+20060201
+ - (djm) [regress/test-exec.sh] Try 'logname' as well as 'whoami' to
+ determine the user's login name - needed for regress tests on Solaris
+ 10 and OpenSolaris
+ - (djm) OpenBSD CVS Sync
+ - jmc@cvs.openbsd.org 2006/02/01 09:06:50
+ [sshd.8]
+ - merge sections on protocols 1 and 2 into a single section
+ - remove configuration file section
+ ok markus
+ - jmc@cvs.openbsd.org 2006/02/01 09:11:41
+ [sshd.8]
+ small tweak;
+ - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+ [contrib/suse/openssh.spec] Update versions ahead of release
+ - markus@cvs.openbsd.org 2006/02/01 11:27:22
+ [version.h]
+ openssh 4.3
+ - (djm) Release OpenSSH 4.3p1
+
+20060131
+ - (djm) OpenBSD CVS Sync
+ - jmc@cvs.openbsd.org 2006/01/20 11:21:45
+ [ssh_config.5]
+ - word change, agreed w/ markus
+ - consistency fixes
+ - jmc@cvs.openbsd.org 2006/01/25 09:04:34
+ [sshd.8]
+ move the options description up the page, and a few additional tweaks
+ whilst in here;
+ ok markus
+ - jmc@cvs.openbsd.org 2006/01/25 09:07:22
+ [sshd.8]
+ move subsections to full sections;
+ - jmc@cvs.openbsd.org 2006/01/26 08:47:56
+ [ssh.1]
+ add a section on verifying host keys in dns;
+ written with a lot of help from jakob;
+ feedback dtucker/markus;
+ ok markus
+ - reyk@cvs.openbsd.org 2006/01/30 12:22:22
+ [channels.c]
+ mark channel as write failed or dead instead of read failed on error
+ of the channel output filter.
+ ok markus@
+ - jmc@cvs.openbsd.org 2006/01/30 13:37:49
+ [ssh.1]
+ remove an incorrect sentence;
+ reported by roumen petrov;
+ ok djm markus
+ - djm@cvs.openbsd.org 2006/01/31 10:19:02
+ [misc.c misc.h scp.c sftp.c]
+ fix local arbitrary command execution vulnerability on local/local and
+ remote/remote copies (CVE-2006-0225, bz #1094), patch by
+ t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@
+ - djm@cvs.openbsd.org 2006/01/31 10:35:43
+ [scp.c]
+ "scp a b c" shouldn't clobber "c" when it is not a directory, report and
+ fix from biorn@; ok markus@
+ - (djm) Sync regress tests to OpenBSD:
+ - dtucker@cvs.openbsd.org 2005/03/10 10:20:39
+ [regress/forwarding.sh]
+ Regress test for ClearAllForwardings (bz #994); ok markus@
+ - dtucker@cvs.openbsd.org 2005/04/25 09:54:09
+ [regress/multiplex.sh]
+ Don't call cleanup in multiplex as test-exec will cleanup anyway
+ found by tim@, ok djm@
+ NB. ID sync only, we already had this
+ - djm@cvs.openbsd.org 2005/05/20 23:14:15
+ [regress/test-exec.sh]
+ force addressfamily=inet for tests, unbreaking dynamic-forward regress for
+ recently committed nc SOCKS5 changes
+ - djm@cvs.openbsd.org 2005/05/24 04:10:54
+ [regress/try-ciphers.sh]
+ oops, new arcfour modes here too
+ - markus@cvs.openbsd.org 2005/06/30 11:02:37
+ [regress/scp.sh]
+ allow SUDO=sudo; from Alexander Bluhm
+ - grunk@cvs.openbsd.org 2005/11/14 21:25:56
+ [regress/agent-getpeereid.sh]
+ all other scripts in this dir use $SUDO, not 'sudo', so pull this even
+ ok markus@
+ - dtucker@cvs.openbsd.org 2005/12/14 04:36:39
+ [regress/scp-ssh-wrapper.sh]
+ Fix assumption about how many args scp will pass; ok djm@
+ NB. ID sync only, we already had this
+ - djm@cvs.openbsd.org 2006/01/27 06:49:21
+ [scp.sh]
+ regress test for local to local scp copies; ok dtucker@
+ - djm@cvs.openbsd.org 2006/01/31 10:23:23
+ [scp.sh]
+ regression test for CVE-2006-0225 written by dtucker@
+ - djm@cvs.openbsd.org 2006/01/31 10:36:33
+ [scp.sh]
+ regress test for "scp a b c" where "c" is not a directory
+
+20060129
+ - (dtucker) [configure.ac opensshd.init.in] Bug #1144: Use /bin/sh for the
+ opensshd.init script interpretter if /sbin/sh does not exist. ok tim@
+
+20060120
+ - (dtucker) OpenBSD CVS Sync
+ - jmc@cvs.openbsd.org 2006/01/15 17:37:05
+ [ssh.1]
+ correction from deraadt
+ - jmc@cvs.openbsd.org 2006/01/18 10:53:29
+ [ssh.1]
+ add a section on ssh-based vpn, based on reyk's README.tun;
+ - dtucker@cvs.openbsd.org 2006/01/20 00:14:55
+ [scp.1 ssh.1 ssh_config.5 sftp.1]
+ Document RekeyLimit. Based on patch from jan.iven at cern.ch from mindrot
+ #1056 with feedback from jmc, djm and markus; ok jmc@ djm@
+
+20060114
+ - (djm) OpenBSD CVS Sync
+ - jmc@cvs.openbsd.org 2006/01/06 13:27:32
+ [ssh.1]
+ weed out some duplicate info in the known_hosts FILES entries;
+ ok djm
+ - jmc@cvs.openbsd.org 2006/01/06 13:29:10
+ [ssh.1]
+ final round of whacking FILES for duplicate info, and some consistency
+ fixes;
+ ok djm
+ - jmc@cvs.openbsd.org 2006/01/12 14:44:12
+ [ssh.1]
+ split sections on tcp and x11 forwarding into two sections.
+ add an example in the tcp section, based on sth i wrote for ssh faq;
+ help + ok: djm markus dtucker
+ - jmc@cvs.openbsd.org 2006/01/12 18:48:48
+ [ssh.1]
+ refer to `TCP' rather than `TCP/IP' in the context of connection
+ forwarding;
+ ok markus
+ - jmc@cvs.openbsd.org 2006/01/12 22:20:00
+ [sshd.8]
+ refer to TCP forwarding, rather than TCP/IP forwarding;
+ - jmc@cvs.openbsd.org 2006/01/12 22:26:02
+ [ssh_config.5]
+ refer to TCP forwarding, rather than TCP/IP forwarding;
+ - jmc@cvs.openbsd.org 2006/01/12 22:34:12
+ [ssh.1]
+ back out a sentence - AUTHENTICATION already documents this;
+
+20060109
+ - (dtucker) [contrib/cygwin/ssh-host-config] Make sshd service depend on
+ tcpip service so it's always started after IP is up. Patch from
+ vinschen at redhat.com.
+
+20060106
+ - (djm) OpenBSD CVS Sync
+ - jmc@cvs.openbsd.org 2006/01/03 16:31:10
+ [ssh.1]
+ move FILES to a -compact list, and make each files an item in that list.
+ this avoids nastly line wrap when we have long pathnames, and treats
+ each file as a separate item;
+ remove the .Pa too, since it is useless.
+ - jmc@cvs.openbsd.org 2006/01/03 16:35:30
+ [ssh.1]
+ use a larger width for the ENVIRONMENT list;
+ - jmc@cvs.openbsd.org 2006/01/03 16:52:36
+ [ssh.1]
+ put FILES in some sort of order: sort by pathname
+ - jmc@cvs.openbsd.org 2006/01/03 16:55:18
+ [ssh.1]
+ tweak the description of ~/.ssh/environment
+ - jmc@cvs.openbsd.org 2006/01/04 18:42:46
+ [ssh.1]
+ chop out some duplication in the .{r,s}hosts/{h,sh}osts.equiv FILES
+ entries;
+ ok markus
+ - jmc@cvs.openbsd.org 2006/01/04 18:45:01
+ [ssh.1]
+ remove .Xr's to rsh(1) and telnet(1): they are hardly needed;
+ - jmc@cvs.openbsd.org 2006/01/04 19:40:24
+ [ssh.1]
+ +.Xr ssh-keyscan 1 ,
+ - jmc@cvs.openbsd.org 2006/01/04 19:50:09
+ [ssh.1]
+ -.Xr gzip 1 ,
+ - djm@cvs.openbsd.org 2006/01/05 23:43:53
+ [misc.c]
+ check that stdio file descriptors are actually closed before clobbering
+ them in sanitise_stdfd(). problems occurred when a lower numbered fd was
+ closed, but higher ones weren't. spotted by, and patch tested by
+ Frédéric Olivié
+
+20060103
+ - (djm) [channels.c] clean up harmless merge error, from reyk@
+
+20060103
+ - (djm) OpenBSD CVS Sync
+ - jmc@cvs.openbsd.org 2006/01/02 17:09:49
+ [ssh_config.5 sshd_config.5]
+ some corrections from michael knudsen;
+
+20060102
+ - (djm) [README.tun] Add README.tun, missed during sync of tun(4) support
+ - (djm) OpenBSD CVS Sync
+ - jmc@cvs.openbsd.org 2005/12/31 10:46:17
+ [ssh.1]
+ merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER
+ AUTHENTICATION" sections into "AUTHENTICATION";
+ some rewording done to make the text read better, plus some
+ improvements from djm;
+ ok djm
+ - jmc@cvs.openbsd.org 2005/12/31 13:44:04
+ [ssh.1]
+ clean up ENVIRONMENT a little;
+ - jmc@cvs.openbsd.org 2005/12/31 13:45:19
+ [ssh.1]
+ .Nm does not require an argument;
+ - stevesk@cvs.openbsd.org 2006/01/01 08:59:27
+ [includes.h misc.c]
+ move <net/if.h>; ok djm@
+ - stevesk@cvs.openbsd.org 2006/01/01 10:08:48
+ [misc.c]
+ no trailing "\n" for debug()
+ - djm@cvs.openbsd.org 2006/01/02 01:20:31
+ [sftp-client.c sftp-common.h sftp-server.c]
+ use a common max. packet length, no binary change
+ - reyk@cvs.openbsd.org 2006/01/02 07:53:44
+ [misc.c]
+ clarify tun(4) opening - set the mode and bring the interface up. also
+ (re)sets the tun(4) layer 2 LINK0 flag for existing tunnel interfaces.
+ suggested and ok by djm@
+ - jmc@cvs.openbsd.org 2006/01/02 12:31:06
+ [ssh.1]
+ start to cut some duplicate info from FILES;
+ help/ok djm
+
+20060101
+ - (djm) [Makefile.in configure.ac includes.h misc.c]
+ [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Add support
+ for tunnel forwarding for FreeBSD and NetBSD. NetBSD's support is
+ limited to IPv4 tunnels only, and most versions don't support the
+ tap(4) device at all.
+ - (djm) [configure.ac] Fix linux/if_tun.h test
+ - (djm) [openbsd-compat/port-tun.c] Linux needs linux/if.h too
+
+20051229
+ - (djm) OpenBSD CVS Sync
+ - stevesk@cvs.openbsd.org 2005/12/28 22:46:06
+ [canohost.c channels.c clientloop.c]
+ use 'break-in' for consistency; ok deraadt@ ok and input jmc@
+ - reyk@cvs.openbsd.org 2005/12/30 15:56:37
+ [channels.c channels.h clientloop.c]
+ add channel output filter interface.
+ ok djm@, suggested by markus@
+ - jmc@cvs.openbsd.org 2005/12/30 16:59:00
+ [sftp.1]
+ do not suggest that interactive authentication will work
+ with the -b flag;
+ based on a diff from john l. scarfone;
+ ok djm
+ - stevesk@cvs.openbsd.org 2005/12/31 01:38:45
+ [ssh.1]
+ document -MM; ok djm@
+ - (djm) [openbsd-compat/port-tun.c openbsd-compat/port-tun.h configure.ac]
+ [serverloop.c ssh.c openbsd-compat/Makefile.in]
+ [openbsd-compat/openbsd-compat.h] Implement tun(4) forwarding
+ compatability support for Linux, diff from reyk@
+ - (djm) [configure.ac] Disable Linux tun(4) compat code if linux/tun.h does
+ not exist
+ - (djm) [configure.ac] oops, make that linux/if_tun.h
+
+20051229
+ - (tim) [buildpkg.sh.in] grep for $SSHDUID instead of $SSHDGID on /etc/passwd
+
+20051224
+ - (djm) OpenBSD CVS Sync
+ - jmc@cvs.openbsd.org 2005/12/20 21:59:43
+ [ssh.1]
+ merge the sections on protocols 1 and 2 into one section on
+ authentication;
+ feedback djm dtucker
+ ok deraadt markus dtucker
+ - jmc@cvs.openbsd.org 2005/12/20 22:02:50
+ [ssh.1]
+ .Ss -> .Sh: subsections have not made this page more readable
+ - jmc@cvs.openbsd.org 2005/12/20 22:09:41
+ [ssh.1]
+ move info on ssh return values and config files up into the main
+ description;
+ - jmc@cvs.openbsd.org 2005/12/21 11:48:16
+ [ssh.1]
+ -L and -R descriptions are now above, not below, ~C description;
+ - jmc@cvs.openbsd.org 2005/12/21 11:57:25
+ [ssh.1]
+ options now described `above', rather than `later';
+ - jmc@cvs.openbsd.org 2005/12/21 12:53:31
+ [ssh.1]
+ -Y does X11 forwarding too;
+ ok markus
+ - stevesk@cvs.openbsd.org 2005/12/21 22:44:26
+ [sshd.8]
+ clarify precedence of -p, Port, ListenAddress; ok and help jmc@
+ - jmc@cvs.openbsd.org 2005/12/22 10:31:40
+ [ssh_config.5]
+ put the description of "UsePrivilegedPort" in the correct place;
+ - jmc@cvs.openbsd.org 2005/12/22 11:23:42
+ [ssh.1]
+ expand the description of -w somewhat;
+ help/ok reyk
+ - jmc@cvs.openbsd.org 2005/12/23 14:55:53
+ [ssh.1]
+ - sync the description of -e w/ synopsis
+ - simplify the description of -I
+ - note that -I is only available if support compiled in, and that it
+ isn't by default
+ feedback/ok djm@
+ - jmc@cvs.openbsd.org 2005/12/23 23:46:23
+ [ssh.1]
+ less mark up for -c;
+ - djm@cvs.openbsd.org 2005/12/24 02:27:41
+ [session.c sshd.c]
+ eliminate some code duplicated in privsep and non-privsep paths, and
+ explicitly clear SIGALRM handler; "groovy" deraadt@
+
+20051220
+ - (dtucker) OpenBSD CVS Sync
+ - reyk@cvs.openbsd.org 2005/12/13 15:03:02
+ [serverloop.c]
+ if forced_tun_device is not set, it is -1 and not SSH_TUNID_ANY
+ - jmc@cvs.openbsd.org 2005/12/16 18:07:08
+ [ssh.1]
+ move the option descriptions up the page: start of a restructure;
+ ok markus deraadt
+ - jmc@cvs.openbsd.org 2005/12/16 18:08:53
+ [ssh.1]
+ simplify a sentence;
+ - jmc@cvs.openbsd.org 2005/12/16 18:12:22
+ [ssh.1]
+ make the description of -c a little nicer;
+ - jmc@cvs.openbsd.org 2005/12/16 18:14:40
+ [ssh.1]
+ signpost the protocol sections;
+ - stevesk@cvs.openbsd.org 2005/12/17 21:13:05
+ [ssh_config.5 session.c]
+ spelling: fowarding, fowarded
+ - stevesk@cvs.openbsd.org 2005/12/17 21:36:42
+ [ssh_config.5]
+ spelling: intented -> intended
+ - dtucker@cvs.openbsd.org 2005/12/20 04:41:07
+ [ssh.c]
+ exit(255) on error to match description in ssh(1); bz #1137; ok deraadt@
+
+20051219
+ - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac
+ openbsd-compat/openssl-compat.h] Check for and work around broken AES
+ ciphers >128bit on (some) Solaris 10 systems. ok djm@
+
+20051217
+ - (dtucker) [defines.h] HP-UX system headers define "YES" and "NO" which
+ scp.c also uses, so undef them here.
+ - (dtucker) [configure.ac openbsd-compat/bsd-snprintf.c] Bug #1133: Our
+ snprintf replacement can have a conflicting declaration in HP-UX's system
+ headers (const vs. no const) so we now check for and work around it. Patch
+ from the dynamic duo of David Leonard and Ted Percival.
+
+20051214
+ - (dtucker) OpenBSD CVS Sync (regress/)
+ - dtucker@cvs.openbsd.org 2005/12/30 04:36:39
+ [regress/scp-ssh-wrapper.sh]
+ Fix assumption about how many args scp will pass; ok djm@
+
+20051213
+ - (djm) OpenBSD CVS Sync
+ - jmc@cvs.openbsd.org 2005/11/30 11:18:27
+ [ssh.1]
+ timezone -> time zone
+ - jmc@cvs.openbsd.org 2005/11/30 11:45:20
+ [ssh.1]
+ avoid ambiguities in describing TZ;
+ ok djm@
+ - reyk@cvs.openbsd.org 2005/12/06 22:38:28
+ [auth-options.c auth-options.h channels.c channels.h clientloop.c]
+ [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h]
+ [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c]
+ [sshconnect.h sshd.8 sshd_config sshd_config.5]
+ Add support for tun(4) forwarding over OpenSSH, based on an idea and
+ initial channel code bits by markus@. This is a simple and easy way to
+ use OpenSSH for ad hoc virtual private network connections, e.g.
+ administrative tunnels or secure wireless access. It's based on a new
+ ssh channel and works similar to the existing TCP forwarding support,
+ except that it depends on the tun(4) network interface on both ends of
+ the connection for layer 2 or layer 3 tunneling. This diff also adds
+ support for LocalCommand in the ssh(1) client.
+ ok djm@, markus@, jmc@ (manpages), tested and discussed with others
+ - djm@cvs.openbsd.org 2005/12/07 03:52:22
+ [clientloop.c]
+ reyk forgot to compile with -Werror (missing header)
+ - jmc@cvs.openbsd.org 2005/12/07 10:52:13
+ [ssh.1]
+ - avoid line split in SYNOPSIS
+ - add args to -w
+ - kill trailing whitespace
+ - jmc@cvs.openbsd.org 2005/12/08 14:59:44
+ [ssh.1 ssh_config.5]
+ make `!command' a little clearer;
+ ok reyk
+ - jmc@cvs.openbsd.org 2005/12/08 15:06:29
+ [ssh_config.5]
+ keep options in order;
+ - reyk@cvs.openbsd.org 2005/12/08 18:34:11
+ [auth-options.c includes.h misc.c misc.h readconf.c servconf.c]
+ [serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac]
+ two changes to the new ssh tunnel support. this breaks compatibility
+ with the initial commit but is required for a portable approach.
+ - make the tunnel id u_int and platform friendly, use predefined types.
+ - support configuration of layer 2 (ethernet) or layer 3
+ (point-to-point, default) modes. configuration is done using the
+ Tunnel (yes|point-to-point|ethernet|no) option is ssh_config(5) and
+ restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
+ in sshd_config(5).
+ ok djm@, man page bits by jmc@
+ - jmc@cvs.openbsd.org 2005/12/08 21:37:50
+ [ssh_config.5]
+ new sentence, new line;
+ - markus@cvs.openbsd.org 2005/12/12 13:46:18
+ [channels.c channels.h session.c]
+ make sure protocol messages for internal channels are ignored.
+ allow adjust messages for non-open channels; with and ok djm@
+ - (djm) [misc.c] Disable tunnel code for non-OpenBSD (for now), enable
+ again by providing a sys_tun_open() function for your platform and
+ setting the CUSTOM_SYS_TUN_OPEN define. More work is required to match
+ OpenBSD's tunnel protocol, which prepends the address family to the
+ packet
+
+20051201
+ - (djm) [envpass.sh] Remove regress script that was accidentally committed
+ in top level directory and not noticed for over a year :)
+
+20051129
+ - (tim) [ssh-keygen.c] Move DSA length test after setting default when
+ bits == 0.
+ - (dtucker) OpenBSD CVS Sync
+ - dtucker@cvs.openbsd.org 2005/11/29 02:04:55
+ [ssh-keygen.c]
+ Populate default key sizes before checking them; from & ok tim@
+ - (tim) [configure.ac sshd.8] Enable locked account check (a "*LK*" string)
+ for UnixWare.
+
+20051128
+ - (dtucker) [regress/yes-head.sh] Work around breakage caused by some
+ versions of GNU head. Based on patch from zappaman at buraphalinux.org
+ - (dtucker) [includes.h] Bug #1122: __USE_GNU is a glibc internal macro, use
+ _GNU_SOURCE instead. Patch from t8m at centrum.cz.
+ - (dtucker) OpenBSD CVS Sync
+ - dtucker@cvs.openbsd.org 2005/11/28 05:16:53
+ [ssh-keygen.1 ssh-keygen.c]
+ Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2,
+ increase minumum RSA key size to 768 bits and update man page to reflect
+ these. Patch originally bz#1119 (senthilkumar_sen at hotpop.com),
+ ok djm@, grudging ok deraadt@.
+ - dtucker@cvs.openbsd.org 2005/11/28 06:02:56
+ [ssh-agent.1]
+ Update agent socket path templates to reflect reality, correct xref for
+ time formats. bz#1121, patch from openssh at roumenpetrov.info, ok djm@
+
+20051126
+ - (dtucker) [configure.ac] Bug #1126: AIX 5.2 and 5.3 (and presumably newer,
+ when they're available) need the real UID set otherwise pam_chauthtok will
+ set ADMCHG after changing the password, forcing the user to change it
+ again immediately.
+
+20051125
+ - (dtucker) [configure.ac] Apply tim's fix for older systems where the
+ resolver state in resolv.h is "state" not "__res_state". With slight
+ modification by me to also work on old AIXes. ok djm@
+ - (dtucker) [progressmeter.c scp.c sftp-server.c] Use correct casts for
+ snprintf formats, fixes warnings on some 64 bit platforms. Patch from
+ shaw at vranix.com, ok djm@
+
+20051124
+ - (djm) [configure.ac openbsd-compat/Makefile.in openbsd-compat/bsd-asprintf.c
+ openbsd-compat/bsd-snprintf.c openbsd-compat/openbsd-compat.h] Add an
+ asprintf() implementation, after syncing our {v,}snprintf() implementation
+ with some extra fixes from Samba's version. With help and debugging from
+ dtucker and tim; ok dtucker@
+ - (dtucker) [configure.ac] Fix typos in comments and AC_SEARCH_LIB argument
+ order in Reliant Unix block. Patch from johane at lysator.liu.se.
+ - (dtucker) [regress/test-exec.sh] Use 1024 bit keys since we generate so
+ many and use them only once. Speeds up testing on older/slower hardware.
+
+20051122
+ - (dtucker) OpenBSD CVS Sync
+ - deraadt@cvs.openbsd.org 2005/11/12 18:37:59
+ [ssh-add.c]
+ space
+ - deraadt@cvs.openbsd.org 2005/11/12 18:38:15
+ [scp.c]
+ avoid close(-1), as in rcp; ok cloder
+ - millert@cvs.openbsd.org 2005/11/15 11:59:54
+ [includes.h]
+ Include sys/queue.h explicitly instead of assuming some other header
+ will pull it in. At the moment it gets pulled in by sys/select.h
+ (which ssh has no business including) via event.h. OK markus@
+ (ID sync only in -portable)
+ - dtucker@cvs.openbsd.org 2005/11/21 09:42:10
+ [auth-krb5.c]
+ Perform Kerberos calls even for invalid users to prevent leaking
+ information about account validity. bz #975, patch originally from
+ Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@,
+ ok markus@
+ - dtucker@cvs.openbsd.org 2005/11/22 03:36:03
+ [hostfile.c]
+ Correct format/arguments to debug call; spotted by shaw at vranix.com
+ ok djm@
+ - (dtucker) [loginrec.c] Add casts to prevent compiler warnings, patch
+ from shaw at vranix.com.
+
+20051120
+ - (dtucker) [openbsd-compat/openssl-compat.h] Add comment explaining what
+ is going on.
+
+20051112
+ - (dtucker) [openbsd-compat/getrrsetbyname.c] Restore Portable-specific
+ ifdef lost during sync. Spotted by tim@.
+ - (dtucker) [openbsd-compat/{realpath.c,stroll.c,rresvport.c}] $OpenBSD tag.
+ - (dtucker) [configure.ac] Use "$AWK" instead of "awk" in gcc version test.
+ - (dtucker) [configure.ac] Remove duplicate utimes() check. ok djm@
+ - (dtucker) [regress/reconfigure.sh] Fix potential race in the reconfigure
+ test: if sshd takes too long to reconfigure the subsequent connection will
+ fail. Zap pidfile before HUPing sshd which will rewrite it when it's ready.
+
+20051110
+ - (dtucker) [openbsd-compat/setenv.c] Merge changes for __findenv from
+ OpenBSD getenv.c revs 1.4 - 1.8 (ANSIfication of arguments, removal of
+ "register").
+ - (dtucker) [openbsd-compat/setenv.c] Make __findenv static, remove
+ unnecessary prototype.
+ - (dtucker) [openbsd-compat/setenv.c] Sync changes from OpenBSD setenv.c
+ revs 1.7 - 1.9.
+ - (dtucker) [auth-krb5.c] Fix -Wsign-compare warning in non-Heimdal path.
+ Patch from djm@.
+ - (dtucker) [configure.ac] Disable pointer-sign warnings on gcc 4.0+
+ since they're not useful right now. Patch from djm@.
+ - (dtucker) [openbsd-compat/getgrouplist.c] Sync OpenBSD revs 1.10 - 1.2 (ANSI
+ prototypes, removal of "register").
+ - (dtucker) [openbsd-compat/strlcat.c] Sync OpenBSD revs 1.11 - 1.12 (removal
+ of "register").
+ - (dtucker) [openbsd-compat/{LOTS}] Move the "OPENBSD ORIGINAL" markers to
+ after the copyright notices. Having them at the top next to the CVSIDs
+ guarantees a conflict for each and every sync.
+ - (dtucker) [openbsd-compat/strlcpy.c] Update from OpenBSD 1.8 -> 1.10.
+ - (dtucker) [openbsd-compat/sigact.h] Add "OPENBSD ORIGINAL" marker.
+ - (dtucker) [openbsd-compat/strmode.c] Update from OpenBSD 1.5 -> 1.7.
+ Removal of rcsid, "whiteout" inode type.
+ - (dtucker) [openbsd-compat/basename.c] Update from OpenBSD 1.11 -> 1.14.
+ Removal of rcsid, will no longer strlcpy parts of the string.
+ - (dtucker) [openbsd-compat/strtoll.c] Update from OpenBSD 1.4 -> 1.5.
+ - (dtucker) [openbsd-compat/strtoul.c] Update from OpenBSD 1.5 -> 1.7.
+ - (dtucker) [openbsd-compat/readpassphrase.c] Update from OpenBSD 1.16 -> 1.18.
+ - (dtucker) [openbsd-compat/readpassphrase.h] Update from OpenBSD 1.3 -> 1.5.
+ - (dtucker) [openbsd-compat/glob.c] Update from OpenBSD 1.22 -> 1.25.
+ - (dtucker) [openbsd-compat/glob.h] Update from OpenBSD 1.8 -> 1.9.
+ - (dtucker) [openbsd-compat/getcwd.c] Update from OpenBSD 1.9 -> 1.14.
+ - (dtucker) [openbsd-compat/getcwd.c] Replace lstat with fstat to match up
+ with OpenBSD code since we don't support platforms without fstat any more.
+ - (dtucker) [openbsd-compat/inet_aton.c] Update from OpenBSD 1.7 -> 1.9.
+ - (dtucker) [openbsd-compat/inet_ntoa.c] Update from OpenBSD 1.4 -> 1.6.
+ - (dtucker) [openbsd-compat/inet_ntop.c] Update from OpenBSD 1.5 -> 1.7.
+ - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.5 -> 1.6.
+ - (dtucker) [openbsd-compat/strsep.c] Update from OpenBSD 1.5 -> 1.6.
+ - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.10 -> 1.13.
+ - (dtucker) [openbsd-compat/mktemp.c] Update from OpenBSD 1.17 -> 1.19.
+ - (dtucker) [openbsd-compat/rresvport.c] Update from OpenBSD 1.6 -> 1.8.
+ - (dtucker) [openbsd-compat/bindresvport.c] Add "OPENBSD ORIGINAL" marker.
+ - (dtucker) [openbsd-compat/bindresvport.c] Update from OpenBSD 1.16 -> 1.17.
+ - (dtucker) [openbsd-compat/sigact.c] Update from OpenBSD 1.3 -> 1.4.
+ Id and copyright sync only, there were no substantial changes we need.
+ - (dtucker) [openbsd-compat/bsd-closefrom.c openbsd-compat/base64.c]
+ -Wsign-compare fixes from djm.
+ - (dtucker) [openbsd-compat/sigact.h] Update from OpenBSD 1.2 -> 1.3.
+ Id and copyright sync only, there were no substantial changes we need.
+ - (dtucker) [configure.ac] Try to get the gcc version number in a way that
+ doesn't change between versions, and use a safer default.
+
+20051105
+ - (djm) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2005/10/07 11:13:57
+ [ssh-keygen.c]
+ change DSA default back to 1024, as it's defined for 1024 bits only
+ and this causes interop problems with other clients. moreover,
+ in order to improve the security of DSA you need to change more
+ components of DSA key generation (e.g. the internal SHA1 hash);
+ ok deraadt
+ - djm@cvs.openbsd.org 2005/10/10 10:23:08
+ [channels.c channels.h clientloop.c serverloop.c session.c]
+ fix regression I introduced in 4.2: X11 forwardings initiated after
+ a session has exited (e.g. "(sleep 5; xterm) &") would not start.
+ bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@
+ - djm@cvs.openbsd.org 2005/10/11 23:37:37
+ [channels.c]
+ bz #1076 set SO_REUSEADDR on X11 forwarding listner sockets, preventing
+ bind() failure when a previous connection's listeners are in TIME_WAIT,
+ reported by plattner AT inf.ethz.ch; ok dtucker@
+ - stevesk@cvs.openbsd.org 2005/10/13 14:03:01
+ [auth2-gss.c gss-genr.c gss-serv.c]
+ remove unneeded #includes; ok markus@
+ - stevesk@cvs.openbsd.org 2005/10/13 14:20:37
+ [gss-serv.c]
+ spelling in comments
+ - stevesk@cvs.openbsd.org 2005/10/13 19:08:08
+ [gss-serv-krb5.c gss-serv.c]
+ unused declarations; ok deraadt@
+ (id sync only for gss-serv-krb5.c)
+ - stevesk@cvs.openbsd.org 2005/10/13 19:13:41
+ [dns.c]
+ unneeded #include, unused declaration, little knf; ok deraadt@
+ - stevesk@cvs.openbsd.org 2005/10/13 22:24:31
+ [auth2-gss.c gss-genr.c gss-serv.c monitor.c]
+ KNF; ok djm@
+ - stevesk@cvs.openbsd.org 2005/10/14 02:17:59
+ [ssh-keygen.c ssh.c sshconnect2.c]
+ no trailing "\n" for log functions; ok djm@
+ - stevesk@cvs.openbsd.org 2005/10/14 02:29:37
+ [channels.c clientloop.c]
+ free()->xfree(); ok djm@
+ - stevesk@cvs.openbsd.org 2005/10/15 15:28:12
+ [sshconnect.c]
+ make external definition static; ok deraadt@
+ - stevesk@cvs.openbsd.org 2005/10/17 13:45:05
+ [dns.c]
+ fix memory leaks from 2 sources:
+ 1) key_fingerprint_raw()
+ 2) malloc in dns_read_rdata()
+ ok jakob@
+ - stevesk@cvs.openbsd.org 2005/10/17 14:01:28
+ [dns.c]
+ remove #ifdef LWRES; ok jakob@
+ - stevesk@cvs.openbsd.org 2005/10/17 14:13:35
+ [dns.c dns.h]
+ more cleanups; ok jakob@
+ - djm@cvs.openbsd.org 2005/10/30 01:23:19
+ [ssh_config.5]
+ mention control socket fallback behaviour, reported by
+ tryponraj AT gmail.com
+ - djm@cvs.openbsd.org 2005/10/30 04:01:03
+ [ssh-keyscan.c]
+ make ssh-keygen discard junk from server before SSH- ident, spotted by
+ dave AT cirt.net; ok dtucker@
+ - djm@cvs.openbsd.org 2005/10/30 04:03:24
+ [ssh.c]
+ fix misleading debug message; ok dtucker@
+ - dtucker@cvs.openbsd.org 2005/10/30 08:29:29
+ [canohost.c sshd.c]
+ Check for connections with IP options earlier and drop silently. ok djm@
+ - jmc@cvs.openbsd.org 2005/10/30 08:43:47
+ [ssh_config.5]
+ remove trailing whitespace;
+ - djm@cvs.openbsd.org 2005/10/30 08:52:18
+ [clientloop.c packet.c serverloop.c session.c ssh-agent.c ssh-keygen.c]
+ [ssh.c sshconnect.c sshconnect1.c sshd.c]
+ no need to escape single quotes in comments, no binary change
+ - dtucker@cvs.openbsd.org 2005/10/31 06:15:04
+ [sftp.c]
+ Fix sorting with "ls -1" command. From Robert Tsai, "looks right" deraadt@
+ - djm@cvs.openbsd.org 2005/10/31 11:12:49
+ [ssh-keygen.1 ssh-keygen.c]
+ generate a protocol 2 RSA key by default
+ - djm@cvs.openbsd.org 2005/10/31 11:48:29
+ [serverloop.c]
+ make sure we clean up wtmp, etc. file when we receive a SIGTERM,
+ SIGINT or SIGQUIT when running without privilege separation (the
+ normal privsep case is already OK). Patch mainly by dtucker@ and
+ senthilkumar_sen AT hotpop.com; ok dtucker@
+ - jmc@cvs.openbsd.org 2005/10/31 19:55:25
+ [ssh-keygen.1]
+ grammar;
+ - dtucker@cvs.openbsd.org 2005/11/03 13:38:29
+ [canohost.c]
+ Cache reverse lookups with and without DNS separately; ok markus@
+ - djm@cvs.openbsd.org 2005/11/04 05:15:59
+ [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c]
+ remove hardcoded hash lengths in key exchange code, allowing
+ implementation of KEX methods with different hashes (e.g. SHA-256);
+ ok markus@ dtucker@ stevesk@
+ - djm@cvs.openbsd.org 2005/11/05 05:01:15
+ [bufaux.c]
+ Fix leaks in error paths, bz #1109 and #1110 reported by kremenek AT
+ cs.stanford.edu; ok dtucker@
+ - (dtucker) [README.platform] Add PAM section.
+ - (djm) [openbsd-compat/getrrsetbyname.c] Sync to latest OpenBSD version,
+ resolving memory leak bz#1111 reported by kremenek AT cs.stanford.edu;
+ ok dtucker@
+
+20051102
+ - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup().
+ Reported by olavi at ipunplugged.com and antoine.brodin at laposte.net
+ via FreeBSD.
+
+20051030
+ - (djm) [contrib/suse/openssh.spec contrib/suse/rc.
+ sshd contrib/suse/sysconfig.ssh] Bug #1106: Updated SuSE spec and init
+ files from imorgan AT nas.nasa.gov
+ - (dtucker) [session.c] Bug #1045do not check /etc/nologin when PAM is
+ enabled, instead allow PAM to handle it. Note that on platforms using PAM,
+ the pam_nologin module should be added to sshd's session stack in order to
+ maintain exising behaviour. Based on patch and discussion from t8m at
+ centrum.cz, ok djm@
+
+20051025
+ - (dtucker) [configure.ac] Relocate LLONG_MAX calculation to after the
+ sizeof(long long) checks, to make fixing bug #1104 easier (no changes
+ yet).
+ - (dtucker) [configure.ac] Bug #1104: Tru64's printf family doesn't
+ understand "%lld", even though the compiler has "long long", so handle
+ it as a special case. Patch tested by mcaskill.scott at epa.gov.
+ - (dtucker) [contrib/cygwin/ssh-user-config] Remove duplicate yes/no
+ prompt. Patch from vinschen at redhat.com.
+
+20051017
+ - (dtucker) [configure.ac] Bug #1097: Fix configure for cross-compiling.
+ /etc/default/login report and testing from aabaker at iee.org, corrections
+ from tim@.
+
+20051009
+ - (dtucker) [configure.ac defines.h openbsd-compat/vis.{c,h}] Sync current
+ versions from OpenBSD. ok djm@
+
+20051008
+ - (dtucker) [configure.ac] Bug #1098: define $MAIL for HP-UX; report from
+ brian.smith at agilent com.
+ - (djm) [configure.ac] missing 'test' call for -with-Werror test
+
+20051005
+ - (dtucker) [configure.ac sshd.8] Enable locked account check (a prepended
+ "*LOCKED*" string) for FreeBSD. Patch jeremie at le-hen.org and
+ senthilkumar_sen at hotpop.com.
+
+20051003
+ - (dtucker) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2005/09/07 08:53:53
+ [channels.c]
+ enforce chanid != NULL; ok djm
+ - markus@cvs.openbsd.org 2005/09/09 19:18:05
+ [clientloop.c]
+ typo; from mark at mcs.vuw.ac.nz, bug #1082
+ - djm@cvs.openbsd.org 2005/09/13 23:40:07
+ [sshd.c ssh.c misc.h sftp.c ssh-keygen.c ssh-keysign.c sftp-server.c
+ scp.c misc.c ssh-keyscan.c ssh-add.c ssh-agent.c]
+ ensure that stdio fds are attached; ok deraadt@
+ - djm@cvs.openbsd.org 2005/09/19 11:37:34
+ [ssh_config.5 ssh.1]
+ mention ability to specify bind_address for DynamicForward and -D options;
+ bz#1077 spotted by Haruyama Seigo
+ - djm@cvs.openbsd.org 2005/09/19 11:47:09
+ [sshd.c]
+ stop connection abort on rekey with delayed compression enabled when
+ post-auth privsep is disabled (e.g. when root is logged in); ok dtucker@
+ - djm@cvs.openbsd.org 2005/09/19 11:48:10
+ [gss-serv.c]
+ typo
+ - jmc@cvs.openbsd.org 2005/09/19 15:38:27
+ [ssh.1]
+ some more .Bk/.Ek to avoid ugly line split;
+ - jmc@cvs.openbsd.org 2005/09/19 15:42:44
+ [ssh.c]
+ update -D usage here too;
+ - djm@cvs.openbsd.org 2005/09/19 23:31:31
+ [ssh.1]
+ spelling nit from stevesk@
+ - djm@cvs.openbsd.org 2005/09/21 23:36:54
+ [sshd_config.5]
+ aquire -> acquire, from stevesk@
+ - djm@cvs.openbsd.org 2005/09/21 23:37:11
+ [sshd.c]
+ change label at markus@'s request
+ - jaredy@cvs.openbsd.org 2005/09/30 20:34:26
+ [ssh-keyscan.1]
+ deploy .An -nosplit; ok jmc
+ - dtucker@cvs.openbsd.org 2005/10/03 07:44:42
+ [canohost.c]
+ Relocate check_ip_options call to prevent logging of garbage for
+ connections with IP options set. bz#1092 from David Leonard,
+ "looks good" deraadt@
+ - (dtucker) [regress/README.regress] Bug #989: Document limitation that scp
+ is required in the system path for the multiplex test to work.
+
+20050930
+ - (dtucker) [openbsd-compat/openbsd-compat.h] Bug #1096: Add prototype
+ for strtoll. Patch from o.flebbe at science-computing.de.
+ - (dtucker) [monitor.c] Bug #1087: Send loginmsg to preauth privsep
+ child during PAM account check without clearing it. This restores the
+ post-login warnings such as LDAP password expiry. Patch from Tomas Mraz
+ with help from several others.
+
+20050929
+ - (dtucker) [monitor_wrap.c] Remove duplicate definition of loginmsg
+ introduced during sync.
+
+20050928
+ - (dtucker) [entropy.c] Use u_char for receiving RNG seed for consistency.
+ - (dtucker) [auth-pam.c] Bug #1028: send final non-query messages from
+ PAM via keyboard-interactive. Patch tested by the folks at Vintela.
+
+20050927
+ - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid
+ calls, since they can't possibly fail. ok djm@
+ - (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed
+ process when sshd relies on ssh-random-helper. Should result in faster
+ logins on systems without a real random device or prngd. ok djm@
+
+20050924
+ - (dtucker) [auth2.c] Move start_pam() calls out of if-else block to remove
+ duplicate call. ok djm@
+
+20050922
+ - (dtucker) [configure.ac] Use -R linker flag for libedit too; patch from
+ skeleten at shillest.net.
+ - (dtucker) [configure.ac] Fix help for --with-opensc; patch from skeleten at
+ shillest.net.
+
+20050919
+ - (tim) [aclocal.m4 configure.ac] Delete acconfig.h and add templates to
+ AC_DEFINE and AC_DEFINE_UNQUOTED to quiet autoconf 2.59 warning messages.
+ ok dtucker@
+
+20050912
+ - (tim) [configure.ac] Bug 1078. Fix --without-kerberos5. Reported by
+ Mike Frysinger.
+
+20050908
+ - (tim) [defines.h openbsd-compat/port-uw.c] Add long password support to
+ OpenServer 6 and add osr5bigcrypt support so when someone migrates
+ passwords between UnixWare and OpenServer they will still work. OK dtucker@
+
20050901
- (djm) Update RPM spec file versions
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
- $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-See http://www.openssh.com/txt/release-4.2 for the release notes.
+See http://www.openssh.com/txt/release-4.3 for the release notes.
- A Japanese translation of this document and of the OpenSSH FAQ is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
+Platforms using PAM
+-------------------
+As of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when
+PAM is enabled. To maintain existing behaviour, pam_nologin should be
+added to sshd's session stack which will prevent users from starting shell
+sessions. Alternatively, pam_nologin can be added to either the auth or
+account stacks which will prevent authentication entirely, but will still
+return the output from pam_nologin to the client.
+
+
$Id$
--- /dev/null
+How to use OpenSSH-based virtual private networks
+-------------------------------------------------
+
+OpenSSH contains support for VPN tunneling using the tun(4) network
+tunnel pseudo-device which is available on most platforms, either for
+layer 2 or 3 traffic.
+
+The following brief instructions on how to use this feature use
+a network configuration specific to the OpenBSD operating system.
+
+(1) Server: Enable support for SSH tunneling
+
+To enable the ssh server to accept tunnel requests from the client, you
+have to add the following option to the ssh server configuration file
+(/etc/ssh/sshd_config):
+
+ PermitTunnel yes
+
+Restart the server or send the hangup signal (SIGHUP) to let the server
+reread it's configuration.
+
+(2) Server: Restrict client access and assign the tunnel
+
+The OpenSSH server simply uses the file /root/.ssh/authorized_keys to
+restrict the client to connect to a specified tunnel and to
+automatically start the related interface configuration command. These
+settings are optional but recommended:
+
+ tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org
+
+(3) Client: Configure the local network tunnel interface
+
+Use the hostname.if(5) interface-specific configuration file to set up
+the network tunnel configuration with OpenBSD. For example, use the
+following configuration in /etc/hostname.tun0 to set up the layer 3
+tunnel on the client:
+
+ inet 192.168.5.1 255.255.255.252 192.168.5.2
+
+OpenBSD also supports layer 2 tunneling over the tun device by adding
+the link0 flag:
+
+ inet 192.168.1.78 255.255.255.0 192.168.1.255 link0
+
+Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
+interface, like the following example for /etc/bridgename.bridge0:
+
+ add tun0
+ add sis0
+ up
+
+(4) Client: Configure the OpenSSH client
+
+To establish tunnel forwarding for connections to a specified
+remote host by default, use the following ssh client configuration for
+the privileged user (in /root/.ssh/config):
+
+ Host sshgateway
+ Tunnel yes
+ TunnelDevice 0:any
+ PermitLocalCommand yes
+ LocalCommand sh /etc/netstart tun0
+
+A more complicated configuration is possible to establish a tunnel to
+a remote host which is not directly accessible by the client.
+The following example describes a client configuration to connect to
+the remote host over two ssh hops in between. It uses the OpenSSH
+ProxyCommand in combination with the nc(1) program to forward the final
+ssh tunnel destination over multiple ssh sessions.
+
+ Host access.somewhere.net
+ User puffy
+ Host dmzgw
+ User puffy
+ ProxyCommand ssh access.somewhere.net nc dmzgw 22
+ Host sshgateway
+ Tunnel Ethernet
+ TunnelDevice 0:any
+ PermitLocalCommand yes
+ LocalCommand sh /etc/netstart tun0
+ ProxyCommand ssh dmzgw nc sshgateway 22
+
+The following network plan illustrates the previous configuration in
+combination with layer 2 tunneling and Ethernet bridging.
+
++--------+ ( ) +----------------------+
+| Client |------( Internet )-----| access.somewhere.net |
++--------+ ( ) +----------------------+
+ : 192.168.1.78 |
+ :............................. +-------+
+ Forwarded ssh connection : | dmzgw |
+ Layer 2 tunnel : +-------+
+ : |
+ : |
+ : +------------+
+ :......| sshgateway |
+ | +------------+
+--- real connection Bridge -> | +----------+
+... "virtual connection" [ X ]--------| somehost |
+[X] switch +----------+
+ 192.168.1.25
+
+(5) Client: Connect to the server and establish the tunnel
+
+Finally connect to the OpenSSH server to establish the tunnel by using
+the following command:
+
+ ssh sshgateway
+
+It is also possible to tell the client to fork into the background after
+the connection has been successfully established:
+
+ ssh -f sshgateway true
+
+Without the ssh configuration done in step (4), it is also possible
+to use the following command lines:
+
+ ssh -fw 0:1 sshgateway true
+ ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252
+
+Using OpenSSH tunnel forwarding is a simple way to establish secure
+and ad hoc virtual private networks. Possible fields of application
+could be wireless networks or administrative VPN tunnels.
+
+Nevertheless, ssh tunneling requires some packet header overhead and
+runs on top of TCP. It is still suggested to use the IP Security
+Protocol (IPSec) for robust and permanent VPN connections and to
+interconnect corporate networks.
