From 12a403af2e464fc8b8d95db93167b0b6d4cb15e7 Mon Sep 17 00:00:00 2001 From: jbasney Date: Wed, 5 May 2004 14:41:27 +0000 Subject: [PATCH] merged OpenSSH 3.8.1p1 to trunk --- openssh/acconfig.h | 9 ++ openssh/auth-krb5.c | 8 ++ openssh/auth-pam.c | 37 +++++--- openssh/auth-pam.h | 2 +- openssh/auth.h | 1 + openssh/auth1.c | 2 +- openssh/auth2.c | 6 +- openssh/canohost.c | 6 +- openssh/configure.ac | 121 +++++++++++++++++++++++--- openssh/defines.h | 21 +++++ openssh/gss-serv-krb5.c | 2 + openssh/monitor.c | 17 ++-- openssh/monitor_wrap.c | 10 ++- openssh/monitor_wrap.h | 2 +- openssh/openbsd-compat/bsd-misc.h | 4 + openssh/openbsd-compat/fake-rfc2553.h | 3 + openssh/openbsd-compat/xcrypt.c | 4 - openssh/readconf.c | 12 ++- openssh/readconf.h | 3 +- openssh/session.c | 12 ++- openssh/ssh-agent.c | 9 ++ openssh/ssh-keyscan.c | 4 +- openssh/ssh.1 | 3 +- openssh/ssh.c | 61 +++---------- openssh/ssh_config.5 | 20 ++++- openssh/sshconnect2.c | 4 +- openssh/sshd.c | 47 ++++------ openssh/sshd_config.5 | 11 ++- openssh/version.h | 4 +- 29 files changed, 302 insertions(+), 143 deletions(-) diff --git a/openssh/acconfig.h b/openssh/acconfig.h index 77e0322..fd14c1a 100644 --- a/openssh/acconfig.h +++ b/openssh/acconfig.h @@ -131,6 +131,9 @@ /* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */ #undef AIX_LOGINFAILED_4ARG +/* Define if your skeychallenge() function takes 4 arguments (eg NetBSD) */ +#undef SKEYCHALLENGE_4ARG + /* Define if you have/want arrays (cluster-wide session managment, not C arrays) */ #undef WITH_IRIX_ARRAY @@ -202,6 +205,9 @@ /* Define if you don't want to use lastlog in session.c */ #undef NO_SSH_LASTLOG +/* Define if have krb5_init_ets */ +#undef KRB5_INIT_ETS + /* Define if you don't want to use utmp */ #undef DISABLE_UTMP @@ -360,6 +366,9 @@ /* getaddrinfo is broken (if present) */ #undef BROKEN_GETADDRINFO +/* updwtmpx is broken (if present) */ +#undef BROKEN_UPDWTMPX + /* Workaround more Linux IPv6 quirks */ #undef DONT_TRY_OTHER_AF diff --git a/openssh/auth-krb5.c b/openssh/auth-krb5.c index 8594924..a728eba 100644 --- a/openssh/auth-krb5.c +++ b/openssh/auth-krb5.c @@ -54,7 +54,9 @@ krb5_init(void *context) problem = krb5_init_context(&authctxt->krb5_ctx); if (problem) return (problem); +#ifdef KRB5_INIT_ETS krb5_init_ets(authctxt->krb5_ctx); +#endif } return (0); } @@ -70,6 +72,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) #endif krb5_error_code problem; krb5_ccache ccache = NULL; + int len; if (!authctxt->valid) return (0); @@ -175,6 +178,11 @@ auth_krb5_password(Authctxt *authctxt, const char *password) authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); + len = strlen(authctxt->krb5_ticket_file) + 6; + authctxt->krb5_ccname = xmalloc(len); + snprintf(authctxt->krb5_ccname, len, "FILE:%s", + authctxt->krb5_ticket_file); + out: restore_uid(); diff --git a/openssh/auth-pam.c b/openssh/auth-pam.c index 7157e72..9eb3174 100644 --- a/openssh/auth-pam.c +++ b/openssh/auth-pam.c @@ -58,6 +58,7 @@ RCSID("$Id$"); extern ServerOptions options; extern Buffer loginmsg; extern int compat20; +extern u_int utmp_len; #ifdef USE_POSIX_THREADS #include @@ -117,6 +118,7 @@ pthread_create(sp_pthread_t *thread, const void *attr __unused, { pid_t pid; + sshpam_thread_status = -1; switch ((pid = fork())) { case -1: error("fork(): %s", strerror(errno)); @@ -159,7 +161,7 @@ static int sshpam_session_open = 0; static int sshpam_cred_established = 0; static int sshpam_account_status = -1; static char **sshpam_env = NULL; -static int *force_pwchange; +static Authctxt *sshpam_authctxt = NULL; /* Some PAM implementations don't implement this */ #ifndef HAVE_PAM_GETENVLIST @@ -179,7 +181,9 @@ void pam_password_change_required(int reqd) { debug3("%s %d", __func__, reqd); - *force_pwchange = reqd; + if (sshpam_authctxt == NULL) + fatal("%s: PAM authctxt not initialized", __func__); + sshpam_authctxt->force_pwchange = reqd; if (reqd) { no_port_forwarding_flag |= 2; no_agent_forwarding_flag |= 2; @@ -201,6 +205,7 @@ import_environments(Buffer *b) debug3("PAM: %s entering", __func__); +#ifndef USE_POSIX_THREADS /* Import variables set by do_pam_account */ sshpam_account_status = buffer_get_int(b); pam_password_change_required(buffer_get_int(b)); @@ -228,6 +233,7 @@ import_environments(Buffer *b) } #endif } +#endif } /* @@ -336,6 +342,9 @@ sshpam_thread(void *ctxtp) sshpam_conv.conv = sshpam_thread_conv; sshpam_conv.appdata_ptr = ctxt; + if (sshpam_authctxt == NULL) + fatal("%s: PAM authctxt not