ssh-rand-helper
survey.sh
survey
+opensshd.init
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
Theo de Raadt, and Dug Song - Creators of OpenSSH
+Ahsan Rashid <arms@sco.com> - UnixWare long passwords
Alain St-Denis <Alain.St-Denis@ec.gc.ca> - Irix fix
Alexandre Oliva <oliva@lsd.ic.unicamp.br> - AIX fixes
Andre Lucas <andre@ae-35.com> - new login code, many fixes
David Hesprich <darkgrue@gue-tech.org> - Configure fixes
David Rankin <drankin@bohemians.lexington.ky.us> - libwrap, AIX, NetBSD fixes
Dag-Erling Smørgrav <des at freebsd.org> - Challenge-Response PAM code.
+Dhiraj Gulati <dgulati@sco.com> - UnixWare long passwords
Ed Eden <ede370@stl.rural.usda.gov> - configure fixes
Garrick James <garrick@james.net> - configure fixes
Gary E. Miller <gem@rellim.com> - SCO support
+20050901
+ - (djm) Update RPM spec file versions
+
+20050831
+ - (djm) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2005/08/30 22:08:05
+ [gss-serv.c sshconnect2.c]
+ destroy credentials if krb5_kuserok() call fails. Stops credentials being
+ delegated to users who are not authorised for GSSAPIAuthentication when
+ GSSAPIDeletegateCredentials=yes and another authentication mechanism
+ succeeds; bz#1073 reported by paul.moore AT centrify.com, fix by
+ simon AT sxw.org.uk, tested todd@ biorn@ jakob@; ok deraadt@
+ - markus@cvs.openbsd.org 2005/08/31 09:28:42
+ [version.h]
+ 4.2
+ - (dtucker) [README] Update release note URL to 4.2
+ - (tim) [configure.ac auth.c defines.h session.c openbsd-compat/port-uw.c
+ openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] libiaf cleanup. Disable
+ libiaf bits for OpenServer6. Free memory allocated by ia_get_logpwd().
+ Feedback and OK dtucker@
+
+20050830
+ - (tim) [configure.ac] Back out last change. It needs to be done differently.
+
+20050829
+ - (tim) [configure.ac] ia_openinfo() seems broken on OSR6. Limit UW long
+ password support to 7.x for now.
+
+20050826
+ - (tim) [CREDITS LICENCE auth.c configure.ac defines.h includes.h session.c
+ openbsd-compat/Makefile.in openbsd-compat/openbsd-compat.h
+ openbsd-compat/xcrypt.c] New files [openssh/openbsd-compat/port-uw.c
+ openssh/openbsd-compat/port-uw.h] Support long passwords (> 8-char)
+ on UnixWare 7 from Dhiraj Gulati and Ahsan Rashid. Cleanup and testing
+ by tim@. Feedback and OK dtucker@
+
+20050823
+ - (dtucker) [regress/test-exec.sh] Do not prepend an extra "/" to a fully-
+ qualified sshd pathname since some systems (eg Cygwin) may consider "/foo"
+ and "//foo" to be different. Spotted by vinschen at redhat.com.
+ - (tim) [configure.ac] Not all gcc's support -Wsign-compare. Enhancements
+ and OK dtucker@
+ - (tim) [defines.h] PATH_MAX bits for OpenServer OK dtucker@
+
+20050821
+ - (dtucker) [configure.ac defines.h includes.h sftp.c] Add support for
+ LynxOS, patch from Olli Savia (ops at iki.fi). ok djm@
+
+20050816
+ - (djm) [ttymodes.c] bugzilla #1025: Fix encoding of _POSIX_VDISABLE,
+ from Jacob Nevins; ok dtucker@
+
+20050815
+ - (tim) [sftp.c] wrap el_end() in #ifdef USE_LIBEDIT
+ - (tim) [configure.ac] corrections to libedit tests. Report and patches
+ by skeleten AT shillest.net
+
+20050812
+ - (djm) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2005/07/28 17:36:22
+ [packet.c]
+ missing packet_init_compression(); from solar
+ - djm@cvs.openbsd.org 2005/07/30 01:26:16
+ [ssh.c]
+ fix -D listen_host initialisation, so it picks up gateway_ports setting
+ correctly
+ - djm@cvs.openbsd.org 2005/07/30 02:03:47
+ [readconf.c]
+ listen_hosts initialisation here too; spotted greg AT y2005.nest.cx
+ - dtucker@cvs.openbsd.org 2005/08/06 10:03:12
+ [servconf.c]
+ Unbreak sshd ListenAddress for bare IPv6 addresses.
+ Report from Janusz Mucka; ok djm@
+ - jaredy@cvs.openbsd.org 2005/08/08 13:22:48
+ [sftp.c]
+ sftp prompt enhancements:
+ - in non-interactive mode, do not print an empty prompt at the end
+ before finishing
+ - print newline after EOF in editline mode
+ - call el_end() in editline mode
+ ok dtucker djm
+
+20050810
+ - (dtucker) [configure.ac] Test libedit library and headers for compatibility.
+ Report from skeleten AT shillest.net, ok djm@
+ - (dtucker) [LICENCE configure.ac defines.h openbsd-compat/realpath.c]
+ Sync current (thread-safe) version of realpath.c from OpenBSD (which is
+ in turn based on FreeBSD's). ok djm@
+
+20050809
+ - (tim) [configure.ac] Allow --with-audit=no. OK dtucker@
+ Report by skeleten AT shillest.net
+
+20050803
+ - (dtucker) [openbsd-compat/fake-rfc2553.h] Check for EAI_* defines
+ individually and use a value less likely to collide with real values from
+ netdb.h. Fixes compile warnings on FreeBSD 5.3. ok djm@
+ - (dtucker) [openbsd-compat/fake-rfc2553.h] MAX_INT -> INT_MAX since the
+ latter is specified in the standard.
+
+20050802
+ - (dtucker) OpenBSD CVS Sync
+ - dtucker@cvs.openbsd.org 2005/07/27 10:39:03
+ [scp.c hostfile.c sftp-client.c]
+ Silence bogus -Wuninitialized warnings; ok djm@
+ - (dtucker) [configure.ac] Enable -Wuninitialized by default when compiling
+ with gcc. ok djm@
+ - (dtucker) [configure.ac] Add a --with-Werror option to configure for
+ adding -Werror to CFLAGS when all of the configure tests are done. ok djm@
+
+20050726
+ - (dtucker) [configure.ac] Update zlib warning message too, pointed out by
+ tim@.
+ - (djm) OpenBSD CVS Sync
+ - otto@cvs.openbsd.org 2005/07/19 15:32:26
+ [auth-passwd.c]
+ auth_usercheck(3) can return NULL, so check for that. Report from
+ mpech@. ok markus@
+ - markus@cvs.openbsd.org 2005/07/25 11:59:40
+ [kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c]
+ [sshconnect2.c sshd.c sshd_config sshd_config.5]
+ add a new compression method that delays compression until the user
+ has been authenticated successfully and set compression to 'delayed'
+ for sshd.
+ this breaks older openssh clients (< 3.5) if they insist on
+ compression, so you have to re-enable compression in sshd_config.
+ ok djm@
+
+20050725
+ - (dtucker) [configure.ac] Update zlib version check for CAN-2005-2096.
+
+20050717
+- OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2005/07/16 01:35:24
+ [auth1.c channels.c cipher.c clientloop.c kex.c session.c ssh.c]
+ [sshconnect.c]
+ spacing
+ - (djm) [acss.c auth-pam.c auth-shadow.c auth-skey.c auth1.c canohost.c]
+ [cipher-acss.c loginrec.c ssh-rand-helper.c sshd.c] Fix whitespace at EOL
+ in portable too ("perl -p -i -e 's/\s+$/\n/' *.[ch]")
+ - (djm) [auth-pam.c sftp.c] spaces vs. tabs at start of line
+ - djm@cvs.openbsd.org 2005/07/17 06:49:04
+ [channels.c channels.h session.c session.h]
+ Fix a number of X11 forwarding channel leaks:
+ 1. Refuse multiple X11 forwarding requests on the same session
+ 2. Clean up all listeners after a single_connection X11 forward, not just
+ the one that made the single connection
+ 3. Destroy X11 listeners when the session owning them goes away
+ testing and ok dtucker@
+ - djm@cvs.openbsd.org 2005/07/17 07:17:55
+ [auth-rh-rsa.c auth-rhosts.c auth2-chall.c auth2-gss.c channels.c]
+ [cipher-ctr.c gss-genr.c gss-serv.c kex.c moduli.c readconf.c]
+ [serverloop.c session.c sftp-client.c sftp.c ssh-add.c ssh-keygen.c]
+ [sshconnect.c sshconnect2.c]
+ knf says that a 2nd level indent is four (not three or five) spaces
+ -(djm) [audit.c auth1.c auth2.c entropy.c loginrec.c serverloop.c]
+ [ssh-rand-helper.c] fix portable 2nd level indents at 4 spaces too
+ - (djm) [monitor.c monitor_wrap.c] -Wsign-compare for PAM monitor calls
+
+20050716
+ - (dtucker) [auth-pam.c] Ensure that only one side of the authentication
+ socketpair stays open on in both the monitor and PAM process. Patch from
+ Joerg Sonnenberger.
+
+20050714
+ - (dtucker) OpenBSD CVS Sync
+ - dtucker@cvs.openbsd.org 2005/07/06 09:33:05
+ [ssh.1]
+ clarify meaning of ssh -b ; with & ok jmc@
+ - dtucker@cvs.openbsd.org 2005/07/08 09:26:18
+ [misc.c]
+ Make comment match code; ok djm@
+ - markus@cvs.openbsd.org 2005/07/08 09:41:33
+ [channels.h]
+ race when efd gets closed while there is still buffered data:
+ change CHANNEL_EFD_OUTPUT_ACTIVE()
+ 1) c->efd must always be valid AND
+ 2a) no EOF has been seen OR
+ 2b) there is buffered data
+ report, initial fix and testing Chuck Cranor
+ - dtucker@cvs.openbsd.org 2005/07/08 10:20:41
+ [ssh_config.5]
+ change BindAddress to match recent ssh -b change; prompted by markus@
+ - jmc@cvs.openbsd.org 2005/07/08 12:53:10
+ [ssh_config.5]
+ new sentence, new line;
+ - dtucker@cvs.openbsd.org 2005/07/14 04:00:43
+ [misc.h]
+ use __sentinel__ attribute; ok deraadt@ djm@ markus@
+ - (dtucker) [configure.ac defines.h] Define __sentinel__ to nothing if the
+ compiler doesn't understand it to prevent warnings. If any mainstream
+ compiler versions acquire it we can test for those versions. Based on
+ discussion with djm@.
+
+20050707
+ - dtucker [auth-krb5.c auth.h gss-serv-krb5.c] Move KRB5CCNAME generation for
+ the MIT Kerberos code path into a common function and expand mkstemp
+ template to be consistent with the rest of OpenSSH. From sxw at
+ inf.ed.ac.uk, ok djm@
+ - (dtucker) [auth-krb5.c] There's no guarantee that snprintf will set errno
+ in the case where the buffer is insufficient, so always return ENOMEM.
+ Also pointed out by sxw at inf.ed.ac.uk.
+ - (dtucker) [acconfig.h auth-krb5.c configure.ac gss-serv-krb5.c] Remove
+ calls to krb5_init_ets, which has not been required since krb-1.1.x and
+ most Kerberos versions no longer export in their public API. From sxw
+ at inf.ed.ac.uk, ok djm@
+
+20050706
+ - (djm) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2005/07/01 13:19:47
+ [channels.c]
+ don't free() if getaddrinfo() fails; report mpech@
+ - djm@cvs.openbsd.org 2005/07/04 00:58:43
+ [channels.c clientloop.c clientloop.h misc.c misc.h ssh.c ssh_config.5]
+ implement support for X11 and agent forwarding over multiplex slave
+ connections. Because of protocol limitations, the slave connections inherit
+ the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
+ their own.
+ ok dtucker@ "put it in" deraadt@
+ - jmc@cvs.openbsd.org 2005/07/04 11:29:51
+ [ssh_config.5]
+ fix Xr and a little grammar;
+ - markus@cvs.openbsd.org 2005/07/04 14:04:11
+ [channels.c]
+ don't forget to set x11_saved_display
+
+20050626
+ - (djm) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2005/06/17 22:53:47
+ [ssh.c sshconnect.c]
+ Fix ControlPath's %p expanding to "0" for a default port,
+ spotted dwmw2 AT infradead.org; ok markus@
+ - djm@cvs.openbsd.org 2005/06/18 04:30:36
+ [ssh.c ssh_config.5]
+ allow ControlPath=none, patch from dwmw2 AT infradead.org; ok dtucker@
+ - djm@cvs.openbsd.org 2005/06/25 22:47:49
+ [ssh.c]
+ do the default port filling code a few lines earlier, so it really
+ does fix %p
+
+20050618
+ - (djm) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2005/05/20 12:57:01;
+ [auth1.c] split protocol 1 auth methods into separate functions, makes
+ authloop much more readable; fixes and ok markus@ (portable ok &
+ polish dtucker@)
+ - djm@cvs.openbsd.org 2005/06/17 02:44:33
+ [auth1.c] make this -Wsign-compare clean; ok avsm@ markus@
+ - (djm) [loginrec.c ssh-rand-helper.c] Fix -Wsign-compare for portable,
+ tested and fixes tim@
+
+20050617
+ - (djm) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2005/06/16 03:38:36
+ [channels.c channels.h clientloop.c clientloop.h ssh.c]
+ move x11_get_proto from ssh.c to clientloop.c, to make muliplexed xfwd
+ easier later; ok deraadt@
+ - markus@cvs.openbsd.org 2005/06/16 08:00:00
+ [canohost.c channels.c sshd.c]
+ don't exit if getpeername fails for forwarded ports; bugzilla #1054;
+ ok djm
+ - djm@cvs.openbsd.org 2005/06/17 02:44:33
+ [auth-rsa.c auth.c auth1.c auth2-chall.c auth2-gss.c authfd.c authfile.c]
+ [bufaux.c canohost.c channels.c cipher.c clientloop.c dns.c gss-serv.c]
+ [kex.c kex.h key.c mac.c match.c misc.c packet.c packet.h scp.c]
+ [servconf.c session.c session.h sftp-client.c sftp-server.c sftp.c]
+ [ssh-keyscan.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
+ make this -Wsign-compare clean; ok avsm@ markus@
+ NB. auth1.c changes not committed yet (conflicts with uncommitted sync)
+ NB2. more work may be needed to make portable Wsign-compare clean
+ - (dtucker) [cipher.c openbsd-compat/openbsd-compat.h
+ openbsd-compat/openssl-compat.c] only include openssl compat stuff where
+ it's needed as it can cause conflicts elsewhere (eg xcrypt.c). Found by
+ and ok tim@
+
+20050616
+ - (djm) OpenBSD CVS Sync
+ - jaredy@cvs.openbsd.org 2005/06/07 13:25:23
+ [progressmeter.c]
+ catch SIGWINCH and resize progress meter accordingly; ok markus dtucker
+ - djm@cvs.openbsd.org 2005/06/06 11:20:36
+ [auth.c auth.h misc.c misc.h ssh.c ssh_config.5 sshconnect.c]
+ introduce a generic %foo expansion function. replace existing % expansion
+ and add expansion to ControlPath; ok markus@
+ - djm@cvs.openbsd.org 2005/06/08 03:50:00
+ [ssh-keygen.1 ssh-keygen.c sshd.8]
+ increase default rsa/dsa key length from 1024 to 2048 bits;
+ ok markus@ deraadt@
+ - djm@cvs.openbsd.org 2005/06/08 11:25:09
+ [clientloop.c readconf.c readconf.h ssh.c ssh_config.5]
+ add ControlMaster=auto/autoask options to support opportunistic
+ multiplexing; tested avsm@ and jakob@, ok markus@
+ - dtucker@cvs.openbsd.org 2005/06/09 13:43:49
+ [cipher.c]
+ Correctly initialize end of array sentinel; ok djm@
+ (Id sync only, change already in portable)
+
+20050609
+ - (dtucker) [cipher.c openbsd-compat/Makefile.in
+ openbsd-compat/openbsd-compat.h openbsd-compat/openssl-compat.{c,h}]
+ Move compatibility code for supporting older OpenSSL versions to the
+ compat layer. Suggested by and "no objection" djm@
+
+20050607
+ - (dtucker) [configure.ac] Continue the hunt for LLONG_MIN and LLONG_MAX:
+ in today's episode we attempt to coax it from limits.h where it may be
+ hiding, failing that we take the DIY approach. Tested by tim@
+
+20050603
+ - (dtucker) [configure.ac] Only try gcc -std=gnu99 if LLONG_MAX isn't
+ defined, and check that it helps before keeping it in CFLAGS. Some old
+ gcc's don't set an error code when encountering an unknown value in -std.
+ Found and tested by tim@.
+ - (dtucker) [configure.ac] Point configure's reporting address at the
+ openssh-unix-dev list. ok tim@ djm@
+
+20050602
+ - (tim) [configure.ac] Some platforms need sys/types.h for arpa/nameser.h.
+ Take AC_CHECK_HEADERS test out of ultrix section. It caused other platforms
+ to skip builtin standard includes tests. (first AC_CHECK_HEADERS test
+ must be run on all platforms) Add missing ;; to case statement. OK dtucker@
+
+20050601
+ - (dtucker) [configure.ac] Look for _getshort and _getlong in
+ arpa/nameser.h.
+ - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoll.c]
+ Add strtoll to the compat library, from OpenBSD.
+ - (dtucker) OpenBSD CVS Sync
+ - avsm@cvs.openbsd.org 2005/05/26 02:08:05
+ [scp.c]
+ If copying multiple files to a target file (which normally fails, as it
+ must be a target directory), kill the spawned ssh child before exiting.
+ This stops it trying to authenticate and spewing lots of output.
+ deraadt@ ok
+ - dtucker@cvs.openbsd.org 2005/05/26 09:08:12
+ [ssh-keygen.c]
+ uint32_t -> u_int32_t for consistency; ok djm@
+ - djm@cvs.openbsd.org 2005/05/27 08:30:37
+ [ssh.c]
+ fix -O for cases where no ControlPath has been specified or socket at
+ ControlPath is not contactable; spotted by and ok avsm@
+ - (tim) [config.guess config.sub] Update to '2005-05-27' version.
+ - (tim) [configure.ac] set TEST_SHELL for OpenServer 6
+
+20050531
+ - (dtucker) [contrib/aix/pam.conf] Correct comments. From davidl at
+ vintela.com.
+ - (dtucker) [mdoc2man.awk] Teach it to understand .Ox.
+
+20050530
+ - (dtucker) [README] Link to new release notes. Beter late than never...
+
+20050529
+ - (dtucker) [openbsd-compat/port-aix.c] Bug #1046: AIX 5.3 expects the
+ argument to passwdexpired to be initialized to NULL. Suggested by tim@
+ While at it, initialize the other arguments to auth functions in case they
+ ever acquire this behaviour.
+ - (dtucker) [openbsd-compat/port-aix.c] Whitespace cleanups while there.
+ - (dtucker) [openbsd-compat/port-aix.c] Minor correction to debug message,
+ spotted by tim@.
+
+20050528
+ - (dtucker) [configure.ac] For AC_CHECK_HEADERS() and AC_CHECK_FUNCS() have
+ one entry per line to make it easier to merge changes. ok djm@
+ - (dtucker) [configure.ac] strsep() may be defined in string.h, so check
+ for its presence and include it in the strsep check.
+ - (dtucker) [configure.ac] getpgrp may be defined in unistd.h, so check for
+ its presence before doing AC_FUNC_GETPGRP.
+ - (dtucker) [configure.ac] Merge HP-UX blocks into a common block with minor
+ version-specific variations as required.
+ - (dtucker) [openbsd-compat/port-aix.h] Use the HAVE_DECL_* definitions as
+ per the autoconf man page. Configure should always define them but it
+ doesn't hurt to check.
+
+20050527
+ - (djm) [defines.h] Use our realpath if we have to define PATH_MAX, spotted by
+ David Leach; ok dtucker@
+ - (dtucker) [acconfig.h configure.ac defines.h includes.h sshpty.c
+ openbsd-compat/bsd-misc.c] Add support for Ultrix. No, that's not a typo.
+ Required changes from Bernhard Simon, integrated by me. ok djm@
+
+20050525
+ - (djm) [mpaux.c mpaux.h Makefile.in] Remove old mpaux.[ch] code, it has not
+ been used for a while
+ - (djm) OpenBSD CVS Sync
+ - otto@cvs.openbsd.org 2005/04/05 13:45:31
+ [ssh-keygen.c]
+ - djm@cvs.openbsd.org 2005/04/06 09:43:59
+ [sshd.c]
+ avoid harmless logspam by not performing setsockopt() on non-socket;
+ ok markus@
+ - dtucker@cvs.openbsd.org 2005/04/06 12:26:06
+ [ssh.c]
+ Fix debug call for port forwards; patch from pete at seebeyond.com,
+ ok djm@ (ID sync only - change already in portable)
+ - djm@cvs.openbsd.org 2005/04/09 04:32:54
+ [misc.c misc.h tildexpand.c Makefile.in]
+ replace tilde_expand_filename with a simpler implementation, ahead of
+ more whacking; ok deraadt@
+ - jmc@cvs.openbsd.org 2005/04/14 12:30:30
+ [ssh.1]
+ arg to -b is an address, not if_name;
+ ok markus@
+ - jakob@cvs.openbsd.org 2005/04/20 10:05:45
+ [dns.c]
+ do not try to look up SSHFP for numerical hostname. ok djm@
+ - djm@cvs.openbsd.org 2005/04/21 06:17:50
+ [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8]
+ [sshd_config.5] OpenSSH doesn't ever look at the $HOME environment
+ variable, so don't say that we do (bz #623); ok deraadt@
+ - djm@cvs.openbsd.org 2005/04/21 11:47:19
+ [ssh.c]
+ don't allocate a pty when -n flag (/dev/null stdin) is set, patch from
+ ignasi.roca AT fujitsu-siemens.com (bz #829); ok dtucker@
+ - dtucker@cvs.openbsd.org 2005/04/23 23:43:47
+ [readpass.c]
+ Add debug message if read_passphrase can't open /dev/tty; bz #471;
+ ok djm@
+ - jmc@cvs.openbsd.org 2005/04/26 12:59:02
+ [sftp-client.h]
+ spelling correction in comment from wiz@netbsd;
+ - jakob@cvs.openbsd.org 2005/04/26 13:08:37
+ [ssh.c ssh_config.5]
+ fallback gracefully if client cannot connect to ControlPath. ok djm@
+ - moritz@cvs.openbsd.org 2005/04/28 10:17:56
+ [progressmeter.c ssh-keyscan.c]
+ add snprintf checks. ok djm@ markus@
+ - markus@cvs.openbsd.org 2005/05/02 21:13:22
+ [readpass.c]
+ missing {}
+ - djm@cvs.openbsd.org 2005/05/10 10:28:11
+ [ssh.c]
+ print nice error message for EADDRINUSE as well (ID sync only)
+ - djm@cvs.openbsd.org 2005/05/10 10:30:43
+ [ssh.c]
+ report real errors on fallback from ControlMaster=no to normal connect
+ - markus@cvs.openbsd.org 2005/05/16 15:30:51
+ [readconf.c servconf.c]
+ check return value from strdelim() for NULL (AddressFamily); mpech
+ - djm@cvs.openbsd.org 2005/05/19 02:39:55
+ [sshd_config.5]
+ sort config options, from grunk AT pestilenz.org; ok jmc@
+ - djm@cvs.openbsd.org 2005/05/19 02:40:52
+ [sshd_config]
+ whitespace nit, from grunk AT pestilenz.org
+ - djm@cvs.openbsd.org 2005/05/19 02:42:26
+ [includes.h]
+ fix cast, from grunk AT pestilenz.org
+ - djm@cvs.openbsd.org 2005/05/20 10:50:55
+ [ssh_config.5]
+ give a ProxyCommand example using nc(1), with and ok jmc@
+ - jmc@cvs.openbsd.org 2005/05/20 11:23:32
+ [ssh_config.5]
+ oops - article and spacing;
+ - avsm@cvs.openbsd.org 2005/05/23 22:44:01
+ [moduli.c ssh-keygen.c]
+ - removes signed/unsigned comparisons in moduli generation
+ - use strtonum instead of atoi where its easier
+ - check some strlcpy overflow and fatal instead of truncate
+ - djm@cvs.openbsd.org 2005/05/23 23:32:46
+ [cipher.c myproposal.h ssh.1 ssh_config.5 sshd_config.5]
+ add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes;
+ ok markus@
+ - avsm@cvs.openbsd.org 2005/05/24 02:05:09
+ [ssh-keygen.c]
+ some style nits from dmiller@, and use a fatal() instead of a printf()/exit
+ - avsm@cvs.openbsd.org 2005/05/24 17:32:44
+ [atomicio.c atomicio.h authfd.c monitor_wrap.c msg.c scp.c sftp-client.c]
+ [ssh-keyscan.c sshconnect.c]
+ Switch atomicio to use a simpler interface; it now returns a size_t
+ (containing number of bytes read/written), and indicates error by
+ returning 0. EOF is signalled by errno==EPIPE.
+ Typical use now becomes:
+
+ if (atomicio(read, ..., len) != len)
+ err(1,"read");
+
+ ok deraadt@, cloder@, djm@
+ - (dtucker) [regress/reexec.sh] Add ${EXEEXT} so this test also works on
+ Cygwin.
+ - (dtucker) [auth-pam.c] Bug #1033: Fix warnings building with PAM on Linux:
+ warning: dereferencing type-punned pointer will break strict-aliasing rules
+ warning: passing arg 3 of `pam_get_item' from incompatible pointer type
+ The type-punned pointer fix is based on a patch from SuSE's rpm. ok djm@
+ - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Bug #1033: Provide
+ templates for _getshort and _getlong if missing to prevent compiler warnings
+ on Linux.
+ - (djm) [configure.ac openbsd-compat/Makefile.in]
+ [openbsd-compat/openbsd-compat.h openbsd-compat/strtonum.c]
+ Add strtonum(3) from OpenBSD libc, new code needs it.
+ Unfortunately Linux forces us to do a bizarre dance with compiler
+ options to get LLONG_MIN/MAX; Spotted by and ok dtucker@
+
20050524
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Update spec file versions to 4.1p1
- (dtucker) [openbsd-compat/bsd-cygwin_util.c] Ensure sufficient memory
allocation when retrieving core Windows environment. Add CYGWIN variable
to propagated variables. Patch from vinschen at redhat.com, ok djm@
- - (djm) Release 4.1p1
+ - Release 4.1p1
20050524
- (djm) [openbsd-compat/readpassphrase.c] bz #950: Retry tcsetattr to ensure
William Jones
Darren Tucker
Sun Microsystems
+ The SCO Group
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
Damien Miller
Eric P. Allman
The Regents of the University of California
+ Constantin S. Svintsoff
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
- log.o match.o moduli.o mpaux.o nchan.o packet.o \
- readpass.o rsa.o tildexpand.o ttymodes.o xmalloc.o \
+ log.o match.o moduli.o nchan.o packet.o \
+ readpass.o rsa.o ttymodes.o xmalloc.o \
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
$(PERL) $(srcdir)/fixprogs ssh_prng_cmds $(ENT); \
fi
-# fake rule to stop make trying to compile moduli.o into a binary "modulo"
+# fake rule to stop make trying to compile moduli.o into a binary "moduli.o"
moduli:
echo
-See http://www.openssh.com/txt/release-4.0 for the release notes.
+See http://www.openssh.com/txt/release-4.2 for the release notes.
- A Japanese translation of this document and of the OpenSSH FAQ is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
[2] http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
[3] http://www.gzip.org/zlib/
[4] http://www.openssl.org/
-[5] http://www.kernel.org/pub/linux/libs/pam/ (PAM is standard on Solaris
- and HP-UX 11)
+[5] http://www.openpam.org
+ http://www.kernel.org/pub/linux/libs/pam/
+ (PAM also is standard on Solaris and HP-UX 11)
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
[7] http://www.openssh.com/faq.html
Privsep requires operating system support for file descriptor passing.
Compression will be disabled on systems without a working mmap MAP_ANON.
-PAM-enabled OpenSSH is known to function with privsep on AIX, HP-UX
-(including Trusted Mode), Linux and Solaris.
+PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD,
+HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.
On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication
part of privsep is supported. Post-authentication privsep is disabled
Tuning the random helper can be done by running ./ssh-random-helper in
very verbose mode ("-vvv") and identifying the commands that are taking
-accessive amounts of time or hanging altogher. Any problem commands can
+excessive amounts of time or hanging altogher. Any problem commands can
be modified or removed from ssh_prng_cmds.
The default entropy collector will timeout programs which take too long
/* Define if you are on NeXT */
#undef HAVE_NEXT
-/* Define if you are on NEWS-OS */
-#undef HAVE_NEWS4
-
/* Define if you want to enable PAM support */
#undef USE_PAM
/* Define if you don't want to use lastlog in session.c */
#undef NO_SSH_LASTLOG
-/* Define if have krb5_init_ets */
-#undef KRB5_INIT_ETS
-
/* Define if you don't want to use utmp */
#undef DISABLE_UTMP
/* decryption sbox */
static unsigned char sboxdec[] = {
- 0x33, 0x73, 0x3b, 0x26, 0x63, 0x23, 0x6b, 0x76,
- 0x3e, 0x7e, 0x36, 0x2b, 0x6e, 0x2e, 0x66, 0x7b,
- 0xd3, 0x93, 0xdb, 0x06, 0x43, 0x03, 0x4b, 0x96,
- 0xde, 0x9e, 0xd6, 0x0b, 0x4e, 0x0e, 0x46, 0x9b,
- 0x57, 0x17, 0x5f, 0x82, 0xc7, 0x87, 0xcf, 0x12,
- 0x5a, 0x1a, 0x52, 0x8f, 0xca, 0x8a, 0xc2, 0x1f,
- 0xd9, 0x99, 0xd1, 0x00, 0x49, 0x09, 0x41, 0x90,
- 0xd8, 0x98, 0xd0, 0x01, 0x48, 0x08, 0x40, 0x91,
- 0x3d, 0x7d, 0x35, 0x24, 0x6d, 0x2d, 0x65, 0x74,
- 0x3c, 0x7c, 0x34, 0x25, 0x6c, 0x2c, 0x64, 0x75,
- 0xdd, 0x9d, 0xd5, 0x04, 0x4d, 0x0d, 0x45, 0x94,
- 0xdc, 0x9c, 0xd4, 0x05, 0x4c, 0x0c, 0x44, 0x95,
- 0x59, 0x19, 0x51, 0x80, 0xc9, 0x89, 0xc1, 0x10,
- 0x58, 0x18, 0x50, 0x81, 0xc8, 0x88, 0xc0, 0x11,
- 0xd7, 0x97, 0xdf, 0x02, 0x47, 0x07, 0x4f, 0x92,
- 0xda, 0x9a, 0xd2, 0x0f, 0x4a, 0x0a, 0x42, 0x9f,
- 0x53, 0x13, 0x5b, 0x86, 0xc3, 0x83, 0xcb, 0x16,
- 0x5e, 0x1e, 0x56, 0x8b, 0xce, 0x8e, 0xc6, 0x1b,
- 0xb3, 0xf3, 0xbb, 0xa6, 0xe3, 0xa3, 0xeb, 0xf6,
- 0xbe, 0xfe, 0xb6, 0xab, 0xee, 0xae, 0xe6, 0xfb,
- 0x37, 0x77, 0x3f, 0x22, 0x67, 0x27, 0x6f, 0x72,
- 0x3a, 0x7a, 0x32, 0x2f, 0x6a, 0x2a, 0x62, 0x7f,
- 0xb9, 0xf9, 0xb1, 0xa0, 0xe9, 0xa9, 0xe1, 0xf0,
- 0xb8, 0xf8, 0xb0, 0xa1, 0xe8, 0xa8, 0xe0, 0xf1,
- 0x5d, 0x1d, 0x55, 0x84, 0xcd, 0x8d, 0xc5, 0x14,
- 0x5c, 0x1c, 0x54, 0x85, 0xcc, 0x8c, 0xc4, 0x15,
- 0xbd, 0xfd, 0xb5, 0xa4, 0xed, 0xad, 0xe5, 0xf4,
- 0xbc, 0xfc, 0xb4, 0xa5, 0xec, 0xac, 0xe4, 0xf5,
- 0x39, 0x79, 0x31, 0x20, 0x69, 0x29, 0x61, 0x70,
- 0x38, 0x78, 0x30, 0x21, 0x68, 0x28, 0x60, 0x71,
- 0xb7, 0xf7, 0xbf, 0xa2, 0xe7, 0xa7, 0xef, 0xf2,
+ 0x33, 0x73, 0x3b, 0x26, 0x63, 0x23, 0x6b, 0x76,
+ 0x3e, 0x7e, 0x36, 0x2b, 0x6e, 0x2e, 0x66, 0x7b,
+ 0xd3, 0x93, 0xdb, 0x06, 0x43, 0x03, 0x4b, 0x96,
+ 0xde, 0x9e, 0xd6, 0x0b, 0x4e, 0x0e, 0x46, 0x9b,
+ 0x57, 0x17, 0x5f, 0x82, 0xc7, 0x87, 0xcf, 0x12,
+ 0x5a, 0x1a, 0x52, 0x8f, 0xca, 0x8a, 0xc2, 0x1f,
+ 0xd9, 0x99, 0xd1, 0x00, 0x49, 0x09, 0x41, 0x90,
+ 0xd8, 0x98, 0xd0, 0x01, 0x48, 0x08, 0x40, 0x91,
+ 0x3d, 0x7d, 0x35, 0x24, 0x6d, 0x2d, 0x65, 0x74,
+ 0x3c, 0x7c, 0x34, 0x25, 0x6c, 0x2c, 0x64, 0x75,
+ 0xdd, 0x9d, 0xd5, 0x04, 0x4d, 0x0d, 0x45, 0x94,
+ 0xdc, 0x9c, 0xd4, 0x05, 0x4c, 0x0c, 0x44, 0x95,
+ 0x59, 0x19, 0x51, 0x80, 0xc9, 0x89, 0xc1, 0x10,
+ 0x58, 0x18, 0x50, 0x81, 0xc8, 0x88, 0xc0, 0x11,
+ 0xd7, 0x97, 0xdf, 0x02, 0x47, 0x07, 0x4f, 0x92,
+ 0xda, 0x9a, 0xd2, 0x0f, 0x4a, 0x0a, 0x42, 0x9f,
+ 0x53, 0x13, 0x5b, 0x86, 0xc3, 0x83, 0xcb, 0x16,
+ 0x5e, 0x1e, 0x56, 0x8b, 0xce, 0x8e, 0xc6, 0x1b,
+ 0xb3, 0xf3, 0xbb, 0xa6, 0xe3, 0xa3, 0xeb, 0xf6,
+ 0xbe, 0xfe, 0xb6, 0xab, 0xee, 0xae, 0xe6, 0xfb,
+ 0x37, 0x77, 0x3f, 0x22, 0x67, 0x27, 0x6f, 0x72,
+ 0x3a, 0x7a, 0x32, 0x2f, 0x6a, 0x2a, 0x62, 0x7f,
+ 0xb9, 0xf9, 0xb1, 0xa0, 0xe9, 0xa9, 0xe1, 0xf0,
+ 0xb8, 0xf8, 0xb0, 0xa1, 0xe8, 0xa8, 0xe0, 0xf1,
+ 0x5d, 0x1d, 0x55, 0x84, 0xcd, 0x8d, 0xc5, 0x14,
+ 0x5c, 0x1c, 0x54, 0x85, 0xcc, 0x8c, 0xc4, 0x15,
+ 0xbd, 0xfd, 0xb5, 0xa4, 0xed, 0xad, 0xe5, 0xf4,
+ 0xbc, 0xfc, 0xb4, 0xa5, 0xec, 0xac, 0xe4, 0xf5,
+ 0x39, 0x79, 0x31, 0x20, 0x69, 0x29, 0x61, 0x70,
+ 0x38, 0x78, 0x30, 0x21, 0x68, 0x28, 0x60, 0x71,
+ 0xb7, 0xf7, 0xbf, 0xa2, 0xe7, 0xa7, 0xef, 0xf2,
0xba, 0xfa, 0xb2, 0xaf, 0xea, 0xaa, 0xe2, 0xff
};
};
static unsigned char reverse[] = {
- 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
- 0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0,
- 0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8,
- 0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8,
- 0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4,
- 0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4,
- 0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec,
- 0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc,
- 0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2,
- 0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2,
- 0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea,
- 0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa,
- 0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6,
- 0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6,
- 0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee,
- 0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe,
- 0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1,
- 0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1,
- 0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9,
- 0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9,
- 0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5,
- 0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5,
- 0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed,
- 0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd,
- 0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3,
- 0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3,
- 0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb,
- 0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb,
- 0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7,
- 0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7,
- 0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef,
- 0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff
+ 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
+ 0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0,
+ 0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8,
+ 0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8,
+ 0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4,
+ 0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4,
+ 0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec,
+ 0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc,
+ 0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2,
+ 0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2,
+ 0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea,
+ 0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa,
+ 0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6,
+ 0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6,
+ 0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee,
+ 0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe,
+ 0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1,
+ 0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1,
+ 0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9,
+ 0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9,
+ 0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5,
+ 0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5,
+ 0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed,
+ 0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd,
+ 0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3,
+ 0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3,
+ 0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb,
+ 0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb,
+ 0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7,
+ 0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7,
+ 0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef,
+ 0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff
};
/*
/*
+ * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
* Copyright (c) 1995,1999 Theo de Raadt. All rights reserved.
* All rights reserved.