+
+ Reyk Floeter
+
+$OpenBSD: README.tun,v 1.3 2005/12/08 18:34:10 reyk Exp $
if test -n "`echo $ossh_varname`"; then
AC_MSG_RESULT($ossh_result)
if test "x$ossh_result" = "xyes"; then
- AC_DEFINE($3)
+ AC_DEFINE($3, 1, [Define if you have $1 in $2])
fi
else
AC_MSG_RESULT(no)
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.16 2005/11/21 09:42:10 dtucker Exp $");
#include "ssh.h"
#include "ssh1.h"
krb5_ccache ccache = NULL;
int len;
- if (!authctxt->valid)
- return (0);
-
temporarily_use_uid(authctxt->pw);
problem = krb5_init(authctxt);
else
return (0);
}
- return (1);
+ return (authctxt->valid ? 1 : 0);
}
void
ret = snprintf(ccname, sizeof(ccname),
"FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
- if (ret == -1 || ret >= sizeof(ccname))
+ if (ret < 0 || (size_t)ret >= sizeof(ccname))
return ENOMEM;
old_umask = umask(0177);
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.31 2005/03/10 22:40:38 deraadt Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.33 2005/12/08 18:34:11 reyk Exp $");
#include "xmalloc.h"
#include "match.h"
/* "environment=" options. */
struct envstring *custom_environment = NULL;
+/* "tunnel=" option. */
+int forced_tun_device = -1;
+
extern ServerOptions options;
void
xfree(forced_command);
forced_command = NULL;
}
+ forced_tun_device = -1;
channel_clear_permitted_opens();
auth_debug_reset();
}
xfree(patterns);
goto next_option;
}
+ cp = "tunnel=\"";
+ if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+ char *tun = NULL;
+ opts += strlen(cp);
+ tun = xmalloc(strlen(opts) + 1);
+ i = 0;
+ while (*opts) {
+ if (*opts == '"')
+ break;
+ tun[i++] = *opts++;
+ }
+ if (!*opts) {
+ debug("%.100s, line %lu: missing end quote",
+ file, linenum);
+ auth_debug_add("%.100s, line %lu: missing end quote",
+ file, linenum);
+ xfree(tun);
+ forced_tun_device = -1;
+ goto bad_option;
+ }
+ tun[i] = 0;
+ forced_tun_device = a2tun(tun, NULL);
+ xfree(tun);
+ if (forced_tun_device == SSH_TUNID_ERR) {
+ debug("%.100s, line %lu: invalid tun device",
+ file, linenum);
+ auth_debug_add("%.100s, line %lu: invalid tun device",
+ file, linenum);
+ forced_tun_device = -1;
+ goto bad_option;
+ }
+ auth_debug_add("Forced tun device: %d", forced_tun_device);
+ opts++;
+ goto next_option;
+ }
next_option:
/*
* Skip the comma, and move to the next option
-/* $OpenBSD: auth-options.h,v 1.12 2002/07/21 18:34:43 stevesk Exp $ */
+/* $OpenBSD: auth-options.h,v 1.13 2005/12/06 22:38:27 reyk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
extern int no_pty_flag;
extern char *forced_command;
extern struct envstring *custom_environment;
+extern int forced_tun_device;
int auth_parse_options(struct passwd *, char *, char *, u_long);
void auth_clear_options(void);
plen++;
xfree(msg);
break;
- case PAM_SUCCESS:
case PAM_AUTH_ERR:
+ debug3("PAM: PAM_AUTH_ERR");
+ if (**prompts != NULL && strlen(**prompts) != 0) {
+ *info = **prompts;
+ **prompts = NULL;
+ *num = 0;
+ **echo_on = 0;
+ ctxt->pam_done = -1;
+ return 0;
+ }
+ /* FALLTHROUGH */
+ case PAM_SUCCESS:
if (**prompts != NULL) {
/* drain any accumulated messages */
debug("PAM: %s", **prompts);
Buffer buffer;
struct pam_ctxt *ctxt = ctx;
- debug2("PAM: %s entering, %d responses", __func__, num);
+ debug2("PAM: %s entering, %u responses", __func__, num);
switch (ctxt->pam_done) {
case 1:
sshpam_authenticated = 1;
-/* $OpenBSD: auth2-gss.c,v 1.10 2005/07/17 07:17:54 djm Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.12 2005/10/13 22:24:31 stevesk Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
#include "log.h"
#include "dispatch.h"
#include "servconf.h"
-#include "compat.h"
#include "packet.h"
#include "monitor_wrap.h"
/*
* We only support those mechanisms that we know about (ie ones that we know
- * how to check local user kuserok and the like
+ * how to check local user kuserok and the like)
*/
static int
userauth_gssapi(Authctxt *authctxt)
return (0);
}
- authctxt->methoddata=(void *)ctxt;
+ authctxt->methoddata = (void *)ctxt;
packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE);
if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
authctxt->valid = 1;
debug2("input_userauth_request: setting up authctxt for %s", user);
-#ifdef USE_PAM
- if (options.use_pam)
- PRIVSEP(start_pam(authctxt));
-#endif
} else {
logit("input_userauth_request: invalid user %s", user);
authctxt->pw = fakepw();
-#ifdef USE_PAM
- if (options.use_pam)
- PRIVSEP(start_pam(authctxt));
-#endif
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_INVALID_USER));
#endif
}
+#ifdef USE_PAM
+ if (options.use_pam)
+ PRIVSEP(start_pam(authctxt));
+#endif
setproctitle("%s%s", authctxt->valid ? user : "unknown",
use_privsep ? " [net]" : "");
authctxt->service = xstrdup(service);
*/
#include "includes.h"
-RCSID("$OpenBSD: bufaux.c,v 1.36 2005/06/17 02:44:32 djm Exp $");
+RCSID("$OpenBSD: bufaux.c,v 1.37 2005/11/05 05:01:15 djm Exp $");
#include <openssl/bn.h>
#include "bufaux.h"
if (oi != bin_size) {
error("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d",
oi, bin_size);
+ xfree(buf);
return (-1);
}
if (len > 0 && (bin[0] & 0x80)) {
error("buffer_get_bignum2_ret: negative numbers not supported");
+ xfree(bin);
return (-1);
}
if (len > 8 * 1024) {
error("buffer_get_bignum2_ret: cannot handle BN of size %d", len);
+ xfree(bin);
return (-1);
}
BN_bin2bn(bin, len, value);
# Create user if required
[ "\$DO_PASSWD" = yes ] && {
# Use uid of 67 if possible
- if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null
+ if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDUID'\$' >/dev/null
then
:
else
*/
#include "includes.h"
-RCSID("$OpenBSD: canohost.c,v 1.44 2005/06/17 02:44:32 djm Exp $");
+RCSID("$OpenBSD: canohost.c,v 1.48 2005/12/28 22:46:06 stevesk Exp $");
#include "packet.h"
#include "xmalloc.h"
cleanup_exit(255);
}
- if (from.ss_family == AF_INET)
- check_ip_options(sock, ntop);
-
ipv64_normalise_mapped(&from, &fromlen);
if (from.ss_family == AF_INET6)
NULL, 0, NI_NUMERICHOST) != 0)
fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
+ if (from.ss_family == AF_INET)
+ check_ip_options(sock, ntop);
+
if (!use_dns)
return xstrdup(ntop);
hints.ai_socktype = SOCK_STREAM;
if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
logit("reverse mapping checking getaddrinfo for %.700s "
- "failed - POSSIBLE BREAKIN ATTEMPT!", name);
+ "failed - POSSIBLE BREAK-IN ATTEMPT!", name);
return xstrdup(ntop);
}
/* Look for the address from the list of addresses. */
if (!ai) {
/* Address not found for the host name. */
logit("Address %.100s maps to %.600s, but this does not "
- "map back to the address - POSSIBLE BREAKIN ATTEMPT!",
+ "map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
ntop, name);
return xstrdup(ntop);
}
for (i = 0; i < option_size; i++)
snprintf(text + i*3, sizeof(text) - i*3,
" %2.2x", options[i]);
- logit("Connection from %.100s with IP options:%.800s",
- ipaddr, text);
- packet_disconnect("Connection from %.100s with IP options:%.800s",
+ fatal("Connection from %.100s with IP options:%.800s",
ipaddr, text);
}
#endif /* IP_OPTIONS */
const char *
get_canonical_hostname(int use_dns)
{
+ char *host;
static char *canonical_host_name = NULL;
- static int use_dns_done = 0;
+ static char *remote_ip = NULL;
/* Check if we have previously retrieved name with same option. */
- if (canonical_host_name != NULL) {
- if (use_dns_done != use_dns)
- xfree(canonical_host_name);
- else
- return canonical_host_name;
- }
+ if (use_dns && canonical_host_name != NULL)
+ return canonical_host_name;
+ if (!use_dns && remote_ip != NULL)
+ return remote_ip;
/* Get the real hostname if socket; otherwise return UNKNOWN. */
if (packet_connection_is_on_socket())
- canonical_host_name = get_remote_hostname(
- packet_get_connection_in(), use_dns);
+ host = get_remote_hostname(packet_get_connection_in(), use_dns);
else
- canonical_host_name = xstrdup("UNKNOWN");
+ host = "UNKNOWN";
- use_dns_done = use_dns;
- return canonical_host_name;
+ if (use_dns)
+ canonical_host_name = host;
+ else
+ remote_ip = host;
+ return host;
}
/*
*/
#include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.223 2005/07/17 07:17:54 djm Exp $");
+RCSID("$OpenBSD: channels.c,v 1.232 2006/01/30 12:22:22 reyk Exp $");
#include "ssh.h"
#include "ssh1.h"
/* -- channel core */
-#define CHAN_RBUF 16*1024
-
/*
* Pointer to an array containing all allocated channels. The array is
* dynamically extended as needed.
/* -- channel core */
Channel *
-channel_lookup(int id)
+channel_by_id(int id)
{
Channel *c;
if (id < 0 || (u_int)id >= channels_alloc) {
- logit("channel_lookup: %d: bad id", id);
+ logit("channel_by_id: %d: bad id", id);
return NULL;
}
c = channels[id];
if (c == NULL) {
- logit("channel_lookup: %d: bad id: channel free", id);
+ logit("channel_by_id: %d: bad id: channel free", id);
return NULL;
}
return c;
}
+/*
+ * Returns the channel if it is allowed to receive protocol messages.
+ * Private channels, like listening sockets, may not receive messages.
+ */
+Channel *
+channel_lookup(int id)
+{
+ Channel *c;
+
+ if ((c = channel_by_id(id)) == NULL)
+ return (NULL);
+
+ switch(c->type) {
+ case SSH_CHANNEL_X11_OPEN:
+ case SSH_CHANNEL_LARVAL:
+ case SSH_CHANNEL_CONNECTING:
+ case SSH_CHANNEL_DYNAMIC:
+ case SSH_CHANNEL_OPENING:
+ case SSH_CHANNEL_OPEN:
+ case SSH_CHANNEL_INPUT_DRAINING:
+ case SSH_CHANNEL_OUTPUT_DRAINING:
+ return (c);
+ break;
+ }
+ logit("Non-public channel %d, type %d.", id, c->type);
+ return (NULL);
+}
+
/*
* Register filedescriptors for a channel, used when allocating a channel or
* when the channel consumer/producer is ready, e.g. shell exec'd
c->force_drain = 0;
c->single_connection = 0;
c->detach_user = NULL;
+ c->detach_close = 0;
c->confirm = NULL;
c->confirm_ctx = NULL;
c->input_filter = NULL;
+ c->output_filter = NULL;
debug("channel %d: new [%s]", found, remote_name);
return c;
}
c->confirm_ctx = ctx;
}
void
-channel_register_cleanup(int id, channel_callback_fn *fn)
+channel_register_cleanup(int id, channel_callback_fn *fn, int do_close)
{
- Channel *c = channel_lookup(id);
+ Channel *c = channel_by_id(id);
if (c == NULL) {
logit("channel_register_cleanup: %d: bad id", id);
return;
}
c->detach_user = fn;
+ c->detach_close = do_close;
}
void
channel_cancel_cleanup(int id)
{
- Channel *c = channel_lookup(id);
+ Channel *c = channel_by_id(id);
if (c == NULL) {
logit("channel_cancel_cleanup: %d: bad id", id);
return;
}
c->detach_user = NULL;
+ c->detach_close = 0;
}
void
-channel_register_filter(int id, channel_filter_fn *fn)
+channel_register_filter(int id, channel_infilter_fn *ifn,
+ channel_outfilter_fn *ofn)
{
Channel *c = channel_lookup(id);
logit("channel_register_filter: %d: bad id", id);
return;
}
- c->input_filter = fn;
+ c->input_filter = ifn;
+ c->output_filter = ofn;
}
void
xfree(remote_ipaddr);
}
+static void
+channel_set_reuseaddr(int fd)
+{
+ int on = 1;
+
+ /*
+ * Set socket options.
+ * Allow local port reuse in TIME_WAIT.
+ */
+ if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1)
+ error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno));
+}
+
/*
* This socket is listening for connections to a forwarded TCP/IP port.
*/
debug2("channel %d: filter stops", c->self);
chan_read_failed(c);
}
+ } else if (c->datagram) {
+ buffer_put_string(&c->input, buf, len);
} else {
buffer_append(&c->input, buf, len);
}
channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
{
struct termios tio;
- u_char *data;
+ u_char *data = NULL, *buf;
u_int dlen;
int len;
if (c->wfd != -1 &&
FD_ISSET(c->wfd, writeset) &&
buffer_len(&c->output) > 0) {
- data = buffer_ptr(&c->output);
- dlen = buffer_len(&c->output);
+ if (c->output_filter != NULL) {
+ if ((buf = c->output_filter(c, &data, &dlen)) == NULL) {
+ debug2("channel %d: filter stops", c->self);
+ if (c->type != SSH_CHANNEL_OPEN)
+ chan_mark_dead(c);
+ else
+ chan_write_failed(c);
+ return -1;
+ }
+ } else if (c->datagram) {
+ buf = data = buffer_get_string(&c->output, &dlen);
+ } else {
+ buf = data = buffer_ptr(&c->output);
+ dlen = buffer_len(&c->output);
+ }
+
+ if (c->datagram) {
+ /* ignore truncated writes, datagrams might get lost */
+ c->local_consumed += dlen + 4;
+ len = write(c->wfd, buf, dlen);
+ xfree(data);
+ if (len < 0 && (errno == EINTR || errno == EAGAIN))
+ return 1;
+ if (len <= 0) {
+ if (c->type != SSH_CHANNEL_OPEN)
+ chan_mark_dead(c);
+ else
+ chan_write_failed(c);
+ return -1;
+ }
+ return 1;
+ }
#ifdef _AIX
/* XXX: Later AIX versions can't push as much data to tty */
if (compat20 && c->wfd_isatty)
dlen = MIN(dlen, 8*1024);
#endif
- len = write(c->wfd, data, dlen);
+
+ len = write(c->wfd, buf, dlen);
if (len < 0 && (errno == EINTR || errno == EAGAIN))
return 1;
if (len <= 0) {
}
return -1;
}
- if (compat20 && c->isatty && dlen >= 1 && data[0] != '\r') {
+ if (compat20 && c->isatty && dlen >= 1 && buf[0] != '\r') {
if (tcgetattr(c->wfd, &tio) == 0 &&
!(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
/*
* Simulate echo to reduce the impact of
* traffic analysis. We need to match the
* size of a SSH2_MSG_CHANNEL_DATA message
- * (4 byte channel id + data)
+ * (4 byte channel id + buf)
*/
packet_send_ignore(4 + len);
packet_send();
if (c == NULL)
return;
if (c->detach_user != NULL) {
- if (!chan_is_dead(c, 0))
+ if (!chan_is_dead(c, c->detach_close))
return;
debug2("channel %d: gc: notify user", c->self);
c->detach_user(c->self, NULL);
if ((c->istate == CHAN_INPUT_OPEN ||
c->istate == CHAN_INPUT_WAIT_DRAIN) &&
(len = buffer_len(&c->input)) > 0) {
+ if (c->datagram) {
+ if (len > 0) {
+ u_char *data;
+ u_int dlen;
+
+ data = buffer_get_string(&c->input,
+ &dlen);
+ packet_start(SSH2_MSG_CHANNEL_DATA);
+ packet_put_int(c->remote_id);
+ packet_put_string(data, dlen);
+ packet_send();
+ c->remote_window -= dlen + 4;
+ xfree(data);
+ }
+ continue;
+ }
/*
* Send some data for the other side over the secure
* connection.
c->local_window -= data_len;
}
packet_check_eom();
- buffer_append(&c->output, data, data_len);
+ if (c->datagram)
+ buffer_put_string(&c->output, data, data_len);
+ else
+ buffer_append(&c->output, data, data_len);
xfree(data);
}
id = packet_get_int();
c = channel_lookup(id);
- if (c == NULL || c->type != SSH_CHANNEL_OPEN) {
- logit("Received window adjust for "
- "non-open channel %d.", id);
+ if (c == NULL) {
+ logit("Received window adjust for non-open channel %d.", id);
return;
}
adjust = packet_get_int();
const char *host_to_connect, u_short port_to_connect, int gateway_ports)
{
Channel *c;
- int sock, r, success = 0, on = 1, wildcard = 0, is_client;
+ int sock, r, success = 0, wildcard = 0, is_client;
struct addrinfo hints, *ai, *aitop;
const char *host, *addr;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
verbose("socket: %.100s", strerror(errno));
continue;
}
- /*
- * Set socket options.
- * Allow local port reuse in TIME_WAIT.
- */
- if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on,
- sizeof(on)) == -1)
- error("setsockopt SO_REUSEADDR: %s", strerror(errno));
+
+ channel_set_reuseaddr(sock);
debug("Local forwarding listening on %s port %s.", ntop, strport);
permitted_opens[i].listen_port = 0;
permitted_opens[i].port_to_connect = 0;
- free(permitted_opens[i].host_to_connect);
+ xfree(permitted_opens[i].host_to_connect);
permitted_opens[i].host_to_connect = NULL;
}
char strport[NI_MAXSERV];
int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
+ if (chanids == NULL)
+ return -1;
+
for (display_number = x11_display_offset;
display_number < MAX_DISPLAYS;
display_number++) {
error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno));
}
#endif
+ channel_set_reuseaddr(sock);
if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
debug2("bind port %d: %.100s", port, strerror(errno));
close(sock);
}
/* Allocate a channel for each socket. */
- if (chanids != NULL)
- *chanids = xmalloc(sizeof(**chanids) * (num_socks + 1));
+ *chanids = xmalloc(sizeof(**chanids) * (num_socks + 1));
for (n = 0; n < num_socks; n++) {
sock = socks[n];
nc = channel_new("x11 listener",
CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
0, "X11 inet listener", 1);
nc->single_connection = single_connection;
- if (*chanids != NULL)
- (*chanids)[n] = nc->self;
+ (*chanids)[n] = nc->self;
}
- if (*chanids != NULL)
- (*chanids)[n] = -1;
+ (*chanids)[n] = -1;
/* Return the display number for the DISPLAY environment variable. */
*display_numberp = display_number;
error("deny_input_open: type %d", type);
break;
}
- error("Warning: this is probably a break in attempt by a malicious server.");
+ error("Warning: this is probably a break-in attempt by a malicious server.");
packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
packet_put_int(rchan);
packet_send();
-/* $OpenBSD: channels.h,v 1.79 2005/07/17 06:49:04 djm Exp $ */
+/* $OpenBSD: channels.h,v 1.83 2005/12/30 15:56:37 reyk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
typedef struct Channel Channel;
typedef void channel_callback_fn(int, void *);
-typedef int channel_filter_fn(struct Channel *, char *, int);
+typedef int channel_infilter_fn(struct Channel *, char *, int);
+typedef u_char *channel_outfilter_fn(struct Channel *, u_char **, u_int *);
struct Channel {
int type; /* channel type/state */
/* callback */
channel_callback_fn *confirm;
- channel_callback_fn *detach_user;
void *confirm_ctx;
+ channel_callback_fn *detach_user;
+ int detach_close;
/* filter */
- channel_filter_fn *input_filter;
+ channel_infilter_fn *input_filter;
+ channel_outfilter_fn *output_filter;
+
+ int datagram; /* keep boundaries */
};
#define CHAN_EXTENDED_IGNORE 0
#define CHAN_EOF_SENT 0x04
#define CHAN_EOF_RCVD 0x08
+#define CHAN_RBUF 16*1024
+
/* check whether 'efd' is still in use */
#define CHANNEL_EFD_INPUT_ACTIVE(c) \
(compat20 && c->extended_usage == CHAN_EXTENDED_READ && \
/* channel management */
+Channel *channel_by_id(int);
Channel *channel_lookup(int);
Channel *channel_new(char *, int, int, int, int, u_int, u_int, int, char *, int);
void channel_set_fds(int, int, int, int, int, int, u_int);
void channel_send_open(int);
void channel_request_start(int, char *, int);
-void channel_register_cleanup(int, channel_callback_fn *);
+void channel_register_cleanup(int, channel_callback_fn *, int);
void channel_register_confirm(int, channel_callback_fn *, void *);
-void channel_register_filter(int, channel_filter_fn *);
+void channel_register_filter(int, channel_infilter_fn *, channel_outfilter_fn *);
void channel_cancel_cleanup(int);
int channel_close_fd(int *);
void channel_send_window_changes(void);
*/
#include "includes.h"
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+
+/* compatibility with old or broken OpenSSL versions */
+#include "openbsd-compat/openssl-compat.h"
+
+#ifdef USE_BUILTIN_RIJNDAEL
RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $");
#include <openssl/evp.h>
#include "xmalloc.h"
#include "log.h"
-#if OPENSSL_VERSION_NUMBER < 0x00906000L
-#define SSH_OLD_EVP
-#endif
-
#define RIJNDAEL_BLOCKSIZE 16
struct ssh_rijndael_ctx
{
#endif
return (&rijndal_cbc);
}
-#endif /* OPENSSL_VERSION_NUMBER */
+#endif /* USE_BUILTIN_RIJNDAEL */
#include "log.h"
#include "xmalloc.h"
-#if OPENSSL_VERSION_NUMBER < 0x00906000L
-#define SSH_OLD_EVP
-#endif
+/* compatibility with old or broken OpenSSL versions */
+#include "openbsd-compat/openssl-compat.h"
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#ifdef USE_BUILTIN_RIJNDAEL
#include "rijndael.h"
#define AES_KEY rijndael_ctx
#define AES_BLOCK_SIZE 16
if ((u_int)evplen != len)
fatal("%s: wrong iv length %d != %d", __func__,
evplen, len);
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#ifdef USE_BUILTIN_RIJNDAEL
if (c->evptype == evp_rijndael)
ssh_rijndael_iv(&cc->evp, 0, iv, len);
else
evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
if (evplen == 0)
return;
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#ifdef USE_BUILTIN_RIJNDAEL
if (c->evptype == evp_rijndael)
ssh_rijndael_iv(&cc->evp, 1, iv, evplen);
else
*/
#include "includes.h"
-RCSID("$OpenBSD: clientloop.c,v 1.141 2005/07/16 01:35:24 djm Exp $");
+RCSID("$OpenBSD: clientloop.c,v 1.149 2005/12/30 15:56:37 reyk Exp $");
#include "ssh.h"
#include "ssh1.h"
#include "log.h"
#include "readconf.h"
#include "clientloop.h"
+#include "sshconnect.h"
#include "authfd.h"
#include "atomicio.h"
#include "sshpty.h"
static volatile sig_atomic_t received_window_change_signal = 0;
static volatile sig_atomic_t received_signal = 0;
-/* Flag indicating whether the user\'s terminal is in non-blocking mode. */
+/* Flag indicating whether the user's terminal is in non-blocking mode. */
static int in_non_blocking_mode = 0;
/* Common data for the client loop code. */
}
}
snprintf(cmd, sizeof(cmd),
- "%s %s%s list %s . 2>" _PATH_DEVNULL,
+ "%s %s%s list %s 2>" _PATH_DEVNULL,
xauth_path,
generated ? "-f " : "" ,
generated ? xauthfile : "",
logit(" -Lport:host:hostport Request local forward");
logit(" -Rport:host:hostport Request remote forward");
logit(" -KRhostport Cancel remote forward");
+ if (!options.permit_local_command)
+ goto out;
+ logit(" !args Execute local command");
+ goto out;
+ }
+
+ if (*s == '!' && options.permit_local_command) {
+ s++;
+ ssh_local_cmd(s);
goto out;
}
session_ident = ssh2_chan_id;
if (escape_char != SSH_ESCAPECHAR_NONE)
channel_register_filter(session_ident,
- simple_escape_filter);
+ simple_escape_filter, NULL);
if (session_ident != -1)
channel_register_cleanup(session_ident,
- client_channel_closed);
+ client_channel_closed, 0);
} else {
/* Check if we should immediately send eof on stdin. */
client_check_initial_eof_on_stdin();
if (!options.forward_x11) {
error("Warning: ssh server tried X11 forwarding.");
- error("Warning: this is probably a break in attempt by a malicious server.");
+ error("Warning: this is probably a break-in attempt by a malicious server.");
return NULL;
}
originator = packet_get_string(NULL);
if (!options.forward_agent) {
error("Warning: ssh server tried agent forwarding.");
- error("Warning: this is probably a break in attempt by a malicious server.");
+ error("Warning: this is probably a break-in attempt by a malicious server.");
return NULL;
}
sock = ssh_get_authentication_socket();
/* Split */
name = xstrdup(env[i]);
if ((val = strchr(name, '=')) == NULL) {
- free(name);
+ xfree(name);
continue;
}
*val++ = '\0';
}
if (!matched) {
debug3("Ignored env %s", name);
- free(name);
+ xfree(name);
continue;
}
packet_put_cstring(name);
packet_put_cstring(val);
packet_send();
- free(name);
+ xfree(name);
}
}
AC_PATH_PROG(PATH_USERADD_PROG, useradd, useradd,
[/usr/sbin${PATH_SEPARATOR}/etc])
AC_CHECK_PROG(MAKE_PACKAGE_SUPPORTED, pkgmk, yes, no)
+if test -x /sbin/sh; then
+ AC_SUBST(STARTUP_SCRIPT_SHELL,/sbin/sh)
+else
+ AC_SUBST(STARTUP_SCRIPT_SHELL,/bin/sh)
+fi
# System features
AC_SYS_LARGEFILE
# Use LOGIN_PROGRAM from environment if possible
if test ! -z "$LOGIN_PROGRAM" ; then
- AC_DEFINE_UNQUOTED(LOGIN_PROGRAM_FALLBACK, "$LOGIN_PROGRAM")
+ AC_DEFINE_UNQUOTED(LOGIN_PROGRAM_FALLBACK, "$LOGIN_PROGRAM",
+ [If your header files don't define LOGIN_PROGRAM,
+ then use this (detected) from environment and PATH])
else
# Search for login
AC_PATH_PROG(LOGIN_PROGRAM_FALLBACK, login)
AC_PATH_PROG(PATH_PASSWD_PROG, passwd)
if test ! -z "$PATH_PASSWD_PROG" ; then
- AC_DEFINE_UNQUOTED(_PATH_PASSWD_PROG, "$PATH_PASSWD_PROG")
+ AC_DEFINE_UNQUOTED(_PATH_PASSWD_PROG, "$PATH_PASSWD_PROG",
+ [Full path of your "passwd" program])
fi
if test -z "$LD" ; then
if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized"
- GCC_VER=`$CC --version`
+ GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
case $GCC_VER in
1.*) ;;
2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;;
2.*) ;;
- *) CFLAGS="$CFLAGS -Wsign-compare" ;;
+ 3.*) CFLAGS="$CFLAGS -Wsign-compare" ;;
+ 4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign" ;;
+ *) ;;
esac
if test -z "$have_llong_max"; then
fi
fi
-if test -z "$have_llong_max"; then
- AC_MSG_CHECKING([for max value of long long])
- AC_RUN_IFELSE(
- [AC_LANG_SOURCE([[
-#include <stdio.h>
-/* Why is this so damn hard? */
-#ifdef __GNUC__
-# undef __GNUC__
-#endif
-#define __USE_ISOC99
-#include <limits.h>
-#define DATA "conftest.llminmax"
-int main(void) {
- FILE *f;
- long long i, llmin, llmax = 0;
-
- if((f = fopen(DATA,"w")) == NULL)
- exit(1);
-
-#if defined(LLONG_MIN) && defined(LLONG_MAX)
- fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
- llmin = LLONG_MIN;
- llmax = LLONG_MAX;
-#else
- fprintf(stderr, "Calculating LLONG_MIN and LLONG_MAX\n");
- /* This will work on one's complement and two's complement */
- for (i = 1; i > llmax; i <<= 1, i++)
- llmax = i;
- llmin = llmax + 1LL; /* wrap */
-#endif
-
- /* Sanity check */
- if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
- || llmax - 1 > llmax) {
- fprintf(f, "unknown unknown\n");
- exit(2);
- }
-
- if (fprintf(f ,"%lld %lld", llmin, llmax) < 0)
- exit(3);
-
- exit(0);
-}
- ]])],
- [
- llong_min=`$AWK '{print $1}' conftest.llminmax`
- llong_max=`$AWK '{print $2}' conftest.llminmax`
- AC_MSG_RESULT($llong_max)
- AC_DEFINE_UNQUOTED(LLONG_MAX, [${llong_max}LL],
- [max value of long long calculated by configure])
- AC_MSG_CHECKING([for min value of long long])
- AC_MSG_RESULT($llong_min)
- AC_DEFINE_UNQUOTED(LLONG_MIN, [${llong_min}LL],
- [min value of long long calculated by configure])
- ],
- [
- AC_MSG_RESULT(not found)
- ],
- [
- AC_MSG_WARN([cross compiling: not checking])
- ]
- )
-fi
-
AC_ARG_WITH(rpath,
[ --without-rpath Disable auto-added -R linker paths],
[
fi
LDFLAGS="$saved_LDFLAGS"
dnl Check for authenticate. Might be in libs.a on older AIXes
- AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)],
+ AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE, 1,
+ [Define if you want to enable AIX4's authenticate function])],
[AC_CHECK_LIB(s,authenticate,
[ AC_DEFINE(WITH_AIXAUTHENTICATE)
LIBS="$LIBS -ls"
[#include <usersec.h>],
[(void)loginfailed("user","host","tty",0);],
[AC_MSG_RESULT(yes)
- AC_DEFINE(AIX_LOGINFAILED_4ARG)],
+ AC_DEFINE(AIX_LOGINFAILED_4ARG, 1,
+ [Define if your AIX loginfailed() function
+ takes 4 arguments (AIX >= 5.2)])],
[AC_MSG_RESULT(no)]
)],
[],
)
AC_CHECK_FUNCS(setauthdb)
check_for_aix_broken_getaddrinfo=1
- AC_DEFINE(BROKEN_REALPATH)
- AC_DEFINE(SETEUID_BREAKS_SETUID)
- AC_DEFINE(BROKEN_SETREUID)
- AC_DEFINE(BROKEN_SETREGID)
+ AC_DEFINE(BROKEN_REALPATH, 1, [Define if you have a broken realpath.])
+ AC_DEFINE(SETEUID_BREAKS_SETUID, 1,
+ [Define if your platform breaks doing a seteuid before a setuid])
+ AC_DEFINE(BROKEN_SETREUID, 1, [Define if your setreuid() is broken])
+ AC_DEFINE(BROKEN_SETREGID, 1, [Define if your setregid() is broken])
dnl AIX handles lastlog as part of its login message
- AC_DEFINE(DISABLE_LASTLOG)
- AC_DEFINE(LOGIN_NEEDS_UTMPX)
- AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
+ AC_DEFINE(DISABLE_LASTLOG, 1, [Define if you don't want to use lastlog])
+ AC_DEFINE(LOGIN_NEEDS_UTMPX, 1,
+ [Some systems need a utmpx entry for /bin/login to work])
+ AC_DEFINE(SPT_TYPE,SPT_REUSEARGV,
+ [Define to a Set Process Title type if your system is
+ supported by bsd-setproctitle.c])
+ AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID, 1,
+ [AIX 5.2 and 5.3 (and presumably newer) require this])
;;
*-*-cygwin*)
check_for_libcrypt_later=1
LIBS="$LIBS /usr/lib/textmode.o"
- AC_DEFINE(HAVE_CYGWIN)
- AC_DEFINE(USE_PIPES)
- AC_DEFINE(DISABLE_SHADOW)
- AC_DEFINE(IP_TOS_IS_BROKEN)
- AC_DEFINE(NO_X11_UNIX_SOCKETS)
- AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT)
- AC_DEFINE(DISABLE_FD_PASSING)
+ AC_DEFINE(HAVE_CYGWIN, 1, [Define if you are on Cygwin])
+ AC_DEFINE(USE_PIPES, 1, [Use PIPES instead of a socketpair()])
+ AC_DEFINE(DISABLE_SHADOW, 1,
+ [Define if you want to disable shadow passwords])
+ AC_DEFINE(IP_TOS_IS_BROKEN, 1,
+ [Define if your system choked on IP TOS setting])
+ AC_DEFINE(NO_X11_UNIX_SOCKETS, 1,
+ [Define if X11 doesn't support AF_UNIX sockets on that system])
+ AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT, 1,
+ [Define if the concept of ports only accessible to
+ superusers isn't known])
+ AC_DEFINE(DISABLE_FD_PASSING, 1,
+ [Define if your platform needs to skip post auth
+ file descriptor passing])
;;
*-*-dgux*)
AC_DEFINE(IP_TOS_IS_BROKEN)
exit(1);
}], [AC_MSG_RESULT(working)],
[AC_MSG_RESULT(buggy)
- AC_DEFINE(BROKEN_GETADDRINFO)],
+ AC_DEFINE(BROKEN_GETADDRINFO, 1, [getaddrinfo is broken (if present)])],
[AC_MSG_RESULT(assume it is working)])
AC_DEFINE(SETEUID_BREAKS_SETUID)
AC_DEFINE(BROKEN_SETREUID)
AC_DEFINE(BROKEN_SETREGID)
- AC_DEFINE_UNQUOTED(BIND_8_COMPAT, 1)
+ AC_DEFINE_UNQUOTED(BIND_8_COMPAT, 1,
+ [Define if your resolver libs need this for getrrsetbyname])
;;
*-*-hpux*)
# first we define all of the options common to all HP-UX releases
CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
IPADDR_IN_DISPLAY=yes
AC_DEFINE(USE_PIPES)
- AC_DEFINE(LOGIN_NO_ENDOPT)
+ AC_DEFINE(LOGIN_NO_ENDOPT, 1,
+ [Define if your login program cannot handle end of options ("--")])
AC_DEFINE(LOGIN_NEEDS_UTMPX)
- AC_DEFINE(LOCKED_PASSWD_STRING, "*")
+ AC_DEFINE(LOCKED_PASSWD_STRING, "*",
+ [String used in /etc/passwd to denote locked account])
AC_DEFINE(SPT_TYPE,SPT_PSTAT)
+ MAIL="/var/mail/username"
LIBS="$LIBS -lsec"
AC_CHECK_LIB(xnet, t_error, ,
AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
fi
;;
*-*-hpux11*)
- AC_DEFINE(PAM_SUN_CODEBASE)
- AC_DEFINE(DISABLE_UTMP)
+ AC_DEFINE(PAM_SUN_CODEBASE, 1,
+ [Define if you are using Solaris-derived PAM which
+ passes pam_messages to the conversation function
+ with an extra level of indirection])
+ AC_DEFINE(DISABLE_UTMP, 1,
+ [Define if you don't want to use utmp])
AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins])
check_for_hpux_broken_getaddrinfo=1
check_for_conflicting_getspnam=1
# lastly, we define options specific to minor releases
case "$host" in
*-*-hpux10.26)
- AC_DEFINE(HAVE_SECUREWARE)
+ AC_DEFINE(HAVE_SECUREWARE, 1,
+ [Define if you have SecureWare-based
+ protected password database])
disable_ptmx_check=yes
LIBS="$LIBS -lsecpw"
;;
;;
*-*-irix5*)
PATH="$PATH:/usr/etc"
- AC_DEFINE(BROKEN_INET_NTOA)
+ AC_DEFINE(BROKEN_INET_NTOA, 1,
+ [Define if you system's inet_ntoa is busted
+ (e.g. Irix gcc issue)])
AC_DEFINE(SETEUID_BREAKS_SETUID)
AC_DEFINE(BROKEN_SETREUID)
AC_DEFINE(BROKEN_SETREGID)
- AC_DEFINE(WITH_ABBREV_NO_TTY)
+ AC_DEFINE(WITH_ABBREV_NO_TTY, 1,
+ [Define if you shouldn't strip 'tty' from your
+ ttyname in [uw]tmp])
AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
;;
*-*-irix6*)
PATH="$PATH:/usr/etc"
- AC_DEFINE(WITH_IRIX_ARRAY)
- AC_DEFINE(WITH_IRIX_PROJECT)
- AC_DEFINE(WITH_IRIX_AUDIT)
- AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS)])
+ AC_DEFINE(WITH_IRIX_ARRAY, 1,
+ [Define if you have/want arrays
+ (cluster-wide session managment, not C arrays)])
+ AC_DEFINE(WITH_IRIX_PROJECT, 1,
+ [Define if you want IRIX project management])
+ AC_DEFINE(WITH_IRIX_AUDIT, 1,
+ [Define if you want IRIX audit trails])
+ AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS, 1,
+ [Define if you want IRIX kernel jobs])])
AC_DEFINE(BROKEN_INET_NTOA)
AC_DEFINE(SETEUID_BREAKS_SETUID)
AC_DEFINE(BROKEN_SETREUID)
AC_DEFINE(BROKEN_SETREGID)
- AC_DEFINE(BROKEN_UPDWTMPX)
+ AC_DEFINE(BROKEN_UPDWTMPX, 1, [updwtmpx is broken (if present)])
AC_DEFINE(WITH_ABBREV_NO_TTY)
AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
;;
no_dev_ptmx=1
check_for_libcrypt_later=1
check_for_openpty_ctty_bug=1
- AC_DEFINE(DONT_TRY_OTHER_AF)
- AC_DEFINE(PAM_TTY_KLUDGE)
- AC_DEFINE(LOCKED_PASSWD_PREFIX, "!")
+ AC_DEFINE(DONT_TRY_OTHER_AF, 1, [Workaround more Linux IPv6 quirks])
+ AC_DEFINE(PAM_TTY_KLUDGE, 1,
+ [Work around problematic Linux PAM modules handling of PAM_TTY])
+ AC_DEFINE(LOCKED_PASSWD_PREFIX, "!",
+ [String used in /etc/passwd to denote locked account])
AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
- AC_DEFINE(LINK_OPNOTSUPP_ERRNO, EPERM)
+ AC_DEFINE(LINK_OPNOTSUPP_ERRNO, EPERM,
+ [Define to whatever link() returns for "not supported"
+ if it doesn't return EOPNOTSUPP.])
AC_DEFINE(_PATH_BTMP, "/var/log/btmp", [log for bad login attempts])
- AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins])
+ AC_DEFINE(USE_BTMP)
inet6_default_4in6=yes
case `uname -r` in
1.*|2.0.*)
- AC_DEFINE(BROKEN_CMSG_TYPE)
+ AC_DEFINE(BROKEN_CMSG_TYPE, 1,
+ [Define if cmsg_type is not passed correctly])
;;
esac
+ # tun(4) forwarding compat code
+ AC_CHECK_HEADERS(linux/if_tun.h)
+ if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
+ AC_DEFINE(SSH_TUN_LINUX, 1,
+ [Open tunnel devices the Linux tun/tap way])
+ AC_DEFINE(SSH_TUN_COMPAT_AF, 1,
+ [Use tunnel device compatibility to OpenBSD])
+ AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
+ [Prepend the address family to IP tunnel traffic])
+ fi
;;
mips-sony-bsd|mips-sony-newsos4)
- AC_DEFINE(NEED_SETPRGP, [], [Need setpgrp to acquire controlling tty])
+ AC_DEFINE(NEED_SETPRGP, 1, [Need setpgrp to acquire controlling tty])
SONY=1
;;
*-*-netbsd*)
if test "x$withval" != "xno" ; then
need_dash_r=1
fi
+ AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way])
+ AC_CHECK_HEADER([net/if_tap.h], ,
+ AC_DEFINE(SSH_TUN_NO_L2, 1, [No layer 2 tunnel support]))
+ AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
+ [Prepend the address family to IP tunnel traffic])
;;
*-*-freebsd*)
check_for_libcrypt_later=1
+ AC_DEFINE(LOCKED_PASSWD_PREFIX, "*LOCKED*", [Account locked with pw(1)])
+ AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way])
+ AC_CHECK_HEADER([net/if_tap.h], ,
+ AC_DEFINE(SSH_TUN_NO_L2, 1, [No layer 2 tunnel support]))
;;
*-*-bsdi*)
AC_DEFINE(SETEUID_BREAKS_SETUID)
conf_utmp_location=/etc/utmp
conf_wtmp_location=/usr/adm/wtmp
MAIL=/usr/spool/mail
- AC_DEFINE(HAVE_NEXT)
+ AC_DEFINE(HAVE_NEXT, 1, [Define if you are on NeXT])
AC_DEFINE(BROKEN_REALPATH)
AC_DEFINE(USE_PIPES)
- AC_DEFINE(BROKEN_SAVED_UIDS)
+ AC_DEFINE(BROKEN_SAVED_UIDS, 1, [Needed for NeXT])
;;
*-*-openbsd*)
AC_DEFINE(HAVE_ATTRIBUTE__SENTINEL__, 1, [OpenBSD's gcc has sentinel])
+ AC_DEFINE(HAVE_ATTRIBUTE__BOUNDED__, 1, [OpenBSD's gcc has bounded])
+ AC_DEFINE(SSH_TUN_OPENBSD, 1, [Open tunnel devices the OpenBSD way])
;;
*-*-solaris*)
if test "x$withval" != "xno" ; then
fi
AC_DEFINE(PAM_SUN_CODEBASE)
AC_DEFINE(LOGIN_NEEDS_UTMPX)
- AC_DEFINE(LOGIN_NEEDS_TERM)
+ AC_DEFINE(LOGIN_NEEDS_TERM, 1,
+ [Some versions of /bin/login need the TERM supplied
+ on the commandline])
AC_DEFINE(PAM_TTY_KLUDGE)
- AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID)
+ AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID, 1,
+ [Define if pam_chauthtok wants real uid set
+ to the unpriv'ed user])
AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
- AC_DEFINE(SSHD_ACQUIRES_CTTY)
+ AC_DEFINE(SSHD_ACQUIRES_CTTY, 1,
+ [Define if sshd somehow reacquires a controlling TTY
+ after setsid()])
external_path_file=/etc/default/login
# hardwire lastlog location (can't detect it on some versions)
conf_lastlog_location="/var/adm/lastlog"
if test "$sol2ver" -ge 8; then
AC_MSG_RESULT(yes)
AC_DEFINE(DISABLE_UTMP)
- AC_DEFINE(DISABLE_WTMP)
+ AC_DEFINE(DISABLE_WTMP, 1,
+ [Define if you don't want to use wtmp])
else
AC_MSG_RESULT(no)
fi
*-sni-sysv*)
# /usr/ucblib MUST NOT be searched on ReliantUNIX
AC_CHECK_LIB(dl, dlsym, ,)
- # -lresolv needs to be at then end of LIBS or DNS lookups break
- AC_CHECK_LIB(res_query, resolv, [ LIBS="$LIBS -lresolv" ])
+ # -lresolv needs to be at the end of LIBS or DNS lookups break
+ AC_CHECK_LIB(resolv, res_query, [ LIBS="$LIBS -lresolv" ])
IPADDR_IN_DISPLAY=yes
AC_DEFINE(USE_PIPES)
AC_DEFINE(IP_TOS_IS_BROKEN)
;;
# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
*-*-sysv4.2*)
+ CFLAGS="$CFLAGS -Dva_list=_VA_LIST"
AC_DEFINE(USE_PIPES)
AC_DEFINE(SETEUID_BREAKS_SETUID)
AC_DEFINE(BROKEN_SETREUID)
AC_DEFINE(BROKEN_SETREGID)
AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd])
+ AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
;;
# UnixWare 7.x, OpenUNIX 8
*-*-sysv5*)
AC_DEFINE(SETEUID_BREAKS_SETUID)
AC_DEFINE(BROKEN_SETREUID)
AC_DEFINE(BROKEN_SETREGID)
- AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd])
+ AC_DEFINE(PASSWD_NEEDS_USERNAME)
case "$host" in
*-*-sysv5SCO_SV*) # SCO OpenServer 6.x
TEST_SHELL=/u95/bin/sh
- AC_DEFINE(BROKEN_LIBIAF, 1, [ia_uinfo routines not supported by OS yet])
+ AC_DEFINE(BROKEN_LIBIAF, 1,
+ [ia_uinfo routines not supported by OS yet])
+ ;;
+ *) AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
;;
esac
;;
AC_DEFINE(BROKEN_SETREGID)
AC_DEFINE(WITH_ABBREV_NO_TTY)
AC_DEFINE(BROKEN_UPDWTMPX)
- AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd])
+ AC_DEFINE(PASSWD_NEEDS_USERNAME)
AC_CHECK_FUNCS(getluid setluid)
MANTYPE=man
TEST_SHELL=ksh
;;
*-*-unicosmk*)
- AC_DEFINE(NO_SSH_LASTLOG)
+ AC_DEFINE(NO_SSH_LASTLOG, 1,
+ [Define if you don't want to use lastlog in session.c])
AC_DEFINE(SETEUID_BREAKS_SETUID)
AC_DEFINE(BROKEN_SETREUID)
AC_DEFINE(BROKEN_SETREGID)
if test -z "$no_osfsia" ; then
if test -f /etc/sia/matrix.conf; then
AC_MSG_RESULT(yes)
- AC_DEFINE(HAVE_OSF_SIA)
- AC_DEFINE(DISABLE_LOGIN)
+ AC_DEFINE(HAVE_OSF_SIA, 1,
+ [Define if you have Digital Unix Security
+ Integration Architecture])
+ AC_DEFINE(DISABLE_LOGIN, 1,
+ [Define if you don't want to use your
+ system's login() call])
AC_DEFINE(DISABLE_FD_PASSING)
LIBS="$LIBS -lsecurity -ldb -lm -laud"
else
AC_MSG_RESULT(no)
- AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin")
+ AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin",
+ [String used in /etc/passwd to denote locked account])
fi
fi
AC_DEFINE(BROKEN_GETADDRINFO)
*-*-nto-qnx)
AC_DEFINE(USE_PIPES)
AC_DEFINE(NO_X11_UNIX_SOCKETS)
- AC_DEFINE(MISSING_NFDBITS)
- AC_DEFINE(MISSING_HOWMANY)
- AC_DEFINE(MISSING_FD_MASK)
+ AC_DEFINE(MISSING_NFDBITS, 1, [Define on *nto-qnx systems])
+ AC_DEFINE(MISSING_HOWMANY, 1, [Define on *nto-qnx systems])
+ AC_DEFINE(MISSING_FD_MASK, 1, [Define on *nto-qnx systems])
;;
*-*-ultrix*)
- AC_DEFINE(BROKEN_GETGROUPS, [], [getgroups(0,NULL) will return -1])
- AC_DEFINE(BROKEN_MMAP, [], [Ultrix mmap can't map files])
- AC_DEFINE(NEED_SETPRGP, [], [Need setpgrp to acquire controlling tty])
+ AC_DEFINE(BROKEN_GETGROUPS, 1, [getgroups(0,NULL) will return -1])
+ AC_DEFINE(BROKEN_MMAP, 1, [Ultrix mmap can't map files])
+ AC_DEFINE(NEED_SETPRGP)
AC_DEFINE(HAVE_SYS_SYSLOG_H, 1, [Force use of sys/syslog.h on Ultrix])
;;
*-*-lynxos)
CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
- AC_DEFINE(MISSING_HOWMANY)
+ AC_DEFINE(MISSING_HOWMANY)
AC_DEFINE(BROKEN_SETVBUF, 1, [LynxOS has broken setvbuf() implementation])
;;
esac
[
if test -n "$withval" && test "x$withval" != "xno"; then
werror_flags="-Werror"
- if "x${withval}" != "xyes"; then
+ if test "x${withval}" != "xyes"; then
werror_flags="$withval"
fi
fi
login_cap.h \
maillock.h \
ndir.h \
+ net/if.h \
netdb.h \
netgroup.h \
netinet/in_systm.h \
ac_cv_have_broken_dirname, [
save_LIBS="$LIBS"
LIBS="$LIBS -lgen"
- AC_TRY_RUN(
- [
+ AC_RUN_IFELSE(
+ [AC_LANG_SOURCE([[
#include <libgen.h>
#include <string.h>
exit(0);
}
}
- ],
+ ]])],
+ [ ac_cv_have_broken_dirname="no" ],
+ [ ac_cv_have_broken_dirname="yes" ],
[ ac_cv_have_broken_dirname="no" ],
- [ ac_cv_have_broken_dirname="yes" ]
)
LIBS="$save_LIBS"
])
AC_CHECK_FUNC(getspnam, ,
AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen"))
-AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME))
+AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME, 1,
+ [Define if you have the basename function.]))
dnl zlib is required
AC_ARG_WITH(zlib,
AC_CHECK_FUNC(strcasecmp,
[], [ AC_CHECK_LIB(resolv, strcasecmp, LIBS="$LIBS -lresolv") ]
)
-AC_CHECK_FUNC(utimes,
+AC_CHECK_FUNCS(utimes,
[], [ AC_CHECK_LIB(c89, utimes, [AC_DEFINE(HAVE_UTIMES)
LIBS="$LIBS -lc89"]) ]
)
dnl Checks for libutil functions
AC_CHECK_HEADERS(libutil.h)
-AC_SEARCH_LIBS(login, util bsd, [AC_DEFINE(HAVE_LOGIN)])
+AC_SEARCH_LIBS(login, util bsd, [AC_DEFINE(HAVE_LOGIN, 1,
+ [Define if your libraries define login()])])
AC_CHECK_FUNCS(logout updwtmp logwtmp)
AC_FUNC_STRFTIME
#endif
],
[
- AC_DEFINE(GLOB_HAS_ALTDIRFUNC)
+ AC_DEFINE(GLOB_HAS_ALTDIRFUNC, 1,
+ [Define if your system glob() function has
+ the GLOB_ALTDIRFUNC extension])
AC_MSG_RESULT(yes)
],
[
int main(void){glob_t g; g.gl_matchc = 1;}
],
[
- AC_DEFINE(GLOB_HAS_GL_MATCHC)
+ AC_DEFINE(GLOB_HAS_GL_MATCHC, 1,
+ [Define if your system glob() function has
+ gl_matchc options in glob_t])
AC_MSG_RESULT(yes)
],
[
[AC_MSG_RESULT(yes)],
[
AC_MSG_RESULT(no)
- AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME)
+ AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME, 1,
+ [Define if your struct dirent expects you to
+ allocate extra space for d_name])
],
[
AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
AC_MSG_CHECKING([for /proc/pid/fd directory])
if test -d "/proc/$$/fd" ; then
- AC_DEFINE(HAVE_PROC_PID)
+ AC_DEFINE(HAVE_PROC_PID, 1, [Define if you have /proc/$pid/fd])
AC_MSG_RESULT(yes)
else
AC_MSG_RESULT(no)
LDFLAGS="$LDFLAGS -L${withval}/lib"
fi
- AC_DEFINE(SKEY)
+ AC_DEFINE(SKEY, 1, [Define if you want S/Key support])
LIBS="-lskey $LIBS"
SKEY_MSG="yes"
AC_MSG_CHECKING([for s/key support])
- AC_TRY_RUN(
- [
+ AC_LINK_IFELSE(
+ [AC_LANG_SOURCE([[
#include <stdio.h>
#include <skey.h>
int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); }
- ],
+ ]])],
[AC_MSG_RESULT(yes)],
[
AC_MSG_RESULT(no)
#include <skey.h>],
[(void)skeychallenge(NULL,"name","",0);],
[AC_MSG_RESULT(yes)
- AC_DEFINE(SKEYCHALLENGE_4ARG)],
+ AC_DEFINE(SKEYCHALLENGE_4ARG, 1,
+ [Define if your skeychallenge()
+ function takes 4 arguments (NetBSD)])],
[AC_MSG_RESULT(no)]
)
fi
[hosts_access(0);],
[
AC_MSG_RESULT(yes)
- AC_DEFINE(LIBWRAP)
+ AC_DEFINE(LIBWRAP, 1,
+ [Define if you want
+ TCP Wrappers support])
AC_SUBST(LIBWRAP)
TCPW_MSG="yes"
],
[ --with-libedit[[=PATH]] Enable libedit support for sftp],
[ if test "x$withval" != "xno" ; then
if test "x$withval" != "xyes"; then
- CPPFLAGS="$CPPFLAGS -I$withval/include"
- LDFLAGS="$LDFLAGS -L$withval/lib"
+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
fi
AC_CHECK_LIB(edit, el_init,
- [ AC_DEFINE(USE_LIBEDIT, [], [Use libedit for sftp])
+ [ AC_DEFINE(USE_LIBEDIT, 1, [Use libedit for sftp])
LIBEDIT="-ledit -lcurses"
LIBEDIT_MSG="yes"
AC_SUBST(LIBEDIT)
[AC_MSG_ERROR(BSM enabled and required function not found)])
# These are optional
AC_CHECK_FUNCS(getaudit_addr)
- AC_DEFINE(USE_BSM_AUDIT, [], [Use BSM audit module])
+ AC_DEFINE(USE_BSM_AUDIT, 1, [Use BSM audit module])
;;
debug)
AUDIT_MODULE=debug
AC_MSG_RESULT(debug)
- AC_DEFINE(SSH_AUDIT_EVENTS, [], Use audit debugging module)
+ AC_DEFINE(SSH_AUDIT_EVENTS, 1, Use audit debugging module)
;;
no)
AC_MSG_RESULT(no)
dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS( \
arc4random \
+ asprintf \
b64_ntop \
__b64_ntop \
b64_pton \
truncate \
unsetenv \
updwtmpx \
- utimes \
+ vasprintf \
vhangup \
vsnprintf \
waitpid \
AC_DEFINE(HAVE_CONST_GAI_STRERROR_PROTO, 1,
[Define if gai_strerror() returns const char *])])])
-AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP))
+AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP, 1,
+ [Some systems put nanosleep outside of libc]))
dnl Make sure prototypes are defined for these before using them.