initialized", __func__); + buffer_init(&buffer); sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, (const void *)&sshpam_conv); @@ -348,7 +357,7 @@ sshpam_thread(void *ctxtp) if (compat20) { if (!do_pam_account()) goto auth_fail; - if (*force_pwchange) { + if (sshpam_authctxt->force_pwchange) { sshpam_err = pam_chauthtok(sshpam_handle, PAM_CHANGE_EXPIRED_AUTHTOK); if (sshpam_err != PAM_SUCCESS) @@ -362,7 +371,7 @@ sshpam_thread(void *ctxtp) #ifndef USE_POSIX_THREADS /* Export variables set by do_pam_account */ buffer_put_int(&buffer, sshpam_account_status); - buffer_put_int(&buffer, *force_pwchange); + buffer_put_int(&buffer, sshpam_authctxt->force_pwchange); /* Export any environment strings set in child */ for(i = 0; environ[i] != NULL; i++) @@ -443,11 +452,10 @@ sshpam_cleanup(void) } static int -sshpam_init(const char *user) +sshpam_init(Authctxt *authctxt) { - extern u_int utmp_len; extern char *__progname; - const char *pam_rhost, *pam_user; + const char *pam_rhost, *pam_user, *user = authctxt->user; if (sshpam_handle != NULL) { /* We already have a PAM context; check if the user matches */ @@ -461,6 +469,8 @@ sshpam_init(const char *user) debug("PAM: initializing for \"%s\"", user); sshpam_err = pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle); + sshpam_authctxt = authctxt; + if (sshpam_err != PAM_SUCCESS) { pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; @@ -503,7 +513,7 @@ sshpam_init_ctx(Authctxt *authctxt) return NULL; /* Initialize PAM */ - if (sshpam_init(authctxt->user) == -1) { + if (sshpam_init(authctxt) == -1) { error("PAM: initialization failed"); return (NULL); } @@ -511,8 +521,6 @@ sshpam_init_ctx(Authctxt *authctxt) ctxt = xmalloc(sizeof *ctxt); memset(ctxt, 0, sizeof(*ctxt)); - force_pwchange = &(authctxt->force_pwchange); - /* Start the authentication thread */ if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { error("PAM: failed create sockets: %s", strerror(errno)); @@ -591,7 +599,10 @@ sshpam_query(void *ctx, char **name, char **info, xfree(msg); return (0); } - error("PAM: %s", msg); + error("PAM: %s for %s%.100s from %.100s", msg, + sshpam_authctxt->valid ? "" : "illegal user ", + sshpam_authctxt->user, + get_remote_name_or_ip(utmp_len, options.use_dns)); /* FALLTHROUGH */ default: *num = 0; @@ -671,12 +682,12 @@ KbdintDevice mm_sshpam_device = { * This replaces auth-pam.c */ void -start_pam(const char *user) +start_pam(Authctxt *authctxt) { if (!options.use_pam) fatal("PAM: initialisation requested when UsePAM=no"); - if (sshpam_init(user) == -1) + if (sshpam_init(authctxt) == -1) fatal("PAM: initialisation failed"); } diff --git a/openssh/auth-pam.h b/openssh/auth-pam.h index 0682ca0..ff501f6 100644 --- a/openssh/auth-pam.h +++ b/openssh/auth-pam.h @@ -31,7 +31,7 @@ # define SSHD_PAM_SERVICE __progname #endif -void start_pam(const char *); +void start_pam(Authctxt *); void finish_pam(void); u_int do_pam_account(void); void do_pam_session(void); diff --git a/openssh/auth.h b/openssh/auth.h index 7e7562b..b916fa6 100644 --- a/openssh/auth.h +++ b/openssh/auth.h @@ -69,6 +69,7 @@ struct Authctxt { krb5_ccache krb5_fwd_ccache; krb5_principal krb5_user; char *krb5_ticket_file; + char *krb5_ccname; #endif #ifdef SESSION_HOOKS char *session_env_file; diff --git a/openssh/auth1.c b/openssh/auth1.c index 82fe5fb..f145cf0 100644 --- a/openssh/auth1.c +++ b/openssh/auth1.c @@ -307,7 +307,7 @@ do_authentication(Authctxt *authctxt) #ifdef USE_PAM if (options.use_pam) - PRIVSEP(start_pam(user)); + PRIVSEP(start_pam(authctxt)); #endif /* diff --git a/openssh/auth2.c b/openssh/auth2.c index eaa377f..03fe49e 100644 --- a/openssh/auth2.c +++ b/openssh/auth2.c @@ -200,19 +200,20 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) } else { #endif authctxt->pw = PRIVSEP(getpwnamallow(user)); + authctxt->user = xstrdup(user); if (authctxt->pw && strcmp(service, "ssh-connection")==0) { authctxt->valid = 1; debug2("input_userauth_request: setting up authctxt for %s", user); #ifdef USE_PAM if (options.use_pam) - PRIVSEP(start_pam(authctxt->pw->pw_name)); + PRIVSEP(start_pam(authctxt)); #endif } else { logit("input_userauth_request: illegal user %s", user); authctxt->pw = fakepw(); #ifdef USE_PAM if (options.use_pam) - PRIVSEP(start_pam(user)); + PRIVSEP(start_pam(authctxt)); #endif } #ifdef GSSAPI @@ -220,7 +221,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) #endif setproctitle("%s%s", authctxt->pw ? user : "unknown", use_privsep ? " [net]" : ""); - authctxt->user = xstrdup(user); authctxt->service = xstrdup(service); authctxt->style = style ? xstrdup(style) : NULL; if (use_privsep && (authctxt->attempt == 1)) diff --git a/openssh/canohost.c b/openssh/canohost.c index 0bb27c9..3c26885 100644 --- a/openssh/canohost.c +++ b/openssh/canohost.c @@ -44,6 +44,9 @@ get_remote_hostname(int socket, int use_dns) cleanup_exit(255); } + if (from.ss_family == AF_INET) + check_ip_options(socket, ntop); + ipv64_normalise_mapped(&from, &fromlen); if (from.ss_family == AF_INET6) @@ -56,9 +59,6 @@ get_remote_hostname(int socket, int use_dns) if (!use_dns) return xstrdup(ntop); - if (from.ss_family == AF_INET) - check_ip_options(socket, ntop); - debug3("Trying to reverse map address %.100s.", ntop); /* Map the IP address to a host name. */ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), diff --git a/openssh/configure.ac b/openssh/configure.ac index bcc0c4b..d22c117 100644 --- a/openssh/configure.ac +++ b/openssh/configure.ac @@ -1,4 +1,18 @@ # $Id$ +# +# Copyright (c) 1999-2004 Damien Miller +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -186,10 +200,7 @@ case "$host" in AC_DEFINE(DISABLE_UTMP) AC_DEFINE(LOCKED_PASSWD_STRING, "*") AC_DEFINE(SPT_TYPE,SPT_PSTAT) - case "$host" in - *-*-hpux11.11*) - AC_DEFINE(BROKEN_GETADDRINFO);; - esac + check_for_hpux_broken_getaddrinfo=1 LIBS="$LIBS -lsec" AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) ;; @@ -212,6 +223,7 @@ case "$host" in AC_DEFINE(SETEUID_BREAKS_SETUID) AC_DEFINE(BROKEN_SETREUID) AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(BROKEN_UPDWTMPX) AC_DEFINE(WITH_ABBREV_NO_TTY) AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") ;; @@ -221,7 +233,7 @@ case "$host" in check_for_openpty_ctty_bug=1 AC_DEFINE(DONT_TRY_OTHER_AF) AC_DEFINE(PAM_TTY_KLUDGE) - AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!") + AC_DEFINE(LOCKED_PASSWD_PREFIX, "!") AC_DEFINE(SPT_TYPE,SPT_REUSEARGV) inet6_default_4in6=yes case `uname -r` in @@ -259,6 +271,9 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(BROKEN_SAVED_UIDS) ;; *-*-solaris*) + if test "x$withval" != "xno" ; then + need_dash_r=1 + fi AC_DEFINE(PAM_SUN_CODEBASE) AC_DEFINE(LOGIN_NEEDS_UTMPX) AC_DEFINE(LOGIN_NEEDS_TERM) @@ -335,6 +350,9 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(HAVE_SECUREWARE) AC_DEFINE(DISABLE_SHADOW) AC_DEFINE(BROKEN_SAVED_UIDS) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) AC_DEFINE(WITH_ABBREV_NO_TTY) AC_CHECK_FUNCS(getluid setluid) MANTYPE=man @@ -482,10 +500,10 @@ AC_CHECK_HEADERS(bstring.h crypt.h endian.h features.h floatingpoint.h \ netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \ rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \ - sys/cdefs.h sys/mman.h sys/pstat.h sys/ptms.h sys/select.h sys/stat.h \ - sys/stream.h sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \ - sys/un.h time.h tmpdir.h ttyent.h usersec.h \ - util.h utime.h utmp.h utmpx.h vis.h) + sys/cdefs.h sys/mman.h sys/prctl.h sys/pstat.h sys/ptms.h \ + sys/select.h sys/stat.h sys/stream.h sys/stropts.h \ + sys/sysmacros.h sys/time.h sys/timers.h sys/un.h time.h tmpdir.h \ + ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h) # Checks for libraries. AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match)) @@ -865,6 +883,15 @@ int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); } AC_MSG_RESULT(no) AC_MSG_ERROR([** Incomplete or missing s/key libraries.]) ]) + AC_MSG_CHECKING(if skeychallenge takes 4 arguments) + AC_TRY_COMPILE( + [#include + #include ], + [(void)skeychallenge(NULL,"name","",0);], + [AC_MSG_RESULT(yes) + AC_DEFINE(SKEYCHALLENGE_4ARG)], + [AC_MSG_RESULT(no)] + ) fi ] ) @@ -904,6 +931,9 @@ AC_ARG_WITH(tcp-wrappers, AC_MSG_CHECKING(for libwrap) AC_TRY_LINK( [ +#include +#include +#include #include int deny_severity = 0, allow_severity = 0; ], @@ -931,12 +961,12 @@ AC_CHECK_FUNCS(\ getpeereid _getpty getrlimit getttyent glob inet_aton \ inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \ mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \ - pstat readpassphrase realpath recvmsg rresvport_af sendmsg \ + pstat prctl readpassphrase realpath recvmsg rresvport_af sendmsg \ setdtablesize setegid setenv seteuid setgroups setlogin setpcred \ setproctitle setregid setreuid setrlimit \ setsid setvbuf sigaction sigvec snprintf socketpair strerror \ strlcat strlcpy strmode strnvis strtoul sysconf tcgetpgrp \ - truncate updwtmpx utimes vhangup vsnprintf waitpid \ + truncate unsetenv updwtmpx utimes vhangup vsnprintf waitpid \ ) # IRIX has a const char return value for gai_strerror() @@ -1104,6 +1134,74 @@ main() ) fi +if test "x$ac_cv_func_getaddrinfo" = "xyes" -a "x$check_for_hpux_broken_getaddrinfo" = "x1"; then + AC_MSG_CHECKING(if getaddrinfo seems to work) + AC_TRY_RUN( + [ +#include +#include +#include +#include +#include + +#define TEST_PORT "2222" + +int +main(void) +{ + int err, sock; + struct addrinfo *gai_ai, *ai, hints; + char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE; + + err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai); + if (err != 0) { + fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err)); + exit(1); + } + + for (ai = gai_ai; ai != NULL; ai = ai->ai_next) { + if (ai->ai_family != AF_INET6) + continue; + + err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, + sizeof(ntop), strport, sizeof(strport), + NI_NUMERICHOST|NI_NUMERICSERV); + + if (err != 0) { + if (err == EAI_SYSTEM) + perror("getnameinfo EAI_SYSTEM"); + else + fprintf(stderr, "getnameinfo failed: %s\n", + gai_strerror(err)); + exit(2); + } + + sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); + if (sock < 0) + perror("socket"); + if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { + if (errno == EBADF) + exit(3); + } + } + exit(0); +} + ], + [ + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + AC_DEFINE(BROKEN_GETADDRINFO) + ] + ) +fi + AC_FUNC_GETPGRP # Check for PAM libs @@ -2310,6 +2408,7 @@ AC_ARG_WITH(kerberos5, LIBS="$LIBS $K5LIBS" AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS)) + AC_SEARCH_LIBS(krb5_init_ets, $K5LIBS, AC_DEFINE(KRB5_INIT_ETS)) ] ) diff --git a/openssh/defines.h b/openssh/defines.h index 3d6b688..889b918 100644 --- a/openssh/defines.h +++ b/openssh/defines.h @@ -507,6 +507,10 @@ struct winsize { # undef HAVE_GAI_STRERROR #endif +#if defined(BROKEN_UPDWTMPX) && defined(HAVE_UPDWTMPX) +# undef HAVE_UPDWTMPX +#endif + #if !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) # define memmove(s1, s2, n) bcopy((s2), (s1), (n)) #endif /* !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) */ @@ -534,6 +538,12 @@ struct winsize { # define krb5_get_err_text(context,code) error_message(code) #endif +#if defined(SKEYCHALLENGE_4ARG) +# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c,d) +#else +# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c) +#endif + /* Maximum number of file descriptors available */ #ifdef HAVE_SYSCONF # define SSH_SYSFDMAX sysconf(_SC_OPEN_MAX) @@ -611,11 +621,22 @@ struct winsize { #endif +#ifndef UT_LINESIZE +# define UT_LINESIZE 8 +#endif + /* I hope that the presence of LASTLOG_FILE is enough to detect this */ #if defined(LASTLOG_FILE) && !defined(DISABLE_LASTLOG) # define USE_LASTLOG #endif +#ifdef HAVE_OSF_SIA +# ifdef USE_SHADOW +# undef USE_SHADOW +# endif +# define CUSTOM_SYS_AUTH_PASSWD 1 +#endif + /** end of login recorder definitions */ #endif /* _DEFINES_H */ diff --git a/openssh/gss-serv-krb5.c b/openssh/gss-serv-krb5.c index 769e88b..485ecd6 100644 --- a/openssh/gss-serv-krb5.c +++ b/openssh/gss-serv-krb5.c @@ -89,7 +89,9 @@ ssh_gssapi_krb5_init() logit("Cannot initialize krb5 context"); return 0; } +#ifdef KRB5_INIT_ETS krb5_init_ets(krb_context); +#endif return 1; } diff --git a/openssh/monitor.c b/openssh/monitor.c index b432050..99379b9 100644 --- a/openssh/monitor.c +++ b/openssh/monitor.c @@ -37,7 +37,13 @@ RCSID("$OpenBSD: monitor.c,v 1.55 2004/02/05 05:37:17 dtucker Exp $"); #include "auth.h" #include "kex.h" #include "dh.h" +#ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */ +#undef TARGET_OS_MAC #include "zlib.h" +#define TARGET_OS_MAC 1 +#else +#include "zlib.h" +#endif #include "packet.h" #include "auth-options.h" #include "sshpty.h" @@ -781,7 +787,8 @@ mm_answer_skeyquery(int socket, Buffer *m) char challenge[1024]; u_int success; - success = skeychallenge(&skey, authctxt->user, challenge) < 0 ? 0 : 1; + success = _compat_skeychallenge(&skey, authctxt->user, challenge, + sizeof(challenge)) < 0 ? 0 : 1; buffer_clear(m); buffer_put_int(m, success); @@ -825,16 +832,10 @@ mm_answer_skeyrespond(int socket, Buffer *m) int mm_answer_pam_start(int socket, Buffer *m) { - char *user; - if (!options.use_pam) fatal("UsePAM not set, but ended up in %s anyway", __func__); - user = buffer_get_string(m, NULL); - - start_pam(user); - - xfree(user); + start_pam(authctxt); monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1); diff --git a/openssh/monitor_wrap.c b/openssh/monitor_wrap.c index 567c9c6..77b3cac 100644 --- a/openssh/monitor_wrap.c +++ b/openssh/monitor_wrap.c @@ -40,7 +40,13 @@ RCSID("$OpenBSD: monitor_wrap.c,v 1.35 2003/11/17 11:06:07 markus Exp $"); #include "packet.h" #include "mac.h" #include "log.h" +#ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */ +#undef TARGET_OS_MAC #include "zlib.h" +#define TARGET_OS_MAC 1 +#else +#include "zlib.h" +#endif #include "monitor.h" #include "monitor_wrap.h" #include "xmalloc.h" @@ -686,7 +692,7 @@ mm_session_pty_cleanup2(Session *s) #ifdef USE_PAM void -mm_start_pam(char *user) +mm_start_pam(Authctxt *authctxt) { Buffer m; @@ -695,8 +701,6 @@ mm_start_pam(char *user) fatal("UsePAM=no, but ended up in %s anyway", __func__); buffer_init(&m); - buffer_put_cstring(&m, user); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, &m); buffer_free(&m); diff --git a/openssh/monitor_wrap.h b/openssh/monitor_wrap.h index c4e8f30..6874984 100644 --- a/openssh/monitor_wrap.h +++ b/openssh/monitor_wrap.h @@ -72,7 +72,7 @@ char *mm_ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *maj, OM_uint32 *min); #endif #ifdef USE_PAM -void mm_start_pam(char *); +void mm_start_pam(struct Authctxt *); u_int mm_do_pam_account(void); void *mm_sshpam_init_ctx(struct Authctxt *); int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **); diff --git a/openssh/openbsd-compat/bsd-misc.h b/openssh/openbsd-compat/bsd-misc.h index aabc395..f746653 100644 --- a/openssh/openbsd-compat/bsd-misc.h +++ b/openssh/openbsd-compat/bsd-misc.h @@ -89,6 +89,10 @@ pid_t tcgetpgrp(int); int tcsendbreak(int, int); #endif +#ifndef HAVE_UNSETENV +void unsetenv(const char *); +#endif + /* wrapper for signal interface */ typedef void (*mysig_t)(int); mysig_t mysignal(int sig, mysig_t act); diff --git a/openssh/openbsd-compat/fake-rfc2553.h b/openssh/openbsd-compat/fake-rfc2553.h index 47b790f..0928ef7 100644 --- a/openssh/openbsd-compat/fake-rfc2553.h +++ b/openssh/openbsd-compat/fake-rfc2553.h @@ -133,6 +133,9 @@ struct addrinfo { #endif /* !HAVE_STRUCT_ADDRINFO */ #ifndef HAVE_GETADDRINFO +#ifdef getaddrinfo +# undef getaddrinfo +#endif #define getaddrinfo(a,b,c,d) (ssh_getaddrinfo(a,b,c,d)) int getaddrinfo(const char *, const char *, const struct addrinfo *, struct addrinfo **); diff --git a/openssh/openbsd-compat/xcrypt.c b/openssh/openbsd-compat/xcrypt.c index a0fe6c6..c3cea3c 100644 --- a/openssh/openbsd-compat/xcrypt.c +++ b/openssh/openbsd-compat/xcrypt.c @@ -24,8 +24,6 @@ #include "includes.h" -#if !defined(HAVE_OSF_SIA) - # ifdef HAVE_CRYPT_H # include # endif @@ -108,5 +106,3 @@ shadow_pw(struct passwd *pw) return pw_password; } - -#endif /* !defined(HAVE_OSF_SIA) */ diff --git a/openssh/readconf.c b/openssh/readconf.c index b2278e3..a51848e 100644 --- a/openssh/readconf.c +++ b/openssh/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.127 2003/12/16 15:49:51 markus Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.128 2004/03/05 10:53:58 markus Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -105,7 +105,7 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssKeyEx, oGssDelegateCreds, - oServerAliveInterval, oServerAliveCountMax, + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oDeprecated, oUnsupported } OpCodes; @@ -149,6 +149,7 @@ static struct { { "usersh", oDeprecated }, { "identityfile", oIdentityFile }, { "identityfile2", oIdentityFile }, /* alias */ + { "identitiesonly", oIdentitiesOnly }, { "hostname", oHostName }, { "hostkeyalias", oHostKeyAlias }, { "proxycommand", oProxyCommand }, @@ -742,6 +743,10 @@ parse_int: intptr = &options->enable_ssh_keysign; goto parse_flag; + case oIdentitiesOnly: + intptr = &options->identities_only; + goto parse_flag; + case oServerAliveInterval: intptr = &options->server_alive_interval; goto parse_time; @@ -876,6 +881,7 @@ initialize_options(Options * options) options->smartcard_device = NULL; options->enable_ssh_keysign = - 1; options->no_host_authentication_for_localhost = - 1; + options->identities_only = - 1; options->rekey_limit = - 1; options->verify_host_key_dns = -1; options->server_alive_interval = -1; @@ -990,6 +996,8 @@ fill_default_options(Options * options) clear_forwardings(options); if (options->no_host_authentication_for_localhost == - 1) options->no_host_authentication_for_localhost = 0; + if (options->identities_only == -1) + options->identities_only = 0; if (options->enable_ssh_keysign == -1) options->enable_ssh_keysign = 0; if (options->rekey_limit == -1) diff --git a/openssh/readconf.h b/openssh/readconf.h index d0ac671..091d533 100644 --- a/openssh/readconf.h +++ b/openssh/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.59 2003/12/16 15:49:51 markus Exp $ */ +/* $OpenBSD: readconf.h,v 1.60 2004/03/05 10:53:58 markus Exp $ */ /* * Author: Tatu Ylonen @@ -103,6 +103,7 @@ typedef struct { int enable_ssh_keysign; int rekey_limit; int no_host_authentication_for_localhost; + int identities_only; int server_alive_interval; int server_alive_count_max; } Options; diff --git a/openssh/session.c b/openssh/session.c index 1fe3a25..1b9ddcf 100644 --- a/openssh/session.c +++ b/openssh/session.c @@ -206,6 +206,7 @@ display_loginmsg(void) printf("%s\n", (char *)buffer_ptr(&loginmsg)); buffer_clear(&loginmsg); } + fflush(stdout); } void @@ -511,6 +512,13 @@ do_exec_no_pty(Session *s, const char *command) close(inout[0]); close(err[0]); + /* + * Clear loginmsg, since it's the child's responsibility to display + * it to the user, otherwise multiple sessions may accumulate + * multiple copies of the login messages. + */ + buffer_clear(&loginmsg); + /* * Enter the interactive session. Note: server_loop must be able to * handle the case that fdin and fdout are the same. @@ -1239,9 +1247,9 @@ do_setup_env(Session *s, const char *shell) } #endif #ifdef KRB5 - if (s->authctxt->krb5_ticket_file) + if (s->authctxt->krb5_ccname) child_set_env(&env, &envsize, "KRB5CCNAME", - s->authctxt->krb5_ticket_file); + s->authctxt->krb5_ccname); #endif #ifdef USE_PAM /* diff --git a/openssh/ssh-agent.c b/openssh/ssh-agent.c index e5232fc..f5fce6b 100644 --- a/openssh/ssh-agent.c +++ b/openssh/ssh-agent.c @@ -57,6 +57,10 @@ RCSID("$OpenBSD: ssh-agent.c,v 1.117 2003/12/02 17:01:15 markus Exp $"); #include "scard.h" #endif +#if defined(HAVE_SYS_PRCTL_H) +#include /* For prctl() and PR_SET_DUMPABLE */ +#endif + typedef enum { AUTH_UNUSED, AUTH_SOCKET, @@ -1023,6 +1027,11 @@ main(int ac, char **av) setegid(getgid()); setgid(getgid()); +#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) + /* Disable ptrace on Linux without sgid bit */ + prctl(PR_SET_DUMPABLE, 0); +#endif + SSLeay_add_all_algorithms(); __progname = ssh_get_progname(av[0]); diff --git a/openssh/ssh-keyscan.c b/openssh/ssh-keyscan.c index 68b6a0a..266b23c 100644 --- a/openssh/ssh-keyscan.c +++ b/openssh/ssh-keyscan.c @@ -7,7 +7,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keyscan.c,v 1.46 2003/11/23 23:17:34 djm Exp $"); +RCSID("$OpenBSD: ssh-keyscan.c,v 1.47 2004/03/08 09:38:05 djm Exp $"); #include "openbsd-compat/sys-queue.h" @@ -489,7 +489,7 @@ conrecycle(int s) static void congreet(int s) { - int remote_major, remote_minor, n = 0; + int remote_major = 0, remote_minor = 0, n = 0; char buf[256], *cp; char remote_version[sizeof buf]; size_t bufsiz; diff --git a/openssh/ssh.1 b/openssh/ssh.1 index e2cd5d3..31eb66c 100644 --- a/openssh/ssh.1 +++ b/openssh/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.181 2003/12/16 15:49:51 markus Exp $ +.\" $OpenBSD: ssh.1,v 1.182 2004/03/05 10:53:58 markus Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -634,6 +634,7 @@ For full details of the options listed below, and their possible values, see .It HostKeyAlias .It HostName .It IdentityFile +.It IdentitiesOnly .It LocalForward .It LogLevel .It MACs diff --git a/openssh/ssh.c b/openssh/ssh.c index a229db1..539ba7f 100644 --- a/openssh/ssh.c +++ b/openssh/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.206 2003/12/16 15:49:51 markus Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.209 2004/03/11 10:21:17 markus Exp $"); #include #include @@ -146,49 +146,12 @@ pid_t proxy_command_pid = 0; static void usage(void) { - fprintf(stderr, "Usage: %s [options] host [command]\n", __progname); - fprintf(stderr, "Options:\n"); - fprintf(stderr, " -l user Log in using this user name.\n"); - fprintf(stderr, " -n Redirect input from " _PATH_DEVNULL ".\n"); - fprintf(stderr, " -F config Config file (default: ~/%s).\n", - _PATH_SSH_USER_CONFFILE); - fprintf(stderr, " -A Enable authentication agent forwarding.\n"); - fprintf(stderr, " -a Disable authentication agent forwarding (default).\n"); - fprintf(stderr, " -X Enable X11 connection forwarding.\n"); - fprintf(stderr, " -Y Enable trusted X11 connection forwarding.\n"); - fprintf(stderr, " -x Disable X11 connection forwarding (default).\n"); - fprintf(stderr, " -i file Identity for public key authentication " - "(default: ~/.ssh/identity)\n"); -#ifdef SMARTCARD - fprintf(stderr, " -I reader Set smartcard reader.\n"); -#endif - fprintf(stderr, " -t Tty; allocate a tty even if command is given.\n"); - fprintf(stderr, " -T Do not allocate a tty.\n"); - fprintf(stderr, " -v Verbose; display verbose debugging messages.\n"); - fprintf(stderr, " Multiple -v increases verbosity.\n"); - fprintf(stderr, " -V Display version number only.