diff -ruN ssh-openbsd-2000012700/COPYING.Ylonen openssh-1.2.2p1/COPYING.Ylonen --- ssh-openbsd-2000012700/COPYING.Ylonen Tue Oct 5 12:35:56 1999 +++ openssh-1.2.2p1/COPYING.Ylonen Sat Oct 30 09:46:20 1999 @@ -24,7 +24,7 @@ [ The make-ssh-known-hosts script is no longer included. ] [ TSS has been removed. ] [ MD5 is now external. ] -[ RC4 support has been removed. ] +[ RC4 support has been removed (RC4 is used internally for arc4random). ] [ Blowfish is now external. ] The 32-bit CRC implementation in crc32.c is due to Gary S. Brown. diff -ruN ssh-openbsd-2000012700/CREDITS openssh-1.2.2p1/CREDITS --- ssh-openbsd-2000012700/CREDITS Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/CREDITS Fri Mar 3 22:35:33 2000 @@ -0,0 +1,42 @@ +Tatu Ylonen - Creator of SSH + +Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, +Theo de Raadt, and Dug Song - Creators of OpenSSH + +Andrew Stribblehill - Bugfixes +Andre Lucas - build, login and many other fixes +Andy Sloane - bugfixes +Arkadiusz Miskiewicz - IPv6 compat fixes +Ben Taylor - Solaris debugging and fixes +Chip Salzenberg - Assorted patches +Chris Saia - SuSE packaging +Chris, the Young One - Password auth fixes +Christos Zoulas - Autoconf fixes +Chun-Chung Chen - RPM fixes +Dan Brosemer - Autoconf support, build fixes +Darren Hall - AIX patches +David Agraz - Build fixes +David Rankin - libwrap, AIX, NetBSD fixes +Gary E. Miller - SCO support +HARUYAMA Seigo - Translations & doc fixes +Holger Trapp - KRB4/AFS config patch +Jani Hakala - Patches +Jarno Huuskonen - Bugfixes +Jim Knoble - Many patches +jonchen (email unknown) - the original author of PAM support of SSH +Juergen Keil - scp bugfixing +Kees Cook - scp fixes +Kiyokazu SUTO - Bugfixes +Marc G. Fournier - Solaris patches +Matt Richards - AIX patches +Nalin Dahyabhai - PAM environment patch +Niels Kristian Bech Jensen - Assorted patches +Peter Kocks - Makefile fixes +Phil Hands - Debian scripts, assorted patches +Thomas Neumann - Shadow passwords +Tor-Ake Fransson - AIX support +Tudor Bosman - MD5 password support + +Apologies to anyone I have missed. + +Damien Miller diff -ruN ssh-openbsd-2000012700/ChangeLog openssh-1.2.2p1/ChangeLog --- ssh-openbsd-2000012700/ChangeLog Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/ChangeLog Sun Mar 5 17:02:45 2000 @@ -0,0 +1,949 @@ +20000305 + - Fix DEC compile fix + - Explicitly seed OpenSSL's PRNG before checking rsa_alive() + - Check for getpagesize in libucb.a if not found in libc. Fix for old + Solaris from Andre Lucas + - Check for libwrap if --with-tcp-wrappers option specified. Suggestion + Mate Wierdl + +20000303 + - Added "make host-key" target, Suggestion from Dominik Brettnacher + + - Don't permanently fail on bind() if getaddrinfo has more choices left for + us. Needed to work around messy IPv6 on Linux. Patch from Arkadiusz + Miskiewicz + - DEC Unix compile fix from David Del Piero + - Manpage fix from David Del Piero + +20000302 + - Big cleanup of autoconf code + - Rearranged to be a little more logical + - Added -R option for Solaris + - Rewrote OpenSSL detection code. Now uses AC_TRY_RUN with a test program + to detect library and header location _and_ ensure library has proper + RSA support built in (this is a problem with OpenSSL 0.9.5). + - Applied pty cleanup patch from markus.friedl@informatik.uni-erlangen.de + - Avoid warning message with Unix98 ptys + - Warning was valid - possible race condition on PTYs. Avoided using + platform-specific code. + - Document some common problems + - Allow root access to any key. Patch from + markus.friedl@informatik.uni-erlangen.de + +20000207 + - Removed SOCKS code. Will support through a ProxyCommand. + +20000203 + - Fixed SEGVs in authloop, fix from vbzoli@hbrt.hu + - Add --with-ssl-dir option + +20000202 + - Fix lastlog code for directory based lastlogs. Fix from Josh Durham + + - Documentation fixes from HARUYAMA Seigo + - Added URLs to Japanese translations of documents by HARUYAMA Seigo + + +20000201 + - Use socket pairs by default (instead of pipes). Prevents race condition + on several (buggy) OSs. Report and fix from tridge@linuxcare.com + +20000127 + - Seed OpenSSL's random number generator before generating RSA keypairs + - Split random collector into seperate file + - Compile fix from Andre Lucas + +20000126 + - Released 1.2.2 stable + + - NeXT keeps it lastlog in /usr/adm. Report from + mouring@newton.pconline.com + - Added note in UPGRADING re interop with commercial SSH using idea. + Report from Jim Knoble + - Fix linking order for Kerberos/AFS. Fix from Holget Trapp + + +20000125 + - Fix NULL pointer dereference in login.c. Fix from Andre Lucas + + - Reorder PAM initialisation so it does not mess up lastlog. Reported + by Andre Lucas + - Use preformatted manpages on SCO, report from Gary E. Miller + + - New URL for x11-ssh-askpass. + - Fixpaths was missing /etc/ssh_known_hosts. Report from Jim Knoble + + - Added 'DESTDIR' option to Makefile to ease package building. Patch from + Jim Knoble + - Updated RPM spec files to use DESTDIR + +20000124 + - Pick up version 1.2.2 from OpenBSD CVS (no changes, just version number + increment) + +20000123 + - OpenBSD CVS: + - [packet.c] + getsockname() requires initialized tolen; andy@guildsoftware.com + - AIX patch from Matt Richards and David Rankin + + - Fix lastlog support, patch from Andre Lucas + +20000122 + - Fix compilation of bsd-snprintf.c on Solaris, fix from Ben Taylor + + - Merge preformatted manpage patch from Andre Lucas + + - Make IPv4 use the default in RPM packages + - Irix uses preformatted manpages + - Missing htons() in bsd-bindresvport.c, fix from Holger Trapp + + - OpenBSD CVS updates: + - [packet.c] + use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; + from Holger.Trapp@Informatik.TU-Chemnitz.DE + - [sshd.c] + log with level log() not fatal() if peer behaves badly. + - [readpass.c] + instead of blocking SIGINT, catch it ourselves, so that we can clean + the tty modes up and kill ourselves -- instead of our process group + leader (scp, cvs, ...) going away and leaving us in noecho mode. + people with cbreak shells never even noticed.. + - [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8] + ie. -> i.e., + +20000120 + - Don't use getaddrinfo on AIX + - Update to latest OpenBSD CVS: + - [auth-rsa.c] + - fix user/1056, sshd keeps restrictions; dbt@meat.net + - [sshconnect.c] + - disable agent fwding for proto 1.3, remove abuse of auth-rsa flags. + - destroy keys earlier + - split key exchange (kex) and user authentication (user-auth), + ok: provos@ + - [sshd.c] + - no need for poll.h; from bright@wintelcom.net + - disable agent fwding for proto 1.3, remove abuse of auth-rsa flags. + - split key exchange (kex) and user authentication (user-auth), + ok: provos@ + - Big manpage and config file cleanup from Andre Lucas + + - Re-added latest (unmodified) OpenBSD manpages + - Doc updates + - NetBSD patch from David Rankin and + Christos Zoulas + +20000119 + - SCO compile fixes from Gary E. Miller + - Compile fix from Darren_Hall@progressive.com + - Linux/glibc-2.1.2 takes a *long* time to look up names for AF_UNSPEC + addresses using getaddrinfo(). Added a configure switch to make the + default lookup mode AF_INET + +20000118 + - Fixed --with-pid-dir option + - Makefile fix from Gary E. Miller + - Compile fix for HPUX and Solaris from Andre Lucas + + +20000117 + - Clean up bsd-bindresvport.c. Use arc4random() for picking initial + port, ignore EINVAL errors (Linux) when searching for free port. + - Revert __snprintf -> snprintf aliasing. Apparently Solaris + __snprintf isn't. Report from Theo de Raadt + - Document location of Redhat PAM file in INSTALL. + - Fixed X11 forwarding bug on Linux. libc advertises AF_INET6 + INADDR_ANY_INIT addresses via getaddrinfo, but may not be able to + deliver (no IPv6 kernel support) + - Released 1.2.1pre27 + + - Fix rresvport_af failure errors (logic error in bsd-bindresvport.c) + - Fix --with-ipaddr-display option test. Fix from Jarno Huuskonen + + - Fix hang on logout if processes are still using the pty. Needs + further testing. + - Patch from Christos Zoulas + - Try $prefix first when looking for OpenSSL. + - Include sys/types.h when including sys/socket.h in test programs + - Substitute PID directory in sshd.8. Suggestion from Andrew + Stribblehill + +20000116 + - Renamed --with-xauth-path to --with-xauth + - Added --with-pid-dir option + - Released 1.2.1pre26 + + - Compilation fix from Kiyokazu SUTO + - Fixed broken bugfix for /dev/ptmx on Linux systems which lack + openpty(). Report from Kiyokazu SUTO + +20000115 + - Add --with-xauth-path configure directive and explicit test for + /usr/openwin/bin/xauth for Solaris systems. Report from Anders + Nordby + - Fix incorrect detection of /dev/ptmx on Linux systems that lack + openpty. Report from John Seifarth + - Look for intXX_t and u_intXX_t in sys/bitypes.h if they are not in + sys/types.h. Fixes problems on SCO, report from Gary E. Miller + + - Use __snprintf and __vnsprintf if they are found where snprintf and + vnsprintf are lacking. Suggested by Ben Taylor + and others. + +20000114 + - Merged OpenBSD IPv6 patch: + - [sshd.c sshd.8 sshconnect.c ssh.h ssh.c servconf.h servconf.c scp.1] + [scp.c packet.h packet.c login.c log.c canohost.c channels.c] + [hostfile.c sshd_config] + ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new + features: sshd allows multiple ListenAddress and Port options. note + that libwrap is not IPv6-ready. (based on patches from + fujiwara@rcac.tdi.co.jp) + - [ssh.c canohost.c] + more hints (hints.ai_socktype=SOCK_STREAM) for getaddrinfo, + from itojun@ + - [channels.c] + listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE) + - [packet.h] + allow auth-kerberos for IPv4 only + - [scp.1 sshd.8 servconf.h scp.c] + document -4, -6, and 'ssh -L 2022/::1/22' + - [ssh.c] + 'ssh @host' is illegal (null user name), from + karsten@gedankenpolizei.de + - [sshconnect.c] + better error message + - [sshd.c] + allow auth-kerberos for IPv4 only + - Big IPv6 merge: + - Cleanup overrun in sockaddr copying on RHL 6.1 + - Replacements for getaddrinfo, getnameinfo, etc based on versions + from patch from KIKUCHI Takahiro + - Replacement for missing structures on systems that lack IPv6 + - record_login needed to know about AF_INET6 addresses + - Borrowed more code from OpenBSD: rresvport_af and requisites + +20000110 + - Fixes to auth-skey to enable it to use the standard OpenSSL libraries + +20000107 + - New config.sub and config.guess to fix problems on SCO. Supplied + by Gary E. Miller + - SCO build fix from Gary E. Miller + - Released 1.2.1pre25 + +20000106 + - Documentation update & cleanup + - Better KrbIV / AFS detection, based on patch from: + Holger Trapp + +20000105 + - Fixed annoying DES corruption problem. libcrypt has been + overriding symbols in libcrypto. Removed libcrypt and crypt.h + altogether (libcrypto includes its own crypt(1) replacement) + - Added platform-specific rules for Irix 6.x. Included warning that + they are untested. + +20000103 + - Add explicit make rules for files proccessed by fixpaths. + - Fix "make install" in RPM spec files. Report from Tenkou N. Hattori + + - Removed "nullok" directive from default PAM configuration files. + Added information on enabling EmptyPasswords on openssh+PAM in + UPGRADING file. + - OpenBSD CVS updates + - [ssh-agent.c] + cleanup_exit() for SIGTERM/SIGHUP, too. from fgsch@ and + dgaudet@arctic.org + - [sshconnect.c] + compare correct version for 1.3 compat mode + +20000102 + - Prevent multiple inclusion of config.h and defines.h. Suggested + by Andre Lucas + - Properly clean up on exit of ssh-agent. Patch from Dean Gaudet + + +19991231 + - Fix password support on systems with a mixture of shadowed and + non-shadowed passwords (e.g. NIS). Report and fix from + HARUYAMA Seigo + - Fix broken autoconf typedef detection. Report from Marc G. + Fournier + - Fix occasional crash on LinuxPPC. Patch from Franz Sirl + + - Prevent typedefs from being compiled more than once. Report from + Marc G. Fournier + - Fill in ut_utaddr utmp field. Report from Benjamin Charron + + - Really fix broken default path. Fix from Jim Knoble + + - Remove test for quad_t. No longer needed. + - Released 1.2.1pre24 + + - Added support for directory-based lastlogs + - Really fix typedefs, patch from Ben Taylor + +19991230 + - OpenBSD CVS updates: + - [auth-passwd.c] + check for NULL 1st + - Removed most of the pam code into its own file auth-pam.[ch]. This + cleaned up sshd.c up significantly. + - PAM authentication was incorrectly interpreting + "PermitRootLogin without-password". Report from Matthias Andree + + - Updated documentation with ./configure options + - Released 1.2.1pre23 + +19991229 + - Applied another NetBSD portability patch from David Rankin + + - Fix --with-default-path option. + - Autodetect perl, patch from David Rankin + + - Print whether OpenSSH was compiled with RSARef, patch from + Nalin Dahyabhai + - Calls to pam_setcred, patch from Nalin Dahyabhai + + - Detect missing size_t and typedef it. + - Rename helper.[ch] to (more appropriate) bsd-misc.[ch] + - Minor Makefile cleaning + +19991228 + - Replacement for getpagesize() for systems which lack it + - NetBSD login.c compile fix from David Rankin + + - Fully set ut_tv if present in utmp or utmpx + - Portability fixes for Irix 5.3 (now compiles OK!) + - autoconf and other misc cleanups + - Merged AIX patch from Darren Hall + - Cleaned up defines.h + - Released 1.2.1pre22 + +19991227 + - Automatically correct paths in manpages and configuration files. Patch + and script from Andre Lucas + - Removed credits from README to CREDITS file, updated. + - Added --with-default-path to specify custom path for server + - Removed #ifdef trickery from acconfig.h into defines.h + - PAM bugfix. PermitEmptyPassword was being ignored. + - Fixed PAM config files to allow empty passwords if server does. + - Explained spurious PAM auth warning workaround in UPGRADING + - Use last few chars of tty line as ut_id + - New SuSE RPM spec file from Chris Saia + - OpenBSD CVS updates: + - [packet.h auth-rhosts.c] + check format string for packet_disconnect and packet_send_debug, too + - [channels.c] + use packet_get_maxsize for channels. consistence. + +19991226 + - Enabled utmpx support by default for Solaris + - Cleanup sshd.c PAM a little more + - Revised RPM package to include Jim Knoble's + X11 ssh-askpass program. + - Disable logging of PAM success and failures, PAM is verbose enough. + Unfortunatly there is currently no way to disable auth failure + messages. Mention this in UPGRADING file and sent message to PAM + developers + - OpenBSD CVS update: + - [ssh-keygen.1 ssh.1] + remove ref to .ssh/random_seed, mention .ssh/environment in + .Sh FILES, too + - Released 1.2.1pre21 + - Fixed implicit '.' in default path, report from Jim Knoble + + - Redhat RPM spec fixes from Jim Knoble + +19991225 + - More fixes from Andre Lucas + - Cleanup of auth-passwd.c for shadow and MD5 passwords + - Cleanup and bugfix of PAM authentication code + - Released 1.2.1pre20 + + - Merged fixes from Ben Taylor + - Fixed configure support for PAM. Reported by Naz <96na@eng.cam.ac.uk> + - Disabled logging of PAM password authentication failures when password + is empty. (e.g start of authentication loop). Reported by Naz + <96na@eng.cam.ac.uk>) + +19991223 + - Merged later HPUX patch from Andre Lucas + + - Above patch included better utmpx support from Ben Taylor + + +19991222 + - Fix undefined fd_set type in ssh.h from Povl H. Pedersen + + - Fix login.c breakage on systems which lack ut_host in struct + utmp. Reported by Willard Dawson + +19991221 + - Integration of large HPUX patch from Andre Lucas + . Integrating it had a few other + benefits: + - Ability to disable shadow passwords at configure time + - Ability to disable lastlog support at configure time + - Support for IP address in $DISPLAY + - OpenBSD CVS update: + - [sshconnect.c] + say "REMOTE HOST IDENTIFICATION HAS CHANGED" + - Fix DISABLE_SHADOW support + - Allow MD5 passwords even if shadow passwords are disabled + - Release 1.2.1pre19 + +19991218 + - Redhat init script patch from Chun-Chung Chen + + - Avoid breakage on systems without IPv6 headers + +19991216 + - Makefile changes for Solaris from Peter Kocks + + - Minor updates to docs + - Merged OpenBSD CVS changes: + - [authfd.c ssh-agent.c] + keysize warnings talk about identity files + - [packet.c] + "Connection closed by x.x.x.x": fatal() -> log() + - Correctly handle empty passwords in shadow file. Patch from: + "Chris, the Young One" + - Released 1.2.1pre18 + +19991215 + - Integrated patchs from Juergen Keil + - Avoid void* pointer arithmatic + - Use LDFLAGS correctly + - Fix SIGIO error in scp + - Simplify status line printing in scp + - Added better test for inline functions compiler support from + Darren_Hall@progressive.com + +19991214 + - OpenBSD CVS Changes + - [canohost.c] + fix get_remote_port() and friends for sshd -i; + Holger.Trapp@Informatik.TU-Chemnitz.DE + - [mpaux.c] + make code simpler. no need for memcpy. niels@ ok + - [pty.c] + namebuflen not sizeof namebuflen; bnd@ep-ag.com via djm@mindrot.org + fix proto; markus + - [ssh.1] + typo; mark.baushke@solipsa.com + - [channels.c ssh.c ssh.h sshd.c] + type conflict for 'extern Type *options' in channels.c; dot@dotat.at + - [sshconnect.c] + move checking of hostkey into own function. + - [version.h] + OpenSSH-1.2.1 + - Clean up broken includes in pty.c + - Some older systems don't have poll.h, they use sys/poll.h instead + - Doc updates + +19991211 + - Fix compilation on systems with AFS. Reported by + aloomis@glue.umd.edu + - Fix installation on Solaris. Reported by + Gordon Rowell + - Fix gccisms (__attribute__ and inline). Report by edgy@us.ibm.com, + patch from Markus Friedl + - Auto-locate xauth. Patch from David Agraz + - Compile fix from David Agraz + - Avoid compiler warning in bsd-snprintf.c + - Added pam_limits.so to default PAM config. Suggested by + Jim Knoble + +19991209 + - Import of patch from Ben Taylor : + - Improved PAM support + - "uninstall" rule for Makefile + - utmpx support + - Should fix PAM problems on Solaris + - OpenBSD CVS updates: + - [readpass.c] + avoid stdio; based on work by markus, millert, and I + - [sshd.c] + make sure the client selects a supported cipher + - [sshd.c] + fix sighup handling. accept would just restart and daemon handled + sighup only after the next connection was accepted. use poll on + listen sock now. + - [sshd.c] + make that a fatal + - Applied patch from David Rankin + to fix libwrap support on NetBSD + - Released 1.2pre17 + +19991208 + - Compile fix for Solaris with /dev/ptmx from + David Agraz + +19991207 + - sshd Redhat init script patch from Jim Knoble + fixes compatability with 4.x and 5.x + - Fixed default SSH_ASKPASS + - Fix PAM account and session being called multiple times. Problem + reported by Adrian Baugh + - Merged more OpenBSD changes: + - [atomicio.c authfd.c scp.c serverloop.c ssh.h sshconnect.c sshd.c] + move atomicio into it's own file. wrap all socket write()s which + were doing write(sock, buf, len) != len, with atomicio() calls. + - [auth-skey.c] + fd leak + - [authfile.c] + properly name fd variable + - [channels.c] + display great hatred towards strcpy + - [pty.c pty.h sshd.c] + use openpty() if it exists (it does on BSD4_4) + - [tildexpand.c] + check for ~ expansion past MAXPATHLEN + - Modified helper.c to use new atomicio function. + - Reformat Makefile a little + - Moved RC4 routines from rc4.[ch] into helper.c + - Added autoconf code to detect /dev/ptmx (Solaris) and /dev/ptc (AIX) + - Updated SuSE spec from Chris Saia + - Tweaked Redhat spec + - Clean up bad imports of a few files (forgot -kb) + - Released 1.2pre16 + +19991204 + - Small cleanup of PAM code in sshd.c + - Merged OpenBSD CVS changes: + - [auth-krb4.c auth-passwd.c auth-skey.c ssh.h] + move skey-auth from auth-passwd.c to auth-skey.c, same for krb4 + - [auth-rsa.c] + warn only about mismatch if key is _used_ + warn about keysize-mismatch with log() not error() + channels.c readconf.c readconf.h ssh.c ssh.h sshconnect.c + ports are u_short + - [hostfile.c] + indent, shorter warning + - [nchan.c] + use error() for internal errors + - [packet.c] + set loglevel for SSH_MSG_DISCONNECT to log(), not fatal() + serverloop.c + indent + - [ssh-add.1 ssh-add.c ssh.h] + document $SSH_ASKPASS, reasonable default + - [ssh.1] + CheckHostIP is not available for connects via proxy command + - [sshconnect.c] + typo + easier to read client code for passwd and skey auth + turn of checkhostip for proxy connects, since we don't know the remote ip + +19991126 + - Add definition for __P() + - Added [v]snprintf() replacement for systems that lack it + +19991125 + - More reformatting merged from OpenBSD CVS + - Merged OpenBSD CVS changes: + - [channels.c] + fix packet_integrity_check() for !have_hostname_in_open. + report from mrwizard@psu.edu via djm@ibs.com.au + - [channels.c] + set SO_REUSEADDR and SO_LINGER for forwarded ports. + chip@valinux.com via damien@ibs.com.au + - [nchan.c] + it's not an error() if shutdown_write failes in nchan. + - [readconf.c] + remove dead #ifdef-0-code + - [readconf.c servconf.c] + strcasecmp instead of tolower + - [scp.c] + progress meter overflow fix from damien@ibs.com.au + - [ssh-add.1 ssh-add.c] + SSH_ASKPASS support + - [ssh.1 ssh.c] + postpone fork_after_authentication until command execution, + request/patch from jahakala@cc.jyu.fi via damien@ibs.com.au + plus: use daemon() for backgrounding + - Added BSD compatible install program and autoconf test, thanks to + Niels Kristian Bech Jensen + - Solaris fixing, thanks to Ben Taylor + - Merged beginnings of AIX support from Tor-Ake Fransson + - Release 1.2pre15 + +19991124 + - Merged very large OpenBSD source code reformat + - OpenBSD CVS updates + - [channels.c cipher.c compat.c log-client.c scp.c serverloop.c] + [ssh.h sshd.8 sshd.c] + syslog changes: + * Unified Logmessage for all auth-types, for success and for failed + * Standard connections get only ONE line in the LOG when level==LOG: + Auth-attempts are logged only, if authentication is: + a) successfull or + b) with passwd or + c) we had more than AUTH_FAIL_LOG failues + * many log() became verbose() + * old behaviour with level=VERBOSE + - [readconf.c readconf.h ssh.1 ssh.h sshconnect.c sshd.c] + tranfer s/key challenge/response data in SSH_SMSG_AUTH_TIS_CHALLENGE + messages. allows use of s/key in windows (ttssh, securecrt) and + ssh-1.2.27 clients without 'ssh -v', ok: niels@ + - [sshd.8] + -V, for fallback to openssh in SSH2 compatibility mode + - [sshd.c] + fix sigchld race; cjc5@po.cwru.edu + +19991123 + - Added SuSE package files from Chris Saia + - Restructured package-related files under packages/* + - Added generic PAM config + - Numerous little Solaris fixes + - Add recommendation to use GNU make to INSTALL document + +19991122 + - Make close gnome-ssh-askpass (Debian bug #50299) + - OpenBSD CVS Changes + - [ssh-keygen.c] + don't create ~/.ssh only if the user wants to store the private + key there. show fingerprint instead of public-key after + keygeneration. ok niels@ + - Added OpenBSD bsd-strlcat.c, created bsd-strlcat.h + - Added timersub() macro + - Tidy RCSIDs of bsd-*.c + - Added autoconf test and macro to deal with old PAM libraries + pam_strerror definition (one arg vs two). + - Fix EGD problems (Thanks to Ben Taylor ) + - Retry /dev/urandom reads interrupted by signal (report from + Robert Hardy ) + - Added a setenv replacement for systems which lack it + - Only display public key comment when presenting ssh-askpass dialog + - Released 1.2pre14 + + - Configure, Make and changelog corrections from Tudor Bosman + and Niels Kristian Bech Jensen + +19991121 + - OpenBSD CVS Changes: + - [channels.c] + make this compile, bad markus + - [log.c readconf.c servconf.c ssh.h] + bugfix: loglevels are per host in clientconfig, + factor out common log-level parsing code. + - [servconf.c] + remove unused index (-Wall) + - [ssh-agent.c] + only one 'extern char *__progname' + - [sshd.8] + document SIGHUP, -Q to synopsis + - [sshconnect.c serverloop.c sshd.c packet.c packet.h] + [channels.c clientloop.c] + SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ + [hope this time my ISP stays alive during commit] + - [OVERVIEW README] typos; green@freebsd + - [ssh-keygen.c] + replace xstrdup+strcat with strlcat+fixed buffer, fixes OF (bad me) + exit if writing the key fails (no infinit loop) + print usage() everytime we get bad options + - [ssh-keygen.c] overflow, djm@mindrot.org + - [sshd.c] fix sigchld race; cjc5@po.cwru.edu + +19991120 + - Merged more Solaris support from Marc G. Fournier + + - Wrote autoconf tests for integer bit-types + - Fixed enabling kerberos support + - Fix segfault in ssh-keygen caused by buffer overrun in filename + handling. + +19991119 + - Merged PAM buffer overrun patch from Chip Salzenberg + - Merged OpenBSD CVS changes + - [auth-rhosts.c auth-rsa.c ssh-agent.c sshconnect.c sshd.c] + more %d vs. %s in fmt-strings + - [authfd.c] + Integers should not be printed with %s + - EGD uses a socket, not a named pipe. Duh. + - Fix includes in fingerprint.c + - Fix scp progress bar bug again. + - Move ssh-askpass from ${libdir}/ssh to ${libexecdir}/ssh at request of + David Rankin + - Added autoconf option to enable Kerberos 4 support (untested) + - Added autoconf option to enable AFS support (untested) + - Added autoconf option to enable S/Key support (untested) + - Added autoconf option to enable TCP wrappers support (compiles OK) + - Renamed BSD helper function files to bsd-* + - Added tests for login and daemon and enable OpenBSD replacements for + when they are absent. + - Added non-PAM MD5 password support patch from Tudor Bosman + +19991118 + - Merged OpenBSD CVS changes + - [scp.c] foregroundproc() in scp + - [sshconnect.h] include fingerprint.h + - [sshd.c] bugfix: the log() for passwd-auth escaped during logging + changes. + - [ssh.1] Spell my name right. + - Added openssh.com info to README + +19991117 + - Merged OpenBSD CVS changes + - [ChangeLog.Ylonen] noone needs this anymore + - [authfd.c] close-on-exec for auth-socket, ok deraadt + - [hostfile.c] + in known_hosts key lookup the entry for the bits does not need + to match, all the information is contained in n and e. This + solves the problem with buggy servers announcing the wrong + modulus length. markus and me. + - [serverloop.c] + bugfix: check for space if child has terminated, from: + iedowse@maths.tcd.ie + - [ssh-add.1 ssh-add.c ssh-keygen.1 ssh-keygen.c sshconnect.c] + [fingerprint.c fingerprint.h] + rsa key fingerprints, idea from Bjoern Groenvall + - [ssh-agent.1] typo + - [ssh.1] add OpenSSH information to AUTHOR section. okay markus@ + - [sshd.c] + force logging to stderr while loading private key file + (lost while converting to new log-levels) + +19991116 + - Fix some Linux libc5 problems reported by Miles Wilson + - Merged OpenBSD CVS changes: + - [auth-rh-rsa.c auth-rsa.c authfd.c authfd.h hostfile.c mpaux.c] + [mpaux.h ssh-add.c ssh-agent.c ssh.h ssh.c sshd.c] + the keysize of rsa-parameter 'n' is passed implizit, + a few more checks and warnings about 'pretended' keysizes. + - [cipher.c cipher.h packet.c packet.h sshd.c] + remove support for cipher RC4 + - [ssh.c] + a note for legay systems about secuity issues with permanently_set_uid(), + the private hostkey and ptrace() + - [sshconnect.c] + more detailed messages about adding and checking hostkeys + +19991115 + - Merged OpenBSD CVS changes: + - [ssh-add.c] change passphrase loop logic and remove ref to + $DISPLAY, ok niels + - Changed to ssh-add.c broke askpass support. Revised it to be a little more + modular. + - Revised autoconf support for enabling/disabling askpass support. + - Merged more OpenBSD CVS changes: + [auth-krb4.c] + - disconnect if getpeername() fails + - missing xfree(*client) + [canohost.c] + - disconnect if getpeername() fails + - fix comment: we _do_ disconnect if ip-options are set + [sshd.c] + - disconnect if getpeername() fails + - move checking of remote port to central place + [auth-rhosts.c] move checking of remote port to central place + [log-server.c] avoid extra fd per sshd, from millert@ + [readconf.c] print _all_ bad config-options in ssh(1), too + [readconf.h] print _all_ bad config-options in ssh(1), too + [ssh.c] print _all_ bad config-options in ssh(1), too + [sshconnect.c] disconnect if getpeername() fails + - OpenBSD's changes to sshd.c broke the PAM stuff, re-merged it. + - Various small cleanups to bring diff (against OpenBSD) size down. + - Merged more Solaris compability from Marc G. Fournier + + - Wrote autoconf tests for __progname symbol + - RPM spec file fixes from Jim Knoble + - Released 1.2pre12 + + - Another OpenBSD CVS update: + - [ssh-keygen.1] fix .Xr + +19991114 + - Solaris compilation fixes (still imcomplete) + +19991113 + - Build patch from Niels Kristian Bech Jensen + - Don't install config files if they already exist + - Fix inclusion of additional preprocessor directives from acconfig.h + - Removed redundant inclusions of config.h + - Added 'Obsoletes' lines to RPM spec file + - Merged OpenBSD CVS changes: + - [bufaux.c] save a view malloc/memcpy/memset/free's, ok niels + - [scp.c] fix overflow reported by damien@ibs.com.au: off_t + totalsize, ok niels,aaron + - Delay fork (-f option) in ssh until after port forwarded connections + have been initialised. Patch from Jani Hakala + - Added shadow password patch from Thomas Neumann + - Added ifdefs to auth-passwd.c to exclude it when PAM is enabled + - Tidied default config file some more + - Revised Redhat initscript to fix bug: sshd (re)start would fail + if executed from inside a ssh login. + +19991112 + - Merged changes from OpenBSD CVS + - [sshd.c] session_key_int may be zero + - [auth-rh-rsa.c servconf.c servconf.h ssh.h sshd.8 sshd.c sshd_config] + IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok + deraadt,millert + - Brought default sshd_config more in line with OpenBSD's + - Grab server in gnome-ssh-askpass (Debian bug #49872) + - Released 1.2pre10 + + - Added INSTALL documentation + - Merged yet more changes from OpenBSD CVS + - [auth-rh-rsa.c auth-rhosts.c auth-rsa.c channels.c clientloop.c] + [ssh.c ssh.h sshconnect.c sshd.c] + make all access to options via 'extern Options options' + and 'extern ServerOptions options' respectively; + options are no longer passed as arguments: + * make options handling more consistent + * remove #include "readconf.h" from ssh.h + * readconf.h is only included if necessary + - [mpaux.c] clear temp buffer + - [servconf.c] print _all_ bad options found in configfile + - Make ssh-askpass support optional through autoconf + - Fix nasty division-by-zero error in scp.c + - Released 1.2pre11 + +19991111 + - Added (untested) Entropy Gathering Daemon (EGD) support + - Fixed /dev/urandom fd leak (Debian bug #49722) + - Merged OpenBSD CVS changes: + - [auth-rh-rsa.c] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too + - [ssh.1] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too + - [sshd.8] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too + - Fix integer overflow which was messing up scp's progress bar for large + file transfers. Fix submitted to OpenBSD developers. Report and fix + from Kees Cook + - Merged more OpenBSD CVS changes: + - [auth-krb4.c auth-passwd.c] remove x11- and krb-cleanup from fatal() + + krb-cleanup cleanup + - [clientloop.c log-client.c log-server.c ] + [readconf.c readconf.h servconf.c servconf.h ] + [ssh.1 ssh.c ssh.h sshd.8] + add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd, + obsoletes QuietMode and FascistLogging in sshd. + - [sshd.c] fix fatal/assert() bug reported by damien@ibs.com.au: + allow session_key_int != sizeof(session_key) + [this should fix the pre-assert-removal-core-files] + - Updated default config file to use new LogLevel option and to improve + readability + +19991110 + - Merged several minor fixes: + - ssh-agent commandline parsing + - RPM spec file now installs ssh setuid root + - Makefile creates libdir + - Merged beginnings of Solaris compability from Marc G. Fournier + + +19991109 + - Autodetection of SSL/Crypto library location via autoconf + - Fixed location of ssh-askpass to follow autoconf + - Integrated Makefile patch from Niels Kristian Bech Jensen + - Autodetection of RSAref library for US users + - Minor doc updates + - Merged OpenBSD CVS changes: + - [rsa.c] bugfix: use correct size for memset() + - [sshconnect.c] warn if announced size of modulus 'n' != real size + - Added GNOME passphrase requestor (use --with-gnome-askpass) + - RPM build now creates subpackages + - Released 1.2pre9 + +19991108 + - Removed debian/ directory. This is now being maintained separately. + - Added symlinks for slogin in RPM spec file + - Fixed permissions on manpages in RPM spec file + - Added references to required libraries in README file + - Removed config.h.in from CVS + - Removed pwdb support (better pluggable auth is provided by glibc) + - Made PAM and requisite libdl optional + - Removed lots of unnecessary checks from autoconf + - Added support and autoconf test for openpty() function (Unix98 pty support) + - Fix for scp not finding ssh if not installed as /usr/bin/ssh + - Added TODO file + - Merged parts of Debian patch From Phil Hands : + - Added ssh-askpass program + - Added ssh-askpass support to ssh-add.c + - Create symlinks for slogin on install + - Fix "distclean" target in makefile + - Added example for ssh-agent to manpage + - Added support for PAM_TEXT_INFO messages + - Disable internal /etc/nologin support if PAM enabled + - Merged latest OpenBSD CVS changes: + - [all] replace assert() with error, fatal or packet_disconnect + - [sshd.c] don't send fail-msg but disconnect if too many authentication + failures + - [sshd.c] remove unused argument. ok dugsong + - [sshd.c] typo + - [rsa.c] clear buffers used for encryption. ok: niels + - [rsa.c] replace assert() with error, fatal or packet_disconnect + - [auth-krb4.c] remove unused argument. ok dugsong + - Fixed coredump after merge of OpenBSD rsa.c patch + - Released 1.2pre8 + +19991102 + - Merged change from OpenBSD CVS + - One-line cleanup in sshd.c + +19991030 + - Integrated debian package support from Dan Brosemer + - Merged latest updates for OpenBSD CVS: + - channels.[ch] - remove broken x11 fix and document istate/ostate + - ssh-agent.c - call setsid() regardless of argv[] + - ssh.c - save a few lines when disabling rhosts-{rsa-}auth + - Documentation cleanups + - Renamed README -> README.Ylonen + - Renamed README.openssh ->README + +19991029 + - Renamed openssh* back to ssh* at request of Theo de Raadt + - Incorporated latest changes from OpenBSD's CVS + - Integrated Makefile patch from Niels Kristian Bech Jensen + - Integrated PAM env patch from Nalin Dahyabhai + - Make distclean now removed configure script + - Improved PAM logging + - Added some debug() calls for PAM + - Removed redundant subdirectories + - Integrated part of a patch from Dan Brosemer for + building on Debian. + - Fixed off-by-one error in PAM env patch + - Released 1.2pre6 + +19991028 + - Further PAM enhancements. + - Much cleaner + - Now uses account and session modules for all logins. + - Integrated patch from Dan Brosemer + - Build fixes + - Autoconf + - Change binary names to open* + - Fixed autoconf script to detect PAM on RH6.1 + - Added tests for libpwdb, and OpenBSD functions to autoconf + - Released 1.2pre4 + + - Imported latest OpenBSD CVS code + - Updated README.openssh + - Released 1.2pre5 + +19991027 + - Adapted PAM patch. + - Released 1.0pre2 + + - Excised my buggy replacements for strlcpy and mkdtemp + - Imported correct OpenBSD strlcpy and mkdtemp routines. + - Reduced arc4random_stir entropy read to 32 bytes (256 bits) + - Picked up correct version number from OpenBSD + - Added sshd.pam PAM configuration file + - Added sshd.init Redhat init script + - Added openssh.spec RPM spec file + - Released 1.2pre3 + +19991026 + - Fixed include paths of OpenSSL functions + - Use OpenSSL MD5 routines + - Imported RC4 code from nanocrypt + - Wrote replacements for OpenBSD arc4random* functions + - Wrote replacements for strlcpy and mkdtemp + - Released 1.0pre1 diff -ruN ssh-openbsd-2000012700/INSTALL openssh-1.2.2p1/INSTALL --- ssh-openbsd-2000012700/INSTALL Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/INSTALL Fri Mar 3 22:13:52 2000 @@ -0,0 +1,197 @@ +1. Prerequisites +---------------- + +You will need working installations of Zlib and OpenSSL. + +Zlib: +http://www.cdrom.com/pub/infozip/zlib/ + +OpenSSL: +http://www.openssl.org/ + +OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system +supports it. PAM is standard on Redhat and Debian Linux and on Solaris. + +PAM: +http://www.kernel.org/pub/linux/libs/pam/ + +Dante: +http://www.inet.no/dante + +OpenSSH can also use the Dante SOCKS libraries, version 1.1.1pre1 or higher, +if you have them installed on your system. + +If you wish to build the GNOME passphrase requester, you will need the GNOME +libraries and headers. + +GNOME: +http://www.gnome.org/ + +Alternatively, Jim Knoble has written an excellent X11 +passphrase requester. This is maintained separately at: + +http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html + +If you are planning to use OpenSSH on a Unix which lacks a Kernel random +number generator (/dev/urandom), you will need to install the Entropy +Gathering Daemon (or similar). You will also need to specify the +--with-egd-pool option to ./configure. + +EGD: +http://www.lothar.com/tech/crypto/ + +GNU Make: +ftp://ftp.gnu.org/gnu/make/ + +OpenSSH has only been tested with GNU make. It may work with other +'make' programs, but you are on your own. + +2. Building / Installation +-------------------------- + +To install OpenSSH with default options: + +./configure +make +make install + +This will install the OpenSSH binaries in /usr/local/bin, configuration files +in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different +installation prefix, use the --prefix option to configure: + +./configure --prefix=/opt +make +make install + +Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override +specific paths, for example: + +./configure --prefix=/opt --sysconfdir=/etc/ssh +make +make install + +This will install the binaries in /opt/{bin,lib,sbin}, but will place the +configuration files in /etc/ssh. + +If you are using PAM, you will need to manually install a PAM control +file as "/etc/pam.d/sshd" (or wherever your system prefers to keep +them). A generic PAM configuration is included as "sshd.pam.generic", +you may need to edit it before using it on your system. If you are +using a recent version of Redhat Linux, the config file in +packages/redhat/sshd.pam should be more useful. + +There are a few other options to the configure script: + +--with-rsh=PATH allows you to specify the path to your rsh program. +Normally ./configure will search the current $PATH for 'rsh'. You +may need to specify this option if rsh is not in your path or has a +different name. + +--without-pam will disable PAM support. PAM is automatically detected +and switched on if found. + +--enable-gnome-askpass will build the GNOME passphrase dialog. You +need a working installation of GNOME, including the development +headers, for this to work. + +--with-random=/some/file allows you to specify an alternate source of +random numbers (the default is /dev/urandom). Unless you are absolutly +sure of what you are doing, it is best to leave this alone. + +--with-egd-pool=/some/file allows you to enable Entropy Gathering +Daemon support and to specify a EGD pool socket. You will need to +use this if your Unix does not support the /dev/urandom device (or +similar). The file argument refers to the EGD pool file, not the +EGD program itself. Please refer to the EGD documentation. + +--with-lastlog=FILE will specify the location of the lastlog file. +./configure searches a few locations for lastlog, but may not find +it if lastlog is installed in a different place. + +--without-lastlog will disable lastlog support entirely. + +--with-kerberos4=PATH will enable Kerberos IV support. You will need +to have the Kerberos libraries and header files installed for this +to work. Use the optional PATH argument to specify the root of your +Kerberos installation. + +--with-afs=PATH will enable AFS support. You will need to have the +Kerberos IV and the AFS libraries and header files installed for this +to work. Use the optional PATH argument to specify the root of your +AFS installation. AFS requires Kerberos support to be enabled. + +--with-skey will enable S/Key one time password support. You will need +the S/Key libraries and header files installed for this to work. + +--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny) +support. You will need libwrap.a and tcpd.h installed. + +--with-md5-passwords will enable the use of MD5 passwords. Enable this +if your operating system uses MD5 passwords without using PAM. + +--with-utmpx enables utmpx support. utmpx support is automatic for +some platforms. + +--without-shadow disables shadow password support. + +--with-ipaddr-display forces the use of a numeric IP address in the +$DISPLAY environment variable. Some broken systems need this. + +--with-default-path=PATH allows you to specify a default $PATH for sessions +started by sshd. + +--with-pid-dir=PATH specifies the directory in which the ssh.pid file is +created. + +--with-xauth=PATH specifies the location of the xauth binary + +--with-dante[=DIR] will enable Dante SOCKS library support. If the Dante +libsocks library isn't installed in a library searched by the compiler, +add the directory name as the option. + +--with-ipv4-default instructs OpenSSH to use IPv4 by default for new +connections. Normally OpenSSH will try attempt to lookup both IPv6 and +IPv4 addresses. On Linux/glibc-2.1.2 this causes long delays in name +resolution. If this option is specified, you can still attempt to +connect to IPv6 addresses using the command line option '-6'. + +--with-ssl-dir=DIR allows you to specify where your OpenSSL libraries +are installed. + +If you need to pass special options to the compiler or linker, you +can specify these as enviornment variables before running ./configure. +For example: + +CFLAGS="-O -m486" LFLAGS="-s" ./configure + +3. Configuration +---------------- + +The runtime configuration files are installed by in ${prefix}/etc or +whatever you specified as your --sysconfdir (/usr/local/etc by default). + +The default configuration should be instantly usable, though you should +review it to ensure that it matches your security requirements. + +To generate a host key, run "make host-key". Alternately you can do so +manually using the following command: + +/usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' + +Replacing /etc/ssh with the correct path to the configuration directory. +(${prefix}/etc or whatever you specified with --sysconfdir during +configuration) + +If you have configured OpenSSH with EGD support, ensure that EGD is +running and has collected some Entropy. + +For more information on configuration, please refer to the manual pages +for sshd, ssh and ssh-agent. + +4. Problems? +------------ + +If you experience problems compiling, installing or running OpenSSH. +Please refer to the "reporting bugs" section of the webpage at +http://violet.ibs.com.au/openssh/ + diff -ruN ssh-openbsd-2000012700/Makefile openssh-1.2.2p1/Makefile --- ssh-openbsd-2000012700/Makefile Tue Oct 26 06:27:26 1999 +++ openssh-1.2.2p1/Makefile Thu Jan 1 10:00:00 1970 @@ -1,13 +0,0 @@ -# $OpenBSD: Makefile,v 1.5 1999/10/25 20:27:26 markus Exp $ - -.include - -SUBDIR= lib ssh sshd ssh-add ssh-keygen ssh-agent scp - -distribution: - install -C -o root -g wheel -m 0644 ${.CURDIR}/ssh_config \ - ${DESTDIR}/etc/ssh_config - install -C -o root -g wheel -m 0644 ${.CURDIR}/sshd_config \ - ${DESTDIR}/etc/sshd_config - -.include diff -ruN ssh-openbsd-2000012700/Makefile.in openssh-1.2.2p1/Makefile.in --- ssh-openbsd-2000012700/Makefile.in Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/Makefile.in Fri Mar 3 22:13:52 2000 @@ -0,0 +1,169 @@ +prefix=@prefix@ +exec_prefix=@exec_prefix@ +bindir=@bindir@ +sbindir=@sbindir@ +libexecdir=@libexecdir@ +mandir=@mandir@ +mansubdir=@mansubdir@ +sysconfdir=@sysconfdir@ +piddir=@piddir@ +srcdir=@srcdir@ +top_srcdir=@top_srcdir@ + +DESTDIR= + +VPATH=@srcdir@ + +SSH_PROGRAM=@bindir@/ssh +ASKPASS_LOCATION=@libexecdir@/ssh +ASKPASS_PROGRAM=$(ASKPASS_LOCATION)/ssh-askpass + +CC=@CC@ +PATHS=-DETCDIR=\"$(sysconfdir)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DSSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" +CFLAGS=@CFLAGS@ $(PATHS) @DEFS@ +EXTRA_TARGETS=@GNOME_ASKPASS@ +LIBS=@LIBS@ +AR=@AR@ +RANLIB=@RANLIB@ +INSTALL=@INSTALL@ +PERL=@PERL@ +LDFLAGS=-L. @LDFLAGS@ + +GNOME_CFLAGS=`gnome-config --cflags gnome gnomeui` +GNOME_LIBS=`gnome-config --libs gnome gnomeui` + +TARGETS=ssh sshd ssh-add ssh-keygen ssh-agent scp $(EXTRA_TARGETS) + +LIBOBJS= atomicio.o authfd.o authfile.o bsd-bindresvport.o bsd-daemon.o bsd-misc.o bsd-mktemp.o bsd-rresvport.o bsd-snprintf.o bsd-strlcat.o bsd-strlcpy.