+20020622
+ - (djm) Update README.privsep; spotted by fries@
+ - (djm) Release 3.3p1
+
+20020621
+ - (djm) Sync:
+ - djm@cvs.openbsd.org 2002/06/21 05:50:51
+ [monitor.c]
+ Don't initialise compression buffers when compression=no in sshd_config;
+ ok Niels@
+ - ID sync for auth-passwd.c
+ - (djm) Warn and disable compression on platforms which can't handle both
+ useprivilegeseparation=yes and compression=yes
+ - (djm) contrib/redhat/openssh.spec hacking:
+ - Merge in spec changes from seba@iq.pl (Sebastian Pachuta)
+ - Add new {ssh,sshd}_config.5 manpages
+ - Add new ssh-keysign program and remove setuid from ssh client
+
+20020620
+ - (bal) Fixed AIX environment handling, use setpcred() instead of existing
+ code. (Bugzilla Bug 261)
+ - (bal) OpenBSD CVS Sync
+ - todd@cvs.openbsd.org 2002/06/14 21:35:00
+ [monitor_wrap.c]
+ spelling; from Brian Poole <raj@cerias.purdue.edu>
+ - markus@cvs.openbsd.org 2002/06/15 00:01:36
+ [authfd.c authfd.h ssh-add.c ssh-agent.c]
+ break agent key lifetime protocol and allow other contraints for key
+ usage.
+ - markus@cvs.openbsd.org 2002/06/15 00:07:38
+ [authfd.c authfd.h ssh-add.c ssh-agent.c]
+ fix stupid typo
+ - markus@cvs.openbsd.org 2002/06/15 01:27:48
+ [authfd.c authfd.h ssh-add.c ssh-agent.c]
+ remove the CONSTRAIN_IDENTITY messages and introduce a new
+ ADD_ID message with contraints instead. contraints can be
+ only added together with the private key.
+ - itojun@cvs.openbsd.org 2002/06/16 21:30:58
+ [ssh-keyscan.c]
+ use TAILQ_xx macro. from lukem@netbsd. markus ok
+ - deraadt@cvs.openbsd.org 2002/06/17 06:05:56
+ [scp.c]
+ make usage like man page
+ - deraadt@cvs.openbsd.org 2002/06/19 00:27:55
+ [auth-bsdauth.c auth-skey.c auth1.c auth2-chall.c auth2-none.c authfd.c
+ authfd.h monitor_wrap.c msg.c nchan.c radix.c readconf.c scp.c sftp.1
+ ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c
+ ssh-keysign.c ssh.1 sshconnect.c sshconnect.h sshconnect2.c ttymodes.c
+ xmalloc.h]
+ KNF done automatically while reading....
+ - markus@cvs.openbsd.org 2002/06/19 18:01:00
+ [cipher.c monitor.c monitor_wrap.c packet.c packet.h]
+ make the monitor sync the transfer ssh1 session key;
+ transfer keycontext only for RC4 (this is still depends on EVP
+ implementation details and is broken).
+ - stevesk@cvs.openbsd.org 2002/06/20 19:56:07
+ [ssh.1 sshd.8]
+ move configuration file options from ssh.1/sshd.8 to
+ ssh_config.5/sshd_config.5; ok deraadt@ millert@
+ - stevesk@cvs.openbsd.org 2002/06/20 20:00:05
+ [scp.1 sftp.1]
+ ssh_config(5)
+ - stevesk@cvs.openbsd.org 2002/06/20 20:03:34
+ [ssh_config sshd_config]
+ refer to config file man page
+ - markus@cvs.openbsd.org 2002/06/20 23:05:56
+ [servconf.c servconf.h session.c sshd.c]
+ allow Compression=yes/no in sshd_config
+ - markus@cvs.openbsd.org 2002/06/20 23:37:12
+ [sshd_config]
+ add Compression
+ - stevesk@cvs.openbsd.org 2002/05/25 20:40:08
+ [LICENCE]
+ missed Per Allansson (auth2-chall.c)
+ - (bal) Cygwin special handling of empty passwords wrong. Patch by
+ vinschen@redhat.com
+ - (bal) Missed integrating ssh_config.5 and sshd_config.5
+ - (bal) Still more Makefile.in updates for ssh{d}_config.5
+
+20020613
+ - (bal) typo of setgroup for cygwin. Patch by vinschen@redhat.com
+
+20020612
+ - (bal) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2002/06/11 23:03:54
+ [ssh.c]
+ remove unused cruft.
+ - markus@cvs.openbsd.org 2002/06/12 01:09:52
+ [ssh.c]
+ ssh_connect returns 0 on success
+ - (bal) Build noop setgroups() for cygwin to clean up code (For other
+ platforms without the setgroups() requirement, you MUST define
+ SETGROUPS_NOOP in the configure.ac) Based on patch by vinschen@redhat.com
+ - (bal) Some platforms don't have ONLCR (Notable Mint)
+
+20020611
+ - (bal) ssh-agent.c RCSD fix (|unexpand already done)
+ - (bal) OpenBSD CVS Sync
+ - stevesk@cvs.openbsd.org 2002/06/09 22:15:15
+ [ssh.1]
+ update for no setuid root and ssh-keysign; ok deraadt@
+ - itojun@cvs.openbsd.org 2002/06/09 22:17:21
+ [sshconnect.c]
+ pass salen to sockaddr_ntop so that we are happy on linux/solaris
+ - stevesk@cvs.openbsd.org 2002/06/10 16:53:06
+ [auth-rsa.c ssh-rsa.c]
+ display minimum RSA modulus in error(); ok markus@
+ - stevesk@cvs.openbsd.org 2002/06/10 16:56:30
+ [ssh-keysign.8]
+ merge in stuff from my man page; ok markus@
+ - stevesk@cvs.openbsd.org 2002/06/10 17:36:23
+ [ssh-add.1 ssh-add.c]
+ use convtime() to parse and validate key lifetime. can now
+ use '-t 2h' etc. ok markus@ provos@
+ - stevesk@cvs.openbsd.org 2002/06/10 17:45:20
+ [readconf.c ssh.1]
+ change RhostsRSAAuthentication and RhostsAuthentication default to no
+ since ssh is no longer setuid root by default; ok markus@
+ - stevesk@cvs.openbsd.org 2002/06/10 21:21:10
+ [ssh_config]
+ update defaults for RhostsRSAAuthentication and RhostsAuthentication
+ here too (all options commented out with default value).
+ - markus@cvs.openbsd.org 2002/06/10 22:28:41
+ [channels.c channels.h session.c]
+ move creation of agent socket to session.c; no need for uidswapping
+ in channel.c.
+ - markus@cvs.openbsd.org 2002/06/11 04:14:26
+ [ssh.c sshconnect.c sshconnect.h]
+ no longer use uidswap.[ch] from the ssh client
+ run less code with euid==0 if ssh is installed setuid root
+ just switch the euid, don't switch the complete set of groups
+ (this is only needed by sshd). ok provos@
+ - mpech@cvs.openbsd.org 2002/06/11 05:46:20
+ [auth-krb4.c monitor.h serverloop.c session.c ssh-agent.c sshd.c]
+ pid_t cleanup. Markus need this now to keep hacking.
+ markus@, millert@ ok
+ - itojun@cvs.openbsd.org 2002/06/11 08:11:45
+ [canohost.c]
+ use "ntop" only after initialized
+ - (bal) Cygwin fix up from swap uid clean up in ssh.c patch by
+ vinschen@redhat.com
+
+20020609
+ - (bal) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2002/06/08 05:07:56
+ [ssh.c]
+ nuke ptrace comment
+ - markus@cvs.openbsd.org 2002/06/08 05:07:09
+ [ssh-keysign.c]
+ only accept 20 byte session ids
+ - markus@cvs.openbsd.org 2002/06/08 05:17:01
+ [readconf.c readconf.h ssh.1 ssh.c]
+ deprecate FallBackToRsh and UseRsh; patch from djm@
+ - markus@cvs.openbsd.org 2002/06/08 05:40:01
+ [readconf.c]
+ just warn about Deprecated options for now
+ - markus@cvs.openbsd.org 2002/06/08 05:41:18
+ [ssh_config]
+ remove FallBackToRsh/UseRsh
+ - markus@cvs.openbsd.org 2002/06/08 12:36:53
+ [scp.c]
+ remove FallBackToRsh
+ - markus@cvs.openbsd.org 2002/06/08 12:46:14
+ [readconf.c]
+ silently ignore deprecated options, since FallBackToRsh might be passed
+ by remote scp commands.
+ - itojun@cvs.openbsd.org 2002/06/08 21:15:27
+ [sshconnect.c]
+ always use getnameinfo. (diag message only)
+ - markus@cvs.openbsd.org 2002/06/09 04:33:27
+ [sshconnect.c]
+ abort() - > fatal()
+ - (bal) RCSID tag updates on channels.c, clientloop.c, nchan.c,
+ sftp-client.c, ssh-agenet.c, ssh-keygen.c and connect.h (we did unexpand
+ independant of them)
+
+20020607
+ - (bal) Removed --{enable/disable}-suid-ssh
+ - (bal) Missed __progname in ssh-keysign.c patch by dtucker@zip.com.au
+ - (bal) use 'LOGIN_PROGRAM' not '/usr/bin/login' in session.c patch by
+ Bertrand.Velle@apogee-com.fr
+
+20020606
+ - (bal) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2002/05/15 21:56:38
+ [servconf.c sshd.8 sshd_config]
+ re-enable privsep and disable setuid for post-3.2.2
+ - markus@cvs.openbsd.org 2002/05/16 22:02:50
+ [cipher.c kex.h mac.c]
+ fix warnings (openssl 0.9.7 requires const)
+ - stevesk@cvs.openbsd.org 2002/05/16 22:09:59
+ [session.c ssh.c]
+ don't limit xauth pathlen on client side and longer print length on
+ server when debug; ok markus@
+ - deraadt@cvs.openbsd.org 2002/05/19 20:54:52
+ [log.h]
+ extra commas in enum not 100% portable
+ - deraadt@cvs.openbsd.org 2002/05/22 23:18:25
+ [ssh.c sshd.c]
+ spelling; abishoff@arc.nasa.gov
+ - markus@cvs.openbsd.org 2002/05/23 19:24:30
+ [authfile.c authfile.h pathnames.h ssh.c sshconnect.c sshconnect.h
+ sshconnect1.c sshconnect2.c ssh-keysign.8 ssh-keysign.c Makefile.in]
+ add /usr/libexec/ssh-keysign: a setuid helper program for hostbased
+ authentication in protocol v2 (needs to access the hostkeys).
+ - markus@cvs.openbsd.org 2002/05/23 19:39:34
+ [ssh.c]
+ add comment about ssh-keysign
+ - markus@cvs.openbsd.org 2002/05/24 08:45:14
+ [sshconnect2.c]
+ stat ssh-keysign first, print error if stat fails;
+ some debug->error; fix comment
+ - markus@cvs.openbsd.org 2002/05/25 08:50:39
+ [sshconnect2.c]
+ execlp->execl; from stevesk
+ - markus@cvs.openbsd.org 2002/05/25 18:51:07
+ [auth.h auth2.c auth2-hostbased.c auth2-kbdint.c auth2-none.c
+ auth2-passwd.c auth2-pubkey.c Makefile.in]
+ split auth2.c into one file per method; ok provos@/deraadt@
+ - stevesk@cvs.openbsd.org 2002/05/26 20:35:10
+ [ssh.1]
+ sort ChallengeResponseAuthentication; ok markus@
+ - stevesk@cvs.openbsd.org 2002/05/28 16:45:27
+ [monitor_mm.c]
+ print strerror(errno) on mmap/munmap error; ok markus@
+ - stevesk@cvs.openbsd.org 2002/05/28 17:28:02
+ [uidswap.c]
+ format spec change/casts and some KNF; ok markus@
+ - stevesk@cvs.openbsd.org 2002/05/28 21:24:00
+ [uidswap.c]
+ use correct function name in fatal()
+ - stevesk@cvs.openbsd.org 2002/05/29 03:06:30
+ [ssh.1 sshd.8]
+ spelling
+ - markus@cvs.openbsd.org 2002/05/29 11:21:57
+ [sshd.c]
+ don't start if privsep is enabled and SSH_PRIVSEP_USER or
+ _PATH_PRIVSEP_CHROOT_DIR are missing; ok deraadt@
+ - markus@cvs.openbsd.org 2002/05/30 08:07:31
+ [cipher.c]
+ use rijndael/aes from libcrypto (openssl >= 0.9.7) instead of
+ our own implementation. allow use of AES hardware via libcrypto,
+ ok deraadt@
+ - markus@cvs.openbsd.org 2002/05/31 10:30:33
+ [sshconnect2.c]
+ extent ssh-keysign protocol:
+ pass # of socket-fd to ssh-keysign, keysign verfies locally used
+ ip-address using this socket-fd, restricts fake local hostnames
+ to actual local hostnames; ok stevesk@
+ - markus@cvs.openbsd.org 2002/05/31 11:35:15
+ [auth.h auth2.c]
+ move Authmethod definitons to per-method file.
+ - markus@cvs.openbsd.org 2002/05/31 13:16:48
+ [key.c]
+ add comment:
+ key_verify returns 1 for a correct signature, 0 for an incorrect signature
+ and -1 on error.
+ - markus@cvs.openbsd.org 2002/05/31 13:20:50
+ [ssh-rsa.c]
+ pad received signature with leading zeros, because RSA_verify expects
+ a signature of RSA_size. the drafts says the signature is transmitted
+ unpadded (e.g. putty does not pad), reported by anakin@pobox.com
+ - deraadt@cvs.openbsd.org 2002/06/03 12:04:07
+ [ssh.h]
+ compatiblity -> compatibility
+ decriptor -> descriptor
+ authentciated -> authenticated
+ transmition -> transmission
+ - markus@cvs.openbsd.org 2002/06/04 19:42:35
+ [monitor.c]
+ only allow enabled authentication methods; ok provos@
+ - markus@cvs.openbsd.org 2002/06/04 19:53:40
+ [monitor.c]
+ save the session id (hash) for ssh2 (it will be passed with the
+ initial sign request) and verify that this value is used during
+ authentication; ok provos@
+ - markus@cvs.openbsd.org 2002/06/04 23:02:06
+ [packet.c]
+ remove __FUNCTION__
+ - markus@cvs.openbsd.org 2002/06/04 23:05:49
+ [cipher.c monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c]
+ __FUNCTION__ -> __func__
+ - markus@cvs.openbsd.org 2002/06/05 16:08:07
+ [ssh-agent.1 ssh-agent.c]
+ '-a bind_address' binds the agent to user-specified unix-domain
+ socket instead of /tmp/ssh-XXXXXXXX/agent.<pid>; ok djm@ (some time ago).
+ - markus@cvs.openbsd.org 2002/06/05 16:08:07
+ [ssh-agent.1 ssh-agent.c]
+ '-a bind_address' binds the agent to user-specified unix-domain
+ socket instead of /tmp/ssh-XXXXXXXX/agent.<pid>; ok djm@ (some time ago).
+ - markus@cvs.openbsd.org 2002/06/05 16:48:54
+ [ssh-agent.c]
+ copy current request into an extra buffer and just flush this
+ request on errors, ok provos@
+ - markus@cvs.openbsd.org 2002/06/05 19:57:12
+ [authfd.c authfd.h ssh-add.1 ssh-add.c ssh-agent.c]
+ ssh-add -x for lock and -X for unlocking the agent.
+ todo: encrypt private keys with locked...
+ - markus@cvs.openbsd.org 2002/06/05 20:56:39
+ [ssh-add.c]
+ add -x/-X to usage
+ - markus@cvs.openbsd.org 2002/06/05 21:55:44
+ [authfd.c authfd.h ssh-add.1 ssh-add.c ssh-agent.c]
+ ssh-add -t life, Set lifetime (in seconds) when adding identities;
+ ok provos@
+ - stevesk@cvs.openbsd.org 2002/06/06 01:09:41
+ [monitor.h]
+ no trailing comma in enum; china@thewrittenword.com
+ - markus@cvs.openbsd.org 2002/06/06 17:12:44
+ [sftp-server.c]
+ discard remaining bytes of current request; ok provos@
+ - markus@cvs.openbsd.org 2002/06/06 17:30:11
+ [sftp-server.c]
+ use get_int() macro (hide iqueue)
+ - (bal) Missed msg.[ch] in merge. Required for ssh-keysign.
+ - (bal) Forgot to add msg.c Makefile.in.
+ - (bal) monitor_mm.c typos.
+ - (bal) Refixed auth2.c. It was never fully commited while spliting out
+ authentication to different files.
+ - (bal) ssh-keysign should build and install correctly now. Phase two
+ would be to clean out any dead wood and disable ssh setuid on install.
+ - (bal) Reverse logic, use __func__ first since it's C99
+
+20020604
+ - (stevesk) [channels.c] bug #164 patch from YOSHIFUJI Hideaki (changed
+ setsockopt from debug to error for now).
+
+20020527
+ - (tim) [configure.ac.orig monitor_fdpass.c] Enahnce msghdr tests to address
+ build problem on Irix reported by Dave Love <d.love@dl.ac.uk>. Back out
+ last monitor_fdpass.c changes that are no longer needed with new tests.
+ Patch tested on Irix by Jan-Frode Myklebust <janfrode@parallab.uib.no>
+
20020522
- (djm) Fix spelling mistakes, spotted by Solar Designer i
<solar@openwall.com>
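Review bot: the ssh-agent "'-a bind_address' binds the agent to user-specified unix-domain socket" entry (markus@cvs.openbsd.org 2002/06/05 16:08:07, [ssh-agent.1 ssh-agent.c]) appears twice in the 20020606 block; drop one copy. Several spellings in the new entries should also be fixed before the 3.3p1 release notes are cut from them: "contraints" (2002/06/15 entries), "extent ssh-keysign protocol" and "verfies" (2002/05/31 10:30:33), "definitons" (2002/05/31 11:35:15), "independant" and "ssh-agenet.c" (20020609), "Enahnce" (20020527), "commited" and "spliting" (20020606).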
Damien Miller
Kevin Steves
Daniel Kouril
+ Per Allansson
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
SSH_PROGRAM=@bindir@/ssh
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
+SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+RAND_HELPER=$(libexecdir)/ssh-rand-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
-D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\" \
+ -D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \
-D_PATH_SSH_PIDDIR=\"$(piddir)\" \
-D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \
- -DSSH_RAND_HELPER=\"$(libexecdir)/ssh-rand-helper\"
+ -DSSH_RAND_HELPER=\"$(RAND_HELPER)\"
CC=@CC@
LD=@LD@
XAUTH_PATH=@XAUTH_PATH@
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
EXEEXT=@EXEEXT@
-SSH_MODE= @SSHMODE@
INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
@NO_SFTP@SFTP_PROGS=sftp-server$(EXEEXT) sftp$(EXEEXT)
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} $(SFTP_PROGS)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} $(SFTP_PROGS)
-LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o dh.o dispatch.o fatal.o mac.o hostfile.o key.o kex.o kexdh.o kexgex.o log.o match.o misc.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o scard.o scard-opensc.o ssh-dss.o ssh-rsa.o tildexpand.o ttymodes.o uidswap.o uuencode.o xmalloc.o monitor_wrap.o monitor_fdpass.o
+LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o dh.o dispatch.o fatal.o mac.o msg.o hostfile.o key.o kex.o kexdh.o kexgex.o log.o match.o misc.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o scard.o scard-opensc.o ssh-dss.o ssh-rsa.o tildexpand.o ttymodes.o uidswap.o uuencode.o xmalloc.o monitor_wrap.o monitor_fdpass.o
SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o
+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o
-MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out
-MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8
+MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
+MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
MANTYPE = @MANTYPE@
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
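Review bot: with "SSH_MODE= @SSHMODE@" removed here, every use of $(SSH_MODE) must go in the same change (the install rule below switches ssh to a literal 0755, which covers the one visible use), and the @SSHMODE@ substitution plus the --{enable,disable}-suid-ssh option noted in the 20020607 ChangeLog entry should be removed from configure.ac together, or a stale @SSHMODE@ will be substituted for nothing.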
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o
+ $(LD) -o $@ ssh-keysign.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)
$(srcdir)/mkinstalldirs $(DESTDIR)$(datadir)
$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1
+ $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5
$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8
$(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir)
- $(INSTALL) -m $(SSH_MODE) -s ssh $(DESTDIR)$(bindir)/ssh
+ $(INSTALL) -m 0755 -s ssh $(DESTDIR)$(bindir)/ssh
$(INSTALL) -m 0755 -s scp $(DESTDIR)$(bindir)/scp
$(INSTALL) -m 0755 -s ssh-add $(DESTDIR)$(bindir)/ssh-add
$(INSTALL) -m 0755 -s ssh-agent $(DESTDIR)$(bindir)/ssh-agent
if test ! -z "$(INSTALL_SSH_RAND_HELPER)" ; then \
$(INSTALL) -m 0755 -s ssh-rand-helper $(DESTDIR)$(libexecdir)/ssh-rand-helper ; \
fi
+ $(INSTALL) -m 4711 -s ssh-keysign $(DESTDIR)$(SSH_KEYSIGN)
@NO_SFTP@$(INSTALL) -m 0755 -s sftp $(DESTDIR)$(bindir)/sftp
@NO_SFTP@$(INSTALL) -m 0755 -s sftp-server $(DESTDIR)$(SFTP_SERVER)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
+ $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
+ $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
$(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
if [ ! -z "$(INSTALL_SSH_PRNG_CMDS)" ]; then \
$(INSTALL) -m 644 ssh-rand-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8 ; \
fi
@NO_SFTP@$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
@NO_SFTP@$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
+ $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(bindir)/slogin
ln -s ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
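Review bot: "$(INSTALL) -m 4711 -s ssh-keysign $(DESTDIR)$(SSH_KEYSIGN)" is the only setuid install in this hunk now that ssh itself drops from $(SSH_MODE) to 0755, and it is unconditional: unlike the ssh-rand-helper install, which is guarded by INSTALL_SSH_RAND_HELPER, a site that never uses hostbased authentication gets a setuid-root binary with no way to opt out. Consider a configure-time switch, or at least a Makefile comment stating why 4711 (setuid, not world-readable) was chosen, so the next person does not "fix" it to 0755 or 4755.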
-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
-rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+ -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
+ -rm -f $(DESTDIR)$(RAND_HELPER)$(EXEEXT)
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
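Review bot: the uninstall hunk removes ssh-keysign, ssh-rand-helper and ssh-keysign.8, but no removal of the sshd_config.5 and ssh_config.5 pages that the install rule now places under $(mansubdir)5 appears here; add "-rm -f $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5" and the ssh_config.5 counterpart unless they live in a part of the diff not shown.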
-Privilege separation, or privsep, is an experimental feature in
-OpenSSH in which operations that require root privilege are performed
-by a separate privileged monitor process. Its purpose is to prevent
-privilege escalation by containing corruption to an unprivileged
-process. More information is available at:
+Privilege separation, or privsep, is method in OpenSSH by which
+operations that require root privilege are performed by a separate
+privileged monitor process. Its purpose is to prevent privilege
+escalation by containing corruption to an unprivileged process.
+More information is available at:
http://www.citi.umich.edu/u/provos/ssh/privsep.html
-Privilege separation is not enabled by default, and may be enabled by
-specifying "UsePrivilegeSeparation yes" in sshd_config; see the
-UsePrivilegeSeparation option in sshd(8).
+Privilege separation is now enabled by default; see the
+UsePrivilegeSeparation option in sshd_config(5).
+
+On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
+compression must be disabled in order for privilege separation to
+function.
When privsep is enabled, the pre-authentication sshd process will
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
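Review bot: the new paragraph says privsep works on systems without mmap/MAP_ANON as long as compression is disabled, but the retained sentence "Privsep requires operating system support for file descriptor passing and mmap(MAP_ANON)." still states mmap is required unconditionally; reword it to say MAP_ANON is needed only when Compression is enabled, matching the warn-and-disable behaviour in the 20020621 ChangeLog entry. Also, "privsep, is method in OpenSSH" drops an article: "is a method".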
Privsep requires operating system support for file descriptor passing
and mmap(MAP_ANON).
-PAM-enabled OpenSSH is known to function with privsep on Linux and
-Solaris 8. It does not function on HP-UX with a trusted system
+PAM-enabled OpenSSH is known to function with privsep on Linux.
+It does not function on HP-UX with a trusted system
configuration. PAMAuthenticationViaKbdInt does not function with
privsep.
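Review bot: dropping Solaris 8 from the list of platforms where PAM-enabled OpenSSH works with privsep is not explained anywhere in this diff (the ChangeLog entry only says "Update README.privsep; spotted by fries@"); if PAM plus privsep is now known to break on Solaris 8, say so explicitly next to the HP-UX sentence rather than silently removing the platform.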
/* supported by bsd-setproctitle.c */
#undef SPT_TYPE
+/* setgroups() NOOP allowed */
+#undef SETGROUPS_NOOP
+
/* SCO workaround */
#undef BROKEN_SYS_TERMIO_H
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-bsdauth.c,v 1.3 2002/03/18 17:50:31 provos Exp $");
+RCSID("$OpenBSD: auth-bsdauth.c,v 1.4 2002/06/19 00:27:55 deraadt Exp $");
#ifdef BSD_AUTH
#include "xmalloc.h"
debug3("bsdauth_query: style %s",
authctxt->style ? authctxt->style : "<default>");
authctxt->as = auth_userchallenge(authctxt->user,
- authctxt->style, "auth-ssh", &challenge);
+ authctxt->style, "auth-ssh", &challenge);
if (authctxt->as == NULL)
challenge = NULL;
debug2("bsdauth_query: <%s>", challenge ? challenge : "empty");
if (challenge == NULL)
return -1;
- *name = xstrdup("");
- *infotxt = xstrdup("");
+ *name = xstrdup("");
+ *infotxt = xstrdup("");
*numprompts = 1;
*prompts = xmalloc(*numprompts * sizeof(char*));
*echo_on = xmalloc(*numprompts * sizeof(u_int));
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-krb4.c,v 1.26 2002/03/18 01:30:10 dugsong Exp $");
+RCSID("$OpenBSD: auth-krb4.c,v 1.27 2002/06/11 05:46:20 mpech Exp $");
#include "ssh.h"
#include "ssh1.h"
if (lstat("/ticket", &st) != -1)
tkt_root = "/ticket/";
#endif /* AFS */
- snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%d",
- tkt_root, authctxt->pw->pw_uid, getpid());
+ snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%ld",
+ tkt_root, authctxt->pw->pw_uid, (long)getpid());
krb_set_tkt_string(authctxt->krb4_ticket_file);
}
/* Register ticket cleanup in case of fatal error. */
if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
authctxt->pw->pw_name)) {
- problem = -1;
+ problem = -1;
goto out;
}
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-passwd.c,v 1.26 2002/05/10 02:30:12 mouring Exp $");
+RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
#include "packet.h"
#include "log.h"
#ifndef HAVE_CYGWIN
if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
return 0;
-#endif
-#ifdef HAVE_CYGWIN
- /*
- * Empty password is only possible on NT if the user has _really_
- * an empty password and authentication is done, though.
- */
- if (!is_winnt)
#endif
if (*password == '\0' && options.permit_empty_passwd == 0)
return 0;
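Review bot: removing the "if (!is_winnt)" guard means the "*password == '\0' && options.permit_empty_passwd == 0" check now applies on Cygwin/NT too, where the old code deliberately let an empty password through to the later authentication call; this tightens behaviour (PermitEmptyPasswords no is now honoured on Cygwin) and matches the ChangeLog entry "Cygwin special handling of empty passwords wrong", but that entry should state the user-visible effect so Cygwin users who relied on empty NT passwords know why logins start failing.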
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-rsa.c,v 1.55 2002/03/29 19:18:33 stevesk Exp $");
+RCSID("$OpenBSD: auth-rsa.c,v 1.56 2002/06/10 16:53:06 stevesk Exp $");
#include <openssl/rsa.h>
#include <openssl/md5.h>
/* don't allow short keys */
if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
- error("auth_rsa_verify_response: n too small: %d bits",
- BN_num_bits(key->rsa->n));
+ error("auth_rsa_verify_response: RSA modulus too small: %d < minimum %d bits",
+ BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
return (0);
}
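Review bot: the new error() call in auth_rsa_verify_response() runs well past 80 columns; split the format string, e.g. error("auth_rsa_verify_response: RSA modulus too small: " followed by "%d < minimum %d bits", on the next line, to keep KNF.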
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-skey.c,v 1.18 2002/05/13 02:37:39 itojun Exp $");
+RCSID("$OpenBSD: auth-skey.c,v 1.19 2002/06/19 00:27:55 deraadt Exp $");
#ifdef SKEY
if (skeychallenge(&skey, authctxt->user, challenge) == -1)
return -1;
- *name = xstrdup("");
- *infotxt = xstrdup("");
+ *name = xstrdup("");
+ *infotxt = xstrdup("");
*numprompts = 1;
*prompts = xmalloc(*numprompts * sizeof(char*));
*echo_on = xmalloc(*numprompts * sizeof(u_int));
-/* $OpenBSD: auth.h,v 1.37 2002/05/13 20:44:58 markus Exp $ */
+/* $OpenBSD: auth.h,v 1.39 2002/05/31 11:35:15 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
#endif
typedef struct Authctxt Authctxt;
+typedef struct Authmethod Authmethod;
typedef struct KbdintDevice KbdintDevice;
struct Authctxt {
#endif
};
+struct Authmethod {
+ char *name;
+ int (*userauth)(Authctxt *authctxt);
+ int *enabled;
+};
+
/*
* Keyboard interactive device:
* init_ctx returns: non NULL upon success
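Review bot: the new struct Authmethod has no comment on its fields; document that "enabled" points at a ServerOptions flag (as in "&options.hostbased_authentication" in auth2-hostbased.c in this diff) and whether NULL is permitted, since monitor.c now consults it to reject disabled methods (ChangeLog 2002/06/04 "only allow enabled authentication methods") and a NULL dereference there would be a monitor-side crash.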
*/
#include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.40 2002/04/10 08:21:47 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.41 2002/06/19 00:27:55 deraadt Exp $");
#include "xmalloc.h"
#include "rsa.h"
if (bits != BN_num_bits(client_host_key->rsa->n))
verbose("Warning: keysize mismatch for client_host_key: "
"actual %d, announced %d",
- BN_num_bits(client_host_key->rsa->n), bits);
+ BN_num_bits(client_host_key->rsa->n), bits);
packet_check_eom();
authenticated = auth_rhosts_rsa(pw, client_user,
if (authctxt->failures++ > AUTH_FAIL_MAX) {
#ifdef WITH_AIXAUTHENTICATE
+ /* XXX: privsep */
loginfailed(authctxt->user,
get_canonical_hostname(options.verify_reverse_mapping),
"ssh");
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2-chall.c,v 1.17 2002/03/18 17:50:31 provos Exp $");
+RCSID("$OpenBSD: auth2-chall.c,v 1.18 2002/06/19 00:27:55 deraadt Exp $");
#include "ssh2.h"
#include "auth.h"
packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
packet_put_cstring(name);
packet_put_cstring(instr);
- packet_put_cstring(""); /* language not used */
+ packet_put_cstring(""); /* language not used */
packet_put_int(numprompts);
for (i = 0; i < numprompts; i++) {
packet_put_cstring(prompts[i]);
--- /dev/null
+/*
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: auth2-hostbased.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
+
+#include "ssh2.h"
+#include "xmalloc.h"
+#include "packet.h"
+#include "buffer.h"
+#include "log.h"
+#include "servconf.h"
+#include "compat.h"
+#include "bufaux.h"
+#include "auth.h"
+#include "key.h"
+#include "canohost.h"
+#include "monitor_wrap.h"
+#include "pathnames.h"
+
+/* import */
+extern ServerOptions options;
+extern u_char *session_id2;
+extern int session_id2_len;
+
+static int
+userauth_hostbased(Authctxt *authctxt)
+{
+ Buffer b;
+ Key *key = NULL;
+ char *pkalg, *cuser, *chost, *service;
+ u_char *pkblob, *sig;
+ u_int alen, blen, slen;
+ int pktype;
+ int authenticated = 0;
+
+ if (!authctxt->valid) {
+ debug2("userauth_hostbased: disabled because of invalid user");
+ return 0;
+ }
+ pkalg = packet_get_string(&alen);
+ pkblob = packet_get_string(&blen);
+ chost = packet_get_string(NULL);
+ cuser = packet_get_string(NULL);
+ sig = packet_get_string(&slen);
+
+ debug("userauth_hostbased: cuser %s chost %s pkalg %s slen %d",
+ cuser, chost, pkalg, slen);
+#ifdef DEBUG_PK
+ debug("signature:");
+ buffer_init(&b);
+ buffer_append(&b, sig, slen);
+ buffer_dump(&b);
+ buffer_free(&b);
+#endif
+ pktype = key_type_from_name(pkalg);
+ if (pktype == KEY_UNSPEC) {
+ /* this is perfectly legal */
+ log("userauth_hostbased: unsupported "
+ "public key algorithm: %s", pkalg);
+ goto done;
+ }
+ key = key_from_blob(pkblob, blen);
+ if (key == NULL) {
+ error("userauth_hostbased: cannot decode key: %s", pkalg);
+ goto done;
+ }
+ if (key->type != pktype) {
+ error("userauth_hostbased: type mismatch for decoded key "
+ "(received %d, expected %d)", key->type, pktype);
+ goto done;
+ }
+ service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
+ authctxt->service;
+ buffer_init(&b);
+ buffer_put_string(&b, session_id2, session_id2_len);
+ /* reconstruct packet */
+ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
+ buffer_put_cstring(&b, authctxt->user);
+ buffer_put_cstring(&b, service);
+ buffer_put_cstring(&b, "hostbased");
+ buffer_put_string(&b, pkalg, alen);
+ buffer_put_string(&b, pkblob, blen);
+ buffer_put_cstring(&b, chost);
+ buffer_put_cstring(&b, cuser);
+#ifdef DEBUG_PK
+ buffer_dump(&b);
+#endif
+ /* test for allowed key and correct signature */
+ authenticated = 0;
+ if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
+ PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
+ buffer_len(&b))) == 1)
+ authenticated = 1;
+
+ buffer_clear(&b);
+done:
+ debug2("userauth_hostbased: authenticated %d", authenticated);
+ if (key != NULL)
+ key_free(key);
+ xfree(pkalg);
+ xfree(pkblob);
+ xfree(cuser);
+ xfree(chost);
+ xfree(sig);
+ return authenticated;
+}
+
+/* return 1 if given hostkey is allowed */
+int
+hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
+ Key *key)
+{
+ const char *resolvedname, *ipaddr, *lookup;
+ HostStatus host_status;
+ int len;
+
+ resolvedname = get_canonical_hostname(options.verify_reverse_mapping);
+ ipaddr = get_remote_ipaddr();
+
+ debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
+ chost, resolvedname, ipaddr);
+
+ if (options.hostbased_uses_name_from_packet_only) {
+ if (auth_rhosts2(pw, cuser, chost, chost) == 0)
+ return 0;
+ lookup = chost;
+ } else {
+ if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
+ debug2("stripping trailing dot from chost %s", chost);
+ chost[len - 1] = '\0';
+ }
+ if (strcasecmp(resolvedname, chost) != 0)
+ log("userauth_hostbased mismatch: "
+ "client sends %s, but we resolve %s to %s",
+ chost, ipaddr, resolvedname);
+ if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0)
+ return 0;
+ lookup = resolvedname;
+ }
+ debug2("userauth_hostbased: access allowed by auth_rhosts2");
+
+ host_status = check_key_in_hostfiles(pw, key, lookup,
+ _PATH_SSH_SYSTEM_HOSTFILE,
+ options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
+
+ /* backward compat if no key has been found. */
+ if (host_status == HOST_NEW)
+ host_status = check_key_in_hostfiles(pw, key, lookup,
+ _PATH_SSH_SYSTEM_HOSTFILE2,
+ options.ignore_user_known_hosts ? NULL :
+ _PATH_SSH_USER_HOSTFILE2);
+
+ return (host_status == HOST_OK);
+}
+
+Authmethod method_hostbased = {
+ "hostbased",
+ userauth_hostbased,
+ &options.hostbased_authentication
+};
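Review bot: the trailing-dot normalisation at `if (((len = strlen(chost)) > 0) && chost[len - 1] == '.')` runs only in the resolve branch; with hostbased_uses_name_from_packet_only a client-supplied "host." is handed verbatim to auth_rhosts2() and check_key_in_hostfiles(), so a known_hosts entry for "host" will not match. Hoist the strip above the if/else. Two smaller points: the strip mutates chost after the signed buffer was built from it (buffer_put_cstring(&b, chost) runs before hostbased_key_allowed() is called), which is the right order because key_verify() must cover the bytes the client actually signed, and a one-line comment there would spare the next reader the check; and buffer_clear(&b) before done: only resets the offsets, so the backing allocation leaks once per attempt where buffer_free(&b) is wanted. Also worth a comment: a HOST_CHANGED result from the first check_key_in_hostfiles() skips the *2 fallback, so a host whose current key lives only in the legacy file but has a stale entry in the primary file is refused; fine if intended, surprising if not.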
--- /dev/null
+/*
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: auth2-kbdint.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
+
+#include "packet.h"
+#include "auth.h"
+#include "log.h"
+#include "servconf.h"
+#include "xmalloc.h"
+
+/* import */
+extern ServerOptions options;
+
+static int
+userauth_kbdint(Authctxt *authctxt)
+{
+ int authenticated = 0;
+ char *lang, *devs;
+
+ lang = packet_get_string(NULL);
+ devs = packet_get_string(NULL);
+ packet_check_eom();
+
+ debug("keyboard-interactive devs %s", devs);
+
+ if (options.challenge_response_authentication)
+ authenticated = auth2_challenge(authctxt, devs);
+
+#ifdef USE_PAM
+ if (authenticated == 0 && options.pam_authentication_via_kbd_int)
+ authenticated = auth2_pam(authctxt);
+#endif
+ xfree(devs);
+ xfree(lang);
+#ifdef HAVE_CYGWIN
+ if (check_nt_auth(0, authctxt->pw) == 0)
+ return(0);
+#endif
+ return authenticated;
+}
+
+Authmethod method_kbdint = {
+ "keyboard-interactive",
+ userauth_kbdint,
+ &options.kbd_interactive_authentication
+};
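Review bot: unlike the sibling methods, which wrap auth_password() in PRIVSEP(), auth2_challenge() and auth2_pam() are called directly here; under UsePrivilegeSeparation they run in the unprivileged child, so whatever the challenge devices and the PAM stack need to read or open must either be reachable without privilege or be hopped to the monitor inside those functions. If PAM via keyboard-interactive is not expected to work with privsep in this release, say so in a comment here and in README.privsep rather than leaving it to fail at run time. Minor: `lang` is read only to be freed, so a comment that it is ignored on purpose would help, and `devs` is client-controlled text written straight into the debug log.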
--- /dev/null
+/*
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: auth2-none.c,v 1.3 2002/06/19 00:27:55 deraadt Exp $");
+
+#include "auth.h"
+#include "xmalloc.h"
+#include "packet.h"
+#include "log.h"
+#include "servconf.h"
+#include "atomicio.h"
+#include "compat.h"
+#include "ssh2.h"
+#include "monitor_wrap.h"
+
+/* import */
+extern ServerOptions options;
+
+/* "none" is allowed only one time */
+static int none_enabled = 1;
+
+char *
+auth2_read_banner(void)
+{
+ struct stat st;
+ char *banner = NULL;
+ off_t len, n;
+ int fd;
+
+ if ((fd = open(options.banner, O_RDONLY)) == -1)
+ return (NULL);
+ if (fstat(fd, &st) == -1) {
+ close(fd);
+ return (NULL);
+ }
+ len = st.st_size;
+ banner = xmalloc(len + 1);
+ n = atomicio(read, fd, banner, len);
+ close(fd);
+
+ if (n != len) {
+ free(banner);
+ return (NULL);
+ }
+ banner[n] = '\0';
+
+ return (banner);
+}
+
+static void
+userauth_banner(void)
+{
+ char *banner = NULL;
+
+ if (options.banner == NULL || (datafellows & SSH_BUG_BANNER))
+ return;
+
+ if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
+ goto done;
+
+ packet_start(SSH2_MSG_USERAUTH_BANNER);
+ packet_put_cstring(banner);
+ packet_put_cstring(""); /* language, unused */
+ packet_send();
+ debug("userauth_banner: sent");
+done:
+ if (banner)
+ xfree(banner);
+}
+
+static int
+userauth_none(Authctxt *authctxt)
+{
+ none_enabled = 0;
+ packet_check_eom();
+ userauth_banner();
+#ifdef HAVE_CYGWIN
+ if (check_nt_auth(1, authctxt->pw) == 0)
+ return(0);
+#endif
+ return (authctxt->valid ? PRIVSEP(auth_password(authctxt, "")) : 0);
+}
+
+Authmethod method_none = {
+ "none",
+ userauth_none,
+ &none_enabled
+};
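Review bot: auth2_read_banner() releases with free() at `free(banner);` what it obtained from xmalloc(); use xfree() to match userauth_banner() below and the rest of the tree. The ordering in userauth_none() is right and deserves a comment: the banner is sent before authctxt->valid is consulted, so an unknown user sees exactly what a known one sees, and none_enabled = 0 is cleared first so a second "none" request is treated as an unknown method even if this one later fails.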
--- /dev/null
+/*
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: auth2-passwd.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
+
+#include "xmalloc.h"
+#include "packet.h"
+#include "log.h"
+#include "auth.h"
+#include "monitor_wrap.h"
+#include "servconf.h"
+
+/* import */
+extern ServerOptions options;
+
+static int
+userauth_passwd(Authctxt *authctxt)
+{
+ char *password;
+ int authenticated = 0;
+ int change;
+ u_int len;
+ change = packet_get_char();
+ if (change)
+ log("password change not supported");
+ password = packet_get_string(&len);
+ packet_check_eom();
+ if (authctxt->valid &&
+#ifdef HAVE_CYGWIN
+ check_nt_auth(1, authctxt->pw) &&
+#endif
+ PRIVSEP(auth_password(authctxt, password)) == 1)
+ authenticated = 1;
+ memset(password, 0, len);
+ xfree(password);
+ return authenticated;
+}
+
+Authmethod method_passwd = {
+ "password",
+ userauth_passwd,
+ &options.password_authentication
+};
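Review bot: when `change` is set the request carries a second string (the new password) after the one read at `password = packet_get_string(&len);`, so packet_check_eom() sees bytes remaining and disconnects the client with a packet integrity error instead of answering with a clean USERAUTH_FAILURE, and the new password stays unwiped in the incoming packet buffer. Either read and memset() the second string as well, or return 0 right after log("password change not supported") before the end-of-message check. The memset(password, 0, len) before xfree() on the normal path is good.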
--- /dev/null
+/*
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: auth2-pubkey.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
+
+#include "ssh2.h"
+#include "xmalloc.h"
+#include "packet.h"
+#include "buffer.h"
+#include "log.h"
+#include "servconf.h"
+#include "compat.h"
+#include "bufaux.h"
+#include "auth.h"
+#include "key.h"
+#include "pathnames.h"
+#include "uidswap.h"
+#include "auth-options.h"
+#include "canohost.h"
+#include "monitor_wrap.h"
+
+/* import */
+extern ServerOptions options;
+extern u_char *session_id2;
+extern int session_id2_len;
+
+static int
+userauth_pubkey(Authctxt *authctxt)
+{
+ Buffer b;
+ Key *key = NULL;
+ char *pkalg;
+ u_char *pkblob, *sig;
+ u_int alen, blen, slen;
+ int have_sig, pktype;
+ int authenticated = 0;
+
+ if (!authctxt->valid) {
+ debug2("userauth_pubkey: disabled because of invalid user");
+ return 0;
+ }
+ have_sig = packet_get_char();
+ if (datafellows & SSH_BUG_PKAUTH) {
+ debug2("userauth_pubkey: SSH_BUG_PKAUTH");
+ /* no explicit pkalg given */
+ pkblob = packet_get_string(&blen);
+ buffer_init(&b);
+ buffer_append(&b, pkblob, blen);
+ /* so we have to extract the pkalg from the pkblob */
+ pkalg = buffer_get_string(&b, &alen);
+ buffer_free(&b);
+ } else {
+ pkalg = packet_get_string(&alen);
+ pkblob = packet_get_string(&blen);
+ }
+ pktype = key_type_from_name(pkalg);
+ if (pktype == KEY_UNSPEC) {
+ /* this is perfectly legal */
+ log("userauth_pubkey: unsupported public key algorithm: %s",
+ pkalg);
+ goto done;
+ }
+ key = key_from_blob(pkblob, blen);
+ if (key == NULL) {
+ error("userauth_pubkey: cannot decode key: %s", pkalg);
+ goto done;
+ }
+ if (key->type != pktype) {
+ error("userauth_pubkey: type mismatch for decoded key "
+ "(received %d, expected %d)", key->type, pktype);
+ goto done;
+ }
+ if (have_sig) {
+ sig = packet_get_string(&slen);
+ packet_check_eom();
+ buffer_init(&b);
+ if (datafellows & SSH_OLD_SESSIONID) {
+ buffer_append(&b, session_id2, session_id2_len);
+ } else {
+ buffer_put_string(&b, session_id2, session_id2_len);
+ }
+ /* reconstruct packet */
+ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
+ buffer_put_cstring(&b, authctxt->user);
+ buffer_put_cstring(&b,
+ datafellows & SSH_BUG_PKSERVICE ?
+ "ssh-userauth" :
+ authctxt->service);
+ if (datafellows & SSH_BUG_PKAUTH) {
+ buffer_put_char(&b, have_sig);
+ } else {
+ buffer_put_cstring(&b, "publickey");
+ buffer_put_char(&b, have_sig);
+ buffer_put_cstring(&b, pkalg);
+ }
+ buffer_put_string(&b, pkblob, blen);
+#ifdef DEBUG_PK
+ buffer_dump(&b);
+#endif
+ /* test for correct signature */
+ authenticated = 0;
+ if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
+ PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
+ buffer_len(&b))) == 1)
+ authenticated = 1;
+ buffer_clear(&b);
+ xfree(sig);
+ } else {
+ debug("test whether pkalg/pkblob are acceptable");
+ packet_check_eom();
+
+ /* XXX fake reply and always send PK_OK ? */
+ /*
+ * XXX this allows testing whether a user is allowed
+ * to login: if you happen to have a valid pubkey this
+ * message is sent. the message is NEVER sent at all
+ * if a user is not allowed to login. is this an
+ * issue? -markus
+ */
+ if (PRIVSEP(user_key_allowed(authctxt->pw, key))) {
+ packet_start(SSH2_MSG_USERAUTH_PK_OK);
+ packet_put_string(pkalg, alen);
+ packet_put_string(pkblob, blen);
+ packet_send();
+ packet_write_wait();
+ authctxt->postponed = 1;
+ }
+ }
+ if (authenticated != 1)
+ auth_clear_options();
+done:
+ debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
+ if (key != NULL)
+ key_free(key);
+ xfree(pkalg);
+ xfree(pkblob);
+#ifdef HAVE_CYGWIN
+ if (check_nt_auth(0, authctxt->pw) == 0)
+ return(0);
+#endif
+ return authenticated;
+}
+
+/* return 1 if user allows given key */
+static int
+user_key_allowed2(struct passwd *pw, Key *key, char *file)
+{
+ char line[8192];
+ int found_key = 0;
+ FILE *f;
+ u_long linenum = 0;
+ struct stat st;
+ Key *found;
+ char *fp;
+
+ if (pw == NULL)
+ return 0;
+
+ /* Temporarily use the user's uid. */
+ temporarily_use_uid(pw);
+
+ debug("trying public key file %s", file);
+
+ /* Fail quietly if file does not exist */
+ if (stat(file, &st) < 0) {
+ /* Restore the privileged uid. */
+ restore_uid();
+ return 0;
+ }
+ /* Open the file containing the authorized keys. */
+ f = fopen(file, "r");
+ if (!f) {
+ /* Restore the privileged uid. */
+ restore_uid();
+ return 0;
+ }
+ if (options.strict_modes &&
+ secure_filename(f, file, pw, line, sizeof(line)) != 0) {
+ fclose(f);
+ log("Authentication refused: %s", line);
+ restore_uid();
+ return 0;
+ }
+
+ found_key = 0;
+ found = key_new(key->type);
+
+ while (fgets(line, sizeof(line), f)) {
+ char *cp, *options = NULL;
+ linenum++;
+ /* Skip leading whitespace, empty and comment lines. */
+ for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
+ ;
+ if (!*cp || *cp == '\n' || *cp == '#')
+ continue;
+
+ if (key_read(found, &cp) != 1) {
+ /* no key? check if there are options for this key */
+ int quoted = 0;
+ debug2("user_key_allowed: check options: '%s'", cp);
+ options = cp;
+ for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
+ if (*cp == '\\' && cp[1] == '"')
+ cp++; /* Skip both */
+ else if (*cp == '"')
+ quoted = !quoted;
+ }
+ /* Skip remaining whitespace. */
+ for (; *cp == ' ' || *cp == '\t'; cp++)
+ ;
+ if (key_read(found, &cp) != 1) {
+ debug2("user_key_allowed: advance: '%s'", cp);
+ /* still no key? advance to next line*/
+ continue;
+ }
+ }
+ if (key_equal(found, key) &&
+ auth_parse_options(pw, options, file, linenum) == 1) {
+ found_key = 1;
+ debug("matching key found: file %s, line %lu",
+ file, linenum);
+ fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
+ verbose("Found matching %s key: %s",
+ key_type(found), fp);
+ xfree(fp);
+ break;
+ }
+ }
+ restore_uid();
+ fclose(f);
+ key_free(found);
+ if (!found_key)
+ debug2("key not found");
+ return found_key;
+}
+
+/* check whether given key is in .ssh/authorized_keys* */
+int
+user_key_allowed(struct passwd *pw, Key *key)
+{
+ int success;
+ char *file;
+
+ file = authorized_keys_file(pw);
+ success = user_key_allowed2(pw, key, file);
+ xfree(file);
+ if (success)
+ return success;
+
+ /* try suffix "2" for backward compat, too */
+ file = authorized_keys_file2(pw);
+ success = user_key_allowed2(pw, key, file);
+ xfree(file);
+ return success;
+}
+
+Authmethod method_pubkey = {
+ "publickey",
+ userauth_pubkey,
+ &options.pubkey_authentication
+};
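Review bot: the -markus question in the XXX block is worth answering in the code rather than leaving open: when have_sig is 0, PK_OK is sent only if user_key_allowed() succeeds, so a client can test whether a (user, public key) pair is present in authorized_keys without holding the private key, at no cost beyond a failed attempt. The fake-PK_OK idea already in the comment would close that for the price of one wasted signature round trip on unauthorised keys. Same as in auth2-hostbased.c, `buffer_clear(&b);` after key_verify() should be buffer_free(&b), otherwise the buffer storage leaks per attempt.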
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.91 2002/05/13 02:37:39 itojun Exp $");
-
-#include <openssl/evp.h>
+RCSID("$OpenBSD: auth2.c,v 1.93 2002/05/31 11:35:15 markus Exp $");
#include "ssh2.h"
#include "xmalloc.h"
-#include "rsa.h"
-#include "sshpty.h"
#include "packet.h"
-#include "buffer.h"
#include "log.h"
#include "servconf.h"
#include "compat.h"
-#include "channels.h"
-#include "bufaux.h"
#include "auth.h"
-#include "session.h"
#include "dispatch.h"
-#include "key.h"
-#include "cipher.h"
-#include "kex.h"
#include "pathnames.h"
-#include "uidswap.h"
-#include "auth-options.h"
-#include "hostfile.h"
-#include "canohost.h"
-#include "match.h"
#include "monitor_wrap.h"
-#include "atomicio.h"
/* import */
extern ServerOptions options;
extern int session_id2_len;
Authctxt *x_authctxt = NULL;
-static int one = 1;
-typedef struct Authmethod Authmethod;
-struct Authmethod {
- char *name;
- int (*userauth)(Authctxt *authctxt);
- int *enabled;
+/* methods */
+
+extern Authmethod method_none;
+extern Authmethod method_pubkey;
+extern Authmethod method_passwd;
+extern Authmethod method_kbdint;
+extern Authmethod method_hostbased;
+
+Authmethod *authmethods[] = {
+ &method_none,
+ &method_pubkey,
+ &method_passwd,
+ &method_kbdint,
+ &method_hostbased,
+ NULL
};
/* protocol */
int user_key_allowed(struct passwd *, Key *);
int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
-/* auth */
-static void userauth_banner(void);
-static int userauth_none(Authctxt *);
-static int userauth_passwd(Authctxt *);
-static int userauth_pubkey(Authctxt *);
-static int userauth_hostbased(Authctxt *);
-static int userauth_kbdint(Authctxt *);
-
-Authmethod authmethods[] = {
- {"none",
- userauth_none,
- &one},
- {"publickey",
- userauth_pubkey,
- &options.pubkey_authentication},
- {"password",
- userauth_passwd,
- &options.password_authentication},
- {"keyboard-interactive",
- userauth_kbdint,
- &options.kbd_interactive_authentication},
- {"hostbased",
- userauth_hostbased,
- &options.hostbased_authentication},
- {NULL, NULL, NULL}
-};
-
/*
* loop until authctxt->success == TRUE
*/
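Review bot: with the method table moved out, the bare prototypes `int user_key_allowed(struct passwd *, Key *);` and `int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);` left under /* protocol */ are the only declarations of functions now defined in auth2-pubkey.c and auth2-hostbased.c, and the monitor side needs them too; put them in auth.h so every caller and both definitions are checked against one prototype. The switch from the `one` sentinel to method_none's own none_enabled flag keeps the single-use semantics, since authmethod_lookup() still tests enabled != NULL && *enabled != 0, but the `/* methods */` comment should say that the order of authmethods[] is the order advertised to the client in USERAUTH_FAILURE.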
} else {
if (authctxt->failures++ > AUTH_FAIL_MAX) {
#ifdef WITH_AIXAUTHENTICATE
+ /* XXX: privsep */
loginfailed(authctxt->user,
get_canonical_hostname(options.verify_reverse_mapping),
"ssh");
}
}
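Review bot: `/* XXX: privsep */` marks a real gap rather than a nit: under UsePrivilegeSeparation this loginfailed() call runs in the unprivileged child, and if recording a failed login needs privileges the child no longer has, the record is lost silently while the disconnect still happens. Either route it through the monitor like the other privileged operations or document in README.privsep that AIX login-failure accounting is off when privsep is enabled.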
-char *
-auth2_read_banner(void)
-{
- struct stat st;
- char *banner = NULL;
- off_t len, n;
- int fd;
-
- if ((fd = open(options.banner, O_RDONLY)) == -1)
- return (NULL);
- if (fstat(fd, &st) == -1) {
- close(fd);
- return (NULL);
- }
- len = st.st_size;
- banner = xmalloc(len + 1);
- n = atomicio(read, fd, banner, len);
- close(fd);
-
- if (n != len) {
- free(banner);
- return (NULL);
- }
- banner[n] = '\0';
-
- return (banner);
-}
-
-static void
-userauth_banner(void)
-{
- char *banner = NULL;
-
- if (options.banner == NULL || (datafellows & SSH_BUG_BANNER))
- return;
-
- if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
- goto done;
-
- packet_start(SSH2_MSG_USERAUTH_BANNER);
- packet_put_cstring(banner);
- packet_put_cstring(""); /* language, unused */
- packet_send();
- debug("userauth_banner: sent");
-done:
- if (banner)
- xfree(banner);
- return;
-}
-
-static int
-userauth_none(Authctxt *authctxt)
-{
- /* disable method "none", only allowed one time */
- Authmethod *m = authmethod_lookup("none");
- if (m != NULL)
- m->enabled = NULL;
- packet_check_eom();
- userauth_banner();
-
- if (authctxt->valid == 0)
- return(0);
-
-#ifdef HAVE_CYGWIN
- if (check_nt_auth(1, authctxt->pw) == 0)
- return(0);
-#endif
- return PRIVSEP(auth_password(authctxt, ""));
-}
-
-static int
-userauth_passwd(Authctxt *authctxt)
-{
- char *password;
- int authenticated = 0;
- int change;
- u_int len;
- change = packet_get_char();
- if (change)
- log("password change not supported");
- password = packet_get_string(&len);
- packet_check_eom();
- if (authctxt->valid &&
-#ifdef HAVE_CYGWIN
- check_nt_auth(1, authctxt->pw) &&
-#endif
- PRIVSEP(auth_password(authctxt, password)) == 1)
- authenticated = 1;
- memset(password, 0, len);
- xfree(password);
- return authenticated;
-}
-
-static int
-userauth_kbdint(Authctxt *authctxt)
-{
- int authenticated = 0;
- char *lang, *devs;
-
- lang = packet_get_string(NULL);
- devs = packet_get_string(NULL);
- packet_check_eom();
-
- debug("keyboard-interactive devs %s", devs);
-
- if (options.challenge_response_authentication)
- authenticated = auth2_challenge(authctxt, devs);
-
-#ifdef USE_PAM
- if (authenticated == 0 && options.pam_authentication_via_kbd_int)
- authenticated = auth2_pam(authctxt);
-#endif
- xfree(devs);
- xfree(lang);
-#ifdef HAVE_CYGWIN
- if (check_nt_auth(0, authctxt->pw) == 0)
- return(0);
-#endif
- return authenticated;
-}
-
-static int
-userauth_pubkey(Authctxt *authctxt)
-{
- Buffer b;
- Key *key = NULL;
- char *pkalg;
- u_char *pkblob, *sig;
- u_int alen, blen, slen;
- int have_sig, pktype;
- int authenticated = 0;
-
- if (!authctxt->valid) {
- debug2("userauth_pubkey: disabled because of invalid user");
- return 0;
- }
- have_sig = packet_get_char();
- if (datafellows & SSH_BUG_PKAUTH) {
- debug2("userauth_pubkey: SSH_BUG_PKAUTH");
- /* no explicit pkalg given */
- pkblob = packet_get_string(&blen);
- buffer_init(&b);
- buffer_append(&b, pkblob, blen);
- /* so we have to extract the pkalg from the pkblob */
- pkalg = buffer_get_string(&b, &alen);
- buffer_free(&b);
- } else {
- pkalg = packet_get_string(&alen);
- pkblob = packet_get_string(&blen);
- }
- pktype = key_type_from_name(pkalg);
- if (pktype == KEY_UNSPEC) {
- /* this is perfectly legal */
- log("userauth_pubkey: unsupported public key algorithm: %s",
- pkalg);
- goto done;
- }
- key = key_from_blob(pkblob, blen);
- if (key == NULL) {
- error("userauth_pubkey: cannot decode key: %s", pkalg);
- goto done;
- }
- if (key->type != pktype) {
- error("userauth_pubkey: type mismatch for decoded key "
- "(received %d, expected %d)", key->type, pktype);
- goto done;
- }
- if (have_sig) {
- sig = packet_get_string(&slen);
- packet_check_eom();
- buffer_init(&b);
- if (datafellows & SSH_OLD_SESSIONID) {
- buffer_append(&b, session_id2, session_id2_len);
- } else {
- buffer_put_string(&b, session_id2, session_id2_len);
- }
- /* reconstruct packet */
- buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
- buffer_put_cstring(&b,
- datafellows & SSH_BUG_PKSERVICE ?
- "ssh-userauth" :
- authctxt->service);
- if (datafellows & SSH_BUG_PKAUTH) {
- buffer_put_char(&b, have_sig);
- } else {
- buffer_put_cstring(&b, "publickey");
- buffer_put_char(&b, have_sig);
- buffer_put_cstring(&b, pkalg);
- }
- buffer_put_string(&b, pkblob, blen);
-#ifdef DEBUG_PK
- buffer_dump(&b);
-#endif
- /* test for correct signature */
- authenticated = 0;
- if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
- PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
- buffer_len(&b))) == 1)
- authenticated = 1;
- buffer_clear(&b);
- xfree(sig);
- } else {
- debug("test whether pkalg/pkblob are acceptable");
- packet_check_eom();
-
- /* XXX fake reply and always send PK_OK ? */
- /*
- * XXX this allows testing whether a user is allowed
- * to login: if you happen to have a valid pubkey this
- * message is sent. the message is NEVER sent at all
- * if a user is not allowed to login. is this an
- * issue? -markus
- */
- if (PRIVSEP(user_key_allowed(authctxt->pw, key))) {
- packet_start(SSH2_MSG_USERAUTH_PK_OK);
- packet_put_string(pkalg, alen);
- packet_put_string(pkblob, blen);
- packet_send();
- packet_write_wait();
- authctxt->postponed = 1;
- }
- }
- if (authenticated != 1)
- auth_clear_options();
-done:
- debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
- if (key != NULL)
- key_free(key);
- xfree(pkalg);
- xfree(pkblob);
-#ifdef HAVE_CYGWIN
- if (check_nt_auth(0, authctxt->pw) == 0)
- return(0);
-#endif
- return authenticated;
-}
-
-static int
-userauth_hostbased(Authctxt *authctxt)
-{
- Buffer b;
- Key *key = NULL;
- char *pkalg, *cuser, *chost, *service;
- u_char *pkblob, *sig;
- u_int alen, blen, slen;
- int pktype;
- int authenticated = 0;
-
- if (!authctxt->valid) {
- debug2("userauth_hostbased: disabled because of invalid user");
- return 0;
- }
- pkalg = packet_get_string(&alen);
- pkblob = packet_get_string(&blen);
- chost = packet_get_string(NULL);
- cuser = packet_get_string(NULL);
- sig = packet_get_string(&slen);
-
- debug("userauth_hostbased: cuser %s chost %s pkalg %s slen %d",
- cuser, chost, pkalg, slen);
-#ifdef DEBUG_PK
- debug("signature:");
- buffer_init(&b);
- buffer_append(&b, sig, slen);
- buffer_dump(&b);
- buffer_free(&b);
-#endif
- pktype = key_type_from_name(pkalg);
- if (pktype == KEY_UNSPEC) {
- /* this is perfectly legal */
- log("userauth_hostbased: unsupported "
- "public key algorithm: %s", pkalg);
- goto done;
- }
- key = key_from_blob(pkblob, blen);
- if (key == NULL) {
- error("userauth_hostbased: cannot decode key: %s", pkalg);
- goto done;
- }
- if (key->type != pktype) {
- error("userauth_hostbased: type mismatch for decoded key "
- "(received %d, expected %d)", key->type, pktype);
- goto done;
- }
- service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
- authctxt->service;
- buffer_init(&b);
- buffer_put_string(&b, session_id2, session_id2_len);
- /* reconstruct packet */
- buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
- buffer_put_cstring(&b, service);
- buffer_put_cstring(&b, "hostbased");
- buffer_put_string(&b, pkalg, alen);
- buffer_put_string(&b, pkblob, blen);
- buffer_put_cstring(&b, chost);
- buffer_put_cstring(&b, cuser);
-#ifdef DEBUG_PK
- buffer_dump(&b);
-#endif
- /* test for allowed key and correct signature */
- authenticated = 0;
- if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
- PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
- buffer_len(&b))) == 1)
- authenticated = 1;
-
- buffer_clear(&b);
-done:
- debug2("userauth_hostbased: authenticated %d", authenticated);
- if (key != NULL)
- key_free(key);
- xfree(pkalg);
- xfree(pkblob);
- xfree(cuser);
- xfree(chost);
- xfree(sig);
- return authenticated;
-}
-
/* get current user */
struct passwd*
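Review bot: this removal is almost, but not quite, a verbatim move; the deviations from the deleted text are in userauth_none(), where the `if (authctxt->valid == 0) return(0);` guard that preceded check_nt_auth() became a conditional in the return after it, and the dropped trailing `return;` in userauth_banner(). Both look harmless, but the HAVE_CYGWIN build now reaches check_nt_auth() with an unknown user's pw, which can be NULL, so confirm it tolerates that and mention the reorder in the commit message so nobody has to diff the two files to find it.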
static char *
authmethods_get(void)
{
- Authmethod *method = NULL;
Buffer b;
char *list;
+ int i;
buffer_init(&b);
- for (method = authmethods; method->name != NULL; method++) {
- if (strcmp(method->name, "none") == 0)
+ for (i = 0; authmethods[i] != NULL; i++) {
+ if (strcmp(authmethods[i]->name, "none") == 0)
continue;
- if (method->enabled != NULL && *(method->enabled) != 0) {
+ if (authmethods[i]->enabled != NULL &&
+ *(authmethods[i]->enabled) != 0) {
if (buffer_len(&b) > 0)
buffer_append(&b, ",", 1);
- buffer_append(&b, method->name, strlen(method->name));
+ buffer_append(&b, authmethods[i]->name,
+ strlen(authmethods[i]->name));
}
}
buffer_append(&b, "\0", 1);
static Authmethod *
authmethod_lookup(const char *name)
{
- Authmethod *method = NULL;
+ int i;
+
if (name != NULL)
- for (method = authmethods; method->name != NULL; method++)
- if (method->enabled != NULL &&
- *(method->enabled) != 0 &&
- strcmp(name, method->name) == 0)
- return method;
- debug2("Unrecognized authentication method name: %s", name ? name : "NULL");
+ for (i = 0; authmethods[i] != NULL; i++)
+ if (authmethods[i]->enabled != NULL &&
+ *(authmethods[i]->enabled) != 0 &&
+ strcmp(name, authmethods[i]->name) == 0)
+ return authmethods[i];
+ debug2("Unrecognized authentication method name: %s",
+ name ? name : "NULL");
return NULL;
}
-
-/* return 1 if user allows given key */
-static int
-user_key_allowed2(struct passwd *pw, Key *key, char *file)
-{
- char line[8192];
- int found_key = 0;
- FILE *f;
- u_long linenum = 0;
- struct stat st;
- Key *found;
- char *fp;
-
- if (pw == NULL)
- return 0;
-
- /* Temporarily use the user's uid. */
- temporarily_use_uid(pw);
-
- debug("trying public key file %s", file);
-
- /* Fail quietly if file does not exist */
- if (stat(file, &st) < 0) {
- /* Restore the privileged uid. */
- restore_uid();
- return 0;
- }
- /* Open the file containing the authorized keys. */
- f = fopen(file, "r");
- if (!f) {
- /* Restore the privileged uid. */
- restore_uid();
- return 0;
- }
- if (options.strict_modes &&
- secure_filename(f, file, pw, line, sizeof(line)) != 0) {
- fclose(f);
- log("Authentication refused: %s", line);
- restore_uid();
- return 0;
- }
-
- found_key = 0;
- found = key_new(key->type);
-
- while (fgets(line, sizeof(line), f)) {
- char *cp, *options = NULL;
- linenum++;
- /* Skip leading whitespace, empty and comment lines. */
- for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
- ;
- if (!*cp || *cp == '\n' || *cp == '#')
- continue;
-
- if (key_read(found, &cp) != 1) {
- /* no key? check if there are options for this key */
- int quoted = 0;
- debug2("user_key_allowed: check options: '%s'", cp);
- options = cp;
- for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
- if (*cp == '\\' && cp[1] == '"')
- cp++; /* Skip both */
- else if (*cp == '"')
- quoted = !quoted;
- }
- /* Skip remaining whitespace. */
- for (; *cp == ' ' || *cp == '\t'; cp++)
- ;
- if (key_read(found, &cp) != 1) {
- debug2("user_key_allowed: advance: '%s'", cp);
- /* still no key? advance to next line*/
- continue;
- }
- }
- if (key_equal(found, key) &&
- auth_parse_options(pw, options, file, linenum) == 1) {
- found_key = 1;
- debug("matching key found: file %s, line %lu",
- file, linenum);
- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
- verbose("Found matching %s key: %s",
- key_type(found), fp);
- xfree(fp);
- break;
- }
- }
- restore_uid();
- fclose(f);
- key_free(found);
- if (!found_key)
- debug2("key not found");
- return found_key;
-}
-
-/* check whether given key is in .ssh/authorized_keys* */
-int
-user_key_allowed(struct passwd *pw, Key *key)
-{
- int success;
- char *file;
-
- file = authorized_keys_file(pw);
- success = user_key_allowed2(pw, key, file);
- xfree(file);
- if (success)
- return success;
-
- /* try suffix "2" for backward compat, too */
- file = authorized_keys_file2(pw);
- success = user_key_allowed2(pw, key, file);
- xfree(file);
- return success;
-}
-
-/* return 1 if given hostkey is allowed */
-int
-hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
- Key *key)
-{
- const char *resolvedname, *ipaddr, *lookup;
- HostStatus host_status;
- int len;
-
- resolvedname = get_canonical_hostname(options.verify_reverse_mapping);
- ipaddr = get_remote_ipaddr();
-
- debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
- chost, resolvedname, ipaddr);
-
- if (options.hostbased_uses_name_from_packet_only) {
- if (auth_rhosts2(pw, cuser, chost, chost) == 0)
- return 0;
- lookup = chost;
- } else {
- if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
- debug2("stripping trailing dot from chost %s", chost);
- chost[len - 1] = '\0';
- }
- if (strcasecmp(resolvedname, chost) != 0)
- log("userauth_hostbased mismatch: "
- "client sends %s, but we resolve %s to %s",
- chost, ipaddr, resolvedname);
- if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0)
- return 0;
- lookup = resolvedname;
- }
- debug2("userauth_hostbased: access allowed by auth_rhosts2");
-
- host_status = check_key_in_hostfiles(pw, key, lookup,
- _PATH_SSH_SYSTEM_HOSTFILE,
- options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
-
- /* backward compat if no key has been found. */
- if (host_status == HOST_NEW)
- host_status = check_key_in_hostfiles(pw, key, lookup,
- _PATH_SSH_SYSTEM_HOSTFILE2,
- options.ignore_user_known_hosts ? NULL :
- _PATH_SSH_USER_HOSTFILE2);
-
- return (host_status == HOST_OK);
-}
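Review bot: the debug2 "Unrecognized authentication method name" at the end of authmethod_lookup() fires both for a name sshd has never heard of and for a known method that is merely disabled (PasswordAuthentication no, or "none" after its single use), since both fall out of the loop; distinguishing the two cases ("unknown" versus "disabled") makes the debug log usable when triaging client probes. The deleted helpers that follow match the copies in auth2-pubkey.c and auth2-hostbased.c byte for byte.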
*/
#include "includes.h"
-RCSID("$OpenBSD: authfd.c,v 1.49 2002/03/21 22:44:05 rees Exp $");
+RCSID("$OpenBSD: authfd.c,v 1.55 2002/06/19 00:27:55 deraadt Exp $");
#include <openssl/evp.h>
/* macro to check for "agent failure" message */
#define agent_failed(x) \
((x == SSH_AGENT_FAILURE) || (x == SSH_COM_AGENT2_FAILURE) || \
- (x == SSH2_AGENT_FAILURE))
+ (x == SSH2_AGENT_FAILURE))
/* Returns the number of the authentication fd, or -1 if there is none. */
xfree(auth);
}
+/* Lock/unlock agent */
+int
+ssh_lock_agent(AuthenticationConnection *auth, int lock, const char *password)
+{
+ int type;
+ Buffer msg;
+
+ buffer_init(&msg);
+ buffer_put_char(&msg, lock ? SSH_AGENTC_LOCK : SSH_AGENTC_UNLOCK);
+ buffer_put_cstring(&msg, password);
+
+ if (ssh_request_reply(auth, &msg, &msg) == 0) {
+ buffer_free(&msg);
+ return 0;
+ }
+ type = buffer_get_char(&msg);
+ buffer_free(&msg);
+ return decode_reply(type);
+}
+
/*
* Returns the first authentication identity held by the agent.
*/
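Review bot: ssh_lock_agent() returns 0 both when ssh_request_reply() fails (no agent, broken socket) and when the agent answers with a failure code, e.g. a wrong passphrase on unlock, so a caller cannot tell a transport error from a refused unlock; a debug() in the first branch, or a distinct return value, would make `ssh-add -X` failures diagnosable. `password` goes straight into buffer_put_cstring() with no NULL check, so the contract that callers never pass NULL should be stated in a comment above the function. Since the same `msg` buffer is reused for the reply, the passphrase bytes are overwritten or released by buffer_free() on every path, which is good; the comment "Lock/unlock agent" could say that the passphrase travels to the agent in the clear over the socket and is only as protected as the socket permissions.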
static void
ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
{
- buffer_clear(b);
- buffer_put_char(b, SSH_AGENTC_ADD_RSA_IDENTITY);
buffer_put_int(b, BN_num_bits(key->n));
buffer_put_bignum(b, key->n);
buffer_put_bignum(b, key->e);
static void
ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
{
- buffer_clear(b);
- buffer_put_char(b, SSH2_AGENTC_ADD_IDENTITY);
buffer_put_cstring(b, key_ssh_name(key));
switch (key->type) {
case KEY_RSA:
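Review bot: with `buffer_clear(b)` and the `buffer_put_char(b, SSH_AGENTC_ADD_RSA_IDENTITY)` / `SSH2_AGENTC_ADD_IDENTITY` lines removed, ssh_encode_identity_rsa1() and ssh_encode_identity_ssh2() now append only the key body and rely on the caller to have initialised the buffer and written the message type first. Both are static, so a grep of this file for other callers is enough to confirm nothing now sends a typeless message, but each encoder should get a one-line comment ("appends key to b; caller writes the message type") so the next caller does not repeat the old assumption.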
*/
int
-ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
+ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
+ const char *comment, u_int life)
{
Buffer msg;
- int type;
+ int type, constrained = (life != 0);
buffer_init(&msg);
switch (key->type) {
case KEY_RSA1:
+ type = constrained ?
+ SSH_AGENTC_ADD_RSA_ID_CONSTRAINED :
+ SSH_AGENTC_ADD_RSA_IDENTITY;
+ buffer_put_char(&msg, type);
ssh_encode_identity_rsa1(&msg, key->rsa, comment);
break;
case KEY_RSA:
case KEY_DSA:
+ type = constrained ?
+ SSH2_AGENTC_ADD_ID_CONSTRAINED :
+ SSH2_AGENTC_ADD_IDENTITY;
+ buffer_put_char(&msg, type);
ssh_encode_identity_ssh2(&msg, key, comment);
break;
default:
return 0;
break;
}
+ if (constrained) {
+ if (life != 0) {
+ buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);
+ buffer_put_int(&msg, life);
+ }
+ }
if (ssh_request_reply(auth, &msg, &msg) == 0) {
buffer_free(&msg);
return 0;
return decode_reply(type);
}
+int
+ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
+{
+ return ssh_add_identity_constrained(auth, key, comment, 0);
+}
+
/*
* Removes an identity from the authentication server. This call is not
* meant to be used by normal applications.
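Review bot: in ssh_add_identity_constrained() the inner `if (life != 0)` is redundant, since `constrained` was defined as `(life != 0)` a few lines earlier; either drop the inner test, or, if more constraint kinds are planned, define `constrained` as the OR of all of them so the outer test stays correct when a second constraint is added and the inner tests then carry their weight. The `default: return 0;` path still returns without freeing the `msg` that buffer_init() allocated at the top of the function (pre-existing, but this hunk touches every other exit and could fix it in passing). The new ssh_add_identity() wrapper passing `0` for the lifetime keeps the old wire format for unconstrained keys, which is the right compatibility choice.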
-/* $OpenBSD: authfd.h,v 1.24 2002/03/21 22:44:05 rees Exp $ */
+/* $OpenBSD: authfd.h,v 1.30 2002/06/19 00:27:55 deraadt Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
/* smartcard */
#define SSH_AGENTC_ADD_SMARTCARD_KEY 20
-#define SSH_AGENTC_REMOVE_SMARTCARD_KEY 21
+#define SSH_AGENTC_REMOVE_SMARTCARD_KEY 21
+
+/* lock/unlock the agent */
+#define SSH_AGENTC_LOCK 22
+#define SSH_AGENTC_UNLOCK 23
+
+/* add key with constraints */
+#define SSH_AGENTC_ADD_RSA_ID_CONSTRAINED 24
+#define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
+
+#define SSH_AGENT_CONSTRAIN_LIFETIME 1
/* extended failure messages */
#define SSH2_AGENT_FAILURE 30
/* additional error code for ssh.com's ssh-agent2 */
-#define SSH_COM_AGENT2_FAILURE 102
+#define SSH_COM_AGENT2_FAILURE 102
#define SSH_AGENT_OLD_SIGNATURE 0x01
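Review bot: the new message numbers (SSH_AGENTC_LOCK 22, SSH_AGENTC_UNLOCK 23, SSH_AGENTC_ADD_RSA_ID_CONSTRAINED 24, SSH2_AGENTC_ADD_ID_CONSTRAINED 25) and the constraint type SSH_AGENT_CONSTRAIN_LIFETIME 1 extend the agent wire protocol but carry no description of the layout; a short comment next to the defines (type byte, key body as for the unconstrained message, then a sequence of constraint-type bytes each followed by its payload, a u_int for the lifetime) would let other agent implementations interoperate without reading authfd.c. It is also worth stating that an agent that does not know 24/25 is expected to answer with a failure code, which agent_failed() in authfd.c already treats as a refused request. The SSH_AGENTC_REMOVE_SMARTCARD_KEY and SSH_COM_AGENT2_FAILURE lines change only in whitespace and add noise to the review.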
typedef struct {
- int fd;
- Buffer identities;
- int howmany;
-} AuthenticationConnection;
+ int fd;
+ Buffer identities;
+ int howmany;
+} AuthenticationConnection;
-int ssh_get_authentication_socket(void);
-void ssh_close_authentication_socket(int);
+int ssh_get_authentication_socket(void);
+void ssh_close_authentication_socket(int);
AuthenticationConnection *ssh_get_authentication_connection(void);
-void ssh_close_authentication_connection(AuthenticationConnection *);
+void ssh_close_authentication_connection(AuthenticationConnection *);
int ssh_get_num_identities(AuthenticationConnection *, int);
Key *ssh_get_first_identity(AuthenticationConnection *, char **, int);
Key *ssh_get_next_identity(AuthenticationConnection *, char **, int);
int ssh_add_identity(AuthenticationConnection *, Key *, const char *);
+int ssh_add_identity_constrained(AuthenticationConnection *, Key *, const char *, u_int);
int ssh_remove_identity(AuthenticationConnection *, Key *);
int ssh_remove_all_identities(AuthenticationConnection *, int);
+int ssh_lock_agent(AuthenticationConnection *, int, const char *);
int ssh_update_card(AuthenticationConnection *, int, const char *, const char *);
int
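Review bot: the new `ssh_add_identity_constrained(AuthenticationConnection *, Key *, const char *, u_int)` prototype does not say what the last argument is (a lifetime, with 0 meaning unconstrained, judging from the `life` handling in authfd.c, and with no unit stated anywhere in the hunk); a trailing comment on this prototype and on the `int` lock flag of ssh_lock_agent() would make the header self-describing. The struct and the first three prototypes change only in whitespace.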
*/
#include "includes.h"
-RCSID("$OpenBSD: authfile.c,v 1.48 2002/02/28 15:46:33 markus Exp $");
+RCSID("$OpenBSD: authfile.c,v 1.49 2002/05/23 19:24:30 markus Exp $");
#include <openssl/err.h>
#include <openssl/evp.h>
return NULL;
}
-static Key *
+Key *
key_load_private_pem(int fd, int type, const char *passphrase,
char **commentp)
{
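Review bot: key_load_private_pem() goes from static to exported without a comment on the fd contract: it takes an already-open `fd`, and the hunk does not show whether it closes it or leaves that to the caller, nor whether `type` may be a wildcard; the new prototype in authfile.h should carry that. The path-based key_load_private() and key_load_private_type() remain the documented entry points, so a note on when a caller should use the fd-based variant instead (for example when the file was opened by someone else and must not be re-opened by path) would keep external callers from bypassing whatever checks the path-based loaders perform before opening.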
-/* $OpenBSD: authfile.h,v 1.9 2002/03/04 17:27:39 stevesk Exp $ */
+/* $OpenBSD: authfile.h,v 1.10 2002/05/23 19:24:30 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
Key *key_load_public_type(int, const char *, char **);
Key *key_load_private(const char *, const char *, char **);
Key *key_load_private_type(int, const char *, const char *, char **);
+Key *key_load_private_pem(int, int, const char *, char **);
#endif
--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
--disable-largefile omit support for large files
- --enable-suid-ssh Install ssh as suid root (default)
- --disable-suid-ssh Install ssh without suid bit
--disable-lastlog disable use of lastlog even if detected no
--disable-utmp disable use of utmp even if detected no
--disable-utmpx disable use of utmpx even if detected no
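Review bot: removing `--enable-suid-ssh` / `--disable-suid-ssh` from the help text drops the option entirely, and since this generation of configure does not reject unknown `--enable-*` flags, a build script that still passes `--disable-suid-ssh` will be accepted without complaint; that is harmless here because the non-setuid install is now the only behaviour, but the change should be called out in the release notes or INSTALL file so packagers do not assume their old flag is still doing something.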
cat >>confdefs.h <<\_ACEOF
@%:@define NO_X11_UNIX_SOCKETS 1
+_ACEOF
+
+ cat >>confdefs.h <<\_ACEOF
+@%:@define SETGROUPS_NOOP 1
_ACEOF
;;
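Review bot: SETGROUPS_NOOP is added to confdefs.h for this platform case with no comment on why a no-op setgroups() is acceptable there; dropping supplementary groups is part of the privilege-dropping sequence, so the configure.ac line that generates this (the trace output further down places it at configure.ac:88, right after NO_X11_UNIX_SOCKETS) should say which platform this is and why its setgroups() cannot or need not be honoured.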
*-*-sysv4.2*)
CPPFLAGS="$CPPFLAGS -I/usr/local/include"
LDFLAGS="$LDFLAGS -L/usr/local/lib"
-# enable_suid_ssh=no
cat >>confdefs.h <<\_ACEOF
@%:@define USE_PIPES 1
_ACEOF
*-*-sysv5*)
CPPFLAGS="$CPPFLAGS -I/usr/local/include"
LDFLAGS="$LDFLAGS -L/usr/local/lib"
-# enable_suid_ssh=no
cat >>confdefs.h <<\_ACEOF
@%:@define USE_PIPES 1
_ACEOF
+
+
inet_ntop innetgr login_getcapbool md5_crypt memmove \
mkdtemp mmap ngetaddrinfo openpty ogetaddrinfo readpassphrase \
realpath recvmsg rresvport_af sendmsg setdtablesize setegid \
- setenv seteuid setlogin setproctitle setresgid setreuid setrlimit \
- setsid setvbuf sigaction sigvec snprintf socketpair strerror \
- strlcat strlcpy strmode strsep sysconf tcgetpgrp truncate utimes \
- vhangup vsnprintf waitpid __b64_ntop _getpty
+ setenv seteuid setgroups setlogin setproctitle setresgid setreuid \
+ setrlimit setsid setpcred setvbuf sigaction sigvec snprintf \
+ socketpair strerror strlcat strlcpy strmode strsep sysconf tcgetpgrp \
+ truncate utimes vhangup vsnprintf waitpid __b64_ntop _getpty
do
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
echo "$as_me:$LINENO: checking for $ac_func" >&5
done
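Review bot: `setpcred` is inserted between `setsid` and `setvbuf` in an otherwise alphabetical AC_CHECK_FUNCS list; it belongs after `setlogin` and before `setproctitle`. Cosmetic, but the list is long enough that ordering is what keeps duplicates out. `setgroups` lands in the right place.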
-echo "$as_me:$LINENO: checking for getuserattr" >&5
-echo $ECHO_N "checking for getuserattr... $ECHO_C" >&6
-if test "${ac_cv_func_getuserattr+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-#include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char getuserattr (); below. */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char getuserattr ();
-char (*f) ();
-
-#ifdef F77_DUMMY_MAIN
-# ifdef __cplusplus
- extern "C"
-# endif
- int F77_DUMMY_MAIN() { return 1; }
-#endif
-int
-main ()
-{
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_getuserattr) || defined (__stub___getuserattr)
-choke me
-#else
-f = getuserattr;
-#endif
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_getuserattr=yes
-else
- echo "$as_me: failed program was:" >&5
-cat conftest.$ac_ext >&5
-ac_cv_func_getuserattr=no
-fi
-rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getuserattr" >&5
-echo "${ECHO_T}$ac_cv_func_getuserattr" >&6
-if test $ac_cv_func_getuserattr = yes; then
- cat >>confdefs.h <<\_ACEOF
-@%:@define HAVE_GETUSERATTR 1
-_ACEOF
-
-else
- echo "$as_me:$LINENO: checking for getuserattr in -ls" >&5
-echo $ECHO_N "checking for getuserattr in -ls... $ECHO_C" >&6
-if test "${ac_cv_lib_s_getuserattr+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-ls $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-#include "confdefs.h"
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char getuserattr ();
-#ifdef F77_DUMMY_MAIN
-# ifdef __cplusplus
- extern "C"
-# endif
- int F77_DUMMY_MAIN() { return 1; }
-#endif
-int
-main ()
-{
-getuserattr ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_s_getuserattr=yes
-else
- echo "$as_me: failed program was:" >&5
-cat conftest.$ac_ext >&5
-ac_cv_lib_s_getuserattr=no
-fi
-rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_s_getuserattr" >&5
-echo "${ECHO_T}$ac_cv_lib_s_getuserattr" >&6
-if test $ac_cv_lib_s_getuserattr = yes; then
- LIBS="$LIBS -ls"; cat >>confdefs.h <<\_ACEOF
-@%:@define HAVE_GETUSERATTR 1
-_ACEOF
-
-fi
-
-
-fi
-
-
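Review bot: the whole getuserattr detection (the function probe and the `-ls` library probe, both setting HAVE_GETUSERATTR) is removed, so any remaining `#ifdef HAVE_GETUSERATTR` block in the sources silently becomes dead code and `-ls` is no longer added to LIBS; confirm that the code which used getuserattr() was replaced in the same change (the setpcred probe added to the function list above suggests that is the intent) rather than left behind under the now-never-defined macro.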
echo "$as_me:$LINENO: checking for daemon" >&5
echo $ECHO_N "checking for daemon... $ECHO_C" >&6
if test "${ac_cv_func_daemon+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
- cat >conftest.$ac_ext <<_ACEOF
+ if test "$cross_compiling" = yes; then
+ { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling" >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
+ { (exit 1); exit 1; }; }
+else
+ cat >conftest.$ac_ext <<_ACEOF
#line $LINENO "configure"
#include "confdefs.h"
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
-
-#ifdef F77_DUMMY_MAIN
-# ifdef __cplusplus
- extern "C"
-# endif
- int F77_DUMMY_MAIN() { return 1; }
+int main() {
+#ifdef msg_accrights
+exit(1);
#endif
-int
-main ()
-{
- struct msghdr m; m.msg_accrights = 0;
- ;
- return 0;
+struct msghdr m;
+m.msg_accrights = 0;
+exit(0);
}
+
_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>&5
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -s conftest.$ac_objext'
+ (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
{ (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
(eval $ac_try) 2>&5
ac_status=$?
(exit $ac_status); }; }; then
ac_cv_have_accrights_in_msghdr="yes"
else
- echo "$as_me: failed program was:" >&5
+ echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
cat conftest.$ac_ext >&5
+( exit $ac_status )
ac_cv_have_accrights_in_msghdr="no"
fi
-rm -f conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
fi
echo "$as_me:$LINENO: result: $ac_cv_have_accrights_in_msghdr" >&5
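Review bot: turning the msg_accrights probe from a compile test into a run test makes the new `if test "$cross_compiling" = yes` branch abort configure outright ("cannot run test program while cross compiling"), which is a regression for cross builds, and it is unnecessary: whether `struct msghdr` has a `msg_accrights` member is decidable at compile time, and the one thing the run test adds, rejecting a member that is only a macro alias via `#ifdef msg_accrights` / `exit(1)`, can be done in a compile test with `#ifdef msg_accrights` / `#error` / `#endif`. If a run test is kept anyway, give the cross-compiling branch a conservative default (ac_cv_have_accrights_in_msghdr="no") instead of `exit 1`. Minor: the test program calls exit() without including <stdlib.h>.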
echo $ECHO_N "(cached) $ECHO_C" >&6
else
- cat >conftest.$ac_ext <<_ACEOF
+ if test "$cross_compiling" = yes; then
+ { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling" >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
+ { (exit 1); exit 1; }; }
+else
+ cat >conftest.$ac_ext <<_ACEOF
#line $LINENO "configure"
#include "confdefs.h"
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
-
-#ifdef F77_DUMMY_MAIN
-# ifdef __cplusplus
- extern "C"
-# endif
- int F77_DUMMY_MAIN() { return 1; }
+int main() {
+#ifdef msg_control
+exit(1);
#endif
-int
-main ()
-{
- struct msghdr m; m.msg_control = 0;
- ;
- return 0;
+struct msghdr m;
+m.msg_control = 0;
+exit(0);
}
+
_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>&5
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -s conftest.$ac_objext'
+ (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
{ (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
(eval $ac_try) 2>&5
ac_status=$?
(exit $ac_status); }; }; then
ac_cv_have_control_in_msghdr="yes"
else
- echo "$as_me: failed program was:" >&5
+ echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
cat conftest.$ac_ext >&5
+( exit $ac_status )
ac_cv_have_control_in_msghdr="no"
fi
-rm -f conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
fi
echo "$as_me:$LINENO: result: $ac_cv_have_control_in_msghdr" >&5
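Review bot: same issue as the msg_accrights probe above: the msg_control check becomes a run test with a hard `exit 1` under cross compilation, although the `#ifdef msg_control` / `#error` form of a compile test would detect a macro-aliased member just as well, and the cross-compiling branch should at worst fall back to ac_cv_have_control_in_msghdr="no". This probe matters more than the other one, since msg_control is the path used to pass descriptors on modern systems, so breaking it for cross builds will be noticed.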
fi;
-echo "$as_me:$LINENO: checking whether to install ssh as suid root" >&5
-echo $ECHO_N "checking whether to install ssh as suid root... $ECHO_C" >&6
-# Check whether --enable-suid-ssh or --disable-suid-ssh was given.
-if test "${enable_suid_ssh+set}" = set; then
- enableval="$enable_suid_ssh"
- case "$enableval" in
- no)
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- SSHMODE=0711
- ;;
- *) echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- SSHMODE=4711
- ;;
- esac
-else
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- SSHMODE=4711
-
-fi;
-
-
-
# Where to place sshd.pid
piddir=/var/run
# make sure the directory exists
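Review bot: deleting the "whether to install ssh as suid root" block removes the only way configure could produce SSHMODE=4711, so ssh is now always installed without the setuid bit; that is the right direction, but nothing in this hunk records the rationale or what, if anything, now performs the privileged part of hostbased authentication (reading the host private key) on behalf of the unprivileged client. A comment at the spot in configure.ac where the option used to live, saying that setuid ssh is no longer supported and naming its replacement, would stop the option from being re-added by the next packager who finds hostbased authentication failing.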
s,@MANTYPE@,$MANTYPE,;t t
s,@mansubdir@,$mansubdir,;t t
s,@user_path@,$user_path,;t t
-s,@SSHMODE@,$SSHMODE,;t t
s,@piddir@,$piddir,;t t
CEOF
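Review bot: with `s,@SSHMODE@,$SSHMODE,;t t` gone from the substitution list, any Makefile.in that still installs ssh with `-m $(SSHMODE)` or otherwise references `@SSHMODE@` will be generated with the literal token; confirm the install rule now carries a fixed non-setuid mode in the same change.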
m4trace:configure.ac:85: -1- AC_DEFINE_TRACE_LITERAL([IPV4_DEFAULT])
m4trace:configure.ac:86: -1- AC_DEFINE_TRACE_LITERAL([IP_TOS_IS_BROKEN])
m4trace:configure.ac:87: -1- AC_DEFINE_TRACE_LITERAL([NO_X11_UNIX_SOCKETS])
-m4trace:configure.ac:90: -1- AC_DEFINE_TRACE_LITERAL([IP_TOS_IS_BROKEN])
-m4trace:configure.ac:93: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_GETADDRINFO])
-m4trace:configure.ac:101: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SECUREWARE])
-m4trace:configure.ac:102: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:103: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NO_ENDOPT])
-m4trace:configure.ac:104: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX])
-m4trace:configure.ac:105: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
-m4trace:configure.ac:106: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
-m4trace:configure.ac:107: -1- AC_DEFINE_TRACE_LITERAL([SPT_TYPE])
-m4trace:configure.ac:117: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:118: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NO_ENDOPT])
-m4trace:configure.ac:119: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX])
-m4trace:configure.ac:120: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
-m4trace:configure.ac:121: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
-m4trace:configure.ac:122: -1- AC_DEFINE_TRACE_LITERAL([SPT_TYPE])
-m4trace:configure.ac:128: -1- AC_DEFINE_TRACE_LITERAL([PAM_SUN_CODEBASE])
-m4trace:configure.ac:129: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:130: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NO_ENDOPT])
-m4trace:configure.ac:131: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX])
-m4trace:configure.ac:132: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
-m4trace:configure.ac:133: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
-m4trace:configure.ac:134: -1- AC_DEFINE_TRACE_LITERAL([SPT_TYPE])
-m4trace:configure.ac:141: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_INET_NTOA])
-m4trace:configure.ac:142: -1- AC_DEFINE_TRACE_LITERAL([WITH_ABBREV_NO_TTY])
-m4trace:configure.ac:148: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_ARRAY])
-m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_PROJECT])
-m4trace:configure.ac:150: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_AUDIT])
-m4trace:configure.ac:151: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_JOBS])
-m4trace:configure.ac:152: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_INET_NTOA])
-m4trace:configure.ac:153: -1- AC_DEFINE_TRACE_LITERAL([WITH_ABBREV_NO_TTY])
-m4trace:configure.ac:158: -1- AC_DEFINE_TRACE_LITERAL([DONT_TRY_OTHER_AF])
-m4trace:configure.ac:159: -1- AC_DEFINE_TRACE_LITERAL([PAM_TTY_KLUDGE])
-m4trace:configure.ac:163: -1- AC_DEFINE_TRACE_LITERAL([HAVE_NEWS4])
-m4trace:configure.ac:177: -1- AC_DEFINE_TRACE_LITERAL([HAVE_NEXT])
-m4trace:configure.ac:178: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_REALPATH])
-m4trace:configure.ac:179: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:180: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SAVED_UIDS])
-m4trace:configure.ac:188: -1- AC_DEFINE_TRACE_LITERAL([PAM_SUN_CODEBASE])
-m4trace:configure.ac:189: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX])
-m4trace:configure.ac:190: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_TERM])
-m4trace:configure.ac:191: -1- AC_DEFINE_TRACE_LITERAL([PAM_TTY_KLUDGE])
-m4trace:configure.ac:198: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
-m4trace:configure.ac:199: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP])
-m4trace:configure.ac:206: -1- AC_CHECK_FUNCS([getpwanam])
-m4trace:configure.ac:206: -1- AH_OUTPUT([HAVE_GETPWANAM], [/* Define to 1 if you have the \`getpwanam' function. */
+m4trace:configure.ac:88: -1- AC_DEFINE_TRACE_LITERAL([SETGROUPS_NOOP])
+m4trace:configure.ac:91: -1- AC_DEFINE_TRACE_LITERAL([IP_TOS_IS_BROKEN])
+m4trace:configure.ac:94: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_GETADDRINFO])
+m4trace:configure.ac:102: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SECUREWARE])
+m4trace:configure.ac:103: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:104: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NO_ENDOPT])
+m4trace:configure.ac:105: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX])
+m4trace:configure.ac:106: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
+m4trace:configure.ac:107: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
+m4trace:configure.ac:108: -1- AC_DEFINE_TRACE_LITERAL([SPT_TYPE])
+m4trace:configure.ac:118: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:119: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NO_ENDOPT])
+m4trace:configure.ac:120: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX])
+m4trace:configure.ac:121: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
+m4trace:configure.ac:122: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
+m4trace:configure.ac:123: -1- AC_DEFINE_TRACE_LITERAL([SPT_TYPE])
+m4trace:configure.ac:129: -1- AC_DEFINE_TRACE_LITERAL([PAM_SUN_CODEBASE])
+m4trace:configure.ac:130: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:131: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NO_ENDOPT])
+m4trace:configure.ac:132: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX])
+m4trace:configure.ac:133: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
+m4trace:configure.ac:134: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
+m4trace:configure.ac:135: -1- AC_DEFINE_TRACE_LITERAL([SPT_TYPE])
+m4trace:configure.ac:142: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_INET_NTOA])
+m4trace:configure.ac:143: -1- AC_DEFINE_TRACE_LITERAL([WITH_ABBREV_NO_TTY])
+m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_ARRAY])
+m4trace:configure.ac:150: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_PROJECT])
+m4trace:configure.ac:151: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_AUDIT])
+m4trace:configure.ac:152: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_JOBS])
+m4trace:configure.ac:153: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_INET_NTOA])
+m4trace:configure.ac:154: -1- AC_DEFINE_TRACE_LITERAL([WITH_ABBREV_NO_TTY])
+m4trace:configure.ac:159: -1- AC_DEFINE_TRACE_LITERAL([DONT_TRY_OTHER_AF])
+m4trace:configure.ac:160: -1- AC_DEFINE_TRACE_LITERAL([PAM_TTY_KLUDGE])
+m4trace:configure.ac:164: -1- AC_DEFINE_TRACE_LITERAL([HAVE_NEWS4])
+m4trace:configure.ac:178: -1- AC_DEFINE_TRACE_LITERAL([HAVE_NEXT])
+m4trace:configure.ac:179: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_REALPATH])
+m4trace:configure.ac:180: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:181: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SAVED_UIDS])
+m4trace:configure.ac:189: -1- AC_DEFINE_TRACE_LITERAL([PAM_SUN_CODEBASE])
+m4trace:configure.ac:190: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX])
+m4trace:configure.ac:191: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_TERM])
+m4trace:configure.ac:192: -1- AC_DEFINE_TRACE_LITERAL([PAM_TTY_KLUDGE])
+m4trace:configure.ac:199: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
+m4trace:configure.ac:200: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP])
+m4trace:configure.ac:207: -1- AC_CHECK_FUNCS([getpwanam])
+m4trace:configure.ac:207: -1- AH_OUTPUT([HAVE_GETPWANAM], [/* Define to 1 if you have the \`getpwanam' function. */
#undef HAVE_GETPWANAM])
-m4trace:configure.ac:207: -1- AC_DEFINE_TRACE_LITERAL([PAM_SUN_CODEBASE])
-m4trace:configure.ac:211: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:217: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:224: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:225: -1- AC_DEFINE_TRACE_LITERAL([IP_TOS_IS_BROKEN])
+m4trace:configure.ac:208: -1- AC_DEFINE_TRACE_LITERAL([PAM_SUN_CODEBASE])
+m4trace:configure.ac:212: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:218: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:225: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:226: -1- AC_DEFINE_TRACE_LITERAL([IP_TOS_IS_BROKEN])
m4trace:configure.ac:234: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:240: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:253: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SYS_TERMIO_H])
-m4trace:configure.ac:254: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:255: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SECUREWARE])
-m4trace:configure.ac:256: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
-m4trace:configure.ac:257: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SAVED_UIDS])
-m4trace:configure.ac:258: -1- AC_CHECK_FUNCS([getluid setluid])
-m4trace:configure.ac:258: -1- AH_OUTPUT([HAVE_GETLUID], [/* Define to 1 if you have the \`getluid' function. */
+m4trace:configure.ac:239: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:252: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SYS_TERMIO_H])
+m4trace:configure.ac:253: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:254: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SECUREWARE])
+m4trace:configure.ac:255: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
+m4trace:configure.ac:256: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SAVED_UIDS])
+m4trace:configure.ac:257: -1- AC_CHECK_FUNCS([getluid setluid])
+m4trace:configure.ac:257: -1- AH_OUTPUT([HAVE_GETLUID], [/* Define to 1 if you have the \`getluid' function. */
#undef HAVE_GETLUID])
-m4trace:configure.ac:258: -1- AH_OUTPUT([HAVE_SETLUID], [/* Define to 1 if you have the \`setluid' function. */
+m4trace:configure.ac:257: -1- AH_OUTPUT([HAVE_SETLUID], [/* Define to 1 if you have the \`setluid' function. */
#undef HAVE_SETLUID])
-m4trace:configure.ac:268: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:269: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SECUREWARE])
-m4trace:configure.ac:270: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
-m4trace:configure.ac:271: -1- AC_CHECK_FUNCS([getluid setluid])
-m4trace:configure.ac:271: -1- AH_OUTPUT([HAVE_GETLUID], [/* Define to 1 if you have the \`getluid' function. */
+m4trace:configure.ac:267: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:268: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SECUREWARE])
+m4trace:configure.ac:269: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
+m4trace:configure.ac:270: -1- AC_CHECK_FUNCS([getluid setluid])
+m4trace:configure.ac:270: -1- AH_OUTPUT([HAVE_GETLUID], [/* Define to 1 if you have the \`getluid' function. */
#undef HAVE_GETLUID])
-m4trace:configure.ac:271: -1- AH_OUTPUT([HAVE_SETLUID], [/* Define to 1 if you have the \`setluid' function. */
+m4trace:configure.ac:270: -1- AH_OUTPUT([HAVE_SETLUID], [/* Define to 1 if you have the \`setluid' function. */
#undef HAVE_SETLUID])
-m4trace:configure.ac:277: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:296: -1- AC_DEFINE_TRACE_LITERAL([HAVE_OSF_SIA])
-m4trace:configure.ac:297: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LOGIN])
-m4trace:configure.ac:306: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:307: -1- AC_DEFINE_TRACE_LITERAL([NO_X11_UNIX_SOCKETS])
-m4trace:configure.ac:308: -1- AC_DEFINE_TRACE_LITERAL([MISSING_NFDBITS])
-m4trace:configure.ac:309: -1- AC_DEFINE_TRACE_LITERAL([MISSING_HOWMANY])
-m4trace:configure.ac:310: -1- AC_DEFINE_TRACE_LITERAL([MISSING_FD_MASK])
-m4trace:configure.ac:358: -1- AC_CHECK_HEADERS([bstring.h crypt.h endian.h floatingpoint.h \
+m4trace:configure.ac:276: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:295: -1- AC_DEFINE_TRACE_LITERAL([HAVE_OSF_SIA])
+m4trace:configure.ac:296: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LOGIN])
+m4trace:configure.ac:305: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:306: -1- AC_DEFINE_TRACE_LITERAL([NO_X11_UNIX_SOCKETS])
+m4trace:configure.ac:307: -1- AC_DEFINE_TRACE_LITERAL([MISSING_NFDBITS])
+m4trace:configure.ac:308: -1- AC_DEFINE_TRACE_LITERAL([MISSING_HOWMANY])
+m4trace:configure.ac:309: -1- AC_DEFINE_TRACE_LITERAL([MISSING_FD_MASK])
+m4trace:configure.ac:357: -1- AC_CHECK_HEADERS([bstring.h crypt.h endian.h floatingpoint.h \
getopt.h glob.h lastlog.h limits.h login.h \
login_cap.h maillock.h netdb.h netgroup.h \
netinet/in_systm.h paths.h pty.h readpassphrase.h \
sys/stropts.h sys/sysmacros.h sys/time.h \
sys/un.h time.h ttyent.h usersec.h \
util.h utime.h utmp.h utmpx.h])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_BSTRING_H], [/* Define to 1 if you have the <bstring.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_BSTRING_H], [/* Define to 1 if you have the <bstring.h> header file. */
#undef HAVE_BSTRING_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_CRYPT_H], [/* Define to 1 if you have the <crypt.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_CRYPT_H], [/* Define to 1 if you have the <crypt.h> header file. */
#undef HAVE_CRYPT_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_ENDIAN_H], [/* Define to 1 if you have the <endian.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_ENDIAN_H], [/* Define to 1 if you have the <endian.h> header file. */
#undef HAVE_ENDIAN_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_FLOATINGPOINT_H], [/* Define to 1 if you have the <floatingpoint.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_FLOATINGPOINT_H], [/* Define to 1 if you have the <floatingpoint.h> header file. */
#undef HAVE_FLOATINGPOINT_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_GETOPT_H], [/* Define to 1 if you have the <getopt.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_GETOPT_H], [/* Define to 1 if you have the <getopt.h> header file. */
#undef HAVE_GETOPT_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_GLOB_H], [/* Define to 1 if you have the <glob.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_GLOB_H], [/* Define to 1 if you have the <glob.h> header file. */
#undef HAVE_GLOB_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_LASTLOG_H], [/* Define to 1 if you have the <lastlog.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_LASTLOG_H], [/* Define to 1 if you have the <lastlog.h> header file. */
#undef HAVE_LASTLOG_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_LIMITS_H], [/* Define to 1 if you have the <limits.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_LIMITS_H], [/* Define to 1 if you have the <limits.h> header file. */
#undef HAVE_LIMITS_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_LOGIN_H], [/* Define to 1 if you have the <login.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_LOGIN_H], [/* Define to 1 if you have the <login.h> header file. */
#undef HAVE_LOGIN_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_LOGIN_CAP_H], [/* Define to 1 if you have the <login_cap.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_LOGIN_CAP_H], [/* Define to 1 if you have the <login_cap.h> header file. */
#undef HAVE_LOGIN_CAP_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_MAILLOCK_H], [/* Define to 1 if you have the <maillock.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_MAILLOCK_H], [/* Define to 1 if you have the <maillock.h> header file. */
#undef HAVE_MAILLOCK_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_NETDB_H], [/* Define to 1 if you have the <netdb.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_NETDB_H], [/* Define to 1 if you have the <netdb.h> header file. */
#undef HAVE_NETDB_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_NETGROUP_H], [/* Define to 1 if you have the <netgroup.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_NETGROUP_H], [/* Define to 1 if you have the <netgroup.h> header file. */
#undef HAVE_NETGROUP_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_NETINET_IN_SYSTM_H], [/* Define to 1 if you have the <netinet/in_systm.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_NETINET_IN_SYSTM_H], [/* Define to 1 if you have the <netinet/in_systm.h> header file. */
#undef HAVE_NETINET_IN_SYSTM_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_PATHS_H], [/* Define to 1 if you have the <paths.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_PATHS_H], [/* Define to 1 if you have the <paths.h> header file. */
#undef HAVE_PATHS_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_PTY_H], [/* Define to 1 if you have the <pty.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_PTY_H], [/* Define to 1 if you have the <pty.h> header file. */
#undef HAVE_PTY_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_READPASSPHRASE_H], [/* Define to 1 if you have the <readpassphrase.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_READPASSPHRASE_H], [/* Define to 1 if you have the <readpassphrase.h> header file. */
#undef HAVE_READPASSPHRASE_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_RPC_TYPES_H], [/* Define to 1 if you have the <rpc/types.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_RPC_TYPES_H], [/* Define to 1 if you have the <rpc/types.h> header file. */
#undef HAVE_RPC_TYPES_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_SECURITY_PAM_APPL_H], [/* Define to 1 if you have the <security/pam_appl.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_SECURITY_PAM_APPL_H], [/* Define to 1 if you have the <security/pam_appl.h> header file. */
#undef HAVE_SECURITY_PAM_APPL_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_SHADOW_H], [/* Define to 1 if you have the <shadow.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_SHADOW_H], [/* Define to 1 if you have the <shadow.h> header file. */
#undef HAVE_SHADOW_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_STDDEF_H], [/* Define to 1 if you have the <stddef.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_STDDEF_H], [/* Define to 1 if you have the <stddef.h> header file. */
#undef HAVE_STDDEF_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_STDINT_H], [/* Define to 1 if you have the <stdint.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_STDINT_H], [/* Define to 1 if you have the <stdint.h> header file. */
#undef HAVE_STDINT_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_STRINGS_H], [/* Define to 1 if you have the <strings.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_STRINGS_H], [/* Define to 1 if you have the <strings.h> header file. */
#undef HAVE_STRINGS_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_SYS_BITYPES_H], [/* Define to 1 if you have the <sys/bitypes.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_SYS_BITYPES_H], [/* Define to 1 if you have the <sys/bitypes.h> header file. */
#undef HAVE_SYS_BITYPES_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_SYS_BSDTTY_H], [/* Define to 1 if you have the <sys/bsdtty.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_SYS_BSDTTY_H], [/* Define to 1 if you have the <sys/bsdtty.h> header file. */
#undef HAVE_SYS_BSDTTY_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_SYS_CDEFS_H], [/* Define to 1 if you have the <sys/cdefs.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_SYS_CDEFS_H], [/* Define to 1 if you have the <sys/cdefs.h> header file. */
#undef HAVE_SYS_CDEFS_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_SYS_MMAN_H], [/* Define to 1 if you have the <sys/mman.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_SYS_MMAN_H], [/* Define to 1 if you have the <sys/mman.h> header file. */
#undef HAVE_SYS_MMAN_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_SYS_SELECT_H], [/* Define to 1 if you have the <sys/select.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_SYS_SELECT_H], [/* Define to 1 if you have the <sys/select.h> header file. */
#undef HAVE_SYS_SELECT_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_SYS_STAT_H], [/* Define to 1 if you have the <sys/stat.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_SYS_STAT_H], [/* Define to 1 if you have the <sys/stat.h> header file. */
#undef HAVE_SYS_STAT_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_SYS_STROPTS_H], [/* Define to 1 if you have the <sys/stropts.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_SYS_STROPTS_H], [/* Define to 1 if you have the <sys/stropts.h> header file. */
#undef HAVE_SYS_STROPTS_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_SYS_SYSMACROS_H], [/* Define to 1 if you have the <sys/sysmacros.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_SYS_SYSMACROS_H], [/* Define to 1 if you have the <sys/sysmacros.h> header file. */
#undef HAVE_SYS_SYSMACROS_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_SYS_TIME_H], [/* Define to 1 if you have the <sys/time.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_SYS_TIME_H], [/* Define to 1 if you have the <sys/time.h> header file. */
#undef HAVE_SYS_TIME_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_SYS_UN_H], [/* Define to 1 if you have the <sys/un.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_SYS_UN_H], [/* Define to 1 if you have the <sys/un.h> header file. */
#undef HAVE_SYS_UN_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_TIME_H], [/* Define to 1 if you have the <time.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_TIME_H], [/* Define to 1 if you have the <time.h> header file. */
#undef HAVE_TIME_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_TTYENT_H], [/* Define to 1 if you have the <ttyent.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_TTYENT_H], [/* Define to 1 if you have the <ttyent.h> header file. */
#undef HAVE_TTYENT_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_USERSEC_H], [/* Define to 1 if you have the <usersec.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_USERSEC_H], [/* Define to 1 if you have the <usersec.h> header file. */
#undef HAVE_USERSEC_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_UTIL_H], [/* Define to 1 if you have the <util.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_UTIL_H], [/* Define to 1 if you have the <util.h> header file. */
#undef HAVE_UTIL_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_UTIME_H], [/* Define to 1 if you have the <utime.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_UTIME_H], [/* Define to 1 if you have the <utime.h> header file. */
#undef HAVE_UTIME_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_UTMP_H], [/* Define to 1 if you have the <utmp.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_UTMP_H], [/* Define to 1 if you have the <utmp.h> header file. */
#undef HAVE_UTMP_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_UTMPX_H], [/* Define to 1 if you have the <utmpx.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_UTMPX_H], [/* Define to 1 if you have the <utmpx.h> header file. */
#undef HAVE_UTMPX_H])
-m4trace:configure.ac:358: -1- AC_HEADER_STDC
-m4trace:configure.ac:358: -1- AC_DEFINE_TRACE_LITERAL([STDC_HEADERS])
-m4trace:configure.ac:358: -1- AH_OUTPUT([STDC_HEADERS], [/* Define to 1 if you have the ANSI C header files. */
+m4trace:configure.ac:357: -1- AC_HEADER_STDC
+m4trace:configure.ac:357: -1- AC_DEFINE_TRACE_LITERAL([STDC_HEADERS])
+m4trace:configure.ac:357: -1- AH_OUTPUT([STDC_HEADERS], [/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS])
-m4trace:configure.ac:358: -1- AC_CHECK_HEADERS([sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
+m4trace:configure.ac:357: -1- AC_CHECK_HEADERS([sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
inttypes.h stdint.h unistd.h], [], [], [$ac_includes_default])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_SYS_TYPES_H], [/* Define to 1 if you have the <sys/types.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_SYS_TYPES_H], [/* Define to 1 if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_SYS_STAT_H], [/* Define to 1 if you have the <sys/stat.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_SYS_STAT_H], [/* Define to 1 if you have the <sys/stat.h> header file. */
#undef HAVE_SYS_STAT_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_STDLIB_H], [/* Define to 1 if you have the <stdlib.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_STDLIB_H], [/* Define to 1 if you have the <stdlib.h> header file. */
#undef HAVE_STDLIB_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_STRING_H], [/* Define to 1 if you have the <string.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_STRING_H], [/* Define to 1 if you have the <string.h> header file. */
#undef HAVE_STRING_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_MEMORY_H], [/* Define to 1 if you have the <memory.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_MEMORY_H], [/* Define to 1 if you have the <memory.h> header file. */
#undef HAVE_MEMORY_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_STRINGS_H], [/* Define to 1 if you have the <strings.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_STRINGS_H], [/* Define to 1 if you have the <strings.h> header file. */
#undef HAVE_STRINGS_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_INTTYPES_H], [/* Define to 1 if you have the <inttypes.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_INTTYPES_H], [/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_STDINT_H], [/* Define to 1 if you have the <stdint.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_STDINT_H], [/* Define to 1 if you have the <stdint.h> header file. */
#undef HAVE_STDINT_H])
-m4trace:configure.ac:358: -1- AH_OUTPUT([HAVE_UNISTD_H], [/* Define to 1 if you have the <unistd.h> header file. */
+m4trace:configure.ac:357: -1- AH_OUTPUT([HAVE_UNISTD_H], [/* Define to 1 if you have the <unistd.h> header file. */
#undef HAVE_UNISTD_H])
-m4trace:configure.ac:361: -2- AC_CHECK_LIB([nsl], [yp_match])
-m4trace:configure.ac:361: -2- AH_OUTPUT([HAVE_LIBNSL], [/* Define to 1 if you have the \`nsl' library (-lnsl). */
+m4trace:configure.ac:360: -2- AC_CHECK_LIB([nsl], [yp_match])
+m4trace:configure.ac:360: -2- AH_OUTPUT([HAVE_LIBNSL], [/* Define to 1 if you have the \`nsl' library (-lnsl). */
#undef HAVE_LIBNSL])
-m4trace:configure.ac:361: -2- AC_DEFINE_TRACE_LITERAL([HAVE_LIBNSL])
-m4trace:configure.ac:362: -2- AC_CHECK_LIB([socket], [setsockopt])
-m4trace:configure.ac:362: -2- AH_OUTPUT([HAVE_LIBSOCKET], [/* Define to 1 if you have the \`socket' library (-lsocket). */
+m4trace:configure.ac:360: -2- AC_DEFINE_TRACE_LITERAL([HAVE_LIBNSL])
+m4trace:configure.ac:361: -2- AC_CHECK_LIB([socket], [setsockopt])
+m4trace:configure.ac:361: -2- AH_OUTPUT([HAVE_LIBSOCKET], [/* Define to 1 if you have the \`socket' library (-lsocket). */
#undef HAVE_LIBSOCKET])
-m4trace:configure.ac:362: -2- AC_DEFINE_TRACE_LITERAL([HAVE_LIBSOCKET])
-m4trace:configure.ac:367: -1- AC_CHECK_LIB([rpc], [innetgr], [LIBS="-lrpc -lyp -lrpc $LIBS" ], [], [-lyp -lrpc])
-m4trace:configure.ac:372: -2- AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])
-m4trace:configure.ac:414: -1- AC_CHECK_LIB([z], [deflate], [], [{ { echo "$as_me:$LINENO: error: *** zlib missing - please install first or check config.log ***" >&5
+m4trace:configure.ac:361: -2- AC_DEFINE_TRACE_LITERAL([HAVE_LIBSOCKET])
+m4trace:configure.ac:366: -1- AC_CHECK_LIB([rpc], [innetgr], [LIBS="-lrpc -lyp -lrpc $LIBS" ], [], [-lyp -lrpc])
+m4trace:configure.ac:371: -2- AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])
+m4trace:configure.ac:413: -1- AC_CHECK_LIB([z], [deflate], [], [{ { echo "$as_me:$LINENO: error: *** zlib missing - please install first or check config.log ***" >&5
echo "$as_me: error: *** zlib missing - please install first or check config.log ***" >&2;}
{ (exit 1); exit 1; }; }])
-m4trace:configure.ac:414: -1- AH_OUTPUT([HAVE_LIBZ], [/* Define to 1 if you have the \`z' library (-lz). */
+m4trace:configure.ac:413: -1- AH_OUTPUT([HAVE_LIBZ], [/* Define to 1 if you have the \`z' library (-lz). */
#undef HAVE_LIBZ])
-m4trace:configure.ac:414: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBZ])
-m4trace:configure.ac:419: -1- AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"])
-m4trace:configure.ac:422: -1- AC_CHECK_LIB([c89], [utimes], [LIBS="$LIBS -lc89"])
-m4trace:configure.ac:425: -1- AC_CHECK_HEADERS([libutil.h])
-m4trace:configure.ac:425: -1- AH_OUTPUT([HAVE_LIBUTIL_H], [/* Define to 1 if you have the <libutil.h> header file. */
+m4trace:configure.ac:413: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBZ])
+m4trace:configure.ac:418: -1- AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"])
+m4trace:configure.ac:421: -1- AC_CHECK_LIB([c89], [utimes], [LIBS="$LIBS -lc89"])
+m4trace:configure.ac:424: -1- AC_CHECK_HEADERS([libutil.h])
+m4trace:configure.ac:424: -1- AH_OUTPUT([HAVE_LIBUTIL_H], [/* Define to 1 if you have the <libutil.h> header file. */
#undef HAVE_LIBUTIL_H])
-m4trace:configure.ac:426: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LOGIN])
-m4trace:configure.ac:427: -1- AC_CHECK_FUNCS([logout updwtmp logwtmp])
-m4trace:configure.ac:427: -1- AH_OUTPUT([HAVE_LOGOUT], [/* Define to 1 if you have the \`logout' function. */
+m4trace:configure.ac:425: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LOGIN])
+m4trace:configure.ac:426: -1- AC_CHECK_FUNCS([logout updwtmp logwtmp])
+m4trace:configure.ac:426: -1- AH_OUTPUT([HAVE_LOGOUT], [/* Define to 1 if you have the \`logout' function. */
#undef HAVE_LOGOUT])
-m4trace:configure.ac:427: -1- AH_OUTPUT([HAVE_UPDWTMP], [/* Define to 1 if you have the \`updwtmp' function. */
+m4trace:configure.ac:426: -1- AH_OUTPUT([HAVE_UPDWTMP], [/* Define to 1 if you have the \`updwtmp' function. */
#undef HAVE_UPDWTMP])
-m4trace:configure.ac:427: -1- AH_OUTPUT([HAVE_LOGWTMP], [/* Define to 1 if you have the \`logwtmp' function. */
+m4trace:configure.ac:426: -1- AH_OUTPUT([HAVE_LOGWTMP], [/* Define to 1 if you have the \`logwtmp' function. */
#undef HAVE_LOGWTMP])
-m4trace:configure.ac:429: -1- AC_FUNC_STRFTIME
-m4trace:configure.ac:429: -1- AC_CHECK_FUNCS([strftime], [], [# strftime is in -lintl on SCO UNIX.
+m4trace:configure.ac:428: -1- AC_FUNC_STRFTIME
+m4trace:configure.ac:428: -1- AC_CHECK_FUNCS([strftime], [], [# strftime is in -lintl on SCO UNIX.
AC_CHECK_LIB(intl, strftime,
[AC_DEFINE(HAVE_STRFTIME)
LIBS="-lintl $LIBS"])])
-m4trace:configure.ac:429: -1- AH_OUTPUT([HAVE_STRFTIME], [/* Define to 1 if you have the \`strftime' function. */
+m4trace:configure.ac:428: -1- AH_OUTPUT([HAVE_STRFTIME], [/* Define to 1 if you have the \`strftime' function. */
#undef HAVE_STRFTIME])
-m4trace:configure.ac:429: -1- AC_CHECK_LIB([intl], [strftime], [AC_DEFINE(HAVE_STRFTIME)
+m4trace:configure.ac:428: -1- AC_CHECK_LIB([intl], [strftime], [AC_DEFINE(HAVE_STRFTIME)
LIBS="-lintl $LIBS"])
-m4trace:configure.ac:429: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRFTIME])
-m4trace:configure.ac:447: -1- AC_DEFINE_TRACE_LITERAL([GLOB_HAS_ALTDIRFUNC])
-m4trace:configure.ac:463: -1- AC_DEFINE_TRACE_LITERAL([GLOB_HAS_GL_MATCHC])
-m4trace:configure.ac:477: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_ONE_BYTE_DIRENT_D_NAME])
-m4trace:configure.ac:510: -1- AC_DEFINE_TRACE_LITERAL([SKEY])
-m4trace:configure.ac:564: -1- AC_DEFINE_TRACE_LITERAL([LIBWRAP])
-m4trace:configure.ac:564: -1- AC_SUBST([LIBWRAP])
-m4trace:configure.ac:577: -1- AC_CHECK_FUNCS([arc4random b64_ntop bcopy bindresvport_sa \
+m4trace:configure.ac:428: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRFTIME])
+m4trace:configure.ac:446: -1- AC_DEFINE_TRACE_LITERAL([GLOB_HAS_ALTDIRFUNC])
+m4trace:configure.ac:462: -1- AC_DEFINE_TRACE_LITERAL([GLOB_HAS_GL_MATCHC])
+m4trace:configure.ac:476: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_ONE_BYTE_DIRENT_D_NAME])
+m4trace:configure.ac:509: -1- AC_DEFINE_TRACE_LITERAL([SKEY])
+m4trace:configure.ac:563: -1- AC_DEFINE_TRACE_LITERAL([LIBWRAP])
+m4trace:configure.ac:563: -1- AC_SUBST([LIBWRAP])
+m4trace:configure.ac:576: -1- AC_CHECK_FUNCS([arc4random b64_ntop bcopy bindresvport_sa \
clock fchmod fchown freeaddrinfo futimes gai_strerror \
getaddrinfo getcwd getgrouplist getnameinfo getopt \
getrlimit getrusage getttyent glob inet_aton inet_ntoa \
inet_ntop innetgr login_getcapbool md5_crypt memmove \
mkdtemp mmap ngetaddrinfo openpty ogetaddrinfo readpassphrase \
realpath recvmsg rresvport_af sendmsg setdtablesize setegid \
- setenv seteuid setlogin setproctitle setresgid setreuid setrlimit \
- setsid setvbuf sigaction sigvec snprintf socketpair strerror \
- strlcat strlcpy strmode strsep sysconf tcgetpgrp truncate utimes \
- vhangup vsnprintf waitpid __b64_ntop _getpty])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_ARC4RANDOM], [/* Define to 1 if you have the \`arc4random' function. */
+ setenv seteuid setgroups setlogin setproctitle setresgid setreuid \
+ setrlimit setsid setpcred setvbuf sigaction sigvec snprintf \
+ socketpair strerror strlcat strlcpy strmode strsep sysconf tcgetpgrp \
+ truncate utimes vhangup vsnprintf waitpid __b64_ntop _getpty])
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_ARC4RANDOM], [/* Define to 1 if you have the \`arc4random' function. */
#undef HAVE_ARC4RANDOM])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_B64_NTOP], [/* Define to 1 if you have the \`b64_ntop' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_B64_NTOP], [/* Define to 1 if you have the \`b64_ntop' function. */
#undef HAVE_B64_NTOP])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_BCOPY], [/* Define to 1 if you have the \`bcopy' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_BCOPY], [/* Define to 1 if you have the \`bcopy' function. */
#undef HAVE_BCOPY])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_BINDRESVPORT_SA], [/* Define to 1 if you have the \`bindresvport_sa' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_BINDRESVPORT_SA], [/* Define to 1 if you have the \`bindresvport_sa' function. */
#undef HAVE_BINDRESVPORT_SA])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_CLOCK], [/* Define to 1 if you have the \`clock' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_CLOCK], [/* Define to 1 if you have the \`clock' function. */
#undef HAVE_CLOCK])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_FCHMOD], [/* Define to 1 if you have the \`fchmod' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_FCHMOD], [/* Define to 1 if you have the \`fchmod' function. */
#undef HAVE_FCHMOD])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_FCHOWN], [/* Define to 1 if you have the \`fchown' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_FCHOWN], [/* Define to 1 if you have the \`fchown' function. */
#undef HAVE_FCHOWN])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_FREEADDRINFO], [/* Define to 1 if you have the \`freeaddrinfo' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_FREEADDRINFO], [/* Define to 1 if you have the \`freeaddrinfo' function. */
#undef HAVE_FREEADDRINFO])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_FUTIMES], [/* Define to 1 if you have the \`futimes' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_FUTIMES], [/* Define to 1 if you have the \`futimes' function. */
#undef HAVE_FUTIMES])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_GAI_STRERROR], [/* Define to 1 if you have the \`gai_strerror' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_GAI_STRERROR], [/* Define to 1 if you have the \`gai_strerror' function. */
#undef HAVE_GAI_STRERROR])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_GETADDRINFO], [/* Define to 1 if you have the \`getaddrinfo' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_GETADDRINFO], [/* Define to 1 if you have the \`getaddrinfo' function. */
#undef HAVE_GETADDRINFO])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_GETCWD], [/* Define to 1 if you have the \`getcwd' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_GETCWD], [/* Define to 1 if you have the \`getcwd' function. */
#undef HAVE_GETCWD])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_GETGROUPLIST], [/* Define to 1 if you have the \`getgrouplist' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_GETGROUPLIST], [/* Define to 1 if you have the \`getgrouplist' function. */
#undef HAVE_GETGROUPLIST])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_GETNAMEINFO], [/* Define to 1 if you have the \`getnameinfo' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_GETNAMEINFO], [/* Define to 1 if you have the \`getnameinfo' function. */
#undef HAVE_GETNAMEINFO])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_GETOPT], [/* Define to 1 if you have the \`getopt' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_GETOPT], [/* Define to 1 if you have the \`getopt' function. */
#undef HAVE_GETOPT])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_GETRLIMIT], [/* Define to 1 if you have the \`getrlimit' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_GETRLIMIT], [/* Define to 1 if you have the \`getrlimit' function. */
#undef HAVE_GETRLIMIT])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_GETRUSAGE], [/* Define to 1 if you have the \`getrusage' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_GETRUSAGE], [/* Define to 1 if you have the \`getrusage' function. */
#undef HAVE_GETRUSAGE])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_GETTTYENT], [/* Define to 1 if you have the \`getttyent' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_GETTTYENT], [/* Define to 1 if you have the \`getttyent' function. */
#undef HAVE_GETTTYENT])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_GLOB], [/* Define to 1 if you have the \`glob' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_GLOB], [/* Define to 1 if you have the \`glob' function. */
#undef HAVE_GLOB])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_INET_ATON], [/* Define to 1 if you have the \`inet_aton' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_INET_ATON], [/* Define to 1 if you have the \`inet_aton' function. */
#undef HAVE_INET_ATON])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_INET_NTOA], [/* Define to 1 if you have the \`inet_ntoa' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_INET_NTOA], [/* Define to 1 if you have the \`inet_ntoa' function. */
#undef HAVE_INET_NTOA])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_INET_NTOP], [/* Define to 1 if you have the \`inet_ntop' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_INET_NTOP], [/* Define to 1 if you have the \`inet_ntop' function. */
#undef HAVE_INET_NTOP])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_INNETGR], [/* Define to 1 if you have the \`innetgr' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_INNETGR], [/* Define to 1 if you have the \`innetgr' function. */
#undef HAVE_INNETGR])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_LOGIN_GETCAPBOOL], [/* Define to 1 if you have the \`login_getcapbool' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_LOGIN_GETCAPBOOL], [/* Define to 1 if you have the \`login_getcapbool' function. */
#undef HAVE_LOGIN_GETCAPBOOL])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_MD5_CRYPT], [/* Define to 1 if you have the \`md5_crypt' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_MD5_CRYPT], [/* Define to 1 if you have the \`md5_crypt' function. */
#undef HAVE_MD5_CRYPT])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_MEMMOVE], [/* Define to 1 if you have the \`memmove' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_MEMMOVE], [/* Define to 1 if you have the \`memmove' function. */
#undef HAVE_MEMMOVE])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_MKDTEMP], [/* Define to 1 if you have the \`mkdtemp' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_MKDTEMP], [/* Define to 1 if you have the \`mkdtemp' function. */
#undef HAVE_MKDTEMP])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_MMAP], [/* Define to 1 if you have the \`mmap' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_MMAP], [/* Define to 1 if you have the \`mmap' function. */
#undef HAVE_MMAP])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_NGETADDRINFO], [/* Define to 1 if you have the \`ngetaddrinfo' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_NGETADDRINFO], [/* Define to 1 if you have the \`ngetaddrinfo' function. */
#undef HAVE_NGETADDRINFO])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_OPENPTY], [/* Define to 1 if you have the \`openpty' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_OPENPTY], [/* Define to 1 if you have the \`openpty' function. */
#undef HAVE_OPENPTY])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_OGETADDRINFO], [/* Define to 1 if you have the \`ogetaddrinfo' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_OGETADDRINFO], [/* Define to 1 if you have the \`ogetaddrinfo' function. */
#undef HAVE_OGETADDRINFO])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_READPASSPHRASE], [/* Define to 1 if you have the \`readpassphrase' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_READPASSPHRASE], [/* Define to 1 if you have the \`readpassphrase' function. */
#undef HAVE_READPASSPHRASE])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_REALPATH], [/* Define to 1 if you have the \`realpath' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_REALPATH], [/* Define to 1 if you have the \`realpath' function. */
#undef HAVE_REALPATH])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_RECVMSG], [/* Define to 1 if you have the \`recvmsg' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_RECVMSG], [/* Define to 1 if you have the \`recvmsg' function. */
#undef HAVE_RECVMSG])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_RRESVPORT_AF], [/* Define to 1 if you have the \`rresvport_af' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_RRESVPORT_AF], [/* Define to 1 if you have the \`rresvport_af' function. */
#undef HAVE_RRESVPORT_AF])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_SENDMSG], [/* Define to 1 if you have the \`sendmsg' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_SENDMSG], [/* Define to 1 if you have the \`sendmsg' function. */
#undef HAVE_SENDMSG])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_SETDTABLESIZE], [/* Define to 1 if you have the \`setdtablesize' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_SETDTABLESIZE], [/* Define to 1 if you have the \`setdtablesize' function. */
#undef HAVE_SETDTABLESIZE])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_SETEGID], [/* Define to 1 if you have the \`setegid' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_SETEGID], [/* Define to 1 if you have the \`setegid' function. */
#undef HAVE_SETEGID])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_SETENV], [/* Define to 1 if you have the \`setenv' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_SETENV], [/* Define to 1 if you have the \`setenv' function. */
#undef HAVE_SETENV])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_SETEUID], [/* Define to 1 if you have the \`seteuid' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_SETEUID], [/* Define to 1 if you have the \`seteuid' function. */
#undef HAVE_SETEUID])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_SETLOGIN], [/* Define to 1 if you have the \`setlogin' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_SETGROUPS], [/* Define to 1 if you have the \`setgroups' function. */
+#undef HAVE_SETGROUPS])
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_SETLOGIN], [/* Define to 1 if you have the \`setlogin' function. */
#undef HAVE_SETLOGIN])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_SETPROCTITLE], [/* Define to 1 if you have the \`setproctitle' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_SETPROCTITLE], [/* Define to 1 if you have the \`setproctitle' function. */
#undef HAVE_SETPROCTITLE])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_SETRESGID], [/* Define to 1 if you have the \`setresgid' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_SETRESGID], [/* Define to 1 if you have the \`setresgid' function. */
#undef HAVE_SETRESGID])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_SETREUID], [/* Define to 1 if you have the \`setreuid' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_SETREUID], [/* Define to 1 if you have the \`setreuid' function. */
#undef HAVE_SETREUID])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_SETRLIMIT], [/* Define to 1 if you have the \`setrlimit' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_SETRLIMIT], [/* Define to 1 if you have the \`setrlimit' function. */
#undef HAVE_SETRLIMIT])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_SETSID], [/* Define to 1 if you have the \`setsid' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_SETSID], [/* Define to 1 if you have the \`setsid' function. */
#undef HAVE_SETSID])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_SETVBUF], [/* Define to 1 if you have the \`setvbuf' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_SETPCRED], [/* Define to 1 if you have the \`setpcred' function. */
+#undef HAVE_SETPCRED])
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_SETVBUF], [/* Define to 1 if you have the \`setvbuf' function. */
#undef HAVE_SETVBUF])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_SIGACTION], [/* Define to 1 if you have the \`sigaction' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_SIGACTION], [/* Define to 1 if you have the \`sigaction' function. */
#undef HAVE_SIGACTION])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_SIGVEC], [/* Define to 1 if you have the \`sigvec' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_SIGVEC], [/* Define to 1 if you have the \`sigvec' function. */
#undef HAVE_SIGVEC])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_SNPRINTF], [/* Define to 1 if you have the \`snprintf' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_SNPRINTF], [/* Define to 1 if you have the \`snprintf' function. */
#undef HAVE_SNPRINTF])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_SOCKETPAIR], [/* Define to 1 if you have the \`socketpair' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_SOCKETPAIR], [/* Define to 1 if you have the \`socketpair' function. */
#undef HAVE_SOCKETPAIR])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_STRERROR], [/* Define to 1 if you have the \`strerror' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_STRERROR], [/* Define to 1 if you have the \`strerror' function. */
#undef HAVE_STRERROR])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_STRLCAT], [/* Define to 1 if you have the \`strlcat' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_STRLCAT], [/* Define to 1 if you have the \`strlcat' function. */
#undef HAVE_STRLCAT])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_STRLCPY], [/* Define to 1 if you have the \`strlcpy' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_STRLCPY], [/* Define to 1 if you have the \`strlcpy' function. */
#undef HAVE_STRLCPY])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_STRMODE], [/* Define to 1 if you have the \`strmode' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_STRMODE], [/* Define to 1 if you have the \`strmode' function. */
#undef HAVE_STRMODE])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_STRSEP], [/* Define to 1 if you have the \`strsep' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_STRSEP], [/* Define to 1 if you have the \`strsep' function. */
#undef HAVE_STRSEP])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_SYSCONF], [/* Define to 1 if you have the \`sysconf' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_SYSCONF], [/* Define to 1 if you have the \`sysconf' function. */
#undef HAVE_SYSCONF])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_TCGETPGRP], [/* Define to 1 if you have the \`tcgetpgrp' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_TCGETPGRP], [/* Define to 1 if you have the \`tcgetpgrp' function. */
#undef HAVE_TCGETPGRP])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_TRUNCATE], [/* Define to 1 if you have the \`truncate' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_TRUNCATE], [/* Define to 1 if you have the \`truncate' function. */
#undef HAVE_TRUNCATE])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_UTIMES], [/* Define to 1 if you have the \`utimes' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_UTIMES], [/* Define to 1 if you have the \`utimes' function. */
#undef HAVE_UTIMES])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_VHANGUP], [/* Define to 1 if you have the \`vhangup' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_VHANGUP], [/* Define to 1 if you have the \`vhangup' function. */
#undef HAVE_VHANGUP])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_VSNPRINTF], [/* Define to 1 if you have the \`vsnprintf' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_VSNPRINTF], [/* Define to 1 if you have the \`vsnprintf' function. */
#undef HAVE_VSNPRINTF])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE_WAITPID], [/* Define to 1 if you have the \`waitpid' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE_WAITPID], [/* Define to 1 if you have the \`waitpid' function. */
#undef HAVE_WAITPID])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE___B64_NTOP], [/* Define to 1 if you have the \`__b64_ntop' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE___B64_NTOP], [/* Define to 1 if you have the \`__b64_ntop' function. */
#undef HAVE___B64_NTOP])
-m4trace:configure.ac:577: -1- AH_OUTPUT([HAVE__GETPTY], [/* Define to 1 if you have the \`_getpty' function. */
+m4trace:configure.ac:576: -1- AH_OUTPUT([HAVE__GETPTY], [/* Define to 1 if you have the \`_getpty' function. */
#undef HAVE__GETPTY])
-m4trace:configure.ac:614: -1- AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS(libgen.h) ], [
+m4trace:configure.ac:613: -1- AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS(libgen.h) ], [
AC_CHECK_LIB(gen, dirname,[
AC_CACHE_CHECK([for broken dirname],
ac_cv_have_broken_dirname, [
fi
])
])
-m4trace:configure.ac:614: -1- AH_OUTPUT([HAVE_DIRNAME], [/* Define to 1 if you have the \`dirname' function. */
+m4trace:configure.ac:613: -1- AH_OUTPUT([HAVE_DIRNAME], [/* Define to 1 if you have the \`dirname' function. */
#undef HAVE_DIRNAME])
-m4trace:configure.ac:614: -1- AC_CHECK_HEADERS([libgen.h])
-m4trace:configure.ac:614: -1- AH_OUTPUT([HAVE_LIBGEN_H], [/* Define to 1 if you have the <libgen.h> header file. */
+m4trace:configure.ac:613: -1- AC_CHECK_HEADERS([libgen.h])
+m4trace:configure.ac:613: -1- AH_OUTPUT([HAVE_LIBGEN_H], [/* Define to 1 if you have the <libgen.h> header file. */
#undef HAVE_LIBGEN_H])
-m4trace:configure.ac:614: -1- AC_CHECK_LIB([gen], [dirname], [
+m4trace:configure.ac:613: -1- AC_CHECK_LIB([gen], [dirname], [
AC_CACHE_CHECK([for broken dirname],
ac_cv_have_broken_dirname, [
save_LIBS="$LIBS"
AC_CHECK_HEADERS(libgen.h)
fi
])
-m4trace:configure.ac:614: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DIRNAME])
-m4trace:configure.ac:614: -1- AC_CHECK_HEADERS([libgen.h])
-m4trace:configure.ac:614: -1- AH_OUTPUT([HAVE_LIBGEN_H], [/* Define to 1 if you have the <libgen.h> header file. */
+m4trace:configure.ac:613: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DIRNAME])
+m4trace:configure.ac:613: -1- AC_CHECK_HEADERS([libgen.h])
+m4trace:configure.ac:613: -1- AH_OUTPUT([HAVE_LIBGEN_H], [/* Define to 1 if you have the <libgen.h> header file. */
#undef HAVE_LIBGEN_H])
-m4trace:configure.ac:617: -1- AC_CHECK_FUNCS([gettimeofday time])
-m4trace:configure.ac:617: -1- AH_OUTPUT([HAVE_GETTIMEOFDAY], [/* Define to 1 if you have the \`gettimeofday' function. */
+m4trace:configure.ac:616: -1- AC_CHECK_FUNCS([gettimeofday time])
+m4trace:configure.ac:616: -1- AH_OUTPUT([HAVE_GETTIMEOFDAY], [/* Define to 1 if you have the \`gettimeofday' function. */
#undef HAVE_GETTIMEOFDAY])
-m4trace:configure.ac:617: -1- AH_OUTPUT([HAVE_TIME], [/* Define to 1 if you have the \`time' function. */
+m4trace:configure.ac:616: -1- AH_OUTPUT([HAVE_TIME], [/* Define to 1 if you have the \`time' function. */
#undef HAVE_TIME])
-m4trace:configure.ac:619: -1- AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
-m4trace:configure.ac:619: -1- AH_OUTPUT([HAVE_ENDUTENT], [/* Define to 1 if you have the \`endutent' function. */
+m4trace:configure.ac:618: -1- AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
+m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_ENDUTENT], [/* Define to 1 if you have the \`endutent' function. */
#undef HAVE_ENDUTENT])
-m4trace:configure.ac:619: -1- AH_OUTPUT([HAVE_GETUTENT], [/* Define to 1 if you have the \`getutent' function. */
+m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_GETUTENT], [/* Define to 1 if you have the \`getutent' function. */
#undef HAVE_GETUTENT])
-m4trace:configure.ac:619: -1- AH_OUTPUT([HAVE_GETUTID], [/* Define to 1 if you have the \`getutid' function. */
+m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_GETUTID], [/* Define to 1 if you have the \`getutid' function. */
#undef HAVE_GETUTID])
-m4trace:configure.ac:619: -1- AH_OUTPUT([HAVE_GETUTLINE], [/* Define to 1 if you have the \`getutline' function. */
+m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_GETUTLINE], [/* Define to 1 if you have the \`getutline' function. */
#undef HAVE_GETUTLINE])
-m4trace:configure.ac:619: -1- AH_OUTPUT([HAVE_PUTUTLINE], [/* Define to 1 if you have the \`pututline' function. */
+m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_PUTUTLINE], [/* Define to 1 if you have the \`pututline' function. */
#undef HAVE_PUTUTLINE])
-m4trace:configure.ac:619: -1- AH_OUTPUT([HAVE_SETUTENT], [/* Define to 1 if you have the \`setutent' function. */
+m4trace:configure.ac:618: -1- AH_OUTPUT([HAVE_SETUTENT], [/* Define to 1 if you have the \`setutent' function. */
#undef HAVE_SETUTENT])
-m4trace:configure.ac:620: -1- AC_CHECK_FUNCS([utmpname])
-m4trace:configure.ac:620: -1- AH_OUTPUT([HAVE_UTMPNAME], [/* Define to 1 if you have the \`utmpname' function. */
+m4trace:configure.ac:619: -1- AC_CHECK_FUNCS([utmpname])
+m4trace:configure.ac:619: -1- AH_OUTPUT([HAVE_UTMPNAME], [/* Define to 1 if you have the \`utmpname' function. */
#undef HAVE_UTMPNAME])
-m4trace:configure.ac:622: -1- AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline pututxline ])
-m4trace:configure.ac:622: -1- AH_OUTPUT([HAVE_ENDUTXENT], [/* Define to 1 if you have the \`endutxent' function. */
+m4trace:configure.ac:621: -1- AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline pututxline ])
+m4trace:configure.ac:621: -1- AH_OUTPUT([HAVE_ENDUTXENT], [/* Define to 1 if you have the \`endutxent' function. */
#undef HAVE_ENDUTXENT])
-m4trace:configure.ac:622: -1- AH_OUTPUT([HAVE_GETUTXENT], [/* Define to 1 if you have the \`getutxent' function. */
+m4trace:configure.ac:621: -1- AH_OUTPUT([HAVE_GETUTXENT], [/* Define to 1 if you have the \`getutxent' function. */
#undef HAVE_GETUTXENT])
-m4trace:configure.ac:622: -1- AH_OUTPUT([HAVE_GETUTXID], [/* Define to 1 if you have the \`getutxid' function. */
+m4trace:configure.ac:621: -1- AH_OUTPUT([HAVE_GETUTXID], [/* Define to 1 if you have the \`getutxid' function. */
#undef HAVE_GETUTXID])
-m4trace:configure.ac:622: -1- AH_OUTPUT([HAVE_GETUTXLINE], [/* Define to 1 if you have the \`getutxline' function. */
+m4trace:configure.ac:621: -1- AH_OUTPUT([HAVE_GETUTXLINE], [/* Define to 1 if you have the \`getutxline' function. */
#undef HAVE_GETUTXLINE])
-m4trace:configure.ac:622: -1- AH_OUTPUT([HAVE_PUTUTXLINE], [/* Define to 1 if you have the \`pututxline' function. */
+m4trace:configure.ac:621: -1- AH_OUTPUT([HAVE_PUTUTXLINE], [/* Define to 1 if you have the \`pututxline' function. */
#undef HAVE_PUTUTXLINE])
-m4trace:configure.ac:623: -1- AC_CHECK_FUNCS([setutxent utmpxname])
-m4trace:configure.ac:623: -1- AH_OUTPUT([HAVE_SETUTXENT], [/* Define to 1 if you have the \`setutxent' function. */
+m4trace:configure.ac:622: -1- AC_CHECK_FUNCS([setutxent utmpxname])
+m4trace:configure.ac:622: -1- AH_OUTPUT([HAVE_SETUTXENT], [/* Define to 1 if you have the \`setutxent' function. */
#undef HAVE_SETUTXENT])
-m4trace:configure.ac:623: -1- AH_OUTPUT([HAVE_UTMPXNAME], [/* Define to 1 if you have the \`utmpxname' function. */
+m4trace:configure.ac:622: -1- AH_OUTPUT([HAVE_UTMPXNAME], [/* Define to 1 if you have the \`utmpxname' function. */
#undef HAVE_UTMPXNAME])
-m4trace:configure.ac:628: -1- AC_DEFINE_TRACE_LITERAL([HAVE_GETUSERATTR])
-m4trace:configure.ac:628: -1- AC_CHECK_LIB([s], [getuserattr], [LIBS="$LIBS -ls"; AC_DEFINE(HAVE_GETUSERATTR)])
-m4trace:configure.ac:628: -1- AC_DEFINE_TRACE_LITERAL([HAVE_GETUSERATTR])
-m4trace:configure.ac:633: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DAEMON])
-m4trace:configure.ac:633: -1- AC_CHECK_LIB([bsd], [daemon], [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)])
-m4trace:configure.ac:633: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DAEMON])
-m4trace:configure.ac:638: -1- AC_DEFINE_TRACE_LITERAL([HAVE_GETPAGESIZE])
-m4trace:configure.ac:638: -1- AC_CHECK_LIB([ucb], [getpagesize], [LIBS="$LIBS -lucb"; AC_DEFINE(HAVE_GETPAGESIZE)])
-m4trace:configure.ac:638: -1- AC_DEFINE_TRACE_LITERAL([HAVE_GETPAGESIZE])
-m4trace:configure.ac:654: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SNPRINTF])
-m4trace:configure.ac:657: -1- AC_FUNC_GETPGRP
-m4trace:configure.ac:657: -1- AC_DEFINE_TRACE_LITERAL([GETPGRP_VOID])
-m4trace:configure.ac:657: -1- AH_OUTPUT([GETPGRP_VOID], [/* Define to 1 if the \`getpgrp' function requires zero arguments. */
+m4trace:configure.ac:627: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DAEMON])
+m4trace:configure.ac:627: -1- AC_CHECK_LIB([bsd], [daemon], [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)])
+m4trace:configure.ac:627: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DAEMON])
+m4trace:configure.ac:632: -1- AC_DEFINE_TRACE_LITERAL([HAVE_GETPAGESIZE])
+m4trace:configure.ac:632: -1- AC_CHECK_LIB([ucb], [getpagesize], [LIBS="$LIBS -lucb"; AC_DEFINE(HAVE_GETPAGESIZE)])
+m4trace:configure.ac:632: -1- AC_DEFINE_TRACE_LITERAL([HAVE_GETPAGESIZE])
+m4trace:configure.ac:648: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SNPRINTF])
+m4trace:configure.ac:651: -1- AC_FUNC_GETPGRP
+m4trace:configure.ac:651: -1- AC_DEFINE_TRACE_LITERAL([GETPGRP_VOID])
+m4trace:configure.ac:651: -1- AH_OUTPUT([GETPGRP_VOID], [/* Define to 1 if the \`getpgrp' function requires zero arguments. */
#undef GETPGRP_VOID])
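Review bot: the only substantive change in this region is the silent drop of the getuserattr probe: the three `-m4trace:configure.ac:628` lines (`AC_DEFINE_TRACE_LITERAL([HAVE_GETUSERATTR])` and `AC_CHECK_LIB([s], [getuserattr], [LIBS="$LIBS -ls"; AC_DEFINE(HAVE_GETUSERATTR)])`) have no `+` counterpart, and the new numbering jumps from configure.ac:622 straight to 627. Everything else here is a pure renumbering of configure.ac (577 to 576, 633 to 627, and so on), which is the expected noise from diffing a regenerated autom4te trace cache rather than the configure.ac edit itself. Suggest confirming that no source still tests `HAVE_GETUSERATTR` or relies on `-ls` being appended to `LIBS` now that the check is gone, and consider leaving the generated trace file out of the patch so the reviewable change is the one in configure.ac.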
-m4trace:configure.ac:685: -1- AC_CHECK_LIB([dl], [dlopen], [], [])
-m4trace:configure.ac:685: -1- AH_OUTPUT([HAVE_LIBDL], [/* Define to 1 if you have the \`dl' library (-ldl). */
+m4trace:configure.ac:679: -1- AC_CHECK_LIB([dl], [dlopen], [], [])
+m4trace:configure.ac:679: -1- AH_OUTPUT([HAVE_LIBDL], [/* Define to 1 if you have the \`dl' library (-ldl). */
#undef HAVE_LIBDL])
-m4trace:configure.ac:685: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBDL])
-m4trace:configure.ac:685: -1- AC_CHECK_LIB([pam], [pam_set_item], [], [{ { echo "$as_me:$LINENO: error: *** libpam missing" >&5
+m4trace:configure.ac:679: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBDL])
+m4trace:configure.ac:679: -1- AC_CHECK_LIB([pam], [pam_set_item], [], [{ { echo "$as_me:$LINENO: error: *** libpam missing" >&5
echo "$as_me: error: *** libpam missing" >&2;}
{ (exit 1); exit 1; }; }])
-m4trace:configure.ac:685: -1- AH_OUTPUT([HAVE_LIBPAM], [/* Define to 1 if you have the \`pam' library (-lpam). */
+m4trace:configure.ac:679: -1- AH_OUTPUT([HAVE_LIBPAM], [/* Define to 1 if you have the \`pam' library (-lpam). */
#undef HAVE_LIBPAM])
-m4trace:configure.ac:685: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBPAM])
-m4trace:configure.ac:685: -1- AC_CHECK_FUNCS([pam_getenvlist])
-m4trace:configure.ac:685: -1- AH_OUTPUT([HAVE_PAM_GETENVLIST], [/* Define to 1 if you have the \`pam_getenvlist' function. */
+m4trace:configure.ac:679: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBPAM])
+m4trace:configure.ac:679: -1- AC_CHECK_FUNCS([pam_getenvlist])
+m4trace:configure.ac:679: -1- AH_OUTPUT([HAVE_PAM_GETENVLIST], [/* Define to 1 if you have the \`pam_getenvlist' function. */
#undef HAVE_PAM_GETENVLIST])
-m4trace:configure.ac:685: -1- AC_DEFINE_TRACE_LITERAL([USE_PAM])
-m4trace:configure.ac:685: -1- AC_SUBST([LIBPAM])
-m4trace:configure.ac:703: -1- AC_DEFINE_TRACE_LITERAL([HAVE_OLD_PAM])
-m4trace:configure.ac:735: -2- AC_DEFINE_TRACE_LITERAL([HAVE_OPENSSL])
-m4trace:configure.ac:750: -2- AC_DEFINE_TRACE_LITERAL([HAVE_OPENSSL])
-m4trace:configure.ac:773: -1- AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
-m4trace:configure.ac:821: -1- AC_DEFINE_TRACE_LITERAL([OPENSSL_PRNG_ONLY])
-m4trace:configure.ac:829: -1- AC_SUBST([INSTALL_SSH_RAND_HELPER])
-m4trace:configure.ac:852: -1- AC_DEFINE_TRACE_LITERAL([PRNGD_PORT])
-m4trace:configure.ac:902: -1- AC_DEFINE_TRACE_LITERAL([PRNGD_SOCKET])
-m4trace:configure.ac:902: -1- AC_DEFINE_TRACE_LITERAL([PRNGD_SOCKET])
-m4trace:configure.ac:914: -1- AC_DEFINE_TRACE_LITERAL([ENTROPY_TIMEOUT_MSEC])
-m4trace:configure.ac:925: -1- AC_DEFINE_TRACE_LITERAL([SSH_PRIVSEP_USER])
-m4trace:configure.ac:942: -1- AC_SUBST([PROG_LS], [$ac_cv_path_PROG_LS])
-m4trace:configure.ac:942: -1- AC_SUBST([PROG_LS])
-m4trace:configure.ac:943: -1- AC_SUBST([PROG_NETSTAT], [$ac_cv_path_PROG_NETSTAT])
-m4trace:configure.ac:943: -1- AC_SUBST([PROG_NETSTAT])
-m4trace:configure.ac:944: -1- AC_SUBST([PROG_ARP], [$ac_cv_path_PROG_ARP])
-m4trace:configure.ac:944: -1- AC_SUBST([PROG_ARP])
-m4trace:configure.ac:945: -1- AC_SUBST([PROG_IFCONFIG], [$ac_cv_path_PROG_IFCONFIG])
-m4trace:configure.ac:945: -1- AC_SUBST([PROG_IFCONFIG])
-m4trace:configure.ac:946: -1- AC_SUBST([PROG_JSTAT], [$ac_cv_path_PROG_JSTAT])
-m4trace:configure.ac:946: -1- AC_SUBST([PROG_JSTAT])
-m4trace:configure.ac:947: -1- AC_SUBST([PROG_PS], [$ac_cv_path_PROG_PS])
-m4trace:configure.ac:947: -1- AC_SUBST([PROG_PS])
-m4trace:configure.ac:948: -1- AC_SUBST([PROG_SAR], [$ac_cv_path_PROG_SAR])
-m4trace:configure.ac:948: -1- AC_SUBST([PROG_SAR])
-m4trace:configure.ac:949: -1- AC_SUBST([PROG_W], [$ac_cv_path_PROG_W])
-m4trace:configure.ac:949: -1- AC_SUBST([PROG_W])
-m4trace:configure.ac:950: -1- AC_SUBST([PROG_WHO], [$ac_cv_path_PROG_WHO])
-m4trace:configure.ac:950: -1- AC_SUBST([PROG_WHO])
-m4trace:configure.ac:951: -1- AC_SUBST([PROG_LAST], [$ac_cv_path_PROG_LAST])
-m4trace:configure.ac:951: -1- AC_SUBST([PROG_LAST])
-m4trace:configure.ac:952: -1- AC_SUBST([PROG_LASTLOG], [$ac_cv_path_PROG_LASTLOG])
-m4trace:configure.ac:952: -1- AC_SUBST([PROG_LASTLOG])
-m4trace:configure.ac:953: -1- AC_SUBST([PROG_DF], [$ac_cv_path_PROG_DF])
-m4trace:configure.ac:953: -1- AC_SUBST([PROG_DF])
-m4trace:configure.ac:954: -1- AC_SUBST([PROG_VMSTAT], [$ac_cv_path_PROG_VMSTAT])
-m4trace:configure.ac:954: -1- AC_SUBST([PROG_VMSTAT])
-m4trace:configure.ac:955: -1- AC_SUBST([PROG_UPTIME], [$ac_cv_path_PROG_UPTIME])
-m4trace:configure.ac:955: -1- AC_SUBST([PROG_UPTIME])
-m4trace:configure.ac:956: -1- AC_SUBST([PROG_IPCS], [$ac_cv_path_PROG_IPCS])
-m4trace:configure.ac:956: -1- AC_SUBST([PROG_IPCS])
-m4trace:configure.ac:957: -1- AC_SUBST([PROG_TAIL], [$ac_cv_path_PROG_TAIL])
-m4trace:configure.ac:957: -1- AC_SUBST([PROG_TAIL])
-m4trace:configure.ac:974: -1- AC_SUBST([INSTALL_SSH_PRNG_CMDS])
-m4trace:configure.ac:983: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_CHAR])
-m4trace:configure.ac:983: -1- AH_OUTPUT([SIZEOF_CHAR], [/* The size of a \`char', as computed by sizeof. */
+m4trace:configure.ac:679: -1- AC_DEFINE_TRACE_LITERAL([USE_PAM])
+m4trace:configure.ac:679: -1- AC_SUBST([LIBPAM])
+m4trace:configure.ac:697: -1- AC_DEFINE_TRACE_LITERAL([HAVE_OLD_PAM])
+m4trace:configure.ac:729: -2- AC_DEFINE_TRACE_LITERAL([HAVE_OPENSSL])
+m4trace:configure.ac:744: -2- AC_DEFINE_TRACE_LITERAL([HAVE_OPENSSL])
+m4trace:configure.ac:767: -1- AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
+m4trace:configure.ac:815: -1- AC_DEFINE_TRACE_LITERAL([OPENSSL_PRNG_ONLY])
+m4trace:configure.ac:823: -1- AC_SUBST([INSTALL_SSH_RAND_HELPER])
+m4trace:configure.ac:846: -1- AC_DEFINE_TRACE_LITERAL([PRNGD_PORT])
+m4trace:configure.ac:896: -1- AC_DEFINE_TRACE_LITERAL([PRNGD_SOCKET])
+m4trace:configure.ac:896: -1- AC_DEFINE_TRACE_LITERAL([PRNGD_SOCKET])
+m4trace:configure.ac:908: -1- AC_DEFINE_TRACE_LITERAL([ENTROPY_TIMEOUT_MSEC])
+m4trace:configure.ac:919: -1- AC_DEFINE_TRACE_LITERAL([SSH_PRIVSEP_USER])
+m4trace:configure.ac:936: -1- AC_SUBST([PROG_LS], [$ac_cv_path_PROG_LS])
+m4trace:configure.ac:936: -1- AC_SUBST([PROG_LS])
+m4trace:configure.ac:937: -1- AC_SUBST([PROG_NETSTAT], [$ac_cv_path_PROG_NETSTAT])
+m4trace:configure.ac:937: -1- AC_SUBST([PROG_NETSTAT])
+m4trace:configure.ac:938: -1- AC_SUBST([PROG_ARP], [$ac_cv_path_PROG_ARP])
+m4trace:configure.ac:938: -1- AC_SUBST([PROG_ARP])
+m4trace:configure.ac:939: -1- AC_SUBST([PROG_IFCONFIG], [$ac_cv_path_PROG_IFCONFIG])
+m4trace:configure.ac:939: -1- AC_SUBST([PROG_IFCONFIG])
+m4trace:configure.ac:940: -1- AC_SUBST([PROG_JSTAT], [$ac_cv_path_PROG_JSTAT])
+m4trace:configure.ac:940: -1- AC_SUBST([PROG_JSTAT])
+m4trace:configure.ac:941: -1- AC_SUBST([PROG_PS], [$ac_cv_path_PROG_PS])
+m4trace:configure.ac:941: -1- AC_SUBST([PROG_PS])
+m4trace:configure.ac:942: -1- AC_SUBST([PROG_SAR], [$ac_cv_path_PROG_SAR])
+m4trace:configure.ac:942: -1- AC_SUBST([PROG_SAR])
+m4trace:configure.ac:943: -1- AC_SUBST([PROG_W], [$ac_cv_path_PROG_W])
+m4trace:configure.ac:943: -1- AC_SUBST([PROG_W])
+m4trace:configure.ac:944: -1- AC_SUBST([PROG_WHO], [$ac_cv_path_PROG_WHO])
+m4trace:configure.ac:944: -1- AC_SUBST([PROG_WHO])
+m4trace:configure.ac:945: -1- AC_SUBST([PROG_LAST], [$ac_cv_path_PROG_LAST])
+m4trace:configure.ac:945: -1- AC_SUBST([PROG_LAST])
+m4trace:configure.ac:946: -1- AC_SUBST([PROG_LASTLOG], [$ac_cv_path_PROG_LASTLOG])
+m4trace:configure.ac:946: -1- AC_SUBST([PROG_LASTLOG])
+m4trace:configure.ac:947: -1- AC_SUBST([PROG_DF], [$ac_cv_path_PROG_DF])
+m4trace:configure.ac:947: -1- AC_SUBST([PROG_DF])
+m4trace:configure.ac:948: -1- AC_SUBST([PROG_VMSTAT], [$ac_cv_path_PROG_VMSTAT])
+m4trace:configure.ac:948: -1- AC_SUBST([PROG_VMSTAT])
+m4trace:configure.ac:949: -1- AC_SUBST([PROG_UPTIME], [$ac_cv_path_PROG_UPTIME])
+m4trace:configure.ac:949: -1- AC_SUBST([PROG_UPTIME])
+m4trace:configure.ac:950: -1- AC_SUBST([PROG_IPCS], [$ac_cv_path_PROG_IPCS])
+m4trace:configure.ac:950: -1- AC_SUBST([PROG_IPCS])
+m4trace:configure.ac:951: -1- AC_SUBST([PROG_TAIL], [$ac_cv_path_PROG_TAIL])
+m4trace:configure.ac:951: -1- AC_SUBST([PROG_TAIL])
+m4trace:configure.ac:968: -1- AC_SUBST([INSTALL_SSH_PRNG_CMDS])
+m4trace:configure.ac:977: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_CHAR])
+m4trace:configure.ac:977: -1- AH_OUTPUT([SIZEOF_CHAR], [/* The size of a \`char', as computed by sizeof. */
#undef SIZEOF_CHAR])
-m4trace:configure.ac:984: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_SHORT_INT])
-m4trace:configure.ac:984: -1- AH_OUTPUT([SIZEOF_SHORT_INT], [/* The size of a \`short int', as computed by sizeof. */
+m4trace:configure.ac:978: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_SHORT_INT])
+m4trace:configure.ac:978: -1- AH_OUTPUT([SIZEOF_SHORT_INT], [/* The size of a \`short int', as computed by sizeof. */
#undef SIZEOF_SHORT_INT])
-m4trace:configure.ac:985: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_INT])
-m4trace:configure.ac:985: -1- AH_OUTPUT([SIZEOF_INT], [/* The size of a \`int', as computed by sizeof. */
+m4trace:configure.ac:979: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_INT])
+m4trace:configure.ac:979: -1- AH_OUTPUT([SIZEOF_INT], [/* The size of a \`int', as computed by sizeof. */
#undef SIZEOF_INT])
-m4trace:configure.ac:986: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_LONG_INT])
-m4trace:configure.ac:986: -1- AH_OUTPUT([SIZEOF_LONG_INT], [/* The size of a \`long int', as computed by sizeof. */
+m4trace:configure.ac:980: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_LONG_INT])
+m4trace:configure.ac:980: -1- AH_OUTPUT([SIZEOF_LONG_INT], [/* The size of a \`long int', as computed by sizeof. */
#undef SIZEOF_LONG_INT])
-m4trace:configure.ac:987: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_LONG_LONG_INT])
-m4trace:configure.ac:987: -1- AH_OUTPUT([SIZEOF_LONG_LONG_INT], [/* The size of a \`long long int', as computed by sizeof. */
+m4trace:configure.ac:981: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_LONG_LONG_INT])
+m4trace:configure.ac:981: -1- AH_OUTPUT([SIZEOF_LONG_LONG_INT], [/* The size of a \`long long int', as computed by sizeof. */
#undef SIZEOF_LONG_LONG_INT])
-m4trace:configure.ac:1004: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT])
-m4trace:configure.ac:1017: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INTXX_T])
-m4trace:configure.ac:1033: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INTXX_T])
-m4trace:configure.ac:1045: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT64_T])
-m4trace:configure.ac:1059: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT64_T])
-m4trace:configure.ac:1072: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT64_T])
-m4trace:configure.ac:1084: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INTXX_T])
-m4trace:configure.ac:1098: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INTXX_T])
-m4trace:configure.ac:1110: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT64_T])
-m4trace:configure.ac:1124: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT64_T])
-m4trace:configure.ac:1139: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINTXX_T])
-m4trace:configure.ac:1153: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINTXX_T])
-m4trace:configure.ac:1175: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INTXX_T])
-m4trace:configure.ac:1175: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INTXX_T])
-m4trace:configure.ac:1190: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_CHAR])
-m4trace:configure.ac:1193: -1- AC_DEFINE_TRACE_LITERAL([socklen_t])
-m4trace:configure.ac:1193: -1- AH_OUTPUT([socklen_t], [/* type to use in place of socklen_t if not defined */
+m4trace:configure.ac:998: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT])
+m4trace:configure.ac:1011: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INTXX_T])
+m4trace:configure.ac:1027: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INTXX_T])
+m4trace:configure.ac:1039: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT64_T])
+m4trace:configure.ac:1053: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT64_T])
+m4trace:configure.ac:1066: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT64_T])
+m4trace:configure.ac:1078: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INTXX_T])
+m4trace:configure.ac:1092: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INTXX_T])
+m4trace:configure.ac:1104: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT64_T])
+m4trace:configure.ac:1118: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT64_T])
+m4trace:configure.ac:1133: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINTXX_T])
+m4trace:configure.ac:1147: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINTXX_T])
+m4trace:configure.ac:1169: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INTXX_T])
+m4trace:configure.ac:1169: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INTXX_T])
+m4trace:configure.ac:1184: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_CHAR])
+m4trace:configure.ac:1187: -1- AC_DEFINE_TRACE_LITERAL([socklen_t])
+m4trace:configure.ac:1187: -1- AH_OUTPUT([socklen_t], [/* type to use in place of socklen_t if not defined */
#undef socklen_t])
-m4trace:configure.ac:1195: -1- AC_CHECK_TYPES([sig_atomic_t], [], [], [#include <signal.h>])
-m4trace:configure.ac:1195: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SIG_ATOMIC_T])
-m4trace:configure.ac:1195: -1- AH_OUTPUT([HAVE_SIG_ATOMIC_T], [/* Define to 1 if the system has the type \`sig_atomic_t'. */
+m4trace:configure.ac:1189: -1- AC_CHECK_TYPES([sig_atomic_t], [], [], [#include <signal.h>])
+m4trace:configure.ac:1189: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SIG_ATOMIC_T])
+m4trace:configure.ac:1189: -1- AH_OUTPUT([HAVE_SIG_ATOMIC_T], [/* Define to 1 if the system has the type \`sig_atomic_t'. */
#undef HAVE_SIG_ATOMIC_T])
-m4trace:configure.ac:1208: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SIZE_T])
-m4trace:configure.ac:1222: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SSIZE_T])
-m4trace:configure.ac:1236: -1- AC_DEFINE_TRACE_LITERAL([HAVE_CLOCK_T])
-m4trace:configure.ac:1261: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SA_FAMILY_T])
-m4trace:configure.ac:1275: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PID_T])
-m4trace:configure.ac:1289: -1- AC_DEFINE_TRACE_LITERAL([HAVE_MODE_T])
-m4trace:configure.ac:1305: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_SOCKADDR_STORAGE])
-m4trace:configure.ac:1320: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_SOCKADDR_IN6])
-m4trace:configure.ac:1335: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_IN6_ADDR])
-m4trace:configure.ac:1351: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_ADDRINFO])
-m4trace:configure.ac:1363: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_TIMEVAL])
-m4trace:configure.ac:1400: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SNPRINTF])
-m4trace:configure.ac:1402: -1- AC_SUBST([NO_SFTP])
-m4trace:configure.ac:1405: -1- AC_DEFINE_TRACE_LITERAL([HAVE_HOST_IN_UTMP])
-m4trace:configure.ac:1406: -1- AC_DEFINE_TRACE_LITERAL([HAVE_HOST_IN_UTMPX])
-m4trace:configure.ac:1407: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SYSLEN_IN_UTMPX])
-m4trace:configure.ac:1408: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PID_IN_UTMP])
-m4trace:configure.ac:1409: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TYPE_IN_UTMP])
-m4trace:configure.ac:1410: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TYPE_IN_UTMPX])
-m4trace:configure.ac:1411: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TV_IN_UTMP])
-m4trace:configure.ac:1412: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ID_IN_UTMP])
-m4trace:configure.ac:1413: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ID_IN_UTMPX])
-m4trace:configure.ac:1414: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_IN_UTMP])
-m4trace:configure.ac:1415: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_IN_UTMPX])
-m4trace:configure.ac:1416: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_V6_IN_UTMP])
-m4trace:configure.ac:1417: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_V6_IN_UTMPX])
-m4trace:configure.ac:1418: -1- AC_DEFINE_TRACE_LITERAL([HAVE_EXIT_IN_UTMP])
-m4trace:configure.ac:1419: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TIME_IN_UTMP])
-m4trace:configure.ac:1420: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TIME_IN_UTMPX])
-m4trace:configure.ac:1421: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TV_IN_UTMPX])
-m4trace:configure.ac:1423: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_STAT_ST_BLKSIZE])
-m4trace:configure.ac:1423: -1- AH_OUTPUT([HAVE_STRUCT_STAT_ST_BLKSIZE], [/* Define to 1 if \`st_blksize' is member of \`struct stat'. */
+m4trace:configure.ac:1202: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SIZE_T])
+m4trace:configure.ac:1216: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SSIZE_T])
+m4trace:configure.ac:1230: -1- AC_DEFINE_TRACE_LITERAL([HAVE_CLOCK_T])
+m4trace:configure.ac:1255: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SA_FAMILY_T])
+m4trace:configure.ac:1269: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PID_T])
+m4trace:configure.ac:1283: -1- AC_DEFINE_TRACE_LITERAL([HAVE_MODE_T])
+m4trace:configure.ac:1299: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_SOCKADDR_STORAGE])
+m4trace:configure.ac:1314: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_SOCKADDR_IN6])
+m4trace:configure.ac:1329: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_IN6_ADDR])
+m4trace:configure.ac:1345: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_ADDRINFO])
+m4trace:configure.ac:1357: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_TIMEVAL])
+m4trace:configure.ac:1394: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SNPRINTF])
+m4trace:configure.ac:1396: -1- AC_SUBST([NO_SFTP])
+m4trace:configure.ac:1399: -1- AC_DEFINE_TRACE_LITERAL([HAVE_HOST_IN_UTMP])
+m4trace:configure.ac:1400: -1- AC_DEFINE_TRACE_LITERAL([HAVE_HOST_IN_UTMPX])
+m4trace:configure.ac:1401: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SYSLEN_IN_UTMPX])
+m4trace:configure.ac:1402: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PID_IN_UTMP])
+m4trace:configure.ac:1403: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TYPE_IN_UTMP])
+m4trace:configure.ac:1404: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TYPE_IN_UTMPX])
+m4trace:configure.ac:1405: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TV_IN_UTMP])
+m4trace:configure.ac:1406: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ID_IN_UTMP])
+m4trace:configure.ac:1407: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ID_IN_UTMPX])
+m4trace:configure.ac:1408: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_IN_UTMP])
+m4trace:configure.ac:1409: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_IN_UTMPX])
+m4trace:configure.ac:1410: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_V6_IN_UTMP])
+m4trace:configure.ac:1411: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_V6_IN_UTMPX])
+m4trace:configure.ac:1412: -1- AC_DEFINE_TRACE_LITERAL([HAVE_EXIT_IN_UTMP])
+m4trace:configure.ac:1413: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TIME_IN_UTMP])
+m4trace:configure.ac:1414: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TIME_IN_UTMPX])
+m4trace:configure.ac:1415: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TV_IN_UTMPX])
+m4trace:configure.ac:1417: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_STAT_ST_BLKSIZE])
+m4trace:configure.ac:1417: -1- AH_OUTPUT([HAVE_STRUCT_STAT_ST_BLKSIZE], [/* Define to 1 if \`st_blksize' is member of \`struct stat'. */
#undef HAVE_STRUCT_STAT_ST_BLKSIZE])
-m4trace:configure.ac:1438: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SS_FAMILY_IN_SS])
-m4trace:configure.ac:1454: -1- AC_DEFINE_TRACE_LITERAL([HAVE___SS_FAMILY_IN_SS])
-m4trace:configure.ac:1469: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PW_CLASS_IN_PASSWD])
-m4trace:configure.ac:1484: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PW_EXPIRE_IN_PASSWD])
-m4trace:configure.ac:1499: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PW_CHANGE_IN_PASSWD])
-m4trace:configure.ac:1516: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ACCRIGHTS_IN_MSGHDR])
-m4trace:configure.ac:1533: -1- AC_DEFINE_TRACE_LITERAL([HAVE_CONTROL_IN_MSGHDR])
-m4trace:configure.ac:1544: -1- AC_DEFINE_TRACE_LITERAL([HAVE___PROGNAME])
-m4trace:configure.ac:1557: -1- AC_DEFINE_TRACE_LITERAL([HAVE___FUNCTION__])
-m4trace:configure.ac:1570: -1- AC_DEFINE_TRACE_LITERAL([HAVE___func__])
-m4trace:configure.ac:1585: -1- AC_DEFINE_TRACE_LITERAL([HAVE_GETOPT_OPTRESET])
-m4trace:configure.ac:1596: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SYS_ERRLIST])
-m4trace:configure.ac:1608: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SYS_NERR])
-m4trace:configure.ac:1641: -1- AC_CHECK_HEADERS([sectok.h])
-m4trace:configure.ac:1641: -1- AH_OUTPUT([HAVE_SECTOK_H], [/* Define to 1 if you have the <sectok.h> header file. */
+m4trace:configure.ac:1432: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SS_FAMILY_IN_SS])
+m4trace:configure.ac:1448: -1- AC_DEFINE_TRACE_LITERAL([HAVE___SS_FAMILY_IN_SS])
+m4trace:configure.ac:1463: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PW_CLASS_IN_PASSWD])
+m4trace:configure.ac:1478: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PW_EXPIRE_IN_PASSWD])
+m4trace:configure.ac:1493: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PW_CHANGE_IN_PASSWD])
+m4trace:configure.ac:1518: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ACCRIGHTS_IN_MSGHDR])
+m4trace:configure.ac:1542: -1- AC_DEFINE_TRACE_LITERAL([HAVE_CONTROL_IN_MSGHDR])
+m4trace:configure.ac:1553: -1- AC_DEFINE_TRACE_LITERAL([HAVE___PROGNAME])
+m4trace:configure.ac:1566: -1- AC_DEFINE_TRACE_LITERAL([HAVE___FUNCTION__])
+m4trace:configure.ac:1579: -1- AC_DEFINE_TRACE_LITERAL([HAVE___func__])
+m4trace:configure.ac:1594: -1- AC_DEFINE_TRACE_LITERAL([HAVE_GETOPT_OPTRESET])
+m4trace:configure.ac:1605: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SYS_ERRLIST])
+m4trace:configure.ac:1617: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SYS_NERR])
+m4trace:configure.ac:1650: -1- AC_CHECK_HEADERS([sectok.h])
+m4trace:configure.ac:1650: -1- AH_OUTPUT([HAVE_SECTOK_H], [/* Define to 1 if you have the <sectok.h> header file. */
#undef HAVE_SECTOK_H])
-m4trace:configure.ac:1641: -1- AC_CHECK_LIB([sectok], [sectok_open])
-m4trace:configure.ac:1641: -1- AH_OUTPUT([HAVE_LIBSECTOK], [/* Define to 1 if you have the \`sectok' library (-lsectok). */
+m4trace:configure.ac:1650: -1- AC_CHECK_LIB([sectok], [sectok_open])
+m4trace:configure.ac:1650: -1- AH_OUTPUT([HAVE_LIBSECTOK], [/* Define to 1 if you have the \`sectok' library (-lsectok). */
#undef HAVE_LIBSECTOK])
-m4trace:configure.ac:1641: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBSECTOK])
-m4trace:configure.ac:1641: -1- AC_DEFINE_TRACE_LITERAL([SMARTCARD])
-m4trace:configure.ac:1641: -1- AC_DEFINE_TRACE_LITERAL([USE_SECTOK])
-m4trace:configure.ac:1650: -1- AC_SUBST([OPENSC_CONFIG], [$ac_cv_path_OPENSC_CONFIG])
-m4trace:configure.ac:1656: -1- AC_DEFINE_TRACE_LITERAL([SMARTCARD])
-m4trace:configure.ac:1657: -1- AC_DEFINE_TRACE_LITERAL([USE_OPENSC])
-m4trace:configure.ac:1699: -1- AC_DEFINE_TRACE_LITERAL([KRB5])
-m4trace:configure.ac:1699: -1- AC_DEFINE_TRACE_LITERAL([HEIMDAL])
-m4trace:configure.ac:1699: -1- AC_CHECK_LIB([resolv], [dn_expand], [], [])
-m4trace:configure.ac:1699: -1- AH_OUTPUT([HAVE_LIBRESOLV], [/* Define to 1 if you have the \`resolv' library (-lresolv). */
+m4trace:configure.ac:1650: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBSECTOK])
+m4trace:configure.ac:1650: -1- AC_DEFINE_TRACE_LITERAL([SMARTCARD])
+m4trace:configure.ac:1650: -1- AC_DEFINE_TRACE_LITERAL([USE_SECTOK])
+m4trace:configure.ac:1659: -1- AC_SUBST([OPENSC_CONFIG], [$ac_cv_path_OPENSC_CONFIG])
+m4trace:configure.ac:1665: -1- AC_DEFINE_TRACE_LITERAL([SMARTCARD])
+m4trace:configure.ac:1666: -1- AC_DEFINE_TRACE_LITERAL([USE_OPENSC])
+m4trace:configure.ac:1708: -1- AC_DEFINE_TRACE_LITERAL([KRB5])
+m4trace:configure.ac:1708: -1- AC_DEFINE_TRACE_LITERAL([HEIMDAL])
+m4trace:configure.ac:1708: -1- AC_CHECK_LIB([resolv], [dn_expand], [], [])
+m4trace:configure.ac:1708: -1- AH_OUTPUT([HAVE_LIBRESOLV], [/* Define to 1 if you have the \`resolv' library (-lresolv). */
#undef HAVE_LIBRESOLV])
-m4trace:configure.ac:1699: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBRESOLV])
-m4trace:configure.ac:1753: -1- AC_CHECK_HEADERS([krb.h])
-m4trace:configure.ac:1753: -1- AH_OUTPUT([HAVE_KRB_H], [/* Define to 1 if you have the <krb.h> header file. */
+m4trace:configure.ac:1708: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBRESOLV])
+m4trace:configure.ac:1762: -1- AC_CHECK_HEADERS([krb.h])
+m4trace:configure.ac:1762: -1- AH_OUTPUT([HAVE_KRB_H], [/* Define to 1 if you have the <krb.h> header file. */
#undef HAVE_KRB_H])
-m4trace:configure.ac:1753: -1- AC_CHECK_LIB([krb], [main])
-m4trace:configure.ac:1753: -1- AH_OUTPUT([HAVE_LIBKRB], [/* Define to 1 if you have the \`krb' library (-lkrb). */
+m4trace:configure.ac:1762: -1- AC_CHECK_LIB([krb], [main])
+m4trace:configure.ac:1762: -1- AH_OUTPUT([HAVE_LIBKRB], [/* Define to 1 if you have the \`krb' library (-lkrb). */
#undef HAVE_LIBKRB])
-m4trace:configure.ac:1753: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBKRB])
-m4trace:configure.ac:1753: -1- AC_CHECK_LIB([krb4], [main])
-m4trace:configure.ac:1753: -1- AH_OUTPUT([HAVE_LIBKRB4], [/* Define to 1 if you have the \`krb4' library (-lkrb4). */
+m4trace:configure.ac:1762: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBKRB])
+m4trace:configure.ac:1762: -1- AC_CHECK_LIB([krb4], [main])
+m4trace:configure.ac:1762: -1- AH_OUTPUT([HAVE_LIBKRB4], [/* Define to 1 if you have the \`krb4' library (-lkrb4). */
#undef HAVE_LIBKRB4])
-m4trace:configure.ac:1753: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBKRB4])
-m4trace:configure.ac:1753: -1- AC_CHECK_LIB([des], [des_cbc_encrypt])
-m4trace:configure.ac:1753: -1- AH_OUTPUT([HAVE_LIBDES], [/* Define to 1 if you have the \`des' library (-ldes). */
+m4trace:configure.ac:1762: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBKRB4])
+m4trace:configure.ac:1762: -1- AC_CHECK_LIB([des], [des_cbc_encrypt])
+m4trace:configure.ac:1762: -1- AH_OUTPUT([HAVE_LIBDES], [/* Define to 1 if you have the \`des' library (-ldes). */
#undef HAVE_LIBDES])
-m4trace:configure.ac:1753: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBDES])
-m4trace:configure.ac:1753: -1- AC_CHECK_LIB([des425], [des_cbc_encrypt])
-m4trace:configure.ac:1753: -1- AH_OUTPUT([HAVE_LIBDES425], [/* Define to 1 if you have the \`des425' library (-ldes425). */
+m4trace:configure.ac:1762: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBDES])
+m4trace:configure.ac:1762: -1- AC_CHECK_LIB([des425], [des_cbc_encrypt])
+m4trace:configure.ac:1762: -1- AH_OUTPUT([HAVE_LIBDES425], [/* Define to 1 if you have the \`des425' library (-ldes425). */
#undef HAVE_LIBDES425])
-m4trace:configure.ac:1753: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBDES425])
-m4trace:configure.ac:1753: -1- AC_CHECK_LIB([resolv], [dn_expand], [], [])
-m4trace:configure.ac:1753: -1- AH_OUTPUT([HAVE_LIBRESOLV], [/* Define to 1 if you have the \`resolv' library (-lresolv). */
+m4trace:configure.ac:1762: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBDES425])
+m4trace:configure.ac:1762: -1- AC_CHECK_LIB([resolv], [dn_expand], [], [])
+m4trace:configure.ac:1762: -1- AH_OUTPUT([HAVE_LIBRESOLV], [/* Define to 1 if you have the \`resolv' library (-lresolv). */
#undef HAVE_LIBRESOLV])
-m4trace:configure.ac:1753: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBRESOLV])
-m4trace:configure.ac:1753: -1- AC_DEFINE_TRACE_LITERAL([KRB4])
-m4trace:configure.ac:1779: -1- AC_DEFINE_TRACE_LITERAL([AFS])
-m4trace:configure.ac:1793: -1- AC_SUBST([rsh_path], [$ac_cv_path_rsh_path])
-m4trace:configure.ac:1804: -1- AC_SUBST([PRIVSEP_PATH])
-m4trace:configure.ac:1819: -1- AC_SUBST([xauth_path], [$ac_cv_path_xauth_path])
-m4trace:configure.ac:1823: -1- AC_SUBST([XAUTH_PATH])
-m4trace:configure.ac:1825: -1- AC_DEFINE_TRACE_LITERAL([XAUTH_PATH])
-m4trace:configure.ac:1827: -1- AC_SUBST([XAUTH_PATH])
-m4trace:configure.ac:1830: -1- AC_DEFINE_TRACE_LITERAL([RSH_PATH])
-m4trace:configure.ac:1836: -1- AC_DEFINE_TRACE_LITERAL([MAIL_DIRECTORY])
-m4trace:configure.ac:1846: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DEV_PTMX])
-m4trace:configure.ac:1854: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DEV_PTS_AND_PTC])
-m4trace:configure.ac:1871: -1- AC_SUBST([NROFF], [$ac_cv_path_NROFF])
-m4trace:configure.ac:1880: -1- AC_SUBST([MANTYPE])
-m4trace:configure.ac:1886: -1- AC_SUBST([mansubdir])
-m4trace:configure.ac:1898: -1- AC_DEFINE_TRACE_LITERAL([HAVE_MD5_PASSWORDS])
-m4trace:configure.ac:1909: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
-m4trace:configure.ac:1924: -1- AC_DEFINE_TRACE_LITERAL([HAS_SHADOW_EXPIRE])
-m4trace:configure.ac:1933: -1- AC_DEFINE_TRACE_LITERAL([IPADDR_IN_DISPLAY])
-m4trace:configure.ac:1944: -1- AC_DEFINE_TRACE_LITERAL([IPADDR_IN_DISPLAY])
-m4trace:configure.ac:2021: -1- AC_DEFINE_TRACE_LITERAL([USER_PATH])
-m4trace:configure.ac:2022: -1- AC_SUBST([user_path])
-m4trace:configure.ac:2034: -1- AC_DEFINE_TRACE_LITERAL([SUPERUSER_PATH])
-m4trace:configure.ac:2047: -1- AC_DEFINE_TRACE_LITERAL([IPV4_DEFAULT])
-m4trace:configure.ac:2070: -1- AC_DEFINE_TRACE_LITERAL([IPV4_IN_IPV6])
-m4trace:configure.ac:2070: -1- AC_DEFINE_TRACE_LITERAL([IPV4_IN_IPV6])
-m4trace:configure.ac:2082: -1- AC_DEFINE_TRACE_LITERAL([BSD_AUTH])
-m4trace:configure.ac:2100: -1- AC_SUBST([SSHMODE])
-m4trace:configure.ac:2125: -1- AC_DEFINE_TRACE_LITERAL([_PATH_SSH_PIDDIR])
-m4trace:configure.ac:2126: -1- AC_SUBST([piddir])
-m4trace:configure.ac:2132: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LASTLOG])
-m4trace:configure.ac:2136: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
-m4trace:configure.ac:2140: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMPX])
-m4trace:configure.ac:2144: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP])
-m4trace:configure.ac:2148: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMPX])
-m4trace:configure.ac:2152: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LOGIN])
-m4trace:configure.ac:2156: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_PUTUTLINE])
-m4trace:configure.ac:2160: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_PUTUTXLINE])
-m4trace:configure.ac:2170: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LASTLOG])
-m4trace:configure.ac:2232: -1- AC_DEFINE_TRACE_LITERAL([CONF_LASTLOG_FILE])
-m4trace:configure.ac:2257: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
-m4trace:configure.ac:2262: -1- AC_DEFINE_TRACE_LITERAL([CONF_UTMP_FILE])
-m4trace:configure.ac:2287: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP])
-m4trace:configure.ac:2292: -1- AC_DEFINE_TRACE_LITERAL([CONF_WTMP_FILE])
-m4trace:configure.ac:2317: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMPX])
-m4trace:configure.ac:2320: -1- AC_DEFINE_TRACE_LITERAL([CONF_UTMPX_FILE])
-m4trace:configure.ac:2342: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMPX])
-m4trace:configure.ac:2345: -1- AC_DEFINE_TRACE_LITERAL([CONF_WTMPX_FILE])
-m4trace:configure.ac:2363: -1- AC_CONFIG_FILES([Makefile openbsd-compat/Makefile scard/Makefile ssh_prng_cmds])
+m4trace:configure.ac:1762: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBRESOLV])
+m4trace:configure.ac:1762: -1- AC_DEFINE_TRACE_LITERAL([KRB4])
+m4trace:configure.ac:1788: -1- AC_DEFINE_TRACE_LITERAL([AFS])
+m4trace:configure.ac:1802: -1- AC_SUBST([rsh_path], [$ac_cv_path_rsh_path])
+m4trace:configure.ac:1813: -1- AC_SUBST([PRIVSEP_PATH])
+m4trace:configure.ac:1828: -1- AC_SUBST([xauth_path], [$ac_cv_path_xauth_path])
+m4trace:configure.ac:1832: -1- AC_SUBST([XAUTH_PATH])
+m4trace:configure.ac:1834: -1- AC_DEFINE_TRACE_LITERAL([XAUTH_PATH])
+m4trace:configure.ac:1836: -1- AC_SUBST([XAUTH_PATH])
+m4trace:configure.ac:1839: -1- AC_DEFINE_TRACE_LITERAL([RSH_PATH])
+m4trace:configure.ac:1845: -1- AC_DEFINE_TRACE_LITERAL([MAIL_DIRECTORY])
+m4trace:configure.ac:1855: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DEV_PTMX])
+m4trace:configure.ac:1863: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DEV_PTS_AND_PTC])
+m4trace:configure.ac:1880: -1- AC_SUBST([NROFF], [$ac_cv_path_NROFF])
+m4trace:configure.ac:1889: -1- AC_SUBST([MANTYPE])
+m4trace:configure.ac:1895: -1- AC_SUBST([mansubdir])
+m4trace:configure.ac:1907: -1- AC_DEFINE_TRACE_LITERAL([HAVE_MD5_PASSWORDS])
+m4trace:configure.ac:1918: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
+m4trace:configure.ac:1933: -1- AC_DEFINE_TRACE_LITERAL([HAS_SHADOW_EXPIRE])
+m4trace:configure.ac:1942: -1- AC_DEFINE_TRACE_LITERAL([IPADDR_IN_DISPLAY])
+m4trace:configure.ac:1953: -1- AC_DEFINE_TRACE_LITERAL([IPADDR_IN_DISPLAY])
+m4trace:configure.ac:2030: -1- AC_DEFINE_TRACE_LITERAL([USER_PATH])
+m4trace:configure.ac:2031: -1- AC_SUBST([user_path])
+m4trace:configure.ac:2043: -1- AC_DEFINE_TRACE_LITERAL([SUPERUSER_PATH])
+m4trace:configure.ac:2056: -1- AC_DEFINE_TRACE_LITERAL([IPV4_DEFAULT])
+m4trace:configure.ac:2079: -1- AC_DEFINE_TRACE_LITERAL([IPV4_IN_IPV6])
+m4trace:configure.ac:2079: -1- AC_DEFINE_TRACE_LITERAL([IPV4_IN_IPV6])
+m4trace:configure.ac:2091: -1- AC_DEFINE_TRACE_LITERAL([BSD_AUTH])
+m4trace:configure.ac:2115: -1- AC_DEFINE_TRACE_LITERAL([_PATH_SSH_PIDDIR])
+m4trace:configure.ac:2116: -1- AC_SUBST([piddir])
+m4trace:configure.ac:2122: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LASTLOG])
+m4trace:configure.ac:2126: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
+m4trace:configure.ac:2130: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMPX])
+m4trace:configure.ac:2134: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP])
+m4trace:configure.ac:2138: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMPX])
+m4trace:configure.ac:2142: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LOGIN])
+m4trace:configure.ac:2146: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_PUTUTLINE])
+m4trace:configure.ac:2150: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_PUTUTXLINE])
+m4trace:configure.ac:2160: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LASTLOG])
+m4trace:configure.ac:2222: -1- AC_DEFINE_TRACE_LITERAL([CONF_LASTLOG_FILE])
+m4trace:configure.ac:2247: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
+m4trace:configure.ac:2252: -1- AC_DEFINE_TRACE_LITERAL([CONF_UTMP_FILE])
+m4trace:configure.ac:2277: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP])
+m4trace:configure.ac:2282: -1- AC_DEFINE_TRACE_LITERAL([CONF_WTMP_FILE])
+m4trace:configure.ac:2307: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMPX])
+m4trace:configure.ac:2310: -1- AC_DEFINE_TRACE_LITERAL([CONF_UTMPX_FILE])
+m4trace:configure.ac:2332: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMPX])
+m4trace:configure.ac:2335: -1- AC_DEFINE_TRACE_LITERAL([CONF_WTMPX_FILE])
+m4trace:configure.ac:2353: -1- AC_CONFIG_FILES([Makefile openbsd-compat/Makefile scard/Makefile ssh_prng_cmds])
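Review bot: this block is the autom4te trace cache (autom4te.cache/traces.*), generated output that is rewritten every time configure.ac changes, and it should be dropped from the diff rather than reviewed; the regenerated configure script is what matters. The only substantive facts it records are already visible in the configure.ac hunks below: `AC_SUBST([SSHMODE])` disappears with no `+` counterpart (matching the removal of --enable-suid-ssh), the sectok smartcard defines `HAVE_LIBSECTOK`/`USE_SECTOK` appear, and every later configure.ac line number shifts by 9. Suggest adding autom4te.cache to .cvsignore so the next release diff does not carry a long run of renumbering noise.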
*/
#include "includes.h"
-RCSID("$OpenBSD: canohost.c,v 1.31 2002/02/27 21:23:13 stevesk Exp $");
+RCSID("$OpenBSD: canohost.c,v 1.32 2002/06/11 08:11:45 itojun Exp $");
#include "packet.h"
#include "xmalloc.h"
}
}
#endif
- if (from.ss_family == AF_INET)
- check_ip_options(socket, ntop);
if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),
NULL, 0, NI_NUMERICHOST) != 0)
fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
+ if (from.ss_family == AF_INET)
+ check_ip_options(socket, ntop);
+
debug3("Trying to reverse map address %.100s.", ntop);
/* Map the IP address to a host name. */
if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
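Review bot: the reorder is the right fix and deserves a comment in the code. In the old order `check_ip_options(socket, ntop)` ran before the `getnameinfo(..., ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST)` call that fills `ntop`, so whatever check_ip_options() does with the address string, it was handed an unwritten buffer. Now it receives the value getnameinfo() produced, and a `fatal()` from getnameinfo short-circuits the check as it should. Suggest a one-line comment above the moved call, e.g. `/* ntop is only valid after getnameinfo() above */`, so nobody moves it back.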
*/
#include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.173 2002/04/22 21:04:52 markus Exp $");
+RCSID("$OpenBSD: channels.c,v 1.175 2002/06/10 22:28:41 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
#include "ssh2.h"
#include "packet.h"
#include "xmalloc.h"
-#include "uidswap.h"
#include "log.h"
#include "misc.h"
#include "channels.h"
#define NUM_SOCKS 10
-/* Name and directory of socket for authentication agent forwarding. */
-static char *auth_sock_name = NULL;
-static char *auth_sock_dir = NULL;
-
/* AF_UNSPEC or AF_INET or AF_INET6 */
static int IPv4or6 = AF_UNSPEC;
FD_SET(c->wfd, writeset);
} else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
if (CHANNEL_EFD_OUTPUT_ACTIVE(c))
- debug2("channel %d: obuf_empty delayed efd %d/(%d)",
- c->self, c->efd, buffer_len(&c->extended));
+ debug2("channel %d: obuf_empty delayed efd %d/(%d)",
+ c->self, c->efd, buffer_len(&c->extended));
else
chan_obuf_empty(c);
}
* hack for extended data: delay EOF if EFD still in use.
*/
if (CHANNEL_EFD_INPUT_ACTIVE(c))
- debug2("channel %d: ibuf_empty delayed efd %d/(%d)",
- c->self, c->efd, buffer_len(&c->extended));
+ debug2("channel %d: ibuf_empty delayed efd %d/(%d)",
+ c->self, c->efd, buffer_len(&c->extended));
else
chan_ibuf_empty(c);
}
continue;
}
}
+#ifdef IPV6_V6ONLY
+ if (ai->ai_family == AF_INET6) {
+ int on = 1;
+ if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0)
+ error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno));
+ }
+#endif
if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
debug("bind port %d: %.100s", port, strerror(errno));
close(sock);
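Review bot: a `setsockopt(IPV6_V6ONLY)` failure is only `error()`-logged and the bind still goes ahead. On a dual-stack host where the option is refused, the AF_INET6 wildcard socket can absorb the IPv4 address as well, so the following AF_INET bind fails with EADDRINUSE, and that failure is reported only with `debug("bind port %d: %.100s", ...)`. Either treat the setsockopt failure like a bind failure (close the socket and continue), or raise the bind-failure message above debug level so an administrator can see why only one X11 listener exists.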
if (num_socks == NUM_SOCKS)
break;
#else
- break;
+ if (x11_use_localhost) {
+ if (num_socks == NUM_SOCKS)
+ break;
+ } else {
+ break;
+ }
#endif
}
freeaddrinfo(aitop);
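Review bot: the new `#else` arm makes the loop's stopping rule depend on `x11_use_localhost` without saying why; add a comment. As written, a localhost bind keeps going until NUM_SOCKS sockets are bound (so that both the IPv4 and the IPv6 loopback address get a listener), while a non-localhost bind stops after the first successful socket exactly as before. Without that explanation the asymmetry between the two arms reads like a bug.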
packet_write_wait();
}
-/*
- * Returns the name of the forwarded authentication socket. Returns NULL if
- * there is no forwarded authentication socket. The returned value points to
- * a static buffer.
- */
-
-char *
-auth_get_socket_name(void)
-{
- return auth_sock_name;
-}
-
-/* removes the agent forwarding socket */
-
-void
-auth_sock_cleanup_proc(void *_pw)
-{
- struct passwd *pw = _pw;
-
- if (auth_sock_name) {
- temporarily_use_uid(pw);
- unlink(auth_sock_name);
- rmdir(auth_sock_dir);
- auth_sock_name = NULL;
- restore_uid();
- }
-}
-
-/*
- * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
- * This starts forwarding authentication requests.
- */
-
-int
-auth_input_request_forwarding(struct passwd * pw)
-{
- Channel *nc;
- int sock;
- struct sockaddr_un sunaddr;
-
- if (auth_get_socket_name() != NULL) {
- error("authentication forwarding requested twice.");
- return 0;
- }
-
- /* Temporarily drop privileged uid for mkdir/bind. */
- temporarily_use_uid(pw);
-
- /* Allocate a buffer for the socket name, and format the name. */
- auth_sock_name = xmalloc(MAXPATHLEN);
- auth_sock_dir = xmalloc(MAXPATHLEN);
- strlcpy(auth_sock_dir, "/tmp/ssh-XXXXXXXX", MAXPATHLEN);
-
- /* Create private directory for socket */
- if (mkdtemp(auth_sock_dir) == NULL) {
- packet_send_debug("Agent forwarding disabled: "
- "mkdtemp() failed: %.100s", strerror(errno));
- restore_uid();
- xfree(auth_sock_name);
- xfree(auth_sock_dir);
- auth_sock_name = NULL;
- auth_sock_dir = NULL;
- return 0;
- }
- snprintf(auth_sock_name, MAXPATHLEN, "%s/agent.%d",
- auth_sock_dir, (int) getpid());
-
- /* delete agent socket on fatal() */
- fatal_add_cleanup(auth_sock_cleanup_proc, pw);
-
- /* Create the socket. */
- sock = socket(AF_UNIX, SOCK_STREAM, 0);
- if (sock < 0)
- packet_disconnect("socket: %.100s", strerror(errno));
-
- /* Bind it to the name. */
- memset(&sunaddr, 0, sizeof(sunaddr));
- sunaddr.sun_family = AF_UNIX;
- strlcpy(sunaddr.sun_path, auth_sock_name, sizeof(sunaddr.sun_path));
-
- if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0)
- packet_disconnect("bind: %.100s", strerror(errno));
-
- /* Restore the privileged uid. */
- restore_uid();
-
- /* Start listening on the socket. */
- if (listen(sock, 5) < 0)
- packet_disconnect("listen: %.100s", strerror(errno));
-
- /* Allocate a channel for the authentication agent socket. */
- nc = channel_new("auth socket",
- SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
- CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
- 0, xstrdup("auth socket"), 1);
- strlcpy(nc->path, auth_sock_name, sizeof(nc->path));
- return 1;
-}
-
/* This is called to process an SSH_SMSG_AGENT_OPEN message. */
void
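Review bot: `auth_input_request_forwarding()`, `auth_sock_cleanup_proc()` and `auth_get_socket_name()` are removed here (together with the `auth_sock_name`/`auth_sock_dir` statics and the `uidswap.h` include), and their prototypes go from channels.h in the next hunk, but nothing in this diff adds a replacement. The removed comment says this is the handler for SSH_CMSG_AGENT_REQUEST_FORWARDING, so a caller still needs an implementation, presumably in the privilege-separated session code. Please include the file where this code now lives in the same change: the `mkdtemp()` into /tmp followed by `bind()` of the agent socket under `temporarily_use_uid(pw)`/`restore_uid()` is the security-sensitive part, and it cannot be reviewed from the deletion alone.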
-/* $OpenBSD: channels.h,v 1.67 2002/03/26 22:50:39 markus Exp $ */
+/* $OpenBSD: channels.h,v 1.68 2002/06/10 22:28:41 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
/* agent forwarding */
void auth_request_forwarding(void);
-char *auth_get_socket_name(void);
-void auth_sock_cleanup_proc(void *);
-int auth_input_request_forwarding(struct passwd *);
void auth_input_open_request(int, u_int32_t, void *);
/* channel close */
*/
#include "includes.h"
-RCSID("$OpenBSD: cipher.c,v 1.55 2002/04/03 09:26:11 markus Exp $");
+RCSID("$OpenBSD: cipher.c,v 1.59 2002/06/19 18:01:00 markus Exp $");
#include "xmalloc.h"
#include "log.h"
#include "cipher.h"
#include <openssl/md5.h>
-#include "rijndael.h"
#if OPENSSL_VERSION_NUMBER < 0x00906000L
#define SSH_OLD_EVP
#define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
#endif
-static EVP_CIPHER *evp_ssh1_3des(void);
-static EVP_CIPHER *evp_ssh1_bf(void);
-static EVP_CIPHER *evp_rijndael(void);
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#include "rijndael.h"
+static const EVP_CIPHER *evp_rijndael(void);
+#endif
+static const EVP_CIPHER *evp_ssh1_3des(void);
+static const EVP_CIPHER *evp_ssh1_bf(void);
struct Cipher {
char *name;
int number; /* for ssh1 only */
u_int block_size;
u_int key_len;
- EVP_CIPHER *(*evptype)(void);
+ const EVP_CIPHER *(*evptype)(void);
} ciphers[] = {
{ "none", SSH_CIPHER_NONE, 8, 0, EVP_enc_null },
{ "des", SSH_CIPHER_DES, 8, 8, EVP_des_cbc },
{ "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc },
{ "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc },
{ "arcfour", SSH_CIPHER_SSH2, 8, 16, EVP_rc4 },
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
{ "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, evp_rijndael },
{ "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, evp_rijndael },
{ "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, evp_rijndael },
{ "rijndael-cbc@lysator.liu.se",
SSH_CIPHER_SSH2, 16, 32, evp_rijndael },
+#else
+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, EVP_aes_128_cbc },
+ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, EVP_aes_192_cbc },
+ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
+ { "rijndael-cbc@lysator.liu.se",
+ SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
+#endif
{ NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL }
};
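Review bot: the four AES rows are now duplicated across the `#if OPENSSL_VERSION_NUMBER < 0x00907000L` / `#else` arms and differ only in the evptype column. The name, number, block_size and key_len columns are protocol-visible and must stay identical in both arms, so consider one set of rows with the function chosen by a macro (e.g. `EVP_aes_128_cbc` under 0.9.7, `evp_rijndael` otherwise) so the two arms cannot drift. Also, this guard is 0x00907000L while the SSH_OLD_EVP guard above is 0x00906000L; a short comment that the two thresholds are intentionally different (old EVP API vs. built-in AES) would save the next reader a check.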
}
return (1);
}
-static EVP_CIPHER *
+static const EVP_CIPHER *
evp_ssh1_3des(void)
{
static EVP_CIPHER ssh1_3des;
swap_bytes(out, out, len);
return (ret);
}
-static EVP_CIPHER *
+static const EVP_CIPHER *
evp_ssh1_bf(void)
{
static EVP_CIPHER ssh1_bf;
return (&ssh1_bf);
}
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
/* RIJNDAEL */
#define RIJNDAEL_BLOCKSIZE 16
struct ssh_rijndael_ctx
}
return (1);
}
-static EVP_CIPHER *
+static const EVP_CIPHER *
evp_rijndael(void)
{
static EVP_CIPHER rijndal_cbc;
#endif
return (&rijndal_cbc);
}
+#endif
/*
* Exports an IV from the CipherContext required to export the key
if (evplen == 0)
return;
if (evplen != len)
- fatal("%s: wrong iv length %d != %d", __FUNCTION__,
+ fatal("%s: wrong iv length %d != %d", __func__,
evplen, len);
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
if (c->evptype == evp_rijndael) {
struct ssh_rijndael_ctx *aesc;
aesc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
if (aesc == NULL)
- fatal("%s: no rijndael context", __FUNCTION__);
+ fatal("%s: no rijndael context", __func__);
civ = aesc->r_iv;
- } else {
+ } else
+#endif
+ {
civ = cc->evp.iv;
}
break;
case SSH_CIPHER_3DES: {
struct ssh1_3des_ctx *desc;
if (len != 24)
- fatal("%s: bad 3des iv length: %d", __FUNCTION__, len);
+ fatal("%s: bad 3des iv length: %d", __func__, len);
desc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
if (desc == NULL)
- fatal("%s: no 3des context", __FUNCTION__);
- debug3("%s: Copying 3DES IV", __FUNCTION__);
+ fatal("%s: no 3des context", __func__);
+ debug3("%s: Copying 3DES IV", __func__);
memcpy(iv, desc->k1.iv, 8);
memcpy(iv + 8, desc->k2.iv, 8);
memcpy(iv + 16, desc->k3.iv, 8);
return;
}
default:
- fatal("%s: bad cipher %d", __FUNCTION__, c->number);
+ fatal("%s: bad cipher %d", __func__, c->number);
}
memcpy(iv, civ, len);
}
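Review bot: the `} else` / `#endif` / `{` construction around the rijndael IV lookup compiles in both configurations but reads badly and confuses brace matching in editors; the same pattern appears in cipher_set_keyiv() below. Consider moving the rijndael-specific `EVP_CIPHER_CTX_get_app_data()` lookup into a small helper that returns `cc->evp.iv` when the built-in rijndael code is compiled out, so the `#if` wraps a whole function instead of straddling an `else`.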
if (evplen == 0)
return;
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
if (c->evptype == evp_rijndael) {
struct ssh_rijndael_ctx *aesc;
aesc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
if (aesc == NULL)
- fatal("%s: no rijndael context", __FUNCTION__);
+ fatal("%s: no rijndael context", __func__);
div = aesc->r_iv;
- }else {
+ } else
+#endif
+ {
div = cc->evp.iv;
}
break;
struct ssh1_3des_ctx *desc;
desc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
if (desc == NULL)
- fatal("%s: no 3des context", __FUNCTION__);
- debug3("%s: Installed 3DES IV", __FUNCTION__);
+ fatal("%s: no 3des context", __func__);
+ debug3("%s: Installed 3DES IV", __func__);
memcpy(desc->k1.iv, iv, 8);
memcpy(desc->k2.iv, iv + 8, 8);
memcpy(desc->k3.iv, iv + 16, 8);
return;
}
default:
- fatal("%s: bad cipher %d", __FUNCTION__, c->number);
+ fatal("%s: bad cipher %d", __func__, c->number);
}
memcpy(div, iv, evplen);
}
cipher_get_keycontext(CipherContext *cc, u_char *dat)
{
Cipher *c = cc->cipher;
- int plen;
+ int plen = 0;
- if (c->number == SSH_CIPHER_3DES) {
- struct ssh1_3des_ctx *desc;
- desc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
- if (desc == NULL)
- fatal("%s: no 3des context", __FUNCTION__);
- plen = EVP_X_STATE_LEN(desc->k1);
+ if (c->evptype == EVP_rc4) {
+ plen = EVP_X_STATE_LEN(cc->evp);
if (dat == NULL)
- return (3*plen);
- memcpy(dat, EVP_X_STATE(desc->k1), plen);
- memcpy(dat + plen, EVP_X_STATE(desc->k2), plen);
- memcpy(dat + 2*plen, EVP_X_STATE(desc->k3), plen);
- return (3*plen);
+ return (plen);
+ memcpy(dat, EVP_X_STATE(cc->evp), plen);
}
-
- /* Generic EVP */
- plen = EVP_X_STATE_LEN(cc->evp);
- if (dat == NULL)
- return (plen);
-
- memcpy(dat, EVP_X_STATE(cc->evp), plen);
return (plen);
}
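Review bot: cipher_get_keycontext() now exports EVP state only when `c->evptype == EVP_rc4` and returns 0 for every other cipher (hence `int plen = 0`), and the branch that exported the 3DES k1/k2/k3 state is gone. That is only correct if every other cipher's state is fully captured by cipher_get_keyiv(); for SSH1 3DES that relies on the 24-byte IV export added above (`if (len != 24) fatal("%s: bad 3des iv length: %d", ...)`). Please state that assumption in a comment, since per monitor.c's `mm_get_keystate(pmonitor)` this is the state handed from monitor to child and a cipher whose stream state lives neither in the IV nor in the arcfour path would silently resync wrongly. cipher_set_keycontext() in the next hunk mirrors this; its `int plen;` is now assigned only in the arcfour branch, which is fine.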
Cipher *c = cc->cipher;
int plen;
- if (c->number == SSH_CIPHER_3DES) {
- struct ssh1_3des_ctx *desc;
- desc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
- if (desc == NULL)
- fatal("%s: no 3des context", __FUNCTION__);
- plen = EVP_X_STATE_LEN(desc->k1);
- memcpy(EVP_X_STATE(desc->k1), dat, plen);
- memcpy(EVP_X_STATE(desc->k2), dat + plen, plen);
- memcpy(EVP_X_STATE(desc->k3), dat + 2*plen, plen);
- } else {
+ if (c->evptype == EVP_rc4) {
plen = EVP_X_STATE_LEN(cc->evp);
memcpy(EVP_X_STATE(cc->evp), dat, plen);
}
*/
#include "includes.h"
-RCSID("$OpenBSD: clientloop.c,v 1.100 2002/04/22 21:04:52 markus Exp $");
+RCSID("$OpenBSD: clientloop.c,v 1.101 2002/06/09 13:32:01 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
int local = 0;
leave_raw_mode();
- handler = signal(SIGINT, SIG_IGN);
+ handler = signal(SIGINT, SIG_IGN);
cmd = s = read_passphrase("\r\nssh> ", RP_ECHO);
if (s == NULL)
goto out;
AC_DEFINE(IPV4_DEFAULT)
AC_DEFINE(IP_TOS_IS_BROKEN)
AC_DEFINE(NO_X11_UNIX_SOCKETS)
+ AC_DEFINE(SETGROUPS_NOOP)
;;
*-*-dgux*)
AC_DEFINE(IP_TOS_IS_BROKEN)
*-*-sysv4.2*)
CPPFLAGS="$CPPFLAGS -I/usr/local/include"
LDFLAGS="$LDFLAGS -L/usr/local/lib"
-# enable_suid_ssh=no
AC_DEFINE(USE_PIPES)
;;
*-*-sysv5*)
CPPFLAGS="$CPPFLAGS -I/usr/local/include"
LDFLAGS="$LDFLAGS -L/usr/local/lib"
-# enable_suid_ssh=no
AC_DEFINE(USE_PIPES)
;;
*-*-sysv*)
inet_ntop innetgr login_getcapbool md5_crypt memmove \
mkdtemp mmap ngetaddrinfo openpty ogetaddrinfo readpassphrase \
realpath recvmsg rresvport_af sendmsg setdtablesize setegid \
- setenv seteuid setlogin setproctitle setresgid setreuid setrlimit \
- setsid setvbuf sigaction sigvec snprintf socketpair strerror \
- strlcat strlcpy strmode strsep sysconf tcgetpgrp truncate utimes \
- vhangup vsnprintf waitpid __b64_ntop _getpty)
+ setenv seteuid setgroups setlogin setproctitle setresgid setreuid \
+ setrlimit setsid setpcred setvbuf sigaction sigvec snprintf \
+ socketpair strerror strlcat strlcpy strmode strsep sysconf tcgetpgrp \
+ truncate utimes vhangup vsnprintf waitpid __b64_ntop _getpty)
dnl IRIX and Solaris 2.5.1 have dirname() in libgen
AC_CHECK_FUNCS(dirname, [AC_CHECK_HEADERS(libgen.h)] ,[
AC_CHECK_FUNCS(endutxent getutxent getutxid getutxline pututxline )
AC_CHECK_FUNCS(setutxent utmpxname)
-AC_CHECK_FUNC(getuserattr,
- [AC_DEFINE(HAVE_GETUSERATTR)],
- [AC_CHECK_LIB(s, getuserattr, [LIBS="$LIBS -ls"; AC_DEFINE(HAVE_GETUSERATTR)])]
-)
-
AC_CHECK_FUNC(daemon,
[AC_DEFINE(HAVE_DAEMON)],
[AC_CHECK_LIB(bsd, daemon, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)])]
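Review bot: the getuserattr / `-ls` probe is removed with no replacement here, so any code still under `#ifdef HAVE_GETUSERATTR` is now silently compiled out. If the intent is that the `setpcred` added to AC_CHECK_FUNCS above supersedes it on AIX, a one-line comment at the removal site (or in the AIX platform case) saying so would help the next person who wonders why the probe vanished.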
]
)
-AC_MSG_CHECKING(whether to install ssh as suid root)
-AC_ARG_ENABLE(suid-ssh,
-[ --enable-suid-ssh Install ssh as suid root (default)
- --disable-suid-ssh Install ssh without suid bit],
-[ case "$enableval" in
- no)
- AC_MSG_RESULT(no)
- SSHMODE=0711
- ;;
- *) AC_MSG_RESULT(yes)
- SSHMODE=4711
- ;;
- esac ],
- AC_MSG_RESULT(yes)
- SSHMODE=4711
-)
-AC_SUBST(SSHMODE)
-
-
# Where to place sshd.pid
piddir=/var/run
# make sure the directory exists
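Review bot: dropping `--enable-suid-ssh` and `AC_SUBST(SSHMODE)` has to be matched in Makefile.in: any remaining `@SSHMODE@` in the install rule would now be left unsubstituted and the install would fail or install ssh with an empty mode. The spec files in this diff install ssh as 0755 and ssh-keysign as 4711, so the Makefile install rule needs the same two modes. A line in README or the release notes telling packagers that ssh is no longer setuid and that hostbased authentication now depends on the setuid ssh-keysign helper would also avoid surprises for anyone who scripted around the old `SSHMODE=4711` default.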
%define use-stable 1
%if %{use-stable}
- %define version 3.2.3p1
+ %define version 3.3p1
%define cvs %{nil}
%define release 1
%else
- %define version 3.2.3
+ %define version 3.3
%define cvs cvs20020515
%define release 0r1
%endif
-%define ver 3.2.3p1
+%define ver 3.3p1
%define rel 1
# OpenSSH privilege separation requires a user & group ID
# Disable IPv6 (avoids DNS hangs on some glibc versions)
%define noip6 0
+# Do we want kerberos5 support (1=yes 0=no)
+%define kerberos5 1
+
# Reserve options to override askpass settings with:
# rpm -ba|--rebuild --define 'skip_xxx 1'
%{?skip_x11_askpass:%define no_x11_askpass 1}
%define rescue 0
%{?build_rescue:%define rescue 1}
+# Turn off some stuff for resuce builds
+%if %{rescue}
+%define kerberos5 0
+%endif
+
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
Name: openssh
Version: %{ver}
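Review bot: typo in the new comment, `# Turn off some stuff for resuce builds` should read `rescue`. Also, `%define kerberos5 1` is hard-wired and then forced to 0 only for rescue builds; consider exposing it the way the askpass knobs are (`rpm -ba --define 'skip_xxx 1'` above) so packagers can build without kerberos without editing the spec.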
--with-ipv4-default \
%endif
%if %{rescue}
- --without-pam --with-md5-passwords
+ --without-pam --with-md5-passwords \
%else
- --with-pam --with-kerberos5=/usr/kerberos
+ --with-pam \
+%endif
+%if %{kerberos5}
+ --with-kerberos5=/usr/kerberos \
%endif
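Review bot: every line inside these `%if` arms now ends in `\`, including the last one before each `%endif`, so whatever line follows the final `%endif` is joined onto the `%configure` command line by the shell. That is harmless only if it is a blank line; if the next statement is `make`, it becomes a configure argument. Either make sure a deliberate blank line follows the last `%endif` (with a comment saying it is required), or collect the optional flags into a shell variable and pass it once, so the continuation does not depend on what comes next.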
%attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0755,root,root) %dir %{_libexecdir}/openssh
+%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign
+%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
%endif
%if %{scard}
%attr(0755,root,root) %dir %{_datadir}/openssh
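Review bot: `%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign` makes ssh-keysign the single setuid-root binary on the client side now that `ssh` itself drops to 0755 in the next hunk; 4711 rather than 4755 is the right choice, since unprivileged users have no need to read the binary. The `%if` enclosing this entry starts outside the shown context; please confirm its condition cannot be off in a build where hostbased authentication is expected to work, because without the helper a non-setuid ssh cannot sign with the host key.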
%files clients
%defattr(-,root,root)
-%attr(4755,root,root) %{_bindir}/ssh
+%attr(0755,root,root) %{_bindir}/ssh
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
+%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%attr(-,root,root) %{_bindir}/slogin
%attr(-,root,root) %{_mandir}/man1/slogin.1*
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
+%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%endif
%changelog
+* Fri Jun 21 2002 Damien Miller <djm@mindrot.org>
+- Merge in spec changes from seba@iq.pl (Sebastian Pachuta)
+- Add new {ssh,sshd}_config.5 manpages
+- Add new ssh-keysign program and remove setuid from ssh client
+
* Fri May 10 2002 Damien Miller <djm@mindrot.org>
- Merge in spec changes from RedHat, reorgansie a little
- Add Privsep user, group and directory
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
Name: openssh
-Version: 3.2.3p1
+Version: 3.3p1
URL: http://www.openssh.com/
Release: 1
Source0: openssh-%{version}.tar.gz
# define OPENSSL_free(x) Free(x)
#endif
-#if defined(HAVE___func__)
-# define __FUNCTION__ __func__
-#elif !defined(HAVE___FUNCTION__)
-# define __FUNCTION__ ""
+#if !defined(HAVE___func__) && defined(HAVE___FUNCTION__)
+# define __func__ __FUNCTION__
+#elif !defined(HAVE___func__)
+# define __func__ ""
#endif
/*
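Review bot: the fallback now defines `__func__` as `""` when neither HAVE___func__ nor HAVE___FUNCTION__ is set, so every `fatal("%s: ...", __func__)` introduced in this diff degrades to a message starting with `: ` on such compilers. That is acceptable but worth a comment here, and the configure probe behind HAVE___func__ must be a compile test: C99 `__func__` is a predefined identifier, not a macro, so it cannot be detected with `#ifdef`.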
if (waitpid(pid, &ret, 0) == -1)
fatal("Couldn't wait for ssh-rand-helper completion: %s",
- strerror(errno));
+ strerror(errno));
mysignal(SIGCHLD, old_sigchld);
/* We don't mind if the child exits upon a SIGPIPE */
-/* $OpenBSD: kex.h,v 1.30 2002/03/18 17:50:31 provos Exp $ */
+/* $OpenBSD: kex.h,v 1.31 2002/05/16 22:02:50 markus Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
struct Mac {
char *name;
int enabled;
- EVP_MD *md;
+ const EVP_MD *md;
int mac_len;
u_char *key;
int key_len;
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: key.c,v 1.43 2002/03/19 10:49:35 markus Exp $");
+RCSID("$OpenBSD: key.c,v 1.44 2002/05/31 13:16:48 markus Exp $");
#include <openssl/evp.h>
}
}
+/*
+ * key_verify returns 1 for a correct signature, 0 for an incorrect signature
+ * and -1 on error.
+ */
int
key_verify(
Key *key,
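Review bot: the new comment makes the tri-state contract of key_verify() explicit (1 correct, 0 incorrect, -1 error), which is good, but it should also warn callers: any caller written as `if (key_verify(...))` or `!= 0` accepts an error return as a valid signature. Callers must compare `== 1`, and the -1 case (a malformed signature blob) is exactly what a remote party controls. Worth auditing the existing callers against that rule as part of this change.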
-/* $OpenBSD: log.h,v 1.6 2002/02/22 12:20:34 markus Exp $ */
+/* $OpenBSD: log.h,v 1.7 2002/05/19 20:54:52 deraadt Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
SYSLOG_FACILITY_LOCAL5,
SYSLOG_FACILITY_LOCAL6,
SYSLOG_FACILITY_LOCAL7,
- SYSLOG_FACILITY_NOT_SET = -1,
+ SYSLOG_FACILITY_NOT_SET = -1
} SyslogFacility;
typedef enum {
SYSLOG_LEVEL_DEBUG1,
SYSLOG_LEVEL_DEBUG2,
SYSLOG_LEVEL_DEBUG3,
- SYSLOG_LEVEL_NOT_SET = -1,
+ SYSLOG_LEVEL_NOT_SET = -1
} LogLevel;
void log_init(char *, LogLevel, SyslogFacility, int);
*/
#include "includes.h"
-RCSID("$OpenBSD: mac.c,v 1.4 2002/01/25 22:07:40 markus Exp $");
+RCSID("$OpenBSD: mac.c,v 1.5 2002/05/16 22:02:50 markus Exp $");
#include <openssl/hmac.h>
struct {
char *name;
- EVP_MD * (*mdfunc)(void);
+ const EVP_MD * (*mdfunc)(void);
int truncatebits; /* truncate digest if != 0 */
} macs[] = {
{ "hmac-sha1", EVP_sha1, 0, },
*/
#include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.11 2002/05/15 15:47:49 mouring Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.16 2002/06/21 05:50:51 djm Exp $");
#include <openssl/dh.h>
u_int ivinlen;
u_char *ivout;
u_int ivoutlen;
+ u_char *ssh1key;
+ u_int ssh1keylen;
int ssh1cipher;
int ssh1protoflags;
u_char *input;
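Review bot: `ssh1key`/`ssh1keylen` are added to the key-state structure but nothing in this diff shows them being filled, transferred or cleared. The SSH1 session key is the most sensitive item in this structure; wherever it is serialised from monitor to child the buffer should be memset() and freed after use, and the receiving side should check `ssh1keylen` against the selected cipher's key length before installing it. Please include the monitor_wrap.c side in the same change.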
static u_char *hostbased_cuser = NULL;
static u_char *hostbased_chost = NULL;
static char *auth_method = "unknown";
+static int session_id2_len = 0;
+static u_char *session_id2 = NULL;
struct mon_table {
enum monitor_reqtype type;
if (authenticated) {
if (!(ent->flags & MON_AUTHDECIDE))
fatal("%s: unexpected authentication from %d",
- __FUNCTION__, ent->type);
+ __func__, ent->type);
if (authctxt->pw->pw_uid == 0 &&
!auth_root_allowed(auth_method))
authenticated = 0;
}
if (!authctxt->valid)
- fatal("%s: authenticated invalid user", __FUNCTION__);
+ fatal("%s: authenticated invalid user", __func__);
debug("%s: %s has been authenticated by privileged process",
- __FUNCTION__, authctxt->user);
+ __func__, authctxt->user);
mm_get_keystate(pmonitor);
void
monitor_sync(struct monitor *pmonitor)
{
- /* The member allocation is not visible, so sync it */
- mm_share_sync(&pmonitor->m_zlib, &pmonitor->m_zback);
+ if (options.compression) {
+ /* The member allocation is not visible, so sync it */
+ mm_share_sync(&pmonitor->m_zlib, &pmonitor->m_zback);
+ }
}
int
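Review bot: monitor_sync() now skips `mm_share_sync(&pmonitor->m_zlib, &pmonitor->m_zback)` when `options.compression` is off. The code that sets up `m_zlib`/`m_zback` must be guarded by exactly the same condition, otherwise one side allocates shared buffers that are never synced or syncs buffers that were never allocated; the changelog says the initialisation was changed to match, but that hunk is not in this part of the diff, so please double-check the two guards are the same expression.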
mm_request_receive(pmonitor->m_sendfd, &m);
type = buffer_get_char(&m);
- debug3("%s: checking request %d", __FUNCTION__, type);
+ debug3("%s: checking request %d", __func__, type);
while (ent->f != NULL) {
if (ent->type == type)
if (ent->f != NULL) {
if (!(ent->flags & MON_PERMIT))
- fatal("%s: unpermitted request %d", __FUNCTION__,
+ fatal("%s: unpermitted request %d", __func__,
type);
ret = (*ent->f)(pmonitor->m_sendfd, &m);
buffer_free(&m);
/* The child may use this request only once, disable it */
if (ent->flags & MON_ONCE) {
- debug2("%s: %d used once, disabling now", __FUNCTION__,
+ debug2("%s: %d used once, disabling now", __func__,
type);
ent->flags &= ~MON_PERMIT;
}
return ret;
}
- fatal("%s: unsupported request: %d", __FUNCTION__, type);
+ fatal("%s: unsupported request: %d", __func__, type);
/* NOTREACHED */
return (-1);
max = buffer_get_int(m);
debug3("%s: got parameters: %d %d %d",
- __FUNCTION__, min, want, max);
+ __func__, min, want, max);
/* We need to check here, too, in case the child got corrupted */
if (max < min || want < min || max < want)
fatal("%s: bad parameters: %d %d %d",
- __FUNCTION__, min, want, max);
+ __func__, min, want, max);
buffer_clear(m);
u_int siglen, datlen;
int keyid;
- debug3("%s", __FUNCTION__);
+ debug3("%s", __func__);
keyid = buffer_get_int(m);
p = buffer_get_string(m, &datlen);
if (datlen != 20)
- fatal("%s: data length incorrect: %d", __FUNCTION__, datlen);
+ fatal("%s: data length incorrect: %d", __func__, datlen);
+
+ /* save session id, it will be passed on the first call */
+ if (session_id2_len == 0) {
+ session_id2_len = datlen;
+ session_id2 = xmalloc(session_id2_len);
+ memcpy(session_id2, p, session_id2_len);
+ }
if ((key = get_hostkey_by_index(keyid)) == NULL)
- fatal("%s: no hostkey from index %d", __FUNCTION__, keyid);
+ fatal("%s: no hostkey from index %d", __func__, keyid);
if (key_sign(key, &signature, &siglen, p, datlen) < 0)
- fatal("%s: key_sign failed", __FUNCTION__);
+ fatal("%s: key_sign failed", __func__);
- debug3("%s: signature %p(%d)", __FUNCTION__, signature, siglen);
+ debug3("%s: signature %p(%d)", __func__, signature, siglen);
buffer_clear(m);
buffer_put_string(m, signature, siglen);
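Review bot: the monitor records `session_id2` from the first MONITOR_REQ_SIGN it answers, on the assumption that the unprivileged child's first sign request carries the real exchange hash. Nothing here verifies that: a compromised child could send any 20-byte value first and the monitor would thereafter treat it as the session id. If this value is later used to validate other signature requests, the binding is only as strong as the child's honesty at that one point, so either have the monitor compute or verify the hash itself or state the trust assumption plainly in the comment (`/* save session id, it will be passed on the first call */` does not say why that is safe). Minor: the `datlen != 20` check should say it is the SHA-1 length, and `session_id2` is set once and never freed, which is fine for a per-connection value.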
struct passwd *pwent;
int allowed = 0;
- debug3("%s", __FUNCTION__);
+ debug3("%s", __func__);
if (authctxt->attempt++ != 0)
- fatal("%s: multiple attempts for getpwnam", __FUNCTION__);
+ fatal("%s: multiple attempts for getpwnam", __func__);
login = buffer_get_string(m, NULL);
buffer_put_cstring(m, pwent->pw_shell);
out:
- debug3("%s: sending MONITOR_ANS_PWNAM: %d", __FUNCTION__, allowed);
+ debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
mm_request_send(socket, MONITOR_ANS_PWNAM, m);
/* For SSHv1 allow authentication now */
authctxt->service = buffer_get_string(m, NULL);
authctxt->style = buffer_get_string(m, NULL);
debug3("%s: service=%s, style=%s",
- __FUNCTION__, authctxt->service, authctxt->style);
+ __func__, authctxt->service, authctxt->style);
if (strlen(authctxt->style) == 0) {
xfree(authctxt->style);
passwd = buffer_get_string(m, &plen);
/* Only authenticate if the context is valid */
- authenticated = authctxt->valid && auth_password(authctxt, passwd);
+ authenticated = options.password_authentication &&
+ authctxt->valid && auth_password(authctxt, passwd);
memset(passwd, 0, strlen(passwd));
xfree(passwd);
buffer_clear(m);
buffer_put_int(m, authenticated);
- debug3("%s: sending result %d", __FUNCTION__, authenticated);
+ debug3("%s: sending result %d", __func__, authenticated);
mm_request_send(socket, MONITOR_ANS_AUTHPASSWORD, m);
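Review bot: `memset(passwd, 0, strlen(passwd))` zeroes only up to the first NUL, although the exact length is already available in `plen` from `buffer_get_string(m, &plen)`; use `memset(passwd, 0, plen)` so a password blob containing an embedded NUL does not leave its tail in the heap. The new `options.password_authentication &&` gate is the right place for this check: the monitor, not the unprivileged child, must decide whether a disabled method may succeed.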
call_count++;
if (res != -1)
buffer_put_cstring(m, prompts[0]);
- debug3("%s: sending challenge res: %d", __FUNCTION__, res);
+ debug3("%s: sending challenge res: %d", __func__, res);
mm_request_send(socket, MONITOR_ANS_BSDAUTHQUERY, m);
if (res != -1) {
int authok;
if (authctxt->as == 0)
- fatal("%s: no bsd auth session", __FUNCTION__);
+ fatal("%s: no bsd auth session", __func__);
response = buffer_get_string(m, NULL);
- authok = auth_userresponse(authctxt->as, response, 0);
+ authok = options.challenge_response_authentication &&
+ auth_userresponse(authctxt->as, response, 0);
authctxt->as = NULL;
- debug3("%s: <%s> = <%d>", __FUNCTION__, response, authok);
+ debug3("%s: <%s> = <%d>", __func__, response, authok);
xfree(response);
buffer_clear(m);
buffer_put_int(m, authok);
- debug3("%s: sending authenticated: %d", __FUNCTION__, authok);
+ debug3("%s: sending authenticated: %d", __func__, authok);
mm_request_send(socket, MONITOR_ANS_BSDAUTHRESPOND, m);
auth_method = "bsdauth";
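Review bot: `debug3("%s: <%s> = <%d>", __func__, response, authok)` writes the user's challenge response verbatim into the debug log. That value is an authentication secret (a one-time password or similar), so log only `authok` here, matching what the sibling S/Key path does a few lines further down. The `options.challenge_response_authentication &&` gate is otherwise consistent with the password and public-key hunks.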
if (res != -1)
buffer_put_cstring(m, challenge);
- debug3("%s: sending challenge res: %d", __FUNCTION__, res);
+ debug3("%s: sending challenge res: %d", __func__, res);
mm_request_send(socket, MONITOR_ANS_SKEYQUERY, m);
return (0);
response = buffer_get_string(m, NULL);
- authok = (authctxt->valid &&
+ authok = (options.challenge_response_authentication &&
+ authctxt->valid &&
skey_haskey(authctxt->pw->pw_name) == 0 &&
skey_passcheck(authctxt->pw->pw_name, response) != -1);
buffer_clear(m);
buffer_put_int(m, authok);
- debug3("%s: sending authenticated: %d", __FUNCTION__, authok);
+ debug3("%s: sending authenticated: %d", __func__, authok);
mm_request_send(socket, MONITOR_ANS_SKEYRESPOND, m);
auth_method = "skey";
mm_append_debug(Buffer *m)
{
if (auth_debug_init && buffer_len(&auth_debug)) {
- debug3("%s: Appending debug messages for child", __FUNCTION__);
+ debug3("%s: Appending debug messages for child", __func__);
buffer_append(m, buffer_ptr(&auth_debug),
buffer_len(&auth_debug));
buffer_clear(&auth_debug);
enum mm_keytype type = 0;
int allowed = 0;
- debug3("%s entering", __FUNCTION__);
+ debug3("%s entering", __func__);
type = buffer_get_int(m);
cuser = buffer_get_string(m, NULL);
if ((compat20 && type == MM_RSAHOSTKEY) ||
(!compat20 && type != MM_RSAHOSTKEY))
- fatal("%s: key type and protocol mismatch", __FUNCTION__);
+ fatal("%s: key type and protocol mismatch", __func__);
- debug3("%s: key_from_blob: %p", __FUNCTION__, key);
+ debug3("%s: key_from_blob: %p", __func__, key);
if (key != NULL && authctxt->pw != NULL) {
switch(type) {
case MM_USERKEY:
- allowed = user_key_allowed(authctxt->pw, key);
+ allowed = options.pubkey_authentication &&
+ user_key_allowed(authctxt->pw, key);
break;
case MM_HOSTKEY:
- allowed = hostbased_key_allowed(authctxt->pw,
+ allowed = options.hostbased_authentication &&
+ hostbased_key_allowed(authctxt->pw,
cuser, chost, key);
break;
case MM_RSAHOSTKEY:
key->type = KEY_RSA1; /* XXX */
- allowed = auth_rhosts_rsa_key_allowed(authctxt->pw,
+ allowed = options.rhosts_rsa_authentication &&
+ auth_rhosts_rsa_key_allowed(authctxt->pw,
cuser, chost, key);
break;
default:
- fatal("%s: unknown key type %d", __FUNCTION__, type);
+ fatal("%s: unknown key type %d", __func__, type);
break;
}
key_free(key);
}
debug3("%s: key %p is %s",
- __FUNCTION__, key, allowed ? "allowed" : "disallowed");
+ __func__, key, allowed ? "allowed" : "disallowed");
buffer_clear(m);
buffer_put_int(m, allowed);
u_char *p;
u_int len;
int fail = 0;
- int session_id2_len = 20 /*XXX should get from [net] */;
buffer_init(&b);
buffer_append(&b, data, datalen);
if (datafellows & SSH_OLD_SESSIONID) {
+ p = buffer_ptr(&b);
+ len = buffer_len(&b);
+ if ((session_id2 == NULL) ||
+ (len < session_id2_len) ||
+ (memcmp(p, session_id2, session_id2_len) != 0))
+ fail++;
buffer_consume(&b, session_id2_len);
} else {
- xfree(buffer_get_string(&b, &len));
- if (len != session_id2_len)
+ p = buffer_get_string(&b, &len);
+ if ((session_id2 == NULL) ||
+ (len != session_id2_len) ||
+ (memcmp(p, session_id2, session_id2_len) != 0))
fail++;
+ xfree(p);
}
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
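Review bot: in the SSH_OLD_SESSIONID branch, a buffer shorter than session_id2_len sets `fail` but then still reaches the unconditional `buffer_consume(&b, session_id2_len)`, which fatal()s on underflow, so that mismatch kills the monitor instead of being reported as a failed verification. Make the consume conditional on the length check having passed (for example `if (len < session_id2_len) fail++; else if (memcmp(...) != 0) fail++;` with the consume inside the else path). The `else` branch is fine: the short-circuit on `len != session_id2_len` means memcmp never reads past `p`.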
u_char *p;
u_int len;
int fail = 0;
- int session_id2_len = 20 /*XXX should get from [net] */;
buffer_init(&b);
buffer_append(&b, data, datalen);
- xfree(buffer_get_string(&b, &len));
- if (len != session_id2_len)
+ p = buffer_get_string(&b, &len);
+ if ((session_id2 == NULL) ||
+ (len != session_id2_len) ||
+ (memcmp(p, session_id2, session_id2_len) != 0))
fail++;
+ xfree(p);
+
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_string(&b, NULL);
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
!monitor_allowed_key(blob, bloblen))
- fatal("%s: bad key, not previously allowed", __FUNCTION__);
+ fatal("%s: bad key, not previously allowed", __func__);
key = key_from_blob(blob, bloblen);
if (key == NULL)
- fatal("%s: bad public key blob", __FUNCTION__);
+ fatal("%s: bad public key blob", __func__);
switch (key_blobtype) {
case MM_USERKEY:
break;
}
if (!valid_data)
- fatal("%s: bad signature data blob", __FUNCTION__);
+ fatal("%s: bad signature data blob", __func__);
verified = key_verify(key, signature, signaturelen, data, datalen);
debug3("%s: key %p signature %s",
- __FUNCTION__, key, verified ? "verified" : "unverified");
+ __func__, key, verified ? "verified" : "unverified");
key_free(key);
xfree(blob);
buffer_put_int(m, verified);
mm_request_send(socket, MONITOR_ANS_KEYVERIFY, m);
- auth_method = "publickey";
+ auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
return (verified);
}
static void
mm_session_close(Session *s)
{
- debug3("%s: session %d pid %d", __FUNCTION__, s->self, s->pid);
+ debug3("%s: session %d pid %d", __func__, s->self, s->pid);
if (s->ttyfd != -1) {
- debug3("%s: tty %s ptyfd %d", __FUNCTION__, s->tty, s->ptyfd);
+ debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
fatal_remove_cleanup(session_pty_cleanup2, (void *)s);
session_pty_cleanup2(s);
}
Session *s;
int res, fd0;
- debug3("%s entering", __FUNCTION__);
+ debug3("%s entering", __func__);
buffer_clear(m);
s = session_new();
/* We need to trick ttyslot */
if (dup2(s->ttyfd, 0) == -1)
- fatal("%s: dup2", __FUNCTION__);
+ fatal("%s: dup2", __func__);
mm_record_login(s, authctxt->pw);
/* make sure nothing uses fd 0 */
if ((fd0 = open(_PATH_DEVNULL, O_RDONLY)) < 0)
- fatal("%s: open(/dev/null): %s", __FUNCTION__, strerror(errno));
+ fatal("%s: open(/dev/null): %s", __func__, strerror(errno));
if (fd0 != 0)
- error("%s: fd0 %d != 0", __FUNCTION__, fd0);
+ error("%s: fd0 %d != 0", __func__, fd0);
/* slave is not needed */
close(s->ttyfd);
/* no need to dup() because nobody closes ptyfd */
s->ptymaster = s->ptyfd;
- debug3("%s: tty %s ptyfd %d", __FUNCTION__, s->tty, s->ttyfd);
+ debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ttyfd);
return (0);
Session *s;
char *tty;
- debug3("%s entering", __FUNCTION__);
+ debug3("%s entering", __func__);
tty = buffer_get_string(m, NULL);
if ((s = session_by_tty(tty)) != NULL)
monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
if ((p = BN_new()) == NULL)
- fatal("%s: BN_new", __FUNCTION__);
+ fatal("%s: BN_new", __func__);
buffer_get_bignum2(m, p);
{
int i;
- debug3("%s entering", __FUNCTION__);
+ debug3("%s entering", __func__);
if (buffer_len(m) != 16)
- fatal("%s: bad ssh1 session id", __FUNCTION__);
+ fatal("%s: bad ssh1 session id", __func__);
for (i = 0; i < 16; i++)
session_id[i] = buffer_get_char(m);
u_int blen = 0;
int allowed = 0;
- debug3("%s entering", __FUNCTION__);
+ debug3("%s entering", __func__);
- if (authctxt->valid) {
+ if (options.rsa_authentication && authctxt->valid) {
if ((client_n = BN_new()) == NULL)
- fatal("%s: BN_new", __FUNCTION__);
+ fatal("%s: BN_new", __func__);
buffer_get_bignum2(m, client_n);
allowed = auth_rsa_key_allowed(authctxt->pw, client_n, &key);
BN_clear_free(client_n);
if (allowed && key != NULL) {
key->type = KEY_RSA; /* cheat for key_to_blob */
if (key_to_blob(key, &blob, &blen) == 0)
- fatal("%s: key_to_blob failed", __FUNCTION__);
+ fatal("%s: key_to_blob failed", __func__);
buffer_put_string(m, blob, blen);
/* Save temporarily for comparison in verify */
u_char *blob;
u_int blen;
- debug3("%s entering", __FUNCTION__);
+ debug3("%s entering", __func__);
if (!authctxt->valid)
- fatal("%s: authctxt not valid", __FUNCTION__);
+ fatal("%s: authctxt not valid", __func__);
blob = buffer_get_string(m, &blen);
if (!monitor_allowed_key(blob, blen))
- fatal("%s: bad key, not previously allowed", __FUNCTION__);
+ fatal("%s: bad key, not previously allowed", __func__);
if (key_blobtype != MM_RSAUSERKEY && key_blobtype != MM_RSAHOSTKEY)
- fatal("%s: key type mismatch", __FUNCTION__);
+ fatal("%s: key type mismatch", __func__);
if ((key = key_from_blob(blob, blen)) == NULL)
- fatal("%s: received bad key", __FUNCTION__);
+ fatal("%s: received bad key", __func__);
if (ssh1_challenge)
BN_clear_free(ssh1_challenge);
buffer_clear(m);
buffer_put_bignum2(m, ssh1_challenge);
- debug3("%s sending reply", __FUNCTION__);
+ debug3("%s sending reply", __func__);
mm_request_send(socket, MONITOR_ANS_RSACHALLENGE, m);
monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1);
u_int blen, len;
int success;
- debug3("%s entering", __FUNCTION__);
+ debug3("%s entering", __func__);
if (!authctxt->valid)
- fatal("%s: authctxt not valid", __FUNCTION__);
+ fatal("%s: authctxt not valid", __func__);
if (ssh1_challenge == NULL)
- fatal("%s: no ssh1_challenge", __FUNCTION__);
+ fatal("%s: no ssh1_challenge", __func__);
blob = buffer_get_string(m, &blen);
if (!monitor_allowed_key(blob, blen))
- fatal("%s: bad key, not previously allowed", __FUNCTION__);
+ fatal("%s: bad key, not previously allowed", __func__);
if (key_blobtype != MM_RSAUSERKEY && key_blobtype != MM_RSAHOSTKEY)
- fatal("%s: key type mismatch: %d", __FUNCTION__, key_blobtype);
+ fatal("%s: key type mismatch: %d", __func__, key_blobtype);
if ((key = key_from_blob(blob, blen)) == NULL)
- fatal("%s: received bad key", __FUNCTION__);
+ fatal("%s: received bad key", __func__);
response = buffer_get_string(m, &len);
if (len != 16)
- fatal("%s: received bad response to challenge", __FUNCTION__);
+ fatal("%s: received bad response to challenge", __func__);
success = auth_rsa_verify_response(key, ssh1_challenge, response);
key_free(key);
extern struct monitor *pmonitor;
int res, status;
- debug3("%s: tearing down sessions", __FUNCTION__);
+ debug3("%s: tearing down sessions", __func__);
/* The child is terminating */
session_destroy_all(&mm_session_close);
set_newkeys(MODE_IN);
set_newkeys(MODE_OUT);
} else {
- u_char key[SSH_SESSION_KEY_LENGTH];
-
- memset(key, 'a', sizeof(key));
packet_set_protocol_flags(child_state.ssh1protoflags);
- packet_set_encryption_key(key, SSH_SESSION_KEY_LENGTH,
- child_state.ssh1cipher);
+ packet_set_encryption_key(child_state.ssh1key,
+ child_state.ssh1keylen, child_state.ssh1cipher);
+ xfree(child_state.ssh1key);
}
+ /* for rc4 and other stateful ciphers */
packet_set_keycontext(MODE_OUT, child_state.keyout);
xfree(child_state.keyout);
packet_set_keycontext(MODE_IN, child_state.keyin);
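Review bot: `xfree(child_state.ssh1key)` releases the SSH1 session key without zeroing it first, while the sending side in monitor_wrap.c does `memset(key, 0, keylen)` before its xfree; add `memset(child_state.ssh1key, 0, child_state.ssh1keylen)` before the free so the monitor handles the key the same way. Replacing the previous `memset(key, 'a', ...)` placeholder with the real key from the child is the actual fix here and reads correctly.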
sizeof(outgoing_stream));
/* Update with new address */
- mm_init_compression(pmonitor->m_zlib);
+ if (options.compression)
+ mm_init_compression(pmonitor->m_zlib);
/* Network I/O buffers */
/* XXX inefficient for large buffers, need: buffer_init_from_string */
kex = xmalloc(sizeof(*kex));
memset(kex, 0, sizeof(*kex));
kex->session_id = buffer_get_string(m, &kex->session_id_len);
+ if ((session_id2 == NULL) ||
+ (kex->session_id_len != session_id2_len) ||
+ (memcmp(kex->session_id, session_id2, session_id2_len) != 0))
+ fatal("mm_get_get: internal error: bad session id");
kex->we_need = buffer_get_int(m);
kex->server = 1;
kex->hostkey_type = buffer_get_int(m);
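Review bot: the new fatal message reads `"mm_get_get: internal error: bad session id"`, which is not this function's name; use `"%s: ..."` with `__func__` as the rest of this patch does so the log line identifies where the session id mismatch was detected.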
u_char *blob, *p;
u_int bloblen, plen;
- debug3("%s: Waiting for new keys", __FUNCTION__);
+ debug3("%s: Waiting for new keys", __func__);
buffer_init(&m);
mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT, &m);
if (!compat20) {
child_state.ssh1protoflags = buffer_get_int(&m);
child_state.ssh1cipher = buffer_get_int(&m);
+ child_state.ssh1key = buffer_get_string(&m,
+ &child_state.ssh1keylen);
child_state.ivout = buffer_get_string(&m,
&child_state.ivoutlen);
child_state.ivin = buffer_get_string(&m, &child_state.ivinlen);
current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
xfree(blob);
- debug3("%s: Waiting for second key", __FUNCTION__);
+ debug3("%s: Waiting for second key", __func__);
blob = buffer_get_string(&m, &bloblen);
current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen);
xfree(blob);
child_state.keyout = buffer_get_string(&m, &child_state.keyoutlen);
child_state.keyin = buffer_get_string(&m, &child_state.keyinlen);
- debug3("%s: Getting compression state", __FUNCTION__);
+ debug3("%s: Getting compression state", __func__);
/* Get compression state */
p = buffer_get_string(&m, &plen);
if (plen != sizeof(child_state.outgoing))
- fatal("%s: bad request size", __FUNCTION__);
+ fatal("%s: bad request size", __func__);
memcpy(&child_state.outgoing, p, sizeof(child_state.outgoing));
xfree(p);
p = buffer_get_string(&m, &plen);
if (plen != sizeof(child_state.incoming))
- fatal("%s: bad request size", __FUNCTION__);
+ fatal("%s: bad request size", __func__);
memcpy(&child_state.incoming, p, sizeof(child_state.incoming));
xfree(p);
/* Network I/O buffers */
- debug3("%s: Getting Network I/O buffers", __FUNCTION__);
+ debug3("%s: Getting Network I/O buffers", __func__);
child_state.input = buffer_get_string(&m, &child_state.ilen);
child_state.output = buffer_get_string(&m, &child_state.olen);
{
#ifdef HAVE_SOCKETPAIR
if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1)
- fatal("%s: socketpair", __FUNCTION__);
+ fatal("%s: socketpair", __func__);
#else
fatal("%s: UsePrivilegeSeparation=yes not supported",
- __FUNCTION__);
+ __func__);
#endif
FD_CLOSEONEXEC(pair[0]);
FD_CLOSEONEXEC(pair[1]);
mon->m_sendfd = pair[1];
/* Used to share zlib space across processes */
- mon->m_zback = mm_create(NULL, MM_MEMSIZE);
- mon->m_zlib = mm_create(mon->m_zback, 20 * MM_MEMSIZE);
+ if (options.compression) {
+ mon->m_zback = mm_create(NULL, MM_MEMSIZE);
+ mon->m_zlib = mm_create(mon->m_zback, 20 * MM_MEMSIZE);
- /* Compression needs to share state across borders */
- mm_init_compression(mon->m_zlib);
+ /* Compression needs to share state across borders */
+ mm_init_compression(mon->m_zlib);
+ }
return mon;
}
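Review bot: when `options.compression` is off, `mon->m_zback` and `mon->m_zlib` are now left unset; unless `mon` is zeroed at allocation (not visible in this hunk), add an else branch that sets both to NULL so any remaining unguarded use of `pmonitor->m_zlib` fails loudly instead of dereferencing garbage. The matching `if (options.compression)` guard around `mm_init_compression` in mm_get_keystate is then the only consumer that needs to agree with this.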
-/* $OpenBSD: monitor.h,v 1.4 2002/05/12 23:53:45 djm Exp $ */
+/* $OpenBSD: monitor.h,v 1.6 2002/06/11 05:46:20 mpech Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
MONITOR_REQ_PAM_START,
- MONITOR_REQ_TERM,
+ MONITOR_REQ_TERM
};
struct mm_master;
struct mm_master *m_zback;
struct mm_master *m_zlib;
struct Kex **m_pkex;
- int m_pid;
+ pid_t m_pid;
};
struct monitor *monitor_init(void);
*/
#include "includes.h"
-RCSID("$OpenBSD: monitor_fdpass.c,v 1.2 2002/03/24 17:53:16 stevesk Exp $");
+RCSID("$OpenBSD: monitor_fdpass.c,v 1.3 2002/06/04 23:05:49 markus Exp $");
#include <sys/uio.h>
msg.msg_iovlen = 1;
if ((n = sendmsg(socket, &msg, 0)) == -1)
- fatal("%s: sendmsg(%d): %s", __FUNCTION__, fd,
+ fatal("%s: sendmsg(%d): %s", __func__, fd,
strerror(errno));
if (n != 1)
fatal("%s: sendmsg: expected sent 1 got %d",
- __FUNCTION__, n);
+ __func__, n);
#else
fatal("%s: UsePrivilegeSeparation=yes not supported",
- __FUNCTION__);
+ __func__);
#endif
}
#endif
if ((n = recvmsg(socket, &msg, 0)) == -1)
- fatal("%s: recvmsg: %s", __FUNCTION__, strerror(errno));
+ fatal("%s: recvmsg: %s", __func__, strerror(errno));
if (n != 1)
fatal("%s: recvmsg: expected received 1 got %d",
- __FUNCTION__, n);
+ __func__, n);
#ifdef HAVE_ACCRIGHTS_IN_MSGHDR
if (msg.msg_accrightslen != sizeof(fd))
- fatal("%s: no fd", __FUNCTION__);
+ fatal("%s: no fd", __func__);
#else
cmsg = CMSG_FIRSTHDR(&msg);
if (cmsg->cmsg_type != SCM_RIGHTS)
- fatal("%s: expected type %d got %d", __FUNCTION__,
+ fatal("%s: expected type %d got %d", __func__,
SCM_RIGHTS, cmsg->cmsg_type);
fd = (*(int *)CMSG_DATA(cmsg));
#endif
return fd;
#else
fatal("%s: UsePrivilegeSeparation=yes not supported",
- __FUNCTION__);
+ __func__);
#endif
}
*/
#include "includes.h"
-RCSID("$OpenBSD: monitor_mm.c,v 1.4 2002/03/25 20:12:10 stevesk Exp $");
+RCSID("$OpenBSD: monitor_mm.c,v 1.6 2002/06/04 23:05:49 markus Exp $");
#ifdef HAVE_SYS_MMAN_H
#include <sys/mman.h>
address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
-1, 0);
if (address == MAP_FAILED)
- fatal("mmap(%lu)", (u_long)size);
+ fatal("mmap(%lu): %s", (u_long)size, strerror(errno));
#else
fatal("%s: UsePrivilegeSeparation=yes not supported",
- __FUNCTION__);
+ __func__);
#endif
mm->address = address;
#ifdef HAVE_MMAP
if (munmap(mm->address, mm->size) == -1)
- fatal("munmap(%p, %lu)", mm->address, (u_long)mm->size);
+ fatal("munmap(%p, %lu): %s", mm->address, (u_long)mm->size,
+ strerror(errno));
#else
fatal("%s: UsePrivilegeSeparation=yes not supported",
- __FUNCTION__);
+ __func__);
#endif
if (mm->mmalloc == NULL)
xfree(mm);
address = mm_malloc(mm, size);
if (address == NULL)
- fatal("%s: mm_malloc(%lu)", __FUNCTION__, (u_long)size);
+ fatal("%s: mm_malloc(%lu)", __func__, (u_long)size);
return (address);
}
struct mm_master *mmold;
struct mmtree rb_free, rb_allocated;
- debug3("%s: Share sync", __FUNCTION__);
+ debug3("%s: Share sync", __func__);
mm = *pmm;
mmold = mm->mmalloc;
*pmm = mm;
*pmmalloc = mmalloc;
- debug3("%s: Share sync end", __FUNCTION__);
+ debug3("%s: Share sync end", __func__);
}
void
*/
#include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.7 2002/05/15 15:47:49 mouring Exp $");
+RCSID("$OpenBSD: monitor_wrap.c,v 1.11 2002/06/19 18:01:00 markus Exp $");
#include <openssl/bn.h>
#include <openssl/dh.h>
u_char buf[5];
u_int mlen = buffer_len(m);
- debug3("%s entering: type %d", __FUNCTION__, type);
+ debug3("%s entering: type %d", __func__, type);
PUT_32BIT(buf, mlen + 1);
- buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */
+ buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */
if (atomicio(write, socket, buf, sizeof(buf)) != sizeof(buf))
- fatal("%s: write", __FUNCTION__);
+ fatal("%s: write", __func__);
if (atomicio(write, socket, buffer_ptr(m), mlen) != mlen)
- fatal("%s: write", __FUNCTION__);
+ fatal("%s: write", __func__);
}
void
ssize_t res;
u_int msg_len;
- debug3("%s entering", __FUNCTION__);
+ debug3("%s entering", __func__);
res = atomicio(read, socket, buf, sizeof(buf));
if (res != sizeof(buf)) {
if (res == 0)
fatal_cleanup();
- fatal("%s: read: %ld", __FUNCTION__, (long)res);
+ fatal("%s: read: %ld", __func__, (long)res);
}
msg_len = GET_32BIT(buf);
if (msg_len > 256 * 1024)
- fatal("%s: read: bad msg_len %d", __FUNCTION__, msg_len);
+ fatal("%s: read: bad msg_len %d", __func__, msg_len);
buffer_clear(m);
buffer_append_space(m, msg_len);
res = atomicio(read, socket, buffer_ptr(m), msg_len);
if (res != msg_len)
- fatal("%s: read: %ld != msg_len", __FUNCTION__, (long)res);
+ fatal("%s: read: %ld != msg_len", __func__, (long)res);
}
void
{
u_char rtype;
- debug3("%s entering: type %d", __FUNCTION__, type);
+ debug3("%s entering: type %d", __func__, type);
mm_request_receive(socket, m);
rtype = buffer_get_char(m);
if (rtype != type)
- fatal("%s: read: rtype %d != type %d", __FUNCTION__,
+ fatal("%s: read: rtype %d != type %d", __func__,
rtype, type);
}
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_MODULI, &m);
- debug3("%s: waiting for MONITOR_ANS_MODULI", __FUNCTION__);
+ debug3("%s: waiting for MONITOR_ANS_MODULI", __func__);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_MODULI, &m);
success = buffer_get_char(&m);
if (success == 0)
- fatal("%s: MONITOR_ANS_MODULI failed", __FUNCTION__);
+ fatal("%s: MONITOR_ANS_MODULI failed", __func__);
if ((p = BN_new()) == NULL)
- fatal("%s: BN_new failed", __FUNCTION__);
+ fatal("%s: BN_new failed", __func__);
if ((g = BN_new()) == NULL)
- fatal("%s: BN_new failed", __FUNCTION__);
+ fatal("%s: BN_new failed", __func__);
buffer_get_bignum2(&m, p);
buffer_get_bignum2(&m, g);
- debug3("%s: remaining %d", __FUNCTION__, buffer_len(&m));
+ debug3("%s: remaining %d", __func__, buffer_len(&m));
buffer_free(&m);
return (dh_new_group(g, p));
Kex *kex = *pmonitor->m_pkex;
Buffer m;
- debug3("%s entering", __FUNCTION__);
+ debug3("%s entering", __func__);
buffer_init(&m);
buffer_put_int(&m, kex->host_key_index(key));
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SIGN, &m);
- debug3("%s: waiting for MONITOR_ANS_SIGN", __FUNCTION__);
+ debug3("%s: waiting for MONITOR_ANS_SIGN", __func__);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SIGN, &m);
*sigp = buffer_get_string(&m, lenp);
buffer_free(&m);
struct passwd *pw;
u_int pwlen;
- debug3("%s entering", __FUNCTION__);
+ debug3("%s entering", __func__);
buffer_init(&m);
buffer_put_cstring(&m, login);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PWNAM, &m);
- debug3("%s: waiting for MONITOR_ANS_PWNAM", __FUNCTION__);
+ debug3("%s: waiting for MONITOR_ANS_PWNAM", __func__);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PWNAM, &m);
if (buffer_get_char(&m) == 0) {
}
pw = buffer_get_string(&m, &pwlen);
if (pwlen != sizeof(struct passwd))
- fatal("%s: struct passwd size mismatch", __FUNCTION__);
+ fatal("%s: struct passwd size mismatch", __func__);
pw->pw_name = buffer_get_string(&m, NULL);
pw->pw_passwd = buffer_get_string(&m, NULL);
pw->pw_gecos = buffer_get_string(&m, NULL);
Buffer m;
char *banner;
- debug3("%s entering", __FUNCTION__);
+ debug3("%s entering", __func__);
buffer_init(&m);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTH2_READ_BANNER, &m);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTH2_READ_BANNER, &m);
banner = buffer_get_string(&m, NULL);
buffer_free(&m);
-
+
return (banner);
}
{
Buffer m;
- debug3("%s entering", __FUNCTION__);
+ debug3("%s entering", __func__);
buffer_init(&m);
buffer_put_cstring(&m, service);
Buffer m;
int authenticated = 0;
- debug3("%s entering", __FUNCTION__);
+ debug3("%s entering", __func__);
buffer_init(&m);
buffer_put_cstring(&m, password);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHPASSWORD, &m);
- debug3("%s: waiting for MONITOR_ANS_AUTHPASSWORD", __FUNCTION__);
+ debug3("%s: waiting for MONITOR_ANS_AUTHPASSWORD", __func__);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHPASSWORD, &m);
authenticated = buffer_get_int(&m);
buffer_free(&m);
debug3("%s: user %sauthenticated",
- __FUNCTION__, authenticated ? "" : "not ");
+ __func__, authenticated ? "" : "not ");
return (authenticated);
}
while (buffer_len(m)) {
msg = buffer_get_string(m, NULL);
- debug3("%s: Sending debug: %s", __FUNCTION__, msg);
+ debug3("%s: Sending debug: %s", __func__, msg);
packet_send_debug("%s", msg);
xfree(msg);
}
u_int len;
int allowed = 0;
- debug3("%s entering", __FUNCTION__);
+ debug3("%s entering", __func__);
/* Convert the key to a blob and the pass it over */
if (!key_to_blob(key, &blob, &len))
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m);
- debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __FUNCTION__);
+ debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __func__);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYALLOWED, &m);
allowed = buffer_get_int(&m);
u_int len;
int verified = 0;
- debug3("%s entering", __FUNCTION__);
+ debug3("%s entering", __func__);
/* Convert the key to a blob and the pass it over */
if (!key_to_blob(key, &blob, &len))
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m);
- debug3("%s: waiting for MONITOR_ANS_KEYVERIFY", __FUNCTION__);
+ debug3("%s: waiting for MONITOR_ANS_KEYVERIFY", __func__);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYVERIFY, &m);
verified = buffer_get_int(&m);
Mac *mac;
Comp *comp;
- debug3("%s: %p(%d)", __FUNCTION__, blob, blen);
+ debug3("%s: %p(%d)", __func__, blob, blen);
#ifdef DEBUG_PK
dump_base64(stderr, blob, blen);
#endif
enc->key = buffer_get_string(&b, &enc->key_len);
enc->iv = buffer_get_string(&b, &len);
if (len != enc->block_size)
- fatal("%s: bad ivlen: expected %d != %d", __FUNCTION__,
+ fatal("%s: bad ivlen: expected %d != %d", __func__,
enc->block_size, len);
if (enc->name == NULL || cipher_by_name(enc->name) != enc->cipher)
- fatal("%s: bad cipher name %s or pointer %p", __FUNCTION__,
+ fatal("%s: bad cipher name %s or pointer %p", __func__,
enc->name, enc->cipher);
/* Mac structure */
mac->name = buffer_get_string(&b, NULL);
if (mac->name == NULL || mac_init(mac, mac->name) == -1)
- fatal("%s: can not init mac %s", __FUNCTION__, mac->name);
+ fatal("%s: can not init mac %s", __func__, mac->name);
mac->enabled = buffer_get_int(&b);
mac->key = buffer_get_string(&b, &len);
if (len > mac->key_len)
- fatal("%s: bad mac key lenght: %d > %d", __FUNCTION__, len,
+ fatal("%s: bad mac key length: %d > %d", __func__, len,
mac->key_len);
mac->key_len = len;
Comp *comp;
Newkeys *newkey = newkeys[mode];
- debug3("%s: converting %p", __FUNCTION__, newkey);
+ debug3("%s: converting %p", __func__, newkey);
if (newkey == NULL) {
- error("%s: newkey == NULL", __FUNCTION__);
+ error("%s: newkey == NULL", __func__);
return 0;
}
enc = &newkey->enc;
if (!compat20) {
u_char iv[24];
- int ivlen;
+ u_char *key;
+ u_int ivlen, keylen;
buffer_put_int(&m, packet_get_protocol_flags());
buffer_put_int(&m, packet_get_ssh1_cipher());
- debug3("%s: Sending ssh1 IV", __FUNCTION__);
+ debug3("%s: Sending ssh1 KEY+IV", __func__);
+ keylen = packet_get_encryption_key(NULL);
+ key = xmalloc(keylen+1); /* add 1 if keylen == 0 */
+ keylen = packet_get_encryption_key(key);
+ buffer_put_string(&m, key, keylen);
+ memset(key, 0, keylen);
+ xfree(key);
+
ivlen = packet_get_keyiv_len(MODE_OUT);
packet_get_keyiv(MODE_OUT, iv, ivlen);
buffer_put_string(&m, iv, ivlen);
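Review bot: `keylen` is first obtained from `packet_get_encryption_key(NULL)` to size the allocation, then overwritten by the return value of `packet_get_encryption_key(key)`; if the two ever disagreed, the copy into the `keylen+1` buffer would overflow and `buffer_put_string` would read the larger length. Check that the second return equals the first (fatal otherwise), or keep the original value for the allocation and assert on the second. Zeroing the key before `xfree` is the right thing and should be mirrored on the receiving side in monitor.c.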
}
debug3("%s: Sending new keys: %p %p",
- __FUNCTION__, newkeys[MODE_OUT], newkeys[MODE_IN]);
+ __func__, newkeys[MODE_OUT], newkeys[MODE_IN]);
/* Keys from Kex */
if (!mm_newkeys_to_blob(MODE_OUT, &blob, &bloblen))
- fatal("%s: conversion of newkeys failed", __FUNCTION__);
+ fatal("%s: conversion of newkeys failed", __func__);
buffer_put_string(&m, blob, bloblen);
xfree(blob);
if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen))
- fatal("%s: conversion of newkeys failed", __FUNCTION__);
+ fatal("%s: conversion of newkeys failed", __func__);
buffer_put_string(&m, blob, bloblen);
xfree(blob);
buffer_put_int(&m, packet_get_seqnr(MODE_OUT));
buffer_put_int(&m, packet_get_seqnr(MODE_IN));
- debug3("%s: New keys have been sent", __FUNCTION__);
+ debug3("%s: New keys have been sent", __func__);
skip:
/* More key context */
plen = packet_get_keycontext(MODE_OUT, NULL);
xfree(p);
/* Compression state */
- debug3("%s: Sending compression state", __FUNCTION__);
+ debug3("%s: Sending compression state", __func__);
buffer_put_string(&m, &outgoing_stream, sizeof(outgoing_stream));
buffer_put_string(&m, &incoming_stream, sizeof(incoming_stream));
buffer_put_string(&m, buffer_ptr(&output), buffer_len(&output));
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYEXPORT, &m);
- debug3("%s: Finished sending state", __FUNCTION__);
+ debug3("%s: Finished sending state", __func__);
buffer_free(&m);
}
buffer_init(&m);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTY, &m);
- debug3("%s: waiting for MONITOR_ANS_PTY", __FUNCTION__);
+ debug3("%s: waiting for MONITOR_ANS_PTY", __func__);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PTY, &m);
success = buffer_get_int(&m);
if (success == 0) {
- debug3("%s: pty alloc failed", __FUNCTION__);
+ debug3("%s: pty alloc failed", __func__);
buffer_free(&m);
return (0);
}
{
Buffer m;
- debug3("%s entering", __FUNCTION__);
+ debug3("%s entering", __func__);
buffer_init(&m);
buffer_put_cstring(&m, user);
mm_chall_setup(char **name, char **infotxt, u_int *numprompts,
char ***prompts, u_int **echo_on)
{
- *name = xstrdup("");
- *infotxt = xstrdup("");
+ *name = xstrdup("");
+ *infotxt = xstrdup("");
*numprompts = 1;
*prompts = xmalloc(*numprompts * sizeof(char*));
*echo_on = xmalloc(*numprompts * sizeof(u_int));
int res;
char *challenge;
- debug3("%s: entering", __FUNCTION__);
+ debug3("%s: entering", __func__);
buffer_init(&m);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHQUERY, &m);
&m);
res = buffer_get_int(&m);
if (res == -1) {
- debug3("%s: no challenge", __FUNCTION__);
+ debug3("%s: no challenge", __func__);
buffer_free(&m);
return (-1);
}
mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);
(*prompts)[0] = challenge;
- debug3("%s: received challenge: %s", __FUNCTION__, challenge);
+ debug3("%s: received challenge: %s", __func__, challenge);
return (0);
}
Buffer m;
int authok;
- debug3("%s: entering", __FUNCTION__);
+ debug3("%s: entering", __func__);
if (numresponses != 1)
return (-1);
int len, res;
char *p, *challenge;
- debug3("%s: entering", __FUNCTION__);
+ debug3("%s: entering", __func__);
buffer_init(&m);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYQUERY, &m);
&m);
res = buffer_get_int(&m);
if (res == -1) {
- debug3("%s: no challenge", __FUNCTION__);
+ debug3("%s: no challenge", __func__);
buffer_free(&m);
return (-1);
}
challenge = buffer_get_string(&m, NULL);
buffer_free(&m);
- debug3("%s: received challenge: %s", __FUNCTION__, challenge);
+ debug3("%s: received challenge: %s", __func__, challenge);
mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);
Buffer m;
int authok;
- debug3("%s: entering", __FUNCTION__);
+ debug3("%s: entering", __func__);
if (numresponses != 1)
return (-1);
Buffer m;
int i;
- debug3("%s entering", __FUNCTION__);
+ debug3("%s entering", __func__);
buffer_init(&m);
for (i = 0; i < 16; i++)
u_int blen;
int allowed = 0;
- debug3("%s entering", __FUNCTION__);
+ debug3("%s entering", __func__);
buffer_init(&m);
buffer_put_bignum2(&m, client_n);
if (allowed && rkey != NULL) {
blob = buffer_get_string(&m, &blen);
if ((key = key_from_blob(blob, blen)) == NULL)
- fatal("%s: key_from_blob failed", __FUNCTION__);
+ fatal("%s: key_from_blob failed", __func__);
*rkey = key;
xfree(blob);
}
u_char *blob;
u_int blen;
- debug3("%s entering", __FUNCTION__);
+ debug3("%s entering", __func__);
if ((challenge = BN_new()) == NULL)
- fatal("%s: BN_new failed", __FUNCTION__);
+ fatal("%s: BN_new failed", __func__);
key->type = KEY_RSA; /* XXX cheat for key_to_blob */
if (key_to_blob(key, &blob, &blen) == 0)
- fatal("%s: key_to_blob failed", __FUNCTION__);
+ fatal("%s: key_to_blob failed", __func__);
key->type = KEY_RSA1;
buffer_init(&m);
u_int blen;
int success = 0;
- debug3("%s entering", __FUNCTION__);
+ debug3("%s entering", __func__);
key->type = KEY_RSA; /* XXX cheat for key_to_blob */
if (key_to_blob(key, &blob, &blen) == 0)
- fatal("%s: key_to_blob failed", __FUNCTION__);
+ fatal("%s: key_to_blob failed", __func__);
key->type = KEY_RSA1;
buffer_init(&m);
--- /dev/null
+/*
+ * Copyright (c) 2002 Markus Friedl. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+RCSID("$OpenBSD: msg.c,v 1.2 2002/06/19 00:27:55 deraadt Exp $");
+
+#include "buffer.h"
+#include "getput.h"
+#include "log.h"
+#include "atomicio.h"
+#include "msg.h"
+
+void
+msg_send(int fd, u_char type, Buffer *m)
+{
+ u_char buf[5];
+ u_int mlen = buffer_len(m);
+
+ debug3("msg_send: type %d", type);
+
+ PUT_32BIT(buf, mlen + 1);
+ buf[4] = type; /* 1st byte of payload is mesg-type */
+ if (atomicio(write, fd, buf, sizeof(buf)) != sizeof(buf))
+ fatal("msg_send: write");
+ if (atomicio(write, fd, buffer_ptr(m), mlen) != mlen)
+ fatal("msg_send: write");
+}
+
+int
+msg_recv(int fd, Buffer *m)
+{
+ u_char buf[4];
+ ssize_t res;
+ u_int msg_len;
+
+ debug3("msg_recv entering");
+
+ res = atomicio(read, fd, buf, sizeof(buf));
+ if (res != sizeof(buf)) {
+ if (res == 0)
+ return -1;
+ fatal("msg_recv: read: header %d", res);
+ }
+ msg_len = GET_32BIT(buf);
+ if (msg_len > 256 * 1024)
+ fatal("msg_recv: read: bad msg_len %d", msg_len);
+ buffer_clear(m);
+ buffer_append_space(m, msg_len);
+ res = atomicio(read, fd, buffer_ptr(m), msg_len);
+ if (res != msg_len)
+ fatal("msg_recv: read: %ld != msg_len", (long)res);
+ return 0;
+}
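Review bot: in msg_recv() the header-read error path prints the ssize_t `res` with `%d` (`fatal("msg_recv: read: header %d", res);`) while the body-read path a few lines below casts it (`(long)res`) and uses `%ld`; make the first match the second. The comparison `res != msg_len` also mixes a signed ssize_t with an unsigned u_int; it works because res is either a short count or the full length here, but `(size_t)res != msg_len` would say so. The `msg_len > 256 * 1024` cap before buffer_append_space() is the bound that makes the allocation safe against a hostile peer and should stay exactly where it is, before any use of msg_len.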
--- /dev/null
+/* $OpenBSD: msg.h,v 1.1 2002/05/23 19:24:30 markus Exp $ */
+/*
+ * Copyright (c) 2002 Markus Friedl. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef SSH_MSG_H
+#define SSH_MSG_H
+
+void msg_send(int, u_char, Buffer *);
+int msg_recv(int, Buffer *);
+
+#endif
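Review bot: msg.h uses the Buffer type in both prototypes but does not include buffer.h, so it only compiles when every includer has pulled in buffer.h first (msg.c does, in the right order). Either include "buffer.h" here or state the ordering requirement in a comment so the next consumer does not trip over it.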
*/
#include "includes.h"
-RCSID("$OpenBSD: nchan.c,v 1.45 2002/03/25 21:13:51 markus Exp $");
+RCSID("$OpenBSD: nchan.c,v 1.47 2002/06/19 00:27:55 deraadt Exp $");
#include "ssh1.h"
#include "ssh2.h"
else
chan_rcvd_ieof1(c);
if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN &&
- buffer_len(&c->output) == 0 &&
+ buffer_len(&c->output) == 0 &&
!CHANNEL_EFD_OUTPUT_ACTIVE(c))
chan_obuf_empty(c);
}
c->extended_usage == CHAN_EXTENDED_WRITE &&
c->efd != -1 &&
buffer_len(&c->extended) > 0) {
- debug2("channel %d: active efd: %d len %d",
- c->self, c->efd, buffer_len(&c->extended));
+ debug2("channel %d: active efd: %d len %d",
+ c->self, c->efd, buffer_len(&c->extended));
return 0;
}
if (!(c->flags & CHAN_CLOSE_SENT)) {
}
#endif /* HAVE_TRUNCATE */
+#if !defined(HAVE_SETGROUPS) && defined(SETGROUPS_NOOP)
+/*
+ * Cygwin setgroups should be a noop.
+ */
+int
+setgroups(size_t size, const gid_t *list)
+{
+ return 0;
+}
+#endif
+
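Review bot: a no-op setgroups() returns success without clearing the supplementary group list, which is the intent on Cygwin where the list has no meaning, but the guard `!defined(HAVE_SETGROUPS) && defined(SETGROUPS_NOOP)` hands the same silent success to any platform that defines SETGROUPS_NOOP. Confirm that configure only defines it for Cygwin and say so in the comment, because on a real Unix a setgroups() that lies about dropping groups would defeat the privilege drop that calls it.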
int truncate (const char *path, off_t length);
#endif /* HAVE_TRUNCATE */
+#if !defined(HAVE_SETGROUPS) && defined(SETGROUPS_NOOP)
+int setgroups(size_t size, const gid_t *list);
+#endif
+
+
#endif /* _BSD_MISC_H */
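Review bot: two consecutive blank lines are added before `#endif /* _BSD_MISC_H */`; one is enough.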
#ifdef _AIX
-#ifdef HAVE_USERSEC_H
-#include <usersec.h>
-#endif /* HAVE_USERSEC_H */
-
#include <uinfo.h>
#include <../xmalloc.h>
-/* AIX limits */
-#if defined(HAVE_GETUSERATTR) && !defined(S_UFSIZE_HARD) && defined(S_UFSIZE)
-# define S_UFSIZE_HARD S_UFSIZE "_hard"
-# define S_UCPU_HARD S_UCPU "_hard"
-# define S_UDATA_HARD S_UDATA "_hard"
-# define S_USTACK_HARD S_USTACK "_hard"
-# define S_URSS_HARD S_URSS "_hard"
-# define S_UCORE_HARD S_UCORE "_hard"
-# define S_UNOFILE_HARD S_UNOFILE "_hard"
-#endif
-
-#if defined(HAVE_GETUSERATTR)
-/*
- * AIX-specific login initialisation
- */
-void
-set_limit(char *user, char *soft, char *hard, int resource, int mult)
-{
- struct rlimit rlim;
- int slim, hlim;
-
- getrlimit(resource, &rlim);
-
- slim = 0;
- if (getuserattr(user, soft, &slim, SEC_INT) != -1) {
- if (slim < 0) {
- rlim.rlim_cur = RLIM_INFINITY;
- } else if (slim != 0) {
- /* See the wackiness below */
- if (rlim.rlim_cur == slim * mult)
- slim = 0;
- else
- rlim.rlim_cur = slim * mult;
- }
- }
- hlim = 0;
- if (getuserattr(user, hard, &hlim, SEC_INT) != -1) {
- if (hlim < 0) {
- rlim.rlim_max = RLIM_INFINITY;
- } else if (hlim != 0) {
- rlim.rlim_max = hlim * mult;
- }
- }
-
- /*
- * XXX For cpu and fsize the soft limit is set to the hard limit
- * if the hard limit is left at its default value and the soft limit
- * is changed from its default value, either by requesting it
- * (slim == 0) or by setting it to the current default. At least
- * that's how rlogind does it. If you're confused you're not alone.
- * Bug or feature? AIX 4.3.1.2
- */
- if ((!strcmp(soft, "fsize") || !strcmp(soft, "cpu"))
- && hlim == 0 && slim != 0)
- rlim.rlim_max = rlim.rlim_cur;
- /* A specified hard limit limits the soft limit */
- else if (hlim > 0 && rlim.rlim_cur > rlim.rlim_max)
- rlim.rlim_cur = rlim.rlim_max;
- /* A soft limit can increase a hard limit */
- else if (rlim.rlim_cur > rlim.rlim_max)
- rlim.rlim_max = rlim.rlim_cur;
-
- if (setrlimit(resource, &rlim) != 0)
- error("setrlimit(%.10s) failed: %.100s", soft, strerror(errno));
-}
-
-void
-set_limits_from_userattr(char *user)
-{
- int mask;
- char buf[16];
-
- set_limit(user, S_UFSIZE, S_UFSIZE_HARD, RLIMIT_FSIZE, 512);
- set_limit(user, S_UCPU, S_UCPU_HARD, RLIMIT_CPU, 1);
- set_limit(user, S_UDATA, S_UDATA_HARD, RLIMIT_DATA, 512);
- set_limit(user, S_USTACK, S_USTACK_HARD, RLIMIT_STACK, 512);
- set_limit(user, S_URSS, S_URSS_HARD, RLIMIT_RSS, 512);
- set_limit(user, S_UCORE, S_UCORE_HARD, RLIMIT_CORE, 512);
-#if defined(S_UNOFILE)
- set_limit(user, S_UNOFILE, S_UNOFILE_HARD, RLIMIT_NOFILE, 1);
-#endif
-
- if (getuserattr(user, S_UMASK, &mask, SEC_INT) != -1) {
- /* Convert decimal to octal */
- (void) snprintf(buf, sizeof(buf), "%d", mask);
- if (sscanf(buf, "%o", &mask) == 1)
- umask(mask);
- }
-}
-#endif /* defined(HAVE_GETUSERATTR) */
-
/*
* AIX has a "usrinfo" area where logname and
* other stuff is stored - a few applications
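Review bot: removing set_limits_from_userattr() drops not only the rlimit handling but also the umask handling (the S_UMASK lookup with its decimal-to-octal conversion), and the commit message only mentions environment handling. The replacement setpcred() call is expected to cover both when it is invoked with a NULL credentials list (all attributes taken from the user database); confirm that umask is among the attributes it applies on the AIX releases you support, and say in the log that limits and umask are now delegated to setpcred().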
#ifdef _AIX
-#ifdef HAVE_GETUSERATTR
-void set_limit(char *user, char *soft, char *hard, int resource, int mult);
-void set_limits_from_userattr(char *user);
-#endif /* HAVE_GETUSERATTR */
-
void aix_usrinfo(struct passwd *pw, char *tty, int ttyfd);
#endif /* _AIX */
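Review bot: `<usersec.h>` is the header that declares setpcred() on AIX, and this hunk removes its include from port-aix.h while the session.c change in the same patch starts calling setpcred(). Nothing visible in the patch then declares the function, so the call compiles as an implicit declaration and argument-count mistakes go unnoticed; keep the include here or add it next to the new call.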
*/
#include "includes.h"
-RCSID("$OpenBSD: packet.c,v 1.93 2002/03/24 16:01:13 markus Exp $");
+RCSID("$OpenBSD: packet.c,v 1.95 2002/06/19 18:01:00 markus Exp $");
#include "xmalloc.h"
#include "buffer.h"
#include "log.h"
#include "canohost.h"
#include "misc.h"
+#include "ssh.h"
#ifdef PACKET_DEBUG
#define DBG(x) x
static u_int32_t read_seqnr = 0;
static u_int32_t send_seqnr = 0;
+/* Session key for protocol v1 */
+static u_char ssh1_key[SSH_SESSION_KEY_LENGTH];
+static u_int ssh1_keylen;
+
/* roundup current message to extra_pad bytes */
static u_char extra_pad = 0;
else if (mode == MODE_OUT)
send_seqnr = seqnr;
else
- fatal("%s: bad mode %d", __FUNCTION__, mode);
+ fatal("packet_set_seqnr: bad mode %d", mode);
}
/* returns 1 if connection is via ipv4 */
* key is used for both sending and reception. However, both directions are
* encrypted independently of each other.
*/
+
void
packet_set_encryption_key(const u_char *key, u_int keylen,
int number)
fatal("packet_set_encryption_key: unknown cipher number %d", number);
if (keylen < 20)
fatal("packet_set_encryption_key: keylen too small: %d", keylen);
+ if (keylen > SSH_SESSION_KEY_LENGTH)
+ fatal("packet_set_encryption_key: keylen too big: %d", keylen);
+ memcpy(ssh1_key, key, keylen);
+ ssh1_keylen = keylen;
cipher_init(&send_context, cipher, key, keylen, NULL, 0, CIPHER_ENCRYPT);
cipher_init(&receive_context, cipher, key, keylen, NULL, 0, CIPHER_DECRYPT);
}
+u_int
+packet_get_encryption_key(u_char *key)
+{
+ if (key == NULL)
+ return (ssh1_keylen);
+ memcpy(key, ssh1_key, ssh1_keylen);
+ return (ssh1_keylen);
+}
+
/* Start constructing a packet to send. */
void
packet_start(u_char type)
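Review bot: packet_get_encryption_key() copies ssh1_keylen bytes into the caller's buffer with no size argument, so the contract (pass NULL to learn the length, otherwise supply at least SSH_SESSION_KEY_LENGTH bytes) belongs in a comment above the function. The new `keylen > SSH_SESSION_KEY_LENGTH` check in packet_set_encryption_key() is what keeps the memcpy into ssh1_key in bounds and must stay ahead of it. Keeping the protocol 1 session key in a file-scope static for the life of the process deliberately widens its lifetime; the one-line comment `/* Session key for protocol v1 */` should say who reads it back out and why, so nobody later removes the static as dead weight or forgets to scrub it.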
-/* $OpenBSD: packet.h,v 1.34 2002/03/18 17:16:38 markus Exp $ */
+/* $OpenBSD: packet.h,v 1.35 2002/06/19 18:01:00 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
int packet_get_connection_out(void);
void packet_close(void);
void packet_set_encryption_key(const u_char *, u_int, int);
+u_int packet_get_encryption_key(u_char *);
void packet_set_protocol_flags(u_int);
u_int packet_get_protocol_flags(void);
void packet_start_compression(int);
-/* $OpenBSD: pathnames.h,v 1.12 2002/03/19 03:03:43 stevesk Exp $ */
+/* $OpenBSD: pathnames.h,v 1.13 2002/05/23 19:24:30 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
#define _PATH_SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass"
#endif
+/* Location of ssh-keysign for hostbased authentication */
+#ifndef _PATH_SSH_KEY_SIGN
+#define _PATH_SSH_KEY_SIGN "/usr/libexec/ssh-keysign"
+#endif
+
/* xauth for X11 forwarding */
#ifndef _PATH_XAUTH
#define _PATH_XAUTH "/usr/X11R6/bin/xauth"
#include "includes.h"
#include "uuencode.h"
-RCSID("$OpenBSD: radix.c,v 1.20 2002/04/23 12:58:26 markus Exp $");
+RCSID("$OpenBSD: radix.c,v 1.21 2002/06/19 00:27:55 deraadt Exp $");
#ifdef AFS
#include <krb.h>
goto done;
memcpy(&creds->ticket_st.dat, p, len);
creds->ticket_st.length = len;
-
+
ret = 1;
done:
buffer_free(&b);
*/
#include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.95 2002/02/04 12:15:25 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.100 2002/06/19 00:27:55 deraadt Exp $");
#include "ssh.h"
#include "xmalloc.h"
# that they are given in.
Host *.ngs.fi ngs.fi
- FallBackToRsh no
+ User foo
Host fake.com
HostName another.host.name.real.org
ProxyCommand ssh-proxy %h %p
Host *.fr
- UseRsh yes
+ PublicKeyAuthentication no
Host *.su
Cipher none
PasswordAuthentication yes
RSAAuthentication yes
RhostsRSAAuthentication yes
- FallBackToRsh no
- UseRsh no
StrictHostKeyChecking yes
KeepAlives no
IdentityFile ~/.ssh/identity
typedef enum {
oBadOption,
oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
- oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh,
+ oPasswordAuthentication, oRSAAuthentication,
oChallengeResponseAuthentication, oXAuthLocation,
#if defined(KRB4) || defined(KRB5)
oKerberosAuthentication,
oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
- oClearAllForwardings, oNoHostAuthenticationForLocalhost
+ oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ oDeprecated
} OpCodes;
/* Textual representations of the tokens. */
#ifdef AFS
{ "afstokenpassing", oAFSTokenPassing },
#endif
- { "fallbacktorsh", oFallBackToRsh },
- { "usersh", oUseRsh },
+ { "fallbacktorsh", oDeprecated },
+ { "usersh", oDeprecated },
{ "identityfile", oIdentityFile },
{ "identityfile2", oIdentityFile }, /* alias */
{ "hostname", oHostName },
intptr = &options->afs_token_passing;
goto parse_flag;
#endif
- case oFallBackToRsh:
- intptr = &options->fallback_to_rsh;
- goto parse_flag;
-
- case oUseRsh:
- intptr = &options->use_rsh;
- goto parse_flag;
-
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
*intptr = value;
break;
+ case oDeprecated:
+ debug("%s line %d: Deprecated option \"%s\"",
+ filename, linenum, keyword);
+ return 0;
+
default:
fatal("process_config_line: Unimplemented opcode %d", opcode);
}
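Review bot: `oDeprecated` only emits a debug() message and returns 0, so a user who still has `UseRsh yes` or `FallBackToRsh no` in ssh_config sees nothing at the default log level and the option is silently ignored. Since these options changed behaviour (rsh is no longer a fallback at all), a log() or error() level message would make the deprecation visible without being fatal.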
options->kbd_interactive_devices = NULL;
options->rhosts_rsa_authentication = -1;
options->hostbased_authentication = -1;
- options->fallback_to_rsh = -1;
- options->use_rsh = -1;
options->batch_mode = -1;
options->check_host_ip = -1;
options->strict_host_key_checking = -1;
if (options->use_privileged_port == -1)
options->use_privileged_port = 0;
if (options->rhosts_authentication == -1)
- options->rhosts_authentication = 1;
+ options->rhosts_authentication = 0;
if (options->rsa_authentication == -1)
options->rsa_authentication = 1;
if (options->pubkey_authentication == -1)
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 1;
if (options->rhosts_rsa_authentication == -1)
- options->rhosts_rsa_authentication = 1;
+ options->rhosts_rsa_authentication = 0;
if (options->hostbased_authentication == -1)
options->hostbased_authentication = 0;
- if (options->fallback_to_rsh == -1)
- options->fallback_to_rsh = 0;
- if (options->use_rsh == -1)
- options->use_rsh = 0;
if (options->batch_mode == -1)
options->batch_mode = 0;
if (options->check_host_ip == -1)
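Review bot: this hunk flips the client defaults for both RhostsAuthentication (`options->rhosts_authentication = 0`) and RhostsRSAAuthentication (`options->rhosts_rsa_authentication = 0`) from on to off. That is the right default once the client is no longer setuid and cannot bind a privileged port, but it is a behaviour change for existing installations that relied on it; the commit message should call it out explicitly and ssh_config(5) needs the same defaults in the same change.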
-/* $OpenBSD: readconf.h,v 1.42 2002/03/04 17:27:39 stevesk Exp $ */
+/* $OpenBSD: readconf.h,v 1.43 2002/06/08 05:17:01 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */
- int fallback_to_rsh;/* Use rsh if cannot connect with ssh. */
- int use_rsh; /* Always use rsh (don\'t try ssh). */
int batch_mode; /* Batch mode: do not ask for passwords. */
int check_host_ip; /* Also keep track of keys for IP address */
int strict_host_key_checking; /* Strict host key checking. */
.\"
.\" Created: Sun May 7 00:14:37 1995 ylo
.\"
-.\" $OpenBSD: scp.1,v 1.21 2002/01/29 23:50:37 markus Exp $
+.\" $OpenBSD: scp.1,v 1.22 2002/06/20 20:00:05 stevesk Exp $
.\"
.Dd September 25, 1999
.Dt SCP 1
.It Fl o Ar ssh_option
Can be used to pass options to
.Nm ssh
-in the format used in the
-.Xr ssh 1
-configuration file. This is useful for specifying options
+in the format used in
+.Xr ssh_config 5 .
+This is useful for specifying options
for which there is no separate
.Nm scp
command-line flag. For example, forcing the use of protocol
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr ssh-keygen 1 ,
+.Xr ssh_config 5
.Xr sshd 8
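Review bot: in the scp.1 SEE ALSO list the new `.Xr ssh_config 5` line lacks the trailing comma that the other entries carry (the sftp.1 hunk in this patch gets it right with `.Xr ssh_config 5 ,`), so the rendered list runs "ssh_config(5) sshd(8)" without a separator.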
*/
#include "includes.h"
-RCSID("$OpenBSD: scp.c,v 1.88 2002/04/06 18:24:09 mouring Exp $");
+RCSID("$OpenBSD: scp.c,v 1.91 2002/06/19 00:27:55 deraadt Exp $");
#include "xmalloc.h"
#include "atomicio.h"
__progname = get_progname(argv[0]);
args.list = NULL;
- addargs(&args, "ssh"); /* overwritten with ssh_program */
+ addargs(&args, "ssh"); /* overwritten with ssh_program */
addargs(&args, "-x");
addargs(&args, "-oForwardAgent no");
- addargs(&args, "-oFallBackToRsh no");
addargs(&args, "-oClearAllForwardings yes");
fflag = tflag = 0;
src = colon(argv[i]);
if (src) { /* remote to remote */
static char *ssh_options =
- "-x -o'FallBackToRsh no' "
- "-o'ClearAllForwardings yes'";
+ "-x -o'ClearAllForwardings yes'";
*src++ = 0;
if (*src == 0)
src = ".";
usage(void)
{
(void) fprintf(stderr,
- "usage: scp [-pqrvBC46] [-F config] [-S ssh] [-P port] [-c cipher] [-i identity]\n"
- " [-o option] f1 f2\n"
- " or: scp [options] f1 ... fn directory\n");
+ "usage: scp [-pqrvBC46] [-F config] [-S program] [-P port]\n"
+ " [-c cipher] [-i identity] [-o option]\n"
+ " [[user@]host1:]file1 [...] [[user@]host2:]file2\n");
exit(1);
}
*/
#include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.109 2002/05/15 21:02:52 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.111 2002/06/20 23:05:55 markus Exp $");
#if defined(KRB4)
#include <krb.h>
options->challenge_response_authentication = -1;
options->permit_empty_passwd = -1;
options->use_login = -1;
+ options->compression = -1;
options->allow_tcp_forwarding = -1;
options->num_allow_users = 0;
options->num_deny_users = 0;
options->permit_empty_passwd = 0;
if (options->use_login == -1)
options->use_login = 0;
+ if (options->compression == -1)
+ options->compression = 1;
if (options->allow_tcp_forwarding == -1)
options->allow_tcp_forwarding = 1;
if (options->gateway_ports == -1)
if (options->authorized_keys_file == NULL)
options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
- /* Turn privilege separation _off_ by default */
+ /* Turn privilege separation on by default */
if (use_privsep == -1)
- use_privsep = 0;
+ use_privsep = 1;
+
+#if !defined(HAVE_MMAP) || !defined(MAP_ANON)
+ if (use_privsep && options->compression == 1) {
+ error("This platform does not support both privilege "
+ "separation and compression");
+ error("Compression disabled");
+ options->compression = 0;
+ }
+#endif
+
}
/* Keyword tokens. */
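Review bot: the `#if !defined(HAVE_MMAP) || !defined(MAP_ANON)` block correctly only disables compression when use_privsep is set, but it sits in fill_default_server_options() and the default above is `options->compression = 1`, so on such a platform every sshd start logs the two error() lines even when the admin never touched Compression; verbose() or log() would match the "warn and disable" intent better than error(). The added blank line before the closing `}` of the function is stray.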
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
sStrictModes, sEmptyPasswd, sKeepAlives,
- sUseLogin, sAllowTcpForwarding,
+ sUseLogin, sAllowTcpForwarding, sCompression,
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
{ "strictmodes", sStrictModes },
{ "permitemptypasswords", sEmptyPasswd },
{ "uselogin", sUseLogin },
+ { "compression", sCompression },
{ "keepalive", sKeepAlives },
{ "allowtcpforwarding", sAllowTcpForwarding },
{ "allowusers", sAllowUsers },
intptr = &options->use_login;
goto parse_flag;
+ case sCompression:
+ intptr = &options->compression;
+ goto parse_flag;
+
case sGatewayPorts:
intptr = &options->gateway_ports;
goto parse_flag;
-/* $OpenBSD: servconf.h,v 1.57 2002/03/20 19:12:25 stevesk Exp $ */
+/* $OpenBSD: servconf.h,v 1.58 2002/06/20 23:05:55 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
int permit_empty_passwd; /* If false, do not permit empty
* passwords. */
int use_login; /* If true, login(1) is used */
+ int compression; /* If true, compression is allowed */
int allow_tcp_forwarding;
u_int num_allow_users;
char *allow_users[MAX_ALLOW_USERS];
*/
#include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.101 2002/03/30 18:51:15 markus Exp $");
+RCSID("$OpenBSD: serverloop.c,v 1.102 2002/06/11 05:46:20 mpech Exp $");
#include "xmalloc.h"
#include "packet.h"
if (errno != EINTR)
packet_disconnect("wait: %.100s", strerror(errno));
if (wait_pid != pid)
- error("Strange, wait returned pid %d, expected %d",
- wait_pid, pid);
+ error("Strange, wait returned pid %ld, expected %ld",
+ (long)wait_pid, (long)pid);
/* Check if it exited normally. */
if (WIFEXITED(wait_status)) {
*/
#include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.134 2002/03/29 18:59:31 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.138 2002/06/20 23:05:55 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
login_cap_t *lc;
#endif
+/* Name and directory of socket for authentication agent forwarding. */
+static char *auth_sock_name = NULL;
+static char *auth_sock_dir = NULL;
+
+/* removes the agent forwarding socket */
+
+static void
+auth_sock_cleanup_proc(void *_pw)
+{
+ struct passwd *pw = _pw;
+
+ if (auth_sock_name != NULL) {
+ temporarily_use_uid(pw);
+ unlink(auth_sock_name);
+ rmdir(auth_sock_dir);
+ auth_sock_name = NULL;
+ restore_uid();
+ }
+}
+
+static int
+auth_input_request_forwarding(struct passwd * pw)
+{
+ Channel *nc;
+ int sock;
+ struct sockaddr_un sunaddr;
+
+ if (auth_sock_name != NULL) {
+ error("authentication forwarding requested twice.");
+ return 0;
+ }
+
+ /* Temporarily drop privileged uid for mkdir/bind. */
+ temporarily_use_uid(pw);
+
+ /* Allocate a buffer for the socket name, and format the name. */
+ auth_sock_name = xmalloc(MAXPATHLEN);
+ auth_sock_dir = xmalloc(MAXPATHLEN);
+ strlcpy(auth_sock_dir, "/tmp/ssh-XXXXXXXX", MAXPATHLEN);
+
+ /* Create private directory for socket */
+ if (mkdtemp(auth_sock_dir) == NULL) {
+ packet_send_debug("Agent forwarding disabled: "
+ "mkdtemp() failed: %.100s", strerror(errno));
+ restore_uid();
+ xfree(auth_sock_name);
+ xfree(auth_sock_dir);
+ auth_sock_name = NULL;
+ auth_sock_dir = NULL;
+ return 0;
+ }
+ snprintf(auth_sock_name, MAXPATHLEN, "%s/agent.%ld",
+ auth_sock_dir, (long) getpid());
+
+ /* delete agent socket on fatal() */
+ fatal_add_cleanup(auth_sock_cleanup_proc, pw);
+
+ /* Create the socket. */
+ sock = socket(AF_UNIX, SOCK_STREAM, 0);
+ if (sock < 0)
+ packet_disconnect("socket: %.100s", strerror(errno));
+
+ /* Bind it to the name. */
+ memset(&sunaddr, 0, sizeof(sunaddr));
+ sunaddr.sun_family = AF_UNIX;
+ strlcpy(sunaddr.sun_path, auth_sock_name, sizeof(sunaddr.sun_path));
+
+ if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0)
+ packet_disconnect("bind: %.100s", strerror(errno));
+
+ /* Restore the privileged uid. */
+ restore_uid();
+
+ /* Start listening on the socket. */
+ if (listen(sock, 5) < 0)
+ packet_disconnect("listen: %.100s", strerror(errno));
+
+ /* Allocate a channel for the authentication agent socket. */
+ nc = channel_new("auth socket",
+ SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
+ CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
+ 0, xstrdup("auth socket"), 1);
+ strlcpy(nc->path, auth_sock_name, sizeof(nc->path));
+ return 1;
+}
+
+
void
do_authenticated(Authctxt *authctxt)
{
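Review bot: auth_sock_cleanup_proc() sets auth_sock_name to NULL but never xfree()s either xmalloc(MAXPATHLEN) block and leaves auth_sock_dir dangling, so the two buffers leak once per session and a later caller that tests auth_sock_dir gets a stale pointer; free and NULL both in the cleanup. In auth_input_request_forwarding(), `strlcpy(sunaddr.sun_path, auth_sock_name, sizeof(sunaddr.sun_path));` silently truncates a path longer than sun_path; `/tmp/ssh-XXXXXXXX/agent.<pid>` fits, but checking the strlcpy return value against sizeof(sunaddr.sun_path) costs one line and removes the assumption. The two consecutive blank lines before do_authenticated() are stray.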
do_authenticated1(authctxt);
/* remove agent socket */
- if (auth_get_socket_name())
+ if (auth_sock_name != NULL)
auth_sock_cleanup_proc(authctxt->pw);
#ifdef KRB4
if (options.kerberos_ticket_cleanup)
compression_level);
break;
}
+ if (!options.compression) {
+ debug2("compression disabled");
+ break;
+ }
/* Enable compression after we have responded with SUCCESS. */
enable_compression_after_reply = 1;
success = 1;
void
do_exec_no_pty(Session *s, const char *command)
{
- int pid;
+ pid_t pid;
#ifdef USE_PIPES
int pin[2], pout[2], perr[2];
copy_environment(fetch_pam_environment(), &env, &envsize);
#endif /* USE_PAM */
- if (auth_get_socket_name() != NULL)
+ if (auth_sock_name != NULL)
child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
- auth_get_socket_name());
+ auth_sock_name);
/* read $HOME/.ssh/environment. */
if (!options.use_login) {
/* Add authority data to .Xauthority if appropriate. */
if (debug_flag) {
fprintf(stderr,
- "Running %.100s add "
+ "Running %.500s add "
"%.100s %.100s %.100s\n",
options.xauth_location, s->auth_display,
s->auth_proto, s->auth_data);
#else /* HAVE_CYGWIN */
if (getuid() == 0 || geteuid() == 0) {
#endif /* HAVE_CYGWIN */
-#ifdef HAVE_GETUSERATTR
- set_limits_from_userattr(pw->pw_name);
-#endif /* HAVE_GETUSERATTR */
+#ifdef HAVE_SETPCRED
+ setpcred(pw->pw_name);
+#endif /* HAVE_SETPCRED */
#ifdef HAVE_LOGIN_CAP
if (setusercontext(lc, pw, pw->pw_uid,
(LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) {
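Review bot: `setpcred(pw->pw_name);` passes a single argument and discards the return value. AIX declares setpcred() with two parameters, the user name and a credentials list where NULL means take every credential from the user database; with one argument and no prototype in scope the second parameter is whatever happens to be on the stack. The call should be `setpcred(pw->pw_name, NULL)` with its result checked, e.g. `if (setpcred(pw->pw_name, NULL) == -1) fatal("setpcred: %s", strerror(errno));`, since a silent failure here means the user's limits and umask were never applied before the session starts.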
{
/* Launch login(1). */
- execl("/usr/bin/login", "login", "-h", hostname,
+ execl(LOGIN_PROGRAM, "login", "-h", hostname,
#ifdef xxxLOGIN_NEEDS_TERM
- (s->term ? s->term : "unknown"),
+ (s->term ? s->term : "unknown"),
#endif /* LOGIN_NEEDS_TERM */
#ifdef LOGIN_NO_ENDOPT
"-p", "-f", pw->pw_name, (char *)NULL);
int i;
for (i = 0; i < MAX_SESSIONS; i++) {
Session *s = &sessions[i];
- debug("dump: used %d session %d %p channel %d pid %d",
+ debug("dump: used %d session %d %p channel %d pid %ld",
s->used,
s->self,
s,
s->chanid,
- s->pid);
+ (long)s->pid);
}
}
session_by_pid(pid_t pid)
{
int i;
- debug("session_by_pid: pid %d", pid);
+ debug("session_by_pid: pid %ld", (long)pid);
for (i = 0; i < MAX_SESSIONS; i++) {
Session *s = &sessions[i];
if (s->used && s->pid == pid)
return s;
}
- error("session_by_pid: unknown pid %d", pid);
+ error("session_by_pid: unknown pid %ld", (long)pid);
session_dump();
return NULL;
}
if ((c = channel_lookup(s->chanid)) == NULL)
fatal("session_exit_message: session %d: no channel %d",
s->self, s->chanid);
- debug("session_exit_message: session %d channel %d pid %d",
- s->self, s->chanid, s->pid);
+ debug("session_exit_message: session %d channel %d pid %ld",
+ s->self, s->chanid, (long)s->pid);
if (WIFEXITED(status)) {
channel_request_start(s->chanid, "exit-status", 0);
void
session_close(Session *s)
{
- debug("session_close: session %d pid %d", s->self, s->pid);
+ debug("session_close: session %d pid %ld", s->self, (long)s->pid);
if (s->ttyfd != -1) {
fatal_remove_cleanup(session_pty_cleanup, (void *)s);
session_pty_cleanup(s);
{
Session *s = session_by_pid(pid);
if (s == NULL) {
- debug("session_close_by_pid: no session for pid %d", pid);
+ debug("session_close_by_pid: no session for pid %ld",
+ (long)pid);
return;
}
if (s->chanid != -1)
debug("session_close_by_channel: no session for id %d", id);
return;
}
- debug("session_close_by_channel: channel %d child %d", id, s->pid);
+ debug("session_close_by_channel: channel %d child %ld",
+ id, (long)s->pid);
if (s->pid != 0) {
debug("session_close_by_channel: channel %d: has child", id);
/*
/* XXX: copy between two remote sites */
#include "includes.h"
-RCSID("$OpenBSD: sftp-client.c,v 1.31 2002/04/06 00:30:08 djm Exp $");
+RCSID("$OpenBSD: sftp-client.c,v 1.32 2002/06/09 13:32:01 markus Exp $");
#include "openbsd-compat/fake-queue.h"
if (id == startid || len == 0 ||
id - ackid >= conn->num_requests) {
- u_int r_id;
+ u_int r_id;
buffer_clear(&msg);
get_msg(conn->fd_in, &msg);
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: sftp-server.c,v 1.33 2002/02/13 00:28:13 markus Exp $");
+RCSID("$OpenBSD: sftp-server.c,v 1.35 2002/06/06 17:30:11 markus Exp $");
#include "buffer.h"
#include "bufaux.h"
{
Buffer msg;
- version = buffer_get_int(&iqueue);
+ version = get_int();
TRACE("client version %d", version);
buffer_init(&msg);
buffer_put_char(&msg, SSH2_FXP_VERSION);
process(void)
{
u_int msg_len;
+ u_int buf_len;
+ u_int consumed;
u_int type;
u_char *cp;
- if (buffer_len(&iqueue) < 5)
+ buf_len = buffer_len(&iqueue);
+ if (buf_len < 5)
return; /* Incomplete message. */
cp = buffer_ptr(&iqueue);
msg_len = GET_32BIT(cp);
error("bad message ");
exit(11);
}
- if (buffer_len(&iqueue) < msg_len + 4)
+ if (buf_len < msg_len + 4)
return;
buffer_consume(&iqueue, 4);
+ buf_len -= 4;
type = buffer_get_char(&iqueue);
switch (type) {
case SSH2_FXP_INIT:
error("Unknown message %d", type);
break;
}
+ /* discard the remaining bytes from the current packet */
+ if (buf_len < buffer_len(&iqueue))
+ fatal("iqueue grows");
+ consumed = buf_len - buffer_len(&iqueue);
+ if (msg_len < consumed)
+ fatal("msg_len %d < consumed %d", msg_len, consumed);
+ if (msg_len > consumed)
+ buffer_consume(&iqueue, msg_len - consumed);
}
int
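Review bot: the trailing discard logic is the right fix for handlers that do not consume their whole payload, and `fatal("iqueue grows")` catches a handler that appends to the input queue instead. Note that `buf_len < msg_len + 4` relies on the check that precedes `error("bad message ")` having already bounded msg_len, otherwise the addition could wrap on a hostile length; keep that ordering if the cap is ever moved. `fatal("msg_len %d < consumed %d", ...)` prints two u_int values with %d; %u is the matching conversion.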
-.\" $OpenBSD: sftp.1,v 1.33 2002/02/26 19:06:43 deraadt Exp $
+.\" $OpenBSD: sftp.1,v 1.35 2002/06/20 20:00:05 stevesk Exp $
.\"
.\" Copyright (c) 2001 Damien Miller. All rights reserved.
.\"
.It Fl o Ar ssh_option
Can be used to pass options to
.Nm ssh
-in the format used in the
-.Xr ssh 1
-configuration file. This is useful for specifying options
+in the format used in
+.Xr ssh_config 5 .
+This is useful for specifying options
for which there is no separate
.Nm sftp
command-line flag. For example, to specify an alternate
.It Fl v
Raise logging level. This option is also passed to ssh.
.It Fl B Ar buffer_size
-Specify the size of the buffer that
+Specify the size of the buffer that
.Nm
uses when transferring files. Larger buffers require fewer round trips at
the cost of higher memory consumption. The default is 32768 bytes.
This option is directly passed to
.Xr ssh 1 .
.It Fl P Ar sftp_server path
-Connect directly to a local
-.Nm sftp-server
+Connect directly to a local
+.Nm sftp-server
(rather than via
.Nm ssh )
This option may be useful in debugging the client and server.
.It Fl R Ar num_requests
-Specify how many requests may be outstanding at any one time. Increasing
+Specify how many requests may be outstanding at any one time. Increasing
this may slightly improve file transfer speed but will increase memory
usage. The default is 16 outstanding requests.
.It Fl S Ar program
.Xr ssh 1 ,
.Xr ssh-add 1 ,
.Xr ssh-keygen 1 ,
+.Xr ssh_config 5 ,
.Xr sftp-server 8 ,
.Xr sshd 8
.Rs
interactive_loop(in, out, file1, file2);
#if !defined(USE_PIPES)
- shutdown(in, SHUT_RDWR);
- shutdown(out, SHUT_RDWR);
+ shutdown(in, SHUT_RDWR);
+ shutdown(out, SHUT_RDWR);
#endif
close(in);
-.\" $OpenBSD: ssh-add.1,v 1.30 2002/02/04 20:41:16 stevesk Exp $
+.\" $OpenBSD: ssh-add.1,v 1.35 2002/06/19 00:27:55 deraadt Exp $
.\"
.\" -*- nroff -*-
.\"
.Nd adds RSA or DSA identities to the authentication agent
.Sh SYNOPSIS
.Nm ssh-add
-.Op Fl lLdD
+.Op Fl lLdDxX
+.Op Fl t Ar life
.Op Ar
.Nm ssh-add
.Fl s Ar reader
.Xr ssh-agent 1 .
When run without arguments, it adds the files
.Pa $HOME/.ssh/id_rsa ,
-.Pa $HOME/.ssh/id_dsa
+.Pa $HOME/.ssh/id_dsa
and
.Pa $HOME/.ssh/identity .
Alternative file names can be given on the command line.
Instead of adding the identity, removes the identity from the agent.
.It Fl D
Deletes all identities from the agent.
+.It Fl x
+Lock the agent with a password.
+.It Fl X
+Unlock the agent.
+.It Fl t Ar life
+Set a maximum lifetime when adding identities to an agent.
+The lifetime may be specified in seconds or in a time format
+specified in
+.Xr sshd 8 .
.It Fl s Ar reader
Add key in smartcard
.Ar reader .
may be necessary to redirect the input from
.Pa /dev/null
to make this work.)
+.It Ev SSH_AUTH_SOCK
+Identifies the path of a unix-domain socket used to communicate with the
+agent.
.El
.Sh DIAGNOSTICS
Exit status is 0 on success, 1 if the specified command fails,
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.53 2002/03/21 22:44:05 rees Exp $");
+RCSID("$OpenBSD: ssh-add.c,v 1.61 2002/06/19 00:27:55 deraadt Exp $");
#include <openssl/evp.h>
#include "authfile.h"
#include "pathnames.h"
#include "readpass.h"
+#include "misc.h"
#ifdef HAVE___PROGNAME
extern char *__progname;
NULL
};
+/* Default lifetime (0 == forever) */
+static int lifetime = 0;
/* we keep a cache of one passphrases */
static char *pass = NULL;
strlcpy(msg, "Bad passphrase, try again: ", sizeof msg);
}
}
- if (ssh_add_identity(ac, private, comment)) {
+
+ if (ssh_add_identity_constrained(ac, private, comment, lifetime)) {
fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
ret = 0;
- } else
+ if (lifetime != 0)
+ fprintf(stderr,
+ "Lifetime set to %d seconds\n", lifetime);
+ } else if (ssh_add_identity(ac, private, comment)) {
+ fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
+ ret = 0;
+ } else {
fprintf(stderr, "Could not add identity: %s\n", filename);
+ }
xfree(comment);
key_free(private);
return 0;
}
+static int
+lock_agent(AuthenticationConnection *ac, int lock)
+{
+ char prompt[100], *p1, *p2;
+ int passok = 1, ret = -1;
+
+ strlcpy(prompt, "Enter lock password: ", sizeof(prompt));
+ p1 = read_passphrase(prompt, RP_ALLOW_STDIN);
+ if (lock) {
+ strlcpy(prompt, "Again: ", sizeof prompt);
+ p2 = read_passphrase(prompt, RP_ALLOW_STDIN);
+ if (strcmp(p1, p2) != 0) {
+ fprintf(stderr, "Passwords do not match.\n");
+ passok = 0;
+ }
+ memset(p2, 0, strlen(p2));
+ xfree(p2);
+ }
+ if (passok && ssh_lock_agent(ac, lock, p1)) {
+ fprintf(stderr, "Agent %slocked.\n", lock ? "" : "un");
+ ret = 0;
+ } else
+ fprintf(stderr, "Failed to %slock agent.\n", lock ? "" : "un");
+ memset(p1, 0, strlen(p1));
+ xfree(p1);
+ return -1;
+}
+
static int
do_file(AuthenticationConnection *ac, int deleting, char *file)
{
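Review bot: `lock_agent` always returns -1 (the final `return -1;` ignores `ret`, which is set to 0 on success), so `ssh-add -x` and `-X` print "Agent locked." and then exit with status 1 because the caller tests `== -1`; this should be `return ret;`. In the same hunk, falling back from `ssh_add_identity_constrained` to `ssh_add_identity` silently drops the requested lifetime when the agent rejects the constrained add; print a warning, or fail when `lifetime != 0`, so the user knows the key was loaded without an expiry.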
fprintf(stderr, " -L List public key parameters of all identities.\n");
fprintf(stderr, " -d Delete identity.\n");
fprintf(stderr, " -D Delete all identities.\n");
+ fprintf(stderr, " -x Lock agent.\n");
+ fprintf(stderr, " -x Unlock agent.\n");
+ fprintf(stderr, " -t life Set lifetime (in seconds) when adding identities.\n");
#ifdef SMARTCARD
fprintf(stderr, " -s reader Add key in smartcard reader.\n");
fprintf(stderr, " -e reader Remove key in smartcard reader.\n");
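Review bot: the second new usage line reads `-x Unlock agent.` but the unlock option is `-X` (see the getopt string `"lLdDxXe:s:t:"` and the `.It Fl X` entry in ssh-add.1); change it to `-X Unlock agent.`.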
fprintf(stderr, "Could not open a connection to your authentication agent.\n");
exit(2);
}
- while ((ch = getopt(argc, argv, "lLdDe:s:")) != -1) {
+ while ((ch = getopt(argc, argv, "lLdDxXe:s:t:")) != -1) {
switch (ch) {
case 'l':
case 'L':
ret = 1;
goto done;
break;
+ case 'x':
+ case 'X':
+ if (lock_agent(ac, ch == 'x' ? 1 : 0) == -1)
+ ret = 1;
+ goto done;
+ break;
case 'd':
deleting = 1;
break;
deleting = 1;
sc_reader_id = optarg;
break;
+ case 't':
+ if ((lifetime = convtime(optarg)) == -1) {
+ fprintf(stderr, "Invalid lifetime\n");
+ ret = 1;
+ goto done;
+ }
+ break;
default:
usage();
ret = 1;
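Review bot: `convtime` returns 0 for an argument of `0`, which passes the `== -1` check and then means "forever" (the comment on `lifetime` says `0 == forever`, and add_file only reports a lifetime when `lifetime != 0`), so `ssh-add -t 0 key` loads a key with no expiry and says nothing about it. Either reject 0 here with the same "Invalid lifetime" message or document it as disabling the limit.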
-.\" $OpenBSD: ssh-agent.1,v 1.31 2002/02/04 20:41:16 stevesk Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.33 2002/06/19 00:27:55 deraadt Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.Nd authentication agent
.Sh SYNOPSIS
.Nm ssh-agent
+.Op Fl a Ar bind_address
.Op Fl c Li | Fl s
.Op Fl d
.Op Ar command Op Ar args ...
.Pp
The options are as follows:
.Bl -tag -width Ds
+.It Fl a Ar bind_address
+Bind the agent to the unix-domain socket
+.Ar bind_address .
+The default is
+.Pa /tmp/ssh-XXXXXXXX/agent.<pid> .
.It Fl c
Generate C-shell commands on
.Dv stdout .
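Review bot: the `-a bind_address` entry should say that, unlike the default, no private `mkdtemp` directory is created for the socket: ssh-agent.c sets `socket_dir[0] = '\0'` and binds to the path exactly as given, so the permissions of the directory containing bind_address are the only thing keeping other users away from the agent. Recommend a sentence telling users to place it in a directory they own with mode 0700.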
.Xr ssh-add 1
adds the files
.Pa $HOME/.ssh/id_rsa ,
-.Pa $HOME/.ssh/id_dsa
+.Pa $HOME/.ssh/id_dsa
and
.Pa $HOME/.ssh/identity .
If the identity has a passphrase,
This way, private keys are not exposed to clients using the agent.
.Pp
A unix-domain socket is created
-.Pq Pa /tmp/ssh-XXXXXXXX/agent.<pid> ,
and the name of this socket is stored in the
.Ev SSH_AUTH_SOCK
environment
#include "includes.h"
#include "openbsd-compat/fake-queue.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.85 2002/04/02 11:49:39 markus Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.95 2002/06/19 00:27:55 deraadt Exp $");
#include <openssl/evp.h>
#include <openssl/md5.h>
sock_type type;
Buffer input;
Buffer output;
+ Buffer request;
} SocketEntry;
u_int sockets_alloc = 0;
TAILQ_ENTRY(identity) next;
Key *key;
char *comment;
+ u_int death;
} Identity;
typedef struct {
char socket_name[1024];
char socket_dir[1024];
+/* locking */
+int locked = 0;
+char *lock_passwd = NULL;
+
#ifdef HAVE___PROGNAME
extern char *__progname;
#else
return &idtable[version];
}
+static void
+free_identity(Identity *id)
+{
+ key_free(id->key);
+ xfree(id->comment);
+ xfree(id);
+}
+
/* return matching private key for given public key */
static Identity *
lookup_identity(Key *key, int version)
return (NULL);
}
-static void
-free_identity(Identity *id)
-{
- key_free(id->key);
- xfree(id->comment);
- xfree(id);
-}
-
/* send list of supported public keys to 'client' */
static void
process_request_identities(SocketEntry *e, int version)
if ((challenge = BN_new()) == NULL)
fatal("process_authentication_challenge1: BN_new failed");
- buffer_get_int(&e->input); /* ignored */
- buffer_get_bignum(&e->input, key->rsa->e);
- buffer_get_bignum(&e->input, key->rsa->n);
- buffer_get_bignum(&e->input, challenge);
+ buffer_get_int(&e->request); /* ignored */
+ buffer_get_bignum(&e->request, key->rsa->e);
+ buffer_get_bignum(&e->request, key->rsa->n);
+ buffer_get_bignum(&e->request, challenge);
/* Only protocol 1.1 is supported */
- if (buffer_len(&e->input) == 0)
+ if (buffer_len(&e->request) == 0)
goto failure;
- buffer_get(&e->input, session_id, 16);
- response_type = buffer_get_int(&e->input);
+ buffer_get(&e->request, session_id, 16);
+ response_type = buffer_get_int(&e->request);
if (response_type != 1)
goto failure;
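Review bot: the `goto failure` paths here now leave the unread remainder of the message in `e->request` instead of `e->input`, which is what keeps a malformed request from desynchronizing the stream for the next message; that invariant (one complete message per `e->request`, cleared before each dispatch, handlers never read `e->input` directly) deserves a comment next to the `Buffer request` member in SocketEntry so future handlers follow it.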
datafellows = 0;
- blob = buffer_get_string(&e->input, &blen);
- data = buffer_get_string(&e->input, &dlen);
+ blob = buffer_get_string(&e->request, &blen);
+ data = buffer_get_string(&e->request, &dlen);
- flags = buffer_get_int(&e->input);
+ flags = buffer_get_int(&e->request);
if (flags & SSH_AGENT_OLD_SIGNATURE)
datafellows = SSH_BUG_SIGBLOB;
switch (version) {
case 1:
key = key_new(KEY_RSA1);
- bits = buffer_get_int(&e->input);
- buffer_get_bignum(&e->input, key->rsa->e);
- buffer_get_bignum(&e->input, key->rsa->n);
+ bits = buffer_get_int(&e->request);
+ buffer_get_bignum(&e->request, key->rsa->e);
+ buffer_get_bignum(&e->request, key->rsa->n);
if (bits != key_size(key))
log("Warning: identity keysize mismatch: actual %d, announced %d",
key_size(key), bits);
break;
case 2:
- blob = buffer_get_string(&e->input, &blen);
+ blob = buffer_get_string(&e->request, &blen);
key = key_from_blob(blob, blen);
xfree(blob);
break;
/* Send success. */
buffer_put_int(&e->output, 1);
buffer_put_char(&e->output, SSH_AGENT_SUCCESS);
- return;
+}
+
+static void
+reaper(void)
+{
+ Idtab *tab;
+ Identity *id, *nxt;
+ int version;
+ u_int now = time(NULL);
+
+ for (version = 1; version < 3; version++) {
+ tab = idtab_lookup(version);
+ for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) {
+ nxt = TAILQ_NEXT(id, next);
+ if (id->death != 0 && now >= id->death) {
+ TAILQ_REMOVE(&tab->idlist, id, next);
+ free_identity(id);
+ tab->nentries--;
+ }
+ }
+ }
}
static void
Key *k = NULL;
char *type_name;
char *comment;
- int type, success = 0;
+ int type, success = 0, death = 0;
Idtab *tab = idtab_lookup(version);
switch (version) {
case 1:
k = key_new_private(KEY_RSA1);
- buffer_get_int(&e->input); /* ignored */
- buffer_get_bignum(&e->input, k->rsa->n);
- buffer_get_bignum(&e->input, k->rsa->e);
- buffer_get_bignum(&e->input, k->rsa->d);
- buffer_get_bignum(&e->input, k->rsa->iqmp);
+ buffer_get_int(&e->request); /* ignored */
+ buffer_get_bignum(&e->request, k->rsa->n);
+ buffer_get_bignum(&e->request, k->rsa->e);
+ buffer_get_bignum(&e->request, k->rsa->d);
+ buffer_get_bignum(&e->request, k->rsa->iqmp);
/* SSH and SSL have p and q swapped */
- buffer_get_bignum(&e->input, k->rsa->q); /* p */
- buffer_get_bignum(&e->input, k->rsa->p); /* q */
+ buffer_get_bignum(&e->request, k->rsa->q); /* p */
+ buffer_get_bignum(&e->request, k->rsa->p); /* q */
/* Generate additional parameters */
rsa_generate_additional_parameters(k->rsa);
break;
case 2:
- type_name = buffer_get_string(&e->input, NULL);
+ type_name = buffer_get_string(&e->request, NULL);
type = key_type_from_name(type_name);
xfree(type_name);
switch (type) {
case KEY_DSA:
k = key_new_private(type);
- buffer_get_bignum2(&e->input, k->dsa->p);
- buffer_get_bignum2(&e->input, k->dsa->q);
- buffer_get_bignum2(&e->input, k->dsa->g);
- buffer_get_bignum2(&e->input, k->dsa->pub_key);
- buffer_get_bignum2(&e->input, k->dsa->priv_key);
+ buffer_get_bignum2(&e->request, k->dsa->p);
+ buffer_get_bignum2(&e->request, k->dsa->q);
+ buffer_get_bignum2(&e->request, k->dsa->g);
+ buffer_get_bignum2(&e->request, k->dsa->pub_key);
+ buffer_get_bignum2(&e->request, k->dsa->priv_key);
break;
case KEY_RSA:
k = key_new_private(type);
- buffer_get_bignum2(&e->input, k->rsa->n);
- buffer_get_bignum2(&e->input, k->rsa->e);
- buffer_get_bignum2(&e->input, k->rsa->d);
- buffer_get_bignum2(&e->input, k->rsa->iqmp);
- buffer_get_bignum2(&e->input, k->rsa->p);
- buffer_get_bignum2(&e->input, k->rsa->q);
+ buffer_get_bignum2(&e->request, k->rsa->n);
+ buffer_get_bignum2(&e->request, k->rsa->e);
+ buffer_get_bignum2(&e->request, k->rsa->d);
+ buffer_get_bignum2(&e->request, k->rsa->iqmp);
+ buffer_get_bignum2(&e->request, k->rsa->p);
+ buffer_get_bignum2(&e->request, k->rsa->q);
/* Generate additional parameters */
rsa_generate_additional_parameters(k->rsa);
break;
default:
- buffer_clear(&e->input);
+ buffer_clear(&e->request);
goto send;
}
break;
}
- comment = buffer_get_string(&e->input, NULL);
+ comment = buffer_get_string(&e->request, NULL);
if (k == NULL) {
xfree(comment);
goto send;
}
success = 1;
+ while (buffer_len(&e->request)) {
+ switch (buffer_get_char(&e->request)) {
+ case SSH_AGENT_CONSTRAIN_LIFETIME:
+ death = time(NULL) + buffer_get_int(&e->request);
+ break;
+ default:
+ break;
+ }
+ }
if (lookup_identity(k, version) == NULL) {
Identity *id = xmalloc(sizeof(Identity));
id->key = k;
id->comment = comment;
+ id->death = death;
TAILQ_INSERT_TAIL(&tab->idlist, id, next);
/* Increment the number of identities. */
tab->nentries++;
success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
}
+/* XXX todo: encrypt sensitive data with passphrase */
+static void
+process_lock_agent(SocketEntry *e, int lock)
+{
+ char *passwd;
+ int success = 0;
+
+ passwd = buffer_get_string(&e->request, NULL);
+ if (locked && !lock && strcmp(passwd, lock_passwd) == 0) {
+ locked = 0;
+ memset(lock_passwd, 0, strlen(lock_passwd));
+ xfree(lock_passwd);
+ lock_passwd = NULL;
+ success = 1;
+ } else if (!locked && lock) {
+ locked = 1;
+ lock_passwd = xstrdup(passwd);
+ success = 1;
+ }
+ memset(passwd, 0, strlen(passwd));
+ xfree(passwd);
+
+ buffer_put_int(&e->output, 1);
+ buffer_put_char(&e->output,
+ success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
+}
+
+static void
+no_identities(SocketEntry *e, u_int type)
+{
+ Buffer msg;
+
+ buffer_init(&msg);
+ buffer_put_char(&msg,
+ (type == SSH_AGENTC_REQUEST_RSA_IDENTITIES) ?
+ SSH_AGENT_RSA_IDENTITIES_ANSWER : SSH2_AGENT_IDENTITIES_ANSWER);
+ buffer_put_int(&msg, 0);
+ buffer_put_int(&e->output, buffer_len(&msg));
+ buffer_append(&e->output, buffer_ptr(&msg), buffer_len(&msg));
+ buffer_free(&msg);
+}
#ifdef SMARTCARD
static void
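Review bot: unknown constraint types in process_add_identity are skipped with `default: break;`, but the loop cannot know the length of an unrecognized constraint's payload, so the bytes that follow are reinterpreted as type codes and the key is then stored without the constraint the client asked for; an unrecognized type should set `success = 0` and `goto send`, so a client never receives SSH_AGENT_SUCCESS for a constraint the agent did not apply (and since SSH_AGENTC_ADD_RSA_IDENTITY and its _CONSTRAINED variant share this parser, trailing bytes on a plain add are parsed the same way). Two smaller points in the same hunk: `death` is `int` here, `u_int` in Identity and `u_int now = time(NULL)` in reaper, so the expiry arithmetic silently truncates `time_t`; use `time_t` throughout. And process_lock_agent accepts an empty lock password and, as the XXX comment admits, leaves the keys in cleartext memory, so `-x` only blocks the socket interface; reject an empty password and say in ssh-add.1 that locking is not a substitute for `-D` against anyone who can read the agent's memory.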
char *sc_reader_id = NULL, *pin;
int i, version, success = 0;
- sc_reader_id = buffer_get_string(&e->input, NULL);
- pin = buffer_get_string(&e->input, NULL);
+ sc_reader_id = buffer_get_string(&e->request, NULL);
+ pin = buffer_get_string(&e->request, NULL);
keys = sc_get_keys(sc_reader_id, pin);
xfree(sc_reader_id);
xfree(pin);
id = xmalloc(sizeof(Identity));
id->key = k;
id->comment = xstrdup("smartcard key");
+ id->death = 0;
TAILQ_INSERT_TAIL(&tab->idlist, id, next);
tab->nentries++;
success = 1;
char *sc_reader_id = NULL, *pin;
int i, version, success = 0;
- sc_reader_id = buffer_get_string(&e->input, NULL);
- pin = buffer_get_string(&e->input, NULL);
+ sc_reader_id = buffer_get_string(&e->request, NULL);
+ pin = buffer_get_string(&e->request, NULL);
keys = sc_get_keys(sc_reader_id, pin);
xfree(sc_reader_id);
xfree(pin);
version = k->type == KEY_RSA1 ? 1 : 2;
if ((id = lookup_identity(k, version)) != NULL) {
tab = idtab_lookup(version);
- TAILQ_REMOVE(&tab->idlist, id, next);
+ TAILQ_REMOVE(&tab->idlist, id, next);
tab->nentries--;
free_identity(id);
success = 1;
u_int msg_len;
u_int type;
u_char *cp;
+
+ /* kill dead keys */
+ reaper();
+
if (buffer_len(&e->input) < 5)
return; /* Incomplete message. */
cp = buffer_ptr(&e->input);
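Review bot: `reaper()` runs only at the top of process_message, so an identity whose `death` has passed is freed only when the next client request arrives; with no clients, expired private keys stay in memory indefinitely, which is not what a user setting `ssh-add -t` expects. Consider giving the select loop a timeout equal to the earliest pending `death` and calling `reaper()` from there as well. Expired keys cannot be used, since the reaper runs before any request is dispatched, so this is a memory hygiene issue rather than an authentication one.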
shutdown(e->fd, SHUT_RDWR);
close(e->fd);
e->type = AUTH_UNUSED;
+ buffer_free(&e->input);
+ buffer_free(&e->output);
+ buffer_free(&e->request);
return;
}
if (buffer_len(&e->input) < msg_len + 4)
return;
+
+ /* move the current input to e->request */
buffer_consume(&e->input, 4);
- type = buffer_get_char(&e->input);
+ buffer_clear(&e->request);
+ buffer_append(&e->request, buffer_ptr(&e->input), msg_len);
+ buffer_consume(&e->input, msg_len);
+ type = buffer_get_char(&e->request);
+
+ /* check wheter agent is locked */
+ if (locked && type != SSH_AGENTC_UNLOCK) {
+ buffer_clear(&e->request);
+ switch (type) {
+ case SSH_AGENTC_REQUEST_RSA_IDENTITIES:
+ case SSH2_AGENTC_REQUEST_IDENTITIES:
+ /* send empty lists */
+ no_identities(e, type);
+ break;
+ default:
+ /* send a fail message for all other request types */
+ buffer_put_int(&e->output, 1);
+ buffer_put_char(&e->output, SSH_AGENT_FAILURE);
+ }
+ return;
+ }
debug("type %d", type);
switch (type) {
+ case SSH_AGENTC_LOCK:
+ case SSH_AGENTC_UNLOCK:
+ process_lock_agent(e, type == SSH_AGENTC_LOCK);
+ break;
/* ssh1 */
case SSH_AGENTC_RSA_CHALLENGE:
process_authentication_challenge1(e);
process_request_identities(e, 1);
break;
case SSH_AGENTC_ADD_RSA_IDENTITY:
+ case SSH_AGENTC_ADD_RSA_ID_CONSTRAINED:
process_add_identity(e, 1);
break;
case SSH_AGENTC_REMOVE_RSA_IDENTITY:
process_request_identities(e, 2);
break;
case SSH2_AGENTC_ADD_IDENTITY:
+ case SSH2_AGENTC_ADD_ID_CONSTRAINED:
process_add_identity(e, 2);
break;
case SSH2_AGENTC_REMOVE_IDENTITY:
default:
/* Unknown message. Respond with failure. */
error("Unknown message %d", type);
- buffer_clear(&e->input);
+ buffer_clear(&e->request);
buffer_put_int(&e->output, 1);
buffer_put_char(&e->output, SSH_AGENT_FAILURE);
break;
sockets[i].type = type;
buffer_init(&sockets[i].input);
buffer_init(&sockets[i].output);
+ buffer_init(&sockets[i].request);
return;
}
old_alloc = sockets_alloc;
sockets[old_alloc].fd = fd;
buffer_init(&sockets[old_alloc].input);
buffer_init(&sockets[old_alloc].output);
+ buffer_init(&sockets[old_alloc].request);
}
static int
sockets[i].type = AUTH_UNUSED;
buffer_free(&sockets[i].input);
buffer_free(&sockets[i].output);
+ buffer_free(&sockets[i].request);
break;
}
buffer_consume(&sockets[i].output, len);
sockets[i].type = AUTH_UNUSED;
buffer_free(&sockets[i].input);
buffer_free(&sockets[i].output);
+ buffer_free(&sockets[i].request);
break;
}
buffer_append(&sockets[i].input, buf, len);
fprintf(stderr, " -s Generate Bourne shell commands on stdout.\n");
fprintf(stderr, " -k Kill the current agent.\n");
fprintf(stderr, " -d Debug mode.\n");
+ fprintf(stderr, " -a socket Bind agent socket to given name.\n");
exit(1);
}
#endif
pid_t pid;
char *shell, *format, *pidstr, pidstrbuf[1 + 3 * sizeof pid];
+ char *agentsocket = NULL;
extern int optind;
fd_set *readsetp = NULL, *writesetp = NULL;
seed_rng();
#ifdef __GNU_LIBRARY__
- while ((ch = getopt(ac, av, "+cdks")) != -1) {
+ while ((ch = getopt(ac, av, "+cdksa:")) != -1) {
#else /* __GNU_LIBRARY__ */
- while ((ch = getopt(ac, av, "cdks")) != -1) {
+ while ((ch = getopt(ac, av, "cdksa:")) != -1) {
#endif /* __GNU_LIBRARY__ */
switch (ch) {
case 'c':
usage();
d_flag++;
break;
+ case 'a':
+ agentsocket = optarg;
+ break;
default:
usage();
}
format = c_flag ? "unsetenv %s;\n" : "unset %s;\n";
printf(format, SSH_AUTHSOCKET_ENV_NAME);
printf(format, SSH_AGENTPID_ENV_NAME);
- printf("echo Agent pid %d killed;\n", pid);
+ printf("echo Agent pid %ld killed;\n", (long)pid);
exit(0);
}
parent_pid = getpid();
- /* Create private directory for agent socket */
- strlcpy(socket_dir, "/tmp/ssh-XXXXXXXX", sizeof socket_dir);
- if (mkdtemp(socket_dir) == NULL) {
- perror("mkdtemp: private socket dir");
- exit(1);
+ if (agentsocket == NULL) {
+ /* Create private directory for agent socket */
+ strlcpy(socket_dir, "/tmp/ssh-XXXXXXXX", sizeof socket_dir);
+ if (mkdtemp(socket_dir) == NULL) {
+ perror("mkdtemp: private socket dir");
+ exit(1);
+ }
+ snprintf(socket_name, sizeof socket_name, "%s/agent.%ld", socket_dir,
+ (long)parent_pid);
+ } else {
+ /* Try to use specified agent socket */
+ socket_dir[0] = '\0';
+ strlcpy(socket_name, agentsocket, sizeof socket_name);
}
- snprintf(socket_name, sizeof socket_name, "%s/agent.%d", socket_dir,
- parent_pid);
/*
* Create socket early so it will exist before command gets run from
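Review bot: with `-a` the path is used exactly as given and `socket_dir` is left empty, so nothing checks the directory the socket lands in; since the point of the default `mkdtemp` directory is to keep the socket out of reach of other users, consider a `stat()` on the parent directory of `agentsocket` that refuses to bind when it is not owned by the current uid or is group/other writable, or at least have ssh-agent.1 say that this check is the caller's job.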
format = c_flag ? "setenv %s %s;\n" : "%s=%s; export %s;\n";
printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name,
SSH_AUTHSOCKET_ENV_NAME);
- printf("echo Agent pid %d;\n", parent_pid);
+ printf("echo Agent pid %ld;\n", (long)parent_pid);
goto skip;
}
pid = fork();
}
if (pid != 0) { /* Parent - execute the given command. */
close(sock);
- snprintf(pidstrbuf, sizeof pidstrbuf, "%d", pid);
+ snprintf(pidstrbuf, sizeof pidstrbuf, "%ld", (long)pid);
if (ac == 0) {
format = c_flag ? "setenv %s %s;\n" : "%s=%s; export %s;\n";
printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name,
SSH_AUTHSOCKET_ENV_NAME);
printf(format, SSH_AGENTPID_ENV_NAME, pidstrbuf,
SSH_AGENTPID_ENV_NAME);
- printf("echo Agent pid %d;\n", pid);
+ printf("echo Agent pid %ld;\n", (long)pid);
exit(0);
}
if (setenv(SSH_AUTHSOCKET_ENV_NAME, socket_name, 1) == -1 ||
-.\" $OpenBSD: ssh-keygen.1,v 1.53 2002/02/16 14:53:37 stevesk Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.54 2002/06/19 00:27:55 deraadt Exp $
.\"
.\" -*- nroff -*-
.\"
generates, manages and converts authentication keys for
.Xr ssh 1 .
.Nm
-can create RSA keys for use by SSH protocol version 1 and RSA or DSA
+can create RSA keys for use by SSH protocol version 1 and RSA or DSA
keys for use by SSH protocol version 2. The type of key to be generated
is specified with the
.Fl t
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.98 2002/03/27 22:21:45 markus Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.100 2002/06/19 00:27:55 deraadt Exp $");
#include <openssl/evp.h>
#include <openssl/pem.h>
}
#define SSH_COM_PUBLIC_BEGIN "---- BEGIN SSH2 PUBLIC KEY ----"
-#define SSH_COM_PUBLIC_END "---- END SSH2 PUBLIC KEY ----"
+#define SSH_COM_PUBLIC_END "---- END SSH2 PUBLIC KEY ----"
#define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----"
#define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb
key_free(prv);
if (ret < 0)
exit(1);
- log("loading key done");
+ log("loading key done");
exit(0);
}
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-keyscan.c,v 1.35 2002/03/04 18:30:23 stevesk Exp $");
+RCSID("$OpenBSD: ssh-keyscan.c,v 1.36 2002/06/16 21:30:58 itojun Exp $");
#include "openbsd-compat/fake-queue.h"
con *c;
gettimeofday(&now, NULL);
- c = tq.tqh_first;
+ c = TAILQ_FIRST(&tq);
if (c && (c->c_tv.tv_sec > now.tv_sec ||
(c->c_tv.tv_sec == now.tv_sec && c->c_tv.tv_usec > now.tv_usec))) {
xfree(r);
xfree(e);
- c = tq.tqh_first;
+ c = TAILQ_FIRST(&tq);
while (c && (c->c_tv.tv_sec < now.tv_sec ||
(c->c_tv.tv_sec == now.tv_sec && c->c_tv.tv_usec < now.tv_usec))) {
int s = c->c_fd;
- c = c->c_link.tqe_next;
+ c = TAILQ_NEXT(c, c_link);
conrecycle(s);
}
}
--- /dev/null
+.\" $OpenBSD: ssh-keysign.8,v 1.2 2002/06/10 16:56:30 stevesk Exp $
+.\"
+.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd May 24, 2002
+.Dt SSH-KEYSIGN 8
+.Os
+.Sh NAME
+.Nm ssh-keysign
+.Nd ssh helper program for hostbased authentication
+.Sh SYNOPSIS
+.Nm
+.Sh DESCRIPTION
+.Nm
+is used by
+.Xr ssh 1
+to access the local host keys and generate the digital signature
+required during hostbased authentication with SSH protocol version 2.
+.Nm
+is not intended to be invoked by the user, but from
+.Xr ssh 1 .
+See
+.Xr ssh 1
+and
+.Xr sshd 8
+for more information about hostbased authentication.
+.Sh FILES
+.Bl -tag -width Ds
+.It Pa /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
+These files contain the private parts of the host keys used to
+generate the digital signature. They
+should be owned by root, readable only by root, and not
+accessible to others.
+Since they are readable only by root,
+.Nm
+must be set-uid root if hostbased authentication is used.
+.El
+.Sh SEE ALSO
+.Xr ssh 1 ,
+.Xr ssh-keygen 1 ,
+.Xr sshd 8
+.Sh AUTHORS
+Markus Friedl <markus@openbsd.org>
+.Sh HISTORY
+.Nm
+first appeared in
+.Ox 3.2 .
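Review bot: the DESCRIPTION should state what this setuid-root program will and will not sign, because that is the security argument for it being setuid: per `valid_request` in ssh-keysign.c it only signs an SSH2_MSG_USERAUTH_REQUEST for service `ssh-connection`, method `hostbased`, whose client host name matches the local socket name and whose local user equals the invoking user's `pw_name`, and it drops root before parsing the request. A sentence to that effect, plus a note that the host key files are opened before privileges are dropped, would let administrators judge the exposure.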
--- /dev/null
+/*
+ * Copyright (c) 2002 Markus Friedl. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+RCSID("$OpenBSD: ssh-keysign.c,v 1.4 2002/06/19 00:27:55 deraadt Exp $");
+
+#include <openssl/evp.h>
+
+#include "log.h"
+#include "key.h"
+#include "ssh2.h"
+#include "misc.h"
+#include "xmalloc.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "authfile.h"
+#include "msg.h"
+#include "canohost.h"
+#include "pathnames.h"
+
+#ifdef HAVE___PROGNAME
+extern char *__progname;
+#else
+char *__progname;
+#endif
+
+static int
+valid_request(struct passwd *pw, char *host, Key **ret, u_char *data,
+ u_int datalen)
+{
+ Buffer b;
+ Key *key;
+ u_char *pkblob;
+ u_int blen, len;
+ char *pkalg, *p;
+ int pktype, fail;
+
+ fail = 0;
+
+ buffer_init(&b);
+ buffer_append(&b, data, datalen);
+
+ /* session id, currently limited to SHA1 (20 bytes) */
+ p = buffer_get_string(&b, &len);
+ if (len != 20)
+ fail++;
+ xfree(p);
+
+ if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
+ fail++;
+
+ /* server user */
+ buffer_skip_string(&b);
+
+ /* service */
+ p = buffer_get_string(&b, NULL);
+ if (strcmp("ssh-connection", p) != 0)
+ fail++;
+ xfree(p);
+
+ /* method */
+ p = buffer_get_string(&b, NULL);
+ if (strcmp("hostbased", p) != 0)
+ fail++;
+ xfree(p);
+
+ /* pubkey */
+ pkalg = buffer_get_string(&b, NULL);
+ pkblob = buffer_get_string(&b, &blen);
+
+ pktype = key_type_from_name(pkalg);
+ if (pktype == KEY_UNSPEC)
+ fail++;
+ else if ((key = key_from_blob(pkblob, blen)) == NULL)
+ fail++;
+ else if (key->type != pktype)
+ fail++;
+ xfree(pkalg);
+ xfree(pkblob);
+
+ /* client host name, handle trailing dot */
+ p = buffer_get_string(&b, &len);
+ debug2("valid_request: check expect chost %s got %s", host, p);
+ if (strlen(host) != len - 1)
+ fail++;
+ else if (p[len - 1] != '.')
+ fail++;
+ else if (strncasecmp(host, p, len - 1) != 0)
+ fail++;
+ xfree(p);
+
+ /* local user */
+ p = buffer_get_string(&b, NULL);
+
+ if (strcmp(pw->pw_name, p) != 0)
+ fail++;
+ xfree(p);
+
+ /* end of message */
+ if (buffer_len(&b) != 0)
+ fail++;
+
+ debug3("valid_request: fail %d", fail);
+
+ if (fail && key != NULL)
+ key_free(key);
+ else
+ *ret = key;
+
+ return (fail ? -1 : 0);
+}
+
+int
+main(int argc, char **argv)
+{
+ Buffer b;
+ Key *keys[2], *key;
+ struct passwd *pw;
+ int key_fd[2], i, found, version = 2, fd;
+ u_char *signature, *data;
+ char *host;
+ u_int slen, dlen;
+
+ key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
+ key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
+
+ seteuid(getuid());
+ setuid(getuid());
+
+ init_rng();
+ seed_rng();
+ arc4random_stir();
+
+#ifdef DEBUG_SSH_KEYSIGN
+ log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
+#endif
+
+ if (key_fd[0] == -1 && key_fd[1] == -1)
+ fatal("could not open any host key");
+
+ if ((pw = getpwuid(getuid())) == NULL)
+ fatal("getpwuid failed");
+ pw = pwcopy(pw);
+
+ SSLeay_add_all_algorithms();
+
+ found = 0;
+ for (i = 0; i < 2; i++) {
+ keys[i] = NULL;
+ if (key_fd[i] == -1)
+ continue;
+ keys[i] = key_load_private_pem(key_fd[i], KEY_UNSPEC,
+ NULL, NULL);
+ close(key_fd[i]);
+ if (keys[i] != NULL)
+ found = 1;
+ }
+ if (!found)
+ fatal("no hostkey found");
+
+ buffer_init(&b);
+ if (msg_recv(STDIN_FILENO, &b) < 0)
+ fatal("msg_recv failed");
+ if (buffer_get_char(&b) != version)
+ fatal("bad version");
+ fd = buffer_get_int(&b);
+ if ((fd == STDIN_FILENO) || (fd == STDOUT_FILENO))
+ fatal("bad fd");
+ if ((host = get_local_name(fd)) == NULL)
+ fatal("cannot get sockname for fd");
+
+ data = buffer_get_string(&b, &dlen);
+ if (valid_request(pw, host, &key, data, dlen) < 0)
+ fatal("not a valid request");
+ xfree(data);
+ xfree(host);
+
+ found = 0;
+ for (i = 0; i < 2; i++) {
+ if (keys[i] != NULL &&
+ key_equal(key, keys[i])) {
+ found = 1;
+ break;
+ }
+ }
+ if (!found)
+ fatal("no matching hostkey found");
+
+ if (key_sign(keys[i], &signature, &slen, data, dlen) != 0)
+ fatal("key_sign failed");
+
+ /* send reply */
+ buffer_clear(&b);
+ buffer_put_string(&b, signature, slen);
+ msg_send(STDOUT_FILENO, version, &b);
+
+ return (0);
+}
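Review bot: `data` is freed at `xfree(data);` directly after `valid_request` but is then passed to `key_sign(keys[i], &signature, &slen, data, dlen)`, which is a use after free; move the `xfree(data)` below the signing call. Second, `Key *key;` in valid_request is never assigned when `pktype == KEY_UNSPEC`, yet the epilogue tests `if (fail && key != NULL) key_free(key);`, so an unknown key algorithm leads to freeing an uninitialized pointer; initialize it with `Key *key = NULL;`. Third, the return values of `seteuid(getuid()); setuid(getuid());` are not checked; if setuid fails, the rest of the program, including the request parser, keeps running as root, so make a failure `fatal()`.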
if (waitpid(pid, &status, 0) == -1) {
error("Couldn't wait for child '%s' completion: %s",
- src->cmdstring, strerror(errno));
+ src->cmdstring, strerror(errno));
return 0.0;
}
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-rsa.c,v 1.18 2002/04/02 20:11:38 markus Exp $");
+RCSID("$OpenBSD: ssh-rsa.c,v 1.20 2002/06/10 16:53:06 stevesk Exp $");
#include <openssl/evp.h>
#include <openssl/err.h>
EVP_MD_CTX md;
char *ktype;
u_char digest[EVP_MAX_MD_SIZE], *sigblob;
- u_int len, dlen;
+ u_int len, dlen, modlen;
int rlen, ret, nid;
if (key == NULL || key->type != KEY_RSA || key->rsa == NULL) {
return -1;
}
if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
- error("ssh_rsa_verify: n too small: %d bits",
- BN_num_bits(key->rsa->n));
+ error("ssh_rsa_verify: RSA modulus too small: %d < minimum %d bits",
+ BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
return -1;
}
buffer_init(&b);
xfree(sigblob);
return -1;
}
+ /* RSA_verify expects a signature of RSA_size */
+ modlen = RSA_size(key->rsa);
+ if (len > modlen) {
+ error("ssh_rsa_verify: len %d > modlen %d", len, modlen);
+ xfree(sigblob);
+ return -1;
+ } else if (len < modlen) {
+ int diff = modlen - len;
+ debug("ssh_rsa_verify: add padding: modlen %d > len %d",
+ modlen, len);
+ sigblob = xrealloc(sigblob, modlen);
+ memmove(sigblob + diff, sigblob, len);
+ memset(sigblob, 0, diff);
+ len = modlen;
+ }
nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
error("ssh_rsa_verify: EVP_get_digestbynid %d failed", nid);
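Review bot: the padding branch should say why it exists, since it widens what the verifier accepts: a peer that strips leading zero bytes from the big-endian signature integer sends fewer than `RSA_size` bytes, and left-padding with zeros restores the same integer, so the check is safe because RSA_verify treats the blob as a value modulo n. Put that reasoning in the comment above `modlen = RSA_size(key->rsa);` and note that `len > modlen` is still rejected outright, so oversized blobs never reach RSA_verify.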
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.151 2002/05/06 23:34:33 millert Exp $
+.\" $OpenBSD: ssh.1,v 1.158 2002/06/20 19:56:07 stevesk Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
otherwise be used to circumvent the encryption.
The
.Cm StrictHostKeyChecking
-option (see below) can be used to prevent logins to machines whose
+option can be used to prevent logins to machines whose
host key is not known or has changed.
.Pp
The options are as follows:
.Dq level
can be controlled by the
.Cm CompressionLevel
-option (see below).
+option.
Compression is desirable on modem lines and other
slow connections, but will only slow down things on fast networks.
The default value can be set on a host-by-host basis in the
configuration files; see the
.Cm Compression
-option below.
+option.
.It Fl F Ar configfile
Specifies an alternative per-user configuration file.
If a configuration file is given on the command line,
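Review bot: dropping "(see below)" from the StrictHostKeyChecking, CompressionLevel and Compression descriptions leaves no pointer to where those keywords are now documented (the CONFIGURATION FILES section is removed further down in this patch); replace each with a cross-reference such as `option (see` followed by `.Xr ssh_config 5 )` so readers of ssh.1 can still find the keyword descriptions.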
.El
.Sh CONFIGURATION FILES
.Nm
-obtains configuration data from the following sources in
-the following order:
-command line options, user's configuration file
-.Pq Pa $HOME/.ssh/config ,
-and system-wide configuration file
-.Pq Pa /etc/ssh/ssh_config .
-For each parameter, the first obtained value
-will be used.
-The configuration files contain sections bracketed by
-.Dq Host
-specifications, and that section is only applied for hosts that
-match one of the patterns given in the specification.
-The matched host name is the one given on the command line.
-.Pp
-Since the first obtained value for each parameter is used, more
-host-specific declarations should be given near the beginning of the
-file, and general defaults at the end.
-.Pp
-The configuration file has the following format:
-.Pp
-Empty lines and lines starting with
-.Ql #
-are comments.
-.Pp
-Otherwise a line is of the format
-.Dq keyword arguments .
-Configuration options may be separated by whitespace or
-optional whitespace and exactly one
-.Ql = ;
-the latter format is useful to avoid the need to quote whitespace
-when specifying configuration options using the
-.Nm ssh ,
-.Nm scp
-and
-.Nm sftp
-.Fl o
-option.
-.Pp
-The possible
-keywords and their meanings are as follows (note that
-keywords are case-insensitive and arguments are case-sensitive):
-.Bl -tag -width Ds
-.It Cm Host
-Restricts the following declarations (up to the next
-.Cm Host
-keyword) to be only for those hosts that match one of the patterns
-given after the keyword.
-.Ql \&*
-and
-.Ql ?
-can be used as wildcards in the
-patterns.
-A single
-.Ql \&*
-as a pattern can be used to provide global
-defaults for all hosts.
-The host is the
-.Ar hostname
-argument given on the command line (i.e., the name is not converted to
-a canonicalized host name before matching).
-.It Cm AFSTokenPassing
-Specifies whether to pass AFS tokens to remote host.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-This option applies to protocol version 1 only.
-.It Cm BatchMode
-If set to
-.Dq yes ,
-passphrase/password querying will be disabled.
-This option is useful in scripts and other batch jobs where no user
-is present to supply the password.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-.It Cm BindAddress
-Specify the interface to transmit from on machines with multiple
-interfaces or aliased addresses.
-Note that this option does not work if
-.Cm UsePrivilegedPort
-is set to
-.Dq yes .
-.It Cm CheckHostIP
-If this flag is set to
-.Dq yes ,
-ssh will additionally check the host IP address in the
-.Pa known_hosts
-file.
-This allows ssh to detect if a host key changed due to DNS spoofing.
-If the option is set to
-.Dq no ,
-the check will not be executed.
-The default is
-.Dq yes .
-.It Cm Cipher
-Specifies the cipher to use for encrypting the session
-in protocol version 1.
-Currently,
-.Dq blowfish ,
-.Dq 3des ,
-and
-.Dq des
-are supported.
-.Ar des
-is only supported in the
-.Nm
-client for interoperability with legacy protocol 1 implementations
-that do not support the
-.Ar 3des
-cipher. Its use is strongly discouraged due to cryptographic
-weaknesses.
-The default is
-.Dq 3des .
-.It Cm Ciphers
-Specifies the ciphers allowed for protocol version 2
-in order of preference.
-Multiple ciphers must be comma-separated.
-The default is
-.Pp
-.Bd -literal
- ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
- aes192-cbc,aes256-cbc''
-.Ed
-.It Cm ClearAllForwardings
-Specifies that all local, remote and dynamic port forwardings
-specified in the configuration files or on the command line be
-cleared. This option is primarily useful when used from the
-.Nm
-command line to clear port forwardings set in
-configuration files, and is automatically set by
-.Xr scp 1
-and
-.Xr sftp 1 .
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-.It Cm Compression
-Specifies whether to use compression.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-.It Cm CompressionLevel
-Specifies the compression level to use if compression is enabled.
-The argument must be an integer from 1 (fast) to 9 (slow, best).
-The default level is 6, which is good for most applications.
-The meaning of the values is the same as in
-.Xr gzip 1 .
-Note that this option applies to protocol version 1 only.
-.It Cm ConnectionAttempts
-Specifies the number of tries (one per second) to make before falling
-back to rsh or exiting.
-The argument must be an integer.
-This may be useful in scripts if the connection sometimes fails.
-The default is 1.
-.It Cm DynamicForward
-Specifies that a TCP/IP port on the local machine be forwarded
-over the secure channel, and the application
-protocol is then used to determine where to connect to from the
-remote machine. The argument must be a port number.
-Currently the SOCKS4 protocol is supported, and
-.Nm
-will act as a SOCKS4 server.
-Multiple forwardings may be specified, and
-additional forwardings can be given on the command line. Only
-the superuser can forward privileged ports.
-.It Cm EscapeChar
-Sets the escape character (default:
-.Ql ~ ) .
-The escape character can also
-be set on the command line.
-The argument should be a single character,
-.Ql ^
-followed by a letter, or
-.Dq none
-to disable the escape
-character entirely (making the connection transparent for binary
-data).
-.It Cm FallBackToRsh
-Specifies that if connecting via
-.Nm
-fails due to a connection refused error (there is no
-.Xr sshd 8
-listening on the remote host),
-.Xr rsh 1
-should automatically be used instead (after a suitable warning about
-the session being unencrypted).
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-.It Cm ForwardAgent
-Specifies whether the connection to the authentication agent (if any)
-will be forwarded to the remote machine.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-.It Cm ForwardX11
-Specifies whether X11 connections will be automatically redirected
-over the secure channel and
-.Ev DISPLAY
-set.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-.It Cm GatewayPorts
-Specifies whether remote hosts are allowed to connect to local
-forwarded ports.
-By default,
-.Nm
-binds local port forwardings to the loopback addresss. This
-prevents other remote hosts from connecting to forwarded ports.
-.Cm GatewayPorts
-can be used to specify that
-.Nm
-should bind local port forwardings to the wildcard address,
-thus allowing remote hosts to connect to forwarded ports.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-.It Cm GlobalKnownHostsFile
-Specifies a file to use for the global
-host key database instead of
-.Pa /etc/ssh/ssh_known_hosts .
-.It Cm HostbasedAuthentication
-Specifies whether to try rhosts based authentication with public key
-authentication.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-This option applies to protocol version 2 only and
-is similar to
-.Cm RhostsRSAAuthentication .
-.It Cm HostKeyAlgorithms
-Specifies the protocol version 2 host key algorithms
-that the client wants to use in order of preference.
-The default for this option is:
-.Dq ssh-rsa,ssh-dss .
-.It Cm HostKeyAlias
-Specifies an alias that should be used instead of the
-real host name when looking up or saving the host key
-in the host key database files.
-This option is useful for tunneling ssh connections
-or for multiple servers running on a single host.
-.It Cm HostName
-Specifies the real host name to log into.
-This can be used to specify nicknames or abbreviations for hosts.
-Default is the name given on the command line.
-Numeric IP addresses are also permitted (both on the command line and in
-.Cm HostName
-specifications).
-.It Cm IdentityFile
-Specifies a file from which the user's RSA or DSA authentication identity
-is read. The default is
-.Pa $HOME/.ssh/identity
-for protocol version 1, and
-.Pa $HOME/.ssh/id_rsa
-and
-.Pa $HOME/.ssh/id_dsa
-for protocol version 2.
-Additionally, any identities represented by the authentication agent
-will be used for authentication.
-The file name may use the tilde
-syntax to refer to a user's home directory.
-It is possible to have
-multiple identity files specified in configuration files; all these
-identities will be tried in sequence.
-.It Cm KeepAlive
-Specifies whether the system should send TCP keepalive messages to the
-other side.
-If they are sent, death of the connection or crash of one
-of the machines will be properly noticed.
-However, this means that
-connections will die if the route is down temporarily, and some people
-find it annoying.
-.Pp
-The default is
-.Dq yes
-(to send keepalives), and the client will notice
-if the network goes down or the remote host dies.
-This is important in scripts, and many users want it too.
-.Pp
-To disable keepalives, the value should be set to
-.Dq no .
-.It Cm KerberosAuthentication
-Specifies whether Kerberos authentication will be used.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-.It Cm KerberosTgtPassing
-Specifies whether a Kerberos TGT will be forwarded to the server.
-This will only work if the Kerberos server is actually an AFS kaserver.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-.It Cm LocalForward
-Specifies that a TCP/IP port on the local machine be forwarded over
-the secure channel to the specified host and port from the remote machine.
-The first argument must be a port number, and the second must be
-.Ar host:port .
-IPv6 addresses can be specified with an alternative syntax:
-.Ar host/port .
-Multiple forwardings may be specified, and additional
-forwardings can be given on the command line.
-Only the superuser can forward privileged ports.
-.It Cm LogLevel
-Gives the verbosity level that is used when logging messages from
-.Nm ssh .
-The possible values are:
-QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
-The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2
-and DEBUG3 each specify higher levels of verbose output.
-.It Cm MACs
-Specifies the MAC (message authentication code) algorithms
-in order of preference.
-The MAC algorithm is used in protocol version 2
-for data integrity protection.
-Multiple algorithms must be comma-separated.
-The default is
-.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
-.It Cm NoHostAuthenticationForLocalhost
-This option can be used if the home directory is shared across machines.
-In this case localhost will refer to a different machine on each of
-the machines and the user will get many warnings about changed host keys.
-However, this option disables host authentication for localhost.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-The default is to check the host key for localhost.
-.It Cm NumberOfPasswordPrompts
-Specifies the number of password prompts before giving up.
-The argument to this keyword must be an integer.
-Default is 3.
-.It Cm PasswordAuthentication
-Specifies whether to use password authentication.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq yes .
-.It Cm Port
-Specifies the port number to connect on the remote host.
-Default is 22.
-.It Cm PreferredAuthentications
-Specifies the order in which the client should try protocol 2
-authentication methods. This allows a client to prefer one method (e.g.
-.Cm keyboard-interactive )
-over another method (e.g.
-.Cm password )
-The default for this option is:
-.Dq hostbased,publickey,keyboard-interactive,password .
-.It Cm Protocol
-Specifies the protocol versions
-.Nm
-should support in order of preference.
-The possible values are
-.Dq 1
-and
-.Dq 2 .
-Multiple versions must be comma-separated.
-The default is
-.Dq 2,1 .
-This means that
-.Nm
-tries version 2 and falls back to version 1
-if version 2 is not available.
-.It Cm ProxyCommand
-Specifies the command to use to connect to the server.
-The command
-string extends to the end of the line, and is executed with
-.Pa /bin/sh .
-In the command string,
-.Ql %h
-will be substituted by the host name to
-connect and
-.Ql %p
-by the port.
-The command can be basically anything,
-and should read from its standard input and write to its standard output.
-It should eventually connect an
-.Xr sshd 8
-server running on some machine, or execute
-.Ic sshd -i
-somewhere.
-Host key management will be done using the
-HostName of the host being connected (defaulting to the name typed by
-the user).
-Note that
-.Cm CheckHostIP
-is not available for connects with a proxy command.
-.Pp
-.It Cm PubkeyAuthentication
-Specifies whether to try public key authentication.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq yes .
-This option applies to protocol version 2 only.
-.It Cm RemoteForward
-Specifies that a TCP/IP port on the remote machine be forwarded over
-the secure channel to the specified host and port from the local machine.
-The first argument must be a port number, and the second must be
-.Ar host:port .
-IPv6 addresses can be specified with an alternative syntax:
-.Ar host/port .
-Multiple forwardings may be specified, and additional
-forwardings can be given on the command line.
-Only the superuser can forward privileged ports.
-.It Cm RhostsAuthentication
-Specifies whether to try rhosts based authentication.
-Note that this
-declaration only affects the client side and has no effect whatsoever
-on security.
-Disabling rhosts authentication may reduce
-authentication time on slow connections when rhosts authentication is
-not used.
-Most servers do not permit RhostsAuthentication because it
-is not secure (see
-.Cm RhostsRSAAuthentication ) .
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq yes .
-This option applies to protocol version 1 only.
-.It Cm RhostsRSAAuthentication
-Specifies whether to try rhosts based authentication with RSA host
-authentication.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq yes .
-This option applies to protocol version 1 only.
-.It Cm RSAAuthentication
-Specifies whether to try RSA authentication.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-RSA authentication will only be
-attempted if the identity file exists, or an authentication agent is
-running.
-The default is
-.Dq yes .
-Note that this option applies to protocol version 1 only.
-.It Cm ChallengeResponseAuthentication
-Specifies whether to use challenge response authentication.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq yes .
-.It Cm SmartcardDevice
-Specifies which smartcard device to use. The argument to this keyword is
-the device
-.Nm
-should use to communicate with a smartcard used for storing the user's
-private RSA key. By default, no device is specified and smartcard support
-is not activated.
-.It Cm StrictHostKeyChecking
-If this flag is set to
-.Dq yes ,
-.Nm
-will never automatically add host keys to the
-.Pa $HOME/.ssh/known_hosts
-file, and refuses to connect to hosts whose host key has changed.
-This provides maximum protection against trojan horse attacks,
-however, can be annoying when the
-.Pa /etc/ssh/ssh_known_hosts
-file is poorly maintained, or connections to new hosts are
-frequently made.
-This option forces the user to manually
-add all new hosts.
-If this flag is set to
-.Dq no ,
-.Nm
-will automatically add new host keys to the
-user known hosts files.
-If this flag is set to
-.Dq ask ,
-new host keys
-will be added to the user known host files only after the user
-has confirmed that is what they really want to do, and
-.Nm
-will refuse to connect to hosts whose host key has changed.
-The host keys of
-known hosts will be verified automatically in all cases.
-The argument must be
-.Dq yes ,
-.Dq no
-or
-.Dq ask .
-The default is
-.Dq ask .
-.It Cm UsePrivilegedPort
-Specifies whether to use a privileged port for outgoing connections.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-Note that this option must be set to
-.Dq yes
-if
-.Cm RhostsAuthentication
-and
-.Cm RhostsRSAAuthentication
-authentications are needed with older servers.
-.It Cm User
-Specifies the user to log in as.
-This can be useful when a different user name is used on different machines.
-This saves the trouble of
-having to remember to give the user name on the command line.
-.It Cm UserKnownHostsFile
-Specifies a file to use for the user
-host key database instead of
-.Pa $HOME/.ssh/known_hosts .
-.It Cm UseRsh
-Specifies that rlogin/rsh should be used for this host.
-It is possible that the host does not at all support the
-.Nm
-protocol.
-This causes
-.Nm
-to immediately execute
-.Xr rsh 1 .
-All other options (except
-.Cm HostName )
-are ignored if this has been specified.
-The argument must be
-.Dq yes
-or
-.Dq no .
-.It Cm XAuthLocation
-Specifies the location of the
-.Xr xauth 1
-program.
-The default is
-.Pa /usr/X11R6/bin/xauth .
-.El
+may additionally obtain configuration data from
+a per-user configuration file and a system-wide configuration file.
+The file format and configuration options are described in
+.Xr ssh_config 5 .
.Sh ENVIRONMENT
.Nm
will normally set the following environment variables:
the convenience of the user.
.It Pa $HOME/.ssh/config
This is the per-user configuration file.
-The format of this file is described above.
-This file is used by the
-.Nm
-client.
-This file does not usually contain any sensitive information,
-but the recommended permissions are read/write for the user, and not
-accessible by others.
+The file format and configuration options are described in
+.Xr ssh_config 5 .
.It Pa $HOME/.ssh/authorized_keys
Lists the public keys (RSA/DSA) that can be used for logging in as this user.
The format of this file is described in the
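Review bot: the ownership and permission guidance is lost in this hunk: the removed lines "but the recommended permissions are read/write for the user, and not accessible by others" (for $HOME/.ssh/config) and, in the next hunk, "This file must be world-readable." (for /etc/ssh/ssh_config) are replaced by a bare cross-reference to ssh_config(5), but the visible part of the new page (through HostKeyAlgorithms) does not restate either. Make sure the FILES section of ssh_config.5 carries both statements, otherwise the only documentation of the expected mode of the client configuration files disappears.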
would then be able to fool host authentication.
.It Pa /etc/ssh/ssh_config
Systemwide configuration file.
-This file provides defaults for those
-values that are not specified in the user's configuration file, and
-for those users who do not have a configuration file.
-This file must be world-readable.
+The file format and configuration options are described in
+.Xr ssh_config 5 .
.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
These three files contain the private parts of the host keys
and are used for
.Cm RhostsRSAAuthentication
and
.Cm HostbasedAuthentication .
-Since they are readable only by root
+If the protocol version 1
+.Cm RhostsRSAAuthentication
+method is used,
+.Nm
+must be setuid root, since the host key is readable only by root.
+For protocol version 2,
+.Nm
+uses
+.Xr ssh-keysign 8
+to access the host keys for
+.Cm HostbasedAuthentication .
+This eliminates the requirement that
+.Nm
+be setuid root when that authentication method is used.
+By default
.Nm
-must be setuid root if these authentication methods are desired.
+is not setuid root.
.It Pa $HOME/.rhosts
This file is used in
.Pa \&.rhosts
.Xr ssh-agent 1 ,
.Xr ssh-keygen 1 ,
.Xr telnet 1 ,
+.Xr ssh_config 4 ,
+.Xr ssh-keysign 8,
.Xr sshd 8
.Rs
.%A T. Ylonen
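Review bot: the two SEE ALSO additions have mdoc errors. `.Xr ssh_config 4` should be `.Xr ssh_config 5`, matching the `.Dt SSH_CONFIG 5` header of the new page and the `.Xr ssh_config 5` references added elsewhere in this patch; and `.Xr ssh-keysign 8,` needs the comma as a separate argument, `.Xr ssh-keysign 8 ,`, as in the `.Xr ssh-agent 1 ,` line above, or it renders as "ssh-keysign(8,)".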
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.170 2002/04/22 21:04:52 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.179 2002/06/12 01:09:52 markus Exp $");
#include <openssl/evp.h>
#include <openssl/err.h>
#include "xmalloc.h"
#include "packet.h"
#include "buffer.h"
-#include "uidswap.h"
#include "channels.h"
#include "key.h"
#include "authfd.h"
/*
* Flag indicating that ssh should fork after authentication. This is useful
- * so that the pasphrase can be entered manually, and then ssh goes to the
+ * so that the passphrase can be entered manually, and then ssh goes to the
* background.
*/
int fork_after_authentication_flag = 0;
struct sockaddr_storage hostaddr;
/* Private host keys. */
-struct {
- Key **keys;
- int nkeys;
-} sensitive_data;
+Sensitive sensitive_data;
/* Original real UID. */
uid_t original_real_uid;
+uid_t original_effective_uid;
/* command to be executed */
Buffer command;
exit(1);
}
-/*
- * Connects to the given host using rsh (or prints an error message and exits
- * if rsh is not available). This function never returns.
- */
-static void
-rsh_connect(char *host, char *user, Buffer * command)
-{
- char *args[10];
- int i;
-
- log("Using rsh. WARNING: Connection will not be encrypted.");
- /* Build argument list for rsh. */
- i = 0;
- args[i++] = _PATH_RSH;
- /* host may have to come after user on some systems */
- args[i++] = host;
- if (user) {
- args[i++] = "-l";
- args[i++] = user;
- }
- if (buffer_len(command) > 0) {
- buffer_append(command, "\0", 1);
- args[i++] = buffer_ptr(command);
- }
- args[i++] = NULL;
- if (debug_flag) {
- for (i = 0; args[i]; i++) {
- if (i != 0)
- fprintf(stderr, " ");
- fprintf(stderr, "%s", args[i]);
- }
- fprintf(stderr, "\n");
- }
- execv(_PATH_RSH, args);
- perror(_PATH_RSH);
- exit(1);
-}
-
static int ssh_session(void);
static int ssh_session2(void);
static void load_public_identity_files(void);
int
main(int ac, char **av)
{
- int i, opt, exit_status, cerr;
+ int i, opt, exit_status;
u_short fwd_port, fwd_host_port;
char sfwd_port[6], sfwd_host_port[6];
char *p, *cp, buf[256];
struct stat st;
struct passwd *pw;
int dummy;
- uid_t original_effective_uid;
extern int optind, optreset;
extern char *optarg;
* them when the port has been created (actually, when the connection
* has been made, as we may need to create the port several times).
*/
- temporarily_use_uid(pw);
+ PRIV_END;
/*
* Set our umask to something reasonable, as some files are created
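Review bot: `PRIV_END` replaces `temporarily_use_uid(pw)` here while the `#include "uidswap.h"` line is removed from the top of the file, and `original_effective_uid` has moved from a local in main() to a global. Neither the PRIV_START/PRIV_END definitions nor the assignment of `original_effective_uid` appears in this patch; confirm that the macros come from a header ssh.c still includes and that the global is set from geteuid() before this first PRIV_END, since an unassigned (zero) global would make the later `original_effective_uid == 0` test behave as if the client were running as root.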
"originating port will not be trusted.");
options.rhosts_authentication = 0;
}
- /*
- * If using rsh has been selected, exec it now (without trying
- * anything else). Note that we must release privileges first.
- */
- if (options.use_rsh) {
- /*
- * Restore our superuser privileges. This must be done
- * before permanently setting the uid.
- */
- restore_uid();
-
- /* Switch to the original uid permanently. */
- permanently_set_uid(pw);
-
- /* Execute rsh. */
- rsh_connect(host, options.user, &command);
- fatal("rsh_connect returned");
- }
- /* Restore our superuser privileges. */
- restore_uid();
-
/* Open a connection to the remote host. */
- cerr = ssh_connect(host, &hostaddr, options.port, IPv4or6,
+ if (ssh_connect(host, &hostaddr, options.port, IPv4or6,
options.connection_attempts,
- original_effective_uid != 0 || !options.use_privileged_port,
- pw, options.proxy_command);
+#ifdef HAVE_CYGWIN
+ options.use_privileged_port,
+#else
+ original_effective_uid == 0 && options.use_privileged_port,
+#endif
+ options.proxy_command) != 0)
+ exit(1);
/*
* If we successfully made the connection, load the host private key
* in case we will need it later for combined rsa-rhosts
* authentication. This must be done before releasing extra
* privileges, because the file is only readable by root.
+ * If we cannot access the private keys, load the public keys
+ * instead and try to execute the ssh-keysign helper instead.
*/
sensitive_data.nkeys = 0;
sensitive_data.keys = NULL;
- if (!cerr && (options.rhosts_rsa_authentication ||
- options.hostbased_authentication)) {
+ sensitive_data.external_keysign = 0;
+ if (options.rhosts_rsa_authentication ||
+ options.hostbased_authentication) {
sensitive_data.nkeys = 3;
sensitive_data.keys = xmalloc(sensitive_data.nkeys*sizeof(Key));
+
+ PRIV_START;
sensitive_data.keys[0] = key_load_private_type(KEY_RSA1,
_PATH_HOST_KEY_FILE, "", NULL);
sensitive_data.keys[1] = key_load_private_type(KEY_DSA,
_PATH_HOST_DSA_KEY_FILE, "", NULL);
sensitive_data.keys[2] = key_load_private_type(KEY_RSA,
_PATH_HOST_RSA_KEY_FILE, "", NULL);
+ PRIV_END;
+
+ if (sensitive_data.keys[0] == NULL &&
+ sensitive_data.keys[1] == NULL &&
+ sensitive_data.keys[2] == NULL) {
+ sensitive_data.keys[1] = key_load_public(
+ _PATH_HOST_DSA_KEY_FILE, NULL);
+ sensitive_data.keys[2] = key_load_public(
+ _PATH_HOST_RSA_KEY_FILE, NULL);
+ sensitive_data.external_keysign = 1;
+ }
}
/*
* Get rid of any extra privileges that we may have. We will no
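Review bot: the privileged-port argument to ssh_connect() has inverted meaning relative to the removed call: `original_effective_uid != 0 || !options.use_privileged_port` becomes `original_effective_uid == 0 && options.use_privileged_port`, so the matching change to the ssh_connect() parameter in sshconnect.c (not in this patch) must land together with this hunk or privileged ports will be requested exactly when they cannot be bound. The `#ifdef HAVE_CYGWIN` branch passes `options.use_privileged_port` without the euid test; a one-line comment saying why Cygwin skips it would help the next reader. In the host-key block, the fallback to `key_load_public()` is done only for the DSA and RSA keys and leaves `sensitive_data.keys[0]` NULL, which is right for ssh-keysign (protocol 2 only) but deserves a comment, and `external_keysign` is set to 1 even when both `key_load_public()` calls fail, so the consumer of `sensitive_data` must tolerate all three keys being NULL.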
* user's home directory if it happens to be on a NFS volume where
* root is mapped to nobody.
*/
-
- /*
- * Note that some legacy systems need to postpone the following call
- * to permanently_set_uid() until the private hostkey is destroyed
- * with RSA_free(). Otherwise the calling user could ptrace() the
- * process, read the private hostkey and impersonate the host.
- * OpenBSD does not allow ptracing of setuid processes.
- */
- permanently_set_uid(pw);
+ seteuid(original_real_uid);
+ setuid(original_real_uid);
/*
* Now that we are back to our own permissions, create ~/.ssh
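Review bot: the return values of `seteuid(original_real_uid)` and `setuid(original_real_uid)` are not checked; this is the point where the client permanently drops the privileges it used to read the host keys, so a failure should be fatal() rather than silently continuing with elevated privileges (the removed `permanently_set_uid(pw)` presumably did that check inside uidswap.c). The removed comment about legacy systems needing to postpone the uid drop until the private host key is destroyed still applies: `sensitive_data.keys` holds the private host keys past this setuid() and is only cleared after ssh_login() below, so on platforms that allow ptrace of a formerly setuid process the original concern remains. Keep the comment, or clear the private keys before dropping privileges when `external_keysign` is in use.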
if (mkdir(buf, 0700) < 0)
error("Could not create directory '%.200s'.", buf);
- /* Check if the connection failed, and try "rsh" if appropriate. */
- if (cerr) {
- if (!options.fallback_to_rsh)
- exit(1);
- if (options.port != 0)
- log("Secure connection to %.100s on port %hu refused; "
- "reverting to insecure method",
- host, options.port);
- else
- log("Secure connection to %.100s refused; "
- "reverting to insecure method.", host);
-
- rsh_connect(host, options.user, &command);
- fatal("rsh_connect returned");
- }
/* load options.identity_files */
load_public_identity_files();
signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
/* Log into the remote system. This never returns if the login fails. */
- ssh_login(sensitive_data.keys, sensitive_data.nkeys,
- host, (struct sockaddr *)&hostaddr, pw);
+ ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr, pw);
/* We no longer need the private host keys. Clear them now. */
if (sensitive_data.nkeys != 0) {
* XXX: "localhost" match to determine FamilyLocal
* is not perfect.
*/
- snprintf(line, sizeof line, "%.100s list unix:%s 2>"
+ snprintf(line, sizeof line, "%s list unix:%s 2>"
_PATH_DEVNULL, options.xauth_location, display+10);
else
- snprintf(line, sizeof line, "%.100s list %.200s 2>"
+ snprintf(line, sizeof line, "%s list %.200s 2>"
_PATH_DEVNULL, options.xauth_location, display);
debug2("x11_get_proto %s", line);
f = popen(line, "r");
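Review bot: dropping the `%.100s` precision on `options.xauth_location` is safe for memory because snprintf() bounds the write to `sizeof line`, but it changes what gets truncated on an overlong XAuthLocation: the tail of the command (`list unix:<display> 2>/dev/null`) is now cut off instead of the path, and the mangled string is then handed to popen(). Check the snprintf() return value against `sizeof line` and skip the popen() on truncation rather than executing a partial command line.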
debug("Sending subsystem: %.*s", len, (u_char *)buffer_ptr(&command));
channel_request_start(id, "subsystem", /*want reply*/ 1);
/* register callback for reply */
- /* XXX we asume that client_loop has already been called */
+ /* XXX we assume that client_loop has already been called */
dispatch_set(SSH2_MSG_CHANNEL_FAILURE, &client_subsystem_reply);
dispatch_set(SSH2_MSG_CHANNEL_SUCCESS, &client_subsystem_reply);
} else {
-/* $OpenBSD: ssh.h,v 1.69 2002/05/11 20:24:48 stevesk Exp $ */
+/* $OpenBSD: ssh.h,v 1.70 2002/06/03 12:04:07 deraadt Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
#define SSH_MAX_IDENTITY_FILES 100
/*
- * Major protocol version. Different version indicates major incompatiblity
+ * Major protocol version. Different version indicates major incompatibility
* that prevents communication.
*
* Minor protocol version. Different version indicates minor incompatibility
-# $OpenBSD: ssh_config,v 1.12 2002/01/16 17:55:33 stevesk Exp $
+# $OpenBSD: ssh_config,v 1.15 2002/06/20 20:03:34 stevesk Exp $
-# This is the ssh client system-wide configuration file. See ssh(1)
-# for more information. This file provides defaults for users, and
-# the values can be changed in per-user configuration files or on the
-# command line.
+# This is the ssh client system-wide configuration file. See
+# ssh_config(5) for more information. This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# Host *
# ForwardAgent no
# ForwardX11 no
-# RhostsAuthentication yes
-# RhostsRSAAuthentication yes
+# RhostsAuthentication no
+# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
-# FallBackToRsh no
-# UseRsh no
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking ask
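Review bot: the commented-out defaults now read `RhostsAuthentication no` and `RhostsRSAAuthentication no`, but the ssh.1 text removed earlier in this patch documents both keywords as defaulting to "yes" ("The default is .Dq yes" under each). Since this sample file is meant to mirror the compiled-in defaults, either readconf.c changed and the new ssh_config.5 must document the new default, or the sample misstates it; the three should agree before this goes in.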
--- /dev/null
+.\" -*- nroff -*-
+.\"
+.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
+.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+.\" All rights reserved
+.\"
+.\" As far as I am concerned, the code I have written for this software
+.\" can be used freely for any purpose. Any derived versions of this
+.\" software must be clearly marked as such, and if the derived work is
+.\" incompatible with the protocol description in the RFC file, it must be
+.\" called by a name other than "ssh" or "Secure Shell".
+.\"
+.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
+.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
+.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $OpenBSD: ssh_config.5,v 1.1 2002/06/20 19:56:07 stevesk Exp $
+.Dd September 25, 1999
+.Dt SSH_CONFIG 5
+.Os
+.Sh NAME
+.Nm ssh_config
+.Nd OpenSSH SSH client configuration files
+.Sh SYNOPSIS
+.Bl -tag -width Ds -compact
+.It Pa $HOME/.ssh/config
+.It Pa /etc/ssh/ssh_config
+.El
+.Sh DESCRIPTION
+.Nm ssh
+obtains configuration data from the following sources in
+the following order:
+command line options, user's configuration file
+.Pq Pa $HOME/.ssh/config ,
+and system-wide configuration file
+.Pq Pa /etc/ssh/ssh_config .
+.Pp
+For each parameter, the first obtained value
+will be used.
+The configuration files contain sections bracketed by
+.Dq Host
+specifications, and that section is only applied for hosts that
+match one of the patterns given in the specification.
+The matched host name is the one given on the command line.
+.Pp
+Since the first obtained value for each parameter is used, more
+host-specific declarations should be given near the beginning of the
+file, and general defaults at the end.
+.Pp
+The configuration file has the following format:
+.Pp
+Empty lines and lines starting with
+.Ql #
+are comments.
+.Pp
+Otherwise a line is of the format
+.Dq keyword arguments .
+Configuration options may be separated by whitespace or
+optional whitespace and exactly one
+.Ql = ;
+the latter format is useful to avoid the need to quote whitespace
+when specifying configuration options using the
+.Nm ssh ,
+.Nm scp
+and
+.Nm sftp
+.Fl o
+option.
+.Pp
+The possible
+keywords and their meanings are as follows (note that
+keywords are case-insensitive and arguments are case-sensitive):
+.Bl -tag -width Ds
+.It Cm Host
+Restricts the following declarations (up to the next
+.Cm Host
+keyword) to be only for those hosts that match one of the patterns
+given after the keyword.
+.Ql \&*
+and
+.Ql ?
+can be used as wildcards in the
+patterns.
+A single
+.Ql \&*
+as a pattern can be used to provide global
+defaults for all hosts.
+The host is the
+.Ar hostname
+argument given on the command line (i.e., the name is not converted to
+a canonicalized host name before matching).
+.It Cm AFSTokenPassing
+Specifies whether to pass AFS tokens to remote host.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+This option applies to protocol version 1 only.
+.It Cm BatchMode
+If set to
+.Dq yes ,
+passphrase/password querying will be disabled.
+This option is useful in scripts and other batch jobs where no user
+is present to supply the password.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm BindAddress
+Specify the interface to transmit from on machines with multiple
+interfaces or aliased addresses.
+Note that this option does not work if
+.Cm UsePrivilegedPort
+is set to
+.Dq yes .
+.It Cm ChallengeResponseAuthentication
+Specifies whether to use challenge response authentication.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq yes .
+.It Cm CheckHostIP
+If this flag is set to
+.Dq yes ,
+ssh will additionally check the host IP address in the
+.Pa known_hosts
+file.
+This allows ssh to detect if a host key changed due to DNS spoofing.
+If the option is set to
+.Dq no ,
+the check will not be executed.
+The default is
+.Dq yes .
+.It Cm Cipher
+Specifies the cipher to use for encrypting the session
+in protocol version 1.
+Currently,
+.Dq blowfish ,
+.Dq 3des ,
+and
+.Dq des
+are supported.
+.Ar des
+is only supported in the
+.Nm ssh
+client for interoperability with legacy protocol 1 implementations
+that do not support the
+.Ar 3des
+cipher. Its use is strongly discouraged due to cryptographic
+weaknesses.
+The default is
+.Dq 3des .
+.It Cm Ciphers
+Specifies the ciphers allowed for protocol version 2
+in order of preference.
+Multiple ciphers must be comma-separated.
+The default is
+.Pp
+.Bd -literal
+ ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
+ aes192-cbc,aes256-cbc''
+.Ed
+.It Cm ClearAllForwardings
+Specifies that all local, remote and dynamic port forwardings
+specified in the configuration files or on the command line be
+cleared. This option is primarily useful when used from the
+.Nm ssh
+command line to clear port forwardings set in
+configuration files, and is automatically set by
+.Xr scp 1
+and
+.Xr sftp 1 .
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm Compression
+Specifies whether to use compression.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm CompressionLevel
+Specifies the compression level to use if compression is enabled.
+The argument must be an integer from 1 (fast) to 9 (slow, best).
+The default level is 6, which is good for most applications.
+The meaning of the values is the same as in
+.Xr gzip 1 .
+Note that this option applies to protocol version 1 only.
+.It Cm ConnectionAttempts
+Specifies the number of tries (one per second) to make before exiting.
+The argument must be an integer.
+This may be useful in scripts if the connection sometimes fails.
+The default is 1.
+.It Cm DynamicForward
+Specifies that a TCP/IP port on the local machine be forwarded
+over the secure channel, and the application
+protocol is then used to determine where to connect to from the
+remote machine. The argument must be a port number.
+Currently the SOCKS4 protocol is supported, and
+.Nm ssh
+will act as a SOCKS4 server.
+Multiple forwardings may be specified, and
+additional forwardings can be given on the command line. Only
+the superuser can forward privileged ports.
+.It Cm EscapeChar
+Sets the escape character (default:
+.Ql ~ ) .
+The escape character can also
+be set on the command line.
+The argument should be a single character,
+.Ql ^
+followed by a letter, or
+.Dq none
+to disable the escape
+character entirely (making the connection transparent for binary
+data).
+.It Cm ForwardAgent
+Specifies whether the connection to the authentication agent (if any)
+will be forwarded to the remote machine.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm ForwardX11
+Specifies whether X11 connections will be automatically redirected
+over the secure channel and
+.Ev DISPLAY
+set.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm GatewayPorts
+Specifies whether remote hosts are allowed to connect to local
+forwarded ports.
+By default,
+.Nm ssh
+binds local port forwardings to the loopback address. This
+prevents other remote hosts from connecting to forwarded ports.
+.Cm GatewayPorts
+can be used to specify that
+.Nm ssh
+should bind local port forwardings to the wildcard address,
+thus allowing remote hosts to connect to forwarded ports.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm GlobalKnownHostsFile
+Specifies a file to use for the global
+host key database instead of
+.Pa /etc/ssh/ssh_known_hosts .
+.It Cm HostbasedAuthentication
+Specifies whether to try rhosts based authentication with public key
+authentication.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+This option applies to protocol version 2 only and
+is similar to
+.Cm RhostsRSAAuthentication .
+.It Cm HostKeyAlgorithms
+Specifies the protocol version 2 host key algorithms
+that the client wants to use in order of preference.
+The default for this option is:
+.Dq ssh-rsa,ssh-dss .
+.It Cm HostKeyAlias
+Specifies an alias that should be used instead of the
+real host name when looking up or saving the host key
+in the host key database files.
+This option is useful for tunneling ssh connections
+or for multiple servers running on a single host.
+.It Cm HostName
+Specifies the real host name to log into.
+This can be used to specify nicknames or abbreviations for hosts.
+Default is the name given on the command line.
+Numeric IP addresses are also permitted (both on the command line and in
+.Cm HostName
+specifications).
+.It Cm IdentityFile
+Specifies a file from which the user's RSA or DSA authentication identity
+is read. The default is
+.Pa $HOME/.ssh/identity
+for protocol version 1, and
+.Pa $HOME/.ssh/id_rsa
+and
+.Pa $HOME/.ssh/id_dsa
+for protocol version 2.
+Additionally, any identities represented by the authentication agent
+will be used for authentication.
+The file name may use the tilde
+syntax to refer to a user's home directory.
+It is possible to have
+multiple identity files specified in configuration files; all these
+identities will be tried in sequence.
+.It Cm KeepAlive
+Specifies whether the system should send TCP keepalive messages to the
+other side.
+If they are sent, death of the connection or crash of one
+of the machines will be properly noticed.
+However, this means that
+connections will die if the route is down temporarily, and some people
+find it annoying.
+.Pp
+The default is
+.Dq yes
+(to send keepalives), and the client will notice
+if the network goes down or the remote host dies.
+This is important in scripts, and many users want it too.
+.Pp
+To disable keepalives, the value should be set to
+.Dq no .
+.It Cm KerberosAuthentication
+Specifies whether Kerberos authentication will be used.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+.It Cm KerberosTgtPassing
+Specifies whether a Kerberos TGT will be forwarded to the server.
+This will only work if the Kerberos server is actually an AFS kaserver.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+.It Cm LocalForward
+Specifies that a TCP/IP port on the local machine be forwarded over
+the secure channel to the specified host and port from the remote machine.
+The first argument must be a port number, and the second must be
+.Ar host:port .
+IPv6 addresses can be specified with an alternative syntax:
+.Ar host/port .
+Multiple forwardings may be specified, and additional
+forwardings can be given on the command line.
+Only the superuser can forward privileged ports.
+.It Cm LogLevel
+Gives the verbosity level that is used when logging messages from
+.Nm ssh .
+The possible values are:
+QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
+The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2
+and DEBUG3 each specify higher levels of verbose output.
+.It Cm MACs
+Specifies the MAC (message authentication code) algorithms
+in order of preference.
+The MAC algorithm is used in protocol version 2
+for data integrity protection.
+Multiple algorithms must be comma-separated.
+The default is
+.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
+.It Cm NoHostAuthenticationForLocalhost
+This option can be used if the home directory is shared across machines.
+In this case localhost will refer to a different machine on each of
+the machines and the user will get many warnings about changed host keys.
+However, this option disables host authentication for localhost.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+The default is to check the host key for localhost.
+.It Cm NumberOfPasswordPrompts
+Specifies the number of password prompts before giving up.
+The argument to this keyword must be an integer.
+Default is 3.
+.It Cm PasswordAuthentication
+Specifies whether to use password authentication.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq yes .
+.It Cm Port
+Specifies the port number to connect on the remote host.
+Default is 22.
+.It Cm PreferredAuthentications
+Specifies the order in which the client should try protocol 2
+authentication methods. This allows a client to prefer one method (e.g.
+.Cm keyboard-interactive )
+over another method (e.g.
+.Cm password )
+The default for this option is:
+.Dq hostbased,publickey,keyboard-interactive,password .
+.It Cm Protocol
+Specifies the protocol versions
+.Nm ssh
+should support in order of preference.
+The possible values are
+.Dq 1
+and
+.Dq 2 .
+Multiple versions must be comma-separated.
+The default is
+.Dq 2,1 .
+This means that
+.Nm ssh
+tries version 2 and falls back to version 1
+if version 2 is not available.
+.It Cm ProxyCommand
+Specifies the command to use to connect to the server.
+The command
+string extends to the end of the line, and is executed with
+.Pa /bin/sh .
+In the command string,
+.Ql %h
+will be substituted by the host name to
+connect and
+.Ql %p
+by the port.
+The command can be basically anything,
+and should read from its standard input and write to its standard output.
+It should eventually connect an
+.Xr sshd 8
+server running on some machine, or execute
+.Ic sshd -i
+somewhere.
+Host key management will be done using the
+HostName of the host being connected (defaulting to the name typed by
+the user).
+Note that
+.Cm CheckHostIP
+is not available for connects with a proxy command.
+.Pp
+.It Cm PubkeyAuthentication
+Specifies whether to try public key authentication.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq yes .
+This option applies to protocol version 2 only.
+.It Cm RemoteForward
+Specifies that a TCP/IP port on the remote machine be forwarded over
+the secure channel to the specified host and port from the local machine.
+The first argument must be a port number, and the second must be
+.Ar host:port .
+IPv6 addresses can be specified with an alternative syntax:
+.Ar host/port .
+Multiple forwardings may be specified, and additional
+forwardings can be given on the command line.
+Only the superuser can forward privileged ports.
+.It Cm RhostsAuthentication
+Specifies whether to try rhosts based authentication.
+Note that this
+declaration only affects the client side and has no effect whatsoever
+on security.
+Most servers do not permit RhostsAuthentication because it
+is not secure (see
+.Cm RhostsRSAAuthentication ) .
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+This option applies to protocol version 1 only.
+.It Cm RhostsRSAAuthentication
+Specifies whether to try rhosts based authentication with RSA host
+authentication.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+This option applies to protocol version 1 only and requires
+.Nm ssh
+to be setuid root.
+.It Cm RSAAuthentication
+Specifies whether to try RSA authentication.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+RSA authentication will only be
+attempted if the identity file exists, or an authentication agent is
+running.
+The default is
+.Dq yes .
+Note that this option applies to protocol version 1 only.
+.It Cm SmartcardDevice
+Specifies which smartcard device to use. The argument to this keyword is
+the device
+.Nm ssh
+should use to communicate with a smartcard used for storing the user's
+private RSA key. By default, no device is specified and smartcard support
+is not activated.
+.It Cm StrictHostKeyChecking
+If this flag is set to
+.Dq yes ,
+.Nm ssh
+will never automatically add host keys to the
+.Pa $HOME/.ssh/known_hosts
+file, and refuses to connect to hosts whose host key has changed.
+This provides maximum protection against trojan horse attacks,
+however, can be annoying when the
+.Pa /etc/ssh/ssh_known_hosts
+file is poorly maintained, or connections to new hosts are
+frequently made.
+This option forces the user to manually
+add all new hosts.
+If this flag is set to
+.Dq no ,
+.Nm ssh
+will automatically add new host keys to the
+user known hosts files.
+If this flag is set to
+.Dq ask ,
+new host keys
+will be added to the user known host files only after the user
+has confirmed that is what they really want to do, and
+.Nm ssh
+will refuse to connect to hosts whose host key has changed.
+The host keys of
+known hosts will be verified automatically in all cases.
+The argument must be
+.Dq yes ,
+.Dq no
+or
+.Dq ask .
+The default is
+.Dq ask .
+.It Cm UsePrivilegedPort
+Specifies whether to use a privileged port for outgoing connections.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+Note that this option must be set to
+.Dq yes
+if
+.Cm RhostsAuthentication
+and
+.Cm RhostsRSAAuthentication
+authentications are needed with older servers.
+.It Cm User
+Specifies the user to log in as.
+This can be useful when a different user name is used on different machines.
+This saves the trouble of
+having to remember to give the user name on the command line.
+.It Cm UserKnownHostsFile
+Specifies a file to use for the user
+host key database instead of
+.Pa $HOME/.ssh/known_hosts .
+.It Cm XAuthLocation
+Specifies the location of the
+.Xr xauth 1
+program.
+The default is
+.Pa /usr/X11R6/bin/xauth .
+.El
+.Sh FILES
+.Bl -tag -width Ds
+.It Pa $HOME/.ssh/config
+This is the per-user configuration file.
+The format of this file is described above.
+This file is used by the
+.Nm ssh
+client.
+This file does not usually contain any sensitive information,
+but the recommended permissions are read/write for the user, and not
+accessible by others.
+.It Pa /etc/ssh/ssh_config
+Systemwide configuration file.
+This file provides defaults for those
+values that are not specified in the user's configuration file, and
+for those users who do not have a configuration file.
+This file must be world-readable.
+.El
+.Sh AUTHORS
+OpenSSH is a derivative of the original and free
+ssh 1.2.12 release by Tatu Ylonen.
+Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
+Theo de Raadt and Dug Song
+removed many bugs, re-added newer features and
+created OpenSSH.
+Markus Friedl contributed the support for SSH
+protocol versions 1.5 and 2.0.
+.Sh SEE ALSO
+.Xr ssh 1
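Review bot: the ForwardAgent entry documents only the yes/no argument and nothing about what forwarding gives away; it should state that anyone who can reach the agent socket on the remote host (root there, or a user able to bypass file permissions) can use the forwarded identities to authenticate as the user, so the option belongs only in Host blocks for hosts the user trusts. Two smaller wording points in the same file: in StrictHostKeyChecking, "This provides maximum protection against trojan horse attacks, however, can be annoying" needs "but" or a sentence break, and in PreferredAuthentications the sentence ending ".Cm password )" is missing its full stop before "The default for this option is:".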
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.119 2002/01/21 15:13:51 markus Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.125 2002/06/19 00:27:55 deraadt Exp $");
#include <openssl/bn.h>
char *client_version_string = NULL;
char *server_version_string = NULL;
+/* import */
extern Options options;
extern char *__progname;
+extern uid_t original_real_uid;
+extern uid_t original_effective_uid;
#ifndef INET6_ADDRSTRLEN /* for non IPv6 machines */
#define INET6_ADDRSTRLEN 46
#endif
static const char *
-sockaddr_ntop(struct sockaddr *sa)
+sockaddr_ntop(struct sockaddr *sa, socklen_t salen)
{
- void *addr;
- static char addrbuf[INET6_ADDRSTRLEN];
+ static char addrbuf[NI_MAXHOST];
- switch (sa->sa_family) {
- case AF_INET:
- addr = &((struct sockaddr_in *)sa)->sin_addr;
- break;
- case AF_INET6:
- addr = &((struct sockaddr_in6 *)sa)->sin6_addr;
- break;
- default:
- /* This case should be protected against elsewhere */
- abort(); /* XXX abort is bad -- do something else */
- }
- inet_ntop(sa->sa_family, addr, addrbuf, sizeof(addrbuf));
+ if (getnameinfo(sa, salen, addrbuf, sizeof(addrbuf), NULL, 0,
+ NI_NUMERICHOST) != 0)
+ fatal("sockaddr_ntop: getnameinfo NI_NUMERICHOST failed");
return addrbuf;
}
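Review bot: sockaddr_ntop() now calls fatal() when getnameinfo(NI_NUMERICHOST) fails, but its only caller in this file is the log() of a failed connect() in the address loop of ssh_connect(), so an odd ai_addr/ai_addrlen pair from getaddrinfo() turns a recoverable per-address failure into an abort of the whole client. Return a fixed placeholder such as "<unknown>" (or the gai_strerror() text) so the loop can continue with the next address. The static addrbuf is still shared between calls, which is fine for the single-threaded client but deserves a comment now that its size is NI_MAXHOST rather than INET6_ADDRSTRLEN.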
* Connect to the given ssh server using a proxy command.
*/
static int
-ssh_proxy_connect(const char *host, u_short port, struct passwd *pw,
- const char *proxy_command)
+ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
{
Buffer command;
const char *cp;
char *argv[10];
/* Child. Permanently give up superuser privileges. */
- permanently_set_uid(pw);
+ seteuid(original_real_uid);
+ setuid(original_real_uid);
/* Redirect stdin and stdout. */
close(pin[1]);
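Review bot: the child's privilege drop "seteuid(original_real_uid); setuid(original_real_uid);" replaces permanently_set_uid(pw) but checks neither return value, so a failed drop would exec the proxy command with the original effective uid. Because seteuid() runs first, setuid() is then called without the privileged effective uid, and on POSIX semantics it sets only the effective uid and leaves the saved set-user-id untouched, so the child could still seteuid() back to the original value. Call setuid() (or setresuid() where available) while still privileged, verify afterwards that getuid() and geteuid() both equal original_real_uid, and fatal() on any failure, as permanently_set_uid() did.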
* Creates a (possibly privileged) socket for use as the ssh connection.
*/
static int
-ssh_create_socket(struct passwd *pw, int privileged, int family)
+ssh_create_socket(int privileged, int family)
{
int sock, gaierr;
struct addrinfo hints, *res;
*/
if (privileged) {
int p = IPPORT_RESERVED - 1;
+ PRIV_START;
sock = rresvport_af(&p, family);
+ PRIV_END;
if (sock < 0)
error("rresvport: af=%d %.100s", family, strerror(errno));
else
debug("Allocated local port %d.", p);
return sock;
}
- /*
- * Just create an ordinary socket on arbitrary port. We use
- * the user's uid to create the socket.
- */
- temporarily_use_uid(pw);
sock = socket(family, SOCK_STREAM, 0);
if (sock < 0)
error("socket: %.100s", strerror(errno));
- restore_uid();
/* Bind the socket to an alternative local IP address */
if (options.bind_address == NULL)
/*
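Review bot: with temporarily_use_uid()/restore_uid() removed, the unprivileged branch creates the socket with whatever effective uid the process happens to have at this point; under the new PRIV_START/PRIV_END scheme that is original_real_uid only if every earlier PRIV_START was paired with a PRIV_END, so this function should check (or at least debug-log) that geteuid() == original_real_uid on entry instead of relying on it. In the privileged branch the PRIV_START/PRIV_END pair around rresvport_af() is correct, but since PRIV_END discards the seteuid() result, a failure there would leave the rest of this function and the caller running privileged without any message.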
* Opens a TCP/IP connection to the remote server on the given host.
* The address of the remote host will be returned in hostaddr.
- * If port is 0, the default port will be used. If anonymous is zero,
+ * If port is 0, the default port will be used. If needpriv is true,
* a privileged port will be allocated to make the connection.
- * This requires super-user privileges if anonymous is false.
+ * This requires super-user privileges if needpriv is true.
* Connection_attempts specifies the maximum number of tries (one per
* second). If proxy_command is non-NULL, it specifies the command (with %h
* and %p substituted for host and port, respectively) to use to contact
int
ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
u_short port, int family, int connection_attempts,
- int anonymous, struct passwd *pw, const char *proxy_command)
+ int needpriv, const char *proxy_command)
{
int gaierr;
int on = 1;
*/
int full_failure = 1;
- debug("ssh_connect: getuid %u geteuid %u anon %d",
- (u_int) getuid(), (u_int) geteuid(), anonymous);
+ debug("ssh_connect: needpriv %d", needpriv);
/* Get default port if port has not been set. */
if (port == 0) {
}
/* If a proxy command is given, connect using it. */
if (proxy_command != NULL)
- return ssh_proxy_connect(host, port, pw, proxy_command);
+ return ssh_proxy_connect(host, port, proxy_command);
/* No proxy command. */
host, ntop, strport);
/* Create a socket for connecting. */
- sock = ssh_create_socket(pw,
-#ifdef HAVE_CYGWIN
- !anonymous,
-#else
- !anonymous && geteuid() == 0,
-#endif
- ai->ai_family);
+ sock = ssh_create_socket(needpriv, ai->ai_family);
if (sock < 0)
/* Any error is already output */
continue;
- /* Connect to the host. We use the user's uid in the
- * hope that it will help with tcp_wrappers showing
- * the remote uid as root.
- */
- temporarily_use_uid(pw);
if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) {
/* Successful connection. */
memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen);
- restore_uid();
break;
} else {
if (errno == ECONNREFUSED)
full_failure = 0;
log("ssh: connect to address %s port %s: %s",
- sockaddr_ntop(ai->ai_addr), strport,
- strerror(errno));
- restore_uid();
+ sockaddr_ntop(ai->ai_addr, ai->ai_addrlen),
+ strport, strerror(errno));
/*
* Close the failed socket; there appear to
* be some problems when reusing a socket for
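Review bot: the old call passed "!anonymous && geteuid() == 0" (plain "!anonymous" on Cygwin), so a client without root privileges never asked for a reserved port; with "sock = ssh_create_socket(needpriv, ai->ai_family);" that decision moves entirely to the caller of ssh_connect(), and nothing in this hunk guards it, so a non-setuid ssh with UsePrivilegedPort or RhostsRSAAuthentication enabled will get an rresvport error() for every address tried and then fail to connect rather than falling back to an ordinary socket. Either keep the euid check where needpriv is computed or fall through to the unprivileged socket path when rresvport_af() fails with EACCES. The replacement debug line "debug("ssh_connect: needpriv %d", needpriv);" also drops getuid()/geteuid(), which were exactly the values needed to diagnose this case.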
len = strlen(msg);
snprintf(msg + len, sizeof(msg) - len,
"\nMatching host key in %s:%d",
- host_file, host_line);
+ host_file, host_line);
}
if (options.strict_host_key_checking == 1) {
log(msg);
* This function does not require super-user privileges.
*/
void
-ssh_login(Key **keys, int nkeys, const char *orighost,
+ssh_login(Sensitive *sensitive, const char *orighost,
struct sockaddr *hostaddr, struct passwd *pw)
{
char *host, *cp;
/* authenticate user */
if (compat20) {
ssh_kex2(host, hostaddr);
- ssh_userauth2(local_user, server_user, host, keys, nkeys);
+ ssh_userauth2(local_user, server_user, host, sensitive);
} else {
ssh_kex(host, hostaddr);
- ssh_userauth1(local_user, server_user, host, keys, nkeys);
+ ssh_userauth1(local_user, server_user, host, sensitive);
}
}
-/* $OpenBSD: sshconnect.h,v 1.13 2001/10/08 19:05:05 markus Exp $ */
+/* $OpenBSD: sshconnect.h,v 1.17 2002/06/19 00:27:55 deraadt Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
#ifndef SSHCONNECT_H
#define SSHCONNECT_H
+typedef struct Sensitive Sensitive;
+struct Sensitive {
+ Key **keys;
+ int nkeys;
+ int external_keysign;
+};
+
int
ssh_connect(const char *, struct sockaddr_storage *, u_short, int, int,
- int, struct passwd *, const char *);
+ int, const char *);
void
-ssh_login(Key **, int, const char *, struct sockaddr *, struct passwd *);
+ssh_login(Sensitive *, const char *, struct sockaddr *, struct passwd *);
int verify_host_key(char *, struct sockaddr *, Key *);
void ssh_kex(char *, struct sockaddr *);
void ssh_kex2(char *, struct sockaddr *);
-void ssh_userauth1(const char *, const char *, char *, Key **, int);
-void ssh_userauth2(const char *, const char *, char *, Key **, int);
+void ssh_userauth1(const char *, const char *, char *, Sensitive *);
+void ssh_userauth2(const char *, const char *, char *, Sensitive *);
void ssh_put_password(char *);
+
+/*
+ * Macros to raise/lower permissions.
+ */
+#define PRIV_START do { \
+ int save_errno = errno; \
+ (void)seteuid(original_effective_uid); \
+ errno = save_errno; \
+} while (0)
+
+#define PRIV_END do { \
+ int save_errno = errno; \
+ (void)seteuid(original_real_uid); \
+ errno = save_errno; \
+} while (0)
+
#endif
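Review bot: PRIV_START and PRIV_END cast away the seteuid() return value, so a failed PRIV_END leaves the process running as original_effective_uid and every later "unprivileged" step (socket creation, the proxy command, the ssh-keysign fork) silently inherits that; PRIV_END should at least fatal() when seteuid(original_real_uid) fails, and both macros should be documented as requiring that the two uid variables were initialised before first use. A header-hygiene point: the macros use errno, original_effective_uid and original_real_uid, but sshconnect.h neither includes <errno.h> nor declares the two extern uid_t variables (they are declared in sshconnect.c), so any other translation unit that uses PRIV_START must repeat the externs itself.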
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.50 2002/04/21 16:25:06 stevesk Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.51 2002/05/23 19:24:30 markus Exp $");
#include <openssl/bn.h>
#include <openssl/md5.h>
*/
void
ssh_userauth1(const char *local_user, const char *server_user, char *host,
- Key **keys, int nkeys)
+ Sensitive *sensitive)
{
#ifdef KRB5
krb5_context context = NULL;
*/
if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) &&
options.rhosts_rsa_authentication) {
- for (i = 0; i < nkeys; i++) {
- if (keys[i] != NULL && keys[i]->type == KEY_RSA1 &&
- try_rhosts_rsa_authentication(local_user, keys[i]))
+ for (i = 0; i < sensitive->nkeys; i++) {
+ if (sensitive->keys[i] != NULL &&
+ sensitive->keys[i]->type == KEY_RSA1 &&
+ try_rhosts_rsa_authentication(local_user,
+ sensitive->keys[i]))
goto success;
}
}
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.99 2002/03/26 15:58:46 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.104 2002/06/19 00:27:55 deraadt Exp $");
#include "ssh.h"
#include "ssh2.h"
#include "match.h"
#include "dispatch.h"
#include "canohost.h"
+#include "msg.h"
+#include "pathnames.h"
/* import */
extern char *client_version_string;
int last_key_hint;
AuthenticationConnection *agent;
/* hostbased */
- Key **keys;
- int nkeys;
+ Sensitive *sensitive;
/* kbd-interactive */
int info_req_seen;
};
void
ssh_userauth2(const char *local_user, const char *server_user, char *host,
- Key **keys, int nkeys)
+ Sensitive *sensitive)
{
Authctxt authctxt;
int type;
authctxt.success = 0;
authctxt.method = authmethod_lookup("none");
authctxt.authlist = NULL;
- authctxt.keys = keys;
- authctxt.nkeys = nkeys;
+ authctxt.sensitive = sensitive;
authctxt.info_req_seen = 0;
if (authctxt.method == NULL)
fatal("ssh_userauth2: internal error: cannot send userauth none request");
if (key->type != pktype) {
error("input_userauth_pk_ok: type mismatch "
"for decoded key (received %d, expected %d)",
- key->type, pktype);
+ key->type, pktype);
break;
}
fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
packet_add_padding(64);
packet_send();
- dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ,
+ dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ,
&input_userauth_passwd_changereq);
return 1;
packet_put_cstring(authctxt->service);
packet_put_cstring(authctxt->method->name);
packet_put_char(1); /* additional info */
- snprintf(prompt, sizeof(prompt),
+ snprintf(prompt, sizeof(prompt),
"Enter %.30s@%.128s's old password: ",
authctxt->server_user, authctxt->host);
password = read_passphrase(prompt, 0);
xfree(password);
password = NULL;
while (password == NULL) {
- snprintf(prompt, sizeof(prompt),
+ snprintf(prompt, sizeof(prompt),
"Enter %.30s@%.128s's new password: ",
authctxt->server_user, authctxt->host);
password = read_passphrase(prompt, RP_ALLOW_EOF);
/* bail out */
return;
}
- snprintf(prompt, sizeof(prompt),
+ snprintf(prompt, sizeof(prompt),
"Retype %.30s@%.128s's new password: ",
authctxt->server_user, authctxt->host);
retype = read_passphrase(prompt, 0);
xfree(password);
packet_add_padding(64);
packet_send();
-
- dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ,
+
+ dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ,
&input_userauth_passwd_changereq);
}
packet_send();
}
-/*
- * this will be move to an external program (ssh-keysign) ASAP. ssh-keysign
- * will be setuid-root and the sbit can be removed from /usr/bin/ssh.
- */
+static int
+ssh_keysign(
+ Key *key,
+ u_char **sigp, u_int *lenp,
+ u_char *data, u_int datalen)
+{
+ Buffer b;
+ struct stat st;
+ pid_t pid;
+ int to[2], from[2], status, version = 2;
+
+ debug("ssh_keysign called");
+
+ if (stat(_PATH_SSH_KEY_SIGN, &st) < 0) {
+ error("ssh_keysign: no installed: %s", strerror(errno));
+ return -1;
+ }
+ if (fflush(stdout) != 0)
+ error("ssh_keysign: fflush: %s", strerror(errno));
+ if (pipe(to) < 0) {
+ error("ssh_keysign: pipe: %s", strerror(errno));
+ return -1;
+ }
+ if (pipe(from) < 0) {
+ error("ssh_keysign: pipe: %s", strerror(errno));
+ return -1;
+ }
+ if ((pid = fork()) < 0) {
+ error("ssh_keysign: fork: %s", strerror(errno));
+ return -1;
+ }
+ if (pid == 0) {
+ seteuid(getuid());
+ setuid(getuid());
+ close(from[0]);
+ if (dup2(from[1], STDOUT_FILENO) < 0)
+ fatal("ssh_keysign: dup2: %s", strerror(errno));
+ close(to[1]);
+ if (dup2(to[0], STDIN_FILENO) < 0)
+ fatal("ssh_keysign: dup2: %s", strerror(errno));
+ close(from[1]);
+ close(to[0]);
+ execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *) 0);
+ fatal("ssh_keysign: exec(%s): %s", _PATH_SSH_KEY_SIGN,
+ strerror(errno));
+ }
+ close(from[1]);
+ close(to[0]);
+
+ buffer_init(&b);
+ buffer_put_int(&b, packet_get_connection_in()); /* send # of socket */
+ buffer_put_string(&b, data, datalen);
+ msg_send(to[1], version, &b);
+
+ if (msg_recv(from[0], &b) < 0) {
+ error("ssh_keysign: no reply");
+ buffer_clear(&b);
+ return -1;
+ }
+ close(from[0]);
+ close(to[1]);
+
+ while (waitpid(pid, &status, 0) < 0)
+ if (errno != EINTR)
+ break;
+
+ if (buffer_get_char(&b) != version) {
+ error("ssh_keysign: bad version");
+ buffer_clear(&b);
+ return -1;
+ }
+ *sigp = buffer_get_string(&b, lenp);
+ buffer_clear(&b);
+
+ return 0;
+}
+
int
userauth_hostbased(Authctxt *authctxt)
{
Key *private = NULL;
+ Sensitive *sensitive = authctxt->sensitive;
Buffer b;
u_char *signature, *blob;
char *chost, *pkalg, *p;
int ok, i, len, found = 0;
/* check for a useful key */
- for (i = 0; i < authctxt->nkeys; i++) {
- private = authctxt->keys[i];
+ for (i = 0; i < sensitive->nkeys; i++) {
+ private = sensitive->keys[i];
if (private && private->type != KEY_RSA1) {
found = 1;
/* we take and free the key */
- authctxt->keys[i] = NULL;
+ sensitive->keys[i] = NULL;
break;
}
}
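Review bot: ssh_keysign() leaks on its error paths: when msg_recv() fails it returns before close(from[0]), close(to[1]) and waitpid(), leaving an open pipe pair and a zombie ssh-keysign per failed attempt, and both that path and the bad-version path (and the success path) use buffer_clear() where buffer_free() is needed to release what buffer_init() allocated. Move the close()/waitpid() cleanup ahead of the msg_recv() check or into a common exit label, look at the status that waitpid() collects before trusting the reply, and fix the message "ssh_keysign: no installed" to "not installed". The "key" parameter is unused in the body and can be dropped from the prototype. The child's "seteuid(getuid()); setuid(getuid());" has the same unchecked, reversed-order drop as ssh_proxy_connect(): check both return values and fatal() on failure before execl().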
#ifdef DEBUG_PK
buffer_dump(&b);
#endif
- ok = key_sign(private, &signature, &slen, buffer_ptr(&b), buffer_len(&b));
+ if (sensitive->external_keysign)
+ ok = ssh_keysign(private, &signature, &slen,
+ buffer_ptr(&b), buffer_len(&b));
+ else
+ ok = key_sign(private, &signature, &slen,
+ buffer_ptr(&b), buffer_len(&b));
key_free(private);
buffer_free(&b);
if (ok != 0) {
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.181 2002/05/15 21:02:53 markus Exp $
+.\" $OpenBSD: sshd.8,v 1.184 2002/06/20 19:56:07 stevesk Exp $
.Dd September 25, 1999
.Dt SSHD 8
.Os
(or the file specified with
.Fl f
on the command line).
-The file contains keyword-argument pairs, one per line.
-Lines starting with
-.Ql #
-and empty lines are interpreted as comments.
-.Pp
-The possible
-keywords and their meanings are as follows (note that
-keywords are case-insensitive and arguments are case-sensitive):
-.Bl -tag -width Ds
-.It Cm AFSTokenPassing
-Specifies whether an AFS token may be forwarded to the server.
-Default is
-.Dq no .
-.It Cm AllowGroups
-This keyword can be followed by a list of group name patterns, separated
-by spaces.
-If specified, login is allowed only for users whose primary
-group or supplementary group list matches one of the patterns.
-.Ql \&*
-and
-.Ql ?
-can be used as
-wildcards in the patterns.
-Only group names are valid; a numerical group ID is not recognized.
-By default, login is allowed for all groups.
-.Pp
-.It Cm AllowTcpForwarding
-Specifies whether TCP forwarding is permitted.
-The default is
-.Dq yes .
-Note that disabling TCP forwarding does not improve security unless
-users are also denied shell access, as they can always install their
-own forwarders.
-.Pp
-.It Cm AllowUsers
-This keyword can be followed by a list of user name patterns, separated
-by spaces.
-If specified, login is allowed only for users names that
-match one of the patterns.
-.Ql \&*
-and
-.Ql ?
-can be used as
-wildcards in the patterns.
-Only user names are valid; a numerical user ID is not recognized.
-By default, login is allowed for all users.
-If the pattern takes the form USER@HOST then USER and HOST
-are separately checked, restricting logins to particular
-users from particular hosts.
-.Pp
-.It Cm AuthorizedKeysFile
-Specifies the file that contains the public keys that can be used
-for user authentication.
-.Cm AuthorizedKeysFile
-may contain tokens of the form %T which are substituted during connection
-set-up. The following tokens are defined: %% is replaced by a literal '%',
-%h is replaced by the home directory of the user being authenticated and
-%u is replaced by the username of that user.
-After expansion,
-.Cm AuthorizedKeysFile
-is taken to be an absolute path or one relative to the user's home
-directory.
-The default is
-.Dq .ssh/authorized_keys .
-.It Cm Banner
-In some jurisdictions, sending a warning message before authentication
-may be relevant for getting legal protection.
-The contents of the specified file are sent to the remote user before
-authentication is allowed.
-This option is only available for protocol version 2.
-By default, no banner is displayed.
-.Pp
-.It Cm ChallengeResponseAuthentication
-Specifies whether challenge response authentication is allowed.
-All authentication styles from
-.Xr login.conf 5
-are supported.
-The default is
-.Dq yes .
-.It Cm Ciphers
-Specifies the ciphers allowed for protocol version 2.
-Multiple ciphers must be comma-separated.
-The default is
-.Pp
-.Bd -literal
- ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
- aes192-cbc,aes256-cbc''
-.Ed
-.It Cm ClientAliveInterval
-Sets a timeout interval in seconds after which if no data has been received
-from the client,
-.Nm
-will send a message through the encrypted
-channel to request a response from the client.
-The default
-is 0, indicating that these messages will not be sent to the client.
-This option applies to protocol version 2 only.
-.It Cm ClientAliveCountMax
-Sets the number of client alive messages (see above) which may be
-sent without
-.Nm
-receiving any messages back from the client. If this threshold is
-reached while client alive messages are being sent,
-.Nm
-will disconnect the client, terminating the session. It is important
-to note that the use of client alive messages is very different from
-.Cm KeepAlive
-(below). The client alive messages are sent through the
-encrypted channel and therefore will not be spoofable. The TCP keepalive
-option enabled by
-.Cm KeepAlive
-is spoofable. The client alive mechanism is valuable when the client or
-server depend on knowing when a connection has become inactive.
-.Pp
-The default value is 3. If
-.Cm ClientAliveInterval
-(above) is set to 15, and
-.Cm ClientAliveCountMax
-is left at the default, unresponsive ssh clients
-will be disconnected after approximately 45 seconds.
-.It Cm DenyGroups
-This keyword can be followed by a list of group name patterns, separated
-by spaces.
-Login is disallowed for users whose primary group or supplementary
-group list matches one of the patterns.
-.Ql \&*
-and
-.Ql ?
-can be used as
-wildcards in the patterns.
-Only group names are valid; a numerical group ID is not recognized.
-By default, login is allowed for all groups.
-.Pp
-.It Cm DenyUsers
-This keyword can be followed by a list of user name patterns, separated
-by spaces.
-Login is disallowed for user names that match one of the patterns.
-.Ql \&*
-and
-.Ql ?
-can be used as wildcards in the patterns.
-Only user names are valid; a numerical user ID is not recognized.
-By default, login is allowed for all users.
-If the pattern takes the form USER@HOST then USER and HOST
-are separately checked, restricting logins to particular
-users from particular hosts.
-.It Cm GatewayPorts
-Specifies whether remote hosts are allowed to connect to ports
-forwarded for the client.
-By default,
-.Nm
-binds remote port forwardings to the loopback addresss. This
-prevents other remote hosts from connecting to forwarded ports.
-.Cm GatewayPorts
-can be used to specify that
-.Nm
-should bind remote port forwardings to the wildcard address,
-thus allowing remote hosts to connect to forwarded ports.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-.It Cm HostbasedAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together
-with successful public key client host authentication is allowed
-(hostbased authentication).
-This option is similar to
-.Cm RhostsRSAAuthentication
-and applies to protocol version 2 only.
-The default is
-.Dq no .
-.It Cm HostKey
-Specifies a file containing a private host key
-used by SSH.
-The default is
-.Pa /etc/ssh/ssh_host_key
-for protocol version 1, and
-.Pa /etc/ssh/ssh_host_rsa_key
-and
-.Pa /etc/ssh/ssh_host_dsa_key
-for protocol version 2.
-Note that
-.Nm
-will refuse to use a file if it is group/world-accessible.
-It is possible to have multiple host key files.
-.Dq rsa1
-keys are used for version 1 and
-.Dq dsa
-or
-.Dq rsa
-are used for version 2 of the SSH protocol.
-.It Cm IgnoreRhosts
-Specifies that
-.Pa .rhosts
-and
-.Pa .shosts
-files will not be used in
-.Cm RhostsAuthentication ,
-.Cm RhostsRSAAuthentication
-or
-.Cm HostbasedAuthentication .
-.Pp
-.Pa /etc/hosts.equiv
-and
-.Pa /etc/shosts.equiv
-are still used.
-The default is
-.Dq yes .
-.It Cm IgnoreUserKnownHosts
-Specifies whether
-.Nm
-should ignore the user's
-.Pa $HOME/.ssh/known_hosts
-during
-.Cm RhostsRSAAuthentication
-or
-.Cm HostbasedAuthentication .
-The default is
-.Dq no .
-.It Cm KeepAlive
-Specifies whether the system should send TCP keepalive messages to the
-other side.
-If they are sent, death of the connection or crash of one
-of the machines will be properly noticed.
-However, this means that
-connections will die if the route is down temporarily, and some people
-find it annoying.
-On the other hand, if keepalives are not sent,
-sessions may hang indefinitely on the server, leaving
-.Dq ghost
-users and consuming server resources.
-.Pp
-The default is
-.Dq yes
-(to send keepalives), and the server will notice
-if the network goes down or the client host crashes.
-This avoids infinitely hanging sessions.
-.Pp
-To disable keepalives, the value should be set to
-.Dq no .
-.It Cm KerberosAuthentication
-Specifies whether Kerberos authentication is allowed.
-This can be in the form of a Kerberos ticket, or if
-.Cm PasswordAuthentication
-is yes, the password provided by the user will be validated through
-the Kerberos KDC.
-To use this option, the server needs a
-Kerberos servtab which allows the verification of the KDC's identity.
-Default is
-.Dq no .
-.It Cm KerberosOrLocalPasswd
-If set then if password authentication through Kerberos fails then
-the password will be validated via any additional local mechanism
-such as
-.Pa /etc/passwd .
-Default is
-.Dq yes .
-.It Cm KerberosTgtPassing
-Specifies whether a Kerberos TGT may be forwarded to the server.
-Default is
-.Dq no ,
-as this only works when the Kerberos KDC is actually an AFS kaserver.
-.It Cm KerberosTicketCleanup
-Specifies whether to automatically destroy the user's ticket cache
-file on logout.
-Default is
-.Dq yes .
-.It Cm KeyRegenerationInterval
-In protocol version 1, the ephemeral server key is automatically regenerated
-after this many seconds (if it has been used).
-The purpose of regeneration is to prevent
-decrypting captured sessions by later breaking into the machine and
-stealing the keys.
-The key is never stored anywhere.
-If the value is 0, the key is never regenerated.
-The default is 3600 (seconds).
-.It Cm ListenAddress
-Specifies the local addresses
-.Nm
-should listen on.
-The following forms may be used:
-.Pp
-.Bl -item -offset indent -compact
-.It
-.Cm ListenAddress
-.Sm off
-.Ar host No | Ar IPv4_addr No | Ar IPv6_addr
-.Sm on
-.It
-.Cm ListenAddress
-.Sm off
-.Ar host No | Ar IPv4_addr No : Ar port
-.Sm on
-.It
-.Cm ListenAddress
-.Sm off
-.Oo
-.Ar host No | Ar IPv6_addr Oc : Ar port
-.Sm on
-.El
-.Pp
-If
-.Ar port
-is not specified,
-.Nm
-will listen on the address and all prior
-.Cm Port
-options specified. The default is to listen on all local
-addresses. Multiple
-.Cm ListenAddress
-options are permitted. Additionally, any
-.Cm Port
-options must precede this option for non port qualified addresses.
-.It Cm LoginGraceTime
-The server disconnects after this time if the user has not
-successfully logged in.
-If the value is 0, there is no time limit.
-The default is 600 (seconds).
-.It Cm LogLevel
-Gives the verbosity level that is used when logging messages from
-.Nm sshd .
-The possible values are:
-QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
-The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2
-and DEBUG3 each specify higher levels of debugging output.
-Logging with a DEBUG level violates the privacy of users
-and is not recommended.
-.It Cm MACs
-Specifies the available MAC (message authentication code) algorithms.
-The MAC algorithm is used in protocol version 2
-for data integrity protection.
-Multiple algorithms must be comma-separated.
-The default is
-.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
-.It Cm MaxStartups
-Specifies the maximum number of concurrent unauthenticated connections to the
-.Nm
-daemon.
-Additional connections will be dropped until authentication succeeds or the
-.Cm LoginGraceTime
-expires for a connection.
-The default is 10.
-.Pp
-Alternatively, random early drop can be enabled by specifying
-the three colon separated values
-.Dq start:rate:full
-(e.g., "10:30:60").
-.Nm
-will refuse connection attempts with a probability of
-.Dq rate/100
-(30%)
-if there are currently
-.Dq start
-(10)
-unauthenticated connections.
-The probability increases linearly and all connection attempts
-are refused if the number of unauthenticated connections reaches
-.Dq full
-(60).
-.It Cm PAMAuthenticationViaKbdInt
-Specifies whether PAM challenge response authentication is allowed. This
-allows the use of most PAM challenge response authentication modules, but
-it will allow password authentication regardless of whether
-.Cm PasswordAuthentication
-is disabled.
-The default is
-.Dq no .
-.It Cm PasswordAuthentication
-Specifies whether password authentication is allowed.
-The default is
-.Dq yes .
-.It Cm PermitEmptyPasswords
-When password authentication is allowed, it specifies whether the
-server allows login to accounts with empty password strings.
-The default is
-.Dq no .
-.It Cm PermitRootLogin
-Specifies whether root can login using
-.Xr ssh 1 .
-The argument must be
-.Dq yes ,
-.Dq without-password ,
-.Dq forced-commands-only
-or
-.Dq no .
-The default is
-.Dq yes .
-.Pp
-If this option is set to
-.Dq without-password
-password authentication is disabled for root.
-.Pp
-If this option is set to
-.Dq forced-commands-only
-root login with public key authentication will be allowed,
-but only if the
-.Ar command
-option has been specified
-(which may be useful for taking remote backups even if root login is
-normally not allowed). All other authentication methods are disabled
-for root.
-.Pp
-If this option is set to
-.Dq no
-root is not allowed to login.
-.It Cm PidFile
-Specifies the file that contains the process identifier of the
-.Nm
-daemon.
-The default is
-.Pa /var/run/sshd.pid .
-.It Cm Port
-Specifies the port number that
-.Nm
-listens on.
-The default is 22.
-Multiple options of this type are permitted.
-See also
-.Cm ListenAddress .
-.It Cm PrintLastLog
-Specifies whether
-.Nm
-should print the date and time when the user last logged in.
-The default is
-.Dq yes .
-.It Cm PrintMotd
-Specifies whether
-.Nm
-should print
-.Pa /etc/motd
-when a user logs in interactively.
-(On some systems it is also printed by the shell,
-.Pa /etc/profile ,
-or equivalent.)
-The default is
-.Dq yes .
-.It Cm Protocol
-Specifies the protocol versions
-.Nm
-should support.
-The possible values are
-.Dq 1
-and
-.Dq 2 .
-Multiple versions must be comma-separated.
-The default is
-.Dq 2,1 .
-.It Cm PubkeyAuthentication
-Specifies whether public key authentication is allowed.
-The default is
-.Dq yes .
-Note that this option applies to protocol version 2 only.
-.It Cm RhostsAuthentication
-Specifies whether authentication using rhosts or /etc/hosts.equiv
-files is sufficient.
-Normally, this method should not be permitted because it is insecure.
-.Cm RhostsRSAAuthentication
-should be used
-instead, because it performs RSA-based host authentication in addition
-to normal rhosts or /etc/hosts.equiv authentication.
-The default is
-.Dq no .
-This option applies to protocol version 1 only.
-.It Cm RhostsRSAAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together
-with successful RSA host authentication is allowed.
-The default is
-.Dq no .
-This option applies to protocol version 1 only.
-.It Cm RSAAuthentication
-Specifies whether pure RSA authentication is allowed.
-The default is
-.Dq yes .
-This option applies to protocol version 1 only.
-.It Cm ServerKeyBits
-Defines the number of bits in the ephemeral protocol version 1 server key.
-The minimum value is 512, and the default is 768.
-.It Cm StrictModes
-Specifies whether
-.Nm
-should check file modes and ownership of the
-user's files and home directory before accepting login.
-This is normally desirable because novices sometimes accidentally leave their
-directory or files world-writable.
-The default is
-.Dq yes .
-.It Cm Subsystem
-Configures an external subsystem (e.g., file transfer daemon).
-Arguments should be a subsystem name and a command to execute upon subsystem
-request.
-The command
-.Xr sftp-server 8
-implements the
-.Dq sftp
-file transfer subsystem.
-By default no subsystems are defined.
-Note that this option applies to protocol version 2 only.
-.It Cm SyslogFacility
-Gives the facility code that is used when logging messages from
-.Nm sshd .
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
-LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
-The default is AUTH.
-.It Cm UseLogin
-Specifies whether
-.Xr login 1
-is used for interactive login sessions.
-The default is
-.Dq no .
-Note that
-.Xr login 1
-is never used for remote command execution.
-Note also, that if this is enabled,
-.Cm X11Forwarding
-will be disabled because
-.Xr login 1
-does not know how to handle
-.Xr xauth 1
-cookies. If
-.Cm UsePrivilegeSeparation
-is specified, it will be disabled after authentication.
-.It Cm UsePrivilegeSeparation
-Specifies whether
-.Nm
-separated privileges by creating an unprivileged child process
-to deal with incoming network traffic. After successful authentication,
-another process will be created that has the privilege of the authenticated
-user. The goal of privilege separation is to prevent privilege
-escalation by containing any corruption within the unprivileged processes.
-The default is
-.Dq no .
-.It Cm VerifyReverseMapping
-Specifies whether
-.Nm
-should try to verify the remote host name and check that
-the resolved host name for the remote IP address maps back to the
-very same IP address.
-The default is
-.Dq no .
-.It Cm X11DisplayOffset
-Specifies the first display number available for
-.Nm sshd Ns 's
-X11 forwarding.
-This prevents
-.Nm
-from interfering with real X11 servers.
-The default is 10.
-.It Cm X11Forwarding
-Specifies whether X11 forwarding is permitted.
-The default is
-.Dq no .
-Note that disabling X11 forwarding does not improve security in any
-way, as users can always install their own forwarders.
-X11 forwarding is automatically disabled if
-.Cm UseLogin
-is enabled.
-.It Cm X11UseLocalhost
-Specifies whether
-.Nm
-should bind the X11 forwarding server to the loopback address or to
-the wildcard address. By default,
-.Nm
-binds the forwarding server to the loopback address and sets the
-hostname part of the
-.Ev DISPLAY
-environment variable to
-.Dq localhost .
-This prevents remote hosts from connecting to the fake display.
-However, some older X11 clients may not function with this
-configuration.
-.Cm X11UseLocalhost
-may be set to
-.Dq no
-to specify that the forwarding server should be bound to the wildcard
-address.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq yes .
-.It Cm XAuthLocation
-Specifies the location of the
-.Xr xauth 1
-program.
-The default is
-.Pa /usr/X11R6/bin/xauth .
-.El
-.Ss Time Formats
-.Pp
-.Nm
-command-line arguments and configuration file options that specify time
-may be expressed using a sequence of the form:
-.Sm off
-.Ar time Oo Ar qualifier Oc ,
-.Sm on
-where
-.Ar time
-is a positive integer value and
-.Ar qualifier
-is one of the following:
-.Pp
-.Bl -tag -width Ds -compact -offset indent
-.It Cm <none>
-seconds
-.It Cm s | Cm S
-seconds
-.It Cm m | Cm M
-minutes
-.It Cm h | Cm H
-hours
-.It Cm d | Cm D
-days
-.It Cm w | Cm W
-weeks
-.El
-.Pp
-Each member of the sequence is added together to calculate
-the total time value.
-.Pp
-Time format examples:
-.Pp
-.Bl -tag -width Ds -compact -offset indent
-.It 600
-600 seconds (10 minutes)
-.It 10m
-10 minutes
-.It 1h30m
-1 hour 30 minutes (90 minutes)
-.El
+The file format and configuration options are described in
+.Xr sshd_config 5 .
.Sh LOGIN PROCESS
When a user successfully logs in,
.Nm
.It Pa /etc/ssh/sshd_config
Contains configuration data for
.Nm sshd .
-This file should be writable by root only, but it is recommended
-(though not necessary) that it be world-readable.
+The file format and configuration options are described in
+.Xr sshd_config 5 .
.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
These three files contain the private parts of the host keys.
These files should only be owned by root, readable only by root, and not
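Review bot: the sentence being removed here ("This file should be writable by root only, but it is recommended (though not necessary) that it be world-readable.") is the only ownership/mode guidance sshd.8 gave for sshd_config, and the DESCRIPTION of the new sshd_config.5 in this same diff does not carry it; replacing it with a bare pointer to sshd_config(5) drops a security-relevant statement. Keep the permissions sentence in the FILES entry, or add it to the new page's DESCRIPTION, so readers still learn that the file must not be writable by anyone but root.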
.Xr ssh-keygen 1 ,
.Xr login.conf 5 ,
.Xr moduli 5 ,
+.Xr sshd_config 5 ,
.Xr sftp-server 8
.Rs
.%A T. Ylonen
*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.242 2002/05/15 15:47:49 mouring Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.246 2002/06/20 23:05:56 markus Exp $");
#include <openssl/dh.h>
#include <openssl/bn.h>
fatal_cleanup();
}
- /* Read other side's version identification. */
+ /* Read other sides version identification. */
memset(buf, 0, sizeof(buf));
for (i = 0; i < sizeof(buf) - 1; i++) {
if (atomicio(read, sock_in, &buf[i], 1) != 1) {
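Review bot: the comment edit from `Read other side's version identification.` to `Read other sides version identification.` removes a correct possessive apostrophe; the original wording was right and this reads like an accidental revert picked up during the sync, so keep `other side's`.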
if (pid == -1) {
fatal("fork of unprivileged child failed");
} else if (pid != 0) {
- debug2("Network child is on pid %d", pid);
+ debug2("Network child is on pid %ld", (long)pid);
close(pmonitor->m_recvfd);
authctxt = monitor_child_preauth(pmonitor);
if (pmonitor->m_pid == -1)
fatal("fork of unprivileged child failed");
else if (pmonitor->m_pid != 0) {
- debug2("User child is on pid %d", pmonitor->m_pid);
+ debug2("User child is on pid %ld", (long)pmonitor->m_pid);
close(pmonitor->m_recvfd);
monitor_child_postauth(pmonitor);
}
}
+ if (use_privsep) {
+ struct passwd *pw;
+ struct stat st;
+
+ if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL)
+ fatal("Privilege separation user %s does not exist",
+ SSH_PRIVSEP_USER);
+ if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) ||
+ (S_ISDIR(st.st_mode) == 0))
+ fatal("Missing privilege separation directory: %s",
+ _PATH_PRIVSEP_CHROOT_DIR);
+ }
+
/* Configuration looks good, so exit if in test mode. */
if (test_flag)
exit(0);
-#ifndef HAVE_CYGWIN
/*
* Clear out any supplemental groups we may have inherited. This
* prevents inadvertent creation of files with bad modes (in the
*/
if (setgroups(0, NULL) < 0)
debug("setgroups() failed: %.200s", strerror(errno));
-#endif /* !HAVE_CYGWIN */
/* Initialize the log (it is reinitialized below in case we forked). */
if (debug_flag && !inetd_flag)
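Review bot: the new privilege-separation sanity check only confirms that `_PATH_PRIVSEP_CHROOT_DIR` exists and `S_ISDIR(st.st_mode)` holds; since the unprivileged child is confined to that directory, the check should also verify the `struct stat` result shows root ownership and no group/world write bits (the same standard the man page text above applies to HostKey files), because a writable chroot target weakens the containment the option is meant to give. Placing the check before the `test_flag` exit is the right call, as `sshd -t` now reports a missing privsep user or directory. Dropping the `HAVE_CYGWIN` guard around `setgroups()` is fine here because a failure is only logged at debug level and does not abort startup.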
*/
f = fopen(options.pid_file, "wb");
if (f) {
- fprintf(f, "%u\n", (u_int) getpid());
+ fprintf(f, "%ld\n", (long) getpid());
fclose(f);
}
}
if (pid < 0)
error("fork: %.100s", strerror(errno));
else
- debug("Forked child %d.", pid);
+ debug("Forked child %ld.", (long)pid);
close(startup_p[1]);
sshd_exchange_identification(sock_in, sock_out);
/*
* Check that the connection comes from a privileged port.
- * Rhosts-Authentication only makes sense from priviledged
+ * Rhosts-Authentication only makes sense from privileged
* programs. Of course, if the intruder has root access on his local
* machine, he can connect from any port. So do not use these
* authentication methods from machines that you do not trust.
debug("Received session key; encryption turned on.");
- /* Send an acknowledgement packet. Note that this packet is sent encrypted. */
+ /* Send an acknowledgment packet. Note that this packet is sent encrypted. */
packet_start(SSH_SMSG_SUCCESS);
packet_send();
packet_write_wait();
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
}
+ if (!options.compression) {
+ myproposal[PROPOSAL_COMP_ALGS_CTOS] =
+ myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
+ }
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
/* start key exchange */
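Review bot: setting both `PROPOSAL_COMP_ALGS_CTOS` and `PROPOSAL_COMP_ALGS_STOC` to `"none"` when `options.compression` is off correctly keeps the protocol 2 negotiation from agreeing on zlib, but this hunk is the only place in the diff where the option is honoured; the protocol 1 compression request handling is not touched here, so confirm that path consults `options.compression` as well, otherwise `Compression no` in sshd_config only applies to version 2 while the option text describes it as a general switch.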
-# $OpenBSD: sshd_config,v 1.53 2002/05/15 21:02:53 markus Exp $
+# $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $
-# This is the sshd server system-wide configuration file. See sshd(8)
-# for more information.
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
-#UsePrivilegeSeparation no
+#UsePrivilegeSeparation yes
+#Compression yes
#MaxStartups 10
# no default banner path
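Review bot: the sample now documents `#UsePrivilegeSeparation yes` as the compiled-in default, but the UsePrivilegeSeparation entry removed from sshd.8 earlier in this diff states `The default is .Dq no .`; the corresponding entry in the new sshd_config.5 has to say yes, or the sample file and the man page will disagree about a security default. The added `#Compression yes` line is consistent with the Compression entry in the new page, which gives yes as the default.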
--- /dev/null
+.\" -*- nroff -*-
+.\"
+.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
+.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+.\" All rights reserved
+.\"
+.\" As far as I am concerned, the code I have written for this software
+.\" can be used freely for any purpose. Any derived versions of this
+.\" software must be clearly marked as such, and if the derived work is
+.\" incompatible with the protocol description in the RFC file, it must be
+.\" called by a name other than "ssh" or "Secure Shell".
+.\"
+.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
+.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
+.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $OpenBSD: sshd_config.5,v 1.3 2002/06/20 23:37:12 markus Exp $
+.Dd September 25, 1999
+.Dt SSHD_CONFIG 5
+.Os
+.Sh NAME
+.Nm sshd_config
+.Nd OpenSSH SSH daemon configuration file
+.Sh SYNOPSIS
+.Bl -tag -width Ds -compact
+.It Pa /etc/ssh/sshd_config
+.El
+.Sh DESCRIPTION
+.Nm sshd
+reads configuration data from
+.Pa /etc/ssh/sshd_config
+(or the file specified with
+.Fl f
+on the command line).
+The file contains keyword-argument pairs, one per line.
+Lines starting with
+.Ql #
+and empty lines are interpreted as comments.
+.Pp
+The possible
+keywords and their meanings are as follows (note that
+keywords are case-insensitive and arguments are case-sensitive):
+.Bl -tag -width Ds
+.It Cm AFSTokenPassing
+Specifies whether an AFS token may be forwarded to the server.
+Default is
+.Dq no .
+.It Cm AllowGroups
+This keyword can be followed by a list of group name patterns, separated
+by spaces.
+If specified, login is allowed only for users whose primary
+group or supplementary group list matches one of the patterns.
+.Ql \&*
+and
+.Ql ?
+can be used as
+wildcards in the patterns.
+Only group names are valid; a numerical group ID is not recognized.
+By default, login is allowed for all groups.
+.Pp
+.It Cm AllowTcpForwarding
+Specifies whether TCP forwarding is permitted.
+The default is
+.Dq yes .
+Note that disabling TCP forwarding does not improve security unless
+users are also denied shell access, as they can always install their
+own forwarders.
+.Pp
+.It Cm AllowUsers
+This keyword can be followed by a list of user name patterns, separated
+by spaces.
+If specified, login is allowed only for users names that
+match one of the patterns.
+.Ql \&*
+and
+.Ql ?
+can be used as
+wildcards in the patterns.
+Only user names are valid; a numerical user ID is not recognized.
+By default, login is allowed for all users.
+If the pattern takes the form USER@HOST then USER and HOST
+are separately checked, restricting logins to particular
+users from particular hosts.
+.Pp
+.It Cm AuthorizedKeysFile
+Specifies the file that contains the public keys that can be used
+for user authentication.
+.Cm AuthorizedKeysFile
+may contain tokens of the form %T which are substituted during connection
+set-up. The following tokens are defined: %% is replaced by a literal '%',
+%h is replaced by the home directory of the user being authenticated and
+%u is replaced by the username of that user.
+After expansion,
+.Cm AuthorizedKeysFile
+is taken to be an absolute path or one relative to the user's home
+directory.
+The default is
+.Dq .ssh/authorized_keys .
+.It Cm Banner
+In some jurisdictions, sending a warning message before authentication
+may be relevant for getting legal protection.
+The contents of the specified file are sent to the remote user before
+authentication is allowed.
+This option is only available for protocol version 2.
+By default, no banner is displayed.
+.Pp
+.It Cm ChallengeResponseAuthentication
+Specifies whether challenge response authentication is allowed.
+All authentication styles from
+.Xr login.conf 5
+are supported.
+The default is
+.Dq yes .
+.It Cm Ciphers
+Specifies the ciphers allowed for protocol version 2.
+Multiple ciphers must be comma-separated.
+The default is
+.Pp
+.Bd -literal
+ ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
+ aes192-cbc,aes256-cbc''
+.Ed
+.It Cm ClientAliveInterval
+Sets a timeout interval in seconds after which if no data has been received
+from the client,
+.Nm sshd
+will send a message through the encrypted
+channel to request a response from the client.
+The default
+is 0, indicating that these messages will not be sent to the client.
+This option applies to protocol version 2 only.
+.It Cm ClientAliveCountMax
+Sets the number of client alive messages (see above) which may be
+sent without
+.Nm sshd
+receiving any messages back from the client. If this threshold is
+reached while client alive messages are being sent,
+.Nm sshd
+will disconnect the client, terminating the session. It is important
+to note that the use of client alive messages is very different from
+.Cm KeepAlive
+(below). The client alive messages are sent through the
+encrypted channel and therefore will not be spoofable. The TCP keepalive
+option enabled by
+.Cm KeepAlive
+is spoofable. The client alive mechanism is valuable when the client or
+server depend on knowing when a connection has become inactive.
+.Pp
+The default value is 3. If
+.Cm ClientAliveInterval
+(above) is set to 15, and
+.Cm ClientAliveCountMax
+is left at the default, unresponsive ssh clients
+will be disconnected after approximately 45 seconds.
+.It Cm Compression
+Specifies whether compression is allowed.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq yes .
+.It Cm DenyGroups
+This keyword can be followed by a list of group name patterns, separated
+by spaces.
+Login is disallowed for users whose primary group or supplementary
+group list matches one of the patterns.
+.Ql \&*
+and
+.Ql ?
+can be used as
+wildcards in the patterns.
+Only group names are valid; a numerical group ID is not recognized.
+By default, login is allowed for all groups.
+.Pp
+.It Cm DenyUsers
+This keyword can be followed by a list of user name patterns, separated
+by spaces.
+Login is disallowed for user names that match one of the patterns.
+.Ql \&*
+and
+.Ql ?
+can be used as wildcards in the patterns.
+Only user names are valid; a numerical user ID is not recognized.
+By default, login is allowed for all users.
+If the pattern takes the form USER@HOST then USER and HOST
+are separately checked, restricting logins to particular
+users from particular hosts.
+.It Cm GatewayPorts
+Specifies whether remote hosts are allowed to connect to ports
+forwarded for the client.
+By default,
+.Nm sshd
+binds remote port forwardings to the loopback address. This
+prevents other remote hosts from connecting to forwarded ports.
+.Cm GatewayPorts
+can be used to specify that
+.Nm sshd
+should bind remote port forwardings to the wildcard address,
+thus allowing remote hosts to connect to forwarded ports.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm HostbasedAuthentication
+Specifies whether rhosts or /etc/hosts.equiv authentication together
+with successful public key client host authentication is allowed
+(hostbased authentication).
+This option is similar to
+.Cm RhostsRSAAuthentication
+and applies to protocol version 2 only.
+The default is
+.Dq no .
+.It Cm HostKey
+Specifies a file containing a private host key
+used by SSH.
+The default is
+.Pa /etc/ssh/ssh_host_key
+for protocol version 1, and
+.Pa /etc/ssh/ssh_host_rsa_key
+and
+.Pa /etc/ssh/ssh_host_dsa_key
+for protocol version 2.
+Note that
+.Nm sshd
+will refuse to use a file if it is group/world-accessible.
+It is possible to have multiple host key files.
+.Dq rsa1
+keys are used for version 1 and
+.Dq dsa
+or
+.Dq rsa
+are used for version 2 of the SSH protocol.
+.It Cm IgnoreRhosts
+Specifies that
+.Pa .rhosts
+and
+.Pa .shosts
+files will not be used in
+.Cm RhostsAuthentication ,
+.Cm RhostsRSAAuthentication
+or
+.Cm HostbasedAuthentication .
+.Pp
+.Pa /etc/hosts.equiv
+and
+.Pa /etc/shosts.equiv
+are still used.
+The default is
+.Dq yes .
+.It Cm IgnoreUserKnownHosts
+Specifies whether
+.Nm sshd
+should ignore the user's
+.Pa $HOME/.ssh/known_hosts
+during
+.Cm RhostsRSAAuthentication
+or
+.Cm HostbasedAuthentication .
+The default is
+.Dq no .
+.It Cm KeepAlive
+Specifies whether the system should send TCP keepalive messages to the
+other side.
+If they are sent, death of the connection or crash of one
+of the machines will be properly noticed.
+However, this means that
+connections will die if the route is down temporarily, and some people
+find it annoying.
+On the other hand, if keepalives are not sent,
+sessions may hang indefinitely on the server, leaving
+.Dq ghost
+users and consuming server resources.
+.Pp
+The default is
+.Dq yes
+(to send keepalives), and the server will notice
+if the network goes down or the client host crashes.
+This avoids infinitely hanging sessions.
+.Pp
+To disable keepalives, the value should be set to
+.Dq no .
+.It Cm KerberosAuthentication
+Specifies whether Kerberos authentication is allowed.
+This can be in the form of a Kerberos ticket, or if
+.It Cm PAMAuthenticationViaKbdInt
+Specifies whether PAM challenge response authentication is allowed. This
+allows the use of most PAM challenge response authentication modules, but
+it will allow password authentication regardless of whether
+.Cm PasswordAuthentication
+is yes, the password provided by the user will be validated through
+the Kerberos KDC.
+To use this option, the server needs a
+Kerberos servtab which allows the verification of the KDC's identity.
+Default is
+.Dq no .
+.It Cm KerberosOrLocalPasswd
+If set then if password authentication through Kerberos fails then
+the password will be validated via any additional local mechanism
+such as
+.Pa /etc/passwd .
+Default is
+.Dq yes .
+.It Cm KerberosTgtPassing
+Specifies whether a Kerberos TGT may be forwarded to the server.
+Default is
+.Dq no ,
+as this only works when the Kerberos KDC is actually an AFS kaserver.
+.It Cm KerberosTicketCleanup
+Specifies whether to automatically destroy the user's ticket cache
+file on logout.
+Default is
+.Dq yes .
+.It Cm KeyRegenerationInterval
+In protocol version 1, the ephemeral server key is automatically regenerated
+after this many seconds (if it has been used).
+The purpose of regeneration is to prevent
+decrypting captured sessions by later breaking into the machine and
+stealing the keys.
+The key is never stored anywhere.
+If the value is 0, the key is never regenerated.
+The default is 3600 (seconds).
+.It Cm ListenAddress
+Specifies the local addresses
+.Nm sshd
+should listen on.
+The following forms may be used:
+.Pp
+.Bl -item -offset indent -compact
+.It
+.Cm ListenAddress
+.Sm off
+.Ar host No | Ar IPv4_addr No | Ar IPv6_addr
+.Sm on
+.It
+.Cm ListenAddress
+.Sm off
+.Ar host No | Ar IPv4_addr No : Ar port
+.Sm on
+.It
+.Cm ListenAddress
+.Sm off
+.Oo
+.Ar host No | Ar IPv6_addr Oc : Ar port
+.Sm on
+.El
+.Pp
+If
+.Ar port
+is not specified,
+.Nm sshd
+will listen on the address and all prior
+.Cm Port
+options specified. The default is to listen on all local
+addresses. Multiple
+.Cm ListenAddress
+options are permitted. Additionally, any
+.Cm Port
+options must precede this option for non port qualified addresses.
+.It Cm LoginGraceTime
+The server disconnects after this time if the user has not
+successfully logged in.
+If the value is 0, there is no time limit.
+The default is 600 (seconds).
+.It Cm LogLevel
+Gives the verbosity level that is used when logging messages from
+.Nm sshd .
+The possible values are:
+QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
+The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2
+and DEBUG3 each specify higher levels of debugging output.
+Logging with a DEBUG level violates the privacy of users
+and is not recommended.
+.It Cm MACs
+Specifies the available MAC (message authentication code) algorithms.
+The MAC algorithm is used in protocol version 2
+for data integrity protection.
+Multiple algorithms must be comma-separated.
+The default is
+.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
+.It Cm MaxStartups
+Specifies the maximum number of concurrent unauthenticated connections to the
+.Nm sshd
+daemon.
+Additional connections will be dropped until authentication succeeds or the
+.Cm LoginGraceTime
+expires for a connection.
+The default is 10.
+.Pp
+Alternatively, random early drop can be enabled by specifying
+the three colon separated values
+.Dq start:rate:full
+(e.g., "10:30:60").
+.Nm sshd
+will refuse connection attempts with a probability of
+.Dq rate/100
+(30%)
+if there are currently
+.Dq start
+(10)
+unauthenticated connections.
+The probability increases linearly and all connection attempts
+are refused if the number of unauthenticated connections reaches
+.Dq full
+(60).
+.It Cm PasswordAuthentication
+Specifies whether password authentication is allowed.
+The default is
+.Dq yes .
+.It Cm PermitEmptyPasswords
+When password authentication is allowed, it specifies whether the
+server allows login to accounts with empty password strings.
+The default is
+.Dq no .
+.It Cm PermitRootLogin
+Specifies whether root can login using
+.Xr ssh 1 .
+The argument must be
+.Dq yes ,
+.Dq without-password ,
+.Dq forced-commands-only
+or
+.Dq no .
+The default is
+.Dq yes .
+.Pp
+If this option is set to
+.Dq without-password
+password authentication is disabled for root.
+.Pp
+If this option is set to
+.Dq forced-commands-only
+root login with public key authentication will be allowed,
+but only if the
+.Ar command
+option has been specified
+(which may be useful for taking remote backups even if root login is
+normally not allowed). All other authentication methods are disabled
+for root.
+.Pp
+If this option is set to
+.Dq no
+root is not allowed to login.
+.It Cm PidFile
+Specifies the file that contains the process identifier of the
+.Nm sshd
+daemon.
+The default is
+.Pa /var/run/sshd.pid .
+.It Cm Port
+Specifies the port number that
+.Nm sshd
+listens on.
+The default is 22.
+Multiple options of this type are permitted.
+See also
+.Cm ListenAddress .
+.It Cm PrintLastLog
+Specifies whether
+.Nm sshd
+should print the date and time when the user last logged in.
+The default is
+.Dq yes .
+.It Cm PrintMotd
+Specifies whether
+.Nm sshd
+should print
+.Pa /etc/motd
+when a user logs in interactively.
+(On some systems it is also printed by the shell,
+.Pa /etc/profile ,
+or equivalent.)
+The default is
+.Dq yes .
+.It Cm Protocol
+Specifies the protocol versions
+.Nm sshd
+should support.
+The possible values are
+.Dq 1
+and
+.Dq 2 .
+Multiple versions must be comma-separated.
+The default is
+.Dq 2,1 .
+.It Cm PubkeyAuthentication
+Specifies whether public key authentication is allowed.
+The default is
+.Dq yes .
+Note that this option applies to protocol version 2 only.
+.It Cm RhostsAuthentication
+Specifies whether authentication using rhosts or /etc/hosts.equiv
+files is sufficient.
+Normally, this method should not be permitted because it is insecure.
+.Cm RhostsRSAAuthentication
+should be used
+instead, because it performs RSA-based host authentication in addition
+to normal rhosts or /etc/hosts.equiv authentication.
+The default is
+.Dq no .
+This option applies to protocol version 1 only.
+.It Cm RhostsRSAAuthentication
+Specifies whether rhosts or /etc/hosts.equiv authentication together
+with successful RSA host authentication is allowed.
+The default is
+.Dq no .
+This option applies to protocol version 1 only.
+.It Cm RSAAuthentication
+Specifies whether pure RSA authentication is allowed.
+The default is
+.Dq yes .
+This option applies to protocol version 1 only.
+.It Cm ServerKeyBits
+Defines the number of bits in the ephemeral protocol version 1 server key.
+The minimum value is 512, and the default is 768.
+.It Cm StrictModes
+Specifies whether
+.Nm sshd
+should check file modes and ownership of the
+user's files and home directory before accepting login.
+This is normally desirable because novices sometimes accidentally leave their
+directory or files world-writable.
+The default is
+.Dq yes .
+.It Cm Subsystem
+Configures an external subsystem (e.g., file transfer daemon).
+Arguments should be a subsystem name and a command to execute upon subsystem
+request.
+The command
+.Xr sftp-server 8
+implements the
+.Dq sftp
+file transfer subsystem.
+By default no subsystems are defined.
+Note that this option applies to protocol version 2 only.
+.It Cm SyslogFacility
+Gives the facility code that is used when logging messages from
+.Nm sshd .
+The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+The default is AUTH.
+.It Cm UseLogin
+Specifies whether
+.Xr login 1
+is used for interactive login sessions.
+The default is
+.Dq no .
+Note that
+.Xr login 1
+is never used for remote command execution.
+Note also, that if this is enabled,
+.Cm X11Forwarding
+will be disabled because
+.Xr login 1
+does not know how to handle
+.Xr xauth 1
+cookies. If
+.Cm UsePrivilegeSeparation
+is specified, it will be disabled after authentication.
+.It Cm UsePrivilegeSeparation
+Specifies whether
+.Nm sshd
+separates privileges by creating an unprivileged child process
+to deal with incoming network traffic. After successful authentication,
+another process will be created that has the privilege of the authenticated
+user. The goal of privilege separation is to prevent privilege
+escalation by containing any corruption within the unprivileged processes.
+The default is
+.Dq yes .
+.It Cm VerifyReverseMapping
+Specifies whether
+.Nm sshd
+should try to verify the remote host name and check that
+the resolved host name for the remote IP address maps back to the
+very same IP address.
+The default is
+.Dq no .
+.It Cm X11DisplayOffset
+Specifies the first display number available for
+.Nm sshd Ns 's
+X11 forwarding.
+This prevents
+.Nm sshd
+from interfering with real X11 servers.
+The default is 10.
+.It Cm X11Forwarding
+Specifies whether X11 forwarding is permitted.
+The default is
+.Dq no .
+Note that disabling X11 forwarding does not improve security in any
+way, as users can always install their own forwarders.
+X11 forwarding is automatically disabled if
+.Cm UseLogin
+is enabled.
+.It Cm X11UseLocalhost
+Specifies whether
+.Nm sshd
+should bind the X11 forwarding server to the loopback address or to
+the wildcard address. By default,
+.Nm sshd
+binds the forwarding server to the loopback address and sets the
+hostname part of the
+.Ev DISPLAY
+environment variable to
+.Dq localhost .
+This prevents remote hosts from connecting to the fake display.
+However, some older X11 clients may not function with this
+configuration.
+.Cm X11UseLocalhost
+may be set to
+.Dq no
+to specify that the forwarding server should be bound to the wildcard
+address.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq yes .
+.It Cm XAuthLocation
+Specifies the location of the
+.Xr xauth 1
+program.
+The default is
+.Pa /usr/X11R6/bin/xauth .
+.El
+.Ss Time Formats
+.Pp
+.Nm sshd
+command-line arguments and configuration file options that specify time
+may be expressed using a sequence of the form:
+.Sm off
+.Ar time Oo Ar qualifier Oc ,
+.Sm on
+where
+.Ar time
+is a positive integer value and
+.Ar qualifier
+is one of the following:
+.Pp
+.Bl -tag -width Ds -compact -offset indent
+.It Cm <none>
+seconds
+.It Cm s | Cm S
+seconds
+.It Cm m | Cm M
+minutes
+.It Cm h | Cm H
+hours
+.It Cm d | Cm D
+days
+.It Cm w | Cm W
+weeks
+.El
+.Pp
+Each member of the sequence is added together to calculate
+the total time value.
+.Pp
+Time format examples:
+.Pp
+.Bl -tag -width Ds -compact -offset indent
+.It 600
+600 seconds (10 minutes)
+.It 10m
+10 minutes
+.It 1h30m
+1 hour 30 minutes (90 minutes)
+.El
+.Sh FILES
+.Bl -tag -width Ds
+.It Pa /etc/ssh/sshd_config
+Contains configuration data for
+.Nm sshd .
+This file should be writable by root only, but it is recommended
+(though not necessary) that it be world-readable.
+.El
+.Sh AUTHORS
+OpenSSH is a derivative of the original and free
+ssh 1.2.12 release by Tatu Ylonen.
+Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
+Theo de Raadt and Dug Song
+removed many bugs, re-added newer features and
+created OpenSSH.
+Markus Friedl contributed the support for SSH
+protocol versions 1.5 and 2.0.
+Niels Provos and Markus Friedl contributed support
+for privilege separation.
+.Sh SEE ALSO
+.Xr sshd 8
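Review bot: several sentences in the new sshd_config.5 text start mid-line, which breaks mdoc's new-sentence-new-line convention and the spacing the formatter produces; see `normally not allowed). All other authentication methods are disabled`, `cookies. If`, `traffic. After`, `user. The goal` and `address. By default,`, each of which should break after the period. The `.Pp` directly under `.Ss Time Formats` is redundant (mandoc flags a paragraph macro right after `Ss`). On content, the `UsePrivilegeSeparation` entry explains the goal of containing corruption in the unprivileged child but does not say what identity that child runs under or what the system must provide for it, which is what an administrator keeping the new default of `yes` needs to know; a sentence there, or a pointer to the documentation that covers it, would close the gap. It is also worth stating explicitly that with `PermitRootLogin` and `PasswordAuthentication` both defaulting to `yes`, root password login is enabled out of the box, so readers see the interaction rather than having to infer it from two separate entries.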
#else /* HAVE_DEV_PTS_AND_PTC */
#ifdef _CRAY
char buf[64];
- int i;
- int highpty;
+ int i;
+ int highpty;
#ifdef _SC_CRAY_NPTY
highpty = sysconf(_SC_CRAY_NPTY);
if (fd < 0)
error("%.100s: %.100s", ttyname, strerror(errno));
close(*ttyfd);
- *ttyfd = fd;
+ *ttyfd = fd;
#else /* _CRAY */
/* First disconnect from the old controlling tty. */
*/
#include "includes.h"
-RCSID("$OpenBSD: ttymodes.c,v 1.17 2002/03/19 10:49:35 markus Exp $");
+RCSID("$OpenBSD: ttymodes.c,v 1.18 2002/06/19 00:27:55 deraadt Exp $");
#include "packet.h"
#include "log.h"
else
packet_put_raw(buffer_ptr(&buf), buffer_len(&buf));
buffer_free(&buf);
- return;
}
/*
/* Set the new modes for the terminal. */
if (tcsetattr(fd, TCSANOW, &tio) == -1)
log("Setting tty modes failed: %.100s", strerror(errno));
- return;
}
#if defined(OLCUC)
TTYMODE(OLCUC, c_oflag, 71)
#endif
+#ifdef ONLCR
TTYMODE(ONLCR, c_oflag, 72)
+#endif
#ifdef OCRNL
TTYMODE(OCRNL, c_oflag, 73)
#endif
*/
#include "includes.h"
-RCSID("$OpenBSD: uidswap.c,v 1.20 2002/04/01 21:50:51 stevesk Exp $");
+RCSID("$OpenBSD: uidswap.c,v 1.22 2002/05/28 21:24:00 stevesk Exp $");
#include "log.h"
#include "uidswap.h"
#ifdef SAVED_IDS_WORK_WITH_SETEUID
saved_euid = geteuid();
saved_egid = getegid();
- debug("temporarily_use_uid: %d/%d (e=%d)",
- pw->pw_uid, pw->pw_gid, saved_euid);
+ debug("temporarily_use_uid: %u/%u (e=%u)",
+ (u_int)pw->pw_uid, (u_int)pw->pw_gid, (u_int)saved_euid);
if (saved_euid != 0) {
privileged = 0;
return;
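Review bot: the switch from `%d` to `%u` with `(u_int)` casts on the uid/gid arguments of this `debug()` call brings it in line with the `fatal()` calls later in the file, which already use `%u`; uid_t and gid_t are unsigned on most platforms, so the old `%d` would have printed large ids as negative numbers. The cast still truncates if the type is wider than `u_int`, which is acceptable for a debug line but should not be copied into any comparison.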
if (user_groupslen < 0)
fatal("getgroups: %.100s", strerror(errno));
}
-#ifndef HAVE_CYGWIN
/* Set the effective uid to the given (unprivileged) uid. */
if (setgroups(user_groupslen, user_groups) < 0)
fatal("setgroups: %.100s", strerror(errno));
-#endif /* !HAVE_CYGWIN */
#ifndef SAVED_IDS_WORK_WITH_SETEUID
/* Propagate the privileged gid to all of our gids. */
if (setgid(getegid()) < 0)
debug("setuid %u: %.100s", (u_int) geteuid(), strerror(errno));
#endif /* SAVED_IDS_WORK_WITH_SETEUID */
if (setegid(pw->pw_gid) < 0)
- fatal("setegid %u: %.100s", (u_int) pw->pw_gid,
+ fatal("setegid %u: %.100s", (u_int)pw->pw_gid,
strerror(errno));
if (seteuid(pw->pw_uid) == -1)
- fatal("seteuid %u: %.100s", (u_int) pw->pw_uid,
+ fatal("seteuid %u: %.100s", (u_int)pw->pw_uid,
strerror(errno));
}
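Review bot: dropping the `#ifndef HAVE_CYGWIN` guard makes the `setgroups()` call unconditional, and its failure is `fatal()`, so this needs confirmation that Cygwin's `setgroups()` now returns success (or that the reason for the guard no longer holds); the same guard is removed again in `restore_uid()` below. Unrelated to the change but visible in the context: `if (setgid(getegid()) < 0) debug("setuid %u: %.100s", (u_int) geteuid(), strerror(errno));` names the wrong call and prints the wrong id, and a failed gid change in the uid-switching path is only logged at debug level. Suggest `debug("setgid %u: %.100s", (u_int)getegid(), strerror(errno));` and consider whether this should be `fatal()` like the surrounding checks, since a gid that was not propagated cannot be restored correctly later.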
#ifdef SAVED_IDS_WORK_WITH_SETEUID
/* Set the effective uid back to the saved privileged uid. */
if (seteuid(saved_euid) < 0)
- fatal("seteuid %u: %.100s", (u_int) saved_euid, strerror(errno));
+ fatal("seteuid %u: %.100s", (u_int)saved_euid, strerror(errno));
if (setegid(saved_egid) < 0)
- fatal("setegid %u: %.100s", (u_int) saved_egid,
- strerror(errno));
+ fatal("setegid %u: %.100s", (u_int)saved_egid, strerror(errno));
#else /* SAVED_IDS_WORK_WITH_SETEUID */
/*
* We are unable to restore the real uid to its unprivileged value.
setgid(getgid());
#endif /* SAVED_IDS_WORK_WITH_SETEUID */
-#ifndef HAVE_CYGWIN
if (setgroups(saved_egroupslen, saved_egroups) < 0)
fatal("setgroups: %.100s", strerror(errno));
-#endif /* !HAVE_CYGWIN */
temporarily_use_uid_effective = 0;
}
permanently_set_uid(struct passwd *pw)
{
if (temporarily_use_uid_effective)
- fatal("restore_uid: temporarily_use_uid effective");
+ fatal("permanently_set_uid: temporarily_use_uid effective");
if (setgid(pw->pw_gid) < 0)
- fatal("setgid %u: %.100s", (u_int) pw->pw_gid, strerror(errno));
+ fatal("setgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
if (setuid(pw->pw_uid) < 0)
- fatal("setuid %u: %.100s", (u_int) pw->pw_uid, strerror(errno));
+ fatal("setuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
}
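Review bot: the message fix (`restore_uid` to `permanently_set_uid`) is correct; the old text would have sent anyone reading the log to the wrong function. The function still only checks the return values of `setgid()` and `setuid()`: if the process does not have effective uid 0 at this point, `setuid()` succeeds but changes only the effective id and leaves the real and saved ids in place, so privilege could be regained later. After the two calls it should verify that `getuid()`, `geteuid()`, `getgid()` and `getegid()` are the requested values and `fatal()` otherwise. Supplementary groups are also not touched here, so either the caller must have reset them or a `setgroups()` call belongs in this function before it can be relied on as a permanent drop.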
-/* $OpenBSD: version.h,v 1.32 2002/05/17 14:57:40 markus Exp $ */
+/* $OpenBSD: version.h,v 1.33 2002/06/21 15:41:20 markus Exp $ */
+
+#define SSH_VERSION "OpenSSH_3.3"
-#define SSH_VERSION "OpenSSH_3.2.3p1"
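Review bot: the new `SSH_VERSION` drops the `p1` suffix that the replaced `"OpenSSH_3.2.3p1"` carried, and the `+`/`-` ordering in this hunk is inverted, which suggests it was hand-edited or re-merged. Confirm that the portable tree's version string is meant to read `OpenSSH_3.3` here, since the banner is what administrators use to tell the portable release apart from the OpenBSD one, or restore the suffix.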
-/* $OpenBSD: xmalloc.h,v 1.8 2002/03/04 17:27:39 stevesk Exp $ */
+/* $OpenBSD: xmalloc.h,v 1.9 2002/06/19 00:27:55 deraadt Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
void *xmalloc(size_t);
void *xrealloc(void *, size_t);
void xfree(void *);
-char *xstrdup(const char *);
+char *xstrdup(const char *);
#endif /* XMALLOC_H */