summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2009-12-29 21:32:03 +0000
committerColin Watson <cjwatson@debian.org>2009-12-29 21:32:03 +0000
commit04942aa41fa94ec6f2c3ce1d348f600f31bb7c78 (patch)
treeaf8e928bd79d3f2d0219bb5b2c78b573ec31d94c
parent9ad7b718d42e43f3a285fcbc8f91193931fce324 (diff)
parent16704d57999d987fb8d9ba53379841a79f016d67 (diff)
import openssh-4.2p1-gsskex-20050926-2.patch
Diffstat
-rw-r--r--CREDITS4
-rw-r--r--ChangeLog670
-rw-r--r--INSTALL18
-rw-r--r--LICENCE2
-rw-r--r--Makefile.in8
-rw-r--r--README9
-rw-r--r--README.privsep6
-rw-r--r--WARNING.RNG4
-rw-r--r--acconfig.h14
-rw-r--r--acss.c128
-rw-r--r--atomicio.c14
-rw-r--r--atomicio.h4
-rw-r--r--audit.c8
-rw-r--r--auth-krb5.c70
-rw-r--r--auth-options.c8
-rw-r--r--auth-pam.c65
-rw-r--r--auth-passwd.c5
-rw-r--r--auth-rh-rsa.c4
-rw-r--r--auth-rhosts.c4
-rw-r--r--auth-rsa.c6
-rw-r--r--auth-shadow.c4
-rw-r--r--auth-sia.c2
-rw-r--r--auth-sia.h1
-rw-r--r--auth-skey.c2
-rw-r--r--auth.c71
-rw-r--r--auth.h13
-rw-r--r--auth1.c328
-rw-r--r--auth2-chall.c11
-rw-r--r--auth2-gss.c13
-rw-r--r--auth2.c7
-rw-r--r--authfd.c12
-rw-r--r--authfile.c16
-rw-r--r--bufaux.c6
-rw-r--r--bufaux.h4
-rw-r--r--buffer.c8
-rw-r--r--buffer.h5
-rw-r--r--buildpkg.sh.in8
-rw-r--r--canohost.c11
-rw-r--r--channels.c133
-rw-r--r--channels.h9
-rw-r--r--cipher-acss.c6
-rw-r--r--cipher-ctr.c4
-rw-r--r--cipher.c102
-rw-r--r--clientloop.c155
-rw-r--r--clientloop.h9
-rwxr-xr-xconfig.guess591
-rw-r--r--config.h.in71
-rwxr-xr-xconfig.sub136
-rwxr-xr-xconfigure1519
-rw-r--r--configure.ac618
-rwxr-xr-xcontrib/aix/buildbff.sh4
-rw-r--r--contrib/aix/pam.conf4
-rw-r--r--contrib/caldera/openssh.spec14
-rw-r--r--contrib/cygwin/ssh-host-config16
-rw-r--r--contrib/redhat/openssh.spec2
-rw-r--r--contrib/suse/openssh.spec2
-rw-r--r--defines.h51
-rw-r--r--dns.c33
-rw-r--r--entropy.c6
-rw-r--r--gss-genr.c55
-rw-r--r--gss-serv-krb5.c35
-rw-r--r--gss-serv.c21
-rw-r--r--hostfile.c10
-rw-r--r--includes.h13
-rw-r--r--kex.c50
-rw-r--r--kex.h15
-rw-r--r--kexgssc.c142
-rw-r--r--kexgsss.c96
-rw-r--r--key.c4
-rw-r--r--log.c1
-rw-r--r--loginrec.c39
-rw-r--r--loginrec.h4
-rw-r--r--mac.c11
-rw-r--r--match.c4
-rw-r--r--mdoc2man.awk3
-rw-r--r--misc.c134
-rw-r--r--misc.h9
-rw-r--r--moduli.c33
-rw-r--r--monitor.c24
-rw-r--r--monitor_wrap.c29
-rw-r--r--msg.c15
-rw-r--r--myproposal.h7
-rw-r--r--openbsd-compat/Makefile.in8
-rw-r--r--openbsd-compat/bsd-cygwin_util.c7
-rw-r--r--openbsd-compat/bsd-misc.c20
-rw-r--r--openbsd-compat/fake-rfc2553.h16
-rw-r--r--openbsd-compat/getrrsetbyname.c4
-rw-r--r--openbsd-compat/openbsd-compat.h7
-rw-r--r--openbsd-compat/openssl-compat.c46
-rw-r--r--openbsd-compat/openssl-compat.h65
-rw-r--r--openbsd-compat/port-aix.c20
-rw-r--r--openbsd-compat/port-aix.h15
-rw-r--r--openbsd-compat/port-uw.c134
-rw-r--r--openbsd-compat/port-uw.h30
-rw-r--r--openbsd-compat/readpassphrase.c7
-rw-r--r--openbsd-compat/realpath.c266
-rw-r--r--openbsd-compat/strtoll.c151
-rw-r--r--openbsd-compat/strtonum.c69
-rw-r--r--openbsd-compat/xcrypt.c5
-rw-r--r--packet.c63
-rw-r--r--packet.h6
-rw-r--r--progressmeter.c49
-rw-r--r--readconf.c49
-rw-r--r--readconf.h8
-rw-r--r--readpass.c11
-rw-r--r--regress/multiplex.sh6
-rw-r--r--regress/reexec.sh6
-rw-r--r--regress/test-exec.sh9
-rw-r--r--scp.02
-rw-r--r--scp.c51
-rw-r--r--servconf.c49
-rw-r--r--servconf.h1
-rw-r--r--serverloop.c6
-rw-r--r--session.c136
-rw-r--r--session.h5
-rw-r--r--sftp-client.c43
-rw-r--r--sftp-client.h4
-rw-r--r--sftp-server.02
-rw-r--r--sftp-server.c12
-rw-r--r--sftp.02
-rw-r--r--sftp.c55
-rw-r--r--ssh-add.018
-rw-r--r--ssh-add.114
-rw-r--r--ssh-add.c8
-rw-r--r--ssh-agent.021
-rw-r--r--ssh-agent.114
-rw-r--r--ssh-gss.h12
-rw-r--r--ssh-keygen.055
-rw-r--r--ssh-keygen.136
-rw-r--r--ssh-keygen.c86
-rw-r--r--ssh-keyscan.02
-rw-r--r--ssh-keyscan.c34
-rw-r--r--ssh-keysign.02
-rw-r--r--ssh-rand-helper.02
-rw-r--r--ssh-rand-helper.c16
-rw-r--r--ssh-rsa.c4
-rw-r--r--ssh.0166
-rw-r--r--ssh.184
-rw-r--r--ssh.c238
-rw-r--r--ssh_config.0123
-rw-r--r--ssh_config.5136
-rw-r--r--sshconnect.c74
-rw-r--r--sshconnect1.c4
-rw-r--r--sshconnect2.c46
-rw-r--r--sshd.050
-rw-r--r--sshd.832
-rw-r--r--sshd.c107
-rw-r--r--sshd_config6
-rw-r--r--sshd_config.035
-rw-r--r--sshd_config.545
-rw-r--r--sshpty.c4
-rw-r--r--ttymodes.c30
-rw-r--r--version.h4
153 files changed, 6046 insertions, 2719 deletions
diff --git a/CREDITS b/CREDITS
index 2a77b8729..82b9f2210 100644
--- a/CREDITS
+++ b/CREDITS
@@ -3,6 +3,7 @@ Tatu Ylonen <ylo@cs.hut.fi> - Creator of SSH
3Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 3Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
4Theo de Raadt, and Dug Song - Creators of OpenSSH 4Theo de Raadt, and Dug Song - Creators of OpenSSH
5 5
6Ahsan Rashid <arms@sco.com> - UnixWare long passwords
6Alain St-Denis <Alain.St-Denis@ec.gc.ca> - Irix fix 7Alain St-Denis <Alain.St-Denis@ec.gc.ca> - Irix fix
7Alexandre Oliva <oliva@lsd.ic.unicamp.br> - AIX fixes 8Alexandre Oliva <oliva@lsd.ic.unicamp.br> - AIX fixes
8Andre Lucas <andre@ae-35.com> - new login code, many fixes 9Andre Lucas <andre@ae-35.com> - new login code, many fixes
@@ -32,6 +33,7 @@ David Del Piero <David.DelPiero@qed.qld.gov.au> - bug fixes
32David Hesprich <darkgrue@gue-tech.org> - Configure fixes 33David Hesprich <darkgrue@gue-tech.org> - Configure fixes
33David Rankin <drankin@bohemians.lexington.ky.us> - libwrap, AIX, NetBSD fixes 34David Rankin <drankin@bohemians.lexington.ky.us> - libwrap, AIX, NetBSD fixes
34Dag-Erling Smørgrav <des at freebsd.org> - Challenge-Response PAM code. 35Dag-Erling Smørgrav <des at freebsd.org> - Challenge-Response PAM code.
36Dhiraj Gulati <dgulati@sco.com> - UnixWare long passwords
35Ed Eden <ede370@stl.rural.usda.gov> - configure fixes 37Ed Eden <ede370@stl.rural.usda.gov> - configure fixes
36Garrick James <garrick@james.net> - configure fixes 38Garrick James <garrick@james.net> - configure fixes
37Gary E. Miller <gem@rellim.com> - SCO support 39Gary E. Miller <gem@rellim.com> - SCO support
@@ -98,5 +100,5 @@ Apologies to anyone I have missed.
98 100
99Damien Miller <djm@mindrot.org> 101Damien Miller <djm@mindrot.org>
100 102
101$Id: CREDITS,v 1.79 2004/05/26 23:59:31 dtucker Exp $ 103$Id: CREDITS,v 1.80 2005/08/26 20:15:20 tim Exp $
102 104
diff --git a/ChangeLog b/ChangeLog
index 046e32e8a..9573f8672 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,671 @@
120050901
2 - (djm) Update RPM spec file versions
3
420050831
5 - (djm) OpenBSD CVS Sync
6 - djm@cvs.openbsd.org 2005/08/30 22:08:05
7 [gss-serv.c sshconnect2.c]
8 destroy credentials if krb5_kuserok() call fails. Stops credentials being
9 delegated to users who are not authorised for GSSAPIAuthentication when
10 GSSAPIDeletegateCredentials=yes and another authentication mechanism
11 succeeds; bz#1073 reported by paul.moore AT centrify.com, fix by
12 simon AT sxw.org.uk, tested todd@ biorn@ jakob@; ok deraadt@
13 - markus@cvs.openbsd.org 2005/08/31 09:28:42
14 [version.h]
15 4.2
16 - (dtucker) [README] Update release note URL to 4.2
17 - (tim) [configure.ac auth.c defines.h session.c openbsd-compat/port-uw.c
18 openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] libiaf cleanup. Disable
19 libiaf bits for OpenServer6. Free memory allocated by ia_get_logpwd().
20 Feedback and OK dtucker@
21
2220050830
23 - (tim) [configure.ac] Back out last change. It needs to be done differently.
24
2520050829
26 - (tim) [configure.ac] ia_openinfo() seems broken on OSR6. Limit UW long
27 password support to 7.x for now.
28
2920050826
30 - (tim) [CREDITS LICENCE auth.c configure.ac defines.h includes.h session.c
31 openbsd-compat/Makefile.in openbsd-compat/openbsd-compat.h
32 openbsd-compat/xcrypt.c] New files [openssh/openbsd-compat/port-uw.c
33 openssh/openbsd-compat/port-uw.h] Support long passwords (> 8-char)
34 on UnixWare 7 from Dhiraj Gulati and Ahsan Rashid. Cleanup and testing
35 by tim@. Feedback and OK dtucker@
36
3720050823
38 - (dtucker) [regress/test-exec.sh] Do not prepend an extra "/" to a fully-
39 qualified sshd pathname since some systems (eg Cygwin) may consider "/foo"
40 and "//foo" to be different. Spotted by vinschen at redhat.com.
41 - (tim) [configure.ac] Not all gcc's support -Wsign-compare. Enhancements
42 and OK dtucker@
43 - (tim) [defines.h] PATH_MAX bits for OpenServer OK dtucker@
44
4520050821
46 - (dtucker) [configure.ac defines.h includes.h sftp.c] Add support for
47 LynxOS, patch from Olli Savia (ops at iki.fi). ok djm@
48
4920050816
50 - (djm) [ttymodes.c] bugzilla #1025: Fix encoding of _POSIX_VDISABLE,
51 from Jacob Nevins; ok dtucker@
52
5320050815
54 - (tim) [sftp.c] wrap el_end() in #ifdef USE_LIBEDIT
55 - (tim) [configure.ac] corrections to libedit tests. Report and patches
56 by skeleten AT shillest.net
57
5820050812
59 - (djm) OpenBSD CVS Sync
60 - markus@cvs.openbsd.org 2005/07/28 17:36:22
61 [packet.c]
62 missing packet_init_compression(); from solar
63 - djm@cvs.openbsd.org 2005/07/30 01:26:16
64 [ssh.c]
65 fix -D listen_host initialisation, so it picks up gateway_ports setting
66 correctly
67 - djm@cvs.openbsd.org 2005/07/30 02:03:47
68 [readconf.c]
69 listen_hosts initialisation here too; spotted greg AT y2005.nest.cx
70 - dtucker@cvs.openbsd.org 2005/08/06 10:03:12
71 [servconf.c]
72 Unbreak sshd ListenAddress for bare IPv6 addresses.
73 Report from Janusz Mucka; ok djm@
74 - jaredy@cvs.openbsd.org 2005/08/08 13:22:48
75 [sftp.c]
76 sftp prompt enhancements:
77 - in non-interactive mode, do not print an empty prompt at the end
78 before finishing
79 - print newline after EOF in editline mode
80 - call el_end() in editline mode
81 ok dtucker djm
82
8320050810
84 - (dtucker) [configure.ac] Test libedit library and headers for compatibility.
85 Report from skeleten AT shillest.net, ok djm@
86 - (dtucker) [LICENCE configure.ac defines.h openbsd-compat/realpath.c]
87 Sync current (thread-safe) version of realpath.c from OpenBSD (which is
88 in turn based on FreeBSD's). ok djm@
89
9020050809
91 - (tim) [configure.ac] Allow --with-audit=no. OK dtucker@
92 Report by skeleten AT shillest.net
93
9420050803
95 - (dtucker) [openbsd-compat/fake-rfc2553.h] Check for EAI_* defines
96 individually and use a value less likely to collide with real values from
97 netdb.h. Fixes compile warnings on FreeBSD 5.3. ok djm@
98 - (dtucker) [openbsd-compat/fake-rfc2553.h] MAX_INT -> INT_MAX since the
99 latter is specified in the standard.
100
10120050802
102 - (dtucker) OpenBSD CVS Sync
103 - dtucker@cvs.openbsd.org 2005/07/27 10:39:03
104 [scp.c hostfile.c sftp-client.c]
105 Silence bogus -Wuninitialized warnings; ok djm@
106 - (dtucker) [configure.ac] Enable -Wuninitialized by default when compiling
107 with gcc. ok djm@
108 - (dtucker) [configure.ac] Add a --with-Werror option to configure for
109 adding -Werror to CFLAGS when all of the configure tests are done. ok djm@
110
11120050726
112 - (dtucker) [configure.ac] Update zlib warning message too, pointed out by
113 tim@.
114 - (djm) OpenBSD CVS Sync
115 - otto@cvs.openbsd.org 2005/07/19 15:32:26
116 [auth-passwd.c]
117 auth_usercheck(3) can return NULL, so check for that. Report from
118 mpech@. ok markus@
119 - markus@cvs.openbsd.org 2005/07/25 11:59:40
120 [kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c]
121 [sshconnect2.c sshd.c sshd_config sshd_config.5]
122 add a new compression method that delays compression until the user
123 has been authenticated successfully and set compression to 'delayed'
124 for sshd.
125 this breaks older openssh clients (< 3.5) if they insist on
126 compression, so you have to re-enable compression in sshd_config.
127 ok djm@
128
12920050725
130 - (dtucker) [configure.ac] Update zlib version check for CAN-2005-2096.
131
13220050717
133- OpenBSD CVS Sync
134 - djm@cvs.openbsd.org 2005/07/16 01:35:24
135 [auth1.c channels.c cipher.c clientloop.c kex.c session.c ssh.c]
136 [sshconnect.c]
137 spacing
138 - (djm) [acss.c auth-pam.c auth-shadow.c auth-skey.c auth1.c canohost.c]
139 [cipher-acss.c loginrec.c ssh-rand-helper.c sshd.c] Fix whitespace at EOL
140 in portable too ("perl -p -i -e 's/\s+$/\n/' *.[ch]")
141 - (djm) [auth-pam.c sftp.c] spaces vs. tabs at start of line
142 - djm@cvs.openbsd.org 2005/07/17 06:49:04
143 [channels.c channels.h session.c session.h]
144 Fix a number of X11 forwarding channel leaks:
145 1. Refuse multiple X11 forwarding requests on the same session
146 2. Clean up all listeners after a single_connection X11 forward, not just
147 the one that made the single connection
148 3. Destroy X11 listeners when the session owning them goes away
149 testing and ok dtucker@
150 - djm@cvs.openbsd.org 2005/07/17 07:17:55
151 [auth-rh-rsa.c auth-rhosts.c auth2-chall.c auth2-gss.c channels.c]
152 [cipher-ctr.c gss-genr.c gss-serv.c kex.c moduli.c readconf.c]
153 [serverloop.c session.c sftp-client.c sftp.c ssh-add.c ssh-keygen.c]
154 [sshconnect.c sshconnect2.c]
155 knf says that a 2nd level indent is four (not three or five) spaces
156 -(djm) [audit.c auth1.c auth2.c entropy.c loginrec.c serverloop.c]
157 [ssh-rand-helper.c] fix portable 2nd level indents at 4 spaces too
158 - (djm) [monitor.c monitor_wrap.c] -Wsign-compare for PAM monitor calls
159
16020050716
161 - (dtucker) [auth-pam.c] Ensure that only one side of the authentication
162 socketpair stays open on in both the monitor and PAM process. Patch from
163 Joerg Sonnenberger.
164
16520050714
166 - (dtucker) OpenBSD CVS Sync
167 - dtucker@cvs.openbsd.org 2005/07/06 09:33:05
168 [ssh.1]
169 clarify meaning of ssh -b ; with & ok jmc@
170 - dtucker@cvs.openbsd.org 2005/07/08 09:26:18
171 [misc.c]
172 Make comment match code; ok djm@
173 - markus@cvs.openbsd.org 2005/07/08 09:41:33
174 [channels.h]
175 race when efd gets closed while there is still buffered data:
176 change CHANNEL_EFD_OUTPUT_ACTIVE()
177 1) c->efd must always be valid AND
178 2a) no EOF has been seen OR
179 2b) there is buffered data
180 report, initial fix and testing Chuck Cranor
181 - dtucker@cvs.openbsd.org 2005/07/08 10:20:41
182 [ssh_config.5]
183 change BindAddress to match recent ssh -b change; prompted by markus@
184 - jmc@cvs.openbsd.org 2005/07/08 12:53:10
185 [ssh_config.5]
186 new sentence, new line;
187 - dtucker@cvs.openbsd.org 2005/07/14 04:00:43
188 [misc.h]
189 use __sentinel__ attribute; ok deraadt@ djm@ markus@
190 - (dtucker) [configure.ac defines.h] Define __sentinel__ to nothing if the
191 compiler doesn't understand it to prevent warnings. If any mainstream
192 compiler versions acquire it we can test for those versions. Based on
193 discussion with djm@.
194
19520050707
196 - dtucker [auth-krb5.c auth.h gss-serv-krb5.c] Move KRB5CCNAME generation for
197 the MIT Kerberos code path into a common function and expand mkstemp
198 template to be consistent with the rest of OpenSSH. From sxw at
199 inf.ed.ac.uk, ok djm@
200 - (dtucker) [auth-krb5.c] There's no guarantee that snprintf will set errno
201 in the case where the buffer is insufficient, so always return ENOMEM.
202 Also pointed out by sxw at inf.ed.ac.uk.
203 - (dtucker) [acconfig.h auth-krb5.c configure.ac gss-serv-krb5.c] Remove
204 calls to krb5_init_ets, which has not been required since krb-1.1.x and
205 most Kerberos versions no longer export in their public API. From sxw
206 at inf.ed.ac.uk, ok djm@
207
20820050706
209 - (djm) OpenBSD CVS Sync
210 - markus@cvs.openbsd.org 2005/07/01 13:19:47
211 [channels.c]
212 don't free() if getaddrinfo() fails; report mpech@
213 - djm@cvs.openbsd.org 2005/07/04 00:58:43
214 [channels.c clientloop.c clientloop.h misc.c misc.h ssh.c ssh_config.5]
215 implement support for X11 and agent forwarding over multiplex slave
216 connections. Because of protocol limitations, the slave connections inherit
217 the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
218 their own.
219 ok dtucker@ "put it in" deraadt@
220 - jmc@cvs.openbsd.org 2005/07/04 11:29:51
221 [ssh_config.5]
222 fix Xr and a little grammar;
223 - markus@cvs.openbsd.org 2005/07/04 14:04:11
224 [channels.c]
225 don't forget to set x11_saved_display
226
22720050626
228 - (djm) OpenBSD CVS Sync
229 - djm@cvs.openbsd.org 2005/06/17 22:53:47
230 [ssh.c sshconnect.c]
231 Fix ControlPath's %p expanding to "0" for a default port,
232 spotted dwmw2 AT infradead.org; ok markus@
233 - djm@cvs.openbsd.org 2005/06/18 04:30:36
234 [ssh.c ssh_config.5]
235 allow ControlPath=none, patch from dwmw2 AT infradead.org; ok dtucker@
236 - djm@cvs.openbsd.org 2005/06/25 22:47:49
237 [ssh.c]
238 do the default port filling code a few lines earlier, so it really
239 does fix %p
240
24120050618
242 - (djm) OpenBSD CVS Sync
243 - djm@cvs.openbsd.org 2005/05/20 12:57:01;
244 [auth1.c] split protocol 1 auth methods into separate functions, makes
245 authloop much more readable; fixes and ok markus@ (portable ok &
246 polish dtucker@)
247 - djm@cvs.openbsd.org 2005/06/17 02:44:33
248 [auth1.c] make this -Wsign-compare clean; ok avsm@ markus@
249 - (djm) [loginrec.c ssh-rand-helper.c] Fix -Wsign-compare for portable,
250 tested and fixes tim@
251
25220050617
253 - (djm) OpenBSD CVS Sync
254 - djm@cvs.openbsd.org 2005/06/16 03:38:36
255 [channels.c channels.h clientloop.c clientloop.h ssh.c]
256 move x11_get_proto from ssh.c to clientloop.c, to make muliplexed xfwd
257 easier later; ok deraadt@
258 - markus@cvs.openbsd.org 2005/06/16 08:00:00
259 [canohost.c channels.c sshd.c]
260 don't exit if getpeername fails for forwarded ports; bugzilla #1054;
261 ok djm
262 - djm@cvs.openbsd.org 2005/06/17 02:44:33
263 [auth-rsa.c auth.c auth1.c auth2-chall.c auth2-gss.c authfd.c authfile.c]
264 [bufaux.c canohost.c channels.c cipher.c clientloop.c dns.c gss-serv.c]
265 [kex.c kex.h key.c mac.c match.c misc.c packet.c packet.h scp.c]
266 [servconf.c session.c session.h sftp-client.c sftp-server.c sftp.c]
267 [ssh-keyscan.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
268 make this -Wsign-compare clean; ok avsm@ markus@
269 NB. auth1.c changes not committed yet (conflicts with uncommitted sync)
270 NB2. more work may be needed to make portable Wsign-compare clean
271 - (dtucker) [cipher.c openbsd-compat/openbsd-compat.h
272 openbsd-compat/openssl-compat.c] only include openssl compat stuff where
273 it's needed as it can cause conflicts elsewhere (eg xcrypt.c). Found by
274 and ok tim@
275
27620050616
277 - (djm) OpenBSD CVS Sync
278 - jaredy@cvs.openbsd.org 2005/06/07 13:25:23
279 [progressmeter.c]
280 catch SIGWINCH and resize progress meter accordingly; ok markus dtucker
281 - djm@cvs.openbsd.org 2005/06/06 11:20:36
282 [auth.c auth.h misc.c misc.h ssh.c ssh_config.5 sshconnect.c]
283 introduce a generic %foo expansion function. replace existing % expansion
284 and add expansion to ControlPath; ok markus@
285 - djm@cvs.openbsd.org 2005/06/08 03:50:00
286 [ssh-keygen.1 ssh-keygen.c sshd.8]
287 increase default rsa/dsa key length from 1024 to 2048 bits;
288 ok markus@ deraadt@
289 - djm@cvs.openbsd.org 2005/06/08 11:25:09
290 [clientloop.c readconf.c readconf.h ssh.c ssh_config.5]
291 add ControlMaster=auto/autoask options to support opportunistic
292 multiplexing; tested avsm@ and jakob@, ok markus@
293 - dtucker@cvs.openbsd.org 2005/06/09 13:43:49
294 [cipher.c]
295 Correctly initialize end of array sentinel; ok djm@
296 (Id sync only, change already in portable)
297
29820050609
299 - (dtucker) [cipher.c openbsd-compat/Makefile.in
300 openbsd-compat/openbsd-compat.h openbsd-compat/openssl-compat.{c,h}]
301 Move compatibility code for supporting older OpenSSL versions to the
302 compat layer. Suggested by and "no objection" djm@
303
30420050607
305 - (dtucker) [configure.ac] Continue the hunt for LLONG_MIN and LLONG_MAX:
306 in today's episode we attempt to coax it from limits.h where it may be
307 hiding, failing that we take the DIY approach. Tested by tim@
308
30920050603
310 - (dtucker) [configure.ac] Only try gcc -std=gnu99 if LLONG_MAX isn't
311 defined, and check that it helps before keeping it in CFLAGS. Some old
312 gcc's don't set an error code when encountering an unknown value in -std.
313 Found and tested by tim@.
314 - (dtucker) [configure.ac] Point configure's reporting address at the
315 openssh-unix-dev list. ok tim@ djm@
316
31720050602
318 - (tim) [configure.ac] Some platforms need sys/types.h for arpa/nameser.h.
319 Take AC_CHECK_HEADERS test out of ultrix section. It caused other platforms
320 to skip builtin standard includes tests. (first AC_CHECK_HEADERS test
321 must be run on all platforms) Add missing ;; to case statement. OK dtucker@
322
32320050601
324 - (dtucker) [configure.ac] Look for _getshort and _getlong in
325 arpa/nameser.h.
326 - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoll.c]
327 Add strtoll to the compat library, from OpenBSD.
328 - (dtucker) OpenBSD CVS Sync
329 - avsm@cvs.openbsd.org 2005/05/26 02:08:05
330 [scp.c]
331 If copying multiple files to a target file (which normally fails, as it
332 must be a target directory), kill the spawned ssh child before exiting.
333 This stops it trying to authenticate and spewing lots of output.
334 deraadt@ ok
335 - dtucker@cvs.openbsd.org 2005/05/26 09:08:12
336 [ssh-keygen.c]
337 uint32_t -> u_int32_t for consistency; ok djm@
338 - djm@cvs.openbsd.org 2005/05/27 08:30:37
339 [ssh.c]
340 fix -O for cases where no ControlPath has been specified or socket at
341 ControlPath is not contactable; spotted by and ok avsm@
342 - (tim) [config.guess config.sub] Update to '2005-05-27' version.
343 - (tim) [configure.ac] set TEST_SHELL for OpenServer 6
344
34520050531
346 - (dtucker) [contrib/aix/pam.conf] Correct comments. From davidl at
347 vintela.com.
348 - (dtucker) [mdoc2man.awk] Teach it to understand .Ox.
349
35020050530
351 - (dtucker) [README] Link to new release notes. Beter late than never...
352
35320050529
354 - (dtucker) [openbsd-compat/port-aix.c] Bug #1046: AIX 5.3 expects the
355 argument to passwdexpired to be initialized to NULL. Suggested by tim@
356 While at it, initialize the other arguments to auth functions in case they
357 ever acquire this behaviour.
358 - (dtucker) [openbsd-compat/port-aix.c] Whitespace cleanups while there.
359 - (dtucker) [openbsd-compat/port-aix.c] Minor correction to debug message,
360 spotted by tim@.
361
36220050528
363 - (dtucker) [configure.ac] For AC_CHECK_HEADERS() and AC_CHECK_FUNCS() have
364 one entry per line to make it easier to merge changes. ok djm@
365 - (dtucker) [configure.ac] strsep() may be defined in string.h, so check
366 for its presence and include it in the strsep check.
367 - (dtucker) [configure.ac] getpgrp may be defined in unistd.h, so check for
368 its presence before doing AC_FUNC_GETPGRP.
369 - (dtucker) [configure.ac] Merge HP-UX blocks into a common block with minor
370 version-specific variations as required.
371 - (dtucker) [openbsd-compat/port-aix.h] Use the HAVE_DECL_* definitions as
372 per the autoconf man page. Configure should always define them but it
373 doesn't hurt to check.
374
37520050527
376 - (djm) [defines.h] Use our realpath if we have to define PATH_MAX, spotted by
377 David Leach; ok dtucker@
378 - (dtucker) [acconfig.h configure.ac defines.h includes.h sshpty.c
379 openbsd-compat/bsd-misc.c] Add support for Ultrix. No, that's not a typo.
380 Required changes from Bernhard Simon, integrated by me. ok djm@
381
38220050525
383 - (djm) [mpaux.c mpaux.h Makefile.in] Remove old mpaux.[ch] code, it has not
384 been used for a while
385 - (djm) OpenBSD CVS Sync
386 - otto@cvs.openbsd.org 2005/04/05 13:45:31
387 [ssh-keygen.c]
388 - djm@cvs.openbsd.org 2005/04/06 09:43:59
389 [sshd.c]
390 avoid harmless logspam by not performing setsockopt() on non-socket;
391 ok markus@
392 - dtucker@cvs.openbsd.org 2005/04/06 12:26:06
393 [ssh.c]
394 Fix debug call for port forwards; patch from pete at seebeyond.com,
395 ok djm@ (ID sync only - change already in portable)
396 - djm@cvs.openbsd.org 2005/04/09 04:32:54
397 [misc.c misc.h tildexpand.c Makefile.in]
398 replace tilde_expand_filename with a simpler implementation, ahead of
399 more whacking; ok deraadt@
400 - jmc@cvs.openbsd.org 2005/04/14 12:30:30
401 [ssh.1]
402 arg to -b is an address, not if_name;
403 ok markus@
404 - jakob@cvs.openbsd.org 2005/04/20 10:05:45
405 [dns.c]
406 do not try to look up SSHFP for numerical hostname. ok djm@
407 - djm@cvs.openbsd.org 2005/04/21 06:17:50
408 [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8]
409 [sshd_config.5] OpenSSH doesn't ever look at the $HOME environment
410 variable, so don't say that we do (bz #623); ok deraadt@
411 - djm@cvs.openbsd.org 2005/04/21 11:47:19
412 [ssh.c]
413 don't allocate a pty when -n flag (/dev/null stdin) is set, patch from
414 ignasi.roca AT fujitsu-siemens.com (bz #829); ok dtucker@
415 - dtucker@cvs.openbsd.org 2005/04/23 23:43:47
416 [readpass.c]
417 Add debug message if read_passphrase can't open /dev/tty; bz #471;
418 ok djm@
419 - jmc@cvs.openbsd.org 2005/04/26 12:59:02
420 [sftp-client.h]
421 spelling correction in comment from wiz@netbsd;
422 - jakob@cvs.openbsd.org 2005/04/26 13:08:37
423 [ssh.c ssh_config.5]
424 fallback gracefully if client cannot connect to ControlPath. ok djm@
425 - moritz@cvs.openbsd.org 2005/04/28 10:17:56
426 [progressmeter.c ssh-keyscan.c]
427 add snprintf checks. ok djm@ markus@
428 - markus@cvs.openbsd.org 2005/05/02 21:13:22
429 [readpass.c]
430 missing {}
431 - djm@cvs.openbsd.org 2005/05/10 10:28:11
432 [ssh.c]
433 print nice error message for EADDRINUSE as well (ID sync only)
434 - djm@cvs.openbsd.org 2005/05/10 10:30:43
435 [ssh.c]
436 report real errors on fallback from ControlMaster=no to normal connect
437 - markus@cvs.openbsd.org 2005/05/16 15:30:51
438 [readconf.c servconf.c]
439 check return value from strdelim() for NULL (AddressFamily); mpech
440 - djm@cvs.openbsd.org 2005/05/19 02:39:55
441 [sshd_config.5]
442 sort config options, from grunk AT pestilenz.org; ok jmc@
443 - djm@cvs.openbsd.org 2005/05/19 02:40:52
444 [sshd_config]
445 whitespace nit, from grunk AT pestilenz.org
446 - djm@cvs.openbsd.org 2005/05/19 02:42:26
447 [includes.h]
448 fix cast, from grunk AT pestilenz.org
449 - djm@cvs.openbsd.org 2005/05/20 10:50:55
450 [ssh_config.5]
451 give a ProxyCommand example using nc(1), with and ok jmc@
452 - jmc@cvs.openbsd.org 2005/05/20 11:23:32
453 [ssh_config.5]
454 oops - article and spacing;
455 - avsm@cvs.openbsd.org 2005/05/23 22:44:01
456 [moduli.c ssh-keygen.c]
457 - removes signed/unsigned comparisons in moduli generation
458 - use strtonum instead of atoi where its easier
459 - check some strlcpy overflow and fatal instead of truncate
460 - djm@cvs.openbsd.org 2005/05/23 23:32:46
461 [cipher.c myproposal.h ssh.1 ssh_config.5 sshd_config.5]
462 add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes;
463 ok markus@
464 - avsm@cvs.openbsd.org 2005/05/24 02:05:09
465 [ssh-keygen.c]
466 some style nits from dmiller@, and use a fatal() instead of a printf()/exit
467 - avsm@cvs.openbsd.org 2005/05/24 17:32:44
468 [atomicio.c atomicio.h authfd.c monitor_wrap.c msg.c scp.c sftp-client.c]
469 [ssh-keyscan.c sshconnect.c]
470 Switch atomicio to use a simpler interface; it now returns a size_t
471 (containing number of bytes read/written), and indicates error by
472 returning 0. EOF is signalled by errno==EPIPE.
473 Typical use now becomes:
474
475 if (atomicio(read, ..., len) != len)
476 err(1,"read");
477
478 ok deraadt@, cloder@, djm@
479 - (dtucker) [regress/reexec.sh] Add ${EXEEXT} so this test also works on
480 Cygwin.
481 - (dtucker) [auth-pam.c] Bug #1033: Fix warnings building with PAM on Linux:
482 warning: dereferencing type-punned pointer will break strict-aliasing rules
483 warning: passing arg 3 of `pam_get_item' from incompatible pointer type
484 The type-punned pointer fix is based on a patch from SuSE's rpm. ok djm@
485 - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Bug #1033: Provide
486 templates for _getshort and _getlong if missing to prevent compiler warnings
487 on Linux.
488 - (djm) [configure.ac openbsd-compat/Makefile.in]
489 [openbsd-compat/openbsd-compat.h openbsd-compat/strtonum.c]
490 Add strtonum(3) from OpenBSD libc, new code needs it.
491 Unfortunately Linux forces us to do a bizarre dance with compiler
492 options to get LLONG_MIN/MAX; Spotted by and ok dtucker@
493
49420050524
495 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
496 [contrib/suse/openssh.spec] Update spec file versions to 4.1p1
497 - (dtucker) [auth-pam.c] Since people don't seem to be getting the message
498 that USE_POSIX_THREADS is unsupported, not recommended and generally a bad
499 idea, it is now known as UNSUPPORTED_POSIX_THREADS_HACK. Attempting to use
500 USE_POSIX_THREADS will now generate an error so we don't silently change
501 behaviour. ok djm@
502 - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Ensure sufficient memory
503 allocation when retrieving core Windows environment. Add CYGWIN variable
504 to propagated variables. Patch from vinschen at redhat.com, ok djm@
505 - Release 4.1p1
506
50720050524
508 - (djm) [openbsd-compat/readpassphrase.c] bz #950: Retry tcsetattr to ensure
509 terminal modes are reset correctly. Fix from peak AT argo.troja.mff.cuni.cz;
510 "looks ok" dtucker@
511
51220050512
513 - (tim) [buildpkg.sh.in] missing ${PKG_INSTALL_ROOT} in init script
514 hard link section. Bug 1038.
515
51620050509
517 - (dtucker) [contrib/cygwin/ssh-host-config] Add a test and warning for a
518 user-mode mounts in Cygwin installation. Patch from vinschen at redhat.com.
519
52020050504
521 - (djm) [ssh.c] some systems return EADDRINUSE on a bind to an already-used
522 unix domain socket, so catch that too; from jakob@ ok dtucker@
523
52420050503
525 - (dtucker) [canohost.c] normalise socket addresses returned by
526 get_remote_hostname(). This means that IPv4 addresses in log messages
527 on IPv6 enabled machines will no longer be prefixed by "::ffff:" and
528 AllowUsers, DenyUsers, AllowGroups, DenyGroups will match IPv4-style
529 addresses only for 4-in-6 mapped connections, regardless of whether
530 or not the machine is IPv6 enabled. ok djm@
531
53220050425
533 - (dtucker) [regress/multiplex.sh] Use "kill -0 $pid" to check for the
534 existence of a process since it's more portable. Found by jbasney at
535 ncsa.uiuc.edu; ok tim@
536 - (dtucker) [regress/multiplex.sh] Remove cleanup call since test-exec.sh
537 will clean up anyway. From tim@
538 - (dtucker) [regress/multiplex.sh] Put control socket in /tmp so running
539 "make tests" works even if you're building on a filesystem that doesn't
540 support sockets. From deengert at anl.gov, ok djm@
541
54220050424
543 - (dtucker) [INSTALL configure.ac] Make zlib version check test for 1.1.4 or
544 1.2.1.2 or higher. With tim@, ok djm@
545
54620050423
547 - (tim) [config.guess] Add support for OpenServer 6.
548
54920050421
550 - (dtucker) [session.c] Bug #1024: Don't check pam_session_is_open if
551 UseLogin is set as PAM is not used to establish credentials in that
552 case. Found by Michael Selvesteen, ok djm@
553
55420050419
555 - (dtucker) [INSTALL] Reference README.privsep for the privilege separation
556 requirements. Pointed out by Bengt Svensson.
557 - (dtucker) [INSTALL] Put the s/key text and URL back together.
558 - (dtucker) [INSTALL] Fix s/key text too.
559
56020050411
561 - (tim) [configure.ac] UnixWare needs PASSWD_NEEDS_USERNAME
562
56320050405
564 - (dtucker) [configure.ac] Define HAVE_SO_PEERCRED if we have it. ok djm@
565 - (dtucker) [auth-sia.c] Constify sys_auth_passwd, fixes build error on
566 Tru64. Patch from cmadams at hiwaay.net.
567 - (dtucker) [auth-passwd.c auth-sia.h] Remove duplicate definitions of
568 sys_auth_passwd, pointed out by cmadams at hiwaay.net.
569
57020050403
571 - (djm) OpenBSD CVS Sync
572 - deraadt@cvs.openbsd.org 2005/03/31 18:39:21
573 [scp.c]
574 copy argv[] element instead of smashing the one that ps will see; ok otto
575 - djm@cvs.openbsd.org 2005/04/02 12:41:16
576 [scp.c]
577 since ssh has xstrdup, use it instead of strdup+test. unbreaks -Werror
578 build
579 - (dtucker) [monitor.c] Don't free buffers in audit functions, monitor_read
580 will free as needed. ok tim@ djm@
581
58220050331
583 - (dtucker) OpenBSD CVS Sync
584 - jmc@cvs.openbsd.org 2005/03/16 11:10:38
585 [ssh_config.5]
586 get the syntax right for {Local,Remote}Forward;
587 based on a diff from markus;
588 problem report from ponraj;
589 ok dtucker@ markus@ deraadt@
590 - markus@cvs.openbsd.org 2005/03/16 21:17:39
591 [version.h]
592 4.1
593 - jmc@cvs.openbsd.org 2005/03/18 17:05:00
594 [sshd_config.5]
595 typo;
596 - (dtucker) [auth.h sshd.c openbsd-compat/port-aix.c] Bug #1006: fix bug in
597 handling of password expiry messages returned by AIX's authentication
598 routines, originally reported by robvdwal at sara.nl.
599 - (dtucker) [ssh.c] Prevent null pointer deref in port forwarding debug
600 message on some platforms. Patch from pete at seebeyond.com via djm.
601 - (dtucker) [monitor.c] Remaining part of fix for bug #1006.
602
60320050329
604 - (dtucker) [contrib/aix/buildbff.sh] Bug #1005: Look up only the user we're
605 interested in which is much faster in large (eg LDAP or NIS) environments.
606 Patch from dleonard at vintela.com.
607
60820050321
609 - (dtucker) [configure.ac] Prevent configure --with-zlib from adding -Iyes
610 and -Lyes to CFLAGS and LIBS. Pointed out by peter at slagheap.net,
611 with & ok tim@
612 - (dtucker) [configure.ac] Make configure error out if the user specifies
613 --with-libedit but the required libs can't be found, rather than silently
614 ignoring and continuing. ok tim@
615 - (dtucker) [configure.ac openbsd-compat/port-aix.h] Prevent redefinitions
616 of setauthdb on AIX 5.3, reported by anders.liljegren at its.uu.se.
617
61820050317
619 - (tim) [configure.ac] Bug 998. Make path for --with-opensc optional.
620 Make --without-opensc work.
621 - (tim) [configure.ac] portability changes on test statements. Some shells
622 have problems with -a operator.
623 - (tim) [configure.ac] make some configure options a little more error proof.
624 - (tim) [configure.ac] remove trailing white space.
625
62620050314
627 - (dtucker) OpenBSD CVS Sync
628 - dtucker@cvs.openbsd.org 2005/03/10 10:15:02
629 [readconf.c]
630 Check listen addresses for null, prevents xfree from dying during
631 ClearAllForwardings (bz #996). From Craig Leres, ok markus@
632 - deraadt@cvs.openbsd.org 2005/03/10 22:01:05
633 [misc.c ssh-keygen.c servconf.c clientloop.c auth-options.c ssh-add.c
634 monitor.c sftp-client.c bufaux.h hostfile.c ssh.c sshconnect.c channels.c
635 readconf.c bufaux.c sftp.c]
636 spacing
637 - deraadt@cvs.openbsd.org 2005/03/10 22:40:38
638 [auth-options.c]
639 spacing
640 - markus@cvs.openbsd.org 2005/03/11 14:59:06
641 [ssh-keygen.c]
642 typo, missing \n; mpech
643 - jmc@cvs.openbsd.org 2005/03/12 11:55:03
644 [ssh_config.5]
645 escape `.' at eol to avoid double spacing issues;
646 - dtucker@cvs.openbsd.org 2005/03/14 10:09:03
647 [ssh-keygen.1]
648 Correct description of -H (bz #997); ok markus@, punctuation jmc@
649 - dtucker@cvs.openbsd.org 2005/03/14 11:44:42
650 [auth.c]
651 Populate host for log message for logins denied by AllowUsers and
652 DenyUsers (bz #999); ok markus@ (patch by tryponraj at gmail.com)
653 - markus@cvs.openbsd.org 2005/03/14 11:46:56
654 [buffer.c buffer.h channels.c]
655 limit input buffer size for channels; bugzilla #896; with and ok dtucker@
656 - (tim) [contrib/caldera/openssh.spec] links in rc?.d were getting trashed
657 with a rpm -F
658
65920050313
660 - (dtucker) [contrib/cygwin/ssh-host-config] Makes the query for the
661 localized name of the local administrators group more reliable. From
662 vinschen at redhat.com.
663
66420050312
665 - (dtucker) [regress/test-exec.sh] DEBUG can cause problems where debug
666 output ends up in the client's output, causing regress failures. Found
667 by Corinna Vinschen.
668
120050309 66920050309
2 - (dtucker) [regress/test-exec.sh] Set BIN_SH=xpg4 on OSF1/Digital Unix/Tru64 670 - (dtucker) [regress/test-exec.sh] Set BIN_SH=xpg4 on OSF1/Digital Unix/Tru64
3 so that regress tests behave. From Chris Adams. 671 so that regress tests behave. From Chris Adams.
@@ -2321,4 +2989,4 @@
2321 - (djm) Trim deprecated options from INSTALL. Mention UsePAM 2989 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
2322 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu 2990 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
2323 2991
2324$Id: ChangeLog,v 1.3707.2.1 2005/03/09 04:52:09 djm Exp $ 2992$Id: ChangeLog,v 1.3887 2005/09/01 09:10:48 djm Exp $
diff --git a/INSTALL b/INSTALL
index 4fc3744f3..753d2d061 100644
--- a/INSTALL
+++ b/INSTALL
@@ -3,7 +3,7 @@
3 3
4You will need working installations of Zlib and OpenSSL. 4You will need working installations of Zlib and OpenSSL.
5 5
6Zlib 1.1.4 or greater: 6Zlib 1.1.4 or 1.2.1.2 or greater (ealier 1.2.x versions have problems):
7http://www.gzip.org/zlib/ 7http://www.gzip.org/zlib/
8 8
9OpenSSL 0.9.6 or greater: 9OpenSSL 0.9.6 or greater:
@@ -50,20 +50,20 @@ lacks /dev/random and don't want to use OpenSSH's internal entropy collection.
50http://www.lothar.com/tech/crypto/ 50http://www.lothar.com/tech/crypto/
51 51
52S/Key Libraries: 52S/Key Libraries:
53
54If you wish to use --with-skey then you will need the library below
55installed. No other S/Key library is currently known to be supported.
56
53http://www.sparc.spb.su/solaris/skey/ 57http://www.sparc.spb.su/solaris/skey/
54 58
55LibEdit: 59LibEdit:
56
57sftp now supports command-line editing via NetBSD's libedit. If your 60sftp now supports command-line editing via NetBSD's libedit. If your
58platform has it available natively you can use that, alternatively 61platform has it available natively you can use that, alternatively
59you might try these multi-platform ports: 62you might try these multi-platform ports:
63
60http://www.thrysoee.dk/editline/ 64http://www.thrysoee.dk/editline/
61http://sourceforge.net/projects/libedit/ 65http://sourceforge.net/projects/libedit/
62 66
63If you wish to use --with-skey then you will need the above library
64installed. No other current S/Key library is currently known to be
65supported.
66
672. Building / Installation 672. Building / Installation
68-------------------------- 68--------------------------
69 69
@@ -91,6 +91,10 @@ make install
91This will install the binaries in /opt/{bin,lib,sbin}, but will place the 91This will install the binaries in /opt/{bin,lib,sbin}, but will place the
92configuration files in /etc/ssh. 92configuration files in /etc/ssh.
93 93
94If you are using Privilege Separation (which is enabled by default)
95then you will also need to create the user, group and directory used by
96sshd for privilege separation. See README.privsep for details.
97
94If you are using PAM, you may need to manually install a PAM control 98If you are using PAM, you may need to manually install a PAM control
95file as "/etc/pam.d/sshd" (or wherever your system prefers to keep 99file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
96them). Note that the service name used to start PAM is __progname, 100them). Note that the service name used to start PAM is __progname,
@@ -221,4 +225,4 @@ Please refer to the "reporting bugs" section of the webpage at
221http://www.openssh.com/ 225http://www.openssh.com/
222 226
223 227
224$Id: INSTALL,v 1.66 2005/01/18 01:05:18 dtucker Exp $ 228$Id: INSTALL,v 1.70 2005/04/24 07:52:23 dtucker Exp $
diff --git a/LICENCE b/LICENCE
index ae03eb3a7..ac3634f22 100644
--- a/LICENCE
+++ b/LICENCE
@@ -204,6 +204,7 @@ OpenSSH contains no GPL code.
204 William Jones 204 William Jones
205 Darren Tucker 205 Darren Tucker
206 Sun Microsystems 206 Sun Microsystems
207 The SCO Group
207 208
208 * Redistribution and use in source and binary forms, with or without 209 * Redistribution and use in source and binary forms, with or without
209 * modification, are permitted provided that the following conditions 210 * modification, are permitted provided that the following conditions
@@ -255,6 +256,7 @@ OpenSSH contains no GPL code.
255 Damien Miller 256 Damien Miller
256 Eric P. Allman 257 Eric P. Allman
257 The Regents of the University of California 258 The Regents of the University of California
259 Constantin S. Svintsoff
258 260
259 * Redistribution and use in source and binary forms, with or without 261 * Redistribution and use in source and binary forms, with or without
260 * modification, are permitted provided that the following conditions 262 * modification, are permitted provided that the following conditions
diff --git a/Makefile.in b/Makefile.in
index e0be3d04b..f73219ba6 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
1# $Id: Makefile.in,v 1.270 2005/02/25 23:12:38 dtucker Exp $ 1# $Id: Makefile.in,v 1.273 2005/05/29 07:22:29 dtucker Exp $
2 2
3# uncomment if you run a non bourne compatable shell. Ie. csh 3# uncomment if you run a non bourne compatable shell. Ie. csh
4#SHELL = @SH@ 4#SHELL = @SH@
@@ -66,8 +66,8 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o buffer.o \
66 canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ 66 canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
67 cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ 67 cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
68 compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \ 68 compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
69 log.o match.o moduli.o mpaux.o nchan.o packet.o \ 69 log.o match.o moduli.o nchan.o packet.o \
70 readpass.o rsa.o tildexpand.o ttymodes.o xmalloc.o \ 70 readpass.o rsa.o ttymodes.o xmalloc.o \
71 atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ 71 atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
72 monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ 72 monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
73 kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \ 73 kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
@@ -190,7 +190,7 @@ ssh_prng_cmds.out: ssh_prng_cmds
190 $(PERL) $(srcdir)/fixprogs ssh_prng_cmds $(ENT); \ 190 $(PERL) $(srcdir)/fixprogs ssh_prng_cmds $(ENT); \
191 fi 191 fi
192 192
193# fake rule to stop make trying to compile moduli.o into a binary "modulo" 193# fake rule to stop make trying to compile moduli.o into a binary "moduli.o"
194moduli: 194moduli:
195 echo 195 echo
196 196
diff --git a/README b/README
index 0c5335ff5..51f0ca4fb 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
1See http://www.openssh.com/txt/release-4.0 for the release notes. 1See http://www.openssh.com/txt/release-4.2 for the release notes.
2 2
3- A Japanese translation of this document and of the OpenSSH FAQ is 3- A Japanese translation of this document and of the OpenSSH FAQ is
4- available at http://www.unixuser.org/~haruyama/security/openssh/index.html 4- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -56,9 +56,10 @@ References -
56[2] http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html 56[2] http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
57[3] http://www.gzip.org/zlib/ 57[3] http://www.gzip.org/zlib/
58[4] http://www.openssl.org/ 58[4] http://www.openssl.org/
59[5] http://www.kernel.org/pub/linux/libs/pam/ (PAM is standard on Solaris 59[5] http://www.openpam.org
60 and HP-UX 11) 60 http://www.kernel.org/pub/linux/libs/pam/
61 (PAM also is standard on Solaris and HP-UX 11)
61[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 62[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
62[7] http://www.openssh.com/faq.html 63[7] http://www.openssh.com/faq.html
63 64
64$Id: README,v 1.56.4.1 2005/03/09 03:12:09 djm Exp $ 65$Id: README,v 1.60 2005/08/31 14:05:57 dtucker Exp $
diff --git a/README.privsep b/README.privsep
index ecb9d6914..f565e72da 100644
--- a/README.privsep
+++ b/README.privsep
@@ -38,8 +38,8 @@ privsep user and chroot directory:
38Privsep requires operating system support for file descriptor passing. 38Privsep requires operating system support for file descriptor passing.
39Compression will be disabled on systems without a working mmap MAP_ANON. 39Compression will be disabled on systems without a working mmap MAP_ANON.
40 40
41PAM-enabled OpenSSH is known to function with privsep on AIX, HP-UX 41PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD,
42(including Trusted Mode), Linux and Solaris. 42HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.
43 43
44On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication 44On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication
45part of privsep is supported. Post-authentication privsep is disabled 45part of privsep is supported. Post-authentication privsep is disabled
@@ -60,4 +60,4 @@ process 1005 is the sshd process listening for new connections.
60process 6917 is the privileged monitor process, 6919 is the user owned 60process 6917 is the privileged monitor process, 6919 is the user owned
61sshd process and 6921 is the shell process. 61sshd process and 6921 is the shell process.
62 62
63$Id: README.privsep,v 1.15 2004/10/06 10:09:32 dtucker Exp $ 63$Id: README.privsep,v 1.16 2005/06/04 23:21:41 djm Exp $
diff --git a/WARNING.RNG b/WARNING.RNG
index 687891a73..97da74ff7 100644
--- a/WARNING.RNG
+++ b/WARNING.RNG
@@ -57,7 +57,7 @@ disproportionate time to execute.
57 57
58Tuning the random helper can be done by running ./ssh-random-helper in 58Tuning the random helper can be done by running ./ssh-random-helper in
59very verbose mode ("-vvv") and identifying the commands that are taking 59very verbose mode ("-vvv") and identifying the commands that are taking
60accessive amounts of time or hanging altogher. Any problem commands can 60excessive amounts of time or hanging altogher. Any problem commands can
61be modified or removed from ssh_prng_cmds. 61be modified or removed from ssh_prng_cmds.
62 62
63The default entropy collector will timeout programs which take too long 63The default entropy collector will timeout programs which take too long
@@ -92,4 +92,4 @@ If you are forced to use ssh-rand-helper consider still downloading
92prngd/egd and configure OpenSSH using --with-prngd-port=xx or 92prngd/egd and configure OpenSSH using --with-prngd-port=xx or
93--with-prngd-socket=xx (refer to INSTALL for more information). 93--with-prngd-socket=xx (refer to INSTALL for more information).
