,v 1.3 1998/02/02 22:44:53 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +/* + * __findenv -- + * Returns pointer to value associated with name, if any, else NULL. + * Sets offset to be the offset of the name/value combination in the + * environmental array, for use by setenv(3) and unsetenv(3). + * Explicitly removes '=' in argument name. + * + * This routine *should* be a static; don't use it. + */ +char * +__findenv(name, offset) + register const char *name; + int *offset; +{ + extern char **environ; + register int len, i; + register const char *np; + register char **p, *cp; + + if (name == NULL || environ == NULL) + return (NULL); + for (np = name; *np && *np != '='; ++np) + ; + len = np - name; + for (p = environ; (cp = *p) != NULL; ++p) { + for (np = name, i = len; i && *cp; i--) + if (*cp++ != *np++) + break; + if (i == 0 && *cp++ == '=') { + *offset = p - environ; + return (cp); + } + } + return (NULL); +} + +/* + * setenv -- + * Set the value of the environmental variable "name" to be + * "value". If rewrite is set, replace any current value. + */ +int +setenv(name, value, rewrite) + register const char *name; + register const char *value; + int rewrite; +{ + extern char **environ; + static int alloced; /* if allocated space before */ + register char *C; + int l_value, offset; + char *__findenv(); + + if (*value == '=') /* no `=' in value */ + ++value; + l_value = strlen(value); + if ((C = __findenv(name, &offset))) { /* find if already exists */ + if (!rewrite) + return (0); + if (strlen(C) >= l_value) { /* old larger; copy over */ + while ((*C++ = *value++)); + return (0); + } + } else { /* create new slot */ + register int cnt; + register char **P; + + for (P = environ, cnt = 0; *P; ++P, ++cnt); + if (alloced) { /* just increase size */ + P = (char **)realloc((void *)environ, + (size_t)(sizeof(char *) * (cnt + 2))); + if (!P) + return (-1); + environ = P; + } + else { /* get new space */ + alloced = 1; /* copy old entries into it */ + P = (char **)malloc((size_t)(sizeof(char *) * + (cnt + 2))); + if (!P) + return (-1); + bcopy(environ, P, cnt * sizeof(char *)); + environ = P; + } + environ[cnt + 1] = NULL; + offset = cnt; + } + for (C = (char *)name; *C && *C != '='; ++C); /* no `=' in name */ + if (!(environ[offset] = /* name + `=' + value */ + malloc((size_t)((int)(C - name) + l_value + 2)))) + return (-1); + for (C = environ[offset]; (*C = *name++) && *C != '='; ++C) + ; + for (*C++ = '='; (*C++ = *value++); ) + ; + return (0); +} + +/* + * unsetenv(name) -- + * Delete environmental variable "name". + */ +void +unsetenv(name) + const char *name; +{ + extern char **environ; + register char **P; + int offset; + char *__findenv(); + + while (__findenv(name, &offset)) /* if set multiple times */ + for (P = &environ[offset];; ++P) + if (!(*P = *(P + 1))) + break; +} + +#endif /* HAVE_SETENV */ diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-setenv.h openssh-2.0.0beta2/bsd-setenv.h --- ssh-openbsd-2000050800/bsd-setenv.h Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-setenv.h Sun Mar 26 12:12:35 2000 @@ -0,0 +1,12 @@ +#ifndef _BSD_SETENV_H +#define _BSD_SETENV_H + +#include "config.h" + +#ifndef HAVE_SETENV + +int setenv(register const char *name, register const char *value, int rewrite); + +#endif /* !HAVE_SETENV */ + +#endif /* _BSD_SETENV_H */ diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-snprintf.c openssh-2.0.0beta2/bsd-snprintf.c --- ssh-openbsd-2000050800/bsd-snprintf.c Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-snprintf.c Fri Mar 3 22:48:49 2000 @@ -0,0 +1,181 @@ +/* + * Revision 12: http://theos.com/~deraadt/snprintf.c + * + * Copyright (c) 1997 Theo de Raadt + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" + +#if !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) + +#include +#include +#include +#include +#include +#include +#include +#if __STDC__ +#include +#include +#else +#include +#endif +#include + +#ifndef roundup +#define roundup(x, y) ((((x)+((y)-1))/(y))*(y)) +#endif + +static int pgsize; +static char *curobj; +static int caught; +static sigjmp_buf bail; + +#define EXTRABYTES 2 /* XXX: why 2? you don't want to know */ + +#ifndef HAVE_GETPAGESIZE +int +getpagesize() +{ +#ifdef EXEC_PAGESIZE + return EXEC_PAGESIZE; +#else /* !EXEC_PAGESIZE */ +# ifdef NBPG +# ifndef CLSIZE +# define CLSIZE 1 +# endif /* No CLSIZE */ + return NBPG * CLSIZE; +# else /* !NBPG */ + return NBPC; +# endif /* NBPG */ +#endif /* EXEC_PAGESIZE */ +} +#endif /* HAVE_GETPAGESIZE */ + +static char * +msetup(str, n) + char *str; + size_t n; +{ + char *e; + + if (n == 0) + return NULL; + if (pgsize == 0) + pgsize = getpagesize(); + curobj = (char *)malloc(n + EXTRABYTES + pgsize * 2); + if (curobj == NULL) + return NULL; + e = curobj + n + EXTRABYTES; + e = (char *)roundup((unsigned long)e, pgsize); + if (mprotect(e, pgsize, PROT_NONE) == -1) { + free(curobj); + curobj = NULL; + return NULL; + } + e = e - n - EXTRABYTES; + *e = '\0'; + return (e); +} + +static void +mcatch() +{ + siglongjmp(bail, 1); +} + +static void +mcleanup(str, n, p) + char *str; + size_t n; + char *p; +{ + strncpy(str, p, n-1); + str[n-1] = '\0'; + if (mprotect((caddr_t)(p + n + EXTRABYTES), pgsize, + PROT_READ|PROT_WRITE|PROT_EXEC) == -1) + mprotect((caddr_t)(p + n + EXTRABYTES), pgsize, + PROT_READ|PROT_WRITE); + free(curobj); +} + +#if !defined(HAVE_VSNPRINTF) +int +vsnprintf(str, n, fmt, ap) + char *str; + size_t n; + char *fmt; + va_list *ap; +{ + struct sigaction osa, nsa; + char *p; + int ret = n + 1; /* if we bail, indicated we overflowed */ + + memset(&nsa, 0, sizeof nsa); + nsa.sa_handler = mcatch; + sigemptyset(&nsa.sa_mask); + + p = msetup(str, n); + if (p == NULL) { + *str = '\0'; + return 0; + } + if (sigsetjmp(bail, 1) == 0) { + if (sigaction(SIGSEGV, &nsa, &osa) == -1) { + mcleanup(str, n, p); + return (0); + } + ret = vsprintf(p, fmt, ap); + } + mcleanup(str, n, p); + (void) sigaction(SIGSEGV, &osa, NULL); + return (ret); +} +#endif /* !defined(HAVE_VSNPRINTF) */ + +#if !defined(HAVE_SNPRINTF) +int +#if __STDC__ +snprintf(char *str, size_t n, char const *fmt, ...) +#else +snprintf(str, n, fmt, va_alist) + char *str; + size_t n; + char *fmt; + va_dcl +#endif +{ + va_list ap; +#if __STDC__ + va_start(ap, fmt); +#else + va_start(ap); +#endif + + return (vsnprintf(str, n, fmt, ap)); + va_end(ap); +} +#endif /* !defined(HAVE_SNPRINTF) */ + +#endif /* !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) */ diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-snprintf.h openssh-2.0.0beta2/bsd-snprintf.h --- ssh-openbsd-2000050800/bsd-snprintf.h Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-snprintf.h Sun Mar 5 16:10:04 2000 @@ -0,0 +1,17 @@ +#ifndef _BSD_SNPRINTF_H +#define _BSD_SNPRINTF_H + +#include "config.h" + +#include /* For size_t */ + +#ifndef HAVE_SNPRINTF +int snprintf(char *str, size_t n, char const *fmt, ...); +#endif /* !HAVE_SNPRINTF */ + +#ifndef HAVE_VSNPRINTF +int vsnprintf(char *str, size_t n, char *fmt, va_list *ap); +#endif /* !HAVE_SNPRINTF */ + + +#endif /* _BSD_SNPRINTF_H */ diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-strlcat.c openssh-2.0.0beta2/bsd-strlcat.c --- ssh-openbsd-2000050800/bsd-strlcat.c Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-strlcat.c Mon Nov 22 13:57:07 1999 @@ -0,0 +1,76 @@ +/* $OpenBSD: strlcat.c,v 1.2 1999/06/17 16:28:58 millert Exp $ */ + +/* + * Copyright (c) 1998 Todd C. Miller + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL + * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; + * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" +#ifndef HAVE_STRLCAT + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: strlcat.c,v 1.2 1999/06/17 16:28:58 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +/* + * Appends src to string dst of size siz (unlike strncat, siz is the + * full size of dst, not space left). At most siz-1 characters + * will be copied. Always NUL terminates (unless siz == 0). + * Returns strlen(src); if retval >= siz, truncation occurred. + */ +size_t strlcat(dst, src, siz) + char *dst; + const char *src; + size_t siz; +{ + register char *d = dst; + register const char *s = src; + register size_t n = siz; + size_t dlen; + + /* Find the end of dst and adjust bytes left but don't go past end */ + while (*d != '\0' && n-- != 0) + d++; + dlen = d - dst; + n = siz - dlen; + + if (n == 0) + return(dlen + strlen(s)); + while (*s != '\0') { + if (n != 1) { + *d++ = *s; + n--; + } + s++; + } + *d = '\0'; + + return(dlen + (s - src)); /* count does not include NUL */ +} + +#endif /* !HAVE_STRLCAT */ diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-strlcat.h openssh-2.0.0beta2/bsd-strlcat.h --- ssh-openbsd-2000050800/bsd-strlcat.h Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-strlcat.h Mon Nov 22 13:57:07 1999 @@ -0,0 +1,10 @@ +#ifndef _BSD_STRLCAT_H +#define _BSD_STRLCAT_H + +#include "config.h" +#ifndef HAVE_STRLCAT +#include +size_t strlcat(char *dst, const char *src, size_t siz); +#endif /* !HAVE_STRLCAT */ + +#endif /* _BSD_STRLCAT_H */ diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-strlcpy.c openssh-2.0.0beta2/bsd-strlcpy.c --- ssh-openbsd-2000050800/bsd-strlcpy.c Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-strlcpy.c Fri Nov 19 15:32:34 1999 @@ -0,0 +1,73 @@ +/* $OpenBSD: strlcpy.c,v 1.4 1999/05/01 18:56:41 millert Exp $ */ + +/* + * Copyright (c) 1998 Todd C. Miller + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL + * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; + * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" +#ifndef HAVE_STRLCPY + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: strlcpy.c,v 1.4 1999/05/01 18:56:41 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +/* + * Copy src to string dst of size siz. At most siz-1 characters + * will be copied. Always NUL terminates (unless siz == 0). + * Returns strlen(src); if retval >= siz, truncation occurred. + */ +size_t strlcpy(dst, src, siz) + char *dst; + const char *src; + size_t siz; +{ + register char *d = dst; + register const char *s = src; + register size_t n = siz; + + /* Copy as many bytes as will fit */ + if (n != 0 && --n != 0) { + do { + if ((*d++ = *s++) == 0) + break; + } while (--n != 0); + } + + /* Not enough room in dst, add NUL and traverse rest of src */ + if (n == 0) { + if (siz != 0) + *d = '\0'; /* NUL-terminate dst */ + while (*s++) + ; + } + + return(s - src - 1); /* count does not include NUL */ +} + +#endif /* !HAVE_STRLCPY */ diff -ruN --exclude CVS ssh-openbsd-2000050800/bsd-strlcpy.h openssh-2.0.0beta2/bsd-strlcpy.h --- ssh-openbsd-2000050800/bsd-strlcpy.h Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/bsd-strlcpy.h Fri Nov 19 15:32:34 1999 @@ -0,0 +1,10 @@ +#ifndef _BSD_STRLCPY_H +#define _BSD_STRLCPY_H + +#include "config.h" +#ifndef HAVE_STRLCPY +#include +size_t strlcpy(char *dst, const char *src, size_t siz); +#endif /* !HAVE_STRLCPY */ + +#endif /* _BSD_STRLCPY_H */ diff -ruN --exclude CVS ssh-openbsd-2000050800/canohost.c openssh-2.0.0beta2/canohost.c --- ssh-openbsd-2000050800/canohost.c Sun Apr 16 12:53:08 2000 +++ openssh-2.0.0beta2/canohost.c Sun Apr 16 11:18:40 2000 @@ -42,6 +42,30 @@ debug("getpeername failed: %.100s", strerror(errno)); fatal_cleanup(); } + +#ifdef IPV4_IN_IPV6 + if (from.ss_family == AF_INET6) { + struct sockaddr_in6 *from6 = (struct sockaddr_in6 *)&from; + + /* Detect IPv4 in IPv6 mapped address and convert it to */ + /* plain (AF_INET) IPv4 address */ + if (IN6_IS_ADDR_V4MAPPED(&from6->sin6_addr)) { + struct sockaddr_in *from4 = (struct sockaddr_in *)&from; + struct in_addr addr; + u_int16_t port; + + memcpy(&addr, ((char *)&from6->sin6_addr) + 12, sizeof(addr)); + port = from6->sin6_port; + + memset(&from, 0, sizeof(from)); + + from4->sin_family = AF_INET; + memcpy(&from4->sin_addr, &addr, sizeof(addr)); + from4->sin_port = port; + } + } +#endif + if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0) fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed"); diff -ruN --exclude CVS ssh-openbsd-2000050800/channels.c openssh-2.0.0beta2/channels.c --- ssh-openbsd-2000050800/channels.c Mon May 8 12:53:41 2000 +++ openssh-2.0.0beta2/channels.c Sun May 7 12:03:15 2000 @@ -1477,7 +1477,11 @@ /* Bind the socket to the address. */ if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { /* address can be in use ipv6 address is already bound */ - verbose("bind: %.100s", strerror(errno)); + if (!ai->ai_next) + error("bind: %.100s", strerror(errno)); + else + verbose("bind: %.100s", strerror(errno)); + close(sock); continue; } @@ -1627,6 +1631,7 @@ /* success */ return sock; } + /* * This is called after receiving PORT_OPEN message. This attempts to * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION @@ -1734,13 +1739,22 @@ continue; sock = socket(ai->ai_family, SOCK_STREAM, 0); if (sock < 0) { - error("socket: %.100s", strerror(errno)); - return NULL; + if (errno != EINVAL) { + error("socket: %.100s", strerror(errno)); + return NULL; + } else { + debug("Socket family %d not supported [X11 disp create]", ai->ai_family); + continue; + } } if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { debug("bind port %d: %.100s", port, strerror(errno)); shutdown(sock, SHUT_RDWR); close(sock); + + if (ai->ai_next) + continue; + for (n = 0; n < num_socks; n++) { shutdown(socks[n], SHUT_RDWR); close(socks[n]); @@ -1749,8 +1763,12 @@ break; } socks[num_socks++] = sock; +#ifndef DONT_TRY_OTHER_AF if (num_socks == NUM_SOCKS) break; +#else + break; +#endif } if (num_socks > 0) break; @@ -1771,10 +1789,48 @@ } /* Set up a suitable value for the DISPLAY variable. */ + if (gethostname(hostname, sizeof(hostname)) < 0) fatal("gethostname: %.100s", strerror(errno)); + +#ifdef IPADDR_IN_DISPLAY + /* + * HPUX detects the local hostname in the DISPLAY variable and tries + * to set up a shared memory connection to the server, which it + * incorrectly supposes to be local. + * + * The workaround - as used in later $$H and other programs - is + * is to set display to the host's IP address. + */ + { + struct hostent *he; + struct in_addr my_addr; + + he = gethostbyname(hostname); + if (he == NULL) { + error("[X11-broken-fwd-hostname-workaround] Could not get " + "IP address for hostname %s.", hostname); + + packet_send_debug("[X11-broken-fwd-hostname-workaround]" + "Could not get IP address for hostname %s.", hostname); + + shutdown(sock, SHUT_RDWR); + close(sock); + + return NULL; + } + + memcpy(&my_addr, he->h_addr_list[0], sizeof(struct in_addr)); + + /* Set DISPLAY to :screen.display */ + snprintf(display, sizeof(display), "%.50s:%d.%d", inet_ntoa(my_addr), + display_number, screen_number); + } +#else /* IPADDR_IN_DISPLAY */ + /* Just set DISPLAY to hostname:screen.display */ snprintf(display, sizeof display, "%.400s:%d.%d", hostname, - display_number, screen_number); + display_number, screen_number); +#endif /* IPADDR_IN_DISPLAY */ /* Allocate a channel for each socket. */ for (n = 0; n < num_socks; n++) { diff -ruN --exclude CVS ssh-openbsd-2000050800/config.guess openssh-2.0.0beta2/config.guess --- ssh-openbsd-2000050800/config.guess Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/config.guess Fri Jan 7 08:56:05 2000 @@ -0,0 +1,1141 @@ +#! /bin/sh +# Attempt to guess a canonical system name. +# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999 +# Free Software Foundation, Inc. +# +# This file is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# Written by Per Bothner . +# The master version of this file is at the FSF in /home/gd/gnu/lib. +# Please send patches to . +# +# This script attempts to guess a canonical system name similar to +# config.sub. If it succeeds, it prints the system name on stdout, and +# exits with 0. Otherwise, it exits with 1. +# +# The plan is that this can be called by configure scripts if you +# don't specify an explicit system type (host/target name). +# +# Only a few systems have been added to this list; please add others +# (but try to keep the structure clean). +# + +# Use $HOST_CC if defined. $CC may point to a cross-compiler +if test x"$CC_FOR_BUILD" = x; then + if test x"$HOST_CC" != x; then + CC_FOR_BUILD="$HOST_CC" + else + if test x"$CC" != x; then + CC_FOR_BUILD="$CC" + else + CC_FOR_BUILD=cc + fi + fi +fi + + +# This is needed to find uname on a Pyramid OSx when run in the BSD universe. +# (ghazi@noc.rutgers.edu 8/24/94.) +if (test -f /.attbin/uname) >/dev/null 2>&1 ; then + PATH=$PATH:/.attbin ; export PATH +fi + +UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown +UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown +UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown +UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown + +dummy=dummy-$$ +trap 'rm -f $dummy.c $dummy.o $dummy; exit 1' 1 2 15 + +# Note: order is significant - the case branches are not exclusive. + +case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in + alpha:OSF1:*:*) + if test $UNAME_RELEASE = "V4.0"; then + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` + fi + # A Vn.n version is a released version. + # A Tn.n version is a released field test version. + # A Xn.n version is an unreleased experimental baselevel. + # 1.2 uses "1.2" for uname -r. + cat <$dummy.s + .data +\$Lformat: + .byte 37,100,45,37,120,10,0 # "%d-%x\n" + + .text + .globl main + .align 4 + .ent main +main: + .frame \$30,16,\$26,0 + ldgp \$29,0(\$27) + .prologue 1 + .long 0x47e03d80 # implver \$0 + lda \$2,-1 + .long 0x47e20c21 # amask \$2,\$1 + lda \$16,\$Lformat + mov \$0,\$17 + not \$1,\$18 + jsr \$26,printf + ldgp \$29,0(\$26) + mov 0,\$16 + jsr \$26,exit + .end main +EOF + $CC_FOR_BUILD $dummy.s -o $dummy 2>/dev/null + if test "$?" = 0 ; then + case `./$dummy` in + 0-0) + UNAME_MACHINE="alpha" + ;; + 1-0) + UNAME_MACHINE="alphaev5" + ;; + 1-1) + UNAME_MACHINE="alphaev56" + ;; + 1-101) + UNAME_MACHINE="alphapca56" + ;; + 2-303) + UNAME_MACHINE="alphaev6" + ;; + 2-307) + UNAME_MACHINE="alphaev67" + ;; + esac + fi + rm -f $dummy.s $dummy + echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` + exit 0 ;; + Alpha\ *:Windows_NT*:*) + # How do we know it's Interix rather than the generic POSIX subsystem? + # Should we change UNAME_MACHINE based on the output of uname instead + # of the specific Alpha model? + echo alpha-pc-interix + exit 0 ;; + 21064:Windows_NT:50:3) + echo alpha-dec-winnt3.5 + exit 0 ;; + Amiga*:UNIX_System_V:4.0:*) + echo m68k-cbm-sysv4 + exit 0;; + amiga:NetBSD:*:*) + echo m68k-cbm-netbsd${UNAME_RELEASE} + exit 0 ;; + amiga:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + *:[Aa]miga[Oo][Ss]:*:*) + echo ${UNAME_MACHINE}-unknown-amigaos + exit 0 ;; + arc64:OpenBSD:*:*) + echo mips64el-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + arc:OpenBSD:*:*) + echo mipsel-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + hkmips:OpenBSD:*:*) + echo mips-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + pmax:OpenBSD:*:*) + echo mipsel-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + sgi:OpenBSD:*:*) + echo mips-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + wgrisc:OpenBSD:*:*) + echo mipsel-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + *:OS/390:*:*) + echo i370-ibm-openedition + exit 0 ;; + arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) + echo arm-acorn-riscix${UNAME_RELEASE} + exit 0;; + arm32:NetBSD:*:*) + echo arm-unknown-netbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + exit 0 ;; + SR2?01:HI-UX/MPP:*:*) + echo hppa1.1-hitachi-hiuxmpp + exit 0;; + Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*) + # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. + if test "`(/bin/universe) 2>/dev/null`" = att ; then + echo pyramid-pyramid-sysv3 + else + echo pyramid-pyramid-bsd + fi + exit 0 ;; + NILE*:*:*:dcosx) + echo pyramid-pyramid-svr4 + exit 0 ;; + sun4H:SunOS:5.*:*) + echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit 0 ;; + sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) + echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit 0 ;; + i86pc:SunOS:5.*:*) + echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit 0 ;; + sun4*:SunOS:6*:*) + # According to config.sub, this is the proper way to canonicalize + # SunOS6. Hard to guess exactly what SunOS6 will be like, but + # it's likely to be more like Solaris than SunOS4. + echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit 0 ;; + sun4*:SunOS:*:*) + case "`/usr/bin/arch -k`" in + Series*|S4*) + UNAME_RELEASE=`uname -v` + ;; + esac + # Japanese Language versions have a version number like `4.1.3-JL'. + echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'` + exit 0 ;; + sun3*:SunOS:*:*) + echo m68k-sun-sunos${UNAME_RELEASE} + exit 0 ;; + sun*:*:4.2BSD:*) + UNAME_RELEASE=`(head -1 /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` + test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 + case "`/bin/arch`" in + sun3) + echo m68k-sun-sunos${UNAME_RELEASE} + ;; + sun4) + echo sparc-sun-sunos${UNAME_RELEASE} + ;; + esac + exit 0 ;; + aushp:SunOS:*:*) + echo sparc-auspex-sunos${UNAME_RELEASE} + exit 0 ;; + atari*:NetBSD:*:*) + echo m68k-atari-netbsd${UNAME_RELEASE} + exit 0 ;; + atari*:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + # The situation for MiNT is a little confusing. The machine name + # can be virtually everything (everything which is not + # "atarist" or "atariste" at least should have a processor + # > m68000). The system name ranges from "MiNT" over "FreeMiNT" + # to the lowercase version "mint" (or "freemint"). Finally + # the system name "TOS" denotes a system which is actually not + # MiNT. But MiNT is downward compatible to TOS, so this should + # be no problem. + atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} + exit 0 ;; + atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} + exit 0 ;; + *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} + exit 0 ;; + milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) + echo m68k-milan-mint${UNAME_RELEASE} + exit 0 ;; + hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) + echo m68k-hades-mint${UNAME_RELEASE} + exit 0 ;; + *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) + echo m68k-unknown-mint${UNAME_RELEASE} + exit 0 ;; + sun3*:NetBSD:*:*) + echo m68k-sun-netbsd${UNAME_RELEASE} + exit 0 ;; + sun3*:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + mac68k:NetBSD:*:*) + echo m68k-apple-netbsd${UNAME_RELEASE} + exit 0 ;; + mac68k:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + mvme68k:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + mvme88k:OpenBSD:*:*) + echo m88k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + powerpc:machten:*:*) + echo powerpc-apple-machten${UNAME_RELEASE} + exit 0 ;; + macppc:NetBSD:*:*) + echo powerpc-apple-netbsd${UNAME_RELEASE} + exit 0 ;; + RISC*:Mach:*:*) + echo mips-dec-mach_bsd4.3 + exit 0 ;; + RISC*:ULTRIX:*:*) + echo mips-dec-ultrix${UNAME_RELEASE} + exit 0 ;; + VAX*:ULTRIX*:*:*) + echo vax-dec-ultrix${UNAME_RELEASE} + exit 0 ;; + 2020:CLIX:*:* | 2430:CLIX:*:*) + echo clipper-intergraph-clix${UNAME_RELEASE} + exit 0 ;; + mips:*:*:UMIPS | mips:*:*:RISCos) + sed 's/^ //' << EOF >$dummy.c +#ifdef __cplusplus + int main (int argc, char *argv[]) { +#else + int main (argc, argv) int argc; char *argv[]; { +#endif + #if defined (host_mips) && defined (MIPSEB) + #if defined (SYSTYPE_SYSV) + printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0); + #endif + #if defined (SYSTYPE_SVR4) + printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0); + #endif + #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) + printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0); + #endif + #endif + exit (-1); + } +EOF + $CC_FOR_BUILD $dummy.c -o $dummy \ + && ./$dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \ + && rm $dummy.c $dummy && exit 0 + rm -f $dummy.c $dummy + echo mips-mips-riscos${UNAME_RELEASE} + exit 0 ;; + Night_Hawk:Power_UNIX:*:*) + echo powerpc-harris-powerunix + exit 0 ;; + m88k:CX/UX:7*:*) + echo m88k-harris-cxux7 + exit 0 ;; + m88k:*:4*:R4*) + echo m88k-motorola-sysv4 + exit 0 ;; + m88k:*:3*:R3*) + echo m88k-motorola-sysv3 + exit 0 ;; + AViiON:dgux:*:*) + # DG/UX returns AViiON for all architectures + UNAME_PROCESSOR=`/usr/bin/uname -p` + if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110] + then + if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ + [ ${TARGET_BINARY_INTERFACE}x = x ] + then + echo m88k-dg-dgux${UNAME_RELEASE} + else + echo m88k-dg-dguxbcs${UNAME_RELEASE} + fi + else + echo i586-dg-dgux${UNAME_RELEASE} + fi + exit 0 ;; + M88*:DolphinOS:*:*) # DolphinOS (SVR3) + echo m88k-dolphin-sysv3 + exit 0 ;; + M88*:*:R3*:*) + # Delta 88k system running SVR3 + echo m88k-motorola-sysv3 + exit 0 ;; + XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3) + echo m88k-tektronix-sysv3 + exit 0 ;; + Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD) + echo m68k-tektronix-bsd + exit 0 ;; + *:IRIX*:*:*) + echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'` + exit 0 ;; + ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. + echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id + exit 0 ;; # Note that: echo "'`uname -s`'" gives 'AIX ' + i?86:AIX:*:*) + echo i386-ibm-aix + exit 0 ;; + *:AIX:2:3) + if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then + sed 's/^ //' << EOF >$dummy.c + #include + + main() + { + if (!__power_pc()) + exit(1); + puts("powerpc-ibm-aix3.2.5"); + exit(0); + } +EOF + $CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm $dummy.c $dummy && exit 0 + rm -f $dummy.c $dummy + echo rs6000-ibm-aix3.2.5 + elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then + echo rs6000-ibm-aix3.2.4 + else + echo rs6000-ibm-aix3.2 + fi + exit 0 ;; + *:AIX:*:4) + IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | head -1 | awk '{ print $1 }'` + if /usr/sbin/lsattr -EHl ${IBM_CPU_ID} | grep POWER >/dev/null 2>&1; then + IBM_ARCH=rs6000 + else + IBM_ARCH=powerpc + fi + if [ -x /usr/bin/oslevel ] ; then + IBM_REV=`/usr/bin/oslevel` + else + IBM_REV=4.${UNAME_RELEASE} + fi + echo ${IBM_ARCH}-ibm-aix${IBM_REV} + exit 0 ;; + *:AIX:*:*) + echo rs6000-ibm-aix + exit 0 ;; + ibmrt:4.4BSD:*|romp-ibm:BSD:*) + echo romp-ibm-bsd4.4 + exit 0 ;; + ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC NetBSD and + echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to + exit 0 ;; # report: romp-ibm BSD 4.3 + *:BOSX:*:*) + echo rs6000-bull-bosx + exit 0 ;; + DPX/2?00:B.O.S.:*:*) + echo m68k-bull-sysv3 + exit 0 ;; + 9000/[34]??:4.3bsd:1.*:*) + echo m68k-hp-bsd + exit 0 ;; + hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*) + echo m68k-hp-bsd4.4 + exit 0 ;; + 9000/[34678]??:HP-UX:*:*) + case "${UNAME_MACHINE}" in + 9000/31? ) HP_ARCH=m68000 ;; + 9000/[34]?? ) HP_ARCH=m68k ;; + 9000/[678][0-9][0-9]) + sed 's/^ //' << EOF >$dummy.c + #include + #include + + int main () + { + #if defined(_SC_KERNEL_BITS) + long bits = sysconf(_SC_KERNEL_BITS); + #endif + long cpu = sysconf (_SC_CPU_VERSION); + + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1"); break; + case CPU_PA_RISC2_0: + #if defined(_SC_KERNEL_BITS) + switch (bits) + { + case 64: puts ("hppa2.0w"); break; + case 32: puts ("hppa2.0n"); break; + default: puts ("hppa2.0"); break; + } break; + #else /* !defined(_SC_KERNEL_BITS) */ + puts ("hppa2.0"); break; + #endif + default: puts ("hppa1.0"); break; + } + exit (0); + } +EOF + (CCOPTS= $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null ) && HP_ARCH=`./$dummy` + rm -f $dummy.c $dummy + esac + HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` + echo ${HP_ARCH}-hp-hpux${HPUX_REV} + exit 0 ;; + 3050*:HI-UX:*:*) + sed 's/^ //' << EOF >$dummy.c + #include + int + main () + { + long cpu = sysconf (_SC_CPU_VERSION); + /* The order matters, because CPU_IS_HP_MC68K erroneously returns + true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct + results, however. */ + if (CPU_IS_PA_RISC (cpu)) + { + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break; + case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break; + default: puts ("hppa-hitachi-hiuxwe2"); break; + } + } + else if (CPU_IS_HP_MC68K (cpu)) + puts ("m68k-hitachi-hiuxwe2"); + else puts ("unknown-hitachi-hiuxwe2"); + exit (0); + } +EOF + $CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm $dummy.c $dummy && exit 0 + rm -f $dummy.c $dummy + echo unknown-hitachi-hiuxwe2 + exit 0 ;; + 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) + echo hppa1.1-hp-bsd + exit 0 ;; + 9000/8??:4.3bsd:*:*) + echo hppa1.0-hp-bsd + exit 0 ;; + *9??*:MPE/iX:*:*) + echo hppa1.0-hp-mpeix + exit 0 ;; + hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) + echo hppa1.1-hp-osf + exit 0 ;; + hp8??:OSF1:*:*) + echo hppa1.0-hp-osf + exit 0 ;; + i?86:OSF1:*:*) + if [ -x /usr/sbin/sysversion ] ; then + echo ${UNAME_MACHINE}-unknown-osf1mk + else + echo ${UNAME_MACHINE}-unknown-osf1 + fi + exit 0 ;; + parisc*:Lites*:*:*) + echo hppa1.1-hp-lites + exit 0 ;; + hppa*:OpenBSD:*:*) + echo hppa-unknown-openbsd + exit 0 ;; + C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) + echo c1-convex-bsd + exit 0 ;; + C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) + if getsysinfo -f scalar_acc + then echo c32-convex-bsd + else echo c2-convex-bsd + fi + exit 0 ;; + C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) + echo c34-convex-bsd + exit 0 ;; + C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) + echo c38-convex-bsd + exit 0 ;; + C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) + echo c4-convex-bsd + exit 0 ;; + CRAY*X-MP:*:*:*) + echo xmp-cray-unicos + exit 0 ;; + CRAY*Y-MP:*:*:*) + echo ymp-cray-unicos${UNAME_RELEASE} + exit 0 ;; + CRAY*[A-Z]90:*:*:*) + echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \ + | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ + -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ + exit 0 ;; + CRAY*TS:*:*:*) + echo t90-cray-unicos${UNAME_RELEASE} + exit 0 ;; + CRAY*T3E:*:*:*) + echo alpha-cray-unicosmk${UNAME_RELEASE} + exit 0 ;; + CRAY-2:*:*:*) + echo cray2-cray-unicos + exit 0 ;; + F300:UNIX_System_V:*:*) + FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` + echo "f300-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + exit 0 ;; + F301:UNIX_System_V:*:*) + echo f301-fujitsu-uxpv`echo $UNAME_RELEASE | sed 's/ .