AC_CHECK_DECL(getrusage, [AC_CHECK_FUNCS(getrusage)])
int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
]])],
[AC_MSG_RESULT(yes)],
- [AC_DEFINE(BROKEN_SETRESUID)
+ [AC_DEFINE(BROKEN_SETRESUID, 1,
+ [Define if your setresuid() is broken])
AC_MSG_RESULT(not implemented)],
[AC_MSG_WARN([cross compiling: not checking setresuid])]
)
int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
]])],
[AC_MSG_RESULT(yes)],
- [AC_DEFINE(BROKEN_SETRESGID)
+ [AC_DEFINE(BROKEN_SETRESGID, 1,
+ [Define if your setresgid() is broken])
AC_MSG_RESULT(not implemented)],
[AC_MSG_WARN([cross compiling: not checking setresuid])]
)
AC_CHECK_FUNCS(setutxent utmpxname)
AC_CHECK_FUNC(daemon,
- [AC_DEFINE(HAVE_DAEMON)],
- [AC_CHECK_LIB(bsd, daemon, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)])]
+ [AC_DEFINE(HAVE_DAEMON, 1, [Define if your libraries define daemon()])],
+ [AC_CHECK_LIB(bsd, daemon,
+ [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)])]
)
AC_CHECK_FUNC(getpagesize,
- [AC_DEFINE(HAVE_GETPAGESIZE)],
- [AC_CHECK_LIB(ucb, getpagesize, [LIBS="$LIBS -lucb"; AC_DEFINE(HAVE_GETPAGESIZE)])]
+ [AC_DEFINE(HAVE_GETPAGESIZE, 1,
+ [Define if your libraries define getpagesize()])],
+ [AC_CHECK_LIB(ucb, getpagesize,
+ [LIBS="$LIBS -lucb"; AC_DEFINE(HAVE_GETPAGESIZE)])]
)
# Check for broken snprintf
[AC_MSG_RESULT(yes)],
[
AC_MSG_RESULT(no)
- AC_DEFINE(BROKEN_SNPRINTF)
+ AC_DEFINE(BROKEN_SNPRINTF, 1,
+ [Define if your snprintf is busted])
AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
],
[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
)
fi
+# If we don't have a working asprintf, then we strongly depend on vsnprintf
+# returning the right thing on overflow: the number of characters it tried to
+# create (as per SUSv3)
+if test "x$ac_cv_func_asprintf" != "xyes" && \
+ test "x$ac_cv_func_vsnprintf" = "xyes" ; then
+ AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
+ AC_RUN_IFELSE(
+ [AC_LANG_SOURCE([[
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdarg.h>
+
+int x_snprintf(char *str,size_t count,const char *fmt,...)
+{
+ size_t ret; va_list ap;
+ va_start(ap, fmt); ret = vsnprintf(str, count, fmt, ap); va_end(ap);
+ return ret;
+}
+int main(void)
+{
+ char x[1];
+ exit(x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1);
+} ]])],
+ [AC_MSG_RESULT(yes)],
+ [
+ AC_MSG_RESULT(no)
+ AC_DEFINE(BROKEN_SNPRINTF, 1,
+ [Define if your snprintf is busted])
+ AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
+ ],
+ [ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
+ )
+fi
+
+# On systems where [v]snprintf is broken, but is declared in stdio,
+# check that the fmt argument is const char * or just char *.
+# This is only useful for when BROKEN_SNPRINTF
+AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
+AC_COMPILE_IFELSE([AC_LANG_SOURCE([[#include <stdio.h>
+ int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
+ int main(void) { snprintf(0, 0, 0); }
+ ]])],
+ [AC_MSG_RESULT(yes)
+ AC_DEFINE(SNPRINTF_CONST, [const],
+ [Define as const if snprintf() can declare const char *fmt])],
+ [AC_MSG_RESULT(no)
+ AC_DEFINE(SNPRINTF_CONST, [/* not const */])])
+
# Check for missing getpeereid (or equiv) support
NO_PEERCHECK=""
if test "x$ac_cv_func_getpeereid" != "xyes" ; then
#include <sys/socket.h>],
[int i = SO_PEERCRED;],
[ AC_MSG_RESULT(yes)
- AC_DEFINE(HAVE_SO_PEERCRED, [], [Have PEERCRED socket option])
+ AC_DEFINE(HAVE_SO_PEERCRED, 1, [Have PEERCRED socket option])
],
[AC_MSG_RESULT(no)
NO_PEERCHECK=1]
dnl see whether mkstemp() requires XXXXXX
if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
AC_MSG_CHECKING([for (overly) strict mkstemp])
-AC_TRY_RUN(
- [
+AC_RUN_IFELSE(
+ [AC_LANG_SOURCE([[
#include <stdlib.h>
main() { char template[]="conftest.mkstemp-test";
if (mkstemp(template) == -1)
exit(1);
unlink(template); exit(0);
}
- ],
+ ]])],
[
AC_MSG_RESULT(no)
],
[
AC_MSG_RESULT(yes)
- AC_DEFINE(HAVE_STRICT_MKSTEMP)
+ AC_DEFINE(HAVE_STRICT_MKSTEMP, 1, [Silly mkstemp()])
],
[
AC_MSG_RESULT(yes)
dnl make sure that openpty does not reacquire controlling terminal
if test ! -z "$check_for_openpty_ctty_bug"; then
AC_MSG_CHECKING(if openpty correctly handles controlling tty)
- AC_TRY_RUN(
- [
+ AC_RUN_IFELSE(
+ [AC_LANG_SOURCE([[
#include <stdio.h>
#include <sys/fcntl.h>
#include <sys/types.h>
exit(0); /* Did not acquire ctty: OK */
}
}
- ],
+ ]])],
[
AC_MSG_RESULT(yes)
],
[
AC_MSG_RESULT(no)
AC_DEFINE(SSHD_ACQUIRES_CTTY)
+ ],
+ [
+ AC_MSG_RESULT(cross-compiling, assuming yes)
]
)
fi
if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
AC_MSG_CHECKING(if getaddrinfo seems to work)
- AC_TRY_RUN(
- [
+ AC_RUN_IFELSE(
+ [AC_LANG_SOURCE([[
#include <stdio.h>
#include <sys/socket.h>
#include <netdb.h>
}
exit(0);
}
- ],
+ ]])],
[
AC_MSG_RESULT(yes)
],
[
AC_MSG_RESULT(no)
AC_DEFINE(BROKEN_GETADDRINFO)
+ ],
+ [
+ AC_MSG_RESULT(cross-compiling, assuming yes)
]
)
fi
if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
AC_MSG_CHECKING(if getaddrinfo seems to work)
- AC_TRY_RUN(
- [
+ AC_RUN_IFELSE(
+ [AC_LANG_SOURCE([[
#include <stdio.h>
#include <sys/socket.h>
#include <netdb.h>
}
exit(0);
}
- ],
+ ]])],
[
AC_MSG_RESULT(yes)
- AC_DEFINE(AIX_GETNAMEINFO_HACK, [],
-[Define if you have a getaddrinfo that fails for the all-zeros IPv6 address])
+ AC_DEFINE(AIX_GETNAMEINFO_HACK, 1,
+ [Define if you have a getaddrinfo that fails
+ for the all-zeros IPv6 address])
],
[
AC_MSG_RESULT(no)
AC_DEFINE(BROKEN_GETADDRINFO)
+ ],
+ AC_MSG_RESULT(cross-compiling, assuming no)
]
)
fi
PAM_MSG="yes"
- AC_DEFINE(USE_PAM)
+ AC_DEFINE(USE_PAM, 1,
+ [Define if you want to enable PAM support])
if test $ac_cv_lib_dl_dlopen = yes; then
LIBPAM="-lpam -ldl"
else
[(void)pam_strerror((pam_handle_t *)NULL, -1);],
[AC_MSG_RESULT(no)],
[
- AC_DEFINE(HAVE_OLD_PAM)
+ AC_DEFINE(HAVE_OLD_PAM, 1,
+ [Define if you have an old version of PAM
+ which takes only one argument to pam_strerror])
AC_MSG_RESULT(yes)
PAM_MSG="yes (old library)"
]
]
)
LIBS="-lcrypto $LIBS"
-AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL),
+AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL, 1,
+ [Define if your ssl headers are included
+ with #include <openssl/header.h>]),
[
dnl Check default openssl install dir
if test -n "${need_dash_r}"; then
]
)
+# Check for OpenSSL without EVP_aes_{192,256}_cbc
+AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
+AC_COMPILE_IFELSE(
+ [AC_LANG_SOURCE([[
+#include <string.h>
+#include <openssl/evp.h>
+int main(void) { exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL)}
+ ]])],
+ [
+ AC_MSG_RESULT(no)
+ ],
+ [
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(OPENSSL_LOBOTOMISED_AES, 1,
+ [libcrypto is missing AES 192 and 256 bit functions])
+ ]
+)
+
# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
# because the system crypt() is more featureful.
if test "x$check_for_libcrypt_before" = "x1"; then
# Which randomness source do we use?
if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then
# OpenSSL only
- AC_DEFINE(OPENSSL_PRNG_ONLY)
+ AC_DEFINE(OPENSSL_PRNG_ONLY, 1,
+ [Define if you want OpenSSL's internally seeded PRNG only])
RAND_MSG="OpenSSL internal ONLY"
INSTALL_SSH_RAND_HELPER=""
elif test ! -z "$USE_RAND_HELPER" ; then
esac
if test ! -z "$withval" ; then
PRNGD_PORT="$withval"
- AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT)
+ AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT,
+ [Port number of PRNGD/EGD random number socket])
fi
]
)
AC_MSG_WARN(Entropy socket is not readable)
fi
PRNGD_SOCKET="$withval"
- AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET")
+ AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET",
+ [Location of PRNGD/EGD random number socket])
fi
],
[
fi
]
)
-AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout)
+AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout,
+ [Builtin PRNG command timeout])
SSH_PRIVSEP_USER=sshd
AC_ARG_WITH(privsep-user,
fi
]
)
-AC_DEFINE_UNQUOTED(SSH_PRIVSEP_USER, "$SSH_PRIVSEP_USER")
+AC_DEFINE_UNQUOTED(SSH_PRIVSEP_USER, "$SSH_PRIVSEP_USER",
+ [non-privileged user for privilege separation])
AC_SUBST(SSH_PRIVSEP_USER)
# We do this little dance with the search path to insure
LIBS="$LIBS -liberty";
fi
-# Checks for data types
+# Check for long long datatypes
+AC_CHECK_TYPES([long long, unsigned long long, long double])
+
+# Check datatype sizes
AC_CHECK_SIZEOF(char, 1)
AC_CHECK_SIZEOF(short int, 2)
AC_CHECK_SIZEOF(int, 4)
ac_cv_sizeof_long_long_int=0
fi
+# compute LLONG_MIN and LLONG_MAX if we don't know them.
+if test -z "$have_llong_max"; then
+ AC_MSG_CHECKING([for max value of long long])
+ AC_RUN_IFELSE(
+ [AC_LANG_SOURCE([[
+#include <stdio.h>
+/* Why is this so damn hard? */
+#ifdef __GNUC__
+# undef __GNUC__
+#endif
+#define __USE_ISOC99
+#include <limits.h>
+#define DATA "conftest.llminmax"
+int main(void) {
+ FILE *f;
+ long long i, llmin, llmax = 0;
+
+ if((f = fopen(DATA,"w")) == NULL)
+ exit(1);
+
+#if defined(LLONG_MIN) && defined(LLONG_MAX)
+ fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
+ llmin = LLONG_MIN;
+ llmax = LLONG_MAX;
+#else
+ fprintf(stderr, "Calculating LLONG_MIN and LLONG_MAX\n");
+ /* This will work on one's complement and two's complement */
+ for (i = 1; i > llmax; i <<= 1, i++)
+ llmax = i;
+ llmin = llmax + 1LL; /* wrap */
+#endif
+
+ /* Sanity check */
+ if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
+ || llmax - 1 > llmax) {
+ fprintf(f, "unknown unknown\n");
+ exit(2);
+ }
+
+ if (fprintf(f ,"%lld %lld", llmin, llmax) < 0)
+ exit(3);
+
+ exit(0);
+}
+ ]])],
+ [
+ llong_min=`$AWK '{print $1}' conftest.llminmax`
+ llong_max=`$AWK '{print $2}' conftest.llminmax`
+
+ # snprintf on some Tru64s doesn't understand "%lld"
+ case "$host" in
+ alpha-dec-osf*)
+ if test "x$ac_cv_sizeof_long_long_int" = "x8" &&
+ test "x$llong_max" = "xld"; then
+ llong_min="-9223372036854775808"
+ llong_max="9223372036854775807"
+ fi
+ ;;
+ esac
+
+ AC_MSG_RESULT($llong_max)
+ AC_DEFINE_UNQUOTED(LLONG_MAX, [${llong_max}LL],
+ [max value of long long calculated by configure])
+ AC_MSG_CHECKING([for min value of long long])
+ AC_MSG_RESULT($llong_min)
+ AC_DEFINE_UNQUOTED(LLONG_MIN, [${llong_min}LL],
+ [min value of long long calculated by configure])
+ ],
+ [
+ AC_MSG_RESULT(not found)
+ ],
+ [
+ AC_MSG_WARN([cross compiling: not checking])
+ ]
+ )
+fi
+
+
# More checks for data types
AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
AC_TRY_COMPILE(
)
])
if test "x$ac_cv_have_u_int" = "xyes" ; then
- AC_DEFINE(HAVE_U_INT)
+ AC_DEFINE(HAVE_U_INT, 1, [define if you have u_int data type])
have_u_int=1
fi
)
])
if test "x$ac_cv_have_intxx_t" = "xyes" ; then
- AC_DEFINE(HAVE_INTXX_T)
+ AC_DEFINE(HAVE_INTXX_T, 1, [define if you have intxx_t data type])
have_intxx_t=1
fi
)
])
if test "x$ac_cv_have_int64_t" = "xyes" ; then
- AC_DEFINE(HAVE_INT64_T)
+ AC_DEFINE(HAVE_INT64_T, 1, [define if you have int64_t data type])
fi
AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
)
])
if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
- AC_DEFINE(HAVE_U_INTXX_T)
+ AC_DEFINE(HAVE_U_INTXX_T, 1, [define if you have u_intxx_t data type])
have_u_intxx_t=1
fi
)
])
if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
- AC_DEFINE(HAVE_U_INT64_T)
+ AC_DEFINE(HAVE_U_INT64_T, 1, [define if you have u_int64_t data type])
have_u_int64_t=1
fi
)
])
if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
- AC_DEFINE(HAVE_UINTXX_T)
+ AC_DEFINE(HAVE_UINTXX_T, 1,
+ [define if you have uintxx_t data type])
fi
fi
)
])
if test "x$ac_cv_have_u_char" = "xyes" ; then
- AC_DEFINE(HAVE_U_CHAR)
+ AC_DEFINE(HAVE_U_CHAR, 1, [define if you have u_char data type])
fi
TYPE_SOCKLEN_T
)
])
if test "x$ac_cv_have_size_t" = "xyes" ; then
- AC_DEFINE(HAVE_SIZE_T)
+ AC_DEFINE(HAVE_SIZE_T, 1, [define if you have size_t data type])
fi
AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
)
])
if test "x$ac_cv_have_ssize_t" = "xyes" ; then
- AC_DEFINE(HAVE_SSIZE_T)
+ AC_DEFINE(HAVE_SSIZE_T, 1, [define if you have ssize_t data type])
fi
AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
)
])
if test "x$ac_cv_have_clock_t" = "xyes" ; then
- AC_DEFINE(HAVE_CLOCK_T)
+ AC_DEFINE(HAVE_CLOCK_T, 1, [define if you have clock_t data type])
fi
AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
)
])
if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
- AC_DEFINE(HAVE_SA_FAMILY_T)
+ AC_DEFINE(HAVE_SA_FAMILY_T, 1,
+ [define if you have sa_family_t data type])
fi
AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
)
])
if test "x$ac_cv_have_pid_t" = "xyes" ; then
- AC_DEFINE(HAVE_PID_T)
+ AC_DEFINE(HAVE_PID_T, 1, [define if you have pid_t data type])
fi
AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
)
])
if test "x$ac_cv_have_mode_t" = "xyes" ; then
- AC_DEFINE(HAVE_MODE_T)
+ AC_DEFINE(HAVE_MODE_T, 1, [define if you have mode_t data type])
fi
)
])
if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
- AC_DEFINE(HAVE_STRUCT_SOCKADDR_STORAGE)
+ AC_DEFINE(HAVE_STRUCT_SOCKADDR_STORAGE, 1,
+ [define if you have struct sockaddr_storage data type])
fi
AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
)
])
if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
- AC_DEFINE(HAVE_STRUCT_SOCKADDR_IN6)
+ AC_DEFINE(HAVE_STRUCT_SOCKADDR_IN6, 1,
+ [define if you have struct sockaddr_in6 data type])
fi
AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
)
])
if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
- AC_DEFINE(HAVE_STRUCT_IN6_ADDR)
+ AC_DEFINE(HAVE_STRUCT_IN6_ADDR, 1,
+ [define if you have struct in6_addr data type])
fi
AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
)
])
if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
- AC_DEFINE(HAVE_STRUCT_ADDRINFO)
+ AC_DEFINE(HAVE_STRUCT_ADDRINFO, 1,
+ [define if you have struct addrinfo data type])
fi
AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
)
])
if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
- AC_DEFINE(HAVE_STRUCT_TIMEVAL)
+ AC_DEFINE(HAVE_STRUCT_TIMEVAL, 1, [define if you have struct timeval])
have_struct_timeval=1
fi
OSSH_CHECK_HEADER_FOR_FIELD(ut_tv, utmpx.h, HAVE_TV_IN_UTMPX)
AC_CHECK_MEMBERS([struct stat.st_blksize])
+AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE(__res_state, state,
+ [Define if we don't have struct __res_state in resolv.h])],
+[
+#include <stdio.h>
+#if HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+])
AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
ac_cv_have_ss_family_in_struct_ss, [
)
])
if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
- AC_DEFINE(HAVE_SS_FAMILY_IN_SS)
+ AC_DEFINE(HAVE_SS_FAMILY_IN_SS, 1, [Fields in struct sockaddr_storage])
fi
AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
)
])
if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
- AC_DEFINE(HAVE___SS_FAMILY_IN_SS)
+ AC_DEFINE(HAVE___SS_FAMILY_IN_SS, 1,
+ [Fields in struct sockaddr_storage])
fi
AC_CACHE_CHECK([for pw_class field in struct passwd],
)
])
if test "x$ac_cv_have_pw_class_in_struct_passwd" = "xyes" ; then
- AC_DEFINE(HAVE_PW_CLASS_IN_PASSWD)
+ AC_DEFINE(HAVE_PW_CLASS_IN_PASSWD, 1,
+ [Define if your password has a pw_class field])
fi
AC_CACHE_CHECK([for pw_expire field in struct passwd],
)
])
if test "x$ac_cv_have_pw_expire_in_struct_passwd" = "xyes" ; then
- AC_DEFINE(HAVE_PW_EXPIRE_IN_PASSWD)
+ AC_DEFINE(HAVE_PW_EXPIRE_IN_PASSWD, 1,
+ [Define if your password has a pw_expire field])
fi
AC_CACHE_CHECK([for pw_change field in struct passwd],
)
])
if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then
- AC_DEFINE(HAVE_PW_CHANGE_IN_PASSWD)
+ AC_DEFINE(HAVE_PW_CHANGE_IN_PASSWD, 1,
+ [Define if your password has a pw_change field])
fi
dnl make sure we're using the real structure members and not defines
)
])
if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
- AC_DEFINE(HAVE_ACCRIGHTS_IN_MSGHDR)
+ AC_DEFINE(HAVE_ACCRIGHTS_IN_MSGHDR, 1,
+ [Define if your system uses access rights style
+ file descriptor passing])
fi
AC_CACHE_CHECK([for msg_control field in struct msghdr],
)
])
if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
- AC_DEFINE(HAVE_CONTROL_IN_MSGHDR)
+ AC_DEFINE(HAVE_CONTROL_IN_MSGHDR, 1,
+ [Define if your system uses ancillary data style
+ file descriptor passing])
fi
AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
)
])
if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
- AC_DEFINE(HAVE___PROGNAME)
+ AC_DEFINE(HAVE___PROGNAME, 1, [Define if libc defines __progname])
fi
AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
)
])
if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
- AC_DEFINE(HAVE___FUNCTION__)
+ AC_DEFINE(HAVE___FUNCTION__, 1,
+ [Define if compiler implements __FUNCTION__])
fi
AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
)
])
if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
- AC_DEFINE(HAVE___func__)
+ AC_DEFINE(HAVE___func__, 1, [Define if compiler implements __func__])
+fi
+
+AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
+ AC_TRY_LINK(
+ [#include <stdarg.h>
+ va_list x,y;],
+ [va_copy(x,y);],
+ [ ac_cv_have_va_copy="yes" ],
+ [ ac_cv_have_va_copy="no" ]
+ )
+])
+if test "x$ac_cv_have_va_copy" = "xyes" ; then
+ AC_DEFINE(HAVE_VA_COPY, 1, [Define if va_copy exists])
+fi
+
+AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
+ AC_TRY_LINK(
+ [#include <stdarg.h>
+ va_list x,y;],
+ [__va_copy(x,y);],
+ [ ac_cv_have___va_copy="yes" ],
+ [ ac_cv_have___va_copy="no" ]
+ )
+])
+if test "x$ac_cv_have___va_copy" = "xyes" ; then
+ AC_DEFINE(HAVE___VA_COPY, 1, [Define if __va_copy exists])
fi
AC_CACHE_CHECK([whether getopt has optreset support],
)
])
if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
- AC_DEFINE(HAVE_GETOPT_OPTRESET)
+ AC_DEFINE(HAVE_GETOPT_OPTRESET, 1,
+ [Define if your getopt(3) defines and uses optreset])
fi
AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
)
])
if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
- AC_DEFINE(HAVE_SYS_ERRLIST)
+ AC_DEFINE(HAVE_SYS_ERRLIST, 1,
+ [Define if your system defines sys_errlist[]])
fi
)
])
if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
- AC_DEFINE(HAVE_SYS_NERR)
+ AC_DEFINE(HAVE_SYS_NERR, 1, [Define if your system defines sys_nerr])
fi
SCARD_MSG="no"
if test "$ac_cv_lib_sectok_sectok_open" != yes; then
AC_MSG_ERROR(Can't find libsectok)
fi
- AC_DEFINE(SMARTCARD)
- AC_DEFINE(USE_SECTOK)
+ AC_DEFINE(SMARTCARD, 1,
+ [Define if you want smartcard support])
+ AC_DEFINE(USE_SECTOK, 1,
+ [Define if you want smartcard support
+ using sectok])
SCARD_MSG="yes, using sectok"
fi
]
# Check whether user wants OpenSC support
OPENSC_CONFIG="no"
AC_ARG_WITH(opensc,
- [--with-opensc[[=PFX]] Enable smartcard support using OpenSC (optionally in PATH)],
+ [ --with-opensc[[=PFX]] Enable smartcard support using OpenSC (optionally in PATH)],
[
if test "x$withval" != "xno" ; then
if test "x$withval" != "xyes" ; then
CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS"
AC_DEFINE(SMARTCARD)
- AC_DEFINE(USE_OPENSC)
+ AC_DEFINE(USE_OPENSC, 1,
+ [Define if you want smartcard support
+ using OpenSC])
SCARD_MSG="yes, using OpenSC"
fi
fi
# Check libraries needed by DNS fingerprint support
AC_SEARCH_LIBS(getrrsetbyname, resolv,
- [AC_DEFINE(HAVE_GETRRSETBYNAME)],
+ [AC_DEFINE(HAVE_GETRRSETBYNAME, 1,
+ [Define if getrrsetbyname() exists])],
[
# Needed by our getrrsetbyname()
AC_SEARCH_LIBS(res_query, resolv)
[#include <sys/types.h>
#include <arpa/nameser.h>])
AC_CHECK_MEMBER(HEADER.ad,
- [AC_DEFINE(HAVE_HEADER_AD)],,
+ [AC_DEFINE(HAVE_HEADER_AD, 1,
+ [Define if HEADER.ad exists in arpa/nameser.h])],,
[#include <arpa/nameser.h>])
])
KRB5ROOT=${withval}
fi
- AC_DEFINE(KRB5)
+ AC_DEFINE(KRB5, 1, [Define if you want Kerberos 5 support])
KRB5_MSG="yes"
AC_MSG_CHECKING(for krb5-config)
AC_MSG_CHECKING(for gssapi support)
if $KRB5CONF | grep gssapi >/dev/null ; then
AC_MSG_RESULT(yes)
- AC_DEFINE(GSSAPI)
+ AC_DEFINE(GSSAPI, 1,
+ [Define this if you want GSSAPI
+ support in the version 2 protocol])
k5confopts=gssapi
else
AC_MSG_RESULT(no)
AC_TRY_COMPILE([ #include <krb5.h> ],
[ char *tmp = heimdal_version; ],
[ AC_MSG_RESULT(yes)
- AC_DEFINE(HEIMDAL) ],
+ AC_DEFINE(HEIMDAL, 1,
+ [Define this if you are using the
+ Heimdal version of Kerberos V5]) ],
AC_MSG_RESULT(no)
)
else
if test ! -z "$blibpath" ; then
blibpath="$blibpath:${KRB5ROOT}/lib"
fi
- fi
- AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h)
- AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h)
- AC_CHECK_HEADERS(gssapi_generic.h gssapi/gssapi_generic.h)
+ AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h)
+ AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h)
+ AC_CHECK_HEADERS(gssapi_generic.h gssapi/gssapi_generic.h)
- LIBS="$LIBS $K5LIBS"
- AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS))
+ LIBS="$LIBS $K5LIBS"
+ AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS, 1,
+ [Define this if you want to use libkafs' AFS support]))
+ fi
]
)
XAUTH_PATH="undefined"
AC_SUBST(XAUTH_PATH)
else
- AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path")
+ AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path",
+ [Define if xauth is found in your path])
XAUTH_PATH=$xauth_path
AC_SUBST(XAUTH_PATH)
fi
# Check for mail directory (last resort if we cannot get it from headers)
if test ! -z "$MAIL" ; then
maildir=`dirname $MAIL`
- AC_DEFINE_UNQUOTED(MAIL_DIRECTORY, "$maildir")
+ AC_DEFINE_UNQUOTED(MAIL_DIRECTORY, "$maildir",
+ [Set this to your mail directory if you don't have maillock.h])
fi
if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
if test "x$disable_ptmx_check" != "xyes" ; then
AC_CHECK_FILE("/dev/ptmx",
[
- AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX)
+ AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX, 1,
+ [Define if you have /dev/ptmx])
have_dev_ptmx=1
]
)
if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
AC_CHECK_FILE("/dev/ptc",
[
- AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC)
+ AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC, 1,
+ [Define if you have /dev/ptc])
have_dev_ptc=1
]
)
[ --with-md5-passwords Enable use of MD5 passwords],
[
if test "x$withval" != "xno" ; then
- AC_DEFINE(HAVE_MD5_PASSWORDS)
+ AC_DEFINE(HAVE_MD5_PASSWORDS, 1,
+ [Define if you want to allow MD5 passwords])
MD5_MSG="yes"
fi
]
if test "x$sp_expire_available" = "xyes" ; then
AC_MSG_RESULT(yes)
- AC_DEFINE(HAS_SHADOW_EXPIRE)
+ AC_DEFINE(HAS_SHADOW_EXPIRE, 1,
+ [Define if you want to use shadow password expire field])
else
AC_MSG_RESULT(no)
fi
# Use ip address instead of hostname in $DISPLAY
if test ! -z "$IPADDR_IN_DISPLAY" ; then
DISPLAY_HACK_MSG="yes"
- AC_DEFINE(IPADDR_IN_DISPLAY)
+ AC_DEFINE(IPADDR_IN_DISPLAY, 1,
+ [Define if you need to use IP address
+ instead of hostname in $DISPLAY])
else
DISPLAY_HACK_MSG="no"
AC_ARG_WITH(ipaddr-display,
else
etc_default_login=yes
fi ],
- [ etc_default_login=yes ]
+ [ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
+ then
+ AC_MSG_WARN([cross compiling: not checking /etc/default/login])
+ etc_default_login=no
+ else
+ etc_default_login=yes
+ fi ]
)
if test "x$etc_default_login" != "xno"; then
AC_CHECK_FILE("/etc/default/login",
[ external_path_file=/etc/default/login ])
- if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
- then
- AC_MSG_WARN([cross compiling: Disabling /etc/default/login test])
- elif test "x$external_path_file" = "x/etc/default/login"; then
- AC_DEFINE(HAVE_ETC_DEFAULT_LOGIN)
+ if test "x$external_path_file" = "x/etc/default/login"; then
+ AC_DEFINE(HAVE_ETC_DEFAULT_LOGIN, 1,
+ [Define if your system has /etc/default/login])
fi
fi
If PATH is defined in $external_path_file, ensure the path to scp is included,
otherwise scp will not work.])
fi
- AC_TRY_RUN(
- [
+ AC_RUN_IFELSE(
+ [AC_LANG_SOURCE([[
/* find out what STDPATH is */
#include <stdio.h>
#ifdef HAVE_PATHS_H
exit(0);
}
- ], [ user_path=`cat conftest.stdpath` ],
+ ]])],
+ [ user_path=`cat conftest.stdpath` ],
[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
)
fi ]
)
if test "x$external_path_file" != "x/etc/login.conf" ; then
- AC_DEFINE_UNQUOTED(USER_PATH, "$user_path")
+ AC_DEFINE_UNQUOTED(USER_PATH, "$user_path", [Specify default $PATH])
AC_SUBST(user_path)
fi
[
if test -n "$withval" && test "x$withval" != "xno" && \
test "x${withval}" != "xyes"; then
- AC_DEFINE_UNQUOTED(SUPERUSER_PATH, "$withval")
+ AC_DEFINE_UNQUOTED(SUPERUSER_PATH, "$withval",
+ [Define if you want a different $PATH
+ for the superuser])
superuser_path=$withval
fi
]
[
if test "x$withval" != "xno" ; then
AC_MSG_RESULT(yes)
- AC_DEFINE(IPV4_IN_IPV6)
+ AC_DEFINE(IPV4_IN_IPV6, 1,
+ [Detect IPv4 in IPv6 mapped addresses
+ and treat as IPv4])
IPV4_IN6_HACK_MSG="yes"
else
AC_MSG_RESULT(no)
[ --with-bsd-auth Enable BSD auth support],
[
if test "x$withval" != "xno" ; then
- AC_DEFINE(BSD_AUTH)
+ AC_DEFINE(BSD_AUTH, 1,
+ [Define if you have BSD auth support])
BSD_AUTH_MSG=yes
fi
]
]
)
-AC_DEFINE_UNQUOTED(_PATH_SSH_PIDDIR, "$piddir")
+AC_DEFINE_UNQUOTED(_PATH_SSH_PIDDIR, "$piddir", [Specify location of ssh.pid])
AC_SUBST(piddir)
dnl allow user to disable some login recording features
[ --disable-utmpx disable use of utmpx even if detected [no]],
[
if test "x$enableval" = "xno" ; then
- AC_DEFINE(DISABLE_UTMPX)
+ AC_DEFINE(DISABLE_UTMPX, 1,
+ [Define if you don't want to use utmpx])
fi
]
)
[ --disable-wtmpx disable use of wtmpx even if detected [no]],
[
if test "x$enableval" = "xno" ; then
- AC_DEFINE(DISABLE_WTMPX)
+ AC_DEFINE(DISABLE_WTMPX, 1,
+ [Define if you don't want to use wtmpx])
fi
]
)
[ --disable-pututline disable use of pututline() etc. ([uw]tmp) [no]],
[
if test "x$enableval" = "xno" ; then
- AC_DEFINE(DISABLE_PUTUTLINE)
+ AC_DEFINE(DISABLE_PUTUTLINE, 1,
+ [Define if you don't want to use pututline()
+ etc. to write [uw]tmp])
fi
]
)
[ --disable-pututxline disable use of pututxline() etc. ([uw]tmpx) [no]],
[
if test "x$enableval" = "xno" ; then
- AC_DEFINE(DISABLE_PUTUTXLINE)
+ AC_DEFINE(DISABLE_PUTUTXLINE, 1,
+ [Define if you don't want to use pututxline()
+ etc. to write [uw]tmpx])
fi
]
)
fi
if test -n "$conf_lastlog_location"; then
- AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, "$conf_lastlog_location")
+ AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, "$conf_lastlog_location",
+ [Define if you want to specify the path to your lastlog file])
fi
dnl utmp detection
fi
fi
if test -n "$conf_utmp_location"; then
- AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location")
+ AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location",
+ [Define if you want to specify the path to your utmp file])
fi
dnl wtmp detection
fi
fi
if test -n "$conf_wtmp_location"; then
- AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location")
+ AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location",
+ [Define if you want to specify the path to your wtmp file])
fi
AC_DEFINE(DISABLE_UTMPX)
fi
else
- AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location")
+ AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location",
+ [Define if you want to specify the path to your utmpx file])
fi
dnl wtmpx detection
AC_DEFINE(DISABLE_WTMPX)
fi
else
- AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location")
+ AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location",
+ [Define if you want to specify the path to your wtmpx file])
fi
#old cvs stuff. please update before use. may be deprecated.
%define use_stable 1
%if %{use_stable}
- %define version 4.2p1
+ %define version 4.3p1
%define cvs %{nil}
%define release 1
%else
[ -z "${_cygwin}" ] && _cygwin="ntsec"
if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
then
- if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}"
+ if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" -y tcpip
then
echo
echo "The service has been installed under sshd_server account."
echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
fi
else
- if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
+ if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" -y tcpip
then
echo
echo "The service has been installed under LocalSystem account."
if [ ! -f "${pwdhome}/.ssh/id_rsa" ]
then
- if request "Shall I create an SSH2 RSA identity file for you? (yes/no) "
+ if request "Shall I create an SSH2 RSA identity file for you?"
then
echo "Generating ${pwdhome}/.ssh/id_rsa"
if [ "${with_passphrase}" = "yes" ]
if [ ! -f "${pwdhome}/.ssh/id_dsa" ]
then
- if request "Shall I create an SSH2 DSA identity file for you? (yes/no) "
+ if request "Shall I create an SSH2 DSA identity file for you?"
then
echo "Generating ${pwdhome}/.ssh/id_dsa"
if [ "${with_passphrase}" = "yes" ]
-%define ver 4.2p1
+%define ver 4.3p1
%define rel 1
# OpenSSH privilege separation requires a user & group ID
-Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
-Name: openssh
-Version: 4.2p1
-URL: http://www.openssh.com/
-Release: 1
-Source0: openssh-%{version}.tar.gz
-Copyright: BSD
-Group: Applications/Internet
-BuildRoot: /tmp/openssh-%{version}-buildroot
-PreReq: openssl
-Obsoletes: ssh
+# Default values for additional components
+%define build_x11_askpass 1
+
+# Define the UID/GID to use for privilege separation
+%define sshd_gid 65
+%define sshd_uid 71
+
+# The version of x11-ssh-askpass to use
+%define xversion 1.2.4.1
+
+# Allow the ability to override defaults with -D skip_xxx=1
+%{?skip_x11_askpass:%define build_x11_askpass 0}
+
+Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
+Name: openssh
+Version: 4.3p1
+URL: http://www.openssh.com/
+Release: 1
+Source0: openssh-%{version}.tar.gz
+Source1: x11-ssh-askpass-%{xversion}.tar.gz
+License: BSD
+Group: Productivity/Networking/SSH
+BuildRoot: %{_tmppath}/openssh-%{version}-buildroot
+PreReq: openssl
+Obsoletes: ssh
+Provides: ssh
#
# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.)
# building prerequisites -- stuff for
# TCP Wrappers (nkitb),
# and Gnome (glibdev, gtkdev, and gnlibsd)
#
-BuildPrereq: openssl
-BuildPrereq: nkitb
-BuildPrereq: glibdev
-BuildPrereq: gtkdev
-BuildPrereq: gnlibsd
+BuildPrereq: openssl
+BuildPrereq: nkitb
+#BuildPrereq: glibdev
+#BuildPrereq: gtkdev
+#BuildPrereq: gnlibsd
+
+%package askpass
+Summary: A passphrase dialog for OpenSSH and the X window System.
+Group: Productivity/Networking/SSH
+Requires: openssh = %{version}
+Obsoletes: ssh-extras
+Provides: openssh:${_libdir}/ssh/ssh-askpass
+
+%if %{build_x11_askpass}
+BuildPrereq: XFree86-devel
+%endif
%description
-Ssh (Secure Shell) a program for logging into a remote machine and for
+Ssh (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine. It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network. X11 connections and
patented algorithms to seperate libraries (OpenSSL).
This package includes all files necessary for both the OpenSSH
-client and server. Additionally, this package contains the GNOME
-passphrase dialog.
+client and server.
+
+%description askpass
+Ssh (Secure Shell) is a program for logging into a remote machine and for
+executing commands in a remote machine. It is intended to replace
+rlogin and rsh, and provide secure encrypted communications between
+two untrusted hosts over an insecure network. X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
+up to date in terms of security and features, as well as removing all
+patented algorithms to seperate libraries (OpenSSL).
+
+This package contains an X Window System passphrase dialog for OpenSSH.
%changelog
+* Wed Oct 26 2005 Iain Morgan <imorgan@nas.nasa.gov>
+- Removed accidental inclusion of --without-zlib-version-check
+* Tue Oct 25 2005 Iain Morgan <imorgan@nas.nasa.gov>
+- Overhaul to deal with newer versions of SuSE and OpenSSH
* Mon Jun 12 2000 Damien Miller <djm@mindrot.org>
- Glob manpages to catch compressed files
* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
%prep
+%if %{build_x11_askpass}
+%setup -q -a 1
+%else
%setup -q
+%endif
%build
CFLAGS="$RPM_OPT_FLAGS" \
-./configure --prefix=/usr \
- --sysconfdir=/etc/ssh \
- --datadir=/usr/share/openssh \
+%configure --prefix=/usr \
+ --sysconfdir=%{_sysconfdir}/ssh \
+ --mandir=%{_mandir} \
+ --with-privsep-path=/var/lib/empty \
--with-pam \
- --with-gnome-askpass \
--with-tcp-wrappers \
- --with-ipv4-default \
- --libexecdir=/usr/lib/ssh
+ --libexecdir=%{_libdir}/ssh
make
-cd contrib
-gcc -O -g `gnome-config --cflags gnome gnomeui` \
- gnome-ssh-askpass.c -o gnome-ssh-askpass \
- `gnome-config --libs gnome gnomeui`
+%if %{build_x11_askpass}
+cd x11-ssh-askpass-%{xversion}
+%configure --mandir=/usr/X11R6/man \
+ --libexecdir=%{_libdir}/ssh
+xmkmf -a
+make
cd ..
+%endif
%install
rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT/
-install -d $RPM_BUILD_ROOT/etc/ssh/
install -d $RPM_BUILD_ROOT/etc/pam.d/
-install -d $RPM_BUILD_ROOT/sbin/init.d/
+install -d $RPM_BUILD_ROOT/etc/init.d/
install -d $RPM_BUILD_ROOT/var/adm/fillup-templates
-install -d $RPM_BUILD_ROOT/usr/lib/ssh
install -m644 contrib/sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd
-install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/sbin/init.d/sshd
-ln -s ../../sbin/init.d/sshd $RPM_BUILD_ROOT/usr/sbin/rcsshd
-install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT/usr/lib/ssh/gnome-ssh-askpass
-ln -s gnome-ssh-askpass $RPM_BUILD_ROOT/usr/lib/ssh/ssh-askpass
-install -m744 contrib/suse/rc.config.sshd \
+install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/etc/init.d/sshd
+install -m744 contrib/suse/sysconfig.ssh \
$RPM_BUILD_ROOT/var/adm/fillup-templates
+%if %{build_x11_askpass}
+cd x11-ssh-askpass-%{xversion}
+make install install.man BINDIR=%{_libdir}/ssh DESTDIR=$RPM_BUILD_ROOT/
+rm -f $RPM_BUILD_ROOT/usr/share/Ssh.bin
+%endif
+
%clean
rm -rf $RPM_BUILD_ROOT
+%pre
+/usr/sbin/groupadd -g %{sshd_gid} -o -r sshd 2> /dev/null || :
+/usr/sbin/useradd -r -o -g sshd -u %{sshd_uid} -s /bin/false -c "SSH Privilege Separation User" -d /var/lib/sshd sshd 2> /dev/null || :
+
%post
-if [ "$1" = 1 ]; then
- echo "Creating SSH stop/start scripts in the rc directories..."
- ln -s ../sshd /sbin/init.d/rc2.d/K20sshd
- ln -s ../sshd /sbin/init.d/rc2.d/S20sshd
- ln -s ../sshd /sbin/init.d/rc3.d/K20sshd
- ln -s ../sshd /sbin/init.d/rc3.d/S20sshd
-fi
-echo "Updating /etc/rc.config..."
-if [ -x /bin/fillup ] ; then
- /bin/fillup -q -d = etc/rc.config var/adm/fillup-templates/rc.config.sshd
-else
- echo "ERROR: fillup not found. This should NOT happen in SuSE Linux."
- echo "Update /etc/rc.config by hand from the following template file:"
- echo " /var/adm/fillup-templates/rc.config.sshd"
-fi
if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then
- echo "Generating SSH host key..."
- /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2
+ echo "Generating SSH RSA host key..."
+ /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' >&2
fi
if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then
echo "Generating SSH DSA host key..."
- /usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N '' >&2
-fi
-if test -r /var/run/sshd.pid
-then
- echo "Restarting the running SSH daemon..."
- /usr/sbin/rcsshd restart >&2
+ /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' >&2
fi
+%{fillup_and_insserv -n -s -y ssh sshd START_SSHD}
+%run_permissions
+
+%verifyscript
+%verify_permissions -e /etc/ssh/sshd_config -e /etc/ssh/ssh_config -e /usr/bin/ssh
%preun
-if [ "$1" = 0 ]
-then
- echo "Stopping the SSH daemon..."
- /usr/sbin/rcsshd stop >&2
- echo "Removing SSH stop/start scripts from the rc directories..."
- rm /sbin/init.d/rc2.d/K20sshd
- rm /sbin/init.d/rc2.d/S20sshd
- rm /sbin/init.d/rc3.d/K20sshd
- rm /sbin/init.d/rc3.d/S20sshd
-fi
+%stop_on_removal sshd
+
+%postun
+%restart_on_update sshd
+%{insserv_cleanup}
%files
%defattr(-,root,root)
%doc ChangeLog OVERVIEW README*
%doc RFC.nroff TODO CREDITS LICENCE
-%attr(0755,root,root) %dir /etc/ssh
-%attr(0644,root,root) %config /etc/ssh/ssh_config
-%attr(0600,root,root) %config /etc/ssh/sshd_config
-%attr(0600,root,root) %config /etc/ssh/moduli
-%attr(0644,root,root) %config /etc/pam.d/sshd
-%attr(0755,root,root) %config /sbin/init.d/sshd
-%attr(0755,root,root) /usr/bin/ssh-keygen
-%attr(0755,root,root) /usr/bin/scp
-%attr(4755,root,root) /usr/bin/ssh
-%attr(-,root,root) /usr/bin/slogin
-%attr(0755,root,root) /usr/bin/ssh-agent
-%attr(0755,root,root) /usr/bin/ssh-add
-%attr(0755,root,root) /usr/bin/ssh-keyscan
-%attr(0755,root,root) /usr/bin/sftp
-%attr(0755,root,root) /usr/sbin/sshd
-%attr(-,root,root) /usr/sbin/rcsshd
-%attr(0755,root,root) %dir /usr/lib/ssh
-%attr(0755,root,root) /usr/lib/ssh/ssh-askpass
-%attr(0755,root,root) /usr/lib/ssh/gnome-ssh-askpass
-%attr(0644,root,root) %doc /usr/man/man1/scp.1*
-%attr(0644,root,root) %doc /usr/man/man1/ssh.1*
-%attr(-,root,root) %doc /usr/man/man1/slogin.1*
-%attr(0644,root,root) %doc /usr/man/man1/ssh-agent.1*
-%attr(0644,root,root) %doc /usr/man/man1/ssh-add.1*
-%attr(0644,root,root) %doc /usr/man/man1/ssh-keygen.1*
-%attr(0644,root,root) %doc /usr/man/man8/sshd.8*
-%attr(0644,root,root) /var/adm/fillup-templates/rc.config.sshd
+%attr(0755,root,root) %dir %{_sysconfdir}/ssh
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
+%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
+%attr(0755,root,root) %config /etc/init.d/sshd
+%attr(0755,root,root) %{_bindir}/ssh-keygen
+%attr(0755,root,root) %{_bindir}/scp
+%attr(0755,root,root) %{_bindir}/ssh
+%attr(-,root,root) %{_bindir}/slogin
+%attr(0755,root,root) %{_bindir}/ssh-agent
+%attr(0755,root,root) %{_bindir}/ssh-add
+%attr(0755,root,root) %{_bindir}/ssh-keyscan
+%attr(0755,root,root) %{_bindir}/sftp
+%attr(0755,root,root) %{_sbindir}/sshd
+%attr(0755,root,root) %dir %{_libdir}/ssh
+%attr(0755,root,root) %{_libdir}/ssh/sftp-server
+%attr(4711,root,root) %{_libdir}/ssh/ssh-keysign
+%attr(0644,root,root) %doc %{_mandir}/man1/scp.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/sftp.1*
+%attr(-,root,root) %doc %{_mandir}/man1/slogin.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/ssh.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/ssh-add.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/ssh-agent.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keygen.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keyscan.1*
+%attr(0644,root,root) %doc %{_mandir}/man5/ssh_config.5*
+%attr(0644,root,root) %doc %{_mandir}/man5/sshd_config.5*
+%attr(0644,root,root) %doc %{_mandir}/man8/sftp-server.8*
+%attr(0644,root,root) %doc %{_mandir}/man8/ssh-keysign.8*
+%attr(0644,root,root) %doc %{_mandir}/man8/sshd.8*
+%attr(0644,root,root) /var/adm/fillup-templates/sysconfig.ssh
+%if %{build_x11_askpass}
+%files askpass
+%defattr(-,root,root)
+%doc x11-ssh-askpass-%{xversion}/README
+%doc x11-ssh-askpass-%{xversion}/ChangeLog
+%doc x11-ssh-askpass-%{xversion}/SshAskpass*.ad
+%attr(0755,root,root) %{_libdir}/ssh/ssh-askpass
+%attr(0755,root,root) %{_libdir}/ssh/x11-ssh-askpass
+%attr(0644,root,root) %doc /usr/X11R6/man/man1/ssh-askpass.1x*
+%attr(0644,root,root) %doc /usr/X11R6/man/man1/x11-ssh-askpass.1x*
+%attr(0644,root,root) %config /usr/X11R6/lib/X11/app-defaults/SshAskpass
+%endif
#! /bin/sh
-# Copyright (c) 1995-1998 SuSE GmbH Nuernberg, Germany.
+# Copyright (c) 1995-2000 SuSE GmbH Nuernberg, Germany.
#
-# Author: Chris Saia <csaia@wtower.com>
+# Author: Jiri Smid <feedback@suse.de>
#
-# /sbin/init.d/sshd
+# /etc/init.d/sshd
#
# and symbolic its link
#
-# /sbin/rcsshd
+# /usr/sbin/rcsshd
#
+### BEGIN INIT INFO
+# Provides: sshd
+# Required-Start: $network $remote_fs
+# Required-Stop: $network $remote_fs
+# Default-Start: 3 5
+# Default-Stop: 0 1 2 6
+# Description: Start the sshd daemon
+### END INIT INFO
-. /etc/rc.config
+SSHD_BIN=/usr/sbin/sshd
+test -x $SSHD_BIN || exit 5
-# Determine the base and follow a runlevel link name.
-base=${0##*/}
-link=${base#*[SK][0-9][0-9]}
+SSHD_SYSCONFIG=/etc/sysconfig/ssh
+test -r $SSHD_SYSCONFIG || exit 6
+. $SSHD_SYSCONFIG
-# Force execution if not called by a runlevel directory.
-test $link = $base && START_SSHD=yes
-test "$START_SSHD" = yes || exit 0
+SSHD_PIDFILE=/var/run/sshd.init.pid
+
+. /etc/rc.status
+
+# Shell functions sourced from /etc/rc.status:
+# rc_check check and set local and overall rc status
+# rc_status check and set local and overall rc status
+# rc_status -v ditto but be verbose in local rc status
+# rc_status -v -r ditto and clear the local rc status
+# rc_failed set local and overall rc status to failed
+# rc_reset clear local rc status (overall remains)
+# rc_exit exit appropriate to overall rc status
+
+# First reset status of this service
+rc_reset
-# The echo return value for success (defined in /etc/rc.config).
-return=$rc_done
case "$1" in
start)
- echo -n "Starting service sshd"
+ if ! test -f /etc/ssh/ssh_host_key ; then
+ echo Generating /etc/ssh/ssh_host_key.
+ ssh-keygen -t rsa1 -b 1024 -f /etc/ssh/ssh_host_key -N ''
+ fi
+ if ! test -f /etc/ssh/ssh_host_dsa_key ; then
+ echo Generating /etc/ssh/ssh_host_dsa_key.
+
+ ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N ''
+ fi
+ if ! test -f /etc/ssh/ssh_host_rsa_key ; then
+ echo Generating /etc/ssh/ssh_host_rsa_key.