94 94
95$Id: WARNING.RNG,v 1.7 2004/12/06 11:40:11 dtucker Exp $ 95$Id: WARNING.RNG,v 1.8 2005/05/26 01:47:54 djm Exp $
diff --git a/acconfig.h b/acconfig.h
index 5721f65fb..619c4b801 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -1,4 +1,4 @@
1/* $Id: acconfig.h,v 1.181 2005/02/25 23:07:38 dtucker Exp $ */ 1/* $Id: acconfig.h,v 1.183 2005/07/07 10:33:36 dtucker Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 1999-2003 Damien Miller. All rights reserved. 4 * Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@@ -119,9 +119,6 @@
119/* Define if you are on NeXT */ 119/* Define if you are on NeXT */
120#undef HAVE_NEXT 120#undef HAVE_NEXT
121 121
122/* Define if you are on NEWS-OS */
123#undef HAVE_NEWS4
124
125/* Define if you want to enable PAM support */ 122/* Define if you want to enable PAM support */
126#undef USE_PAM 123#undef USE_PAM
127 124
@@ -205,9 +202,6 @@
205/* Define if you don't want to use lastlog in session.c */ 202/* Define if you don't want to use lastlog in session.c */
206#undef NO_SSH_LASTLOG 203#undef NO_SSH_LASTLOG
207 204
208/* Define if have krb5_init_ets */
209#undef KRB5_INIT_ETS
210
211/* Define if you don't want to use utmp */ 205/* Define if you don't want to use utmp */
212#undef DISABLE_UTMP 206#undef DISABLE_UTMP
213 207
@@ -353,6 +347,12 @@
353/* getaddrinfo is broken (if present) */ 347/* getaddrinfo is broken (if present) */
354#undef BROKEN_GETADDRINFO 348#undef BROKEN_GETADDRINFO
355 349
350/* platform uses an in-memory credentials cache */
351#undef USE_CCAPI
352
353/* platform has a Security Authorization Session API */
354#undef USE_SECURITY_SESSION_API
355
356/* updwtmpx is broken (if present) */ 356/* updwtmpx is broken (if present) */
357#undef BROKEN_UPDWTMPX 357#undef BROKEN_UPDWTMPX
358 358
diff --git a/acss.c b/acss.c
index 9364ba9fe..99efde071 100644
--- a/acss.c
+++ b/acss.c
@@ -1,4 +1,4 @@
1/* $Id: acss.c,v 1.2 2004/02/06 04:22:43 dtucker Exp $ */ 1/* $Id: acss.c,v 1.3 2005/07/17 07:04:47 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2004 The OpenBSD project 3 * Copyright (c) 2004 The OpenBSD project
4 * 4 *
@@ -24,37 +24,37 @@
24 24
25/* decryption sbox */ 25/* decryption sbox */
26static unsigned char sboxdec[] = { 26static unsigned char sboxdec[] = {
27 0x33, 0x73, 0x3b, 0x26, 0x63, 0x23, 0x6b, 0x76, 27 0x33, 0x73, 0x3b, 0x26, 0x63, 0x23, 0x6b, 0x76,
28 0x3e, 0x7e, 0x36, 0x2b, 0x6e, 0x2e, 0x66, 0x7b, 28 0x3e, 0x7e, 0x36, 0x2b, 0x6e, 0x2e, 0x66, 0x7b,
29 0xd3, 0x93, 0xdb, 0x06, 0x43, 0x03, 0x4b, 0x96, 29 0xd3, 0x93, 0xdb, 0x06, 0x43, 0x03, 0x4b, 0x96,
30 0xde, 0x9e, 0xd6, 0x0b, 0x4e, 0x0e, 0x46, 0x9b, 30 0xde, 0x9e, 0xd6, 0x0b, 0x4e, 0x0e, 0x46, 0x9b,
31 0x57, 0x17, 0x5f, 0x82, 0xc7, 0x87, 0xcf, 0x12, 31 0x57, 0x17, 0x5f, 0x82, 0xc7, 0x87, 0xcf, 0x12,
32 0x5a, 0x1a, 0x52, 0x8f, 0xca, 0x8a, 0xc2, 0x1f, 32 0x5a, 0x1a, 0x52, 0x8f, 0xca, 0x8a, 0xc2, 0x1f,
33 0xd9, 0x99, 0xd1, 0x00, 0x49, 0x09, 0x41, 0x90, 33 0xd9, 0x99, 0xd1, 0x00, 0x49, 0x09, 0x41, 0x90,
34 0xd8, 0x98, 0xd0, 0x01, 0x48, 0x08, 0x40, 0x91, 34 0xd8, 0x98, 0xd0, 0x01, 0x48, 0x08, 0x40, 0x91,
35 0x3d, 0x7d, 0x35, 0x24, 0x6d, 0x2d, 0x65, 0x74, 35 0x3d, 0x7d, 0x35, 0x24, 0x6d, 0x2d, 0x65, 0x74,
36 0x3c, 0x7c, 0x34, 0x25, 0x6c, 0x2c, 0x64, 0x75, 36 0x3c, 0x7c, 0x34, 0x25, 0x6c, 0x2c, 0x64, 0x75,
37 0xdd, 0x9d, 0xd5, 0x04, 0x4d, 0x0d, 0x45, 0x94, 37 0xdd, 0x9d, 0xd5, 0x04, 0x4d, 0x0d, 0x45, 0x94,
38 0xdc, 0x9c, 0xd4, 0x05, 0x4c, 0x0c, 0x44, 0x95, 38 0xdc, 0x9c, 0xd4, 0x05, 0x4c, 0x0c, 0x44, 0x95,
39 0x59, 0x19, 0x51, 0x80, 0xc9, 0x89, 0xc1, 0x10, 39 0x59, 0x19, 0x51, 0x80, 0xc9, 0x89, 0xc1, 0x10,
40 0x58, 0x18, 0x50, 0x81, 0xc8, 0x88, 0xc0, 0x11, 40 0x58, 0x18, 0x50, 0x81, 0xc8, 0x88, 0xc0, 0x11,
41 0xd7, 0x97, 0xdf, 0x02, 0x47, 0x07, 0x4f, 0x92, 41 0xd7, 0x97, 0xdf, 0x02, 0x47, 0x07, 0x4f, 0x92,
42 0xda, 0x9a, 0xd2, 0x0f, 0x4a, 0x0a, 0x42, 0x9f, 42 0xda, 0x9a, 0xd2, 0x0f, 0x4a, 0x0a, 0x42, 0x9f,
43 0x53, 0x13, 0x5b, 0x86, 0xc3, 0x83, 0xcb, 0x16, 43 0x53, 0x13, 0x5b, 0x86, 0xc3, 0x83, 0xcb, 0x16,
44 0x5e, 0x1e, 0x56, 0x8b, 0xce, 0x8e, 0xc6, 0x1b, 44 0x5e, 0x1e, 0x56, 0x8b, 0xce, 0x8e, 0xc6, 0x1b,
45 0xb3, 0xf3, 0xbb, 0xa6, 0xe3, 0xa3, 0xeb, 0xf6, 45 0xb3, 0xf3, 0xbb, 0xa6, 0xe3, 0xa3, 0xeb, 0xf6,
46 0xbe, 0xfe, 0xb6, 0xab, 0xee, 0xae, 0xe6, 0xfb, 46 0xbe, 0xfe, 0xb6, 0xab, 0xee, 0xae, 0xe6, 0xfb,
47 0x37, 0x77, 0x3f, 0x22, 0x67, 0x27, 0x6f, 0x72, 47 0x37, 0x77, 0x3f, 0x22, 0x67, 0x27, 0x6f, 0x72,
48 0x3a, 0x7a, 0x32, 0x2f, 0x6a, 0x2a, 0x62, 0x7f, 48 0x3a, 0x7a, 0x32, 0x2f, 0x6a, 0x2a, 0x62, 0x7f,
49 0xb9, 0xf9, 0xb1, 0xa0, 0xe9, 0xa9, 0xe1, 0xf0, 49 0xb9, 0xf9, 0xb1, 0xa0, 0xe9, 0xa9, 0xe1, 0xf0,
50 0xb8, 0xf8, 0xb0, 0xa1, 0xe8, 0xa8, 0xe0, 0xf1, 50 0xb8, 0xf8, 0xb0, 0xa1, 0xe8, 0xa8, 0xe0, 0xf1,
51 0x5d, 0x1d, 0x55, 0x84, 0xcd, 0x8d, 0xc5, 0x14, 51 0x5d, 0x1d, 0x55, 0x84, 0xcd, 0x8d, 0xc5, 0x14,
52 0x5c, 0x1c, 0x54, 0x85, 0xcc, 0x8c, 0xc4, 0x15, 52 0x5c, 0x1c, 0x54, 0x85, 0xcc, 0x8c, 0xc4, 0x15,
53 0xbd, 0xfd, 0xb5, 0xa4, 0xed, 0xad, 0xe5, 0xf4, 53 0xbd, 0xfd, 0xb5, 0xa4, 0xed, 0xad, 0xe5, 0xf4,
54 0xbc, 0xfc, 0xb4, 0xa5, 0xec, 0xac, 0xe4, 0xf5, 54 0xbc, 0xfc, 0xb4, 0xa5, 0xec, 0xac, 0xe4, 0xf5,
55 0x39, 0x79, 0x31, 0x20, 0x69, 0x29, 0x61, 0x70, 55 0x39, 0x79, 0x31, 0x20, 0x69, 0x29, 0x61, 0x70,
56 0x38, 0x78, 0x30, 0x21, 0x68, 0x28, 0x60, 0x71, 56 0x38, 0x78, 0x30, 0x21, 0x68, 0x28, 0x60, 0x71,
57 0xb7, 0xf7, 0xbf, 0xa2, 0xe7, 0xa7, 0xef, 0xf2, 57 0xb7, 0xf7, 0xbf, 0xa2, 0xe7, 0xa7, 0xef, 0xf2,
58 0xba, 0xfa, 0xb2, 0xaf, 0xea, 0xaa, 0xe2, 0xff 58 0xba, 0xfa, 0xb2, 0xaf, 0xea, 0xaa, 0xe2, 0xff
59}; 59};
60 60
@@ -95,38 +95,38 @@ static unsigned char sboxenc[] = {
95}; 95};
96 96
97static unsigned char reverse[] = { 97static unsigned char reverse[] = {
98 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0, 98 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
99 0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0, 99 0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0,
100 0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8, 100 0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8,
101 0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8, 101 0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8,
102 0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4, 102 0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4,
103 0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4, 103 0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4,
104 0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec, 104 0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec,
105 0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc, 105 0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc,
106 0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2, 106 0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2,
107 0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2, 107 0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2,
108 0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea, 108 0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea,
109 0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa, 109 0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa,
110 0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6, 110 0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6,
111 0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6, 111 0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6,
112 0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee, 112 0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee,
113 0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe, 113 0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe,
114 0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1, 114 0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1,
115 0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1, 115 0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1,
116 0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9, 116 0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9,
117 0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9, 117 0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9,
118 0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5, 118 0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5,
119 0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5, 119 0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5,
120 0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed, 120 0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed,
121 0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd, 121 0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd,
122 0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3, 122 0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3,
123 0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3, 123 0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3,
124 0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb, 124 0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb,
125 0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb, 125 0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb,
126 0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7, 126 0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7,
127 0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7, 127 0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7,
128 0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef, 128 0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef,
129 0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff 129 0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff
130}; 130};
131 131
132/* 132/*
diff --git a/atomicio.c b/atomicio.c
index 7637e1671..12abbda16 100644
--- a/atomicio.c
+++ b/atomicio.c
@@ -1,4 +1,5 @@
1/* 1/*
2 * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
2 * Copyright (c) 1995,1999 Theo de Raadt. All rights reserved. 3 * Copyright (c) 1995,1999 Theo de Raadt. All rights reserved.
3 * All rights reserved. 4 * All rights reserved.
4 * 5 *
@@ -24,14 +25,14 @@
24 */ 25 */
25 26
26#include "includes.h" 27#include "includes.h"
27RCSID("$OpenBSD: atomicio.c,v 1.12 2003/07/31 15:50:16 avsm Exp $"); 28RCSID("$OpenBSD: atomicio.c,v 1.13 2005/05/24 17:32:43 avsm Exp $");
28 29
29#include "atomicio.h" 30#include "atomicio.h"
30 31
31/* 32/*
32 * ensure all of data on socket comes through. f==read || f==vwrite 33 * ensure all of data on socket comes through. f==read || f==vwrite
33 */ 34 */
34ssize_t 35size_t
35atomicio(f, fd, _s, n) 36atomicio(f, fd, _s, n)
36 ssize_t (*f) (int, void *, size_t); 37 ssize_t (*f) (int, void *, size_t);
37 int fd; 38 int fd;
@@ -39,7 +40,8 @@ atomicio(f, fd, _s, n)
39 size_t n; 40 size_t n;
40{ 41{
41 char *s = _s; 42 char *s = _s;
42 ssize_t res, pos = 0; 43 size_t pos = 0;
44 ssize_t res;
43 45
44 while (n > pos) { 46 while (n > pos) {
45 res = (f) (fd, s + pos, n - pos); 47 res = (f) (fd, s + pos, n - pos);
@@ -51,10 +53,12 @@ atomicio(f, fd, _s, n)
51 if (errno == EINTR || errno == EAGAIN) 53 if (errno == EINTR || errno == EAGAIN)
52#endif 54#endif
53 continue; 55 continue;
56 return 0;
54 case 0: 57 case 0:
55 return (res); 58 errno = EPIPE;
59 return pos;
56 default: 60 default:
57 pos += res; 61 pos += (u_int)res;
58 } 62 }
59 } 63 }
60 return (pos); 64 return (pos);
diff --git a/atomicio.h b/atomicio.h
index 5c0f392ef..7eccf206b 100644
--- a/atomicio.h
+++ b/atomicio.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: atomicio.h,v 1.5 2003/06/28 16:23:06 deraadt Exp $ */ 1/* $OpenBSD: atomicio.h,v 1.6 2005/05/24 17:32:43 avsm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 1995,1999 Theo de Raadt. All rights reserved. 4 * Copyright (c) 1995,1999 Theo de Raadt. All rights reserved.
@@ -28,6 +28,6 @@
28/* 28/*
29 * Ensure all of data on socket comes through. f==read || f==vwrite 29 * Ensure all of data on socket comes through. f==read || f==vwrite
30 */ 30 */
31ssize_t atomicio(ssize_t (*)(int, void *, size_t), int, void *, size_t); 31size_t atomicio(ssize_t (*)(int, void *, size_t), int, void *, size_t);
32 32
33#define vwrite (ssize_t (*)(int, void *, size_t))write 33#define vwrite (ssize_t (*)(int, void *, size_t))write
diff --git a/audit.c b/audit.c
index 18fc41047..c77d0c012 100644
--- a/audit.c
+++ b/audit.c
@@ -1,4 +1,4 @@
1/* $Id: audit.c,v 1.2 2005/02/08 10:52:48 dtucker Exp $ */ 1/* $Id: audit.c,v 1.3 2005/07/17 07:26:44 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved. 4 * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved.
@@ -120,7 +120,7 @@ void
120audit_connection_from(const char *host, int port) 120audit_connection_from(const char *host, int port)
121{ 121{
122 debug("audit connection from %s port %d euid %d", host, port, 122 debug("audit connection from %s port %d euid %d", host, port,
123 (int)geteuid()); 123 (int)geteuid());
124} 124}
125 125
126/* 126/*
@@ -147,7 +147,7 @@ audit_session_open(const char *ttyn)
147 const char *t = ttyn ? ttyn : "(no tty)"; 147 const char *t = ttyn ? ttyn : "(no tty)";
148 148
149 debug("audit session open euid %d user %s tty name %s", geteuid(), 149 debug("audit session open euid %d user %s tty name %s", geteuid(),
150 audit_username(), t); 150 audit_username(), t);
151} 151}
152 152
153/* 153/*
@@ -163,7 +163,7 @@ audit_session_close(const char *ttyn)
163 const char *t = ttyn ? ttyn : "(no tty)"; 163 const char *t = ttyn ? ttyn : "(no tty)";
164 164
165 debug("audit session close euid %d user %s tty name %s", geteuid(), 165 debug("audit session close euid %d user %s tty name %s", geteuid(),
166 audit_username(), t); 166 audit_username(), t);
167} 167}
168 168
169/* 169/*
diff --git a/auth-krb5.c b/auth-krb5.c
index 2f742534a..5f554a66b 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -54,9 +54,6 @@ krb5_init(void *context)
54 problem = krb5_init_context(&authctxt->krb5_ctx); 54 problem = krb5_init_context(&authctxt->krb5_ctx);
55 if (problem) 55 if (problem)
56 return (problem); 56 return (problem);
57#ifdef KRB5_INIT_ETS
58 krb5_init_ets(authctxt->krb5_ctx);
59#endif
60 } 57 }
61 return (0); 58 return (0);
62} 59}
@@ -67,9 +64,6 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
67#ifndef HEIMDAL 64#ifndef HEIMDAL
68 krb5_creds creds; 65 krb5_creds creds;
69 krb5_principal server; 66 krb5_principal server;
70 char ccname[40];
71 int tmpfd;
72 mode_t old_umask;
73#endif 67#endif
74 krb5_error_code problem; 68 krb5_error_code problem;
75 krb5_ccache ccache = NULL; 69 krb5_ccache ccache = NULL;
@@ -146,26 +140,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
146 goto out; 140 goto out;
147 } 141 }
148 142
149 snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid()); 143 problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
150
151 old_umask = umask(0177);
152 tmpfd = mkstemp(ccname + strlen("FILE:"));
153 umask(old_umask);
154 if (tmpfd == -1) {
155 logit("mkstemp(): %.100s", strerror(errno));
156 problem = errno;
157 goto out;
158 }
159
160 if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
161 logit("fchmod(): %.100s", strerror(errno));
162 close(tmpfd);
163 problem = errno;
164 goto out;
165 }
166 close(tmpfd);
167
168 problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);
169 if (problem) 144 if (problem)
170 goto out; 145 goto out;
171 146
@@ -184,8 +159,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
184 159
185 len = strlen(authctxt->krb5_ticket_file) + 6; 160 len = strlen(authctxt->krb5_ticket_file) + 6;
186 authctxt->krb5_ccname = xmalloc(len); 161 authctxt->krb5_ccname = xmalloc(len);
162#ifdef USE_CCAPI
163 snprintf(authctxt->krb5_ccname, len, "API:%s",
164 authctxt->krb5_ticket_file);
165#else
187 snprintf(authctxt->krb5_ccname, len, "FILE:%s", 166 snprintf(authctxt->krb5_ccname, len, "FILE:%s",
188 authctxt->krb5_ticket_file); 167 authctxt->krb5_ticket_file);
168#endif
189 169
190#ifdef USE_PAM 170#ifdef USE_PAM
191 if (options.use_pam) 171 if (options.use_pam)
@@ -234,4 +214,42 @@ krb5_cleanup_proc(Authctxt *authctxt)
234 } 214 }
235} 215}
236 216
217#ifndef HEIMDAL
218krb5_error_code
219ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
220 int ret;
221 char ccname[40];
222 mode_t old_umask;
223#ifdef USE_CCAPI
224 char cctemplate[] = "API:krb5cc_%d";
225#else
226 char cctemplate[] = "FILE:/tmp/krb5cc_%d_XXXXXXXXXX";
227 int tmpfd;
228#endif
229
230 ret = snprintf(ccname, sizeof(ccname),
231 cctemplate, geteuid());
232 if (ret == -1 || ret >= (int) sizeof(ccname))
233 return ENOMEM;
234
235#ifndef USE_CCAPI
236 old_umask = umask(0177);
237 tmpfd = mkstemp(ccname + strlen("FILE:"));
238 umask(old_umask);
239 if (tmpfd == -1) {
240 logit("mkstemp(): %.100s", strerror(errno));
241 return errno;
242 }
243
244 if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
245 logit("fchmod(): %.100s", strerror(errno));
246 close(tmpfd);
247 return errno;
248 }
249 close(tmpfd);
250#endif
251
252 return (krb5_cc_resolve(ctx, ccname, ccache));
253}
254#endif /* !HEIMDAL */
237#endif /* KRB5 */ 255#endif /* KRB5 */
diff --git a/auth-options.c b/auth-options.c
index 04d12d66e..a85e40835 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -10,7 +10,7 @@
10 */ 10 */
11 11
12#include "includes.h" 12#include "includes.h"
13RCSID("$OpenBSD: auth-options.c,v 1.29 2005/03/01 10:09:52 djm Exp $"); 13RCSID("$OpenBSD: auth-options.c,v 1.31 2005/03/10 22:40:38 deraadt Exp $");
14 14
15#include "xmalloc.h" 15#include "xmalloc.h"
16#include "match.h" 16#include "match.h"
@@ -247,7 +247,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
247 host = hpdelim(&p); 247 host = hpdelim(&p);
248 if (host == NULL || strlen(host) >= NI_MAXHOST) { 248 if (host == NULL || strlen(host) >= NI_MAXHOST) {
249 debug("%.100s, line %lu: Bad permitopen " 249 debug("%.100s, line %lu: Bad permitopen "
250 "specification <%.100s>", file, linenum, 250 "specification <%.100s>", file, linenum,
251 patterns); 251 patterns);
252 auth_debug_add("%.100s, line %lu: " 252 auth_debug_add("%.100s, line %lu: "
253 "Bad permitopen specification", file, 253 "Bad permitopen specification", file,
@@ -255,8 +255,8 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
255 xfree(patterns); 255 xfree(patterns);
256 goto bad_option; 256 goto bad_option;
257 } 257 }
258 host = cleanhostname(host); 258 host = cleanhostname(host);
259 if (p == NULL || (port = a2port(p)) == 0) { 259 if (p == NULL || (port = a2port(p)) == 0) {
260 debug("%.100s, line %lu: Bad permitopen port " 260 debug("%.100s, line %lu: Bad permitopen port "
261 "<%.100s>", file, linenum, p ? p : ""); 261 "<%.100s>", file, linenum, p ? p : "");
262 auth_debug_add("%.100s, line %lu: " 262 auth_debug_add("%.100s, line %lu: "
diff --git a/auth-pam.c b/auth-pam.c
index 6ce8c429b..0446cd559 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,7 @@
47 47
48/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ 48/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
49#include "includes.h" 49#include "includes.h"
50RCSID("$Id: auth-pam.c,v 1.121 2005/01/20 02:29:51 dtucker Exp $"); 50RCSID("$Id: auth-pam.c,v 1.126 2005/07/17 07:18:50 djm Exp $");
51 51
52#ifdef USE_PAM 52#ifdef USE_PAM
53#if defined(HAVE_SECURITY_PAM_APPL_H) 53#if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -56,6 +56,13 @@ RCSID("$Id: auth-pam.c,v 1.121 2005/01/20 02:29:51 dtucker Exp $");
56#include <pam/pam_appl.h> 56#include <pam/pam_appl.h>
57#endif 57#endif
58 58
59/* OpenGroup RFC86.0 and XSSO specify no "const" on arguments */
60#ifdef PAM_SUN_CODEBASE
61# define sshpam_const /* Solaris, HP-UX, AIX */
62#else
63# define sshpam_const const /* LinuxPAM, OpenPAM */
64#endif
65
59#include "auth.h" 66#include "auth.h"
60#include "auth-pam.h" 67#include "auth-pam.h"
61#include "buffer.h" 68#include "buffer.h"
@@ -76,7 +83,17 @@ extern Buffer loginmsg;
76extern int compat20; 83extern int compat20;
77extern u_int utmp_len; 84extern u_int utmp_len;
78 85
86/* so we don't silently change behaviour */
79#ifdef USE_POSIX_THREADS 87#ifdef USE_POSIX_THREADS
88# error "USE_POSIX_THREADS replaced by UNSUPPORTED_POSIX_THREADS_HACK"
89#endif
90
91/*
92 * Formerly known as USE_POSIX_THREADS, using this is completely unsupported
93 * and generally a bad idea. Use at own risk and do not expect support if
94 * this breaks.
95 */
96#ifdef UNSUPPORTED_POSIX_THREADS_HACK
80#include <pthread.h> 97#include <pthread.h>
81/* 98/*
82 * Avoid namespace clash when *not* using pthreads for systems *with* 99 * Avoid namespace clash when *not* using pthreads for systems *with*
@@ -98,7 +115,7 @@ struct pam_ctxt {
98static void sshpam_free_ctx(void *); 115static void sshpam_free_ctx(void *);
99static struct pam_ctxt *cleanup_ctxt; 116static struct pam_ctxt *cleanup_ctxt;
100 117
101#ifndef USE_POSIX_THREADS 118#ifndef UNSUPPORTED_POSIX_THREADS_HACK
102/* 119/*
103 * Simulate threads with processes. 120 * Simulate threads with processes.
104 */ 121 */
@@ -106,14 +123,14 @@ static struct pam_ctxt *cleanup_ctxt;
106static int sshpam_thread_status = -1; 123static int sshpam_thread_status = -1;
107static mysig_t sshpam_oldsig; 124static mysig_t sshpam_oldsig;
108 125
109static void 126static void
110sshpam_sigchld_handler(int sig) 127sshpam_sigchld_handler(int sig)
111{ 128{
112 signal(SIGCHLD, SIG_DFL); 129 signal(SIGCHLD, SIG_DFL);
113 if (cleanup_ctxt == NULL) 130 if (cleanup_ctxt == NULL)
114 return; /* handler called after PAM cleanup, shouldn't happen */ 131 return; /* handler called after PAM cleanup, shouldn't happen */
115 if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, WNOHANG) 132 if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, WNOHANG)
116 <= 0) { 133 <= 0) {
117 /* PAM thread has not exitted, privsep slave must have */ 134 /* PAM thread has not exitted, privsep slave must have */
118 kill(cleanup_ctxt->pam_thread, SIGTERM); 135 kill(cleanup_ctxt->pam_thread, SIGTERM);
119 if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, 0) 136 if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, 0)
@@ -140,6 +157,7 @@ pthread_create(sp_pthread_t *thread, const void *attr __unused,
140 void *(*thread_start)(void *), void *arg) 157 void *(*thread_start)(void *), void *arg)
141{ 158{
142 pid_t pid; 159 pid_t pid;
160 struct pam_ctxt *ctx = arg;
143 161
144 sshpam_thread_status = -1; 162 sshpam_thread_status = -1;
145 switch ((pid = fork())) { 163 switch ((pid = fork())) {
@@ -147,10 +165,14 @@ pthread_create(sp_pthread_t *thread, const void *attr __unused,
147 error("fork(): %s", strerror(errno)); 165 error("fork(): %s", strerror(errno));
148 return (-1); 166 return (-1);
149 case 0: 167 case 0:
168 close(ctx->pam_psock);
169 ctx->pam_psock = -1;
150 thread_start(arg); 170 thread_start(arg);
151 _exit(1); 171 _exit(1);
152 default: 172 default:
153 *thread = pid; 173 *thread = pid;
174 close(ctx->pam_csock);
175 ctx->pam_csock = -1;
154 sshpam_oldsig = signal(SIGCHLD, sshpam_sigchld_handler); 176 sshpam_oldsig = signal(SIGCHLD, sshpam_sigchld_handler);
155 return (0); 177 return (0);
156 } 178 }
@@ -255,7 +277,7 @@ import_environments(Buffer *b)
255 277
256 debug3("PAM: %s entering", __func__); 278 debug3("PAM: %s entering", __func__);
257 279
258#ifndef USE_POSIX_THREADS 280#ifndef UNSUPPORTED_POSIX_THREADS_HACK
259 /* Import variables set by do_pam_account */ 281 /* Import variables set by do_pam_account */
260 sshpam_account_status = buffer_get_int(b); 282 sshpam_account_status = buffer_get_int(b);
261 sshpam_password_change_required(buffer_get_int(b)); 283 sshpam_password_change_required(buffer_get_int(b));
@@ -290,7 +312,7 @@ import_environments(Buffer *b)
290 * Conversation function for authentication thread. 312 * Conversation function for authentication thread.
291 */ 313 */
292static int 314static int
293sshpam_thread_conv(int n, struct pam_message **msg, 315sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
294 struct pam_response **resp, void *data) 316 struct pam_response **resp, void *data)
295{ 317{
296 Buffer buffer; 318 Buffer buffer;
@@ -384,13 +406,15 @@ sshpam_thread(void *ctxtp)
384 struct pam_conv sshpam_conv; 406 struct pam_conv sshpam_conv;
385 int flags = (options.permit_empty_passwd == 0 ? 407 int flags = (options.permit_empty_passwd == 0 ?
386 PAM_DISALLOW_NULL_AUTHTOK : 0); 408 PAM_DISALLOW_NULL_AUTHTOK : 0);
387#ifndef USE_POSIX_THREADS 409#ifndef UNSUPPORTED_POSIX_THREADS_HACK
388 extern char **environ; 410 extern char **environ;
389 char **env_from_pam; 411 char **env_from_pam;
390 u_int i; 412 u_int i;
391 const char *pam_user; 413 const char *pam_user;
414 const char **ptr_pam_user = &pam_user;
392 415
393 pam_get_item(sshpam_handle, PAM_USER, (void **)&pam_user); 416 pam_get_item(sshpam_handle, PAM_USER,
417 (sshpam_const void **)ptr_pam_user);
394 environ[0] = NULL; 418 environ[0] = NULL;
395 419
396 if (sshpam_authctxt != NULL) { 420 if (sshpam_authctxt != NULL) {
@@ -428,7 +452,7 @@ sshpam_thread(void *ctxtp)
428 452
429 buffer_put_cstring(&buffer, "OK"); 453 buffer_put_cstring(&buffer, "OK");
430 454
431#ifndef USE_POSIX_THREADS 455#ifndef UNSUPPORTED_POSIX_THREADS_HACK
432 /* Export variables set by do_pam_account */ 456 /* Export variables set by do_pam_account */
433 buffer_put_int(&buffer, sshpam_account_status); 457 buffer_put_int(&buffer, sshpam_account_status);
434 buffer_put_int(&buffer, sshpam_authctxt->force_pwchange); 458 buffer_put_int(&buffer, sshpam_authctxt->force_pwchange);
@@ -447,7 +471,7 @@ sshpam_thread(void *ctxtp)
447 buffer_put_int(&buffer, i); 471 buffer_put_int(&buffer, i);
448 for(i = 0; env_from_pam != NULL && env_from_pam[i] != NULL; i++) 472 for(i = 0; env_from_pam != NULL && env_from_pam[i] != NULL; i++)
449 buffer_put_cstring(&buffer, env_from_pam[i]); 473 buffer_put_cstring(&buffer, env_from_pam[i]);
450#endif /* USE_POSIX_THREADS */ 474#endif /* UNSUPPORTED_POSIX_THREADS_HACK */
451 475
452 /* XXX - can't do much about an error here */ 476 /* XXX - can't do much about an error here */
453 ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer); 477 ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
@@ -482,7 +506,7 @@ sshpam_thread_cleanup(void)
482} 506}
483 507
484static int 508static int
485sshpam_null_conv(int n, struct pam_message **msg, 509sshpam_null_conv(int n, sshpam_const struct pam_message **msg,
486 struct pam_response **resp, void *data) 510 struct pam_response **resp, void *data)
487{ 511{
488 debug3("PAM: %s entering, %d messages", __func__, n); 512 debug3("PAM: %s entering, %d messages", __func__, n);
@@ -492,7 +516,7 @@ sshpam_null_conv(int n, struct pam_message **msg,
492static struct pam_conv null_conv = { sshpam_null_conv, NULL }; 516static struct pam_conv null_conv = { sshpam_null_conv, NULL };
493 517
494static int 518static int
495sshpam_store_conv(int n, struct pam_message **msg, 519sshpam_store_conv(int n, sshpam_const struct pam_message **msg,
496 struct pam_response **resp, void *data) 520 struct pam_response **resp, void *data)
497{ 521{
498 struct pam_response *reply; 522 struct pam_response *reply;
@@ -561,11 +585,12 @@ sshpam_init(Authctxt *authctxt)
561{ 585{
562 extern char *__progname; 586 extern char *__progname;
563 const char *pam_rhost, *pam_user, *user = authctxt->user; 587 const char *pam_rhost, *pam_user, *user = authctxt->user;
588 const char **ptr_pam_user = &pam_user;
564 589
565 if (sshpam_handle != NULL) { 590 if (sshpam_handle != NULL) {
566 /* We already have a PAM context; check if the user matches */ 591 /* We already have a PAM context; check if the user matches */
567 sshpam_err = pam_get_item(sshpam_handle, 592 sshpam_err = pam_get_item(sshpam_handle,
568 PAM_USER, (void **)&pam_user); 593 PAM_USER, (sshpam_const void **)ptr_pam_user);
569 if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0) 594 if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0)
570 return (0); 595 return (0);
571 pam_end(sshpam_handle, sshpam_err); 596 pam_end(sshpam_handle, sshpam_err);
@@ -755,7 +780,7 @@ sshpam_respond(void *ctx, u_int num, char **resp)
755 buffer_init(&buffer); 780 buffer_init(&buffer);
756 if (sshpam_authctxt->valid && 781 if (sshpam_authctxt->valid &&
757 (sshpam_authctxt->pw->pw_uid != 0 || 782 (sshpam_authctxt->pw->pw_uid != 0 ||
758 options.permit_root_login == PERMIT_YES)) 783 options.permit_root_login == PERMIT_YES))
759 buffer_put_cstring(&buffer, *resp); 784 buffer_put_cstring(&buffer, *resp);
760 else 785 else
761 buffer_put_cstring(&buffer, badpw); 786 buffer_put_cstring(&buffer, badpw);
@@ -828,7 +853,7 @@ do_pam_account(void)
828 sshpam_err = pam_acct_mgmt(sshpam_handle, 0); 853 sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
829 debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err, 854 debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
830 pam_strerror(sshpam_handle, sshpam_err)); 855 pam_strerror(sshpam_handle, sshpam_err));
831 856
832 if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) { 857 if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
833 sshpam_account_status = 0; 858 sshpam_account_status = 0;
834 return (sshpam_account_status); 859 return (sshpam_account_status);
@@ -881,7 +906,7 @@ do_pam_setcred(int init)
881} 906}
882 907
883static int 908static int
884sshpam_tty_conv(int n, struct pam_message **msg, 909sshpam_tty_conv(int n, sshpam_const struct pam_message **msg,
885 struct pam_response **resp, void *data) 910 struct pam_response **resp, void *data)
886{ 911{
887 char input[PAM_MAX_MSG_SIZE]; 912 char input[PAM_MAX_MSG_SIZE];
@@ -1040,7 +1065,7 @@ free_pam_environment(char **env)
1040 * display. 1065 * display.
1041 */ 1066 */
1042static int 1067static int
1043sshpam_passwd_conv(int n, struct pam_message **msg, 1068sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
1044 struct pam_response **resp, void *data) 1069 struct pam_response **resp, void *data)
1045{ 1070{
1046 struct pam_response *reply; 1071 struct pam_response *reply;
@@ -1086,7 +1111,7 @@ sshpam_passwd_conv(int n, struct pam_message **msg,
1086 *resp = reply; 1111 *resp = reply;
1087 return (PAM_SUCCESS); 1112 return (PAM_SUCCESS);
1088 1113
1089 fail: 1114 fail:
1090 for(i = 0; i < n; i++) { 1115 for(i = 0; i < n; i++) {
1091 if (reply[i].resp != NULL) 1116 if (reply[i].resp != NULL)
1092 xfree(reply[i].resp); 1117 xfree(reply[i].resp);
@@ -1119,7 +1144,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
1119 * information via timing (eg if the PAM config has a delay on fail). 1144 * information via timing (eg if the PAM config has a delay on fail).
1120 */ 1145 */
1121 if (!authctxt->valid || (authctxt->pw->pw_uid == 0 && 1146 if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
1122 options.permit_root_login != PERMIT_YES)) 1147 options.permit_root_login != PERMIT_YES))
1123 sshpam_password = badpw; 1148 sshpam_password = badpw;
1124 1149
1125 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, 1150 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
@@ -1133,7 +1158,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
1133 if (sshpam_err == PAM_SUCCESS && authctxt->valid) { 1158 if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
1134 debug("PAM: password authentication accepted for %.100s", 1159 debug("PAM: password authentication accepted for %.100s",
1135 authctxt->user); 1160 authctxt->user);
1136 return 1; 1161 return 1;
1137 } else { 1162 } else {
1138 debug("PAM: password authentication failed for %.100s: %s", 1163 debug("PAM: password authentication failed for %.100s: %s",
1139 authctxt->valid ? authctxt->user : "an illegal user", 1164 authctxt->valid ? authctxt->user : "an illegal user",
diff --git a/auth-passwd.c b/auth-passwd.c
index 27ece3f72..6e6d0d76a 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -36,7 +36,7 @@
36 */ 36 */
37 37
38#include "includes.h" 38#include "includes.h"
39RCSID("$OpenBSD: auth-passwd.c,v 1.33 2005/01/24 11:47:13 dtucker Exp $"); 39RCSID("$OpenBSD: auth-passwd.c,v 1.34 2005/07/19 15:32:26 otto Exp $");
40 40
41#include "packet.h" 41#include "packet.h"
42#include "buffer.h" 42#include "buffer.h"
@@ -47,7 +47,6 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.33 2005/01/24 11:47:13 dtucker Exp $");
47 47
48extern Buffer loginmsg; 48extern Buffer loginmsg;
49extern ServerOptions options; 49extern ServerOptions options;
50int sys_auth_passwd(Authctxt *, const char *);
51 50
52#ifdef HAVE_LOGIN_CAP 51#ifdef HAVE_LOGIN_CAP
53extern login_cap_t *lc; 52extern login_cap_t *lc;
@@ -164,6 +163,8 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
164 163
165 as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh", 164 as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
166 (char *)password); 165 (char *)password);
166 if (as == NULL)
167 return (0);
167 if (auth_getstate(as) & AUTH_PWEXPIRED) { 168 if (auth_getstate(as) & AUTH_PWEXPIRED) {
168 auth_close(as); 169 auth_close(as);
169 disable_forwarding(); 170 disable_forwarding();
diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c
index 29eb538ec..c31f2b97b 100644
--- a/auth-rh-rsa.c
+++ b/auth-rh-rsa.c
@@ -13,7 +13,7 @@
13 */ 13 */
14 14
15#include "includes.h" 15#include "includes.h"
16RCSID("$OpenBSD: auth-rh-rsa.c,v 1.37 2003/11/04 08:54:09 djm Exp $"); 16RCSID("$OpenBSD: auth-rh-rsa.c,v 1.38 2005/07/17 07:17:54 djm Exp $");
17 17
18#include "packet.h" 18#include "packet.h"
19#include "uidswap.h" 19#include "uidswap.h"
@@ -86,7 +86,7 @@ auth_rhosts_rsa(Authctxt *authctxt, char *cuser, Key *client_host_key)
86 */ 86 */
87 87
88 verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.", 88 verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
89 pw->pw_name, cuser, chost); 89 pw->pw_name, cuser, chost);
90 packet_send_debug("Rhosts with RSA host authentication accepted."); 90 packet_send_debug("Rhosts with RSA host authentication accepted.");
91 return 1; 91 return 1;
92} 92}
diff --git a/auth-rhosts.c b/auth-rhosts.c
index 585246e82..aaba8557e 100644
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@@ -14,7 +14,7 @@
14 */ 14 */
15 15
16#include "includes.h" 16#include "includes.h"
17RCSID("$OpenBSD: auth-rhosts.c,v 1.32 2003/11/04 08:54:09 djm Exp $"); 17RCSID("$OpenBSD: auth-rhosts.c,v 1.33 2005/07/17 07:17:54 djm Exp $");
18 18
19#include "packet.h" 19#include "packet.h"
20#include "uidswap.h" 20#include "uidswap.h"
@@ -133,7 +133,7 @@ check_rhosts_file(const char *filename, const char *hostname,
133 /* If the entry was negated, deny access. */ 133 /* If the entry was negated, deny access. */
134 if (negated) { 134 if (negated) {
135 auth_debug_add("Matched negative entry in %.100s.", 135 auth_debug_add("Matched negative entry in %.100s.",
136 filename); 136 filename);
137 return 0; 137 return 0;
138 } 138 }
139 /* Accept authentication. */ 139 /* Accept authentication. */
diff --git a/auth-rsa.c b/auth-rsa.c
index 4378008d3..d9c9652dc 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -14,7 +14,7 @@
14 */ 14 */
15 15
16#include "includes.h" 16#include "includes.h"
17RCSID("$OpenBSD: auth-rsa.c,v 1.62 2004/12/11 01:48:56 dtucker Exp $"); 17RCSID("$OpenBSD: auth-rsa.c,v 1.63 2005/06/17 02:44:32 djm Exp $");
18 18
19#include <openssl/rsa.h> 19#include <openssl/rsa.h>
20#include <openssl/md5.h> 20#include <openssl/md5.h>
@@ -205,6 +205,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
205 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 205 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
206 char *cp; 206 char *cp;
207 char *key_options; 207 char *key_options;
208 int keybits;
208 209
209 /* Skip leading whitespace, empty and comment lines. */ 210 /* Skip leading whitespace, empty and comment lines. */
210 for (cp = line; *cp == ' ' || *cp == '\t'; cp++) 211 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@@ -243,7 +244,8 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
243 continue; 244 continue;
244 245
245 /* check the real bits */ 246 /* check the real bits */
246 if (bits != BN_num_bits(key->rsa->n)) 247 keybits = BN_num_bits(key->rsa->n);
248 if (keybits < 0 || bits != (u_int)keybits)
247 logit("Warning: %s, line %lu: keysize mismatch: " 249 logit("Warning: %s, line %lu: keysize mismatch: "
248 "actual %d vs. announced %d.", 250 "actual %d vs. announced %d.",
249 file, linenum, BN_num_bits(key->rsa->n), bits); 251 file, linenum, BN_num_bits(key->rsa->n), bits);
diff --git a/auth-shadow.c b/auth-shadow.c
index f6004f68f..59737b93c 100644
--- a/auth-shadow.c
+++ b/auth-shadow.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$Id: auth-shadow.c,v 1.6 2005/02/16 03:20:06 dtucker Exp $"); 26RCSID("$Id: auth-shadow.c,v 1.7 2005/07/17 07:04:47 djm Exp $");
27 27
28#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) 28#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
29#include <shadow.h> 29#include <shadow.h>
@@ -101,7 +101,7 @@ auth_shadow_pwexpired(Authctxt *ctxt)
101#if defined(__hpux) && !defined(HAVE_SECUREWARE) 101#if defined(__hpux) && !defined(HAVE_SECUREWARE)
102 if (iscomsec()) { 102 if (iscomsec()) {
103 struct pr_passwd *pr; 103 struct pr_passwd *pr;
104 104
105 pr = getprpwnam((char *)user); 105 pr = getprpwnam((char *)user);
106 106
107 /* Test for Trusted Mode expiry disabled */ 107 /* Test for Trusted Mode expiry disabled */
diff --git a/auth-sia.c b/auth-sia.c
index 63f55d07f..af7182b48 100644
--- a/auth-sia.c
+++ b/auth-sia.c
@@ -47,7 +47,7 @@ extern int saved_argc;
47extern char **saved_argv; 47extern char **saved_argv;
48 48
49int 49int
50sys_auth_passwd(Authctxt *authctxt, char *pass) 50sys_auth_passwd(Authctxt *authctxt, const char *pass)
51{ 51{
52 int ret; 52 int ret;
53 SIAENTITY *ent = NULL; 53 SIAENTITY *ent = NULL;
diff --git a/auth-sia.h b/auth-sia.h
index ca55e913e..27cbb93f1 100644
--- a/auth-sia.h
+++ b/auth-sia.h
@@ -26,7 +26,6 @@
26 26
27#ifdef HAVE_OSF_SIA 27#ifdef HAVE_OSF_SIA
28 28
29int sys_auth_passwd(Authctxt *, char *);
30void session_setup_sia(struct passwd *, char *); 29void session_setup_sia(struct passwd *, char *);
31 30
32#endif /* HAVE_OSF_SIA */ 31#endif /* HAVE_OSF_SIA */
diff --git a/auth-skey.c b/auth-skey.c
index ac1af69ed..f676dbec9 100644
--- a/auth-skey.c
+++ b/auth-skey.c
@@ -47,7 +47,7 @@ skey_query(void *ctx, char **name, char **infotxt,
47 int len; 47 int len;
48 struct skey skey; 48 struct skey skey;
49 49
50 if (_compat_skeychallenge(&skey, authctxt->user, challenge, 50 if (_compat_skeychallenge(&skey, authctxt->user, challenge,
51 sizeof(challenge)) == -1) 51 sizeof(challenge)) == -1)
52 return -1; 52 return -1;
53 53
diff --git a/auth.c b/auth.c
index 256807683..2dc5c2be6 100644
--- a/auth.c
+++ b/auth.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: auth.c,v 1.57 2005/01/22 08:17:59 dtucker Exp $"); 26RCSID("$OpenBSD: auth.c,v 1.60 2005/06/17 02:44:32 djm Exp $");
27 27
28#ifdef HAVE_LOGIN_H 28#ifdef HAVE_LOGIN_H
29#include <login.h> 29#include <login.h>
@@ -76,7 +76,7 @@ allowed_user(struct passwd * pw)
76 struct stat st; 76 struct stat st;
77 const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL; 77 const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
78 char *shell; 78 char *shell;
79 int i; 79 u_int i;
80#ifdef USE_SHADOW 80#ifdef USE_SHADOW
81 struct spwd *spw = NULL; 81 struct spwd *spw = NULL;
82#endif 82#endif
@@ -97,7 +97,11 @@ allowed_user(struct passwd * pw)
97 /* grab passwd field for locked account check */ 97 /* grab passwd field for locked account check */
98#ifdef USE_SHADOW 98#ifdef USE_SHADOW
99 if (spw != NULL) 99 if (spw != NULL)
100#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
101 passwd = get_iaf_password(pw);
102#else
100 passwd = spw->sp_pwdp; 103 passwd = spw->sp_pwdp;
104#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
101#else 105#else
102 passwd = pw->pw_passwd; 106 passwd = pw->pw_passwd;
103#endif 107#endif
@@ -119,6 +123,9 @@ allowed_user(struct passwd * pw)
119 if (strstr(passwd, LOCKED_PASSWD_SUBSTR)) 123 if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
120 locked = 1; 124 locked = 1;
121#endif 125#endif
126#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
127 free(passwd);
128#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
122 if (locked) { 129 if (locked) {
123 logit("User %.100s not allowed because account is locked", 130 logit("User %.100s not allowed because account is locked",
124 pw->pw_name); 131 pw->pw_name);
@@ -145,7 +152,8 @@ allowed_user(struct passwd * pw)
145 return 0; 152 return 0;
146 } 153 }
147 154
148 if (options.num_deny_users > 0 || options.num_allow_users > 0) { 155 if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
156 options.num_deny_groups > 0 || options.num_allow_groups > 0) {
149 hostname = get_canonical_hostname(options.use_dns); 157 hostname = get_canonical_hostname(options.use_dns);
150 ipaddr = get_remote_ipaddr(); 158 ipaddr = get_remote_ipaddr();
151 } 159 }
@@ -325,64 +333,41 @@ auth_root_allowed(char *method)
325 * 333 *
326 * This returns a buffer allocated by xmalloc. 334 * This returns a buffer allocated by xmalloc.
327 */ 335 */
328char * 336static char *
329expand_filename(const char *filename, struct passwd *pw) 337expand_authorized_keys(const char *filename, struct passwd *pw)
330{ 338{
331 Buffer buffer; 339 char *file, *ret;
332 char *file;
333 const char *cp;
334 340
335 /* 341 file = percent_expand(filename, "h", pw->pw_dir,
336 * Build the filename string in the buffer by making the appropriate 342 "u", pw->pw_name, (char *)NULL);
337 * substitutions to the given file name.
338 */
339 buffer_init(&buffer);
340 for (cp = filename; *cp; cp++) {
341 if (cp[0] == '%' && cp[1] == '%') {
342 buffer_append(&buffer, "%", 1);
343 cp++;
344 continue;
345 }
346 if (cp[0] == '%' && cp[1] == 'h') {
347 buffer_append(&buffer, pw->pw_dir, strlen(pw->pw_dir));
348 cp++;
349 continue;
350 }
351 if (cp[0] == '%' && cp[1] == 'u') {
352 buffer_append(&buffer, pw->pw_name,
353 strlen(pw->pw_name));
354 cp++;
355 continue;
356 }
357 buffer_append(&buffer, cp, 1);
358 }
359 buffer_append(&buffer, "\0", 1);
360 343
361 /* 344 /*
362 * Ensure that filename starts anchored. If not, be backward 345 * Ensure that filename starts anchored. If not, be backward
363 * compatible and prepend the '%h/' 346 * compatible and prepend the '%h/'
364 */ 347 */
365 file = xmalloc(MAXPATHLEN); 348 if (*file == '/')
366 cp = buffer_ptr(&buffer); 349 return (file);
367 if (*cp != '/') 350
368 snprintf(file, MAXPATHLEN, "%s/%s", pw->pw_dir, cp); 351 ret = xmalloc(MAXPATHLEN);
369 else 352 if (strlcpy(ret, pw->pw_dir, MAXPATHLEN) >= MAXPATHLEN ||
370 strlcpy(file, cp, MAXPATHLEN); 353 strlcat(ret, "/", MAXPATHLEN) >= MAXPATHLEN ||
354 strlcat(ret, file, MAXPATHLEN) >= MAXPATHLEN)
355 fatal("expand_authorized_keys: path too long");
371 356
372 buffer_free(&buffer); 357 xfree(file);
373 return file; 358 return (ret);
374} 359}
375 360
376char * 361char *
377authorized_keys_file(struct passwd *pw) 362authorized_keys_file(struct passwd *pw)
378{ 363{
379 return expand_filename(options.authorized_keys_file, pw); 364 return expand_authorized_keys(options.authorized_keys_file, pw);
380} 365}
381 366
382char * 367char *
383authorized_keys_file2(struct passwd *pw) 368authorized_keys_file2(struct passwd *pw)
384{ 369{
385 return expand_filename(options.authorized_keys_file2, pw); 370 return expand_authorized_keys(options.authorized_keys_file2, pw);
386} 371}
387 372
388/* return ok if key exists in sysfile or userfile */ 373/* return ok if key exists in sysfile or userfile */
diff --git a/auth.h b/auth.h
index 8d1f93403..456d28f37 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth.h,v 1.50 2004/05/23 23:59:53 dtucker Exp $ */ 1/* $OpenBSD: auth.h,v 1.51 2005/06/06 11:20:36 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -30,6 +30,7 @@
30 30
31#include "key.h" 31#include "key.h"
32#include "hostfile.h" 32#include "hostfile.h"
33#include "buffer.h"
33#include <openssl/rsa.h> 34#include <openssl/rsa.h>
34 35
35#ifdef HAVE_LOGIN_CAP 36#ifdef HAVE_LOGIN_CAP
@@ -52,6 +53,7 @@ struct Authctxt {
52 int valid; /* user exists and is allowed to login */ 53 int valid; /* user exists and is allowed to login */
53 int attempt; 54 int attempt;
54 int failures; 55 int failures;
56 int server_caused_failure;
55 int force_pwchange; 57 int force_pwchange;
56 char *user; /* username sent by the client */ 58 char *user; /* username sent by the client */
57 char *service; 59 char *service;
@@ -68,6 +70,7 @@ struct Authctxt {
68 char *krb5_ticket_file; 70 char *krb5_ticket_file;
69 char *krb5_ccname; 71 char *krb5_ccname;
70#endif 72#endif
73 Buffer *loginmsg;
71 void *methoddata; 74 void *methoddata;
72}; 75};
73/* 76/*
@@ -161,7 +164,6 @@ char *get_challenge(Authctxt *);
161int verify_response(Authctxt *, const char *); 164int verify_response(Authctxt *, const char *);
162void abandon_challenge_response(Authctxt *); 165void abandon_challenge_response(Authctxt *);
163 166
164char *expand_filename(const char *, struct passwd *);
165char *authorized_keys_file(struct passwd *); 167char *authorized_keys_file(struct passwd *);
166char *authorized_keys_file2(struct passwd *); 168char *authorized_keys_file2(struct passwd *);
167 169
@@ -185,7 +187,14 @@ void auth_debug_reset(void);
185 187
186struct passwd *fakepw(void); 188struct passwd *fakepw(void);
187 189
190int sys_auth_passwd(Authctxt *, const char *);
191
188#define AUTH_FAIL_MSG "Too many authentication failures for %.100s" 192#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
189 193
190#define SKEY_PROMPT "\nS/Key Password: " 194#define SKEY_PROMPT "\nS/Key Password: "
195
196#if defined(KRB5) && !defined(HEIMDAL)
197#include <krb5.h>
198krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
199#endif
191#endif 200#endif
diff --git a/auth1.c b/auth1.c
index d08928455..4bc2bf76d 100644
--- a/auth1.c
+++ b/auth1.c
@@ -10,7 +10,7 @@
10 */ 10 */
11 11
12#include "includes.h" 12#include "includes.h"
13RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $"); 13RCSID("$OpenBSD: auth1.c,v 1.62 2005/07/16 01:35:24 djm Exp $");
14 14
15#include "xmalloc.h" 15#include "xmalloc.h"
16#include "rsa.h" 16#include "rsa.h"
@@ -31,28 +31,182 @@ RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $");
31extern ServerOptions options; 31extern ServerOptions options;
32extern Buffer loginmsg; 32extern Buffer loginmsg;
33 33
34/* 34static int auth1_process_password(Authctxt *, char *, size_t);
35 * convert ssh auth msg type into description 35static int auth1_process_rsa(Authctxt *, char *, size_t);
36 */ 36static int auth1_process_rhosts_rsa(Authctxt *, char *, size_t);
37static int auth1_process_tis_challenge(Authctxt *, char *, size_t);
38static int auth1_process_tis_response(Authctxt *, char *, size_t);
39
40static char *client_user = NULL; /* Used to fill in remote user for PAM */
41
42struct AuthMethod1 {
43 int type;
44 char *name;
45 int *enabled;
46 int (*method)(Authctxt *, char *, size_t);
47};
48
49const struct AuthMethod1 auth1_methods[] = {
50 {
51 SSH_CMSG_AUTH_PASSWORD, "password",
52 &options.password_authentication, auth1_process_password
53 },
54 {
55 SSH_CMSG_AUTH_RSA, "rsa",
56 &options.rsa_authentication, auth1_process_rsa
57 },
58 {
59 SSH_CMSG_AUTH_RHOSTS_RSA, "rhosts-rsa",
60 &options.rhosts_rsa_authentication, auth1_process_rhosts_rsa
61 },
62 {
63 SSH_CMSG_AUTH_TIS, "challenge-response",
64 &options.challenge_response_authentication,
65 auth1_process_tis_challenge
66 },
67 {
68 SSH_CMSG_AUTH_TIS_RESPONSE, "challenge-response",
69 &options.challenge_response_authentication,
70 auth1_process_tis_response
71 },
72 { -1, NULL, NULL, NULL}
73};
74
75static const struct AuthMethod1
76*lookup_authmethod1(int type)
77{
78 int i;
79
80 for(i = 0; auth1_methods[i].name != NULL; i++)
81 if (auth1_methods[i].type == type)
82 return (&(auth1_methods[i]));
83
84 return (NULL);
85}
86
37static char * 87static char *
38get_authname(int type) 88get_authname(int type)
39{ 89{
40 static char buf[1024]; 90 const struct AuthMethod1 *a;
41 switch (type) { 91 static char buf[64];
42 case SSH_CMSG_AUTH_PASSWORD: 92
43 return "password"; 93 if ((a = lookup_authmethod1(type)) != NULL)
44 case SSH_CMSG_AUTH_RSA: 94 return (a->name);
45 return "rsa"; 95 snprintf(buf, sizeof(buf), "bad-auth-msg-%d", type);
46 case SSH_CMSG_AUTH_RHOSTS_RSA: 96 return (buf);
47 return "rhosts-rsa"; 97}
48 case SSH_CMSG_AUTH_RHOSTS: 98
49 return "rhosts"; 99static int
50 case SSH_CMSG_AUTH_TIS: 100auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
51 case SSH_CMSG_AUTH_TIS_RESPONSE: 101{
52 return "challenge-response"; 102 int authenticated = 0;
103 char *password;
104 u_int dlen;
105
106 /*
107 * Read user password. It is in plain text, but was
108 * transmitted over the encrypted channel so it is
109 * not visible to an outside observer.
110 */
111 password = packet_get_string(&dlen);
112 packet_check_eom();
113
114 /* Try authentication with the password. */
115 authenticated = PRIVSEP(auth_password(authctxt, password));
116
117 memset(password, 0, dlen);
118 xfree(password);
119
120 return (authenticated);
121}
122
123static int
124auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen)
125{
126 int authenticated = 0;
127 BIGNUM *n;
128
129 /* RSA authentication requested. */
130 if ((n = BN_new()) == NULL)
131 fatal("do_authloop: BN_new failed");
132 packet_get_bignum(n);
133 packet_check_eom();
134 authenticated = auth_rsa(authctxt, n);
135 BN_clear_free(n);
136
137 return (authenticated);
138}
139
140static int
141auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen)
142{
143 int keybits, authenticated = 0;
144 u_int bits;
145 Key *client_host_key;
146 u_int ulen;
147
148 /*
149 * Get client user name. Note that we just have to
150 * trust the client; root on the client machine can
151 * claim to be any user.
