- NetBSD login.c compile fix from David Rankin
<drankin@bohemians.lexington.ky.us>
- Fully set ut_tv if present in utmp or utmpx
+ - Portability fixes for Irix 5.3 (now compiles OK!)
+ - autoconf and other misc cleanups
19991227
- Automatically correct paths in manpages and configuration files. Patch
--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords without using PAM.
+If you need to pass special options to the compiler or linker, you
+can specify these as enviornment variables before running ./configure.
+For example:
+
+CFLAGS="-O -m486" LFLAGS="-s" ./configure
3. Configuration
----------------
$(CC) $(CFLAGS) $(GNOME_CFLAGS) -o $@ gnome-ssh-askpass.c $(GNOME_LIBS)
clean:
- rm -f $(OBJS) $(TARGETS) config.status config.cache config.log core \
+ rm -f *.o $(TARGETS) config.status config.cache config.log core \
*.1 *.8 sshd_config ssh_config
manpages:
This port consists of the re-introduction of autoconf support, PAM
support (for Linux and Solaris), EGD[1] support, and replacements
for OpenBSD library functions that are (regrettably) absent from
-other unices. This port has been best tested on Linux, though some
-Solaris support is beginning to filter in. This version actively
-tracks changes in the OpenBSD CVS repository.
+other unices. This port has been best tested on Linux, Solaris and
+HPUX, though support for AIX and Irix is underway. This version
+actively tracks changes in the OpenBSD CVS repository.
The PAM support is now more functional than the popular packages of
commercial ssh-1.2.x. It checks "account" and "session" modules for
- Better documentation
-- Port to other platforms
-
-- Better testing on non-PAM systems
-
- Replace the horror in acconfig.h which tries to comphensate for the
lack of u_intXX_t types. There must be a better way.
/* SSL directory. */
#undef ssldir
+/* Define if you want to disable PAM support */
+#undef DISABLE_PAM
+
/* Define if you want to disable lastlog support */
#undef DISABLE_LASTLOG
/* Specify default $PATH */
#undef USER_PATH
+/* Define if the inclusion of crypt.h breaks the build (e.g. Irix 5.x) */
+#undef CRYPT_H_BREAKS_BUILD
+
@BOTTOM@
/* ******************* Shouldn't need to edit below this line ************** */
#include "includes.h"
-#ifndef HAVE_LIBPAM
+#ifndef USE_PAM
RCSID("$Id$");
#include "xmalloc.h"
#ifdef HAVE_SHADOW_H
-#include <shadow.h>
-#endif
-
-#ifdef HAVE_MD5_PASSWORDS
-#include "md5crypt.h"
+# include <shadow.h>
#endif
+#if defined(HAVE_CRYPT_H) && !defined(CRYPT_H_BREAKS_BUILD)
+# include <crypt.h>
+#endif /* defined(HAVE_CRYPT_H) && !defined(CRYPT_H_BREAKS_BUILD) */
+#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
+# include "md5crypt.h"
+#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
/*
* Tries to authenticate the user using password. Returns true if
/* Authentication is accepted if the encrypted passwords are identical. */
return (strcmp(encrypted_password, pw_password) == 0);
}
-#endif /* !HAVE_LIBPAM */
+#endif /* !USE_PAM */
*-*-solaris*)
AC_DEFINE(USE_UTMPX)
;;
+*-*-irix5*)
+ AC_DEFINE(CRYPT_H_BREAKS_BUILD)
+# CFLAGS="$CFLAGS -shared"
+ no_libsocket=1
+ no_libnsl=1
+ ;;
esac
dnl Check for OpenSSL/SSLeay directories.
CFLAGS="$CFLAGS -I$ssldir/include"
LDFLAGS="$LDFLAGS -L$ssldir/lib"
fi
-LIBS="$LIBS -lssl -lcrypto"
AC_MSG_RESULT($ssldir)
dnl Check for RSAref library.
