X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/4ad6580941cec3c753413167c2a65fadfbe6f378..5c7fc85dc58121ebfd2bc586abc91c9c447a78e2:/configure.ac diff --git a/configure.ac b/configure.ac index 606ee87a..3a96fd3f 100644 --- a/configure.ac +++ b/configure.ac @@ -1,6 +1,20 @@ # $Id$ - -AC_INIT +# +# Copyright (c) 1999-2004 Damien Miller +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +AC_INIT(OpenSSH, Portable) AC_CONFIG_SRCDIR([ssh.c]) AC_CONFIG_HEADER(config.h) @@ -14,6 +28,8 @@ AC_PROG_CPP AC_PROG_RANLIB AC_PROG_INSTALL AC_PATH_PROG(AR, ar) +AC_PATH_PROG(CAT, cat) +AC_PATH_PROG(KILL, kill) AC_PATH_PROGS(PERL, perl5 perl) AC_PATH_PROG(SED, sed) AC_SUBST(PERL) @@ -23,6 +39,14 @@ AC_PATH_PROG(TEST_MINUS_S_SH, bash) AC_PATH_PROG(TEST_MINUS_S_SH, ksh) AC_PATH_PROG(TEST_MINUS_S_SH, sh) AC_PATH_PROG(SH, sh) +AC_SUBST(TEST_SHELL,sh) + +dnl for buildpkg.sh +AC_PATH_PROG(PATH_GROUPADD_PROG, groupadd, groupadd, + [/usr/sbin${PATH_SEPARATOR}/etc]) +AC_PATH_PROG(PATH_USERADD_PROG, useradd, useradd, + [/usr/sbin${PATH_SEPARATOR}/etc]) +AC_CHECK_PROG(MAKE_PACKAGE_SUPPORTED, pkgmk, yes, no) # System features AC_SYS_LARGEFILE @@ -42,11 +66,16 @@ else fi fi +AC_PATH_PROG(PATH_PASSWD_PROG, passwd) +if test ! -z "$PATH_PASSWD_PROG" ; then + AC_DEFINE_UNQUOTED(_PATH_PASSWD_PROG, "$PATH_PASSWD_PROG") +fi + if test -z "$LD" ; then LD=$CC fi AC_SUBST(LD) - + AC_C_INLINE if test "$GCC" = "yes" || test "$GCC" = "egcs"; then CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wno-uninitialized" @@ -55,7 +84,7 @@ fi AC_ARG_WITH(rpath, [ --without-rpath Disable auto-added -R linker paths], [ - if test "x$withval" = "xno" ; then + if test "x$withval" = "xno" ; then need_dash_r="" fi if test "x$withval" = "xyes" ; then @@ -67,11 +96,9 @@ AC_ARG_WITH(rpath, # Check for some target-specific stuff case "$host" in *-*-aix*) - CPPFLAGS="$CPPFLAGS -I/usr/local/include" - LDFLAGS="$LDFLAGS -L/usr/local/lib" AC_MSG_CHECKING([how to specify blibpath for linker ($LD)]) if (test -z "$blibpath"); then - blibpath="/usr/lib:/lib:/usr/local/lib" + blibpath="/usr/lib:/lib" fi saved_LDFLAGS="$LDFLAGS" for tryflags in -blibpath: -Wl,-blibpath: -Wl,-rpath, ;do @@ -94,8 +121,11 @@ case "$host" in LIBS="$LIBS -ls" ]) ]) + dnl Check for various auth function declarations in headers. + AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess, + passwdexpired, setauthdb], , , [#include ]) dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2) - AC_CHECK_DECL(loginfailed, + AC_CHECK_DECLS(loginfailed, [AC_MSG_CHECKING(if loginfailed takes 4 arguments) AC_TRY_COMPILE( [#include ], @@ -108,7 +138,7 @@ case "$host" in [#include ] ) AC_CHECK_FUNCS(setauthdb) - AC_DEFINE(BROKEN_GETADDRINFO) + check_for_aix_broken_getaddrinfo=1 AC_DEFINE(BROKEN_REALPATH) AC_DEFINE(SETEUID_BREAKS_SETUID) AC_DEFINE(BROKEN_SETREUID) @@ -128,7 +158,6 @@ case "$host" in AC_DEFINE(NO_X11_UNIX_SOCKETS) AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT) AC_DEFINE(DISABLE_FD_PASSING) - AC_DEFINE(SETGROUPS_NOOP) ;; *-*-dgux*) AC_DEFINE(IP_TOS_IS_BROKEN) @@ -162,7 +191,6 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE(USE_PIPES) AC_DEFINE(LOGIN_NO_ENDOPT) AC_DEFINE(LOGIN_NEEDS_UTMPX) - AC_DEFINE(DISABLE_UTMP) AC_DEFINE(LOCKED_PASSWD_STRING, "*") AC_DEFINE(SPT_TYPE,SPT_PSTAT) LIBS="$LIBS -lsec -lsecpw" @@ -178,7 +206,6 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE(USE_PIPES) AC_DEFINE(LOGIN_NO_ENDOPT) AC_DEFINE(LOGIN_NEEDS_UTMPX) - AC_DEFINE(DISABLE_UTMP) AC_DEFINE(LOCKED_PASSWD_STRING, "*") AC_DEFINE(SPT_TYPE,SPT_PSTAT) LIBS="$LIBS -lsec" @@ -194,12 +221,13 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE(DISABLE_UTMP) AC_DEFINE(LOCKED_PASSWD_STRING, "*") AC_DEFINE(SPT_TYPE,SPT_PSTAT) + AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins]) + check_for_hpux_broken_getaddrinfo=1 + check_for_conflicting_getspnam=1 LIBS="$LIBS -lsec" AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) ;; *-*-irix5*) - CPPFLAGS="$CPPFLAGS -I/usr/local/include" - LDFLAGS="$LDFLAGS" PATH="$PATH:/usr/etc" AC_DEFINE(BROKEN_INET_NTOA) AC_DEFINE(SETEUID_BREAKS_SETUID) @@ -209,8 +237,6 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") ;; *-*-irix6*) - CPPFLAGS="$CPPFLAGS -I/usr/local/include" - LDFLAGS="$LDFLAGS" PATH="$PATH:/usr/etc" AC_DEFINE(WITH_IRIX_ARRAY) AC_DEFINE(WITH_IRIX_PROJECT) @@ -220,6 +246,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE(SETEUID_BREAKS_SETUID) AC_DEFINE(BROKEN_SETREUID) AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(BROKEN_UPDWTMPX) AC_DEFINE(WITH_ABBREV_NO_TTY) AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") ;; @@ -229,8 +256,11 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) check_for_openpty_ctty_bug=1 AC_DEFINE(DONT_TRY_OTHER_AF) AC_DEFINE(PAM_TTY_KLUDGE) - AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!") + AC_DEFINE(LOCKED_PASSWD_PREFIX, "!") AC_DEFINE(SPT_TYPE,SPT_REUSEARGV) + AC_DEFINE(LINK_OPNOTSUPP_ERRNO, EPERM) + AC_DEFINE(_PATH_BTMP, "/var/log/btmp", [log for bad login attempts]) + AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins]) inet6_default_4in6=yes case `uname -r` in 1.*|2.0.