152 */
153 client_user = packet_get_string(&ulen);
154
155 /* Get the client host key. */
156 client_host_key = key_new(KEY_RSA1);
157 bits = packet_get_int();
158 packet_get_bignum(client_host_key->rsa->e);
159 packet_get_bignum(client_host_key->rsa->n);
160
161 keybits = BN_num_bits(client_host_key->rsa->n);
162 if (keybits < 0 || bits != (u_int)keybits) {
163 verbose("Warning: keysize mismatch for client_host_key: "
164 "actual %d, announced %d",
165 BN_num_bits(client_host_key->rsa->n), bits);
53 } 166 }
54 snprintf(buf, sizeof buf, "bad-auth-msg-%d", type); 167 packet_check_eom();
55 return buf; 168
169 authenticated = auth_rhosts_rsa(authctxt, client_user,
170 client_host_key);
171 key_free(client_host_key);
172
173 snprintf(info, infolen, " ruser %.100s", client_user);
174
175 return (authenticated);
176}
177
178static int
179auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
180{
181 char *challenge;
182
183 if ((challenge = get_challenge(authctxt)) == NULL)
184 return (0);
185
186 debug("sending challenge '%s'", challenge);
187 packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
188 packet_put_cstring(challenge);
189 xfree(challenge);
190 packet_send();
191 packet_write_wait();
192
193 return (-1);
194}
195
196static int
197auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen)
198{
199 int authenticated = 0;
200 char *response;
201 u_int dlen;
202
203 response = packet_get_string(&dlen);
204 packet_check_eom();
205 authenticated = verify_response(authctxt, response);
206 memset(response, 'r', dlen);
207 xfree(response);
208
209 return (authenticated);
56} 210}
57 211
58/* 212/*
@@ -63,14 +217,9 @@ static void
63do_authloop(Authctxt *authctxt) 217do_authloop(Authctxt *authctxt)
64{ 218{
65 int authenticated = 0; 219 int authenticated = 0;
66 u_int bits;
67 Key *client_host_key;
68 BIGNUM *n;
69 char *client_user, *password;
70 char info[1024]; 220 char info[1024];
71 u_int dlen; 221 int prev = 0, type = 0;
72 u_int ulen; 222 const struct AuthMethod1 *meth;
73 int prev, type = 0;
74 223
75 debug("Attempting authentication for %s%.100s.", 224 debug("Attempting authentication for %s%.100s.",
76 authctxt->valid ? "" : "invalid user ", authctxt->user); 225 authctxt->valid ? "" : "invalid user ", authctxt->user);
@@ -95,8 +244,6 @@ do_authloop(Authctxt *authctxt)
95 packet_send(); 244 packet_send();
96 packet_write_wait(); 245 packet_write_wait();
97 246
98 client_user = NULL;
99
100 for (;;) { 247 for (;;) {
101 /* default to fail */ 248 /* default to fail */
102 authenticated = 0; 249 authenticated = 0;
@@ -118,107 +265,21 @@ do_authloop(Authctxt *authctxt)
118 type != SSH_CMSG_AUTH_TIS_RESPONSE) 265 type != SSH_CMSG_AUTH_TIS_RESPONSE)
119 abandon_challenge_response(authctxt); 266 abandon_challenge_response(authctxt);
120 267
121 /* Process the packet. */ 268 if ((meth = lookup_authmethod1(type)) == NULL) {
122 switch (type) { 269 logit("Unknown message during authentication: "
123 case SSH_CMSG_AUTH_RHOSTS_RSA: 270 "type %d", type);
124 if (!options.rhosts_rsa_authentication) { 271 goto skip;
125 verbose("Rhosts with RSA authentication disabled."); 272 }
126 break; 273
127 } 274 if (!*(meth->enabled)) {
128 /* 275 verbose("%s authentication disabled.", meth->name);
129 * Get client user name. Note that we just have to 276 goto skip;
130 * trust the client; root on the client machine can
131 * claim to be any user.
132 */
133 client_user = packet_get_string(&ulen);
134
135 /* Get the client host key. */
136 client_host_key = key_new(KEY_RSA1);
137 bits = packet_get_int();
138 packet_get_bignum(client_host_key->rsa->e);
139 packet_get_bignum(client_host_key->rsa->n);
140
141 if (bits != BN_num_bits(client_host_key->rsa->n))
142 verbose("Warning: keysize mismatch for client_host_key: "
143 "actual %d, announced %d",
144 BN_num_bits(client_host_key->rsa->n), bits);
145 packet_check_eom();
146
147 authenticated = auth_rhosts_rsa(authctxt, client_user,
148 client_host_key);
149 key_free(client_host_key);
150
151 snprintf(info, sizeof info, " ruser %.100s", client_user);
152 break;
153
154 case SSH_CMSG_AUTH_RSA:
155 if (!options.rsa_authentication) {
156 verbose("RSA authentication disabled.");
157 break;
158 }
159 /* RSA authentication requested. */
160 if ((n = BN_new()) == NULL)
161 fatal("do_authloop: BN_new failed");
162 packet_get_bignum(n);
163 packet_check_eom();
164 authenticated = auth_rsa(authctxt, n);
165 BN_clear_free(n);
166 break;
167
168 case SSH_CMSG_AUTH_PASSWORD:
169 if (!options.password_authentication) {
170 verbose("Password authentication disabled.");
171 break;
172 }
173 /*
174 * Read user password. It is in plain text, but was
175 * transmitted over the encrypted channel so it is
176 * not visible to an outside observer.
177 */
178 password = packet_get_string(&dlen);
179 packet_check_eom();
180
181 /* Try authentication with the password. */
182 authenticated = PRIVSEP(auth_password(authctxt, password));
183
184 memset(password, 0, strlen(password));
185 xfree(password);
186 break;
187
188 case SSH_CMSG_AUTH_TIS:
189 debug("rcvd SSH_CMSG_AUTH_TIS");
190 if (options.challenge_response_authentication == 1) {
191 char *challenge = get_challenge(authctxt);
192 if (challenge != NULL) {
193 debug("sending challenge '%s'", challenge);
194 packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
195 packet_put_cstring(challenge);
196 xfree(challenge);
197 packet_send();
198 packet_write_wait();
199 continue;
200 }
201 }
202 break;
203 case SSH_CMSG_AUTH_TIS_RESPONSE:
204 debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
205 if (options.challenge_response_authentication == 1) {
206 char *response = packet_get_string(&dlen);
207 packet_check_eom();
208 authenticated = verify_response(authctxt, response);
209 memset(response, 'r', dlen);
210 xfree(response);
211 }
212 break;
213
214 default:
215 /*
216 * Any unknown messages will be ignored (and failure
217 * returned) during authentication.
218 */
219 logit("Unknown message during authentication: type %d", type);
220 break;
221 } 277 }
278
279 authenticated = meth->method(authctxt, info, sizeof(info));
280 if (authenticated == -1)
281 continue; /* "postponed" */
282
222#ifdef BSD_AUTH 283#ifdef BSD_AUTH
223 if (authctxt->as) { 284 if (authctxt->as) {
224 auth_close(authctxt->as); 285 auth_close(authctxt->as);
@@ -238,7 +299,7 @@ do_authloop(Authctxt *authctxt)
238 299
239#ifdef HAVE_CYGWIN 300#ifdef HAVE_CYGWIN
240 if (authenticated && 301 if (authenticated &&
241 !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD, 302 !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,
242 authctxt->pw)) { 303 authctxt->pw)) {
243 packet_disconnect("Authentication rejected for uid %d.", 304 packet_disconnect("Authentication rejected for uid %d.",
244 authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid); 305 authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid);
@@ -247,8 +308,8 @@ do_authloop(Authctxt *authctxt)
247#else 308#else
248 /* Special handling for root */ 309 /* Special handling for root */
249 if (authenticated && authctxt->pw->pw_uid == 0 && 310 if (authenticated && authctxt->pw->pw_uid == 0 &&
250 !auth_root_allowed(get_authname(type))) { 311 !auth_root_allowed(meth->name)) {
251 authenticated = 0; 312 authenticated = 0;
252# ifdef SSH_AUDIT_EVENTS 313# ifdef SSH_AUDIT_EVENTS
253 PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED)); 314 PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
254# endif 315# endif
@@ -262,7 +323,7 @@ do_authloop(Authctxt *authctxt)
262 size_t len; 323 size_t len;
263 324
264 error("Access denied for user %s by PAM account " 325 error("Access denied for user %s by PAM account "
265 "configuration", authctxt->user); 326 "configuration", authctxt->user);
266 len = buffer_len(&loginmsg); 327 len = buffer_len(&loginmsg);
267 buffer_append(&loginmsg, "\0", 1); 328 buffer_append(&loginmsg, "\0", 1);
268 msg = buffer_ptr(&loginmsg); 329 msg = buffer_ptr(&loginmsg);
@@ -276,6 +337,7 @@ do_authloop(Authctxt *authctxt)
276 } 337 }
277#endif 338#endif
278 339
340 skip:
279 /* Log before sending the reply */ 341 /* Log before sending the reply */
280 auth_log(authctxt, authenticated, get_authname(type), info); 342 auth_log(authctxt, authenticated, get_authname(type), info);
281 343
@@ -341,7 +403,7 @@ do_authentication(Authctxt *authctxt)
341 403
342 /* 404 /*
343 * If we are not running as root, the user must have the same uid as 405 * If we are not running as root, the user must have the same uid as
344 * the server. (Unless you are running Windows) 406 * the server.
345 */ 407 */
346#ifndef HAVE_CYGWIN 408#ifndef HAVE_CYGWIN
347 if (!use_privsep && getuid() != 0 && authctxt->pw && 409 if (!use_privsep && getuid() != 0 && authctxt->pw &&
diff --git a/auth2-chall.c b/auth2-chall.c
index 384a543ee..b147cadf3 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -23,7 +23,7 @@
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */ 24 */
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: auth2-chall.c,v 1.22 2005/01/19 13:11:47 dtucker Exp $"); 26RCSID("$OpenBSD: auth2-chall.c,v 1.24 2005/07/17 07:17:54 djm Exp $");
27 27
28#include "ssh2.h" 28#include "ssh2.h"
29#include "auth.h" 29#include "auth.h"
@@ -167,7 +167,7 @@ kbdint_next_device(KbdintAuthctxt *kbdintctxt)
167 kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; 167 kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
168 xfree(t); 168 xfree(t);
169 debug2("kbdint_next_device: devices %s", kbdintctxt->devices ? 169 debug2("kbdint_next_device: devices %s", kbdintctxt->devices ?
170 kbdintctxt->devices : "<empty>"); 170 kbdintctxt->devices : "<empty>");
171 } while (kbdintctxt->devices && !kbdintctxt->device); 171 } while (kbdintctxt->devices && !kbdintctxt->device);
172 172
173 return kbdintctxt->device ? 1 : 0; 173 return kbdintctxt->device ? 1 : 0;
@@ -239,8 +239,7 @@ send_userauth_info_request(Authctxt *authctxt)
239{ 239{
240 KbdintAuthctxt *kbdintctxt; 240 KbdintAuthctxt *kbdintctxt;
241 char *name, *instr, **prompts; 241 char *name, *instr, **prompts;
242 int i; 242 u_int i, *echo_on;
243 u_int *echo_on;
244 243
245 kbdintctxt = authctxt->kbdintctxt; 244 kbdintctxt = authctxt->kbdintctxt;
246 if (kbdintctxt->device->query(kbdintctxt->ctxt, 245 if (kbdintctxt->device->query(kbdintctxt->ctxt,
@@ -273,8 +272,8 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
273{ 272{
274 Authctxt *authctxt = ctxt; 273 Authctxt *authctxt = ctxt;
275 KbdintAuthctxt *kbdintctxt; 274 KbdintAuthctxt *kbdintctxt;
276 int i, authenticated = 0, res, len; 275 int authenticated = 0, res, len;
277 u_int nresp; 276 u_int i, nresp;
278 char **response = NULL, *method; 277 char **response = NULL, *method;
279 278
280 if (authctxt == NULL) 279 if (authctxt == NULL)
diff --git a/auth2-gss.c b/auth2-gss.c
index 0ac405496..9cbc29605 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-gss.c,v 1.8 2004/06/21 17:36:31 avsm Exp $ */ 1/* $OpenBSD: auth2-gss.c,v 1.10 2005/07/17 07:17:54 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -94,7 +94,7 @@ userauth_gssapi(Authctxt *authctxt)
94 int present; 94 int present;
95 OM_uint32 ms; 95 OM_uint32 ms;
96 u_int len; 96 u_int len;
97 char *doid = NULL; 97 u_char *doid = NULL;
98 98
99 if (!authctxt->valid || authctxt->user == NULL) 99 if (!authctxt->valid || authctxt->user == NULL)
100 return (0); 100 return (0);
@@ -115,9 +115,8 @@ userauth_gssapi(Authctxt *authctxt)
115 present = 0; 115 present = 0;
116 doid = packet_get_string(&len); 116 doid = packet_get_string(&len);
117 117
118 if (len > 2 && 118 if (len > 2 && doid[0] == SSH_GSS_OIDTYPE &&
119 doid[0] == SSH_GSS_OIDTYPE && 119 doid[1] == len - 2) {
120 doid[1] == len - 2) {
121 goid.elements = doid + 2; 120 goid.elements = doid + 2;
122 goid.length = len - 2; 121 goid.length = len - 2;
123 gss_test_oid_set_member(&ms, &goid, supported, 122 gss_test_oid_set_member(&ms, &goid, supported,
@@ -131,11 +130,13 @@ userauth_gssapi(Authctxt *authctxt)
131 130
132 if (!present) { 131 if (!present) {
133 xfree(doid); 132 xfree(doid);
133 authctxt->server_caused_failure = 1;
134 return (0); 134 return (0);
135 } 135 }
136 136
137 if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { 137 if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
138 xfree(doid); 138 xfree(doid);
139 authctxt->server_caused_failure = 1;
139 return (0); 140 return (0);
140 } 141 }
141 142
@@ -320,7 +321,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
320} 321}
321 322
322Authmethod method_gsskeyex = { 323Authmethod method_gsskeyex = {
323 "gssapi-keyx", 324 "gssapi-keyex",
324 userauth_gsskeyex, 325 userauth_gsskeyex,
325 &options.gss_authentication 326 &options.gss_authentication
326}; 327};
diff --git a/auth2.c b/auth2.c
index 46068b285..87f8ad507 100644
--- a/auth2.c
+++ b/auth2.c
@@ -194,6 +194,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
194#endif 194#endif
195 195
196 authctxt->postponed = 0; 196 authctxt->postponed = 0;
197 authctxt->server_caused_failure = 0;
197 198
198 /* try to authenticate user */ 199 /* try to authenticate user */
199 m = authmethod_lookup(method); 200 m = authmethod_lookup(method);
@@ -236,7 +237,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
236 packet_write_wait(); 237 packet_write_wait();
237 } 238 }
238 fatal("Access denied for user %s by PAM account " 239 fatal("Access denied for user %s by PAM account "
239 "configuration", authctxt->user); 240 "configuration", authctxt->user);
240 } 241 }
241 } 242 }
242#endif 243#endif
@@ -264,7 +265,9 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
264 /* now we can break out */ 265 /* now we can break out */
265 authctxt->success = 1; 266 authctxt->success = 1;
266 } else { 267 } else {
267 if (authctxt->failures++ > options.max_authtries) { 268 /* Dont count server configuration issues against the client */
269 if (!authctxt->server_caused_failure &&
270 authctxt->failures++ > options.max_authtries) {
268#ifdef SSH_AUDIT_EVENTS 271#ifdef SSH_AUDIT_EVENTS
269 PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); 272 PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
270#endif 273#endif
diff --git a/authfd.c b/authfd.c
index 662350cef..8976616b4 100644
--- a/authfd.c
+++ b/authfd.c
@@ -35,7 +35,7 @@
35 */ 35 */
36 36
37#include "includes.h" 37#include "includes.h"
38RCSID("$OpenBSD: authfd.c,v 1.64 2004/08/11 21:44:31 avsm Exp $"); 38RCSID("$OpenBSD: authfd.c,v 1.66 2005/06/17 02:44:32 djm Exp $");
39 39
40#include <openssl/evp.h> 40#include <openssl/evp.h>
41 41
@@ -114,8 +114,7 @@ ssh_get_authentication_socket(void)
114static int 114static int
115ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply) 115ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply)
116{ 116{
117 int l; 117 u_int l, len;
118 u_int len;
119 char buf[1024]; 118 char buf[1024];
120 119
121 /* Get the length of the message, and format it in the buffer. */ 120 /* Get the length of the message, and format it in the buffer. */
@@ -149,8 +148,7 @@ ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply
149 l = len; 148 l = len;
150 if (l > sizeof(buf)) 149 if (l > sizeof(buf))
151 l = sizeof(buf); 150 l = sizeof(buf);
152 l = atomicio(read, auth->fd, buf, l); 151 if (atomicio(read, auth->fd, buf, l) != l) {
153 if (l <= 0) {
154 error("Error reading response from authentication socket."); 152 error("Error reading response from authentication socket.");
155 return 0; 153 return 0;
156 } 154 }
@@ -303,6 +301,7 @@ ssh_get_first_identity(AuthenticationConnection *auth, char **comment, int versi
303Key * 301Key *
304ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int version) 302ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int version)
305{ 303{
304 int keybits;
306 u_int bits; 305 u_int bits;
307 u_char *blob; 306 u_char *blob;
308 u_int blen; 307 u_int blen;
@@ -323,7 +322,8 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
323 buffer_get_bignum(&auth->identities, key->rsa->e); 322 buffer_get_bignum(&auth->identities, key->rsa->e);
324 buffer_get_bignum(&auth->identities, key->rsa->n); 323 buffer_get_bignum(&auth->identities, key->rsa->n);
325 *comment = buffer_get_string(&auth->identities, NULL); 324 *comment = buffer_get_string(&auth->identities, NULL);
326 if (bits != BN_num_bits(key->rsa->n)) 325 keybits = BN_num_bits(key->rsa->n);
326 if (keybits < 0 || bits != (u_int)keybits)
327 logit("Warning: identity keysize mismatch: actual %d, announced %u", 327 logit("Warning: identity keysize mismatch: actual %d, announced %u",
328 BN_num_bits(key->rsa->n), bits); 328 BN_num_bits(key->rsa->n), bits);
329 break; 329 break;
diff --git a/authfile.c b/authfile.c
index 6a04cd7a9..420813f37 100644
--- a/authfile.c
+++ b/authfile.c
@@ -36,7 +36,7 @@
36 */ 36 */
37 37
38#include "includes.h" 38#include "includes.h"
39RCSID("$OpenBSD: authfile.c,v 1.60 2004/12/11 01:48:56 dtucker Exp $"); 39RCSID("$OpenBSD: authfile.c,v 1.61 2005/06/17 02:44:32 djm Exp $");
40 40
41#include <openssl/err.h> 41#include <openssl/err.h>
42#include <openssl/evp.h> 42#include <openssl/evp.h>
@@ -52,6 +52,7 @@ RCSID("$OpenBSD: authfile.c,v 1.60 2004/12/11 01:48:56 dtucker Exp $");
52#include "authfile.h" 52#include "authfile.h"
53#include "rsa.h" 53#include "rsa.h"
54#include "misc.h" 54#include "misc.h"
55#include "atomicio.h"
55 56
56/* Version identification string for SSH v1 identity files. */ 57/* Version identification string for SSH v1 identity files. */
57static const char authfile_id_string[] = 58static const char authfile_id_string[] =
@@ -147,8 +148,8 @@ key_save_private_rsa1(Key *key, const char *filename, const char *passphrase,
147 buffer_free(&encrypted); 148 buffer_free(&encrypted);
148 return 0; 149 return 0;
149 } 150 }
150 if (write(fd, buffer_ptr(&encrypted), buffer_len(&encrypted)) != 151 if (atomicio(vwrite, fd, buffer_ptr(&encrypted),
151 buffer_len(&encrypted)) { 152 buffer_len(&encrypted)) != buffer_len(&encrypted)) {
152 error("write to key file %s failed: %s", filename, 153 error("write to key file %s failed: %s", filename,
153 strerror(errno)); 154 strerror(errno));
154 buffer_free(&encrypted); 155 buffer_free(&encrypted);
@@ -236,7 +237,7 @@ key_load_public_rsa1(int fd, const char *filename, char **commentp)
236 Key *pub; 237 Key *pub;
237 struct stat st; 238 struct stat st;
238 char *cp; 239 char *cp;
239 int i; 240 u_int i;
240 size_t len; 241 size_t len;
241 242
242 if (fstat(fd, &st) < 0) { 243 if (fstat(fd, &st) < 0) {
@@ -253,7 +254,7 @@ key_load_public_rsa1(int fd, const char *filename, char **commentp)
253 buffer_init(&buffer); 254 buffer_init(&buffer);
254 cp = buffer_append_space(&buffer, len); 255 cp = buffer_append_space(&buffer, len);
255 256
256 if (read(fd, cp, (size_t) len) != (size_t) len) { 257 if (atomicio(read, fd, cp, len) != len) {
257 debug("Read from key file %.200s failed: %.100s", filename, 258 debug("Read from key file %.200s failed: %.100s", filename,
258 strerror(errno)); 259 strerror(errno));
259 buffer_free(&buffer); 260 buffer_free(&buffer);
@@ -322,7 +323,8 @@ static Key *
322key_load_private_rsa1(int fd, const char *filename, const char *passphrase, 323key_load_private_rsa1(int fd, const char *filename, const char *passphrase,
323 char **commentp) 324 char **commentp)
324{ 325{
325 int i, check1, check2, cipher_type; 326 u_int i;
327 int check1, check2, cipher_type;
326 size_t len; 328 size_t len;
327 Buffer buffer, decrypted; 329 Buffer buffer, decrypted;
328 u_char *cp; 330 u_char *cp;
@@ -347,7 +349,7 @@ key_load_private_rsa1(int fd, const char *filename, const char *passphrase,
347 buffer_init(&buffer); 349 buffer_init(&buffer);
348 cp = buffer_append_space(&buffer, len); 350 cp = buffer_append_space(&buffer, len);
349 351
350 if (read(fd, cp, (size_t) len) != (size_t) len) { 352 if (atomicio(read, fd, cp, len) != len) {
351 debug("Read from key file %.200s failed: %.100s", filename, 353 debug("Read from key file %.200s failed: %.100s", filename,
352 strerror(errno)); 354 strerror(errno));
353 buffer_free(&buffer); 355 buffer_free(&buffer);
diff --git a/bufaux.c b/bufaux.c
index 4ea6af1b6..8d096a056 100644
--- a/bufaux.c
+++ b/bufaux.c
@@ -37,7 +37,7 @@
37 */ 37 */
38 38
39#include "includes.h" 39#include "includes.h"
40RCSID("$OpenBSD: bufaux.c,v 1.34 2004/12/06 16:00:43 markus Exp $"); 40RCSID("$OpenBSD: bufaux.c,v 1.36 2005/06/17 02:44:32 djm Exp $");
41 41
42#include <openssl/bn.h> 42#include <openssl/bn.h>
43#include "bufaux.h" 43#include "bufaux.h"
@@ -154,7 +154,7 @@ buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
154 buf[0] = 0x00; 154 buf[0] = 0x00;
155 /* Get the value of in binary */ 155 /* Get the value of in binary */
156 oi = BN_bn2bin(value, buf+1); 156 oi = BN_bn2bin(value, buf+1);
157 if (oi != bytes-1) { 157 if (oi < 0 || (u_int)oi != bytes - 1) {
158 error("buffer_put_bignum2_ret: BN_bn2bin() failed: " 158 error("buffer_put_bignum2_ret: BN_bn2bin() failed: "
159 "oi %d != bin_size %d", oi, bytes); 159 "oi %d != bin_size %d", oi, bytes);
160 xfree(buf); 160 xfree(buf);
@@ -179,7 +179,7 @@ buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value)
179{ 179{
180 u_int len; 180 u_int len;
181 u_char *bin; 181 u_char *bin;
182 182
183 if ((bin = buffer_get_string_ret(buffer, &len)) == NULL) { 183 if ((bin = buffer_get_string_ret(buffer, &len)) == NULL) {
184 error("buffer_get_bignum2_ret: invalid bignum"); 184 error("buffer_get_bignum2_ret: invalid bignum");
185 return (-1); 185 return (-1);
diff --git a/bufaux.h b/bufaux.h
index e30911ddc..f5efaed3e 100644
--- a/bufaux.h
+++ b/bufaux.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: bufaux.h,v 1.20 2004/10/29 23:56:17 djm Exp $ */ 1/* $OpenBSD: bufaux.h,v 1.21 2005/03/10 22:01:05 deraadt Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -40,7 +40,7 @@ void buffer_put_string(Buffer *, const void *, u_int);
40void buffer_put_cstring(Buffer *, const char *); 40void buffer_put_cstring(Buffer *, const char *);
41 41
42#define buffer_skip_string(b) \ 42#define buffer_skip_string(b) \
43 do { u_int l = buffer_get_int(b); buffer_consume(b, l); } while(0) 43 do { u_int l = buffer_get_int(b); buffer_consume(b, l); } while (0)
44 44
45int buffer_put_bignum_ret(Buffer *, const BIGNUM *); 45int buffer_put_bignum_ret(Buffer *, const BIGNUM *);
46int buffer_get_bignum_ret(Buffer *, BIGNUM *); 46int buffer_get_bignum_ret(Buffer *, BIGNUM *);
diff --git a/buffer.c b/buffer.c
index 1a25004ba..487e08105 100644
--- a/buffer.c
+++ b/buffer.c
@@ -12,7 +12,7 @@
12 */ 12 */
13 13
14#include "includes.h" 14#include "includes.h"
15RCSID("$OpenBSD: buffer.c,v 1.22 2004/10/29 23:56:17 djm Exp $"); 15RCSID("$OpenBSD: buffer.c,v 1.23 2005/03/14 11:46:56 markus Exp $");
16 16
17#include "xmalloc.h" 17#include "xmalloc.h"
18#include "buffer.h" 18#include "buffer.h"
@@ -78,7 +78,7 @@ buffer_append_space(Buffer *buffer, u_int len)
78 u_int newlen; 78 u_int newlen;
79 void *p; 79 void *p;
80 80
81 if (len > 0x100000) 81 if (len > BUFFER_MAX_CHUNK)
82 fatal("buffer_append_space: len %u not supported", len); 82 fatal("buffer_append_space: len %u not supported", len);
83 83
84 /* If the buffer is empty, start using it from the beginning. */ 84 /* If the buffer is empty, start using it from the beginning. */
@@ -97,7 +97,7 @@ restart:
97 * If the buffer is quite empty, but all data is at the end, move the 97 * If the buffer is quite empty, but all data is at the end, move the
98 * data to the beginning and retry. 98 * data to the beginning and retry.
99 */ 99 */
100 if (buffer->offset > buffer->alloc / 2) { 100 if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) {
101 memmove(buffer->buf, buffer->buf + buffer->offset, 101 memmove(buffer->buf, buffer->buf + buffer->offset,
102 buffer->end - buffer->offset); 102 buffer->end - buffer->offset);
103 buffer->end -= buffer->offset; 103 buffer->end -= buffer->offset;
@@ -107,7 +107,7 @@ restart:
107 /* Increase the size of the buffer and retry. */ 107 /* Increase the size of the buffer and retry. */
108 108
109 newlen = buffer->alloc + len + 32768; 109 newlen = buffer->alloc + len + 32768;
110 if (newlen > 0xa00000) 110 if (newlen > BUFFER_MAX_LEN)
111 fatal("buffer_append_space: alloc %u not supported", 111 fatal("buffer_append_space: alloc %u not supported",
112 newlen); 112 newlen);
113 buffer->buf = xrealloc(buffer->buf, newlen); 113 buffer->buf = xrealloc(buffer->buf, newlen);
diff --git a/buffer.h b/buffer.h
index 9c09d4f43..2b20eed52 100644
--- a/buffer.h
+++ b/buffer.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: buffer.h,v 1.12 2004/10/29 23:56:17 djm Exp $ */ 1/* $OpenBSD: buffer.h,v 1.13 2005/03/14 11:46:56 markus Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -23,6 +23,9 @@ typedef struct {
23 u_int end; /* Offset of last byte containing data. */ 23 u_int end; /* Offset of last byte containing data. */
24} Buffer; 24} Buffer;
25 25
26#define BUFFER_MAX_CHUNK 0x100000
27#define BUFFER_MAX_LEN 0xa00000
28
26void buffer_init(Buffer *); 29void buffer_init(Buffer *);
27void buffer_clear(Buffer *); 30void buffer_clear(Buffer *);
28void buffer_free(Buffer *); 31void buffer_free(Buffer *);
diff --git a/buildpkg.sh.in b/buildpkg.sh.in
index f243e90bf..f90ae6e81 100644
--- a/buildpkg.sh.in
+++ b/buildpkg.sh.in
@@ -282,11 +282,11 @@ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SY
282 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s 282 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
283else 283else
284 [ "$RCS_D" = yes ] && \ 284 [ "$RCS_D" = yes ] && \
285installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l 285installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
286 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l 286 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
287 [ "$RC1_D" = no ] || \ 287 [ "$RC1_D" = no ] || \
288 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l 288 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
289 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l 289 installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
290fi 290fi
291 291
292# If piddir doesn't exist we add it. (Ie. --with-pid-dir=/var/opt/ssh) 292# If piddir doesn't exist we add it. (Ie. --with-pid-dir=/var/opt/ssh)
diff --git a/canohost.c b/canohost.c
index 1c22d4770..c27086bfd 100644
--- a/canohost.c
+++ b/canohost.c
@@ -12,7 +12,7 @@
12 */ 12 */
13 13
14#include "includes.h" 14#include "includes.h"
15RCSID("$OpenBSD: canohost.c,v 1.42 2005/02/18 03:05:53 djm Exp $"); 15RCSID("$OpenBSD: canohost.c,v 1.44 2005/06/17 02:44:32 djm Exp $");
16 16
17#include "packet.h" 17#include "packet.h"
18#include "xmalloc.h" 18#include "xmalloc.h"
@@ -143,7 +143,8 @@ check_ip_options(int sock, char *ipaddr)
143 u_char options[200]; 143 u_char options[200];
144 char text[sizeof(options) * 3 + 1]; 144 char text[sizeof(options) * 3 + 1];
145 socklen_t option_size; 145 socklen_t option_size;
146 int i, ipproto; 146 u_int i;
147 int ipproto;
147 struct protoent *ip; 148 struct protoent *ip;
148 149
149 if ((ip = getprotobyname("ip")) != NULL) 150 if ((ip = getprotobyname("ip")) != NULL)
@@ -173,7 +174,7 @@ ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
173 struct in_addr inaddr; 174 struct in_addr inaddr;
174 u_int16_t port; 175 u_int16_t port;
175 176
176 if (addr->ss_family != AF_INET6 || 177 if (addr->ss_family != AF_INET6 ||
177 !IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr)) 178 !IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr))
178 return; 179 return;
179 180
@@ -251,6 +252,8 @@ get_socket_address(int sock, int remote, int flags)
251 if (addr.ss_family == AF_INET6) 252 if (addr.ss_family == AF_INET6)
252 addrlen = sizeof(struct sockaddr_in6); 253 addrlen = sizeof(struct sockaddr_in6);
253 254
255 ipv64_normalise_mapped(&addr, &addrlen);
256
254 /* Get the address in ascii. */ 257 /* Get the address in ascii. */
255 if ((r = getnameinfo((struct sockaddr *)&addr, addrlen, ntop, 258 if ((r = getnameinfo((struct sockaddr *)&addr, addrlen, ntop,
256 sizeof(ntop), NULL, 0, flags)) != 0) { 259 sizeof(ntop), NULL, 0, flags)) != 0) {
@@ -344,7 +347,7 @@ get_sock_port(int sock, int local)
344 } else { 347 } else {
345 if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) { 348 if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) {
346 debug("getpeername failed: %.100s", strerror(errno)); 349 debug("getpeername failed: %.100s", strerror(errno));
347 cleanup_exit(255); 350 return -1;
348 } 351 }
349 } 352 }
350 353
diff --git a/channels.c b/channels.c
index 1be213bce..8c7b2b369 100644
--- a/channels.c
+++ b/channels.c
@@ -39,7 +39,7 @@
39 */ 39 */
40 40
41#include "includes.h" 41#include "includes.h"
42RCSID("$OpenBSD: channels.c,v 1.212 2005/03/01 10:09:52 djm Exp $"); 42RCSID("$OpenBSD: channels.c,v 1.223 2005/07/17 07:17:54 djm Exp $");
43 43
44#include "ssh.h" 44#include "ssh.h"
45#include "ssh1.h" 45#include "ssh1.h"
@@ -58,6 +58,8 @@ RCSID("$OpenBSD: channels.c,v 1.212 2005/03/01 10:09:52 djm Exp $");
58 58
59/* -- channel core */ 59/* -- channel core */
60 60
61#define CHAN_RBUF 16*1024
62
61/* 63/*
62 * Pointer to an array containing all allocated channels. The array is 64 * Pointer to an array containing all allocated channels. The array is
63 * dynamically extended as needed. 65 * dynamically extended as needed.
@@ -109,6 +111,9 @@ static int all_opens_permitted = 0;
109/* Maximum number of fake X11 displays to try. */ 111/* Maximum number of fake X11 displays to try. */
110#define MAX_DISPLAYS 1000 112#define MAX_DISPLAYS 1000
111 113
114/* Saved X11 local (client) display. */
115static char *x11_saved_display = NULL;
116
112/* Saved X11 authentication protocol name. */ 117/* Saved X11 authentication protocol name. */
113static char *x11_saved_proto = NULL; 118static char *x11_saved_proto = NULL;
114 119
@@ -712,6 +717,9 @@ channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset)
712{ 717{
713 u_int limit = compat20 ? c->remote_window : packet_get_maxsize(); 718 u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
714 719
720 /* check buffer limits */
721 limit = MIN(limit, (BUFFER_MAX_LEN - BUFFER_MAX_CHUNK - CHAN_RBUF));
722
715 if (c->istate == CHAN_INPUT_OPEN && 723 if (c->istate == CHAN_INPUT_OPEN &&
716 limit > 0 && 724 limit > 0 &&
717 buffer_len(&c->input) < limit) 725 buffer_len(&c->input) < limit)
@@ -722,8 +730,8 @@ channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset)
722 FD_SET(c->wfd, writeset); 730 FD_SET(c->wfd, writeset);
723 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 731 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
724 if (CHANNEL_EFD_OUTPUT_ACTIVE(c)) 732 if (CHANNEL_EFD_OUTPUT_ACTIVE(c))
725 debug2("channel %d: obuf_empty delayed efd %d/(%d)", 733 debug2("channel %d: obuf_empty delayed efd %d/(%d)",
726 c->self, c->efd, buffer_len(&c->extended)); 734 c->self, c->efd, buffer_len(&c->extended));
727 else 735 else
728 chan_obuf_empty(c); 736 chan_obuf_empty(c);
729 } 737 }
@@ -889,7 +897,7 @@ static int
889channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset) 897channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset)
890{ 898{
891 char *p, *host; 899 char *p, *host;
892 int len, have, i, found; 900 u_int len, have, i, found;
893 char username[256]; 901 char username[256];
894 struct { 902 struct {
895 u_int8_t version; 903 u_int8_t version;
@@ -974,7 +982,7 @@ channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
974 } s5_req, s5_rsp; 982 } s5_req, s5_rsp;
975 u_int16_t dest_port; 983 u_int16_t dest_port;
976 u_char *p, dest_addr[255+1]; 984 u_char *p, dest_addr[255+1];
977 int i, have, found, nmethods, addrlen, af; 985 u_int have, i, found, nmethods, addrlen, af;
978 986
979 debug2("channel %d: decode socks5", c->self); 987 debug2("channel %d: decode socks5", c->self);
980 p = buffer_ptr(&c->input); 988 p = buffer_ptr(&c->input);
@@ -1018,7 +1026,7 @@ channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
1018 debug2("channel %d: only socks5 connect supported", c->self); 1026 debug2("channel %d: only socks5 connect supported", c->self);
1019 return -1; 1027 return -1;
1020 } 1028 }
1021 switch(s5_req.atyp){ 1029 switch (s5_req.atyp){
1022 case SSH_SOCKS5_IPV4: 1030 case SSH_SOCKS5_IPV4:
1023 addrlen = 4; 1031 addrlen = 4;
1024 af = AF_INET; 1032 af = AF_INET;
@@ -1070,7 +1078,8 @@ static void
1070channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset) 1078channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset)
1071{ 1079{
1072 u_char *p; 1080 u_char *p;
1073 int have, ret; 1081 u_int have;
1082 int ret;
1074 1083
1075 have = buffer_len(&c->input); 1084 have = buffer_len(&c->input);
1076 c->delayed = 0; 1085 c->delayed = 0;
@@ -1173,7 +1182,7 @@ port_open_helper(Channel *c, char *rtype)
1173 int direct; 1182 int direct;
1174 char buf[1024]; 1183 char buf[1024];
1175 char *remote_ipaddr = get_peer_ipaddr(c->sock); 1184 char *remote_ipaddr = get_peer_ipaddr(c->sock);
1176 u_short remote_port = get_peer_port(c->sock); 1185 int remote_port = get_peer_port(c->sock);
1177 1186
1178 direct = (strcmp(rtype, "direct-tcpip") == 0); 1187 direct = (strcmp(rtype, "direct-tcpip") == 0);
1179 1188
@@ -1203,7 +1212,7 @@ port_open_helper(Channel *c, char *rtype)
1203 } 1212 }
1204 /* originator host and port */ 1213 /* originator host and port */
1205 packet_put_cstring(remote_ipaddr); 1214 packet_put_cstring(remote_ipaddr);
1206 packet_put_int(remote_port); 1215 packet_put_int((u_int)remote_port);
1207 packet_send(); 1216 packet_send();
1208 } else { 1217 } else {
1209 packet_start(SSH_MSG_PORT_OPEN); 1218 packet_start(SSH_MSG_PORT_OPEN);
@@ -1360,7 +1369,7 @@ channel_post_connecting(Channel *c, fd_set * readset, fd_set * writeset)
1360static int 1369static int
1361channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset) 1370channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
1362{ 1371{
1363 char buf[16*1024]; 1372 char buf[CHAN_RBUF];
1364 int len; 1373 int len;
1365 1374
1366 if (c->rfd != -1 && 1375 if (c->rfd != -1 &&
@@ -1454,7 +1463,7 @@ channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
1454static int 1463static int
1455channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset) 1464channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset)
1456{ 1465{
1457 char buf[16*1024]; 1466 char buf[CHAN_RBUF];
1458 int len; 1467 int len;
1459 1468
1460/** XXX handle drain efd, too */ 1469/** XXX handle drain efd, too */
@@ -1804,8 +1813,8 @@ channel_output_poll(void)
1804 * hack for extended data: delay EOF if EFD still in use. 1813 * hack for extended data: delay EOF if EFD still in use.
1805 */ 1814 */
1806 if (CHANNEL_EFD_INPUT_ACTIVE(c)) 1815 if (CHANNEL_EFD_INPUT_ACTIVE(c))
1807 debug2("channel %d: ibuf_empty delayed efd %d/(%d)", 1816 debug2("channel %d: ibuf_empty delayed efd %d/(%d)",
1808 c->self, c->efd, buffer_len(&c->extended)); 1817 c->self, c->efd, buffer_len(&c->extended));
1809 else 1818 else
1810 chan_ibuf_empty(c); 1819 chan_ibuf_empty(c);
1811 } 1820 }
@@ -2190,20 +2199,20 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por
2190 2199
2191 if (host == NULL) { 2200 if (host == NULL) {
2192 error("No forward host name."); 2201 error("No forward host name.");
2193 return success; 2202 return 0;
2194 } 2203 }
2195 if (strlen(host) > SSH_CHANNEL_PATH_LEN - 1) { 2204 if (strlen(host) > SSH_CHANNEL_PATH_LEN - 1) {
2196 error("Forward host name too long."); 2205 error("Forward host name too long.");
2197 return success; 2206 return 0;
2198 } 2207 }
2199 2208
2200 /* 2209 /*
2201 * Determine whether or not a port forward listens to loopback, 2210 * Determine whether or not a port forward listens to loopback,
2202 * specified address or wildcard. On the client, a specified bind 2211 * specified address or wildcard. On the client, a specified bind
2203 * address will always override gateway_ports. On the server, a 2212 * address will always override gateway_ports. On the server, a
2204 * gateway_ports of 1 (``yes'') will override the client's 2213 * gateway_ports of 1 (``yes'') will override the client's
2205 * specification and force a wildcard bind, whereas a value of 2 2214 * specification and force a wildcard bind, whereas a value of 2
2206 * (``clientspecified'') will bind to whatever address the client 2215 * (``clientspecified'') will bind to whatever address the client
2207 * asked for. 2216 * asked for.
2208 * 2217 *
2209 * Special-case listen_addrs are: 2218 * Special-case listen_addrs are:
@@ -2245,12 +2254,10 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por
2245 packet_disconnect("getaddrinfo: fatal error: %s", 2254 packet_disconnect("getaddrinfo: fatal error: %s",
2246 gai_strerror(r)); 2255 gai_strerror(r));
2247 } else { 2256 } else {
2248 verbose("channel_setup_fwd_listener: " 2257 error("channel_setup_fwd_listener: "
2249 "getaddrinfo(%.64s): %s", addr, gai_strerror(r));
2250 packet_send_debug("channel_setup_fwd_listener: "
2251 "getaddrinfo(%.64s): %s", addr, gai_strerror(r)); 2258 "getaddrinfo(%.64s): %s", addr, gai_strerror(r));
2252 } 2259 }
2253 aitop = NULL; 2260 return 0;
2254 } 2261 }
2255 2262
2256 for (ai = aitop; ai; ai = ai->ai_next) { 2263 for (ai = aitop; ai; ai = ai->ai_next) {
@@ -2317,7 +2324,7 @@ channel_cancel_rport_listener(const char *host, u_short port)
2317 u_int i; 2324 u_int i;
2318 int found = 0; 2325 int found = 0;
2319 2326
2320 for(i = 0; i < channels_alloc; i++) { 2327 for (i = 0; i < channels_alloc; i++) {
2321 Channel *c = channels[i]; 2328 Channel *c = channels[i];
2322 2329
2323 if (c != NULL && c->type == SSH_CHANNEL_RPORT_LISTENER && 2330 if (c != NULL && c->type == SSH_CHANNEL_RPORT_LISTENER &&
@@ -2629,7 +2636,7 @@ channel_send_window_changes(void)
2629 struct winsize ws; 2636 struct winsize ws;
2630 2637
2631 for (i = 0; i < channels_alloc; i++) { 2638 for (i = 0; i < channels_alloc; i++) {
2632 if (channels[i] == NULL || !channels[i]->client_tty || 2639 if (channels[i] == NULL || !channels[i]->client_tty ||
2633 channels[i]->type != SSH_CHANNEL_OPEN) 2640 channels[i]->type != SSH_CHANNEL_OPEN)
2634 continue; 2641 continue;
2635 if (ioctl(channels[i]->rfd, TIOCGWINSZ, &ws) < 0) 2642 if (ioctl(channels[i]->rfd, TIOCGWINSZ, &ws) < 0)
@@ -2652,7 +2659,7 @@ channel_send_window_changes(void)
2652 */ 2659 */
2653int 2660int
2654x11_create_display_inet(int x11_display_offset, int x11_use_localhost, 2661x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
2655 int single_connection, u_int *display_numberp) 2662 int single_connection, u_int *display_numberp, int **chanids)
2656{ 2663{
2657 Channel *nc = NULL; 2664 Channel *nc = NULL;
2658 int display_number, sock; 2665 int display_number, sock;
@@ -2742,6 +2749,8 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
2742 } 2749 }
2743 2750
2744 /* Allocate a channel for each socket. */ 2751 /* Allocate a channel for each socket. */
2752 if (chanids != NULL)
2753 *chanids = xmalloc(sizeof(**chanids) * (num_socks + 1));
2745 for (n = 0; n < num_socks; n++) { 2754 for (n = 0; n < num_socks; n++) {
2746 sock = socks[n]; 2755 sock = socks[n];
2747 nc = channel_new("x11 listener", 2756 nc = channel_new("x11 listener",
@@ -2749,7 +2758,11 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
2749 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 2758 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
2750 0, "X11 inet listener", 1); 2759 0, "X11 inet listener", 1);
2751 nc->single_connection = single_connection; 2760 nc->single_connection = single_connection;
2761 if (*chanids != NULL)
2762 (*chanids)[n] = nc->self;
2752 } 2763 }
2764 if (*chanids != NULL)
2765 (*chanids)[n] = -1;
2753 2766
2754 /* Return the display number for the DISPLAY environment variable. */ 2767 /* Return the display number for the DISPLAY environment variable. */
2755 *display_numberp = display_number; 2768 *display_numberp = display_number;
@@ -2947,19 +2960,27 @@ deny_input_open(int type, u_int32_t seq, void *ctxt)
2947 * This should be called in the client only. 2960 * This should be called in the client only.
2948 */ 2961 */
2949void 2962void
2950x11_request_forwarding_with_spoofing(int client_session_id, 2963x11_request_forwarding_with_spoofing(int client_session_id, const char *disp,
2951 const char *proto, const char *data) 2964 const char *proto, const char *data)
2952{ 2965{
2953 u_int data_len = (u_int) strlen(data) / 2; 2966 u_int data_len = (u_int) strlen(data) / 2;
2954 u_int i, value, len; 2967 u_int i, value;
2955 char *new_data; 2968 char *new_data;
2956 int screen_number; 2969 int screen_number;
2957 const char *cp; 2970 const char *cp;
2958 u_int32_t rnd = 0; 2971 u_int32_t rnd = 0;
2959 2972
2960 cp = getenv("DISPLAY"); 2973 if (x11_saved_display == NULL)
2961 if (cp) 2974 x11_saved_display = xstrdup(disp);
2962 cp = strchr(cp, ':'); 2975 else if (strcmp(disp, x11_saved_display) != 0) {
2976 error("x11_request_forwarding_with_spoofing: different "
2977 "$DISPLAY already forwarded");
2978 return;
2979 }
2980
2981 cp = disp;
2982 if (disp)
2983 cp = strchr(disp, ':');
2963 if (cp) 2984 if (cp)
2964 cp = strchr(cp, '.'); 2985 cp = strchr(cp, '.');
2965 if (cp) 2986 if (cp)
@@ -2967,33 +2988,31 @@ x11_request_forwarding_with_spoofing(int client_session_id,
2967 else 2988 else
2968 screen_number = 0; 2989 screen_number = 0;
2969 2990
2970 /* Save protocol name. */ 2991 if (x11_saved_proto == NULL) {
2971 x11_saved_proto = xstrdup(proto); 2992 /* Save protocol name. */
2972 2993 x11_saved_proto = xstrdup(proto);
2973 /* 2994 /*
2974 * Extract real authentication data and generate fake data of the 2995 * Extract real authentication data and generate fake data
2975 * same length. 2996 * of the same length.
2976 */ 2997 */
2977 x11_saved_data = xmalloc(data_len); 2998 x11_saved_data = xmalloc(data_len);
2978 x11_fake_data = xmalloc(data_len); 2999 x11_fake_data = xmalloc(data_len);
2979 for (i = 0; i < data_len; i++) { 3000 for (i = 0; i < data_len; i++) {
2980 if (sscanf(data + 2 * i, "%2x", &value) != 1) 3001 if (sscanf(data + 2 * i, "%2x", &value) != 1)
2981 fatal("x11_request_forwarding: bad authentication data: %.100s", data); 3002 fatal("x11_request_forwarding: bad "
2982 if (i % 4 == 0) 3003 "authentication data: %.100s", data);
2983 rnd = arc4random(); 3004 if (i % 4 == 0)
2984 x11_saved_data[i] = value; 3005 rnd = arc4random();
2985 x11_fake_data[i] = rnd & 0xff; 3006 x11_saved_data[i] = value;
2986 rnd >>= 8; 3007 x11_fake_data[i] = rnd & 0xff;
2987 } 3008 rnd >>= 8;
2988 x11_saved_data_len = data_len; 3009 }
2989 x11_fake_data_len = data_len; 3010 x11_saved_data_len = data_len;
3011 x11_fake_data_len = data_len;
3012 }
2990 3013
2991 /* Convert the fake data into hex. */ 3014 /* Convert the fake data into hex. */
2992 len = 2 * data_len + 1; 3015 new_data = tohex(x11_fake_data, data_len);
2993 new_data = xmalloc(len);
2994 for (i = 0; i < data_len; i++)
2995 snprintf(new_data + 2 * i, len - 2 * i,
2996 "%02x", (u_char) x11_fake_data[i]);
2997 3016
2998 /* Send the request packet. */ 3017 /* Send the request packet. */
2999 if (compat20) { 3018 if (compat20) {
diff --git a/channels.h b/channels.h
index fc20fb2c3..1cb2c3a34 100644
--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: channels.h,v 1.76 2005/03/01 10:09:52 djm Exp $ */ 1/* $OpenBSD: channels.h,v 1.79 2005/07/17 06:49:04 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -149,7 +149,7 @@ struct Channel {
149 buffer_len(&c->extended) > 0)) 149 buffer_len(&c->extended) > 0))
150#define CHANNEL_EFD_OUTPUT_ACTIVE(c) \ 150#define CHANNEL_EFD_OUTPUT_ACTIVE(c) \
151 (compat20 && c->extended_usage == CHAN_EXTENDED_WRITE && \ 151 (compat20 && c->extended_usage == CHAN_EXTENDED_WRITE && \
152 ((c->efd != -1 && !(c->flags & (CHAN_EOF_RCVD|CHAN_CLOSE_RCVD))) || \ 152 c->efd != -1 && (!(c->flags & (CHAN_EOF_RCVD|CHAN_CLOSE_RCVD)) || \
153 buffer_len(&c->extended) > 0)) 153 buffer_len(&c->extended) > 0))
154 154
155/* channel management */ 155/* channel management */
@@ -214,9 +214,10 @@ int channel_cancel_rport_listener(const char *, u_short);
214/* x11 forwarding */ 214/* x11 forwarding */
215 215
216int x11_connect_display(void); 216int x11_connect_display(void);
217int x11_create_display_inet(int, int, int, u_int *); 217int x11_create_display_inet(int, int, int, u_int *, int **);
218void x11_input_open(int, u_int32_t, void *); 218void x11_input_open(int, u_int32_t, void *);
219void x11_request_forwarding_with_spoofing(int, const char *, const char *); 219void x11_request_forwarding_with_spoofing(int, const char *, const char *,
220 const char *);
220void deny_input_open(int, u_int32_t, void *); 221void deny_input_open(int, u_int32_t, void *);
221 222
222/* agent forwarding */ 223/* agent forwarding */
diff --git a/cipher-acss.c b/cipher-acss.c
index 3a966a74d..a95fa6747 100644
--- a/cipher-acss.c
+++ b/cipher-acss.c
@@ -17,7 +17,7 @@
17#include "includes.h" 17#include "includes.h"
18#include <openssl/evp.h> 18#include <openssl/evp.h>
19 19
20RCSID("$Id: cipher-acss.c,v 1.2 2004/02/06 04:26:11 dtucker Exp $"); 20RCSID("$Id: cipher-acss.c,v 1.3 2005/07/17 07:04:47 djm Exp $");
21 21
22#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) 22#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
23 23
@@ -33,7 +33,7 @@ typedef struct {
33#define EVP_CTRL_SET_ACSS_SUBKEY 0xff07 33#define EVP_CTRL_SET_ACSS_SUBKEY 0xff07
34 34
35static int 35static int
36acss_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 36acss_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
37 const unsigned char *iv, int enc) 37 const unsigned char *iv, int enc)
38{ 38{
39 acss_setkey(&data(ctx)->ks,key,enc,ACSS_DATA); 39 acss_setkey(&data(ctx)->ks,key,enc,ACSS_DATA);
@@ -41,7 +41,7 @@ acss_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
41} 41}
42 42
43static int 43static int
44acss_ciph(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, 44acss_ciph(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in,
45 unsigned int inl) 45 unsigned int inl)
46{ 46{
47 acss(&data(ctx)->ks,inl,in,out); 47 acss(&data(ctx)->ks,inl,in,out);
diff --git a/cipher-ctr.c b/cipher-ctr.c
index 43f1ede57..856177349 100644
--- a/cipher-ctr.c
+++ b/cipher-ctr.c
@@ -14,7 +14,7 @@
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */ 15 */
16#include "includes.h" 16#include "includes.h"
17RCSID("$OpenBSD: cipher-ctr.c,v 1.5 2004/12/22 02:13:19 djm Exp $"); 17RCSID("$OpenBSD: cipher-ctr.c,v 1.6 2005/07/17 07:17:55 djm Exp $");
18 18
19#include <openssl/evp.h> 19#include <openssl/evp.h>
20 20
@@ -95,7 +95,7 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
95 } 95 }
96 if (key != NULL) 96 if (key != NULL)
97 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, 97 AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
98 &c->aes_ctx); 98 &c->aes_ctx);
99 if (iv != NULL) 99 if (iv != NULL)
100 memcpy(c->aes_counter, iv, AES_BLOCK_SIZE); 100 memcpy(c->aes_counter, iv, AES_BLOCK_SIZE);
101 return (1); 101 return (1);
diff --git a/cipher.c b/cipher.c
index beba4618d..0dddf270a 100644
--- a/cipher.c
+++ b/cipher.c
@@ -35,7 +35,7 @@
35 */ 35 */
36 36
37#include "includes.h" 37#include "includes.h"
38RCSID("$OpenBSD: cipher.c,v 1.73 2005/01/23 10:18:12 djm Exp $"); 38RCSID("$OpenBSD: cipher.c,v 1.77 2005/07/16 01:35:24 djm Exp $");
39 39
40#include "xmalloc.h" 40#include "xmalloc.h"
41#include "log.h" 41#include "log.h"
@@ -43,25 +43,8 @@ RCSID("$OpenBSD: cipher.c,v 1.73 2005/01/23 10:18:12 djm Exp $");
43 43
44#include <openssl/md5.h> 44#include <openssl/md5.h>
45 45
46#if OPENSSL_VERSION_NUMBER < 0x00906000L 46/* compatibility with old or broken OpenSSL versions */
47#define SSH_OLD_EVP 47#include "openbsd-compat/openssl-compat.h"
48#define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
49#endif
50
51#if OPENSSL_VERSION_NUMBER < 0x00907000L
52extern const EVP_CIPHER *evp_rijndael(void);
53extern void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
54#endif
55
56#if !defined(EVP_CTRL_SET_ACSS_MODE)
57# if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
58extern const EVP_CIPHER *evp_acss(void);
59# define EVP_acss evp_acss
60# define EVP_CTRL_SET_ACSS_MODE xxx /* used below */
61# else
62# define EVP_acss NULL /* Don't try to support ACSS on older OpenSSL */
63# endif /* (OPENSSL_VERSION_NUMBER >= 0x00906000L) */
64#endif /* !defined(EVP_CTRL_SET_ACSS_MODE) */
65 48
66extern const EVP_CIPHER *evp_ssh1_bf(void); 49extern const EVP_CIPHER *evp_ssh1_bf(void);
67extern const EVP_CIPHER *evp_ssh1_3des(void); 50extern const EVP_CIPHER *evp_ssh1_3des(void);
@@ -74,39 +57,32 @@ struct Cipher {
74 int number; /* for ssh1 only */ 57 int number; /* for ssh1 only */
75 u_int block_size; 58 u_int block_size;
76 u_int key_len; 59 u_int key_len;
60 u_int discard_len;
77 const EVP_CIPHER *(*evptype)(void); 61 const EVP_CIPHER *(*evptype)(void);
78} ciphers[] = { 62} ciphers[] = {
79 { "none", SSH_CIPHER_NONE, 8, 0, EVP_enc_null }, 63 { "none", SSH_CIPHER_NONE, 8, 0, 0, EVP_enc_null },
80 { "des", SSH_CIPHER_DES, 8, 8, EVP_des_cbc }, 64 { "des", SSH_CIPHER_DES, 8, 8, 0, EVP_des_cbc },
81 { "3des", SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des }, 65 { "3des", SSH_CIPHER_3DES, 8, 16, 0, evp_ssh1_3des },
82 { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf }, 66 { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, evp_ssh1_bf },
83 67
84 { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc }, 68 { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, EVP_des_ede3_cbc },
85 { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc }, 69 { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, EVP_bf_cbc },
86 { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc }, 70 { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, 0, EVP_cast5_cbc },
87 { "arcfour", SSH_CIPHER_SSH2, 8, 16, EVP_rc4 }, 71 { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, EVP_rc4 },
88#if OPENSSL_VERSION_NUMBER < 0x00907000L 72 { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 1536, EVP_rc4 },
89 { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, evp_rijndael }, 73 { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 1536, EVP_rc4 },
90 { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, evp_rijndael }, 74 { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, EVP_aes_128_cbc },
91 { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, evp_rijndael }, 75 { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, EVP_aes_192_cbc },
76 { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc },
92 { "rijndael-cbc@lysator.liu.se", 77 { "rijndael-cbc@lysator.liu.se",
93 SSH_CIPHER_SSH2, 16, 32, evp_rijndael }, 78 SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc },
94#else 79 { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, evp_aes_128_ctr },
95 { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, EVP_aes_128_cbc }, 80 { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, evp_aes_128_ctr },
96 { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, EVP_aes_192_cbc }, 81 { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, evp_aes_128_ctr },
97 { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc }, 82#ifdef USE_CIPHER_ACSS
98 { "rijndael-cbc@lysator.liu.se", 83 { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, EVP_acss },
99 SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
100#endif
101#if OPENSSL_VERSION_NUMBER >= 0x00905000L
102 { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, evp_aes_128_ctr },
103 { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, evp_aes_128_ctr },
104 { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, evp_aes_128_ctr },
105#endif 84#endif
106#if defined(EVP_CTRL_SET_ACSS_MODE) 85 { NULL, SSH_CIPHER_INVALID, 0, 0, 0, NULL }
107 { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, EVP_acss },
108#endif
109 { NULL, SSH_CIPHER_INVALID, 0, 0, NULL }
110}; 86};
111 87
112/*--*/ 88/*--*/
@@ -222,8 +198,9 @@ cipher_init(CipherContext *cc, Cipher *cipher,
222 EVP_CIPHER *type; 198 EVP_CIPHER *type;
223#else 199#else
224 const EVP_CIPHER *type; 200 const EVP_CIPHER *type;
225#endif
226 int klen; 201 int klen;
202#endif
203 u_char *junk, *discard;
227 204
228 if (cipher->number == SSH_CIPHER_DES) { 205 if (cipher->number == SSH_CIPHER_DES) {
229 if (dowarn) { 206 if (dowarn) {
@@ -261,7 +238,7 @@ cipher_init(CipherContext *cc, Cipher *cipher,
261 fatal("cipher_init: EVP_CipherInit failed for %s", 238 fatal("cipher_init: EVP_CipherInit failed for %s",
262 cipher->name); 239 cipher->name);
263 klen = EVP_CIPHER_CTX_key_length(&cc->evp); 240 klen = EVP_CIPHER_CTX_key_length(&cc->evp);
264 if (klen > 0 && keylen != klen) { 241 if (klen > 0 && keylen != (u_int)klen) {
265 debug2("cipher_init: set keylen (%d -> %d)", klen, keylen); 242 debug2("cipher_init: set keylen (%d -> %d)", klen, keylen);
266 if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0) 243 if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0)
267 fatal("cipher_init: set keylen failed (%d -> %d)", 244 fatal("cipher_init: set keylen failed (%d -> %d)",
@@ -271,6 +248,17 @@ cipher_init(CipherContext *cc, Cipher *cipher,
271 fatal("cipher_init: EVP_CipherInit: set key failed for %s", 248 fatal("cipher_init: EVP_CipherInit: set key failed for %s",
272 cipher->name); 249 cipher->name);
273#endif 250#endif
251
252 if (cipher->discard_len > 0) {
253 junk = xmalloc(cipher->discard_len);
254 discard = xmalloc(cipher->discard_len);
255 if (EVP_Cipher(&cc->evp, discard, junk,
256 cipher->discard_len) == 0)
257 fatal("evp_crypt: EVP_Cipher failed during discard");
258 memset(discard, 0, cipher->discard_len);
259 xfree(junk);
260 xfree(discard);
261 }
274} 262}
275 263
276void 264void
@@ -278,23 +266,15 @@ cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
278{ 266{
279 if (len % cc->cipher->block_size) 267 if (len % cc->cipher->block_size)
280 fatal("cipher_encrypt: bad plaintext length %d", len); 268 fatal("cipher_encrypt: bad plaintext length %d", len);
281#ifdef SSH_OLD_EVP
282 EVP_Cipher(&cc->evp, dest, (u_char *)src, len);
283#else
284 if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0) 269 if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0)
285 fatal("evp_crypt: EVP_Cipher failed"); 270 fatal("evp_crypt: EVP_Cipher failed");
286#endif
287} 271}
288 272
289void 273void
290cipher_cleanup(CipherContext *cc) 274cipher_cleanup(CipherContext *cc)
291{ 275{
292#ifdef SSH_OLD_EVP
293 EVP_CIPHER_CTX_cleanup(&cc->evp);
294#else
295 if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0) 276 if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
296 error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed"); 277 error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed");
297#endif
298} 278}
299 279
300/* 280/*
@@ -349,9 +329,9 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
349 case SSH_CIPHER_DES: 329 case SSH_CIPHER_DES:
350 case SSH_CIPHER_BLOWFISH: 330 case SSH_CIPHER_BLOWFISH:
351 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); 331 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
352 if (evplen == 0) 332 if (evplen <= 0)
353 return; 333 return;
354 if (evplen != len) 334 if ((u_int)evplen != len)
355 fatal("%s: wrong iv length %d != %d", __func__, 335 fatal("%s: wrong iv length %d != %d", __func__,
356 evplen, len); 336 evplen, len);
357#if OPENSSL_VERSION_NUMBER < 0x00907000L 337#if OPENSSL_VERSION_NUMBER < 0x00907000L
diff --git a/clientloop.c b/clientloop.c
index 1e250883f..47f3c7ecd 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -59,7 +59,7 @@
59 */ 59 */
60 60
61#include "includes.h" 61#include "includes.h"
62RCSID("$OpenBSD: clientloop.c,v 1.135 2005/03/01 10:09:52 djm Exp $"); 62RCSID("$OpenBSD: clientloop.c,v 1.141 2005/07/16 01:35:24 djm Exp $");
63 63
64#include "ssh.h" 64#include "ssh.h"
65#include "ssh1.h" 65#include "ssh1.h"
@@ -140,6 +140,8 @@ int session_ident = -1;
140struct confirm_ctx { 140struct confirm_ctx {
141 int want_tty; 141 int want_tty;
142 int want_subsys; 142 int want_subsys;
143 int want_x_fwd;
144 int want_agent_fwd;
143 Buffer cmd; 145 Buffer cmd;
144 char *term; 146 char *term;
145 struct termios tio; 147 struct termios tio;
@@ -208,6 +210,109 @@ get_current_time(void)
208 return (double) tv.tv_sec + (double) tv.tv_usec / 1000000.0; 210 return (double) tv.tv_sec + (double) tv.tv_usec / 1000000.0;
209} 211}
210 212
213#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
214void
215client_x11_get_proto(const char *display, const char *xauth_path,
216 u_int trusted, char **_proto, char **_data)
217{
218 char cmd[1024];
219 char line[512];
220 char xdisplay[512];
221 static char proto[512], data[512];
222 FILE *f;
223 int got_data = 0, generated = 0, do_unlink = 0, i;
224 char *xauthdir, *xauthfile;
225 struct stat st;
226
227 xauthdir = xauthfile = NULL;
228 *_proto = proto;
229 *_data = data;
230 proto[0] = data[0] = '\0';
231
232 if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) {
233 debug("No xauth program.");
234 } else {
235 if (display == NULL) {
236 debug("x11_get_proto: DISPLAY not set");
237 return;
238 }
239 /*
240 * Handle FamilyLocal case where $DISPLAY does
241 * not match an authorization entry. For this we
242 * just try "xauth list unix:displaynum.screennum".