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o fake-getaddrinfo.o fake-getnameinfo.o fingerprint.o hostfile.o log.o match.o mpaux.o nchan.o packet.o radix.o random.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o xmalloc.o + +SSHOBJS= ssh.o sshconnect.o log-client.o readconf.o clientloop.o + +SSHDOBJS= sshd.o auth-rhosts.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o log-server.o login.o servconf.o serverloop.o bsd-login.o md5crypt.o + +TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8 +CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh.0 sshd.0 +MANPAGES = @MANTYPE@ + +CONFIGFILES=sshd_config ssh_config + +PATHSUBS = -D/etc/ssh_config=$(sysconfdir)/ssh_config -D/etc/known_hosts=$(sysconfdir)/ssh_known_hosts -D/etc/sshd_config=$(sysconfdir)/sshd_config -D/etc/shosts.equiv=$(sysconfdir)/shosts.equiv -D/etc/ssh_host_key=$(sysconfdir)/ssh_host_key -D/var/run/sshd.pid=$(piddir)/sshd.pid + +FIXPATHSCMD = $(PERL) $(srcdir)/fixpaths $(PATHSUBS) + +all: $(TARGETS) $(MANPAGES) $(CONFIGFILES) + +$(LIBOBJS): config.h + +libssh.a: $(LIBOBJS) + $(AR) rv $@ $(LIBOBJS) + $(RANLIB) $@ + +ssh: libssh.a $(SSHOBJS) + $(CC) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh $(LIBS) + +sshd: libssh.a $(SSHDOBJS) + $(CC) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh $(LIBS) + +scp: libssh.a scp.o + $(CC) -o $@ scp.o $(LDFLAGS) -lssh $(LIBS) + +ssh-add: libssh.a ssh-add.o log-client.o + $(CC) -o $@ ssh-add.o log-client.o $(LDFLAGS) -lssh $(LIBS) + +ssh-agent: libssh.a ssh-agent.o log-client.o + $(CC) -o $@ ssh-agent.o log-client.o $(LDFLAGS) -lssh $(LIBS) + +ssh-keygen: libssh.a ssh-keygen.o log-client.o + $(CC) -o $@ ssh-keygen.o log-client.o $(LDFLAGS) -lssh $(LIBS) + +gnome-ssh-askpass: gnome-ssh-askpass.c + $(CC) $(CFLAGS) $(GNOME_CFLAGS) -o $@ gnome-ssh-askpass.c $(GNOME_LIBS) + +$(MANPAGES) $(CONFIGFILES):: + $(FIXPATHSCMD) $(srcdir)/$@ + +clean: + rm -f *.o *.a $(TARGETS) config.status config.cache config.log + rm -f *.out core + +distclean: clean + rm -f Makefile config.h core *~ + +mrproper: distclean + +veryclean: distclean + rm -f configure config.h.in *.0 + +catman-do: + @for f in $(TROFFMAN) ; do \ + echo "$$f -> $${f%%.[18]}.0" ; \ + nroff -mandoc $$f | cat -v | sed -e 's/.\^H//g' \ + >$${f%%.[18]}.0 ; \ + done + +install: $(TARGETS) + $(INSTALL) -d $(DESTDIR)$(bindir) + $(INSTALL) -d $(DESTDIR)$(sbindir) + $(INSTALL) -d $(DESTDIR)$(mandir) + $(INSTALL) -d $(DESTDIR)$(mandir)/$(mansubdir)1 + $(INSTALL) -d $(DESTDIR)$(mandir)/$(mansubdir)8 + $(INSTALL) -m 4755 -s ssh $(DESTDIR)$(bindir)/ssh + $(INSTALL) -s scp $(DESTDIR)$(bindir)/scp + $(INSTALL) -s ssh-add $(DESTDIR)$(bindir)/ssh-add + $(INSTALL) -s ssh-agent $(DESTDIR)$(bindir)/ssh-agent + $(INSTALL) -s ssh-keygen $(DESTDIR)$(bindir)/ssh-keygen + $(INSTALL) -s sshd $(DESTDIR)$(sbindir)/sshd + $(INSTALL) -m 644 ssh.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 + $(INSTALL) -m 644 scp.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 + $(INSTALL) -m 644 ssh-add.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 + $(INSTALL) -m 644 ssh-agent.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1 + $(INSTALL) -m 644 ssh-keygen.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 + $(INSTALL) -m 644 sshd.[08].out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 + -rm -f $(DESTDIR)$(bindir)/slogin + ln -s ssh $(DESTDIR)$(bindir)/slogin + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 + ln -s ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 + + if [ ! -z "@GNOME_ASKPASS@" ] ; then \ + $(INSTALL) -d $(DESTDIR)$(libexecdir) ; \ + $(INSTALL) -d $(DESTDIR)$(libexecdir)/ssh ; \ + $(INSTALL) -s @GNOME_ASKPASS@ $(DESTDIR)${ASKPASS_LOCATION} ; \ + fi + + if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config -a ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \ + $(INSTALL) -d $(DESTDIR)$(sysconfdir); \ + $(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \ + $(INSTALL) -m 644 sshd_config.out $(DESTDIR)$(sysconfdir)/sshd_config; \ + fi + +host-key: ssh-keygen + ./ssh-keygen -b 1024 -f $(sysconfdir)/ssh_host_key -N '' + +uninstallall: uninstall + -rm -f $(DESTDIR)$(sysconfdir)/ssh_config + -rm -f $(DESTDIR)$(sysconfdir)/sshd_config + -rmdir $(DESTDIR)$(sysconfdir) + -rmdir $(DESTDIR)$(bindir) + -rmdir $(DESTDIR)$(sbindir) + -rmdir $(DESTDIR)$(mandir)/$(mansubdir)1 + -rmdir $(DESTDIR)$(mandir)/$(mansubdir)8 + -rmdir $(DESTDIR)$(mandir) + -rmdir $(DESTDIR)$(libexecdir) + +uninstall: + -rm -f $(DESTDIR)$(bindir)/ssh + -rm -f $(DESTDIR)$(bindir)/scp + -rm -f $(DESTDIR)$(bindir)/ssh-add + -rm -f $(DESTDIR)$(bindir)/ssh-agent + -rm -f $(DESTDIR)$(bindir)/ssh-keygen + -rm -f $(DESTDIR)$(sbindir)/sshd + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 + -rm -f $(DESTDIR)$(bindir)/slogin + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 + -rm -f $(DESTDIR)${ASKPASS_PROGRAM} + -rmdir $(DESTDIR)$(libexecdir)/ssh ; diff -ruN ssh-openbsd-2000012700/Makefile.inc openssh-1.2.2p1/Makefile.inc --- ssh-openbsd-2000012700/Makefile.inc Tue Oct 26 06:27:26 1999 +++ openssh-1.2.2p1/Makefile.inc Thu Jan 1 10:00:00 1970 @@ -1,11 +0,0 @@ -CFLAGS+= -I${.CURDIR}/.. - -.include - -.if exists(${.CURDIR}/../lib/${__objdir}) -LDADD+= -L${.CURDIR}/../lib/${__objdir} -lssh -DPADD+= ${.CURDIR}/../lib/${__objdir}/libssh.a -.else -LDADD+= -L${.CURDIR}/../lib -lssh -DPADD+= ${.CURDIR}/../lib/libssh.a -.endif diff -ruN ssh-openbsd-2000012700/README openssh-1.2.2p1/README --- ssh-openbsd-2000012700/README Sat Nov 20 21:42:35 1999 +++ openssh-1.2.2p1/README Wed Feb 2 20:56:21 2000 @@ -1,563 +1,72 @@ -Ssh (Secure Shell) is a program to log into another computer over a -network, to execute commands in a remote machine, and to move files -from one machine to another. It provides strong authentication and -secure communications over insecure channels. It is intended as a -replacement for rlogin, rsh, rcp, and rdist. - -See the file INSTALL for installation instructions. See COPYING for -license terms and other legal issues. See RFC for a description of -the protocol. There is a WWW page for ssh; see http://www.cs.hut.fi/ssh. - -This file has been updated to match ssh-1.2.12. - - -FEATURES - - o Strong authentication. Closes several security holes (e.g., IP, - routing, and DNS spoofing). New authentication methods: .rhosts - together with RSA based host authentication, and pure RSA - authentication. - - o Improved privacy. All communications are automatically and - transparently encrypted. RSA is used for key exchange, and a - conventional cipher (normally IDEA, DES, or triple-DES) for - encrypting the session. Encryption is started before - authentication, and no passwords or other information is - transmitted in the clear. Encryption is also used to protect - against spoofed packets. - - o Secure X11 sessions. The program automatically sets DISPLAY on - the server machine, and forwards any X11 connections over the - secure channel. Fake Xauthority information is automatically - generated and forwarded to the remote machine; the local client - automatically examines incoming X11 connections and replaces the - fake authorization data with the real data (never telling the - remote machine the real information). - - o Arbitrary TCP/IP ports can be redirected through the encrypted channel - in both directions (e.g., for e-cash transactions). - - o No retraining needed for normal users; everything happens - automatically, and old .rhosts files will work with strong - authentication if administration installs host key files. - - o Never trusts the network. Minimal trust on the remote side of - the connection. Minimal trust on domain name servers. Pure RSA - authentication never trusts anything but the private key. - - o Client RSA-authenticates the server machine in the beginning of - every connection to prevent trojan horses (by routing or DNS - spoofing) and man-in-the-middle attacks, and the server - RSA-authenticates the client machine before accepting .rhosts or - /etc/hosts.equiv authentication (to prevent DNS, routing, or - IP-spoofing). - - o Host authentication key distribution can be centrally by the - administration, automatically when the first connection is made - to a machine (the key obtained on the first connection will be - recorded and used for authentication in the future), or manually - by each user for his/her own use. The central and per-user host - key repositories are both used and complement each other. Host - keys can be generated centrally or automatically when the software - is installed. Host authentication keys are typically 1024 bits. - - o Any user can create any number of user authentication RSA keys for - his/her own use. Each user has a file which lists the RSA public - keys for which proof of possession of the corresponding private - key is accepted as authentication. User authentication keys are - typically 1024 bits. - - o The server program has its own server RSA key which is - automatically regenerated every hour. This key is never saved in - any file. Exchanged session keys are encrypted using both the - server key and the server host key. The purpose of the separate - server key is to make it impossible to decipher a captured session by - breaking into the server machine at a later time; one hour from - the connection even the server machine cannot decipher the session - key. The key regeneration interval is configurable. The server - key is normally 768 bits. - - o An authentication agent, running in the user's laptop or local - workstation, can be used to hold the user's RSA authentication - keys. Ssh automatically forwards the connection to the - authentication agent over any connections, and there is no need to - store the RSA authentication keys on any machine in the network - (except the user's own local machine). The authentication - protocols never reveal the keys; they can only be used to verify - that the user's agent has a certain key. Eventually the agent - could rely on a smart card to perform all authentication - computations. - - o The software can be installed and used (with restricted - functionality) even without root privileges. - - o The client is customizable in system-wide and per-user - configuration files. Most aspects of the client's operation can - be configured. Different options can be specified on a per-host basis. - - o Automatically executes conventional rsh (after displaying a - warning) if the server machine is not running sshd. - - o Optional compression of all data with gzip (including forwarded X11 - and TCP/IP port data), which may result in significant speedups on - slow connections. - - o Complete replacement for rlogin, rsh, and rcp. - - -WHY TO USE SECURE SHELL - -Currently, almost all communications in computer networks are done -without encryption. As a consequence, anyone who has access to any -machine connected to the network can listen in on any communication. -This is being done by hackers, curious administrators, employers, -criminals, industrial spies, and governments. Some networks leak off -enough electromagnetic radiation that data may be captured even from a -distance. - -When you log in, your password goes in the network in plain -text. Thus, any listener can then use your account to do any evil he -likes. Many incidents have been encountered worldwide where crackers -have started programs on workstations without the owners knowledge -just to listen to the network and collect passwords. Programs for -doing this are available on the Internet, or can be built by a -competent programmer in a few hours. - -Any information that you type or is printed on your screen can be -monitored, recorded, and analyzed. For example, an intruder who has -penetrated a host connected to a major network can start a program -that listens to all data flowing in the network, and whenever it -encounters a 16-digit string, it checks if it is a valid credit card -number (using the check digit), and saves the number plus any -surrounding text (to catch expiration date and holder) in a file. -When the intruder has collected a few thousand credit card numbers, he -makes smallish mail-order purchases from a few thousand stores around -the world, and disappears when the goods arrive but before anyone -suspects anything. - -Businesses have trade secrets, patent applications in preparation, -pricing information, subcontractor information, client data, personnel -data, financial information, etc. Currently, anyone with access to -the network (any machine on the network) can listen to anything that -goes in the network, without any regard to normal access restrictions. - -Many companies are not aware that information can so easily be -recovered from the network. They trust that their data is safe -since nobody is supposed to know that there is sensitive information -in the network, or because so much other data is transferred in the -network. This is not a safe policy. - -Individual persons also have confidential information, such as -diaries, love letters, health care documents, information about their -personal interests and habits, professional data, job applications, -tax reports, political documents, unpublished manuscripts, etc. - -One should also be aware that economical intelligence and industrial -espionage has recently become a major priority of the intelligence -agencies of major governments. President Clinton recently assigned -economical espionage as the primary task of the CIA, and the French -have repeatedly been publicly boasting about their achievements on -this field. - - -There is also another frightening aspect about the poor security of -communications. Computer storage and analysis capability has -increased so much that it is feasible for governments, major -companies, and criminal organizations to automatically analyze, -identify, classify, and file information about millions of people over -the years. Because most of the work can be automated, the cost of -collecting this information is getting very low. - -Government agencies may be able to monitor major communication -systems, telephones, fax, computer networks, etc., and passively -collect huge amounts of information about all people with any -significant position in the society. Most of this information is not -sensitive, and many people would say there is no harm in someone -getting that information. However, the information starts to get -sensitive when someone has enough of it. You may not mind someone -knowing what you bought from the shop one random day, but you might -not like someone knowing every small thing you have bought in the last -ten years. - -If the government some day starts to move into a more totalitarian -direction (one should remember that Nazi Germany was created by -democratic elections), there is considerable danger of an ultimate -totalitarian state. With enough information (the automatically -collected records of an individual can be manually analyzed when the -person becomes interesting), one can form a very detailed picture of -the individual's interests, opinions, beliefs, habits, friends, -lovers, weaknesses, etc. This information can be used to 1) locate -any persons who might oppose the new system 2) use deception to -disturb any organizations which might rise against the government 3) -eliminate difficult individuals without anyone understanding what -happened. Additionally, if the government can monitor communications -too effectively, it becomes too easy to locate and eliminate any -persons distributing information contrary to the official truth. - -Fighting crime and terrorism are often used as grounds for domestic -surveillance and restricting encryption. These are good goals, but -there is considerable danger that the surveillance data starts to get -used for questionable purposes. I find that it is better to tolerate -a small amount of crime in the society than to let the society become -fully controlled. I am in favor of a fairly strong state, but the -state must never get so strong that people become unable to spread -contra-offical information and unable to overturn the government if it -is bad. The danger is that when you notice that the government is -too powerful, it is too late. Also, the real power may not be where -the official government is. - -For these reasons (privacy, protecting trade secrets, and making it -more difficult to create a totalitarian state), I think that strong -cryptography should be integrated to the tools we use every day. -Using it causes no harm (except for those who wish to monitor -everything), but not using it can cause huge problems. If the society -changes in undesirable ways, then it will be to late to start -encrypting. - -Encryption has had a "military" or "classified" flavor to it. There -are no longer any grounds for this. The military can and will use its -own encryption; that is no excuse to prevent the civilians from -protecting their privacy and secrets. Information on strong -encryption is available in every major bookstore, scientific library, -and patent office around the world, and strong encryption software is -available in every country on the Internet. - -Some people would like to make it illegal to use encryption, or to -force people to use encryption that governments can break. This -approach offers no protection if the government turns bad. Also, the -"bad guys" will be using true strong encryption anyway. Good -encryption techniques are too widely known to make them disappear. -Thus, any "key escrow encryption" or other restrictions will only help -monitor ordinary people and petty criminals. It does not help against -powerful criminals, terrorists, or espionage, because they will know -how to use strong encryption anyway. (One source for internationally -available encryption software is http://www.cs.hut.fi/crypto.) - - -OVERVIEW OF SECURE SHELL - -The software consists of a number of programs. - - sshd Server program run on the server machine. This - listens for connections from client machines, and - whenever it receives a connection, it performs - authentication and starts serving the client. - - ssh This is the client program used to log into another - machine or to execute commands on the other machine. - "slogin" is another name for this program. - - scp Securely copies files from one machine to another. - - ssh-keygen Used to create RSA keys (host keys and user - authentication keys). - - ssh-agent Authentication agent. This can be used to hold RSA - keys for authentication. - - ssh-add Used to register new keys with the agent. - - make-ssh-known-hosts - Used to create the /etc/ssh_known_hosts file. - - -Ssh is the program users normally use. It is started as - - ssh host - -or - - ssh host command - -The first form opens a new shell on the remote machine (after -authentication). The latter form executes the command on the remote -machine. - -When started, the ssh connects sshd on the server machine, verifies -that the server machine really is the machine it wanted to connect, -exchanges encryption keys (in a manner which prevents an outside -listener from getting the keys), performs authentication using .rhosts -and /etc/hosts.equiv, RSA authentication, or conventional password -based authentication. The server then (normally) allocates a -pseudo-terminal and starts an interactive shell or user program. - -The TERM environment variable (describing the type of the user's -terminal) is passed from the client side to the remote side. Also, -terminal modes will be copied from the client side to the remote side -to preserve user preferences (e.g., the erase character). - -If the DISPLAY variable is set on the client side, the server will -create a dummy X server and set DISPLAY accordingly. Any connections -to the dummy X server will be forwarded through the secure channel, -and will be made to the real X server from the client side. An -arbitrary number of X programs can be started during the session, and -starting them does not require anything special from the user. (Note -that the user must not manually set DISPLAY, because then it would -connect directly to the real display instead of going through the -encrypted channel). This behavior can be disabled in the -configuration file or by giving the -x option to the client. - -Arbitrary IP ports can be forwarded over the secure channel. The -program then creates a port on one side, and whenever a connection is -opened to this port, it will be passed over the secure channel, and a -connection will be made from the other side to a specified host:port -pair. Arbitrary IP forwarding must always be explicitly requested, -and cannot be used to forward privileged ports (unless the user is -root). It is possible to specify automatic forwards in a per-user -configuration file, for example to make electronic cash systems work -securely. - -If there is an authentication agent on the client side, connection to -it will be automatically forwarded to the server side. - -For more infomation, see the manual pages ssh(1), sshd(8), scp(1), -ssh-keygen(1), ssh-agent(1), ssh-add(1), and make-ssh-known-hosts(1) -included in this distribution. - - -X11 CONNECTION FORWARDING - -X11 forwarding serves two purposes: it is a convenience to the user -because there is no need to set the DISPLAY variable, and it provides -encrypted X11 connections. I cannot think of any other easy way to -make X11 connections encrypted; modifying the X server, clients or -libraries would require special work for each machine, vendor and -application. Widely used IP-level encryption does not seem likely for -several years. Thus what we have left is faking an X server on the -same machine where the clients are run, and forwarding the connections -to a real X server over the secure channel. - -X11 forwarding works as follows. The client extracts Xauthority -information for the server. It then creates random authorization -data, and sends the random data to the server. The server allocates -an X11 display number, and stores the (fake) Xauthority data for this -display. Whenever an X11 connection is opened, the server forwards -the connection over the secure channel to the client, and the client -parses the first packet of the X11 protocol, substitutes real -authentication data for the fake data (if the fake data matched), and -forwards the connection to the real X server. - -If the display does not have Xauthority data, the server will create a -unix domain socket in /tmp/.X11-unix, and use the unix domain socket -as the display. No authentication information is forwarded in this -case. X11 connections are again forwarded over the secure channel. -To the X server the connections appear to come from the client -machine, and the server must have connections allowed from the local -machine. Using authentication data is always recommended because not -using it makes the display insecure. If XDM is used, it automatically -generates the authentication data. - -One should be careful not to use "xin" or "xstart" or other similar -scripts that explicitly set DISPLAY to start X sessions in a remote -machine, because the connection will then not go over the secure -channel. The recommended way to start a shell in a remote machine is - - xterm -e ssh host & - -and the recommended way to execute an X11 application in a remote -machine is - - ssh -n host emacs & - -If you need to type a password/passphrase for the remote machine, - - ssh -f host emacs - -may be useful. - - - -RSA AUTHENTICATION - -RSA authentication is based on public key cryptograpy. The idea is -that there are two encryption keys, one for encryption and another for -decryption. It is not possible (on human timescale) to derive the -decryption key from the encryption key. The encryption key is called -the public key, because it can be given to anyone and it is not -secret. The decryption key, on the other hand, is secret, and is -called the private key. - -RSA authentication is based on the impossibility of deriving the -private key from the public key. The public key is stored on the -server machine in the user's $HOME/.ssh/authorized_keys file. The -private key is only kept on the user's local machine, laptop, or other -secure storage. Then the user tries to log in, the client tells the -server the public key that the user wishes to use for authentication. -The server then checks if this public key is admissible. If so, it -generates a 256 bit random number, encrypts it with the public key, -and sends the value to the client. The client then decrypts the -number with its private key, computes a 128 bit MD5 checksum from the -resulting data, and sends the checksum back to the server. (Only a -checksum is sent to prevent chosen-plaintext attacks against RSA.) -The server checks computes a checksum from the correct data, -and compares the checksums. Authentication is accepted if the -checksums match. (Theoretically this indicates that the client -only probably knows the correct key, but for all practical purposes -there is no doubt.) - -The RSA private key can be protected with a passphrase. The -passphrase can be any string; it is hashed with MD5 to produce an -encryption key for IDEA, which is used to encrypt the private part of -the key file. With passphrase, authorization requires access to the key -file and the passphrase. Without passphrase, authorization only -depends on possession of the key file. - -RSA authentication is the most secure form of authentication supported -by this software. It does not rely on the network, routers, domain -name servers, or the client machine. The only thing that matters is -access to the private key. - -All this, of course, depends on the security of the RSA algorithm -itself. RSA has been widely known since about 1978, and no effective -methods for breaking it are known if it is used properly. Care has -been taken to avoid the well-known pitfalls. Breaking RSA is widely -believed to be equivalent to factoring, which is a very hard -mathematical problem that has received considerable public research. -So far, no effective methods are known for numbers bigger than about -512 bits. However, as computer speeds and factoring methods are -increasing, 512 bits can no longer be considered secure. The -factoring work is exponential, and 768 or 1024 bits are widely -considered to be secure in the near future. - - -RHOSTS AUTHENTICATION - -Conventional .rhosts and hosts.equiv based authentication mechanisms -are fundamentally insecure due to IP, DNS (domain name server) and -routing spoofing attacks. Additionally this authentication method -relies on the integrity of the client machine. These weaknesses is -tolerable, and been known and exploited for a long time. - -Ssh provides an improved version of these types of authentication, -because they are very convenient for the user (and allow easy -transition from rsh and rlogin). It permits these types of -authentication, but additionally requires that the client host be -authenticated using RSA. - -The server has a list of host keys stored in /etc/ssh_known_host, and -additionally each user has host keys in $HOME/.ssh/known_hosts. Ssh -uses the name servers to obtain the canonical name of the client host, -looks for its public key in its known host files, and requires the -client to prove that it knows the private host key. This prevents IP -and routing spoofing attacks (as long as the client machine private -host key has not been compromized), but is still vulnerable to DNS -attacks (to a limited extent), and relies on the integrity of the -client machine as to who is requesting to log in. This prevents -outsiders from attacking, but does not protect against very powerful -attackers. If maximal security is desired, only RSA authentication -should be used. - -It is possible to enable conventional .rhosts and /etc/hosts.equiv -authentication (without host authentication) at compile time by giving -the option --with-rhosts to configure. However, this is not -recommended, and is not done by default. - -These weaknesses are present in rsh and rlogin. No improvement in -security will be obtained unless rlogin and rsh are completely -disabled (commented out in /etc/inetd.conf). This is highly -recommended. - - -WEAKEST LINKS IN SECURITY - -One should understand that while this software may provide -cryptographically secure communications, it may be easy to -monitor the communications at their endpoints. - -Basically, anyone with root access on the local machine on which you -are running the software may be able to do anything. Anyone with root -access on the server machine may be able to monitor your -communications, and a very talented root user might even be able to -send his/her own requests to your authentication agent. - -One should also be aware that computers send out electromagnetic -radition that can sometimes be picked up hundreds of meters away. -Your keyboard is particularly easy to listen to. The image on your -monitor might also be seen on another monitor in a van parked behind -your house. - -Beware that unwanted visitors might come to your home or office and -use your machine while you are away. They might also make -modifications or install bugs in your hardware or software. - -Beware that the most effective way for someone to decrypt your data -may be with a rubber hose. - - -LEGAL ISSUES - -As far as I am concerned, anyone is permitted to use this software -freely. However, see the file COPYING for detailed copying, -licensing, and distribution information. - -In some countries, particularly France, Russia, Iraq, and Pakistan, -it may be illegal to use any encryption at all without a special -permit, and the rumor has it that you cannot get a permit for any -strong encryption. - -This software may be freely imported into the United States; however, -the United States Government may consider re-exporting it a criminal -offence. - -Note that any information and cryptographic algorithms used in this -software are publicly available on the Internet and at any major -bookstore, scientific library, or patent office worldwide. - -THERE IS NO WARRANTY FOR THIS PROGRAM. Please consult the file -COPYING for more information. - - -MAILING LISTS AND OTHER INFORMATION - -There is a mailing list for ossh. It is ossh@sics.se. If you would -like to join, send a message to majordomo@sics.se with "subscribe -ssh" in body. - -The WWW home page for ssh is http://www.cs.hut.fi/ssh. It contains an -archive of the mailing list, and detailed information about new -releases, mailing lists, and other relevant issues. - -Bug reports should be sent to ossh-bugs@sics.se. - - -ABOUT THE AUTHOR - -This software was written by Tatu Ylonen . I work as a -researcher at Helsinki University of Technology, Finland. For more -information, see http://www.cs.hut.fi/~ylo/. My PGP public key is -available via finger from ylo@cs.hut.fi and from the key servers. I -prefer PGP encrypted mail. - -The author can be contacted via ordinary mail at - Tatu Ylonen - Helsinki University of Technology - Otakaari 1 - FIN-02150 ESPOO - Finland - - Fax. +358-0-4513293 - - -ACKNOWLEDGEMENTS - -I thank Tero Kivinen, Timo Rinne, Janne Snabb, and Heikki Suonsivu for -their help and comments in the design, implementation and porting of -this software. I also thank numerous contributors, including but not -limited to Walker Aumann, Jurgen Botz, Hans-Werner Braun, Stephane -Bortzmeyer, Adrian Colley, Michael Cooper, David Dombek, Jerome -Etienne, Bill Fithen, Mark Fullmer, Bert Gijsbers, Andreas Gustafsson, -Michael Henits, Steve Johnson, Thomas Koenig, Felix Leitner, Gunnar -Lindberg, Andrew Macpherson, Marc Martinec, Paul Mauvais, Donald -McKillican, Leon Mlakar, Robert Muchsel, Mark Treacy, Bryan -O'Sullivan, Mikael Suokas, Ollivier Robert, Jakob Schlyter, Tomasz -Surmacz, Alvar Vinacua, Petri Virkkula, Michael Warfield, and -Cristophe Wolfhugel. - -Thanks also go to Philip Zimmermann, whose PGP software and the -associated legal battle provided inspiration, motivation, and many -useful techniques, and to Bruce Schneier whose book Applied -Cryptography has done a great service in widely distributing knowledge -about cryptographic methods. +[ A Japanese translation of this document is available at +[ http://www.unixuser.org/%7Eharuyama/security/openssh/index.html +[ Thanks to HARUYAMA Seigo + +This is the port of OpenBSD's excellent OpenSSH to Linux and other +Unices. + +OpenSSH is based on the last free version of Tatu Ylonen's SSH with +all patent-encumbered algorithms removed (to external libraries), all +known security bugs fixed, new features reintroduced and many other +clean-ups. More information about SSH itself can be found in the file +README.Ylonen. OpenSSH has been created by Aaron Campbell, Bob Beck, +Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song. It has a +homepage at http://www.openssh.com/ + +This port consists of the re-introduction of autoconf support, PAM +support (for Linux and Solaris), EGD[1] support, SOCKS support (using +the Dante [6] libraries and replacements for OpenBSD library functions +that are (regrettably) absent from other unices. This port has been +best tested on Linux, Solaris, HPUX, NetBSD and Irix. Support for AIX, +SCO, NeXT and other Unices is underway. This version actively tracks +changes in the OpenBSD CVS repository. + +The PAM support is now more functional than the popular packages of +commercial ssh-1.2.x. It checks "account" and "session" modules for +all logins, not just when using password authentication. + +All new code is released under a XFree style license, which is very +liberal. Please refer to the source files for details. The code in +bsd-*.[ch] is from the OpenBSD project and has its own license (again, +see the source files for details). + +OpenSSH depends on Zlib[2], OpenSSL[3] and optionally PAM[4] and +Dante[6]. To build the GNOME[5] pass-phrase requester +(--with-gnome-askpass), you will need the GNOME libraries installed. +If you are building OpenSSH on a Unix which lacks a kernel random +number pool (/dev/random), you will need to install EGD[1]. + +There is now several mailing lists for this port of OpenSSH. Please +refer to http://violet.ibs.com.au/openssh/list.html for details on how +to join. + +Please send bug reports and patches to the mailing list +openssh-unix-dev@mindrot.org. The list is currently open to posting by +unsubscribed users. + +Please refer to the INSTALL document for information on how to install +OpenSSH on your system. The UPGRADING document details differences +between this port of OpenSSH and F-Secure SSH 1.x. + +Damien Miller +Internet Business Solutions + +Miscellania - + +This version of SSH is based upon code retrieved from the OpenBSD CVS +repository which in turn was based on the last free +version of SSH released by Tatu Ylonen. + +Code in bsd-misc.