*) @@ -244,7 +274,7 @@ mips-sony-bsd|mips-sony-newsos4) ;; *-*-netbsd*) check_for_libcrypt_before=1 - if test "x$withval" != "xno" ; then + if test "x$withval" != "xno" ; then need_dash_r=1 fi ;; @@ -265,21 +295,16 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(BROKEN_REALPATH) AC_DEFINE(USE_PIPES) AC_DEFINE(BROKEN_SAVED_UIDS) - CPPFLAGS="$CPPFLAGS -I/usr/local/include" - CFLAGS="$CFLAGS" ;; *-*-solaris*) - CPPFLAGS="$CPPFLAGS -I/usr/local/include" - if test "x$withval" = "xno" ; then - LDFLAGS="$LDFLAGS -L/usr/local/lib" - else - LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib" + if test "x$withval" != "xno" ; then need_dash_r=1 fi AC_DEFINE(PAM_SUN_CODEBASE) AC_DEFINE(LOGIN_NEEDS_UTMPX) AC_DEFINE(LOGIN_NEEDS_TERM) AC_DEFINE(PAM_TTY_KLUDGE) + AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID) AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") # Pushing STREAMS modules will cause sshd to acquire a controlling tty. AC_DEFINE(SSHD_ACQUIRES_CTTY) @@ -306,8 +331,6 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(USE_PIPES) ;; *-ncr-sysv*) - CPPFLAGS="$CPPFLAGS -I/usr/local/include" - LDFLAGS="$LDFLAGS -L/usr/local/lib" LIBS="$LIBS -lc89" AC_DEFINE(USE_PIPES) AC_DEFINE(SSHD_ACQUIRES_CTTY) @@ -316,10 +339,10 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(BROKEN_SETREGID) ;; *-sni-sysv*) - CPPFLAGS="$CPPFLAGS -I/usr/local/include" # /usr/ucblib MUST NOT be searched on ReliantUNIX - LDFLAGS="$LDFLAGS -L/usr/local/lib" AC_CHECK_LIB(dl, dlsym, ,) + # -lresolv needs to be at then end of LIBS or DNS lookups break + AC_CHECK_LIB(res_query, resolv, [ LIBS="$LIBS -lresolv" ]) IPADDR_IN_DISPLAY=yes AC_DEFINE(USE_PIPES) AC_DEFINE(IP_TOS_IS_BROKEN) @@ -332,48 +355,33 @@ mips-sony-bsd|mips-sony-newsos4) # Attention: always take care to bind libsocket and libnsl before libc, # otherwise you will find lots of "SIOCGPGRP errno 22" on syslog ;; +# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel. *-*-sysv4.2*) - CPPFLAGS="$CPPFLAGS -I/usr/local/include" - LDFLAGS="$LDFLAGS -L/usr/local/lib" AC_DEFINE(USE_PIPES) AC_DEFINE(SETEUID_BREAKS_SETUID) AC_DEFINE(BROKEN_SETREUID) AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd]) ;; +# UnixWare 7.x, OpenUNIX 8 *-*-sysv5*) - CPPFLAGS="$CPPFLAGS -I/usr/local/include" - LDFLAGS="$LDFLAGS -L/usr/local/lib" AC_DEFINE(USE_PIPES) AC_DEFINE(SETEUID_BREAKS_SETUID) AC_DEFINE(BROKEN_SETREUID) AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd]) ;; *-*-sysv*) - CPPFLAGS="$CPPFLAGS -I/usr/local/include" - LDFLAGS="$LDFLAGS -L/usr/local/lib" ;; +# SCO UNIX and OEM versions of SCO UNIX *-*-sco3.2v4*) - CPPFLAGS="$CPPFLAGS -Dftruncate=chsize -I/usr/local/include" - LDFLAGS="$LDFLAGS -L/usr/local/lib" - LIBS="$LIBS -los -lprot -lx -ltinfo -lm" - RANLIB=true - no_dev_ptmx=1 - AC_DEFINE(BROKEN_SYS_TERMIO_H) - AC_DEFINE(USE_PIPES) - AC_DEFINE(HAVE_SECUREWARE) - AC_DEFINE(DISABLE_SHADOW) - AC_DEFINE(BROKEN_SAVED_UIDS) - AC_DEFINE(WITH_ABBREV_NO_TTY) - AC_CHECK_FUNCS(getluid setluid) - MANTYPE=man - do_sco3_extra_lib_check=yes + AC_MSG_ERROR("This Platform is no longer supported.") ;; +# SCO OpenServer 5.x *-*-sco3.2v5*) if test -z "$GCC"; then CFLAGS="$CFLAGS -belf" fi - CPPFLAGS="$CPPFLAGS -I/usr/local/include" - LDFLAGS="$LDFLAGS -L/usr/local/lib" LIBS="$LIBS -lprot -lx -ltinfo -lm" no_dev_ptmx=1 AC_DEFINE(USE_PIPES) @@ -384,10 +392,17 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(BROKEN_SETREUID) AC_DEFINE(BROKEN_SETREGID) AC_DEFINE(WITH_ABBREV_NO_TTY) + AC_DEFINE(BROKEN_UPDWTMPX) + AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd]) AC_CHECK_FUNCS(getluid setluid) MANTYPE=man + TEST_SHELL=ksh ;; *-*-unicosmk*) + AC_DEFINE(NO_SSH_LASTLOG) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) AC_DEFINE(USE_PIPES) AC_DEFINE(DISABLE_FD_PASSING) LDFLAGS="$LDFLAGS" @@ -395,14 +410,20 @@ mips-sony-bsd|mips-sony-newsos4) MANTYPE=cat ;; *-*-unicosmp*) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) AC_DEFINE(WITH_ABBREV_NO_TTY) AC_DEFINE(USE_PIPES) AC_DEFINE(DISABLE_FD_PASSING) LDFLAGS="$LDFLAGS" - LIBS="$LIBS -lgen -lacid" + LIBS="$LIBS -lgen -lacid -ldb" MANTYPE=cat ;; *-*-unicos*) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) AC_DEFINE(USE_PIPES) AC_DEFINE(DISABLE_FD_PASSING) AC_DEFINE(NO_SSH_LASTLOG) @@ -453,15 +474,17 @@ esac AC_ARG_WITH(cflags, [ --with-cflags Specify additional flags to pass to compiler], [ - if test "x$withval" != "xno" ; then + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then CFLAGS="$CFLAGS $withval" fi - ] + ] ) AC_ARG_WITH(cppflags, [ --with-cppflags Specify additional flags to pass to preprocessor] , [ - if test "x$withval" != "xno"; then + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then CPPFLAGS="$CPPFLAGS $withval" fi ] @@ -469,55 +492,59 @@ AC_ARG_WITH(cppflags, AC_ARG_WITH(ldflags, [ --with-ldflags Specify additional flags to pass to linker], [ - if test "x$withval" != "xno" ; then + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then LDFLAGS="$LDFLAGS $withval" fi - ] + ] ) AC_ARG_WITH(libs, [ --with-libs Specify additional libraries to link with], [ - if test "x$withval" != "xno" ; then + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then LIBS="$LIBS $withval" fi - ] + ] ) AC_MSG_CHECKING(compiler and flags for sanity) -AC_TRY_RUN([ +AC_RUN_IFELSE( + [AC_LANG_SOURCE([ #include int main(){exit(0);} - ], + ])], [ AC_MSG_RESULT(yes) ], [ AC_MSG_RESULT(no) AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***]) - ] + ], + [ AC_MSG_WARN([cross compiling: not checking compiler sanity]) ] ) # Checks for header files. -AC_CHECK_HEADERS(bstring.h crypt.h endian.h features.h floatingpoint.h \ - getopt.h glob.h ia.h lastlog.h limits.h login.h \ - login_cap.h maillock.h netdb.h netgroup.h \ +AC_CHECK_HEADERS(bstring.h crypt.h dirent.h endian.h features.h \ + floatingpoint.h getopt.h glob.h ia.h lastlog.h limits.h login.h \ + login_cap.h maillock.h ndir.h netdb.h netgroup.h \ netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \ rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ - strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \ - sys/cdefs.h sys/mman.h sys/pstat.h sys/select.h sys/stat.h \ - sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \ - sys/un.h time.h tmpdir.h ttyent.h usersec.h \ - util.h utime.h utmp.h utmpx.h vis.h) + strings.h sys/dir.h sys/strtio.h sys/audit.h sys/bitypes.h \ + sys/bsdtty.h sys/cdefs.h sys/mman.h sys/ndir.h sys/prctl.h \ + sys/pstat.h sys/select.h sys/stat.h sys/stream.h \ + sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h sys/un.h \ + time.h tmpdir.h ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h) + +# sys/ptms.h requires sys/stream.h to be included first on Solaris +AC_CHECK_HEADERS(sys/ptms.h, [], [], [ +#ifdef HAVE_SYS_STREAM_H +# include +#endif +]) # Checks for libraries. AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match)) AC_CHECK_FUNC(setsockopt, , AC_CHECK_LIB(socket, setsockopt)) -dnl SCO OS3 needs this for libwrap -if test "x$with_tcp_wrappers" != "xno" ; then - if test "x$do_sco3_extra_lib_check" = "xyes" ; then - AC_CHECK_LIB(rpc, innetgr, LIBS="-lrpc -lyp -lrpc $LIBS" , , -lyp -lrpc) - fi -fi - dnl IRIX and Solaris 2.5.1 have dirname() in libgen AC_CHECK_FUNCS(dirname, [AC_CHECK_HEADERS(libgen.h)] ,[ AC_CHECK_LIB(gen, dirname,[ @@ -562,10 +589,9 @@ AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) dnl zlib is required AC_ARG_WITH(zlib, [ --with-zlib=PATH Use zlib in PATH], - [ - if test "x$withval" = "xno" ; then - AC_MSG_ERROR([*** zlib is required ***]) - fi + [ if test "x$withval" = "xno" ; then + AC_MSG_ERROR([*** zlib is required ***]) + elif test "x$withval" != "xyes"; then if test -d "$withval/lib"; then if test -n "${need_dash_r}"; then LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" @@ -584,30 +610,79 @@ AC_ARG_WITH(zlib, else CPPFLAGS="-I${withval} ${CPPFLAGS}" fi - ] + fi ] ) -AC_CHECK_LIB(z, deflate, ,AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])) +AC_CHECK_LIB(z, deflate, , + [ + saved_CPPFLAGS="$CPPFLAGS" + saved_LDFLAGS="$LDFLAGS" + save_LIBS="$LIBS" + dnl Check default zlib install dir + if test -n "${need_dash_r}"; then + LDFLAGS="-L/usr/local/lib -R/usr/local/lib ${saved_LDFLAGS}" + else + LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}" + fi + CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}" + LIBS="$LIBS -lz" + AC_TRY_LINK_FUNC(deflate, AC_DEFINE(HAVE_LIBZ), + [ + AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***]) + ] + ) + ] +) AC_CHECK_HEADER([zlib.h], ,AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])) -AC_MSG_CHECKING(for zlib 1.1.4 or greater) -AC_TRY_RUN([ + +AC_ARG_WITH(zlib-version-check, + [ --without-zlib-version-check Disable zlib version check], + [ if test "x$withval" = "xno" ; then + zlib_check_nonfatal=1 + fi + ] +) + +AC_MSG_CHECKING(for possibly buggy zlib) +AC_RUN_IFELSE([AC_LANG_SOURCE([[ +#include #include int main() { - int a, b, c, v; - if (sscanf(ZLIB_VERSION, "%d.%d.%d", &a, &b, &c) != 3) + int a=0, b=0, c=0, d=0, n, v; + n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d); + if (n != 3 && n != 4) exit(1); - v = a*1000000 + b*1000 + c; - if (v >= 1001004) + v = a*1000000 + b*10000 + c*100 + d; + fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v); + + /* 1.1.4 is OK */ + if (a == 1 && b == 1 && c >= 4) + exit(0); + + /* 1.2.1.2 and up are OK */ + if (v >= 1020102) exit(0); + exit(2); } + ]])], + AC_MSG_RESULT(no), + [ AC_MSG_RESULT(yes) + if test -z "$zlib_check_nonfatal" ; then + AC_MSG_ERROR([*** zlib too old - check config.log *** +Your reported zlib version has known security problems. It's possible your +vendor has fixed these problems without changing the version number. If you +are sure this is the case, you can disable the check by running +"./configure --without-zlib-version-check". +If you are in doubt, upgrade zlib to version 1.2.1.2 or greater. +See http://www.gzip.org/zlib/ for details.]) + else + AC_MSG_WARN([zlib version may have security problems]) + fi ], - AC_MSG_RESULT(yes), - [ AC_MSG_RESULT(no) - AC_MSG_ERROR([*** zlib too old - check config.log ***]) ] + [ AC_MSG_WARN([cross compiling: not checking zlib version]) ] ) - dnl UnixWare 2.x AC_CHECK_FUNC(strcasecmp, @@ -660,24 +735,35 @@ AC_EGREP_CPP(FOUNDIT, ) AC_MSG_CHECKING([whether struct dirent allocates space for d_name]) -AC_TRY_RUN( - [ +AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ #include #include int main(void){struct dirent d;exit(sizeof(d.d_name)<=sizeof(char));} - ], + ]])], [AC_MSG_RESULT(yes)], [ AC_MSG_RESULT(no) AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME) + ], + [ + AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME]) + AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME) ] ) +AC_MSG_CHECKING([for /proc/pid/fd directory]) +if test -d "/proc/$$/fd" ; then + AC_DEFINE(HAVE_PROC_PID) + AC_MSG_RESULT(yes) +else + AC_MSG_RESULT(no) +fi + # Check whether user wants S/Key support SKEY_MSG="no" AC_ARG_WITH(skey, - [ --with-skey[[=PATH]] Enable S/Key support - (optionally in PATH)], + [ --with-skey[[=PATH]] Enable S/Key support (optionally in PATH)], [ if test "x$withval" != "xno" ; then @@ -689,7 +775,7 @@ AC_ARG_WITH(skey, AC_DEFINE(SKEY) LIBS="-lskey $LIBS" SKEY_MSG="yes" - + AC_MSG_CHECKING([for s/key support]) AC_TRY_RUN( [ @@ -702,6 +788,15 @@ int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); } AC_MSG_RESULT(no) AC_MSG_ERROR([** Incomplete or missing s/key libraries.]) ]) + AC_MSG_CHECKING(if