243 * XXX: "localhost" match to determine FamilyLocal
244 * is not perfect.
245 */
246 if (strncmp(display, "localhost:", 10) == 0) {
247 snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
248 display + 10);
249 display = xdisplay;
250 }
251 if (trusted == 0) {
252 xauthdir = xmalloc(MAXPATHLEN);
253 xauthfile = xmalloc(MAXPATHLEN);
254 strlcpy(xauthdir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN);
255 if (mkdtemp(xauthdir) != NULL) {
256 do_unlink = 1;
257 snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile",
258 xauthdir);
259 snprintf(cmd, sizeof(cmd),
260 "%s -f %s generate %s " SSH_X11_PROTO
261 " untrusted timeout 1200 2>" _PATH_DEVNULL,
262 xauth_path, xauthfile, display);
263 debug2("x11_get_proto: %s", cmd);
264 if (system(cmd) == 0)
265 generated = 1;
266 }
267 }
268 snprintf(cmd, sizeof(cmd),
269 "%s %s%s list %s . 2>" _PATH_DEVNULL,
270 xauth_path,
271 generated ? "-f " : "" ,
272 generated ? xauthfile : "",
273 display);
274 debug2("x11_get_proto: %s", cmd);
275 f = popen(cmd, "r");
276 if (f && fgets(line, sizeof(line), f) &&
277 sscanf(line, "%*s %511s %511s", proto, data) == 2)
278 got_data = 1;
279 if (f)
280 pclose(f);
281 }
282
283 if (do_unlink) {
284 unlink(xauthfile);
285 rmdir(xauthdir);
286 }
287 if (xauthdir)
288 xfree(xauthdir);
289 if (xauthfile)
290 xfree(xauthfile);
291
292 /*
293 * If we didn't get authentication data, just make up some
294 * data. The forwarding code will check the validity of the
295 * response anyway, and substitute this data. The X11
296 * server, however, will ignore this fake data and use
297 * whatever authentication mechanisms it was using otherwise
298 * for the local connection.
299 */
300 if (!got_data) {
301 u_int32_t rnd = 0;
302
303 logit("Warning: No xauth data; "
304 "using fake authentication data for X11 forwarding.");
305 strlcpy(proto, SSH_X11_PROTO, sizeof proto);
306 for (i = 0; i < 16; i++) {
307 if (i % 4 == 0)
308 rnd = arc4random();
309 snprintf(data + 2 * i, sizeof data - 2 * i, "%02x",
310 rnd & 0xff);
311 rnd >>= 8;
312 }
313 }
314}
315
211/* 316/*
212 * This is called when the interactive is entered. This checks if there is 317 * This is called when the interactive is entered. This checks if there is
213 * an EOF coming on stdin. We must check this explicitly, as select() does 318 * an EOF coming on stdin. We must check this explicitly, as select() does
@@ -528,6 +633,7 @@ static void
528client_extra_session2_setup(int id, void *arg) 633client_extra_session2_setup(int id, void *arg)
529{ 634{
530 struct confirm_ctx *cctx = arg; 635 struct confirm_ctx *cctx = arg;
636 const char *display;
531 Channel *c; 637 Channel *c;
532 int i; 638 int i;
533 639
@@ -536,6 +642,24 @@ client_extra_session2_setup(int id, void *arg)
536 if ((c = channel_lookup(id)) == NULL) 642 if ((c = channel_lookup(id)) == NULL)
537 fatal("%s: no channel for id %d", __func__, id); 643 fatal("%s: no channel for id %d", __func__, id);
538 644
645 display = getenv("DISPLAY");
646 if (cctx->want_x_fwd && options.forward_x11 && display != NULL) {
647 char *proto, *data;
648 /* Get reasonable local authentication information. */
649 client_x11_get_proto(display, options.xauth_location,
650 options.forward_x11_trusted, &proto, &data);
651 /* Request forwarding with authentication spoofing. */
652 debug("Requesting X11 forwarding with authentication spoofing.");
653 x11_request_forwarding_with_spoofing(id, display, proto, data);
654 /* XXX wait for reply */
655 }
656
657 if (cctx->want_agent_fwd && options.forward_agent) {
658 debug("Requesting authentication agent forwarding.");
659 channel_request_start(id, "auth-agent-req@openssh.com", 0);
660 packet_send();
661 }
662
539 client_session2_setup(id, cctx->want_tty, cctx->want_subsys, 663 client_session2_setup(id, cctx->want_tty, cctx->want_subsys,
540 cctx->term, &cctx->tio, c->rfd, &cctx->cmd, cctx->env, 664 cctx->term, &cctx->tio, c->rfd, &cctx->cmd, cctx->env,
541 client_subsystem_reply); 665 client_subsystem_reply);
@@ -556,12 +680,12 @@ client_process_control(fd_set * readset)
556{ 680{
557 Buffer m; 681 Buffer m;
558 Channel *c; 682 Channel *c;
559 int client_fd, new_fd[3], ver, i, allowed; 683 int client_fd, new_fd[3], ver, allowed;
560 socklen_t addrlen; 684 socklen_t addrlen;
561 struct sockaddr_storage addr; 685 struct sockaddr_storage addr;
562 struct confirm_ctx *cctx; 686 struct confirm_ctx *cctx;
563 char *cmd; 687 char *cmd;
564 u_int len, env_len, command, flags; 688 u_int i, len, env_len, command, flags;
565 uid_t euid; 689 uid_t euid;
566 gid_t egid; 690 gid_t egid;
567 691
@@ -601,7 +725,7 @@ client_process_control(fd_set * readset)
601 buffer_free(&m); 725 buffer_free(&m);
602 return; 726 return;
603 } 727 }
604 if ((ver = buffer_get_char(&m)) != 1) { 728 if ((ver = buffer_get_char(&m)) != SSHMUX_VER) {
605 error("%s: wrong client version %d", __func__, ver); 729 error("%s: wrong client version %d", __func__, ver);
606 buffer_free(&m); 730 buffer_free(&m);
607 close(client_fd); 731 close(client_fd);
@@ -616,24 +740,26 @@ client_process_control(fd_set * readset)
616 740
617 switch (command) { 741 switch (command) {
618 case SSHMUX_COMMAND_OPEN: 742 case SSHMUX_COMMAND_OPEN:
619 if (options.control_master == 2) 743 if (options.control_master == SSHCTL_MASTER_ASK ||
744 options.control_master == SSHCTL_MASTER_AUTO_ASK)
620 allowed = ask_permission("Allow shared connection " 745 allowed = ask_permission("Allow shared connection "
621 "to %s? ", host); 746 "to %s? ", host);
622 /* continue below */ 747 /* continue below */
623 break; 748 break;
624 case SSHMUX_COMMAND_TERMINATE: 749 case SSHMUX_COMMAND_TERMINATE:
625 if (options.control_master == 2) 750 if (options.control_master == SSHCTL_MASTER_ASK ||
751 options.control_master == SSHCTL_MASTER_AUTO_ASK)
626 allowed = ask_permission("Terminate shared connection " 752 allowed = ask_permission("Terminate shared connection "
627 "to %s? ", host); 753 "to %s? ", host);
628 if (allowed) 754 if (allowed)
629 quit_pending = 1; 755 quit_pending = 1;
630 /* FALLTHROUGH */ 756 /* FALLTHROUGH */
631 case SSHMUX_COMMAND_ALIVE_CHECK: 757 case SSHMUX_COMMAND_ALIVE_CHECK:
632 /* Reply for SSHMUX_COMMAND_TERMINATE and ALIVE_CHECK */ 758 /* Reply for SSHMUX_COMMAND_TERMINATE and ALIVE_CHECK */
633 buffer_clear(&m); 759 buffer_clear(&m);
634 buffer_put_int(&m, allowed); 760 buffer_put_int(&m, allowed);
635 buffer_put_int(&m, getpid()); 761 buffer_put_int(&m, getpid());
636 if (ssh_msg_send(client_fd, /* version */1, &m) == -1) { 762 if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) {
637 error("%s: client msg_send failed", __func__); 763 error("%s: client msg_send failed", __func__);
638 close(client_fd); 764 close(client_fd);
639 buffer_free(&m); 765 buffer_free(&m);
@@ -653,7 +779,7 @@ client_process_control(fd_set * readset)
653 buffer_clear(&m); 779 buffer_clear(&m);
654 buffer_put_int(&m, allowed); 780 buffer_put_int(&m, allowed);
655 buffer_put_int(&m, getpid()); 781 buffer_put_int(&m, getpid());
656 if (ssh_msg_send(client_fd, /* version */1, &m) == -1) { 782 if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) {
657 error("%s: client msg_send failed", __func__); 783 error("%s: client msg_send failed", __func__);
658 close(client_fd); 784 close(client_fd);
659 buffer_free(&m); 785 buffer_free(&m);
@@ -674,7 +800,7 @@ client_process_control(fd_set * readset)
674 buffer_free(&m); 800 buffer_free(&m);
675 return; 801 return;
676 } 802 }
677 if ((ver = buffer_get_char(&m)) != 1) { 803 if ((ver = buffer_get_char(&m)) != SSHMUX_VER) {
678 error("%s: wrong client version %d", __func__, ver); 804 error("%s: wrong client version %d", __func__, ver);
679 buffer_free(&m); 805 buffer_free(&m);
680 close(client_fd); 806 close(client_fd);
@@ -685,6 +811,8 @@ client_process_control(fd_set * readset)
685 memset(cctx, 0, sizeof(*cctx)); 811 memset(cctx, 0, sizeof(*cctx));
686 cctx->want_tty = (flags & SSHMUX_FLAG_TTY) != 0; 812 cctx->want_tty = (flags & SSHMUX_FLAG_TTY) != 0;
687 cctx->want_subsys = (flags & SSHMUX_FLAG_SUBSYS) != 0; 813 cctx->want_subsys = (flags & SSHMUX_FLAG_SUBSYS) != 0;
814 cctx->want_x_fwd = (flags & SSHMUX_FLAG_X11_FWD) != 0;
815 cctx->want_agent_fwd = (flags & SSHMUX_FLAG_AGENT_FWD) != 0;
688 cctx->term = buffer_get_string(&m, &len); 816 cctx->term = buffer_get_string(&m, &len);
689 817
690 cmd = buffer_get_string(&m, &len); 818 cmd = buffer_get_string(&m, &len);
@@ -718,7 +846,7 @@ client_process_control(fd_set * readset)
718 846
719 /* This roundtrip is just for synchronisation of ttymodes */ 847 /* This roundtrip is just for synchronisation of ttymodes */
720 buffer_clear(&m); 848 buffer_clear(&m);
721 if (ssh_msg_send(client_fd, /* version */1, &m) == -1) { 849 if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) {
722 error("%s: client msg_send failed", __func__); 850 error("%s: client msg_send failed", __func__);
723 close(client_fd); 851 close(client_fd);
724 close(new_fd[0]); 852 close(new_fd[0]);
@@ -866,7 +994,10 @@ process_escapes(Buffer *bin, Buffer *bout, Buffer *berr, char *buf, int len)
866 u_char ch; 994 u_char ch;
867 char *s; 995 char *s;
868 996
869 for (i = 0; i < len; i++) { 997 if (len <= 0)
998 return (0);
999
1000 for (i = 0; i < (u_int)len; i++) {
870 /* Get one character at a time. */ 1001 /* Get one character at a time. */
871 ch = buf[i]; 1002 ch = buf[i];
872 1003
diff --git a/clientloop.h b/clientloop.h
index b23c111cb..aed2d918b 100644
--- a/clientloop.h
+++ b/clientloop.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: clientloop.h,v 1.12 2004/11/07 00:01:46 djm Exp $ */ 1/* $OpenBSD: clientloop.h,v 1.14 2005/07/04 00:58:43 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -37,10 +37,15 @@
37 37
38/* Client side main loop for the interactive session. */ 38/* Client side main loop for the interactive session. */
39int client_loop(int, int, int); 39int client_loop(int, int, int);
40void client_x11_get_proto(const char *, const char *, u_int,
41 char **, char **);
40void client_global_request_reply_fwd(int, u_int32_t, void *); 42void client_global_request_reply_fwd(int, u_int32_t, void *);
41void client_session2_setup(int, int, int, const char *, struct termios *, 43void client_session2_setup(int, int, int, const char *, struct termios *,
42 int, Buffer *, char **, dispatch_fn *); 44 int, Buffer *, char **, dispatch_fn *);
43 45
46/* Multiplexing protocol version */
47#define SSHMUX_VER 1
48
44/* Multiplexing control protocol flags */ 49/* Multiplexing control protocol flags */
45#define SSHMUX_COMMAND_OPEN 1 /* Open new connection */ 50#define SSHMUX_COMMAND_OPEN 1 /* Open new connection */
46#define SSHMUX_COMMAND_ALIVE_CHECK 2 /* Check master is alive */ 51#define SSHMUX_COMMAND_ALIVE_CHECK 2 /* Check master is alive */
@@ -48,3 +53,5 @@ void client_session2_setup(int, int, int, const char *, struct termios *,
48 53
49#define SSHMUX_FLAG_TTY (1) /* Request tty on open */ 54#define SSHMUX_FLAG_TTY (1) /* Request tty on open */
50#define SSHMUX_FLAG_SUBSYS (1<<1) /* Subsystem request on open */ 55#define SSHMUX_FLAG_SUBSYS (1<<1) /* Subsystem request on open */
56#define SSHMUX_FLAG_X11_FWD (1<<2) /* Request X11 forwarding */
57#define SSHMUX_FLAG_AGENT_FWD (1<<3) /* Request agent forwarding */
diff --git a/config.guess b/config.guess
index 500ee74b0..6d71f752f 100755
--- a/config.guess
+++ b/config.guess
@@ -1,9 +1,9 @@
1#! /bin/sh 1#! /bin/sh
2# Attempt to guess a canonical system name. 2# Attempt to guess a canonical system name.
3# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 3# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
4# 2000, 2001, 2002, 2003 Free Software Foundation, Inc. 4# 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
5 5
6timestamp='2003-10-03' 6timestamp='2005-05-27'
7 7
8# This file is free software; you can redistribute it and/or modify it 8# This file is free software; you can redistribute it and/or modify it
9# under the terms of the GNU General Public License as published by 9# under the terms of the GNU General Public License as published by
@@ -17,13 +17,15 @@ timestamp='2003-10-03'
17# 17#
18# You should have received a copy of the GNU General Public License 18# You should have received a copy of the GNU General Public License
19# along with this program; if not, write to the Free Software 19# along with this program; if not, write to the Free Software
20# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 20# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
21# 02110-1301, USA.
21# 22#
22# As a special exception to the GNU General Public License, if you 23# As a special exception to the GNU General Public License, if you
23# distribute this file as part of a program that contains a 24# distribute this file as part of a program that contains a
24# configuration script generated by Autoconf, you may include it under 25# configuration script generated by Autoconf, you may include it under
25# the same distribution terms that you use for the rest of that program. 26# the same distribution terms that you use for the rest of that program.
26 27
28
27# Originally written by Per Bothner <per@bothner.com>. 29# Originally written by Per Bothner <per@bothner.com>.
28# Please send patches to <config-patches@gnu.org>. Submit a context 30# Please send patches to <config-patches@gnu.org>. Submit a context
29# diff and a properly formatted ChangeLog entry. 31# diff and a properly formatted ChangeLog entry.
@@ -53,7 +55,7 @@ version="\
53GNU config.guess ($timestamp) 55GNU config.guess ($timestamp)
54 56
55Originally written by Per Bothner. 57Originally written by Per Bothner.
56Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001 58Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
57Free Software Foundation, Inc. 59Free Software Foundation, Inc.
58 60
59This is free software; see the source for copying conditions. There is NO 61This is free software; see the source for copying conditions. There is NO
@@ -66,11 +68,11 @@ Try \`$me --help' for more information."
66while test $# -gt 0 ; do 68while test $# -gt 0 ; do
67 case $1 in 69 case $1 in
68 --time-stamp | --time* | -t ) 70 --time-stamp | --time* | -t )
69 echo "$timestamp" ; exit 0 ;; 71 echo "$timestamp" ; exit ;;
70 --version | -v ) 72 --version | -v )
71 echo "$version" ; exit 0 ;; 73 echo "$version" ; exit ;;
72 --help | --h* | -h ) 74 --help | --h* | -h )
73 echo "$usage"; exit 0 ;; 75 echo "$usage"; exit ;;
74 -- ) # Stop option processing 76 -- ) # Stop option processing
75 shift; break ;; 77 shift; break ;;
76 - ) # Use stdin as input. 78 - ) # Use stdin as input.
@@ -196,50 +198,64 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
196 # contains redundant information, the shorter form: 198 # contains redundant information, the shorter form:
197 # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. 199 # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
198 echo "${machine}-${os}${release}" 200 echo "${machine}-${os}${release}"
199 exit 0 ;; 201 exit ;;
202 amd64:OpenBSD:*:*)
203 echo x86_64-unknown-openbsd${UNAME_RELEASE}
204 exit ;;
200 amiga:OpenBSD:*:*) 205 amiga:OpenBSD:*:*)
201 echo m68k-unknown-openbsd${UNAME_RELEASE} 206 echo m68k-unknown-openbsd${UNAME_RELEASE}
202 exit 0 ;; 207 exit ;;
203 arc:OpenBSD:*:*) 208 cats:OpenBSD:*:*)
204 echo mipsel-unknown-openbsd${UNAME_RELEASE} 209 echo arm-unknown-openbsd${UNAME_RELEASE}
205 exit 0 ;; 210 exit ;;
206 hp300:OpenBSD:*:*) 211 hp300:OpenBSD:*:*)
207 echo m68k-unknown-openbsd${UNAME_RELEASE} 212 echo m68k-unknown-openbsd${UNAME_RELEASE}
208 exit 0 ;; 213 exit ;;
214 luna88k:OpenBSD:*:*)
215 echo m88k-unknown-openbsd${UNAME_RELEASE}
216 exit ;;
209 mac68k:OpenBSD:*:*) 217 mac68k:OpenBSD:*:*)
210 echo m68k-unknown-openbsd${UNAME_RELEASE} 218 echo m68k-unknown-openbsd${UNAME_RELEASE}
211 exit 0 ;; 219 exit ;;
212 macppc:OpenBSD:*:*) 220 macppc:OpenBSD:*:*)
213 echo powerpc-unknown-openbsd${UNAME_RELEASE} 221 echo powerpc-unknown-openbsd${UNAME_RELEASE}
214 exit 0 ;; 222 exit ;;
215 mvme68k:OpenBSD:*:*) 223 mvme68k:OpenBSD:*:*)
216 echo m68k-unknown-openbsd${UNAME_RELEASE} 224 echo m68k-unknown-openbsd${UNAME_RELEASE}
217 exit 0 ;; 225 exit ;;
218 mvme88k:OpenBSD:*:*) 226 mvme88k:OpenBSD:*:*)
219 echo m88k-unknown-openbsd${UNAME_RELEASE} 227 echo m88k-unknown-openbsd${UNAME_RELEASE}
220 exit 0 ;; 228 exit ;;
221 mvmeppc:OpenBSD:*:*) 229 mvmeppc:OpenBSD:*:*)
222 echo powerpc-unknown-openbsd${UNAME_RELEASE} 230 echo powerpc-unknown-openbsd${UNAME_RELEASE}
223 exit 0 ;; 231 exit ;;
224 pmax:OpenBSD:*:*)
225 echo mipsel-unknown-openbsd${UNAME_RELEASE}
226 exit 0 ;;
227 sgi:OpenBSD:*:*) 232 sgi:OpenBSD:*:*)
228 echo mipseb-unknown-openbsd${UNAME_RELEASE} 233 echo mips64-unknown-openbsd${UNAME_RELEASE}
229 exit 0 ;; 234 exit ;;
230 sun3:OpenBSD:*:*) 235 sun3:OpenBSD:*:*)
231 echo m68k-unknown-openbsd${UNAME_RELEASE} 236 echo m68k-unknown-openbsd${UNAME_RELEASE}
232 exit 0 ;; 237 exit ;;
233 wgrisc:OpenBSD:*:*)
234 echo mipsel-unknown-openbsd${UNAME_RELEASE}
235 exit 0 ;;
236 *:OpenBSD:*:*) 238 *:OpenBSD:*:*)
237 echo ${UNAME_MACHINE}-unknown-openbsd${UNAME_RELEASE} 239 echo ${UNAME_MACHINE}-unknown-openbsd${UNAME_RELEASE}
238 exit 0 ;; 240 exit ;;
241 *:ekkoBSD:*:*)
242 echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
243 exit ;;
244 macppc:MirBSD:*:*)
245 echo powerppc-unknown-mirbsd${UNAME_RELEASE}
246 exit ;;
247 *:MirBSD:*:*)
248 echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
249 exit ;;
239 alpha:OSF1:*:*) 250 alpha:OSF1:*:*)
240 if test $UNAME_RELEASE = "V4.0"; then 251 case $UNAME_RELEASE in
252 *4.0)
241 UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` 253 UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
242 fi 254 ;;
255 *5.*)
256 UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
257 ;;
258 esac
243 # According to Compaq, /usr/sbin/psrinfo has been available on 259 # According to Compaq, /usr/sbin/psrinfo has been available on
244 # OSF/1 and Tru64 systems produced since 1995. I hope that 260 # OSF/1 and Tru64 systems produced since 1995. I hope that
245 # covers most systems running today. This code pipes the CPU 261 # covers most systems running today. This code pipes the CPU
@@ -277,42 +293,49 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
277 "EV7.9 (21364A)") 293 "EV7.9 (21364A)")
278 UNAME_MACHINE="alphaev79" ;; 294 UNAME_MACHINE="alphaev79" ;;
279 esac 295 esac
296 # A Pn.n version is a patched version.
280 # A Vn.n version is a released version. 297 # A Vn.n version is a released version.
281 # A Tn.n version is a released field test version. 298 # A Tn.n version is a released field test version.
282 # A Xn.n version is an unreleased experimental baselevel. 299 # A Xn.n version is an unreleased experimental baselevel.
283 # 1.2 uses "1.2" for uname -r. 300 # 1.2 uses "1.2" for uname -r.
284 echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` 301 echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
285 exit 0 ;; 302 exit ;;
286 Alpha*:OpenVMS:*:*)
287 echo alpha-hp-vms
288 exit 0 ;;
289 Alpha\ *:Windows_NT*:*) 303 Alpha\ *:Windows_NT*:*)
290 # How do we know it's Interix rather than the generic POSIX subsystem? 304 # How do we know it's Interix rather than the generic POSIX subsystem?
291 # Should we change UNAME_MACHINE based on the output of uname instead 305 # Should we change UNAME_MACHINE based on the output of uname instead
292 # of the specific Alpha model? 306 # of the specific Alpha model?
293 echo alpha-pc-interix 307 echo alpha-pc-interix
294 exit 0 ;; 308 exit ;;
295 21064:Windows_NT:50:3) 309 21064:Windows_NT:50:3)
296 echo alpha-dec-winnt3.5 310 echo alpha-dec-winnt3.5
297 exit 0 ;; 311 exit ;;
298 Amiga*:UNIX_System_V:4.0:*) 312 Amiga*:UNIX_System_V:4.0:*)
299 echo m68k-unknown-sysv4 313 echo m68k-unknown-sysv4
300 exit 0;; 314 exit ;;
301 *:[Aa]miga[Oo][Ss]:*:*) 315 *:[Aa]miga[Oo][Ss]:*:*)
302 echo ${UNAME_MACHINE}-unknown-amigaos 316 echo ${UNAME_MACHINE}-unknown-amigaos
303 exit 0 ;; 317 exit ;;
304 *:[Mm]orph[Oo][Ss]:*:*) 318 *:[Mm]orph[Oo][Ss]:*:*)
305 echo ${UNAME_MACHINE}-unknown-morphos 319 echo ${UNAME_MACHINE}-unknown-morphos
306 exit 0 ;; 320 exit ;;
307 *:OS/390:*:*) 321 *:OS/390:*:*)
308 echo i370-ibm-openedition 322 echo i370-ibm-openedition
309 exit 0 ;; 323 exit ;;
324 *:z/VM:*:*)
325 echo s390-ibm-zvmoe
326 exit ;;
327 *:OS400:*:*)
328 echo powerpc-ibm-os400
329 exit ;;
310 arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) 330 arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
311 echo arm-acorn-riscix${UNAME_RELEASE} 331 echo arm-acorn-riscix${UNAME_RELEASE}
312 exit 0;; 332 exit ;;
333 arm:riscos:*:*|arm:RISCOS:*:*)
334 echo arm-unknown-riscos
335 exit ;;
313 SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) 336 SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
314 echo hppa1.1-hitachi-hiuxmpp 337 echo hppa1.1-hitachi-hiuxmpp
315 exit 0;; 338 exit ;;
316 Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*) 339 Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
317 # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. 340 # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
318 if test "`(/bin/universe) 2>/dev/null`" = att ; then 341 if test "`(/bin/universe) 2>/dev/null`" = att ; then
@@ -320,32 +343,32 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
320 else 343 else
321 echo pyramid-pyramid-bsd 344 echo pyramid-pyramid-bsd
322 fi 345 fi
323 exit 0 ;; 346 exit ;;
324 NILE*:*:*:dcosx) 347 NILE*:*:*:dcosx)
325 echo pyramid-pyramid-svr4 348 echo pyramid-pyramid-svr4
326 exit 0 ;; 349 exit ;;
327 DRS?6000:unix:4.0:6*) 350 DRS?6000:unix:4.0:6*)
328 echo sparc-icl-nx6 351 echo sparc-icl-nx6
329 exit 0 ;; 352 exit ;;
330 DRS?6000:UNIX_SV:4.2*:7*) 353 DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*)
331 case `/usr/bin/uname -p` in 354 case `/usr/bin/uname -p` in
332 sparc) echo sparc-icl-nx7 && exit 0 ;; 355 sparc) echo sparc-icl-nx7; exit ;;
333 esac ;; 356 esac ;;
334 sun4H:SunOS:5.*:*) 357 sun4H:SunOS:5.*:*)
335 echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` 358 echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
336 exit 0 ;; 359 exit ;;
337 sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) 360 sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
338 echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` 361 echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
339 exit 0 ;; 362 exit ;;
340 i86pc:SunOS:5.*:*) 363 i86pc:SunOS:5.*:*)
341 echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` 364 echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
342 exit 0 ;; 365 exit ;;
343 sun4*:SunOS:6*:*) 366 sun4*:SunOS:6*:*)
344 # According to config.sub, this is the proper way to canonicalize 367 # According to config.sub, this is the proper way to canonicalize
345 # SunOS6. Hard to guess exactly what SunOS6 will be like, but 368 # SunOS6. Hard to guess exactly what SunOS6 will be like, but
346 # it's likely to be more like Solaris than SunOS4. 369 # it's likely to be more like Solaris than SunOS4.
347 echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` 370 echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
348 exit 0 ;; 371 exit ;;
349 sun4*:SunOS:*:*) 372 sun4*:SunOS:*:*)
350 case "`/usr/bin/arch -k`" in 373 case "`/usr/bin/arch -k`" in
351 Series*|S4*) 374 Series*|S4*)
@@ -354,10 +377,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
354 esac 377 esac
355 # Japanese Language versions have a version number like `4.1.3-JL'. 378 # Japanese Language versions have a version number like `4.1.3-JL'.
356 echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'` 379 echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
357 exit 0 ;; 380 exit ;;
358 sun3*:SunOS:*:*) 381 sun3*:SunOS:*:*)
359 echo m68k-sun-sunos${UNAME_RELEASE} 382 echo m68k-sun-sunos${UNAME_RELEASE}
360 exit 0 ;; 383 exit ;;
361 sun*:*:4.2BSD:*) 384 sun*:*:4.2BSD:*)
362 UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` 385 UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
363 test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 386 test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
@@ -369,10 +392,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
369 echo sparc-sun-sunos${UNAME_RELEASE} 392 echo sparc-sun-sunos${UNAME_RELEASE}
370 ;; 393 ;;
371 esac 394 esac
372 exit 0 ;; 395 exit ;;
373 aushp:SunOS:*:*) 396 aushp:SunOS:*:*)
374 echo sparc-auspex-sunos${UNAME_RELEASE} 397 echo sparc-auspex-sunos${UNAME_RELEASE}
375 exit 0 ;; 398 exit ;;
376 # The situation for MiNT is a little confusing. The machine name 399 # The situation for MiNT is a little confusing. The machine name
377 # can be virtually everything (everything which is not 400 # can be virtually everything (everything which is not
378 # "atarist" or "atariste" at least should have a processor 401 # "atarist" or "atariste" at least should have a processor
@@ -383,37 +406,40 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
383 # be no problem. 406 # be no problem.
384 atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) 407 atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
385 echo m68k-atari-mint${UNAME_RELEASE} 408 echo m68k-atari-mint${UNAME_RELEASE}
386 exit 0 ;; 409 exit ;;
387 atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) 410 atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
388 echo m68k-atari-mint${UNAME_RELEASE} 411 echo m68k-atari-mint${UNAME_RELEASE}
389 exit 0 ;; 412 exit ;;
390 *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) 413 *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
391 echo m68k-atari-mint${UNAME_RELEASE} 414 echo m68k-atari-mint${UNAME_RELEASE}
392 exit 0 ;; 415 exit ;;
393 milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) 416 milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
394 echo m68k-milan-mint${UNAME_RELEASE} 417 echo m68k-milan-mint${UNAME_RELEASE}
395 exit 0 ;; 418 exit ;;
396 hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) 419 hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
397 echo m68k-hades-mint${UNAME_RELEASE} 420 echo m68k-hades-mint${UNAME_RELEASE}
398 exit 0 ;; 421 exit ;;
399 *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) 422 *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
400 echo m68k-unknown-mint${UNAME_RELEASE} 423 echo m68k-unknown-mint${UNAME_RELEASE}
401 exit 0 ;; 424 exit ;;
425 m68k:machten:*:*)
426 echo m68k-apple-machten${UNAME_RELEASE}
427 exit ;;
402 powerpc:machten:*:*) 428 powerpc:machten:*:*)
403 echo powerpc-apple-machten${UNAME_RELEASE} 429 echo powerpc-apple-machten${UNAME_RELEASE}
404 exit 0 ;; 430 exit ;;
405 RISC*:Mach:*:*) 431 RISC*:Mach:*:*)
406 echo mips-dec-mach_bsd4.3 432 echo mips-dec-mach_bsd4.3
407 exit 0 ;; 433 exit ;;
408 RISC*:ULTRIX:*:*) 434 RISC*:ULTRIX:*:*)
409 echo mips-dec-ultrix${UNAME_RELEASE} 435 echo mips-dec-ultrix${UNAME_RELEASE}
410 exit 0 ;; 436 exit ;;
411 VAX*:ULTRIX*:*:*) 437 VAX*:ULTRIX*:*:*)
412 echo vax-dec-ultrix${UNAME_RELEASE} 438 echo vax-dec-ultrix${UNAME_RELEASE}
413 exit 0 ;; 439 exit ;;
414 2020:CLIX:*:* | 2430:CLIX:*:*) 440 2020:CLIX:*:* | 2430:CLIX:*:*)
415 echo clipper-intergraph-clix${UNAME_RELEASE} 441 echo clipper-intergraph-clix${UNAME_RELEASE}
416 exit 0 ;; 442 exit ;;
417 mips:*:*:UMIPS | mips:*:*:RISCos) 443 mips:*:*:UMIPS | mips:*:*:RISCos)
418 eval $set_cc_for_build 444 eval $set_cc_for_build
419 sed 's/^ //' << EOF >$dummy.c 445 sed 's/^ //' << EOF >$dummy.c
@@ -437,32 +463,33 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
437 exit (-1); 463 exit (-1);
438 } 464 }
439EOF 465EOF
440 $CC_FOR_BUILD -o $dummy $dummy.c \ 466 $CC_FOR_BUILD -o $dummy $dummy.c &&
441 && $dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \ 467 dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` &&
442 && exit 0 468 SYSTEM_NAME=`$dummy $dummyarg` &&
469 { echo "$SYSTEM_NAME"; exit; }
443 echo mips-mips-riscos${UNAME_RELEASE} 470 echo mips-mips-riscos${UNAME_RELEASE}
444 exit 0 ;; 471 exit ;;
445 Motorola:PowerMAX_OS:*:*) 472 Motorola:PowerMAX_OS:*:*)
446 echo powerpc-motorola-powermax 473 echo powerpc-motorola-powermax
447 exit 0 ;; 474 exit ;;
448 Motorola:*:4.3:PL8-*) 475 Motorola:*:4.3:PL8-*)
449 echo powerpc-harris-powermax 476 echo powerpc-harris-powermax
450 exit 0 ;; 477 exit ;;
451 Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*) 478 Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*)
452 echo powerpc-harris-powermax 479 echo powerpc-harris-powermax
453 exit 0 ;; 480 exit ;;
454 Night_Hawk:Power_UNIX:*:*) 481 Night_Hawk:Power_UNIX:*:*)
455 echo powerpc-harris-powerunix 482 echo powerpc-harris-powerunix
456 exit 0 ;; 483 exit ;;
457 m88k:CX/UX:7*:*) 484 m88k:CX/UX:7*:*)
458 echo m88k-harris-cxux7 485 echo m88k-harris-cxux7
459 exit 0 ;; 486 exit ;;
460 m88k:*:4*:R4*) 487 m88k:*:4*:R4*)
461 echo m88k-motorola-sysv4 488 echo m88k-motorola-sysv4
462 exit 0 ;; 489 exit ;;
463 m88k:*:3*:R3*) 490 m88k:*:3*:R3*)
464 echo m88k-motorola-sysv3 491 echo m88k-motorola-sysv3
465 exit 0 ;; 492 exit ;;
466 AViiON:dgux:*:*) 493 AViiON:dgux:*:*)
467 # DG/UX returns AViiON for all architectures 494 # DG/UX returns AViiON for all architectures
468 UNAME_PROCESSOR=`/usr/bin/uname -p` 495 UNAME_PROCESSOR=`/usr/bin/uname -p`
@@ -478,29 +505,29 @@ EOF
478 else 505 else
479 echo i586-dg-dgux${UNAME_RELEASE} 506 echo i586-dg-dgux${UNAME_RELEASE}
480 fi 507 fi
481 exit 0 ;; 508 exit ;;
482 M88*:DolphinOS:*:*) # DolphinOS (SVR3) 509 M88*:DolphinOS:*:*) # DolphinOS (SVR3)
483 echo m88k-dolphin-sysv3 510 echo m88k-dolphin-sysv3
484 exit 0 ;; 511 exit ;;
485 M88*:*:R3*:*) 512 M88*:*:R3*:*)
486 # Delta 88k system running SVR3 513 # Delta 88k system running SVR3
487 echo m88k-motorola-sysv3 514 echo m88k-motorola-sysv3
488 exit 0 ;; 515 exit ;;
489 XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3) 516 XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
490 echo m88k-tektronix-sysv3 517 echo m88k-tektronix-sysv3
491 exit 0 ;; 518 exit ;;
492 Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD) 519 Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
493 echo m68k-tektronix-bsd 520 echo m68k-tektronix-bsd
494 exit 0 ;; 521 exit ;;
495 *:IRIX*:*:*) 522 *:IRIX*:*:*)
496 echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'` 523 echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
497 exit 0 ;; 524 exit ;;
498 ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. 525 ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
499 echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id 526 echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id
500 exit 0 ;; # Note that: echo "'`uname -s`'" gives 'AIX ' 527 exit ;; # Note that: echo "'`uname -s`'" gives 'AIX '
501 i*86:AIX:*:*) 528 i*86:AIX:*:*)
502 echo i386-ibm-aix 529 echo i386-ibm-aix
503 exit 0 ;; 530 exit ;;
504 ia64:AIX:*:*) 531 ia64:AIX:*:*)
505 if [ -x /usr/bin/oslevel ] ; then 532 if [ -x /usr/bin/oslevel ] ; then
506 IBM_REV=`/usr/bin/oslevel` 533 IBM_REV=`/usr/bin/oslevel`
@@ -508,7 +535,7 @@ EOF
508 IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} 535 IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
509 fi 536 fi
510 echo ${UNAME_MACHINE}-ibm-aix${IBM_REV} 537 echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
511 exit 0 ;; 538 exit ;;
512 *:AIX:2:3) 539 *:AIX:2:3)
513 if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then 540 if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
514 eval $set_cc_for_build 541 eval $set_cc_for_build
@@ -523,14 +550,18 @@ EOF
523 exit(0); 550 exit(0);
524 } 551 }
525EOF 552EOF
526 $CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0 553 if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy`
527 echo rs6000-ibm-aix3.2.5 554 then
555 echo "$SYSTEM_NAME"
556 else
557 echo rs6000-ibm-aix3.2.5
558 fi
528 elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then 559 elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
529 echo rs6000-ibm-aix3.2.4 560 echo rs6000-ibm-aix3.2.4
530 else 561 else
531 echo rs6000-ibm-aix3.2 562 echo rs6000-ibm-aix3.2
532 fi 563 fi
533 exit 0 ;; 564 exit ;;
534 *:AIX:*:[45]) 565 *:AIX:*:[45])
535 IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` 566 IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
536 if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then 567 if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
@@ -544,28 +575,28 @@ EOF
544 IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} 575 IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
545 fi 576 fi
546 echo ${IBM_ARCH}-ibm-aix${IBM_REV} 577 echo ${IBM_ARCH}-ibm-aix${IBM_REV}
547 exit 0 ;; 578 exit ;;
548 *:AIX:*:*) 579 *:AIX:*:*)
549 echo rs6000-ibm-aix 580 echo rs6000-ibm-aix
550 exit 0 ;; 581 exit ;;
551 ibmrt:4.4BSD:*|romp-ibm:BSD:*) 582 ibmrt:4.4BSD:*|romp-ibm:BSD:*)
552 echo romp-ibm-bsd4.4 583 echo romp-ibm-bsd4.4
553 exit 0 ;; 584 exit ;;
554 ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and 585 ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and
555 echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to 586 echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to
556 exit 0 ;; # report: romp-ibm BSD 4.3 587 exit ;; # report: romp-ibm BSD 4.3
557 *:BOSX:*:*) 588 *:BOSX:*:*)
558 echo rs6000-bull-bosx 589 echo rs6000-bull-bosx
559 exit 0 ;; 590 exit ;;
560 DPX/2?00:B.O.S.:*:*) 591 DPX/2?00:B.O.S.:*:*)
561 echo m68k-bull-sysv3 592 echo m68k-bull-sysv3
562 exit 0 ;; 593 exit ;;
563 9000/[34]??:4.3bsd:1.*:*) 594 9000/[34]??:4.3bsd:1.*:*)
564 echo m68k-hp-bsd 595 echo m68k-hp-bsd
565 exit 0 ;; 596 exit ;;
566 hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*) 597 hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
567 echo m68k-hp-bsd4.4 598 echo m68k-hp-bsd4.4
568 exit 0 ;; 599 exit ;;
569 9000/[34678]??:HP-UX:*:*) 600 9000/[34678]??:HP-UX:*:*)
570 HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` 601 HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
571 case "${UNAME_MACHINE}" in 602 case "${UNAME_MACHINE}" in
@@ -629,7 +660,18 @@ EOF
629 then 660 then
630 # avoid double evaluation of $set_cc_for_build 661 # avoid double evaluation of $set_cc_for_build
631 test -n "$CC_FOR_BUILD" || eval $set_cc_for_build 662 test -n "$CC_FOR_BUILD" || eval $set_cc_for_build
632 if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E -) | grep __LP64__ >/dev/null 663
664 # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating
665 # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler
666 # generating 64-bit code. GNU and HP use different nomenclature:
667 #
668 # $ CC_FOR_BUILD=cc ./config.guess
669 # => hppa2.0w-hp-hpux11.23
670 # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
671 # => hppa64-hp-hpux11.23
672
673 if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
674 grep __LP64__ >/dev/null
633 then 675 then
634 HP_ARCH="hppa2.0w" 676 HP_ARCH="hppa2.0w"
635 else 677 else
@@ -637,11 +679,11 @@ EOF
637 fi 679 fi
638 fi 680 fi
639 echo ${HP_ARCH}-hp-hpux${HPUX_REV} 681 echo ${HP_ARCH}-hp-hpux${HPUX_REV}
640 exit 0 ;; 682 exit ;;
641 ia64:HP-UX:*:*) 683 ia64:HP-UX:*:*)
642 HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` 684 HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
643 echo ia64-hp-hpux${HPUX_REV} 685 echo ia64-hp-hpux${HPUX_REV}
644 exit 0 ;; 686 exit ;;
645 3050*:HI-UX:*:*) 687 3050*:HI-UX:*:*)
646 eval $set_cc_for_build 688 eval $set_cc_for_build
647 sed 's/^ //' << EOF >$dummy.c 689 sed 's/^ //' << EOF >$dummy.c
@@ -669,153 +711,166 @@ EOF
669 exit (0); 711 exit (0);
670 } 712 }
671EOF 713EOF
672 $CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0 714 $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` &&
715 { echo "$SYSTEM_NAME"; exit; }
673 echo unknown-hitachi-hiuxwe2 716 echo unknown-hitachi-hiuxwe2
674 exit 0 ;; 717 exit ;;
675 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) 718 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
676 echo hppa1.1-hp-bsd 719 echo hppa1.1-hp-bsd
677 exit 0 ;; 720 exit ;;
678 9000/8??:4.3bsd:*:*) 721 9000/8??:4.3bsd:*:*)
679 echo hppa1.0-hp-bsd 722 echo hppa1.0-hp-bsd
680 exit 0 ;; 723 exit ;;
681 *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) 724 *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
682 echo hppa1.0-hp-mpeix 725 echo hppa1.0-hp-mpeix
683 exit 0 ;; 726 exit ;;
684 hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) 727 hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
685 echo hppa1.1-hp-osf 728 echo hppa1.1-hp-osf
686 exit 0 ;; 729 exit ;;
687 hp8??:OSF1:*:*) 730 hp8??:OSF1:*:*)
688 echo hppa1.0-hp-osf 731 echo hppa1.0-hp-osf
689 exit 0 ;; 732 exit ;;
690 i*86:OSF1:*:*) 733 i*86:OSF1:*:*)
691 if [ -x /usr/sbin/sysversion ] ; then 734 if [ -x /usr/sbin/sysversion ] ; then
692 echo ${UNAME_MACHINE}-unknown-osf1mk 735 echo ${UNAME_MACHINE}-unknown-osf1mk
693 else 736 else
694 echo ${UNAME_MACHINE}-unknown-osf1 737 echo ${UNAME_MACHINE}-unknown-osf1
695 fi 738 fi
696 exit 0 ;; 739 exit ;;
697 parisc*:Lites*:*:*) 740 parisc*:Lites*:*:*)
698 echo hppa1.1-hp-lites 741 echo hppa1.1-hp-lites
699 exit 0 ;; 742 exit ;;
700 C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) 743 C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
701 echo c1-convex-bsd 744 echo c1-convex-bsd
702 exit 0 ;; 745 exit ;;
703 C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) 746 C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
704 if getsysinfo -f scalar_acc 747 if getsysinfo -f scalar_acc
705 then echo c32-convex-bsd 748 then echo c32-convex-bsd
706 else echo c2-convex-bsd 749 else echo c2-convex-bsd
707 fi 750 fi
708 exit 0 ;; 751 exit ;;
709 C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) 752 C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
710 echo c34-convex-bsd 753 echo c34-convex-bsd
711 exit 0 ;; 754 exit ;;
712 C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) 755 C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
713 echo c38-convex-bsd 756 echo c38-convex-bsd
714 exit 0 ;; 757 exit ;;
715 C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) 758 C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
716 echo c4-convex-bsd 759 echo c4-convex-bsd
717 exit 0 ;; 760 exit ;;
718 CRAY*Y-MP:*:*:*) 761 CRAY*Y-MP:*:*:*)
719 echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' 762 echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
720 exit 0 ;; 763 exit ;;
721 CRAY*[A-Z]90:*:*:*) 764 CRAY*[A-Z]90:*:*:*)
722 echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \ 765 echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
723 | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ 766 | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
724 -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \ 767 -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
725 -e 's/\.[^.]*$/.X/' 768 -e 's/\.[^.]*$/.X/'
726 exit 0 ;; 769 exit ;;
727 CRAY*TS:*:*:*) 770 CRAY*TS:*:*:*)
728 echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' 771 echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
729 exit 0 ;; 772 exit ;;
730 CRAY*T3E:*:*:*) 773 CRAY*T3E:*:*:*)
731 echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' 774 echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
732 exit 0 ;; 775 exit ;;
733 CRAY*SV1:*:*:*) 776 CRAY*SV1:*:*:*)
734 echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' 777 echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
735 exit 0 ;; 778 exit ;;
736 *:UNICOS/mp:*:*) 779 *:UNICOS/mp:*:*)
737 echo nv1-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' 780 echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
738 exit 0 ;; 781 exit ;;
739 F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) 782 F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
740 FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` 783 FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
741 FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` 784 FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
742 FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` 785 FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
743 echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" 786 echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
744 exit 0 ;; 787 exit ;;
788 5000:UNIX_System_V:4.*:*)
789 FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
790 FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
791 echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
792 exit ;;
745 i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) 793 i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
746 echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} 794 echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
747 exit 0 ;; 795 exit ;;
748 sparc*:BSD/OS:*:*) 796 sparc*:BSD/OS:*:*)
749 echo sparc-unknown-bsdi${UNAME_RELEASE} 797 echo sparc-unknown-bsdi${UNAME_RELEASE}
750 exit 0 ;; 798 exit ;;
751 *:BSD/OS:*:*) 799 *:BSD/OS:*:*)
752 echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} 800 echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
753 exit 0 ;; 801 exit ;;
754 *:FreeBSD:*:*|*:GNU/FreeBSD:*:*) 802 *:FreeBSD:*:*)
755 # Determine whether the default compiler uses glibc. 803 echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
756 eval $set_cc_for_build 804 exit ;;
757 sed 's/^ //' << EOF >$dummy.c
758 #include <features.h>
759 #if __GLIBC__ >= 2
760 LIBC=gnu
761 #else
762 LIBC=
763 #endif
764EOF
765 eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
766 # GNU/FreeBSD systems have a "k" prefix to indicate we are using
767 # FreeBSD's kernel, but not the complete OS.
768 case ${LIBC} in gnu) kernel_only='k' ;; esac
769 echo ${UNAME_MACHINE}-unknown-${kernel_only}freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`${LIBC:+-$LIBC}
770 exit 0 ;;
771 i*:CYGWIN*:*) 805 i*:CYGWIN*:*)
772 echo ${UNAME_MACHINE}-pc-cygwin 806 echo ${UNAME_MACHINE}-pc-cygwin
773 exit 0 ;; 807 exit ;;
774 i*:MINGW*:*) 808 i*:MINGW*:*)
775 echo ${UNAME_MACHINE}-pc-mingw32 809 echo ${UNAME_MACHINE}-pc-mingw32
776 exit 0 ;; 810 exit ;;
811 i*:windows32*:*)
812 # uname -m includes "-pc" on this system.
813 echo ${UNAME_MACHINE}-mingw32
814 exit ;;
777 i*:PW*:*) 815 i*:PW*:*)
778 echo ${UNAME_MACHINE}-pc-pw32 816 echo ${UNAME_MACHINE}-pc-pw32
779 exit 0 ;; 817 exit ;;
780 x86:Interix*:[34]*) 818 x86:Interix*:[34]*)
781 echo i586-pc-interix${UNAME_RELEASE}|sed -e 's/\..*//' 819 echo i586-pc-interix${UNAME_RELEASE}|sed -e 's/\..*//'
782 exit 0 ;; 820 exit ;;
783 [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) 821 [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
784 echo i${UNAME_MACHINE}-pc-mks 822 echo i${UNAME_MACHINE}-pc-mks
785 exit 0 ;; 823 exit ;;
786 i*:Windows_NT*:* | Pentium*:Windows_NT*:*) 824 i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
787 # How do we know it's Interix rather than the generic POSIX subsystem? 825 # How do we know it's Interix rather than the generic POSIX subsystem?
788 # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we 826 # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
789 # UNAME_MACHINE based on the output of uname instead of i386? 827 # UNAME_MACHINE based on the output of uname instead of i386?