+
+ ssh-keygen -t rsa -b 1024 -f /etc/ssh/ssh_host_rsa_key -N ''
+ fi
+ echo -n "Starting SSH daemon"
## Start daemon with startproc(8). If this fails
## the echo return value is set appropriate.
- startproc /usr/sbin/sshd || return=$rc_failed
+ startproc -f -p $SSHD_PIDFILE /usr/sbin/sshd $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE"
- echo -e "$return"
+ # Remember status and be verbose
+ rc_status -v
;;
stop)
- echo -n "Stopping service sshd"
+ echo -n "Shutting down SSH daemon"
## Stop daemon with killproc(8) and if this fails
## set echo the echo return value.
- killproc -TERM /usr/sbin/sshd || return=$rc_failed
+ killproc -p $SSHD_PIDFILE -TERM /usr/sbin/sshd
- echo -e "$return"
+ # Remember status and be verbose
+ rc_status -v
;;
+ try-restart)
+ ## Stop the service and if this succeeds (i.e. the
+ ## service was running before), start it again.
+ $0 status >/dev/null && $0 restart
+
+ # Remember status and be quiet
+ rc_status
+ ;;
restart)
- ## If first returns OK call the second, if first or
- ## second command fails, set echo return value.
- $0 stop && $0 start || return=$rc_failed
- ;;
- reload)
- ## Choose ONE of the following two cases:
+ ## Stop the service and regardless of whether it was
+ ## running or not, start it again.
+ $0 stop
+ $0 start
- ## First possibility: A few services accepts a signal
- ## to reread the (changed) configuration.
+ # Remember status and be quiet
+ rc_status
+ ;;
+ force-reload|reload)
+ ## Signal the daemon to reload its config. Most daemons
+ ## do this on signal 1 (SIGHUP).
echo -n "Reload service sshd"
- killproc -HUP /usr/sbin/sshd || return=$rc_failed
- echo -e "$return"
- ;;
+
+ killproc -p $SSHD_PIDFILE -HUP /usr/sbin/sshd
+
+ rc_status -v
+
+ ;;
status)
- echo -n "Checking for service sshd"
- ## Check status with checkproc(8), if process is running
- ## checkproc will return with exit status 0.
+ echo -n "Checking for service sshd "
+ ## Check status with checkproc(8), if process is running
+ ## checkproc will return with exit status 0.
- checkproc /usr/sbin/sshd && echo OK || echo No process
+ # Status has a slightly different for the status command:
+ # 0 - service running
+ # 1 - service dead, but /var/run/ pid file exists
+ # 2 - service dead, but /var/lock/ lock file exists
+ # 3 - service not running
+
+ checkproc -p $SSHD_PIDFILE /usr/sbin/sshd
+
+ rc_status -v
;;
probe)
## Optional: Probe for the necessity of a reload,
## give out the argument which is required for a reload.
- test /etc/ssh/sshd_config -nt /var/run/sshd.pid && echo reload
+ test /etc/ssh/sshd_config -nt $SSHD_PIDFILE && echo reload
;;
*)
- echo "Usage: $0 {start|stop|status|restart|reload[|probe]}"
+ echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1
;;
esac
-
-# Inform the caller not only verbosely and set an exit status.
-test "$return" = "$rc_done" || exit 1
-exit 0
+rc_exit
--- /dev/null
+## Path: Network/Remote access/SSH
+## Description: SSH server settings
+## Type: string
+## Default: ""
+## ServiceRestart: sshd
+#
+# Options for sshd
+#
+SSHD_OPTS=""
# define __sentinel__
#endif
+#if !defined(HAVE_ATTRIBUTE__BOUNDED__) && !defined(__bounded__)
+# define __bounded__(x, y, z)
+#endif
+
/* *-*-nto-qnx doesn't define this macro in the system headers */
#ifdef MISSING_HOWMANY
# define howmany(x,y) (((x)+((y)-1))/(y))
# define CUSTOM_SYS_AUTH_PASSWD 1
#endif
-#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
+#ifdef HAVE_LIBIAF
# define CUSTOM_SYS_AUTH_PASSWD 1
#endif
# undef HAVE_MMAP
#endif
+/* some system headers on HP-UX define YES/NO */
+#ifdef YES
+# undef YES
+#endif
+#ifdef NO
+# undef NO
+#endif
+
#endif /* _DEFINES_H */
-/* $OpenBSD: dns.c,v 1.12 2005/06/17 02:44:32 djm Exp $ */
+/* $OpenBSD: dns.c,v 1.16 2005/10/17 14:13:35 stevesk Exp $ */
/*
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-
#include "includes.h"
+RCSID("$OpenBSD: dns.c,v 1.16 2005/10/17 14:13:35 stevesk Exp $");
-#include <openssl/bn.h>
-#ifdef LWRES
-#include <lwres/netdb.h>
-#include <dns/result.h>
-#else /* LWRES */
#include <netdb.h>
-#endif /* LWRES */
#include "xmalloc.h"
#include "key.h"
#include "dns.h"
#include "log.h"
-#include "uuencode.h"
-
-extern char *__progname;
-RCSID("$OpenBSD: dns.c,v 1.12 2005/06/17 02:44:32 djm Exp $");
-#ifndef LWRES
static const char *errset_text[] = {
"success", /* 0 ERRSET_SUCCESS */
"out of memory", /* 1 ERRSET_NOMEMORY */
return "unknown error";
}
}
-#endif /* LWRES */
-
/*
* Read SSHFP parameters from key buffer.
*algorithm = SSHFP_KEY_DSA;
break;
default:
- *algorithm = SSHFP_KEY_RESERVED;
+ *algorithm = SSHFP_KEY_RESERVED; /* 0 */
}
if (*algorithm) {
*digest_type = SSHFP_HASH_SHA1;
*digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len);
+ if (*digest == NULL)
+ fatal("dns_read_key: null from key_fingerprint_raw()");
success = 1;
} else {
*digest_type = SSHFP_HASH_RESERVED;
*digest = (u_char *) xmalloc(*digest_len);
memcpy(*digest, rdata + 2, *digest_len);
} else {
- *digest = NULL;
+ *digest = xstrdup("");
}
success = 1;
*flags = 0;
- debug3("verify_hostkey_dns");
+ debug3("verify_host_key_dns");
if (hostkey == NULL)
fatal("No key to look up!");
if (fingerprints->rri_nrdatas)
*flags |= DNS_VERIFY_FOUND;
- for (counter = 0 ; counter < fingerprints->rri_nrdatas ; counter++) {
+ for (counter = 0; counter < fingerprints->rri_nrdatas; counter++) {
/*
* Extract the key from the answer. Ignore any badly
* formatted fingerprints.
*flags |= DNS_VERIFY_MATCH;
}
}
+ xfree(dnskey_digest);
}
+ xfree(hostkey_digest); /* from key_fingerprint_raw() */
freerrset(fingerprints);
if (*flags & DNS_VERIFY_FOUND)
return 0;
}
-
/*
* Export the fingerprint of a key as a DNS resource record
*/
int success = 0;
if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
- &rdata_digest, &rdata_digest_len, key)) {
+ &rdata_digest, &rdata_digest_len, key)) {
if (generic)
fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname,
for (i = 0; i < rdata_digest_len; i++)
fprintf(f, "%02x", rdata_digest[i]);
fprintf(f, "\n");
+ xfree(rdata_digest); /* from key_fingerprint_raw() */
success = 1;
} else {
- error("dns_export_rr: unsupported algorithm");
+ error("export_dns_rr: unsupported algorithm");
}
return success;
-/* $OpenBSD: dns.h,v 1.5 2003/11/12 16:39:58 jakob Exp $ */
+/* $OpenBSD: dns.h,v 1.6 2005/10/17 14:13:35 stevesk Exp $ */
/*
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-
#include "includes.h"
#ifndef DNS_H
#define DNS_VERIFY_MATCH 0x00000002
#define DNS_VERIFY_SECURE 0x00000004
-
int verify_host_key_dns(const char *, struct sockaddr *, const Key *, int *);
int export_dns_rr(const char *, const Key *, FILE *, int);
#include <openssl/rand.h>
#include <openssl/crypto.h>
+#include <openssl/err.h>
#include "ssh.h"
#include "misc.h"
#include "atomicio.h"
#include "pathnames.h"
#include "log.h"
+#include "buffer.h"
+#include "bufaux.h"
/*
* Portable OpenSSH PRNG seeding:
"have %lx", OPENSSL_VERSION_NUMBER, SSLeay());
#ifndef OPENSSL_PRNG_ONLY
- if ((original_uid = getuid()) == -1)
- fatal("getuid: %s", strerror(errno));
- if ((original_euid = geteuid()) == -1)
- fatal("geteuid: %s", strerror(errno));
+ original_uid = getuid();
+ original_euid = geteuid();
#endif
}
+#ifndef OPENSSL_PRNG_ONLY
+void
+rexec_send_rng_seed(Buffer *m)
+{
+ u_char buf[RANDOM_SEED_SIZE];
+
+ if (RAND_bytes(buf, sizeof(buf)) <= 0) {
+ error("Couldn't obtain random bytes (error %ld)",
+ ERR_get_error());
+ buffer_put_string(m, "", 0);
+ } else
+ buffer_put_string(m, buf, sizeof(buf));
+}
+
+void
+rexec_recv_rng_seed(Buffer *m)
+{
+ u_char *buf;
+ u_int len;
+
+ buf = buffer_get_string_ret(m, &len);
+ if (buf != NULL) {
+ debug3("rexec_recv_rng_seed: seeding rng with %u bytes", len);
+ RAND_add(buf, len, len);
+ }
+}
+#endif
#ifndef _RANDOMS_H
#define _RANDOMS_H
+#include "buffer.h"
+
void seed_rng(void);
void init_rng(void);
+void rexec_send_rng_seed(Buffer *);
+void rexec_recv_rng_seed(Buffer *);
+
#endif /* _RANDOMS_H */
-/* $OpenBSD: gss-genr.c,v 1.4 2005/07/17 07:17:55 djm Exp $ */
+/* $OpenBSD: gss-genr.c,v 1.6 2005/10/13 22:24:31 stevesk Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
#include "xmalloc.h"
#include "bufaux.h"
-#include "compat.h"
#include "log.h"
-#include "monitor_wrap.h"
#include "ssh2.h"
#include "ssh-gss.h"
}
OM_uint32
-ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) {
+ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
+{
if (*ctx)
ssh_gssapi_delete_ctx(ctx);
ssh_gssapi_build_ctx(ctx);
-/* $OpenBSD: gss-serv-krb5.c,v 1.3 2004/07/21 10:36:23 djm Exp $ */
+/* $OpenBSD: gss-serv-krb5.c,v 1.4 2005/10/13 19:08:08 stevesk Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
-/* $OpenBSD: gss-serv.c,v 1.8 2005/08/30 22:08:05 djm Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.13 2005/10/13 22:24:31 stevesk Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
#ifdef GSSAPI
#include "bufaux.h"
-#include "compat.h"
#include "auth.h"
#include "log.h"
#include "channels.h"
#include "session.h"
#include "servconf.h"
-#include "monitor_wrap.h"
#include "xmalloc.h"
#include "getput.h"
#include "ssh-gss.h"
-extern ServerOptions options;
-
static ssh_gssapi_client gssapi_client =
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
&gssapi_null_mech,
};
-/* Unpriviledged */
+/* Unprivileged */
void
ssh_gssapi_supported_oids(gss_OID_set *oidset)
{
* oid
* credentials (from ssh_gssapi_acquire_cred)
*/
-/* Priviledged */
+/* Privileged */
OM_uint32
ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok,
gss_buffer_desc *send_tok, OM_uint32 *flags)
OM_uint32 offset;
OM_uint32 oidl;
- tok=ename->value;
+ tok = ename->value;
/*
* Check that ename is long enough for all of the fixed length
* header, and that the initial ID bytes are correct
*/
- if (ename->length<6 || memcmp(tok,"\x04\x01", 2)!=0)
+ if (ename->length < 6 || memcmp(tok, "\x04\x01", 2) != 0)
return GSS_S_FAILURE;
/*
*/
if (tok[4] != 0x06 || tok[5] != oidl ||
ename->length < oidl+6 ||
- !ssh_gssapi_check_oid(ctx,tok+6,oidl))
+ !ssh_gssapi_check_oid(ctx, tok+6, oidl))
return GSS_S_FAILURE;
offset = oidl+6;
return GSS_S_FAILURE;
name->value = xmalloc(name->length+1);
- memcpy(name->value,tok+offset,name->length);
+ memcpy(name->value, tok+offset,name->length);
((char *)name->value)[name->length] = 0;
return GSS_S_COMPLETE;
/* Extract the client details from a given context. This can only reliably
* be called once for a context */
-/* Priviledged (called from accept_secure_ctx) */
+/* Privileged (called from accept_secure_ctx) */
OM_uint32
ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
{
if (gssapi_client.store.envvar != NULL &&
gssapi_client.store.envval != NULL) {
-
debug("Setting %s to %s", gssapi_client.store.envvar,
- gssapi_client.store.envval);
+ gssapi_client.store.envval);
child_set_env(envp, envsizep, gssapi_client.store.envvar,
gssapi_client.store.envval);
}
}
-/* Priviledged */
+/* Privileged */
int
ssh_gssapi_userok(char *user)
{
return (0);
}
-/* Priviledged */
+/* Privileged */
OM_uint32
ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
{
*/
#include "includes.h"
-RCSID("$OpenBSD: hostfile.c,v 1.35 2005/07/27 10:39:03 dtucker Exp $");
+RCSID("$OpenBSD: hostfile.c,v 1.36 2005/11/22 03:36:03 dtucker Exp $");
#include <resolv.h>
#include <openssl/hmac.h>
return (-1);
}
if (ret != SHA_DIGEST_LENGTH) {
- debug2("extract_salt: expected salt len %u, got %u",
- salt_len, ret);
+ debug2("extract_salt: expected salt len %d, got %d",
+ SHA_DIGEST_LENGTH, ret);
return (-1);
}
-/* $OpenBSD: includes.h,v 1.19 2005/05/19 02:42:26 djm Exp $ */
+/* $OpenBSD: includes.h,v 1.22 2006/01/01 08:59:27 stevesk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
#include "config.h"
+#define _GNU_SOURCE /* activate extra prototypes for glibc */
+
#include <stdarg.h>
#include <stdio.h>
#include <ctype.h>
#ifdef HAVE_NEXT
# include <libc.h>
#endif
-#define __USE_GNU /* before unistd.h, activate extra prototypes for glibc */
#include <unistd.h> /* For STDIN_FILENO, etc */
#include <termios.h> /* Struct winsize */
*/
#include "includes.h"
-RCSID("$OpenBSD: kex.c,v 1.64 2005/07/25 11:59:39 markus Exp $");
+RCSID("$OpenBSD: kex.c,v 1.65 2005/11/04 05:15:59 djm Exp $");
#include <openssl/crypto.h>
fatal("no kex alg");
if (strcmp(k->name, KEX_DH1) == 0) {
k->kex_type = KEX_DH_GRP1_SHA1;
+ k->evp_md = EVP_sha1();
} else if (strcmp(k->name, KEX_DH14) == 0) {
k->kex_type = KEX_DH_GRP14_SHA1;
- } else if (strcmp(k->name, KEX_DHGEX) == 0) {
+ k->evp_md = EVP_sha1();
+ } else if (strcmp(k->name, KEX_DHGEX_SHA1) == 0) {
k->kex_type = KEX_DH_GEX_SHA1;
+ k->evp_md = EVP_sha1();
} else
fatal("bad kex alg %s", k->name);
}
+
static void
choose_hostkeyalg(Kex *k, char *client, char *server)
{
}
static u_char *
-derive_key(Kex *kex, int id, u_int need, u_char *hash, BIGNUM *shared_secret)
+derive_key(Kex *kex, int id, u_int need, u_char *hash, u_int hashlen,
+ BIGNUM *shared_secret)
{
Buffer b;
- const EVP_MD *evp_md = EVP_sha1();
EVP_MD_CTX md;
char c = id;
u_int have;
- int mdsz = EVP_MD_size(evp_md);
+ int mdsz;
u_char *digest;
- if (mdsz < 0)
- fatal("derive_key: mdsz < 0");
- digest = xmalloc(roundup(need, mdsz));
+ if ((mdsz = EVP_MD_size(kex->evp_md)) <= 0)
+ fatal("bad kex md size %d", mdsz);
+ digest = xmalloc(roundup(need, mdsz));
buffer_init(&b);
buffer_put_bignum2(&b, shared_secret);
/* K1 = HASH(K || H || "A" || session_id) */
- EVP_DigestInit(&md, evp_md);
+ EVP_DigestInit(&md, kex->evp_md);
if (!(datafellows & SSH_BUG_DERIVEKEY))
EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
- EVP_DigestUpdate(&md, hash, mdsz);
+ EVP_DigestUpdate(&md, hash, hashlen);
EVP_DigestUpdate(&md, &c, 1);
EVP_DigestUpdate(&md, kex->session_id, kex->session_id_len);
EVP_DigestFinal(&md, digest, NULL);
* Key = K1 || K2 || ... || Kn
*/
for (have = mdsz; need > have; have += mdsz) {
- EVP_DigestInit(&md, evp_md);
+ EVP_DigestInit(&md, kex->evp_md);
if (!(datafellows & SSH_BUG_DERIVEKEY))
EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
- EVP_DigestUpdate(&md, hash, mdsz);
+ EVP_DigestUpdate(&md, hash, hashlen);
EVP_DigestUpdate(&md, digest, have);
EVP_DigestFinal(&md, digest + have, NULL);
}
#define NKEYS 6
void
-kex_derive_keys(Kex *kex, u_char *hash, BIGNUM *shared_secret)
+kex_derive_keys(Kex *kex, u_char *hash, u_int hashlen, BIGNUM *shared_secret)
{
u_char *keys[NKEYS];
u_int i, mode, ctos;
- for (i = 0; i < NKEYS; i++)
- keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, shared_secret);
+ for (i = 0; i < NKEYS; i++) {
+ keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, hashlen,
+ shared_secret);
+ }
debug2("kex_derive_keys");
for (mode = 0; mode < MODE_MAX; mode++) {
-/* $OpenBSD: kex.h,v 1.37 2005/07/25 11:59:39 markus Exp $ */
+/* $OpenBSD: kex.h,v 1.38 2005/11/04 05:15:59 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
#include "cipher.h"
#include "key.h"
-#define KEX_DH1 "diffie-hellman-group1-sha1"
-#define KEX_DH14 "diffie-hellman-group14-sha1"
-#define KEX_DHGEX "diffie-hellman-group-exchange-sha1"
+#define KEX_DH1 "diffie-hellman-group1-sha1"
+#define KEX_DH14 "diffie-hellman-group14-sha1"
+#define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1"
#define COMP_NONE 0
#define COMP_ZLIB 1
Buffer peer;
int done;
int flags;
+ const EVP_MD *evp_md;
char *client_version_string;
char *server_version_string;
int (*verify_host_key)(Key *);
void kex_send_kexinit(Kex *);
void kex_input_kexinit(int, u_int32_t, void *);
-void kex_derive_keys(Kex *, u_char *, BIGNUM *);
+void kex_derive_keys(Kex *, u_char *, u_int, BIGNUM *);
Newkeys *kex_get_newkeys(int);
void kexgex_client(Kex *);
void kexgex_server(Kex *);
-u_char *
+void
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
- BIGNUM *, BIGNUM *, BIGNUM *);
-u_char *
-kexgex_hash(char *, char *, char *, int, char *, int, u_char *, int,
- int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *);
+ BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
+void
+kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *,
+ int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
+ BIGNUM *, BIGNUM *, u_char **, u_int *);
void
derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]);
*/
#include "includes.h"
-RCSID("$OpenBSD: kexdh.c,v 1.19 2003/02/16 17:09:57 markus Exp $");
+RCSID("$OpenBSD: kexdh.c,v 1.20 2005/11/04 05:15:59 djm Exp $");
#include <openssl/evp.h>
#include "ssh2.h"
#include "kex.h"
-u_char *
+void
kex_dh_hash(
char *client_version_string,
char *server_version_string,
u_char *serverhostkeyblob, int sbloblen,
BIGNUM *client_dh_pub,
BIGNUM *server_dh_pub,
- BIGNUM *shared_secret)
+ BIGNUM *shared_secret,
+ u_char **hash, u_int *hashlen)
{
Buffer b;
static u_char digest[EVP_MAX_MD_SIZE];
#ifdef DEBUG_KEX
dump_digest("hash", digest, EVP_MD_size(evp_md));
#endif
- return digest;
+ *hash = digest;
+ *hashlen = EVP_MD_size(evp_md);
}
*/
#include "includes.h"
-RCSID("$OpenBSD: kexdhc.c,v 1.2 2004/06/13 12:53:24 djm Exp $");
+RCSID("$OpenBSD: kexdhc.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
#include "xmalloc.h"
#include "key.h"
Key *server_host_key;
u_char *server_host_key_blob = NULL, *signature = NULL;
u_char *kbuf, *hash;
- u_int klen, kout, slen, sbloblen;
+ u_int klen, kout, slen, sbloblen, hashlen;
/* generate and send 'e', client DH public key */
switch (kex->kex_type) {
xfree(kbuf);
/* calc and verify H */
- hash = kex_dh_hash(
+ kex_dh_hash(
kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->my), buffer_len(&kex->my),
server_host_key_blob, sbloblen,
dh->pub_key,
dh_server_pub,
- shared_secret
+ shared_secret,
+ &hash, &hashlen
);
xfree(server_host_key_blob);
BN_clear_free(dh_server_pub);
DH_free(dh);
- if (key_verify(server_host_key, signature, slen, hash, 20) != 1)
+ if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
fatal("key_verify failed for server_host_key");
key_free(server_host_key);
xfree(signature);
/* save session id */
if (kex->session_id == NULL) {
- kex->session_id_len = 20;
+ kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
- kex_derive_keys(kex, hash, shared_secret);
+ kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
}
*/
#include "includes.h"
-RCSID("$OpenBSD: kexdhs.c,v 1.2 2004/06/13 12:53:24 djm Exp $");
+RCSID("$OpenBSD: kexdhs.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
#include "xmalloc.h"
#include "key.h"
DH *dh;
Key *server_host_key;
u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
- u_int sbloblen, klen, kout;
+ u_int sbloblen, klen, kout, hashlen;
u_int slen;
/* generate server DH public key */
key_to_blob(server_host_key, &server_host_key_blob, &sbloblen);
/* calc H */
- hash = kex_dh_hash(
+ kex_dh_hash(
kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->peer), buffer_len(&kex->peer),
server_host_key_blob, sbloblen,
dh_client_pub,
dh->pub_key,
- shared_secret
+ shared_secret,
+ &hash, &hashlen
);
BN_clear_free(dh_client_pub);
/* save session id := H */
- /* XXX hashlen depends on KEX */
if (kex->session_id == NULL) {
- kex->session_id_len = 20;
+ kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
/* sign H */
- /* XXX hashlen depends on KEX */
- PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20));
+ PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
/* destroy_sensitive_data(); */
/* have keys, free DH */
DH_free(dh);
- kex_derive_keys(kex, hash, shared_secret);
+ kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
}
*/
#include "includes.h"
-RCSID("$OpenBSD: kexgex.c,v 1.23 2003/02/16 17:09:57 markus Exp $");
+RCSID("$OpenBSD: kexgex.c,v 1.24 2005/11/04 05:15:59 djm Exp $");
#include <openssl/evp.h>
#include "kex.h"
#include "ssh2.h"
-u_char *
+void
kexgex_hash(
+ const EVP_MD *evp_md,
char *client_version_string,
char *server_version_string,
char *ckexinit, int ckexinitlen,
int min, int wantbits, int max, BIGNUM *prime, BIGNUM *gen,
BIGNUM *client_dh_pub,
BIGNUM *server_dh_pub,
- BIGNUM *shared_secret)
+ BIGNUM *shared_secret,
+ u_char **hash, u_int *hashlen)
{
Buffer b;
static u_char digest[EVP_MAX_MD_SIZE];
- const EVP_MD *evp_md = EVP_sha1();
EVP_MD_CTX md;
buffer_init(&b);
#ifdef DEBUG_KEXDH
buffer_dump(&b);
#endif
+
EVP_DigestInit(&md, evp_md);
EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
EVP_DigestFinal(&md, digest, NULL);
buffer_free(&b);
-
+ *hash = digest;
+ *hashlen = EVP_MD_size(evp_md);
#ifdef DEBUG_KEXDH
- dump_digest("hash", digest, EVP_MD_size(evp_md));
+ dump_digest("hash", digest, *hashlen);
#endif
- return digest;
}
*/
#include "includes.h"
-RCSID("$OpenBSD: kexgexc.c,v 1.2 2003/12/08 11:00:47 markus Exp $");
+RCSID("$OpenBSD: kexgexc.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
#include "xmalloc.h"
#include "key.h"
BIGNUM *p = NULL, *g = NULL;
Key *server_host_key;
u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
- u_int klen, kout, slen, sbloblen;
+ u_int klen, kout, slen, sbloblen, hashlen;
int min, max, nbits;
DH *dh;
min = max = -1;
/* calc and verify H */
- hash = kexgex_hash(
+ kexgex_hash(
+ kex->evp_md,
kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->my), buffer_len(&kex->my),
dh->p, dh->g,
dh->pub_key,
dh_server_pub,
- shared_secret
+ shared_secret,
+ &hash, &hashlen
);
+
/* have keys, free DH */
DH_free(dh);
xfree(server_host_key_blob);
BN_clear_free(dh_server_pub);
- if (key_verify(server_host_key, signature, slen, hash, 20) != 1)
+ if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
fatal("key_verify failed for server_host_key");
key_free(server_host_key);
xfree(signature);
/* save session id */
if (kex->session_id == NULL) {
- kex->session_id_len = 20;
+ kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
- kex_derive_keys(kex, hash, shared_secret);
+ kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
*/
#include "includes.h"
-RCSID("$OpenBSD: kexgexs.c,v 1.1 2003/02/16 17:09:57 markus Exp $");
+RCSID("$OpenBSD: kexgexs.c,v 1.2 2005/11/04 05:15:59 djm Exp $");
#include "xmalloc.h"
#include "key.h"
Key *server_host_key;
DH *dh;
u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
- u_int sbloblen, klen, kout, slen;
+ u_int sbloblen, klen, kout, slen, hashlen;
int min = -1, max = -1, nbits = -1, type;
if (kex->load_host_key == NULL)
if (type == SSH2_MSG_KEX_DH_GEX_REQUEST_OLD)
min = max = -1;
- /* calc H */ /* XXX depends on 'kex' */
- hash = kexgex_hash(
+ /* calc H */
+ kexgex_hash(
+ kex->evp_md,
kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->peer), buffer_len(&kex->peer),
dh->p, dh->g,
dh_client_pub,
dh->pub_key,
- shared_secret
+ shared_secret,
+ &hash, &hashlen
);
BN_clear_free(dh_client_pub);
/* save session id := H */
- /* XXX hashlen depends on KEX */
if (kex->session_id == NULL) {
- kex->session_id_len = 20;
+ kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
/* sign H */
- /* XXX hashlen depends on KEX */
- PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20));
+ PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
/* destroy_sensitive_data(); */
/* have keys, free DH */
DH_free(dh);
- kex_derive_keys(kex, hash, shared_secret);
+ kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
return (0);
default:
error("%s: Error reading from %s: Expecting %d, got %d",
- __func__, LASTLOG_FILE, sizeof(last), ret);
+ __func__, LASTLOG_FILE, (int)sizeof(last), ret);
return (0);
}
int fd;
struct utmp ut;
struct sockaddr_storage from;
- size_t fromlen = sizeof(from);
+ socklen_t fromlen = sizeof(from);
struct sockaddr_in *a4;
struct sockaddr_in6 *a6;
time_t t;
*/
#include "includes.h"
-RCSID("$OpenBSD: misc.c,v 1.34 2005/07/08 09:26:18 dtucker Exp $");
+RCSID("$OpenBSD: misc.c,v 1.42 2006/01/31 10:19:02 djm Exp $");
+
+#ifdef SSH_TUN_OPENBSD
+#include <net/if.h>
+#endif
#include "misc.h"
#include "log.h"
return port;
}
+int
+a2tun(const char *s, int *remote)
+{
+ const char *errstr = NULL;
+ char *sp, *ep;
+ int tun;
+
+ if (remote != NULL) {
+ *remote = SSH_TUNID_ANY;
+ sp = xstrdup(s);
+ if ((ep = strchr(sp, ':')) == NULL) {
+ xfree(sp);
+ return (a2tun(s, NULL));
+ }
+ ep[0] = '\0'; ep++;
+ *remote = a2tun(ep, NULL);
+ tun = a2tun(sp, NULL);
+ xfree(sp);
+ return (*remote == SSH_TUNID_ERR ? *remote : tun);
+ }
+
+ if (strcasecmp(s, "any") == 0)
+ return (SSH_TUNID_ANY);
+
+ tun = strtonum(s, 0, SSH_TUNID_MAX, &errstr);
+ if (errstr != NULL)
+ return (SSH_TUNID_ERR);
+
+ return (tun);
+}
+
#define SECONDS 1
#define MINUTES (SECONDS * 60)
#define HOURS (MINUTES * 60)
addargs(arglist *args, char *fmt, ...)
{
va_list ap;
- char buf[1024];
+ char *cp;
u_int nalloc;
+ int r;
va_start(ap, fmt);
- vsnprintf(buf, sizeof(buf), fmt, ap);
+ r = vasprintf(&cp, fmt, ap);
va_end(ap);
+ if (r == -1)
+ fatal("addargs: argument too long");
nalloc = args->nalloc;
if (args->list == NULL) {
args->list = xrealloc(args->list, nalloc * sizeof(char *));
args->nalloc = nalloc;
- args->list[args->num++] = xstrdup(buf);
+ args->list[args->num++] = cp;
args->list[args->num] = NULL;
}
+void
+replacearg(arglist *args, u_int which, char *fmt, ...)
+{
+ va_list ap;
+ char *cp;
+ int r;
+
+ va_start(ap, fmt);
+ r = vasprintf(&cp, fmt, ap);
+ va_end(ap);
+ if (r == -1)
+ fatal("replacearg: argument too long");
+
+ if (which >= args->num)
+ fatal("replacearg: tried to replace invalid arg %d >= %d",
+ which, args->num);
+ xfree(args->list[which]);
+ args->list[which] = cp;
+}
+
+void
+freeargs(arglist *args)
+{
+ u_int i;
+
+ if (args->list != NULL) {
+ for (i = 0; i < args->num; i++)
+ xfree(args->list[i]);
+ xfree(args->list);
+ args->nalloc = args->num = 0;
+ args->list = NULL;
+ }
+}
+
/*
* Expands tildes in the file name. Returns data allocated by xmalloc.
* Warning: this calls getpw*.
return -1;
}
+int
+tun_open(int tun, int mode)
+{
+#if defined(CUSTOM_SYS_TUN_OPEN)
+ return (sys_tun_open(tun, mode));
+#elif defined(SSH_TUN_OPENBSD)
+ struct ifreq ifr;
+ char name[100];
+ int fd = -1, sock;
+
+ /* Open the tunnel device */
+ if (tun <= SSH_TUNID_MAX) {
+ snprintf(name, sizeof(name), "/dev/tun%d", tun);
+ fd = open(name, O_RDWR);
+ } else if (tun == SSH_TUNID_ANY) {
+ for (tun = 100; tun >= 0; tun--) {
+ snprintf(name, sizeof(name), "/dev/tun%d", tun);
+ if ((fd = open(name, O_RDWR)) >= 0)
+ break;
+ }
+ } else {
+ debug("%s: invalid tunnel %u", __func__, tun);
+ return (-1);
+ }
+
+ if (fd < 0) {
+ debug("%s: %s open failed: %s", __func__, name, strerror(errno));
+ return (-1);
+ }
+
+ debug("%s: %s mode %d fd %d", __func__, name, mode, fd);
+
+ /* Set the tunnel device operation mode */
+ snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "tun%d", tun);
+ if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1)
+ goto failed;
+
+ if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1)
+ goto failed;
+
+ /* Set interface mode */
+ ifr.ifr_flags &= ~IFF_UP;
+ if (mode == SSH_TUNMODE_ETHERNET)
+ ifr.ifr_flags |= IFF_LINK0;
+ else
+ ifr.ifr_flags &= ~IFF_LINK0;
+ if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1)
+ goto failed;
+
+ /* Bring interface up */
+ ifr.ifr_flags |= IFF_UP;
+ if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1)
+ goto failed;
+
+ close(sock);
+ return (fd);
+
+ failed:
+ if (fd >= 0)
+ close(fd);
+ if (sock >= 0)
+ close(sock);
+ debug("%s: failed to set %s mode %d: %s", __func__, name,
+ mode, strerror(errno));
+ return (-1);
+#else
+ error("Tunnel interfaces are not supported on this platform");
+ return (-1);
+#endif
+}
+
+void
+sanitise_stdfd(void)
+{
+ int nullfd, dupfd;
+
+ if ((nullfd = dupfd = open(_PATH_DEVNULL, O_RDWR)) == -1) {
+ fprintf(stderr, "Couldn't open /dev/null: %s", strerror(errno));
+ exit(1);
+ }
+ while (++dupfd <= 2) {
+ /* Only clobber closed fds */
+ if (fcntl(dupfd, F_GETFL, 0) >= 0)
+ continue;
+ if (dup2(nullfd, dupfd) == -1) {
+ fprintf(stderr, "dup2: %s", strerror(errno));
+ exit(1);
+ }
+ }
+ if (nullfd > 2)
+ close(nullfd);
+}
+
char *
tohex(const u_char *d, u_int l)
{
-/* $OpenBSD: misc.h,v 1.25 2005/07/14 04:00:43 dtucker Exp $ */
+/* $OpenBSD: misc.h,v 1.29 2006/01/31 10:19:02 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
int unset_nonblock(int);
void set_nodelay(int);
int a2port(const char *);
+int a2tun(const char *, int *);
char *hpdelim(char **);
char *cleanhostname(char *);
char *colon(char *);
char *tilde_expand_filename(const char *, uid_t);
char *percent_expand(const char *, ...) __attribute__((__sentinel__));
char *tohex(const u_char *, u_int);
+void sanitise_stdfd(void);
struct passwd *pwcopy(struct passwd *);
u_int num;
u_int nalloc;
};
-void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3)));
+void addargs(arglist *, char *, ...)
+ __attribute__((format(printf, 2, 3)));
+void replacearg(arglist *, u_int, char *, ...)
+ __attribute__((format(printf, 3, 4)));
+void freeargs(arglist *);
/* readpass.c */
char *read_passphrase(const char *, int);
int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
+
+int tun_open(int, int);
+
+/* Common definitions for ssh tunnel device forwarding */
+#define SSH_TUNMODE_NO 0x00
+#define SSH_TUNMODE_POINTOPOINT 0x01
+#define SSH_TUNMODE_ETHERNET 0x02
+#define SSH_TUNMODE_DEFAULT SSH_TUNMODE_POINTOPOINT
+#define SSH_TUNMODE_YES (SSH_TUNMODE_POINTOPOINT|SSH_TUNMODE_ETHERNET)
+
+#define SSH_TUNID_ANY 0x7fffffff
+#define SSH_TUNID_ERR (SSH_TUNID_ANY - 1)
+#define SSH_TUNID_MAX (SSH_TUNID_ANY - 2)
*/
#include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.63 2005/03/10 22:01:05 deraadt Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.64 2005/10/13 22:24:31 stevesk Exp $");
#include <openssl/dh.h>
ret = do_pam_account();
buffer_put_int(m, ret);
- buffer_append(&loginmsg, "\0", 1);
- buffer_put_cstring(m, buffer_ptr(&loginmsg));
- buffer_clear(&loginmsg);
+ buffer_put_string(m, buffer_ptr(&loginmsg), buffer_len(&loginmsg));
mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m);
buffer_clear(m);
buffer_put_int(m, major);
- mm_request_send(sock,MONITOR_ANS_GSSSETUP, m);
+ mm_request_send(sock, MONITOR_ANS_GSSSETUP, m);
/* Now we have a context, enable the step */
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1);
{
gss_buffer_desc in;
gss_buffer_desc out = GSS_C_EMPTY_BUFFER;
- OM_uint32 major,minor;
+ OM_uint32 major, minor;
OM_uint32 flags = 0; /* GSI needs this */
u_int len;
gss_release_buffer(&minor, &out);
- if (major==GSS_S_COMPLETE) {
+ if (major == GSS_S_COMPLETE) {
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
debug3("%s: sending result %d", __func__, authenticated);
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
- auth_method="gssapi-with-mic";
+ auth_method = "gssapi-with-mic";
/* Monitor loop will terminate if authenticated */
return (authenticated);
extern Buffer input, output;
extern Buffer loginmsg;
extern ServerOptions options;
-extern Buffer loginmsg;
int
mm_is_monitor(void)
OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtonum.o strtoll.o strtoul.o vis.o
-COMPAT=bsd-arc4random.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
+COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
-PORTS=port-irix.o port-aix.o port-uw.o
+PORTS=port-irix.o port-aix.o port-uw.o port-tun.o
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
-/* OPENBSD ORIGINAL: lib/libc/net/base64.c */
-
/* $OpenBSD: base64.c,v 1.4 2002/01/02 23:00:10 deraadt Exp $ */
/*
* IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
*/
+/* OPENBSD ORIGINAL: lib/libc/net/base64.c */
+
#include "includes.h"
#if (!defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP)) || (!defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON))
size_t datalength = 0;
u_char input[3];
u_char output[4];
- int i;
+ u_int i;
while (2 < srclength) {
input[0] = *src++;
int
b64_pton(char const *src, u_char *target, size_t targsize)
{
- int tarindex, state, ch;
+ u_int tarindex, state;
+ int ch;
char *pos;
state = 0;
-/* OPENBSD ORIGINAL: lib/libc/gen/basename.c */
-
-/* $OpenBSD: basename.c,v 1.11 2003/06/17 21:56:23 millert Exp $ */
+/* $OpenBSD: basename.c,v 1.14 2005/08/08 08:05:33 espie Exp $ */
/*
- * Copyright (c) 1997 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1997, 2004 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+/* OPENBSD ORIGINAL: lib/libc/gen/basename.c */
+
#include "includes.h"
#ifndef HAVE_BASENAME
-#ifndef lint
-static char rcsid[] = "$OpenBSD: basename.c,v 1.11 2003/06/17 21:56:23 millert Exp $";
-#endif /* not lint */
-
char *
basename(const char *path)
{
static char bname[MAXPATHLEN];
- register const char *endp, *startp;
+ size_t len;
+ const char *endp, *startp;
/* Empty or NULL string gets treated as "." */
if (path == NULL || *path == '\0') {
- (void)strlcpy(bname, ".", sizeof bname);
- return(bname);
+ bname[0] = '.';
+ bname[1] = '\0';
+ return (bname);
}
- /* Strip trailing slashes */
+ /* Strip any trailing slashes */
endp = path + strlen(path) - 1;
while (endp > path && *endp == '/')
endp--;
- /* All slashes become "/" */
+ /* All slashes becomes "/" */
if (endp == path && *endp == '/') {
- (void)strlcpy(bname, "/", sizeof bname);
- return(bname);
+ bname[0] = '/';
+ bname[1] = '\0';
+ return (bname);
}
/* Find the start of the base */
while (startp > path && *(startp - 1) != '/')
startp--;
- if (endp - startp + 2 > sizeof(bname)) {
+ len = endp - startp + 1;
+ if (len >= sizeof(bname)) {
errno = ENAMETOOLONG;
- return(NULL);
+ return (NULL);
}
- strlcpy(bname, startp, endp - startp + 2);
- return(bname);
+ memcpy(bname, startp, len);
+ bname[len] = '\0';
+ return (bname);
}
#endif /* !defined(HAVE_BASENAME) */
/* This file has be substantially modified from the original OpenBSD source */
-/* $OpenBSD: bindresvport.c,v 1.15 2003/05/20 22:42:35 deraadt Exp $ */
+/* $OpenBSD: bindresvport.c,v 1.16 2005/04/01 07:44:03 otto Exp $ */
/*
* Copyright 1996, Jason Downs. All rights reserved.
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
+/* OPENBSD ORIGINAL: lib/libc/rpc/bindresvport.c */
+
#include "includes.h"
#ifndef HAVE_BINDRESVPORT_SA
* Bind a socket to a privileged IP port
*/
int
-bindresvport_sa(sd, sa)
- int sd;
- struct sockaddr *sa;
+bindresvport_sa(int sd, struct sockaddr *sa)
{
int error, af;
struct sockaddr_storage myaddr;
--- /dev/null
+/*
+ * Copyright (c) 2004 Darren Tucker.
+ *
+ * Based originally on asprintf.c from OpenBSD:
+ * Copyright (c) 1997 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#ifndef HAVE_VASPRINTF
+
+#ifndef VA_COPY
+# ifdef HAVE_VA_COPY
+# define VA_COPY(dest, src) va_copy(dest, src)
+# else
+# ifdef HAVE___VA_COPY
+# define VA_COPY(dest, src) __va_copy(dest, src)
+# else
+# define VA_COPY(dest, src) (dest) = (src)
+# endif
+# endif
+#endif
+
+#define INIT_SZ 128
+
+int vasprintf(char **str, const char *fmt, va_list ap)
+{
+ int ret = -1;
+ va_list ap2;
+ char *string, *newstr;
+ size_t len;
+
+ VA_COPY(ap2, ap);
+ if ((string = malloc(INIT_SZ)) == NULL)
+ goto fail;
+
+ ret = vsnprintf(string, INIT_SZ, fmt, ap2);
+ if (ret >= 0 && ret < INIT_SZ) { /* succeeded with initial alloc */
+ *str = string;
+ } else if (ret == INT_MAX) { /* shouldn't happen */
+ goto fail;
+ } else { /* bigger than initial, realloc allowing for nul */
+ len = (size_t)ret + 1;
+ if ((newstr = realloc(string, len)) == NULL) {
+ free(string);
+ goto fail;
+ } else {
+ va_end(ap2);
+ VA_COPY(ap2, ap);
+ ret = vsnprintf(newstr, len, fmt, ap2);
+ if (ret >= 0 && (size_t)ret < len) {
+ *str = newstr;
+ } else { /* failed with realloc'ed string, give up */
+ free(newstr);
+ goto fail;
+ }
+ }
+ }
+ va_end(ap2);
+ return (ret);
+
+fail:
+ *str = NULL;
+ errno = ENOMEM;
+ va_end(ap2);
+ return (-1);
+}
+#endif
+
+#ifndef HAVE_ASPRINTF
+int asprintf(char **str, const char *fmt, ...)
+{
+ va_list ap;
+ int ret;
+
+ *str = NULL;
+ va_start(ap, fmt);
+ ret = vasprintf(str, fmt, ap);
+ va_end(ap);
+
+ return ret;
+}
+#endif
# define OPEN_MAX 256
#endif
-RCSID("$Id: bsd-closefrom.c,v 1.1 2004/08/15 08:41:00 djm Exp $");
+RCSID("$Id: bsd-closefrom.c,v 1.2 2005/11/10 08:29:13 dtucker Exp $");
#ifndef lint
static const char sudorcsid[] = "$Sudo: closefrom.c,v 1.6 2004/06/01 20:51:56 millert Exp $";
/* Check for a /proc/$$/fd directory. */
len = snprintf(fdpath, sizeof(fdpath), "/proc/%ld/fd", (long)getpid());
- if (len != -1 && len <= sizeof(fdpath) && (dirp = opendir(fdpath))) {
+ if (len >= 0 && (u_int)len <= sizeof(fdpath) && (dirp = opendir(fdpath))) {
while ((dent = readdir(dirp)) != NULL) {
fd = strtol(dent->d_name, &endp, 10);
if (dent->d_name != endp && *endp == '\0' &&
len = strlen(str) + 1;
cp = malloc(len);
if (cp != NULL)
- if (strlcpy(cp, str, len) != len) {
- free(cp);
- return NULL;
- }
- return cp;
+ return(memcpy(cp, str, len));
+ return NULL;
}
#endif
* missing. Some systems only have snprintf() but not vsnprintf(), so
* the code is now broken down under HAVE_SNPRINTF and HAVE_VSNPRINTF.
*
- * Ben Lindstrom <mouring@eviladmin.org> 09/27/00 for OpenSSH
- * Welcome to the world of %lld and %qd support. With other
- * long long support. This is needed for sftp-server to work
- * right.
+ * Andrew Tridgell (tridge@samba.org) Oct 1998
+ * fixed handling of %.0f
+ * added test for HAVE_LONG_DOUBLE
*
- * Ben Lindstrom <mouring@eviladmin.org> 02/12/01 for OpenSSH
- * Removed all hint of VARARGS stuff and banished it to the void,
- * and did a bit of KNF style work to make things a bit more
- * acceptable. Consider stealing from mutt or enlightenment.
+ * tridge@samba.org, idra@samba.org, April 2001
+ * got rid of fcvt code (twas buggy and made testing harder)
+ * added C99 semantics
+ *
+ * date: 2002/12/19 19:56:31; author: herb; state: Exp; lines: +2 -0
+ * actually print args for %g and %e
+ *
+ * date: 2002/06/03 13:37:52; author: jmcd; state: Exp; lines: +8 -0
+ * Since includes.h isn't included here, VA_COPY has to be defined here. I don't
+ * see any include file that is guaranteed to be here, so I'm defining it
+ * locally. Fixes AIX and Solaris builds.
+ *
+ * date: 2002/06/03 03:07:24; author: tridge; state: Exp; lines: +5 -13
+ * put the ifdef for HAVE_VA_COPY in one place rather than in lots of
+ * functions
+ *
+ * date: 2002/05/17 14:51:22; author: jmcd; state: Exp; lines: +21 -4
+ * Fix usage of va_list passed as an arg. Use __va_copy before using it
+ * when it exists.
+ *
+ * date: 2002/04/16 22:38:04; author: idra; state: Exp; lines: +20 -14
+ * Fix incorrect zpadlen handling in fmtfp.
+ * Thanks to Ollie Oldham <ollie.oldham@metro-optix.com> for spotting it.
+ * few mods to make it easier to compile the tests.
+ * addedd the "Ollie" test to the floating point ones.
+ *
+ * Martin Pool (mbp@samba.org) April 2003
+ * Remove NO_CONFIG_H so that the test case can be built within a source
+ * tree with less trouble.
+ * Remove unnecessary SAFE_FREE() definition.
+ *
+ * Martin Pool (mbp@samba.org) May 2003
+ * Put in a prototype for dummy_snprintf() to quiet compiler warnings.
+ *
+ * Move #endif to make sure VA_COPY, LDOUBLE, etc are defined even
+ * if the C library has some snprintf functions already.