skeychallenge takes 4 arguments) + AC_TRY_COMPILE( + [#include + #include ], + [(void)skeychallenge(NULL,"name","",0);], + [AC_MSG_RESULT(yes) + AC_DEFINE(SKEYCHALLENGE_4ARG)], + [AC_MSG_RESULT(no)] + ) fi ] ) @@ -709,14 +804,14 @@ int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); } # Check whether user wants TCP wrappers support TCPW_MSG="no" AC_ARG_WITH(tcp-wrappers, - [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support - (optionally in PATH)], + [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], [ if test "x$withval" != "xno" ; then saved_LIBS="$LIBS" saved_LDFLAGS="$LDFLAGS" saved_CPPFLAGS="$CPPFLAGS" - if test -n "${withval}" -a "${withval}" != "yes"; then + if test -n "${withval}" && \ + test "x${withval}" != "xyes"; then if test -d "${withval}/lib"; then if test -n "${need_dash_r}"; then LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" @@ -741,6 +836,9 @@ AC_ARG_WITH(tcp-wrappers, AC_MSG_CHECKING(for libwrap) AC_TRY_LINK( [ +#include +#include +#include #include int deny_severity = 0, allow_severity = 0; ], @@ -760,20 +858,72 @@ AC_ARG_WITH(tcp-wrappers, ] ) +# Check whether user wants libedit support +LIBEDIT_MSG="no" +AC_ARG_WITH(libedit, + [ --with-libedit[[=PATH]] Enable libedit support for sftp], + [ if test "x$withval" != "xno" ; then + if test "x$withval" != "xyes"; then + CPPFLAGS="$CPPFLAGS -I$withval/include" + LDFLAGS="$LDFLAGS -L$withval/lib" + fi + AC_CHECK_LIB(edit, el_init, + [ AC_DEFINE(USE_LIBEDIT, [], [Use libedit for sftp]) + LIBEDIT="-ledit -lcurses" + LIBEDIT_MSG="yes" + AC_SUBST(LIBEDIT) + ], + [ AC_MSG_ERROR(libedit not found) ], + [ -lcurses ] + ) + fi ] +) + +AUDIT_MODULE=none +AC_ARG_WITH(audit, + [ --with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm)], + [ + AC_MSG_CHECKING(for supported audit module) + case "$withval" in + bsm) + AC_MSG_RESULT(bsm) + AUDIT_MODULE=bsm + dnl Checks for headers, libs and functions + AC_CHECK_HEADERS(bsm/audit.h, [], + [AC_MSG_ERROR(BSM enabled and bsm/audit.h not found)]) + AC_CHECK_LIB(bsm, getaudit, [], + [AC_MSG_ERROR(BSM enabled and required library not found)]) + AC_CHECK_FUNCS(getaudit, [], + [AC_MSG_ERROR(BSM enabled and required function not found)]) + # These are optional + AC_CHECK_FUNCS(getaudit_addr) + AC_DEFINE(USE_BSM_AUDIT, [], [Use BSM audit module]) + ;; + debug) + AUDIT_MODULE=debug + AC_MSG_RESULT(debug) + AC_DEFINE(SSH_AUDIT_EVENTS, [], Use audit debugging module) + ;; + *) + AC_MSG_ERROR([Unknown audit module $withval]) + ;; + esac ] +) + dnl Checks for library functions. Please keep in alphabetical order AC_CHECK_FUNCS(\ - arc4random __b64_ntop b64_ntop __b64_pton b64_pton \ - bcopy bindresvport_sa clock fchmod fchown freeaddrinfo futimes \ - getaddrinfo getcwd getgrouplist getnameinfo getopt \ - getpeereid _getpty getrlimit getttyent glob inet_aton \ + arc4random __b64_ntop b64_ntop __b64_pton b64_pton bcopy \ + bindresvport_sa clock closefrom dirfd fchdir fchmod fchown \ + freeaddrinfo futimes getaddrinfo getcwd getgrouplist getnameinfo \ + getopt getpeereid _getpty getrlimit getttyent glob inet_aton \ inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \ mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \ - pstat readpassphrase realpath recvmsg rresvport_af sendmsg \ + pstat prctl readpassphrase realpath recvmsg rresvport_af sendmsg \ setdtablesize setegid setenv seteuid setgroups setlogin setpcred \ setproctitle setregid setreuid setrlimit \ setsid setvbuf sigaction sigvec snprintf socketpair strerror \ strlcat strlcpy strmode strnvis strtoul sysconf tcgetpgrp \ - truncate utimes vhangup vsnprintf waitpid \ + truncate unsetenv updwtmpx utimes vhangup vsnprintf waitpid \ ) # IRIX has a const char return value for gai_strerror() @@ -804,31 +954,37 @@ AC_CHECK_DECL(tcsendbreak, [#include ] ) +AC_CHECK_DECLS(h_errno, , ,[#include ]) + AC_CHECK_FUNCS(setresuid, [ dnl Some platorms have setresuid that isn't implemented, test for this AC_MSG_CHECKING(if setresuid seems to work) - AC_TRY_RUN([ + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ #include #include int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);} - ], + ]])], [AC_MSG_RESULT(yes)], [AC_DEFINE(BROKEN_SETRESUID) - AC_MSG_RESULT(not implemented)] + AC_MSG_RESULT(not implemented)], + [AC_MSG_WARN([cross compiling: not checking setresuid])] ) ]) AC_CHECK_FUNCS(setresgid, [ dnl Some platorms have setresgid that isn't implemented, test for this AC_MSG_CHECKING(if setresgid seems to work) - AC_TRY_RUN([ + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ #include #include int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);} - ], + ]])], [AC_MSG_RESULT(yes)], [AC_DEFINE(BROKEN_SETRESGID) - AC_MSG_RESULT(not implemented)] + AC_MSG_RESULT(not implemented)], + [AC_MSG_WARN([cross compiling: not checking setresuid])] ) ]) @@ -854,20 +1010,37 @@ AC_CHECK_FUNC(getpagesize, # Check for broken snprintf if test "x$ac_cv_func_snprintf" = "xyes" ; then AC_MSG_CHECKING([whether snprintf correctly terminates long strings]) - AC_TRY_RUN( - [ + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ #include int main(void){char b[5];snprintf(b,5,"123456789");exit(b[4]!