*//'` + exit 0 ;; + hp3[0-9][05]:NetBSD:*:*) + echo m68k-hp-netbsd${UNAME_RELEASE} + exit 0 ;; + hp300:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + i?86:BSD/386:*:* | i?86:BSD/OS:*:*) + echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} + exit 0 ;; + sparc*:BSD/OS:*:*) + echo sparc-unknown-bsdi${UNAME_RELEASE} + exit 0 ;; + *:BSD/OS:*:*) + echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} + exit 0 ;; + *:FreeBSD:*:*) + if test -x /usr/bin/objformat; then + if test "elf" = "`/usr/bin/objformat`"; then + echo ${UNAME_MACHINE}-unknown-freebsdelf`echo ${UNAME_RELEASE}|sed -e 's/[-_].*//'` + exit 0 + fi + fi + echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` + exit 0 ;; + *:NetBSD:*:*) + echo ${UNAME_MACHINE}-unknown-netbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*//'` + exit 0 ;; + *:OpenBSD:*:*) + echo ${UNAME_MACHINE}-unknown-openbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + exit 0 ;; + i*:CYGWIN*:*) + echo ${UNAME_MACHINE}-pc-cygwin + exit 0 ;; + i*:MINGW*:*) + echo ${UNAME_MACHINE}-pc-mingw32 + exit 0 ;; + i*:Windows_NT*:* | Pentium*:Windows_NT*:*) + # How do we know it's Interix rather than the generic POSIX subsystem? + # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we + # UNAME_MACHINE based on the output of uname instead of i386? + echo i386-pc-interix + exit 0 ;; + i*:UWIN*:*) + echo ${UNAME_MACHINE}-pc-uwin + exit 0 ;; + p*:CYGWIN*:*) + echo powerpcle-unknown-cygwin + exit 0 ;; + prep*:SunOS:5.*:*) + echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit 0 ;; + *:GNU:*:*) + echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` + exit 0 ;; + *:Linux:*:*) + + # The BFD linker knows what the default object file format is, so + # first see if it will tell us. cd to the root directory to prevent + # problems with other programs or directories called `ld' in the path. + ld_help_string=`cd /; ld --help 2>&1` + ld_supported_emulations=`echo $ld_help_string \ + | sed -ne '/supported emulations:/!d + s/[ ][ ]*/ /g + s/.*supported emulations: *// + s/ .*// + p'` + case "$ld_supported_emulations" in + *ia64) + echo "${UNAME_MACHINE}-unknown-linux" + exit 0 + ;; + i?86linux) + echo "${UNAME_MACHINE}-pc-linux-gnuaout" + exit 0 + ;; + i?86coff) + echo "${UNAME_MACHINE}-pc-linux-gnucoff" + exit 0 + ;; + sparclinux) + echo "${UNAME_MACHINE}-unknown-linux-gnuaout" + exit 0 + ;; + armlinux) + echo "${UNAME_MACHINE}-unknown-linux-gnuaout" + exit 0 + ;; + elf32arm*) + echo "${UNAME_MACHINE}-unknown-linux-gnu" + exit 0 + ;; + armelf_linux*) + echo "${UNAME_MACHINE}-unknown-linux-gnu" + exit 0 + ;; + m68klinux) + echo "${UNAME_MACHINE}-unknown-linux-gnuaout" + exit 0 + ;; + elf32ppc) + # Determine Lib Version + cat >$dummy.c < +#if defined(__GLIBC__) +extern char __libc_version[]; +extern char __libc_release[]; +#endif +main(argc, argv) + int argc; + char *argv[]; +{ +#if defined(__GLIBC__) + printf("%s %s\n", __libc_version, __libc_release); +#else + printf("unkown\n"); +#endif + return 0; +} +EOF + LIBC="" + $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null + if test "$?" = 0 ; then + ./$dummy | grep 1\.99 > /dev/null + if test "$?" = 0 ; then + LIBC="libc1" + fi + fi + rm -f $dummy.c $dummy + echo powerpc-unknown-linux-gnu${LIBC} + exit 0 + ;; + esac + + if test "${UNAME_MACHINE}" = "alpha" ; then + cat <$dummy.s + .data + \$Lformat: + .byte 37,100,45,37,120,10,0 # "%d-%x\n" + + .text + .globl main + .align 4 + .ent main + main: + .frame \$30,16,\$26,0 + ldgp \$29,0(\$27) + .prologue 1 + .long 0x47e03d80 # implver \$0 + lda \$2,-1 + .long 0x47e20c21 # amask \$2,\$1 + lda \$16,\$Lformat + mov \$0,\$17 + not \$1,\$18 + jsr \$26,printf + ldgp \$29,0(\$26) + mov 0,\$16 + jsr \$26,exit + .end main +EOF + LIBC="" + $CC_FOR_BUILD $dummy.s -o $dummy 2>/dev/null + if test "$?" = 0 ; then + case `./$dummy` in + 0-0) + UNAME_MACHINE="alpha" + ;; + 1-0) + UNAME_MACHINE="alphaev5" + ;; + 1-1) + UNAME_MACHINE="alphaev56" + ;; + 1-101) + UNAME_MACHINE="alphapca56" + ;; + 2-303) + UNAME_MACHINE="alphaev6" + ;; + 2-307) + UNAME_MACHINE="alphaev67" + ;; + esac + + objdump --private-headers $dummy | \ + grep ld.so.1 > /dev/null + if test "$?" = 0 ; then + LIBC="libc1" + fi + fi + rm -f $dummy.s $dummy + echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} ; exit 0 + elif test "${UNAME_MACHINE}" = "mips" ; then + cat >$dummy.c </dev/null && ./$dummy "${UNAME_MACHINE}" && rm $dummy.c $dummy && exit 0 + rm -f $dummy.c $dummy + else + # Either a pre-BFD a.out linker (linux-gnuoldld) + # or one that does not give us useful --help. + # GCC wants to distinguish between linux-gnuoldld and linux-gnuaout. + # If ld does not provide *any* "supported emulations:" + # that means it is gnuoldld. + echo "$ld_help_string" | grep >/dev/null 2>&1 "supported emulations:" + test $? != 0 && echo "${UNAME_MACHINE}-pc-linux-gnuoldld" && exit 0 + + case "${UNAME_MACHINE}" in + i?86) + VENDOR=pc; + ;; + *) + VENDOR=unknown; + ;; + esac + # Determine whether the default compiler is a.out or elf + cat >$dummy.c < +#ifdef __cplusplus + int main (int argc, char *argv[]) { +#else + int main (argc, argv) int argc; char *argv[]; { +#endif +#ifdef __ELF__ +# ifdef __GLIBC__ +# if __GLIBC__ >= 2 + printf ("%s-${VENDOR}-linux-gnu\n", argv[1]); +# else + printf ("%s-${VENDOR}-linux-gnulibc1\n", argv[1]); +# endif +# else + printf ("%s-${VENDOR}-linux-gnulibc1\n", argv[1]); +# endif +#else + printf ("%s-${VENDOR}-linux-gnuaout\n", argv[1]); +#endif + return 0; +} +EOF + $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy "${UNAME_MACHINE}" && rm $dummy.c $dummy && exit 0 + rm -f $dummy.c $dummy + fi ;; +# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. earlier versions +# are messed up and put the nodename in both sysname and nodename. + i?86:DYNIX/ptx:4*:*) + echo i386-sequent-sysv4 + exit 0 ;; + i?86:UNIX_SV:4.2MP:2.*) + # Unixware is an offshoot of SVR4, but it has its own version + # number series starting with 2... + # I am not positive that other SVR4 systems won't match this, + # I just have to hope. -- rms. + # Use sysv4.2uw... so that sysv4* matches it. + echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} + exit 0 ;; + i?86:*:4.*:* | i?86:SYSTEM_V:4.*:*) + UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` + if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then + echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL} + else + echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL} + fi + exit 0 ;; + i?86:*:5:7*) + # Fixed at (any) Pentium or better + UNAME_MACHINE=i586 + if [ ${UNAME_SYSTEM} = "UnixWare" ] ; then + echo ${UNAME_MACHINE}-sco-sysv${UNAME_RELEASE}uw${UNAME_VERSION} + else + echo ${UNAME_MACHINE}-pc-sysv${UNAME_RELEASE} + fi + exit 0 ;; + i?86:*:3.2:*) + if test -f /usr/options/cb.name; then + UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then + UNAME_REL=`(/bin/uname -X|egrep Release|sed -e 's/.*= //')` + (/bin/uname -X|egrep i80486 >/dev/null) && UNAME_MACHINE=i486 + (/bin/uname -X|egrep '^Machine.*Pentium' >/dev/null) \ + && UNAME_MACHINE=i586 + (/bin/uname -X|egrep '^Machine.*Pent ?II' >/dev/null) \ + && UNAME_MACHINE=i686 + (/bin/uname -X|egrep '^Machine.*Pentium Pro' >/dev/null) \ + && UNAME_MACHINE=i686 + echo ${UNAME_MACHINE}-pc-sco$UNAME_REL + else + echo ${UNAME_MACHINE}-pc-sysv32 + fi + exit 0 ;; + pc:*:*:*) + # uname -m prints for DJGPP always 'pc', but it prints nothing about + # the processor, so we play safe by assuming i386. + echo i386-pc-msdosdjgpp + exit 0 ;; + Intel:Mach:3*:*) + echo i386-pc-mach3 + exit 0 ;; + paragon:*:*:*) + echo i860-intel-osf1 + exit 0 ;; + i860:*:4.*:*) # i860-SVR4 + if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then + echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4 + else # Add other i860-SVR4 vendors below as they are discovered. + echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4 + fi + exit 0 ;; + mini*:CTIX:SYS*5:*) + # "miniframe" + echo m68010-convergent-sysv + exit 0 ;; + M68*:*:R3V[567]*:*) + test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;; + 3[34]??:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 4850:*:4.0:3.0) + OS_REL='' + test -r /etc/.relid \ + && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && echo i486-ncr-sysv4.3${OS_REL} && exit 0 + /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ + && echo i586-ncr-sysv4.3${OS_REL} && exit 0 ;; + 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && echo i486-ncr-sysv4 && exit 0 ;; + m68*:LynxOS:2.*:*) + echo m68k-unknown-lynxos${UNAME_RELEASE} + exit 0 ;; + mc68030:UNIX_System_V:4.*:*) + echo m68k-atari-sysv4 + exit 0 ;; + i?86:LynxOS:2.*:* | i?86:LynxOS:3.[01]*:*) + echo i386-unknown-lynxos${UNAME_RELEASE} + exit 0 ;; + TSUNAMI:LynxOS:2.*:*) + echo sparc-unknown-lynxos${UNAME_RELEASE} + exit 0 ;; + rs6000:LynxOS:2.*:* | PowerPC:LynxOS:2.*:*) + echo rs6000-unknown-lynxos${UNAME_RELEASE} + exit 0 ;; + SM[BE]S:UNIX_SV:*:*) + echo mips-dde-sysv${UNAME_RELEASE} + exit 0 ;; + RM*:ReliantUNIX-*:*:*) + echo mips-sni-sysv4 + exit 0 ;; + RM*:SINIX-*:*:*) + echo mips-sni-sysv4 + exit 0 ;; + *:SINIX-*:*:*) + if uname -p 2>/dev/null >/dev/null ; then + UNAME_MACHINE=`(uname -p) 2>/dev/null` + echo ${UNAME_MACHINE}-sni-sysv4 + else + echo ns32k-sni-sysv + fi + exit 0 ;; + PENTIUM:CPunix:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort + # says + echo i586-unisys-sysv4 + exit 0 ;; + *:UNIX_System_V:4*:FTX*) + # From Gerald Hewes . + # How about differentiating between stratus architectures? -djm + echo hppa1.1-stratus-sysv4 + exit 0 ;; + *:*:*:FTX*) + # From seanf@swdc.stratus.com. + echo i860-stratus-sysv4 + exit 0 ;; + mc68*:A/UX:*:*) + echo m68k-apple-aux${UNAME_RELEASE} + exit 0 ;; + news*:NEWS-OS:*:6*) + echo mips-sony-newsos6 + exit 0 ;; + R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) + if [ -d /usr/nec ]; then + echo mips-nec-sysv${UNAME_RELEASE} + else + echo mips-unknown-sysv${UNAME_RELEASE} + fi + exit 0 ;; + BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. + echo powerpc-be-beos + exit 0 ;; + BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only. + echo powerpc-apple-beos + exit 0 ;; + BePC:BeOS:*:*) # BeOS running on Intel PC compatible. + echo i586-pc-beos + exit 0 ;; + SX-4:SUPER-UX:*:*) + echo sx4-nec-superux${UNAME_RELEASE} + exit 0 ;; + SX-5:SUPER-UX:*:*) + echo sx5-nec-superux${UNAME_RELEASE} + exit 0 ;; + Power*:Rhapsody:*:*) + echo powerpc-apple-rhapsody${UNAME_RELEASE} + exit 0 ;; + *:Rhapsody:*:*) + echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE} + exit 0 ;; + *:QNX:*:4*) + echo i386-qnx-qnx${UNAME_VERSION} + exit 0 ;; +esac + +#echo '(No uname command or uname output not recognized.)' 1>&2 +#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2 + +cat >$dummy.c < +# include +#endif +main () +{ +#if defined (sony) +#if defined (MIPSEB) + /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, + I don't know.... */ + printf ("mips-sony-bsd\n"); exit (0); +#else +#include + printf ("m68k-sony-newsos%s\n", +#ifdef NEWSOS4 + "4" +#else + "" +#endif + ); exit (0); +#endif +#endif + +#if defined (__arm) && defined (__acorn) && defined (__unix) + printf ("arm-acorn-riscix"); exit (0); +#endif + +#if defined (hp300) && !defined (hpux) + printf ("m68k-hp-bsd\n"); exit (0); +#endif + +#if defined (NeXT) +#if !defined (__ARCHITECTURE__) +#define __ARCHITECTURE__ "m68k" +#endif + int version; + version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; + if (version < 4) + printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); + else + printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version); + exit (0); +#endif + +#if defined (MULTIMAX) || defined (n16) +#if defined (UMAXV) + printf ("ns32k-encore-sysv\n"); exit (0); +#else +#if defined (CMU) + printf ("ns32k-encore-mach\n"); exit (0); +#else + printf ("ns32k-encore-bsd\n"); exit (0); +#endif +#endif +#endif + +#if defined (__386BSD__) + printf ("i386-pc-bsd\n"); exit (0); +#endif + +#if defined (sequent) +#if defined (i386) + printf ("i386-sequent-dynix\n"); exit (0); +#endif +#if defined (ns32000) + printf ("ns32k-sequent-dynix\n"); exit (0); +#endif +#endif + +#if defined (_SEQUENT_) + struct utsname un; + + uname(&un); + + if (strncmp(un.version, "V2", 2) == 0) { + printf ("i386-sequent-ptx2\n"); exit (0); + } + if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */ + printf ("i386-sequent-ptx1\n"); exit (0); + } + printf ("i386-sequent-ptx\n"); exit (0); + +#endif + +#if defined (vax) +#if !defined (ultrix) + printf ("vax-dec-bsd\n"); exit (0); +#else + printf ("vax-dec-ultrix\n"); exit (0); +#endif +#endif + +#if defined (alliant) && defined (i860) + printf ("i860-alliant-bsd\n"); exit (0); +#endif + + exit (1); +} +EOF + +$CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy && rm $dummy.c $dummy && exit 0 +rm -f $dummy.c $dummy + +# Apollos put the system type in the environment. + +test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit 0; } + +# Convex versions that predate uname can use getsysinfo(1) + +if [ -x /usr/convex/getsysinfo ] +then + case `getsysinfo -f cpu_type` in + c1*) + echo c1-convex-bsd + exit 0 ;; + c2*) + if getsysinfo -f scalar_acc + then echo c32-convex-bsd + else echo c2-convex-bsd + fi + exit 0 ;; + c34*) + echo c34-convex-bsd + exit 0 ;; + c38*) + echo c38-convex-bsd + exit 0 ;; + c4*) + echo c4-convex-bsd + exit 0 ;; + esac +fi + +#echo '(Unable to guess system type)' 1>&2 + +exit 1 diff -ruN --exclude CVS ssh-openbsd-2000050800/config.sub openssh-2.0.0beta2/config.sub --- ssh-openbsd-2000050800/config.sub Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/config.sub Fri Jan 7 08:56:05 2000 @@ -0,0 +1,1219 @@ +#! /bin/sh +# Configuration validation subroutine script, version 1.1. +# Copyright (C) 1991, 92-97, 1998, 1999 Free Software Foundation, Inc. +# This file is (in principle) common to ALL GNU software. +# The presence of a machine in this file suggests that SOME GNU software +# can handle that machine. It does not imply ALL GNU software can. +# +# This file is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, +# Boston, MA 02111-1307, USA. + +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# Configuration subroutine to validate and canonicalize a configuration type. +# Supply the specified configuration type as an argument. +# If it is invalid, we print an error message on stderr and exit with code 1. +# Otherwise, we print the canonical config type on stdout and succeed. + +# This file is supposed to be the same for all GNU packages +# and recognize all the CPU types, system types and aliases +# that are meaningful with *any* GNU software. +# Each package is responsible for reporting which valid configurations +# it does not support. The user should be able to distinguish +# a failure to support a valid configuration from a meaningless +# configuration. + +# The goal of this file is to map all the various variations of a given +# machine specification into a single specification in the form: +# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM +# or in some cases, the newer four-part form: +# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM +# It is wrong to echo any other type of specification. + +if [ x$1 = x ] +then + echo Configuration name missing. 1>&2 + echo "Usage: $0 CPU-MFR-OPSYS" 1>&2 + echo "or $0 ALIAS" 1>&2 + echo where ALIAS is a recognized configuration type. 1>&2 + exit 1 +fi + +# First pass through any local machine types. +case $1 in + *local*) + echo $1 + exit 0 + ;; + *) + ;; +esac + +# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any). +# Here we must recognize all the valid KERNEL-OS combinations. +maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` +case $maybe_os in + linux-gnu*) + os=-$maybe_os + basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` + ;; + *) + basic_machine=`echo $1 | sed 's/-[^-]*$//'` + if [ $basic_machine != $1 ] + then os=`echo $1 | sed 's/.*-/-/'` + else os=; fi + ;; +esac + +### Let's recognize common machines as not being operating systems so +### that things like config.sub decstation-3100 work. We also +### recognize some manufacturers as not being operating systems, so we +### can provide default operating systems below. +case $os in + -sun*os*) + # Prevent following clause from handling this invalid input. + ;; + -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \ + -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \ + -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \ + -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ + -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ + -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ + -apple) + os= + basic_machine=$1 + ;; + -sim | -cisco | -oki | -wec | -winbond) + os= + basic_machine=$1 + ;; + -scout) + ;; + -wrs) + os=-vxworks + basic_machine=$1 + ;; + -hiux*) + os=-hiuxwe2 + ;; + -sco5) + os=-sco3.2v5 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco4) + os=-sco3.2v4 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco3.2.[4-9]*) + os=`echo $os | sed -e 's/sco3.2./sco3.2v/'` + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco3.2v[4-9]*) + # Don't forget version if it is 3.2v4 or newer. + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco*) + os=-sco3.2v2 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -udk*) + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -isc) + os=-isc2.2 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -clix*) + basic_machine=clipper-intergraph + ;; + -isc*) + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -lynx*) + os=-lynxos + ;; + -ptx*) + basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'` + ;; + -windowsnt*) + os=`echo $os | sed -e 's/windowsnt/winnt/'` + ;; + -psos*) + os=-psos + ;; +esac + +# Decode aliases for certain CPU-COMPANY combinations. +case $basic_machine in + # Recognize the basic CPU types without company name. + # Some are omitted here because they have special meanings below. + tahoe | i860 | m32r | m68k | m68000 | m88k | ns32k | arc | arm \ + | arme[lb] | pyramid | mn10200 | mn10300 | tron | a29k \ + | 580 | i960 | h8300 \ + | hppa | hppa1.0 | hppa1.1 | hppa2.0 | hppa2.0w | hppa2.0n \ + | alpha | alphaev[4-8] | alphaev56 | alphapca5[67] \ + | we32k | ns16k | clipper | i370 | sh | powerpc | powerpcle \ + | 1750a | dsp16xx | pdp11 | mips16 | mips64 | mipsel | mips64el \ + | mips64orion | mips64orionel | mipstx39 | mipstx39el \ + | mips64vr4300 | mips64vr4300el | mips64vr4100 | mips64vr4100el \ + | mips64vr5000 | miprs64vr5000el \ + | m88110 | m680[012346]0 | m683?2 | m68360 | m5200 | z8k | v70 \ + | sparc | sparclet | sparclite | sparc64 | sparc86x | sparcv9 \ + | thumb | v850 | c4x | d10v | h8500 | w65 | fr30) + basic_machine=$basic_machine-unknown + ;; + # We use `pc' rather than `unknown' + # because (1) that's what they normally are, and + # (2) the word "unknown" tends to confuse beginning users. + i[34567]86) + basic_machine=$basic_machine-pc + ;; + # Object if more than one company name word. + *-*-*) + echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 + exit 1 + ;; + # Recognize the basic CPU types with company name. + vax-* | tahoe-* | i[34567]86-* | i860-* | m32r-* | m68k-* | m68000-* \ + | m88k-* | sparc-* | ns32k-* | fx80-* | arc-* | arm-* | c[123]* \ + | mips-* | pyramid-* | tron-* | a29k-* | romp-* | rs6000-* \ + | power-* | none-* | 580-* | cray2-* | h8300-* | h8500-* | i960-* \ + | xmp-* | ymp-* \ + | hppa-* | hppa1.0-* | hppa1.1-* | hppa2.0-* | hppa2.0w-* | hppa2.0n-* \ + | alpha-* | alphaev[4-8]-* | alphaev56-* | alphapca5[67]-* \ + | we32k-* | cydra-* | ns16k-* | pn-* | np1-* | xps100-* \ + | clipper-* | orion-* \ + | sparclite-* | pdp11-* | sh-* | powerpc-* | powerpcle-* \ + | sparc64-* | sparcv9-* | sparc86x-* | mips16-* | mips64-* | mipsel-* \ + | mips64el-* | mips64orion-* | mips64orionel-* \ + | mips64vr4100-* | mips64vr4100el-* | mips64vr4300-* | mips64vr4300el-* \ + | mipstx39-* | mipstx39el-* \ + | f301-* | arm*-* | t3e-* \ + | m88110-* | m680[01234]0-* | m683?2-* | m68360-* | z8k-* | d10v-* \ + | thumb-* | v850-* | d30v-* | tic30-* | c30-* | fr30-* ) + ;; + # Recognize the various machine names and aliases which stand + # for a CPU type and a company and sometimes even an OS. + 386bsd) + basic_machine=i386-unknown + os=-bsd + ;; + 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) + basic_machine=m68000-att + ;; + 3b*) + basic_machine=we32k-att + ;; + a29khif) + basic_machine=a29k-amd + os=-udi + ;; + adobe68k) + basic_machine=m68010-adobe + os=-scout + ;; + alliant | fx80) + basic_machine=fx80-alliant + ;; + altos | altos3068) + basic_machine=m68k-altos + ;; + am29k) + basic_machine=a29k-none + os=-bsd + ;; + amdahl) + basic_machine=580-amdahl + os=-sysv + ;; + amiga | amiga-*) + basic_machine=m68k-cbm + ;; + amigaos | amigados) + basic_machine=m68k-cbm + os=-amigaos + ;; + amigaunix | amix) + basic_machine=m68k-cbm + os=-sysv4 + ;; + apollo68) + basic_machine=m68k-apollo + os=-sysv + ;; + apollo68bsd) + basic_machine=m68k-apollo + os=-bsd + ;; + aux) + basic_machine=m68k-apple + os=-aux + ;; + balance) + basic_machine=ns32k-sequent + os=-dynix + ;; + convex-c1) + basic_machine=c1-convex + os=-bsd + ;; + convex-c2) + basic_machine=c2-convex + os=-bsd + ;; + convex-c32) + basic_machine=c32-convex + os=-bsd + ;; + convex-c34) + basic_machine=c34-convex + os=-bsd + ;; + convex-c38) + basic_machine=c38-convex + os=-bsd + ;; + cray | ymp) + basic_machine=ymp-cray + os=-unicos + ;; + cray2) + basic_machine=cray2-cray + os=-unicos + ;; + [ctj]90-cray) + basic_machine=c90-cray + os=-unicos + ;; + crds | unos) + basic_machine=m68k-crds + ;; + da30 | da30-*) + basic_machine=m68k-da30 + ;; + decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) + basic_machine=mips-dec + ;; + delta | 3300 | motorola-3300 | motorola-delta \ + | 3300-motorola | delta-motorola) + basic_machine=m68k-motorola + ;; + delta88) + basic_machine=m88k-motorola + os=-sysv3 + ;; + dpx20 | dpx20-*) + basic_machine=rs6000-bull + os=-bosx + ;; + dpx2* | dpx2*-bull) + basic_machine=m68k-bull + os=-sysv3 + ;; + ebmon29k) + basic_machine=a29k-amd + os=-ebmon + ;; + elxsi) + basic_machine=elxsi-elxsi + os=-bsd + ;; + encore | umax | mmax) + basic_machine=ns32k-encore + ;; + es1800 | OSE68k | ose68k | ose | OSE) + basic_machine=m68k-ericsson + os=-ose + ;; + fx2800) + basic_machine=i860-alliant + ;; + genix) + basic_machine=ns32k-ns + ;; + gmicro) + basic_machine=tron-gmicro + os=-sysv + ;; + h3050r* | hiux*) + basic_machine=hppa1.1-hitachi + os=-hiuxwe2 + ;; + h8300hms) + basic_machine=h8300-hitachi + os=-hms + ;; + h8300xray) + basic_machine=h8300-hitachi + os=-xray + ;; + h8500hms) + basic_machine=h8500-hitachi + os=-hms + ;; + harris) + basic_machine=m88k-harris + os=-sysv3 + ;; + hp300-*) + basic_machine=m68k-hp + ;; + hp300bsd) + basic_machine=m68k-hp + os=-bsd + ;; + hp300hpux) + basic_machine=m68k-hp + os=-hpux + ;; + hp3k9[0-9][0-9] | hp9[0-9][0-9]) + basic_machine=hppa1.0-hp + ;; + hp9k2[0-9][0-9] | hp9k31[0-9]) + basic_machine=m68000-hp + ;; + hp9k3[2-9][0-9]) + basic_machine=m68k-hp + ;; + hp9k6[0-9][0-9] | hp6[0-9][0-9]) + basic_machine=hppa1.0-hp + ;; + hp9k7[0-79][0-9] | hp7[0-79][0-9]) + basic_machine=hppa1.1-hp + ;; + hp9k78[0-9] | hp78[0-9]) + # FIXME: really hppa2.0-hp + basic_machine=hppa1.1-hp + ;; + hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) + # FIXME: really hppa2.0-hp + basic_machine=hppa1.1-hp + ;; + hp9k8[0-9][13679] | hp8[0-9][13679]) + basic_machine=hppa1.1-hp + ;; + hp9k8[0-9][0-9] | hp8[0-9][0-9]) + basic_machine=hppa1.0-hp + ;; + hppa-next) + os=-nextstep3 + ;; + hppaosf) + basic_machine=hppa1.1-hp + os=-osf + ;; + hppro) + basic_machine=hppa1.1-hp + os=-proelf + ;; + i370-ibm* | ibm*) + basic_machine=i370-ibm + ;; +# I'm not sure what "Sysv32" means. Should this be sysv3.2? + i[34567]86v32) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-sysv32 + ;; + i[34567]86v4*) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-sysv4 + ;; + i[34567]86v) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-sysv + ;; + i[34567]86sol2) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-solaris2 + ;; + i386mach) + basic_machine=i386-mach + os=-mach + ;; + i386-vsta | vsta) + basic_machine=i386-unknown + os=-vsta + ;; + i386-go32 | go32) + basic_machine=i386-unknown + os=-go32 + ;; + i386-mingw32 | mingw32) + basic_machine=i386-unknown + os=-mingw32 + ;; + iris | iris4d) + basic_machine=mips-sgi + case $os in + -irix*) + ;; + *) + os=-irix4 + ;; + esac + ;; + isi68 | isi) + basic_machine=m68k-isi + os=-sysv + ;; + m88k-omron*) + basic_machine=m88k-omron + ;; + magnum | m3230) + basic_machine=mips-mips + os=-sysv + ;; + merlin) + basic_machine=ns32k-utek + os=-sysv + ;; + miniframe) + basic_machine=m68000-convergent + ;; + *mint | *MiNT) + basic_machine=m68k-atari + os=-mint + ;; + mipsel*-linux*) + basic_machine=mipsel-unknown + os=-linux-gnu + ;; + mips*-linux*) + basic_machine=mips-unknown + os=-linux-gnu + ;; + mips3*-*) + basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` + ;; + mips3*) + basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown + ;; + monitor) + basic_machine=m68k-rom68k + os=-coff + ;; + msdos) + basic_machine=i386-unknown + os=-msdos + ;; + mvs) + basic_machine=i370-ibm + os=-mvs + ;; + ncr3000) + basic_machine=i486-ncr + os=-sysv4 + ;; + netbsd386) + basic_machine=i386-unknown + os=-netbsd + ;; + netwinder) + basic_machine=armv4l-corel + os=-linux + ;; + news | news700 | news800 | news900) + basic_machine=m68k-sony + os=-newsos + ;; + news1000) + basic_machine=m68030-sony + os=-newsos + ;; + news-3600 | risc-news) + basic_machine=mips-sony + os=-newsos + ;; + necv70) + basic_machine=v70-nec + os=-sysv + ;; + next | m*-next ) + basic_machine=m68k-next + case $os in + -nextstep* ) + ;; + -ns2*) + os=-nextstep2 + ;; + *) + os=-nextstep3 + ;; + esac + ;; + nh3000) + basic_machine=m68k-harris + os=-cxux + ;; + nh[45]000) + basic_machine=m88k-harris + os=-cxux + ;; + nindy960) + basic_machine=i960-intel + os=-nindy + ;; + mon960) + basic_machine=i960-intel + os=-mon960 + ;; + np1) + basic_machine=np1-gould + ;; + op50n-* | op60c-*) + basic_machine=hppa1.1-oki + os=-proelf + ;; + OSE68000 | ose68000) + basic_machine=m68000-ericsson + os=-ose + ;; + os68k) + basic_machine=m68k-none + os=-os68k + ;; + pa-hitachi) + basic_machine=hppa1.1-hitachi + os=-hiuxwe2 + ;; + paragon) + basic_machine=i860-intel + os=-osf + ;; + pbd) + basic_machine=sparc-tti + ;; + pbb) + basic_machine=m68k-tti + ;; + pc532 | pc532-*) + basic_machine=ns32k-pc532 + ;; + pentium | p5 | k5 | k6 | nexen) + basic_machine=i586-pc + ;; + pentiumpro | p6 | 6x86) + basic_machine=i686-pc + ;; + pentiumii | pentium2) + basic_machine=i786-pc + ;; + pentium-* | p5-* | k5-* | k6-* | nexen-*) + basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pentiumpro-* | p6-* | 6x86-*) + basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pentiumii-* | pentium2-*) + basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pn) + basic_machine=pn-gould + ;; + power) basic_machine=rs6000-ibm + ;; + ppc) basic_machine=powerpc-unknown + ;; + ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ppcle | powerpclittle | ppc-le | powerpc-little) + basic_machine=powerpcle-unknown + ;; + ppcle-* | powerpclittle-*) + basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ps2) + basic_machine=i386-ibm + ;; + rom68k) + basic_machine=m68k-rom68k + os=-coff + ;; + rm[46]00) + basic_machine=mips-siemens + ;; + rtpc | rtpc-*) + basic_machine=romp-ibm + ;; + sa29200) + basic_machine=a29k-amd + os=-udi + ;; + sequent) + basic_machine=i386-sequent + ;; + sh) + basic_machine=sh-hitachi + os=-hms + ;; + sparclite-wrs) + basic_machine=sparclite-wrs + os=-vxworks + ;; + sps7) + basic_machine=m68k-bull + os=-sysv2 + ;; + spur) + basic_machine=spur-unknown + ;; + st2000) + basic_machine=m68k-tandem + ;; + stratus) + basic_machine=i860-stratus + os=-sysv4 + ;; + sun2) + basic_machine=m68000-sun + ;; + sun2os3) + basic_machine=m68000-sun + os=-sunos3 + ;; + sun2os4) + basic_machine=m68000-sun + os=-sunos4 + ;; + sun3os3) + basic_machine=m68k-sun + os=-sunos3 + ;; + sun3os4) + basic_machine=m68k-sun + os=-sunos4 + ;; + sun4os3) + basic_machine=sparc-sun + os=-sunos3 + ;; + sun4os4) + basic_machine=sparc-sun + os=-sunos4 + ;; + sun4sol2) + basic_machine=sparc-sun + os=-solaris2 + ;; + sun3 | sun3-*) + basic_machine=m68k-sun + ;; + sun4) + basic_machine=sparc-sun + ;; + sun386 | sun386i | roadrunner) + basic_machine=i386-sun + ;; + symmetry) + basic_machine=i386-sequent + os=-dynix + ;; + t3e) + basic_machine=t3e-cray + os=-unicos + ;; + tx39) + basic_machine=mipstx39-unknown + ;; + tx39el) + basic_machine=mipstx39el-unknown + ;; + tower | tower-32) + basic_machine=m68k-ncr + ;; + udi29k) + basic_machine=a29k-amd + os=-udi + ;; + ultra3) + basic_machine=a29k-nyu + os=-sym1 + ;; + v810 | necv810) + basic_machine=v810-nec + os=-none + ;; + vaxv) + basic_machine=vax-dec + os=-sysv + ;; + vms) + basic_machine=vax-dec + os=-vms + ;; + vpp*|vx|vx-*) + basic_machine=f301-fujitsu + ;; + vxworks960) + basic_machine=i960-wrs + os=-vxworks + ;; + vxworks68) + basic_machine=m68k-wrs + os=-vxworks + ;; + vxworks29k) + basic_machine=a29k-wrs + os=-vxworks + ;; + w65*) + basic_machine=w65-wdc + os=-none + ;; + w89k-*) + basic_machine=hppa1.1-winbond + os=-proelf + ;; + xmp) + basic_machine=xmp-cray + os=-unicos + ;; + xps | xps100) + basic_machine=xps100-honeywell + ;; + z8k-*-coff) + basic_machine=z8k-unknown + os=-sim + ;; + none) + basic_machine=none-none + os=-none + ;; + +# Here we handle the default manufacturer of certain CPU types. It is in +# some cases the only manufacturer, in others, it is the most popular. + w89k) + basic_machine=hppa1.1-winbond + ;; + op50n) + basic_machine=hppa1.1-oki + ;; + op60c) + basic_machine=hppa1.1-oki + ;; + mips) + if [ x$os = x-linux-gnu ]; then + basic_machine=mips-unknown + else + basic_machine=mips-mips + fi + ;; + romp) + basic_machine=romp-ibm + ;; + rs6000) + basic_machine=rs6000-ibm + ;; + vax) + basic_machine=vax-dec + ;; + pdp11) + basic_machine=pdp11-dec + ;; + we32k) + basic_machine=we32k-att + ;; + sparc | sparcv9) + basic_machine=sparc-sun + ;; + cydra) + basic_machine=cydra-cydrome + ;; + orion) + basic_machine=orion-highlevel + ;; + orion105) + basic_machine=clipper-highlevel + ;; + mac | mpw | mac-mpw) + basic_machine=m68k-apple + ;; + pmac | pmac-mpw) + basic_machine=powerpc-apple + ;; + c4x*) + basic_machine=c4x-none + os=-coff + ;; + *) + echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 + exit 1 + ;; +esac + +# Here we canonicalize certain aliases for manufacturers. +case $basic_machine in + *-digital*) + basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'` + ;; + *-commodore*) + basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'` + ;; + *) + ;; +esac + +# Decode manufacturer-specific aliases for certain operating systems. + +if [ x"$os" != x"" ] +then +case $os in + # First match some system type aliases + # that might get confused with valid system types. + # -solaris* is a basic system type, with this one exception. + -solaris1 | -solaris1.