790 echo i586-pc-interix 828 echo i586-pc-interix
791 exit 0 ;; 829 exit ;;
792 i*:UWIN*:*) 830 i*:UWIN*:*)
793 echo ${UNAME_MACHINE}-pc-uwin 831 echo ${UNAME_MACHINE}-pc-uwin
794 exit 0 ;; 832 exit ;;
833 amd64:CYGWIN*:*:*)
834 echo x86_64-unknown-cygwin
835 exit ;;
795 p*:CYGWIN*:*) 836 p*:CYGWIN*:*)
796 echo powerpcle-unknown-cygwin 837 echo powerpcle-unknown-cygwin
797 exit 0 ;; 838 exit ;;
798 prep*:SunOS:5.*:*) 839 prep*:SunOS:5.*:*)
799 echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` 840 echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
800 exit 0 ;; 841 exit ;;
801 *:GNU:*:*) 842 *:GNU:*:*)
843 # the GNU system
802 echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` 844 echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
803 exit 0 ;; 845 exit ;;
846 *:GNU/*:*:*)
847 # other systems with GNU libc and userland
848 echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
849 exit ;;
804 i*86:Minix:*:*) 850 i*86:Minix:*:*)
805 echo ${UNAME_MACHINE}-pc-minix 851 echo ${UNAME_MACHINE}-pc-minix
806 exit 0 ;; 852 exit ;;
807 arm*:Linux:*:*) 853 arm*:Linux:*:*)
808 echo ${UNAME_MACHINE}-unknown-linux-gnu 854 echo ${UNAME_MACHINE}-unknown-linux-gnu
809 exit 0 ;; 855 exit ;;
810 cris:Linux:*:*) 856 cris:Linux:*:*)
811 echo cris-axis-linux-gnu 857 echo cris-axis-linux-gnu
812 exit 0 ;; 858 exit ;;
859 crisv32:Linux:*:*)
860 echo crisv32-axis-linux-gnu
861 exit ;;
862 frv:Linux:*:*)
863 echo frv-unknown-linux-gnu
864 exit ;;
813 ia64:Linux:*:*) 865 ia64:Linux:*:*)
814 echo ${UNAME_MACHINE}-unknown-linux-gnu 866 echo ${UNAME_MACHINE}-unknown-linux-gnu
815 exit 0 ;; 867 exit ;;
868 m32r*:Linux:*:*)
869 echo ${UNAME_MACHINE}-unknown-linux-gnu
870 exit ;;
816 m68*:Linux:*:*) 871 m68*:Linux:*:*)
817 echo ${UNAME_MACHINE}-unknown-linux-gnu 872 echo ${UNAME_MACHINE}-unknown-linux-gnu
818 exit 0 ;; 873 exit ;;
819 mips:Linux:*:*) 874 mips:Linux:*:*)
820 eval $set_cc_for_build 875 eval $set_cc_for_build
821 sed 's/^ //' << EOF >$dummy.c 876 sed 's/^ //' << EOF >$dummy.c
@@ -833,7 +888,7 @@ EOF
833 #endif 888 #endif
834EOF 889EOF
835 eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=` 890 eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
836 test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0 891 test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
837 ;; 892 ;;
838 mips64:Linux:*:*) 893 mips64:Linux:*:*)
839 eval $set_cc_for_build 894 eval $set_cc_for_build
@@ -852,14 +907,14 @@ EOF
852 #endif 907 #endif
853EOF 908EOF
854 eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=` 909 eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
855 test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0 910 test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
856 ;; 911 ;;
857 ppc:Linux:*:*) 912 ppc:Linux:*:*)
858 echo powerpc-unknown-linux-gnu 913 echo powerpc-unknown-linux-gnu
859 exit 0 ;; 914 exit ;;
860 ppc64:Linux:*:*) 915 ppc64:Linux:*:*)
861 echo powerpc64-unknown-linux-gnu 916 echo powerpc64-unknown-linux-gnu
862 exit 0 ;; 917 exit ;;
863 alpha:Linux:*:*) 918 alpha:Linux:*:*)
864 case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in 919 case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
865 EV5) UNAME_MACHINE=alphaev5 ;; 920 EV5) UNAME_MACHINE=alphaev5 ;;
@@ -873,7 +928,7 @@ EOF
873 objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null 928 objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
874 if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi 929 if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
875 echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} 930 echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
876 exit 0 ;; 931 exit ;;
877 parisc:Linux:*:* | hppa:Linux:*:*) 932 parisc:Linux:*:* | hppa:Linux:*:*)
878 # Look for CPU level 933 # Look for CPU level
879 case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in 934 case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
@@ -881,25 +936,25 @@ EOF
881 PA8*) echo hppa2.0-unknown-linux-gnu ;; 936 PA8*) echo hppa2.0-unknown-linux-gnu ;;
882 *) echo hppa-unknown-linux-gnu ;; 937 *) echo hppa-unknown-linux-gnu ;;
883 esac 938 esac
884 exit 0 ;; 939 exit ;;
885 parisc64:Linux:*:* | hppa64:Linux:*:*) 940 parisc64:Linux:*:* | hppa64:Linux:*:*)
886 echo hppa64-unknown-linux-gnu 941 echo hppa64-unknown-linux-gnu
887 exit 0 ;; 942 exit ;;
888 s390:Linux:*:* | s390x:Linux:*:*) 943 s390:Linux:*:* | s390x:Linux:*:*)
889 echo ${UNAME_MACHINE}-ibm-linux 944 echo ${UNAME_MACHINE}-ibm-linux
890 exit 0 ;; 945 exit ;;
891 sh64*:Linux:*:*) 946 sh64*:Linux:*:*)
892 echo ${UNAME_MACHINE}-unknown-linux-gnu 947 echo ${UNAME_MACHINE}-unknown-linux-gnu
893 exit 0 ;; 948 exit ;;
894 sh*:Linux:*:*) 949 sh*:Linux:*:*)
895 echo ${UNAME_MACHINE}-unknown-linux-gnu 950 echo ${UNAME_MACHINE}-unknown-linux-gnu
896 exit 0 ;; 951 exit ;;
897 sparc:Linux:*:* | sparc64:Linux:*:*) 952 sparc:Linux:*:* | sparc64:Linux:*:*)
898 echo ${UNAME_MACHINE}-unknown-linux-gnu 953 echo ${UNAME_MACHINE}-unknown-linux-gnu
899 exit 0 ;; 954 exit ;;
900 x86_64:Linux:*:*) 955 x86_64:Linux:*:*)
901 echo x86_64-unknown-linux-gnu 956 echo x86_64-unknown-linux-gnu
902 exit 0 ;; 957 exit ;;
903 i*86:Linux:*:*) 958 i*86:Linux:*:*)
904 # The BFD linker knows what the default object file format is, so 959 # The BFD linker knows what the default object file format is, so
905 # first see if it will tell us. cd to the root directory to prevent 960 # first see if it will tell us. cd to the root directory to prevent
@@ -917,15 +972,15 @@ EOF
917 ;; 972 ;;
918 a.out-i386-linux) 973 a.out-i386-linux)
919 echo "${UNAME_MACHINE}-pc-linux-gnuaout" 974 echo "${UNAME_MACHINE}-pc-linux-gnuaout"
920 exit 0 ;; 975 exit ;;
921 coff-i386) 976 coff-i386)
922 echo "${UNAME_MACHINE}-pc-linux-gnucoff" 977 echo "${UNAME_MACHINE}-pc-linux-gnucoff"
923 exit 0 ;; 978 exit ;;
924 "") 979 "")
925 # Either a pre-BFD a.out linker (linux-gnuoldld) or 980 # Either a pre-BFD a.out linker (linux-gnuoldld) or
926 # one that does not give us useful --help. 981 # one that does not give us useful --help.
927 echo "${UNAME_MACHINE}-pc-linux-gnuoldld" 982 echo "${UNAME_MACHINE}-pc-linux-gnuoldld"
928 exit 0 ;; 983 exit ;;
929 esac 984 esac
930 # Determine whether the default compiler is a.out or elf 985 # Determine whether the default compiler is a.out or elf
931 eval $set_cc_for_build 986 eval $set_cc_for_build
@@ -953,15 +1008,18 @@ EOF
953 #endif 1008 #endif
954EOF 1009EOF
955 eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=` 1010 eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
956 test x"${LIBC}" != x && echo "${UNAME_MACHINE}-pc-linux-${LIBC}" && exit 0 1011 test x"${LIBC}" != x && {
957 test x"${TENTATIVE}" != x && echo "${TENTATIVE}" && exit 0 1012 echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
1013 exit
1014 }
1015 test x"${TENTATIVE}" != x && { echo "${TENTATIVE}"; exit; }
958 ;; 1016 ;;
959 i*86:DYNIX/ptx:4*:*) 1017 i*86:DYNIX/ptx:4*:*)
960 # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. 1018 # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
961 # earlier versions are messed up and put the nodename in both 1019 # earlier versions are messed up and put the nodename in both
962 # sysname and nodename. 1020 # sysname and nodename.
963 echo i386-sequent-sysv4 1021 echo i386-sequent-sysv4
964 exit 0 ;; 1022 exit ;;
965 i*86:UNIX_SV:4.2MP:2.*) 1023 i*86:UNIX_SV:4.2MP:2.*)
966 # Unixware is an offshoot of SVR4, but it has its own version 1024 # Unixware is an offshoot of SVR4, but it has its own version
967 # number series starting with 2... 1025 # number series starting with 2...
@@ -969,24 +1027,27 @@ EOF
969 # I just have to hope. -- rms. 1027 # I just have to hope. -- rms.
970 # Use sysv4.2uw... so that sysv4* matches it. 1028 # Use sysv4.2uw... so that sysv4* matches it.
971 echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} 1029 echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
972 exit 0 ;; 1030 exit ;;
973 i*86:OS/2:*:*) 1031 i*86:OS/2:*:*)
974 # If we were able to find `uname', then EMX Unix compatibility 1032 # If we were able to find `uname', then EMX Unix compatibility
975 # is probably installed. 1033 # is probably installed.
976 echo ${UNAME_MACHINE}-pc-os2-emx 1034 echo ${UNAME_MACHINE}-pc-os2-emx
977 exit 0 ;; 1035 exit ;;
978 i*86:XTS-300:*:STOP) 1036 i*86:XTS-300:*:STOP)
979 echo ${UNAME_MACHINE}-unknown-stop 1037 echo ${UNAME_MACHINE}-unknown-stop
980 exit 0 ;; 1038 exit ;;
981 i*86:atheos:*:*) 1039 i*86:atheos:*:*)
982 echo ${UNAME_MACHINE}-unknown-atheos 1040 echo ${UNAME_MACHINE}-unknown-atheos
983 exit 0 ;; 1041 exit ;;
1042 i*86:syllable:*:*)
1043 echo ${UNAME_MACHINE}-pc-syllable
1044 exit ;;
984 i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*) 1045 i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
985 echo i386-unknown-lynxos${UNAME_RELEASE} 1046 echo i386-unknown-lynxos${UNAME_RELEASE}
986 exit 0 ;; 1047 exit ;;
987 i*86:*DOS:*:*) 1048 i*86:*DOS:*:*)
988 echo ${UNAME_MACHINE}-pc-msdosdjgpp 1049 echo ${UNAME_MACHINE}-pc-msdosdjgpp
989 exit 0 ;; 1050 exit ;;
990 i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*) 1051 i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
991 UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` 1052 UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
992 if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then 1053 if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
@@ -994,15 +1055,16 @@ EOF
994 else 1055 else
995 echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL} 1056 echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
996 fi 1057 fi
997 exit 0 ;; 1058 exit ;;
998 i*86:*:5:[78]*) 1059 i*86:*:5:[678]*)
1060 # UnixWare 7.x, OpenUNIX and OpenServer 6.
999 case `/bin/uname -X | grep "^Machine"` in 1061 case `/bin/uname -X | grep "^Machine"` in
1000 *486*) UNAME_MACHINE=i486 ;; 1062 *486*) UNAME_MACHINE=i486 ;;
1001 *Pentium) UNAME_MACHINE=i586 ;; 1063 *Pentium) UNAME_MACHINE=i586 ;;
1002 *Pent*|*Celeron) UNAME_MACHINE=i686 ;; 1064 *Pent*|*Celeron) UNAME_MACHINE=i686 ;;
1003 esac 1065 esac
1004 echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION} 1066 echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
1005 exit 0 ;; 1067 exit ;;
1006 i*86:*:3.2:*) 1068 i*86:*:3.2:*)
1007 if test -f /usr/options/cb.name; then 1069 if test -f /usr/options/cb.name; then
1008 UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name` 1070 UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
@@ -1020,73 +1082,73 @@ EOF
1020 else 1082 else
1021 echo ${UNAME_MACHINE}-pc-sysv32 1083 echo ${UNAME_MACHINE}-pc-sysv32
1022 fi 1084 fi
1023 exit 0 ;; 1085 exit ;;
1024 pc:*:*:*) 1086 pc:*:*:*)
1025 # Left here for compatibility: 1087 # Left here for compatibility:
1026 # uname -m prints for DJGPP always 'pc', but it prints nothing about 1088 # uname -m prints for DJGPP always 'pc', but it prints nothing about
1027 # the processor, so we play safe by assuming i386. 1089 # the processor, so we play safe by assuming i386.
1028 echo i386-pc-msdosdjgpp 1090 echo i386-pc-msdosdjgpp
1029 exit 0 ;; 1091 exit ;;
1030 Intel:Mach:3*:*) 1092 Intel:Mach:3*:*)
1031 echo i386-pc-mach3 1093 echo i386-pc-mach3
1032 exit 0 ;; 1094 exit ;;
1033 paragon:*:*:*) 1095 paragon:*:*:*)
1034 echo i860-intel-osf1 1096 echo i860-intel-osf1
1035 exit 0 ;; 1097 exit ;;
1036 i860:*:4.*:*) # i860-SVR4 1098 i860:*:4.*:*) # i860-SVR4
1037 if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then 1099 if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
1038 echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4 1100 echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
1039 else # Add other i860-SVR4 vendors below as they are discovered. 1101 else # Add other i860-SVR4 vendors below as they are discovered.
1040 echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4 1102 echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4
1041 fi 1103 fi
1042 exit 0 ;; 1104 exit ;;
1043 mini*:CTIX:SYS*5:*) 1105 mini*:CTIX:SYS*5:*)
1044 # "miniframe" 1106 # "miniframe"
1045 echo m68010-convergent-sysv 1107 echo m68010-convergent-sysv
1046 exit 0 ;; 1108 exit ;;
1047 mc68k:UNIX:SYSTEM5:3.51m) 1109 mc68k:UNIX:SYSTEM5:3.51m)
1048 echo m68k-convergent-sysv 1110 echo m68k-convergent-sysv
1049 exit 0 ;; 1111 exit ;;
1050 M680?0:D-NIX:5.3:*) 1112 M680?0:D-NIX:5.3:*)
1051 echo m68k-diab-dnix 1113 echo m68k-diab-dnix
1052 exit 0 ;; 1114 exit ;;
1053 M68*:*:R3V[567]*:*) 1115 M68*:*:R3V[5678]*:*)
1054 test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;; 1116 test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;;
1055 3[34]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0) 1117 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0)
1056 OS_REL='' 1118 OS_REL=''
1057 test -r /etc/.relid \ 1119 test -r /etc/.relid \
1058 && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` 1120 && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
1059 /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ 1121 /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
1060 && echo i486-ncr-sysv4.3${OS_REL} && exit 0 1122 && { echo i486-ncr-sysv4.3${OS_REL}; exit; }
1061 /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ 1123 /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
1062 && echo i586-ncr-sysv4.3${OS_REL} && exit 0 ;; 1124 && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
1063 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) 1125 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
1064 /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ 1126 /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
1065 && echo i486-ncr-sysv4 && exit 0 ;; 1127 && { echo i486-ncr-sysv4; exit; } ;;
1066 m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*) 1128 m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
1067 echo m68k-unknown-lynxos${UNAME_RELEASE} 1129 echo m68k-unknown-lynxos${UNAME_RELEASE}
1068 exit 0 ;; 1130 exit ;;
1069 mc68030:UNIX_System_V:4.*:*) 1131 mc68030:UNIX_System_V:4.*:*)
1070 echo m68k-atari-sysv4 1132 echo m68k-atari-sysv4
1071 exit 0 ;; 1133 exit ;;
1072 TSUNAMI:LynxOS:2.*:*) 1134 TSUNAMI:LynxOS:2.*:*)
1073 echo sparc-unknown-lynxos${UNAME_RELEASE} 1135 echo sparc-unknown-lynxos${UNAME_RELEASE}
1074 exit 0 ;; 1136 exit ;;
1075 rs6000:LynxOS:2.*:*) 1137 rs6000:LynxOS:2.*:*)
1076 echo rs6000-unknown-lynxos${UNAME_RELEASE} 1138 echo rs6000-unknown-lynxos${UNAME_RELEASE}
1077 exit 0 ;; 1139 exit ;;
1078 PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*) 1140 PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
1079 echo powerpc-unknown-lynxos${UNAME_RELEASE} 1141 echo powerpc-unknown-lynxos${UNAME_RELEASE}
1080 exit 0 ;; 1142 exit ;;
1081 SM[BE]S:UNIX_SV:*:*) 1143 SM[BE]S:UNIX_SV:*:*)
1082 echo mips-dde-sysv${UNAME_RELEASE} 1144 echo mips-dde-sysv${UNAME_RELEASE}
1083 exit 0 ;; 1145 exit ;;
1084 RM*:ReliantUNIX-*:*:*) 1146 RM*:ReliantUNIX-*:*:*)
1085 echo mips-sni-sysv4 1147 echo mips-sni-sysv4
1086 exit 0 ;; 1148 exit ;;
1087 RM*:SINIX-*:*:*) 1149 RM*:SINIX-*:*:*)
1088 echo mips-sni-sysv4 1150 echo mips-sni-sysv4
1089 exit 0 ;; 1151 exit ;;
1090 *:SINIX-*:*:*) 1152 *:SINIX-*:*:*)
1091 if uname -p 2>/dev/null >/dev/null ; then 1153 if uname -p 2>/dev/null >/dev/null ; then
1092 UNAME_MACHINE=`(uname -p) 2>/dev/null` 1154 UNAME_MACHINE=`(uname -p) 2>/dev/null`
@@ -1094,68 +1156,73 @@ EOF
1094 else 1156 else
1095 echo ns32k-sni-sysv 1157 echo ns32k-sni-sysv
1096 fi 1158 fi
1097 exit 0 ;; 1159 exit ;;
1098 PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort 1160 PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
1099 # says <Richard.M.Bartel@ccMail.Census.GOV> 1161 # says <Richard.M.Bartel@ccMail.Census.GOV>
1100 echo i586-unisys-sysv4 1162 echo i586-unisys-sysv4
1101 exit 0 ;; 1163 exit ;;
1102 *:UNIX_System_V:4*:FTX*) 1164 *:UNIX_System_V:4*:FTX*)
1103 # From Gerald Hewes <hewes@openmarket.com>. 1165 # From Gerald Hewes <hewes@openmarket.com>.
1104 # How about differentiating between stratus architectures? -djm 1166 # How about differentiating between stratus architectures? -djm
1105 echo hppa1.1-stratus-sysv4 1167 echo hppa1.1-stratus-sysv4
1106 exit 0 ;; 1168 exit ;;
1107 *:*:*:FTX*) 1169 *:*:*:FTX*)
1108 # From seanf@swdc.stratus.com. 1170 # From seanf@swdc.stratus.com.
1109 echo i860-stratus-sysv4 1171 echo i860-stratus-sysv4
1110 exit 0 ;; 1172 exit ;;
1173 i*86:VOS:*:*)
1174 # From Paul.Green@stratus.com.
1175 echo ${UNAME_MACHINE}-stratus-vos
1176 exit ;;
1111 *:VOS:*:*) 1177 *:VOS:*:*)
1112 # From Paul.Green@stratus.com. 1178 # From Paul.Green@stratus.com.
1113 echo hppa1.1-stratus-vos 1179 echo hppa1.1-stratus-vos
1114 exit 0 ;; 1180 exit ;;
1115 mc68*:A/UX:*:*) 1181 mc68*:A/UX:*:*)
1116 echo m68k-apple-aux${UNAME_RELEASE} 1182 echo m68k-apple-aux${UNAME_RELEASE}
1117 exit 0 ;; 1183 exit ;;
1118 news*:NEWS-OS:6*:*) 1184 news*:NEWS-OS:6*:*)
1119 echo mips-sony-newsos6 1185 echo mips-sony-newsos6
1120 exit 0 ;; 1186 exit ;;
1121 R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) 1187 R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
1122 if [ -d /usr/nec ]; then 1188 if [ -d /usr/nec ]; then
1123 echo mips-nec-sysv${UNAME_RELEASE} 1189 echo mips-nec-sysv${UNAME_RELEASE}
1124 else 1190 else
1125 echo mips-unknown-sysv${UNAME_RELEASE} 1191 echo mips-unknown-sysv${UNAME_RELEASE}
1126 fi 1192 fi
1127 exit 0 ;; 1193 exit ;;
1128 BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. 1194 BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only.
1129 echo powerpc-be-beos 1195 echo powerpc-be-beos
1130 exit 0 ;; 1196 exit ;;
1131 BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only. 1197 BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only.
1132 echo powerpc-apple-beos 1198 echo powerpc-apple-beos
1133 exit 0 ;; 1199 exit ;;
1134 BePC:BeOS:*:*) # BeOS running on Intel PC compatible. 1200 BePC:BeOS:*:*) # BeOS running on Intel PC compatible.
1135 echo i586-pc-beos 1201 echo i586-pc-beos
1136 exit 0 ;; 1202 exit ;;
1137 SX-4:SUPER-UX:*:*) 1203 SX-4:SUPER-UX:*:*)
1138 echo sx4-nec-superux${UNAME_RELEASE} 1204 echo sx4-nec-superux${UNAME_RELEASE}
1139 exit 0 ;; 1205 exit ;;
1140 SX-5:SUPER-UX:*:*) 1206 SX-5:SUPER-UX:*:*)
1141 echo sx5-nec-superux${UNAME_RELEASE} 1207 echo sx5-nec-superux${UNAME_RELEASE}
1142 exit 0 ;; 1208 exit ;;
1143 SX-6:SUPER-UX:*:*) 1209 SX-6:SUPER-UX:*:*)
1144 echo sx6-nec-superux${UNAME_RELEASE} 1210 echo sx6-nec-superux${UNAME_RELEASE}
1145 exit 0 ;; 1211 exit ;;
1146 Power*:Rhapsody:*:*) 1212 Power*:Rhapsody:*:*)
1147 echo powerpc-apple-rhapsody${UNAME_RELEASE} 1213 echo powerpc-apple-rhapsody${UNAME_RELEASE}
1148 exit 0 ;; 1214 exit ;;
1149 *:Rhapsody:*:*) 1215 *:Rhapsody:*:*)
1150 echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE} 1216 echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
1151 exit 0 ;; 1217 exit ;;
1152 *:Darwin:*:*) 1218 *:Darwin:*:*)
1153 case `uname -p` in 1219 UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
1220 case $UNAME_PROCESSOR in
1154 *86) UNAME_PROCESSOR=i686 ;; 1221 *86) UNAME_PROCESSOR=i686 ;;
1155 powerpc) UNAME_PROCESSOR=powerpc ;; 1222 unknown) UNAME_PROCESSOR=powerpc ;;
1156 esac 1223 esac
1157 echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} 1224 echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
1158 exit 0 ;; 1225 exit ;;
1159 *:procnto*:*:* | *:QNX:[0123456789]*:*) 1226 *:procnto*:*:* | *:QNX:[0123456789]*:*)
1160 UNAME_PROCESSOR=`uname -p` 1227 UNAME_PROCESSOR=`uname -p`
1161 if test "$UNAME_PROCESSOR" = "x86"; then 1228 if test "$UNAME_PROCESSOR" = "x86"; then
@@ -1163,22 +1230,25 @@ EOF
1163 UNAME_MACHINE=pc 1230 UNAME_MACHINE=pc
1164 fi 1231 fi
1165 echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE} 1232 echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
1166 exit 0 ;; 1233 exit ;;
1167 *:QNX:*:4*) 1234 *:QNX:*:4*)
1168 echo i386-pc-qnx 1235 echo i386-pc-qnx
1169 exit 0 ;; 1236 exit ;;
1170 NSR-[DGKLNPTVWY]:NONSTOP_KERNEL:*:*) 1237 NSE-?:NONSTOP_KERNEL:*:*)
1238 echo nse-tandem-nsk${UNAME_RELEASE}
1239 exit ;;
1240 NSR-?:NONSTOP_KERNEL:*:*)
1171 echo nsr-tandem-nsk${UNAME_RELEASE} 1241 echo nsr-tandem-nsk${UNAME_RELEASE}
1172 exit 0 ;; 1242 exit ;;
1173 *:NonStop-UX:*:*) 1243 *:NonStop-UX:*:*)
1174 echo mips-compaq-nonstopux 1244 echo mips-compaq-nonstopux
1175 exit 0 ;; 1245 exit ;;
1176 BS2000:POSIX*:*:*) 1246 BS2000:POSIX*:*:*)
1177 echo bs2000-siemens-sysv 1247 echo bs2000-siemens-sysv
1178 exit 0 ;; 1248 exit ;;
1179 DS/*:UNIX_System_V:*:*) 1249 DS/*:UNIX_System_V:*:*)
1180 echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE} 1250 echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
1181 exit 0 ;; 1251 exit ;;
1182 *:Plan9:*:*) 1252 *:Plan9:*:*)
1183 # "uname -m" is not consistent, so use $cputype instead. 386 1253 # "uname -m" is not consistent, so use $cputype instead. 386
1184 # is converted to i386 for consistency with other x86 1254 # is converted to i386 for consistency with other x86
@@ -1189,28 +1259,44 @@ EOF
1189 UNAME_MACHINE="$cputype" 1259 UNAME_MACHINE="$cputype"
1190 fi 1260 fi
1191 echo ${UNAME_MACHINE}-unknown-plan9 1261 echo ${UNAME_MACHINE}-unknown-plan9
1192 exit 0 ;; 1262 exit ;;
1193 *:TOPS-10:*:*) 1263 *:TOPS-10:*:*)
1194 echo pdp10-unknown-tops10 1264 echo pdp10-unknown-tops10
1195 exit 0 ;; 1265 exit ;;
1196 *:TENEX:*:*) 1266 *:TENEX:*:*)
1197 echo pdp10-unknown-tenex 1267 echo pdp10-unknown-tenex
1198 exit 0 ;; 1268 exit ;;
1199 KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*) 1269 KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
1200 echo pdp10-dec-tops20 1270 echo pdp10-dec-tops20
1201 exit 0 ;; 1271 exit ;;
1202 XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*) 1272 XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
1203 echo pdp10-xkl-tops20 1273 echo pdp10-xkl-tops20
1204 exit 0 ;; 1274 exit ;;
1205 *:TOPS-20:*:*) 1275 *:TOPS-20:*:*)
1206 echo pdp10-unknown-tops20 1276 echo pdp10-unknown-tops20
1207 exit 0 ;; 1277 exit ;;
1208 *:ITS:*:*) 1278 *:ITS:*:*)
1209 echo pdp10-unknown-its 1279 echo pdp10-unknown-its
1210 exit 0 ;; 1280 exit ;;
1211 SEI:*:*:SEIUX) 1281 SEI:*:*:SEIUX)
1212 echo mips-sei-seiux${UNAME_RELEASE} 1282 echo mips-sei-seiux${UNAME_RELEASE}
1213 exit 0 ;; 1283 exit ;;
1284 *:DragonFly:*:*)
1285 echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
1286 exit ;;
1287 *:*VMS:*:*)
1288 UNAME_MACHINE=`(uname -p) 2>/dev/null`
1289 case "${UNAME_MACHINE}" in
1290 A*) echo alpha-dec-vms ; exit ;;
1291 I*) echo ia64-dec-vms ; exit ;;
1292 V*) echo vax-dec-vms ; exit ;;
1293 esac ;;
1294 *:XENIX:*:SysV)
1295 echo i386-pc-xenix
1296 exit ;;
1297 i*86:skyos:*:*)
1298 echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//'
1299 exit ;;
1214esac 1300esac
1215 1301
1216#echo '(No uname command or uname output not recognized.)' 1>&2 1302#echo '(No uname command or uname output not recognized.)' 1>&2
@@ -1242,7 +1328,7 @@ main ()
1242#endif 1328#endif
1243 1329
1244#if defined (__arm) && defined (__acorn) && defined (__unix) 1330#if defined (__arm) && defined (__acorn) && defined (__unix)
1245 printf ("arm-acorn-riscix"); exit (0); 1331 printf ("arm-acorn-riscix\n"); exit (0);
1246#endif 1332#endif
1247 1333
1248#if defined (hp300) && !defined (hpux) 1334#if defined (hp300) && !defined (hpux)
@@ -1331,11 +1417,12 @@ main ()
1331} 1417}
1332EOF 1418EOF
1333 1419
1334$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && $dummy && exit 0 1420$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` &&
1421 { echo "$SYSTEM_NAME"; exit; }
1335 1422
1336# Apollos put the system type in the environment. 1423# Apollos put the system type in the environment.
1337 1424
1338test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit 0; } 1425test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; }
1339 1426
1340# Convex versions that predate uname can use getsysinfo(1) 1427# Convex versions that predate uname can use getsysinfo(1)
1341 1428
@@ -1344,22 +1431,22 @@ then
1344 case `getsysinfo -f cpu_type` in 1431 case `getsysinfo -f cpu_type` in
1345 c1*) 1432 c1*)
1346 echo c1-convex-bsd 1433 echo c1-convex-bsd
1347 exit 0 ;; 1434 exit ;;
1348 c2*) 1435 c2*)
1349 if getsysinfo -f scalar_acc 1436 if getsysinfo -f scalar_acc
1350 then echo c32-convex-bsd 1437 then echo c32-convex-bsd
1351 else echo c2-convex-bsd 1438 else echo c2-convex-bsd
1352 fi 1439 fi
1353 exit 0 ;; 1440 exit ;;
1354 c34*) 1441 c34*)
1355 echo c34-convex-bsd 1442 echo c34-convex-bsd
1356 exit 0 ;; 1443 exit ;;
1357 c38*) 1444 c38*)
1358 echo c38-convex-bsd 1445 echo c38-convex-bsd
1359 exit 0 ;; 1446 exit ;;
1360 c4*) 1447 c4*)
1361 echo c4-convex-bsd 1448 echo c4-convex-bsd
1362 exit 0 ;; 1449 exit ;;
1363 esac 1450 esac
1364fi 1451fi
1365 1452
@@ -1370,7 +1457,9 @@ This script, last modified $timestamp, has failed to recognize
1370the operating system you are using. It is advised that you 1457the operating system you are using. It is advised that you
1371download the most up to date version of the config scripts from 1458download the most up to date version of the config scripts from
1372 1459
1373 ftp://ftp.gnu.org/pub/gnu/config/ 1460 http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.guess
1461and
1462 http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.sub
1374 1463
1375If the version you run ($0) is already up to date, please 1464If the version you run ($0) is already up to date, please
1376send the following data and any information you think might be 1465send the following data and any information you think might be
diff --git a/config.h.in b/config.h.in
index 70f997323..1b964ee0f 100644
--- a/config.h.in
+++ b/config.h.in
@@ -1,5 +1,5 @@
1/* config.h.in. Generated from configure.ac by autoheader. */ 1/* config.h.in. Generated from configure.ac by autoheader. */
2/* $Id: acconfig.h,v 1.181 2005/02/25 23:07:38 dtucker Exp $ */ 2/* $Id: acconfig.h,v 1.183 2005/07/07 10:33:36 dtucker Exp $ */
3 3
4/* 4/*
5 * Copyright (c) 1999-2003 Damien Miller. All rights reserved. 5 * Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@@ -119,9 +119,6 @@
119/* Define if you are on NeXT */ 119/* Define if you are on NeXT */
120#undef HAVE_NEXT 120#undef HAVE_NEXT
121 121
122/* Define if you are on NEWS-OS */
123#undef HAVE_NEWS4
124
125/* Define if you want to enable PAM support */ 122/* Define if you want to enable PAM support */
126#undef USE_PAM 123#undef USE_PAM
127 124
@@ -205,9 +202,6 @@
205/* Define if you don't want to use lastlog in session.c */ 202/* Define if you don't want to use lastlog in session.c */
206#undef NO_SSH_LASTLOG 203#undef NO_SSH_LASTLOG
207 204
208/* Define if have krb5_init_ets */
209#undef KRB5_INIT_ETS
210
211/* Define if you don't want to use utmp */ 205/* Define if you don't want to use utmp */
212#undef DISABLE_UTMP 206#undef DISABLE_UTMP
213 207
@@ -462,6 +456,18 @@
462 */ 456 */
463#undef AIX_GETNAMEINFO_HACK 457#undef AIX_GETNAMEINFO_HACK
464 458
459/* getgroups(0,NULL) will return -1 */
460#undef BROKEN_GETGROUPS
461
462/* ia_uinfo routines not supported by OS yet */
463#undef BROKEN_LIBIAF
464
465/* Ultrix mmap can't map files */
466#undef BROKEN_MMAP
467
468/* LynxOS has broken setvbuf() implementation */
469#undef BROKEN_SETVBUF
470
465/* Define to 1 if the `getpgrp' function requires zero arguments. */ 471/* Define to 1 if the `getpgrp' function requires zero arguments. */
466#undef GETPGRP_VOID 472#undef GETPGRP_VOID
467 473
@@ -471,6 +477,9 @@
471/* Define to 1 if you have the `arc4random' function. */ 477/* Define to 1 if you have the `arc4random' function. */
472#undef HAVE_ARC4RANDOM 478#undef HAVE_ARC4RANDOM
473 479
480/* OpenBSD's gcc has sentinel */
481#undef HAVE_ATTRIBUTE__SENTINEL__
482
474/* Define to 1 if you have the `b64_ntop' function. */ 483/* Define to 1 if you have the `b64_ntop' function. */
475#undef HAVE_B64_NTOP 484#undef HAVE_B64_NTOP
476 485
@@ -525,6 +534,18 @@
525 don't. */ 534 don't. */
526#undef HAVE_DECL_PASSWDEXPIRED 535#undef HAVE_DECL_PASSWDEXPIRED
527 536
537/* Define to 1 if you have the declaration of `setauthdb', and to 0 if you
538 don't. */
539#undef HAVE_DECL_SETAUTHDB
540
541/* Define to 1 if you have the declaration of `_getlong', and to 0 if you
542 don't. */
543#undef HAVE_DECL__GETLONG
544
545/* Define to 1 if you have the declaration of `_getshort', and to 0 if you
546 don't. */
547#undef HAVE_DECL__GETSHORT
548
528/* Define to 1 if you have the <dirent.h> header file. */ 549/* Define to 1 if you have the <dirent.h> header file. */
529#undef HAVE_DIRENT_H 550#undef HAVE_DIRENT_H
530 551
@@ -543,9 +564,6 @@
543/* Define to 1 if you have the `endutxent' function. */ 564/* Define to 1 if you have the `endutxent' function. */
544#undef HAVE_ENDUTXENT 565#undef HAVE_ENDUTXENT
545 566
546/* Define to 1 if you have the `fchdir' function. */
547#undef HAVE_FCHDIR
548
549/* Define to 1 if you have the `fchmod' function. */ 567/* Define to 1 if you have the `fchmod' function. */
550#undef HAVE_FCHMOD 568#undef HAVE_FCHMOD
551 569
@@ -654,6 +672,9 @@
654/* Define to 1 if you have the <gssapi_krb5.h> header file. */ 672/* Define to 1 if you have the <gssapi_krb5.h> header file. */
655#undef HAVE_GSSAPI_KRB5_H 673#undef HAVE_GSSAPI_KRB5_H
656 674
675/* Define to 1 if you have the <iaf.h> header file. */
676#undef HAVE_IAF_H
677
657/* Define to 1 if you have the <ia.h> header file. */ 678/* Define to 1 if you have the <ia.h> header file. */
658#undef HAVE_IA_H 679#undef HAVE_IA_H
659 680
@@ -690,6 +711,9 @@
690/* Define to 1 if you have the <libgen.h> header file. */ 711/* Define to 1 if you have the <libgen.h> header file. */
691#undef HAVE_LIBGEN_H 712#undef HAVE_LIBGEN_H
692 713
714/* Define to 1 if you have the `iaf' library (-liaf). */
715#undef HAVE_LIBIAF
716
693/* Define to 1 if you have the `nsl' library (-lnsl). */ 717/* Define to 1 if you have the `nsl' library (-lnsl). */
694#undef HAVE_LIBNSL 718#undef HAVE_LIBNSL
695 719
@@ -903,6 +927,9 @@
903/* Define to 1 if you have the `socketpair' function. */ 927/* Define to 1 if you have the `socketpair' function. */
904#undef HAVE_SOCKETPAIR 928#undef HAVE_SOCKETPAIR
905 929
930/* Have PEERCRED socket option */
931#undef HAVE_SO_PEERCRED
932
906/* Define to 1 if you have the <stddef.h> header file. */ 933/* Define to 1 if you have the <stddef.h> header file. */
907#undef HAVE_STDDEF_H 934#undef HAVE_STDDEF_H
908 935
@@ -912,6 +939,9 @@
912/* Define to 1 if you have the <stdlib.h> header file. */ 939/* Define to 1 if you have the <stdlib.h> header file. */
913#undef HAVE_STDLIB_H 940#undef HAVE_STDLIB_H
914 941
942/* Define to 1 if you have the `strdup' function. */
943#undef HAVE_STRDUP
944
915/* Define to 1 if you have the `strerror' function. */ 945/* Define to 1 if you have the `strerror' function. */
916#undef HAVE_STRERROR 946#undef HAVE_STRERROR
917 947
@@ -939,6 +969,12 @@
939/* Define to 1 if you have the `strsep' function. */ 969/* Define to 1 if you have the `strsep' function. */
940#undef HAVE_STRSEP 970#undef HAVE_STRSEP
941 971
972/* Define to 1 if you have the `strtoll' function. */
973#undef HAVE_STRTOLL
974
975/* Define to 1 if you have the `strtonum' function. */
976#undef HAVE_STRTONUM
977
942/* Define to 1 if you have the `strtoul' function. */ 978/* Define to 1 if you have the `strtoul' function. */
943#undef HAVE_STRTOUL 979#undef HAVE_STRTOUL
944 980
@@ -996,6 +1032,9 @@
996/* Define to 1 if you have the <sys/strtio.h> header file. */ 1032/* Define to 1 if you have the <sys/strtio.h> header file. */
997#undef HAVE_SYS_STRTIO_H 1033#undef HAVE_SYS_STRTIO_H
998 1034
1035/* Force use of sys/syslog.h on Ultrix */
1036#undef HAVE_SYS_SYSLOG_H
1037
999/* Define to 1 if you have the <sys/sysmacros.h> header file. */ 1038/* Define to 1 if you have the <sys/sysmacros.h> header file. */
1000#undef HAVE_SYS_SYSMACROS_H 1039#undef HAVE_SYS_SYSMACROS_H
1001 1040
@@ -1095,6 +1134,15 @@
1095/* Define to 1 if you have the `__b64_pton' function. */ 1134/* Define to 1 if you have the `__b64_pton' function. */
1096#undef HAVE___B64_PTON 1135#undef HAVE___B64_PTON
1097 1136
1137/* max value of long long calculated by configure */
1138#undef LLONG_MAX
1139
1140/* min value of long long calculated by configure */
1141#undef LLONG_MIN
1142
1143/* Need setpgrp to acquire controlling tty */
1144#undef NEED_SETPRGP
1145
1098/* Define to the address where bug reports for this package should be sent. */ 1146/* Define to the address where bug reports for this package should be sent. */
1099#undef PACKAGE_BUGREPORT 1147#undef PACKAGE_BUGREPORT
1100 1148
@@ -1134,6 +1182,9 @@
1134/* Define to 1 if you have the ANSI C header files. */ 1182/* Define to 1 if you have the ANSI C header files. */
1135#undef STDC_HEADERS 1183#undef STDC_HEADERS
1136 1184
1185/* Support passwords > 8 chars */
1186#undef UNIXWARE_LONG_PASSWORDS
1187
1137/* Use BSM audit module */ 1188/* Use BSM audit module */
1138#undef USE_BSM_AUDIT 1189#undef USE_BSM_AUDIT
1139 1190
diff --git a/config.sub b/config.sub
index 1f31816b9..519f2cd00 100755
--- a/config.sub
+++ b/config.sub
@@ -1,9 +1,9 @@
1#! /bin/sh 1#! /bin/sh
2# Configuration validation subroutine script. 2# Configuration validation subroutine script.
3# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 3# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
4# 2000, 2001, 2002, 2003 Free Software Foundation, Inc. 4# 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
5 5
6timestamp='2003-08-18' 6timestamp='2005-05-12'
7 7
8# This file is (in principle) common to ALL GNU software. 8# This file is (in principle) common to ALL GNU software.
9# The presence of a machine in this file suggests that SOME GNU software 9# The presence of a machine in this file suggests that SOME GNU software
@@ -21,14 +21,15 @@ timestamp='2003-08-18'
21# 21#
22# You should have received a copy of the GNU General Public License 22# You should have received a copy of the GNU General Public License
23# along with this program; if not, write to the Free Software 23# along with this program; if not, write to the Free Software
24# Foundation, Inc., 59 Temple Place - Suite 330, 24# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
25# Boston, MA 02111-1307, USA. 25# 02110-1301, USA.
26 26#
27# As a special exception to the GNU General Public License, if you 27# As a special exception to the GNU General Public License, if you
28# distribute this file as part of a program that contains a 28# distribute this file as part of a program that contains a
29# configuration script generated by Autoconf, you may include it under 29# configuration script generated by Autoconf, you may include it under
30# the same distribution terms that you use for the rest of that program. 30# the same distribution terms that you use for the rest of that program.
31 31
32
32# Please send patches to <config-patches@gnu.org>. Submit a context 33# Please send patches to <config-patches@gnu.org>. Submit a context
33# diff and a properly formatted ChangeLog entry. 34# diff and a properly formatted ChangeLog entry.
34# 35#
@@ -70,7 +71,7 @@ Report bugs and patches to <config-patches@gnu.org>."
70version="\ 71version="\
71GNU config.sub ($timestamp) 72GNU config.sub ($timestamp)
72 73
73Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001 74Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
74Free Software Foundation, Inc. 75Free Software Foundation, Inc.
75 76
76This is free software; see the source for copying conditions. There is NO 77This is free software; see the source for copying conditions. There is NO
@@ -83,11 +84,11 @@ Try \`$me --help' for more information."
83while test $# -gt 0 ; do 84while test $# -gt 0 ; do
84 case $1 in 85 case $1 in
85 --time-stamp | --time* | -t ) 86 --time-stamp | --time* | -t )
86 echo "$timestamp" ; exit 0 ;; 87 echo "$timestamp" ; exit ;;
87 --version | -v ) 88 --version | -v )
88 echo "$version" ; exit 0 ;; 89 echo "$version" ; exit ;;
89 --help | --h* | -h ) 90 --help | --h* | -h )
90 echo "$usage"; exit 0 ;; 91 echo "$usage"; exit ;;
91 -- ) # Stop option processing 92 -- ) # Stop option processing
92 shift; break ;; 93 shift; break ;;
93 - ) # Use stdin as input. 94 - ) # Use stdin as input.
@@ -99,7 +100,7 @@ while test $# -gt 0 ; do
99 *local*) 100 *local*)
100 # First pass through any local machine types. 101 # First pass through any local machine types.
101 echo $1 102 echo $1
102 exit 0;; 103 exit ;;
103 104
104 * ) 105 * )
105 break ;; 106 break ;;
@@ -118,7 +119,8 @@ esac
118# Here we must recognize all the valid KERNEL-OS combinations. 119# Here we must recognize all the valid KERNEL-OS combinations.
119maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` 120maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
120case $maybe_os in 121case $maybe_os in
121 nto-qnx* | linux-gnu* | linux-dietlibc | kfreebsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*) 122 nto-qnx* | linux-gnu* | linux-dietlibc | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | \
123 kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*)
122 os=-$maybe_os 124 os=-$maybe_os
123 basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` 125 basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
124 ;; 126 ;;
@@ -144,7 +146,7 @@ case $os in
144 -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ 146 -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
145 -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ 147 -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
146 -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ 148 -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
147 -apple | -axis) 149 -apple | -axis | -knuth | -cray)
148 os= 150 os=
149 basic_machine=$1 151 basic_machine=$1
150 ;; 152 ;;
@@ -230,13 +232,14 @@ case $basic_machine in
230 | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ 232 | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
231 | am33_2.0 \ 233 | am33_2.0 \
232 | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \ 234 | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \
235 | bfin \
233 | c4x | clipper \ 236 | c4x | clipper \
234 | d10v | d30v | dlx | dsp16xx \ 237 | d10v | d30v | dlx | dsp16xx \
235 | fr30 | frv \ 238 | fr30 | frv \
236 | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ 239 | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
237 | i370 | i860 | i960 | ia64 \ 240 | i370 | i860 | i960 | ia64 \
238 | ip2k | iq2000 \ 241 | ip2k | iq2000 \
239 | m32r | m68000 | m68k | m88k | mcore \ 242 | m32r | m32rle | m68000 | m68k | m88k | maxq | mcore \
240 | mips | mipsbe | mipseb | mipsel | mipsle \ 243 | mips | mipsbe | mipseb | mipsel | mipsle \
241 | mips16 \ 244 | mips16 \
242 | mips64 | mips64el \ 245 | mips64 | mips64el \
@@ -261,12 +264,13 @@ case $basic_machine in
261 | pyramid \ 264 | pyramid \
262 | sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \ 265 | sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \
263 | sh64 | sh64le \ 266 | sh64 | sh64le \
264 | sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv9 | sparcv9b \ 267 | sparc | sparc64 | sparc64b | sparc86x | sparclet | sparclite \
268 | sparcv8 | sparcv9 | sparcv9b \
265 | strongarm \ 269 | strongarm \
266 | tahoe | thumb | tic4x | tic80 | tron \ 270 | tahoe | thumb | tic4x | tic80 | tron \
267 | v850 | v850e \ 271 | v850 | v850e \
268 | we32k \ 272 | we32k \
269 | x86 | xscale | xstormy16 | xtensa \ 273 | x86 | xscale | xscalee[bl] | xstormy16 | xtensa \
270 | z8k) 274 | z8k)
271 basic_machine=$basic_machine-unknown 275 basic_machine=$basic_machine-unknown
272 ;; 276 ;;
@@ -297,9 +301,9 @@ case $basic_machine in
297 | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ 301 | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
298 | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ 302 | arm-* | armbe-* | armle-* | armeb-* | armv*-* \
299 | avr-* \ 303 | avr-* \
300 | bs2000-* \ 304 | bfin-* | bs2000-* \
301 | c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \ 305 | c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
302 | clipper-* | cydra-* \ 306 | clipper-* | craynv-* | cydra-* \
303 | d10v-* | d30v-* | dlx-* \ 307 | d10v-* | d30v-* | dlx-* \
304 | elxsi-* \ 308 | elxsi-* \
305 | f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \ 309 | f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
@@ -307,9 +311,9 @@ case $basic_machine in
307 | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ 311 | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
308 | i*86-* | i860-* | i960-* | ia64-* \ 312 | i*86-* | i860-* | i960-* | ia64-* \
309 | ip2k-* | iq2000-* \ 313 | ip2k-* | iq2000-* \
310 | m32r-* \ 314 | m32r-* | m32rle-* \
311 | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ 315 | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
312 | m88110-* | m88k-* | mcore-* \ 316 | m88110-* | m88k-* | maxq-* | mcore-* \
313 | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ 317 | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
314 | mips16-* \ 318 | mips16-* \
315 | mips64-* | mips64el-* \ 319 | mips64-* | mips64el-* \
@@ -325,8 +329,9 @@ case $basic_machine in
325 | mipsisa64sb1-* | mipsisa64sb1el-* \ 329 | mipsisa64sb1-* | mipsisa64sb1el-* \
326 | mipsisa64sr71k-* | mipsisa64sr71kel-* \ 330 | mipsisa64sr71k-* | mipsisa64sr71kel-* \
327 | mipstx39-* | mipstx39el-* \ 331 | mipstx39-* | mipstx39el-* \
332 | mmix-* \
328 | msp430-* \ 333 | msp430-* \
329 | none-* | np1-* | nv1-* | ns16k-* | ns32k-* \ 334 | none-* | np1-* | ns16k-* | ns32k-* \
330 | orion-* \ 335 | orion-* \
331 | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ 336 | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
332 | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \ 337 | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
@@ -334,15 +339,16 @@ case $basic_machine in
334 | romp-* | rs6000-* \ 339 | romp-* | rs6000-* \
335 | sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \ 340 | sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \
336 | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ 341 | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
337 | sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \ 342 | sparc-* | sparc64-* | sparc64b-* | sparc86x-* | sparclet-* \
338 | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \ 343 | sparclite-* \
344 | sparcv8-* | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
339 | tahoe-* | thumb-* \ 345 | tahoe-* | thumb-* \
340 | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ 346 | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
341 | tron-* \ 347 | tron-* \
342 | v850-* | v850e-* | vax-* \ 348 | v850-* | v850e-* | vax-* \
343 | we32k-* \ 349 | we32k-* \
344 | x86-* | x86_64-* | xps100-* | xscale-* | xstormy16-* \ 350 | x86-* | x86_64-* | xps100-* | xscale-* | xscalee[bl]-* \
345 | xtensa-* \ 351 | xstormy16-* | xtensa-* \
346 | ymp-* \ 352 | ymp-* \
347 | z8k-*) 353 | z8k-*)
348 ;; 354 ;;
@@ -362,6 +368,9 @@ case $basic_machine in
362 basic_machine=a29k-amd 368 basic_machine=a29k-amd
363 os=-udi 369 os=-udi
364 ;; 370 ;;
371 abacus)
372 basic_machine=abacus-unknown
373 ;;
365 adobe68k) 374 adobe68k)
366 basic_machine=m68010-adobe 375 basic_machine=m68010-adobe
367 os=-scout 376 os=-scout
@@ -379,6 +388,9 @@ case $basic_machine in
379 amd64) 388 amd64)
380 basic_machine=x86_64-pc 389 basic_machine=x86_64-pc
381 ;; 390 ;;
391 amd64-*)
392 basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
393 ;;
382 amdahl) 394 amdahl)
383 basic_machine=580-amdahl 395 basic_machine=580-amdahl
384 os=-sysv 396 os=-sysv
@@ -438,12 +450,27 @@ case $basic_machine in
438 basic_machine=j90-cray 450 basic_machine=j90-cray
439 os=-unicos 451 os=-unicos
440 ;; 452 ;;
453 craynv)
454 basic_machine=craynv-cray
455 os=-unicosmp
456 ;;
457 cr16c)
458 basic_machine=cr16c-unknown
459 os=-elf
460 ;;
441 crds | unos) 461 crds | unos)
442 basic_machine=m68k-crds 462 basic_machine=m68k-crds
443 ;; 463 ;;
464 crisv32 | crisv32-* | etraxfs*)
465 basic_machine=crisv32-axis
466 ;;
444 cris | cris-* | etrax*) 467 cris | cris-* | etrax*)
445 basic_machine=cris-axis 468 basic_machine=cris-axis
446 ;; 469 ;;
470 crx)
471 basic_machine=crx-unknown
472 os=-elf
473 ;;
447 da30 | da30-*) 474 da30 | da30-*)
448 basic_machine=m68k-da30 475 basic_machine=m68k-da30
449 ;; 476 ;;
@@ -466,6 +493,10 @@ case $basic_machine in
466 basic_machine=m88k-motorola 493 basic_machine=m88k-motorola
467 os=-sysv3 494 os=-sysv3
468 ;; 495 ;;
496 djgpp)
497 basic_machine=i586-pc
498 os=-msdosdjgpp
499 ;;
469 dpx20 | dpx20-*) 500 dpx20 | dpx20-*)
470 basic_machine=rs6000-bull 501 basic_machine=rs6000-bull
471 os=-bosx 502 os=-bosx
@@ -644,10 +675,6 @@ case $basic_machine in
644 mips3*) 675 mips3*)
645 basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown 676 basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
646 ;; 677 ;;
647 mmix*)
648 basic_machine=mmix-knuth
649 os=-mmixware
650 ;;
651 monitor) 678 monitor)
652 basic_machine=m68k-rom68k 679 basic_machine=m68k-rom68k
653 os=-coff 680 os=-coff
@@ -728,10 +755,6 @@ case $basic_machine in
728 np1) 755 np1)
729 basic_machine=np1-gould 756 basic_machine=np1-gould
730 ;; 757 ;;
731 nv1)
732 basic_machine=nv1-cray
733 os=-unicosmp
734 ;;
735 nsr-tandem) 758 nsr-tandem)
736 basic_machine=nsr-tandem 759 basic_machine=nsr-tandem
737 ;; 760 ;;
@@ -743,6 +766,10 @@ case $basic_machine in
743 basic_machine=or32-unknown 766 basic_machine=or32-unknown
744 os=-coff 767 os=-coff
745 ;; 768 ;;
769 os400)
770 basic_machine=powerpc-ibm
771 os=-os400
772 ;;
746 OSE68000 | ose68000) 773 OSE68000 | ose68000)
747 basic_machine=m68000-ericsson 774 basic_machine=m68000-ericsson
748 os=-ose 775 os=-ose
@@ -963,6 +990,10 @@ case $basic_machine in
963 tower | tower-32) 990 tower | tower-32)
964 basic_machine=m68k-ncr 991 basic_machine=m68k-ncr
965 ;; 992 ;;
993 tpf)
994 basic_machine=s390x-ibm
995 os=-tpf
996 ;;
966 udi29k) 997 udi29k)
967 basic_machine=a29k-amd 998 basic_machine=a29k-amd
968 os=-udi 999 os=-udi
@@ -1006,6 +1037,10 @@ case $basic_machine in
1006 basic_machine=hppa1.1-winbond 1037 basic_machine=hppa1.1-winbond
1007 os=-proelf 1038 os=-proelf
1008 ;; 1039 ;;
1040 xbox)
1041 basic_machine=i686-pc
1042 os=-mingw32
1043 ;;
1009 xps | xps100) 1044 xps | xps100)
1010 basic_machine=xps100-honeywell 1045 basic_machine=xps100-honeywell
1011 ;; 1046 ;;
@@ -1036,6 +1071,9 @@ case $basic_machine in
1036 romp) 1071 romp)
1037 basic_machine=romp-ibm 1072 basic_machine=romp-ibm
1038 ;; 1073 ;;
1074 mmix)
1075 basic_machine=mmix-knuth
1076 ;;
1039 rs6000) 1077 rs6000)
1040 basic_machine=rs6000-ibm 1078 basic_machine=rs6000-ibm
1041 ;; 1079 ;;
@@ -1058,7 +1096,7 @@ case $basic_machine in
1058 sh64) 1096 sh64)
1059 basic_machine=sh64-unknown 1097 basic_machine=sh64-unknown
1060 ;; 1098 ;;
1061 sparc | sparcv9 | sparcv9b) 1099 sparc | sparcv8 | sparcv9 | sparcv9b)
1062 basic_machine=sparc-sun 1100 basic_machine=sparc-sun
1063 ;; 1101 ;;
1064 cydra) 1102 cydra)
@@ -1131,19 +1169,20 @@ case $os in
1131 | -aos* \ 1169 | -aos* \
1132 | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ 1170 | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
1133 | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ 1171 | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
1134 | -hiux* | -386bsd* | -netbsd* | -openbsd* | -kfreebsd* | -freebsd* | -riscix* \ 1172 | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* | -openbsd* \
1135 | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ 1173 | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
1174 | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
1136 | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ 1175 | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
1137 | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ 1176 | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
1138 | -chorusos* | -chorusrdb* \ 1177 | -chorusos* | -chorusrdb* \
1139 | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ 1178 | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
1140 | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -mpeix* | -udk* \ 1179 | -mingw32* | -linux-gnu* | -linux-uclibc* | -uxpv* | -beos* | -mpeix* | -udk* \
1141 | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ 1180 | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
1142 | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ 1181 | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
1143 | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ 1182 | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
1144 | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ 1183 | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
1145 | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ 1184 | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
1146 | -powermax* | -dnix* | -nx6 | -nx7 | -sei*) 1185 | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* | -skyos*)
1147 # Remember, each alternative MUST END IN *, to match a version number. 1186 # Remember, each alternative MUST END IN *, to match a version number.