*
*/
#include "includes.h"
-RCSID("$OpenBSD: atomicio.c,v 1.12 2003/07/31 15:50:16 avsm Exp $");
+RCSID("$OpenBSD: atomicio.c,v 1.13 2005/05/24 17:32:43 avsm Exp $");
#include "atomicio.h"
/*
* ensure all of data on socket comes through. f==read || f==vwrite
*/
-ssize_t
+size_t
atomicio(f, fd, _s, n)
ssize_t (*f) (int, void *, size_t);
int fd;
size_t n;
{
char *s = _s;
- ssize_t res, pos = 0;
+ size_t pos = 0;
+ ssize_t res;
while (n > pos) {
res = (f) (fd, s + pos, n - pos);
if (errno == EINTR || errno == EAGAIN)
#endif
continue;
+ return 0;
case 0:
- return (res);
+ errno = EPIPE;
+ return pos;
default:
- pos += res;
+ pos += (u_int)res;
}
}
return (pos);
-/* $OpenBSD: atomicio.h,v 1.5 2003/06/28 16:23:06 deraadt Exp $ */
+/* $OpenBSD: atomicio.h,v 1.6 2005/05/24 17:32:43 avsm Exp $ */
/*
* Copyright (c) 1995,1999 Theo de Raadt. All rights reserved.
/*
* Ensure all of data on socket comes through. f==read || f==vwrite
*/
-ssize_t atomicio(ssize_t (*)(int, void *, size_t), int, void *, size_t);
+size_t atomicio(ssize_t (*)(int, void *, size_t), int, void *, size_t);
#define vwrite (ssize_t (*)(int, void *, size_t))write
audit_connection_from(const char *host, int port)
{
debug("audit connection from %s port %d euid %d", host, port,
- (int)geteuid());
+ (int)geteuid());
}
/*
const char *t = ttyn ? ttyn : "(no tty)";
debug("audit session open euid %d user %s tty name %s", geteuid(),
- audit_username(), t);
+ audit_username(), t);
}
/*
const char *t = ttyn ? ttyn : "(no tty)";
debug("audit session close euid %d user %s tty name %s", geteuid(),
- audit_username(), t);
+ audit_username(), t);
}
/*
problem = krb5_init_context(&authctxt->krb5_ctx);
if (problem)
return (problem);
-#ifdef KRB5_INIT_ETS
- krb5_init_ets(authctxt->krb5_ctx);
-#endif
}
return (0);
}
#ifndef HEIMDAL
krb5_creds creds;
krb5_principal server;
- char ccname[40];
- int tmpfd;
- mode_t old_umask;
#endif
krb5_error_code problem;
krb5_ccache ccache = NULL;
goto out;
}
- snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
-
- old_umask = umask(0177);
- tmpfd = mkstemp(ccname + strlen("FILE:"));
- umask(old_umask);
- if (tmpfd == -1) {
- logit("mkstemp(): %.100s", strerror(errno));
- problem = errno;
- goto out;
- }
-
- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
- logit("fchmod(): %.100s", strerror(errno));
- close(tmpfd);
- problem = errno;
- goto out;
- }
- close(tmpfd);
-
- problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);
+ problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
if (problem)
goto out;
}
}
+#ifndef HEIMDAL
+krb5_error_code
+ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
+ int tmpfd, ret;
+ char ccname[40];
+ mode_t old_umask;
+
+ ret = snprintf(ccname, sizeof(ccname),
+ "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
+ if (ret == -1 || ret >= sizeof(ccname))
+ return ENOMEM;
+
+ old_umask = umask(0177);
+ tmpfd = mkstemp(ccname + strlen("FILE:"));
+ umask(old_umask);
+ if (tmpfd == -1) {
+ logit("mkstemp(): %.100s", strerror(errno));
+ return errno;
+ }
+
+ if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+ logit("fchmod(): %.100s", strerror(errno));
+ close(tmpfd);
+ return errno;
+ }
+ close(tmpfd);
+
+ return (krb5_cc_resolve(ctx, ccname, ccache));
+}
+#endif /* !HEIMDAL */
#endif /* KRB5 */
#include <pam/pam_appl.h>
#endif
+/* OpenGroup RFC86.0 and XSSO specify no "const" on arguments */
+#ifdef PAM_SUN_CODEBASE
+# define sshpam_const /* Solaris, HP-UX, AIX */
+#else
+# define sshpam_const const /* LinuxPAM, OpenPAM */
+#endif
+
#include "auth.h"
#include "auth-pam.h"
#include "buffer.h"
static int sshpam_thread_status = -1;
static mysig_t sshpam_oldsig;
-static void
+static void
sshpam_sigchld_handler(int sig)
{
signal(SIGCHLD, SIG_DFL);
if (cleanup_ctxt == NULL)
return; /* handler called after PAM cleanup, shouldn't happen */
if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, WNOHANG)
- <= 0) {
+ <= 0) {
/* PAM thread has not exitted, privsep slave must have */
kill(cleanup_ctxt->pam_thread, SIGTERM);
if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, 0)
void *(*thread_start)(void *), void *arg)
{
pid_t pid;
+ struct pam_ctxt *ctx = arg;
sshpam_thread_status = -1;
switch ((pid = fork())) {
error("fork(): %s", strerror(errno));
return (-1);
case 0:
+ close(ctx->pam_psock);
+ ctx->pam_psock = -1;
thread_start(arg);
_exit(1);
default:
*thread = pid;
+ close(ctx->pam_csock);
+ ctx->pam_csock = -1;
sshpam_oldsig = signal(SIGCHLD, sshpam_sigchld_handler);
return (0);
}
* Conversation function for authentication thread.
*/
static int
-sshpam_thread_conv(int n, struct pam_message **msg,
+sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
{
Buffer buffer;
char **env_from_pam;
u_int i;
const char *pam_user;
+ const char **ptr_pam_user = &pam_user;
- pam_get_item(sshpam_handle, PAM_USER, (void **)&pam_user);
+ pam_get_item(sshpam_handle, PAM_USER,
+ (sshpam_const void **)ptr_pam_user);
environ[0] = NULL;
if (sshpam_authctxt != NULL) {
}
static int
-sshpam_null_conv(int n, struct pam_message **msg,
+sshpam_null_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
{
debug3("PAM: %s entering, %d messages", __func__, n);
static struct pam_conv null_conv = { sshpam_null_conv, NULL };
static int
-sshpam_store_conv(int n, struct pam_message **msg,
+sshpam_store_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
{
struct pam_response *reply;
{
extern char *__progname;
const char *pam_rhost, *pam_user, *user = authctxt->user;
+ const char **ptr_pam_user = &pam_user;
if (sshpam_handle != NULL) {
/* We already have a PAM context; check if the user matches */
sshpam_err = pam_get_item(sshpam_handle,
- PAM_USER, (void **)&pam_user);
+ PAM_USER, (sshpam_const void **)ptr_pam_user);
if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0)
return (0);
pam_end(sshpam_handle, sshpam_err);
buffer_init(&buffer);
if (sshpam_authctxt->valid &&
(sshpam_authctxt->pw->pw_uid != 0 ||
- options.permit_root_login == PERMIT_YES))
+ options.permit_root_login == PERMIT_YES))
buffer_put_cstring(&buffer, *resp);
else
buffer_put_cstring(&buffer, badpw);
sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
pam_strerror(sshpam_handle, sshpam_err));
-
+
if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
sshpam_account_status = 0;
return (sshpam_account_status);
}
static int
-sshpam_tty_conv(int n, struct pam_message **msg,
+sshpam_tty_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
{
char input[PAM_MAX_MSG_SIZE];
* display.
*/
static int
-sshpam_passwd_conv(int n, struct pam_message **msg,
+sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
{
struct pam_response *reply;
*resp = reply;
return (PAM_SUCCESS);
- fail:
+ fail:
for(i = 0; i < n; i++) {
if (reply[i].resp != NULL)
xfree(reply[i].resp);
* information via timing (eg if the PAM config has a delay on fail).
*/
if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
- options.permit_root_login != PERMIT_YES))
+ options.permit_root_login != PERMIT_YES))
sshpam_password = badpw;
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
debug("PAM: password authentication accepted for %.100s",
authctxt->user);
- return 1;
+ return 1;
} else {
debug("PAM: password authentication failed for %.100s: %s",
authctxt->valid ? authctxt->user : "an illegal user",
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-passwd.c,v 1.33 2005/01/24 11:47:13 dtucker Exp $");
+RCSID("$OpenBSD: auth-passwd.c,v 1.34 2005/07/19 15:32:26 otto Exp $");
#include "packet.h"
#include "buffer.h"
as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
(char *)password);
+ if (as == NULL)
+ return (0);
if (auth_getstate(as) & AUTH_PWEXPIRED) {
auth_close(as);
disable_forwarding();
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-rh-rsa.c,v 1.37 2003/11/04 08:54:09 djm Exp $");
+RCSID("$OpenBSD: auth-rh-rsa.c,v 1.38 2005/07/17 07:17:54 djm Exp $");
#include "packet.h"
#include "uidswap.h"
*/
verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
- pw->pw_name, cuser, chost);
+ pw->pw_name, cuser, chost);
packet_send_debug("Rhosts with RSA host authentication accepted.");
return 1;
}
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-rhosts.c,v 1.32 2003/11/04 08:54:09 djm Exp $");
+RCSID("$OpenBSD: auth-rhosts.c,v 1.33 2005/07/17 07:17:54 djm Exp $");
#include "packet.h"
#include "uidswap.h"
/* If the entry was negated, deny access. */
if (negated) {
auth_debug_add("Matched negative entry in %.100s.",
- filename);
+ filename);
return 0;
}
/* Accept authentication. */
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-rsa.c,v 1.62 2004/12/11 01:48:56 dtucker Exp $");
+RCSID("$OpenBSD: auth-rsa.c,v 1.63 2005/06/17 02:44:32 djm Exp $");
#include <openssl/rsa.h>
#include <openssl/md5.h>
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
char *cp;
char *key_options;
+ int keybits;
/* Skip leading whitespace, empty and comment lines. */
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
continue;
/* check the real bits */
- if (bits != BN_num_bits(key->rsa->n))
+ keybits = BN_num_bits(key->rsa->n);
+ if (keybits < 0 || bits != (u_int)keybits)
logit("Warning: %s, line %lu: keysize mismatch: "
"actual %d vs. announced %d.",
file, linenum, BN_num_bits(key->rsa->n), bits);
#if defined(__hpux) && !defined(HAVE_SECUREWARE)
if (iscomsec()) {
struct pr_passwd *pr;
-
+
pr = getprpwnam((char *)user);
/* Test for Trusted Mode expiry disabled */
int len;
struct skey skey;
- if (_compat_skeychallenge(&skey, authctxt->user, challenge,
+ if (_compat_skeychallenge(&skey, authctxt->user, challenge,
sizeof(challenge)) == -1)
return -1;
*/
#include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.58 2005/03/14 11:44:42 dtucker Exp $");
+RCSID("$OpenBSD: auth.c,v 1.60 2005/06/17 02:44:32 djm Exp $");
#ifdef HAVE_LOGIN_H
#include <login.h>
struct stat st;
const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
char *shell;
- int i;
+ u_int i;
#ifdef USE_SHADOW
struct spwd *spw = NULL;
#endif
/* grab passwd field for locked account check */
#ifdef USE_SHADOW
if (spw != NULL)
+#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
+ passwd = get_iaf_password(pw);
+#else
passwd = spw->sp_pwdp;
+#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
#else
passwd = pw->pw_passwd;
#endif
if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
locked = 1;
#endif
+#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
+ free(passwd);
+#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
if (locked) {
logit("User %.100s not allowed because account is locked",
pw->pw_name);
*
* This returns a buffer allocated by xmalloc.
*/
-char *
-expand_filename(const char *filename, struct passwd *pw)
+static char *
+expand_authorized_keys(const char *filename, struct passwd *pw)
{
- Buffer buffer;
- char *file;
- const char *cp;
+ char *file, *ret;
- /*
- * Build the filename string in the buffer by making the appropriate
- * substitutions to the given file name.
- */
- buffer_init(&buffer);
- for (cp = filename; *cp; cp++) {
- if (cp[0] == '%' && cp[1] == '%') {
- buffer_append(&buffer, "%", 1);
- cp++;
- continue;
- }
- if (cp[0] == '%' && cp[1] == 'h') {
- buffer_append(&buffer, pw->pw_dir, strlen(pw->pw_dir));
- cp++;
- continue;
- }
- if (cp[0] == '%' && cp[1] == 'u') {
- buffer_append(&buffer, pw->pw_name,
- strlen(pw->pw_name));
- cp++;
- continue;
- }
- buffer_append(&buffer, cp, 1);
- }
- buffer_append(&buffer, "\0", 1);
+ file = percent_expand(filename, "h", pw->pw_dir,
+ "u", pw->pw_name, (char *)NULL);
/*
* Ensure that filename starts anchored. If not, be backward
* compatible and prepend the '%h/'
*/
- file = xmalloc(MAXPATHLEN);
- cp = buffer_ptr(&buffer);
- if (*cp != '/')
- snprintf(file, MAXPATHLEN, "%s/%s", pw->pw_dir, cp);
- else
- strlcpy(file, cp, MAXPATHLEN);
+ if (*file == '/')
+ return (file);
+
+ ret = xmalloc(MAXPATHLEN);
+ if (strlcpy(ret, pw->pw_dir, MAXPATHLEN) >= MAXPATHLEN ||
+ strlcat(ret, "/", MAXPATHLEN) >= MAXPATHLEN ||
+ strlcat(ret, file, MAXPATHLEN) >= MAXPATHLEN)
+ fatal("expand_authorized_keys: path too long");
- buffer_free(&buffer);
- return file;
+ xfree(file);
+ return (ret);
}
char *
authorized_keys_file(struct passwd *pw)
{
- return expand_filename(options.authorized_keys_file, pw);
+ return expand_authorized_keys(options.authorized_keys_file, pw);
}
char *
authorized_keys_file2(struct passwd *pw)
{
- return expand_filename(options.authorized_keys_file2, pw);
+ return expand_authorized_keys(options.authorized_keys_file2, pw);
}
/* return ok if key exists in sysfile or userfile */
-/* $OpenBSD: auth.h,v 1.50 2004/05/23 23:59:53 dtucker Exp $ */
+/* $OpenBSD: auth.h,v 1.51 2005/06/06 11:20:36 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
int verify_response(Authctxt *, const char *);
void abandon_challenge_response(Authctxt *);
-char *expand_filename(const char *, struct passwd *);
char *authorized_keys_file(struct passwd *);
char *authorized_keys_file2(struct passwd *);
#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
#define SKEY_PROMPT "\nS/Key Password: "
+
+#if defined(KRB5) && !defined(HEIMDAL)
+#include <krb5.h>
+krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
+#endif
#endif
*/
#include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.62 2005/07/16 01:35:24 djm Exp $");
#include "xmalloc.h"
#include "rsa.h"
extern ServerOptions options;
extern Buffer loginmsg;
-/*
- * convert ssh auth msg type into description
- */
+static int auth1_process_password(Authctxt *, char *, size_t);
+static int auth1_process_rsa(Authctxt *, char *, size_t);
+static int auth1_process_rhosts_rsa(Authctxt *, char *, size_t);
+static int auth1_process_tis_challenge(Authctxt *, char *, size_t);
+static int auth1_process_tis_response(Authctxt *, char *, size_t);
+
+static char *client_user = NULL; /* Used to fill in remote user for PAM */
+
+struct AuthMethod1 {
+ int type;
+ char *name;
+ int *enabled;
+ int (*method)(Authctxt *, char *, size_t);
+};
+
+const struct AuthMethod1 auth1_methods[] = {
+ {
+ SSH_CMSG_AUTH_PASSWORD, "password",
+ &options.password_authentication, auth1_process_password
+ },
+ {
+ SSH_CMSG_AUTH_RSA, "rsa",
+ &options.rsa_authentication, auth1_process_rsa
+ },
+ {
+ SSH_CMSG_AUTH_RHOSTS_RSA, "rhosts-rsa",
+ &options.rhosts_rsa_authentication, auth1_process_rhosts_rsa
+ },
+ {
+ SSH_CMSG_AUTH_TIS, "challenge-response",
+ &options.challenge_response_authentication,
+ auth1_process_tis_challenge
+ },
+ {
+ SSH_CMSG_AUTH_TIS_RESPONSE, "challenge-response",
+ &options.challenge_response_authentication,
+ auth1_process_tis_response
+ },
+ { -1, NULL, NULL, NULL}
+};
+
+static const struct AuthMethod1
+*lookup_authmethod1(int type)
+{
+ int i;
+
+ for(i = 0; auth1_methods[i].name != NULL; i++)
+ if (auth1_methods[i].type == type)
+ return (&(auth1_methods[i]));
+
+ return (NULL);
+}
+
static char *
get_authname(int type)
{
- static char buf[1024];
- switch (type) {
- case SSH_CMSG_AUTH_PASSWORD:
- return "password";
- case SSH_CMSG_AUTH_RSA:
- return "rsa";
- case SSH_CMSG_AUTH_RHOSTS_RSA:
- return "rhosts-rsa";
- case SSH_CMSG_AUTH_RHOSTS:
- return "rhosts";
- case SSH_CMSG_AUTH_TIS:
- case SSH_CMSG_AUTH_TIS_RESPONSE:
- return "challenge-response";
+ const struct AuthMethod1 *a;
+ static char buf[64];
+
+ if ((a = lookup_authmethod1(type)) != NULL)
+ return (a->name);
+ snprintf(buf, sizeof(buf), "bad-auth-msg-%d", type);
+ return (buf);
+}
+
+static int
+auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
+{
+ int authenticated = 0;
+ char *password;
+ u_int dlen;
+
+ /*
+ * Read user password. It is in plain text, but was
+ * transmitted over the encrypted channel so it is
+ * not visible to an outside observer.
+ */
+ password = packet_get_string(&dlen);
+ packet_check_eom();
+
+ /* Try authentication with the password. */
+ authenticated = PRIVSEP(auth_password(authctxt, password));
+
+ memset(password, 0, dlen);
+ xfree(password);
+
+ return (authenticated);
+}
+
+static int
+auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen)
+{
+ int authenticated = 0;
+ BIGNUM *n;
+
+ /* RSA authentication requested. */
+ if ((n = BN_new()) == NULL)
+ fatal("do_authloop: BN_new failed");
+ packet_get_bignum(n);
+ packet_check_eom();
+ authenticated = auth_rsa(authctxt, n);
+ BN_clear_free(n);
+
+ return (authenticated);
+}
+
+static int
+auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen)
+{
+ int keybits, authenticated = 0;
+ u_int bits;
+ Key *client_host_key;
+ u_int ulen;
+
+ /*
+ * Get client user name. Note that we just have to
+ * trust the client; root on the client machine can
+ * claim to be any user.
+ */
+ client_user = packet_get_string(&ulen);
+
+ /* Get the client host key. */
+ client_host_key = key_new(KEY_RSA1);
+ bits = packet_get_int();
+ packet_get_bignum(client_host_key->rsa->e);
+ packet_get_bignum(client_host_key->rsa->n);
+
+ keybits = BN_num_bits(client_host_key->rsa->n);
+ if (keybits < 0 || bits != (u_int)keybits) {
+ verbose("Warning: keysize mismatch for client_host_key: "
+ "actual %d, announced %d",
+ BN_num_bits(client_host_key->rsa->n), bits);
}
- snprintf(buf, sizeof buf, "bad-auth-msg-%d", type);
- return buf;
+ packet_check_eom();
+
+ authenticated = auth_rhosts_rsa(authctxt, client_user,
+ client_host_key);
+ key_free(client_host_key);
+
+ snprintf(info, infolen, " ruser %.100s", client_user);
+
+ return (authenticated);
+}
+
+static int
+auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
+{
+ char *challenge;
+
+ if ((challenge = get_challenge(authctxt)) == NULL)
+ return (0);
+
+ debug("sending challenge '%s'", challenge);
+ packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
+ packet_put_cstring(challenge);
+ xfree(challenge);
+ packet_send();
+ packet_write_wait();
+
+ return (-1);
+}
+
+static int
+auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen)
+{
+ int authenticated = 0;
+ char *response;
+ u_int dlen;
+
+ response = packet_get_string(&dlen);
+ packet_check_eom();
+ authenticated = verify_response(authctxt, response);
+ memset(response, 'r', dlen);
+ xfree(response);
+
+ return (authenticated);
}
/*
do_authloop(Authctxt *authctxt)
{
int authenticated = 0;
- u_int bits;
- Key *client_host_key;
- BIGNUM *n;
- char *client_user, *password;
char info[1024];
- u_int dlen;
- u_int ulen;
- int prev, type = 0;
+ int prev = 0, type = 0;
+ const struct AuthMethod1 *meth;
debug("Attempting authentication for %s%.100s.",
authctxt->valid ? "" : "invalid user ", authctxt->user);
packet_send();
packet_write_wait();
- client_user = NULL;
-
for (;;) {
/* default to fail */
authenticated = 0;
type != SSH_CMSG_AUTH_TIS_RESPONSE)
abandon_challenge_response(authctxt);
- /* Process the packet. */
- switch (type) {
- case SSH_CMSG_AUTH_RHOSTS_RSA:
- if (!options.rhosts_rsa_authentication) {
- verbose("Rhosts with RSA authentication disabled.");
- break;
- }
- /*
- * Get client user name. Note that we just have to
- * trust the client; root on the client machine can
- * claim to be any user.
- */
- client_user = packet_get_string(&ulen);
-
- /* Get the client host key. */
- client_host_key = key_new(KEY_RSA1);
- bits = packet_get_int();
- packet_get_bignum(client_host_key->rsa->e);
- packet_get_bignum(client_host_key->rsa->n);
-
- if (bits != BN_num_bits(client_host_key->rsa->n))
- verbose("Warning: keysize mismatch for client_host_key: "
- "actual %d, announced %d",
- BN_num_bits(client_host_key->rsa->n), bits);
- packet_check_eom();
-
- authenticated = auth_rhosts_rsa(authctxt, client_user,
- client_host_key);
- key_free(client_host_key);
-
- snprintf(info, sizeof info, " ruser %.100s", client_user);
- break;
-
- case SSH_CMSG_AUTH_RSA:
- if (!options.rsa_authentication) {
- verbose("RSA authentication disabled.");
- break;
- }
- /* RSA authentication requested. */
- if ((n = BN_new()) == NULL)
- fatal("do_authloop: BN_new failed");
- packet_get_bignum(n);
- packet_check_eom();
- authenticated = auth_rsa(authctxt, n);
- BN_clear_free(n);
- break;
-
- case SSH_CMSG_AUTH_PASSWORD:
- if (!options.password_authentication) {
- verbose("Password authentication disabled.");
- break;
- }
- /*
- * Read user password. It is in plain text, but was
- * transmitted over the encrypted channel so it is
- * not visible to an outside observer.
- */
- password = packet_get_string(&dlen);
- packet_check_eom();
-
- /* Try authentication with the password. */
- authenticated = PRIVSEP(auth_password(authctxt, password));
-
- memset(password, 0, strlen(password));
- xfree(password);
- break;
-
- case SSH_CMSG_AUTH_TIS:
- debug("rcvd SSH_CMSG_AUTH_TIS");
- if (options.challenge_response_authentication == 1) {
- char *challenge = get_challenge(authctxt);
- if (challenge != NULL) {
- debug("sending challenge '%s'", challenge);
- packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
- packet_put_cstring(challenge);
- xfree(challenge);
- packet_send();
- packet_write_wait();
- continue;
- }
- }
- break;
- case SSH_CMSG_AUTH_TIS_RESPONSE:
- debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
- if (options.challenge_response_authentication == 1) {
- char *response = packet_get_string(&dlen);
- packet_check_eom();
- authenticated = verify_response(authctxt, response);
- memset(response, 'r', dlen);
- xfree(response);
- }
- break;
-
- default:
- /*
- * Any unknown messages will be ignored (and failure
- * returned) during authentication.
- */
- logit("Unknown message during authentication: type %d", type);
- break;
+ if ((meth = lookup_authmethod1(type)) == NULL) {
+ logit("Unknown message during authentication: "
+ "type %d", type);
+ goto skip;
+ }
+
+ if (!*(meth->enabled)) {
+ verbose("%s authentication disabled.", meth->name);
+ goto skip;
}
+
+ authenticated = meth->method(authctxt, info, sizeof(info));
+ if (authenticated == -1)
+ continue; /* "postponed" */
+
#ifdef BSD_AUTH
if (authctxt->as) {
auth_close(authctxt->as);
#ifdef HAVE_CYGWIN
if (authenticated &&
- !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,
+ !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,
authctxt->pw)) {
packet_disconnect("Authentication rejected for uid %d.",
authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid);
#else
/* Special handling for root */
if (authenticated && authctxt->pw->pw_uid == 0 &&
- !auth_root_allowed(get_authname(type))) {
- authenticated = 0;
+ !auth_root_allowed(meth->name)) {
+ authenticated = 0;
# ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
# endif
size_t len;
error("Access denied for user %s by PAM account "
- "configuration", authctxt->user);
+ "configuration", authctxt->user);
len = buffer_len(&loginmsg);
buffer_append(&loginmsg, "\0", 1);
msg = buffer_ptr(&loginmsg);
}
#endif
+ skip:
/* Log before sending the reply */
auth_log(authctxt, authenticated, get_authname(type), info);
/*
* If we are not running as root, the user must have the same uid as
- * the server. (Unless you are running Windows)
+ * the server.
*/
#ifndef HAVE_CYGWIN
if (!use_privsep && getuid() != 0 && authctxt->pw &&
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2-chall.c,v 1.22 2005/01/19 13:11:47 dtucker Exp $");
+RCSID("$OpenBSD: auth2-chall.c,v 1.24 2005/07/17 07:17:54 djm Exp $");
#include "ssh2.h"
#include "auth.h"
kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
xfree(t);
debug2("kbdint_next_device: devices %s", kbdintctxt->devices ?
- kbdintctxt->devices : "<empty>");
+ kbdintctxt->devices : "<empty>");
} while (kbdintctxt->devices && !kbdintctxt->device);
return kbdintctxt->device ? 1 : 0;
{
KbdintAuthctxt *kbdintctxt;
char *name, *instr, **prompts;
- int i;
- u_int *echo_on;
+ u_int i, *echo_on;
kbdintctxt = authctxt->kbdintctxt;
if (kbdintctxt->device->query(kbdintctxt->ctxt,
{
Authctxt *authctxt = ctxt;
KbdintAuthctxt *kbdintctxt;
- int i, authenticated = 0, res, len;
- u_int nresp;
+ int authenticated = 0, res, len;
+ u_int i, nresp;
char **response = NULL, *method;
if (authctxt == NULL)
-/* $OpenBSD: auth2-gss.c,v 1.8 2004/06/21 17:36:31 avsm Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.10 2005/07/17 07:17:54 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
int present;
OM_uint32 ms;
u_int len;
- char *doid = NULL;
+ u_char *doid = NULL;
if (!authctxt->valid || authctxt->user == NULL)
return (0);
present = 0;
doid = packet_get_string(&len);
- if (len > 2 &&
- doid[0] == SSH_GSS_OIDTYPE &&
- doid[1] == len - 2) {
+ if (len > 2 && doid[0] == SSH_GSS_OIDTYPE &&
+ doid[1] == len - 2) {
goid.elements = doid + 2;
goid.length = len - 2;
gss_test_oid_set_member(&ms, &goid, supported,
packet_write_wait();
}
fatal("Access denied for user %s by PAM account "
- "configuration", authctxt->user);
+ "configuration", authctxt->user);
}
}
#endif
*/
#include "includes.h"
-RCSID("$OpenBSD: authfd.c,v 1.64 2004/08/11 21:44:31 avsm Exp $");
+RCSID("$OpenBSD: authfd.c,v 1.66 2005/06/17 02:44:32 djm Exp $");
#include <openssl/evp.h>
static int
ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply)
{
- int l;
- u_int len;
+ u_int l, len;
char buf[1024];
/* Get the length of the message, and format it in the buffer. */
l = len;
if (l > sizeof(buf))
l = sizeof(buf);
- l = atomicio(read, auth->fd, buf, l);
- if (l <= 0) {
+ if (atomicio(read, auth->fd, buf, l) != l) {
error("Error reading response from authentication socket.");
return 0;
}
Key *
ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int version)
{
+ int keybits;
u_int bits;
u_char *blob;
u_int blen;
buffer_get_bignum(&auth->identities, key->rsa->e);
buffer_get_bignum(&auth->identities, key->rsa->n);
*comment = buffer_get_string(&auth->identities, NULL);
- if (bits != BN_num_bits(key->rsa->n))
+ keybits = BN_num_bits(key->rsa->n);
+ if (keybits < 0 || bits != (u_int)keybits)
logit("Warning: identity keysize mismatch: actual %d, announced %u",
BN_num_bits(key->rsa->n), bits);
break;
*/
#include "includes.h"
-RCSID("$OpenBSD: authfile.c,v 1.60 2004/12/11 01:48:56 dtucker Exp $");
+RCSID("$OpenBSD: authfile.c,v 1.61 2005/06/17 02:44:32 djm Exp $");
#include <openssl/err.h>
#include <openssl/evp.h>
#include "authfile.h"
#include "rsa.h"
#include "misc.h"
+#include "atomicio.h"
/* Version identification string for SSH v1 identity files. */
static const char authfile_id_string[] =
buffer_free(&encrypted);
return 0;
}
- if (write(fd, buffer_ptr(&encrypted), buffer_len(&encrypted)) !=
- buffer_len(&encrypted)) {
+ if (atomicio(vwrite, fd, buffer_ptr(&encrypted),
+ buffer_len(&encrypted)) != buffer_len(&encrypted)) {
error("write to key file %s failed: %s", filename,
strerror(errno));
buffer_free(&encrypted);
Key *pub;
struct stat st;
char *cp;
- int i;
+ u_int i;
size_t len;
if (fstat(fd, &st) < 0) {
buffer_init(&buffer);
cp = buffer_append_space(&buffer, len);
- if (read(fd, cp, (size_t) len) != (size_t) len) {
+ if (atomicio(read, fd, cp, len) != len) {
debug("Read from key file %.200s failed: %.100s", filename,
strerror(errno));
buffer_free(&buffer);
key_load_private_rsa1(int fd, const char *filename, const char *passphrase,
char **commentp)
{
- int i, check1, check2, cipher_type;
+ u_int i;
+ int check1, check2, cipher_type;
size_t len;
Buffer buffer, decrypted;
u_char *cp;
buffer_init(&buffer);
cp = buffer_append_space(&buffer, len);
- if (read(fd, cp, (size_t) len) != (size_t) len) {
+ if (atomicio(read, fd, cp, len) != len) {
debug("Read from key file %.200s failed: %.100s", filename,
strerror(errno));
buffer_free(&buffer);
*/
#include "includes.h"
-RCSID("$OpenBSD: bufaux.c,v 1.35 2005/03/10 22:01:05 deraadt Exp $");
+RCSID("$OpenBSD: bufaux.c,v 1.36 2005/06/17 02:44:32 djm Exp $");
#include <openssl/bn.h>
#include "bufaux.h"
buf[0] = 0x00;
/* Get the value of in binary */
oi = BN_bn2bin(value, buf+1);
- if (oi != bytes-1) {
+ if (oi < 0 || (u_int)oi != bytes - 1) {
error("buffer_put_bignum2_ret: BN_bn2bin() failed: "
"oi %d != bin_size %d", oi, bytes);
xfree(buf);
*/
#include "includes.h"
-RCSID("$OpenBSD: canohost.c,v 1.42 2005/02/18 03:05:53 djm Exp $");
+RCSID("$OpenBSD: canohost.c,v 1.44 2005/06/17 02:44:32 djm Exp $");
#include "packet.h"
#include "xmalloc.h"
u_char options[200];
char text[sizeof(options) * 3 + 1];
socklen_t option_size;
- int i, ipproto;
+ u_int i;
+ int ipproto;
struct protoent *ip;
if ((ip = getprotobyname("ip")) != NULL)
struct in_addr inaddr;
u_int16_t port;
- if (addr->ss_family != AF_INET6 ||
+ if (addr->ss_family != AF_INET6 ||
!IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr))
return;
} else {
if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) {
debug("getpeername failed: %.100s", strerror(errno));
- cleanup_exit(255);
+ return -1;
}
}
*/
#include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.214 2005/03/14 11:46:56 markus Exp $");
+RCSID("$OpenBSD: channels.c,v 1.223 2005/07/17 07:17:54 djm Exp $");
#include "ssh.h"
#include "ssh1.h"
/* Maximum number of fake X11 displays to try. */
#define MAX_DISPLAYS 1000
+/* Saved X11 local (client) display. */
+static char *x11_saved_display = NULL;
+
/* Saved X11 authentication protocol name. */
static char *x11_saved_proto = NULL;
FD_SET(c->wfd, writeset);
} else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
if (CHANNEL_EFD_OUTPUT_ACTIVE(c))
- debug2("channel %d: obuf_empty delayed efd %d/(%d)",
- c->self, c->efd, buffer_len(&c->extended));
+ debug2("channel %d: obuf_empty delayed efd %d/(%d)",
+ c->self, c->efd, buffer_len(&c->extended));
else
chan_obuf_empty(c);
}
channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset)
{
char *p, *host;
- int len, have, i, found;
+ u_int len, have, i, found;
char username[256];
struct {
u_int8_t version;
} s5_req, s5_rsp;
u_int16_t dest_port;
u_char *p, dest_addr[255+1];
- int i, have, found, nmethods, addrlen, af;
+ u_int have, i, found, nmethods, addrlen, af;
debug2("channel %d: decode socks5", c->self);
p = buffer_ptr(&c->input);
channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset)
{
u_char *p;
- int have, ret;
+ u_int have;
+ int ret;
have = buffer_len(&c->input);
c->delayed = 0;
int direct;
char buf[1024];
char *remote_ipaddr = get_peer_ipaddr(c->sock);
- u_short remote_port = get_peer_port(c->sock);
+ int remote_port = get_peer_port(c->sock);
direct = (strcmp(rtype, "direct-tcpip") == 0);
}
/* originator host and port */
packet_put_cstring(remote_ipaddr);
- packet_put_int(remote_port);
+ packet_put_int((u_int)remote_port);
packet_send();
} else {
packet_start(SSH_MSG_PORT_OPEN);
* hack for extended data: delay EOF if EFD still in use.
*/
if (CHANNEL_EFD_INPUT_ACTIVE(c))
- debug2("channel %d: ibuf_empty delayed efd %d/(%d)",
- c->self, c->efd, buffer_len(&c->extended));
+ debug2("channel %d: ibuf_empty delayed efd %d/(%d)",
+ c->self, c->efd, buffer_len(&c->extended));
else
chan_ibuf_empty(c);
}
if (host == NULL) {
error("No forward host name.");
- return success;
+ return 0;
}
if (strlen(host) > SSH_CHANNEL_PATH_LEN - 1) {
error("Forward host name too long.");
- return success;
+ return 0;
}
/*
packet_disconnect("getaddrinfo: fatal error: %s",
gai_strerror(r));
} else {
- verbose("channel_setup_fwd_listener: "
- "getaddrinfo(%.64s): %s", addr, gai_strerror(r));
- packet_send_debug("channel_setup_fwd_listener: "
+ error("channel_setup_fwd_listener: "
"getaddrinfo(%.64s): %s", addr, gai_strerror(r));
}
- aitop = NULL;
+ return 0;
}
for (ai = aitop; ai; ai = ai->ai_next) {
*/
int
x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
- int single_connection, u_int *display_numberp)
+ int single_connection, u_int *display_numberp, int **chanids)
{
Channel *nc = NULL;
int display_number, sock;
}
/* Allocate a channel for each socket. */
+ if (chanids != NULL)
+ *chanids = xmalloc(sizeof(**chanids) * (num_socks + 1));
for (n = 0; n < num_socks; n++) {
sock = socks[n];
nc = channel_new("x11 listener",
CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
0, "X11 inet listener", 1);
nc->single_connection = single_connection;
+ if (*chanids != NULL)
+ (*chanids)[n] = nc->self;
}
+ if (*chanids != NULL)
+ (*chanids)[n] = -1;
/* Return the display number for the DISPLAY environment variable. */
*display_numberp = display_number;
* This should be called in the client only.
*/
void
-x11_request_forwarding_with_spoofing(int client_session_id,
+x11_request_forwarding_with_spoofing(int client_session_id, const char *disp,
const char *proto, const char *data)
{
u_int data_len = (u_int) strlen(data) / 2;
- u_int i, value, len;
+ u_int i, value;
char *new_data;
int screen_number;
const char *cp;
u_int32_t rnd = 0;
- cp = getenv("DISPLAY");
- if (cp)
- cp = strchr(cp, ':');
+ if (x11_saved_display == NULL)
+ x11_saved_display = xstrdup(disp);
+ else if (strcmp(disp, x11_saved_display) != 0) {
+ error("x11_request_forwarding_with_spoofing: different "
+ "$DISPLAY already forwarded");
+ return;
+ }
+
+ cp = disp;
+ if (disp)
+ cp = strchr(disp, ':');
if (cp)
cp = strchr(cp, '.');
if (cp)
else
screen_number = 0;
- /* Save protocol name. */
- x11_saved_proto = xstrdup(proto);
-
- /*
- * Extract real authentication data and generate fake data of the
- * same length.
- */
- x11_saved_data = xmalloc(data_len);
- x11_fake_data = xmalloc(data_len);
- for (i = 0; i < data_len; i++) {
- if (sscanf(data + 2 * i, "%2x", &value) != 1)
- fatal("x11_request_forwarding: bad authentication data: %.100s", data);
- if (i % 4 == 0)
- rnd = arc4random();
- x11_saved_data[i] = value;
- x11_fake_data[i] = rnd & 0xff;
- rnd >>= 8;
- }
- x11_saved_data_len = data_len;
- x11_fake_data_len = data_len;
+ if (x11_saved_proto == NULL) {
+ /* Save protocol name. */
+ x11_saved_proto = xstrdup(proto);
+ /*
+ * Extract real authentication data and generate fake data
+ * of the same length.