[ch] and gnome-ssh-askpass.c is Copyright 1999 Damien +Miller & Internet Business Solutions and is released under a X11-style +license (see source files for details). + +References - + +[1] http://www.lothar.com/tech/crypto/ +[2] http://www.cdrom.com/pub/infozip/zlib/ +[3] http://www.openssl.org/ +[4] http://www.kernel.org/pub/linux/libs/pam/ (PAM is standard on Solaris) +[5] http://www.gnome.org/ +[6] http://www.inet.no/dante - -Copyright (c) 1995 Tatu Ylonen, Espoo, Finland. diff -ruN ssh-openbsd-2000012700/README.Ylonen openssh-1.2.2p1/README.Ylonen --- ssh-openbsd-2000012700/README.Ylonen Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/README.Ylonen Sat Oct 30 11:30:35 1999 @@ -0,0 +1,563 @@ +Ssh (Secure Shell) is a program to log into another computer over a +network, to execute commands in a remote machine, and to move files +from one machine to another. It provides strong authentication and +secure communications over insecure channels. It is inteded as a +replacement for rlogin, rsh, rcp, and rdist. + +See the file INSTALL for installation instructions. See COPYING for +license terms and other legal issues. See RFC for a description of +the protocol. There is a WWW page for ssh; see http://www.cs.hut.fi/ssh. + +This file has been updated to match ssh-1.2.12. + + +FEATURES + + o Strong authentication. Closes several security holes (e.g., IP, + routing, and DNS spoofing). New authentication methods: .rhosts + together with RSA based host authentication, and pure RSA + authentication. + + o Improved privacy. All communications are automatically and + transparently encrypted. RSA is used for key exchange, and a + conventional cipher (normally IDEA, DES, or triple-DES) for + encrypting the session. Encryption is started before + authentication, and no passwords or other information is + transmitted in the clear. Encryption is also used to protect + against spoofed packets. + + o Secure X11 sessions. The program automatically sets DISPLAY on + the server machine, and forwards any X11 connections over the + secure channel. Fake Xauthority information is automatically + generated and forwarded to the remote machine; the local client + automatically examines incoming X11 connections and replaces the + fake authorization data with the real data (never telling the + remote machine the real information). + + o Arbitrary TCP/IP ports can be redirected through the encrypted channel + in both directions (e.g., for e-cash transactions). + + o No retraining needed for normal users; everything happens + automatically, and old .rhosts files will work with strong + authentication if administration installs host key files. + + o Never trusts the network. Minimal trust on the remote side of + the connection. Minimal trust on domain name servers. Pure RSA + authentication never trusts anything but the private key. + + o Client RSA-authenticates the server machine in the beginning of + every connection to prevent trojan horses (by routing or DNS + spoofing) and man-in-the-middle attacks, and the server + RSA-authenticates the client machine before accepting .rhosts or + /etc/hosts.equiv authentication (to prevent DNS, routing, or + IP-spoofing). + + o Host authentication key distribution can be centrally by the + administration, automatically when the first connection is made + to a machine (the key obtained on the first connection will be + recorded and used for authentication in the future), or manually + by each user for his/her own use. The central and per-user host + key repositories are both used and complement each other. Host + keys can be generated centrally or automatically when the software + is installed. Host authentication keys are typically 1024 bits. + + o Any user can create any number of user authentication RSA keys for + his/her own use. Each user has a file which lists the RSA public + keys for which proof of possession of the corresponding private + key is accepted as authentication. User authentication keys are + typically 1024 bits. + + o The server program has its own server RSA key which is + automatically regenerated every hour. This key is never saved in + any file. Exchanged session keys are encrypted using both the + server key and the server host key. The purpose of the separate + server key is to make it impossible to decipher a captured session by + breaking into the server machine at a later time; one hour from + the connection even the server machine cannot decipher the session + key. The key regeneration interval is configurable. The server + key is normally 768 bits. + + o An authentication agent, running in the user's laptop or local + workstation, can be used to hold the user's RSA authentication + keys. Ssh automatically forwards the connection to the + authentication agent over any connections, and there is no need to + store the RSA authentication keys on any machine in the network + (except the user's own local machine). The authentication + protocols never reveal the keys; they can only be used to verify + that the user's agent has a certain key. Eventually the agent + could rely on a smart card to perform all authentication + computations. + + o The software can be installed and used (with restricted + functionality) even without root privileges. + + o The client is customizable in system-wide and per-user + configuration files. Most aspects of the client's operation can + be configured. Different options can be specified on a per-host basis. + + o Automatically executes conventional rsh (after displaying a + warning) if the server machine is not running sshd. + + o Optional compression of all data with gzip (including forwarded X11 + and TCP/IP port data), which may result in significant speedups on + slow connections. + + o Complete replacement for rlogin, rsh, and rcp. + + +WHY TO USE SECURE SHELL + +Currently, almost all communications in computer networks are done +without encryption. As a consequence, anyone who has access to any +machine connected to the network can listen in on any communication. +This is being done by hackers, curious administrators, employers, +criminals, industrial spies, and governments. Some networks leak off +enough electromagnetic radiation that data may be captured even from a +distance. + +When you log in, your password goes in the network in plain +text. Thus, any listener can then use your account to do any evil he +likes. Many incidents have been encountered worldwide where crackers +have started programs on workstations without the owners knowledge +just to listen to the network and collect passwords. Programs for +doing this are available on the Internet, or can be built by a +competent programmer in a few hours. + +Any information that you type or is printed on your screen can be +monitored, recorded, and analyzed. For example, an intruder who has +penetrated a host connected to a major network can start a program +that listens to all data flowing in the network, and whenever it +encounters a 16-digit string, it checks if it is a valid credit card +number (using the check digit), and saves the number plus any +surrounding text (to catch expiration date and holder) in a file. +When the intruder has collected a few thousand credit card numbers, he +makes smallish mail-order purchases from a few thousand stores around +the world, and disappears when the goods arrive but before anyone +suspects anything. + +Businesses have trade secrets, patent applications in preparation, +pricing information, subcontractor information, client data, personnel +data, financial information, etc. Currently, anyone with access to +the network (any machine on the network) can listen to anything that +goes in the network, without any regard to normal access restrictions. + +Many companies are not aware that information can so easily be +recovered from the network. They trust that their data is safe +since nobody is supposed to know that there is sensitive information +in the network, or because so much other data is transferred in the +network. This is not a safe policy. + +Individual persons also have confidential information, such as +diaries, love letters, health care documents, information about their +personal interests and habits, professional data, job applications, +tax reports, political documents, unpublished manuscripts, etc. + +One should also be aware that economical intelligence and industrial +espionage has recently become a major priority of the intelligence +agencies of major governments. President Clinton recently assigned +economical espionage as the primary task of the CIA, and the French +have repeatedly been publicly boasting about their achievements on +this field. + + +There is also another frightening aspect about the poor security of +communications. Computer storage and analysis capability has +increased so much that it is feasible for governments, major +companies, and criminal organizations to automatically analyze, +identify, classify, and file information about millions of people over +the years. Because most of the work can be automated, the cost of +collecting this information is getting very low. + +Government agencies may be able to monitor major communication +systems, telephones, fax, computer networks, etc., and passively +collect huge amounts of information about all people with any +significant position in the society. Most of this information is not +sensitive, and many people would say there is no harm in someone +getting that information. However, the information starts to get +sensitive when someone has enough of it. You may not mind someone +knowing what you bought from the shop one random day, but you might +not like someone knowing every small thing you have bought in the last +ten years. + +If the government some day starts to move into a more totalitarian +direction (one should remember that Nazi Germany was created by +democratic elections), there is considerable danger of an ultimate +totalitarian state. With enough information (the automatically +collected records of an individual can be manually analyzed when the +person becomes interesting), one can form a very detailed picture of +the individual's interests, opinions, beliefs, habits, friends, +lovers, weaknesses, etc. This information can be used to 1) locate +any persons who might oppose the new system 2) use deception to +disturb any organizations which might rise against the government 3) +eliminate difficult individuals without anyone understanding what +happened. Additionally, if the government can monitor communications +too effectively, it becomes too easy to locate and eliminate any +persons distributing information contrary to the official truth. + +Fighting crime and terrorism are often used as grounds for domestic +surveillance and restricting encryption. These are good goals, but +there is considerable danger that the surveillance data starts to get +used for questionable purposes. I find that it is better to tolerate +a small amount of crime in the society than to let the society become +fully controlled. I am in favor of a fairly strong state, but the +state must never get so strong that people become unable to spread +contra-offical information and unable to overturn the government if it +is bad. The danger is that when you notice that the government is +too powerful, it is too late. Also, the real power may not be where +the official government is. + +For these reasons (privacy, protecting trade secrets, and making it +more difficult to create a totalitarian state), I think that strong +cryptography should be integrated to the tools we use every day. +Using it causes no harm (except for those who wish to monitor +everything), but not using it can cause huge problems. If the society +changes in undesirable ways, then it will be to late to start +encrypting. + +Encryption has had a "military" or "classified" flavor to it. There +are no longer any grounds for this. The military can and will use its +own encryption; that is no excuse to prevent the civilians from +protecting their privacy and secrets. Information on strong +encryption is available in every major bookstore, scientific library, +and patent office around the world, and strong encryption software is +available in every country on the Internet. + +Some people would like to make it illegal to use encryption, or to +force people to use encryption that governments can break. This +approach offers no protection if the government turns bad. Also, the +"bad guys" will be using true strong encryption anyway. Good +encryption techniques are too widely known to make them disappear. +Thus, any "key escrow encryption" or other restrictions will only help +monitor ordinary people and petty criminals. It does not help against +powerful criminals, terrorists, or espionage, because they will know +how to use strong encryption anyway. (One source for internationally +available encryption software is http://www.cs.hut.fi/crypto.) + + +OVERVIEW OF SECURE SHELL + +The software consists of a number of programs. + + sshd Server program run on the server machine. This + listens for connections from client machines, and + whenever it receives a connection, it performs + authentication and starts serving the client. + + ssh This is the client program used to log into another + machine or to execute commands on the other machine. + "slogin" is another name for this program. + + scp Securely copies files from one machine to another. + + ssh-keygen Used to create RSA keys (host keys and user + authentication keys). + + ssh-agent Authentication agent. This can be used to hold RSA + keys for authentication. + + ssh-add Used to register new keys with the agent. + + make-ssh-known-hosts + Used to create the /etc/ssh_known_hosts file. + + +Ssh is the program users normally use. It is started as + + ssh host + +or + + ssh host command + +The first form opens a new shell on the remote machine (after +authentication). The latter form executes the command on the remote +machine. + +When started, the ssh connects sshd on the server machine, verifies +that the server machine really is the machine it wanted to connect, +exchanges encryption keys (in a manner which prevents an outside +listener from getting the keys), performs authentication using .rhosts +and /etc/hosts.equiv, RSA authentication, or conventional password +based authentication. The server then (normally) allocates a +pseudo-terminal and starts an interactive shell or user program. + +The TERM environment variable (describing the type of the user's +terminal) is passed from the client side to the remote side. Also, +terminal modes will be copied from the client side to the remote side +to preserve user preferences (e.g., the erase character). + +If the DISPLAY variable is set on the client side, the server will +create a dummy X server and set DISPLAY accordingly. Any connections +to the dummy X server will be forwarded through the secure channel, +and will be made to the real X server from the client side. An +arbitrary number of X programs can be started during the session, and +starting them does not require anything special from the user. (Note +that the user must not manually set DISPLAY, because then it would +connect directly to the real display instead of going through the +encrypted channel). This behavior can be disabled in the +configuration file or by giving the -x option to the client. + +Arbitrary IP ports can be forwarded over the secure channel. The +program then creates a port on one side, and whenever a connection is +opened to this port, it will be passed over the secure channel, and a +connection will be made from the other side to a specified host:port +pair. Arbitrary IP forwarding must always be explicitly requested, +and cannot be used to forward privileged ports (unless the user is +root). It is possible to specify automatic forwards in a per-user +configuration file, for example to make electronic cash systems work +securely. + +If there is an authentication agent on the client side, connection to +it will be automatically forwarded to the server side. + +For more infomation, see the manual pages ssh(1), sshd(8), scp(1), +ssh-keygen(1), ssh-agent(1), ssh-add(1), and make-ssh-known-hosts(1) +included in this distribution. + + +X11 CONNECTION FORWARDING + +X11 forwarding serves two purposes: it is a convenience to the user +because there is no need to set the DISPLAY variable, and it provides +encrypted X11 connections. I cannot think of any other easy way to +make X11 connections encrypted; modifying the X server, clients or +libraries would require special work for each machine, vendor and +application. Widely used IP-level encryption does not seem likely for +several years. Thus what we have left is faking an X server on the +same machine where the clients are run, and forwarding the connections +to a real X server over the secure channel. + +X11 forwarding works as follows. The client extracts Xauthority +information for the server. It then creates random authorization +data, and sends the random data to the server. The server allocates +an X11 display number, and stores the (fake) Xauthority data for this +display. Whenever an X11 connection is opened, the server forwards +the connection over the secure channel to the client, and the client +parses the first packet of the X11 protocol, substitutes real +authentication data for the fake data (if the fake data matched), and +forwards the connection to the real X server. + +If the display does not have Xauthority data, the server will create a +unix domain socket in /tmp/.X11-unix, and use the unix domain socket +as the display. No authentication information is forwarded in this +case. X11 connections are again forwarded over the secure channel. +To the X server the connections appear to come from the client +machine, and the server must have connections allowed from the local +machine. Using authentication data is always recommended because not +using it makes the display insecure. If XDM is used, it automatically +generates the authentication data. + +One should be careful not to use "xin" or "xstart" or other similar +scripts that explicitly set DISPLAY to start X sessions in a remote +machine, because the connection will then not go over the secure +channel. The recommended way to start a shell in a remote machine is + + xterm -e ssh host & + +and the recommended way to execute an X11 application in a remote +machine is + + ssh -n host emacs & + +If you need to type a password/passphrase for the remote machine, + + ssh -f host emacs + +may be useful. + + + +RSA AUTHENTICATION + +RSA authentication is based on public key cryptograpy. The idea is +that there are two encryption keys, one for encryption and another for +decryption. It is not possible (on human timescale) to derive the +decryption key from the encryption key. The encryption key is called +the public key, because it can be given to anyone and it is not +secret. The decryption key, on the other hand, is secret, and is +called the private key. + +RSA authentication is based on the impossibility of deriving the +private key from the public key. The public key is stored on the +server machine in the user's $HOME/.ssh/authorized_keys file. The +private key is only kept on the user's local machine, laptop, or other +secure storage. Then the user tries to log in, the client tells the +server the public key that the user wishes to use for authentication. +The server then checks if this public key is admissible. If so, it +generates a 256 bit random number, encrypts it with the public key, +and sends the value to the client. The client then decrypts the +number with its private key, computes a 128 bit MD5 checksum from the +resulting data, and sends the checksum back to the server. (Only a +checksum is sent to prevent chosen-plaintext attacks against RSA.) +The server checks computes a checksum from the correct data, +and compares the checksums. Authentication is accepted if the +checksums match. (Theoretically this indicates that the client +only probably knows the correct key, but for all practical purposes +there is no doubt.) + +The RSA private key can be protected with a passphrase. The +passphrase can be any string; it is hashed with MD5 to produce an +encryption key for IDEA, which is used to encrypt the private part of +the key file. With passphrase, authorization requires access to the key +file and the passphrase. Without passphrase, authorization only +depends on possession of the key file. + +RSA authentication is the most secure form of authentication supported +by this software. It does not rely on the network, routers, domain +name servers, or the client machine. The only thing that matters is +access to the private key. + +All this, of course, depends on the security of the RSA algorithm +itself. RSA has been widely known since about 1978, and no effective +methods for breaking it are known if it is used properly. Care has +been taken to avoid the well-known pitfalls. Breaking RSA is widely +believed to be equivalent to factoring, which is a very hard +mathematical problem that has received considerable public research. +So far, no effective methods are known for numbers bigger than about +512 bits. However, as computer speeds and factoring methods are +increasing, 512 bits can no longer be considered secure. The +factoring work is exponential, and 768 or 1024 bits are widely +considered to be secure in the near future. + + +RHOSTS AUTHENTICATION + +Conventional .rhosts and hosts.equiv based authentication mechanisms +are fundamentally insecure due to IP, DNS (domain name server) and +routing spoofing attacks. Additionally this authentication method +relies on the integrity of the client machine. These weaknesses is +tolerable, and been known and exploited for a long time. + +Ssh provides an improved version of these types of authentication, +because they are very convenient for the user (and allow easy +transition from rsh and rlogin). It permits these types of +authentication, but additionally requires that the client host be +authenticated using RSA. + +The server has a list of host keys stored in /etc/ssh_known_host, and +additionally each user has host keys in $HOME/.ssh/known_hosts. Ssh +uses the name servers to obtain the canonical name of the client host, +looks for its public key in its known host files, and requires the +client to prove that it knows the private host key. This prevents IP +and routing spoofing attacks (as long as the client machine private +host key has not been compromized), but is still vulnerable to DNS +attacks (to a limited extent), and relies on the integrity of the +client machine as to who is requesting to log in. This prevents +outsiders from attacking, but does not protect against very powerful +attackers. If maximal security is desired, only RSA authentication +should be used. + +It is possible to enable conventional .rhosts and /etc/hosts.equiv +authentication (without host authentication) at compile time by giving +the option --with-rhosts to configure. However, this is not +recommended, and is not done by default. + +These weaknesses are present in rsh and rlogin. No improvement in +security will be obtained unless rlogin and rsh are completely +disabled (commented out in /etc/inetd.conf). This is highly +recommended. + + +WEAKEST LINKS IN SECURITY + +One should understand that while this software may provide +cryptographically secure communications, it may be easy to +monitor the communications at their endpoints. + +Basically, anyone with root access on the local machine on which you +are running the software may be able to do anything. Anyone with root +access on the server machine may be able to monitor your +communications, and a very talented root user might even be able to +send his/her own requests to your authentication agent. + +One should also be aware that computers send out electromagnetic +radition that can sometimes be picked up hundreds of meters away. +Your keyboard is particularly easy to listen to. The image on your +monitor might also be seen on another monitor in a van parked behind +your house. + +Beware that unwanted visitors might come to your home or office and +use your machine while you are away. They might also make +modifications or install bugs in your hardware or software. + +Beware that the most effective way for someone to decrypt your data +may be with a rubber hose. + + +LEGAL ISSUES + +As far as I am concerned, anyone is permitted to use this software +freely. However, see the file COPYING for detailed copying, +licensing, and distribution information. + +In some countries, particularly France, Russia, Iraq, and Pakistan, +it may be illegal to use any encryption at all without a special +permit, and the rumor has it that you cannot get a permit for any +strong encryption. + +This software may be freely imported into the United States; however, +the United States Government may consider re-exporting it a criminal +offence. + +Note that any information and cryptographic algorithms used in this +software are publicly available on the Internet and at any major +bookstore, scientific library, or patent office worldwide. + +THERE IS NO WARRANTY FOR THIS PROGRAM. Please consult the file +COPYING for more information. + + +MAILING LISTS AND OTHER INFORMATION + +There is a mailing list for ossh. It is ossh@sics.se. If you would +like to join, send a message to majordomo@sics.se with "subscribe +ssh" in body. + +The WWW home page for ssh is http://www.cs.hut.fi/ssh. It contains an +archive of the mailing list, and detailed information about new +releases, mailing lists, and other relevant issues. + +Bug reports should be sent to ossh-bugs@sics.se. + + +ABOUT THE AUTHOR + +This software was written by Tatu Ylonen . I work as a +researcher at Helsinki University of Technology, Finland. For more +information, see http://www.cs.hut.fi/~ylo/. My PGP public key is +available via finger from ylo@cs.hut.fi and from the key servers. I +prefer PGP encrypted mail. + +The author can be contacted via ordinary mail at + Tatu Ylonen + Helsinki University of Technology + Otakaari 1 + FIN-02150 ESPOO + Finland + + Fax. +358-0-4513293 + + +ACKNOWLEDGEMENTS + +I thank Tero Kivinen, Timo Rinne, Janne Snabb, and Heikki Suonsivu for +their help and comments in the design, implementation and porting of +this software. I also thank numerous contributors, including but not +limited to Walker Aumann, Jurgen Botz, Hans-Werner Braun, Stephane +Bortzmeyer, Adrian Colley, Michael Cooper, David Dombek, Jerome +Etienne, Bill Fithen, Mark Fullmer, Bert Gijsbers, Andreas Gustafsson, +Michael Henits, Steve Johnson, Thomas Koenig, Felix Leitner, Gunnar +Lindberg, Andrew Macpherson, Marc Martinec, Paul Mauvais, Donald +McKillican, Leon Mlakar, Robert Muchsel, Mark Treacy, Bryan +O'Sullivan, Mikael Suokas, Ollivier Robert, Jakob Schlyter, Tomasz +Surmacz, Alvar Vinacua, Petri Virkkula, Michael Warfield, and +Cristophe Wolfhugel. + +Thanks also go to Philip Zimmermann, whose PGP software and the +associated legal battle provided inspiration, motivation, and many +useful techniques, and to Bruce Schneier whose book Applied +Cryptography has done a great service in widely distributing knowledge +about cryptographic methods. + + +Copyright (c) 1995 Tatu Ylonen, Espoo, Finland. diff -ruN ssh-openbsd-2000012700/TODO openssh-1.2.2p1/TODO --- ssh-openbsd-2000012700/TODO Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/TODO Thu Mar 2 23:09:20 2000 @@ -0,0 +1,14 @@ +- Replacement for setproctitle() + +- Improve PAM support (a pam_lastlog module will cause sshd to exit) + +- Better documentation + +- Replace the horror in acconfig.h which tries to comphensate for the + lack of u_intXX_t types. There must be a better way. + +- Move all compatability cruft (bsd-*, fake-*) into subordinate library + +- Cleanup configure.in + +- A good source of strong random numbers. Waiting on a Yarrow port. diff -ruN ssh-openbsd-2000012700/UPGRADING openssh-1.2.2p1/UPGRADING --- ssh-openbsd-2000012700/UPGRADING Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/UPGRADING Thu Mar 2 23:56:12 2000 @@ -0,0 +1,122 @@ +[ A Japanese translation of this document is available at +[ http://www.unixuser.org/%7Eharuyama/security/openssh/index.html +[ Thanks to HARUYAMA Seigo + +OpenSSH is almost completely compatible with the commercial SSH 1.2.x. +There are, however, a few exceptions that you will need to bear in +mind while upgrading: + +1. OpenSSH does not support any patented transport algorithms. + +Only 3DES and Blowfish can be selected. This difference may manifest +itself in the ssh command refusing to read its config files. + +Solution: Edit /etc/ssh/ssh_config and select a different "Cipher" +option ("3des" or "blowfish"). + +2. Old versions of commercial SSH encrypt host keys with IDEA + +The old versions of SSH used a patented algorithm to encrypt their +/etc/ssh/ssh_host_key + +This problem will manifest as sshd not being able to read its host +key. + +Solution: You will need to run the *commercial* version of ssh-keygen +on the host's private key: + +ssh-keygen -u -f /etc/ssh/ssh_host_key + +3. Incompatible changes to sshd_config format. + +OpenSSH extends the sshd_config file format in a number of ways. There +is currently one change which is incompatible with the old. + +Commercial SSH controlled logging using the "QuietMode" and +"FascistLogging" directives. OpenSSH introduces a more general set of +logging options "SyslogFacility" and "LogLevel". See the sshd manual +page for details. + +4. Warning messages about key lengths + +Commercial SSH's ssh-keygen program contained a bug which caused it to +occasionally generate RSA keys which had their Most Significant Bit +(MSB) unset. Such keys were advertised as being full-length, but are +actually only half as secure. + +OpenSSH will print warning messages when it encounters such keys. To +rid yourself of these message, edit you known_hosts files and replace +the incorrect key length (usually "1024") with the correct key length +(usually "1023"). + +5. Spurious PAM authentication messages in logfiles + +OpenSSH will generate spurious authentication failures at every login, +similar to "authentication failure; (uid=0) -> root for sshd service". +These are generated because OpenSSH first tries to determine whether a +user needs authentication to login (e.g. empty password). Unfortunatly +PAM likes to log all authentication events, this one included. + +If it annoys you too much, set "PermitEmptyPasswords no" in +sshd_config. This will quiet the error message at the expense of +disabling logins to accounts with no password set. This is the +default if you use the supplied sshd_config file. + +6. Empty passwords not allowed with PAM authentication + +To enable empty passwords with a version of OpenSSH built with PAM you +must add the flag "nullok" to the end of the password checking module +in the /etc/pam.d/sshd file. For example: + +auth required/lib/security/pam_unix.so shadow nodelay nullok + +This must be done in addtion to setting "PermitEmptyPasswords yes" +in the sshd_config file. + +There is one caveat when using empty passwords with PAM +authentication: PAM will allow _any_ password when authenticating +an account with an empty password. This breaks the check that sshd +uses to determined whether an account has no password set and grant +users access to the account regardless of the policy specified by +"PermitEmptyPasswords". For this reason, it is recommended that you do +not add the "nullok" directive to your PAM configuration file unless +you specifically wish to allow empty passwords. + +7. X11 and/or agent forwarding does not work + +Check your ssh_config and sshd_config. The default configuration files +disable authentication agent and X11 forwarding. + +8. ssh takes a long time to connect with Linux/glibc 2.1 + +The glibc shipped with Redhat 6.1 appears to take a long time to resolve +"IPv6 or IPv4" addresses from domain names. This can be kludged around +with the --with-ipv4-default configure option. This instructs OpenSSH to +use IPv4-only address resolution. (IPv6 lookups may still be made by +specifying the -6 option). + +9. Logins from commercial ssh generate the error "Selected cipher type + idea not supported by server" + +This error is generated when a commercial ssh which has been configured to +use the 'idea' cipher attempts to connect to an OpenSSH server. To rectify +this, select a different cipher in ssh_config or ~/.ssh/config (3des for +security or blowfish for speed). + +10. "can't locate module net-pf-10" messages in log under Linux + +The Linux kernel is looking (via modprobe) for protocol family 10 (IPv6). +Either 1. load the appropriate kernel module, 2. enter the correct alias +in /etc/modules.conf or 3. disable IPv6 in /etc/modules.conf. + +For some silly reason /etc/modules.conf may also be named /etc/conf.modules + +11. Password authentication doesn't work on Slackware 7.0 + +Configure OpenSSH with --with-md5-passwords + +12. ./configure or sshd complain about lack of RSA support + +Ensure that your OpenSSL libraries have been built to include RSA support +either internally or through RSAref. + diff -ruN ssh-openbsd-2000012700/acconfig.h openssh-1.2.2p1/acconfig.h --- ssh-openbsd-2000012700/acconfig.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/acconfig.h Sun Mar 5 16:22:59 2000 @@ -0,0 +1,165 @@ +#ifndef _CONFIG_H +#define _CONFIG_H + +/* Generated automatically from acconfig.h by autoheader. */ +/* Please make your changes there */ + +@TOP@ + +/* Define if you want to disable PAM support */ +#undef DISABLE_PAM + +/* Define if you want to disable AIX4's authenticate function */ +#undef WITH_AIXAUTHENTICATE + +/* Define if you want to disable lastlog support */ +#undef DISABLE_LASTLOG + +/* Location of lastlog file */ +#undef LASTLOG_LOCATION + +/* If lastlog is a directory */ +#undef LASTLOG_IS_DIR + +/* Location of random number pool */ +#undef RANDOM_POOL + +/* Are we using the Entropy gathering daemon */ +#undef HAVE_EGD + +/* Define if using the Dante SOCKS library. */ +#undef HAVE_DANTE + +/* Define if using the Socks4 SOCKS library. */ +#undef HAVE_SOCKS4 + +/* Define if using the Socks5 SOCKS library. */ +#undef HAVE_SOCKS5 + +/* Define if you want to install preformatted manpages.*/ +#undef MANTYPE + +/* Define if your ssl headers are included with #include */ +#undef HAVE_SSL + +/* Define if your ssl headers are included with #include */ +#undef HAVE_OPENSSL + +/* Define if you are linking against RSAref. Used only to print the right + * message at run-time. */ +#undef RSAREF + +/* struct utmp and struct utmpx fields */ +#undef HAVE_HOST_IN_UTMP +#undef HAVE_HOST_IN_UTMPX +#undef HAVE_ADDR_IN_UTMP +#undef HAVE_ADDR_IN_UTMPX +#undef HAVE_ADDR_V6_IN_UTMP +#undef HAVE_ADDR_V6_IN_UTMPX +#undef HAVE_SYSLEN_IN_UTMPX +#undef HAVE_PID_IN_UTMP +#undef HAVE_TYPE_IN_UTMP +#undef HAVE_TV_IN_UTMP +#undef HAVE_ID_IN_UTMP + +/* Define if you want to use utmpx */ +#undef USE_UTMPX + +/* Define is libutil has login() function */ +#undef HAVE_LIBUTIL_LOGIN + +/* Define if you want external askpass support */ +#undef USE_EXTERNAL_ASKPASS + +/* Define if libc defines __progname */ +#undef HAVE___PROGNAME + +/* Define if you want Kerberos 4 support */ +#undef KRB4 + +/* Define if you want AFS support */ +#undef AFS + +/* Define if you want S/Key support */ +#undef SKEY + +/* Define if you want TCP Wrappers support */ +#undef LIBWRAP + +/* Define if your libraries define login() */ +#undef HAVE_LOGIN + +/* Define if your libraries define daemon() */ +#undef HAVE_DAEMON + +/* Define if your libraries define getpagesize() */ +#undef HAVE_GETPAGESIZE + +/* Define if xauth is found in your path */ +#undef XAUTH_PATH + +/* Define if rsh is found in your path */ +#undef RSH_PATH + +/* Define if you want to allow MD5 passwords */ +#undef HAVE_MD5_PASSWORDS + +/* Define if you want to disable shadow passwords */ +#undef DISABLE_SHADOW + +/* Define if you want have trusted HPUX */ +#undef HAVE_HPUX_TRUSTED_SYSTEM_PW + +/* Define if you have an old version of PAM which takes only one argument */ +/* to pam_strerror */ +#undef HAVE_OLD_PAM + +/* Set this to your mail directory if you don't have maillock.h */ +#undef MAIL_DIRECTORY + +/* Data types */ +#undef HAVE_INTXX_T +#undef HAVE_U_INTXX_T +#undef HAVE_UINTXX_T +#undef HAVE_SOCKLEN_T +#undef HAVE_SIZE_T +#undef HAVE_STRUCT_SOCKADDR_STORAGE +#undef HAVE_STRUCT_ADDRINFO +#undef HAVE_STRUCT_IN6_ADDR +#undef HAVE_STRUCT_SOCKADDR_IN6 + +/* Fields in struct sockaddr_storage */ +#undef HAVE_SS_FAMILY_IN_SS +#undef HAVE___SS_FAMILY_IN_SS + +/* Define if you have /dev/ptmx */ +#undef HAVE_DEV_PTMX + +/* Define if you have /dev/ptc */ +#undef HAVE_DEV_PTS_AND_PTC + +/* Define if you need to use IP address instead of hostname in $DISPLAY */ +#undef IPADDR_IN_DISPLAY + +/* Specify default $PATH */ +#undef USER_PATH + +/* Specify location of ssh.pid */ +#undef PIDDIR + +/* Use IPv4 for connection by default, IPv6 can still if explicity asked */ +#undef IPV4_DEFAULT + +/* getaddrinfo is broken (if present) */ +#undef BROKEN_GETADDRINFO + +/* Whether Unix98 ptys are automatically removed when they are closed */ +#undef PTY_REMOVED_ON_CLOSE + +@BOTTOM@ + +/* ******************* Shouldn't need to edit below this line ************** */ + +#include "defines.h" + +#endif /* _CONFIG_H */ diff -ruN ssh-openbsd-2000012700/atomicio.c openssh-1.2.2p1/atomicio.c --- ssh-openbsd-2000012700/atomicio.c Tue Dec 7 07:15:25 1999 +++ openssh-1.2.2p1/atomicio.c Wed Dec 15 09:06:28 1999 @@ -42,7 +42,7 @@ int res, pos = 0; while (n > pos) { - res = (f) (fd, s + pos, n - pos); + res = (f) (fd, (char*)s + pos, n - pos); switch (res) { case -1: if (errno == EINTR || errno == EAGAIN) diff -ruN ssh-openbsd-2000012700/auth-pam.c openssh-1.2.2p1/auth-pam.c --- ssh-openbsd-2000012700/auth-pam.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/auth-pam.c Thu Jan 27 10:55:38 2000 @@ -0,0 +1,239 @@ +/* + * Author: Damien Miller + * Copyright (c) 1999 Damien Miller + * All rights reserved + * Created: Thursday December 30 1999 + * PAM authentication and session management code. + */ + +#include "includes.h" + +#ifdef USE_PAM +#include "ssh.h" +#include "xmalloc.h" +#include "servconf.h" + +RCSID("$Id: auth-pam.c,v 1.2 2000/01/26 23:55:38 damien Exp $"); + +/* Callbacks */ +static int pamconv(int num_msg, const struct pam_message **msg, + struct pam_response **resp, void *appdata_ptr); +void pam_cleanup_proc(void *context); + +/* module-local variables */ +static struct pam_conv conv = { + pamconv, + NULL +}; +static struct pam_handle_t *pamh = NULL; +static const char *pampasswd = NULL; +static char *pamconv_msg = NULL; + +/* PAM conversation function. This is really a kludge to get the password */ +/* into PAM and to pick up any messages generated by PAM into pamconv_msg */ +static int pamconv(int num_msg, const struct pam_message **msg, + struct pam_response **resp, void *appdata_ptr) +{ + struct pam_response *reply; + int count; + size_t msg_len; + char *p; + + /* PAM will free this later */ + reply = malloc(num_msg * sizeof(*reply)); + if (reply == NULL) + return PAM_CONV_ERR; + + for(count = 0; count < num_msg; count++) { + switch (msg[count]->msg_style) { + case PAM_PROMPT_ECHO_OFF: + if (pampasswd == NULL) { + free(reply); + return PAM_CONV_ERR; + } + reply[count].resp_retcode = PAM_SUCCESS; + reply[count].resp = xstrdup(pampasswd); + break; + + case PAM_TEXT_INFO: + reply[count].resp_retcode = PAM_SUCCESS; + reply[count].resp = xstrdup(""); + + if (msg[count]->msg == NULL) + break; + + debug("Adding PAM message: %s", msg[count]->msg); + + msg_len = strlen(msg[count]->msg); + if (pamconv_msg) { + size_t n = strlen(pamconv_msg); + pamconv_msg = xrealloc(pamconv_msg, n + msg_len + 2); + p = pamconv_msg + n; + } else { + pamconv_msg = p = xmalloc(msg_len + 2); + } + memcpy(p, msg[count]->msg, msg_len); + p[msg_len] = '\n'; + p[msg_len + 1] = '\0'; + break; + + case PAM_PROMPT_ECHO_ON: + case PAM_ERROR_MSG: + default: + free(reply); + return PAM_CONV_ERR; + } + } + + *resp = reply; + + return PAM_SUCCESS; +} + +/* Called at exit to cleanly shutdown PAM */ +void pam_cleanup_proc(void *context) +{ + int pam_retval; + + if (pamh != NULL) + { + pam_retval = pam_close_session((pam_handle_t *)pamh, 0); + if (pam_retval != PAM_SUCCESS) { + log("Cannot close PAM session: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + + pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED); + if (pam_retval != PAM_SUCCESS) { + log("Cannot delete credentials: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + + pam_retval = pam_end((pam_handle_t *)pamh, pam_retval); + if (pam_retval != PAM_SUCCESS) { + log("Cannot release PAM authentication: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + } +} + +/* Attempt password authentation using PAM */ +int auth_pam_password(struct passwd *pw, const char *password) +{ + extern ServerOptions options; + int pam_retval; + + /* deny if no user. */ + if (pw == NULL) + return 0; + if (pw->pw_uid == 0 && options.permit_root_login == 2) + return 0; + if (*password == '\0' && options.permit_empty_passwd == 0) + return 0; + + pampasswd = password; + + pam_retval = pam_authenticate((pam_handle_t *)pamh, 0); + if (pam_retval == PAM_SUCCESS) { + debug("PAM Password authentication accepted for user \"%.100s\"", pw->pw_name); + return 1; + } else { + debug("PAM Password authentication for \"%.100s\" failed: %s", + pw->pw_name, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + return 0; + } +} + +/* Do account management using PAM */ +int do_pam_account(char *username, char *remote_user) +{ + int pam_retval; + + debug("PAM setting rhost to \"%.200s\"", get_canonical_hostname()); + pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, + get_canonical_hostname()); + if (pam_retval != PAM_SUCCESS) { + fatal("PAM set rhost failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + + if (remote_user != NULL) { + debug("PAM setting ruser to \"%.200s\"", remote_user); + pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user); + if (pam_retval != PAM_SUCCESS) { + fatal("PAM set ruser failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + } + + pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0); + if (pam_retval != PAM_SUCCESS) { + log("PAM rejected by account configuration: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + return(0); + } + + return(1); +} + +/* Do PAM-specific session initialisation */ +void do_pam_session(char *username, const char *ttyname) +{ + int pam_retval; + + if (ttyname != NULL) { + debug("PAM setting tty to \"%.200s\"", ttyname); + pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_TTY, ttyname); + if (pam_retval != PAM_SUCCESS) + fatal("PAM set tty failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + + pam_retval = pam_open_session((pam_handle_t *)pamh, 0); + if (pam_retval != PAM_SUCCESS) + fatal("PAM session setup failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); +} + +/* Set PAM credentials */ +void do_pam_setcred() +{ + int pam_retval; + + debug("PAM establishing creds"); + pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_ESTABLISH_CRED); + if (pam_retval != PAM_SUCCESS) + fatal("PAM setcred failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); +} + +/* Cleanly shutdown PAM */ +void finish_pam(void) +{ + pam_cleanup_proc(NULL); + fatal_remove_cleanup(&pam_cleanup_proc, NULL); +} + +/* Start PAM authentication for specified account */ +void start_pam(struct passwd *pw) +{ + int pam_retval; + + debug("Starting up PAM with username \"%.200s\"", pw->pw_name); + + pam_retval = pam_start("sshd", pw->pw_name, &conv, (pam_handle_t**)&pamh); + if (pam_retval != PAM_SUCCESS) + fatal("PAM initialisation failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + + fatal_add_cleanup(&pam_cleanup_proc, NULL); +} + +/* Return list of PAM enviornment strings */ +char **fetch_pam_environment(void) +{ + return(pam_getenvlist((pam_handle_t *)pamh)); +} + +/* Print any messages that have been generated during authentication */ +/* or account checking to stderr */ +void print_pam_messages(void) +{ + if (pamconv_msg != NULL) + fprintf(stderr, pamconv_msg); +} + +#endif /* USE_PAM */ diff -ruN ssh-openbsd-2000012700/auth-pam.h openssh-1.2.2p1/auth-pam.h --- ssh-openbsd-2000012700/auth-pam.