1148 ;; 1187 ;;
1149 -qnx*) 1188 -qnx*)
@@ -1182,6 +1221,9 @@ case $os in
1182 -opened*) 1221 -opened*)
1183 os=-openedition 1222 os=-openedition
1184 ;; 1223 ;;
1224 -os400*)
1225 os=-os400
1226 ;;
1185 -wince*) 1227 -wince*)
1186 os=-wince 1228 os=-wince
1187 ;; 1229 ;;
@@ -1203,6 +1245,9 @@ case $os in
1203 -atheos*) 1245 -atheos*)
1204 os=-atheos 1246 os=-atheos
1205 ;; 1247 ;;
1248 -syllable*)
1249 os=-syllable
1250 ;;
1206 -386bsd) 1251 -386bsd)
1207 os=-bsd 1252 os=-bsd
1208 ;; 1253 ;;
@@ -1225,6 +1270,9 @@ case $os in
1225 -sinix*) 1270 -sinix*)
1226 os=-sysv4 1271 os=-sysv4
1227 ;; 1272 ;;
1273 -tpf*)
1274 os=-tpf
1275 ;;
1228 -triton*) 1276 -triton*)
1229 os=-sysv3 1277 os=-sysv3
1230 ;; 1278 ;;
@@ -1261,6 +1309,9 @@ case $os in
1261 -kaos*) 1309 -kaos*)
1262 os=-kaos 1310 os=-kaos
1263 ;; 1311 ;;
1312 -zvmoe)
1313 os=-zvmoe
1314 ;;
1264 -none) 1315 -none)
1265 ;; 1316 ;;
1266 *) 1317 *)
@@ -1341,6 +1392,9 @@ case $basic_machine in
1341 *-ibm) 1392 *-ibm)
1342 os=-aix 1393 os=-aix
1343 ;; 1394 ;;
1395 *-knuth)
1396 os=-mmixware
1397 ;;
1344 *-wec) 1398 *-wec)
1345 os=-proelf 1399 os=-proelf
1346 ;; 1400 ;;
@@ -1473,9 +1527,15 @@ case $basic_machine in
1473 -mvs* | -opened*) 1527 -mvs* | -opened*)
1474 vendor=ibm 1528 vendor=ibm
1475 ;; 1529 ;;
1530 -os400*)
1531 vendor=ibm
1532 ;;
1476 -ptx*) 1533 -ptx*)
1477 vendor=sequent 1534 vendor=sequent
1478 ;; 1535 ;;
1536 -tpf*)
1537 vendor=ibm
1538 ;;
1479 -vxsim* | -vxworks* | -windiss*) 1539 -vxsim* | -vxworks* | -windiss*)
1480 vendor=wrs 1540 vendor=wrs
1481 ;; 1541 ;;
@@ -1500,7 +1560,7 @@ case $basic_machine in
1500esac 1560esac
1501 1561
1502echo $basic_machine$os 1562echo $basic_machine$os
1503exit 0 1563exit
1504 1564
1505# Local variables: 1565# Local variables:
1506# eval: (add-hook 'write-file-hooks 'time-stamp) 1566# eval: (add-hook 'write-file-hooks 'time-stamp)
diff --git a/configure b/configure
index 1bf7b0b0b..362218407 100755
--- a/configure
+++ b/configure
@@ -2,6 +2,8 @@
2# Guess values for system-dependent variables and create Makefiles. 2# Guess values for system-dependent variables and create Makefiles.
3# Generated by GNU Autoconf 2.59 for OpenSSH Portable. 3# Generated by GNU Autoconf 2.59 for OpenSSH Portable.
4# 4#
5# Report bugs to <openssh-unix-dev@mindrot.org>.
6#
5# Copyright (C) 2003 Free Software Foundation, Inc. 7# Copyright (C) 2003 Free Software Foundation, Inc.
6# This configure script is free software; the Free Software Foundation 8# This configure script is free software; the Free Software Foundation
7# gives unlimited permission to copy, distribute and modify it. 9# gives unlimited permission to copy, distribute and modify it.
@@ -269,7 +271,7 @@ PACKAGE_NAME='OpenSSH'
269PACKAGE_TARNAME='openssh' 271PACKAGE_TARNAME='openssh'
270PACKAGE_VERSION='Portable' 272PACKAGE_VERSION='Portable'
271PACKAGE_STRING='OpenSSH Portable' 273PACKAGE_STRING='OpenSSH Portable'
272PACKAGE_BUGREPORT='' 274PACKAGE_BUGREPORT='openssh-unix-dev@mindrot.org'
273 275
274ac_unique_file="ssh.c" 276ac_unique_file="ssh.c"
275# Factoring default headers for most tests. 277# Factoring default headers for most tests.
@@ -867,6 +869,7 @@ Optional Packages:
867 --with-cppflags Specify additional flags to pass to preprocessor 869 --with-cppflags Specify additional flags to pass to preprocessor
868 --with-ldflags Specify additional flags to pass to linker 870 --with-ldflags Specify additional flags to pass to linker
869 --with-libs Specify additional libraries to link with 871 --with-libs Specify additional libraries to link with
872 --with-Werror Build main code with -Werror
870 --with-zlib=PATH Use zlib in PATH 873 --with-zlib=PATH Use zlib in PATH
871 --without-zlib-version-check Disable zlib version check 874 --without-zlib-version-check Disable zlib version check
872 --with-skey[=PATH] Enable S/Key support (optionally in PATH) 875 --with-skey[=PATH] Enable S/Key support (optionally in PATH)
@@ -881,7 +884,7 @@ Optional Packages:
881 --with-entropy-timeout Specify entropy gathering command timeout (msec) 884 --with-entropy-timeout Specify entropy gathering command timeout (msec)
882 --with-privsep-user=user Specify non-privileged user for privilege separation 885 --with-privsep-user=user Specify non-privileged user for privilege separation
883 --with-sectok Enable smartcard support using libsectok 886 --with-sectok Enable smartcard support using libsectok
884 --with-opensc=PFX Enable smartcard support using OpenSC 887--with-opensc[=PFX] Enable smartcard support using OpenSC (optionally in PATH)
885 --with-kerberos5=PATH Enable Kerberos 5 support 888 --with-kerberos5=PATH Enable Kerberos 5 support
886 --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty) 889 --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
887 --with-xauth=PATH Specify path to xauth program 890 --with-xauth=PATH Specify path to xauth program
@@ -908,6 +911,7 @@ Some influential environment variables:
908Use these variables to override the choices made by `configure' or to help 911Use these variables to override the choices made by `configure' or to help
909it to find libraries and programs with nonstandard names/locations. 912it to find libraries and programs with nonstandard names/locations.
910 913
914Report bugs to <openssh-unix-dev@mindrot.org>.
911_ACEOF 915_ACEOF
912fi 916fi
913 917
@@ -4098,8 +4102,253 @@ _ACEOF
4098 ;; 4102 ;;
4099esac 4103esac
4100 4104
4105
4106echo "$as_me:$LINENO: checking whether LLONG_MAX is declared" >&5
4107echo $ECHO_N "checking whether LLONG_MAX is declared... $ECHO_C" >&6
4108if test "${ac_cv_have_decl_LLONG_MAX+set}" = set; then
4109 echo $ECHO_N "(cached) $ECHO_C" >&6
4110else
4111 cat >conftest.$ac_ext <<_ACEOF
4112/* confdefs.h. */
4113_ACEOF
4114cat confdefs.h >>conftest.$ac_ext
4115cat >>conftest.$ac_ext <<_ACEOF
4116/* end confdefs.h. */
4117#include <limits.h>
4118
4119int
4120main ()
4121{
4122#ifndef LLONG_MAX
4123 char *p = (char *) LLONG_MAX;
4124#endif
4125
4126 ;
4127 return 0;
4128}
4129_ACEOF
4130rm -f conftest.$ac_objext
4131if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
4132 (eval $ac_compile) 2>conftest.er1
4133 ac_status=$?
4134 grep -v '^ *+' conftest.er1 >conftest.err
4135 rm -f conftest.er1
4136 cat conftest.err >&5
4137 echo "$as_me:$LINENO: \$? = $ac_status" >&5
4138 (exit $ac_status); } &&
4139 { ac_try='test -z "$ac_c_werror_flag"
4140 || test ! -s conftest.err'
4141 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
4142 (eval $ac_try) 2>&5
4143 ac_status=$?
4144 echo "$as_me:$LINENO: \$? = $ac_status" >&5
4145 (exit $ac_status); }; } &&
4146 { ac_try='test -s conftest.$ac_objext'
4147 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
4148 (eval $ac_try) 2>&5
4149 ac_status=$?
4150 echo "$as_me:$LINENO: \$? = $ac_status" >&5
4151 (exit $ac_status); }; }; then
4152 ac_cv_have_decl_LLONG_MAX=yes
4153else
4154 echo "$as_me: failed program was:" >&5
4155sed 's/^/| /' conftest.$ac_ext >&5
4156
4157ac_cv_have_decl_LLONG_MAX=no
4158fi
4159rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
4160fi
4161echo "$as_me:$LINENO: result: $ac_cv_have_decl_LLONG_MAX" >&5
4162echo "${ECHO_T}$ac_cv_have_decl_LLONG_MAX" >&6
4163if test $ac_cv_have_decl_LLONG_MAX = yes; then
4164 have_llong_max=1
4165fi
4166
4167
4101if test "$GCC" = "yes" || test "$GCC" = "egcs"; then 4168if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
4102 CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wno-uninitialized" 4169 CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized"
4170 GCC_VER=`$CC --version`
4171 case $GCC_VER in
4172 1.*) ;;
4173 2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;;
4174 2.*) ;;
4175 *) CFLAGS="$CFLAGS -Wsign-compare" ;;
4176 esac
4177
4178 if test -z "$have_llong_max"; then
4179 # retry LLONG_MAX with -std=gnu99, needed on some Linuxes
4180 unset ac_cv_have_decl_LLONG_MAX
4181 saved_CFLAGS="$CFLAGS"
4182 CFLAGS="$CFLAGS -std=gnu99"
4183 echo "$as_me:$LINENO: checking whether LLONG_MAX is declared" >&5
4184echo $ECHO_N "checking whether LLONG_MAX is declared... $ECHO_C" >&6
4185if test "${ac_cv_have_decl_LLONG_MAX+set}" = set; then
4186 echo $ECHO_N "(cached) $ECHO_C" >&6
4187else
4188 cat >conftest.$ac_ext <<_ACEOF
4189/* confdefs.h. */
4190_ACEOF
4191cat confdefs.h >>conftest.$ac_ext
4192cat >>conftest.$ac_ext <<_ACEOF
4193/* end confdefs.h. */
4194#include <limits.h>
4195
4196
4197int
4198main ()
4199{
4200#ifndef LLONG_MAX
4201 char *p = (char *) LLONG_MAX;
4202#endif
4203
4204 ;
4205 return 0;
4206}
4207_ACEOF
4208rm -f conftest.$ac_objext
4209if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
4210 (eval $ac_compile) 2>conftest.er1
4211 ac_status=$?
4212 grep -v '^ *+' conftest.er1 >conftest.err
4213 rm -f conftest.er1
4214 cat conftest.err >&5
4215 echo "$as_me:$LINENO: \$? = $ac_status" >&5
4216 (exit $ac_status); } &&
4217 { ac_try='test -z "$ac_c_werror_flag"
4218 || test ! -s conftest.err'
4219 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
4220 (eval $ac_try) 2>&5
4221 ac_status=$?
4222 echo "$as_me:$LINENO: \$? = $ac_status" >&5
4223 (exit $ac_status); }; } &&
4224 { ac_try='test -s conftest.$ac_objext'
4225 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
4226 (eval $ac_try) 2>&5
4227 ac_status=$?
4228 echo "$as_me:$LINENO: \$? = $ac_status" >&5
4229 (exit $ac_status); }; }; then
4230 ac_cv_have_decl_LLONG_MAX=yes
4231else
4232 echo "$as_me: failed program was:" >&5
4233sed 's/^/| /' conftest.$ac_ext >&5
4234
4235ac_cv_have_decl_LLONG_MAX=no
4236fi
4237rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
4238fi
4239echo "$as_me:$LINENO: result: $ac_cv_have_decl_LLONG_MAX" >&5
4240echo "${ECHO_T}$ac_cv_have_decl_LLONG_MAX" >&6
4241if test $ac_cv_have_decl_LLONG_MAX = yes; then
4242 have_llong_max=1
4243else
4244 CFLAGS="$saved_CFLAGS"
4245fi
4246
4247 fi
4248fi
4249
4250if test -z "$have_llong_max"; then
4251 echo "$as_me:$LINENO: checking for max value of long long" >&5
4252echo $ECHO_N "checking for max value of long long... $ECHO_C" >&6
4253 if test "$cross_compiling" = yes; then
4254
4255 { echo "$as_me:$LINENO: WARNING: cross compiling: not checking" >&5
4256echo "$as_me: WARNING: cross compiling: not checking" >&2;}
4257
4258
4259else
4260 cat >conftest.$ac_ext <<_ACEOF
4261/* confdefs.h. */
4262_ACEOF
4263cat confdefs.h >>conftest.$ac_ext
4264cat >>conftest.$ac_ext <<_ACEOF
4265/* end confdefs.h. */
4266
4267#include <stdio.h>
4268/* Why is this so damn hard? */
4269#ifdef __GNUC__
4270# undef __GNUC__
4271#endif
4272#define __USE_ISOC99
4273#include <limits.h>
4274#define DATA "conftest.llminmax"
4275int main(void) {
4276 FILE *f;
4277 long long i, llmin, llmax = 0;
4278
4279 if((f = fopen(DATA,"w")) == NULL)
4280 exit(1);
4281
4282#if defined(LLONG_MIN) && defined(LLONG_MAX)
4283 fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
4284 llmin = LLONG_MIN;
4285 llmax = LLONG_MAX;
4286#else
4287 fprintf(stderr, "Calculating LLONG_MIN and LLONG_MAX\n");
4288 /* This will work on one's complement and two's complement */
4289 for (i = 1; i > llmax; i <<= 1, i++)
4290 llmax = i;
4291 llmin = llmax + 1LL; /* wrap */
4292#endif
4293
4294 /* Sanity check */
4295 if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
4296 || llmax - 1 > llmax) {
4297 fprintf(f, "unknown unknown\n");
4298 exit(2);
4299 }
4300
4301 if (fprintf(f ,"%lld %lld", llmin, llmax) < 0)
4302 exit(3);
4303
4304 exit(0);
4305}
4306
4307_ACEOF
4308rm -f conftest$ac_exeext
4309if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
4310 (eval $ac_link) 2>&5
4311 ac_status=$?
4312 echo "$as_me:$LINENO: \$? = $ac_status" >&5
4313 (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
4314 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
4315 (eval $ac_try) 2>&5
4316 ac_status=$?
4317 echo "$as_me:$LINENO: \$? = $ac_status" >&5
4318 (exit $ac_status); }; }; then
4319
4320 llong_min=`$AWK '{print $1}' conftest.llminmax`
4321 llong_max=`$AWK '{print $2}' conftest.llminmax`
4322 echo "$as_me:$LINENO: result: $llong_max" >&5
4323echo "${ECHO_T}$llong_max" >&6
4324
4325cat >>confdefs.h <<_ACEOF
4326#define LLONG_MAX ${llong_max}LL
4327_ACEOF
4328
4329 echo "$as_me:$LINENO: checking for min value of long long" >&5
4330echo $ECHO_N "checking for min value of long long... $ECHO_C" >&6
4331 echo "$as_me:$LINENO: result: $llong_min" >&5
4332echo "${ECHO_T}$llong_min" >&6
4333
4334cat >>confdefs.h <<_ACEOF
4335#define LLONG_MIN ${llong_min}LL
4336_ACEOF
4337
4338
4339else
4340 echo "$as_me: program exited with status $ac_status" >&5
4341echo "$as_me: failed program was:" >&5
4342sed 's/^/| /' conftest.$ac_ext >&5
4343
4344( exit $ac_status )
4345
4346 echo "$as_me:$LINENO: result: not found" >&5
4347echo "${ECHO_T}not found" >&6
4348
4349fi
4350rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
4351fi
4103fi 4352fi
4104 4353
4105 4354
@@ -4643,6 +4892,77 @@ _ACEOF
4643 4892
4644 4893
4645fi 4894fi
4895echo "$as_me:$LINENO: checking whether setauthdb is declared" >&5
4896echo $ECHO_N "checking whether setauthdb is declared... $ECHO_C" >&6
4897if test "${ac_cv_have_decl_setauthdb+set}" = set; then
4898 echo $ECHO_N "(cached) $ECHO_C" >&6
4899else
4900 cat >conftest.$ac_ext <<_ACEOF
4901/* confdefs.h. */
4902_ACEOF
4903cat confdefs.h >>conftest.$ac_ext
4904cat >>conftest.$ac_ext <<_ACEOF
4905/* end confdefs.h. */
4906#include <usersec.h>
4907
4908int
4909main ()
4910{
4911#ifndef setauthdb
4912 char *p = (char *) setauthdb;
4913#endif
4914
4915 ;
4916 return 0;
4917}
4918_ACEOF
4919rm -f conftest.$ac_objext
4920if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
4921 (eval $ac_compile) 2>conftest.er1
4922 ac_status=$?
4923 grep -v '^ *+' conftest.er1 >conftest.err
4924 rm -f conftest.er1
4925 cat conftest.err >&5
4926 echo "$as_me:$LINENO: \$? = $ac_status" >&5
4927 (exit $ac_status); } &&
4928 { ac_try='test -z "$ac_c_werror_flag"
4929 || test ! -s conftest.err'
4930 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
4931 (eval $ac_try) 2>&5
4932 ac_status=$?
4933 echo "$as_me:$LINENO: \$? = $ac_status" >&5
4934 (exit $ac_status); }; } &&
4935 { ac_try='test -s conftest.$ac_objext'
4936 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
4937 (eval $ac_try) 2>&5
4938 ac_status=$?
4939 echo "$as_me:$LINENO: \$? = $ac_status" >&5
4940 (exit $ac_status); }; }; then
4941 ac_cv_have_decl_setauthdb=yes
4942else
4943 echo "$as_me: failed program was:" >&5
4944sed 's/^/| /' conftest.$ac_ext >&5
4945
4946ac_cv_have_decl_setauthdb=no
4947fi
4948rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
4949fi
4950echo "$as_me:$LINENO: result: $ac_cv_have_decl_setauthdb" >&5
4951echo "${ECHO_T}$ac_cv_have_decl_setauthdb" >&6
4952if test $ac_cv_have_decl_setauthdb = yes; then
4953
4954cat >>confdefs.h <<_ACEOF
4955#define HAVE_DECL_SETAUTHDB 1
4956_ACEOF
4957
4958
4959else
4960 cat >>confdefs.h <<_ACEOF
4961#define HAVE_DECL_SETAUTHDB 0
4962_ACEOF
4963
4964
4965fi
4646 4966
4647 4967
4648 echo "$as_me:$LINENO: checking whether loginfailed is declared" >&5 4968 echo "$as_me:$LINENO: checking whether loginfailed is declared" >&5
@@ -5019,121 +5339,8 @@ _ACEOF
5019_ACEOF 5339_ACEOF
5020 5340
5021 ;; 5341 ;;
5022*-*-hpux10.26) 5342*-*-hpux*)
5023 if test -z "$GCC"; then 5343 # first we define all of the options common to all HP-UX releases
5024 CFLAGS="$CFLAGS -Ae"
5025 fi
5026 CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
5027 IPADDR_IN_DISPLAY=yes
5028 cat >>confdefs.h <<\_ACEOF
5029#define HAVE_SECUREWARE 1
5030_ACEOF
5031
5032 cat >>confdefs.h <<\_ACEOF
5033#define USE_PIPES 1
5034_ACEOF
5035
5036 cat >>confdefs.h <<\_ACEOF
5037#define LOGIN_NO_ENDOPT 1
5038_ACEOF
5039
5040 cat >>confdefs.h <<\_ACEOF
5041#define LOGIN_NEEDS_UTMPX 1
5042_ACEOF
5043
5044 cat >>confdefs.h <<\_ACEOF
5045#define LOCKED_PASSWD_STRING "*"
5046_ACEOF
5047
5048 cat >>confdefs.h <<\_ACEOF
5049#define SPT_TYPE SPT_PSTAT
5050_ACEOF
5051
5052 LIBS="$LIBS -lsec -lsecpw"
5053
5054echo "$as_me:$LINENO: checking for t_error in -lxnet" >&5
5055echo $ECHO_N "checking for t_error in -lxnet... $ECHO_C" >&6
5056if test "${ac_cv_lib_xnet_t_error+set}" = set; then
5057 echo $ECHO_N "(cached) $ECHO_C" >&6
5058else
5059 ac_check_lib_save_LIBS=$LIBS
5060LIBS="-lxnet $LIBS"
5061cat >conftest.$ac_ext <<_ACEOF
5062/* confdefs.h. */
5063_ACEOF
5064cat confdefs.h >>conftest.$ac_ext
5065cat >>conftest.$ac_ext <<_ACEOF
5066/* end confdefs.h. */
5067
5068/* Override any gcc2 internal prototype to avoid an error. */
5069#ifdef __cplusplus
5070extern "C"
5071#endif
5072/* We use char because int might match the return type of a gcc2
5073 builtin and then its argument prototype would still apply. */
5074char t_error ();
5075int
5076main ()
5077{
5078t_error ();
5079 ;
5080 return 0;
5081}
5082_ACEOF
5083rm -f conftest.$ac_objext conftest$ac_exeext
5084if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
5085 (eval $ac_link) 2>conftest.er1
5086 ac_status=$?
5087 grep -v '^ *+' conftest.er1 >conftest.err
5088 rm -f conftest.er1
5089 cat conftest.err >&5
5090 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5091 (exit $ac_status); } &&
5092 { ac_try='test -z "$ac_c_werror_flag"
5093 || test ! -s conftest.err'
5094 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
5095 (eval $ac_try) 2>&5
5096 ac_status=$?
5097 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5098 (exit $ac_status); }; } &&
5099 { ac_try='test -s conftest$ac_exeext'
5100 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
5101 (eval $ac_try) 2>&5
5102 ac_status=$?
5103 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5104 (exit $ac_status); }; }; then
5105 ac_cv_lib_xnet_t_error=yes
5106else
5107 echo "$as_me: failed program was:" >&5
5108sed 's/^/| /' conftest.$ac_ext >&5
5109
5110ac_cv_lib_xnet_t_error=no
5111fi
5112rm -f conftest.err conftest.$ac_objext \
5113 conftest$ac_exeext conftest.$ac_ext
5114LIBS=$ac_check_lib_save_LIBS
5115fi
5116echo "$as_me:$LINENO: result: $ac_cv_lib_xnet_t_error" >&5
5117echo "${ECHO_T}$ac_cv_lib_xnet_t_error" >&6
5118if test $ac_cv_lib_xnet_t_error = yes; then
5119 cat >>confdefs.h <<_ACEOF
5120#define HAVE_LIBXNET 1
5121_ACEOF
5122
5123 LIBS="-lxnet $LIBS"
5124
5125else
5126 { { echo "$as_me:$LINENO: error: *** -lxnet needed on HP-UX - check config.log ***" >&5
5127echo "$as_me: error: *** -lxnet needed on HP-UX - check config.log ***" >&2;}
5128 { (exit 1); exit 1; }; }
5129fi
5130
5131 disable_ptmx_check=yes
5132 ;;
5133*-*-hpux10*)
5134 if test -z "$GCC"; then
5135 CFLAGS="$CFLAGS -Ae"
5136 fi
5137 CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1" 5344 CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
5138 IPADDR_IN_DISPLAY=yes 5345 IPADDR_IN_DISPLAY=yes
5139 cat >>confdefs.h <<\_ACEOF 5346 cat >>confdefs.h <<\_ACEOF
@@ -5235,124 +5442,44 @@ echo "$as_me: error: *** -lxnet needed on HP-UX - check config.log ***" >&2;}
5235 { (exit 1); exit 1; }; } 5442 { (exit 1); exit 1; }; }
5236fi 5443fi
5237 5444
5238 ;;
5239*-*-hpux11*)
5240 CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
5241 IPADDR_IN_DISPLAY=yes
5242 cat >>confdefs.h <<\_ACEOF
5243#define PAM_SUN_CODEBASE 1
5244_ACEOF
5245
5246 cat >>confdefs.h <<\_ACEOF
5247#define USE_PIPES 1
5248_ACEOF
5249
5250 cat >>confdefs.h <<\_ACEOF
5251#define LOGIN_NO_ENDOPT 1
5252_ACEOF
5253 5445
5254 cat >>confdefs.h <<\_ACEOF 5446 # next, we define all of the options specific to major releases
5255#define LOGIN_NEEDS_UTMPX 1 5447 case "$host" in
5448 *-*-hpux10*)
5449 if test -z "$GCC"; then
5450 CFLAGS="$CFLAGS -Ae"
5451 fi
5452 ;;
5453 *-*-hpux11*)
5454 cat >>confdefs.h <<\_ACEOF
5455#define PAM_SUN_CODEBASE 1
5256_ACEOF 5456_ACEOF
5257 5457
5258 cat >>confdefs.h <<\_ACEOF 5458 cat >>confdefs.h <<\_ACEOF
5259#define DISABLE_UTMP 1 5459#define DISABLE_UTMP 1
5260_ACEOF 5460_ACEOF
5261 5461
5262 cat >>confdefs.h <<\_ACEOF
5263#define LOCKED_PASSWD_STRING "*"
5264_ACEOF
5265
5266 cat >>confdefs.h <<\_ACEOF
5267#define SPT_TYPE SPT_PSTAT
5268_ACEOF
5269
5270 5462
5271cat >>confdefs.h <<\_ACEOF 5463cat >>confdefs.h <<\_ACEOF
5272#define USE_BTMP 1 5464#define USE_BTMP 1
5273_ACEOF 5465_ACEOF
5274 5466
5275 check_for_hpux_broken_getaddrinfo=1 5467 check_for_hpux_broken_getaddrinfo=1
5276 check_for_conflicting_getspnam=1 5468 check_for_conflicting_getspnam=1
5277 LIBS="$LIBS -lsec" 5469 ;;
5278 5470 esac
5279echo "$as_me:$LINENO: checking for t_error in -lxnet" >&5
5280echo $ECHO_N "checking for t_error in -lxnet... $ECHO_C" >&6
5281if test "${ac_cv_lib_xnet_t_error+set}" = set; then
5282 echo $ECHO_N "(cached) $ECHO_C" >&6
5283else
5284 ac_check_lib_save_LIBS=$LIBS
5285LIBS="-lxnet $LIBS"
5286cat >conftest.$ac_ext <<_ACEOF
5287/* confdefs.h. */
5288_ACEOF
5289cat confdefs.h >>conftest.$ac_ext
5290cat >>conftest.$ac_ext <<_ACEOF
5291/* end confdefs.h. */
5292
5293/* Override any gcc2 internal prototype to avoid an error. */
5294#ifdef __cplusplus
5295extern "C"
5296#endif
5297/* We use char because int might match the return type of a gcc2
5298 builtin and then its argument prototype would still apply. */
5299char t_error ();
5300int
5301main ()
5302{
5303t_error ();
5304 ;
5305 return 0;
5306}
5307_ACEOF
5308rm -f conftest.$ac_objext conftest$ac_exeext
5309if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
5310 (eval $ac_link) 2>conftest.er1
5311 ac_status=$?
5312 grep -v '^ *+' conftest.er1 >conftest.err
5313 rm -f conftest.er1
5314 cat conftest.err >&5
5315 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5316 (exit $ac_status); } &&
5317 { ac_try='test -z "$ac_c_werror_flag"
5318 || test ! -s conftest.err'
5319 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
5320 (eval $ac_try) 2>&5
5321 ac_status=$?
5322 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5323 (exit $ac_status); }; } &&
5324 { ac_try='test -s conftest$ac_exeext'
5325 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
5326 (eval $ac_try) 2>&5
5327 ac_status=$?
5328 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5329 (exit $ac_status); }; }; then
5330 ac_cv_lib_xnet_t_error=yes
5331else
5332 echo "$as_me: failed program was:" >&5
5333sed 's/^/| /' conftest.$ac_ext >&5
5334 5471
5335ac_cv_lib_xnet_t_error=no 5472 # lastly, we define options specific to minor releases
5336fi 5473 case "$host" in
5337rm -f conftest.err conftest.$ac_objext \ 5474 *-*-hpux10.26)
5338 conftest$ac_exeext conftest.$ac_ext 5475 cat >>confdefs.h <<\_ACEOF
5339LIBS=$ac_check_lib_save_LIBS 5476#define HAVE_SECUREWARE 1
5340fi
5341echo "$as_me:$LINENO: result: $ac_cv_lib_xnet_t_error" >&5
5342echo "${ECHO_T}$ac_cv_lib_xnet_t_error" >&6
5343if test $ac_cv_lib_xnet_t_error = yes; then
5344 cat >>confdefs.h <<_ACEOF
5345#define HAVE_LIBXNET 1
5346_ACEOF 5477_ACEOF
5347 5478
5348 LIBS="-lxnet $LIBS" 5479 disable_ptmx_check=yes
5349 5480 LIBS="$LIBS -lsecpw"
5350else 5481 ;;
5351 { { echo "$as_me:$LINENO: error: *** -lxnet needed on HP-UX - check config.log ***" >&5 5482 esac
5352echo "$as_me: error: *** -lxnet needed on HP-UX - check config.log ***" >&2;}
5353 { (exit 1); exit 1; }; }
5354fi
5355
5356 ;; 5483 ;;
5357*-*-irix5*) 5484*-*-irix5*)
5358 PATH="$PATH:/usr/etc" 5485 PATH="$PATH:/usr/etc"
@@ -5566,8 +5693,9 @@ _ACEOF
5566 esac 5693 esac
5567 ;; 5694 ;;
5568mips-sony-bsd|mips-sony-newsos4) 5695mips-sony-bsd|mips-sony-newsos4)
5569 cat >>confdefs.h <<\_ACEOF 5696
5570#define HAVE_NEWS4 1 5697cat >>confdefs.h <<\_ACEOF
5698#define NEED_SETPRGP
5571_ACEOF 5699_ACEOF
5572 5700
5573 SONY=1 5701 SONY=1
@@ -5617,6 +5745,13 @@ _ACEOF
5617_ACEOF 5745_ACEOF
5618 5746
5619 ;; 5747 ;;
5748*-*-openbsd*)
5749
5750cat >>confdefs.h <<\_ACEOF
5751#define HAVE_ATTRIBUTE__SENTINEL__ 1
5752_ACEOF
5753
5754 ;;
5620*-*-solaris*) 5755*-*-solaris*)
5621 if test "x$withval" != "xno" ; then 5756 if test "x$withval" != "xno" ; then
5622 need_dash_r=1 5757 need_dash_r=1
@@ -6004,9 +6139,20 @@ _ACEOF
6004#define BROKEN_SETREGID 1 6139#define BROKEN_SETREGID 1
6005_ACEOF 6140_ACEOF
6006 6141
6142
6143cat >>confdefs.h <<\_ACEOF
6144#define PASSWD_NEEDS_USERNAME 1
6145_ACEOF
6146
6007 ;; 6147 ;;
6008# UnixWare 7.x, OpenUNIX 8 6148# UnixWare 7.x, OpenUNIX 8
6009*-*-sysv5*) 6149*-*-sysv5*)
6150 check_for_libcrypt_later=1
6151
6152cat >>confdefs.h <<\_ACEOF
6153#define UNIXWARE_LONG_PASSWORDS 1
6154_ACEOF
6155
6010 cat >>confdefs.h <<\_ACEOF 6156 cat >>confdefs.h <<\_ACEOF
6011#define USE_PIPES 1 6157#define USE_PIPES 1
6012_ACEOF 6158_ACEOF
@@ -6023,6 +6169,21 @@ _ACEOF
6023#define BROKEN_SETREGID 1 6169#define BROKEN_SETREGID 1
6024_ACEOF 6170_ACEOF
6025 6171
6172
6173cat >>confdefs.h <<\_ACEOF
6174#define PASSWD_NEEDS_USERNAME 1
6175_ACEOF
6176
6177 case "$host" in
6178 *-*-sysv5SCO_SV*) # SCO OpenServer 6.x
6179 TEST_SHELL=/u95/bin/sh
6180
6181cat >>confdefs.h <<\_ACEOF
6182#define BROKEN_LIBIAF 1
6183_ACEOF
6184
6185 ;;
6186 esac
6026 ;; 6187 ;;
6027*-*-sysv*) 6188*-*-sysv*)
6028 ;; 6189 ;;
@@ -6355,6 +6516,42 @@ _ACEOF
6355_ACEOF 6516_ACEOF
6356 6517
6357 ;; 6518 ;;
6519
6520*-*-ultrix*)
6521
6522cat >>confdefs.h <<\_ACEOF
6523#define BROKEN_GETGROUPS
6524_ACEOF
6525
6526
6527cat >>confdefs.h <<\_ACEOF
6528#define BROKEN_MMAP
6529_ACEOF
6530
6531
6532cat >>confdefs.h <<\_ACEOF
6533#define NEED_SETPRGP
6534_ACEOF
6535
6536
6537cat >>confdefs.h <<\_ACEOF
6538#define HAVE_SYS_SYSLOG_H 1
6539_ACEOF
6540
6541 ;;
6542
6543*-*-lynxos)
6544 CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
6545 cat >>confdefs.h <<\_ACEOF
6546#define MISSING_HOWMANY 1
6547_ACEOF
6548
6549
6550cat >>confdefs.h <<\_ACEOF
6551#define BROKEN_SETVBUF 1
6552_ACEOF
6553
6554 ;;
6358esac 6555esac
6359 6556
6360# Allow user to specify flags 6557# Allow user to specify flags
@@ -6363,7 +6560,8 @@ esac
6363if test "${with_cflags+set}" = set; then 6560if test "${with_cflags+set}" = set; then
6364 withval="$with_cflags" 6561 withval="$with_cflags"
6365 6562
6366 if test "x$withval" != "xno" ; then 6563 if test -n "$withval" && test "x$withval" != "xno" && \
6564 test "x${withval}" != "xyes"; then
6367 CFLAGS="$CFLAGS $withval" 6565 CFLAGS="$CFLAGS $withval"
6368 fi 6566 fi
6369 6567
@@ -6374,7 +6572,8 @@ fi;
6374if test "${with_cppflags+set}" = set; then 6572if test "${with_cppflags+set}" = set; then
6375 withval="$with_cppflags" 6573 withval="$with_cppflags"
6376 6574
6377 if test "x$withval" != "xno"; then 6575 if test -n "$withval" && test "x$withval" != "xno" && \
6576 test "x${withval}" != "xyes"; then
6378 CPPFLAGS="$CPPFLAGS $withval" 6577 CPPFLAGS="$CPPFLAGS $withval"
6379 fi 6578 fi
6380 6579
@@ -6385,7 +6584,8 @@ fi;
6385if test "${with_ldflags+set}" = set; then 6584if test "${with_ldflags+set}" = set; then
6386 withval="$with_ldflags" 6585 withval="$with_ldflags"
6387 6586
6388 if test "x$withval" != "xno" ; then 6587 if test -n "$withval" && test "x$withval" != "xno" && \
6588 test "x${withval}" != "xyes"; then
6389 LDFLAGS="$LDFLAGS $withval" 6589 LDFLAGS="$LDFLAGS $withval"
6390 fi 6590 fi
6391 6591
@@ -6396,13 +6596,28 @@ fi;
6396if test "${with_libs+set}" = set; then 6596if test "${with_libs+set}" = set; then
6397 withval="$with_libs" 6597 withval="$with_libs"
6398 6598
6399 if test "x$withval" != "xno" ; then 6599 if test -n "$withval" && test "x$withval" != "xno" && \
6600 test "x${withval}" != "xyes"; then
6400 LIBS="$LIBS $withval" 6601 LIBS="$LIBS $withval"
6401 fi 6602 fi
6402 6603
6403 6604
6404fi; 6605fi;
6405 6606
6607# Check whether --with-Werror or --without-Werror was given.
6608if test "${with_Werror+set}" = set; then
6609 withval="$with_Werror"
6610
6611 if test -n "$withval" && test "x$withval" != "xno"; then
6612 werror_flags="-Werror"
6613 if "x${withval}" != "xyes"; then
6614 werror_flags="$withval"
6615 fi
6616 fi
6617
6618
6619fi;
6620
6406echo "$as_me:$LINENO: checking compiler and flags for sanity" >&5 6621echo "$as_me:$LINENO: checking compiler and flags for sanity" >&5
6407echo $ECHO_N "checking compiler and flags for sanity... $ECHO_C" >&6 6622echo $ECHO_N "checking compiler and flags for sanity... $ECHO_C" >&6
6408if test "$cross_compiling" = yes; then 6623if test "$cross_compiling" = yes; then
@@ -6451,7 +6666,6 @@ fi
6451rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext 6666rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
6452fi 6667fi
6453 6668
6454# Checks for header files.
6455 6669
6456echo "$as_me:$LINENO: checking for egrep" >&5 6670echo "$as_me:$LINENO: checking for egrep" >&5
6457echo $ECHO_N "checking for egrep... $ECHO_C" >&6 6671echo $ECHO_N "checking for egrep... $ECHO_C" >&6
@@ -6761,16 +6975,69 @@ done
6761 6975
6762 6976
6763 6977
6764for ac_header in bstring.h crypt.h dirent.h endian.h features.h \ 6978
6765 floatingpoint.h getopt.h glob.h ia.h lastlog.h limits.h login.h \ 6979
6766 login_cap.h maillock.h ndir.h netdb.h netgroup.h \ 6980
6767 netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \ 6981for ac_header in \
6768 rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ 6982 bstring.h \
6769 strings.h sys/dir.h sys/strtio.h sys/audit.h sys/bitypes.h \ 6983 crypt.h \
6770 sys/bsdtty.h sys/cdefs.h sys/mman.h sys/ndir.h sys/prctl.h \ 6984 dirent.h \
6771 sys/pstat.h sys/select.h sys/stat.h sys/stream.h \ 6985 endian.h \
6772 sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h sys/un.h \ 6986 features.h \
6773 time.h tmpdir.h ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h 6987 floatingpoint.h \
6988 getopt.h \
6989 glob.h \
6990 ia.h \
6991 iaf.h \
6992 lastlog.h \
6993 limits.h \
6994 login.h \
6995 login_cap.h \
6996 maillock.h \
6997 ndir.h \
6998 netdb.h \
6999 netgroup.h \
7000 netinet/in_systm.h \
7001 pam/pam_appl.h \
7002 paths.h \
7003 pty.h \
7004 readpassphrase.h \
7005 rpc/types.h \
7006 security/pam_appl.h \
7007 shadow.h \
7008 stddef.h \
7009 stdint.h \
7010 string.h \
7011 strings.h \
7012 sys/audit.h \
7013 sys/bitypes.h \
7014 sys/bsdtty.h \
7015 sys/cdefs.h \
7016 sys/dir.h \
7017 sys/mman.h \
7018 sys/ndir.h \
7019 sys/prctl.h \
7020 sys/pstat.h \
7021 sys/select.h \
7022 sys/stat.h \
7023 sys/stream.h \
7024 sys/stropts.h \
7025 sys/strtio.h \
7026 sys/sysmacros.h \
7027 sys/time.h \
7028 sys/timers.h \
7029 sys/un.h \
7030 time.h \
7031 tmpdir.h \
7032 ttyent.h \
7033 unistd.h \
7034 usersec.h \
7035 util.h \
7036 utime.h \
7037 utmp.h \
7038 utmpx.h \
7039 vis.h \
7040
6774do 7041do
6775as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` 7042as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
6776if eval "test \"\${$as_ac_Header+set}\" = set"; then 7043if eval "test \"\${$as_ac_Header+set}\" = set"; then
@@ -6891,9 +7158,9 @@ echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&
6891echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} 7158echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
6892 ( 7159 (
6893 cat <<\_ASBOX 7160 cat <<\_ASBOX
6894## ---------------------------------- ## 7161## ------------------------------------------- ##
6895## Report this to the OpenSSH lists. ## 7162## Report this to openssh-unix-dev@mindrot.org ##
6896## ---------------------------------- ## 7163## ------------------------------------------- ##
6897_ASBOX 7164_ASBOX
6898 ) | 7165 ) |
6899 sed "s/^/$as_me: WARNING: /" >&2 7166 sed "s/^/$as_me: WARNING: /" >&2
@@ -7547,9 +7814,9 @@ echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&
7547echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} 7814echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
7548 ( 7815 (
7549 cat <<\_ASBOX 7816 cat <<\_ASBOX
7550## ---------------------------------- ## 7817## ------------------------------------------- ##
7551## Report this to the OpenSSH lists. ## 7818## Report this to openssh-unix-dev@mindrot.org ##
7552## ---------------------------------- ## 7819## ------------------------------------------- ##
7553_ASBOX 7820_ASBOX
7554 ) | 7821 ) |
7555 sed "s/^/$as_me: WARNING: /" >&2 7822 sed "s/^/$as_me: WARNING: /" >&2
@@ -7837,9 +8104,9 @@ echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&
7837echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} 8104echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
7838 ( 8105 (
7839 cat <<\_ASBOX 8106 cat <<\_ASBOX
7840## ---------------------------------- ## 8107## ------------------------------------------- ##
7841## Report this to the OpenSSH lists. ## 8108## Report this to openssh-unix-dev@mindrot.org ##
7842## ---------------------------------- ## 8109## ------------------------------------------- ##
7843_ASBOX 8110_ASBOX
7844 ) | 8111 ) |
7845 sed "s/^/$as_me: WARNING: /" >&2 8112 sed "s/^/$as_me: WARNING: /" >&2
@@ -8171,12 +8438,11 @@ fi
8171# Check whether --with-zlib or --without-zlib was given. 8438# Check whether --with-zlib or --without-zlib was given.
8172if test "${with_zlib+set}" = set; then 8439if test "${with_zlib+set}" = set; then
8173 withval="$with_zlib" 8440 withval="$with_zlib"
8174 8441 if test "x$withval" = "xno" ; then
8175 if test "x$withval" = "xno" ; then 8442 { { echo "$as_me:$LINENO: error: *** zlib is required ***" >&5
8176 { { echo "$as_me:$LINENO: error: *** zlib is required ***" >&5
8177echo "$as_me: error: *** zlib is required ***" >&2;} 8443echo "$as_me: error: *** zlib is required ***" >&2;}
8178 { (exit 1); exit 1; }; } 8444 { (exit 1); exit 1; }; }
8179 fi 8445 elif test "x$withval" != "xyes"; then
8180 if test -d "$withval/lib"; then 8446 if test -d "$withval/lib"; then
8181 if test -n "${need_dash_r}"; then 8447 if test -n "${need_dash_r}"; then
8182 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" 8448 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
@@ -8195,7 +8461,7 @@ echo "$as_me: error: *** zlib is required ***" >&2;}
8195 else 8461 else
8196 CPPFLAGS="-I${withval} ${CPPFLAGS}" 8462 CPPFLAGS="-I${withval} ${CPPFLAGS}"
8197 fi 8463 fi
8198 8464 fi
8199 8465
8200fi; 8466fi;
8201 8467
@@ -8466,9 +8732,9 @@ echo "$as_me: WARNING: zlib.h: proceeding with the preprocessor's result" >&2;}
8466echo "$as_me: WARNING: zlib.h: in the future, the compiler will take precedence" >&2;} 8732echo "$as_me: WARNING: zlib.h: in the future, the compiler will take precedence" >&2;}
8467 ( 8733 (
8468 cat <<\_ASBOX 8734 cat <<\_ASBOX
8469## ---------------------------------- ## 8735## ------------------------------------------- ##
8470## Report this to the OpenSSH lists. ## 8736## Report this to openssh-unix-dev@mindrot.org ##
8471## ---------------------------------- ## 8737## ------------------------------------------- ##
8472_ASBOX 8738_ASBOX
8473 ) | 8739 ) |
8474 sed "s/^/$as_me: WARNING: /" >&2 8740 sed "s/^/$as_me: WARNING: /" >&2
@@ -8506,8 +8772,8 @@ if test "${with_zlib_version_check+set}" = set; then
8506 8772
8507fi; 8773fi;
8508 8774
8509echo "$as_me:$LINENO: checking for zlib 1.1.4 or greater" >&5 8775echo "$as_me:$LINENO: checking for possibly buggy zlib" >&5
8510echo $ECHO_N "checking for zlib 1.1.4 or greater... $ECHO_C" >&6 8776echo $ECHO_N "checking for possibly buggy zlib... $ECHO_C" >&6
8511if test "$cross_compiling" = yes; then 8777if test "$cross_compiling" = yes; then
8512 { echo "$as_me:$LINENO: WARNING: cross compiling: not checking zlib version" >&5 8778 { echo "$as_me:$LINENO: WARNING: cross compiling: not checking zlib version" >&5
8513echo "$as_me: WARNING: cross compiling: not checking zlib version" >&2;} 8779echo "$as_me: WARNING: cross compiling: not checking zlib version" >&2;}
@@ -8520,15 +8786,25 @@ cat confdefs.h >>conftest.$ac_ext
8520cat >>conftest.$ac_ext <<_ACEOF 8786cat >>conftest.$ac_ext <<_ACEOF
8521/* end confdefs.h. */ 8787/* end confdefs.h. */
8522 8788
8789#include <stdio.h>
8523#include <zlib.h> 8790#include <zlib.h>
8524int main() 8791int main()
8525{ 8792{
8526 int a, b, c, v; 8793 int a=0, b=0, c=0, d=0, n, v;
8527 if (sscanf(ZLIB_VERSION, "%d.%d.%d", &a, &b, &c) != 3) 8794 n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
8795 if (n != 3 && n != 4)
8528 exit(1); 8796 exit(1);
8529 v = a*1000000 + b*1000 + c; 8797 v = a*1000000 + b*10000 + c*100 + d;
8530 if (v >= 1001004) 8798 fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
8799
8800 /* 1.1.4 is OK */
8801 if (a == 1 && b == 1 && c >= 4)
8802 exit(0);
8803
8804 /* 1.2.3 and up are OK */
8805 if (v >= 1020300)
8531 exit(0); 8806 exit(0);
8807
8532 exit(2); 8808 exit(2);
8533} 8809}
8534 8810
@@ -8544,29 +8820,31 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
8544 ac_status=$? 8820 ac_status=$?
8545 echo "$as_me:$LINENO: \$? = $ac_status" >&5 8821 echo "$as_me:$LINENO: \$? = $ac_status" >&5
8546 (exit $ac_status); }; }; then 8822 (exit $ac_status); }; }; then
8547 echo "$as_me:$LINENO: result: yes" >&5 8823 echo "$as_me:$LINENO: result: no" >&5
8548echo "${ECHO_T}yes" >&6 8824echo "${ECHO_T}no" >&6
8549else 8825else
8550 echo "$as_me: program exited with status $ac_status" >&5 8826 echo "$as_me: program exited with status $ac_status" >&5
8551echo "$as_me: failed program was:" >&5 8827echo "$as_me: failed program was:" >&5
8552sed 's/^/| /' conftest.$ac_ext >&5 8828sed 's/^/| /' conftest.$ac_ext >&5
8553 8829
8554( exit $ac_status ) 8830( exit $ac_status )
8555 echo "$as_me:$LINENO: result: no" >&5 8831 echo "$as_me:$LINENO: result: yes" >&5
8556echo "${ECHO_T}no" >&6 8832echo "${ECHO_T}yes" >&6
8557 if test -z "$zlib_check_nonfatal" ; then 8833 if test -z "$zlib_check_nonfatal" ; then
8558 { { echo "$as_me:$LINENO: error: *** zlib too old - check config.log *** 8834 { { echo "$as_me:$LINENO: error: *** zlib too old - check config.log ***
8559Your reported zlib version has known security problems. It's possible your 8835Your reported zlib version has known security problems. It's possible your
8560vendor has fixed these problems without changing the version number. If you 8836vendor has fixed these problems without changing the version number. If you
8561are sure this is the case, you can disable the check by running 8837are sure this is the case, you can disable the check by running
8562\"./configure --without-zlib-version-check\". 8838\"./configure --without-zlib-version-check\".
8563If you are in doubt, upgrade zlib to version 1.1.4 or greater." >&5 8839If you are in doubt, upgrade zlib to version 1.2.3 or greater.
8840See http://www.gzip.org/zlib/ for details." >&5
8564echo "$as_me: error: *** zlib too old - check config.log *** 8841echo "$as_me: error: *** zlib too old - check config.log ***
8565Your reported zlib version has known security problems. It's possible your 8842Your reported zlib version has known security problems. It's possible your
8566vendor has fixed these problems without changing the version number. If you 8843vendor has fixed these problems without changing the version number. If you
8567are sure this is the case, you can disable the check by running 8844are sure this is the case, you can disable the check by running
8568\"./configure --without-zlib-version-check\". 8845\"./configure --without-zlib-version-check\".
8569If you are in doubt, upgrade zlib to version 1.1.4 or greater." >&2;} 8846If you are in doubt, upgrade zlib to version 1.2.3 or greater.
8847See http://www.gzip.org/zlib/ for details." >&2;}
8570 { (exit 1); exit 1; }; } 8848 { (exit 1); exit 1; }; }
8571 else 8849 else
8572 { echo "$as_me:$LINENO: WARNING: zlib version may have security problems" >&5 8850 { echo "$as_me:$LINENO: WARNING: zlib version may have security problems" >&5
@@ -9032,9 +9310,9 @@ echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&
9032echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} 9310echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
9033 ( 9311 (
9034 cat <<\_ASBOX 9312 cat <<\_ASBOX
9035## ---------------------------------- ## 9313## ------------------------------------------- ##
9036## Report this to the OpenSSH lists. ## 9314## Report this to openssh-unix-dev@mindrot.org ##
9037## ---------------------------------- ## 9315## ------------------------------------------- ##
9038_ASBOX 9316_ASBOX
9039 ) | 9317 ) |
9040 sed "s/^/$as_me: WARNING: /" >&2 9318 sed "s/^/$as_me: WARNING: /" >&2
@@ -9753,7 +10031,8 @@ if test "${with_tcp_wrappers+set}" = set; then
9753 saved_LIBS="$LIBS" 10031 saved_LIBS="$LIBS"
9754 saved_LDFLAGS="$LDFLAGS" 10032 saved_LDFLAGS="$LDFLAGS"
9755 saved_CPPFLAGS="$CPPFLAGS" 10033 saved_CPPFLAGS="$CPPFLAGS"
9756 if test -n "${withval}" -a "${withval}" != "yes"; then 10034 if test -n "${withval}" && \
10035 test "x${withval}" != "xyes"; then
9757 if test -d "${withval}/lib"; then 10036 if test -d "${withval}/lib"; then
9758 if test -n "${need_dash_r}"; then 10037 if test -n "${need_dash_r}"; then
9759 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" 10038 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
@@ -9856,13 +10135,17 @@ LIBEDIT_MSG="no"
9856if test "${with_libedit+set}" = set; then 10135if test "${with_libedit+set}" = set; then
9857 withval="$with_libedit" 10136 withval="$with_libedit"
9858 if test "x$withval" != "xno" ; then 10137 if test "x$withval" != "xno" ; then
10138 if test "x$withval" != "xyes"; then
10139 CPPFLAGS="$CPPFLAGS -I$withval/include"
10140 LDFLAGS="$LDFLAGS -L$withval/lib"
10141 fi
9859 echo "$as_me:$LINENO: checking for el_init in -ledit" >&5 10142 echo "$as_me:$LINENO: checking for el_init in -ledit" >&5
9860echo $ECHO_N "checking for el_init in -ledit... $ECHO_C" >&6 10143echo $ECHO_N "checking for el_init in -ledit... $ECHO_C" >&6
9861if test "${ac_cv_lib_edit_el_init+set}" = set; then 10144if test "${ac_cv_lib_edit_el_init+set}" = set; then
9862 echo $ECHO_N "(cached) $ECHO_C" >&6 10145 echo $ECHO_N "(cached) $ECHO_C" >&6
9863else 10146else
9864 ac_check_lib_save_LIBS=$LIBS 10147 ac_check_lib_save_LIBS=$LIBS
9865LIBS="-ledit -lcurses 10148LIBS="-ledit -lcurses
9866 $LIBS" 10149 $LIBS"
9867cat >conftest.$ac_ext <<_ACEOF 10150cat >conftest.$ac_ext <<_ACEOF
9868/* confdefs.h. */ 10151/* confdefs.h. */
@@ -9931,8 +10214,66 @@ _ACEOF
9931 LIBEDIT_MSG="yes" 10214 LIBEDIT_MSG="yes"
9932 10215
9933 10216
10217else
10218 { { echo "$as_me:$LINENO: error: libedit not found" >&5
10219echo "$as_me: error: libedit not found" >&2;}
10220 { (exit 1); exit 1; }; }
9934fi 10221fi
9935 10222
10223 echo "$as_me:$LINENO: checking if libedit version is compatible" >&5
10224echo $ECHO_N "checking if libedit version is compatible... $ECHO_C" >&6
10225 cat >conftest.$ac_ext <<_ACEOF
10226/* confdefs.h. */
10227_ACEOF
10228cat confdefs.h >>conftest.$ac_ext
10229cat >>conftest.$ac_ext <<_ACEOF
10230/* end confdefs.h. */
10231
10232#include <histedit.h>
10233int main(void)
10234{
10235 int i = H_SETSIZE;
10236 el_init("", NULL, NULL, NULL);
10237 exit(0);
10238}
10239
10240_ACEOF
10241rm -f conftest.$ac_objext
10242if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
10243 (eval $ac_compile) 2>conftest.er1
10244 ac_status=$?
10245 grep -v '^ *+' conftest.er1 >conftest.err
10246 rm -f conftest.er1
10247 cat conftest.err >&5
10248 echo "$as_me:$LINENO: \$? = $ac_status" >&5
10249 (exit $ac_status); } &&
10250 { ac_try='test -z "$ac_c_werror_flag"
10251 || test ! -s conftest.err'
10252 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
10253 (eval $ac_try) 2>&5
10254 ac_status=$?
10255 echo "$as_me:$LINENO: \$? = $ac_status" >&5
10256 (exit $ac_status); }; } &&
10257 { ac_try='test -s conftest.$ac_objext'
10258 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
10259 (eval $ac_try) 2>&5
10260 ac_status=$?
10261 echo "$as_me:$LINENO: \$? = $ac_status" >&5
10262 (exit $ac_status); }; }; then
10263 echo "$as_me:$LINENO: result: yes" >&5
10264echo "${ECHO_T}yes" >&6
10265else
10266 echo "$as_me: failed program was:" >&5
10267sed 's/^/| /' conftest.$ac_ext >&5
10268
10269 echo "$as_me:$LINENO: result: no" >&5
10270echo "${ECHO_T}no" >&6
10271 { { echo "$as_me:$LINENO: error: libedit version is not compatible" >&5
10272echo "$as_me: error: libedit version is not compatible" >&2;}
10273 { (exit 1); exit 1; }; }
10274
10275fi
10276rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
9936 fi 10277 fi
9937 10278
9938fi; 10279fi;
@@ -10072,9 +10413,9 @@ echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&
10072echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} 10413echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
10073 ( 10414 (
10074 cat <<\_ASBOX 10415 cat <<\_ASBOX
10075## ---------------------------------- ## 10416## ------------------------------------------- ##
10076## Report this to the OpenSSH lists. ## 10417## Report this to openssh-unix-dev@mindrot.org ##
10077## ---------------------------------- ## 10418## ------------------------------------------- ##
10078_ASBOX 10419_ASBOX
10079 ) | 10420 ) |
10080 sed "s/^/$as_me: WARNING: /" >&2 10421 sed "s/^/$as_me: WARNING: /" >&2
@@ -10407,6 +10748,10 @@ cat >>confdefs.h <<\_ACEOF
10407_ACEOF 10748_ACEOF
10408 10749
10409 ;; 10750 ;;
10751 no)
10752 echo "$as_me:$LINENO: result: no" >&5
10753echo "${ECHO_T}no" >&6
10754 ;;
10410 *) 10755 *)
10411 { { echo "$as_me:$LINENO: error: Unknown audit module $withval" >&5 10756 { { echo "$as_me:$LINENO: error: Unknown audit module $withval" >&5
10412echo "$as_me: error: Unknown audit module $withval" >&2;} 10757echo "$as_me: error: Unknown audit module $withval" >&2;}
@@ -10494,19 +10839,89 @@ fi;
10494 10839
10495 10840
10496 10841
10842
10843
10497for ac_func in \ 10844for ac_func in \
10498 arc4random __b64_ntop b64_ntop __b64_pton b64_pton bcopy \ 10845 arc4random \
10499 bindresvport_sa clock closefrom dirfd fchdir fchmod fchown \ 10846 b64_ntop \
10500 freeaddrinfo futimes getaddrinfo getcwd getgrouplist getnameinfo \ 10847 __b64_ntop \
10501 getopt getpeereid _getpty getrlimit getttyent glob inet_aton \ 10848 b64_pton \
10502 inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \ 10849 __b64_pton \
10503 mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \ 10850 bcopy \
10504 pstat prctl readpassphrase realpath recvmsg rresvport_af sendmsg \ 10851 bindresvport_sa \
10505 setdtablesize setegid setenv seteuid setgroups setlogin setpcred \ 10852 clock \
10506 setproctitle setregid setreuid setrlimit \ 10853 closefrom \
10507 setsid setvbuf sigaction sigvec snprintf socketpair strerror \ 10854 dirfd \
10508 strlcat strlcpy strmode strnvis strtoul sysconf tcgetpgrp \ 10855 fchmod \
10509 truncate unsetenv updwtmpx utimes vhangup vsnprintf waitpid \ 10856 fchown \
10857 freeaddrinfo \
10858 futimes \
10859 getaddrinfo \
10860 getcwd \
10861 getgrouplist \
10862 getnameinfo \
10863 getopt \
10864 getpeereid \
10865 _getpty \
10866 getrlimit \
10867 getttyent \
10868 glob \
10869 inet_aton \
10870 inet_ntoa \
10871 inet_ntop \
10872 innetgr \
10873 login_getcapbool \
10874 md5_crypt \
10875 memmove \
10876 mkdtemp \
10877 mmap \
10878 ngetaddrinfo \
10879 nsleep \
10880 ogetaddrinfo \
10881 openlog_r \
10882 openpty \
10883 prctl \
10884 pstat \
10885 readpassphrase \
10886 realpath \
10887 recvmsg \
10888 rresvport_af \
10889 sendmsg \
10890 setdtablesize \
10891 setegid \
10892 setenv \
10893 seteuid \
10894 setgroups \
10895 setlogin \
10896 setpcred \
10897 setproctitle \
10898 setregid \
10899 setreuid \
10900 setrlimit \
10901 setsid \
10902 setvbuf \
10903 sigaction \
10904 sigvec \
10905 snprintf \
10906 socketpair \
10907 strdup \
10908 strerror \
10909 strlcat \
10910 strlcpy \
10911 strmode \
10912 strnvis \
10913 strtonum \
10914 strtoll \
10915 strtoul \
10916 sysconf \
10917 tcgetpgrp \
10918 truncate \
10919 unsetenv \
10920 updwtmpx \
10921 utimes \
10922 vhangup \
10923 vsnprintf \
10924 waitpid \
10510 10925
10511do 10926do
10512as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` 10927as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
@@ -10904,9 +11319,9 @@ _ACEOF
10904fi 11319fi
10905 11320
10906 11321
10907echo "$as_me:$LINENO: checking whether strsep is declared" >&5 11322echo "$as_me:$LINENO: checking whether getrusage is declared" >&5
10908echo $ECHO_N "checking whether strsep is declared... $ECHO_C" >&6 11323echo $ECHO_N "checking whether getrusage is declared... $ECHO_C" >&6
10909if test "${ac_cv_have_decl_strsep+set}" = set; then 11324if test "${ac_cv_have_decl_getrusage+set}" = set; then
10910 echo $ECHO_N "(cached) $ECHO_C" >&6 11325 echo $ECHO_N "(cached) $ECHO_C" >&6
10911else 11326else
10912 cat >conftest.$ac_ext <<_ACEOF 11327 cat >conftest.$ac_ext <<_ACEOF
@@ -10919,8 +11334,8 @@ $ac_includes_default
10919int 11334int
10920main () 11335main ()
10921{ 11336{
10922#ifndef strsep 11337#ifndef getrusage
10923 char *p = (char *) strsep; 11338 char *p = (char *) getrusage;
10924#endif 11339#endif
10925 11340
10926 ; 11341 ;
@@ -10949,20 +11364,20 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
10949 ac_status=$? 11364 ac_status=$?