**************************************************************/
#include "includes.h"
# undef HAVE_VSNPRINTF
#endif
-#if !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF)
-
-static void
-dopr(char *buffer, size_t maxlen, const char *format, va_list args);
-
-static void
-fmtstr(char *buffer, size_t *currlen, size_t maxlen, char *value, int flags,
- int min, int max);
+#ifndef VA_COPY
+# ifdef HAVE_VA_COPY
+# define VA_COPY(dest, src) va_copy(dest, src)
+# else
+# ifdef HAVE___VA_COPY
+# define VA_COPY(dest, src) __va_copy(dest, src)
+# else
+# define VA_COPY(dest, src) (dest) = (src)
+# endif
+# endif
+#endif
-static void
-fmtint(char *buffer, size_t *currlen, size_t maxlen, long value, int base,
- int min, int max, int flags);
+#if !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF)
-static void
-fmtfp(char *buffer, size_t *currlen, size_t maxlen, long double fvalue,
- int min, int max, int flags);
+#ifdef HAVE_LONG_DOUBLE
+# define LDOUBLE long double
+#else
+# define LDOUBLE double
+#endif
-static void
-dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c);
+#ifdef HAVE_LONG_LONG
+# define LLONG long long
+#else
+# define LLONG long
+#endif
/*
* dopr(): poor man's version of doprintf
#define DP_F_UNSIGNED (1 << 6)
/* Conversion Flags */
-#define DP_C_SHORT 1
-#define DP_C_LONG 2
-#define DP_C_LDOUBLE 3
-#define DP_C_LONG_LONG 4
-
-#define char_to_int(p) (p - '0')
-#define abs_val(p) (p < 0 ? -p : p)
-
+#define DP_C_SHORT 1
+#define DP_C_LONG 2
+#define DP_C_LDOUBLE 3
+#define DP_C_LLONG 4
+
+#define char_to_int(p) ((p)- '0')
+#ifndef MAX
+# define MAX(p,q) (((p) >= (q)) ? (p) : (q))
+#endif
-static void
-dopr(char *buffer, size_t maxlen, const char *format, va_list args)
+static size_t dopr(char *buffer, size_t maxlen, const char *format,
+ va_list args_in);
+static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
+ char *value, int flags, int min, int max);
+static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
+ long value, int base, int min, int max, int flags);
+static void fmtfp(char *buffer, size_t *currlen, size_t maxlen,
+ LDOUBLE fvalue, int min, int max, int flags);
+static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c);
+
+static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args_in)
{
- char *strvalue, ch;
- long value;
- long double fvalue;
- int min = 0, max = -1, state = DP_S_DEFAULT, flags = 0, cflags = 0;
- size_t currlen = 0;
-
+ char ch;
+ LLONG value;
+ LDOUBLE fvalue;
+ char *strvalue;
+ int min;
+ int max;
+ int state;
+ int flags;
+ int cflags;
+ size_t currlen;
+ va_list args;
+
+ VA_COPY(args, args_in);
+
+ state = DP_S_DEFAULT;
+ currlen = flags = cflags = min = 0;
+ max = -1;
ch = *format++;
-
+
while (state != DP_S_DONE) {
- if ((ch == '\0') || (currlen >= maxlen))
+ if (ch == '\0')
state = DP_S_DONE;
switch(state) {
if (ch == '%')
state = DP_S_FLAGS;
else
- dopr_outch(buffer, &currlen, maxlen, ch);
+ dopr_outch (buffer, &currlen, maxlen, ch);
ch = *format++;
break;
case DP_S_FLAGS:
break;
case DP_S_MIN:
if (isdigit((unsigned char)ch)) {
- min = 10 * min + char_to_int (ch);
+ min = 10*min + char_to_int (ch);
ch = *format++;
} else if (ch == '*') {
min = va_arg (args, int);
ch = *format++;
state = DP_S_DOT;
- } else
+ } else {
state = DP_S_DOT;
+ }
break;
case DP_S_DOT:
if (ch == '.') {
state = DP_S_MAX;
ch = *format++;
- } else
+ } else {
state = DP_S_MOD;
+ }
break;
case DP_S_MAX:
if (isdigit((unsigned char)ch)) {
if (max < 0)
max = 0;
- max = 10 * max + char_to_int(ch);
+ max = 10*max + char_to_int (ch);
ch = *format++;
} else if (ch == '*') {
max = va_arg (args, int);
ch = *format++;
state = DP_S_MOD;
- } else
+ } else {
state = DP_S_MOD;
+ }
break;
case DP_S_MOD:
switch (ch) {
case 'l':
cflags = DP_C_LONG;
ch = *format++;
- if (ch == 'l') {
- cflags = DP_C_LONG_LONG;
+ if (ch == 'l') { /* It's a long long */
+ cflags = DP_C_LLONG;
ch = *format++;
}
break;
- case 'q':
- cflags = DP_C_LONG_LONG;
- ch = *format++;
- break;
case 'L':
cflags = DP_C_LDOUBLE;
ch = *format++;
case 'd':
case 'i':
if (cflags == DP_C_SHORT)
- value = va_arg(args, int);
+ value = va_arg (args, int);
else if (cflags == DP_C_LONG)
- value = va_arg(args, long int);
- else if (cflags == DP_C_LONG_LONG)
- value = va_arg (args, long long);
+ value = va_arg (args, long int);
+ else if (cflags == DP_C_LLONG)
+ value = va_arg (args, LLONG);
else
value = va_arg (args, int);
- fmtint(buffer, &currlen, maxlen, value, 10, min, max, flags);
+ fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags);
break;
case 'o':
flags |= DP_F_UNSIGNED;
if (cflags == DP_C_SHORT)
- value = va_arg(args, unsigned int);
+ value = va_arg (args, unsigned int);
else if (cflags == DP_C_LONG)
- value = va_arg(args, unsigned long int);
- else if (cflags == DP_C_LONG_LONG)
- value = va_arg(args, unsigned long long);
+ value = (long)va_arg (args, unsigned long int);
+ else if (cflags == DP_C_LLONG)
+ value = (long)va_arg (args, unsigned LLONG);
else
- value = va_arg(args, unsigned int);
- fmtint(buffer, &currlen, maxlen, value, 8, min, max, flags);
+ value = (long)va_arg (args, unsigned int);
+ fmtint (buffer, &currlen, maxlen, value, 8, min, max, flags);
break;
case 'u':
flags |= DP_F_UNSIGNED;
if (cflags == DP_C_SHORT)
- value = va_arg(args, unsigned int);
+ value = va_arg (args, unsigned int);
else if (cflags == DP_C_LONG)
- value = va_arg(args, unsigned long int);
- else if (cflags == DP_C_LONG_LONG)
- value = va_arg(args, unsigned long long);
+ value = (long)va_arg (args, unsigned long int);
+ else if (cflags == DP_C_LLONG)
+ value = (LLONG)va_arg (args, unsigned LLONG);
else
- value = va_arg(args, unsigned int);
+ value = (long)va_arg (args, unsigned int);
fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags);
break;
case 'X':
case 'x':
flags |= DP_F_UNSIGNED;
if (cflags == DP_C_SHORT)
- value = va_arg(args, unsigned int);
+ value = va_arg (args, unsigned int);
else if (cflags == DP_C_LONG)
- value = va_arg(args, unsigned long int);
- else if (cflags == DP_C_LONG_LONG)
- value = va_arg(args, unsigned long long);
+ value = (long)va_arg (args, unsigned long int);
+ else if (cflags == DP_C_LLONG)
+ value = (LLONG)va_arg (args, unsigned LLONG);
else
- value = va_arg(args, unsigned int);
- fmtint(buffer, &currlen, maxlen, value, 16, min, max, flags);
+ value = (long)va_arg (args, unsigned int);
+ fmtint (buffer, &currlen, maxlen, value, 16, min, max, flags);
break;
case 'f':
if (cflags == DP_C_LDOUBLE)
- fvalue = va_arg(args, long double);
+ fvalue = va_arg (args, LDOUBLE);
else
- fvalue = va_arg(args, double);
+ fvalue = va_arg (args, double);
/* um, floating point? */
- fmtfp(buffer, &currlen, maxlen, fvalue, min, max, flags);
+ fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
break;
case 'E':
flags |= DP_F_UP;
case 'e':
if (cflags == DP_C_LDOUBLE)
- fvalue = va_arg(args, long double);
+ fvalue = va_arg (args, LDOUBLE);
else
- fvalue = va_arg(args, double);
+ fvalue = va_arg (args, double);
+ fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
break;
case 'G':
flags |= DP_F_UP;
case 'g':
if (cflags == DP_C_LDOUBLE)
- fvalue = va_arg(args, long double);
+ fvalue = va_arg (args, LDOUBLE);
else
- fvalue = va_arg(args, double);
+ fvalue = va_arg (args, double);
+ fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
break;
case 'c':
- dopr_outch(buffer, &currlen, maxlen, va_arg(args, int));
+ dopr_outch (buffer, &currlen, maxlen, va_arg (args, int));
break;
case 's':
- strvalue = va_arg(args, char *);
- if (max < 0)
- max = maxlen; /* ie, no max */
- fmtstr(buffer, &currlen, maxlen, strvalue, flags, min, max);
+ strvalue = va_arg (args, char *);
+ if (!strvalue) strvalue = "(NULL)";
+ if (max == -1) {
+ max = strlen(strvalue);
+ }
+ if (min > 0 && max >= 0 && min > max) max = min;
+ fmtstr (buffer, &currlen, maxlen, strvalue, flags, min, max);
break;
case 'p':
- strvalue = va_arg(args, void *);
- fmtint(buffer, &currlen, maxlen, (long) strvalue, 16, min, max, flags);
+ strvalue = va_arg (args, void *);
+ fmtint (buffer, &currlen, maxlen, (long) strvalue, 16, min, max, flags);
break;
case 'n':
if (cflags == DP_C_SHORT) {
short int *num;
- num = va_arg(args, short int *);
+ num = va_arg (args, short int *);
*num = currlen;
} else if (cflags == DP_C_LONG) {
long int *num;
- num = va_arg(args, long int *);
- *num = currlen;
- } else if (cflags == DP_C_LONG_LONG) {
- long long *num;
- num = va_arg(args, long long *);
- *num = currlen;
+ num = va_arg (args, long int *);
+ *num = (long int)currlen;
+ } else if (cflags == DP_C_LLONG) {
+ LLONG *num;
+ num = va_arg (args, LLONG *);
+ *num = (LLONG)currlen;
} else {
int *num;
- num = va_arg(args, int *);
+ num = va_arg (args, int *);
*num = currlen;
}
break;
case '%':
- dopr_outch(buffer, &currlen, maxlen, ch);
+ dopr_outch (buffer, &currlen, maxlen, ch);
break;
- case 'w': /* not supported yet, treat as next char */
+ case 'w':
+ /* not supported yet, treat as next char */
ch = *format++;
break;
- default: /* Unknown, skip */
- break;
+ default:
+ /* Unknown, skip */
+ break;
}
ch = *format++;
state = DP_S_DEFAULT;
break;
case DP_S_DONE:
break;
- default: /* hmm? */
+ default:
+ /* hmm? */
break; /* some picky compilers need this */
}
}
- if (currlen < maxlen - 1)
- buffer[currlen] = '\0';
- else
- buffer[maxlen - 1] = '\0';
+ if (maxlen != 0) {
+ if (currlen < maxlen - 1)
+ buffer[currlen] = '\0';
+ else if (maxlen > 0)
+ buffer[maxlen - 1] = '\0';
+ }
+
+ return currlen;
}
-static void
-fmtstr(char *buffer, size_t *currlen, size_t maxlen,
- char *value, int flags, int min, int max)
+static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
+ char *value, int flags, int min, int max)
{
- int cnt = 0, padlen, strln; /* amount to pad */
-
- if (value == 0)
+ int padlen, strln; /* amount to pad */
+ int cnt = 0;
+
+#ifdef DEBUG_SNPRINTF
+ printf("fmtstr min=%d max=%d s=[%s]\n", min, max, value);
+#endif
+ if (value == 0) {
value = "<NULL>";
+ }
for (strln = 0; strln < max && value[strln]; ++strln); /* strlen */
padlen = min - strln;
padlen = 0;
if (flags & DP_F_MINUS)
padlen = -padlen; /* Left Justify */
-
+
while ((padlen > 0) && (cnt < max)) {
- dopr_outch(buffer, currlen, maxlen, ' ');
+ dopr_outch (buffer, currlen, maxlen, ' ');
--padlen;
++cnt;
}
while (*value && (cnt < max)) {
- dopr_outch(buffer, currlen, maxlen, *value++);
+ dopr_outch (buffer, currlen, maxlen, *value++);
++cnt;
}
while ((padlen < 0) && (cnt < max)) {
- dopr_outch(buffer, currlen, maxlen, ' ');
+ dopr_outch (buffer, currlen, maxlen, ' ');
++padlen;
++cnt;
}
/* Have to handle DP_F_NUM (ie 0x and 0 alternates) */
-static void
-fmtint(char *buffer, size_t *currlen, size_t maxlen,
- long value, int base, int min, int max, int flags)
+static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
+ long value, int base, int min, int max, int flags)
{
+ int signvalue = 0;
unsigned long uvalue;
char convert[20];
- int signvalue = 0, place = 0, caps = 0;
+ int place = 0;
int spadlen = 0; /* amount to space pad */
int zpadlen = 0; /* amount to zero pad */
-
+ int caps = 0;
+
if (max < 0)
max = 0;
-
+
uvalue = value;
-
- if (!(flags & DP_F_UNSIGNED)) {
- if (value < 0) {
+
+ if(!(flags & DP_F_UNSIGNED)) {
+ if( value < 0 ) {
signvalue = '-';
uvalue = -value;
- } else if (flags & DP_F_PLUS) /* Do a sign (+/i) */
- signvalue = '+';
- else if (flags & DP_F_SPACE)
- signvalue = ' ';
+ } else {
+ if (flags & DP_F_PLUS) /* Do a sign (+/i) */
+ signvalue = '+';
+ else if (flags & DP_F_SPACE)
+ signvalue = ' ';
+ }
}
- if (flags & DP_F_UP)
- caps = 1; /* Should characters be upper case? */
+ if (flags & DP_F_UP) caps = 1; /* Should characters be upper case? */
+
do {
convert[place++] =
- (caps ? "0123456789ABCDEF" : "0123456789abcdef")
- [uvalue % (unsigned)base];
+ (caps? "0123456789ABCDEF":"0123456789abcdef")
+ [uvalue % (unsigned)base ];
uvalue = (uvalue / (unsigned)base );
- } while (uvalue && (place < 20));
- if (place == 20)
- place--;
+ } while(uvalue && (place < 20));
+ if (place == 20) place--;
convert[place] = 0;
zpadlen = max - place;
spadlen = min - MAX (max, place) - (signvalue ? 1 : 0);
- if (zpadlen < 0)
- zpadlen = 0;
- if (spadlen < 0)
- spadlen = 0;
+ if (zpadlen < 0) zpadlen = 0;
+ if (spadlen < 0) spadlen = 0;
if (flags & DP_F_ZERO) {
zpadlen = MAX(zpadlen, spadlen);
spadlen = 0;
if (flags & DP_F_MINUS)
spadlen = -spadlen; /* Left Justifty */
+#ifdef DEBUG_SNPRINTF
+ printf("zpad: %d, spad: %d, min: %d, max: %d, place: %d\n",
+ zpadlen, spadlen, min, max, place);
+#endif
+
/* Spaces */
while (spadlen > 0) {
- dopr_outch(buffer, currlen, maxlen, ' ');
+ dopr_outch (buffer, currlen, maxlen, ' ');
--spadlen;
}
/* Sign */
if (signvalue)
- dopr_outch(buffer, currlen, maxlen, signvalue);
+ dopr_outch (buffer, currlen, maxlen, signvalue);
/* Zeros */
if (zpadlen > 0) {
while (zpadlen > 0) {
- dopr_outch(buffer, currlen, maxlen, '0');
+ dopr_outch (buffer, currlen, maxlen, '0');
--zpadlen;
}
}
/* Digits */
while (place > 0)
- dopr_outch(buffer, currlen, maxlen, convert[--place]);
+ dopr_outch (buffer, currlen, maxlen, convert[--place]);
/* Left Justified spaces */
while (spadlen < 0) {
}
}
-static long double
-pow10(int exp)
+static LDOUBLE abs_val(LDOUBLE value)
{
- long double result = 1;
+ LDOUBLE result = value;
+
+ if (value < 0)
+ result = -value;
+
+ return result;
+}
+static LDOUBLE POW10(int exp)
+{
+ LDOUBLE result = 1;
+
while (exp) {
result *= 10;
exp--;
return result;
}
-static long
-round(long double value)
+static LLONG ROUND(LDOUBLE value)
{
- long intpart = value;
-
- value -= intpart;
- if (value >= 0.5)
- intpart++;
+ LLONG intpart;
+ intpart = (LLONG)value;
+ value = value - intpart;
+ if (value >= 0.5) intpart++;
+
return intpart;
}
-static void
-fmtfp(char *buffer, size_t *currlen, size_t maxlen, long double fvalue,
- int min, int max, int flags)
+/* a replacement for modf that doesn't need the math library. Should
+ be portable, but slow */
+static double my_modf(double x0, double *iptr)
{
- char iconvert[20], fconvert[20];
- int signvalue = 0, iplace = 0, fplace = 0;
+ int i;
+ long l;
+ double x = x0;
+ double f = 1.0;
+
+ for (i=0;i<100;i++) {
+ l = (long)x;
+ if (l <= (x+1) && l >= (x-1)) break;
+ x *= 0.1;
+ f *= 10.0;
+ }
+
+ if (i == 100) {
+ /* yikes! the number is beyond what we can handle. What do we do? */
+ (*iptr) = 0;
+ return 0;
+ }
+
+ if (i != 0) {
+ double i2;
+ double ret;
+
+ ret = my_modf(x0-l*f, &i2);
+ (*iptr) = l*f + i2;
+ return ret;
+ }
+
+ (*iptr) = l;
+ return x - (*iptr);
+}
+
+
+static void fmtfp (char *buffer, size_t *currlen, size_t maxlen,
+ LDOUBLE fvalue, int min, int max, int flags)
+{
+ int signvalue = 0;
+ double ufvalue;
+ char iconvert[311];
+ char fconvert[311];
+ int iplace = 0;
+ int fplace = 0;
int padlen = 0; /* amount to pad */
- int zpadlen = 0, caps = 0;
- long intpart, fracpart;
- long double ufvalue;
+ int zpadlen = 0;
+ int caps = 0;
+ int idx;
+ double intpart;
+ double fracpart;
+ double temp;
/*
* AIX manpage says the default is 0, but Solaris says the default
if (max < 0)
max = 6;
- ufvalue = abs_val(fvalue);
+ ufvalue = abs_val (fvalue);
- if (fvalue < 0)
+ if (fvalue < 0) {
signvalue = '-';
- else if (flags & DP_F_PLUS) /* Do a sign (+/i) */
- signvalue = '+';
- else if (flags & DP_F_SPACE)
- signvalue = ' ';
+ } else {
+ if (flags & DP_F_PLUS) { /* Do a sign (+/i) */
+ signvalue = '+';
+ } else {
+ if (flags & DP_F_SPACE)
+ signvalue = ' ';
+ }
+ }
- intpart = ufvalue;
+#if 0
+ if (flags & DP_F_UP) caps = 1; /* Should characters be upper case? */
+#endif
+
+#if 0
+ if (max == 0) ufvalue += 0.5; /* if max = 0 we must round */
+#endif
/*
- * Sorry, we only support 9 digits past the decimal because of our
+ * Sorry, we only support 16 digits past the decimal because of our
* conversion method
*/
- if (max > 9)
- max = 9;
+ if (max > 16)
+ max = 16;
/* We "cheat" by converting the fractional part to integer by
* multiplying by a factor of 10
*/
- fracpart = round((pow10 (max)) * (ufvalue - intpart));
- if (fracpart >= pow10 (max)) {
+ temp = ufvalue;
+ my_modf(temp, &intpart);
+
+ fracpart = ROUND((POW10(max)) * (ufvalue - intpart));
+
+ if (fracpart >= POW10(max)) {
intpart++;
- fracpart -= pow10 (max);
+ fracpart -= POW10(max);
}
/* Convert integer part */
do {
+ temp = intpart*0.1;
+ my_modf(temp, &intpart);
+ idx = (int) ((temp -intpart +0.05)* 10.0);
+ /* idx = (int) (((double)(temp*0.1) -intpart +0.05) *10.0); */
+ /* printf ("%llf, %f, %x\n", temp, intpart, idx); */
iconvert[iplace++] =
- (caps ? "0123456789ABCDEF" : "0123456789abcdef")
- [intpart % 10];
- intpart = (intpart / 10);
- } while(intpart && (iplace < 20));
- if (iplace == 20)
- iplace--;
+ (caps? "0123456789ABCDEF":"0123456789abcdef")[idx];
+ } while (intpart && (iplace < 311));
+ if (iplace == 311) iplace--;
iconvert[iplace] = 0;
/* Convert fractional part */
- do {
- fconvert[fplace++] =
- (caps ? "0123456789ABCDEF" : "0123456789abcdef")
- [fracpart % 10];
- fracpart = (fracpart / 10);
- } while(fracpart && (fplace < 20));
- if (fplace == 20)
- fplace--;
+ if (fracpart)
+ {
+ do {
+ temp = fracpart*0.1;
+ my_modf(temp, &fracpart);
+ idx = (int) ((temp -fracpart +0.05)* 10.0);
+ /* idx = (int) ((((temp/10) -fracpart) +0.05) *10); */
+ /* printf ("%lf, %lf, %ld\n", temp, fracpart, idx ); */
+ fconvert[fplace++] =
+ (caps? "0123456789ABCDEF":"0123456789abcdef")[idx];
+ } while(fracpart && (fplace < 311));
+ if (fplace == 311) fplace--;
+ }
fconvert[fplace] = 0;
-
+
/* -1 for decimal point, another -1 if we are printing a sign */
padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0);
zpadlen = max - fplace;
- if (zpadlen < 0)
- zpadlen = 0;
+ if (zpadlen < 0) zpadlen = 0;
if (padlen < 0)
padlen = 0;
if (flags & DP_F_MINUS)
padlen = -padlen; /* Left Justifty */
-
+
if ((flags & DP_F_ZERO) && (padlen > 0)) {
if (signvalue) {
- dopr_outch(buffer, currlen, maxlen, signvalue);
+ dopr_outch (buffer, currlen, maxlen, signvalue);
--padlen;
signvalue = 0;
}
while (padlen > 0) {
- dopr_outch(buffer, currlen, maxlen, '0');
+ dopr_outch (buffer, currlen, maxlen, '0');
--padlen;
}
}
while (padlen > 0) {
- dopr_outch(buffer, currlen, maxlen, ' ');
+ dopr_outch (buffer, currlen, maxlen, ' ');
--padlen;
}
if (signvalue)
- dopr_outch(buffer, currlen, maxlen, signvalue);
-
+ dopr_outch (buffer, currlen, maxlen, signvalue);
+
while (iplace > 0)
- dopr_outch(buffer, currlen, maxlen, iconvert[--iplace]);
+ dopr_outch (buffer, currlen, maxlen, iconvert[--iplace]);
+
+#ifdef DEBUG_SNPRINTF
+ printf("fmtfp: fplace=%d zpadlen=%d\n", fplace, zpadlen);
+#endif
/*
- * Decimal point. This should probably use locale to find the
- * correct char to print out.
+ * Decimal point. This should probably use locale to find the correct
+ * char to print out.
*/
- dopr_outch(buffer, currlen, maxlen, '.');
-
- while (fplace > 0)
- dopr_outch(buffer, currlen, maxlen, fconvert[--fplace]);
+ if (max > 0) {
+ dopr_outch (buffer, currlen, maxlen, '.');
+
+ while (zpadlen > 0) {
+ dopr_outch (buffer, currlen, maxlen, '0');
+ --zpadlen;
+ }
- while (zpadlen > 0) {
- dopr_outch(buffer, currlen, maxlen, '0');
- --zpadlen;
+ while (fplace > 0)
+ dopr_outch (buffer, currlen, maxlen, fconvert[--fplace]);
}
while (padlen < 0) {
- dopr_outch(buffer, currlen, maxlen, ' ');
+ dopr_outch (buffer, currlen, maxlen, ' ');
++padlen;
}
}
-static void
-dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c)
+static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c)
{
- if (*currlen < maxlen)
- buffer[(*currlen)++] = c;
+ if (*currlen < maxlen) {
+ buffer[(*currlen)] = c;
+ }
+ (*currlen)++;
}
#endif /* !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) */
-#ifndef HAVE_VSNPRINTF
-int
-vsnprintf(char *str, size_t count, const char *fmt, va_list args)
+#if !defined(HAVE_VSNPRINTF)
+int vsnprintf (char *str, size_t count, const char *fmt, va_list args)
{
- str[0] = 0;
- dopr(str, count, fmt, args);
-
- return(strlen(str));
+ return dopr(str, count, fmt, args);
}
-#endif /* !HAVE_VSNPRINTF */
+#endif
-#ifndef HAVE_SNPRINTF
-int
-snprintf(char *str,size_t count,const char *fmt,...)
+#if !defined(HAVE_SNPRINTF)
+int snprintf(char *str, size_t count, SNPRINTF_CONST char *fmt, ...)
{
+ size_t ret;
va_list ap;
va_start(ap, fmt);
- (void) vsnprintf(str, count, fmt, ap);
+ ret = vsnprintf(str, count, fmt, ap);
va_end(ap);
-
- return(strlen(str));
+ return ret;
}
+#endif
-#endif /* !HAVE_SNPRINTF */
-/* OPENBSD ORIGINAL: lib/libc/gen/daemon.c */
-
+/* $OpenBSD: daemon.c,v 1.6 2005/08/08 08:05:33 espie Exp $ */
/*-
* Copyright (c) 1990, 1993
* The Regents of the University of California. All rights reserved.
* SUCH DAMAGE.
*/
+/* OPENBSD ORIGINAL: lib/libc/gen/daemon.c */
+
#include "includes.h"
#ifndef HAVE_DAEMON
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$OpenBSD: daemon.c,v 1.5 2003/07/15 17:32:41 deraadt Exp $";
-#endif /* LIBC_SCCS and not lint */
-
int
daemon(int nochdir, int noclose)
{
-/* OPENBSD ORIGINAL: lib/libc/gen/dirname.c */
-
-/* $OpenBSD: dirname.c,v 1.10 2003/06/17 21:56:23 millert Exp $ */
+/* $OpenBSD: dirname.c,v 1.13 2005/08/08 08:05:33 espie Exp $ */
/*
- * Copyright (c) 1997 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1997, 2004 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+/* OPENBSD ORIGINAL: lib/libc/gen/dirname.c */
+
#include "includes.h"
#ifndef HAVE_DIRNAME
-#ifndef lint
-static char rcsid[] = "$OpenBSD: dirname.c,v 1.10 2003/06/17 21:56:23 millert Exp $";
-#endif /* not lint */
-
#include <errno.h>
#include <string.h>
#include <sys/param.h>
char *
dirname(const char *path)
{
- static char bname[MAXPATHLEN];
- register const char *endp;
+ static char dname[MAXPATHLEN];
+ size_t len;
+ const char *endp;
/* Empty or NULL string gets treated as "." */
if (path == NULL || *path == '\0') {
- (void)strlcpy(bname, ".", sizeof bname);
- return(bname);
+ dname[0] = '.';
+ dname[1] = '\0';
+ return (dname);
}
- /* Strip trailing slashes */
+ /* Strip any trailing slashes */
endp = path + strlen(path) - 1;
while (endp > path && *endp == '/')
endp--;
/* Either the dir is "/" or there are no slashes */
if (endp == path) {
- (void)strlcpy(bname, *endp == '/' ? "/" : ".", sizeof bname);
- return(bname);
+ dname[0] = *endp == '/' ? '/' : '.';
+ dname[1] = '\0';
+ return (dname);
} else {
+ /* Move forward past the separating slashes */
do {
endp--;
} while (endp > path && *endp == '/');
}
- if (endp - path + 2 > sizeof(bname)) {
+ len = endp - path + 1;
+ if (len >= sizeof(dname)) {
errno = ENAMETOOLONG;
- return(NULL);
+ return (NULL);
}
- strlcpy(bname, path, endp - path + 2);
- return(bname);
+ memcpy(dname, path, len);
+ dname[len] = '\0';
+ return (dname);
}
#endif
-/* OPENBSD ORIGINAL: lib/libc/gen/getcwd.c */
-
+/* $OpenBSD: getcwd.c,v 1.14 2005/08/08 08:05:34 espie Exp $ */
/*
* Copyright (c) 1989, 1991, 1993
* The Regents of the University of California. All rights reserved.
* SUCH DAMAGE.
*/
+/* OPENBSD ORIGINAL: lib/libc/gen/getcwd.c */
+
#include "includes.h"
#if !defined(HAVE_GETCWD)
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$OpenBSD: getcwd.c,v 1.9 2003/06/11 21:03:10 deraadt Exp $";
-#endif /* LIBC_SCCS and not lint */
-
#include <sys/param.h>
#include <sys/stat.h>
#include <errno.h>
char *
getcwd(char *pt, size_t size)
{
- register struct dirent *dp;
- register DIR *dir = NULL;
- register dev_t dev;
- register ino_t ino;
- register int first;
- register char *bpt, *bup;
+ struct dirent *dp;
+ DIR *dir = NULL;
+ dev_t dev;
+ ino_t ino;
+ int first;
+ char *bpt, *bup;
struct stat s;
dev_t root_dev;
ino_t root_ino;
}
ept = pt + size;
} else {
- if ((pt = malloc(ptsize = 1024 - 4)) == NULL)
+ if ((pt = malloc(ptsize = MAXPATHLEN)) == NULL)
return (NULL);
ept = pt + ptsize;
}
*bpt = '\0';
/*
- * Allocate bytes (1024 - malloc space) for the string of "../"'s.
+ * Allocate bytes for the string of "../"'s.
* Should always be enough (it's 340 levels). If it's not, allocate
* as necessary. Special * case the first stat, it's ".", not "..".
*/
- if ((up = malloc(upsize = 1024 - 4)) == NULL)
+ if ((up = malloc(upsize = MAXPATHLEN)) == NULL)
goto err;
- eup = up + MAXPATHLEN;
+ eup = up + upsize;
bup = up;
up[0] = '.';
up[1] = '\0';
if ((nup = realloc(up, upsize *= 2)) == NULL)
goto err;
+ bup = nup + (bup - up);
up = nup;
- bup = up;
eup = up + upsize;
}
*bup++ = '.';
*bup++ = '.';
*bup = '\0';
- /* Open and stat parent directory.
- * RACE?? - replaced fstat(dirfd(dir), &s) w/ lstat(up,&s)
- */
- if (!(dir = opendir(up)) || lstat(up,&s))
+ /* Open and stat parent directory. */
+ if (!(dir = opendir(up)) || fstat(dirfd(dir), &s))
goto err;
/* Add trailing slash for next directory. */
goto notfound;
if (ISDOT(dp))
continue;
- memmove(bup, dp->d_name, dp->d_namlen + 1);
+ memcpy(bup, dp->d_name, dp->d_namlen + 1);
/* Save the first error for later. */
if (lstat(up, &s)) {
* leading slash.
*/
if (bpt - pt < dp->d_namlen + (first ? 1 : 2)) {
- size_t len, off;
+ size_t len;
char *npt;
if (!ptsize) {
errno = ERANGE;
goto err;
}
- off = bpt - pt;
len = ept - bpt;
if ((npt = realloc(pt, ptsize *= 2)) == NULL)
goto err;
+ bpt = npt + (bpt - pt);
pt = npt;
- bpt = pt + off;
ept = pt + ptsize;
memmove(ept - len, bpt, len);
bpt = ept - len;
if (!first)
*--bpt = '/';
bpt -= dp->d_namlen;
- memmove(bpt, dp->d_name, dp->d_namlen);
+ memcpy(bpt, dp->d_name, dp->d_namlen);
(void)closedir(dir);
/* Truncate any file name. */
errno = save_errno ? save_errno : ENOENT;
/* FALLTHROUGH */
err:
+ save_errno = errno;
+
if (ptsize)
free(pt);
- if (up)
- free(up);
+ free(up);
if (dir)
(void)closedir(dir);
+
+ errno = save_errno;
+
return (NULL);
}
-/* OPENBSD ORIGINAL: lib/libc/gen/getgrouplist.c */
-
+/* $OpenBSD: getgrouplist.c,v 1.12 2005/08/08 08:05:34 espie Exp $ */
/*
* Copyright (c) 1991, 1993
* The Regents of the University of California. All rights reserved.
* SUCH DAMAGE.
*/
+/* OPENBSD ORIGINAL: lib/libc/gen/getgrouplist.c */
+
#include "includes.h"
#ifndef HAVE_GETGROUPLIST
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$OpenBSD: getgrouplist.c,v 1.9 2003/06/25 21:16:47 deraadt Exp $";
-#endif /* LIBC_SCCS and not lint */
-
/*
* get credential
*/
#include <grp.h>
int
-getgrouplist(uname, agroup, groups, grpcnt)
- const char *uname;
- gid_t agroup;
- register gid_t *groups;
- int *grpcnt;
+getgrouplist(const char *uname, gid_t agroup, gid_t *groups, int *grpcnt)
{
- register struct group *grp;
- register int i, ngroups;
+ struct group *grp;
+ int i, ngroups;
int ret, maxgroups;
int bail;
-/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt.c */
-
/*
* Copyright (c) 1987, 1993, 1994
* The Regents of the University of California. All rights reserved.
* SUCH DAMAGE.
*/
+/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt.c */
+
#include "includes.h"
#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET)
-/* OPENBSD ORIGINAL: lib/libc/net/getrrsetbyname.c */
-
-/* $OpenBSD: getrrsetbyname.c,v 1.7 2003/03/07 07:34:14 itojun Exp $ */
+/* $OpenBSD: getrrsetbyname.c,v 1.10 2005/03/30 02:58:28 tedu Exp $ */
/*
* Copyright (c) 2001 Jakob Schlyter. All rights reserved.
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+/* OPENBSD ORIGINAL: lib/libc/net/getrrsetbyname.c */
+
#include "includes.h"
#ifndef HAVE_GETRRSETBYNAME
#include "getrrsetbyname.h"
-#define ANSWER_BUFFER_SIZE 1024*64
-
#if defined(HAVE_DECL_H_ERRNO) && !HAVE_DECL_H_ERRNO
extern int h_errno;
#endif
-struct dns_query {
- char *name;
- u_int16_t type;
- u_int16_t class;
- struct dns_query *next;
-};
-
-struct dns_rr {
- char *name;
- u_int16_t type;
- u_int16_t class;
- u_int16_t ttl;
- u_int16_t size;
- void *rdata;
- struct dns_rr *next;
-};
-
-struct dns_response {
- HEADER header;
- struct dns_query *query;
- struct dns_rr *answer;
- struct dns_rr *authority;
- struct dns_rr *additional;
-};
-
-static struct dns_response *parse_dns_response(const u_char *, int);
-static struct dns_query *parse_dns_qsection(const u_char *, int,
- const u_char **, int);
-static struct dns_rr *parse_dns_rrsection(const u_char *, int, const u_char **,
- int);
-
-static void free_dns_query(struct dns_query *);
-static void free_dns_rr(struct dns_rr *);
-static void free_dns_response(struct dns_response *);
+/* We don't need multithread support here */
+#ifdef _THREAD_PRIVATE
+# undef _THREAD_PRIVATE
+#endif
+#define _THREAD_PRIVATE(a,b,c) (c)
+struct __res_state _res;
-static int count_dns_rr(struct dns_rr *, u_int16_t, u_int16_t);
+/* Necessary functions and macros */
/*
* Inline versions of get/put short/long. Pointer is advanced.
u_int32_t _getlong(register const u_char *);
#endif
+/* ************** */
+
+#define ANSWER_BUFFER_SIZE 1024*64
+
+struct dns_query {
+ char *name;
+ u_int16_t type;
+ u_int16_t class;
+ struct dns_query *next;
+};
+
+struct dns_rr {
+ char *name;
+ u_int16_t type;
+ u_int16_t class;
+ u_int16_t ttl;
+ u_int16_t size;
+ void *rdata;
+ struct dns_rr *next;
+};
+
+struct dns_response {
+ HEADER header;
+ struct dns_query *query;
+ struct dns_rr *answer;
+ struct dns_rr *authority;
+ struct dns_rr *additional;
+};
+
+static struct dns_response *parse_dns_response(const u_char *, int);
+static struct dns_query *parse_dns_qsection(const u_char *, int,
+ const u_char **, int);
+static struct dns_rr *parse_dns_rrsection(const u_char *, int, const u_char **,
+ int);
+
+static void free_dns_query(struct dns_query *);
+static void free_dns_rr(struct dns_rr *);
+static void free_dns_response(struct dns_response *);
+
+static int count_dns_rr(struct dns_rr *, u_int16_t, u_int16_t);
+
int
getrrsetbyname(const char *hostname, unsigned int rdclass,
unsigned int rdtype, unsigned int flags,
struct rrsetinfo **res)
{
+ struct __res_state *_resp = _THREAD_PRIVATE(_res, _res, &_res);
int result;
struct rrsetinfo *rrset = NULL;
- struct dns_response *response;
+ struct dns_response *response = NULL;
struct dns_rr *rr;
struct rdatainfo *rdata;
int length;
}
/* initialize resolver */
- if ((_res.options & RES_INIT) == 0 && res_init() == -1) {
+ if ((_resp->options & RES_INIT) == 0 && res_init() == -1) {
result = ERRSET_FAIL;
goto fail;
}
#ifdef DEBUG
- _res.options |= RES_DEBUG;
+ _resp->options |= RES_DEBUG;
#endif /* DEBUG */
#ifdef RES_USE_DNSSEC
/* turn on DNSSEC if EDNS0 is configured */
- if (_res.options & RES_USE_EDNS0)
- _res.options |= RES_USE_DNSSEC;
+ if (_resp->options & RES_USE_EDNS0)
+ _resp->options |= RES_USE_DNSSEC;
#endif /* RES_USE_DNSEC */
/* make query */
#endif
/* copy name from answer section */
- length = strlen(response->answer->name);
- rrset->rri_name = malloc(length + 1);
+ rrset->rri_name = strdup(response->answer->name);
if (rrset->rri_name == NULL) {
result = ERRSET_NOMEMORY;
goto fail;
}
- strlcpy(rrset->rri_name, response->answer->name, length + 1);
/* count answers */
rrset->rri_nrdatas = count_dns_rr(response->answer, rrset->rri_rdclass,
/* allocate memory for signatures */
rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
- if (rrset->rri_nsigs > 0 && rrset->rri_sigs == NULL) {
+ if (rrset->rri_sigs == NULL) {
result = ERRSET_NOMEMORY;
goto fail;
}
memcpy(rdata->rdi_data, rr->rdata, rr->size);
}
}
+ free_dns_response(response);
*res = rrset;
return (ERRSET_SUCCESS);
fail:
if (rrset != NULL)
freerrset(rrset);
+ if (response != NULL)
+ free_dns_response(response);
return (result);
}
}
static struct dns_rr *
-parse_dns_rrsection(const u_char *answer, int size, const u_char **cp, int count)
+parse_dns_rrsection(const u_char *answer, int size, const u_char **cp,
+ int count)
{
struct dns_rr *head, *curr, *prev;
int i, length;
-/* OPENBSD ORIGINAL: lib/libc/gen/glob.c */
-
+/* $OpenBSD: glob.c,v 1.25 2005/08/08 08:05:34 espie Exp $ */
/*
* Copyright (c) 1989, 1993
* The Regents of the University of California. All rights reserved.
* SUCH DAMAGE.
*/
+/* OPENBSD ORIGINAL: lib/libc/gen/glob.c */
+
#include "includes.h"
#include <ctype.h>
#if !defined(HAVE_GLOB) || !defined(GLOB_HAS_ALTDIRFUNC) || \
!defined(GLOB_HAS_GL_MATCHC)
-#if defined(LIBC_SCCS) && !defined(lint)
-#if 0
-static char sccsid[] = "@(#)glob.c 8.3 (Berkeley) 10/13/93";
-#else
-static char rcsid[] = "$OpenBSD: glob.c,v 1.22 2003/06/25 21:16:47 deraadt Exp $";
-#endif
-#endif /* LIBC_SCCS and not lint */
-
/*
* glob(3) -- a superset of the one defined in POSIX 1003.2.
*
#endif
int
-glob(pattern, flags, errfunc, pglob)
- const char *pattern;
- int flags, (*errfunc)(const char *, int);
- glob_t *pglob;
+glob(const char *pattern, int flags, int (*errfunc)(const char *, int),
+ glob_t *pglob)
{
const u_char *patnext;
int c;
* characters
*/
static int
-globexp1(pattern, pglob)
- const Char *pattern;
- glob_t *pglob;
+globexp1(const Char *pattern, glob_t *pglob)
{
const Char* ptr = pattern;
int rv;
* If it fails then it tries to glob the rest of the pattern and returns.
*/
static int
-globexp2(ptr, pattern, pglob, rv)
- const Char *ptr, *pattern;
- glob_t *pglob;
- int *rv;
+globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv)
{
int i;
Char *lm, *ls;
* expand tilde from the passwd file.
*/
static const Char *
-globtilde(pattern, patbuf, patbuf_len, pglob)
- const Char *pattern;
- Char *patbuf;
- size_t patbuf_len;
- glob_t *pglob;
+globtilde(const Char *pattern, Char *patbuf, size_t patbuf_len, glob_t *pglob)
{
struct passwd *pwd;
char *h;
* to find no matches.
*/
static int
-glob0(pattern, pglob)
- const Char *pattern;
- glob_t *pglob;
+glob0(const Char *pattern, glob_t *pglob)
{
const Char *qpatnext;
int c, err, oldpathc;
}
static int
-compare(p, q)
- const void *p, *q;
+compare(const void *p, const void *q)
{
return(strcmp(*(char **)p, *(char **)q));
}
static int
-glob1(pattern, pattern_last, pglob, limitp)
- Char *pattern, *pattern_last;
- glob_t *pglob;
- size_t *limitp;
+glob1(Char *pattern, Char *pattern_last, glob_t *pglob, size_t *limitp)
{
Char pathbuf[MAXPATHLEN];
* meta characters.
*/
static int
-glob2(pathbuf, pathbuf_last, pathend, pathend_last, pattern,
- pattern_last, pglob, limitp)
- Char *pathbuf, *pathbuf_last, *pathend, *pathend_last;
- Char *pattern, *pattern_last;
- glob_t *pglob;
- size_t *limitp;
+glob2(Char *pathbuf, Char *pathbuf_last, Char *pathend, Char *pathend_last,
+ Char *pattern, Char *pattern_last, glob_t *pglob, size_t *limitp)
{
struct stat sb;
Char *p, *q;
}
static int
-glob3(pathbuf, pathbuf_last, pathend, pathend_last, pattern, pattern_last,
- restpattern, restpattern_last, pglob, limitp)
- Char *pathbuf, *pathbuf_last, *pathend, *pathend_last;
- Char *pattern, *pattern_last, *restpattern, *restpattern_last;
- glob_t *pglob;
- size_t *limitp;
+glob3(Char *pathbuf, Char *pathbuf_last, Char *pathend, Char *pathend_last,
+ Char *pattern, Char *pattern_last, Char *restpattern,
+ Char *restpattern_last, glob_t *pglob, size_t *limitp)
{
- register struct dirent *dp;
+ struct dirent *dp;
DIR *dirp;
int err;
char buf[MAXPATHLEN];
else
readdirfunc = (struct dirent *(*)(void *))readdir;
while ((dp = (*readdirfunc)(dirp))) {
- register u_char *sc;
- register Char *dc;
+ u_char *sc;
+ Char *dc;
/* Initial DOT must be matched literally. */
if (dp->d_name[0] == DOT && *pattern != DOT)
* gl_pathv points to (gl_offs + gl_pathc + 1) items.
*/
static int
-globextend(path, pglob, limitp)
- const Char *path;
- glob_t *pglob;
- size_t *limitp;
+globextend(const Char *path, glob_t *pglob, size_t *limitp)
{
- register char **pathv;
- register int i;
+ char **pathv;
+ int i;
u_int newsize, len;
char *copy;
const Char *p;
* pattern causes a recursion level.
*/
static int
-match(name, pat, patend)
- register Char *name, *pat, *patend;
+match(Char *name, Char *pat, Char *patend)
{
int ok, negate_range;
Char c, k;
case M_ALL:
if (pat == patend)
return(1);
- do
+ do {
if (match(name, pat, patend))
return(1);
- while (*name++ != EOS)
- ;
+ } while (*name++ != EOS);
return(0);
case M_ONE:
if (*name++ == EOS)
/* Free allocated data belonging to a glob_t structure. */
void
-globfree(pglob)
- glob_t *pglob;
+globfree(glob_t *pglob)
{
- register int i;
- register char **pp;
+ int i;
+ char **pp;
if (pglob->gl_pathv != NULL) {
pp = pglob->gl_pathv + pglob->gl_offs;
}
static DIR *
-g_opendir(str, pglob)
- register Char *str;
- glob_t *pglob;
+g_opendir(Char *str, glob_t *pglob)
{
char buf[MAXPATHLEN];
}
static int
-g_lstat(fn, sb, pglob)
- register Char *fn;
- struct stat *sb;
- glob_t *pglob;
+g_lstat(Char *fn, struct stat *sb, glob_t *pglob)
{
char buf[MAXPATHLEN];
}
static int
-g_stat(fn, sb, pglob)
- register Char *fn;
- struct stat *sb;
- glob_t *pglob;
+g_stat(Char *fn, struct stat *sb, glob_t *pglob)
{
char buf[MAXPATHLEN];
}
static Char *
-g_strchr(str, ch)
- Char *str;
- int ch;
+g_strchr(Char *str, int ch)
{
do {
if (*str == ch)
}
static int
-g_Ctoc(str, buf, len)
- register const Char *str;
- char *buf;
- u_int len;
+g_Ctoc(const Char *str, char *buf, u_int len)
{
while (len--) {
#ifdef DEBUG
static void
-qprintf(str, s)
- const char *str;
- register Char *s;
+qprintf(const char *str, Char *s)
{
- register Char *p;
+ Char *p;
(void)printf("%s:\n", str);
for (p = s; *p; p++)
-/* OPENBSD ORIGINAL: include/glob.h */
-
-/* $OpenBSD: glob.h,v 1.8 2003/06/02 19:34:12 millert Exp $ */
+/* $OpenBSD: glob.h,v 1.9 2004/10/07 16:56:11 millert Exp $ */
/* $NetBSD: glob.h,v 1.5 1994/10/26 00:55:56 cgd Exp $ */
/*
* @(#)glob.h 8.1 (Berkeley) 6/2/93
*/
+/* OPENBSD ORIGINAL: include/glob.h */
+
#if !defined(HAVE_GLOB_H) || !defined(GLOB_HAS_ALTDIRFUNC) || \
!defined(GLOB_HAS_GL_MATCHC)
#define GLOB_MARK 0x0008 /* Append / to matching directories. */
#define GLOB_NOCHECK 0x0010 /* Return pattern itself if nothing matches. */
#define GLOB_NOSORT 0x0020 /* Don't sort. */
+#define GLOB_NOESCAPE 0x1000 /* Disable backslash escaping. */
#define GLOB_ALTDIRFUNC 0x0040 /* Use alternately specified directory funcs. */
#define GLOB_BRACE 0x0080 /* Expand braces ala csh. */
#define GLOB_NOMAGIC 0x0200 /* GLOB_NOCHECK without magic chars (csh). */
#define GLOB_QUOTE 0x0400 /* Quote special chars with \. */
#define GLOB_TILDE 0x0800 /* Expand tilde names from the passwd file. */
-#define GLOB_NOESCAPE 0x1000 /* Disable backslash escaping. */
#define GLOB_LIMIT 0x2000 /* Limit pattern match output to ARG_MAX */
/* Error values returned by glob(3) */
-/* OPENBSD ORIGINAL: lib/libc/net/inet_addr.c */
-
-/* $OpenBSD: inet_addr.c,v 1.7 2003/06/02 20:18:35 millert Exp $ */
+/* $OpenBSD: inet_addr.c,v 1.9 2005/08/06 20:30:03 espie Exp $ */
/*
* Copyright (c) 1983, 1990, 1993
* --Copyright--
*/
+/* OPENBSD ORIGINAL: lib/libc/net/inet_addr.c */
+
#include "includes.h"
#if !defined(HAVE_INET_ATON)
-#if defined(LIBC_SCCS) && !defined(lint)
-#if 0
-static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$From: inet_addr.c,v 8.5 1996/08/05 08:31:35 vixie Exp $";
-#else
-static char rcsid[] = "$OpenBSD: inet_addr.c,v 1.7 2003/06/02 20:18:35 millert Exp $";
-#endif
-#endif /* LIBC_SCCS and not lint */
-
#include <sys/types.h>
#include <sys/param.h>
#include <netinet/in.h>
* The value returned is in network order.
*/
in_addr_t
-inet_addr(cp)
- register const char *cp;
+inet_addr(const char *cp)
{
struct in_addr val;
int
inet_aton(const char *cp, struct in_addr *addr)
{
- register u_int32_t val;
- register int base, n;
- register char c;
- unsigned int parts[4];
- register unsigned int *pp = parts;
+ u_int32_t val;
+ int base, n;
+ char c;
+ u_int parts[4];
+ u_int *pp = parts;
c = *cp;
for (;;) {
-/* OPENBSD ORIGINAL: lib/libc/net/inet_ntoa.c */
-
+/* $OpenBSD: inet_ntoa.c,v 1.6 2005/08/06 20:30:03 espie Exp $ */
/*
* Copyright (c) 1983, 1993
* The Regents of the University of California. All rights reserved.
* SUCH DAMAGE.
*/
+/* OPENBSD ORIGINAL: lib/libc/net/inet_ntoa.c */
+
#include "includes.h"
#if defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA)
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$OpenBSD: inet_ntoa.c,v 1.4 2003/06/02 20:18:35 millert Exp $";
-#endif /* LIBC_SCCS and not lint */
-
/*
* Convert network-format internet address
* to base 256 d.d.d.d representation.
#include <arpa/inet.h>
#include <stdio.h>
-char *inet_ntoa(struct in_addr in)
+char *
+inet_ntoa(struct in_addr in)
{
static char b[18];
- register char *p;
+ char *p;
p = (char *)∈
#define UC(b) (((int)b)&0xff)
-/* OPENBSD ORIGINAL: lib/libc/net/inet_ntop.c */
-
-/* $OpenBSD: inet_ntop.c,v 1.5 2002/08/23 16:27:31 itojun Exp $ */
+/* $OpenBSD: inet_ntop.c,v 1.7 2005/08/06 20:30:03 espie Exp $ */
/* Copyright (c) 1996 by Internet Software Consortium.
*
* SOFTWARE.
*/
+/* OPENBSD ORIGINAL: lib/libc/net/inet_ntop.c */
+
#include "includes.h"
#ifndef HAVE_INET_NTOP
-#if defined(LIBC_SCCS) && !defined(lint)
-#if 0
-static char rcsid[] = "$From: inet_ntop.c,v 8.7 1996/08/05 08:41:18 vixie Exp $";
-#else
-static char rcsid[] = "$OpenBSD: inet_ntop.c,v 1.5 2002/08/23 16:27:31 itojun Exp $";
-#endif
-#endif /* LIBC_SCCS and not lint */
-
#include <sys/param.h>
#include <sys/types.h>
#include <sys/socket.h>
* Paul Vixie, 1996.
*/
const char *
-inet_ntop(af, src, dst, size)
- int af;
- const void *src;
- char *dst;
- size_t size;
+inet_ntop(int af, const void *src, char *dst, size_t size)
{
switch (af) {
case AF_INET:
* Paul Vixie, 1996.
*/
static const char *
-inet_ntop4(src, dst, size)
- const u_char *src;
- char *dst;
- size_t size;
+inet_ntop4(const u_char *src, char *dst, size_t size)
{
static const char fmt[] = "%u.%u.%u.%u";
char tmp[sizeof "255.255.255.255"];
* Paul Vixie, 1996.
*/
static const char *
-inet_ntop6(src, dst, size)
- const u_char *src;
- char *dst;
- size_t size;
+inet_ntop6(const u_char *src, char *dst, size_t size)
{
/*
* Note that int32_t and int16_t need only be "at least" large enough
-/* OPENBSD ORIGINAL: lib/libc/stdio/mktemp.c */
-
/* THIS FILE HAS BEEN MODIFIED FROM THE ORIGINAL OPENBSD SOURCE */
/* Changes: Removed mktemp */
+/* $OpenBSD: mktemp.c,v 1.19 2005/08/08 08:05:36 espie Exp $ */
/*
* Copyright (c) 1987, 1993
* The Regents of the University of California. All rights reserved.
* SUCH DAMAGE.