+ */
+ x11_saved_data = xmalloc(data_len);
+ x11_fake_data = xmalloc(data_len);
+ for (i = 0; i < data_len; i++) {
+ if (sscanf(data + 2 * i, "%2x", &value) != 1)
+ fatal("x11_request_forwarding: bad "
+ "authentication data: %.100s", data);
+ if (i % 4 == 0)
+ rnd = arc4random();
+ x11_saved_data[i] = value;
+ x11_fake_data[i] = rnd & 0xff;
+ rnd >>= 8;
+ }
+ x11_saved_data_len = data_len;
+ x11_fake_data_len = data_len;
+ }
/* Convert the fake data into hex. */
- len = 2 * data_len + 1;
- new_data = xmalloc(len);
- for (i = 0; i < data_len; i++)
- snprintf(new_data + 2 * i, len - 2 * i,
- "%02x", (u_char) x11_fake_data[i]);
+ new_data = tohex(x11_fake_data, data_len);
/* Send the request packet. */
if (compat20) {
-/* $OpenBSD: channels.h,v 1.76 2005/03/01 10:09:52 djm Exp $ */
+/* $OpenBSD: channels.h,v 1.79 2005/07/17 06:49:04 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
buffer_len(&c->extended) > 0))
#define CHANNEL_EFD_OUTPUT_ACTIVE(c) \
(compat20 && c->extended_usage == CHAN_EXTENDED_WRITE && \
- ((c->efd != -1 && !(c->flags & (CHAN_EOF_RCVD|CHAN_CLOSE_RCVD))) || \
+ c->efd != -1 && (!(c->flags & (CHAN_EOF_RCVD|CHAN_CLOSE_RCVD)) || \
buffer_len(&c->extended) > 0))
/* channel management */
/* x11 forwarding */
int x11_connect_display(void);
-int x11_create_display_inet(int, int, int, u_int *);
+int x11_create_display_inet(int, int, int, u_int *, int **);
void x11_input_open(int, u_int32_t, void *);
-void x11_request_forwarding_with_spoofing(int, const char *, const char *);
+void x11_request_forwarding_with_spoofing(int, const char *, const char *,
+ const char *);
void deny_input_open(int, u_int32_t, void *);
/* agent forwarding */
#define EVP_CTRL_SET_ACSS_SUBKEY 0xff07
static int
-acss_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+acss_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
acss_setkey(&data(ctx)->ks,key,enc,ACSS_DATA);
}
static int
-acss_ciph(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in,
+acss_ciph(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in,
unsigned int inl)
{
acss(&data(ctx)->ks,inl,in,out);
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
-RCSID("$OpenBSD: cipher-ctr.c,v 1.5 2004/12/22 02:13:19 djm Exp $");
+RCSID("$OpenBSD: cipher-ctr.c,v 1.6 2005/07/17 07:17:55 djm Exp $");
#include <openssl/evp.h>
}
if (key != NULL)
AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
- &c->aes_ctx);
+ &c->aes_ctx);
if (iv != NULL)
memcpy(c->aes_counter, iv, AES_BLOCK_SIZE);
return (1);
*/
#include "includes.h"
-RCSID("$OpenBSD: cipher.c,v 1.73 2005/01/23 10:18:12 djm Exp $");
+RCSID("$OpenBSD: cipher.c,v 1.77 2005/07/16 01:35:24 djm Exp $");
#include "xmalloc.h"
#include "log.h"
#include <openssl/md5.h>
-#if OPENSSL_VERSION_NUMBER < 0x00906000L
-#define SSH_OLD_EVP
-#define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
-#endif
-
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
-extern const EVP_CIPHER *evp_rijndael(void);
-extern void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
-#endif
-
-#if !defined(EVP_CTRL_SET_ACSS_MODE)
-# if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
-extern const EVP_CIPHER *evp_acss(void);
-# define EVP_acss evp_acss
-# define EVP_CTRL_SET_ACSS_MODE xxx /* used below */
-# else
-# define EVP_acss NULL /* Don't try to support ACSS on older OpenSSL */
-# endif /* (OPENSSL_VERSION_NUMBER >= 0x00906000L) */
-#endif /* !defined(EVP_CTRL_SET_ACSS_MODE) */
+/* compatibility with old or broken OpenSSL versions */
+#include "openbsd-compat/openssl-compat.h"
extern const EVP_CIPHER *evp_ssh1_bf(void);
extern const EVP_CIPHER *evp_ssh1_3des(void);
int number; /* for ssh1 only */
u_int block_size;
u_int key_len;
+ u_int discard_len;
const EVP_CIPHER *(*evptype)(void);
} ciphers[] = {
- { "none", SSH_CIPHER_NONE, 8, 0, EVP_enc_null },
- { "des", SSH_CIPHER_DES, 8, 8, EVP_des_cbc },
- { "3des", SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des },
- { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf },
-
- { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc },
- { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc },
- { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc },
- { "arcfour", SSH_CIPHER_SSH2, 8, 16, EVP_rc4 },
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
- { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, evp_rijndael },
- { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, evp_rijndael },
- { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, evp_rijndael },
+ { "none", SSH_CIPHER_NONE, 8, 0, 0, EVP_enc_null },
+ { "des", SSH_CIPHER_DES, 8, 8, 0, EVP_des_cbc },
+ { "3des", SSH_CIPHER_3DES, 8, 16, 0, evp_ssh1_3des },
+ { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, evp_ssh1_bf },
+
+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, EVP_des_ede3_cbc },
+ { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, EVP_bf_cbc },
+ { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, 0, EVP_cast5_cbc },
+ { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, EVP_rc4 },
+ { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 1536, EVP_rc4 },
+ { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 1536, EVP_rc4 },
+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, EVP_aes_128_cbc },
+ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, EVP_aes_192_cbc },
+ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc },
{ "rijndael-cbc@lysator.liu.se",
- SSH_CIPHER_SSH2, 16, 32, evp_rijndael },
-#else
- { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, EVP_aes_128_cbc },
- { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, EVP_aes_192_cbc },
- { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
- { "rijndael-cbc@lysator.liu.se",
- SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
-#endif
-#if OPENSSL_VERSION_NUMBER >= 0x00905000L
- { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, evp_aes_128_ctr },
- { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, evp_aes_128_ctr },
- { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, evp_aes_128_ctr },
+ SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc },
+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, evp_aes_128_ctr },
+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, evp_aes_128_ctr },
+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, evp_aes_128_ctr },
+#ifdef USE_CIPHER_ACSS
+ { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, EVP_acss },
#endif
-#if defined(EVP_CTRL_SET_ACSS_MODE)
- { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, EVP_acss },
-#endif
- { NULL, SSH_CIPHER_INVALID, 0, 0, NULL }
+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, NULL }
};
/*--*/
EVP_CIPHER *type;
#else
const EVP_CIPHER *type;
-#endif
int klen;
+#endif
+ u_char *junk, *discard;
if (cipher->number == SSH_CIPHER_DES) {
if (dowarn) {
fatal("cipher_init: EVP_CipherInit failed for %s",
cipher->name);
klen = EVP_CIPHER_CTX_key_length(&cc->evp);
- if (klen > 0 && keylen != klen) {
+ if (klen > 0 && keylen != (u_int)klen) {
debug2("cipher_init: set keylen (%d -> %d)", klen, keylen);
if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0)
fatal("cipher_init: set keylen failed (%d -> %d)",
fatal("cipher_init: EVP_CipherInit: set key failed for %s",
cipher->name);
#endif
+
+ if (cipher->discard_len > 0) {
+ junk = xmalloc(cipher->discard_len);
+ discard = xmalloc(cipher->discard_len);
+ if (EVP_Cipher(&cc->evp, discard, junk,
+ cipher->discard_len) == 0)
+ fatal("evp_crypt: EVP_Cipher failed during discard");
+ memset(discard, 0, cipher->discard_len);
+ xfree(junk);
+ xfree(discard);
+ }
}
void
{
if (len % cc->cipher->block_size)
fatal("cipher_encrypt: bad plaintext length %d", len);
-#ifdef SSH_OLD_EVP
- EVP_Cipher(&cc->evp, dest, (u_char *)src, len);
-#else
if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0)
fatal("evp_crypt: EVP_Cipher failed");
-#endif
}
void
cipher_cleanup(CipherContext *cc)
{
-#ifdef SSH_OLD_EVP
- EVP_CIPHER_CTX_cleanup(&cc->evp);
-#else
if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed");
-#endif
}
/*
case SSH_CIPHER_DES:
case SSH_CIPHER_BLOWFISH:
evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
- if (evplen == 0)
+ if (evplen <= 0)
return;
- if (evplen != len)
+ if ((u_int)evplen != len)
fatal("%s: wrong iv length %d != %d", __func__,
evplen, len);
#if OPENSSL_VERSION_NUMBER < 0x00907000L
*/
#include "includes.h"
-RCSID("$OpenBSD: clientloop.c,v 1.136 2005/03/10 22:01:05 deraadt Exp $");
+RCSID("$OpenBSD: clientloop.c,v 1.141 2005/07/16 01:35:24 djm Exp $");
#include "ssh.h"
#include "ssh1.h"
struct confirm_ctx {
int want_tty;
int want_subsys;
+ int want_x_fwd;
+ int want_agent_fwd;
Buffer cmd;
char *term;
struct termios tio;
return (double) tv.tv_sec + (double) tv.tv_usec / 1000000.0;
}
+#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
+void
+client_x11_get_proto(const char *display, const char *xauth_path,
+ u_int trusted, char **_proto, char **_data)
+{
+ char cmd[1024];
+ char line[512];
+ char xdisplay[512];
+ static char proto[512], data[512];
+ FILE *f;
+ int got_data = 0, generated = 0, do_unlink = 0, i;
+ char *xauthdir, *xauthfile;
+ struct stat st;
+
+ xauthdir = xauthfile = NULL;
+ *_proto = proto;
+ *_data = data;
+ proto[0] = data[0] = '\0';
+
+ if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) {
+ debug("No xauth program.");
+ } else {
+ if (display == NULL) {
+ debug("x11_get_proto: DISPLAY not set");
+ return;
+ }
+ /*
+ * Handle FamilyLocal case where $DISPLAY does
+ * not match an authorization entry. For this we
+ * just try "xauth list unix:displaynum.screennum".
+ * XXX: "localhost" match to determine FamilyLocal
+ * is not perfect.
+ */
+ if (strncmp(display, "localhost:", 10) == 0) {
+ snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
+ display + 10);
+ display = xdisplay;
+ }
+ if (trusted == 0) {
+ xauthdir = xmalloc(MAXPATHLEN);
+ xauthfile = xmalloc(MAXPATHLEN);
+ strlcpy(xauthdir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN);
+ if (mkdtemp(xauthdir) != NULL) {
+ do_unlink = 1;
+ snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile",
+ xauthdir);
+ snprintf(cmd, sizeof(cmd),
+ "%s -f %s generate %s " SSH_X11_PROTO
+ " untrusted timeout 1200 2>" _PATH_DEVNULL,
+ xauth_path, xauthfile, display);
+ debug2("x11_get_proto: %s", cmd);
+ if (system(cmd) == 0)
+ generated = 1;
+ }
+ }
+ snprintf(cmd, sizeof(cmd),
+ "%s %s%s list %s . 2>" _PATH_DEVNULL,
+ xauth_path,
+ generated ? "-f " : "" ,
+ generated ? xauthfile : "",
+ display);
+ debug2("x11_get_proto: %s", cmd);
+ f = popen(cmd, "r");
+ if (f && fgets(line, sizeof(line), f) &&
+ sscanf(line, "%*s %511s %511s", proto, data) == 2)
+ got_data = 1;
+ if (f)
+ pclose(f);
+ }
+
+ if (do_unlink) {
+ unlink(xauthfile);
+ rmdir(xauthdir);
+ }
+ if (xauthdir)
+ xfree(xauthdir);
+ if (xauthfile)
+ xfree(xauthfile);
+
+ /*
+ * If we didn't get authentication data, just make up some
+ * data. The forwarding code will check the validity of the
+ * response anyway, and substitute this data. The X11
+ * server, however, will ignore this fake data and use
+ * whatever authentication mechanisms it was using otherwise
+ * for the local connection.
+ */
+ if (!got_data) {
+ u_int32_t rnd = 0;
+
+ logit("Warning: No xauth data; "
+ "using fake authentication data for X11 forwarding.");
+ strlcpy(proto, SSH_X11_PROTO, sizeof proto);
+ for (i = 0; i < 16; i++) {
+ if (i % 4 == 0)
+ rnd = arc4random();
+ snprintf(data + 2 * i, sizeof data - 2 * i, "%02x",
+ rnd & 0xff);
+ rnd >>= 8;
+ }
+ }
+}
+
/*
* This is called when the interactive is entered. This checks if there is
* an EOF coming on stdin. We must check this explicitly, as select() does
client_extra_session2_setup(int id, void *arg)
{
struct confirm_ctx *cctx = arg;
+ const char *display;
Channel *c;
int i;
if ((c = channel_lookup(id)) == NULL)
fatal("%s: no channel for id %d", __func__, id);
+ display = getenv("DISPLAY");
+ if (cctx->want_x_fwd && options.forward_x11 && display != NULL) {
+ char *proto, *data;
+ /* Get reasonable local authentication information. */
+ client_x11_get_proto(display, options.xauth_location,
+ options.forward_x11_trusted, &proto, &data);
+ /* Request forwarding with authentication spoofing. */
+ debug("Requesting X11 forwarding with authentication spoofing.");
+ x11_request_forwarding_with_spoofing(id, display, proto, data);
+ /* XXX wait for reply */
+ }
+
+ if (cctx->want_agent_fwd && options.forward_agent) {
+ debug("Requesting authentication agent forwarding.");
+ channel_request_start(id, "auth-agent-req@openssh.com", 0);
+ packet_send();
+ }
+
client_session2_setup(id, cctx->want_tty, cctx->want_subsys,
cctx->term, &cctx->tio, c->rfd, &cctx->cmd, cctx->env,
client_subsystem_reply);
{
Buffer m;
Channel *c;
- int client_fd, new_fd[3], ver, i, allowed;
+ int client_fd, new_fd[3], ver, allowed;
socklen_t addrlen;
struct sockaddr_storage addr;
struct confirm_ctx *cctx;
char *cmd;
- u_int len, env_len, command, flags;
+ u_int i, len, env_len, command, flags;
uid_t euid;
gid_t egid;
buffer_free(&m);
return;
}
- if ((ver = buffer_get_char(&m)) != 1) {
+ if ((ver = buffer_get_char(&m)) != SSHMUX_VER) {
error("%s: wrong client version %d", __func__, ver);
buffer_free(&m);
close(client_fd);
switch (command) {
case SSHMUX_COMMAND_OPEN:
- if (options.control_master == 2)
+ if (options.control_master == SSHCTL_MASTER_ASK ||
+ options.control_master == SSHCTL_MASTER_AUTO_ASK)
allowed = ask_permission("Allow shared connection "
"to %s? ", host);
/* continue below */
break;
case SSHMUX_COMMAND_TERMINATE:
- if (options.control_master == 2)
+ if (options.control_master == SSHCTL_MASTER_ASK ||
+ options.control_master == SSHCTL_MASTER_AUTO_ASK)
allowed = ask_permission("Terminate shared connection "
"to %s? ", host);
if (allowed)
buffer_clear(&m);
buffer_put_int(&m, allowed);
buffer_put_int(&m, getpid());
- if (ssh_msg_send(client_fd, /* version */1, &m) == -1) {
+ if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) {
error("%s: client msg_send failed", __func__);
close(client_fd);
buffer_free(&m);
buffer_clear(&m);
buffer_put_int(&m, allowed);
buffer_put_int(&m, getpid());
- if (ssh_msg_send(client_fd, /* version */1, &m) == -1) {
+ if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) {
error("%s: client msg_send failed", __func__);
close(client_fd);
buffer_free(&m);
buffer_free(&m);
return;
}
- if ((ver = buffer_get_char(&m)) != 1) {
+ if ((ver = buffer_get_char(&m)) != SSHMUX_VER) {
error("%s: wrong client version %d", __func__, ver);
buffer_free(&m);
close(client_fd);
memset(cctx, 0, sizeof(*cctx));
cctx->want_tty = (flags & SSHMUX_FLAG_TTY) != 0;
cctx->want_subsys = (flags & SSHMUX_FLAG_SUBSYS) != 0;
+ cctx->want_x_fwd = (flags & SSHMUX_FLAG_X11_FWD) != 0;
+ cctx->want_agent_fwd = (flags & SSHMUX_FLAG_AGENT_FWD) != 0;
cctx->term = buffer_get_string(&m, &len);
cmd = buffer_get_string(&m, &len);
/* This roundtrip is just for synchronisation of ttymodes */
buffer_clear(&m);
- if (ssh_msg_send(client_fd, /* version */1, &m) == -1) {
+ if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) {
error("%s: client msg_send failed", __func__);
close(client_fd);
close(new_fd[0]);
u_char ch;
char *s;
- for (i = 0; i < len; i++) {
+ if (len <= 0)
+ return (0);
+
+ for (i = 0; i < (u_int)len; i++) {
/* Get one character at a time. */
ch = buf[i];
-/* $OpenBSD: clientloop.h,v 1.12 2004/11/07 00:01:46 djm Exp $ */
+/* $OpenBSD: clientloop.h,v 1.14 2005/07/04 00:58:43 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
/* Client side main loop for the interactive session. */
int client_loop(int, int, int);
+void client_x11_get_proto(const char *, const char *, u_int,
+ char **, char **);
void client_global_request_reply_fwd(int, u_int32_t, void *);
void client_session2_setup(int, int, int, const char *, struct termios *,
int, Buffer *, char **, dispatch_fn *);
+/* Multiplexing protocol version */
+#define SSHMUX_VER 1
+
/* Multiplexing control protocol flags */
#define SSHMUX_COMMAND_OPEN 1 /* Open new connection */
#define SSHMUX_COMMAND_ALIVE_CHECK 2 /* Check master is alive */
#define SSHMUX_FLAG_TTY (1) /* Request tty on open */
#define SSHMUX_FLAG_SUBSYS (1<<1) /* Subsystem request on open */
+#define SSHMUX_FLAG_X11_FWD (1<<2) /* Request X11 forwarding */
+#define SSHMUX_FLAG_AGENT_FWD (1<<3) /* Request agent forwarding */
#! /bin/sh
# Attempt to guess a canonical system name.
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-# 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
+# 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
-timestamp='2003-10-03'
+timestamp='2005-05-27'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
+# 02110-1301, USA.
#
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
+
# Originally written by Per Bothner <per@bothner.com>.
# Please send patches to <config-patches@gnu.org>. Submit a context
# diff and a properly formatted ChangeLog entry.
GNU config.guess ($timestamp)
Originally written by Per Bothner.
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
while test $# -gt 0 ; do
case $1 in
--time-stamp | --time* | -t )
- echo "$timestamp" ; exit 0 ;;
+ echo "$timestamp" ; exit ;;
--version | -v )
- echo "$version" ; exit 0 ;;
+ echo "$version" ; exit ;;
--help | --h* | -h )
- echo "$usage"; exit 0 ;;
+ echo "$usage"; exit ;;
-- ) # Stop option processing
shift; break ;;
- ) # Use stdin as input.
# contains redundant information, the shorter form:
# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
echo "${machine}-${os}${release}"
- exit 0 ;;
+ exit ;;
+ amd64:OpenBSD:*:*)
+ echo x86_64-unknown-openbsd${UNAME_RELEASE}
+ exit ;;
amiga:OpenBSD:*:*)
echo m68k-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- arc:OpenBSD:*:*)
- echo mipsel-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
+ cats:OpenBSD:*:*)
+ echo arm-unknown-openbsd${UNAME_RELEASE}
+ exit ;;
hp300:OpenBSD:*:*)
echo m68k-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
+ luna88k:OpenBSD:*:*)
+ echo m88k-unknown-openbsd${UNAME_RELEASE}
+ exit ;;
mac68k:OpenBSD:*:*)
echo m68k-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
macppc:OpenBSD:*:*)
echo powerpc-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
mvme68k:OpenBSD:*:*)
echo m68k-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
mvme88k:OpenBSD:*:*)
echo m88k-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
mvmeppc:OpenBSD:*:*)
echo powerpc-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- pmax:OpenBSD:*:*)
- echo mipsel-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
sgi:OpenBSD:*:*)
- echo mipseb-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
+ echo mips64-unknown-openbsd${UNAME_RELEASE}
+ exit ;;
sun3:OpenBSD:*:*)
echo m68k-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- wgrisc:OpenBSD:*:*)
- echo mipsel-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
*:OpenBSD:*:*)
echo ${UNAME_MACHINE}-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
+ *:ekkoBSD:*:*)
+ echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
+ exit ;;
+ macppc:MirBSD:*:*)
+ echo powerppc-unknown-mirbsd${UNAME_RELEASE}
+ exit ;;
+ *:MirBSD:*:*)
+ echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
+ exit ;;
alpha:OSF1:*:*)
- if test $UNAME_RELEASE = "V4.0"; then
+ case $UNAME_RELEASE in
+ *4.0)
UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
- fi
+ ;;
+ *5.*)
+ UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
+ ;;
+ esac
# According to Compaq, /usr/sbin/psrinfo has been available on
# OSF/1 and Tru64 systems produced since 1995. I hope that
# covers most systems running today. This code pipes the CPU
"EV7.9 (21364A)")
UNAME_MACHINE="alphaev79" ;;
esac
+ # A Pn.n version is a patched version.
# A Vn.n version is a released version.
# A Tn.n version is a released field test version.
# A Xn.n version is an unreleased experimental baselevel.
# 1.2 uses "1.2" for uname -r.
- echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
- exit 0 ;;
- Alpha*:OpenVMS:*:*)
- echo alpha-hp-vms
- exit 0 ;;
+ echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+ exit ;;
Alpha\ *:Windows_NT*:*)
# How do we know it's Interix rather than the generic POSIX subsystem?
# Should we change UNAME_MACHINE based on the output of uname instead
# of the specific Alpha model?
echo alpha-pc-interix
- exit 0 ;;
+ exit ;;
21064:Windows_NT:50:3)
echo alpha-dec-winnt3.5
- exit 0 ;;
+ exit ;;
Amiga*:UNIX_System_V:4.0:*)
echo m68k-unknown-sysv4
- exit 0;;
+ exit ;;
*:[Aa]miga[Oo][Ss]:*:*)
echo ${UNAME_MACHINE}-unknown-amigaos
- exit 0 ;;
+ exit ;;
*:[Mm]orph[Oo][Ss]:*:*)
echo ${UNAME_MACHINE}-unknown-morphos
- exit 0 ;;
+ exit ;;
*:OS/390:*:*)
echo i370-ibm-openedition
- exit 0 ;;
+ exit ;;
+ *:z/VM:*:*)
+ echo s390-ibm-zvmoe
+ exit ;;
+ *:OS400:*:*)
+ echo powerpc-ibm-os400
+ exit ;;
arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
echo arm-acorn-riscix${UNAME_RELEASE}
- exit 0;;
+ exit ;;
+ arm:riscos:*:*|arm:RISCOS:*:*)
+ echo arm-unknown-riscos
+ exit ;;
SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
echo hppa1.1-hitachi-hiuxmpp
- exit 0;;
+ exit ;;
Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
# akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
if test "`(/bin/universe) 2>/dev/null`" = att ; then
else
echo pyramid-pyramid-bsd
fi
- exit 0 ;;
+ exit ;;
NILE*:*:*:dcosx)
echo pyramid-pyramid-svr4
- exit 0 ;;
+ exit ;;
DRS?6000:unix:4.0:6*)
echo sparc-icl-nx6
- exit 0 ;;
- DRS?6000:UNIX_SV:4.2*:7*)
+ exit ;;
+ DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*)
case `/usr/bin/uname -p` in
- sparc) echo sparc-icl-nx7 && exit 0 ;;
+ sparc) echo sparc-icl-nx7; exit ;;
esac ;;
sun4H:SunOS:5.*:*)
echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
+ exit ;;
sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
+ exit ;;
i86pc:SunOS:5.*:*)
echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
+ exit ;;
sun4*:SunOS:6*:*)
# According to config.sub, this is the proper way to canonicalize
# SunOS6. Hard to guess exactly what SunOS6 will be like, but
# it's likely to be more like Solaris than SunOS4.
echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
+ exit ;;
sun4*:SunOS:*:*)
case "`/usr/bin/arch -k`" in
Series*|S4*)
esac
# Japanese Language versions have a version number like `4.1.3-JL'.
echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
- exit 0 ;;
+ exit ;;
sun3*:SunOS:*:*)
echo m68k-sun-sunos${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
sun*:*:4.2BSD:*)
UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
echo sparc-sun-sunos${UNAME_RELEASE}
;;
esac
- exit 0 ;;
+ exit ;;
aushp:SunOS:*:*)
echo sparc-auspex-sunos${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
# The situation for MiNT is a little confusing. The machine name
# can be virtually everything (everything which is not
# "atarist" or "atariste" at least should have a processor
# be no problem.
atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
echo m68k-atari-mint${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
echo m68k-atari-mint${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
*falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
echo m68k-atari-mint${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
echo m68k-milan-mint${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
echo m68k-hades-mint${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
*:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
echo m68k-unknown-mint${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
+ m68k:machten:*:*)
+ echo m68k-apple-machten${UNAME_RELEASE}
+ exit ;;
powerpc:machten:*:*)
echo powerpc-apple-machten${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
RISC*:Mach:*:*)
echo mips-dec-mach_bsd4.3
- exit 0 ;;
+ exit ;;
RISC*:ULTRIX:*:*)
echo mips-dec-ultrix${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
VAX*:ULTRIX*:*:*)
echo vax-dec-ultrix${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
2020:CLIX:*:* | 2430:CLIX:*:*)
echo clipper-intergraph-clix${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
mips:*:*:UMIPS | mips:*:*:RISCos)
eval $set_cc_for_build
sed 's/^ //' << EOF >$dummy.c
exit (-1);
}
EOF
- $CC_FOR_BUILD -o $dummy $dummy.c \
- && $dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \
- && exit 0
+ $CC_FOR_BUILD -o $dummy $dummy.c &&
+ dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` &&
+ SYSTEM_NAME=`$dummy $dummyarg` &&
+ { echo "$SYSTEM_NAME"; exit; }
echo mips-mips-riscos${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
Motorola:PowerMAX_OS:*:*)
echo powerpc-motorola-powermax
- exit 0 ;;
+ exit ;;
Motorola:*:4.3:PL8-*)
echo powerpc-harris-powermax
- exit 0 ;;
+ exit ;;
Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*)
echo powerpc-harris-powermax
- exit 0 ;;
+ exit ;;
Night_Hawk:Power_UNIX:*:*)
echo powerpc-harris-powerunix
- exit 0 ;;
+ exit ;;
m88k:CX/UX:7*:*)
echo m88k-harris-cxux7
- exit 0 ;;
+ exit ;;
m88k:*:4*:R4*)
echo m88k-motorola-sysv4
- exit 0 ;;
+ exit ;;
m88k:*:3*:R3*)
echo m88k-motorola-sysv3
- exit 0 ;;
+ exit ;;
AViiON:dgux:*:*)
# DG/UX returns AViiON for all architectures
UNAME_PROCESSOR=`/usr/bin/uname -p`
else
echo i586-dg-dgux${UNAME_RELEASE}
fi
- exit 0 ;;
+ exit ;;
M88*:DolphinOS:*:*) # DolphinOS (SVR3)
echo m88k-dolphin-sysv3
- exit 0 ;;
+ exit ;;
M88*:*:R3*:*)
# Delta 88k system running SVR3
echo m88k-motorola-sysv3
- exit 0 ;;
+ exit ;;
XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
echo m88k-tektronix-sysv3
- exit 0 ;;
+ exit ;;
Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
echo m68k-tektronix-bsd
- exit 0 ;;
+ exit ;;
*:IRIX*:*:*)
echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
- exit 0 ;;
+ exit ;;
????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
- echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id
- exit 0 ;; # Note that: echo "'`uname -s`'" gives 'AIX '
+ echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id
+ exit ;; # Note that: echo "'`uname -s`'" gives 'AIX '
i*86:AIX:*:*)
echo i386-ibm-aix
- exit 0 ;;
+ exit ;;
ia64:AIX:*:*)
if [ -x /usr/bin/oslevel ] ; then
IBM_REV=`/usr/bin/oslevel`
IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
fi
echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
- exit 0 ;;
+ exit ;;
*:AIX:2:3)
if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
eval $set_cc_for_build
exit(0);
}
EOF
- $CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0
- echo rs6000-ibm-aix3.2.5
+ if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy`
+ then
+ echo "$SYSTEM_NAME"
+ else
+ echo rs6000-ibm-aix3.2.5
+ fi
elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
echo rs6000-ibm-aix3.2.4
else
echo rs6000-ibm-aix3.2
fi
- exit 0 ;;
+ exit ;;
*:AIX:*:[45])
IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
fi
echo ${IBM_ARCH}-ibm-aix${IBM_REV}
- exit 0 ;;
+ exit ;;
*:AIX:*:*)
echo rs6000-ibm-aix
- exit 0 ;;
+ exit ;;
ibmrt:4.4BSD:*|romp-ibm:BSD:*)
echo romp-ibm-bsd4.4
- exit 0 ;;
+ exit ;;
ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and
echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to
- exit 0 ;; # report: romp-ibm BSD 4.3
+ exit ;; # report: romp-ibm BSD 4.3
*:BOSX:*:*)
echo rs6000-bull-bosx
- exit 0 ;;
+ exit ;;
DPX/2?00:B.O.S.:*:*)
echo m68k-bull-sysv3
- exit 0 ;;
+ exit ;;
9000/[34]??:4.3bsd:1.*:*)
echo m68k-hp-bsd
- exit 0 ;;
+ exit ;;
hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
echo m68k-hp-bsd4.4
- exit 0 ;;
+ exit ;;
9000/[34678]??:HP-UX:*:*)
HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
case "${UNAME_MACHINE}" in
then
# avoid double evaluation of $set_cc_for_build
test -n "$CC_FOR_BUILD" || eval $set_cc_for_build
- if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E -) | grep __LP64__ >/dev/null
+
+ # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating
+ # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler
+ # generating 64-bit code. GNU and HP use different nomenclature:
+ #
+ # $ CC_FOR_BUILD=cc ./config.guess
+ # => hppa2.0w-hp-hpux11.23
+ # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
+ # => hppa64-hp-hpux11.23
+
+ if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
+ grep __LP64__ >/dev/null
then
HP_ARCH="hppa2.0w"
else
fi
fi
echo ${HP_ARCH}-hp-hpux${HPUX_REV}
- exit 0 ;;
+ exit ;;
ia64:HP-UX:*:*)
HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
echo ia64-hp-hpux${HPUX_REV}
- exit 0 ;;
+ exit ;;
3050*:HI-UX:*:*)
eval $set_cc_for_build
sed 's/^ //' << EOF >$dummy.c
exit (0);
}
EOF
- $CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0
+ $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` &&
+ { echo "$SYSTEM_NAME"; exit; }
echo unknown-hitachi-hiuxwe2
- exit 0 ;;
+ exit ;;
9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
echo hppa1.1-hp-bsd
- exit 0 ;;
+ exit ;;
9000/8??:4.3bsd:*:*)
echo hppa1.0-hp-bsd
- exit 0 ;;
+ exit ;;
*9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
echo hppa1.0-hp-mpeix
- exit 0 ;;
+ exit ;;
hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
echo hppa1.1-hp-osf
- exit 0 ;;
+ exit ;;
hp8??:OSF1:*:*)
echo hppa1.0-hp-osf
- exit 0 ;;
+ exit ;;
i*86:OSF1:*:*)
if [ -x /usr/sbin/sysversion ] ; then
echo ${UNAME_MACHINE}-unknown-osf1mk
else
echo ${UNAME_MACHINE}-unknown-osf1
fi
- exit 0 ;;
+ exit ;;
parisc*:Lites*:*:*)
echo hppa1.1-hp-lites
- exit 0 ;;
+ exit ;;
C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
echo c1-convex-bsd
- exit 0 ;;
+ exit ;;
C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
if getsysinfo -f scalar_acc
then echo c32-convex-bsd
else echo c2-convex-bsd
fi
- exit 0 ;;
+ exit ;;
C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
echo c34-convex-bsd
- exit 0 ;;
+ exit ;;
C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
echo c38-convex-bsd
- exit 0 ;;
+ exit ;;
C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
echo c4-convex-bsd
- exit 0 ;;
+ exit ;;
CRAY*Y-MP:*:*:*)
echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
- exit 0 ;;
+ exit ;;
CRAY*[A-Z]90:*:*:*)
echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
| sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
-e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
-e 's/\.[^.]*$/.X/'
- exit 0 ;;
+ exit ;;
CRAY*TS:*:*:*)
echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
- exit 0 ;;
+ exit ;;
CRAY*T3E:*:*:*)
echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
- exit 0 ;;
+ exit ;;
CRAY*SV1:*:*:*)
echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
- exit 0 ;;
+ exit ;;
*:UNICOS/mp:*:*)
- echo nv1-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
- exit 0 ;;
+ echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ exit ;;
F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
- exit 0 ;;
+ exit ;;
+ 5000:UNIX_System_V:4.*:*)
+ FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+ FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
+ echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+ exit ;;
i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
sparc*:BSD/OS:*:*)
echo sparc-unknown-bsdi${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
*:BSD/OS:*:*)
echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
- exit 0 ;;
- *:FreeBSD:*:*|*:GNU/FreeBSD:*:*)
- # Determine whether the default compiler uses glibc.
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
- #include <features.h>
- #if __GLIBC__ >= 2
- LIBC=gnu
- #else
- LIBC=
- #endif
-EOF
- eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
- # GNU/FreeBSD systems have a "k" prefix to indicate we are using
- # FreeBSD's kernel, but not the complete OS.
- case ${LIBC} in gnu) kernel_only='k' ;; esac
- echo ${UNAME_MACHINE}-unknown-${kernel_only}freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`${LIBC:+-$LIBC}
- exit 0 ;;
+ exit ;;
+ *:FreeBSD:*:*)
+ echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+ exit ;;
i*:CYGWIN*:*)
echo ${UNAME_MACHINE}-pc-cygwin
- exit 0 ;;
+ exit ;;
i*:MINGW*:*)
echo ${UNAME_MACHINE}-pc-mingw32
- exit 0 ;;
+ exit ;;
+ i*:windows32*:*)
+ # uname -m includes "-pc" on this system.