10950 echo "$as_me:$LINENO: \$? = $ac_status" >&5 11365 echo "$as_me:$LINENO: \$? = $ac_status" >&5
10951 (exit $ac_status); }; }; then 11366 (exit $ac_status); }; }; then
10952 ac_cv_have_decl_strsep=yes 11367 ac_cv_have_decl_getrusage=yes
10953else 11368else
10954 echo "$as_me: failed program was:" >&5 11369 echo "$as_me: failed program was:" >&5
10955sed 's/^/| /' conftest.$ac_ext >&5 11370sed 's/^/| /' conftest.$ac_ext >&5
10956 11371
10957ac_cv_have_decl_strsep=no 11372ac_cv_have_decl_getrusage=no
10958fi 11373fi
10959rm -f conftest.err conftest.$ac_objext conftest.$ac_ext 11374rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
10960fi 11375fi
10961echo "$as_me:$LINENO: result: $ac_cv_have_decl_strsep" >&5 11376echo "$as_me:$LINENO: result: $ac_cv_have_decl_getrusage" >&5
10962echo "${ECHO_T}$ac_cv_have_decl_strsep" >&6 11377echo "${ECHO_T}$ac_cv_have_decl_getrusage" >&6
10963if test $ac_cv_have_decl_strsep = yes; then 11378if test $ac_cv_have_decl_getrusage = yes; then
10964 11379
10965for ac_func in strsep 11380for ac_func in getrusage
10966do 11381do
10967as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` 11382as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
10968echo "$as_me:$LINENO: checking for $ac_func" >&5 11383echo "$as_me:$LINENO: checking for $ac_func" >&5
@@ -11065,9 +11480,9 @@ done
11065 11480
11066fi 11481fi
11067 11482
11068echo "$as_me:$LINENO: checking whether getrusage is declared" >&5 11483echo "$as_me:$LINENO: checking whether strsep is declared" >&5
11069echo $ECHO_N "checking whether getrusage is declared... $ECHO_C" >&6 11484echo $ECHO_N "checking whether strsep is declared... $ECHO_C" >&6
11070if test "${ac_cv_have_decl_getrusage+set}" = set; then 11485if test "${ac_cv_have_decl_strsep+set}" = set; then
11071 echo $ECHO_N "(cached) $ECHO_C" >&6 11486 echo $ECHO_N "(cached) $ECHO_C" >&6
11072else 11487else
11073 cat >conftest.$ac_ext <<_ACEOF 11488 cat >conftest.$ac_ext <<_ACEOF
@@ -11076,12 +11491,17 @@ _ACEOF
11076cat confdefs.h >>conftest.$ac_ext 11491cat confdefs.h >>conftest.$ac_ext
11077cat >>conftest.$ac_ext <<_ACEOF 11492cat >>conftest.$ac_ext <<_ACEOF
11078/* end confdefs.h. */ 11493/* end confdefs.h. */
11079$ac_includes_default 11494
11495#ifdef HAVE_STRING_H
11496# include <string.h>
11497#endif
11498
11499
11080int 11500int
11081main () 11501main ()
11082{ 11502{
11083#ifndef getrusage 11503#ifndef strsep
11084 char *p = (char *) getrusage; 11504 char *p = (char *) strsep;
11085#endif 11505#endif
11086 11506
11087 ; 11507 ;
@@ -11110,20 +11530,20 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
11110 ac_status=$? 11530 ac_status=$?
11111 echo "$as_me:$LINENO: \$? = $ac_status" >&5 11531 echo "$as_me:$LINENO: \$? = $ac_status" >&5
11112 (exit $ac_status); }; }; then 11532 (exit $ac_status); }; }; then
11113 ac_cv_have_decl_getrusage=yes 11533 ac_cv_have_decl_strsep=yes
11114else 11534else
11115 echo "$as_me: failed program was:" >&5 11535 echo "$as_me: failed program was:" >&5
11116sed 's/^/| /' conftest.$ac_ext >&5 11536sed 's/^/| /' conftest.$ac_ext >&5
11117 11537
11118ac_cv_have_decl_getrusage=no 11538ac_cv_have_decl_strsep=no
11119fi 11539fi
11120rm -f conftest.err conftest.$ac_objext conftest.$ac_ext 11540rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
11121fi 11541fi
11122echo "$as_me:$LINENO: result: $ac_cv_have_decl_getrusage" >&5 11542echo "$as_me:$LINENO: result: $ac_cv_have_decl_strsep" >&5
11123echo "${ECHO_T}$ac_cv_have_decl_getrusage" >&6 11543echo "${ECHO_T}$ac_cv_have_decl_strsep" >&6
11124if test $ac_cv_have_decl_getrusage = yes; then 11544if test $ac_cv_have_decl_strsep = yes; then
11125 11545
11126for ac_func in getrusage 11546for ac_func in strsep
11127do 11547do
11128as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` 11548as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
11129echo "$as_me:$LINENO: checking for $ac_func" >&5 11549echo "$as_me:$LINENO: checking for $ac_func" >&5
@@ -12733,8 +13153,14 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
12733 ac_status=$? 13153 ac_status=$?
12734 echo "$as_me:$LINENO: \$? = $ac_status" >&5 13154 echo "$as_me:$LINENO: \$? = $ac_status" >&5
12735 (exit $ac_status); }; }; then 13155 (exit $ac_status); }; }; then
12736 echo "$as_me:$LINENO: result: yes" >&5 13156 echo "$as_me:$LINENO: result: yes" >&5
12737echo "${ECHO_T}yes" >&6 13157echo "${ECHO_T}yes" >&6
13158
13159cat >>confdefs.h <<\_ACEOF
13160#define HAVE_SO_PEERCRED
13161_ACEOF
13162
13163
12738else 13164else
12739 echo "$as_me: failed program was:" >&5 13165 echo "$as_me: failed program was:" >&5
12740sed 's/^/| /' conftest.$ac_ext >&5 13166sed 's/^/| /' conftest.$ac_ext >&5
@@ -12895,7 +13321,8 @@ rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftes
12895fi 13321fi
12896fi 13322fi
12897 13323
12898if test "x$ac_cv_func_getaddrinfo" = "xyes" -a "x$check_for_hpux_broken_getaddrinfo" = "x1"; then 13324if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
13325 test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
12899 echo "$as_me:$LINENO: checking if getaddrinfo seems to work" >&5 13326 echo "$as_me:$LINENO: checking if getaddrinfo seems to work" >&5
12900echo $ECHO_N "checking if getaddrinfo seems to work... $ECHO_C" >&6 13327echo $ECHO_N "checking if getaddrinfo seems to work... $ECHO_C" >&6
12901 if test "$cross_compiling" = yes; then 13328 if test "$cross_compiling" = yes; then
@@ -13002,7 +13429,8 @@ rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftes
13002fi 13429fi
13003fi 13430fi
13004 13431
13005if test "x$ac_cv_func_getaddrinfo" = "xyes" -a "x$check_for_aix_broken_getaddrinfo" = "x1"; then 13432if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
13433 test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
13006 echo "$as_me:$LINENO: checking if getaddrinfo seems to work" >&5 13434 echo "$as_me:$LINENO: checking if getaddrinfo seems to work" >&5
13007echo $ECHO_N "checking if getaddrinfo seems to work... $ECHO_C" >&6 13435echo $ECHO_N "checking if getaddrinfo seems to work... $ECHO_C" >&6
13008 if test "$cross_compiling" = yes; then 13436 if test "$cross_compiling" = yes; then
@@ -14189,6 +14617,80 @@ fi
14189fi 14617fi
14190 14618
14191 14619
14620echo "$as_me:$LINENO: checking for ia_openinfo in -liaf" >&5
14621echo $ECHO_N "checking for ia_openinfo in -liaf... $ECHO_C" >&6
14622if test "${ac_cv_lib_iaf_ia_openinfo+set}" = set; then
14623 echo $ECHO_N "(cached) $ECHO_C" >&6
14624else
14625 ac_check_lib_save_LIBS=$LIBS
14626LIBS="-liaf $LIBS"
14627cat >conftest.$ac_ext <<_ACEOF
14628/* confdefs.h. */
14629_ACEOF
14630cat confdefs.h >>conftest.$ac_ext
14631cat >>conftest.$ac_ext <<_ACEOF
14632/* end confdefs.h. */
14633
14634/* Override any gcc2 internal prototype to avoid an error. */
14635#ifdef __cplusplus
14636extern "C"
14637#endif
14638/* We use char because int might match the return type of a gcc2
14639 builtin and then its argument prototype would still apply. */
14640char ia_openinfo ();
14641int
14642main ()
14643{
14644ia_openinfo ();
14645 ;
14646 return 0;
14647}
14648_ACEOF
14649rm -f conftest.$ac_objext conftest$ac_exeext
14650if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
14651 (eval $ac_link) 2>conftest.er1
14652 ac_status=$?
14653 grep -v '^ *+' conftest.er1 >conftest.err
14654 rm -f conftest.er1
14655 cat conftest.err >&5
14656 echo "$as_me:$LINENO: \$? = $ac_status" >&5
14657 (exit $ac_status); } &&
14658 { ac_try='test -z "$ac_c_werror_flag"
14659 || test ! -s conftest.err'
14660 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
14661 (eval $ac_try) 2>&5
14662 ac_status=$?
14663 echo "$as_me:$LINENO: \$? = $ac_status" >&5
14664 (exit $ac_status); }; } &&
14665 { ac_try='test -s conftest$ac_exeext'
14666 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
14667 (eval $ac_try) 2>&5
14668 ac_status=$?
14669 echo "$as_me:$LINENO: \$? = $ac_status" >&5
14670 (exit $ac_status); }; }; then
14671 ac_cv_lib_iaf_ia_openinfo=yes
14672else
14673 echo "$as_me: failed program was:" >&5
14674sed 's/^/| /' conftest.$ac_ext >&5
14675
14676ac_cv_lib_iaf_ia_openinfo=no
14677fi
14678rm -f conftest.err conftest.$ac_objext \
14679 conftest$ac_exeext conftest.$ac_ext
14680LIBS=$ac_check_lib_save_LIBS
14681fi
14682echo "$as_me:$LINENO: result: $ac_cv_lib_iaf_ia_openinfo" >&5
14683echo "${ECHO_T}$ac_cv_lib_iaf_ia_openinfo" >&6
14684if test $ac_cv_lib_iaf_ia_openinfo = yes; then
14685 cat >>confdefs.h <<_ACEOF
14686#define HAVE_LIBIAF 1
14687_ACEOF
14688
14689 LIBS="-liaf $LIBS"
14690
14691fi
14692
14693
14192### Configure cryptographic random number support 14694### Configure cryptographic random number support
14193 14695
14194# Check wheter OpenSSL seeds itself 14696# Check wheter OpenSSL seeds itself
@@ -14272,7 +14774,7 @@ echo "$as_me: WARNING: *** Forcing use of OpenSSL's non-self-seeding PRNG" >&2;}
14272fi; 14774fi;
14273 14775
14274# Which randomness source do we use? 14776# Which randomness source do we use?
14275if test ! -z "$OPENSSL_SEEDS_ITSELF" -a -z "$USE_RAND_HELPER" ; then 14777if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then
14276 # OpenSSL only 14778 # OpenSSL only
14277 cat >>confdefs.h <<\_ACEOF 14779 cat >>confdefs.h <<\_ACEOF
14278#define OPENSSL_PRNG_ONLY 1 14780#define OPENSSL_PRNG_ONLY 1
@@ -14393,7 +14895,8 @@ entropy_timeout=200
14393if test "${with_entropy_timeout+set}" = set; then 14895if test "${with_entropy_timeout+set}" = set; then
14394 withval="$with_entropy_timeout" 14896 withval="$with_entropy_timeout"
14395 14897
14396 if test "x$withval" != "xno" ; then 14898 if test -n "$withval" && test "x$withval" != "xno" && \
14899 test "x${withval}" != "xyes"; then
14397 entropy_timeout=$withval 14900 entropy_timeout=$withval
14398 fi 14901 fi
14399 14902
@@ -14410,7 +14913,8 @@ SSH_PRIVSEP_USER=sshd
14410if test "${with_privsep_user+set}" = set; then 14913if test "${with_privsep_user+set}" = set; then
14411 withval="$with_privsep_user" 14914 withval="$with_privsep_user"
14412 14915
14413 if test -n "$withval"; then 14916 if test -n "$withval" && test "x$withval" != "xno" && \
14917 test "x${withval}" != "xyes"; then
14414 SSH_PRIVSEP_USER=$withval 14918 SSH_PRIVSEP_USER=$withval
14415 fi 14919 fi
14416 14920
@@ -19152,9 +19656,9 @@ fi
19152 19656
19153 19657
19154# We need int64_t or else certian parts of the compile will fail. 19658# We need int64_t or else certian parts of the compile will fail.
19155if test "x$ac_cv_have_int64_t" = "xno" -a \ 19659if test "x$ac_cv_have_int64_t" = "xno" && \
19156 "x$ac_cv_sizeof_long_int" != "x8" -a \ 19660 test "x$ac_cv_sizeof_long_int" != "x8" && \
19157 "x$ac_cv_sizeof_long_long_int" = "x0" ; then 19661 test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
19158 echo "OpenSSH requires int64_t support. Contact your vendor or install" 19662 echo "OpenSSH requires int64_t support. Contact your vendor or install"
19159 echo "an alternative compiler (I.E., GCC) before continuing." 19663 echo "an alternative compiler (I.E., GCC) before continuing."
19160 echo "" 19664 echo ""
@@ -21068,9 +21572,9 @@ echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&
21068echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} 21572echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
21069 ( 21573 (
21070 cat <<\_ASBOX 21574 cat <<\_ASBOX
21071## ---------------------------------- ## 21575## ------------------------------------------- ##
21072## Report this to the OpenSSH lists. ## 21576## Report this to openssh-unix-dev@mindrot.org ##
21073## ---------------------------------- ## 21577## ------------------------------------------- ##
21074_ASBOX 21578_ASBOX
21075 ) | 21579 ) |
21076 sed "s/^/$as_me: WARNING: /" >&2 21580 sed "s/^/$as_me: WARNING: /" >&2
@@ -21195,17 +21699,17 @@ _ACEOF
21195fi; 21699fi;
21196 21700
21197# Check whether user wants OpenSC support 21701# Check whether user wants OpenSC support
21702OPENSC_CONFIG="no"
21198 21703
21199# Check whether --with-opensc or --without-opensc was given. 21704# Check whether --with-opensc or --without-opensc was given.
21200if test "${with_opensc+set}" = set; then 21705if test "${with_opensc+set}" = set; then
21201 withval="$with_opensc" 21706 withval="$with_opensc"
21202 opensc_config_prefix="$withval" 21707
21203else 21708 if test "x$withval" != "xno" ; then
21204 opensc_config_prefix="" 21709 if test "x$withval" != "xyes" ; then
21205fi; 21710 OPENSC_CONFIG=$withval/bin/opensc-config
21206if test x$opensc_config_prefix != x ; then 21711 else
21207 OPENSC_CONFIG=$opensc_config_prefix/bin/opensc-config 21712 # Extract the first word of "opensc-config", so it can be a program name with args.
21208 # Extract the first word of "opensc-config", so it can be a program name with args.
21209set dummy opensc-config; ac_word=$2 21713set dummy opensc-config; ac_word=$2
21210echo "$as_me:$LINENO: checking for $ac_word" >&5 21714echo "$as_me:$LINENO: checking for $ac_word" >&5
21211echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 21715echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
@@ -21245,22 +21749,26 @@ else
21245echo "${ECHO_T}no" >&6 21749echo "${ECHO_T}no" >&6
21246fi 21750fi
21247 21751
21248 if test "$OPENSC_CONFIG" != "no"; then 21752 fi
21249 LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags` 21753 if test "$OPENSC_CONFIG" != "no"; then
21250 LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs` 21754 LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags`
21251 CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS" 21755 LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs`
21252 LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS" 21756 CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
21253 cat >>confdefs.h <<\_ACEOF 21757 LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS"
21758 cat >>confdefs.h <<\_ACEOF
21254#define SMARTCARD 1 21759#define SMARTCARD 1
21255_ACEOF 21760_ACEOF
21256 21761
21257 cat >>confdefs.h <<\_ACEOF 21762 cat >>confdefs.h <<\_ACEOF
21258#define USE_OPENSC 1 21763#define USE_OPENSC 1
21259_ACEOF 21764_ACEOF
21260 21765
21261 SCARD_MSG="yes, using OpenSC" 21766 SCARD_MSG="yes, using OpenSC"
21262 fi 21767 fi
21263fi 21768 fi
21769
21770
21771fi;
21264 21772
21265# Check libraries needed by DNS fingerprint support 21773# Check libraries needed by DNS fingerprint support
21266echo "$as_me:$LINENO: checking for library containing getrrsetbyname" >&5 21774echo "$as_me:$LINENO: checking for library containing getrrsetbyname" >&5
@@ -21855,6 +22363,152 @@ _ACEOF
21855fi 22363fi
21856done 22364done
21857 22365
22366 echo "$as_me:$LINENO: checking whether _getshort is declared" >&5
22367echo $ECHO_N "checking whether _getshort is declared... $ECHO_C" >&6
22368if test "${ac_cv_have_decl__getshort+set}" = set; then
22369 echo $ECHO_N "(cached) $ECHO_C" >&6
22370else
22371 cat >conftest.$ac_ext <<_ACEOF
22372/* confdefs.h. */
22373_ACEOF
22374cat confdefs.h >>conftest.$ac_ext
22375cat >>conftest.$ac_ext <<_ACEOF
22376/* end confdefs.h. */
22377#include <sys/types.h>
22378 #include <arpa/nameser.h>
22379
22380int
22381main ()
22382{
22383#ifndef _getshort
22384 char *p = (char *) _getshort;
22385#endif
22386
22387 ;
22388 return 0;
22389}
22390_ACEOF
22391rm -f conftest.$ac_objext
22392if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
22393 (eval $ac_compile) 2>conftest.er1
22394 ac_status=$?
22395 grep -v '^ *+' conftest.er1 >conftest.err
22396 rm -f conftest.er1
22397 cat conftest.err >&5
22398 echo "$as_me:$LINENO: \$? = $ac_status" >&5
22399 (exit $ac_status); } &&
22400 { ac_try='test -z "$ac_c_werror_flag"
22401 || test ! -s conftest.err'
22402 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
22403 (eval $ac_try) 2>&5
22404 ac_status=$?
22405 echo "$as_me:$LINENO: \$? = $ac_status" >&5
22406 (exit $ac_status); }; } &&
22407 { ac_try='test -s conftest.$ac_objext'
22408 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
22409 (eval $ac_try) 2>&5
22410 ac_status=$?
22411 echo "$as_me:$LINENO: \$? = $ac_status" >&5
22412 (exit $ac_status); }; }; then
22413 ac_cv_have_decl__getshort=yes
22414else
22415 echo "$as_me: failed program was:" >&5
22416sed 's/^/| /' conftest.$ac_ext >&5
22417
22418ac_cv_have_decl__getshort=no
22419fi
22420rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
22421fi
22422echo "$as_me:$LINENO: result: $ac_cv_have_decl__getshort" >&5
22423echo "${ECHO_T}$ac_cv_have_decl__getshort" >&6
22424if test $ac_cv_have_decl__getshort = yes; then
22425
22426cat >>confdefs.h <<_ACEOF
22427#define HAVE_DECL__GETSHORT 1
22428_ACEOF
22429
22430
22431else
22432 cat >>confdefs.h <<_ACEOF
22433#define HAVE_DECL__GETSHORT 0
22434_ACEOF
22435
22436
22437fi
22438echo "$as_me:$LINENO: checking whether _getlong is declared" >&5
22439echo $ECHO_N "checking whether _getlong is declared... $ECHO_C" >&6
22440if test "${ac_cv_have_decl__getlong+set}" = set; then
22441 echo $ECHO_N "(cached) $ECHO_C" >&6
22442else
22443 cat >conftest.$ac_ext <<_ACEOF
22444/* confdefs.h. */
22445_ACEOF
22446cat confdefs.h >>conftest.$ac_ext
22447cat >>conftest.$ac_ext <<_ACEOF
22448/* end confdefs.h. */
22449#include <sys/types.h>
22450 #include <arpa/nameser.h>
22451
22452int
22453main ()
22454{
22455#ifndef _getlong
22456 char *p = (char *) _getlong;
22457#endif
22458
22459 ;
22460 return 0;
22461}
22462_ACEOF
22463rm -f conftest.$ac_objext
22464if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
22465 (eval $ac_compile) 2>conftest.er1
22466 ac_status=$?
22467 grep -v '^ *+' conftest.er1 >conftest.err
22468 rm -f conftest.er1
22469 cat conftest.err >&5
22470 echo "$as_me:$LINENO: \$? = $ac_status" >&5
22471 (exit $ac_status); } &&
22472 { ac_try='test -z "$ac_c_werror_flag"
22473 || test ! -s conftest.err'
22474 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
22475 (eval $ac_try) 2>&5
22476 ac_status=$?
22477 echo "$as_me:$LINENO: \$? = $ac_status" >&5
22478 (exit $ac_status); }; } &&
22479 { ac_try='test -s conftest.$ac_objext'
22480 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
22481 (eval $ac_try) 2>&5
22482 ac_status=$?
22483 echo "$as_me:$LINENO: \$? = $ac_status" >&5
22484 (exit $ac_status); }; }; then
22485 ac_cv_have_decl__getlong=yes
22486else
22487 echo "$as_me: failed program was:" >&5
22488sed 's/^/| /' conftest.$ac_ext >&5
22489
22490ac_cv_have_decl__getlong=no
22491fi
22492rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
22493fi
22494echo "$as_me:$LINENO: result: $ac_cv_have_decl__getlong" >&5
22495echo "${ECHO_T}$ac_cv_have_decl__getlong" >&6
22496if test $ac_cv_have_decl__getlong = yes; then
22497
22498cat >>confdefs.h <<_ACEOF
22499#define HAVE_DECL__GETLONG 1
22500_ACEOF
22501
22502
22503else
22504 cat >>confdefs.h <<_ACEOF
22505#define HAVE_DECL__GETLONG 0
22506_ACEOF
22507
22508
22509fi
22510
22511
21858 echo "$as_me:$LINENO: checking for HEADER.ad" >&5 22512 echo "$as_me:$LINENO: checking for HEADER.ad" >&5
21859echo $ECHO_N "checking for HEADER.ad... $ECHO_C" >&6 22513echo $ECHO_N "checking for HEADER.ad... $ECHO_C" >&6
21860if test "${ac_cv_member_HEADER_ad+set}" = set; then 22514if test "${ac_cv_member_HEADER_ad+set}" = set; then
@@ -22594,9 +23248,9 @@ echo "$as_me: WARNING: gssapi.h: proceeding with the preprocessor's result" >&2;
22594echo "$as_me: WARNING: gssapi.h: in the future, the compiler will take precedence" >&2;} 23248echo "$as_me: WARNING: gssapi.h: in the future, the compiler will take precedence" >&2;}
22595 ( 23249 (
22596 cat <<\_ASBOX 23250 cat <<\_ASBOX
22597## ---------------------------------- ## 23251## ------------------------------------------- ##
22598## Report this to the OpenSSH lists. ## 23252## Report this to openssh-unix-dev@mindrot.org ##
22599## ---------------------------------- ## 23253## ------------------------------------------- ##
22600_ASBOX 23254_ASBOX
22601 ) | 23255 ) |
22602 sed "s/^/$as_me: WARNING: /" >&2 23256 sed "s/^/$as_me: WARNING: /" >&2
@@ -22740,9 +23394,9 @@ echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&
22740echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} 23394echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
22741 ( 23395 (
22742 cat <<\_ASBOX 23396 cat <<\_ASBOX
22743## ---------------------------------- ## 23397## ------------------------------------------- ##
22744## Report this to the OpenSSH lists. ## 23398## Report this to openssh-unix-dev@mindrot.org ##
22745## ---------------------------------- ## 23399## ------------------------------------------- ##
22746_ASBOX 23400_ASBOX
22747 ) | 23401 ) |
22748 sed "s/^/$as_me: WARNING: /" >&2 23402 sed "s/^/$as_me: WARNING: /" >&2
@@ -22898,9 +23552,9 @@ echo "$as_me: WARNING: gssapi_krb5.h: proceeding with the preprocessor's result"
22898echo "$as_me: WARNING: gssapi_krb5.h: in the future, the compiler will take precedence" >&2;} 23552echo "$as_me: WARNING: gssapi_krb5.h: in the future, the compiler will take precedence" >&2;}
22899 ( 23553 (
22900 cat <<\_ASBOX 23554 cat <<\_ASBOX
22901## ---------------------------------- ## 23555## ------------------------------------------- ##
22902## Report this to the OpenSSH lists. ## 23556## Report this to openssh-unix-dev@mindrot.org ##
22903## ---------------------------------- ## 23557## ------------------------------------------- ##
22904_ASBOX 23558_ASBOX
22905 ) | 23559 ) |
22906 sed "s/^/$as_me: WARNING: /" >&2 23560 sed "s/^/$as_me: WARNING: /" >&2
@@ -23057,9 +23711,9 @@ echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&
23057echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} 23711echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
23058 ( 23712 (
23059 cat <<\_ASBOX 23713 cat <<\_ASBOX
23060## ---------------------------------- ## 23714## ------------------------------------------- ##
23061## Report this to the OpenSSH lists. ## 23715## Report this to openssh-unix-dev@mindrot.org ##
23062## ---------------------------------- ## 23716## ------------------------------------------- ##
23063_ASBOX 23717_ASBOX
23064 ) | 23718 ) |
23065 sed "s/^/$as_me: WARNING: /" >&2 23719 sed "s/^/$as_me: WARNING: /" >&2
@@ -23208,9 +23862,9 @@ echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&
23208echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} 23862echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
23209 ( 23863 (
23210 cat <<\_ASBOX 23864 cat <<\_ASBOX
23211## ---------------------------------- ## 23865## ------------------------------------------- ##
23212## Report this to the OpenSSH lists. ## 23866## Report this to openssh-unix-dev@mindrot.org ##
23213## ---------------------------------- ## 23867## ------------------------------------------- ##
23214_ASBOX 23868_ASBOX
23215 ) | 23869 ) |
23216 sed "s/^/$as_me: WARNING: /" >&2 23870 sed "s/^/$as_me: WARNING: /" >&2
@@ -23359,9 +24013,9 @@ echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&
23359echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} 24013echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
23360 ( 24014 (
23361 cat <<\_ASBOX 24015 cat <<\_ASBOX
23362## ---------------------------------- ## 24016## ------------------------------------------- ##
23363## Report this to the OpenSSH lists. ## 24017## Report this to openssh-unix-dev@mindrot.org ##
23364## ---------------------------------- ## 24018## ------------------------------------------- ##
23365_ASBOX 24019_ASBOX
23366 ) | 24020 ) |
23367 sed "s/^/$as_me: WARNING: /" >&2 24021 sed "s/^/$as_me: WARNING: /" >&2
@@ -23518,135 +24172,6 @@ _ACEOF
23518 24172
23519fi 24173fi
23520 24174
23521 echo "$as_me:$LINENO: checking for library containing krb5_init_ets" >&5
23522echo $ECHO_N "checking for library containing krb5_init_ets... $ECHO_C" >&6
23523if test "${ac_cv_search_krb5_init_ets+set}" = set; then
23524 echo $ECHO_N "(cached) $ECHO_C" >&6
23525else
23526 ac_func_search_save_LIBS=$LIBS
23527ac_cv_search_krb5_init_ets=no
23528cat >conftest.$ac_ext <<_ACEOF
23529/* confdefs.h. */
23530_ACEOF
23531cat confdefs.h >>conftest.$ac_ext
23532cat >>conftest.$ac_ext <<_ACEOF
23533/* end confdefs.h. */
23534
23535/* Override any gcc2 internal prototype to avoid an error. */
23536#ifdef __cplusplus
23537extern "C"
23538#endif
23539/* We use char because int might match the return type of a gcc2
23540 builtin and then its argument prototype would still apply. */
23541char krb5_init_ets ();
23542int
23543main ()
23544{
23545krb5_init_ets ();
23546 ;
23547 return 0;
23548}
23549_ACEOF
23550rm -f conftest.$ac_objext conftest$ac_exeext
23551if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
23552 (eval $ac_link) 2>conftest.er1
23553 ac_status=$?
23554 grep -v '^ *+' conftest.er1 >conftest.err
23555 rm -f conftest.er1
23556 cat conftest.err >&5
23557 echo "$as_me:$LINENO: \$? = $ac_status" >&5
23558 (exit $ac_status); } &&
23559 { ac_try='test -z "$ac_c_werror_flag"
23560 || test ! -s conftest.err'
23561 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
23562 (eval $ac_try) 2>&5
23563 ac_status=$?
23564 echo "$as_me:$LINENO: \$? = $ac_status" >&5
23565 (exit $ac_status); }; } &&
23566 { ac_try='test -s conftest$ac_exeext'
23567 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
23568 (eval $ac_try) 2>&5
23569 ac_status=$?
23570 echo "$as_me:$LINENO: \$? = $ac_status" >&5
23571 (exit $ac_status); }; }; then
23572 ac_cv_search_krb5_init_ets="none required"
23573else
23574 echo "$as_me: failed program was:" >&5
23575sed 's/^/| /' conftest.$ac_ext >&5
23576
23577fi
23578rm -f conftest.err conftest.$ac_objext \
23579 conftest$ac_exeext conftest.$ac_ext
23580if test "$ac_cv_search_krb5_init_ets" = no; then
23581 for ac_lib in $K5LIBS; do
23582 LIBS="-l$ac_lib $ac_func_search_save_LIBS"
23583 cat >conftest.$ac_ext <<_ACEOF
23584/* confdefs.h. */
23585_ACEOF
23586cat confdefs.h >>conftest.$ac_ext
23587cat >>conftest.$ac_ext <<_ACEOF
23588/* end confdefs.h. */
23589
23590/* Override any gcc2 internal prototype to avoid an error. */
23591#ifdef __cplusplus
23592extern "C"
23593#endif
23594/* We use char because int might match the return type of a gcc2
23595 builtin and then its argument prototype would still apply. */
23596char krb5_init_ets ();
23597int
23598main ()
23599{
23600krb5_init_ets ();
23601 ;
23602 return 0;
23603}
23604_ACEOF
23605rm -f conftest.$ac_objext conftest$ac_exeext
23606if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
23607 (eval $ac_link) 2>conftest.er1
23608 ac_status=$?
23609 grep -v '^ *+' conftest.er1 >conftest.err
23610 rm -f conftest.er1
23611 cat conftest.err >&5
23612 echo "$as_me:$LINENO: \$? = $ac_status" >&5
23613 (exit $ac_status); } &&
23614 { ac_try='test -z "$ac_c_werror_flag"
23615 || test ! -s conftest.err'
23616 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
23617 (eval $ac_try) 2>&5
23618 ac_status=$?
23619 echo "$as_me:$LINENO: \$? = $ac_status" >&5
23620 (exit $ac_status); }; } &&
23621 { ac_try='test -s conftest$ac_exeext'
23622 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
23623 (eval $ac_try) 2>&5
23624 ac_status=$?
23625 echo "$as_me:$LINENO: \$? = $ac_status" >&5
23626 (exit $ac_status); }; }; then
23627 ac_cv_search_krb5_init_ets="-l$ac_lib"
23628break
23629else
23630 echo "$as_me: failed program was:" >&5
23631sed 's/^/| /' conftest.$ac_ext >&5
23632
23633fi
23634rm -f conftest.err conftest.$ac_objext \
23635 conftest$ac_exeext conftest.$ac_ext
23636 done
23637fi
23638LIBS=$ac_func_search_save_LIBS
23639fi
23640echo "$as_me:$LINENO: result: $ac_cv_search_krb5_init_ets" >&5
23641echo "${ECHO_T}$ac_cv_search_krb5_init_ets" >&6
23642if test "$ac_cv_search_krb5_init_ets" != no; then
23643 test "$ac_cv_search_krb5_init_ets" = "none required" || LIBS="$ac_cv_search_krb5_init_ets $LIBS"
23644 cat >>confdefs.h <<\_ACEOF
23645#define KRB5_INIT_ETS 1
23646_ACEOF
23647
23648fi
23649
23650 24175
23651 24176
23652fi; 24177fi;
@@ -23659,7 +24184,8 @@ PRIVSEP_PATH=/var/empty
23659if test "${with_privsep_path+set}" = set; then 24184if test "${with_privsep_path+set}" = set; then
23660 withval="$with_privsep_path" 24185 withval="$with_privsep_path"
23661 24186
23662 if test "x$withval" != "$no" ; then 24187 if test -n "$withval" && test "x$withval" != "xno" && \
24188 test "x${withval}" != "xyes"; then
23663 PRIVSEP_PATH=$withval 24189 PRIVSEP_PATH=$withval
23664 fi 24190 fi
23665 24191
@@ -23672,7 +24198,8 @@ fi;
23672if test "${with_xauth+set}" = set; then 24198if test "${with_xauth+set}" = set; then
23673 withval="$with_xauth" 24199 withval="$with_xauth"
23674 24200
23675 if test "x$withval" != "xno" ; then 24201 if test -n "$withval" && test "x$withval" != "xno" && \
24202 test "x${withval}" != "xyes"; then
23676 xauth_path=$withval 24203 xauth_path=$withval
23677 fi 24204 fi
23678 24205
@@ -24095,8 +24622,8 @@ _ACEOF
24095 fi 24622 fi
24096fi 24623fi
24097 24624
24098if test $ac_cv_func_login_getcapbool = "yes" -a \ 24625if test $ac_cv_func_login_getcapbool = "yes" && \
24099 $ac_cv_header_login_cap_h = "yes" ; then 24626 test $ac_cv_header_login_cap_h = "yes" ; then
24100 external_path_file=/etc/login.conf 24627 external_path_file=/etc/login.conf
24101fi 24628fi
24102 24629
@@ -24240,7 +24767,8 @@ fi
24240if test "${with_superuser_path+set}" = set; then 24767if test "${with_superuser_path+set}" = set; then
24241 withval="$with_superuser_path" 24768 withval="$with_superuser_path"
24242 24769
24243 if test "x$withval" != "xno" ; then 24770 if test -n "$withval" && test "x$withval" != "xno" && \
24771 test "x${withval}" != "xyes"; then
24244 cat >>confdefs.h <<_ACEOF 24772 cat >>confdefs.h <<_ACEOF
24245#define SUPERUSER_PATH "$withval" 24773#define SUPERUSER_PATH "$withval"
24246_ACEOF 24774_ACEOF
@@ -24324,7 +24852,8 @@ fi
24324if test "${with_pid_dir+set}" = set; then 24852if test "${with_pid_dir+set}" = set; then
24325 withval="$with_pid_dir" 24853 withval="$with_pid_dir"
24326 24854
24327 if test "x$withval" != "xno" ; then 24855 if test -n "$withval" && test "x$withval" != "xno" && \
24856 test "x${withval}" != "xyes"; then
24328 piddir=$withval 24857 piddir=$withval
24329 if test ! -d $piddir ; then 24858 if test ! -d $piddir ; then
24330 { echo "$as_me:$LINENO: WARNING: ** no $piddir directory on this system **" >&5 24859 { echo "$as_me:$LINENO: WARNING: ** no $piddir directory on this system **" >&5
@@ -24455,7 +24984,7 @@ if test "${with_lastlog+set}" = set; then
24455#define DISABLE_LASTLOG 1 24984#define DISABLE_LASTLOG 1
24456_ACEOF 24985_ACEOF
24457 24986
24458 else 24987 elif test -n "$withval" && test "x${withval}" != "xyes"; then
24459 conf_lastlog_location=$withval 24988 conf_lastlog_location=$withval
24460 fi 24989 fi
24461 24990
@@ -24931,6 +25460,8 @@ if test "$ac_cv_lib_pam_pam_set_item" = yes ; then
24931 LIBS=`echo $LIBS | sed 's/-ldl //'` 25460 LIBS=`echo $LIBS | sed 's/-ldl //'`
24932fi 25461fi
24933 25462
25463CFLAGS="$CFLAGS $werror_flags"
25464
24934 25465
24935 ac_config_files="$ac_config_files Makefile buildpkg.sh opensshd.init openbsd-compat/Makefile scard/Makefile ssh_prng_cmds survey.sh" 25466 ac_config_files="$ac_config_files Makefile buildpkg.sh opensshd.init openbsd-compat/Makefile scard/Makefile ssh_prng_cmds survey.sh"
24936 25467
diff --git a/configure.ac b/configure.ac
index e48028b7b..6e36aa22b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
1# $Id: configure.ac,v 1.250 2005/03/07 09:21:37 tim Exp $ 1# $Id: configure.ac,v 1.292 2005/08/31 16:59:49 tim Exp $
2# 2#
3# Copyright (c) 1999-2004 Damien Miller 3# Copyright (c) 1999-2004 Damien Miller
4# 4#
@@ -14,7 +14,7 @@
14# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 14# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 16
17AC_INIT(OpenSSH, Portable) 17AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
18AC_CONFIG_SRCDIR([ssh.c]) 18AC_CONFIG_SRCDIR([ssh.c])
19 19
20AC_CONFIG_HEADER(config.h) 20AC_CONFIG_HEADER(config.h)
@@ -75,16 +75,102 @@ if test -z "$LD" ; then
75 LD=$CC 75 LD=$CC
76fi 76fi
77AC_SUBST(LD) 77AC_SUBST(LD)
78 78
79AC_C_INLINE 79AC_C_INLINE
80
81AC_CHECK_DECL(LLONG_MAX, have_llong_max=1, , [#include <limits.h>])
82
80if test "$GCC" = "yes" || test "$GCC" = "egcs"; then 83if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
81 CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wno-uninitialized" 84 CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized"
85 GCC_VER=`$CC --version`
86 case $GCC_VER in
87 1.*) ;;
88 2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;;
89 2.*) ;;
90 *) CFLAGS="$CFLAGS -Wsign-compare" ;;
91 esac
92
93 if test -z "$have_llong_max"; then
94 # retry LLONG_MAX with -std=gnu99, needed on some Linuxes
95 unset ac_cv_have_decl_LLONG_MAX
96 saved_CFLAGS="$CFLAGS"
97 CFLAGS="$CFLAGS -std=gnu99"
98 AC_CHECK_DECL(LLONG_MAX,
99 [have_llong_max=1],
100 [CFLAGS="$saved_CFLAGS"],
101 [#include <limits.h>]
102 )
103 fi
104fi
105
106if test -z "$have_llong_max"; then
107 AC_MSG_CHECKING([for max value of long long])
108 AC_RUN_IFELSE(
109 [AC_LANG_SOURCE([[
110#include <stdio.h>
111/* Why is this so damn hard? */
112#ifdef __GNUC__
113# undef __GNUC__
114#endif
115#define __USE_ISOC99
116#include <limits.h>
117#define DATA "conftest.llminmax"
118int main(void) {
119 FILE *f;
120 long long i, llmin, llmax = 0;
121
122 if((f = fopen(DATA,"w")) == NULL)
123 exit(1);
124
125#if defined(LLONG_MIN) && defined(LLONG_MAX)
126 fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
127 llmin = LLONG_MIN;
128 llmax = LLONG_MAX;
129#else
130 fprintf(stderr, "Calculating LLONG_MIN and LLONG_MAX\n");
131 /* This will work on one's complement and two's complement */
132 for (i = 1; i > llmax; i <<= 1, i++)
133 llmax = i;
134 llmin = llmax + 1LL; /* wrap */
135#endif
136
137 /* Sanity check */
138 if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
139 || llmax - 1 > llmax) {
140 fprintf(f, "unknown unknown\n");
141 exit(2);
142 }
143
144 if (fprintf(f ,"%lld %lld", llmin, llmax) < 0)
145 exit(3);
146
147 exit(0);
148}
149 ]])],
150 [
151 llong_min=`$AWK '{print $1}' conftest.llminmax`
152 llong_max=`$AWK '{print $2}' conftest.llminmax`
153 AC_MSG_RESULT($llong_max)
154 AC_DEFINE_UNQUOTED(LLONG_MAX, [${llong_max}LL],
155 [max value of long long calculated by configure])
156 AC_MSG_CHECKING([for min value of long long])
157 AC_MSG_RESULT($llong_min)
158 AC_DEFINE_UNQUOTED(LLONG_MIN, [${llong_min}LL],
159 [min value of long long calculated by configure])
160 ],
161 [
162 AC_MSG_RESULT(not found)
163 ],
164 [
165 AC_MSG_WARN([cross compiling: not checking])
166 ]
167 )
82fi 168fi
83 169
84AC_ARG_WITH(rpath, 170AC_ARG_WITH(rpath,
85 [ --without-rpath Disable auto-added -R linker paths], 171 [ --without-rpath Disable auto-added -R linker paths],
86 [ 172 [
87 if test "x$withval" = "xno" ; then 173 if test "x$withval" = "xno" ; then
88 need_dash_r="" 174 need_dash_r=""
89 fi 175 fi
90 if test "x$withval" = "xyes" ; then 176 if test "x$withval" = "xyes" ; then
@@ -123,7 +209,7 @@ case "$host" in
123 ]) 209 ])
124 dnl Check for various auth function declarations in headers. 210 dnl Check for various auth function declarations in headers.
125 AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess, 211 AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
126 passwdexpired], , , [#include <usersec.h>]) 212 passwdexpired, setauthdb], , , [#include <usersec.h>])
127 dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2) 213 dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
128 AC_CHECK_DECLS(loginfailed, 214 AC_CHECK_DECLS(loginfailed,
129 [AC_MSG_CHECKING(if loginfailed takes 4 arguments) 215 [AC_MSG_CHECKING(if loginfailed takes 4 arguments)
@@ -180,52 +266,66 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
180 AC_DEFINE(BROKEN_SETREUID) 266 AC_DEFINE(BROKEN_SETREUID)
181 AC_DEFINE(BROKEN_SETREGID) 267 AC_DEFINE(BROKEN_SETREGID)
182 AC_DEFINE_UNQUOTED(BIND_8_COMPAT, 1) 268 AC_DEFINE_UNQUOTED(BIND_8_COMPAT, 1)
269 AC_MSG_CHECKING(if we have the Security Authorization Session API)
270 AC_TRY_COMPILE([#include <Security/AuthSession.h>],
271 [SessionCreate(0, 0);],
272 [ac_cv_use_security_session_api="yes"
273 AC_DEFINE(USE_SECURITY_SESSION_API)
274 LIBS="$LIBS -framework Security"
275 AC_MSG_RESULT(yes)],
276 [ac_cv_use_security_session_api="no"
277 AC_MSG_RESULT(no)])
278 AC_MSG_CHECKING(if we have an in-memory credentials cache)
279 AC_TRY_COMPILE(
280 [#include <Kerberos/Kerberos.h>],
281 [cc_context_t c;
282 (void) cc_initialize (&c, 0, NULL, NULL);],
283 [AC_DEFINE(USE_CCAPI)
284 LIBS="$LIBS -framework Security"
285 AC_MSG_RESULT(yes)
286 if test "x$ac_cv_use_security_session_api" = "xno"; then
287 AC_MSG_ERROR(*** Need a security framework to use the credentials cache API ***)
288 fi],
289 [AC_MSG_RESULT(no)]
290 )
183 ;; 291 ;;
184*-*-hpux10.26) 292*-*-hpux*)
185 if test -z "$GCC"; then 293 # first we define all of the options common to all HP-UX releases
186 CFLAGS="$CFLAGS -Ae"
187 fi
188 CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
189 IPADDR_IN_DISPLAY=yes
190 AC_DEFINE(HAVE_SECUREWARE)
191 AC_DEFINE(USE_PIPES)
192 AC_DEFINE(LOGIN_NO_ENDOPT)
193 AC_DEFINE(LOGIN_NEEDS_UTMPX)
194 AC_DEFINE(LOCKED_PASSWD_STRING, "*")
195 AC_DEFINE(SPT_TYPE,SPT_PSTAT)
196 LIBS="$LIBS -lsec -lsecpw"
197 AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
198 disable_ptmx_check=yes
199 ;;
200*-*-hpux10*)
201 if test -z "$GCC"; then
202 CFLAGS="$CFLAGS -Ae"
203 fi
204 CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
205 IPADDR_IN_DISPLAY=yes
206 AC_DEFINE(USE_PIPES)
207 AC_DEFINE(LOGIN_NO_ENDOPT)
208 AC_DEFINE(LOGIN_NEEDS_UTMPX)
209 AC_DEFINE(LOCKED_PASSWD_STRING, "*")
210 AC_DEFINE(SPT_TYPE,SPT_PSTAT)
211 LIBS="$LIBS -lsec"
212 AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
213 ;;
214*-*-hpux11*)
215 CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1" 294 CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
216 IPADDR_IN_DISPLAY=yes 295 IPADDR_IN_DISPLAY=yes
217 AC_DEFINE(PAM_SUN_CODEBASE)
218 AC_DEFINE(USE_PIPES) 296 AC_DEFINE(USE_PIPES)
219 AC_DEFINE(LOGIN_NO_ENDOPT) 297 AC_DEFINE(LOGIN_NO_ENDOPT)
220 AC_DEFINE(LOGIN_NEEDS_UTMPX) 298 AC_DEFINE(LOGIN_NEEDS_UTMPX)
221 AC_DEFINE(DISABLE_UTMP)
222 AC_DEFINE(LOCKED_PASSWD_STRING, "*") 299 AC_DEFINE(LOCKED_PASSWD_STRING, "*")
223 AC_DEFINE(SPT_TYPE,SPT_PSTAT) 300 AC_DEFINE(SPT_TYPE,SPT_PSTAT)
224 AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins])
225 check_for_hpux_broken_getaddrinfo=1
226 check_for_conflicting_getspnam=1
227 LIBS="$LIBS -lsec" 301 LIBS="$LIBS -lsec"
228 AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) 302 AC_CHECK_LIB(xnet, t_error, ,
303 AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
304
305 # next, we define all of the options specific to major releases
306 case "$host" in
307 *-*-hpux10*)
308 if test -z "$GCC"; then
309 CFLAGS="$CFLAGS -Ae"
310 fi
311 ;;
312 *-*-hpux11*)
313 AC_DEFINE(PAM_SUN_CODEBASE)
314 AC_DEFINE(DISABLE_UTMP)
315 AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins])
316 check_for_hpux_broken_getaddrinfo=1
317 check_for_conflicting_getspnam=1
318 ;;
319 esac
320
321 # lastly, we define options specific to minor releases
322 case "$host" in
323 *-*-hpux10.26)
324 AC_DEFINE(HAVE_SECUREWARE)
325 disable_ptmx_check=yes
326 LIBS="$LIBS -lsecpw"
327 ;;
328 esac
229 ;; 329 ;;
230*-*-irix5*) 330*-*-irix5*)
231 PATH="$PATH:/usr/etc" 331 PATH="$PATH:/usr/etc"
@@ -269,12 +369,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
269 esac 369 esac
270 ;; 370 ;;
271mips-sony-bsd|mips-sony-newsos4) 371mips-sony-bsd|mips-sony-newsos4)
272 AC_DEFINE(HAVE_NEWS4) 372 AC_DEFINE(NEED_SETPRGP, [], [Need setpgrp to acquire controlling tty])
273 SONY=1 373 SONY=1
274 ;; 374 ;;
275*-*-netbsd*) 375*-*-netbsd*)
276 check_for_libcrypt_before=1 376 check_for_libcrypt_before=1
277 if test "x$withval" != "xno" ; then 377 if test "x$withval" != "xno" ; then
278 need_dash_r=1 378 need_dash_r=1
279 fi 379 fi
280 ;; 380 ;;
@@ -296,8 +396,11 @@ mips-sony-bsd|mips-sony-newsos4)
296 AC_DEFINE(USE_PIPES) 396 AC_DEFINE(USE_PIPES)
297 AC_DEFINE(BROKEN_SAVED_UIDS) 397 AC_DEFINE(BROKEN_SAVED_UIDS)
298 ;; 398 ;;
399*-*-openbsd*)
400 AC_DEFINE(HAVE_ATTRIBUTE__SENTINEL__, 1, [OpenBSD's gcc has sentinel])
401 ;;
299*-*-solaris*) 402*-*-solaris*)
300 if test "x$withval" != "xno" ; then 403 if test "x$withval" != "xno" ; then
301 need_dash_r=1 404 need_dash_r=1
302 fi 405 fi
303 AC_DEFINE(PAM_SUN_CODEBASE) 406 AC_DEFINE(PAM_SUN_CODEBASE)
@@ -361,13 +464,23 @@ mips-sony-bsd|mips-sony-newsos4)
361 AC_DEFINE(SETEUID_BREAKS_SETUID) 464 AC_DEFINE(SETEUID_BREAKS_SETUID)
362 AC_DEFINE(BROKEN_SETREUID) 465 AC_DEFINE(BROKEN_SETREUID)
363 AC_DEFINE(BROKEN_SETREGID) 466 AC_DEFINE(BROKEN_SETREGID)
467 AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd])
364 ;; 468 ;;
365# UnixWare 7.x, OpenUNIX 8 469# UnixWare 7.x, OpenUNIX 8
366*-*-sysv5*) 470*-*-sysv5*)
471 check_for_libcrypt_later=1
472 AC_DEFINE(UNIXWARE_LONG_PASSWORDS, 1, [Support passwords > 8 chars])
367 AC_DEFINE(USE_PIPES) 473 AC_DEFINE(USE_PIPES)
368 AC_DEFINE(SETEUID_BREAKS_SETUID) 474 AC_DEFINE(SETEUID_BREAKS_SETUID)
369 AC_DEFINE(BROKEN_SETREUID) 475 AC_DEFINE(BROKEN_SETREUID)
370 AC_DEFINE(BROKEN_SETREGID) 476 AC_DEFINE(BROKEN_SETREGID)
477 AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd])
478 case "$host" in
479 *-*-sysv5SCO_SV*) # SCO OpenServer 6.x
480 TEST_SHELL=/u95/bin/sh
481 AC_DEFINE(BROKEN_LIBIAF, 1, [ia_uinfo routines not supported by OS yet])
482 ;;
483 esac
371 ;; 484 ;;
372*-*-sysv*) 485*-*-sysv*)
373 ;; 486 ;;
@@ -466,21 +579,36 @@ mips-sony-bsd|mips-sony-newsos4)
466 AC_DEFINE(MISSING_HOWMANY) 579 AC_DEFINE(MISSING_HOWMANY)
467 AC_DEFINE(MISSING_FD_MASK) 580 AC_DEFINE(MISSING_FD_MASK)
468 ;; 581 ;;
582
583*-*-ultrix*)
584 AC_DEFINE(BROKEN_GETGROUPS, [], [getgroups(0,NULL) will return -1])
585 AC_DEFINE(BROKEN_MMAP, [], [Ultrix mmap can't map files])
586 AC_DEFINE(NEED_SETPRGP, [], [Need setpgrp to acquire controlling tty])
587 AC_DEFINE(HAVE_SYS_SYSLOG_H, 1, [Force use of sys/syslog.h on Ultrix])
588 ;;
589
590*-*-lynxos)
591 CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
592 AC_DEFINE(MISSING_HOWMANY)
593 AC_DEFINE(BROKEN_SETVBUF, 1, [LynxOS has broken setvbuf() implementation])
594 ;;
469esac 595esac
470 596
471# Allow user to specify flags 597# Allow user to specify flags
472AC_ARG_WITH(cflags, 598AC_ARG_WITH(cflags,
473 [ --with-cflags Specify additional flags to pass to compiler], 599 [ --with-cflags Specify additional flags to pass to compiler],
474 [ 600 [
475 if test "x$withval" != "xno" ; then 601 if test -n "$withval" && test "x$withval" != "xno" && \
602 test "x${withval}" != "xyes"; then
476 CFLAGS="$CFLAGS $withval" 603 CFLAGS="$CFLAGS $withval"
477 fi 604 fi
478 ] 605 ]
479) 606)
480AC_ARG_WITH(cppflags, 607AC_ARG_WITH(cppflags,
481 [ --with-cppflags Specify additional flags to pass to preprocessor] , 608 [ --with-cppflags Specify additional flags to pass to preprocessor] ,
482 [ 609 [
483 if test "x$withval" != "xno"; then 610 if test -n "$withval" && test "x$withval" != "xno" && \
611 test "x${withval}" != "xyes"; then
484 CPPFLAGS="$CPPFLAGS $withval" 612 CPPFLAGS="$CPPFLAGS $withval"
485 fi 613 fi
486 ] 614 ]
@@ -488,18 +616,31 @@ AC_ARG_WITH(cppflags,
488AC_ARG_WITH(ldflags, 616AC_ARG_WITH(ldflags,
489 [ --with-ldflags Specify additional flags to pass to linker], 617 [ --with-ldflags Specify additional flags to pass to linker],
490 [ 618 [
491 if test "x$withval" != "xno" ; then 619 if test -n "$withval" && test "x$withval" != "xno" && \
620 test "x${withval}" != "xyes"; then
492 LDFLAGS="$LDFLAGS $withval" 621 LDFLAGS="$LDFLAGS $withval"
493 fi 622 fi
494 ] 623 ]
495) 624)
496AC_ARG_WITH(libs, 625AC_ARG_WITH(libs,
497 [ --with-libs Specify additional libraries to link with], 626 [ --with-libs Specify additional libraries to link with],
498 [ 627 [
499 if test "x$withval" != "xno" ; then 628 if test -n "$withval" && test "x$withval" != "xno" && \
629 test "x${withval}" != "xyes"; then
500 LIBS="$LIBS $withval" 630 LIBS="$LIBS $withval"
501 fi 631 fi
502 ] 632 ]
633)
634AC_ARG_WITH(Werror,
635 [ --with-Werror Build main code with -Werror],
636 [
637 if test -n "$withval" && test "x$withval" != "xno"; then
638 werror_flags="-Werror"
639 if "x${withval}" != "xyes"; then
640 werror_flags="$withval"
641 fi
642 fi
643 ]
503) 644)
504 645
505AC_MSG_CHECKING(compiler and flags for sanity) 646AC_MSG_CHECKING(compiler and flags for sanity)
@@ -516,17 +657,67 @@ int main(){exit(0);}
516 [ AC_MSG_WARN([cross compiling: not checking compiler sanity]) ] 657 [ AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
517) 658)
518 659
519# Checks for header files. 660dnl Checks for header files.