*/
+/* OPENBSD ORIGINAL: lib/libc/stdio/mktemp.c */
+
#include "includes.h"
#if !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP)
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$OpenBSD: mktemp.c,v 1.17 2003/06/02 20:18:37 millert Exp $";
-#endif /* LIBC_SCCS and not lint */
-
static int _gettemp(char *, int *, int, int);
int
-mkstemps(path, slen)
- char *path;
- int slen;
+mkstemps(char *path, int slen)
{
int fd;
}
int
-mkstemp(path)
- char *path;
+mkstemp(char *path)
{
int fd;
}
char *
-mkdtemp(path)
- char *path;
+mkdtemp(char *path)
{
return(_gettemp(path, (int *)NULL, 1, 0) ? path : (char *)NULL);
}
void arc4random_stir(void);
#endif /* !HAVE_ARC4RANDOM */
+#ifndef HAVE_ASPRINTF
+int asprintf(char **, const char *, ...);
+#endif
+
#ifndef HAVE_OPENPTY
int openpty(int *, int *, char *, struct termios *, struct winsize *);
#endif /* HAVE_OPENPTY */
int snprintf(char *, size_t, const char *, ...);
#endif
+#ifndef HAVE_STRTOLL
+long long strtoll(const char *, char **, int);
+#endif
+
#ifndef HAVE_STRTONUM
long long strtonum(const char *, long long, long long, const char **);
#endif
+#ifndef HAVE_VASPRINTF
+int vasprintf(char **, const char *, va_list);
+#endif
+
#ifndef HAVE_VSNPRINTF
int vsnprintf(char *, size_t, const char *, va_list);
#endif
#include "port-irix.h"
#include "port-aix.h"
#include "port-uw.h"
+#include "port-tun.h"
#endif /* _OPENBSD_COMPAT_H */
# define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
#endif
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#if (OPENSSL_VERSION_NUMBER < 0x00907000L) || defined(OPENSSL_LOBOTOMISED_AES)
+# define USE_BUILTIN_RIJNDAEL
+#endif
+
+#ifdef USE_BUILTIN_RIJNDAEL
# define EVP_aes_128_cbc evp_rijndael
# define EVP_aes_192_cbc evp_rijndael
# define EVP_aes_256_cbc evp_rijndael
#endif
/*
- * insert comment here
+ * We overload some of the OpenSSL crypto functions with ssh_* equivalents
+ * which cater for older and/or less featureful OpenSSL version.
+ *
+ * In order for the compat library to call the real functions, it must
+ * define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and
+ * implement the ssh_* equivalents.
*/
#ifdef SSH_OLD_EVP
--- /dev/null
+/*
+ * Copyright (c) 2005 Reyk Floeter <reyk@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#include "log.h"
+#include "misc.h"
+#include "bufaux.h"
+
+/*
+ * This is the portable version of the SSH tunnel forwarding, it
+ * uses some preprocessor definitions for various platform-specific
+ * settings.
+ *
+ * SSH_TUN_LINUX Use the (newer) Linux tun/tap device
+ * SSH_TUN_COMPAT_AF Translate the OpenBSD address family
+ * SSH_TUN_PREPEND_AF Prepend/remove the address family
+ */
+
+/*
+ * System-specific tunnel open function
+ */
+
+#if defined(SSH_TUN_LINUX)
+#include <linux/if.h>
+#include <linux/if_tun.h>
+
+int
+sys_tun_open(int tun, int mode)
+{
+ struct ifreq ifr;
+ int fd = -1;
+ const char *name = NULL;
+
+ if ((fd = open("/dev/net/tun", O_RDWR)) == -1) {
+ debug("%s: failed to open tunnel control interface: %s",
+ __func__, strerror(errno));
+ return (-1);
+ }
+
+ bzero(&ifr, sizeof(ifr));
+
+ if (mode == SSH_TUNMODE_ETHERNET) {
+ ifr.ifr_flags = IFF_TAP;
+ name = "tap%d";
+ } else {
+ ifr.ifr_flags = IFF_TUN;
+ name = "tun%d";
+ }
+ ifr.ifr_flags |= IFF_NO_PI;
+
+ if (tun != SSH_TUNID_ANY) {
+ if (tun > SSH_TUNID_MAX) {
+ debug("%s: invalid tunnel id %x: %s", __func__,
+ tun, strerror(errno));
+ goto failed;
+ }
+ snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), name, tun);
+ }
+
+ if (ioctl(fd, TUNSETIFF, &ifr) == -1) {
+ debug("%s: failed to configure tunnel (mode %d): %s", __func__,
+ mode, strerror(errno));
+ goto failed;
+ }
+
+ if (tun == SSH_TUNID_ANY)
+ debug("%s: tunnel mode %d fd %d", __func__, mode, fd);
+ else
+ debug("%s: %s mode %d fd %d", __func__, ifr.ifr_name, mode, fd);
+
+ return (fd);
+
+ failed:
+ close(fd);
+ return (-1);
+}
+#endif /* SSH_TUN_LINUX */
+
+#ifdef SSH_TUN_FREEBSD
+#include <sys/socket.h>
+#include <net/if.h>
+#include <net/if_tun.h>
+
+int
+sys_tun_open(int tun, int mode)
+{
+ struct ifreq ifr;
+ char name[100];
+ int fd = -1, sock, flag;
+ const char *tunbase = "tun";
+
+ if (mode == SSH_TUNMODE_ETHERNET) {
+#ifdef SSH_TUN_NO_L2
+ debug("%s: no layer 2 tunnelling support", __func__);
+ return (-1);
+#else
+ tunbase = "tap";
+#endif
+ }
+
+ /* Open the tunnel device */
+ if (tun <= SSH_TUNID_MAX) {
+ snprintf(name, sizeof(name), "/dev/%s%d", tunbase, tun);
+ fd = open(name, O_RDWR);
+ } else if (tun == SSH_TUNID_ANY) {
+ for (tun = 100; tun >= 0; tun--) {
+ snprintf(name, sizeof(name), "/dev/%s%d",
+ tunbase, tun);
+ if ((fd = open(name, O_RDWR)) >= 0)
+ break;
+ }
+ } else {
+ debug("%s: invalid tunnel %u\n", __func__, tun);
+ return (-1);
+ }
+
+ if (fd < 0) {
+ debug("%s: %s open failed: %s", __func__, name,
+ strerror(errno));
+ return (-1);
+ }
+
+ /* Turn on tunnel headers */
+ flag = 1;
+#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+ if (mode != SSH_TUNMODE_ETHERNET &&
+ ioctl(fd, TUNSIFHEAD, &flag) == -1) {
+ debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd,
+ strerror(errno));
+ close(fd);
+ }
+#endif
+
+ debug("%s: %s mode %d fd %d", __func__, name, mode, fd);
+
+ /* Set the tunnel device operation mode */
+ snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s%d", tunbase, tun);
+ if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1)
+ goto failed;
+
+ if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1)
+ goto failed;
+ ifr.ifr_flags |= IFF_UP;
+ if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1)
+ goto failed;
+
+ close(sock);
+ return (fd);
+
+ failed:
+ if (fd >= 0)
+ close(fd);
+ if (sock >= 0)
+ close(sock);
+ debug("%s: failed to set %s mode %d: %s", __func__, name,
+ mode, strerror(errno));
+ return (-1);
+}
+#endif /* SSH_TUN_FREEBSD */
+
+/*
+ * System-specific channel filters
+ */
+
+#if defined(SSH_TUN_FILTER)
+#define OPENBSD_AF_INET 2
+#define OPENBSD_AF_INET6 24
+
+int
+sys_tun_infilter(struct Channel *c, char *buf, int len)
+{
+#if defined(SSH_TUN_PREPEND_AF)
+ char rbuf[CHAN_RBUF];
+ struct ip *iph;
+#endif
+ u_int32_t *af;
+ char *ptr = buf;
+
+#if defined(SSH_TUN_PREPEND_AF)
+ if (len <= 0 || len > (int)(sizeof(rbuf) - sizeof(*af)))
+ return (-1);
+ ptr = (char *)&rbuf[0];
+ bcopy(buf, ptr + sizeof(u_int32_t), len);
+ len += sizeof(u_int32_t);
+ af = (u_int32_t *)ptr;
+
+ iph = (struct ip *)(ptr + sizeof(u_int32_t));
+ switch (iph->ip_v) {
+ case 6:
+ *af = AF_INET6;
+ break;
+ case 4:
+ default:
+ *af = AF_INET;
+ break;
+ }
+#endif
+
+#if defined(SSH_TUN_COMPAT_AF)
+ if (len < (int)sizeof(u_int32_t))
+ return (-1);
+
+ af = (u_int32_t *)ptr;
+ if (*af == htonl(AF_INET6))
+ *af = htonl(OPENBSD_AF_INET6);
+ else
+ *af = htonl(OPENBSD_AF_INET);
+#endif
+
+ buffer_put_string(&c->input, ptr, len);
+ return (0);
+}
+
+u_char *
+sys_tun_outfilter(struct Channel *c, u_char **data, u_int *dlen)
+{
+ u_char *buf;
+ u_int32_t *af;
+
+ *data = buffer_get_string(&c->output, dlen);
+ if (*dlen < sizeof(*af))
+ return (NULL);
+ buf = *data;
+
+#if defined(SSH_TUN_PREPEND_AF)
+ *dlen -= sizeof(u_int32_t);
+ buf = *data + sizeof(u_int32_t);
+#elif defined(SSH_TUN_COMPAT_AF)
+ af = ntohl(*(u_int32_t *)buf);
+ if (*af == OPENBSD_AF_INET6)
+ *af = htonl(AF_INET6);
+ else
+ *af = htonl(AF_INET);
+#endif
+
+ return (buf);
+}
+#endif /* SSH_TUN_FILTER */
--- /dev/null
+/*
+ * Copyright (c) 2005 Reyk Floeter <reyk@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _PORT_TUN_H
+#define _PORT_TUN_H
+
+#include "channels.h"
+
+#if defined(SSH_TUN_LINUX) || defined(SSH_TUN_FREEBSD)
+# define CUSTOM_SYS_TUN_OPEN
+int sys_tun_open(int, int);
+#endif
+
+#if defined(SSH_TUN_COMPAT_AF) || defined(SSH_TUN_PREPEND_AF)
+# define SSH_TUN_FILTER
+int sys_tun_infilter(struct Channel *, char *, int);
+u_char *sys_tun_outfilter(struct Channel *, u_char **, u_int *);
+#endif
+
+#endif
#include "includes.h"
-#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
+#ifdef HAVE_LIBIAF
#ifdef HAVE_CRYPT_H
#include <crypt.h>
#endif
sys_auth_passwd(Authctxt *authctxt, const char *password)
{
struct passwd *pw = authctxt->pw;
- char *encrypted_password;
char *salt;
int result;
/* Encrypt the candidate password using the proper salt. */
salt = (pw_password[0] && pw_password[1]) ? pw_password : "xx";
-#ifdef UNIXWARE_LONG_PASSWORDS
- if (!nischeck(pw->pw_name))
- encrypted_password = bigcrypt(password, salt);
- else
-#endif /* UNIXWARE_LONG_PASSWORDS */
- encrypted_password = xcrypt(password, salt);
/*
* Authentication is accepted if the encrypted passwords
* are identical.
*/
- result = (strcmp(encrypted_password, pw_password) == 0);
+#ifdef UNIXWARE_LONG_PASSWORDS
+ if (!nischeck(pw->pw_name)) {
+ result = ((strcmp(bigcrypt(password, salt), pw_password) == 0)
+ || (strcmp(osr5bigcrypt(password, salt), pw_password) == 0));
+ }
+ else
+#endif /* UNIXWARE_LONG_PASSWORDS */
+ result = (strcmp(xcrypt(password, salt), pw_password) == 0);
+#if !defined(BROKEN_LIBIAF)
if (authctxt->valid)
free(pw_password);
+#endif
return(result);
}
functions that call shadow_pw() will need to free
*/
+#if !defined(BROKEN_LIBIAF)
char *
get_iaf_password(struct passwd *pw)
{
else
fatal("ia_openinfo: Unable to open the shadow passwd file");
}
-#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
+#endif /* !BROKEN_LIBIAF */
+#endif /* HAVE_LIBIAF */
-/* OPENBSD ORIGINAL: lib/libc/gen/readpassphrase.c */
-
-/* $OpenBSD: readpassphrase.c,v 1.16 2003/06/17 21:56:23 millert Exp $ */
+/* $OpenBSD: readpassphrase.c,v 1.18 2005/08/08 08:05:34 espie Exp $ */
/*
* Copyright (c) 2000-2002 Todd C. Miller <Todd.Miller@courtesan.com>
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*/
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$OpenBSD: readpassphrase.c,v 1.16 2003/06/17 21:56:23 millert Exp $";
-#endif /* LIBC_SCCS and not lint */
+/* OPENBSD ORIGINAL: lib/libc/gen/readpassphrase.c */
#include "includes.h"
-/* OPENBSD ORIGINAL: include/readpassphrase.h */
-
-/* $OpenBSD: readpassphrase.h,v 1.3 2002/06/28 12:32:22 millert Exp $ */
+/* $OpenBSD: readpassphrase.h,v 1.5 2003/06/17 21:56:23 millert Exp $ */
/*
- * Copyright (c) 2000 Todd C. Miller <Todd.Miller@courtesan.com>
- * All rights reserved.
+ * Copyright (c) 2000, 2002 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
- * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
- * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * Sponsored in part by the Defense Advanced Research Projects
+ * Agency (DARPA) and Air Force Research Laboratory, Air Force
+ * Materiel Command, USAF, under agreement number F39502-99-1-0512.
*/
+/* OPENBSD ORIGINAL: include/readpassphrase.h */
+
#ifndef _READPASSPHRASE_H_
#define _READPASSPHRASE_H_
-/* OPENBSD ORIGINAL: lib/libc/stdlib/realpath.c */
-
+/* $OpenBSD: realpath.c,v 1.13 2005/08/08 08:05:37 espie Exp $ */
/*
* Copyright (c) 2003 Constantin S. Svintsoff <kostik@iclub.nsu.ru>
*
* SUCH DAMAGE.
*/
+/* OPENBSD ORIGINAL: lib/libc/stdlib/realpath.c */
+
#include "includes.h"
#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
-/* OPENBSD ORIGINAL: lib/libc/net/rresvport.c */
-
+/* $OpenBSD: rresvport.c,v 1.9 2005/11/10 10:00:17 espie Exp $ */
/*
* Copyright (c) 1995, 1996, 1998 Theo de Raadt. All rights reserved.
* Copyright (c) 1983, 1993, 1994
* SUCH DAMAGE.
*/
+/* OPENBSD ORIGINAL: lib/libc/net/rresvport.c */
+
#include "includes.h"
#ifndef HAVE_RRESVPORT_AF
-#if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: rresvport.c,v 1.6 2003/06/03 02:11:35 deraadt Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include "includes.h"
-
#if 0
int
-rresvport(alport)
- int *alport;
+rresvport(int *alport)
{
return rresvport_af(alport, AF_INET);
}
#endif
-int
+int
rresvport_af(int *alport, sa_family_t af)
{
struct sockaddr_storage ss;
-/* OPENBSD ORIGINAL: lib/libc/stdlib/setenv.c */
-
+/* $OpenBSD: setenv.c,v 1.9 2005/08/08 08:05:37 espie Exp $ */
/*
* Copyright (c) 1987 Regents of the University of California.
* All rights reserved.
* SUCH DAMAGE.
*/
+/* OPENBSD ORIGINAL: lib/libc/stdlib/setenv.c */
+
#include "includes.h"
#if !defined(HAVE_SETENV) || !defined(HAVE_UNSETENV)
-#if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: setenv.c,v 1.6 2003/06/02 20:18:38 millert Exp $";
-#endif /* LIBC_SCCS and not lint */
-
#include <stdlib.h>
#include <string.h>
-char *__findenv(const char *name, int *offset);
+extern char **environ;
+/* OpenSSH Portable: __findenv is from getenv.c rev 1.8, made static */
/*
* __findenv --
* Returns pointer to value associated with name, if any, else NULL.
* Sets offset to be the offset of the name/value combination in the
* environmental array, for use by setenv(3) and unsetenv(3).
* Explicitly removes '=' in argument name.
- *
- * This routine *should* be a static; don't use it.
*/
-char *
-__findenv(name, offset)
- register const char *name;
- int *offset;
+static char *
+__findenv(const char *name, int *offset)
{
extern char **environ;
- register int len, i;
- register const char *np;
- register char **p, *cp;
+ int len, i;
+ const char *np;
+ char **p, *cp;
if (name == NULL || environ == NULL)
return (NULL);
* "value". If rewrite is set, replace any current value.
*/
int
-setenv(name, value, rewrite)
- register const char *name;
- register const char *value;
- int rewrite;
+setenv(const char *name, const char *value, int rewrite)
{
- extern char **environ;
- static int alloced; /* if allocated space before */
- register char *C;
+ static char **lastenv; /* last value of environ */
+ char *C;
int l_value, offset;
if (*value == '=') /* no `=' in value */
return (0);
}
} else { /* create new slot */
- register int cnt;
- register char **P;
+ size_t cnt;
+ char **P;
- for (P = environ, cnt = 0; *P; ++P, ++cnt);
- if (alloced) { /* just increase size */
- P = (char **)realloc((void *)environ,
- (size_t)(sizeof(char *) * (cnt + 2)));
- if (!P)
- return (-1);
- environ = P;
- }
- else { /* get new space */
- alloced = 1; /* copy old entries into it */
- P = (char **)malloc((size_t)(sizeof(char *) *
- (cnt + 2)));
- if (!P)
- return (-1);
- memmove(P, environ, cnt * sizeof(char *));
- environ = P;
- }
- environ[cnt + 1] = NULL;
+ for (P = environ; *P != NULL; P++)
+ ;
+ cnt = P - environ;
+ P = (char **)realloc(lastenv, sizeof(char *) * (cnt + 2));
+ if (!P)
+ return (-1);
+ if (lastenv != environ)
+ memcpy(P, environ, cnt * sizeof(char *));
+ lastenv = environ = P;
offset = cnt;
+ environ[cnt + 1] = NULL;
}
- for (C = (char *)name; *C && *C != '='; ++C); /* no `=' in name */
+ for (C = (char *)name; *C && *C != '='; ++C)
+ ; /* no `=' in name */
if (!(environ[offset] = /* name + `=' + value */
malloc((size_t)((int)(C - name) + l_value + 2))))
return (-1);
* Delete environmental variable "name".
*/
void
-unsetenv(name)
- const char *name;
+unsetenv(const char *name)
{
- extern char **environ;
- register char **P;
+ char **P;
int offset;
- char *__findenv();
- while (__findenv(name, &offset)) /* if set multiple times */
+ while (__findenv(name, &offset)) /* if set multiple times */
for (P = &environ[offset];; ++P)
if (!(*P = *(P + 1)))
break;
-/* OPENBSD ORIGINAL: lib/libcurses/base/sigaction.c */
-
-/* $OpenBSD: sigaction.c,v 1.3 1999/06/27 08:14:21 millert Exp $ */
+/* $OpenBSD: sigaction.c,v 1.4 2001/01/22 18:01:48 millert Exp $ */
/****************************************************************************
- * Copyright (c) 1998 Free Software Foundation, Inc. *
+ * Copyright (c) 1998,2000 Free Software Foundation, Inc. *
* *
* Permission is hereby granted, free of charge, to any person obtaining a *
* copy of this software and associated documentation files (the *
* and: Eric S. Raymond <esr@snark.thyrsus.com> *
****************************************************************************/
+/* OPENBSD ORIGINAL: lib/libcurses/base/sigaction.c */
+
#include "includes.h"
#include <signal.h>
#include "sigact.h"
-/* $OpenBSD: SigAction.h,v 1.2 1999/06/27 08:15:19 millert Exp $ */
+/* $OpenBSD: SigAction.h,v 1.3 2001/01/22 18:01:32 millert Exp $ */
/****************************************************************************
- * Copyright (c) 1998 Free Software Foundation, Inc. *
+ * Copyright (c) 1998,2000 Free Software Foundation, Inc. *
* *
* Permission is hereby granted, free of charge, to any person obtaining a *
* copy of this software and associated documentation files (the *
****************************************************************************/
/*
- * $From: SigAction.h,v 1.5 1999/06/19 23:00:54 tom Exp $
+ * $From: SigAction.h,v 1.6 2000/12/10 02:36:10 tom Exp $
*
* This file exists to handle non-POSIX systems which don't have <unistd.h>,
* and usually no sigaction() nor <termios.h>
*/
+/* OPENBSD ORIGINAL: lib/libcurses/SigAction.h */
+
#ifndef _SIGACTION_H
#define _SIGACTION_H
-/* OPENBSD ORIGINAL: lib/libc/string/strlcat.c */
-
-/* $OpenBSD: strlcat.c,v 1.11 2003/06/17 21:56:24 millert Exp $ */
+/* $OpenBSD: strlcat.c,v 1.13 2005/08/08 08:05:37 espie Exp $ */
/*
* Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+/* OPENBSD ORIGINAL: lib/libc/string/strlcat.c */
+
#include "includes.h"
#ifndef HAVE_STRLCAT
-#if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: strlcat.c,v 1.11 2003/06/17 21:56:24 millert Exp $";
-#endif /* LIBC_SCCS and not lint */
-
#include <sys/types.h>
#include <string.h>
size_t
strlcat(char *dst, const char *src, size_t siz)
{
- register char *d = dst;
- register const char *s = src;
- register size_t n = siz;
+ char *d = dst;
+ const char *s = src;
+ size_t n = siz;
size_t dlen;
/* Find the end of dst and adjust bytes left but don't go past end */
-/* OPENBSD ORIGINAL: lib/libc/string/strlcpy.c */
-
-/* $OpenBSD: strlcpy.c,v 1.8 2003/06/17 21:56:24 millert Exp $ */
+/* $OpenBSD: strlcpy.c,v 1.10 2005/08/08 08:05:37 espie Exp $ */
/*
* Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+/* OPENBSD ORIGINAL: lib/libc/string/strlcpy.c */
+
#include "includes.h"
#ifndef HAVE_STRLCPY
-#if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: strlcpy.c,v 1.8 2003/06/17 21:56:24 millert Exp $";
-#endif /* LIBC_SCCS and not lint */
-
#include <sys/types.h>
#include <string.h>
size_t
strlcpy(char *dst, const char *src, size_t siz)
{
- register char *d = dst;
- register const char *s = src;
- register size_t n = siz;
+ char *d = dst;
+ const char *s = src;
+ size_t n = siz;
/* Copy as many bytes as will fit */
if (n != 0 && --n != 0) {
-/* OPENBSD ORIGINAL: lib/libc/string/strmode.c */
-
+/* $OpenBSD: strmode.c,v 1.7 2005/08/08 08:05:37 espie Exp $ */
/*-
* Copyright (c) 1990 The Regents of the University of California.
* All rights reserved.
* SUCH DAMAGE.
*/
+/* OPENBSD ORIGINAL: lib/libc/string/strmode.c */
+
#include "includes.h"
#ifndef HAVE_STRMODE
-#if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: strmode.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $";
-#endif /* LIBC_SCCS and not lint */
-
#include <sys/types.h>
#include <sys/stat.h>
#include <string.h>
case S_IFIFO: /* fifo */
*p++ = 'p';
break;
-#endif
-#ifdef S_IFWHT
- case S_IFWHT: /* whiteout */
- *p++ = 'w';
- break;
#endif
default: /* unknown */
*p++ = '?';
-/* OPENBSD ORIGINAL: lib/libc/string/strsep.c */
-
-/* $OpenBSD: strsep.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $ */
+/* $OpenBSD: strsep.c,v 1.6 2005/08/08 08:05:37 espie Exp $ */
/*-
* Copyright (c) 1990, 1993
* SUCH DAMAGE.
*/
+/* OPENBSD ORIGINAL: lib/libc/string/strsep.c */
+
#include "includes.h"
#if !defined(HAVE_STRSEP)
#include <string.h>
#include <stdio.h>
-#if defined(LIBC_SCCS) && !defined(lint)
-#if 0
-static char sccsid[] = "@(#)strsep.c 8.1 (Berkeley) 6/4/93";
-#else
-static char *rcsid = "$OpenBSD: strsep.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $";
-#endif
-#endif /* LIBC_SCCS and not lint */
-
/*
* Get next token from string *stringp, where tokens are possibly-empty
* strings separated by characters from delim.
-/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoll.c */
-
+/* $OpenBSD: strtoll.c,v 1.6 2005/11/10 10:00:17 espie Exp $ */
/*-
* Copyright (c) 1992 The Regents of the University of California.
* All rights reserved.
* SUCH DAMAGE.
*/
+/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoll.c */
+
#include "includes.h"
#ifndef HAVE_STRTOLL
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$OpenBSD: strtoll.c,v 1.4 2005/03/30 18:51:49 pat Exp $";
-#endif /* LIBC_SCCS and not lint */
-
#include <sys/types.h>
#include <ctype.h>
-/* OPENBSD ORIGINAL: lib/libc/stdlib/strtonum.c */
-
/* $OpenBSD: strtonum.c,v 1.6 2004/08/03 19:38:01 millert Exp $ */
/*
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+/* OPENBSD ORIGINAL: lib/libc/stdlib/strtonum.c */
+
#include "includes.h"
#ifndef HAVE_STRTONUM
#include <limits.h>
-/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoul.c */
-
+/* $OpenBSD: strtoul.c,v 1.7 2005/08/08 08:05:37 espie Exp $ */
/*
* Copyright (c) 1990 Regents of the University of California.
* All rights reserved.
* SUCH DAMAGE.
*/
+/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoul.c */
+
#include "includes.h"
#ifndef HAVE_STRTOUL
-#if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: strtoul.c,v 1.5 2003/06/02 20:18:38 millert Exp $";
-#endif /* LIBC_SCCS and not lint */
-
#include <ctype.h>
#include <errno.h>
#include <limits.h>
* alphabets and digits are each contiguous.
*/
unsigned long
-strtoul(nptr, endptr, base)
- const char *nptr;
- char **endptr;
- register int base;
+strtoul(const char *nptr, char **endptr, int base)
{
- register const char *s;
- register unsigned long acc, cutoff;
- register int c;
- register int neg, any, cutlim;
+ const char *s;
+ unsigned long acc, cutoff;
+ int c;
+ int neg, any, cutlim;
/*
* See strtol for comments as to the logic used.
-/* OPENBSD ORIGINAL: sys/sys/queue.h */
-
/* $OpenBSD: queue.h,v 1.25 2004/04/08 16:08:21 henning Exp $ */
/* $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $ */
* @(#)queue.h 8.5 (Berkeley) 8/20/94
*/
+/* OPENBSD ORIGINAL: sys/sys/queue.h */
+
#ifndef _FAKE_QUEUE_H_
#define _FAKE_QUEUE_H_
-/* OPENBSD ORIGINAL: sys/sys/tree.h */
-
/* $OpenBSD: tree.h,v 1.7 2002/10/17 21:51:54 art Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
+/* OPENBSD ORIGINAL: sys/sys/tree.h */
+
#ifndef _SYS_TREE_H_
#define _SYS_TREE_H_
-/* OPENBSD ORIGINAL: lib/libc/gen/vis.c */
-
+/* $OpenBSD: vis.c,v 1.19 2005/09/01 17:15:49 millert Exp $ */
/*-
* Copyright (c) 1989, 1993
* The Regents of the University of California. All rights reserved.
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
+
+/* OPENBSD ORIGINAL: lib/libc/gen/vis.c */
+
#include "includes.h"
#if !defined(HAVE_STRNVIS)
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$OpenBSD: vis.c,v 1.12 2003/06/02 20:18:35 millert Exp $";
-#endif /* LIBC_SCCS and not lint */
-
#include <ctype.h>
#include <string.h>
#include "vis.h"
#define isoctal(c) (((u_char)(c)) >= '0' && ((u_char)(c)) <= '7')
-#define isvisible(c) (((u_int)(c) <= UCHAR_MAX && isascii((u_char)(c)) && \
- isgraph((u_char)(c))) || \
- ((flag & VIS_SP) == 0 && (c) == ' ') || \
- ((flag & VIS_TAB) == 0 && (c) == '\t') || \
- ((flag & VIS_NL) == 0 && (c) == '\n') || \
- ((flag & VIS_SAFE) && ((c) == '\b' || \
- (c) == '\007' || (c) == '\r' || \
- isgraph((u_char)(c)))))
+#define isvisible(c) \
+ (((u_int)(c) <= UCHAR_MAX && isascii((u_char)(c)) && \
+ (((c) != '*' && (c) != '?' && (c) != '[' && (c) != '#') || \
+ (flag & VIS_GLOB) == 0) && isgraph((u_char)(c))) || \
+ ((flag & VIS_SP) == 0 && (c) == ' ') || \
+ ((flag & VIS_TAB) == 0 && (c) == '\t') || \
+ ((flag & VIS_NL) == 0 && (c) == '\n') || \
+ ((flag & VIS_SAFE) && ((c) == '\b' || \
+ (c) == '\007' || (c) == '\r' || \
+ isgraph((u_char)(c)))))
/*
* vis - visually encode characters
*/
char *
-vis(dst, c, flag, nextc)
- register char *dst;
- int c, nextc;
- register int flag;
+vis(char *dst, int c, int flag, int nextc)
{
if (isvisible(c)) {
*dst++ = c;
goto done;
}
}
- if (((c & 0177) == ' ') || (flag & VIS_OCTAL)) {
+ if (((c & 0177) == ' ') || (flag & VIS_OCTAL) ||
+ ((flag & VIS_GLOB) && (c == '*' || c == '?' || c == '[' || c == '#'))) {
*dst++ = '\\';
*dst++ = ((u_char)c >> 6 & 07) + '0';
*dst++ = ((u_char)c >> 3 & 07) + '0';
c &= 0177;
*dst++ = 'M';
}
- if (iscntrl(c)) {
+ if (iscntrl((u_char)c)) {
*dst++ = '^';
if (c == 0177)
*dst++ = '?';
* This is useful for encoding a block of data.
*/
int
-strvis(dst, src, flag)
- register char *dst;
- register const char *src;
- int flag;
+strvis(char *dst, const char *src, int flag)
{
- register char c;
+ char c;
char *start;
for (start = dst; (c = *src);)
}
int
-strnvis(dst, src, siz, flag)
- char *dst;
- const char *src;
- size_t siz;
- int flag;
+strnvis(char *dst, const char *src, size_t siz, int flag)
{
- char c;
char *start, *end;
char tbuf[5];
- int i;
+ int c, i;
i = 0;
for (start = dst, end = start + siz - 1; (c = *src) && dst < end; ) {
}
int
-strvisx(dst, src, len, flag)
- register char *dst;
- register const char *src;
- register size_t len;
- int flag;
+strvisx(char *dst, const char *src, size_t len, int flag)
{
- register char c;
+ char c;
char *start;
for (start = dst; len > 1; len--) {
-/* OPENBSD ORIGINAL: include/vis.h */
-
-/* $OpenBSD: vis.h,v 1.6 2003/06/02 19:34:12 millert Exp $ */
+/* $OpenBSD: vis.h,v 1.11 2005/08/09 19:38:31 millert Exp $ */
/* $NetBSD: vis.h,v 1.4 1994/10/26 00:56:41 cgd Exp $ */
/*-
* @(#)vis.h 5.9 (Berkeley) 4/3/91
*/
+/* OPENBSD ORIGINAL: include/vis.h */
+
#include "includes.h"
#if !defined(HAVE_STRNVIS)
* other
*/
#define VIS_NOSLASH 0x40 /* inhibit printing '\' */
+#define VIS_GLOB 0x100 /* encode glob(3) magics and '#' */
/*
* unvis return codes
char *vis(char *, int, int, int);
int strvis(char *, const char *, int);
-int strnvis(char *, const char *, size_t, int);
-int strvisx(char *, const char *, size_t, int);
+int strnvis(char *, const char *, size_t, int)
+ __attribute__ ((__bounded__(__string__,1,3)));
+int strvisx(char *, const char *, size_t, int)
+ __attribute__ ((__bounded__(__string__,1,3)));
int strunvis(char *, const char *);
int unvis(char *, char, int *, int);
+ssize_t strnunvis(char *, const char *, size_t)
+ __attribute__ ((__bounded__(__string__,1,3)));
#endif /* !_VIS_H_ */
-#!/sbin/sh
+#!@STARTUP_SCRIPT_SHELL@
# Donated code that was put under PD license.
#
# Stripped PRNGd out of it for the time being.
*/
#include "includes.h"
-RCSID("$OpenBSD: packet.c,v 1.119 2005/07/28 17:36:22 markus Exp $");
+RCSID("$OpenBSD: packet.c,v 1.120 2005/10/30 08:52:17 djm Exp $");
#include "openbsd-compat/sys-queue.h"
buffer_clear(&outgoing_packet);
/*
- * Note that the packet is now only buffered in output. It won\'t be
+ * Note that the packet is now only buffered in output. It won't be
* actually sent until packet_write_wait or packet_write_poll is
* called.
*/
bytes = (bytes + 512) / 1024;
}
snprintf(buf, size, "%3lld.%1lld%c%s",
- (int64_t) (bytes + 5) / 100,
- (int64_t) (bytes + 5) / 10 % 10,
+ (long long) (bytes + 5) / 100,
+ (long long) (bytes + 5) / 10 % 10,
unit[i],
i ? "B" : " ");
}
for (i = 0; bytes >= 10000 && unit[i] != 'T'; i++)
bytes = (bytes + 512) / 1024;
snprintf(buf, size, "%4lld%c%s",
- (int64_t) bytes,
+ (long long) bytes,
unit[i],
i ? "B" : " ");
}
*/
#include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.143 2005/07/30 02:03:47 djm Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.145 2005/12/08 18:34:11 reyk Exp $");
#include "ssh.h"
#include "xmalloc.h"
Cipher none
PasswordAuthentication no
+ Host vpn.fake.com
+ Tunnel yes
+ TunnelDevice 3
+
# Defaults for various options
Host *
ForwardAgent no
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
+ oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
oDeprecated, oUnsupported
} OpCodes;
{ "controlpath", oControlPath },
{ "controlmaster", oControlMaster },
{ "hashknownhosts", oHashKnownHosts },
+ { "tunnel", oTunnel },
+ { "tunneldevice", oTunnelDevice },
+ { "localcommand", oLocalCommand },
+ { "permitlocalcommand", oPermitLocalCommand },
{ NULL, oBadOption }
};
xfree(options->remote_forwards[i].connect_host);
}
options->num_remote_forwards = 0;
+ options->tun_open = SSH_TUNMODE_NO;
}
/*
int *activep)
{
char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
- int opcode, *intptr, value;
+ int opcode, *intptr, value, value2;
size_t len;
Forward fwd;
goto parse_string;
case oProxyCommand:
+ charptr = &options->proxy_command;
+parse_command:
if (s == NULL)
fatal("%.200s line %d: Missing argument.", filename, linenum);
- charptr = &options->proxy_command;
len = strspn(s, WHITESPACE "=");
if (*activep && *charptr == NULL)
*charptr = xstrdup(s + len);
intptr = &options->hash_known_hosts;
goto parse_flag;
+ case oTunnel:
+ intptr = &options->tun_open;
+ arg = strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: Missing yes/point-to-point/"
+ "ethernet/no argument.", filename, linenum);
+ value = 0; /* silence compiler */
+ if (strcasecmp(arg, "ethernet") == 0)
+ value = SSH_TUNMODE_ETHERNET;
+ else if (strcasecmp(arg, "point-to-point") == 0)
+ value = SSH_TUNMODE_POINTOPOINT;
+ else if (strcasecmp(arg, "yes") == 0)
+ value = SSH_TUNMODE_DEFAULT;
+ else if (strcasecmp(arg, "no") == 0)
+ value = SSH_TUNMODE_NO;
+ else
+ fatal("%s line %d: Bad yes/point-to-point/ethernet/"
+ "no argument: %s", filename, linenum, arg);
+ if (*activep)
+ *intptr = value;
+ break;
+
+ case oTunnelDevice:
+ arg = strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.", filename, linenum);
+ value = a2tun(arg, &value2);
+ if (value == SSH_TUNID_ERR)
+ fatal("%.200s line %d: Bad tun device.", filename, linenum);
+ if (*activep) {
+ options->tun_local = value;
+ options->tun_remote = value2;
+ }
+ break;
+
+ case oLocalCommand:
+ charptr = &options->local_command;
+ goto parse_command;
+
+ case oPermitLocalCommand:
+ intptr = &options->permit_local_command;
+ goto parse_flag;
+
case oDeprecated:
debug("%s line %d: Deprecated option \"%s\"",
filename, linenum, keyword);
options->control_path = NULL;
options->control_master = -1;
options->hash_known_hosts = -1;
+ options->tun_open = -1;
+ options->tun_local = -1;
+ options->tun_remote = -1;
+ options->local_command = NULL;
+ options->permit_local_command = -1;
}
/*
options->control_master = 0;
if (options->hash_known_hosts == -1)
options->hash_known_hosts = 0;
+ if (options->tun_open == -1)
+ options->tun_open = SSH_TUNMODE_NO;
+ if (options->tun_local == -1)
+ options->tun_local = SSH_TUNID_ANY;
+ if (options->tun_remote == -1)
+ options->tun_remote = SSH_TUNID_ANY;
+ if (options->permit_local_command == -1)
+ options->permit_local_command = 0;
+ /* options->local_command should not be set by default */
/* options->proxy_command should not be set by default */
/* options->user will be set in the main program if appropriate */
/* options->hostname will be set in the main program if appropriate */
-/* $OpenBSD: readconf.h,v 1.67 2005/06/08 11:25:09 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.68 2005/12/06 22:38:27 reyk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
int control_master;
int hash_known_hosts;
+
+ int tun_open; /* tun(4) */
+ int tun_local; /* force tun device (optional) */
+ int tun_remote; /* force tun device (optional) */
+
+ char *local_command;
+ int permit_local_command;
+
} Options;
#define SSHCTL_MASTER_NO 0
unless ssh-rand-helper is in pre-installed (the path to
ssh-rand-helper is hard coded).
+- Similarly, if you do not have "scp" in your system's $PATH then the
+ multiplex scp tests will fail (since the system's shell startup scripts
+ will determine where the shell started by sshd will look for scp).
+
- Recent GNU coreutils deprecate "head -[n]": this will cause the yes-head
test to fail. The old behaviour can be restored by setting (and
exporting) _POSIX2_VERSION=199209 before running the tests.
-# $OpenBSD: agent-getpeereid.sh,v 1.1 2002/12/09 16:05:02 markus Exp $
+# $OpenBSD: agent-getpeereid.sh,v 1.2 2005/11/14 21:25:56 grunk Exp $
# Placed in the Public Domain.
tid="disallow agent attach from other uid"
fail "ssh-add failed with $r != 1"
fi
- < /dev/null sudo -S -u ${UNPRIV} ssh-add -l > /dev/null 2>&1
+ < /dev/null ${SUDO} -S -u ${UNPRIV} ssh-add -l > /dev/null 2>&1
r=$?
if [ $r -lt 2 ]; then
fail "ssh-add did not fail for ${UNPRIV}: $r < 2"
-# $OpenBSD: forwarding.sh,v 1.4 2002/03/15 13:08:56 markus Exp $
+# $OpenBSD: forwarding.sh,v 1.5 2005/03/10 10:20:39 dtucker Exp $
# Placed in the Public Domain.
tid="local and remote forwarding"
sleep 10
done
+
+for p in 1 2; do
+ trace "simple clear forwarding proto $p"
+ ${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
+
+ trace "clear local forward proto $p"
+ ${SSH} -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
+ -oClearAllForwardings=yes somehost sleep 10
+ if [ $? != 0 ]; then
+ fail "connection failed with cleared local forwarding"
+ else
+ # this one should fail
+ ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
+ 2>${TEST_SSH_LOGFILE} && \
+ fail "local forwarding not cleared"
+ fi
+ sleep 10
+
+ trace "clear remote forward proto $p"
+ ${SSH} -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
+ -oClearAllForwardings=yes somehost sleep 10
+ if [ $? != 0 ]; then
+ fail "connection failed with cleared remote forwarding"
+ else
+ # this one should fail
+ ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
+ 2>${TEST_SSH_LOGFILE} && \
+ fail "remote forwarding not cleared"
+ fi
+ sleep 10
+done
-# $OpenBSD: multiplex.sh,v 1.10 2005/02/27 11:33:30 dtucker Exp $
+# $OpenBSD: multiplex.sh,v 1.11 2005/04/25 09:54:09 dtucker Exp $
# Placed in the Public Domain.
CTL=/tmp/openssh.regress.ctl-sock.$$
start_sshd
-$SUDO kill -HUP `cat $PIDFILE`
-sleep 1
+PID=`cat $PIDFILE`
+rm -f $PIDFILE
+$SUDO kill -HUP $PID
trace "wait for sshd to restart"
i=0;
#!/bin/sh
-# $OpenBSD: scp-ssh-wrapper.sh,v 1.1 2004/06/13 13:51:02 dtucker Exp $
+# $OpenBSD: scp-ssh-wrapper.sh,v 1.2 2005/12/14 04:36:39 dtucker Exp $
# Placed in the Public Domain.
printname () {
done
}
-# discard first 5 args
-shift; shift; shift; shift; shift
+# Discard all but last argument. We use arg later.
+while test "$1" != ""; do
+ arg="$1"
+ shift
+done
BAD="../../../../../../../../../../../../../${DIR}/dotpathdir"
echo "X"
;;
*)
- exec $1
+ exec $arg
;;
esac
-# $OpenBSD: scp.sh,v 1.3 2004/07/08 12:59:35 dtucker Exp $
+# $OpenBSD: scp.sh,v 1.7 2006/01/31 10:36:33 djm Exp $
# Placed in the Public Domain.
tid="scp"
mkdir ${DIR} ${DIR2}
}
+verbose "$tid: simple copy local file to local file"
+scpclean
+$SCP $scpopts ${DATA} ${COPY} || fail "copy failed"
+cmp ${DATA} ${COPY} || fail "corrupted copy"
+
verbose "$tid: simple copy local file to remote file"
scpclean
$SCP $scpopts ${DATA} somehost:${COPY} || fail "copy failed"
$SCP $scpopts ${COPY} somehost:${DIR} || fail "copy failed"
cmp ${COPY} ${DIR}/copy || fail "corrupted copy"
+verbose "$tid: simple copy local file to local dir"
+scpclean
+cp ${DATA} ${COPY}
+$SCP $scpopts ${COPY} ${DIR} || fail "copy failed"
+cmp ${COPY} ${DIR}/copy || fail "corrupted copy"
+
verbose "$tid: simple copy remote file to local dir"
scpclean
cp ${DATA} ${COPY}
$SCP $scpopts -r ${DIR} somehost:${DIR2} || fail "copy failed"
diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
+verbose "$tid: recursive local dir to local dir"
+scpclean
+rm -rf ${DIR2}
+cp ${DATA} ${DIR}/copy
+$SCP $scpopts -r ${DIR} ${DIR2} || fail "copy failed"
+diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
+
verbose "$tid: recursive remote dir to local dir"
scpclean
rm -rf ${DIR2}
$SCP $scpopts -r somehost:${DIR} ${DIR2} || fail "copy failed"
diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
+verbose "$tid: shell metacharacters"
+scpclean
+(cd ${DIR} && \
+touch '`touch metachartest`' && \
+$SCP $scpopts *metachar* ${DIR2} 2>/dev/null; \
+[ ! -f metachartest ] ) || fail "shell metacharacters"
+
if [ ! -z "$SUDO" ]; then
verbose "$tid: skipped file after scp -p with failed chown+utimes"
scpclean
chmod 660 ${DIR2}/copy
$SUDO chown root ${DIR2}/copy
$SCP -p $scpopts somehost:${DIR}/\* ${DIR2} >/dev/null 2>&1
- diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
+ $SUDO diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
$SUDO rm ${DIR2}/copy
fi
[ -d ${DIR}/dotpathdir ] && fail "allows dir creation outside of subdir"
done
+verbose "$tid: detect non-directory target"
+scpclean
+echo a > ${COPY}
+echo b > ${COPY2}
+$SCP $scpopts ${DATA} ${COPY} ${COPY2}
+cmp ${COPY} ${COPY2} >/dev/null && fail "corrupt target"
+
scpclean
rm -f ${OBJ}/scp-ssh-wrapper.scp
-# $OpenBSD: test-exec.sh,v 1.27 2005/02/27 11:33:30 dtucker Exp $
+# $OpenBSD: test-exec.sh,v 1.28 2005/05/20 23:14:15 djm Exp $
# Placed in the Public Domain.
#SUDO=sudo
USER=`/usr/ucb/whoami`
elif whoami >/dev/null 2>&1; then
USER=`whoami`
+elif logname >/dev/null 2>&1; then
+ USER=`logname`
else
USER=`id -un`
fi
cat << EOF > $OBJ/sshd_config
StrictModes no
Port $PORT
+ AddressFamily inet
ListenAddress 127.0.0.1
#ListenAddress ::1
PidFile $PIDFILE
for t in rsa rsa1; do
# generate user key
rm -f $OBJ/$t
- ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t ||\
+ ${SSHKEYGEN} -b 1024 -q -N '' -t $t -f $OBJ/$t ||\
fail "ssh-keygen for $t failed"
# known hosts file for client
-# $OpenBSD: try-ciphers.sh,v 1.9 2004/02/28 13:44:45 dtucker Exp $
+# $OpenBSD: try-ciphers.sh,v 1.10 2005/05/24 04:10:54 djm Exp $
# Placed in the Public Domain.
tid="try ciphers"
-ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour
+ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
+ arcfour128 arcfour256 arcfour
aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
aes128-ctr aes192-ctr aes256-ctr"
macs="hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96"
tid="yes pipe head"
for p in 1 2; do
- lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | head -2000"' | (sleep 3 ; wc -l)`
+ lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)`
if [ $? -ne 0 ]; then
fail "yes|head test failed"
lines = 0;
.\"
.\" Created: Sun May 7 00:14:37 1995 ylo
.\"
-.\" $OpenBSD: scp.1,v 1.38 2005/03/01 17:19:35 jmc Exp $
+.\" $OpenBSD: scp.1,v 1.39 2006/01/20 00:14:55 dtucker Exp $
.\"
.Dd September 25, 1999
.Dt SCP 1
.It Protocol
.It ProxyCommand
.It PubkeyAuthentication
+.It RekeyLimit
.It RhostsRSAAuthentication
.It RSAAuthentication
.It SendEnv
*/
#include "includes.h"
-RCSID("$OpenBSD: scp.c,v 1.125 2005/07/27 10:39:03 dtucker Exp $");
+RCSID("$OpenBSD: scp.c,v 1.130 2006/01/31 10:35:43 djm Exp $");
#include "xmalloc.h"
#include "atomicio.h"
exit(1);
}
+static int
+do_local_cmd(arglist *a)
+{
+ u_int i;
+ int status;
+ pid_t pid;
+
+ if (a->num == 0)
+ fatal("do_local_cmd: no arguments");
+
+ if (verbose_mode) {
+ fprintf(stderr, "Executing:");
+ for (i = 0; i < a->num; i++)
+ fprintf(stderr, " %s", a->list[i]);
+ fprintf(stderr, "\n");
+ }
+ if ((pid = fork()) == -1)
+ fatal("do_local_cmd: fork: %s", strerror(errno));
+
+ if (pid == 0) {
+ execvp(a->list[0], a->list);
+ perror(a->list[0]);
+ exit(1);
+ }
+
+ do_cmd_pid = pid;
+ signal(SIGTERM, killchild);
+ signal(SIGINT, killchild);
+ signal(SIGHUP, killchild);
+
+ while (waitpid(pid, &status, 0) == -1)
+ if (errno != EINTR)
+ fatal("do_local_cmd: waitpid: %s", strerror(errno));
+
+ do_cmd_pid = -1;
+
+ if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
+ return (-1);
+
+ return (0);
+}
+
/*
* This function executes the given command as the specified user on the
* given host. This returns < 0 if execution fails, and >= 0 otherwise. This
close(pin[0]);
close(pout[1]);
- args.list[0] = ssh_program;
+ replacearg(&args, 0, "%s", ssh_program);
if (remuser != NULL)
addargs(&args, "-l%s", remuser);
addargs(&args, "%s", host);
extern char *optarg;
extern int optind;
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
__progname = ssh_get_progname(argv[0]);
+ memset(&args, '\0', sizeof(args));
args.list = NULL;
- addargs(&args, "ssh"); /* overwritten with ssh_program */
+ addargs(&args, "%s", ssh_program);
addargs(&args, "-x");
addargs(&args, "-oForwardAgent no");
+ addargs(&args, "-oPermitLocalCommand no");
addargs(&args, "-oClearAllForwardings yes");
fflag = tflag = 0;
if ((targ = colon(argv[argc - 1]))) /* Dest is remote host. */
toremote(targ, argc, argv);
else {
- tolocal(argc, argv); /* Dest is local host. */
if (targetshouldbedirectory)
verifydir(argv[argc - 1]);
+ tolocal(argc, argv); /* Dest is local host. */
}
/*
* Finally check the exit status of the ssh process, if one was forked
{
int i, len;
char *bp, *host, *src, *suser, *thost, *tuser, *arg;
+ arglist alist;
+
+ memset(&alist, '\0', sizeof(alist));
+ alist.list = NULL;
*targ++ = 0;
if (*targ == 0)
tuser = NULL;
}
+ if (tuser != NULL && !okname(tuser)) {
+ xfree(arg);
+ return;
+ }
+
for (i = 0; i < argc - 1; i++) {
src = colon(argv[i]);
if (src) { /* remote to remote */
- static char *ssh_options =
- "-x -o'ClearAllForwardings yes'";
+ freeargs(&alist);
+ addargs(&alist, "%s", ssh_program);
+ if (verbose_mode)
+ addargs(&alist, "-v");
+ addargs(&alist, "-x");
+ addargs(&alist, "-oClearAllForwardings yes");
+ addargs(&alist, "-n");
+
*src++ = 0;
if (*src == 0)
src = ".";
host = strrchr(argv[i], '@');
- len = strlen(ssh_program) + strlen(argv[i]) +
- strlen(src) + (tuser ? strlen(tuser) : 0) +
- strlen(thost) + strlen(targ) +
- strlen(ssh_options) + CMDNEEDS + 20;
- bp = xmalloc(len);
+
if (host) {
*host++ = 0;
host = cleanhostname(host);
suser = argv[i];
if (*suser == '\0')
suser = pwd->pw_name;
- else if (!okname(suser)) {
- xfree(bp);
+ else if (!okname(suser))
continue;
- }
- if (tuser && !okname(tuser)) {
- xfree(bp);
- continue;
- }
- snprintf(bp, len,
- "%s%s %s -n "
- "-l %s %s %s %s '%s%s%s:%s'",
- ssh_program, verbose_mode ? " -v" : "",
- ssh_options, suser, host, cmd, src,
- tuser ? tuser : "", tuser ? "@" : "",
- thost, targ);
+ addargs(&alist, "-l");
+ addargs(&alist, "%s", suser);
} else {
host = cleanhostname(argv[i]);
- snprintf(bp, len,
- "exec %s%s %s -n %s "
- "%s %s '%s%s%s:%s'",
- ssh_program, verbose_mode ? " -v" : "",
- ssh_options, host, cmd, src,
- tuser ? tuser : "", tuser ? "@" : "",
- thost, targ);
}
- if (verbose_mode)
- fprintf(stderr, "Executing: %s\n", bp);
- if (system(bp) != 0)
+ addargs(&alist, "%s", host);
+ addargs(&alist, "%s", cmd);
+ addargs(&alist, "%s", src);
+ addargs(&alist, "%s%s%s:%s",
+ tuser ? tuser : "", tuser ? "@" : "",
+ thost, targ);
+ if (do_local_cmd(&alist) != 0)
errs = 1;
- (void) xfree(bp);
} else { /* local to remote */
if (remin == -1) {
len = strlen(targ) + CMDNEEDS + 20;
{
int i, len;
char *bp, *host, *src, *suser;
+ arglist alist;
+
+ memset(&alist, '\0', sizeof(alist));
+ alist.list = NULL;
for (i = 0; i < argc - 1; i++) {
if (!(src = colon(argv[i]))) { /* Local to local. */
- len = strlen(_PATH_CP) + strlen(argv[i]) +
- strlen(argv[argc - 1]) + 20;
- bp = xmalloc(len);
- (void) snprintf(bp, len, "exec %s%s%s %s %s", _PATH_CP,
- iamrecursive ? " -r" : "", pflag ? " -p" : "",
- argv[i], argv[argc - 1]);
- if (verbose_mode)
- fprintf(stderr, "Executing: %s\n", bp);
- if (system(bp))
+ freeargs(&alist);
+ addargs(&alist, "%s", _PATH_CP);
+ if (iamrecursive)
+ addargs(&alist, "-r");
+ if (pflag)
+ addargs(&alist, "-p");
+ addargs(&alist, "%s", argv[i]);
+ addargs(&alist, "%s", argv[argc-1]);
+ if (do_local_cmd(&alist))
++errs;
- (void) xfree(bp);
continue;
}
*src++ = 0;
#define FILEMODEMASK (S_ISUID|S_ISGID|S_IRWXU|S_IRWXG|S_IRWXO)
snprintf(buf, sizeof buf, "C%04o %lld %s\n",
(u_int) (stb.st_mode & FILEMODEMASK),
- (int64_t)stb.st_size, last);
+ (long long)stb.st_size, last);
if (verbose_mode) {
fprintf(stderr, "Sending file modes: %s", buf);
}
if (response() < 0)
goto next;
if ((bp = allocbuf(&buffer, fd, 2048)) == NULL) {
-next: (void) close(fd);
+next: if (fd != -1) {
+ (void) close(fd);
+ fd = -1;
+ }
continue;
}
if (showprogress)
if (showprogress)
stop_progress_meter();
- if (close(fd) < 0 && !haderr)
- haderr = errno;
+ if (fd != -1) {
+ if (close(fd) < 0 && !haderr)
+ haderr = errno;
+ fd = -1;
+ }
if (!haderr)
(void) atomicio(vwrite, remout, "", 1);
else
*/
#include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.144 2005/08/06 10:03:12 dtucker Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.146 2005/12/08 18:34:11 reyk Exp $");
#include "ssh.h"
#include "log.h"
options->authorized_keys_file = NULL;
options->authorized_keys_file2 = NULL;
options->num_accept_env = 0;
+ options->permit_tun = -1;
/* Needs to be accessable in many places */
use_privsep = -1;
}
if (options->authorized_keys_file == NULL)
options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
+ if (options->permit_tun == -1)
+ options->permit_tun = SSH_TUNMODE_NO;
/* Turn privilege separation on by default */
if (use_privsep == -1)
sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
+ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
sUsePrivilegeSeparation,
sDeprecated, sUnsupported
} ServerOpCodes;
{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
{ "useprivilegeseparation", sUsePrivilegeSeparation},
{ "acceptenv", sAcceptEnv },
+ { "permittunnel", sPermitTunnel },
{ NULL, sBadOption }
};
}
break;
+ case sPermitTunnel:
+ intptr = &options->permit_tun;
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: Missing yes/point-to-point/"
+ "ethernet/no argument.", filename, linenum);
+ value = 0; /* silence compiler */
+ if (strcasecmp(arg, "ethernet") == 0)
+ value = SSH_TUNMODE_ETHERNET;
+ else if (strcasecmp(arg, "point-to-point") == 0)
+ value = SSH_TUNMODE_POINTOPOINT;
+ else if (strcasecmp(arg, "yes") == 0)
+ value = SSH_TUNMODE_YES;
+ else if (strcasecmp(arg, "no") == 0)
+ value = SSH_TUNMODE_NO;
+ else
+ fatal("%s line %d: Bad yes/point-to-point/ethernet/"
+ "no argument: %s", filename, linenum, arg);
+ if (*intptr == -1)
+ *intptr = value;
+ break;
+
case sDeprecated:
logit("%s line %d: Deprecated option %s",
filename, linenum, arg);
-/* $OpenBSD: servconf.h,v 1.71 2004/12/23 23:11:00 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.72 2005/12/06 22:38:27 reyk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
char *authorized_keys_file; /* File containing public keys */
char *authorized_keys_file2;
+
int use_pam; /* Enable auth via PAM */
+
+ int permit_tun;
} ServerOptions;
void initialize_server_options(ServerOptions *);
*/
#include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.118 2005/07/17 07:17:55 djm Exp $");
+RCSID("$OpenBSD: serverloop.c,v 1.124 2005/12/13 15:03:02 reyk Exp $");
#include "xmalloc.h"
#include "packet.h"
/* XXX */
extern Kex *xxx_kex;
extern Authctxt *the_authctxt;
+extern int use_privsep;
static Buffer stdin_buffer; /* Buffer for stdin data. */
static Buffer stdout_buffer; /* Buffer for stdout data. */
static volatile sig_atomic_t child_terminated = 0; /* The child has terminated. */
+/* Cleanup on signals (!use_privsep case only) */
+static volatile sig_atomic_t received_sigterm = 0;
+
/* prototypes */
static void server_init_dispatch(void);
errno = save_errno;
}
+static void
+sigterm_handler(int sig)
+{
+ received_sigterm = sig;
+}
+
/*
* Make packets from buffered stderr data, and buffer it for sending
* to the client.
child_terminated = 0;
mysignal(SIGCHLD, sigchld_handler);
+ if (!use_privsep) {
+ signal(SIGTERM, sigterm_handler);
+ signal(SIGINT, sigterm_handler);
+ signal(SIGQUIT, sigterm_handler);
+ }
+
/* Initialize our global variables. */
fdin = fdin_arg;
fdout = fdout_arg;
* If we have no separate fderr (which is the case when we have a pty
* - there we cannot make difference between data sent to stdout and
* stderr), indicate that we have seen an EOF from stderr. This way
- * we don\'t need to check the descriptor everywhere.