+ echo ${UNAME_MACHINE}-mingw32
+ exit ;;
i*:PW*:*)
echo ${UNAME_MACHINE}-pc-pw32
- exit 0 ;;
+ exit ;;
x86:Interix*:[34]*)
echo i586-pc-interix${UNAME_RELEASE}|sed -e 's/\..*//'
- exit 0 ;;
+ exit ;;
[345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
echo i${UNAME_MACHINE}-pc-mks
- exit 0 ;;
+ exit ;;
i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
# How do we know it's Interix rather than the generic POSIX subsystem?
# It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
# UNAME_MACHINE based on the output of uname instead of i386?
echo i586-pc-interix
- exit 0 ;;
+ exit ;;
i*:UWIN*:*)
echo ${UNAME_MACHINE}-pc-uwin
- exit 0 ;;
+ exit ;;
+ amd64:CYGWIN*:*:*)
+ echo x86_64-unknown-cygwin
+ exit ;;
p*:CYGWIN*:*)
echo powerpcle-unknown-cygwin
- exit 0 ;;
+ exit ;;
prep*:SunOS:5.*:*)
echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
+ exit ;;
*:GNU:*:*)
+ # the GNU system
echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
- exit 0 ;;
+ exit ;;
+ *:GNU/*:*:*)
+ # other systems with GNU libc and userland
+ echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
+ exit ;;
i*86:Minix:*:*)
echo ${UNAME_MACHINE}-pc-minix
- exit 0 ;;
+ exit ;;
arm*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit 0 ;;
+ exit ;;
cris:Linux:*:*)
echo cris-axis-linux-gnu
- exit 0 ;;
+ exit ;;
+ crisv32:Linux:*:*)
+ echo crisv32-axis-linux-gnu
+ exit ;;
+ frv:Linux:*:*)
+ echo frv-unknown-linux-gnu
+ exit ;;
ia64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit 0 ;;
+ exit ;;
+ m32r*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit ;;
m68*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit 0 ;;
+ exit ;;
mips:Linux:*:*)
eval $set_cc_for_build
sed 's/^ //' << EOF >$dummy.c
#endif
EOF
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
- test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0
+ test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
;;
mips64:Linux:*:*)
eval $set_cc_for_build
#endif
EOF
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
- test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0
+ test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
;;
ppc:Linux:*:*)
echo powerpc-unknown-linux-gnu
- exit 0 ;;
+ exit ;;
ppc64:Linux:*:*)
echo powerpc64-unknown-linux-gnu
- exit 0 ;;
+ exit ;;
alpha:Linux:*:*)
case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
EV5) UNAME_MACHINE=alphaev5 ;;
objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
- exit 0 ;;
+ exit ;;
parisc:Linux:*:* | hppa:Linux:*:*)
# Look for CPU level
case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
PA8*) echo hppa2.0-unknown-linux-gnu ;;
*) echo hppa-unknown-linux-gnu ;;
esac
- exit 0 ;;
+ exit ;;
parisc64:Linux:*:* | hppa64:Linux:*:*)
echo hppa64-unknown-linux-gnu
- exit 0 ;;
+ exit ;;
s390:Linux:*:* | s390x:Linux:*:*)
echo ${UNAME_MACHINE}-ibm-linux
- exit 0 ;;
+ exit ;;
sh64*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit 0 ;;
+ exit ;;
sh*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit 0 ;;
+ exit ;;
sparc:Linux:*:* | sparc64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit 0 ;;
+ exit ;;
x86_64:Linux:*:*)
echo x86_64-unknown-linux-gnu
- exit 0 ;;
+ exit ;;
i*86:Linux:*:*)
# The BFD linker knows what the default object file format is, so
# first see if it will tell us. cd to the root directory to prevent
;;
a.out-i386-linux)
echo "${UNAME_MACHINE}-pc-linux-gnuaout"
- exit 0 ;;
+ exit ;;
coff-i386)
echo "${UNAME_MACHINE}-pc-linux-gnucoff"
- exit 0 ;;
+ exit ;;
"")
# Either a pre-BFD a.out linker (linux-gnuoldld) or
# one that does not give us useful --help.
echo "${UNAME_MACHINE}-pc-linux-gnuoldld"
- exit 0 ;;
+ exit ;;
esac
# Determine whether the default compiler is a.out or elf
eval $set_cc_for_build
#endif
EOF
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
- test x"${LIBC}" != x && echo "${UNAME_MACHINE}-pc-linux-${LIBC}" && exit 0
- test x"${TENTATIVE}" != x && echo "${TENTATIVE}" && exit 0
+ test x"${LIBC}" != x && {
+ echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
+ exit
+ }
+ test x"${TENTATIVE}" != x && { echo "${TENTATIVE}"; exit; }
;;
i*86:DYNIX/ptx:4*:*)
# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
# earlier versions are messed up and put the nodename in both
# sysname and nodename.
echo i386-sequent-sysv4
- exit 0 ;;
+ exit ;;
i*86:UNIX_SV:4.2MP:2.*)
# Unixware is an offshoot of SVR4, but it has its own version
# number series starting with 2...
# I just have to hope. -- rms.
# Use sysv4.2uw... so that sysv4* matches it.
echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
- exit 0 ;;
+ exit ;;
i*86:OS/2:*:*)
# If we were able to find `uname', then EMX Unix compatibility
# is probably installed.
echo ${UNAME_MACHINE}-pc-os2-emx
- exit 0 ;;
+ exit ;;
i*86:XTS-300:*:STOP)
echo ${UNAME_MACHINE}-unknown-stop
- exit 0 ;;
+ exit ;;
i*86:atheos:*:*)
echo ${UNAME_MACHINE}-unknown-atheos
- exit 0 ;;
+ exit ;;
+ i*86:syllable:*:*)
+ echo ${UNAME_MACHINE}-pc-syllable
+ exit ;;
i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
echo i386-unknown-lynxos${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
i*86:*DOS:*:*)
echo ${UNAME_MACHINE}-pc-msdosdjgpp
- exit 0 ;;
+ exit ;;
i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
else
echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
fi
- exit 0 ;;
+ exit ;;
i*86:*:5:[678]*)
- # Unixware 7.x, OpenUNIX 8, & OpenServer 6
+ # UnixWare 7.x, OpenUNIX and OpenServer 6.
case `/bin/uname -X | grep "^Machine"` in
*486*) UNAME_MACHINE=i486 ;;
*Pentium) UNAME_MACHINE=i586 ;;
*Pent*|*Celeron) UNAME_MACHINE=i686 ;;
esac
echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
- exit 0 ;;
+ exit ;;
i*86:*:3.2:*)
if test -f /usr/options/cb.name; then
UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
else
echo ${UNAME_MACHINE}-pc-sysv32
fi
- exit 0 ;;
+ exit ;;
pc:*:*:*)
# Left here for compatibility:
# uname -m prints for DJGPP always 'pc', but it prints nothing about
# the processor, so we play safe by assuming i386.
echo i386-pc-msdosdjgpp
- exit 0 ;;
+ exit ;;
Intel:Mach:3*:*)
echo i386-pc-mach3
- exit 0 ;;
+ exit ;;
paragon:*:*:*)
echo i860-intel-osf1
- exit 0 ;;
+ exit ;;
i860:*:4.*:*) # i860-SVR4
if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
else # Add other i860-SVR4 vendors below as they are discovered.
echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4
fi
- exit 0 ;;
+ exit ;;
mini*:CTIX:SYS*5:*)
# "miniframe"
echo m68010-convergent-sysv
- exit 0 ;;
+ exit ;;
mc68k:UNIX:SYSTEM5:3.51m)
echo m68k-convergent-sysv
- exit 0 ;;
+ exit ;;
M680?0:D-NIX:5.3:*)
echo m68k-diab-dnix
- exit 0 ;;
- M68*:*:R3V[567]*:*)
- test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;;
- 3[34]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0)
+ exit ;;
+ M68*:*:R3V[5678]*:*)
+ test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;;
+ 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0)
OS_REL=''
test -r /etc/.relid \
&& OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
- && echo i486-ncr-sysv4.3${OS_REL} && exit 0
+ && { echo i486-ncr-sysv4.3${OS_REL}; exit; }
/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
- && echo i586-ncr-sysv4.3${OS_REL} && exit 0 ;;
+ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
- && echo i486-ncr-sysv4 && exit 0 ;;
+ && { echo i486-ncr-sysv4; exit; } ;;
m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
echo m68k-unknown-lynxos${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
mc68030:UNIX_System_V:4.*:*)
echo m68k-atari-sysv4
- exit 0 ;;
+ exit ;;
TSUNAMI:LynxOS:2.*:*)
echo sparc-unknown-lynxos${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
rs6000:LynxOS:2.*:*)
echo rs6000-unknown-lynxos${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
echo powerpc-unknown-lynxos${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
SM[BE]S:UNIX_SV:*:*)
echo mips-dde-sysv${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
RM*:ReliantUNIX-*:*:*)
echo mips-sni-sysv4
- exit 0 ;;
+ exit ;;
RM*:SINIX-*:*:*)
echo mips-sni-sysv4
- exit 0 ;;
+ exit ;;
*:SINIX-*:*:*)
if uname -p 2>/dev/null >/dev/null ; then
UNAME_MACHINE=`(uname -p) 2>/dev/null`
else
echo ns32k-sni-sysv
fi
- exit 0 ;;
+ exit ;;
PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
# says <Richard.M.Bartel@ccMail.Census.GOV>
echo i586-unisys-sysv4
- exit 0 ;;
+ exit ;;
*:UNIX_System_V:4*:FTX*)
# From Gerald Hewes <hewes@openmarket.com>.
# How about differentiating between stratus architectures? -djm
echo hppa1.1-stratus-sysv4
- exit 0 ;;
+ exit ;;
*:*:*:FTX*)
# From seanf@swdc.stratus.com.
echo i860-stratus-sysv4
- exit 0 ;;
+ exit ;;
+ i*86:VOS:*:*)
+ # From Paul.Green@stratus.com.
+ echo ${UNAME_MACHINE}-stratus-vos
+ exit ;;
*:VOS:*:*)
# From Paul.Green@stratus.com.
echo hppa1.1-stratus-vos
- exit 0 ;;
+ exit ;;
mc68*:A/UX:*:*)
echo m68k-apple-aux${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
news*:NEWS-OS:6*:*)
echo mips-sony-newsos6
- exit 0 ;;
+ exit ;;
R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
if [ -d /usr/nec ]; then
echo mips-nec-sysv${UNAME_RELEASE}
else
echo mips-unknown-sysv${UNAME_RELEASE}
fi
- exit 0 ;;
+ exit ;;
BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only.
echo powerpc-be-beos
- exit 0 ;;
+ exit ;;
BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only.
echo powerpc-apple-beos
- exit 0 ;;
+ exit ;;
BePC:BeOS:*:*) # BeOS running on Intel PC compatible.
echo i586-pc-beos
- exit 0 ;;
+ exit ;;
SX-4:SUPER-UX:*:*)
echo sx4-nec-superux${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
SX-5:SUPER-UX:*:*)
echo sx5-nec-superux${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
SX-6:SUPER-UX:*:*)
echo sx6-nec-superux${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
Power*:Rhapsody:*:*)
echo powerpc-apple-rhapsody${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
*:Rhapsody:*:*)
echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
*:Darwin:*:*)
- case `uname -p` in
+ UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
+ case $UNAME_PROCESSOR in
*86) UNAME_PROCESSOR=i686 ;;
- powerpc) UNAME_PROCESSOR=powerpc ;;
+ unknown) UNAME_PROCESSOR=powerpc ;;
esac
echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
*:procnto*:*:* | *:QNX:[0123456789]*:*)
UNAME_PROCESSOR=`uname -p`
if test "$UNAME_PROCESSOR" = "x86"; then
UNAME_MACHINE=pc
fi
echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
*:QNX:*:4*)
echo i386-pc-qnx
- exit 0 ;;
- NSR-[DGKLNPTVWY]:NONSTOP_KERNEL:*:*)
+ exit ;;
+ NSE-?:NONSTOP_KERNEL:*:*)
+ echo nse-tandem-nsk${UNAME_RELEASE}
+ exit ;;
+ NSR-?:NONSTOP_KERNEL:*:*)
echo nsr-tandem-nsk${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
*:NonStop-UX:*:*)
echo mips-compaq-nonstopux
- exit 0 ;;
+ exit ;;
BS2000:POSIX*:*:*)
echo bs2000-siemens-sysv
- exit 0 ;;
+ exit ;;
DS/*:UNIX_System_V:*:*)
echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
*:Plan9:*:*)
# "uname -m" is not consistent, so use $cputype instead. 386
# is converted to i386 for consistency with other x86
UNAME_MACHINE="$cputype"
fi
echo ${UNAME_MACHINE}-unknown-plan9
- exit 0 ;;
+ exit ;;
*:TOPS-10:*:*)
echo pdp10-unknown-tops10
- exit 0 ;;
+ exit ;;
*:TENEX:*:*)
echo pdp10-unknown-tenex
- exit 0 ;;
+ exit ;;
KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
echo pdp10-dec-tops20
- exit 0 ;;
+ exit ;;
XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
echo pdp10-xkl-tops20
- exit 0 ;;
+ exit ;;
*:TOPS-20:*:*)
echo pdp10-unknown-tops20
- exit 0 ;;
+ exit ;;
*:ITS:*:*)
echo pdp10-unknown-its
- exit 0 ;;
+ exit ;;
SEI:*:*:SEIUX)
echo mips-sei-seiux${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
+ *:DragonFly:*:*)
+ echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+ exit ;;
+ *:*VMS:*:*)
+ UNAME_MACHINE=`(uname -p) 2>/dev/null`
+ case "${UNAME_MACHINE}" in
+ A*) echo alpha-dec-vms ; exit ;;
+ I*) echo ia64-dec-vms ; exit ;;
+ V*) echo vax-dec-vms ; exit ;;
+ esac ;;
+ *:XENIX:*:SysV)
+ echo i386-pc-xenix
+ exit ;;
+ i*86:skyos:*:*)
+ echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//'
+ exit ;;
esac
#echo '(No uname command or uname output not recognized.)' 1>&2
#endif
#if defined (__arm) && defined (__acorn) && defined (__unix)
- printf ("arm-acorn-riscix"); exit (0);
+ printf ("arm-acorn-riscix\n"); exit (0);
#endif
#if defined (hp300) && !defined (hpux)
}
EOF
-$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && $dummy && exit 0
+$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` &&
+ { echo "$SYSTEM_NAME"; exit; }
# Apollos put the system type in the environment.
-test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit 0; }
+test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; }
# Convex versions that predate uname can use getsysinfo(1)
case `getsysinfo -f cpu_type` in
c1*)
echo c1-convex-bsd
- exit 0 ;;
+ exit ;;
c2*)
if getsysinfo -f scalar_acc
then echo c32-convex-bsd
else echo c2-convex-bsd
fi
- exit 0 ;;
+ exit ;;
c34*)
echo c34-convex-bsd
- exit 0 ;;
+ exit ;;
c38*)
echo c38-convex-bsd
- exit 0 ;;
+ exit ;;
c4*)
echo c4-convex-bsd
- exit 0 ;;
+ exit ;;
esac
fi
the operating system you are using. It is advised that you
download the most up to date version of the config scripts from
- ftp://ftp.gnu.org/pub/gnu/config/
+ http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.guess
+and
+ http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.sub
If the version you run ($0) is already up to date, please
send the following data and any information you think might be
#! /bin/sh
# Configuration validation subroutine script.
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-# 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
+# 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
-timestamp='2003-08-18'
+timestamp='2005-05-12'
# This file is (in principle) common to ALL GNU software.
# The presence of a machine in this file suggests that SOME GNU software
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330,
-# Boston, MA 02111-1307, USA.
-
+# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
+# 02110-1301, USA.
+#
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
+
# Please send patches to <config-patches@gnu.org>. Submit a context
# diff and a properly formatted ChangeLog entry.
#
version="\
GNU config.sub ($timestamp)
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
while test $# -gt 0 ; do
case $1 in
--time-stamp | --time* | -t )
- echo "$timestamp" ; exit 0 ;;
+ echo "$timestamp" ; exit ;;
--version | -v )
- echo "$version" ; exit 0 ;;
+ echo "$version" ; exit ;;
--help | --h* | -h )
- echo "$usage"; exit 0 ;;
+ echo "$usage"; exit ;;
-- ) # Stop option processing
shift; break ;;
- ) # Use stdin as input.
*local*)
# First pass through any local machine types.
echo $1
- exit 0;;
+ exit ;;
* )
break ;;
# Here we must recognize all the valid KERNEL-OS combinations.
maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
case $maybe_os in
- nto-qnx* | linux-gnu* | linux-dietlibc | kfreebsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*)
+ nto-qnx* | linux-gnu* | linux-dietlibc | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | \
+ kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*)
os=-$maybe_os
basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
;;
-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
- -apple | -axis)
+ -apple | -axis | -knuth | -cray)
os=
basic_machine=$1
;;
| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
| am33_2.0 \
| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \
+ | bfin \
| c4x | clipper \
| d10v | d30v | dlx | dsp16xx \
| fr30 | frv \
| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
| i370 | i860 | i960 | ia64 \
| ip2k | iq2000 \
- | m32r | m68000 | m68k | m88k | mcore \
+ | m32r | m32rle | m68000 | m68k | m88k | maxq | mcore \
| mips | mipsbe | mipseb | mipsel | mipsle \
| mips16 \
| mips64 | mips64el \
| pyramid \
| sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \
| sh64 | sh64le \
- | sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv9 | sparcv9b \
+ | sparc | sparc64 | sparc64b | sparc86x | sparclet | sparclite \
+ | sparcv8 | sparcv9 | sparcv9b \
| strongarm \
| tahoe | thumb | tic4x | tic80 | tron \
| v850 | v850e \
| we32k \
- | x86 | xscale | xstormy16 | xtensa \
+ | x86 | xscale | xscalee[bl] | xstormy16 | xtensa \
| z8k)
basic_machine=$basic_machine-unknown
;;
| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
| arm-* | armbe-* | armle-* | armeb-* | armv*-* \
| avr-* \
- | bs2000-* \
+ | bfin-* | bs2000-* \
| c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
- | clipper-* | cydra-* \
+ | clipper-* | craynv-* | cydra-* \
| d10v-* | d30v-* | dlx-* \
| elxsi-* \
| f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
| i*86-* | i860-* | i960-* | ia64-* \
| ip2k-* | iq2000-* \
- | m32r-* \
+ | m32r-* | m32rle-* \
| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
- | m88110-* | m88k-* | mcore-* \
+ | m88110-* | m88k-* | maxq-* | mcore-* \
| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
| mips16-* \
| mips64-* | mips64el-* \
| mipsisa64sb1-* | mipsisa64sb1el-* \
| mipsisa64sr71k-* | mipsisa64sr71kel-* \
| mipstx39-* | mipstx39el-* \
+ | mmix-* \
| msp430-* \
- | none-* | np1-* | nv1-* | ns16k-* | ns32k-* \
+ | none-* | np1-* | ns16k-* | ns32k-* \
| orion-* \
| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
| romp-* | rs6000-* \
| sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \
| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
- | sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \
- | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
+ | sparc-* | sparc64-* | sparc64b-* | sparc86x-* | sparclet-* \
+ | sparclite-* \
+ | sparcv8-* | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
| tahoe-* | thumb-* \
| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
| tron-* \
| v850-* | v850e-* | vax-* \
| we32k-* \
- | x86-* | x86_64-* | xps100-* | xscale-* | xstormy16-* \
- | xtensa-* \
+ | x86-* | x86_64-* | xps100-* | xscale-* | xscalee[bl]-* \
+ | xstormy16-* | xtensa-* \
| ymp-* \
| z8k-*)
;;
basic_machine=a29k-amd
os=-udi
;;
+ abacus)
+ basic_machine=abacus-unknown
+ ;;
adobe68k)
basic_machine=m68010-adobe
os=-scout
amd64)
basic_machine=x86_64-pc
;;
+ amd64-*)
+ basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
amdahl)
basic_machine=580-amdahl
os=-sysv
basic_machine=j90-cray
os=-unicos
;;
+ craynv)
+ basic_machine=craynv-cray
+ os=-unicosmp
+ ;;
+ cr16c)
+ basic_machine=cr16c-unknown
+ os=-elf
+ ;;
crds | unos)
basic_machine=m68k-crds
;;
+ crisv32 | crisv32-* | etraxfs*)
+ basic_machine=crisv32-axis
+ ;;
cris | cris-* | etrax*)
basic_machine=cris-axis
;;
+ crx)
+ basic_machine=crx-unknown
+ os=-elf
+ ;;
da30 | da30-*)
basic_machine=m68k-da30
;;
basic_machine=m88k-motorola
os=-sysv3
;;
+ djgpp)
+ basic_machine=i586-pc
+ os=-msdosdjgpp
+ ;;
dpx20 | dpx20-*)
basic_machine=rs6000-bull
os=-bosx
mips3*)
basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
;;
- mmix*)
- basic_machine=mmix-knuth
- os=-mmixware
- ;;
monitor)
basic_machine=m68k-rom68k
os=-coff
np1)
basic_machine=np1-gould
;;
- nv1)
- basic_machine=nv1-cray
- os=-unicosmp
- ;;
nsr-tandem)
basic_machine=nsr-tandem
;;
basic_machine=or32-unknown
os=-coff
;;
+ os400)
+ basic_machine=powerpc-ibm
+ os=-os400
+ ;;
OSE68000 | ose68000)
basic_machine=m68000-ericsson
os=-ose
tower | tower-32)
basic_machine=m68k-ncr
;;
+ tpf)
+ basic_machine=s390x-ibm
+ os=-tpf
+ ;;
udi29k)
basic_machine=a29k-amd
os=-udi
basic_machine=hppa1.1-winbond
os=-proelf
;;
+ xbox)
+ basic_machine=i686-pc
+ os=-mingw32
+ ;;
xps | xps100)
basic_machine=xps100-honeywell
;;
romp)
basic_machine=romp-ibm
;;
+ mmix)
+ basic_machine=mmix-knuth
+ ;;
rs6000)
basic_machine=rs6000-ibm
;;
sh64)
basic_machine=sh64-unknown
;;
- sparc | sparcv9 | sparcv9b)
+ sparc | sparcv8 | sparcv9 | sparcv9b)
basic_machine=sparc-sun
;;
cydra)
| -aos* \
| -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
| -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
- | -hiux* | -386bsd* | -netbsd* | -openbsd* | -kfreebsd* | -freebsd* | -riscix* \
- | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
+ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* | -openbsd* \
+ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
+ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
| -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
| -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
| -chorusos* | -chorusrdb* \
| -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
- | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -mpeix* | -udk* \
+ | -mingw32* | -linux-gnu* | -linux-uclibc* | -uxpv* | -beos* | -mpeix* | -udk* \
| -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
| -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
| -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
| -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
- | -powermax* | -dnix* | -nx6 | -nx7 | -sei*)
+ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* | -skyos*)
# Remember, each alternative MUST END IN *, to match a version number.
;;
-qnx*)
-opened*)
os=-openedition
;;
+ -os400*)
+ os=-os400
+ ;;
-wince*)
os=-wince
;;
-atheos*)
os=-atheos
;;
+ -syllable*)
+ os=-syllable
+ ;;
-386bsd)
os=-bsd
;;
-sinix*)
os=-sysv4
;;
+ -tpf*)
+ os=-tpf
+ ;;
-triton*)
os=-sysv3
;;
-kaos*)
os=-kaos
;;
+ -zvmoe)
+ os=-zvmoe
+ ;;
-none)
;;
*)
*-ibm)
os=-aix
;;
+ *-knuth)
+ os=-mmixware
+ ;;
*-wec)
os=-proelf
;;
-mvs* | -opened*)
vendor=ibm
;;
+ -os400*)
+ vendor=ibm
+ ;;
-ptx*)
vendor=sequent
;;
+ -tpf*)
+ vendor=ibm
+ ;;
-vxsim* | -vxworks* | -windiss*)
vendor=wrs
;;
esac
echo $basic_machine$os
-exit 0
+exit
# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-AC_INIT(OpenSSH, Portable)
+AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
AC_CONFIG_SRCDIR([ssh.c])
AC_CONFIG_HEADER(config.h)
AC_SUBST(LD)
AC_C_INLINE
+
+AC_CHECK_DECL(LLONG_MAX, have_llong_max=1, , [#include <limits.h>])
+
if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
- CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wno-uninitialized"
+ CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized"
+ GCC_VER=`$CC --version`
+ case $GCC_VER in
+ 1.*) ;;
+ 2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;;
+ 2.*) ;;
+ *) CFLAGS="$CFLAGS -Wsign-compare" ;;
+ esac
+
+ if test -z "$have_llong_max"; then
+ # retry LLONG_MAX with -std=gnu99, needed on some Linuxes
+ unset ac_cv_have_decl_LLONG_MAX
+ saved_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -std=gnu99"
+ AC_CHECK_DECL(LLONG_MAX,
+ [have_llong_max=1],
+ [CFLAGS="$saved_CFLAGS"],
+ [#include <limits.h>]
+ )
+ fi
+fi
+
+if test -z "$have_llong_max"; then
+ AC_MSG_CHECKING([for max value of long long])
+ AC_RUN_IFELSE(
+ [AC_LANG_SOURCE([[
+#include <stdio.h>
+/* Why is this so damn hard? */
+#ifdef __GNUC__
+# undef __GNUC__
+#endif
+#define __USE_ISOC99
+#include <limits.h>
+#define DATA "conftest.llminmax"
+int main(void) {
+ FILE *f;
+ long long i, llmin, llmax = 0;
+
+ if((f = fopen(DATA,"w")) == NULL)
+ exit(1);
+
+#if defined(LLONG_MIN) && defined(LLONG_MAX)
+ fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
+ llmin = LLONG_MIN;
+ llmax = LLONG_MAX;
+#else
+ fprintf(stderr, "Calculating LLONG_MIN and LLONG_MAX\n");
+ /* This will work on one's complement and two's complement */
+ for (i = 1; i > llmax; i <<= 1, i++)
+ llmax = i;
+ llmin = llmax + 1LL; /* wrap */
+#endif
+
+ /* Sanity check */
+ if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
+ || llmax - 1 > llmax) {
+ fprintf(f, "unknown unknown\n");
+ exit(2);
+ }
+
+ if (fprintf(f ,"%lld %lld", llmin, llmax) < 0)
+ exit(3);
+
+ exit(0);
+}
+ ]])],
+ [
+ llong_min=`$AWK '{print $1}' conftest.llminmax`
+ llong_max=`$AWK '{print $2}' conftest.llminmax`
+ AC_MSG_RESULT($llong_max)
+ AC_DEFINE_UNQUOTED(LLONG_MAX, [${llong_max}LL],
+ [max value of long long calculated by configure])
+ AC_MSG_CHECKING([for min value of long long])
+ AC_MSG_RESULT($llong_min)
+ AC_DEFINE_UNQUOTED(LLONG_MIN, [${llong_min}LL],
+ [min value of long long calculated by configure])
+ ],
+ [
+ AC_MSG_RESULT(not found)
+ ],
+ [
+ AC_MSG_WARN([cross compiling: not checking])
+ ]
+ )
fi
AC_ARG_WITH(rpath,
AC_DEFINE(BROKEN_SETREGID)
AC_DEFINE_UNQUOTED(BIND_8_COMPAT, 1)
;;
-*-*-hpux10.26)
- if test -z "$GCC"; then
- CFLAGS="$CFLAGS -Ae"
- fi
- CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
- IPADDR_IN_DISPLAY=yes
- AC_DEFINE(HAVE_SECUREWARE)
- AC_DEFINE(USE_PIPES)
- AC_DEFINE(LOGIN_NO_ENDOPT)
- AC_DEFINE(LOGIN_NEEDS_UTMPX)
- AC_DEFINE(LOCKED_PASSWD_STRING, "*")
- AC_DEFINE(SPT_TYPE,SPT_PSTAT)
- LIBS="$LIBS -lsec -lsecpw"
- AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
- disable_ptmx_check=yes
- ;;
-*-*-hpux10*)
- if test -z "$GCC"; then
- CFLAGS="$CFLAGS -Ae"
- fi
- CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
- IPADDR_IN_DISPLAY=yes
- AC_DEFINE(USE_PIPES)
- AC_DEFINE(LOGIN_NO_ENDOPT)
- AC_DEFINE(LOGIN_NEEDS_UTMPX)
- AC_DEFINE(LOCKED_PASSWD_STRING, "*")
- AC_DEFINE(SPT_TYPE,SPT_PSTAT)
- LIBS="$LIBS -lsec"
- AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
- ;;
-*-*-hpux11*)
+*-*-hpux*)
+ # first we define all of the options common to all HP-UX releases
CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
IPADDR_IN_DISPLAY=yes
- AC_DEFINE(PAM_SUN_CODEBASE)
AC_DEFINE(USE_PIPES)
AC_DEFINE(LOGIN_NO_ENDOPT)
AC_DEFINE(LOGIN_NEEDS_UTMPX)
- AC_DEFINE(DISABLE_UTMP)
AC_DEFINE(LOCKED_PASSWD_STRING, "*")
AC_DEFINE(SPT_TYPE,SPT_PSTAT)
- AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins])
- check_for_hpux_broken_getaddrinfo=1
- check_for_conflicting_getspnam=1
LIBS="$LIBS -lsec"
- AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
+ AC_CHECK_LIB(xnet, t_error, ,
+ AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
+
+ # next, we define all of the options specific to major releases
+ case "$host" in
+ *-*-hpux10*)
+ if test -z "$GCC"; then
+ CFLAGS="$CFLAGS -Ae"
+ fi
+ ;;
+ *-*-hpux11*)
+ AC_DEFINE(PAM_SUN_CODEBASE)
+ AC_DEFINE(DISABLE_UTMP)
+ AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins])
+ check_for_hpux_broken_getaddrinfo=1
+ check_for_conflicting_getspnam=1
+ ;;
+ esac
+
+ # lastly, we define options specific to minor releases
+ case "$host" in
+ *-*-hpux10.26)
+ AC_DEFINE(HAVE_SECUREWARE)
+ disable_ptmx_check=yes
+ LIBS="$LIBS -lsecpw"
+ ;;
+ esac
;;
*-*-irix5*)
PATH="$PATH:/usr/etc"
esac
;;
mips-sony-bsd|mips-sony-newsos4)
- AC_DEFINE(HAVE_NEWS4)
+ AC_DEFINE(NEED_SETPRGP, [], [Need setpgrp to acquire controlling tty])
SONY=1
;;
*-*-netbsd*)
AC_DEFINE(USE_PIPES)
AC_DEFINE(BROKEN_SAVED_UIDS)
;;
+*-*-openbsd*)
+ AC_DEFINE(HAVE_ATTRIBUTE__SENTINEL__, 1, [OpenBSD's gcc has sentinel])
+ ;;
*-*-solaris*)
if test "x$withval" != "xno" ; then
need_dash_r=1
;;
# UnixWare 7.x, OpenUNIX 8
*-*-sysv5*)
+ check_for_libcrypt_later=1
+ AC_DEFINE(UNIXWARE_LONG_PASSWORDS, 1, [Support passwords > 8 chars])
AC_DEFINE(USE_PIPES)
AC_DEFINE(SETEUID_BREAKS_SETUID)
AC_DEFINE(BROKEN_SETREUID)
AC_DEFINE(BROKEN_SETREGID)
AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd])
+ case "$host" in
+ *-*-sysv5SCO_SV*) # SCO OpenServer 6.x
+ TEST_SHELL=/u95/bin/sh
+ AC_DEFINE(BROKEN_LIBIAF, 1, [ia_uinfo routines not supported by OS yet])
+ ;;
+ esac
;;
*-*-sysv*)
;;
AC_DEFINE(MISSING_HOWMANY)
AC_DEFINE(MISSING_FD_MASK)
;;
+
+*-*-ultrix*)
+ AC_DEFINE(BROKEN_GETGROUPS, [], [getgroups(0,NULL) will return -1])
+ AC_DEFINE(BROKEN_MMAP, [], [Ultrix mmap can't map files])
+ AC_DEFINE(NEED_SETPRGP, [], [Need setpgrp to acquire controlling tty])
+ AC_DEFINE(HAVE_SYS_SYSLOG_H, 1, [Force use of sys/syslog.h on Ultrix])
+ ;;
+
+*-*-lynxos)
+ CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
+ AC_DEFINE(MISSING_HOWMANY)
+ AC_DEFINE(BROKEN_SETVBUF, 1, [LynxOS has broken setvbuf() implementation])
+ ;;
esac
# Allow user to specify flags
fi
]
)
+AC_ARG_WITH(Werror,
+ [ --with-Werror Build main code with -Werror],
+ [
+ if test -n "$withval" && test "x$withval" != "xno"; then
+ werror_flags="-Werror"
+ if "x${withval}" != "xyes"; then
+ werror_flags="$withval"
+ fi
+ fi
+ ]
+)
AC_MSG_CHECKING(compiler and flags for sanity)
AC_RUN_IFELSE(
[ AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
)
-# Checks for header files.
-AC_CHECK_HEADERS(bstring.h crypt.h dirent.h endian.h features.h \
- floatingpoint.h getopt.h glob.h ia.h lastlog.h limits.h login.h \
- login_cap.h maillock.h ndir.h netdb.h netgroup.h \
- netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \
- rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
- strings.h sys/dir.h sys/strtio.h sys/audit.h sys/bitypes.h \
- sys/bsdtty.h sys/cdefs.h sys/mman.h sys/ndir.h sys/prctl.h \
- sys/pstat.h sys/select.h sys/stat.h sys/stream.h \
- sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h sys/un.h \
- time.h tmpdir.h ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h)
+dnl Checks for header files.
+AC_CHECK_HEADERS( \
+ bstring.h \
+ crypt.h \
+ dirent.h \
+ endian.h \
+ features.h \
+ floatingpoint.h \
+ getopt.h \
+ glob.h \
+ ia.h \
+ iaf.h \
+ lastlog.h \
+ limits.h \
+ login.h \
+ login_cap.h \
+ maillock.h \
+ ndir.h \
+ netdb.h \
+ netgroup.h \
+ netinet/in_systm.h \
+ pam/pam_appl.h \
+ paths.h \
+ pty.h \
+ readpassphrase.h \
+ rpc/types.h \
+ security/pam_appl.h \
+ shadow.h \
+ stddef.h \
+ stdint.h \
+ string.h \
+ strings.h \
+ sys/audit.h \
+ sys/bitypes.h \
+ sys/bsdtty.h \
+ sys/cdefs.h \
+ sys/dir.h \
+ sys/mman.h \
+ sys/ndir.h \
+ sys/prctl.h \
+ sys/pstat.h \
+ sys/select.h \
+ sys/stat.h \
+ sys/stream.h \
+ sys/stropts.h \
+ sys/strtio.h \
+ sys/sysmacros.h \
+ sys/time.h \
+ sys/timers.h \
+ sys/un.h \
+ time.h \
+ tmpdir.h \
+ ttyent.h \
+ unistd.h \
+ usersec.h \
+ util.h \
+ utime.h \
+ utmp.h \
+ utmpx.h \
+ vis.h \
+)
# sys/ptms.h requires sys/stream.h to be included first on Solaris
AC_CHECK_HEADERS(sys/ptms.h, [], [], [
if (a == 1 && b == 1 && c >= 4)
exit(0);
- /* 1.2.1.2 and up are OK */
- if (v >= 1020102)
+ /* 1.2.3 and up are OK */
+ if (v >= 1020300)
exit(0);
exit(2);
vendor has fixed these problems without changing the version number. If you
are sure this is the case, you can disable the check by running
"./configure --without-zlib-version-check".
-If you are in doubt, upgrade zlib to version 1.2.1.2 or greater.
+If you are in doubt, upgrade zlib to version 1.2.3 or greater.
See http://www.gzip.org/zlib/ for details.])
else
AC_MSG_WARN([zlib version may have security problems])
[ AC_MSG_ERROR(libedit not found) ],
[ -lcurses ]
)
+ AC_MSG_CHECKING(if libedit version is compatible)
+ AC_COMPILE_IFELSE(
+ [AC_LANG_SOURCE([[
+#include <histedit.h>
+int main(void)
+{
+ int i = H_SETSIZE;
+ el_init("", NULL, NULL, NULL);
+ exit(0);
+}
+ ]])],
+ [ AC_MSG_RESULT(yes) ],
+ [ AC_MSG_RESULT(no)
+ AC_MSG_ERROR(libedit version is not compatible) ]
+ )
fi ]
)
AC_MSG_RESULT(debug)
AC_DEFINE(SSH_AUDIT_EVENTS, [], Use audit debugging module)
;;
+ no)
+ AC_MSG_RESULT(no)
+ ;;
*)
AC_MSG_ERROR([Unknown audit module $withval])
;;
)
dnl Checks for library functions. Please keep in alphabetical order
-AC_CHECK_FUNCS(\
- arc4random __b64_ntop b64_ntop __b64_pton b64_pton bcopy \
- bindresvport_sa clock closefrom dirfd fchdir fchmod fchown \
- freeaddrinfo futimes getaddrinfo getcwd getgrouplist getnameinfo \
- getopt getpeereid _getpty getrlimit getttyent glob inet_aton \
- inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \
- mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \
- pstat prctl readpassphrase realpath recvmsg rresvport_af sendmsg \
- setdtablesize setegid setenv seteuid setgroups setlogin setpcred \
- setproctitle setregid setreuid setrlimit \
- setsid setvbuf sigaction sigvec snprintf socketpair strerror \
- strlcat strlcpy strmode strnvis strtoul sysconf tcgetpgrp \
- truncate unsetenv updwtmpx utimes vhangup vsnprintf waitpid \
+AC_CHECK_FUNCS( \
+ arc4random \
+ b64_ntop \
+ __b64_ntop \
+ b64_pton \
+ __b64_pton \
+ bcopy \
+ bindresvport_sa \
+ clock \
+ closefrom \
+ dirfd \
+ fchmod \
+ fchown \
+ freeaddrinfo \
+ futimes \
+ getaddrinfo \
+ getcwd \
+ getgrouplist \
+ getnameinfo \
+ getopt \
+ getpeereid \
+ _getpty \
+ getrlimit \
+ getttyent \
+ glob \
+ inet_aton \
+ inet_ntoa \
+ inet_ntop \
+ innetgr \
+ login_getcapbool \
+ md5_crypt \
+ memmove \
+ mkdtemp \
+ mmap \
+ ngetaddrinfo \
+ nsleep \
+ ogetaddrinfo \
+ openlog_r \
+ openpty \
+ prctl \
+ pstat \
+ readpassphrase \
+ realpath \
+ recvmsg \
+ rresvport_af \
+ sendmsg \
+ setdtablesize \
+ setegid \
+ setenv \
+ seteuid \
+ setgroups \
+ setlogin \
+ setpcred \
+ setproctitle \
+ setregid \
+ setreuid \
+ setrlimit \
+ setsid \
+ setvbuf \
+ sigaction \
+ sigvec \
+ snprintf \
+ socketpair \
+ strdup \
+ strerror \
+ strlcat \
+ strlcpy \
+ strmode \
+ strnvis \
+ strtonum \
+ strtoll \
+ strtoul \
+ sysconf \
+ tcgetpgrp \
+ truncate \
+ unsetenv \
+ updwtmpx \
+ utimes \
+ vhangup \
+ vsnprintf \
+ waitpid \
)
# IRIX has a const char return value for gai_strerror()
AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP))
dnl Make sure prototypes are defined for these before using them.
-AC_CHECK_DECL(strsep, [AC_CHECK_FUNCS(strsep)])
AC_CHECK_DECL(getrusage, [AC_CHECK_FUNCS(getrusage)])
+AC_CHECK_DECL(strsep,
+ [AC_CHECK_FUNCS(strsep)],
+ [],
+ [
+#ifdef HAVE_STRING_H
+# include <string.h>
+#endif
+ ])
dnl tcsendbreak might be a macro
AC_CHECK_DECL(tcsendbreak,
AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt")
fi
+AC_CHECK_LIB(iaf, ia_openinfo)
### Configure cryptographic random number support
AC_MSG_RESULT(no)])
])
AC_CHECK_FUNCS(_getshort _getlong)
+ AC_CHECK_DECLS([_getshort, _getlong], , ,
+ [#include <sys/types.h>
+ #include <arpa/nameser.h>])
AC_CHECK_MEMBER(HEADER.ad,
[AC_DEFINE(HAVE_HEADER_AD)],,
[#include <arpa/nameser.h>])
LIBS="$LIBS $K5LIBS"
AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS))
- AC_SEARCH_LIBS(krb5_init_ets, $K5LIBS, AC_DEFINE(KRB5_INIT_ETS))
]
)
LIBS=`echo $LIBS | sed 's/-ldl //'`
fi
+dnl Adding -Werror to CFLAGS early prevents configure tests from running.
+dnl Add now.
+CFLAGS="$CFLAGS $werror_flags"
+
AC_EXEEXT
AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openbsd-compat/Makefile \
scard/Makefile ssh_prng_cmds survey.sh])
sshd account required /usr/lib/security/pam_aix
OTHER account required /usr/lib/security/pam_aix
-# Session Management
+# Password Management
sshd password required /usr/lib/security/pam_aix
OTHER password required /usr/lib/security/pam_aix
-# Password Management
+# Session Management
sshd session required /usr/lib/security/pam_aix
OTHER session required /usr/lib/security/pam_aix
#old cvs stuff. please update before use. may be deprecated.