*) + os=`echo $os | sed -e 's|solaris1|sunos4|'` + ;; + -solaris) + os=-solaris2 + ;; + -svr4*) + os=-sysv4 + ;; + -unixware*) + os=-sysv4.2uw + ;; + -gnu/linux*) + os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'` + ;; + # First accept the basic system types. + # The portable systems comes first. + # Each alternative MUST END IN A *, to match a version number. + # -sysv* is not here because it comes later, after sysvr4. + -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ + | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\ + | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \ + | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ + | -aos* | -opened* \ + | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ + | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ + | -hiux* | -386bsd* | -netbsd* | -openbsd* | -freebsd* | -riscix* \ + | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ + | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ + | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ + | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ + | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -mpeix* | -udk* \ + | -interix* | -uwin* | -rhapsody* | -openstep* | -oskit*) + # Remember, each alternative MUST END IN *, to match a version number. + ;; + -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \ + | -windows* | -osx | -abug | -netware* | -os9* | -beos* \ + | -macos* | -mpw* | -magic* | -mon960* | -lnews*) + ;; + -mac*) + os=`echo $os | sed -e 's|mac|macos|'` + ;; + -linux*) + os=`echo $os | sed -e 's|linux|linux-gnu|'` + ;; + -sunos5*) + os=`echo $os | sed -e 's|sunos5|solaris2|'` + ;; + -sunos6*) + os=`echo $os | sed -e 's|sunos6|solaris3|'` + ;; + -opened*) + os=-openedition + ;; + -osfrose*) + os=-osfrose + ;; + -osf*) + os=-osf + ;; + -utek*) + os=-bsd + ;; + -dynix*) + os=-bsd + ;; + -acis*) + os=-aos + ;; + -386bsd) + os=-bsd + ;; + -ctix* | -uts*) + os=-sysv + ;; + -ns2 ) + os=-nextstep2 + ;; + # Preserve the version number of sinix5. + -sinix5.*) + os=`echo $os | sed -e 's|sinix|sysv|'` + ;; + -sinix*) + os=-sysv4 + ;; + -triton*) + os=-sysv3 + ;; + -oss*) + os=-sysv3 + ;; + -svr4) + os=-sysv4 + ;; + -svr3) + os=-sysv3 + ;; + -sysvr4) + os=-sysv4 + ;; + # This must come after -sysvr4. + -sysv*) + ;; + -ose*) + os=-ose + ;; + -es1800*) + os=-ose + ;; + -xenix) + os=-xenix + ;; + -*mint | -*MiNT) + os=-mint + ;; + -none) + ;; + *) + # Get rid of the `-' at the beginning of $os. + os=`echo $os | sed 's/[^-]*-//'` + echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2 + exit 1 + ;; +esac +else + +# Here we handle the default operating systems that come with various machines. +# The value should be what the vendor currently ships out the door with their +# machine or put another way, the most popular os provided with the machine. + +# Note that if you're going to try to match "-MANUFACTURER" here (say, +# "-sun"), then you have to tell the case statement up towards the top +# that MANUFACTURER isn't an operating system. Otherwise, code above +# will signal an error saying that MANUFACTURER isn't an operating +# system, and we'll never get to this point. + +case $basic_machine in + *-acorn) + os=-riscix1.2 + ;; + arm*-corel) + os=-linux + ;; + arm*-semi) + os=-aout + ;; + pdp11-*) + os=-none + ;; + *-dec | vax-*) + os=-ultrix4.2 + ;; + m68*-apollo) + os=-domain + ;; + i386-sun) + os=-sunos4.0.2 + ;; + m68000-sun) + os=-sunos3 + # This also exists in the configure program, but was not the + # default. + # os=-sunos4 + ;; + m68*-cisco) + os=-aout + ;; + mips*-cisco) + os=-elf + ;; + mips*-*) + os=-elf + ;; + *-tti) # must be before sparc entry or we get the wrong os. + os=-sysv3 + ;; + sparc-* | *-sun) + os=-sunos4.1.1 + ;; + *-be) + os=-beos + ;; + *-ibm) + os=-aix + ;; + *-wec) + os=-proelf + ;; + *-winbond) + os=-proelf + ;; + *-oki) + os=-proelf + ;; + *-hp) + os=-hpux + ;; + *-hitachi) + os=-hiux + ;; + i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent) + os=-sysv + ;; + *-cbm) + os=-amigaos + ;; + *-dg) + os=-dgux + ;; + *-dolphin) + os=-sysv3 + ;; + m68k-ccur) + os=-rtu + ;; + m88k-omron*) + os=-luna + ;; + *-next ) + os=-nextstep + ;; + *-sequent) + os=-ptx + ;; + *-crds) + os=-unos + ;; + *-ns) + os=-genix + ;; + i370-*) + os=-mvs + ;; + *-next) + os=-nextstep3 + ;; + *-gould) + os=-sysv + ;; + *-highlevel) + os=-bsd + ;; + *-encore) + os=-bsd + ;; + *-sgi) + os=-irix + ;; + *-siemens) + os=-sysv4 + ;; + *-masscomp) + os=-rtu + ;; + f301-fujitsu) + os=-uxpv + ;; + *-rom68k) + os=-coff + ;; + *-*bug) + os=-coff + ;; + *-apple) + os=-macos + ;; + *-atari*) + os=-mint + ;; + *) + os=-none + ;; +esac +fi + +# Here we handle the case where we know the os, and the CPU type, but not the +# manufacturer. We pick the logical manufacturer. +vendor=unknown +case $basic_machine in + *-unknown) + case $os in + -riscix*) + vendor=acorn + ;; + -sunos*) + vendor=sun + ;; + -aix*) + vendor=ibm + ;; + -beos*) + vendor=be + ;; + -hpux*) + vendor=hp + ;; + -mpeix*) + vendor=hp + ;; + -hiux*) + vendor=hitachi + ;; + -unos*) + vendor=crds + ;; + -dgux*) + vendor=dg + ;; + -luna*) + vendor=omron + ;; + -genix*) + vendor=ns + ;; + -mvs* | -opened*) + vendor=ibm + ;; + -ptx*) + vendor=sequent + ;; + -vxsim* | -vxworks*) + vendor=wrs + ;; + -aux*) + vendor=apple + ;; + -hms*) + vendor=hitachi + ;; + -mpw* | -macos*) + vendor=apple + ;; + -*mint | -*MiNT) + vendor=atari + ;; + esac + basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"` + ;; +esac + +echo $basic_machine$os diff -ruN --exclude CVS ssh-openbsd-2000050800/configure.in openssh-2.0.0beta2/configure.in --- ssh-openbsd-2000050800/configure.in Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/configure.in Sun May 7 12:03:16 2000 @@ -0,0 +1,902 @@ +AC_INIT(ssh.c) + +AC_CONFIG_HEADER(config.h) +AC_PROG_CC +AC_CANONICAL_HOST + +# Checks for programs. +AC_PROG_CPP +AC_PROG_RANLIB +AC_PROG_INSTALL +AC_CHECK_PROG(AR, ar, ar) +AC_PATH_PROG(PERL, perl) +AC_SUBST(PERL) + +if test -z "$LD" ; then + LD=$CC +fi +AC_SUBST(LD) + +# C Compiler features +AC_C_INLINE +if test "$GCC" = "yes"; then + CFLAGS="$CFLAGS -Wall" +fi + +# Check for some target-specific stuff +case "$host" in +*-*-aix*) + AFS_LIBS="-lld" + CFLAGS="$CFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS -L/usr/local/lib" + if test "$LD" != "gcc" -a -z "$blibpath"; then + blibpath="/usr/lib:/lib:/usr/local/lib" + fi + AC_DEFINE(BROKEN_GETADDRINFO) + ;; +*-*-hpux10*) + if test -z "$GCC"; then + CFLAGS="$CFLAGS -Aa" + fi + CFLAGS="$CFLAGS -D_HPUX_SOURCE" + CFLAGS="$CFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS -L/usr/local/lib" + AC_DEFINE(IPADDR_IN_DISPLAY) + AC_DEFINE(USE_UTMPX) + AC_MSG_CHECKING(for HPUX trusted system password database) + if test -f /tcb/files/auth/system/default; then + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_HPUX_TRUSTED_SYSTEM_PW) + LIBS="$LIBS -lsec" + AC_MSG_WARN([This configuration is untested]) + else + AC_MSG_RESULT(no) + AC_DEFINE(DISABLE_SHADOW) + fi + MANTYPE='$(CATMAN)' + mansubdir=cat + ;; +*-*-hpux11*) + if test -z "$GCC"; then + CFLAGS="$CFLAGS -Ae" + fi + CFLAGS="$CFLAGS -D_HPUX_SOURCE" + CFLAGS="$CFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS -L/usr/local/lib" + AC_DEFINE(IPADDR_IN_DISPLAY) + AC_DEFINE(USE_UTMPX) + AC_MSG_CHECKING(for HPUX trusted system password database) + if test -f /tcb/files/auth/system/default; then + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_HPUX_TRUSTED_SYSTEM_PW) + LIBS="$LIBS -lsec" + AC_MSG_WARN([This configuration is untested]) + else + AC_MSG_RESULT(no) + AC_DEFINE(DISABLE_SHADOW) + fi + MANTYPE='$(CATMAN)' + mansubdir=cat + ;; +*-*-irix5*) + CFLAGS="$CFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS -L/usr/local/lib" + MANTYPE='$(CATMAN)' + no_libsocket=1 + no_libnsl=1 + ;; +*-*-irix6*) + CFLAGS="$CFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS -L/usr/local/lib" + MANTYPE='$(CATMAN)' + AC_MSG_WARN([*** Irix 6.x is not tested, please report you experiences *** ]) + no_libsocket=1 + no_libnsl=1 + ;; +*-*-linux*) + no_dev_ptmx=1 + AC_DEFINE(DONT_TRY_OTHER_AF) + inet6_default_4in6=yes + ;; +*-*-netbsd*) + need_dash_r=1 + ;; +*-*-solaris*) + CFLAGS="$CFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib -L/usr/ucblib -R/usr/ucblib" + need_dash_r=1 + AC_DEFINE(USE_UTMPX) + ;; +*-*-sysv*) + CFLAGS="$CFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS -L/usr/local/lib" + AC_DEFINE(USE_UTMPX) + MANTYPE='$(CATMAN)' + mansubdir=cat + LIBS="$LIBS -lgen -lsocket" + ;; +esac + +# Checks for libraries. +AC_CHECK_LIB(z, deflate, ,AC_MSG_ERROR([*** zlib missing - please install first ***])) +AC_CHECK_LIB(util, login, AC_DEFINE(HAVE_LIBUTIL_LOGIN) LIBS="$LIBS -lutil") + +if test -z "$no_libsocket" ; then + AC_CHECK_LIB(nsl, yp_match, , ) +fi +if test -z "$no_libnsl" ; then + AC_CHECK_LIB(socket, main, , ) +fi + +# Checks for header files. +AC_CHECK_HEADERS(bstring.h endian.h lastlog.h login.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h util.h utmp.h utmpx.h) + +# Checks for library functions. +AC_CHECK_FUNCS(arc4random b64_ntop bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage innetgr md5_crypt mkdtemp openpty rresvport_af setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy updwtmpx vsnprintf vhangup _getpty __b64_ntop) + +AC_CHECK_FUNC(login, + [AC_DEFINE(HAVE_LOGIN)], + [AC_CHECK_LIB(bsd, login, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_LOGIN)])] +) + +AC_CHECK_FUNC(daemon, + [AC_DEFINE(HAVE_DAEMON)], + [AC_CHECK_LIB(bsd, daemon, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)])] +) + +AC_CHECK_FUNC(getpagesize, + [AC_DEFINE(HAVE_GETPAGESIZE)], + [AC_CHECK_LIB(ucb, getpagesize, [LIBS="$LIBS -lucb"; AC_DEFINE(HAVE_GETPAGESIZE)])] +) + +AC_ARG_WITH(pam, + [ --without-pam Disable PAM support ], + [ + if test "x$withval" = "xno" ; then + no_pam=1 + AC_DEFINE(DISABLE_PAM) + fi + ] +) +if test -z "$no_pam" -a "x$ac_cv_header_security_pam_appl_h" = "xyes" ; then + AC_CHECK_LIB(dl, dlopen, , ) + LIBS="$LIBS -lpam" + + AC_CHECK_FUNC(pam_getenvlist) + + # Check PAM strerror arguments (old PAM) + AC_MSG_CHECKING([whether pam_strerror takes only one argument]) + AC_TRY_COMPILE( + [ +#include +#include + ], + [(void)pam_strerror((pam_handle_t *)NULL, -1);], + [AC_MSG_RESULT(no)], + [ + AC_DEFINE(HAVE_OLD_PAM) + AC_MSG_RESULT(yes) + ] + ) +fi + +# The big search for OpenSSL +AC_ARG_WITH(ssl-dir, + [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], + [ + if test "x$withval" != "$xno" ; then + tryssldir=$withval + fi + ] +) + +saved_LIBS="$LIBS" +saved_LDFLAGS="$LDFLAGS" +saved_CFLAGS="$CFLAGS" +if test "x$prefix" != "xNONE" ; then + tryssldir="$tryssldir $prefix" +fi +AC_MSG_CHECKING([for OpenSSL directory]) +for ssldir in "" $tryssldir /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do + if test ! -z "$ssldir" ; then + LDFLAGS="$saved_LDFLAGS -L$ssldir/lib -L$ssldir" + CFLAGS="$saved_CFLAGS -I$ssldir/include" + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R$ssldir/lib -R$ssldir" + fi + else + LDFLAGS="$saved_LDFLAGS" + fi + + for WANTS_RSAREF in "" 1 ; do + + if test -z "$WANTS_RSAREF" ; then + LIBS="$saved_LIBS -lcrypto" + else + LIBS="$saved_LIBS -lcrypto -lRSAglue -lrsaref" + fi + + AC_TRY_RUN( + [ +#include +#include +#include +#include +#include +int main(void) +{ + RSA *key; char a[2048],b[2048];; + memset(a, 0, sizeof(a));memset(b, 0, sizeof(b)); + RAND_add(a, sizeof(a), sizeof(a)); + key=RSA_generate_key(32,3,NULL,NULL); + if (key==NULL) return(1); + return(-1==RSA_private_decrypt(RSA_size(key),a,b,key,RSA_NO_PADDING)); +} + ], + [ + AC_DEFINE(HAVE_OPENSSL) + found_crypto=1 + break; + ], [] + ) + done + + if test ! -z "$found_crypto" ; then + break; + fi +done + +if test -z "$found_crypto" ; then + AC_MSG_ERROR([Could not find working SSLeay / OpenSSL libraries, please install]) +fi +if test -z "$ssldir" ; then + ssldir="(system)" +else + CFLAGS="$saved_CFLAGS -I$ssldir/include" + LDFLAGS="$saved_LDFLAGS -L$ssldir/lib -L$ssldir" + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R$ssldir/lib -R$ssldir" + fi + if test ! -z "$blibpath" ; then + blibpath="$blibpath:$ssldir:$ssldir/lib" + fi +fi +if test -z "$WANTS_RSAREF" ; then + LIBS="$saved_LIBS -lcrypto" +else + LIBS="$saved_LIBS -lcrypto -lRSAglue -lrsaref" +fi +AC_MSG_RESULT($ssldir) + +# Checks for data types +AC_CHECK_SIZEOF(char, 1) +AC_CHECK_SIZEOF(short int, 2) +AC_CHECK_SIZEOF(int, 4) +AC_CHECK_SIZEOF(long int, 4) +AC_CHECK_SIZEOF(long long int, 8) + +# More checks for data types +AC_MSG_CHECKING([for intXX_t types]) +AC_TRY_COMPILE( + [#include ], + [int8_t a; int16_t b; int32_t c; a = b = c = 1;], + [ + AC_DEFINE(HAVE_INTXX_T) + AC_MSG_RESULT(yes) + have_intxx_t=1 + ], + [AC_MSG_RESULT(no)] +) + +AC_MSG_CHECKING([for u_intXX_t types]) +AC_TRY_COMPILE( + [#include ], + [u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;], + [ + AC_DEFINE(HAVE_U_INTXX_T) + AC_MSG_RESULT(yes) + have_u_intxx_t=1 + ], + [AC_MSG_RESULT(no)] +) + +if test -z "$have_u_intxx_t" -o -z "$have_intxx_t" -a \ + "x$ac_cv_header_sys_bitypes_h" = "xyes" +then + AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h]) + AC_TRY_COMPILE( + [#include ], + [ + int8_t a; int16_t b; int32_t c; + u_int8_t e; u_int16_t f; u_int32_t g; + a = b = c = e = f = g = 1; + ], + [ + AC_DEFINE(HAVE_U_INTXX_T) + AC_DEFINE(HAVE_INTXX_T) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] + ) +fi + +if test -z "$have_u_intxx_t" ; then + AC_MSG_CHECKING([for uintXX_t types]) + AC_TRY_COMPILE( + [#include ], + [uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;], + [ + AC_DEFINE(HAVE_UINTXX_T) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] + ) +fi + +AC_MSG_CHECKING([for socklen_t]) +AC_TRY_COMPILE( + [ +#include +#include + ], + [socklen_t foo; foo = 1235;], + [ + AC_DEFINE(HAVE_SOCKLEN_T) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) + +AC_MSG_CHECKING([for size_t]) +AC_TRY_COMPILE( + [#include ], + [size_t foo; foo = 1235;], + [ + AC_DEFINE(HAVE_SIZE_T) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) + +AC_MSG_CHECKING([for struct sockaddr_storage]) +AC_TRY_COMPILE( + [ +#include +#include + ], + [struct sockaddr_storage s;], + [ + AC_DEFINE(HAVE_STRUCT_SOCKADDR_STORAGE) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) + +AC_MSG_CHECKING([for struct sockaddr_in6]) +AC_TRY_COMPILE( + [#include ], + [struct sockaddr_in6 s; s.sin6_family = 0;], + [ + AC_DEFINE(HAVE_STRUCT_SOCKADDR_IN6) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) + +AC_MSG_CHECKING([for struct in6_addr]) +AC_TRY_COMPILE( + [#include ], + [struct in6_addr s; s.s6_addr[0] = 0;], + [ + AC_DEFINE(HAVE_STRUCT_IN6_ADDR) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) + +AC_MSG_CHECKING([for struct addrinfo]) +AC_TRY_COMPILE( + [ +#include +#include +#include + ], + [struct addrinfo s; s.ai_flags = AI_PASSIVE;], + [ + AC_DEFINE(HAVE_STRUCT_ADDRINFO) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) + +# Checks for structure members +AC_MSG_CHECKING([whether utmp.h has ut_host field]) +AC_EGREP_HEADER(ut_host, utmp.h, + [AC_DEFINE(HAVE_HOST_IN_UTMP) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether utmpx.h has ut_host field]) +AC_EGREP_HEADER(ut_host, utmpx.h, + [AC_DEFINE(HAVE_HOST_IN_UTMPX) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether utmpx.h has syslen field]) +AC_EGREP_HEADER(syslen, utmpx.h, + [AC_DEFINE(HAVE_SYSLEN_IN_UTMPX) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether utmp.h has ut_pid field]) +AC_EGREP_HEADER(ut_pid, utmp.h, + [AC_DEFINE(HAVE_PID_IN_UTMP) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether utmp.h has ut_type field]) +AC_EGREP_HEADER(ut_type, utmp.h, + [AC_DEFINE(HAVE_TYPE_IN_UTMP) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether utmp.h has ut_tv field]) +AC_EGREP_HEADER(ut_tv, utmp.h, + [AC_DEFINE(HAVE_TV_IN_UTMP) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether utmp.h has ut_id field]) +AC_EGREP_HEADER(ut_id, utmp.h, + [AC_DEFINE(HAVE_ID_IN_UTMP) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether utmp.h has ut_addr field]) +AC_EGREP_HEADER(ut_addr, utmp.h, + [AC_DEFINE(HAVE_ADDR_IN_UTMP) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether utmpx.h has ut_addr field]) +AC_EGREP_HEADER(ut_addr, utmpx.h, + [AC_DEFINE(HAVE_ADDR_IN_UTMPX) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether utmp.h has ut_addr_v6 field]) +AC_EGREP_HEADER(ut_addr_v6, utmp.h, + [AC_DEFINE(HAVE_ADDR_V6_IN_UTMP) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether utmpx.h has ut_addr_v6 field]) +AC_EGREP_HEADER(ut_addr_v6, utmpx.h, + [AC_DEFINE(HAVE_ADDR_V6_IN_UTMPX) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) + +AC_MSG_CHECKING([whether struct sockaddr_storage has ss_family field]) +AC_TRY_COMPILE( + [ +#include +#include + ], + [struct sockaddr_storage s; s.ss_family = 1;], + [ + AC_DEFINE(HAVE_SS_FAMILY_IN_SS) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether struct sockaddr_storage has __ss_family field]) +AC_TRY_COMPILE( + [ +#include +#include + ], + [struct sockaddr_storage s; s.__ss_family = 1;], + [ + AC_DEFINE(HAVE___SS_FAMILY_IN_SS) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) + +AC_MSG_CHECKING([whether libc defines __progname]) +AC_TRY_LINK([], + [extern char *__progname; printf("%s", __progname);], + [ + AC_DEFINE(HAVE___PROGNAME) + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + ] +) + +# Looking for programs, paths and files +AC_ARG_WITH(rsh, + [ --with-rsh=PATH Specify path to remote shell program ], + [ + if test "x$withval" != "$no" ; then + AC_DEFINE_UNQUOTED(RSH_PATH, "$withval") + fi + ], + [ + AC_PATH_PROG(rsh_path, rsh) + ] +) + +AC_ARG_WITH(xauth, + [ --with-xauth=PATH Specify path to xauth program ], + [ + if test "x$withval" != "$xno" ; then + AC_DEFINE_UNQUOTED(XAUTH_PATH, "$withval") + fi + ], + [ + AC_PATH_PROG(xauth_path, xauth) + if test ! -z "$xauth_path" -a -x "/usr/openwin/bin/xauth" ; then + xauth_path="/usr/openwin/bin/xauth" + fi + ] +) + +if test ! -z "$xauth_path" ; then + AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path") +fi +if test ! -z "$rsh_path" ; then + AC_DEFINE_UNQUOTED(RSH_PATH, "$rsh_path") +fi + +# Check for mail directory (last resort if we cannot get it from headers) +if test ! -z "$MAIL" ; then + maildir=`dirname $MAIL` + AC_DEFINE_UNQUOTED(MAIL_DIRECTORY, "$maildir") +fi + +# Look for lastlog location +AC_ARG_WITH(lastlog, + [ --with-lastlog=FILE Location of lastlog file], + [ + if test "x$withval" = "xno" ; then + AC_DEFINE(DISABLE_LASTLOG) + else + AC_DEFINE_UNQUOTED(LASTLOG_LOCATION, "$withval") + fi + ], + [ + AC_MSG_CHECKING([location of lastlog file]) + for lastlog in /var/log/lastlog /var/adm/lastlog /usr/adm/lastlog /etc/security/lastlog ; do + if test -f $lastlog ; then + gotlastlog="file" + break + fi + if test -d $lastlog ; then + gotlastlog="dir" + break + fi + done + if test -z "$gotlastlog" ; then + AC_MSG_RESULT(not found) + nolastlog=1 + else + if test "x$gotlastlog" = "xdir" ; then + AC_MSG_RESULT(${lastlog}/) + AC_DEFINE(LASTLOG_IS_DIR) + else + AC_MSG_RESULT($lastlog) + AC_DEFINE_UNQUOTED(LASTLOG_LOCATION, "$lastlog") + fi + fi + ] +) + +if test ! -z "$nolastlog" ; then + AC_MSG_WARN([*** Disabling lastlog support *** ]) + AC_DEFINE(DISABLE_LASTLOG) +fi + +if test -z "$no_dev_ptmx" ; then + AC_CHECK_FILE("/dev/ptmx", + [ + AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX) + have_dev_ptmx=1 + ] + ) +fi +AC_CHECK_FILE("/dev/ptc", + [ + AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC) + have_dev_ptc=1 + ] +) + +# Options from here on. Some of these are preset by platform above + +# Check for user-specified random device, otherwise check /dev/urandom +AC_ARG_WITH(random, + [ --with-random=FILE read randomness from FILE (default=/dev/urandom)], + [ + if test "x$withval" != "xno" ; then + RANDOM_POOL="$withval"; + AC_DEFINE_UNQUOTED(RANDOM_POOL, "$RANDOM_POOL") + fi + ], + [ + # Check for random device + AC_CHECK_FILE("/dev/urandom", + [ + RANDOM_POOL="/dev/urandom"; + AC_SUBST(RANDOM_POOL) + AC_DEFINE_UNQUOTED(RANDOM_POOL, "$RANDOM_POOL") + ] + ) + ] +) + +# Check for EGD pool file +AC_ARG_WITH(egd-pool, + [ --with-egd-pool=FILE read randomness from EGD pool FILE (default none)], + [ + if test "x$withval" != "xno" ; then + EGD_SOCKET="$withval"; + AC_DEFINE_UNQUOTED(EGD_SOCKET, "$EGD_SOCKET") + fi + ] +) + +# detect pathnames for entropy gathering commands, if we need them +INSTALL_SSH_PRNG_CMDS="" +rm -f prng_commands +if test -z "$RANDOM_POOL" -a -z "$EGD_SOCKET" ; then + # Use these commands to collect entropy + AC_PATH_ENTROPY_PROG(PROG_LS, ls) + AC_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat) + AC_PATH_ENTROPY_PROG(PROG_ARP, arp) + AC_PATH_ENTROPY_PROG(PROG_IFCONFIG, ifconfig) + AC_PATH_ENTROPY_PROG(PROG_PS, ps) + AC_PATH_ENTROPY_PROG(PROG_W, w) + AC_PATH_ENTROPY_PROG(PROG_WHO, who) + AC_PATH_ENTROPY_PROG(PROG_LAST, last) + AC_PATH_ENTROPY_PROG(PROG_LASTLOG, lastlog) + AC_PATH_ENTROPY_PROG(PROG_DF, df) + AC_PATH_ENTROPY_PROG(PROG_VMSTAT, vmstat) + AC_PATH_ENTROPY_PROG(PROG_UPTIME, uptime) + AC_PATH_ENTROPY_PROG(PROG_IPCS, ipcs) + AC_PATH_ENTROPY_PROG(PROG_TAIL, tail) + AC_PATH_ENTROPY_PROG(PROG_LS, ls) + + INSTALL_SSH_PRNG_CMDS="yes" +fi +AC_SUBST(INSTALL_SSH_PRNG_CMDS) + + +AC_ARG_WITH(catman, + [ --with-catman=man|cat Install preformatted manpages[no]], + [ + MANTYPE='$(CATMAN)' + if test x"$withval" != x"yes" ; then + mansubdir=$withval + else + mansubdir=cat + fi + ], [ + if test -z "$MANTYPE" ; then + MANTYPE='$(TROFFMAN)' + mansubdir=man + fi + ] +) +AC_SUBST(MANTYPE) +AC_SUBST(mansubdir) + +# Check whether user wants Kerberos support +AC_ARG_WITH(kerberos4, + [ --with-kerberos4=PATH Enable Kerberos 4 support], + [ + if test "x$withval" != "xno" ; then + + if test "x$withval" != "$xyes" ; then + CFLAGS="$CFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R${withval}/lib" + fi + if test ! -z "$blibpath" ; then + blibpath="$blibpath:${withval}/lib" + fi + else + if test -d /usr/include/kerberosIV ; then + CFLAGS="$CFLAGS -I/usr/include/kerberosIV" + fi + fi + + AC_CHECK_HEADERS(krb.h) + AC_CHECK_LIB(krb, main) + if test "$ac_cv_header_krb_h" != yes; then + AC_MSG_WARN([Cannot find krb.h, build may fail]) + fi + if test "$ac_cv_lib_krb_main" != yes; then + AC_MSG_WARN([Cannot find libkrb, build may fail]) + fi + + KLIBS="-lkrb -ldes" + AC_CHECK_LIB(resolv, dn_expand, , ) + KRB4=yes + AC_DEFINE(KRB4) + fi + ] +) + +# Check whether user wants AFS support +AC_ARG_WITH(afs, + [ --with-afs=PATH Enable AFS support], + [ + if test "x$withval" != "xno" ; then + + if test "x$withval" != "$xyes" ; then + CFLAGS="$CFLAGS -I${withval}/include" + LFLAGS="$LFLAGS -L${withval}/lib" + fi + + if test -z "$KRB4" ; then + AC_MSG_WARN([AFS requires Kerberos IV support, build may fail]) + fi + + LIBS="$LIBS -lkafs" + if test ! -z "$AFS_LIBS" ; then + LIBS="$LIBS $AFS_LIBS" + fi + AC_DEFINE(AFS) + fi + ] +) +LIBS="$LIBS $KLIBS" + +# Check whether user wants S/Key support +AC_ARG_WITH(skey, + [ --with-skey Enable S/Key support], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE(SKEY) + LIBS="$LIBS -lskey" + fi + ] +) + +# Check whether user wants TCP wrappers support +AC_ARG_WITH(tcp-wrappers, + [ --with-tcp-wrappers Enable tcpwrappers support], + [ + if test "x$withval" != "xno" ; then + saved_LIBS="$LIBS" + LIBS="$LIBS -lwrap" + AC_MSG_CHECKING(for libwrap) + AC_TRY_LINK( + [ +#include + int deny_severity = 0, allow_severity = 0; + ], + [hosts_access(0);], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(LIBWRAP) + ], + [ + AC_MSG_RESULT(no) + AC_MSG_WARN([*** libwrap missing - tcpwrapper support disabled ***]) + LIBS="$saved_LIBS" + ] + ) + fi + ] +) + +# Check whether to enable MD5 passwords +AC_ARG_WITH(md5-passwords, + [ --with-md5-passwords Enable use of MD5 passwords], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE(HAVE_MD5_PASSWORDS) + fi + ] +) + +# Check whether to enable utmpx support +AC_ARG_WITH(utmpx, + [ --with-utmpx Enable utmpx support], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE(USE_UTMPX) + fi + ] +) + +# Whether to disable shadow password support +AC_ARG_WITH(shadow, + [ --without-shadow Disable shadow password support], + [ + if test "x$withval" = "xno" ; then + AC_DEFINE(DISABLE_SHADOW) + fi + ] +) + +# Use ip address instead of hostname in $DISPLAY +AC_ARG_WITH(ipaddr-display, + [ --with-ipaddr-display Use ip address instead of hostname in \$DISPLAY], + [ + if test "x$withval" = "xno" ; then + AC_DEFINE(IPADDR_IN_DISPLAY) + fi + ] +) + +# Whether to mess with the default path +AC_ARG_WITH(default-path, + [ --with-default-path=PATH Specify default \$PATH environment for server], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE_UNQUOTED(USER_PATH, "$withval") + fi + ] +) + +# Whether to force IPv4 by default (needed on broken glibc Linux) +AC_ARG_WITH(ipv4-default, + [ --with-ipv4-default Use IPv4 by connections unless '-6' specified], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE(IPV4_DEFAULT) + fi + ] +) + +AC_MSG_CHECKING([to convert IPv4 in IPv6-mapped addresses]) +AC_ARG_WITH(4in6, + [ --with-4in6 Check for and convert IPv4 in IPv6 mapped addresses], + [ + if test "x$withval" != "xno" ; then + AC_MSG_RESULT(yes) + AC_DEFINE(IPV4_IN_IPV6) + else + AC_MSG_RESULT(no) + fi + ],[ + if test "x$inet6_default_4in6" = "xyes"; then + AC_MSG_RESULT([yes (default)]) + AC_DEFINE(IPV4_IN_IPV6) + else + AC_MSG_RESULT([no (default)]) + fi + ] +) + +# Where to place sshd.pid +piddir=/var/run +AC_ARG_WITH(pid-dir, + [ --with-pid-dir=PATH Specify location of ssh.pid file], + [ + if test "x$withval" != "xno" ; then + piddir=$withval + fi + ] +) + +AC_DEFINE_UNQUOTED(PIDDIR, "$piddir") +AC_SUBST(piddir) + + +# Change default command timeout for builtin PRNG +entropy_timeout=100 +AC_ARG_WITH(entropy-timeout, + [ --with-entropy-timeout Specify entropy gathering command timeout (msec)], + [ + if test "x$withval" != "xno" ; then + entropy_timeout=$withval + fi + ] +) +AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout) + + +if test ! -z "$blibpath" ; then + LDFLAGS="$LDFLAGS -blibpath:$blibpath" + AC_MSG_WARN([Please check and edit -blibpath in LDFLAGS in Makefile]) +fi + +AC_OUTPUT(Makefile ssh_prng_cmds) + + diff -ruN --exclude CVS ssh-openbsd-2000050800/contrib/README openssh-2.0.0beta2/contrib/README --- ssh-openbsd-2000050800/contrib/README Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/contrib/README Wed Mar 15 12:25:06 2000 @@ -0,0 +1,67 @@ +Other patches and addons for OpenSSH. Please send submissions to +djm@ibs.com.au + +In this directory +----------------- + +chroot.diff: + +Ricardo Cerqueira's patch to enable chrooting using the +wu-ftpd style magic home directories (containing '/./'). More details in +the head of the patch itself. + +make-ssh-known-hosts: + +Tero Kivinen's PERL script to generate +ssh_known_hosts files by trawling tjhrough the DNS. More details in the +manpage. + +ssh-copy-id: + +Phil Hands' shell script to automate the process of adding +your public key to a remote machine's ~/.ssh/authorized_keys file. + +gnome-ssh-askpass: + +A GNOME passphrase requester of my own creation. Compilation instructions +are in the top of the file. + +sshd.pam.generic: + +A generic PAM config file which may be useful on your system. YMMV + +sshd.pam.freebsd + +A PAM config file which works with FreeBSD's PAM port. Contributed by +Dominik Brettnacher + +redhat: + +RPM spec file an scripts for building Redhat packages + +suse: + +RPM spec file an scripts for building SuSE packages + + +Externally maintained +--------------------- + +liblogin: + +liblogin is Andre Lucas' cross platform login library. It handles all the +yucky details of wtmp, utmp and lastlog (which every OS vendor has +seen fit to implement differently) in one clean library. + +OpenSSH will require liblogin in the near future, but for now it is +recommended for users with login logging problems or curiosity. + +http://dspace.dial.pipex.com/andre.lucas/liblogin.html + +X11 SSH Askpass: + +Jim Knoble has written an excellent X11 +passphrase requester. This is highly recommended: + +http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html + diff -ruN --exclude CVS ssh-openbsd-2000050800/contrib/chroot.diff