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/auth-pam.h Thu Jan 27 10:55:38 2000 @@ -0,0 +1,15 @@ +#include "includes.h" +#ifdef USE_PAM + +#include /* For struct passwd */ + +void start_pam(struct passwd *pw); +void finish_pam(void); +int auth_pam_password(struct passwd *pw, const char *password); +char **fetch_pam_environment(void); +int do_pam_account(char *username, char *remote_user); +void do_pam_session(char *username, const char *ttyname); +void do_pam_setcred(); +void print_pam_messages(void); + +#endif /* USE_PAM */ diff -ruN ssh-openbsd-2000012700/auth-passwd.c openssh-1.2.2p1/auth-passwd.c --- ssh-openbsd-2000012700/auth-passwd.c Wed Dec 29 23:47:46 1999 +++ openssh-1.2.2p1/auth-passwd.c Sun Jan 23 10:32:03 2000 @@ -8,6 +8,9 @@ */ #include "includes.h" + +#ifndef USE_PAM + RCSID("$Id: auth-passwd.c,v 1.14 1999/12/29 12:47:46 markus Exp $"); #include "packet.h" @@ -15,6 +18,17 @@ #include "servconf.h" #include "xmalloc.h" +#ifdef WITH_AIXAUTHENTICATE +#include +#endif + +#ifdef HAVE_SHADOW_H +# include +#endif +#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) +# include "md5crypt.h" +#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ + /* * Tries to authenticate the user using password. Returns true if * authentication succeeds. @@ -24,6 +38,16 @@ { extern ServerOptions options; char *encrypted_password; + char *pw_password; + char *salt; +#ifdef HAVE_SHADOW_H + struct spwd *spw; +#endif +#ifdef WITH_AIXAUTHENTICATE + char *authmsg; + char *loginmsg; + int reenter = 1; +#endif /* deny if no user. */ if (pw == NULL) @@ -41,6 +65,11 @@ /* Fall back to ordinary passwd authentication. */ } #endif + +#ifdef WITH_AIXAUTHENTICATE + return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); +#endif + #ifdef KRB4 if (options.kerberos_authentication == 1) { int ret = auth_krb4_password(pw, password); @@ -53,10 +82,36 @@ /* Check for users with no password. */ if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) return 1; - /* Encrypt the candidate password using the proper salt. */ - encrypted_password = crypt(password, - (pw->pw_passwd[0] && pw->pw_passwd[1]) ? pw->pw_passwd : "xx"); + + pw_password = pw->pw_passwd; + +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) + spw = getspnam(pw->pw_name); + if (spw != NULL) + { + /* Check for users with no password. */ + if (strcmp(password, "") == 0 && strcmp(spw->sp_pwdp, "") == 0) + return 1; + + pw_password = spw->sp_pwdp; + } +#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ + + if (pw_password[0] != '\0') + salt = pw_password; + else + salt = "xx"; + +#ifdef HAVE_MD5_PASSWORDS + if (is_md5_salt(salt)) + encrypted_password = md5_crypt(password, salt); + else + encrypted_password = crypt(password, salt); +#else /* HAVE_MD5_PASSWORDS */ + encrypted_password = crypt(password, salt); +#endif /* HAVE_MD5_PASSWORDS */ /* Authentication is accepted if the encrypted passwords are identical. */ - return (strcmp(encrypted_password, pw->pw_passwd) == 0); + return (strcmp(encrypted_password, pw_password) == 0); } +#endif /* !USE_PAM */ diff -ruN ssh-openbsd-2000012700/auth-rsa.c openssh-1.2.2p1/auth-rsa.c --- ssh-openbsd-2000012700/auth-rsa.c Tue Jan 18 20:41:05 2000 +++ openssh-1.2.2p1/auth-rsa.c Thu Jan 20 22:44:09 2000 @@ -26,8 +26,14 @@ #include "uidswap.h" #include "servconf.h" +#ifdef HAVE_OPENSSL +#include +#include +#endif +#ifdef HAVE_SSL #include #include +#endif /* Flags that may be set in authorized_keys options. */ extern int no_port_forwarding_flag; diff -ruN ssh-openbsd-2000012700/auth-skey.c openssh-1.2.2p1/auth-skey.c --- ssh-openbsd-2000012700/auth-skey.c Tue Dec 7 06:04:57 1999 +++ openssh-1.2.2p1/auth-skey.c Tue Jan 11 10:59:47 2000 @@ -1,9 +1,19 @@ #include "includes.h" + +#ifdef SKEY RCSID("$Id: auth-skey.c,v 1.5 1999/12/06 19:04:57 deraadt Exp $"); #include "ssh.h" #include "packet.h" -#include + +#ifdef HAVE_OPENSSL +#include +#endif +#ifdef HAVE_SSL +#include +#endif + +/* from %OpenBSD: skeylogin.c,v 1.32 1999/08/16 14:46:56 millert Exp % */ /* * try skey authentication, @@ -69,8 +79,9 @@ static char skeyprompt[SKEY_MAX_CHALLENGE+1]; char *secret = NULL; size_t secretlen = 0; - SHA1_CTX ctx; + SHA_CTX ctx; char *p, *u; + char md[SHA_DIGEST_LENGTH]; /* * Base first 4 chars of seed on hostname. @@ -87,11 +98,16 @@ pbuf[4] = '\0'; /* Hash the username if possible */ - if ((up = SHA1Data(username, strlen(username), NULL)) != NULL) { + up = malloc(SHA_DIGEST_LENGTH); + if (up != NULL) { struct stat sb; time_t t; int fd; + SHA1_Init(&ctx); + SHA1_Update(&ctx, username, strlen(username)); + SHA1_End(&ctx, up); + /* Collapse the hash */ ptr = hash_collapse(up); memset(up, 0, strlen(up)); @@ -121,18 +137,18 @@ /* Put that in your pipe and smoke it */ if (flg == 0) { /* Hash secret value with username */ - SHA1Init(&ctx); - SHA1Update(&ctx, secret, secretlen); - SHA1Update(&ctx, username, strlen(username)); - SHA1End(&ctx, up); + SHA1_Init(&ctx); + SHA1_Update(&ctx, secret, secretlen); + SHA1_Update(&ctx, username, strlen(username)); + SHA1_End(&ctx, up); /* Zero out */ memset(secret, 0, secretlen); /* Now hash the hash */ - SHA1Init(&ctx); - SHA1Update(&ctx, up, strlen(up)); - SHA1End(&ctx, up); + SHA1_Init(&ctx); + SHA1_Update(&ctx, up, strlen(up)); + SHA1_End(&ctx, up); ptr = hash_collapse(up + 4); @@ -145,7 +161,7 @@ /* Sequence number */ ptr = ((up[2] + up[3]) % 99) + 1; - memset(up, 0, 20); /* SHA1 specific */ + memset(up, 0, SHA_DIGEST_LENGTH); /* SHA1 specific */ free(up); (void)snprintf(skeyprompt, sizeof skeyprompt, @@ -179,3 +195,5 @@ } return skeyprompt; } + +#endif /* SKEY */ diff -ruN ssh-openbsd-2000012700/authfd.c openssh-1.2.2p1/authfd.c --- ssh-openbsd-2000012700/authfd.c Thu Dec 16 06:43:10 1999 +++ openssh-1.2.2p1/authfd.c Thu Dec 16 13:18:04 1999 @@ -24,7 +24,12 @@ #include "xmalloc.h" #include "getput.h" +#ifdef HAVE_OPENSSL +#include +#endif +#ifdef HAVE_SSL #include +#endif /* Returns the number of the authentication fd, or -1 if there is none. */ diff -ruN ssh-openbsd-2000012700/authfile.c openssh-1.2.2p1/authfile.c --- ssh-openbsd-2000012700/authfile.c Tue Dec 7 06:11:15 1999 +++ openssh-1.2.2p1/authfile.c Thu Mar 2 23:57:18 2000 @@ -17,7 +17,13 @@ #include "includes.h" RCSID("$Id: authfile.c,v 1.11 1999/12/06 19:11:15 deraadt Exp $"); +#ifdef HAVE_OPENSSL +#include +#endif +#ifdef HAVE_SSL #include +#endif + #include "xmalloc.h" #include "buffer.h" #include "bufaux.h" @@ -222,7 +228,7 @@ /* check owner and modes */ if (fstat(fd, &st) < 0 || - (st.st_uid != 0 && st.st_uid != getuid()) || + (st.st_uid != 0 && getuid() != 0 && st.st_uid != getuid()) || (st.st_mode & 077) != 0) { close(fd); error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); diff -ruN ssh-openbsd-2000012700/bsd-bindresvport.c openssh-1.2.2p1/bsd-bindresvport.c --- ssh-openbsd-2000012700/bsd-bindresvport.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/bsd-bindresvport.c Sat Jan 22 18:17:43 2000 @@ -0,0 +1,112 @@ +/* + * Sun RPC is a product of Sun Microsystems, Inc. and is provided for + * unrestricted use provided that this legend is included on all tape + * media and as a part of the software program in whole or part. Users + * may copy or modify Sun RPC without charge, but are not authorized + * to license or distribute it to anyone else except as part of a product or + * program developed by the user. + * + * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE + * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR + * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. + * + * Sun RPC is provided with no support and without any obligation on the + * part of Sun Microsystems, Inc. to assist in its use, correction, + * modification or enhancement. + * + * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE + * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC + * OR ANY PART THEREOF. + * + * In no event will Sun Microsystems, Inc. be liable for any lost revenue + * or profits or other special, indirect and consequential damages, even if + * Sun has been advised of the possibility of such damages. + * + * Sun Microsystems, Inc. + * 2550 Garcia Avenue + * Mountain View, California 94043 + */ + +#include "config.h" + +#ifndef HAVE_BINRESVPORT_AF + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: bindresvport.c,v 1.11 1999/12/17 19:22:08 deraadt Exp $"; +#endif /* LIBC_SCCS and not lint */ + +/* + * Copyright (c) 1987 by Sun Microsystems, Inc. + * + * Portions Copyright(C) 1996, Jason Downs. All rights reserved. + */ + +#include "includes.h" + +#define STARTPORT 600 +#define ENDPORT (IPPORT_RESERVED - 1) +#define NPORTS (ENDPORT - STARTPORT + 1) + +/* + * Bind a socket to a privileged IP port + */ +int +bindresvport_af(sd, sa, af) + int sd; + struct sockaddr *sa; + int af; +{ + int error; + struct sockaddr_storage myaddr; + struct sockaddr_in *sin; + struct sockaddr_in6 *sin6; + u_int16_t *portp; + u_int16_t port; + int salen; + int i; + + if (sa == NULL) { + memset(&myaddr, 0, sizeof(myaddr)); + sa = (struct sockaddr *)&myaddr; + } + + if (af == AF_INET) { + sin = (struct sockaddr_in *)sa; + salen = sizeof(struct sockaddr_in); + portp = &sin->sin_port; + } else if (af == AF_INET6) { + sin6 = (struct sockaddr_in6 *)sa; + salen = sizeof(struct sockaddr_in6); + portp = &sin6->sin6_port; + } else { + errno = EPFNOSUPPORT; + return (-1); + } + sa->sa_family = af; + + port = ntohs(*portp); + if (port == 0) + port = (arc4random() % NPORTS) + STARTPORT; + + for(i = 0; i < NPORTS; i++) { + *portp = htons(port); + + error = bind(sd, sa, salen); + + /* Terminate on success */ + if (error == 0) + break; + + /* Terminate on errors, except "address already in use" */ + if ((error < 0) && !((errno == EADDRINUSE) || (errno == EINVAL))) + break; + + port++; + if (port > ENDPORT) + port = STARTPORT; + } + + return (error); +} + +#endif /* HAVE_BINRESVPORT_AF */ diff -ruN ssh-openbsd-2000012700/bsd-bindresvport.h openssh-1.2.2p1/bsd-bindresvport.h --- ssh-openbsd-2000012700/bsd-bindresvport.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/bsd-bindresvport.h Fri Jan 14 15:45:47 2000 @@ -0,0 +1,10 @@ +#ifndef _BSD_BINRESVPORT_H +#define _BSD_BINRESVPORT_H + +#include "config.h" + +#ifndef HAVE_BINRESVPORT_AF +int bindresvport_af(int sd, struct sockaddr *sa, int af); +#endif /* !HAVE_BINRESVPORT_AF */ + +#endif /* _BSD_BINRESVPORT_H */ diff -ruN ssh-openbsd-2000012700/bsd-daemon.c openssh-1.2.2p1/bsd-daemon.c --- ssh-openbsd-2000012700/bsd-daemon.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/bsd-daemon.c Sat Nov 20 12:18:40 1999 @@ -0,0 +1,81 @@ +/*- + * Copyright (c) 1990, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "config.h" + +#ifndef HAVE_DAEMON + +#if defined(LIBC_SCCS) && !defined(lint) +static char rcsid[] = "$OpenBSD: daemon.c,v 1.2 1996/08/19 08:22:13 tholo Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +#ifdef HAVE_PATHS_H +# include +#endif + +int +daemon(nochdir, noclose) + int nochdir, noclose; +{ + int fd; + + switch (fork()) { + case -1: + return (-1); + case 0: + break; + default: + _exit(0); + } + + if (setsid() == -1) + return (-1); + + if (!nochdir) + (void)chdir("/"); + + if (!noclose && (fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) { + (void)dup2(fd, STDIN_FILENO); + (void)dup2(fd, STDOUT_FILENO); + (void)dup2(fd, STDERR_FILENO); + if (fd > 2) + (void)close (fd); + } + return (0); +} + +#endif /* !HAVE_DAEMON */ + diff -ruN ssh-openbsd-2000012700/bsd-daemon.h openssh-1.2.2p1/bsd-daemon.h --- ssh-openbsd-2000012700/bsd-daemon.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/bsd-daemon.h Fri Nov 19 15:32:34 1999 @@ -0,0 +1,9 @@ +#ifndef _BSD_DAEMON_H +#define _BSD_DAEMON_H + +#include "config.h" +#ifndef HAVE_DAEMON +int daemon(int nochdir, int noclose); +#endif /* !HAVE_DAEMON */ + +#endif /* _BSD_DAEMON_H */ diff -ruN ssh-openbsd-2000012700/bsd-login.c openssh-1.2.2p1/bsd-login.c --- ssh-openbsd-2000012700/bsd-login.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/bsd-login.c Sun Dec 26 10:21:48 1999 @@ -0,0 +1,116 @@ +/* $OpenBSD: login.c,v 1.5 1998/07/13 02:11:12 millert Exp $ */ +/* + * Copyright (c) 1988, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "config.h" +#ifndef HAVE_LOGIN + +#if defined(LIBC_SCCS) && !defined(lint) +/* from: static char sccsid[] = "@(#)login.c 8.1 (Berkeley) 6/4/93"; */ +static char *rcsid = "$OpenBSD: login.c,v 1.5 1998/07/13 02:11:12 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include + +#include +#include +#include +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) +# include +#endif +#ifdef HAVE_UTMP_H +# include +#endif +#include +#include + +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) +void +login(utp,utx) + struct utmp *utp; + struct utmpx *utx; +#else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ +void +login(utp) + struct utmp *utp; +#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ +{ +#if defined(HAVE_HOST_IN_UTMP) + struct utmp old_ut; +#endif +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) + struct utmpx *old_utx; +#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ + register int fd; + int tty; + + tty = ttyslot(); + if (tty > 0 && (fd = open(_PATH_UTMP, O_RDWR|O_CREAT, 0644)) >= 0) { + +#if defined(HAVE_HOST_IN_UTMP) +# ifndef UT_LINESIZE +# define UT_LINESIZE (sizeof(old_ut.ut_line)) +# define UT_NAMESIZE (sizeof(old_ut.ut_name)) +# define UT_HOSTSIZE (sizeof(old_ut.ut_host)) +# endif + (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); + /* + * Prevent luser from zero'ing out ut_host. + * If the new ut_line is empty but the old one is not + * and ut_line and ut_name match, preserve the old ut_line. + */ + if (read(fd, &old_ut, sizeof(struct utmp)) == + sizeof(struct utmp) && utp->ut_host[0] == '\0' && + old_ut.ut_host[0] != '\0' && + strncmp(old_ut.ut_line, utp->ut_line, UT_LINESIZE) == 0 && + strncmp(old_ut.ut_name, utp->ut_name, UT_NAMESIZE) == 0) + (void)memcpy(utp->ut_host, old_ut.ut_host, UT_HOSTSIZE); +#endif /* defined(HAVE_HOST_IN_UTMP) */ + (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); + (void)write(fd, utp, sizeof(struct utmp)); + (void)close(fd); + } + if ((fd = open(_PATH_WTMP, O_WRONLY|O_APPEND, 0)) >= 0) { + (void)write(fd, utp, sizeof(struct utmp)); + (void)close(fd); + } +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) + old_utx = pututxline(utx); +# ifdef HAVE_UPDWTMPX + updwtmpx(_PATH_WTMPX, utx); +# endif /* HAVE_UPDWTMPX */ + endutxent(); +#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ +} + +#endif /* HAVE_LOGIN */ diff -ruN ssh-openbsd-2000012700/bsd-login.h openssh-1.2.2p1/bsd-login.h --- ssh-openbsd-2000012700/bsd-login.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/bsd-login.h Sat Dec 25 10:11:29 1999 @@ -0,0 +1,22 @@ +#ifndef _BSD_LOGIN_H +# define _BSD_LOGIN_H + +# include "config.h" +# ifndef HAVE_LOGIN + +# include + +# if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) +# include + +void login(struct utmp *utp, struct utmpx *utx); + +# else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ + +void login(struct utmp *utp); + +# endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ + +# endif /* !HAVE_LOGIN */ + +#endif /* _BSD_LOGIN_H */ diff -ruN ssh-openbsd-2000012700/bsd-misc.c openssh-1.2.2p1/bsd-misc.c --- ssh-openbsd-2000012700/bsd-misc.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/bsd-misc.c Sat Jan 29 20:40:22 2000 @@ -0,0 +1,183 @@ +/* +** +** OpenBSD replacement routines +** +** Damien Miller +** +** Copyright 1999 Damien Miller +** Copyright 1999 Internet Business Solutions +** +** Permission is hereby granted, free of charge, to any person +** obtaining a copy of this software and associated documentation +** files (the "Software"), to deal in the Software without +** restriction, including without limitation the rights to use, copy, +** modify, merge, publish, distribute, sublicense, and/or sell copies +** of the Software, and to permit persons to whom the Software is +** furnished to do so, subject to the following conditions: +** +** The above copyright notice and this permission notice shall be +** included in all copies or substantial portions of the Software. +** +** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY +** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE +** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE +** AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER OR INTERNET +** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE +** OR OTHER DEALINGS IN THE SOFTWARE. +** +** Except as contained in this notice, the name of Internet Business +** Solutions shall not be used in advertising or otherwise to promote +** the sale, use or other dealings in this Software without prior +** written authorization from Internet Business Solutions. +** +*/ + +#include "config.h" + +#include +#include +#include +#include +#include + +#include +#include +#include +#ifdef HAVE_STDDEF_H +#include +#endif + +#include "xmalloc.h" +#include "ssh.h" +#include "bsd-misc.h" +#include "random.h" + +#ifndef HAVE_ARC4RANDOM + +typedef struct +{ + unsigned int s[256]; + int i; + int j; +} rc4_t; + +void rc4_key(rc4_t *r, unsigned char *key, int len); +void rc4_getbytes(rc4_t *r, unsigned char *buffer, int len); + +static rc4_t *rc4 = NULL; + +void rc4_key(rc4_t *r, unsigned char *key, int len) +{ + int t; + + for(r->i = 0; r->i < 256; r->i++) + r->s[r->i] = r->i; + + r->j = 0; + for(r->i = 0; r->i < 256; r->i++) + { + r->j = (r->j + r->s[r->i] + key[r->i % len]) % 256; + t = r->s[r->i]; + r->s[r->i] = r->s[r->j]; + r->s[r->j] = t; + } + r->i = r->j = 0; +} + +void rc4_getbytes(rc4_t *r, unsigned char *buffer, int len) +{ + int t; + int c; + + c = 0; + while(c < len) + { + r->i = (r->i + 1) % 256; + r->j = (r->j + r->s[r->i]) % 256; + t = r->s[r->i]; + r->s[r->i] = r->s[r->j]; + r->s[r->j] = t; + + t = (r->s[r->i] + r->s[r->j]) % 256; + + buffer[c] = r->s[t]; + c++; + } +} + +unsigned int arc4random(void) +{ + unsigned int r; + + if (rc4 == NULL) + arc4random_stir(); + + rc4_getbytes(rc4, (unsigned char *)&r, sizeof(r)); + + return(r); +} + +void arc4random_stir(void) +{ + unsigned char rand_buf[32]; + + if (rc4 == NULL) + rc4 = xmalloc(sizeof(*rc4)); + + get_random_bytes(rand_buf, sizeof(rand_buf)); + rc4_key(rc4, rand_buf, sizeof(rand_buf)); + memset(rand_buf, 0, sizeof(rand_buf)); +} +#endif /* !HAVE_ARC4RANDOM */ + +#ifndef HAVE_SETPROCTITLE +void setproctitle(const char *fmt, ...) +{ + /* FIXME */ +} +#endif /* !HAVE_SETPROCTITLE */ + +#ifndef HAVE_SETENV +int setenv(const char *name, const char *value, int overwrite) +{ + char *env_string; + int result; + + /* Don't overwrite existing env. var if overwrite is 0 */ + if (!overwrite && (getenv(name) != NULL)) + return(0); + + env_string = xmalloc(strlen(name) + strlen(value) + 2); + sprintf(env_string, "%s=%s", name, value); + + result = putenv(env_string); + + xfree(env_string); + + return(result); +} +#endif /* !HAVE_SETENV */ + +#ifndef HAVE_SETLOGIN +int setlogin(const char *name) +{ + return(0); +} +#endif /* !HAVE_SETLOGIN */ + +#ifndef HAVE_INNETGR +int innetgr(const char *netgroup, const char *host, + const char *user, const char *domain) +{ + return(0); +} +#endif /* HAVE_INNETGR */ + +#if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) +int seteuid(uid_t euid) +{ + return(setreuid(-1,euid)); +} +#endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */ diff -ruN ssh-openbsd-2000012700/bsd-misc.h openssh-1.2.2p1/bsd-misc.h --- ssh-openbsd-2000012700/bsd-misc.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/bsd-misc.h Thu Jan 6 20:28:41 2000 @@ -0,0 +1,68 @@ +/* +** +** OpenBSD replacement routines +** +** Damien Miller +** +** Copyright 1999 Damien Miller +** Copyright 1999 Internet Business Solutions +** +** Permission is hereby granted, free of charge, to any person +** obtaining a copy of this software and associated documentation +** files (the "Software"), to deal in the Software without +** restriction, including without limitation the rights to use, copy, +** modify, merge, publish, distribute, sublicense, and/or sell copies +** of the Software, and to permit persons to whom the Software is +** furnished to do so, subject to the following conditions: +** +** The above copyright notice and this permission notice shall be +** included in all copies or substantial portions of the Software. +** +** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY +** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE +** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE +** AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER OR INTERNET +** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE +** OR OTHER DEALINGS IN THE SOFTWARE. +** +** Except as contained in this notice, the name of Internet Business +** Solutions shall not be used in advertising or otherwise to promote +** the sale, use or other dealings in this Software without prior +** written authorization from Internet Business Solutions. +** +*/ + +#ifndef _BSD_MISC_H +#define _BSD_MISC_H + +#include "config.h" + +#ifndef HAVE_ARC4RANDOM +unsigned int arc4random(void); +void arc4random_stir(void); +#endif /* !HAVE_ARC4RANDOM */ + +#ifndef HAVE_SETPROCTITLE +void setproctitle(const char *fmt, ...); +#endif /* !HAVE_SETPROCTITLE */ + +#ifndef HAVE_SETENV +int setenv(const char *name, const char *value, int overwrite); +#endif /* !HAVE_SETENV */ + +#ifndef HAVE_SETLOGIN +int setlogin(const char *name); +#endif /* !HAVE_SETLOGIN */ + +#ifndef HAVE_INNETGR +int innetgr(const char *netgroup, const char *host, + const char *user, const char *domain); +#endif /* HAVE_INNETGR */ + +#if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) +int seteuid(uid_t euid); +#endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */ + +#endif /* _BSD_MISC_H */ diff -ruN ssh-openbsd-2000012700/bsd-mktemp.c openssh-1.2.2p1/bsd-mktemp.c --- ssh-openbsd-2000012700/bsd-mktemp.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/bsd-mktemp.c Wed Dec 29 19:56:30 1999 @@ -0,0 +1,189 @@ +/* THIS FILE HAS BEEN MODIFIED FROM THE ORIGINAL OPENBSD SOURCE */ +/* Changes: Removed mktemp */ + +/* + * Copyright (c) 1987, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "config.h" + +#ifndef HAVE_MKDTEMP + +#if defined(LIBC_SCCS) && !defined(lint) +static char rcsid[] = "$OpenBSD: mktemp.c,v 1.13 1998/06/30 23:03:13 deraadt Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "bsd-misc.h" + +static int _gettemp(char *, int *, int, int); + +int +mkstemps(path, slen) + char *path; + int slen; +{ + int fd; + + return (_gettemp(path, &fd, 0, slen) ? fd : -1); +} + +int +mkstemp(path) + char *path; +{ + int fd; + + return (_gettemp(path, &fd, 0, 0) ? fd : -1); +} + +char * +mkdtemp(path) + char *path; +{ + return(_gettemp(path, (int *)NULL, 1, 0) ? path : (char *)NULL); +} + +static int +_gettemp(path, doopen, domkdir, slen) + char *path; + register int *doopen; + int domkdir; + int slen; +{ + register char *start, *trv, *suffp; + struct stat sbuf; + int pid, rval; + + if (doopen && domkdir) { + errno = EINVAL; + return(0); + } + + for (trv = path; *trv; ++trv) + ; + trv -= slen; + suffp = trv; + --trv; + if (trv < path) { + errno = EINVAL; + return (0); + } + pid = getpid(); + while (*trv == 'X' && pid != 0) { + *trv-- = (pid % 10) + '0'; + pid /= 10; + } + while (*trv == 'X') { + char c; + + pid = (arc4random() & 0xffff) % (26+26); + if (pid < 26) + c = pid + 'A'; + else + c = (pid - 26) + 'a'; + *trv-- = c; + } + start = trv + 1; + + /* + * check the target directory; if you have six X's and it + * doesn't exist this runs for a *very* long time. + */ + if (doopen || domkdir) { + for (;; --trv) { + if (trv <= path) + break; + if (*trv == '/') { + *trv = '\0'; + rval = stat(path, &sbuf); + *trv = '/'; + if (rval != 0) + return(0); + if (!S_ISDIR(sbuf.st_mode)) { + errno = ENOTDIR; + return(0); + } + break; + } + } + } + + for (;;) { + if (doopen) { + if ((*doopen = + open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0) + return(1); + if (errno != EEXIST) + return(0); + } else if (domkdir) { + if (mkdir(path, 0700) == 0) + return(1); + if (errno != EEXIST) + return(0); + } else if (lstat(path, &sbuf)) + return(errno == ENOENT ? 1 : 0); + + /* tricky little algorithm for backward compatibility */ + for (trv = start;;) { + if (!*trv) + return (0); + if (*trv == 'Z') { + if (trv == suffp) + return (0); + *trv++ = 'a'; + } else { + if (isdigit(*trv)) + *trv = 'a'; + else if (*trv == 'z') /* inc from z to A */ + *trv = 'A'; + else { + if (trv == suffp) + return (0); + ++*trv; + } + break; + } + } + } + /*NOTREACHED*/ +} + +#endif /* !HAVE_MKDTEMP */ diff -ruN ssh-openbsd-2000012700/bsd-mktemp.h openssh-1.2.2p1/bsd-mktemp.h --- ssh-openbsd-2000012700/bsd-mktemp.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/bsd-mktemp.h Fri Nov 19 15:32:34 1999 @@ -0,0 +1,11 @@ +#ifndef _BSD_MKTEMP_H +#define _BSD_MKTEMP_H + +#include "config.h" +#ifndef HAVE_MKDTEMP +int mkstemps(char *path, int slen); +int mkstemp(char *path); +char *mkdtemp(char *path); +#endif /* !HAVE_MKDTEMP */ + +#endif /* _BSD_MKTEMP_H */ diff -ruN ssh-openbsd-2000012700/bsd-rresvport.c openssh-1.2.2p1/bsd-rresvport.c --- ssh-openbsd-2000012700/bsd-rresvport.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/bsd-rresvport.c Wed Jan 19 13:45:07 2000 @@ -0,0 +1,107 @@ +/* + * Copyright (c) 1995, 1996, 1998 Theo de Raadt. All rights reserved. + * Copyright (c) 1983, 1993, 1994 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * This product includes software developed by Theo de Raadt. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "config.h" + +#ifndef HAVE_RRESVPORT_AF + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: rresvport.c,v 1.4 1999/12/17 20:48:03 deraadt Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include "includes.h" + +#if 0 +int +rresvport(alport) + int *alport; +{ + return rresvport_af(alport, AF_INET); +} +#endif + +int +rresvport_af(alport, af) + int *alport; + int af; +{ + struct sockaddr_storage ss; + struct sockaddr *sa; + u_int16_t *portp; + int s; + int salen; + + bzero(&ss, sizeof ss); + sa = (struct sockaddr *)&ss; + + switch (af) { + case AF_INET: + salen = sizeof(struct sockaddr_in); + portp = &((struct sockaddr_in *)sa)->sin_port; + break; + case AF_INET6: + salen = sizeof(struct sockaddr_in6); + portp = &((struct sockaddr_in6 *)sa)->sin6_port; + break; + default: + errno = EPFNOSUPPORT; + return (-1); + } + sa->sa_family = af; + + s = socket(af, SOCK_STREAM, 0); + if (s < 0) + return (-1); + + *portp = htons(*alport); + if (*alport < IPPORT_RESERVED - 1) { + if (bind(s, sa, salen) >= 0) + return (s); + if (errno != EADDRINUSE) { + (void)close(s); + return (-1); + } + } + + *portp = 0; + if (bindresvport_af(s, sa, af) == -1) { + (void)close(s); + return (-1); + } + *alport = ntohs(*portp); + return (s); +} + +#endif /* HAVE_RRESVPORT_AF */ diff -ruN ssh-openbsd-2000012700/bsd-rresvport.h openssh-1.2.2p1/bsd-rresvport.h --- ssh-openbsd-2000012700/bsd-rresvport.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/bsd-rresvport.h Fri Jan 14 15:45:48 2000 @@ -0,0 +1,10 @@ +#ifndef _BSD_RRESVPORT_H +#define _BSD_RRESVPORT_H + +#include "config.h" + +#ifndef HAVE_RRESVPORT_AF +int rresvport_af(int *alport, int af); +#endif /* !HAVE_RRESVPORT_AF */ + +#endif /* _BSD_RRESVPORT_H */ diff -ruN ssh-openbsd-2000012700/bsd-snprintf.c openssh-1.2.2p1/bsd-snprintf.c --- ssh-openbsd-2000012700/bsd-snprintf.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/bsd-snprintf.c Fri Mar 3 22:48:49 2000 @@ -0,0 +1,181 @@ +/* + * Revision 12: http://theos.com/~deraadt/snprintf.c + * + * Copyright (c) 1997 Theo de Raadt + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" + +#if !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) + +#include +#include +#include +#include +#include +#include +#include +#if __STDC__ +#include +#include +#else +#include +#endif +#include + +#ifndef roundup +#define roundup(x, y) ((((x)+((y)-1))/(y))*(y)) +#endif + +static int pgsize; +static char *curobj; +static int caught; +static sigjmp_buf bail; + +#define EXTRABYTES 2 /* XXX: why 2? you don't want to know */ + +#ifndef HAVE_GETPAGESIZE +int +getpagesize() +{ +#ifdef EXEC_PAGESIZE + return EXEC_PAGESIZE; +#else /* !EXEC_PAGESIZE */ +# ifdef NBPG +# ifndef CLSIZE +# define CLSIZE 1 +# endif /* No CLSIZE */ + return NBPG * CLSIZE; +# else /* !NBPG */ + return NBPC; +# endif /* NBPG */ +#endif /* EXEC_PAGESIZE */ +} +#endif /* HAVE_GETPAGESIZE */ + +static char * +msetup(str, n) + char *str; + size_t n; +{ + char *e; + + if (n == 0) + return NULL; + if (pgsize == 0) + pgsize = getpagesize(); + curobj = (char *)malloc(n + EXTRABYTES + pgsize * 2); + if (curobj == NULL) + return NULL; + e = curobj + n + EXTRABYTES; + e = (char *)roundup((unsigned long)e, pgsize); + if (mprotect(e, pgsize, PROT_NONE) == -1) { + free(curobj); + curobj = NULL; + return NULL; + } + e = e - n - EXTRABYTES; + *e = '\0'; + return (e); +} + +static void +mcatch() +{ + siglongjmp(bail, 1); +} + +static void +mcleanup(str, n, p) + char *str; + size_t n; + char *p; +{ + strncpy(str, p, n-1); + str[n-1] = '\0'; + if (mprotect((caddr_t)(p + n + EXTRABYTES), pgsize, + PROT_READ|PROT_WRITE|PROT_EXEC) == -1) + mprotect((caddr_t)(p + n + EXTRABYTES), pgsize, + PROT_READ|PROT_WRITE); + free(curobj); +} + +#if !defined(HAVE_VSNPRINTF) +int +vsnprintf(str, n, fmt, ap) + char *str; + size_t n; + char *fmt; + va_list *ap; +{ + struct sigaction osa, nsa; + char *p; + int ret = n + 1; /* if we bail, indicated we overflowed */ + + memset(&nsa, 0, sizeof nsa); + nsa.sa_handler = mcatch; + sigemptyset(&nsa.sa_mask); + + p = msetup(str, n); + if (p == NULL) { + *str = '\0'; + return 0; + } + if (sigsetjmp(bail, 1) == 0) { + if (sigaction(SIGSEGV, &nsa, &osa) == -1) { + mcleanup(str, n, p); + return (0); + } + ret = vsprintf(p, fmt, ap); + } + mcleanup(str, n, p); + (void) sigaction(SIGSEGV, &osa, NULL); + return (ret); +} +#endif /* !defined(HAVE_VSNPRINTF) */ + +#if !defined(HAVE_SNPRINTF) +int +#if __STDC__ +snprintf(char *str, size_t n, char const *fmt, ...) +#else +snprintf(str, n, fmt, va_alist) + char *str; + size_t n; + char *fmt; + va_dcl +#endif +{ + va_list ap; +#if __STDC__ + va_start(ap, fmt); +#else + va_start(ap); +#endif + + return (vsnprintf(str, n, fmt, ap)); + va_end(ap); +} +#endif /* !defined(HAVE_SNPRINTF) */ + +#endif /* !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) */ diff -ruN ssh-openbsd-2000012700/bsd-snprintf.h openssh-1.2.2p1/bsd-snprintf.h --- ssh-openbsd-2000012700/bsd-snprintf.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/bsd-snprintf.h Sun Mar 5 16:10:04 2000 @@ -0,0 +1,17 @@ +#ifndef _BSD_SNPRINTF_H +#define _BSD_SNPRINTF_H + +#include "config.h" + +#include /* For size_t */ + +#ifndef HAVE_SNPRINTF +int snprintf(char *str, size_t n, char const *fmt, ...); +#endif /* !HAVE_SNPRINTF */ + +#ifndef HAVE_VSNPRINTF +int vsnprintf(char *str, size_t n, char *fmt, va_list *ap); +#endif /* !HAVE_SNPRINTF */ + + +#endif /* _BSD_SNPRINTF_H */ diff -ruN ssh-openbsd-2000012700/bsd-strlcat.c openssh-1.2.2p1/bsd-strlcat.c --- ssh-openbsd-2000012700/bsd-strlcat.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/bsd-strlcat.c Mon Nov 22 13:57:07 1999 @@ -0,0 +1,76 @@ +/* $OpenBSD: strlcat.c,v 1.2 1999/06/17 16:28:58 millert Exp $ */ + +/* + * Copyright (c) 1998 Todd C. Miller + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL + * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; + * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" +#ifndef HAVE_STRLCAT + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: strlcat.c,v 1.2 1999/06/17 16:28:58 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +/* + * Appends src to string dst of size siz (unlike strncat, siz is the + * full size of dst, not space left). At most siz-1 characters + * will be copied. Always NUL terminates (unless siz == 0). + * Returns strlen(src); if retval >= siz, truncation occurred. + */ +size_t strlcat(dst, src, siz) + char *dst; + const char *src; + size_t siz; +{ + register char *d = dst; + register const char *s = src; + register size_t n = siz; + size_t dlen; + + /* Find the end of dst and adjust bytes left but don't go past end */ + while (*d != '\0' && n-- != 0) + d++; + dlen = d - dst; + n = siz - dlen; + + if (n == 0) + return(dlen + strlen(s)); + while (*s != '\0') { + if (n != 1) { + *d++ = *s; + n--; + } + s++; + } + *d = '\0'; + + return(dlen + (s - src)); /* count does not include NUL */ +} + +#endif /* !HAVE_STRLCAT */ diff -ruN ssh-openbsd-2000012700/bsd-strlcat.h openssh-1.2.2p1/bsd-strlcat.h --- ssh-openbsd-2000012700/bsd-strlcat.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/bsd-strlcat.h Mon Nov 22 13:57:07 1999 @@ -0,0 +1,10 @@ +#ifndef _BSD_STRLCAT_H +#define _BSD_STRLCAT_H + +#include "config.h" +#ifndef HAVE_STRLCAT +#include +size_t strlcat(char *dst, const char *src, size_t siz); +#endif /* !HAVE_STRLCAT */ + +#endif /* _BSD_STRLCAT_H */ diff -ruN ssh-openbsd-2000012700/bsd-strlcpy.c openssh-1.2.2p1/bsd-strlcpy.c --- ssh-openbsd-2000012700/bsd-strlcpy.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/bsd-strlcpy.c Fri Nov 19 15:32:34 1999 @@ -0,0 +1,73 @@ +/* $OpenBSD: strlcpy.c,v 1.4 1999/05/01 18:56:41 millert Exp $ */ + +/* + * Copyright (c) 1998 Todd C. Miller + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL + * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; + * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" +#ifndef HAVE_STRLCPY + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: strlcpy.c,v 1.4 1999/05/01 18:56:41 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +/* + * Copy src to string dst of size siz. At most siz-1 characters + * will be copied. Always NUL terminates (unless siz == 0). + * Returns strlen(src); if retval >= siz, truncation occurred. + */ +size_t strlcpy(dst, src, siz) + char *dst; + const char *src; + size_t siz; +{ + register char *d = dst; + register const char *s = src; + register size_t n = siz; + + /* Copy as many bytes as will fit */ + if (n != 0 && --n != 0) { + do { + if ((*d++ = *s++) == 0) + break; + } while (--n != 0); + } + + /* Not enough room in dst, add NUL and traverse rest of src */ + if (n == 0) { + if (siz != 0) + *d = '\0'; /* NUL-terminate dst */ + while (*s++) + ; + } + + return(s - src - 1); /* count does not include NUL */ +} + +#endif /* !HAVE_STRLCPY */ diff -ruN ssh-openbsd-2000012700/bsd-strlcpy.h openssh-1.2.2p1/bsd-strlcpy.h --- ssh-openbsd-2000012700/bsd-strlcpy.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/bsd-strlcpy.h Fri Nov 19 15:32:34 1999 @@ -0,0 +1,10 @@ +#ifndef _BSD_STRLCPY_H +#define _BSD_STRLCPY_H + +#include "config.h" +#ifndef HAVE_STRLCPY +#include +size_t strlcpy(char *dst, const char *src, size_t siz); +#endif /* !HAVE_STRLCPY */ + +#endif /* _BSD_STRLCPY_H */ diff -ruN ssh-openbsd-2000012700/bufaux.c openssh-1.2.2p1/bufaux.c --- ssh-openbsd-2000012700/bufaux.c Thu Nov 25 06:53:44 1999 +++ openssh-1.2.2p1/bufaux.c Thu Nov 25 11:54:58 1999 @@ -18,7 +18,14 @@ RCSID("$Id: bufaux.c,v 1.7 1999/11/24 19:53:44 markus Exp $"); #include "ssh.h" + +#ifdef HAVE_OPENSSL +#include +#endif +#ifdef HAVE_SSL #include +#endif + #include "bufaux.h" #include "xmalloc.h" #include "getput.h" diff -ruN ssh-openbsd-2000012700/channels.c openssh-1.2.2p1/channels.c --- ssh-openbsd-2000012700/channels.c Tue Jan 25 07:37:29 2000 +++ openssh-1.2.2p1/channels.c Fri Mar 3 22:35:33 2000 @@ -16,7 +16,7 @@ */ #include "includes.h" -RCSID("$Id: channels.c,v 1.38 2000/01/24 20:37:29 markus Exp $"); +RCSID("$Id: channels.c,v 1.37 2000/01/10 10:12:52 markus Exp $"); #include "ssh.h" #include "packet.h" @@ -935,7 +935,11 @@ /* Bind the socket to the address. */ if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { /* address can be in use ipv6 address is already bound */ - verbose("bind: %.100s", strerror(errno)); + if (!ai->ai_next) + error("bind: %.100s", strerror(errno)); + else + verbose("bind: %.100s", strerror(errno)); + close(sock); continue; } @@ -1077,7 +1081,9 @@ /* The port is not permitted. */ log("Received request to connect to %.100s:%d, but the request was denied.", host, host_port); - goto fail; + packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); + packet_put_int(remote_channel); + packet_send(); } } @@ -1185,13 +1191,22 @@ continue; sock = socket(ai->ai_family, SOCK_STREAM, 0); if (sock < 0) { - error("socket: %.100s", strerror(errno)); - return NULL; + if (errno != EINVAL) { + error("socket: %.100s", strerror(errno)); + return NULL; + } else { + debug("Socket family %d not supported [X11 disp create]", ai->ai_family); + continue; + } } if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { debug("bind port %d: %.100s", port, strerror(errno)); shutdown(sock, SHUT_RDWR); close(sock); + + if (ai->ai_next) + continue; + for (n = 0; n < num_socks; n++) { shutdown(socks[n], SHUT_RDWR); close(socks[n]); @@ -1222,10 +1237,48 @@ } /* Set up a suitable value for the DISPLAY variable. */ + if (gethostname(hostname, sizeof(hostname)) < 0) fatal("gethostname: %.100s", strerror(errno)); + +#ifdef IPADDR_IN_DISPLAY + /* + * HPUX detects the local hostname in the DISPLAY variable and tries + * to set up a shared memory connection to the server, which it + * incorrectly supposes to be local. + * + * The workaround - as used in later $$H and other programs - is + * is to set display to the host's IP address. + */ + { + struct hostent *he; + struct in_addr my_addr; + + he = gethostbyname(hostname); + if (he == NULL) { + error("[X11-broken-fwd-hostname-workaround] Could not get " + "IP address for hostname %s.", hostname); + + packet_send_debug("[X11-broken-fwd-hostname-workaround]" + "Could not get IP address for hostname %s.", hostname); + + shutdown(sock, SHUT_RDWR); + close(sock); + + return NULL; + } + + memcpy(&my_addr, he->h_addr_list[0], sizeof(struct in_addr)); + + /* Set DISPLAY to :screen.display */ + snprintf(display, sizeof(display), "%.50s:%d.%d", inet_ntoa(my_addr), + display_number, screen_number); + } +#else /* IPADDR_IN_DISPLAY */ + /* Just set DISPLAY to hostname:screen.display */ snprintf(display, sizeof display, "%.400s:%d.%d", hostname, - display_number, screen_number); + display_number, screen_number); +#endif /* IPADDR_IN_DISPLAY */ /* Allocate a channel for each socket. */ for (n = 0; n < num_socks; n++) { diff -ruN ssh-openbsd-2000012700/cipher.c openssh-1.2.2p1/cipher.c --- ssh-openbsd-2000012700/cipher.c Thu Nov 25 06:53:45 1999 +++ openssh-1.2.2p1/cipher.c Sun Jan 23 10:32:03 2000 @@ -16,8 +16,14 @@ #include "ssh.h" #include "cipher.h" +#include "config.h" +#ifdef HAVE_OPENSSL +#include +#endif +#ifdef HAVE_SSL #include +#endif /* * What kind of tripple DES are these 2 routines? @@ -43,13 +49,13 @@ memcpy(&iv1, iv2, 8); des_cbc_encrypt(src, dest, len, ks1, &iv1, DES_ENCRYPT); - memcpy(&iv1, dest + len - 8, 8); + memcpy(&iv1, (char *)dest + len - 8, 8); des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_DECRYPT); memcpy(iv2, &iv1, 8); /* Note how iv1 == iv2 on entry and exit. */ des_cbc_encrypt(dest, dest, len, ks3, iv3, DES_ENCRYPT); - memcpy(iv3, dest + len - 8, 8); + memcpy(iv3, (char *)dest + len - 8, 8); } void @@ -64,10 +70,10 @@ memcpy(&iv1, iv2, 8); des_cbc_encrypt(src, dest, len, ks3, iv3, DES_DECRYPT); - memcpy(iv3, src + len - 8, 8); + memcpy(iv3, (char *)src + len - 8, 8); des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_ENCRYPT); - memcpy(iv2, dest + len - 8, 8); + memcpy(iv2, (char *)dest + len - 8, 8); des_cbc_encrypt(dest, dest, len, ks1, &iv1, DES_DECRYPT); /* memcpy(&iv1, iv2, 8); */ diff -ruN ssh-openbsd-2000012700/cipher.h openssh-1.2.2p1/cipher.h --- ssh-openbsd-2000012700/cipher.h Thu Nov 25 06:53:46 1999 +++ openssh-1.2.2p1/cipher.h Thu Nov 25 11:54:58 1999 @@ -16,8 +16,16 @@ #ifndef CIPHER_H #define CIPHER_H +#include "config.h" + +#ifdef HAVE_OPENSSL +#include +#include +#endif +#ifdef HAVE_SSL #include #include +#endif /* Cipher types. New types can be added, but old types should not be removed for compatibility. The maximum allowed value is 31. */ diff -ruN ssh-openbsd-2000012700/config.guess openssh-1.2.2p1/config.guess --- ssh-openbsd-2000012700/config.guess Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/config.guess Fri Jan 7 08:56:05 2000 @@ -0,0 +1,1141 @@ +#! /bin/sh +# Attempt to guess a canonical system name. +# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999 +# Free Software Foundation, Inc. +# +# This file is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# Written by Per Bothner . +# The master version of this file is at the FSF in /home/gd/gnu/lib. +# Please send patches to . +# +# This script attempts to guess a canonical system name similar to +# config.sub. If it succeeds, it prints the system name on stdout, and +# exits with 0. Otherwise, it exits with 1. +# +# The plan is that this can be called by configure scripts if you +# don't specify an explicit system type (host/target name). +# +# Only a few systems have been added to this list; please add others +# (but try to keep the structure clean). +# + +# Use $HOST_CC if defined. $CC may point to a cross-compiler +if test x"$CC_FOR_BUILD" = x; then + if test x"$HOST_CC" != x; then + CC_FOR_BUILD="$HOST_CC" + else + if test x"$CC" != x; then + CC_FOR_BUILD="$CC" + else + CC_FOR_BUILD=cc + fi + fi +fi + + +# This is needed to find uname on a Pyramid OSx when run in the BSD universe. +# (ghazi@noc.rutgers.edu 8/24/94.) +if (test -f /.attbin/uname) >/dev/null 2>&1 ; then + PATH=$PATH:/.attbin ; export PATH +fi + +UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown +UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown +UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown +UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown + +dummy=dummy-$$ +trap 'rm -f $dummy.c $dummy.o $dummy; exit 1' 1 2 15 + +# Note: order is significant - the case branches are not exclusive. + +case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in + alpha:OSF1:*:*) + if test $UNAME_RELEASE = "V4.0"; then + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` + fi + # A Vn.n version is a released version. + # A Tn.n version is a released field test version. + # A Xn.n version is an unreleased experimental baselevel. + # 1.2 uses "1.2" for uname -r. + cat <$dummy.s + .data +\$Lformat: + .byte 37,100,45,37,120,10,0 # "%d-%x\n" + + .text + .globl main + .align 4 + .ent main +main: + .frame \$30,16,\$26,0 + ldgp \$29,0(\$27) + .prologue 1 + .long 0x47e03d80 # implver \$0 + lda \$2,-1 + .long 0x47e20c21 # amask \$2,\$1 + lda \$16,\$Lformat + mov \$0,\$17 + not \$1,\$18 + jsr \$26,printf + ldgp \$29,0(\$26) + mov 0,\$16 + jsr \$26,exit + .end main +EOF + $CC_FOR_BUILD $dummy.s -o $dummy 2>/dev/null + if test "$?" = 0 ; then + case `./$dummy` in + 0-0) + UNAME_MACHINE="alpha" + ;; + 1-0) + UNAME_MACHINE="alphaev5" + ;; + 1-1) + UNAME_MACHINE="alphaev56" + ;; + 1-101) + UNAME_MACHINE="alphapca56" + ;; + 2-303) + UNAME_MACHINE="alphaev6" + ;; + 2-307) + UNAME_MACHINE="alphaev67" + ;; + esac + fi + rm -f $dummy.s $dummy + echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` + exit 0 ;; + Alpha\ *:Windows_NT*:*) + # How do we know it's Interix rather than the generic POSIX subsystem? + # Should we change UNAME_MACHINE based on the output of uname instead + # of the specific Alpha model? + echo alpha-pc-interix + exit 0 ;; + 21064:Windows_NT:50:3) + echo alpha-dec-winnt3.5 + exit 0 ;; + Amiga*:UNIX_System_V:4.0:*) + echo m68k-cbm-sysv4 + exit 0;; + amiga:NetBSD:*:*) + echo m68k-cbm-netbsd${UNAME_RELEASE} + exit 0 ;; + amiga:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + *:[Aa]miga[Oo][Ss]:*:*) + echo ${UNAME_MACHINE}-unknown-amigaos + exit 0 ;; + arc64:OpenBSD:*:*) + echo mips64el-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + arc:OpenBSD:*:*) + echo mipsel-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + hkmips:OpenBSD:*:*) + echo mips-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + pmax:OpenBSD:*:*) + echo mipsel-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + sgi:OpenBSD:*:*) + echo mips-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + wgrisc:OpenBSD:*:*) + echo mipsel-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + *:OS/390:*:*) + echo i370-ibm-openedition + exit 0 ;; + arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) + echo arm-acorn-riscix${UNAME_RELEASE} + exit 0;; + arm32:NetBSD:*:*) + echo arm-unknown-netbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + exit 0 ;; + SR2?01:HI-UX/MPP:*:*) + echo hppa1.1-hitachi-hiuxmpp + exit 0;; + Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*) + # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. + if test "`(/bin/universe) 2>/dev/null`" = att ; then + echo pyramid-pyramid-sysv3 + else + echo pyramid-pyramid-bsd + fi + exit 0 ;; + NILE*:*:*:dcosx) + echo pyramid-pyramid-svr4 + exit 0 ;; + sun4H:SunOS:5.