%define use_stable 1
%if %{use_stable}
- %define version 4.1p1
+ %define version 4.2p1
%define cvs %{nil}
%define release 1
%else
-%define ver 4.1p1
+%define ver 4.2p1
%define rel 1
# OpenSSH privilege separation requires a user & group ID
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
Name: openssh
-Version: 4.1p1
+Version: 4.2p1
URL: http://www.openssh.com/
Release: 1
Source0: openssh-%{version}.tar.gz
# ifdef PATH_MAX
# define MAXPATHLEN PATH_MAX
# else /* PATH_MAX */
-# define MAXPATHLEN 64 /* Should be safe */
+# define MAXPATHLEN 64
+/* realpath uses a fixed buffer of size MAXPATHLEN, so force use of ours */
+# ifndef BROKEN_REALPATH
+# define BROKEN_REALPATH 1
+# endif /* BROKEN_REALPATH */
# endif /* PATH_MAX */
#endif /* MAXPATHLEN */
+#ifndef PATH_MAX
+# ifdef _POSIX_PATH_MAX
+# define PATH_MAX _POSIX_PATH_MAX
+# endif
+#endif
+
+#ifndef MAXSYMLINKS
+# define MAXSYMLINKS 5
+#endif
+
#ifndef STDIN_FILENO
# define STDIN_FILENO 0
#endif
# define __dead __attribute__((noreturn))
#endif
+#if !defined(HAVE_ATTRIBUTE__SENTINEL__) && !defined(__sentinel__)
+# define __sentinel__
+#endif
+
/* *-*-nto-qnx doesn't define this macro in the system headers */
#ifdef MISSING_HOWMANY
# define howmany(x,y) (((x)+((y)-1))/(y))
# define SSH_SYSFDMAX 10000
#endif
+#if defined(__Lynx__)
+ /*
+ * LynxOS defines these in param.h which we do not want to include since
+ * it will also pull in a bunch of kernel definitions.
+ */
+# define ALIGNBYTES (sizeof(int) - 1)
+# define ALIGN(p) (((unsigned)p + ALIGNBYTES) & ~ALIGNBYTES)
+ /* Missing prototypes on LynxOS */
+ int snprintf (char *, size_t, const char *, ...);
+ int mkstemp (char *);
+ char *crypt (const char *, const char *);
+ int seteuid (uid_t);
+ int setegid (gid_t);
+ char *mkdtemp (char *);
+ int rresvport_af (int *, sa_family_t);
+ int innetgr (const char *, const char *, const char *, const char *);
+#endif
/*
* Define this to use pipes instead of socketpairs for communicating with the
# define CUSTOM_SYS_AUTH_PASSWD 1
#endif
+#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
+# define CUSTOM_SYS_AUTH_PASSWD 1
+#endif
+
/* HP-UX 11.11 */
#ifdef BTMP_FILE
# define _PATH_BTMP BTMP_FILE
/** end of login recorder definitions */
+#ifdef BROKEN_GETGROUPS
+# define getgroups(a,b) ((a)==0 && (b)==NULL ? NGROUPS_MAX : getgroups((a),(b)))
+#endif
+
+#if defined(HAVE_MMAP) && defined(BROKEN_MMAP)
+# undef HAVE_MMAP
+#endif
+
#endif /* _DEFINES_H */
-/* $OpenBSD: dns.c,v 1.10 2004/06/21 17:36:31 avsm Exp $ */
+/* $OpenBSD: dns.c,v 1.12 2005/06/17 02:44:32 djm Exp $ */
/*
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
#include "uuencode.h"
extern char *__progname;
-RCSID("$OpenBSD: dns.c,v 1.10 2004/06/21 17:36:31 avsm Exp $");
+RCSID("$OpenBSD: dns.c,v 1.12 2005/06/17 02:44:32 djm Exp $");
#ifndef LWRES
static const char *errset_text[] = {
return success;
}
+/*
+ * Check if hostname is numerical.
+ * Returns -1 if hostname is numeric, 0 otherwise
+ */
+static int
+is_numeric_hostname(const char *hostname)
+{
+ struct addrinfo hints, *ai;
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_socktype = SOCK_DGRAM;
+ hints.ai_flags = AI_NUMERICHOST;
+
+ if (getaddrinfo(hostname, "0", &hints, &ai) == 0) {
+ freeaddrinfo(ai);
+ return -1;
+ }
+
+ return 0;
+}
/*
* Verify the given hostname, address and host key using DNS.
verify_host_key_dns(const char *hostname, struct sockaddr *address,
const Key *hostkey, int *flags)
{
- int counter;
+ u_int counter;
int result;
struct rrsetinfo *fingerprints = NULL;
if (hostkey == NULL)
fatal("No key to look up!");
+ if (is_numeric_hostname(hostname)) {
+ debug("skipped DNS lookup for numerical hostname");
+ return -1;
+ }
+
result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
DNS_RDATATYPE_SSHFP, 0, &fingerprints);
if (result) {
u_char *rdata_digest;
u_int rdata_digest_len;
- int i;
+ u_int i;
int success = 0;
if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
close(p[0]);
if (waitpid(pid, &ret, 0) == -1)
- fatal("Couldn't wait for ssh-rand-helper completion: %s",
- strerror(errno));
+ fatal("Couldn't wait for ssh-rand-helper completion: %s",
+ strerror(errno));
signal(SIGCHLD, old_sigchld);
/* We don't mind if the child exits upon a SIGPIPE */
-/* $OpenBSD: gss-genr.c,v 1.3 2003/11/21 11:57:03 djm Exp $ */
+/* $OpenBSD: gss-genr.c,v 1.4 2005/07/17 07:17:55 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
}
char *
-ssh_gssapi_last_error(Gssctxt *ctxt,
- OM_uint32 *major_status, OM_uint32 *minor_status)
+ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status,
+ OM_uint32 *minor_status)
{
OM_uint32 lmin;
gss_buffer_desc msg = GSS_C_EMPTY_BUFFER;
logit("Cannot initialize krb5 context");
return 0;
}
-#ifdef KRB5_INIT_ETS
- krb5_init_ets(krb_context);
-#endif
return 1;
}
return;
}
#else
- {
- int tmpfd;
- char ccname[40];
- mode_t old_umask;
-
- snprintf(ccname, sizeof(ccname),
- "FILE:/tmp/krb5cc_%d_XXXXXX", geteuid());
-
- old_umask = umask(0177);
- tmpfd = mkstemp(ccname + strlen("FILE:"));
- umask(old_umask);
- if (tmpfd == -1) {
- logit("mkstemp(): %.100s", strerror(errno));
- problem = errno;
- return;
- }
- if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
- logit("fchmod(): %.100s", strerror(errno));
- close(tmpfd);
- problem = errno;
- return;
- }
- close(tmpfd);
- if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
- logit("krb5_cc_resolve(): %.100s",
- krb5_get_err_text(krb_context, problem));
- return;
- }
+ if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
+ logit("ssh_krb5_cc_gen(): %.100s",
+ krb5_get_err_text(krb_context, problem));
+ return;
}
#endif /* #ifdef HEIMDAL */
-/* $OpenBSD: gss-serv.c,v 1.5 2003/11/17 11:06:07 markus Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.8 2005/08/30 22:08:05 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
static OM_uint32
ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
{
- char *tok;
+ u_char *tok;
OM_uint32 offset;
OM_uint32 oidl;
*/
if (tok[4] != 0x06 || tok[5] != oidl ||
ename->length < oidl+6 ||
- !ssh_gssapi_check_oid(ctx,tok+6,oidl))
+ !ssh_gssapi_check_oid(ctx,tok+6,oidl))
return GSS_S_FAILURE;
offset = oidl+6;
debug("Setting %s to %s", gssapi_client.store.envvar,
gssapi_client.store.envval);
child_set_env(envp, envsizep, gssapi_client.store.envvar,
- gssapi_client.store.envval);
+ gssapi_client.store.envval);
}
}
int
ssh_gssapi_userok(char *user)
{
+ OM_uint32 lmin;
+
if (gssapi_client.exportedname.length == 0 ||
gssapi_client.exportedname.value == NULL) {
debug("No suitable client data");
return 0;
}
if (gssapi_client.mech && gssapi_client.mech->userok)
- return ((*gssapi_client.mech->userok)(&gssapi_client, user));
+ if ((*gssapi_client.mech->userok)(&gssapi_client, user))
+ return 1;
+ else {
+ /* Destroy delegated credentials if userok fails */
+ gss_release_buffer(&lmin, &gssapi_client.displayname);
+ gss_release_buffer(&lmin, &gssapi_client.exportedname);
+ gss_release_cred(&lmin, &gssapi_client.creds);
+ memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
+ return 0;
+ }
else
debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
return (0);
*/
#include "includes.h"
-RCSID("$OpenBSD: hostfile.c,v 1.34 2005/03/10 22:01:05 deraadt Exp $");
+RCSID("$OpenBSD: hostfile.c,v 1.35 2005/07/27 10:39:03 dtucker Exp $");
#include <resolv.h>
#include <openssl/hmac.h>
{
FILE *f;
int success = 0;
- char *hashed_host;
+ char *hashed_host = NULL;
if (key == NULL)
return 1; /* XXX ? */
-/* $OpenBSD: includes.h,v 1.18 2004/06/13 15:03:02 djm Exp $ */
+/* $OpenBSD: includes.h,v 1.19 2005/05/19 02:42:26 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
#define INCLUDES_H
#define RCSID(msg) \
-static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
+static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
#include "config.h"
+#include <stdarg.h>
#include <stdio.h>
#include <ctype.h>
#include <errno.h>
# include <ia.h>
#endif
+#ifdef HAVE_IAF_H
+# include <iaf.h>
+#endif
+
#ifdef HAVE_TMPDIR_H
# include <tmpdir.h>
#endif
# include <kafs.h>
#endif
+#if defined(HAVE_SYS_SYSLOG_H)
+# include <sys/syslog.h>
+#endif
+
/*
* On HP-UX 11.11, shadow.h and prot.h provide conflicting declarations
* of getspnam when _INCLUDE__STDC__ is defined, so we unset it here.
*/
#include "includes.h"
-RCSID("$OpenBSD: kex.c,v 1.60 2004/06/21 17:36:31 avsm Exp $");
+RCSID("$OpenBSD: kex.c,v 1.64 2005/07/25 11:59:39 markus Exp $");
#include <openssl/crypto.h>
static void
kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX])
{
- int i;
+ u_int i;
buffer_clear(b);
/*
static void
kex_prop_free(char **proposal)
{
- int i;
+ u_int i;
for (i = 0; i < PROPOSAL_MAX; i++)
xfree(proposal[i]);
{
u_int32_t rnd = 0;
u_char *cookie;
- int i;
+ u_int i;
if (kex == NULL) {
error("kex_send_kexinit: no kex, cannot rekey");
kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
{
char *ptr;
- int dlen;
- int i;
+ u_int i, dlen;
Kex *kex = (Kex *)ctxt;
debug("SSH2_MSG_KEXINIT received");
char *name = match_list(client, server, NULL);
if (name == NULL)
fatal("no matching comp found: client %s server %s", client, server);
- if (strcmp(name, "zlib") == 0) {
- comp->type = 1;
+ if (strcmp(name, "zlib@openssh.com") == 0) {
+ comp->type = COMP_DELAYED;
+ } else if (strcmp(name, "zlib") == 0) {
+ comp->type = COMP_ZLIB;
} else if (strcmp(name, "none") == 0) {
- comp->type = 0;
+ comp->type = COMP_NONE;
} else {
fatal("unsupported comp %s", name);
}
char **my, **peer;
char **cprop, **sprop;
int nenc, nmac, ncomp;
- int mode;
- int ctos; /* direction: if true client-to-server */
- int need;
+ u_int mode, ctos, need;
int first_kex_follows, type;
my = kex_buf2prop(&kex->my, NULL);
/* ignore the next message if the proposals do not match */
if (first_kex_follows && !proposals_match(my, peer) &&
- !(datafellows & SSH_BUG_FIRSTKEX)) {
+ !(datafellows & SSH_BUG_FIRSTKEX)) {
type = packet_read();
debug2("skipping next packet (type %u)", type);
}
}
static u_char *
-derive_key(Kex *kex, int id, int need, u_char *hash, BIGNUM *shared_secret)
+derive_key(Kex *kex, int id, u_int need, u_char *hash, BIGNUM *shared_secret)
{
Buffer b;
const EVP_MD *evp_md = EVP_sha1();
EVP_MD_CTX md;
char c = id;
- int have;
+ u_int have;
int mdsz = EVP_MD_size(evp_md);
- u_char *digest = xmalloc(roundup(need, mdsz));
+ u_char *digest;
+
+ if (mdsz < 0)
+ fatal("derive_key: mdsz < 0");
+ digest = xmalloc(roundup(need, mdsz));
buffer_init(&b);
buffer_put_bignum2(&b, shared_secret);
kex_derive_keys(Kex *kex, u_char *hash, BIGNUM *shared_secret)
{
u_char *keys[NKEYS];
- int i, mode, ctos;
+ u_int i, mode, ctos;
for (i = 0; i < NKEYS; i++)
keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, shared_secret);
EVP_DigestInit(&md, evp_md);
len = BN_num_bytes(host_modulus);
- if (len < (512 / 8) || len > sizeof(nbuf))
+ if (len < (512 / 8) || (u_int)len > sizeof(nbuf))
fatal("%s: bad host modulus (len %d)", __func__, len);
BN_bn2bin(host_modulus, nbuf);
EVP_DigestUpdate(&md, nbuf, len);
len = BN_num_bytes(server_modulus);
- if (len < (512 / 8) || len > sizeof(nbuf))
+ if (len < (512 / 8) || (u_int)len > sizeof(nbuf))
fatal("%s: bad server modulus (len %d)", __func__, len);
BN_bn2bin(server_modulus, nbuf);
EVP_DigestUpdate(&md, nbuf, len);
void
dump_digest(char *msg, u_char *digest, int len)
{
- int i;
+ u_int i;
fprintf(stderr, "%s\n", msg);
for (i = 0; i< len; i++) {
-/* $OpenBSD: kex.h,v 1.35 2004/06/13 12:53:24 djm Exp $ */
+/* $OpenBSD: kex.h,v 1.37 2005/07/25 11:59:39 markus Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
#define KEX_DH14 "diffie-hellman-group14-sha1"
#define KEX_DHGEX "diffie-hellman-group-exchange-sha1"
+#define COMP_NONE 0
+#define COMP_ZLIB 1
+#define COMP_DELAYED 2
+
enum kex_init_proposals {
PROPOSAL_KEX_ALGS,
PROPOSAL_SERVER_HOST_KEY_ALGS,
char *name;
int enabled;
const EVP_MD *md;
- int mac_len;
+ u_int mac_len;
u_char *key;
- int key_len;
+ u_int key_len;
};
struct Comp {
int type;
u_char *session_id;
u_int session_id_len;
Newkeys *newkeys[MODE_MAX];
- int we_need;
+ u_int we_need;
int server;
char *name;
int hostkey_type;
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: key.c,v 1.57 2004/10/29 23:57:05 djm Exp $");
+RCSID("$OpenBSD: key.c,v 1.58 2005/06/17 02:44:32 djm Exp $");
#include <openssl/evp.h>
key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len)
{
char *retval;
- int i;
+ u_int i;
retval = xmalloc(dgst_raw_len * 3 + 1);
retval[0] = '\0';
strlcpy(li->username, username, sizeof(li->username));
pw = getpwnam(li->username);
if (pw == NULL) {
- fatal("%s: Cannot find user \"%s\"", __func__,
+ fatal("%s: Cannot find user \"%s\"", __func__,
li->username);
}
li->uid = pw->pw_uid;
return (1);
}
-/*
+/*
* login_set_current_time(struct logininfo *) - set the current time
*
* Set the current time in a logininfo structure. This function is
wtmpx_write_entry(li);
#endif
#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
- if (li->type == LTYPE_LOGIN &&
- !sys_auth_record_login(li->username,li->hostname,li->line, &loginmsg))
+ if (li->type == LTYPE_LOGIN &&
+ !sys_auth_record_login(li->username,li->hostname,li->line,
+ &loginmsg))
logit("Writing login record failed for %s", li->username);
#endif
#ifdef SSH_AUDIT_EVENTS
* sure dst has enough space, if not just copy src (ugh)
*/
char *
-line_fullname(char *dst, const char *src, int dstsize)
+line_fullname(char *dst, const char *src, u_int dstsize)
{
memset(dst, '\0', dstsize);
if ((strncmp(src, "/dev/", 5) == 0) || (dstsize < (strlen(src) + 5)))
return (dst);
}
-/*
+/*
* line_abbrevname(): Return the abbreviated (usually four-character)
* form of the line (Just use the last <dstsize> characters of the
* full name.)
}
# else /* UTMP_USE_LIBRARY */
-/*
+/*
* Write a utmp entry direct to the file
* This is a slightly modification of code in OpenBSD's login.c
*/
return (0);
}
if (ret != pos) {
- logit("%s: Couldn't seek to tty %d slot in %s",
+ logit("%s: Couldn't seek to tty %d slot in %s",
__func__, tty, UTMP_FILE);
return (0);
}
#ifdef USE_WTMP
-/*
+/*
* Write a wtmp entry direct to the end of the file
* This is a slight modification of code in OpenBSD's logwtmp.c
*/
}
-/*
+/*
* Notes on fetching login data from wtmp/wtmpx
*
* Logouts are usually recorded with (amongst other things) a blank
li->tv_sec = li->tv_usec = 0;
if ((fd = open(WTMP_FILE, O_RDONLY)) < 0) {
- logit("%s: problem opening %s: %s", __func__,
+ logit("%s: problem opening %s: %s", __func__,
WTMP_FILE, strerror(errno));
return (0);
}
if (fstat(fd, &st) != 0) {
- logit("%s: couldn't stat %s: %s", __func__,
+ logit("%s: couldn't stat %s: %s", __func__,
WTMP_FILE, strerror(errno));
close(fd);
return (0);
while (!found) {
if (atomicio(read, fd, &ut, sizeof(ut)) != sizeof(ut)) {
- logit("%s: read of %s failed: %s", __func__,
+ logit("%s: read of %s failed: %s", __func__,
WTMP_FILE, strerror(errno));
close (fd);
return (0);
int fd, ret = 1;
if ((fd = open(WTMPX_FILE, O_WRONLY|O_APPEND, 0)) < 0) {
- logit("%s: problem opening %s: %s", __func__,
+ logit("%s: problem opening %s: %s", __func__,
WTMPX_FILE, strerror(errno));
return (0);
}
li->tv_sec = li->tv_usec = 0;
if ((fd = open(WTMPX_FILE, O_RDONLY)) < 0) {
- logit("%s: problem opening %s: %s", __func__,
+ logit("%s: problem opening %s: %s", __func__,
WTMPX_FILE, strerror(errno));
return (0);
}
if (fstat(fd, &st) != 0) {
- logit("%s: couldn't stat %s: %s", __func__,
+ logit("%s: couldn't stat %s: %s", __func__,
WTMPX_FILE, strerror(errno));
close(fd);
return (0);
while (!found) {
if (atomicio(read, fd, &utx, sizeof(utx)) != sizeof(utx)) {
- logit("%s: read of %s failed: %s", __func__,
+ logit("%s: read of %s failed: %s", __func__,
WTMPX_FILE, strerror(errno));
close (fd);
return (0);
}
/*
- * Logouts are recorded as a blank username on a particular
+ * Logouts are recorded as a blank username on a particular
* line. So, we just need to find the username in struct utmpx
*/
if (wtmpx_islogin(li, &utx)) {
unsigned int login_get_lastlog_time(const int uid);
/* produce various forms of the line filename */
-char *line_fullname(char *dst, const char *src, int dstsize);
+char *line_fullname(char *dst, const char *src, u_int dstsize);
char *line_stripname(char *dst, const char *src, int dstsize);
char *line_abbrevname(char *dst, const char *src, int dstsize);
*/
#include "includes.h"
-RCSID("$OpenBSD: mac.c,v 1.6 2003/09/18 13:02:21 miod Exp $");
+RCSID("$OpenBSD: mac.c,v 1.7 2005/06/17 02:44:32 djm Exp $");
#include <openssl/hmac.h>
int
mac_init(Mac *mac, char *name)
{
- int i;
+ int i, evp_len;
+
for (i = 0; macs[i].name; i++) {
if (strcmp(name, macs[i].name) == 0) {
if (mac != NULL) {
mac->md = (*macs[i].mdfunc)();
- mac->key_len = mac->mac_len = EVP_MD_size(mac->md);
+ if ((evp_len = EVP_MD_size(mac->md)) <= 0)
+ fatal("mac %s len %d", name, evp_len);
+ mac->key_len = mac->mac_len = (u_int)evp_len;
if (macs[i].truncatebits != 0)
mac->mac_len = macs[i].truncatebits/8;
}
if (mac->key == NULL)
fatal("mac_compute: no key");
- if ((u_int)mac->mac_len > sizeof(m))
+ if (mac->mac_len > sizeof(m))
fatal("mac_compute: mac too long");
HMAC_Init(&c, mac->key, mac->key_len, mac->md);
PUT_32BIT(b, seqno);
*/
#include "includes.h"
-RCSID("$OpenBSD: match.c,v 1.19 2002/03/01 13:12:10 markus Exp $");
+RCSID("$OpenBSD: match.c,v 1.20 2005/06/17 02:44:32 djm Exp $");
#include "match.h"
#include "xmalloc.h"
ret = xstrdup(p);
if (next != NULL)
*next = (cp == NULL) ?
- strlen(c) : cp - c;
+ strlen(c) : (u_int)(cp - c);
xfree(c);
xfree(s);
return ret;
} else if(match(words[w],"^Dt$")) {
id=wtail()
next
+ } else if(match(words[w],"^Ox$")) {
+ add("OpenBSD")
+ skip=1
} else if(match(words[w],"^Os$")) {
add(".TH " id " \"" date "\" \"" wtail() "\"")
} else if(match(words[w],"^Sh$")) {
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
+ * Copyright (c) 2005 Damien Miller. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
*/
#include "includes.h"
-RCSID("$OpenBSD: misc.c,v 1.29 2005/03/10 22:01:05 deraadt Exp $");
+RCSID("$OpenBSD: misc.c,v 1.34 2005/07/08 09:26:18 dtucker Exp $");
#include "misc.h"
#include "log.h"
args->list[args->num] = NULL;
}
+/*
+ * Expands tildes in the file name. Returns data allocated by xmalloc.
+ * Warning: this calls getpw*.
+ */
+char *
+tilde_expand_filename(const char *filename, uid_t uid)
+{
+ const char *path;
+ char user[128], ret[MAXPATHLEN];
+ struct passwd *pw;
+ u_int len, slash;
+
+ if (*filename != '~')
+ return (xstrdup(filename));
+ filename++;
+
+ path = strchr(filename, '/');
+ if (path != NULL && path > filename) { /* ~user/path */
+ slash = path - filename;
+ if (slash > sizeof(user) - 1)
+ fatal("tilde_expand_filename: ~username too long");
+ memcpy(user, filename, slash);
+ user[slash] = '\0';
+ if ((pw = getpwnam(user)) == NULL)
+ fatal("tilde_expand_filename: No such user %s", user);
+ } else if ((pw = getpwuid(uid)) == NULL) /* ~/path */
+ fatal("tilde_expand_filename: No such uid %d", uid);
+
+ if (strlcpy(ret, pw->pw_dir, sizeof(ret)) >= sizeof(ret))
+ fatal("tilde_expand_filename: Path too long");
+
+ /* Make sure directory has a trailing '/' */
+ len = strlen(pw->pw_dir);
+ if ((len == 0 || pw->pw_dir[len - 1] != '/') &&
+ strlcat(ret, "/", sizeof(ret)) >= sizeof(ret))
+ fatal("tilde_expand_filename: Path too long");
+
+ /* Skip leading '/' from specified path */
+ if (path != NULL)
+ filename = path + 1;
+ if (strlcat(ret, filename, sizeof(ret)) >= sizeof(ret))
+ fatal("tilde_expand_filename: Path too long");
+
+ return (xstrdup(ret));
+}
+
+/*
+ * Expand a string with a set of %[char] escapes. A number of escapes may be
+ * specified as (char *escape_chars, char *replacement) pairs. The list must
+ * be terminated by a NULL escape_char. Returns replaced string in memory
+ * allocated by xmalloc.
+ */
+char *
+percent_expand(const char *string, ...)
+{
+#define EXPAND_MAX_KEYS 16
+ struct {
+ const char *key;
+ const char *repl;
+ } keys[EXPAND_MAX_KEYS];
+ u_int num_keys, i, j;
+ char buf[4096];
+ va_list ap;
+
+ /* Gather keys */
+ va_start(ap, string);
+ for (num_keys = 0; num_keys < EXPAND_MAX_KEYS; num_keys++) {
+ keys[num_keys].key = va_arg(ap, char *);
+ if (keys[num_keys].key == NULL)
+ break;
+ keys[num_keys].repl = va_arg(ap, char *);
+ if (keys[num_keys].repl == NULL)
+ fatal("percent_expand: NULL replacement");
+ }
+ va_end(ap);
+
+ if (num_keys >= EXPAND_MAX_KEYS)
+ fatal("percent_expand: too many keys");
+
+ /* Expand string */
+ *buf = '\0';
+ for (i = 0; *string != '\0'; string++) {
+ if (*string != '%') {
+ append:
+ buf[i++] = *string;
+ if (i >= sizeof(buf))
+ fatal("percent_expand: string too long");
+ buf[i] = '\0';
+ continue;
+ }
+ string++;
+ if (*string == '%')
+ goto append;
+ for (j = 0; j < num_keys; j++) {
+ if (strchr(keys[j].key, *string) != NULL) {
+ i = strlcat(buf, keys[j].repl, sizeof(buf));
+ if (i >= sizeof(buf))
+ fatal("percent_expand: string too long");
+ break;
+ }
+ }
+ if (j >= num_keys)
+ fatal("percent_expand: unknown key %%%c", *string);
+ }
+ return (xstrdup(buf));
+#undef EXPAND_MAX_KEYS
+}
+
/*
* Read an entire line from a public key file into a static buffer, discarding
* lines that exceed the buffer size. Returns 0 on success, -1 on failure.
}
return -1;
}
+
+char *
+tohex(const u_char *d, u_int l)
+{
+ char b[3], *r;
+ u_int i, hl;
+
+ hl = l * 2 + 1;
+ r = xmalloc(hl);
+ *r = '\0';
+ for (i = 0; i < l; i++) {
+ snprintf(b, sizeof(b), "%02x", d[i]);
+ strlcat(r, b, hl);
+ }
+ return (r);
+}
+
-/* $OpenBSD: misc.h,v 1.21 2005/03/01 10:09:52 djm Exp $ */
+/* $OpenBSD: misc.h,v 1.25 2005/07/14 04:00:43 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
char *cleanhostname(char *);
char *colon(char *);
long convtime(const char *);
+char *tilde_expand_filename(const char *, uid_t);
+char *percent_expand(const char *, ...) __attribute__((__sentinel__));
+char *tohex(const u_char *, u_int);
struct passwd *pwcopy(struct passwd *);
};
void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3)));
-/* tildexpand.c */
-
-char *tilde_expand_filename(const char *, uid_t);
-
/* readpass.c */
#define RP_ECHO 0x0001
-/* $OpenBSD: moduli.c,v 1.10 2005/01/17 03:25:46 dtucker Exp $ */
+/* $OpenBSD: moduli.c,v 1.12 2005/07/17 07:17:55 djm Exp $ */
/*
* Copyright 1994 Phil Karn <karn@qualcomm.com>
* Copyright 1996-1998, 2003 William Allen Simpson <wsimpson@greendragon.com>
#define TINY_NUMBER (1UL<<16)
/* Ensure enough bit space for testing 2*q. */
-#define TEST_MAXIMUM (1UL<<16)
-#define TEST_MINIMUM (QSIZE_MINIMUM + 1)
-/* real TEST_MINIMUM (1UL << (SHIFT_WORD - TEST_POWER)) */
-#define TEST_POWER (3) /* 2**n, n < SHIFT_WORD */
+#define TEST_MAXIMUM (1UL<<16)
+#define TEST_MINIMUM (QSIZE_MINIMUM + 1)
+/* real TEST_MINIMUM (1UL << (SHIFT_WORD - TEST_POWER)) */
+#define TEST_POWER (3) /* 2**n, n < SHIFT_WORD */
/* bit operations on 32-bit words */
-#define BIT_CLEAR(a,n) ((a)[(n)>>SHIFT_WORD] &= ~(1L << ((n) & 31)))
-#define BIT_SET(a,n) ((a)[(n)>>SHIFT_WORD] |= (1L << ((n) & 31)))
-#define BIT_TEST(a,n) ((a)[(n)>>SHIFT_WORD] & (1L << ((n) & 31)))
+#define BIT_CLEAR(a,n) ((a)[(n)>>SHIFT_WORD] &= ~(1L << ((n) & 31)))
+#define BIT_SET(a,n) ((a)[(n)>>SHIFT_WORD] |= (1L << ((n) & 31)))
+#define BIT_TEST(a,n) ((a)[(n)>>SHIFT_WORD] & (1L << ((n) & 31)))
/*
* Prime testing defines
*/
/* Minimum number of primality tests to perform */
-#define TRIAL_MINIMUM (4)
+#define TRIAL_MINIMUM (4)
/*
* Sieving data (XXX - move to struct)
static u_int32_t largebits, largememory; /* megabytes */
static BIGNUM *largebase;
-int gen_candidates(FILE *, int, int, BIGNUM *);
+int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
int prime_test(FILE *, FILE *, u_int32_t, u_int32_t);
/*
* The list is checked against small known primes (less than 2**30).
*/
int
-gen_candidates(FILE *out, int memory, int power, BIGNUM *start)
+gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start)
{
BIGNUM *q;
u_int32_t j, r, s, t;
u_int32_t smallwords = TINY_NUMBER >> 6;
u_int32_t tinywords = TINY_NUMBER >> 6;
time_t time_start, time_stop;
- int i, ret = 0;
+ u_int32_t i;
+ int ret = 0;
largememory = memory;
if (memory != 0 &&
- (memory < LARGE_MINIMUM || memory > LARGE_MAXIMUM)) {
+ (memory < LARGE_MINIMUM || memory > LARGE_MAXIMUM)) {
error("Invalid memory amount (min %ld, max %ld)",
LARGE_MINIMUM, LARGE_MAXIMUM);
return (-1);
* fencepost errors, the last pass is skipped.
*/
for (smallbase = TINY_NUMBER + 3;
- smallbase < (SMALL_MAXIMUM - TINY_NUMBER);
- smallbase += TINY_NUMBER) {
+ smallbase < (SMALL_MAXIMUM - TINY_NUMBER);
+ smallbase += TINY_NUMBER) {
for (i = 0; i < tinybits; i++) {
if (BIT_TEST(TinySieve, i))
continue; /* 2*i+3 is composite */
* due to earlier inconsistencies in interpretation, check
* the proposed bit size.
*/
- if (BN_num_bits(p) != (in_size + 1)) {
+ if ((u_int32_t)BN_num_bits(p) != (in_size + 1)) {
debug2("%10u: bit size %u mismatch", count_in, in_size);
continue;
}
mm_answer_pam_query(int sock, Buffer *m)
{
char *name, *info, **prompts;
- u_int num, *echo_on;
- int i, ret;
+ u_int i, num, *echo_on;
+ int ret;
debug3("%s", __func__);
sshpam_authok = NULL;
mm_answer_pam_respond(int sock, Buffer *m)
{
char **resp;
- u_int num;
- int i, ret;
+ u_int i, num;
+ int ret;
debug3("%s", __func__);
sshpam_authok = NULL;
*/
#include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.39 2004/07/17 05:31:41 dtucker Exp $");
+RCSID("$OpenBSD: monitor_wrap.c,v 1.40 2005/05/24 17:32:43 avsm Exp $");
#include <openssl/bn.h>
#include <openssl/dh.h>
PUT_32BIT(buf, mlen + 1);
buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */
if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf))
- fatal("%s: write", __func__);
+ fatal("%s: write: %s", __func__, strerror(errno));
if (atomicio(vwrite, sock, buffer_ptr(m), mlen) != mlen)
- fatal("%s: write", __func__);
+ fatal("%s: write: %s", __func__, strerror(errno));
}
void
{
u_char buf[4];
u_int msg_len;
- ssize_t res;
debug3("%s entering", __func__);
- res = atomicio(read, sock, buf, sizeof(buf));
- if (res != sizeof(buf)) {
- if (res == 0)
+ if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) {
+ if (errno == EPIPE)
cleanup_exit(255);
- fatal("%s: read: %ld", __func__, (long)res);
+ fatal("%s: read: %s", __func__, strerror(errno));
}
msg_len = GET_32BIT(buf);
if (msg_len > 256 * 1024)
fatal("%s: read: bad msg_len %d", __func__, msg_len);
buffer_clear(m);
buffer_append_space(m, msg_len);
- res = atomicio(read, sock, buffer_ptr(m), msg_len);
- if (res != msg_len)
- fatal("%s: read: %ld != msg_len", __func__, (long)res);
+ if (atomicio(read, sock, buffer_ptr(m), msg_len) != msg_len)
+ fatal("%s: read: %s", __func__, strerror(errno));
}
void
u_int *num, char ***prompts, u_int **echo_on)
{
Buffer m;
- int i, ret;
+ u_int i;
+ int ret;
debug3("%s", __func__);
buffer_init(&m);
mm_sshpam_respond(void *ctx, u_int num, char **resp)
{
Buffer m;
- int i, ret;
+ u_int i;
+ int ret;
debug3("%s", __func__);
buffer_init(&m);
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: msg.c,v 1.7 2003/11/17 09:45:39 djm Exp $");
+RCSID("$OpenBSD: msg.c,v 1.8 2005/05/24 17:32:43 avsm Exp $");
#include "buffer.h"
#include "getput.h"
ssh_msg_recv(int fd, Buffer *m)
{
u_char buf[4];
- ssize_t res;
u_int msg_len;
debug3("ssh_msg_recv entering");
- res = atomicio(read, fd, buf, sizeof(buf));
- if (res != sizeof(buf)) {
- if (res != 0)
- error("ssh_msg_recv: read: header %ld", (long)res);
+ if (atomicio(read, fd, buf, sizeof(buf)) != sizeof(buf)) {
+ if (errno != EPIPE)
+ error("ssh_msg_recv: read: header");
return (-1);
}
msg_len = GET_32BIT(buf);
}
buffer_clear(m);
buffer_append_space(m, msg_len);
- res = atomicio(read, fd, buffer_ptr(m), msg_len);
- if (res != msg_len) {
- error("ssh_msg_recv: read: %ld != msg_len", (long)res);
+ if (atomicio(read, fd, buffer_ptr(m), msg_len) != msg_len) {
+ error("ssh_msg_recv: read: %s", strerror(errno));
return (-1);
}
return (0);
-/* $OpenBSD: myproposal.h,v 1.16 2004/06/13 12:53:24 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.18 2005/07/25 11:59:39 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
"diffie-hellman-group1-sha1"
#define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss"
#define KEX_DEFAULT_ENCRYPT \
- "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour," \
+ "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
+ "arcfour128,arcfour256,arcfour," \
"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
"aes128-ctr,aes192-ctr,aes256-ctr"
#define KEX_DEFAULT_MAC \
"hmac-md5,hmac-sha1,hmac-ripemd160," \
"hmac-ripemd160@openssh.com," \
"hmac-sha1-96,hmac-md5-96"
-#define KEX_DEFAULT_COMP "none,zlib"
+#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
#define KEX_DEFAULT_LANG ""
INSTALL=@INSTALL@
LDFLAGS=-L. @LDFLAGS@
-OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtoul.o vis.o
+OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtonum.o strtoll.o strtoul.o vis.o
-COMPAT=bsd-arc4random.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o xmmap.o xcrypt.o
+COMPAT=bsd-arc4random.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
-PORTS=port-irix.o port-aix.o
+PORTS=port-irix.o port-aix.o port-uw.o
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
return (signal(sig, act));
#endif
}
+
+#ifndef HAVE_STRDUP
+char *
+strdup(const char *str)
+{
+ size_t len;
+ char *cp;
+
+ len = strlen(str) + 1;
+ cp = malloc(len);
+ if (cp != NULL)
+ if (strlcpy(cp, str, len) != len) {
+ free(cp);
+ return NULL;
+ }
+ return cp;
+}
+#endif
#endif /* !NI_MAXHOST */
#ifndef EAI_NODATA
-# define EAI_NODATA 1
-# define EAI_MEMORY 2
-# define EAI_NONAME 3
-# define EAI_SYSTEM 4
+# define EAI_NODATA (INT_MAX - 1)
+#endif
+#ifndef EAI_MEMORY
+# define EAI_MEMORY (INT_MAX - 2)
+#endif
+#ifndef EAI_NONAME
+# define EAI_NONAME (INT_MAX - 3)
+#endif
+#ifndef EAI_SYSTEM
+# define EAI_SYSTEM (INT_MAX - 4)
#endif
#ifndef HAVE_STRUCT_ADDRINFO
GETSHORT(u, msgp);
return (u);
}
+#elif defined(HAVE_DECL__GETSHORT) && (HAVE_DECL__GETSHORT == 0)
+u_int16_t _getshort(register const u_char *);
#endif
#ifndef HAVE__GETLONG
GETLONG(u, msgp);
return (u);
}
+#elif defined(HAVE_DECL__GETLONG) && (HAVE_DECL__GETLONG == 0)
+u_int32_t _getlong(register const u_char *);
#endif
int
int snprintf(char *, size_t, const char *, ...);
#endif
+#ifndef HAVE_STRTONUM
+long long strtonum(const char *, long long, long long, const char **);
+#endif
+
#ifndef HAVE_VSNPRINTF
int vsnprintf(char *, size_t, const char *, va_list);
#endif
#include "bsd-cygwin_util.h"
#include "port-irix.h"
#include "port-aix.h"
+#include "port-uw.h"
#endif /* _OPENBSD_COMPAT_H */
--- /dev/null
+/* $Id$ */
+
+/*
+ * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER
+ * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#define SSH_DONT_REDEF_EVP
+#include "openssl-compat.h"
+
+#ifdef SSH_OLD_EVP
+int
+ssh_EVP_CipherInit(EVP_CIPHER_CTX *evp, const EVP_CIPHER *type,
+ unsigned char *key, unsigned char *iv, int enc)
+{
+ EVP_CipherInit(evp, type, key, iv, enc);
+ return 1;
+}
+
+int
+ssh_EVP_Cipher(EVP_CIPHER_CTX *evp, char *dst, char *src, int len)
+{
+ EVP_Cipher(evp, dst, src, len);
+ return 1;
+}
+
+int
+ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp)
+{
+ EVP_CIPHER_CTX_cleanup(evp);
+ return 1;
+}
+#endif
--- /dev/null
+/* $Id$ */
+
+/*
+ * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER
+ * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+#include <openssl/evp.h>
+
+#if OPENSSL_VERSION_NUMBER < 0x00906000L
+# define SSH_OLD_EVP
+# define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
+# define EVP_aes_128_cbc evp_rijndael
+# define EVP_aes_192_cbc evp_rijndael
+# define EVP_aes_256_cbc evp_rijndael
+extern const EVP_CIPHER *evp_rijndael(void);
+extern void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
+#endif
+
+#if !defined(EVP_CTRL_SET_ACSS_MODE)
+# if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
+# define USE_CIPHER_ACSS 1
+extern const EVP_CIPHER *evp_acss(void);
+# define EVP_acss evp_acss
+# else
+# define EVP_acss NULL
+# endif
+#endif
+
+/*
+ * insert comment here
+ */
+#ifdef SSH_OLD_EVP
+
+# ifndef SSH_DONT_REDEF_EVP
+
+# ifdef EVP_Cipher
+# undef EVP_Cipher
+# endif
+
+# define EVP_CipherInit(a,b,c,d,e) ssh_EVP_CipherInit((a),(b),(c),(d),(e))
+# define EVP_Cipher(a,b,c,d) ssh_EVP_Cipher((a),(b),(c),(d))
+# define EVP_CIPHER_CTX_cleanup(a) ssh_EVP_CIPHER_CTX_cleanup((a))
+# endif
+
+int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *,
+ unsigned char *, int);
+int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int);
+int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *);
+#endif
/*
*
* Copyright (c) 2001 Gert Doering. All rights reserved.