openssh-2.0.0beta2/contrib/chroot.diff --- ssh-openbsd-2000050800/contrib/chroot.diff Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/contrib/chroot.diff Sun Apr 16 12:50:52 2000 @@ -0,0 +1,61 @@ +From: Ricardo Cerqueira + +A patch to cause sshd to chroot when it encounters the magic token +'/./' in a users home directory. The directory portion before the +token is the directory to chroot() to, the portion after the +token is the user's home directory relative to the new root. + +Index: session.c +=================================================================== +RCS file: /var/cvs/openssh/session.c,v +retrieving revision 1.4 +diff -u -r1.4 session.c +--- session.c 2000/04/16 02:31:51 1.4 ++++ session.c 2000/04/16 02:47:55 +@@ -27,6 +27,8 @@ + #include "ssh2.h" + #include "auth.h" + ++#define CHROOT ++ + /* types */ + + #define TTYSZ 64 +@@ -783,6 +785,10 @@ + extern char **environ; + struct stat st; + char *argv[10]; ++#ifdef CHROOT ++ char *user_dir; ++ char *new_root; ++#endif /* CHROOT */ + + #ifndef USE_PAM /* pam_nologin handles this */ + f = fopen("/etc/nologin", "r"); +@@ -799,6 +805,26 @@ + /* Set login name in the kernel. */ + if (setlogin(pw->pw_name) < 0) + error("setlogin failed: %s", strerror(errno)); ++ ++#ifdef CHROOT ++ user_dir = xstrdup(pw->pw_dir); ++ new_root = user_dir + 1; ++ ++ while((new_root = strchr(new_root, '.')) != NULL) { ++ new_root--; ++ if(strncmp(new_root, "/./", 3) == 0) { ++ *new_root = '\0'; ++ new_root += 2; ++ ++ if(chroot(user_dir) != 0) ++ fatal("Couldn't chroot to user directory %s", user_dir); ++ ++ pw->pw_dir = new_root; ++ break; ++ } ++ new_root += 2; ++ } ++#endif /* CHROOT */ + + /* Set uid, gid, and groups. */ + /* Login(1) does this as well, and it needs uid 0 for the "-h" diff -ruN --exclude CVS ssh-openbsd-2000050800/contrib/gnome-ssh-askpass.c openssh-2.0.0beta2/contrib/gnome-ssh-askpass.c --- ssh-openbsd-2000050800/contrib/gnome-ssh-askpass.c Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/contrib/gnome-ssh-askpass.c Wed Mar 15 12:13:03 2000 @@ -0,0 +1,134 @@ +/* + Compile with: + + cc `gnome-config --cflags gnome gnomeui` \ + gnome-ssh-askpass.c -o gnome-ssh-askpass \ + `gnome-config --libs gnome gnomeui` + +*/ + +/* +** +** GNOME ssh passphrase requestor +** +** Damien Miller +** +** Copyright 1999 Internet Business Solutions +** +** Permission is hereby granted, free of charge, to any person +** obtaining a copy of this software and associated documentation +** files (the "Software"), to deal in the Software without +** restriction, including without limitation the rights to use, copy, +** modify, merge, publish, distribute, sublicense, and/or sell copies +** of the Software, and to permit persons to whom the Software is +** furnished to do so, subject to the following conditions: +** +** The above copyright notice and this permission notice shall be +** included in all copies or substantial portions of the Software. +** +** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY +** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE +** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE +** AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER OR INTERNET +** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE +** OR OTHER DEALINGS IN THE SOFTWARE. +** +** Except as contained in this notice, the name of Internet Business +** Solutions shall not be used in advertising or otherwise to promote +** the sale, use or other dealings in this Software without prior +** written authorization from Internet Business Solutions. +** +*/ + +#include +#include +#include +#include +#include +#include + +int passphrase_dialog(char **passphrase_p, char *message) +{ + char *passphrase; + int result; + + GtkWidget *dialog, *entry, *label; + + dialog = gnome_dialog_new("OpenSSH", GNOME_STOCK_BUTTON_OK, + GNOME_STOCK_BUTTON_CANCEL, NULL); + + label = gtk_label_new(message); + gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), label, FALSE, + FALSE, 0); + + entry = gtk_entry_new(); + gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE, + FALSE, 0); + gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); + gtk_widget_grab_focus(entry); + + /* Center window and prepare for grab */ + gtk_object_set(GTK_OBJECT(dialog), "type", GTK_WINDOW_POPUP, NULL); + gnome_dialog_set_default(GNOME_DIALOG(dialog), 0); + gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER); + gtk_window_set_policy(GTK_WINDOW(dialog), FALSE, FALSE, TRUE); + gnome_dialog_close_hides(GNOME_DIALOG(dialog), TRUE); + gtk_container_set_border_width(GTK_CONTAINER(GNOME_DIALOG(dialog)->vbox), GNOME_PAD); + gtk_widget_show_all(dialog); + + /* Grab focus */ + XGrabServer(GDK_DISPLAY()); + gdk_pointer_grab(dialog->window, TRUE, 0, NULL, NULL, GDK_CURRENT_TIME); + gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME); + + /* Make close dialog */ + gnome_dialog_editable_enters(GNOME_DIALOG(dialog), GTK_EDITABLE(entry)); + + /* Run dialog */ + result = gnome_dialog_run(GNOME_DIALOG(dialog)); + + /* Ungrab */ + XUngrabServer(GDK_DISPLAY()); + gdk_pointer_ungrab(GDK_CURRENT_TIME); + gdk_keyboard_ungrab(GDK_CURRENT_TIME); + gdk_flush(); + + passphrase = gtk_entry_get_text(GTK_ENTRY(entry)); + + /* Take copy of passphrase if user selected OK */ + if (result == 0) + *passphrase_p = strdup(passphrase); + else + *passphrase_p = NULL; + + /* Zero existing passphrase */ + memset(passphrase, '\0', strlen(passphrase)); + gtk_entry_set_text(GTK_ENTRY(entry), passphrase); + + gnome_dialog_close(GNOME_DIALOG(dialog)); + + return (result == 0); +} + +int main(int argc, char **argv) +{ + char *passphrase; + char *message; + + gnome_init("GNOME ssh-askpass", "0.1", argc, argv); + + if (argc == 2) + message = argv[1]; + else + message = "Enter your OpenSSH passphrase:"; + + if (passphrase_dialog(&passphrase, message)) + { + puts(passphrase); + memset(passphrase, '\0', strlen(passphrase)); + } + + return 0; +} diff -ruN --exclude CVS ssh-openbsd-2000050800/contrib/make-ssh-known-hosts.1 openssh-2.0.0beta2/contrib/make-ssh-known-hosts.1 --- ssh-openbsd-2000050800/contrib/make-ssh-known-hosts.1 Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/contrib/make-ssh-known-hosts.1 Wed Mar 15 12:13:03 2000 @@ -0,0 +1,432 @@ +.\" -*- nroff -*- +.\" ---------------------------------------------------------------------- +.\" make-ssh-known-hosts.1 -- Make ssh-known-hosts file +.\" Copyright (c) 1995 Tero Kivinen +.\" All Rights Reserved. +.\" +.\" Make-ssh-known-hosts is distributed in the hope that it will be +.\" useful, but WITHOUT ANY WARRANTY. No author or distributor accepts +.\" responsibility to anyone for the consequences of using it or for +.\" whether it serves any particular purpose or works at all, unless he +.\" says so in writing. Refer to the General Public License for full +.\" details. +.\" +.\" Everyone is granted permission to copy, modify and redistribute +.\" make-ssh-known-hosts, but only under the conditions described in +.\" the General Public License. A copy of this license is supposed to +.\" have been given to you along with make-ssh-known-hosts so you can +.\" know your rights and responsibilities. It should be in a file named +.\" COPYING. Among other things, the copyright notice and this notice +.\" must be preserved on all copies. +.\" ---------------------------------------------------------------------- +.\" Program: make-ssh-known-hosts.1 +.\" $Source: /var/cvs/openssh/contrib/make-ssh-known-hosts.1,v $ +.\" Author : $Author: damien $ +.\" +.\" (C) Tero Kivinen 1995 +.\" +.\" Creation : 03:51 Jun 28 1995 kivinen +.\" Last Modification : 03:44 Jun 28 1995 kivinen +.\" Last check in : $Date: 2000/03/15 01:13:03 $ +.\" Revision number : $Revision: 1.1 $ +.\" State : $State: Exp $ +.\" Version : 1.1 +.\" +.\" Description : Manual page for make-ssh-known-hosts.pl +.\" +.\" $Log: make-ssh-known-hosts.1,v $ +.\" Revision 1.1 2000/03/15 01:13:03 damien +.\" - Created contrib/ subdirectory. Included helpers from Phil Hands' +.\" Debian package, README file and chroot patch from Ricardo Cerqueira +.\" +.\" - Moved gnome-ssh-askpass.c to contrib directory and reomved config +.\" option. +.\" - Slight cleanup to doc files +.\" +.\" Revision 1.4 1998/07/08 00:40:14 kivinen +.\" Changed to do similar commercial #ifdef processing than other +.\" files. +.\" +.\" Revision 1.3 1998/06/11 00:07:21 kivinen +.\" Fixed comment characters. +.\" +.\" Revision 1.2 1997/04/27 21:48:28 kivinen +.\" Added F-SECURE stuff. +.\" +.\" Revision 1.1.1.1 1996/02/18 21:38:13 ylo +.\" Imported ssh-1.2.13. +.\" +.\" Revision 1.5 1995/10/02 01:23:23 ylo +.\" Make substitutions by configure. +.\" +.\" Revision 1.4 1995/08/31 09:21:35 ylo +.\" Minor cleanup. +.\" +.\" Revision 1.3 1995/08/29 22:37:10 ylo +.\" Minor cleanup. +.\" +.\" Revision 1.2 1995/07/15 13:26:11 ylo +.\" Changes from kivinen. +.\" +.\" Revision 1.1.1.1 1995/07/12 22:41:05 ylo +.\" Imported ssh-1.0.0. +.\" +.\" +.\" +.\" If you have any useful modifications or extensions please send them to +.\" Tero.Kivinen@hut.fi +.\" +.\" +.\" +.\" +.\" +.\" #ifndef F_SECURE_COMMERCIAL +.TH MAKE-SSH-KNOWN-HOSTS 1 "November 8, 1995" "SSH TOOLS" "SSH TOOLS" +.\" #endif F_SECURE_COMMERCIAL +.SH NAME +make-ssh-known-hosts \- make ssh_known_hosts file from DNS data +.SH SYNOPSIS +.na +.TP +.B make-ssh-known-hosts +.RB "[\|" "\-\-initialdns "\c +.I initial_dns\c +\|] +.br +.RB "[\|" "\-\-server "\c +.I domain_name_server\c +\|] +.br +.RB "[\|" "\-\-subdomains "\c +.I comma_separated_list_of_subdomains\c +\|] +.br +.RB "[\|" "\-\-debug "\c +.I debug_level\c +\|] +.br +.RB "[\|" "\-\-timeout "\c +.I ssh_exec_timeout\c +\|] +.br +.RB "[\|" "\-\-pingtimeout "\c +.I ping_timeout\c +\|] +.br +.RB "[\|" "\-\-passwordtimeout "\c +.I timeout_when_asking_password\c +\|] +.br +.RB "[\|" "\-\-notrustdaemon" "\|]" +.br +.RB "[\|" "\-\-norecursive" "\|]" +.br +.RB "[\|" "\-\-domainnamesplit" "\|]" +.br +.RB "[\|" "\-\-silent" "\|]" +.br +.RB "[\|" "\-\-keyscan" "\|]" +.br +.RB "[\|" "\-\-nslookup "\c +.I path_to_nslookup_program\c +\|] +.br +.RB "[\|" "\-\-ssh "\c +.I path_to_ssh_program\c +\|] +.br +.IR "domain_name " "[\|" "take_regexp " "[\|" "remove_regexp"\|]\|]" + +.SH DESCRIPTION +.LP +.B make-ssh-known-hosts +is a perl5 script that helps create the +.I /etc/ssh_known_hosts +file, which is used by +.B ssh +to contain the host keys of all publicly known hosts. +.B Ssh +does not normally permit login using rhosts or /etc/hosts.equiv +authentication unless the server knows the client's host key. In +addition, the host keys are used to prevent man-in-the-middle attacks. +.LP +In addition to +.IR /etc/ssh_known_hosts ", +.B ssh +also uses the +.I $HOME/.ssh/known_hosts +file. This file, however, is intended to contain only those hosts +that the particular user needs but are not in the global file. It is +intended that the +.I /etc/ssh_known_hosts +file be maintained by the system administration, and periodically +updated to contain the host keys for any new hosts. +.LP +The +.B make-ssh-known-hosts +program finds all the hosts in a domain by making a DNS query to the +master domain name server of the domain. The master domain name server +is located by searching for the SOA record of the domain from the initial +domain name server (which can be specified with the +.B \-\-initialdns +option). The master domain name server can also be given directly with +the +.B \-\-server +option. +.LP +After getting the hostname list +.B make-ssh-known-hosts +tries to get the public key from every host in the domain. It first +tries to connect ssh port to check check if the host is alive, and if +so, it tries to run the command +.B cat /etc/ssh_host_key.pub +on the remote machine using +.BR ssh ". +If the command succeeds, it knows the remote machine has +.B ssh +installed properly, and it then extracts the public key from the +output, and prints the +.B /etc/ssh_known_hosts +entry for it to +.BR STDOUT ". Because +.B make-ssh-known-hosts +is usually run before +remote machines have /etc/ssh_known_hosts file you may have to use +RSA-authentication to allow access to hosts. +.LP +If the command fails for some reason, it checks if the +.B ssh +client still got the public key from the remote host in the initial dialog, +and if so, it will print a proper entry, and if +.B \-\-notrustdaemon +option is given comment it out. +.LP +.I Domain_name +is the domain name for which the file is to be generated. By default +.B make-ssh-known-hosts +extracts also all subdomains of domain. Many sites will want to +include several domains in their +.I /etc/ssh_known_hosts +file. The entries for each domain should be extracted separately by +running +.B make-ssh-known-hosts +once for each domain. The results should then be combined to create +the final file. +.LP +.I Take_regexp +is a perl regular expression that matches the hosts to be taken from the +domain. The data matched contains all the DNS records in the form "\|\c +.B fieldname=value\c +\|". The fields are separated with newline, and the perl match is made in +multiline mode and it is case insensetive. The multiline mode means +that you can use a regexp like "\|\c +.B ^wks=.*telnet.*$\c +\|" to match all hosts that have WKS (well known services) field that +contains value "telnet". +.LP +.I Remove_regexp +is similar but those hosts that match the regexp are not added (it can +be used for example to filter out PCs and Macs using the hinfo field: "\|\c +.B ^hinfo=.*(mac|pc)\c +\|"). + +.SH OPTIONS +.TP +.BI "\-\-initialdns " "initial_dns"\c +.TP +.BI "\-i " "initial_dns"\c +\&Set the initial domain name server used to query the SOA record of the +domain. + +.TP +.BI "\-\-server " "domain_name_server"\c +.TP +.BI "\-se " "domain_name_server"\c +\&Set the master domain name server of the domain. This host is used +to query the DNS list of the domain. + +.TP +.BI "\-\-subdomains " "subdomainlist"\c +.TP +.BI "\-su " "subdomainlist"\c +\&Comma separated list of subdomains that are added to hostnames. For +example, if subdomainlist is "\|\c +.I ,foo, foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c +\|" then when host foobar is added to +.B /etc/ssh_known_hosts +file it has aliases "\|\c +.I foobar, foobar.foo, foobar.foo.bar, foobar.foo.bar.zappa, foobar.foo.bar.zappa.hut.fi\c +\|". The default action is to take all subparts of the host but the +second last on a host by host basis. (The last element is usually the +country code, and something like +.I foobar.foo.bar.zappa.hut +would not make sense.) + +.TP +.BI "\-\-debug " "debug_level"\c +.TP +.BI "\-de " "debug_level"\c +\&Set the debug level. Default is 5, bigger values give more output. +Using a big value (like 999) will print lots of debugging output. + +.TP +.BI "\-\-timeout " "ssh_exec_timeout"\c +.TP +.BI "\-ti " "ssh_exec_timeout"\c +\&Timeout when executing +.B ssh +command. The default is 60 seconds. + +.TP +.BI "\-\-pingtimeout " "ping_timeout"\c +.TP +.BI "\-pi " "ping_timeout"\c +\&Timeout when trying to ping the ssh port. The default is 3 seconds. + +.TP +.BI "\-\-passwordtimeout " "timeout_when_asking_password"\c +.TP +.BI "\-pa " "timeout_when_asking_password"\c +\&Timeout when asking password for ssh command. Default is that no +passwords are queried. Use value 0 to have no timeout for password queries. + +.TP +.BI "\-\-notrustdaemon"\c +.TP +.BI "\-notr"\c +\&If the +.B ssh +command fails, use the public key stored in the local known hosts file +and trust it is the correct key for the host. If this option is not +given such entries are commented out in the generated +.B /etc/ssh_known_hosts +file. + +.TP +.BI "\-\-norecursive"\c +.TP +.BI "\-nor"\c +\&Tell +.B make-ssh-known-hosts +that it should only extract keys for the given domain, and not to be +recursive. + +.TP +.BI "\-\-domainnamesplit"\c +.TP +.BI "\-do"\c +\&Split the domainname to get the list of subdomains. Use this option +if you don't want hostname to splitted to pieces automatically. +Default splitting is done host by host basis. If the domain is +zappa.hut.fi, and the host name is foo.bar then default action adds +entries "\|\c +.I foo, foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c +\|" and this options adds entries "\|\c +.I foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c +\|"). + +.TP +.BI "\-\-silent"\c +.TP +.BI "\-si"\c +\&Be silent. + +.TP +.BI "\-\-keyscan"\c +.TP +.BI "\-k"\c +\&Output list of all hosts in format "ipaddr1,ipaddr2,...ipaddrn +hostname.domain.co,hostname,ipaddr1,ipaddr2,all_other_hostname_entries". +The output of this can be feeded to ssh-keyscan to fetch keys. + +.TP +.BI "\-\-nslookup " "path_to_nslookup_program"\c +.TP +.BI "\-n " "path_to_nslookup_program"\c +\&Path to the +.B nslookup +program. + +.TP +.BI "\-\-ssh " "path_to_ssh_program"\c +.TP +.BI "\-ss " "path_to_ssh_program"\c +\&Path to the +.B ssh +program, including all options. + +.SH EXAMPLES +.LP +The following command: +.IP +.B example# make-ssh-known-hosts cs.hut.fi > \c +.B /etc/ssh_known_hosts +.LP +finds all public keys of the hosts in +.B cs.hut.fi +domain and put them to +.B /etc/ssh_known_hosts +file splitting domain names on a per host basis. +.LP +The command +.IP +.B example% make-ssh-known-hosts hut.fi '^wks=.*ssh' > \c +.B hut-hosts +.LP +finds all hosts in +.B hut.fi +domain, and its subdomains having own name server (cs.hut.fi, +tf.hut.fi, tky.hut.fi) that have ssh service and puts their public key +to hut-hosts file. This would require that the domain name server of +hut.fi would define all hosts running ssh to have entry ssh in their +WKS record. Because nobody yet adds ssh to WKS, it would be better to +use command +.IP +.B example% make-ssh-known-hosts hut.fi '^wks=.*telnet' > \c +.B hut-hosts +.LP +that would take those host having telnet service. This uses default +subdomain list. + +.LP +The command: +.IP +.B example% make-ssh-known-hosts hut.fi 'dipoli.hut.fi' '^hinfo=.*(mac|pc)' > \c +.B dipoli-hosts +.LP +finds all hosts in hut.fi domain that are in dipoli.hut.fi subdomain +(note dipoli.hut.fi does not have own name server so its entries are +in hut.fi-server) and that are not Mac or PC. + +.SH FILES +.ta 3i +/etc/ssh_known_hosts Global host public key list + +.SH "SEE ALSO" +.BR ssh (1), +.BR sshd (8), +.BR ssh-keygen (1), +.BR ping (8), +.BR nslookup (8), +.BR perl (1), +.BR perlre (1) + +.SH AUTHOR +Tero Kivinen + +.SH COPYING +.LP +Permission is granted to make and distribute verbatim copies of +this manual provided the copyright notice and this permission notice +are preserved on all copies. +.LP +Permission is granted to copy and distribute modified versions of this +manual under the conditions for verbatim copying, provided that the +entire resulting derived work is distributed under the terms of a +permission notice identical to this one. +.LP +Permission is granted to copy and distribute translations of this +manual into another language, under the above conditions for modified +versions, except that this permission notice may be included in +translations approved by the the author instead of in the original +English. diff -ruN --exclude CVS ssh-openbsd-2000050800/contrib/make-ssh-known-hosts.pl openssh-2.0.0beta2/contrib/make-ssh-known-hosts.pl --- ssh-openbsd-2000050800/contrib/make-ssh-known-hosts.pl Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/contrib/make-ssh-known-hosts.pl Wed Mar 15 12:13:03 2000 @@ -0,0 +1,737 @@ +#!/usr/bin/perl -w +# -*- perl -*- +###################################################################### +# make-ssh-known-hosts.pl -- Make ssh-known-hosts file +# Copyright (c) 1995 Tero Kivinen +# All Rights Reserved. +# +# Make-ssh-known-hosts is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY. No author or distributor accepts +# responsibility to anyone for the consequences of using it or for +# whether it serves any particular purpose or works at all, unless he +# says so in writing. Refer to the GNU General Public License for full +# details. +# +# Everyone is granted permission to copy, modify and redistribute +# make-ssh-known-hosts, but only under the conditions described in +# the GNU General Public License. A copy of this license is supposed to +# have been given to you along with make-ssh-known-hosts so you can +# know your rights and responsibilities. It should be in a file named +# gnu-COPYING-GPL. Among other things, the copyright notice and this notice +# must be preserved on all copies. +###################################################################### +# Program: make-ssh-known-hosts.pl +# $Source: /var/cvs/openssh/contrib/make-ssh-known-hosts.pl,v $ +# Author : $Author: damien $ +# +# (C) Tero Kivinen 1995 +# +# Creation : 19:52 Jun 27 1995 kivinen +# Last Modification : 00:07 Jul 8 1998 kivinen +# Last check in : $Date: 2000/03/15 01:13:03 $ +# Revision number : $Revision: 1.1 $ +# State : $State: Exp $ +# Version : 1.343 +# Edit time : 242 min +# +# Description : Make ssh-known-host file from dns data. +# +# $Log: make-ssh-known-hosts.pl,v $ +# Revision 1.1 2000/03/15 01:13:03 damien +# - Created contrib/ subdirectory. Included helpers from Phil Hands' +# Debian package, README file and chroot patch from Ricardo Cerqueira +# +# - Moved gnome-ssh-askpass.c to contrib directory and reomved config +# option. +# - Slight cleanup to doc files +# +# Revision 1.6 1998/07/08 00:44:23 kivinen +# Fixed to understand bind 8 nslookup output. +# +# Revision 1.5 1998/04/30 01:53:33 kivinen +# Moved kill before close and added sending SIGINT first and +# then 1 second sleep before sending SIGKILL. +# +# Revision 1.4 1998/04/17 00:39:19 kivinen +# Changed to close ssh program filedescriptor before killing it. +# Removed ^ from the password matching prompt. +# +# Revision 1.3 1997/04/17 04:21:27 kivinen +# Changed to use 3des by default. +# +# Revision 1.2 1997/03/26 07:14:01 kivinen +# Added EWOULDBLOCK. +# +# Revision 1.1.1.1 1996/02/18 21:38:10 ylo +# Imported ssh-1.2.13. +# +# Revision 1.4 1995/10/02 01:23:45 ylo +# Ping packet size fixes from Kivinen. +# +# Revision 1.3 1995/08/29 22:37:39 ylo +# Now uses GlobalKnownHostsFile and UserKnownHostsFile. +# +# Revision 1.2 1995/07/15 13:26:37 ylo +# Changes from kivinen. +# +# Revision 1.1.1.1 1995/07/12 22:41:05 ylo +# Imported ssh-1.0.0. +# +# +# +# If you have any useful modifications or extensions please send them to +# Tero.Kivinen@hut.fi +# +###################################################################### +# initialization + +require 5.000; +use Getopt::Long; +use FileHandle; +use POSIX; +use Socket; +use Fcntl; + +$version = ' $Id: make-ssh-known-hosts.pl,v 1.1 2000/03/15 01:13:03 damien Exp $ '; + +$command_line = "$0 "; +foreach $a (@ARGV) { + $command_line .= $a . " "; +} +STDERR->autoflush(1); + +###################################################################### +# default values for options + +$debug = 5; +$defserver = ''; +$bell='\a'; +$public_key = '/etc/ssh_host_key.pub'; +$private_ssh_known_hosts = "/tmp/ssh_known_hosts$$"; +$timeout = 60; +$ping_timeout = 3; +$passwordtimeout = undef; +$trustdaemon = 1; +$domainnamesplit = 0; +$recursive = 1; + +###################################################################### +# Programs and their options + +$nslookup = "nslookup"; + +$ssh="ssh -a -c 3des -x -o 'ConnectionAttempts 1' -o 'FallBackToRsh no' -o 'GlobalKnownHostsFile /dev/null' -o 'KeepAlive yes' -o 'StrictHostKeyChecking no' -o 'UserKnownHostsFile $private_ssh_known_hosts'"; +$sshdisablepasswordoption="-o 'BatchMode yes' -o 'PasswordAuthentication no'"; + +###################################################################### +# Cleanup and initialization + +unlink($private_ssh_known_hosts); +$sockaddr = 'S n a4 x8'; +($junk, $junk, $sshport) = getservbyname("ssh", "tcp"); +if (!defined($sshport)) { + $sshport = 22; +} +($tcpprotoname, $junk, $tcpproto) = getprotobyname('tcp'); +defined($tcpprotoname) || die "getprotobyname : $!"; + +###################################################################### +# Parse options + +GetOptions("initialdns=s", "server=s", "subdomains=s", + "debug=i", "timeout=i", "passwordtimeout=i", + "trustdaemon!", "domainnamesplit", "silent", + "nslookup=s", "pingtimeout=i", "recursive!", + "keyscan", + "ssh=s") + || die "Getopt : $!"; + +if (defined($opt_initialdns)) { $defserver = $opt_initialdns; } + +if (defined($opt_server)) { $server = $opt_server; } + +if (defined($opt_subdomains)) { @subdomains = split(/,/, $opt_subdomains); } + +if (defined($opt_debug)) { $debug = $opt_debug; } + +if (defined($opt_timeout)) { $timeout = $opt_timeout; } + +if (defined($opt_pingtimeout)) { $ping_timeout = $opt_pingtimeout; } + +if (defined($opt_passwordtimeout)) { + $passwordtimeout = $opt_passwordtimeout; + $sshdisablepasswordoption = ''; +} + +if (defined($opt_trustdaemon)) { $trustdaemon = $opt_trustdaemon; } + +if (defined($opt_recursive)) { $recursive = $opt_recursive; } + +if (defined($opt_domainnamesplit)) { $domainnamesplit = $opt_domainnamesplit; } + +if (defined($opt_silent)) { $bell = ''; } + +if (defined($opt_nslookup)) { $nslookup = $opt_nslookup; } + +if (defined($opt_ssh)) { $ssh = $opt_ssh; } else { + $ssh = "$ssh $sshdisablepasswordoption"; +} + +if ($#ARGV == 0) { + $domain = "\L$ARGV[0]\E"; + $grep_yes = '.*'; + $grep_no = '^$'; +} elsif ($#ARGV == 1) { + $domain = "\L$ARGV[0]\E"; + $grep_yes = $ARGV[1]; + $grep_no = '^$'; +} elsif ($#ARGV == 2) { + $domain = "\L$ARGV[0]\E"; + $grep_yes = $ARGV[1]; + $grep_no = $ARGV[2]; +} else { + print(STDERR "$0 [--initialdns initial_dns_server] [--server dns_server] [--subdomains sub.sub.domain,sub.sub,sub,] [--debug debug_level] [--timeout ssh_exec_timeout_in_secs] [--pingtimeout ping_timeout_in_secs] [--passwordtimeout timeout_for_password_in_secs] [--notrustdaemon] [--norecursive] [--domainnamesplit] [--silent] [--keyscan] [--nslookup path_to_nslookup] [--ssh path_to_ssh] full.domain [ host_info_take_regexp [ host_info_remove_regex ]]\n"); + exit(1); +} + +###################################################################### +# Check that ssh program exists + +if (system("$ssh > /dev/null 2>&1 ") != 256) { + print(STDERR "Error: Could not run ssh program ($ssh): $!\nError: Try giving the path to it with --ssh option\n"); + exit(1); +} + +###################################################################### +# Generate subdomains list + +if (!$domainnamesplit) { + debug(6, "Auto splitting host entries"); +} elsif (!defined(@subdomains)) { + debug(6, "Generating subdomain list"); + + # split domain to pieces + @domain_pieces = split(/\./, $domain); + + # add empty domain part + push(@subdomains, ''); + + # add rest parts, except the one before full domain name + $entry=''; + for(; $#domain_pieces > 1; ) { + $entry .= "." . shift(@domain_pieces); + push(@subdomains, $entry); + } + + # add full domain name + push(@subdomains, ".$domain"); + debug(5, "Subdomain list: " . join(',', @subdomains)); +} else { + debug(5, "Using given subdomain list:" . join(',', @subdomains)); +} + +###################################################################### +# finding SOA entry for domain + +@other_servers = (); +if (!defined($server)) { + debug(6, "Finding DNS database SOA entry"); + + ($server, @other_servers) = find_soa($domain, $defserver); + + if (!defined($server)) { + print(STDERR "Error: Could not find DNS SOA entry from default dns server\nError: Try giving the initial nameserver with --initialdns option\n"); + exit(1); + } else { + debug(5, "DNS server found : $server"); + } +} else { + debug(5, "Using given DNS server : $server"); +} + +###################################################################### +# Print header + +($name, $junk, $junk, $junk, $junk, $junk, $gecos) = getpwuid($<); +$gecos =~ s/,.*$//g; + +if (!defined($opt_keyscan)) { + print(STDOUT "# This file is generated with make-ssh-known-hosts.pl\n"); + print(STDOUT "#$version\n"); + print(STDOUT "# with command line :\n"); + print(STDOUT "# $command_line\n"); + print(STDOUT "#\n"); + print(STDOUT "# The script was run by $gecos ($name) at " . localtime() . "\n"); + print(STDOUT "# using perl ($^X) version $].\n"); +} + +###################################################################### +# Get DNS database list from server + +do { + $domains_done{$domain} = 1; + delete $domains_waiting{$domain}; + + $hostcnt = 0; + $cnamecnt = 0; + $lines = 0; + $soa = 0; + undef %host; + undef %cname; + undef %hostdata; + + dnsagain: + debug(1, "Getting DNS database for $domain from server $server"); + open(DNS, "echo ls -d $domain | nslookup - $server 2>&1 |") || + die "Error: Could not start nslookup to make dns list : $!\nError: Try giving --nslookup option and telling the path to nslookup program\n"; + + while() { + $lines++; + chomp; + undef $hostname if/^\s*$/; + if (/^\s{0,1}([a-zA-Z0-9-]\S*)/) { + $hostname = "\L$1\E"; + } + next unless defined $hostname; + if (/^.*\s(SOA)\s+(.*)\s*$/ || $hostname eq "SOA") { + undef $soa if(/^.*\s(SOA)\s+(.*)\s*$/); + $data = $_ if ($hostname eq "SOA"); + $data = $2 unless $hostname eq "SOA"; + $data =~ s/\s*;.*$//; + $data =~ s/^\s+//; + if( defined $soa ) { + $soa .= " \L$data\E"; + } else { + $soa = "\L$data\E"; + } + $hostname = "SOA"; + } elsif (/^.*\s(A|CNAME|NS)\s+(.*)\s*$/) { + $host = $hostname; + $field = "\L$1\E"; + $data = "\L$2\E"; + debug(70, "Line = /$host/$field/$data/"); + if ($host !~ /\.$/) { + $host .= ".$domain"; + } else { + $host =~ s/\.$//g; + } + if ($field eq "a") { + if ($host =~ /$domain$/) { + if (defined($host{$host})) { + $host{$host} .= ",$data"; + } else { + $host{$host} = "$data"; + $hostcnt++; + } + debug(30, "$host A == $host{$host}"); + } + } elsif ($field eq "cname") { + if ($data !~ /\.$/ && ! /^\s/ ) { + $data .= ".$domain"; + } else { + $data =~ s/\.$//g; + } + if ($host =~ /$domain$/) { + if (defined($cname{$data})) { + $cname{$data} .