diff -ruN --exclude CVS ssh-openbsd-2000070100/COPYING.Ylonen openssh-2.1.1p2/COPYING.Ylonen
--- ssh-openbsd-2000070100/COPYING.Ylonen Wed Oct 6 16:53:34 1999
+++ openssh-2.1.1p2/COPYING.Ylonen Sat Oct 30 09:46:20 1999
@@ -24,7 +24,7 @@
 [ The make-ssh-known-hosts script is no longer included. ]
 [ TSS has been removed. ]
 [ MD5 is now external. ]
-[ RC4 support has been removed. ]
+[ RC4 support has been removed (RC4 is used internally for arc4random). ]
 [ Blowfish is now external. ]

 The 32-bit CRC implementation in crc32.c is due to Gary S. Brown.
diff -ruN --exclude CVS ssh-openbsd-2000070100/CREDITS openssh-2.1.1p2/CREDITS
--- ssh-openbsd-2000070100/CREDITS Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/CREDITS Wed Jun 28 15:22:41 2000
@@ -0,0 +1,67 @@
+Tatu Ylonen - Creator of SSH
+
+Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
+Theo de Raadt, and Dug Song - Creators of OpenSSH
+
+Andre Lucas - new login code, many fixes
+Andreas Steinmetz - Shadow password expiry support
+Andrew McGill - SCO fixes
+Andrew Stribblehill - Bugfixes
+Andy Sloane - bugfixes
+Arkadiusz Miskiewicz - IPv6 compat fixes
+Ben Lindstrom - NeXT support
+Ben Taylor - Solaris debugging and fixes
+Bratislav ILICH - Configure fix
+Chip Salzenberg - Assorted patches
+Chris Adams - OSF SIA support
+Chris Saia - SuSE packaging
+Chris, the Young One - Password auth fixes
+Christos Zoulas - Autoconf fixes
+Chun-Chung Chen - RPM fixes
+Dan Brosemer - Autoconf support, build fixes
+Darren Hall - AIX patches
+David Agraz - Build fixes
+David Del Piero - bug fixes
+David Hesprich - Configure fixes
+David Rankin - libwrap, AIX, NetBSD fixes
+Ed Eden - configure fixes
+Garrick James - configure fixes
+Gary E. Miller - SCO support
+Ged Lodder - HPUX fixes and enhancements
+Gert Doering - bug and portability fixes
+HARUYAMA Seigo - Translations & doc fixes
+Hideaki YOSHIFUJI - IPv6 and bug fixes
+Hiroshi Takekawa - Configure fixes
+Holger Trapp - KRB4/AFS config patch
+IWAMURO Motonori - bugfixes
+Jani Hakala - Patches
+Jarno Huuskonen - Bugfixes
+Jim Knoble - Many patches
+Jonchen (email unknown) - the original author of PAM support of SSH
+Juergen Keil - scp bugfixing
+Kees Cook - scp fixes
+Kenji Miyake - Configure fixes
+Kevin O'Connor - RSAless operation
+Kiyokazu SUTO - Bugfixes
+Lutz Jaenicke - Bugfixes
+Marc G. Fournier - Solaris patches
+Matt Richards - AIX patches
+Michael Stone - Irix enhancements
+Nalin Dahyabhai - PAM environment patch
+Niels Kristian Bech Jensen - Assorted patches
+Peter Kocks - Makefile fixes
+Phil Hands - Debian scripts, assorted patches
+Phil Karn - Autoconf fix
+Phill Camp - login code fix
+SAKAI Kiyotaka - Multiple bugfixes
+Simon Wilkinson - PAM fixes
+Svante Signell - Bugfixes
+Thomas Neumann - Shadow passwords
+Tom Bertelson's - AIX auth fixes
+Tor-Ake Fransson - AIX support
+Tudor Bosman - MD5 password support
+Zack Weinberg - GNOME askpass enhancement
+
+Apologies to anyone I have missed.
+
+Damien Miller
diff -ruN --exclude CVS ssh-openbsd-2000070100/ChangeLog openssh-2.1.1p2/ChangeLog
--- ssh-openbsd-2000070100/ChangeLog Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/ChangeLog Sat Jul 1 19:42:32 2000
@@ -0,0 +1,1763 @@ +20000701 + - (djm) Fix Tru64 SIA problems reported by John P Speno + - (djm) Login fixes from Tom Bertelson + - (djm) Replace "/bin/sh" with _PATH_BSHELL. Report from Corinna Vinschen + + - (djm) Replace "/usr/bin/login" with LOGIN_PROGRAM + - (djm) Added check for broken snprintf() functions which do not correctly + terminate output string and attempt to use replacement. + - (djm) Released 2.1.1p2 + +20000628 + - (djm) Fixes to lastlog code for Irix + - (djm) Use atomicio in loginrec + - (djm) Patch from Michael Stone to add support for + Irix 6.x array sessions, project id's, and system audit trail id. + - (djm) Added 'distprep' make target to simplify packaging + - (djm) Added patch from Chris Adams to add OSF SIA + support. Enable using "USE_SIA=1 ./configure [options]" + +20000627 + - (djm) Fixes to login code - not setting li->uid, cleanups + - (djm) Formatting + +20000626 + - (djm) Better fix to aclocal tests from Garrick James + - (djm) Account expiry support from Andreas Steinmetz + - (djm) Added password expiry checking (no password change support) + - (djm) Make EGD failures non-fatal if OpenSSL's entropy pool is still OK + based on patch from Lutz Jaenicke + - (djm) Fix fixed EGD code. + - OpenBSD CVS update + - provos@cvs.openbsd.org 2000/06/25 14:17:58 + [channels.c] + correct check for bad channel ids; from Wei Dai + +20000623 + - (djm) Use sa_family_t in prototype for rresvport_af. Patch from + Svante Signell + - (djm) Autoconf logic to define sa_family_t if it is missing + - OpenBSD CVS Updates: + - markus@cvs.openbsd.org 2000/06/22 10:32:27 + [sshd.c] + missing atomicio; report from Steve.Marquess@DET.AMEDD.ARMY.MIL + - djm@cvs.openbsd.org 2000/06/22 17:55:00 + [auth-krb4.c key.c radix.c uuencode.c] + Missing CVS idents; ok markus + +20000622 + - (djm) Automatically generate host key during "make install". Suggested + by Gary E. 
Miller + - (djm) Paranoia before kill() system call + - OpenBSD CVS Updates: + - markus@cvs.openbsd.org 2000/06/18 18:50:11 + [auth2.c compat.c compat.h sshconnect2.c] + make userauth+pubkey interop with ssh.com-2.2.0 + - markus@cvs.openbsd.org 2000/06/18 20:56:17 + [dsa.c] + mem leak + be more paranoid in dsa_verify. + - markus@cvs.openbsd.org 2000/06/18 21:29:50 + [key.c] + cleanup fingerprinting, less hardcoded sizes + - markus@cvs.openbsd.org 2000/06/19 19:39:45 + [atomicio.c auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c] + [auth-rsa.c auth-skey.c authfd.c authfd.h authfile.c bufaux.c bufaux.h] + [buffer.c buffer.h canohost.c channels.c channels.h cipher.c cipher.h] + [clientloop.c compat.c compat.h compress.c compress.h crc32.c crc32.h] + [deattack.c dispatch.c dsa.c fingerprint.c fingerprint.h getput.h hmac.c] + [kex.c log-client.c log-server.c login.c match.c mpaux.c mpaux.h nchan.c] + [nchan.h packet.c packet.h pty.c pty.h readconf.c readconf.h readpass.c] + [rsa.c rsa.h scp.c servconf.c servconf.h ssh-add.c ssh-keygen.c ssh.c] + [ssh.h tildexpand.c ttymodes.c ttymodes.h uidswap.c xmalloc.c xmalloc.h] + OpenBSD tag + - markus@cvs.openbsd.org 2000/06/21 10:46:10 + sshconnect2.c missing free; nuke old comment + +20000620 + - (djm) Replace use of '-o' and '-a' logical operators in configure tests + with '||' and '&&'. As suggested by Jim Knoble + to fix SCO Unixware problem reported by Gary E. Miller + - (djm) Typo in loginrec.c + +20000618 + - (djm) Add summary of configure options to end of ./configure run + - (djm) Not all systems define RUSAGE_SELF & RUSAGE_CHILDREN. Report from + Michael Stone + - (djm) rusage is a privileged operation on some Unices (incl. + Solaris 2.5.1). Report from Paul D. Smith + - (djm) Avoid PAM failures when running without a TTY. Report from + Martin Petrak + - (djm) Include sys/types.h when including netinet/in.h in configure tests. 
+ Patch from Jun-ichiro itojun Hagino + - (djm) Started merge of Ben Lindstrom's NeXT support + - OpenBSD CVS updates: + - deraadt@cvs.openbsd.org 2000/06/17 09:58:46 + [channels.c] + everyone says "nix it" (remove protocol 2 debugging message) + - markus@cvs.openbsd.org 2000/06/17 13:24:34 + [sshconnect.c] + allow extended server banners + - markus@cvs.openbsd.org 2000/06/17 14:30:10 + [sshconnect.c] + missing atomicio, typo + - jakob@cvs.openbsd.org 2000/06/17 16:52:34 + [servconf.c servconf.h session.c sshd.8 sshd_config] + add support for ssh v2 subsystems. ok markus@. + - deraadt@cvs.openbsd.org 2000/06/17 18:57:48 + [readconf.c servconf.c] + include = in WHITESPACE; markus ok + - markus@cvs.openbsd.org 2000/06/17 19:09:10 + [auth2.c] + implement bug compatibility with ssh-2.0.13 pubkey, server side + - markus@cvs.openbsd.org 2000/06/17 21:00:28 + [compat.c] + initial support for ssh.com's 2.2.0 + - markus@cvs.openbsd.org 2000/06/17 21:16:09 + [scp.c] + typo + - markus@cvs.openbsd.org 2000/06/17 22:05:02 + [auth-rsa.c auth2.c serverloop.c session.c auth-options.c auth-options.h] + split auth-rsa option parsing into auth-options + add options support to authorized_keys2 + - markus@cvs.openbsd.org 2000/06/17 22:42:54 + [session.c] + typo + +20000613 + - (djm) Fixes from Andrew McGill : + - Platform define for SCO 3.x which breaks on /dev/ptmx + - Detect and try to fix missing MAXPATHLEN + - (djm) Fix short copy in loginrec.c (based on patch from Phill Camp + + +20000612 + - (djm) Glob manpages in RPM spec files to catch compressed files + - (djm) Full license in auth-pam.c + - (djm) Configure fixes from SAKAI Kiyotaka + - (andre) AIX, lastlog, configure fixes from Tom Bertelson : + - Don't try to retrieve lastlog from wtmp/wtmpx if DISABLE_LASTLOG is + def'd + - Set AIX to use preformatted manpages + +20000610 + - (djm) Minor doc tweaks + - (djm) Fix for configure on bash2 from Jim Knoble + +20000609 + - (djm) Patch from Kenji Miyake to disable utmp usage + (in 
favour of utmpx) on Solaris 8 + +20000606 + - (djm) Cleanup of entropy.c. Reorganised code, removed second pass through + list of commands (by default). Removed verbose debugging (by default). + - (djm) Increased command entropy estimates and default entropy collection + timeout + - (djm) Remove duplicate headers from loginrec.c + - (djm) Don't add /usr/local/lib to library search path on Irix + - (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts III + + - (djm) Warn user if grabs fail in GNOME askpass. Patch from Zack Weinberg + + - (djm) OpenBSD CVS updates: + - todd@cvs.openbsd.org + [sshconnect2.c] + teach protocol v2 to count login failures properly and also enable an + explanation of why the password prompt comes up again like v1; this is NOT + crypto + - markus@cvs.openbsd.org + [readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c sshd.8] + xauth_location support; pr 1234 + [readconf.c sshconnect2.c] + typo, unused + [session.c] + allow use_login only for login sessions, otherwise remote commands are + execed with uid==0 + [sshd.8] + document UseLogin better + [version.h] + OpenSSH 2.1.1 + [auth-rsa.c] + fix match_hostname() logic for auth-rsa: deny access if we have a + negative match or no match at all + [channels.c hostfile.c match.c] + don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via + kris@FreeBSD.org + +20000606 + - (djm) Added --with-cflags, --with-ldflags and --with-libs options to + configure. + +20000604 + - Configure tweaking for new login code on Irix 5.3 + - (andre) login code changes based on djm feedback + +20000603 + - (andre) New login code + - Remove bsd-login.[ch] and all the OpenBSD-derived code in login.c + - Add loginrec.[ch], logintest.c and autoconf code + +20000531 + - Cleanup of auth.c, login.c and fake-* + - Cleanup of auth-pam.c, save and print "account expired" error messages + - Fix EGD read bug by IWAMURO Motonori + - Rewrote bsd-login to use proper utmp API if available. 
Major cleanup + of fallback DIY code. + +20000530 + - Define atexit for old Solaris + - Fix buffer overrun in login.c for systems which use syslen in utmpx. + patch from YOSHIFUJI Hideaki + - OpenBSD CVS updates: + - markus@cvs.openbsd.org + [session.c] + make x11-fwd work w/ localhost (xauth add host/unix:11) + [cipher.c compat.c readconf.c servconf.c] + check strtok() != NULL; ok niels@ + [key.c] + fix key_read() for uuencoded keys w/o '=' + [serverloop.c] + group ssh1 vs. ssh2 in serverloop + [kex.c kex.h myproposal.h sshconnect2.c sshd.c] + split kexinit/kexdh, factor out common code + [readconf.c ssh.1 ssh.c] + forwardagent defaults to no, add ssh -A + - theo@cvs.openbsd.org + [session.c] + just some line shortening + - Released 2.1.0p3 + +20000520 + - Xauth fix from Markus Friedl + - Don't touch utmp if USE_UTMPX defined + - SunOS 4.x support from Todd C. Miller + - SIGCHLD fix for AIX and HPUX from Tom Bertelson + - HPUX and Configure fixes from Lutz Jaenicke + + - Use mkinstalldirs script to make directories instead of non-portable + "install -d". Suggested by Lutz Jaenicke + - Doc cleanup + +20000518 + - Include Andre Lucas' fixprogs script. 
Forgot to "cvs add" it yesterday + - OpenBSD CVS updates: + - markus@cvs.openbsd.org + [sshconnect.c] + copy only ai_addrlen bytes; misiek@pld.org.pl + [auth.c] + accept an empty shell in authentication; bug reported by + chris@tinker.ucr.edu + [serverloop.c] + we don't have stderr for interactive terminal sessions (fcntl errors) + +20000517 + - Fix from Andre Lucas + - Fixes command line printing segfaults (spotter: Bladt Norbert) + - Fixes erroneous printing of debug messages to syslog + - Fixes utmp for MacOS X (spotter: Aristedes Maniatis) + - Gives useful error message if PRNG initialisation fails + - Reduced ssh startup delay + - Measures cumulative command time rather than the time between reads + after select() + - 'fixprogs' perl script to eliminate non-working entropy commands, and + optionally run 'ent' to measure command entropy + - Applied Tom Bertelson's AIX authentication fix + - Avoid WCOREDUMP complation errors for systems that lack it + - Avoid SIGCHLD warnings from entropy commands + - Fix HAVE_PAM_GETENVLIST setting from Simon Wilkinson + - OpenBSD CVS update: + - markus@cvs.openbsd.org + [ssh.c] + fix usage() + [ssh2.h] + draft-ietf-secsh-architecture-05.txt + [ssh.1] + document ssh -T -N (ssh2 only) + [channels.c serverloop.c ssh.h sshconnect.c sshd.c aux.c] + enable nonblocking IO for sshd w/ proto 1, too; split out common code + [aux.c] + missing include + - Several patches from SAKAI Kiyotaka + - INSTALL typo and URL fix + - Makefile fix + - Solaris fixes + - Checking for ssize_t and memmove. Based on patch from SAKAI Kiyotaka + + - RSAless operation patch from kevin_oconnor@standardandpoors.com + - Detect OpenSSL seperatly from RSA + - Better test for RSA (more compatible with RSAref). 
Based on work by + Ed Eden + +20000513 + - Fix for non-recognised DSA keys from Arkadiusz Miskiewicz + + +20000511 + - Fix for prng_seed permissions checking from Lutz Jaenicke + + - "make host-key" fix for Irix + +20000509 + - OpenBSD CVS update + - markus@cvs.openbsd.org + [cipher.h myproposal.h readconf.c readconf.h servconf.c ssh.1 ssh.c] + [ssh.h sshconnect1.c sshconnect2.c sshd.8] + - complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only) + - hugh@cvs.openbsd.org + [ssh.1] + - zap typo + [ssh-keygen.1] + - One last nit fix. (markus approved) + [sshd.8] + - some markus certified spelling adjustments + - markus@cvs.openbsd.org + [auth2.c channels.c clientloop.c compat compat.h dsa.c kex.c] + [sshconnect2.c ] + - bug compat w/ ssh-2.0.13 x11, split out bugs + [nchan.c] + - no drain if ibuf_empty, fixes x11fwd problems; tests by fries@ + [ssh-keygen.c] + - handle escapes in real and original key format, ok millert@ + [version.h] + - OpenSSH-2.1 + - Moved all the bsd-* and fake-* stuff into new libopenbsd-compat.a + - Doc updates + - Cleanup of bsd-base64 headers, bugfix definitions of __b64_*. Reported + by Andre Lucas + +20000508 + - Makefile and RPM spec fixes + - Generate DSA host keys during "make key" or RPM installs + - OpenBSD CVS update + - markus@cvs.openbsd.org + [clientloop.c sshconnect2.c] + - make x11-fwd interop w/ ssh-2.0.13 + [README.openssh2] + - interop w/ SecureFX + - Release 2.0.0beta2 + + - Configure caching and cleanup patch from Andre Lucas' + + +20000507 + - Remove references to SSLeay. + - Big OpenBSD CVS update + - markus@cvs.openbsd.org + [clientloop.c] + - typo + [session.c] + - update proctitle on pty alloc/dealloc, e.g. 
w/ windows client + [session.c] + - update proctitle for proto 1, too + [channels.h nchan.c serverloop.c session.c sshd.c] + - use c-style comments + - deraadt@cvs.openbsd.org + [scp.c] + - more atomicio + - markus@cvs.openbsd.org + [channels.c] + - set O_NONBLOCK + [ssh.1] + - update AUTHOR + [readconf.c ssh-keygen.c ssh.h] + - default DSA key file ~/.ssh/id_dsa + [clientloop.c] + - typo, rm verbose debug + - deraadt@cvs.openbsd.org + [ssh-keygen.1] + - document DSA use of ssh-keygen + [sshd.8] + - a start at describing what i understand of the DSA side + [ssh-keygen.1] + - document -X and -x + [ssh-keygen.c] + - simplify usage + - markus@cvs.openbsd.org + [sshd.8] + - there is no rhosts_dsa + [ssh-keygen.1] + - document -y, update -X,-x + [nchan.c] + - fix close for non-open ssh1 channels + [servconf.c servconf.h ssh.h sshd.8 sshd.c ] + - s/DsaKey/HostDSAKey/, document option + [sshconnect2.c] + - respect number_of_password_prompts + [channels.c channels.h servconf.c servconf.h session.c sshd.8] + - GatewayPorts for sshd, ok deraadt@ + [ssh-add.1 ssh-agent.1 ssh.1] + - more doc on: DSA, id_dsa, known_hosts2, authorized_keys2 + [ssh.1] + - more info on proto 2 + [sshd.8] + - sync AUTHOR w/ ssh.1 + [key.c key.h sshconnect.c] + - print key type when talking about host keys + [packet.c] + - clear padding in ssh2 + [dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h] + - replace broken uuencode w/ libc b64_ntop + [auth2.c] + - log failure before sending the reply + [key.c radix.c uuencode.c] + - remote trailing comments before calling __b64_pton + [auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1] + [sshconnect2.c sshd.8] + - add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8 + - Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch]) + +20000502 + - OpenBSD CVS update + [channels.c] + - init all fds, close all fds. 
+ [sshconnect2.c] + - check whether file exists before asking for passphrase + [servconf.c servconf.h sshd.8 sshd.c] + - PidFile, pr 1210 + [channels.c] + - EINTR + [channels.c] + - unbreak, ok niels@ + [sshd.c] + - unlink pid file, ok niels@ + [auth2.c] + - Add missing #ifdefs; ok - markus + - Add Andre Lucas' patch to read entropy + gathering commands from a text file + - Release 2.0.0beta1 + +20000501 + - OpenBSD CVS update + [packet.c] + - send debug messages in SSH2 format + [scp.c] + - fix very rare EAGAIN/EINTR issues; based on work by djm + [packet.c] + - less debug, rm unused + [auth2.c] + - disable kerb,s/key in ssh2 + [sshd.8] + - Minor tweaks and typo fixes. + [ssh-keygen.c] + - Put -d into usage and reorder. markus ok. + - Include missing headers for OpenSSL tests. Fix from Phil Karn + + - Fixed __progname symbol collisions reported by Andre Lucas + + - Merged bsd-login ttyslot and AIX utmp patch from Gert Doering + + - Add some missing ifdefs to auth2.c + - Deprecate perl-tk askpass. + - Irix portability fixes - don't include netinet headers more than once + - Make sure we don't save PRNG seed more than once + +20000430 + - Merge HP-UX fixes and TCB support from Ged Lodder + - Integrate Andre Lucas' entropy collection + patch. 
+ - Adds timeout to entropy collection + - Disables slow entropy sources + - Load and save seed file + - Changed entropy seed code to user per-user seeds only (server seed is + saved in root's .ssh directory) + - Use atexit() and fatal cleanups to save seed on exit + - More OpenBSD updates: + [session.c] + - don't call chan_write_failed() if we are not writing + [auth-rsa.c auth1.c authfd.c hostfile.c ssh-agent.c] + - keysize warnings error() -> log() + +20000429 + - Merge big update to OpenSSH-2.0 from OpenBSD CVS + [README.openssh2] + - interop w/ F-secure windows client + - sync documentation + - ssh_host_dsa_key not ssh_dsa_key + [auth-rsa.c] + - missing fclose + [auth.c authfile.c compat.c dsa.c dsa.h hostfile.c key.c key.h radix.c] + [readconf.c readconf.h ssh-add.c ssh-keygen.c ssh.c ssh.h sshconnect.c] + [sshd.c uuencode.c uuencode.h authfile.h] + - add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] + for trading keys with the real and the original SSH, directly from the + people who invented the SSH protocol. 
+ [auth.c auth.h authfile.c sshconnect.c auth1.c auth2.c sshconnect.h] + [sshconnect1.c sshconnect2.c] + - split auth/sshconnect in one file per protocol version + [sshconnect2.c] + - remove debug + [uuencode.c] + - add trailing = + [version.h] + - OpenSSH-2.0 + [ssh-keygen.1 ssh-keygen.c] + - add -R flag: exit code indicates if RSA is alive + [sshd.c] + - remove unused + silent if -Q is specified + [ssh.h] + - host key becomes /etc/ssh_host_dsa_key + [readconf.c servconf.c ] + - ssh/sshd default to proto 1 and 2 + [uuencode.c] + - remove debug + [auth2.c ssh-keygen.c sshconnect2.c sshd.c] + - xfree DSA blobs + [auth2.c serverloop.c session.c] + - cleanup logging for sshd/2, respect PasswordAuth no + [sshconnect2.c] + - less debug, respect .ssh/config + [README.openssh2 channels.c channels.h] + - clientloop.c session.c ssh.c + - support for x11-fwding, client+server + +20000421 + - Merge fix from OpenBSD CVS + [ssh-agent.c] + - Fix memory leak per connection. Report from Andy Spiegl + via Debian bug #59926 + - Define __progname in session.c if libc doesn't + - Remove indentation on autoconf #include statements to avoid bug in + DEC Tru64 compiler. Report and fix from David Del Piero + + +20000420 + - Make fixpaths work with perl4, patch from Andre Lucas + + - Sync with OpenBSD CVS: + [clientloop.c login.c serverloop.c ssh-agent.c ssh.h sshconnect.c sshd.c] + - pid_t + [session.c] + - remove bogus chan_read_failed. this could cause data + corruption (missing data) at end of a SSH2 session. 
+ - Merge fixes from Debian patch from Phil Hands + - Allow setting of PAM service name through CFLAGS (SSHD_PAM_SERVICE) + - Use vhangup to clean up Linux ttys + - Force posix getopt processing on GNU libc systems + - Debian bug #55910 - remove references to ssl(8) manpages + - Debian bug #58031 - ssh_config lies about default cipher + +20000419 + - OpenBSD CVS updates + [channels.c] + - fix pr 1196, listen_port and port_to_connect interchanged + [scp.c] + - after completion, replace the progress bar ETA counter with a final + elapsed time; my idea, aaron wrote the patch + [ssh_config sshd_config] + - show 'Protocol' as an example, ok markus@ + [sshd.c] + - missing xfree() + - Add missing header to bsd-misc.c + +20000416 + - Reduce diff against OpenBSD source + - All OpenSSL includes are now unconditionally referenced as + openssl/foo.h + - Pick up formatting changes + - Other minor changed (typecasts, etc) that I missed + +20000415 + - OpenBSD CVS updates. + [ssh.1 ssh.c] + - ssh -2 + [auth.c channels.c clientloop.c packet.c packet.h serverloop.c] + [session.c sshconnect.c] + - check payload for (illegal) extra data + [ALL] + whitespace cleanup + +20000413 + - INSTALL doc updates + - Merged OpenBSD updates to include paths. + +20000412 + - OpenBSD CVS updates: + - [channels.c] + repair x11-fwd + - [sshconnect.c] + fix passwd prompt for ssh2, less debugging output. 
+ - [clientloop.c compat.c dsa.c kex.c sshd.c] + less debugging output + - [kex.c kex.h sshconnect.c sshd.c] + check for reasonable public DH values + - [README.openssh2 cipher.c cipher.h compat.c compat.h readconf.c] + [readconf.h servconf.c servconf.h ssh.c ssh.h sshconnect.c sshd.c] + add Cipher and Protocol options to ssh/sshd, e.g.: + ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers + arcfour,3des-cbc' + - [sshd.c] + print 1.99 only if server supports both + +20000408 + - Avoid some compiler warnings in fake-get*.c + - Add IPTOS macros for systems which lack them + - Only set define entropy collection macros if they are found + - More large OpenBSD CVS updates: + - [auth.c auth.h servconf.c servconf.h serverloop.c session.c] + [session.h ssh.h sshd.c README.openssh2] + ssh2 server side, see README.openssh2; enable with 'sshd -2' + - [channels.c] + no adjust after close + - [sshd.c compat.c ] + interop w/ latest ssh.com windows client. + +20000406 + - OpenBSD CVS update: + - [channels.c] + close efd on eof + - [clientloop.c compat.c ssh.c sshconnect.c myproposal.h] + ssh2 client implementation, interops w/ ssh.com and lsh servers. + - [sshconnect.c] + missing free. + - [authfile.c cipher.c cipher.h packet.c sshconnect.c sshd.c] + remove unused argument, split cipher_mask() + - [clientloop.c] + re-order: group ssh1 vs. 
ssh2 + - Make Redhat spec require openssl >= 0.9.5a + +20000404 + - Add tests for RAND_add function when searching for OpenSSL + - OpenBSD CVS update: + - [packet.h packet.c] + ssh2 packet format + - [packet.h packet.c nchan2.ms nchan.h compat.h compat.c] + [channels.h channels.c] + channel layer support for ssh2 + - [kex.h kex.c hmac.h hmac.c dsa.c dsa.h] + DSA, keyexchange, algorithm agreement for ssh2 + - Generate manpages before make install not at the end of make all + - Don't seed the rng quite so often + - Always reseed rng when requested + +20000403 + - Wrote entropy collection routines for systems that lack /dev/random + and EGD + - Disable tests and typedefs for 64 bit types. They are currently unused. + +20000401 + - Big OpenBSD CVS update (mainly beginnings of SSH2 infrastructure) + - [auth.c session.c sshd.c auth.h] + split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal + - [bufaux.c bufaux.h] + support ssh2 bignums + - [channels.c channels.h clientloop.c sshd.c nchan.c nchan.h packet.c] + [readconf.c ssh.c ssh.h serverloop.c] + replace big switch() with function tables (prepare for ssh2) + - [ssh2.h] + ssh2 message type codes + - [sshd.8] + reorder Xr to avoid cutting + - [serverloop.c] + close(fdin) if fdin != fdout, shutdown otherwise, ok theo@ + - [channels.c] + missing close + allow bigger packets + - [cipher.c cipher.h] + support ssh2 ciphers + - [compress.c] + cleanup, less code + - [dispatch.c dispatch.h] + function tables for different message types + - [log-server.c] + do not log() if debuggin to stderr + rename a cpp symbol, to avoid param.h collision + - [mpaux.c] + KNF + - [nchan.c] + sync w/ channels.c + +20000326 + - Better tests for OpenSSL w/ RSAref + - Added replacement setenv() function from OpenBSD libc. 
Suggested by + Ben Lindstrom + - OpenBSD CVS update + - [auth-krb4.c] + -Wall + - [auth-rh-rsa.c auth-rsa.c hostfile.c hostfile.h key.c key.h match.c] + [match.h ssh.c ssh.h sshconnect.c sshd.c] + initial support for DSA keys. ok deraadt@, niels@ + - [cipher.c cipher.h] + remove unused cipher_attack_detected code + - [scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8] + Fix some formatting problems I missed before. + - [ssh.1 sshd.8] + fix spelling errors, 
From: FreeBSD + - [ssh.c] + switch to raw mode only if he _get_ a pty (not if we _want_ a pty). + +20000324 + - Released 1.2.3 + +20000317 + - Clarified --with-default-path option. + - Added -blibpath handling for AIX to work around stupid runtime linking. + Problem elucidated by gshapiro@SENDMAIL.ORG by way of Jim Knoble + + - Checks for 64 bit int types. Problem report from Mats Fredholm + + - OpenBSD CVS updates: + - [atomicio.c auth-krb4.c bufaux.c channels.c compress.c fingerprint.c] + [packet.h radix.c rsa.c scp.c ssh-agent.c ssh-keygen.c sshconnect.c] + [sshd.c] + pedantic: signed vs. unsigned, void*-arithm, etc + - [ssh.1 sshd.8] + Various cleanups and standardizations. + - Runtime error fix for HPUX from Otmar Stahl + + +20000316 + - Fixed configure not passing LDFLAGS to Solaris. Report from David G. + Hesprich + - Propogate LD through to Makefile + - Doc cleanups + - Added blurb about "scp: command not found" errors to UPGRADING + +20000315 + - Fix broken CFLAGS handling during search for OpenSSL. Fixes va_list + problems with gcc/Solaris. + - Don't free argument to putenv() after use (in setenv() replacement). + Report from Seigo Tanimura + - Created contrib/ subdirectory. Included helpers from Phil Hands' + Debian package, README file and chroot patch from Ricardo Cerqueira + + - Moved gnome-ssh-askpass.c to contrib directory and removed config + option. + - Slight cleanup to doc files + - Configure fix from Bratislav ILICH + +20000314 + - Include macro for IN6_IS_ADDR_V4MAPPED. 
Report from + peter@frontierflying.com + - Include /usr/local/include and /usr/local/lib for systems that don't + do it themselves + - -R/usr/local/lib for Solaris + - Fix RSAref detection + - Fix IN6_IS_ADDR_V4MAPPED macro + +20000311 + - Detect RSAref + - OpenBSD CVS change + [sshd.c] + - disallow guessing of root password + - More configure fixes + - IPv6 workarounds from Hideaki YOSHIFUJI + +20000309 + - OpenBSD CVS updates to v1.2.3 + [ssh.h atomicio.c] + - int atomicio -> ssize_t (for alpha). ok deraadt@ + [auth-rsa.c] + - delay MD5 computation until client sends response, free() early, cleanup. + [cipher.c] + - void* -> unsigned char*, ok niels@ + [hostfile.c] + - remove unused variable 'len'. fix comments. + - remove unused variable + [log-client.c log-server.c] + - rename a cpp symbol, to avoid param.h collision + [packet.c] + - missing xfree() + - getsockname() requires initialized tolen; andy@guildsoftware.com + - use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; + from Holger.Trapp@Informatik.TU-Chemnitz.DE + [pty.c pty.h] + - register cleanup for pty earlier. move code for pty-owner handling to + pty.c ok provos@, dugsong@ + [readconf.c] + - turn off x11-fwd for the client, too. + [rsa.c] + - PKCS#1 padding + [scp.c] + - allow '.' in usernames; from jedgar@fxp.org + [servconf.c] + - typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de + - sync with sshd_config + [ssh-keygen.c] + - enable ssh-keygen -l -f ~/.ssh/known_hosts, ok deraadt@ + [ssh.1] + - Change invalid 'CHAT' loglevel to 'VERBOSE' + [ssh.c] + - suppress AAAA query host when '-4' is used; from shin@nd.net.fujitsu.co.jp + - turn off x11-fwd for the client, too. + [sshconnect.c] + - missing xfree() + - retry rresvport_af(), too. from sumikawa@ebina.hitachi.co.jp. + - read error vs. "Connection closed by remote host" + [sshd.8] + - ie. -> i.e., + - do not link to a commercial page.. 
+ - sync with sshd_config + [sshd.c] + - no need for poll.h; from bright@wintelcom.net + - log with level log() not fatal() if peer behaves badly. + - don't panic if client behaves strange. ok deraadt@ + - make no-port-forwarding for RSA keys deny both -L and -R style fwding + - delay close() of pty until the pty has been chowned back to root + - oops, fix comment, too. + - missing xfree() + - move XAUTHORITY to subdir. ok dugsong@. fixes debian bug #57907, too. + (http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=57907) + - register cleanup for pty earlier. move code for pty-owner handling to + pty.c ok provos@, dugsong@ + - create x11 cookie file + - fix pr 1113, fclose() -> pclose(), todo: remote popen() + - version 1.2.3 + - Cleaned up + - Removed warning workaround for Linux and devpts filesystems (no longer + required after OpenBSD updates) + +20000308 + - Configure fix from Hiroshi Takekawa + +20000307 + - Released 1.2.2p1 + +20000305 + - Fix DEC compile fix + - Explicitly seed OpenSSL's PRNG before checking rsa_alive() + - Check for getpagesize in libucb.a if not found in libc. Fix for old + Solaris from Andre Lucas + - Check for libwrap if --with-tcp-wrappers option specified. Suggestion + Mate Wierdl + +20000303 + - Added "make host-key" target, Suggestion from Dominik Brettnacher + + - Don't permanently fail on bind() if getaddrinfo has more choices left for + us. Needed to work around messy IPv6 on Linux. Patch from Arkadiusz + Miskiewicz + - DEC Unix compile fix from David Del Piero + - Manpage fix from David Del Piero + +20000302 + - Big cleanup of autoconf code + - Rearranged to be a little more logical + - Added -R option for Solaris + - Rewrote OpenSSL detection code. Now uses AC_TRY_RUN with a test program + to detect library and header location _and_ ensure library has proper + RSA support built in (this is a problem with OpenSSL 0.9.5). 
+ - Applied pty cleanup patch from markus.friedl@informatik.uni-erlangen.de
+ - Avoid warning message with Unix98 ptys
+ - Warning was valid - possible race condition on PTYs. Avoided using
+ platform-specific code.
+ - Document some common problems
+ - Allow root access to any key. Patch from
+ markus.friedl@informatik.uni-erlangen.de
+
+20000207
+ - Removed SOCKS code. Will support through a ProxyCommand.
+
+20000203
+ - Fixed SEGVs in authloop, fix from vbzoli@hbrt.hu
+ - Add --with-ssl-dir option
+
+20000202
+ - Fix lastlog code for directory based lastlogs. Fix from Josh Durham
+
+ - Documentation fixes from HARUYAMA Seigo
+ - Added URLs to Japanese translations of documents by HARUYAMA Seigo
+
+
+20000201
+ - Use socket pairs by default (instead of pipes). Prevents race condition
+ on several (buggy) OSs. Report and fix from tridge@linuxcare.com
+
+20000127
+ - Seed OpenSSL's random number generator before generating RSA keypairs
+ - Split random collector into seperate file
+ - Compile fix from Andre Lucas
+
+20000126
+ - Released 1.2.2 stable
+
+ - NeXT keeps it lastlog in /usr/adm. Report from
+ mouring@newton.pconline.com
+ - Added note in UPGRADING re interop with commercial SSH using idea.
+ Report from Jim Knoble
+ - Fix linking order for Kerberos/AFS. Fix from Holget Trapp
+
+
+20000125
+ - Fix NULL pointer dereference in login.c. Fix from Andre Lucas
+
+ - Reorder PAM initialisation so it does not mess up lastlog. Reported
+ by Andre Lucas
+ - Use preformatted manpages on SCO, report from Gary E. Miller
+
+ - New URL for x11-ssh-askpass.
+ - Fixpaths was missing /etc/ssh_known_hosts. Report from Jim Knoble
+
+ - Added 'DESTDIR' option to Makefile to ease package building. Patch from
+ Jim Knoble
+ - Updated RPM spec files to use DESTDIR
+
+20000124
+ - Pick up version 1.2.2 from OpenBSD CVS (no changes, just version number
+ increment)
+
+20000123
+ - OpenBSD CVS:
+ - [packet.c]
+ getsockname() requires initialized tolen; andy@guildsoftware.com
+ - AIX patch from Matt Richards and David Rankin
+
+ - Fix lastlog support, patch from Andre Lucas
+
+20000122
+ - Fix compilation of bsd-snprintf.c on Solaris, fix from Ben Taylor
+
+ - Merge preformatted manpage patch from Andre Lucas
+
+ - Make IPv4 use the default in RPM packages
+ - Irix uses preformatted manpages
+ - Missing htons() in bsd-bindresvport.c, fix from Holger Trapp
+
+ - OpenBSD CVS updates:
+ - [packet.c]
+ use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
+ from Holger.Trapp@Informatik.TU-Chemnitz.DE
+ - [sshd.c]
+ log with level log() not fatal() if peer behaves badly.
+ - [readpass.c]
+ instead of blocking SIGINT, catch it ourselves, so that we can clean
+ the tty modes up and kill ourselves -- instead of our process group
+ leader (scp, cvs, ...) going away and leaving us in noecho mode.
+ people with cbreak shells never even noticed..
+ - [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8]
+ ie. -> i.e.,
+
+20000120
+ - Don't use getaddrinfo on AIX
+ - Update to latest OpenBSD CVS:
+ - [auth-rsa.c]
+ - fix user/1056, sshd keeps restrictions; dbt@meat.net
+ - [sshconnect.c]
+ - disable agent fwding for proto 1.3, remove abuse of auth-rsa flags.
+ - destroy keys earlier
+ - split key exchange (kex) and user authentication (user-auth),
+ ok: provos@
+ - [sshd.c]
+ - no need for poll.h; from bright@wintelcom.net
+ - disable agent fwding for proto 1.3, remove abuse of auth-rsa flags.
+ - split key exchange (kex) and user authentication (user-auth),
+ ok: provos@
+ - Big manpage and config file cleanup from Andre Lucas
+
+ - Re-added latest (unmodified) OpenBSD manpages
+ - Doc updates
+ - NetBSD patch from David Rankin and
+ Christos Zoulas
+
+20000119
+ - SCO compile fixes from Gary E. Miller
+ - Compile fix from Darren_Hall@progressive.com
+ - Linux/glibc-2.1.2 takes a *long* time to look up names for AF_UNSPEC
+ addresses using getaddrinfo(). Added a configure switch to make the
+ default lookup mode AF_INET
+
+20000118
+ - Fixed --with-pid-dir option
+ - Makefile fix from Gary E. Miller
+ - Compile fix for HPUX and Solaris from Andre Lucas
+
+
+20000117
+ - Clean up bsd-bindresvport.c. Use arc4random() for picking initial
+ port, ignore EINVAL errors (Linux) when searching for free port.
+ - Revert __snprintf -> snprintf aliasing. Apparently Solaris
+ __snprintf isn't. Report from Theo de Raadt
+ - Document location of Redhat PAM file in INSTALL.
+ - Fixed X11 forwarding bug on Linux. libc advertises AF_INET6
+ INADDR_ANY_INIT addresses via getaddrinfo, but may not be able to
+ deliver (no IPv6 kernel support)
+ - Released 1.2.1pre27
+
+ - Fix rresvport_af failure errors (logic error in bsd-bindresvport.c)
+ - Fix --with-ipaddr-display option test. Fix from Jarno Huuskonen
+
+ - Fix hang on logout if processes are still using the pty. Needs
+ further testing.
+ - Patch from Christos Zoulas
+ - Try $prefix first when looking for OpenSSL.
+ - Include sys/types.h when including sys/socket.h in test programs
+ - Substitute PID directory in sshd.8. Suggestion from Andrew
+ Stribblehill
+
+20000116
+ - Renamed --with-xauth-path to --with-xauth
+ - Added --with-pid-dir option
+ - Released 1.2.1pre26
+
+ - Compilation fix from Kiyokazu SUTO
+ - Fixed broken bugfix for /dev/ptmx on Linux systems which lack
+ openpty(). Report from Kiyokazu SUTO
+
+20000115
+ - Add --with-xauth-path configure directive and explicit test for
+ /usr/openwin/bin/xauth for Solaris systems. Report from Anders
+ Nordby
+ - Fix incorrect detection of /dev/ptmx on Linux systems that lack
+ openpty. Report from John Seifarth
+ - Look for intXX_t and u_intXX_t in sys/bitypes.h if they are not in
+ sys/types.h. Fixes problems on SCO, report from Gary E. Miller
+
+ - Use __snprintf and __vnsprintf if they are found where snprintf and
+ vnsprintf are lacking. Suggested by Ben Taylor
+ and others.
+
+20000114
+ - Merged OpenBSD IPv6 patch:
+ - [sshd.c sshd.8 sshconnect.c ssh.h ssh.c servconf.h servconf.c scp.1]
+ [scp.c packet.h packet.c login.c log.c canohost.c channels.c]
+ [hostfile.c sshd_config]
+ ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new
+ features: sshd allows multiple ListenAddress and Port options. note
+ that libwrap is not IPv6-ready. (based on patches from
+ fujiwara@rcac.tdi.co.jp)
+ - [ssh.c canohost.c]
+ more hints (hints.ai_socktype=SOCK_STREAM) for getaddrinfo,
+ from itojun@
+ - [channels.c]
+ listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)
+ - [packet.h]
+ allow auth-kerberos for IPv4 only
+ - [scp.1 sshd.8 servconf.h scp.c]
+ document -4, -6, and 'ssh -L 2022/::1/22'
+ - [ssh.c]
+ 'ssh @host' is illegal (null user name), from
+ karsten@gedankenpolizei.de
+ - [sshconnect.c]
+ better error message
+ - [sshd.c]
+ allow auth-kerberos for IPv4 only
+ - Big IPv6 merge:
+ - Cleanup overrun in sockaddr copying on RHL 6.1
+ - Replacements for getaddrinfo, getnameinfo, etc based on versions
+ from patch from KIKUCHI Takahiro
+ - Replacement for missing structures on systems that lack IPv6
+ - record_login needed to know about AF_INET6 addresses
+ - Borrowed more code from OpenBSD: rresvport_af and requisites
+
+20000110
+ - Fixes to auth-skey to enable it to use the standard OpenSSL libraries
+
+20000107
+ - New config.sub and config.guess to fix problems on SCO. Supplied
+ by Gary E. Miller
+ - SCO build fix from Gary E. Miller
+ - Released 1.2.1pre25
+
+20000106
+ - Documentation update & cleanup
+ - Better KrbIV / AFS detection, based on patch from:
+ Holger Trapp
+
+20000105
+ - Fixed annoying DES corruption problem. libcrypt has been
+ overriding symbols in libcrypto. Removed libcrypt and crypt.h
+ altogether (libcrypto includes its own crypt(1) replacement)
+ - Added platform-specific rules for Irix 6.x. Included warning that
+ they are untested.
+
+20000103
+ - Add explicit make rules for files proccessed by fixpaths.
+ - Fix "make install" in RPM spec files. Report from Tenkou N. Hattori
+
+ - Removed "nullok" directive from default PAM configuration files.
+ Added information on enabling EmptyPasswords on openssh+PAM in
+ UPGRADING file.
+ - OpenBSD CVS updates
+ - [ssh-agent.c]
+ cleanup_exit() for SIGTERM/SIGHUP, too. from fgsch@ and
+ dgaudet@arctic.org
+ - [sshconnect.c]
+ compare correct version for 1.3 compat mode
+
+20000102
+ - Prevent multiple inclusion of config.h and defines.h. Suggested
+ by Andre Lucas
+ - Properly clean up on exit of ssh-agent. Patch from Dean Gaudet
+
+
+19991231
+ - Fix password support on systems with a mixture of shadowed and
+ non-shadowed passwords (e.g. NIS). Report and fix from
+ HARUYAMA Seigo
+ - Fix broken autoconf typedef detection. Report from Marc G.
+ Fournier
+ - Fix occasional crash on LinuxPPC. Patch from Franz Sirl
+
+ - Prevent typedefs from being compiled more than once. Report from
+ Marc G. Fournier
+ - Fill in ut_utaddr utmp field. Report from Benjamin Charron
+
+ - Really fix broken default path. Fix from Jim Knoble
+
+ - Remove test for quad_t. No longer needed.
+ - Released 1.2.1pre24
+
+ - Added support for directory-based lastlogs
+ - Really fix typedefs, patch from Ben Taylor
+
+19991230
+ - OpenBSD CVS updates:
+ - [auth-passwd.c]
+ check for NULL 1st
+ - Removed most of the pam code into its own file auth-pam.[ch]. This
+ cleaned up sshd.c up significantly.
+ - PAM authentication was incorrectly interpreting
+ "PermitRootLogin without-password". Report from Matthias Andree
+
+ - Updated documentation with ./configure options
+ - Released 1.2.1pre23
+
+19991229
+ - Applied another NetBSD portability patch from David Rankin
+
+ - Fix --with-default-path option.
+ - Autodetect perl, patch from David Rankin
+
+ - Print whether OpenSSH was compiled with RSARef, patch from
+ Nalin Dahyabhai
+ - Calls to pam_setcred, patch from Nalin Dahyabhai
+
+ - Detect missing size_t and typedef it.
+ - Rename helper.[ch] to (more appropriate) bsd-misc.[ch]
+ - Minor Makefile cleaning
+
+19991228
+ - Replacement for getpagesize() for systems which lack it
+ - NetBSD login.c compile fix from David Rankin
+
+ - Fully set ut_tv if present in utmp or utmpx
+ - Portability fixes for Irix 5.3 (now compiles OK!)
+ - autoconf and other misc cleanups
+ - Merged AIX patch from Darren Hall
+ - Cleaned up defines.h
+ - Released 1.2.1pre22
+
+19991227
+ - Automatically correct paths in manpages and configuration files. Patch
+ and script from Andre Lucas
+ - Removed credits from README to CREDITS file, updated.
+ - Added --with-default-path to specify custom path for server
+ - Removed #ifdef trickery from acconfig.h into defines.h
+ - PAM bugfix. PermitEmptyPassword was being ignored.
+ - Fixed PAM config files to allow empty passwords if server does.
+ - Explained spurious PAM auth warning workaround in UPGRADING
+ - Use last few chars of tty line as ut_id
+ - New SuSE RPM spec file from Chris Saia
+ - OpenBSD CVS updates:
+ - [packet.h auth-rhosts.c]
+ check format string for packet_disconnect and packet_send_debug, too
+ - [channels.c]
+ use packet_get_maxsize for channels. consistence.
+
+19991226
+ - Enabled utmpx support by default for Solaris
+ - Cleanup sshd.c PAM a little more
+ - Revised RPM package to include Jim Knoble's
+ X11 ssh-askpass program.
+ - Disable logging of PAM success and failures, PAM is verbose enough.
+ Unfortunatly there is currently no way to disable auth failure
+ messages. Mention this in UPGRADING file and sent message to PAM
+ developers
+ - OpenBSD CVS update:
+ - [ssh-keygen.1 ssh.1]
+ remove ref to .ssh/random_seed, mention .ssh/environment in
+ .Sh FILES, too
+ - Released 1.2.1pre21
+ - Fixed implicit '.' in default path, report from Jim Knoble
+
+ - Redhat RPM spec fixes from Jim Knoble
+
+19991225
+ - More fixes from Andre Lucas
+ - Cleanup of auth-passwd.c for shadow and MD5 passwords
+ - Cleanup and bugfix of PAM authentication code
+ - Released 1.2.1pre20
+
+ - Merged fixes from Ben Taylor
+ - Fixed configure support for PAM. Reported by Naz <96na@eng.cam.ac.uk>
+ - Disabled logging of PAM password authentication failures when password
+ is empty. (e.g start of authentication loop). Reported by Naz
+ <96na@eng.cam.ac.uk>)
+
+19991223
+ - Merged later HPUX patch from Andre Lucas
+
+ - Above patch included better utmpx support from Ben Taylor
+
+
+19991222
+ - Fix undefined fd_set type in ssh.h from Povl H. Pedersen
+
+ - Fix login.c breakage on systems which lack ut_host in struct
+ utmp. Reported by Willard Dawson
+
+19991221
+ - Integration of large HPUX patch from Andre Lucas
+ . . Integrating it had a few other
+ benefits:
+ - Ability to disable shadow passwords at configure time
+ - Ability to disable lastlog support at configure time
+ - Support for IP address in $DISPLAY
+ - OpenBSD CVS update:
+ - [sshconnect.c]
+ say "REMOTE HOST IDENTIFICATION HAS CHANGED"
+ - Fix DISABLE_SHADOW support
+ - Allow MD5 passwords even if shadow passwords are disabled
+ - Release 1.2.1pre19
+
+19991218
+ - Redhat init script patch from Chun-Chung Chen
+
+ - Avoid breakage on systems without IPv6 headers
+
+19991216
+ - Makefile changes for Solaris from Peter Kocks
+
+ - Minor updates to docs
+ - Merged OpenBSD CVS changes:
+ - [authfd.c ssh-agent.c]
+ keysize warnings talk about identity files
+ - [packet.c]
+ "Connection closed by x.x.x.x": fatal() -> log()
+ - Correctly handle empty passwords in shadow file. Patch from:
+ "Chris, the Young One"
+ - Released 1.2.1pre18
+
+19991215
+ - Integrated patchs from Juergen Keil
+ - Avoid void* pointer arithmatic
+ - Use LDFLAGS correctly
+ - Fix SIGIO error in scp
+ - Simplify status line printing in scp
+ - Added better test for inline functions compiler support from
+ Darren_Hall@progressive.com
+
+19991214
+ - OpenBSD CVS Changes
+ - [canohost.c]
+ fix get_remote_port() and friends for sshd -i;
+ Holger.Trapp@Informatik.TU-Chemnitz.DE
+ - [mpaux.c]
+ make code simpler. no need for memcpy. niels@ ok
+ - [pty.c]
+ namebuflen not sizeof namebuflen; bnd@ep-ag.com via djm@mindrot.org
+ fix proto; markus
+ - [ssh.1]
+ typo; mark.baushke@solipsa.com
+ - [channels.c ssh.c ssh.h sshd.c]
+ type conflict for 'extern Type *options' in channels.c; dot@dotat.at
+ - [sshconnect.c]
+ move checking of hostkey into own function.
+ - [version.h]
+ OpenSSH-1.2.1
+ - Clean up broken includes in pty.c
+ - Some older systems don't have poll.h, they use sys/poll.h instead
+ - Doc updates
+
+19991211
+ - Fix compilation on systems with AFS. Reported by
+ aloomis@glue.umd.edu
+ - Fix installation on Solaris. Reported by
+ Gordon Rowell
+ - Fix gccisms (__attribute__ and inline). Report by edgy@us.ibm.com,
+ patch from Markus Friedl
+ - Auto-locate xauth. Patch from David Agraz
+ - Compile fix from David Agraz
+ - Avoid compiler warning in bsd-snprintf.c
+ - Added pam_limits.so to default PAM config. Suggested by
+ Jim Knoble
+
+19991209
+ - Import of patch from Ben Taylor :
+ - Improved PAM support
+ - "uninstall" rule for Makefile
+ - utmpx support
+ - Should fix PAM problems on Solaris
+ - OpenBSD CVS updates:
+ - [readpass.c]
+ avoid stdio; based on work by markus, millert, and I
+ - [sshd.c]
+ make sure the client selects a supported cipher
+ - [sshd.c]
+ fix sighup handling. accept would just restart and daemon handled
+ sighup only after the next connection was accepted. use poll on
+ listen sock now.
+ - [sshd.c]
+ make that a fatal
+ - Applied patch from David Rankin
+ to fix libwrap support on NetBSD
+ - Released 1.2pre17
+
+19991208
+ - Compile fix for Solaris with /dev/ptmx from
+ David Agraz
+
+19991207
+ - sshd Redhat init script patch from Jim Knoble
+ fixes compatability with 4.x and 5.x
+ - Fixed default SSH_ASKPASS
+ - Fix PAM account and session being called multiple times. Problem
+ reported by Adrian Baugh
+ - Merged more OpenBSD changes:
+ - [atomicio.c authfd.c scp.c serverloop.c ssh.h sshconnect.c sshd.c]
+ move atomicio into it's own file. wrap all socket write()s which
+ were doing write(sock, buf, len) != len, with atomicio() calls.
+ - [auth-skey.c]
+ fd leak
+ - [authfile.c]
+ properly name fd variable
+ - [channels.c]
+ display great hatred towards strcpy
+ - [pty.c pty.h sshd.c]
+ use openpty() if it exists (it does on BSD4_4)
+ - [tildexpand.c]
+ check for ~ expansion past MAXPATHLEN
+ - Modified helper.c to use new atomicio function.
+ - Reformat Makefile a little
+ - Moved RC4 routines from rc4.[ch] into helper.c
+ - Added autoconf code to detect /dev/ptmx (Solaris) and /dev/ptc (AIX)
+ - Updated SuSE spec from Chris Saia
+ - Tweaked Redhat spec
+ - Clean up bad imports of a few files (forgot -kb)
+ - Released 1.2pre16
+
+19991204
+ - Small cleanup of PAM code in sshd.c
+ - Merged OpenBSD CVS changes:
+ - [auth-krb4.c auth-passwd.c auth-skey.c ssh.h]
+ move skey-auth from auth-passwd.c to auth-skey.c, same for krb4
+ - [auth-rsa.c]
+ warn only about mismatch if key is _used_
+ warn about keysize-mismatch with log() not error()
+ channels.c readconf.c readconf.h ssh.c ssh.h sshconnect.c
+ ports are u_short
+ - [hostfile.c]
+ indent, shorter warning
+ - [nchan.c]
+ use error() for internal errors
+ - [packet.c]
+ set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
+ serverloop.c
+ indent
+ - [ssh-add.1 ssh-add.c ssh.h]
+ document $SSH_ASKPASS, reasonable default
+ - [ssh.1]
+ CheckHostIP is not available for connects via proxy command
+ - [sshconnect.c]
+ typo
+ easier to read client code for passwd and skey auth
+ turn of checkhostip for proxy connects, since we don't know the remote ip
+
+19991126
+ - Add definition for __P()
+ - Added [v]snprintf() replacement for systems that lack it
+
+19991125
+ - More reformatting merged from OpenBSD CVS
+ - Merged OpenBSD CVS changes:
+ - [channels.c]
+ fix packet_integrity_check() for !have_hostname_in_open.
+ report from mrwizard@psu.edu via djm@ibs.com.au
+ - [channels.c]
+ set SO_REUSEADDR and SO_LINGER for forwarded ports.
+ chip@valinux.com via damien@ibs.com.au
+ - [nchan.c]
+ it's not an error() if shutdown_write failes in nchan.
+ - [readconf.c]
+ remove dead #ifdef-0-code
+ - [readconf.c servconf.c]
+ strcasecmp instead of tolower
+ - [scp.c]
+ progress meter overflow fix from damien@ibs.com.au
+ - [ssh-add.1 ssh-add.c]
+ SSH_ASKPASS support
+ - [ssh.1 ssh.c]
+ postpone fork_after_authentication until command execution,
+ request/patch from jahakala@cc.jyu.fi via damien@ibs.com.au
+ plus: use daemon() for backgrounding
+ - Added BSD compatible install program and autoconf test, thanks to
+ Niels Kristian Bech Jensen
+ - Solaris fixing, thanks to Ben Taylor
+ - Merged beginnings of AIX support from Tor-Ake Fransson
+ - Release 1.2pre15
+
+19991124
+ - Merged very large OpenBSD source code reformat
+ - OpenBSD CVS updates
+ - [channels.c cipher.c compat.c log-client.c scp.c serverloop.c]
+ [ssh.h sshd.8 sshd.c]
+ syslog changes:
+ * Unified Logmessage for all auth-types, for success and for failed
+ * Standard connections get only ONE line in the LOG when level==LOG:
+ Auth-attempts are logged only, if authentication is:
+ a) successfull or
+ b) with passwd or
+ c) we had more than AUTH_FAIL_LOG failues
+ * many log() became verbose()
+ * old behaviour with level=VERBOSE
+ - [readconf.c readconf.h ssh.1 ssh.h sshconnect.c sshd.c]
+ tranfer s/key challenge/response data in SSH_SMSG_AUTH_TIS_CHALLENGE
+ messages. allows use of s/key in windows (ttssh, securecrt) and
+ ssh-1.2.27 clients without 'ssh -v', ok: niels@
+ - [sshd.8]
+ -V, for fallback to openssh in SSH2 compatibility mode
+ - [sshd.c]
+ fix sigchld race; cjc5@po.cwru.edu
+
+19991123
+ - Added SuSE package files from Chris Saia
+ - Restructured package-related files under packages/*
+ - Added generic PAM config
+ - Numerous little Solaris fixes
+ - Add recommendation to use GNU make to INSTALL document
+
+19991122
+ - Make close gnome-ssh-askpass (Debian bug #50299)
+ - OpenBSD CVS Changes
+ - [ssh-keygen.c]
+ don't create ~/.ssh only if the user wants to store the private
+ key there. show fingerprint instead of public-key after
+ keygeneration. ok niels@
+ - Added OpenBSD bsd-strlcat.c, created bsd-strlcat.h
+ - Added timersub() macro
+ - Tidy RCSIDs of bsd-*.c
+ - Added autoconf test and macro to deal with old PAM libraries
+ pam_strerror definition (one arg vs two).
+ - Fix EGD problems (Thanks to Ben Taylor )
+ - Retry /dev/urandom reads interrupted by signal (report from
+ Robert Hardy )
+ - Added a setenv replacement for systems which lack it
+ - Only display public key comment when presenting ssh-askpass dialog
+ - Released 1.2pre14
+
+ - Configure, Make and changelog corrections from Tudor Bosman
+ and Niels Kristian Bech Jensen
+
+19991121
+ - OpenBSD CVS Changes:
+ - [channels.c]
+ make this compile, bad markus
+ - [log.c readconf.c servconf.c ssh.h]
+ bugfix: loglevels are per host in clientconfig,
+ factor out common log-level parsing code.
+ - [servconf.c]
+ remove unused index (-Wall)
+ - [ssh-agent.c]
+ only one 'extern char *__progname'
+ - [sshd.8]
+ document SIGHUP, -Q to synopsis
+ - [sshconnect.c serverloop.c sshd.c packet.c packet.h]
+ [channels.c clientloop.c]
+ SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@
+ [hope this time my ISP stays alive during commit]
+ - [OVERVIEW README] typos; green@freebsd
+ - [ssh-keygen.c]
+ replace xstrdup+strcat with strlcat+fixed buffer, fixes OF (bad me)
+ exit if writing the key fails (no infinit loop)
+ print usage() everytime we get bad options
+ - [ssh-keygen.c] overflow, djm@mindrot.org
+ - [sshd.c] fix sigchld race; cjc5@po.cwru.edu
+
+19991120
+ - Merged more Solaris support from Marc G. Fournier
+
+ - Wrote autoconf tests for integer bit-types
+ - Fixed enabling kerberos support
+ - Fix segfault in ssh-keygen caused by buffer overrun in filename
+ handling.
+
+19991119
+ - Merged PAM buffer overrun patch from Chip Salzenberg
+ - Merged OpenBSD CVS changes
+ - [auth-rhosts.c auth-rsa.c ssh-agent.c sshconnect.c sshd.c]
+ more %d vs. %s in fmt-strings
+ - [authfd.c]
+ Integers should not be printed with %s
+ - EGD uses a socket, not a named pipe. Duh.
+ - Fix includes in fingerprint.c
+ - Fix scp progress bar bug again.
+ - Move ssh-askpass from ${libdir}/ssh to ${libexecdir}/ssh at request of
+ David Rankin
+ - Added autoconf option to enable Kerberos 4 support (untested)
+ - Added autoconf option to enable AFS support (untested)
+ - Added autoconf option to enable S/Key support (untested)
+ - Added autoconf option to enable TCP wrappers support (compiles OK)
+ - Renamed BSD helper function files to bsd-*
+ - Added tests for login and daemon and enable OpenBSD replacements for
+ when they are absent.
+ - Added non-PAM MD5 password support patch from Tudor Bosman
+
+19991118
+ - Merged OpenBSD CVS changes
+ - [scp.c] foregroundproc() in scp
+ - [sshconnect.h] include fingerprint.h
+ - [sshd.c] bugfix: the log() for passwd-auth escaped during logging
+ changes.
+ - [ssh.1] Spell my name right.
+ - Added openssh.com info to README
+
+19991117
+ - Merged OpenBSD CVS changes
+ - [ChangeLog.Ylonen] noone needs this anymore
+ - [authfd.c] close-on-exec for auth-socket, ok deraadt
+ - [hostfile.c]
+ in known_hosts key lookup the entry for the bits does not need
+ to match, all the information is contained in n and e. This
+ solves the problem with buggy servers announcing the wrong
+ modulus length. markus and me.
+ - [serverloop.c]
+ bugfix: check for space if child has terminated, from:
+ iedowse@maths.tcd.ie
+ - [ssh-add.1 ssh-add.c ssh-keygen.1 ssh-keygen.c sshconnect.c]
+ [fingerprint.c fingerprint.h]
+ rsa key fingerprints, idea from Bjoern Groenvall
+ - [ssh-agent.1] typo
+ - [ssh.1] add OpenSSH information to AUTHOR section. okay markus@
+ - [sshd.c]
+ force logging to stderr while loading private key file
+ (lost while converting to new log-levels)
+
+19991116
+ - Fix some Linux libc5 problems reported by Miles Wilson
+ - Merged OpenBSD CVS changes:
+ - [auth-rh-rsa.c auth-rsa.c authfd.c authfd.h hostfile.c mpaux.c]
+ [mpaux.h ssh-add.c ssh-agent.c ssh.h ssh.c sshd.c]
+ the keysize of rsa-parameter 'n' is passed implizit,
+ a few more checks and warnings about 'pretended' keysizes.
+ - [cipher.c cipher.h packet.c packet.h sshd.c]
+ remove support for cipher RC4
+ - [ssh.c]
+ a note for legay systems about secuity issues with permanently_set_uid(),
+ the private hostkey and ptrace()
+ - [sshconnect.c]
+ more detailed messages about adding and checking hostkeys
+
+19991115
+ - Merged OpenBSD CVS changes:
+ - [ssh-add.c] change passphrase loop logic and remove ref to
+ $DISPLAY, ok niels
+ - Changed to ssh-add.c broke askpass support. Revised it to be a little more
+ modular.
+ - Revised autoconf support for enabling/disabling askpass support.
+ - Merged more OpenBSD CVS changes:
+ [auth-krb4.c]
+ - disconnect if getpeername() fails
+ - missing xfree(*client)
+ [canohost.c]
+ - disconnect if getpeername() fails
+ - fix comment: we _do_ disconnect if ip-options are set
+ [sshd.c]
+ - disconnect if getpeername() fails
+ - move checking of remote port to central place
+ [auth-rhosts.c] move checking of remote port to central place
+ [log-server.c] avoid extra fd per sshd, from millert@
+ [readconf.c] print _all_ bad config-options in ssh(1), too
+ [readconf.h] print _all_ bad config-options in ssh(1), too
+ [ssh.c] print _all_ bad config-options in ssh(1), too
+ [sshconnect.c] disconnect if getpeername() fails
+ - OpenBSD's changes to sshd.c broke the PAM stuff, re-merged it.
+ - Various small cleanups to bring diff (against OpenBSD) size down.
+ - Merged more Solaris compability from Marc G. Fournier
+
+ - Wrote autoconf tests for __progname symbol
+ - RPM spec file fixes from Jim Knoble
+ - Released 1.2pre12
+
+ - Another OpenBSD CVS update:
+ - [ssh-keygen.1] fix .Xr
+
+19991114
+ - Solaris compilation fixes (still imcomplete)
+
+19991113
+ - Build patch from Niels Kristian Bech Jensen
+ - Don't install config files if they already exist
+ - Fix inclusion of additional preprocessor directives from acconfig.h
+ - Removed redundant inclusions of config.h
+ - Added 'Obsoletes' lines to RPM spec file
+ - Merged OpenBSD CVS changes:
+ - [bufaux.c] save a view malloc/memcpy/memset/free's, ok niels
+ - [scp.c] fix overflow reported by damien@ibs.com.au: off_t
+ totalsize, ok niels,aaron
+ - Delay fork (-f option) in ssh until after port forwarded connections
+ have been initialised. Patch from Jani Hakala
+ - Added shadow password patch from Thomas Neumann
+ - Added ifdefs to auth-passwd.c to exclude it when PAM is enabled
+ - Tidied default config file some more
+ - Revised Redhat initscript to fix bug: sshd (re)start would fail
+ if executed from inside a ssh login.
+
+19991112
+ - Merged changes from OpenBSD CVS
+ - [sshd.c] session_key_int may be zero
+ - [auth-rh-rsa.c servconf.c servconf.h ssh.h sshd.8 sshd.c sshd_config]
+ IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok
+ deraadt,millert
+ - Brought default sshd_config more in line with OpenBSD's
+ - Grab server in gnome-ssh-askpass (Debian bug #49872)
+ - Released 1.2pre10
+
+ - Added INSTALL documentation
+ - Merged yet more changes from OpenBSD CVS
+ - [auth-rh-rsa.c auth-rhosts.c auth-rsa.c channels.c clientloop.c]
+ [ssh.c ssh.h sshconnect.c sshd.c]
+ make all access to options via 'extern Options options'
+ and 'extern ServerOptions options' respectively;
+ options are no longer passed as arguments:
+ * make options handling more consistent
+ * remove #include "readconf.h" from ssh.h
+ * readconf.h is only included if necessary
+ - [mpaux.c] clear temp buffer
+ - [servconf.c] print _all_ bad options found in configfile
+ - Make ssh-askpass support optional through autoconf
+ - Fix nasty division-by-zero error in scp.c
+ - Released 1.2pre11
+
+19991111
+ - Added (untested) Entropy Gathering Daemon (EGD) support
+ - Fixed /dev/urandom fd leak (Debian bug #49722)
+ - Merged OpenBSD CVS changes:
+ - [auth-rh-rsa.c] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too
+ - [ssh.1] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too
+ - [sshd.8] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too
+ - Fix integer overflow which was messing up scp's progress bar for large
+ file transfers. Fix submitted to OpenBSD developers. Report and fix
+ from Kees Cook
+ - Merged more OpenBSD CVS changes:
+ - [auth-krb4.c auth-passwd.c] remove x11- and krb-cleanup from fatal()
+ + krb-cleanup cleanup
+ - [clientloop.c log-client.c log-server.c ]
+ [readconf.c readconf.h servconf.c servconf.h ]
+ [ssh.1 ssh.c ssh.h sshd.8]
+ add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
+ obsoletes QuietMode and FascistLogging in sshd.
+ - [sshd.c] fix fatal/assert() bug reported by damien@ibs.com.au:
+ allow session_key_int != sizeof(session_key)
+ [this should fix the pre-assert-removal-core-files]
+ - Updated default config file to use new LogLevel option and to improve
+ readability
+
+19991110
+ - Merged several minor fixes:
+ - ssh-agent commandline parsing
+ - RPM spec file now installs ssh setuid root
+ - Makefile creates libdir
+ - Merged beginnings of Solaris compability from Marc G. Fournier
+
+
+19991109
+ - Autodetection of SSL/Crypto library location via autoconf
+ - Fixed location of ssh-askpass to follow autoconf
+ - Integrated Makefile patch from Niels Kristian Bech Jensen
+ - Autodetection of RSAref library for US users
+ - Minor doc updates
+ - Merged OpenBSD CVS changes:
+ - [rsa.c] bugfix: use correct size for memset()
+ - [sshconnect.c] warn if announced size of modulus 'n' != real size
+ - Added GNOME passphrase requestor (use --with-gnome-askpass)
+ - RPM build now creates subpackages
+ - Released 1.2pre9
+
+19991108
+ - Removed debian/ directory. This is now being maintained separately.
+ - Added symlinks for slogin in RPM spec file
+ - Fixed permissions on manpages in RPM spec file
+ - Added references to required libraries in README file
+ - Removed config.h.in from CVS
+ - Removed pwdb support (better pluggable auth is provided by glibc)
+ - Made PAM and requisite libdl optional
+ - Removed lots of unnecessary checks from autoconf
+ - Added support and autoconf test for openpty() function (Unix98 pty support)
+ - Fix for scp not finding ssh if not installed as /usr/bin/ssh
+ - Added TODO file
+ - Merged parts of Debian patch From Phil Hands :
+ - Added ssh-askpass program
+ - Added ssh-askpass support to ssh-add.c
+ - Create symlinks for slogin on install
+ - Fix "distclean" target in makefile
+ - Added example for ssh-agent to manpage
+ - Added support for PAM_TEXT_INFO messages
+ - Disable internal /etc/nologin support if PAM enabled
+ - Merged latest OpenBSD CVS changes:
+ - [all] replace assert() with error, fatal or packet_disconnect
+ - [sshd.c] don't send fail-msg but disconnect if too many authentication
+ failures
+ - [sshd.c] remove unused argument. ok dugsong
+ - [sshd.c] typo
+ - [rsa.c] clear buffers used for encryption. ok: niels
+ - [rsa.c] replace assert() with error, fatal or packet_disconnect
+ - [auth-krb4.c] remove unused argument. ok dugsong
+ - Fixed coredump after merge of OpenBSD rsa.c patch
+ - Released 1.2pre8
+
+19991102
+ - Merged change from OpenBSD CVS
+ - One-line cleanup in sshd.c
+
+19991030
+ - Integrated debian package support from Dan Brosemer
+ - Merged latest updates for OpenBSD CVS:
+ - channels.[ch] - remove broken x11 fix and document istate/ostate
+ - ssh-agent.c - call setsid() regardless of argv[]
+ - ssh.c - save a few lines when disabling rhosts-{rsa-}auth
+ - Documentation cleanups
+ - Renamed README -> README.Ylonen
+ - Renamed README.openssh ->README
+
+19991029
+ - Renamed openssh* back to ssh* at request of Theo de Raadt
+ - Incorporated latest changes from OpenBSD's CVS
+ - Integrated Makefile patch from Niels Kristian Bech Jensen
+ - Integrated PAM env patch from Nalin Dahyabhai
+ - Make distclean now removed configure script
+ - Improved PAM logging
+ - Added some debug() calls for PAM
+ - Removed redundant subdirectories
+ - Integrated part of a patch from Dan Brosemer for
+ building on Debian.
+ - Fixed off-by-one error in PAM env patch
+ - Released 1.2pre6
+
+19991028
+ - Further PAM enhancements.
+ - Much cleaner
+ - Now uses account and session modules for all logins.
+ - Integrated patch from Dan Brosemer
+ - Build fixes
+ - Autoconf
+ - Change binary names to open*
+ - Fixed autoconf script to detect PAM on RH6.1
+ - Added tests for libpwdb, and OpenBSD functions to autoconf
+ - Released 1.2pre4
+
+ - Imported latest OpenBSD CVS code
+ - Updated README.openssh
+ - Released 1.2pre5
+
+19991027
+ - Adapted PAM patch.
+ - Released 1.0pre2
+
+ - Excised my buggy replacements for strlcpy and mkdtemp
+ - Imported correct OpenBSD strlcpy and mkdtemp routines.
+ - Reduced arc4random_stir entropy read to 32 bytes (256 bits)
+ - Picked up correct version number from OpenBSD
+ - Added sshd.pam PAM configuration file
+ - Added sshd.init Redhat init script
+ - Added openssh.spec RPM spec file
+ - Released 1.2pre3
+
+19991026
+ - Fixed include paths of OpenSSL functions
+ - Use OpenSSL MD5 routines
+ - Imported RC4 code from nanocrypt
+ - Wrote replacements for OpenBSD arc4random* functions
+ - Wrote replacements for strlcpy and mkdtemp
+ - Released 1.0pre1
diff -ruN --exclude CVS ssh-openbsd-2000070100/INSTALL openssh-2.1.1p2/INSTALL
--- ssh-openbsd-2000070100/INSTALL Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/INSTALL Sat Jun 10 08:33:38 2000
@@ -0,0 +1,192 @@ +1. Prerequisites +---------------- + +You will need working installations of Zlib and OpenSSL. + +Zlib: +http://www.freesoftware.com/pub/infozip/zlib/ + +OpenSSL 0.9.5a or greater: +http://www.openssl.org/ + +RPMs of OpenSSL are available at http://violet.ibs.com.au/openssh/files/support + +OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system +supports it. PAM is standard on Redhat and Debian Linux and on Solaris. + +PAM: +http://www.kernel.org/pub/linux/libs/pam/ + +If you wish to build the GNOME passphrase requester, you will need the GNOME +libraries and headers. + +GNOME: +http://www.gnome.org/ + +Alternatively, Jim Knoble has written an excellent X11 +passphrase requester. This is maintained separately at: + +http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html + +The Entropy Gathering Daemon (EGD) is supported if you have a system which +lacks /dev/random and don't want to use OpenSSH's internal entropy collection. + +EGD: +http://www.lothar.com/tech/crypto/ + +GNU Make: +ftp://ftp.gnu.org/gnu/make/ + +OpenSSH has only been tested with GNU make. It may work with other +'make' programs, but you are on your own. + +2. Building / Installation +-------------------------- + +To install OpenSSH with default options: + +./configure +make +make install + +This will install the OpenSSH binaries in /usr/local/bin, configuration files +in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different +installation prefix, use the --prefix option to configure: + +./configure --prefix=/opt +make +make install + +Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override +specific paths, for example: + +./configure --prefix=/opt --sysconfdir=/etc/ssh +make +make install + +This will install the binaries in /opt/{bin,lib,sbin}, but will place the +configuration files in /etc/ssh. 
+ +If you are using PAM, you will need to manually install a PAM +control file as "/etc/pam.d/sshd" (or wherever your system +prefers to keep them). A generic PAM configuration is included as +"contrib/sshd.pam.generic", you may need to edit it before using it on +your system. If you are using a recent version of Redhat Linux, the +config file in contrib/redhat/sshd.pam should be more useful. +Failure to install a valid PAM file may result in an inability to +use password authentication. + +There are a few other options to the configure script: + +--with-rsh=PATH allows you to specify the path to your rsh program. +Normally ./configure will search the current $PATH for 'rsh'. You +may need to specify this option if rsh is not in your path or has a +different name. + +--without-pam will disable PAM support. PAM is automatically detected +and switched on if found. + +--enable-gnome-askpass will build the GNOME passphrase dialog. You +need a working installation of GNOME, including the development +headers, for this to work. + +--with-random=/some/file allows you to specify an alternate source of +random numbers (the default is /dev/urandom). Unless you are absolutely +sure of what you are doing, it is best to leave this alone. + +--with-egd-pool=/some/file allows you to enable Entropy Gathering +Daemon support and to specify a EGD pool socket. Use this if your +Unix lacks /dev/random and you don't want to use OpenSSH's builtin +entropy collection support. + +--with-lastlog=FILE will specify the location of the lastlog file. +./configure searches a few locations for lastlog, but may not find +it if lastlog is installed in a different place. + +--without-lastlog will disable lastlog support entirely. + +--with-kerberos4=PATH will enable Kerberos IV support. You will need +to have the Kerberos libraries and header files installed for this +to work. Use the optional PATH argument to specify the root of your +Kerberos installation. 
+ +--with-afs=PATH will enable AFS support. You will need to have the +Kerberos IV and the AFS libraries and header files installed for this +to work. Use the optional PATH argument to specify the root of your +AFS installation. AFS requires Kerberos support to be enabled. + +--with-skey will enable S/Key one time password support. You will need +the S/Key libraries and header files installed for this to work. + +--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny) +support. You will need libwrap.a and tcpd.h installed. + +--with-md5-passwords will enable the use of MD5 passwords. Enable this +if your operating system uses MD5 passwords without using PAM. + +--with-utmpx enables utmpx support. utmpx support is automatic for +some platforms. + +--without-shadow disables shadow password support. + +--with-ipaddr-display forces the use of a numeric IP address in the +$DISPLAY environment variable. Some broken systems need this. + +--with-default-path=PATH allows you to specify a default $PATH for sessions +started by sshd. This replaces the standard path entirely. + +--with-pid-dir=PATH specifies the directory in which the ssh.pid file is +created. + +--with-xauth=PATH specifies the location of the xauth binary + +--with-ipv4-default instructs OpenSSH to use IPv4 by default for new +connections. Normally OpenSSH will try attempt to lookup both IPv6 and +IPv4 addresses. On Linux/glibc-2.1.2 this causes long delays in name +resolution. If this option is specified, you can still attempt to +connect to IPv6 addresses using the command line option '-6'. + +--with-ssl-dir=DIR allows you to specify where your OpenSSL libraries +are installed. + +--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to +real (AF_INET) IPv4 addresses. Works around some quirks on Linux. + +If you need to pass special options to the compiler or linker, you +can specify these as environment variables before running ./configure. 
+For example: + +CFLAGS="-O -m486" LFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure + +3. Configuration +---------------- + +The runtime configuration files are installed by in ${prefix}/etc or +whatever you specified as your --sysconfdir (/usr/local/etc by default). + +The default configuration should be instantly usable, though you should +review it to ensure that it matches your security requirements. + +To generate a host key, run "make host-key". Alternately you can do so +manually using the following commands: + + ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N "" + ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N "" + +Replacing /etc/ssh with the correct path to the configuration directory. +(${prefix}/etc or whatever you specified with --sysconfdir during +configuration) + +If you have configured OpenSSH with EGD support, ensure that EGD is +running and has collected some Entropy. + +For more information on configuration, please refer to the manual pages +for sshd, ssh and ssh-agent. + +4. Problems? +------------ + +If you experience problems compiling, installing or running OpenSSH. +Please refer to the "reporting bugs" section of the webpage at +http://www.openssh.com/ + diff -ruN --exclude CVS ssh-openbsd-2000070100/Makefile openssh-2.1.1p2/Makefile --- ssh-openbsd-2000070100/Makefile Sun Jan 16 18:14:50 2000 +++ openssh-2.1.1p2/Makefile Thu Jan 1 10:00:00 1970 @@ -1,13 +0,0 @@ -# $OpenBSD: Makefile,v 1.5 1999/10/25 20:27:26 markus Exp $ - -.include - -SUBDIR= lib ssh sshd ssh-add ssh-keygen ssh-agent scp - -distribution: - install -C -o root -g wheel -m 0644 ${.CURDIR}/ssh_config \ - ${DESTDIR}/etc/ssh_config - install -C -o root -g wheel -m 0644 ${.CURDIR}/sshd_config \ - ${DESTDIR}/etc/sshd_config - -.include diff -ruN --exclude CVS ssh-openbsd-2000070100/Makefile.in openssh-2.1.1p2/Makefile.in --- ssh-openbsd-2000070100/Makefile.in Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/Makefile.in Wed Jun 28 08:24:49 2000 
@@ -0,0 +1,196 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+bindir=@bindir@
+sbindir=@sbindir@
+libexecdir=@libexecdir@
+mandir=@mandir@
+mansubdir=@mansubdir@
+sysconfdir=@sysconfdir@
+piddir=@piddir@
+srcdir=@srcdir@
+top_srcdir=@top_srcdir@
+
+DESTDIR=
+
+VPATH=@srcdir@
+
+SSH_PROGRAM=@bindir@/ssh
+ASKPASS_LOCATION=@libexecdir@/ssh
+ASKPASS_PROGRAM=$(ASKPASS_LOCATION)/ssh-askpass
+
+CC=@CC@
+LD=@LD@
+PATHS=-DETCDIR=\"$(sysconfdir)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DSSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\"
+CFLAGS=@CFLAGS@ $(PATHS) @DEFS@
+LIBS=@LIBS@
+AR=@AR@
+RANLIB=@RANLIB@
+INSTALL=@INSTALL@
+PERL=@PERL@
+ENT=@ENT@
+LDFLAGS=-L. @LDFLAGS@
+
+INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
+
+TARGETS=ssh sshd ssh-add ssh-keygen ssh-agent scp $(EXTRA_TARGETS)
+
+LIBSSH_OBJS=atomicio.o authfd.o authfile.o aux.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o dispatch.o dsa.o fingerprint.o hmac.o hostfile.o key.o kex.o log.o match.o mpaux.o nchan.o packet.o radix.o entropy.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o uuencode.o xmalloc.o
+
+LIBOPENBSD_COMPAT_OBJS=bsd-base64.o bsd-bindresvport.o bsd-daemon.o bsd-misc.o bsd-mktemp.o bsd-rresvport.o bsd-setenv.o bsd-snprintf.o bsd-strlcat.o bsd-strlcpy.o fake-getaddrinfo.o fake-getnameinfo.o next-posix.o
+
+SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o
+
+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o
+
+TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8
+CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh.0 sshd.0
+MANPAGES = @MANTYPE@
+
+CONFIGFILES=sshd_config ssh_config
+
+PATHSUBS = -D/etc/ssh_config=$(sysconfdir)/ssh_config -D/etc/known_hosts=$(sysconfdir)/ssh_known_hosts -D/etc/sshd_config=$(sysconfdir)/sshd_config -D/etc/shosts.equiv=$(sysconfdir)/shosts.equiv -D/etc/ssh_host_key=$(sysconfdir)/ssh_host_key -D/var/run/sshd.pid=$(piddir)/sshd.pid
+
+FIXPATHSCMD = $(PERL) $(srcdir)/fixpaths $(PATHSUBS)
+
+all: $(TARGETS) $(CONFIGFILES)
+
+manpages: $(MANPAGES)
+
+$(LIBSSH_OBJS): config.h
+
+$(LIBOPENBSD_COMPAT_OBJS): config.h
+
+libopenbsd-compat.a: $(LIBOPENBSD_COMPAT_OBJS)
+ $(AR) rv $@ $(LIBOPENBSD_COMPAT_OBJS)
+ $(RANLIB) $@
+
+libssh.a: $(LIBSSH_OBJS)
+ $(AR) rv $@ $(LIBSSH_OBJS)
+ $(RANLIB) $@
+
+ssh: libopenbsd-compat.a libssh.a $(SSHOBJS)
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
+sshd: libssh.a libopenbsd-compat.a $(SSHDOBJS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
+scp: libopenbsd-compat.a libssh.a scp.o
+ $(LD) -o $@ scp.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
+ssh-add: libopenbsd-compat.a libssh.a ssh-add.o log-client.o
+ $(LD) -o $@ ssh-add.o log-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
+ssh-agent: libopenbsd-compat.a libssh.a ssh-agent.o log-client.o
+ $(LD) -o $@ ssh-agent.o log-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
+ssh-keygen: libopenbsd-compat.a libssh.a ssh-keygen.o log-client.o
+ $(LD) -o $@ ssh-keygen.o log-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
+# test driver for the loginrec code - not built by default
+logintest: logintest.o libopenbsd-compat.a libssh.a log-client.o loginrec.o
+ $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh log-client.o $(LIBS)
+
+$(MANPAGES) $(CONFIGFILES)::
+ $(FIXPATHSCMD) $(srcdir)/$@
+
+clean:
+ rm -f *.o *.a $(TARGETS) logintest config.cache config.log
+ rm -f *.out core
+
+distclean: clean
+ rm -f Makefile config.h config.status ssh_prng_cmds *~
+
+mrproper: distclean
+
+veryclean: distclean
+ rm -f configure config.h.in *.0
+
+catman-do:
+ @for f in $(TROFFMAN) ; do \
+ echo "$$f -> $${f%%.[18]}.0" ; \
+ nroff -mandoc $$f | cat -v | sed -e 's/.\^H//g' \
+ >$${f%%.[18]}.0 ; \
+ done
+
+distprep: catman-do
+ autoreconf
+
+install: manpages $(TARGETS) install-files host-key
+
+install-files:
+ ./mkinstalldirs $(DESTDIR)$(bindir)
+ ./mkinstalldirs $(DESTDIR)$(sbindir)
+ ./mkinstalldirs $(DESTDIR)$(mandir)
+ ./mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1
+ ./mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8
+ $(INSTALL) -m 4755 -s ssh $(DESTDIR)$(bindir)/ssh
+ $(INSTALL) -s scp $(DESTDIR)$(bindir)/scp
+ $(INSTALL) -s ssh-add $(DESTDIR)$(bindir)/ssh-add
+ $(INSTALL) -s ssh-agent $(DESTDIR)$(bindir)/ssh-agent
+ $(INSTALL) -s ssh-keygen $(DESTDIR)$(bindir)/ssh-keygen
+ $(INSTALL) -s sshd $(DESTDIR)$(sbindir)/sshd
+ $(INSTALL) -m 644 ssh.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
+ $(INSTALL) -m 644 scp.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
+ $(INSTALL) -m 644 ssh-add.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
+ $(INSTALL) -m 644 ssh-agent.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
+ $(INSTALL) -m 644 ssh-keygen.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
+ $(INSTALL) -m 644 sshd.[08].out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
+ -rm -f $(DESTDIR)$(bindir)/slogin
+ ln -s ssh $(DESTDIR)$(bindir)/slogin
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
+ ln -s ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
+ if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config -a ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \
+ ./mkinstalldirs $(DESTDIR)$(sysconfdir); \
+ $(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \
+ $(INSTALL) -m 644 sshd_config.out $(DESTDIR)$(sysconfdir)/sshd_config; \
+ fi
+ if [ -f ssh_prng_cmds -a ! -z "$(INSTALL_SSH_PRNG_CMDS)" ]; then \
+ $(PERL) fixprogs ssh_prng_cmds $(ENT); \
+ $(INSTALL) -m 644 ssh_prng_cmds.out $(DESTDIR)$(sysconfdir)/ssh_prng_cmds; \
+ fi
+
+host-key: ssh-keygen
+ if [ -f "$(sysconfdir)/ssh_host_key" ] ; then \
+ echo "$(sysconfdir)/ssh_host_key already exists, skipping." ; \
+ else \
+ ./ssh-keygen -b 1024 -f $(sysconfdir)/ssh_host_key -N "" ; \
+ fi ; \
+ if [ -f $(sysconfdir)/ssh_host_dsa_key ] ; then \
+ echo "$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \
+ else \
+ ./ssh-keygen -d -f $(sysconfdir)/ssh_host_dsa_key -N "" ; \
+ fi ;
+
+host-key-force: ssh-keygen
+ ./ssh-keygen -b 1024 -f $(sysconfdir)/ssh_host_key -N ""
+ ./ssh-keygen -d -f $(sysconfdir)/ssh_host_dsa_key -N ""
+
+uninstallall: uninstall
+ -rm -f $(DESTDIR)$(sysconfdir)/ssh_config
+ -rm -f $(DESTDIR)$(sysconfdir)/sshd_config
+ -rm -f $(DESTDIR)$(sysconfdir)/ssh_prng_cmds
+ -rmdir $(DESTDIR)$(sysconfdir)
+ -rmdir $(DESTDIR)$(bindir)
+ -rmdir $(DESTDIR)$(sbindir)
+ -rmdir $(DESTDIR)$(mandir)/$(mansubdir)1
+ -rmdir $(DESTDIR)$(mandir)/$(mansubdir)8
+ -rmdir $(DESTDIR)$(mandir)
+ -rmdir $(DESTDIR)$(libexecdir)
+
+uninstall:
+ -rm -f $(DESTDIR)$(bindir)/ssh
+ -rm -f $(DESTDIR)$(bindir)/scp
+ -rm -f $(DESTDIR)$(bindir)/ssh-add
+ -rm -f $(DESTDIR)$(bindir)/ssh-agent
+ -rm -f $(DESTDIR)$(bindir)/ssh-keygen
+ -rm -f $(DESTDIR)$(sbindir)/sshd
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
+ -rm -f $(DESTDIR)$(bindir)/slogin
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
+ -rm -f $(DESTDIR)${ASKPASS_PROGRAM}
+ -rmdir $(DESTDIR)$(libexecdir)/ssh ;
diff -ruN --exclude CVS ssh-openbsd-2000070100/Makefile.inc openssh-2.1.1p2/Makefile.inc
--- ssh-openbsd-2000070100/Makefile.inc Sun Jan 16 18:14:50 2000
+++ openssh-2.1.1p2/Makefile.inc Thu Jan 1 10:00:00 1970
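Review bot: `$(INSTALL) -m 4755 -s ssh $(DESTDIR)$(bindir)/ssh` in `install-files` makes the ssh client setuid root unconditionally, and nothing in the hunk records why; the usual reason (reading the host key and binding a privileged source port for rhosts-RSA host authentication) is inferred from the README text elsewhere in this diff, not shown here, so the line deserves a comment such as `# ssh is installed setuid root; document the reason (privileged port / host key access?) and install it 0755 where that is not required`. Separately, the `host-key` target, which `install` depends on, runs `./ssh-keygen ... -f $(sysconfdir)/ssh_host_key` and `$(sysconfdir)/ssh_host_dsa_key` without the `$(DESTDIR)` prefix every other path in `install-files` carries, so a staged install writes new host keys into the build machine's live configuration directory instead of the staging tree; either prefix those paths with `$(DESTDIR)` consistently or drop `host-key` from the `install` prerequisites and leave key generation to the administrator. The guard `if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config -a ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]` also skips installing both configuration files when only one of them already exists, which may be intended but is worth a one-line comment.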
@@ -1,11 +0,0 @@
-CFLAGS+= -I${.CURDIR}/..
-
-.include
-
-.if exists(${.CURDIR}/../lib/${__objdir})
-LDADD+= -L${.CURDIR}/../lib/${__objdir} -lssh
-DPADD+= ${.CURDIR}/../lib/${__objdir}/libssh.a
-.else
-LDADD+= -L${.CURDIR}/../lib -lssh
-DPADD+= ${.CURDIR}/../lib/libssh.a
-.endif
diff -ruN --exclude CVS ssh-openbsd-2000070100/README openssh-2.1.1p2/README
--- ssh-openbsd-2000070100/README Thu May 18 23:16:10 2000
+++ openssh-2.1.1p2/README Mon Jun 26 13:01:33 2000
@@ -1,567 +1,69 @@ +[ A Japanese translation of this document is available at +[ http://www.unixuser.org/%7Eharuyama/security/openssh/index.html +[ Thanks to HARUYAMA Seigo + +******* IMPORTANT +* On systmes which lack a /dev/random driver, version of this port +* prior to 1.2.2 were not correctly seeding OpenSSL's random number +* pool. This resulted in lower quality RSA keys being generated. If +* you generated host or user keys with v1.2.2 or previous versions, +* please generate new ones using a more recent version. + +This is the port of OpenBSD's excellent OpenSSH to Linux and other +Unices. + +OpenSSH is based on the last free version of Tatu Ylonen's SSH with +all patent-encumbered algorithms removed (to external libraries), all +known security bugs fixed, new features reintroduced and many other +clean-ups. More information about SSH itself can be found in the file +README.Ylonen. OpenSSH has been created by Aaron Campbell, Bob Beck, +Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song. It has a +homepage at http://www.openssh.com/ + +This port consists of the re-introduction of autoconf support, PAM +support (for Linux and Solaris), EGD[1] support and replacements for +OpenBSD library functions that are (regrettably) absent from other +unices. This port has been best tested on Linux, Solaris, HPUX, NetBSD +and Irix. Support for AIX, SCO, NeXT and other Unices is underway. +This version actively tracks changes in the OpenBSD CVS repository. + +The PAM support is now more functional than the popular packages of +commercial ssh-1.2.x. It checks "account" and "session" modules for +all logins, not just when using password authentication. + +OpenSSH depends on Zlib[2], OpenSSL[3] and optionally PAM[4]. + +There is now several mailing lists for this port of OpenSSH. Please +refer to http://www.openssh.com/list.html for details on how to join. + +Please send bug reports and patches to the mailing list +openssh-unix-dev@mindrot.org. 
The list is open to posting by +unsubscribed users. + +If you are a citizen of the USA or another country which restricts +export of cryptographic products, then please refrain from sending +crypto-related code or patches to the list. We cannot accept them. +Other code contribution are accepted, but please follow the OpenBSD +style guidelines[5]. + +Please refer to the INSTALL document for information on how to install +OpenSSH on your system. The UPGRADING document details differences +between this port of OpenSSH and F-Secure SSH 1.x. + +Damien Miller +Internet Business Solutions + +Miscellania - + +This version of SSH is based upon code retrieved from the OpenBSD CVS +repository which in turn was based on the last free +version of SSH released by Tatu Ylonen. + +References - + +[1] http://www.lothar.com/tech/crypto/ +[2] ftp://ftp.freesoftware.com/pub/infozip/zlib/ +[3] http://www.openssl.org/ +[4] http://www.kernel.org/pub/linux/libs/pam/ (PAM is standard on Solaris) +[5] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9&apropos=0&manpath=OpenBSD+Current -[ Please note that this file has not been updated for OpenSSH and - covers the ssh-1.2.12 release from Dec 1995 only. ] - -Ssh (Secure Shell) is a program to log into another computer over a -network, to execute commands in a remote machine, and to move files -from one machine to another. It provides strong authentication and -secure communications over insecure channels. It is intended as a -replacement for rlogin, rsh, rcp, and rdist. - -See the file INSTALL for installation instructions. See COPYING for -license terms and other legal issues. See RFC for a description of -the protocol. There is a WWW page for ssh; see http://www.cs.hut.fi/ssh. - -This file has been updated to match ssh-1.2.12. - - -FEATURES - - o Strong authentication. Closes several security holes (e.g., IP, - routing, and DNS spoofing). 
New authentication methods: .rhosts - together with RSA based host authentication, and pure RSA - authentication. - - o Improved privacy. All communications are automatically and - transparently encrypted. RSA is used for key exchange, and a - conventional cipher (normally IDEA, DES, or triple-DES) for - encrypting the session. Encryption is started before - authentication, and no passwords or other information is - transmitted in the clear. Encryption is also used to protect - against spoofed packets. - - o Secure X11 sessions. The program automatically sets DISPLAY on - the server machine, and forwards any X11 connections over the - secure channel. Fake Xauthority information is automatically - generated and forwarded to the remote machine; the local client - automatically examines incoming X11 connections and replaces the - fake authorization data with the real data (never telling the - remote machine the real information). - - o Arbitrary TCP/IP ports can be redirected through the encrypted channel - in both directions (e.g., for e-cash transactions). - - o No retraining needed for normal users; everything happens - automatically, and old .rhosts files will work with strong - authentication if administration installs host key files. - - o Never trusts the network. Minimal trust on the remote side of - the connection. Minimal trust on domain name servers. Pure RSA - authentication never trusts anything but the private key. - - o Client RSA-authenticates the server machine in the beginning of - every connection to prevent trojan horses (by routing or DNS - spoofing) and man-in-the-middle attacks, and the server - RSA-authenticates the client machine before accepting .rhosts or - /etc/hosts.equiv authentication (to prevent DNS, routing, or - IP-spoofing). 
- - o Host authentication key distribution can be centrally by the - administration, automatically when the first connection is made - to a machine (the key obtained on the first connection will be - recorded and used for authentication in the future), or manually - by each user for his/her own use. The central and per-user host - key repositories are both used and complement each other. Host - keys can be generated centrally or automatically when the software - is installed. Host authentication keys are typically 1024 bits. - - o Any user can create any number of user authentication RSA keys for - his/her own use. Each user has a file which lists the RSA public - keys for which proof of possession of the corresponding private - key is accepted as authentication. User authentication keys are - typically 1024 bits. - - o The server program has its own server RSA key which is - automatically regenerated every hour. This key is never saved in - any file. Exchanged session keys are encrypted using both the - server key and the server host key. The purpose of the separate - server key is to make it impossible to decipher a captured session by - breaking into the server machine at a later time; one hour from - the connection even the server machine cannot decipher the session - key. The key regeneration interval is configurable. The server - key is normally 768 bits. - - o An authentication agent, running in the user's laptop or local - workstation, can be used to hold the user's RSA authentication - keys. Ssh automatically forwards the connection to the - authentication agent over any connections, and there is no need to - store the RSA authentication keys on any machine in the network - (except the user's own local machine). The authentication - protocols never reveal the keys; they can only be used to verify - that the user's agent has a certain key. Eventually the agent - could rely on a smart card to perform all authentication - computations. 
- - o The software can be installed and used (with restricted - functionality) even without root privileges. - - o The client is customizable in system-wide and per-user - configuration files. Most aspects of the client's operation can - be configured. Different options can be specified on a per-host basis. - - o Automatically executes conventional rsh (after displaying a - warning) if the server machine is not running sshd. - - o Optional compression of all data with gzip (including forwarded X11 - and TCP/IP port data), which may result in significant speedups on - slow connections. - - o Complete replacement for rlogin, rsh, and rcp. - - -WHY TO USE SECURE SHELL - -Currently, almost all communications in computer networks are done -without encryption. As a consequence, anyone who has access to any -machine connected to the network can listen in on any communication. -This is being done by hackers, curious administrators, employers, -criminals, industrial spies, and governments. Some networks leak off -enough electromagnetic radiation that data may be captured even from a -distance. - -When you log in, your password goes in the network in plain -text. Thus, any listener can then use your account to do any evil he -likes. Many incidents have been encountered worldwide where crackers -have started programs on workstations without the owners knowledge -just to listen to the network and collect passwords. Programs for -doing this are available on the Internet, or can be built by a -competent programmer in a few hours. - -Any information that you type or is printed on your screen can be -monitored, recorded, and analyzed. 
For example, an intruder who has -penetrated a host connected to a major network can start a program -that listens to all data flowing in the network, and whenever it -encounters a 16-digit string, it checks if it is a valid credit card -number (using the check digit), and saves the number plus any -surrounding text (to catch expiration date and holder) in a file. -When the intruder has collected a few thousand credit card numbers, he -makes smallish mail-order purchases from a few thousand stores around -the world, and disappears when the goods arrive but before anyone -suspects anything. - -Businesses have trade secrets, patent applications in preparation, -pricing information, subcontractor information, client data, personnel -data, financial information, etc. Currently, anyone with access to -the network (any machine on the network) can listen to anything that -goes in the network, without any regard to normal access restrictions. - -Many companies are not aware that information can so easily be -recovered from the network. They trust that their data is safe -since nobody is supposed to know that there is sensitive information -in the network, or because so much other data is transferred in the -network. This is not a safe policy. - -Individual persons also have confidential information, such as -diaries, love letters, health care documents, information about their -personal interests and habits, professional data, job applications, -tax reports, political documents, unpublished manuscripts, etc. - -One should also be aware that economical intelligence and industrial -espionage has recently become a major priority of the intelligence -agencies of major governments. President Clinton recently assigned -economical espionage as the primary task of the CIA, and the French -have repeatedly been publicly boasting about their achievements on -this field. - - -There is also another frightening aspect about the poor security of -communications. 
Computer storage and analysis capability has -increased so much that it is feasible for governments, major -companies, and criminal organizations to automatically analyze, -identify, classify, and file information about millions of people over -the years. Because most of the work can be automated, the cost of -collecting this information is getting very low. - -Government agencies may be able to monitor major communication -systems, telephones, fax, computer networks, etc., and passively -collect huge amounts of information about all people with any -significant position in the society. Most of this information is not -sensitive, and many people would say there is no harm in someone -getting that information. However, the information starts to get -sensitive when someone has enough of it. You may not mind someone -knowing what you bought from the shop one random day, but you might -not like someone knowing every small thing you have bought in the last -ten years. - -If the government some day starts to move into a more totalitarian -direction (one should remember that Nazi Germany was created by -democratic elections), there is considerable danger of an ultimate -totalitarian state. With enough information (the automatically -collected records of an individual can be manually analyzed when the -person becomes interesting), one can form a very detailed picture of -the individual's interests, opinions, beliefs, habits, friends, -lovers, weaknesses, etc. This information can be used to 1) locate -any persons who might oppose the new system 2) use deception to -disturb any organizations which might rise against the government 3) -eliminate difficult individuals without anyone understanding what -happened. Additionally, if the government can monitor communications -too effectively, it becomes too easy to locate and eliminate any -persons distributing information contrary to the official truth. 
- -Fighting crime and terrorism are often used as grounds for domestic -surveillance and restricting encryption. These are good goals, but -there is considerable danger that the surveillance data starts to get -used for questionable purposes. I find that it is better to tolerate -a small amount of crime in the society than to let the society become -fully controlled. I am in favor of a fairly strong state, but the -state must never get so strong that people become unable to spread -contra-offical information and unable to overturn the government if it -is bad. The danger is that when you notice that the government is -too powerful, it is too late. Also, the real power may not be where -the official government is. - -For these reasons (privacy, protecting trade secrets, and making it -more difficult to create a totalitarian state), I think that strong -cryptography should be integrated to the tools we use every day. -Using it causes no harm (except for those who wish to monitor -everything), but not using it can cause huge problems. If the society -changes in undesirable ways, then it will be to late to start -encrypting. - -Encryption has had a "military" or "classified" flavor to it. There -are no longer any grounds for this. The military can and will use its -own encryption; that is no excuse to prevent the civilians from -protecting their privacy and secrets. Information on strong -encryption is available in every major bookstore, scientific library, -and patent office around the world, and strong encryption software is -available in every country on the Internet. - -Some people would like to make it illegal to use encryption, or to -force people to use encryption that governments can break. This -approach offers no protection if the government turns bad. Also, the -"bad guys" will be using true strong encryption anyway. Good -encryption techniques are too widely known to make them disappear. 
-Thus, any "key escrow encryption" or other restrictions will only help -monitor ordinary people and petty criminals. It does not help against -powerful criminals, terrorists, or espionage, because they will know -how to use strong encryption anyway. (One source for internationally -available encryption software is http://www.cs.hut.fi/crypto.) - - -OVERVIEW OF SECURE SHELL - -The software consists of a number of programs. - - sshd Server program run on the server machine. This - listens for connections from client machines, and - whenever it receives a connection, it performs - authentication and starts serving the client. - - ssh This is the client program used to log into another - machine or to execute commands on the other machine. - "slogin" is another name for this program. - - scp Securely copies files from one machine to another. - - ssh-keygen Used to create RSA keys (host keys and user - authentication keys). - - ssh-agent Authentication agent. This can be used to hold RSA - keys for authentication. - - ssh-add Used to register new keys with the agent. - - make-ssh-known-hosts - Used to create the /etc/ssh_known_hosts file. - - -Ssh is the program users normally use. It is started as - - ssh host - -or - - ssh host command - -The first form opens a new shell on the remote machine (after -authentication). The latter form executes the command on the remote -machine. - -When started, the ssh connects sshd on the server machine, verifies -that the server machine really is the machine it wanted to connect, -exchanges encryption keys (in a manner which prevents an outside -listener from getting the keys), performs authentication using .rhosts -and /etc/hosts.equiv, RSA authentication, or conventional password -based authentication. The server then (normally) allocates a -pseudo-terminal and starts an interactive shell or user program. 
- -The TERM environment variable (describing the type of the user's -terminal) is passed from the client side to the remote side. Also, -terminal modes will be copied from the client side to the remote side -to preserve user preferences (e.g., the erase character). - -If the DISPLAY variable is set on the client side, the server will -create a dummy X server and set DISPLAY accordingly. Any connections -to the dummy X server will be forwarded through the secure channel, -and will be made to the real X server from the client side. An -arbitrary number of X programs can be started during the session, and -starting them does not require anything special from the user. (Note -that the user must not manually set DISPLAY, because then it would -connect directly to the real display instead of going through the -encrypted channel). This behavior can be disabled in the -configuration file or by giving the -x option to the client. - -Arbitrary IP ports can be forwarded over the secure channel. The -program then creates a port on one side, and whenever a connection is -opened to this port, it will be passed over the secure channel, and a -connection will be made from the other side to a specified host:port -pair. Arbitrary IP forwarding must always be explicitly requested, -and cannot be used to forward privileged ports (unless the user is -root). It is possible to specify automatic forwards in a per-user -configuration file, for example to make electronic cash systems work -securely. - -If there is an authentication agent on the client side, connection to -it will be automatically forwarded to the server side. - -For more infomation, see the manual pages ssh(1), sshd(8), scp(1), -ssh-keygen(1), ssh-agent(1), ssh-add(1), and make-ssh-known-hosts(1) -included in this distribution. 
- - -X11 CONNECTION FORWARDING - -X11 forwarding serves two purposes: it is a convenience to the user -because there is no need to set the DISPLAY variable, and it provides -encrypted X11 connections. I cannot think of any other easy way to -make X11 connections encrypted; modifying the X server, clients or -libraries would require special work for each machine, vendor and -application. Widely used IP-level encryption does not seem likely for -several years. Thus what we have left is faking an X server on the -same machine where the clients are run, and forwarding the connections -to a real X server over the secure channel. - -X11 forwarding works as follows. The client extracts Xauthority -information for the server. It then creates random authorization -data, and sends the random data to the server. The server allocates -an X11 display number, and stores the (fake) Xauthority data for this -display. Whenever an X11 connection is opened, the server forwards -the connection over the secure channel to the client, and the client -parses the first packet of the X11 protocol, substitutes real -authentication data for the fake data (if the fake data matched), and -forwards the connection to the real X server. - -If the display does not have Xauthority data, the server will create a -unix domain socket in /tmp/.X11-unix, and use the unix domain socket -as the display. No authentication information is forwarded in this -case. X11 connections are again forwarded over the secure channel. -To the X server the connections appear to come from the client -machine, and the server must have connections allowed from the local -machine. Using authentication data is always recommended because not -using it makes the display insecure. If XDM is used, it automatically -generates the authentication data. 
- -One should be careful not to use "xin" or "xstart" or other similar -scripts that explicitly set DISPLAY to start X sessions in a remote -machine, because the connection will then not go over the secure -channel. The recommended way to start a shell in a remote machine is - - xterm -e ssh host & - -and the recommended way to execute an X11 application in a remote -machine is - - ssh -n host emacs & - -If you need to type a password/passphrase for the remote machine, - - ssh -f host emacs - -may be useful. - - - -RSA AUTHENTICATION - -RSA authentication is based on public key cryptograpy. The idea is -that there are two encryption keys, one for encryption and another for -decryption. It is not possible (on human timescale) to derive the -decryption key from the encryption key. The encryption key is called -the public key, because it can be given to anyone and it is not -secret. The decryption key, on the other hand, is secret, and is -called the private key. - -RSA authentication is based on the impossibility of deriving the -private key from the public key. The public key is stored on the -server machine in the user's $HOME/.ssh/authorized_keys file. The -private key is only kept on the user's local machine, laptop, or other -secure storage. Then the user tries to log in, the client tells the -server the public key that the user wishes to use for authentication. -The server then checks if this public key is admissible. If so, it -generates a 256 bit random number, encrypts it with the public key, -and sends the value to the client. The client then decrypts the -number with its private key, computes a 128 bit MD5 checksum from the -resulting data, and sends the checksum back to the server. (Only a -checksum is sent to prevent chosen-plaintext attacks against RSA.) -The server checks computes a checksum from the correct data, -and compares the checksums. Authentication is accepted if the -checksums match. 
(Theoretically this indicates that the client -only probably knows the correct key, but for all practical purposes -there is no doubt.) - -The RSA private key can be protected with a passphrase. The -passphrase can be any string; it is hashed with MD5 to produce an -encryption key for IDEA, which is used to encrypt the private part of -the key file. With passphrase, authorization requires access to the key -file and the passphrase. Without passphrase, authorization only -depends on possession of the key file. - -RSA authentication is the most secure form of authentication supported -by this software. It does not rely on the network, routers, domain -name servers, or the client machine. The only thing that matters is -access to the private key. - -All this, of course, depends on the security of the RSA algorithm -itself. RSA has been widely known since about 1978, and no effective -methods for breaking it are known if it is used properly. Care has -been taken to avoid the well-known pitfalls. Breaking RSA is widely -believed to be equivalent to factoring, which is a very hard -mathematical problem that has received considerable public research. -So far, no effective methods are known for numbers bigger than about -512 bits. However, as computer speeds and factoring methods are -increasing, 512 bits can no longer be considered secure. The -factoring work is exponential, and 768 or 1024 bits are widely -considered to be secure in the near future. - - -RHOSTS AUTHENTICATION - -Conventional .rhosts and hosts.equiv based authentication mechanisms -are fundamentally insecure due to IP, DNS (domain name server) and -routing spoofing attacks. Additionally this authentication method -relies on the integrity of the client machine. These weaknesses is -tolerable, and been known and exploited for a long time. - -Ssh provides an improved version of these types of authentication, -because they are very convenient for the user (and allow easy -transition from rsh and rlogin). 
It permits these types of -authentication, but additionally requires that the client host be -authenticated using RSA. - -The server has a list of host keys stored in /etc/ssh_known_host, and -additionally each user has host keys in $HOME/.ssh/known_hosts. Ssh -uses the name servers to obtain the canonical name of the client host, -looks for its public key in its known host files, and requires the -client to prove that it knows the private host key. This prevents IP -and routing spoofing attacks (as long as the client machine private -host key has not been compromized), but is still vulnerable to DNS -attacks (to a limited extent), and relies on the integrity of the -client machine as to who is requesting to log in. This prevents -outsiders from attacking, but does not protect against very powerful -attackers. If maximal security is desired, only RSA authentication -should be used. - -It is possible to enable conventional .rhosts and /etc/hosts.equiv -authentication (without host authentication) at compile time by giving -the option --with-rhosts to configure. However, this is not -recommended, and is not done by default. - -These weaknesses are present in rsh and rlogin. No improvement in -security will be obtained unless rlogin and rsh are completely -disabled (commented out in /etc/inetd.conf). This is highly -recommended. - - -WEAKEST LINKS IN SECURITY - -One should understand that while this software may provide -cryptographically secure communications, it may be easy to -monitor the communications at their endpoints. - -Basically, anyone with root access on the local machine on which you -are running the software may be able to do anything. Anyone with root -access on the server machine may be able to monitor your -communications, and a very talented root user might even be able to -send his/her own requests to your authentication agent. 
- -One should also be aware that computers send out electromagnetic -radition that can sometimes be picked up hundreds of meters away. -Your keyboard is particularly easy to listen to. The image on your -monitor might also be seen on another monitor in a van parked behind -your house. - -Beware that unwanted visitors might come to your home or office and -use your machine while you are away. They might also make -modifications or install bugs in your hardware or software. - -Beware that the most effective way for someone to decrypt your data -may be with a rubber hose. - - -LEGAL ISSUES - -As far as I am concerned, anyone is permitted to use this software -freely. However, see the file COPYING for detailed copying, -licensing, and distribution information. - -In some countries, particularly France, Russia, Iraq, and Pakistan, -it may be illegal to use any encryption at all without a special -permit, and the rumor has it that you cannot get a permit for any -strong encryption. - -This software may be freely imported into the United States; however, -the United States Government may consider re-exporting it a criminal -offence. - -Note that any information and cryptographic algorithms used in this -software are publicly available on the Internet and at any major -bookstore, scientific library, or patent office worldwide. - -THERE IS NO WARRANTY FOR THIS PROGRAM. Please consult the file -COPYING for more information. - - -MAILING LISTS AND OTHER INFORMATION - -There is a mailing list for ossh. It is ossh@sics.se. If you would -like to join, send a message to majordomo@sics.se with "subscribe -ssh" in body. - -The WWW home page for ssh is http://www.cs.hut.fi/ssh. It contains an -archive of the mailing list, and detailed information about new -releases, mailing lists, and other relevant issues. - -Bug reports should be sent to ossh-bugs@sics.se. - - -ABOUT THE AUTHOR - -This software was written by Tatu Ylonen . 
I work as a -researcher at Helsinki University of Technology, Finland. For more -information, see http://www.cs.hut.fi/~ylo/. My PGP public key is -available via finger from ylo@cs.hut.fi and from the key servers. I -prefer PGP encrypted mail. - -The author can be contacted via ordinary mail at - Tatu Ylonen - Helsinki University of Technology - Otakaari 1 - FIN-02150 ESPOO - Finland - - Fax. +358-0-4513293 - - -ACKNOWLEDGEMENTS - -I thank Tero Kivinen, Timo Rinne, Janne Snabb, and Heikki Suonsivu for -their help and comments in the design, implementation and porting of -this software. I also thank numerous contributors, including but not -limited to Walker Aumann, Jurgen Botz, Hans-Werner Braun, Stephane -Bortzmeyer, Adrian Colley, Michael Cooper, David Dombek, Jerome -Etienne, Bill Fithen, Mark Fullmer, Bert Gijsbers, Andreas Gustafsson, -Michael Henits, Steve Johnson, Thomas Koenig, Felix Leitner, Gunnar -Lindberg, Andrew Macpherson, Marc Martinec, Paul Mauvais, Donald -McKillican, Leon Mlakar, Robert Muchsel, Mark Treacy, Bryan -O'Sullivan, Mikael Suokas, Ollivier Robert, Jakob Schlyter, Tomasz -Surmacz, Alvar Vinacua, Petri Virkkula, Michael Warfield, and -Cristophe Wolfhugel. - -Thanks also go to Philip Zimmermann, whose PGP software and the -associated legal battle provided inspiration, motivation, and many -useful techniques, and to Bruce Schneier whose book Applied -Cryptography has done a great service in widely distributing knowledge -about cryptographic methods. - - -Copyright (c) 1995 Tatu Ylonen, Espoo, Finland.
diff -ruN --exclude CVS ssh-openbsd-2000070100/README.Ylonen openssh-2.1.1p2/README.Ylonen
--- ssh-openbsd-2000070100/README.Ylonen Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/README.Ylonen Sun Mar 26 13:04:52 2000 
@@ -0,0 +1,567 @@ + +[ Please note that this file has not been updated for OpenSSH and + covers the ssh-1.2.12 release from Dec 1995 only. ] + +Ssh (Secure Shell) is a program to log into another computer over a +network, to execute commands in a remote machine, and to move files +from one machine to another. It provides strong authentication and +secure communications over insecure channels. It is inteded as a +replacement for rlogin, rsh, rcp, and rdist. + +See the file INSTALL for installation instructions. See COPYING for +license terms and other legal issues. See RFC for a description of +the protocol. There is a WWW page for ssh; see http://www.cs.hut.fi/ssh. + +This file has been updated to match ssh-1.2.12. + + +FEATURES + + o Strong authentication. Closes several security holes (e.g., IP, + routing, and DNS spoofing). New authentication methods: .rhosts + together with RSA based host authentication, and pure RSA + authentication. + + o Improved privacy. All communications are automatically and + transparently encrypted. RSA is used for key exchange, and a + conventional cipher (normally IDEA, DES, or triple-DES) for + encrypting the session. Encryption is started before + authentication, and no passwords or other information is + transmitted in the clear. Encryption is also used to protect + against spoofed packets. + + o Secure X11 sessions. The program automatically sets DISPLAY on + the server machine, and forwards any X11 connections over the + secure channel. Fake Xauthority information is automatically + generated and forwarded to the remote machine; the local client + automatically examines incoming X11 connections and replaces the + fake authorization data with the real data (never telling the + remote machine the real information). + + o Arbitrary TCP/IP ports can be redirected through the encrypted channel + in both directions (e.g., for e-cash transactions). 
+ + o No retraining needed for normal users; everything happens + automatically, and old .rhosts files will work with strong + authentication if administration installs host key files. + + o Never trusts the network. Minimal trust on the remote side of + the connection. Minimal trust on domain name servers. Pure RSA + authentication never trusts anything but the private key. + + o Client RSA-authenticates the server machine in the beginning of + every connection to prevent trojan horses (by routing or DNS + spoofing) and man-in-the-middle attacks, and the server + RSA-authenticates the client machine before accepting .rhosts or + /etc/hosts.equiv authentication (to prevent DNS, routing, or + IP-spoofing). + + o Host authentication key distribution can be centrally by the + administration, automatically when the first connection is made + to a machine (the key obtained on the first connection will be + recorded and used for authentication in the future), or manually + by each user for his/her own use. The central and per-user host + key repositories are both used and complement each other. Host + keys can be generated centrally or automatically when the software + is installed. Host authentication keys are typically 1024 bits. + + o Any user can create any number of user authentication RSA keys for + his/her own use. Each user has a file which lists the RSA public + keys for which proof of possession of the corresponding private + key is accepted as authentication. User authentication keys are + typically 1024 bits. + + o The server program has its own server RSA key which is + automatically regenerated every hour. This key is never saved in + any file. Exchanged session keys are encrypted using both the + server key and the server host key. 
The purpose of the separate + server key is to make it impossible to decipher a captured session by + breaking into the server machine at a later time; one hour from + the connection even the server machine cannot decipher the session + key. The key regeneration interval is configurable. The server + key is normally 768 bits. + + o An authentication agent, running in the user's laptop or local + workstation, can be used to hold the user's RSA authentication + keys. Ssh automatically forwards the connection to the + authentication agent over any connections, and there is no need to + store the RSA authentication keys on any machine in the network + (except the user's own local machine). The authentication + protocols never reveal the keys; they can only be used to verify + that the user's agent has a certain key. Eventually the agent + could rely on a smart card to perform all authentication + computations. + + o The software can be installed and used (with restricted + functionality) even without root privileges. + + o The client is customizable in system-wide and per-user + configuration files. Most aspects of the client's operation can + be configured. Different options can be specified on a per-host basis. + + o Automatically executes conventional rsh (after displaying a + warning) if the server machine is not running sshd. + + o Optional compression of all data with gzip (including forwarded X11 + and TCP/IP port data), which may result in significant speedups on + slow connections. + + o Complete replacement for rlogin, rsh, and rcp. + + +WHY TO USE SECURE SHELL + +Currently, almost all communications in computer networks are done +without encryption. As a consequence, anyone who has access to any +machine connected to the network can listen in on any communication. +This is being done by hackers, curious administrators, employers, +criminals, industrial spies, and governments. 
Some networks leak off +enough electromagnetic radiation that data may be captured even from a +distance. + +When you log in, your password goes in the network in plain +text. Thus, any listener can then use your account to do any evil he +likes. Many incidents have been encountered worldwide where crackers +have started programs on workstations without the owners knowledge +just to listen to the network and collect passwords. Programs for +doing this are available on the Internet, or can be built by a +competent programmer in a few hours. + +Any information that you type or is printed on your screen can be +monitored, recorded, and analyzed. For example, an intruder who has +penetrated a host connected to a major network can start a program +that listens to all data flowing in the network, and whenever it +encounters a 16-digit string, it checks if it is a valid credit card +number (using the check digit), and saves the number plus any +surrounding text (to catch expiration date and holder) in a file. +When the intruder has collected a few thousand credit card numbers, he +makes smallish mail-order purchases from a few thousand stores around +the world, and disappears when the goods arrive but before anyone +suspects anything. + +Businesses have trade secrets, patent applications in preparation, +pricing information, subcontractor information, client data, personnel +data, financial information, etc. Currently, anyone with access to +the network (any machine on the network) can listen to anything that +goes in the network, without any regard to normal access restrictions. + +Many companies are not aware that information can so easily be +recovered from the network. They trust that their data is safe +since nobody is supposed to know that there is sensitive information +in the network, or because so much other data is transferred in the +network. This is not a safe policy. 
+ +Individual persons also have confidential information, such as +diaries, love letters, health care documents, information about their +personal interests and habits, professional data, job applications, +tax reports, political documents, unpublished manuscripts, etc. + +One should also be aware that economical intelligence and industrial +espionage has recently become a major priority of the intelligence +agencies of major governments. President Clinton recently assigned +economical espionage as the primary task of the CIA, and the French +have repeatedly been publicly boasting about their achievements on +this field. + + +There is also another frightening aspect about the poor security of +communications. Computer storage and analysis capability has +increased so much that it is feasible for governments, major +companies, and criminal organizations to automatically analyze, +identify, classify, and file information about millions of people over +the years. Because most of the work can be automated, the cost of +collecting this information is getting very low. + +Government agencies may be able to monitor major communication +systems, telephones, fax, computer networks, etc., and passively +collect huge amounts of information about all people with any +significant position in the society. Most of this information is not +sensitive, and many people would say there is no harm in someone +getting that information. However, the information starts to get +sensitive when someone has enough of it. You may not mind someone +knowing what you bought from the shop one random day, but you might +not like someone knowing every small thing you have bought in the last +ten years. + +If the government some day starts to move into a more totalitarian +direction (one should remember that Nazi Germany was created by +democratic elections), there is considerable danger of an ultimate +totalitarian state. 
With enough information (the automatically +collected records of an individual can be manually analyzed when the +person becomes interesting), one can form a very detailed picture of +the individual's interests, opinions, beliefs, habits, friends, +lovers, weaknesses, etc. This information can be used to 1) locate +any persons who might oppose the new system 2) use deception to +disturb any organizations which might rise against the government 3) +eliminate difficult individuals without anyone understanding what +happened. Additionally, if the government can monitor communications +too effectively, it becomes too easy to locate and eliminate any +persons distributing information contrary to the official truth. + +Fighting crime and terrorism are often used as grounds for domestic +surveillance and restricting encryption. These are good goals, but +there is considerable danger that the surveillance data starts to get +used for questionable purposes. I find that it is better to tolerate +a small amount of crime in the society than to let the society become +fully controlled. I am in favor of a fairly strong state, but the +state must never get so strong that people become unable to spread +contra-offical information and unable to overturn the government if it +is bad. The danger is that when you notice that the government is +too powerful, it is too late. Also, the real power may not be where +the official government is. + +For these reasons (privacy, protecting trade secrets, and making it +more difficult to create a totalitarian state), I think that strong +cryptography should be integrated to the tools we use every day. +Using it causes no harm (except for those who wish to monitor +everything), but not using it can cause huge problems. If the society +changes in undesirable ways, then it will be to late to start +encrypting. + +Encryption has had a "military" or "classified" flavor to it. There +are no longer any grounds for this. 
The military can and will use its +own encryption; that is no excuse to prevent the civilians from +protecting their privacy and secrets. Information on strong +encryption is available in every major bookstore, scientific library, +and patent office around the world, and strong encryption software is +available in every country on the Internet. + +Some people would like to make it illegal to use encryption, or to +force people to use encryption that governments can break. This +approach offers no protection if the government turns bad. Also, the +"bad guys" will be using true strong encryption anyway. Good +encryption techniques are too widely known to make them disappear. +Thus, any "key escrow encryption" or other restrictions will only help +monitor ordinary people and petty criminals. It does not help against +powerful criminals, terrorists, or espionage, because they will know +how to use strong encryption anyway. (One source for internationally +available encryption software is http://www.cs.hut.fi/crypto.) + + +OVERVIEW OF SECURE SHELL + +The software consists of a number of programs. + + sshd Server program run on the server machine. This + listens for connections from client machines, and + whenever it receives a connection, it performs + authentication and starts serving the client. + + ssh This is the client program used to log into another + machine or to execute commands on the other machine. + "slogin" is another name for this program. + + scp Securely copies files from one machine to another. + + ssh-keygen Used to create RSA keys (host keys and user + authentication keys). + + ssh-agent Authentication agent. This can be used to hold RSA + keys for authentication. + + ssh-add Used to register new keys with the agent. + + make-ssh-known-hosts + Used to create the /etc/ssh_known_hosts file. + + +Ssh is the program users normally use. 
It is started as + + ssh host + +or + + ssh host command + +The first form opens a new shell on the remote machine (after +authentication). The latter form executes the command on the remote +machine. + +When started, the ssh connects sshd on the server machine, verifies +that the server machine really is the machine it wanted to connect, +exchanges encryption keys (in a manner which prevents an outside +listener from getting the keys), performs authentication using .rhosts +and /etc/hosts.equiv, RSA authentication, or conventional password +based authentication. The server then (normally) allocates a +pseudo-terminal and starts an interactive shell or user program. + +The TERM environment variable (describing the type of the user's +terminal) is passed from the client side to the remote side. Also, +terminal modes will be copied from the client side to the remote side +to preserve user preferences (e.g., the erase character). + +If the DISPLAY variable is set on the client side, the server will +create a dummy X server and set DISPLAY accordingly. Any connections +to the dummy X server will be forwarded through the secure channel, +and will be made to the real X server from the client side. An +arbitrary number of X programs can be started during the session, and +starting them does not require anything special from the user. (Note +that the user must not manually set DISPLAY, because then it would +connect directly to the real display instead of going through the +encrypted channel). This behavior can be disabled in the +configuration file or by giving the -x option to the client. + +Arbitrary IP ports can be forwarded over the secure channel. The +program then creates a port on one side, and whenever a connection is +opened to this port, it will be passed over the secure channel, and a +connection will be made from the other side to a specified host:port +pair. 
Arbitrary IP forwarding must always be explicitly requested, +and cannot be used to forward privileged ports (unless the user is +root). It is possible to specify automatic forwards in a per-user +configuration file, for example to make electronic cash systems work +securely. + +If there is an authentication agent on the client side, connection to +it will be automatically forwarded to the server side. + +For more infomation, see the manual pages ssh(1), sshd(8), scp(1), +ssh-keygen(1), ssh-agent(1), ssh-add(1), and make-ssh-known-hosts(1) +included in this distribution. + + +X11 CONNECTION FORWARDING + +X11 forwarding serves two purposes: it is a convenience to the user +because there is no need to set the DISPLAY variable, and it provides +encrypted X11 connections. I cannot think of any other easy way to +make X11 connections encrypted; modifying the X server, clients or +libraries would require special work for each machine, vendor and +application. Widely used IP-level encryption does not seem likely for +several years. Thus what we have left is faking an X server on the +same machine where the clients are run, and forwarding the connections +to a real X server over the secure channel. + +X11 forwarding works as follows. The client extracts Xauthority +information for the server. It then creates random authorization +data, and sends the random data to the server. The server allocates +an X11 display number, and stores the (fake) Xauthority data for this +display. Whenever an X11 connection is opened, the server forwards +the connection over the secure channel to the client, and the client +parses the first packet of the X11 protocol, substitutes real +authentication data for the fake data (if the fake data matched), and +forwards the connection to the real X server. + +If the display does not have Xauthority data, the server will create a +unix domain socket in /tmp/.X11-unix, and use the unix domain socket +as the display. 
No authentication information is forwarded in this +case. X11 connections are again forwarded over the secure channel. +To the X server the connections appear to come from the client +machine, and the server must have connections allowed from the local +machine. Using authentication data is always recommended because not +using it makes the display insecure. If XDM is used, it automatically +generates the authentication data. + +One should be careful not to use "xin" or "xstart" or other similar +scripts that explicitly set DISPLAY to start X sessions in a remote +machine, because the connection will then not go over the secure +channel. The recommended way to start a shell in a remote machine is + + xterm -e ssh host & + +and the recommended way to execute an X11 application in a remote +machine is + + ssh -n host emacs & + +If you need to type a password/passphrase for the remote machine, + + ssh -f host emacs + +may be useful. + + + +RSA AUTHENTICATION + +RSA authentication is based on public key cryptograpy. The idea is +that there are two encryption keys, one for encryption and another for +decryption. It is not possible (on human timescale) to derive the +decryption key from the encryption key. The encryption key is called +the public key, because it can be given to anyone and it is not +secret. The decryption key, on the other hand, is secret, and is +called the private key. + +RSA authentication is based on the impossibility of deriving the +private key from the public key. The public key is stored on the +server machine in the user's $HOME/.ssh/authorized_keys file. The +private key is only kept on the user's local machine, laptop, or other +secure storage. Then the user tries to log in, the client tells the +server the public key that the user wishes to use for authentication. +The server then checks if this public key is admissible. If so, it +generates a 256 bit random number, encrypts it with the public key, +and sends the value to the client. 
The client then decrypts the +number with its private key, computes a 128 bit MD5 checksum from the +resulting data, and sends the checksum back to the server. (Only a +checksum is sent to prevent chosen-plaintext attacks against RSA.) +The server checks computes a checksum from the correct data, +and compares the checksums. Authentication is accepted if the +checksums match. (Theoretically this indicates that the client +only probably knows the correct key, but for all practical purposes +there is no doubt.) + +The RSA private key can be protected with a passphrase. The +passphrase can be any string; it is hashed with MD5 to produce an +encryption key for IDEA, which is used to encrypt the private part of +the key file. With passphrase, authorization requires access to the key +file and the passphrase. Without passphrase, authorization only +depends on possession of the key file. + +RSA authentication is the most secure form of authentication supported +by this software. It does not rely on the network, routers, domain +name servers, or the client machine. The only thing that matters is +access to the private key. + +All this, of course, depends on the security of the RSA algorithm +itself. RSA has been widely known since about 1978, and no effective +methods for breaking it are known if it is used properly. Care has +been taken to avoid the well-known pitfalls. Breaking RSA is widely +believed to be equivalent to factoring, which is a very hard +mathematical problem that has received considerable public research. +So far, no effective methods are known for numbers bigger than about +512 bits. However, as computer speeds and factoring methods are +increasing, 512 bits can no longer be considered secure. The +factoring work is exponential, and 768 or 1024 bits are widely +considered to be secure in the near future. 
+ + +RHOSTS AUTHENTICATION + +Conventional .rhosts and hosts.equiv based authentication mechanisms +are fundamentally insecure due to IP, DNS (domain name server) and +routing spoofing attacks. Additionally this authentication method +relies on the integrity of the client machine. These weaknesses is +tolerable, and been known and exploited for a long time. + +Ssh provides an improved version of these types of authentication, +because they are very convenient for the user (and allow easy +transition from rsh and rlogin). It permits these types of +authentication, but additionally requires that the client host be +authenticated using RSA. + +The server has a list of host keys stored in /etc/ssh_known_host, and +additionally each user has host keys in $HOME/.ssh/known_hosts. Ssh +uses the name servers to obtain the canonical name of the client host, +looks for its public key in its known host files, and requires the +client to prove that it knows the private host key. This prevents IP +and routing spoofing attacks (as long as the client machine private +host key has not been compromized), but is still vulnerable to DNS +attacks (to a limited extent), and relies on the integrity of the +client machine as to who is requesting to log in. This prevents +outsiders from attacking, but does not protect against very powerful +attackers. If maximal security is desired, only RSA authentication +should be used. + +It is possible to enable conventional .rhosts and /etc/hosts.equiv +authentication (without host authentication) at compile time by giving +the option --with-rhosts to configure. However, this is not +recommended, and is not done by default. + +These weaknesses are present in rsh and rlogin. No improvement in +security will be obtained unless rlogin and rsh are completely +disabled (commented out in /etc/inetd.conf). This is highly +recommended. 
+ + +WEAKEST LINKS IN SECURITY + +One should understand that while this software may provide +cryptographically secure communications, it may be easy to +monitor the communications at their endpoints. + +Basically, anyone with root access on the local machine on which you +are running the software may be able to do anything. Anyone with root +access on the server machine may be able to monitor your +communications, and a very talented root user might even be able to +send his/her own requests to your authentication agent. + +One should also be aware that computers send out electromagnetic +radition that can sometimes be picked up hundreds of meters away. +Your keyboard is particularly easy to listen to. The image on your +monitor might also be seen on another monitor in a van parked behind +your house. + +Beware that unwanted visitors might come to your home or office and +use your machine while you are away. They might also make +modifications or install bugs in your hardware or software. + +Beware that the most effective way for someone to decrypt your data +may be with a rubber hose. + + +LEGAL ISSUES + +As far as I am concerned, anyone is permitted to use this software +freely. However, see the file COPYING for detailed copying, +licensing, and distribution information. + +In some countries, particularly France, Russia, Iraq, and Pakistan, +it may be illegal to use any encryption at all without a special +permit, and the rumor has it that you cannot get a permit for any +strong encryption. + +This software may be freely imported into the United States; however, +the United States Government may consider re-exporting it a criminal +offence. + +Note that any information and cryptographic algorithms used in this +software are publicly available on the Internet and at any major +bookstore, scientific library, or patent office worldwide. + +THERE IS NO WARRANTY FOR THIS PROGRAM. Please consult the file +COPYING for more information. 
+ + +MAILING LISTS AND OTHER INFORMATION + +There is a mailing list for ossh. It is ossh@sics.se. If you would +like to join, send a message to majordomo@sics.se with "subscribe +ssh" in body. + +The WWW home page for ssh is http://www.cs.hut.fi/ssh. It contains an +archive of the mailing list, and detailed information about new +releases, mailing lists, and other relevant issues. + +Bug reports should be sent to ossh-bugs@sics.se. + + +ABOUT THE AUTHOR + +This software was written by Tatu Ylonen . I work as a +researcher at Helsinki University of Technology, Finland. For more +information, see http://www.cs.hut.fi/~ylo/. My PGP public key is +available via finger from ylo@cs.hut.fi and from the key servers. I +prefer PGP encrypted mail. + +The author can be contacted via ordinary mail at + Tatu Ylonen + Helsinki University of Technology + Otakaari 1 + FIN-02150 ESPOO + Finland + + Fax. +358-0-4513293 + + +ACKNOWLEDGEMENTS + +I thank Tero Kivinen, Timo Rinne, Janne Snabb, and Heikki Suonsivu for +their help and comments in the design, implementation and porting of +this software. I also thank numerous contributors, including but not +limited to Walker Aumann, Jurgen Botz, Hans-Werner Braun, Stephane +Bortzmeyer, Adrian Colley, Michael Cooper, David Dombek, Jerome +Etienne, Bill Fithen, Mark Fullmer, Bert Gijsbers, Andreas Gustafsson, +Michael Henits, Steve Johnson, Thomas Koenig, Felix Leitner, Gunnar +Lindberg, Andrew Macpherson, Marc Martinec, Paul Mauvais, Donald +McKillican, Leon Mlakar, Robert Muchsel, Mark Treacy, Bryan +O'Sullivan, Mikael Suokas, Ollivier Robert, Jakob Schlyter, Tomasz +Surmacz, Alvar Vinacua, Petri Virkkula, Michael Warfield, and +Cristophe Wolfhugel. 
+ +Thanks also go to Philip Zimmermann, whose PGP software and the +associated legal battle provided inspiration, motivation, and many +useful techniques, and to Bruce Schneier whose book Applied +Cryptography has done a great service in widely distributing knowledge +about cryptographic methods. + + +Copyright (c) 1995 Tatu Ylonen, Espoo, Finland. diff -ruN --exclude CVS ssh-openbsd-2000070100/TODO openssh-2.1.1p2/TODO --- ssh-openbsd-2000070100/TODO Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/TODO Sat Jun 3 21:59:32 2000 @@ -0,0 +1,11 @@ +- Replacement for setproctitle() + +- Improve PAM support (a pam_lastlog module will cause sshd to exit) + +- Better documentation + +- Replace the horror in acconfig.h which tries to comphensate for the + lack of u_intXX_t types. There must be a better way. + +- Cleanup configure.in + diff -ruN --exclude CVS ssh-openbsd-2000070100/UPGRADING openssh-2.1.1p2/UPGRADING --- ssh-openbsd-2000070100/UPGRADING Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/UPGRADING Fri Mar 17 10:54:16 2000 
@@ -0,0 +1,132 @@ +[ A Japanese translation of this document is available at +[ http://www.unixuser.org/%7Eharuyama/security/openssh/index.html +[ Thanks to HARUYAMA Seigo + +OpenSSH is almost completely compatible with the commercial SSH 1.2.x. +There are, however, a few exceptions that you will need to bear in +mind while upgrading: + +1. OpenSSH does not support any patented transport algorithms. + +Only 3DES and Blowfish can be selected. This difference may manifest +itself in the ssh command refusing to read its config files. + +Solution: Edit /etc/ssh/ssh_config and select a different "Cipher" +option ("3des" or "blowfish"). + +2. Old versions of commercial SSH encrypt host keys with IDEA + +The old versions of SSH used a patented algorithm to encrypt their +/etc/ssh/ssh_host_key + +This problem will manifest as sshd not being able to read its host +key. + +Solution: You will need to run the *commercial* version of ssh-keygen +on the host's private key: + +ssh-keygen -u -f /etc/ssh/ssh_host_key + +3. Incompatible changes to sshd_config format. + +OpenSSH extends the sshd_config file format in a number of ways. There +is currently one change which is incompatible with the old. + +Commercial SSH controlled logging using the "QuietMode" and +"FascistLogging" directives. OpenSSH introduces a more general set of +logging options "SyslogFacility" and "LogLevel". See the sshd manual +page for details. + +4. Warning messages about key lengths + +Commercial SSH's ssh-keygen program contained a bug which caused it to +occasionally generate RSA keys which had their Most Significant Bit +(MSB) unset. Such keys were advertised as being full-length, but are +actually only half as secure. + +OpenSSH will print warning messages when it encounters such keys. To +rid yourself of these message, edit you known_hosts files and replace +the incorrect key length (usually "1024") with the correct key length +(usually "1023"). + +5. 
Spurious PAM authentication messages in logfiles + +OpenSSH will generate spurious authentication failures at every login, +similar to "authentication failure; (uid=0) -> root for sshd service". +These are generated because OpenSSH first tries to determine whether a +user needs authentication to login (e.g. empty password). Unfortunatly +PAM likes to log all authentication events, this one included. + +If it annoys you too much, set "PermitEmptyPasswords no" in +sshd_config. This will quiet the error message at the expense of +disabling logins to accounts with no password set. This is the +default if you use the supplied sshd_config file. + +6. Empty passwords not allowed with PAM authentication + +To enable empty passwords with a version of OpenSSH built with PAM you +must add the flag "nullok" to the end of the password checking module +in the /etc/pam.d/sshd file. For example: + +auth required/lib/security/pam_unix.so shadow nodelay nullok + +This must be done in addtion to setting "PermitEmptyPasswords yes" +in the sshd_config file. + +There is one caveat when using empty passwords with PAM +authentication: PAM will allow _any_ password when authenticating +an account with an empty password. This breaks the check that sshd +uses to determined whether an account has no password set and grant +users access to the account regardless of the policy specified by +"PermitEmptyPasswords". For this reason, it is recommended that you do +not add the "nullok" directive to your PAM configuration file unless +you specifically wish to allow empty passwords. + +7. X11 and/or agent forwarding does not work + +Check your ssh_config and sshd_config. The default configuration files +disable authentication agent and X11 forwarding. + +8. ssh takes a long time to connect with Linux/glibc 2.1 + +The glibc shipped with Redhat 6.1 appears to take a long time to resolve +"IPv6 or IPv4" addresses from domain names. 
This can be kludged around +with the --with-ipv4-default configure option. This instructs OpenSSH to +use IPv4-only address resolution. (IPv6 lookups may still be made by +specifying the -6 option). + +9. Logins from commercial ssh generate the error "Selected cipher type + idea not supported by server" + +This error is generated when a commercial ssh which has been configured to +use the 'idea' cipher attempts to connect to an OpenSSH server. To rectify +this, select a different cipher in ssh_config or ~/.ssh/config (3des for +security or blowfish for speed). + +10. "can't locate module net-pf-10" messages in log under Linux + +The Linux kernel is looking (via modprobe) for protocol family 10 (IPv6). +Either 1. load the appropriate kernel module, 2. enter the correct alias +in /etc/modules.conf or 3. disable IPv6 in /etc/modules.conf. + +For some silly reason /etc/modules.conf may also be named /etc/conf.modules + +11. Password authentication doesn't work on Slackware 7.0 + +Configure OpenSSH with --with-md5-passwords + +12. ./configure or sshd complain about lack of RSA support + +Ensure that your OpenSSL libraries have been built to include RSA support +either internally or through RSAref. + +13. "scp: command not found" errors + +scp must be in the default PATH on both the client and the server. You may +need to use the --with-default-path option to specify a custom path to +search on the server. This option replaces the default path, so you need +to specify all the current directories on your path as well as where you +have installed scp. For example: + +./configure --with-default-path=/bin:/usr/bin:/usr/local/bin:/path/to/scp + diff -ruN --exclude CVS ssh-openbsd-2000070100/acconfig.h openssh-2.1.1p2/acconfig.h --- ssh-openbsd-2000070100/acconfig.h Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/acconfig.h Sat Jul 1 16:52:55 2000 
@@ -0,0 +1,223 @@ +#ifndef _CONFIG_H +#define _CONFIG_H + +/* Generated automatically from acconfig.h by autoheader. */ +/* Please make your changes there */ + +@TOP@ + +/* Define if your snprintf is busted */ +#undef BROKEN_SNPRINTF + +/* Define if you are on NeXT */ +#undef HAVE_NEXT + +/* Define if you want to disable PAM support */ +#undef DISABLE_PAM + +/* Define if you want to enable AIX4's authenticate function */ +#undef WITH_AIXAUTHENTICATE + +/* Define if you have/want arrays (cluster-wide session managment, not C arrays) */ +#undef WITH_IRIX_ARRAY + +/* Define if you want IRIX project management */ +#undef WITH_IRIX_PROJECT + +/* Define if you want IRIX audit trails */ +#undef WITH_IRIX_AUDIT + +/* Location of random number pool */ +#undef RANDOM_POOL + +/* Location of EGD random number socket */ +#undef EGD_SOCKET + +/* Builtin PRNG command timeout */ +#undef ENTROPY_TIMEOUT_MSEC + +/* Define if you want to install preformatted manpages.*/ +#undef MANTYPE + +/* Define if your ssl headers are included with #include */ +#undef HAVE_OPENSSL + +/* Define if you are linking against RSAref. Used only to print the right + * message at run-time. */ +#undef RSAREF + +/* struct utmp and struct utmpx fields */ +#undef HAVE_HOST_IN_UTMP +#undef HAVE_HOST_IN_UTMPX +#undef HAVE_ADDR_IN_UTMP +#undef HAVE_ADDR_IN_UTMPX +#undef HAVE_ADDR_V6_IN_UTMP +#undef HAVE_ADDR_V6_IN_UTMPX +#undef HAVE_SYSLEN_IN_UTMPX +#undef HAVE_PID_IN_UTMP +#undef HAVE_TYPE_IN_UTMP +#undef HAVE_TYPE_IN_UTMPX +#undef HAVE_TV_IN_UTMP +#undef HAVE_TV_IN_UTMPX +#undef HAVE_ID_IN_UTMP +#undef HAVE_ID_IN_UTMPX +#undef HAVE_EXIT_IN_UTMP +#undef HAVE_TIME_IN_UTMP +#undef HAVE_TIME_IN_UTMPX + +/* Define if you don't want to use your system's login() call */ +#undef DISABLE_LOGIN + +/* Define if you don't want to use pututline() etc. to write [uw]tmp */ +#undef DISABLE_PUTUTLINE + +/* Define if you don't want to use pututxline() etc. 
to write [uw]tmpx */ +#undef DISABLE_PUTUTXLINE + +/* Define if you don't want to use lastlog */ +#undef DISABLE_LASTLOG + +/* Define if you don't want to use utmp */ +#undef DISABLE_UTMP + +/* Define if you don't want to use utmpx */ +#undef DISABLE_UTMPX + +/* Define if you don't want to use wtmp */ +#undef DISABLE_WTMP + +/* Define if you don't want to use wtmpx */ +#undef DISABLE_WTMPX + +/* Define if you want to specify the path to your lastlog file */ +#undef CONF_LASTLOG_FILE + +/* Define if you want to specify the path to your utmp file */ +#undef CONF_UTMP_FILE + +/* Define if you want to specify the path to your wtmp file */ +#undef CONF_WTMP_FILE + +/* Define if you want to specify the path to your utmpx file */ +#undef CONF_UTMPX_FILE + +/* Define if you want to specify the path to your wtmpx file */ +#undef CONF_WTMPX_FILE + +/* Define is libutil has login() function */ +#undef HAVE_LIBUTIL_LOGIN + +/* Define if you want external askpass support */ +#undef USE_EXTERNAL_ASKPASS + +/* Define if libc defines __progname */ +#undef HAVE___PROGNAME + +/* Define if you want Kerberos 4 support */ +#undef KRB4 + +/* Define if you want AFS support */ +#undef AFS + +/* Define if you want S/Key support */ +#undef SKEY + +/* Define if you want TCP Wrappers support */ +#undef LIBWRAP + +/* Define if your libraries define login() */ +#undef HAVE_LOGIN + +/* Define if your libraries define daemon() */ +#undef HAVE_DAEMON + +/* Define if your libraries define getpagesize() */ +#undef HAVE_GETPAGESIZE + +/* Define if xauth is found in your path */ +#undef XAUTH_PATH + +/* Define if rsh is found in your path */ +#undef RSH_PATH + +/* Define if you want to allow MD5 passwords */ +#undef HAVE_MD5_PASSWORDS + +/* Define if you want to disable shadow passwords */ +#undef DISABLE_SHADOW + +/* Define if you want to use shadow password expire field */ +#undef HAS_SHADOW_EXPIRE + +/* Define if you want have trusted HPUX */ +#undef HAVE_HPUX_TRUSTED_SYSTEM_PW + +/* Define if you 
have Digital Unix Security Integration Architecture */ +#undef HAVE_OSF_SIA + +/* Define if you have getpwanam(3) [SunOS 4.x] */ +#undef HAVE_GETPWANAM + +/* Defined if in_systm.h needs to be included with netinet/ip.h (HPUX - ) */ +#undef NEED_IN_SYSTM_H + +/* Define if you have an old version of PAM which takes only one argument */ +/* to pam_strerror */ +#undef HAVE_OLD_PAM + +/* Set this to your mail directory if you don't have maillock.h */ +#undef MAIL_DIRECTORY + +/* Data types */ +#undef HAVE_INTXX_T +#undef HAVE_U_INTXX_T +#undef HAVE_UINTXX_T +#undef HAVE_SOCKLEN_T +#undef HAVE_SIZE_T +#undef HAVE_SSIZE_T +#undef HAVE_MODE_T +#undef HAVE_PID_T +#undef HAVE_SA_FAMILY_T +#undef HAVE_STRUCT_SOCKADDR_STORAGE +#undef HAVE_STRUCT_ADDRINFO +#undef HAVE_STRUCT_IN6_ADDR +#undef HAVE_STRUCT_SOCKADDR_IN6 + +/* Fields in struct sockaddr_storage */ +#undef HAVE_SS_FAMILY_IN_SS +#undef HAVE___SS_FAMILY_IN_SS + +/* Define if you have /dev/ptmx */ +#undef HAVE_DEV_PTMX + +/* Define if you have /dev/ptc */ +#undef HAVE_DEV_PTS_AND_PTC + +/* Define if you need to use IP address instead of hostname in $DISPLAY */ +#undef IPADDR_IN_DISPLAY + +/* Specify default $PATH */ +#undef USER_PATH + +/* Specify location of ssh.pid */ +#undef PIDDIR + +/* Use IPv4 for connection by default, IPv6 can still if explicity asked */ +#undef IPV4_DEFAULT + +/* getaddrinfo is broken (if present) */ +#undef BROKEN_GETADDRINFO + +/* Workaround more Linux IPv6 quirks */ +#undef DONT_TRY_OTHER_AF + +/* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */ +#undef IPV4_IN_IPV6 + +@BOTTOM@ + +/* ******************* Shouldn't need to edit below this line ************** */ + +#include "defines.h" + +#endif /* _CONFIG_H */ diff -ruN --exclude CVS ssh-openbsd-2000070100/aclocal.m4 openssh-2.1.1p2/aclocal.m4 --- ssh-openbsd-2000070100/aclocal.m4 Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/aclocal.m4 Mon Jun 26 10:20:19 2000 
@@ -0,0 +1,45 @@ +dnl $Id: aclocal.m4,v 1.4 2000/06/26 00:20:19 djm Exp $ +dnl +dnl OpenSSH-specific autoconf macros +dnl + + +dnl OSSH_CHECK_HEADER_FOR_FIELD(field, header, symbol) +dnl Does AC_EGREP_HEADER on 'header' for the string 'field' +dnl If found, set 'symbol' to be defined. Cache the result. +dnl TODO: This is not foolproof, better to compile and read from there +AC_DEFUN(OSSH_CHECK_HEADER_FOR_FIELD, [ +# look for field '$1' in header '$2' + dnl This strips characters illegal to m4 from the header filename + ossh_safe=`echo "$2" | sed 'y%./+-%__p_%'` + dnl + ossh_varname="ossh_cv_$ossh_safe""_has_"$1 + AC_MSG_CHECKING(for $1 field in $2) + AC_CACHE_VAL($ossh_varname, [ + AC_EGREP_HEADER($1, $2, [ dnl + eval "$ossh_varname=yes" dnl + ], [ dnl + eval "$ossh_varname=no" dnl + ]) dnl + ]) + ossh_result=`eval 'echo $'"$ossh_varname"` + if test -n "`echo $ossh_varname`"; then + AC_MSG_RESULT($ossh_result) + if test "x$ossh_result" = "xyes"; then + AC_DEFINE($3) + fi + else + AC_MSG_RESULT(no) + fi +]) + +dnl OSSH_PATH_ENTROPY_PROG(variablename, command): +dnl Tidiness function, sets 'undef' if not found, and does the AC_SUBST +AC_DEFUN(OSSH_PATH_ENTROPY_PROG, [ + AC_PATH_PROG($1, $2) + if test -z "[$]$1" ; then + $1="undef" + fi + AC_SUBST($1) +]) + diff -ruN --exclude CVS ssh-openbsd-2000070100/auth-pam.c openssh-2.1.1p2/auth-pam.c --- ssh-openbsd-2000070100/auth-pam.c Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/auth-pam.c Thu Jun 22 21:44:54 2000 
@@ -0,0 +1,305 @@ +/* + * Copyright (c) 2000 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Markus Friedl. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "includes.h" + +#ifdef USE_PAM +#include "ssh.h" +#include "xmalloc.h" +#include "servconf.h" + +RCSID("$Id: auth-pam.c,v 1.8 2000/06/22 11:44:54 djm Exp $"); + +#define NEW_AUTHTOK_MSG \ + "Warning: You password has expired, please change it now" + +/* Callbacks */ +static int pamconv(int num_msg, const struct pam_message **msg, + struct pam_response **resp, void *appdata_ptr); +void pam_cleanup_proc(void *context); +void pam_msg_cat(const char *msg); + +/* module-local variables */ +static struct pam_conv conv = { + pamconv, + NULL +}; +static struct pam_handle_t *pamh = NULL; +static const char *pampasswd = NULL; +static char *pam_msg = NULL; + +/* PAM conversation function. This is really a kludge to get the password */ +/* into PAM and to pick up any messages generated by PAM into pamconv_msg */ +static int pamconv(int num_msg, const struct pam_message **msg, + struct pam_response **resp, void *appdata_ptr) +{ + struct pam_response *reply; + int count; + + /* PAM will free this later */ + reply = malloc(num_msg * sizeof(*reply)); + if (reply == NULL) + return PAM_CONV_ERR; + + for(count = 0; count < num_msg; count++) { + switch (msg[count]->msg_style) { + case PAM_PROMPT_ECHO_OFF: + if (pampasswd == NULL) { + free(reply); + return PAM_CONV_ERR; + } + reply[count].resp_retcode = PAM_SUCCESS; + reply[count].resp = xstrdup(pampasswd); + break; + case PAM_TEXT_INFO: + reply[count].resp_retcode = PAM_SUCCESS; + reply[count].resp = xstrdup(""); + + if (msg[count]->msg != NULL) + pam_msg_cat(msg[count]->msg); + + break; + default: + free(reply); + return PAM_CONV_ERR; + } + } + + *resp = reply; + + return PAM_SUCCESS; +} + +/* Called at exit to cleanly shutdown PAM */ +void pam_cleanup_proc(void *context) +{ + int pam_retval; + + if (pamh != NULL) + { + pam_retval = pam_close_session((pam_handle_t *)pamh, 0); + if (pam_retval != PAM_SUCCESS) { + log("Cannot close PAM session: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + + 
pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED); + if (pam_retval != PAM_SUCCESS) { + log("Cannot delete credentials: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + + pam_retval = pam_end((pam_handle_t *)pamh, pam_retval); + if (pam_retval != PAM_SUCCESS) { + log("Cannot release PAM authentication: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + } +} + +/* Attempt password authentation using PAM */ +int auth_pam_password(struct passwd *pw, const char *password) +{ + extern ServerOptions options; + int pam_retval; + + /* deny if no user. */ + if (pw == NULL) + return 0; + if (pw->pw_uid == 0 && options.permit_root_login == 2) + return 0; + if (*password == '\0' && options.permit_empty_passwd == 0) + return 0; + + pampasswd = password; + + pam_retval = pam_authenticate((pam_handle_t *)pamh, 0); + if (pam_retval == PAM_SUCCESS) { + debug("PAM Password authentication accepted for user \"%.100s\"", + pw->pw_name); + return 1; + } else { + debug("PAM Password authentication for \"%.100s\" failed: %s", + pw->pw_name, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + return 0; + } +} + +/* Do account management using PAM */ +int do_pam_account(char *username, char *remote_user) +{ + int pam_retval; + + debug("PAM setting rhost to \"%.200s\"", get_canonical_hostname()); + pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, + get_canonical_hostname()); + if (pam_retval != PAM_SUCCESS) { + fatal("PAM set rhost failed: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + + if (remote_user != NULL) { + debug("PAM setting ruser to \"%.200s\"", remote_user); + pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user); + if (pam_retval != PAM_SUCCESS) { + fatal("PAM set ruser failed: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + } + + pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0); + switch (pam_retval) { + case PAM_SUCCESS: + /* This is what we want */ + break; + case 
PAM_NEW_AUTHTOK_REQD: + pam_msg_cat(NEW_AUTHTOK_MSG); + break; + default: + log("PAM rejected by account configuration: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + return(0); + } + + return(1); +} + +/* Do PAM-specific session initialisation */ +void do_pam_session(char *username, const char *ttyname) +{ + int pam_retval; + + if (ttyname != NULL) { + debug("PAM setting tty to \"%.200s\"", ttyname); + pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_TTY, ttyname); + if (pam_retval != PAM_SUCCESS) { + fatal("PAM set tty failed: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + } + + pam_retval = pam_open_session((pam_handle_t *)pamh, 0); + if (pam_retval != PAM_SUCCESS) { + fatal("PAM session setup failed: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } +} + +/* Set PAM credentials */ +void do_pam_setcred() +{ + int pam_retval; + + debug("PAM establishing creds"); + pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_ESTABLISH_CRED); + if (pam_retval != PAM_SUCCESS) { + fatal("PAM setcred failed: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } +} + +/* Cleanly shutdown PAM */ +void finish_pam(void) +{ + pam_cleanup_proc(NULL); + fatal_remove_cleanup(&pam_cleanup_proc, NULL); +} + +/* Start PAM authentication for specified account */ +void start_pam(struct passwd *pw) +{ + int pam_retval; + + debug("Starting up PAM with username \"%.200s\"", pw->pw_name); + + pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, + (pam_handle_t**)&pamh); + + if (pam_retval != PAM_SUCCESS) { + fatal("PAM initialisation failed: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + + /* + * Some PAM modules (e.g. pam_time) require a TTY to operate, + * and will fail in various stupid ways if they don't get one. 
+ * sshd doesn't set the tty until too late in the auth process and may + * not even need one (for tty-less connections) + * Kludge: Set a fake PAM_TTY + */ + pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_TTY, "ssh"); + if (pam_retval != PAM_SUCCESS) { + fatal("PAM set tty failed: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + + fatal_add_cleanup(&pam_cleanup_proc, NULL); +} + +/* Return list of PAM enviornment strings */ +char **fetch_pam_environment(void) +{ +#ifdef HAVE_PAM_GETENVLIST + return(pam_getenvlist((pam_handle_t *)pamh)); +#else /* HAVE_PAM_GETENVLIST */ + return(NULL); +#endif /* HAVE_PAM_GETENVLIST */ +} + +/* Print any messages that have been generated during authentication */ +/* or account checking to stderr */ +void print_pam_messages(void) +{ + if (pam_msg != NULL) + fprintf(stderr, pam_msg); +} + +/* Append a message to the PAM message buffer */ +void pam_msg_cat(const char *msg) +{ + char *p; + size_t new_msg_len; + size_t pam_msg_len; + + new_msg_len = strlen(msg); + + if (pam_msg) { + pam_msg_len = strlen(pam_msg); + pam_msg = xrealloc(pam_msg, new_msg_len + pam_msg_len + 2); + p = pam_msg + pam_msg_len; + } else { + pam_msg = p = xmalloc(new_msg_len + 2); + } + + memcpy(p, msg, new_msg_len); + p[new_msg_len] = '\n'; + p[new_msg_len + 1] = '\0'; +} + +#endif /* USE_PAM */ diff -ruN --exclude CVS ssh-openbsd-2000070100/auth-pam.h openssh-2.1.1p2/auth-pam.h --- ssh-openbsd-2000070100/auth-pam.h Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/auth-pam.h Thu Jan 27 10:55:38 2000 
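Review bot: `fprintf(stderr, pam_msg);` in print_pam_messages uses text gathered from PAM modules as the format string; pam_msg_cat appends every PAM_TEXT_INFO message verbatim, so a `%` in any module's message would be parsed as a conversion specifier, and the call should be `fputs(pam_msg, stderr);`. Separately, auth_pam_password sets `pampasswd = password;` and never clears it, so a later conversation that issues PAM_PROMPT_ECHO_OFF (from pam_acct_mgmt, pam_setcred or pam_open_session) would xstrdup through a pointer into a buffer the caller may already have released; adding `pampasswd = NULL;` after pam_authenticate returns limits the password's exposure to the authentication call itself. Also worth an explicit comment: do_pam_account treats PAM_NEW_AUTHTOK_REQD as success after only queueing NEW_AUTHTOK_MSG, so an account whose token has expired is still logged in without pam_chauthtok being run — if that is the intended policy, say so at the `case PAM_NEW_AUTHTOK_REQD:` label, since it is the kind of decision a later maintainer would otherwise assume was an oversight.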
@@ -0,0 +1,15 @@ +#include "includes.h" +#ifdef USE_PAM + +#include /* For struct passwd */ + +void start_pam(struct passwd *pw); +void finish_pam(void); +int auth_pam_password(struct passwd *pw, const char *password); +char **fetch_pam_environment(void); +int do_pam_account(char *username, char *remote_user); +void do_pam_session(char *username, const char *ttyname); +void do_pam_setcred(); +void print_pam_messages(void); + +#endif /* USE_PAM */ diff -ruN --exclude CVS ssh-openbsd-2000070100/auth-passwd.c openssh-2.1.1p2/auth-passwd.c --- ssh-openbsd-2000070100/auth-passwd.c Thu Jun 22 21:08:30 2000 +++ openssh-2.1.1p2/auth-passwd.c Wed Jun 28 15:22:42 2000 @@ -8,13 +8,35 @@ */ #include "includes.h" + RCSID("$OpenBSD: auth-passwd.c,v 1.16 2000/06/20 01:39:38 markus Exp $"); +#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) + #include "packet.h" #include "ssh.h" #include "servconf.h" #include "xmalloc.h" +#ifdef WITH_AIXAUTHENTICATE +# include +#endif +#ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW +# include +# include +#endif +#ifdef HAVE_SHADOW_H +# include +#endif +#ifdef HAVE_GETPWANAM +# include +# include +# include +#endif +#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) +# include "md5crypt.h" +#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ + /* * Tries to authenticate the user using password. Returns true if * authentication succeeds. @@ -24,6 +46,19 @@ { extern ServerOptions options; char *encrypted_password; + char *pw_password; + char *salt; +#ifdef HAVE_SHADOW_H + struct spwd *spw; +#endif +#ifdef HAVE_GETPWANAM + struct passwd_adjunct *spw; +#endif +#ifdef WITH_AIXAUTHENTICATE + char *authmsg; + char *loginmsg; + int reenter = 1; +#endif /* deny if no user. */ if (pw == NULL) 
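Review bot: `void do_pam_setcred();` is a non-prototype declaration, so a caller passing arguments would not be diagnosed by the compiler; every other declaration in this header is a full prototype, and it should read `void do_pam_setcred(void);` with the definition in auth-pam.c changed to match. The header is a complete new file in this hunk, so nothing outside it is affected by the change.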
@@ -41,6 +76,11 @@ /* Fall back to ordinary passwd authentication. */ } #endif + +#ifdef WITH_AIXAUTHENTICATE + return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); +#endif + #ifdef KRB4 if (options.kerberos_authentication == 1) { int ret = auth_krb4_password(pw, password); 
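Review bot: The new WITH_AIXAUTHENTICATE branch returns `authenticate() == 0` without looking at `reenter`, and it never releases `authmsg`; per the AIX API a nonzero `reenter` means the library wants a further round of input rather than that the user is authenticated, and the message buffer is allocated by the library for the caller to free (both points come from the AIX documentation, not from visible lines, so confirm them). Something like `rc = authenticate(pw->pw_name, password, &reenter, &authmsg); if (authmsg) free(authmsg); return (rc == 0 && reenter == 0);` closes both gaps. This branch also returns before the KRB4 and local-password code that follows it, which is presumably intended because the AIX call replaces them, but a one-line comment saying so would help. The enclosing function starts and ends outside the hunk.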
@@ -53,10 +93,50 @@ /* Check for users with no password. */ if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) return 1; - /* Encrypt the candidate password using the proper salt. */ - encrypted_password = crypt(password, - (pw->pw_passwd[0] && pw->pw_passwd[1]) ? pw->pw_passwd : "xx"); + + pw_password = pw->pw_passwd; + +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) + spw = getspnam(pw->pw_name); + if (spw != NULL) + { + /* Check for users with no password. */ + if (strcmp(password, "") == 0 && strcmp(spw->sp_pwdp, "") == 0) + return 1; + + pw_password = spw->sp_pwdp; + } +#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ +#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) + if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL) + { + /* Check for users with no password. */ + if (strcmp(password, "") == 0 && strcmp(spw->pwa_passwd, "") == 0) + return 1; + + pw_password = spw->pwa_passwd; + } +#endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */ + + if (pw_password[0] != '\0') + salt = pw_password; + else + salt = "xx"; + +#ifdef HAVE_MD5_PASSWORDS + if (is_md5_salt(salt)) + encrypted_password = md5_crypt(password, salt); + else + encrypted_password = crypt(password, salt); +#else /* HAVE_MD5_PASSWORDS */ +# ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW + encrypted_password = bigcrypt(password, salt); +# else + encrypted_password = crypt(password, salt); +# endif /* HAVE_HPUX_TRUSTED_SYSTEM_PW */ +#endif /* HAVE_MD5_PASSWORDS */ /* Authentication is accepted if the encrypted passwords are identical. */ - return (strcmp(encrypted_password, pw->pw_passwd) == 0); + return (strcmp(encrypted_password, pw_password) == 0); } +#endif /* !USE_PAM && !HAVE_OSF_SIA */ diff -ruN --exclude CVS ssh-openbsd-2000070100/auth-skey.c openssh-2.1.1p2/auth-skey.c --- ssh-openbsd-2000070100/auth-skey.c Thu Jun 22 21:08:32 2000 +++ openssh-2.1.1p2/auth-skey.c Thu Jun 22 21:32:31 2000 
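Review bot: `crypt()` (and `bigcrypt`/`md5_crypt` on the other branches) can return NULL, and the final `strcmp(encrypted_password, pw_password)` dereferences it unconditionally; this matters more now because the `"xx"` salt fallback only triggers for an empty field, so a single-character marker such as a locked account's `*` is passed straight through as the salt, which some libcs reject. Add `if (encrypted_password == NULL) return 0;` before the comparison. The hunk also turns an empty shadow field into an immediate `return 1` for an empty candidate password, mirroring the existing `pw_passwd` shortcut above it; that relies on an empty-password policy check earlier in the function, which is not in this hunk, and deserves a comment saying so. The enclosing function starts outside the hunk.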
@@ -1,10 +1,13 @@ #include "includes.h" +#ifdef SKEY RCSID("$OpenBSD: auth-skey.c,v 1.7 2000/06/20 01:39:38 markus Exp $"); #include "ssh.h" #include "packet.h" #include +/* from %OpenBSD: skeylogin.c,v 1.32 1999/08/16 14:46:56 millert Exp % */ + /* * try skey authentication, * return 1 on success, 0 on failure, -1 if skey is not available @@ -69,8 +72,9 @@ static char skeyprompt[SKEY_MAX_CHALLENGE+1]; char *secret = NULL; size_t secretlen = 0; - SHA1_CTX ctx; + SHA_CTX ctx; char *p, *u; + char md[SHA_DIGEST_LENGTH]; /* * Base first 4 chars of seed on hostname. @@ -87,11 +91,16 @@ pbuf[4] = '\0'; /* Hash the username if possible */ - if ((up = SHA1Data(username, strlen(username), NULL)) != NULL) { + up = malloc(SHA_DIGEST_LENGTH); + if (up != NULL) { struct stat sb; time_t t; int fd; + SHA1_Init(&ctx); + SHA1_Update(&ctx, username, strlen(username)); + SHA1_End(&ctx, up); + /* Collapse the hash */ ptr = hash_collapse(up); memset(up, 0, strlen(up)); @@ -121,18 +130,18 @@ /* Put that in your pipe and smoke it */ if (flg == 0) { /* Hash secret value with username */ - SHA1Init(&ctx); - SHA1Update(&ctx, secret, secretlen); - SHA1Update(&ctx, username, strlen(username)); - SHA1End(&ctx, up); + SHA1_Init(&ctx); + SHA1_Update(&ctx, secret, secretlen); + SHA1_Update(&ctx, username, strlen(username)); + SHA1_End(&ctx, up); /* Zero out */ memset(secret, 0, secretlen); /* Now hash the hash */ - SHA1Init(&ctx); - SHA1Update(&ctx, up, strlen(up)); - SHA1End(&ctx, up); + SHA1_Init(&ctx); + SHA1_Update(&ctx, up, strlen(up)); + SHA1_End(&ctx, up); ptr = hash_collapse(up + 4); @@ -145,7 +154,7 @@ /* Sequence number */ ptr = ((up[2] + up[3]) % 99) + 1; - memset(up, 0, 20); /* SHA1 specific */ + memset(up, 0, SHA_DIGEST_LENGTH); /* SHA1 specific */ free(up); (void)snprintf(skeyprompt, sizeof skeyprompt, 
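Review bot: `up = malloc(SHA_DIGEST_LENGTH)` in the third hunk looks too small for what is stored in it: the code immediately treats `up` as a NUL-terminated string (`strlen(up)`, `hash_collapse(up)`, `up + 4`), which only makes sense if `SHA1_End` writes a hex digest the way the replaced `SHA1Data` did, and that needs `2 * SHA_DIGEST_LENGTH + 1` bytes, so a 20-byte allocation would be overrun on the heap. If `SHA1_End` does produce the hex form, change the allocation to `up = malloc(2 * SHA_DIGEST_LENGTH + 1);` and make the `memset(up, 0, SHA_DIGEST_LENGTH)` in the last hunk clear that same size, with its `/* SHA1 specific */` comment reworded to say it is the hex length. `char md[SHA_DIGEST_LENGTH];` added in the second hunk is not used by any visible line. The enclosing function starts before and ends after these hunks.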
@@ -179,3 +188,5 @@ } return skeyprompt; } + +#endif /* SKEY */ diff -ruN --exclude CVS ssh-openbsd-2000070100/auth.c openssh-2.1.1p2/auth.c --- ssh-openbsd-2000070100/auth.c Thu May 18 07:37:24 2000 +++ openssh-2.1.1p2/auth.c Mon Jun 26 11:31:33 2000 @@ -19,6 +19,12 @@ #include "compat.h" #include "channels.h" #include "match.h" +#ifdef HAVE_LOGIN_H +#include +#endif +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) +#include +#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ #include "bufaux.h" #include "ssh2.h" @@ -47,11 +53,35 @@ struct group *grp; char *shell; int i; +#ifdef WITH_AIXAUTHENTICATE + char *loginmsg; +#endif /* WITH_AIXAUTHENTICATE */ +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \ + defined(HAS_SHADOW_EXPIRE) + struct spwd *spw; /* Shouldn't be called if pw is NULL, but better safe than sorry... */ if (!pw) return 0; + spw = getspnam(pw->pw_name); + if (spw == NULL) + return 0; + + /* Check account expiry */ + if ((spw->sp_expire > 0) && ((time(NULL) / 86400) > spw->sp_expire)) + return 0; + + /* Check password expiry */ + if ((spw->sp_lstchg > 0) && (spw->sp_inact > 0) && + ((time(NULL) / 86400) > (spw->sp_lstchg + spw->sp_inact))) + return 0; +#else + /* Shouldn't be called if pw is NULL, but better safe than sorry... */ + if (!pw) + return 0; +#endif + /* * Get the shell from the password data. An empty shell field is * legal, and means /bin/sh. 
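Review bot: The password-inactivity test in the new shadow block of auth.c compares today against `sp_lstchg + sp_inact` and ignores `sp_max`; in shadow(5) terms the inactivity window starts when the password expires at `sp_lstchg + sp_max`, so as written an account with `sp_inact` of 7 is refused a week after its last password change even though the password is still valid. The condition should read `(spw->sp_lstchg > 0) && (spw->sp_max > 0) && (spw->sp_inact > 0) && ((time(NULL) / 86400) > (spw->sp_lstchg + spw->sp_max + spw->sp_inact))`. Also worth a comment: `if (spw == NULL) return 0;` denies every account without a shadow entry (NIS users, or an sshd that cannot read the shadow file), which fails closed but will surprise administrators; and `time(NULL)` is read twice, so compute `long today = time(NULL) / 86400;` once. The enclosing function starts before and ends after this hunk.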
@@ -113,6 +143,24 @@ return 0; } } + +#ifdef WITH_AIXAUTHENTICATE + if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { + if (loginmsg && *loginmsg) { + /* Remove embedded newlines (if any) */ + char *p; + for (p = loginmsg; *p; p++) { + if (*p == '\n') + *p = ' '; + } + /* Remove trailing newline */ + *--p = '\0'; + log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); + } + return 0; + } +#endif /* WITH_AIXAUTHENTICATE */ + /* We found no reason not to let this user try to log on... */ return 1; } diff -ruN --exclude CVS ssh-openbsd-2000070100/auth1.c openssh-2.1.1p2/auth1.c --- ssh-openbsd-2000070100/auth1.c Sun Apr 30 04:11:52 2000 +++ openssh-2.1.1p2/auth1.c Sat Jul 1 12:56:09 2000 @@ -18,6 +18,11 @@ #include "auth.h" #include "session.h" +#ifdef HAVE_OSF_SIA +# include +# include +#endif + /* import */ extern ServerOptions options; extern char *forced_command; @@ -65,6 +70,10 @@ get_remote_ipaddr(), get_remote_port()); +#ifdef WITH_AIXAUTHENTICATE + loginfailed(user,get_canonical_hostname(),"ssh"); +#endif /* WITH_AIXAUTHENTICATE */ + /* Indicate that authentication is needed. */ packet_start(SSH_SMSG_FAILURE); packet_send(); @@ -77,8 +86,10 @@ for (attempt = 1;; attempt++) { /* Read a packet. This will not return if the client disconnects. */ int plen; +#ifndef SKEY + (void)packet_read(&plen); +#else /* SKEY */ int type = packet_read(&plen); -#ifdef SKEY unsigned int dlen; char *password, *skeyinfo; password = NULL; @@ -128,13 +139,17 @@ unsigned int bits; RSA *client_host_key; BIGNUM *n; - char *client_user, *password; + char *client_user = NULL, *password = NULL; char user[1024]; unsigned int dlen; int plen, nlen, elen; unsigned int ulen; int type = 0; void (*authlog) (const char *fmt,...) = verbose; +#ifdef HAVE_OSF_SIA + extern int saved_argc; + extern char **saved_argv; +#endif /* HAVE_OSF_SIA */ /* Indicate that authentication is needed. */ packet_start(SSH_SMSG_FAILURE); 
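Review bot: `*--p = '\0';` under `/* Remove trailing newline */` removes the last character of `loginmsg` unconditionally: the loop above has already turned every `'\n'` into `' '`, so at that point the final character is a space if there was a newline and a real character otherwise, and either way it is cut off the logged message. Use `if (p > loginmsg && p[-1] == ' ') *--p = '\0';`, or leave the final newline alone in the loop and strip it explicitly. `loginmsg` is presumably allocated by `loginrestrictions()` and is not released on this path; confirm against the AIX API and free it after the `log()` call. The enclosing function starts outside the hunk.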
@@ -227,7 +242,6 @@ authenticated = auth_rhosts(pw, client_user); snprintf(user, sizeof user, " ruser %s", client_user); - xfree(client_user); break; case SSH_CMSG_AUTH_RHOSTS_RSA: @@ -263,7 +277,6 @@ RSA_free(client_host_key); snprintf(user, sizeof user, " ruser %s", client_user); - xfree(client_user); break; case SSH_CMSG_AUTH_RSA: @@ -292,8 +305,20 @@ password = packet_get_string(&dlen); packet_integrity_check(plen, 4 + dlen, type); +#ifdef USE_PAM + /* Do PAM auth with password */ + authenticated = auth_pam_password(pw, password); +#elif defined(HAVE_OSF_SIA) + /* Do SIA auth with password */ + if (sia_validate_user(NULL, saved_argc, saved_argv, + get_canonical_hostname(), pw->pw_name, NULL, 0, + NULL, password) == SIASUCCESS) { + authenticated = 1; + } +#else /* !USE_PAM && !HAVE_OSF_SIA */ /* Try authentication with the password. */ authenticated = auth_password(pw, password); +#endif /* USE_PAM */ memset(password, 0, strlen(password)); xfree(password); @@ -375,11 +400,34 @@ get_remote_port(), user); - if (authenticated) +#ifdef USE_PAM + if (authenticated) { + if (!do_pam_account(pw->pw_name, client_user)) { + if (client_user != NULL) { + xfree(client_user); + client_user = NULL; + } + do_fake_authloop1(pw->pw_name); + } return; + } +#else /* USE_PAM */ + if (authenticated) { + return; + } +#endif /* USE_PAM */ - if (attempt > AUTH_FAIL_MAX) + if (client_user != NULL) { + xfree(client_user); + client_user = NULL; + } + + if (attempt > AUTH_FAIL_MAX) { +#ifdef WITH_AIXAUTHENTICATE + loginfailed(pw->pw_name,get_canonical_hostname(),"ssh"); +#endif /* WITH_AIXAUTHENTICATE */ packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); + } /* Send a message indicating that the authentication attempt failed. */ packet_start(SSH_SMSG_FAILURE); 
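Review bot: With USE_PAM or HAVE_OSF_SIA the password branch here no longer goes through `auth_password`, and the same substitution is made for the empty-password probe later in auth1.c (`@@ -447,7 +502,15 @@`) and in `ssh2_auth_none` and `ssh2_auth_password` in auth2.c. `auth_password`, outside this chunk, is where the server-option policy for password logins is applied (`options.permit_empty_passwd`, `options.permit_root_login`); if `auth_pam_password` and the `sia_validate_user` calls do not repeat those checks, every PAM and SIA build silently loses them. `auth_pam_password` is defined outside this chunk so that needs confirming there, but nothing visible applies the policy in front of the SIA calls, so add the option checks before `sia_validate_user` or route all three backends through one helper. A one-line comment at each call naming where the policy is enforced would keep a future merge from losing it again.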
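Review bot: `client_user` is leaked on the success path: the `xfree(client_user)` calls in the SSH_CMSG_AUTH_RHOSTS and SSH_CMSG_AUTH_RHOSTS_RSA cases were removed so the name stays available for `do_pam_account`, but both `if (authenticated)` branches now `return` before the `if (client_user != NULL) { xfree(client_user); ... }` block that follows them. Free it inside the branches once `do_pam_account` has used it, as below, and leave the failure path as it is. The enclosing loop starts outside the hunk.
```c
#ifdef USE_PAM
	if (authenticated) {
		int account_ok = do_pam_account(pw->pw_name, client_user);
		/* client_user is only needed by do_pam_account; release it now */
		if (client_user != NULL) {
			xfree(client_user);
			client_user = NULL;
		}
		if (!account_ok)
			do_fake_authloop1(pw->pw_name);
		return;
	}
#else /* USE_PAM */
	if (authenticated) {
		if (client_user != NULL) {
			xfree(client_user);
			client_user = NULL;
		}
		return;
	}
#endif /* USE_PAM */
	/* … unchanged: failure path frees client_user, AUTH_FAIL_MAX check … */
```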
@@ -399,6 +447,9 @@ int plen; unsigned int ulen; char *user; +#ifdef WITH_AIXAUTHENTICATE + extern char *aixloginmsg; +#endif /* WITH_AIXAUTHENTICATE */ /* Get the name of the user that we wish to log in as. */ packet_read_expect(&plen, SSH_CMSG_USER); @@ -433,6 +484,10 @@ pwcopy.pw_shell = xstrdup(pw->pw_shell); pw = &pwcopy; +#ifdef USE_PAM + start_pam(pw); +#endif + /* * If we are not running as root, the user must have the same uid as * the server. @@ -447,7 +502,15 @@ #ifdef KRB4 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif /* KRB4 */ +#ifdef USE_PAM + auth_pam_password(pw, "")) { +#elif defined(HAVE_OSF_SIA) + (sia_validate_user(NULL, saved_argc, saved_argv, + get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, + "") == SIASUCCESS)) { +#else /* !HAVE_OSF_SIA && !USE_PAM */ auth_password(pw, "")) { +#endif /* USE_PAM */ /* Authentication with empty password succeeded. */ log("Login for user %s from %.100s, accepted without authentication.", pw->pw_name, get_remote_ipaddr()); @@ -459,6 +522,11 @@ } /* The user has been authenticated and accepted. */ +#ifdef WITH_AIXAUTHENTICATE + /* We don't have a pty yet, so just label the line as "ssh" */ + if (loginsuccess(user,get_canonical_hostname(),"ssh",&aixloginmsg) < 0) + aixloginmsg = NULL; +#endif /* WITH_AIXAUTHENTICATE */ packet_start(SSH_SMSG_SUCCESS); packet_send(); packet_write_wait(); diff -ruN --exclude CVS ssh-openbsd-2000070100/auth2.c openssh-2.1.1p2/auth2.c --- ssh-openbsd-2000070100/auth2.c Thu Jun 22 21:08:33 2000 +++ openssh-2.1.1p2/auth2.c Wed Jun 28 15:22:42 2000 @@ -56,6 +56,11 @@ #include "uidswap.h" #include "auth-options.h" +#ifdef HAVE_OSF_SIA +# include +# include +#endif + /* import */ extern ServerOptions options; extern unsigned char *session_id2; 
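Review bot: Under USE_PAM the empty-password probe in `@@ -447,7 +502,15 @@` now drives the full PAM authentication stack once per connection before the client has offered any credential, and PAM modules commonly log such a failure and may count it toward lockout policies; `ssh2_auth_none` in auth2.c does the same. If the probe only makes sense when empty passwords are permitted, guard it with that option so the PAM stack is not invoked speculatively, and add a comment above the `#ifdef USE_PAM` explaining why an empty-password attempt is made at all. The `if (` that this condition belongs to starts above the hunk, so the existing guards there (presumably `options.password_authentication`) could not be checked here.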
@@ -155,13 +160,19 @@ int authenticated = 0; char *user, *service, *method, *authmsg = NULL; struct passwd *pw; - - if (++attempt == AUTH_FAIL_MAX) - packet_disconnect("too many failed userauth_requests"); +#ifdef WITH_AIXAUTHENTICATE + extern char *aixloginmsg; +#endif /* WITH_AIXAUTHENTICATE */ user = packet_get_string(&len); service = packet_get_string(&len); method = packet_get_string(&len); + if (++attempt == AUTH_FAIL_MAX) { +#ifdef WITH_AIXAUTHENTICATE + loginfailed(user,get_canonical_hostname(),"ssh"); +#endif /* WITH_AIXAUTHENTICATE */ + packet_disconnect("too many failed userauth_requests"); + } debug("userauth-request for user %s service %s method %s", user, service, method); /* XXX we only allow the ssh-connection service */ @@ -181,6 +192,11 @@ get_canonical_hostname()); } +#ifdef USE_PAM + if (authenticated && !do_pam_account(pw->pw_name, NULL)) + authenticated = 0; +#endif /* USE_PAM */ + /* Raise logging level */ if (authenticated == 1 || attempt == AUTH_FAIL_LOG || @@ -204,6 +220,12 @@ /* XXX todo: check if multiple auth methods are needed */ if (authenticated == 1) { +#ifdef WITH_AIXAUTHENTICATE + /* We don't have a pty yet, so just label the line as "ssh" */ + if (loginsuccess(user,get_canonical_hostname(),"ssh", + &aixloginmsg) < 0) + aixloginmsg = NULL; +#endif /* WITH_AIXAUTHENTICATE */ /* turn off userauth */ dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error); packet_start(SSH2_MSG_USERAUTH_SUCCESS); @@ -227,8 +249,22 @@ int ssh2_auth_none(struct passwd *pw) { +#ifdef HAVE_OSF_SIA + extern int saved_argc; + extern char **saved_argv; +#endif + packet_done(); + +#ifdef USE_PAM + return auth_pam_password(pw, ""); +#elif defined(HAVE_OSF_SIA) + return(sia_validate_user(NULL, saved_argc, saved_argv, + get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, + "") == SIASUCCESS); +#else /* !HAVE_OSF_SIA && !USE_PAM */ return auth_password(pw, ""); +#endif /* USE_PAM */ } int ssh2_auth_password(struct passwd *pw) 
@@ -237,13 +273,25 @@ int authenticated = 0; int change; unsigned int len; +#ifdef HAVE_OSF_SIA + extern int saved_argc; + extern char **saved_argv; +#endif change = packet_get_char(); if (change) log("password change not supported"); password = packet_get_string(&len); packet_done(); if (options.password_authentication && +#ifdef USE_PAM + auth_pam_password(pw, password) == 1) +#elif defined(HAVE_OSF_SIA) + sia_validate_user(NULL, saved_argc, saved_argv, + get_canonical_hostname(), pw->pw_name, NULL, 0, + NULL, password) == SIASUCCESS) +#else /* !USE_PAM && !HAVE_OSF_SIA */ auth_password(pw, password) == 1) +#endif /* USE_PAM */ authenticated = 1; memset(password, 0, len); xfree(password); @@ -354,6 +402,9 @@ log("auth_set_user: illegal user %s", u); return NULL; } +#ifdef USE_PAM + start_pam(pw); +#endif copy = &authctxt->pw; memset(copy, 0, sizeof(*copy)); copy->pw_name = xstrdup(pw->pw_name); diff -ruN --exclude CVS ssh-openbsd-2000070100/aux.c openssh-2.1.1p2/aux.c --- ssh-openbsd-2000070100/aux.c Thu Jun 22 21:08:34 2000 +++ openssh-2.1.1p2/aux.c Wed May 17 22:34:23 2000 @@ -1,5 +1,5 @@ #include "includes.h" -RCSID("$OpenBSD: aux.c,v 1.3 2000/06/18 17:13:41 markus Exp $"); +RCSID("$OpenBSD: aux.c,v 1.2 2000/05/17 09:47:59 markus Exp $"); #include "ssh.h" @@ -22,11 +22,6 @@ set_nonblock(int fd) { int val; - if (isatty(fd)) { - /* do not mess with tty's */ - debug("no set_nonblock for tty fd %d", fd); - return; - } val = fcntl(fd, F_GETFL, 0); if (val < 0) { error("fcntl(%d, F_GETFL, 0): %s", fd, strerror(errno)); diff -ruN --exclude CVS ssh-openbsd-2000070100/bsd-base64.c openssh-2.1.1p2/bsd-base64.c --- ssh-openbsd-2000070100/bsd-base64.c Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/bsd-base64.c Tue May 9 15:28:41 2000 
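Review bot: The new side of aux.c steps the RCS id back from 1.3 to 1.2 and removes the `isatty(fd)` guard from `set_nonblock`, so tty descriptors get O_NONBLOCK again; given the direction of the ids this looks like the portable tree lagging the OpenBSD one rather than a deliberate change, and it quietly reintroduces whatever the 1.3 guard was added to avoid. Either re-sync aux.c to 1.3 or add a comment on the hunk saying why the tty exemption is not wanted here. `set_nonblock` continues outside the hunk.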
@@ -0,0 +1,316 @@ +/* $OpenBSD: base64.c,v 1.3 1997/11/08 20:46:55 deraadt Exp $ */ + +/* + * Copyright (c) 1996 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + */ + +/* + * Portions Copyright (c) 1995 by International Business Machines, Inc. + * + * International Business Machines, Inc. (hereinafter called IBM) grants + * permission under its copyrights to use, copy, modify, and distribute this + * Software with or without fee, provided that the above copyright notice and + * all paragraphs of this notice appear in all copies, and that the name of IBM + * not be used in connection with the marketing of any product incorporating + * the Software or modifications thereof, without specific, written prior + * permission. + * + * To the extent it has a right to do so, IBM grants an immunity from suit + * under its patents, if any, for the use, sale or manufacture of products to + * the extent that such products are used for performing Domain Name System + * dynamic updates in TCP/IP networks by means of the Software. No immunity is + * granted for any product per se or for any other function of any product. 
+ * + * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES, + * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + * PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL, + * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING + * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN + * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES. + */ + +#include "config.h" + +#if !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) + +#include +#include +#include +#include +#include + +#include +#include + +#include +#include + +#include "bsd-base64.h" + +#define Assert(Cond) if (!(Cond)) abort() + +static const char Base64[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; +static const char Pad64 = '='; + +/* (From RFC1521 and draft-ietf-dnssec-secext-03.txt) + The following encoding technique is taken from RFC 1521 by Borenstein + and Freed. It is reproduced here in a slightly edited form for + convenience. + + A 65-character subset of US-ASCII is used, enabling 6 bits to be + represented per printable character. (The extra 65th character, "=", + is used to signify a special processing function.) + + The encoding process represents 24-bit groups of input bits as output + strings of 4 encoded characters. Proceeding from left to right, a + 24-bit input group is formed by concatenating 3 8-bit input groups. + These 24 bits are then treated as 4 concatenated 6-bit groups, each + of which is translated into a single digit in the base64 alphabet. + + Each 6-bit group is used as an index into an array of 64 printable + characters. The character referenced by the index is placed in the + output string. 
+ + Table 1: The Base64 Alphabet + + Value Encoding Value Encoding Value Encoding Value Encoding + 0 A 17 R 34 i 51 z + 1 B 18 S 35 j 52 0 + 2 C 19 T 36 k 53 1 + 3 D 20 U 37 l 54 2 + 4 E 21 V 38 m 55 3 + 5 F 22 W 39 n 56 4 + 6 G 23 X 40 o 57 5 + 7 H 24 Y 41 p 58 6 + 8 I 25 Z 42 q 59 7 + 9 J 26 a 43 r 60 8 + 10 K 27 b 44 s 61 9 + 11 L 28 c 45 t 62 + + 12 M 29 d 46 u 63 / + 13 N 30 e 47 v + 14 O 31 f 48 w (pad) = + 15 P 32 g 49 x + 16 Q 33 h 50 y + + Special processing is performed if fewer than 24 bits are available + at the end of the data being encoded. A full encoding quantum is + always completed at the end of a quantity. When fewer than 24 input + bits are available in an input group, zero bits are added (on the + right) to form an integral number of 6-bit groups. Padding at the + end of the data is performed using the '=' character. + + Since all base64 input is an integral number of octets, only the + ------------------------------------------------- + following cases can arise: + + (1) the final quantum of encoding input is an integral + multiple of 24 bits; here, the final unit of encoded + output will be an integral multiple of 4 characters + with no "=" padding, + (2) the final quantum of encoding input is exactly 8 bits; + here, the final unit of encoded output will be two + characters followed by two "=" padding characters, or + (3) the final quantum of encoding input is exactly 16 bits; + here, the final unit of encoded output will be three + characters followed by one "=" padding character. 
+ */ + +int +b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize) +{ + size_t datalength = 0; + u_char input[3]; + u_char output[4]; + int i; + + while (2 < srclength) { + input[0] = *src++; + input[1] = *src++; + input[2] = *src++; + srclength -= 3; + + output[0] = input[0] >> 2; + output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4); + output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6); + output[3] = input[2] & 0x3f; + Assert(output[0] < 64); + Assert(output[1] < 64); + Assert(output[2] < 64); + Assert(output[3] < 64); + + if (datalength + 4 > targsize) + return (-1); + target[datalength++] = Base64[output[0]]; + target[datalength++] = Base64[output[1]]; + target[datalength++] = Base64[output[2]]; + target[datalength++] = Base64[output[3]]; + } + + /* Now we worry about padding. */ + if (0 != srclength) { + /* Get what's left. */ + input[0] = input[1] = input[2] = '\0'; + for (i = 0; i < srclength; i++) + input[i] = *src++; + + output[0] = input[0] >> 2; + output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4); + output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6); + Assert(output[0] < 64); + Assert(output[1] < 64); + Assert(output[2] < 64); + + if (datalength + 4 > targsize) + return (-1); + target[datalength++] = Base64[output[0]]; + target[datalength++] = Base64[output[1]]; + if (srclength == 1) + target[datalength++] = Pad64; + else + target[datalength++] = Base64[output[2]]; + target[datalength++] = Pad64; + } + if (datalength >= targsize) + return (-1); + target[datalength] = '\0'; /* Returned value doesn't count \0. */ + return (datalength); +} + +/* skips all whitespace anywhere. + converts characters, four at a time, starting at (or after) + src from base - 64 numbers into three 8 bit bytes in the target area. + it returns the number of data bytes stored at the target, or -1 on error. 
+ */ + +int +b64_pton(char const *src, u_char *target, size_t targsize) +{ + int tarindex, state, ch; + char *pos; + + state = 0; + tarindex = 0; + + while ((ch = *src++) != '\0') { + if (isspace(ch)) /* Skip whitespace anywhere. */ + continue; + + if (ch == Pad64) + break; + + pos = strchr(Base64, ch); + if (pos == 0) /* A non-base64 character. */ + return (-1); + + switch (state) { + case 0: + if (target) { + if (tarindex >= targsize) + return (-1); + target[tarindex] = (pos - Base64) << 2; + } + state = 1; + break; + case 1: + if (target) { + if (tarindex + 1 >= targsize) + return (-1); + target[tarindex] |= (pos - Base64) >> 4; + target[tarindex+1] = ((pos - Base64) & 0x0f) + << 4 ; + } + tarindex++; + state = 2; + break; + case 2: + if (target) { + if (tarindex + 1 >= targsize) + return (-1); + target[tarindex] |= (pos - Base64) >> 2; + target[tarindex+1] = ((pos - Base64) & 0x03) + << 6; + } + tarindex++; + state = 3; + break; + case 3: + if (target) { + if (tarindex >= targsize) + return (-1); + target[tarindex] |= (pos - Base64); + } + tarindex++; + state = 0; + break; + } + } + + /* + * We are done decoding Base-64 chars. Let's see if we ended + * on a byte boundary, and/or with erroneous trailing characters. + */ + + if (ch == Pad64) { /* We got a pad char. */ + ch = *src++; /* Skip it, get next. */ + switch (state) { + case 0: /* Invalid = in first position */ + case 1: /* Invalid = in second position */ + return (-1); + + case 2: /* Valid, means one byte of info */ + /* Skip any number of spaces. */ + for (; ch != '\0'; ch = *src++) + if (!isspace(ch)) + break; + /* Make sure there is another trailing = sign. */ + if (ch != Pad64) + return (-1); + ch = *src++; /* Skip the = */ + /* Fall through to "single trailing =" case. */ + /* FALLTHROUGH */ + + case 3: /* Valid, means two bytes of info */ + /* + * We know this char is an =. Is there anything but + * whitespace after it? 
+ */ + for (; ch != '\0'; ch = *src++) + if (!isspace(ch)) + return (-1); + + /* + * Now make sure for cases 2 and 3 that the "extra" + * bits that slopped past the last full byte were + * zeros. If we don't check them, they become a + * subliminal channel. + */ + if (target && target[tarindex] != 0) + return (-1); + } + } else { + /* + * We ended by seeing the end of the string. Make sure we + * have no partial bytes lying around. + */ + if (state != 0) + return (-1); + } + + return (tarindex); +} + +#endif /* !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) */ diff -ruN --exclude CVS ssh-openbsd-2000070100/bsd-base64.h openssh-2.1.1p2/bsd-base64.h --- ssh-openbsd-2000070100/bsd-base64.h Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/bsd-base64.h Tue May 9 15:28:41 2000 @@ -0,0 +1,16 @@ +#ifndef _BSD_BASE64_H +#define _BSD_BASE64_H + +#include "config.h" + +#ifndef HAVE___B64_NTOP +# ifndef HAVE_B64_NTOP +int b64_ntop(u_char const *src, size_t srclength, char *target, + size_t targsize); +int b64_pton(char const *src, u_char *target, size_t targsize); +# endif /* !HAVE_B64_NTOP */ +# define __b64_ntop b64_ntop +# define __b64_pton b64_pton +#endif /* HAVE___B64_NTOP */ + +#endif /* _BSD_BINRESVPORT_H */ diff -ruN --exclude CVS ssh-openbsd-2000070100/bsd-bindresvport.c openssh-2.1.1p2/bsd-bindresvport.c --- ssh-openbsd-2000070100/bsd-bindresvport.c Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/bsd-bindresvport.c Sat Jan 22 18:17:43 2000 
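Review bot: The closing comment on the last line of bsd-base64.h reads `#endif /* _BSD_BINRESVPORT_H */` but the guard opened at the top of the file is `_BSD_BASE64_H`; change it to `#endif /* _BSD_BASE64_H */` so the pair reads correctly. Both guard names begin with an underscore followed by a capital letter, which the C standard reserves for the implementation; `BSD_BASE64_H` would avoid that, though it should be changed together with the sibling bsd-*.h headers for consistency.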
@@ -0,0 +1,112 @@ +/* + * Sun RPC is a product of Sun Microsystems, Inc. and is provided for + * unrestricted use provided that this legend is included on all tape + * media and as a part of the software program in whole or part. Users + * may copy or modify Sun RPC without charge, but are not authorized + * to license or distribute it to anyone else except as part of a product or + * program developed by the user. + * + * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE + * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR + * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. + * + * Sun RPC is provided with no support and without any obligation on the + * part of Sun Microsystems, Inc. to assist in its use, correction, + * modification or enhancement. + * + * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE + * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC + * OR ANY PART THEREOF. + * + * In no event will Sun Microsystems, Inc. be liable for any lost revenue + * or profits or other special, indirect and consequential damages, even if + * Sun has been advised of the possibility of such damages. + * + * Sun Microsystems, Inc. + * 2550 Garcia Avenue + * Mountain View, California 94043 + */ + +#include "config.h" + +#ifndef HAVE_BINRESVPORT_AF + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: bindresvport.c,v 1.11 1999/12/17 19:22:08 deraadt Exp $"; +#endif /* LIBC_SCCS and not lint */ + +/* + * Copyright (c) 1987 by Sun Microsystems, Inc. + * + * Portions Copyright(C) 1996, Jason Downs. All rights reserved. 
+ */ + +#include "includes.h" + +#define STARTPORT 600 +#define ENDPORT (IPPORT_RESERVED - 1) +#define NPORTS (ENDPORT - STARTPORT + 1) + +/* + * Bind a socket to a privileged IP port + */ +int +bindresvport_af(sd, sa, af) + int sd; + struct sockaddr *sa; + int af; +{ + int error; + struct sockaddr_storage myaddr; + struct sockaddr_in *sin; + struct sockaddr_in6 *sin6; + u_int16_t *portp; + u_int16_t port; + int salen; + int i; + + if (sa == NULL) { + memset(&myaddr, 0, sizeof(myaddr)); + sa = (struct sockaddr *)&myaddr; + } + + if (af == AF_INET) { + sin = (struct sockaddr_in *)sa; + salen = sizeof(struct sockaddr_in); + portp = &sin->sin_port; + } else if (af == AF_INET6) { + sin6 = (struct sockaddr_in6 *)sa; + salen = sizeof(struct sockaddr_in6); + portp = &sin6->sin6_port; + } else { + errno = EPFNOSUPPORT; + return (-1); + } + sa->sa_family = af; + + port = ntohs(*portp); + if (port == 0) + port = (arc4random() % NPORTS) + STARTPORT; + + for(i = 0; i < NPORTS; i++) { + *portp = htons(port); + + error = bind(sd, sa, salen); + + /* Terminate on success */ + if (error == 0) + break; + + /* Terminate on errors, except "address already in use" */ + if ((error < 0) && !((errno == EADDRINUSE) || (errno == EINVAL))) + break; + + port++; + if (port > ENDPORT) + port = STARTPORT; + } + + return (error); +} + +#endif /* HAVE_BINRESVPORT_AF */ diff -ruN --exclude CVS ssh-openbsd-2000070100/bsd-bindresvport.h openssh-2.1.1p2/bsd-bindresvport.h --- ssh-openbsd-2000070100/bsd-bindresvport.h Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/bsd-bindresvport.h Fri Jan 14 15:45:47 2000 
@@ -0,0 +1,10 @@ +#ifndef _BSD_BINRESVPORT_H +#define _BSD_BINRESVPORT_H + +#include "config.h" + +#ifndef HAVE_BINRESVPORT_AF +int bindresvport_af(int sd, struct sockaddr *sa, int af); +#endif /* !HAVE_BINRESVPORT_AF */ + +#endif /* _BSD_BINRESVPORT_H */ diff -ruN --exclude CVS ssh-openbsd-2000070100/bsd-daemon.c openssh-2.1.1p2/bsd-daemon.c --- ssh-openbsd-2000070100/bsd-daemon.c Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/bsd-daemon.c Sat Nov 20 12:18:40 1999 
@@ -0,0 +1,81 @@ +/*- + * Copyright (c) 1990, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "config.h" + +#ifndef HAVE_DAEMON + +#if defined(LIBC_SCCS) && !defined(lint) +static char rcsid[] = "$OpenBSD: daemon.c,v 1.2 1996/08/19 08:22:13 tholo Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +#ifdef HAVE_PATHS_H +# include +#endif + +int +daemon(nochdir, noclose) + int nochdir, noclose; +{ + int fd; + + switch (fork()) { + case -1: + return (-1); + case 0: + break; + default: + _exit(0); + } + + if (setsid() == -1) + return (-1); + + if (!nochdir) + (void)chdir("/"); + + if (!noclose && (fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) { + (void)dup2(fd, STDIN_FILENO); + (void)dup2(fd, STDOUT_FILENO); + (void)dup2(fd, STDERR_FILENO); + if (fd > 2) + (void)close (fd); + } + return (0); +} + +#endif /* !HAVE_DAEMON */ + diff -ruN --exclude CVS ssh-openbsd-2000070100/bsd-daemon.h openssh-2.1.1p2/bsd-daemon.h --- ssh-openbsd-2000070100/bsd-daemon.h Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/bsd-daemon.h Fri Nov 19 15:32:34 1999 @@ -0,0 +1,9 @@ +#ifndef _BSD_DAEMON_H +#define _BSD_DAEMON_H + +#include "config.h" +#ifndef HAVE_DAEMON +int daemon(int nochdir, int noclose); +#endif /* !HAVE_DAEMON */ + +#endif /* _BSD_DAEMON_H */ diff -ruN --exclude CVS ssh-openbsd-2000070100/bsd-misc.c openssh-2.1.1p2/bsd-misc.c --- ssh-openbsd-2000070100/bsd-misc.c Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/bsd-misc.c Wed Apr 19 16:26:13 2000 
@@ -0,0 +1,159 @@ +/* + * Copyright (c) 1999-2000 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Markus Friedl. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" + +#include +#include +#include +#include +#include + +#include +#include +#include +#ifdef HAVE_STDDEF_H +#include +#endif + +#include "xmalloc.h" +#include "ssh.h" +#include "bsd-misc.h" +#include "entropy.h" + +#include + +#ifndef HAVE_ARC4RANDOM + +typedef struct +{ + unsigned int s[256]; + int i; + int j; +} rc4_t; + +void rc4_key(rc4_t *r, unsigned char *key, int len); +void rc4_getbytes(rc4_t *r, unsigned char *buffer, int len); + +static rc4_t *rc4 = NULL; + +void rc4_key(rc4_t *r, unsigned char *key, int len) +{ + int t; + + for(r->i = 0; r->i < 256; r->i++) + r->s[r->i] = r->i; + + r->j = 0; + for(r->i = 0; r->i < 256; r->i++) + { + r->j = (r->j + r->s[r->i] + key[r->i % len]) % 256; + t = r->s[r->i]; + r->s[r->i] = r->s[r->j]; + r->s[r->j] = t; + } + r->i = r->j = 0; +} + +void rc4_getbytes(rc4_t *r, unsigned char *buffer, int len) +{ + int t; + int c; + + c = 0; + while(c < len) + { + r->i = (r->i + 1) % 256; + r->j = (r->j + r->s[r->i]) % 256; + t = r->s[r->i]; + r->s[r->i] = r->s[r->j]; + r->s[r->j] = t; + + t = (r->s[r->i] + r->s[r->j]) % 256; + + buffer[c] = r->s[t]; + c++; + } +} + +unsigned int arc4random(void) +{ + unsigned int r; + + if (rc4 == NULL) + arc4random_stir(); + + rc4_getbytes(rc4, (unsigned char *)&r, sizeof(r)); + + return(r); +} + +void arc4random_stir(void) +{ + unsigned char rand_buf[32]; + + if (rc4 == NULL) + rc4 = xmalloc(sizeof(*rc4)); + + seed_rng(); + RAND_bytes(rand_buf, sizeof(rand_buf)); + + rc4_key(rc4, rand_buf, sizeof(rand_buf)); + memset(rand_buf, 0, sizeof(rand_buf)); +} +#endif /* !HAVE_ARC4RANDOM */ + +#ifndef HAVE_SETPROCTITLE +void setproctitle(const char *fmt, ...) 
+{ + /* FIXME */ +} +#endif /* !HAVE_SETPROCTITLE */ + +#ifndef HAVE_SETLOGIN +int setlogin(const char *name) +{ + return(0); +} +#endif /* !HAVE_SETLOGIN */ + +#ifndef HAVE_INNETGR +int innetgr(const char *netgroup, const char *host, + const char *user, const char *domain) +{ + return(0); +} +#endif /* HAVE_INNETGR */ + +#if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) +int seteuid(uid_t euid) +{ + return(setreuid(-1,euid)); +} +#endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */ diff -ruN --exclude CVS ssh-openbsd-2000070100/bsd-misc.h openssh-2.1.1p2/bsd-misc.h --- ssh-openbsd-2000070100/bsd-misc.h Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/bsd-misc.h Mon Apr 3 14:50:45 2000 
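Review bot: `arc4random_stir()` ignores the return value of `RAND_bytes(rand_buf, sizeof(rand_buf))`; if the OpenSSL PRNG is not seeded (RAND_bytes returns 0) the RC4 state is keyed from whatever happens to be on the stack in `rand_buf`, and every later `arc4random()` result is predictable without any error being reported. A second gap is that the state is stirred exactly once, when `rc4 == NULL`: a process that forks after its first `arc4random()` call shares the RC4 state with its child, so parent and child return identical "random" values, which is why OpenBSD's libc re-stirs whenever the pid changes. I would fail hard on `RAND_bytes` (`fatal()` is already used elsewhere in this tree and `ssh.h` is included) and record the pid at stir time, as below. Separately, the `innetgr()` stub returning 0 means any netgroup deny entry a caller evaluates can never match, which fails open rather than closed and deserves at least a comment. The plain `memset` of `rand_buf` before return may be dropped as a dead store by the compiler.
```c
static rc4_t *rc4 = NULL;
static pid_t rc4_pid = -1;	/* pid the state was last keyed in */

/* … unchanged: rc4_key, rc4_getbytes … */

unsigned int arc4random(void)
{
	unsigned int r;

	/* (re)key on first use and after a fork() */
	if (rc4 == NULL || rc4_pid != getpid())
		arc4random_stir();

	rc4_getbytes(rc4, (unsigned char *)&r, sizeof(r));

	return(r);
}

void arc4random_stir(void)
{
	unsigned char rand_buf[32];

	if (rc4 == NULL)
		rc4 = xmalloc(sizeof(*rc4));

	seed_rng();
	/* an unseeded PRNG must not silently key RC4 from stack garbage */
	if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0)
		fatal("arc4random_stir: RAND_bytes failed");

	rc4_key(rc4, rand_buf, sizeof(rand_buf));
	memset(rand_buf, 0, sizeof(rand_buf));
	rc4_pid = getpid();
}
```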
@@ -0,0 +1,61 @@ +/* + * Copyright (c) 1999-2000 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Markus Friedl. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#ifndef _BSD_MISC_H
+#define _BSD_MISC_H
+
+#include "config.h"
+
+#ifndef HAVE_ARC4RANDOM
+unsigned int arc4random(void);
+void arc4random_stir(void);
+#endif /* !HAVE_ARC4RANDOM */
+
+#ifndef HAVE_SETPROCTITLE
+void setproctitle(const char *fmt, ...);
+#endif /* !HAVE_SETPROCTITLE */
+
+#ifndef HAVE_SETENV
+int setenv(const char *name, const char *value, int overwrite);
+#endif /* !HAVE_SETENV */
+
+#ifndef HAVE_SETLOGIN
+int setlogin(const char *name);
+#endif /* !HAVE_SETLOGIN */
+
+#ifndef HAVE_INNETGR
+int innetgr(const char *netgroup, const char *host,
+ const char *user, const char *domain);
+#endif /* HAVE_INNETGR */
+
+#if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID)
+int seteuid(uid_t euid);
+#endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */
+
+#endif /* _BSD_MISC_H */
diff -ruN --exclude CVS ssh-openbsd-2000070100/bsd-mktemp.c openssh-2.1.1p2/bsd-mktemp.c
--- ssh-openbsd-2000070100/bsd-mktemp.c Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/bsd-mktemp.c Wed Dec 29 19:56:30 1999
@@ -0,0 +1,189 @@ +/* THIS FILE HAS BEEN MODIFIED FROM THE ORIGINAL OPENBSD SOURCE */ +/* Changes: Removed mktemp */ + +/* + * Copyright (c) 1987, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "config.h" + +#ifndef HAVE_MKDTEMP + +#if defined(LIBC_SCCS) && !defined(lint) +static char rcsid[] = "$OpenBSD: mktemp.c,v 1.13 1998/06/30 23:03:13 deraadt Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "bsd-misc.h" + +static int _gettemp(char *, int *, int, int); + +int +mkstemps(path, slen) + char *path; + int slen; +{ + int fd; + + return (_gettemp(path, &fd, 0, slen) ? fd : -1); +} + +int +mkstemp(path) + char *path; +{ + int fd; + + return (_gettemp(path, &fd, 0, 0) ? fd : -1); +} + +char * +mkdtemp(path) + char *path; +{ + return(_gettemp(path, (int *)NULL, 1, 0) ? path : (char *)NULL); +} + +static int +_gettemp(path, doopen, domkdir, slen) + char *path; + register int *doopen; + int domkdir; + int slen; +{ + register char *start, *trv, *suffp; + struct stat sbuf; + int pid, rval; + + if (doopen && domkdir) { + errno = EINVAL; + return(0); + } + + for (trv = path; *trv; ++trv) + ; + trv -= slen; + suffp = trv; + --trv; + if (trv < path) { + errno = EINVAL; + return (0); + } + pid = getpid(); + while (*trv == 'X' && pid != 0) { + *trv-- = (pid % 10) + '0'; + pid /= 10; + } + while (*trv == 'X') { + char c; + + pid = (arc4random() & 0xffff) % (26+26); + if (pid < 26) + c = pid + 'A'; + else + c = (pid - 26) + 'a'; + *trv-- = c; + } + start = trv + 1; + + /* + * check the target directory; if you have six X's and it + * doesn't exist this runs for a *very* long time. 
+ */ + if (doopen || domkdir) { + for (;; --trv) { + if (trv <= path) + break; + if (*trv == '/') { + *trv = '\0'; + rval = stat(path, &sbuf); + *trv = '/'; + if (rval != 0) + return(0); + if (!S_ISDIR(sbuf.st_mode)) { + errno = ENOTDIR; + return(0); + } + break; + } + } + } + + for (;;) { + if (doopen) { + if ((*doopen = + open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0) + return(1); + if (errno != EEXIST) + return(0); + } else if (domkdir) { + if (mkdir(path, 0700) == 0) + return(1); + if (errno != EEXIST) + return(0); + } else if (lstat(path, &sbuf)) + return(errno == ENOENT ? 1 : 0); + + /* tricky little algorithm for backward compatibility */ + for (trv = start;;) { + if (!*trv) + return (0); + if (*trv == 'Z') { + if (trv == suffp) + return (0); + *trv++ = 'a'; + } else { + if (isdigit(*trv)) + *trv = 'a'; + else if (*trv == 'z') /* inc from z to A */ + *trv = 'A'; + else { + if (trv == suffp) + return (0); + ++*trv; + } + break; + } + } + } + /*NOTREACHED*/ +} + +#endif /* !HAVE_MKDTEMP */ diff -ruN --exclude CVS ssh-openbsd-2000070100/bsd-mktemp.h openssh-2.1.1p2/bsd-mktemp.h --- ssh-openbsd-2000070100/bsd-mktemp.h Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/bsd-mktemp.h Fri Nov 19 15:32:34 1999 @@ -0,0 +1,11 @@ +#ifndef _BSD_MKTEMP_H +#define _BSD_MKTEMP_H + +#include "config.h" +#ifndef HAVE_MKDTEMP +int mkstemps(char *path, int slen); +int mkstemp(char *path); +char *mkdtemp(char *path); +#endif /* !HAVE_MKDTEMP */ + +#endif /* _BSD_MKTEMP_H */ diff -ruN --exclude CVS ssh-openbsd-2000070100/bsd-rresvport.c openssh-2.1.1p2/bsd-rresvport.c --- ssh-openbsd-2000070100/bsd-rresvport.c Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/bsd-rresvport.c Fri Jun 23 08:23:34 2000 
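Review bot: In `_gettemp()` the first `while (*trv == 'X' && pid != 0)` loop spends the trailing X's on the decimal digits of `getpid()`, so with the usual six-X template and a five-digit pid only one position is drawn from `arc4random()` — 52 candidate names, all derivable by any local user who can read the process table. `O_CREAT|O_EXCL` (and `mkdir`) still defeat a symlink substitution, but an attacker who pre-creates those 52 entries makes `mkstemp`/`mkdtemp` fail, and the name itself is never secret. I would drop the pid loop so the following `while (*trv == 'X')` loop fills every X from `arc4random()`, and write `isdigit((unsigned char)*trv)` in the increment loop since `char` may be signed. Also note the whole file is guarded by `#ifndef HAVE_MKDTEMP`, so a platform that has `mkstemp` but lacks `mkdtemp` gets a second definition of `mkstemp`/`mkstemps` competing with libc; per-function `HAVE_` guards would be safer.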
@@ -0,0 +1,107 @@ +/* + * Copyright (c) 1995, 1996, 1998 Theo de Raadt. All rights reserved. + * Copyright (c) 1983, 1993, 1994 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * This product includes software developed by Theo de Raadt. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "config.h" + +#ifndef HAVE_RRESVPORT_AF + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: rresvport.c,v 1.4 1999/12/17 20:48:03 deraadt Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include "includes.h" + +#if 0 +int +rresvport(alport) + int *alport; +{ + return rresvport_af(alport, AF_INET); +} +#endif + +int +rresvport_af(alport, af) + int *alport; + sa_family_t af; +{ + struct sockaddr_storage ss; + struct sockaddr *sa; + u_int16_t *portp; + int s; + int salen; + + bzero(&ss, sizeof ss); + sa = (struct sockaddr *)&ss; + + switch (af) { + case AF_INET: + salen = sizeof(struct sockaddr_in); + portp = &((struct sockaddr_in *)sa)->sin_port; + break; + case AF_INET6: + salen = sizeof(struct sockaddr_in6); + portp = &((struct sockaddr_in6 *)sa)->sin6_port; + break; + default: + errno = EPFNOSUPPORT; + return (-1); + } + sa->sa_family = af; + + s = socket(af, SOCK_STREAM, 0); + if (s < 0) + return (-1); + + *portp = htons(*alport); + if (*alport < IPPORT_RESERVED - 1) { + if (bind(s, sa, salen) >= 0) + return (s); + if (errno != EADDRINUSE) { + (void)close(s); + return (-1); + } + } + + *portp = 0; + if (bindresvport_af(s, sa, af) == -1) { + (void)close(s); + return (-1); + } + *alport = ntohs(*portp); + return (s); +} + +#endif /* HAVE_RRESVPORT_AF */ diff -ruN --exclude CVS ssh-openbsd-2000070100/bsd-rresvport.h openssh-2.1.1p2/bsd-rresvport.h --- ssh-openbsd-2000070100/bsd-rresvport.h Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/bsd-rresvport.h Fri Jun 23 08:23:34 2000 @@ -0,0 +1,10 @@ +#ifndef _BSD_RRESVPORT_H +#define _BSD_RRESVPORT_H + +#include "config.h" + +#ifndef HAVE_RRESVPORT_AF +int rresvport_af(int *alport, sa_family_t af); +#endif /* !HAVE_RRESVPORT_AF */ + +#endif /* _BSD_RRESVPORT_H */ diff -ruN --exclude CVS ssh-openbsd-2000070100/bsd-setenv.c openssh-2.1.1p2/bsd-setenv.c --- ssh-openbsd-2000070100/bsd-setenv.c Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/bsd-setenv.c Sun Mar 26 12:12:35 2000 
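Review bot: `rresvport_af()` only checks `*alport < IPPORT_RESERVED - 1` before the first `bind()`, so a caller passing 0 (or a negative value, which `htons()` silently truncates) gets a successful bind to a kernel-chosen ephemeral port and an unchanged `*alport`, even though the purpose of the function is to return a socket on a reserved (< 1024) port. I would tighten the test to `if (*alport > 0 && *alport < IPPORT_RESERVED - 1) {` so that out-of-range requests fall through to `bindresvport_af()`, which does pick a reserved port. `bindresvport_af` is not declared in this hunk; I assume it comes from the portable tree's own replacement, but that should be confirmed. The `#if 0` copy of `rresvport()` is dead code and should either be compiled under its own `HAVE_` check or removed.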
@@ -0,0 +1,161 @@ +/* + * Copyright (c) 1987 Regents of the University of California. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "config.h" +#ifndef HAVE_SETENV + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: setenv.c,v 1.3 1998/02/02 22:44:53 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +/* + * __findenv -- + * Returns pointer to value associated with name, if any, else NULL. + * Sets offset to be the offset of the name/value combination in the + * environmental array, for use by setenv(3) and unsetenv(3). + * Explicitly removes '=' in argument name. + * + * This routine *should* be a static; don't use it. + */ +char * +__findenv(name, offset) + register const char *name; + int *offset; +{ + extern char **environ; + register int len, i; + register const char *np; + register char **p, *cp; + + if (name == NULL || environ == NULL) + return (NULL); + for (np = name; *np && *np != '='; ++np) + ; + len = np - name; + for (p = environ; (cp = *p) != NULL; ++p) { + for (np = name, i = len; i && *cp; i--) + if (*cp++ != *np++) + break; + if (i == 0 && *cp++ == '=') { + *offset = p - environ; + return (cp); + } + } + return (NULL); +} + +/* + * setenv -- + * Set the value of the environmental variable "name" to be + * "value". If rewrite is set, replace any current value. 
+ */ +int +setenv(name, value, rewrite) + register const char *name; + register const char *value; + int rewrite; +{ + extern char **environ; + static int alloced; /* if allocated space before */ + register char *C; + int l_value, offset; + char *__findenv(); + + if (*value == '=') /* no `=' in value */ + ++value; + l_value = strlen(value); + if ((C = __findenv(name, &offset))) { /* find if already exists */ + if (!rewrite) + return (0); + if (strlen(C) >= l_value) { /* old larger; copy over */ + while ((*C++ = *value++)); + return (0); + } + } else { /* create new slot */ + register int cnt; + register char **P; + + for (P = environ, cnt = 0; *P; ++P, ++cnt); + if (alloced) { /* just increase size */ + P = (char **)realloc((void *)environ, + (size_t)(sizeof(char *) * (cnt + 2))); + if (!P) + return (-1); + environ = P; + } + else { /* get new space */ + alloced = 1; /* copy old entries into it */ + P = (char **)malloc((size_t)(sizeof(char *) * + (cnt + 2))); + if (!P) + return (-1); + bcopy(environ, P, cnt * sizeof(char *)); + environ = P; + } + environ[cnt + 1] = NULL; + offset = cnt; + } + for (C = (char *)name; *C && *C != '='; ++C); /* no `=' in name */ + if (!(environ[offset] = /* name + `=' + value */ + malloc((size_t)((int)(C - name) + l_value + 2)))) + return (-1); + for (C = environ[offset]; (*C = *name++) && *C != '='; ++C) + ; + for (*C++ = '='; (*C++ = *value++); ) + ; + return (0); +} + +/* + * unsetenv(name) -- + * Delete environmental variable "name". + */ +void +unsetenv(name) + const char *name; +{ + extern char **environ; + register char **P; + int offset; + char *__findenv(); + + while (__findenv(name, &offset)) /* if set multiple times */ + for (P = &environ[offset];; ++P) + if (!(*P = *(P + 1))) + break; +} + +#endif /* HAVE_SETENV */ diff -ruN --exclude CVS ssh-openbsd-2000070100/bsd-setenv.h openssh-2.1.1p2/bsd-setenv.h --- ssh-openbsd-2000070100/bsd-setenv.h Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/bsd-setenv.h Sun Mar 26 12:12:35 2000 
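Review bot: `setenv()` never validates `name`: an empty string yields an entry `=value`, and a name containing `=` is silently cut at the first `=` by the `for (C = (char *)name; *C && *C != '='; ++C);` loop, so `setenv("A=B", "x", 1)` quietly sets `A`. POSIX specifies `EINVAL` for both, and a caller that forwards externally supplied names has no way to detect the rewrite; I would add `if (name == NULL || *name == '\0' || strchr(name, '=') != NULL) { errno = EINVAL; return (-1); }` at the top (needs `<errno.h>` and `<string.h>`, whose include targets are stripped in this rendering). `__findenv` is also exported under an implementation-reserved name despite its own comment saying it should be static; making it `static` avoids clashing with a libc symbol of the same name on systems that have one. The `if (*value == '=') ++value;` line is undocumented BSD legacy and deserves a one-line comment.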
@@ -0,0 +1,12 @@
+#ifndef _BSD_SETENV_H
+#define _BSD_SETENV_H
+
+#include "config.h"
+
+#ifndef HAVE_SETENV
+
+int setenv(register const char *name, register const char *value, int rewrite);
+
+#endif /* !HAVE_SETENV */
+
+#endif /* _BSD_SETENV_H */
diff -ruN --exclude CVS ssh-openbsd-2000070100/bsd-snprintf.c openssh-2.1.1p2/bsd-snprintf.c
--- ssh-openbsd-2000070100/bsd-snprintf.c Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/bsd-snprintf.c Sat Jul 1 16:52:55 2000
@@ -0,0 +1,181 @@ +/* + * Revision 12: http://theos.com/~deraadt/snprintf.c + * + * Copyright (c) 1997 Theo de Raadt + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" + +#if defined(BROKEN_SNPRINTF) || !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) + +#include +#include +#include +#include +#include +#include +#include +#if __STDC__ +#include +#include +#else +#include +#endif +#include + +#ifndef roundup +#define roundup(x, y) ((((x)+((y)-1))/(y))*(y)) +#endif + +static int pgsize; +static char *curobj; +static int caught; +static sigjmp_buf bail; + +#define EXTRABYTES 2 /* XXX: why 2? 
you don't want to know */ + +#ifndef HAVE_GETPAGESIZE +int +getpagesize() +{ +#ifdef EXEC_PAGESIZE + return EXEC_PAGESIZE; +#else /* !EXEC_PAGESIZE */ +# ifdef NBPG +# ifndef CLSIZE +# define CLSIZE 1 +# endif /* No CLSIZE */ + return NBPG * CLSIZE; +# else /* !NBPG */ + return NBPC; +# endif /* NBPG */ +#endif /* EXEC_PAGESIZE */ +} +#endif /* HAVE_GETPAGESIZE */ + +static char * +msetup(str, n) + char *str; + size_t n; +{ + char *e; + + if (n == 0) + return NULL; + if (pgsize == 0) + pgsize = getpagesize(); + curobj = (char *)malloc(n + EXTRABYTES + pgsize * 2); + if (curobj == NULL) + return NULL; + e = curobj + n + EXTRABYTES; + e = (char *)roundup((unsigned long)e, pgsize); + if (mprotect(e, pgsize, PROT_NONE) == -1) { + free(curobj); + curobj = NULL; + return NULL; + } + e = e - n - EXTRABYTES; + *e = '\0'; + return (e); +} + +static void +mcatch() +{ + siglongjmp(bail, 1); +} + +static void +mcleanup(str, n, p) + char *str; + size_t n; + char *p; +{ + strncpy(str, p, n-1); + str[n-1] = '\0'; + if (mprotect((caddr_t)(p + n + EXTRABYTES), pgsize, + PROT_READ|PROT_WRITE|PROT_EXEC) == -1) + mprotect((caddr_t)(p + n + EXTRABYTES), pgsize, + PROT_READ|PROT_WRITE); + free(curobj); +} + +#if !defined(HAVE_VSNPRINTF) || defined(BROKEN_SNPRINTF) +int +vsnprintf(str, n, fmt, ap) + char *str; + size_t n; + char *fmt; + va_list ap; +{ + struct sigaction osa, nsa; + char *p; + int ret = n + 1; /* if we bail, indicated we overflowed */ + + memset(&nsa, 0, sizeof nsa); + nsa.sa_handler = mcatch; + sigemptyset(&nsa.sa_mask); + + p = msetup(str, n); + if (p == NULL) { + *str = '\0'; + return 0; + } + if (sigsetjmp(bail, 1) == 0) { + if (sigaction(SIGSEGV, &nsa, &osa) == -1) { + mcleanup(str, n, p); + return (0); + } + ret = vsprintf(p, fmt, ap); + } + mcleanup(str, n, p); + (void) sigaction(SIGSEGV, &osa, NULL); + return (ret); +} +#endif /* !defined(HAVE_VSNPRINTF) || defined(BROKEN_SNPRINTF) */ + +#if !defined(HAVE_SNPRINTF) || defined(BROKEN_SNPRINTF) +int +#if __STDC__ 
+snprintf(char *str, size_t n, char const *fmt, ...) +#else +snprintf(str, n, fmt, va_alist) + char *str; + size_t n; + char *fmt; + va_dcl +#endif +{ + va_list ap; +#if __STDC__ + va_start(ap, fmt); +#else + va_start(ap); +#endif + + return (vsnprintf(str, n, fmt, ap)); + va_end(ap); +} +#endif /* !defined(HAVE_SNPRINTF) || defined(BROKEN_SNPRINTF) */ + +#endif /* defined(BROKEN_SNPRINTF) || !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) */ diff -ruN --exclude CVS ssh-openbsd-2000070100/bsd-snprintf.h openssh-2.1.1p2/bsd-snprintf.h --- ssh-openbsd-2000070100/bsd-snprintf.h Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/bsd-snprintf.h Wed Jun 28 15:22:42 2000 @@ -0,0 +1,17 @@ +#ifndef _BSD_SNPRINTF_H +#define _BSD_SNPRINTF_H + +#include "config.h" + +#include /* For size_t */ + +#ifndef HAVE_SNPRINTF +int snprintf(char *str, size_t n, char const *fmt, ...); +#endif /* !HAVE_SNPRINTF */ + +#ifndef HAVE_VSNPRINTF +int vsnprintf(char *str, size_t n, char *fmt, va_list ap); +#endif /* !HAVE_SNPRINTF */ + + +#endif /* _BSD_SNPRINTF_H */ diff -ruN --exclude CVS ssh-openbsd-2000070100/bsd-strlcat.c openssh-2.1.1p2/bsd-strlcat.c --- ssh-openbsd-2000070100/bsd-strlcat.c Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/bsd-strlcat.c Mon Nov 22 13:57:07 1999 
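Review bot: In `vsnprintf()`, when `msetup()` returns NULL — which it does unconditionally for `n == 0` — the fallback `*str = '\0'; return 0;` writes one byte into a buffer the caller declared empty, and dereferences NULL for the C99 `vsnprintf(NULL, 0, fmt, ap)` sizing idiom; the guard should be `if (n != 0) *str = '\0';` before returning. Also in `mcleanup()`, the first `mprotect()` restores the guard page as `PROT_READ|PROT_WRITE|PROT_EXEC`, making a heap page executable for no reason; the existing `PROT_READ|PROT_WRITE` fallback is all that malloc'd memory ever needs, so the `PROT_EXEC` attempt should go. The SIGSEGV handler and the `bail` jump buffer are process-global statics, so this replacement is neither thread-safe nor reentrant, and any unrelated fault during the `vsprintf` is reported as a truncated string — that deserves a file-level comment. Minor: in `snprintf()` the `va_end(ap)` after `return` is unreachable; save the result, call `va_end`, then return it.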
@@ -0,0 +1,76 @@ +/* $OpenBSD: strlcat.c,v 1.2 1999/06/17 16:28:58 millert Exp $ */ + +/* + * Copyright (c) 1998 Todd C. Miller + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL + * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; + * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" +#ifndef HAVE_STRLCAT + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: strlcat.c,v 1.2 1999/06/17 16:28:58 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +/* + * Appends src to string dst of size siz (unlike strncat, siz is the + * full size of dst, not space left). At most siz-1 characters + * will be copied. Always NUL terminates (unless siz == 0). 
+ * Returns strlen(src); if retval >= siz, truncation occurred. + */ +size_t strlcat(dst, src, siz) + char *dst; + const char *src; + size_t siz; +{ + register char *d = dst; + register const char *s = src; + register size_t n = siz; + size_t dlen; + + /* Find the end of dst and adjust bytes left but don't go past end */ + while (*d != '\0' && n-- != 0) + d++; + dlen = d - dst; + n = siz - dlen; + + if (n == 0) + return(dlen + strlen(s)); + while (*s != '\0') { + if (n != 1) { + *d++ = *s; + n--; + } + s++; + } + *d = '\0'; + + return(dlen + (s - src)); /* count does not include NUL */ +} + +#endif /* !HAVE_STRLCAT */ diff -ruN --exclude CVS ssh-openbsd-2000070100/bsd-strlcat.h openssh-2.1.1p2/bsd-strlcat.h --- ssh-openbsd-2000070100/bsd-strlcat.h Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/bsd-strlcat.h Mon Nov 22 13:57:07 1999 @@ -0,0 +1,10 @@ +#ifndef _BSD_STRLCAT_H +#define _BSD_STRLCAT_H + +#include "config.h" +#ifndef HAVE_STRLCAT +#include +size_t strlcat(char *dst, const char *src, size_t siz); +#endif /* !HAVE_STRLCAT */ + +#endif /* _BSD_STRLCAT_H */ diff -ruN --exclude CVS ssh-openbsd-2000070100/bsd-strlcpy.c openssh-2.1.1p2/bsd-strlcpy.c --- ssh-openbsd-2000070100/bsd-strlcpy.c Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/bsd-strlcpy.c Fri Nov 19 15:32:34 1999 
@@ -0,0 +1,73 @@ +/* $OpenBSD: strlcpy.c,v 1.4 1999/05/01 18:56:41 millert Exp $ */ + +/* + * Copyright (c) 1998 Todd C. Miller + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL + * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; + * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" +#ifndef HAVE_STRLCPY + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: strlcpy.c,v 1.4 1999/05/01 18:56:41 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +/* + * Copy src to string dst of size siz. At most siz-1 characters + * will be copied. Always NUL terminates (unless siz == 0). + * Returns strlen(src); if retval >= siz, truncation occurred. 
+ */
+size_t strlcpy(dst, src, siz)
+ char *dst;
+ const char *src;
+ size_t siz;
+{
+ register char *d = dst;
+ register const char *s = src;
+ register size_t n = siz;
+
+ /* Copy as many bytes as will fit */
+ if (n != 0 && --n != 0) {
+ do {
+ if ((*d++ = *s++) == 0)
+ break;
+ } while (--n != 0);
+ }
+
+ /* Not enough room in dst, add NUL and traverse rest of src */
+ if (n == 0) {
+ if (siz != 0)
+ *d = '\0'; /* NUL-terminate dst */
+ while (*s++)
+ ;
+ }
+
+ return(s - src - 1); /* count does not include NUL */
+}
+
+#endif /* !HAVE_STRLCPY */
diff -ruN --exclude CVS ssh-openbsd-2000070100/bsd-strlcpy.h openssh-2.1.1p2/bsd-strlcpy.h
--- ssh-openbsd-2000070100/bsd-strlcpy.h Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/bsd-strlcpy.h Fri Nov 19 15:32:34 1999
@@ -0,0 +1,10 @@
+#ifndef _BSD_STRLCPY_H
+#define _BSD_STRLCPY_H
+
+#include "config.h"
+#ifndef HAVE_STRLCPY
+#include
+size_t strlcpy(char *dst, const char *src, size_t siz);
+#endif /* !HAVE_STRLCPY */
+
+#endif /* _BSD_STRLCPY_H */
diff -ruN --exclude CVS ssh-openbsd-2000070100/canohost.c openssh-2.1.1p2/canohost.c
--- ssh-openbsd-2000070100/canohost.c Thu Jun 22 21:08:36 2000
+++ openssh-2.1.1p2/canohost.c Thu Jun 22 21:32:31 2000
@@ -42,6 +42,30 @@ debug("getpeername failed: %.100s", strerror(errno)); fatal_cleanup(); } + +#ifdef IPV4_IN_IPV6 + if (from.ss_family == AF_INET6) { + struct sockaddr_in6 *from6 = (struct sockaddr_in6 *)&from; + + /* Detect IPv4 in IPv6 mapped address and convert it to */ + /* plain (AF_INET) IPv4 address */ + if (IN6_IS_ADDR_V4MAPPED(&from6->sin6_addr)) { + struct sockaddr_in *from4 = (struct sockaddr_in *)&from; + struct in_addr addr; + u_int16_t port; + + memcpy(&addr, ((char *)&from6->sin6_addr) + 12, sizeof(addr)); + port = from6->sin6_port; + + memset(&from, 0, sizeof(from)); + + from4->sin_family = AF_INET; + memcpy(&from4->sin_addr, &addr, sizeof(addr)); + from4->sin_port = port; + } + } +#endif + if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0) fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed"); diff -ruN --exclude CVS ssh-openbsd-2000070100/channels.c openssh-2.1.1p2/channels.c --- ssh-openbsd-2000070100/channels.c Sat Jul 1 19:41:29 2000 +++ openssh-2.1.1p2/channels.c Mon Jun 26 10:22:53 2000 @@ -17,7 +17,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.62 2000/06/20 01:39:39 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.63 2000/06/25 20:17:57 provos Exp $"); #include "ssh.h" #include "packet.h" @@ -135,7 +135,7 @@ channel_lookup(int id) { Channel *c; - if (id < 0 && id > channels_alloc) { + if (id < 0 || id > channels_alloc) { log("channel_lookup: %d: bad id", id); return NULL; } @@ -1466,7 +1466,11 @@ /* Bind the socket to the address. */ if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { /* address can be in use ipv6 address is already bound */ - verbose("bind: %.100s", strerror(errno)); + if (!ai->ai_next) + error("bind: %.100s", strerror(errno)); + else + verbose("bind: %.100s", strerror(errno)); + close(sock); continue; } 
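Review bot: The IPv4-mapped conversion in the canohost hunk rewrites `from` into a `struct sockaddr_in` but leaves `fromlen` at the sockaddr_in6 length that getpeername filled in, and that stale length is exactly what the `getnameinfo((struct sockaddr *)&from, fromlen, ...)` call on the next context line receives. Implementations that validate salen against the address family fail that call, and the code then aborts with fatal(), so every v4-mapped peer would be rejected instead of resolved. Add `fromlen = sizeof(*from4);` beside `from4->sin_family = AF_INET;`. On systems whose sockaddr_in carries a sin_len member, the memset leaves it zero as well; worth confirming the platform getnameinfo tolerates that. The enclosing function starts before the hunk and continues after it.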
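Review bot: The corrected bounds check in channel_lookup still admits `id == channels_alloc`, because the test is `id > channels_alloc`; if channels_alloc is the number of slots in the channels array, as the name suggests (the lookup itself lies past the hunk), that id reads one element past the end. Channel ids here are normally taken from the peer's messages, so an off-by-one in this check is reachable from the network and should be closed with `if (id < 0 || id >= channels_alloc) {`. channel_lookup's body continues outside the hunk.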
@@ -1616,6 +1620,7 @@ /* success */ return sock; } + /* * This is called after receiving PORT_OPEN message. This attempts to * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION @@ -1723,13 +1728,22 @@ continue; sock = socket(ai->ai_family, SOCK_STREAM, 0); if (sock < 0) { - error("socket: %.100s", strerror(errno)); - return NULL; + if (errno != EINVAL) { + error("socket: %.100s", strerror(errno)); + return NULL; + } else { + debug("Socket family %d not supported [X11 disp create]", ai->ai_family); + continue; + } } if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { debug("bind port %d: %.100s", port, strerror(errno)); shutdown(sock, SHUT_RDWR); close(sock); + + if (ai->ai_next) + continue; + for (n = 0; n < num_socks; n++) { shutdown(socks[n], SHUT_RDWR); close(socks[n]); @@ -1738,8 +1752,12 @@ break; } socks[num_socks++] = sock; +#ifndef DONT_TRY_OTHER_AF if (num_socks == NUM_SOCKS) break; +#else + break; +#endif } if (num_socks > 0) break; 
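Review bot: The socket() failure branch in the X11 display loop only treats `EINVAL` as an unsupported address family, but POSIX specifies `EAFNOSUPPORT` for that case and common stacks return it (some return `EPFNOSUPPORT`), so on those hosts an IPv6 entry from getaddrinfo still hits `return NULL` and the whole display setup fails instead of moving on to the next family as intended. Widen the test to `if (errno != EINVAL && errno != EAFNOSUPPORT) {`, with EPFNOSUPPORT added under `#ifdef` where it exists. That `return NULL` also leaves any descriptors already stored in `socks[]` for this display open, whereas the bind-failure path right below closes them; that asymmetry predates the change but is now easier to hit. The enclosing function starts before the hunk and continues after it.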
@@ -1760,10 +1778,48 @@ } /* Set up a suitable value for the DISPLAY variable. */ + if (gethostname(hostname, sizeof(hostname)) < 0) fatal("gethostname: %.100s", strerror(errno)); + +#ifdef IPADDR_IN_DISPLAY + /* + * HPUX detects the local hostname in the DISPLAY variable and tries + * to set up a shared memory connection to the server, which it + * incorrectly supposes to be local. + * + * The workaround - as used in later $$H and other programs - is + * is to set display to the host's IP address. + */ + { + struct hostent *he; + struct in_addr my_addr; + + he = gethostbyname(hostname); + if (he == NULL) { + error("[X11-broken-fwd-hostname-workaround] Could not get " + "IP address for hostname %s.", hostname); + + packet_send_debug("[X11-broken-fwd-hostname-workaround]" + "Could not get IP address for hostname %s.", hostname); + + shutdown(sock, SHUT_RDWR); + close(sock); + + return NULL; + } + + memcpy(&my_addr, he->h_addr_list[0], sizeof(struct in_addr)); + + /* Set DISPLAY to :screen.display */ + snprintf(display, sizeof(display), "%.50s:%d.%d", inet_ntoa(my_addr), + display_number, screen_number); + } +#else /* IPADDR_IN_DISPLAY */ + /* Just set DISPLAY to hostname:screen.display */ snprintf(display, sizeof display, "%.400s:%d.%d", hostname, - display_number, screen_number); + display_number, screen_number); +#endif /* IPADDR_IN_DISPLAY */ /* Allocate a channel for each socket. */ for (n = 0; n < num_socks; n++) { diff -ruN --exclude CVS ssh-openbsd-2000070100/config.guess openssh-2.1.1p2/config.guess --- ssh-openbsd-2000070100/config.guess Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/config.guess Mon Jun 12 23:01:02 2000 
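Review bot: The new gethostbyname failure path under IPADDR_IN_DISPLAY closes only `sock`, but by this point the listeners for the display are held in `socks[0..num_socks-1]` (the preceding hunk stores each bound socket there), and `sock` is merely the last descriptor the loop touched, which is negative if the final socket() call failed with EINVAL; so the return leaks the real listeners and may close an invalid fd. Close the array the way the bind-failure path does, and also check `he->h_addrtype == AF_INET` before copying `h_addr_list[0]` into a `struct in_addr`, since a resolver returning another family would leave a truncated address in DISPLAY. Failing X11 forwarding outright on a local-hostname lookup failure is also stricter than the non-HPUX branch, which simply uses the hostname; falling back to that form is worth considering. The enclosing function starts before the hunk and continues after it.
```c
		he = gethostbyname(hostname);
		/* reject a missing answer and any non-IPv4 answer: only an in_addr fits below */
		if (he == NULL || he->h_addrtype != AF_INET) {
			/* … unchanged: error() and packet_send_debug() messages … */
			/* sock is not a reliable handle here; release every listener opened for this display */
			for (n = 0; n < num_socks; n++) {
				shutdown(socks[n], SHUT_RDWR);
				close(socks[n]);
			}
			return NULL;
		}
		/* … unchanged: memcpy of h_addr_list[0] and snprintf building DISPLAY … */
```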
@@ -0,0 +1,1270 @@ +#! /bin/sh +# Attempt to guess a canonical system name. +# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000 +# Free Software Foundation, Inc. + +version='2000-05-30' + +# This file is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# Written by Per Bothner . +# Please send patches to . +# +# This script attempts to guess a canonical system name similar to +# config.sub. If it succeeds, it prints the system name on stdout, and +# exits with 0. Otherwise, it exits with 1. +# +# The plan is that this can be called by configure scripts if you +# don't specify an explicit system type (host/target name). +# +# Only a few systems have been added to this list; please add others +# (but try to keep the structure clean). +# + +me=`echo "$0" | sed -e 's,.*/,,'` + +usage="\ +Usage: $0 [OPTION] + +Output the configuration name of this system. + +Operation modes: + -h, --help print this help, then exit + -V, --version print version number, then exit" + +help=" +Try \`$me --help' for more information." 
+ +# Parse command line +while test $# -gt 0 ; do + case "$1" in + --version | --vers* | -V ) + echo "$version" ; exit 0 ;; + --help | --h* | -h ) + echo "$usage"; exit 0 ;; + -- ) # Stop option processing + shift; break ;; + - ) # Use stdin as input. + break ;; + -* ) + exec >&2 + echo "$me: invalid option $1" + echo "$help" + exit 1 ;; + * ) + break ;; + esac +done + +if test $# != 0; then + echo "$me: too many arguments$help" >&2 + exit 1 +fi + +# Use $HOST_CC if defined. $CC may point to a cross-compiler +if test x"$CC_FOR_BUILD" = x; then + if test x"$HOST_CC" != x; then + CC_FOR_BUILD="$HOST_CC" + else + if test x"$CC" != x; then + CC_FOR_BUILD="$CC" + else + CC_FOR_BUILD=cc + fi + fi +fi + + +# This is needed to find uname on a Pyramid OSx when run in the BSD universe. +# (ghazi@noc.rutgers.edu 8/24/94.) +if (test -f /.attbin/uname) >/dev/null 2>&1 ; then + PATH=$PATH:/.attbin ; export PATH +fi + +UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown +UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown +UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown +UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown + +dummy=dummy-$$ +trap 'rm -f $dummy.c $dummy.o $dummy; exit 1' 1 2 15 + +# Note: order is significant - the case branches are not exclusive. + +case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in + *:NetBSD:*:*) + # Netbsd (nbsd) targets should (where applicable) match one or + # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*, + # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently + # switched to ELF, *-*-netbsd* would select the old + # object file format. This provides both forward + # compatibility and a consistent mechanism for selecting the + # object file format. + # Determine the machine/vendor (is the vendor relevant). 
+ case "${UNAME_MACHINE}" in + amiga) machine=m68k-cbm ;; + arm32) machine=arm-unknown ;; + atari*) machine=m68k-atari ;; + sun3*) machine=m68k-sun ;; + mac68k) machine=m68k-apple ;; + macppc) machine=powerpc-apple ;; + hp3[0-9][05]) machine=m68k-hp ;; + ibmrt|romp-ibm) machine=romp-ibm ;; + *) machine=${UNAME_MACHINE}-unknown ;; + esac + # The Operating System including object format. + if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep __ELF__ >/dev/null + then + # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout). + # Return netbsd for either. FIX? + os=netbsd + else + os=netbsdelf + fi + # The OS release + release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: + # contains redundant information, the shorter form: + # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. + echo "${machine}-${os}${release}" + exit 0 ;; + alpha:OSF1:*:*) + if test $UNAME_RELEASE = "V4.0"; then + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` + fi + # A Vn.n version is a released version. + # A Tn.n version is a released field test version. + # A Xn.n version is an unreleased experimental baselevel. + # 1.2 uses "1.2" for uname -r. + cat <$dummy.s + .data +\$Lformat: + .byte 37,100,45,37,120,10,0 # "%d-%x\n" + + .text + .globl main + .align 4 + .ent main +main: + .frame \$30,16,\$26,0 + ldgp \$29,0(\$27) + .prologue 1 + .long 0x47e03d80 # implver \$0 + lda \$2,-1 + .long 0x47e20c21 # amask \$2,\$1 + lda \$16,\$Lformat + mov \$0,\$17 + not \$1,\$18 + jsr \$26,printf + ldgp \$29,0(\$26) + mov 0,\$16 + jsr \$26,exit + .end main +EOF + $CC_FOR_BUILD $dummy.s -o $dummy 2>/dev/null + if test "$?" 
= 0 ; then + case `./$dummy` in + 0-0) + UNAME_MACHINE="alpha" + ;; + 1-0) + UNAME_MACHINE="alphaev5" + ;; + 1-1) + UNAME_MACHINE="alphaev56" + ;; + 1-101) + UNAME_MACHINE="alphapca56" + ;; + 2-303) + UNAME_MACHINE="alphaev6" + ;; + 2-307) + UNAME_MACHINE="alphaev67" + ;; + esac + fi + rm -f $dummy.s $dummy + echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` + exit 0 ;; + Alpha\ *:Windows_NT*:*) + # How do we know it's Interix rather than the generic POSIX subsystem? + # Should we change UNAME_MACHINE based on the output of uname instead + # of the specific Alpha model? + echo alpha-pc-interix + exit 0 ;; + 21064:Windows_NT:50:3) + echo alpha-dec-winnt3.5 + exit 0 ;; + Amiga*:UNIX_System_V:4.0:*) + echo m68k-cbm-sysv4 + exit 0;; + amiga:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + *:[Aa]miga[Oo][Ss]:*:*) + echo ${UNAME_MACHINE}-unknown-amigaos + exit 0 ;; + arc64:OpenBSD:*:*) + echo mips64el-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + arc:OpenBSD:*:*) + echo mipsel-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + hkmips:OpenBSD:*:*) + echo mips-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + pmax:OpenBSD:*:*) + echo mipsel-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + sgi:OpenBSD:*:*) + echo mips-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + wgrisc:OpenBSD:*:*) + echo mipsel-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + *:OS/390:*:*) + echo i370-ibm-openedition + exit 0 ;; + arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) + echo arm-acorn-riscix${UNAME_RELEASE} + exit 0;; + SR2?01:HI-UX/MPP:*:*) + echo hppa1.1-hitachi-hiuxmpp + exit 0;; + Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*) + # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. 
+ if test "`(/bin/universe) 2>/dev/null`" = att ; then + echo pyramid-pyramid-sysv3 + else + echo pyramid-pyramid-bsd + fi + exit 0 ;; + NILE*:*:*:dcosx) + echo pyramid-pyramid-svr4 + exit 0 ;; + sun4H:SunOS:5.*:*) + echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit 0 ;; + sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) + echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit 0 ;; + i86pc:SunOS:5.*:*) + echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit 0 ;; + sun4*:SunOS:6*:*) + # According to config.sub, this is the proper way to canonicalize + # SunOS6. Hard to guess exactly what SunOS6 will be like, but + # it's likely to be more like Solaris than SunOS4. + echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit 0 ;; + sun4*:SunOS:*:*) + case "`/usr/bin/arch -k`" in + Series*|S4*) + UNAME_RELEASE=`uname -v` + ;; + esac + # Japanese Language versions have a version number like `4.1.3-JL'. + echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'` + exit 0 ;; + sun3*:SunOS:*:*) + echo m68k-sun-sunos${UNAME_RELEASE} + exit 0 ;; + sun*:*:4.2BSD:*) + UNAME_RELEASE=`(head -1 /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` + test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 + case "`/bin/arch`" in + sun3) + echo m68k-sun-sunos${UNAME_RELEASE} + ;; + sun4) + echo sparc-sun-sunos${UNAME_RELEASE} + ;; + esac + exit 0 ;; + aushp:SunOS:*:*) + echo sparc-auspex-sunos${UNAME_RELEASE} + exit 0 ;; + atari*:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + # The situation for MiNT is a little confusing. The machine name + # can be virtually everything (everything which is not + # "atarist" or "atariste" at least should have a processor + # > m68000). The system name ranges from "MiNT" over "FreeMiNT" + # to the lowercase version "mint" (or "freemint"). Finally + # the system name "TOS" denotes a system which is actually not + # MiNT. 
But MiNT is downward compatible to TOS, so this should + # be no problem. + atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} + exit 0 ;; + atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} + exit 0 ;; + *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} + exit 0 ;; + milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) + echo m68k-milan-mint${UNAME_RELEASE} + exit 0 ;; + hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) + echo m68k-hades-mint${UNAME_RELEASE} + exit 0 ;; + *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) + echo m68k-unknown-mint${UNAME_RELEASE} + exit 0 ;; + sun3*:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + mac68k:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + mvme68k:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + mvme88k:OpenBSD:*:*) + echo m88k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + powerpc:machten:*:*) + echo powerpc-apple-machten${UNAME_RELEASE} + exit 0 ;; + RISC*:Mach:*:*) + echo mips-dec-mach_bsd4.3 + exit 0 ;; + RISC*:ULTRIX:*:*) + echo mips-dec-ultrix${UNAME_RELEASE} + exit 0 ;; + VAX*:ULTRIX*:*:*) + echo vax-dec-ultrix${UNAME_RELEASE} + exit 0 ;; + 2020:CLIX:*:* | 2430:CLIX:*:*) + echo clipper-intergraph-clix${UNAME_RELEASE} + exit 0 ;; + mips:*:*:UMIPS | mips:*:*:RISCos) + sed 's/^ //' << EOF >$dummy.c +#ifdef __cplusplus +#include /* for printf() prototype */ + int main (int argc, char *argv[]) { +#else + int main (argc, argv) int argc; char *argv[]; { +#endif + #if defined (host_mips) && defined (MIPSEB) + #if defined (SYSTYPE_SYSV) + printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0); + #endif + #if defined (SYSTYPE_SVR4) + printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0); + #endif + #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) + printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0); + 
#endif + #endif + exit (-1); + } +EOF + $CC_FOR_BUILD $dummy.c -o $dummy \ + && ./$dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \ + && rm $dummy.c $dummy && exit 0 + rm -f $dummy.c $dummy + echo mips-mips-riscos${UNAME_RELEASE} + exit 0 ;; + Night_Hawk:Power_UNIX:*:*) + echo powerpc-harris-powerunix + exit 0 ;; + m88k:CX/UX:7*:*) + echo m88k-harris-cxux7 + exit 0 ;; + m88k:*:4*:R4*) + echo m88k-motorola-sysv4 + exit 0 ;; + m88k:*:3*:R3*) + echo m88k-motorola-sysv3 + exit 0 ;; + AViiON:dgux:*:*) + # DG/UX returns AViiON for all architectures + UNAME_PROCESSOR=`/usr/bin/uname -p` + if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] + then + if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ + [ ${TARGET_BINARY_INTERFACE}x = x ] + then + echo m88k-dg-dgux${UNAME_RELEASE} + else + echo m88k-dg-dguxbcs${UNAME_RELEASE} + fi + else + echo i586-dg-dgux${UNAME_RELEASE} + fi + exit 0 ;; + M88*:DolphinOS:*:*) # DolphinOS (SVR3) + echo m88k-dolphin-sysv3 + exit 0 ;; + M88*:*:R3*:*) + # Delta 88k system running SVR3 + echo m88k-motorola-sysv3 + exit 0 ;; + XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3) + echo m88k-tektronix-sysv3 + exit 0 ;; + Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD) + echo m68k-tektronix-bsd + exit 0 ;; + *:IRIX*:*:*) + echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'` + exit 0 ;; + ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. 
+ echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id + exit 0 ;; # Note that: echo "'`uname -s`'" gives 'AIX ' + i?86:AIX:*:*) + echo i386-ibm-aix + exit 0 ;; + *:AIX:2:3) + if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then + sed 's/^ //' << EOF >$dummy.c + #include + + main() + { + if (!__power_pc()) + exit(1); + puts("powerpc-ibm-aix3.2.5"); + exit(0); + } +EOF + $CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm $dummy.c $dummy && exit 0 + rm -f $dummy.c $dummy + echo rs6000-ibm-aix3.2.5 + elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then + echo rs6000-ibm-aix3.2.4 + else + echo rs6000-ibm-aix3.2 + fi + exit 0 ;; + *:AIX:*:4) + IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | head -1 | awk '{ print $1 }'` + if /usr/sbin/lsattr -EHl ${IBM_CPU_ID} | grep POWER >/dev/null 2>&1; then + IBM_ARCH=rs6000 + else + IBM_ARCH=powerpc + fi + if [ -x /usr/bin/oslevel ] ; then + IBM_REV=`/usr/bin/oslevel` + else + IBM_REV=4.${UNAME_RELEASE} + fi + echo ${IBM_ARCH}-ibm-aix${IBM_REV} + exit 0 ;; + *:AIX:*:*) + echo rs6000-ibm-aix + exit 0 ;; + ibmrt:4.4BSD:*|romp-ibm:BSD:*) + echo romp-ibm-bsd4.4 + exit 0 ;; + ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and + echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to + exit 0 ;; # report: romp-ibm BSD 4.3 + *:BOSX:*:*) + echo rs6000-bull-bosx + exit 0 ;; + DPX/2?00:B.O.S.:*:*) + echo m68k-bull-sysv3 + exit 0 ;; + 9000/[34]??:4.3bsd:1.*:*) + echo m68k-hp-bsd + exit 0 ;; + hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*) + echo m68k-hp-bsd4.4 + exit 0 ;; + 9000/[34678]??:HP-UX:*:*) + case "${UNAME_MACHINE}" in + 9000/31? ) HP_ARCH=m68000 ;; + 9000/[34]?? 
) HP_ARCH=m68k ;; + 9000/[678][0-9][0-9]) + sed 's/^ //' << EOF >$dummy.c + + #define _HPUX_SOURCE + #include + #include + + int main () + { + #if defined(_SC_KERNEL_BITS) + long bits = sysconf(_SC_KERNEL_BITS); + #endif + long cpu = sysconf (_SC_CPU_VERSION); + + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1"); break; + case CPU_PA_RISC2_0: + #if defined(_SC_KERNEL_BITS) + switch (bits) + { + case 64: puts ("hppa2.0w"); break; + case 32: puts ("hppa2.0n"); break; + default: puts ("hppa2.0"); break; + } break; + #else /* !defined(_SC_KERNEL_BITS) */ + puts ("hppa2.0"); break; + #endif + default: puts ("hppa1.0"); break; + } + exit (0); + } +EOF + (CCOPTS= $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null ) && HP_ARCH=`./$dummy` + rm -f $dummy.c $dummy + esac + HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` + echo ${HP_ARCH}-hp-hpux${HPUX_REV} + exit 0 ;; + 3050*:HI-UX:*:*) + sed 's/^ //' << EOF >$dummy.c + #include + int + main () + { + long cpu = sysconf (_SC_CPU_VERSION); + /* The order matters, because CPU_IS_HP_MC68K erroneously returns + true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct + results, however. 
*/ + if (CPU_IS_PA_RISC (cpu)) + { + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break; + case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break; + default: puts ("hppa-hitachi-hiuxwe2"); break; + } + } + else if (CPU_IS_HP_MC68K (cpu)) + puts ("m68k-hitachi-hiuxwe2"); + else puts ("unknown-hitachi-hiuxwe2"); + exit (0); + } +EOF + $CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm $dummy.c $dummy && exit 0 + rm -f $dummy.c $dummy + echo unknown-hitachi-hiuxwe2 + exit 0 ;; + 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) + echo hppa1.1-hp-bsd + exit 0 ;; + 9000/8??:4.3bsd:*:*) + echo hppa1.0-hp-bsd + exit 0 ;; + *9??*:MPE/iX:*:*) + echo hppa1.0-hp-mpeix + exit 0 ;; + hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) + echo hppa1.1-hp-osf + exit 0 ;; + hp8??:OSF1:*:*) + echo hppa1.0-hp-osf + exit 0 ;; + i?86:OSF1:*:*) + if [ -x /usr/sbin/sysversion ] ; then + echo ${UNAME_MACHINE}-unknown-osf1mk + else + echo ${UNAME_MACHINE}-unknown-osf1 + fi + exit 0 ;; + parisc*:Lites*:*:*) + echo hppa1.1-hp-lites + exit 0 ;; + hppa*:OpenBSD:*:*) + echo hppa-unknown-openbsd + exit 0 ;; + C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) + echo c1-convex-bsd + exit 0 ;; + C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) + if getsysinfo -f scalar_acc + then echo c32-convex-bsd + else echo c2-convex-bsd + fi + exit 0 ;; + C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) + echo c34-convex-bsd + exit 0 ;; + C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) + echo c38-convex-bsd + exit 0 ;; + C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) + echo c4-convex-bsd + exit 0 ;; + CRAY*X-MP:*:*:*) + echo xmp-cray-unicos + exit 0 ;; + CRAY*Y-MP:*:*:*) + echo ymp-cray-unicos${UNAME_RELEASE} + exit 0 ;; + CRAY*[A-Z]90:*:*:*) + echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \ + | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ + -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ + exit 0 ;; + CRAY*TS:*:*:*) + echo 
t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit 0 ;; + CRAY*T3E:*:*:*) + echo alpha-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit 0 ;; + CRAY*SV1:*:*:*) + echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit 0 ;; + CRAY-2:*:*:*) + echo cray2-cray-unicos + exit 0 ;; + F300:UNIX_System_V:*:*) + FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` + echo "f300-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + exit 0 ;; + F301:UNIX_System_V:*:*) + echo f301-fujitsu-uxpv`echo $UNAME_RELEASE | sed 's/ .*//'` + exit 0 ;; + hp300:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + i?86:BSD/386:*:* | i?86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) + echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} + exit 0 ;; + sparc*:BSD/OS:*:*) + echo sparc-unknown-bsdi${UNAME_RELEASE} + exit 0 ;; + *:BSD/OS:*:*) + echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} + exit 0 ;; + *:FreeBSD:*:*) + echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` + exit 0 ;; + *:OpenBSD:*:*) + echo ${UNAME_MACHINE}-unknown-openbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + exit 0 ;; + i*:CYGWIN*:*) + echo ${UNAME_MACHINE}-pc-cygwin + exit 0 ;; + i*:MINGW*:*) + echo ${UNAME_MACHINE}-pc-mingw32 + exit 0 ;; + i*:Windows_NT*:* | Pentium*:Windows_NT*:*) + # How do we know it's Interix rather than the generic POSIX subsystem? + # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we + # UNAME_MACHINE based on the output of uname instead of i386? 
+ echo i386-pc-interix + exit 0 ;; + i*:UWIN*:*) + echo ${UNAME_MACHINE}-pc-uwin + exit 0 ;; + p*:CYGWIN*:*) + echo powerpcle-unknown-cygwin + exit 0 ;; + prep*:SunOS:5.*:*) + echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit 0 ;; + *:GNU:*:*) + echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` + exit 0 ;; + *:Linux:*:*) + + # The BFD linker knows what the default object file format is, so + # first see if it will tell us. cd to the root directory to prevent + # problems with other programs or directories called `ld' in the path. + ld_help_string=`cd /; ld --help 2>&1` + ld_supported_emulations=`echo $ld_help_string \ + | sed -ne '/supported emulations:/!d + s/[ ][ ]*/ /g + s/.*supported emulations: *// + s/ .*// + p'` + case "$ld_supported_emulations" in + *ia64) + echo "${UNAME_MACHINE}-unknown-linux" + exit 0 + ;; + i?86linux) + echo "${UNAME_MACHINE}-pc-linux-gnuaout" + exit 0 + ;; + elf_i?86) + echo "${UNAME_MACHINE}-pc-linux" + exit 0 + ;; + i?86coff) + echo "${UNAME_MACHINE}-pc-linux-gnucoff" + exit 0 + ;; + sparclinux) + echo "${UNAME_MACHINE}-unknown-linux-gnuaout" + exit 0 + ;; + armlinux) + echo "${UNAME_MACHINE}-unknown-linux-gnuaout" + exit 0 + ;; + elf32arm*) + echo "${UNAME_MACHINE}-unknown-linux-gnuoldld" + exit 0 + ;; + armelf_linux*) + echo "${UNAME_MACHINE}-unknown-linux-gnu" + exit 0 + ;; + m68klinux) + echo "${UNAME_MACHINE}-unknown-linux-gnuaout" + exit 0 + ;; + elf32ppc | elf32ppclinux) + # Determine Lib Version + cat >$dummy.c < +#if defined(__GLIBC__) +extern char __libc_version[]; +extern char __libc_release[]; +#endif +main(argc, argv) + int argc; + char *argv[]; +{ +#if defined(__GLIBC__) + printf("%s %s\n", __libc_version, __libc_release); +#else + printf("unkown\n"); +#endif + return 0; +} +EOF + LIBC="" + $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null + if test "$?" = 0 ; then + ./$dummy | grep 1\.99 > /dev/null + if test "$?" 
= 0 ; then + LIBC="libc1" + fi + fi + rm -f $dummy.c $dummy + echo powerpc-unknown-linux-gnu${LIBC} + exit 0 + ;; + shelf_linux) + echo "${UNAME_MACHINE}-unknown-linux-gnu" + exit 0 + ;; + esac + + if test "${UNAME_MACHINE}" = "alpha" ; then + cat <$dummy.s + .data + \$Lformat: + .byte 37,100,45,37,120,10,0 # "%d-%x\n" + + .text + .globl main + .align 4 + .ent main + main: + .frame \$30,16,\$26,0 + ldgp \$29,0(\$27) + .prologue 1 + .long 0x47e03d80 # implver \$0 + lda \$2,-1 + .long 0x47e20c21 # amask \$2,\$1 + lda \$16,\$Lformat + mov \$0,\$17 + not \$1,\$18 + jsr \$26,printf + ldgp \$29,0(\$26) + mov 0,\$16 + jsr \$26,exit + .end main +EOF + LIBC="" + $CC_FOR_BUILD $dummy.s -o $dummy 2>/dev/null + if test "$?" = 0 ; then + case `./$dummy` in + 0-0) + UNAME_MACHINE="alpha" + ;; + 1-0) + UNAME_MACHINE="alphaev5" + ;; + 1-1) + UNAME_MACHINE="alphaev56" + ;; + 1-101) + UNAME_MACHINE="alphapca56" + ;; + 2-303) + UNAME_MACHINE="alphaev6" + ;; + 2-307) + UNAME_MACHINE="alphaev67" + ;; + esac + + objdump --private-headers $dummy | \ + grep ld.so.1 > /dev/null + if test "$?" = 0 ; then + LIBC="libc1" + fi + fi + rm -f $dummy.s $dummy + echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} ; exit 0 + elif test "${UNAME_MACHINE}" = "mips" ; then + cat >$dummy.c < /* for printf() prototype */ + int main (int argc, char *argv[]) { +#else + int main (argc, argv) int argc; char *argv[]; { +#endif +#ifdef __MIPSEB__ + printf ("%s-unknown-linux-gnu\n", argv[1]); +#endif +#ifdef __MIPSEL__ + printf ("%sel-unknown-linux-gnu\n", argv[1]); +#endif + return 0; +} +EOF + $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy "${UNAME_MACHINE}" && rm $dummy.c $dummy && exit 0 + rm -f $dummy.c $dummy + elif test "${UNAME_MACHINE}" = "s390"; then + echo s390-ibm-linux && exit 0 + else + # Either a pre-BFD a.out linker (linux-gnuoldld) + # or one that does not give us useful --help. + # GCC wants to distinguish between linux-gnuoldld and linux-gnuaout. 
+ # If ld does not provide *any* "supported emulations:" + # that means it is gnuoldld. + echo "$ld_help_string" | grep >/dev/null 2>&1 "supported emulations:" + test $? != 0 && echo "${UNAME_MACHINE}-pc-linux-gnuoldld" && exit 0 + + case "${UNAME_MACHINE}" in + i?86) + VENDOR=pc; + ;; + *) + VENDOR=unknown; + ;; + esac + # Determine whether the default compiler is a.out or elf + cat >$dummy.c < +#ifdef __cplusplus +#include /* for printf() prototype */ + int main (int argc, char *argv[]) { +#else + int main (argc, argv) int argc; char *argv[]; { +#endif +#ifdef __ELF__ +# ifdef __GLIBC__ +# if __GLIBC__ >= 2 + printf ("%s-${VENDOR}-linux-gnu\n", argv[1]); +# else + printf ("%s-${VENDOR}-linux-gnulibc1\n", argv[1]); +# endif +# else + printf ("%s-${VENDOR}-linux-gnulibc1\n", argv[1]); +# endif +#else + printf ("%s-${VENDOR}-linux-gnuaout\n", argv[1]); +#endif + return 0; +} +EOF + $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy "${UNAME_MACHINE}" && rm $dummy.c $dummy && exit 0 + rm -f $dummy.c $dummy + fi ;; +# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. earlier versions +# are messed up and put the nodename in both sysname and nodename. + i?86:DYNIX/ptx:4*:*) + echo i386-sequent-sysv4 + exit 0 ;; + i?86:UNIX_SV:4.2MP:2.*) + # Unixware is an offshoot of SVR4, but it has its own version + # number series starting with 2... + # I am not positive that other SVR4 systems won't match this, + # I just have to hope. -- rms. + # Use sysv4.2uw... so that sysv4* matches it. 
+ echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} + exit 0 ;; + i?86:*:4.*:* | i?86:SYSTEM_V:4.*:*) + UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` + if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then + echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL} + else + echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL} + fi + exit 0 ;; + i?86:*:5:7*) + # Fixed at (any) Pentium or better + UNAME_MACHINE=i586 + if [ ${UNAME_SYSTEM} = "UnixWare" ] ; then + echo ${UNAME_MACHINE}-sco-sysv${UNAME_RELEASE}uw${UNAME_VERSION} + else + echo ${UNAME_MACHINE}-pc-sysv${UNAME_RELEASE} + fi + exit 0 ;; + i?86:*:3.2:*) + if test -f /usr/options/cb.name; then + UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then + UNAME_REL=`(/bin/uname -X|egrep Release|sed -e 's/.*= //')` + (/bin/uname -X|egrep i80486 >/dev/null) && UNAME_MACHINE=i486 + (/bin/uname -X|egrep '^Machine.*Pentium' >/dev/null) \ + && UNAME_MACHINE=i586 + (/bin/uname -X|egrep '^Machine.*Pent ?II' >/dev/null) \ + && UNAME_MACHINE=i686 + (/bin/uname -X|egrep '^Machine.*Pentium Pro' >/dev/null) \ + && UNAME_MACHINE=i686 + echo ${UNAME_MACHINE}-pc-sco$UNAME_REL + else + echo ${UNAME_MACHINE}-pc-sysv32 + fi + exit 0 ;; + i?86:*DOS:*:*) + echo ${UNAME_MACHINE}-pc-msdosdjgpp + exit 0 ;; + pc:*:*:*) + # Left here for compatibility: + # uname -m prints for DJGPP always 'pc', but it prints nothing about + # the processor, so we play safe by assuming i386. + echo i386-pc-msdosdjgpp + exit 0 ;; + Intel:Mach:3*:*) + echo i386-pc-mach3 + exit 0 ;; + paragon:*:*:*) + echo i860-intel-osf1 + exit 0 ;; + i860:*:4.*:*) # i860-SVR4 + if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then + echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4 + else # Add other i860-SVR4 vendors below as they are discovered. 
+ echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4 + fi + exit 0 ;; + mini*:CTIX:SYS*5:*) + # "miniframe" + echo m68010-convergent-sysv + exit 0 ;; + M68*:*:R3V[567]*:*) + test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;; + 3[34]??:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 4850:*:4.0:3.0) + OS_REL='' + test -r /etc/.relid \ + && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && echo i486-ncr-sysv4.3${OS_REL} && exit 0 + /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ + && echo i586-ncr-sysv4.3${OS_REL} && exit 0 ;; + 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && echo i486-ncr-sysv4 && exit 0 ;; + m68*:LynxOS:2.*:*) + echo m68k-unknown-lynxos${UNAME_RELEASE} + exit 0 ;; + mc68030:UNIX_System_V:4.*:*) + echo m68k-atari-sysv4 + exit 0 ;; + i?86:LynxOS:2.*:* | i?86:LynxOS:3.[01]*:*) + echo i386-unknown-lynxos${UNAME_RELEASE} + exit 0 ;; + TSUNAMI:LynxOS:2.*:*) + echo sparc-unknown-lynxos${UNAME_RELEASE} + exit 0 ;; + rs6000:LynxOS:2.*:* | PowerPC:LynxOS:2.*:*) + echo rs6000-unknown-lynxos${UNAME_RELEASE} + exit 0 ;; + SM[BE]S:UNIX_SV:*:*) + echo mips-dde-sysv${UNAME_RELEASE} + exit 0 ;; + RM*:ReliantUNIX-*:*:*) + echo mips-sni-sysv4 + exit 0 ;; + RM*:SINIX-*:*:*) + echo mips-sni-sysv4 + exit 0 ;; + *:SINIX-*:*:*) + if uname -p 2>/dev/null >/dev/null ; then + UNAME_MACHINE=`(uname -p) 2>/dev/null` + echo ${UNAME_MACHINE}-sni-sysv4 + else + echo ns32k-sni-sysv + fi + exit 0 ;; + PENTIUM:CPunix:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort + # says + echo i586-unisys-sysv4 + exit 0 ;; + *:UNIX_System_V:4*:FTX*) + # From Gerald Hewes . + # How about differentiating between stratus architectures? -djm + echo hppa1.1-stratus-sysv4 + exit 0 ;; + *:*:*:FTX*) + # From seanf@swdc.stratus.com. 
+ echo i860-stratus-sysv4 + exit 0 ;; + mc68*:A/UX:*:*) + echo m68k-apple-aux${UNAME_RELEASE} + exit 0 ;; + news*:NEWS-OS:*:6*) + echo mips-sony-newsos6 + exit 0 ;; + R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) + if [ -d /usr/nec ]; then + echo mips-nec-sysv${UNAME_RELEASE} + else + echo mips-unknown-sysv${UNAME_RELEASE} + fi + exit 0 ;; + BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. + echo powerpc-be-beos + exit 0 ;; + BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only. + echo powerpc-apple-beos + exit 0 ;; + BePC:BeOS:*:*) # BeOS running on Intel PC compatible. + echo i586-pc-beos + exit 0 ;; + SX-4:SUPER-UX:*:*) + echo sx4-nec-superux${UNAME_RELEASE} + exit 0 ;; + SX-5:SUPER-UX:*:*) + echo sx5-nec-superux${UNAME_RELEASE} + exit 0 ;; + Power*:Rhapsody:*:*) + echo powerpc-apple-rhapsody${UNAME_RELEASE} + exit 0 ;; + *:Rhapsody:*:*) + echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE} + exit 0 ;; + *:Darwin:*:*) + echo `uname -p`-apple-darwin${UNAME_RELEASE} + exit 0 ;; + *:procnto*:*:* | *:QNX:[0123456789]*:*) + if test "${UNAME_MACHINE}" = "x86pc"; then + UNAME_MACHINE=pc + fi + echo `uname -p`-${UNAME_MACHINE}-nto-qnx + exit 0 ;; + *:QNX:*:4*) + echo i386-pc-qnx + exit 0 ;; + NSR-W:NONSTOP_KERNEL:*:*) + echo nsr-tandem-nsk${UNAME_RELEASE} + exit 0 ;; + BS2000:POSIX*:*:*) + echo bs2000-siemens-sysv + exit 0 ;; + DS/*:UNIX_System_V:*:*) + echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE} + exit 0 ;; +esac + +#echo '(No uname command or uname output not recognized.)' 1>&2 +#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2 + +cat >$dummy.c < +# include +#endif +main () +{ +#if defined (sony) +#if defined (MIPSEB) + /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, + I don't know.... 
*/ + printf ("mips-sony-bsd\n"); exit (0); +#else +#include + printf ("m68k-sony-newsos%s\n", +#ifdef NEWSOS4 + "4" +#else + "" +#endif + ); exit (0); +#endif +#endif + +#if defined (__arm) && defined (__acorn) && defined (__unix) + printf ("arm-acorn-riscix"); exit (0); +#endif + +#if defined (hp300) && !defined (hpux) + printf ("m68k-hp-bsd\n"); exit (0); +#endif + +#if defined (NeXT) +#if !defined (__ARCHITECTURE__) +#define __ARCHITECTURE__ "m68k" +#endif + int version; + version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; + if (version < 4) + printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); + else + printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version); + exit (0); +#endif + +#if defined (MULTIMAX) || defined (n16) +#if defined (UMAXV) + printf ("ns32k-encore-sysv\n"); exit (0); +#else +#if defined (CMU) + printf ("ns32k-encore-mach\n"); exit (0); +#else + printf ("ns32k-encore-bsd\n"); exit (0); +#endif +#endif +#endif + +#if defined (__386BSD__) + printf ("i386-pc-bsd\n"); exit (0); +#endif + +#if defined (sequent) +#if defined (i386) + printf ("i386-sequent-dynix\n"); exit (0); +#endif +#if defined (ns32000) + printf ("ns32k-sequent-dynix\n"); exit (0); +#endif +#endif + +#if defined (_SEQUENT_) + struct utsname un; + + uname(&un); + + if (strncmp(un.version, "V2", 2) == 0) { + printf ("i386-sequent-ptx2\n"); exit (0); + } + if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */ + printf ("i386-sequent-ptx1\n"); exit (0); + } + printf ("i386-sequent-ptx\n"); exit (0); + +#endif + +#if defined (vax) +#if !defined (ultrix) + printf ("vax-dec-bsd\n"); exit (0); +#else + printf ("vax-dec-ultrix\n"); exit (0); +#endif +#endif + +#if defined (alliant) && defined (i860) + printf ("i860-alliant-bsd\n"); exit (0); +#endif + + exit (1); +} +EOF + +$CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy && rm $dummy.c $dummy && exit 0 +rm -f $dummy.c $dummy + +# Apollos put the system type in the environment. 
+ +test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit 0; } + +# Convex versions that predate uname can use getsysinfo(1) + +if [ -x /usr/convex/getsysinfo ] +then + case `getsysinfo -f cpu_type` in + c1*) + echo c1-convex-bsd + exit 0 ;; + c2*) + if getsysinfo -f scalar_acc + then echo c32-convex-bsd + else echo c2-convex-bsd + fi + exit 0 ;; + c34*) + echo c34-convex-bsd + exit 0 ;; + c38*) + echo c38-convex-bsd + exit 0 ;; + c4*) + echo c4-convex-bsd + exit 0 ;; + esac +fi + +cat >&2 < in order to provide the needed +information to handle your system. + +config.guess version = $version + +uname -m = `(uname -m) 2>/dev/null || echo unknown` +uname -r = `(uname -r) 2>/dev/null || echo unknown` +uname -s = `(uname -s) 2>/dev/null || echo unknown` +uname -v = `(uname -v) 2>/dev/null || echo unknown` + +/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null` +/bin/uname -X = `(/bin/uname -X) 2>/dev/null` + +hostinfo = `(hostinfo) 2>/dev/null` +/bin/universe = `(/bin/universe) 2>/dev/null` +/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null` +/bin/arch = `(/bin/arch) 2>/dev/null` +/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null` +/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null` + +UNAME_MACHINE = ${UNAME_MACHINE} +UNAME_RELEASE = ${UNAME_RELEASE} +UNAME_SYSTEM = ${UNAME_SYSTEM} +UNAME_VERSION = ${UNAME_VERSION} +EOF + +exit 1 + +# Local variables: +# eval: (add-hook 'write-file-hooks 'time-stamp) +# time-stamp-start: "version='" +# time-stamp-format: "%:y-%02m-%02d" +# time-stamp-end: "'" +# End: diff -ruN --exclude CVS ssh-openbsd-2000070100/config.sub openssh-2.1.1p2/config.sub --- ssh-openbsd-2000070100/config.sub Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/config.sub Mon Jun 12 23:01:02 2000 
@@ -0,0 +1,1312 @@
+#! /bin/sh
+# Configuration validation subroutine script, version 1.1.
+# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+
+version='2000-06-10'
+
+# This file is (in principle) common to ALL GNU software.
+# The presence of a machine in this file suggests that SOME GNU software
+# can handle that machine. It does not imply ALL GNU software can.
+#
+# This file is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330,
+# Boston, MA 02111-1307, USA.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Written by Per Bothner .
+# Please send patches to .
+#
+# Configuration subroutine to validate and canonicalize a configuration type.
+# Supply the specified configuration type as an argument.
+# If it is invalid, we print an error message on stderr and exit with code 1.
+# Otherwise, we print the canonical config type on stdout and succeed.
+
+# This file is supposed to be the same for all GNU packages
+# and recognize all the CPU types, system types and aliases
+# that are meaningful with *any* GNU software.
+# Each package is responsible for reporting which valid configurations
+# it does not support. The user should be able to distinguish
+# a failure to support a valid configuration from a meaningless
+# configuration.
+
+# The goal of this file is to map all the various variations of a given
+# machine specification into a single specification in the form:
+# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
+# or in some cases, the newer four-part form:
+# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
+# It is wrong to echo any other type of specification.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION] CPU-MFR-OPSYS
+ $0 [OPTION] ALIAS
+
+Canonicalize a configuration name.
+
+Operation modes:
+ -h, --help print this help, then exit
+ -V, --version print version number, then exit"
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+ case "$1" in
+ --version | --vers* | -V )
+ echo "$version" ; exit 0 ;;
+ --help | --h* | -h )
+ echo "$usage"; exit 0 ;;
+ -- ) # Stop option processing
+ shift; break ;;
+ - ) # Use stdin as input.
+ break ;;
+ -* )
+ exec >&2
+ echo "$me: invalid option $1"
+ echo "$help"
+ exit 1 ;;
+
+ *local*)
+ # First pass through any local machine types.
+ echo $1
+ exit 0;;
+
+ * )
+ break ;;
+ esac
+done
+
+case $# in
+ 0) echo "$me: missing argument$help" >&2
+ exit 1;;
+ 1) ;;
+ *) echo "$me: too many arguments$help" >&2
+ exit 1;;
+esac
+
+# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
+# Here we must recognize all the valid KERNEL-OS combinations.
+maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` +case $maybe_os in + nto-qnx* | linux-gnu*) + os=-$maybe_os + basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` + ;; + *) + basic_machine=`echo $1 | sed 's/-[^-]*$//'` + if [ $basic_machine != $1 ] + then os=`echo $1 | sed 's/.*-/-/'` + else os=; fi + ;; +esac + +### Let's recognize common machines as not being operating systems so +### that things like config.sub decstation-3100 work. We also +### recognize some manufacturers as not being operating systems, so we +### can provide default operating systems below. +case $os in + -sun*os*) + # Prevent following clause from handling this invalid input. + ;; + -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \ + -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \ + -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \ + -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ + -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ + -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ + -apple | -axis) + os= + basic_machine=$1 + ;; + -sim | -cisco | -oki | -wec | -winbond) + os= + basic_machine=$1 + ;; + -scout) + ;; + -wrs) + os=-vxworks + basic_machine=$1 + ;; + -hiux*) + os=-hiuxwe2 + ;; + -sco5) + os=-sco3.2v5 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco4) + os=-sco3.2v4 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco3.2.[4-9]*) + os=`echo $os | sed -e 's/sco3.2./sco3.2v/'` + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco3.2v[4-9]*) + # Don't forget version if it is 3.2v4 or newer. 
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco*) + os=-sco3.2v2 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -udk*) + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -isc) + os=-isc2.2 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -clix*) + basic_machine=clipper-intergraph + ;; + -isc*) + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -lynx*) + os=-lynxos + ;; + -ptx*) + basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'` + ;; + -windowsnt*) + os=`echo $os | sed -e 's/windowsnt/winnt/'` + ;; + -psos*) + os=-psos + ;; + -mint | -mint[0-9]*) + basic_machine=m68k-atari + os=-mint + ;; +esac + +# Decode aliases for certain CPU-COMPANY combinations. +case $basic_machine in + # Recognize the basic CPU types without company name. + # Some are omitted here because they have special meanings below. + tahoe | i860 | ia64 | m32r | m68k | m68000 | m88k | ns32k | arc | arm \ + | arme[lb] | pyramid | mn10200 | mn10300 | tron | a29k \ + | 580 | i960 | h8300 \ + | x86 | ppcbe | mipsbe | mipsle | shbe | shle | armbe | armle \ + | hppa | hppa1.0 | hppa1.1 | hppa2.0 | hppa2.0w | hppa2.0n \ + | hppa64 \ + | alpha | alphaev[4-8] | alphaev56 | alphapca5[67] \ + | alphaev6[78] \ + | we32k | ns16k | clipper | i370 | sh | powerpc | powerpcle \ + | 1750a | dsp16xx | pdp11 | mips16 | mips64 | mipsel | mips64el \ + | mips64orion | mips64orionel | mipstx39 | mipstx39el \ + | mips64vr4300 | mips64vr4300el | mips64vr4100 | mips64vr4100el \ + | mips64vr5000 | miprs64vr5000el | mcore \ + | sparc | sparclet | sparclite | sparc64 | sparcv9 | v850 | c4x \ + | thumb | d10v | fr30 | avr) + basic_machine=$basic_machine-unknown + ;; + m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | z8k | v70 | h8500 | w65 | pj | pjl) + ;; + + # We use `pc' rather than `unknown' + # because (1) that's what they normally are, and + # (2) the word "unknown" tends to confuse beginning users. 
+ i[34567]86) + basic_machine=$basic_machine-pc + ;; + # Object if more than one company name word. + *-*-*) + echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 + exit 1 + ;; + # Recognize the basic CPU types with company name. + # FIXME: clean up the formatting here. + vax-* | tahoe-* | i[34567]86-* | i860-* | ia64-* | m32r-* | m68k-* | m68000-* \ + | m88k-* | sparc-* | ns32k-* | fx80-* | arc-* | arm-* | c[123]* \ + | mips-* | pyramid-* | tron-* | a29k-* | romp-* | rs6000-* \ + | power-* | none-* | 580-* | cray2-* | h8300-* | h8500-* | i960-* \ + | xmp-* | ymp-* \ + | x86-* | ppcbe-* | mipsbe-* | mipsle-* | shbe-* | shle-* | armbe-* | armle-* \ + | hppa-* | hppa1.0-* | hppa1.1-* | hppa2.0-* | hppa2.0w-* \ + | hppa2.0n-* | hppa64-* \ + | alpha-* | alphaev[4-8]-* | alphaev56-* | alphapca5[67]-* \ + | alphaev6[78]-* \ + | we32k-* | cydra-* | ns16k-* | pn-* | np1-* | xps100-* \ + | clipper-* | orion-* \ + | sparclite-* | pdp11-* | sh-* | powerpc-* | powerpcle-* \ + | sparc64-* | sparcv9-* | sparc86x-* | mips16-* | mips64-* | mipsel-* \ + | mips64el-* | mips64orion-* | mips64orionel-* \ + | mips64vr4100-* | mips64vr4100el-* | mips64vr4300-* | mips64vr4300el-* \ + | mipstx39-* | mipstx39el-* | mcore-* \ + | f301-* | armv*-* | s390-* | sv1-* | t3e-* \ + | m88110-* | m680[01234]0-* | m683?2-* | m68360-* | z8k-* | d10v-* \ + | thumb-* | v850-* | d30v-* | tic30-* | c30-* | fr30-* \ + | bs2000-*) + ;; + # Recognize the various machine names and aliases which stand + # for a CPU type and a company and sometimes even an OS. 
+ 386bsd) + basic_machine=i386-unknown + os=-bsd + ;; + 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) + basic_machine=m68000-att + ;; + 3b*) + basic_machine=we32k-att + ;; + a29khif) + basic_machine=a29k-amd + os=-udi + ;; + adobe68k) + basic_machine=m68010-adobe + os=-scout + ;; + alliant | fx80) + basic_machine=fx80-alliant + ;; + altos | altos3068) + basic_machine=m68k-altos + ;; + am29k) + basic_machine=a29k-none + os=-bsd + ;; + amdahl) + basic_machine=580-amdahl + os=-sysv + ;; + amiga | amiga-*) + basic_machine=m68k-cbm + ;; + amigaos | amigados) + basic_machine=m68k-cbm + os=-amigaos + ;; + amigaunix | amix) + basic_machine=m68k-cbm + os=-sysv4 + ;; + apollo68) + basic_machine=m68k-apollo + os=-sysv + ;; + apollo68bsd) + basic_machine=m68k-apollo + os=-bsd + ;; + aux) + basic_machine=m68k-apple + os=-aux + ;; + balance) + basic_machine=ns32k-sequent + os=-dynix + ;; + convex-c1) + basic_machine=c1-convex + os=-bsd + ;; + convex-c2) + basic_machine=c2-convex + os=-bsd + ;; + convex-c32) + basic_machine=c32-convex + os=-bsd + ;; + convex-c34) + basic_machine=c34-convex + os=-bsd + ;; + convex-c38) + basic_machine=c38-convex + os=-bsd + ;; + cray | ymp) + basic_machine=ymp-cray + os=-unicos + ;; + cray2) + basic_machine=cray2-cray + os=-unicos + ;; + [ctj]90-cray) + basic_machine=c90-cray + os=-unicos + ;; + crds | unos) + basic_machine=m68k-crds + ;; + cris | cris-* | etrax*) + basic_machine=cris-axis + ;; + da30 | da30-*) + basic_machine=m68k-da30 + ;; + decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) + basic_machine=mips-dec + ;; + delta | 3300 | motorola-3300 | motorola-delta \ + | 3300-motorola | delta-motorola) + basic_machine=m68k-motorola + ;; + delta88) + basic_machine=m88k-motorola + os=-sysv3 + ;; + dpx20 | dpx20-*) + basic_machine=rs6000-bull + os=-bosx + ;; + dpx2* | dpx2*-bull) + basic_machine=m68k-bull + os=-sysv3 + ;; + ebmon29k) + basic_machine=a29k-amd + os=-ebmon + ;; + elxsi) + 
basic_machine=elxsi-elxsi + os=-bsd + ;; + encore | umax | mmax) + basic_machine=ns32k-encore + ;; + es1800 | OSE68k | ose68k | ose | OSE) + basic_machine=m68k-ericsson + os=-ose + ;; + fx2800) + basic_machine=i860-alliant + ;; + genix) + basic_machine=ns32k-ns + ;; + gmicro) + basic_machine=tron-gmicro + os=-sysv + ;; + h3050r* | hiux*) + basic_machine=hppa1.1-hitachi + os=-hiuxwe2 + ;; + h8300hms) + basic_machine=h8300-hitachi + os=-hms + ;; + h8300xray) + basic_machine=h8300-hitachi + os=-xray + ;; + h8500hms) + basic_machine=h8500-hitachi + os=-hms + ;; + harris) + basic_machine=m88k-harris + os=-sysv3 + ;; + hp300-*) + basic_machine=m68k-hp + ;; + hp300bsd) + basic_machine=m68k-hp + os=-bsd + ;; + hp300hpux) + basic_machine=m68k-hp + os=-hpux + ;; + hp3k9[0-9][0-9] | hp9[0-9][0-9]) + basic_machine=hppa1.0-hp + ;; + hp9k2[0-9][0-9] | hp9k31[0-9]) + basic_machine=m68000-hp + ;; + hp9k3[2-9][0-9]) + basic_machine=m68k-hp + ;; + hp9k6[0-9][0-9] | hp6[0-9][0-9]) + basic_machine=hppa1.0-hp + ;; + hp9k7[0-79][0-9] | hp7[0-79][0-9]) + basic_machine=hppa1.1-hp + ;; + hp9k78[0-9] | hp78[0-9]) + # FIXME: really hppa2.0-hp + basic_machine=hppa1.1-hp + ;; + hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) + # FIXME: really hppa2.0-hp + basic_machine=hppa1.1-hp + ;; + hp9k8[0-9][13679] | hp8[0-9][13679]) + basic_machine=hppa1.1-hp + ;; + hp9k8[0-9][0-9] | hp8[0-9][0-9]) + basic_machine=hppa1.0-hp + ;; + hppa-next) + os=-nextstep3 + ;; + hppaosf) + basic_machine=hppa1.1-hp + os=-osf + ;; + hppro) + basic_machine=hppa1.1-hp + os=-proelf + ;; + i370-ibm* | ibm*) + basic_machine=i370-ibm + ;; +# I'm not sure what "Sysv32" means. Should this be sysv3.2? 
+ i[34567]86v32) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-sysv32 + ;; + i[34567]86v4*) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-sysv4 + ;; + i[34567]86v) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-sysv + ;; + i[34567]86sol2) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-solaris2 + ;; + i386mach) + basic_machine=i386-mach + os=-mach + ;; + i386-vsta | vsta) + basic_machine=i386-unknown + os=-vsta + ;; + i386-go32 | go32) + basic_machine=i386-unknown + os=-go32 + ;; + i386-mingw32 | mingw32) + basic_machine=i386-unknown + os=-mingw32 + ;; + iris | iris4d) + basic_machine=mips-sgi + case $os in + -irix*) + ;; + *) + os=-irix4 + ;; + esac + ;; + isi68 | isi) + basic_machine=m68k-isi + os=-sysv + ;; + m88k-omron*) + basic_machine=m88k-omron + ;; + magnum | m3230) + basic_machine=mips-mips + os=-sysv + ;; + merlin) + basic_machine=ns32k-utek + os=-sysv + ;; + miniframe) + basic_machine=m68000-convergent + ;; + *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*) + basic_machine=m68k-atari + os=-mint + ;; + mipsel*-linux*) + basic_machine=mipsel-unknown + os=-linux-gnu + ;; + mips*-linux*) + basic_machine=mips-unknown + os=-linux-gnu + ;; + mips3*-*) + basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` + ;; + mips3*) + basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown + ;; + mmix*) + basic_machine=mmix-knuth + os=-mmixware + ;; + monitor) + basic_machine=m68k-rom68k + os=-coff + ;; + msdos) + basic_machine=i386-unknown + os=-msdos + ;; + mvs) + basic_machine=i370-ibm + os=-mvs + ;; + ncr3000) + basic_machine=i486-ncr + os=-sysv4 + ;; + netbsd386) + basic_machine=i386-unknown + os=-netbsd + ;; + netwinder) + basic_machine=armv4l-rebel + os=-linux + ;; + news | news700 | news800 | news900) + basic_machine=m68k-sony + os=-newsos + ;; + news1000) + basic_machine=m68030-sony + os=-newsos + ;; + news-3600 | risc-news) + basic_machine=mips-sony + os=-newsos + ;; + necv70) + basic_machine=v70-nec + 
os=-sysv + ;; + next | m*-next ) + basic_machine=m68k-next + case $os in + -nextstep* ) + ;; + -ns2*) + os=-nextstep2 + ;; + *) + os=-nextstep3 + ;; + esac + ;; + nh3000) + basic_machine=m68k-harris + os=-cxux + ;; + nh[45]000) + basic_machine=m88k-harris + os=-cxux + ;; + nindy960) + basic_machine=i960-intel + os=-nindy + ;; + mon960) + basic_machine=i960-intel + os=-mon960 + ;; + np1) + basic_machine=np1-gould + ;; + nsr-tandem) + basic_machine=nsr-tandem + ;; + op50n-* | op60c-*) + basic_machine=hppa1.1-oki + os=-proelf + ;; + OSE68000 | ose68000) + basic_machine=m68000-ericsson + os=-ose + ;; + os68k) + basic_machine=m68k-none + os=-os68k + ;; + pa-hitachi) + basic_machine=hppa1.1-hitachi + os=-hiuxwe2 + ;; + paragon) + basic_machine=i860-intel + os=-osf + ;; + pbd) + basic_machine=sparc-tti + ;; + pbb) + basic_machine=m68k-tti + ;; + pc532 | pc532-*) + basic_machine=ns32k-pc532 + ;; + pentium | p5 | k5 | k6 | nexen) + basic_machine=i586-pc + ;; + pentiumpro | p6 | 6x86 | athlon) + basic_machine=i686-pc + ;; + pentiumii | pentium2) + basic_machine=i786-pc + ;; + pentium-* | p5-* | k5-* | k6-* | nexen-*) + basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pentiumpro-* | p6-* | 6x86-* | athlon-*) + basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pentiumii-* | pentium2-*) + basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pn) + basic_machine=pn-gould + ;; + power) basic_machine=rs6000-ibm + ;; + ppc) basic_machine=powerpc-unknown + ;; + ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ppcle | powerpclittle | ppc-le | powerpc-little) + basic_machine=powerpcle-unknown + ;; + ppcle-* | powerpclittle-*) + basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ps2) + basic_machine=i386-ibm + ;; + rom68k) + basic_machine=m68k-rom68k + os=-coff + ;; + rm[46]00) + basic_machine=mips-siemens + ;; + rtpc | rtpc-*) + basic_machine=romp-ibm + ;; + sa29200) + 
basic_machine=a29k-amd + os=-udi + ;; + sequent) + basic_machine=i386-sequent + ;; + sh) + basic_machine=sh-hitachi + os=-hms + ;; + sparclite-wrs) + basic_machine=sparclite-wrs + os=-vxworks + ;; + sps7) + basic_machine=m68k-bull + os=-sysv2 + ;; + spur) + basic_machine=spur-unknown + ;; + st2000) + basic_machine=m68k-tandem + ;; + stratus) + basic_machine=i860-stratus + os=-sysv4 + ;; + sun2) + basic_machine=m68000-sun + ;; + sun2os3) + basic_machine=m68000-sun + os=-sunos3 + ;; + sun2os4) + basic_machine=m68000-sun + os=-sunos4 + ;; + sun3os3) + basic_machine=m68k-sun + os=-sunos3 + ;; + sun3os4) + basic_machine=m68k-sun + os=-sunos4 + ;; + sun4os3) + basic_machine=sparc-sun + os=-sunos3 + ;; + sun4os4) + basic_machine=sparc-sun + os=-sunos4 + ;; + sun4sol2) + basic_machine=sparc-sun + os=-solaris2 + ;; + sun3 | sun3-*) + basic_machine=m68k-sun + ;; + sun4) + basic_machine=sparc-sun + ;; + sun386 | sun386i | roadrunner) + basic_machine=i386-sun + ;; + sv1) + basic_machine=sv1-cray + os=-unicos + ;; + symmetry) + basic_machine=i386-sequent + os=-dynix + ;; + t3e) + basic_machine=t3e-cray + os=-unicos + ;; + tx39) + basic_machine=mipstx39-unknown + ;; + tx39el) + basic_machine=mipstx39el-unknown + ;; + tower | tower-32) + basic_machine=m68k-ncr + ;; + udi29k) + basic_machine=a29k-amd + os=-udi + ;; + ultra3) + basic_machine=a29k-nyu + os=-sym1 + ;; + v810 | necv810) + basic_machine=v810-nec + os=-none + ;; + vaxv) + basic_machine=vax-dec + os=-sysv + ;; + vms) + basic_machine=vax-dec + os=-vms + ;; + vpp*|vx|vx-*) + basic_machine=f301-fujitsu + ;; + vxworks960) + basic_machine=i960-wrs + os=-vxworks + ;; + vxworks68) + basic_machine=m68k-wrs + os=-vxworks + ;; + vxworks29k) + basic_machine=a29k-wrs + os=-vxworks + ;; + w65*) + basic_machine=w65-wdc + os=-none + ;; + w89k-*) + basic_machine=hppa1.1-winbond + os=-proelf + ;; + xmp) + basic_machine=xmp-cray + os=-unicos + ;; + xps | xps100) + basic_machine=xps100-honeywell + ;; + z8k-*-coff) + 
basic_machine=z8k-unknown + os=-sim + ;; + none) + basic_machine=none-none + os=-none + ;; + +# Here we handle the default manufacturer of certain CPU types. It is in +# some cases the only manufacturer, in others, it is the most popular. + w89k) + basic_machine=hppa1.1-winbond + ;; + op50n) + basic_machine=hppa1.1-oki + ;; + op60c) + basic_machine=hppa1.1-oki + ;; + mips) + if [ x$os = x-linux-gnu ]; then + basic_machine=mips-unknown + else + basic_machine=mips-mips + fi + ;; + romp) + basic_machine=romp-ibm + ;; + rs6000) + basic_machine=rs6000-ibm + ;; + vax) + basic_machine=vax-dec + ;; + pdp11) + basic_machine=pdp11-dec + ;; + we32k) + basic_machine=we32k-att + ;; + sparc | sparcv9) + basic_machine=sparc-sun + ;; + cydra) + basic_machine=cydra-cydrome + ;; + orion) + basic_machine=orion-highlevel + ;; + orion105) + basic_machine=clipper-highlevel + ;; + mac | mpw | mac-mpw) + basic_machine=m68k-apple + ;; + pmac | pmac-mpw) + basic_machine=powerpc-apple + ;; + c4x*) + basic_machine=c4x-none + os=-coff + ;; + *) + echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 + exit 1 + ;; +esac + +# Here we canonicalize certain aliases for manufacturers. +case $basic_machine in + *-digital*) + basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'` + ;; + *-commodore*) + basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'` + ;; + *) + ;; +esac + +# Decode manufacturer-specific aliases for certain operating systems. + +if [ x"$os" != x"" ] +then +case $os in + # First match some system type aliases + # that might get confused with valid system types. + # -solaris* is a basic system type, with this one exception. + -solaris1 | -solaris1.*) + os=`echo $os | sed -e 's|solaris1|sunos4|'` + ;; + -solaris) + os=-solaris2 + ;; + -svr4*) + os=-sysv4 + ;; + -unixware*) + os=-sysv4.2uw + ;; + -gnu/linux*) + os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'` + ;; + # First accept the basic system types. + # The portable systems comes first. 
+ # Each alternative MUST END IN A *, to match a version number. + # -sysv* is not here because it comes later, after sysvr4. + -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ + | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\ + | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \ + | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ + | -aos* \ + | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ + | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ + | -hiux* | -386bsd* | -netbsd* | -openbsd* | -freebsd* | -riscix* \ + | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ + | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ + | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ + | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ + | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -mpeix* | -udk* \ + | -interix* | -uwin* | -rhapsody* | -darwin* | -opened* \ + | -openstep* | -oskit*) + # Remember, each alternative MUST END IN *, to match a version number. + ;; + -qnx*) + case $basic_machine in + x86-* | i[34567]86-*) + ;; + *) + os=-nto$os + ;; + esac + ;; + -nto*) + os=-nto-qnx + ;; + -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \ + | -windows* | -osx | -abug | -netware* | -os9* | -beos* \ + | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*) + ;; + -mac*) + os=`echo $os | sed -e 's|mac|macos|'` + ;; + -linux*) + os=`echo $os | sed -e 's|linux|linux-gnu|'` + ;; + -sunos5*) + os=`echo $os | sed -e 's|sunos5|solaris2|'` + ;; + -sunos6*) + os=`echo $os | sed -e 's|sunos6|solaris3|'` + ;; + -opened*) + os=-openedition + ;; + -wince*) + os=-wince + ;; + -osfrose*) + os=-osfrose + ;; + -osf*) + os=-osf + ;; + -utek*) + os=-bsd + ;; + -dynix*) + os=-bsd + ;; + -acis*) + os=-aos + ;; + -386bsd) + os=-bsd + ;; + -ctix* | -uts*) + os=-sysv + ;; + -ns2 ) + os=-nextstep2 + ;; + -nsk) + os=-nsk + ;; + # Preserve the version number of sinix5. 
+ -sinix5.*) + os=`echo $os | sed -e 's|sinix|sysv|'` + ;; + -sinix*) + os=-sysv4 + ;; + -triton*) + os=-sysv3 + ;; + -oss*) + os=-sysv3 + ;; + -svr4) + os=-sysv4 + ;; + -svr3) + os=-sysv3 + ;; + -sysvr4) + os=-sysv4 + ;; + # This must come after -sysvr4. + -sysv*) + ;; + -ose*) + os=-ose + ;; + -es1800*) + os=-ose + ;; + -xenix) + os=-xenix + ;; + -*mint | -*MiNT) + os=-mint + ;; + -none) + ;; + *) + # Get rid of the `-' at the beginning of $os. + os=`echo $os | sed 's/[^-]*-//'` + echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2 + exit 1 + ;; +esac +else + +# Here we handle the default operating systems that come with various machines. +# The value should be what the vendor currently ships out the door with their +# machine or put another way, the most popular os provided with the machine. + +# Note that if you're going to try to match "-MANUFACTURER" here (say, +# "-sun"), then you have to tell the case statement up towards the top +# that MANUFACTURER isn't an operating system. Otherwise, code above +# will signal an error saying that MANUFACTURER isn't an operating +# system, and we'll never get to this point. + +case $basic_machine in + *-acorn) + os=-riscix1.2 + ;; + arm*-rebel) + os=-linux + ;; + arm*-semi) + os=-aout + ;; + pdp11-*) + os=-none + ;; + *-dec | vax-*) + os=-ultrix4.2 + ;; + m68*-apollo) + os=-domain + ;; + i386-sun) + os=-sunos4.0.2 + ;; + m68000-sun) + os=-sunos3 + # This also exists in the configure program, but was not the + # default. + # os=-sunos4 + ;; + m68*-cisco) + os=-aout + ;; + mips*-cisco) + os=-elf + ;; + mips*-*) + os=-elf + ;; + *-tti) # must be before sparc entry or we get the wrong os. 
+ os=-sysv3 + ;; + sparc-* | *-sun) + os=-sunos4.1.1 + ;; + *-be) + os=-beos + ;; + *-ibm) + os=-aix + ;; + *-wec) + os=-proelf + ;; + *-winbond) + os=-proelf + ;; + *-oki) + os=-proelf + ;; + *-hp) + os=-hpux + ;; + *-hitachi) + os=-hiux + ;; + i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent) + os=-sysv + ;; + *-cbm) + os=-amigaos + ;; + *-dg) + os=-dgux + ;; + *-dolphin) + os=-sysv3 + ;; + m68k-ccur) + os=-rtu + ;; + m88k-omron*) + os=-luna + ;; + *-next ) + os=-nextstep + ;; + *-sequent) + os=-ptx + ;; + *-crds) + os=-unos + ;; + *-ns) + os=-genix + ;; + i370-*) + os=-mvs + ;; + *-next) + os=-nextstep3 + ;; + *-gould) + os=-sysv + ;; + *-highlevel) + os=-bsd + ;; + *-encore) + os=-bsd + ;; + *-sgi) + os=-irix + ;; + *-siemens) + os=-sysv4 + ;; + *-masscomp) + os=-rtu + ;; + f301-fujitsu) + os=-uxpv + ;; + *-rom68k) + os=-coff + ;; + *-*bug) + os=-coff + ;; + *-apple) + os=-macos + ;; + *-atari*) + os=-mint + ;; + *) + os=-none + ;; +esac +fi + +# Here we handle the case where we know the os, and the CPU type, but not the +# manufacturer. We pick the logical manufacturer. 
+vendor=unknown
+case $basic_machine in
+ *-unknown)
+ case $os in
+ -riscix*)
+ vendor=acorn
+ ;;
+ -sunos*)
+ vendor=sun
+ ;;
+ -aix*)
+ vendor=ibm
+ ;;
+ -beos*)
+ vendor=be
+ ;;
+ -hpux*)
+ vendor=hp
+ ;;
+ -mpeix*)
+ vendor=hp
+ ;;
+ -hiux*)
+ vendor=hitachi
+ ;;
+ -unos*)
+ vendor=crds
+ ;;
+ -dgux*)
+ vendor=dg
+ ;;
+ -luna*)
+ vendor=omron
+ ;;
+ -genix*)
+ vendor=ns
+ ;;
+ -mvs* | -opened*)
+ vendor=ibm
+ ;;
+ -ptx*)
+ vendor=sequent
+ ;;
+ -vxsim* | -vxworks*)
+ vendor=wrs
+ ;;
+ -aux*)
+ vendor=apple
+ ;;
+ -hms*)
+ vendor=hitachi
+ ;;
+ -mpw* | -macos*)
+ vendor=apple
+ ;;
+ -*mint | -*MiNT)
+ vendor=atari
+ ;;
+ esac
+ basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
+ ;;
+esac
+
+echo $basic_machine$os
+exit 0
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "version='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff -ruN --exclude CVS ssh-openbsd-2000070100/configure.in openssh-2.1.1p2/configure.in
--- ssh-openbsd-2000070100/configure.in Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/configure.in Sat Jul 1 16:52:55 2000
@@ -0,0 +1,1353 @@ +AC_INIT(ssh.c) + +AC_CONFIG_HEADER(config.h) +AC_PROG_CC +AC_CANONICAL_HOST + +# Checks for programs. +AC_PROG_CPP +AC_PROG_RANLIB +AC_PROG_INSTALL +AC_CHECK_PROG(AR, ar, ar) +AC_PATH_PROG(PERL, perl) +AC_SUBST(PERL) +AC_PATH_PROG(ENT, ent) +AC_SUBST(ENT) + +if test -z "$LD" ; then + LD=$CC +fi +AC_SUBST(LD) + +# C Compiler features +AC_C_INLINE +if test "$GCC" = "yes"; then + CFLAGS="$CFLAGS -Wall" +fi + +# Check for some target-specific stuff +case "$host" in +*-*-aix*) + AFS_LIBS="-lld" + CFLAGS="$CFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS -L/usr/local/lib" + if (test "$LD" != "gcc" && test -z "$blibpath"); then + blibpath="/usr/lib:/lib:/usr/local/lib" + fi + AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)]) + AC_DEFINE(BROKEN_GETADDRINFO) + MANTYPE='$(CATMAN)' + mansubdir=cat + dnl AIX handles lastlog as part of its login message + AC_DEFINE(DISABLE_LASTLOG) + ;; +*-*-hpux10*) + if test -z "$GCC"; then + CFLAGS="$CFLAGS -Ae" + fi + CFLAGS="$CFLAGS -D_HPUX_SOURCE" + AC_DEFINE(IPADDR_IN_DISPLAY) + AC_MSG_CHECKING(for HPUX trusted system password database) + if test -f /tcb/files/auth/system/default; then + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_HPUX_TRUSTED_SYSTEM_PW) + LIBS="$LIBS -lsec" + AC_MSG_WARN([This configuration is untested]) + else + AC_MSG_RESULT(no) + AC_DEFINE(DISABLE_SHADOW) + fi + MANTYPE='$(CATMAN)' + mansubdir=cat + ;; +*-*-hpux11*) + if test -z "$GCC"; then + CFLAGS="$CFLAGS -Ae" + fi + CFLAGS="$CFLAGS -D_HPUX_SOURCE" + AC_DEFINE(IPADDR_IN_DISPLAY) + AC_MSG_CHECKING(for HPUX trusted system password database) + if test -f /tcb/files/auth/system/default; then + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_HPUX_TRUSTED_SYSTEM_PW) + LIBS="$LIBS -lsec" + AC_MSG_WARN([This configuration is untested]) + else + AC_MSG_RESULT(no) + AC_DEFINE(DISABLE_SHADOW) + fi + MANTYPE='$(CATMAN)' + mansubdir=cat + ;; +*-*-irix5*) + CFLAGS="$CFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS" + MANTYPE='$(CATMAN)' + no_libsocket=1 + 
no_libnsl=1 + ;; +*-*-irix6*) + CFLAGS="$CFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS" + MANTYPE='$(CATMAN)' + AC_DEFINE(WITH_IRIX_ARRAY) + AC_DEFINE(WITH_IRIX_PROJECT) + AC_DEFINE(WITH_IRIX_AUDIT) + no_libsocket=1 + no_libnsl=1 + ;; +*-*-linux*) + no_dev_ptmx=1 + AC_DEFINE(DONT_TRY_OTHER_AF) + inet6_default_4in6=yes + ;; +*-*-netbsd*) + need_dash_r=1 + ;; +*-next-*) + # hardwire lastlog location (can't detect it on some versions) + conf_lastlog_location="/usr/adm/lastlog" + AC_DEFINE(HAVE_NEXT) + CFLAGS="$CFLAGS -I/usr/local/include" + MAIL=/usr/spool/mail + conf_utmp_location=/etc/utmp + AC_MSG_WARN([*** Tested: PA-RISC/m68k Untested: Sparc/Intel]) + AC_MSG_WARN([*** Expect 'scp' to fail!]) + AC_MSG_WARN([*** Please report any problems, thanks]) + ;; +*-*-solaris*) + CFLAGS="$CFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib -L/usr/ucblib -R/usr/ucblib" + need_dash_r=1 + # hardwire lastlog location (can't detect it on some versions) + conf_lastlog_location="/var/adm/lastlog" + AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x) + sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'` + if test "$sol2ver" -ge 8; then + AC_MSG_RESULT(yes) + AC_DEFINE(DISABLE_UTMP) + AC_DEFINE(DISABLE_WTMP) + else + AC_MSG_RESULT(no) + fi + ;; +*-*-sunos4*) + CFLAGS="$CFLAGS -DSUNOS4" + AC_CHECK_FUNCS(getpwanam) + ;; +*-*-sysv*) + CFLAGS="$CFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS -L/usr/local/lib" + MANTYPE='$(CATMAN)' + mansubdir=cat + LIBS="$LIBS -lgen -lsocket" + ;; +*-*-sco3*) + CFLAGS="$CFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS -L/usr/local/lib" + MANTYPE='$(CATMAN)' + mansubdir=cat + LIBS="$LIBS -lgen -lsocket" + no_dev_ptmx=1 + ;; +*-dec-osf*) +# This is untested + if test ! 
-z "USE_SIA" ; then + AC_MSG_CHECKING(for Digital Unix Security Integration Architecture) + if test -f /etc/sia/matrix.conf; then + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_OSF_SIA) + AC_DEFINE(DISABLE_LOGIN) + LIBS="$LIBS -lsecurity -ldb -lm -laud" + else + AC_MSG_RESULT(no) + fi + fi + ;; +esac + +# Allow user to specify flags +AC_ARG_WITH(cflags, + [ --with-cflags Specify additional flags to pass to compiler], + [ + if test "x$withval" != "xno" ; then + CFLAGS="$CFLAGS $withval" + fi + ] +) +AC_ARG_WITH(ldflags, + [ --with-ldlags Specify additional flags to pass to linker], + [ + if test "x$withval" != "xno" ; then + LDFLAGS="$LDFLAGS $withval" + fi + ] +) +AC_ARG_WITH(libs, + [ --with-libs Specify additional libraries to link with], + [ + if test "x$withval" != "xno" ; then + LIBS="$LIBS $withval" + fi + ] +) + + +# Checks for libraries. +AC_CHECK_LIB(z, deflate, ,AC_MSG_ERROR([*** zlib missing - please install first ***])) +AC_CHECK_LIB(util, login, AC_DEFINE(HAVE_LIBUTIL_LOGIN) LIBS="$LIBS -lutil") + +if test -z "$no_libsocket" ; then + AC_CHECK_LIB(nsl, yp_match, , ) +fi +if test -z "$no_libnsl" ; then + AC_CHECK_LIB(socket, main, , ) +fi + +# Checks for header files. +AC_CHECK_HEADERS(bstring.h endian.h lastlog.h limits.h login.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h time.h util.h utmp.h utmpx.h) + +# Checks for library functions. 
+AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage innetgr md5_crypt memmove mkdtemp on_exit openpty rresvport_af setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy vsnprintf vhangup _getpty __b64_ntop) +dnl checks for time functions +AC_CHECK_FUNCS(gettimeofday time) +dnl checks for libutil functions +AC_CHECK_FUNCS(login logout updwtmp logwtmp) +dnl checks for utmp functions +AC_CHECK_FUNCS(entutent getutent getutid getutline pututline setutent) +AC_CHECK_FUNCS(utmpname) +dnl checks for utmpx functions +AC_CHECK_FUNCS(entutxent getutxent getutxid getutxline pututxline ) +AC_CHECK_FUNCS(setutxent utmpxname) + +AC_CHECK_FUNC(login, + [AC_DEFINE(HAVE_LOGIN)], + [AC_CHECK_LIB(bsd, login, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_LOGIN)])] +) + +AC_CHECK_FUNC(daemon, + [AC_DEFINE(HAVE_DAEMON)], + [AC_CHECK_LIB(bsd, daemon, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)])] +) + +AC_CHECK_FUNC(getpagesize, + [AC_DEFINE(HAVE_GETPAGESIZE)], + [AC_CHECK_LIB(ucb, getpagesize, [LIBS="$LIBS -lucb"; AC_DEFINE(HAVE_GETPAGESIZE)])] +) + +# Check for broken snprintf +if test "x$ac_cv_func_snprintf" = "xyes" ; then + AC_MSG_CHECKING([whether snprintf correctly terminates long strings]) + AC_TRY_RUN( + [ +#include +int main(void){char b[5];snprintf(b,5,"123456789");return(b[4]!='\0');} + ], + [AC_MSG_RESULT(yes)], + [ + AC_MSG_RESULT(no) + AC_DEFINE(BROKEN_SNPRINTF) + AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor]) + ] + ) +fi + +PAM_MSG="no" +AC_ARG_WITH(pam, + [ --without-pam Disable PAM support ], + [ + if test "x$withval" = "xno" ; then + no_pam=1 + AC_DEFINE(DISABLE_PAM) + PAM_MSG="disabled" + fi + ] +) +if (test -z "$no_pam" && test "x$ac_cv_header_security_pam_appl_h" = "xyes") ; then + AC_CHECK_LIB(dl, dlopen, , ) + LIBS="$LIBS -lpam" + + AC_CHECK_FUNCS(pam_getenvlist) + + disable_shadow=yes + + PAM_MSG="yes" + + # Check PAM strerror arguments (old 
PAM) + AC_MSG_CHECKING([whether pam_strerror takes only one argument]) + AC_TRY_COMPILE( + [ +#include +#include + ], + [(void)pam_strerror((pam_handle_t *)NULL, -1);], + [AC_MSG_RESULT(no)], + [ + AC_DEFINE(HAVE_OLD_PAM) + AC_MSG_RESULT(yes) + PAM_MSG="yes (old library)" + ] + ) +fi + +# The big search for OpenSSL +AC_ARG_WITH(ssl-dir, + [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], + [ + if test "x$withval" != "$xno" ; then + tryssldir=$withval + fi + ] +) + +saved_LIBS="$LIBS" +saved_LDFLAGS="$LDFLAGS" +saved_CFLAGS="$CFLAGS" +if test "x$prefix" != "xNONE" ; then + tryssldir="$tryssldir $prefix" +fi +AC_CACHE_CHECK([for OpenSSL directory], ac_cv_openssldir, [ + + for ssldir in "" $tryssldir /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do + if test ! -z "$ssldir" ; then + LDFLAGS="$saved_LDFLAGS -L$ssldir/lib -L$ssldir" + CFLAGS="$saved_CFLAGS -I$ssldir/include" + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R$ssldir/lib -R$ssldir" + fi + else + LDFLAGS="$saved_LDFLAGS" + fi + + LIBS="$saved_LIBS -lcrypto" + + # Basic test to check for compatible version and correct linking + # *does not* test for RSA - that comes later. + AC_TRY_RUN( + [ +#include +#include +int main(void) +{ + char a[2048]; + memset(a, 0, sizeof(a)); + RAND_add(a, sizeof(a), sizeof(a)); + return(RAND_status() <= 0); +} + ], + [ + found_crypto=1 + break; + ], [] + ) + + if test ! -z "$found_crypto" ; then + break; + fi + done + + if test -z "$found_crypto" ; then + AC_MSG_ERROR([Could not find working SSLeay / OpenSSL libraries, please install]) + fi + if test -z "$ssldir" ; then + ssldir="(system)" + fi + + ac_cv_openssldir=$ssldir +]) + +if (test ! 
-z "$ac_cv_openssldir" && test "x$ac_cv_openssldir" != "x(system)") ; then + AC_DEFINE(HAVE_OPENSSL) + dnl Need to recover ssldir - test above runs in subshell + ssldir=$ac_cv_openssldir + CFLAGS="$saved_CFLAGS -I$ssldir/include" + LDFLAGS="$saved_LDFLAGS -L$ssldir/lib -L$ssldir" + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R$ssldir/lib -R$ssldir" + fi + if test ! -z "$blibpath" ; then + blibpath="$blibpath:$ssldir:$ssldir/lib" + fi +fi +LIBS="$saved_LIBS -lcrypto" + +# Now test RSA support +saved_LIBS="$LIBS" +AC_MSG_CHECKING([for RSA support]) +for WANTS_RSAREF in "" 1 ; do + if test -z "$WANTS_RSAREF" ; then + LIBS="$saved_LIBS" + else + LIBS="$saved_LIBS -lRSAglue -lrsaref" + fi + AC_TRY_RUN([ +#include +#include +#include +#include +#include +int main(void) +{ + int num; RSA *key; static unsigned char p_in[] = "blahblah"; + unsigned char c[256], p[256]; + memset(c, 0, sizeof(c)); RAND_add(c, sizeof(c), sizeof(c)); + if ((key=RSA_generate_key(512, 3, NULL, NULL))==NULL) return(1); + num = RSA_public_encrypt(sizeof(p_in) - 1, p_in, c, key, RSA_PKCS1_PADDING); + return(-1 == RSA_private_decrypt(num, c, p, key, RSA_PKCS1_PADDING)); +} + ], + [ + rsa_works=1 + break; + ], []) +done + +if test ! 
-z "$no_rsa" ; then + AC_MSG_RESULT(disabled) + RSA_MSG="disabled" +else + if test -z "$rsa_works" ; then + AC_MSG_WARN([*** No RSA support found *** ]) + RSA_MSG="no" + else + if test -z "$WANTS_RSAREF" ; then + AC_MSG_RESULT(yes) + RSA_MSG="yes" + else + RSA_MSG="yes (using RSAref)" + AC_MSG_RESULT(using RSAref) + LIBS="$saved_LIBS -lcrypto -lRSAglue -lrsaref" + fi + fi +fi + +# Checks for data types +AC_CHECK_SIZEOF(char, 1) +AC_CHECK_SIZEOF(short int, 2) +AC_CHECK_SIZEOF(int, 4) +AC_CHECK_SIZEOF(long int, 4) +AC_CHECK_SIZEOF(long long int, 8) + +# More checks for data types +AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [ + AC_TRY_COMPILE( + [ #include ], + [ int8_t a; int16_t b; int32_t c; a = b = c = 1;], + [ ac_cv_have_intxx_t="yes" ], + [ ac_cv_have_intxx_t="no" ] + ) +]) +if test "x$ac_cv_have_intxx_t" = "xyes" ; then + AC_DEFINE(HAVE_INTXX_T) + have_intxx_t=1 +fi + +AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [ + AC_TRY_COMPILE( + [ #include ], + [ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;], + [ ac_cv_have_u_intxx_t="yes" ], + [ ac_cv_have_u_intxx_t="no" ] + ) +]) +if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then + AC_DEFINE(HAVE_U_INTXX_T) + have_u_intxx_t=1 +fi + + +if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \ + test "x$ac_cv_header_sys_bitypes_h" = "xyes") +then + AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h]) + AC_TRY_COMPILE( + [ +#include + ], + [ + int8_t a; int16_t b; int32_t c; + u_int8_t e; u_int16_t f; u_int32_t g; + a = b = c = e = f = g = 1; + ], + [ + AC_DEFINE(HAVE_U_INTXX_T) + AC_DEFINE(HAVE_INTXX_T) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] + ) +fi + +if test -z "$have_u_intxx_t" ; then + AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [ + AC_TRY_COMPILE( + [ +#include + ], + [ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1; ], + [ ac_cv_have_uintxx_t="yes" ], + [ ac_cv_have_uintxx_t="no" ] + ) + ]) + if test "x$ac_cv_have_uintxx_t" = "xyes" ; 
then + AC_DEFINE(HAVE_UINTXX_T) + fi +fi + +AC_CACHE_CHECK([for socklen_t], ac_cv_have_socklen_t, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [socklen_t foo; foo = 1235;], + [ ac_cv_have_socklen_t="yes" ], + [ ac_cv_have_socklen_t="no" ] + ) +]) +if test "x$ac_cv_have_socklen_t" = "xyes" ; then + AC_DEFINE(HAVE_SOCKLEN_T) +fi + +AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [ + AC_TRY_COMPILE( + [ +#include + ], + [ size_t foo; foo = 1235; ], + [ ac_cv_have_size_t="yes" ], + [ ac_cv_have_size_t="no" ] + ) +]) +if test "x$ac_cv_have_size_t" = "xyes" ; then + AC_DEFINE(HAVE_SIZE_T) +fi + +AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [ + AC_TRY_COMPILE( + [ +#include + ], + [ ssize_t foo; foo = 1235; ], + [ ac_cv_have_ssize_t="yes" ], + [ ac_cv_have_ssize_t="no" ] + ) +]) +if test "x$ac_cv_have_ssize_t" = "xyes" ; then + AC_DEFINE(HAVE_SSIZE_T) +fi + +AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ sa_family_t foo; foo = 1235; ], + [ ac_cv_have_sa_family_t="yes" ], + [ ac_cv_have_sa_family_t="no" ] + ) +]) +if test "x$ac_cv_have_sa_family_t" = "xyes" ; then + AC_DEFINE(HAVE_SA_FAMILY_T) +fi + +AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [ + AC_TRY_COMPILE( + [ +#include + ], + [ pid_t foo; foo = 1235; ], + [ ac_cv_have_pid_t="yes" ], + [ ac_cv_have_pid_t="no" ] + ) +]) +if test "x$ac_cv_have_pid_t" = "xyes" ; then + AC_DEFINE(HAVE_PID_T) +fi + +AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [ + AC_TRY_COMPILE( + [ +#include + ], + [ mode_t foo; foo = 1235; ], + [ ac_cv_have_mode_t="yes" ], + [ ac_cv_have_mode_t="no" ] + ) +]) +if test "x$ac_cv_have_mode_t" = "xyes" ; then + AC_DEFINE(HAVE_MODE_T) +fi + + +AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ struct sockaddr_storage s; ], + [ ac_cv_have_struct_sockaddr_storage="yes" ], + [ ac_cv_have_struct_sockaddr_storage="no" ] + ) +]) +if test 
"x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_SOCKADDR_STORAGE) +fi + +AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ struct sockaddr_in6 s; s.sin6_family = 0; ], + [ ac_cv_have_struct_sockaddr_in6="yes" ], + [ ac_cv_have_struct_sockaddr_in6="no" ] + ) +]) +if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_SOCKADDR_IN6) +fi + +AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ struct in6_addr s; s.s6_addr[0] = 0; ], + [ ac_cv_have_struct_in6_addr="yes" ], + [ ac_cv_have_struct_in6_addr="no" ] + ) +]) +if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_IN6_ADDR) +fi + +AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [ + AC_TRY_COMPILE( + [ +#include +#include +#include + ], + [ struct addrinfo s; s.ai_flags = AI_PASSIVE; ], + [ ac_cv_have_struct_addrinfo="yes" ], + [ ac_cv_have_struct_addrinfo="no" ] + ) +]) +if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_ADDRINFO) +fi + + +# Checks for structure members + +OSSH_CHECK_HEADER_FOR_FIELD(ut_host, utmp.h, HAVE_HOST_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_host, utmpx.h, HAVE_HOST_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(syslen, utmpx.h, HAVE_SYSLEN_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(ut_pid, utmp.h, HAVE_PID_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_type, utmp.h, HAVE_TYPE_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_type, utmpx.h, HAVE_TYPE_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(ut_tv, utmp.h, HAVE_TV_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_id, utmp.h, HAVE_ID_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_id, utmpx.h, HAVE_ID_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(ut_addr, utmp.h, HAVE_ADDR_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_addr, utmpx.h, HAVE_ADDR_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(ut_addr_v6, utmp.h, HAVE_ADDR_V6_IN_UTMP) 
+OSSH_CHECK_HEADER_FOR_FIELD(ut_addr_v6, utmpx.h, HAVE_ADDR_V6_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(ut_exit, utmp.h, HAVE_EXIT_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_time, utmp.h, HAVE_TIME_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_time, utmpx.h, HAVE_TIME_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(ut_tv, utmpx.h, HAVE_TV_IN_UTMPX) + +AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage], + ac_cv_have_ss_family_in_struct_ss, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ struct sockaddr_storage s; s.ss_family = 1; ], + [ ac_cv_have_ss_family_in_struct_ss="yes" ], + [ ac_cv_have_ss_family_in_struct_ss="no" ], + ) +]) +if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then + AC_DEFINE(HAVE_SS_FAMILY_IN_SS) +fi + +AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage], + ac_cv_have___ss_family_in_struct_ss, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ struct sockaddr_storage s; s.__ss_family = 1; ], + [ ac_cv_have___ss_family_in_struct_ss="yes" ], + [ ac_cv_have___ss_family_in_struct_ss="no" ] + ) +]) +if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then + AC_DEFINE(HAVE___SS_FAMILY_IN_SS) +fi + + +AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [ + AC_TRY_LINK([], + [ extern char *__progname; printf("%s", __progname); ], + [ ac_cv_libc_defines___progname="yes" ], + [ ac_cv_libc_defines___progname="no" ] + ) +]) +if test "x$ac_cv_libc_defines___progname" = "xyes" ; then + AC_DEFINE(HAVE___PROGNAME) +fi + + +# Looking for programs, paths and files +AC_ARG_WITH(rsh, + [ --with-rsh=PATH Specify path to remote shell program ], + [ + if test "x$withval" != "$no" ; then + rsa_path=$withval + fi + ], + [ + AC_PATH_PROG(rsh_path, rsh) + ] +) + +AC_ARG_WITH(xauth, + [ --with-xauth=PATH Specify path to xauth program ], + [ + if test "x$withval" != "$xno" ; then + xauth_path=$withval + fi + ], + [ + AC_PATH_PROG(xauth_path, xauth) + if (test ! 
-z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then + xauth_path="/usr/openwin/bin/xauth" + fi + ] +) + +if test ! -z "$xauth_path" ; then + AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path") +fi +if test ! -z "$rsh_path" ; then + AC_DEFINE_UNQUOTED(RSH_PATH, "$rsh_path") +fi + +# Check for mail directory (last resort if we cannot get it from headers) +if test ! -z "$MAIL" ; then + maildir=`dirname $MAIL` + AC_DEFINE_UNQUOTED(MAIL_DIRECTORY, "$maildir") +fi + +if test -z "$no_dev_ptmx" ; then + AC_CHECK_FILE("/dev/ptmx", + [ + AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX) + have_dev_ptmx=1 + ] + ) +fi +AC_CHECK_FILE("/dev/ptc", + [ + AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC) + have_dev_ptc=1 + ] +) + +# Options from here on. Some of these are preset by platform above + +# Check for user-specified random device, otherwise check /dev/urandom +AC_ARG_WITH(random, + [ --with-random=FILE read randomness from FILE (default=/dev/urandom)], + [ + if test "x$withval" != "xno" ; then + RANDOM_POOL="$withval"; + AC_DEFINE_UNQUOTED(RANDOM_POOL, "$RANDOM_POOL") + fi + ], + [ + # Check for random device + AC_CHECK_FILE("/dev/urandom", + [ + RANDOM_POOL="/dev/urandom"; + AC_SUBST(RANDOM_POOL) + AC_DEFINE_UNQUOTED(RANDOM_POOL, "$RANDOM_POOL") + ] + ) + ] +) + +# Check for EGD pool file +AC_ARG_WITH(egd-pool, + [ --with-egd-pool=FILE read randomness from EGD pool FILE (default none)], + [ + if test "x$withval" != "xno" ; then + EGD_SOCKET="$withval"; + AC_DEFINE_UNQUOTED(EGD_SOCKET, "$EGD_SOCKET") + fi + ] +) + +# detect pathnames for entropy gathering commands, if we need them +INSTALL_SSH_PRNG_CMDS="" +rm -f prng_commands +if (test -z "$RANDOM_POOL" && test -z "$EGD_SOCKET") ; then + # Use these commands to collect entropy + OSSH_PATH_ENTROPY_PROG(PROG_LS, ls) + OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat) + OSSH_PATH_ENTROPY_PROG(PROG_ARP, arp) + OSSH_PATH_ENTROPY_PROG(PROG_IFCONFIG, ifconfig) + OSSH_PATH_ENTROPY_PROG(PROG_PS, ps) + OSSH_PATH_ENTROPY_PROG(PROG_W, w) + 
OSSH_PATH_ENTROPY_PROG(PROG_WHO, who) + OSSH_PATH_ENTROPY_PROG(PROG_LAST, last) + OSSH_PATH_ENTROPY_PROG(PROG_LASTLOG, lastlog) + OSSH_PATH_ENTROPY_PROG(PROG_DF, df) + OSSH_PATH_ENTROPY_PROG(PROG_VMSTAT, vmstat) + OSSH_PATH_ENTROPY_PROG(PROG_UPTIME, uptime) + OSSH_PATH_ENTROPY_PROG(PROG_IPCS, ipcs) + OSSH_PATH_ENTROPY_PROG(PROG_TAIL, tail) + OSSH_PATH_ENTROPY_PROG(PROG_LS, ls) + + INSTALL_SSH_PRNG_CMDS="yes" +fi +AC_SUBST(INSTALL_SSH_PRNG_CMDS) + + +AC_ARG_WITH(catman, + [ --with-catman=man|cat Install preformatted manpages[no]], + [ + MANTYPE='$(CATMAN)' + if test x"$withval" != x"yes" ; then + mansubdir=$withval + else + mansubdir=cat + fi + ], [ + if test -z "$MANTYPE" ; then + MANTYPE='$(TROFFMAN)' + mansubdir=man + fi + ] +) +AC_SUBST(MANTYPE) +AC_SUBST(mansubdir) + +# Check whether user wants Kerberos support +KRB4_MSG="no" +AC_ARG_WITH(kerberos4, + [ --with-kerberos4=PATH Enable Kerberos 4 support], + [ + if test "x$withval" != "xno" ; then + + if test "x$withval" != "$xyes" ; then + CFLAGS="$CFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R${withval}/lib" + fi + if test ! 
-z "$blibpath" ; then + blibpath="$blibpath:${withval}/lib" + fi + else + if test -d /usr/include/kerberosIV ; then + CFLAGS="$CFLAGS -I/usr/include/kerberosIV" + fi + fi + + AC_CHECK_HEADERS(krb.h) + AC_CHECK_LIB(krb, main) + if test "$ac_cv_header_krb_h" != yes; then + AC_MSG_WARN([Cannot find krb.h, build may fail]) + fi + if test "$ac_cv_lib_krb_main" != yes; then + AC_MSG_WARN([Cannot find libkrb, build may fail]) + fi + + KLIBS="-lkrb -ldes" + AC_CHECK_LIB(resolv, dn_expand, , ) + KRB4=yes + KRB4_MSG="yes" + AC_DEFINE(KRB4) + fi + ] +) + +# Check whether user wants AFS support +AFS_MSG="no" +AC_ARG_WITH(afs, + [ --with-afs=PATH Enable AFS support], + [ + if test "x$withval" != "xno" ; then + + if test "x$withval" != "$xyes" ; then + CFLAGS="$CFLAGS -I${withval}/include" + LFLAGS="$LFLAGS -L${withval}/lib" + fi + + if test -z "$KRB4" ; then + AC_MSG_WARN([AFS requires Kerberos IV support, build may fail]) + fi + + LIBS="$LIBS -lkafs" + if test ! -z "$AFS_LIBS" ; then + LIBS="$LIBS $AFS_LIBS" + fi + AC_DEFINE(AFS) + AFS_MSG="yes" + fi + ] +) +LIBS="$LIBS $KLIBS" + +# Check whether user wants S/Key support +SKEY_MSG="no" +AC_ARG_WITH(skey, + [ --with-skey Enable S/Key support], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE(SKEY) + LIBS="$LIBS -lskey" + SKEY_MSG="yes" + fi + ] +) + +# Check whether user wants TCP wrappers support +TCPW_MSG="no" +AC_ARG_WITH(tcp-wrappers, + [ --with-tcp-wrappers Enable tcpwrappers support], + [ + if test "x$withval" != "xno" ; then + saved_LIBS="$LIBS" + LIBS="$LIBS -lwrap" + AC_MSG_CHECKING(for libwrap) + AC_TRY_LINK( + [ +#include + int deny_severity = 0, allow_severity = 0; + ], + [hosts_access(0);], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(LIBWRAP) + TCPW_MSG="yes" + ], + [ + AC_MSG_ERROR([*** libwrap missing]) + ] + ) + fi + ] +) + +# Check whether to enable MD5 passwords +MD5_MSG="no" +AC_ARG_WITH(md5-passwords, + [ --with-md5-passwords Enable use of MD5 passwords], + [ + if test "x$withval" != "xno" ; then + 
AC_DEFINE(HAVE_MD5_PASSWORDS) + MD5_MSG="yes" + fi + ] +) + +# Whether to disable shadow password support +AC_ARG_WITH(shadow, + [ --without-shadow Disable shadow password support], + [ + if test "x$withval" = "xno" ; then + AC_DEFINE(DISABLE_SHADOW) + disable_shadow=yes + fi + ] +) + +if test -z "$disable_shadow" ; then + AC_MSG_CHECKING([if the systems has expire shadow information]) + AC_TRY_COMPILE( + [ +#include +#include + struct spwd sp; + ],[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ], + [ sp_expire_available=yes ], [] + ) + + if test "x$sp_expire_available" = "xyes" ; then + AC_MSG_RESULT(yes) + AC_DEFINE(HAS_SHADOW_EXPIRE) + else + AC_MSG_RESULT(no) + fi +fi + +# Use ip address instead of hostname in $DISPLAY +DISPLAY_HACK_MSG="no" +AC_ARG_WITH(ipaddr-display, + [ --with-ipaddr-display Use ip address instead of hostname in \$DISPLAY], + [ + if test "x$withval" = "xno" ; then + AC_DEFINE(IPADDR_IN_DISPLAY) + DISPLAY_HACK_MSG="yes" + fi + ] +) + +# Whether to mess with the default path +SERVER_PATH_MSG="(default)" +AC_ARG_WITH(default-path, + [ --with-default-path=PATH Specify default \$PATH environment for server], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE_UNQUOTED(USER_PATH, "$withval") + SERVER_PATH_MSG="$withval" + fi + ] +) + +# Whether to force IPv4 by default (needed on broken glibc Linux) +IPV4_HACK_MSG="no" +AC_ARG_WITH(ipv4-default, + [ --with-ipv4-default Use IPv4 by connections unless '-6' specified], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE(IPV4_DEFAULT) + IPV4_HACK_MSG="yes" + fi + ] +) + +AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses]) +IPV4_IN6_HACK_MSG="no" +AC_ARG_WITH(4in6, + [ --with-4in6 Check for and convert IPv4 in IPv6 mapped addresses], + [ + if test "x$withval" != "xno" ; then + AC_MSG_RESULT(yes) + AC_DEFINE(IPV4_IN_IPV6) + IPV4_IN6_HACK_MSG="yes" + else + AC_MSG_RESULT(no) + fi + ],[ + if test "x$inet6_default_4in6" = "xyes"; then + AC_MSG_RESULT([yes (default)]) + 
AC_DEFINE(IPV4_IN_IPV6) + IPV4_IN6_HACK_MSG="yes" + else + AC_MSG_RESULT([no (default)]) + fi + ] +) + +# Where to place sshd.pid +piddir=/var/run +AC_ARG_WITH(pid-dir, + [ --with-pid-dir=PATH Specify location of ssh.pid file], + [ + if test "x$withval" != "xno" ; then + piddir=$withval + fi + ] +) + +AC_DEFINE_UNQUOTED(PIDDIR, "$piddir") +AC_SUBST(piddir) + +dnl allow user to disable some login recording features +AC_ARG_ENABLE(lastlog, + [ --disable-lastlog disable use of lastlog even if detected [no]], + [ AC_DEFINE(DISABLE_LASTLOG) ] +) +AC_ARG_ENABLE(utmp, + [ --disable-utmp disable use of utmp even if detected [no]], + [ AC_DEFINE(DISABLE_UTMP) ] +) +AC_ARG_ENABLE(utmpx, + [ --disable-utmpx disable use of utmpx even if detected [no]], + [ AC_DEFINE(DISABLE_UTMPX) ] +) +AC_ARG_ENABLE(wtmp, + [ --disable-wtmp disable use of wtmp even if detected [no]], + [ AC_DEFINE(DISABLE_WTMP) ] +) +AC_ARG_ENABLE(wtmpx, + [ --disable-wtmpx disable use of wtmpx even if detected [no]], + [ AC_DEFINE(DISABLE_WTMPX) ] +) +AC_ARG_ENABLE(libutil, + [ --disable-libutil disable use of libutil (login() etc.) [no]], + [ AC_DEFINE(DISABLE_LOGIN) ] +) +AC_ARG_ENABLE(pututline, + [ --disable-pututline disable use of pututline() etc. ([uw]tmp) [no]], + [ AC_DEFINE(DISABLE_PUTUTLINE) ] +) +AC_ARG_ENABLE(pututxline, + [ --disable-pututxline disable use of pututxline() etc. ([uw]tmpx) [no]], + [ AC_DEFINE(DISABLE_PUTUTXLINE) ] +) +AC_ARG_WITH(lastlog, + [ --with-lastlog=FILE|DIR specify lastlog location [common locations]], + [ conf_lastlog_location="$withval"; ],) + +dnl lastlog, [uw]tmpx? 
detection +dnl NOTE: set the paths in the platform section to avoid the +dnl need for command-line parameters +dnl lastlog and [uw]tmp are subject to a file search if all else fails + +dnl lastlog detection +dnl NOTE: the code itself will detect if lastlog is a directory +AC_MSG_CHECKING([if your system defines LASTLOG_FILE]) +AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_LASTLOG_H +# include +#endif +#ifdef HAVE_PATHS_H +# include +#endif + ], + [ char *lastlog = LASTLOG_FILE; ], + [ AC_MSG_RESULT(yes) ], + [ + AC_MSG_RESULT(no) + AC_MSG_CHECKING([if your system defines _PATH_LASTLOG]) + AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_LASTLOG_H +# include +#endif +#ifdef HAVE_PATHS_H +# include +#endif + ], + [ char *lastlog = _PATH_LASTLOG; ], + [ AC_MSG_RESULT(yes) ], + [ + AC_MSG_RESULT(no) + system_lastlog_path=no + ]) + ] +) + +if test -z "$conf_lastlog_location"; then + if test x"$system_lastlog_path" = x"no" ; then + for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do + if (test -d "$f" || test -f "$f") ; then + conf_lastlog_location=$f + fi + done + if test -z "$conf_lastlog_location"; then + AC_MSG_WARN([** Cannot find lastlog **]) + dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx + fi + fi +fi + +if test -n "$conf_lastlog_location"; then + AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, "$conf_lastlog_location") +fi + +dnl utmp detection +AC_MSG_CHECKING([if your system defines UTMP_FILE]) +AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_PATHS_H +# include +#endif + ], + [ char *utmp = UTMP_FILE; ], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) + system_utmp_path=no ] +) +if test -z "$conf_utmp_location"; then + if test x"$system_utmp_path" = x"no" ; then + for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do + if test -f $f ; then + conf_utmp_location=$f + fi + done + if test -z "$conf_utmp_location"; then + AC_DEFINE(DISABLE_UTMP) + fi + fi +fi +if test -n "$conf_utmp_location"; then + 
AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location") +fi + +dnl wtmp detection +AC_MSG_CHECKING([if your system defines WTMP_FILE]) +AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_PATHS_H +# include +#endif + ], + [ char *wtmp = WTMP_FILE; ], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) + system_wtmp_path=no ] +) +if test -z "$conf_wtmp_location"; then + if test x"$system_wtmp_path" = x"no" ; then + for f in /usr/adm/wtmp /var/log/wtmp; do + if test -f $f ; then + conf_wtmp_location=$f + fi + done + if test -z "$conf_wtmp_location"; then + AC_DEFINE(DISABLE_WTMP) + fi + fi +fi +if test -n "$conf_wtmp_location"; then + AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location") +fi + + +dnl utmpx detection - I don't know any system so perverse as to require +dnl utmpx, but not define UTMPX_FILE (ditto wtmpx.) No doubt it's out +dnl there, though. +AC_MSG_CHECKING([if your system defines UTMPX_FILE]) +AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_UTMPX_H +#include +#endif +#ifdef HAVE_PATHS_H +# include +#endif + ], + [ char *utmpx = UTMPX_FILE; ], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) + system_utmpx_path=no ] +) +if test -z "$conf_utmpx_location"; then + if test x"$system_utmpx_path" = x"no" ; then + AC_DEFINE(DISABLE_UTMPX) + fi +else + AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location") +fi + +dnl wtmpx detection +AC_MSG_CHECKING([if your system defines WTMPX_FILE]) +AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_UTMPX_H +#include +#endif +#ifdef HAVE_PATHS_H +# include +#endif + ], + [ char *wtmpx = WTMPX_FILE; ], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) + system_wtmpx_path=no ] +) +if test -z "$conf_wtmpx_location"; then + if test x"$system_wtmpx_path" = x"no" ; then + AC_DEFINE(DISABLE_WTMPX) + fi +else + AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location") +fi + + +# Change default command timeout for builtin PRNG +entropy_timeout=200 +AC_ARG_WITH(entropy-timeout, + [ --with-entropy-timeout Specify entropy 
gathering command timeout (msec)], + [ + if test "x$withval" != "xno" ; then + entropy_timeout=$withval + fi + ] +) +AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout) + + +if test ! -z "$blibpath" ; then + LDFLAGS="$LDFLAGS -blibpath:$blibpath" + AC_MSG_WARN([Please check and edit -blibpath in LDFLAGS in Makefile]) +fi + +AC_OUTPUT(Makefile ssh_prng_cmds) + +# Print summary of options + +if test x$MANTYPE = x'$(CATMAN)' ; then + MAN_MSG=cat +else + MAN_MSG=man +fi +if test ! -z "$RANDOM_POOL" ; then + RAND_MSG="Device ($RANDOM_POOL)" +else + if test ! -z "$EGD_SOCKET" ; then + RAND_MSG="EGD ($EGD_SOCKET)" + else + RAND_MSG="Builtin (timeout $entropy_timeout)" + fi +fi + +# Someone please show me a better way :) +A=`eval echo ${prefix}` ; A=`eval echo ${A}` +B=`eval echo ${bindir}` ; B=`eval echo ${B}` +C=`eval echo ${sbindir}` ; C=`eval echo ${C}` +D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}` +E=`eval echo ${libexecdir}/ssh/ssh-askpass` ; E=`eval echo ${E}` +F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}` +G=`eval echo ${piddir}` ; G=`eval echo ${G}` + +echo "" +echo "OpenSSH configured has been configured with the following options." 
+echo " User binaries: $B" +echo " System binaries: $C" +echo " Configuration files: $D" +echo " Askpass program: $E" +echo " Manual pages: $F" +echo " PID file: $G" +echo " Random number collection: $RAND_MSG" +echo " Manpage format: $MAN_MSG" +echo " PAM support: ${PAM_MSG}" +echo " KerberosIV support: $KRB4_MSG" +echo " AFS support: $AFS_MSG" +echo " S/KEY support: $SKEY_MSG" +echo " TCP Wrappers support: $TCPW_MSG" +echo " MD5 password support: $MD5_MSG" +echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" +echo " Use IPv4 by default hack: $IPV4_HACK_MSG" +echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" + +echo "" + +echo "Compiler flags: ${CFLAGS}" +echo "Linker flags: ${LDFLAGS}" +echo "Libraries: ${LIBS}" + +echo "" + diff -ruN --exclude CVS ssh-openbsd-2000070100/contrib/README openssh-2.1.1p2/contrib/README --- ssh-openbsd-2000070100/contrib/README Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/contrib/README Wed Mar 15 12:25:06 2000 
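Review bot: The `--with-rsh` handler never sets the path it documents: its condition compares `x$withval` against the unset variable `$no`, and the assignment goes to `rsa_path`, so `rsh_path` only ever comes from `AC_PATH_PROG`; it should read `if test "x$withval" != "xno" ; then` followed by `rsh_path=$withval`. The same unset-variable comparison (`"$xno"`, `"$xyes"`) appears in the `--with-ssl-dir`, `--with-xauth`, `--with-kerberos4` and `--with-afs` handlers, where it makes the test always true, so a bare `--with-kerberos4` adds `-I/yes/include` to CFLAGS, and the `--with-afs` handler additionally appends to `LFLAGS` rather than `LDFLAGS`; `"xno"`/`"xyes"` and `LDFLAGS` are meant in each. Two further option bugs sit in the same hunk: `--with-ipaddr-display` defines IPADDR_IN_DISPLAY only when `withval` is `no` (the test is inverted), and the `*-dec-osf*` branch tests the literal string `"USE_SIA"` rather than `"$USE_SIA"`, so the SIA probe runs unconditionally. Separately, the libnsl and libsocket probes are guarded by each other's skip variable (`no_libsocket` guards the nsl check and `no_libnsl` the socket check), which looks swapped relative to how the irix branches set them.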
@@ -0,0 +1,67 @@ +Other patches and addons for OpenSSH. Please send submissions to +djm@ibs.com.au + +In this directory +----------------- + +chroot.diff: + +Ricardo Cerqueira's patch to enable chrooting using the +wu-ftpd style magic home directories (containing '/./'). More details in +the head of the patch itself. + +make-ssh-known-hosts: + +Tero Kivinen's PERL script to generate +ssh_known_hosts files by trawling tjhrough the DNS. More details in the +manpage. + +ssh-copy-id: + +Phil Hands' shell script to automate the process of adding +your public key to a remote machine's ~/.ssh/authorized_keys file. + +gnome-ssh-askpass: + +A GNOME passphrase requester of my own creation. Compilation instructions +are in the top of the file. + +sshd.pam.generic: + +A generic PAM config file which may be useful on your system. YMMV + +sshd.pam.freebsd + +A PAM config file which works with FreeBSD's PAM port. Contributed by +Dominik Brettnacher + +redhat: + +RPM spec file an scripts for building Redhat packages + +suse: + +RPM spec file an scripts for building SuSE packages + + +Externally maintained +--------------------- + +liblogin: + +liblogin is Andre Lucas' cross platform login library. It handles all the +yucky details of wtmp, utmp and lastlog (which every OS vendor has +seen fit to implement differently) in one clean library. + +OpenSSH will require liblogin in the near future, but for now it is +recommended for users with login logging problems or curiosity. + +http://dspace.dial.pipex.com/andre.lucas/liblogin.html + +X11 SSH Askpass: + +Jim Knoble has written an excellent X11 +passphrase requester. This is highly recommended: + +http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html + diff -ruN --exclude CVS ssh-openbsd-2000070100/contrib/chroot.diff openssh-2.1.1p2/contrib/chroot.diff --- ssh-openbsd-2000070100/contrib/chroot.diff Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/contrib/chroot.diff Sun Apr 16 12:50:52 2000 
@@ -0,0 +1,61 @@ +From: Ricardo Cerqueira + +A patch to cause sshd to chroot when it encounters the magic token +'/./' in a users home directory. The directory portion before the +token is the directory to chroot() to, the portion after the +token is the user's home directory relative to the new root. + +Index: session.c +=================================================================== +RCS file: /var/cvs/openssh/session.c,v +retrieving revision 1.4 +diff -u -r1.4 session.c +--- session.c 2000/04/16 02:31:51 1.4 ++++ session.c 2000/04/16 02:47:55 +@@ -27,6 +27,8 @@ + #include "ssh2.h" + #include "auth.h" + ++#define CHROOT ++ + /* types */ + + #define TTYSZ 64 +@@ -783,6 +785,10 @@ + extern char **environ; + struct stat st; + char *argv[10]; ++#ifdef CHROOT ++ char *user_dir; ++ char *new_root; ++#endif /* CHROOT */ + + #ifndef USE_PAM /* pam_nologin handles this */ + f = fopen("/etc/nologin", "r"); +@@ -799,6 +805,26 @@ + /* Set login name in the kernel. */ + if (setlogin(pw->pw_name) < 0) + error("setlogin failed: %s", strerror(errno)); ++ ++#ifdef CHROOT ++ user_dir = xstrdup(pw->pw_dir); ++ new_root = user_dir + 1; ++ ++ while((new_root = strchr(new_root, '.')) != NULL) { ++ new_root--; ++ if(strncmp(new_root, "/./", 3) == 0) { ++ *new_root = '\0'; ++ new_root += 2; ++ ++ if(chroot(user_dir) != 0) ++ fatal("Couldn't chroot to user directory %s", user_dir); ++ ++ pw->pw_dir = new_root; ++ break; ++ } ++ new_root += 2; ++ } ++#endif /* CHROOT */ + + /* Set uid, gid, and groups. */ + /* Login(1) does this as well, and it needs uid 0 for the "-h" diff -ruN --exclude CVS ssh-openbsd-2000070100/contrib/gnome-ssh-askpass.c openssh-2.1.1p2/contrib/gnome-ssh-askpass.c --- ssh-openbsd-2000070100/contrib/gnome-ssh-askpass.c Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/contrib/gnome-ssh-askpass.c Wed Jun 7 20:08:19 2000 
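Review bot: The chroot(user_dir) call in the added CHROOT block is not followed by a chdir(), so the working directory inherited from before the call stays outside the new root; the standard pairing is `if (chroot(user_dir) != 0 || chdir("/") != 0)` ahead of the existing fatal(). Whether later code in session.c changes into pw->pw_dir before the exec is outside this hunk, so the chdir is cheap insurance either way. Separately, `new_root = user_dir + 1` assumes pw->pw_dir is at least one character long; an empty home-directory field would start the strchr() one byte past the terminator. The enclosing function starts and ends outside the hunk.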
@@ -0,0 +1,155 @@ +/* + Compile with: + + cc `gnome-config --cflags gnome gnomeui` \ + gnome-ssh-askpass.c -o gnome-ssh-askpass \ + `gnome-config --libs gnome gnomeui` + +*/ + +/* +** +** GNOME ssh passphrase requestor +** +** Damien Miller +** +** Copyright 1999 Internet Business Solutions +** +** Permission is hereby granted, free of charge, to any person +** obtaining a copy of this software and associated documentation +** files (the "Software"), to deal in the Software without +** restriction, including without limitation the rights to use, copy, +** modify, merge, publish, distribute, sublicense, and/or sell copies +** of the Software, and to permit persons to whom the Software is +** furnished to do so, subject to the following conditions: +** +** The above copyright notice and this permission notice shall be +** included in all copies or substantial portions of the Software. +** +** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY +** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE +** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE +** AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER OR INTERNET +** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE +** OR OTHER DEALINGS IN THE SOFTWARE. +** +** Except as contained in this notice, the name of Internet Business +** Solutions shall not be used in advertising or otherwise to promote +** the sale, use or other dealings in this Software without prior +** written authorization from Internet Business Solutions. 
+**
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+void
+report_failed_grab (void)
+{
+ GtkWidget *err;
+
+ err = gnome_message_box_new("Could not grab keyboard or mouse.\n"
+ "A malicious client may be eavesdropping on your session.",
+ GNOME_MESSAGE_BOX_ERROR, "EXIT", NULL);
+ gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
+ gtk_object_set(GTK_OBJECT(err), "type", GTK_WINDOW_POPUP, NULL);
+
+ gnome_dialog_run_and_close(GNOME_DIALOG(err));
+}
+
+void
+passphrase_dialog(char *message)
+{
+ char *passphrase;
+ int result;
+
+ GtkWidget *dialog, *entry, *label;
+
+ dialog = gnome_dialog_new("OpenSSH", GNOME_STOCK_BUTTON_OK,
+ GNOME_STOCK_BUTTON_CANCEL, NULL);
+
+ label = gtk_label_new(message);
+ gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), label, FALSE,
+ FALSE, 0);
+
+ entry = gtk_entry_new();
+ gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE,
+ FALSE, 0);
+ gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
+ gtk_widget_grab_focus(entry);
+
+ /* Center window and prepare for grab */
+ gtk_object_set(GTK_OBJECT(dialog), "type", GTK_WINDOW_POPUP, NULL);
+ gnome_dialog_set_default(GNOME_DIALOG(dialog), 0);
+ gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
+ gtk_window_set_policy(GTK_WINDOW(dialog), FALSE, FALSE, TRUE);
+ gnome_dialog_close_hides(GNOME_DIALOG(dialog), TRUE);
+ gtk_container_set_border_width(GTK_CONTAINER(GNOME_DIALOG(dialog)->vbox), GNOME_PAD);
+ gtk_widget_show_all(dialog);
+
+ /* Grab focus */
+ XGrabServer(GDK_DISPLAY());
+ if (gdk_pointer_grab(dialog->window, TRUE, 0,
+ NULL, NULL, GDK_CURRENT_TIME))
+ goto nograb;
+ if (gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME))
+ goto nograbkb;
+
+ /* Make close dialog */
+ gnome_dialog_editable_enters(GNOME_DIALOG(dialog), GTK_EDITABLE(entry));
+
+ /* Run dialog */
+ result = gnome_dialog_run(GNOME_DIALOG(dialog));
+
+ /* Ungrab */
+ XUngrabServer(GDK_DISPLAY());
+ gdk_pointer_ungrab(GDK_CURRENT_TIME);
+ gdk_keyboard_ungrab(GDK_CURRENT_TIME);
+ gdk_flush();
+
+ /* Report passphrase if user selected OK */
+ passphrase = gtk_entry_get_text(GTK_ENTRY(entry));
+ if (result == 0)
+ puts(passphrase);
+
+ /* Zero passphrase in memory */
+ memset(passphrase, '\0', strlen(passphrase));
+ gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
+
+ gnome_dialog_close(GNOME_DIALOG(dialog));
+ return;
+
+ /* At least one grab failed - ungrab what we got, and report
+ the failure to the user. Note that XGrabServer() cannot
+ fail. */
+ nograbkb:
+ gdk_pointer_ungrab(GDK_CURRENT_TIME);
+ nograb:
+ XUngrabServer(GDK_DISPLAY());
+ gnome_dialog_close(GNOME_DIALOG(dialog));
+
+ report_failed_grab();
+}
+
+int
+main(int argc, char **argv)
+{
+ char *message;
+
+ gnome_init("GNOME ssh-askpass", "0.1", argc, argv);
+
+ if (argc == 2)
+ message = argv[1];
+ else
+ message = "Enter your OpenSSH passphrase:";
+
+ setvbuf(stdout, 0, _IONBF, 0);
+ passphrase_dialog(message);
+ return 0;
+}
diff -ruN --exclude CVS ssh-openbsd-2000070100/contrib/make-ssh-known-hosts.1 openssh-2.1.1p2/contrib/make-ssh-known-hosts.1
--- ssh-openbsd-2000070100/contrib/make-ssh-known-hosts.1 Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/contrib/make-ssh-known-hosts.1 Wed Mar 15 12:13:03 2000
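Review bot: main() returns 0 on every path, including when the user presses Cancel (result != 0, nothing written to stdout) and when a grab fails and passphrase_dialog() falls through to report_failed_grab(), so the exit status cannot distinguish those outcomes from a successfully entered empty passphrase; if the invoking ssh consults the askpass exit status (not visible here), both paths should exit non-zero. The smallest change is to make passphrase_dialog() return an int that main() passes through, as sketched below. The memset() on the pointer from gtk_entry_get_text() only scrubs the widget's own storage if that call returns the internal buffer rather than a copy; a one-line comment recording that assumption, e.g. `/* relies on gtk_entry_get_text() returning the entry's own buffer */`, would help the next reader.
```c
int
passphrase_dialog(char *message)
{
	/* … unchanged: dialog construction, grabs, run, ungrab, output … */
	gnome_dialog_close(GNOME_DIALOG(dialog));
	return result == 0 ? 0 : 1;

	/* … unchanged: nograbkb / nograb ungrab labels … */
	report_failed_grab();
	return 1;
}

/* … unchanged: main() up to the dialog call … */
	return passphrase_dialog(message);
```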
@@ -0,0 +1,432 @@ +.\" -*- nroff -*- +.\" ---------------------------------------------------------------------- +.\" make-ssh-known-hosts.1 -- Make ssh-known-hosts file +.\" Copyright (c) 1995 Tero Kivinen +.\" All Rights Reserved. +.\" +.\" Make-ssh-known-hosts is distributed in the hope that it will be +.\" useful, but WITHOUT ANY WARRANTY. No author or distributor accepts +.\" responsibility to anyone for the consequences of using it or for +.\" whether it serves any particular purpose or works at all, unless he +.\" says so in writing. Refer to the General Public License for full +.\" details. +.\" +.\" Everyone is granted permission to copy, modify and redistribute +.\" make-ssh-known-hosts, but only under the conditions described in +.\" the General Public License. A copy of this license is supposed to +.\" have been given to you along with make-ssh-known-hosts so you can +.\" know your rights and responsibilities. It should be in a file named +.\" COPYING. Among other things, the copyright notice and this notice +.\" must be preserved on all copies. +.\" ---------------------------------------------------------------------- +.\" Program: make-ssh-known-hosts.1 +.\" $Source: /var/cvs/openssh/contrib/make-ssh-known-hosts.1,v $ +.\" Author : $Author: damien $ +.\" +.\" (C) Tero Kivinen 1995 +.\" +.\" Creation : 03:51 Jun 28 1995 kivinen +.\" Last Modification : 03:44 Jun 28 1995 kivinen +.\" Last check in : $Date: 2000/03/15 01:13:03 $ +.\" Revision number : $Revision: 1.1 $ +.\" State : $State: Exp $ +.\" Version : 1.1 +.\" +.\" Description : Manual page for make-ssh-known-hosts.pl +.\" +.\" $Log: make-ssh-known-hosts.1,v $ +.\" Revision 1.1 2000/03/15 01:13:03 damien +.\" - Created contrib/ subdirectory. Included helpers from Phil Hands' +.\" Debian package, README file and chroot patch from Ricardo Cerqueira +.\" +.\" - Moved gnome-ssh-askpass.c to contrib directory and reomved config +.\" option. 
+.\" - Slight cleanup to doc files +.\" +.\" Revision 1.4 1998/07/08 00:40:14 kivinen +.\" Changed to do similar commercial #ifdef processing than other +.\" files. +.\" +.\" Revision 1.3 1998/06/11 00:07:21 kivinen +.\" Fixed comment characters. +.\" +.\" Revision 1.2 1997/04/27 21:48:28 kivinen +.\" Added F-SECURE stuff. +.\" +.\" Revision 1.1.1.1 1996/02/18 21:38:13 ylo +.\" Imported ssh-1.2.13. +.\" +.\" Revision 1.5 1995/10/02 01:23:23 ylo +.\" Make substitutions by configure. +.\" +.\" Revision 1.4 1995/08/31 09:21:35 ylo +.\" Minor cleanup. +.\" +.\" Revision 1.3 1995/08/29 22:37:10 ylo +.\" Minor cleanup. +.\" +.\" Revision 1.2 1995/07/15 13:26:11 ylo +.\" Changes from kivinen. +.\" +.\" Revision 1.1.1.1 1995/07/12 22:41:05 ylo +.\" Imported ssh-1.0.0. +.\" +.\" +.\" +.\" If you have any useful modifications or extensions please send them to +.\" Tero.Kivinen@hut.fi +.\" +.\" +.\" +.\" +.\" +.\" #ifndef F_SECURE_COMMERCIAL +.TH MAKE-SSH-KNOWN-HOSTS 1 "November 8, 1995" "SSH TOOLS" "SSH TOOLS" +.\" #endif F_SECURE_COMMERCIAL +.SH NAME +make-ssh-known-hosts \- make ssh_known_hosts file from DNS data +.SH SYNOPSIS +.na +.TP +.B make-ssh-known-hosts +.RB "[\|" "\-\-initialdns "\c +.I initial_dns\c +\|] +.br +.RB "[\|" "\-\-server "\c +.I domain_name_server\c +\|] +.br +.RB "[\|" "\-\-subdomains "\c +.I comma_separated_list_of_subdomains\c +\|] +.br +.RB "[\|" "\-\-debug "\c +.I debug_level\c +\|] +.br +.RB "[\|" "\-\-timeout "\c +.I ssh_exec_timeout\c +\|] +.br +.RB "[\|" "\-\-pingtimeout "\c +.I ping_timeout\c +\|] +.br +.RB "[\|" "\-\-passwordtimeout "\c +.I timeout_when_asking_password\c +\|] +.br +.RB "[\|" "\-\-notrustdaemon" "\|]" +.br +.RB "[\|" "\-\-norecursive" "\|]" +.br +.RB "[\|" "\-\-domainnamesplit" "\|]" +.br +.RB "[\|" "\-\-silent" "\|]" +.br +.RB "[\|" "\-\-keyscan" "\|]" +.br +.RB "[\|" "\-\-nslookup "\c +.I path_to_nslookup_program\c +\|] +.br +.RB "[\|" "\-\-ssh "\c +.I path_to_ssh_program\c +\|] +.br +.IR "domain_name " "[\|" "take_regexp " 
"[\|" "remove_regexp"\|]\|]" + +.SH DESCRIPTION +.LP +.B make-ssh-known-hosts +is a perl5 script that helps create the +.I /etc/ssh_known_hosts +file, which is used by +.B ssh +to contain the host keys of all publicly known hosts. +.B Ssh +does not normally permit login using rhosts or /etc/hosts.equiv +authentication unless the server knows the client's host key. In +addition, the host keys are used to prevent man-in-the-middle attacks. +.LP +In addition to +.IR /etc/ssh_known_hosts ", +.B ssh +also uses the +.I $HOME/.ssh/known_hosts +file. This file, however, is intended to contain only those hosts +that the particular user needs but are not in the global file. It is +intended that the +.I /etc/ssh_known_hosts +file be maintained by the system administration, and periodically +updated to contain the host keys for any new hosts. +.LP +The +.B make-ssh-known-hosts +program finds all the hosts in a domain by making a DNS query to the +master domain name server of the domain. The master domain name server +is located by searching for the SOA record of the domain from the initial +domain name server (which can be specified with the +.B \-\-initialdns +option). The master domain name server can also be given directly with +the +.B \-\-server +option. +.LP +After getting the hostname list +.B make-ssh-known-hosts +tries to get the public key from every host in the domain. It first +tries to connect ssh port to check check if the host is alive, and if +so, it tries to run the command +.B cat /etc/ssh_host_key.pub +on the remote machine using +.BR ssh ". +If the command succeeds, it knows the remote machine has +.B ssh +installed properly, and it then extracts the public key from the +output, and prints the +.B /etc/ssh_known_hosts +entry for it to +.BR STDOUT ". Because +.B make-ssh-known-hosts +is usually run before +remote machines have /etc/ssh_known_hosts file you may have to use +RSA-authentication to allow access to hosts. 
+.LP +If the command fails for some reason, it checks if the +.B ssh +client still got the public key from the remote host in the initial dialog, +and if so, it will print a proper entry, and if +.B \-\-notrustdaemon +option is given comment it out. +.LP +.I Domain_name +is the domain name for which the file is to be generated. By default +.B make-ssh-known-hosts +extracts also all subdomains of domain. Many sites will want to +include several domains in their +.I /etc/ssh_known_hosts +file. The entries for each domain should be extracted separately by +running +.B make-ssh-known-hosts +once for each domain. The results should then be combined to create +the final file. +.LP +.I Take_regexp +is a perl regular expression that matches the hosts to be taken from the +domain. The data matched contains all the DNS records in the form "\|\c +.B fieldname=value\c +\|". The fields are separated with newline, and the perl match is made in +multiline mode and it is case insensetive. The multiline mode means +that you can use a regexp like "\|\c +.B ^wks=.*telnet.*$\c +\|" to match all hosts that have WKS (well known services) field that +contains value "telnet". +.LP +.I Remove_regexp +is similar but those hosts that match the regexp are not added (it can +be used for example to filter out PCs and Macs using the hinfo field: "\|\c +.B ^hinfo=.*(mac|pc)\c +\|"). + +.SH OPTIONS +.TP +.BI "\-\-initialdns " "initial_dns"\c +.TP +.BI "\-i " "initial_dns"\c +\&Set the initial domain name server used to query the SOA record of the +domain. + +.TP +.BI "\-\-server " "domain_name_server"\c +.TP +.BI "\-se " "domain_name_server"\c +\&Set the master domain name server of the domain. This host is used +to query the DNS list of the domain. + +.TP +.BI "\-\-subdomains " "subdomainlist"\c +.TP +.BI "\-su " "subdomainlist"\c +\&Comma separated list of subdomains that are added to hostnames. 
For +example, if subdomainlist is "\|\c +.I ,foo, foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c +\|" then when host foobar is added to +.B /etc/ssh_known_hosts +file it has aliases "\|\c +.I foobar, foobar.foo, foobar.foo.bar, foobar.foo.bar.zappa, foobar.foo.bar.zappa.hut.fi\c +\|". The default action is to take all subparts of the host but the +second last on a host by host basis. (The last element is usually the +country code, and something like +.I foobar.foo.bar.zappa.hut +would not make sense.) + +.TP +.BI "\-\-debug " "debug_level"\c +.TP +.BI "\-de " "debug_level"\c +\&Set the debug level. Default is 5, bigger values give more output. +Using a big value (like 999) will print lots of debugging output. + +.TP +.BI "\-\-timeout " "ssh_exec_timeout"\c +.TP +.BI "\-ti " "ssh_exec_timeout"\c +\&Timeout when executing +.B ssh +command. The default is 60 seconds. + +.TP +.BI "\-\-pingtimeout " "ping_timeout"\c +.TP +.BI "\-pi " "ping_timeout"\c +\&Timeout when trying to ping the ssh port. The default is 3 seconds. + +.TP +.BI "\-\-passwordtimeout " "timeout_when_asking_password"\c +.TP +.BI "\-pa " "timeout_when_asking_password"\c +\&Timeout when asking password for ssh command. Default is that no +passwords are queried. Use value 0 to have no timeout for password queries. + +.TP +.BI "\-\-notrustdaemon"\c +.TP +.BI "\-notr"\c +\&If the +.B ssh +command fails, use the public key stored in the local known hosts file +and trust it is the correct key for the host. If this option is not +given such entries are commented out in the generated +.B /etc/ssh_known_hosts +file. + +.TP +.BI "\-\-norecursive"\c +.TP +.BI "\-nor"\c +\&Tell +.B make-ssh-known-hosts +that it should only extract keys for the given domain, and not to be +recursive. + +.TP +.BI "\-\-domainnamesplit"\c +.TP +.BI "\-do"\c +\&Split the domainname to get the list of subdomains. Use this option +if you don't want hostname to splitted to pieces automatically. 
+Default splitting is done host by host basis. If the domain is +zappa.hut.fi, and the host name is foo.bar then default action adds +entries "\|\c +.I foo, foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c +\|" and this options adds entries "\|\c +.I foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c +\|"). + +.TP +.BI "\-\-silent"\c +.TP +.BI "\-si"\c +\&Be silent. + +.TP +.BI "\-\-keyscan"\c +.TP +.BI "\-k"\c +\&Output list of all hosts in format "ipaddr1,ipaddr2,...ipaddrn +hostname.domain.co,hostname,ipaddr1,ipaddr2,all_other_hostname_entries". +The output of this can be feeded to ssh-keyscan to fetch keys. + +.TP +.BI "\-\-nslookup " "path_to_nslookup_program"\c +.TP +.BI "\-n " "path_to_nslookup_program"\c +\&Path to the +.B nslookup +program. + +.TP +.BI "\-\-ssh " "path_to_ssh_program"\c +.TP +.BI "\-ss " "path_to_ssh_program"\c +\&Path to the +.B ssh +program, including all options. + +.SH EXAMPLES +.LP +The following command: +.IP +.B example# make-ssh-known-hosts cs.hut.fi > \c +.B /etc/ssh_known_hosts +.LP +finds all public keys of the hosts in +.B cs.hut.fi +domain and put them to +.B /etc/ssh_known_hosts +file splitting domain names on a per host basis. +.LP +The command +.IP +.B example% make-ssh-known-hosts hut.fi '^wks=.*ssh' > \c +.B hut-hosts +.LP +finds all hosts in +.B hut.fi +domain, and its subdomains having own name server (cs.hut.fi, +tf.hut.fi, tky.hut.fi) that have ssh service and puts their public key +to hut-hosts file. This would require that the domain name server of +hut.fi would define all hosts running ssh to have entry ssh in their +WKS record. Because nobody yet adds ssh to WKS, it would be better to +use command +.IP +.B example% make-ssh-known-hosts hut.fi '^wks=.*telnet' > \c +.B hut-hosts +.LP +that would take those host having telnet service. This uses default +subdomain list. 
+ +.LP +The command: +.IP +.B example% make-ssh-known-hosts hut.fi 'dipoli.hut.fi' '^hinfo=.*(mac|pc)' > \c +.B dipoli-hosts +.LP +finds all hosts in hut.fi domain that are in dipoli.hut.fi subdomain +(note dipoli.hut.fi does not have own name server so its entries are +in hut.fi-server) and that are not Mac or PC. + +.SH FILES +.ta 3i +/etc/ssh_known_hosts Global host public key list + +.SH "SEE ALSO" +.BR ssh (1), +.BR sshd (8), +.BR ssh-keygen (1), +.BR ping (8), +.BR nslookup (8), +.BR perl (1), +.BR perlre (1) + +.SH AUTHOR +Tero Kivinen + +.SH COPYING +.LP +Permission is granted to make and distribute verbatim copies of +this manual provided the copyright notice and this permission notice +are preserved on all copies. +.LP +Permission is granted to copy and distribute modified versions of this +manual under the conditions for verbatim copying, provided that the +entire resulting derived work is distributed under the terms of a +permission notice identical to this one. +.LP +Permission is granted to copy and distribute translations of this +manual into another language, under the above conditions for modified +versions, except that this permission notice may be included in +translations approved by the the author instead of in the original +English. diff -ruN --exclude CVS ssh-openbsd-2000070100/contrib/make-ssh-known-hosts.pl openssh-2.1.1p2/contrib/make-ssh-known-hosts.pl --- ssh-openbsd-2000070100/contrib/make-ssh-known-hosts.pl Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/contrib/make-ssh-known-hosts.pl Wed Mar 15 12:13:03 2000 
@@ -0,0 +1,737 @@ +#!/usr/bin/perl -w +# -*- perl -*- +###################################################################### +# make-ssh-known-hosts.pl -- Make ssh-known-hosts file +# Copyright (c) 1995 Tero Kivinen +# All Rights Reserved. +# +# Make-ssh-known-hosts is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY. No author or distributor accepts +# responsibility to anyone for the consequences of using it or for +# whether it serves any particular purpose or works at all, unless he +# says so in writing. Refer to the GNU General Public License for full +# details. +# +# Everyone is granted permission to copy, modify and redistribute +# make-ssh-known-hosts, but only under the conditions described in +# the GNU General Public License. A copy of this license is supposed to +# have been given to you along with make-ssh-known-hosts so you can +# know your rights and responsibilities. It should be in a file named +# gnu-COPYING-GPL. Among other things, the copyright notice and this notice +# must be preserved on all copies. +###################################################################### +# Program: make-ssh-known-hosts.pl +# $Source: /var/cvs/openssh/contrib/make-ssh-known-hosts.pl,v $ +# Author : $Author: damien $ +# +# (C) Tero Kivinen 1995 +# +# Creation : 19:52 Jun 27 1995 kivinen +# Last Modification : 00:07 Jul 8 1998 kivinen +# Last check in : $Date: 2000/03/15 01:13:03 $ +# Revision number : $Revision: 1.1 $ +# State : $State: Exp $ +# Version : 1.343 +# Edit time : 242 min +# +# Description : Make ssh-known-host file from dns data. +# +# $Log: make-ssh-known-hosts.pl,v $ +# Revision 1.1 2000/03/15 01:13:03 damien +# - Created contrib/ subdirectory. Included helpers from Phil Hands' +# Debian package, README file and chroot patch from Ricardo Cerqueira +# +# - Moved gnome-ssh-askpass.c to contrib directory and reomved config +# option. 
+# - Slight cleanup to doc files +# +# Revision 1.6 1998/07/08 00:44:23 kivinen +# Fixed to understand bind 8 nslookup output. +# +# Revision 1.5 1998/04/30 01:53:33 kivinen +# Moved kill before close and added sending SIGINT first and +# then 1 second sleep before sending SIGKILL. +# +# Revision 1.4 1998/04/17 00:39:19 kivinen +# Changed to close ssh program filedescriptor before killing it. +# Removed ^ from the password matching prompt. +# +# Revision 1.3 1997/04/17 04:21:27 kivinen +# Changed to use 3des by default. +# +# Revision 1.2 1997/03/26 07:14:01 kivinen +# Added EWOULDBLOCK. +# +# Revision 1.1.1.1 1996/02/18 21:38:10 ylo +# Imported ssh-1.2.13. +# +# Revision 1.4 1995/10/02 01:23:45 ylo +# Ping packet size fixes from Kivinen. +# +# Revision 1.3 1995/08/29 22:37:39 ylo +# Now uses GlobalKnownHostsFile and UserKnownHostsFile. +# +# Revision 1.2 1995/07/15 13:26:37 ylo +# Changes from kivinen. +# +# Revision 1.1.1.1 1995/07/12 22:41:05 ylo +# Imported ssh-1.0.0. +# +# +# +# If you have any useful modifications or extensions please send them to +# Tero.Kivinen@hut.fi +# +###################################################################### +# initialization + +require 5.000; +use Getopt::Long; +use FileHandle; +use POSIX; +use Socket; +use Fcntl; + +$version = ' $Id: make-ssh-known-hosts.pl,v 1.1 2000/03/15 01:13:03 damien Exp $ '; + +$command_line = "$0 "; +foreach $a (@ARGV) { + $command_line .= $a . 
" "; +} +STDERR->autoflush(1); + +###################################################################### +# default values for options + +$debug = 5; +$defserver = ''; +$bell='\a'; +$public_key = '/etc/ssh_host_key.pub'; +$private_ssh_known_hosts = "/tmp/ssh_known_hosts$$"; +$timeout = 60; +$ping_timeout = 3; +$passwordtimeout = undef; +$trustdaemon = 1; +$domainnamesplit = 0; +$recursive = 1; + +###################################################################### +# Programs and their options + +$nslookup = "nslookup"; + +$ssh="ssh -a -c 3des -x -o 'ConnectionAttempts 1' -o 'FallBackToRsh no' -o 'GlobalKnownHostsFile /dev/null' -o 'KeepAlive yes' -o 'StrictHostKeyChecking no' -o 'UserKnownHostsFile $private_ssh_known_hosts'"; +$sshdisablepasswordoption="-o 'BatchMode yes' -o 'PasswordAuthentication no'"; + +###################################################################### +# Cleanup and initialization + +unlink($private_ssh_known_hosts); +$sockaddr = 'S n a4 x8'; +($junk, $junk, $sshport) = getservbyname("ssh", "tcp"); +if (!defined($sshport)) { + $sshport = 22; +} +($tcpprotoname, $junk, $tcpproto) = getprotobyname('tcp'); +defined($tcpprotoname) || die "getprotobyname : $!"; + +###################################################################### +# Parse options + +GetOptions("initialdns=s", "server=s", "subdomains=s", + "debug=i", "timeout=i", "passwordtimeout=i", + "trustdaemon!", "domainnamesplit", "silent", + "nslookup=s", "pingtimeout=i", "recursive!", + "keyscan", + "ssh=s") + || die "Getopt : $!"; + +if (defined($opt_initialdns)) { $defserver = $opt_initialdns; } + +if (defined($opt_server)) { $server = $opt_server; } + +if (defined($opt_subdomains)) { @subdomains = split(/,/, $opt_subdomains); } + +if (defined($opt_debug)) { $debug = $opt_debug; } + +if (defined($opt_timeout)) { $timeout = $opt_timeout; } + +if (defined($opt_pingtimeout)) { $ping_timeout = $opt_pingtimeout; } + +if (defined($opt_passwordtimeout)) { + $passwordtimeout = 
$opt_passwordtimeout; + $sshdisablepasswordoption = ''; +} + +if (defined($opt_trustdaemon)) { $trustdaemon = $opt_trustdaemon; } + +if (defined($opt_recursive)) { $recursive = $opt_recursive; } + +if (defined($opt_domainnamesplit)) { $domainnamesplit = $opt_domainnamesplit; } + +if (defined($opt_silent)) { $bell = ''; } + +if (defined($opt_nslookup)) { $nslookup = $opt_nslookup; } + +if (defined($opt_ssh)) { $ssh = $opt_ssh; } else { + $ssh = "$ssh $sshdisablepasswordoption"; +} + +if ($#ARGV == 0) { + $domain = "\L$ARGV[0]\E"; + $grep_yes = '.*'; + $grep_no = '^$'; +} elsif ($#ARGV == 1) { + $domain = "\L$ARGV[0]\E"; + $grep_yes = $ARGV[1]; + $grep_no = '^$'; +} elsif ($#ARGV == 2) { + $domain = "\L$ARGV[0]\E"; + $grep_yes = $ARGV[1]; + $grep_no = $ARGV[2]; +} else { + print(STDERR "$0 [--initialdns initial_dns_server] [--server dns_server] [--subdomains sub.sub.domain,sub.sub,sub,] [--debug debug_level] [--timeout ssh_exec_timeout_in_secs] [--pingtimeout ping_timeout_in_secs] [--passwordtimeout timeout_for_password_in_secs] [--notrustdaemon] [--norecursive] [--domainnamesplit] [--silent] [--keyscan] [--nslookup path_to_nslookup] [--ssh path_to_ssh] full.domain [ host_info_take_regexp [ host_info_remove_regex ]]\n"); + exit(1); +} + +###################################################################### +# Check that ssh program exists + +if (system("$ssh > /dev/null 2>&1 ") != 256) { + print(STDERR "Error: Could not run ssh program ($ssh): $!\nError: Try giving the path to it with --ssh option\n"); + exit(1); +} + +###################################################################### +# Generate subdomains list + +if (!$domainnamesplit) { + debug(6, "Auto splitting host entries"); +} elsif (!defined(@subdomains)) { + debug(6, "Generating subdomain list"); + + # split domain to pieces + @domain_pieces = split(/\./, $domain); + + # add empty domain part + push(@subdomains, ''); + + # add rest parts, except the one before full domain name + $entry=''; + for(; 
$#domain_pieces > 1; ) {
+ $entry .= "." . shift(@domain_pieces);
+ push(@subdomains, $entry);
+ }
+
+ # add full domain name
+ push(@subdomains, ".$domain");
+ debug(5, "Subdomain list: " . join(',', @subdomains));
+} else {
+ debug(5, "Using given subdomain list:" . join(',', @subdomains));
+}
+
+######################################################################
+# finding SOA entry for domain
+
+@other_servers = ();
+if (!defined($server)) {
+ debug(6, "Finding DNS database SOA entry");
+
+ ($server, @other_servers) = find_soa($domain, $defserver);
+
+ if (!defined($server)) {
+ print(STDERR "Error: Could not find DNS SOA entry from default dns server\nError: Try giving the initial nameserver with --initialdns option\n");
+ exit(1);
+ } else {
+ debug(5, "DNS server found : $server");
+ }
+} else {
+ debug(5, "Using given DNS server : $server");
+}
+
+######################################################################
+# Print header
+
+($name, $junk, $junk, $junk, $junk, $junk, $gecos) = getpwuid($<);
+$gecos =~ s/,.*$//g;
+
+if (!defined($opt_keyscan)) {
+ print(STDOUT "# This file is generated with make-ssh-known-hosts.pl\n");
+ print(STDOUT "#$version\n");
+ print(STDOUT "# with command line :\n");
+ print(STDOUT "# $command_line\n");
+ print(STDOUT "#\n");
+ print(STDOUT "# The script was run by $gecos ($name) at " . localtime() . "\n");
+ print(STDOUT "# using perl ($^X) version $].\n");
+}
+
+######################################################################
+# Get DNS database list from server
+
+do {
+ $domains_done{$domain} = 1;
+ delete $domains_waiting{$domain};
+
+ $hostcnt = 0;
+ $cnamecnt = 0;
+ $lines = 0;
+ $soa = 0;
+ undef %host;
+ undef %cname;
+ undef %hostdata;
+
+ dnsagain:
+ debug(1, "Getting DNS database for $domain from server $server");
+ open(DNS, "echo ls -d $domain | nslookup - $server 2>&1 |") ||
+ die "Error: Could not start nslookup to make dns list : $!\nError: Try giving --nslookup option and telling the path to nslookup program\n";
+
+ while() {
+ $lines++;
+ chomp;
+ undef $hostname if/^\s*$/;
+ if (/^\s{0,1}([a-zA-Z0-9-]\S*)/) {
+ $hostname = "\L$1\E";
+ }
+ next unless defined $hostname;
+ if (/^.*\s(SOA)\s+(.*)\s*$/ || $hostname eq "SOA") {
+ undef $soa if(/^.*\s(SOA)\s+(.*)\s*$/);
+ $data = $_ if ($hostname eq "SOA");
+ $data = $2 unless $hostname eq "SOA";
+ $data =~ s/\s*;.*$//;
+ $data =~ s/^\s+//;
+ if( defined $soa ) {
+ $soa .= " \L$data\E";
+ } else {
+ $soa = "\L$data\E";
+ }
+ $hostname = "SOA";
+ } elsif (/^.*\s(A|CNAME|NS)\s+(.*)\s*$/) {
+ $host = $hostname;
+ $field = "\L$1\E";
+ $data = "\L$2\E";
+ debug(70, "Line = /$host/$field/$data/");
+ if ($host !~ /\.$/) {
+ $host .= ".$domain";
+ } else {
+ $host =~ s/\.$//g;
+ }
+ if ($field eq "a") {
+ if ($host =~ /$domain$/) {
+ if (defined($host{$host})) {
+ $host{$host} .= ",$data";
+ } else {
+ $host{$host} = "$data";
+ $hostcnt++;
+ }
+ debug(30, "$host A == $host{$host}");
+ }
+ } elsif ($field eq "cname") {
+ if ($data !~ /\.$/ && ! /^\s/ ) {
+ $data .= ".$domain";
+ } else {
+ $data =~ s/\.$//g;
+ }
+ if ($host =~ /$domain$/) {
+ if (defined($cname{$data})) {
+ $cname{$data} .= ",$host";
+ } else {
+ $cname{$data} = "$host";
+ $cnamecnt++;
+ }
+ debug(30, "$host CNAME $data");
+ $junk = $data;
+ $data = $host;
+ $host = $junk;
+ }
+ } elsif ($field eq "ns") {
+ if (!defined($domains_done{$host})) {
+ if (!defined($domains_waiting{$host})) {
+ debug(10, "Adding subdomain $host to domains list, with NS $data");
+ $domains_waiting{$host} = $data;
+ push(@domains_waiting, $host);
+ } else {
+ debug(10, "Adding NS $data for domain $host");
+ $domains_waiting{$host} .= ",$data";
+ }
+ }
+ }
+ if (!defined($hostdata{$host})) {
+ $hostdata{$host} = "$host\n$field=$data\n";
+ } else {
+ $hostdata{$host} .= "$field=$data\n";
+ }
+ }
+ }
+ close(DNS);
+ if ($hostcnt == 0 && $cnamecnt == 0) {
+ if ($#other_servers != -1) {
+ $server = shift(@other_servers);
+ goto dnsagain;
+ }
+ }
+ debug(1, "Found $hostcnt hosts, $cnamecnt CNAMEs (total $lines lines)");
+ if (!defined($opt_keyscan)) {
+ print(STDOUT "#\n");
+ print(STDOUT "# Domain = $domain, server = $server\n");
+ print(STDOUT "# Found $hostcnt hosts, $cnamecnt CNAMEs (total $lines lines)\n");
+ print(STDOUT "# SOA = $soa\n");
+ print(STDOUT "#\n");
+ }
+
+######################################################################
+# Loop through hosts and try to connect to hosts
+
+ foreach $i (sort (keys %host)) {
+ debug(50, "Host = $i, Hostdata = $hostdata{$i}");
+ if ($hostdata{$i} =~ /$grep_yes/im &&
+ $hostdata{$i} !~ /$grep_no/im &&
+ $i !~ /^localhost\./ &&
+ $host{$i} !~ /^127.0.0.1$|^127.0.0.1,|,127.0.0.1$|,127.0.0.1,/) {
+ debug(2, "Trying host $i");
+
+ @hostnames = ();
+ if (defined($cname{$i})) {
+ expand($i, \@hostnames, \@subdomains);
+ foreach $j (split(/,/, $cname{$i})) {
+ expand($j, \@hostnames, \@subdomains);
+ }
+ } else {
+ expand($i, \@hostnames, \@subdomains);
+ }
+ foreach $j (split(/,/, $host{$i})) {
+ push(@hostnames, $j);
+ }
+ $hostnames = join(',', (@hostnames));
+
+ if (defined($opt_keyscan)) {
+ printf(STDOUT "$host{$i}\t$hostnames\n");
+ } elsif (try_ping($i, $host{$i})) {
+ $trusted = 1;
+ $err = 'Timeout expired';
+ $ssh_key = try_ssh("$i");
+ if (!defined($ssh_key)) {
+ $ssh_key = find_host_from_known_hosts($i);
+ $trusted = 0;
+ }
+ if (defined($ssh_key)) {
+ if ($trusted) {
+ debug(2, "Ssh to $i succeded");
+ } else {
+ debug(2, "Ssh to $i failed, using local known_hosts entry");
+ }
+ debug(4, "adding entries : $hostnames");
+ $ssh_key =~ s/root@//i;
+ if (!$trusted && !$trustdaemon) {
+ print(STDOUT "# $hostnames $ssh_key\n");
+ } else {
+ print(STDOUT "$hostnames $ssh_key\n");
+ }
+ } else {
+ debug(2, "ssh failed : $err");
+ }
+ } else {
+ debug(2, "ping failed");
+ }
+ } else {
+ debug(10, "Skipped host $i");
+ }
+ }
+ again:
+ $domain = shift(@domains_waiting);
+ if (defined($domain)) {
+ $server = $domains_waiting{$domain};
+ @other_servers = split(',', $server);
+ $server = shift(@other_servers);
+ ($server, @other_servers) = find_soa($domain, $server);
+ if(!defined($server)) {
+ debug(1, "Skipping domain $domain because no DNS SOA entry found");
+ $domains_done{$domain} = 1;
+ delete $domains_waiting{$domain};
+ goto again;
+ }
+ }
+} while ($recursive && defined($domain));
+
+unlink($private_ssh_known_hosts);
+exit (0);
+
+######################################################################
+# try_ping -- try to ping to host and return 1 if success
+# $success = try_ping($host, $list_ip_addrs);
+
+sub try_ping {
+ my($host, $ipaddrs) = @_;
+ my(@ipaddrs, $ipaddr, $serv, $ip);
+ my($rin, $rout, $win, $wout, $nfound, $tmout, $buf, $len, $ret, $err);
+
+ $buf = '';
+ debug(51,"Trying to ping host $host");
+ @ipaddrs = split(/,/, $ipaddrs);
+
+ while ($ipaddr = shift(@ipaddrs)) {
+
+ debug(55,"Trying ipaddr $ipaddr");
+
+ #initialize socket
+ socket(PING, PF_INET, SOCK_STREAM, $tcpproto) ||
+ die "socket failed : $!";
+ setsockopt(PING, SOL_SOCKET, SO_REUSEADDR, 1) ||
+ die "setsockopt failed : $!";
+ PING->autoflush(1);
+ fcntl(PING, F_SETFL, fcntl(PING, F_GETFL, 0) | POSIX::O_NONBLOCK) ||
+ die "fcntl failed : $!";
+
+ $ip = pack('C4', split(/\./, $ipaddr, 4));
+ $serv = pack($sockaddr, AF_INET, $sshport, $ip);
+
+ again:
+ # try connect
+ $ret = connect(PING, $serv);
+ $err = $!;
+ if (!$ret) {
+ debug(60, "Connect failed : $err");
+ if ($err == EINTR) {
+ goto again;
+ }
+ # socket not yet connected, wait for result, it will
+ # wake up for writing when done
+ $tmout = $ping_timeout;
+
+ $rin = '';
+ $win = '';
+ vec($rin, fileno(PING), 1) = 1;
+ vec($win, fileno(PING), 1) = 1;
+ debug(60, "Waiting in select, rin = " . unpack('H*', $rin) .
+ ", win = " . unpack('H*', $win));
+ ($nfound) = select($rout = $rin, $wout = $win, undef, $tmout);
+ $err = $!;
+ debug(80, "Select returned $nfound, rout = " . unpack('H*', $rout) .
+ ", wout = " . unpack('H*', $wout));
+ if ($nfound != 0) {
+ # connect done, read the status with sysread
+ $ret = sysread(PING, $buf, 1);
+ $err = $!;
+ if (defined($ret) || $err == EAGAIN || $err == EWOULDBLOCK) {
+ debug(60, "Select ok, read ok ($err), returning ok");
+ # connection done, return ok
+ shutdown(PING, 2);
+ close(PING);
+ return 1;
+ } else {
+ # connection failed, try next ipaddr
+ debug(60, "Select ok, read failed : $err, trying next");
+ close(PING);
+ }
+ } else {
+ # timeout exceeded, try next ipaddr
+ debug(60, "Select failed : $err, trying next");
+ close(PING);
+ }
+ } else {
+ # connect succeeded, return ok.
+ debug(60, "Connect ok, returning ok");
+ shutdown(PING, 2);
+ close(PING);
+ return 1;
+ }
+ }
+ debug(60, "Returning fail");
+ return 0;
+}
+
+######################################################################
+# try_ssh -- try ssh connection to host and return ssh_key if success
+# if failure return undef, and set $err string to contain error message.
+# $ssh_key = try_ssh($host);
+
+sub try_ssh {
+ my($host) = @_;
+ my($buf, $ret, $pos, $pid, $rin, $nfound, $tmout);
+
+ $pid = open(SSH, "$ssh $host cat $public_key 2>&1 |");
+ $err = undef;
+
+ if ($pid == 0) {
+ $err = "could not open ssh connection to host";
+ return undef;
+ }
+ $ret = 1;
+ $pos = 0;
+ $buf = '';
+ $tmout = $timeout;
+ debug(10, "Starting ssh select loop");
+ loop:
+ while (1) {
+
+ $rin = '';
+ vec($rin, fileno(SSH), 1) = 1;
+ ($nfound, $tmout) = select($rin, undef, undef, $tmout);
+
+ # Timeout
+ if ($nfound <= 0) {
+ debug(20, "Ssh select timed out");
+ kill(2, $pid); sleep(1); kill(9, $pid);
+ close(SSH);
+ $err = "Timeout expired";
+ return undef;
+ }
+
+ $ret = sysread(SSH, $buf, 256, $pos);
+ # EOF or error
+ if ($ret <= 0) {
+ # Yes, close the pipe and return
+ close(SSH);
+ debug(20, "Ssh select closed status = $?");
+ $err = "No reply from ssh";
+ return undef;
+ }
+ $pos += $ret;
+ while ($buf =~ /^(.*)\n\r?([\000-\377]*)$/) {
+ $_ = $1;
+ $buf = $2;
+ $pos = length($buf);
+ debug(20, "Ssh select loop, line = \"$_\"");
+ if (/^connection.*refused/i) {
+ $err = "connection refused";
+ } elsif (/^permission/i) {
+ $err = "permission denied";
+ } elsif (/$public_key.*no\s+file/i) {
+ $err = "$public_key file not found";
+ } elsif (/$public_key.*permission\s+denied/i) {
+ $err = "$public_key file permission denied";
+ } elsif (/^\d+\s+\d+\s+\d/) {
+ kill(2, $pid); sleep(1); kill(9, $pid);
+ close(SSH);
+ return $_;
+ }
+ if (defined($err)) {
+ kill(2, $pid); sleep(1); kill(9, $pid);
+ close(SSH);
+ return undef;
+ }
+ }
+ if ($buf =~ /password: $/i) {
+ if (defined($passwordtimeout)) {
+ $tmout = $passwordtimeout;
+ print(STDERR "$bell\n\rPassword: ");
+ if ($tmout == 0) {
+ $tmout = undef;
+ }
+ } else {
+ $tmout = 0;
+ }
+ $buf = '';
+ $pos = 0;
+ }
+ }
+}
+
+######################################################################
+# find_hosts_from_known_hosts -- find host key from private known_hosts file
+# $ssh_key = find_host_from_known_hosts($host);
+
+sub find_host_from_known_hosts {
+ my($host) = @_;
+ open(KNOWNHOSTS, "<$private_ssh_known_hosts") || return undef;
+ while() {
+ @_ = split(/\s+/, $_);
+ if ($_[0] =~ /^$host$|^$host,|,$host$/) {
+ shift(@_);
+ close(KNOWNHOSTS);
+ return join(' ', @_);
+ }
+ }
+ close(KNOWNHOSTS);
+ return undef;
+}
+
+######################################################################
+# expand -- insert expanded hostnames to hostnames table
+# expand($hostname, \@hostnames, \@subdomains);
+
+sub expand {
+ my($host, $hostnames, $subdomains) = @_;
+ my($newhost, $sub, $entry);
+
+ if (!$domainnamesplit) {
+ my(@domain_pieces);
+
+ # split domain to pieces
+ @domain_pieces = split(/\./, $host);
+
+ # add rest parts, except the one before full domain name
+ $entry = shift(@domain_pieces);
+
+ debug(20, "Adding autosplit entry $entry");
+ push(@$hostnames, $entry);
+
+ for(; $#domain_pieces > 1; ) {
+ $entry .= "." . shift(@domain_pieces);
+ debug(20, "Adding autosplit entry $entry");
+ push(@$hostnames, $entry);
+ }
+ # add full domain name
+ debug(20, "Adding autosplit entry $host");
+ push(@$hostnames, $host);
+ } else {
+ if ($host =~ /^(.*)$domain$/i) {
+ $newhost = $1;
+ $newhost =~ s/\.$//g;
+ foreach $sub (@$subdomains) {
+ $entry = $newhost . $sub;
+ $entry =~ s/^\.//g;
+ if ($entry ne '') {
+ debug(20, "Adding entry $entry");
+ push(@$hostnames, $entry);
+ }
+ }
+ }
+ }
+}
+
+######################################################################
+# Print debug text
+# debug(text_debug_level, string)
+
+sub debug {
+ my($level, $str) = @_;
+ if ($debug > $level) {
+ print(STDERR "$0:debug[$level]: $str\n");
+ }
+}
+
+######################################################################
+# find_soa -- find soa entry for domain
+# ($soa_origin, @other_servers) = find_soa($domain, $initial_server)
+
+sub find_soa {
+ my($domain, $initial_server) = @_;
+ my($field, $data, $server, @other_servers);
+
+ open(DNS, "$nslookup -type=soa $domain $initial_server 2>&1 |") ||
+ die "Error: Could not start nslookup to find SOA entry for $domain : $!\nError: Try giving the path to it with --nslookup option\n";
+
+ while () {
+ if (/^[^=]*origin\s*=\s*(.*)/) {
+ $server = $1;
+ debug(10, "Found origin : $1");
+ } elsif (/^[^=]*nameserver\s*=\s*(.*)\s*$/) {
+ push(@other_servers, $1);
+ debug(10, "Found nameserver : $1");
+ }
+ }
+ close(DNS);
+ return($server, @other_servers);
+}
+
+######################################################################
+# make_perl_happy -- use some symbols, so perl doesn't complain so much
+# make_perl_happy();
+
+sub make_perl_happy {
+ if (0) {
+ print $opt_silent;
+ }
+}
+
+1;
diff -ruN --exclude CVS ssh-openbsd-2000070100/contrib/redhat/openssh.spec openssh-2.1.1p2/contrib/redhat/openssh.spec
--- ssh-openbsd-2000070100/contrib/redhat/openssh.spec Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/contrib/redhat/openssh.spec Thu Jun 22 21:37:38 2000
@@ -0,0 +1,253 @@
+# Version of OpenSSH
+%define oversion 2.1.1p2
+
+# Version of ssh-askpass
+%define aversion 1.0
+
+Summary: OpenSSH free Secure Shell (SSH) implementation
+Name: openssh
+Version: %{oversion}
+Release: 1
+Packager: Damien Miller
+URL: http://www.openssh.com/
+Source0: http://violet.ibs.com.au/openssh/files/openssh-%{oversion}.tar.gz
+Source1: http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
+Copyright: BSD
+Group: Applications/Internet
+BuildRoot: /tmp/openssh-%{version}-buildroot
+Obsoletes: ssh
+PreReq: openssl >= 0.9.5a
+Requires: openssl >= 0.9.5a
+BuildPreReq: perl
+BuildPreReq: openssl-devel
+BuildPreReq: tcp_wrappers
+BuildPreReq: gnome-libs-devel
+
+%package clients
+Summary: OpenSSH Secure Shell protocol clients
+Requires: openssh
+Group: System Environment/Daemons
+Obsoletes: ssh-clients
+
+%package server
+Summary: OpenSSH Secure Shell protocol server (sshd)
+Group: System Environment/Daemons
+Obsoletes: ssh-server
+PreReq: openssh chkconfig >= 0.9
+
+%package askpass
+Summary: OpenSSH X11 passphrase dialog
+Group: Applications/Internet
+Requires: openssh
+Obsoletes: ssh-extras
+
+%package askpass-gnome
+Summary: OpenSSH GNOME passphrase dialog
+Group: Applications/Internet
+Requires: openssh
+Obsoletes: ssh-extras
+
+%description
+Ssh (Secure Shell) a program for logging into a remote machine and for
+executing commands in a remote machine. It is intended to replace
+rlogin and rsh, and provide secure encrypted communications between
+two untrusted hosts over an insecure network. X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
+up to date in terms of security and features, as well as removing all
+patented algorithms to seperate libraries (OpenSSL).
+
+This package includes the core files necessary for both the OpenSSH
+client and server. To make this package useful, you should also
+install openssh-clients, openssh-server, or both.
+
+%description clients
+Ssh (Secure Shell) a program for logging into a remote machine and for
+executing commands in a remote machine. It is intended to replace
+rlogin and rsh, and provide secure encrypted communications between
+two untrusted hosts over an insecure network. X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
+up to date in terms of security and features, as well as removing all
+patented algorithms to seperate libraries (OpenSSL).
+
+This package includes the clients necessary to make encrypted connections
+to SSH servers.
+
+%description server
+Ssh (Secure Shell) a program for logging into a remote machine and for
+executing commands in a remote machine. It is intended to replace
+rlogin and rsh, and provide secure encrypted communications between
+two untrusted hosts over an insecure network. X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
+up to date in terms of security and features, as well as removing all
+patented algorithms to seperate libraries (OpenSSL).
+
+This package contains the secure shell daemon. The sshd is the server
+part of the secure shell protocol and allows ssh clients to connect to
+your host.
+
+%description askpass
+Ssh (Secure Shell) a program for logging into a remote machine and for
+executing commands in a remote machine. It is intended to replace
+rlogin and rsh, and provide secure encrypted communications between
+two untrusted hosts over an insecure network. X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
+up to date in terms of security and features, as well as removing all
+patented algorithms to seperate libraries (OpenSSL).
+
+This package contains Jim Knoble's X11 passphrase
+dialog.
+
+%description askpass-gnome
+Ssh (Secure Shell) a program for logging into a remote machine and for
+executing commands in a remote machine. It is intended to replace
+rlogin and rsh, and provide secure encrypted communications between
+two untrusted hosts over an insecure network. X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
+up to date in terms of security and features, as well as removing all
+patented algorithms to seperate libraries (OpenSSL).
+
+This package contains the GNOME passphrase dialog.
+
+%changelog
+* Mon Jun 12 2000 Damien Miller
+- Glob manpages to catch compressed files
+* Wed Mar 15 2000 Damien Miller
+- Updated for new location
+- Updated for new gnome-ssh-askpass build
+* Sun Dec 26 1999 Damien Miller
+- Added Jim Knoble's askpass
+* Mon Nov 15 1999 Damien Miller
+- Split subpackages further based on patch from jim knoble
+* Sat Nov 13 1999 Damien Miller
+- Added 'Obsoletes' directives
+* Tue Nov 09 1999 Damien Miller
+- Use make install
+- Subpackages
+* Mon Nov 08 1999 Damien Miller
+- Added links for slogin
+- Fixed perms on manpages
+* Sat Oct 30 1999 Damien Miller
+- Renamed init script
+* Fri Oct 29 1999 Damien Miller
+- Back to old binary names
+* Thu Oct 28 1999 Damien Miller
+- Use autoconf
+- New binary names
+* Wed Oct 27 1999 Damien Miller
+- Initial RPMification, based on Jan "Yenya" Kasprzak's spec.
+
+%prep
+
+%setup -a 1
+
+%build
+
+CFLAGS="$RPM_OPT_FLAGS" \
+ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
+ --with-tcp-wrappers --with-ipv4-default \
+ --with-rsh=/usr/bin/rsh
+
+make
+
+cd x11-ssh-askpass-%{aversion}
+xmkmf -a
+make
+cd ..
+
+cd contrib
+gcc -O -g `gnome-config --cflags gnome gnomeui` \
+ gnome-ssh-askpass.c -o gnome-ssh-askpass \
+ `gnome-config --libs gnome gnomeui`
+cd ..
+
+%install
+rm -rf $RPM_BUILD_ROOT
+make install DESTDIR=$RPM_BUILD_ROOT/
+
+install -d $RPM_BUILD_ROOT/etc/pam.d/
+install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
+install -d $RPM_BUILD_ROOT/usr/libexec/ssh
+install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
+install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
+
+install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/ssh/x11-ssh-askpass
+ln -s /usr/libexec/ssh/x11-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/ssh/ssh-askpass
+
+install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/ssh/gnome-ssh-askpass
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post server
+/sbin/chkconfig --add sshd
+if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then
+ /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2
+fi
+if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then
+ /usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N '' >&2
+fi
+if test -r /var/run/sshd.pid
+then
+ /etc/rc.d/init.d/sshd restart >&2
+fi
+
+%preun server
+if [ "$1" = 0 ]
+then
+ /etc/rc.d/init.d/sshd stop >&2
+ /sbin/chkconfig --del sshd
+fi
+
+%files
+%defattr(-,root,root)
+%doc ChangeLog OVERVIEW COPYING.Ylonen README* INSTALL
+%doc CREDITS UPGRADING
+%attr(0755,root,root) /usr/bin/ssh-keygen
+%attr(0755,root,root) /usr/bin/scp
+%attr(0644,root,root) /usr/man/man1/ssh-keygen.1*
+%attr(0644,root,root) /usr/man/man1/scp.1*
+%attr(0755,root,root) %dir /etc/ssh
+%attr(0755,root,root) %dir /usr/libexec/ssh
+
+%files clients
+%defattr(-,root,root)
+%attr(4755,root,root) /usr/bin/ssh
+%attr(0755,root,root) /usr/bin/ssh-agent
+%attr(0755,root,root) /usr/bin/ssh-add
+%attr(0644,root,root) /usr/man/man1/ssh.1*
+%attr(0644,root,root) /usr/man/man1/ssh-agent.1*
+%attr(0644,root,root) /usr/man/man1/ssh-add.1*
+%attr(0644,root,root) %config(noreplace) /etc/ssh/ssh_config
+%attr(-,root,root) /usr/bin/slogin
+%attr(-,root,root) /usr/man/man1/slogin.1*
+
+%files server
+%defattr(-,root,root)
+%attr(0755,root,root) /usr/sbin/sshd
+%attr(0644,root,root) /usr/man/man8/sshd.8*
+%attr(0600,root,root) %config(noreplace) /etc/ssh/sshd_config
+%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
+%attr(0755,root,root) %config /etc/rc.d/init.d/sshd
+
+%files askpass
+%defattr(-,root,root)
+%doc x11-ssh-askpass-%{aversion}/README
+%doc x11-ssh-askpass-%{aversion}/ChangeLog
+%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad
+%attr(0755,root,root) /usr/libexec/ssh/ssh-askpass
+%attr(0755,root,root) /usr/libexec/ssh/x11-ssh-askpass
+
+%files askpass-gnome
+%defattr(-,root,root)
+%attr(0755,root,root) /usr/libexec/ssh/gnome-ssh-askpass
+
diff -ruN --exclude CVS ssh-openbsd-2000070100/contrib/redhat/sshd.init openssh-2.1.1p2/contrib/redhat/sshd.init
--- ssh-openbsd-2000070100/contrib/redhat/sshd.init Thu Jan 1 10:00:00 1970
+++
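Review bot: `%attr(4755,root,root) /usr/bin/ssh` in `%files clients` installs the client set-uid root, and nothing in the spec records why. As far as this reviewer knows the only feature that needs root is binding a privileged source port for the old rhosts/RhostsRSA authentication; every other use of ssh works unprivileged, and a set-uid binary that parses user-supplied configuration and key files is the largest attack surface this package ships. Either drop the bit to 0755 and note that RhostsRSA then needs it re-added, or keep it and put a comment above the line, `# 4755: ssh needs root only to bind a privileged port for RhostsRSA auth`. The SuSE spec further down carries the same attribute.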
openssh-2.1.1p2/contrib/redhat/sshd.init Wed Mar 15 12:25:07 2000
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+# Init file for OpenSSH server daemon
+#
+# chkconfig: 2345 55 25
+# description: OpenSSH server daemon
+#
+# processname: sshd
+# config: /etc/ssh/ssh_host_key
+# config: /etc/ssh/ssh_host_key.pub
+# config: /etc/ssh/ssh_random_seed
+# config: /etc/ssh/sshd_config
+# pidfile: /var/run/sshd.pid
+
+# source function library
+. /etc/rc.d/init.d/functions
+
+RETVAL=0
+
+case "$1" in
+ start)
+ echo -n "Starting sshd: "
+ if [ ! -f /var/run/sshd.pid ] ; then
+ case "`type -type success`" in
+ function)
+ /usr/sbin/sshd && success "sshd startup" || failure "sshd startup"
+ RETVAL=$?
+ ;;
+ *)
+ /usr/sbin/sshd && echo -n "sshd "
+ RETVAL=$?
+ ;;
+ esac
+ [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
+ fi
+ echo
+ ;;
+ stop)
+ echo -n "Shutting down sshd: "
+ if [ -f /var/run/sshd.pid ] ; then
+ killproc sshd
+ fi
+ echo
+ [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
+ ;;
+ restart)
+ $0 stop
+ $0 start
+ RETVAL=$?
+ ;;
+ status)
+ status sshd
+ RETVAL=$?
+ ;;
+ *)
+ echo "Usage: sshd {start|stop|restart|status}"
+ exit 1
+esac
+
+exit $RETVAL
diff -ruN --exclude CVS ssh-openbsd-2000070100/contrib/redhat/sshd.pam openssh-2.1.1p2/contrib/redhat/sshd.pam
--- ssh-openbsd-2000070100/contrib/redhat/sshd.pam Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/contrib/redhat/sshd.pam Wed Mar 15 12:25:07 2000
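Review bot: In the `start)` branch, `RETVAL=$?` after `/usr/sbin/sshd && success "sshd startup" || failure "sshd startup"` records the exit status of `success`/`failure`, not of sshd, so a daemon that failed to start can still get `/var/lock/subsys/sshd` touched and an exit code of 0 if `failure` happens to return 0. Capture sshd's status before reporting it: `/usr/sbin/sshd; RETVAL=$?` followed by `[ $RETVAL -eq 0 ] && success "sshd startup" || failure "sshd startup"`. The `stop)` branch has the mirror problem: `killproc sshd` is called but its status never reaches RETVAL, so the lock file is always removed and the script always exits 0 on stop; `killproc sshd; RETVAL=$?` fixes that. The `# config: /etc/ssh/ssh_random_seed` header line looks inherited from the older ssh, since no file by that name is installed by the specs in this patch; confirm before keeping it.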
@@ -0,0 +1,8 @@
+#%PAM-1.0
+auth required /lib/security/pam_pwdb.so shadow nodelay
+auth required /lib/security/pam_nologin.so
+account required /lib/security/pam_pwdb.so
+password required /lib/security/pam_cracklib.so
+password required /lib/security/pam_pwdb.so shadow nullok use_authtok
+session required /lib/security/pam_pwdb.so
+session required /lib/security/pam_limits.so
diff -ruN --exclude CVS ssh-openbsd-2000070100/contrib/ssh-copy-id openssh-2.1.1p2/contrib/ssh-copy-id
--- ssh-openbsd-2000070100/contrib/ssh-copy-id Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/contrib/ssh-copy-id Wed Mar 15 12:13:03 2000
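Review bot: `nodelay` on the `auth required /lib/security/pam_pwdb.so shadow nodelay` line switches off PAM's pause after a failed password, which is the only throttle on repeated password guesses that this stack provides, and nothing in the file says whether sshd is expected to supply a delay of its own. If the option is intentional, a comment above the line such as `# nodelay: sshd is expected to apply its own failed-login delay` (once that is confirmed) keeps the next maintainer from reverting it; if not, drop it. `nullok` on the `password` line lets accounts with an empty password through the password-change stack and deserves the same one-line justification. contrib/sshd.pam.generic further down carries identical `nodelay` and `nullok` options and the same note applies there.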
@@ -0,0 +1,45 @@ +#!/bin/sh + +# Shell script to install your identity.pub on a remote machine +# Takes the remote machine name as an argument. +# Obviously, the remote machine must accept password authentication, +# or one of the other keys in your ssh-agent, for this to work. + +ID_FILE="${HOME}/.ssh/identity.pub" + +if [ "-i" = "$1" ]; then + shift + # check if we have 2 parameters left, if so the first is the new ID file + if [ -n "$2" ]; then + if expr "$1" : ".*\.pub" ; then + ID_FILE="$1" + else + ID_FILE="$1.pub" + fi + shift # and this should leave $1 as the target name + fi +else + if [ x$SSH_AUTH_SOCK != x ] ; then + GET_ID="$GET_ID ssh-add -L" + fi +fi + +if [ -z "`eval $GET_ID`" -a -r "${ID_FILE}" ] ; then + GET_ID="cat ${ID_FILE}" +fi + +if [ -z "`eval $GET_ID`" ]; then + echo "$0: ERROR: No identities found" + exit 1 +fi + +{ eval "$GET_ID" ; } | ssh $1 "test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys ; chmod g-w . .ssh .ssh/authorized_keys" + +cat < + +Permission is granted to make and distribute verbatim copies of +this manual provided the copyright notice and this permission notice +are preserved on all copies. + +Permission is granted to copy and distribute modified versions of this +manual under the conditions for verbatim copying, provided that the +entire resulting derived work is distributed under the terms of a +permission notice identical to this one. + +Permission is granted to copy and distribute translations of this +manual into another language, under the above conditions for modified +versions, except that this permission notice may be included in +translations approved by the Free Software Foundation instead of in +the original English. +.. 
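Review bot: The remote command `ssh $1 "test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys ; chmod g-w . .ssh .ssh/authorized_keys"` creates `.ssh` and `authorized_keys` with whatever mode the remote umask yields and then strips only group write, so a permissive umask leaves both other-writable and a StrictModes sshd will still refuse the key. Use `mkdir -m 700 .ssh` and `chmod go-w . .ssh .ssh/authorized_keys` (or `chmod 600 .ssh/authorized_keys`) so the result does not depend on the remote umask. On the same line `$1` is handed to ssh unquoted, and earlier `[ x$SSH_AUTH_SOCK != x ]` is unquoted as well; `"$1"` and `"x$SSH_AUTH_SOCK"` avoid word splitting on odd values. The tail of this hunk is garbled in the rendering (the `cat <` heredoc and the following ssh-copy-id.1 file header ran together), so the closing lines could not be reviewed.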
+.TH SSH-COPY-ID 1 "14 November 1999" "OpenSSH" +.SH NAME +ssh-copy-id \- install your identity.pub in a remote machine's authorized_keys +.SH SYNOPSIS +.B ssh-copy-id [-i [identity_file]] +.I "[user@]machine" +.br +.SH DESCRIPTION +.BR ssh-copy-id +is a script that uses ssh to log into a remote machine (presumably +using a login password, so password authentication should be enabled, +unless you've done some clever use of multiple identities) +.PP +It also changes the permissions of the remote user's home, +.BR ~/.ssh , +and +.B ~/.ssh/authorized_keys +to remove group writability (which would otherwise prevent you from logging in, if the remote +.B sshd +has +.B StrictModes +set in its configuration). +.PP +If the +.B -i +option is given then the identity file (defaults to +.BR ~/.ssh/identity.pub ) +is used, regardless of whether there are any keys in your +.BR ssh-agent . +Otherwise, if this: +.PP +.B " ssh-add -L" +.PP +provides any output, it uses that in preference to the identity file. +.PP +If the +.B -i +option is used, or the +.B ssh-add +produced no output, then it uses the contents of the identity +file. Once it has one or more fingerprints (by whatever means) it +uses ssh to append them to +.B ~/.ssh/authorised_keys +on the remote machine (creating the file, and directory, if necessary) + +.SH "SEE ALSO" +.BR ssh (1), +.BR ssh-agent (1), +.BR sshd (8) diff -ruN --exclude CVS ssh-openbsd-2000070100/contrib/sshd.pam.freebsd openssh-2.1.1p2/contrib/sshd.pam.freebsd --- ssh-openbsd-2000070100/contrib/sshd.pam.freebsd Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/contrib/sshd.pam.freebsd Wed Mar 15 12:25:06 2000 
@@ -0,0 +1,5 @@
+sshd auth required pam_unix.so try_first_pass
+sshd account required pam_unix.so
+sshd password required pam_permit.so
+sshd session required pam_permit.so
+
diff -ruN --exclude CVS ssh-openbsd-2000070100/contrib/sshd.pam.generic openssh-2.1.1p2/contrib/sshd.pam.generic
--- ssh-openbsd-2000070100/contrib/sshd.pam.generic Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/contrib/sshd.pam.generic Wed Mar 15 12:25:06 2000
@@ -0,0 +1,8 @@
+#%PAM-1.0
+auth required /lib/security/pam_unix.so shadow nodelay
+auth required /lib/security/pam_nologin.so
+account required /lib/security/pam_unix.so
+password required /lib/security/pam_cracklib.so
+password required /lib/security/pam_unix.so shadow nullok use_authtok
+session required /lib/security/pam_unix.so
+session required /lib/security/pam_limits.so
diff -ruN --exclude CVS ssh-openbsd-2000070100/contrib/suse/openssh.spec openssh-2.1.1p2/contrib/suse/openssh.spec
--- ssh-openbsd-2000070100/contrib/suse/openssh.spec Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/contrib/suse/openssh.spec Thu Jun 22 21:37:38 2000
@@ -0,0 +1,261 @@
+Summary: OpenSSH, a free Secure Shell (SSH) implementation
+Name: openssh
+Version: 2.1.1p2
+URL: http://www.openssh.com/
+Release: 1
+Source0: openssh-%{version}.tar.gz
+Copyright: BSD
+Group: Applications/Internet
+BuildRoot: /tmp/openssh-%{version}-buildroot
+PreReq: openssl
+Obsoletes: ssh
+#
+# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.)
+# building prerequisites -- stuff for
+# OpenSSL (openssl-devel),
+# TCP Wrappers (nkitb),
+# and Gnome (glibdev, gtkdev, and gnlibsd)
+#
+BuildPrereq: openssl-devel
+BuildPrereq: nkitb
+BuildPrereq: glibdev
+BuildPrereq: gtkdev
+BuildPrereq: gnlibsd
+
+%package clients
+Summary: OpenSSH Secure Shell protocol clients
+Requires: openssh
+Group: Applications/Internet
+Obsoletes: ssh-clients
+
+%package server
+Summary: OpenSSH Secure Shell protocol server (sshd)
+Requires: openssh
+Group: System Environment/Daemons
+PreReq: openssh
+Obsoletes: ssh-server
+
+%package askpass
+Summary: OpenSSH GNOME passphrase dialog
+Group: Applications/Internet
+Requires: openssh
+Obsoletes: ssh-extras
+Obsoletes: ssh-askpass
+
+%description
+Ssh (Secure Shell) a program for logging into a remote machine and for
+executing commands in a remote machine. It is intended to replace
+rlogin and rsh, and provide secure encrypted communications between
+two untrusted hosts over an insecure network. X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
+up to date in terms of security and features, as well as removing all
+patented algorithms to seperate libraries (OpenSSL).
+
+This package includes the core files necessary for both the OpenSSH
+client and server. To make this package useful, you should also
+install openssh-clients, openssh-server, or both.
+
+%description clients
+Ssh (Secure Shell) a program for logging into a remote machine and for
+executing commands in a remote machine. It is intended to replace
+rlogin and rsh, and provide secure encrypted communications between
+two untrusted hosts over an insecure network. X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
+up to date in terms of security and features, as well as removing all
+patented algorithms to seperate libraries (OpenSSL).
+
+This package includes the clients necessary to make encrypted connections
+to SSH servers.
+
+%description server
+Ssh (Secure Shell) a program for logging into a remote machine and for
+executing commands in a remote machine. It is intended to replace
+rlogin and rsh, and provide secure encrypted communications between
+two untrusted hosts over an insecure network. X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
+up to date in terms of security and features, as well as removing all
+patented algorithms to seperate libraries (OpenSSL).
+
+This package contains the secure shell daemon. The sshd is the server
+part of the secure shell protocol and allows ssh clients to connect to
+your host.
+
+%description askpass
+Ssh (Secure Shell) a program for logging into a remote machine and for
+executing commands in a remote machine. It is intended to replace
+rlogin and rsh, and provide secure encrypted communications between
+two untrusted hosts over an insecure network. X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
+up to date in terms of security and features, as well as removing all
+patented algorithms to seperate libraries (OpenSSL).
+
+This package contains the GNOME passphrase dialog.
+
+%changelog
+* Mon Jun 12 2000 Damien Miller
+- Glob manpages to catch compressed files
+* Wed Mar 15 2000 Damien Miller
+- Updated for new location
+- Updated for new gnome-ssh-askpass build
+* Sun Dec 26 1999 Chris Saia
+- Made symlink to gnome-ssh-askpass called ssh-askpass
+* Wed Nov 24 1999 Chris Saia
+- Removed patches that included /etc/pam.d/sshd, /sbin/init.d/rc.sshd, and
+ /var/adm/fillup-templates/rc.config.sshd, since Damien merged these into
+ his released tarfile
+- Changed permissions on ssh_config in the install procedure to 644 from 600
+ even though it was correct in the %files section and thus right in the RPMs
+- Postinstall script for the server now only prints "Generating SSH host
+ key..." if we need to actually do this, in order to eliminate a confusing
+ message if an SSH host key is already in place
+- Marked all manual pages as %doc(umentation)
+* Mon Nov 22 1999 Chris Saia
+- Added flag to configure daemon with TCP Wrappers support
+- Added building prerequisites (works in RPM 3.0 and newer)
+* Thu Nov 18 1999 Chris Saia
+- Made this package correct for SuSE.
+- Changed instances of pam_pwdb.so to pam_unix.so, since it works more properly
+ with SuSE, and lib_pwdb.so isn't installed by default.
+* Mon Nov 15 1999 Damien Miller
+- Split subpackages further based on patch from jim knoble
+* Sat Nov 13 1999 Damien Miller
+- Added 'Obsoletes' directives
+* Tue Nov 09 1999 Damien Miller
+- Use make install
+- Subpackages
+* Mon Nov 08 1999 Damien Miller
+- Added links for slogin
+- Fixed perms on manpages
+* Sat Oct 30 1999 Damien Miller
+- Renamed init script
+* Fri Oct 29 1999 Damien Miller
+- Back to old binary names
+* Thu Oct 28 1999 Damien Miller
+- Use autoconf
+- New binary names
+* Wed Oct 27 1999 Damien Miller
+- Initial RPMification, based on Jan "Yenya" Kasprzak's spec.
+
+%prep
+
+%setup -q
+
+%build
+CFLAGS="$RPM_OPT_FLAGS" \
+./configure --prefix=/usr --sysconfdir=/etc/ssh --with-gnome-askpass \
+ --with-tcp-wrappers --with-ipv4-default
+make
+
+cd contrib
+gcc -O -g `gnome-config --cflags gnome gnomeui` \
+ gnome-ssh-askpass.c -o gnome-ssh-askpass \
+ `gnome-config --libs gnome gnomeui`
+cd ..
+
+%install
+rm -rf $RPM_BUILD_ROOT
+make install DESTDIR=$RPM_BUILD_ROOT/
+install -d $RPM_BUILD_ROOT/etc/ssh/
+install -d $RPM_BUILD_ROOT/etc/pam.d/
+install -d $RPM_BUILD_ROOT/sbin/init.d/
+install -d $RPM_BUILD_ROOT/var/adm/fillup-templates
+install -d $RPM_BUILD_ROOT/usr/libexec/ssh
+install -m644 sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd
+install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/sbin/init.d/sshd
+ln -s ../../sbin/init.d/sshd $RPM_BUILD_ROOT/usr/sbin/rcsshd
+install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/ssh/gnome-ssh-askpass
+ln -s gnome-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/ssh/ssh-askpass
+install -m744 contrib/suse/rc.config.sshd \
+ $RPM_BUILD_ROOT/var/adm/fillup-templates
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post server
+if [ "$1" = 1 ]; then
+ echo "Creating SSH stop/start scripts in the rc directories..."
+ ln -s ../sshd /sbin/init.d/rc2.d/K20sshd
+ ln -s ../sshd /sbin/init.d/rc2.d/S20sshd
+ ln -s ../sshd /sbin/init.d/rc3.d/K20sshd
+ ln -s ../sshd /sbin/init.d/rc3.d/S20sshd
+fi
+echo "Updating /etc/rc.config..."
+if [ -x /bin/fillup ] ; then
+ /bin/fillup -q -d = etc/rc.config var/adm/fillup-templates/rc.config.sshd
+else
+ echo "ERROR: fillup not found. This should NOT happen in SuSE Linux."
+ echo "Update /etc/rc.config by hand from the following template file:"
+ echo " /var/adm/fillup-templates/rc.config.sshd"
+fi
+if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then
+ echo "Generating SSH host key..."
+ /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2
+fi
+if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then
+ echo "Generating SSH DSA host key..."
+ /usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N '' >&2
+fi
+if test -r /var/run/sshd.pid
+then
+ echo "Restarting the running SSH daemon..."
+ /usr/sbin/rcsshd restart >&2
+fi
+
+%preun server
+if [ "$1" = 0 ]
+then
+ echo "Stopping the SSH daemon..."
+ /usr/sbin/rcsshd stop >&2
+ echo "Removing SSH stop/start scripts from the rc directories..."
+ rm /sbin/init.d/rc2.d/K20sshd
+ rm /sbin/init.d/rc2.d/S20sshd
+ rm /sbin/init.d/rc3.d/K20sshd
+ rm /sbin/init.d/rc3.d/S20sshd
+fi
+
+%files
+%defattr(-,root,root)
+%doc COPYING.Ylonen ChangeLog OVERVIEW README*
+%doc RFC.nroff TODO UPGRADING CREDITS
+%attr(0755,root,root) /usr/bin/ssh-keygen
+%attr(0755,root,root) /usr/bin/scp
+%attr(0644,root,root) %doc /usr/man/man1/ssh-keygen.1*
+%attr(0644,root,root) %doc /usr/man/man1/scp.1*
+%attr(0755,root,root) %dir /etc/ssh
+%attr(0755,root,root) %dir /usr/libexec/ssh
+
+%files clients
+%defattr(-,root,root)
+%attr(4755,root,root) /usr/bin/ssh
+%attr(0755,root,root) /usr/bin/ssh-agent
+%attr(0755,root,root) /usr/bin/ssh-add
+%attr(0644,root,root) %doc /usr/man/man1/ssh.1*
+%attr(0644,root,root) %doc /usr/man/man1/ssh-agent.1*
+%attr(0644,root,root) %doc /usr/man/man1/ssh-add.1*
+%attr(0644,root,root) %config /etc/ssh/ssh_config
+%attr(-,root,root) /usr/bin/slogin
+%attr(-,root,root) %doc /usr/man/man1/slogin.1*
+
+%files server
+%defattr(-,root,root)
+%attr(0755,root,root) /usr/sbin/sshd
+%attr(0644,root,root) %doc /usr/man/man8/sshd.8*
+%attr(0600,root,root) %config /etc/ssh/sshd_config
+%attr(0644,root,root) %config /etc/pam.d/sshd
+%attr(0755,root,root) %config /sbin/init.d/sshd
+%attr(-,root,root) /usr/sbin/rcsshd
+%attr(0644,root,root) /var/adm/fillup-templates/rc.config.sshd
+
+%files askpass
+%defattr(-,root,root)
+%attr(0755,root,root) /usr/libexec/ssh/ssh-askpass
+%attr(0755,root,root) /usr/libexec/ssh/gnome-ssh-askpass
+
diff -ruN --exclude CVS
ssh-openbsd-2000070100/contrib/suse/rc.config.sshd openssh-2.1.1p2/contrib/suse/rc.config.sshd
--- ssh-openbsd-2000070100/contrib/suse/rc.config.sshd Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/contrib/suse/rc.config.sshd Wed Mar 15 12:25:07 2000
@@ -0,0 +1,5 @@
+#
+# Start the Secure Shell (SSH) Daemon?
+#
+START_SSHD="yes"
+
diff -ruN --exclude CVS ssh-openbsd-2000070100/contrib/suse/rc.sshd openssh-2.1.1p2/contrib/suse/rc.sshd
--- ssh-openbsd-2000070100/contrib/suse/rc.sshd Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/contrib/suse/rc.sshd Wed Mar 15 12:25:07 2000
@@ -0,0 +1,80 @@
+#! /bin/sh
+# Copyright (c) 1995-1998 SuSE GmbH Nuernberg, Germany.
+#
+# Author: Chris Saia
+#
+# /sbin/init.d/sshd
+#
+# and symbolic its link
+#
+# /sbin/rcsshd
+#
+
+. /etc/rc.config
+
+# Determine the base and follow a runlevel link name.
+base=${0##*/}
+link=${base#*[SK][0-9][0-9]}
+
+# Force execution if not called by a runlevel directory.
+test $link = $base && START_SSHD=yes
+test "$START_SSHD" = yes || exit 0
+
+# The echo return value for success (defined in /etc/rc.config).
+return=$rc_done
+case "$1" in
+ start)
+ echo -n "Starting service sshd"
+ ## Start daemon with startproc(8). If this fails
+ ## the echo return value is set appropriate.
+
+ startproc /usr/sbin/sshd || return=$rc_failed
+
+ echo -e "$return"
+ ;;
+ stop)
+ echo -n "Stopping service sshd"
+ ## Stop daemon with killproc(8) and if this fails
+ ## set echo the echo return value.
+
+ killproc -TERM /usr/sbin/sshd || return=$rc_failed
+
+ echo -e "$return"
+ ;;
+ restart)
+ ## If first returns OK call the second, if first or
+ ## second command fails, set echo return value.
+ $0 stop && $0 start || return=$rc_failed
+ ;;
+ reload)
+ ## Choose ONE of the following two cases:
+
+ ## First possibility: A few services accepts a signal
+ ## to reread the (changed) configuration.
+
+ echo -n "Reload service sshd"
+ killproc -HUP /usr/sbin/sshd || return=$rc_failed
+ echo -e "$return"
+ ;;
+ status)
+ echo -n "Checking for service sshd"
+ ## Check status with checkproc(8), if process is running
+ ## checkproc will return with exit status 0.
+
+ checkproc /usr/sbin/sshd && echo OK || echo No process
+ ;;
+ probe)
+ ## Optional: Probe for the necessity of a reload,
+ ## give out the argument which is required for a reload.
+
+ test /etc/ssh/sshd_config -nt /var/run/sshd.pid && echo reload
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|restart|reload[|probe]}"
+ exit 1
+ ;;
+esac
+
+# Inform the caller not only verbosely and set an exit status.
+test "$return" = "$rc_done" || exit 1
+exit 0
diff -ruN --exclude CVS ssh-openbsd-2000070100/defines.h openssh-2.1.1p2/defines.h
--- ssh-openbsd-2000070100/defines.h Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/defines.h Fri Jun 23 08:23:34 2000
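Review bot: The `reload` case still carries the SuSE template's placeholder comment `## Choose ONE of the following two cases:` / `## First possibility: ...` although only one alternative was kept; the leftover text reads as if a second branch is missing, so it should be trimmed to `## sshd re-reads its configuration on SIGHUP.` Earlier in the hunk, `test $link = $base && START_SSHD=yes` leaves both expansions unquoted; the values derive from `$0`, so the practical risk is low, but `test "$link" = "$base"` matches the quoting already used on the next line and avoids a syntax error if the script is ever invoked through an unusual path. The `status` branch never records a failure in `$return`, so a stopped daemon still yields exit status 0 from the trailing `test "$return" = "$rc_done"`; if callers rely on the exit code, `checkproc /usr/sbin/sshd && echo OK || { echo No process; return=$rc_failed; }` would make it consistent with the other actions.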
@@ -0,0 +1,381 @@ +#ifndef _DEFINES_H +#define _DEFINES_H + +/* Necessary headers */ + +#include /* For [u]intxx_t */ +#include /* For SHUT_XXXX */ +#include /* For MAXPATHLEN */ +#include /* For typedefs */ +#include /* For IPv6 macros */ +#include /* For IPTOS macros */ +#ifdef HAVE_SYS_BITYPES_H +# include /* For u_intXX_t */ +#endif +#ifdef HAVE_PATHS_H +# include /* For _PATH_XXX */ +#endif +#ifdef HAVE_LIMITS_H +# include /* For PATH_MAX */ +#endif +#ifdef HAVE_SYS_TIME_H +# include /* For timersub */ +#endif +#ifdef HAVE_MAILLOCK_H +# include /* For _PATH_MAILDIR */ +#endif +#ifdef HAVE_SYS_CDEFS_H +# include /* For __P() */ +#endif +#ifdef HAVE_SYS_SYSMACROS_H +# include /* For MIN, MAX, etc */ +#endif +#ifdef HAVE_SYS_STAT_H +# include /* For S_* constants and macros */ +#endif + +#include /* For STDIN_FILENO, etc */ + +/* Constants */ + +#ifndef SHUT_RDWR +enum +{ + SHUT_RD = 0, /* No more receptions. */ + SHUT_WR, /* No more transmissions. */ + SHUT_RDWR /* No more receptions or transmissions. 
*/ +}; +# define SHUT_RD SHUT_RD +# define SHUT_WR SHUT_WR +# define SHUT_RDWR SHUT_RDWR +#endif + +#ifndef IPTOS_LOWDELAY +# define IPTOS_LOWDELAY 0x10 +# define IPTOS_THROUGHPUT 0x08 +# define IPTOS_RELIABILITY 0x04 +# define IPTOS_LOWCOST 0x02 +# define IPTOS_MINCOST IPTOS_LOWCOST +#endif /* IPTOS_LOWDELAY */ + +#ifndef MAXPATHLEN +# ifdef PATH_MAX +# define MAXPATHLEN PATH_MAX +# else /* PATH_MAX */ +# define MAXPATHLEN 64 /* Should be safe */ +# endif /* PATH_MAX */ +#endif /* MAXPATHLEN */ + +#ifndef STDIN_FILENO +# define STDIN_FILENO 0 +#endif +#ifndef STDOUT_FILENO +# define STDOUT_FILENO 1 +#endif +#ifndef STDERR_FILENO +# define STDERR_FILENO 2 +#endif + +#ifndef S_ISREG +# define S_ISDIR(mode) (((mode) & (_S_IFMT)) == (_S_IFDIR)) +# define S_ISREG(mode) (((mode) & (_S_IFMT)) == (_S_IFREG)) +#endif /* S_ISREG */ + +#ifndef S_IXUSR +# define S_IXUSR 0000100 /* execute/search permission, */ +# define S_IXGRP 0000010 /* execute/search permission, */ +# define S_IXOTH 0000001 /* execute/search permission, */ +# define _S_IWUSR 0000200 /* write permission, */ +# define S_IWUSR _S_IWUSR /* write permission, owner */ +# define S_IWGRP 0000020 /* write permission, group */ +# define S_IWOTH 0000002 /* write permission, other */ +# define S_IRUSR 0000400 /* read permission, owner */ +# define S_IRGRP 0000040 /* read permission, group */ +# define S_IROTH 0000004 /* read permission, other */ +# define S_IRWXU 0000700 /* read, write, execute */ +# define S_IRWXG 0000070 /* read, write, execute */ +# define S_IRWXO 0000007 /* read, write, execute */ +#endif /* S_IXUSR */ + +/* Types */ + +/* If sys/types.h does not supply intXX_t, supply them ourselves */ +/* (or die trying) */ +#ifndef HAVE_INTXX_T +# if (SIZEOF_CHAR == 1) +typedef char int8_t; +# else +# error "8 bit int type not found." +# endif +# if (SIZEOF_SHORT_INT == 2) +typedef short int int16_t; +# else +# error "16 bit int type not found." 
+# endif +# if (SIZEOF_INT == 4) +typedef int int32_t; +# else +# error "32 bit int type not found." +# endif +/* +# if (SIZEOF_LONG_INT == 8) +typedef long int int64_t; +# else +# if (SIZEOF_LONG_LONG_INT == 8) +typedef long long int int64_t; +# define HAVE_INTXX_T 1 +# else +# error "64 bit int type not found." +# endif +# endif +*/ +#endif + +/* If sys/types.h does not supply u_intXX_t, supply them ourselves */ +#ifndef HAVE_U_INTXX_T +# ifdef HAVE_UINTXX_T +typedef uint8_t u_int8_t; +typedef uint16_t u_int16_t; +typedef uint32_t u_int32_t; +/* +typedef uint64_t u_int64_t; +*/ +# define HAVE_U_INTXX_T 1 +# else +# if (SIZEOF_CHAR == 1) +typedef unsigned char u_int8_t; +# else +# error "8 bit int type not found." +# endif +# if (SIZEOF_SHORT_INT == 2) +typedef unsigned short int u_int16_t; +# else +# error "16 bit int type not found." +# endif +# if (SIZEOF_INT == 4) +typedef unsigned int u_int32_t; +# else +# error "32 bit int type not found." +# endif +/* +# if (SIZEOF_LONG_INT == 8) +typedef unsigned long int u_int64_t; +# else +# if (SIZEOF_LONG_LONG_INT == 8) +typedef unsigned long long int u_int64_t; +# define HAVE_U_INTXX_T 1 +# else +# error "64 bit int type not found." 
+# endif +# endif +*/ +# endif +#endif + +#ifndef HAVE_SOCKLEN_T +typedef unsigned int socklen_t; +# define HAVE_SOCKLEN_T +#endif /* HAVE_SOCKLEN_T */ + +#ifndef HAVE_SIZE_T +typedef unsigned int size_t; +# define HAVE_SIZE_T +#endif /* HAVE_SIZE_T */ + +#ifndef HAVE_SSIZE_T +typedef int ssize_t; +# define HAVE_SSIZE_T +#endif /* HAVE_SSIZE_T */ + +#ifndef HAVE_SA_FAMILY_T +typedef int sa_family_t; +# define HAVE_SA_FAMILY_T +#endif /* HAVE_SA_FAMILY_T */ + +#ifndef HAVE_PID_T +typedef int pid_t; +# define HAVE_PID_T +#endif /* HAVE_PID_T */ + +#ifndef HAVE_MODE_T +typedef int mode_t; +# define HAVE_MODE_T +#endif /* HAVE_MODE_T */ + +#if !defined(HAVE_SS_FAMILY_IN_SS) && defined(HAVE___SS_FAMILY_IN_SS) +# define ss_family __ss_family +#endif /* !defined(HAVE_SS_FAMILY_IN_SS) && defined(HAVE_SA_FAMILY_IN_SS) */ + +/* Paths */ + +#ifndef _PATH_BSHELL +# define _PATH_BSHELL "/bin/sh" +#endif + +#ifdef USER_PATH +# ifdef _PATH_STDPATH +# undef _PATH_STDPATH +# endif +# define _PATH_STDPATH USER_PATH +#endif + +#ifndef _PATH_STDPATH +# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" +#endif + +#ifndef _PATH_DEVNULL +# define _PATH_DEVNULL "/dev/null" +#endif + +#ifndef MAIL_DIRECTORY +# define MAIL_DIRECTORY "/var/spool/mail" +#endif + +#ifndef MAILDIR +# define MAILDIR MAIL_DIRECTORY +#endif + +#if !defined(_PATH_MAILDIR) && defined(MAILDIR) +# define _PATH_MAILDIR MAILDIR +#endif /* !defined(_PATH_MAILDIR) && defined(MAILDIR) */ + +#ifndef _PATH_RSH +# ifdef RSH_PATH +# define _PATH_RSH RSH_PATH +# endif /* RSH_PATH */ +#endif /* _PATH_RSH */ + +/* Macros */ + +#ifndef MAX +# define MAX(a,b) (((a)>(b))?(a):(b)) +# define MIN(a,b) (((a)<(b))?(a):(b)) +#endif + +#ifndef timersub +#define timersub(a, b, result) \ + do { \ + (result)->tv_sec = (a)->tv_sec - (b)->tv_sec; \ + (result)->tv_usec = (a)->tv_usec - (b)->tv_usec; \ + if ((result)->tv_usec < 0) { \ + --(result)->tv_sec; \ + (result)->tv_usec += 1000000; \ + } \ + } while (0) +#endif + +#ifndef __P +# define 
__P(x) x +#endif + +#if !defined(IN6_IS_ADDR_V4MAPPED) +# define IN6_IS_ADDR_V4MAPPED(a) \ + ((((u_int32_t *) (a))[0] == 0) && (((u_int32_t *) (a))[1] == 0) && \ + (((u_int32_t *) (a))[2] == htonl (0xffff))) +#endif /* !defined(IN6_IS_ADDR_V4MAPPED) */ + +#if !defined(__GNUC__) || (__GNUC__ < 2) +# define __attribute__(x) +#endif /* !defined(__GNUC__) || (__GNUC__ < 2) */ + +#if defined(HAVE_SECURITY_PAM_APPL_H) && !defined(DISABLE_PAM) +# define USE_PAM +#endif /* defined(HAVE_SECURITY_PAM_APPL_H) && !defined(DISABLE_PAM) */ + +/* Function replacement / compatibility hacks */ + +/* In older versions of libpam, pam_strerror takes a single argument */ +#ifdef HAVE_OLD_PAM +# define PAM_STRERROR(a,b) pam_strerror((b)) +#else +# define PAM_STRERROR(a,b) pam_strerror((a),(b)) +#endif + +#if defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO) +# undef HAVE_GETADDRINFO +#endif /* defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO) */ + +#if !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) +# define memmove(s1, s2, n) bcopy((s2), (s1), (n)) +#endif /* !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) */ + +#if !defined(HAVE_ATEXIT) && defined(HAVE_ON_EXIT) +# define atexit(a) on_exit(a) +#endif /* !defined(HAVE_ATEXIT) && defined(HAVE_ON_EXIT) */ + +/** + ** login recorder definitions + **/ + +/* preprocess */ + +#ifdef HAVE_UTMP_H +# ifdef HAVE_TIME_IN_UTMP +# include +# endif +# include +#endif +#ifdef HAVE_UTMPX_H +# ifdef HAVE_TV_IN_UTMPX +# include +# endif +# include +#endif +#ifdef HAVE_LASTLOG_H +# include +#endif +#ifdef HAVE_PATHS_H +# include +#endif + +/* FIXME: put default paths back in */ +#if !defined(UTMP_FILE) && defined(_PATH_UTMP) +# define UTMP_FILE _PATH_UTMP +#endif +#if !defined(WTMP_FILE) && defined(_PATH_WTMP) +# define WTMP_FILE _PATH_WTMP +#endif +/* pick up the user's location for lastlog if given */ +#if !defined(LASTLOG_FILE) && defined(_PATH_LASTLOG) +# define LASTLOG_FILE _PATH_LASTLOG +#endif +#if !defined(LASTLOG_FILE) && 
defined(CONF_LASTLOG_FILE) +# define LASTLOG_FILE CONF_LASTLOG_FILE +#endif + + +/* The login() library function in libutil is first choice */ +#if defined(HAVE_LOGIN) && !defined(DISABLE_LOGIN) +# define USE_LOGIN + +#else +/* Simply select your favourite login types. */ +/* Can't do if-else because some systems use several... */ +# if defined(UTMPX_FILE) && !defined(DISABLE_UTMPX) +# define USE_UTMPX +# endif +# if defined(UTMP_FILE) && !defined(DISABLE_UTMP) +# define USE_UTMP +# endif +# if defined(WTMPX_FILE) && !defined(DISABLE_WTMPX) +# define USE_WTMPX +# endif +# if defined(WTMP_FILE) && !defined(DISABLE_WTMP) +# define USE_WTMP +# endif + +#endif + +/* I hope that the presence of LASTLOG_FILE is enough to detect this */ +#if defined(LASTLOG_FILE) && !defined(DISABLE_LASTLOG) +# define USE_LASTLOG +#endif + +/* which type of time to use? (api.c) */ +#ifdef HAVE_SYS_TIME_H +# define USE_TIMEVAL +#endif + +/** end of login recorder definitions */ + +#endif /* _DEFINES_H */ diff -ruN --exclude CVS ssh-openbsd-2000070100/entropy.c openssh-2.1.1p2/entropy.c --- ssh-openbsd-2000070100/entropy.c Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/entropy.c Mon Jun 26 13:55:31 2000 
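Review bot: The fallback `# define atexit(a) on_exit(a)` appears to be wrong in arity: on the systems I know that provide `on_exit()` (SunOS/Solaris, glibc) it takes a handler plus a context argument, `on_exit(void (*)(int, void *), void *)`, so a caller's `atexit(fn)` would expand to a one-argument call with a mismatched callback type; if that compatibility path is kept it needs a small wrapper that adapts the signature rather than a bare macro. The `MAXPATHLEN 64 /* Should be safe */` fallback is risky rather than safe: buffers sized from it will truncate or reject ordinary home-directory paths on a platform that defines neither `MAXPATHLEN` nor `PATH_MAX`, so a larger value such as `1024` with a comment saying it is a fallback, not a guarantee, would be preferable. The closing comment on the `ss_family` block reads `HAVE_SA_FAMILY_IN_SS` while the condition tests `HAVE___SS_FAMILY_IN_SS`; the comment should match the macro. Style-wise, the include guard `_DEFINES_H` is an identifier reserved for the implementation (leading underscore plus uppercase); `DEFINES_H` or `OPENSSH_DEFINES_H` avoids the reserved space, and the same applies to the commented-out `int64_t` / `u_int64_t` typedef blocks, which should either be enabled under a configure test or deleted rather than left as dead code.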
@@ -0,0 +1,811 @@ +/* + * Copyright (c) 2000 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Markus Friedl. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "includes.h" + +#include "ssh.h" +#include "xmalloc.h" + +#include +#include + +RCSID("$Id: entropy.c,v 1.16 2000/06/26 03:55:31 djm Exp $"); + +#ifndef offsetof +# define offsetof(type, member) ((size_t) &((type *)0)->member) +#endif + +/* Print lots of detail */ +/* #define DEBUG_ENTROPY */ + +/* Number of times to pass through command list gathering entropy */ +#define NUM_ENTROPY_RUNS 1 + +/* Scale entropy estimates back by this amount on subsequent runs */ +#define SCALE_PER_RUN 10.0 + +/* Minimum number of commands to be considered valid */ +#define MIN_ENTROPY_SOURCES 16 + +#define WHITESPACE " \t\n" + +#ifndef RUSAGE_SELF +# define RUSAGE_SELF 0 +#endif +#ifndef RUSAGE_CHILDREN +# define RUSAGE_CHILDREN 0 +#endif + +#if defined(EGD_SOCKET) || defined(RANDOM_POOL) + +#ifdef EGD_SOCKET +/* Collect entropy from EGD */ +int get_random_bytes(unsigned char *buf, int len) +{ + int fd; + char msg[2]; + struct sockaddr_un addr; + int addr_len; + + /* Sanity checks */ + if (sizeof(EGD_SOCKET) > sizeof(addr.sun_path)) + fatal("Random pool path is too long"); + if (len > 255) + fatal("Too many bytes to read from EGD"); + + memset(&addr, '\0', sizeof(addr)); + addr.sun_family = AF_UNIX; + strlcpy(addr.sun_path, EGD_SOCKET, sizeof(addr.sun_path)); + addr_len = offsetof(struct sockaddr_un, sun_path) + sizeof(EGD_SOCKET); + + fd = socket(AF_UNIX, SOCK_STREAM, 0); + if (fd == -1) { + error("Couldn't create AF_UNIX socket: %s", strerror(errno)); + return(0); + } + + if (connect(fd, (struct sockaddr*)&addr, addr_len) == -1) { + error("Couldn't connect to EGD socket \"%s\": %s", + addr.sun_path, strerror(errno)); + close(fd); + return(0); + } + + /* Send blocking read request to EGD */ + msg[0] = 0x02; + msg[1] = len; + + if (atomicio(write, fd, msg, sizeof(msg)) != sizeof(msg)) { + error("Couldn't write to EGD socket \"%s\": %s", + EGD_SOCKET, strerror(errno)); + close(fd); + return(0); + } + + if (atomicio(read, fd, buf, len) != len) { + error("Couldn't read 
from EGD socket \"%s\": %s", + EGD_SOCKET, strerror(errno)); + close(fd); + return(0); + } + + close(fd); + + return(1); +} +#else /* !EGD_SOCKET */ +#ifdef RANDOM_POOL +/* Collect entropy from /dev/urandom or pipe */ +int get_random_bytes(unsigned char *buf, int len) +{ + int random_pool; + + random_pool = open(RANDOM_POOL, O_RDONLY); + if (random_pool == -1) { + error("Couldn't open random pool \"%s\": %s", + RANDOM_POOL, strerror(errno)); + return(0); + } + + if (atomicio(read, random_pool, buf, len) != len) { + error("Couldn't read from random pool \"%s\": %s", + RANDOM_POOL, strerror(errno)); + close(random_pool); + return(0); + } + + close(random_pool); + + return(1); +} +#endif /* RANDOM_POOL */ +#endif /* EGD_SOCKET */ + +/* + * Seed OpenSSL's random number pool from Kernel random number generator + * or EGD + */ +void +seed_rng(void) +{ + char buf[32]; + + debug("Seeding random number generator"); + + if (!get_random_bytes(buf, sizeof(buf))) { + if (!RAND_status()) + fatal("Entropy collection failed and entropy exhausted"); + } else { + RAND_add(buf, sizeof(buf), sizeof(buf)); + } + + memset(buf, '\0', sizeof(buf)); +} + +#else /* defined(EGD_SOCKET) || defined(RANDOM_POOL) */ + +/* + * FIXME: proper entropy estimations. All current values are guesses + * FIXME: (ATL) do estimates at compile time? 
+ * FIXME: More entropy sources + */ + +/* slow command timeouts (all in milliseconds) */ +/* static int entropy_timeout_default = ENTROPY_TIMEOUT_MSEC; */ +static int entropy_timeout_current = ENTROPY_TIMEOUT_MSEC; + +static int prng_seed_loaded = 0; +static int prng_seed_saved = 0; +static int prng_commands_loaded = 0; + +typedef struct +{ + /* Proportion of data that is entropy */ + double rate; + /* Counter goes positive if this command times out */ + unsigned int badness; + /* Increases by factor of two each timeout */ + unsigned int sticky_badness; + /* Path to executable */ + char *path; + /* argv to pass to executable */ + char *args[5]; + /* full command string (debug) */ + char *cmdstring; +} entropy_source_t; + +double stir_from_system(void); +double stir_from_programs(void); +double stir_gettimeofday(double entropy_estimate); +double stir_clock(double entropy_estimate); +double stir_rusage(int who, double entropy_estimate); +double hash_output_from_command(entropy_source_t *src, char *hash); + +/* this is initialised from a file, by prng_read_commands() */ +entropy_source_t *entropy_sources = NULL; + +double +stir_from_system(void) +{ + double total_entropy_estimate; + long int i; + + total_entropy_estimate = 0; + + i = getpid(); + RAND_add(&i, sizeof(i), 0.5); + total_entropy_estimate += 0.1; + + i = getppid(); + RAND_add(&i, sizeof(i), 0.5); + total_entropy_estimate += 0.1; + + i = getuid(); + RAND_add(&i, sizeof(i), 0.0); + i = getgid(); + RAND_add(&i, sizeof(i), 0.0); + + total_entropy_estimate += stir_gettimeofday(1.0); + total_entropy_estimate += stir_clock(0.5); + total_entropy_estimate += stir_rusage(RUSAGE_SELF, 2.0); + + return(total_entropy_estimate); +} + +double +stir_from_programs(void) +{ + int i; + int c; + double entropy_estimate; + double total_entropy_estimate; + char hash[SHA_DIGEST_LENGTH]; + + total_entropy_estimate = 0; + for(i = 0; i < NUM_ENTROPY_RUNS; i++) { + c = 0; + while (entropy_sources[c].path != NULL) { + + if 
(!entropy_sources[c].badness) { + /* Hash output from command */ + entropy_estimate = hash_output_from_command(&entropy_sources[c], hash); + + /* Scale back entropy estimate according to command's rate */ + entropy_estimate *= entropy_sources[c].rate; + + /* Upper bound of entropy estimate is SHA_DIGEST_LENGTH */ + if (entropy_estimate > SHA_DIGEST_LENGTH) + entropy_estimate = SHA_DIGEST_LENGTH; + + /* Scale back estimates for subsequent passes through list */ + entropy_estimate /= SCALE_PER_RUN * (i + 1.0); + + /* Stir it in */ + RAND_add(hash, sizeof(hash), entropy_estimate); + +#ifdef DEBUG_ENTROPY + debug("Got %0.2f bytes of entropy from '%s'", entropy_estimate, + entropy_sources[c].cmdstring); +#endif + + total_entropy_estimate += entropy_estimate; + + /* Execution times should be a little unpredictable */ + total_entropy_estimate += stir_gettimeofday(0.05); + total_entropy_estimate += stir_clock(0.05); + total_entropy_estimate += stir_rusage(RUSAGE_SELF, 0.1); + total_entropy_estimate += stir_rusage(RUSAGE_CHILDREN, 0.1); + } else { +#ifdef DEBUG_ENTROPY + debug("Command '%s' disabled (badness %d)", + entropy_sources[c].cmdstring, entropy_sources[c].badness); +#endif + + if (entropy_sources[c].badness > 0) + entropy_sources[c].badness--; + } + + c++; + } + } + + return(total_entropy_estimate); +} + +double +stir_gettimeofday(double entropy_estimate) +{ + struct timeval tv; + + if (gettimeofday(&tv, NULL) == -1) + fatal("Couldn't gettimeofday: %s", strerror(errno)); + + RAND_add(&tv, sizeof(tv), entropy_estimate); + + return(entropy_estimate); +} + +double +stir_clock(double entropy_estimate) +{ +#ifdef HAVE_CLOCK + clock_t c; + + c = clock(); + RAND_add(&c, sizeof(c), entropy_estimate); + + return(entropy_estimate); +#else /* _HAVE_CLOCK */ + return(0); +#endif /* _HAVE_CLOCK */ +} + +double +stir_rusage(int who, double entropy_estimate) +{ +#ifdef HAVE_GETRUSAGE + struct rusage ru; + + if (getrusage(who, &ru) == -1) + return(0); + + RAND_add(&ru, sizeof(ru), 
entropy_estimate); + + return(entropy_estimate); +#else /* _HAVE_GETRUSAGE */ + return(0); +#endif /* _HAVE_GETRUSAGE */ +} + + +static +int +_get_timeval_msec_difference(struct timeval *t1, struct timeval *t2) { + int secdiff, usecdiff; + + secdiff = t2->tv_sec - t1->tv_sec; + usecdiff = (secdiff*1000000) + (t2->tv_usec - t1->tv_usec); + return (int)(usecdiff / 1000); +} + +double +hash_output_from_command(entropy_source_t *src, char *hash) +{ + static int devnull = -1; + int p[2]; + fd_set rdset; + int cmd_eof = 0, error_abort = 0; + struct timeval tv_start, tv_current; + int msec_elapsed = 0; + pid_t pid; + int status; + char buf[16384]; + int bytes_read; + int total_bytes_read; + SHA_CTX sha; + + if (devnull == -1) { + devnull = open("/dev/null", O_RDWR); + if (devnull == -1) + fatal("Couldn't open /dev/null: %s", strerror(errno)); + } + + if (pipe(p) == -1) + fatal("Couldn't open pipe: %s", strerror(errno)); + + (void)gettimeofday(&tv_start, NULL); /* record start time */ + + switch (pid = fork()) { + case -1: /* Error */ + close(p[0]); + close(p[1]); + fatal("Couldn't fork: %s", strerror(errno)); + /* NOTREACHED */ + case 0: /* Child */ + dup2(devnull, STDIN_FILENO); + dup2(p[1], STDOUT_FILENO); + dup2(p[1], STDERR_FILENO); + close(p[0]); + close(p[1]); + close(devnull); + + execv(src->path, (char**)(src->args)); + debug("(child) Couldn't exec '%s': %s", src->cmdstring, + strerror(errno)); + src->badness = src->sticky_badness = 128; + _exit(-1); + default: /* Parent */ + break; + } + + RAND_add(&pid, sizeof(&pid), 0.0); + + close(p[1]); + + /* Hash output from child */ + SHA1_Init(&sha); + total_bytes_read = 0; + + while (!error_abort && !cmd_eof) { + int ret; + struct timeval tv; + int msec_remaining; + + (void) gettimeofday(&tv_current, 0); + msec_elapsed = _get_timeval_msec_difference(&tv_start, &tv_current); + if (msec_elapsed >= entropy_timeout_current) { + error_abort=1; + continue; + } + msec_remaining = entropy_timeout_current - msec_elapsed; + + 
FD_ZERO(&rdset); + FD_SET(p[0], &rdset); + tv.tv_sec = msec_remaining / 1000; + tv.tv_usec = (msec_remaining % 1000) * 1000; + + ret = select(p[0]+1, &rdset, NULL, NULL, &tv); + + switch (ret) { + case 0: + /* timer expired */ + error_abort = 1; + break; + + case 1: + /* command input */ + bytes_read = read(p[0], buf, sizeof(buf)); + if (bytes_read == -1) { + error_abort = 1; + break; + } + if (bytes_read) { + SHA1_Update(&sha, buf, bytes_read); + total_bytes_read += bytes_read; + RAND_add(&bytes_read, sizeof(&bytes_read), 0.0); + } else + cmd_eof = 1; + + break; + + case -1: + default: + debug("Command '%s': select() failed: %s", src->cmdstring, + strerror(errno)); + error_abort = 1; + break; + } /* switch ret */ + + RAND_add(&tv, sizeof(&tv), 0.0); + } /* while !error_abort && !cmd_eof */ + + SHA1_Final(hash, &sha); + + close(p[0]); + +#ifdef DEBUG_ENTROPY + debug("Time elapsed: %d msec", msec_elapsed); +#endif + + if (waitpid(pid, &status, 0) == -1) { + debug("Couldn't wait for child '%s' completion: %s", src->cmdstring, + strerror(errno)); + return(0.0); + } + + RAND_add(&status, sizeof(&status), 0.0); + + if (error_abort) { + /* closing p[0] on timeout causes the entropy command to + * SIGPIPE. 
Take whatever output we got, and mark this command + * as slow */ + debug("Command '%s' timed out", src->cmdstring); + src->sticky_badness *= 2; + src->badness = src->sticky_badness; + return(total_bytes_read); + } + + if (WIFEXITED(status)) { + if (WEXITSTATUS(status)==0) { + return(total_bytes_read); + } else { + debug("Command '%s' exit status was %d", src->cmdstring, + WEXITSTATUS(status)); + src->badness = src->sticky_badness = 128; + return (0.0); + } + } else if (WIFSIGNALED(status)) { + debug("Command '%s' returned on uncaught signal %d !", src->cmdstring, + status); + src->badness = src->sticky_badness = 128; + return(0.0); + } else + return(0.0); +} + +/* + * prng seedfile functions + */ +int +prng_check_seedfile(char *filename) { + + struct stat st; + + /* FIXME raceable: eg replace seed between this stat and subsequent open */ + /* Not such a problem because we don't trust the seed file anyway */ + if (lstat(filename, &st) == -1) { + /* Fail on hard errors */ + if (errno != ENOENT) + fatal("Couldn't stat random seed file \"%s\": %s", filename, + strerror(errno)); + + return(0); + } + + /* regular file? */ + if (!S_ISREG(st.st_mode)) + fatal("PRNG seedfile %.100s is not a regular file", filename); + + /* mode 0600, owned by root or the current user? 
*/ + if (((st.st_mode & 0177) != 0) || !(st.st_uid == getuid())) + fatal("PRNG seedfile %.100s must be mode 0600, owned by uid %d", + filename, getuid()); + + return(1); +} + +void +prng_write_seedfile(void) { + int fd; + char seed[1024]; + char filename[1024]; + struct passwd *pw; + + /* Don't bother if we have already saved a seed */ + if (prng_seed_saved) + return; + + prng_seed_saved = 1; + + pw = getpwuid(getuid()); + if (pw == NULL) + fatal("Couldn't get password entry for current user (%i): %s", + getuid(), strerror(errno)); + + /* Try to ensure that the parent directory is there */ + snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, + SSH_USER_DIR); + mkdir(filename, 0700); + + snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, + SSH_PRNG_SEED_FILE); + + debug("writing PRNG seed to file %.100s", filename); + + RAND_bytes(seed, sizeof(seed)); + + /* Don't care if the seed doesn't exist */ + prng_check_seedfile(filename); + + if ((fd = open(filename, O_WRONLY|O_TRUNC|O_CREAT, 0600)) == -1) + fatal("couldn't access PRNG seedfile %.100s (%.100s)", filename, + strerror(errno)); + + if (atomicio(write, fd, &seed, sizeof(seed)) != sizeof(seed)) + fatal("problem writing PRNG seedfile %.100s (%.100s)", filename, + strerror(errno)); + + close(fd); +} + +void +prng_read_seedfile(void) { + int fd; + char seed[1024]; + char filename[1024]; + struct passwd *pw; + + pw = getpwuid(getuid()); + if (pw == NULL) + fatal("Couldn't get password entry for current user (%i): %s", + getuid(), strerror(errno)); + + snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, + SSH_PRNG_SEED_FILE); + + debug("loading PRNG seed from file %.100s", filename); + + if (!prng_check_seedfile(filename)) { + verbose("Random seed file not found, creating new"); + prng_write_seedfile(); + + /* Reseed immediatly */ + (void)stir_from_system(); + (void)stir_from_programs(); + return; + } + + /* open the file and read in the seed */ + fd = open(filename, O_RDONLY); + if (fd 
== -1) + fatal("could not open PRNG seedfile %.100s (%.100s)", filename, + strerror(errno)); + + if (atomicio(read, fd, &seed, sizeof(seed)) != sizeof(seed)) { + verbose("invalid or short read from PRNG seedfile %.100s - ignoring", + filename); + memset(seed, '\0', sizeof(seed)); + } + close(fd); + + /* stir in the seed, with estimated entropy zero */ + RAND_add(&seed, sizeof(seed), 0.0); +} + + +/* + * entropy command initialisation functions + */ +int +prng_read_commands(char *cmdfilename) +{ + FILE *f; + char *cp; + char line[1024]; + char cmd[1024]; + char path[256]; + int linenum; + int num_cmds = 64; + int cur_cmd = 0; + double est; + entropy_source_t *entcmd; + + f = fopen(cmdfilename, "r"); + if (!f) { + fatal("couldn't read entropy commands file %.100s: %.100s", + cmdfilename, strerror(errno)); + } + + entcmd = (entropy_source_t *)xmalloc(num_cmds * sizeof(entropy_source_t)); + memset(entcmd, '\0', num_cmds * sizeof(entropy_source_t)); + + /* Read in file */ + linenum = 0; + while (fgets(line, sizeof(line), f)) { + int arg; + char *argv; + + linenum++; + + /* skip leading whitespace, test for blank line or comment */ + cp = line + strspn(line, WHITESPACE); + if ((*cp == 0) || (*cp == '#')) + continue; /* done with this line */ + + /* First non-whitespace char should be double quote delimiting */ + /* commandline */ + if (*cp != '"') { + error("bad entropy command, %.100s line %d", cmdfilename, + linenum); + continue; + } + + /* first token, command args (incl. argv[0]) in double quotes */ + cp = strtok(cp, "\""); + if (cp == NULL) { + error("missing or bad command string, %.100s line %d -- ignored", + cmdfilename, linenum); + continue; + } + strlcpy(cmd, cp, sizeof(cmd)); + + /* second token, full command path */ + if ((cp = strtok(NULL, WHITESPACE)) == NULL) { + error("missing command path, %.100s line %d -- ignored", + cmdfilename, linenum); + continue; + } + + /* did configure mark this as dead? 
*/ + if (strncmp("undef", cp, 5) == 0) + continue; + + strlcpy(path, cp, sizeof(path)); + + /* third token, entropy rate estimate for this command */ + if ((cp = strtok(NULL, WHITESPACE)) == NULL) { + error("missing entropy estimate, %.100s line %d -- ignored", + cmdfilename, linenum); + continue; + } + est = strtod(cp, &argv); + + /* end of line */ + if ((cp = strtok(NULL, WHITESPACE)) != NULL) { + error("garbage at end of line %d in %.100s -- ignored", linenum, + cmdfilename); + continue; + } + + /* save the command for debug messages */ + entcmd[cur_cmd].cmdstring = xstrdup(cmd); + + /* split the command args */ + cp = strtok(cmd, WHITESPACE); + arg = 0; + argv = NULL; + do { + char *s = (char*)xmalloc(strlen(cp) + 1); + strncpy(s, cp, strlen(cp) + 1); + entcmd[cur_cmd].args[arg] = s; + arg++; + } while ((arg < 5) && (cp = strtok(NULL, WHITESPACE))); + + if (strtok(NULL, WHITESPACE)) + error("ignored extra command elements (max 5), %.100s line %d", + cmdfilename, linenum); + + /* Copy the command path and rate estimate */ + entcmd[cur_cmd].path = xstrdup(path); + entcmd[cur_cmd].rate = est; + + /* Initialise other values */ + entcmd[cur_cmd].sticky_badness = 1; + + cur_cmd++; + + /* If we've filled the array, reallocate it twice the size */ + /* Do this now because even if this we're on the last command, + we need another slot to mark the last entry */ + if (cur_cmd == num_cmds) { + num_cmds *= 2; + entcmd = xrealloc(entcmd, num_cmds * sizeof(entropy_source_t)); + } + } + + /* zero the last entry */ + memset(&entcmd[cur_cmd], '\0', sizeof(entropy_source_t)); + + /* trim to size */ + entropy_sources = xrealloc(entcmd, (cur_cmd+1) * sizeof(entropy_source_t)); + + debug("loaded %d entropy commands from %.100s", cur_cmd, cmdfilename); + + return (cur_cmd >= MIN_ENTROPY_SOURCES); +} + +/* + * Write a keyfile at exit + */ +void +prng_seed_cleanup(void *junk) +{ + prng_write_seedfile(); +} + +/* + * Conditionally Seed OpenSSL's random number pool from + * syscalls and 
program output + */ +void +seed_rng(void) +{ + void *old_sigchld_handler; + + if (!prng_commands_loaded) { + if (!prng_read_commands(SSH_PRNG_COMMAND_FILE)) + fatal("PRNG initialisation failed -- exiting."); + prng_commands_loaded = 1; + } + + /* Make sure some other sigchld handler doesn't reap our entropy */ + /* commands */ + old_sigchld_handler = signal(SIGCHLD, SIG_DFL); + + debug("Seeding random number generator."); + debug("OpenSSL random status is now %i\n", RAND_status()); + debug("%i bytes from system calls", (int)stir_from_system()); + debug("%i bytes from programs", (int)stir_from_programs()); + debug("OpenSSL random status is now %i\n", RAND_status()); + + signal(SIGCHLD, old_sigchld_handler); + + if (!RAND_status()) + fatal("Couldn't initialise builtin random number generator -- exiting."); + + if (!prng_seed_loaded) + { + prng_seed_loaded = 1; + prng_seed_saved = 0; + prng_read_seedfile(); + fatal_add_cleanup(prng_seed_cleanup, NULL); + atexit(prng_write_seedfile); + } +} +#endif /* defined(EGD_SOCKET) || defined(RANDOM_POOL) */ diff -ruN --exclude CVS ssh-openbsd-2000070100/entropy.h openssh-2.1.1p2/entropy.h --- ssh-openbsd-2000070100/entropy.h Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/entropy.h Mon Apr 3 14:50:45 2000 
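Review bot: In `hash_output_from_command`, the four calls `RAND_add(&pid, sizeof(&pid), 0.0)`, `RAND_add(&bytes_read, sizeof(&bytes_read), 0.0)`, `RAND_add(&tv, sizeof(&tv), 0.0)` and `RAND_add(&status, sizeof(&status), 0.0)` pass the size of a pointer rather than of the object, so on any platform where a pointer is wider than the variable they read past the end of a stack object; each should be `sizeof(pid)`, `sizeof(bytes_read)`, `sizeof(tv)`, `sizeof(status)`. In `prng_read_commands`, `entropy_source_t.args` has exactly 5 slots and the split loop fills up to 5 tokens (`arg < 5`), which leaves no NULL terminator for `execv()` when a command has five elements; declare `char *args[6];` (the struct is zeroed by the `memset`, so the sixth slot is NULL) or cap the loop at 4 arguments. The same function never calls `fclose(f)` after the read loop, leaking a `FILE *` per call; add `fclose(f);` before the `/* zero the last entry */` step. `seed_rng` stores the previous SIGCHLD disposition in a `void *` and passes it back to `signal()`, which is not a valid object-to-function pointer conversion in standard C; use `void (*old_sigchld_handler)(int)` instead. In `prng_write_seedfile`, the `lstat` in `prng_check_seedfile` and the later `open(filename, O_WRONLY|O_TRUNC|O_CREAT, 0600)` are separated by a window the FIXME already acknowledges, and the write side is the destructive one: opening with `O_NOFOLLOW` where available, or `fstat`-ing the descriptor and re-applying the regular-file/owner checks before writing, would close it without changing the "seed is untrusted" stance on the read path.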
@@ -0,0 +1,35 @@ +/* + * Copyright (c) 1999-2000 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Markus Friedl. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#ifndef _RANDOMS_H
+#define _RANDOMS_H
+
+void seed_rng(void);
+
+#endif /* _RANDOMS_H */
diff -ruN --exclude CVS ssh-openbsd-2000070100/fake-gai-errnos.h openssh-2.1.1p2/fake-gai-errnos.h
--- ssh-openbsd-2000070100/fake-gai-errnos.h Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/fake-gai-errnos.h Fri Jan 14 15:45:48 2000
@@ -0,0 +1,12 @@
+/*
+ * fake library for ssh
+ *
+ * This file is included in getaddrinfo.c and getnameinfo.c.
+ * See getaddrinfo.c and getnameinfo.c.
+ */
+
+/* for old netdb.h */
+#ifndef EAI_NODATA
+#define EAI_NODATA 1
+#define EAI_MEMORY 2
+#endif
diff -ruN --exclude CVS ssh-openbsd-2000070100/fake-getaddrinfo.c openssh-2.1.1p2/fake-getaddrinfo.c
--- ssh-openbsd-2000070100/fake-getaddrinfo.c Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/fake-getaddrinfo.c Wed May 31 11:20:12 2000
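Review bot: The include guard `_RANDOMS_H` uses an identifier reserved for the implementation (leading underscore followed by an uppercase letter) and does not match the file it guards, entropy.h. A guard named after the file, `#ifndef ENTROPY_H` / `#define ENTROPY_H` / `#endif /* ENTROPY_H */`, stays out of the reserved namespace and cannot collide with a system header's own guard. The same underscore-plus-uppercase pattern is used for the guards of fake-getaddrinfo.h, fake-getnameinfo.h and fake-socket.h later in this diff.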
@@ -0,0 +1,118 @@ +/* + * fake library for ssh + * + * This file includes getaddrinfo(), freeaddrinfo() and gai_strerror(). + * These funtions are defined in rfc2133. + * + * But these functions are not implemented correctly. The minimum subset + * is implemented for ssh use only. For exapmle, this routine assumes + * that ai_family is AF_INET. Don't use it for another purpose. + */ + +#include "includes.h" +#include "ssh.h" + +#ifndef HAVE_GAI_STRERROR +char *gai_strerror(int ecode) +{ + switch (ecode) { + case EAI_NODATA: + return "no address associated with hostname."; + case EAI_MEMORY: + return "memory allocation failure."; + default: + return "unknown error."; + } +} +#endif /* !HAVE_GAI_STRERROR */ + +#ifndef HAVE_FREEADDRINFO +void freeaddrinfo(struct addrinfo *ai) +{ + struct addrinfo *next; + + do { + next = ai->ai_next; + free(ai); + } while (NULL != (ai = next)); +} +#endif /* !HAVE_FREEADDRINFO */ + +#ifndef HAVE_GETADDRINFO +static struct addrinfo *malloc_ai(int port, u_long addr) +{ + struct addrinfo *ai; + + ai = malloc(sizeof(struct addrinfo) + sizeof(struct sockaddr_in)); + if (ai == NULL) + return(NULL); + + memset(ai, 0, sizeof(struct addrinfo) + sizeof(struct sockaddr_in)); + + ai->ai_addr = (struct sockaddr *)(ai + 1); + /* XXX -- ssh doesn't use sa_len */ + ai->ai_addrlen = sizeof(struct sockaddr_in); + ai->ai_addr->sa_family = ai->ai_family = AF_INET; + + ((struct sockaddr_in *)(ai)->ai_addr)->sin_port = port; + ((struct sockaddr_in *)(ai)->ai_addr)->sin_addr.s_addr = addr; + + return(ai); +} + +int getaddrinfo(const char *hostname, const char *servname, + const struct addrinfo *hints, struct addrinfo **res) +{ + struct addrinfo *cur, *prev = NULL; + struct hostent *hp; + int i, port; + + if (servname) + port = htons(atoi(servname)); + else + port = 0; + + if (hints && hints->ai_flags & AI_PASSIVE) { + if (NULL != (*res = malloc_ai(port, htonl(0x00000000)))) + return 0; + else + return EAI_MEMORY; + } + + if (!hostname) { + if (NULL != (*res 
= malloc_ai(port, htonl(0x7f000001)))) + return 0; + else + return EAI_MEMORY; + } + + if (inet_addr(hostname) != -1) { + if (NULL != (*res = malloc_ai(port, inet_addr(hostname)))) + return 0; + else + return EAI_MEMORY; + } + + hp = gethostbyname(hostname); + if (hp && hp->h_name && hp->h_name[0] && hp->h_addr_list[0]) { + for (i = 0; hp->h_addr_list[i]; i++) { + cur = malloc_ai(port, ((struct in_addr *)hp->h_addr_list[i])->s_addr); + if (cur == NULL) { + if (*res) + freeaddrinfo(*res); + return EAI_MEMORY; + } + + if (prev) + prev->ai_next = cur; + else + *res = cur; + + prev = cur; + } + return 0; + } + + return EAI_NODATA; +} +#endif /* !HAVE_GETADDRINFO */ diff -ruN --exclude CVS ssh-openbsd-2000070100/fake-getaddrinfo.h openssh-2.1.1p2/fake-getaddrinfo.h --- ssh-openbsd-2000070100/fake-getaddrinfo.h Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/fake-getaddrinfo.h Sun Jan 16 18:19:25 2000 
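Review bot: `*res` is read before it is ever assigned in the gethostbyname() loop: if malloc_ai() fails on the first address, `if (*res) freeaddrinfo(*res)` dereferences whatever the caller left in `*res`, and the EAI_NODATA return and the EAI_MEMORY returns in the AI_PASSIVE, NULL-hostname and inet_addr() branches likewise leave it untouched. Initialising the out-parameter as the first statement of getaddrinfo(), `*res = NULL;`, makes the cleanup and every error return well defined. Separately, `inet_addr(hostname)` is evaluated twice and compared against `-1`; storing the result once and comparing with `INADDR_NONE` states the intent and avoids the signed/unsigned comparison. `hints->ai_family` is never examined, so the AF_INET-only caveat in the file comment is the only thing stopping a caller that asks for another family from receiving an IPv4 answer.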
@@ -0,0 +1,45 @@ +#ifndef _FAKE_GETADDRINFO_H +#define _FAKE_GETADDRINFO_H + +#include "config.h" + +#include "fake-gai-errnos.h" + +#ifndef AI_PASSIVE +# define AI_PASSIVE 1 +# define AI_CANONNAME 2 +#endif + +#ifndef NI_NUMERICHOST +# define NI_NUMERICHOST 2 +# define NI_NAMEREQD 4 +# define NI_NUMERICSERV 8 +#endif + +#ifndef HAVE_STRUCT_ADDRINFO +struct addrinfo { + int ai_flags; /* AI_PASSIVE, AI_CANONNAME */ + int ai_family; /* PF_xxx */ + int ai_socktype; /* SOCK_xxx */ + int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */ + size_t ai_addrlen; /* length of ai_addr */ + char *ai_canonname; /* canonical name for hostname */ + struct sockaddr *ai_addr; /* binary address */ + struct addrinfo *ai_next; /* next structure in linked list */ +}; +#endif /* !HAVE_STRUCT_ADDRINFO */ + +#ifndef HAVE_GETADDRINFO +int getaddrinfo(const char *hostname, const char *servname, + const struct addrinfo *hints, struct addrinfo **res); +#endif /* !HAVE_GETADDRINFO */ + +#ifndef HAVE_GAI_STRERROR +char *gai_strerror(int ecode); +#endif /* !HAVE_GAI_STRERROR */ + +#ifndef HAVE_FREEADDRINFO +void freeaddrinfo(struct addrinfo *ai); +#endif /* !HAVE_FREEADDRINFO */ + +#endif /* _FAKE_GETADDRINFO_H */ diff -ruN --exclude CVS ssh-openbsd-2000070100/fake-getnameinfo.c openssh-2.1.1p2/fake-getnameinfo.c --- ssh-openbsd-2000070100/fake-getnameinfo.c Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/fake-getnameinfo.c Wed May 31 11:20:12 2000 
@@ -0,0 +1,53 @@
+/*
+ * fake library for ssh
+ *
+ * This file includes getnameinfo().
+ * These funtions are defined in rfc2133.
+ *
+ * But these functions are not implemented correctly. The minimum subset
+ * is implemented for ssh use only. For exapmle, this routine assumes
+ * that ai_family is AF_INET. Don't use it for another purpose.
+ */
+
+#include "includes.h"
+#include "ssh.h"
+
+#ifndef HAVE_GETNAMEINFO
+int getnameinfo(const struct sockaddr *sa, size_t salen, char *host,
+ size_t hostlen, char *serv, size_t servlen, int flags)
+{
+ struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+ struct hostent *hp;
+ char tmpserv[16];
+
+ if (serv) {
+ snprintf(tmpserv, sizeof(tmpserv), "%d", ntohs(sin->sin_port));
+ if (strlen(tmpserv) > servlen)
+ return EAI_MEMORY;
+ else
+ strcpy(serv, tmpserv);
+ }
+
+ if (host) {
+ if (flags & NI_NUMERICHOST) {
+ if (strlen(inet_ntoa(sin->sin_addr)) > hostlen)
+ return EAI_MEMORY;
+
+ strcpy(host, inet_ntoa(sin->sin_addr));
+ return 0;
+ } else {
+ hp = gethostbyaddr((char *)&sin->sin_addr,
+ sizeof(struct in_addr), AF_INET);
+ if (hp == NULL)
+ return EAI_NODATA;
+
+ if (strlen(hp->h_name) > hostlen)
+ return EAI_MEMORY;
+
+ strcpy(host, hp->h_name);
+ return 0;
+ }
+ }
+ return 0;
+}
+#endif /* !HAVE_GETNAMEINFO */
diff -ruN --exclude CVS ssh-openbsd-2000070100/fake-getnameinfo.h openssh-2.1.1p2/fake-getnameinfo.h
--- ssh-openbsd-2000070100/fake-getnameinfo.h Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/fake-getnameinfo.h Wed May 31 11:20:12 2000
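Review bot: The three length checks in getnameinfo() are off by one: `strlen(x) > len` accepts the case `strlen(x) == len`, and the strcpy() that follows then writes the NUL terminator one byte past the caller's buffer. Each test should be `if (strlen(tmpserv) >= servlen)`, `if (strlen(inet_ntoa(sin->sin_addr)) >= hostlen)` and `if (strlen(hp->h_name) >= hostlen)`, or the copies should go through snprintf()/strlcpy() with the buffer size so no separate check is needed. `salen` is unused and `sa->sa_family` is never compared with AF_INET, so any other sockaddr is silently reinterpreted as a sockaddr_in; an early error return for other families would make the AF_INET-only contract in the file comment enforceable rather than advisory.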
@@ -0,0 +1,18 @@
+#ifndef _FAKE_GETNAMEINFO_H
+#define _FAKE_GETNAMEINFO_H
+
+#include "config.h"
+
+#ifndef HAVE_GETNAMEINFO
+int getnameinfo(const struct sockaddr *sa, size_t salen, char *host,
+ size_t hostlen, char *serv, size_t servlen, int flags);
+#endif /* !HAVE_GETNAMEINFO */
+
+#ifndef NI_MAXSERV
+# define NI_MAXSERV 32
+#endif /* !NI_MAXSERV */
+#ifndef NI_MAXHOST
+# define NI_MAXHOST 1025
+#endif /* !NI_MAXHOST */
+
+#endif /* _FAKE_GETNAMEINFO_H */
diff -ruN --exclude CVS ssh-openbsd-2000070100/fake-socket.h openssh-2.1.1p2/fake-socket.h
--- ssh-openbsd-2000070100/fake-socket.h Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/fake-socket.h Wed May 31 11:20:12 2000
@@ -0,0 +1,49 @@ +#ifndef _FAKE_SOCKET_H +#define _FAKE_SOCKET_H + +#include "config.h" +#include "sys/types.h" + +#ifndef HAVE_STRUCT_SOCKADDR_STORAGE +# define _SS_MAXSIZE 128 /* Implementation specific max size */ +# define _SS_ALIGNSIZE (sizeof(int)) +# define _SS_PAD1SIZE (_SS_ALIGNSIZE - sizeof(u_short)) +# define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof(u_short) + \ + _SS_PAD1SIZE + _SS_ALIGNSIZE)) + +struct sockaddr_storage { + u_short ss_family; + char __ss_pad1[_SS_PAD1SIZE]; + int __ss_align; + char __ss_pad2[_SS_PAD2SIZE]; +}; +#endif /* !HAVE_STRUCT_SOCKADDR_STORAGE */ + +#ifndef IN6_IS_ADDR_LOOPBACK +# define IN6_IS_ADDR_LOOPBACK(a) \ + (((u_int32_t *) (a))[0] == 0 && ((u_int32_t *) (a))[1] == 0 && \ + ((u_int32_t *) (a))[2] == 0 && ((u_int32_t *) (a))[3] == htonl (1)) +#endif /* !IN6_IS_ADDR_LOOPBACK */ + +#ifndef HAVE_STRUCT_IN6_ADDR +struct in6_addr { + u_int8_t s6_addr[16]; +}; +#endif /* !HAVE_STRUCT_IN6_ADDR */ + +#ifndef HAVE_STRUCT_SOCKADDR_IN6 +struct sockaddr_in6 { + unsigned short sin6_family; + u_int16_t sin6_port; + u_int32_t sin6_flowinfo; + struct in6_addr sin6_addr; +}; +#endif /* !HAVE_STRUCT_SOCKADDR_IN6 */ + +#ifndef AF_INET6 +/* Define it to something that should never appear */ +#define AF_INET6 AF_MAX +#endif + +#endif /* !_FAKE_SOCKET_H */ + diff -ruN --exclude CVS ssh-openbsd-2000070100/fixpaths openssh-2.1.1p2/fixpaths --- ssh-openbsd-2000070100/fixpaths Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/fixpaths Thu Apr 20 07:33:24 2000 
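Review bot: The `IN6_IS_ADDR_LOOPBACK` fallback reads the address as four `u_int32_t` through a pointer cast, but the fallback `struct in6_addr` defined a few lines below contains only `u_int8_t s6_addr[16]`, so the object carries no 4-byte alignment guarantee and the access also breaks strict aliasing. A byte-wise comparison avoids both problems: memcmp() the 16 bytes against a `static const unsigned char` array whose last byte is 1, which also makes the macro a single evaluation of `(a)`. The `#include "sys/types.h"` line should use angle brackets; with quotes the preprocessor searches the source directory first, so a stray sys/types.h in the tree would shadow the system header.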
@@ -0,0 +1,50 @@ +#!/usr/bin/perl -w +# +# fixpaths - substitute makefile variables into text files + + +$usage = "Usage: $0 [-x] [-Dstring=replacement] [[infile] ...]\n"; + +$ext="out"; + +if (!defined(@ARGV)) { die ("$usage"); } + +# read in the command line and get some definitions +while ($_=$ARGV[0], /^-/) { + if (/^-[Dx]/) { + # definition + shift(@ARGV); + if ( /-D(.*)=(.*)/ ) { + $def{"$1"}=$2; + } elsif ( /-x\s*(\w+)/ ) { + $ext=$1; + } else { + die ("$usage$0: error in command line arguments.\n"); + } + } else { + @cmd = split(//, $ARGV[0]); $opt = $cmd[1]; + die ("$usage$0: unknown option '-$opt'\n"); + } +} # while parsing arguments + +if (!defined(%def)) { + die ("$0: nothing to do - no substitutions listed!\n"); +} + +for $f (@ARGV) { + + $f =~ /(.*\/)*(.*)$/; + $of = $2.".$ext"; + + open(IN, "<$f") || die ("$0: input file $f missing!\n"); + if (open(OUT, ">$of")) { + while () { + for $s (keys(%def)) { + s#$s#$def{$s}#; + } # for $s + print OUT; + } # while + } # if (outfile open) +} # for $f + +exit 0; diff -ruN --exclude CVS ssh-openbsd-2000070100/fixprogs openssh-2.1.1p2/fixprogs --- ssh-openbsd-2000070100/fixprogs Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/fixprogs Thu May 18 23:12:50 2000 
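Review bot: A failed `open(OUT, ">$of")` is ignored: the `if` simply skips the file, nothing is written, and the script still reaches `exit 0`, so a build driving this script would carry on with a missing output file. Give it the same treatment as the input open, `open(OUT, ">$of") || die ("$0: can't write $of: $!\n");`. Also, `$s` in `s#$s#$def{$s}#` is interpolated as a regular expression, so a key containing `.`, `/` or `$` matches more than the literal string and only the first occurrence on a line is replaced; `s#\Q$s\E#$def{$s}#g` matches the literal text and replaces every occurrence, which is presumably what a path-substitution script wants.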
@@ -0,0 +1,72 @@ +#!/usr/bin/perl +# +# fixprogs - run through the list of entropy commands and +# score out the losers +# + +$entscale = 50; # divisor for optional entropy measurement + +sub usage { + return("Usage: $0 \n"); +} + +if (($#ARGV == -1) || ($#ARGV>1)) { + die(&usage); +} + +# 'undocumented' option - run ent (in second param) on the output +if ($#ARGV==1) { + $entcmd=$ARGV[1] +} else { + $entcmd = "" +}; + +$infilename = $ARGV[0]; + +if (!open(IN, "<".$infilename)) { + die("Couldn't open input file"); +} +$outfilename=$infilename.".out"; +if (!open(OUT, ">$outfilename")) { + die("Couldn't open output file $outfilename"); +} +@infile=; + +select(OUT); $|=1; select(STDOUT); + +foreach (@infile) { + if (/^\s*\#/ || /^\s*$/) { + print OUT; + next; + } + ($cmd, $path, $est) = /^\"([^\"]+)\"\s+([\w\/_-]+)\s+([\d\.\-]+)/o; + @args = split(/ /, $cmd); + if (! ($pid = fork())) { + # child + close STDIN; close STDOUT; close STDERR; + open STDIN, "/dev/null"; + open STDERR, ">/dev/null"; + exec $path @args; + exit 1; # shouldn't be here + } + # parent + waitpid ($pid, 0); $ret=$? >> 8; + + if ($ret != 0) { + $path = "undef"; + } else { + if ($entcmd ne "") { + # now try to run ent on the command + $mostargs=join(" ", splice(@args,1)); + print "Evaluating '$path $mostargs'\n"; + @ent = qx{$path $mostargs | $entcmd -b -t}; + @ent = grep(/^1,/, @ent); + ($null, $null, $rate) = split(/,/, $ent[0]); + $est = $rate / $entscale; # scale the estimate back + } + } + print OUT "\"$cmd\" $path $est\n"; +} + +close(IN); diff -ruN --exclude CVS ssh-openbsd-2000070100/includes.h openssh-2.1.1p2/includes.h --- ssh-openbsd-2000070100/includes.h Thu May 18 23:16:34 2000 +++ openssh-2.1.1p2/includes.h Sun Jun 18 15:43:26 2000 
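Review bot: `if (! ($pid = fork()))` treats a failed fork(), which returns undef, exactly like the child branch, so on fork failure the parent itself closes its stdio, execs the entropy command and never writes the output file. Check for failure first, `defined($pid = fork()) or die("fork: $!");`, and then branch on `$pid == 0`. In the `$entcmd` path, `qx{$path $mostargs | $entcmd -b -t}` hands the command and arguments read from the input file to a shell, so any shell metacharacter in a command line is interpreted rather than passed literally; the list form already used for `exec $path @args` above (a list-form piped open does the same for a pipeline) keeps the arguments literal. If `ent` prints no line starting with `1,`, `$ent[0]` is undef and `$est` silently becomes 0; a warning in that case would make the bad estimate visible in the output file.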
@@ -19,26 +19,21 @@ #define RCSID(msg) \ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg } +#include "config.h" + +#include "next-posix.h" + #include #include -#include -#include #include -#include -#include #include -#include #include #include -#include -#include #include -#include #include #include -#include #include #include #include @@ -50,20 +45,66 @@ #include #include #include -#include #include -#include #include +#ifdef HAVE_BSTRING_H +# include +#endif +#ifdef HAVE_NETGROUP_H +# include +#endif +#ifdef HAVE_NETDB_H +# include +#endif +#ifdef HAVE_ENDIAN_H +# include +#endif +#ifdef HAVE_SYS_SELECT_H +# include +#endif +#ifdef HAVE_SYS_TIME_H +# include +#endif +#ifdef HAVE_SYS_BSDTTY_H +# include +#endif +#ifdef USE_PAM +# include +#endif +#ifdef HAVE_POLL_H +# include +#else +# ifdef HAVE_SYS_POLL_H +# include +# endif +#endif +#ifdef HAVE_SYS_SYSMACROS_H +# include +#endif + #include "version.h" +/* OpenBSD function replacements */ +#include "openbsd-compat.h" + +/* Entropy collection */ +#include "entropy.h" + /* Define this to be the path of the xauth program. */ +#ifndef XAUTH_PATH #define XAUTH_PATH "/usr/X11R6/bin/xauth" +#endif /* XAUTH_PATH */ + +/* Define this to be the path of the rsh program. */ +#ifndef _PATH_RSH +#define _PATH_RSH "/usr/bin/rsh" +#endif /* _PATH_RSH */ /* * Define this to use pipes instead of socketpairs for communicating with the * client program. Socketpairs do not seem to work on all systems. */ -#define USE_PIPES 1 +/* #define USE_PIPES 1 */ #endif /* INCLUDES_H */ diff -ruN --exclude CVS ssh-openbsd-2000070100/install-sh openssh-2.1.1p2/install-sh --- ssh-openbsd-2000070100/install-sh Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/install-sh Thu Nov 25 12:31:26 1999 
@@ -0,0 +1,251 @@ +#!/bin/sh +# +# install - install a program, script, or datafile +# This comes from X11R5 (mit/util/scripts/install.sh). +# +# Copyright 1991 by the Massachusetts Institute of Technology +# +# Permission to use, copy, modify, distribute, and sell this software and its +# documentation for any purpose is hereby granted without fee, provided that +# the above copyright notice appear in all copies and that both that +# copyright notice and this permission notice appear in supporting +# documentation, and that the name of M.I.T. not be used in advertising or +# publicity pertaining to distribution of the software without specific, +# written prior permission. M.I.T. makes no representations about the +# suitability of this software for any purpose. It is provided "as is" +# without express or implied warranty. +# +# Calling this script install-sh is preferred over install.sh, to prevent +# `make' implicit rules from creating a file called install from it +# when there is no Makefile. +# +# This script is compatible with the BSD install script, but was written +# from scratch. It can only install one file at a time, a restriction +# shared with many OS's install programs. + + +# set DOITPROG to echo to test this script + +# Don't use :- since 4.3BSD and earlier shells don't like it. +doit="${DOITPROG-}" + + +# put in absolute paths if you don't have them in your path; or use env. vars. 
+ +mvprog="${MVPROG-mv}" +cpprog="${CPPROG-cp}" +chmodprog="${CHMODPROG-chmod}" +chownprog="${CHOWNPROG-chown}" +chgrpprog="${CHGRPPROG-chgrp}" +stripprog="${STRIPPROG-strip}" +rmprog="${RMPROG-rm}" +mkdirprog="${MKDIRPROG-mkdir}" + +transformbasename="" +transform_arg="" +instcmd="$mvprog" +chmodcmd="$chmodprog 0755" +chowncmd="" +chgrpcmd="" +stripcmd="" +rmcmd="$rmprog -f" +mvcmd="$mvprog" +src="" +dst="" +dir_arg="" + +while [ x"$1" != x ]; do + case $1 in + -c) instcmd="$cpprog" + shift + continue;; + + -d) dir_arg=true + shift + continue;; + + -m) chmodcmd="$chmodprog $2" + shift + shift + continue;; + + -o) chowncmd="$chownprog $2" + shift + shift + continue;; + + -g) chgrpcmd="$chgrpprog $2" + shift + shift + continue;; + + -s) stripcmd="$stripprog" + shift + continue;; + + -t=*) transformarg=`echo $1 | sed 's/-t=//'` + shift + continue;; + + -b=*) transformbasename=`echo $1 | sed 's/-b=//'` + shift + continue;; + + *) if [ x"$src" = x ] + then + src=$1 + else + # this colon is to work around a 386BSD /bin/sh bug + : + dst=$1 + fi + shift + continue;; + esac +done + +if [ x"$src" = x ] +then + echo "install: no input file specified" + exit 1 +else + true +fi + +if [ x"$dir_arg" != x ]; then + dst=$src + src="" + + if [ -d $dst ]; then + instcmd=: + chmodcmd="" + else + instcmd=mkdir + fi +else + +# Waiting for this to be detected by the "$instcmd $src $dsttmp" command +# might cause directories to be created, which would be especially bad +# if $src (and thus $dsttmp) contains '*'. 
+ + if [ -f $src -o -d $src ] + then + true + else + echo "install: $src does not exist" + exit 1 + fi + + if [ x"$dst" = x ] + then + echo "install: no destination specified" + exit 1 + else + true + fi + +# If destination is a directory, append the input filename; if your system +# does not like double slashes in filenames, you may need to add some logic + + if [ -d $dst ] + then + dst="$dst"/`basename $src` + else + true + fi +fi + +## this sed command emulates the dirname command +dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'` + +# Make sure that the destination directory exists. +# this part is taken from Noah Friedman's mkinstalldirs script + +# Skip lots of stat calls in the usual case. +if [ ! -d "$dstdir" ]; then +defaultIFS=' +' +IFS="${IFS-${defaultIFS}}" + +oIFS="${IFS}" +# Some sh's can't handle IFS=/ for some reason. +IFS='%' +set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'` +IFS="${oIFS}" + +pathcomp='' + +while [ $# -ne 0 ] ; do + pathcomp="${pathcomp}${1}" + shift + + if [ ! -d "${pathcomp}" ] ; + then + $mkdirprog "${pathcomp}" + else + true + fi + + pathcomp="${pathcomp}/" +done +fi + +if [ x"$dir_arg" != x ] +then + $doit $instcmd $dst && + + if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi && + if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi && + if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi && + if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi +else + +# If we're going to rename the final executable, determine the name now. + + if [ x"$transformarg" = x ] + then + dstfile=`basename $dst` + else + dstfile=`basename $dst $transformbasename | + sed $transformarg`$transformbasename + fi + +# don't allow the sed command to completely eliminate the filename + + if [ x"$dstfile" = x ] + then + dstfile=`basename $dst` + else + true + fi + +# Make a temp file name in the proper directory. 
+ + dsttmp=$dstdir/#inst.$$# + +# Move or copy the file name to the temp name + + $doit $instcmd $src $dsttmp && + + trap "rm -f ${dsttmp}" 0 && + +# and set any options; do chmod last to preserve setuid bits + +# If any of these fail, we abort the whole thing. If we want to +# ignore errors from any of these, just make sure not to ignore +# errors from the above "$doit $instcmd $src $dsttmp" command. + + if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi && + if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi && + if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi && + if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi && + +# Now rename the file to the real destination. + + $doit $rmcmd -f $dstdir/$dstfile && + $doit $mvcmd $dsttmp $dstdir/$dstfile + +fi && + + +exit 0 diff -ruN --exclude CVS ssh-openbsd-2000070100/lib/Makefile openssh-2.1.1p2/lib/Makefile --- ssh-openbsd-2000070100/lib/Makefile Thu May 18 23:17:26 2000 +++ openssh-2.1.1p2/lib/Makefile Thu Jan 1 10:00:00 1970 
@@ -1,26 +0,0 @@ -.PATH: ${.CURDIR}/.. - -LIB= ssh -SRCS= authfd.c authfile.c bufaux.c buffer.c canohost.c channels.c \ - cipher.c compat.c compress.c crc32.c deattack.c fingerprint.c \ - hostfile.c log.c match.c mpaux.c nchan.c packet.c readpass.c \ - rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c atomicio.c \ - key.c dispatch.c dsa.c kex.c hmac.c uuencode.c aux.c - -NOPROFILE= yes -NOPIC= yes - -install: - @echo -n - -.include - -.if (${KERBEROS} == "yes") -CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV -.if (${AFS} == "yes") -CFLAGS+= -DAFS -SRCS+= radix.c -.endif # AFS -.endif # KERBEROS - -.include Binary files ssh-openbsd-2000070100/lib/atomicio.o and openssh-2.1.1p2/lib/atomicio.o differ Binary files ssh-openbsd-2000070100/lib/authfd.o and openssh-2.1.1p2/lib/authfd.o differ Binary files ssh-openbsd-2000070100/lib/authfile.o and openssh-2.1.1p2/lib/authfile.o differ Binary files ssh-openbsd-2000070100/lib/bufaux.o and openssh-2.1.1p2/lib/bufaux.o differ Binary files ssh-openbsd-2000070100/lib/buffer.o and openssh-2.1.1p2/lib/buffer.o differ Binary files ssh-openbsd-2000070100/lib/canohost.o and openssh-2.1.1p2/lib/canohost.o differ Binary files ssh-openbsd-2000070100/lib/channels.o and openssh-2.1.1p2/lib/channels.o differ Binary files ssh-openbsd-2000070100/lib/cipher.o and openssh-2.1.1p2/lib/cipher.o differ Binary files ssh-openbsd-2000070100/lib/compat.o and openssh-2.1.1p2/lib/compat.o differ Binary files ssh-openbsd-2000070100/lib/compress.o and openssh-2.1.1p2/lib/compress.o differ Binary files ssh-openbsd-2000070100/lib/crc32.o and openssh-2.1.1p2/lib/crc32.o differ Binary files ssh-openbsd-2000070100/lib/deattack.o and openssh-2.1.1p2/lib/deattack.o differ Binary files ssh-openbsd-2000070100/lib/fingerprint.o and openssh-2.1.1p2/lib/fingerprint.o differ Binary files ssh-openbsd-2000070100/lib/hostfile.o and openssh-2.1.1p2/lib/hostfile.o differ Binary files ssh-openbsd-2000070100/lib/libssh.a and openssh-2.1.1p2/lib/libssh.a differ Binary 
files ssh-openbsd-2000070100/lib/log.o and openssh-2.1.1p2/lib/log.o differ Binary files ssh-openbsd-2000070100/lib/match.o and openssh-2.1.1p2/lib/match.o differ Binary files ssh-openbsd-2000070100/lib/mpaux.o and openssh-2.1.1p2/lib/mpaux.o differ Binary files ssh-openbsd-2000070100/lib/nchan.o and openssh-2.1.1p2/lib/nchan.o differ Binary files ssh-openbsd-2000070100/lib/packet.o and openssh-2.1.1p2/lib/packet.o differ Binary files ssh-openbsd-2000070100/lib/radix.o and openssh-2.1.1p2/lib/radix.o differ Binary files ssh-openbsd-2000070100/lib/readpass.o and openssh-2.1.1p2/lib/readpass.o differ Binary files ssh-openbsd-2000070100/lib/rsa.o and openssh-2.1.1p2/lib/rsa.o differ Binary files ssh-openbsd-2000070100/lib/tildexpand.o and openssh-2.1.1p2/lib/tildexpand.o differ Binary files ssh-openbsd-2000070100/lib/ttymodes.o and openssh-2.1.1p2/lib/ttymodes.o differ Binary files ssh-openbsd-2000070100/lib/uidswap.o and openssh-2.1.1p2/lib/uidswap.o differ Binary files ssh-openbsd-2000070100/lib/xmalloc.o and openssh-2.1.1p2/lib/xmalloc.o differ diff -ruN --exclude CVS ssh-openbsd-2000070100/log-server.c openssh-2.1.1p2/log-server.c --- ssh-openbsd-2000070100/log-server.c Thu Jun 22 21:08:47 2000 +++ openssh-2.1.1p2/log-server.c Thu Jun 22 21:32:31 2000 @@ -22,6 +22,12 @@ #include "xmalloc.h" #include "ssh.h" +#ifdef HAVE___PROGNAME +extern char *__progname; +#else /* HAVE___PROGNAME */ +static const char *__progname = "sshd"; +#endif /* HAVE___PROGNAME */ + static LogLevel log_level = SYSLOG_LEVEL_INFO; static int log_on_stderr = 0; static int log_facility = LOG_AUTH; @@ -100,7 +106,6 @@ char fmtbuf[MSGBUFSIZ]; char *txt = NULL; int pri = LOG_INFO; - extern char *__progname; if (level > log_level) return; diff -ruN --exclude CVS ssh-openbsd-2000070100/login.c openssh-2.1.1p2/login.c --- ssh-openbsd-2000070100/login.c Thu Jun 22 21:08:47 2000 +++ openssh-2.1.1p2/login.c Thu Jun 22 21:32:31 2000 
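Review bot: The fallback definition `static const char *__progname = "sshd";` defines an identifier beginning with a double underscore, a name C reserves for the implementation; it only matters when HAVE___PROGNAME is unset, but that is precisely the case where the program, not libc, owns the symbol. The two branches also declare different types (`char *` versus `const char *`), which is harmless only as long as log() reads the string and never writes through it. A comment on the `#else` branch would make the trade-off explicit: `/* no BSD libc __progname: provide one so log() below needs no #ifdef */`.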
@@ -20,9 +20,7 @@ #include "includes.h" RCSID("$OpenBSD: login.c,v 1.14 2000/06/20 01:39:42 markus Exp $"); -#include -#include -#include "ssh.h" +#include "loginrec.h" /* * Returns the time when the user last logged in. Returns 0 if the @@ -30,36 +28,15 @@ * The host the user logged in from will be returned in buf. */ -/* - * Returns the time when the user last logged in (or 0 if no previous login - * is found). The name of the host used last time is returned in buf. - */ - unsigned long get_last_login_time(uid_t uid, const char *logname, char *buf, unsigned int bufsize) { - struct lastlog ll; - char *lastlog; - int fd; - - lastlog = _PATH_LASTLOG; - buf[0] = '\0'; - - fd = open(lastlog, O_RDONLY); - if (fd < 0) - return 0; - lseek(fd, (off_t) ((long) uid * sizeof(ll)), SEEK_SET); - if (read(fd, &ll, sizeof(ll)) != sizeof(ll)) { - close(fd); - return 0; - } - close(fd); - if (bufsize > sizeof(ll.ll_host) + 1) - bufsize = sizeof(ll.ll_host) + 1; - strncpy(buf, ll.ll_host, bufsize - 1); - buf[bufsize - 1] = 0; - return ll.ll_time; + struct logininfo li; + + login_get_lastlog(&li, uid); + strlcpy(buf, li.hostname, bufsize); + return li.tv_sec; } /* 
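Review bot: `get_last_login_time()` now ignores the return value of `login_get_lastlog()` and copies `li.hostname` and `li.tv_sec` unconditionally, whereas the removed code cleared `buf` and returned 0 when no lastlog record could be read. Unless login_get_lastlog(), whose body is outside this chunk, guarantees that `li` is zeroed on failure, `buf` receives whatever was on the stack; initialising the local with `struct logininfo li; memset(&li, 0, sizeof(li));` before the call, or checking the return value, restores the old contract. The same unchecked-return pattern appears with `login_alloc_entry()` in the record_login and record_logout hunks that follow, which matters if it can return NULL.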
@@ -71,46 +48,12 @@ record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid, const char *host, struct sockaddr * addr) { - int fd; - struct lastlog ll; - char *lastlog; - struct utmp u; - const char *utmp, *wtmp; - - /* Construct an utmp/wtmp entry. */ - memset(&u, 0, sizeof(u)); - strncpy(u.ut_line, ttyname + 5, sizeof(u.ut_line)); - u.ut_time = time(NULL); - strncpy(u.ut_name, user, sizeof(u.ut_name)); - strncpy(u.ut_host, host, sizeof(u.ut_host)); - - /* Figure out the file names. */ - utmp = _PATH_UTMP; - wtmp = _PATH_WTMP; - - login(&u); - lastlog = _PATH_LASTLOG; - - /* Update lastlog unless actually recording a logout. */ - if (strcmp(user, "") != 0) { - /* - * It is safer to bzero the lastlog structure first because - * some systems might have some extra fields in it (e.g. SGI) - */ - memset(&ll, 0, sizeof(ll)); - - /* Update lastlog. */ - ll.ll_time = time(NULL); - strncpy(ll.ll_line, ttyname + 5, sizeof(ll.ll_line)); - strncpy(ll.ll_host, host, sizeof(ll.ll_host)); - fd = open(lastlog, O_RDWR); - if (fd >= 0) { - lseek(fd, (off_t) ((long) uid * sizeof(ll)), SEEK_SET); - if (write(fd, &ll, sizeof(ll)) != sizeof(ll)) - log("Could not write %.100s: %.100s", lastlog, strerror(errno)); - close(fd); - } - } + struct logininfo *li; + + li = login_alloc_entry(pid, user, host, ttyname); + login_set_addr(li, addr, sizeof(struct sockaddr)); + login_login(li); + login_free_entry(li); } /* Records that the user has logged out. */ @@ -118,7 +61,9 @@ void record_logout(pid_t pid, const char *ttyname) { - const char *line = ttyname + 5; /* /dev/ttyq8 -> ttyq8 */ - if (logout(line)) - logwtmp(line, "", ""); + struct logininfo *li; + + li = login_alloc_entry(pid, NULL, NULL, ttyname); + login_logout(li); + login_free_entry(li); } diff -ruN --exclude CVS ssh-openbsd-2000070100/loginrec.c openssh-2.1.1p2/loginrec.c --- ssh-openbsd-2000070100/loginrec.c Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/loginrec.c Sat Jul 1 13:17:42 2000 
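Review bot: `login_set_addr(li, addr, sizeof(struct sockaddr))` passes a fixed 16-byte length regardless of what `addr` actually points to, so an AF_INET6 peer (a `struct sockaddr_in6`, which is larger) would be truncated if login_set_addr() copies only the given length; the argument should be the real socket address length. Since record_login() takes no length parameter, either derive it from the family, `addr->sa_family == AF_INET6 ? sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in)`, or extend the signature with a `socklen_t addrlen` so the length from the caller's accept()/getpeername() is used. Whether this loses data depends on login_set_addr(), which is defined outside this chunk, so it is worth confirming there.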
@@ -0,0 +1,1444 @@ +/* + * Copyright (c) 2000 Andre Lucas. All rights reserved. + * Portions copyright (c) 1998 Todd C. Miller + * Portions copyright (c) 1996 Jason Downs + * Portions copyright (c) 1996 Theo de Raadt + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Markus Friedl. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/** + ** loginrec.c: platform-independent login recording and lastlog retrieval + **/ + +/* + The new login code explained + ============================ + + This code attempts to provide a common interface to login recording + (utmp and friends) and last login time retrieval. + + Its primary means of achieving this is to use 'struct logininfo', a + union of all the useful fields in the various different types of + system login record structures one finds on UNIX variants. + + We depend on autoconf to define which recording methods are to be + used, and which fields are contained in the relevant data structures + on the local system. Many C preprocessor symbols affect which code + gets compiled here. + + The code is designed to make it easy to modify a particular + recording method, without affecting other methods nor requiring so + many nested conditional compilation blocks as were commonplace in + the old code. + + For login recording, we try to use the local system's libraries as + these are clearly most likely to work correctly. For utmp systems + this usually means login() and logout() or setutent() etc., probably + in libutil, along with logwtmp() etc. On these systems, we fall back + to writing the files directly if we have to, though this method + requires very thorough testing so we do not corrupt local auditing + information. These files and their access methods are very system + specific indeed. + + For utmpx systems, the corresponding library functions are + setutxent() etc. To the author's knowledge, all utmpx systems have + these library functions and so no direct write is attempted. If such + a system exists and needs support, direct analogues of the [uw]tmp + code should suffice. + + Retrieving the time of last login ('lastlog') is in some ways even + more problemmatic than login recording. Some systems provide a + simple table of all users which we seek based on uid and retrieve a + relatively standard structure. 
Others record the same information in + a directory with a separate file, and others don't record the + information separately at all. For systems in the latter category, + we look backwards in the wtmp or wtmpx file for the last login entry + for our user. Naturally this is slower and on busy systems could + incur a significant performance penalty. + + Calling the new code + -------------------- + + In OpenSSH all login recording and retrieval is performed in + login.c. Here you'll find working examples. Also, in the logintest.c + program there are more examples. + + Internal handler calling method + ------------------------------- + + When a call is made to login_login() or login_logout(), both + routines set a struct logininfo flag defining which action (log in, + or log out) is to be taken. They both then call login_write(), which + calls whichever of the many structure-specific handlers autoconf + selects for the local system. + + The handlers themselves handle system data structure specifics. Both + struct utmp and struct utmpx have utility functions (see + construct_utmp*()) to try to make it simpler to add extra systems + that introduce new features to either structure. + + While it may seem terribly wasteful to replicate so much similar + code for each method, experience has shown that maintaining code to + write both struct utmp and utmpx in one function, whilst maintaining + support for all systems whether they have library support or not, is + a difficult and time-consuming task. + + Lastlog support proceeds similarly. Functions login_get_lastlog() + (and its OpenSSH-tuned friend login_get_lastlog_time()) call + getlast_entry(), which tries one of three methods to find the last + login time. It uses local system lastlog support if it can, + otherwise it tries wtmp or wtmpx before giving up and returning 0, + meaning "tilt". 
+ + Maintenance + ----------- + + In many cases it's possible to tweak autoconf to select the correct + methods for a particular platform, either by improving the detection + code (best), or by presetting DISABLE_ or CONF__FILE + symbols for the platform. + + Use logintest to check which symbols are defined before modifying + configure.in and loginrec.c. (You have to build logintest yourself + with 'make logintest' as it's not built by default.) + + Otherwise, patches to the specific method(s) are very helpful! + +*/ + +/** + ** TODO: + ** homegrown ttyslot()q + ** test, test, test + ** + ** Platform status: + ** ---------------- + ** + ** Known good: + ** Linux (Redhat 6.2, need more variants) + ** HP-UX 10.20 (gcc only) + ** IRIX + ** + ** Testing required: Please send reports! + ** Solaris + ** NetBSD + ** HP-UX 11 + ** AIX + ** + ** Platforms with known problems: + ** NeXT + ** + **/ + +#include "includes.h" + +#if HAVE_UTMP_H +# include +#endif +#if HAVE_UTMPX_H +# include +#endif +#if HAVE_LASTLOG_H +# include +#endif + +#include "ssh.h" +#include "xmalloc.h" +#include "loginrec.h" + +RCSID("$Id: loginrec.c,v 1.13 2000/07/01 03:17:42 djm Exp $"); + +/** + ** prototypes for helper functions in this file + **/ + +#if HAVE_UTMP_H +void set_utmp_time(struct logininfo *li, struct utmp *ut); +void construct_utmp(struct logininfo *li, struct utmp *ut); +#endif + +#ifdef HAVE_UTMPX_H +void set_utmpx_time(struct logininfo *li, struct utmpx *ut); +void construct_utmpx(struct logininfo *li, struct utmpx *ut); +#endif + +int utmp_write_entry(struct logininfo *li); +int utmpx_write_entry(struct logininfo *li); +int wtmp_write_entry(struct logininfo *li); +int wtmpx_write_entry(struct logininfo *li); +int lastlog_write_entry(struct logininfo *li); +int syslogin_write_entry(struct logininfo *li); + +int getlast_entry(struct logininfo *li); +int lastlog_get_entry(struct logininfo *li); +int wtmp_get_entry(struct logininfo *li); +int wtmpx_get_entry(struct logininfo *li); + 
+/* pick the shortest string */ +#define MIN_SIZEOF(s1,s2) ( sizeof(s1) < sizeof(s2) ? sizeof(s1) : sizeof(s2) ) + +/** + ** platform-independent login functions + **/ + +/* login_login(struct logininfo *) -Record a login + * + * Call with a pointer to a struct logininfo initialised with + * login_init_entry() or login_alloc_entry() + * + * Returns: + * >0 if successful + * 0 on failure (will use OpenSSH's logging facilities for diagnostics) + */ +int +login_login (struct logininfo *li) +{ + li->type = LTYPE_LOGIN; + return login_write(li); +} + + +/* login_logout(struct logininfo *) - Record a logout + * + * Call as with login_login() + * + * Returns: + * >0 if successful + * 0 on failure (will use OpenSSH's logging facilities for diagnostics) + */ +int +login_logout(struct logininfo *li) +{ + li->type = LTYPE_LOGOUT; + return login_write(li); +} + +/* login_get_lastlog_time(int) - Retrieve the last login time + * + * Retrieve the last login time for the given uid. Will try to use the + * system lastlog facilities if they are available, but will fall back + * to looking in wtmp/wtmpx if necessary + * + * Returns: + * 0 on failure, or if user has never logged in + * Time in seconds from the epoch if successful + * + * Useful preprocessor symbols: + * DISABLE_LASTLOG: If set, *never* even try to retrieve lastlog + * info + * USE_LASTLOG: If set, indicates the presence of system lastlog + * facilities. If this and DISABLE_LASTLOG are not set, + * try to retrieve lastlog information from wtmp/wtmpx. + */ +unsigned int +login_get_lastlog_time(const int uid) +{ + struct logininfo li; + + if (login_get_lastlog(&li, uid)) + return li.tv_sec; + else + return 0; +} + +/* login_get_lastlog(struct logininfo *, int) - Retrieve a lastlog entry + * + * Retrieve a logininfo structure populated (only partially) with + * information from the system lastlog data, or from wtmp/wtmpx if no + * system lastlog information exists. 
+ * + * Note this routine must be given a pre-allocated logininfo. + * + * Returns: + * >0: A pointer to your struct logininfo if successful + * 0 on failure (will use OpenSSH's logging facilities for diagnostics) + * + */ +struct logininfo * +login_get_lastlog(struct logininfo *li, const int uid) +{ + struct passwd *pw; + + memset(li, '\0', sizeof(struct logininfo)); + li->uid = uid; + + /* + * If we don't have a 'real' lastlog, we need the username to + * reliably search wtmp(x) for the last login (see + * wtmp_get_entry().) + */ + pw = getpwuid(uid); + if (pw == NULL) + fatal("login_get_lastlog: Cannot find account for uid %i", uid); + + /* No MIN_SIZEOF here - we absolutely *must not* truncate the + * username */ + strlcpy(li->username, pw->pw_name, sizeof(li->username)); + + if (getlast_entry(li)) + return li; + else + return NULL; +} + + +/* login_alloc_entry(int, char*, char*, char*) - Allocate and initialise + * a logininfo structure + * + * This function creates a new struct logininfo, a data structure + * meant to carry the information required to portably record login info. + * + * Returns a pointer to a newly created struct logininfo. If memory + * allocation fails, the program halts. + */ +struct +logininfo *login_alloc_entry(int pid, const char *username, + const char *hostname, const char *line) +{ + struct logininfo *newli; + + newli = (struct logininfo *) xmalloc (sizeof(struct logininfo)); + (void)login_init_entry(newli, pid, username, hostname, line); + return newli; +} + + +/* login_free_entry(struct logininfo *) - free struct memory */ +void +login_free_entry(struct logininfo *li) +{ + xfree(li); +} + + +/* login_init_entry(struct logininfo *, int, char*, char*, char*) + * - initialise a struct logininfo + * + * Populates a new struct logininfo, a data structure meant to carry + * the information required to portably record login info. 
+ * + * Returns: 1 + */ +int +login_init_entry(struct logininfo *li, int pid, const char *username, + const char *hostname, const char *line) +{ + struct passwd *pw; + + memset(li, 0, sizeof(struct logininfo)); + + li->pid = pid; + + /* set the line information */ + if (line) + line_fullname(li->line, line, sizeof(li->line)); + + if (username) { + strlcpy(li->username, username, sizeof(li->username)); + pw = getpwnam(li->username); + if (pw == NULL) + fatal("login_init_entry: Cannot find user \"%s\"", li->username); + li->uid = pw->pw_uid; + } + + if (hostname) + strlcpy(li->hostname, hostname, sizeof(li->hostname)); + + return 1; +} + +/* login_set_current_time(struct logininfo *) - set the current time + * + * Set the current time in a logininfo structure. This function is + * meant to eliminate the need to deal with system dependencies for + * time handling. + */ +void +login_set_current_time(struct logininfo *li) +{ + struct timeval tv; + + gettimeofday(&tv, NULL); + + li->tv_sec = tv.tv_sec; + li->tv_usec = tv.tv_usec; +} + +/* copy a sockaddr_* into our logininfo */ +void +login_set_addr(struct logininfo *li, const struct sockaddr *sa, + const unsigned int sa_size) +{ + unsigned int bufsize = sa_size; + + /* make sure we don't overrun our union */ + if (sizeof(li->hostaddr) < sa_size) + bufsize = sizeof(li->hostaddr); + + memcpy((void *)&(li->hostaddr.sa), (const void *)sa, bufsize); +} + + +/** + ** login_write: Call low-level recording functions based on autoconf + ** results + **/ +int +login_write (struct logininfo *li) +{ + if ((int)geteuid() != 0) { + log("Attempt to write login records by non-root user (aborting)"); + return 1; + } + + /* set the timestamp */ + login_set_current_time(li); +#ifdef USE_LOGIN + syslogin_write_entry(li); +#endif +#ifdef USE_LASTLOG + if (li->type == LTYPE_LOGIN) { + lastlog_write_entry(li); + } +#endif +#ifdef USE_UTMP + utmp_write_entry(li); +#endif +#ifdef USE_WTMP + wtmp_write_entry(li); +#endif +#ifdef USE_UTMPX + 
utmpx_write_entry(li); +#endif +#ifdef USE_WTMPX + wtmpx_write_entry(li); +#endif + return 0; +} + +/** + ** getlast_entry: Call low-level functions to retrieve the last login + ** time. + **/ + +/* take the uid in li and return the last login time */ +int +getlast_entry(struct logininfo *li) +{ +#ifdef USE_LASTLOG + return(lastlog_get_entry(li)); +#else /* !USE_LASTLOG */ + +#ifdef DISABLE_LASTLOG + /* On some systems we shouldn't even try to obtain last login + * time, e.g. AIX */ + return 0; +# else /* DISABLE_LASTLOG */ + /* Try to retrieve the last login time from wtmp */ +# if defined(USE_WTMP) && (defined(HAVE_TIME_IN_UTMP) || defined(HAVE_TV_IN_UTMP)) + /* retrieve last login time from utmp */ + return (wtmp_get_entry(li)); +# else /* defined(USE_WTMP) && (defined(HAVE_TIME_IN_UTMP) || defined(HAVE_TV_IN_UTMP)) */ + /* If wtmp isn't available, try wtmpx */ +# if defined(USE_WTMPX) && (defined(HAVE_TIME_IN_UTMPX) || defined(HAVE_TV_IN_UTMPX)) + /* retrieve last login time from utmpx */ + return (wtmpx_get_entry(li)); +# else + /* Give up: No means of retrieving last login time */ + return 0; +# endif /* USE_WTMPX && (HAVE_TIME_IN_UTMPX || HAVE_TV_IN_UTMPX) */ +# endif /* USE_WTMP && (HAVE_TIME_IN_UTMP || HAVE_TV_IN_UTMP) */ +# endif /* DISABLE_LASTLOG */ +#endif /* USE_LASTLOG */ +} + + + +/* + * 'line' string utility functions + * + * These functions process the 'line' string into one of three forms: + * + * 1. The full filename (including '/dev') + * 2. The stripped name (excluding '/dev') + * 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00 + * /dev/pts/1 -> ts/1 ) + * + * Form 3 is used on some systems to identify a .tmp.? entry when + * attempting to remove it. Typically both addition and removal is + * performed by one application - say, sshd - so as long as the choice + * uniquely identifies a terminal it's ok. 
+ */ + + +/* line_fullname(): add the leading '/dev/' if it doesn't exist make + * sure dst has enough space, if not just copy src (ugh) */ +char * +line_fullname(char *dst, const char *src, int dstsize) +{ + memset(dst, '\0', dstsize); + if ((strncmp(src, "/dev/", 5) == 0) || (dstsize < (strlen(src) + 5))) + strlcpy(dst, src, dstsize); + else { + strlcpy(dst, "/dev/", dstsize); + strlcat(dst, src, dstsize); + } + return dst; +} + +/* line_stripname(): strip the leading '/dev' if it exists, return dst */ +char * +line_stripname(char *dst, const char *src, int dstsize) +{ + memset(dst, '\0', dstsize); + if (strncmp(src, "/dev/", 5) == 0) + strlcpy(dst, &src[5], dstsize); + else + strlcpy(dst, src, dstsize); + return dst; +} + +/* line_abbrevname(): Return the abbreviated (usually four-character) + * form of the line (Just use the last characters of the + * full name.) + * + * NOTE: use strncpy because we do NOT necessarily want zero + * termination */ +char * +line_abbrevname(char *dst, const char *src, int dstsize) +{ + size_t len; + + memset(dst, '\0', dstsize); + + /* Always skip prefix if present */ + if (strncmp(src, "/dev/", 5) == 0) + src += 5; + + len = strlen(src); + + if (len > 0) { + if (((int)len - dstsize) > 0) + src += ((int)len - dstsize); + + /* note: _don't_ change this to strlcpy */ + strncpy(dst, src, (size_t)dstsize); + } + + return dst; +} + +/** + ** utmp utility functions + ** + ** These functions manipulate struct utmp, taking system differences + ** into account. 
+ **/ + +#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN) + +/* build the utmp structure */ +void +set_utmp_time(struct logininfo *li, struct utmp *ut) +{ +# ifdef HAVE_TV_IN_UTMP + ut->ut_tv.tv_sec = li->tv_sec; + ut->ut_tv.tv_usec = li->tv_usec; +# else +# ifdef HAVE_TIME_IN_UTMP + ut->ut_time = li->tv_sec; +# endif +# endif +} + +void +construct_utmp(struct logininfo *li, + struct utmp *ut) +{ + memset(ut, '\0', sizeof(struct utmp)); + + /* First fill out fields used for both logins and logouts */ + +# ifdef HAVE_ID_IN_UTMP + line_abbrevname(ut->ut_id, li->line, sizeof(ut->ut_id)); +# endif + +# ifdef HAVE_TYPE_IN_UTMP + /* This is done here to keep utmp constants out of struct logininfo */ + switch (li->type) { + case LTYPE_LOGIN: + ut->ut_type = USER_PROCESS; + break; + case LTYPE_LOGOUT: + ut->ut_type = DEAD_PROCESS; + break; + } +# endif + set_utmp_time(li, ut); + + line_stripname(ut->ut_line, li->line, sizeof(ut->ut_line)); + +# ifdef HAVE_PID_IN_UTMP + ut->ut_pid = li->pid; +# endif + + /* If we're logging out, leave all other fields blank */ + if (li->type == LTYPE_LOGOUT) + return; + + /* + * These fields are only used when logging in, and are blank + * for logouts. + */ + + /* Use strncpy because we don't necessarily want null termination */ + strncpy(ut->ut_user, li->username, MIN_SIZEOF(ut->ut_user, li->username)); +# ifdef HAVE_HOST_IN_UTMP + strncpy(ut->ut_host, li->hostname, MIN_SIZEOF(ut->ut_host, li->hostname)); +# endif +# ifdef HAVE_ADDR_IN_UTMP + /* this is just a 32-bit IP address */ + if (li->hostaddr.sa.sa_family == AF_INET) + ut->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr; +# endif +} +#endif /* USE_UTMP || USE_WTMP || USE_LOGIN */ + +/** + ** utmpx utility functions + ** + ** These functions manipulate struct utmpx, accounting for system + ** variations. 
+ **/ + +#if defined(USE_UTMPX) || defined (USE_WTMPX) +/* build the utmpx structure */ +void +set_utmpx_time(struct logininfo *li, struct utmpx *utx) +{ +# ifdef HAVE_TV_IN_UTMPX + utx->ut_tv.tv_sec = li->tv_sec; + utx->ut_tv.tv_usec = li->tv_usec; +# else /* HAVE_TV_IN_UTMPX */ +# ifdef HAVE_TIME_IN_UTMPX + utx->ut_time = li->tv_sec; +# endif /* HAVE_TIME_IN_UTMPX */ +# endif /* HAVE_TV_IN_UTMPX */ +} + +void +construct_utmpx(struct logininfo *li, struct utmpx *utx) +{ + memset(utx, '\0', sizeof(struct utmpx)); +# ifdef HAVE_ID_IN_UTMPX + line_abbrevname(utx->ut_id, li->line, sizeof(utx->ut_id)); +# endif + + /* this is done here to keep utmp constants out of loginrec.h */ + switch (li->type) { + case LTYPE_LOGIN: + utx->ut_type = USER_PROCESS; + break; + case LTYPE_LOGOUT: + utx->ut_type = DEAD_PROCESS; + break; + } + line_stripname(utx->ut_line, li->line, sizeof(utx->ut_line)); + set_utmpx_time(li, utx); + utx->ut_pid = li->pid; + + if (li->type == LTYPE_LOGOUT) + return; + + /* + * These fields are only used when logging in, and are blank + * for logouts. + */ + + /* strncpy(): Don't necessarily want null termination */ + strncpy(utx->ut_name, li->username, MIN_SIZEOF(utx->ut_name, li->username)); +# ifdef HAVE_HOST_IN_UTMPX + strncpy(utx->ut_host, li->hostname, MIN_SIZEOF(utx->ut_host, li->hostname)); +# endif +# ifdef HAVE_ADDR_IN_UTMPX + /* FIXME: (ATL) not supported yet */ +# endif +# ifdef HAVE_SYSLEN_IN_UTMPX + /* ut_syslen is the length of the utx_host string */ + utx->ut_syslen = MIN(strlen(li->hostname), sizeof(utx->ut_host)); +# endif +} +#endif /* USE_UTMPX || USE_WTMPX */ + +/** + ** Low-level utmp functions + **/ + +/* FIXME: (ATL) utmp_write_direct needs testing */ +#ifdef USE_UTMP + +/* if we can, use pututline() etc. 
*/ +# if !defined(DISABLE_PUTUTLINE) && defined(HAVE_SETUTENT) && \ + defined(HAVE_PUTUTLINE) +# define UTMP_USE_LIBRARY +# endif + + +/* write a utmp entry with the system's help (pututline() and pals) */ +# ifdef UTMP_USE_LIBRARY +static int +utmp_write_library(struct logininfo *li, struct utmp *ut) +{ + setutent(); + pututline(ut); + +# ifdef HAVE_ENDUTENT + endutent(); +# endif + return 1; +} +# else /* UTMP_USE_LIBRARY */ + +/* write a utmp entry direct to the file */ +/* This is a slightly modification of code in OpenBSD's login.c */ +static int +utmp_write_direct(struct logininfo *li, struct utmp *ut) +{ + struct utmp old_ut; + register int fd; + int tty; + + /* FIXME: (ATL) ttyslot() needs local implementation */ + tty = ttyslot(); /* seems only to work for /dev/ttyp? style names */ + + if (tty > 0 && (fd = open(UTMP_FILE, O_RDWR|O_CREAT, 0644)) >= 0) { + (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); + /* + * Prevent luser from zero'ing out ut_host. + * If the new ut_line is empty but the old one is not + * and ut_line and ut_name match, preserve the old ut_line. 
+ */ + if (atomicio(read, fd, &old_ut, sizeof(old_ut)) == sizeof(old_ut) && + (ut->ut_host[0] == '\0') && (old_ut.ut_host[0] != '\0') && + (strncmp(old_ut.ut_line, ut->ut_line, sizeof(ut->ut_line)) == 0) && + (strncmp(old_ut.ut_name, ut->ut_name, sizeof(ut->ut_name)) == 0)) { + (void)memcpy(ut->ut_host, old_ut.ut_host, sizeof(ut->ut_host)); + } + + (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); + if (atomicio(write, fd, ut, sizeof(ut)) != sizeof(ut)) + log("utmp_write_direct: error writing %s: %s", + UTMP_FILE, strerror(errno)); + + (void)close(fd); + return 1; + } else { + return 0; + } +} +# endif /* UTMP_USE_LIBRARY */ + +static int +utmp_perform_login(struct logininfo *li) +{ + struct utmp ut; + + construct_utmp(li, &ut); +# ifdef UTMP_USE_LIBRARY + if (!utmp_write_library(li, &ut)) { + log("utmp_perform_login: utmp_write_library() failed"); + return 0; + } +# else + if (!utmp_write_direct(li, &ut)) { + log("utmp_perform_login: utmp_write_direct() failed"); + return 0; + } +# endif + return 1; +} + + +static int +utmp_perform_logout(struct logininfo *li) +{ + struct utmp ut; + + construct_utmp(li, &ut); +# ifdef UTMP_USE_LIBRARY + if (!utmp_write_library(li, &ut)) { + log("utmp_perform_logout: utmp_write_library() failed"); + return 0; + } +# else + if (!utmp_write_direct(li, &ut)) { + log("utmp_perform_logout: utmp_write_direct() failed"); + return 0; + } +# endif + return 1; +} + + +int +utmp_write_entry(struct logininfo *li) +{ + switch(li->type) { + case LTYPE_LOGIN: + return utmp_perform_login(li); + + case LTYPE_LOGOUT: + return utmp_perform_logout(li); + + default: + log("utmp_write_entry: invalid type field"); + return 0; + } +} +#endif /* USE_UTMP */ + + +/** + ** Low-level utmpx functions + **/ + +/* not much point if we don't want utmpx entries */ +#ifdef USE_UTMPX + +/* if we have the wherewithall, use pututxline etc. 
*/ +# if !defined(DISABLE_PUTUTXLINE) && defined(HAVE_SETUTXENT) && \ + defined(HAVE_PUTUTXLINE) +# define UTMPX_USE_LIBRARY +# endif + + +/* write a utmpx entry with the system's help (pututxline() and pals) */ +# ifdef UTMPX_USE_LIBRARY +static int +utmpx_write_library(struct logininfo *li, struct utmpx *utx) +{ + setutxent(); + pututxline(utx); + +# ifdef HAVE_ENDUTXENT + endutxent(); +# endif + return 1; +} + +# else /* UTMPX_USE_LIBRARY */ + +/* write a utmp entry direct to the file */ +static int +utmpx_write_direct(struct logininfo *li, struct utmpx *utx) +{ + log("utmpx_write_direct: not implemented!"); + return 0; +} +# endif /* UTMPX_USE_LIBRARY */ + +static int +utmpx_perform_login(struct logininfo *li) +{ + struct utmpx utx; + + construct_utmpx(li, &utx); +# ifdef UTMPX_USE_LIBRARY + if (!utmpx_write_library(li, &utx)) { + log("utmpx_perform_login: utmp_write_library() failed"); + return 0; + } +# else + if (!utmpx_write_direct(li, &ut)) { + log("utmpx_perform_login: utmp_write_direct() failed"); + return 0; + } +# endif + return 1; +} + + +static int +utmpx_perform_logout(struct logininfo *li) +{ + struct utmpx utx; + + memset(&utx, '\0', sizeof(utx)); + set_utmpx_time(li, &utx); + line_stripname(utx.ut_line, li->line, sizeof(utx.ut_line)); +# ifdef HAVE_ID_IN_UTMPX + line_abbrevname(utx.ut_id, li->line, sizeof(utx.ut_id)); +# endif +# ifdef HAVE_TYPE_IN_UTMPX + utx.ut_type = DEAD_PROCESS; +# endif + +# ifdef UTMPX_USE_LIBRARY + utmpx_write_library(li, &utx); +# else + utmpx_write_direct(li, &utx); +# endif + return 1; +} + +int +utmpx_write_entry(struct logininfo *li) +{ + switch(li->type) { + case LTYPE_LOGIN: + return utmpx_perform_login(li); + case LTYPE_LOGOUT: + return utmpx_perform_logout(li); + default: + log("utmpx_write_entry: invalid type field"); + return 0; + } +} +#endif /* USE_UTMPX */ + + +/** + ** Low-level wtmp functions + **/ + +#ifdef USE_WTMP + +/* write a wtmp entry direct to the end of the file */ +/* This is a slight 
modification of code in OpenBSD's logwtmp.c */ +static int +wtmp_write(struct logininfo *li, struct utmp *ut) +{ + struct stat buf; + int fd, ret = 1; + + if ((fd = open(WTMP_FILE, O_WRONLY|O_APPEND, 0)) < 0) { + log("wtmp_write: problem writing %s: %s", + WTMP_FILE, strerror(errno)); + return 0; + } + if (fstat(fd, &buf) == 0) + if (atomicio(write, fd, ut, sizeof(*ut)) != sizeof(*ut)) { + ftruncate(fd, buf.st_size); + log("wtmp_write: problem writing %s: %s", + WTMP_FILE, strerror(errno)); + ret = 0; + } + (void)close(fd); + return ret; +} + +static int +wtmp_perform_login(struct logininfo *li) +{ + struct utmp ut; + + construct_utmp(li, &ut); + return wtmp_write(li, &ut); +} + + +static int +wtmp_perform_logout(struct logininfo *li) +{ + struct utmp ut; + + construct_utmp(li, &ut); + return wtmp_write(li, &ut); +} + + +int +wtmp_write_entry(struct logininfo *li) +{ + switch(li->type) { + case LTYPE_LOGIN: + return wtmp_perform_login(li); + case LTYPE_LOGOUT: + return wtmp_perform_logout(li); + default: + log("wtmp_write_entry: invalid type field"); + return 0; + } +} + + +/* Notes on fetching login data from wtmp/wtmpx + * + * Logouts are usually recorded with (amongst other things) a blank + * username on a given tty line. However, some systems (HP-UX is one) + * leave all fields set, but change the ut_type field to DEAD_PROCESS. + * + * Since we're only looking for logins here, we know that the username + * must be set correctly. On systems that leave it in, we check for + * ut_type==USER_PROCESS (indicating a login.) + * + * Portability: Some systems may set something other than USER_PROCESS + * to indicate a login process. I don't know of any as I write. Also, + * it's possible that some systems may both leave the username in + * place and not have ut_type. 
+ */ + +/* return true if this wtmp entry indicates a login */ +static int +wtmp_islogin(struct logininfo *li, struct utmp *ut) +{ + if (strncmp(li->username, ut->ut_user, + MIN_SIZEOF(li->username, ut->ut_user)) == 0) { +# ifdef HAVE_TYPE_IN_UTMP + if (ut->ut_type & USER_PROCESS) + return 1; +# else + return 1; +# endif + } + return 0; +} + +int +wtmp_get_entry(struct logininfo *li) +{ + struct stat st; + struct utmp ut; + int fd, found=0; + + /* Clear the time entries in our logininfo */ + li->tv_sec = li->tv_usec = 0; + + if ((fd = open(WTMP_FILE, O_RDONLY)) < 0) { + log("wtmp_get_entry: problem opening %s: %s", + WTMP_FILE, strerror(errno)); + return 0; + } + if (fstat(fd, &st) != 0) { + log("wtmp_get_entry: couldn't stat %s: %s", + WTMP_FILE, strerror(errno)); + close(fd); + return 0; + } + + /* Seek to the start of the last struct utmp */ + if (lseek(fd, (off_t)(0-sizeof(struct utmp)), SEEK_END) == -1) { + /* Looks like we've got a fresh wtmp file */ + close(fd); + return 0; + } + + while (!found) { + if (atomicio(read, fd, &ut, sizeof(ut)) != sizeof(ut)) { + log("wtmp_get_entry: read of %s failed: %s", + WTMP_FILE, strerror(errno)); + close (fd); + return 0; + } + if ( wtmp_islogin(li, &ut) ) { + found = 1; + /* We've already checked for a time in struct + * utmp, in login_getlast(). */ +# ifdef HAVE_TIME_IN_UTMP + li->tv_sec = ut.ut_time; +# else +# if HAVE_TV_IN_UTMP + li->tv_sec = ut.ut_tv.tv_sec; +# endif +# endif + line_fullname(li->line, ut.ut_line, + MIN_SIZEOF(li->line, ut.ut_line)); +# ifdef HAVE_HOST_IN_UTMP + strlcpy(li->hostname, ut.ut_host, + MIN_SIZEOF(li->hostname, ut.ut_host)); +# endif + continue; + } + /* Seek back 2 x struct utmp */ + if (lseek(fd, (off_t)(0-2*sizeof(struct utmp)), SEEK_CUR) == -1) { + /* We've found the start of the file, so quit */ + close (fd); + return 0; + } + } + + /* We found an entry. 
Tidy up and return */ + close(fd); + return 1; +} +# endif /* USE_WTMP */ + + +/** + ** Low-level wtmpx functions + **/ + +#ifdef USE_WTMPX +/* write a wtmpx entry direct to the end of the file */ +/* This is a slight modification of code in OpenBSD's logwtmp.c */ +static int +wtmpx_write(struct logininfo *li, struct utmpx *utx) +{ + struct stat buf; + int fd, ret = 1; + + if ((fd = open(WTMPX_FILE, O_WRONLY|O_APPEND, 0)) < 0) { + log("wtmpx_write: problem opening %s: %s", + WTMPX_FILE, strerror(errno)); + return 0; + } + + if (fstat(fd, &buf) == 0) + if (atomicio(write, fd, utx, sizeof(*utx)) != sizeof(*utx)) { + ftruncate(fd, buf.st_size); + log("wtmpx_write: problem writing %s: %s", + WTMPX_FILE, strerror(errno)); + ret = 0; + } + (void)close(fd); + + return ret; +} + + +static int +wtmpx_perform_login(struct logininfo *li) +{ + struct utmpx utx; + + construct_utmpx(li, &utx); + return wtmpx_write(li, &utx); +} + + +static int +wtmpx_perform_logout(struct logininfo *li) +{ + struct utmpx utx; + + construct_utmpx(li, &utx); + return wtmpx_write(li, &utx); +} + + +int +wtmpx_write_entry(struct logininfo *li) +{ + switch(li->type) { + case LTYPE_LOGIN: + return wtmpx_perform_login(li); + case LTYPE_LOGOUT: + return wtmpx_perform_logout(li); + default: + log("wtmpx_write_entry: invalid type field"); + return 0; + } +} + +/* Please see the notes above wtmp_islogin() for information about the + next two functions */ + +/* Return true if this wtmpx entry indicates a login */ +static int +wtmpx_islogin(struct logininfo *li, struct utmpx *utx) +{ + if ( strncmp(li->username, utx->ut_user, + MIN_SIZEOF(li->username, utx->ut_user)) == 0 ) { +# ifdef HAVE_TYPE_IN_UTMPX + if (utx->ut_type == USER_PROCESS) + return 1; +# else + return 1; +# endif + } + return 0; +} + + +int +wtmpx_get_entry(struct logininfo *li) +{ + struct stat st; + struct utmpx utx; + int fd, found=0; + + /* Clear the time entries */ + li->tv_sec = li->tv_usec = 0; + + if ((fd = open(WTMPX_FILE, O_RDONLY)) 
< 0) { + log("wtmpx_get_entry: problem opening %s: %s", + WTMPX_FILE, strerror(errno)); + return 0; + } + if (fstat(fd, &st) != 0) { + log("wtmpx_get_entry: couldn't stat %s: %s", + WTMP_FILE, strerror(errno)); + close(fd); + return 0; + } + + /* Seek to the start of the last struct utmpx */ + if (lseek(fd, (off_t)(0-sizeof(struct utmpx)), SEEK_END) == -1 ) { + /* probably a newly rotated wtmpx file */ + close(fd); + return 0; + } + + while (!found) { + if (atomicio(read, fd, &utx, sizeof(utx)) != sizeof(utx)) { + log("wtmpx_get_entry: read of %s failed: %s", + WTMPX_FILE, strerror(errno)); + close (fd); + return 0; + } + /* Logouts are recorded as a blank username on a particular line. + * So, we just need to find the username in struct utmpx */ + if ( wtmpx_islogin(li, &utx) ) { +# ifdef HAVE_TV_IN_UTMPX + li->tv_sec = utx.ut_tv.tv_sec; +# else +# ifdef HAVE_TIME_IN_UTMPX + li->tv_sec = utx.ut_time; +# endif +# endif + line_fullname(li->line, utx.ut_line, sizeof(li->line)); +# ifdef HAVE_HOST_IN_UTMPX + strlcpy(li->hostname, utx.ut_host, + MIN_SIZEOF(li->hostname, utx.ut_host)); +# endif + continue; + } + if (lseek(fd, (off_t)(0-2*sizeof(struct utmpx)), SEEK_CUR) == -1) { + close (fd); + return 0; + } + } + + close(fd); + return 1; +} +#endif /* USE_WTMPX */ + +/** + ** Low-level libutil login() functions + **/ + +#ifdef USE_LOGIN +static int +syslogin_perform_login(struct logininfo *li) +{ + struct utmp *ut; + + if (! 
(ut = (struct utmp *)malloc(sizeof(struct utmp)))) { + log("syslogin_perform_login: couldn't malloc()"); + return 0; + } + construct_utmp(li, ut); + login(ut); + + return 1; +} + +static int +syslogin_perform_logout(struct logininfo *li) +{ +# ifdef HAVE_LOGOUT + char line[8]; + + (void)line_stripname(line, li->line, sizeof(line)); + + if (!logout(line)) { + log("syslogin_perform_logout: logout() returned an error"); +# ifdef HAVE_LOGWTMP + } else { + logwtmp(line, "", ""); + } +# endif + /* FIXME: (ATL - if the need arises) What to do if we have + * login, but no logout? what if logout but no logwtmp? All + * routines are in libutil so they should all be there, + * but... */ +# endif + return 1; +} + +int +syslogin_write_entry(struct logininfo *li) +{ + switch (li->type) { + case LTYPE_LOGIN: + return syslogin_perform_login(li); + case LTYPE_LOGOUT: + return syslogin_perform_logout(li); + default: + log("syslogin_write_entry: Invalid type field"); + return 0; + } +} +#endif /* USE_LOGIN */ + +/* end of file log-syslogin.c */ + +/** + ** Low-level lastlog functions + **/ + +#ifdef USE_LASTLOG +#define LL_FILE 1 +#define LL_DIR 2 +#define LL_OTHER 3 + +static void +lastlog_construct(struct logininfo *li, struct lastlog *last) +{ + /* clear the structure */ + memset(last, '\0', sizeof(struct lastlog)); + + (void)line_stripname(last->ll_line, li->line, sizeof(last->ll_line)); + strlcpy(last->ll_host, li->hostname, + MIN_SIZEOF(last->ll_host, li->hostname)); + last->ll_time = li->tv_sec; +} + +static int +lastlog_filetype(char *filename) +{ + struct stat st; + + if (stat(LASTLOG_FILE, &st) != 0) { + log("lastlog_perform_login: Couldn't stat %s: %s", LASTLOG_FILE, + strerror(errno)); + return 0; + } + if (S_ISDIR(st.st_mode)) + return LL_DIR; + else if (S_ISREG(st.st_mode)) + return LL_FILE; + else + return LL_OTHER; +} + + +/* open the file (using filemode) and seek to the login entry */ +static int +lastlog_openseek(struct logininfo *li, int *fd, int filemode) +{ + 
off_t offset; + int type; + char lastlog_file[1024]; + + type = lastlog_filetype(LASTLOG_FILE); + switch (type) { + case LL_FILE: + strlcpy(lastlog_file, LASTLOG_FILE, sizeof(lastlog_file)); + break; + case LL_DIR: + snprintf(lastlog_file, sizeof(lastlog_file), "%s/%s", + LASTLOG_FILE, li->username); + break; + default: + log("lastlog_openseek: %.100s is not a file or directory!", + LASTLOG_FILE); + return 0; + } + + *fd = open(lastlog_file, filemode); + if ( *fd < 0) { + debug("lastlog_openseek: Couldn't open %s: %s", + lastlog_file, strerror(errno)); + return 0; + } + + /* find this uid's offset in the lastlog file */ + offset = (off_t) ( (long)li->uid * sizeof(struct lastlog)); + + if ( lseek(*fd, offset, SEEK_SET) != offset ) { + log("lastlog_openseek: %s->lseek(): %s", + lastlog_file, strerror(errno)); + return 0; + } + return 1; +} + +static int +lastlog_perform_login(struct logininfo *li) +{ + struct lastlog last; + int fd; + + /* create our struct lastlog */ + lastlog_construct(li, &last); + + /* write the entry */ + if (lastlog_openseek(li, &fd, O_RDWR|O_CREAT)) { + if (atomicio(write, fd, &last, sizeof(last)) != sizeof(last)) { + log("lastlog_write_filemode: Error writing to %s: %s", + LASTLOG_FILE, strerror(errno)); + return 0; + } + return 1; + } else { + return 0; + } +} + +int +lastlog_write_entry(struct logininfo *li) +{ + switch(li->type) { + case LTYPE_LOGIN: + return lastlog_perform_login(li); + default: + log("lastlog_write_entry: Invalid type field"); + return 0; + } +} + +static void +lastlog_populate_entry(struct logininfo *li, struct lastlog *last) +{ + line_fullname(li->line, last->ll_line, sizeof(li->line)); + strlcpy(li->hostname, last->ll_host, + MIN_SIZEOF(li->hostname, last->ll_host)); + li->tv_sec = last->ll_time; +} + +int +lastlog_get_entry(struct logininfo *li) +{ + struct lastlog last; + int fd; + + if (lastlog_openseek(li, &fd, O_RDONLY)) { + if (atomicio(read, fd, &last, sizeof(last)) != sizeof(last)) { + log("lastlog_get_entry: 
Error reading from %s: %s", + LASTLOG_FILE, strerror(errno)); + return 0; + } else { + lastlog_populate_entry(li, &last); + return 1; + } + } else { + return 0; + } +} +#endif /* USE_LASTLOG */ diff -ruN --exclude CVS ssh-openbsd-2000070100/loginrec.h openssh-2.1.1p2/loginrec.h --- ssh-openbsd-2000070100/loginrec.h Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/loginrec.h Tue Jun 27 11:18:27 2000 
@@ -0,0 +1,137 @@ +#ifndef _HAVE_LOGINREC_H_ +#define _HAVE_LOGINREC_H_ + +/* + * Copyright (c) 2000 Andre Lucas. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Markus Friedl. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/** + ** loginrec.h: platform-independent login recording and lastlog retrieval + **/ + +#include "includes.h" + +#include +#include +#include + +/* RCSID("$Id: loginrec.h,v 1.4 2000/06/27 01:18:27 djm Exp $"); */ + +/** + ** you should use the login_* calls to work around platform dependencies + **/ + +/* + * login_netinfo structure + */ + +union login_netinfo { + struct sockaddr sa; + struct sockaddr_in sa_in; + struct sockaddr_storage sa_storage; +}; + +/* + * * logininfo structure * + */ +/* types - different to utmp.h 'type' macros */ +/* (though set to the same value as linux, openbsd and others...) */ +#define LTYPE_LOGIN 7 +#define LTYPE_LOGOUT 8 + +/* string lengths - set very long */ +#define LINFO_PROGSIZE 64 +#define LINFO_LINESIZE 64 +#define LINFO_NAMESIZE 64 +#define LINFO_HOSTSIZE 256 + +struct logininfo { + char progname[LINFO_PROGSIZE]; /* name of program (for PAM) */ + int progname_null; + short int type; /* type of login (LTYPE_*) */ + int pid; /* PID of login process */ + int uid; /* UID of this user */ + char line[LINFO_LINESIZE]; /* tty/pty name */ + char username[LINFO_NAMESIZE]; /* login username */ + char hostname[LINFO_HOSTSIZE]; /* remote hostname */ + /* 'exit_status' structure components */ + int exit; /* process exit status */ + int termination; /* process termination status */ + /* struct timeval (sys/time.h) isn't always available, if it isn't we'll + * use time_t's value as tv_sec and set tv_usec to 0 + */ + unsigned int tv_sec; + unsigned int tv_usec; + union login_netinfo hostaddr; /* caller's host address(es) */ +}; /* struct logininfo */ + +/* + * login recording functions + */ + +/** 'public' functions */ + +/* construct a new login entry */ +struct logininfo *login_alloc_entry(int pid, const char *username, + const char *hostname, const char *line); +/* free a structure */ +void login_free_entry(struct logininfo *li); +/* fill out a pre-allocated structure with useful information */ +int login_init_entry(struct 
logininfo *li, int pid, const char *username, + const char *hostname, const char *line); +/* place the current time in a logininfo struct */ +void login_set_current_time(struct logininfo *li); + +/* record the entry */ +int login_login (struct logininfo *li); +int login_logout(struct logininfo *li); + +/** End of public functions */ + +/* record the entry */ +int login_write (struct logininfo *li); +int login_log_entry(struct logininfo *li); + +/* set the network address based on network address type */ +void login_set_addr(struct logininfo *li, const struct sockaddr *sa, + const unsigned int sa_size); + +/* + * lastlog retrieval functions + */ +/* lastlog *entry* functions fill out a logininfo */ +struct logininfo *login_get_lastlog(struct logininfo *li, const int uid); +/* lastlog *time* functions return time_t equivalent (uint) */ +unsigned int login_get_lastlog_time(const int uid); + +/* produce various forms of the line filename */ +char *line_fullname(char *dst, const char *src, int dstsize); +char *line_stripname(char *dst, const char *src, int dstsize); +char *line_abbrevname(char *dst, const char *src, int dstsize); + +#endif /* _HAVE_LOGINREC_H_ */ diff -ruN --exclude CVS ssh-openbsd-2000070100/logintest.c openssh-2.1.1p2/logintest.c --- ssh-openbsd-2000070100/logintest.c Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/logintest.c Mon Jun 19 18:25:36 2000 
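Review bot: `unsigned int tv_sec;` in struct logininfo narrows the time_t values that loginrec.c stores into it (`last->ll_time = li->tv_sec;` and `li->tv_sec = last->ll_time;` in the lastlog functions), so on a platform where time_t is wider than 32 bits the timestamp is silently truncated; the comment above the field even says it is meant to carry a time_t's value. Declaring it `time_t tv_sec;` would avoid that, but every `%d` printf of the field in logintest.c would need a cast, so at minimum a `/* TODO: widen to time_t; truncates on 64-bit time_t */` comment on the field is warranted. Separately, clause 3 of the license block acknowledges Markus Friedl while the copyright line names Andre Lucas — presumably copied from another file; worth confirming that is intended.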
@@ -0,0 +1,309 @@ +/* + * Copyright (c) 2000 Andre Lucas. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Markus Friedl. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/** + ** logintest.c: simple test driver for platform-independent login recording + ** and lastlog retrieval + **/ + +#include "includes.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#ifdef HAVE_TIME_H +#include +#endif + +#include "loginrec.h" + +RCSID("$Id: logintest.c,v 1.6 2000/06/19 08:25:36 andre Exp $"); + + +#define PAUSE_BEFORE_LOGOUT 3 + +int nologtest = 0; +int compile_opts_only = 0; +int be_verbose = 0; + + +/* Dump a logininfo to stdout. Assumes a tab size of 8 chars. */ +void +dump_logininfo(struct logininfo *li, char *descname) +{ + /* yes I know how nasty this is */ + printf("struct logininfo %s = {\n\t" + "progname\t'%s'\n\ttype\t\t%d\n\t" + "pid\t\t%d\n\tuid\t\t%d\n\t" + "line\t\t'%s'\n\tusername\t'%s'\n\t" + "hostname\t'%s'\n\texit\t\t%d\n\ttermination\t%d\n\t" + "tv_sec\t%d\n\ttv_usec\t%d\n\t" + "struct login_netinfo hostaddr {\n\t\t" + "struct sockaddr sa {\n" + "\t\t\tfamily\t%d\n\t\t}\n" + "\t}\n" + "}\n", + descname, li->progname, li->type, + li->pid, li->uid, li->line, + li->username, li->hostname, li->exit, + li->termination, li->tv_sec, li->tv_usec, + li->hostaddr.sa.sa_family); +} + + +int +testAPI() +{ + struct logininfo *li1; + struct passwd *pw; + struct hostent *he; + struct sockaddr_in sa_in4; + char cmdstring[256], stripline[8]; + char username[32]; +#ifdef HAVE_TIME_H + time_t t0, t1, t2, logintime, logouttime; + char s_t0[64],s_t1[64],s_t2[64]; + char s_logintime[64], s_logouttime[64]; /* ctime() strings */ +#endif + + printf("**\n** Testing the API...\n**\n"); + + pw = getpwuid(getuid()); + strlcpy(username, pw->pw_name, sizeof(username)); + + /* gethostname(hostname, sizeof(hostname)); */ + + printf("login_alloc_entry test (no host info):\n"); + + /* FIXME fake tty more effectively - this could upset some platforms */ + li1 = login_alloc_entry((int)getpid(), username, NULL, ttyname(0)); + strlcpy(li1->progname, "OpenSSH-logintest", sizeof(li1->progname)); + + if (be_verbose) + 
dump_logininfo(li1, "li1"); + + printf("Setting host address info for 'localhost' (may call out):\n"); + if (! (he = gethostbyname("localhost"))) { + printf("Couldn't set hostname(lookup failed)\n"); + } else { + /* NOTE: this is messy, but typically a program wouldn't have to set + * any of this, a sockaddr_in* would be already prepared */ + memcpy((void *)&(sa_in4.sin_addr), (void *)&(he->h_addr_list[0][0]), + sizeof(struct in_addr)); + login_set_addr(li1, (struct sockaddr *) &sa_in4, sizeof(sa_in4)); + strlcpy(li1->hostname, "localhost", sizeof(li1->hostname)); + } + if (be_verbose) + dump_logininfo(li1, "li1"); + + if ((int)geteuid() != 0) { + printf("NOT RUNNING LOGIN TESTS - you are not root!\n"); + return 1; + } + + if (nologtest) + return 1; + + line_stripname(stripline, li1->line, sizeof(stripline)); + + printf("Performing an invalid login attempt (no type field)\n--\n"); + login_write(li1); + printf("--\n(Should have written errors to stderr)\n"); + +#ifdef HAVE_TIME_H + (void)time(&t0); + strlcpy(s_t0, ctime(&t0), sizeof(s_t0)); + t1 = login_get_lastlog_time(getuid()); + strlcpy(s_t1, ctime(&t1), sizeof(s_t1)); + printf("Before logging in:\n\tcurrent time is %d - %s\t" + "lastlog time is %d - %s\n", + (int)t0, s_t0, (int)t1, s_t1); +#endif + + printf("Performing a login on line %s ", stripline); +#ifdef HAVE_TIME_H + (void)time(&logintime); + strlcpy(s_logintime, ctime(&logintime), sizeof(s_logintime)); + printf("at %d - %s", (int)logintime, s_logintime); +#endif + printf("--\n"); + login_login(li1); + + snprintf(cmdstring, sizeof(cmdstring), "who | grep '%s '", + stripline); + system(cmdstring); + + printf("--\nPausing for %d second(s)...\n", PAUSE_BEFORE_LOGOUT); + sleep(PAUSE_BEFORE_LOGOUT); + + printf("Performing a logout "); +#ifdef HAVE_TIME_H + (void)time(&logouttime); + strlcpy(s_logouttime, ctime(&logouttime), sizeof(s_logouttime)); + printf("at %d - %s", (int)logouttime, s_logouttime); +#endif + printf("\nThe root login shown above should be 
gone.\n" + "If the root login hasn't gone, but another user on the same\n" + "pty has, this is OK - we're hacking it here, and there\n" + "shouldn't be two users on one pty in reality...\n" + "-- ('who' output follows)\n"); + login_logout(li1); + + system(cmdstring); + printf("-- ('who' output ends)\n"); + +#ifdef HAVE_TIME_H + t2 = login_get_lastlog_time(getuid()); + strlcpy(s_t2, ctime(&t2), sizeof(s_t2)); + printf("After logging in, lastlog time is %d - %s\n", (int)t2, s_t2); + if (t1 == t2) + printf("The lastlog times before and after logging in are the " + "same.\nThis indicates that lastlog is ** NOT WORKING " + "CORRECTLY **\n"); + else if (t0 != t2) + /* We can be off by a second or so, even when recording works fine. + * I'm not 100% sure why, but it's true. */ + printf("** The login time and the lastlog time differ.\n" + "** This indicates that lastlog is either recording the " + "wrong time,\n** or retrieving the wrong entry.\n" + "If it's off by less than %d second(s) " + "run the test again.\n", PAUSE_BEFORE_LOGOUT); + else + printf("lastlog agrees with the login time. 
This is a good thing.\n"); + +#endif + + printf("--\nThe output of 'last' shown next should have " + "an entry for root \n on %s for the time shown above:\n--\n", + stripline); + snprintf(cmdstring, sizeof(cmdstring), "last | grep '%s ' | head -3", + stripline); + system(cmdstring); + + printf("--\nEnd of login test.\n"); + + login_free_entry(li1); + + return 1; +} /* testAPI() */ + + +void +testLineName(char *line) +{ + /* have to null-terminate - these functions are designed for + * structures with fixed-length char arrays, and don't null-term.*/ + char full[17], strip[9], abbrev[5]; + + memset(full, '\0', sizeof(full)); + memset(strip, '\0', sizeof(strip)); + memset(abbrev, '\0', sizeof(abbrev)); + + line_fullname(full, line, sizeof(full)-1); + line_stripname(strip, full, sizeof(strip)-1); + line_abbrevname(abbrev, full, sizeof(abbrev)-1); + printf("%s: %s, %s, %s\n", line, full, strip, abbrev); + +} /* testLineName() */ + + +int +testOutput() +{ + printf("**\n** Testing linename functions\n**\n"); + testLineName("/dev/pts/1"); + testLineName("pts/1"); + testLineName("pts/999"); + testLineName("/dev/ttyp00"); + testLineName("ttyp00"); + + return 1; +} /* testOutput() */ + + +/* show which options got compiled in */ +void +showOptions(void) +{ + printf("**\n** Compile-time options\n**\n"); + + printf("login recording methods selected:\n"); +#ifdef USE_LOGIN + printf("\tUSE_LOGIN\n"); +#endif +#ifdef USE_UTMP + printf("\tUSE_UTMP (UTMP_FILE=%s)\n", UTMP_FILE); +#endif +#ifdef USE_UTMPX + printf("\tUSE_UTMPX (UTMPX_FILE=%s)\n", UTMPX_FILE); +#endif +#ifdef USE_WTMP + printf("\tUSE_WTMP (WTMP_FILE=%s)\n", WTMP_FILE); +#endif +#ifdef USE_WTMPX + printf("\tUSE_WTMPX (WTMPX_FILE=%s)\n", WTMPX_FILE); +#endif +#ifdef USE_LASTLOG + printf("\tUSE_LASTLOG (LASTLOG_FILE=%s)\n", LASTLOG_FILE); +#endif + printf("\n"); + +} /* showOptions() */ + + +int +main(int argc, char *argv[]) +{ + printf("Platform-independent login recording test driver\n"); + + if (argc == 2) { + if 
(strncmp(argv[1], "-i", 3) == 0) + compile_opts_only = 1; + else if (strncmp(argv[1], "-v", 3) == 0) + be_verbose=1; + } + + if (!compile_opts_only) { + if (be_verbose && !testOutput()) + return 1; + + if (!testAPI()) + return 1; + } + + showOptions(); + + return 0; +} /* main() */ + diff -ruN --exclude CVS ssh-openbsd-2000070100/md5crypt.c openssh-2.1.1p2/md5crypt.c --- ssh-openbsd-2000070100/md5crypt.c Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/md5crypt.c Sun Apr 16 12:31:51 2000 
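Review bot: testAPI() dereferences `pw->pw_name` straight after `pw = getpwuid(getuid());` and passes `ttyname(0)` into login_alloc_entry() without checking either for NULL, so running the driver from a non-tty (a pipe, cron) or under a uid with no passwd entry crashes before it prints anything useful. A guard such as `if (pw == NULL || ttyname(0) == NULL) { printf("need a passwd entry and a controlling tty\n"); return 0; }` ahead of the `strlcpy(username, ...)` makes the failure explicit. The `system(cmdstring)` calls also interpolate the tty line name into a shell command; for a root-only test tool reading the name from ttyname() that is acceptable, but a comment on the first `snprintf(cmdstring, ...)` saying the line name comes from ttyname() and is not user-supplied would save the next reader the audit.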
@@ -0,0 +1,159 @@ +/* + * ---------------------------------------------------------------------------- + * "THE BEER-WARE LICENSE" (Revision 42): + * wrote this file. As long as you retain this notice you + * can do whatever you want with this stuff. If we meet some day, and you think + * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp + * ---------------------------------------------------------------------------- + */ + +/* + * Ported from FreeBSD to Linux, only minimal changes. --marekm + */ + +/* + * Adapted from shadow-19990607 by Tudor Bosman, tudorb@jm.nu + */ + +#include "config.h" + +#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) + +#include +#include +#include + +static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */ + "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; + +static char *magic = "$1$"; /* + * This string is magic for + * this algorithm. Having + * it this way, we can get + * get better later on + */ + +static void +to64(char *s, unsigned long v, int n) +{ + while (--n >= 0) { + *s++ = itoa64[v&0x3f]; + v >>= 6; + } +} + +int +is_md5_salt(const char *salt) +{ + return (!strncmp(salt, magic, strlen(magic))); +} + +/* + * UNIX password + * + * Use MD5 for what it is best at... 
+ */ + +char * +md5_crypt(const char *pw, const char *salt) +{ + static char passwd[120], *p; + static const char *sp,*ep; + unsigned char final[16]; + int sl,pl,i,j; + MD5_CTX ctx,ctx1; + unsigned long l; + + /* Refine the Salt first */ + sp = salt; + + /* If it starts with the magic string, then skip that */ + if(!strncmp(sp,magic,strlen(magic))) + sp += strlen(magic); + + /* It stops at the first '$', max 8 chars */ + for(ep=sp;*ep && *ep != '$' && ep < (sp+8);ep++) + continue; + + /* get the length of the true salt */ + sl = ep - sp; + + MD5_Init(&ctx); + + /* The password first, since that is what is most unknown */ + MD5_Update(&ctx,pw,strlen(pw)); + + /* Then our magic string */ + MD5_Update(&ctx,magic,strlen(magic)); + + /* Then the raw salt */ + MD5_Update(&ctx,sp,sl); + + /* Then just as many characters of the MD5(pw,salt,pw) */ + MD5_Init(&ctx1); + MD5_Update(&ctx1,pw,strlen(pw)); + MD5_Update(&ctx1,sp,sl); + MD5_Update(&ctx1,pw,strlen(pw)); + MD5_Final(final,&ctx1); + for(pl = strlen(pw); pl > 0; pl -= 16) + MD5_Update(&ctx,final,pl>16 ? 16 : pl); + + /* Don't leave anything around in vm they could use. */ + memset(final,0,sizeof final); + + /* Then something really weird... */ + for (j=0,i = strlen(pw); i ; i >>= 1) + if(i&1) + MD5_Update(&ctx, final+j, 1); + else + MD5_Update(&ctx, pw+j, 1); + + /* Now make the output string */ + strcpy(passwd,magic); + strncat(passwd,sp,sl); + strcat(passwd,"$"); + + MD5_Final(final,&ctx); + + /* + * and now, just to make sure things don't run too fast + * On a 60 Mhz Pentium this takes 34 msec, so you would + * need 30 seconds to build a 1000 entry dictionary... 
+ */ + for(i=0;i<1000;i++) { + MD5_Init(&ctx1); + if(i & 1) + MD5_Update(&ctx1,pw,strlen(pw)); + else + MD5_Update(&ctx1,final,16); + + if(i % 3) + MD5_Update(&ctx1,sp,sl); + + if(i % 7) + MD5_Update(&ctx1,pw,strlen(pw)); + + if(i & 1) + MD5_Update(&ctx1,final,16); + else + MD5_Update(&ctx1,pw,strlen(pw)); + MD5_Final(final,&ctx1); + } + + p = passwd + strlen(passwd); + + l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p,l,4); p += 4; + l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p,l,4); p += 4; + l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p,l,4); p += 4; + l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p,l,4); p += 4; + l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p,l,4); p += 4; + l = final[11] ; to64(p,l,2); p += 2; + *p = '\0'; + + /* Don't leave anything around in vm they could use. */ + memset(final,0,sizeof final); + + return passwd; +} + +#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ diff -ruN --exclude CVS ssh-openbsd-2000070100/md5crypt.h openssh-2.1.1p2/md5crypt.h --- ssh-openbsd-2000070100/md5crypt.h Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/md5crypt.h Tue Dec 28 15:09:36 1999 
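Review bot: The two `memset(final, 0, sizeof final);` calls in md5_crypt() are dead stores as far as the compiler is concerned (final is a local that is never read again), so an optimizer may drop them and the "don't leave anything around" comment is not guaranteed to hold; the `MD5_CTX ctx, ctx1` locals, which carry password-derived state, are never cleared at all. If the build provides a non-elidable clearing primitive it should be applied to `final`, `ctx` and `ctx1` before returning (what config.h offers is not visible from this hunk). Also, `static char passwd[120]` together with `static const char *sp, *ep` makes the function non-reentrant and the returned pointer is overwritten by the next call; a comment `/* returns a pointer to a static buffer; not reentrant */` on the definition, or a caller-supplied output buffer, is warranted.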
@@ -0,0 +1,30 @@
+/*
+ * ----------------------------------------------------------------------------
+ * "THE BEER-WARE LICENSE" (Revision 42):
+ * wrote this file. As long as you retain this notice you
+ * can do whatever you want with this stuff. If we meet some day, and you think
+ * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
+ * ----------------------------------------------------------------------------
+ */
+
+/*
+ * Ported from FreeBSD to Linux, only minimal changes. --marekm
+ */
+
+/*
+ * Adapted from shadow-19990607 by Tudor Bosman, tudorb@jm.nu
+ */
+
+#ifndef _MD5CRYPT_H
+#define _MD5CRYPT_H
+
+#include "config.h"
+
+#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
+
+int is_md5_salt(const char *salt);
+char *md5_crypt(const char *pw, const char *salt);
+
+#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
+
+#endif /* MD5CRYPT_H */
diff -ruN --exclude CVS ssh-openbsd-2000070100/mkinstalldirs openssh-2.1.1p2/mkinstalldirs
--- ssh-openbsd-2000070100/mkinstalldirs Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/mkinstalldirs Sat May 20 15:33:45 2000
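Review bot: The closing comment `#endif /* MD5CRYPT_H */` does not match the guard macro `_MD5CRYPT_H` opened at the top of the header. The leading-underscore-plus-uppercase spelling also falls in the identifier namespace reserved for the implementation; `#ifndef MD5CRYPT_H` / `#define MD5CRYPT_H` fixes both and agrees with the existing closing comment.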
@@ -0,0 +1,40 @@
+#! /bin/sh
+# mkinstalldirs --- make directory hierarchy
+# Author: Noah Friedman
+# Created: 1993-05-16
+# Public domain
+
+# $Id: mkinstalldirs,v 1.1 2000/05/20 05:33:45 damien Exp $
+
+errstatus=0
+
+for file
+do
+ set fnord `echo ":$file" | sed -ne 's/^:\//#/;s/^://;s/\// /g;s/^#/\//;p'`
+ shift
+
+ pathcomp=
+ for d
+ do
+ pathcomp="$pathcomp$d"
+ case "$pathcomp" in
+ -* ) pathcomp=./$pathcomp ;;
+ esac
+
+ if test ! -d "$pathcomp"; then
+ echo "mkdir $pathcomp"
+
+ mkdir "$pathcomp" || lasterr=$?
+
+ if test ! -d "$pathcomp"; then
+ errstatus=$lasterr
+ fi
+ fi
+
+ pathcomp="$pathcomp/"
+ done
+done
+
+exit $errstatus
+
+# mkinstalldirs ends here
diff -ruN --exclude CVS ssh-openbsd-2000070100/next-posix.c openssh-2.1.1p2/next-posix.c
--- ssh-openbsd-2000070100/next-posix.c Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/next-posix.c Sun Jun 18 15:43:26 2000
@@ -0,0 +1,148 @@ +#include "config.h" + +#ifdef HAVE_NEXT +#include +#include +#include +#include +#include + +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#ifdef HAVE_STDDEF_H +#include +#endif + +#include "xmalloc.h" +#include "ssh.h" +#include "next-posix.h" + +int +waitpid(int pid, int *stat_loc, int options) +{ + if (pid <= 0) { + if (pid != -1) { + errno = EINVAL; + return -1; + } + pid = 0; /* wait4() expects pid=0 for indiscriminate wait. */ + } + return wait4(pid, (union wait *)stat_loc, options, NULL); +} + +pid_t setsid(void) +{ + return setpgrp(0, getpid()); +} + +int +tcgetattr(int fd, struct termios *t) +{ + return (ioctl(fd, TIOCGETA, t)); +} + +int +tcsetattr(int fd, int opt, const struct termios *t) +{ + struct termios localterm; + + if (opt & TCSASOFT) { + localterm = *t; + localterm.c_cflag |= CIGNORE; + t = &localterm; + } + switch (opt & ~TCSASOFT) { + case TCSANOW: + return (ioctl(fd, TIOCSETA, t)); + case TCSADRAIN: + return (ioctl(fd, TIOCSETAW, t)); + case TCSAFLUSH: + return (ioctl(fd, TIOCSETAF, t)); + default: + errno = EINVAL; + return (-1); + } +} + +int tcsetpgrp(int fd, pid_t pgrp) +{ + int s; + + s = pgrp; + return (ioctl(fd, TIOCSPGRP, &s)); +} + +speed_t cfgetospeed(const struct termios *t) +{ + return (t->c_ospeed); +} + +speed_t cfgetispeed(const struct termios *t) +{ + return (t->c_ispeed); +} + +int +cfsetospeed(struct termios *t,int speed) +{ + t->c_ospeed = speed; + return (0); +} + +int +cfsetispeed(struct termios *t, speed_t speed) +{ + t->c_ispeed = speed; + return (0); +} + +#if 0 + +/*define sigset_t int*/ + +/* This whole thing is insane. It's purely wrong, but it's a first + go a it. 
-bl */ + +int sigemptyset(sigset_t *set) +{ + return 0; +} + +int sigaddset(sigset_t *set, int signum) +{ + *set |= (1 << (signum - 1)); + return set; +} + +int sigprocmask(int how, const sigset_t *set, sigset_t *oldset) +{ + switch(how) { + case SIG_BLOCK: + return 0; + case SIG_UNBLOCK: + return ( 0 & ~ *set); + default: + return 0; + } +} + +int sigsuspend(const sigset_t *mask) +{ +} + +int sigaction(int signum,const struct sigaction *act, struct sigaction *oldact) +{ +} + +#endif /* 0 */ + +#endif /* HAVE_NEXT */ diff -ruN --exclude CVS ssh-openbsd-2000070100/next-posix.h openssh-2.1.1p2/next-posix.h --- ssh-openbsd-2000070100/next-posix.h Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/next-posix.h Sun Jun 18 15:43:26 2000 
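Review bot: `cfsetospeed(struct termios *t,int speed)` takes an `int` while its sibling `cfsetispeed(struct termios *t, speed_t speed)` and the POSIX prototype use `speed_t`, so the two wrappers disagree with each other and callers passing a speed_t get an implicit conversion. Changing the definition (and the matching prototype in next-posix.h) to `int cfsetospeed(struct termios *t, speed_t speed)` lines them up. The `#if 0` block at the end is also not compilable as written (`sigaddset` returns the pointer `set` from an `int` function, and `sigsuspend` and `sigaction` fall off the end without returning a value), so it is better deleted than kept as disabled code.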
@@ -0,0 +1,62 @@
+/*
+ * Defines and prototypes specific to NeXT system
+ */
+
+#ifndef _NEXT_POSIX_H
+#define _NEXT_POSIX_H
+
+#ifdef HAVE_NEXT
+
+#include
+#include
+
+/* FILE */
+#define O_NONBLOCK 00004 /* non-blocking open */
+
+/* WAITPID */
+#undef WIFEXITED
+#undef WIFSTOPPED
+#undef WIFSIGNALED
+
+#define _W_INT(w) (*(int*)&(w)) /* convert union wait to int */
+#define WIFEXITED(w) (!((_W_INT(w)) & 0377))
+#define WIFSTOPPED(w) ((_W_INT(w)) & 0100)
+#define WIFSIGNALED(w) (!WIFEXITED(x) && !WIFSTOPPED(x))
+#define WEXITSTATUS(w) (int)(WIFEXITED(x) ? ((_W_INT(w) >> 8) & 0377) : -1)
+#define WTERMSIG(w) (int)(WIFSIGNALED(x) ? (_W_INT(w) & 0177) : -1)
+#define WCOREFLAG 0x80
+#define WCOREDUMP(w) ((_W_INT(w)) & WCOREFLAG)
+
+int waitpid(int pid,int *stat_loc,int options);
+#define getpgrp() getpgrp(0)
+pid_t setsid(void);
+
+/* TC */
+int tcgetattr(int fd,struct termios *t);
+int tcsetattr(int fd,int opt,const struct termios *t);
+int tcsetpgrp(int fd, pid_t pgrp);
+speed_t cfgetospeed(const struct termios *t);
+speed_t cfgetispeed(const struct termios *t);
+int cfsetospeed(struct termios *t,int speed);
+
+/* Sig*() */
+typedef sigset_t;
+#define SIG_BLOCK 00
+#define SIG_UNBLOCK 01
+#define SIG_SETMASK 02
+#define SA_RESTART 00
+struct sigaction {
+ void (*sa_handler)();
+ sigset_t sa_mask;
+ int sa_flags;
+};
+
+int sigemptyset(sigset_t *set);
+int sigaddset(sigset_t *set, int signum);
+int sigprocmask(int how, const sigset_t *set, sigset_t *oldset);
+int sigsuspend(const sigset_t *mask);
+int sigaction(int signum,const struct sigaction *act, struct sigaction *oldact);
+
+#endif /* HAVE_NEXT */
+
+#endif /* _NEXT_POSIX_H */
diff -ruN --exclude CVS ssh-openbsd-2000070100/openbsd-compat.h openssh-2.1.1p2/openbsd-compat.h
--- ssh-openbsd-2000070100/openbsd-compat.h Thu Jan 1 10:00:00 1970
+++ openssh-2.1.1p2/openbsd-compat.h Sun Jun 4 00:57:40 2000
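Review bot: The `WIFSIGNALED`, `WEXITSTATUS` and `WTERMSIG` macros refer to `x` instead of their parameter `w`, so every expansion either fails to compile or silently tests whatever variable named x happens to be in scope at the use site. They should read `#define WIFSIGNALED(w) (!WIFEXITED(w) && !WIFSTOPPED(w))`, `#define WEXITSTATUS(w) (int)(WIFEXITED(w) ? ((_W_INT(w) >> 8) & 0377) : -1)` and `#define WTERMSIG(w) (int)(WIFSIGNALED(w) ? (_W_INT(w) & 0177) : -1)`. `typedef sigset_t;` further declares the type with an implicit int, which only pre-C99 compilers accept; `typedef int sigset_t;` says what is meant, and the `cfsetospeed` prototype's `int speed` should become `speed_t speed` to match the other termios wrappers.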
@@ -0,0 +1,22 @@ +#ifndef _OPENBSD_H +#define _OPENBSD_H + +#include "config.h" + +/* BSD function replacements */ +#include "bsd-bindresvport.h" +#include "bsd-rresvport.h" +#include "bsd-misc.h" +#include "bsd-strlcpy.h" +#include "bsd-strlcat.h" +#include "bsd-mktemp.h" +#include "bsd-snprintf.h" +#include "bsd-daemon.h" +#include "bsd-base64.h" + +/* rfc2553 socket API replacements */ +#include "fake-getaddrinfo.h" +#include "fake-getnameinfo.h" +#include "fake-socket.h" + +#endif /* _OPENBSD_H */ diff -ruN --exclude CVS ssh-openbsd-2000070100/packet.c openssh-2.1.1p2/packet.c --- ssh-openbsd-2000070100/packet.c Thu Jun 22 21:08:50 2000 +++ openssh-2.1.1p2/packet.c Thu Jun 22 21:32:31 2000 @@ -1237,10 +1237,12 @@ * Set IP options for an interactive connection. Use * IPTOS_LOWDELAY and TCP_NODELAY. */ +#ifdef IP_TOS int lowdelay = IPTOS_LOWDELAY; if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, (void *) &lowdelay, sizeof(lowdelay)) < 0) error("setsockopt IPTOS_LOWDELAY: %.100s", strerror(errno)); +#endif if (setsockopt(connection_in, IPPROTO_TCP, TCP_NODELAY, (void *) &on, sizeof(on)) < 0) error("setsockopt TCP_NODELAY: %.100s", strerror(errno)); @@ -1249,10 +1251,12 @@ * Set IP options for a non-interactive connection. Use * IPTOS_THROUGHPUT. */ +#ifdef IP_TOS int throughput = IPTOS_THROUGHPUT; if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, (void *) &throughput, sizeof(throughput)) < 0) error("setsockopt IPTOS_THROUGHPUT: %.100s", strerror(errno)); +#endif } } diff -ruN --exclude CVS ssh-openbsd-2000070100/pty.c openssh-2.1.1p2/pty.c --- ssh-openbsd-2000070100/pty.c Thu Jun 22 21:08:52 2000 +++ openssh-2.1.1p2/pty.c Thu Jun 22 21:32:31 2000 @@ -16,7 +16,10 @@ #include "includes.h" RCSID("$OpenBSD: pty.c,v 1.14 2000/06/20 01:39:43 markus Exp $"); -#include +#ifdef HAVE_UTIL_H +# include +#endif /* HAVE_UTIL_H */ + #include "pty.h" #include "ssh.h" 
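Review bot: The new `#ifdef IP_TOS` guards in the two packet.c hunks (`@@ -1237` and `@@ -1249`) test for the socket option, but the code inside still uses `IPTOS_LOWDELAY` and `IPTOS_THROUGHPUT`, which are defined by a different header, so a platform that has IP_TOS but not the IPTOS_* values still fails to compile. `#if defined(IP_TOS) && defined(IPTOS_LOWDELAY)` and `#if defined(IP_TOS) && defined(IPTOS_THROUGHPUT)` cover both conditions. The enclosing function starts and ends outside these hunks.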
@@ -25,6 +28,13 @@ #undef HAVE_DEV_PTMX #endif +#ifdef HAVE_PTY_H +# include +#endif +#if defined(HAVE_DEV_PTMX) && defined(HAVE_SYS_STROPTS_H) +# include +#endif + #ifndef O_NOCTTY #define O_NOCTTY 0 #endif @@ -74,7 +84,7 @@ } return 1; #else /* HAVE__GETPTY */ -#ifdef HAVE_DEV_PTMX +#if defined(HAVE_DEV_PTMX) /* * This code is used e.g. on Solaris 2.x. (Note that Solaris 2.3 * also has bsd-style ptys, but they simply do not work.) @@ -113,8 +123,10 @@ error("ioctl I_PUSH ptem: %.100s", strerror(errno)); if (ioctl(*ttyfd, I_PUSH, "ldterm") < 0) error("ioctl I_PUSH ldterm: %.100s", strerror(errno)); +#ifndef _HPUX_SOURCE if (ioctl(*ttyfd, I_PUSH, "ttcompat") < 0) error("ioctl I_PUSH ttcompat: %.100s", strerror(errno)); +#endif return 1; #else /* HAVE_DEV_PTMX */ #ifdef HAVE_DEV_PTS_AND_PTC @@ -189,6 +201,9 @@ pty_make_controlling_tty(int *ttyfd, const char *ttyname) { int fd; +#ifdef HAVE_VHANGUP + void *old; +#endif /* HAVE_VHANGUP */ /* First disconnect from the old controlling tty. */ #ifdef TIOCNOTTY @@ -220,12 +235,22 @@ */ ioctl(*ttyfd, TIOCSCTTY, NULL); #endif /* TIOCSCTTY */ +#ifdef HAVE_VHANGUP + old = signal(SIGHUP, SIG_IGN); + vhangup(); + signal(SIGHUP, old); +#endif /* HAVE_VHANGUP */ fd = open(ttyname, O_RDWR); - if (fd < 0) + if (fd < 0) { error("%.100s: %.100s", ttyname, strerror(errno)); - else + } else { +#ifdef HAVE_VHANGUP + close(*ttyfd); + *ttyfd = fd; +#else /* HAVE_VHANGUP */ close(fd); - +#endif /* HAVE_VHANGUP */ + } /* Verify that we now have a controlling tty. */ fd = open("/dev/tty", O_WRONLY); if (fd < 0) diff -ruN --exclude CVS ssh-openbsd-2000070100/rsa.c openssh-2.1.1p2/rsa.c --- ssh-openbsd-2000070100/rsa.c Thu Jun 22 21:08:54 2000 +++ openssh-2.1.1p2/rsa.c Thu Jun 22 21:32:32 2000 @@ -40,6 +40,7 @@ #include "rsa.h" #include "ssh.h" #include "xmalloc.h" +#include "entropy.h" int rsa_verbose = 1; @@ -48,6 +49,7 @@ { RSA *key; + seed_rng(); key = RSA_generate_key(32, 3, NULL, NULL); if (key == NULL) return (0); 
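Review bot: In the `@@ -189` and `@@ -220` hunks of pty.c, `old` is declared `void *old;` but stores and later passes back the result of `signal(SIGHUP, SIG_IGN)`, which is a function pointer; converting between object and function pointers is not valid C and draws a diagnostic on strict compilers. Declaring it `void (*old)(int);` (the type signal() returns) fixes that without changing behaviour. The vhangup() branch also replaces `*ttyfd` with the newly opened descriptor; that looks intentional, but a comment on the `close(*ttyfd); *ttyfd = fd;` pair saying the old descriptor is unusable after vhangup() would help, since callers presumably keep using the updated value. pty_make_controlling_tty's body continues outside the hunk.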
@@ -56,6 +58,21 @@ } /* + * Key generation progress meter callback + */ +void +keygen_progress(int p, int n, void *arg) +{ + const char progress_chars[] = ".o+O?"; + + if ((p < 0) || (p > (sizeof(progress_chars) - 2))) + p = sizeof(progress_chars) - 2; + + putchar(progress_chars[p]); + fflush(stdout); +} + +/* * Generates RSA public and private keys. This initializes the data * structures; they should be freed with rsa_clear_private_key and * rsa_clear_public_key. @@ -66,11 +83,16 @@ { RSA *key; + seed_rng(); + if (rsa_verbose) { printf("Generating RSA keys: "); fflush(stdout); + key = RSA_generate_key(bits, 35, keygen_progress, NULL); + printf("\n"); + } else { + key = RSA_generate_key(bits, 35, NULL, NULL); } - key = RSA_generate_key(bits, 35, NULL, NULL); if (key == NULL) fatal("rsa_generate_key: key generation failed."); diff -ruN --exclude CVS ssh-openbsd-2000070100/scp/Makefile openssh-2.1.1p2/scp/Makefile --- ssh-openbsd-2000070100/scp/Makefile Sun Jan 16 18:16:56 2000 +++ openssh-2.1.1p2/scp/Makefile Thu Jan 1 10:00:00 1970 @@ -1,18 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= scp -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=555 -.endif - -BINDIR= /usr/bin -MAN= scp.1 - -SRCS= scp.c - -.include diff -ruN --exclude CVS ssh-openbsd-2000070100/scp.c openssh-2.1.1p2/scp.c --- ssh-openbsd-2000070100/scp.c Thu Jun 22 21:08:56 2000 +++ openssh-2.1.1p2/scp.c Thu Jun 22 21:32:32 2000 @@ -84,7 +84,7 @@ int verbose_mode = 0; /* This is set to non-zero if compression is desired. */ -int compress = 0; +int compress_flag = 0; /* This is set to zero if the progressmeter is not desired. */ int showprogress = 1; @@ -157,7 +157,7 @@ args[i++] = "-6"; if (verbose_mode) args[i++] = "-v"; - if (compress) + if (compress_flag) args[i++] = "-C"; if (batchmode) args[i++] = "-oBatchMode yes"; 
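Review bot: The bounds test in `keygen_progress` compares the `int` parameter `p` with a `size_t` (`sizeof(progress_chars) - 2`), which is only correct because `p < 0` is tested first; making the bound an explicit signed constant removes that dependency, e.g. `const int last = (int)sizeof(progress_chars) - 2; if (p < 0 || p > last) p = last;`. `n` and `arg` are unused, and the function appears to be referenced only from `rsa_generate_key` in the next hunk, so unless it is declared in rsa.h it should be `static`. A one-line comment saying that the last character (`?`) is the catch-all for callback codes the table does not know would also help the reader.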
@@ -295,7 +295,7 @@ batchmode = 1; break; case 'C': - compress = 1; + compress_flag = 1; break; case 'q': showprogress = 0; @@ -953,22 +953,24 @@ { static FILE *fp; va_list ap; - va_start(ap, fmt); ++errs; if (fp == NULL && !(fp = fdopen(remout, "w"))) return; (void) fprintf(fp, "%c", 0x01); (void) fprintf(fp, "scp: "); + va_start(ap, fmt); (void) vfprintf(fp, fmt, ap); + va_end(ap); (void) fprintf(fp, "\n"); (void) fflush(fp); if (!iamremote) { + va_start(ap, fmt); vfprintf(stderr, fmt, ap); + va_end(ap); fprintf(stderr, "\n"); } - va_end(ap); } /* Stuff below is from BSD rcp util.c. */ @@ -1059,7 +1061,7 @@ c = *cp; if (c & 0200) goto bad; - if (!isalpha(c) && !isdigit(c) && c != '_' && c != '-' && c != '.') + if (!isalpha(c) && !isdigit(c) && c != '_' && c != '-') goto bad; } while (*++cp); return (1); @@ -1184,8 +1186,8 @@ i++; abbrevsize >>= 10; } - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5qd %c%c ", - (quad_t) abbrevsize, prefixes[i], prefixes[i] == ' ' ? ' ' : + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5d %c%c ", + (int) abbrevsize, prefixes[i], prefixes[i] == ' ' ? ' ' : 'B'); timersub(&now, &lastupdate, &wait); @@ -1229,7 +1231,13 @@ atomicio(write, fileno(stdout), buf, strlen(buf)); if (flag == -1) { - signal(SIGALRM, updateprogressmeter); + struct sigaction sa; + sa.sa_handler = updateprogressmeter; + sigemptyset(&sa.sa_mask); +#ifdef SA_RESTART + sa.sa_flags = SA_RESTART; +#endif + sigaction(SIGALRM, &sa, NULL); alarmtimer(1); } else if (flag == 1) { alarmtimer(0); diff -ruN --exclude CVS ssh-openbsd-2000070100/serverloop.c openssh-2.1.1p2/serverloop.c --- ssh-openbsd-2000070100/serverloop.c Sun Jun 18 14:21:29 2000 +++ openssh-2.1.1p2/serverloop.c Sun Jun 18 14:50:44 2000 
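Review bot: `struct sigaction sa` in the `flag == -1` branch of the `@@ -1229` hunk is never zero-initialised, so when `SA_RESTART` is not defined `sa.sa_flags` (and any platform-specific members) reaches `sigaction()` with indeterminate contents. Add `memset(&sa, 0, sizeof(sa));` right after the declaration, before `sa.sa_handler = updateprogressmeter;`. The return value of `sigaction()` is ignored; the `signal()` call it replaces was unchecked too, so that is a consistency point rather than a regression. The enclosing function continues outside the hunk.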
@@ -47,10 +47,15 @@ /* * This SIGCHLD kludge is used to detect when the child exits. The server * will exit after that, as soon as forwarded connections have terminated. + * + * After SIGCHLD child_has_selected is set to 1 after the first pass + * through the wait_until_can_do_something() select(). This ensures + * that the child's output gets a chance to drain before it is yanked. */ static pid_t child_pid; /* Pid of the child. */ static volatile int child_terminated; /* The child has terminated. */ +static volatile int child_has_selected; /* Child has had chance to drain. */ static volatile int child_wait_status; /* Status from wait(). */ void server_init_dispatch(void); @@ -70,6 +75,7 @@ if (WIFEXITED(child_wait_status) || WIFSIGNALED(child_wait_status)) child_terminated = 1; + child_has_selected = 0; } signal(SIGCHLD, sigchld_handler); errno = save_errno; @@ -80,7 +86,6 @@ int save_errno = errno; debug("Received SIGCHLD."); child_terminated = 1; - signal(SIGCHLD, sigchld_handler2); errno = save_errno; } @@ -232,6 +237,9 @@ else goto retry_select; } + + if (child_terminated) + child_has_selected = 1; } /* @@ -383,6 +391,7 @@ /* Initialize the SIGCHLD kludge. */ child_pid = pid; child_terminated = 0; + child_has_selected = 0; signal(SIGCHLD, sigchld_handler); /* Initialize our global variables. */ @@ -487,8 +496,11 @@ * descriptors, and we have no more data to send to the * client, and there is no pending buffered data. */ - if (fdout_eof && fderr_eof && !packet_have_data_to_write() && - buffer_len(&stdout_buffer) == 0 && buffer_len(&stderr_buffer) == 0) { + if (((fdout_eof && fderr_eof) || + (child_terminated && child_has_selected)) && + !packet_have_data_to_write() && + (buffer_len(&stdout_buffer) == 0) && + (buffer_len(&stderr_buffer) == 0)) { if (!channel_still_open()) break; if (!waiting_termination) { 
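Review bot: The new exit condition `(child_terminated && child_has_selected)` in the `@@ -487` hunk lets the server loop finish before `fdout_eof`/`fderr_eof` are seen, and `child_has_selected` becomes 1 after a single pass through the select loop in the `@@ -232` hunk. If the child exits with more output queued in its pipes than one pass reads, that tail is presumably dropped (the read path is outside the hunk); the header comment in the `@@ -47` hunk should say so, e.g. `/* One select() pass is a best-effort drain, not a guarantee that all child output was read. */`. `child_has_selected` is written from `sigchld_handler` (reset to 0 in the `@@ -70` hunk) and from the main loop, both as plain stores to a `volatile int`; a comment on the declaration should state that this is deliberately non-atomic and why that is acceptable here.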
@@ -637,6 +649,7 @@ while ((pid = waitpid(-1, &status, WNOHANG)) > 0) session_close_by_pid(pid, status); child_terminated = 0; + signal(SIGCHLD, sigchld_handler2); } channel_after_select(&readset, &writeset); process_input(&readset); diff -ruN --exclude CVS ssh-openbsd-2000070100/session.c openssh-2.1.1p2/session.c --- ssh-openbsd-2000070100/session.c Sat Jul 1 19:41:33 2000 +++ openssh-2.1.1p2/session.c Sat Jul 1 13:24:21 2000 @@ -28,6 +28,15 @@ #include "auth.h" #include "auth-options.h" +#ifdef WITH_IRIX_PROJECT +#include +#endif /* WITH_IRIX_PROJECT */ + +#ifdef HAVE_OSF_SIA +# include +# include +#endif + /* types */ #define TTYSZ 64 @@ -69,7 +78,12 @@ /* import */ extern ServerOptions options; +#ifdef HAVE___PROGNAME extern char *__progname; +#else /* HAVE___PROGNAME */ +static const char *__progname = "sshd"; +#endif /* HAVE___PROGNAME */ + extern int log_stderr; extern int debug_flag; @@ -79,6 +93,10 @@ /* data */ #define MAX_SESSIONS 10 Session sessions[MAX_SESSIONS]; +#ifdef WITH_AIXAUTHENTICATE +/* AIX's lastlogin message, set in auth1.c */ +char *aixloginmsg; +#endif /* WITH_AIXAUTHENTICATE */ /* * Remove local Xauthority file. @@ -384,6 +402,10 @@ session_proctitle(s); +#ifdef USE_PAM + do_pam_setcred(); +#endif /* USE_PAM */ + /* Fork the child. */ if ((pid = fork()) == 0) { /* Child. Reinitialize the log since the pid has changed. */ @@ -509,6 +531,11 @@ buf, sizeof(buf)); } +#ifdef USE_PAM + do_pam_session(pw->pw_name, s->tty); + do_pam_setcred(); +#endif /* USE_PAM */ + /* Fork the child. */ if ((pid = fork()) == 0) { pid = getpid(); @@ -561,6 +588,11 @@ snprintf(line, sizeof line, "%.200s/.hushlogin", pw->pw_dir); quiet_login = stat(line, &st) >= 0; +#ifdef USE_PAM + if (!quiet_login) + print_pam_messages(); +#endif /* USE_PAM */ + /* * If the user has logged in before, display the time of last * login. However, don't display anything extra if a command 
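Review bot: `signal(SIGCHLD, sigchld_handler2)` is now re-armed only after the `waitpid()` loop here, and the `@@ -80` hunk on the previous line removed the re-arm from inside `sigchld_handler2` itself. On platforms where `signal()` resets the disposition when the handler runs, SIGCHLD is therefore at its default between the first signal and this line, and a second child exiting in that window would not set `child_terminated`, so it is reaped only when a later SIGCHLD arrives (inferred; the exact semantics depend on the platform's `signal()`). If that is accepted in exchange for not calling `signal()` from signal context, say so here: `/* Re-arm outside the handler; a SIGCHLD lost in between is picked up on the next one. */`. The enclosing loop starts and ends outside the hunk.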
@@ -599,6 +631,15 @@ fclose(f); } } +#if defined(WITH_AIXAUTHENTICATE) + /* + * AIX handles the lastlog info differently. Display it here. + */ + if (command == NULL && aixloginmsg && *aixloginmsg && + !quiet_login && !options.use_login) { + printf("%s\n", aixloginmsg); + } +#endif /* Do common processing for the child, such as execing the command. */ do_child(command, pw, s->term, s->display, s->auth_proto, s->auth_data, s->tty); @@ -716,6 +757,38 @@ fclose(f); } +#ifdef USE_PAM +/* + * Sets any environment variables which have been specified by PAM + */ +void do_pam_environment(char ***env, int *envsize) +{ + char *equals, var_name[512], var_val[512]; + char **pam_env; + int i; + + if ((pam_env = fetch_pam_environment()) == NULL) + return; + + for(i = 0; pam_env[i] != NULL; i++) { + if ((equals = strstr(pam_env[i], "=")) == NULL) + continue; + + if (strlen(pam_env[i]) < (sizeof(var_name) - 1)) { + memset(var_name, '\0', sizeof(var_name)); + memset(var_val, '\0', sizeof(var_val)); + + strncpy(var_name, pam_env[i], equals - pam_env[i]); + strcpy(var_val, equals + 1); + + debug("PAM environment: %s=%s", var_name, var_val); + + child_set_env(env, envsize, var_name, var_val); + } + } +} +#endif /* USE_PAM */ + /* * Performs common processing for the child, such as setting up the * environment, closing extra file descriptors, setting the user and group @@ -735,11 +808,15 @@ extern char **environ; struct stat st; char *argv[10]; +#ifdef WITH_IRIX_PROJECT + prid_t projid; +#endif /* WITH_IRIX_PROJECT */ /* login(1) is only called if we execute the login shell */ if (options.use_login && command != NULL) options.use_login = 0; +#ifndef USE_PAM /* pam_nologin handles this */ f = fopen("/etc/nologin", "r"); if (f) { /* /etc/nologin exists. Print its contents and exit. */ 
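Review bot: `do_pam_environment` in the `@@ -716` hunk silently skips any PAM entry of 511 bytes or more and any entry without `=`; that is a reasonable policy but should be visible, so log the skip in an `else` branch, e.g. `debug("PAM environment: skipping oversized or malformed entry");`. `strstr(pam_env[i], "=")` searches for a one-character needle and reads better as `strchr(pam_env[i], '=')`, and the two `memset` calls are unnecessary once `var_name` is terminated explicitly with `var_name[equals - pam_env[i]] = '\0';` after the `strncpy`. The bounds reasoning — both halves fit because the whole entry is shorter than the 512-byte buffers — deserves a one-line comment, since the `strcpy` into `var_val` looks unchecked at first glance. `fetch_pam_environment` and `child_set_env` are outside this diff.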
@@ -749,14 +826,34 @@ if (pw->pw_uid != 0) exit(254); } +#endif /* USE_PAM */ + +#ifndef HAVE_OSF_SIA /* Set login name in the kernel. */ if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); +#endif /* Set uid, gid, and groups. */ /* Login(1) does this as well, and it needs uid 0 for the "-h" switch, so we let login(1) to this for us. */ if (!options.use_login) { +#ifdef HAVE_OSF_SIA + extern char **saved_argv; + extern int saved_argc; + char *host = get_canonical_hostname (); + + if (sia_become_user(NULL, saved_argc, saved_argv, host, + pw->pw_name, ttyname, 0, NULL, NULL, SIA_BEU_SETLUID) != + SIASUCCESS) { + perror("sia_become_user"); + exit(1); + } + if (setreuid(geteuid(), geteuid()) < 0) { + perror("setreuid"); + exit(1); + } +#else /* HAVE_OSF_SIA */ if (getuid() == 0 || geteuid() == 0) { if (setgid(pw->pw_gid) < 0) { perror("setgid"); @@ -769,11 +866,31 @@ } endgrent(); +#ifdef WITH_IRIX_ARRAY + /* initialize array session */ + if (newarraysess() != 0) + fatal("Failed to set up new array session: %.100s", + strerror(errno)); +#endif /* WITH_IRIX_ARRAY */ + +#ifdef WITH_IRIX_PROJECT + /* initialize irix project info */ + if ((projid = getdfltprojuser(pw->pw_name)) == -1) { + debug("Failed to get project id, using projid 0"); + projid = 0; + } + + if (setprid(projid)) + fatal("Failed to initialize project %d for %s: %.100s", + (int)projid, pw->pw_name, strerror(errno)); +#endif /* WITH_IRIX_PROJECT */ + /* Permanently switch to the desired uid. */ permanently_set_uid(pw->pw_uid); } if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %d.", (int) pw->pw_uid); +#endif /* HAVE_OSF_SIA */ } /* * Get the shell from the password data. An empty shell field is 
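Review bot: With `USE_PAM` the `/etc/nologin` check in the `@@ -735` hunk is compiled out on the assumption that `pam_nologin` enforces it, but nothing in sshd verifies that the sshd PAM service stack actually contains that module; on a host whose PAM configuration omits it, `/etc/nologin` is silently no longer honoured. The comment on the `#ifndef USE_PAM` line should state the dependency, e.g. `/* /etc/nologin is delegated to pam_nologin; the sshd PAM service must include it. */`, and the installation notes should say the same. do_child's body starts in that hunk and continues through the following ones.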
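Review bot: The post-condition check `if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal(...)` now sits inside the `#else /* HAVE_OSF_SIA */` branch of the `@@ -769` hunk, so the SIA path added in the `@@ -749` hunk returns from `sia_become_user()` and `setreuid()` without ever verifying that the process really runs as the target user before the command is executed. Move `#endif /* HAVE_OSF_SIA */` up to just before that `if` so the check covers both paths. In the same spirit the SIA block uses `perror(...); exit(1);` where the rest of the function uses `fatal()`, which also goes through sshd's logging; prefer `fatal("sia_become_user failed")` and `fatal("setreuid: %.100s", strerror(errno))`. The IRIX branch logs a failed `getdfltprojuser` at debug level and continues with project 0, which presumably changes the session's accounting; if that fallback is intended it deserves a louder log level.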
@@ -841,6 +958,18 @@ if (display) child_set_env(&env, &envsize, "DISPLAY", display); +#ifdef _AIX + { + char *authstate,*krb5cc; + + if ((authstate = getenv("AUTHSTATE")) != NULL) + child_set_env(&env,&envsize,"AUTHSTATE",authstate); + + if ((krb5cc = getenv("KRB5CCNAME")) != NULL) + child_set_env(&env,&envsize,"KRB5CCNAME",krb5cc); + } +#endif + #ifdef KRB4 { extern char *ticket; @@ -850,6 +979,13 @@ } #endif /* KRB4 */ +#ifdef USE_PAM + /* Pull in any environment variables that may have been set by PAM. */ + do_pam_environment(&env, &envsize); +#endif /* USE_PAM */ + + read_environment_file(&env,&envsize,"/etc/environment"); + if (xauthfile) child_set_env(&env, &envsize, "XAUTHORITY", xauthfile); if (auth_get_socket_name() != NULL) @@ -921,9 +1057,9 @@ if (!options.use_login) { if (stat(SSH_USER_RC, &st) >= 0) { if (debug_flag) - fprintf(stderr, "Running /bin/sh %s\n", SSH_USER_RC); + fprintf(stderr, "Running "_PATH_BSHELL" %s\n", SSH_USER_RC); - f = popen("/bin/sh " SSH_USER_RC, "w"); + f = popen(_PATH_BSHELL " " SSH_USER_RC, "w"); if (f) { if (auth_proto != NULL && auth_data != NULL) fprintf(f, "%s %s\n", auth_proto, auth_data); @@ -932,9 +1068,9 @@ fprintf(stderr, "Could not run %s\n", SSH_USER_RC); } else if (stat(SSH_SYSTEM_RC, &st) >= 0) { if (debug_flag) - fprintf(stderr, "Running /bin/sh %s\n", SSH_SYSTEM_RC); + fprintf(stderr, "Running "_PATH_BSHELL" %s\n", SSH_SYSTEM_RC); - f = popen("/bin/sh " SSH_SYSTEM_RC, "w"); + f = popen(_PATH_BSHELL " " SSH_SYSTEM_RC, "w"); if (f) { if (auth_proto != NULL && auth_data != NULL) fprintf(f, "%s %s\n", auth_proto, auth_data); @@ -1024,7 +1160,7 @@ } else { /* Launch login(1). */ - execl("/usr/bin/login", "login", "-h", get_remote_ipaddr(), + execl(LOGIN_PROGRAM, "login", "-h", get_remote_ipaddr(), "-p", "-f", "--", pw->pw_name, NULL); /* Login couldn't be executed, die. */ 
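Review bot: `read_environment_file(&env,&envsize,"/etc/environment")` in the `@@ -850` hunk is now called unconditionally, after the PAM and Kerberos variables are set, so on every platform the contents of `/etc/environment` are applied at this point (how a missing file is treated and whether later entries override earlier ones is decided in `read_environment_file`/`child_set_env`, both outside this diff). A comment stating the intended precedence — system file over PAM-provided values or the reverse — would make the ordering deliberate rather than incidental, and if the file is only meant for AIX it should be guarded like the `_AIX` block in the `@@ -841` hunk. Style: the call lacks the spaces after commas used by the surrounding `child_set_env` calls.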
@@ -1437,7 +1573,11 @@ channel_request_start(s->chanid, "exit-signal", 0); packet_put_int(WTERMSIG(status)); +#ifdef WCOREDUMP packet_put_char(WCOREDUMP(status)); +#else /* WCOREDUMP */ + packet_put_char(0); +#endif /* WCOREDUMP */ packet_put_cstring(""); packet_put_cstring(""); packet_send(); @@ -1518,6 +1658,8 @@ session_close(s); } else { /* notify child, delay session cleanup */ + if (s->pid <= 1) + fatal("session_close_by_channel: Unsafe s->pid = %d", s->pid); if (kill(s->pid, (s->ttyfd == -1) ? SIGTERM : SIGHUP) < 0) error("session_close_by_channel: kill %d: %s", s->pid, strerror(errno)); diff -ruN --exclude CVS ssh-openbsd-2000070100/ssh/Makefile openssh-2.1.1p2/ssh/Makefile --- ssh-openbsd-2000070100/ssh/Makefile Thu May 18 23:17:26 2000 +++ openssh-2.1.1p2/ssh/Makefile Thu Jan 1 10:00:00 1970 
@@ -1,37 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= ssh -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=4555 -.endif - -BINDIR= /usr/bin -MAN= ssh.1 -LINKS= ${BINDIR}/ssh ${BINDIR}/slogin -MLINKS= ssh.1 slogin.1 - -SRCS= ssh.c log-client.c readconf.c clientloop.c \ - sshconnect.c sshconnect1.c sshconnect2.c - -.include # for AFS - -.if (${KERBEROS} == "yes") -CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV -LDADD+= -lkrb -DPADD+= ${LIBKRB} -.if (${AFS} == "yes") -CFLAGS+= -DAFS -LDADD+= -lkafs -DPADD+= ${LIBKRBAFS} -.endif # AFS -.endif # KERBEROS - -.include - -LDADD+= -lutil -lz -lcrypto -DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} Binary files ssh-openbsd-2000070100/ssh/clientloop.o and openssh-2.1.1p2/ssh/clientloop.o differ Binary files ssh-openbsd-2000070100/ssh/log-client.o and openssh-2.1.1p2/ssh/log-client.o differ Binary files ssh-openbsd-2000070100/ssh/readconf.o and openssh-2.1.1p2/ssh/readconf.o differ Binary files ssh-openbsd-2000070100/ssh/ssh.o and openssh-2.1.1p2/ssh/ssh.o differ Binary files ssh-openbsd-2000070100/ssh/sshconnect.o and openssh-2.1.1p2/ssh/sshconnect.o differ diff -ruN --exclude CVS ssh-openbsd-2000070100/ssh-add/Makefile openssh-2.1.1p2/ssh-add/Makefile --- ssh-openbsd-2000070100/ssh-add/Makefile Sun Jan 16 18:16:57 2000 +++ openssh-2.1.1p2/ssh-add/Makefile Thu Jan 1 10:00:00 1970 
@@ -1,21 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= ssh-add -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=555 -.endif - -BINDIR= /usr/bin -MAN= ssh-add.1 - -SRCS= ssh-add.c log-client.c - -.include - -LDADD+= -lcrypto -lutil -lz -DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} diff -ruN --exclude CVS ssh-openbsd-2000070100/ssh-add.1 openssh-2.1.1p2/ssh-add.1 --- ssh-openbsd-2000070100/ssh-add.1 Thu May 18 23:17:00 2000 +++ openssh-2.1.1p2/ssh-add.1 Sun May 7 12:03:18 2000 @@ -100,8 +100,7 @@ This version of OpenSSH .Bl -bullet .It -has all components of a restrictive nature (i.e., patents, see -.Xr ssl 8 ) +has all components of a restrictive nature (i.e., patents) directly removed from the source code; any licensed or patented components are chosen from external libraries. @@ -115,13 +114,8 @@ supports one-time password authentication with .Xr skey 1 . .El -.Pp -The libraries described in -.Xr ssl 8 -are required for proper operation. .Sh SEE ALSO .Xr ssh 1 , .Xr ssh-agent 1 , .Xr ssh-keygen 1 , .Xr sshd 8 , -.Xr ssl 8 diff -ruN --exclude CVS ssh-openbsd-2000070100/ssh-add.c openssh-2.1.1p2/ssh-add.c --- ssh-openbsd-2000070100/ssh-add.c Thu Jun 22 21:08:58 2000 +++ openssh-2.1.1p2/ssh-add.c Thu Jun 22 21:32:32 2000 @@ -20,6 +20,12 @@ #include "key.h" #include "authfile.h" +#ifdef HAVE___PROGNAME +extern char *__progname; +#else /* HAVE___PROGNAME */ +static const char *__progname = "ssh-add"; +#endif /* HAVE___PROGNAME */ + void delete_file(AuthenticationConnection *ac, const char *filename) { 
@@ -206,8 +212,6 @@ /* check if RSA support exists */ if (rsa_alive() == 0) { - extern char *__progname; - fprintf(stderr, "%s: no RSA support in libssl and libcrypto. See ssl(8).\n", __progname); diff -ruN --exclude CVS ssh-openbsd-2000070100/ssh-agent/Makefile openssh-2.1.1p2/ssh-agent/Makefile --- ssh-openbsd-2000070100/ssh-agent/Makefile Sun Jan 16 18:16:57 2000 +++ openssh-2.1.1p2/ssh-agent/Makefile Thu Jan 1 10:00:00 1970 @@ -1,21 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= ssh-agent -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=555 -.endif - -BINDIR= /usr/bin -MAN= ssh-agent.1 - -SRCS= ssh-agent.c log-client.c - -.include - -LDADD+= -lcrypto -lutil -lz -DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} diff -ruN --exclude CVS ssh-openbsd-2000070100/ssh-agent.1 openssh-2.1.1p2/ssh-agent.1 --- ssh-openbsd-2000070100/ssh-agent.1 Thu May 18 23:17:08 2000 +++ openssh-2.1.1p2/ssh-agent.1 Sun May 7 12:03:18 2000 @@ -144,8 +144,7 @@ This version of OpenSSH .Bl -bullet .It -has all components of a restrictive nature (i.e., patents, see -.Xr ssl 8 ) +has all components of a restrictive nature (i.e., patents) directly removed from the source code; any licensed or patented components are chosen from external libraries. @@ -160,12 +159,8 @@ .Xr skey 1 . .El .Pp -The libraries described in -.Xr ssl 8 -are required for proper operation. .Sh SEE ALSO .Xr ssh 1 , .Xr ssh-add 1 , .Xr ssh-keygen 1 , .Xr sshd 8 , -.Xr ssl 8 diff -ruN --exclude CVS ssh-openbsd-2000070100/ssh-agent.c openssh-2.1.1p2/ssh-agent.c --- ssh-openbsd-2000070100/ssh-agent.c Thu May 18 23:17:08 2000 +++ openssh-2.1.1p2/ssh-agent.c Wed May 17 22:53:35 2000 
@@ -52,7 +52,11 @@ char socket_name[1024]; char socket_dir[1024]; +#ifdef HAVE___PROGNAME extern char *__progname; +#else /* HAVE___PROGNAME */ +static const char *__progname = "ssh-agent"; +#endif /* HAVE___PROGNAME */ void process_request_identity(SocketEntry *e) @@ -503,6 +507,7 @@ struct sockaddr_un sunaddr; pid_t pid; char *shell, *format, *pidstr, pidstrbuf[1 + 3 * sizeof pid]; + extern int optind; /* check if RSA support exists */ if (rsa_alive() == 0) { @@ -511,7 +516,11 @@ __progname); exit(1); } +#ifdef __GNU_LIBRARY__ + while ((ch = getopt(ac, av, "+cks")) != -1) { +#else /* __GNU_LIBRARY__ */ while ((ch = getopt(ac, av, "cks")) != -1) { +#endif /* __GNU_LIBRARY__ */ switch (ch) { case 'c': if (s_flag) diff -ruN --exclude CVS ssh-openbsd-2000070100/ssh-keygen/Makefile openssh-2.1.1p2/ssh-keygen/Makefile --- ssh-openbsd-2000070100/ssh-keygen/Makefile Sun Jan 16 18:16:57 2000 +++ openssh-2.1.1p2/ssh-keygen/Makefile Thu Jan 1 10:00:00 1970 @@ -1,21 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= ssh-keygen -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=555 -.endif - -BINDIR= /usr/bin -MAN= ssh-keygen.1 - -SRCS= ssh-keygen.c log-client.c - -.include - -LDADD+= -lcrypto -lutil -lz -DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} diff -ruN --exclude CVS ssh-openbsd-2000070100/ssh-keygen.1 openssh-2.1.1p2/ssh-keygen.1 --- ssh-openbsd-2000070100/ssh-keygen.1 Thu May 18 23:17:08 2000 +++ openssh-2.1.1p2/ssh-keygen.1 Tue May 9 11:03:02 2000 @@ -199,8 +199,7 @@ This version of OpenSSH .Bl -bullet .It -has all components of a restrictive nature (i.e., patents, see -.Xr ssl 8 ) +has all components of a restrictive nature (i.e., patents) directly removed from the source code; any licensed or patented components are chosen from external libraries. 
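Review bot: `extern int optind;` in the `@@ -503` hunk is a block-scope declaration inside `main`; `optind` is declared by `<unistd.h>` (and `<getopt.h>` on glibc), so include the header rather than redeclaring it locally without the library's type checking. The `"+cks"` versus `"cks"` split keyed on `__GNU_LIBRARY__` in the `@@ -511` hunk deserves a comment, since the reason is not evident from the code: `/* "+" stops GNU getopt from permuting argv so the command following the options is left intact. */` (presumably the intent, given that ssh-agent runs a command after its options). main's body continues outside the hunk.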
@@ -214,13 +213,8 @@ supports one-time password authentication with .Xr skey 1 . .El -.Pp -The libraries described in -.Xr ssl 8 -are required for proper operation. .Sh SEE ALSO .Xr ssh 1 , .Xr ssh-add 1 , .Xr ssh-agent 1 , .Xr sshd 8 , -.Xr ssl 8 diff -ruN --exclude CVS ssh-openbsd-2000070100/ssh-keygen.c openssh-2.1.1p2/ssh-keygen.c --- ssh-openbsd-2000070100/ssh-keygen.c Thu Jun 22 21:09:00 2000 +++ openssh-2.1.1p2/ssh-keygen.c Thu Jun 22 21:32:32 2000 @@ -63,7 +63,11 @@ int dsa_mode = 0; /* argv0 */ +#ifdef HAVE___PROGNAME extern char *__progname; +#else /* HAVE___PROGNAME */ +static const char *__progname = "ssh-keygen"; +#endif /* HAVE___PROGNAME */ char hostname[MAXHOSTNAMELEN]; diff -ruN --exclude CVS ssh-openbsd-2000070100/ssh.1 openssh-2.1.1p2/ssh.1 --- ssh-openbsd-2000070100/ssh.1 Sun Jun 18 14:20:28 2000 +++ openssh-2.1.1p2/ssh.1 Wed Jun 7 19:55:44 2000 @@ -1200,8 +1200,7 @@ This version of OpenSSH .Bl -bullet .It -has all components of a restrictive nature (i.e., patents, see -.Xr ssl 8 ) +has all components of a restrictive nature (i.e., patents) directly removed from the source code; any licensed or patented components are chosen from external libraries. @@ -1217,10 +1216,6 @@ .Xr skey 1 . .El .Pp -The libraries described in -.Xr ssl 8 -are required for proper operation. -.Pp OpenSSH has been created by Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song. .Pp @@ -1234,4 +1229,3 @@ .Xr ssh-keygen 1 , .Xr telnet 1 , .Xr sshd 8 , -.Xr ssl 8 diff -ruN --exclude CVS ssh-openbsd-2000070100/ssh.c openssh-2.1.1p2/ssh.c --- ssh-openbsd-2000070100/ssh.c Thu Jun 22 21:09:02 2000 +++ openssh-2.1.1p2/ssh.c Thu Jun 22 21:32:32 2000 
@@ -31,11 +31,19 @@ #include "key.h" #include "authfile.h" +#ifdef HAVE___PROGNAME extern char *__progname; +#else /* HAVE___PROGNAME */ +static const char *__progname = "ssh"; +#endif /* HAVE___PROGNAME */ /* Flag indicating whether IPv4 or IPv6. This can be set on the command line. Default value is AF_UNSPEC means both IPv4 and IPv6. */ +#ifdef IPV4_DEFAULT +int IPv4or6 = AF_INET; +#else int IPv4or6 = AF_UNSPEC; +#endif /* Flag indicating whether debug mode is on. This can be set on the command line. */ int debug_flag = 0; @@ -427,10 +435,10 @@ if (!host) usage(); - SSLeay_add_all_algorithms(); - /* Initialize the command to execute on remote host. */ buffer_init(&command); + + SSLeay_add_all_algorithms(); /* * Save the command to execute on the remote host in a buffer. There diff -ruN --exclude CVS ssh-openbsd-2000070100/ssh.h openssh-2.1.1p2/ssh.h --- ssh-openbsd-2000070100/ssh.h Thu Jun 22 21:09:05 2000 +++ openssh-2.1.1p2/ssh.h Thu Jun 22 21:32:32 2000 @@ -18,6 +18,14 @@ #ifndef SSH_H #define SSH_H +#include /* For struct sockaddr_in */ +#include /* For struct pw */ +#include /* For va_list */ +#include /* For struct sockaddr_storage */ +#include "fake-socket.h" /* For struct sockaddr_storage */ +#ifdef HAVE_SYS_SELECT_H +# include +#endif #include "rsa.h" #include "cipher.h" @@ -64,8 +72,17 @@ */ #define SSH_SERVICE_NAME "ssh" +#if defined(USE_PAM) && !defined(SSHD_PAM_SERVICE) +# define SSHD_PAM_SERVICE "sshd" +#endif + +#ifndef ETCDIR #define ETCDIR "/etc" +#endif /* ETCDIR */ + +#ifndef PIDDIR #define PIDDIR "/var/run" +#endif /* PIDDIR */ /* * System-wide file containing host keys of known hosts. This file should be 
@@ -83,7 +100,17 @@ #define HOST_CONFIG_FILE ETCDIR "/ssh_config" #define HOST_DSA_KEY_FILE ETCDIR "/ssh_host_dsa_key" -#define SSH_PROGRAM "/usr/bin/ssh" +#ifndef SSH_PROGRAM +#define SSH_PROGRAM "/usr/bin/ssh" +#endif /* SSH_PROGRAM */ + +#ifndef LOGIN_PROGRAM +#define LOGIN_PROGRAM "/usr/bin/login" +#endif /* LOGIN_PROGRAM */ + +#ifndef ASKPASS_PROGRAM +#define ASKPASS_PROGRAM "/usr/lib/ssh/ssh-askpass" +#endif /* ASKPASS_PROGRAM */ /* * The process id of the daemon listening for connections is saved here to @@ -98,6 +125,16 @@ #define SSH_USER_DIR ".ssh" /* + * Relevant only when using builtin PRNG. + */ +#ifndef SSH_PRNG_SEED_FILE +# define SSH_PRNG_SEED_FILE SSH_USER_DIR"/prng_seed" +#endif /* SSH_PRNG_SEED_FILE */ +#ifndef SSH_PRNG_COMMAND_FILE +# define SSH_PRNG_COMMAND_FILE ETCDIR "/ssh_prng_cmds" +#endif /* SSH_PRNG_COMMAND_FILE */ + +/* * Per-user file containing host keys of known hosts. This file need not be * readable by anyone except the user him/herself, though this does not * contain anything particularly secret. @@ -162,7 +199,9 @@ * Default path to ssh-askpass used by ssh-add, * environment variable for overwriting the default location */ -#define SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass" +#ifndef SSH_ASKPASS_DEFAULT +# define SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass" +#endif #define SSH_ASKPASS_ENV "SSH_ASKPASS" /* @@ -510,5 +549,9 @@ /* AF_UNSPEC or AF_INET or AF_INET6 */ extern int IPv4or6; + +#ifdef USE_PAM +#include "auth-pam.h" +#endif /* USE_PAM */ #endif /* SSH_H */ diff -ruN --exclude CVS ssh-openbsd-2000070100/ssh_config openssh-2.1.1p2/ssh_config --- ssh-openbsd-2000070100/ssh_config Thu May 18 23:17:17 2000 +++ openssh-2.1.1p2/ssh_config Thu Apr 20 23:32:48 2000 
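Review bot: `SSH_PRNG_SEED_FILE` in the `@@ -98` hunk names a persistent per-user RNG seed under `SSH_USER_DIR`, but the define carries no statement of its security requirements and the code that reads and writes it is outside this diff; document them here, e.g. `/* Persisted PRNG state: must be created 0600 and mixed into the pool, never used as the sole entropy source. */`. `SSH_PRNG_COMMAND_FILE` points to a system-wide list of commands executed for entropy, which is only sound if that file and the programs it names are root-owned and not writable by others — worth a sentence in the same comment. The `SSH_USER_DIR"/prng_seed"` concatenation also lacks the space that `ETCDIR "/ssh_prng_cmds"` uses on the next line.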
@@ -27,5 +27,11 @@ # IdentityFile ~/.ssh/identity # Port 22 # Protocol 2,1 -# Cipher blowfish +# Cipher 3des # EscapeChar ~ + +# Be paranoid by default +Host * + ForwardAgent no + ForwardX11 no + FallBackToRsh no diff -ruN --exclude CVS ssh-openbsd-2000070100/ssh_prng_cmds.in openssh-2.1.1p2/ssh_prng_cmds.in --- ssh-openbsd-2000070100/ssh_prng_cmds.in Thu Jan 1 10:00:00 1970 +++ openssh-2.1.1p2/ssh_prng_cmds.in Wed Jun 7 22:20:23 2000 @@ -0,0 +1,50 @@ +# entropy gathering commands + +# Format is: "program-name args" path rate + +# The "rate" represents the number of bits of usuable entropy per +# byte of command output. Be conservative. + +"ls -alni /var/log" @PROG_LS@ 0.02 +"ls -alni /var/adm" @PROG_LS@ 0.02 +"ls -alni /var/mail" @PROG_LS@ 0.02 +"ls -alni /var/spool/mail" @PROG_LS@ 0.02 +"ls -alni /proc" @PROG_LS@ 0.02 +"ls -alni /tmp" @PROG_LS@ 0.02 + +"netstat -an" @PROG_NETSTAT@ 0.05 +"netstat -in" @PROG_NETSTAT@ 0.05 +"netstat -rn" @PROG_NETSTAT@ 0.02 +"netstat -s" @PROG_NETSTAT@ 0.02 + +"arp -a -n" @PROG_ARP@ 0.02 + +"ifconfig -a" @PROG_IFCONFIG@ 0.02 + +"ps laxww" @PROG_PS@ 0.03 +"ps -al" @PROG_PS@ 0.03 +"ps -efl" @PROG_PS@ 0.03 + +"w" @PROG_W@ 0.05 + +"who -i" @PROG_WHO@ 0.01 + +"last" @PROG_LAST@ 0.01 + +"lastlog" @PROG_LASTLOG@ 0.01 + +"df" @PROG_DF@ 0.01 +"df -i" @PROG_DF@ 0.01 + +"vmstat" @PROG_VMSTAT@ 0.01 +"uptime" @PROG_UPTIME@ 0.01 + +"ipcs -a" @PROG_IPCS@ 0.01 + +"tail -200 /var/log/messages" @PROG_TAIL@ 0.01 +"tail -200 /var/log/syslog" @PROG_TAIL@ 0.01 +"tail -200 /var/adm/messages" @PROG_TAIL@ 0.01 +"tail -200 /var/adm/syslog" @PROG_TAIL@ 0.01 +"tail -200 /var/adm/syslog/syslog.log" @PROG_TAIL@ 0.01 +"tail -200 /var/log/maillog" @PROG_TAIL@ 0.01 +"tail -200 /var/adm/maillog" @PROG_TAIL@ 0.01 diff -ruN --exclude CVS ssh-openbsd-2000070100/sshconnect.c openssh-2.1.1p2/sshconnect.c --- ssh-openbsd-2000070100/sshconnect.c Sun Jun 18 14:20:31 2000 +++ openssh-2.1.1p2/sshconnect.c Sat Jul 1 13:24:21 2000 
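Review bot: The rate column in ssh_prng_cmds.in is described as usable entropy per byte of output, but several listed sources (`ls -alni /tmp`, `uptime`, `df`, `w`) produce output that any local user can observe, so their entropy against a local observer is lower than the figures suggest (inferred from the nature of the commands; the consumer of these rates is outside this diff). The header comment should state which threat model the rates assume, e.g. `# Rates assume the output is not visible to an attacker; they are an upper bound, not a guarantee.`. It would also help to note that the `@PROG_*@` paths are fixed at configure time, presumably so that no PATH lookup happens at run time.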
@@ -30,7 +30,11 @@ char *server_version_string = NULL; extern Options options; +#ifdef HAVE___PROGNAME extern char *__progname; +#else /* HAVE___PROGNAME */ +static const char *__progname = "ssh"; +#endif /* HAVE___PROGNAME */ /* * Connect to the given ssh server using a proxy command. @@ -104,15 +108,15 @@ /* Stderr is left as it is so that error messages get printed on the user's terminal. */ - argv[0] = "/bin/sh"; + argv[0] = _PATH_BSHELL; argv[1] = "-c"; argv[2] = command_string; argv[3] = NULL; /* Execute the proxy command. Note that we gave up any extra privileges above. */ - execv("/bin/sh", argv); - perror("/bin/sh"); + execv(_PATH_BSHELL, argv); + perror(_PATH_BSHELL); exit(1); } /* Parent. */ @@ -251,7 +255,7 @@ temporarily_use_uid(original_real_uid); if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) { /* Successful connection. */ - memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); + memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); restore_uid(); break; } else { @@ -457,6 +461,7 @@ HostStatus host_status; HostStatus ip_status; int local = 0, host_ip_differ = 0; + int salen; char ntop[NI_MAXHOST]; /* @@ -471,12 +476,15 @@ switch (hostaddr->sa_family) { case AF_INET: local = (ntohl(((struct sockaddr_in *)hostaddr)->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET; + salen = sizeof(struct sockaddr_in); break; case AF_INET6: local = IN6_IS_ADDR_LOOPBACK(&(((struct sockaddr_in6 *)hostaddr)->sin6_addr)); + salen = sizeof(struct sockaddr_in6); break; default: local = 0; + salen = sizeof(struct sockaddr_storage); break; } if (local) { 
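Review bot: `salen` in the `@@ -457` hunk is declared `int` but is handed to `getnameinfo()` in the following hunk, whose length parameter is `socklen_t`; declare it `socklen_t salen` to avoid sign and width mismatches where the types differ. The `default:` branch of the `switch` in the `@@ -471` hunk assumes the object behind `hostaddr` is a full `struct sockaddr_storage`, which holds only if every caller passes one (the callers are outside this diff); either document that contract on `check_host_key` or refuse with `fatal("check_host_key: unsupported address family %d", hostaddr->sa_family)` instead of guessing a size.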
@@ -492,7 +500,7 @@ options.check_host_ip = 0; if (options.check_host_ip) { - if (getnameinfo(hostaddr, hostaddr->sa_len, ntop, sizeof(ntop), + if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0) fatal("check_host_key: getnameinfo failed"); ip = xstrdup(ntop); diff -ruN --exclude CVS ssh-openbsd-2000070100/sshd/Makefile openssh-2.1.1p2/sshd/Makefile --- ssh-openbsd-2000070100/sshd/Makefile Sun Jun 18 14:20:38 2000 +++ openssh-2.1.1p2/sshd/Makefile Thu Jan 1 10:00:00 1970 @@ -1,46 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= sshd -BINOWN= root -BINMODE=555 -BINDIR= /usr/sbin -MAN= sshd.8 - -SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \ - pty.c log-server.c login.c servconf.c serverloop.c \ - auth.c auth1.c auth2.c auth-options.c session.c - -.include # for KERBEROS and AFS - -.if (${KERBEROS} == "yes") -.if (${AFS} == "yes") -CFLAGS+= -DAFS -LDADD+= -lkafs -DPADD+= ${LIBKRBAFS} -.endif # AFS -CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV -SRCS+= auth-krb4.c -LDADD+= -lkrb -DPADD+= ${LIBKRB} -.endif # KERBEROS - -.if (${SKEY} == "yes") -SRCS+= auth-skey.c -.endif - -.include - -LDADD+= -lcrypto -lutil -lz -DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} - -.if (${TCP_WRAPPERS} == "yes") -CFLAGS+= -DLIBWRAP -LDADD+= -lwrap -DPADD+= ${LIBWRAP} -.endif - -.if (${SKEY} == "yes") -CFLAGS+= -DSKEY -LDADD+= -lskey -DPADD+= ${SKEY} -.endif diff -ruN --exclude CVS ssh-openbsd-2000070100/sshd.8 openssh-2.1.1p2/sshd.8 --- ssh-openbsd-2000070100/sshd.8 Sat Jul 1 19:41:38 2000 +++ openssh-2.1.1p2/sshd.8 Sun Jun 18 14:50:45 2000 @@ -965,8 +965,7 @@ This version of OpenSSH .Bl -bullet .It -has all components of a restrictive nature (i.e., patents, see -.Xr ssl 8 ) +has all components of a restrictive nature (i.e., patents) directly removed from the source code; any licensed or patented components are chosen from external libraries. 
@@ -982,10 +981,6 @@ .Xr skey 1 . .El .Pp -The libraries described in -.Xr ssl 8 -are required for proper operation. -.Pp OpenSSH has been created by Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song. .Pp @@ -996,6 +991,5 @@ .Xr ssh-add 1 , .Xr ssh-agent 1 , .Xr ssh-keygen 1 , -.Xr ssl 8 , .Xr rlogin 1 , .Xr rsh 1 diff -ruN --exclude CVS ssh-openbsd-2000070100/sshd.c openssh-2.1.1p2/sshd.c --- ssh-openbsd-2000070100/sshd.c Sat Jul 1 19:41:38 2000 +++ openssh-2.1.1p2/sshd.c Wed Jun 28 15:22:42 2000 @@ -63,7 +63,11 @@ * Flag indicating whether IPv4 or IPv6. This can be set on the command line. * Default value is AF_UNSPEC means both IPv4 and IPv6. */ +#ifdef IPV4_DEFAULT +int IPv4or6 = AF_INET; +#else int IPv4or6 = AF_UNSPEC; +#endif /* * Debug mode flag. This can be set on the command line. If debug @@ -84,6 +88,7 @@ /* Saved arguments to main(). */ char **saved_argv; +int saved_argc; /* * The sockets that the server is listening; this is used in the SIGHUP @@ -418,6 +423,7 @@ int listen_sock, maxfd; /* Save argv[0]. */ + saved_argc = ac; saved_argv = av; if (strchr(av[0], '/')) av0 = strrchr(av[0], '/') + 1; @@ -686,7 +692,8 @@ debug("Bind to port %s on %s.", strport, ntop); /* Bind the socket to the desired port. */ - if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { + if ((bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) && + (!ai->ai_next)) { error("Bind to port %s on %s failed: %.200s.", strport, ntop, strerror(errno)); close(listen_sock); @@ -944,6 +951,11 @@ /* The connection has been terminated. */ verbose("Closing connection to %.100s", remote_ip); + +#ifdef USE_PAM + finish_pam(); +#endif /* USE_PAM */ + packet_close(); exit(0); } diff -ruN --exclude CVS ssh-openbsd-2000070100/sshd_config openssh-2.1.1p2/sshd_config --- ssh-openbsd-2000070100/sshd_config Sun Jun 18 14:20:38 2000 +++ openssh-2.1.1p2/sshd_config Sun Jun 18 14:50:45 2000 
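Review bot: The new condition `(bind(...) < 0) && (!ai->ai_next)` in the `@@ -686` hunk means a failed `bind()` on any address that is not the last in the list is neither reported nor followed by `close(listen_sock)`, so execution falls through to whatever comes after the error block — presumably `listen()` on an unbound socket, which on some systems silently takes an ephemeral port (the rest of the loop body is outside the hunk). Keep the cleanup on every failure and make only the message conditional; if the intent is to tolerate the address-in-use case when both a wildcard IPv4 and an IPv6 address are listed, a comment should say so and the test should be on `errno == EADDRINUSE` rather than on list position. The loop enclosing this code starts and ends outside the hunk.
```c
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
	if (!ai->ai_next)	/* only the last candidate's failure is worth reporting */
		error("Bind to port %s on %s failed: %.200s.",
		    strport, ntop, strerror(errno));
	close(listen_sock);
	/* … unchanged: rest of the failure handling … */
```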
@@ -2,7 +2,7 @@ Port 22 #Protocol 2,1 -#ListenAddress 0.0.0.0 +ListenAddress 0.0.0.0 #ListenAddress :: HostKey /etc/ssh_host_key ServerKeyBits 768 @@ -47,7 +47,7 @@ # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes -#CheckMail yes -#UseLogin no +CheckMail no +UseLogin no #Subsystem sftp /usr/local/sbin/sftpd diff -ruN --exclude CVS ssh-openbsd-2000070100/uidswap.c openssh-2.1.1p2/uidswap.c --- ssh-openbsd-2000070100/uidswap.c Thu Jun 22 21:09:05 2000 +++ openssh-2.1.1p2/uidswap.c Wed Jun 28 08:22:29 2000 @@ -11,6 +11,9 @@ #include "ssh.h" #include "uidswap.h" +#ifdef WITH_IRIX_AUDIT +#include +#endif /* WITH_IRIX_AUDIT */ /* * Note: all these functions must work in all of the following cases: @@ -25,11 +28,12 @@ /* Lets assume that posix saved ids also work with seteuid, even though that is not part of the posix specification. */ #define SAVED_IDS_WORK_WITH_SETEUID -#endif /* _POSIX_SAVED_IDS */ /* Saved effective uid. */ static uid_t saved_euid = 0; +#endif /* _POSIX_SAVED_IDS */ + /* * Temporarily changes to the given uid. If the effective user * id is not root, this does nothing. This call cannot be nested. @@ -82,6 +86,14 @@ void permanently_set_uid(uid_t uid) { +#ifdef WITH_IRIX_AUDIT + if (sysconf(_SC_AUDIT)) { + debug("Setting sat id to %d", (int) uid); + if (satsetid(uid)) + fatal("error setting satid: %.100s", strerror(errno)); + } +#endif /* WITH_IRIX_AUDIT */ + if (setuid(uid) < 0) debug("setuid %d: %.100s", (int) uid, strerror(errno)); } diff -ruN --exclude CVS ssh-openbsd-2000070100/uuencode.c openssh-2.1.1p2/uuencode.c --- ssh-openbsd-2000070100/uuencode.c Fri Jun 23 09:55:00 2000 +++ openssh-2.1.1p2/uuencode.c Fri Jun 23 10:16:39 2000 @@ -4,8 +4,6 @@ #include "includes.h" #include "xmalloc.h" -#include - RCSID("$OpenBSD: uuencode.c,v 1.6 2000/06/22 23:55:00 djm Exp $"); int
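Review bot: Uncommenting `ListenAddress 0.0.0.0` in sshd_config while `#ListenAddress ::` stays commented turns the shipped default from "all addresses" into IPv4-only, since sshd presumably listens on both families' wildcards only when no `ListenAddress` is given (the option parser is outside this diff). If that is deliberate, say so in the file, e.g. `# IPv4 only by default; add "ListenAddress ::" to also accept IPv6 connections.`, so administrators are not left to discover it from the missing IPv6 listener.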
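Review bot: In `permanently_set_uid` (uidswap.c, `@@ -82` hunk) a failing `satsetid()` is now `fatal()`, while the unchanged `setuid(uid)` failure on the next line is still only `debug()`-logged, so the function can return with the original uid and rely on the caller's post-check — which, after the session.c change in this diff, is not compiled on the OSF/1 SIA path. Treat a failed `setuid()` the same way: `fatal("setuid %d: %.100s", (int) uid, strerror(errno));`. A short comment above the audit block saying that a zero `sysconf(_SC_AUDIT)` presumably means auditing is disabled on the host, and that the satid is set before the uid drop because it needs the privilege, would also help the reader.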