+20020522
+ - (djm) Fix spelling mistakes, spotted by Solar Designer i
+ <solar@openwall.com>
+ - Sync scard/ (not sure when it drifted)
+ - (djm) OpenBSD CVS Sync:
+ [auth.c]
+ Fix typo/thinko. Pass in as to auth_approval(), not NULL.
+ Closes PR 2659.
+ - Crank version
+ - Crank RPM spec versions
+
+20020521
+ - (stevesk) [sshd.c] bug 245; disable setsid() for now
+ - (stevesk) [sshd.c] #ifndef HAVE_CYGWIN for setgroups()
+
+20020517
+ - (tim) [configure.ac] remove extra MD5_MSG="no" line.
+
20020515
- (bal) CVS ID fix up on auth-passwd.c
- (bal) OpenBSD CVS Sync
configure supports the following options to change the default
privsep user and chroot directory:
- --with-privsep-path=xxx Path for privilege seperation chroot
+ --with-privsep-path=xxx Path for privilege separation chroot
--with-privsep-user=user Specify non-privileged user for privilege separation
Privsep requires operating system support for file descriptor passing
*/
#include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.42 2002/05/13 20:44:58 markus Exp $");
+RCSID("$OpenBSD: auth.c,v 1.43 2002/05/17 14:27:55 millert Exp $");
#ifdef HAVE_LOGIN_H
#include <login.h>
}
#ifdef BSD_AUTH
if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
- auth_approval(NULL, lc, pw->pw_name, "ssh") <= 0) {
+ auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
debug("Approval failure for %s", user);
pw = NULL;
}
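Review bot: All three failure paths in this condition (auth_open() returning NULL, auth_setpwd() failing, auth_approval() denying) end in the same `debug("Approval failure for %s", user);`, so a BSD auth approval denial is not visible at the default log level and cannot be told apart from a session setup error. I would report the denial at a level operators see and bound the client-supplied name as the other messages on this page do, e.g. `error("Approval failure for %.100s", user);`. Releasing `as` is not visible in this hunk, and the enclosing function starts and ends outside it, so confirm the handle is closed on both the success and failure paths.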
--with-kerberos4=PATH Enable Kerberos 4 support
--with-afs=PATH Enable AFS support
--with-rsh=PATH Specify path to remote shell program
- --with-privsep-path=xxx Path for privilege seperation chroot
+ --with-privsep-path=xxx Path for privilege separation chroot
--with-xauth=PATH Specify path to xauth program
--with-mantype=man|cat|doc Set man page type
--with-md5-passwords Enable use of MD5 passwords
fi
# Set superuser path separately to user path
-MD5_MSG="no"
# Check whether --with-superuser-path or --without-superuser-path was given.
if test "${with_superuser_path+set}" = set; then
m4trace:configure.ac:1944: -1- AC_DEFINE_TRACE_LITERAL([IPADDR_IN_DISPLAY])
m4trace:configure.ac:2021: -1- AC_DEFINE_TRACE_LITERAL([USER_PATH])
m4trace:configure.ac:2022: -1- AC_SUBST([user_path])
-m4trace:configure.ac:2035: -1- AC_DEFINE_TRACE_LITERAL([SUPERUSER_PATH])
-m4trace:configure.ac:2048: -1- AC_DEFINE_TRACE_LITERAL([IPV4_DEFAULT])
-m4trace:configure.ac:2071: -1- AC_DEFINE_TRACE_LITERAL([IPV4_IN_IPV6])
-m4trace:configure.ac:2071: -1- AC_DEFINE_TRACE_LITERAL([IPV4_IN_IPV6])
-m4trace:configure.ac:2083: -1- AC_DEFINE_TRACE_LITERAL([BSD_AUTH])
-m4trace:configure.ac:2101: -1- AC_SUBST([SSHMODE])
-m4trace:configure.ac:2126: -1- AC_DEFINE_TRACE_LITERAL([_PATH_SSH_PIDDIR])
-m4trace:configure.ac:2127: -1- AC_SUBST([piddir])
-m4trace:configure.ac:2133: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LASTLOG])
-m4trace:configure.ac:2137: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
-m4trace:configure.ac:2141: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMPX])
-m4trace:configure.ac:2145: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP])
-m4trace:configure.ac:2149: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMPX])
-m4trace:configure.ac:2153: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LOGIN])
-m4trace:configure.ac:2157: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_PUTUTLINE])
-m4trace:configure.ac:2161: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_PUTUTXLINE])
-m4trace:configure.ac:2171: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LASTLOG])
-m4trace:configure.ac:2233: -1- AC_DEFINE_TRACE_LITERAL([CONF_LASTLOG_FILE])
-m4trace:configure.ac:2258: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
-m4trace:configure.ac:2263: -1- AC_DEFINE_TRACE_LITERAL([CONF_UTMP_FILE])
-m4trace:configure.ac:2288: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP])
-m4trace:configure.ac:2293: -1- AC_DEFINE_TRACE_LITERAL([CONF_WTMP_FILE])
-m4trace:configure.ac:2318: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMPX])
-m4trace:configure.ac:2321: -1- AC_DEFINE_TRACE_LITERAL([CONF_UTMPX_FILE])
-m4trace:configure.ac:2343: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMPX])
-m4trace:configure.ac:2346: -1- AC_DEFINE_TRACE_LITERAL([CONF_WTMPX_FILE])
-m4trace:configure.ac:2364: -1- AC_CONFIG_FILES([Makefile openbsd-compat/Makefile scard/Makefile ssh_prng_cmds])
+m4trace:configure.ac:2034: -1- AC_DEFINE_TRACE_LITERAL([SUPERUSER_PATH])
+m4trace:configure.ac:2047: -1- AC_DEFINE_TRACE_LITERAL([IPV4_DEFAULT])
+m4trace:configure.ac:2070: -1- AC_DEFINE_TRACE_LITERAL([IPV4_IN_IPV6])
+m4trace:configure.ac:2070: -1- AC_DEFINE_TRACE_LITERAL([IPV4_IN_IPV6])
+m4trace:configure.ac:2082: -1- AC_DEFINE_TRACE_LITERAL([BSD_AUTH])
+m4trace:configure.ac:2100: -1- AC_SUBST([SSHMODE])
+m4trace:configure.ac:2125: -1- AC_DEFINE_TRACE_LITERAL([_PATH_SSH_PIDDIR])
+m4trace:configure.ac:2126: -1- AC_SUBST([piddir])
+m4trace:configure.ac:2132: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LASTLOG])
+m4trace:configure.ac:2136: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
+m4trace:configure.ac:2140: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMPX])
+m4trace:configure.ac:2144: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP])
+m4trace:configure.ac:2148: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMPX])
+m4trace:configure.ac:2152: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LOGIN])
+m4trace:configure.ac:2156: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_PUTUTLINE])
+m4trace:configure.ac:2160: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_PUTUTXLINE])
+m4trace:configure.ac:2170: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LASTLOG])
+m4trace:configure.ac:2232: -1- AC_DEFINE_TRACE_LITERAL([CONF_LASTLOG_FILE])
+m4trace:configure.ac:2257: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
+m4trace:configure.ac:2262: -1- AC_DEFINE_TRACE_LITERAL([CONF_UTMP_FILE])
+m4trace:configure.ac:2287: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP])
+m4trace:configure.ac:2292: -1- AC_DEFINE_TRACE_LITERAL([CONF_WTMP_FILE])
+m4trace:configure.ac:2317: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMPX])
+m4trace:configure.ac:2320: -1- AC_DEFINE_TRACE_LITERAL([CONF_UTMPX_FILE])
+m4trace:configure.ac:2342: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMPX])
+m4trace:configure.ac:2345: -1- AC_DEFINE_TRACE_LITERAL([CONF_WTMPX_FILE])
+m4trace:configure.ac:2363: -1- AC_CONFIG_FILES([Makefile openbsd-compat/Makefile scard/Makefile ssh_prng_cmds])
PRIVSEP_PATH=/var/empty
AC_ARG_WITH(privsep-path,
- [ --with-privsep-path=xxx Path for privilege seperation chroot ],
+ [ --with-privsep-path=xxx Path for privilege separation chroot ],
[
if test "x$withval" != "$no" ; then
PRIVSEP_PATH=$withval
fi
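Review bot: The guard `if test "x$withval" != "$no"` compares against the shell variable `$no`, which nothing visible here sets, so the test appears to be true for every value and `--without-privsep-path` (withval `no`) would set PRIVSEP_PATH to the literal `no`. Because this value becomes the privilege separation chroot directory, the comparison should be `if test "x$withval" != "xno" ; then`. The AC_ARG_WITH call continues past the end of the hunk.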
# Set superuser path separately to user path
-MD5_MSG="no"
AC_ARG_WITH(superuser-path,
[ --with-superuser-path= Specify different path for super-user],
[
%define use-stable 1
%if %{use-stable}
- %define version 3.2.2p1
+ %define version 3.2.3p1
%define cvs %{nil}
%define release 1
%else
- %define version 3.2.2
+ %define version 3.2.3
%define cvs cvs20020515
%define release 0r1
%endif
-%define ver 3.2.2p1
+%define ver 3.2.3p1
%define rel 1
# OpenSSH privilege separation requires a user & group ID
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
Name: openssh
-Version: 3.2.2p1
+Version: 3.2.3p1
URL: http://www.openssh.com/
Release: 1
Source0: openssh-%{version}.tar.gz
begin 644 Ssh.bin
-M`P)!%P`501P`;``!`C@"`/Y@\`4`_J'P!0!!%T$;`?Z@\`4`01=!&@'^>/,!
-M`4$701P!_G#S%P'^0],1`?Y@\!0`_G/S'0#^<]4``D$7L`4`_F'3``!!%T$9
-M`?YATP4`_G/5"P7^8=,'`OZAT`$!_J#0$@1!%T$8`0```$$7!`$&`/Y@`;@`
-M`$$8\`H(`$$9\`H``$$:\@\``$$;\B$``$$<\A```/`&__(```0(`!8```9C
-M""T#"<(H+00$*"T%""A;`&19``#P$/_R`P(&`0#(```38`!!70!&$UP`1@09
-M":1+``D*D`!@`"@37`!&!!E6`````*(````$____P````*$````0````*@``
-M`"````"-````,````&H37`!&`QD(2@`)"FX`8``H$UP`1@<9"@#_/2!@`$L1
-M2@`)"F<`8``H$UP`'A-<`$8($1-<`$8(7@!0"!%@`%59"C\`8`!:*PIS:&``
-M6BL37`!&`P,*`(!@`%\K`PH`@&``55D37`!&`P<H$UP`1@0#*`,%8`!565D*
-M;0!@`"A9`/`"__(!`0$)``@```J0`&``*%D`\!/_\@$!`@D`#```8D$7+5\`
-M/"M9````\!+_]@$!`P$`&```$UP`'EX`,D4`#Q-<`!X*`,@)$%X`-P17L`7_
-M\@$!!`(`/```$U\``!-B_J$M7P`%70`*$V+^H"U?``]=`!038OYX+0H$`%\`
-<&5T`'@H$`&``(T4`"0IG`&``*!->`"U9````````
+M`P)!&P`801X`>``!`E@"`/Y@\`4`_J'P!0!!&T$=`?Z@\`4`01M!'`'^>/,!
+M`4$;01X!_G#S%P'^0],1`?Y@\!0`_G/S'0#^<]4``D$;L`4`_F'3``#^8=,%
+M`/ZAT`$!_J#0)P'^H],*`?ZCTPD`_G/5"P7^8=,'`OZAT`H`_J#0$@3^:-,@
+M`T$;`P`%`/Y@`<P``$$<\@\``$$=\B$``$$>\A```/`0__(%`@8!`0H``&``
+M0205!!D)I$L`"0J0`&``*!4$&58``````.P````%____P````.D````0````
+M,P```"````#'````,````(T````R````V!4#&0A*``D*;@!@`"@5!QD*`/\]
+M(6``1A)*``D*9P!@`"@*/P!@`$LK"1)@`$LK!6``4!P$#00#2@`.#01@`%5@
+M`%I@`"@37``>%0@2%0A>`%\($F``9%(`:`H_`&``2RL*<VA@`$LK8`!I"1`U
+M(14#`Q)@`&X<!`T$`TL`"P,28`!D4@`.#01@`%5@`%I@`"A2`"X5`PH$`&``
+M<RL#!6``9%(`'14#"@$"8`!S*P,%8`!D4@`,4@`)"FT`8``H60``\`+_\@$!
+M`0D`"```"I``8``H60#P$__R`0$""0`,``!B01LM7P`\*UD```#P$O_V`0$#
+M`0`8```37``>7@`R10`/$UP`'@H`R`D07@`W!%>P!?_R`0$$`@`\```37P``
+M$V+^H2U?``5=``H38OZ@+5\`#UT`%!-B_G@M"@0`7P`970`>"@0`8``C10`)
+/"F<`8``H$UX`+5D`````
`
end
public class Ssh extends javacard.framework.Applet
{
+ // Change this when the applet changes; hi byte is major, low byte is minor
+ static final short applet_version = (short)0x0102;
+
/* constants declaration */
// code of CLA byte in the command APDU header
static final byte Ssh_CLA =(byte)0x05;
static final byte DECRYPT = (byte) 0x10;
static final byte GET_KEYLENGTH = (byte) 0x20;
static final byte GET_PUBKEY = (byte) 0x30;
+ static final byte GET_VERSION = (byte) 0x32;
static final byte GET_RESPONSE = (byte) 0xc0;
- /* instance variables declaration */
static final short keysize = 1024;
+ static final short root_fid = (short)0x3f00;
+ static final short privkey_fid = (short)0x0012;
+ static final short pubkey_fid = (short)(('s'<<8)|'h');
- //RSA_CRT_PrivateKey rsakey;
+ /* instance variables declaration */
AsymKey rsakey;
CyberflexFile file;
CyberflexOS os;
- byte buffer[];
-
- static byte[] keyHdr = {(byte)0xC2, (byte)0x01, (byte)0x05};
-
private Ssh()
{
file = new CyberflexFile();
// APDU object carries a byte array (buffer) to
// transfer incoming and outgoing APDU header
// and data bytes between card and CAD
- buffer = apdu.getBuffer();
+ byte buffer[] = apdu.getBuffer();
+ short size, st;
// verify that if the applet can accept this
// APDU message
if (buffer[ISO.OFFSET_CLA] != Ssh_CLA)
ISOException.throwIt(ISO.SW_CLA_NOT_SUPPORTED);
//decrypt (apdu);
- short size = (short) (buffer[ISO.OFFSET_LC] & 0x00FF);
+ size = (short) (buffer[ISO.OFFSET_LC] & 0x00FF);
if (apdu.setIncomingAndReceive() != size)
ISOException.throwIt (ISO.SW_WRONG_LENGTH);
+ // check access; depends on bit 2 (x/a)
+ file.selectFile(root_fid);
+ file.selectFile(privkey_fid);
+ st = os.checkAccess(ACL.EXECUTE);
+ if (st != ST.ACCESS_CLEARED) {
+ CyberflexAPDU.prepareSW1SW2(st);
+ ISOException.throwIt(CyberflexAPDU.getSW1SW2());
+ }
+
rsakey.cryptoUpdate (buffer, (short) ISO.OFFSET_CDATA, size,
buffer, (short) ISO.OFFSET_CDATA);
apdu.setOutgoingAndSend ((short) ISO.OFFSET_CDATA, size);
- return;
+ break;
case GET_PUBKEY:
- file.selectFile((short)(0x3f<<8)); // select root
- file.selectFile((short)(('s'<<8)|'h')); // select public key file
- os.readBinaryFile (buffer, (short)0, (short)0, (short)(keysize/8));
- apdu.setOutgoingAndSend((short)0, (short)(keysize/8));
- return;
+ file.selectFile(root_fid); // select root
+ file.selectFile(pubkey_fid); // select public key file
+ size = (short)(file.getFileSize() - 16);
+ st = os.readBinaryFile(buffer, (short)0, (short)0, size);
+ if (st == ST.SUCCESS)
+ apdu.setOutgoingAndSend((short)0, size);
+ else {
+ CyberflexAPDU.prepareSW1SW2(st);
+ ISOException.throwIt(CyberflexAPDU.getSW1SW2());
+ }
+ break;
case GET_KEYLENGTH:
- buffer[0] = (byte)((keysize >> 8) & 0xff);
- buffer[1] = (byte)(keysize & 0xff);
+ Util.setShort(buffer, (short)0, keysize);
+ apdu.setOutgoingAndSend ((short)0, (short)2);
+ break;
+ case GET_VERSION:
+ Util.setShort(buffer, (short)0, applet_version);
apdu.setOutgoingAndSend ((short)0, (short)2);
- return;
+ break;
case GET_RESPONSE:
- return;
+ break;
default:
ISOException.throwIt (ISO.SW_INS_NOT_SUPPORTED);
}
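Review bot: In GET_PUBKEY, `size = (short)(file.getFileSize() - 16);` is passed straight to readBinaryFile() and setOutgoingAndSend() as a length into the APDU buffer, with no check that it is positive or fits the buffer, so a short or oversized key file gives a negative or overlong transfer. A guard before the read such as `if (size <= 0 || size > (short)buffer.length) ISOException.throwIt(ISO.SW_WRONG_LENGTH);`, plus a comment saying what the 16 bytes are, would cover this. In DECRYPT the results of the two selectFile() calls are discarded before `os.checkAccess(ACL.EXECUTE)`; if a select can fail, the access check may run against whichever file was selected before, which is worth confirming against the Cyberflex API. The method containing the switch starts outside the visible lines.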
if (test_flag)
exit(0);
+#ifndef HAVE_CYGWIN
/*
* Clear out any supplemental groups we may have inherited. This
* prevents inadvertent creation of files with bad modes (in the
*/
if (setgroups(0, NULL) < 0)
debug("setgroups() failed: %.200s", strerror(errno));
+#endif /* !HAVE_CYGWIN */
/* Initialize the log (it is reinitialized below in case we forked). */
if (debug_flag && !inetd_flag)
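Review bot: The new `#ifndef HAVE_CYGWIN` guard gives no reason why Cygwin keeps its inherited supplemental groups, while the comment it wraps says clearing them prevents files being created with bad modes. I would add a line above the guard such as `/* Cygwin: setgroups() skipped because <reason>; inherited groups are kept */` so the exception is a documented decision. On the platforms that still run the call, a failure is reported only through `debug(...)` and startup continues with the inherited groups; `error("setgroups() failed: %.200s", strerror(errno));` would make that visible. The enclosing function starts and ends outside the hunk.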
* setlogin() affects the entire process group. We don't
* want the child to be able to affect the parent.
*/
+#if 0
+ /* XXX: this breaks Solaris */
if (setsid() < 0)
error("setsid: %.100s", strerror(errno));
+#endif
/*
* Disable the key regeneration alarm. We will not regenerate the
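Review bot: `#if 0` removes the setsid() call on every platform, although the added comment attributes the breakage to Solaris only, and the comment just above still says the child must not be able to affect the parent through setlogin()'s process-group scope. I would narrow this to the affected platform with a configure-set macro, e.g. `#ifndef SETSID_BROKEN_PLACEHOLDER /* placeholder name: define in configure for Solaris */`, so other systems keep the session separation. If the call has to stay disabled everywhere for now (the ChangeLog ties this to bug 245), the comment should state that the isolation it describes is currently not in effect. The enclosing function continues outside the hunk.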
-/* $OpenBSD: version.h,v 1.31 2002/05/15 21:05:29 markus Exp $ */
+/* $OpenBSD: version.h,v 1.32 2002/05/17 14:57:40 markus Exp $ */
-#define SSH_VERSION "OpenSSH_3.2.2p1"
+#define SSH_VERSION "OpenSSH_3.2.3p1"