- * Copyright (c) 2003,2004 Darren Tucker. All rights reserved.
+ * Copyright (c) 2003,2004,2005 Darren Tucker. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
# endif
/*
- * AIX has a "usrinfo" area where logname and other stuff is stored -
+ * AIX has a "usrinfo" area where logname and other stuff is stored -
* a few applications actually use this and die if it's not set
*
* NOTE: TTY= should be set, but since no one uses it and it's hard to
* acquire due to privsep code. We will just drop support.
*/
-
-
void
aix_usrinfo(struct passwd *pw)
{
len = sizeof("LOGNAME= NAME= ") + (2 * strlen(pw->pw_name));
cp = xmalloc(len);
- i = snprintf(cp, len, "LOGNAME=%s%cNAME=%s%c", pw->pw_name, '\0',
+ i = snprintf(cp, len, "LOGNAME=%s%cNAME=%s%c", pw->pw_name, '\0',
pw->pw_name, '\0');
if (usrinfo(SETUINFO, cp, i) == -1)
fatal("Couldn't set usrinfo: %s", strerror(errno));
int
sys_auth_passwd(Authctxt *ctxt, const char *password)
{
- char *authmsg = NULL, *msg, *name = ctxt->pw->pw_name;
+ char *authmsg = NULL, *msg = NULL, *name = ctxt->pw->pw_name;
int authsuccess = 0, expired, reenter, result;
do {
result = authenticate((char *)name, (char *)password, &reenter,
&authmsg);
aix_remove_embedded_newlines(authmsg);
- debug3("AIX/authenticate result %d, msg %.100s", result,
+ debug3("AIX/authenticate result %d, authmsg %.100s", result,
authmsg);
} while (reenter);
if (result == 0) {
authsuccess = 1;
- /*
+ /*
* Record successful login. We don't have a pty yet, so just
* label the line as "ssh"
*/
sys_auth_record_login(const char *user, const char *host, const char *ttynm,
Buffer *loginmsg)
{
- char *msg;
+ char *msg = NULL;
int success = 0;
aix_setauthdb(user);
/*
*
* Copyright (c) 2001 Gert Doering. All rights reserved.
+ * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
/* These should be in the system headers but are not. */
int usrinfo(int, char *, int);
-#if (HAVE_DECL_SETAUTHDB == 0)
+#if defined(HAVE_DECL_SETAUTHDB) && (HAVE_DECL_SETAUTHDB == 0)
int setauthdb(const char *, char *);
#endif
/* these may or may not be in the headers depending on the version */
-#if (HAVE_DECL_AUTHENTICATE == 0)
+#if defined(HAVE_DECL_AUTHENTICATE) && (HAVE_DECL_AUTHENTICATE == 0)
int authenticate(char *, char *, int *, char **);
#endif
-#if (HAVE_DECL_LOGINFAILED == 0)
+#if defined(HAVE_DECL_LOGINFAILED) && (HAVE_DECL_LOGINFAILED == 0)
int loginfailed(char *, char *, char *);
#endif
-#if (HAVE_DECL_LOGINRESTRICTIONS == 0)
+#if defined(HAVE_DECL_LOGINRESTRICTIONS) && (HAVE_DECL_LOGINRESTRICTIONS == 0)
int loginrestrictions(char *, int, char *, char **);
#endif
-#if (HAVE_DECL_LOGINSUCCESS == 0)
+#if defined(HAVE_DECL_LOGINSUCCESS) && (HAVE_DECL_LOGINSUCCESS == 0)
int loginsuccess(char *, char *, char *, char **);
#endif
-#if (HAVE_DECL_PASSWDEXPIRED == 0)
+#if defined(HAVE_DECL_PASSWDEXPIRED) && (HAVE_DECL_PASSWDEXPIRED == 0)
int passwdexpired(char *, char **);
#endif
--- /dev/null
+/*
+ * Copyright (c) 2005 The SCO Group. All rights reserved.
+ * Copyright (c) 2005 Tim Rice. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
+#ifdef HAVE_CRYPT_H
+#include <crypt.h>
+#endif
+#include "packet.h"
+#include "buffer.h"
+#include "log.h"
+#include "servconf.h"
+#include "auth.h"
+#include "auth-options.h"
+
+int nischeck(char *);
+
+int
+sys_auth_passwd(Authctxt *authctxt, const char *password)
+{
+ struct passwd *pw = authctxt->pw;
+ char *encrypted_password;
+ char *salt;
+ int result;
+
+ /* Just use the supplied fake password if authctxt is invalid */
+ char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
+
+ /* Check for users with no password. */
+ if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
+ return (1);
+
+ /* Encrypt the candidate password using the proper salt. */
+ salt = (pw_password[0] && pw_password[1]) ? pw_password : "xx";
+#ifdef UNIXWARE_LONG_PASSWORDS
+ if (!nischeck(pw->pw_name))
+ encrypted_password = bigcrypt(password, salt);
+ else
+#endif /* UNIXWARE_LONG_PASSWORDS */
+ encrypted_password = xcrypt(password, salt);
+
+ /*
+ * Authentication is accepted if the encrypted passwords
+ * are identical.
+ */
+ result = (strcmp(encrypted_password, pw_password) == 0);
+
+ if (authctxt->valid)
+ free(pw_password);
+ return(result);
+}
+
+#ifdef UNIXWARE_LONG_PASSWORDS
+int
+nischeck(char *namep)
+{
+ char password_file[] = "/etc/passwd";
+ FILE *fd;
+ struct passwd *ent = NULL;
+
+ if ((fd = fopen (password_file, "r")) == NULL) {
+ /*
+ * If the passwd file has dissapeared we are in a bad state.
+ * However, returning 0 will send us back through the
+ * authentication scheme that has checked the ia database for
+ * passwords earlier.
+ */
+ return(0);
+ }
+
+ /*
+ * fgetpwent() only reads from password file, so we know for certain
+ * that the user is local.
+ */
+ while (ent = fgetpwent(fd)) {
+ if (strcmp (ent->pw_name, namep) == 0) {
+ /* Local user */
+ fclose (fd);
+ return(0);
+ }
+ }
+
+ fclose (fd);
+ return (1);
+}
+
+#endif /* UNIXWARE_LONG_PASSWORDS */
+
+/*
+ NOTE: ia_get_logpwd() allocates memory for arg 2
+ functions that call shadow_pw() will need to free
+ */
+
+char *
+get_iaf_password(struct passwd *pw)
+{
+ char *pw_password = NULL;
+
+ uinfo_t uinfo;
+ if (!ia_openinfo(pw->pw_name,&uinfo)) {
+ ia_get_logpwd(uinfo, &pw_password);
+ if (pw_password == NULL)
+ fatal("ia_get_logpwd: Unable to get the shadow passwd");
+ ia_closeinfo(uinfo);
+ return pw_password;
+ }
+ else
+ fatal("ia_openinfo: Unable to open the shadow passwd file");
+}
+#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
+
--- /dev/null
+/*
+ * Copyright (c) 2005 Tim Rice. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
+char * get_iaf_password(struct passwd *pw);
+#endif
+
/* OPENBSD ORIGINAL: lib/libc/stdlib/realpath.c */
/*
- * Copyright (c) 1994
- * The Regents of the University of California. All rights reserved.
- *
- * This code is derived from software contributed to Berkeley by
- * Jan-Simon Pendry.
+ * Copyright (c) 2003 Constantin S. Svintsoff <kostik@iclub.nsu.ru>
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. The names of the authors may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
-#if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: realpath.c,v 1.11 2004/11/30 15:12:59 millert Exp $";
-#endif /* LIBC_SCCS and not lint */
-
#include <sys/param.h>
#include <sys/stat.h>
#include <errno.h>
-#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/*
- * MAXSYMLINKS
- */
-#ifndef MAXSYMLINKS
-#define MAXSYMLINKS 5
-#endif
-
-/*
- * char *realpath(const char *path, char resolved_path[MAXPATHLEN]);
+ * char *realpath(const char *path, char resolved[PATH_MAX]);
*
* Find the real name of path, by removing all ".", ".." and symlink
* components. Returns (resolved) on success, or (NULL) on failure,
* in which case the path which caused trouble is left in (resolved).
*/
char *
-realpath(const char *path, char *resolved)
+realpath(const char *path, char resolved[PATH_MAX])
{
struct stat sb;
- int fd, n, needslash, serrno;
- char *p, *q, wbuf[MAXPATHLEN];
- int symlinks = 0;
-
- /* Save the starting point. */
-#ifndef HAVE_FCHDIR
- char start[MAXPATHLEN];
- /* this is potentially racy but without fchdir we have no option */
- if (getcwd(start, sizeof(start)) == NULL) {
- resolved[0] = '.';
+ char *p, *q, *s;
+ size_t left_len, resolved_len;
+ unsigned symlinks;
+ int serrno, slen;
+ char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX];
+
+ serrno = errno;
+ symlinks = 0;
+ if (path[0] == '/') {
+ resolved[0] = '/';
resolved[1] = '\0';
- return (NULL);
+ if (path[1] == '\0')
+ return (resolved);
+ resolved_len = 1;
+ left_len = strlcpy(left, path + 1, sizeof(left));
+ } else {
+ if (getcwd(resolved, PATH_MAX) == NULL) {
+ strlcpy(resolved, ".", PATH_MAX);
+ return (NULL);
+ }
+ resolved_len = strlen(resolved);
+ left_len = strlcpy(left, path, sizeof(left));
}
-#endif
- if ((fd = open(".", O_RDONLY)) < 0) {
- resolved[0] = '.';
- resolved[1] = '\0';
+ if (left_len >= sizeof(left) || resolved_len >= PATH_MAX) {
+ errno = ENAMETOOLONG;
return (NULL);
}
- /* Convert "." -> "" to optimize away a needless lstat() and chdir() */
- if (path[0] == '.' && path[1] == '\0')
- path = "";
-
/*
- * Find the dirname and basename from the path to be resolved.
- * Change directory to the dirname component.
- * lstat the basename part.
- * if it is a symlink, read in the value and loop.
- * if it is a directory, then change to that directory.
- * get the current directory name and append the basename.
+ * Iterate over path components in `left'.
*/
- if (strlcpy(resolved, path, MAXPATHLEN) >= MAXPATHLEN) {
- serrno = ENAMETOOLONG;
- goto err2;
- }
-loop:
- q = strrchr(resolved, '/');
- if (q != NULL) {
- p = q + 1;
- if (q == resolved)
- q = "/";
- else {
- do {
- --q;
- } while (q > resolved && *q == '/');
- q[1] = '\0';
- q = resolved;
+ while (left_len != 0) {
+ /*
+ * Extract the next path component and adjust `left'
+ * and its length.
+ */
+ p = strchr(left, '/');
+ s = p ? p : left + left_len;
+ if (s - left >= sizeof(next_token)) {
+ errno = ENAMETOOLONG;
+ return (NULL);
}
- if (chdir(q) < 0)
- goto err1;
- } else
- p = resolved;
-
- /* Deal with the last component. */
- if (*p != '\0' && lstat(p, &sb) == 0) {
- if (S_ISLNK(sb.st_mode)) {
- if (++symlinks > MAXSYMLINKS) {
- errno = ELOOP;
- goto err1;
+ memcpy(next_token, left, s - left);
+ next_token[s - left] = '\0';
+ left_len -= s - left;
+ if (p != NULL)
+ memmove(left, s + 1, left_len + 1);
+ if (resolved[resolved_len - 1] != '/') {
+ if (resolved_len + 1 >= PATH_MAX) {
+ errno = ENAMETOOLONG;
+ return (NULL);
}
- if ((n = readlink(p, resolved, MAXPATHLEN-1)) < 0)
- goto err1;
- resolved[n] = '\0';
- goto loop;
+ resolved[resolved_len++] = '/';
+ resolved[resolved_len] = '\0';
}
- if (S_ISDIR(sb.st_mode)) {
- if (chdir(p) < 0)
- goto err1;
- p = "";
+ if (next_token[0] == '\0')
+ continue;
+ else if (strcmp(next_token, ".") == 0)
+ continue;
+ else if (strcmp(next_token, "..") == 0) {
+ /*
+ * Strip the last path component except when we have
+ * single "/"
+ */
+ if (resolved_len > 1) {
+ resolved[resolved_len - 1] = '\0';
+ q = strrchr(resolved, '/') + 1;
+ *q = '\0';
+ resolved_len = q - resolved;
+ }
+ continue;
}
- }
-
- /*
- * Save the last component name and get the full pathname of
- * the current directory.
- */
- if (strlcpy(wbuf, p, sizeof(wbuf)) >= sizeof(wbuf)) {
- errno = ENAMETOOLONG;
- goto err1;
- }
- if (getcwd(resolved, MAXPATHLEN) == NULL)
- goto err1;
-
- /*
- * Join the two strings together, ensuring that the right thing
- * happens if the last component is empty, or the dirname is root.
- */
- if (resolved[0] == '/' && resolved[1] == '\0')
- needslash = 0;
- else
- needslash = 1;
- if (*wbuf) {
- if (strlen(resolved) + strlen(wbuf) + needslash >= MAXPATHLEN) {
+ /*
+ * Append the next path component and lstat() it. If
+ * lstat() fails we still can return successfully if
+ * there are no more path components left.
+ */
+ resolved_len = strlcat(resolved, next_token, PATH_MAX);
+ if (resolved_len >= PATH_MAX) {
errno = ENAMETOOLONG;
- goto err1;
+ return (NULL);
}
- if (needslash) {
- if (strlcat(resolved, "/", MAXPATHLEN) >= MAXPATHLEN) {
- errno = ENAMETOOLONG;
- goto err1;
+ if (lstat(resolved, &sb) != 0) {
+ if (errno == ENOENT && p == NULL) {
+ errno = serrno;
+ return (resolved);
}
+ return (NULL);
}
- if (strlcat(resolved, wbuf, MAXPATHLEN) >= MAXPATHLEN) {
- errno = ENAMETOOLONG;
- goto err1;
- }
- }
+ if (S_ISLNK(sb.st_mode)) {
+ if (symlinks++ > MAXSYMLINKS) {
+ errno = ELOOP;
+ return (NULL);
+ }
+ slen = readlink(resolved, symlink, sizeof(symlink) - 1);
+ if (slen < 0)
+ return (NULL);
+ symlink[slen] = '\0';
+ if (symlink[0] == '/') {
+ resolved[1] = 0;
+ resolved_len = 1;
+ } else if (resolved_len > 1) {
+ /* Strip the last path component. */
+ resolved[resolved_len - 1] = '\0';
+ q = strrchr(resolved, '/') + 1;
+ *q = '\0';
+ resolved_len = q - resolved;
+ }
- /* Go back to where we came from. */
-#ifdef HAVE_FCHDIR
- if (fchdir(fd) < 0) {
-#else
- if (chdir(start) < 0) {
-#endif
- serrno = errno;
- goto err2;
+ /*
+ * If there are any path components left, then
+ * append them to symlink. The result is placed
+ * in `left'.
+ */
+ if (p != NULL) {
+ if (symlink[slen - 1] != '/') {
+ if (slen + 1 >= sizeof(symlink)) {
+ errno = ENAMETOOLONG;
+ return (NULL);
+ }
+ symlink[slen] = '/';
+ symlink[slen + 1] = 0;
+ }
+ left_len = strlcat(symlink, left, sizeof(left));
+ if (left_len >= sizeof(left)) {
+ errno = ENAMETOOLONG;
+ return (NULL);
+ }
+ }
+ left_len = strlcpy(left, symlink, sizeof(left));
+ }
}
- /* It's okay if the close fails, what's an fd more or less? */
- (void)close(fd);
+ /*
+ * Remove trailing slash except when the resolved pathname
+ * is a single "/".
+ */
+ if (resolved_len > 1 && resolved[resolved_len - 1] == '/')
+ resolved[resolved_len - 1] = '\0';
return (resolved);
-
-err1: serrno = errno;
-#ifdef HAVE_FCHDIR
- (void)fchdir(fd);
-#else
- chdir(start);
-#endif
-err2: (void)close(fd);
- errno = serrno;
- return (NULL);
}
#endif /* !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) */
--- /dev/null
+/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoll.c */
+
+/*-
+ * Copyright (c) 1992 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "includes.h"
+#ifndef HAVE_STRTOLL
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$OpenBSD: strtoll.c,v 1.4 2005/03/30 18:51:49 pat Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <sys/types.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <limits.h>
+#include <stdlib.h>
+
+/*
+ * Convert a string to a long long.
+ *
+ * Ignores `locale' stuff. Assumes that the upper and lower case
+ * alphabets and digits are each contiguous.
+ */
+long long
+strtoll(const char *nptr, char **endptr, int base)
+{
+ const char *s;
+ long long acc, cutoff;
+ int c;
+ int neg, any, cutlim;
+
+ /*
+ * Skip white space and pick up leading +/- sign if any.
+ * If base is 0, allow 0x for hex and 0 for octal, else
+ * assume decimal; if base is already 16, allow 0x.
+ */
+ s = nptr;
+ do {
+ c = (unsigned char) *s++;
+ } while (isspace(c));
+ if (c == '-') {
+ neg = 1;
+ c = *s++;
+ } else {
+ neg = 0;
+ if (c == '+')
+ c = *s++;
+ }
+ if ((base == 0 || base == 16) &&
+ c == '0' && (*s == 'x' || *s == 'X')) {
+ c = s[1];
+ s += 2;
+ base = 16;
+ }
+ if (base == 0)
+ base = c == '0' ? 8 : 10;
+
+ /*
+ * Compute the cutoff value between legal numbers and illegal
+ * numbers. That is the largest legal value, divided by the
+ * base. An input number that is greater than this value, if
+ * followed by a legal input character, is too big. One that
+ * is equal to this value may be valid or not; the limit
+ * between valid and invalid numbers is then based on the last
+ * digit. For instance, if the range for long longs is
+ * [-9223372036854775808..9223372036854775807] and the input base
+ * is 10, cutoff will be set to 922337203685477580 and cutlim to
+ * either 7 (neg==0) or 8 (neg==1), meaning that if we have
+ * accumulated a value > 922337203685477580, or equal but the
+ * next digit is > 7 (or 8), the number is too big, and we will
+ * return a range error.
+ *
+ * Set any if any `digits' consumed; make it negative to indicate
+ * overflow.
+ */
+ cutoff = neg ? LLONG_MIN : LLONG_MAX;
+ cutlim = cutoff % base;
+ cutoff /= base;
+ if (neg) {
+ if (cutlim > 0) {
+ cutlim -= base;
+ cutoff += 1;
+ }
+ cutlim = -cutlim;
+ }
+ for (acc = 0, any = 0;; c = (unsigned char) *s++) {
+ if (isdigit(c))
+ c -= '0';
+ else if (isalpha(c))
+ c -= isupper(c) ? 'A' - 10 : 'a' - 10;
+ else
+ break;
+ if (c >= base)
+ break;
+ if (any < 0)
+ continue;
+ if (neg) {
+ if (acc < cutoff || (acc == cutoff && c > cutlim)) {
+ any = -1;
+ acc = LLONG_MIN;
+ errno = ERANGE;
+ } else {
+ any = 1;
+ acc *= base;
+ acc -= c;
+ }
+ } else {
+ if (acc > cutoff || (acc == cutoff && c > cutlim)) {
+ any = -1;
+ acc = LLONG_MAX;
+ errno = ERANGE;
+ } else {
+ any = 1;
+ acc *= base;
+ acc += c;
+ }
+ }
+ }
+ if (endptr != 0)
+ *endptr = (char *) (any ? s - 1 : nptr);
+ return (acc);
+}
+#endif /* HAVE_STRTOLL */
--- /dev/null
+/* OPENBSD ORIGINAL: lib/libc/stdlib/strtonum.c */
+
+/* $OpenBSD: strtonum.c,v 1.6 2004/08/03 19:38:01 millert Exp $ */
+
+/*
+ * Copyright (c) 2004 Ted Unangst and Todd Miller
+ * All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+#ifndef HAVE_STRTONUM
+#include <limits.h>
+
+#define INVALID 1
+#define TOOSMALL 2
+#define TOOLARGE 3
+
+long long
+strtonum(const char *numstr, long long minval, long long maxval,
+ const char **errstrp)
+{
+ long long ll = 0;
+ char *ep;
+ int error = 0;
+ struct errval {
+ const char *errstr;
+ int err;
+ } ev[4] = {
+ { NULL, 0 },
+ { "invalid", EINVAL },
+ { "too small", ERANGE },
+ { "too large", ERANGE },
+ };
+
+ ev[0].err = errno;
+ errno = 0;
+ if (minval > maxval)
+ error = INVALID;
+ else {
+ ll = strtoll(numstr, &ep, 10);
+ if (numstr == ep || *ep != '\0')
+ error = INVALID;
+ else if ((ll == LLONG_MIN && errno == ERANGE) || ll < minval)
+ error = TOOSMALL;
+ else if ((ll == LLONG_MAX && errno == ERANGE) || ll > maxval)
+ error = TOOLARGE;
+ }
+ if (errstrp != NULL)
+ *errstrp = ev[error].errstr;
+ errno = ev[error].err;
+ if (error)
+ ll = 0;
+
+ return (ll);
+}
+
+#endif /* HAVE_STRTONUM */
if (spw != NULL)
pw_password = spw->sp_pwdp;
# endif
+
+#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
+ return(get_iaf_password(pw));
+#endif
+
# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
struct passwd_adjunct *spw;
if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
*/
#include "includes.h"
-RCSID("$OpenBSD: packet.c,v 1.116 2004/10/20 11:48:53 markus Exp $");
+RCSID("$OpenBSD: packet.c,v 1.119 2005/07/28 17:36:22 markus Exp $");
#include "openbsd-compat/sys-queue.h"
/* Set to true if the connection is interactive. */
static int interactive_mode = 0;
+/* Set to true if we are the server side. */
+static int server_side = 0;
+
+/* Set to true if we are authenticated. */
+static int after_authentication = 0;
+
/* Session key information for Encryption and MAC */
Newkeys *newkeys[MODE_MAX];
static struct packet_state {
/* Deleting the keys does not gain extra security */
/* memset(enc->iv, 0, enc->block_size);
memset(enc->key, 0, enc->key_len); */
- if (comp->type != 0 && comp->enabled == 0) {
+ if ((comp->type == COMP_ZLIB ||
+ (comp->type == COMP_DELAYED && after_authentication)) &&
+ comp->enabled == 0) {
packet_init_compression();
if (mode == MODE_OUT)
buffer_compress_init_send(6);
*max_blocks = MIN(*max_blocks, rekey_limit / enc->block_size);
}
+/*
+ * Delayed compression for SSH2 is enabled after authentication:
+ * This happans on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent,
+ * and on the client side after a SSH2_MSG_USERAUTH_SUCCESS is received.
+ */
+static void
+packet_enable_delayed_compress(void)
+{
+ Comp *comp = NULL;
+ int mode;
+
+ /*
+ * Remember that we are past the authentication step, so rekeying
+ * with COMP_DELAYED will turn on compression immediately.
+ */
+ after_authentication = 1;
+ for (mode = 0; mode < MODE_MAX; mode++) {
+ comp = &newkeys[mode]->comp;
+ if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
+ packet_init_compression();
+ if (mode == MODE_OUT)
+ buffer_compress_init_send(6);
+ else
+ buffer_compress_init_recv();
+ comp->enabled = 1;
+ }
+ }
+}
+
/*
* Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
*/
if (type == SSH2_MSG_NEWKEYS)
set_newkeys(MODE_OUT);
+ else if (type == SSH2_MSG_USERAUTH_SUCCESS && server_side)
+ packet_enable_delayed_compress();
}
static void
static u_int packet_length = 0;
u_int padlen, need;
u_char *macbuf, *cp, type;
- int maclen, block_size;
+ u_int maclen, block_size;
Enc *enc = NULL;
Mac *mac = NULL;
Comp *comp = NULL;
packet_disconnect("Invalid ssh2 packet type: %d", type);
if (type == SSH2_MSG_NEWKEYS)
set_newkeys(MODE_IN);
+ else if (type == SSH2_MSG_USERAUTH_SUCCESS && !server_side)
+ packet_enable_delayed_compress();
#ifdef PACKET_DEBUG
fprintf(stderr, "read/plain[%d]:\r\n", type);
buffer_dump(&incoming_packet);
}
void *
-packet_get_raw(int *length_ptr)
+packet_get_raw(u_int *length_ptr)
{
- int bytes = buffer_len(&incoming_packet);
+ u_int bytes = buffer_len(&incoming_packet);
if (length_ptr != NULL)
*length_ptr = bytes;
{
rekey_limit = bytes;
}
+
+void
+packet_set_server(void)
+{
+ server_side = 1;
+}
+
+void
+packet_set_authenticated(void)
+{
+ after_authentication = 1;
+}
-/* $OpenBSD: packet.h,v 1.41 2004/05/11 19:01:43 deraadt Exp $ */
+/* $OpenBSD: packet.h,v 1.43 2005/07/25 11:59:40 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
void packet_start_compression(int);
void packet_set_interactive(int);
int packet_is_interactive(void);
+void packet_set_server(void);
+void packet_set_authenticated(void);
void packet_start(u_char);
void packet_put_char(int ch);
u_int packet_get_int(void);
void packet_get_bignum(BIGNUM * value);
void packet_get_bignum2(BIGNUM * value);
-void *packet_get_raw(int *length_ptr);
+void *packet_get_raw(u_int *length_ptr);
void *packet_get_string(u_int *length_ptr);
void packet_disconnect(const char *fmt,...) __attribute__((format(printf, 1, 2)));
void packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2)));
*/
#include "includes.h"
-RCSID("$OpenBSD: progressmeter.c,v 1.22 2004/07/11 17:48:47 deraadt Exp $");
+RCSID("$OpenBSD: progressmeter.c,v 1.24 2005/06/07 13:25:23 jaredy Exp $");
#include "progressmeter.h"
#include "atomicio.h"
static void format_size(char *, int, off_t);
static void format_rate(char *, int, off_t);
+/* window resizing */
+static void sig_winch(int);
+static void setscreensize(void);
+
/* updates the progressmeter to reflect the current state of the transfer */
void refresh_progress_meter(void);
static long stalled; /* how long we have been stalled */
static int bytes_per_second; /* current speed in bytes per second */
static int win_size; /* terminal window size */
+static volatile sig_atomic_t win_resized; /* for window resizing */
/* units for format_size */
static const char unit[] = " KMGT";
len = snprintf(buf, file_len + 1, "\r%s", file);
if (len < 0)
len = 0;
+ if (len >= file_len + 1)
+ len = file_len;
for (i = len; i < file_len; i++ )
buf[i] = ' ';
buf[file_len] = '\0';
save_errno = errno;
+ if (win_resized) {
+ setscreensize();
+ win_resized = 0;
+ }
if (can_output())
refresh_progress_meter();
void
start_progress_meter(char *f, off_t filesize, off_t *ctr)
{
- struct winsize winsize;
-
start = last_update = time(NULL);
file = f;
end_pos = filesize;
stalled = 0;
bytes_per_second = 0;
- if (ioctl(STDOUT_FILENO, TIOCGWINSZ, &winsize) != -1 &&
- winsize.ws_col != 0) {
- if (winsize.ws_col > MAX_WINSIZE)
- win_size = MAX_WINSIZE;
- else
- win_size = winsize.ws_col;
- } else
- win_size = DEFAULT_WINSIZE;
- win_size += 1; /* trailing \0 */
-
+ setscreensize();
if (can_output())
refresh_progress_meter();
signal(SIGALRM, update_progress_meter);
+ signal(SIGWINCH, sig_winch);
alarm(UPDATE_INTERVAL);
}
atomicio(vwrite, STDOUT_FILENO, "\n", 1);
}
+
+static void
+sig_winch(int sig)
+{
+ win_resized = 1;
+}
+
+static void
+setscreensize(void)
+{
+ struct winsize winsize;
+
+ if (ioctl(STDOUT_FILENO, TIOCGWINSZ, &winsize) != -1 &&
+ winsize.ws_col != 0) {
+ if (winsize.ws_col > MAX_WINSIZE)
+ win_size = MAX_WINSIZE;
+ else
+ win_size = winsize.ws_col;
+ } else
+ win_size = DEFAULT_WINSIZE;
+ win_size += 1; /* trailing \0 */
+}
*/
#include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.139 2005/03/10 22:01:05 deraadt Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.143 2005/07/30 02:03:47 djm Exp $");
#include "ssh.h"
#include "xmalloc.h"
fwd.listen_host = cleanhostname(fwd.listen_host);
} else {
fwd.listen_port = a2port(fwd.listen_host);
- fwd.listen_host = "";
+ fwd.listen_host = NULL;
}
if (fwd.listen_port == 0)
fatal("%.200s line %d: Badly formatted port number.",
case oAddressFamily:
arg = strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing address family.",
+ filename, linenum);
intptr = &options->address_family;
if (strcasecmp(arg, "inet") == 0)
value = AF_INET;
case oControlMaster:
intptr = &options->control_master;
- goto parse_yesnoask;
+ arg = strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing ControlMaster argument.",
+ filename, linenum);
+ value = 0; /* To avoid compiler warning... */
+ if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
+ value = SSHCTL_MASTER_YES;
+ else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
+ value = SSHCTL_MASTER_NO;
+ else if (strcmp(arg, "auto") == 0)
+ value = SSHCTL_MASTER_AUTO;
+ else if (strcmp(arg, "ask") == 0)
+ value = SSHCTL_MASTER_ASK;
+ else if (strcmp(arg, "autoask") == 0)
+ value = SSHCTL_MASTER_AUTO_ASK;
+ else
+ fatal("%.200s line %d: Bad ControlMaster argument.",
+ filename, linenum);
+ if (*activep && *intptr == -1)
+ *intptr = value;
+ break;
case oHashKnownHosts:
intptr = &options->hash_known_hosts;
/* Check that there is no garbage at end of line. */
if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
- filename, linenum, arg);
+ filename, linenum, arg);
}
return 0;
}
-/* $OpenBSD: readconf.h,v 1.66 2005/03/01 10:40:27 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.67 2005/06/08 11:25:09 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
int hash_known_hosts;
} Options;
+#define SSHCTL_MASTER_NO 0
+#define SSHCTL_MASTER_YES 1
+#define SSHCTL_MASTER_AUTO 2
+#define SSHCTL_MASTER_ASK 3
+#define SSHCTL_MASTER_AUTO_ASK 4
void initialize_options(Options *);
void fill_default_options(Options *);
*/
#include "includes.h"
-RCSID("$OpenBSD: readpass.c,v 1.31 2004/10/29 22:53:56 djm Exp $");
+RCSID("$OpenBSD: readpass.c,v 1.33 2005/05/02 21:13:22 markus Exp $");
#include "xmalloc.h"
#include "misc.h"
if (flags & RP_USE_ASKPASS)
use_askpass = 1;
else if (flags & RP_ALLOW_STDIN) {
- if (!isatty(STDIN_FILENO))
+ if (!isatty(STDIN_FILENO)) {
+ debug("read_passphrase: stdin is not a tty");
use_askpass = 1;
+ }
} else {
rppflags |= RPP_REQUIRE_TTY;
ttyfd = open(_PATH_TTY, O_RDWR);
if (ttyfd >= 0)
close(ttyfd);
- else
+ else {
+ debug("read_passphrase: can't open %s: %s", _PATH_TTY,
+ strerror(errno));
use_askpass = 1;
+ }
}
if ((flags & RP_USE_ASKPASS) && getenv("DISPLAY") == NULL)
tid="reexec tests"
-DATA=/bin/ls
+DATA=/bin/ls${EXEEXT}
COPY=${OBJ}/copy
-SSHD_ORIG=$SSHD
-SSHD_COPY=$OBJ/sshd
+SSHD_ORIG=$SSHD${EXEEXT}
+SSHD_COPY=$OBJ/sshd${EXEEXT}
# Start a sshd and then delete it
start_sshd_copy ()
fi
# Path to sshd must be absolute for rexec
-if [ ! -x /$SSHD ]; then
- SSHD=`which sshd`
-fi
+case "$SSHD" in
+/*) ;;
+*) SSHD=`which sshd` ;;
+esac
if [ "x$TEST_SSH_LOGFILE" = "x" ]; then
TEST_SSH_LOGFILE=/dev/null
*/
#include "includes.h"
-RCSID("$OpenBSD: scp.c,v 1.121 2005/04/02 12:41:16 djm Exp $");
+RCSID("$OpenBSD: scp.c,v 1.125 2005/07/27 10:39:03 dtucker Exp $");
#include "xmalloc.h"
#include "atomicio.h"
killchild(int signo)
{
if (do_cmd_pid > 1) {
- kill(do_cmd_pid, signo);
+ kill(do_cmd_pid, signo ? signo : SIGTERM);
waitpid(do_cmd_pid, NULL, 0);
}
- _exit(1);
+ if (signo)
+ _exit(1);
+ exit(1);
}
/*
}
typedef struct {
- int cnt;
+ size_t cnt;
char *buf;
} BUF;
struct stat stb;
static BUF buffer;
BUF *bp;
- off_t i, amt, result, statbytes;
- int fd, haderr, indx;
+ off_t i, amt, statbytes;
+ size_t result;
+ int fd = -1, haderr, indx;
char *last, *name, buf[2048];
int len;
if (!haderr) {
result = atomicio(read, fd, bp->buf, amt);
if (result != amt)
- haderr = result >= 0 ? EIO : errno;
+ haderr = errno;
}
if (haderr)
(void) atomicio(vwrite, remout, bp->buf, amt);
else {
result = atomicio(vwrite, remout, bp->buf, amt);
if (result != amt)
- haderr = result >= 0 ? EIO : errno;
+ haderr = errno;
statbytes += result;
}
if (limit_rate)
YES, NO, DISPLAYED
} wrerr;
BUF *bp;
- off_t i, j;
- int amt, count, exists, first, mask, mode, ofd, omode;
+ off_t i;
+ size_t j, count;
+ int amt, exists, first, mask, mode, ofd, omode;
off_t size, statbytes;
int setimes, targisdir, wrerrno = 0;
char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
targisdir = 1;
for (first = 1;; first = 0) {
cp = buf;
- if (atomicio(read, remin, cp, 1) <= 0)
+ if (atomicio(read, remin, cp, 1) != 1)
return;
if (*cp++ == '\n')
SCREWUP("unexpected <newline>");
}
if (targisdir) {
static char *namebuf;
- static int cursize;
+ static size_t cursize;
size_t need;
need = strlen(targ) + strlen(cp) + 250;
count += amt;
do {
j = atomicio(read, remin, cp, amt);
- if (j <= 0) {
+ if (j == 0) {
run_err("%s", j ? strerror(errno) :
"dropped connection");
exit(1);
if (count == bp->cnt) {
/* Keep reading so we stay sync'd up. */
if (wrerr == NO) {
- j = atomicio(vwrite, ofd, bp->buf, count);
- if (j != count) {
+ if (atomicio(vwrite, ofd, bp->buf,
+ count) != count) {
wrerr = YES;
- wrerrno = j >= 0 ? EIO : errno;
+ wrerrno = errno;
}
}
count = 0;
if (showprogress)
stop_progress_meter();
if (count != 0 && wrerr == NO &&
- (j = atomicio(vwrite, ofd, bp->buf, count)) != count) {
+ atomicio(vwrite, ofd, bp->buf, count) != count) {
wrerr = YES;
- wrerrno = j >= 0 ? EIO : errno;
+ wrerrno = errno;
}
if (wrerr == NO && ftruncate(ofd, size) != 0) {
run_err("%s: truncate: %s", np, strerror(errno));
errno = ENOTDIR;
}
run_err("%s: %s", cp, strerror(errno));
- exit(1);
+ killchild(0);
}
int
*/
#include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.140 2005/03/10 22:01:05 deraadt Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.144 2005/08/06 10:03:12 dtucker Exp $");
#include "ssh.h"
#include "log.h"
if (options->use_login == -1)
options->use_login = 0;
if (options->compression == -1)
- options->compression = 1;
+ options->compression = COMP_DELAYED;
if (options->allow_tcp_forwarding == -1)
options->allow_tcp_forwarding = 1;
if (options->gateway_ports == -1)
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
- int i;
+ u_int i;
if (options->num_ports == 0)
options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
const char *filename, int linenum)
{
char *cp, **charptr, *arg, *p;
- int *intptr, value, i, n;
+ int *intptr, value, n;
ServerOpCodes opcode;
u_short port;
+ u_int i;
cp = line;
arg = strdelim(&cp);
if (arg == NULL || *arg == '\0')
fatal("%s line %d: missing address",
filename, linenum);
+ /* check for bare IPv6 address: no "[]" and 2 or more ":" */
+ if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
+ && strchr(p+1, ':') != NULL) {
+ add_listen_addr(options, arg, 0);
+ break;
+ }
p = hpdelim(&arg);
if (p == NULL)
fatal("%s line %d: bad address:port usage",
case sAddressFamily:
arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing address family.",
+ filename, linenum);
intptr = &options->address_family;
if (options->listen_addrs != NULL)
fatal("%s line %d: address family must be specified before "
case sCompression:
intptr = &options->compression;
- goto parse_flag;
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing yes/no/delayed "
+ "argument.", filename, linenum);
+ value = 0; /* silence compiler */
+ if (strcmp(arg, "delayed") == 0)
+ value = COMP_DELAYED;
+ else if (strcmp(arg, "yes") == 0)
+ value = COMP_ZLIB;
+ else if (strcmp(arg, "no") == 0)
+ value = COMP_NONE;
+ else
+ fatal("%s line %d: Bad yes/no/delayed "
+ "argument: %s", filename, linenum, arg);
+ if (*intptr == -1)
+ *intptr = value;
+ break;
case sGatewayPorts:
intptr = &options->gateway_ports;
*/
#include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.117 2004/08/11 21:43:05 avsm Exp $");
+RCSID("$OpenBSD: serverloop.c,v 1.118 2005/07/17 07:17:55 djm Exp $");
#include "xmalloc.h"
#include "packet.h"
packet_check_eom();
debug("server_request_direct_tcpip: originator %s port %d, target %s port %d",
- originator, originator_port, target, target_port);
+ originator, originator_port, target, target_port);
/* XXX check permission */
sock = channel_connect_to(target, target_port);
#ifndef NO_IPPORT_RESERVED_CONCEPT
|| (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)
#endif
- ) {
+ ) {
success = 0;
packet_send_debug("Server has disabled port forwarding.");
} else {
*/
#include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.181 2004/12/23 17:35:48 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.186 2005/07/25 11:59:40 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
#include "serverloop.h"
#include "canohost.h"
#include "session.h"
+#include "kex.h"
#include "monitor_wrap.h"
#if defined(KRB5) && defined(USE_AFS)
static void
display_loginmsg(void)
{
- if (buffer_len(&loginmsg) > 0) {
- buffer_append(&loginmsg, "\0", 1);
- printf("%s", (char *)buffer_ptr(&loginmsg));
- buffer_clear(&loginmsg);
- }
+ if (buffer_len(&loginmsg) > 0) {
+ buffer_append(&loginmsg, "\0", 1);
+ printf("%s", (char *)buffer_ptr(&loginmsg));
+ buffer_clear(&loginmsg);
+ }
}
void
compression_level);
break;
}
- if (!options.compression) {
+ if (options.compression == COMP_NONE) {
debug2("compression disabled");
break;
}
}
#endif /* HAVE_ETC_DEFAULT_LOGIN */
-void copy_environment(char **source, char ***env, u_int *envsize)
+void
+copy_environment(char **source, char ***env, u_int *envsize)
{
char *var_name, *var_val;
int i;
# ifdef _AIX
aix_usrinfo(pw);
# endif /* _AIX */
+#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
+ if (set_id(pw->pw_name) != 0) {
+ exit(1);
+ }
+#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
/* Permanently switch to the desired uid. */
permanently_set_uid(pw);
#endif
*/
if (options.kerberos_get_afs_token && k_hasafs() &&
- (s->authctxt->krb5_ctx != NULL)) {
+ (s->authctxt->krb5_ctx != NULL)) {
char cell[64];
debug("Getting AFS token");
s->ttyfd = -1;
s->used = 1;
s->self = i;
+ s->x11_chanids = NULL;
debug("session_new: session %d", i);
return s;
}
return NULL;
}
+static Session *
+session_by_x11_channel(int id)
+{
+ int i, j;
+
+ for (i = 0; i < MAX_SESSIONS; i++) {
+ Session *s = &sessions[i];
+
+ if (s->x11_chanids == NULL || !s->used)
+ continue;
+ for (j = 0; s->x11_chanids[j] != -1; j++) {
+ if (s->x11_chanids[j] == id) {
+ debug("session_by_x11_channel: session %d "
+ "channel %d", s->self, id);
+ return s;
+ }
+ }
+ }
+ debug("session_by_x11_channel: unknown channel %d", id);
+ session_dump();
+ return NULL;
+}
+
static Session *
session_by_pid(pid_t pid)
{
u_int len;
int success = 0;
char *cmd, *subsys = packet_get_string(&len);
- int i;
+ u_int i;
packet_check_eom();
logit("subsystem request for %.100s", subsys);
{
int success;
+ if (s->auth_proto != NULL || s->auth_data != NULL) {
+ error("session_x11_req: session %d: "
+ "x11 fowarding already active", s->self);
+ return 0;
+ }
s->single_connection = packet_get_char();
s->auth_proto = packet_get_string(NULL);
s->auth_data = packet_get_string(NULL);
return "SIG@openssh.com";
}
+static void
+session_close_x11(int id)
+{
+ Channel *c;
+
+ if ((c = channel_lookup(id)) == NULL) {
+ debug("session_close_x11: x11 channel %d missing", id);
+ } else {
+ /* Detach X11 listener */
+ debug("session_close_x11: detach x11 channel %d", id);
+ channel_cancel_cleanup(id);
+ if (c->ostate != CHAN_OUTPUT_CLOSED)
+ chan_mark_dead(c);
+ }
+}
+
+static void
+session_close_single_x11(int id, void *arg)
+{
+ Session *s;
+ u_int i;
+
+ debug3("session_close_single_x11: channel %d", id);
+ channel_cancel_cleanup(id);
+ if ((s = session_by_x11_channel(id)) == NULL)
+ fatal("session_close_single_x11: no x11 channel %d", id);
+ for (i = 0; s->x11_chanids[i] != -1; i++) {
+ debug("session_close_single_x11: session %d: "
+ "closing channel %d", s->self, s->x11_chanids[i]);
+ /*
+ * The channel "id" is already closing, but make sure we
+ * close all of its siblings.