= ",$host"; + } else { + $cname{$data} = "$host"; + $cnamecnt++; + } + debug(30, "$host CNAME $data"); + $junk = $data; + $data = $host; + $host = $junk; + } + } elsif ($field eq "ns") { + if (!defined($domains_done{$host})) { + if (!defined($domains_waiting{$host})) { + debug(10, "Adding subdomain $host to domains list, with NS $data"); + $domains_waiting{$host} = $data; + push(@domains_waiting, $host); + } else { + debug(10, "Adding NS $data for domain $host"); + $domains_waiting{$host} .= ",$data"; + } + } + } + if (!defined($hostdata{$host})) { + $hostdata{$host} = "$host\n$field=$data\n"; + } else { + $hostdata{$host} .= "$field=$data\n"; + } + } + } + close(DNS); + if ($hostcnt == 0 && $cnamecnt == 0) { + if ($#other_servers != -1) { + $server = shift(@other_servers); + goto dnsagain; + } + } + debug(1, "Found $hostcnt hosts, $cnamecnt CNAMEs (total $lines lines)"); + if (!defined($opt_keyscan)) { + print(STDOUT "#\n"); + print(STDOUT "# Domain = $domain, server = $server\n"); + print(STDOUT "# Found $hostcnt hosts, $cnamecnt CNAMEs (total $lines lines)\n"); + print(STDOUT "# SOA = $soa\n"); + print(STDOUT "#\n"); + } + +###################################################################### +# Loop through hosts and try to connect to hosts + + foreach $i (sort (keys %host)) { + debug(50, "Host = $i, Hostdata = $hostdata{$i}"); + if ($hostdata{$i} =~ /$grep_yes/im && + $hostdata{$i} !~ /$grep_no/im && + $i !~ /^localhost\./ && + $host{$i} !~ /^127.0.0.1$|^127.0.0.1,|,127.0.0.1$|,127.0.0.1,/) { + debug(2, "Trying host $i"); + + @hostnames = (); + if (defined($cname{$i})) { + expand($i, \@hostnames, \@subdomains); + foreach $j (split(/,/, $cname{$i})) { + expand($j, \@hostnames, \@subdomains); + } + } else { + expand($i, \@hostnames, \@subdomains); + } + foreach $j (split(/,/, $host{$i})) { + push(@hostnames, $j); + } + $hostnames = join(',', (@hostnames)); + + if (defined($opt_keyscan)) { + printf(STDOUT "$host{$i}\t$hostnames\n"); + } elsif (try_ping($i, $host{$i})) { + $trusted = 1; + $err = 'Timeout expired'; + $ssh_key = try_ssh("$i"); + if (!defined($ssh_key)) { + $ssh_key = find_host_from_known_hosts($i); + $trusted = 0; + } + if (defined($ssh_key)) { + if ($trusted) { + debug(2, "Ssh to $i succeded"); + } else { + debug(2, "Ssh to $i failed, using local known_hosts entry"); + } + debug(4, "adding entries : $hostnames"); + $ssh_key =~ s/root@//i; + if (!$trusted && !$trustdaemon) { + print(STDOUT "# $hostnames $ssh_key\n"); + } else { + print(STDOUT "$hostnames $ssh_key\n"); + } + } else { + debug(2, "ssh failed : $err"); + } + } else { + debug(2, "ping failed"); + } + } else { + debug(10, "Skipped host $i"); + } + } + again: + $domain = shift(@domains_waiting); + if (defined($domain)) { + $server = $domains_waiting{$domain}; + @other_servers = split(',', $server); + $server = shift(@other_servers); + ($server, @other_servers) = find_soa($domain, $server); + if(!defined($server)) { + debug(1, "Skipping domain $domain because no DNS SOA entry found"); + $domains_done{$domain} = 1; + delete $domains_waiting{$domain}; + goto again; + } + } +} while ($recursive && defined($domain)); + +unlink($private_ssh_known_hosts); +exit (0); + +###################################################################### +# try_ping -- try to ping to host and return 1 if success +# $success = try_ping($host, $list_ip_addrs); + +sub try_ping { + my($host, $ipaddrs) = @_; + my(@ipaddrs, $ipaddr, $serv, $ip); + my($rin, $rout, $win, $wout, $nfound, $tmout, $buf, $len, $ret, $err); + + $buf = ''; + debug(51,"Trying to ping host $host"); + @ipaddrs = split(/,/, $ipaddrs); + + while ($ipaddr = shift(@ipaddrs)) { + + debug(55,"Trying ipaddr $ipaddr"); + + #initialize socket + socket(PING, PF_INET, SOCK_STREAM, $tcpproto) || + die "socket failed : $!"; + setsockopt(PING, SOL_SOCKET, SO_REUSEADDR, 1) || + die "setsockopt failed : $!"; + PING->autoflush(1); + fcntl(PING, F_SETFL, fcntl(PING, F_GETFL, 0) | POSIX::O_NONBLOCK) || + die "fcntl failed : $!"; + + $ip = pack('C4', split(/\./, $ipaddr, 4)); + $serv = pack($sockaddr, AF_INET, $sshport, $ip); + + again: + # try connect + $ret = connect(PING, $serv); + $err = $!; + if (!$ret) { + debug(60, "Connect failed : $err"); + if ($err == EINTR) { + goto again; + } + # socket not yet connected, wait for result, it will + # wake up for writing when done + $tmout = $ping_timeout; + + $rin = ''; + $win = ''; + vec($rin, fileno(PING), 1) = 1; + vec($win, fileno(PING), 1) = 1; + debug(60, "Waiting in select, rin = " . unpack('H*', $rin) . + ", win = " . unpack('H*', $win)); + ($nfound) = select($rout = $rin, $wout = $win, undef, $tmout); + $err = $!; + debug(80, "Select returned $nfound, rout = " . unpack('H*', $rout) . + ", wout = " . unpack('H*', $wout)); + if ($nfound != 0) { + # connect done, read the status with sysread + $ret = sysread(PING, $buf, 1); + $err = $!; + if (defined($ret) || $err == EAGAIN || $err == EWOULDBLOCK) { + debug(60, "Select ok, read ok ($err), returning ok"); + # connection done, return ok + shutdown(PING, 2); + close(PING); + return 1; + } else { + # connection failed, try next ipaddr + debug(60, "Select ok, read failed : $err, trying next"); + close(PING); + } + } else { + # timeout exceeded, try next ipaddr + debug(60, "Select failed : $err, trying next"); + close(PING); + } + } else { + # connect succeeded, return ok. + debug(60, "Connect ok, returning ok"); + shutdown(PING, 2); + close(PING); + return 1; + } + } + debug(60, "Returning fail"); + return 0; +} + +###################################################################### +# try_ssh -- try ssh connection to host and return ssh_key if success +# if failure return undef, and set $err string to contain error message. +# $ssh_key = try_ssh($host); + +sub try_ssh { + my($host) = @_; + my($buf, $ret, $pos, $pid, $rin, $nfound, $tmout); + + $pid = open(SSH, "$ssh $host cat $public_key 2>&1 |"); + $err = undef; + + if ($pid == 0) { + $err = "could not open ssh connection to host"; + return undef; + } + $ret = 1; + $pos = 0; + $buf = ''; + $tmout = $timeout; + debug(10, "Starting ssh select loop"); + loop: + while (1) { + + $rin = ''; + vec($rin, fileno(SSH), 1) = 1; + ($nfound, $tmout) = select($rin, undef, undef, $tmout); + + # Timeout + if ($nfound <= 0) { + debug(20, "Ssh select timed out"); + kill(2, $pid); sleep(1); kill(9, $pid); + close(SSH); + $err = "Timeout expired"; + return undef; + } + + $ret = sysread(SSH, $buf, 256, $pos); + # EOF or error + if ($ret <= 0) { + # Yes, close the pipe and return + close(SSH); + debug(20, "Ssh select closed status = $?"); + $err = "No reply from ssh"; + return undef; + } + $pos += $ret; + while ($buf =~ /^(.*)\n\r?([\000-\377]*)$/) { + $_ = $1; + $buf = $2; + $pos = length($buf); + debug(20, "Ssh select loop, line = \"$_\""); + if (/^connection.*refused/i) { + $err = "connection refused"; + } elsif (/^permission/i) { + $err = "permission denied"; + } elsif (/$public_key.*no\s+file/i) { + $err = "$public_key file not found"; + } elsif (/$public_key.*permission\s+denied/i) { + $err = "$public_key file permission denied"; + } elsif (/^\d+\s+\d+\s+\d/) { + kill(2, $pid); sleep(1); kill(9, $pid); + close(SSH); + return $_; + } + if (defined($err)) { + kill(2, $pid); sleep(1); kill(9, $pid); + close(SSH); + return undef; + } + } + if ($buf =~ /password: $/i) { + if (defined($passwordtimeout)) { + $tmout = $passwordtimeout; + print(STDERR "$bell\n\rPassword: "); + if ($tmout == 0) { + $tmout = undef; + } + } else { + $tmout = 0; + } + $buf = ''; + $pos = 0; + } + } +} + +###################################################################### +# find_hosts_from_known_hosts -- find host key from private known_hosts file +# $ssh_key = find_host_from_known_hosts($host); + +sub find_host_from_known_hosts { + my($host) = @_; + open(KNOWNHOSTS, "<$private_ssh_known_hosts") || return undef; + while() { + @_ = split(/\s+/, $_); + if ($_[0] =~ /^$host$|^$host,|,$host$/) { + shift(@_); + close(KNOWNHOSTS); + return join(' ', @_); + } + } + close(KNOWNHOSTS); + return undef; +} + +###################################################################### +# expand -- insert expanded hostnames to hostnames table +# expand($hostname, \@hostnames, \@subdomains); + +sub expand { + my($host, $hostnames, $subdomains) = @_; + my($newhost, $sub, $entry); + + if (!$domainnamesplit) { + my(@domain_pieces); + + # split domain to pieces + @domain_pieces = split(/\./, $host); + + # add rest parts, except the one before full domain name + $entry = shift(@domain_pieces); + + debug(20, "Adding autosplit entry $entry"); + push(@$hostnames, $entry); + + for(; $#domain_pieces > 1; ) { + $entry .= "." . shift(@domain_pieces); + debug(20, "Adding autosplit entry $entry"); + push(@$hostnames, $entry); + } + # add full domain name + debug(20, "Adding autosplit entry $host"); + push(@$hostnames, $host); + } else { + if ($host =~ /^(.*)$domain$/i) { + $newhost = $1; + $newhost =~ s/\.$//g; + foreach $sub (@$subdomains) { + $entry = $newhost . $sub; + $entry =~ s/^\.//g; + if ($entry ne '') { + debug(20, "Adding entry $entry"); + push(@$hostnames, $entry); + } + } + } + } +} + +###################################################################### +# Print debug text +# debug(text_debug_level, string) + +sub debug { + my($level, $str) = @_; + if ($debug > $level) { + print(STDERR "$0:debug[$level]: $str\n"); + } +} + +###################################################################### +# find_soa -- find soa entry for domain +# ($soa_origin, @other_servers) = find_soa($domain, $initial_server) + +sub find_soa { + my($domain, $initial_server) = @_; + my($field, $data, $server, @other_servers); + + open(DNS, "$nslookup -type=soa $domain $initial_server 2>&1 |") || + die "Error: Could not start nslookup to find SOA entry for $domain : $!\nError: Try giving the path to it with --nslookup option\n"; + + while () { + if (/^[^=]*origin\s*=\s*(.*)/) { + $server = $1; + debug(10, "Found origin : $1"); + } elsif (/^[^=]*nameserver\s*=\s*(.*)\s*$/) { + push(@other_servers, $1); + debug(10, "Found nameserver : $1"); + } + } + close(DNS); + return($server, @other_servers); +} + +###################################################################### +# make_perl_happy -- use some symbols, so perl doesn't complain so much +# make_perl_happy(); + +sub make_perl_happy { + if (0) { + print $opt_silent; + } +} + +1; diff -ruN --exclude CVS ssh-openbsd-2000050800/contrib/redhat/openssh.spec openssh-2.0.0beta2/contrib/redhat/openssh.spec --- ssh-openbsd-2000050800/contrib/redhat/openssh.spec Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/contrib/redhat/openssh.spec Mon May 8 00:05:32 2000 @@ -0,0 +1,249 @@ +# Version of OpenSSH +%define oversion 2.0.0beta2 + +# Version of ssh-askpass +%define aversion 1.0 + +Summary: OpenSSH free Secure Shell (SSH) implementation +Name: openssh +Version: %{oversion} +Release: 1 +Packager: Damien Miller +URL: http://www.openssh.com/ +Source0: http://violet.ibs.com.au/openssh/files/openssh-%{oversion}.tar.gz +Source1: http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz +Copyright: BSD +Group: Applications/Internet +BuildRoot: /tmp/openssh-%{version}-buildroot +Obsoletes: ssh +PreReq: openssl >= 0.9.5a +Requires: openssl >= 0.9.5a +BuildPreReq: perl +BuildPreReq: openssl-devel +BuildPreReq: tcp_wrappers +BuildPreReq: gnome-libs-devel + +%package clients +Summary: OpenSSH Secure Shell protocol clients +Requires: openssh +Group: System Environment/Daemons +Obsoletes: ssh-clients + +%package server +Summary: OpenSSH Secure Shell protocol server (sshd) +Group: System Environment/Daemons +Obsoletes: ssh-server +PreReq: openssh chkconfig >= 0.9 + +%package askpass +Summary: OpenSSH X11 passphrase dialog +Group: Applications/Internet +Requires: openssh +Obsoletes: ssh-extras + +%package askpass-gnome +Summary: OpenSSH GNOME passphrase dialog +Group: Applications/Internet +Requires: openssh +Obsoletes: ssh-extras + +%description +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package includes the core files necessary for both the OpenSSH +client and server. To make this package useful, you should also +install openssh-clients, openssh-server, or both. + +%description clients +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package includes the clients necessary to make encrypted connections +to SSH servers. + +%description server +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package contains the secure shell daemon. The sshd is the server +part of the secure shell protocol and allows ssh clients to connect to +your host. + +%description askpass +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package contains Jim Knoble's X11 passphrase +dialog. + +%description askpass-gnome +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package contains the GNOME passphrase dialog. + +%changelog +* Wed Mar 15 2000 Damien Miller +- Updated for new location +- Updated for new gnome-ssh-askpass build +* Sun Dec 26 1999 Damien Miller +- Added Jim Knoble's askpass +* Mon Nov 15 1999 Damien Miller +- Split subpackages further based on patch from jim knoble +* Sat Nov 13 1999 Damien Miller +- Added 'Obsoletes' directives +* Tue Nov 09 1999 Damien Miller +- Use make install +- Subpackages +* Mon Nov 08 1999 Damien Miller +- Added links for slogin +- Fixed perms on manpages +* Sat Oct 30 1999 Damien Miller +- Renamed init script +* Fri Oct 29 1999 Damien Miller +- Back to old binary names +* Thu Oct 28 1999 Damien Miller +- Use autoconf +- New binary names +* Wed Oct 27 1999 Damien Miller +- Initial RPMification, based on Jan "Yenya" Kasprzak's spec. + +%prep + +%setup -a 1 + +%build + +CFLAGS="$RPM_OPT_FLAGS" \ + ./configure --prefix=/usr --sysconfdir=/etc/ssh \ + --with-tcp-wrappers --with-ipv4-default + +make + +cd x11-ssh-askpass-%{aversion} +xmkmf -a +make +cd .. + +cd contrib +gcc -O -g `gnome-config --cflags gnome gnomeui` \ + gnome-ssh-askpass.c -o gnome-ssh-askpass \ + `gnome-config --libs gnome gnomeui` +cd .. + +%install +rm -rf $RPM_BUILD_ROOT +make install DESTDIR=$RPM_BUILD_ROOT/ + +install -d $RPM_BUILD_ROOT/etc/pam.d/ +install -d $RPM_BUILD_ROOT/etc/rc.d/init.d +install -d $RPM_BUILD_ROOT/usr/libexec/ssh +install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd +install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd + +install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/ssh/x11-ssh-askpass +ln -s /usr/libexec/ssh/x11-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/ssh/ssh-askpass + +install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/ssh/gnome-ssh-askpass + +%clean +rm -rf $RPM_BUILD_ROOT + +%post server +/sbin/chkconfig --add sshd +if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then + /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2 +fi +if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then + /usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N '' >&2 +fi +if test -r /var/run/sshd.pid +then + /etc/rc.d/init.d/sshd restart >&2 +fi + +%preun server +if [ "$1" = 0 ] +then + /etc/rc.d/init.d/sshd stop >&2 + /sbin/chkconfig --del sshd +fi + +%files +%defattr(-,root,root) +%doc ChangeLog OVERVIEW COPYING.Ylonen README* INSTALL +%doc CREDITS UPGRADING +%attr(0755,root,root) /usr/bin/ssh-keygen +%attr(0755,root,root) /usr/bin/scp +%attr(0644,root,root) /usr/man/man1/ssh-keygen.1 +%attr(0644,root,root) /usr/man/man1/scp.1 +%attr(0755,root,root) %dir /etc/ssh +%attr(0755,root,root) %dir /usr/libexec/ssh + +%files clients +%defattr(-,root,root) +%attr(4755,root,root) /usr/bin/ssh +%attr(0755,root,root) /usr/bin/ssh-agent +%attr(0755,root,root) /usr/bin/ssh-add +%attr(0644,root,root) /usr/man/man1/ssh.1 +%attr(0644,root,root) /usr/man/man1/ssh-agent.1 +%attr(0644,root,root) /usr/man/man1/ssh-add.1 +%attr(0644,root,root) %config(noreplace) /etc/ssh/ssh_config +%attr(-,root,root) /usr/bin/slogin +%attr(-,root,root) /usr/man/man1/slogin.1 + +%files server +%defattr(-,root,root) +%attr(0755,root,root) /usr/sbin/sshd +%attr(0644,root,root) /usr/man/man8/sshd.8 +%attr(0600,root,root) %config(noreplace) /etc/ssh/sshd_config +%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd +%attr(0755,root,root) %config /etc/rc.d/init.d/sshd + +%files askpass +%defattr(-,root,root) +%doc x11-ssh-askpass-%{aversion}/README +%doc x11-ssh-askpass-%{aversion}/ChangeLog +%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad +%attr(0755,root,root) /usr/libexec/ssh/ssh-askpass +%attr(0755,root,root) /usr/libexec/ssh/x11-ssh-askpass + +%files askpass-gnome +%defattr(-,root,root) +%attr(0755,root,root) /usr/libexec/ssh/gnome-ssh-askpass diff -ruN --exclude CVS ssh-openbsd-2000050800/contrib/redhat/sshd.init openssh-2.0.0beta2/contrib/redhat/sshd.init --- ssh-openbsd-2000050800/contrib/redhat/sshd.init Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/contrib/redhat/sshd.init Wed Mar 15 12:25:07 2000 @@ -0,0 +1,60 @@ +#!/bin/bash + +# Init file for OpenSSH server daemon +# +# chkconfig: 2345 55 25 +# description: OpenSSH server daemon +# +# processname: sshd +# config: /etc/ssh/ssh_host_key +# config: /etc/ssh/ssh_host_key.pub +# config: /etc/ssh/ssh_random_seed +# config: /etc/ssh/sshd_config +# pidfile: /var/run/sshd.pid + +# source function library +. /etc/rc.d/init.d/functions + +RETVAL=0 + +case "$1" in + start) + echo -n "Starting sshd: " + if [ ! -f /var/run/sshd.pid ] ; then + case "`type -type success`" in + function) + /usr/sbin/sshd && success "sshd startup" || failure "sshd startup" + RETVAL=$? + ;; + *) + /usr/sbin/sshd && echo -n "sshd " + RETVAL=$? + ;; + esac + [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd + fi + echo + ;; + stop) + echo -n "Shutting down sshd: " + if [ -f /var/run/sshd.pid ] ; then + killproc sshd + fi + echo + [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd + ;; + restart) + $0 stop + $0 start + RETVAL=$? + ;; + status) + status sshd + RETVAL=$? + ;; + *) + echo "Usage: sshd {start|stop|restart|status}" + exit 1 +esac + +exit $RETVAL diff -ruN --exclude CVS ssh-openbsd-2000050800/contrib/redhat/sshd.pam openssh-2.0.0beta2/contrib/redhat/sshd.pam --- ssh-openbsd-2000050800/contrib/redhat/sshd.pam Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/contrib/redhat/sshd.pam Wed Mar 15 12:25:07 2000 @@ -0,0 +1,8 @@ +#%PAM-1.0 +auth required /lib/security/pam_pwdb.so shadow nodelay +auth required /lib/security/pam_nologin.so +account required /lib/security/pam_pwdb.so +password required /lib/security/pam_cracklib.so +password required /lib/security/pam_pwdb.so shadow nullok use_authtok +session required /lib/security/pam_pwdb.so +session required /lib/security/pam_limits.so diff -ruN --exclude CVS ssh-openbsd-2000050800/contrib/ssh-copy-id openssh-2.0.0beta2/contrib/ssh-copy-id --- ssh-openbsd-2000050800/contrib/ssh-copy-id Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/contrib/ssh-copy-id Wed Mar 15 12:13:03 2000 @@ -0,0 +1,45 @@ +#!/bin/sh + +# Shell script to install your identity.pub on a remote machine +# Takes the remote machine name as an argument. +# Obviously, the remote machine must accept password authentication, +# or one of the other keys in your ssh-agent, for this to work. + +ID_FILE="${HOME}/.ssh/identity.pub" + +if [ "-i" = "$1" ]; then + shift + # check if we have 2 parameters left, if so the first is the new ID file + if [ -n "$2" ]; then + if expr "$1" : ".*\.pub" ; then + ID_FILE="$1" + else + ID_FILE="$1.pub" + fi + shift # and this should leave $1 as the target name + fi +else + if [ x$SSH_AUTH_SOCK != x ] ; then + GET_ID="$GET_ID ssh-add -L" + fi +fi + +if [ -z "`eval $GET_ID`" -a -r "${ID_FILE}" ] ; then + GET_ID="cat ${ID_FILE}" +fi + +if [ -z "`eval $GET_ID`" ]; then + echo "$0: ERROR: No identities found" + exit 1 +fi + +{ eval "$GET_ID" ; } | ssh $1 "test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys ; chmod g-w . .ssh .ssh/authorized_keys" + +cat < + +Permission is granted to make and distribute verbatim copies of +this manual provided the copyright notice and this permission notice +are preserved on all copies. + +Permission is granted to copy and distribute modified versions of this +manual under the conditions for verbatim copying, provided that the +entire resulting derived work is distributed under the terms of a +permission notice identical to this one. + +Permission is granted to copy and distribute translations of this +manual into another language, under the above conditions for modified +versions, except that this permission notice may be included in +translations approved by the Free Software Foundation instead of in +the original English. +.. +.TH SSH-COPY-ID 1 "14 November 1999" "OpenSSH" +.SH NAME +ssh-copy-id \- install your identity.pub in a remote machine's authorized_keys +.SH SYNOPSIS +.B ssh-copy-id [-i [identity_file]] +.I "[user@]machine" +.br +.SH DESCRIPTION +.BR ssh-copy-id +is a script that uses ssh to log into a remote machine (presumably +using a login password, so password authentication should be enabled, +unless you've done some clever use of multiple identities) +.PP +It also changes the permissions of the remote user's home, +.BR ~/.ssh , +and +.B ~/.ssh/authorized_keys +to remove group writability (which would otherwise prevent you from logging in, if the remote +.B sshd +has +.B StrictModes +set in its configuration). +.PP +If the +.B -i +option is given then the identity file (defaults to +.BR ~/.ssh/identity.pub ) +is used, regardless of whether there are any keys in your +.BR ssh-agent . +Otherwise, if this: +.PP +.B " ssh-add -L" +.PP +provides any output, it uses that in preference to the identity file. +.PP +If the +.B -i +option is used, or the +.B ssh-add +produced no output, then it uses the contents of the identity +file. Once it has one or more fingerprints (by whatever means) it +uses ssh to append them to +.B ~/.ssh/authorised_keys +on the remote machine (creating the file, and directory, if necessary) + +.SH "SEE ALSO" +.BR ssh (1), +.BR ssh-agent (1), +.BR sshd (8) diff -ruN --exclude CVS ssh-openbsd-2000050800/contrib/sshd.pam.freebsd openssh-2.0.0beta2/contrib/sshd.pam.freebsd --- ssh-openbsd-2000050800/contrib/sshd.pam.freebsd Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/contrib/sshd.pam.freebsd Wed Mar 15 12:25:06 2000 @@ -0,0 +1,5 @@ +sshd auth required pam_unix.so try_first_pass +sshd account required pam_unix.so +sshd password required pam_permit.so +sshd session required pam_permit.so + diff -ruN --exclude CVS ssh-openbsd-2000050800/contrib/sshd.pam.generic openssh-2.0.0beta2/contrib/sshd.pam.generic --- ssh-openbsd-2000050800/contrib/sshd.pam.generic Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/contrib/sshd.pam.generic Wed Mar 15 12:25:06 2000 @@ -0,0 +1,8 @@ +#%PAM-1.0 +auth required /lib/security/pam_unix.so shadow nodelay +auth required /lib/security/pam_nologin.so +account required /lib/security/pam_unix.so +password required /lib/security/pam_cracklib.so +password required /lib/security/pam_unix.so shadow nullok use_authtok +session required /lib/security/pam_unix.so +session required /lib/security/pam_limits.so diff -ruN --exclude CVS ssh-openbsd-2000050800/contrib/suse/openssh.spec openssh-2.0.0beta2/contrib/suse/openssh.spec --- ssh-openbsd-2000050800/contrib/suse/openssh.spec Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/contrib/suse/openssh.spec Mon May 8 00:05:32 2000 @@ -0,0 +1,259 @@ +Summary: OpenSSH, a free Secure Shell (SSH) implementation +Name: openssh +Version: 2.0.0beta2 +URL: http://www.openssh.com/ +Release: 1 +Source0: openssh-%{version}.tar.gz +Copyright: BSD +Group: Applications/Internet +BuildRoot: /tmp/openssh-%{version}-buildroot +PreReq: openssl +Obsoletes: ssh +# +# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.) +# building prerequisites -- stuff for +# OpenSSL (openssl-devel), +# TCP Wrappers (nkitb), +# and Gnome (glibdev, gtkdev, and gnlibsd) +# +BuildPrereq: openssl-devel +BuildPrereq: nkitb +BuildPrereq: glibdev +BuildPrereq: gtkdev +BuildPrereq: gnlibsd + +%package clients +Summary: OpenSSH Secure Shell protocol clients +Requires: openssh +Group: Applications/Internet +Obsoletes: ssh-clients + +%package server +Summary: OpenSSH Secure Shell protocol server (sshd) +Requires: openssh +Group: System Environment/Daemons +PreReq: openssh +Obsoletes: ssh-server + +%package askpass +Summary: OpenSSH GNOME passphrase dialog +Group: Applications/Internet +Requires: openssh +Obsoletes: ssh-extras +Obsoletes: ssh-askpass + +%description +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package includes the core files necessary for both the OpenSSH +client and server. To make this package useful, you should also +install openssh-clients, openssh-server, or both. + +%description clients +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package includes the clients necessary to make encrypted connections +to SSH servers. + +%description server +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package contains the secure shell daemon. The sshd is the server +part of the secure shell protocol and allows ssh clients to connect to +your host. + +%description askpass +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package contains the GNOME passphrase dialog. + +%changelog +* Wed Mar 15 2000 Damien Miller +- Updated for new location +- Updated for new gnome-ssh-askpass build +* Sun Dec 26 1999 Chris Saia +- Made symlink to gnome-ssh-askpass called ssh-askpass +* Wed Nov 24 1999 Chris Saia +- Removed patches that included /etc/pam.d/sshd, /sbin/init.d/rc.sshd, and + /var/adm/fillup-templates/rc.config.sshd, since Damien merged these into + his released tarfile +- Changed permissions on ssh_config in the install procedure to 644 from 600 + even though it was correct in the %files section and thus right in the RPMs +- Postinstall script for the server now only prints "Generating SSH host + key..." if we need to actually do this, in order to eliminate a confusing + message if an SSH host key is already in place +- Marked all manual pages as %doc(umentation) +* Mon Nov 22 1999 Chris Saia +- Added flag to configure daemon with TCP Wrappers support +- Added building prerequisites (works in RPM 3.0 and newer) +* Thu Nov 18 1999 Chris Saia +- Made this package correct for SuSE. +- Changed instances of pam_pwdb.so to pam_unix.so, since it works more properly + with SuSE, and lib_pwdb.so isn't installed by default. +* Mon Nov 15 1999 Damien Miller +- Split subpackages further based on patch from jim knoble +* Sat Nov 13 1999 Damien Miller +- Added 'Obsoletes' directives +* Tue Nov 09 1999 Damien Miller +- Use make install +- Subpackages +* Mon Nov 08 1999 Damien Miller +- Added links for slogin +- Fixed perms on manpages +* Sat Oct 30 1999 Damien Miller +- Renamed init script +* Fri Oct 29 1999 Damien Miller +- Back to old binary names +* Thu Oct 28 1999 Damien Miller +- Use autoconf +- New binary names +* Wed Oct 27 1999 Damien Miller +- Initial RPMification, based on Jan "Yenya" Kasprzak's spec. + +%prep + +%setup -q + +%build +CFLAGS="$RPM_OPT_FLAGS" \ +./configure --prefix=/usr --sysconfdir=/etc/ssh --with-gnome-askpass \ + --with-tcp-wrappers --with-ipv4-default +make + +cd contrib +gcc -O -g `gnome-config --cflags gnome gnomeui` \ + gnome-ssh-askpass.c -o gnome-ssh-askpass \ + `gnome-config --libs gnome gnomeui` +cd .. + +%install +rm -rf $RPM_BUILD_ROOT +make install DESTDIR=$RPM_BUILD_ROOT/ +install -d $RPM_BUILD_ROOT/etc/ssh/ +install -d $RPM_BUILD_ROOT/etc/pam.d/ +install -d $RPM_BUILD_ROOT/sbin/init.d/ +install -d $RPM_BUILD_ROOT/var/adm/fillup-templates +install -d $RPM_BUILD_ROOT/usr/libexec/ssh +install -m644 sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd +install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/sbin/init.d/sshd +ln -s ../../sbin/init.d/sshd $RPM_BUILD_ROOT/usr/sbin/rcsshd +install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/ssh/gnome-ssh-askpass +ln -s gnome-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/ssh/ssh-askpass +install -m744 contrib/suse/rc.config.sshd \ + $RPM_BUILD_ROOT/var/adm/fillup-templates + +%clean +rm -rf $RPM_BUILD_ROOT + +%post server +if [ "$1" = 1 ]; then + echo "Creating SSH stop/start scripts in the rc directories..." + ln -s ../sshd /sbin/init.d/rc2.d/K20sshd + ln -s ../sshd /sbin/init.d/rc2.d/S20sshd + ln -s ../sshd /sbin/init.d/rc3.d/K20sshd + ln -s ../sshd /sbin/init.d/rc3.d/S20sshd +fi +echo "Updating /etc/rc.config..." +if [ -x /bin/fillup ] ; then + /bin/fillup -q -d = etc/rc.config var/adm/fillup-templates/rc.config.sshd +else + echo "ERROR: fillup not found. This should NOT happen in SuSE Linux." + echo "Update /etc/rc.config by hand from the following template file:" + echo " /var/adm/fillup-templates/rc.config.sshd" +fi +if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then + echo "Generating SSH host key..." + /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2 +fi +if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then + echo "Generating SSH DSA host key..." + /usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N '' >&2 +fi +if test -r /var/run/sshd.pid +then + echo "Restarting the running SSH daemon..." + /usr/sbin/rcsshd restart >&2 +fi + +%preun server +if [ "$1" = 0 ] +then + echo "Stopping the SSH daemon..." + /usr/sbin/rcsshd stop >&2 + echo "Removing SSH stop/start scripts from the rc directories..." + rm /sbin/init.d/rc2.d/K20sshd + rm /sbin/init.d/rc2.d/S20sshd + rm /sbin/init.d/rc3.d/K20sshd + rm /sbin/init.d/rc3.d/S20sshd +fi + +%files +%defattr(-,root,root) +%doc COPYING.Ylonen ChangeLog OVERVIEW README* +%doc RFC.nroff TODO UPGRADING CREDITS +%attr(0755,root,root) /usr/bin/ssh-keygen +%attr(0755,root,root) /usr/bin/scp +%attr(0644,root,root) %doc /usr/man/man1/ssh-keygen.1 +%attr(0644,root,root) %doc /usr/man/man1/scp.1 +%attr(0755,root,root) %dir /etc/ssh +%attr(0755,root,root) %dir /usr/libexec/ssh + +%files clients +%defattr(-,root,root) +%attr(4755,root,root) /usr/bin/ssh +%attr(0755,root,root) /usr/bin/ssh-agent +%attr(0755,root,root) /usr/bin/ssh-add +%attr(0644,root,root) %doc /usr/man/man1/ssh.1 +%attr(0644,root,root) %doc /usr/man/man1/ssh-agent.1 +%attr(0644,root,root) %doc /usr/man/man1/ssh-add.1 +%attr(0644,root,root) %config /etc/ssh/ssh_config +%attr(-,root,root) /usr/bin/slogin +%attr(-,root,root) %doc /usr/man/man1/slogin.1 + +%files server +%defattr(-,root,root) +%attr(0755,root,root) /usr/sbin/sshd +%attr(0644,root,root) %doc /usr/man/man8/sshd.8 +%attr(0600,root,root) %config /etc/ssh/sshd_config +%attr(0644,root,root) %config /etc/pam.d/sshd +%attr(0755,root,root) %config /sbin/init.d/sshd +%attr(-,root,root) /usr/sbin/rcsshd +%attr(0644,root,root) /var/adm/fillup-templates/rc.config.sshd + +%files askpass +%defattr(-,root,root) +%attr(0755,root,root) /usr/libexec/ssh/ssh-askpass +%attr(0755,root,root) /usr/libexec/ssh/gnome-ssh-askpass + diff -ruN --exclude CVS ssh-openbsd-2000050800/contrib/suse/rc.config.sshd openssh-2.0.0beta2/contrib/suse/rc.config.sshd --- ssh-openbsd-2000050800/contrib/suse/rc.config.sshd Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/contrib/suse/rc.config.sshd Wed Mar 15 12:25:07 2000 @@ -0,0 +1,5 @@ +# +# Start the Secure Shell (SSH) Daemon? +# +START_SSHD="yes" + diff -ruN --exclude CVS ssh-openbsd-2000050800/contrib/suse/rc.sshd openssh-2.0.0beta2/contrib/suse/rc.sshd --- ssh-openbsd-2000050800/contrib/suse/rc.sshd Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/contrib/suse/rc.sshd Wed Mar 15 12:25:07 2000 @@ -0,0 +1,80 @@ +#! /bin/sh +# Copyright (c) 1995-1998 SuSE GmbH Nuernberg, Germany. +# +# Author: Chris Saia +# +# /sbin/init.d/sshd +# +# and symbolic its link +# +# /sbin/rcsshd +# + +. /etc/rc.config + +# Determine the base and follow a runlevel link name. +base=${0##*/} +link=${base#*[SK][0-9][0-9]} + +# Force execution if not called by a runlevel directory. +test $link = $base && START_SSHD=yes +test "$START_SSHD" = yes || exit 0 + +# The echo return value for success (defined in /etc/rc.config). +return=$rc_done +case "$1" in + start) + echo -n "Starting service sshd" + ## Start daemon with startproc(8). If this fails + ## the echo return value is set appropriate. + + startproc /usr/sbin/sshd || return=$rc_failed + + echo -e "$return" + ;; + stop) + echo -n "Stopping service sshd" + ## Stop daemon with killproc(8) and if this fails + ## set echo the echo return value. + + killproc -TERM /usr/sbin/sshd || return=$rc_failed + + echo -e "$return" + ;; + restart) + ## If first returns OK call the second, if first or + ## second command fails, set echo return value. + $0 stop && $0 start || return=$rc_failed + ;; + reload) + ## Choose ONE of the following two cases: + + ## First possibility: A few services accepts a signal + ## to reread the (changed) configuration. + + echo -n "Reload service sshd" + killproc -HUP /usr/sbin/sshd || return=$rc_failed + echo -e "$return" + ;; + status) + echo -n "Checking for service sshd" + ## Check status with checkproc(8), if process is running + ## checkproc will return with exit status 0. + + checkproc /usr/sbin/sshd && echo OK || echo No process + ;; + probe) + ## Optional: Probe for the necessity of a reload, + ## give out the argument which is required for a reload. + + test /etc/ssh/sshd_config -nt /var/run/sshd.pid && echo reload + ;; + *) + echo "Usage: $0 {start|stop|status|restart|reload[|probe]}" + exit 1 + ;; +esac + +# Inform the caller not only verbosely and set an exit status. +test "$return" = "$rc_done" || exit 1 +exit 0 diff -ruN --exclude CVS ssh-openbsd-2000050800/defines.h openssh-2.0.0beta2/defines.h --- ssh-openbsd-2000050800/defines.h Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/defines.h Tue May 2 00:03:56 2000 @@ -0,0 +1,283 @@ +#ifndef _DEFINES_H +#define _DEFINES_H + +/* Necessary headers */ + +#include /* For [u]intxx_t */ + +#include /* For SHUT_XXXX */ + +# include /* For typedefs */ +#include /* For IPv6 macros */ +#include /* For IPTOS macros */ + +#ifdef HAVE_SYS_BITYPES_H +# include /* For u_intXX_t */ +#endif + +#ifdef HAVE_PATHS_H +# include /* For _PATH_XXX */ +#endif + +#ifdef HAVE_UTMP_H +# include /* For _PATH_XXX */ +#endif + +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) +# include /* For _PATH_XXX */ +#endif + +#ifdef HAVE_SYS_TIME_H +# include /* For timersub */ +#endif + +#ifdef HAVE_MAILLOCK_H +# include /* For _PATH_MAILDIR */ +#endif + +#ifdef HAVE_SYS_CDEFS_H +# include /* For __P() */ +#endif + +#ifdef HAVE_SYS_SYSMACROS_H +# include /* For MIN, MAX, etc */ +#endif + +/* Constants */ + +#ifndef SHUT_RDWR +enum +{ + SHUT_RD = 0, /* No more receptions. */ + SHUT_WR, /* No more transmissions. */ + SHUT_RDWR /* No more receptions or transmissions. */ +}; +# define SHUT_RD SHUT_RD +# define SHUT_WR SHUT_WR +# define SHUT_RDWR SHUT_RDWR +#endif + +#ifndef IPTOS_LOWDELAY +# define IPTOS_LOWDELAY 0x10 +# define IPTOS_THROUGHPUT 0x08 +# define IPTOS_RELIABILITY 0x04 +# define IPTOS_LOWCOST 0x02 +# define IPTOS_MINCOST IPTOS_LOWCOST +#endif /* IPTOS_LOWDELAY */ + +/* Types */ + +/* If sys/types.h does not supply intXX_t, supply them ourselves */ +/* (or die trying) */ +#ifndef HAVE_INTXX_T +# if (SIZEOF_CHAR == 1) +typedef char int8_t; +# else +# error "8 bit int type not found." +# endif +# if (SIZEOF_SHORT_INT == 2) +typedef short int int16_t; +# else +# error "16 bit int type not found." +# endif +# if (SIZEOF_INT == 4) +typedef int int32_t; +# else +# error "32 bit int type not found." +# endif +/* +# if (SIZEOF_LONG_INT == 8) +typedef long int int64_t; +# else +# if (SIZEOF_LONG_LONG_INT == 8) +typedef long long int int64_t; +# define HAVE_INTXX_T 1 +# else +# error "64 bit int type not found." +# endif +# endif +*/ +#endif + +/* If sys/types.h does not supply u_intXX_t, supply them ourselves */ +#ifndef HAVE_U_INTXX_T +# ifdef HAVE_UINTXX_T +typedef uint8_t u_int8_t; +typedef uint16_t u_int16_t; +typedef uint32_t u_int32_t; +/* +typedef uint64_t u_int64_t; +*/ +# define HAVE_U_INTXX_T 1 +# else +# if (SIZEOF_CHAR == 1) +typedef unsigned char u_int8_t; +# else +# error "8 bit int type not found." +# endif +# if (SIZEOF_SHORT_INT == 2) +typedef unsigned short int u_int16_t; +# else +# error "16 bit int type not found." +# endif +# if (SIZEOF_INT == 4) +typedef unsigned int u_int32_t; +# else +# error "32 bit int type not found." +# endif +/* +# if (SIZEOF_LONG_INT == 8) +typedef unsigned long int u_int64_t; +# else +# if (SIZEOF_LONG_LONG_INT == 8) +typedef unsigned long long int u_int64_t; +# define HAVE_U_INTXX_T 1 +# else +# error "64 bit int type not found." +# endif +# endif +*/ +# endif +#endif + +#ifndef HAVE_SOCKLEN_T +typedef unsigned int socklen_t; +# define HAVE_SOCKLEN_T +#endif /* HAVE_SOCKLEN_T */ + +#ifndef HAVE_SIZE_T +typedef unsigned int size_t; +# define HAVE_SIZE_T +#endif /* HAVE_SIZE_T */ + +#if !defined(HAVE_SS_FAMILY_IN_SS) && defined(HAVE___SS_FAMILY_IN_SS) +# define ss_family __ss_family +#endif /* !defined(HAVE_SS_FAMILY_IN_SS) && defined(HAVE_SA_FAMILY_IN_SS) */ + +/* Paths */ + +/* If _PATH_LASTLOG is not defined by system headers, set it to the */ +/* lastlog file detected by autoconf */ +#ifndef _PATH_LASTLOG +# ifdef LASTLOG_LOCATION +# define _PATH_LASTLOG LASTLOG_LOCATION +# endif +#endif + +#ifndef _PATH_UTMP +# ifdef UTMP_FILE +# define _PATH_UTMP UTMP_FILE +# else +# define _PATH_UTMP "/var/adm/utmp" +# endif +#endif + +#ifndef _PATH_WTMP +# ifdef WTMP_FILE +# define _PATH_WTMP WTMP_FILE +# else +# define _PATH_WTMP "/var/adm/wtmp" +# endif +#endif + +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) +# ifndef _PATH_UTMPX +# ifdef UTMPX_FILE +# define _PATH_UTMPX UTMPX_FILE +# else +# define _PATH_UTMPX "/var/adm/utmpx" +# endif +# endif +# ifndef _PATH_WTMPX +# ifdef WTMPX_FILE +# define _PATH_WTMPX WTMPX_FILE +# else +# define _PATH_WTMPX "/var/adm/wtmp" +# endif +# endif +#endif + +#ifndef _PATH_BSHELL +# define _PATH_BSHELL "/bin/sh" +#endif + +#ifdef USER_PATH +# ifdef _PATH_STDPATH +# undef _PATH_STDPATH +# endif +# define _PATH_STDPATH USER_PATH +#endif + +#ifndef _PATH_STDPATH +# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" +#endif + +#ifndef _PATH_DEVNULL +# define _PATH_DEVNULL "/dev/null" +#endif + +#ifndef MAILDIR +# define MAILDIR MAIL_DIRECTORY +#endif + +#if !defined(_PATH_MAILDIR) && defined(MAILDIR) +# define _PATH_MAILDIR MAILDIR +#endif /* !defined(_PATH_MAILDIR) && defined(MAILDIR) */ + +#ifndef _PATH_RSH +# ifdef RSH_PATH +# define _PATH_RSH RSH_PATH +# endif /* RSH_PATH */ +#endif /* _PATH_RSH */ + +/* Macros */ + +#ifndef MAX +# define MAX(a,b) (((a)>(b))?(a):(b)) +# define MIN(a,b) (((a)<(b))?(a):(b)) +#endif + +#ifndef timersub +#define timersub(a, b, result) \ + do { \ + (result)->tv_sec = (a)->tv_sec - (b)->tv_sec; \ + (result)->tv_usec = (a)->tv_usec - (b)->tv_usec; \ + if ((result)->tv_usec < 0) { \ + --(result)->tv_sec; \ + (result)->tv_usec += 1000000; \ + } \ + } while (0) +#endif + +#ifndef __P +# define __P(x) x +#endif + +#if !defined(IN6_IS_ADDR_V4MAPPED) +# define IN6_IS_ADDR_V4MAPPED(a) \ + ((((u_int32_t *) (a))[0] == 0) && (((u_int32_t *) (a))[1] == 0) && \ + (((u_int32_t *) (a))[2] == htonl (0xffff))) +#endif /* !defined(IN6_IS_ADDR_V4MAPPED) */ + +#if !defined(__GNUC__) || (__GNUC__ < 2) +# define __attribute__(x) +#endif /* !defined(__GNUC__) || (__GNUC__ < 2) */ + +#if defined(HAVE_SECURITY_PAM_APPL_H) && !defined(DISABLE_PAM) +# define USE_PAM +#endif /* defined(HAVE_SECURITY_PAM_APPL_H) && !defined(DISABLE_PAM) */ + +/* Function replacement / compatibility hacks */ + +/* In older versions of libpam, pam_strerror takes a single argument */ +#ifdef HAVE_OLD_PAM +# define PAM_STRERROR(a,b) pam_strerror((b)) +#else +# define PAM_STRERROR(a,b) pam_strerror((a),(b)) +#endif + +#if defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO) +# undef HAVE_GETADDRINFO +#endif /* defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO) */ + +#endif /* _DEFINES_H */ diff -ruN --exclude CVS ssh-openbsd-2000050800/entropy.c openssh-2.0.0beta2/entropy.c --- ssh-openbsd-2000050800/entropy.c Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/entropy.c Tue May 2 09:56:41 2000 @@ -0,0 +1,725 @@ +/* + * Copyright (c) 2000 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Markus Friedl. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +#include "ssh.h" +#include "xmalloc.h" + +#include +#include + +RCSID("$Id: entropy.c,v 1.8 2000/05/01 23:56:41 damien Exp $"); + +#ifdef EGD_SOCKET +#ifndef offsetof +# define offsetof(type, member) ((size_t) &((type *)0)->member) +#endif +/* Collect entropy from EGD */ +void get_random_bytes(unsigned char *buf, int len) +{ + static int egd_socket = -1; + int c; + char egd_message[2] = { 0x02, 0x00 }; + struct sockaddr_un addr; + int addr_len; + + memset(&addr, '\0', sizeof(addr)); + addr.sun_family = AF_UNIX; + + /* FIXME: compile time check? */ + if (sizeof(EGD_SOCKET) > sizeof(addr.sun_path)) + fatal("Random pool path is too long"); + + strcpy(addr.sun_path, EGD_SOCKET); + + addr_len = offsetof(struct sockaddr_un, sun_path) + sizeof(EGD_SOCKET); + + if (egd_socket == -1) { + egd_socket = socket(AF_UNIX, SOCK_STREAM, 0); + if (egd_socket == -1) + fatal("Couldn't create AF_UNIX socket: %s", strerror(errno)); + if (connect(egd_socket, (struct sockaddr*)&addr, addr_len) == -1) + fatal("Couldn't connect to EGD socket \"%s\": %s", addr.sun_path, strerror(errno)); + } + + if (len > 255) + fatal("Too many bytes to read from EGD"); + + /* Send blocking read request to EGD */ + egd_message[1] = len; + + c = atomicio(write, egd_socket, egd_message, sizeof(egd_message)); + if (c == -1) + fatal("Couldn't write to EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno)); + + c = atomicio(read, egd_socket, buf, len); + if (c <= 0) + fatal("Couldn't read from EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno)); + + close(EGD_SOCKET); +} +#else /* !EGD_SOCKET */ +#ifdef RANDOM_POOL +/* Collect entropy from /dev/urandom or pipe */ +void get_random_bytes(unsigned char *buf, int len) +{ + static int random_pool = -1; + int c; + + if (random_pool == -1) { + random_pool = open(RANDOM_POOL, O_RDONLY); + if (random_pool == -1) + fatal("Couldn't open random pool \"%s\": %s", RANDOM_POOL, strerror(errno)); + } + + c = atomicio(read, random_pool, buf, len); + if (c <= 0) + fatal("Couldn't read from random pool \"%s\": %s", RANDOM_POOL, strerror(errno)); +} +#endif /* RANDOM_POOL */ +#endif /* EGD_SOCKET */ + +#if !defined(EGD_SOCKET) && !defined(RANDOM_POOL) +/* + * FIXME: proper entropy estimations. All current values are guesses + * FIXME: (ATL) do estimates at compile time? + * FIXME: More entropy sources + */ + +/* slow command timeouts (all in milliseconds) */ +/* static int entropy_timeout_default = ENTROPY_TIMEOUT_MSEC; */ +static int entropy_timeout_current = ENTROPY_TIMEOUT_MSEC; + +static int prng_seed_loaded = 0; +static int prng_seed_saved = 0; +static int prng_commands_loaded = 0; + +typedef struct +{ + /* Proportion of data that is entropy */ + double rate; + /* Counter goes positive if this command times out */ + unsigned int badness; + /* Increases by factor of two each timeout */ + unsigned int sticky_badness; + /* Path to executable */ + char *path; + /* argv to pass to executable */ + char *args[5]; +} entropy_source_t; + +double stir_from_system(void); +double stir_from_programs(void); +double stir_gettimeofday(double entropy_estimate); +double stir_clock(double entropy_estimate); +double stir_rusage(int who, double entropy_estimate); +double hash_output_from_command(entropy_source_t *src, char *hash); + +/* this is initialised from a file, by prng_read_commands() */ +entropy_source_t *entropy_sources = NULL; +#define MIN_ENTROPY_SOURCES 16 + + +double +stir_from_system(void) +{ + double total_entropy_estimate; + long int i; + + total_entropy_estimate = 0; + + i = getpid(); + RAND_add(&i, sizeof(i), 0.1); + total_entropy_estimate += 0.1; + + i = getppid(); + RAND_add(&i, sizeof(i), 0.1); + total_entropy_estimate += 0.1; + + i = getuid(); + RAND_add(&i, sizeof(i), 0.0); + i = getgid(); + RAND_add(&i, sizeof(i), 0.0); + + total_entropy_estimate += stir_gettimeofday(1.0); + total_entropy_estimate += stir_clock(0.2); + total_entropy_estimate += stir_rusage(RUSAGE_SELF, 2.0); + + return(total_entropy_estimate); +} + +double +stir_from_programs(void) +{ + int i; + int c; + double entropy_estimate; + double total_entropy_estimate; + char hash[SHA_DIGEST_LENGTH]; + + /* + * Run through list of programs twice to catch differences + */ + total_entropy_estimate = 0; + for(i = 0; i < 2; i++) { + c = 0; + while (entropy_sources[c].path != NULL) { + + if (!entropy_sources[c].badness) { + /* Hash output from command */ + entropy_estimate = hash_output_from_command(&entropy_sources[c], hash); + + /* Scale back entropy estimate according to command's rate */ + entropy_estimate *= entropy_sources[c].rate; + + /* Upper bound of entropy estimate is SHA_DIGEST_LENGTH */ + if (entropy_estimate > SHA_DIGEST_LENGTH) + entropy_estimate = SHA_DIGEST_LENGTH; + + /* * Scale back estimates for subsequent passes through list */ + entropy_estimate /= 10.0 * (i + 1.0); + + /* Stir it in */ + RAND_add(hash, sizeof(hash), entropy_estimate); + +/* FIXME: turn this off later */ +#if 1 + debug("Got %0.2f bytes of entropy from %s", entropy_estimate, + entropy_sources[c].path); +#endif + + total_entropy_estimate += entropy_estimate; + + /* Execution times should be a little unpredictable */ + total_entropy_estimate += stir_gettimeofday(0.05); + total_entropy_estimate += stir_clock(0.05); + total_entropy_estimate += stir_rusage(RUSAGE_SELF, 0.1); + total_entropy_estimate += stir_rusage(RUSAGE_CHILDREN, 0.1); + } else { +/* FIXME: turn this off later */ +#if 1 + debug("Command '%s %s %s' disabled (badness %d)", + entropy_sources[c].path, entropy_sources[c].args[1], + entropy_sources[c].args[2], entropy_sources[c].badness); +#endif + + if (entropy_sources[c].badness > 0) + entropy_sources[c].badness--; + } + + c++; + } + } + + return(total_entropy_estimate); +} + +double +stir_gettimeofday(double entropy_estimate) +{ + struct timeval tv; + + if (gettimeofday(&tv, NULL) == -1) + fatal("Couldn't gettimeofday: %s", strerror(errno)); + + RAND_add(&tv, sizeof(tv), entropy_estimate); + + return(entropy_estimate); +} + +double +stir_clock(double entropy_estimate) +{ +#ifdef HAVE_CLOCK + clock_t c; + + c = clock(); + RAND_add(&c, sizeof(c), entropy_estimate); + + return(entropy_estimate); +#else /* _HAVE_CLOCK */ + return(0); +#endif /* _HAVE_CLOCK */ +} + +double +stir_rusage(int who, double entropy_estimate) +{ +#ifdef HAVE_GETRUSAGE + struct rusage ru; + + if (getrusage(who, &ru) == -1) + fatal("Couldn't getrusage: %s", strerror(errno)); + + RAND_add(&ru, sizeof(ru), 0.1); + + return(entropy_estimate); +#else /* _HAVE_GETRUSAGE */ + return(0); +#endif /* _HAVE_GETRUSAGE */ +} + +double +hash_output_from_command(entropy_source_t *src, char *hash) +{ + static int devnull = -1; + int p[2]; + fd_set rdset; + int cmd_eof = 0, error_abort = 0; + pid_t pid; + int status; + char buf[2048]; + int bytes_read; + int total_bytes_read; + SHA_CTX sha; + + if (devnull == -1) { + devnull = open("/dev/null", O_RDWR); + if (devnull == -1) + fatal("Couldn't open /dev/null: %s", strerror(errno)); + } + + if (pipe(p) == -1) + fatal("Couldn't open pipe: %s", strerror(errno)); + + switch (pid = fork()) { + case -1: /* Error */ + close(p[0]); + close(p[1]); + fatal("Couldn't fork: %s", strerror(errno)); + /* NOTREACHED */ + case 0: /* Child */ + dup2(devnull, STDIN_FILENO); + dup2(p[1], STDOUT_FILENO); + dup2(p[1], STDERR_FILENO); + close(p[0]); + close(p[1]); + close(devnull); + + execv(src->path, (char**)(src->args)); + debug("(child) Couldn't exec '%s %s %s': %s", src->path, + src->args[1], src->args[2], strerror(errno)); + src->badness = src->sticky_badness = 128; + _exit(-1); + default: /* Parent */ + break; + } + + RAND_add(&pid, sizeof(&pid), 0.0); + + close(p[1]); + + /* Hash output from child */ + SHA1_Init(&sha); + total_bytes_read = 0; + + while (!error_abort && !cmd_eof) { + int ret; + struct timeval tv; + + FD_ZERO(&rdset); + FD_SET(p[0], &rdset); + tv.tv_sec = entropy_timeout_current / 1000; + tv.tv_usec = (entropy_timeout_current % 1000) * 1000; + + ret = select(p[0]+1, &rdset, NULL, NULL, &tv); + switch (ret) { + case 0: + /* timer expired */ + error_abort = 1; + break; + + case 1: + /* command input */ + bytes_read = read(p[0], buf, sizeof(buf)); + if (bytes_read == -1) { + error_abort = 1; + break; + } + SHA1_Update(&sha, buf, bytes_read); + total_bytes_read += bytes_read; + RAND_add(&bytes_read, sizeof(&bytes_read), 0.0); + cmd_eof = bytes_read ? 0 : 1; + + break; + + case -1: + default: + error("Command '%s %s': select() failed: %s", src->path, src->args[1], + strerror(errno)); + error_abort = 1; + break; + } /* switch ret */ + + RAND_add(&tv, sizeof(&tv), 0.0); + } /* while !error_abort && !cmd_eof */ + + SHA1_Final(hash, &sha); + + close(p[0]); + + if (waitpid(pid, &status, 0) == -1) { + error("Couldn't wait for child '%s %s' completion: %s", src->path, + src->args[1], strerror(errno)); + /* return(-1); */ /* FIXME: (ATL) this doesn't feel right */ + return(0.0); + } + + RAND_add(&status, sizeof(&status), 0.0); + + if (error_abort) { + /* closing p[0] on timeout causes the entropy command to + * SIGPIPE. Take whatever output we got, and mark this command + * as slow */ + debug("Command %s %s timed out", src->path, src->args[1]); + src->sticky_badness *= 2; + src->badness = src->sticky_badness; + return(total_bytes_read); + } + + if (WIFEXITED(status)) { + if (WEXITSTATUS(status)==0) { + return(total_bytes_read); + } else { + debug("Exit status was %d", WEXITSTATUS(status)); + src->badness = src->sticky_badness = 128; + return (0.0); + } + } else if (WIFSIGNALED(status)) { + debug("Returned on uncaught signal %d !", status); + src->badness = src->sticky_badness = 128; + return(0.0); + } else + return(0.0); +} + +/* + * prng seedfile functions + */ +int +prng_check_seedfile(char *filename) { + + struct stat st; + + /* FIXME raceable: eg replace seed between this stat and subsequent open */ + /* Not such a problem because we don't trust the seed file anyway */ + if (lstat(filename, &st) == -1) { + /* Fail on hard errors */ + if (errno != ENOENT) + fatal("Couldn't stat random seed file \"%s\": %s", filename, + strerror(errno)); + + return(0); + } + + /* regular file? */ + if (!S_ISREG(st.st_mode)) + fatal("PRNG seedfile %.100s is not a regular file", filename); + + /* mode 0600, owned by root or the current user? */ + if (((st.st_mode & 0177) != 0) || !(st.st_uid == geteuid())) + fatal("PRNG seedfile %.100s must be mode 0600, owned by uid %d", + filename, getuid()); + + return(1); +} + +void +prng_write_seedfile(void) { + int fd; + char seed[1024]; + char filename[1024]; + struct passwd *pw; + + /* Don't bother if we have already saved a seed */ + if (prng_seed_saved) + return; + + prng_seed_saved = 1; + + pw = getpwuid(getuid()); + if (pw == NULL) + fatal("Couldn't get password entry for current user (%i): %s", + getuid(), strerror(errno)); + + /* Try to ensure that the parent directory is there */ + snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, + SSH_USER_DIR); + mkdir(filename, 0700); + + snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, + SSH_PRNG_SEED_FILE); + + debug("writing PRNG seed to file %.100s", filename); + + RAND_bytes(seed, sizeof(seed)); + + /* Don't care if the seed doesn't exist */ + prng_check_seedfile(filename); + + if ((fd = open(filename, O_WRONLY|O_TRUNC|O_CREAT, 0600)) == -1) + fatal("couldn't access PRNG seedfile %.100s (%.100s)", filename, + strerror(errno)); + + if (atomicio(write, fd, &seed, sizeof(seed)) != sizeof(seed)) + fatal("problem writing PRNG seedfile %.100s (%.100s)", filename, + strerror(errno)); + + close(fd); +} + +void +prng_read_seedfile(void) { + int fd; + char seed[1024]; + char filename[1024]; + struct passwd *pw; + + pw = getpwuid(getuid()); + if (pw == NULL) + fatal("Couldn't get password entry for current user (%i): %s", + getuid(), strerror(errno)); + + snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, + SSH_PRNG_SEED_FILE); + + debug("loading PRNG seed from file %.100s", filename); + + if (!prng_check_seedfile(filename)) { + verbose("Random seed file not found, creating new"); + prng_write_seedfile(); + + /* Reseed immediatly */ + (void)stir_from_system(); + (void)stir_from_programs(); + return; + } + + /* open the file and read in the seed */ + fd = open(filename, O_RDONLY); + if (fd == -1) + fatal("could not open PRNG seedfile %.100s (%.100s)", filename, + strerror(errno)); + + if (atomicio(read, fd, &seed, sizeof(seed)) != sizeof(seed)) { + verbose("invalid or short read from PRNG seedfile %.100s - ignoring", + filename); + memset(seed, '\0', sizeof(seed)); + } + close(fd); + + /* stir in the seed, with estimated entropy zero */ + RAND_add(&seed, sizeof(seed), 0.0); +} + + +/* + * entropy command initialisation functions + */ +#define WHITESPACE " \t\n" + +int +prng_read_commands(char *cmdfilename) +{ + FILE *f; + char line[1024]; + char cmd[1024], path[256]; + double est; + char *cp; + int linenum; + entropy_source_t *entcmd; + int num_cmds = 64; + int cur_cmd = 0; + + f = fopen(cmdfilename, "r"); + if (!f) { + fatal("couldn't read entropy commands file %.100s: %.100s", + cmdfilename, strerror(errno)); + } + + linenum = 0; + + entcmd = (entropy_source_t *)xmalloc(num_cmds * sizeof(entropy_source_t)); + memset(entcmd, '\0', num_cmds * sizeof(entropy_source_t)); + + while (fgets(line, sizeof(line), f)) { + linenum++; + + /* skip leading whitespace, test for blank line or comment */ + cp = line + strspn(line, WHITESPACE); + if ((*cp == 0) || (*cp == '#')) + continue; /* done with this line */ + + switch (*cp) { + int arg; + char *argv; + + case '"': + /* first token, command args (incl. argv[0]) in double quotes */ + cp = strtok(cp, "\""); + if (cp==NULL) { + error("missing or bad command string, %.100s line %d -- ignored", + cmdfilename, linenum); + continue; + } + strncpy(cmd, cp, sizeof(cmd)); + /* second token, full command path */ + if ((cp = strtok(NULL, WHITESPACE)) == NULL) { + error("missing command path, %.100s line %d -- ignored", + cmdfilename, linenum); + continue; + } + if (strncmp("undef", cp, 5)==0) /* did configure mark this as dead? */ + continue; + + strncpy(path, cp, sizeof(path)); + /* third token, entropy rate estimate for this command */ + if ( (cp = strtok(NULL, WHITESPACE)) == NULL) { + error("missing entropy estimate, %.100s line %d -- ignored", + cmdfilename, linenum); + continue; + } + est = strtod(cp, &argv);/* FIXME: (ATL) no error checking here */ + + /* end of line */ + if ((cp = strtok(NULL, WHITESPACE)) != NULL) { + error("garbage at end of line %d in %.100s -- ignored", + linenum, cmdfilename); + continue; + } + + /* split the command args */ + cp = strtok(cmd, WHITESPACE); + arg = 0; argv = NULL; + do { + char *s = (char*)xmalloc(strlen(cp)+1); + strncpy(s, cp, strlen(cp)+1); + entcmd[cur_cmd].args[arg] = s; + arg++; + } while ((arg < 5) && (cp = strtok(NULL, WHITESPACE))); + if (strtok(NULL, WHITESPACE)) + error("ignored extra command elements (max 5), %.100s line %d", + cmdfilename, linenum); + + /* copy the command path and rate estimate */ + entcmd[cur_cmd].path = (char *)xmalloc(strlen(path)+1); + strncpy(entcmd[cur_cmd].path, path, strlen(path)+1); + entcmd[cur_cmd].rate = est; + /* initialise other values */ + entcmd[cur_cmd].sticky_badness = 1; + + cur_cmd++; + + /* If we've filled the array, reallocate it twice the size */ + /* Do this now because even if this we're on the last command, + we need another slot to mark the last entry */ + if (cur_cmd == num_cmds) { + num_cmds *= 2; + entcmd = xrealloc(entcmd, num_cmds * sizeof(entropy_source_t)); + } + break; + + default: + error("bad entropy command, %.100s line %d", cmdfilename, + linenum); + continue; + } + } + + /* zero the last entry */ + memset(&entcmd[cur_cmd], '\0', sizeof(entropy_source_t)); + /* trim to size */ + entropy_sources = xrealloc(entcmd, (cur_cmd+1) * sizeof(entropy_source_t)); + + debug("loaded %d entropy commands from %.100s", cur_cmd, cmdfilename); + + return (cur_cmd >= MIN_ENTROPY_SOURCES); +} + + +#endif /* defined(EGD_SOCKET) || defined(RANDOM_POOL) */ + +#if defined(EGD_SOCKET) || defined(RANDOM_POOL) + +/* + * Seed OpenSSL's random number pool from Kernel random number generator + * or EGD + */ +void +seed_rng(void) +{ + char buf[32]; + + debug("Seeding random number generator"); + get_random_bytes(buf, sizeof(buf)); + RAND_add(buf, sizeof(buf), sizeof(buf)); + memset(buf, '\0', sizeof(buf)); +} + +#else /* defined(EGD_SOCKET) || defined(RANDOM_POOL) */ + +/* + * Write a keyfile at exit + */ +void +prng_seed_cleanup(void *junk) +{ + prng_write_seedfile(); +} + +/* + * Conditionally Seed OpenSSL's random number pool from + * syscalls and program output + */ +void +seed_rng(void) +{ + if (!prng_commands_loaded) { + if (!prng_read_commands(SSH_PRNG_COMMAND_FILE)) + fatal("PRNG initialisation failed -- exiting."); + prng_commands_loaded = 1; + } + + debug("Seeding random number generator."); + debug("OpenSSL random status is now %i\n", RAND_status()); + debug("%i bytes from system calls", (int)stir_from_system()); + debug("%i bytes from programs", (int)stir_from_programs()); + debug("OpenSSL random status is now %i\n", RAND_status()); + + if (!prng_seed_loaded) + { + prng_seed_loaded = 1; + prng_seed_saved = 0; + prng_read_seedfile(); + fatal_add_cleanup(prng_seed_cleanup, NULL); + atexit(prng_write_seedfile); + } +} +#endif /* defined(EGD_SOCKET) || defined(RANDOM_POOL) */ diff -ruN --exclude CVS ssh-openbsd-2000050800/entropy.h openssh-2.0.0beta2/entropy.h --- ssh-openbsd-2000050800/entropy.h Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/entropy.h Mon Apr 3 14:50:45 2000 @@ -0,0 +1,35 @@ +/* + * Copyright (c) 1999-2000 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Markus Friedl. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _RANDOMS_H +#define _RANDOMS_H + +void seed_rng(void); + +#endif /* _RANDOMS_H */ diff -ruN --exclude CVS ssh-openbsd-2000050800/fake-gai-errnos.h openssh-2.0.0beta2/fake-gai-errnos.h --- ssh-openbsd-2000050800/fake-gai-errnos.h Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/fake-gai-errnos.h Fri Jan 14 15:45:48 2000 @@ -0,0 +1,12 @@ +/* + * fake library for ssh + * + * This file is included in getaddrinfo.c and getnameinfo.c. + * See getaddrinfo.c and getnameinfo.c. + */ + +/* for old netdb.h */ +#ifndef EAI_NODATA +#define EAI_NODATA 1 +#define EAI_MEMORY 2 +#endif diff -ruN --exclude CVS ssh-openbsd-2000050800/fake-getaddrinfo.c openssh-2.0.0beta2/fake-getaddrinfo.c --- ssh-openbsd-2000050800/fake-getaddrinfo.c Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/fake-getaddrinfo.c Sat Apr 8 17:48:56 2000 @@ -0,0 +1,119 @@ +/* + * fake library for ssh + * + * This file includes getaddrinfo(), freeaddrinfo() and gai_strerror(). + * These funtions are defined in rfc2133. + * + * But these functions are not implemented correctly. The minimum subset + * is implemented for ssh use only. For exapmle, this routine assumes + * that ai_family is AF_INET. Don't use it for another purpose. + * + * In the case not using 'configure --enable-ipv6', this getaddrinfo.c + * will be used if you have broken getaddrinfo or no getaddrinfo. + */ + +#include "includes.h" +#include "ssh.h" + +#ifndef HAVE_GAI_STRERROR +char * +gai_strerror(ecode) +int ecode; +{ + switch (ecode) { + case EAI_NODATA: + return "no address associated with hostname."; + case EAI_MEMORY: + return "memory allocation failure."; + default: + return "unknown error."; + } +} +#endif /* !HAVE_GAI_STRERROR */ + +#ifndef HAVE_FREEADDRINFO +void +freeaddrinfo(ai) +struct addrinfo *ai; +{ + struct addrinfo *next; + + do { + next = ai->ai_next; + free(ai); + } while (NULL != (ai = next)); +} +#endif /* !HAVE_FREEADDRINFO */ + +#ifndef HAVE_GETADDRINFO +static struct addrinfo * +malloc_ai(port, addr) +int port; +u_long addr; +{ + struct addrinfo *ai; + + if (NULL != (ai = (struct addrinfo *)malloc(sizeof(struct addrinfo) + + sizeof(struct sockaddr_in)))) { + memset(ai, 0, sizeof(struct addrinfo) + sizeof(struct sockaddr_in)); + ai->ai_addr = (struct sockaddr *)(ai + 1); + /* XXX -- ssh doesn't use sa_len */ + ai->ai_addrlen = sizeof(struct sockaddr_in); + ai->ai_addr->sa_family = ai->ai_family = AF_INET; + ((struct sockaddr_in *)(ai)->ai_addr)->sin_port = port; + ((struct sockaddr_in *)(ai)->ai_addr)->sin_addr.s_addr = addr; + return ai; + } else { + return NULL; + } +} + +int +getaddrinfo(hostname, servname, hints, res) +const char *hostname, *servname; +const struct addrinfo *hints; +struct addrinfo **res; +{ + struct addrinfo *cur, *prev = NULL; + struct hostent *hp; + int i, port; + + if (servname) + port = htons(atoi(servname)); + else + port = 0; + if (hints && hints->ai_flags & AI_PASSIVE) + if (NULL != (*res = malloc_ai(port, htonl(0x00000000)))) + return 0; + else + return EAI_MEMORY; + if (!hostname) + if (NULL != (*res = malloc_ai(port, htonl(0x7f000001)))) + return 0; + else + return EAI_MEMORY; + if (inet_addr(hostname) != -1) + if (NULL != (*res = malloc_ai(port, inet_addr(hostname)))) + return 0; + else + return EAI_MEMORY; + if ((hp = gethostbyname(hostname)) && + hp->h_name && hp->h_name[0] && hp->h_addr_list[0]) { + for (i = 0; hp->h_addr_list[i]; i++) + if (NULL != (cur = malloc_ai(port, + ((struct in_addr *)hp->h_addr_list[i])->s_addr))) { + if (prev) + prev->ai_next = cur; + else + *res = cur; + prev = cur; + } else { + if (*res) + freeaddrinfo(*res); + return EAI_MEMORY; + } + return 0; + } + return EAI_NODATA; +} +#endif /* !HAVE_GETADDRINFO */ diff -ruN --exclude CVS ssh-openbsd-2000050800/fake-getaddrinfo.h openssh-2.0.0beta2/fake-getaddrinfo.h --- ssh-openbsd-2000050800/fake-getaddrinfo.h Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/fake-getaddrinfo.h Sun Jan 16 18:19:25 2000 @@ -0,0 +1,45 @@ +#ifndef _FAKE_GETADDRINFO_H +#define _FAKE_GETADDRINFO_H + +#include "config.h" + +#include "fake-gai-errnos.h" + +#ifndef AI_PASSIVE +# define AI_PASSIVE 1 +# define AI_CANONNAME 2 +#endif + +#ifndef NI_NUMERICHOST +# define NI_NUMERICHOST 2 +# define NI_NAMEREQD 4 +# define NI_NUMERICSERV 8 +#endif + +#ifndef HAVE_STRUCT_ADDRINFO +struct addrinfo { + int ai_flags; /* AI_PASSIVE, AI_CANONNAME */ + int ai_family; /* PF_xxx */ + int ai_socktype; /* SOCK_xxx */ + int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */ + size_t ai_addrlen; /* length of ai_addr */ + char *ai_canonname; /* canonical name for hostname */ + struct sockaddr *ai_addr; /* binary address */ + struct addrinfo *ai_next; /* next structure in linked list */ +}; +#endif /* !HAVE_STRUCT_ADDRINFO */ + +#ifndef HAVE_GETADDRINFO +int getaddrinfo(const char *hostname, const char *servname, + const struct addrinfo *hints, struct addrinfo **res); +#endif /* !HAVE_GETADDRINFO */ + +#ifndef HAVE_GAI_STRERROR +char *gai_strerror(int ecode); +#endif /* !HAVE_GAI_STRERROR */ + +#ifndef HAVE_FREEADDRINFO +void freeaddrinfo(struct addrinfo *ai); +#endif /* !HAVE_FREEADDRINFO */ + +#endif /* _FAKE_GETADDRINFO_H */ diff -ruN --exclude CVS ssh-openbsd-2000050800/fake-getnameinfo.c openssh-2.0.0beta2/fake-getnameinfo.c --- ssh-openbsd-2000050800/fake-getnameinfo.c Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/fake-getnameinfo.c Sat Apr 8 17:48:56 2000 @@ -0,0 +1,61 @@ +/* + * fake library for ssh + * + * This file includes getnameinfo(). + * These funtions are defined in rfc2133. + * + * But these functions are not implemented correctly. The minimum subset + * is implemented for ssh use only. For exapmle, this routine assumes + * that ai_family is AF_INET. Don't use it for another purpose. + * + * In the case not using 'configure --enable-ipv6', this getnameinfo.c + * will be used if you have broken getnameinfo or no getnameinfo. + */ + +#include "includes.h" +#include "ssh.h" + +#ifndef HAVE_GETNAMEINFO +int +getnameinfo(sa, salen, host, hostlen, serv, servlen, flags) +const struct sockaddr *sa; +size_t salen; +char *host; +size_t hostlen; +char *serv; +size_t servlen; +int flags; +{ + struct sockaddr_in *sin = (struct sockaddr_in *)sa; + struct hostent *hp; + char tmpserv[16]; + + if (serv) { + sprintf(tmpserv, "%d", ntohs(sin->sin_port)); + if (strlen(tmpserv) > servlen) + return EAI_MEMORY; + else + strcpy(serv, tmpserv); + } + if (host) + if (flags & NI_NUMERICHOST) + if (strlen(inet_ntoa(sin->sin_addr)) > hostlen) + return EAI_MEMORY; + else { + strcpy(host, inet_ntoa(sin->sin_addr)); + return 0; + } + else + if (NULL != (hp = gethostbyaddr((char *)&sin->sin_addr, + sizeof(struct in_addr), AF_INET))) + if (strlen(hp->h_name) > hostlen) + return EAI_MEMORY; + else { + strcpy(host, hp->h_name); + return 0; + } + else + return EAI_NODATA; + return 0; +} +#endif /* !HAVE_GETNAMEINFO */ diff -ruN --exclude CVS ssh-openbsd-2000050800/fake-getnameinfo.h openssh-2.0.0beta2/fake-getnameinfo.h --- ssh-openbsd-2000050800/fake-getnameinfo.h Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/fake-getnameinfo.h Fri Jan 14 15:45:49 2000 @@ -0,0 +1,17 @@ +#ifndef _FAKE_GETNAMEINFO_H +#define _FAKE_GETNAMEINFO_H + +#include "config.h" +#ifndef HAVE_GETNAMEINFO +int getnameinfo(const struct sockaddr *sa, size_t salen, char *host, + size_t hostlen, char *serv, size_t servlen, int flags); +#endif /* !HAVE_GETNAMEINFO */ + +#ifndef NI_MAXSERV +# define NI_MAXSERV 32 +#endif /* !NI_MAXSERV */ +#ifndef NI_MAXHOST +# define NI_MAXHOST 1025 +#endif /* !NI_MAXHOST */ + +#endif /* _FAKE_GETNAMEINFO_H */ diff -ruN --exclude CVS ssh-openbsd-2000050800/fake-socket.h openssh-2.0.0beta2/fake-socket.h --- ssh-openbsd-2000050800/fake-socket.h Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/fake-socket.h Fri Jan 14 15:45:49 2000 @@ -0,0 +1,49 @@ +#ifndef _FAKE_SOCKET_H +#define _FAKE_SOCKET_H + +#include "config.h" +#include "sys/types.h" + +#ifndef HAVE_STRUCT_SOCKADDR_STORAGE +#define _SS_MAXSIZE 128 /* Implementation specific max size */ +#define _SS_ALIGNSIZE (sizeof(int)) +#define _SS_PAD1SIZE (_SS_ALIGNSIZE - sizeof(u_short)) +#define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof(u_short) + \ + _SS_PAD1SIZE + _SS_ALIGNSIZE)) + +struct sockaddr_storage { + u_short ss_family; + char __ss_pad1[_SS_PAD1SIZE]; + int __ss_align; + char __ss_pad2[_SS_PAD2SIZE]; +}; +#endif /* !HAVE_STRUCT_SOCKADDR_STORAGE */ + +#ifndef IN6_IS_ADDR_LOOPBACK +#define IN6_IS_ADDR_LOOPBACK(a) \ + (((u_int32_t *) (a))[0] == 0 && ((u_int32_t *) (a))[1] == 0 && \ + ((u_int32_t *) (a))[2] == 0 && ((u_int32_t *) (a))[3] == htonl (1)) +#endif /* !IN6_IS_ADDR_LOOPBACK */ + +#ifndef HAVE_STRUCT_IN6_ADDR +struct in6_addr { + u_int8_t s6_addr[16]; +}; +#endif /* !HAVE_STRUCT_IN6_ADDR */ + +#ifndef HAVE_STRUCT_SOCKADDR_IN6 +struct sockaddr_in6 { + unsigned short sin6_family; + u_int16_t sin6_port; + u_int32_t sin6_flowinfo; + struct in6_addr sin6_addr; +}; +#endif /* !HAVE_STRUCT_SOCKADDR_IN6 */ + +#ifndef AF_INET6 +/* Define it to something that should never appear */ +#define AF_INET6 AF_MAX +#endif + +#endif /* !_FAKE_SOCKET_H */ + diff -ruN --exclude CVS ssh-openbsd-2000050800/fixpaths openssh-2.0.0beta2/fixpaths --- ssh-openbsd-2000050800/fixpaths Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/fixpaths Thu Apr 20 07:33:24 2000 @@ -0,0 +1,50 @@ +#!/usr/bin/perl -w +# +# fixpaths - substitute makefile variables into text files + + +$usage = "Usage: $0 [-x] [-Dstring=replacement] [[infile] ...]\n"; + +$ext="out"; + +if (!defined(@ARGV)) { die ("$usage"); } + +# read in the command line and get some definitions +while ($_=$ARGV[0], /^-/) { + if (/^-[Dx]/) { + # definition + shift(@ARGV); + if ( /-D(.*)=(.*)/ ) { + $def{"$1"}=$2; + } elsif ( /-x\s*(\w+)/ ) { + $ext=$1; + } else { + die ("$usage$0: error in command line arguments.\n"); + } + } else { + @cmd = split(//, $ARGV[0]); $opt = $cmd[1]; + die ("$usage$0: unknown option '-$opt'\n"); + } +} # while parsing arguments + +if (!defined(%def)) { + die ("$0: nothing to do - no substitutions listed!\n"); +} + +for $f (@ARGV) { + + $f =~ /(.*\/)*(.*)$/; + $of = $2.".$ext"; + + open(IN, "<$f") || die ("$0: input file $f missing!\n"); + if (open(OUT, ">$of")) { + while () { + for $s (keys(%def)) { + s#$s#$def{$s}#; + } # for $s + print OUT; + } # while + } # if (outfile open) +} # for $f + +exit 0; diff -ruN --exclude CVS ssh-openbsd-2000050800/includes.h openssh-2.0.0beta2/includes.h --- ssh-openbsd-2000050800/includes.h Sun Apr 16 12:53:10 2000 +++ openssh-2.0.0beta2/includes.h Sun May 7 12:03:16 2000 @@ -19,26 +19,21 @@ #define RCSID(msg) \ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg } +#include "config.h" + #include #include -#include #include #include -#include #include #include -#include #include #include -#include -#include #include -#include #include #include -#include #include #include #include @@ -52,18 +47,82 @@ #include #include #include -#include #include +#ifdef HAVE_BSTRING_H +# include +#endif +#ifdef HAVE_NETGROUP_H +# include +#endif +#ifdef HAVE_NETDB_H +# include +#endif +#ifdef HAVE_PATHS_H +# include +#endif +#ifdef HAVE_ENDIAN_H +# include +#endif +#ifdef HAVE_SYS_SELECT_H +# include +#endif +#ifdef HAVE_SYS_TIME_H +# include +#endif +#ifdef HAVE_SYS_BSDTTY_H +# include +#endif +#ifdef USE_PAM +# include +#endif +#ifdef HAVE_POLL_H +# include +#else +# ifdef HAVE_SYS_POLL_H +# include +# endif +#endif +#ifdef HAVE_SYS_SYSMACROS_H +# include +#endif + #include "version.h" +/* BSD function replacements */ +#include "bsd-bindresvport.h" +#include "bsd-rresvport.h" +#include "bsd-misc.h" +#include "bsd-strlcpy.h" +#include "bsd-strlcat.h" +#include "bsd-mktemp.h" +#include "bsd-snprintf.h" +#include "bsd-daemon.h" +#include "bsd-login.h" +#include "bsd-base64.h" + +/* rfc2553 socket API replacements */ +#include "fake-getaddrinfo.h" +#include "fake-getnameinfo.h" +#include "fake-socket.h" + +/* Entropy collection */ +#include "entropy.h" + /* Define this to be the path of the xauth program. */ +#ifndef XAUTH_PATH #define XAUTH_PATH "/usr/X11R6/bin/xauth" +#endif /* XAUTH_PATH */ + +/* Define this to be the path of the rsh program. */ +#ifndef _PATH_RSH +#define _PATH_RSH "/usr/bin/rsh" +#endif /* _PATH_RSH */ /* * Define this to use pipes instead of socketpairs for communicating with the * client program. Socketpairs do not seem to work on all systems. */ -#define USE_PIPES 1 +/* #define USE_PIPES 1 */ #endif /* INCLUDES_H */ diff -ruN --exclude CVS ssh-openbsd-2000050800/install-sh openssh-2.0.0beta2/install-sh --- ssh-openbsd-2000050800/install-sh Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/install-sh Thu Nov 25 12:31:26 1999 @@ -0,0 +1,251 @@ +#!/bin/sh +# +# install - install a program, script, or datafile +# This comes from X11R5 (mit/util/scripts/install.sh). +# +# Copyright 1991 by the Massachusetts Institute of Technology +# +# Permission to use, copy, modify, distribute, and sell this software and its +# documentation for any purpose is hereby granted without fee, provided that +# the above copyright notice appear in all copies and that both that +# copyright notice and this permission notice appear in supporting +# documentation, and that the name of M.I.T. not be used in advertising or +# publicity pertaining to distribution of the software without specific, +# written prior permission. M.I.T. makes no representations about the +# suitability of this software for any purpose. It is provided "as is" +# without express or implied warranty. +# +# Calling this script install-sh is preferred over install.sh, to prevent +# `make' implicit rules from creating a file called install from it +# when there is no Makefile. +# +# This script is compatible with the BSD install script, but was written +# from scratch. It can only install one file at a time, a restriction +# shared with many OS's install programs. + + +# set DOITPROG to echo to test this script + +# Don't use :- since 4.3BSD and earlier shells don't like it. +doit="${DOITPROG-}" + + +# put in absolute paths if you don't have them in your path; or use env. vars. + +mvprog="${MVPROG-mv}" +cpprog="${CPPROG-cp}" +chmodprog="${CHMODPROG-chmod}" +chownprog="${CHOWNPROG-chown}" +chgrpprog="${CHGRPPROG-chgrp}" +stripprog="${STRIPPROG-strip}" +rmprog="${RMPROG-rm}" +mkdirprog="${MKDIRPROG-mkdir}" + +transformbasename="" +transform_arg="" +instcmd="$mvprog" +chmodcmd="$chmodprog 0755" +chowncmd="" +chgrpcmd="" +stripcmd="" +rmcmd="$rmprog -f" +mvcmd="$mvprog" +src="" +dst="" +dir_arg="" + +while [ x"$1" != x ]; do + case $1 in + -c) instcmd="$cpprog" + shift + continue;; + + -d) dir_arg=true + shift + continue;; + + -m) chmodcmd="$chmodprog $2" + shift + shift + continue;; + + -o) chowncmd="$chownprog $2" + shift + shift + continue;; + + -g) chgrpcmd="$chgrpprog $2" + shift + shift + continue;; + + -s) stripcmd="$stripprog" + shift + continue;; + + -t=*) transformarg=`echo $1 | sed 's/-t=//'` + shift + continue;; + + -b=*) transformbasename=`echo $1 | sed 's/-b=//'` + shift + continue;; + + *) if [ x"$src" = x ] + then + src=$1 + else + # this colon is to work around a 386BSD /bin/sh bug + : + dst=$1 + fi + shift + continue;; + esac +done + +if [ x"$src" = x ] +then + echo "install: no input file specified" + exit 1 +else + true +fi + +if [ x"$dir_arg" != x ]; then + dst=$src + src="" + + if [ -d $dst ]; then + instcmd=: + chmodcmd="" + else + instcmd=mkdir + fi +else + +# Waiting for this to be detected by the "$instcmd $src $dsttmp" command +# might cause directories to be created, which would be especially bad +# if $src (and thus $dsttmp) contains '*'. + + if [ -f $src -o -d $src ] + then + true + else + echo "install: $src does not exist" + exit 1 + fi + + if [ x"$dst" = x ] + then + echo "install: no destination specified" + exit 1 + else + true + fi + +# If destination is a directory, append the input filename; if your system +# does not like double slashes in filenames, you may need to add some logic + + if [ -d $dst ] + then + dst="$dst"/`basename $src` + else + true + fi +fi + +## this sed command emulates the dirname command +dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'` + +# Make sure that the destination directory exists. +# this part is taken from Noah Friedman's mkinstalldirs script + +# Skip lots of stat calls in the usual case. +if [ ! -d "$dstdir" ]; then +defaultIFS=' +' +IFS="${IFS-${defaultIFS}}" + +oIFS="${IFS}" +# Some sh's can't handle IFS=/ for some reason. +IFS='%' +set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'` +IFS="${oIFS}" + +pathcomp='' + +while [ $# -ne 0 ] ; do + pathcomp="${pathcomp}${1}" + shift + + if [ ! -d "${pathcomp}" ] ; + then + $mkdirprog "${pathcomp}" + else + true + fi + + pathcomp="${pathcomp}/" +done +fi + +if [ x"$dir_arg" != x ] +then + $doit $instcmd $dst && + + if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi && + if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi && + if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi && + if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi +else + +# If we're going to rename the final executable, determine the name now. + + if [ x"$transformarg" = x ] + then + dstfile=`basename $dst` + else + dstfile=`basename $dst $transformbasename | + sed $transformarg`$transformbasename + fi + +# don't allow the sed command to completely eliminate the filename + + if [ x"$dstfile" = x ] + then + dstfile=`basename $dst` + else + true + fi + +# Make a temp file name in the proper directory. + + dsttmp=$dstdir/#inst.$$# + +# Move or copy the file name to the temp name + + $doit $instcmd $src $dsttmp && + + trap "rm -f ${dsttmp}" 0 && + +# and set any options; do chmod last to preserve setuid bits + +# If any of these fail, we abort the whole thing. If we want to +# ignore errors from any of these, just make sure not to ignore +# errors from the above "$doit $instcmd $src $dsttmp" command. + + if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi && + if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi && + if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi && + if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi && + +# Now rename the file to the real destination. + + $doit $rmcmd -f $dstdir/$dstfile && + $doit $mvcmd $dsttmp $dstdir/$dstfile + +fi && + + +exit 0 diff -ruN --exclude CVS ssh-openbsd-2000050800/lib/Makefile openssh-2.0.0beta2/lib/Makefile --- ssh-openbsd-2000050800/lib/Makefile Sun Apr 30 09:49:54 2000 +++ openssh-2.0.0beta2/lib/Makefile Thu Jan 1 10:00:00 1970 @@ -1,26 +0,0 @@ -.PATH: ${.CURDIR}/.. - -LIB= ssh -SRCS= authfd.c authfile.c bufaux.c buffer.c canohost.c channels.c \ - cipher.c compat.c compress.c crc32.c deattack.c fingerprint.c \ - hostfile.c log.c match.c mpaux.c nchan.c packet.c readpass.c \ - rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c atomicio.c \ - key.c dispatch.c dsa.c kex.c hmac.c uuencode.c - -NOPROFILE= yes -NOPIC= yes - -install: - @echo -n - -.include - -.if (${KERBEROS} == "yes") -CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV -.if (${AFS} == "yes") -CFLAGS+= -DAFS -SRCS+= radix.c -.endif # AFS -.endif # KERBEROS - -.include diff -ruN --exclude CVS ssh-openbsd-2000050800/log-server.c openssh-2.0.0beta2/log-server.c --- ssh-openbsd-2000050800/log-server.c Sun Apr 16 12:53:10 2000 +++ openssh-2.0.0beta2/log-server.c Tue May 2 09:56:42 2000 @@ -22,6 +22,12 @@ #include "xmalloc.h" #include "ssh.h" +#ifdef HAVE___PROGNAME +extern char *__progname; +#else /* HAVE___PROGNAME */ +static const char *__progname = "sshd"; +#endif /* HAVE___PROGNAME */ + static LogLevel log_level = SYSLOG_LEVEL_INFO; static int log_on_stderr = 0; static int log_facility = LOG_AUTH; @@ -100,7 +106,6 @@ char fmtbuf[MSGBUFSIZ]; char *txt = NULL; int pri = LOG_INFO; - extern char *__progname; if (level > log_level) return; diff -ruN --exclude CVS ssh-openbsd-2000050800/login.c openssh-2.0.0beta2/login.c --- ssh-openbsd-2000050800/login.c Wed Apr 26 12:00:08 2000 +++ openssh-2.0.0beta2/login.c Mon May 1 22:53:53 2000 @@ -20,10 +20,24 @@ #include "includes.h" RCSID("$Id: login.c,v 1.13 2000/04/19 07:05:49 deraadt Exp $"); -#include -#include +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) +# include +#endif +#ifdef HAVE_UTMP_H +# include +#endif #include "ssh.h" +#ifdef HAVE_UTIL_H +# include +#endif +#ifdef HAVE_LASTLOG_H +# include +#endif +#ifdef HAVE_LOGIN_H +# include +#endif + /* * Returns the time when the user last logged in. Returns 0 if the * information is not available. This must be called before record_login. @@ -39,17 +53,28 @@ get_last_login_time(uid_t uid, const char *logname, char *buf, unsigned int bufsize) { +#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) struct lastlog ll; char *lastlog; int fd; +#ifdef LASTLOG_IS_DIR + char lbuf[1024]; +#endif /* LASTLOG_IS_DIR */ lastlog = _PATH_LASTLOG; buf[0] = '\0'; +#ifndef LASTLOG_IS_DIR fd = open(lastlog, O_RDONLY); if (fd < 0) return 0; lseek(fd, (off_t) ((long) uid * sizeof(ll)), SEEK_SET); +#else /* LASTLOG_IS_DIR */ + snprintf(lbuf, sizeof(buf), "%s/%s", lastlog, logname); + fd = open(lbuf, O_RDONLY); + if (fd < 0) + return 0; +#endif /* LASTLOG_IS_DIR */ if (read(fd, &ll, sizeof(ll)) != sizeof(ll)) { close(fd); return 0; @@ -60,6 +85,49 @@ strncpy(buf, ll.ll_host, bufsize - 1); buf[bufsize - 1] = 0; return ll.ll_time; + +#else /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ + /* Look in wtmp for the last login */ + struct utmp wt; + char *wt_file = _PATH_WTMP; + int fd1; + unsigned long t = 0; + + if ( (fd1 = open(wt_file, O_RDONLY)) < 0 ) { + error("Couldn't open %.100s to find last login time.", wt_file); + return 0; + } + + /* seek to last record of file */ + lseek(fd1, (off_t)(0-sizeof(struct utmp)), SEEK_END); + + /* loop through wtmp for our last user login record */ + do { + if (read(fd1, &wt, sizeof(wt)) != sizeof(wt)) { + close(fd1); + return 0; + } + + if ( wt.ut_type == USER_PROCESS) { + if ( !strncmp(logname, wt.ut_user, 8) ) { + t = (unsigned long) wt.ut_time; +#ifdef HAVE_HOST_IN_UTMP + if (bufsize > sizeof(wt.ut_host) + 1) + bufsize = sizeof(wt.ut_host) + 1; + strncpy(buf, wt.ut_host, bufsize - 1); + buf[bufsize - 1] = 0; +#else /* HAVE_HOST_IN_UTMP */ + buf[0] = 0; +#endif /* HAVE_HOST_IN_UTMP */ + } + } + + if (lseek(fd1, (off_t)(0-2*sizeof(struct utmp)), SEEK_CUR) == -1) + break; + } while (t == 0); + + return t; +#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ } /* @@ -71,28 +139,115 @@ record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid, const char *host, struct sockaddr * addr) { - int fd; +#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) struct lastlog ll; char *lastlog; +#ifdef LASTLOG_IS_DIR + char buf[1024]; +#endif /* LASTLOG_IS_DIR */ +#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ struct utmp u; - const char *utmp, *wtmp; +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) + struct utmpx utx; +#endif /* Construct an utmp/wtmp entry. */ memset(&u, 0, sizeof(u)); strncpy(u.ut_line, ttyname + 5, sizeof(u.ut_line)); - u.ut_time = time(NULL); +#if defined(HAVE_ID_IN_UTMP) +#ifdef _AIX + strncpy(u.ut_id, ttyname + 5, sizeof(u.ut_id)); +#else /* !AIX */ + strncpy(u.ut_id, ttyname + 8, sizeof(u.ut_id)); +#endif +#endif /* defined(HAVE_ID_IN_UTMP) */ strncpy(u.ut_name, user, sizeof(u.ut_name)); +#if defined(HAVE_TV_IN_UTMP) + (void)gettimeofday(&u.ut_tv, NULL); +#else /* defined(HAVE_TV_IN_UTMP) */ + u.ut_time = time(NULL); +#endif /* defined(HAVE_TV_IN_UTMP) */ +#if defined(HAVE_PID_IN_UTMP) + u.ut_pid = (pid_t)pid; +#endif /* HAVE_PID_IN_UTMP */ +#if defined(HAVE_TYPE_IN_UTMP) + u.ut_type = (uid == -1)?DEAD_PROCESS:USER_PROCESS; +#endif /* HAVE_TYPE_IN_UTMP */ +#if defined(HAVE_HOST_IN_UTMP) strncpy(u.ut_host, host, sizeof(u.ut_host)); +#endif +#if defined(HAVE_ADDR_IN_UTMP) + if (addr) { + switch (addr->sa_family) { + case AF_INET: { + struct sockaddr_in *in = (struct sockaddr_in*)addr; + memcpy(&(u.ut_addr), &(in->sin_addr), sizeof(&(in->sin_addr))); + break; + } +#if defined(HAVE_ADDR_V6_IN_UTMP) + case AF_INET6: { + struct sockaddr_in6 *in6 = (struct sockaddr_in6*)addr; + memcpy(u.ut_addr_v6, &(in6->sin6_addr), sizeof(&(in6->sin6_addr))); + break; + } +#endif + default: + break; + } + } +#endif - /* Figure out the file names. */ - utmp = _PATH_UTMP; - wtmp = _PATH_WTMP; +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) + memset(&utx, 0, sizeof(utx)); + strncpy(utx.ut_user, user, sizeof(utx.ut_name)); + strncpy(utx.ut_line, ttyname + 5, sizeof(utx.ut_line)); + strncpy(utx.ut_id, ttyname + 8, sizeof(utx.ut_id)); + utx.ut_pid = (pid_t)pid; + (void)gettimeofday(&utx.ut_tv, NULL); + utx.ut_type = (uid == -1)?DEAD_PROCESS:USER_PROCESS; +# ifdef HAVE_HOST_IN_UTMPX +# ifdef HAVE_SYSLEN_IN_UTMPX + utx.ut_syslen = strlen(host); + strncpy(utx.ut_host, host, utx.ut_syslen); +# else + strncpy(utx.ut_host, host, sizeof(utx.ut_host)); +# endif /* HAVE_SYSLEN_IN_UTMPX */ +# endif +#if defined(HAVE_ADDR_IN_UTMPX) + if (addr) { + switch (addr->sa_family) { + case AF_INET: { + struct sockaddr_in *in = (struct sockaddr_in*)addr; + memcpy(&(utx.ut_addr), &(in->sin_addr), sizeof(&(in->sin_addr))); + break; + } +#if defined(HAVE_ADDR_V6_IN_UTMPX) + case AF_INET6: { + struct sockaddr_in6 *in6 = (struct sockaddr_in6*)addr; + memcpy(utx.ut_addr_v6, &(in6->sin6_addr), sizeof(&(in6->sin6_addr))); + break; + } +#endif + default: + break; + } + } +#endif +#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ +/*#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) && !defined(HAVE_LOGIN)*/ +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) + login(&u, &utx); +#else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ login(&u); +#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ + +#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) lastlog = _PATH_LASTLOG; /* Update lastlog unless actually recording a logout. */ if (strcmp(user, "") != 0) { + int fd; /* * It is safer to bzero the lastlog structure first because * some systems might have some extra fields in it (e.g. SGI) @@ -103,14 +258,21 @@ ll.ll_time = time(NULL); strncpy(ll.ll_line, ttyname + 5, sizeof(ll.ll_line)); strncpy(ll.ll_host, host, sizeof(ll.ll_host)); +#ifdef LASTLOG_IS_DIR + snprintf(buf, sizeof(buf), "%s/%s", lastlog, user); + fd = open(buf, O_RDWR); + if (fd >= 0) { +#else /* LASTLOG_IS_DIR */ fd = open(lastlog, O_RDWR); if (fd >= 0) { lseek(fd, (off_t) ((long) uid * sizeof(ll)), SEEK_SET); +#endif /* LASTLOG_IS_DIR */ if (write(fd, &ll, sizeof(ll)) != sizeof(ll)) log("Could not write %.100s: %.100s", lastlog, strerror(errno)); close(fd); } } +#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ } /* Records that the user has logged out. */ @@ -118,7 +280,11 @@ void record_logout(pid_t pid, const char *ttyname) { +#ifdef HAVE_LIBUTIL_LOGIN const char *line = ttyname + 5; /* /dev/ttyq8 -> ttyq8 */ if (logout(line)) logwtmp(line, "", ""); +#else /* HAVE_LIBUTIL_LOGIN */ + record_login(pid, ttyname, "", -1, "", NULL); +#endif /* HAVE_LIBUTIL_LOGIN */ } diff -ruN --exclude CVS ssh-openbsd-2000050800/md5crypt.c openssh-2.0.0beta2/md5crypt.c --- ssh-openbsd-2000050800/md5crypt.c Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/md5crypt.c Sun Apr 16 12:31:51 2000 @@ -0,0 +1,159 @@ +/* + * ---------------------------------------------------------------------------- + * "THE BEER-WARE LICENSE" (Revision 42): + * wrote this file. As long as you retain this notice you + * can do whatever you want with this stuff. If we meet some day, and you think + * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp + * ---------------------------------------------------------------------------- + */ + +/* + * Ported from FreeBSD to Linux, only minimal changes. --marekm + */ + +/* + * Adapted from shadow-19990607 by Tudor Bosman, tudorb@jm.nu + */ + +#include "config.h" + +#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) + +#include +#include +#include + +static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */ + "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; + +static char *magic = "$1$"; /* + * This string is magic for + * this algorithm. Having + * it this way, we can get + * get better later on + */ + +static void +to64(char *s, unsigned long v, int n) +{ + while (--n >= 0) { + *s++ = itoa64[v&0x3f]; + v >>= 6; + } +} + +int +is_md5_salt(const char *salt) +{ + return (!strncmp(salt, magic, strlen(magic))); +} + +/* + * UNIX password + * + * Use MD5 for what it is best at... + */ + +char * +md5_crypt(const char *pw, const char *salt) +{ + static char passwd[120], *p; + static const char *sp,*ep; + unsigned char final[16]; + int sl,pl,i,j; + MD5_CTX ctx,ctx1; + unsigned long l; + + /* Refine the Salt first */ + sp = salt; + + /* If it starts with the magic string, then skip that */ + if(!strncmp(sp,magic,strlen(magic))) + sp += strlen(magic); + + /* It stops at the first '$', max 8 chars */ + for(ep=sp;*ep && *ep != '$' && ep < (sp+8);ep++) + continue; + + /* get the length of the true salt */ + sl = ep - sp; + + MD5_Init(&ctx); + + /* The password first, since that is what is most unknown */ + MD5_Update(&ctx,pw,strlen(pw)); + + /* Then our magic string */ + MD5_Update(&ctx,magic,strlen(magic)); + + /* Then the raw salt */ + MD5_Update(&ctx,sp,sl); + + /* Then just as many characters of the MD5(pw,salt,pw) */ + MD5_Init(&ctx1); + MD5_Update(&ctx1,pw,strlen(pw)); + MD5_Update(&ctx1,sp,sl); + MD5_Update(&ctx1,pw,strlen(pw)); + MD5_Final(final,&ctx1); + for(pl = strlen(pw); pl > 0; pl -= 16) + MD5_Update(&ctx,final,pl>16 ? 