+ * we don't need to check the descriptor everywhere.
*/
if (fderr == -1)
fderr_eof = 1;
wait_until_can_do_something(&readset, &writeset, &max_fd,
&nalloc, max_time_milliseconds);
+ if (received_sigterm) {
+ logit("Exiting on signal %d", received_sigterm);
+ /* Clean up sessions, utmp, etc. */
+ cleanup_exit(255);
+ }
+
/* Process any channel events. */
channel_after_select(readset, writeset);
connection_in = packet_get_connection_in();
connection_out = packet_get_connection_out();
+ if (!use_privsep) {
+ signal(SIGTERM, sigterm_handler);
+ signal(SIGINT, sigterm_handler);
+ signal(SIGQUIT, sigterm_handler);
+ }
+
notify_setup();
max_fd = MAX(connection_in, connection_out);
wait_until_can_do_something(&readset, &writeset, &max_fd,
&nalloc, 0);
+ if (received_sigterm) {
+ logit("Exiting on signal %d", received_sigterm);
+ /* Clean up sessions, utmp, etc. */
+ cleanup_exit(255);
+ }
+
collect_children();
if (!rekeying) {
channel_after_select(readset, writeset);
return c;
}
+static Channel *
+server_request_tun(void)
+{
+ Channel *c = NULL;
+ int mode, tun;
+ int sock;
+
+ mode = packet_get_int();
+ switch (mode) {
+ case SSH_TUNMODE_POINTOPOINT:
+ case SSH_TUNMODE_ETHERNET:
+ break;
+ default:
+ packet_send_debug("Unsupported tunnel device mode.");
+ return NULL;
+ }
+ if ((options.permit_tun & mode) == 0) {
+ packet_send_debug("Server has rejected tunnel device "
+ "forwarding");
+ return NULL;
+ }
+
+ tun = packet_get_int();
+ if (forced_tun_device != -1) {
+ if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
+ goto done;
+ tun = forced_tun_device;
+ }
+ sock = tun_open(tun, mode);
+ if (sock < 0)
+ goto done;
+ c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+ c->datagram = 1;
+#if defined(SSH_TUN_FILTER)
+ if (mode == SSH_TUNMODE_POINTOPOINT)
+ channel_register_filter(c->self, sys_tun_infilter,
+ sys_tun_outfilter);
+#endif
+
+ done:
+ if (c == NULL)
+ packet_send_debug("Failed to open the tunnel device.");
+ return c;
+}
+
static Channel *
server_request_session(void)
{
channel_free(c);
return NULL;
}
- channel_register_cleanup(c->self, session_close_by_channel);
+ channel_register_cleanup(c->self, session_close_by_channel, 0);
return c;
}
c = server_request_session();
} else if (strcmp(ctype, "direct-tcpip") == 0) {
c = server_request_direct_tcpip();
+ } else if (strcmp(ctype, "tun@openssh.com") == 0) {
+ c = server_request_tun();
}
if (c != NULL) {
debug("server_input_channel_open: confirm %s", ctype);
*/
#include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.186 2005/07/25 11:59:40 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.191 2005/12/24 02:27:41 djm Exp $");
#include "ssh.h"
#include "ssh1.h"
{
setproctitle("%s", authctxt->pw->pw_name);
- /*
- * Cancel the alarm we set to limit the time taken for
- * authentication.
- */
- alarm(0);
- if (startup_pipe != -1) {
- close(startup_pipe);
- startup_pipe = -1;
- }
/* setup the channel layer */
if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
channel_permit_all_opens();
endpwent();
/*
- * Close any extra open file descriptors so that we don\'t have them
+ * Close any extra open file descriptors so that we don't have them
* hanging around in clients. Note that we want to do this after
* initgroups, because at least on Solaris 2.3 it leaves file
* descriptors open.
if (!check_quietlogin(s, command))
do_motd();
#else /* HAVE_OSF_SIA */
- do_nologin(pw);
+ /* When PAM is enabled we rely on it to do the nologin check */
+ if (!options.use_pam)
+ do_nologin(pw);
do_setusercontext(pw);
/*
* PAM session modules in do_setusercontext may have
}
#endif
- /* Change current directory to the user\'s home directory. */
+ /* Change current directory to the user's home directory. */
if (chdir(pw->pw_dir) < 0) {
fprintf(stderr, "Could not chdir to home directory %s: %s\n",
pw->pw_dir, strerror(errno));
if (s->auth_proto != NULL || s->auth_data != NULL) {
error("session_x11_req: session %d: "
- "x11 fowarding already active", s->self);
+ "x11 forwarding already active", s->self);
return 0;
}
s->single_connection = packet_get_char();
{
Channel *c;
- if ((c = channel_lookup(id)) == NULL) {
+ if ((c = channel_by_id(id)) == NULL) {
debug("session_close_x11: x11 channel %d missing", id);
} else {
/* Detach X11 listener */
session_exit_message(Session *s, int status)
{
Channel *c;
- u_int i;
if ((c = channel_lookup(s->chanid)) == NULL)
fatal("session_exit_message: session %d: no channel %d",
/* disconnect channel */
debug("session_exit_message: release channel %d", s->chanid);
- channel_cancel_cleanup(s->chanid);
+ s->pid = 0;
+
+ /*
+ * Adjust cleanup callback attachment to send close messages when
+ * the channel gets EOF. The session will be then be closed
+ * by session_close_by_channel when the childs close their fds.
+ */
+ channel_register_cleanup(c->self, session_close_by_channel, 1);
+
/*
* emulate a write failure with 'chan_write_failed', nobody will be
* interested in data we write.
*/
if (c->ostate != CHAN_OUTPUT_CLOSED)
chan_write_failed(c);
- s->chanid = -1;
-
- /* Close any X11 listeners associated with this session */
- if (s->x11_chanids != NULL) {
- for (i = 0; s->x11_chanids[i] != -1; i++) {
- session_close_x11(s->x11_chanids[i]);
- s->x11_chanids[i] = -1;
- }
- }
}
void
}
if (s->chanid != -1)
session_exit_message(s, status);
- session_close(s);
+ if (s->ttyfd != -1)
+ session_pty_cleanup(s);
}
/*
session_close_by_channel(int id, void *arg)
{
Session *s = session_by_channel(id);
+ u_int i;
if (s == NULL) {
debug("session_close_by_channel: no session for id %d", id);
}
/* detach by removing callback */
channel_cancel_cleanup(s->chanid);
+
+ /* Close any X11 listeners associated with this session */
+ if (s->x11_chanids != NULL) {
+ for (i = 0; s->x11_chanids[i] != -1; i++) {
+ session_close_x11(s->x11_chanids[i]);
+ s->x11_chanids[i] = -1;
+ }
+ }
+
s->chanid = -1;
session_close(s);
}
}
for (i = 0; s->x11_chanids[i] != -1; i++) {
channel_register_cleanup(s->x11_chanids[i],
- session_close_single_x11);
+ session_close_single_x11, 0);
}
/* Set up a suitable value for the DISPLAY variable. */
/* XXX: copy between two remote sites */
#include "includes.h"
-RCSID("$OpenBSD: sftp-client.c,v 1.57 2005/07/27 10:39:03 dtucker Exp $");
+RCSID("$OpenBSD: sftp-client.c,v 1.58 2006/01/02 01:20:31 djm Exp $");
#include "openbsd-compat/sys-queue.h"
/* Minimum amount of data to read at at time */
#define MIN_READ_SIZE 512
-/* Maximum packet size */
-#define MAX_MSG_LENGTH (256 * 1024)
-
struct sftp_conn {
int fd_in;
int fd_out;
{
u_char mlen[4];
- if (buffer_len(m) > MAX_MSG_LENGTH)
+ if (buffer_len(m) > SFTP_MAX_MSG_LENGTH)
fatal("Outbound message too long %u", buffer_len(m));
/* Send length first */
}
msg_len = buffer_get_int(m);
- if (msg_len > MAX_MSG_LENGTH)
+ if (msg_len > SFTP_MAX_MSG_LENGTH)
fatal("Received message too long %u", msg_len);
buffer_append_space(m, msg_len);
-/* $OpenBSD: sftp-common.h,v 1.5 2003/11/10 16:23:41 jakob Exp $ */
+/* $OpenBSD: sftp-common.h,v 1.6 2006/01/02 01:20:31 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
+/* Maximum packet that we are willing to send/accept */
+#define SFTP_MAX_MSG_LENGTH (256 * 1024)
+
typedef struct Attrib Attrib;
/* File attributes */
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
-RCSID("$OpenBSD: sftp-server.c,v 1.48 2005/06/17 02:44:33 djm Exp $");
+RCSID("$OpenBSD: sftp-server.c,v 1.50 2006/01/02 01:20:31 djm Exp $");
#include "buffer.h"
#include "bufaux.h"
#include "getput.h"
#include "log.h"
#include "xmalloc.h"
+#include "misc.h"
#include "sftp.h"
#include "sftp-common.h"
len = get_int();
TRACE("read id %u handle %d off %llu len %d", id, handle,
- (u_int64_t)off, len);
+ (unsigned long long)off, len);
if (len > sizeof buf) {
len = sizeof buf;
logit("read change len %d", len);
data = get_string(&len);
TRACE("write id %u handle %d off %llu len %d", id, handle,
- (u_int64_t)off, len);
+ (unsigned long long)off, len);
fd = handle_to_fd(handle);
if (fd >= 0) {
if (lseek(fd, off, SEEK_SET) < 0) {
return; /* Incomplete message. */
cp = buffer_ptr(&iqueue);
msg_len = GET_32BIT(cp);
- if (msg_len > 256 * 1024) {
+ if (msg_len > SFTP_MAX_MSG_LENGTH) {
error("bad message ");
exit(11);
}
int in, out, max;
ssize_t len, olen, set_size;
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
/* XXX should use getopt */
__progname = ssh_get_progname(av[0]);
-.\" $OpenBSD: sftp.1,v 1.61 2005/03/01 17:19:35 jmc Exp $
+.\" $OpenBSD: sftp.1,v 1.63 2006/01/20 00:14:55 dtucker Exp $
.\"
.\" Copyright (c) 2001 Damien Miller. All rights reserved.
.\"
The final usage format allows for automated sessions using the
.Fl b
option.
-In such cases, it is usually necessary to configure public key authentication
+In such cases, it is necessary to configure non-interactive authentication
to obviate the need to enter a password at connection time (see
.Xr sshd 8
and
.It Protocol
.It ProxyCommand
.It PubkeyAuthentication
+.It RekeyLimit
.It RhostsRSAAuthentication
.It RSAAuthentication
.It SendEnv
#include "includes.h"
-RCSID("$OpenBSD: sftp.c,v 1.66 2005/08/08 13:22:48 jaredy Exp $");
+RCSID("$OpenBSD: sftp.c,v 1.70 2006/01/31 10:19:02 djm Exp $");
#ifdef USE_LIBEDIT
#include <histedit.h>
}
if (lflag & SORT_FLAGS) {
+ for (n = 0; d[n] != NULL; n++)
+ ; /* count entries */
sort_flag = lflag & (SORT_FLAGS|LS_REVERSE_SORT);
qsort(d, n, sizeof(*d), sdirent_comp);
}
extern int optind;
extern char *optarg;
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
__progname = ssh_get_progname(argv[0]);
+ memset(&args, '\0', sizeof(args));
args.list = NULL;
- addargs(&args, "ssh"); /* overwritten with ssh_program */
+ addargs(&args, ssh_program);
addargs(&args, "-oForwardX11 no");
addargs(&args, "-oForwardAgent no");
+ addargs(&args, "-oPermitLocalCommand no");
addargs(&args, "-oClearAllForwardings yes");
ll = SYSLOG_LEVEL_INFO;
break;
case 'S':
ssh_program = optarg;
+ replacearg(&args, 0, "%s", ssh_program);
break;
case 'b':
if (batchmode)
addargs(&args, "%s", host);
addargs(&args, "%s", (sftp_server != NULL ?
sftp_server : "sftp"));
- args.list[0] = ssh_program;
if (!batchmode)
fprintf(stderr, "Connecting to %s...\n", host);
fprintf(stderr, "Attaching to %s...\n", sftp_direct);
connect_to_server(sftp_direct, args.list, &in, &out);
}
+ freeargs(&args);
err = interactive_loop(in, out, file1, file2);
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.72 2005/07/17 07:17:55 djm Exp $");
+RCSID("$OpenBSD: ssh-add.c,v 1.74 2005/11/12 18:37:59 deraadt Exp $");
#include <openssl/evp.h>
char *sc_reader_id = NULL;
int i, ch, deleting = 0, ret = 0;
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
__progname = ssh_get_progname(argv[0]);
init_rng();
seed_rng();
/* At first, get a connection to the authentication agent. */
ac = ssh_get_authentication_connection();
if (ac == NULL) {
- fprintf(stderr, "Could not open a connection to your authentication agent.\n");
+ fprintf(stderr,
+ "Could not open a connection to your authentication agent.\n");
exit(2);
}
while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {
-.\" $OpenBSD: ssh-agent.1,v 1.42 2005/04/21 06:17:50 djm Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.43 2005/11/28 06:02:56 dtucker Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
Bind the agent to the unix-domain socket
.Ar bind_address .
The default is
-.Pa /tmp/ssh-XXXXXXXX/agent.<ppid> .
+.Pa /tmp/ssh-XXXXXXXX
XX/agent.<ppid> .
.It Fl c
Generate C-shell commands on
.Dv stdout .
.It Fl t Ar life
Set a default value for the maximum lifetime of identities added to the agent.
The lifetime may be specified in seconds or in a time format specified in
-.Xr sshd 8 .
+.Xr sshd_config 5 .
A lifetime specified for an identity with
.Xr ssh-add 1
overrides this value.
Contains the protocol version 2 DSA authentication identity of the user.
.It Pa ~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of the user.
-.It Pa /tmp/ssh-XXXXXXXX/agent.<ppid>
+.It Pa /tmp/ssh-XXXXXXXX
XX/agent.<ppid>
Unix-domain sockets used to contain the connection to the
authentication agent.
These sockets should only be readable by the owner.
#include "includes.h"
#include "openbsd-compat/sys-queue.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.122 2004/10/29 22:53:56 djm Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.124 2005/10/30 08:52:18 djm Exp $");
#include <openssl/evp.h>
#include <openssl/md5.h>
if (id != NULL) {
/*
* We have this key. Free the old key. Since we
- * don\'t want to leave empty slots in the middle of
+ * don't want to leave empty slots in the middle of
* the array, we actually free the key there and move
* all the entries between the empty slot and the end
* of the array.
pid_t pid;
char pidstrbuf[1 + 3 * sizeof pid];
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
/* drop */
setegid(getgid());
setgid(getgid());
-.\" $OpenBSD: ssh-keygen.1,v 1.69 2005/06/08 03:50:00 djm Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.72 2005/11/28 05:16:53 dtucker Exp $
.\"
.\" -*- nroff -*-
.\"
The type of key to be generated is specified with the
.Fl t
option.
+If invoked without any arguments,
+.Nm
+will generate an RSA key for use in SSH protocol 2 connections.
.Pp
.Nm
is also used to generate groups for use in Diffie-Hellman group
Show the bubblebabble digest of specified private or public key file.
.It Fl b Ar bits
Specifies the number of bits in the key to create.
-Minimum is 512 bits.
+For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
Generally, 2048 bits is considered sufficient.
-The default is 2048 bits.
+DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
.It Fl C Ar comment
Provides a new comment.
.It Fl c
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.128 2005/07/17 07:17:55 djm Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.135 2005/11/29 02:04:55 dtucker Exp $");
#include <openssl/evp.h>
#include <openssl/pem.h>
#endif
#include "dns.h"
-/* Number of bits in the RSA/DSA key. This value can be changed on the command line. */
-u_int32_t bits = 2048;
+/* Number of bits in the RSA/DSA key. This value can be set on the command line. */
+#define DEFAULT_BITS 2048
+#define DEFAULT_BITS_DSA 1024
+u_int32_t bits = 0;
/*
* Flag indicating that we just want to change the passphrase. This can be
extern int optind;
extern char *optarg;
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
__progname = ssh_get_progname(av[0]);
SSLeay_add_all_algorithms();
"degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
switch (opt) {
case 'b':
- bits = strtonum(optarg, 512, 32768, &errstr);
+ bits = strtonum(optarg, 768, 32768, &errstr);
if (errstr)
fatal("Bits has bad value %s (%s)",
optarg, errstr);
out_file, strerror(errno));
return (1);
}
+ if (bits == 0)
+ bits = DEFAULT_BITS;
if (gen_candidates(out, memory, bits, start) != 0)
- fatal("modulus candidate generation failed\n");
+ fatal("modulus candidate generation failed");
return (0);
}
out_file, strerror(errno));
}
if (prime_test(in, out, trials, generator_wanted) != 0)
- fatal("modulus screening failed\n");
+ fatal("modulus screening failed");
return (0);
}
arc4random_stir();
- if (key_type_name == NULL) {
- printf("You must specify a key type (-t).\n");
- usage();
- }
+ if (key_type_name == NULL)
+ key_type_name = "rsa";
+
type = key_type_from_name(key_type_name);
if (type == KEY_UNSPEC) {
fprintf(stderr, "unknown key type %s\n", key_type_name);
exit(1);
}
+ if (bits == 0)
+ bits = (type == KEY_DSA) ? DEFAULT_BITS_DSA : DEFAULT_BITS;
+ if (type == KEY_DSA && bits != 1024)
+ fatal("DSA keys must be 1024 bits");
if (!quiet)
printf("Generating public/private %s key pair.\n", key_type_name);
private = key_generate(type, bits);
if (!have_identity)
ask_filename(pw, "Enter file in which to save the key");
- /* Create ~/.ssh directory if it doesn\'t already exist. */
+ /* Create ~/.ssh directory if it doesn't already exist. */
snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", pw->pw_dir, _PATH_SSH_USER_DIR);
if (strstr(identity_file, dotsshdir) != NULL &&
stat(dotsshdir, &st) < 0) {
-.\" $OpenBSD: ssh-keyscan.1,v 1.20 2005/03/01 15:47:14 jmc Exp $
+.\" $OpenBSD: ssh-keyscan.1,v 1.21 2005/09/30 20:34:26 jaredy Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
.Xr ssh 1 ,
.Xr sshd 8
.Sh AUTHORS
+.An -nosplit
.An David Mazieres Aq dm@lcs.mit.edu
wrote the initial version, and
.An Wayne Davison Aq wayned@users.sourceforge.net
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-keyscan.c,v 1.55 2005/06/17 02:44:33 djm Exp $");
+RCSID("$OpenBSD: ssh-keyscan.c,v 1.57 2005/10/30 04:01:03 djm Exp $");
#include "openbsd-compat/sys-queue.h"
size_t bufsiz;
con *c = &fdcon[s];
- bufsiz = sizeof(buf);
- cp = buf;
- while (bufsiz-- && (n = atomicio(read, s, cp, 1)) == 1 && *cp != '\n') {
- if (*cp == '\r')
- *cp = '\n';
- cp++;
+ for (;;) {
+ memset(buf, '\0', sizeof(buf));
+ bufsiz = sizeof(buf);
+ cp = buf;
+ while (bufsiz-- &&
+ (n = atomicio(read, s, cp, 1)) == 1 && *cp != '\n') {
+ if (*cp == '\r')
+ *cp = '\n';
+ cp++;
+ }
+ if (n != 1 || strncmp(buf, "SSH-", 4) == 0)
+ break;
}
if (n == 0) {
switch (errno) {
seed_rng();
TAILQ_INIT(&tq);
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
if (argc <= 1)
usage();
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-keysign.c,v 1.18 2004/08/23 14:29:23 dtucker Exp $");
+RCSID("$OpenBSD: ssh-keysign.c,v 1.19 2005/09/13 23:40:07 djm Exp $");
#include <openssl/evp.h>
#include <openssl/rand.h>
u_int slen, dlen;
u_int32_t rnd[256];
+ /* Ensure that stdin and stdout are connected */
+ if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2)
+ exit(1);
+ /* Leave /dev/null fd iff it is attached to stderr */
+ if (fd > 2)
+ close(fd);
+
key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.209 2005/07/06 09:33:05 dtucker Exp $
+.\" $OpenBSD: ssh.1,v 1.253 2006/01/30 13:37:49 jmc Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
.Nd OpenSSH SSH client (remote login program)
.Sh SYNOPSIS
.Nm ssh
-.Bk -words
.Op Fl 1246AaCfgkMNnqsTtVvXxY
.Op Fl b Ar bind_address
.Op Fl c Ar cipher_spec
-.Op Fl D Ar port
+.Oo Fl D\ \&
+.Sm off
+.Oo Ar bind_address : Oc
+.Ar port
+.Sm on
+.Oc
.Op Fl e Ar escape_char
.Op Fl F Ar configfile
+.Bk -words
.Op Fl i Ar identity_file
+.Ek
.Oo Fl L\ \&
.Sm off
.Oo Ar bind_address : Oc
.Ar port : host : hostport
.Sm on
.Oc
+.Bk -words
.Op Fl l Ar login_name
+.Ek
.Op Fl m Ar mac_spec
.Op Fl O Ar ctl_cmd
.Op Fl o Ar option
.Sm on
.Oc
.Op Fl S Ar ctl_path
+.Bk -words
+.Op Fl w Ar tunnel : Ns Ar tunnel
.Oo Ar user Ns @ Oc Ns Ar hostname
.Op Ar command
.Ek
It is intended to replace rlogin and rsh,
and provide secure encrypted communications between
two untrusted hosts over an insecure network.
-X11 connections and arbitrary TCP/IP ports
+X11 connections and arbitrary TCP ports
can also be forwarded over the secure channel.
.Pp
.Nm
name).
The user must prove
his/her identity to the remote machine using one of several methods
-depending on the protocol version used.
+depending on the protocol version used (see below).
.Pp
If
.Ar command
is specified,
-.Ar command
-is executed on the remote host instead of a login shell.
-.Ss SSH protocol version 1
-The first authentication method is the
-.Em rhosts
-or
-.Em hosts.equiv
-method combined with RSA-based host authentication.
-If the machine the user logs in from is listed in
-.Pa /etc/hosts.equiv
-or
-.Pa /etc/shosts.equiv
-on the remote machine, and the user names are
-the same on both sides, or if the files
-.Pa ~/.rhosts
-or
-.Pa ~/.shosts
-exist in the user's home directory on the
-remote machine and contain a line containing the name of the client
-machine and the name of the user on that machine, the user is
-considered for log in.
-Additionally, if the server can verify the client's
-host key (see
-.Pa /etc/ssh/ssh_known_hosts
-and
-.Pa ~/.ssh/known_hosts
-in the
-.Sx FILES
-section), only then is login permitted.
-This authentication method closes security holes due to IP
-spoofing, DNS spoofing and routing spoofing.
-[Note to the administrator:
-.Pa /etc/hosts.equiv ,
-.Pa ~/.rhosts ,
-and the rlogin/rsh protocol in general, are inherently insecure and should be
-disabled if security is desired.]
-.Pp
-As a second authentication method,
-.Nm
-supports RSA based authentication.
-The scheme is based on public-key cryptography: there are cryptosystems
-where encryption and decryption are done using separate keys, and it
-is not possible to derive the decryption key from the encryption key.
-RSA is one such system.
-The idea is that each user creates a public/private
-key pair for authentication purposes.
-The server knows the public key, and only the user knows the private key.
-.Pp
-The file
-.Pa ~/.ssh/authorized_keys
-lists the public keys that are permitted for logging in.
-When the user logs in, the
-.Nm
-program tells the server which key pair it would like to use for
-authentication.
-The server checks if this key is permitted, and if so,
-sends the user (actually the
-.Nm
-program running on behalf of the user) a challenge, a random number,
-encrypted by the user's public key.
-The challenge can only be decrypted using the proper private key.
-The user's client then decrypts the challenge using the private key,
-proving that he/she knows the private key
-but without disclosing it to the server.
-.Pp
-.Nm
-implements the RSA authentication protocol automatically.
-The user creates his/her RSA key pair by running
-.Xr ssh-keygen 1 .
-This stores the private key in
-.Pa ~/.ssh/identity
-and stores the public key in
-.Pa ~/.ssh/identity.pub
-in the user's home directory.
-The user should then copy the
-.Pa identity.pub
-to
-.Pa ~/.ssh/authorized_keys
-in his/her home directory on the remote machine (the
-.Pa authorized_keys
-file corresponds to the conventional
-.Pa ~/.rhosts
-file, and has one key
-per line, though the lines can be very long).
-After this, the user can log in without giving the password.
-.Pp
-The most convenient way to use RSA authentication may be with an
-authentication agent.
-See
-.Xr ssh-agent 1
-for more information.
-.Pp
-If other authentication methods fail,
-.Nm
-prompts the user for a password.
-The password is sent to the remote
-host for checking; however, since all communications are encrypted,
-the password cannot be seen by someone listening on the network.
-.Ss SSH protocol version 2
-When a user connects using protocol version 2,
-similar authentication methods are available.
-Using the default values for
-.Cm PreferredAuthentications ,
-the client will try to authenticate first using the hostbased method;
-if this method fails, public key authentication is attempted,
-and finally if this method fails, keyboard-interactive and
-password authentication are tried.
-.Pp
-The public key method is similar to RSA authentication described
-in the previous section and allows the RSA or DSA algorithm to be used:
-The client uses his private key,
-.Pa ~/.ssh/id_dsa
-or
-.Pa ~/.ssh/id_rsa ,
-to sign the session identifier and sends the result to the server.
-The server checks whether the matching public key is listed in
-.Pa ~/.ssh/authorized_keys
-and grants access if both the key is found and the signature is correct.
-The session identifier is derived from a shared Diffie-Hellman value
-and is only known to the client and the server.
-.Pp
-If public key authentication fails or is not available, a password
-can be sent encrypted to the remote host to prove the user's identity.
-.Pp
-Additionally,
-.Nm
-supports hostbased or challenge response authentication.
-.Pp
-Protocol 2 provides additional mechanisms for confidentiality
-(the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour)
-and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
-Note that protocol 1 lacks a strong mechanism for ensuring the
-integrity of the connection.
-.Ss Login session and remote execution
-When the user's identity has been accepted by the server, the server
-either executes the given command, or logs into the machine and gives
-the user a normal shell on the remote machine.
-All communication with
-the remote command or shell will be automatically encrypted.
-.Pp
-If a pseudo-terminal has been allocated (normal login session), the
-user may use the escape characters noted below.
-.Pp
-If no pseudo-tty has been allocated,
-the session is transparent and can be used to reliably transfer binary data.
-On most systems, setting the escape character to
-.Dq none
-will also make the session transparent even if a tty is used.
-.Pp
-The session terminates when the command or shell on the remote
-machine exits and all X11 and TCP/IP connections have been closed.
-The exit status of the remote program is returned as the exit status of
-.Nm ssh .
-.Ss Escape Characters
-When a pseudo-terminal has been requested,
-.Nm
-supports a number of functions through the use of an escape character.
-.Pp
-A single tilde character can be sent as
-.Ic ~~
-or by following the tilde by a character other than those described below.
-The escape character must always follow a newline to be interpreted as
-special.
-The escape character can be changed in configuration files using the
-.Cm EscapeChar
-configuration directive or on the command line by the
-.Fl e
-option.
-.Pp
-The supported escapes (assuming the default
-.Ql ~ )
-are:
-.Bl -tag -width Ds
-.It Cm ~.
-Disconnect.
-.It Cm ~^Z
-Background
-.Nm ssh .
-.It Cm ~#
-List forwarded connections.
-.It Cm ~&
-Background
-.Nm
-at logout when waiting for forwarded connection / X11 sessions to terminate.
-.It Cm ~?
-Display a list of escape characters.
-.It Cm ~B
-Send a BREAK to the remote system
-(only useful for SSH protocol version 2 and if the peer supports it).
-.It Cm ~C
-Open command line.
-Currently this allows the addition of port forwardings using the
-.Fl L
-and
-.Fl R
-options (see below).
-It also allows the cancellation of existing remote port-forwardings
-using
-.Fl KR Ar hostport .
-Basic help is available, using the
-.Fl h
-option.
-.It Cm ~R
-Request rekeying of the connection
-(only useful for SSH protocol version 2 and if the peer supports it).
-.El
-.Ss X11 and TCP forwarding
-If the
-.Cm ForwardX11
-variable is set to
-.Dq yes
-(or see the description of the
-.Fl X
-and
-.Fl x
-options described later)
-and the user is using X11 (the
-.Ev DISPLAY
-environment variable is set), the connection to the X11 display is
-automatically forwarded to the remote side in such a way that any X11
-programs started from the shell (or command) will go through the
-encrypted channel, and the connection to the real X server will be made
-from the local machine.
-The user should not manually set
-.Ev DISPLAY .
-Forwarding of X11 connections can be
-configured on the command line or in configuration files.
-.Pp
-The
-.Ev DISPLAY
-value set by
-.Nm
-will point to the server machine, but with a display number greater than zero.
-This is normal, and happens because
-.Nm
-creates a
-.Dq proxy
-X server on the server machine for forwarding the
-connections over the encrypted channel.
-.Pp
-.Nm
-will also automatically set up Xauthority data on the server machine.
-For this purpose, it will generate a random authorization cookie,
-store it in Xauthority on the server, and verify that any forwarded
-connections carry this cookie and replace it by the real cookie when
-the connection is opened.
-The real authentication cookie is never
-sent to the server machine (and no cookies are sent in the plain).
-.Pp
-If the
-.Cm ForwardAgent
-variable is set to
-.Dq yes
-(or see the description of the
-.Fl A
-and
-.Fl a
-options described later) and
-the user is using an authentication agent, the connection to the agent
-is automatically forwarded to the remote side.
-.Pp
-Forwarding of arbitrary TCP/IP connections over the secure channel can
-be specified either on the command line or in a configuration file.
-One possible application of TCP/IP forwarding is a secure connection to an
-electronic purse; another is going through firewalls.
-.Ss Server authentication
-.Nm
-automatically maintains and checks a database containing
-identifications for all hosts it has ever been used with.
-Host keys are stored in
-.Pa ~/.ssh/known_hosts
-in the user's home directory.
-Additionally, the file
-.Pa /etc/ssh/ssh_known_hosts
-is automatically checked for known hosts.
-Any new hosts are automatically added to the user's file.
-If a host's identification ever changes,
-.Nm
-warns about this and disables password authentication to prevent a
-trojan horse from getting the user's password.
-Another purpose of this mechanism is to prevent man-in-the-middle attacks
-which could otherwise be used to circumvent the encryption.
-The
-.Cm StrictHostKeyChecking
-option can be used to prevent logins to machines whose
-host key is not known or has changed.
-.Pp
-.Nm
-can be configured to verify host identification using fingerprint resource
-records (SSHFP) published in DNS.
-The
-.Cm VerifyHostKeyDNS
-option can be used to control how DNS lookups are performed.
-SSHFP resource records can be generated using
-.Xr ssh-keygen 1 .
+it is executed on the remote host instead of a login shell.
.Pp
The options are as follows:
.Bl -tag -width Ds
Only useful on systems with more than one address.
.It Fl C
Requests compression of all data (including stdin, stdout, stderr, and
-data for forwarded X11 and TCP/IP connections).
+data for forwarded X11 and TCP connections).
The compression algorithm is the same used by
.Xr gzip 1 ,
and the
Selects the cipher specification for encrypting the session.
.Pp
Protocol version 1 allows specification of a single cipher.
-The suported values are
+The supported values are
.Dq 3des ,
-.Dq blowfish
+.Dq blowfish ,
and
.Dq des .
.Ar 3des
The default is
.Dq 3des .
.Pp
-For protocol version 2
+For protocol version 2,
.Ar cipher_spec
is a comma-separated list of ciphers
listed in order of preference.
-The supported ciphers are
-.Dq 3des-cbc ,
-.Dq aes128-cbc ,
-.Dq aes192-cbc ,
-.Dq aes256-cbc ,
-.Dq aes128-ctr ,
-.Dq aes192-ctr ,
-.Dq aes256-ctr ,
-.Dq arcfour128 ,
-.Dq arcfour256 ,
-.Dq arcfour ,
-.Dq blowfish-cbc ,
+The supported ciphers are:
+3des-cbc,
+aes128-cbc,
+aes192-cbc,
+aes256-cbc,
+aes128-ctr,
+aes192-ctr,
+aes256-ctr,
+arcfour128,
+arcfour256,
+arcfour,
+blowfish-cbc,
and
-.Dq cast128-cbc .
-The default is
-.Bd -literal
- ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
- arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
- aes192-ctr,aes256-ctr''
+cast128-cbc.
+The default is:
+.Bd -literal -offset indent
+aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
+arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
+aes192-ctr,aes256-ctr
.Ed
-.It Fl D Ar port
+.It Fl D Xo
+.Sm off
+.Oo Ar bind_address : Oc
+.Ar port
+.Sm on
+.Xc
Specifies a local
.Dq dynamic
application-level port forwarding.
This works by allocating a socket to listen to
.Ar port
-on the local side, and whenever a connection is made to this port, the
+on the local side, optionally bound to the specified
+.Ar bind_address .
+Whenever a connection is made to this port, the
connection is forwarded over the secure channel, and the application
protocol is then used to determine where to connect to from the
remote machine.
will act as a SOCKS server.
Only root can forward privileged ports.
Dynamic port forwardings can also be specified in the configuration file.
-.It Fl e Ar ch | ^ch | none
+.Pp
+IPv6 addresses can be specified with an alternative syntax:
+.Sm off
+.Xo
+.Op Ar bind_address No /
+.Ar port
+.Xc
+.Sm on
+or by enclosing the address in square brackets.
+Only the superuser can forward privileged ports.
+By default, the local port is bound in accordance with the
+.Cm GatewayPorts
+setting.
+However, an explicit
+.Ar bind_address
+may be used to bind the connection to a specific address.
+The
+.Ar bind_address
+of
+.Dq localhost
+indicates that the listening port be bound for local use only, while an
+empty address or
+.Sq *
+indicates that the port should be available from all interfaces.
+.It Fl e Ar escape_char
Sets the escape character for sessions with a pty (default:
.Ql ~ ) .
The escape character is only recognized at the beginning of a line.
.It Fl g
Allows remote hosts to connect to local forwarded ports.
.It Fl I Ar smartcard_device
-Specifies which smartcard device to use.
-The argument is the device
+Specify the device
.Nm
should use to communicate with a smartcard used for storing the user's
private RSA key.
+This option is only available if support for smartcard devices
+is compiled in (default is no support).
.It Fl i Ar identity_file
Selects a file from which the identity (private key) for
RSA or DSA authentication is read.
client into
.Dq master
mode for connection sharing.
+Multiple
+.Fl M
+options places
+.Nm
+into
+.Dq master
+mode with confirmation required before slave connections are accepted.
Refer to the description of
.Cm ControlMaster
in
.It IdentityFile
.It IdentitiesOnly
.It KbdInteractiveDevices
+.It LocalCommand
.It LocalForward
.It LogLevel
.It MACs
.It NoHostAuthenticationForLocalhost
.It NumberOfPasswordPrompts
.It PasswordAuthentication
+.It PermitLocalCommand
.It Port
.It PreferredAuthentications
.It Protocol
.It ProxyCommand
.It PubkeyAuthentication
+.It RekeyLimit
.It RemoteForward
.It RhostsRSAAuthentication
.It RSAAuthentication
.It SmartcardDevice
.It StrictHostKeyChecking
.It TCPKeepAlive
+.It Tunnel
+.It TunnelDevice
.It UsePrivilegedPort
.It User
.It UserKnownHostsFile
.Fl v
options increase the verbosity.
The maximum is 3.
+.It Fl w Ar tunnel : Ns Ar tunnel
+Requests a
+.Xr tun 4
+device on the client
+(first
+.Ar tunnel
+arg)
+and server
+(second
+.Ar tunnel
+arg).
+The devices may be specified by numerical ID or the keyword
+.Dq any ,
+which uses the next available tunnel device.
+See also the
+.Cm Tunnel
+directive in
+.Xr ssh_config 5 .
.It Fl X
Enables X11 forwarding.
This can also be specified on a per-host basis in a configuration file.
Trusted X11 forwardings are not subjected to the X11 SECURITY extension
controls.
.El
-.Sh CONFIGURATION FILES
+.Pp
.Nm
may additionally obtain configuration data from
a per-user configuration file and a system-wide configuration file.
The file format and configuration options are described in
.Xr ssh_config 5 .
+.Pp
+.Nm
+exits with the exit status of the remote command or with 255
+if an error occurred.
+.Sh AUTHENTICATION
+The OpenSSH SSH client supports SSH protocols 1 and 2.
+Protocol 2 is the default, with
+.Nm
+falling back to protocol 1 if it detects protocol 2 is unsupported.
+These settings may be altered using the
+.Cm Protocol
+option in
+.Xr ssh_config 5 ,
+or enforced using the
+.Fl 1
+and
+.Fl 2
+options (see above).
+Both protocols support similar authentication methods,
+but protocol 2 is preferred since
+it provides additional mechanisms for confidentiality
+(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
+and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
+Protocol 1 lacks a strong mechanism for ensuring the
+integrity of the connection.
+.Pp
+The methods available for authentication are:
+host-based authentication,
+public key authentication,
+challenge-response authentication,
+and password authentication.
+Authentication methods are tried in the order specified above,
+though protocol 2 has a configuration option to change the default order:
+.Cm PreferredAuthentications .
+.Pp
+Host-based authentication works as follows:
+If the machine the user logs in from is listed in
+.Pa /etc/hosts.equiv
+or
+.Pa /etc/shosts.equiv
+on the remote machine, and the user names are
+the same on both sides, or if the files
+.Pa ~/.rhosts
+or
+.Pa ~/.shosts
+exist in the user's home directory on the
+remote machine and contain a line containing the name of the client
+machine and the name of the user on that machine, the user is
+considered for login.
+Additionally, the server
+.Em must
+be able to verify the client's
+host key (see the description of
+.Pa /etc/ssh/ssh_known_hosts
+and
+.Pa ~/.ssh/known_hosts ,
+below)
+for login to be permitted.
+This authentication method closes security holes due to IP
+spoofing, DNS spoofing, and routing spoofing.
+[Note to the administrator:
+.Pa /etc/hosts.equiv ,
+.Pa ~/.rhosts ,
+and the rlogin/rsh protocol in general, are inherently insecure and should be
+disabled if security is desired.]
+.Pp
+Public key authentication works as follows:
+The scheme is based on public-key cryptography,
+using cryptosystems
+where encryption and decryption are done using separate keys,
+and it is unfeasible to derive the decryption key from the encryption key.
+The idea is that each user creates a public/private
+key pair for authentication purposes.
+The server knows the public key, and only the user knows the private key.
+.Nm
+implements public key authentication protocol automatically,
+using either the RSA or DSA algorithms.
+Protocol 1 is restricted to using only RSA keys,
+but protocol 2 may use either.
+The
+.Sx HISTORY
+section of
+.Xr ssl 8
+contains a brief discussion of the two algorithms.
+.Pp
+The file
+.Pa ~/.ssh/authorized_keys
+lists the public keys that are permitted for logging in.
+When the user logs in, the
+.Nm
+program tells the server which key pair it would like to use for
+authentication.
+The client proves that it has access to the private key
+and the server checks that the corresponding public key
+is authorized to accept the account.
+.Pp
+The user creates his/her key pair by running
+.Xr ssh-keygen 1 .
+This stores the private key in
+.Pa ~/.ssh/identity
+(protocol 1),
+.Pa ~/.ssh/id_dsa
+(protocol 2 DSA),
+or
+.Pa ~/.ssh/id_rsa
+(protocol 2 RSA)
+and stores the public key in
+.Pa ~/.ssh/identity.pub
+(protocol 1),
+.Pa ~/.ssh/id_dsa.pub
+(protocol 2 DSA),
+or
+.Pa ~/.ssh/id_rsa.pub
+(protocol 2 RSA)
+in the user's home directory.
+The user should then copy the public key
+to
+.Pa ~/.ssh/authorized_keys
+in his/her home directory on the remote machine.
+The
+.Pa authorized_keys
+file corresponds to the conventional
+.Pa ~/.rhosts
+file, and has one key
+per line, though the lines can be very long.
+After this, the user can log in without giving the password.
+.Pp
+The most convenient way to use public key authentication may be with an
+authentication agent.
+See
+.Xr ssh-agent 1
+for more information.
+.Pp
+Challenge-response authentication works as follows:
+The server sends an arbitrary
+.Qq challenge
+text, and prompts for a response.
+Protocol 2 allows multiple challenges and responses;
+protocol 1 is restricted to just one challenge/response.
+Examples of challenge-response authentication include
+BSD Authentication (see
+.Xr login.conf 5 )
+and PAM (some non-OpenBSD systems).
+.Pp
+Finally, if other authentication methods fail,
+.Nm
+prompts the user for a password.
+The password is sent to the remote
+host for checking; however, since all communications are encrypted,
+the password cannot be seen by someone listening on the network.
+.Pp
+.Nm
+automatically maintains and checks a database containing
+identification for all hosts it has ever been used with.
+Host keys are stored in
+.Pa ~/.ssh/known_hosts
+in the user's home directory.
+Additionally, the file
+.Pa /etc/ssh/ssh_known_hosts
+is automatically checked for known hosts.
+Any new hosts are automatically added to the user's file.
+If a host's identification ever changes,
+.Nm
+warns about this and disables password authentication to prevent
+server spoofing or man-in-the-middle attacks,
+which could otherwise be used to circumvent the encryption.
+The
+.Cm StrictHostKeyChecking
+option can be used to control logins to machines whose
+host key is not known or has changed.
+.Pp
+When the user's identity has been accepted by the server, the server
+either executes the given command, or logs into the machine and gives
+the user a normal shell on the remote machine.
+All communication with
+the remote command or shell will be automatically encrypted.
+.Pp
+If a pseudo-terminal has been allocated (normal login session), the
+user may use the escape characters noted below.
+.Pp
+If no pseudo-tty has been allocated,
+the session is transparent and can be used to reliably transfer binary data.
+On most systems, setting the escape character to
+.Dq none
+will also make the session transparent even if a tty is used.
+.Pp
+The session terminates when the command or shell on the remote
+machine exits and all X11 and TCP connections have been closed.
+.Sh ESCAPE CHARACTERS
+When a pseudo-terminal has been requested,
+.Nm
+supports a number of functions through the use of an escape character.
+.Pp
+A single tilde character can be sent as
+.Ic ~~
+or by following the tilde by a character other than those described below.
+The escape character must always follow a newline to be interpreted as
+special.
+The escape character can be changed in configuration files using the
+.Cm EscapeChar
+configuration directive or on the command line by the
+.Fl e
+option.
+.Pp
+The supported escapes (assuming the default
+.Ql ~ )
+are:
+.Bl -tag -width Ds
+.It Cm ~.
+Disconnect.
+.It Cm ~^Z
+Background
+.Nm .
+.It Cm ~#
+List forwarded connections.
