From 8b32eddc967aaf168381bd0552cafc7fd3b6fad6 Mon Sep 17 00:00:00 2001
From: jbasney
Date: Thu, 26 May 2005 19:49:24 +0000
Subject: [PATCH] merged OpenSSH 4.1p1 to trunk
---
openssh/auth-pam.c | 20 ++-
openssh/auth.c | 5 +-
openssh/auth.h | 4 +
openssh/canohost.c | 2 +
openssh/configure.ac | 199 ++++++++++++++++++------
openssh/contrib/aix/buildbff.sh | 2 +-
openssh/log.c | 1 +
openssh/misc.c | 8 +-
openssh/monitor.c | 8 +-
openssh/openbsd-compat/port-aix.c | 4 +-
openssh/openbsd-compat/port-aix.h | 2 +
openssh/readconf.c | 10 +-
openssh/servconf.c | 4 +-
openssh/session.c | 3 +-
openssh/ssh.c | 12 +-
openssh/ssh_config.5 | 46 +++----
openssh/sshd.c | 2 +
openssh/sshd_config.5 | 4 +-
openssh/version.h | 4 +-
19 files changed, 198 insertions(+), 142 deletions(-)
diff --git a/openssh/auth-pam.c b/openssh/auth-pam.c
index 0b79f3a..e1b8e78 100644
--- a/openssh/auth-pam.c
+++ b/openssh/auth-pam.c
@@ -76,7 +76,17 @@ extern Buffer loginmsg;
 extern int compat20;
 extern u_int utmp_len;
+/* so we don't silently change behaviour */
 #ifdef USE_POSIX_THREADS
+# error "USE_POSIX_THREADS replaced by UNSUPPORTED_POSIX_THREADS_HACK"
+#endif
+
+/*
+ * Formerly known as USE_POSIX_THREADS, using this is completely unsupported
+ * and generally a bad idea. Use at own risk and do not expect support if
+ * this breaks.
+ */
+#ifdef UNSUPPORTED_POSIX_THREADS_HACK
 #include
 /*
  * Avoid namespace clash when *not* using pthreads for systems *with*
@@ -98,7 +108,7 @@ struct pam_ctxt {
 static void sshpam_free_ctx(void *);
 static struct pam_ctxt *cleanup_ctxt;
-#ifndef USE_POSIX_THREADS
+#ifndef UNSUPPORTED_POSIX_THREADS_HACK
 /*
  * Simulate threads with processes.
  */
@@ -255,7 +265,7 @@ import_environments(Buffer *b)
 debug3("PAM: %s entering", __func__);
-#ifndef USE_POSIX_THREADS
+#ifndef UNSUPPORTED_POSIX_THREADS_HACK
 /* Import variables set by do_pam_account */
 sshpam_account_status = buffer_get_int(b);
 sshpam_password_change_required(buffer_get_int(b));
@@ -384,7 +394,7 @@ sshpam_thread(void *ctxtp)
 struct pam_conv sshpam_conv;
 int flags = (options.permit_empty_passwd == 0 ?
 PAM_DISALLOW_NULL_AUTHTOK : 0);
-#ifndef USE_POSIX_THREADS
+#ifndef UNSUPPORTED_POSIX_THREADS_HACK
 extern char **environ;
 char **env_from_pam;
 u_int i;
@@ -428,7 +438,7 @@ sshpam_thread(void *ctxtp)
 buffer_put_cstring(&buffer, "OK");
-#ifndef USE_POSIX_THREADS
+#ifndef UNSUPPORTED_POSIX_THREADS_HACK
 /* Export variables set by do_pam_account */
 buffer_put_int(&buffer, sshpam_account_status);
 buffer_put_int(&buffer, sshpam_authctxt->force_pwchange);
@@ -447,7 +457,7 @@ sshpam_thread(void *ctxtp)
 buffer_put_int(&buffer, i);
 for(i = 0; env_from_pam != NULL && env_from_pam[i] != NULL; i++)
 buffer_put_cstring(&buffer, env_from_pam[i]);
-#endif /* USE_POSIX_THREADS */
+#endif /* UNSUPPORTED_POSIX_THREADS_HACK */
 /* XXX - can't do much about an error here */
 ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
diff --git a/openssh/auth.c b/openssh/auth.c
index 70bf48a..594ccce 100644
--- a/openssh/auth.c
+++ b/openssh/auth.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.57 2005/01/22 08:17:59 dtucker Exp $");
+RCSID("$OpenBSD: auth.c,v 1.58 2005/03/14 11:44:42 dtucker Exp $");
 #ifdef HAVE_LOGIN_H
 #include
@@ -145,7 +145,8 @@ allowed_user(struct passwd * pw)
 return 0;
 }
- if (options.num_deny_users > 0 || options.num_allow_users > 0) {
+ if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
+ options.num_deny_groups > 0 || options.num_allow_groups > 0) {
 hostname = get_canonical_hostname(options.use_dns);
 ipaddr = get_remote_ipaddr();
 }
diff --git a/openssh/auth.h b/openssh/auth.h
index 635233b..0159f89 100644
--- a/openssh/auth.h
+++ b/openssh/auth.h
@@ -30,6 +30,7 @@
 #include "key.h"
 #include "hostfile.h"
+#include "buffer.h"
 #include
 #ifdef HAVE_LOGIN_CAP
@@ -74,6 +75,7 @@ struct Authctxt {
 #ifdef SESSION_HOOKS
 char *session_env_file;
 #endif
+ Buffer *loginmsg;
 void *methoddata;
 };
 /*
@@ -191,6 +193,8 @@ void auth_debug_reset(void);
 struct passwd *fakepw(void);
+int sys_auth_passwd(Authctxt *, const char *);
+
 #define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
 #define SKEY_PROMPT "\nS/Key Password: "
diff --git a/openssh/canohost.c b/openssh/canohost.c
index 3b672bd..803ccaf 100644
--- a/openssh/canohost.c
+++ b/openssh/canohost.c
@@ -251,6 +251,8 @@ get_socket_address(int sock, int remote, int flags)
 if (addr.ss_family == AF_INET6)
 addrlen = sizeof(struct sockaddr_in6);
+ ipv64_normalise_mapped(&addr, &addrlen);
+
 /* Get the address in ascii. */
 if ((r = getnameinfo((struct sockaddr *)&addr, addrlen,
 ntop, sizeof(ntop), NULL, 0, flags)) != 0) {
diff --git a/openssh/configure.ac b/openssh/configure.ac
index 6dd54d5..f9620af 100644
--- a/openssh/configure.ac
+++ b/openssh/configure.ac
@@ -75,7 +75,7 @@ if test -z "$LD" ; then
 LD=$CC
 fi
 AC_SUBST(LD)
-
+
 AC_C_INLINE
 if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
 CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wno-uninitialized"
@@ -84,7 +84,7 @@ fi
 AC_ARG_WITH(rpath,
 [ --without-rpath Disable auto-added -R linker paths],
 [
- if test "x$withval" = "xno" ; then
+ if test "x$withval" = "xno" ; then
 need_dash_r=""
 fi
 if test "x$withval" = "xyes" ; then
@@ -123,7 +123,7 @@ case "$host" in
 ])
 dnl Check for various auth function declarations in headers.
 AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
- passwdexpired], , , [#include ])
+ passwdexpired, setauthdb], , , [#include ])
 dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
 AC_CHECK_DECLS(loginfailed,
 [AC_MSG_CHECKING(if loginfailed takes 4 arguments)
@@ -265,7 +265,7 @@ mips-sony-bsd|mips-sony-newsos4)
 ;;
 *-*-netbsd*)
 check_for_libcrypt_before=1
- if test "x$withval" != "xno" ; then
+ if test "x$withval" != "xno" ; then
 need_dash_r=1
 fi
 ;;
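Review bot: The new `ipv64_normalise_mapped(&addr, &addrlen);` call in get_socket_address carries no comment, and the reason it sits before getnameinfo() is security-relevant: an IPv4 peer arriving on a dual-stack IPv6 socket would otherwise be rendered as `::ffff:a.b.c.d`, which does not match address-based rules written for `a.b.c.d`. Suggest `/* Rewrite IPv4-mapped IPv6 addresses to plain IPv4 so the textual form matches address-based access rules consistently */` above the call. The helper's definition is not in this diff, so confirm it also shrinks addrlen for the AF_INET case as its name implies; getnameinfo() is handed that length on the next lines. get_socket_address starts outside the hunk.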
@@ -288,7 +288,7 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(BROKEN_SAVED_UIDS) ;; *-*-solaris*) - if test "x$withval" != "xno" ; then + if test "x$withval" != "xno" ; then need_dash_r=1 fi AC_DEFINE(PAM_SUN_CODEBASE) @@ -352,6 +352,7 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(SETEUID_BREAKS_SETUID) AC_DEFINE(BROKEN_SETREUID) AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd]) ;; # UnixWare 7.x, OpenUNIX 8 *-*-sysv5*) @@ -359,6 +360,7 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(SETEUID_BREAKS_SETUID) AC_DEFINE(BROKEN_SETREUID) AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd]) ;; *-*-sysv*) ;; @@ -463,15 +465,17 @@ esac AC_ARG_WITH(cflags, [ --with-cflags Specify additional flags to pass to compiler], [ - if test "x$withval" != "xno" ; then + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then CFLAGS="$CFLAGS $withval" fi - ] + ] ) AC_ARG_WITH(cppflags, [ --with-cppflags Specify additional flags to pass to preprocessor] , [ - if test "x$withval" != "xno"; then + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then CPPFLAGS="$CPPFLAGS $withval" fi ] @@ -479,18 +483,20 @@ AC_ARG_WITH(cppflags, AC_ARG_WITH(ldflags, [ --with-ldflags Specify additional flags to pass to linker], [ - if test "x$withval" != "xno" ; then + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then LDFLAGS="$LDFLAGS $withval" fi - ] + ] ) AC_ARG_WITH(libs, [ --with-libs Specify additional libraries to link with], [ - if test "x$withval" != "xno" ; then + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then LIBS="$LIBS $withval" fi - ] + ] ) AC_MSG_CHECKING(compiler and flags for sanity) 
@@ -574,10 +580,9 @@ AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) dnl zlib is required AC_ARG_WITH(zlib, [ --with-zlib=PATH Use zlib in PATH], - [ - if test "x$withval" = "xno" ; then - AC_MSG_ERROR([*** zlib is required ***]) - fi + [ if test "x$withval" = "xno" ; then + AC_MSG_ERROR([*** zlib is required ***]) + elif test "x$withval" != "xyes"; then if test -d "$withval/lib"; then if test -n "${need_dash_r}"; then LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" @@ -596,7 +601,7 @@ AC_ARG_WITH(zlib, else CPPFLAGS="-I${withval} ${CPPFLAGS}" fi - ] + fi ] ) AC_CHECK_LIB(z, deflate, , 
@@ -629,29 +634,40 @@ AC_ARG_WITH(zlib-version-check, ] ) -AC_MSG_CHECKING(for zlib 1.1.4 or greater) +AC_MSG_CHECKING(for possibly buggy zlib) AC_RUN_IFELSE([AC_LANG_SOURCE([[ +#include #include int main() { - int a, b, c, v; - if (sscanf(ZLIB_VERSION, "%d.%d.%d", &a, &b, &c) != 3) + int a=0, b=0, c=0, d=0, n, v; + n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d); + if (n != 3 && n != 4) exit(1); - v = a*1000000 + b*1000 + c; - if (v >= 1001004) + v = a*1000000 + b*10000 + c*100 + d; + fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v); + + /* 1.1.4 is OK */ + if (a == 1 && b == 1 && c >= 4) exit(0); + + /* 1.2.1.2 and up are OK */ + if (v >= 1020102) + exit(0); + exit(2); } ]])], - AC_MSG_RESULT(yes), - [ AC_MSG_RESULT(no) + AC_MSG_RESULT(no), + [ AC_MSG_RESULT(yes) if test -z "$zlib_check_nonfatal" ; then AC_MSG_ERROR([*** zlib too old - check config.log *** Your reported zlib version has known security problems. It's possible your vendor has fixed these problems without changing the version number. If you are sure this is the case, you can disable the check by running "./configure --without-zlib-version-check". -If you are in doubt, upgrade zlib to version 1.1.4 or greater.]) +If you are in doubt, upgrade zlib to version 1.2.1.2 or greater. +See http://www.gzip.org/zlib/ for details.]) else AC_MSG_WARN([zlib version may have security problems]) fi @@ -721,7 +737,7 @@ int main(void){struct dirent d;exit(sizeof(d.d_name)<=sizeof(char));} AC_MSG_RESULT(no) AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME) ], - [ + [ AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME]) AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME) ] @@ -896,7 +912,7 @@ AC_ARG_WITH(skey, AC_DEFINE(SKEY) LIBS="-lskey $LIBS" SKEY_MSG="yes" - + AC_MSG_CHECKING([for s/key support]) AC_TRY_RUN( [ 
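Review bot: The zlib probe in the `@@ -629` hunk calls exit() as well as the new fprintf(), but the only header the change adds is, as far as the stripped include lines show, the one needed for fprintf(); if <stdlib.h> is still absent, exit() is implicitly declared, and a compiler that rejects that sends AC_RUN_IFELSE into its failure branch, which the new wording reports as a possibly buggy zlib and then aborts via AC_MSG_ERROR for the wrong reason. Add `#include <stdlib.h>` beside the new include. The version arithmetic itself looks right for the stated cases: 1.1.4 and later 1.1.x pass the first test, 1.2.0 and 1.2.1 encode below 1020102 and are rejected, and 1.2.1.2 and up pass.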
@@ -931,7 +947,8 @@ AC_ARG_WITH(tcp-wrappers, saved_LIBS="$LIBS" saved_LDFLAGS="$LDFLAGS" saved_CPPFLAGS="$CPPFLAGS" - if test -n "${withval}" -a "${withval}" != "yes"; then + if test -n "${withval}" && \ + test "x${withval}" != "xyes"; then if test -d "${withval}/lib"; then if test -n "${need_dash_r}"; then LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" @@ -983,13 +1000,18 @@ LIBEDIT_MSG="no" AC_ARG_WITH(libedit, [ --with-libedit[[=PATH]] Enable libedit support for sftp], [ if test "x$withval" != "xno" ; then + if test "x$withval" != "xyes"; then + CPPFLAGS="$CPPFLAGS -I$withval/include" + LDFLAGS="$LDFLAGS -L$withval/lib" + fi AC_CHECK_LIB(edit, el_init, [ AC_DEFINE(USE_LIBEDIT, [], [Use libedit for sftp]) LIBEDIT="-ledit -lcurses" LIBEDIT_MSG="yes" AC_SUBST(LIBEDIT) ], - [], [-lcurses] + [ AC_MSG_ERROR(libedit not found) ], + [ -lcurses ] ) fi ] ) @@ -1148,7 +1170,9 @@ if test "x$ac_cv_func_getpeereid" != "xyes" ; then [#include #include ], [int i = SO_PEERCRED;], - [AC_MSG_RESULT(yes)], + [ AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_SO_PEERCRED, [], [Have PEERCRED socket option]) + ], [AC_MSG_RESULT(no) NO_PEERCHECK=1] ) @@ -1227,7 +1251,8 @@ main() ) fi -if test "x$ac_cv_func_getaddrinfo" = "xyes" -a "x$check_for_hpux_broken_getaddrinfo" = "x1"; then +if test "x$ac_cv_func_getaddrinfo" = "xyes" && \ + test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then AC_MSG_CHECKING(if getaddrinfo seems to work) AC_TRY_RUN( [ @@ -1295,7 +1320,8 @@ main(void) ) fi -if test "x$ac_cv_func_getaddrinfo" = "xyes" -a "x$check_for_aix_broken_getaddrinfo" = "x1"; then +if test "x$ac_cv_func_getaddrinfo" = "xyes" && \ + test "x$check_for_aix_broken_getaddrinfo" = "x1"; then AC_MSG_CHECKING(if getaddrinfo seems to work) AC_TRY_RUN( [ 
@@ -1606,7 +1632,7 @@ int main(void) { exit(RAND_status() == 1 ? 0 : 1); } [ AC_MSG_WARN([cross compiling: assuming yes]) # This is safe, since all recent OpenSSL versions will - # complain at runtime if not seeded correctly. + # complain at runtime if not seeded correctly. OPENSSL_SEEDS_ITSELF=yes ] ) @@ -1628,10 +1654,10 @@ AC_ARG_WITH(rand-helper, USE_RAND_HELPER=yes fi ], -) +) # Which randomness source do we use? -if test ! -z "$OPENSSL_SEEDS_ITSELF" -a -z "$USE_RAND_HELPER" ; then +if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then # OpenSSL only AC_DEFINE(OPENSSL_PRNG_ONLY) RAND_MSG="OpenSSL internal ONLY" @@ -1721,10 +1747,11 @@ entropy_timeout=200 AC_ARG_WITH(entropy-timeout, [ --with-entropy-timeout Specify entropy gathering command timeout (msec)], [ - if test "x$withval" != "xno" ; then + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then entropy_timeout=$withval fi - ] + ] ) AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout) @@ -1732,10 +1759,11 @@ SSH_PRIVSEP_USER=sshd AC_ARG_WITH(privsep-user, [ --with-privsep-user=user Specify non-privileged user for privilege separation], [ - if test -n "$withval"; then + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then SSH_PRIVSEP_USER=$withval fi - ] + ] ) AC_DEFINE_UNQUOTED(SSH_PRIVSEP_USER, "$SSH_PRIVSEP_USER") AC_SUBST(SSH_PRIVSEP_USER) @@ -2169,9 +2197,9 @@ fi AC_CHECK_TYPES(struct timespec) # We need int64_t or else certian parts of the compile will fail. -if test "x$ac_cv_have_int64_t" = "xno" -a \ - "x$ac_cv_sizeof_long_int" != "x8" -a \ - "x$ac_cv_sizeof_long_long_int" = "x0" ; then +if test "x$ac_cv_have_int64_t" = "xno" && \ + test "x$ac_cv_sizeof_long_int" != "x8" && \ + test "x$ac_cv_sizeof_long_long_int" = "x0" ; then echo "OpenSSH requires int64_t support. Contact your vendor or install" echo "an alternative compiler (I.E., GCC) before continuing." echo "" 
@@ -2463,23 +2491,28 @@ AC_ARG_WITH(sectok,
 )
 # Check whether user wants OpenSC support
+OPENSC_CONFIG="no"
 AC_ARG_WITH(opensc,
- AC_HELP_STRING([--with-opensc=PFX],
- [Enable smartcard support using OpenSC]),
- opensc_config_prefix="$withval", opensc_config_prefix="")
-if test x$opensc_config_prefix != x ; then
- OPENSC_CONFIG=$opensc_config_prefix/bin/opensc-config
- AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no)
- if test "$OPENSC_CONFIG" != "no"; then
- LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags`
- LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs`
- CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
- LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS"
- AC_DEFINE(SMARTCARD)
- AC_DEFINE(USE_OPENSC)
- SCARD_MSG="yes, using OpenSC"
- fi
-fi
+ [--with-opensc[[=PFX]] Enable smartcard support using OpenSC (optionally in PATH)],
+ [
+ if test "x$withval" != "xno" ; then
+ if test "x$withval" != "xyes" ; then
+ OPENSC_CONFIG=$withval/bin/opensc-config
+ else
+ AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no)
+ fi
+ if test "$OPENSC_CONFIG" != "no"; then
+ LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags`
+ LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs`
+ CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
+ LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS"
+ AC_DEFINE(SMARTCARD)
+ AC_DEFINE(USE_OPENSC)
+ SCARD_MSG="yes, using OpenSC"
+ fi
+ fi
+ ]
+)
 # Check libraries needed by DNS fingerprint support
 AC_SEARCH_LIBS(getrrsetbyname, resolv,
@@ -2562,7 +2595,7 @@ AC_ARG_WITH(kerberos5,
 AC_DEFINE(HEIMDAL)
 K5LIBS="-lkrb5 -ldes"
 K5LIBS="$K5LIBS -lcom_err -lasn1"
- AC_CHECK_LIB(roken, net_write,
+ AC_CHECK_LIB(roken, net_write,
 [K5LIBS="$K5LIBS -lroken"])
 ],
 [ AC_MSG_RESULT(no)
@@ -2581,7 +2614,7 @@ AC_ARG_WITH(kerberos5,
 $K5LIBS)
 ],
 $K5LIBS)
-
+
 AC_CHECK_HEADER(gssapi.h, , [
 unset ac_cv_header_gssapi_h
 CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
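Review bot: With `--with-opensc=PFX` the new code sets `OPENSC_CONFIG=$withval/bin/opensc-config` and then only compares it against the literal `no`, so a wrong prefix is never noticed: the two backtick invocations fail, LIBOPENSC_CFLAGS and LIBOPENSC_LIBS end up empty, and SMARTCARD and USE_OPENSC are still defined, leaving the mistake to surface later as a link error. Check the file before using it, e.g. right after the assignment `if test ! -x "$OPENSC_CONFIG" ; then AC_MSG_ERROR([opensc-config not found at $OPENSC_CONFIG]); fi`, which matches how the libedit hunk earlier in this file now fails loudly when its library is missing. Only the explicit-prefix branch needs this; AC_PATH_PROG already yields `no` when nothing is found.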
@@ -2667,7 +2700,8 @@ PRIVSEP_PATH=/var/empty AC_ARG_WITH(privsep-path, [ --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)], [ - if test "x$withval" != "$no" ; then + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then PRIVSEP_PATH=$withval fi ] @@ -2677,7 +2711,8 @@ AC_SUBST(PRIVSEP_PATH) AC_ARG_WITH(xauth, [ --with-xauth=PATH Specify path to xauth program ], [ - if test "x$withval" != "xno" ; then + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then xauth_path=$withval fi ], @@ -2795,7 +2830,7 @@ AC_ARG_WITH(md5-passwords, AC_ARG_WITH(shadow, [ --without-shadow Disable shadow password support], [ - if test "x$withval" = "xno" ; then + if test "x$withval" = "xno" ; then AC_DEFINE(DISABLE_SHADOW) disable_shadow=yes fi @@ -2830,7 +2865,7 @@ else AC_ARG_WITH(ipaddr-display, [ --with-ipaddr-display Use ip address instead of hostname in \$DISPLAY], [ - if test "x$withval" != "xno" ; then + if test "x$withval" != "xno" ; then AC_DEFINE(IPADDR_IN_DISPLAY) DISPLAY_HACK_MSG="yes" fi @@ -2862,8 +2897,8 @@ if test "x$etc_default_login" != "xno"; then fi dnl BSD systems use /etc/login.conf so --with-default-path= has no effect -if test $ac_cv_func_login_getcapbool = "yes" -a \ - $ac_cv_header_login_cap_h = "yes" ; then +if test $ac_cv_func_login_getcapbool = "yes" && \ + test $ac_cv_header_login_cap_h = "yes" ; then external_path_file=/etc/login.conf fi @@ -2876,7 +2911,7 @@ AC_ARG_WITH(default-path, AC_MSG_WARN([ --with-default-path=PATH has no effect on this system. Edit /etc/login.conf instead.]) - elif test "x$withval" != "xno" ; then + elif test "x$withval" != "xno" ; then if test ! -z "$external_path_file" ; then AC_MSG_WARN([ --with-default-path=PATH will only be used if PATH is not defined in @@ -2917,11 +2952,11 @@ main() { FILE *fd; int rc; - + fd = fopen(DATA,"w"); if(fd == NULL) exit(1); - + if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0) exit(1); 
@@ -2958,7 +2993,8 @@ fi AC_ARG_WITH(superuser-path, [ --with-superuser-path= Specify different path for super-user], [ - if test "x$withval" != "xno" ; then + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then AC_DEFINE_UNQUOTED(SUPERUSER_PATH, "$withval") superuser_path=$withval fi @@ -2994,7 +3030,7 @@ BSD_AUTH_MSG=no AC_ARG_WITH(bsd-auth, [ --with-bsd-auth Enable BSD auth support], [ - if test "x$withval" != "xno" ; then + if test "x$withval" != "xno" ; then AC_DEFINE(BSD_AUTH) BSD_AUTH_MSG=yes fi @@ -3004,7 +3040,7 @@ AC_ARG_WITH(bsd-auth, # Where to place sshd.pid piddir=/var/run # make sure the directory exists -if test ! -d $piddir ; then +if test ! -d $piddir ; then piddir=`eval echo ${sysconfdir}` case $piddir in NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;; @@ -3014,9 +3050,10 @@ fi AC_ARG_WITH(pid-dir, [ --with-pid-dir=PATH Specify location of ssh.pid file], [ - if test "x$withval" != "xno" ; then + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then piddir=$withval - if test ! -d $piddir ; then + if test ! -d $piddir ; then AC_MSG_WARN([** no $piddir directory on this system **]) fi fi @@ -3094,9 +3131,9 @@ AC_ARG_ENABLE(pututxline, AC_ARG_WITH(lastlog, [ --with-lastlog=FILE|DIR specify lastlog location [common locations]], [ - if test "x$withval" = "xno" ; then + if test "x$withval" = "xno" ; then AC_DEFINE(DISABLE_LASTLOG) - else + elif test -n "$withval" && test "x${withval}" != "xyes"; then conf_lastlog_location=$withval fi ] @@ -3163,7 +3200,7 @@ fi if test -n "$conf_lastlog_location"; then AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, "$conf_lastlog_location") -fi +fi dnl utmp detection AC_MSG_CHECKING([if your system defines UTMP_FILE]) 
@@ -3193,7 +3230,7 @@ if test -z "$conf_utmp_location"; then
 fi
 if test -n "$conf_utmp_location"; then
 AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location")
-fi
+fi
 dnl wtmp detection
 AC_MSG_CHECKING([if your system defines WTMP_FILE])
@@ -3223,7 +3260,7 @@ if test -z "$conf_wtmp_location"; then
 fi
 if test -n "$conf_wtmp_location"; then
 AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location")
-fi
+fi
 dnl utmpx detection - I don't know any system so perverse as to require
@@ -3251,7 +3288,7 @@ if test -z "$conf_utmpx_location"; then
 fi
 else
 AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location")
-fi
+fi
 dnl wtmpx detection
 AC_MSG_CHECKING([if your system defines WTMPX_FILE])
@@ -3276,7 +3313,7 @@ if test -z "$conf_wtmpx_location"; then
 fi
 else
 AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location")
-fi
+fi
 if test ! -z "$blibpath" ; then
diff --git a/openssh/contrib/aix/buildbff.sh b/openssh/contrib/aix/buildbff.sh
index 4b5d71b..5410fea 100755
--- a/openssh/contrib/aix/buildbff.sh
+++ b/openssh/contrib/aix/buildbff.sh
@@ -219,7 +219,7 @@ else
 fi
 # Create user if required
- if lsuser ALL | cut -f1 -d: | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+ if lsuser "$SSH_PRIVSEP_USER" >/dev/null
 then
 echo "PrivSep user $SSH_PRIVSEP_USER already exists."
 else
diff --git a/openssh/log.c b/openssh/log.c
index e55a54f..96ab24b 100644
--- a/openssh/log.c
+++ b/openssh/log.c
@@ -196,6 +196,7 @@ log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
 #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
 struct syslog_data sdata = SYSLOG_DATA_INIT;
 #endif
+ argv0 = av0;
 switch (level) {
diff --git a/openssh/misc.c b/openssh/misc.c
index eebb402..dba91e6 100644
--- a/openssh/misc.c
+++ b/openssh/misc.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: misc.c,v 1.28 2005/03/01 10:09:52 djm Exp $");
+RCSID("$OpenBSD: misc.c,v 1.29 2005/03/10 22:01:05 deraadt Exp $");
 #include "misc.h"
 #include "log.h"
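Review bot: `lsuser "$SSH_PRIVSEP_USER" >/dev/null` in buildbff.sh only silences stdout; when the user does not exist yet, which is exactly the branch that goes on to create it, lsuser's own not-found diagnostic presumably still reaches the terminal on stderr and reads as an error during an otherwise successful install. If that is the behaviour on the target AIX releases, `>/dev/null 2>&1` keeps the existence probe quiet. Quoting the user name is an improvement over the old unquoted egrep pattern.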
@@ -321,13 +321,13 @@ hpdelim(char **cp)
 case '\0':
 *cp = NULL; /* no more fields*/
 break;
-
+
 case ':':
 case '/':
 *s = '\0'; /* terminate */
 *cp = s + 1;
 break;
-
+
 default:
 return NULL;
 }
@@ -409,7 +409,7 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
 debug("%s: %s line %lu exceeds size limit", __func__,
 filename, *lineno);
 /* discard remainder of line */
- while(fgetc(f) != '\n' && !feof(f))
+ while (fgetc(f) != '\n' && !feof(f))
 ; /* nothing */
 }
 }
diff --git a/openssh/monitor.c b/openssh/monitor.c
index 0ccb1be..cdd74b3 100644
--- a/openssh/monitor.c
+++ b/openssh/monitor.c
@@ -25,7 +25,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.62 2005/01/30 11:18:08 dtucker Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.63 2005/03/10 22:01:05 deraadt Exp $");
 #include
@@ -338,6 +338,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 authctxt = _authctxt;
 memset(authctxt, 0, sizeof(*authctxt));
+ authctxt->loginmsg = &loginmsg;
+
 if (compat20) {
 mon_dispatch = mon_dispatch_proto20;
@@ -1019,7 +1021,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
 debug3("%s: key_from_blob: %p", __func__, key);
 if (key != NULL && authctxt->valid) {
- switch(type) {
+ switch (type) {
 case MM_USERKEY:
 allowed = options.pubkey_authentication &&
 user_key_allowed(authctxt->pw, key);
@@ -1566,7 +1568,6 @@ mm_answer_audit_event(int socket, Buffer *m)
 debug3("%s entering", __func__);
 event = buffer_get_int(m);
- buffer_free(m);
 switch(event) {
 case SSH_AUTH_FAIL_PUBKEY:
 case SSH_AUTH_FAIL_HOSTBASED:
@@ -1595,7 +1596,6 @@ mm_answer_audit_command(int socket, Buffer *m)
 /* sanity check command, if so how? */
 audit_run_command(cmd);
 xfree(cmd);
- buffer_free(m);
 return (0);
 }
 #endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh/openbsd-compat/port-aix.c b/openssh/openbsd-compat/port-aix.c
index fa6a4ff..cf5d4b9 100644
--- a/openssh/openbsd-compat/port-aix.c
+++ b/openssh/openbsd-compat/port-aix.c
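Review bot: The removed `buffer_free(m)` in mm_answer_audit_event and mm_answer_audit_command leaves no trace of the ownership rule that motivated it; the other handler visible here, mm_answer_keyallowed, never frees its `m` either, so the caller presumably owns and releases the request buffer and the old frees would have been a double free. A one-line comment at the first of the two, `/* m is owned and freed by the dispatch loop; do not free it here */`, would keep the next reader from re-adding it. Note also that `event` arrives from the unprivileged child over the monitor socket, and the switch that decides what the privileged side does with it continues outside the hunk, so handling of values absent from the case list cannot be reviewed here. Both functions continue outside the hunk.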
@@ -151,7 +151,7 @@ aix_valid_authentications(const char *user)
 * returns 0.
 */
 int
-sys_auth_passwd(Authctxt *ctxt, const char *password, Buffer *loginmsg)
+sys_auth_passwd(Authctxt *ctxt, const char *password)
 {
 char *authmsg = NULL, *msg, *name = ctxt->pw->pw_name;
 int authsuccess = 0, expired, reenter, result;
@@ -181,7 +181,7 @@ sys_auth_passwd(Authctxt *ctxt, const char *password, Buffer *loginmsg)
 */
 expired = passwdexpired(name, &msg);
 if (msg && *msg) {
- buffer_append(loginmsg, msg, strlen(msg));
+ buffer_append(ctxt->loginmsg, msg, strlen(msg));
 aix_remove_embedded_newlines(msg);
 }
 debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg);
diff --git a/openssh/openbsd-compat/port-aix.h b/openssh/openbsd-compat/port-aix.h
index 4f0080e..939729b 100644
--- a/openssh/openbsd-compat/port-aix.h
+++ b/openssh/openbsd-compat/port-aix.h
@@ -48,7 +48,9 @@
 /* These should be in the system headers but are not. */
 int usrinfo(int, char *, int);
+#if (HAVE_DECL_SETAUTHDB == 0)
 int setauthdb(const char *, char *);
+#endif
 /* these may or may not be in the headers depending on the version */
 #if (HAVE_DECL_AUTHENTICATE == 0)
 int authenticate(char *, char *, int *, char **);
diff --git a/openssh/readconf.c b/openssh/readconf.c
index d18ca3c..4d05a89 100644
--- a/openssh/readconf.c
+++ b/openssh/readconf.c
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.137 2005/03/04 08:48:06 djm Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.139 2005/03/10 22:01:05 deraadt Exp $");
 #include "ssh.h"
 #include "xmalloc.h"
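Review bot: `buffer_append(ctxt->loginmsg, msg, strlen(msg));` in sys_auth_passwd dereferences the new Authctxt member without a check, and within this commit only monitor_child_preauth in monitor.c and sshd's main set `authctxt->loginmsg`; any Authctxt built elsewhere by memset alone would carry NULL here and crash in the password-expiry path. Either guard it, `if (ctxt->loginmsg != NULL)` around the append, or document the invariant on the member added in auth.h, e.g. `Buffer *loginmsg; /* points at the global login message buffer; every Authctxt constructor must set it */`. sys_auth_passwd continues outside the hunk.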
@@ -255,12 +255,14 @@ clear_forwardings(Options *options)
 int i;
 for (i = 0; i < options->num_local_forwards; i++) {
- xfree(options->local_forwards[i].listen_host);
+ if (options->local_forwards[i].listen_host != NULL)
+ xfree(options->local_forwards[i].listen_host);
 xfree(options->local_forwards[i].connect_host);
 }
 options->num_local_forwards = 0;
 for (i = 0; i < options->num_remote_forwards; i++) {
- xfree(options->remote_forwards[i].listen_host);
+ if (options->remote_forwards[i].listen_host != NULL)
+ xfree(options->remote_forwards[i].listen_host);
 xfree(options->remote_forwards[i].connect_host);
 }
 options->num_remote_forwards = 0;
@@ -301,7 +303,7 @@ process_config_line(Options *options, const char *host,
 Forward fwd;
 /* Strip trailing whitespace */
- for(len = strlen(line) - 1; len > 0; len--) {
+ for (len = strlen(line) - 1; len > 0; len--) {
 if (strchr(WHITESPACE, line[len]) == NULL)
 break;
 line[len] = '\0';
diff --git a/openssh/servconf.c b/openssh/servconf.c
index 66212eb..bda9016 100644
--- a/openssh/servconf.c
+++ b/openssh/servconf.c
@@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.139 2005/03/01 10:09:52 djm Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.140 2005/03/10 22:01:05 deraadt Exp $");
 #include "ssh.h"
 #include "log.h"
@@ -1041,7 +1041,7 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
 obuf = cbuf = xstrdup(buffer_ptr(conf));
 linenum = 1;
- while((cp = strsep(&cbuf, "\n")) != NULL) {
+ while ((cp = strsep(&cbuf, "\n")) != NULL) {
 if (process_server_config_line(options, cp, filename,
 linenum++) != 0)
 bad_options++;
diff --git a/openssh/session.c b/openssh/session.c
index 1227af8..4a3041a 100644
--- a/openssh/session.c
+++ b/openssh/session.c
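Review bot: The new NULL guards in clear_forwardings are correct but unexplained; listen_host is the optional bind address (the ssh.c change in this commit prints it as `*` or `LOCALHOST` when NULL), and the guard is presumably needed because this tree's xfree() does not tolerate NULL. A comment on the first guard, `/* listen_host is optional (NULL = default bind address); xfree() rejects NULL */`, would make both loops self-explanatory, and the still-unguarded `xfree(... connect_host)` then reads as deliberate rather than as an oversight. clear_forwardings starts outside the hunk.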
@@ -1665,7 +1665,8 @@ do_child(Session *s, const char *command)
 }
 #ifdef USE_PAM
- if (options.use_pam && !is_pam_session_open()) {
+ if (options.use_pam && !options.use_login && !is_pam_session_open()) {
+ debug3("PAM session not opened, exiting");
 display_loginmsg();
 exit(254);
 }
diff --git a/openssh/ssh.c b/openssh/ssh.c
index 715a8ba..d374399 100644
--- a/openssh/ssh.c
+++ b/openssh/ssh.c
@@ -40,7 +40,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.233 2005/03/01 17:22:06 jmc Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.234 2005/03/10 22:01:06 deraadt Exp $");
 #include
 #include
@@ -882,8 +882,8 @@ ssh_init_forwarding(void)
 for (i = 0; i < options.num_local_forwards; i++) {
 debug("Local connections to %.200s:%d forwarded to remote "
 "address %.200s:%d",
- (options.local_forwards[i].listen_host == NULL) ?
- (options.gateway_ports ? "*" : "LOCALHOST") :
+ (options.local_forwards[i].listen_host == NULL) ?
+ (options.gateway_ports ? "*" : "LOCALHOST") :
 options.local_forwards[i].listen_host,
 options.local_forwards[i].listen_port,
 options.local_forwards[i].connect_host,
@@ -902,6 +902,8 @@ ssh_init_forwarding(void)
 for (i = 0; i < options.num_remote_forwards; i++) {
 debug("Remote connections from %.200s:%d forwarded to "
 "local address %.200s:%d",
+ (options.remote_forwards[i].listen_host == NULL) ?
+ (options.gateway_ports ? "*" : "LOCALHOST") :
 options.remote_forwards[i].listen_host,
 options.remote_forwards[i].listen_port,
 options.remote_forwards[i].connect_host,
@@ -1119,7 +1121,7 @@ ssh_control_listener(void)
 old_umask = umask(0177);
 if (bind(control_fd, (struct sockaddr*)&addr, addr_len) == -1) {
 control_fd = -1;
- if (errno == EINVAL)
+ if (errno == EINVAL || errno == EADDRINUSE)
 fatal("ControlSocket %s already exists",
 options.control_path);
 else
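Review bot: The added `!options.use_login` term in do_child is undocumented, and the reason matters for anyone auditing when sshd is willing to start a child without a PAM session: with UseLogin the session is presumably opened by login(1) rather than by sshd, so refusing the child here would break that mode. If that is the rationale, state it above the test, `/* With UseLogin the PAM session is opened by login(1), not by us */`, and confirm it against the UseLogin handling elsewhere in this file. The new debug3 line is a good addition since the exit(254) was previously silent. do_child starts and ends outside the hunk.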
@@ -1369,7 +1371,7 @@ control_client(const char *path) switch (mux_command) { case SSHMUX_COMMAND_ALIVE_CHECK: - fprintf(stderr, "Master running (pid=%d)\r\n", + fprintf(stderr, "Master running (pid=%d)\r\n", control_server_pid); exit(0); case SSHMUX_COMMAND_TERMINATE: diff --git a/openssh/ssh_config.5 b/openssh/ssh_config.5 index 3ca22a3..ba05ede 100644 --- a/openssh/ssh_config.5 +++ b/openssh/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.47 2005/03/07 23:41:54 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.49 2005/03/16 11:10:38 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -507,21 +507,17 @@ The default is to use the server specified list. .It Cm LocalForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. -The first argument must be a port number, and the second must be -.Xo +The first argument must be .Sm off -.Oo Ar bind_address : Oc -.Ar host : port +.Oo Ar bind_address : Oc Ar port .Sm on -.Xc . +and the second argument must be +.Ar host : Ns Ar hostport . IPv6 addresses can be specified by enclosing addresses in square brackets or by using an alternative syntax: -.Sm off -.Xo -.Op Ar bind_address No / -.Ar host No / Ar port -.Xc . -.Sm on +.Oo Ar bind_address Ns / Oc Ns Ar port +and +.Ar host Ns / Ns Ar hostport . Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. 
@@ -583,9 +579,9 @@ Default is 22. .It Cm PreferredAuthentications Specifies the order in which the client should try protocol 2 authentication methods. -This allows a client to prefer one method (e.g. +This allows a client to prefer one method (e.g.\& .Cm keyboard-interactive ) -over another method (e.g. +over another method (e.g.\& .Cm password ) The default for this option is: .Dq hostbased,external-keyx,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password . @@ -644,21 +640,17 @@ This option applies to protocol version 2 only. .It Cm RemoteForward Specifies that a TCP/IP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine. -The first argument must be a port number, and the second must be -.Xo +The first argument must be .Sm off -.Oo Ar bind_address : Oc -.Ar host : port -.Sm on -.Xc . -IPv6 addresses can be specified by enclosing any addresses in square brackets -or by using the alternative syntax: -.Sm off -.Xo -.Op Ar bind_address No / -.Ar host No / Ar port -.Xc . +.Oo Ar bind_address : Oc Ar port .Sm on +and the second argument must be +.Ar host : Ns Ar hostport . +IPv6 addresses can be specified by enclosing addresses in square brackets +or by using an alternative syntax: +.Oo Ar bind_address Ns / Oc Ns Ar port +and +.Ar host Ns / Ns Ar hostport . Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. diff --git a/openssh/sshd.c b/openssh/sshd.c index 72aa933..a0eda63 100644 --- a/openssh/sshd.c +++ b/openssh/sshd.c @@ -1692,6 +1692,8 @@ main(int ac, char **av) authctxt = xmalloc(sizeof(*authctxt)); memset(authctxt, 0, sizeof(*authctxt)); + authctxt->loginmsg = &loginmsg; + /* XXX global for cleanup, access from other modules */ the_authctxt = authctxt; diff --git a/openssh/sshd_config.5 b/openssh/sshd_config.5 index becabc0..0350340 100644 --- a/openssh/sshd_config.5 
+++ b/openssh/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.39 2005/03/01 10:09:52 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.40 2005/03/18 17:05:00 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -642,7 +642,7 @@ To disable TCP keepalive messages, the value should be set to .It Cm UseDNS Specifies whether .Nm sshd -should lookup the remote host name and check that +should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. The default is diff --git a/openssh/version.h b/openssh/version.h index ae47580..c9ad901 100644 --- a/openssh/version.h +++ b/openssh/version.h @@ -1,4 +1,4 @@ -/* $OpenBSD: version.h,v 1.43 2005/03/08 23:49:48 djm Exp $ */ +/* $OpenBSD: version.h,v 1.44 2005/03/16 21:17:39 markus Exp $ */ #ifdef GSI #define GSI_VERSION " GSI" @@ -18,7 +18,7 @@ #define MGLUE_VERSION "" #endif -#define SSH_VERSION "OpenSSH_4.0" +#define SSH_VERSION "OpenSSH_4.1" #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE \ -- 2.45.2