Alain St-Denis <Alain.St-Denis@ec.gc.ca> - Irix fix
Alexandre Oliva <oliva@lsd.ic.unicamp.br> - AIX fixes
-Andre Lucas <andre.lucas@dial.pipex.com> - new login code, many fixes
+Andre Lucas <andre@ae-35.com> - new login code, many fixes
Andreas Steinmetz <ast@domdv.de> - Shadow password expiry support
Andrew McGill <andrewm@datrix.co.za> - SCO fixes
Andrew Morgan <morgan@transmeta.com> - PAM bugfixes
+20030429
+ - (djm) Add back radix.o (used by AFS support), after it went missing from
+ Makefile many moons ago
+ - (djm) Apply "owl-always-auth" patch from Openwall/Solar Designer
+ - (djm) Fix blibpath specification for AIX/gcc
+ - (djm) Some systems have basename in -lgen. Fix from ayamura@ayamura.org
+
20030401
- (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2003/03/28 10:11:43
LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \
cipher.o compat.o compress.o crc32.o deattack.o fatal.o \
- hostfile.o log.o match.o mpaux.o nchan.o packet.o readpass.o \
+ hostfile.o log.o match.o mpaux.o nchan.o packet.o radix.o readpass.o \
rsa.o tildexpand.o ttymodes.o xmalloc.o atomicio.o \
key.o dispatch.o kex.o mac.o uuencode.o misc.o \
rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \
}
}
-/* Attempt password authentation using PAM */
+/* Attempt password authentication using PAM */
int auth_pam_password(Authctxt *authctxt, const char *password)
{
extern ServerOptions options;
pamstate = INITIAL_LOGIN;
pam_retval = do_pam_authenticate(
options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
- if (pam_retval == PAM_SUCCESS) {
- debug("PAM Password authentication accepted for "
- "user \"%.100s\"", pw->pw_name);
+ if (pam_retval == PAM_SUCCESS && pw) {
+ debug("PAM password authentication accepted for "
+ "%.100s", pw->pw_name);
return 1;
} else {
- debug("PAM Password authentication for \"%.100s\" "
- "failed[%d]: %s", pw->pw_name, pam_retval,
+ debug("PAM password authentication failed for "
+ "%.100s: %s", pw ? pw->pw_name : "an illegal user",
PAM_STRERROR(__pamh, pam_retval));
return 0;
}
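Review bot: When do_pam_authenticate() returns PAM_SUCCESS but pw is NULL, the new `&& pw` on the success branch sends control into the `else`, which then logs "PAM password authentication failed for an illegal user: " followed by PAM_STRERROR() of a success code — a misleading debug line for exactly the case the check was added to handle. Consider handling that case explicitly between the two existing branches, e.g. `} else if (pam_retval == PAM_SUCCESS) { debug("PAM password authentication succeeded for an illegal user; rejecting"); return 0; }`, which keeps the return value unchanged and only fixes the log text. The function body continues past the end of the hunk.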
auth_password(Authctxt *authctxt, const char *password)
{
struct passwd * pw = authctxt->pw;
+ int ok = authctxt->valid;
#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
char *encrypted_password;
char *pw_password;
/* deny if no user. */
if (pw == NULL)
- return 0;
+ ok = 0;
#ifndef HAVE_CYGWIN
- if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
- return 0;
+ if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
+ ok = 0;
#endif
if (*password == '\0' && options.permit_empty_passwd == 0)
- return 0;
+ ok = 0;
#if defined(USE_PAM)
- return auth_pam_password(authctxt, password);
+ return auth_pam_password(authctxt, password) && ok;
#elif defined(HAVE_OSF_SIA)
+ if (!ok)
+ return 0;
return auth_sia_password(authctxt, password);
#else
+ if (!ok)
+ return 0;
# ifdef KRB5
if (options.kerberos_authentication == 1) {
int ret = auth_krb5_password(authctxt, password);
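Review bot: The `#else` branch still leaves via the new `if (!ok) return 0;` before `# ifdef KRB5`, i.e. before any password verification, so on builds without PAM or SIA an unknown user, a root login with permit_root_login off, or an empty password still takes a visibly shorter path than a wrong password; only the USE_PAM branch, `return auth_pam_password(authctxt, password) && ok;`, runs the backend every time and merely gates the result. If `ok` is meant to make every outcome do the same amount of work, the `#else` branch would have to defer that test until after the crypt()/Kerberos comparison, which lies past the end of this hunk, so I cannot propose the exact lines here; whether it matters also depends on what authctxt->pw holds for an unknown user, which the hunk does not show. At minimum the flag deserves a comment on `int ok = authctxt->valid;`, e.g. `/* Run the backend check regardless; `ok' only decides whether a success is honoured (not yet true of the non-PAM branch). */`.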
Gssctxt *gssctxt;
gss_buffer_desc send_tok,recv_tok;
OM_uint32 maj_status, min_status;
- int len;
+ u_int len;
if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
fatal("No authentication or GSSAPI context");
gssctxt=authctxt->methoddata;
recv_tok.value=packet_get_string(&len);
- recv_tok.length=len; /* int vs. size_t */
+ recv_tok.length=len; /* u_int vs. size_t */
maj_status=PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
&send_tok, NULL));
if (check_nt_auth(1, authctxt->pw) == 0)
return(0);
#endif
- return (authctxt->valid ? PRIVSEP(auth_password(authctxt, "")) : 0);
+ return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid;
}
Authmethod method_none = {
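Review bot: The `check_nt_auth(1, authctxt->pw) == 0` early return two lines above the changed `return` still fires before auth_password() is called, so on Cygwin the none method still short-circuits for users that check_nt_auth() rejects even though the reordered expression `PRIVSEP(auth_password(authctxt, "")) && authctxt->valid` was written to run the password check first. The parallel change in auth2-passwd.c evaluates check_nt_auth() only after auth_password(), so the two methods now disagree. The `#endif` suggests the early return sits in an `#ifdef HAVE_CYGWIN` block whose opening, like the start of the function, is outside the hunk; moving the NT check after the password call keeps both methods consistent:
```c
	int ok;	/* add to the function's locals */
	/* … unchanged: method prologue … */
	ok = PRIVSEP(auth_password(authctxt, ""));
#ifdef HAVE_CYGWIN
	if (check_nt_auth(1, authctxt->pw) == 0)
		return (0);
#endif
	return (ok && authctxt->valid);
```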
log("password change not supported");
password = packet_get_string(&len);
packet_check_eom();
- if (authctxt->valid &&
+ if (PRIVSEP(auth_password(authctxt, password)) == 1 && authctxt->valid
#ifdef HAVE_CYGWIN
- check_nt_auth(1, authctxt->pw) &&
+ && check_nt_auth(1, authctxt->pw)
#endif
- PRIVSEP(auth_password(authctxt, password)) == 1)
+ )
authenticated = 1;
memset(password, 0, len);
xfree(password);
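Review bot: The rewritten condition spreads a single `if` across the `#ifdef HAVE_CYGWIN` block and leaves a lone `)` on its own line after the `#endif`, which is easy to misread and easy to break the next time the Cygwin clause is edited. Since `authenticated` is only ever set to 1 here, computing it in two steps reads more clearly and keeps the preprocessor block self-contained (assuming `authenticated` starts at 0, as the `authenticated = 1` form implies — its declaration is outside the hunk). The short-circuit order is preserved: check_nt_auth() still runs only after a successful, valid password check.
```c
	authenticated = PRIVSEP(auth_password(authctxt, password)) == 1 &&
	    authctxt->valid;
#ifdef HAVE_CYGWIN
	if (authenticated && check_nt_auth(1, authctxt->pw) == 0)
		authenticated = 0;
#endif
	memset(password, 0, len);
```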
AFS_LIBS="-lld"
CPPFLAGS="$CPPFLAGS -I/usr/local/include"
LDFLAGS="$LDFLAGS -L/usr/local/lib"
- if (test "$LD" != "gcc" && test -z "$blibpath"); then
- AC_MSG_CHECKING([if linkage editor ($LD) accepts -blibpath])
- saved_LDFLAGS="$LDFLAGS"
- LDFLAGS="$LDFLAGS -blibpath:/usr/lib:/lib:/usr/local/lib"
- AC_TRY_LINK([],
- [],
- [
- AC_MSG_RESULT(yes)
- blibpath="/usr/lib:/lib:/usr/local/lib"
- ],
- [ AC_MSG_RESULT(no) ]
- )
- LDFLAGS="$saved_LDFLAGS"
+ AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
+ if (test -z "$blibpath"); then
+ blibpath="/usr/lib:/lib:/usr/local/lib"
fi
+ saved_LDFLAGS="$LDFLAGS"
+ for tryflags in -blibpath: -Wl,-blibpath: -Wl,-rpath, ;do
+ if (test -z "$blibflags"); then
+ LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
+ AC_TRY_LINK([], [], [blibflags=$tryflags])
+ fi
+ done
+ if (test -z "$blibflags"); then
+ AC_MSG_RESULT(not found)
+ AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
+ else
+ AC_MSG_RESULT($blibflags)
+ fi
+ LDFLAGS="$saved_LDFLAGS"
AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)],
[AC_CHECK_LIB(s,authenticate,
[ AC_DEFINE(WITH_AIXAUTHENTICATE)
)
AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP))
+AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME))
dnl IRIX has basename() in libgen
AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME))
if test ! -z "$blibpath" ; then
- LDFLAGS="$LDFLAGS -blibpath:$blibpath"
- AC_MSG_WARN([Please check and edit -blibpath in LDFLAGS in Makefile])
+ LDFLAGS="$LDFLAGS $blibflags$blibpath"
+ AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
fi
dnl remove pam and dl because they are in $LIBPAM
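Review bot: The added `AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME))` after the nanosleep check is identical to the existing line two lines below it under `dnl IRIX has basename() in libgen`, so unless that context belongs to a different part of the file than the rendering suggests, the new line is a duplicate and one of the two should be dropped. In the AIX block, `blibflags` is tested with `test -z` inside the loop but never initialised first, so a `blibflags` value inherited from the environment would skip the probe and be spliced into LDFLAGS unchecked; add `blibflags=""` before the `for tryflags in -blibpath: -Wl,-blibpath: -Wl,-rpath, ;do` line. The candidates in that loop deliberately end in `:` or `,` so that `$tryflags$blibpath` joins correctly, which is worth a one-line `dnl` comment above the loop since a later editor is likely to "fix" the trailing comma.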
#old cvs stuff. please update before use. may be deprecated.
%define use_stable 1
%if %{use_stable}
- %define version 3.6.1p1
+ %define version 3.6.1p2
%define cvs %{nil}
%define release 2
%else
-%define ver 3.6.1p1
+%define ver 3.6.1p2
%define rel 1
# OpenSSH privilege separation requires a user & group ID
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
Name: openssh
-Version: 3.6.1p1
+Version: 3.6.1p2
URL: http://www.openssh.com/
Release: 1
Source0: openssh-%{version}.tar.gz
Buffer peer;
int done;
int flags;
- char *host;
char *client_version_string;
char *server_version_string;
struct KexOptions options;
#include "log.h"
#include "packet.h"
#include "dh.h"
+#include "canohost.h"
#include "ssh2.h"
#include "ssh-gss.h"
-#include "canohost.h"
void
kexgss_client(Kex *kex)
char *lang;
int type = 0;
int first = 1;
- int slen = 0, strlen;
+ int slen = 0;
+ u_int strlen;
/* Initialise our GSSAPI world */
ssh_gssapi_build_ctx(&ctxt);
if (ssh_gssapi_client_id_kex(ctxt,kex->name)==NULL) {
fatal("Couldn't identify host exchange");
}
+
if (ssh_gssapi_import_name(ctxt,get_canonical_hostname(1))) {
fatal("Couldn't import hostname ");
}
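Review bot: The retyped declaration `u_int strlen;` keeps a local named after the libc function strlen(), which shadows it for the rest of kexgss_client() and is confusing next to `int slen`. Since the hunk is already touching the declaration, rename it, e.g. `u_int tlen;`, and update the three `packet_get_string(&strlen)` call sites and their `recv_tok.length=strlen;` / `msg_tok.length=strlen;` assignments later in the function (the later hunks that only change the `/* u_int vs. size_t */` comments). The function body continues past the end of this hunk.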
if (GSS_ERROR(maj_status)) {
if (send_tok.length!=0) {
- /* Hmmm - not sure about this */
packet_start(SSH2_MSG_KEXGSS_CONTINUE);
packet_put_string(send_tok.value,
send_tok.length);
if (maj_status == GSS_S_COMPLETE)
fatal("GSSAPI Continue received from server when complete");
recv_tok.value=packet_get_string(&strlen);
- recv_tok.length=strlen; /* int vs. size_t */
+ recv_tok.length=strlen; /* u_int vs. size_t */
break;
case SSH2_MSG_KEXGSS_COMPLETE:
debug("Received GSSAPI_COMPLETE");
packet_get_bignum2(dh_server_pub);
msg_tok.value=packet_get_string(&strlen);
- msg_tok.length=strlen; /* int vs. size_t */
+ msg_tok.length=strlen; /* u_int vs. size_t */
/* Is there a token included? */
if (packet_get_char()) {
recv_tok.value=
packet_get_string(&strlen);
- recv_tok.length=strlen; /*int/size_t*/
+ recv_tok.length=strlen; /*u_int/size_t*/
/* If we're already complete - protocol error */
if (maj_status == GSS_S_COMPLETE)
packet_disconnect("Protocol error: received token when complete");
passwd = buffer_get_string(m, &plen);
/* Only authenticate if the context is valid */
authenticated = options.password_authentication &&
- authctxt->valid && auth_password(authctxt, passwd);
+ auth_password(authctxt, passwd) && authctxt->valid;
memset(passwd, 0, strlen(passwd));
xfree(passwd);
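Review bot: The comment `/* Only authenticate if the context is valid */` above the changed line is now wrong: auth_password() is called whenever password_authentication is on, and `authctxt->valid` only decides whether its result is honoured. Replace it with something like `/* Always run the password check; only honour the result for a valid context */`, so the deliberate operand order — which matches the auth2-passwd.c and auth2-none.c changes in this commit — is not "fixed" back later. The enclosing function starts before the hunk.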
mm_answer_gss_setup_ctx(int socket, Buffer *m) {
gss_OID_desc oid;
OM_uint32 major;
- int len;
+ u_int len;
oid.elements=buffer_get_string(m,&len);
oid.length=len;
int authenticated = 0;
buffer_init(&m);
+
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, &m);
-
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUSEROK,
&m);
OM_uint32 major,minor;
int count;
gss_OID_desc oid;
+ u_int length;
+
buffer_init(&m);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSMECHS, &m);
gss_create_empty_oid_set(&minor,mech_set);
while(count-->0) {
- u_int length;
oid.elements=buffer_get_string(&m,&length);
oid.length=length;
gss_add_oid_set_member(&minor,&oid,mech_set);
#include <gssapi_generic.h>
/* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */
-
#ifndef GSS_C_NT_HOSTBASED_SERVICE
#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
#endif /* GSS_C_NT_... */
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
kex->verify_host_key=&verify_host_key_callback;
- kex->host=host;
#ifdef GSSAPI
kex->options.gss_deleg_creds=options.gss_deleg_creds;
#endif
/* $OpenBSD: version.h,v 1.37 2003/04/01 10:56:46 markus Exp $ */
-#define SSH_VERSION "OpenSSH_3.6.1p1"
+#define SSH_VERSION "OpenSSH_3.6.1p2"