*:*) + echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit 0 ;; + sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) + echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit 0 ;; + i86pc:SunOS:5.*:*) + echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit 0 ;; + sun4*:SunOS:6*:*) + # According to config.sub, this is the proper way to canonicalize + # SunOS6. Hard to guess exactly what SunOS6 will be like, but + # it's likely to be more like Solaris than SunOS4. + echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit 0 ;; + sun4*:SunOS:*:*) + case "`/usr/bin/arch -k`" in + Series*|S4*) + UNAME_RELEASE=`uname -v` + ;; + esac + # Japanese Language versions have a version number like `4.1.3-JL'. + echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'` + exit 0 ;; + sun3*:SunOS:*:*) + echo m68k-sun-sunos${UNAME_RELEASE} + exit 0 ;; + sun*:*:4.2BSD:*) + UNAME_RELEASE=`(head -1 /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` + test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 + case "`/bin/arch`" in + sun3) + echo m68k-sun-sunos${UNAME_RELEASE} + ;; + sun4) + echo sparc-sun-sunos${UNAME_RELEASE} + ;; + esac + exit 0 ;; + aushp:SunOS:*:*) + echo sparc-auspex-sunos${UNAME_RELEASE} + exit 0 ;; + atari*:NetBSD:*:*) + echo m68k-atari-netbsd${UNAME_RELEASE} + exit 0 ;; + atari*:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + # The situation for MiNT is a little confusing. The machine name + # can be virtually everything (everything which is not + # "atarist" or "atariste" at least should have a processor + # > m68000). The system name ranges from "MiNT" over "FreeMiNT" + # to the lowercase version "mint" (or "freemint"). Finally + # the system name "TOS" denotes a system which is actually not + # MiNT. But MiNT is downward compatible to TOS, so this should + # be no problem. + atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} + exit 0 ;; + atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} + exit 0 ;; + *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} + exit 0 ;; + milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) + echo m68k-milan-mint${UNAME_RELEASE} + exit 0 ;; + hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) + echo m68k-hades-mint${UNAME_RELEASE} + exit 0 ;; + *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) + echo m68k-unknown-mint${UNAME_RELEASE} + exit 0 ;; + sun3*:NetBSD:*:*) + echo m68k-sun-netbsd${UNAME_RELEASE} + exit 0 ;; + sun3*:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + mac68k:NetBSD:*:*) + echo m68k-apple-netbsd${UNAME_RELEASE} + exit 0 ;; + mac68k:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + mvme68k:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + mvme88k:OpenBSD:*:*) + echo m88k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + powerpc:machten:*:*) + echo powerpc-apple-machten${UNAME_RELEASE} + exit 0 ;; + macppc:NetBSD:*:*) + echo powerpc-apple-netbsd${UNAME_RELEASE} + exit 0 ;; + RISC*:Mach:*:*) + echo mips-dec-mach_bsd4.3 + exit 0 ;; + RISC*:ULTRIX:*:*) + echo mips-dec-ultrix${UNAME_RELEASE} + exit 0 ;; + VAX*:ULTRIX*:*:*) + echo vax-dec-ultrix${UNAME_RELEASE} + exit 0 ;; + 2020:CLIX:*:* | 2430:CLIX:*:*) + echo clipper-intergraph-clix${UNAME_RELEASE} + exit 0 ;; + mips:*:*:UMIPS | mips:*:*:RISCos) + sed 's/^ //' << EOF >$dummy.c +#ifdef __cplusplus + int main (int argc, char *argv[]) { +#else + int main (argc, argv) int argc; char *argv[]; { +#endif + #if defined (host_mips) && defined (MIPSEB) + #if defined (SYSTYPE_SYSV) + printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0); + #endif + #if defined (SYSTYPE_SVR4) + printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0); + #endif + #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) + printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0); + #endif + #endif + exit (-1); + } +EOF + $CC_FOR_BUILD $dummy.c -o $dummy \ + && ./$dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \ + && rm $dummy.c $dummy && exit 0 + rm -f $dummy.c $dummy + echo mips-mips-riscos${UNAME_RELEASE} + exit 0 ;; + Night_Hawk:Power_UNIX:*:*) + echo powerpc-harris-powerunix + exit 0 ;; + m88k:CX/UX:7*:*) + echo m88k-harris-cxux7 + exit 0 ;; + m88k:*:4*:R4*) + echo m88k-motorola-sysv4 + exit 0 ;; + m88k:*:3*:R3*) + echo m88k-motorola-sysv3 + exit 0 ;; + AViiON:dgux:*:*) + # DG/UX returns AViiON for all architectures + UNAME_PROCESSOR=`/usr/bin/uname -p` + if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110] + then + if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ + [ ${TARGET_BINARY_INTERFACE}x = x ] + then + echo m88k-dg-dgux${UNAME_RELEASE} + else + echo m88k-dg-dguxbcs${UNAME_RELEASE} + fi + else + echo i586-dg-dgux${UNAME_RELEASE} + fi + exit 0 ;; + M88*:DolphinOS:*:*) # DolphinOS (SVR3) + echo m88k-dolphin-sysv3 + exit 0 ;; + M88*:*:R3*:*) + # Delta 88k system running SVR3 + echo m88k-motorola-sysv3 + exit 0 ;; + XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3) + echo m88k-tektronix-sysv3 + exit 0 ;; + Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD) + echo m68k-tektronix-bsd + exit 0 ;; + *:IRIX*:*:*) + echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'` + exit 0 ;; + ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. + echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id + exit 0 ;; # Note that: echo "'`uname -s`'" gives 'AIX ' + i?86:AIX:*:*) + echo i386-ibm-aix + exit 0 ;; + *:AIX:2:3) + if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then + sed 's/^ //' << EOF >$dummy.c + #include + + main() + { + if (!__power_pc()) + exit(1); + puts("powerpc-ibm-aix3.2.5"); + exit(0); + } +EOF + $CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm $dummy.c $dummy && exit 0 + rm -f $dummy.c $dummy + echo rs6000-ibm-aix3.2.5 + elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then + echo rs6000-ibm-aix3.2.4 + else + echo rs6000-ibm-aix3.2 + fi + exit 0 ;; + *:AIX:*:4) + IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | head -1 | awk '{ print $1 }'` + if /usr/sbin/lsattr -EHl ${IBM_CPU_ID} | grep POWER >/dev/null 2>&1; then + IBM_ARCH=rs6000 + else + IBM_ARCH=powerpc + fi + if [ -x /usr/bin/oslevel ] ; then + IBM_REV=`/usr/bin/oslevel` + else + IBM_REV=4.${UNAME_RELEASE} + fi + echo ${IBM_ARCH}-ibm-aix${IBM_REV} + exit 0 ;; + *:AIX:*:*) + echo rs6000-ibm-aix + exit 0 ;; + ibmrt:4.4BSD:*|romp-ibm:BSD:*) + echo romp-ibm-bsd4.4 + exit 0 ;; + ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC NetBSD and + echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to + exit 0 ;; # report: romp-ibm BSD 4.3 + *:BOSX:*:*) + echo rs6000-bull-bosx + exit 0 ;; + DPX/2?00:B.O.S.:*:*) + echo m68k-bull-sysv3 + exit 0 ;; + 9000/[34]??:4.3bsd:1.*:*) + echo m68k-hp-bsd + exit 0 ;; + hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*) + echo m68k-hp-bsd4.4 + exit 0 ;; + 9000/[34678]??:HP-UX:*:*) + case "${UNAME_MACHINE}" in + 9000/31? ) HP_ARCH=m68000 ;; + 9000/[34]?? ) HP_ARCH=m68k ;; + 9000/[678][0-9][0-9]) + sed 's/^ //' << EOF >$dummy.c + #include + #include + + int main () + { + #if defined(_SC_KERNEL_BITS) + long bits = sysconf(_SC_KERNEL_BITS); + #endif + long cpu = sysconf (_SC_CPU_VERSION); + + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1"); break; + case CPU_PA_RISC2_0: + #if defined(_SC_KERNEL_BITS) + switch (bits) + { + case 64: puts ("hppa2.0w"); break; + case 32: puts ("hppa2.0n"); break; + default: puts ("hppa2.0"); break; + } break; + #else /* !defined(_SC_KERNEL_BITS) */ + puts ("hppa2.0"); break; + #endif + default: puts ("hppa1.0"); break; + } + exit (0); + } +EOF + (CCOPTS= $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null ) && HP_ARCH=`./$dummy` + rm -f $dummy.c $dummy + esac + HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` + echo ${HP_ARCH}-hp-hpux${HPUX_REV} + exit 0 ;; + 3050*:HI-UX:*:*) + sed 's/^ //' << EOF >$dummy.c + #include + int + main () + { + long cpu = sysconf (_SC_CPU_VERSION); + /* The order matters, because CPU_IS_HP_MC68K erroneously returns + true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct + results, however. */ + if (CPU_IS_PA_RISC (cpu)) + { + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break; + case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break; + default: puts ("hppa-hitachi-hiuxwe2"); break; + } + } + else if (CPU_IS_HP_MC68K (cpu)) + puts ("m68k-hitachi-hiuxwe2"); + else puts ("unknown-hitachi-hiuxwe2"); + exit (0); + } +EOF + $CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm $dummy.c $dummy && exit 0 + rm -f $dummy.c $dummy + echo unknown-hitachi-hiuxwe2 + exit 0 ;; + 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) + echo hppa1.1-hp-bsd + exit 0 ;; + 9000/8??:4.3bsd:*:*) + echo hppa1.0-hp-bsd + exit 0 ;; + *9??*:MPE/iX:*:*) + echo hppa1.0-hp-mpeix + exit 0 ;; + hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) + echo hppa1.1-hp-osf + exit 0 ;; + hp8??:OSF1:*:*) + echo hppa1.0-hp-osf + exit 0 ;; + i?86:OSF1:*:*) + if [ -x /usr/sbin/sysversion ] ; then + echo ${UNAME_MACHINE}-unknown-osf1mk + else + echo ${UNAME_MACHINE}-unknown-osf1 + fi + exit 0 ;; + parisc*:Lites*:*:*) + echo hppa1.1-hp-lites + exit 0 ;; + hppa*:OpenBSD:*:*) + echo hppa-unknown-openbsd + exit 0 ;; + C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) + echo c1-convex-bsd + exit 0 ;; + C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) + if getsysinfo -f scalar_acc + then echo c32-convex-bsd + else echo c2-convex-bsd + fi + exit 0 ;; + C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) + echo c34-convex-bsd + exit 0 ;; + C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) + echo c38-convex-bsd + exit 0 ;; + C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) + echo c4-convex-bsd + exit 0 ;; + CRAY*X-MP:*:*:*) + echo xmp-cray-unicos + exit 0 ;; + CRAY*Y-MP:*:*:*) + echo ymp-cray-unicos${UNAME_RELEASE} + exit 0 ;; + CRAY*[A-Z]90:*:*:*) + echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \ + | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ + -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ + exit 0 ;; + CRAY*TS:*:*:*) + echo t90-cray-unicos${UNAME_RELEASE} + exit 0 ;; + CRAY*T3E:*:*:*) + echo alpha-cray-unicosmk${UNAME_RELEASE} + exit 0 ;; + CRAY-2:*:*:*) + echo cray2-cray-unicos + exit 0 ;; + F300:UNIX_System_V:*:*) + FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` + echo "f300-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + exit 0 ;; + F301:UNIX_System_V:*:*) + echo f301-fujitsu-uxpv`echo $UNAME_RELEASE | sed 's/ .*//'` + exit 0 ;; + hp3[0-9][05]:NetBSD:*:*) + echo m68k-hp-netbsd${UNAME_RELEASE} + exit 0 ;; + hp300:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + i?86:BSD/386:*:* | i?86:BSD/OS:*:*) + echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} + exit 0 ;; + sparc*:BSD/OS:*:*) + echo sparc-unknown-bsdi${UNAME_RELEASE} + exit 0 ;; + *:BSD/OS:*:*) + echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} + exit 0 ;; + *:FreeBSD:*:*) + if test -x /usr/bin/objformat; then + if test "elf" = "`/usr/bin/objformat`"; then + echo ${UNAME_MACHINE}-unknown-freebsdelf`echo ${UNAME_RELEASE}|sed -e 's/[-_].*//'` + exit 0 + fi + fi + echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` + exit 0 ;; + *:NetBSD:*:*) + echo ${UNAME_MACHINE}-unknown-netbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*//'` + exit 0 ;; + *:OpenBSD:*:*) + echo ${UNAME_MACHINE}-unknown-openbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + exit 0 ;; + i*:CYGWIN*:*) + echo ${UNAME_MACHINE}-pc-cygwin + exit 0 ;; + i*:MINGW*:*) + echo ${UNAME_MACHINE}-pc-mingw32 + exit 0 ;; + i*:Windows_NT*:* | Pentium*:Windows_NT*:*) + # How do we know it's Interix rather than the generic POSIX subsystem? + # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we + # UNAME_MACHINE based on the output of uname instead of i386? + echo i386-pc-interix + exit 0 ;; + i*:UWIN*:*) + echo ${UNAME_MACHINE}-pc-uwin + exit 0 ;; + p*:CYGWIN*:*) + echo powerpcle-unknown-cygwin + exit 0 ;; + prep*:SunOS:5.*:*) + echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit 0 ;; + *:GNU:*:*) + echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` + exit 0 ;; + *:Linux:*:*) + + # The BFD linker knows what the default object file format is, so + # first see if it will tell us. cd to the root directory to prevent + # problems with other programs or directories called `ld' in the path. + ld_help_string=`cd /; ld --help 2>&1` + ld_supported_emulations=`echo $ld_help_string \ + | sed -ne '/supported emulations:/!d + s/[ ][ ]*/ /g + s/.*supported emulations: *// + s/ .*// + p'` + case "$ld_supported_emulations" in + *ia64) + echo "${UNAME_MACHINE}-unknown-linux" + exit 0 + ;; + i?86linux) + echo "${UNAME_MACHINE}-pc-linux-gnuaout" + exit 0 + ;; + i?86coff) + echo "${UNAME_MACHINE}-pc-linux-gnucoff" + exit 0 + ;; + sparclinux) + echo "${UNAME_MACHINE}-unknown-linux-gnuaout" + exit 0 + ;; + armlinux) + echo "${UNAME_MACHINE}-unknown-linux-gnuaout" + exit 0 + ;; + elf32arm*) + echo "${UNAME_MACHINE}-unknown-linux-gnu" + exit 0 + ;; + armelf_linux*) + echo "${UNAME_MACHINE}-unknown-linux-gnu" + exit 0 + ;; + m68klinux) + echo "${UNAME_MACHINE}-unknown-linux-gnuaout" + exit 0 + ;; + elf32ppc) + # Determine Lib Version + cat >$dummy.c < +#if defined(__GLIBC__) +extern char __libc_version[]; +extern char __libc_release[]; +#endif +main(argc, argv) + int argc; + char *argv[]; +{ +#if defined(__GLIBC__) + printf("%s %s\n", __libc_version, __libc_release); +#else + printf("unkown\n"); +#endif + return 0; +} +EOF + LIBC="" + $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null + if test "$?" = 0 ; then + ./$dummy | grep 1\.99 > /dev/null + if test "$?" = 0 ; then + LIBC="libc1" + fi + fi + rm -f $dummy.c $dummy + echo powerpc-unknown-linux-gnu${LIBC} + exit 0 + ;; + esac + + if test "${UNAME_MACHINE}" = "alpha" ; then + cat <$dummy.s + .data + \$Lformat: + .byte 37,100,45,37,120,10,0 # "%d-%x\n" + + .text + .globl main + .align 4 + .ent main + main: + .frame \$30,16,\$26,0 + ldgp \$29,0(\$27) + .prologue 1 + .long 0x47e03d80 # implver \$0 + lda \$2,-1 + .long 0x47e20c21 # amask \$2,\$1 + lda \$16,\$Lformat + mov \$0,\$17 + not \$1,\$18 + jsr \$26,printf + ldgp \$29,0(\$26) + mov 0,\$16 + jsr \$26,exit + .end main +EOF + LIBC="" + $CC_FOR_BUILD $dummy.s -o $dummy 2>/dev/null + if test "$?" = 0 ; then + case `./$dummy` in + 0-0) + UNAME_MACHINE="alpha" + ;; + 1-0) + UNAME_MACHINE="alphaev5" + ;; + 1-1) + UNAME_MACHINE="alphaev56" + ;; + 1-101) + UNAME_MACHINE="alphapca56" + ;; + 2-303) + UNAME_MACHINE="alphaev6" + ;; + 2-307) + UNAME_MACHINE="alphaev67" + ;; + esac + + objdump --private-headers $dummy | \ + grep ld.so.1 > /dev/null + if test "$?" = 0 ; then + LIBC="libc1" + fi + fi + rm -f $dummy.s $dummy + echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} ; exit 0 + elif test "${UNAME_MACHINE}" = "mips" ; then + cat >$dummy.c </dev/null && ./$dummy "${UNAME_MACHINE}" && rm $dummy.c $dummy && exit 0 + rm -f $dummy.c $dummy + else + # Either a pre-BFD a.out linker (linux-gnuoldld) + # or one that does not give us useful --help. + # GCC wants to distinguish between linux-gnuoldld and linux-gnuaout. + # If ld does not provide *any* "supported emulations:" + # that means it is gnuoldld. + echo "$ld_help_string" | grep >/dev/null 2>&1 "supported emulations:" + test $? != 0 && echo "${UNAME_MACHINE}-pc-linux-gnuoldld" && exit 0 + + case "${UNAME_MACHINE}" in + i?86) + VENDOR=pc; + ;; + *) + VENDOR=unknown; + ;; + esac + # Determine whether the default compiler is a.out or elf + cat >$dummy.c < +#ifdef __cplusplus + int main (int argc, char *argv[]) { +#else + int main (argc, argv) int argc; char *argv[]; { +#endif +#ifdef __ELF__ +# ifdef __GLIBC__ +# if __GLIBC__ >= 2 + printf ("%s-${VENDOR}-linux-gnu\n", argv[1]); +# else + printf ("%s-${VENDOR}-linux-gnulibc1\n", argv[1]); +# endif +# else + printf ("%s-${VENDOR}-linux-gnulibc1\n", argv[1]); +# endif +#else + printf ("%s-${VENDOR}-linux-gnuaout\n", argv[1]); +#endif + return 0; +} +EOF + $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy "${UNAME_MACHINE}" && rm $dummy.c $dummy && exit 0 + rm -f $dummy.c $dummy + fi ;; +# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. earlier versions +# are messed up and put the nodename in both sysname and nodename. + i?86:DYNIX/ptx:4*:*) + echo i386-sequent-sysv4 + exit 0 ;; + i?86:UNIX_SV:4.2MP:2.*) + # Unixware is an offshoot of SVR4, but it has its own version + # number series starting with 2... + # I am not positive that other SVR4 systems won't match this, + # I just have to hope. -- rms. + # Use sysv4.2uw... so that sysv4* matches it. + echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} + exit 0 ;; + i?86:*:4.*:* | i?86:SYSTEM_V:4.*:*) + UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` + if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then + echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL} + else + echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL} + fi + exit 0 ;; + i?86:*:5:7*) + # Fixed at (any) Pentium or better + UNAME_MACHINE=i586 + if [ ${UNAME_SYSTEM} = "UnixWare" ] ; then + echo ${UNAME_MACHINE}-sco-sysv${UNAME_RELEASE}uw${UNAME_VERSION} + else + echo ${UNAME_MACHINE}-pc-sysv${UNAME_RELEASE} + fi + exit 0 ;; + i?86:*:3.2:*) + if test -f /usr/options/cb.name; then + UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then + UNAME_REL=`(/bin/uname -X|egrep Release|sed -e 's/.*= //')` + (/bin/uname -X|egrep i80486 >/dev/null) && UNAME_MACHINE=i486 + (/bin/uname -X|egrep '^Machine.*Pentium' >/dev/null) \ + && UNAME_MACHINE=i586 + (/bin/uname -X|egrep '^Machine.*Pent ?II' >/dev/null) \ + && UNAME_MACHINE=i686 + (/bin/uname -X|egrep '^Machine.*Pentium Pro' >/dev/null) \ + && UNAME_MACHINE=i686 + echo ${UNAME_MACHINE}-pc-sco$UNAME_REL + else + echo ${UNAME_MACHINE}-pc-sysv32 + fi + exit 0 ;; + pc:*:*:*) + # uname -m prints for DJGPP always 'pc', but it prints nothing about + # the processor, so we play safe by assuming i386. + echo i386-pc-msdosdjgpp + exit 0 ;; + Intel:Mach:3*:*) + echo i386-pc-mach3 + exit 0 ;; + paragon:*:*:*) + echo i860-intel-osf1 + exit 0 ;; + i860:*:4.*:*) # i860-SVR4 + if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then + echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4 + else # Add other i860-SVR4 vendors below as they are discovered. + echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4 + fi + exit 0 ;; + mini*:CTIX:SYS*5:*) + # "miniframe" + echo m68010-convergent-sysv + exit 0 ;; + M68*:*:R3V[567]*:*) + test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;; + 3[34]??:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 4850:*:4.0:3.0) + OS_REL='' + test -r /etc/.relid \ + && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && echo i486-ncr-sysv4.3${OS_REL} && exit 0 + /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ + && echo i586-ncr-sysv4.3${OS_REL} && exit 0 ;; + 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && echo i486-ncr-sysv4 && exit 0 ;; + m68*:LynxOS:2.*:*) + echo m68k-unknown-lynxos${UNAME_RELEASE} + exit 0 ;; + mc68030:UNIX_System_V:4.*:*) + echo m68k-atari-sysv4 + exit 0 ;; + i?86:LynxOS:2.*:* | i?86:LynxOS:3.[01]*:*) + echo i386-unknown-lynxos${UNAME_RELEASE} + exit 0 ;; + TSUNAMI:LynxOS:2.*:*) + echo sparc-unknown-lynxos${UNAME_RELEASE} + exit 0 ;; + rs6000:LynxOS:2.*:* | PowerPC:LynxOS:2.*:*) + echo rs6000-unknown-lynxos${UNAME_RELEASE} + exit 0 ;; + SM[BE]S:UNIX_SV:*:*) + echo mips-dde-sysv${UNAME_RELEASE} + exit 0 ;; + RM*:ReliantUNIX-*:*:*) + echo mips-sni-sysv4 + exit 0 ;; + RM*:SINIX-*:*:*) + echo mips-sni-sysv4 + exit 0 ;; + *:SINIX-*:*:*) + if uname -p 2>/dev/null >/dev/null ; then + UNAME_MACHINE=`(uname -p) 2>/dev/null` + echo ${UNAME_MACHINE}-sni-sysv4 + else + echo ns32k-sni-sysv + fi + exit 0 ;; + PENTIUM:CPunix:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort + # says + echo i586-unisys-sysv4 + exit 0 ;; + *:UNIX_System_V:4*:FTX*) + # From Gerald Hewes . + # How about differentiating between stratus architectures? -djm + echo hppa1.1-stratus-sysv4 + exit 0 ;; + *:*:*:FTX*) + # From seanf@swdc.stratus.com. + echo i860-stratus-sysv4 + exit 0 ;; + mc68*:A/UX:*:*) + echo m68k-apple-aux${UNAME_RELEASE} + exit 0 ;; + news*:NEWS-OS:*:6*) + echo mips-sony-newsos6 + exit 0 ;; + R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) + if [ -d /usr/nec ]; then + echo mips-nec-sysv${UNAME_RELEASE} + else + echo mips-unknown-sysv${UNAME_RELEASE} + fi + exit 0 ;; + BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. + echo powerpc-be-beos + exit 0 ;; + BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only. + echo powerpc-apple-beos + exit 0 ;; + BePC:BeOS:*:*) # BeOS running on Intel PC compatible. + echo i586-pc-beos + exit 0 ;; + SX-4:SUPER-UX:*:*) + echo sx4-nec-superux${UNAME_RELEASE} + exit 0 ;; + SX-5:SUPER-UX:*:*) + echo sx5-nec-superux${UNAME_RELEASE} + exit 0 ;; + Power*:Rhapsody:*:*) + echo powerpc-apple-rhapsody${UNAME_RELEASE} + exit 0 ;; + *:Rhapsody:*:*) + echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE} + exit 0 ;; + *:QNX:*:4*) + echo i386-qnx-qnx${UNAME_VERSION} + exit 0 ;; +esac + +#echo '(No uname command or uname output not recognized.)' 1>&2 +#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2 + +cat >$dummy.c < +# include +#endif +main () +{ +#if defined (sony) +#if defined (MIPSEB) + /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, + I don't know.... */ + printf ("mips-sony-bsd\n"); exit (0); +#else +#include + printf ("m68k-sony-newsos%s\n", +#ifdef NEWSOS4 + "4" +#else + "" +#endif + ); exit (0); +#endif +#endif + +#if defined (__arm) && defined (__acorn) && defined (__unix) + printf ("arm-acorn-riscix"); exit (0); +#endif + +#if defined (hp300) && !defined (hpux) + printf ("m68k-hp-bsd\n"); exit (0); +#endif + +#if defined (NeXT) +#if !defined (__ARCHITECTURE__) +#define __ARCHITECTURE__ "m68k" +#endif + int version; + version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; + if (version < 4) + printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); + else + printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version); + exit (0); +#endif + +#if defined (MULTIMAX) || defined (n16) +#if defined (UMAXV) + printf ("ns32k-encore-sysv\n"); exit (0); +#else +#if defined (CMU) + printf ("ns32k-encore-mach\n"); exit (0); +#else + printf ("ns32k-encore-bsd\n"); exit (0); +#endif +#endif +#endif + +#if defined (__386BSD__) + printf ("i386-pc-bsd\n"); exit (0); +#endif + +#if defined (sequent) +#if defined (i386) + printf ("i386-sequent-dynix\n"); exit (0); +#endif +#if defined (ns32000) + printf ("ns32k-sequent-dynix\n"); exit (0); +#endif +#endif + +#if defined (_SEQUENT_) + struct utsname un; + + uname(&un); + + if (strncmp(un.version, "V2", 2) == 0) { + printf ("i386-sequent-ptx2\n"); exit (0); + } + if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */ + printf ("i386-sequent-ptx1\n"); exit (0); + } + printf ("i386-sequent-ptx\n"); exit (0); + +#endif + +#if defined (vax) +#if !defined (ultrix) + printf ("vax-dec-bsd\n"); exit (0); +#else + printf ("vax-dec-ultrix\n"); exit (0); +#endif +#endif + +#if defined (alliant) && defined (i860) + printf ("i860-alliant-bsd\n"); exit (0); +#endif + + exit (1); +} +EOF + +$CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy && rm $dummy.c $dummy && exit 0 +rm -f $dummy.c $dummy + +# Apollos put the system type in the environment. + +test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit 0; } + +# Convex versions that predate uname can use getsysinfo(1) + +if [ -x /usr/convex/getsysinfo ] +then + case `getsysinfo -f cpu_type` in + c1*) + echo c1-convex-bsd + exit 0 ;; + c2*) + if getsysinfo -f scalar_acc + then echo c32-convex-bsd + else echo c2-convex-bsd + fi + exit 0 ;; + c34*) + echo c34-convex-bsd + exit 0 ;; + c38*) + echo c38-convex-bsd + exit 0 ;; + c4*) + echo c4-convex-bsd + exit 0 ;; + esac +fi + +#echo '(Unable to guess system type)' 1>&2 + +exit 1 diff -ruN ssh-openbsd-2000012700/config.sub openssh-1.2.2p1/config.sub --- ssh-openbsd-2000012700/config.sub Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/config.sub Fri Jan 7 08:56:05 2000 @@ -0,0 +1,1219 @@ +#! /bin/sh +# Configuration validation subroutine script, version 1.1. +# Copyright (C) 1991, 92-97, 1998, 1999 Free Software Foundation, Inc. +# This file is (in principle) common to ALL GNU software. +# The presence of a machine in this file suggests that SOME GNU software +# can handle that machine. It does not imply ALL GNU software can. +# +# This file is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, +# Boston, MA 02111-1307, USA. + +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# Configuration subroutine to validate and canonicalize a configuration type. +# Supply the specified configuration type as an argument. +# If it is invalid, we print an error message on stderr and exit with code 1. +# Otherwise, we print the canonical config type on stdout and succeed. + +# This file is supposed to be the same for all GNU packages +# and recognize all the CPU types, system types and aliases +# that are meaningful with *any* GNU software. +# Each package is responsible for reporting which valid configurations +# it does not support. The user should be able to distinguish +# a failure to support a valid configuration from a meaningless +# configuration. + +# The goal of this file is to map all the various variations of a given +# machine specification into a single specification in the form: +# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM +# or in some cases, the newer four-part form: +# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM +# It is wrong to echo any other type of specification. + +if [ x$1 = x ] +then + echo Configuration name missing. 1>&2 + echo "Usage: $0 CPU-MFR-OPSYS" 1>&2 + echo "or $0 ALIAS" 1>&2 + echo where ALIAS is a recognized configuration type. 1>&2 + exit 1 +fi + +# First pass through any local machine types. +case $1 in + *local*) + echo $1 + exit 0 + ;; + *) + ;; +esac + +# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any). +# Here we must recognize all the valid KERNEL-OS combinations. +maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` +case $maybe_os in + linux-gnu*) + os=-$maybe_os + basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` + ;; + *) + basic_machine=`echo $1 | sed 's/-[^-]*$//'` + if [ $basic_machine != $1 ] + then os=`echo $1 | sed 's/.*-/-/'` + else os=; fi + ;; +esac + +### Let's recognize common machines as not being operating systems so +### that things like config.sub decstation-3100 work. We also +### recognize some manufacturers as not being operating systems, so we +### can provide default operating systems below. +case $os in + -sun*os*) + # Prevent following clause from handling this invalid input. + ;; + -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \ + -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \ + -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \ + -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ + -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ + -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ + -apple) + os= + basic_machine=$1 + ;; + -sim | -cisco | -oki | -wec | -winbond) + os= + basic_machine=$1 + ;; + -scout) + ;; + -wrs) + os=-vxworks + basic_machine=$1 + ;; + -hiux*) + os=-hiuxwe2 + ;; + -sco5) + os=-sco3.2v5 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco4) + os=-sco3.2v4 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco3.2.[4-9]*) + os=`echo $os | sed -e 's/sco3.2./sco3.2v/'` + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco3.2v[4-9]*) + # Don't forget version if it is 3.2v4 or newer. + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco*) + os=-sco3.2v2 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -udk*) + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -isc) + os=-isc2.2 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -clix*) + basic_machine=clipper-intergraph + ;; + -isc*) + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -lynx*) + os=-lynxos + ;; + -ptx*) + basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'` + ;; + -windowsnt*) + os=`echo $os | sed -e 's/windowsnt/winnt/'` + ;; + -psos*) + os=-psos + ;; +esac + +# Decode aliases for certain CPU-COMPANY combinations. +case $basic_machine in + # Recognize the basic CPU types without company name. + # Some are omitted here because they have special meanings below. + tahoe | i860 | m32r | m68k | m68000 | m88k | ns32k | arc | arm \ + | arme[lb] | pyramid | mn10200 | mn10300 | tron | a29k \ + | 580 | i960 | h8300 \ + | hppa | hppa1.0 | hppa1.1 | hppa2.0 | hppa2.0w | hppa2.0n \ + | alpha | alphaev[4-8] | alphaev56 | alphapca5[67] \ + | we32k | ns16k | clipper | i370 | sh | powerpc | powerpcle \ + | 1750a | dsp16xx | pdp11 | mips16 | mips64 | mipsel | mips64el \ + | mips64orion | mips64orionel | mipstx39 | mipstx39el \ + | mips64vr4300 | mips64vr4300el | mips64vr4100 | mips64vr4100el \ + | mips64vr5000 | miprs64vr5000el \ + | m88110 | m680[012346]0 | m683?2 | m68360 | m5200 | z8k | v70 \ + | sparc | sparclet | sparclite | sparc64 | sparc86x | sparcv9 \ + | thumb | v850 | c4x | d10v | h8500 | w65 | fr30) + basic_machine=$basic_machine-unknown + ;; + # We use `pc' rather than `unknown' + # because (1) that's what they normally are, and + # (2) the word "unknown" tends to confuse beginning users. + i[34567]86) + basic_machine=$basic_machine-pc + ;; + # Object if more than one company name word. + *-*-*) + echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 + exit 1 + ;; + # Recognize the basic CPU types with company name. + vax-* | tahoe-* | i[34567]86-* | i860-* | m32r-* | m68k-* | m68000-* \ + | m88k-* | sparc-* | ns32k-* | fx80-* | arc-* | arm-* | c[123]* \ + | mips-* | pyramid-* | tron-* | a29k-* | romp-* | rs6000-* \ + | power-* | none-* | 580-* | cray2-* | h8300-* | h8500-* | i960-* \ + | xmp-* | ymp-* \ + | hppa-* | hppa1.0-* | hppa1.1-* | hppa2.0-* | hppa2.0w-* | hppa2.0n-* \ + | alpha-* | alphaev[4-8]-* | alphaev56-* | alphapca5[67]-* \ + | we32k-* | cydra-* | ns16k-* | pn-* | np1-* | xps100-* \ + | clipper-* | orion-* \ + | sparclite-* | pdp11-* | sh-* | powerpc-* | powerpcle-* \ + | sparc64-* | sparcv9-* | sparc86x-* | mips16-* | mips64-* | mipsel-* \ + | mips64el-* | mips64orion-* | mips64orionel-* \ + | mips64vr4100-* | mips64vr4100el-* | mips64vr4300-* | mips64vr4300el-* \ + | mipstx39-* | mipstx39el-* \ + | f301-* | arm*-* | t3e-* \ + | m88110-* | m680[01234]0-* | m683?2-* | m68360-* | z8k-* | d10v-* \ + | thumb-* | v850-* | d30v-* | tic30-* | c30-* | fr30-* ) + ;; + # Recognize the various machine names and aliases which stand + # for a CPU type and a company and sometimes even an OS. + 386bsd) + basic_machine=i386-unknown + os=-bsd + ;; + 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) + basic_machine=m68000-att + ;; + 3b*) + basic_machine=we32k-att + ;; + a29khif) + basic_machine=a29k-amd + os=-udi + ;; + adobe68k) + basic_machine=m68010-adobe + os=-scout + ;; + alliant | fx80) + basic_machine=fx80-alliant + ;; + altos | altos3068) + basic_machine=m68k-altos + ;; + am29k) + basic_machine=a29k-none + os=-bsd + ;; + amdahl) + basic_machine=580-amdahl + os=-sysv + ;; + amiga | amiga-*) + basic_machine=m68k-cbm + ;; + amigaos | amigados) + basic_machine=m68k-cbm + os=-amigaos + ;; + amigaunix | amix) + basic_machine=m68k-cbm + os=-sysv4 + ;; + apollo68) + basic_machine=m68k-apollo + os=-sysv + ;; + apollo68bsd) + basic_machine=m68k-apollo + os=-bsd + ;; + aux) + basic_machine=m68k-apple + os=-aux + ;; + balance) + basic_machine=ns32k-sequent + os=-dynix + ;; + convex-c1) + basic_machine=c1-convex + os=-bsd + ;; + convex-c2) + basic_machine=c2-convex + os=-bsd + ;; + convex-c32) + basic_machine=c32-convex + os=-bsd + ;; + convex-c34) + basic_machine=c34-convex + os=-bsd + ;; + convex-c38) + basic_machine=c38-convex + os=-bsd + ;; + cray | ymp) + basic_machine=ymp-cray + os=-unicos + ;; + cray2) + basic_machine=cray2-cray + os=-unicos + ;; + [ctj]90-cray) + basic_machine=c90-cray + os=-unicos + ;; + crds | unos) + basic_machine=m68k-crds + ;; + da30 | da30-*) + basic_machine=m68k-da30 + ;; + decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) + basic_machine=mips-dec + ;; + delta | 3300 | motorola-3300 | motorola-delta \ + | 3300-motorola | delta-motorola) + basic_machine=m68k-motorola + ;; + delta88) + basic_machine=m88k-motorola + os=-sysv3 + ;; + dpx20 | dpx20-*) + basic_machine=rs6000-bull + os=-bosx + ;; + dpx2* | dpx2*-bull) + basic_machine=m68k-bull + os=-sysv3 + ;; + ebmon29k) + basic_machine=a29k-amd + os=-ebmon + ;; + elxsi) + basic_machine=elxsi-elxsi + os=-bsd + ;; + encore | umax | mmax) + basic_machine=ns32k-encore + ;; + es1800 | OSE68k | ose68k | ose | OSE) + basic_machine=m68k-ericsson + os=-ose + ;; + fx2800) + basic_machine=i860-alliant + ;; + genix) + basic_machine=ns32k-ns + ;; + gmicro) + basic_machine=tron-gmicro + os=-sysv + ;; + h3050r* | hiux*) + basic_machine=hppa1.1-hitachi + os=-hiuxwe2 + ;; + h8300hms) + basic_machine=h8300-hitachi + os=-hms + ;; + h8300xray) + basic_machine=h8300-hitachi + os=-xray + ;; + h8500hms) + basic_machine=h8500-hitachi + os=-hms + ;; + harris) + basic_machine=m88k-harris + os=-sysv3 + ;; + hp300-*) + basic_machine=m68k-hp + ;; + hp300bsd) + basic_machine=m68k-hp + os=-bsd + ;; + hp300hpux) + basic_machine=m68k-hp + os=-hpux + ;; + hp3k9[0-9][0-9] | hp9[0-9][0-9]) + basic_machine=hppa1.0-hp + ;; + hp9k2[0-9][0-9] | hp9k31[0-9]) + basic_machine=m68000-hp + ;; + hp9k3[2-9][0-9]) + basic_machine=m68k-hp + ;; + hp9k6[0-9][0-9] | hp6[0-9][0-9]) + basic_machine=hppa1.0-hp + ;; + hp9k7[0-79][0-9] | hp7[0-79][0-9]) + basic_machine=hppa1.1-hp + ;; + hp9k78[0-9] | hp78[0-9]) + # FIXME: really hppa2.0-hp + basic_machine=hppa1.1-hp + ;; + hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) + # FIXME: really hppa2.0-hp + basic_machine=hppa1.1-hp + ;; + hp9k8[0-9][13679] | hp8[0-9][13679]) + basic_machine=hppa1.1-hp + ;; + hp9k8[0-9][0-9] | hp8[0-9][0-9]) + basic_machine=hppa1.0-hp + ;; + hppa-next) + os=-nextstep3 + ;; + hppaosf) + basic_machine=hppa1.1-hp + os=-osf + ;; + hppro) + basic_machine=hppa1.1-hp + os=-proelf + ;; + i370-ibm* | ibm*) + basic_machine=i370-ibm + ;; +# I'm not sure what "Sysv32" means. Should this be sysv3.2? + i[34567]86v32) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-sysv32 + ;; + i[34567]86v4*) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-sysv4 + ;; + i[34567]86v) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-sysv + ;; + i[34567]86sol2) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-solaris2 + ;; + i386mach) + basic_machine=i386-mach + os=-mach + ;; + i386-vsta | vsta) + basic_machine=i386-unknown + os=-vsta + ;; + i386-go32 | go32) + basic_machine=i386-unknown + os=-go32 + ;; + i386-mingw32 | mingw32) + basic_machine=i386-unknown + os=-mingw32 + ;; + iris | iris4d) + basic_machine=mips-sgi + case $os in + -irix*) + ;; + *) + os=-irix4 + ;; + esac + ;; + isi68 | isi) + basic_machine=m68k-isi + os=-sysv + ;; + m88k-omron*) + basic_machine=m88k-omron + ;; + magnum | m3230) + basic_machine=mips-mips + os=-sysv + ;; + merlin) + basic_machine=ns32k-utek + os=-sysv + ;; + miniframe) + basic_machine=m68000-convergent + ;; + *mint | *MiNT) + basic_machine=m68k-atari + os=-mint + ;; + mipsel*-linux*) + basic_machine=mipsel-unknown + os=-linux-gnu + ;; + mips*-linux*) + basic_machine=mips-unknown + os=-linux-gnu + ;; + mips3*-*) + basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` + ;; + mips3*) + basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown + ;; + monitor) + basic_machine=m68k-rom68k + os=-coff + ;; + msdos) + basic_machine=i386-unknown + os=-msdos + ;; + mvs) + basic_machine=i370-ibm + os=-mvs + ;; + ncr3000) + basic_machine=i486-ncr + os=-sysv4 + ;; + netbsd386) + basic_machine=i386-unknown + os=-netbsd + ;; + netwinder) + basic_machine=armv4l-corel + os=-linux + ;; + news | news700 | news800 | news900) + basic_machine=m68k-sony + os=-newsos + ;; + news1000) + basic_machine=m68030-sony + os=-newsos + ;; + news-3600 | risc-news) + basic_machine=mips-sony + os=-newsos + ;; + necv70) + basic_machine=v70-nec + os=-sysv + ;; + next | m*-next ) + basic_machine=m68k-next + case $os in + -nextstep* ) + ;; + -ns2*) + os=-nextstep2 + ;; + *) + os=-nextstep3 + ;; + esac + ;; + nh3000) + basic_machine=m68k-harris + os=-cxux + ;; + nh[45]000) + basic_machine=m88k-harris + os=-cxux + ;; + nindy960) + basic_machine=i960-intel + os=-nindy + ;; + mon960) + basic_machine=i960-intel + os=-mon960 + ;; + np1) + basic_machine=np1-gould + ;; + op50n-* | op60c-*) + basic_machine=hppa1.1-oki + os=-proelf + ;; + OSE68000 | ose68000) + basic_machine=m68000-ericsson + os=-ose + ;; + os68k) + basic_machine=m68k-none + os=-os68k + ;; + pa-hitachi) + basic_machine=hppa1.1-hitachi + os=-hiuxwe2 + ;; + paragon) + basic_machine=i860-intel + os=-osf + ;; + pbd) + basic_machine=sparc-tti + ;; + pbb) + basic_machine=m68k-tti + ;; + pc532 | pc532-*) + basic_machine=ns32k-pc532 + ;; + pentium | p5 | k5 | k6 | nexen) + basic_machine=i586-pc + ;; + pentiumpro | p6 | 6x86) + basic_machine=i686-pc + ;; + pentiumii | pentium2) + basic_machine=i786-pc + ;; + pentium-* | p5-* | k5-* | k6-* | nexen-*) + basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pentiumpro-* | p6-* | 6x86-*) + basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pentiumii-* | pentium2-*) + basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pn) + basic_machine=pn-gould + ;; + power) basic_machine=rs6000-ibm + ;; + ppc) basic_machine=powerpc-unknown + ;; + ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ppcle | powerpclittle | ppc-le | powerpc-little) + basic_machine=powerpcle-unknown + ;; + ppcle-* | powerpclittle-*) + basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ps2) + basic_machine=i386-ibm + ;; + rom68k) + basic_machine=m68k-rom68k + os=-coff + ;; + rm[46]00) + basic_machine=mips-siemens + ;; + rtpc | rtpc-*) + basic_machine=romp-ibm + ;; + sa29200) + basic_machine=a29k-amd + os=-udi + ;; + sequent) + basic_machine=i386-sequent + ;; + sh) + basic_machine=sh-hitachi + os=-hms + ;; + sparclite-wrs) + basic_machine=sparclite-wrs + os=-vxworks + ;; + sps7) + basic_machine=m68k-bull + os=-sysv2 + ;; + spur) + basic_machine=spur-unknown + ;; + st2000) + basic_machine=m68k-tandem + ;; + stratus) + basic_machine=i860-stratus + os=-sysv4 + ;; + sun2) + basic_machine=m68000-sun + ;; + sun2os3) + basic_machine=m68000-sun + os=-sunos3 + ;; + sun2os4) + basic_machine=m68000-sun + os=-sunos4 + ;; + sun3os3) + basic_machine=m68k-sun + os=-sunos3 + ;; + sun3os4) + basic_machine=m68k-sun + os=-sunos4 + ;; + sun4os3) + basic_machine=sparc-sun + os=-sunos3 + ;; + sun4os4) + basic_machine=sparc-sun + os=-sunos4 + ;; + sun4sol2) + basic_machine=sparc-sun + os=-solaris2 + ;; + sun3 | sun3-*) + basic_machine=m68k-sun + ;; + sun4) + basic_machine=sparc-sun + ;; + sun386 | sun386i | roadrunner) + basic_machine=i386-sun + ;; + symmetry) + basic_machine=i386-sequent + os=-dynix + ;; + t3e) + basic_machine=t3e-cray + os=-unicos + ;; + tx39) + basic_machine=mipstx39-unknown + ;; + tx39el) + basic_machine=mipstx39el-unknown + ;; + tower | tower-32) + basic_machine=m68k-ncr + ;; + udi29k) + basic_machine=a29k-amd + os=-udi + ;; + ultra3) + basic_machine=a29k-nyu + os=-sym1 + ;; + v810 | necv810) + basic_machine=v810-nec + os=-none + ;; + vaxv) + basic_machine=vax-dec + os=-sysv + ;; + vms) + basic_machine=vax-dec + os=-vms + ;; + vpp*|vx|vx-*) + basic_machine=f301-fujitsu + ;; + vxworks960) + basic_machine=i960-wrs + os=-vxworks + ;; + vxworks68) + basic_machine=m68k-wrs + os=-vxworks + ;; + vxworks29k) + basic_machine=a29k-wrs + os=-vxworks + ;; + w65*) + basic_machine=w65-wdc + os=-none + ;; + w89k-*) + basic_machine=hppa1.1-winbond + os=-proelf + ;; + xmp) + basic_machine=xmp-cray + os=-unicos + ;; + xps | xps100) + basic_machine=xps100-honeywell + ;; + z8k-*-coff) + basic_machine=z8k-unknown + os=-sim + ;; + none) + basic_machine=none-none + os=-none + ;; + +# Here we handle the default manufacturer of certain CPU types. It is in +# some cases the only manufacturer, in others, it is the most popular. + w89k) + basic_machine=hppa1.1-winbond + ;; + op50n) + basic_machine=hppa1.1-oki + ;; + op60c) + basic_machine=hppa1.1-oki + ;; + mips) + if [ x$os = x-linux-gnu ]; then + basic_machine=mips-unknown + else + basic_machine=mips-mips + fi + ;; + romp) + basic_machine=romp-ibm + ;; + rs6000) + basic_machine=rs6000-ibm + ;; + vax) + basic_machine=vax-dec + ;; + pdp11) + basic_machine=pdp11-dec + ;; + we32k) + basic_machine=we32k-att + ;; + sparc | sparcv9) + basic_machine=sparc-sun + ;; + cydra) + basic_machine=cydra-cydrome + ;; + orion) + basic_machine=orion-highlevel + ;; + orion105) + basic_machine=clipper-highlevel + ;; + mac | mpw | mac-mpw) + basic_machine=m68k-apple + ;; + pmac | pmac-mpw) + basic_machine=powerpc-apple + ;; + c4x*) + basic_machine=c4x-none + os=-coff + ;; + *) + echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 + exit 1 + ;; +esac + +# Here we canonicalize certain aliases for manufacturers. +case $basic_machine in + *-digital*) + basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'` + ;; + *-commodore*) + basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'` + ;; + *) + ;; +esac + +# Decode manufacturer-specific aliases for certain operating systems. + +if [ x"$os" != x"" ] +then +case $os in + # First match some system type aliases + # that might get confused with valid system types. + # -solaris* is a basic system type, with this one exception. + -solaris1 | -solaris1.