='\0');} - ], + ]])], [AC_MSG_RESULT(yes)], [ AC_MSG_RESULT(no) AC_DEFINE(BROKEN_SNPRINTF) AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor]) - ] + ], + [ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ] ) fi +# Check for missing getpeereid (or equiv) support +NO_PEERCHECK="" +if test "x$ac_cv_func_getpeereid" != "xyes" ; then + AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt]) + AC_TRY_COMPILE( + [#include + #include ], + [int i = SO_PEERCRED;], + [ AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_SO_PEERCRED, [], [Have PEERCRED socket option]) + ], + [AC_MSG_RESULT(no) + NO_PEERCHECK=1] + ) +fi + dnl see whether mkstemp() requires XXXXXX if test "x$ac_cv_func_mkdtemp" = "xyes" ; then AC_MSG_CHECKING([for (overly) strict mkstemp]) @@ -941,6 +1114,152 @@ main() ) fi +if test "x$ac_cv_func_getaddrinfo" = "xyes" && \ + test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then + AC_MSG_CHECKING(if getaddrinfo seems to work) + AC_TRY_RUN( + [ +#include +#include +#include +#include +#include + +#define TEST_PORT "2222" + +int +main(void) +{ + int err, sock; + struct addrinfo *gai_ai, *ai, hints; + char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE; + + err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai); + if (err != 0) { + fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err)); + exit(1); + } + + for (ai = gai_ai; ai != NULL; ai = ai->ai_next) { + if (ai->ai_family != AF_INET6) + continue; + + err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, + sizeof(ntop), strport, sizeof(strport), + NI_NUMERICHOST|NI_NUMERICSERV); + + if (err != 0) { + if (err == EAI_SYSTEM) + perror("getnameinfo EAI_SYSTEM"); + else + fprintf(stderr, "getnameinfo failed: %s\n", + gai_strerror(err)); + exit(2); + } + + sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); + if (sock < 0) + perror("socket"); + if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { + if (errno == EBADF) + exit(3); + } + } + exit(0); +} + ], + [ + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + AC_DEFINE(BROKEN_GETADDRINFO) + ] + ) +fi + +if test "x$ac_cv_func_getaddrinfo" = "xyes" && \ + test "x$check_for_aix_broken_getaddrinfo" = "x1"; then + AC_MSG_CHECKING(if getaddrinfo seems to work) + AC_TRY_RUN( + [ +#include +#include +#include +#include +#include + +#define TEST_PORT "2222" + +int +main(void) +{ + int err, sock; + struct addrinfo *gai_ai, *ai, hints; + char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE; + + err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai); + if (err != 0) { + fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err)); + exit(1); + } + + for (ai = gai_ai; ai != NULL; ai = ai->ai_next) { + if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) + continue; + + err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, + sizeof(ntop), strport, sizeof(strport), + NI_NUMERICHOST|NI_NUMERICSERV); + + if (ai->ai_family == AF_INET && err != 0) { + perror("getnameinfo"); + exit(2); + } + } + exit(0); +} + ], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(AIX_GETNAMEINFO_HACK, [], +[Define if you have a getaddrinfo that fails for the all-zeros IPv6 address]) + ], + [ + AC_MSG_RESULT(no) + AC_DEFINE(BROKEN_GETADDRINFO) + ] + ) +fi + +if test "x$check_for_conflicting_getspnam" = "x1"; then + AC_MSG_CHECKING(for conflicting getspnam in shadow.h) + AC_COMPILE_IFELSE( + [ +#include +int main(void) {exit(0);} + ], + [ + AC_MSG_RESULT(no) + ], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(GETSPNAM_CONFLICTING_DEFS, 1, + [Conflicting defs for getspnam]) + ] + ) +fi + AC_FUNC_GETPGRP # Check for PAM libs @@ -995,12 +1314,6 @@ if test "x$PAM_MSG" = "xyes" ; then ) fi -# Some systems want crypt() from libcrypt, *not* the version in OpenSSL, -# because the system crypt() is more featureful. -if test "x$check_for_libcrypt_before" = "x1"; then - AC_CHECK_LIB(crypt, crypt) -fi - # Search for OpenSSL saved_CPPFLAGS="$CPPFLAGS" saved_LDFLAGS="$LDFLAGS" @@ -1008,6 +1321,10 @@ AC_ARG_WITH(ssl-dir, [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], [ if test "x$withval" != "xno" ; then + case "$withval" in + # Relative paths + ./*|../*) withval="`pwd`/$withval" + esac if test -d "$withval/lib"; then if test -n "${need_dash_r}"; then LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" @@ -1029,7 +1346,7 @@ AC_ARG_WITH(ssl-dir, fi ] ) -LIBS="$LIBS -lcrypto" +LIBS="-lcrypto $LIBS" AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL), [ dnl Check default openssl install dir @@ -1049,8 +1366,8 @@ AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL), # Determine OpenSSL header version AC_MSG_CHECKING([OpenSSL header version]) -AC_TRY_RUN( - [ +AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ #include #include #include @@ -1068,7 +1385,7 @@ int main(void) { exit(0); } - ], + ]])], [ ssl_header_ver=`cat conftest.sslincver` AC_MSG_RESULT($ssl_header_ver) @@ -1076,13 +1393,16 @@ int main(void) { [ AC_MSG_RESULT(not found) AC_MSG_ERROR(OpenSSL version header not found.) + ], + [ + AC_MSG_WARN([cross compiling: not checking]) ] ) # Determine OpenSSL library version AC_MSG_CHECKING([OpenSSL library version]) -AC_TRY_RUN( - [ +AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ #include #include #include @@ -1101,7 +1421,7 @@ int main(void) { exit(0); } - ], + ]])], [ ssl_library_ver=`cat conftest.ssllibver` AC_MSG_RESULT($ssl_library_ver) @@ -1109,17 +1429,20 @@ int main(void) { [ AC_MSG_RESULT(not found) AC_MSG_ERROR(OpenSSL library not found.) + ], + [ + AC_MSG_WARN([cross compiling: not checking]) ] ) # Sanity check OpenSSL headers AC_MSG_CHECKING([whether OpenSSL's headers match the library]) -AC_TRY_RUN( - [ +AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ #include #include int main(void) { exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); } - ], + ]])], [ AC_MSG_RESULT(yes) ], @@ -1128,11 +1451,20 @@ int main(void) { exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); } AC_MSG_ERROR([Your OpenSSL headers do not match your library. Check config.log for details. Also see contrib/findssl.sh for help identifying header/library mismatches.]) + ], + [ + AC_MSG_WARN([cross compiling: not checking]) ] ) +# Some systems want crypt() from libcrypt, *not* the version in OpenSSL, +# because the system crypt() is more featureful. +if test "x$check_for_libcrypt_before" = "x1"; then + AC_CHECK_LIB(crypt, crypt) +fi + # Some Linux systems (Slackware) need crypt() from libcrypt, *not* the -# version in OpenSSL. Skip this for PAM +# version in OpenSSL. if test "x$check_for_libcrypt_later" = "x1"; then AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt") fi @@ -1142,12 +1474,12 @@ fi # Check wheter OpenSSL seeds itself AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded]) -AC_TRY_RUN( - [ +AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ #include #include int main(void) { exit(RAND_status() == 1 ? 0 : 1); } - ], + ]])], [ OPENSSL_SEEDS_ITSELF=yes AC_MSG_RESULT(yes) @@ -1157,6 +1489,12 @@ int main(void) { exit(RAND_status() == 1 ? 0 : 1); } # Default to use of the rand helper if OpenSSL doesn't # seed itself USE_RAND_HELPER=yes + ], + [ + AC_MSG_WARN([cross compiling: assuming yes]) + # This is safe, since all recent OpenSSL versions will + # complain at runtime if not seeded correctly. + OPENSSL_SEEDS_ITSELF=yes ] ) @@ -1177,10 +1515,10 @@ AC_ARG_WITH(rand-helper, USE_RAND_HELPER=yes fi ], -) +) # Which randomness source do we use? -if test ! -z "$OPENSSL_SEEDS_ITSELF" -a -z "$USE_RAND_HELPER" ; then +if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then # OpenSSL only AC_DEFINE(OPENSSL_PRNG_ONLY) RAND_MSG="OpenSSL internal ONLY" @@ -1270,10 +1608,11 @@ entropy_timeout=200 AC_ARG_WITH(entropy-timeout, [ --with-entropy-timeout Specify entropy gathering command timeout (msec)], [ - if test "x$withval" != "xno" ; then + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then entropy_timeout=$withval fi - ] + ] ) AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout) @@ -1281,10 +1620,11 @@ SSH_PRIVSEP_USER=sshd AC_ARG_WITH(privsep-user, [ --with-privsep-user=user Specify non-privileged user for privilege separation], [ - if test -n "$withval"; then + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then SSH_PRIVSEP_USER=$withval fi - ] + ] ) AC_DEFINE_UNQUOTED(SSH_PRIVSEP_USER, "$SSH_PRIVSEP_USER") AC_SUBST(SSH_PRIVSEP_USER) @@ -1541,6 +1881,10 @@ TYPE_SOCKLEN_T AC_CHECK_TYPES(sig_atomic_t,,,[#include ]) +AC_CHECK_TYPES(in_addr_t,,, +[#include +#include ]) + AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [ AC_TRY_COMPILE( [ @@ -1714,17 +2058,17 @@ fi AC_CHECK_TYPES(struct timespec) # We need int64_t or else certian parts of the compile will fail. -if test "x$ac_cv_have_int64_t" = "xno" -a \ - "x$ac_cv_sizeof_long_int" != "x8" -a \ - "x$ac_cv_sizeof_long_long_int" = "x0" ; then +if test "x$ac_cv_have_int64_t" = "xno" && \ + test "x$ac_cv_sizeof_long_int" != "x8" && \ + test "x$ac_cv_sizeof_long_long_int" = "x0" ; then echo "OpenSSH requires int64_t support. Contact your vendor or install" echo "an alternative compiler (I.E., GCC) before continuing." echo "" exit 1; else dnl test snprintf (broken on SCO w/gcc) - AC_TRY_RUN( - [ + AC_RUN_IFELSE( + [AC_LANG_SOURCE([[ #include #include #ifdef HAVE_SNPRINTF @@ -1747,7 +2091,8 @@ main() #else main() { exit(0); } #endif - ], [ true ], [ AC_DEFINE(BROKEN_SNPRINTF) ] + ]])], [ true ], [ AC_DEFINE(BROKEN_SNPRINTF) ], + AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ) fi @@ -1852,13 +2197,14 @@ fi dnl make sure we're using the real structure members and not defines AC_CACHE_CHECK([for msg_accrights field in struct msghdr], ac_cv_have_accrights_in_msghdr, [ - AC_TRY_RUN( + AC_COMPILE_IFELSE( [ #include #include #include int main() { #ifdef msg_accrights +#error "msg_accrights is a macro" exit(1); #endif struct msghdr m; @@ -1876,13 +2222,14 @@ fi AC_CACHE_CHECK([for msg_control field in struct msghdr], ac_cv_have_control_in_msghdr, [ - AC_TRY_RUN( + AC_COMPILE_IFELSE( [ #include #include #include int main() { #ifdef msg_control +#error "msg_control is a macro" exit(1); #endif struct msghdr m; @@ -2005,23 +2352,28 @@ AC_ARG_WITH(sectok, ) # Check whether user wants OpenSC support +OPENSC_CONFIG="no" AC_ARG_WITH(opensc, - AC_HELP_STRING([--with-opensc=PFX], - [Enable smartcard support using OpenSC]), - opensc_config_prefix="$withval", opensc_config_prefix="") -if test x$opensc_config_prefix != x ; then - OPENSC_CONFIG=$opensc_config_prefix/bin/opensc-config - AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no) - if test "$OPENSC_CONFIG" != "no"; then - LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags` - LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs` - CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS" - LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS" - AC_DEFINE(SMARTCARD) - AC_DEFINE(USE_OPENSC) - SCARD_MSG="yes, using OpenSC" - fi -fi + [--with-opensc[[=PFX]] Enable smartcard support using OpenSC (optionally in PATH)], + [ + if test "x$withval" != "xno" ; then + if test "x$withval" != "xyes" ; then + OPENSC_CONFIG=$withval/bin/opensc-config + else + AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no) + fi + if test "$OPENSC_CONFIG" != "no"; then + LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags` + LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs` + CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS" + LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS" + AC_DEFINE(SMARTCARD) + AC_DEFINE(USE_OPENSC) + SCARD_MSG="yes, using OpenSC" + fi + fi + ] +) # Check libraries needed by DNS fingerprint support AC_SEARCH_LIBS(getrrsetbyname, resolv, @@ -2030,6 +2382,25 @@ AC_SEARCH_LIBS(getrrsetbyname, resolv, # Needed by our getrrsetbyname() AC_SEARCH_LIBS(res_query, resolv) AC_SEARCH_LIBS(dn_expand, resolv) + AC_MSG_CHECKING(if res_query will link) + AC_TRY_LINK_FUNC(res_query, AC_MSG_RESULT(yes), + [AC_MSG_RESULT(no) + saved_LIBS="$LIBS" + LIBS="$LIBS -lresolv" + AC_MSG_CHECKING(for res_query in -lresolv) + AC_LINK_IFELSE([ +#include +int main() +{ + res_query (0, 0, 0, 0, 0); + return 0; +} + ], + [LIBS="$LIBS -lresolv" + AC_MSG_RESULT(yes)], + [LIBS="$saved_LIBS" + AC_MSG_RESULT(no)]) + ]) AC_CHECK_FUNCS(_getshort _getlong) AC_CHECK_MEMBER(HEADER.ad, [AC_DEFINE(HAVE_HEADER_AD)],, @@ -2058,18 +2429,15 @@ AC_ARG_WITH(kerberos5, AC_MSG_CHECKING(for gssapi support) if $KRB5CONF | grep gssapi >/dev/null ; then AC_MSG_RESULT(yes) - K5CFLAGS="`$KRB5CONF --cflags gssapi`" - dnl m4 quadragraphs: "sed 's/-l[^- ]*//g'" - K5LDFLAGS="`$KRB5CONF --libs gssapi | sed 's/-l@<:@^- @:>@*//g'`" - K5LIBS="`$KRB5CONF --libs gssapi | sed 's/-L@<:@^- @:>@*//g'`" + AC_DEFINE(GSSAPI) + k5confopts=gssapi else AC_MSG_RESULT(no) - K5CFLAGS="`$KRB5CONF --cflags`" - K5LDFLAGS="`$KRB5CONF --libs | sed 's/-l@<:@^- @:>@*//g'`" - K5LIBS="`$KRB5CONF --libs | sed 's/-L@<:@^- @:>@*//g'`" + k5confopts="" fi + K5CFLAGS="`$KRB5CONF --cflags $k5confopts`" + K5LIBS="`$KRB5CONF --libs $k5confopts`" CPPFLAGS="$CPPFLAGS $K5CFLAGS" - LDFLAGS="$LDFLAGS $K5LDFLAGS" AC_MSG_CHECKING(whether we are using Heimdal) AC_TRY_COMPILE([ #include ], [ char *tmp = heimdal_version; ], @@ -2086,7 +2454,10 @@ AC_ARG_WITH(kerberos5, [ char *tmp = heimdal_version; ], [ AC_MSG_RESULT(yes) AC_DEFINE(HEIMDAL) - K5LIBS="-lkrb5 -ldes -lcom_err -lasn1 -lroken" + K5LIBS="-lkrb5 -ldes" + K5LIBS="$K5LIBS -lcom_err -lasn1" + AC_CHECK_LIB(roken, net_write, + [K5LIBS="$K5LIBS -lroken"]) ], [ AC_MSG_RESULT(no) K5LIBS="-lkrb5 -lk5crypto -lcom_err" @@ -2104,7 +2475,7 @@ AC_ARG_WITH(kerberos5, $K5LIBS) ], $K5LIBS) - + AC_CHECK_HEADER(gssapi.h, , [ unset ac_cv_header_gssapi_h CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" @@ -2126,14 +2497,17 @@ AC_ARG_WITH(kerberos5, if test ! -z "$blibpath" ; then blibpath="$blibpath:${KRB5ROOT}/lib" fi - fi ] - AC_SEARCH_LIBS(k_hasafs, kafs, - [ AC_DEFINE(AFS) - K5LIBS="-lkafs $K5LIBS" - ] - ) + fi + + AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h) + AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h) + AC_CHECK_HEADERS(gssapi_generic.h gssapi/gssapi_generic.h) + + LIBS="$LIBS $K5LIBS" + AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS)) + AC_SEARCH_LIBS(krb5_init_ets, $K5LIBS, AC_DEFINE(KRB5_INIT_ETS)) + ] ) -LIBS="$LIBS $K5LIBS" # Looking for programs, paths and files @@ -2141,7 +2515,8 @@ PRIVSEP_PATH=/var/empty AC_ARG_WITH(privsep-path, [ --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)], [ - if test "x$withval" != "$no" ; then + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then PRIVSEP_PATH=$withval fi ] @@ -2151,7 +2526,8 @@ AC_SUBST(PRIVSEP_PATH) AC_ARG_WITH(xauth, [ --with-xauth=PATH Specify path to xauth program ], [ - if test "x$withval" != "xno" ; then + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then xauth_path=$withval fi ], @@ -2194,6 +2570,10 @@ if test ! -z "$MAIL" ; then AC_DEFINE_UNQUOTED(MAIL_DIRECTORY, "$maildir") fi +if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then + AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test]) + disable_ptmx_check=yes +fi if test -z "$no_dev_ptmx" ; then if test "x$disable_ptmx_check" != "xyes" ; then AC_CHECK_FILE("/dev/ptmx", @@ -2204,12 +2584,17 @@ if test -z "$no_dev_ptmx" ; then ) fi fi -AC_CHECK_FILE("/dev/ptc", - [ - AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC) - have_dev_ptc=1 - ] -) + +if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then + AC_CHECK_FILE("/dev/ptc", + [ + AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC) + have_dev_ptc=1 + ] + ) +else + AC_MSG_WARN([cross compiling: Disabling /dev/ptc test]) +fi # Options from here on. Some of these are preset by platform above AC_ARG_WITH(mantype, @@ -2260,7 +2645,7 @@ AC_ARG_WITH(md5-passwords, AC_ARG_WITH(shadow, [ --without-shadow Disable shadow password support], [ - if test "x$withval" = "xno" ; then + if test "x$withval" = "xno" ; then AC_DEFINE(DISABLE_SHADOW) disable_shadow=yes fi @@ -2295,7 +2680,7 @@ else AC_ARG_WITH(ipaddr-display, [ --with-ipaddr-display Use ip address instead of hostname in \$DISPLAY], [ - if test "x$withval" != "xno" ; then + if test "x$withval" != "xno" ; then AC_DEFINE(IPADDR_IN_DISPLAY) DISPLAY_HACK_MSG="yes" fi @@ -2305,18 +2690,30 @@ fi # check for /etc/default/login and use it if present. AC_ARG_ENABLE(etc-default-login, - [ --disable-etc-default-login Disable using PATH from /etc/default/login [no]],, -[ -AC_CHECK_FILE("/etc/default/login", [ external_path_file=/etc/default/login ]) + [ --disable-etc-default-login Disable using PATH from /etc/default/login [no]], + [ if test "x$enableval" = "xno"; then + AC_MSG_NOTICE([/etc/default/login handling disabled]) + etc_default_login=no + else + etc_default_login=yes + fi ], + [ etc_default_login=yes ] +) -if test "x$external_path_file" = "x/etc/default/login"; then - AC_DEFINE(HAVE_ETC_DEFAULT_LOGIN) +if test "x$etc_default_login" != "xno"; then + AC_CHECK_FILE("/etc/default/login", + [ external_path_file=/etc/default/login ]) + if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; + then + AC_MSG_WARN([cross compiling: Disabling /etc/default/login test]) + elif test "x$external_path_file" = "x/etc/default/login"; then + AC_DEFINE(HAVE_ETC_DEFAULT_LOGIN) + fi fi -]) dnl BSD systems use /etc/login.conf so --with-default-path= has no effect -if test $ac_cv_func_login_getcapbool = "yes" -a \ - $ac_cv_header_login_cap_h = "yes" ; then +if test $ac_cv_func_login_getcapbool = "yes" && \ + test $ac_cv_header_login_cap_h = "yes" ; then external_path_file=/etc/login.conf fi @@ -2329,7 +2726,7 @@ AC_ARG_WITH(default-path, AC_MSG_WARN([ --with-default-path=PATH has no effect on this system. Edit /etc/login.conf instead.]) - elif test "x$withval" != "xno" ; then + elif test "x$withval" != "xno" ; then if test ! -z "$external_path_file" ; then AC_MSG_WARN([ --with-default-path=PATH will only be used if PATH is not defined in @@ -2370,11 +2767,11 @@ main() { FILE *fd; int rc; - + fd = fopen(DATA,"w"); if(fd == NULL) exit(1); - + if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0) exit(1); @@ -2411,7 +2808,8 @@ fi AC_ARG_WITH(superuser-path, [ --with-superuser-path= Specify different path for super-user], [ - if test "x$withval" != "xno" ; then + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then AC_DEFINE_UNQUOTED(SUPERUSER_PATH, "$withval") superuser_path=$withval fi @@ -2447,7 +2845,7 @@ BSD_AUTH_MSG=no AC_ARG_WITH(bsd-auth, [ --with-bsd-auth Enable BSD auth support], [ - if test "x$withval" != "xno" ; then + if test "x$withval" != "xno" ; then AC_DEFINE(BSD_AUTH) BSD_AUTH_MSG=yes fi @@ -2457,7 +2855,7 @@ AC_ARG_WITH(bsd-auth, # Where to place sshd.pid piddir=/var/run # make sure the directory exists -if test ! -d $piddir ; then +if test ! -d $piddir ; then piddir=`eval echo ${sysconfdir}` case $piddir in NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;; @@ -2467,9 +2865,10 @@ fi AC_ARG_WITH(pid-dir, [ --with-pid-dir=PATH Specify location of ssh.pid file], [ - if test "x$withval" != "xno" ; then + if test -n "$withval" && test "x$withval" != "xno" && \ + test "x${withval}" != "xyes"; then piddir=$withval - if test ! -d $piddir ; then + if test ! -d $piddir ; then AC_MSG_WARN([** no $piddir directory on this system **]) fi fi @@ -2547,9 +2946,9 @@ AC_ARG_ENABLE(pututxline, AC_ARG_WITH(lastlog, [ --with-lastlog=FILE|DIR specify lastlog location [common locations]], [ - if test "x$withval" = "xno" ; then + if test "x$withval" = "xno" ; then AC_DEFINE(DISABLE_LASTLOG) - else + elif test -n "$withval" && test "x${withval}" != "xyes"; then conf_lastlog_location=$withval fi ] @@ -2616,7 +3015,7 @@ fi if test -n "$conf_lastlog_location"; then AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, "$conf_lastlog_location") -fi +fi dnl utmp detection AC_MSG_CHECKING([if your system defines UTMP_FILE]) @@ -2646,7 +3045,7 @@ if test -z "$conf_utmp_location"; then fi if test -n "$conf_utmp_location"; then AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location") -fi +fi dnl wtmp detection AC_MSG_CHECKING([if your system defines WTMP_FILE]) @@ -2676,7 +3075,7 @@ if test -z "$conf_wtmp_location"; then fi if test -n "$conf_wtmp_location"; then AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location") -fi +fi dnl utmpx detection - I don't know any system so perverse as to require @@ -2704,7 +3103,7 @@ if test -z "$conf_utmpx_location"; then fi else AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location") -fi +fi dnl wtmpx detection AC_MSG_CHECKING([if your system defines WTMPX_FILE]) @@ -2729,7 +3128,7 @@ if test -z "$conf_wtmpx_location"; then fi else AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location") -fi +fi if test ! -z "$blibpath" ; then @@ -2746,7 +3145,8 @@ if test "$ac_cv_lib_pam_pam_set_item" = yes ; then fi AC_EXEEXT -AC_CONFIG_FILES([Makefile openbsd-compat/Makefile scard/Makefile ssh_prng_cmds]) +AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openbsd-compat/Makefile \ + scard/Makefile ssh_prng_cmds survey.sh]) AC_OUTPUT # Print summary of options @@ -2792,6 +3192,7 @@ echo " Smartcard support: $SCARD_MSG" echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" echo " MD5 password support: $MD5_MSG" +echo " libedit support: $LIBEDIT_MSG" echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" echo " BSD Auth support: $BSD_AUTH_MSG" @@ -2811,6 +3212,11 @@ echo " Libraries: ${LIBWRAP} ${LIBPAM} ${LIBS}" echo "" +if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then + echo "SVR4 style packages are supported with \"make package\"" + echo "" +fi + if test "x$PAM_MSG" = "xyes" ; then echo "PAM is enabled. You may need to install a PAM control file " echo "for sshd, otherwise password authentication may fail. " @@ -2827,3 +3233,17 @@ if test ! -z "$RAND_HELPER_CMDHASH" ; then echo "" fi +if test ! -z "$NO_PEERCHECK" ; then + echo "WARNING: the operating system that you are using does not " + echo "appear to support either the getpeereid() API nor the " + echo "SO_PEERCRED getsockopt() option. These facilities are used to " + echo "enforce security checks to prevent unauthorised connections to " + echo "ssh-agent. Their absence increases the risk that a malicious " + echo "user can connect to your agent. " + echo "" +fi + +if test "$AUDIT_MODULE" = "bsm" ; then + echo "WARNING: BSM audit support is currently considered EXPERIMENTAL." + echo "See the Solaris section in README.platform for details." +fi