\n"); - fprintf(stderr, " -q Quiet; don't display any warning messages.\n"); - fprintf(stderr, " -f Fork into background after authentication.\n"); - fprintf(stderr, " -e char Set escape character; ``none'' = disable (default: ~).\n"); - - fprintf(stderr, " -c cipher Select encryption algorithm\n"); - fprintf(stderr, " -m macs Specify MAC algorithms for protocol version 2.\n"); - fprintf(stderr, " -p port Connect to this port. Server must be on the same port.\n"); - fprintf(stderr, " -L listen-port:host:port Forward local port to remote address\n"); - fprintf(stderr, " -R listen-port:host:port Forward remote port to local address\n"); - fprintf(stderr, " These cause %s to listen for connections on a port, and\n", __progname); - fprintf(stderr, " forward them to the other side by connecting to host:port.\n"); - fprintf(stderr, " -D port Enable dynamic application-level port forwarding.\n"); - fprintf(stderr, " -C Enable compression.\n"); - fprintf(stderr, " -N Do not execute a shell or command.\n"); - fprintf(stderr, " -g Allow remote hosts to connect to forwarded ports.\n"); - fprintf(stderr, " -1 Force protocol version 1.\n"); - fprintf(stderr, " -2 Force protocol version 2.\n"); - fprintf(stderr, " -4 Use IPv4 only.\n"); - fprintf(stderr, " -6 Use IPv6 only.\n"); - fprintf(stderr, " -o 'option' Process the option as if it was read from a configuration file.\n"); - fprintf(stderr, " -s Invoke command (mandatory) as SSH2 subsystem.\n"); - fprintf(stderr, " -b addr Local IP address.\n"); + fprintf(stderr, +"usage: ssh [-1246AaCfghkNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n" +" [-D port] [-e escape_char] [-F configfile] [-i identity_file]\n" +" [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option]\n" +" [-p port] [-R port:host:hostport] [user@]hostname [command]\n" + ); exit(1); } @@ -347,12 +310,8 @@ again: } /* fallthrough */ case 'V': - fprintf(stderr, - "%s, SSH protocols %d.%d/%d.%d, %s\n", - SSH_VERSION, - PROTOCOL_MAJOR_1, PROTOCOL_MINOR_1, - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, - SSLeay_version(SSLEAY_VERSION)); + fprintf(stderr, "%s, %s\n", + SSH_VERSION, SSLeay_version(SSLEAY_VERSION)); if (opt == 'V') exit(0); break; @@ -803,7 +762,7 @@ x11_get_proto(char **_proto, char **_data) xauthdir); snprintf(cmd, sizeof(cmd), "%s -f %s generate %s " SSH_X11_PROTO - " untrusted timeout 120 2>" _PATH_DEVNULL, + " untrusted timeout 1200 2>" _PATH_DEVNULL, options.xauth_location, xauthfile, display); debug2("x11_get_proto: %s", cmd); if (system(cmd) == 0) diff --git a/openssh/ssh_config.5 b/openssh/ssh_config.5 index 95c3fe2..a5be8f5 100644 --- a/openssh/ssh_config.5 +++ b/openssh/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.28 2003/12/16 15:49:51 markus Exp $ +.\" $OpenBSD: ssh_config.5,v 1.29 2004/03/05 10:53:58 markus Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -418,6 +418,24 @@ syntax to refer to a user's home directory. It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence. +.It Cm IdentitiesOnly +Specifies that +.Nm ssh +should only use the authentication identity files configured in the +.Nm +files, +even if the +.Nm ssh-agent +offers more identities. +The argument to this keyword must be +.Dq yes +or +.Dq no . +This option is intented for situations where +.Nm ssh-agent +offers many different identities. +The default is +.Dq no . .It Cm LocalForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. diff --git a/openssh/sshconnect2.c b/openssh/sshconnect2.c index 4da1990..bb69171 100644 --- a/openssh/sshconnect2.c +++ b/openssh/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.134 2004/01/19 21:25:15 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.135 2004/03/05 10:53:58 markus Exp $"); #include "openbsd-compat/sys-queue.h" @@ -1147,7 +1147,7 @@ pubkey_prepare(Authctxt *authctxt) break; } } - if (!found) { + if (!found && !options.identities_only) { id = xmalloc(sizeof(*id)); memset(id, 0, sizeof(*id)); id->key = key; diff --git a/openssh/sshd.c b/openssh/sshd.c index 2e8a4c2..f5d8d68 100644 --- a/openssh/sshd.c +++ b/openssh/sshd.c @@ -42,7 +42,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.286 2004/02/23 12:02:33 markus Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.290 2004/03/11 10:21:17 markus Exp $"); #include #include @@ -110,7 +110,6 @@ extern char *__progname; #else char *__progname; #endif -extern char **environ; /* Server configuration options. */ ServerOptions options; @@ -577,7 +576,7 @@ privsep_preauth_child(void) debug3("privsep user:group %u:%u", (u_int)pw->pw_uid, (u_int)pw->pw_gid); #if 0 - /* XXX not ready, to heavy after chroot */ + /* XXX not ready, too heavy after chroot */ do_setusercontext(pw); #else gidset[0] = pw->pw_gid; @@ -773,26 +772,12 @@ drop_connection(int startups) static void usage(void) { - fprintf(stderr, "sshd version %s, %s\n", + fprintf(stderr, "%s, %s\n", SSH_VERSION, SSLeay_version(SSLEAY_VERSION)); - fprintf(stderr, "Usage: %s [options]\n", __progname); - fprintf(stderr, "Options:\n"); - fprintf(stderr, " -f file Configuration file (default %s)\n", _PATH_SERVER_CONFIG_FILE); - fprintf(stderr, " -d Debugging mode (multiple -d means more debugging)\n"); - fprintf(stderr, " -i Started from inetd\n"); - fprintf(stderr, " -D Do not fork into daemon mode\n"); - fprintf(stderr, " -t Only test configuration file and keys\n"); - fprintf(stderr, " -q Quiet (no logging)\n"); - fprintf(stderr, " -p port Listen on the specified port (default: 22)\n"); - fprintf(stderr, " -k seconds Regenerate server key every this many seconds (default: 3600)\n"); - fprintf(stderr, " -g seconds Grace period for authentication (default: 600)\n"); - fprintf(stderr, " -b bits Size of server RSA key (default: 768 bits)\n"); - fprintf(stderr, " -h file File from which to read host key (default: %s)\n", - _PATH_HOST_KEY_FILE); - fprintf(stderr, " -u len Maximum hostname length for utmp recording\n"); - fprintf(stderr, " -4 Use IPv4 only\n"); - fprintf(stderr, " -6 Use IPv6 only\n"); - fprintf(stderr, " -o option Process the option as if it was read from a configuration file.\n"); + fprintf(stderr, +"usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]\n" +" [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]\n" + ); exit(1); } @@ -841,6 +826,9 @@ main(int ac, char **av) av = saved_argv; #endif + if (geteuid() == 0 && setgroups(0, NULL) == -1) + debug("setgroups(): %.200s", strerror(errno)); + /* Initialize configuration options to their default values. */ initialize_server_options(&options); @@ -949,6 +937,13 @@ main(int ac, char **av) SYSLOG_FACILITY_AUTH : options.log_facility, log_stderr || !inetd_flag); +#ifdef _AIX + /* + * Unset KRB5CCNAME, otherwise the user's session may inherit it from + * root's environment + */ + unsetenv("KRB5CCNAME"); +#endif /* _AIX */ #ifdef _UNICOS /* Cray can define user privs drop all prives now! * Not needed on PRIV_SU systems! @@ -1118,13 +1113,6 @@ main(int ac, char **av) unmounted if desired. */ chdir("/"); -#ifndef HAVE_CYGWIN -#ifndef GSI /* GSI gets configuration from environment! */ - /* Clear environment */ - environ[0] = NULL; -#endif -#endif - /* ignore SIGPIPE */ signal(SIGPIPE, SIG_IGN); @@ -1403,6 +1391,7 @@ main(int ac, char **av) } /* This is the child processing a new connection. */ + setproctitle("%s", "[accepted]"); /* * Create a new session and process group since the 4.4BSD diff --git a/openssh/sshd_config.5 b/openssh/sshd_config.5 index 168fd23..c53480d 100644 --- a/openssh/sshd_config.5 +++ b/openssh/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.28 2004/02/17 19:35:21 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.29 2004/03/08 10:18:57 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -312,6 +312,11 @@ To use this option, the server needs a Kerberos servtab which allows the verification of the KDC's identity. Default is .Dq no . +.It Cm KerberosGetAFSToken +If AFS is active and the user has a Kerberos 5 TGT, attempt to aquire +an AFS token before accessing the user's home directory. +Default is +.Dq no . .It Cm KerberosOrLocalPasswd If set then if password authentication through Kerberos fails then the password will be validated via any additional local mechanism @@ -441,7 +446,9 @@ The default is .Pp If this option is set to .Dq without-password -password authentication is disabled for root. +password authentication is disabled for root. Note that other authentication +methods (e.g., keyboard-interactive/PAM) may still allow root to login using +a password. .Pp If this option is set to .Dq forced-commands-only diff --git a/openssh/version.h b/openssh/version.h index 39002e3..ca56a7d 100644 --- a/openssh/version.h +++ b/openssh/version.h @@ -1,4 +1,4 @@ -/* $OpenBSD: version.h,v 1.40 2004/02/23 15:16:46 markus Exp $ */ +/* $OpenBSD: version.h,v 1.41 2004/03/20 10:40:59 markus Exp $ */ #ifdef GSI #define GSI_VERSION " GSI" @@ -18,6 +18,6 @@ #define MGLUE_VERSION "" #endif -#define SSH_VERSION "OpenSSH_3.8p1" \ +#define SSH_VERSION "OpenSSH_3.8.1p1" \ " NCSA_GSSAPI_20040423" \ GSI_VERSION KRB5_VERSION MGLUE_VERSION -- 2.45.1