+.It Cm ~&
+Background
+.Nm
+at logout when waiting for forwarded connection / X11 sessions to terminate.
+.It Cm ~?
+Display a list of escape characters.
+.It Cm ~B
+Send a BREAK to the remote system
+(only useful for SSH protocol version 2 and if the peer supports it).
+.It Cm ~C
+Open command line.
+Currently this allows the addition of port forwardings using the
+.Fl L
+and
+.Fl R
+options (see above).
+It also allows the cancellation of existing remote port-forwardings
+using
+.Fl KR Ar hostport .
+.Ic !\& Ns Ar command
+allows the user to execute a local command if the
+.Ic PermitLocalCommand
+option is enabled in
+.Xr ssh_config 5 .
+Basic help is available, using the
+.Fl h
+option.
+.It Cm ~R
+Request rekeying of the connection
+(only useful for SSH protocol version 2 and if the peer supports it).
+.El
+.Sh TCP FORWARDING
+Forwarding of arbitrary TCP connections over the secure channel can
+be specified either on the command line or in a configuration file.
+One possible application of TCP forwarding is a secure connection to a
+mail server; another is going through firewalls.
+.Pp
+In the example below, we look at encrypting communication between
+an IRC client and server, even though the IRC server does not directly
+support encrypted communications.
+This works as follows:
+the user connects to the remote host using
+.Nm ,
+specifying a port to be used to forward connections
+to the remote server.
+After that it is possible to start the service which is to be encrypted
+on the client machine,
+connecting to the same local port,
+and
+.Nm
+will encrypt and forward the connection.
+.Pp
+The following example tunnels an IRC session from client machine
+.Dq 127.0.0.1
+(localhost)
+to remote server
+.Dq server.example.com :
+.Bd -literal -offset 4n
+$ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
+$ irc -c '#users' -p 1234 pinky 127.0.0.1
+.Ed
+.Pp
+This tunnels a connection to IRC server
+.Dq server.example.com ,
+joining channel
+.Dq #users ,
+nickname
+.Dq pinky ,
+using port 1234.
+It doesn't matter which port is used,
+as long as it's greater than 1023
+(remember, only root can open sockets on privileged ports)
+and doesn't conflict with any ports already in use.
+The connection is forwarded to port 6667 on the remote server,
+since that's the standard port for IRC services.
+.Pp
+The
+.Fl f
+option backgrounds
+.Nm
+and the remote command
+.Dq sleep 10
+is specified to allow an amount of time
+(10 seconds, in the example)
+to start the service which is to be tunnelled.
+If no connections are made within the time specified,
+.Nm
+will exit.
+.Sh X11 FORWARDING
+If the
+.Cm ForwardX11
+variable is set to
+.Dq yes
+(or see the description of the
+.Fl X ,
+.Fl x ,
+and
+.Fl Y
+options above)
+and the user is using X11 (the
+.Ev DISPLAY
+environment variable is set), the connection to the X11 display is
+automatically forwarded to the remote side in such a way that any X11
+programs started from the shell (or command) will go through the
+encrypted channel, and the connection to the real X server will be made
+from the local machine.
+The user should not manually set
+.Ev DISPLAY .
+Forwarding of X11 connections can be
+configured on the command line or in configuration files.
+.Pp
+The
+.Ev DISPLAY
+value set by
+.Nm
+will point to the server machine, but with a display number greater than zero.
+This is normal, and happens because
+.Nm
+creates a
+.Dq proxy
+X server on the server machine for forwarding the
+connections over the encrypted channel.
+.Pp
+.Nm
+will also automatically set up Xauthority data on the server machine.
+For this purpose, it will generate a random authorization cookie,
+store it in Xauthority on the server, and verify that any forwarded
+connections carry this cookie and replace it by the real cookie when
+the connection is opened.
+The real authentication cookie is never
+sent to the server machine (and no cookies are sent in the plain).
+.Pp
+If the
+.Cm ForwardAgent
+variable is set to
+.Dq yes
+(or see the description of the
+.Fl A
+and
+.Fl a
+options above) and
+the user is using an authentication agent, the connection to the agent
+is automatically forwarded to the remote side.
+.Sh VERIFYING HOST KEYS
+When connecting to a server for the first time,
+a fingerprint of the server's public key is presented to the user
+(unless the option
+.Cm StrictHostKeyChecking
+has been disabled).
+Fingerprints can be determined using
+.Xr ssh-keygen 1 :
+.Pp
+.Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
+.Pp
+If the fingerprint is already known,
+it can be matched and verified,
+and the key can be accepted.
+If the fingerprint is unknown,
+an alternative method of verification is available:
+SSH fingerprints verified by DNS.
+An additional resource record (RR),
+SSHFP,
+is added to a zonefile
+and the connecting client is able to match the fingerprint
+with that of the key presented.
+.Pp
+In this example, we are connecting a client to a server,
+.Dq host.example.com .
+The SSHFP resource records should first be added to the zonefile for
+host.example.com:
+.Bd -literal -offset indent
+$ ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r host.example.com.
+$ ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r host.example.com.
+.Ed
+.Pp
+The output lines will have to be added to the zonefile.
+To check that the zone is answering fingerprint queries:
+.Pp
+.Dl $ dig -t SSHFP host.example.com
+.Pp
+Finally the client connects:
+.Bd -literal -offset indent
+$ ssh -o "VerifyHostKeyDNS ask" host.example.com
+[...]
+Matching host key fingerprint found in DNS.
+Are you sure you want to continue connecting (yes/no)?
+.Ed
+.Pp
+See the
+.Cm VerifyHostKeyDNS
+option in
+.Xr ssh_config 5
+for more information.
+.Sh SSH-BASED VIRTUAL PRIVATE NETWORKS
+.Nm
+contains support for Virtual Private Network (VPN) tunnelling
+using the
+.Xr tun 4
+network pseudo-device,
+allowing two networks to be joined securely.
+The
+.Xr sshd_config 5
+configuration option
+.Cm PermitTunnel
+controls whether the server supports this,
+and at what level (layer 2 or 3 traffic).
+.Pp
+The following example would connect client network 10.0.50.0/24
+with remote network 10.0.99.0/24, provided that the SSH server
+running on the gateway to the remote network,
+at 192.168.1.15, allows it:
+.Bd -literal -offset indent
+# ssh -f -w 0:1 192.168.1.15 true
+# ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252
+.Ed
+.Pp
+Client access may be more finely tuned via the
+.Pa /root/.ssh/authorized_keys
+file (see below) and the
+.Cm PermitRootLogin
+server option.
+The following entry would permit connections on the first
+.Xr tun 4
+device from user
+.Dq jane
+and on the second device from user
+.Dq john ,
+if
+.Cm PermitRootLogin
+is set to
+.Dq forced-commands-only :
+.Bd -literal -offset 2n
+tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
+tunnel="2",command="sh /etc/netstart tun1" ssh-rsa ... john
+.Ed
+.Pp
+Since a SSH-based setup entails a fair amount of overhead,
+it may be more suited to temporary setups,
+such as for wireless VPNs.
+More permanent VPNs are better provided by tools such as
+.Xr ipsecctl 8
+and
+.Xr isakmpd 8 .
.Sh ENVIRONMENT
.Nm
will normally set the following environment variables:
-.Bl -tag -width LOGNAME
+.Bl -tag -width "SSH_ORIGINAL_COMMAND"
.It Ev DISPLAY
The
.Ev DISPLAY
It is automatically set by
.Nm
to point to a value of the form
-.Dq hostname:n
-where hostname indicates
-the host where the shell runs, and n is an integer \*(Ge 1.
+.Dq hostname:n ,
+where
+.Dq hostname
+indicates the host where the shell runs, and
+.Sq n
+is an integer \*(Ge 1.
.Nm
uses this special value to forward X11 connections over the secure
channel.
Set to the default
.Ev PATH ,
as specified when compiling
-.Nm ssh .
+.Nm .
.It Ev SSH_ASKPASS
If
.Nm
.Pa /dev/null
to make this work.)
.It Ev SSH_AUTH_SOCK
-Identifies the path of a unix-domain socket used to communicate with the
-agent.
+Identifies the path of a
+.Ux Ns -domain
+socket used to communicate with the agent.
.It Ev SSH_CONNECTION
Identifies the client and server ends of the connection.
The variable contains
-four space-separated values: client ip-address, client port number,
-server ip-address and server port number.
+four space-separated values: client IP address, client port number,
+server IP address, and server port number.
.It Ev SSH_ORIGINAL_COMMAND
-The variable contains the original command line if a forced command
+This variable contains the original command line if a forced command
is executed.
It can be used to extract the original arguments.
.It Ev SSH_TTY
If the current session has no tty,
this variable is not set.
.It Ev TZ
-The timezone variable is set to indicate the present timezone if it
+This variable is set to indicate the present time zone if it
was set when the daemon was started (i.e., the daemon passes the value
on to new connections).
.It Ev USER
.Pa ~/.ssh/environment ,
and adds lines of the format
.Dq VARNAME=value
-to the environment if the file exists and if users are allowed to
+to the environment if the file exists and users are allowed to
change their environment.
For more information, see the
.Cm PermitUserEnvironment
option in
.Xr sshd_config 5 .
.Sh FILES
-.Bl -tag -width Ds
-.It Pa ~/.ssh/known_hosts
-Records host keys for all hosts the user has logged into that are not
-in
-.Pa /etc/ssh/ssh_known_hosts .
-See
-.Xr sshd 8 .
-.It Pa ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa
-Contains the authentication identity of the user.
-They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively.
+.Bl -tag -width Ds -compact
+.It ~/.rhosts
+This file is used for host-based authentication (see above).
+On some machines this file may need to be
+world-readable if the user's home directory is on an NFS partition,
+because
+.Xr sshd 8
+reads it as root.
+Additionally, this file must be owned by the user,
+and must not have write permissions for anyone else.
+The recommended
+permission for most machines is read/write for the user, and not
+accessible by others.
+.Pp
+.It ~/.shosts
+This file is used in exactly the same way as
+.Pa .rhosts ,
+but allows host-based authentication without permitting login with
+rlogin/rsh.
+.Pp
+.It ~/.ssh/authorized_keys
+Lists the public keys (RSA/DSA) that can be used for logging in as this user.
+The format of this file is described in the
+.Xr sshd 8
+manual page.
+This file is not highly sensitive, but the recommended
+permissions are read/write for the user, and not accessible by others.
+.Pp
+.It ~/.ssh/config
+This is the per-user configuration file.
+The file format and configuration options are described in
+.Xr ssh_config 5 .
+Because of the potential for abuse, this file must have strict permissions:
+read/write for the user, and not accessible by others.
+.Pp
+.It ~/.ssh/environment
+Contains additional definitions for environment variables; see
+.Sx ENVIRONMENT ,
+above.
+.Pp
+.It ~/.ssh/identity
+.It ~/.ssh/id_dsa
+.It ~/.ssh/id_rsa
+Contains the private key for authentication.
These files
contain sensitive data and should be readable by the user but not
accessible by others (read/write/execute).
-Note that
.Nm
-ignores a private key file if it is accessible by others.
+will simply ignore a private key file if it is accessible by others.
It is possible to specify a passphrase when
-generating the key; the passphrase will be used to encrypt the
+generating the key which will be used to encrypt the
sensitive part of this file using 3DES.
-.It Pa ~/.ssh/identity.pub, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa.pub
-Contains the public key for authentication (public part of the
-identity file in human-readable form).
-The contents of the
-.Pa ~/.ssh/identity.pub
-file should be added to the file
-.Pa ~/.ssh/authorized_keys
-on all machines
-where the user wishes to log in using protocol version 1 RSA authentication.
-The contents of the
-.Pa ~/.ssh/id_dsa.pub
-and
-.Pa ~/.ssh/id_rsa.pub
-file should be added to
-.Pa ~/.ssh/authorized_keys
-on all machines
-where the user wishes to log in using protocol version 2 DSA/RSA authentication.
+.Pp
+.It ~/.ssh/identity.pub
+.It ~/.ssh/id_dsa.pub
+.It ~/.ssh/id_rsa.pub
+Contains the public key for authentication.
These files are not
sensitive and can (but need not) be readable by anyone.
-These files are
-never used automatically and are not necessary; they are only provided for
-the convenience of the user.
-.It Pa ~/.ssh/config
-This is the per-user configuration file.
-The file format and configuration options are described in
-.Xr ssh_config 5 .
-Because of the potential for abuse, this file must have strict permissions:
-read/write for the user, and not accessible by others.
-.It Pa ~/.ssh/authorized_keys
-Lists the public keys (RSA/DSA) that can be used for logging in as this user.
-The format of this file is described in the
-.Xr sshd 8
-manual page.
-In the simplest form the format is the same as the
-.Pa .pub
-identity files.
-This file is not highly sensitive, but the recommended
-permissions are read/write for the user, and not accessible by others.
-.It Pa /etc/ssh/ssh_known_hosts
-Systemwide list of known host keys.
-This file should be prepared by the
-system administrator to contain the public host keys of all machines in the
-organization.
-This file should be world-readable.
-This file contains
-public keys, one per line, in the following format (fields separated
-by spaces): system name, public key and optional comment field.
-When different names are used
-for the same machine, all such names should be listed, separated by
-commas.
-The format is described in the
-.Xr sshd 8
-manual page.
.Pp
-The canonical system name (as returned by name servers) is used by
+.It ~/.ssh/known_hosts
+Contains a list of host keys for all hosts the user has logged into
+that are not already in the systemwide list of known host keys.
+See
.Xr sshd 8
-to verify the client host when logging in; other names are needed because
+for further details of the format of this file.
+.Pp
+.It ~/.ssh/rc
+Commands in this file are executed by
.Nm
-does not convert the user-supplied name to a canonical name before
-checking the key, because someone with access to the name servers
-would then be able to fool host authentication.
+when the user logs in, just before the user's shell (or command) is
+started.
+See the
+.Xr sshd 8
+manual page for more information.
+.Pp
+.It /etc/hosts.equiv
+This file is for host-based authentication (see above).
+It should only be writable by root.
+.Pp
+.It /etc/shosts.equiv
+This file is used in exactly the same way as
+.Pa hosts.equiv ,
+but allows host-based authentication without permitting login with
+rlogin/rsh.
+.Pp
.It Pa /etc/ssh/ssh_config
Systemwide configuration file.
The file format and configuration options are described in
.Xr ssh_config 5 .
-.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
+.Pp
+.It /etc/ssh/ssh_host_key
+.It /etc/ssh/ssh_host_dsa_key
+.It /etc/ssh/ssh_host_rsa_key
These three files contain the private parts of the host keys
-and are used for
-.Cm RhostsRSAAuthentication
-and
-.Cm HostbasedAuthentication .
-If the protocol version 1
-.Cm RhostsRSAAuthentication
-method is used,
+and are used for host-based authentication.
+If protocol version 1 is used,
.Nm
must be setuid root, since the host key is readable only by root.
For protocol version 2,
.Nm
uses
.Xr ssh-keysign 8
-to access the host keys for
-.Cm HostbasedAuthentication .
-This eliminates the requirement that
+to access the host keys,
+eliminating the requirement that
.Nm
-be setuid root when that authentication method is used.
+be setuid root when host-based authentication is used.
By default
.Nm
is not setuid root.
-.It Pa ~/.rhosts
-This file is used in
-.Cm RhostsRSAAuthentication
-and
-.Cm HostbasedAuthentication
-authentication to list the
-host/user pairs that are permitted to log in.
-(Note that this file is
-also used by rlogin and rsh, which makes using this file insecure.)
-Each line of the file contains a host name (in the canonical form
-returned by name servers), and then a user name on that host,
-separated by a space.
-On some machines this file may need to be
-world-readable if the user's home directory is on a NFS partition,
-because
-.Xr sshd 8
-reads it as root.
-Additionally, this file must be owned by the user,
-and must not have write permissions for anyone else.
-The recommended
-permission for most machines is read/write for the user, and not
-accessible by others.
.Pp
-Note that
-.Xr sshd 8
-allows authentication only in combination with client host key
-authentication before permitting log in.
-If the server machine does not have the client's host key in
-.Pa /etc/ssh/ssh_known_hosts ,
-it can be stored in
-.Pa ~/.ssh/known_hosts .
-The easiest way to do this is to
-connect back to the client from the server machine using ssh; this
-will automatically add the host key to
-.Pa ~/.ssh/known_hosts .
-.It Pa ~/.shosts
-This file is used exactly the same way as
-.Pa .rhosts .
-The purpose for
-having this file is to be able to use
-.Cm RhostsRSAAuthentication
-and
-.Cm HostbasedAuthentication
-authentication without permitting login with
-.Xr rlogin
-or
-.Xr rsh 1 .
-.It Pa /etc/hosts.equiv
-This file is used during
-.Cm RhostsRSAAuthentication
-and
-.Cm HostbasedAuthentication
-authentication.
-It contains
-canonical hosts names, one per line (the full format is described in the
-.Xr sshd 8
-manual page).
-If the client host is found in this file, login is
-automatically permitted provided client and server user names are the
-same.
-Additionally, successful client host key authentication is required.
-This file should only be writable by root.
-.It Pa /etc/shosts.equiv
-This file is processed exactly as
-.Pa /etc/hosts.equiv .
-This file may be useful to permit logins using
-.Nm
-but not using rsh/rlogin.
-.It Pa /etc/ssh/sshrc
-Commands in this file are executed by
-.Nm
-when the user logs in just before the user's shell (or command) is started.
-See the
+.It /etc/ssh/ssh_known_hosts
+Systemwide list of known host keys.
+This file should be prepared by the
+system administrator to contain the public host keys of all machines in the
+organization.
+It should be world-readable.
+See
.Xr sshd 8
-manual page for more information.
-.It Pa ~/.ssh/rc
+for further details of the format of this file.
+.Pp
+.It /etc/ssh/sshrc
Commands in this file are executed by
.Nm
-when the user logs in just before the user's shell (or command) is
-started.
+when the user logs in, just before the user's shell (or command) is started.
See the
.Xr sshd 8
manual page for more information.
-.It Pa ~/.ssh/environment
-Contains additional definitions for environment variables, see section
-.Sx ENVIRONMENT
-above.
.El
-.Sh DIAGNOSTICS
-.Nm
-exits with the exit status of the remote command or with 255
-if an error occurred.
.Sh SEE ALSO
-.Xr gzip 1 ,
-.Xr rsh 1 ,
.Xr scp 1 ,
.Xr sftp 1 ,
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr ssh-keygen 1 ,
-.Xr telnet 1 ,
+.Xr ssh-keyscan 1 ,
+.Xr tun 4 ,
.Xr hosts.equiv 5 ,
.Xr ssh_config 5 ,
.Xr ssh-keysign 8 ,
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.249 2005/07/30 01:26:16 djm Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.257 2005/12/20 04:41:07 dtucker Exp $");
#include <openssl/evp.h>
#include <openssl/err.h>
{
fprintf(stderr,
"usage: ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
-" [-D port] [-e escape_char] [-F configfile]\n"
+" [-D [bind_address:]port] [-e escape_char] [-F configfile]\n"
" [-i identity_file] [-L [bind_address:]port:host:hostport]\n"
" [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
" [-R [bind_address:]port:host:hostport] [-S ctl_path]\n"
-" [user@]hostname [command]\n"
+" [-w tunnel:tunnel] [user@]hostname [command]\n"
);
- exit(1);
+ exit(255);
}
static int ssh_session(void);
struct servent *sp;
Forward fwd;
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
__progname = ssh_get_progname(av[0]);
init_rng();
pw = getpwuid(original_real_uid);
if (!pw) {
logit("You don't exist, go away!");
- exit(1);
+ exit(255);
}
/* Take a copy of the returned structure. */
pw = pwcopy(pw);
again:
while ((opt = getopt(ac, av,
- "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVXY")) != -1) {
+ "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVw:XY")) != -1) {
switch (opt) {
case '1':
options.protocol = SSH_PROTO_1;
if (opt == 'V')
exit(0);
break;
+ case 'w':
+ if (options.tun_open == -1)
+ options.tun_open = SSH_TUNMODE_DEFAULT;
+ options.tun_local = a2tun(optarg, &options.tun_remote);
+ if (options.tun_local == SSH_TUNID_ERR) {
+ fprintf(stderr, "Bad tun device '%s'\n", optarg);
+ exit(255);
+ }
+ break;
case 'q':
options.log_level = SYSLOG_LEVEL_QUIET;
break;
else {
fprintf(stderr, "Bad escape character '%s'.\n",
optarg);
- exit(1);
+ exit(255);
}
break;
case 'c':
fprintf(stderr,
"Unknown cipher type '%s'\n",
optarg);
- exit(1);
+ exit(255);
}
if (options.cipher == SSH_CIPHER_3DES)
options.ciphers = "3des-cbc";
else {
fprintf(stderr, "Unknown mac type '%s'\n",
optarg);
- exit(1);
+ exit(255);
}
break;
case 'M':
options.port = a2port(optarg);
if (options.port == 0) {
fprintf(stderr, "Bad port '%s'\n", optarg);
- exit(1);
+ exit(255);
}
break;
case 'l':
fprintf(stderr,
"Bad local forwarding specification '%s'\n",
optarg);
- exit(1);
+ exit(255);
}
break;
fprintf(stderr,
"Bad remote forwarding specification "
"'%s'\n", optarg);
- exit(1);
+ exit(255);
}
break;
if ((fwd.listen_host = hpdelim(&cp)) == NULL) {
fprintf(stderr, "Bad dynamic forwarding "
"specification '%.100s'\n", optarg);
- exit(1);
+ exit(255);
}
if (cp != NULL) {
fwd.listen_port = a2port(cp);
if (fwd.listen_port == 0) {
fprintf(stderr, "Bad dynamic port '%s'\n",
optarg);
- exit(1);
+ exit(255);
}
add_local_forward(&options, &fwd);
xfree(p);
line = xstrdup(optarg);
if (process_config_line(&options, host ? host : "",
line, "command-line", 0, &dummy) != 0)
- exit(1);
+ exit(255);
xfree(line);
break;
case 's':
original_effective_uid == 0 && options.use_privileged_port,
#endif
options.proxy_command) != 0)
- exit(1);
+ exit(255);
/*
* If we successfully made the connection, load the host private key
/*
* Now that we are back to our own permissions, create ~/.ssh
- * directory if it doesn\'t already exist.
+ * directory if it doesn't already exist.
*/
snprintf(buf, sizeof buf, "%.100s%s%.100s", pw->pw_dir, strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
if (stat(buf, &st) < 0)
debug("Remote connections from %.200s:%d forwarded to "
"local address %.200s:%d",
(options.remote_forwards[i].listen_host == NULL) ?
- (options.gateway_ports ? "*" : "LOCALHOST") :
- options.remote_forwards[i].listen_host,
+ "LOCALHOST" : options.remote_forwards[i].listen_host,
options.remote_forwards[i].listen_port,
options.remote_forwards[i].connect_host,
options.remote_forwards[i].connect_port);
check_agent_present(void)
{
if (options.forward_agent) {
- /* Clear agent forwarding if we don\'t have an agent. */
+ /* Clear agent forwarding if we don't have an agent. */
if (!ssh_agent_present())
options.forward_agent = 0;
}
fatal("ControlPath too long");
if ((control_fd = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
- fatal("%s socket(): %s\n", __func__, strerror(errno));
+ fatal("%s socket(): %s", __func__, strerror(errno));
old_umask = umask(0177);
if (bind(control_fd, (struct sockaddr*)&addr, addr_len) == -1) {
fatal("ControlSocket %s already exists",
options.control_path);
else
- fatal("%s bind(): %s\n", __func__, strerror(errno));
+ fatal("%s bind(): %s", __func__, strerror(errno));
}
umask(old_umask);
if (listen(control_fd, 64) == -1)
- fatal("%s listen(): %s\n", __func__, strerror(errno));
+ fatal("%s listen(): %s", __func__, strerror(errno));
set_nonblock(control_fd);
}
packet_send();
}
+ if (options.tun_open != SSH_TUNMODE_NO) {
+ Channel *c;
+ int fd;
+
+ debug("Requesting tun.");
+ if ((fd = tun_open(options.tun_local,
+ options.tun_open)) >= 0) {
+ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
+ 0, "tun", 1);
+ c->datagram = 1;
+#if defined(SSH_TUN_FILTER)
+ if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
+ channel_register_filter(c->self, sys_tun_infilter,
+ sys_tun_outfilter);
+#endif
+ packet_start(SSH2_MSG_CHANNEL_OPEN);
+ packet_put_cstring("tun@openssh.com");
+ packet_put_int(c->self);
+ packet_put_int(c->local_window_max);
+ packet_put_int(c->local_maxpacket);
+ packet_put_int(options.tun_open);
+ packet_put_int(options.tun_remote);
+ packet_send();
+ }
+ }
+
client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"),
NULL, fileno(stdin), &command, environ, &ssh_subsystem_reply);
if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN))
id = ssh_session2_open();
+ /* Execute a local command */
+ if (options.local_command != NULL &&
+ options.permit_local_command)
+ ssh_local_cmd(options.local_command);
+
/* If requested, let ssh continue in the background. */
if (fork_after_authentication_flag)
if (daemon(1, 1) < 0)
-# $OpenBSD: ssh_config,v 1.20 2005/01/28 09:45:53 dtucker Exp $
+# $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
+# Tunnel no
+# TunnelDevice any:any
+# PermitLocalCommand no
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.61 2005/07/08 12:53:10 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.76 2006/01/20 11:21:45 jmc Exp $
.Dd September 25, 1999
.Dt SSH_CONFIG 5
.Os
set to
.Dq no
(the default).
-These sessions will reuse the master instance's network connection rather
-than initiating new ones.
+These sessions will try to reuse the master instance's network connection
+rather than initiating new ones, but will fall back to connecting normally
+if the control socket does not exist, or is not listening.
+.Pp
Setting this to
.Dq ask
will cause
X11 and
.Xr ssh-agent 1
forwarding is supported over these multiplexed connections, however the
-display and agent fowarded will be the one belonging to the master
+display and agent forwarded will be the one belonging to the master
connection i.e. it is not possible to forward multiple displays or agents.
.Pp
Two additional options allow for opportunistic multiplexing: try to use a
all three of these escape sequences.
This ensures that shared connections are uniquely identified.
.It Cm DynamicForward
-Specifies that a TCP/IP port on the local machine be forwarded
+Specifies that a TCP port on the local machine be forwarded
over the secure channel, and the application
protocol is then used to determine where to connect to from the
remote machine.
-The argument must be a port number.
+.Pp
+The argument must be
+.Sm off
+.Oo Ar bind_address : Oc Ar port .
+.Sm on
+IPv6 addresses can be specified by enclosing addresses in square brackets or
+by using an alternative syntax:
+.Oo Ar bind_address Ns / Oc Ns Ar port .
+By default, the local port is bound in accordance with the
+.Cm GatewayPorts
+setting.
+However, an explicit
+.Ar bind_address
+may be used to bind the connection to a specific address.
+The
+.Ar bind_address
+of
+.Dq localhost
+indicates that the listening port be bound for local use only, while an
+empty address or
+.Sq *
+indicates that the port should be available from all interfaces.
+.Pp
Currently the SOCKS4 and SOCKS5 protocols are supported, and
.Nm ssh
will act as a SOCKS server.
Numeric IP addresses are also permitted (both on the command line and in
.Cm HostName
specifications).
-.It Cm IdentityFile
-Specifies a file from which the user's RSA or DSA authentication identity
-is read.
-The default is
-.Pa ~/.ssh/identity
-for protocol version 1, and
-.Pa ~/.ssh/id_rsa
-and
-.Pa ~/.ssh/id_dsa
-for protocol version 2.
-Additionally, any identities represented by the authentication agent
-will be used for authentication.
-The file name may use the tilde
-syntax to refer to a user's home directory.
-It is possible to have
-multiple identity files specified in configuration files; all these
-identities will be tried in sequence.
.It Cm IdentitiesOnly
Specifies that
.Nm ssh
.Dq yes
or
.Dq no .
-This option is intented for situations where
+This option is intended for situations where
.Nm ssh-agent
offers many different identities.
The default is
.Dq no .
+.It Cm IdentityFile
+Specifies a file from which the user's RSA or DSA authentication identity
+is read.
+The default is
+.Pa ~/.ssh/identity
+for protocol version 1, and
+.Pa ~/.ssh/id_rsa
+and
+.Pa ~/.ssh/id_dsa
+for protocol version 2.
+Additionally, any identities represented by the authentication agent
+will be used for authentication.
+The file name may use the tilde
+syntax to refer to a user's home directory.
+It is possible to have
+multiple identity files specified in configuration files; all these
+identities will be tried in sequence.
.It Cm KbdInteractiveDevices
Specifies the list of methods to use in keyboard-interactive authentication.
Multiple method names must be comma-separated.
The default is to use the server specified list.
+.It Cm LocalCommand
+Specifies a command to execute on the local machine after successfully
+connecting to the server.
+The command string extends to the end of the line, and is executed with
+.Pa /bin/sh .
+This directive is ignored unless
+.Cm PermitLocalCommand
+has been enabled.
.It Cm LocalForward
-Specifies that a TCP/IP port on the local machine be forwarded over
+Specifies that a TCP port on the local machine be forwarded over
the secure channel to the specified host and port from the remote machine.
The first argument must be
.Sm off
.Dq no .
The default is
.Dq yes .
+.It Cm PermitLocalCommand
+Allow local command execution via the
+.Ic LocalCommand
+option or using the
+.Ic !\& Ns Ar command
+escape sequence in
+.Xr ssh 1 .
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
.It Cm Port
Specifies the port number to connect on the remote host.
Default is 22.
The default is
.Dq yes .
This option applies to protocol version 2 only.
+.It Cm RekeyLimit
+Specifies the maximum amount of data that may be transmitted before the
+session key is renegotiated.
+The argument is the number of bytes, with an optional suffix of
+.Sq K ,
+.Sq M ,
+or
+.Sq G
+to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
+The default is between
+.Dq 1G
+and
+.Dq 4G ,
+depending on the cipher.
+This option applies to protocol version 2 only.
.It Cm RemoteForward
-Specifies that a TCP/IP port on the remote machine be forwarded over
+Specifies that a TCP port on the remote machine be forwarded over
the secure channel to the specified host and port from the local machine.
The first argument must be
.Sm off
.Cm SendEnv
directives.
The default is not to send any environment variables.
-.It Cm ServerAliveInterval
-Sets a timeout interval in seconds after which if no data has been received
-from the server,
-.Nm ssh
-will send a message through the encrypted
-channel to request a response from the server.
-The default
-is 0, indicating that these messages will not be sent to the server.
-This option applies to protocol version 2 only.
.It Cm ServerAliveCountMax
-Sets the number of server alive messages (see above) which may be
+Sets the number of server alive messages (see below) which may be
sent without
.Nm ssh
receiving any messages back from the server.
The default value is 3.
If, for example,
.Cm ServerAliveInterval
-(above) is set to 15, and
+(see below) is set to 15, and
.Cm ServerAliveCountMax
is left at the default, if the server becomes unresponsive ssh
will disconnect after approximately 45 seconds.
+.It Cm ServerAliveInterval
+Sets a timeout interval in seconds after which if no data has been received
+from the server,
+.Nm ssh
+will send a message through the encrypted
+channel to request a response from the server.
+The default
+is 0, indicating that these messages will not be sent to the server.
+This option applies to protocol version 2 only.
.It Cm SmartcardDevice
Specifies which smartcard device to use.
The argument to this keyword is the device
.Pp
To disable TCP keepalive messages, the value should be set to
.Dq no .
+.It Cm Tunnel
+Request starting
+.Xr tun 4
+device forwarding between the client and the server.
+This option also allows requesting layer 2 (ethernet)
+instead of layer 3 (point-to-point) tunneling from the server.
+The argument must be
+.Dq yes ,
+.Dq point-to-point ,
+.Dq ethernet
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm TunnelDevice
+Force a specified
+.Xr tun 4
+device on the client.
+Without this option, the next available device will be used.
.It Cm UsePrivilegedPort
Specifies whether to use a privileged port for outgoing connections.
The argument must be
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.168 2005/07/17 07:17:55 djm Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.171 2005/12/06 22:38:27 reyk Exp $");
#include <openssl/bn.h>
#include "readconf.h"
#include "atomicio.h"
#include "misc.h"
-
#include "dns.h"
char *client_version_string = NULL;
char *server_version_string = NULL;
-int matching_host_key_dns = 0;
+static int matching_host_key_dns = 0;
/* import */
extern Options options;
file_key = key_new(host_key->type);
/*
- * Check if the host key is present in the user\'s list of known
+ * Check if the host key is present in the user's list of known
* hosts or in the systemwide list.
*/
host_file = user_hostfile;
xfree(fp);
}
+
+/*
+ * Execute a local command
+ */
+int
+ssh_local_cmd(const char *args)
+{
+ char *shell;
+ pid_t pid;
+ int status;
+
+ if (!options.permit_local_command ||
+ args == NULL || !*args)
+ return (1);
+
+ if ((shell = getenv("SHELL")) == NULL)
+ shell = _PATH_BSHELL;
+
+ pid = fork();
+ if (pid == 0) {
+ debug3("Executing %s -c \"%s\"", shell, args);
+ execl(shell, shell, "-c", args, (char *)NULL);
+ error("Couldn't execute %s -c \"%s\": %s",
+ shell, args, strerror(errno));
+ _exit(1);
+ } else if (pid == -1)
+ fatal("fork failed: %.100s", strerror(errno));
+ while (waitpid(pid, &status, 0) == -1)
+ if (errno != EINTR)
+ fatal("Couldn't wait for child: %s", strerror(errno));
+
+ if (!WIFEXITED(status))
+ return (1);
+
+ return (WEXITSTATUS(status));
+}
-/* $OpenBSD: sshconnect.h,v 1.17 2002/06/19 00:27:55 deraadt Exp $ */
+/* $OpenBSD: sshconnect.h,v 1.18 2005/12/06 22:38:28 reyk Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
void ssh_userauth2(const char *, const char *, char *, Sensitive *);
void ssh_put_password(char *);
-
+int ssh_local_cmd(const char *);
/*
* Macros to raise/lower permissions.
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.61 2005/06/17 02:44:33 djm Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.62 2005/10/30 08:52:18 djm Exp $");
#include <openssl/bn.h>
#include <openssl/md5.h>
/* Wait for server's response. */
type = packet_read();
- /* The server sends failure if it doesn\'t like our key or
+ /* The server sends failure if it doesn't like our key or
does not support RSA authentication. */
if (type == SSH_SMSG_FAILURE) {
debug("Server refused our key.");
type = packet_read();
/*
- * The server responds with failure if it doesn\'t like our key or
- * doesn\'t support RSA authentication.
+ * The server responds with failure if it doesn't like our key or
+ * doesn't support RSA authentication.
*/
if (type == SSH_SMSG_FAILURE) {
debug("Server refused our key.");
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.142 2005/08/30 22:08:05 djm Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.143 2005/10/14 02:17:59 stevesk Exp $");
#include "openbsd-compat/sys-queue.h"
packet_check_eom();
- debug("Server GSSAPI Error:\n%s\n", msg);
+ debug("Server GSSAPI Error:\n%s", msg);
xfree(msg);
xfree(lang);
}
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.208 2005/06/08 03:50:00 djm Exp $
+.\" $OpenBSD: sshd.8,v 1.215 2006/02/01 09:11:41 jmc Exp $
.Dd September 25, 1999
.Dt SSHD 8
.Os
.Ek
.Sh DESCRIPTION
.Nm
-(SSH Daemon) is the daemon program for
+(OpenSSH Daemon) is the daemon program for
.Xr ssh 1 .
Together these programs replace rlogin and rsh, and
provide secure encrypted communications between two untrusted hosts
over an insecure network.
-The programs are intended to be as easy to
-install and use as possible.
.Pp
.Nm
-is the daemon that listens for connections from clients.
+listens for connections from clients.
It is normally started at boot from
.Pa /etc/rc .
It forks a new
The forked daemons handle
key exchange, encryption, authentication, command execution,
and data exchange.
-This implementation of
-.Nm
-supports both SSH protocol version 1 and 2 simultaneously.
-.Nm
-works as follows:
-.Ss SSH protocol version 1
-Each host has a host-specific RSA key
-(normally 2048 bits) used to identify the host.
-Additionally, when
-the daemon starts, it generates a server RSA key (normally 768 bits).
-This key is normally regenerated every hour if it has been used, and
-is never stored on disk.
-.Pp
-Whenever a client connects, the daemon responds with its public
-host and server keys.
-The client compares the
-RSA host key against its own database to verify that it has not changed.
-The client then generates a 256-bit random number.
-It encrypts this
-random number using both the host key and the server key, and sends
-the encrypted number to the server.
-Both sides then use this
-random number as a session key which is used to encrypt all further
-communications in the session.
-The rest of the session is encrypted
-using a conventional cipher, currently Blowfish or 3DES, with 3DES
-being used by default.
-The client selects the encryption algorithm
-to use from those offered by the server.
-.Pp
-Next, the server and the client enter an authentication dialog.
-The client tries to authenticate itself using
-.Em .rhosts
-authentication combined with RSA host
-authentication, RSA challenge-response authentication, or password
-based authentication.
-.Pp
-Regardless of the authentication type, the account is checked to
-ensure that it is accessible. An account is not accessible if it is
-locked, listed in
-.Cm DenyUsers
-or its group is listed in
-.Cm DenyGroups
-\&. The definition of a locked account is system dependant. Some platforms
-have their own account database (eg AIX) and some modify the passwd field (
-.Ql \&*LK\&*
-on Solaris,
-.Ql \&*
-on HP-UX, containing
-.Ql Nologin
-on Tru64 and a leading
-.Ql \&!!
-on Linux). If there is a requirement to disable password authentication
-for the account while allowing still public-key, then the passwd field
-should be set to something other than these values (eg
-.Ql NP
-or
-.Ql \&*NP\&*
-).
-.Pp
-.Nm rshd ,
-.Nm rlogind ,
-and
-.Nm rexecd
-are disabled (thus completely disabling
-.Xr rlogin
-and
-.Xr rsh
-into the machine).
-.Ss SSH protocol version 2
-Version 2 works similarly:
-Each host has a host-specific key (RSA or DSA) used to identify the host.
-However, when the daemon starts, it does not generate a server key.
-Forward security is provided through a Diffie-Hellman key agreement.
-This key agreement results in a shared session key.
-.Pp
-The rest of the session is encrypted using a symmetric cipher, currently
-128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
-The client selects the encryption algorithm
-to use from those offered by the server.
-Additionally, session integrity is provided
-through a cryptographic message authentication code
-(hmac-sha1 or hmac-md5).
-.Pp
-Protocol version 2 provides a public key based
-user (PubkeyAuthentication) or
-client host (HostbasedAuthentication) authentication method,
-conventional password authentication and challenge response based methods.
-.Ss Command execution and data forwarding
-If the client successfully authenticates itself, a dialog for
-preparing the session is entered.
-At this time the client may request
-things like allocating a pseudo-tty, forwarding X11 connections,
-forwarding TCP/IP connections, or forwarding the authentication agent
-connection over the secure channel.
-.Pp
-Finally, the client either requests a shell or execution of a command.
-The sides then enter session mode.
-In this mode, either side may send
-data at any time, and such data is forwarded to/from the shell or
-command on the server side, and the user terminal in the client side.
-.Pp
-When the user program terminates and all forwarded X11 and other
-connections have been closed, the server sends command exit status to
-the client, and both sides exit.
.Pp
.Nm
can be configured using command-line options or a configuration file
(by default
-.Xr sshd_config 5 ) .
-Command-line options override values specified in the
+.Xr sshd_config 5 ) ;
+command-line options override values specified in the
configuration file.
-.Pp
.Nm
rereads its configuration file when it receives a hangup signal,
.Dv SIGHUP ,
Specifies the port on which the server listens for connections
(default 22).
Multiple port options are permitted.
-Ports specified in the configuration file are ignored when a
-command-line port is specified.
+Ports specified in the configuration file with the
+.Cm Port
+option are ignored when a command-line port is specified.
+Ports specified using the
+.Cm ListenAddress
+option override command-line ports.
.It Fl q
Quiet mode.
Nothing is sent to the system log.
mechanism or configuration requires it.
Authentication mechanisms that may require DNS include
.Cm RhostsRSAAuthentication ,
-.Cm HostbasedAuthentication
+.Cm HostbasedAuthentication ,
and using a
.Cm from="pattern-list"
option in a key file.
or
.Cm DenyUsers .
.El
-.Sh CONFIGURATION FILE
-.Nm
-reads configuration data from
-.Pa /etc/ssh/sshd_config
-(or the file specified with
-.Fl f
-on the command line).
-The file format and configuration options are described in
+.Sh AUTHENTICATION
+The OpenSSH SSH daemon supports SSH protocols 1 and 2.
+Both protocols are supported by default,
+though this can be changed via the
+.Cm Protocol
+option in
.Xr sshd_config 5 .
+Protocol 2 supports both RSA and DSA keys;
+protocol 1 only supports RSA keys.
+For both protocols,
+each host has a host-specific key,
+normally 2048 bits,
+used to identify the host.
+.Pp
+Forward security for protocol 1 is provided through
+an additional server key,
+normally 768 bits,
+generated when the server starts.
+This key is normally regenerated every hour if it has been used, and
+is never stored on disk.
+Whenever a client connects, the daemon responds with its public
+host and server keys.
+The client compares the
+RSA host key against its own database to verify that it has not changed.
+The client then generates a 256-bit random number.
+It encrypts this
+random number using both the host key and the server key, and sends
+the encrypted number to the server.
+Both sides then use this
+random number as a session key which is used to encrypt all further
+communications in the session.
+The rest of the session is encrypted
+using a conventional cipher, currently Blowfish or 3DES, with 3DES
+being used by default.
+The client selects the encryption algorithm
+to use from those offered by the server.
+.Pp
+For protocol 2,
+forward security is provided through a Diffie-Hellman key agreement.
+This key agreement results in a shared session key.
+The rest of the session is encrypted using a symmetric cipher, currently
+128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
+The client selects the encryption algorithm
+to use from those offered by the server.
+Additionally, session integrity is provided
+through a cryptographic message authentication code
+(hmac-sha1 or hmac-md5).
+.Pp
+Finally, the server and the client enter an authentication dialog.
+The client tries to authenticate itself using
+host-based authentication,
+public key authentication,
+challenge-response authentication,
+or password authentication.
+.Pp
+Regardless of the authentication type, the account is checked to
+ensure that it is accessible. An account is not accessible if it is
+locked, listed in
+.Cm DenyUsers
+or its group is listed in
+.Cm DenyGroups
+\&. The definition of a locked account is system dependant. Some platforms
+have their own account database (eg AIX) and some modify the passwd field (
+.Ql \&*LK\&*
+on Solaris and UnixWare,
+.Ql \&*
+on HP-UX, containing
+.Ql Nologin
+on Tru64,
+a leading
+.Ql \&*LOCKED\&*
+on FreeBSD and a leading
+.Ql \&!!
+on Linux). If there is a requirement to disable password authentication
+for the account while allowing still public-key, then the passwd field
+should be set to something other than these values (eg
+.Ql NP
+or
+.Ql \&*NP\&*
+).
+.Pp
+System security is not improved unless
+.Nm rshd ,
+.Nm rlogind ,
+and
+.Nm rexecd
+are disabled (thus completely disabling
+.Xr rlogin
+and
+.Xr rsh
+into the machine).
+.Sh COMMAND EXECUTION AND DATA FORWARDING
+If the client successfully authenticates itself, a dialog for
+preparing the session is entered.
+At this time the client may request
+things like allocating a pseudo-tty, forwarding X11 connections,
+forwarding TCP connections, or forwarding the authentication agent
+connection over the secure channel.
+.Pp
+Finally, the client either requests a shell or execution of a command.
+The sides then enter session mode.
+In this mode, either side may send
+data at any time, and such data is forwarded to/from the shell or
+command on the server side, and the user terminal in the client side.
+.Pp
+When the user program terminates and all forwarded X11 and other
+connections have been closed, the server sends command exit status to
+the client, and both sides exit.
.Sh LOGIN PROCESS
When a user successfully logs in,
.Nm
This option might be useful
to restrict certain public keys to perform just a specific operation.
An example might be a key that permits remote backups but nothing else.
-Note that the client may specify TCP/IP and/or X11
+Note that the client may specify TCP and/or X11
forwarding unless they are explicitly prohibited.
Note that this option applies to shell, command or subsystem execution.
.It Cm environment="NAME=value"
.Cm UseLogin
is enabled.
.It Cm no-port-forwarding
-Forbids TCP/IP forwarding when this key is used for authentication.
+Forbids TCP forwarding when this key is used for authentication.
Any port forward requests by the client will return an error.
This might be used, e.g., in connection with the
.Cm command
options may be applied separated by commas.
No pattern matching is performed on the specified hostnames,
they must be literal domains or addresses.
+.It Cm tunnel="n"
+Force a
+.Xr tun 4
+device on the server.
+Without this option, the next available device will be used if
+the client requests a tunnel.
.El
.Ss Examples
1024 33 12121...312314325 ylo@foo.bar
command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi
.Pp
permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323
+.Pp
+tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== reyk@openbsd.org
.Sh SSH_KNOWN_HOSTS FILE FORMAT
The
.Pa /etc/ssh/ssh_known_hosts
*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.312 2005/07/25 11:59:40 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.318 2005/12/24 02:27:41 djm Exp $");
#include <openssl/dh.h>
#include <openssl/bn.h>
if (authctxt->pw->pw_uid == 0 || options.use_login) {
#endif
/* File descriptor passing is broken or root login */
- monitor_apply_keystate(pmonitor);
use_privsep = 0;
- return;
- }
-
- /* Authentication complete */
- alarm(0);
- if (startup_pipe != -1) {
- close(startup_pipe);
- startup_pipe = -1;
+ goto skip;
}
/* New socket pair */
/* Drop privileges */
do_setusercontext(authctxt->pw);
+ skip:
/* It is safe now to apply the key state */
monitor_apply_keystate(pmonitor);
* bignum iqmp "
* bignum p "
* bignum q "
+ * string rngseed (only if OpenSSL is not self-seeded)
*/
buffer_init(&m);
buffer_put_cstring(&m, buffer_ptr(conf));
} else
buffer_put_int(&m, 0);
+#ifndef OPENSSL_PRNG_ONLY
+ rexec_send_rng_seed(&m);
+#endif
+
if (ssh_msg_send(fd, 0, &m) == -1)
fatal("%s: ssh_msg_send failed", __func__);
rsa_generate_additional_parameters(
sensitive_data.server_key->rsa);
}
+
+#ifndef OPENSSL_PRNG_ONLY
+ rexec_recv_rng_seed(&m);
+#endif
+
buffer_free(&m);
debug3("%s: done", __func__);
if (geteuid() == 0 && setgroups(0, NULL) == -1)
debug("setgroups(): %.200s", strerror(errno));
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
/* Initialize configuration options to their default values. */
initialize_server_options(&options);
drop_cray_privs();
#endif
- seed_rng();
-
sensitive_data.server_key = NULL;
sensitive_data.ssh1_host_key = NULL;
sensitive_data.have_ssh1_key = 0;
if (!rexec_flag)
buffer_free(&cfg);
+ seed_rng();
+
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
debug("get_remote_port failed");
cleanup_exit(255);
}
- remote_ip = get_remote_ipaddr();
+
+ /*
+ * We use get_canonical_hostname with usedns = 0 instead of
+ * get_remote_ipaddr here so IP options will be checked.
+ */
+ remote_ip = get_canonical_hostname(0);
#ifdef SSH_AUDIT_EVENTS
audit_connection_from(remote_ip, remote_port);
verbose("Connection from %.500s port %d", remote_ip, remote_port);
/*
- * We don\'t want to listen forever unless the other side
+ * We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
* cleared after successful authentication. A limit of zero
- * indicates no limit. Note that we don\'t set the alarm in debugging
+ * indicates no limit. Note that we don't set the alarm in debugging
* mode; it is just annoying to have the server exit just when you
* are about to discover the bug.
*/
}
authenticated:
+ /*
+ * Cancel the alarm we set to limit the time taken for
+ * authentication.
+ */
+ alarm(0);
+ signal(SIGALRM, SIG_DFL);
+ if (startup_pipe != -1) {
+ close(startup_pipe);
+ startup_pipe = -1;
+ }
+
#ifdef SSH_AUDIT_EVENTS
audit_event(SSH_AUTH_SUCCESS);
#endif
-# $OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $
+# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
+#PermitTunnel no
# no default banner path
#Banner /some/path
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.44 2005/07/25 11:59:40 markus Exp $
+.\" $OpenBSD: sshd_config.5,v 1.48 2006/01/02 17:09:49 jmc Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
aes192-ctr,aes256-ctr''
.Ed
.It Cm ClientAliveCountMax
-Sets the number of client alive messages (see above) which may be
+Sets the number of client alive messages (see below) which may be
sent without
.Nm sshd
receiving any messages back from the client.
The default value is 3.
If
.Cm ClientAliveInterval
-(above) is set to 15, and
+(see below) is set to 15, and
.Cm ClientAliveCountMax
is left at the default, unresponsive ssh clients
will be disconnected after approximately 45 seconds.
Default is
.Dq no .
.It Cm KerberosGetAFSToken
-If AFS is active and the user has a Kerberos 5 TGT, attempt to aquire
+If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
an AFS token before accessing the user's home directory.
Default is
.Dq no .
If this option is set to
.Dq no
root is not allowed to log in.
+.It Cm PermitTunnel
+Specifies whether
+.Xr tun 4
+device forwarding is allowed.
+The argument must be
+.Dq yes ,
+.Dq point-to-point ,
+.Dq ethernet
+or
+.Dq no .
+The default is
+.Dq no .
.It Cm PermitUserEnvironment
Specifies whether
.Pa ~/.ssh/environment
-/* $OpenBSD: version.h,v 1.45 2005/08/31 09:28:42 markus Exp $ */
+/* $OpenBSD: version.h,v 1.46 2006/02/01 11:27:22 markus Exp $ */
-#define SSH_VERSION "OpenSSH_4.2"
+#define SSH_VERSION "OpenSSH_4.3"
#define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
andersk / gssapi-openssh.git / commitdiff