*) + os=`echo $os | sed -e 's|solaris1|sunos4|'` + ;; + -solaris) + os=-solaris2 + ;; + -svr4*) + os=-sysv4 + ;; + -unixware*) + os=-sysv4.2uw + ;; + -gnu/linux*) + os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'` + ;; + # First accept the basic system types. + # The portable systems comes first. + # Each alternative MUST END IN A *, to match a version number. + # -sysv* is not here because it comes later, after sysvr4. + -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ + | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\ + | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \ + | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ + | -aos* | -opened* \ + | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ + | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ + | -hiux* | -386bsd* | -netbsd* | -openbsd* | -freebsd* | -riscix* \ + | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ + | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ + | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ + | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ + | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -mpeix* | -udk* \ + | -interix* | -uwin* | -rhapsody* | -openstep* | -oskit*) + # Remember, each alternative MUST END IN *, to match a version number. + ;; + -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \ + | -windows* | -osx | -abug | -netware* | -os9* | -beos* \ + | -macos* | -mpw* | -magic* | -mon960* | -lnews*) + ;; + -mac*) + os=`echo $os | sed -e 's|mac|macos|'` + ;; + -linux*) + os=`echo $os | sed -e 's|linux|linux-gnu|'` + ;; + -sunos5*) + os=`echo $os | sed -e 's|sunos5|solaris2|'` + ;; + -sunos6*) + os=`echo $os | sed -e 's|sunos6|solaris3|'` + ;; + -opened*) + os=-openedition + ;; + -osfrose*) + os=-osfrose + ;; + -osf*) + os=-osf + ;; + -utek*) + os=-bsd + ;; + -dynix*) + os=-bsd + ;; + -acis*) + os=-aos + ;; + -386bsd) + os=-bsd + ;; + -ctix* | -uts*) + os=-sysv + ;; + -ns2 ) + os=-nextstep2 + ;; + # Preserve the version number of sinix5. + -sinix5.*) + os=`echo $os | sed -e 's|sinix|sysv|'` + ;; + -sinix*) + os=-sysv4 + ;; + -triton*) + os=-sysv3 + ;; + -oss*) + os=-sysv3 + ;; + -svr4) + os=-sysv4 + ;; + -svr3) + os=-sysv3 + ;; + -sysvr4) + os=-sysv4 + ;; + # This must come after -sysvr4. + -sysv*) + ;; + -ose*) + os=-ose + ;; + -es1800*) + os=-ose + ;; + -xenix) + os=-xenix + ;; + -*mint | -*MiNT) + os=-mint + ;; + -none) + ;; + *) + # Get rid of the `-' at the beginning of $os. + os=`echo $os | sed 's/[^-]*-//'` + echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2 + exit 1 + ;; +esac +else + +# Here we handle the default operating systems that come with various machines. +# The value should be what the vendor currently ships out the door with their +# machine or put another way, the most popular os provided with the machine. + +# Note that if you're going to try to match "-MANUFACTURER" here (say, +# "-sun"), then you have to tell the case statement up towards the top +# that MANUFACTURER isn't an operating system. Otherwise, code above +# will signal an error saying that MANUFACTURER isn't an operating +# system, and we'll never get to this point. + +case $basic_machine in + *-acorn) + os=-riscix1.2 + ;; + arm*-corel) + os=-linux + ;; + arm*-semi) + os=-aout + ;; + pdp11-*) + os=-none + ;; + *-dec | vax-*) + os=-ultrix4.2 + ;; + m68*-apollo) + os=-domain + ;; + i386-sun) + os=-sunos4.0.2 + ;; + m68000-sun) + os=-sunos3 + # This also exists in the configure program, but was not the + # default. + # os=-sunos4 + ;; + m68*-cisco) + os=-aout + ;; + mips*-cisco) + os=-elf + ;; + mips*-*) + os=-elf + ;; + *-tti) # must be before sparc entry or we get the wrong os. + os=-sysv3 + ;; + sparc-* | *-sun) + os=-sunos4.1.1 + ;; + *-be) + os=-beos + ;; + *-ibm) + os=-aix + ;; + *-wec) + os=-proelf + ;; + *-winbond) + os=-proelf + ;; + *-oki) + os=-proelf + ;; + *-hp) + os=-hpux + ;; + *-hitachi) + os=-hiux + ;; + i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent) + os=-sysv + ;; + *-cbm) + os=-amigaos + ;; + *-dg) + os=-dgux + ;; + *-dolphin) + os=-sysv3 + ;; + m68k-ccur) + os=-rtu + ;; + m88k-omron*) + os=-luna + ;; + *-next ) + os=-nextstep + ;; + *-sequent) + os=-ptx + ;; + *-crds) + os=-unos + ;; + *-ns) + os=-genix + ;; + i370-*) + os=-mvs + ;; + *-next) + os=-nextstep3 + ;; + *-gould) + os=-sysv + ;; + *-highlevel) + os=-bsd + ;; + *-encore) + os=-bsd + ;; + *-sgi) + os=-irix + ;; + *-siemens) + os=-sysv4 + ;; + *-masscomp) + os=-rtu + ;; + f301-fujitsu) + os=-uxpv + ;; + *-rom68k) + os=-coff + ;; + *-*bug) + os=-coff + ;; + *-apple) + os=-macos + ;; + *-atari*) + os=-mint + ;; + *) + os=-none + ;; +esac +fi + +# Here we handle the case where we know the os, and the CPU type, but not the +# manufacturer. We pick the logical manufacturer. +vendor=unknown +case $basic_machine in + *-unknown) + case $os in + -riscix*) + vendor=acorn + ;; + -sunos*) + vendor=sun + ;; + -aix*) + vendor=ibm + ;; + -beos*) + vendor=be + ;; + -hpux*) + vendor=hp + ;; + -mpeix*) + vendor=hp + ;; + -hiux*) + vendor=hitachi + ;; + -unos*) + vendor=crds + ;; + -dgux*) + vendor=dg + ;; + -luna*) + vendor=omron + ;; + -genix*) + vendor=ns + ;; + -mvs* | -opened*) + vendor=ibm + ;; + -ptx*) + vendor=sequent + ;; + -vxsim* | -vxworks*) + vendor=wrs + ;; + -aux*) + vendor=apple + ;; + -hms*) + vendor=hitachi + ;; + -mpw* | -macos*) + vendor=apple + ;; + -*mint | -*MiNT) + vendor=atari + ;; + esac + basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"` + ;; +esac + +echo $basic_machine$os diff -ruN ssh-openbsd-2000012700/configure.in openssh-1.2.2p1/configure.in --- ssh-openbsd-2000012700/configure.in Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/configure.in Sun Mar 5 17:02:46 2000 @@ -0,0 +1,798 @@ +AC_INIT(ssh.c) + +AC_CONFIG_HEADER(config.h) +AC_CANONICAL_HOST + +# C Compiler features +if test "$GCC" = "yes"; then CFLAGS="$CFLAGS -Wall"; fi +AC_C_INLINE + +# Checks for programs. +AC_PROG_CC +AC_PROG_CPP +AC_PROG_RANLIB +AC_PROG_INSTALL +AC_CHECK_PROG(AR, ar, ar) +AC_PATH_PROG(PERL, perl) +AC_SUBST(PERL) + +# Check for some target-specific stuff +case "$host" in +*-*-aix*) + AFS_LIBS="-lld" + AC_DEFINE(BROKEN_GETADDRINFO) + ;; +*-*-hpux10*) + if test -z "$GCC"; then + CFLAGS="$CFLAGS -Aa" + fi + CFLAGS="$CFLAGS -D_HPUX_SOURCE" + AC_DEFINE(IPADDR_IN_DISPLAY) + AC_DEFINE(USE_UTMPX) + AC_MSG_CHECKING(for HPUX trusted system password database) + if test -f /tcb/files/auth/system/default; then + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_HPUX_TRUSTED_SYSTEM_PW) + LIBS="$LIBS -lsec" + AC_MSG_WARN([This configuration is untested]) + else + AC_MSG_RESULT(no) + AC_DEFINE(DISABLE_SHADOW) + fi + MANTYPE='$(CATMAN)' + mansubdir=cat + ;; +*-*-irix5*) + MANTYPE='$(CATMAN)' + no_libsocket=1 + no_libnsl=1 + ;; +*-*-irix6*) + MANTYPE='$(CATMAN)' + AC_MSG_WARN([*** Irix 6.x is not tested, please report you experiences *** ]) + no_libsocket=1 + no_libnsl=1 + ;; +*-*-linux*) + no_dev_ptmx=1 + need_pty_removed_on_close=1 + ;; +*-*-netbsd*) + need_dash_r=1 + ;; +*-*-solaris*) + need_dash_r=1 + LDFLAGS="-L/usr/ucblib" + AC_DEFINE(USE_UTMPX) + ;; +*-*-sysv*) + AC_DEFINE(USE_UTMPX) + MANTYPE='$(CATMAN)' + mansubdir=cat + LIBS="$LIBS -lgen -lsocket" + ;; +esac + +# Checks for libraries. +AC_CHECK_LIB(z, deflate, ,AC_MSG_ERROR([*** zlib missing - please install first ***])) +AC_CHECK_LIB(util, login, AC_DEFINE(HAVE_LIBUTIL_LOGIN) LIBS="$LIBS -lutil") + +if test -z "$no_libsocket" ; then + AC_CHECK_LIB(nsl, yp_match, , ) +fi +if test -z "$no_libnsl" ; then + AC_CHECK_LIB(socket, main, , ) +fi + +# Checks for header files. +AC_CHECK_HEADERS(bstring.h endian.h lastlog.h login.h maillock.h netdb.h netgroup.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h util.h utmp.h utmpx.h) + +# Checks for library functions. +AC_CHECK_FUNCS(arc4random bindresvport_af freeaddrinfo gai_strerror getaddrinfo getnameinfo innetgr md5_crypt mkdtemp openpty rresvport_af setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy updwtmpx vsnprintf _getpty) + +AC_CHECK_FUNC(login, + [AC_DEFINE(HAVE_LOGIN)], + [AC_CHECK_LIB(bsd, login, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_LOGIN)])] +) + +AC_CHECK_FUNC(daemon, + [AC_DEFINE(HAVE_DAEMON)], + [AC_CHECK_LIB(bsd, daemon, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)])] +) + +AC_CHECK_FUNC(getpagesize, + [AC_DEFINE(HAVE_GETPAGESIZE)], + [AC_CHECK_LIB(ucb, getpagesize, [LIBS="$LIBS -lucb"; AC_DEFINE(HAVE_GETPAGESIZE)])] +) + +AC_ARG_WITH(pam, + [ --without-pam Disable PAM support ], + [ + if test "x$withval" = "xno" ; then + no_pam=1 + AC_DEFINE(DISABLE_PAM) + fi + ] +) +if test -z "$no_pam" -a "x$ac_cv_header_security_pam_appl_h" = "xyes" ; then + AC_CHECK_LIB(dl, dlopen, , ) + LIBS="$LIBS -lpam" + + # Check PAM strerror arguments (old PAM) + AC_MSG_CHECKING([whether pam_strerror takes only one argument]) + AC_TRY_COMPILE( + [ + #include + #include + ], + [(void)pam_strerror((pam_handle_t *)NULL, -1);], + [AC_MSG_RESULT(no)], + [ + AC_DEFINE(HAVE_OLD_PAM) + AC_MSG_RESULT(yes) + ] + ) +fi + +# The big search for OpenSSL +AC_ARG_WITH(ssl-dir, + [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], + [ + if test "x$withval" != "$xno" ; then + tryssldir=$withval + fi + ] +) + +saved_LIBS="$LIBS" +saved_CFLAGS="$CFLAGS" +if test "x$prefix" != "xNONE" ; then + tryssldir="$tryssldir $prefix" +fi +AC_MSG_CHECKING([for OpenSSL/SSLeay directory]) +for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do + if test ! -z "$ssldir" ; then + LIBS="$saved_LIBS -L$ssldir" + CFLAGS="$CFLAGS -I$ssldir/include" + if test "x$need_dash_r" = "x1" ; then + LIBS="$LIBS -R$ssldir" + fi + fi + LIBS="$LIBS -lcrypto" + + AC_TRY_RUN( + [ + #include + #include + #include + int main(void) + {RSA *key; char seed[2048];memset(seed, 0, sizeof(seed)); + RAND_seed(seed, sizeof(seed));key=RSA_generate_key(32,3,NULL,NULL); + return(key==NULL);} + ], + [ + AC_DEFINE(HAVE_OPENSSL) + found_crypto=1 + break; + ], [] + ) + AC_TRY_RUN( + [ + #include + #include + #include + int main(void) + {RSA *key; char seed[2048];memset(seed, 0, sizeof(seed)); + RAND_seed(seed, sizeof(seed));key=RSA_generate_key(32,3,NULL,NULL); + return(key==NULL);} + ], + [ + AC_DEFINE(HAVE_SSL) + found_crypto=1 + break; + ], [] + ) +done + +if test -z "$found_crypto" ; then + AC_MSG_ERROR([Could not find working SSLeay / OpenSSL libraries, please install]) +fi +if test -z "$ssldir" ; then + ssldir="(system)" +else + CFLAGS="$CFLAGS -I$ssldir/include" + LDFLAGS="$LDFLAGS -L$ssldir/lib" + if test "x$need_dash_r" = "x1" ; then + LDFLAGS="$LDFLAGS -R$ssldir" + fi +fi +LIBS="$saved_LIBS -lcrypto" +AC_MSG_RESULT($ssldir) + +# Checks for data types +AC_CHECK_SIZEOF(char, 1) +AC_CHECK_SIZEOF(short int, 2) +AC_CHECK_SIZEOF(int, 4) +AC_CHECK_SIZEOF(long int, 4) +AC_CHECK_SIZEOF(long long int, 8) + +# More checks for data types +AC_MSG_CHECKING([for intXX_t types]) +AC_TRY_COMPILE( + [#include ], + [int16_t a; int32_t b; a = 1235; b = 1235;], + [ + AC_DEFINE(HAVE_INTXX_T) + AC_MSG_RESULT(yes) + have_intxx_t=1 + ], + [AC_MSG_RESULT(no)] +) + +AC_MSG_CHECKING([for u_intXX_t types]) +AC_TRY_COMPILE( + [#include ], + [u_int16_t c; u_int32_t d; c = 1235; d = 1235;], + [ + AC_DEFINE(HAVE_U_INTXX_T) + AC_MSG_RESULT(yes) + have_u_intxx_t=1 + ], + [AC_MSG_RESULT(no)] +) + +if test -z "$have_u_intxx_t" -o -z "$have_intxx_t" -a \ + "x$ac_cv_header_sys_bitypes_h" = "xyes" +then + AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h]) + AC_TRY_COMPILE( + [#include ], + [ + u_int16_t c; u_int32_t d; + int16_t e; int32_t f; + c = 1235; d = 1235; + e = 1235; f = 1235; + ], + [ + AC_DEFINE(HAVE_U_INTXX_T) + AC_DEFINE(HAVE_INTXX_T) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] + ) +fi + +AC_MSG_CHECKING([for uintXX_t types]) +AC_TRY_COMPILE( + [#include ], + [uint16_t c; uint32_t d; c = 1235; d = 1235;], + [ + AC_DEFINE(HAVE_UINTXX_T) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) + +AC_MSG_CHECKING([for socklen_t]) +AC_TRY_COMPILE( + [ + #include + #include + ], + [socklen_t foo; foo = 1235;], + [ + AC_DEFINE(HAVE_SOCKLEN_T) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) + +AC_MSG_CHECKING([for size_t]) +AC_TRY_COMPILE( + [#include ], + [size_t foo; foo = 1235;], + [ + AC_DEFINE(HAVE_SIZE_T) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) + +AC_MSG_CHECKING([for struct sockaddr_storage]) +AC_TRY_COMPILE( + [ + #include + #include + ], + [struct sockaddr_storage s;], + [ + AC_DEFINE(HAVE_STRUCT_SOCKADDR_STORAGE) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) + +AC_MSG_CHECKING([for struct sockaddr_in6]) +AC_TRY_COMPILE( + [#include ], + [struct sockaddr_in6 s; s.sin6_family = 0;], + [ + AC_DEFINE(HAVE_STRUCT_SOCKADDR_IN6) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) + +AC_MSG_CHECKING([for struct in6_addr]) +AC_TRY_COMPILE( + [#include ], + [struct in6_addr s; s.s6_addr[0] = 0;], + [ + AC_DEFINE(HAVE_STRUCT_IN6_ADDR) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) + +AC_MSG_CHECKING([for struct addrinfo]) +AC_TRY_COMPILE( + [ + #include + #include + #include + ], + [struct addrinfo s; s.ai_flags = AI_PASSIVE;], + [ + AC_DEFINE(HAVE_STRUCT_ADDRINFO) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) + +# Checks for structure members +AC_MSG_CHECKING([whether utmp.h has ut_host field]) +AC_EGREP_HEADER(ut_host, utmp.h, + [AC_DEFINE(HAVE_HOST_IN_UTMP) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether utmpx.h has ut_host field]) +AC_EGREP_HEADER(ut_host, utmpx.h, + [AC_DEFINE(HAVE_HOST_IN_UTMPX) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether utmpx.h has syslen field]) +AC_EGREP_HEADER(syslen, utmpx.h, + [AC_DEFINE(HAVE_SYSLEN_IN_UTMPX) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether utmp.h has ut_pid field]) +AC_EGREP_HEADER(ut_pid, utmp.h, + [AC_DEFINE(HAVE_PID_IN_UTMP) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether utmp.h has ut_type field]) +AC_EGREP_HEADER(ut_type, utmp.h, + [AC_DEFINE(HAVE_TYPE_IN_UTMP) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether utmp.h has ut_tv field]) +AC_EGREP_HEADER(ut_tv, utmp.h, + [AC_DEFINE(HAVE_TV_IN_UTMP) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether utmp.h has ut_id field]) +AC_EGREP_HEADER(ut_id, utmp.h, + [AC_DEFINE(HAVE_ID_IN_UTMP) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether utmp.h has ut_addr field]) +AC_EGREP_HEADER(ut_addr, utmp.h, + [AC_DEFINE(HAVE_ADDR_IN_UTMP) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether utmpx.h has ut_addr field]) +AC_EGREP_HEADER(ut_addr, utmpx.h, + [AC_DEFINE(HAVE_ADDR_IN_UTMPX) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether utmp.h has ut_addr_v6 field]) +AC_EGREP_HEADER(ut_addr_v6, utmp.h, + [AC_DEFINE(HAVE_ADDR_V6_IN_UTMP) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether utmpx.h has ut_addr_v6 field]) +AC_EGREP_HEADER(ut_addr_v6, utmpx.h, + [AC_DEFINE(HAVE_ADDR_V6_IN_UTMPX) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) + +AC_MSG_CHECKING([whether struct sockaddr_storage has ss_family field]) +AC_TRY_COMPILE( + [ + #include + #include + ], + [struct sockaddr_storage s; s.ss_family = 1;], + [ + AC_DEFINE(HAVE_SS_FAMILY_IN_SS) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether struct sockaddr_storage has __ss_family field]) +AC_TRY_COMPILE( + [ + #include + #include + ], + [struct sockaddr_storage s; s.__ss_family = 1;], + [ + AC_DEFINE(HAVE___SS_FAMILY_IN_SS) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) + +AC_MSG_CHECKING([whether libc defines __progname]) +AC_TRY_LINK([], + [extern char *__progname; printf("%s", __progname);], + [ + AC_DEFINE(HAVE___PROGNAME) + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + ] +) + +# Looking for programs, paths and files +AC_ARG_WITH(rsh, + [ --with-rsh=PATH Specify path to remote shell program ], + [ + if test "x$withval" != "$xno" ; then + AC_DEFINE_UNQUOTED(RSH_PATH, "$withval") + fi + ], + [ + AC_PATH_PROG(rsh_path, rsh) + ] +) + +AC_ARG_WITH(xauth, + [ --with-xauth=PATH Specify path to xauth program ], + [ + if test "x$withval" != "$xno" ; then + AC_DEFINE_UNQUOTED(XAUTH_PATH, "$withval") + fi + ], + [ + AC_PATH_PROG(xauth_path, xauth) + if test ! -z "$xauth_path" -a -x "/usr/openwin/bin/xauth" ; then + xauth_path="/usr/openwin/bin/xauth" + fi + ] +) + +if test ! -z "$xauth_path" ; then + AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path") +fi +if test ! -z "$rsh_path" ; then + AC_DEFINE_UNQUOTED(RSH_PATH, "$rsh_path") +fi + +# Check for mail directory (last resort if we cannot get it from headers) +if test ! -z "$MAIL" ; then + maildir=`dirname $MAIL` + AC_DEFINE_UNQUOTED(MAIL_DIRECTORY, "$maildir") +fi + +# Look for lastlog location +AC_ARG_WITH(lastlog, + [ --with-lastlog=FILE Location of lastlog file], + [ + if test "x$withval" = "xno" ; then + AC_DEFINE(DISABLE_LASTLOG) + else + AC_DEFINE_UNQUOTED(LASTLOG_LOCATION, "$withval") + fi + ], + [ + AC_MSG_CHECKING([location of lastlog file]) + for lastlog in /var/log/lastlog /var/adm/lastlog /usr/adm/lastlog /etc/security/lastlog ; do + if test -f $lastlog ; then + gotlastlog="file" + break + fi + if test -d $lastlog ; then + gotlastlog="dir" + break + fi + done + if test -z "$gotlastlog" ; then + AC_MSG_RESULT(not found) + nolastlog=1 + else + if test "x$gotlastlog" = "xdir" ; then + AC_MSG_RESULT(${lastlog}/) + AC_DEFINE(LASTLOG_IS_DIR) + else + AC_MSG_RESULT($lastlog) + AC_DEFINE_UNQUOTED(LASTLOG_LOCATION, "$lastlog") + fi + fi + ] +) + +if test ! -z "$nolastlog" ; then + AC_MSG_WARN([*** Disabling lastlog support *** ]) + AC_DEFINE(DISABLE_LASTLOG) +fi + +if test -z "$no_dev_ptmx" ; then + AC_CHECK_FILE("/dev/ptmx", + [ + AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX) + have_dev_ptmx=1 + ] + ) +fi +AC_CHECK_FILE("/dev/ptc", + [ + AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC) + have_dev_ptc=1 + ] +) + +# Some systems (defined in platform-specific code above) automagically remove +# Unix98 ptys when they are closed +if test "x$ac_cv_func_openpty" = "xyes" -o "x$have_dev_ptmx" = "x1" -o "x$have_dev_ptc" = "x1" ; then + if test "x$need_pty_removed_on_close" = "x1" ; then + AC_DEFINE(PTY_REMOVED_ON_CLOSE) + fi +fi + +# Options from here on. Some of these are preset by platform above + +# Check whether user wants GNOME ssh-askpass +AC_MSG_CHECKING([whether to build GNOME ssh-askpass]) +AC_ARG_WITH(gnome-askpass, + [ --with-gnome-askpass Build the GNOME passphrase requester (default=no)], + [ + if test x$withval = xno ; then + GNOME_ASKPASS=""; + else + GNOME_ASKPASS="gnome-ssh-askpass"; + fi + ]) +AC_SUBST(GNOME_ASKPASS) + +if test -z "$GNOME_ASKPASS" ; then + AC_MSG_RESULT(no) +else + AC_MSG_RESULT(yes) +fi + +# Check for user-specified random device, otherwise check /dev/urandom +AC_ARG_WITH(random, + [ --with-random=FILE read randomness from FILE (default=/dev/urandom)], + [ + RANDOM_POOL="$withval"; + AC_DEFINE_UNQUOTED(RANDOM_POOL, "$RANDOM_POOL") + ], + [ + # Check for random device + AC_CHECK_FILE("/dev/urandom", + [ + RANDOM_POOL="/dev/urandom"; + AC_SUBST(RANDOM_POOL) + AC_DEFINE_UNQUOTED(RANDOM_POOL, "$RANDOM_POOL") + ] + ) + ] +) + +# Check for EGD pool file +AC_ARG_WITH(egd-pool, + [ --with-egd-pool=FILE read randomness from EGD pool FILE (default none)], + [ + RANDOM_POOL="$withval"; + AC_DEFINE(HAVE_EGD) + AC_SUBST(RANDOM_POOL) + AC_DEFINE_UNQUOTED(RANDOM_POOL, "$RANDOM_POOL") + ] +) + +# Make sure we have some random number support +if test -z "$RANDOM_POOL" -a -z "$EGD_POOL"; then + AC_MSG_ERROR([No random device found, and no EGD random pool specified]) +fi + +AC_ARG_WITH(catman, + [ --with-catman=man|cat Install preformatted manpages[no]], + [ + MANTYPE='$(CATMAN)' + if test x"$withval" != x"yes" ; then + mansubdir=$withval + else + mansubdir=cat + fi + ], [ + if test -z "$MANTYPE" ; then + MANTYPE='$(TROFFMAN)' + mansubdir=man + fi + ] +) +AC_SUBST(MANTYPE) +AC_SUBST(mansubdir) + +# Check whether user wants Kerberos support +AC_ARG_WITH(kerberos4, + [ --with-kerberos4=PATH Enable Kerberos 4 support], + [ + if test "x$withval" != "$xno" ; then + + if test "x$withval" != "$xyes" ; then + CFLAGS="$CFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + else + if test -d /usr/include/kerberosIV ; then + CFLAGS="$CFLAGS -I/usr/include/kerberosIV" + fi + fi + + AC_CHECK_HEADERS(krb.h) + AC_CHECK_LIB(krb, main) + if test "$ac_cv_header_krb_h" != yes; then + AC_MSG_WARN([Cannot find krb.h, build may fail]) + fi + if test "$ac_cv_lib_krb_main" != yes; then + AC_MSG_WARN([Cannot find libkrb, build may fail]) + fi + + KLIBS="-lkrb -ldes" + AC_CHECK_LIB(resolv, dn_expand, , ) + KRB4=yes + AC_DEFINE(KRB4) + fi + ] +) + +# Check whether user wants AFS support +AC_ARG_WITH(afs, + [ --with-afs=PATH Enable AFS support], + [ + if test "x$withval" != "$xno" ; then + + if test "x$withval" != "$xyes" ; then + CFLAGS="$CFLAGS -I${withval}/include" + LFLAGS="$LFLAGS -L${withval}/lib" + fi + + if test -z "$KRB4" ; then + AC_MSG_WARN([AFS requires Kerberos IV support, build may fail]) + fi + + LIBS="$LIBS -lkafs" + if test ! -z "$AFS_LIBS" ; then + LIBS="$LIBS $AFS_LIBS" + fi + AC_DEFINE(AFS) + fi + ] +) +LIBS="$LIBS $KLIBS" + +# Check whether user wants S/Key support +AC_ARG_WITH(skey, + [ --with-skey Enable S/Key support], + [ + if test "x$withval" != "$xno" ; then + AC_DEFINE(SKEY) + LIBS="$LIBS -lskey" + fi + ] +) + +# Check whether user wants TCP wrappers support +AC_ARG_WITH(tcp-wrappers, + [ --with-tcp-wrappers Enable tcpwrappers support], + [ + if test "x$withval" != "$xno" ; then + saved_LIBS="$LIBS" + LIBS="$LIBS -lwrap" + AC_MSG_CHECKING(for libwrap) + AC_TRY_LINK( + [ + #include + int deny_severity = 0, allow_severity = 0; + ], + [hosts_access(0);], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(LIBWRAP) + ], + [ + AC_MSG_RESULT(no) + AC_MSG_WARN([*** libwrap missing - tcpwrapper support disabled ***]) + LIBS="$saved_LIBS" + ] + ) + fi + ] +) + +# Check whether to enable MD5 passwords +AC_ARG_WITH(md5-passwords, + [ --with-md5-passwords Enable use of MD5 passwords], + [ + if test "x$withval" != "$xno" ; then + AC_DEFINE(HAVE_MD5_PASSWORDS) + fi + ] +) + +# Check whether to enable utmpx support +AC_ARG_WITH(utmpx, + [ --with-utmpx Enable utmpx support], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE(USE_UTMPX) + fi + ] +) + +# Whether to disable shadow password support +AC_ARG_WITH(shadow, + [ --without-shadow Disable shadow password support], + [ + if test "x$withval" = "xno" ; then + AC_DEFINE(DISABLE_SHADOW) + fi + ] +) + +# Use ip address instead of hostname in $DISPLAY +AC_ARG_WITH(ipaddr-display, + [ --with-ipaddr-display Use ip address instead of hostname in \$DISPLAY], + [ + if test "x$withval" = "xno" ; then + AC_DEFINE(IPADDR_IN_DISPLAY) + fi + ] +) + +# Whether to mess with the default path +AC_ARG_WITH(default-path, + [ --with-default-path=PATH Specify default \$PATH environment for server], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE_UNQUOTED(USER_PATH, "$withval") + fi + ] +) + +# Whether to force IPv4 by default (needed on broken glibc Linux) +AC_ARG_WITH(ipv4-default, + [ --with-ipv4-default Use IPv4 by connections unless '-6' specified], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE(IPV4_DEFAULT) + fi + ] +) + +# Where to place sshd.pid +piddir=/var/run +AC_ARG_WITH(pid-dir, + [ --with-pid-dir=PATH Specify location of ssh.pid file], + [ + if test "x$withval" != "xno" ; then + piddir=$withval + fi + ] +) +AC_DEFINE_UNQUOTED(PIDDIR, "$piddir") +AC_SUBST(piddir) + +AC_OUTPUT(Makefile) diff -ruN ssh-openbsd-2000012700/defines.h openssh-1.2.2p1/defines.h --- ssh-openbsd-2000012700/defines.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/defines.h Fri Jan 21 00:18:15 2000 @@ -0,0 +1,258 @@ +#ifndef _DEFINES_H +#define _DEFINES_H + +/* Necessary headers */ + +#include +#include /* For SHUT_XXXX */ + +#ifdef HAVE_SYS_BITYPES_H +# include /* For u_intXX_t */ +#endif + +#ifdef HAVE_PATHS_H +# include /* For _PATH_XXX */ +#endif + +#ifdef HAVE_UTMP_H +# include /* For _PATH_XXX */ +#endif + +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) +# include /* For _PATH_XXX */ +#endif + +#ifdef HAVE_SYS_TIME_H +# include /* For timersub */ +#endif + +#ifdef HAVE_MAILLOCK_H +# include /* For _PATH_MAILDIR */ +#endif + +#ifdef HAVE_SYS_CDEFS_H +# include /* For __P() */ +#endif + +#ifdef HAVE_SYS_SYSMACROS_H +# include /* For MIN, MAX, etc */ +#endif + +/* Constants */ + +#ifndef SHUT_RDWR +enum +{ + SHUT_RD = 0, /* No more receptions. */ + SHUT_WR, /* No more transmissions. */ + SHUT_RDWR /* No more receptions or transmissions. */ +}; +# define SHUT_RD SHUT_RD +# define SHUT_WR SHUT_WR +# define SHUT_RDWR SHUT_RDWR +#endif + +/* Types */ + +/* If sys/types.h does not supply intXX_t, supply them ourselves */ +/* (or die trying) */ +#ifndef HAVE_INTXX_T +# if (SIZEOF_CHAR == 1) +typedef char int8_t; +# else +# error "8 bit int type not found." +# endif +# if (SIZEOF_SHORT_INT == 2) +typedef short int int16_t; +# else +# error "16 bit int type not found." +# endif +# if (SIZEOF_INT == 4) +typedef int int32_t; +# else +# error "32 bit int type not found." +# endif +# if (SIZEOF_LONG_INT == 8) +typedef long int int64_t; +# else +# if (SIZEOF_LONG_LONG_INT == 8) +typedef long long int int64_t; +# define HAVE_INTXX_T 1 +# else +# error "64 bit int type not found." +# endif +# endif +#endif + +/* If sys/types.h does not supply u_intXX_t, supply them ourselves */ +#ifndef HAVE_U_INTXX_T +# ifdef HAVE_UINTXX_T +typedef uint8_t u_int8_t; +typedef uint16_t u_int16_t; +typedef uint32_t u_int32_t; +typedef uint64_t u_int64_t; +# define HAVE_U_INTXX_T 1 +# else +# if (SIZEOF_CHAR == 1) +typedef unsigned char u_int8_t; +# else +# error "8 bit int type not found." +# endif +# if (SIZEOF_SHORT_INT == 2) +typedef unsigned short int u_int16_t; +# else +# error "16 bit int type not found." +# endif +# if (SIZEOF_INT == 4) +typedef unsigned int u_int32_t; +# else +# error "32 bit int type not found." +# endif +# if (SIZEOF_LONG_INT == 8) +typedef unsigned long int u_int64_t; +# else +# if (SIZEOF_LONG_LONG_INT == 8) +typedef unsigned long long int u_int64_t; +# define HAVE_U_INTXX_T 1 +# else +# error "64 bit int type not found." +# endif +# endif +# endif +#endif + +#ifndef HAVE_SOCKLEN_T +typedef unsigned int socklen_t; +# define HAVE_SOCKLEN_T +#endif /* HAVE_SOCKLEN_T */ + +#ifndef HAVE_SIZE_T +typedef unsigned int size_t; +# define HAVE_SIZE_T +#endif /* HAVE_SIZE_T */ + +#if !defined(HAVE_SS_FAMILY_IN_SS) && defined(HAVE___SS_FAMILY_IN_SS) +# define ss_family __ss_family +#endif /* !defined(HAVE_SS_FAMILY_IN_SS) && defined(HAVE_SA_FAMILY_IN_SS) */ + +/* Paths */ + +/* If _PATH_LASTLOG is not defined by system headers, set it to the */ +/* lastlog file detected by autoconf */ +#ifndef _PATH_LASTLOG +# ifdef LASTLOG_LOCATION +# define _PATH_LASTLOG LASTLOG_LOCATION +# endif +#endif + +#ifndef _PATH_UTMP +# ifdef UTMP_FILE +# define _PATH_UTMP UTMP_FILE +# else +# define _PATH_UTMP "/var/adm/utmp" +# endif +#endif + +#ifndef _PATH_WTMP +# ifdef WTMP_FILE +# define _PATH_WTMP WTMP_FILE +# else +# define _PATH_WTMP "/var/adm/wtmp" +# endif +#endif + +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) +# ifndef _PATH_UTMPX +# ifdef UTMPX_FILE +# define _PATH_UTMPX UTMPX_FILE +# else +# define _PATH_UTMPX "/var/adm/utmpx" +# endif +# endif +# ifndef _PATH_WTMPX +# ifdef WTMPX_FILE +# define _PATH_WTMPX WTMPX_FILE +# else +# define _PATH_WTMPX "/var/adm/wtmp" +# endif +# endif +#endif + +#ifndef _PATH_BSHELL +# define _PATH_BSHELL "/bin/sh" +#endif + +#ifdef USER_PATH +# ifdef _PATH_STDPATH +# undef _PATH_STDPATH +# endif +# define _PATH_STDPATH USER_PATH +#endif + +#ifndef _PATH_STDPATH +# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" +#endif + +#ifndef _PATH_DEVNULL +# define _PATH_DEVNULL "/dev/null" +#endif + +#ifndef MAILDIR +# define MAILDIR MAIL_DIRECTORY +#endif + +#if !defined(_PATH_MAILDIR) && defined(MAILDIR) +# define _PATH_MAILDIR MAILDIR +#endif /* !defined(_PATH_MAILDIR) && defined(MAILDIR) */ + +#ifndef _PATH_RSH +# ifdef RSH_PATH +# define _PATH_RSH RSH_PATH +# endif /* RSH_PATH */ +#endif /* _PATH_RSH */ + +/* Macros */ + +#ifndef MAX +# define MAX(a,b) (((a)>(b))?(a):(b)) +# define MIN(a,b) (((a)<(b))?(a):(b)) +#endif + +#ifndef timersub +#define timersub(a, b, result) \ + do { \ + (result)->tv_sec = (a)->tv_sec - (b)->tv_sec; \ + (result)->tv_usec = (a)->tv_usec - (b)->tv_usec; \ + if ((result)->tv_usec < 0) { \ + --(result)->tv_sec; \ + (result)->tv_usec += 1000000; \ + } \ + } while (0) +#endif + +#ifndef __P +# define __P(x) x +#endif + +#if !defined(__GNUC__) || (__GNUC__ < 2) +# define __attribute__(x) +#endif /* !defined(__GNUC__) || (__GNUC__ < 2) */ + +#if defined(HAVE_SECURITY_PAM_APPL_H) && !defined(DISABLE_PAM) +# define USE_PAM +#endif /* defined(HAVE_SECURITY_PAM_APPL_H) && !defined(DISABLE_PAM) */ + +/* Function replacement / compatibility hacks */ + +/* In older versions of libpam, pam_strerror takes a single argument */ +#ifdef HAVE_OLD_PAM +# define PAM_STRERROR(a,b) pam_strerror((b)) +#else +# define PAM_STRERROR(a,b) pam_strerror((a),(b)) +#endif + +#if defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO) +# undef HAVE_GETADDRINFO +#endif /* defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO) */ + +#endif /* _DEFINES_H */ diff -ruN ssh-openbsd-2000012700/fake-gai-errnos.h openssh-1.2.2p1/fake-gai-errnos.h --- ssh-openbsd-2000012700/fake-gai-errnos.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/fake-gai-errnos.h Fri Jan 14 15:45:48 2000 @@ -0,0 +1,12 @@ +/* + * fake library for ssh + * + * This file is included in getaddrinfo.c and getnameinfo.c. + * See getaddrinfo.c and getnameinfo.c. + */ + +/* for old netdb.h */ +#ifndef EAI_NODATA +#define EAI_NODATA 1 +#define EAI_MEMORY 2 +#endif diff -ruN ssh-openbsd-2000012700/fake-getaddrinfo.c openssh-1.2.2p1/fake-getaddrinfo.c --- ssh-openbsd-2000012700/fake-getaddrinfo.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/fake-getaddrinfo.c Fri Jan 14 15:45:49 2000 @@ -0,0 +1,119 @@ +/* + * fake library for ssh + * + * This file includes getaddrinfo(), freeaddrinfo() and gai_strerror(). + * These funtions are defined in rfc2133. + * + * But these functions are not implemented correctly. The minimum subset + * is implemented for ssh use only. For exapmle, this routine assumes + * that ai_family is AF_INET. Don't use it for another purpose. + * + * In the case not using 'configure --enable-ipv6', this getaddrinfo.c + * will be used if you have broken getaddrinfo or no getaddrinfo. + */ + +#include "includes.h" +#include "ssh.h" + +#ifndef HAVE_GAI_STRERROR +char * +gai_strerror(ecode) +int ecode; +{ + switch (ecode) { + case EAI_NODATA: + return "no address associated with hostname."; + case EAI_MEMORY: + return "memory allocation failure."; + default: + return "unknown error."; + } +} +#endif /* !HAVE_GAI_STRERROR */ + +#ifndef HAVE_FREEADDRINFO +void +freeaddrinfo(ai) +struct addrinfo *ai; +{ + struct addrinfo *next; + + do { + next = ai->ai_next; + free(ai); + } while (ai = next); +} +#endif /* !HAVE_FREEADDRINFO */ + +#ifndef HAVE_GETADDRINFO +static struct addrinfo * +malloc_ai(port, addr) +int port; +u_long addr; +{ + struct addrinfo *ai; + + if (ai = (struct addrinfo *)malloc(sizeof(struct addrinfo) + + sizeof(struct sockaddr_in))) { + memset(ai, 0, sizeof(struct addrinfo) + sizeof(struct sockaddr_in)); + ai->ai_addr = (struct sockaddr *)(ai + 1); + /* XXX -- ssh doesn't use sa_len */ + ai->ai_addrlen = sizeof(struct sockaddr_in); + ai->ai_addr->sa_family = ai->ai_family = AF_INET; + ((struct sockaddr_in *)(ai)->ai_addr)->sin_port = port; + ((struct sockaddr_in *)(ai)->ai_addr)->sin_addr.s_addr = addr; + return ai; + } else { + return NULL; + } +} + +int +getaddrinfo(hostname, servname, hints, res) +const char *hostname, *servname; +const struct addrinfo *hints; +struct addrinfo **res; +{ + struct addrinfo *cur, *prev = NULL; + struct hostent *hp; + int i, port; + + if (servname) + port = htons(atoi(servname)); + else + port = 0; + if (hints && hints->ai_flags & AI_PASSIVE) + if (*res = malloc_ai(port, htonl(0x00000000))) + return 0; + else + return EAI_MEMORY; + if (!hostname) + if (*res = malloc_ai(port, htonl(0x7f000001))) + return 0; + else + return EAI_MEMORY; + if (inet_addr(hostname) != -1) + if (*res = malloc_ai(port, inet_addr(hostname))) + return 0; + else + return EAI_MEMORY; + if ((hp = gethostbyname(hostname)) && + hp->h_name && hp->h_name[0] && hp->h_addr_list[0]) { + for (i = 0; hp->h_addr_list[i]; i++) + if (cur = malloc_ai(port, + ((struct in_addr *)hp->h_addr_list[i])->s_addr)) { + if (prev) + prev->ai_next = cur; + else + *res = cur; + prev = cur; + } else { + if (*res) + freeaddrinfo(*res); + return EAI_MEMORY; + } + return 0; + } + return EAI_NODATA; +} +#endif /* !HAVE_GETADDRINFO */ diff -ruN ssh-openbsd-2000012700/fake-getaddrinfo.h openssh-1.2.2p1/fake-getaddrinfo.h --- ssh-openbsd-2000012700/fake-getaddrinfo.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/fake-getaddrinfo.h Sun Jan 16 18:19:25 2000 @@ -0,0 +1,45 @@ +#ifndef _FAKE_GETADDRINFO_H +#define _FAKE_GETADDRINFO_H + +#include "config.h" + +#include "fake-gai-errnos.h" + +#ifndef AI_PASSIVE +# define AI_PASSIVE 1 +# define AI_CANONNAME 2 +#endif + +#ifndef NI_NUMERICHOST +# define NI_NUMERICHOST 2 +# define NI_NAMEREQD 4 +# define NI_NUMERICSERV 8 +#endif + +#ifndef HAVE_STRUCT_ADDRINFO +struct addrinfo { + int ai_flags; /* AI_PASSIVE, AI_CANONNAME */ + int ai_family; /* PF_xxx */ + int ai_socktype; /* SOCK_xxx */ + int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */ + size_t ai_addrlen; /* length of ai_addr */ + char *ai_canonname; /* canonical name for hostname */ + struct sockaddr *ai_addr; /* binary address */ + struct addrinfo *ai_next; /* next structure in linked list */ +}; +#endif /* !HAVE_STRUCT_ADDRINFO */ + +#ifndef HAVE_GETADDRINFO +int getaddrinfo(const char *hostname, const char *servname, + const struct addrinfo *hints, struct addrinfo **res); +#endif /* !HAVE_GETADDRINFO */ + +#ifndef HAVE_GAI_STRERROR +char *gai_strerror(int ecode); +#endif /* !HAVE_GAI_STRERROR */ + +#ifndef HAVE_FREEADDRINFO +void freeaddrinfo(struct addrinfo *ai); +#endif /* !HAVE_FREEADDRINFO */ + +#endif /* _FAKE_GETADDRINFO_H */ diff -ruN ssh-openbsd-2000012700/fake-getnameinfo.c openssh-1.2.2p1/fake-getnameinfo.c --- ssh-openbsd-2000012700/fake-getnameinfo.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/fake-getnameinfo.c Fri Jan 14 15:45:49 2000 @@ -0,0 +1,61 @@ +/* + * fake library for ssh + * + * This file includes getnameinfo(). + * These funtions are defined in rfc2133. + * + * But these functions are not implemented correctly. The minimum subset + * is implemented for ssh use only. For exapmle, this routine assumes + * that ai_family is AF_INET. Don't use it for another purpose. + * + * In the case not using 'configure --enable-ipv6', this getnameinfo.c + * will be used if you have broken getnameinfo or no getnameinfo. + */ + +#include "includes.h" +#include "ssh.h" + +#ifndef HAVE_GETNAMEINFO +int +getnameinfo(sa, salen, host, hostlen, serv, servlen, flags) +const struct sockaddr *sa; +size_t salen; +char *host; +size_t hostlen; +char *serv; +size_t servlen; +int flags; +{ + struct sockaddr_in *sin = (struct sockaddr_in *)sa; + struct hostent *hp; + char tmpserv[16]; + + if (serv) { + sprintf(tmpserv, "%d", ntohs(sin->sin_port)); + if (strlen(tmpserv) > servlen) + return EAI_MEMORY; + else + strcpy(serv, tmpserv); + } + if (host) + if (flags & NI_NUMERICHOST) + if (strlen(inet_ntoa(sin->sin_addr)) > hostlen) + return EAI_MEMORY; + else { + strcpy(host, inet_ntoa(sin->sin_addr)); + return 0; + } + else + if (hp = gethostbyaddr((char *)&sin->sin_addr, sizeof(struct in_addr), + AF_INET)) + if (strlen(hp->h_name) > hostlen) + return EAI_MEMORY; + else { + strcpy(host, hp->h_name); + return 0; + } + else + return EAI_NODATA; + return 0; +} +#endif /* !HAVE_GETNAMEINFO */ diff -ruN ssh-openbsd-2000012700/fake-getnameinfo.h openssh-1.2.2p1/fake-getnameinfo.h --- ssh-openbsd-2000012700/fake-getnameinfo.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/fake-getnameinfo.h Fri Jan 14 15:45:49 2000 @@ -0,0 +1,17 @@ +#ifndef _FAKE_GETNAMEINFO_H +#define _FAKE_GETNAMEINFO_H + +#include "config.h" +#ifndef HAVE_GETNAMEINFO +int getnameinfo(const struct sockaddr *sa, size_t salen, char *host, + size_t hostlen, char *serv, size_t servlen, int flags); +#endif /* !HAVE_GETNAMEINFO */ + +#ifndef NI_MAXSERV +# define NI_MAXSERV 32 +#endif /* !NI_MAXSERV */ +#ifndef NI_MAXHOST +# define NI_MAXHOST 1025 +#endif /* !NI_MAXHOST */ + +#endif /* _FAKE_GETNAMEINFO_H */ diff -ruN ssh-openbsd-2000012700/fake-socket.h openssh-1.2.2p1/fake-socket.h --- ssh-openbsd-2000012700/fake-socket.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/fake-socket.h Fri Jan 14 15:45:49 2000 @@ -0,0 +1,49 @@ +#ifndef _FAKE_SOCKET_H +#define _FAKE_SOCKET_H + +#include "config.h" +#include "sys/types.h" + +#ifndef HAVE_STRUCT_SOCKADDR_STORAGE +#define _SS_MAXSIZE 128 /* Implementation specific max size */ +#define _SS_ALIGNSIZE (sizeof(int)) +#define _SS_PAD1SIZE (_SS_ALIGNSIZE - sizeof(u_short)) +#define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof(u_short) + \ + _SS_PAD1SIZE + _SS_ALIGNSIZE)) + +struct sockaddr_storage { + u_short ss_family; + char __ss_pad1[_SS_PAD1SIZE]; + int __ss_align; + char __ss_pad2[_SS_PAD2SIZE]; +}; +#endif /* !HAVE_STRUCT_SOCKADDR_STORAGE */ + +#ifndef IN6_IS_ADDR_LOOPBACK +#define IN6_IS_ADDR_LOOPBACK(a) \ + (((u_int32_t *) (a))[0] == 0 && ((u_int32_t *) (a))[1] == 0 && \ + ((u_int32_t *) (a))[2] == 0 && ((u_int32_t *) (a))[3] == htonl (1)) +#endif /* !IN6_IS_ADDR_LOOPBACK */ + +#ifndef HAVE_STRUCT_IN6_ADDR +struct in6_addr { + u_int8_t s6_addr[16]; +}; +#endif /* !HAVE_STRUCT_IN6_ADDR */ + +#ifndef HAVE_STRUCT_SOCKADDR_IN6 +struct sockaddr_in6 { + unsigned short sin6_family; + u_int16_t sin6_port; + u_int32_t sin6_flowinfo; + struct in6_addr sin6_addr; +}; +#endif /* !HAVE_STRUCT_SOCKADDR_IN6 */ + +#ifndef AF_INET6 +/* Define it to something that should never appear */ +#define AF_INET6 AF_MAX +#endif + +#endif /* !_FAKE_SOCKET_H */ + diff -ruN ssh-openbsd-2000012700/fingerprint.c openssh-1.2.2p1/fingerprint.c --- ssh-openbsd-2000012700/fingerprint.c Thu Nov 25 03:15:25 1999 +++ openssh-1.2.2p1/fingerprint.c Tue Dec 7 17:03:33 1999 @@ -32,7 +32,12 @@ #include "ssh.h" #include "xmalloc.h" +#ifdef HAVE_OPENSSL +#include +#endif +#ifdef HAVE_SSL #include +#endif #define FPRINT "%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x" diff -ruN ssh-openbsd-2000012700/fixpaths openssh-1.2.2p1/fixpaths --- ssh-openbsd-2000012700/fixpaths Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/fixpaths Thu Jan 20 23:13:36 2000 @@ -0,0 +1,49 @@ +#!/usr/bin/perl -w +# +# fixpaths - substitute makefile variables into text files + + +$usage = "Usage: $0 [-x] [-Dstring=replacement] [[infile] ...]\n"; + +$ext="out"; + +if (!defined(@ARGV)) { die ("$usage"); } + +# read in the command line and get some definitions +while ($_=$ARGV[0], /^-/) { + if (/^-[Dx]/) { + # definition + shift(@ARGV); + if ( /-D(.*)=(.*)/ ) { + $def{"$1"}=$2; + } elsif ( /-x\s*(\w+)/ ) { + $ext=$1; + } else { + die ("$usage$0: error in command line arguments.\n"); + } + } else { + die ("$usage$0: unknown option '-".$ARGV[0][1]."'\n"); + } +} # while parsing arguments + +if (!defined(%def)) { + die ("$0: nothing to do - no substitutions listed!\n"); +} + +for $f (@ARGV) { + + $f =~ /(.*\/)*(.*)$/; + $of = $2.".$ext"; + + open(IN, "<$f") || die ("$0: input file $f missing!\n"); + if (open(OUT, ">$of")) { + while () { + for $s (keys(%def)) { + s#$s#$def{$s}#; + } # for $s + print OUT; + } # while + } # if (outfile open) +} # for $f + +exit 0; diff -ruN ssh-openbsd-2000012700/gnome-ssh-askpass.c openssh-1.2.2p1/gnome-ssh-askpass.c --- ssh-openbsd-2000012700/gnome-ssh-askpass.