AC_CHECK_LIB(crypto, CRYPTO_lock, ,AC_MSG_ERROR([*** libcrypto missing - please install first ***]))
AC_CHECK_LIB(z, deflate, ,AC_MSG_ERROR([*** zlib missing - please install first ***]))
AC_CHECK_LIB(util, login, AC_DEFINE(HAVE_LIBUTIL_LOGIN) LIBS="$LIBS -lutil")
-AC_CHECK_LIB(nsl, yp_match, , )
-AC_CHECK_LIB(socket, main, , )
+AC_CHECK_LIB(crypt, crypt, , )
-dnl Use ip address instead of hostname in $DISPLAY
-AC_ARG_WITH(pam,
- [ --without-pam Disable PAM support ],
- [
- if test "x$withval" != "xno" ; then
- no_pam=1
- fi
- ]
-)
-if test -z "$no_pam" ; then
- AC_CHECK_LIB(dl, dlopen, , )
- AC_CHECK_LIB(pam, pam_authenticate, , )
+if test -z "$no_libsocket" ; then
+ AC_CHECK_LIB(nsl, yp_match, , )
+fi
+if test -z "$no_libnsl" ; then
+ AC_CHECK_LIB(socket, main, , )
fi
dnl Checks for header files.
-AC_CHECK_HEADERS(endian.h lastlog.h login.h maillock.h netgroup.h paths.h poll.h pty.h shadow.h sys/bsdtty.h sys/poll.h sys/select.h sys/stropts.h sys/time.h sys/ttcompat.h util.h utmp.h utmpx.h)
+AC_CHECK_HEADERS(bstring.h crypt.h endian.h lastlog.h login.h maillock.h netdb.h netgroup.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stropts.h sys/time.h sys/ttcompat.h util.h utmp.h utmpx.h)
dnl Checks for library functions.
-AC_CHECK_FUNCS(arc4random getpagesize _getpty innetgr mkdtemp openpty setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy updwtmpx vsnprintf)
+AC_CHECK_FUNCS(arc4random getpagesize _getpty innetgr md5_crypt mkdtemp openpty setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy updwtmpx vsnprintf)
AC_CHECK_FUNC(login,
[AC_DEFINE(HAVE_LOGIN)],
[AC_MSG_RESULT(no)]
)
-dnl Check PAM strerror arguments
-AC_MSG_CHECKING([whether pam_strerror takes only one argument])
-AC_TRY_COMPILE(
- [
- #include <stdlib.h>
- #include <security/pam_appl.h>
- ],
- [(void)pam_strerror((pam_handle_t *)NULL, -1);],
- [AC_MSG_RESULT(no)],
+AC_ARG_WITH(pam,
+ [ --without-pam Disable PAM support ],
[
- AC_DEFINE(HAVE_OLD_PAM)
- AC_MSG_RESULT(yes)
+ if test "x$withval" = "xno" ; then
+ no_pam=1
+ AC_DEFINE(DISABLE_PAM)
+ fi
]
-)
+)
+
+if test -z "$no_pam" -a "x$ac_cv_header_security_pam_appl_h" = "xyes" ; then
+ AC_CHECK_LIB(dl, dlopen, , )
+ LIBS="$LIBS -lpam"
+ dnl Check PAM strerror arguments
+ AC_MSG_CHECKING([whether pam_strerror takes only one argument])
+ AC_TRY_COMPILE(
+ [
+ #include <stdlib.h>
+ #include <security/pam_appl.h>
+ ],
+ [(void)pam_strerror((pam_handle_t *)NULL, -1);],
+ [AC_MSG_RESULT(no)],
+ [
+ AC_DEFINE(HAVE_OLD_PAM)
+ AC_MSG_RESULT(yes)
+ ]
+ )
+fi
AC_MSG_CHECKING([whether to build GNOME ssh-askpass])
dnl Check whether user wants GNOME ssh-askpass
fi
done
if test -z "$gotlastlog" ; then
- AC_MSG_WARN([*** Cannot find lastlog ***])
+ AC_MSG_RESULT(not found)
nolastlog=1
else
if test "x$gotlastlog" = "xdir" ; then
+ AC_MSG_RESULT(${lastlog}/)