16 : pl); + + /* Don't leave anything around in vm they could use. */ + memset(final,0,sizeof final); + + /* Then something really weird... */ + for (j=0,i = strlen(pw); i ; i >>= 1) + if(i&1) + MD5_Update(&ctx, final+j, 1); + else + MD5_Update(&ctx, pw+j, 1); + + /* Now make the output string */ + strcpy(passwd,magic); + strncat(passwd,sp,sl); + strcat(passwd,"$"); + + MD5_Final(final,&ctx); + + /* + * and now, just to make sure things don't run too fast + * On a 60 Mhz Pentium this takes 34 msec, so you would + * need 30 seconds to build a 1000 entry dictionary... + */ + for(i=0;i<1000;i++) { + MD5_Init(&ctx1); + if(i & 1) + MD5_Update(&ctx1,pw,strlen(pw)); + else + MD5_Update(&ctx1,final,16); + + if(i % 3) + MD5_Update(&ctx1,sp,sl); + + if(i % 7) + MD5_Update(&ctx1,pw,strlen(pw)); + + if(i & 1) + MD5_Update(&ctx1,final,16); + else + MD5_Update(&ctx1,pw,strlen(pw)); + MD5_Final(final,&ctx1); + } + + p = passwd + strlen(passwd); + + l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p,l,4); p += 4; + l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p,l,4); p += 4; + l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p,l,4); p += 4; + l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p,l,4); p += 4; + l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p,l,4); p += 4; + l = final[11] ; to64(p,l,2); p += 2; + *p = '\0'; + + /* Don't leave anything around in vm they could use. */ + memset(final,0,sizeof final); + + return passwd; +} + +#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ diff -ruN --exclude CVS ssh-openbsd-2000050800/md5crypt.h openssh-2.0.0beta2/md5crypt.h --- ssh-openbsd-2000050800/md5crypt.h Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/md5crypt.h Tue Dec 28 15:09:36 1999 @@ -0,0 +1,30 @@ +/* + * ---------------------------------------------------------------------------- + * "THE BEER-WARE LICENSE" (Revision 42): + * wrote this file. As long as you retain this notice you + * can do whatever you want with this stuff. If we meet some day, and you think + * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp + * ---------------------------------------------------------------------------- + */ + +/* + * Ported from FreeBSD to Linux, only minimal changes. --marekm + */ + +/* + * Adapted from shadow-19990607 by Tudor Bosman, tudorb@jm.nu + */ + +#ifndef _MD5CRYPT_H +#define _MD5CRYPT_H + +#include "config.h" + +#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) + +int is_md5_salt(const char *salt); +char *md5_crypt(const char *pw, const char *salt); + +#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ + +#endif /* MD5CRYPT_H */ diff -ruN --exclude CVS ssh-openbsd-2000050800/pty.c openssh-2.0.0beta2/pty.c --- ssh-openbsd-2000050800/pty.c Sun Apr 16 12:53:11 2000 +++ openssh-2.0.0beta2/pty.c Thu Apr 20 23:12:59 2000 @@ -16,7 +16,10 @@ #include "includes.h" RCSID("$Id: pty.c,v 1.13 2000/04/14 10:30:32 markus Exp $"); -#include +#ifdef HAVE_UTIL_H +# include +#endif /* HAVE_UTIL_H */ + #include "pty.h" #include "ssh.h" @@ -25,6 +28,13 @@ #undef HAVE_DEV_PTMX #endif +#ifdef HAVE_PTY_H +# include +#endif +#if defined(HAVE_DEV_PTMX) && defined(HAVE_SYS_STROPTS_H) +# include +#endif + #ifndef O_NOCTTY #define O_NOCTTY 0 #endif @@ -74,7 +84,7 @@ } return 1; #else /* HAVE__GETPTY */ -#ifdef HAVE_DEV_PTMX +#if defined(HAVE_DEV_PTMX) /* * This code is used e.g. on Solaris 2.x. (Note that Solaris 2.3 * also has bsd-style ptys, but they simply do not work.) @@ -113,8 +123,10 @@ error("ioctl I_PUSH ptem: %.100s", strerror(errno)); if (ioctl(*ttyfd, I_PUSH, "ldterm") < 0) error("ioctl I_PUSH ldterm: %.100s", strerror(errno)); +#ifndef _HPUX_SOURCE if (ioctl(*ttyfd, I_PUSH, "ttcompat") < 0) error("ioctl I_PUSH ttcompat: %.100s", strerror(errno)); +#endif return 1; #else /* HAVE_DEV_PTMX */ #ifdef HAVE_DEV_PTS_AND_PTC @@ -189,6 +201,9 @@ pty_make_controlling_tty(int *ttyfd, const char *ttyname) { int fd; +#ifdef HAVE_VHANGUP + void *old; +#endif /* HAVE_VHANGUP */ /* First disconnect from the old controlling tty. */ #ifdef TIOCNOTTY @@ -220,12 +235,22 @@ */ ioctl(*ttyfd, TIOCSCTTY, NULL); #endif /* TIOCSCTTY */ +#ifdef HAVE_VHANGUP + old = signal(SIGHUP, SIG_IGN); + vhangup(); + signal(SIGHUP, old); +#endif /* HAVE_VHANGUP */ fd = open(ttyname, O_RDWR); - if (fd < 0) + if (fd < 0) { error("%.100s: %.100s", ttyname, strerror(errno)); - else + } else { +#ifdef HAVE_VHANGUP + close(*ttyfd); + *ttyfd = fd; +#else /* HAVE_VHANGUP */ close(fd); - +#endif /* HAVE_VHANGUP */ + } /* Verify that we now have a controlling tty. */ fd = open("/dev/tty", O_WRONLY); if (fd < 0) diff -ruN --exclude CVS ssh-openbsd-2000050800/rsa.c openssh-2.0.0beta2/rsa.c --- ssh-openbsd-2000050800/rsa.c Sun Apr 16 12:53:12 2000 +++ openssh-2.0.0beta2/rsa.c Sun Apr 16 11:18:45 2000 @@ -40,6 +40,7 @@ #include "rsa.h" #include "ssh.h" #include "xmalloc.h" +#include "entropy.h" int rsa_verbose = 1; @@ -48,6 +49,7 @@ { RSA *key; + seed_rng(); key = RSA_generate_key(32, 3, NULL, NULL); if (key == NULL) return (0); @@ -56,6 +58,21 @@ } /* + * Key generation progress meter callback + */ +void +keygen_progress(int p, int n, void *arg) +{ + const char progress_chars[] = ".o+O?"; + + if ((p < 0) || (p > (sizeof(progress_chars) - 2))) + p = sizeof(progress_chars) - 2; + + putchar(progress_chars[p]); + fflush(stdout); +} + +/* * Generates RSA public and private keys. This initializes the data * structures; they should be freed with rsa_clear_private_key and * rsa_clear_public_key. @@ -66,11 +83,16 @@ { RSA *key; + seed_rng(); + if (rsa_verbose) { printf("Generating RSA keys: "); fflush(stdout); + key = RSA_generate_key(bits, 35, keygen_progress, NULL); + printf("\n"); + } else { + key = RSA_generate_key(bits, 35, NULL, NULL); } - key = RSA_generate_key(bits, 35, NULL, NULL); if (key == NULL) fatal("rsa_generate_key: key generation failed."); diff -ruN --exclude CVS ssh-openbsd-2000050800/scp/Makefile openssh-2.0.0beta2/scp/Makefile --- ssh-openbsd-2000050800/scp/Makefile Fri Jan 7 09:16:38 2000 +++ openssh-2.0.0beta2/scp/Makefile Thu Jan 1 10:00:00 1970 @@ -1,18 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= scp -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=555 -.endif - -BINDIR= /usr/bin -MAN= scp.1 - -SRCS= scp.c - -.include diff -ruN --exclude CVS ssh-openbsd-2000050800/scp.c openssh-2.0.0beta2/scp.c --- ssh-openbsd-2000050800/scp.c Mon May 8 12:53:44 2000 +++ openssh-2.0.0beta2/scp.c Sun May 7 12:03:17 2000 @@ -84,7 +84,7 @@ int verbose_mode = 0; /* This is set to non-zero if compression is desired. */ -int compress = 0; +int compress_flag = 0; /* This is set to zero if the progressmeter is not desired. */ int showprogress = 1; @@ -158,7 +158,7 @@ args[i++] = "-oFallBackToRsh no"; if (verbose_mode) args[i++] = "-v"; - if (compress) + if (compress_flag) args[i++] = "-C"; if (batchmode) args[i++] = "-oBatchMode yes"; @@ -296,7 +296,7 @@ batchmode = 1; break; case 'C': - compress = 1; + compress_flag = 1; break; case 'q': showprogress = 0; @@ -954,22 +954,24 @@ { static FILE *fp; va_list ap; - va_start(ap, fmt); ++errs; if (fp == NULL && !(fp = fdopen(remout, "w"))) return; (void) fprintf(fp, "%c", 0x01); (void) fprintf(fp, "scp: "); + va_start(ap, fmt); (void) vfprintf(fp, fmt, ap); + va_end(ap); (void) fprintf(fp, "\n"); (void) fflush(fp); if (!iamremote) { + va_start(ap, fmt); vfprintf(stderr, fmt, ap); + va_end(ap); fprintf(stderr, "\n"); } - va_end(ap); } /* Stuff below is from BSD rcp util.c. */ @@ -1060,7 +1062,7 @@ c = *cp; if (c & 0200) goto bad; - if (!isalpha(c) && !isdigit(c) && c != '_' && c != '-' && c != '.') + if (!isalpha(c) && !isdigit(c) && c != '_' && c != '-') goto bad; } while (*++cp); return (1); @@ -1185,8 +1187,8 @@ i++; abbrevsize >>= 10; } - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5qd %c%c ", - (quad_t) abbrevsize, prefixes[i], prefixes[i] == ' ' ? ' ' : + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5d %c%c ", + (int) abbrevsize, prefixes[i], prefixes[i] == ' ' ? ' ' : 'B'); timersub(&now, &lastupdate, &wait); @@ -1230,7 +1232,11 @@ atomicio(write, fileno(stdout), buf, strlen(buf)); if (flag == -1) { - signal(SIGALRM, updateprogressmeter); + struct sigaction sa; + sa.sa_handler = updateprogressmeter; + sigemptyset(&sa.sa_mask); + sa.sa_flags = SA_RESTART; + sigaction(SIGALRM, &sa, NULL); alarmtimer(1); } else if (flag == 1) { alarmtimer(0); diff -ruN --exclude CVS ssh-openbsd-2000050800/serverloop.c openssh-2.0.0beta2/serverloop.c --- ssh-openbsd-2000050800/serverloop.c Mon May 8 12:53:45 2000 +++ openssh-2.0.0beta2/serverloop.c Sun May 7 12:03:18 2000 @@ -46,10 +46,15 @@ /* * This SIGCHLD kludge is used to detect when the child exits. The server * will exit after that, as soon as forwarded connections have terminated. + * + * After SIGCHLD child_has_selected is set to 1 after the first pass + * through the wait_until_can_do_something() select(). This ensures + * that the child's output gets a chance to drain before it is yanked. */ static pid_t child_pid; /* Pid of the child. */ static volatile int child_terminated; /* The child has terminated. */ +static volatile int child_has_selected; /* Child has had chance to drain. */ static volatile int child_wait_status; /* Status from wait(). */ void server_init_dispatch(void); @@ -69,6 +74,7 @@ if (WIFEXITED(child_wait_status) || WIFSIGNALED(child_wait_status)) child_terminated = 1; + child_has_selected = 0; } signal(SIGCHLD, sigchld_handler); errno = save_errno; @@ -232,6 +238,9 @@ else goto retry_select; } + + if (child_terminated) + child_has_selected = 1; } /* @@ -380,6 +389,7 @@ /* Initialize the SIGCHLD kludge. */ child_pid = pid; child_terminated = 0; + child_has_selected = 0; signal(SIGCHLD, sigchld_handler); /* Initialize our global variables. */ @@ -477,8 +487,11 @@ * descriptors, and we have no more data to send to the * client, and there is no pending buffered data. */ - if (fdout_eof && fderr_eof && !packet_have_data_to_write() && - buffer_len(&stdout_buffer) == 0 && buffer_len(&stderr_buffer) == 0) { + if (((fdout_eof && fderr_eof) || + (child_terminated && child_has_selected)) && + !packet_have_data_to_write() && + (buffer_len(&stdout_buffer) == 0) && + (buffer_len(&stderr_buffer) == 0)) { if (!channel_still_open()) break; if (!waiting_termination) { diff -ruN --exclude CVS ssh-openbsd-2000050800/session.c openssh-2.0.0beta2/session.c --- ssh-openbsd-2000050800/session.c Mon May 8 12:53:46 2000 +++ openssh-2.0.0beta2/session.c Sun May 7 12:03:18 2000 @@ -68,7 +68,12 @@ /* import */ extern ServerOptions options; +#ifdef HAVE___PROGNAME extern char *__progname; +#else /* HAVE___PROGNAME */ +static const char *__progname = "sshd"; +#endif /* HAVE___PROGNAME */ + extern int log_stderr; extern int debug_flag; @@ -397,6 +402,10 @@ session_proctitle(s); +#ifdef USE_PAM + do_pam_setcred(); +#endif /* USE_PAM */ + /* Fork the child. */ if ((pid = fork()) == 0) { /* Child. Reinitialize the log since the pid has changed. */ @@ -522,6 +531,11 @@ buf, sizeof(buf)); } +#ifdef USE_PAM + do_pam_session(pw->pw_name, s->tty); + do_pam_setcred(); +#endif /* USE_PAM */ + /* Fork the child. */ if ((pid = fork()) == 0) { pid = getpid(); @@ -574,6 +588,11 @@ snprintf(line, sizeof line, "%.200s/.hushlogin", pw->pw_dir); quiet_login = stat(line, &st) >= 0; +#ifdef USE_PAM + if (!quiet_login) + print_pam_messages(); +#endif /* USE_PAM */ + /* * If the user has logged in before, display the time of last * login. However, don't display anything extra if a command @@ -725,6 +744,38 @@ fclose(f); } +#ifdef USE_PAM +/* + * Sets any environment variables which have been specified by PAM + */ +void do_pam_environment(char ***env, int *envsize) +{ + char *equals, var_name[512], var_val[512]; + char **pam_env; + int i; + + if ((pam_env = fetch_pam_environment()) == NULL) + return; + + for(i = 0; pam_env[i] != NULL; i++) { + if ((equals = strstr(pam_env[i], "=")) == NULL) + continue; + + if (strlen(pam_env[i]) < (sizeof(var_name) - 1)) { + memset(var_name, '\0', sizeof(var_name)); + memset(var_val, '\0', sizeof(var_val)); + + strncpy(var_name, pam_env[i], equals - pam_env[i]); + strcpy(var_val, equals + 1); + + debug("PAM environment: %s=%s", var_name, var_val); + + child_set_env(env, envsize, var_name, var_val); + } + } +} +#endif /* USE_PAM */ + /* * Performs common processing for the child, such as setting up the * environment, closing extra file descriptors, setting the user and group @@ -744,6 +795,7 @@ struct stat st; char *argv[10]; +#ifndef USE_PAM /* pam_nologin handles this */ f = fopen("/etc/nologin", "r"); if (f) { /* /etc/nologin exists. Print its contents and exit. */ @@ -753,6 +805,8 @@ if (pw->pw_uid != 0) exit(254); } +#endif /* USE_PAM */ + /* Set login name in the kernel. */ if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); @@ -845,6 +899,18 @@ if (display) child_set_env(&env, &envsize, "DISPLAY", display); +#ifdef _AIX + { + char *authstate,*krb5cc; + + if ((authstate = getenv("AUTHSTATE")) != NULL) + child_set_env(&env,&envsize,"AUTHSTATE",authstate); + + if ((krb5cc = getenv("KRB5CCNAME")) != NULL) + child_set_env(&env,&envsize,"KRB5CCNAME",krb5cc); + } +#endif + #ifdef KRB4 { extern char *ticket; @@ -853,6 +919,13 @@ child_set_env(&env, &envsize, "KRBTKFILE", ticket); } #endif /* KRB4 */ + +#ifdef USE_PAM + /* Pull in any environment variables that may have been set by PAM. */ + do_pam_environment(&env, &envsize); +#endif /* USE_PAM */ + + read_environment_file(&env,&envsize,"/etc/environment"); if (xauthfile) child_set_env(&env, &envsize, "XAUTHORITY", xauthfile); diff -ruN --exclude CVS ssh-openbsd-2000050800/ssh/Makefile openssh-2.0.0beta2/ssh/Makefile --- ssh-openbsd-2000050800/ssh/Makefile Sun Apr 30 09:49:54 2000 +++ openssh-2.0.0beta2/ssh/Makefile Thu Jan 1 10:00:00 1970 @@ -1,37 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= ssh -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=4555 -.endif - -BINDIR= /usr/bin -MAN= ssh.1 -LINKS= ${BINDIR}/ssh ${BINDIR}/slogin -MLINKS= ssh.1 slogin.1 - -SRCS= ssh.c log-client.c readconf.c clientloop.c \ - sshconnect.c sshconnect1.c sshconnect2.c - -.include # for AFS - -.if (${KERBEROS} == "yes") -CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV -LDADD+= -lkrb -DPADD+= ${LIBKRB} -.if (${AFS} == "yes") -CFLAGS+= -DAFS -LDADD+= -lkafs -DPADD+= ${LIBKRBAFS} -.endif # AFS -.endif # KERBEROS - -.include - -LDADD+= -lutil -lz -lcrypto -DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} diff -ruN --exclude CVS ssh-openbsd-2000050800/ssh-add/Makefile openssh-2.0.0beta2/ssh-add/Makefile --- ssh-openbsd-2000050800/ssh-add/Makefile Fri Jan 7 09:17:25 2000 +++ openssh-2.0.0beta2/ssh-add/Makefile Thu Jan 1 10:00:00 1970 @@ -1,21 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= ssh-add -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=555 -.endif - -BINDIR= /usr/bin -MAN= ssh-add.1 - -SRCS= ssh-add.c log-client.c - -.include - -LDADD+= -lcrypto -lutil -lz -DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} diff -ruN --exclude CVS ssh-openbsd-2000050800/ssh-add.1 openssh-2.0.0beta2/ssh-add.1 --- ssh-openbsd-2000050800/ssh-add.1 Mon May 8 12:53:46 2000 +++ openssh-2.0.0beta2/ssh-add.1 Sun May 7 12:03:18 2000 @@ -100,8 +100,7 @@ This version of OpenSSH .Bl -bullet .It -has all components of a restrictive nature (i.e., patents, see -.Xr ssl 8 ) +has all components of a restrictive nature (i.e., patents) directly removed from the source code; any licensed or patented components are chosen from external libraries. @@ -115,13 +114,8 @@ supports one-time password authentication with .Xr skey 1 . .El -.Pp -The libraries described in -.Xr ssl 8 -are required for proper operation. .Sh SEE ALSO .Xr ssh 1 , .Xr ssh-agent 1 , .Xr ssh-keygen 1 , .Xr sshd 8 , -.Xr ssl 8 diff -ruN --exclude CVS ssh-openbsd-2000050800/ssh-add.c openssh-2.0.0beta2/ssh-add.c --- ssh-openbsd-2000050800/ssh-add.c Sun Apr 30 09:49:52 2000 +++ openssh-2.0.0beta2/ssh-add.c Mon May 1 20:59:50 2000 @@ -20,6 +20,12 @@ #include "key.h" #include "authfile.h" +#ifdef HAVE___PROGNAME +extern char *__progname; +#else /* HAVE___PROGNAME */ +static const char *__progname = "ssh-add"; +#endif /* HAVE___PROGNAME */ + void delete_file(AuthenticationConnection *ac, const char *filename) { @@ -206,8 +212,6 @@ /* check if RSA support exists */ if (rsa_alive() == 0) { - extern char *__progname; - fprintf(stderr, "%s: no RSA support in libssl and libcrypto. See ssl(8).\n", __progname); diff -ruN --exclude CVS ssh-openbsd-2000050800/ssh-agent/Makefile openssh-2.0.0beta2/ssh-agent/Makefile --- ssh-openbsd-2000050800/ssh-agent/Makefile Fri Jan 7 09:17:40 2000 +++ openssh-2.0.0beta2/ssh-agent/Makefile Thu Jan 1 10:00:00 1970 @@ -1,21 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= ssh-agent -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=555 -.endif - -BINDIR= /usr/bin -MAN= ssh-agent.1 - -SRCS= ssh-agent.c log-client.c - -.include - -LDADD+= -lcrypto -lutil -lz -DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} diff -ruN --exclude CVS ssh-openbsd-2000050800/ssh-agent.1 openssh-2.0.0beta2/ssh-agent.1 --- ssh-openbsd-2000050800/ssh-agent.1 Mon May 8 12:53:46 2000 +++ openssh-2.0.0beta2/ssh-agent.1 Sun May 7 12:03:18 2000 @@ -144,8 +144,7 @@ This version of OpenSSH .Bl -bullet .It -has all components of a restrictive nature (i.e., patents, see -.Xr ssl 8 ) +has all components of a restrictive nature (i.e., patents) directly removed from the source code; any licensed or patented components are chosen from external libraries. @@ -160,12 +159,8 @@ .Xr skey 1 . .El .Pp -The libraries described in -.Xr ssl 8 -are required for proper operation. .Sh SEE ALSO .Xr ssh 1 , .Xr ssh-add 1 , .Xr ssh-keygen 1 , .Xr sshd 8 , -.Xr ssl 8 diff -ruN --exclude CVS ssh-openbsd-2000050800/ssh-agent.c openssh-2.0.0beta2/ssh-agent.c --- ssh-openbsd-2000050800/ssh-agent.c Sun Apr 30 09:49:52 2000 +++ openssh-2.0.0beta2/ssh-agent.c Mon May 1 20:59:51 2000 @@ -52,7 +52,11 @@ char socket_name[1024]; char socket_dir[1024]; +#ifdef HAVE___PROGNAME extern char *__progname; +#else /* HAVE___PROGNAME */ +static const char *__progname = "ssh-agent"; +#endif /* HAVE___PROGNAME */ void process_request_identity(SocketEntry *e) @@ -511,7 +515,11 @@ __progname); exit(1); } +#ifdef __GNU_LIBRARY__ + while ((ch = getopt(ac, av, "+cks")) != -1) { +#else /* __GNU_LIBRARY__ */ while ((ch = getopt(ac, av, "cks")) != -1) { +#endif /* __GNU_LIBRARY__ */ switch (ch) { case 'c': if (s_flag) diff -ruN --exclude CVS ssh-openbsd-2000050800/ssh-keygen/Makefile openssh-2.0.0beta2/ssh-keygen/Makefile --- ssh-openbsd-2000050800/ssh-keygen/Makefile Fri Jan 7 09:17:51 2000 +++ openssh-2.0.0beta2/ssh-keygen/Makefile Thu Jan 1 10:00:00 1970 @@ -1,21 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= ssh-keygen -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=555 -.endif - -BINDIR= /usr/bin -MAN= ssh-keygen.1 - -SRCS= ssh-keygen.c log-client.c - -.include - -LDADD+= -lcrypto -lutil -lz -DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} diff -ruN --exclude CVS ssh-openbsd-2000050800/ssh-keygen.1 openssh-2.0.0beta2/ssh-keygen.1 --- ssh-openbsd-2000050800/ssh-keygen.1 Mon May 8 12:53:46 2000 +++ openssh-2.0.0beta2/ssh-keygen.1 Sun May 7 12:03:18 2000 @@ -199,8 +199,7 @@ This version of OpenSSH .Bl -bullet .It -has all components of a restrictive nature (i.e., patents, see -.Xr ssl 8 ) +has all components of a restrictive nature (i.e., patents) directly removed from the source code; any licensed or patented components are chosen from external libraries. @@ -214,13 +213,8 @@ supports one-time password authentication with .Xr skey 1 . .El -.Pp -The libraries described in -.Xr ssl 8 -are required for proper operation. .Sh SEE ALSO .Xr ssh 1 , .Xr ssh-add 1 , .Xr ssh-agent 1 , .Xr sshd 8 , -.Xr ssl 8 diff -ruN --exclude CVS ssh-openbsd-2000050800/ssh-keygen.c openssh-2.0.0beta2/ssh-keygen.c --- ssh-openbsd-2000050800/ssh-keygen.c Mon May 8 12:53:46 2000 +++ openssh-2.0.0beta2/ssh-keygen.c Sun May 7 12:03:19 2000 @@ -63,7 +63,11 @@ int dsa_mode = 0; /* argv0 */ +#ifdef HAVE___PROGNAME extern char *__progname; +#else /* HAVE___PROGNAME */ +static const char *__progname = "ssh-keygen"; +#endif /* HAVE___PROGNAME */ char hostname[MAXHOSTNAMELEN]; diff -ruN --exclude CVS ssh-openbsd-2000050800/ssh.1 openssh-2.0.0beta2/ssh.1 --- ssh-openbsd-2000050800/ssh.1 Mon May 8 12:53:48 2000 +++ openssh-2.0.0beta2/ssh.1 Sun May 7 12:03:19 2000 @@ -1179,8 +1179,7 @@ This version of OpenSSH .Bl -bullet .It -has all components of a restrictive nature (i.e., patents, see -.Xr ssl 8 ) +has all components of a restrictive nature (i.e., patents) directly removed from the source code; any licensed or patented components are chosen from external libraries. @@ -1196,10 +1195,6 @@ .Xr skey 1 . .El .Pp -The libraries described in -.Xr ssl 8 -are required for proper operation. -.Pp OpenSSH has been created by Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song. .Pp @@ -1213,4 +1208,3 @@ .Xr ssh-keygen 1 , .Xr telnet 1 , .Xr sshd 8 , -.Xr ssl 8 diff -ruN --exclude CVS ssh-openbsd-2000050800/ssh.c openssh-2.0.0beta2/ssh.c --- ssh-openbsd-2000050800/ssh.c Sun Apr 30 09:49:52 2000 +++ openssh-2.0.0beta2/ssh.c Mon May 1 20:59:51 2000 @@ -31,11 +31,19 @@ #include "key.h" #include "authfile.h" +#ifdef HAVE___PROGNAME extern char *__progname; +#else /* HAVE___PROGNAME */ +static const char *__progname = "ssh"; +#endif /* HAVE___PROGNAME */ /* Flag indicating whether IPv4 or IPv6. This can be set on the command line. Default value is AF_UNSPEC means both IPv4 and IPv6. */ +#ifdef IPV4_DEFAULT +int IPv4or6 = AF_INET; +#else int IPv4or6 = AF_UNSPEC; +#endif /* Flag indicating whether debug mode is on. This can be set on the command line. */ int debug_flag = 0; @@ -421,11 +429,11 @@ if (!host) usage(); - OpenSSL_add_all_algorithms(); - /* Initialize the command to execute on remote host. */ buffer_init(&command); + OpenSSL_add_all_algorithms(); + /* * Save the command to execute on the remote host in a buffer. There * is no limit on the length of the command, except by the maximum diff -ruN --exclude CVS ssh-openbsd-2000050800/ssh.h openssh-2.0.0beta2/ssh.h --- ssh-openbsd-2000050800/ssh.h Mon May 8 12:53:48 2000 +++ openssh-2.0.0beta2/ssh.h Sun May 7 12:03:19 2000 @@ -18,6 +18,14 @@ #ifndef SSH_H #define SSH_H +#include /* For struct sockaddr_in */ +#include /* For struct pw */ +#include /* For va_list */ +#include /* For struct sockaddr_storage */ +#include "fake-socket.h" /* For struct sockaddr_storage */ +#ifdef HAVE_SYS_SELECT_H +# include +#endif #include "rsa.h" #include "cipher.h" @@ -63,8 +71,17 @@ */ #define SSH_SERVICE_NAME "ssh" +#if defined(USE_PAM) && !defined(SSHD_PAM_SERVICE) +# define SSHD_PAM_SERVICE "sshd" +#endif + +#ifndef ETCDIR #define ETCDIR "/etc" +#endif /* ETCDIR */ + +#ifndef PIDDIR #define PIDDIR "/var/run" +#endif /* PIDDIR */ /* * System-wide file containing host keys of known hosts. This file should be @@ -82,7 +99,17 @@ #define HOST_CONFIG_FILE ETCDIR "/ssh_config" #define HOST_DSA_KEY_FILE ETCDIR "/ssh_host_dsa_key" -#define SSH_PROGRAM "/usr/bin/ssh" +#ifndef SSH_PROGRAM +#define SSH_PROGRAM "/usr/bin/ssh" +#endif /* SSH_PROGRAM */ + +#ifndef LOGIN_PROGRAM +#define LOGIN_PROGRAM "/usr/bin/login" +#endif /* LOGIN_PROGRAM */ + +#ifndef ASKPASS_PROGRAM +#define ASKPASS_PROGRAM "/usr/lib/ssh/ssh-askpass" +#endif /* ASKPASS_PROGRAM */ /* * The process id of the daemon listening for connections is saved here to @@ -97,6 +124,16 @@ #define SSH_USER_DIR ".ssh" /* + * Relevant only when using builtin PRNG. + */ +#ifndef SSH_PRNG_SEED_FILE +# define SSH_PRNG_SEED_FILE SSH_USER_DIR"/prng_seed" +#endif /* SSH_PRNG_SEED_FILE */ +#ifndef SSH_PRNG_COMMAND_FILE +# define SSH_PRNG_COMMAND_FILE ETCDIR "/ssh_prng_cmds" +#endif /* SSH_PRNG_COMMAND_FILE */ + +/* * Per-user file containing host keys of known hosts. This file need not be * readable by anyone except the user him/herself, though this does not * contain anything particularly secret. @@ -161,7 +198,9 @@ * Default path to ssh-askpass used by ssh-add, * environment variable for overwriting the default location */ -#define SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass" +#ifndef SSH_ASKPASS_DEFAULT +# define SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass" +#endif #define SSH_ASKPASS_ENV "SSH_ASKPASS" /* @@ -503,5 +542,9 @@ /* AF_UNSPEC or AF_INET or AF_INET6 */ extern int IPv4or6; + +#ifdef USE_PAM +#include "auth-pam.h" +#endif /* USE_PAM */ #endif /* SSH_H */ diff -ruN --exclude CVS ssh-openbsd-2000050800/ssh_config openssh-2.0.0beta2/ssh_config --- ssh-openbsd-2000050800/ssh_config Wed Apr 19 16:04:01 2000 +++ openssh-2.0.0beta2/ssh_config Thu Apr 20 23:32:48 2000 @@ -27,5 +27,11 @@ # IdentityFile ~/.ssh/identity # Port 22 # Protocol 2,1 -# Cipher blowfish +# Cipher 3des # EscapeChar ~ + +# Be paranoid by default +Host * + ForwardAgent no + ForwardX11 no + FallBackToRsh no diff -ruN --exclude CVS ssh-openbsd-2000050800/ssh_prng_cmds.in openssh-2.0.0beta2/ssh_prng_cmds.in --- ssh-openbsd-2000050800/ssh_prng_cmds.in Thu Jan 1 10:00:00 1970 +++ openssh-2.0.0beta2/ssh_prng_cmds.in Tue May 2 09:57:51 2000 @@ -0,0 +1,50 @@ +# entropy gathering commands + +# Format is: "program-name args" path rate + +# The "rate" represents the number of bits of usuable entropy per +# byte of command output. Be conservative. + +"ls -alni /var/log" @PROG_LS@ 0.002 +"ls -alni /var/adm" @PROG_LS@ 0.002 +"ls -alni /var/mail" @PROG_LS@ 0.002 +"ls -alni /var/spool/mail" @PROG_LS@ 0.002 +"ls -alni /proc" @PROG_LS@ 0.002 +"ls -alni /tmp" @PROG_LS@ 0.002 + +"netstat -an" @PROG_NETSTAT@ 0.005 +"netstat -in" @PROG_NETSTAT@ 0.010 +"netstat -rn" @PROG_NETSTAT@ 0.002 +"netstat -s" @PROG_NETSTAT@ 0.002 + +"arp -a -n" @PROG_ARP@ 0.002 + +"ifconfig -a" @PROG_IFCONFIG@ 0.002 + +"ps laxww" @PROG_PS@ 0.003 +"ps -al" @PROG_PS@ 0.003 +"ps -efl" @PROG_PS@ 0.003 + +"w" @PROG_W@ 0.005 + +"who -i" @PROG_WHO@ 0.001 + +"last" @PROG_LAST@ 0.001 + +"lastlog" @PROG_LASTLOG@ 0.001 + +"df" @PROG_DF@ 0.010 +"df -i" @PROG_DF@ 0.010 + +"vmstat" @PROG_VMSTAT@ 0.010 +"uptime" @PROG_UPTIME@ 0.001 + +"ipcs -a" @PROG_IPCS@ 0.001 + +"tail -200 /var/log/messages" @PROG_TAIL@ 0.001 +"tail -200 /var/log/syslog" @PROG_TAIL@ 0.001 +"tail -200 /var/adm/messages" @PROG_TAIL@ 0.001 +"tail -200 /var/adm/syslog" @PROG_TAIL@ 0.001 +"tail -200 /var/adm/syslog/syslog.log" @PROG_TAIL@ 0.001 +"tail -200 /var/log/maillog" @PROG_TAIL@ 0.001 +"tail -200 /var/adm/maillog" @PROG_TAIL@ 0.001 diff -ruN --exclude CVS ssh-openbsd-2000050800/sshconnect.c openssh-2.0.0beta2/sshconnect.c --- ssh-openbsd-2000050800/sshconnect.c Mon May 8 12:53:48 2000 +++ openssh-2.0.0beta2/sshconnect.c Sun May 7 12:03:19 2000 @@ -30,7 +30,11 @@ char *server_version_string = NULL; extern Options options; +#ifdef HAVE___PROGNAME extern char *__progname; +#else /* HAVE___PROGNAME */ +static const char *__progname = "ssh"; +#endif /* HAVE___PROGNAME */ /* * Connect to the given ssh server using a proxy command. @@ -251,7 +255,7 @@ temporarily_use_uid(original_real_uid); if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) { /* Successful connection. */ - memcpy(hostaddr, ai->ai_addr, sizeof(*hostaddr)); + memcpy(hostaddr, ai->ai_addr, sizeof(*(ai->ai_addr))); restore_uid(); break; } else { @@ -467,6 +471,7 @@ HostStatus host_status; HostStatus ip_status; int local = 0, host_ip_differ = 0; + int salen; char ntop[NI_MAXHOST]; /* @@ -481,12 +486,15 @@ switch (hostaddr->sa_family) { case AF_INET: local = (ntohl(((struct sockaddr_in *)hostaddr)->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET; + salen = sizeof(struct sockaddr_in); break; case AF_INET6: local = IN6_IS_ADDR_LOOPBACK(&(((struct sockaddr_in6 *)hostaddr)->sin6_addr)); + salen = sizeof(struct sockaddr_in6); break; default: local = 0; + salen = sizeof(struct sockaddr_storage); break; } if (local) { @@ -502,7 +510,7 @@ options.check_host_ip = 0; if (options.check_host_ip) { - if (getnameinfo(hostaddr, hostaddr->sa_len, ntop, sizeof(ntop), + if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0) fatal("check_host_key: getnameinfo failed"); ip = xstrdup(ntop); diff -ruN --exclude CVS ssh-openbsd-2000050800/sshd/Makefile openssh-2.0.0beta2/sshd/Makefile --- ssh-openbsd-2000050800/sshd/Makefile Sun Apr 30 09:49:54 2000 +++ openssh-2.0.0beta2/sshd/Makefile Thu Jan 1 10:00:00 1970 @@ -1,46 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= sshd -BINOWN= root -BINMODE=555 -BINDIR= /usr/sbin -MAN= sshd.8 - -SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \ - pty.c log-server.c login.c servconf.c serverloop.c \ - auth.c auth1.c auth2.c session.c - -.include # for KERBEROS and AFS - -.if (${KERBEROS} == "yes") -.if (${AFS} == "yes") -CFLAGS+= -DAFS -LDADD+= -lkafs -DPADD+= ${LIBKRBAFS} -.endif # AFS -CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV -SRCS+= auth-krb4.c -LDADD+= -lkrb -DPADD+= ${LIBKRB} -.endif # KERBEROS - -.if (${SKEY} == "yes") -SRCS+= auth-skey.c -.endif - -.include - -LDADD+= -lcrypto -lutil -lz -DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} - -.if (${TCP_WRAPPERS} == "yes") -CFLAGS+= -DLIBWRAP -LDADD+= -lwrap -DPADD+= ${LIBWRAP} -.endif - -.if (${SKEY} == "yes") -CFLAGS+= -DSKEY -LDADD+= -lskey -DPADD+= ${SKEY} -.endif diff -ruN --exclude CVS ssh-openbsd-2000050800/sshd.8 openssh-2.0.0beta2/sshd.8 --- ssh-openbsd-2000050800/sshd.8 Mon May 8 12:53:49 2000 +++ openssh-2.0.0beta2/sshd.8 Sun May 7 12:03:20 2000 @@ -951,8 +951,7 @@ This version of OpenSSH .Bl -bullet .It -has all components of a restrictive nature (i.e., patents, see -.Xr ssl 8 ) +has all components of a restrictive nature (i.e., patents) directly removed from the source code; any licensed or patented components are chosen from external libraries. @@ -968,10 +967,6 @@ .Xr skey 1 . .El .Pp -The libraries described in -.Xr ssl 8 -are required for proper operation. -.Pp OpenSSH has been created by Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song. .Pp @@ -982,6 +977,5 @@ .Xr ssh-add 1 , .Xr ssh-agent 1 , .Xr ssh-keygen 1 , -.Xr ssl 8 , .Xr rlogin 1 , .Xr rsh 1 diff -ruN --exclude CVS ssh-openbsd-2000050800/sshd.c openssh-2.0.0beta2/sshd.c --- ssh-openbsd-2000050800/sshd.c Mon May 8 12:53:50 2000 +++ openssh-2.0.0beta2/sshd.c Sun May 7 12:03:20 2000 @@ -63,7 +63,11 @@ * Flag indicating whether IPv4 or IPv6. This can be set on the command line. * Default value is AF_UNSPEC means both IPv4 and IPv6. */ +#ifdef IPV4_DEFAULT +int IPv4or6 = AF_INET; +#else int IPv4or6 = AF_UNSPEC; +#endif /* * Debug mode flag. This can be set on the command line. If debug @@ -698,7 +702,8 @@ debug("Bind to port %s on %s.", strport, ntop); /* Bind the socket to the desired port. */ - if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { + if ((bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) && + (!ai->ai_next)) { error("Bind to port %s on %s failed: %.200s.", strport, ntop, strerror(errno)); close(listen_sock); @@ -956,6 +961,11 @@ /* The connection has been terminated. */ verbose("Closing connection to %.100s", remote_ip); + +#ifdef USE_PAM + finish_pam(); +#endif /* USE_PAM */ + packet_close(); exit(0); } diff -ruN --exclude CVS ssh-openbsd-2000050800/sshd_config openssh-2.0.0beta2/sshd_config --- ssh-openbsd-2000050800/sshd_config Wed Apr 19 16:04:02 2000 +++ openssh-2.0.0beta2/sshd_config Wed Apr 19 16:26:16 2000 @@ -2,7 +2,7 @@ Port 22 #Protocol 2,1 -#ListenAddress 0.0.0.0 +ListenAddress 0.0.0.0 #ListenAddress :: HostKey /etc/ssh_host_key ServerKeyBits 768 @@ -47,5 +47,5 @@ # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes -#CheckMail yes -#UseLogin no +CheckMail no +UseLogin no diff -ruN --exclude CVS ssh-openbsd-2000050800/uidswap.c openssh-2.0.0beta2/uidswap.c --- ssh-openbsd-2000050800/uidswap.c Sun Apr 16 12:53:18 2000 +++ openssh-2.0.0beta2/uidswap.c Sun Apr 16 11:18:49 2000 @@ -25,10 +25,11 @@ /* Lets assume that posix saved ids also work with seteuid, even though that is not part of the posix specification. */ #define SAVED_IDS_WORK_WITH_SETEUID -#endif /* _POSIX_SAVED_IDS */ /* Saved effective uid. */ static uid_t saved_euid = 0; + +#endif /* _POSIX_SAVED_IDS */ /* * Temporarily changes to the given uid. If the effective user