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/gnome-ssh-askpass.c Mon Nov 22 22:42:17 1999 @@ -0,0 +1,125 @@ +/* +** +** GNOME ssh passphrase requestor +** +** Damien Miller +** +** Copyright 1999 Internet Business Solutions +** +** Permission is hereby granted, free of charge, to any person +** obtaining a copy of this software and associated documentation +** files (the "Software"), to deal in the Software without +** restriction, including without limitation the rights to use, copy, +** modify, merge, publish, distribute, sublicense, and/or sell copies +** of the Software, and to permit persons to whom the Software is +** furnished to do so, subject to the following conditions: +** +** The above copyright notice and this permission notice shall be +** included in all copies or substantial portions of the Software. +** +** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY +** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE +** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE +** AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER OR INTERNET +** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE +** OR OTHER DEALINGS IN THE SOFTWARE. +** +** Except as contained in this notice, the name of Internet Business +** Solutions shall not be used in advertising or otherwise to promote +** the sale, use or other dealings in this Software without prior +** written authorization from Internet Business Solutions. +** +*/ + +#include +#include +#include +#include +#include +#include + +int passphrase_dialog(char **passphrase_p, char *message) +{ + char *passphrase; + int result; + + GtkWidget *dialog, *entry, *label; + + dialog = gnome_dialog_new("OpenSSH", GNOME_STOCK_BUTTON_OK, + GNOME_STOCK_BUTTON_CANCEL, NULL); + + label = gtk_label_new(message); + gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), label, FALSE, + FALSE, 0); + + entry = gtk_entry_new(); + gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE, + FALSE, 0); + gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); + gtk_widget_grab_focus(entry); + + /* Center window and prepare for grab */ + gtk_object_set(GTK_OBJECT(dialog), "type", GTK_WINDOW_POPUP, NULL); + gnome_dialog_set_default(GNOME_DIALOG(dialog), 0); + gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER); + gtk_window_set_policy(GTK_WINDOW(dialog), FALSE, FALSE, TRUE); + gnome_dialog_close_hides(GNOME_DIALOG(dialog), TRUE); + gtk_container_set_border_width(GTK_CONTAINER(GNOME_DIALOG(dialog)->vbox), GNOME_PAD); + gtk_widget_show_all(dialog); + + /* Grab focus */ + XGrabServer(GDK_DISPLAY()); + gdk_pointer_grab(dialog->window, TRUE, 0, NULL, NULL, GDK_CURRENT_TIME); + gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME); + + /* Make close dialog */ + gnome_dialog_editable_enters(GNOME_DIALOG(dialog), GTK_EDITABLE(entry)); + + /* Run dialog */ + result = gnome_dialog_run(GNOME_DIALOG(dialog)); + + /* Ungrab */ + XUngrabServer(GDK_DISPLAY()); + gdk_pointer_ungrab(GDK_CURRENT_TIME); + gdk_keyboard_ungrab(GDK_CURRENT_TIME); + gdk_flush(); + + passphrase = gtk_entry_get_text(GTK_ENTRY(entry)); + + /* Take copy of passphrase if user selected OK */ + if (result == 0) + *passphrase_p = strdup(passphrase); + else + *passphrase_p = NULL; + + /* Zero existing passphrase */ + memset(passphrase, '\0', strlen(passphrase)); + gtk_entry_set_text(GTK_ENTRY(entry), passphrase); + + gnome_dialog_close(GNOME_DIALOG(dialog)); + + return (result == 0); +} + +int main(int argc, char **argv) +{ + char *passphrase; + char *message; + + gnome_init("GNOME ssh-askpass", "0.1", argc, argv); + + if (argc == 2) + message = argv[1]; + else + message = "Enter your OpenSSH passphrase:"; + + if (passphrase_dialog(&passphrase, message)) + { + puts(passphrase); + memset(passphrase, '\0', strlen(passphrase)); + } + + return 0; +} diff -ruN ssh-openbsd-2000012700/includes.h openssh-1.2.2p1/includes.h --- ssh-openbsd-2000012700/includes.h Thu Nov 25 06:53:47 1999 +++ openssh-1.2.2p1/includes.h Tue Feb 1 23:05:30 2000 @@ -19,15 +19,14 @@ #define RCSID(msg) \ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg } +#include "config.h" + #include #include -#include #include #include -#include #include #include -#include #include #include @@ -38,7 +37,6 @@ #include #include -#include #include #include #include @@ -52,18 +50,78 @@ #include #include #include -#include #include +#ifdef HAVE_BSTRING_H +# include +#endif +#ifdef HAVE_NETGROUP_H +# include +#endif +#ifdef HAVE_NETDB_H +# include +#endif +#ifdef HAVE_PATHS_H +# include +#endif +#ifdef HAVE_ENDIAN_H +# include +#endif +#ifdef HAVE_SYS_SELECT_H +# include +#endif +#ifdef HAVE_SYS_TIME_H +# include +#endif +#ifdef HAVE_SYS_BSDTTY_H +# include +#endif +#ifdef USE_PAM +# include +#endif +#ifdef HAVE_POLL_H +# include +#else +# ifdef HAVE_SYS_POLL_H +# include +# endif +#endif +#ifdef HAVE_SYS_SYSMACROS_H +# include +#endif + #include "version.h" +/* BSD function replacements */ +#include "bsd-bindresvport.h" +#include "bsd-rresvport.h" +#include "bsd-misc.h" +#include "bsd-strlcpy.h" +#include "bsd-strlcat.h" +#include "bsd-mktemp.h" +#include "bsd-snprintf.h" +#include "bsd-daemon.h" +#include "bsd-login.h" + +/* rfc2553 socket API replacements */ +#include "fake-getaddrinfo.h" +#include "fake-getnameinfo.h" +#include "fake-socket.h" + /* Define this to be the path of the xauth program. */ +#ifndef XAUTH_PATH #define XAUTH_PATH "/usr/X11R6/bin/xauth" +#endif /* XAUTH_PATH */ + +/* Define this to be the path of the rsh program. */ +#ifndef _PATH_RSH +#define _PATH_RSH "/usr/bin/rsh" +#endif /* _PATH_RSH */ /* * Define this to use pipes instead of socketpairs for communicating with the * client program. Socketpairs do not seem to work on all systems. */ -#define USE_PIPES 1 +/* #define USE_PIPES 1 */ #endif /* INCLUDES_H */ diff -ruN ssh-openbsd-2000012700/install-sh openssh-1.2.2p1/install-sh --- ssh-openbsd-2000012700/install-sh Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/install-sh Thu Nov 25 12:31:26 1999 @@ -0,0 +1,251 @@ +#!/bin/sh +# +# install - install a program, script, or datafile +# This comes from X11R5 (mit/util/scripts/install.sh). +# +# Copyright 1991 by the Massachusetts Institute of Technology +# +# Permission to use, copy, modify, distribute, and sell this software and its +# documentation for any purpose is hereby granted without fee, provided that +# the above copyright notice appear in all copies and that both that +# copyright notice and this permission notice appear in supporting +# documentation, and that the name of M.I.T. not be used in advertising or +# publicity pertaining to distribution of the software without specific, +# written prior permission. M.I.T. makes no representations about the +# suitability of this software for any purpose. It is provided "as is" +# without express or implied warranty. +# +# Calling this script install-sh is preferred over install.sh, to prevent +# `make' implicit rules from creating a file called install from it +# when there is no Makefile. +# +# This script is compatible with the BSD install script, but was written +# from scratch. It can only install one file at a time, a restriction +# shared with many OS's install programs. + + +# set DOITPROG to echo to test this script + +# Don't use :- since 4.3BSD and earlier shells don't like it. +doit="${DOITPROG-}" + + +# put in absolute paths if you don't have them in your path; or use env. vars. + +mvprog="${MVPROG-mv}" +cpprog="${CPPROG-cp}" +chmodprog="${CHMODPROG-chmod}" +chownprog="${CHOWNPROG-chown}" +chgrpprog="${CHGRPPROG-chgrp}" +stripprog="${STRIPPROG-strip}" +rmprog="${RMPROG-rm}" +mkdirprog="${MKDIRPROG-mkdir}" + +transformbasename="" +transform_arg="" +instcmd="$mvprog" +chmodcmd="$chmodprog 0755" +chowncmd="" +chgrpcmd="" +stripcmd="" +rmcmd="$rmprog -f" +mvcmd="$mvprog" +src="" +dst="" +dir_arg="" + +while [ x"$1" != x ]; do + case $1 in + -c) instcmd="$cpprog" + shift + continue;; + + -d) dir_arg=true + shift + continue;; + + -m) chmodcmd="$chmodprog $2" + shift + shift + continue;; + + -o) chowncmd="$chownprog $2" + shift + shift + continue;; + + -g) chgrpcmd="$chgrpprog $2" + shift + shift + continue;; + + -s) stripcmd="$stripprog" + shift + continue;; + + -t=*) transformarg=`echo $1 | sed 's/-t=//'` + shift + continue;; + + -b=*) transformbasename=`echo $1 | sed 's/-b=//'` + shift + continue;; + + *) if [ x"$src" = x ] + then + src=$1 + else + # this colon is to work around a 386BSD /bin/sh bug + : + dst=$1 + fi + shift + continue;; + esac +done + +if [ x"$src" = x ] +then + echo "install: no input file specified" + exit 1 +else + true +fi + +if [ x"$dir_arg" != x ]; then + dst=$src + src="" + + if [ -d $dst ]; then + instcmd=: + chmodcmd="" + else + instcmd=mkdir + fi +else + +# Waiting for this to be detected by the "$instcmd $src $dsttmp" command +# might cause directories to be created, which would be especially bad +# if $src (and thus $dsttmp) contains '*'. + + if [ -f $src -o -d $src ] + then + true + else + echo "install: $src does not exist" + exit 1 + fi + + if [ x"$dst" = x ] + then + echo "install: no destination specified" + exit 1 + else + true + fi + +# If destination is a directory, append the input filename; if your system +# does not like double slashes in filenames, you may need to add some logic + + if [ -d $dst ] + then + dst="$dst"/`basename $src` + else + true + fi +fi + +## this sed command emulates the dirname command +dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'` + +# Make sure that the destination directory exists. +# this part is taken from Noah Friedman's mkinstalldirs script + +# Skip lots of stat calls in the usual case. +if [ ! -d "$dstdir" ]; then +defaultIFS=' +' +IFS="${IFS-${defaultIFS}}" + +oIFS="${IFS}" +# Some sh's can't handle IFS=/ for some reason. +IFS='%' +set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'` +IFS="${oIFS}" + +pathcomp='' + +while [ $# -ne 0 ] ; do + pathcomp="${pathcomp}${1}" + shift + + if [ ! -d "${pathcomp}" ] ; + then + $mkdirprog "${pathcomp}" + else + true + fi + + pathcomp="${pathcomp}/" +done +fi + +if [ x"$dir_arg" != x ] +then + $doit $instcmd $dst && + + if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi && + if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi && + if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi && + if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi +else + +# If we're going to rename the final executable, determine the name now. + + if [ x"$transformarg" = x ] + then + dstfile=`basename $dst` + else + dstfile=`basename $dst $transformbasename | + sed $transformarg`$transformbasename + fi + +# don't allow the sed command to completely eliminate the filename + + if [ x"$dstfile" = x ] + then + dstfile=`basename $dst` + else + true + fi + +# Make a temp file name in the proper directory. + + dsttmp=$dstdir/#inst.$$# + +# Move or copy the file name to the temp name + + $doit $instcmd $src $dsttmp && + + trap "rm -f ${dsttmp}" 0 && + +# and set any options; do chmod last to preserve setuid bits + +# If any of these fail, we abort the whole thing. If we want to +# ignore errors from any of these, just make sure not to ignore +# errors from the above "$doit $instcmd $src $dsttmp" command. + + if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi && + if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi && + if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi && + if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi && + +# Now rename the file to the real destination. + + $doit $rmcmd -f $dstdir/$dstfile && + $doit $mvcmd $dsttmp $dstdir/$dstfile + +fi && + + +exit 0 diff -ruN ssh-openbsd-2000012700/lib/Makefile openssh-1.2.2p1/lib/Makefile --- ssh-openbsd-2000012700/lib/Makefile Tue Dec 7 08:47:11 1999 +++ openssh-1.2.2p1/lib/Makefile Thu Jan 1 10:00:00 1970 @@ -1,25 +0,0 @@ -.PATH: ${.CURDIR}/.. - -LIB= ssh -SRCS= authfd.c authfile.c bufaux.c buffer.c canohost.c channels.c \ - cipher.c compat.c compress.c crc32.c deattack.c fingerprint.c \ - hostfile.c log.c match.c mpaux.c nchan.c packet.c readpass.c \ - rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c atomicio.c - -NOPROFILE= yes -NOPIC= yes - -install: - @echo -n - -.include - -.if (${KERBEROS} == "yes") -CFLAGS+= -DKRB4 -I/usr/include/kerberosIV -.if (${AFS} == "yes") -CFLAGS+= -DAFS -SRCS+= radix.c -.endif # AFS -.endif # KERBEROS - -.include diff -ruN ssh-openbsd-2000012700/log-client.c openssh-1.2.2p1/log-client.c --- ssh-openbsd-2000012700/log-client.c Wed Nov 24 11:26:02 1999 +++ openssh-1.2.2p1/log-client.c Fri Jan 21 00:18:16 2000 @@ -45,12 +45,12 @@ } } -#define MSGBUFSIZE 1024 +#define SSH_MSGBUFSIZE 1024 void do_log(LogLevel level, const char *fmt, va_list args) { - char msgbuf[MSGBUFSIZE]; + char msgbuf[SSH_MSGBUFSIZE]; if (level > log_level) return; diff -ruN ssh-openbsd-2000012700/log-server.c openssh-1.2.2p1/log-server.c --- ssh-openbsd-2000012700/log-server.c Wed Nov 24 11:26:02 1999 +++ openssh-1.2.2p1/log-server.c Fri Jan 21 00:18:16 2000 @@ -22,6 +22,12 @@ #include "xmalloc.h" #include "ssh.h" +#ifdef HAVE___PROGNAME +extern char *__progname; +#else /* HAVE___PROGNAME */ +const char *__progname = "sshd"; +#endif /* HAVE___PROGNAME */ + static LogLevel log_level = SYSLOG_LEVEL_INFO; static int log_on_stderr = 0; static int log_facility = LOG_AUTH; @@ -91,16 +97,15 @@ log_on_stderr = on_stderr; } -#define MSGBUFSIZE 1024 +#define SSH_MSGBUFSIZE 1024 void do_log(LogLevel level, const char *fmt, va_list args) { - char msgbuf[MSGBUFSIZE]; - char fmtbuf[MSGBUFSIZE]; + char msgbuf[SSH_MSGBUFSIZE]; + char fmtbuf[SSH_MSGBUFSIZE]; char *txt = NULL; int pri = LOG_INFO; - extern char *__progname; if (level > log_level) return; diff -ruN ssh-openbsd-2000012700/login.c openssh-1.2.2p1/login.c --- ssh-openbsd-2000012700/login.c Tue Jan 4 11:07:59 2000 +++ openssh-1.2.2p1/login.c Wed Feb 2 19:17:41 2000 @@ -20,10 +20,24 @@ #include "includes.h" RCSID("$Id: login.c,v 1.11 2000/01/04 00:07:59 markus Exp $"); -#include -#include +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) +# include +#endif +#ifdef HAVE_UTMP_H +# include +#endif #include "ssh.h" +#ifdef HAVE_UTIL_H +# include +#endif +#ifdef HAVE_LASTLOG_H +# include +#endif +#ifdef HAVE_LOGIN_H +# include +#endif + /* * Returns the time when the user last logged in. Returns 0 if the * information is not available. This must be called before record_login. @@ -39,17 +53,28 @@ get_last_login_time(uid_t uid, const char *logname, char *buf, unsigned int bufsize) { +#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) struct lastlog ll; char *lastlog; int fd; +#ifdef LASTLOG_IS_DIR + char lbuf[1024]; +#endif /* LASTLOG_IS_DIR */ lastlog = _PATH_LASTLOG; buf[0] = '\0'; +#ifndef LASTLOG_IS_DIR fd = open(lastlog, O_RDONLY); if (fd < 0) return 0; lseek(fd, (off_t) ((long) uid * sizeof(ll)), SEEK_SET); +#else /* LASTLOG_IS_DIR */ + snprintf(lbuf, sizeof(buf), "%s/%s", lastlog, logname); + fd = open(lbuf, O_RDONLY); + if (fd < 0) + return 0; +#endif /* LASTLOG_IS_DIR */ if (read(fd, &ll, sizeof(ll)) != sizeof(ll)) { close(fd); return 0; @@ -60,6 +85,49 @@ strncpy(buf, ll.ll_host, bufsize - 1); buf[bufsize - 1] = 0; return ll.ll_time; + +#else /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ + /* Look in wtmp for the last login */ + struct utmp wt; + char *wt_file = _PATH_WTMP; + int fd1; + unsigned long t = 0; + + if ( (fd1 = open(wt_file, O_RDONLY)) < 0 ) { + error("Couldn't open %.100s to find last login time.", wt_file); + return 0; + } + + /* seek to last record of file */ + lseek(fd1, (off_t)(0-sizeof(struct utmp)), SEEK_END); + + /* loop through wtmp for our last user login record */ + do { + if (read(fd1, &wt, sizeof(wt)) != sizeof(wt)) { + close(fd1); + return 0; + } + + if ( wt.ut_type == USER_PROCESS) { + if ( !strncmp(logname, wt.ut_user, 8) ) { + t = (unsigned long) wt.ut_time; +#ifdef HAVE_HOST_IN_UTMP + if (bufsize > sizeof(wt.ut_host) + 1) + bufsize = sizeof(wt.ut_host) + 1; + strncpy(buf, wt.ut_host, bufsize - 1); + buf[bufsize - 1] = 0; +#else /* HAVE_HOST_IN_UTMP */ + buf[0] = 0; +#endif /* HAVE_HOST_IN_UTMP */ + } + } + + if (lseek(fd1, (off_t)(0-2*sizeof(struct utmp)), SEEK_CUR) == -1) + break; + } while (t == 0); + + return t; +#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ } /* @@ -71,28 +139,111 @@ record_login(int pid, const char *ttyname, const char *user, uid_t uid, const char *host, struct sockaddr * addr) { - int fd; +#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) struct lastlog ll; char *lastlog; +#ifdef LASTLOG_IS_DIR + char buf[1024]; +#endif /* LASTLOG_IS_DIR */ +#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ struct utmp u; - const char *utmp, *wtmp; +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) + struct utmpx utx; +#endif /* Construct an utmp/wtmp entry. */ memset(&u, 0, sizeof(u)); strncpy(u.ut_line, ttyname + 5, sizeof(u.ut_line)); - u.ut_time = time(NULL); +#if defined(HAVE_ID_IN_UTMP) + strncpy(u.ut_id, ttyname + 8, sizeof(u.ut_id)); +#endif /* defined(HAVE_ID_IN_UTMP) */ strncpy(u.ut_name, user, sizeof(u.ut_name)); +#if defined(HAVE_TV_IN_UTMP) + (void)gettimeofday(&u.ut_tv, NULL); +#else /* defined(HAVE_TV_IN_UTMP) */ + u.ut_time = time(NULL); +#endif /* defined(HAVE_TV_IN_UTMP) */ +#if defined(HAVE_PID_IN_UTMP) + u.ut_pid = (pid_t)pid; +#endif /* HAVE_PID_IN_UTMP */ +#if defined(HAVE_TYPE_IN_UTMP) + u.ut_type = (uid == -1)?DEAD_PROCESS:USER_PROCESS; +#endif /* HAVE_TYPE_IN_UTMP */ +#if defined(HAVE_HOST_IN_UTMP) strncpy(u.ut_host, host, sizeof(u.ut_host)); +#endif +#if defined(HAVE_ADDR_IN_UTMP) + if (addr) { + switch (addr->sa_family) { + case AF_INET: { + struct sockaddr_in *in = (struct sockaddr_in*)addr; + memcpy(&(u.ut_addr), &(in->sin_addr), sizeof(&(in->sin_addr))); + break; + } +#if defined(HAVE_ADDR_V6_IN_UTMP) + case AF_INET6: { + struct sockaddr_in6 *in6 = (struct sockaddr_in6*)addr; + memcpy(u.ut_addr_v6, &(in6->sin6_addr), sizeof(&(in6->sin6_addr))); + break; + } +#endif + default: + break; + } + } +#endif - /* Figure out the file names. */ - utmp = _PATH_UTMP; - wtmp = _PATH_WTMP; +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) + memset(&utx, 0, sizeof(utx)); + strncpy(utx.ut_user, user, sizeof(utx.ut_name)); + strncpy(utx.ut_line, ttyname + 5, sizeof(utx.ut_line)); + strncpy(utx.ut_id, ttyname + 8, sizeof(utx.ut_id)); + utx.ut_pid = (pid_t)pid; + (void)gettimeofday(&utx.ut_tv, NULL); + utx.ut_type = (uid == -1)?DEAD_PROCESS:USER_PROCESS; +# ifdef HAVE_HOST_IN_UTMPX +# ifdef HAVE_SYSLEN_IN_UTMPX + utx.ut_syslen = strlen(host); + strncpy(utx.ut_host, host, utx.ut_syslen); +# else + strncpy(utx.ut_host, host, sizeof(utx.ut_host)); +# endif /* HAVE_SYSLEN_IN_UTMPX */ +# endif +#if defined(HAVE_ADDR_IN_UTMPX) + if (addr) { + switch (addr->sa_family) { + case AF_INET: { + struct sockaddr_in *in = (struct sockaddr_in*)addr; + memcpy(&(utx.ut_addr), &(in->sin_addr), sizeof(&(in->sin_addr))); + break; + } +#if defined(HAVE_ADDR_V6_IN_UTMPX) + case AF_INET6: { + struct sockaddr_in6 *in6 = (struct sockaddr_in6*)addr; + memcpy(utx.ut_addr_v6, &(in6->sin6_addr), sizeof(&(in6->sin6_addr))); + break; + } +#endif + default: + break; + } + } +#endif +#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ +/*#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) && !defined(HAVE_LOGIN)*/ +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) + login(&u, &utx); +#else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ login(&u); +#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ + +#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) lastlog = _PATH_LASTLOG; /* Update lastlog unless actually recording a logout. */ if (strcmp(user, "") != 0) { + int fd; /* * It is safer to bzero the lastlog structure first because * some systems might have some extra fields in it (e.g. SGI) @@ -103,14 +254,21 @@ ll.ll_time = time(NULL); strncpy(ll.ll_line, ttyname + 5, sizeof(ll.ll_line)); strncpy(ll.ll_host, host, sizeof(ll.ll_host)); +#ifdef LASTLOG_IS_DIR + snprintf(buf, sizeof(buf), "%s/%s", lastlog, user); + fd = open(buf, O_RDWR); + if (fd >= 0) { +#else /* LASTLOG_IS_DIR */ fd = open(lastlog, O_RDWR); if (fd >= 0) { lseek(fd, (off_t) ((long) uid * sizeof(ll)), SEEK_SET); +#endif /* LASTLOG_IS_DIR */ if (write(fd, &ll, sizeof(ll)) != sizeof(ll)) log("Could not write %.100s: %.100s", lastlog, strerror(errno)); close(fd); } } +#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ } /* Records that the user has logged out. */ @@ -118,7 +276,11 @@ void record_logout(int pid, const char *ttyname) { +#ifdef HAVE_LIBUTIL_LOGIN const char *line = ttyname + 5; /* /dev/ttyq8 -> ttyq8 */ if (logout(line)) logwtmp(line, "", ""); +#else /* HAVE_LIBUTIL_LOGIN */ + record_login(pid, ttyname, "", -1, "", NULL); +#endif /* HAVE_LIBUTIL_LOGIN */ } diff -ruN ssh-openbsd-2000012700/md5crypt.c openssh-1.2.2p1/md5crypt.c --- ssh-openbsd-2000012700/md5crypt.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/md5crypt.c Tue Dec 28 15:09:36 1999 @@ -0,0 +1,166 @@ +/* + * ---------------------------------------------------------------------------- + * "THE BEER-WARE LICENSE" (Revision 42): + * wrote this file. As long as you retain this notice you + * can do whatever you want with this stuff. If we meet some day, and you think + * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp + * ---------------------------------------------------------------------------- + */ + +/* + * Ported from FreeBSD to Linux, only minimal changes. --marekm + */ + +/* + * Adapted from shadow-19990607 by Tudor Bosman, tudorb@jm.nu + */ + +#include "config.h" + +#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) + +#include +#include + +#ifdef HAVE_OPENSSL +#include +#endif + +#ifdef HAVE_SSL +#include +#endif + +static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */ + "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; + +static char *magic = "$1$"; /* + * This string is magic for + * this algorithm. Having + * it this way, we can get + * get better later on + */ + +static void +to64(char *s, unsigned long v, int n) +{ + while (--n >= 0) { + *s++ = itoa64[v&0x3f]; + v >>= 6; + } +} + +int +is_md5_salt(const char *salt) +{ + return (!strncmp(salt, magic, strlen(magic))); +} + +/* + * UNIX password + * + * Use MD5 for what it is best at... + */ + +char * +md5_crypt(const char *pw, const char *salt) +{ + static char passwd[120], *p; + static const char *sp,*ep; + unsigned char final[16]; + int sl,pl,i,j; + MD5_CTX ctx,ctx1; + unsigned long l; + + /* Refine the Salt first */ + sp = salt; + + /* If it starts with the magic string, then skip that */ + if(!strncmp(sp,magic,strlen(magic))) + sp += strlen(magic); + + /* It stops at the first '$', max 8 chars */ + for(ep=sp;*ep && *ep != '$' && ep < (sp+8);ep++) + continue; + + /* get the length of the true salt */ + sl = ep - sp; + + MD5_Init(&ctx); + + /* The password first, since that is what is most unknown */ + MD5_Update(&ctx,pw,strlen(pw)); + + /* Then our magic string */ + MD5_Update(&ctx,magic,strlen(magic)); + + /* Then the raw salt */ + MD5_Update(&ctx,sp,sl); + + /* Then just as many characters of the MD5(pw,salt,pw) */ + MD5_Init(&ctx1); + MD5_Update(&ctx1,pw,strlen(pw)); + MD5_Update(&ctx1,sp,sl); + MD5_Update(&ctx1,pw,strlen(pw)); + MD5_Final(final,&ctx1); + for(pl = strlen(pw); pl > 0; pl -= 16) + MD5_Update(&ctx,final,pl>16 ? 16 : pl); + + /* Don't leave anything around in vm they could use. */ + memset(final,0,sizeof final); + + /* Then something really weird... */ + for (j=0,i = strlen(pw); i ; i >>= 1) + if(i&1) + MD5_Update(&ctx, final+j, 1); + else + MD5_Update(&ctx, pw+j, 1); + + /* Now make the output string */ + strcpy(passwd,magic); + strncat(passwd,sp,sl); + strcat(passwd,"$"); + + MD5_Final(final,&ctx); + + /* + * and now, just to make sure things don't run too fast + * On a 60 Mhz Pentium this takes 34 msec, so you would + * need 30 seconds to build a 1000 entry dictionary... + */ + for(i=0;i<1000;i++) { + MD5_Init(&ctx1); + if(i & 1) + MD5_Update(&ctx1,pw,strlen(pw)); + else + MD5_Update(&ctx1,final,16); + + if(i % 3) + MD5_Update(&ctx1,sp,sl); + + if(i % 7) + MD5_Update(&ctx1,pw,strlen(pw)); + + if(i & 1) + MD5_Update(&ctx1,final,16); + else + MD5_Update(&ctx1,pw,strlen(pw)); + MD5_Final(final,&ctx1); + } + + p = passwd + strlen(passwd); + + l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p,l,4); p += 4; + l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p,l,4); p += 4; + l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p,l,4); p += 4; + l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p,l,4); p += 4; + l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p,l,4); p += 4; + l = final[11] ; to64(p,l,2); p += 2; + *p = '\0'; + + /* Don't leave anything around in vm they could use. */ + memset(final,0,sizeof final); + + return passwd; +} + +#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ diff -ruN ssh-openbsd-2000012700/md5crypt.h openssh-1.2.2p1/md5crypt.h --- ssh-openbsd-2000012700/md5crypt.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/md5crypt.h Tue Dec 28 15:09:36 1999 @@ -0,0 +1,30 @@ +/* + * ---------------------------------------------------------------------------- + * "THE BEER-WARE LICENSE" (Revision 42): + * wrote this file. As long as you retain this notice you + * can do whatever you want with this stuff. If we meet some day, and you think + * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp + * ---------------------------------------------------------------------------- + */ + +/* + * Ported from FreeBSD to Linux, only minimal changes. --marekm + */ + +/* + * Adapted from shadow-19990607 by Tudor Bosman, tudorb@jm.nu + */ + +#ifndef _MD5CRYPT_H +#define _MD5CRYPT_H + +#include "config.h" + +#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) + +int is_md5_salt(const char *salt); +char *md5_crypt(const char *pw, const char *salt); + +#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ + +#endif /* MD5CRYPT_H */ diff -ruN ssh-openbsd-2000012700/mpaux.c openssh-1.2.2p1/mpaux.c --- ssh-openbsd-2000012700/mpaux.c Thu Dec 9 09:37:42 1999 +++ openssh-1.2.2p1/mpaux.c Tue Dec 14 10:47:16 1999 @@ -17,11 +17,17 @@ #include "includes.h" RCSID("$Id: mpaux.c,v 1.9 1999/12/08 22:37:42 markus Exp $"); -#include #include "getput.h" #include "xmalloc.h" +#ifdef HAVE_OPENSSL +#include +#include +#endif +#ifdef HAVE_SSL +#include #include +#endif void compute_session_id(unsigned char session_id[16], diff -ruN ssh-openbsd-2000012700/packages/redhat/openssh.spec openssh-1.2.2p1/packages/redhat/openssh.spec --- ssh-openbsd-2000012700/packages/redhat/openssh.spec Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/packages/redhat/openssh.spec Tue Mar 7 09:37:07 2000 @@ -0,0 +1,234 @@ +# Version of OpenSSH +%define oversion 1.2.2p1 + +# Version of ssh-askpass +%define aversion 0.99 + +Summary: OpenSSH free Secure Shell (SSH) implementation +Name: openssh +Version: %{oversion} +Release: 1 +Packager: Damien Miller +Source0: http://violet.ibs.com.au/openssh/files/openssh-%{oversion}.tar.gz +Source1: http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz +Copyright: BSD +Group: Applications/Internet +BuildRoot: /tmp/openssh-%{version}-buildroot +Obsoletes: ssh +PreReq: openssl +Requires: openssl +BuildPreReq: perl +BuildPreReq: openssl-devel +BuildPreReq: tcp_wrappers +BuildPreReq: gnome-libs-devel + +%package clients +Summary: OpenSSH Secure Shell protocol clients +Requires: openssh +Group: System Environment/Daemons +Obsoletes: ssh-clients + +%package server +Summary: OpenSSH Secure Shell protocol server (sshd) +Group: System Environment/Daemons +Obsoletes: ssh-server +PreReq: openssh chkconfig >= 0.9 + +%package askpass +Summary: OpenSSH X11 passphrase dialog +Group: Applications/Internet +Requires: openssh +Obsoletes: ssh-extras + +%package askpass-gnome +Summary: OpenSSH GNOME passphrase dialog +Group: Applications/Internet +Requires: openssh +Obsoletes: ssh-extras + +%description +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package includes the core files necessary for both the OpenSSH +client and server. To make this package useful, you should also +install openssh-clients, openssh-server, or both. + +%description clients +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package includes the clients necessary to make encrypted connections +to SSH servers. + +%description server +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package contains the secure shell daemon. The sshd is the server +part of the secure shell protocol and allows ssh clients to connect to +your host. + +%description askpass +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package contains Jim Knoble's X11 passphrase +dialog. + +%description askpass-gnome +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package contains the GNOME passphrase dialog. + +%changelog +* Sun Dec 26 1999 Damien Miller +- Added Jim Knoble's askpass +* Mon Nov 15 1999 Damien Miller +- Split subpackages further based on patch from jim knoble +* Sat Nov 13 1999 Damien Miller +- Added 'Obsoletes' directives +* Tue Nov 09 1999 Damien Miller +- Use make install +- Subpackages +* Mon Nov 08 1999 Damien Miller +- Added links for slogin +- Fixed perms on manpages +* Sat Oct 30 1999 Damien Miller +- Renamed init script +* Fri Oct 29 1999 Damien Miller +- Back to old binary names +* Thu Oct 28 1999 Damien Miller +- Use autoconf +- New binary names +* Wed Oct 27 1999 Damien Miller +- Initial RPMification, based on Jan "Yenya" Kasprzak's spec. + +%prep + +%setup -a 1 + +%build + +CFLAGS="$RPM_OPT_FLAGS" \ + ./configure --prefix=/usr --sysconfdir=/etc/ssh \ + --with-gnome-askpass --with-tcp-wrappers \ + --with-ipv4-default + +make + +cd x11-ssh-askpass-%{aversion} +xmkmf -a +make +cd .. + +%install +rm -rf $RPM_BUILD_ROOT +make install DESTDIR=$RPM_BUILD_ROOT/ + +install -d $RPM_BUILD_ROOT/etc/pam.d/ +install -d $RPM_BUILD_ROOT/etc/rc.d/init.d +install -m644 packages/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd +install -m755 packages/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd + +install -s x11-ssh-askpass-%{aversion}/ssh-askpass $RPM_BUILD_ROOT/usr/libexec/ssh/x11-ssh-askpass +ln -s /usr/libexec/ssh/x11-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/ssh/ssh-askpass + +%clean +rm -rf $RPM_BUILD_ROOT + +%post server +/sbin/chkconfig --add sshd +if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then + /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2 +fi +if test -r /var/run/sshd.pid +then + /etc/rc.d/init.d/sshd restart >&2 +fi + +%preun server +if [ "$1" = 0 ] +then + /etc/rc.d/init.d/sshd stop >&2 + /sbin/chkconfig --del sshd +fi + +%files +%defattr(-,root,root) +%doc ChangeLog OVERVIEW COPYING.Ylonen README README.Ylonen INSTALL +%doc CREDITS UPGRADING +%attr(0755,root,root) /usr/bin/ssh-keygen +%attr(0755,root,root) /usr/bin/scp +%attr(0644,root,root) /usr/man/man1/ssh-keygen.1 +%attr(0644,root,root) /usr/man/man1/scp.1 +%attr(0755,root,root) %dir /etc/ssh +%attr(0755,root,root) %dir /usr/libexec/ssh + +%files clients +%defattr(-,root,root) +%attr(4755,root,root) /usr/bin/ssh +%attr(0755,root,root) /usr/bin/ssh-agent +%attr(0755,root,root) /usr/bin/ssh-add +%attr(0644,root,root) /usr/man/man1/ssh.1 +%attr(0644,root,root) /usr/man/man1/ssh-agent.1 +%attr(0644,root,root) /usr/man/man1/ssh-add.1 +%attr(0644,root,root) %config(noreplace) /etc/ssh/ssh_config +%attr(-,root,root) /usr/bin/slogin +%attr(-,root,root) /usr/man/man1/slogin.1 + +%files server +%defattr(-,root,root) +%attr(0755,root,root) /usr/sbin/sshd +%attr(0644,root,root) /usr/man/man8/sshd.8 +%attr(0600,root,root) %config(noreplace) /etc/ssh/sshd_config +%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd +%attr(0755,root,root) %config /etc/rc.d/init.d/sshd + +%files askpass +%defattr(-,root,root) +%doc x11-ssh-askpass-%{aversion}/README +%doc x11-ssh-askpass-%{aversion}/ChangeLog +%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad +%attr(0755,root,root) /usr/libexec/ssh/ssh-askpass +%attr(0755,root,root) /usr/libexec/ssh/x11-ssh-askpass + +%files askpass-gnome +%defattr(-,root,root) +%attr(0755,root,root) /usr/libexec/ssh/gnome-ssh-askpass diff -ruN ssh-openbsd-2000012700/packages/redhat/sshd.init openssh-1.2.2p1/packages/redhat/sshd.init --- ssh-openbsd-2000012700/packages/redhat/sshd.init Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/packages/redhat/sshd.init Sat Dec 18 20:54:52 1999 @@ -0,0 +1,60 @@ +#!/bin/bash + +# Init file for OpenSSH server daemon +# +# chkconfig: 2345 55 25 +# description: OpenSSH server daemon +# +# processname: sshd +# config: /etc/ssh/ssh_host_key +# config: /etc/ssh/ssh_host_key.pub +# config: /etc/ssh/ssh_random_seed +# config: /etc/ssh/sshd_config +# pidfile: /var/run/sshd.pid + +# source function library +. /etc/rc.d/init.d/functions + +RETVAL=0 + +case "$1" in + start) + echo -n "Starting sshd: " + if [ ! -f /var/run/sshd.pid ] ; then + case "`type -type success`" in + function) + /usr/sbin/sshd && success "sshd startup" || failure "sshd startup" + RETVAL=$? + ;; + *) + /usr/sbin/sshd && echo -n "sshd " + RETVAL=$? + ;; + esac + [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd + fi + echo + ;; + stop) + echo -n "Shutting down sshd: " + if [ -f /var/run/sshd.pid ] ; then + killproc sshd + fi + echo + [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd + ;; + restart) + $0 stop + $0 start + RETVAL=$? + ;; + status) + status sshd + RETVAL=$? + ;; + *) + echo "Usage: sshd {start|stop|restart|status}" + exit 1 +esac + +exit $RETVAL diff -ruN ssh-openbsd-2000012700/packages/redhat/sshd.pam openssh-1.2.2p1/packages/redhat/sshd.pam --- ssh-openbsd-2000012700/packages/redhat/sshd.pam Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/packages/redhat/sshd.pam Mon Jan 3 20:00:52 2000 @@ -0,0 +1,8 @@ +#%PAM-1.0 +auth required /lib/security/pam_pwdb.so shadow nodelay +auth required /lib/security/pam_nologin.so +account required /lib/security/pam_pwdb.so +password required /lib/security/pam_cracklib.so +password required /lib/security/pam_pwdb.so shadow nullok use_authtok +session required /lib/security/pam_pwdb.so +session required /lib/security/pam_limits.so diff -ruN ssh-openbsd-2000012700/packages/suse/openssh.spec openssh-1.2.2p1/packages/suse/openssh.spec --- ssh-openbsd-2000012700/packages/suse/openssh.spec Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/packages/suse/openssh.spec Tue Mar 7 09:37:07 2000 @@ -0,0 +1,243 @@ +Summary: OpenSSH, a free Secure Shell (SSH) implementation +Name: openssh +Version: 1.2.2p1 +Release: 1 +Source0: openssh-%{version}.tar.gz +Copyright: BSD +Group: Applications/Internet +BuildRoot: /tmp/openssh-%{version}-buildroot +PreReq: openssl +Obsoletes: ssh +# +# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.) +# building prerequisites -- stuff for +# OpenSSL (openssl-devel), +# TCP Wrappers (nkitb), +# and Gnome (glibdev, gtkdev, and gnlibsd) +# +BuildPrereq: openssl-devel +BuildPrereq: nkitb +BuildPrereq: glibdev +BuildPrereq: gtkdev +BuildPrereq: gnlibsd + +%package clients +Summary: OpenSSH Secure Shell protocol clients +Requires: openssh +Group: Applications/Internet +Obsoletes: ssh-clients + +%package server +Summary: OpenSSH Secure Shell protocol server (sshd) +Requires: openssh +Group: System Environment/Daemons +PreReq: openssh +Obsoletes: ssh-server + +%package askpass +Summary: OpenSSH GNOME passphrase dialog +Group: Applications/Internet +Requires: openssh +Obsoletes: ssh-extras +Obsoletes: ssh-askpass + +%description +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package includes the core files necessary for both the OpenSSH +client and server. To make this package useful, you should also +install openssh-clients, openssh-server, or both. + +%description clients +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package includes the clients necessary to make encrypted connections +to SSH servers. + +%description server +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package contains the secure shell daemon. The sshd is the server +part of the secure shell protocol and allows ssh clients to connect to +your host. + +%description askpass +Ssh (Secure Shell) a program for logging into a remote machine and for +executing commands in a remote machine. It is intended to replace +rlogin and rsh, and provide secure encrypted communications between +two untrusted hosts over an insecure network. X11 connections and +arbitrary TCP/IP ports can also be forwarded over the secure channel. + +OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it +up to date in terms of security and features, as well as removing all +patented algorithms to seperate libraries (OpenSSL). + +This package contains the GNOME passphrase dialog. + +%changelog +* Sun Dec 26 1999 Chris Saia +- Made symlink to gnome-ssh-askpass called ssh-askpass +* Wed Nov 24 1999 Chris Saia +- Removed patches that included /etc/pam.d/sshd, /sbin/init.d/rc.sshd, and + /var/adm/fillup-templates/rc.config.sshd, since Damien merged these into + his released tarfile +- Changed permissions on ssh_config in the install procedure to 644 from 600 + even though it was correct in the %files section and thus right in the RPMs +- Postinstall script for the server now only prints "Generating SSH host + key..." if we need to actually do this, in order to eliminate a confusing + message if an SSH host key is already in place +- Marked all manual pages as %doc(umentation) +* Mon Nov 22 1999 Chris Saia +- Added flag to configure daemon with TCP Wrappers support +- Added building prerequisites (works in RPM 3.0 and newer) +* Thu Nov 18 1999 Chris Saia +- Made this package correct for SuSE. +- Changed instances of pam_pwdb.so to pam_unix.so, since it works more properly + with SuSE, and lib_pwdb.so isn't installed by default. +* Mon Nov 15 1999 Damien Miller +- Split subpackages further based on patch from jim knoble +* Sat Nov 13 1999 Damien Miller +- Added 'Obsoletes' directives +* Tue Nov 09 1999 Damien Miller +- Use make install +- Subpackages +* Mon Nov 08 1999 Damien Miller +- Added links for slogin +- Fixed perms on manpages +* Sat Oct 30 1999 Damien Miller +- Renamed init script +* Fri Oct 29 1999 Damien Miller +- Back to old binary names +* Thu Oct 28 1999 Damien Miller +- Use autoconf +- New binary names +* Wed Oct 27 1999 Damien Miller +- Initial RPMification, based on Jan "Yenya" Kasprzak's spec. + +%prep + +%setup -q + +%build +CFLAGS="$RPM_OPT_FLAGS" \ +./configure --prefix=/usr --sysconfdir=/etc/ssh --with-gnome-askpass \ + --with-tcp-wrappers --with-ipv4-default +make + +%install +rm -rf $RPM_BUILD_ROOT +make install DESTDIR=$RPM_BUILD_ROOT/ +install -d $RPM_BUILD_ROOT/etc/ssh/ +install -d $RPM_BUILD_ROOT/etc/pam.d/ +install -d $RPM_BUILD_ROOT/sbin/init.d/ +install -d $RPM_BUILD_ROOT/var/adm/fillup-templates +install -m644 sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd +install -m744 packages/suse/rc.sshd $RPM_BUILD_ROOT/sbin/init.d/sshd +ln -s ../../sbin/init.d/sshd $RPM_BUILD_ROOT/usr/sbin/rcsshd +ln -s gnome-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/ssh/ssh-askpass +install -m744 packages/suse/rc.config.sshd \ + $RPM_BUILD_ROOT/var/adm/fillup-templates + +%clean +rm -rf $RPM_BUILD_ROOT + +%post server +if [ "$1" = 1 ]; then + echo "Creating SSH stop/start scripts in the rc directories..." + ln -s ../sshd /sbin/init.d/rc2.d/K20sshd + ln -s ../sshd /sbin/init.d/rc2.d/S20sshd + ln -s ../sshd /sbin/init.d/rc3.d/K20sshd + ln -s ../sshd /sbin/init.d/rc3.d/S20sshd +fi +echo "Updating /etc/rc.config..." +if [ -x /bin/fillup ] ; then + /bin/fillup -q -d = etc/rc.config var/adm/fillup-templates/rc.config.sshd +else + echo "ERROR: fillup not found. This should NOT happen in SuSE Linux." + echo "Update /etc/rc.config by hand from the following template file:" + echo " /var/adm/fillup-templates/rc.config.sshd" +fi +if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then + echo "Generating SSH host key..." + /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2 +fi +if test -r /var/run/sshd.pid +then + echo "Restarting the running SSH daemon..." + /usr/sbin/rcsshd restart >&2 +fi + +%preun server +if [ "$1" = 0 ] +then + echo "Stopping the SSH daemon..." + /usr/sbin/rcsshd stop >&2 + echo "Removing SSH stop/start scripts from the rc directories..." + rm /sbin/init.d/rc2.d/K20sshd + rm /sbin/init.d/rc2.d/S20sshd + rm /sbin/init.d/rc3.d/K20sshd + rm /sbin/init.d/rc3.d/S20sshd +fi + +%files +%defattr(-,root,root) +%doc COPYING.Ylonen ChangeLog OVERVIEW README README.Ylonen +%doc RFC.nroff TODO UPGRADING CREDITS +%attr(0755,root,root) /usr/bin/ssh-keygen +%attr(0755,root,root) /usr/bin/scp +%attr(0644,root,root) %doc /usr/man/man1/ssh-keygen.1 +%attr(0644,root,root) %doc /usr/man/man1/scp.1 +%attr(0755,root,root) %dir /etc/ssh +%attr(0755,root,root) %dir /usr/libexec/ssh + +%files clients +%defattr(-,root,root) +%attr(4755,root,root) /usr/bin/ssh +%attr(0755,root,root) /usr/bin/ssh-agent +%attr(0755,root,root) /usr/bin/ssh-add +%attr(0644,root,root) %doc /usr/man/man1/ssh.1 +%attr(0644,root,root) %doc /usr/man/man1/ssh-agent.1 +%attr(0644,root,root) %doc /usr/man/man1/ssh-add.1 +%attr(0644,root,root) %config /etc/ssh/ssh_config +%attr(-,root,root) /usr/bin/slogin +%attr(-,root,root) %doc /usr/man/man1/slogin.1 + +%files server +%defattr(-,root,root) +%attr(0755,root,root) /usr/sbin/sshd +%attr(0644,root,root) %doc /usr/man/man8/sshd.8 +%attr(0600,root,root) %config /etc/ssh/sshd_config +%attr(0644,root,root) %config /etc/pam.d/sshd +%attr(0755,root,root) %config /sbin/init.d/sshd +%attr(-,root,root) /usr/sbin/rcsshd +%attr(0644,root,root) /var/adm/fillup-templates/rc.config.sshd + +%files askpass +%defattr(-,root,root) +%attr(0755,root,root) /usr/libexec/ssh/ssh-askpass +%attr(0755,root,root) /usr/libexec/ssh/gnome-ssh-askpass + diff -ruN ssh-openbsd-2000012700/packages/suse/rc.config.sshd openssh-1.2.2p1/packages/suse/rc.config.sshd --- ssh-openbsd-2000012700/packages/suse/rc.config.sshd Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/packages/suse/rc.config.sshd Tue Nov 23 10:11:29 1999 @@ -0,0 +1,5 @@ +# +# Start the Secure Shell (SSH) Daemon? +# +START_SSHD="yes" + diff -ruN ssh-openbsd-2000012700/packages/suse/rc.sshd openssh-1.2.2p1/packages/suse/rc.sshd --- ssh-openbsd-2000012700/packages/suse/rc.sshd Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/packages/suse/rc.sshd Tue Nov 23 10:11:29 1999 @@ -0,0 +1,80 @@ +#! /bin/sh +# Copyright (c) 1995-1998 SuSE GmbH Nuernberg, Germany. +# +# Author: Chris Saia +# +# /sbin/init.d/sshd +# +# and symbolic its link +# +# /sbin/rcsshd +# + +. /etc/rc.config + +# Determine the base and follow a runlevel link name. +base=${0##*/} +link=${base#*[SK][0-9][0-9]} + +# Force execution if not called by a runlevel directory. +test $link = $base && START_SSHD=yes +test "$START_SSHD" = yes || exit 0 + +# The echo return value for success (defined in /etc/rc.config). +return=$rc_done +case "$1" in + start) + echo -n "Starting service sshd" + ## Start daemon with startproc(8). If this fails + ## the echo return value is set appropriate. + + startproc /usr/sbin/sshd || return=$rc_failed + + echo -e "$return" + ;; + stop) + echo -n "Stopping service sshd" + ## Stop daemon with killproc(8) and if this fails + ## set echo the echo return value. + + killproc -TERM /usr/sbin/sshd || return=$rc_failed + + echo -e "$return" + ;; + restart) + ## If first returns OK call the second, if first or + ## second command fails, set echo return value. + $0 stop && $0 start || return=$rc_failed + ;; + reload) + ## Choose ONE of the following two