AC_DEFINE(LASTLOG_IS_DIR)
AC_MSG_WARN([*** Directory-based lastlogs are not yet supported ***])
nolastlog=1
+ else
+ AC_MSG_RESULT($lastlog)
+ AC_DEFINE_UNQUOTED(LASTLOG_LOCATION, "$lastlog")
fi
- AC_MSG_RESULT($lastlog)
- AC_DEFINE_UNQUOTED(LASTLOG_LOCATION, "$lastlog")
fi
]
)
#endif
#ifdef HAVE_MAILLOCK_H
-#include <maillock.h>
+# include <maillock.h> /* For _PATH_MAILDIR */
#endif
+#ifdef HAVE_SYS_CDEFS_H
+# include <sys/cdefs.h> /* For __P() */
+#endif
+
#ifndef SHUT_RDWR
enum
{
# define _PATH_RSH RSH_PATH
# endif /* RSH_PATH */
#endif /* _PATH_RSH */
+
+#if defined(HAVE_SECURITY_PAM_APPL_H) && !defined(DISABLE_PAM)
+# define USE_PAM
+#endif /* defined(HAVE_SECURITY_PAM_APPL_H) && !defined(DISABLE_PAM) */
+
#include <time.h>
#include <dirent.h>
+#ifdef HAVE_BSTRING_H
+# include <bstring.h>
+#endif
#ifdef HAVE_NETGROUP_H
# include <netgroup.h>
#endif
+#ifdef HAVE_NETDB_H
+# include <netdb.h>
+#endif
#ifdef HAVE_PATHS_H
# include <paths.h>
#endif
#ifdef HAVE_SYS_BSDTTY_H
# include <sys/bsdtty.h>
#endif
-#ifdef HAVE_LIBPAM
+#ifdef USE_PAM
# include <security/pam_appl.h>
#endif
#include "config.h"
-#ifdef HAVE_MD5_PASSWORDS
+#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
#include <unistd.h>
#include <string.h>
return passwd;
}
-#endif /* HAVE_MD5_PASSWORDS */
+#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
#include "config.h"
-#include <unistd.h>
-#include <string.h>
-
-#ifdef HAVE_OPENSSL
-#include <openssl/md5.h>
-#endif
-
-#ifdef HAVE_SSL
-#include <ssl/md5.h>
-#endif
+#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
int is_md5_salt(const char *salt);
char *md5_crypt(const char *pw, const char *salt);
+#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
+
#endif /* MD5CRYPT_H */
const char *display, const char *auth_proto,
const char *auth_data, const char *ttyname);
-#ifdef HAVE_LIBPAM
+#ifdef USE_PAM
static int pamconv(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr);
int do_pam_auth(const char *user, const char *password);
if (pam_retval != PAM_SUCCESS)
fatal("PAM session setup failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
}
-#endif /* HAVE_LIBPAM */
+#endif /* USE_PAM */
/*
* Signal handler for SIGHUP. Sshd execs itself when it receives SIGHUP;
/* The connection has been terminated. */
verbose("Closing connection to %.100s", remote_ip);
-#ifdef HAVE_LIBPAM
+#ifdef USE_PAM
{
int retval;
fatal_remove_cleanup(&pam_cleanup_proc, NULL);
}
}
-#endif /* HAVE_LIBPAM */
+#endif /* USE_PAM */
packet_close();
exit(0);
pwcopy.pw_shell = xstrdup(pw->pw_shell);
pw = &pwcopy;
-#ifdef HAVE_LIBPAM
+#ifdef USE_PAM
{
int pam_retval;
#ifdef KRB4
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
#endif /* KRB4 */
-#ifdef HAVE_LIBPAM
+#ifdef USE_PAM
do_pam_auth(pw->pw_name, "")) {
-#else /* HAVE_LIBPAM */
+#else /* USE_PAM */