+ */
+ if (s->x11_chanids[i] != id)
+ session_close_x11(s->x11_chanids[i]);
+ }
+ xfree(s->x11_chanids);
+ s->x11_chanids = NULL;
+ if (s->display) {
+ xfree(s->display);
+ s->display = NULL;
+ }
+ if (s->auth_proto) {
+ xfree(s->auth_proto);
+ s->auth_proto = NULL;
+ }
+ if (s->auth_data) {
+ xfree(s->auth_data);
+ s->auth_data = NULL;
+ }
+ if (s->auth_display) {
+ xfree(s->auth_display);
+ s->auth_display = NULL;
+ }
+}
+
static void
session_exit_message(Session *s, int status)
{
Channel *c;
+ u_int i;
if ((c = channel_lookup(s->chanid)) == NULL)
fatal("session_exit_message: session %d: no channel %d",
if (c->ostate != CHAN_OUTPUT_CLOSED)
chan_write_failed(c);
s->chanid = -1;
+
+ /* Close any X11 listeners associated with this session */
+ if (s->x11_chanids != NULL) {
+ for (i = 0; s->x11_chanids[i] != -1; i++) {
+ session_close_x11(s->x11_chanids[i]);
+ s->x11_chanids[i] = -1;
+ }
+ }
}
void
session_close(Session *s)
{
- int i;
+ u_int i;
debug("session_close: session %d pid %ld", s->self, (long)s->pid);
if (s->ttyfd != -1)
xfree(s->term);
if (s->display)
xfree(s->display);
+ if (s->x11_chanids)
+ xfree(s->x11_chanids);
if (s->auth_display)
xfree(s->auth_display);
if (s->auth_data)
session_close_by_channel(int id, void *arg)
{
Session *s = session_by_channel(id);
+
if (s == NULL) {
debug("session_close_by_channel: no session for id %d", id);
return;
struct stat st;
char display[512], auth_display[512];
char hostname[MAXHOSTNAMELEN];
+ u_int i;
if (no_x11_forwarding_flag) {
packet_send_debug("X11 forwarding disabled in user configuration file.");
}
if (x11_create_display_inet(options.x11_display_offset,
options.x11_use_localhost, s->single_connection,
- &s->display_number) == -1) {
+ &s->display_number, &s->x11_chanids) == -1) {
debug("x11_create_display_inet failed.");
return 0;
}
+ for (i = 0; s->x11_chanids[i] != -1; i++) {
+ channel_register_cleanup(s->x11_chanids[i],
+ session_close_single_x11);
+ }
/* Set up a suitable value for the DISPLAY variable. */
if (gethostname(hostname, sizeof(hostname)) < 0)
-/* $OpenBSD: session.h,v 1.23 2004/07/17 05:31:41 dtucker Exp $ */
+/* $OpenBSD: session.h,v 1.25 2005/07/17 06:49:04 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
int single_connection;
/* proto 2 */
int chanid;
+ int *x11_chanids;
int is_subsystem;
- int num_env;
+ u_int num_env;
struct {
char *name;
char *val;
/* XXX: copy between two remote sites */
#include "includes.h"
-RCSID("$OpenBSD: sftp-client.c,v 1.53 2005/03/10 22:01:05 deraadt Exp $");
+RCSID("$OpenBSD: sftp-client.c,v 1.57 2005/07/27 10:39:03 dtucker Exp $");
#include "openbsd-compat/sys-queue.h"
/* Send length first */
PUT_32BIT(mlen, buffer_len(m));
- if (atomicio(vwrite, fd, mlen, sizeof(mlen)) <= 0)
+ if (atomicio(vwrite, fd, mlen, sizeof(mlen)) != sizeof(mlen))
fatal("Couldn't send packet: %s", strerror(errno));
- if (atomicio(vwrite, fd, buffer_ptr(m), buffer_len(m)) <= 0)
+ if (atomicio(vwrite, fd, buffer_ptr(m), buffer_len(m)) != buffer_len(m))
fatal("Couldn't send packet: %s", strerror(errno));
buffer_clear(m);
static void
get_msg(int fd, Buffer *m)
{
- ssize_t len;
u_int msg_len;
buffer_append_space(m, 4);
- len = atomicio(read, fd, buffer_ptr(m), 4);
- if (len == 0)
- fatal("Connection closed");
- else if (len == -1)
- fatal("Couldn't read packet: %s", strerror(errno));
+ if (atomicio(read, fd, buffer_ptr(m), 4) != 4) {
+ if (errno == EPIPE)
+ fatal("Connection closed");
+ else
+ fatal("Couldn't read packet: %s", strerror(errno));
+ }
msg_len = buffer_get_int(m);
if (msg_len > MAX_MSG_LENGTH)
fatal("Received message too long %u", msg_len);
buffer_append_space(m, msg_len);
- len = atomicio(read, fd, buffer_ptr(m), msg_len);
- if (len == 0)
- fatal("Connection closed");
- else if (len == -1)
- fatal("Read packet: %s", strerror(errno));
+ if (atomicio(read, fd, buffer_ptr(m), msg_len) != msg_len) {
+ if (errno == EPIPE)
+ fatal("Connection closed");
+ else
+ fatal("Read packet: %s", strerror(errno));
+ }
}
static void
SFTP_DIRENT ***dir)
{
Buffer msg;
- u_int type, id, handle_len, i, expected_id, ents = 0;
+ u_int count, type, id, handle_len, i, expected_id, ents = 0;
char *handle;
id = conn->msg_id++;
}
for (; !interrupted;) {
- int count;
-
id = expected_id = conn->msg_id++;
debug3("Sending SSH2_FXP_READDIR I:%u", id);
Attrib junk, *a;
Buffer msg;
char *handle;
- int local_fd, status, num_req, max_req, write_error;
+ int local_fd, status = 0, write_error;
int read_error, write_errno;
u_int64_t offset, size;
- u_int handle_len, mode, type, id, buflen;
+ u_int handle_len, mode, type, id, buflen, num_req, max_req;
off_t progress_counter;
struct request {
u_int id;
goto done;
}
debug3("In write loop, ack for %u %u bytes at %llu",
- ack->id, ack->len, (unsigned long long)ack->offset);
+ ack->id, ack->len, (unsigned long long)ack->offset);
++ackid;
xfree(ack);
}
-/* $OpenBSD: sftp-client.h,v 1.13 2004/11/29 07:41:24 djm Exp $ */
+/* $OpenBSD: sftp-client.h,v 1.14 2005/04/26 12:59:02 jmc Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
};
/*
- * Initialiase a SSH filexfer connection. Returns NULL on error or
+ * Initialise a SSH filexfer connection. Returns NULL on error or
* a pointer to a initialized sftp_conn struct on success.
*/
struct sftp_conn *do_init(int, int, u_int, u_int);
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
-RCSID("$OpenBSD: sftp-server.c,v 1.47 2004/06/25 05:38:48 dtucker Exp $");
+RCSID("$OpenBSD: sftp-server.c,v 1.48 2005/06/17 02:44:33 djm Exp $");
#include "buffer.h"
#include "bufaux.h"
static void
handle_init(void)
{
- int i;
+ u_int i;
for (i = 0; i < sizeof(handles)/sizeof(Handle); i++)
handles[i].use = HANDLE_UNUSED;
static int
handle_new(int use, const char *name, int fd, DIR *dirp)
{
- int i;
+ u_int i;
for (i = 0; i < sizeof(handles)/sizeof(Handle); i++) {
if (handles[i].use == HANDLE_UNUSED) {
static int
handle_is_ok(int i, int type)
{
- return i >= 0 && i < sizeof(handles)/sizeof(Handle) &&
+ return i >= 0 && (u_int)i < sizeof(handles)/sizeof(Handle) &&
handles[i].use == type;
}
} else {
/* XXX ATOMICIO ? */
ret = write(fd, data, len);
- if (ret == -1) {
+ if (ret < 0) {
error("process_write: write failed");
status = errno_to_portable(errno);
- } else if (ret == len) {
+ } else if ((size_t)ret == len) {
status = SSH2_FX_OK;
} else {
logit("nothing at all written");
#include "includes.h"
-RCSID("$OpenBSD: sftp.c,v 1.63 2005/03/10 22:01:05 deraadt Exp $");
+RCSID("$OpenBSD: sftp.c,v 1.66 2005/08/08 13:22:48 jaredy Exp $");
#ifdef USE_LIBEDIT
#include <histedit.h>
{
const char *cp = *cpp, *end;
char quot;
- int i, j;
+ u_int i, j;
cp += strspn(cp, WHITESPACE);
if (!*cp) {
static int
do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
{
- int n, c = 1, colspace = 0, columns = 1;
+ int n;
+ u_int c = 1, colspace = 0, columns = 1;
SFTP_DIRENT **d;
if ((n = do_readdir(conn, path, &d)) != 0)
return (n);
if (!(lflag & LS_SHORT_VIEW)) {
- int m = 0, width = 80;
+ u_int m = 0, width = 80;
struct winsize ws;
char *tmp;
int lflag)
{
glob_t g;
- int i, c = 1, colspace = 0, columns = 1;
+ u_int i, c = 1, colspace = 0, columns = 1;
Attrib *a = NULL;
memset(&g, 0, sizeof(g));
}
if (!(lflag & LS_SHORT_VIEW)) {
- int m = 0, width = 80;
+ u_int m = 0, width = 80;
struct winsize ws;
/* Count entries for sort and find longest filename */
char *dir = NULL;
char cmd[2048];
struct sftp_conn *conn;
- int err;
+ int err, interactive;
EditLine *el = NULL;
#ifdef USE_LIBEDIT
History *hl = NULL;
xfree(dir);
}
-#if HAVE_SETVBUF
+#if defined(HAVE_SETVBUF) && !defined(BROKEN_SETVBUF)
setvbuf(stdout, NULL, _IOLBF, 0);
setvbuf(infile, NULL, _IOLBF, 0);
#else
- setlinebuf(stdout);
- setlinebuf(infile);
+ setlinebuf(stdout);
+ setlinebuf(infile);
#endif
+ interactive = !batchmode && isatty(STDIN_FILENO);
err = 0;
for (;;) {
char *cp;
signal(SIGINT, SIG_IGN);
if (el == NULL) {
- printf("sftp> ");
+ if (interactive)
+ printf("sftp> ");
if (fgets(cmd, sizeof(cmd), infile) == NULL) {
- printf("\n");
+ if (interactive)
+ printf("\n");
break;
}
- if (batchmode) /* Echo command */
- printf("%s", cmd);
+ if (!interactive) { /* Echo command */
+ printf("sftp> %s", cmd);
+ if (strlen(cmd) > 0 &&
+ cmd[strlen(cmd) - 1] != '\n')
+ printf("\n");
+ }
} else {
#ifdef USE_LIBEDIT
const char *line;
int count = 0;
- if ((line = el_gets(el, &count)) == NULL || count <= 0)
- break;
+ if ((line = el_gets(el, &count)) == NULL || count <= 0) {
+ printf("\n");
+ break;
+ }
history(hl, &hev, H_ENTER, line);
if (strlcpy(cmd, line, sizeof(cmd)) >= sizeof(cmd)) {
fprintf(stderr, "Error: input line too long\n");
}
xfree(pwd);
+#ifdef USE_LIBEDIT
+ if (el != NULL)
+ el_end(el);
+#endif /* USE_LIBEDIT */
+
/* err == 1 signifies normal "quit" exit */
return (err >= 0 ? 0 : -1);
}
/* Allow "-" as stdin */
if (strcmp(optarg, "-") != 0 &&
- (infile = fopen(optarg, "r")) == NULL)
+ (infile = fopen(optarg, "r")) == NULL)
fatal("%s (%s).", strerror(errno), optarg);
showprogress = 0;
batchmode = 1;
err = interactive_loop(in, out, file1, file2);
#if !defined(USE_PIPES)
- shutdown(in, SHUT_RDWR);
- shutdown(out, SHUT_RDWR);
+ shutdown(in, SHUT_RDWR);
+ shutdown(out, SHUT_RDWR);
#endif
close(in);
-.\" $OpenBSD: ssh-add.1,v 1.42 2005/03/01 17:32:19 jmc Exp $
+.\" $OpenBSD: ssh-add.1,v 1.43 2005/04/21 06:17:50 djm Exp $
.\"
.\" -*- nroff -*-
.\"
adds RSA or DSA identities to the authentication agent,
.Xr ssh-agent 1 .
When run without arguments, it adds the files
-.Pa $HOME/.ssh/id_rsa ,
-.Pa $HOME/.ssh/id_dsa
+.Pa ~/.ssh/id_rsa ,
+.Pa ~/.ssh/id_dsa
and
-.Pa $HOME/.ssh/identity .
+.Pa ~/.ssh/identity .
Alternative file names can be given on the command line.
If any file requires a passphrase,
.Nm
.El
.Sh FILES
.Bl -tag -width Ds
-.It Pa $HOME/.ssh/identity
+.It Pa ~/.ssh/identity
Contains the protocol version 1 RSA authentication identity of the user.
-.It Pa $HOME/.ssh/id_dsa
+.It Pa ~/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of the user.
-.It Pa $HOME/.ssh/id_rsa
+.It Pa ~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of the user.
.El
.Pp
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.71 2005/03/10 22:01:06 deraadt Exp $");
+RCSID("$OpenBSD: ssh-add.c,v 1.72 2005/07/17 07:17:55 djm Exp $");
#include <openssl/evp.h>
/* clear passphrase since it did not work */
clear_pass();
snprintf(msg, sizeof msg, "Enter passphrase for %.200s: ",
- comment);
+ comment);
for (;;) {
pass = read_passphrase(msg, RP_ALLOW_STDIN);
if (strcmp(pass, "") == 0) {
-.\" $OpenBSD: ssh-agent.1,v 1.41 2004/07/11 17:48:47 deraadt Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.42 2005/04/21 06:17:50 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
When executed without arguments,
.Xr ssh-add 1
adds the files
-.Pa $HOME/.ssh/id_rsa ,
-.Pa $HOME/.ssh/id_dsa
+.Pa ~/.ssh/id_rsa ,
+.Pa ~/.ssh/id_dsa
and
-.Pa $HOME/.ssh/identity .
+.Pa ~/.ssh/identity .
If the identity has a passphrase,
.Xr ssh-add 1
asks for the passphrase (using a small X11 application if running
line terminates.
.Sh FILES
.Bl -tag -width Ds
-.It Pa $HOME/.ssh/identity
+.It Pa ~/.ssh/identity
Contains the protocol version 1 RSA authentication identity of the user.
-.It Pa $HOME/.ssh/id_dsa
+.It Pa ~/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of the user.
-.It Pa $HOME/.ssh/id_rsa
+.It Pa ~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of the user.
.It Pa /tmp/ssh-XXXXXXXX/agent.<ppid>
Unix-domain sockets used to contain the connection to the
-.\" $OpenBSD: ssh-keygen.1,v 1.67 2005/03/14 10:09:03 dtucker Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.69 2005/06/08 03:50:00 djm Exp $
.\"
.\" -*- nroff -*-
.\"
Normally each user wishing to use SSH
with RSA or DSA authentication runs this once to create the authentication
key in
-.Pa $HOME/.ssh/identity ,
-.Pa $HOME/.ssh/id_dsa
+.Pa ~/.ssh/identity ,
+.Pa ~/.ssh/id_dsa
or
-.Pa $HOME/.ssh/id_rsa .
+.Pa ~/.ssh/id_rsa .
Additionally, the system administrator may use this to generate host keys,
as seen in
.Pa /etc/rc .
.It Fl b Ar bits
Specifies the number of bits in the key to create.
Minimum is 512 bits.
-Generally, 1024 bits is considered sufficient.
-The default is 1024 bits.
+Generally, 2048 bits is considered sufficient.
+The default is 2048 bits.
.It Fl C Ar comment
Provides a new comment.
.It Fl c
that both ends of a connection share common moduli.
.Sh FILES
.Bl -tag -width Ds
-.It Pa $HOME/.ssh/identity
+.It Pa ~/.ssh/identity
Contains the protocol version 1 RSA authentication identity of the user.
This file should not be readable by anyone but the user.
It is possible to
but it is offered as the default file for the private key.
.Xr ssh 1
will read this file when a login attempt is made.
-.It Pa $HOME/.ssh/identity.pub
+.It Pa ~/.ssh/identity.pub
Contains the protocol version 1 RSA public key for authentication.
The contents of this file should be added to
-.Pa $HOME/.ssh/authorized_keys
+.Pa ~/.ssh/authorized_keys
on all machines
where the user wishes to log in using RSA authentication.
There is no need to keep the contents of this file secret.
-.It Pa $HOME/.ssh/id_dsa
+.It Pa ~/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of the user.
This file should not be readable by anyone but the user.
It is possible to
but it is offered as the default file for the private key.
.Xr ssh 1
will read this file when a login attempt is made.
-.It Pa $HOME/.ssh/id_dsa.pub
+.It Pa ~/.ssh/id_dsa.pub
Contains the protocol version 2 DSA public key for authentication.
The contents of this file should be added to
-.Pa $HOME/.ssh/authorized_keys
+.Pa ~/.ssh/authorized_keys
on all machines
where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret.
-.It Pa $HOME/.ssh/id_rsa
+.It Pa ~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of the user.
This file should not be readable by anyone but the user.
It is possible to
but it is offered as the default file for the private key.
.Xr ssh 1
will read this file when a login attempt is made.
-.It Pa $HOME/.ssh/id_rsa.pub
+.It Pa ~/.ssh/id_rsa.pub
Contains the protocol version 2 RSA public key for authentication.
The contents of this file should be added to
-.Pa $HOME/.ssh/authorized_keys
+.Pa ~/.ssh/authorized_keys
on all machines
where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret.
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.122 2005/03/11 14:59:06 markus Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.128 2005/07/17 07:17:55 djm Exp $");
#include <openssl/evp.h>
#include <openssl/pem.h>
#include "dns.h"
/* Number of bits in the RSA/DSA key. This value can be changed on the command line. */
-int bits = 1024;
+u_int32_t bits = 2048;
/*
* Flag indicating that we just want to change the passphrase. This can be
char hostname[MAXHOSTNAMELEN];
/* moduli.c */
-int gen_candidates(FILE *, int, int, BIGNUM *);
+int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
int prime_test(FILE *, FILE *, u_int32_t, u_int32_t);
static void
fprintf(stderr, "WARNING: %s contains unhashed "
"entries\n", old);
fprintf(stderr, "Delete this file to ensure privacy "
- "of hostnames\n");
+ "of hostnames\n");
}
}
{
fprintf(stderr, "Usage: %s [options]\n", __progname);
fprintf(stderr, "Options:\n");
+ fprintf(stderr, " -a trials Number of trials for screening DH-GEX moduli.\n");
+ fprintf(stderr, " -B Show bubblebabble digest of key file.\n");
fprintf(stderr, " -b bits Number of bits in the key to create.\n");
+ fprintf(stderr, " -C comment Provide new comment.\n");
fprintf(stderr, " -c Change comment in private and public key files.\n");
+#ifdef SMARTCARD
+ fprintf(stderr, " -D reader Download public key from smartcard.\n");
+#endif /* SMARTCARD */
fprintf(stderr, " -e Convert OpenSSH to IETF SECSH key file.\n");
+ fprintf(stderr, " -F hostname Find hostname in known hosts file.\n");
fprintf(stderr, " -f filename Filename of the key file.\n");
+ fprintf(stderr, " -G file Generate candidates for DH-GEX moduli.\n");
fprintf(stderr, " -g Use generic DNS resource record format.\n");
+ fprintf(stderr, " -H Hash names in known_hosts file.\n");
fprintf(stderr, " -i Convert IETF SECSH to OpenSSH key file.\n");
fprintf(stderr, " -l Show fingerprint of key file.\n");
- fprintf(stderr, " -p Change passphrase of private key file.\n");
- fprintf(stderr, " -q Quiet.\n");
- fprintf(stderr, " -y Read private key file and print public key.\n");
- fprintf(stderr, " -t type Specify type of key to create.\n");
- fprintf(stderr, " -B Show bubblebabble digest of key file.\n");
- fprintf(stderr, " -H Hash names in known_hosts file\n");
- fprintf(stderr, " -F hostname Find hostname in known hosts file\n");
- fprintf(stderr, " -C comment Provide new comment.\n");
+ fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n");
fprintf(stderr, " -N phrase Provide new passphrase.\n");
fprintf(stderr, " -P phrase Provide old passphrase.\n");
+ fprintf(stderr, " -p Change passphrase of private key file.\n");
+ fprintf(stderr, " -q Quiet.\n");
+ fprintf(stderr, " -R hostname Remove host from known_hosts file.\n");
fprintf(stderr, " -r hostname Print DNS resource record.\n");
+ fprintf(stderr, " -S start Start point (hex) for generating DH-GEX moduli.\n");
+ fprintf(stderr, " -T file Screen candidates for DH-GEX moduli.\n");
+ fprintf(stderr, " -t type Specify type of key to create.\n");
#ifdef SMARTCARD
- fprintf(stderr, " -D reader Download public key from smartcard.\n");
fprintf(stderr, " -U reader Upload private key to smartcard.\n");
#endif /* SMARTCARD */
-
- fprintf(stderr, " -G file Generate candidates for DH-GEX moduli\n");
- fprintf(stderr, " -T file Screen candidates for DH-GEX moduli\n");
+ fprintf(stderr, " -v Verbose.\n");
+ fprintf(stderr, " -W gen Generator to use for generating DH-GEX moduli.\n");
+ fprintf(stderr, " -y Read private key file and print public key.\n");
exit(1);
}
Key *private, *public;
struct passwd *pw;
struct stat st;
- int opt, type, fd, download = 0, memory = 0;
- int generator_wanted = 0, trials = 100;
+ int opt, type, fd, download = 0;
+ u_int32_t memory = 0, generator_wanted = 0, trials = 100;
int do_gen_candidates = 0, do_screen_candidates = 0;
int log_level = SYSLOG_LEVEL_INFO;
BIGNUM *start = NULL;
FILE *f;
+ const char *errstr;
extern int optind;
extern char *optarg;
"degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
switch (opt) {
case 'b':
- bits = atoi(optarg);
- if (bits < 512 || bits > 32768) {
- printf("Bits has bad value.\n");
- exit(1);
- }
+ bits = strtonum(optarg, 512, 32768, &errstr);
+ if (errstr)
+ fatal("Bits has bad value %s (%s)",
+ optarg, errstr);
break;
case 'F':
find_host = 1;
change_comment = 1;
break;
case 'f':
- strlcpy(identity_file, optarg, sizeof(identity_file));
+ if (strlcpy(identity_file, optarg, sizeof(identity_file)) >=
+ sizeof(identity_file))
+ fatal("Identity filename too long");
have_identity = 1;
break;
case 'g':
rr_hostname = optarg;
break;
case 'W':
- generator_wanted = atoi(optarg);
- if (generator_wanted < 1)
- fatal("Desired generator has bad value.");
+ generator_wanted = strtonum(optarg, 1, UINT_MAX, &errstr);
+ if (errstr)
+ fatal("Desired generator has bad value: %s (%s)",
+ optarg, errstr);
break;
case 'a':
- trials = atoi(optarg);
+ trials = strtonum(optarg, 1, UINT_MAX, &errstr);
+ if (errstr)
+ fatal("Invalid number of trials: %s (%s)",
+ optarg, errstr);
break;
case 'M':
- memory = atoi(optarg);
+ memory = strtonum(optarg, 1, UINT_MAX, &errstr);
+ if (errstr) {
+ fatal("Memory limit is %s: %s", errstr, optarg);
+ }
break;
case 'G':
do_gen_candidates = 1;
- strlcpy(out_file, optarg, sizeof(out_file));
+ if (strlcpy(out_file, optarg, sizeof(out_file)) >=
+ sizeof(out_file))
+ fatal("Output filename too long");
break;
case 'T':
do_screen_candidates = 1;
- strlcpy(out_file, optarg, sizeof(out_file));
+ if (strlcpy(out_file, optarg, sizeof(out_file)) >=
+ sizeof(out_file))
+ fatal("Output filename too long");
break;
case 'S':
/* XXX - also compare length against bits */
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-keyscan.c,v 1.52 2005/03/01 15:47:14 jmc Exp $");
+RCSID("$OpenBSD: ssh-keyscan.c,v 1.55 2005/06/17 02:44:33 djm Exp $");
#include "openbsd-compat/sys-queue.h"
static char *
Linebuf_getline(Linebuf * lb)
{
- int n = 0;
+ size_t n = 0;
void *p;
lb->lineno++;
static void
congreet(int s)
{
- int remote_major = 0, remote_minor = 0, n = 0;
+ int n = 0, remote_major = 0, remote_minor = 0;
char buf[256], *cp;
char remote_version[sizeof buf];
size_t bufsiz;
*cp = '\n';
cp++;
}
- if (n < 0) {
- if (errno != ECONNREFUSED)
- error("read (%s): %s", c->c_name, strerror(errno));
- conrecycle(s);
- return;
- }
if (n == 0) {
- error("%s: Connection closed by remote host", c->c_name);
+ switch (errno) {
+ case EPIPE:
+ error("%s: Connection closed by remote host", c->c_name);
+ break;
+ case ECONNREFUSED:
+ break;
+ default:
+ error("read (%s): %s", c->c_name, strerror(errno));
+ break;
+ }
conrecycle(s);
return;
}
n = snprintf(buf, sizeof buf, "SSH-%d.%d-OpenSSH-keyscan\r\n",
c->c_keytype == KT_RSA1? PROTOCOL_MAJOR_1 : PROTOCOL_MAJOR_2,
c->c_keytype == KT_RSA1? PROTOCOL_MINOR_1 : PROTOCOL_MINOR_2);
- if (atomicio(vwrite, s, buf, n) != n) {
+ if (n < 0 || (size_t)n >= sizeof(buf)) {
+ error("snprintf: buffer too small");
+ confree(s);
+ return;
+ }
+ if (atomicio(vwrite, s, buf, n) != (size_t)n) {
error("write (%s): %s", c->c_name, strerror(errno));
confree(s);
return;
conread(int s)
{
con *c = &fdcon[s];
- int n;
+ size_t n;
if (c->c_status == CS_CON) {
congreet(s);
return;
}
n = atomicio(read, s, c->c_data + c->c_off, c->c_len - c->c_off);
- if (n < 0) {
+ if (n == 0) {
error("read (%s): %s", c->c_name, strerror(errno));
confree(s);
return;
unsigned short tcp_port, char *socket_path)
{
int fd, addr_len, rval, errors;
- char msg[2];
+ u_char msg[2];
struct sockaddr_storage addr;
struct sockaddr_in *addr_in = (struct sockaddr_in *)&addr;
struct sockaddr_un *addr_un = (struct sockaddr_un *)&addr;
if (socket_path != NULL &&
strlen(socket_path) >= sizeof(addr_un->sun_path))
fatal("Random pool path is too long");
- if (len > 255)
- fatal("Too many bytes to read from PRNGD");
+ if (len <= 0 || len > 255)
+ fatal("Too many bytes (%d) to read from PRNGD", len);
memset(&addr, '\0', sizeof(addr));
goto done;
}
- if (atomicio(read, fd, buf, len) != len) {
+ if (atomicio(read, fd, buf, len) != (size_t)len) {
if (errno == EPIPE && errors < 10) {
close(fd);
errors++;
debug3("Time elapsed: %d msec", msec_elapsed);
if (waitpid(pid, &status, 0) == -1) {
- error("Couldn't wait for child '%s' completion: %s",
- src->cmdstring, strerror(errno));
+ error("Couldn't wait for child '%s' completion: %s",
+ src->cmdstring, strerror(errno));
return 0.0;
}
save_errno = errno;
unlink(tmpseed);
fatal("problem renaming PRNG seedfile from %.100s "
- "to %.100s (%.100s)", tmpseed, filename,
+ "to %.100s (%.100s)", tmpseed, filename,
strerror(save_errno));
}
}
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-rsa.c,v 1.31 2003/11/10 16:23:41 jakob Exp $");
+RCSID("$OpenBSD: ssh-rsa.c,v 1.32 2005/06/17 02:44:33 djm Exp $");
#include <openssl/evp.h>
#include <openssl/err.h>
ERR_error_string(ERR_get_error(), NULL));
goto done;
}
- if (len != hlen + oidlen) {
+ if (len < 0 || (u_int)len != hlen + oidlen) {
error("bad decrypted len: %d != %d + %d", len, hlen, oidlen);
goto done;
}
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.205 2005/03/07 23:41:54 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.209 2005/07/06 09:33:05 dtucker Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
.Pa /etc/shosts.equiv
on the remote machine, and the user names are
the same on both sides, or if the files
-.Pa $HOME/.rhosts
+.Pa ~/.rhosts
or
-.Pa $HOME/.shosts
+.Pa ~/.shosts
exist in the user's home directory on the
remote machine and contain a line containing the name of the client
machine and the name of the user on that machine, the user is
host key (see
.Pa /etc/ssh/ssh_known_hosts
and
-.Pa $HOME/.ssh/known_hosts
+.Pa ~/.ssh/known_hosts
in the
.Sx FILES
section), only then is login permitted.
spoofing, DNS spoofing and routing spoofing.
[Note to the administrator:
.Pa /etc/hosts.equiv ,
-.Pa $HOME/.rhosts ,
+.Pa ~/.rhosts ,
and the rlogin/rsh protocol in general, are inherently insecure and should be
disabled if security is desired.]
.Pp
The server knows the public key, and only the user knows the private key.
.Pp
The file
-.Pa $HOME/.ssh/authorized_keys
+.Pa ~/.ssh/authorized_keys
lists the public keys that are permitted for logging in.
When the user logs in, the
.Nm
The user creates his/her RSA key pair by running
.Xr ssh-keygen 1 .
This stores the private key in
-.Pa $HOME/.ssh/identity
+.Pa ~/.ssh/identity
and stores the public key in
-.Pa $HOME/.ssh/identity.pub
+.Pa ~/.ssh/identity.pub
in the user's home directory.
The user should then copy the
.Pa identity.pub
to
-.Pa $HOME/.ssh/authorized_keys
+.Pa ~/.ssh/authorized_keys
in his/her home directory on the remote machine (the
.Pa authorized_keys
file corresponds to the conventional
-.Pa $HOME/.rhosts
+.Pa ~/.rhosts
file, and has one key
per line, though the lines can be very long).
After this, the user can log in without giving the password.
The public key method is similar to RSA authentication described
in the previous section and allows the RSA or DSA algorithm to be used:
The client uses his private key,
-.Pa $HOME/.ssh/id_dsa
+.Pa ~/.ssh/id_dsa
or
-.Pa $HOME/.ssh/id_rsa ,
+.Pa ~/.ssh/id_rsa ,
to sign the session identifier and sends the result to the server.
The server checks whether the matching public key is listed in
-.Pa $HOME/.ssh/authorized_keys
+.Pa ~/.ssh/authorized_keys
and grants access if both the key is found and the signature is correct.
The session identifier is derived from a shared Diffie-Hellman value
and is only known to the client and the server.
automatically maintains and checks a database containing
identifications for all hosts it has ever been used with.
Host keys are stored in
-.Pa $HOME/.ssh/known_hosts
+.Pa ~/.ssh/known_hosts
in the user's home directory.
Additionally, the file
.Pa /etc/ssh/ssh_known_hosts
.It Fl a
Disables forwarding of the authentication agent connection.
.It Fl b Ar bind_address
-Specify the interface to transmit from on machines with multiple
-interfaces or aliased addresses.
+Use
+.Ar bind_address
+on the local machine as the source address
+of the connection.
+Only useful on systems with more than one address.
.It Fl C
Requests compression of all data (including stdin, stdout, stderr, and
data for forwarded X11 and TCP/IP connections).
.Dq aes128-ctr ,
.Dq aes192-ctr ,
.Dq aes256-ctr ,
+.Dq arcfour128 ,
+.Dq arcfour256 ,
.Dq arcfour ,
.Dq blowfish-cbc ,
and
.Dq cast128-cbc .
The default is
.Bd -literal
- ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
- aes192-cbc,aes256-cbc''
+ ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
+ arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
+ aes192-ctr,aes256-ctr''
.Ed
.It Fl D Ar port
Specifies a local
.Pq Pa /etc/ssh/ssh_config
will be ignored.