cases: + + ## First possibility: A few services accepts a signal + ## to reread the (changed) configuration. + + echo -n "Reload service sshd" + killproc -HUP /usr/sbin/sshd || return=$rc_failed + echo -e "$return" + ;; + status) + echo -n "Checking for service sshd" + ## Check status with checkproc(8), if process is running + ## checkproc will return with exit status 0. + + checkproc /usr/sbin/sshd && echo OK || echo No process + ;; + probe) + ## Optional: Probe for the necessity of a reload, + ## give out the argument which is required for a reload. + + test /etc/ssh/sshd_config -nt /var/run/sshd.pid && echo reload + ;; + *) + echo "Usage: $0 {start|stop|status|restart|reload[|probe]}" + exit 1 + ;; +esac + +# Inform the caller not only verbosely and set an exit status. +test "$return" = "$rc_done" || exit 1 +exit 0 diff -ruN ssh-openbsd-2000012700/packet.h openssh-1.2.2p1/packet.h --- ssh-openbsd-2000012700/packet.h Wed Jan 5 03:54:58 2000 +++ openssh-1.2.2p1/packet.h Fri Jan 14 15:45:51 2000 @@ -18,7 +18,14 @@ #ifndef PACKET_H #define PACKET_H +#include "config.h" + +#ifdef HAVE_OPENSSL +#include +#endif +#ifdef HAVE_SSL #include +#endif /* * Sets the socket used for communication. Disables encryption until diff -ruN ssh-openbsd-2000012700/pty.c openssh-1.2.2p1/pty.c --- ssh-openbsd-2000012700/pty.c Sat Dec 11 20:35:46 1999 +++ openssh-1.2.2p1/pty.c Thu Mar 2 23:56:13 2000 @@ -16,7 +16,10 @@ #include "includes.h" RCSID("$Id: pty.c,v 1.11 1999/12/11 09:35:46 markus Exp $"); -#include +#ifdef HAVE_UTIL_H +# include +#endif /* HAVE_UTIL_H */ + #include "pty.h" #include "ssh.h" @@ -25,6 +28,13 @@ #undef HAVE_DEV_PTMX #endif +#ifdef HAVE_PTY_H +# include +#endif +#if defined(HAVE_DEV_PTMX) && defined(HAVE_SYS_STROPTS_H) +# include +#endif + #ifndef O_NOCTTY #define O_NOCTTY 0 #endif @@ -74,7 +84,7 @@ } return 1; #else /* HAVE__GETPTY */ -#ifdef HAVE_DEV_PTMX +#if defined(HAVE_DEV_PTMX) /* * This code is used e.g. on Solaris 2.x. (Note that Solaris 2.3 * also has bsd-style ptys, but they simply do not work.) @@ -177,10 +187,12 @@ void pty_release(const char *ttyname) { +#ifndef PTY_REMOVED_ON_CLOSE if (chown(ttyname, (uid_t) 0, (gid_t) 0) < 0) - debug("chown %.100s 0 0 failed: %.100s", ttyname, strerror(errno)); + error("chown %.100s 0 0 failed: %.100s", ttyname, strerror(errno)); if (chmod(ttyname, (mode_t) 0666) < 0) - debug("chmod %.100s 0666 failed: %.100s", ttyname, strerror(errno)); + error("chmod %.100s 0666 failed: %.100s", ttyname, strerror(errno)); +#endif /* PTY_REMOVED_ON_CLOSE */ } /* Makes the tty the processes controlling tty and sets it to sane modes. */ @@ -248,4 +260,30 @@ w.ws_xpixel = xpixel; w.ws_ypixel = ypixel; (void) ioctl(ptyfd, TIOCSWINSZ, &w); +} + +void +pty_setowner(struct passwd *pw, const char *ttyname) +{ + struct group *grp; + gid_t gid; + mode_t mode; + + /* Determine the group to make the owner of the tty. */ + grp = getgrnam("tty"); + if (grp) { + gid = grp->gr_gid; + mode = S_IRUSR | S_IWUSR | S_IWGRP; + } else { + gid = pw->pw_gid; + mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH; + } + + /* Change ownership of the tty. */ + if (chown(ttyname, pw->pw_uid, gid) < 0) + fatal("chown(%.100s, %d, %d) failed: %.100s", + ttyname, pw->pw_uid, gid, strerror(errno)); + if (chmod(ttyname, mode) < 0) + fatal("chmod(%.100s, 0%o) failed: %.100s", + ttyname, mode, strerror(errno)); } diff -ruN ssh-openbsd-2000012700/pty.h openssh-1.2.2p1/pty.h --- ssh-openbsd-2000012700/pty.h Mon Dec 6 23:10:12 1999 +++ openssh-1.2.2p1/pty.h Thu Mar 2 23:30:53 2000 @@ -43,4 +43,6 @@ pty_change_window_size(int ptyfd, int row, int col, int xpixel, int ypixel); +void pty_setowner(struct passwd *pw, const char *ttyname); + #endif /* PTY_H */ diff -ruN ssh-openbsd-2000012700/random.c openssh-1.2.2p1/random.c --- ssh-openbsd-2000012700/random.c Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/random.c Thu Feb 3 14:04:50 2000 @@ -0,0 +1,124 @@ +/* +** +** Random number collection +** +** Damien Miller +** +** Copyright 1999 Damien Miller +** +** Permission is hereby granted, free of charge, to any person +** obtaining a copy of this software and associated documentation +** files (the "Software"), to deal in the Software without +** restriction, including without limitation the rights to use, copy, +** modify, merge, publish, distribute, sublicense, and/or sell copies +** of the Software, and to permit persons to whom the Software is +** furnished to do so, subject to the following conditions: +** +** The above copyright notice and this permission notice shall be +** included in all copies or substantial portions of the Software. +** +** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY +** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE +** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE +** AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER OR INTERNET +** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE +** OR OTHER DEALINGS IN THE SOFTWARE. +** +** Except as contained in this notice, the name of Internet Business +** Solutions shall not be used in advertising or otherwise to promote +** the sale, use or other dealings in this Software without prior +** written authorization from Internet Business Solutions. +** +*/ + +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#ifdef HAVE_STDDEF_H +#include +#endif + +#include "ssh.h" +#include "xmalloc.h" +#include "random.h" + +#ifndef offsetof +# define offsetof(type, member) ((size_t) &((type *)0)->member) +#endif + +#ifdef HAVE_EGD + +/* Collect entropy from EGD */ +void get_random_bytes(unsigned char *buf, int len) +{ + static int random_pool; + int c; + char egd_message[2] = { 0x02, 0x00 }; + struct sockaddr_un addr; + int addr_len; + + memset(&addr, '\0', sizeof(addr)); + addr.sun_family = AF_UNIX; + + /* FIXME: compile time check? */ + if (sizeof(RANDOM_POOL) > sizeof(addr.sun_path)) + fatal("Random pool path is too long"); + + strcpy(addr.sun_path, RANDOM_POOL); + + addr_len = offsetof(struct sockaddr_un, sun_path) + sizeof(RANDOM_POOL); + + random_pool = socket(AF_UNIX, SOCK_STREAM, 0); + + if (random_pool == -1) + fatal("Couldn't create AF_UNIX socket: %s", strerror(errno)); + + if (connect(random_pool, (struct sockaddr*)&addr, addr_len) == -1) + fatal("Couldn't connect to EGD socket \"%s\": %s", addr.sun_path, strerror(errno)); + + if (len > 255) + fatal("Too many bytes to read from EGD"); + + /* Send blocking read request to EGD */ + egd_message[1] = len; + + c = atomicio(write, random_pool, egd_message, sizeof(egd_message)); + if (c == -1) + fatal("Couldn't write to EGD socket \"%s\": %s", RANDOM_POOL, strerror(errno)); + + c = atomicio(read, random_pool, buf, len); + if (c <= 0) + fatal("Couldn't read from random pool \"%s\": %s", RANDOM_POOL, strerror(errno)); + + close(random_pool); +} +#else /* HAVE_EGD */ + +/* Collect entropy from /dev/urandom or pipe */ +void get_random_bytes(unsigned char *buf, int len) +{ + static int random_pool; + int c; + + random_pool = open(RANDOM_POOL, O_RDONLY); + if (random_pool == -1) + fatal("Couldn't open random pool \"%s\": %s", RANDOM_POOL, strerror(errno)); + + c = atomicio(read, random_pool, buf, len); + if (c <= 0) + fatal("Couldn't read from random pool \"%s\": %s", RANDOM_POOL, strerror(errno)); + + close(random_pool); +} + +#endif /* HAVE_EGD */ diff -ruN ssh-openbsd-2000012700/random.h openssh-1.2.2p1/random.h --- ssh-openbsd-2000012700/random.h Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/random.h Thu Feb 3 14:04:50 2000 @@ -0,0 +1,41 @@ +/* +** +** Random number collection +** +** Damien Miller +** +** Copyright 1999 Damien Miller +** +** Permission is hereby granted, free of charge, to any person +** obtaining a copy of this software and associated documentation +** files (the "Software"), to deal in the Software without +** restriction, including without limitation the rights to use, copy, +** modify, merge, publish, distribute, sublicense, and/or sell copies +** of the Software, and to permit persons to whom the Software is +** furnished to do so, subject to the following conditions: +** +** The above copyright notice and this permission notice shall be +** included in all copies or substantial portions of the Software. +** +** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY +** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE +** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE +** AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER OR INTERNET +** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE +** OR OTHER DEALINGS IN THE SOFTWARE. +** +** Except as contained in this notice, the name of Internet Business +** Solutions shall not be used in advertising or otherwise to promote +** the sale, use or other dealings in this Software without prior +** written authorization from Internet Business Solutions. +** +*/ + +#ifndef _RANDOM_H +#define _RANDOM_H + +void get_random_bytes(unsigned char *buf, int len); + +#endif /* _RANDOM_H */ diff -ruN ssh-openbsd-2000012700/rsa.c openssh-1.2.2p1/rsa.c --- ssh-openbsd-2000012700/rsa.c Thu Nov 25 06:53:50 1999 +++ openssh-1.2.2p1/rsa.c Sun Mar 5 17:14:38 2000 @@ -40,14 +40,29 @@ #include "rsa.h" #include "ssh.h" #include "xmalloc.h" +#include "random.h" int rsa_verbose = 1; +/* + * Seed OpenSSL's random number generator + */ +void +seed_rng() +{ + char buf[64]; + + get_random_bytes(buf, sizeof(buf)); + RAND_seed(buf, sizeof(buf)); + memset(buf, 0, sizeof(buf)); +} + int rsa_alive() { RSA *key; + seed_rng(); key = RSA_generate_key(32, 3, NULL, NULL); if (key == NULL) return (0); @@ -56,6 +71,21 @@ } /* + * Key generation progress meter callback + */ +void +keygen_progress(int p, int n, void *arg) +{ + const char progress_chars[] = ".o+O?"; + + if ((p < 0) || (p > (sizeof(progress_chars) - 2))) + p = sizeof(progress_chars) - 2; + + putchar(progress_chars[p]); + fflush(stdout); +} + +/* * Generates RSA public and private keys. This initializes the data * structures; they should be freed with rsa_clear_private_key and * rsa_clear_public_key. @@ -66,11 +96,16 @@ { RSA *key; + seed_rng(); + if (rsa_verbose) { printf("Generating RSA keys: "); fflush(stdout); + key = RSA_generate_key(bits, 35, keygen_progress, NULL); + printf("\n"); + } else { + key = RSA_generate_key(bits, 35, NULL, NULL); } - key = RSA_generate_key(bits, 35, NULL, NULL); if (key == NULL) fatal("rsa_generate_key: key generation failed."); diff -ruN ssh-openbsd-2000012700/rsa.h openssh-1.2.2p1/rsa.h --- ssh-openbsd-2000012700/rsa.h Thu Nov 25 06:53:50 1999 +++ openssh-1.2.2p1/rsa.h Sat Jan 29 20:40:22 2000 @@ -18,8 +18,19 @@ #ifndef RSA_H #define RSA_H +#include "config.h" + +#ifdef HAVE_OPENSSL +#include +#include +#include +#endif + +#ifdef HAVE_SSL #include #include +#include +#endif /* Calls SSL RSA_generate_key, only copies to prv and pub */ void rsa_generate_key(RSA * prv, RSA * pub, unsigned int bits); diff -ruN ssh-openbsd-2000012700/scp/Makefile openssh-1.2.2p1/scp/Makefile --- ssh-openbsd-2000012700/scp/Makefile Tue Dec 7 08:47:11 1999 +++ openssh-1.2.2p1/scp/Makefile Thu Jan 1 10:00:00 1970 @@ -1,18 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= scp -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=555 -.endif - -BINDIR= /usr/bin -MAN= scp.1 - -SRCS= scp.c - -.include diff -ruN ssh-openbsd-2000012700/scp.c openssh-1.2.2p1/scp.c --- ssh-openbsd-2000012700/scp.c Tue Jan 25 09:11:20 2000 +++ openssh-1.2.2p1/scp.c Fri Jan 14 15:45:51 2000 @@ -45,7 +45,7 @@ */ #include "includes.h" -RCSID("$Id: scp.c,v 1.25 2000/01/24 22:11:20 markus Exp $"); +RCSID("$Id: scp.c,v 1.24 2000/01/04 16:57:16 markus Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -84,7 +84,7 @@ int verbose_mode = 0; /* This is set to non-zero if compression is desired. */ -int compress = 0; +int compress_flag = 0; /* This is set to zero if the progressmeter is not desired. */ int showprogress = 1; @@ -158,7 +158,7 @@ args[i++] = "-oFallBackToRsh no"; if (verbose_mode) args[i++] = "-v"; - if (compress) + if (compress_flag) args[i++] = "-C"; if (batchmode) args[i++] = "-oBatchMode yes"; @@ -296,7 +296,7 @@ batchmode = 1; break; case 'C': - compress = 1; + compress_flag = 1; break; case 'q': showprogress = 0; @@ -580,7 +580,7 @@ if (haderr) (void) write(remout, bp->buf, amt); else { - result = write(remout, bp->buf, amt); + result = atomicio(write, remout, bp->buf, amt); if (result != amt) haderr = result >= 0 ? EIO : errno; statbytes += result; @@ -954,22 +954,24 @@ { static FILE *fp; va_list ap; - va_start(ap, fmt); ++errs; if (fp == NULL && !(fp = fdopen(remout, "w"))) return; (void) fprintf(fp, "%c", 0x01); (void) fprintf(fp, "scp: "); + va_start(ap, fmt); (void) vfprintf(fp, fmt, ap); + va_end(ap); (void) fprintf(fp, "\n"); (void) fflush(fp); if (!iamremote) { + va_start(ap, fmt); vfprintf(stderr, fmt, ap); + va_end(ap); fprintf(stderr, "\n"); } - va_end(ap); } /* Stuff below is from BSD rcp util.c. */ @@ -1006,7 +1008,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: scp.c,v 1.25 2000/01/24 22:11:20 markus Exp $ + * $Id: scp.c,v 1.24 2000/01/04 16:57:16 markus Exp $ */ char * @@ -1060,12 +1062,12 @@ c = *cp; if (c & 0200) goto bad; - if (!isalpha(c) && !isdigit(c) && c != '_' && c != '-' && c != '.') + if (!isalpha(c) && !isdigit(c) && c != '_' && c != '-') goto bad; } while (*++cp); return (1); -bad: fprintf(stderr, "%s: invalid user name\n", cp0); +bad: fprintf(stderr, "%s: invalid user name", cp0); return (0); } @@ -1118,7 +1120,7 @@ } void -updateprogressmeter(void) +updateprogressmeter(int sig) { int save_errno = errno; @@ -1185,8 +1187,8 @@ i++; abbrevsize >>= 10; } - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5qd %c%c ", - (quad_t) abbrevsize, prefixes[i], prefixes[i] == ' ' ? ' ' : + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5d %c%c ", + (int) abbrevsize, prefixes[i], prefixes[i] == ' ' ? ' ' : 'B'); timersub(&now, &lastupdate, &wait); @@ -1224,7 +1226,11 @@ atomicio(write, fileno(stdout), buf, strlen(buf)); if (flag == -1) { - signal(SIGALRM, (void *) updateprogressmeter); + struct sigaction sa; + sa.sa_handler = updateprogressmeter; + sigemptyset(&sa.sa_mask); + sa.sa_flags = SA_RESTART; + sigaction(SIGALRM, &sa, NULL); alarmtimer(1); } else if (flag == 1) { alarmtimer(0); diff -ruN ssh-openbsd-2000012700/serverloop.c openssh-1.2.2p1/serverloop.c --- ssh-openbsd-2000012700/serverloop.c Tue Dec 7 07:15:28 1999 +++ openssh-1.2.2p1/serverloop.c Mon Jan 17 20:55:19 2000 @@ -36,10 +36,15 @@ /* * This SIGCHLD kludge is used to detect when the child exits. The server * will exit after that, as soon as forwarded connections have terminated. + * + * After SIGCHLD child_has_selected is set to 1 after the first pass + * through the wait_until_can_do_something() select(). This ensures + * that the child's output gets a chance to drain before it is yanked. */ static int child_pid; /* Pid of the child. */ static volatile int child_terminated; /* The child has terminated. */ +static volatile int child_has_selected; /* Child has had chance to drain. */ static volatile int child_wait_status; /* Status from wait(). */ void @@ -56,6 +61,7 @@ if (WIFEXITED(child_wait_status) || WIFSIGNALED(child_wait_status)) child_terminated = 1; + child_has_selected = 0; } signal(SIGCHLD, sigchld_handler); errno = save_errno; @@ -300,6 +306,9 @@ else goto retry_select; } + + if (child_terminated) + child_has_selected = 1; } /* @@ -438,6 +447,7 @@ /* Initialize the SIGCHLD kludge. */ child_pid = pid; child_terminated = 0; + child_has_selected = 0; signal(SIGCHLD, sigchld_handler); /* Initialize our global variables. */ @@ -533,8 +543,11 @@ * descriptors, and we have no more data to send to the * client, and there is no pending buffered data. */ - if (fdout_eof && fderr_eof && !packet_have_data_to_write() && - buffer_len(&stdout_buffer) == 0 && buffer_len(&stderr_buffer) == 0) { + if (((fdout_eof && fderr_eof) || + (child_terminated && child_has_selected)) && + !packet_have_data_to_write() && + (buffer_len(&stdout_buffer) == 0) && + (buffer_len(&stderr_buffer) == 0)) { if (!channel_still_open()) goto quit; if (!waiting_termination) { diff -ruN ssh-openbsd-2000012700/ssh/Makefile openssh-1.2.2p1/ssh/Makefile --- ssh-openbsd-2000012700/ssh/Makefile Tue Dec 7 08:47:12 1999 +++ openssh-1.2.2p1/ssh/Makefile Thu Jan 1 10:00:00 1970 @@ -1,36 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= ssh -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=4555 -.endif - -BINDIR= /usr/bin -MAN= ssh.1 -LINKS= ${BINDIR}/ssh ${BINDIR}/slogin -MLINKS= ssh.1 slogin.1 - -SRCS= ssh.c sshconnect.c log-client.c readconf.c clientloop.c - -.include # for AFS - -.if (${KERBEROS} == "yes") -CFLAGS+= -DKRB4 -I/usr/include/kerberosIV -LDADD+= -lkrb -DPADD+= ${LIBKRB} -.if (${AFS} == "yes") -CFLAGS+= -DAFS -LDADD+= -lkafs -DPADD+= ${LIBKRBAFS} -.endif # AFS -.endif # KERBEROS - -.include - -LDADD+= -lutil -lz -lcrypto -DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} diff -ruN ssh-openbsd-2000012700/ssh-add/Makefile openssh-1.2.2p1/ssh-add/Makefile --- ssh-openbsd-2000012700/ssh-add/Makefile Tue Dec 7 08:47:11 1999 +++ openssh-1.2.2p1/ssh-add/Makefile Thu Jan 1 10:00:00 1970 @@ -1,21 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= ssh-add -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=555 -.endif - -BINDIR= /usr/bin -MAN= ssh-add.1 - -SRCS= ssh-add.c log-client.c - -.include - -LDADD+= -lcrypto -lutil -lz -DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} diff -ruN ssh-openbsd-2000012700/ssh-add.c openssh-1.2.2p1/ssh-add.c --- ssh-openbsd-2000012700/ssh-add.c Fri Dec 3 07:05:40 1999 +++ openssh-1.2.2p1/ssh-add.c Mon Dec 6 11:47:29 1999 @@ -15,6 +15,12 @@ #include "authfd.h" #include "fingerprint.h" +#ifdef HAVE___PROGNAME +extern char *__progname; +#else /* HAVE___PROGNAME */ +const char *__progname = "ssh-add"; +#endif /* HAVE___PROGNAME */ + void delete_file(AuthenticationConnection *ac, const char *filename) { @@ -201,8 +207,6 @@ /* check if RSA support exists */ if (rsa_alive() == 0) { - extern char *__progname; - fprintf(stderr, "%s: no RSA support in libssl and libcrypto. See ssl(8).\n", __progname); diff -ruN ssh-openbsd-2000012700/ssh-agent/Makefile openssh-1.2.2p1/ssh-agent/Makefile --- ssh-openbsd-2000012700/ssh-agent/Makefile Thu Oct 28 02:54:49 1999 +++ openssh-1.2.2p1/ssh-agent/Makefile Thu Jan 1 10:00:00 1970 @@ -1,21 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= ssh-agent -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=555 -.endif - -BINDIR= /usr/bin -MAN= ssh-agent.1 - -SRCS= ssh-agent.c log-client.c - -.include - -LDADD+= -lcrypto -lutil -lz -DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} diff -ruN ssh-openbsd-2000012700/ssh-agent.c openssh-1.2.2p1/ssh-agent.c --- ssh-openbsd-2000012700/ssh-agent.c Mon Jan 3 08:51:03 2000 +++ openssh-1.2.2p1/ssh-agent.c Mon Jan 3 23:41:05 2000 @@ -21,7 +21,12 @@ #include "getput.h" #include "mpaux.h" +#ifdef HAVE_OPENSSL +#include +#endif +#ifdef HAVE_SSL #include +#endif typedef struct { int fd; @@ -52,7 +57,11 @@ char socket_name[1024]; char socket_dir[1024]; +#ifdef HAVE___PROGNAME extern char *__progname; +#else /* HAVE___PROGNAME */ +const char *__progname = "ssh-agent"; +#endif /* HAVE___PROGNAME */ void process_request_identity(SocketEntry *e) diff -ruN ssh-openbsd-2000012700/ssh-askpass openssh-1.2.2p1/ssh-askpass --- ssh-openbsd-2000012700/ssh-askpass Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/ssh-askpass Mon Nov 8 15:30:59 1999 @@ -0,0 +1,38 @@ +#!/usr/bin/perl -w + +# Written by Tommi Virtanen . Consider it public domain. + +use strict; +use Tk; + +sub do_it($$;) { + my ($passphrase, $main) = @_; + print $passphrase->get(), "\n"; + $main->destroy(); +} + +sub ask($;) { + my ($prompt)=@_; + my $main=MainWindow->new; + $main->Label(-text=>$prompt)->pack(-fill=>'x'); + my $passphrase=$main->Entry(-show=>'*')->pack(-fill=>'x'); + $passphrase->focus(); + my $buttons=$main->Frame; + $buttons->pack(-side=>'right'); + my $ok=$buttons->Button(-text=>'Ok', + -command=>sub {do_it $passphrase, $main} + )->pack(-side=>'left'); + my $cancel=$buttons->Button(-text=>'Cancel', -command=>[$main=>'destroy']) + ->pack(-side=>'right'); + $main->bind('Tk::Button', '' => 'invoke'); + $main->bind('', [$ok => 'invoke']); + $main->bind('', [$cancel => 'invoke']); + $main->bind('' => [$main => 'grabGlobal']); + + MainLoop; +} + +ask ($#ARGV==0 + ? $ARGV[0] + : 'Please enter your authentication passphrase:'); + diff -ruN ssh-openbsd-2000012700/ssh-keygen/Makefile openssh-1.2.2p1/ssh-keygen/Makefile --- ssh-openbsd-2000012700/ssh-keygen/Makefile Thu Oct 28 02:54:49 1999 +++ openssh-1.2.2p1/ssh-keygen/Makefile Thu Jan 1 10:00:00 1970 @@ -1,21 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= ssh-keygen -BINOWN= root - -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else -BINMODE?=555 -.endif - -BINDIR= /usr/bin -MAN= ssh-keygen.1 - -SRCS= ssh-keygen.c log-client.c - -.include - -LDADD+= -lcrypto -lutil -lz -DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} diff -ruN ssh-openbsd-2000012700/ssh-keygen.c openssh-1.2.2p1/ssh-keygen.c --- ssh-openbsd-2000012700/ssh-keygen.c Thu Nov 25 06:53:52 1999 +++ openssh-1.2.2p1/ssh-keygen.c Thu Nov 25 11:54:59 1999 @@ -54,7 +54,11 @@ char *identity_comment = NULL; /* argv0 */ +#ifdef HAVE___PROGNAME extern char *__progname; +#else /* HAVE___PROGNAME */ +const char *__progname = "ssh-keygen"; +#endif /* HAVE___PROGNAME */ void ask_filename(struct passwd *pw, const char *prompt) diff -ruN ssh-openbsd-2000012700/ssh.1 openssh-1.2.2p1/ssh.1 --- ssh-openbsd-2000012700/ssh.1 Sat Jan 22 13:17:50 2000 +++ openssh-1.2.2p1/ssh.1 Fri Mar 3 22:48:49 2000 @@ -626,7 +626,7 @@ Gives the verbosity level that is used when logging messages from .Nm ssh . The possible values are: -QUIET, FATAL, ERROR, INFO, CHAT and DEBUG. +QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. The default is INFO. .It Cm NumberOfPasswordPrompts Specifies the number of password prompts before giving up. The diff -ruN ssh-openbsd-2000012700/ssh.c openssh-1.2.2p1/ssh.c --- ssh-openbsd-2000012700/ssh.c Wed Jan 5 00:41:32 2000 +++ openssh-1.2.2p1/ssh.c Thu Mar 2 23:09:21 2000 @@ -21,9 +21,19 @@ #include "readconf.h" #include "uidswap.h" +#ifdef HAVE___PROGNAME +extern char *__progname; +#else /* HAVE___PROGNAME */ +const char *__progname = "ssh"; +#endif /* HAVE___PROGNAME */ + /* Flag indicating whether IPv4 or IPv6. This can be set on the command line. Default value is AF_UNSPEC means both IPv4 and IPv6. */ +#ifdef IPV4_DEFAULT +int IPv4or6 = AF_INET; +#else int IPv4or6 = AF_UNSPEC; +#endif /* Flag indicating whether debug mode is on. This can be set on the command line. */ int debug_flag = 0; @@ -402,8 +412,6 @@ /* check if RSA support exists */ if (rsa_alive() == 0) { - extern char *__progname; - fprintf(stderr, "%s: no RSA support in libssl and libcrypto. See ssl(8).\n", __progname); diff -ruN ssh-openbsd-2000012700/ssh.h openssh-1.2.2p1/ssh.h --- ssh-openbsd-2000012700/ssh.h Tue Jan 4 11:08:00 2000 +++ openssh-1.2.2p1/ssh.h Mon Feb 7 13:20:26 2000 @@ -18,6 +18,14 @@ #ifndef SSH_H #define SSH_H +#include /* For struct sockaddr_in */ +#include /* For struct pw */ +#include /* For va_list */ +#include /* For struct sockaddr_storage */ +#include "fake-socket.h" /* For struct sockaddr_storage */ +#ifdef HAVE_SYS_SELECT_H +# include +#endif #include "rsa.h" #include "cipher.h" @@ -61,8 +69,13 @@ */ #define SSH_SERVICE_NAME "ssh" +#ifndef ETCDIR #define ETCDIR "/etc" +#endif /* ETCDIR */ + +#ifndef PIDDIR #define PIDDIR "/var/run" +#endif /* PIDDIR */ /* * System-wide file containing host keys of known hosts. This file should be @@ -78,7 +91,17 @@ #define SERVER_CONFIG_FILE ETCDIR "/sshd_config" #define HOST_CONFIG_FILE ETCDIR "/ssh_config" -#define SSH_PROGRAM "/usr/bin/ssh" +#ifndef SSH_PROGRAM +#define SSH_PROGRAM "/usr/bin/ssh" +#endif /* SSH_PROGRAM */ + +#ifndef LOGIN_PROGRAM +#define LOGIN_PROGRAM "/usr/bin/login" +#endif /* LOGIN_PROGRAM */ + +#ifndef ASKPASS_PROGRAM +#define ASKPASS_PROGRAM "/usr/lib/ssh/ssh-askpass" +#endif /* ASKPASS_PROGRAM */ /* * The process id of the daemon listening for connections is saved here to @@ -154,7 +177,9 @@ * Default path to ssh-askpass used by ssh-add, * environment variable for overwriting the default location */ -#define SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass" +#ifndef SSH_ASKPASS_DEFAULT +# define SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass" +#endif #define SSH_ASKPASS_ENV "SSH_ASKPASS" /* @@ -722,5 +747,9 @@ /* AF_UNSPEC or AF_INET or AF_INET6 */ extern int IPv4or6; + +#ifdef USE_PAM +#include "auth-pam.h" +#endif /* USE_PAM */ #endif /* SSH_H */ diff -ruN ssh-openbsd-2000012700/ssh_config openssh-1.2.2p1/ssh_config --- ssh-openbsd-2000012700/ssh_config Wed Oct 27 13:38:42 1999 +++ openssh-1.2.2p1/ssh_config Thu Jan 20 23:13:38 2000 @@ -28,3 +28,9 @@ # Port 22 # Cipher blowfish # EscapeChar ~ + +# Be paranoid by default +Host * + ForwardAgent no + ForwardX11 no + FallBackToRsh no diff -ruN ssh-openbsd-2000012700/sshconnect.c openssh-1.2.2p1/sshconnect.c --- ssh-openbsd-2000012700/sshconnect.c Tue Jan 18 20:42:17 2000 +++ openssh-1.2.2p1/sshconnect.c Thu Jan 20 22:44:09 2000 @@ -10,7 +10,15 @@ #include "includes.h" RCSID("$OpenBSD: sshconnect.c,v 1.53 2000/01/18 09:42:17 markus Exp $"); +#ifdef HAVE_OPENSSL +#include +#include +#endif +#ifdef HAVE_SSL #include +#include +#endif + #include "xmalloc.h" #include "rsa.h" #include "ssh.h" @@ -23,8 +31,6 @@ #include "readconf.h" #include "fingerprint.h" -#include - /* Session id for the current session. */ unsigned char session_id[16]; @@ -252,7 +258,7 @@ temporarily_use_uid(original_real_uid); if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) { /* Successful connection. */ - memcpy(hostaddr, ai->ai_addr, sizeof(*hostaddr)); + memcpy(hostaddr, ai->ai_addr, sizeof(*(ai->ai_addr))); restore_uid(); break; } else { @@ -1066,6 +1072,7 @@ HostStatus host_status; HostStatus ip_status; int local = 0, host_ip_differ = 0; + int salen; char ntop[NI_MAXHOST]; /* @@ -1079,12 +1086,15 @@ switch (hostaddr->sa_family) { case AF_INET: local = (ntohl(((struct sockaddr_in *)hostaddr)->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET; + salen = sizeof(struct sockaddr_in); break; case AF_INET6: local = IN6_IS_ADDR_LOOPBACK(&(((struct sockaddr_in6 *)hostaddr)->sin6_addr)); + salen = sizeof(struct sockaddr_in6); break; default: local = 0; + salen = sizeof(struct sockaddr_storage); break; } if (local) { @@ -1100,7 +1110,7 @@ options.check_host_ip = 0; if (options.check_host_ip) { - if (getnameinfo(hostaddr, hostaddr->sa_len, ntop, sizeof(ntop), + if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0) fatal("check_host_key: getnameinfo failed"); ip = xstrdup(ntop); diff -ruN ssh-openbsd-2000012700/sshd/Makefile openssh-1.2.2p1/sshd/Makefile --- ssh-openbsd-2000012700/sshd/Makefile Tue Dec 7 08:47:12 1999 +++ openssh-1.2.2p1/sshd/Makefile Thu Jan 1 10:00:00 1970 @@ -1,45 +0,0 @@ -.PATH: ${.CURDIR}/.. - -PROG= sshd -BINOWN= root -BINMODE=555 -BINDIR= /usr/sbin -MAN= sshd.8 - -SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \ - pty.c log-server.c login.c servconf.c serverloop.c - -.include # for KERBEROS and AFS - -.if (${KERBEROS} == "yes") -CFLAGS+= -DKRB4 -I/usr/include/kerberosIV -SRCS+= auth-krb4.c -LDADD+= -lkrb -DPADD+= ${LIBKRB} -.if (${AFS} == "yes") -CFLAGS+= -DAFS -LDADD+= -lkafs -DPADD+= ${LIBKRBAFS} -.endif # AFS -.endif # KERBEROS - -.if (${SKEY} == "yes") -SRCS+= auth-skey.c -.endif - -.include - -LDADD+= -lcrypto -lutil -lz -DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} - -.if (${TCP_WRAPPERS} == "yes") -CFLAGS+= -DLIBWRAP -LDADD+= -lwrap -DPADD+= ${LIBWRAP} -.endif - -.if (${SKEY} == "yes") -CFLAGS+= -DSKEY -LDADD+= -lskey -DPADD+= ${SKEY} -.endif diff -ruN ssh-openbsd-2000012700/sshd.c openssh-1.2.2p1/sshd.c --- ssh-openbsd-2000012700/sshd.c Tue Jan 25 07:31:19 2000 +++ openssh-1.2.2p1/sshd.c Fri Mar 3 22:35:33 2000 @@ -11,7 +11,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.81 2000/01/24 20:31:19 markus Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.80 2000/01/20 15:19:22 markus Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -49,7 +49,11 @@ * Flag indicating whether IPv4 or IPv6. This can be set on the command line. * Default value is AF_UNSPEC means both IPv4 and IPv6. */ +#ifdef IPV4_DEFAULT +int IPv4or6 = AF_INET; +#else int IPv4or6 = AF_UNSPEC; +#endif /* * Debug mode flag. This can be set on the command line. If debug @@ -230,7 +234,6 @@ char * get_authname(int type) { - static char buf[1024]; switch (type) { case SSH_CMSG_AUTH_PASSWORD: return "password"; @@ -249,8 +252,8 @@ return "s/key"; #endif } - snprintf(buf, sizeof buf, "bad-auth-msg-%d", type); - return buf; + fatal("get_authname: unknown auth %d: internal error", type); + return NULL; } /* @@ -555,7 +558,8 @@ debug("Bind to port %s on %s.", strport, ntop); /* Bind the socket to the desired port. */ - if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { + if ((bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) && + (!ai->ai_next)) { error("Bind to port %s on %s failed: %.200s.", strport, ntop, strerror(errno)); close(listen_sock); @@ -878,6 +882,11 @@ /* The connection has been terminated. */ verbose("Closing connection to %.100s", remote_ip); + +#ifdef USE_PAM + finish_pam(); +#endif /* USE_PAM */ + packet_close(); exit(0); } @@ -1088,6 +1097,9 @@ { struct group *grp; int i; +#ifdef WITH_AIXAUTHENTICATE + char *loginmsg; +#endif /* WITH_AIXAUTHENTICATE */ /* Shouldn't be called if pw is NULL, but better safe than sorry... */ if (!pw) @@ -1144,6 +1156,12 @@ return 0; } } + +#ifdef WITH_AIXAUTHENTICATE + if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0) + return 0; +#endif /* WITH_AIXAUTHENTICATE */ + /* We found no reason not to let this user try to log on... */ return 1; } @@ -1168,6 +1186,10 @@ setproctitle("%s", user); +#ifdef WITH_AIXAUTHENTICATE + char *loginmsg; +#endif /* WITH_AIXAUTHENTICATE */ + #ifdef AFS /* If machine has AFS, set process authentication group. */ if (k_hasafs()) { @@ -1191,6 +1213,10 @@ pwcopy.pw_shell = xstrdup(pw->pw_shell); pw = &pwcopy; +#ifdef USE_PAM + start_pam(pw); +#endif + /* * If we are not running as root, the user must have the same uid as * the server. @@ -1205,7 +1231,11 @@ #ifdef KRB4 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif /* KRB4 */ +#ifdef USE_PAM + auth_pam_password(pw, "")) { +#else /* USE_PAM */ auth_password(pw, "")) { +#endif /* USE_PAM */ /* Authentication with empty password succeeded. */ log("Login for user %s from %.100s, accepted without authentication.", pw->pw_name, get_remote_ipaddr()); @@ -1225,6 +1255,9 @@ get_canonical_hostname()); } /* The user has been authenticated and accepted. */ +#ifdef WITH_AIXAUTHENTICATE + loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg); +#endif /* WITH_AIXAUTHENTICATE */ packet_start(SSH_SMSG_SUCCESS); packet_send(); packet_write_wait(); @@ -1248,7 +1281,7 @@ unsigned int bits; BIGNUM *client_host_key_e, *client_host_key_n; BIGNUM *n; - char *client_user, *password; + char *client_user = NULL, *password = NULL; char user[1024]; int plen, dlen, nlen, ulen, elen; int type = 0; @@ -1345,7 +1378,6 @@ authenticated = auth_rhosts(pw, client_user); snprintf(user, sizeof user, " ruser %s", client_user); - xfree(client_user); break; case SSH_CMSG_AUTH_RHOSTS_RSA: @@ -1378,7 +1410,6 @@ BN_clear_free(client_host_key_n); snprintf(user, sizeof user, " ruser %s", client_user); - xfree(client_user); break; case SSH_CMSG_AUTH_RSA: @@ -1407,9 +1438,13 @@ password = packet_get_string(&dlen); packet_integrity_check(plen, 4 + dlen, type); +#ifdef USE_PAM + /* Do PAM auth with password */ + authenticated = auth_pam_password(pw, password); +#else /* USE_PAM */ /* Try authentication with the password. */ authenticated = auth_password(pw, password); - +#endif /* USE_PAM */ memset(password, 0, strlen(password)); xfree(password); break; @@ -1475,8 +1510,22 @@ get_remote_port(), user); - if (authenticated) + if (authenticated) { +#ifdef USE_PAM + if (!do_pam_account(pw->pw_name, client_user)) { + if (client_user != NULL) + xfree(client_user); + + do_fake_authloop(pw->pw_name); + } +#endif /* USE_PAM */ return; + } + + if (client_user != NULL) { + xfree(client_user); + client_user = NULL; + } if (attempt > AUTH_FAIL_MAX) packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); @@ -1514,8 +1563,10 @@ for (attempt = 1;; attempt++) { /* Read a packet. This will not return if the client disconnects. */ int plen; +#ifndef SKEY + (void)packet_read(&plen); +#else /* SKEY */ int type = packet_read(&plen); -#ifdef SKEY int dlen; char *password, *skeyinfo; /* Try to send a fake s/key challenge. */ @@ -1546,6 +1597,11 @@ packet_start(SSH_SMSG_FAILURE); packet_send(); packet_write_wait(); +#ifdef WITH_AIXAUTHENTICATE + if (strncmp(get_authname(type),"password", + strlen(get_authname(type))) == 0) + loginfailed(pw->pw_name,get_canonical_hostname(),"ssh"); +#endif /* WITH_AIXAUTHENTICATE */ } /* NOTREACHED */ abort(); @@ -1567,6 +1623,37 @@ } } +struct pty_cleanup_context { + const char *ttyname; + int pid; +}; + +/* + * Function to perform cleanup if we get aborted abnormally (e.g., due to a + * dropped connection). + */ +void +pty_cleanup_proc(void *context) +{ + struct pty_cleanup_context *cu = context; + + debug("pty_cleanup_proc called"); + + /* Record that the user has logged out. */ + record_logout(cu->pid, cu->ttyname); + + /* Release the pseudo-tty. */ + pty_release(cu->ttyname); +} + +/* simple cleanup: chown tty slave back to root */ +static void +pty_release_proc(void *tty) +{ + char *ttyname = tty; + pty_release(ttyname); +} + /* * Prepares for an interactive session. This is called after the user has * been successfully authenticated. During this message exchange, pseudo @@ -1581,11 +1668,7 @@ int have_pty = 0, ptyfd = -1, ttyfd = -1, xauthfd = -1; int row, col, xpixel, ypixel, screen; char ttyname[64]; - char *command, *term = NULL, *display = NULL, *proto = NULL, - *data = NULL; - struct group *grp; - gid_t tty_gid; - mode_t tty_mode; + char *command, *term = NULL, *display = NULL, *proto = NULL, *data = NULL; int n_bytes; /* @@ -1643,33 +1726,20 @@ error("Failed to allocate pty."); goto fail; } - /* Determine the group to make the owner of the tty. */ - grp = getgrnam("tty"); - if (grp) { - tty_gid = grp->gr_gid; - tty_mode = S_IRUSR | S_IWUSR | S_IWGRP; - } else { - tty_gid = pw->pw_gid; - tty_mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH; - } - - /* Change ownership of the tty. */ - if (chown(ttyname, pw->pw_uid, tty_gid) < 0) - fatal("chown(%.100s, %d, %d) failed: %.100s", - ttyname, pw->pw_uid, tty_gid, strerror(errno)); - if (chmod(ttyname, tty_mode) < 0) - fatal("chmod(%.100s, 0%o) failed: %.100s", - ttyname, tty_mode, strerror(errno)); + fatal_add_cleanup(pty_release_proc, (void *)ttyname); + pty_setowner(pw, ttyname); /* Get TERM from the packet. Note that the value may be of arbitrary length. */ term = packet_get_string(&dlen); packet_integrity_check(dlen, strlen(term), type); - /* packet_integrity_check(plen, 4 + dlen + 4*4 + n_bytes, type); */ + /* Remaining bytes */ n_bytes = plen - (4 + dlen + 4 * 4); - if (strcmp(term, "") == 0) + if (strcmp(term, "") == 0) { + xfree(term); term = NULL; + } /* Get window size from the packet. */ row = packet_get_int(); @@ -1861,6 +1931,10 @@ setproctitle("%s@notty", pw->pw_name); +#ifdef USE_PAM + do_pam_setcred(); +#endif /* USE_PAM */ + /* Fork the child. */ if ((pid = fork()) == 0) { /* Child. Reinitialize the log since the pid has changed. */ @@ -1939,29 +2013,6 @@ #endif /* USE_PIPES */ } -struct pty_cleanup_context { - const char *ttyname; - int pid; -}; - -/* - * Function to perform cleanup if we get aborted abnormally (e.g., due to a - * dropped connection). - */ -void -pty_cleanup_proc(void *context) -{ - struct pty_cleanup_context *cu = context; - - debug("pty_cleanup_proc called"); - - /* Record that the user has logged out. */ - record_logout(cu->pid, cu->ttyname); - - /* Release the pseudo-tty. */ - pty_release(cu->ttyname); -} - /* * This is called to fork and execute a command when we have a tty. This * will call do_child from the child, and server_loop from the parent after @@ -1999,6 +2050,11 @@ } setproctitle("%s@%s", pw->pw_name, strrchr(ttyname, '/') + 1); +#ifdef USE_PAM + do_pam_session(pw->pw_name, ttyname); + do_pam_setcred(); +#endif /* USE_PAM */ + /* Fork the child. */ if ((pid = fork()) == 0) { pid = getpid(); @@ -2050,6 +2106,11 @@ snprintf(line, sizeof line, "%.200s/.hushlogin", pw->pw_dir); quiet_login = stat(line, &st) >= 0; +#ifdef USE_PAM + if (!quiet_login) + print_pam_messages(); +#endif /* USE_PAM */ + /* * If the user has logged in before, display the time of last * login. However, don't display anything extra if a command @@ -2098,6 +2159,15 @@ close(ttyfd); /* + * Add a cleanup function to clear the utmp entry and record logout + * time in case we call fatal() (e.g., the connection gets closed). + */ + cleanup_context.pid = pid; + cleanup_context.ttyname = ttyname; + fatal_add_cleanup(pty_cleanup_proc, (void *) &cleanup_context); + fatal_remove_cleanup(pty_release_proc, (void *) ttyname); + + /* * Create another descriptor of the pty master side for use as the * standard input. We could use the original descriptor, but this * simplifies code in server_loop. The descriptor is bidirectional. @@ -2106,14 +2176,6 @@ if (fdout < 0) packet_disconnect("dup failed: %.100s", strerror(errno)); - /* - * Add a cleanup function to clear the utmp entry and record logout - * time in case we call fatal() (e.g., the connection gets closed). - */ - cleanup_context.pid = pid; - cleanup_context.ttyname = ttyname; - fatal_add_cleanup(pty_cleanup_proc, (void *) &cleanup_context); - /* Enter interactive session. */ server_loop(pid, ptyfd, fdout, -1); /* server_loop has not closed ptyfd and fdout. */ @@ -2213,6 +2275,39 @@ fclose(f); } +#ifdef USE_PAM +/* + * Sets any environment variables which have been specified by PAM + */ +void do_pam_environment(char ***env, int *envsize) +{ + char *equals, var_name[512], var_val[512]; + char **pam_env; + int i; + + if ((pam_env = fetch_pam_environment()) == NULL) + return; + + for(i = 0; pam_env[i] != NULL; i++) { + if ((equals = strstr(pam_env[i], "=")) == NULL) + continue; + + if (strlen(pam_env[i]) < (sizeof(var_name) - 1)) + { + memset(var_name, '\0', sizeof(var_name)); + memset(var_val, '\0', sizeof(var_val)); + + strncpy(var_name, pam_env[i], equals - pam_env[i]); + strcpy(var_val, equals + 1); + + debug("PAM environment: %s=%s", var_name, var_val); + + child_set_env(env, envsize, var_name, var_val); + } + } +} +#endif /* USE_PAM */ + /* * Performs common processing for the child, such as setting up the * environment, closing extra file descriptors, setting the user and group @@ -2232,6 +2327,8 @@ struct stat st; char *argv[10]; +#ifndef USE_PAM /* pam_nologin handles this */ + /* Check /etc/nologin. */ f = fopen("/etc/nologin", "r"); if (f) { /* /etc/nologin exists. Print its contents and exit. */ @@ -2241,6 +2338,8 @@ if (pw->pw_uid != 0) exit(254); } +#endif /* USE_PAM */ + /* Set login name in the kernel. */ if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); @@ -2333,6 +2432,18 @@ if (display) child_set_env(&env, &envsize, "DISPLAY", display); +#ifdef _AIX + { + char *authstate,*krb5cc; + + if ((authstate = getenv("AUTHSTATE")) != NULL) + child_set_env(&env,&envsize,"AUTHSTATE",authstate); + + if ((krb5cc = getenv("KRB5CCNAME")) != NULL) + child_set_env(&env,&envsize,"KRB5CCNAME",krb5cc); + } +#endif + #ifdef KRB4 { extern char *ticket; @@ -2342,12 +2453,20 @@ } #endif /* KRB4 */ +#ifdef USE_PAM + /* Pull in any environment variables that may have been set by PAM. */ + do_pam_environment(&env, &envsize); +#endif /* USE_PAM */ + if (xauthfile) child_set_env(&env, &envsize, "XAUTHORITY", xauthfile); + if (auth_get_socket_name() != NULL) child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME, auth_get_socket_name()); + read_environment_file(&env,&envsize,"/etc/environment"); + /* read $HOME/.ssh/environment. */ if (!options.use_login) { snprintf(buf, sizeof buf, "%.200s/.ssh/environment", pw->pw_dir); @@ -2501,7 +2620,7 @@ } else { /* Launch login(1). */ - execl("/usr/bin/login", "login", "-h", get_remote_ipaddr(), + execl(LOGIN_PROGRAM, "login", "-h", get_remote_ipaddr(), "-p", "-f", "--", pw->pw_name, NULL); /* Login couldn't be executed, die. */ diff -ruN ssh-openbsd-2000012700/sshd.pam.generic openssh-1.2.2p1/sshd.pam.generic --- ssh-openbsd-2000012700/sshd.pam.generic Thu Jan 1 10:00:00 1970 +++ openssh-1.2.2p1/sshd.pam.generic Mon Jan 3 20:00:52 2000 @@ -0,0 +1,8 @@ +#%PAM-1.0 +auth required /lib/security/pam_unix.so shadow nodelay +auth required /lib/security/pam_nologin.so +account required /lib/security/pam_unix.so +password required /lib/security/pam_cracklib.so +password required /lib/security/pam_unix.so shadow nullok use_authtok +session required /lib/security/pam_unix.so +session required /lib/security/pam_limits.so diff -ruN ssh-openbsd-2000012700/sshd_config openssh-1.2.2p1/sshd_config --- ssh-openbsd-2000012700/sshd_config Tue Jan 4 11:08:01 2000 +++ openssh-1.2.2p1/sshd_config Thu Jan 20 23:13:40 2000 @@ -1,7 +1,7 @@ # This is ssh server systemwide configuration file. Port 22 -#ListenAddress 0.0.0.0 +ListenAddress 0.0.0.0 #ListenAddress :: HostKey /etc/ssh_host_key ServerKeyBits 768 @@ -46,5 +46,5 @@ # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes -#CheckMail yes -#UseLogin no +CheckMail no +UseLogin no diff -ruN ssh-openbsd-2000012700/uidswap.c openssh-1.2.2p1/uidswap.c --- ssh-openbsd-2000012700/uidswap.c Thu Nov 25 06:53:54 1999 +++ openssh-1.2.2p1/uidswap.c Fri Jan 21 00:18:16 2000 @@ -25,10 +25,11 @@ /* Lets assume that posix saved ids also work with seteuid, even though that is not part of the posix specification. */ #define SAVED_IDS_WORK_WITH_SETEUID -#endif /* _POSIX_SAVED_IDS */ /* Saved effective uid. */ static uid_t saved_euid = 0; + +#endif /* _POSIX_SAVED_IDS */ /* * Temporarily changes to the given uid. If the effective user