auth_password(pw, "")) {
-#endif /* HAVE_LIBPAM */
+#endif /* USE_PAM */
/* Authentication with empty password succeeded. */
log("Login for user %s from %.100s, accepted without authentication.",
pw->pw_name, get_remote_ipaddr());
authenticated = auth_rhosts(pw, client_user);
snprintf(user, sizeof user, " ruser %s", client_user);
-#ifndef HAVE_LIBPAM
+#ifndef USE_PAM
xfree(client_user);
-#endif /* HAVE_LIBPAM */
+#endif /* USE_PAM */
break;
case SSH_CMSG_AUTH_RHOSTS_RSA:
BN_clear_free(client_host_key_n);
snprintf(user, sizeof user, " ruser %s", client_user);
-#ifndef HAVE_LIBPAM
+#ifndef USE_PAM
xfree(client_user);
-#endif /* HAVE_LIBPAM */
+#endif /* USE_PAM */
break;
case SSH_CMSG_AUTH_RSA:
password = packet_get_string(&dlen);
packet_integrity_check(plen, 4 + dlen, type);
-#ifdef HAVE_LIBPAM
+#ifdef USE_PAM
/* Do PAM auth with password */
authenticated = do_pam_auth(pw->pw_name, password);
-#else /* HAVE_LIBPAM */
+#else /* USE_PAM */
/* Try authentication with the password. */
authenticated = auth_password(pw, password);
-#endif /* HAVE_LIBPAM */
+#endif /* USE_PAM */
memset(password, 0, strlen(password));
xfree(password);
break;
get_remote_port(),
user);
-#ifndef HAVE_LIBPAM
+#ifndef USE_PAM
if (authenticated)
return;
if (attempt > AUTH_FAIL_MAX)
packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);
-#else /* HAVE_LIBPAM */
+#else /* USE_PAM */
if (authenticated) {
do_pam_account(pw->pw_name, client_user);
packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);
}
-#endif /* HAVE_LIBPAM */
+#endif /* USE_PAM */
/* Send a message indicating that the authentication attempt failed. */
packet_start(SSH_SMSG_FAILURE);
/* Indicate that we now have a pty. */
have_pty = 1;
-#ifdef HAVE_LIBPAM
+#ifdef USE_PAM
/* do the pam_open_session since we have the pty */
do_pam_session(pw->pw_name,ttyname);
-#endif /* HAVE_LIBPAM */
+#endif /* USE_PAM */
break;
snprintf(line, sizeof line, "%.200s/.hushlogin", pw->pw_dir);
quiet_login = stat(line, &st) >= 0;
-#ifdef HAVE_LIBPAM
+#ifdef USE_PAM
/* output the results of the pamconv() */
if (!quiet_login && pamconv_msg != NULL)
fprintf(stderr, pamconv_msg);
struct stat st;
char *argv[10];
-#ifndef HAVE_LIBPAM /* pam_nologin handles this */
+#ifndef USE_PAM /* pam_nologin handles this */
/* Check /etc/nologin. */
f = fopen("/etc/nologin", "r");
if (f) {
if (pw->pw_uid != 0)
exit(254);
}
-#endif /* HAVE_LIBPAM */
+#endif /* USE_PAM */
#ifdef HAVE_SETLOGIN
/* Set login name in the kernel. */
}
#endif /* KRB4 */
-#ifdef HAVE_LIBPAM
+#ifdef USE_PAM
/* Pull in any environment variables that may have been set by PAM. */
{
char *equals, var_name[512], var_val[512];
}
}
}
-#endif /* HAVE_LIBPAM */
+#endif /* USE_PAM */
if (xauthfile)
child_set_env(&env, &envsize, "XAUTHORITY", xauthfile);
andersk / openssh.git / commitdiff