The default for the per-user configuration file is
-.Pa $HOME/.ssh/config .
+.Pa ~/.ssh/config .
.It Fl f
Requests
.Nm
Selects a file from which the identity (private key) for
RSA or DSA authentication is read.
The default is
-.Pa $HOME/.ssh/identity
+.Pa ~/.ssh/identity
for protocol version 1, and
-.Pa $HOME/.ssh/id_rsa
+.Pa ~/.ssh/id_rsa
and
-.Pa $HOME/.ssh/id_dsa
+.Pa ~/.ssh/id_dsa
for protocol version 2.
Identity files may also be specified on
a per-host basis in the configuration file.
Additionally,
.Nm
reads
-.Pa $HOME/.ssh/environment ,
+.Pa ~/.ssh/environment ,
and adds lines of the format
.Dq VARNAME=value
to the environment if the file exists and if users are allowed to
.Xr sshd_config 5 .
.Sh FILES
.Bl -tag -width Ds
-.It Pa $HOME/.ssh/known_hosts
+.It Pa ~/.ssh/known_hosts
Records host keys for all hosts the user has logged into that are not
in
.Pa /etc/ssh/ssh_known_hosts .
See
.Xr sshd 8 .
-.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa
+.It Pa ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa
Contains the authentication identity of the user.
They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively.
These files
It is possible to specify a passphrase when
generating the key; the passphrase will be used to encrypt the
sensitive part of this file using 3DES.
-.It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub
+.It Pa ~/.ssh/identity.pub, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa.pub
Contains the public key for authentication (public part of the
identity file in human-readable form).
The contents of the
-.Pa $HOME/.ssh/identity.pub
+.Pa ~/.ssh/identity.pub
file should be added to the file
-.Pa $HOME/.ssh/authorized_keys
+.Pa ~/.ssh/authorized_keys
on all machines
where the user wishes to log in using protocol version 1 RSA authentication.
The contents of the
-.Pa $HOME/.ssh/id_dsa.pub
+.Pa ~/.ssh/id_dsa.pub
and
-.Pa $HOME/.ssh/id_rsa.pub
+.Pa ~/.ssh/id_rsa.pub
file should be added to
-.Pa $HOME/.ssh/authorized_keys
+.Pa ~/.ssh/authorized_keys
on all machines
where the user wishes to log in using protocol version 2 DSA/RSA authentication.
These files are not
These files are
never used automatically and are not necessary; they are only provided for
the convenience of the user.
-.It Pa $HOME/.ssh/config
+.It Pa ~/.ssh/config
This is the per-user configuration file.
The file format and configuration options are described in
.Xr ssh_config 5 .
Because of the potential for abuse, this file must have strict permissions:
read/write for the user, and not accessible by others.
-.It Pa $HOME/.ssh/authorized_keys
+.It Pa ~/.ssh/authorized_keys
Lists the public keys (RSA/DSA) that can be used for logging in as this user.
The format of this file is described in the
.Xr sshd 8
By default
.Nm
is not setuid root.
-.It Pa $HOME/.rhosts
+.It Pa ~/.rhosts
This file is used in
.Cm RhostsRSAAuthentication
and
If the server machine does not have the client's host key in
.Pa /etc/ssh/ssh_known_hosts ,
it can be stored in
-.Pa $HOME/.ssh/known_hosts .
+.Pa ~/.ssh/known_hosts .
The easiest way to do this is to
connect back to the client from the server machine using ssh; this
will automatically add the host key to
-.Pa $HOME/.ssh/known_hosts .
-.It Pa $HOME/.shosts
+.Pa ~/.ssh/known_hosts .
+.It Pa ~/.shosts
This file is used exactly the same way as
.Pa .rhosts .
The purpose for
See the
.Xr sshd 8
manual page for more information.
-.It Pa $HOME/.ssh/rc
+.It Pa ~/.ssh/rc
Commands in this file are executed by
.Nm
when the user logs in just before the user's shell (or command) is
See the
.Xr sshd 8
manual page for more information.
-.It Pa $HOME/.ssh/environment
+.It Pa ~/.ssh/environment
Contains additional definitions for environment variables, see section
.Sx ENVIRONMENT
above.
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.234 2005/03/10 22:01:06 deraadt Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.249 2005/07/30 01:26:16 djm Exp $");
#include <openssl/evp.h>
#include <openssl/err.h>
int control_fd = -1;
/* Multiplexing control command */
-static u_int mux_command = SSHMUX_COMMAND_OPEN;
+static u_int mux_command = 0;
/* Only used in control client mode */
volatile sig_atomic_t control_client_terminate = 0;
int dummy;
extern int optind, optreset;
extern char *optarg;
+ struct servent *sp;
Forward fwd;
__progname = ssh_get_progname(av[0]);
}
break;
case 'M':
- options.control_master =
- (options.control_master >= 1) ? 2 : 1;
+ if (options.control_master == SSHCTL_MASTER_YES)
+ options.control_master = SSHCTL_MASTER_ASK;
+ else
+ options.control_master = SSHCTL_MASTER_YES;
break;
case 'p':
options.port = a2port(optarg);
fwd.listen_host = cleanhostname(fwd.listen_host);
} else {
fwd.listen_port = a2port(fwd.listen_host);
- fwd.listen_host = "";
+ fwd.listen_host = NULL;
}
if (fwd.listen_port == 0) {
if (no_tty_flag)
tty_flag = 0;
/* Do not allocate a tty if stdin is not a tty. */
- if (!isatty(fileno(stdin)) && !force_tty_flag) {
+ if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) {
if (tty_flag)
logit("Pseudo-terminal will not be allocated because stdin is not a terminal.");
tty_flag = 0;
*p = tolower(*p);
}
+ /* Get default port if port has not been set. */
+ if (options.port == 0) {
+ sp = getservbyname(SSH_SERVICE_NAME, "tcp");
+ options.port = sp ? ntohs(sp->s_port) : SSH_DEFAULT_PORT;
+ }
+
if (options.proxy_command != NULL &&
strcmp(options.proxy_command, "none") == 0)
options.proxy_command = NULL;
+ if (options.control_path != NULL &&
+ strcmp(options.control_path, "none") == 0)
+ options.control_path = NULL;
if (options.control_path != NULL) {
- options.control_path = tilde_expand_filename(
- options.control_path, original_real_uid);
+ snprintf(buf, sizeof(buf), "%d", options.port);
+ cp = tilde_expand_filename(options.control_path,
+ original_real_uid);
+ options.control_path = percent_expand(cp, "p", buf, "h", host,
+ "r", options.user, (char *)NULL);
+ xfree(cp);
}
- if (options.control_path != NULL && options.control_master == 0)
- control_client(options.control_path); /* This doesn't return */
+ if (mux_command != 0 && options.control_path == NULL)
+ fatal("No ControlPath specified for \"-O\" command");
+ if (options.control_path != NULL)
+ control_client(options.control_path);
/* Open a connection to the remote host. */
if (ssh_connect(host, &hostaddr, options.port,
return exit_status;
}
-#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
-
-static void
-x11_get_proto(char **_proto, char **_data)
-{
- char cmd[1024];
- char line[512];
- char xdisplay[512];
- static char proto[512], data[512];
- FILE *f;
- int got_data = 0, generated = 0, do_unlink = 0, i;
- char *display, *xauthdir, *xauthfile;
- struct stat st;
-
- xauthdir = xauthfile = NULL;
- *_proto = proto;
- *_data = data;
- proto[0] = data[0] = '\0';
-
- if (!options.xauth_location ||
- (stat(options.xauth_location, &st) == -1)) {
- debug("No xauth program.");
- } else {
- if ((display = getenv("DISPLAY")) == NULL) {
- debug("x11_get_proto: DISPLAY not set");
- return;
- }
- /*
- * Handle FamilyLocal case where $DISPLAY does
- * not match an authorization entry. For this we
- * just try "xauth list unix:displaynum.screennum".
- * XXX: "localhost" match to determine FamilyLocal
- * is not perfect.
- */
- if (strncmp(display, "localhost:", 10) == 0) {
- snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
- display + 10);
- display = xdisplay;
- }
- if (options.forward_x11_trusted == 0) {
- xauthdir = xmalloc(MAXPATHLEN);
- xauthfile = xmalloc(MAXPATHLEN);
- strlcpy(xauthdir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN);
- if (mkdtemp(xauthdir) != NULL) {
- do_unlink = 1;
- snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile",
- xauthdir);
- snprintf(cmd, sizeof(cmd),
- "%s -f %s generate %s " SSH_X11_PROTO
- " untrusted timeout 1200 2>" _PATH_DEVNULL,
- options.xauth_location, xauthfile, display);
- debug2("x11_get_proto: %s", cmd);
- if (system(cmd) == 0)
- generated = 1;
- }
- }
- snprintf(cmd, sizeof(cmd),
- "%s %s%s list %s . 2>" _PATH_DEVNULL,
- options.xauth_location,
- generated ? "-f " : "" ,
- generated ? xauthfile : "",
- display);
- debug2("x11_get_proto: %s", cmd);
- f = popen(cmd, "r");
- if (f && fgets(line, sizeof(line), f) &&
- sscanf(line, "%*s %511s %511s", proto, data) == 2)
- got_data = 1;
- if (f)
- pclose(f);
- }
-
- if (do_unlink) {
- unlink(xauthfile);
- rmdir(xauthdir);
- }
- if (xauthdir)
- xfree(xauthdir);
- if (xauthfile)
- xfree(xauthfile);
-
- /*
- * If we didn't get authentication data, just make up some
- * data. The forwarding code will check the validity of the
- * response anyway, and substitute this data. The X11
- * server, however, will ignore this fake data and use
- * whatever authentication mechanisms it was using otherwise
- * for the local connection.
- */
- if (!got_data) {
- u_int32_t rnd = 0;
-
- logit("Warning: No xauth data; "
- "using fake authentication data for X11 forwarding.");
- strlcpy(proto, SSH_X11_PROTO, sizeof proto);
- for (i = 0; i < 16; i++) {
- if (i % 4 == 0)
- rnd = arc4random();
- snprintf(data + 2 * i, sizeof data - 2 * i, "%02x",
- rnd & 0xff);
- rnd >>= 8;
- }
- }
-}
-
static void
ssh_init_forwarding(void)
{
for (i = 0; i < options.num_remote_forwards; i++) {
debug("Remote connections from %.200s:%d forwarded to "
"local address %.200s:%d",
- (options.remote_forwards[i].listen_host == NULL) ?
- (options.gateway_ports ? "*" : "LOCALHOST") :
+ (options.remote_forwards[i].listen_host == NULL) ?
+ (options.gateway_ports ? "*" : "LOCALHOST") :
options.remote_forwards[i].listen_host,
options.remote_forwards[i].listen_port,
options.remote_forwards[i].connect_host,
int have_tty = 0;
struct winsize ws;
char *cp;
+ const char *display;
/* Enable compression if requested. */
if (options.compression) {
packet_disconnect("Protocol error waiting for pty request response.");
}
/* Request X11 forwarding if enabled and DISPLAY is set. */
- if (options.forward_x11 && getenv("DISPLAY") != NULL) {
+ display = getenv("DISPLAY");
+ if (options.forward_x11 && display != NULL) {
char *proto, *data;
/* Get reasonable local authentication information. */
- x11_get_proto(&proto, &data);
+ client_x11_get_proto(display, options.xauth_location,
+ options.forward_x11_trusted, &proto, &data);
/* Request forwarding with authentication spoofing. */
debug("Requesting X11 forwarding with authentication spoofing.");
- x11_request_forwarding_with_spoofing(0, proto, data);
+ x11_request_forwarding_with_spoofing(0, display, proto, data);
/* Read response from the server. */
type = packet_read();
mode_t old_umask;
int addr_len;
- if (options.control_path == NULL || options.control_master <= 0)
+ if (options.control_path == NULL ||
+ options.control_master == SSHCTL_MASTER_NO)
return;
+ debug("setting up multiplex master socket");
+
memset(&addr, '\0', sizeof(addr));
addr.sun_family = AF_UNIX;
addr_len = offsetof(struct sockaddr_un, sun_path) +
ssh_session2_setup(int id, void *arg)
{
extern char **environ;
-
+ const char *display;
int interactive = tty_flag;
- if (options.forward_x11 && getenv("DISPLAY") != NULL) {
+
+ display = getenv("DISPLAY");
+ if (options.forward_x11 && display != NULL) {
char *proto, *data;
/* Get reasonable local authentication information. */
- x11_get_proto(&proto, &data);
+ client_x11_get_proto(display, options.xauth_location,
+ options.forward_x11_trusted, &proto, &data);
/* Request forwarding with authentication spoofing. */
debug("Requesting X11 forwarding with authentication spoofing.");
- x11_request_forwarding_with_spoofing(id, proto, data);
+ x11_request_forwarding_with_spoofing(id, display, proto, data);
interactive = 1;
/* XXX wait for reply */
}
extern char **environ;
u_int flags;
- if (stdin_null_flag) {
- if ((fd = open(_PATH_DEVNULL, O_RDONLY)) == -1)
- fatal("open(/dev/null): %s", strerror(errno));
- if (dup2(fd, STDIN_FILENO) == -1)
- fatal("dup2: %s", strerror(errno));
- if (fd > STDERR_FILENO)
- close(fd);
+ if (mux_command == 0)
+ mux_command = SSHMUX_COMMAND_OPEN;
+
+ switch (options.control_master) {
+ case SSHCTL_MASTER_AUTO:
+ case SSHCTL_MASTER_AUTO_ASK:
+ debug("auto-mux: Trying existing master");
+ /* FALLTHROUGH */
+ case SSHCTL_MASTER_NO:
+ break;
+ default:
+ return;
}
memset(&addr, '\0', sizeof(addr));
if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
fatal("%s socket(): %s", __func__, strerror(errno));
- if (connect(sock, (struct sockaddr*)&addr, addr_len) == -1)
- fatal("Couldn't connect to %s: %s", path, strerror(errno));
+ if (connect(sock, (struct sockaddr*)&addr, addr_len) == -1) {
+ if (mux_command != SSHMUX_COMMAND_OPEN) {
+ fatal("Control socket connect(%.100s): %s", path,
+ strerror(errno));
+ }
+ if (errno == ENOENT)
+ debug("Control socket \"%.100s\" does not exist", path);
+ else {
+ error("Control socket connect(%.100s): %s", path,
+ strerror(errno));
+ }
+ close(sock);
+ return;
+ }
+
+ if (stdin_null_flag) {
+ if ((fd = open(_PATH_DEVNULL, O_RDONLY)) == -1)
+ fatal("open(/dev/null): %s", strerror(errno));
+ if (dup2(fd, STDIN_FILENO) == -1)
+ fatal("dup2: %s", strerror(errno));
+ if (fd > STDERR_FILENO)
+ close(fd);
+ }
- if ((term = getenv("TERM")) == NULL)
- term = "";
+ term = getenv("TERM");
flags = 0;
if (tty_flag)
flags |= SSHMUX_FLAG_TTY;
if (subsystem_flag)
flags |= SSHMUX_FLAG_SUBSYS;
+ if (options.forward_x11)
+ flags |= SSHMUX_FLAG_X11_FWD;
+ if (options.forward_agent)
+ flags |= SSHMUX_FLAG_AGENT_FWD;
buffer_init(&m);
/* Send our command to server */
buffer_put_int(&m, mux_command);
buffer_put_int(&m, flags);
- if (ssh_msg_send(sock, /* version */1, &m) == -1)
+ if (ssh_msg_send(sock, SSHMUX_VER, &m) == -1)
fatal("%s: msg_send", __func__);
buffer_clear(&m);
/* Get authorisation status and PID of controlee */
if (ssh_msg_recv(sock, &m) == -1)
fatal("%s: msg_recv", __func__);
- if (buffer_get_char(&m) != 1)
+ if (buffer_get_char(&m) != SSHMUX_VER)
fatal("%s: wrong version", __func__);
if (buffer_get_int(&m) != 1)
fatal("Connection to master denied");
}
/* SSHMUX_COMMAND_OPEN */
- buffer_put_cstring(&m, term);
+ buffer_put_cstring(&m, term ? term : "");
buffer_append(&command, "\0", 1);
buffer_put_cstring(&m, buffer_ptr(&command));
}
}
- if (ssh_msg_send(sock, /* version */1, &m) == -1)
+ if (ssh_msg_send(sock, SSHMUX_VER, &m) == -1)
fatal("%s: msg_send", __func__);
mm_send_fd(sock, STDIN_FILENO);
buffer_clear(&m);
if (ssh_msg_recv(sock, &m) == -1)
fatal("%s: msg_recv", __func__);
- if (buffer_get_char(&m) != 1)
+ if (buffer_get_char(&m) != SSHMUX_VER)
fatal("%s: wrong version", __func__);
buffer_free(&m);
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.49 2005/03/16 11:10:38 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.61 2005/07/08 12:53:10 jmc Exp $
.Dd September 25, 1999
.Dt SSH_CONFIG 5
.Os
.Nd OpenSSH SSH client configuration files
.Sh SYNOPSIS
.Bl -tag -width Ds -compact
-.It Pa $HOME/.ssh/config
+.It Pa ~/.ssh/config
.It Pa /etc/ssh/ssh_config
.El
.Sh DESCRIPTION
command-line options
.It
user's configuration file
-.Pq Pa $HOME/.ssh/config
+.Pq Pa ~/.ssh/config
.It
system-wide configuration file
.Pq Pa /etc/ssh/ssh_config
The default is
.Dq no .
.It Cm BindAddress
-Specify the interface to transmit from on machines with multiple
-interfaces or aliased addresses.
+Use the specified address on the local machine as the source address of
+the connection.
+Only useful on systems with more than one address.
Note that this option does not work if
.Cm UsePrivilegedPort
is set to
.Dq aes128-ctr ,
.Dq aes192-ctr ,
.Dq aes256-ctr ,
+.Dq arcfour128 ,
+.Dq arcfour256 ,
.Dq arcfour ,
.Dq blowfish-cbc ,
and
.Dq cast128-cbc .
The default is
.Bd -literal
- ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
- aes192-cbc,aes256-cbc''
+ ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
+ arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
+ aes192-ctr,aes256-ctr''
.Ed
.It Cm ClearAllForwardings
Specifies that all local, remote and dynamic port forwardings
program before they are accepted (see
.Xr ssh-add 1
for details).
+If the
+.Cm ControlPath
+can not be opened,
+.Nm ssh
+will continue without connecting to a master instance.
+.Pp
+X11 and
+.Xr ssh-agent 1
+forwarding is supported over these multiplexed connections, however the
+display and agent fowarded will be the one belonging to the master
+connection i.e. it is not possible to forward multiple displays or agents.
+.Pp
+Two additional options allow for opportunistic multiplexing: try to use a
+master connection but fall back to creating a new one if one does not already
+exist.
+These options are:
+.Dq auto
+and
+.Dq autoask .
+The latter requires confirmation like the
+.Dq ask
+option.
.It Cm ControlPath
-Specify the path to the control socket used for connection sharing.
-See
+Specify the path to the control socket used for connection sharing as described
+in the
.Cm ControlMaster
-above.
+section above or the string
+.Dq none
+to disable connection sharing.
+In the path,
+.Ql %h
+will be substituted by the target host name,
+.Ql %p
+the port and
+.Ql %r
+by the remote login username.
+It is recommended that any
+.Cm ControlPath
+used for opportunistic connection sharing include
+all three of these escape sequences.
+This ensures that shared connections are uniquely identified.
.It Cm DynamicForward
Specifies that a TCP/IP port on the local machine be forwarded
over the secure channel, and the application
Indicates that
.Nm ssh
should hash host names and addresses when they are added to
-.Pa $HOME/.ssh/known_hosts .
+.Pa ~/.ssh/known_hosts .
These hashed names may be used normally by
.Nm ssh
and
Specifies a file from which the user's RSA or DSA authentication identity
is read.
The default is
-.Pa $HOME/.ssh/identity
+.Pa ~/.ssh/identity
for protocol version 1, and
-.Pa $HOME/.ssh/id_rsa
+.Pa ~/.ssh/id_rsa
and
-.Pa $HOME/.ssh/id_dsa
+.Pa ~/.ssh/id_dsa
for protocol version 2.
Additionally, any identities represented by the authentication agent
will be used for authentication.
.Cm CheckHostIP
is not available for connects with a proxy command.
.Pp
+This directive is useful in conjunction with
+.Xr nc 1
+and its proxy support.
+For example, the following directive would connect via an HTTP proxy at
+192.0.2.0:
+.Bd -literal -offset 3n
+ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
+.Ed
.It Cm PubkeyAuthentication
Specifies whether to try public key authentication.
The argument to this keyword must be
.Dq yes ,
.Nm ssh
will never automatically add host keys to the
-.Pa $HOME/.ssh/known_hosts
+.Pa ~/.ssh/known_hosts
file, and refuses to connect to hosts whose host key has changed.
This provides maximum protection against trojan horse attacks,
however, can be annoying when the
.It Cm UserKnownHostsFile
Specifies a file to use for the user
host key database instead of
-.Pa $HOME/.ssh/known_hosts .
+.Pa ~/.ssh/known_hosts .
.It Cm VerifyHostKeyDNS
Specifies whether to verify the remote key using DNS and SSHFP resource
records.
.El
.Sh FILES
.Bl -tag -width Ds
-.It Pa $HOME/.ssh/config
+.It Pa ~/.ssh/config
This is the per-user configuration file.
The format of this file is described above.
This file is used by the
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.162 2005/03/10 22:01:06 deraadt Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.168 2005/07/17 07:17:55 djm Exp $");
#include <openssl/bn.h>
static int
ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
{
- Buffer command;
- const char *cp;
- char *command_string;
+ char *command_string, *tmp;
int pin[2], pout[2];
pid_t pid;
char strport[NI_MAXSERV];
+ size_t len;
/* Convert the port number into a string. */
snprintf(strport, sizeof strport, "%hu", port);
* Use "exec" to avoid "sh -c" processes on some platforms
* (e.g. Solaris)
*/
- buffer_init(&command);
- buffer_append(&command, "exec ", 5);
-
- for (cp = proxy_command; *cp; cp++) {
- if (cp[0] == '%' && cp[1] == '%') {
- buffer_append(&command, "%", 1);
- cp++;
- continue;
- }
- if (cp[0] == '%' && cp[1] == 'h') {
- buffer_append(&command, host, strlen(host));
- cp++;
- continue;
- }
- if (cp[0] == '%' && cp[1] == 'p') {
- buffer_append(&command, strport, strlen(strport));
- cp++;
- continue;
- }
- buffer_append(&command, cp, 1);
- }
- buffer_append(&command, "\0", 1);
-
- /* Get the final command string. */
- command_string = buffer_ptr(&command);
+ len = strlen(proxy_command) + 6;
+ tmp = xmalloc(len);
+ strlcpy(tmp, "exec ", len);
+ strlcat(tmp, proxy_command, len);
+ command_string = percent_expand(tmp, "h", host,
+ "p", strport, (char *)NULL);
+ xfree(tmp);
/* Create pipes for communicating with the proxy. */
if (pipe(pin) < 0 || pipe(pout) < 0)
close(pout[1]);
/* Free the command name. */
- buffer_free(&command);
+ xfree(command_string);
/* Set the connection file descriptors. */
packet_set_connection(pout[0], pin[1]);
int sock = -1, attempt;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
struct addrinfo hints, *ai, *aitop;
- struct servent *sp;
debug2("ssh_connect: needpriv %d", needpriv);
- /* Get default port if port has not been set. */
- if (port == 0) {
- sp = getservbyname(SSH_SERVICE_NAME, "tcp");
- if (sp)
- port = ntohs(sp->s_port);
- else
- port = SSH_DEFAULT_PORT;
- }
/* If a proxy command is given, connect using it. */
if (proxy_command != NULL)
return ssh_proxy_connect(host, port, proxy_command);
ssh_exchange_identification(void)
{
char buf[256], remote_version[256]; /* must be same size! */
- int remote_major, remote_minor, i, mismatch;
+ int remote_major, remote_minor, mismatch;
int connection_in = packet_get_connection_in();
int connection_out = packet_get_connection_out();
int minor1 = PROTOCOL_MINOR_1;
+ u_int i;
- /* Read other side\'s version identification. */
+ /* Read other side's version identification. */
for (;;) {
for (i = 0; i < sizeof(buf) - 1; i++) {
- int len = atomicio(read, connection_in, &buf[i], 1);
- if (len < 0)
- fatal("ssh_exchange_identification: read: %.100s", strerror(errno));
- if (len != 1)
+ size_t len = atomicio(read, connection_in, &buf[i], 1);
+
+ if (len != 1 && errno == EPIPE)
fatal("ssh_exchange_identification: Connection closed by remote host");
+ else if (len != 1)
+ fatal("ssh_exchange_identification: read: %.100s", strerror(errno));
if (buf[i] == '\r') {
buf[i] = '\n';
buf[i + 1] = 0;
switch (hostaddr->sa_family) {
case AF_INET:
local = (ntohl(((struct sockaddr_in *)hostaddr)->
- sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
+ sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
salen = sizeof(struct sockaddr_in);
break;
case AF_INET6:
if (show_other_keys(host, host_key))
snprintf(msg1, sizeof(msg1),
- "\nbut keys of different type are already"
- " known for this host.");
+ "\nbut keys of different type are already"
+ " known for this host.");
else
snprintf(msg1, sizeof(msg1), ".");
/* The default */
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.60 2004/07/28 09:40:29 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.61 2005/06/17 02:44:33 djm Exp $");
#include <openssl/bn.h>
#include <openssl/md5.h>
/* Compute the response. */
/* The response is MD5 of decrypted challenge plus session id. */
len = BN_num_bytes(challenge);
- if (len <= 0 || len > sizeof(buf))
+ if (len <= 0 || (u_int)len > sizeof(buf))
packet_disconnect(
"respond_to_rsa_challenge: bad challenge length %d", len);
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.138 2004/06/13 12:53:24 djm Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.142 2005/08/30 22:08:05 djm Exp $");
#include "openbsd-compat/sys-queue.h"
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
if (options.compression) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
- myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib,none";
+ myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none";
} else {
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
- myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib";
+ myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib";
}
if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
input_userauth_error(int type, u_int32_t seq, void *ctxt)
{
fatal("input_userauth_error: bad message during authentication: "
- "type %d", type);
+ "type %d", type);
}
void
{
Gssctxt *gssctxt = NULL;
static gss_OID_set gss_supported = NULL;
- static int mech = 0;
+ static u_int mech = 0;
OM_uint32 min;
int ok = 0;
}
}
- if (!ok) return 0;
+ if (!ok)
+ return 0;
authctxt->methoddata=(void *)gssctxt;
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt = authctxt->methoddata;
gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
- gss_buffer_desc gssbuf, mic;
+ gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc gssbuf;
OM_uint32 status, ms, flags;
Buffer b;
/* Stick it into GSSAPI and see what it says */
status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
- &recv_tok, &send_tok, NULL);
+ &recv_tok, &send_tok, NULL);
xfree(recv_tok.value);
gss_release_buffer(&ms, &send_tok);
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.206 2005/03/01 14:59:49 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.208 2005/06/08 03:50:00 djm Exp $
.Dd September 25, 1999
.Dt SSHD 8
.Os
works as follows:
.Ss SSH protocol version 1
Each host has a host-specific RSA key
-(normally 1024 bits) used to identify the host.
+(normally 2048 bits) used to identify the host.
Additionally, when
the daemon starts, it generates a server RSA key (normally 768 bits).
This key is normally regenerated every hour if it has been used, and
prints last login time and
.Pa /etc/motd
(unless prevented in the configuration file or by
-.Pa $HOME/.hushlogin ;
+.Pa ~/.hushlogin ;
see the
.Sx FILES
section).
Sets up basic environment.
.It
Reads the file
-.Pa $HOME/.ssh/environment ,
+.Pa ~/.ssh/environment ,
if it exists, and users are allowed to change their environment.
See the
.Cm PermitUserEnvironment
Changes to user's home directory.
.It
If
-.Pa $HOME/.ssh/rc
+.Pa ~/.ssh/rc
exists, runs it; else if
.Pa /etc/ssh/sshrc
exists, runs
Runs user's shell or command.
.El
.Sh AUTHORIZED_KEYS FILE FORMAT
-.Pa $HOME/.ssh/authorized_keys
+.Pa ~/.ssh/authorized_keys
is the default file that lists the public keys that are
permitted for RSA authentication in protocol version 1
and for public key authentication (PubkeyAuthentication)
The
.Pa /etc/ssh/ssh_known_hosts
and
-.Pa $HOME/.ssh/known_hosts
+.Pa ~/.ssh/known_hosts
files contain host public keys for all known hosts.
The global file should
be prepared by the administrator (optional), and the per-user file is
concurrently for different ports, this contains the process ID of the one
started last).
The content of this file is not sensitive; it can be world-readable.
-.It Pa $HOME/.ssh/authorized_keys
+.It Pa ~/.ssh/authorized_keys
Lists the public keys (RSA or DSA) that can be used to log into the user's account.
This file must be readable by root (which may on some machines imply
it being world-readable if the user's home directory resides on an NFS
.Pa id_rsa.pub
files into this file, as described in
.Xr ssh-keygen 1 .
-.It Pa "/etc/ssh/ssh_known_hosts", "$HOME/.ssh/known_hosts"
+.It Pa "/etc/ssh/ssh_known_hosts", "~/.ssh/known_hosts"
These files are consulted when using rhosts with RSA host
authentication or protocol version 2 hostbased authentication
to check the public key of the host.
These files should be writable only by root/the owner.
.Pa /etc/ssh/ssh_known_hosts
should be world-readable, and
-.Pa $HOME/.ssh/known_hosts
+.Pa ~/.ssh/known_hosts
can, but need not be, world-readable.
.It Pa /etc/motd
See
.Xr motd 5 .
-.It Pa $HOME/.hushlogin
+.It Pa ~/.hushlogin
This file is used to suppress printing the last login time and
.Pa /etc/motd ,
if
Access controls that should be enforced by tcp-wrappers are defined here.
Further details are described in
.Xr hosts_access 5 .
-.It Pa $HOME/.rhosts
+.It Pa ~/.rhosts
This file is used during
.Cm RhostsRSAAuthentication
and
Either host or user
name may be of the form +@groupname to specify all hosts or all users
in the group.
-.It Pa $HOME/.shosts
+.It Pa ~/.shosts
For ssh,
this file is exactly the same as for
.Pa .rhosts .
.Pa /etc/hosts.equiv .
However, this file may be useful in environments that want to run both
rsh/rlogin and ssh.
-.It Pa $HOME/.ssh/environment
+.It Pa ~/.ssh/environment
This file is read into the environment at login (if it exists).
It can only contain empty lines, comment lines (that start with
.Ql # ) ,
controlled via the
.Cm PermitUserEnvironment
option.
-.It Pa $HOME/.ssh/rc
+.It Pa ~/.ssh/rc
If this file exists, it is run with
.Pa /bin/sh
after reading the
readable by anyone else.
.It Pa /etc/ssh/sshrc
Like
-.Pa $HOME/.ssh/rc .
+.Pa ~/.ssh/rc .
This can be used to specify
machine-specific login-time initializations globally.
This file should be writable only by root, and should be world-readable.
*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.308 2005/02/08 22:24:57 dtucker Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.312 2005/07/25 11:59:40 markus Exp $");
#include <openssl/dh.h>
#include <openssl/bn.h>
static void
sshd_exchange_identification(int sock_in, int sock_out)
{
- int i, mismatch;
+ u_int i;
+ int mismatch;
int remote_major, remote_minor;
int major, minor;
char *s;
/* It is safe now to apply the key state */
monitor_apply_keystate(pmonitor);
+
+ /*
+ * Tell the packet layer that authentication was successful, since
+ * this information is not part of the key state.
+ */
+ packet_set_authenticated();
}
static char *
/*
* Unset KRB5CCNAME, otherwise the user's session may inherit it from
* root's environment
- */
+ */
if (getenv("KRB5CCNAME") != NULL)
unsetenv("KRB5CCNAME");
signal(SIGCHLD, SIG_DFL);
signal(SIGINT, SIG_DFL);
- /* Set SO_KEEPALIVE if requested. */
- if (options.tcp_keep_alive &&
- setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on,
- sizeof(on)) < 0)
- error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
-
/*
* Register our connection. This turns encryption off because we do
* not have a key.
*/
packet_set_connection(sock_in, sock_out);
+ packet_set_server();
- remote_port = get_remote_port();
+ /* Set SO_KEEPALIVE if requested. */
+ if (options.tcp_keep_alive && packet_connection_is_on_socket() &&
+ setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0)
+ error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
+
+ if ((remote_port = get_remote_port()) < 0) {
+ debug("get_remote_port failed");
+ cleanup_exit(255);
+ }
remote_ip = get_remote_ipaddr();
#ifdef SSH_AUDIT_EVENTS
if (!rsafail) {
BN_mask_bits(session_key_int, sizeof(session_key) * 8);
len = BN_num_bytes(session_key_int);
- if (len < 0 || len > sizeof(session_key)) {
+ if (len < 0 || (u_int)len > sizeof(session_key)) {
error("do_connection: bad session key len from %s: "
"session_key_int %d > sizeof(session_key) %lu",
get_remote_ipaddr(), len, (u_long)sizeof(session_key));
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
}
- if (!options.compression) {
+ if (options.compression == COMP_NONE) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
+ } else if (options.compression == COMP_DELAYED) {
+ myproposal[PROPOSAL_COMP_ALGS_CTOS] =
+ myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com";
}
+
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
/* start key exchange */
-# $OpenBSD: sshd_config,v 1.70 2004/12/23 23:11:00 djm Exp $
+# $OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
#ServerKeyBits 768
# Logging
-#obsoletes QuietMode and FascistLogging
+# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
-#Compression yes
+#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.40 2005/03/18 17:05:00 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.44 2005/07/25 11:59:40 markus Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
.Dq aes128-ctr ,
.Dq aes192-ctr ,
.Dq aes256-ctr ,
+.Dq arcfour128 ,
+.Dq arcfour256 ,
.Dq arcfour ,
.Dq blowfish-cbc ,
and
.Dq cast128-cbc .
The default is
.Bd -literal
- ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
- aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr''
+ ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
+ arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
+ aes192-ctr,aes256-ctr''
.Ed
-.It Cm ClientAliveInterval
-Sets a timeout interval in seconds after which if no data has been received
-from the client,
-.Nm sshd
-will send a message through the encrypted
-channel to request a response from the client.
-The default
-is 0, indicating that these messages will not be sent to the client.
-This option applies to protocol version 2 only.
.It Cm ClientAliveCountMax
Sets the number of client alive messages (see above) which may be
sent without
.Cm ClientAliveCountMax
is left at the default, unresponsive ssh clients
will be disconnected after approximately 45 seconds.
+.It Cm ClientAliveInterval
+Sets a timeout interval in seconds after which if no data has been received
+from the client,
+.Nm sshd
+will send a message through the encrypted
+channel to request a response from the client.
+The default
+is 0, indicating that these messages will not be sent to the client.
+This option applies to protocol version 2 only.
.It Cm Compression
-Specifies whether compression is allowed.
+Specifies whether compression is allowed, or delayed until
+the user has authenticated successfully.
The argument must be
-.Dq yes
+.Dq yes ,
+.Dq delayed ,
or
.Dq no .
The default is
-.Dq yes .
+.Dq delayed .
.It Cm DenyGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
Specifies whether
.Nm sshd
should ignore the user's
-.Pa $HOME/.ssh/known_hosts
+.Pa ~/.ssh/known_hosts
during
.Cm RhostsRSAAuthentication
or
if (ioctl(*ttyfd, TIOCSCTTY, NULL) < 0)
error("ioctl(TIOCSCTTY): %.100s", strerror(errno));
#endif /* TIOCSCTTY */
-#ifdef HAVE_NEWS4
+#ifdef NEED_SETPGRP
if (setpgrp(0,0) < 0)
error("SETPGRP %s",strerror(errno));
-#endif /* HAVE_NEWS4 */
+#endif /* NEED_SETPGRP */
#ifdef USE_VHANGUP
old = signal(SIGHUP, SIG_IGN);
vhangup();
}
}
+/*
+ * Encode a special character into SSH line format.
+ */
+static u_int
+special_char_encode(cc_t c)
+{
+#ifdef _POSIX_VDISABLE
+ if (c == _POSIX_VDISABLE)
+ return 255;
+#endif /* _POSIX_VDISABLE */
+ return c;
+}
+
+/*
+ * Decode a special character from SSH line format.
+ */
+static cc_t
+special_char_decode(u_int c)
+{
+#ifdef _POSIX_VDISABLE
+ if (c == 255)
+ return _POSIX_VDISABLE;
+#endif /* _POSIX_VDISABLE */
+ return c;
+}
+
/*
* Encodes terminal modes for the terminal referenced by fd
* or tiop in a portable manner, and appends the modes to a packet
#define TTYCHAR(NAME, OP) \
debug3("tty_make_modes: %d %d", OP, tio.c_cc[NAME]); \
buffer_put_char(&buf, OP); \
- put_arg(&buf, tio.c_cc[NAME]);
+ put_arg(&buf, special_char_encode(tio.c_cc[NAME]));
#define TTYMODE(NAME, FIELD, OP) \
debug3("tty_make_modes: %d %d", OP, ((tio.FIELD & NAME) != 0)); \
#define TTYCHAR(NAME, OP) \
case OP: \
n_bytes += arg_size; \
- tio.c_cc[NAME] = get_arg(); \
+ tio.c_cc[NAME] = special_char_decode(get_arg()); \
debug3("tty_parse_modes: %d %d", OP, tio.c_cc[NAME]); \
break;
#define TTYMODE(NAME, FIELD, OP) \
-/* $OpenBSD: version.h,v 1.44 2005/03/16 21:17:39 markus Exp $ */
+/* $OpenBSD: version.h,v 1.45 2005/08/31 09:28:42 markus Exp $ */
-#define SSH_VERSION "OpenSSH_4.1"
+#define SSH_VERSION "OpenSSH_4.2"
#define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
andersk / gssapi-openssh.git / commitdiff