520AC_CHECK_HEADERS(bstring.h crypt.h dirent.h endian.h features.h \ 661AC_CHECK_HEADERS( \
521 floatingpoint.h getopt.h glob.h ia.h lastlog.h limits.h login.h \ 662 bstring.h \
522 login_cap.h maillock.h ndir.h netdb.h netgroup.h \ 663 crypt.h \
523 netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \ 664 dirent.h \
524 rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ 665 endian.h \
525 strings.h sys/dir.h sys/strtio.h sys/audit.h sys/bitypes.h \ 666 features.h \
526 sys/bsdtty.h sys/cdefs.h sys/mman.h sys/ndir.h sys/prctl.h \ 667 floatingpoint.h \
527 sys/pstat.h sys/select.h sys/stat.h sys/stream.h \ 668 getopt.h \
528 sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h sys/un.h \ 669 glob.h \
529 time.h tmpdir.h ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h) 670 ia.h \
671 iaf.h \
672 lastlog.h \
673 limits.h \
674 login.h \
675 login_cap.h \
676 maillock.h \
677 ndir.h \
678 netdb.h \
679 netgroup.h \
680 netinet/in_systm.h \
681 pam/pam_appl.h \
682 paths.h \
683 pty.h \
684 readpassphrase.h \
685 rpc/types.h \
686 security/pam_appl.h \
687 shadow.h \
688 stddef.h \
689 stdint.h \
690 string.h \
691 strings.h \
692 sys/audit.h \
693 sys/bitypes.h \
694 sys/bsdtty.h \
695 sys/cdefs.h \
696 sys/dir.h \
697 sys/mman.h \
698 sys/ndir.h \
699 sys/prctl.h \
700 sys/pstat.h \
701 sys/select.h \
702 sys/stat.h \
703 sys/stream.h \
704 sys/stropts.h \
705 sys/strtio.h \
706 sys/sysmacros.h \
707 sys/time.h \
708 sys/timers.h \
709 sys/un.h \
710 time.h \
711 tmpdir.h \
712 ttyent.h \
713 unistd.h \
714 usersec.h \
715 util.h \
716 utime.h \
717 utmp.h \
718 utmpx.h \
719 vis.h \
720)
530 721
531# sys/ptms.h requires sys/stream.h to be included first on Solaris 722# sys/ptms.h requires sys/stream.h to be included first on Solaris
532AC_CHECK_HEADERS(sys/ptms.h, [], [], [ 723AC_CHECK_HEADERS(sys/ptms.h, [], [], [
@@ -583,10 +774,9 @@ AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME))
583dnl zlib is required 774dnl zlib is required
584AC_ARG_WITH(zlib, 775AC_ARG_WITH(zlib,
585 [ --with-zlib=PATH Use zlib in PATH], 776 [ --with-zlib=PATH Use zlib in PATH],
586 [ 777 [ if test "x$withval" = "xno" ; then
587 if test "x$withval" = "xno" ; then 778 AC_MSG_ERROR([*** zlib is required ***])
588 AC_MSG_ERROR([*** zlib is required ***]) 779 elif test "x$withval" != "xyes"; then
589 fi
590 if test -d "$withval/lib"; then 780 if test -d "$withval/lib"; then
591 if test -n "${need_dash_r}"; then 781 if test -n "${need_dash_r}"; then
592 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" 782 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
@@ -605,7 +795,7 @@ AC_ARG_WITH(zlib,
605 else 795 else
606 CPPFLAGS="-I${withval} ${CPPFLAGS}" 796 CPPFLAGS="-I${withval} ${CPPFLAGS}"
607 fi 797 fi
608 ] 798 fi ]
609) 799)
610 800
611AC_CHECK_LIB(z, deflate, , 801AC_CHECK_LIB(z, deflate, ,
@@ -638,29 +828,40 @@ AC_ARG_WITH(zlib-version-check,
638 ] 828 ]
639) 829)
640 830
641AC_MSG_CHECKING(for zlib 1.1.4 or greater) 831AC_MSG_CHECKING(for possibly buggy zlib)
642AC_RUN_IFELSE([AC_LANG_SOURCE([[ 832AC_RUN_IFELSE([AC_LANG_SOURCE([[
833#include <stdio.h>
643#include <zlib.h> 834#include <zlib.h>
644int main() 835int main()
645{ 836{
646 int a, b, c, v; 837 int a=0, b=0, c=0, d=0, n, v;
647 if (sscanf(ZLIB_VERSION, "%d.%d.%d", &a, &b, &c) != 3) 838 n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
839 if (n != 3 && n != 4)
648 exit(1); 840 exit(1);
649 v = a*1000000 + b*1000 + c; 841 v = a*1000000 + b*10000 + c*100 + d;
650 if (v >= 1001004) 842 fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
843
844 /* 1.1.4 is OK */
845 if (a == 1 && b == 1 && c >= 4)
846 exit(0);
847
848 /* 1.2.3 and up are OK */
849 if (v >= 1020300)
651 exit(0); 850 exit(0);
851
652 exit(2); 852 exit(2);
653} 853}
654 ]])], 854 ]])],
655 AC_MSG_RESULT(yes), 855 AC_MSG_RESULT(no),
656 [ AC_MSG_RESULT(no) 856 [ AC_MSG_RESULT(yes)
657 if test -z "$zlib_check_nonfatal" ; then 857 if test -z "$zlib_check_nonfatal" ; then
658 AC_MSG_ERROR([*** zlib too old - check config.log *** 858 AC_MSG_ERROR([*** zlib too old - check config.log ***
659Your reported zlib version has known security problems. It's possible your 859Your reported zlib version has known security problems. It's possible your
660vendor has fixed these problems without changing the version number. If you 860vendor has fixed these problems without changing the version number. If you
661are sure this is the case, you can disable the check by running 861are sure this is the case, you can disable the check by running
662"./configure --without-zlib-version-check". 862"./configure --without-zlib-version-check".
663If you are in doubt, upgrade zlib to version 1.1.4 or greater.]) 863If you are in doubt, upgrade zlib to version 1.2.3 or greater.
864See http://www.gzip.org/zlib/ for details.])
664 else 865 else
665 AC_MSG_WARN([zlib version may have security problems]) 866 AC_MSG_WARN([zlib version may have security problems])
666 fi 867 fi
@@ -730,7 +931,7 @@ int main(void){struct dirent d;exit(sizeof(d.d_name)<=sizeof(char));}
730 AC_MSG_RESULT(no) 931 AC_MSG_RESULT(no)
731 AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME) 932 AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME)
732 ], 933 ],
733 [ 934 [
734 AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME]) 935 AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
735 AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME) 936 AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME)
736 ] 937 ]
@@ -759,7 +960,7 @@ AC_ARG_WITH(skey,
759 AC_DEFINE(SKEY) 960 AC_DEFINE(SKEY)
760 LIBS="-lskey $LIBS" 961 LIBS="-lskey $LIBS"
761 SKEY_MSG="yes" 962 SKEY_MSG="yes"
762 963
763 AC_MSG_CHECKING([for s/key support]) 964 AC_MSG_CHECKING([for s/key support])
764 AC_TRY_RUN( 965 AC_TRY_RUN(
765 [ 966 [
@@ -794,7 +995,8 @@ AC_ARG_WITH(tcp-wrappers,
794 saved_LIBS="$LIBS" 995 saved_LIBS="$LIBS"
795 saved_LDFLAGS="$LDFLAGS" 996 saved_LDFLAGS="$LDFLAGS"
796 saved_CPPFLAGS="$CPPFLAGS" 997 saved_CPPFLAGS="$CPPFLAGS"
797 if test -n "${withval}" -a "${withval}" != "yes"; then 998 if test -n "${withval}" && \
999 test "x${withval}" != "xyes"; then
798 if test -d "${withval}/lib"; then 1000 if test -d "${withval}/lib"; then
799 if test -n "${need_dash_r}"; then 1001 if test -n "${need_dash_r}"; then
800 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" 1002 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
@@ -846,13 +1048,33 @@ LIBEDIT_MSG="no"
846AC_ARG_WITH(libedit, 1048AC_ARG_WITH(libedit,
847 [ --with-libedit[[=PATH]] Enable libedit support for sftp], 1049 [ --with-libedit[[=PATH]] Enable libedit support for sftp],
848 [ if test "x$withval" != "xno" ; then 1050 [ if test "x$withval" != "xno" ; then
1051 if test "x$withval" != "xyes"; then
1052 CPPFLAGS="$CPPFLAGS -I$withval/include"
1053 LDFLAGS="$LDFLAGS -L$withval/lib"
1054 fi
849 AC_CHECK_LIB(edit, el_init, 1055 AC_CHECK_LIB(edit, el_init,
850 [ AC_DEFINE(USE_LIBEDIT, [], [Use libedit for sftp]) 1056 [ AC_DEFINE(USE_LIBEDIT, [], [Use libedit for sftp])
851 LIBEDIT="-ledit -lcurses" 1057 LIBEDIT="-ledit -lcurses"
852 LIBEDIT_MSG="yes" 1058 LIBEDIT_MSG="yes"
853 AC_SUBST(LIBEDIT) 1059 AC_SUBST(LIBEDIT)
854 ], 1060 ],
855 [], [-lcurses] 1061 [ AC_MSG_ERROR(libedit not found) ],
1062 [ -lcurses ]
1063 )
1064 AC_MSG_CHECKING(if libedit version is compatible)
1065 AC_COMPILE_IFELSE(
1066 [AC_LANG_SOURCE([[
1067#include <histedit.h>
1068int main(void)
1069{
1070 int i = H_SETSIZE;
1071 el_init("", NULL, NULL, NULL);
1072 exit(0);
1073}
1074 ]])],
1075 [ AC_MSG_RESULT(yes) ],
1076 [ AC_MSG_RESULT(no)
1077 AC_MSG_ERROR(libedit version is not compatible) ]
856 ) 1078 )
857 fi ] 1079 fi ]
858) 1080)
@@ -882,6 +1104,9 @@ AC_ARG_WITH(audit,
882 AC_MSG_RESULT(debug) 1104 AC_MSG_RESULT(debug)
883 AC_DEFINE(SSH_AUDIT_EVENTS, [], Use audit debugging module) 1105 AC_DEFINE(SSH_AUDIT_EVENTS, [], Use audit debugging module)
884 ;; 1106 ;;
1107 no)
1108 AC_MSG_RESULT(no)
1109 ;;
885 *) 1110 *)
886 AC_MSG_ERROR([Unknown audit module $withval]) 1111 AC_MSG_ERROR([Unknown audit module $withval])
887 ;; 1112 ;;
@@ -889,19 +1114,87 @@ AC_ARG_WITH(audit,
889) 1114)
890 1115
891dnl Checks for library functions. Please keep in alphabetical order 1116dnl Checks for library functions. Please keep in alphabetical order
892AC_CHECK_FUNCS(\ 1117AC_CHECK_FUNCS( \
893 arc4random __b64_ntop b64_ntop __b64_pton b64_pton bcopy \ 1118 arc4random \
894 bindresvport_sa clock closefrom dirfd fchdir fchmod fchown \ 1119 b64_ntop \
895 freeaddrinfo futimes getaddrinfo getcwd getgrouplist getnameinfo \ 1120 __b64_ntop \
896 getopt getpeereid _getpty getrlimit getttyent glob inet_aton \ 1121 b64_pton \
897 inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \ 1122 __b64_pton \
898 mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \ 1123 bcopy \
899 pstat prctl readpassphrase realpath recvmsg rresvport_af sendmsg \ 1124 bindresvport_sa \
900 setdtablesize setegid setenv seteuid setgroups setlogin setpcred \ 1125 clock \
901 setproctitle setregid setreuid setrlimit \ 1126 closefrom \
902 setsid setvbuf sigaction sigvec snprintf socketpair strerror \ 1127 dirfd \
903 strlcat strlcpy strmode strnvis strtoul sysconf tcgetpgrp \ 1128 fchmod \
904 truncate unsetenv updwtmpx utimes vhangup vsnprintf waitpid \ 1129 fchown \
1130 freeaddrinfo \
1131 futimes \
1132 getaddrinfo \
1133 getcwd \
1134 getgrouplist \
1135 getnameinfo \
1136 getopt \
1137 getpeereid \
1138 _getpty \
1139 getrlimit \
1140 getttyent \
1141 glob \
1142 inet_aton \
1143 inet_ntoa \
1144 inet_ntop \
1145 innetgr \
1146 login_getcapbool \
1147 md5_crypt \
1148 memmove \
1149 mkdtemp \
1150 mmap \
1151 ngetaddrinfo \
1152 nsleep \
1153 ogetaddrinfo \
1154 openlog_r \
1155 openpty \
1156 prctl \
1157 pstat \
1158 readpassphrase \
1159 realpath \
1160 recvmsg \
1161 rresvport_af \
1162 sendmsg \
1163 setdtablesize \
1164 setegid \
1165 setenv \
1166 seteuid \
1167 setgroups \
1168 setlogin \
1169 setpcred \
1170 setproctitle \
1171 setregid \
1172 setreuid \
1173 setrlimit \
1174 setsid \
1175 setvbuf \
1176 sigaction \
1177 sigvec \
1178 snprintf \
1179 socketpair \
1180 strdup \
1181 strerror \
1182 strlcat \
1183 strlcpy \
1184 strmode \
1185 strnvis \
1186 strtonum \
1187 strtoll \
1188 strtoul \
1189 sysconf \
1190 tcgetpgrp \
1191 truncate \
1192 unsetenv \
1193 updwtmpx \
1194 utimes \
1195 vhangup \
1196 vsnprintf \
1197 waitpid \
905) 1198)
906 1199
907# IRIX has a const char return value for gai_strerror() 1200# IRIX has a const char return value for gai_strerror()
@@ -922,8 +1215,15 @@ str = gai_strerror(0);],[
922AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP)) 1215AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP))
923 1216
924dnl Make sure prototypes are defined for these before using them. 1217dnl Make sure prototypes are defined for these before using them.
925AC_CHECK_DECL(strsep, [AC_CHECK_FUNCS(strsep)])
926AC_CHECK_DECL(getrusage, [AC_CHECK_FUNCS(getrusage)]) 1218AC_CHECK_DECL(getrusage, [AC_CHECK_FUNCS(getrusage)])
1219AC_CHECK_DECL(strsep,
1220 [AC_CHECK_FUNCS(strsep)],
1221 [],
1222 [
1223#ifdef HAVE_STRING_H
1224# include <string.h>
1225#endif
1226 ])
927 1227
928dnl tcsendbreak might be a macro 1228dnl tcsendbreak might be a macro
929AC_CHECK_DECL(tcsendbreak, 1229AC_CHECK_DECL(tcsendbreak,
@@ -1011,7 +1311,9 @@ if test "x$ac_cv_func_getpeereid" != "xyes" ; then
1011 [#include <sys/types.h> 1311 [#include <sys/types.h>
1012 #include <sys/socket.h>], 1312 #include <sys/socket.h>],
1013 [int i = SO_PEERCRED;], 1313 [int i = SO_PEERCRED;],
1014 [AC_MSG_RESULT(yes)], 1314 [ AC_MSG_RESULT(yes)
1315 AC_DEFINE(HAVE_SO_PEERCRED, [], [Have PEERCRED socket option])
1316 ],
1015 [AC_MSG_RESULT(no) 1317 [AC_MSG_RESULT(no)
1016 NO_PEERCHECK=1] 1318 NO_PEERCHECK=1]
1017 ) 1319 )
@@ -1090,7 +1392,8 @@ main()
1090 ) 1392 )
1091fi 1393fi
1092 1394
1093if test "x$ac_cv_func_getaddrinfo" = "xyes" -a "x$check_for_hpux_broken_getaddrinfo" = "x1"; then 1395if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
1396 test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
1094 AC_MSG_CHECKING(if getaddrinfo seems to work) 1397 AC_MSG_CHECKING(if getaddrinfo seems to work)
1095 AC_TRY_RUN( 1398 AC_TRY_RUN(
1096 [ 1399 [
@@ -1158,7 +1461,8 @@ main(void)
1158 ) 1461 )
1159fi 1462fi
1160 1463
1161if test "x$ac_cv_func_getaddrinfo" = "xyes" -a "x$check_for_aix_broken_getaddrinfo" = "x1"; then 1464if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
1465 test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
1162 AC_MSG_CHECKING(if getaddrinfo seems to work) 1466 AC_MSG_CHECKING(if getaddrinfo seems to work)
1163 AC_TRY_RUN( 1467 AC_TRY_RUN(
1164 [ 1468 [
@@ -1443,6 +1747,7 @@ if test "x$check_for_libcrypt_later" = "x1"; then
1443 AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt") 1747 AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt")
1444fi 1748fi
1445 1749
1750AC_CHECK_LIB(iaf, ia_openinfo)
1446 1751
1447### Configure cryptographic random number support 1752### Configure cryptographic random number support
1448 1753
@@ -1467,7 +1772,7 @@ int main(void) { exit(RAND_status() == 1 ? 0 : 1); }
1467 [ 1772 [
1468 AC_MSG_WARN([cross compiling: assuming yes]) 1773 AC_MSG_WARN([cross compiling: assuming yes])
1469 # This is safe, since all recent OpenSSL versions will 1774 # This is safe, since all recent OpenSSL versions will
1470 # complain at runtime if not seeded correctly. 1775 # complain at runtime if not seeded correctly.
1471 OPENSSL_SEEDS_ITSELF=yes 1776 OPENSSL_SEEDS_ITSELF=yes
1472 ] 1777 ]
1473) 1778)
@@ -1489,10 +1794,10 @@ AC_ARG_WITH(rand-helper,
1489 USE_RAND_HELPER=yes 1794 USE_RAND_HELPER=yes
1490 fi 1795 fi
1491 ], 1796 ],
1492) 1797)
1493 1798
1494# Which randomness source do we use? 1799# Which randomness source do we use?
1495if test ! -z "$OPENSSL_SEEDS_ITSELF" -a -z "$USE_RAND_HELPER" ; then 1800if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then
1496 # OpenSSL only 1801 # OpenSSL only
1497 AC_DEFINE(OPENSSL_PRNG_ONLY) 1802 AC_DEFINE(OPENSSL_PRNG_ONLY)
1498 RAND_MSG="OpenSSL internal ONLY" 1803 RAND_MSG="OpenSSL internal ONLY"
@@ -1582,10 +1887,11 @@ entropy_timeout=200
1582AC_ARG_WITH(entropy-timeout, 1887AC_ARG_WITH(entropy-timeout,
1583 [ --with-entropy-timeout Specify entropy gathering command timeout (msec)], 1888 [ --with-entropy-timeout Specify entropy gathering command timeout (msec)],
1584 [ 1889 [
1585 if test "x$withval" != "xno" ; then 1890 if test -n "$withval" && test "x$withval" != "xno" && \
1891 test "x${withval}" != "xyes"; then
1586 entropy_timeout=$withval 1892 entropy_timeout=$withval
1587 fi 1893 fi
1588 ] 1894 ]
1589) 1895)
1590AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout) 1896AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout)
1591 1897
@@ -1593,10 +1899,11 @@ SSH_PRIVSEP_USER=sshd
1593AC_ARG_WITH(privsep-user, 1899AC_ARG_WITH(privsep-user,
1594 [ --with-privsep-user=user Specify non-privileged user for privilege separation], 1900 [ --with-privsep-user=user Specify non-privileged user for privilege separation],
1595 [ 1901 [
1596 if test -n "$withval"; then 1902 if test -n "$withval" && test "x$withval" != "xno" && \
1903 test "x${withval}" != "xyes"; then
1597 SSH_PRIVSEP_USER=$withval 1904 SSH_PRIVSEP_USER=$withval
1598 fi 1905 fi
1599 ] 1906 ]
1600) 1907)
1601AC_DEFINE_UNQUOTED(SSH_PRIVSEP_USER, "$SSH_PRIVSEP_USER") 1908AC_DEFINE_UNQUOTED(SSH_PRIVSEP_USER, "$SSH_PRIVSEP_USER")
1602AC_SUBST(SSH_PRIVSEP_USER) 1909AC_SUBST(SSH_PRIVSEP_USER)
@@ -2030,9 +2337,9 @@ fi
2030AC_CHECK_TYPES(struct timespec) 2337AC_CHECK_TYPES(struct timespec)
2031 2338
2032# We need int64_t or else certian parts of the compile will fail. 2339# We need int64_t or else certian parts of the compile will fail.
2033if test "x$ac_cv_have_int64_t" = "xno" -a \ 2340if test "x$ac_cv_have_int64_t" = "xno" && \
2034 "x$ac_cv_sizeof_long_int" != "x8" -a \ 2341 test "x$ac_cv_sizeof_long_int" != "x8" && \
2035 "x$ac_cv_sizeof_long_long_int" = "x0" ; then 2342 test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
2036 echo "OpenSSH requires int64_t support. Contact your vendor or install" 2343 echo "OpenSSH requires int64_t support. Contact your vendor or install"
2037 echo "an alternative compiler (I.E., GCC) before continuing." 2344 echo "an alternative compiler (I.E., GCC) before continuing."
2038 echo "" 2345 echo ""
@@ -2324,23 +2631,28 @@ AC_ARG_WITH(sectok,
2324) 2631)
2325 2632
2326# Check whether user wants OpenSC support 2633# Check whether user wants OpenSC support
2634OPENSC_CONFIG="no"
2327AC_ARG_WITH(opensc, 2635AC_ARG_WITH(opensc,
2328 AC_HELP_STRING([--with-opensc=PFX], 2636 [--with-opensc[[=PFX]] Enable smartcard support using OpenSC (optionally in PATH)],
2329 [Enable smartcard support using OpenSC]), 2637 [
2330 opensc_config_prefix="$withval", opensc_config_prefix="") 2638 if test "x$withval" != "xno" ; then
2331if test x$opensc_config_prefix != x ; then 2639 if test "x$withval" != "xyes" ; then
2332 OPENSC_CONFIG=$opensc_config_prefix/bin/opensc-config 2640 OPENSC_CONFIG=$withval/bin/opensc-config
2333 AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no) 2641 else
2334 if test "$OPENSC_CONFIG" != "no"; then 2642 AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no)
2335 LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags` 2643 fi
2336 LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs` 2644 if test "$OPENSC_CONFIG" != "no"; then
2337 CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS" 2645 LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags`
2338 LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS" 2646 LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs`
2339 AC_DEFINE(SMARTCARD) 2647 CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
2340 AC_DEFINE(USE_OPENSC) 2648 LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS"
2341 SCARD_MSG="yes, using OpenSC" 2649 AC_DEFINE(SMARTCARD)
2342 fi 2650 AC_DEFINE(USE_OPENSC)
2343fi 2651 SCARD_MSG="yes, using OpenSC"
2652 fi
2653 fi
2654 ]
2655)
2344 2656
2345# Check libraries needed by DNS fingerprint support 2657# Check libraries needed by DNS fingerprint support
2346AC_SEARCH_LIBS(getrrsetbyname, resolv, 2658AC_SEARCH_LIBS(getrrsetbyname, resolv,
@@ -2369,6 +2681,9 @@ int main()
2369 AC_MSG_RESULT(no)]) 2681 AC_MSG_RESULT(no)])
2370 ]) 2682 ])
2371 AC_CHECK_FUNCS(_getshort _getlong) 2683 AC_CHECK_FUNCS(_getshort _getlong)
2684 AC_CHECK_DECLS([_getshort, _getlong], , ,
2685 [#include <sys/types.h>
2686 #include <arpa/nameser.h>])
2372 AC_CHECK_MEMBER(HEADER.ad, 2687 AC_CHECK_MEMBER(HEADER.ad,
2373 [AC_DEFINE(HAVE_HEADER_AD)],, 2688 [AC_DEFINE(HAVE_HEADER_AD)],,
2374 [#include <arpa/nameser.h>]) 2689 [#include <arpa/nameser.h>])
@@ -2423,7 +2738,7 @@ AC_ARG_WITH(kerberos5,
2423 AC_DEFINE(HEIMDAL) 2738 AC_DEFINE(HEIMDAL)
2424 K5LIBS="-lkrb5 -ldes" 2739 K5LIBS="-lkrb5 -ldes"
2425 K5LIBS="$K5LIBS -lcom_err -lasn1" 2740 K5LIBS="$K5LIBS -lcom_err -lasn1"
2426 AC_CHECK_LIB(roken, net_write, 2741 AC_CHECK_LIB(roken, net_write,
2427 [K5LIBS="$K5LIBS -lroken"]) 2742 [K5LIBS="$K5LIBS -lroken"])
2428 ], 2743 ],
2429 [ AC_MSG_RESULT(no) 2744 [ AC_MSG_RESULT(no)
@@ -2442,7 +2757,7 @@ AC_ARG_WITH(kerberos5,
2442 $K5LIBS) 2757 $K5LIBS)
2443 ], 2758 ],
2444 $K5LIBS) 2759 $K5LIBS)
2445 2760
2446 AC_CHECK_HEADER(gssapi.h, , 2761 AC_CHECK_HEADER(gssapi.h, ,
2447 [ unset ac_cv_header_gssapi_h 2762 [ unset ac_cv_header_gssapi_h
2448 CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" 2763 CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
@@ -2472,7 +2787,6 @@ AC_ARG_WITH(kerberos5,
2472 2787
2473 LIBS="$LIBS $K5LIBS" 2788 LIBS="$LIBS $K5LIBS"
2474 AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS)) 2789 AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS))
2475 AC_SEARCH_LIBS(krb5_init_ets, $K5LIBS, AC_DEFINE(KRB5_INIT_ETS))
2476 ] 2790 ]
2477) 2791)
2478 2792
@@ -2482,7 +2796,8 @@ PRIVSEP_PATH=/var/empty
2482AC_ARG_WITH(privsep-path, 2796AC_ARG_WITH(privsep-path,
2483 [ --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)], 2797 [ --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
2484 [ 2798 [
2485 if test "x$withval" != "$no" ; then 2799 if test -n "$withval" && test "x$withval" != "xno" && \
2800 test "x${withval}" != "xyes"; then
2486 PRIVSEP_PATH=$withval 2801 PRIVSEP_PATH=$withval
2487 fi 2802 fi
2488 ] 2803 ]
@@ -2492,7 +2807,8 @@ AC_SUBST(PRIVSEP_PATH)
2492AC_ARG_WITH(xauth, 2807AC_ARG_WITH(xauth,
2493 [ --with-xauth=PATH Specify path to xauth program ], 2808 [ --with-xauth=PATH Specify path to xauth program ],
2494 [ 2809 [
2495 if test "x$withval" != "xno" ; then 2810 if test -n "$withval" && test "x$withval" != "xno" && \
2811 test "x${withval}" != "xyes"; then
2496 xauth_path=$withval 2812 xauth_path=$withval
2497 fi 2813 fi
2498 ], 2814 ],
@@ -2610,7 +2926,7 @@ AC_ARG_WITH(md5-passwords,
2610AC_ARG_WITH(shadow, 2926AC_ARG_WITH(shadow,
2611 [ --without-shadow Disable shadow password support], 2927 [ --without-shadow Disable shadow password support],
2612 [ 2928 [
2613 if test "x$withval" = "xno" ; then 2929 if test "x$withval" = "xno" ; then
2614 AC_DEFINE(DISABLE_SHADOW) 2930 AC_DEFINE(DISABLE_SHADOW)
2615 disable_shadow=yes 2931 disable_shadow=yes
2616 fi 2932 fi
@@ -2645,7 +2961,7 @@ else
2645 AC_ARG_WITH(ipaddr-display, 2961 AC_ARG_WITH(ipaddr-display,
2646 [ --with-ipaddr-display Use ip address instead of hostname in \$DISPLAY], 2962 [ --with-ipaddr-display Use ip address instead of hostname in \$DISPLAY],
2647 [ 2963 [
2648 if test "x$withval" != "xno" ; then 2964 if test "x$withval" != "xno" ; then
2649 AC_DEFINE(IPADDR_IN_DISPLAY) 2965 AC_DEFINE(IPADDR_IN_DISPLAY)
2650 DISPLAY_HACK_MSG="yes" 2966 DISPLAY_HACK_MSG="yes"
2651 fi 2967 fi
@@ -2677,8 +2993,8 @@ if test "x$etc_default_login" != "xno"; then
2677fi 2993fi
2678 2994
2679dnl BSD systems use /etc/login.conf so --with-default-path= has no effect 2995dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
2680if test $ac_cv_func_login_getcapbool = "yes" -a \ 2996if test $ac_cv_func_login_getcapbool = "yes" && \
2681 $ac_cv_header_login_cap_h = "yes" ; then 2997 test $ac_cv_header_login_cap_h = "yes" ; then
2682 external_path_file=/etc/login.conf 2998 external_path_file=/etc/login.conf
2683fi 2999fi
2684 3000
@@ -2691,7 +3007,7 @@ AC_ARG_WITH(default-path,
2691 AC_MSG_WARN([ 3007 AC_MSG_WARN([
2692--with-default-path=PATH has no effect on this system. 3008--with-default-path=PATH has no effect on this system.
2693Edit /etc/login.conf instead.]) 3009Edit /etc/login.conf instead.])
2694 elif test "x$withval" != "xno" ; then 3010 elif test "x$withval" != "xno" ; then
2695 if test ! -z "$external_path_file" ; then 3011 if test ! -z "$external_path_file" ; then
2696 AC_MSG_WARN([ 3012 AC_MSG_WARN([
2697--with-default-path=PATH will only be used if PATH is not defined in 3013--with-default-path=PATH will only be used if PATH is not defined in
@@ -2732,11 +3048,11 @@ main()
2732{ 3048{
2733 FILE *fd; 3049 FILE *fd;
2734 int rc; 3050 int rc;
2735 3051
2736 fd = fopen(DATA,"w"); 3052 fd = fopen(DATA,"w");
2737 if(fd == NULL) 3053 if(fd == NULL)
2738 exit(1); 3054 exit(1);
2739 3055
2740 if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0) 3056 if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
2741 exit(1); 3057 exit(1);
2742 3058
@@ -2773,7 +3089,8 @@ fi
2773AC_ARG_WITH(superuser-path, 3089AC_ARG_WITH(superuser-path,
2774 [ --with-superuser-path= Specify different path for super-user], 3090 [ --with-superuser-path= Specify different path for super-user],
2775 [ 3091 [
2776 if test "x$withval" != "xno" ; then 3092 if test -n "$withval" && test "x$withval" != "xno" && \
3093 test "x${withval}" != "xyes"; then
2777 AC_DEFINE_UNQUOTED(SUPERUSER_PATH, "$withval") 3094 AC_DEFINE_UNQUOTED(SUPERUSER_PATH, "$withval")
2778 superuser_path=$withval 3095 superuser_path=$withval
2779 fi 3096 fi
@@ -2809,7 +3126,7 @@ BSD_AUTH_MSG=no
2809AC_ARG_WITH(bsd-auth, 3126AC_ARG_WITH(bsd-auth,
2810 [ --with-bsd-auth Enable BSD auth support], 3127 [ --with-bsd-auth Enable BSD auth support],
2811 [ 3128 [
2812 if test "x$withval" != "xno" ; then 3129 if test "x$withval" != "xno" ; then
2813 AC_DEFINE(BSD_AUTH) 3130 AC_DEFINE(BSD_AUTH)
2814 BSD_AUTH_MSG=yes 3131 BSD_AUTH_MSG=yes
2815 fi 3132 fi
@@ -2819,7 +3136,7 @@ AC_ARG_WITH(bsd-auth,
2819# Where to place sshd.pid 3136# Where to place sshd.pid
2820piddir=/var/run 3137piddir=/var/run
2821# make sure the directory exists 3138# make sure the directory exists
2822if test ! -d $piddir ; then 3139if test ! -d $piddir ; then
2823 piddir=`eval echo ${sysconfdir}` 3140 piddir=`eval echo ${sysconfdir}`
2824 case $piddir in 3141 case $piddir in
2825 NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;; 3142 NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
@@ -2829,9 +3146,10 @@ fi
2829AC_ARG_WITH(pid-dir, 3146AC_ARG_WITH(pid-dir,
2830 [ --with-pid-dir=PATH Specify location of ssh.pid file], 3147 [ --with-pid-dir=PATH Specify location of ssh.pid file],
2831 [ 3148 [
2832 if test "x$withval" != "xno" ; then 3149 if test -n "$withval" && test "x$withval" != "xno" && \
3150 test "x${withval}" != "xyes"; then
2833 piddir=$withval 3151 piddir=$withval
2834 if test ! -d $piddir ; then 3152 if test ! -d $piddir ; then
2835 AC_MSG_WARN([** no $piddir directory on this system **]) 3153 AC_MSG_WARN([** no $piddir directory on this system **])
2836 fi 3154 fi
2837 fi 3155 fi
@@ -2909,9 +3227,9 @@ AC_ARG_ENABLE(pututxline,
2909AC_ARG_WITH(lastlog, 3227AC_ARG_WITH(lastlog,
2910 [ --with-lastlog=FILE|DIR specify lastlog location [common locations]], 3228 [ --with-lastlog=FILE|DIR specify lastlog location [common locations]],
2911 [ 3229 [
2912 if test "x$withval" = "xno" ; then 3230 if test "x$withval" = "xno" ; then
2913 AC_DEFINE(DISABLE_LASTLOG) 3231 AC_DEFINE(DISABLE_LASTLOG)
2914 else 3232 elif test -n "$withval" && test "x${withval}" != "xyes"; then
2915 conf_lastlog_location=$withval 3233 conf_lastlog_location=$withval
2916 fi 3234 fi
2917 ] 3235 ]
@@ -2978,7 +3296,7 @@ fi
2978 3296
2979if test -n "$conf_lastlog_location"; then 3297if test -n "$conf_lastlog_location"; then
2980 AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, "$conf_lastlog_location") 3298 AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, "$conf_lastlog_location")
2981fi 3299fi
2982 3300
2983dnl utmp detection 3301dnl utmp detection
2984AC_MSG_CHECKING([if your system defines UTMP_FILE]) 3302AC_MSG_CHECKING([if your system defines UTMP_FILE])
@@ -3008,7 +3326,7 @@ if test -z "$conf_utmp_location"; then
3008fi 3326fi
3009if test -n "$conf_utmp_location"; then 3327if test -n "$conf_utmp_location"; then
3010 AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location") 3328 AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location")
3011fi 3329fi
3012 3330
3013dnl wtmp detection 3331dnl wtmp detection
3014AC_MSG_CHECKING([if your system defines WTMP_FILE]) 3332AC_MSG_CHECKING([if your system defines WTMP_FILE])
@@ -3038,7 +3356,7 @@ if test -z "$conf_wtmp_location"; then
3038fi 3356fi
3039if test -n "$conf_wtmp_location"; then 3357if test -n "$conf_wtmp_location"; then
3040 AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location") 3358 AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location")
3041fi 3359fi
3042 3360
3043 3361
3044dnl utmpx detection - I don't know any system so perverse as to require 3362dnl utmpx detection - I don't know any system so perverse as to require
@@ -3066,7 +3384,7 @@ if test -z "$conf_utmpx_location"; then
3066 fi 3384 fi
3067else 3385else
3068 AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location") 3386 AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location")
3069fi 3387fi
3070 3388
3071dnl wtmpx detection 3389dnl wtmpx detection
3072AC_MSG_CHECKING([if your system defines WTMPX_FILE]) 3390AC_MSG_CHECKING([if your system defines WTMPX_FILE])
@@ -3091,7 +3409,7 @@ if test -z "$conf_wtmpx_location"; then
3091 fi 3409 fi
3092else 3410else
3093 AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location") 3411 AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location")
3094fi 3412fi
3095 3413
3096 3414
3097if test ! -z "$blibpath" ; then 3415if test ! -z "$blibpath" ; then
@@ -3107,6 +3425,10 @@ if test "$ac_cv_lib_pam_pam_set_item" = yes ; then
3107 LIBS=`echo $LIBS | sed 's/-ldl //'` 3425 LIBS=`echo $LIBS | sed 's/-ldl //'`
3108fi 3426fi
3109 3427
3428dnl Adding -Werror to CFLAGS early prevents configure tests from running.
3429dnl Add now.
3430CFLAGS="$CFLAGS $werror_flags"
3431
3110AC_EXEEXT 3432AC_EXEEXT
3111AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openbsd-compat/Makefile \ 3433AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openbsd-compat/Makefile \
3112 scard/Makefile ssh_prng_cmds survey.sh]) 3434 scard/Makefile ssh_prng_cmds survey.sh])
diff --git a/contrib/aix/buildbff.sh b/contrib/aix/buildbff.sh
index 4a5c32b0e..09b9c118c 100755
--- a/contrib/aix/buildbff.sh
+++ b/contrib/aix/buildbff.sh
@@ -1,7 +1,7 @@
1#!/bin/sh 1#!/bin/sh
2# 2#
3# buildbff.sh: Create AIX SMIT-installable OpenSSH packages 3# buildbff.sh: Create AIX SMIT-installable OpenSSH packages
4# $Id: buildbff.sh,v 1.7 2003/11/21 12:48:56 djm Exp $ 4# $Id: buildbff.sh,v 1.8 2005/03/29 13:24:12 dtucker Exp $
5# 5#
6# Author: Darren Tucker (dtucker at zip dot com dot au) 6# Author: Darren Tucker (dtucker at zip dot com dot au)
7# This file is placed in the public domain and comes with absolutely 7# This file is placed in the public domain and comes with absolutely
@@ -219,7 +219,7 @@ else
219 fi 219 fi
220 220
221 # Create user if required 221 # Create user if required
222 if lsuser ALL | cut -f1 -d: | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null 222 if lsuser "$SSH_PRIVSEP_USER" >/dev/null
223 then 223 then
224 echo "PrivSep user $SSH_PRIVSEP_USER already exists." 224 echo "PrivSep user $SSH_PRIVSEP_USER already exists."
225 else 225 else
diff --git a/contrib/aix/pam.conf b/contrib/aix/pam.conf
index 1495f43cb..f1528b005 100644
--- a/contrib/aix/pam.conf
+++ b/contrib/aix/pam.conf
@@ -11,10 +11,10 @@ OTHER auth required /usr/lib/security/pam_aix
11sshd account required /usr/lib/security/pam_aix 11sshd account required /usr/lib/security/pam_aix
12OTHER account required /usr/lib/security/pam_aix 12OTHER account required /usr/lib/security/pam_aix
13 13
14# Session Management 14# Password Management
15sshd password required /usr/lib/security/pam_aix 15sshd password required /usr/lib/security/pam_aix
16OTHER password required /usr/lib/security/pam_aix 16OTHER password required /usr/lib/security/pam_aix
17 17
18# Password Management 18# Session Management
19sshd session required /usr/lib/security/pam_aix 19sshd session required /usr/lib/security/pam_aix
20OTHER session required /usr/lib/security/pam_aix 20OTHER session required /usr/lib/security/pam_aix
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec
index 67d8e6ff4..bfde0fefc 100644
--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -17,12 +17,12 @@
17#old cvs stuff. please update before use. may be deprecated. 17#old cvs stuff. please update before use. may be deprecated.
18%define use_stable 1 18%define use_stable 1
19%if %{use_stable} 19%if %{use_stable}
20 %define version 4.0p1 20 %define version 4.2p1
21 %define cvs %{nil} 21 %define cvs %{nil}
22 %define release 1 22 %define release 1
23%else 23%else
24 %define version 3.9p1 24 %define version 4.1p1
25 %define cvs cvs20011009 25 %define cvs cvs20050315
26 %define release 0r1 26 %define release 0r1
27%endif 27%endif
28%define xsa x11-ssh-askpass 28%define xsa x11-ssh-askpass
@@ -297,12 +297,7 @@ fi
297 297
298%PreUn server 298%PreUn server
299[ "$1" = 0 ] || exit 0 299[ "$1" = 0 ] || exit 0
300
301! %{SVIdir}/sshd status || %{SVIdir}/sshd stop 300! %{SVIdir}/sshd status || %{SVIdir}/sshd stop
302: # to protect the rpm database
303
304
305%PostUn server
306if [ -x %{LSBinit}-remove ]; then 301if [ -x %{LSBinit}-remove ]; then
307 %{LSBinit}-remove sshd 302 %{LSBinit}-remove sshd
308else 303else
@@ -310,7 +305,6 @@ else
310fi 305fi
311: # to protect the rpm database 306: # to protect the rpm database
312 307
313
314%Files 308%Files
315%defattr(-,root,root) 309%defattr(-,root,root)
316%dir %{_sysconfdir} 310%dir %{_sysconfdir}
@@ -363,4 +357,4 @@ fi
363* Mon Jan 01 1998 ... 357* Mon Jan 01 1998 ...
364Template Version: 1.31 358Template Version: 1.31
365 359
366$Id: openssh.spec,v 1.52 2005/03/09 00:02:42 djm Exp $ 360$Id: openssh.spec,v 1.55 2005/09/01 09:10:49 djm Exp $
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index c7164f610..fbfb5c195 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -449,12 +449,10 @@ then
449 echo "Should this script create a new local account 'sshd_server' which has" 449 echo "Should this script create a new local account 'sshd_server' which has"
450 if request "the required privileges?" 450 if request "the required privileges?"
451 then 451 then
452 _admingroup=`awk -F: '{if ( $1 != "root" && $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group` 452 _admingroup=`mkgroup -l | awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' `
453 if [ -z "${_admingroup}" ] 453 if [ -z "${_admingroup}" ]
454 then 454 then
455 echo "There's no group with SID S-1-5-32-544 (Local administrators group) in" 455 echo "mkgroup -l produces no group with SID S-1-5-32-544 (Local administrators group)."
456 echo "your ${SYSCONFDIR}/group file. Please regenerate this entry using 'mkgroup -l'"
457 echo "and restart this script."
458 exit 1 456 exit 1
459 fi 457 fi
460 dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty` 458 dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
@@ -585,6 +583,16 @@ then
585 chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log 583 chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
586 fi 584 fi
587 fi 585 fi
586 if ! ( mount | egrep -q 'on /(|usr/(bin|lib)) type system' )
587 then
588 echo
589 echo "Warning: It appears that you have user mode mounts (\"Just me\""
590 echo "chosen during install.) Any daemons installed as services will"
591 echo "fail to function unless system mounts are used. To change this,"
592 echo "re-run setup.exe and choose \"All users\"."
593 echo
594 echo "For more information, see http://cygwin.com/faq/faq0.html#TOC33"
595 fi
588 fi 596 fi
589fi 597fi
590 598
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index 8fbc4c02a..049b07fe4 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
1%define ver 4.0p1 1%define ver 4.2p1
2%define rel 1 2%define rel 1
3 3
4# OpenSSH privilege separation requires a user & group ID 4# OpenSSH privilege separation requires a user & group ID
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index 449613db6..6ad862fad 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -1,6 +1,6 @@
1Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation 1Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
2Name: openssh 2Name: openssh
3Version: 4.0p1 3Version: 4.2p1
4URL: http://www.openssh.com/ 4URL: http://www.openssh.com/
5Release: 1 5Release: 1
6Source0: openssh-%{version}.tar.gz 6Source0: openssh-%{version}.tar.gz
diff --git a/defines.h b/defines.h
index 7758bc37a..408b988b5 100644
--- a/defines.h
+++ b/defines.h
@@ -25,7 +25,7 @@
25#ifndef _DEFINES_H 25#ifndef _DEFINES_H
26#define _DEFINES_H 26#define _DEFINES_H
27 27
28/* $Id: defines.h,v 1.119 2005/02/20 10:01:49 dtucker Exp $ */ 28/* $Id: defines.h,v 1.127 2005/08/31 16:59:49 tim Exp $ */
29 29
30 30
31/* Constants */ 31/* Constants */
@@ -54,10 +54,24 @@ enum
54# ifdef PATH_MAX 54# ifdef PATH_MAX
55# define MAXPATHLEN PATH_MAX 55# define MAXPATHLEN PATH_MAX
56# else /* PATH_MAX */ 56# else /* PATH_MAX */
57# define MAXPATHLEN 64 /* Should be safe */ 57# define MAXPATHLEN 64
58/* realpath uses a fixed buffer of size MAXPATHLEN, so force use of ours */
59# ifndef BROKEN_REALPATH
60# define BROKEN_REALPATH 1
61# endif /* BROKEN_REALPATH */
58# endif /* PATH_MAX */ 62# endif /* PATH_MAX */
59#endif /* MAXPATHLEN */ 63#endif /* MAXPATHLEN */
60 64
65#ifndef PATH_MAX
66# ifdef _POSIX_PATH_MAX
67# define PATH_MAX _POSIX_PATH_MAX
68# endif
69#endif
70
71#ifndef MAXSYMLINKS
72# define MAXSYMLINKS 5
73#endif
74
61#ifndef STDIN_FILENO 75#ifndef STDIN_FILENO
62# define STDIN_FILENO 0 76# define STDIN_FILENO 0
63#endif 77#endif
@@ -432,6 +446,10 @@ struct winsize {
432# define __dead __attribute__((noreturn)) 446# define __dead __attribute__((noreturn))
433#endif 447#endif
434 448
449#if !defined(HAVE_ATTRIBUTE__SENTINEL__) && !defined(__sentinel__)
450# define __sentinel__
451#endif
452
435/* *-*-nto-qnx doesn't define this macro in the system headers */ 453/* *-*-nto-qnx doesn't define this macro in the system headers */
436#ifdef MISSING_HOWMANY 454#ifdef MISSING_HOWMANY
437# define howmany(x,y) (((x)+((y)-1))/(y)) 455# define howmany(x,y) (((x)+((y)-1))/(y))
@@ -567,6 +585,23 @@ struct winsize {
567# define SSH_SYSFDMAX 10000 585# define SSH_SYSFDMAX 10000
568#endif 586#endif
569 587
588#if defined(__Lynx__)
589 /*
590 * LynxOS defines these in param.h which we do not want to include since
591 * it will also pull in a bunch of kernel definitions.
592 */
593# define ALIGNBYTES (sizeof(int) - 1)
594# define ALIGN(p) (((unsigned)p + ALIGNBYTES) & ~ALIGNBYTES)
595 /* Missing prototypes on LynxOS */
596 int snprintf (char *, size_t, const char *, ...);
597 int mkstemp (char *);
598 char *crypt (const char *, const char *);
599 int seteuid (uid_t);
600 int setegid (gid_t);
601 char *mkdtemp (char *);
602 int rresvport_af (int *, sa_family_t);
603 int innetgr (const char *, const char *, const char *, const char *);
604#endif
570 605
571/* 606/*
572 * Define this to use pipes instead of socketpairs for communicating with the 607 * Define this to use pipes instead of socketpairs for communicating with the
@@ -653,6 +688,10 @@ struct winsize {
653# define CUSTOM_SYS_AUTH_PASSWD 1 688# define CUSTOM_SYS_AUTH_PASSWD 1
654#endif 689#endif
655 690
691#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
692# define CUSTOM_SYS_AUTH_PASSWD 1
693#endif
694
656/* HP-UX 11.11 */ 695/* HP-UX 11.11 */
657#ifdef BTMP_FILE 696#ifdef BTMP_FILE
658# define _PATH_BTMP BTMP_FILE 697# define _PATH_BTMP BTMP_FILE
@@ -664,4 +703,12 @@ struct winsize {
664 703
665/** end of login recorder definitions */ 704/** end of login recorder definitions */
666 705
706#ifdef BROKEN_GETGROUPS
707# define getgroups(a,b) ((a)==0 && (b)==NULL ? NGROUPS_MAX : getgroups((a),(b)))
708#endif
709
710#if defined(HAVE_MMAP) && defined(BROKEN_MMAP)
711# undef HAVE_MMAP
712#endif
713
667#endif /* _DEFINES_H */ 714#endif /* _DEFINES_H */
diff --git a/dns.c b/dns.c
index 140ab6042..4487c1aba 100644
--- a/dns.c
+++ b/dns.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: dns.c,v 1.10 2004/06/21 17:36:31 avsm Exp $ */ 1/* $OpenBSD: dns.c,v 1.12 2005/06/17 02:44:32 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2003 Wesley Griffin. All rights reserved. 4 * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -43,7 +43,7 @@
43#include "uuencode.h" 43#include "uuencode.h"
44 44
45extern char *__progname; 45extern char *__progname;
46RCSID("$OpenBSD: dns.c,v 1.10 2004/06/21 17:36:31 avsm Exp $"); 46RCSID("$OpenBSD: dns.c,v 1.12 2005/06/17 02:44:32 djm Exp $");
47 47
48#ifndef LWRES 48#ifndef LWRES
49static const char *errset_text[] = { 49static const char *errset_text[] = {
@@ -142,6 +142,26 @@ dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type,
142 return success; 142 return success;
143} 143}
144 144
145/*
146 * Check if hostname is numerical.
147 * Returns -1 if hostname is numeric, 0 otherwise
148 */
149static int
150is_numeric_hostname(const char *hostname)
151{
152 struct addrinfo hints, *ai;
153
154 memset(&hints, 0, sizeof(hints));
155 hints.ai_socktype = SOCK_DGRAM;
156 hints.ai_flags = AI_NUMERICHOST;
157
158 if (getaddrinfo(hostname, "0", &hints, &ai) == 0) {
159 freeaddrinfo(ai);
160 return -1;
161 }
162
163 return 0;
164}
145 165
146/* 166/*
147 * Verify the given hostname, address and host key using DNS. 167 * Verify the given hostname, address and host key using DNS.
@@ -151,7 +171,7 @@ int
151verify_host_key_dns(const char *hostname, struct sockaddr *address, 171verify_host_key_dns(const char *hostname, struct sockaddr *address,
152 const Key *hostkey, int *flags) 172 const Key *hostkey, int *flags)
153{ 173{
154 int counter; 174 u_int counter;
155 int result; 175 int result;
156 struct rrsetinfo *fingerprints = NULL; 176 struct rrsetinfo *fingerprints = NULL;
157 177
@@ -171,6 +191,11 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
171 if (hostkey == NULL) 191 if (hostkey == NULL)
172 fatal("No key to look up!"); 192 fatal("No key to look up!");
173 193
194 if (is_numeric_hostname(hostname)) {
195 debug("skipped DNS lookup for numerical hostname");
196 return -1;
197 }
198
174 result = getrrsetbyname(hostname, DNS_RDATACLASS_IN, 199 result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
175 DNS_RDATATYPE_SSHFP, 0, &fingerprints); 200 DNS_RDATATYPE_SSHFP, 0, &fingerprints);
176 if (result) { 201 if (result) {
@@ -249,7 +274,7 @@ export_dns_rr(const char *hostname, const Key *key, FILE *f, int generic)
249 u_char *rdata_digest; 274 u_char *rdata_digest;
250 u_int rdata_digest_len; 275 u_int rdata_digest_len;
251 276
252 int i; 277 u_int i;
253 int success = 0; 278 int success = 0;
254 279
255 if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type, 280 if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
diff --git a/entropy.c b/entropy.c
index 0997174b6..410bbb927 100644
--- a/entropy.c
+++ b/entropy.c
@@ -45,7 +45,7 @@
45 * XXX: we should tell the child how many bytes we need. 45 * XXX: we should tell the child how many bytes we need.
46 */ 46 */
47 47
48RCSID("$Id: entropy.c,v 1.48 2003/11/21 12:56:47 djm Exp $"); 48RCSID("$Id: entropy.c,v 1.49 2005/07/17 07:26:44 djm Exp $");
49 49
50#ifndef OPENSSL_PRNG_ONLY 50#ifndef OPENSSL_PRNG_ONLY
51#define RANDOM_SEED_SIZE 48 51#define RANDOM_SEED_SIZE 48
@@ -114,8 +114,8 @@ seed_rng(void)
114 close(p[0]); 114 close(p[0]);
115 115
116 if (waitpid(pid, &ret, 0) == -1) 116 if (waitpid(pid, &ret, 0) == -1)
117 fatal("Couldn't wait for ssh-rand-helper completion: %s", 117 fatal("Couldn't wait for ssh-rand-helper completion: %s",
118 strerror(errno)); 118 strerror(errno));
119 signal(SIGCHLD, old_sigchld); 119 signal(SIGCHLD, old_sigchld);
120 120
121 /* We don't mind if the child exits upon a SIGPIPE */ 121 /* We don't mind if the child exits upon a SIGPIPE */
diff --git a/gss-genr.c b/gss-genr.c
index 36925df4e..9dec270a3 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -1,7 +1,7 @@
1/* $OpenBSD: gss-genr.c,v 1.3 2003/11/21 11:57:03 djm Exp $ */ 1/* $OpenBSD: gss-genr.c,v 1.4 2005/07/17 07:17:55 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 4 * Copyright (c) 2001-2005 Simon Wilkinson. All rights reserved.
5 * 5 *
6 * Redistribution and use in source and binary forms, with or without 6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions 7 * modification, are permitted provided that the following conditions
@@ -55,6 +55,11 @@ Gssctxt *gss_kex_context = NULL;
55 55
56static ssh_gss_kex_mapping *gss_enc2oid = NULL; 56static ssh_gss_kex_mapping *gss_enc2oid = NULL;
57 57
58int
59ssh_gssapi_oid_table_ok() {
60 return (gss_enc2oid != NULL);
61}
62
58/* 63/*
59 * Return a list of the gss-group1-sha1 mechanisms supported by this program 64 * Return a list of the gss-group1-sha1 mechanisms supported by this program
60 * 65 *
@@ -64,7 +69,7 @@ static ssh_gss_kex_mapping *gss_enc2oid = NULL;
64 69
65 70
66char * 71char *
67ssh_gssapi_client_mechanisms(char *host) { 72ssh_gssapi_client_mechanisms(const char *host) {
68 gss_OID_set gss_supported; 73 gss_OID_set gss_supported;
69 OM_uint32 min_status; 74 OM_uint32 min_status;
70 75
@@ -85,8 +90,6 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
85 const EVP_MD *evp_md = EVP_md5(); 90 const EVP_MD *evp_md = EVP_md5();
86 EVP_MD_CTX md; 91 EVP_MD_CTX md;
87 92
88 evp_md = EVP_md5();
89
90 if (gss_enc2oid != NULL) { 93 if (gss_enc2oid != NULL) {
91 for (i=0;gss_enc2oid[i].encoded!=NULL;i++) 94 for (i=0;gss_enc2oid[i].encoded!=NULL;i++)
92 xfree(gss_enc2oid[i].encoded); 95 xfree(gss_enc2oid[i].encoded);
@@ -99,12 +102,13 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
99 buffer_init(&buf); 102 buffer_init(&buf);
100 103
101 oidpos = 0; 104 oidpos = 0;
102 for (i=0;i<gss_supported->count;i++) { 105 for (i = 0;i < gss_supported->count;i++) {
103 if (gss_supported->elements[i].length<128 && 106 if (gss_supported->elements[i].length < 128 &&
104 (*check)(&(gss_supported->elements[i]), data)) { 107 (*check)(&(gss_supported->elements[i]), data)) {
105 108
106 deroid[0] = SSH_GSS_OIDTYPE; 109 deroid[0] = SSH_GSS_OIDTYPE;
107 deroid[1] = gss_supported->elements[i].length; 110 deroid[1] = gss_supported->elements[i].length;
111
108 EVP_DigestInit(&md, evp_md); 112 EVP_DigestInit(&md, evp_md);
109 EVP_DigestUpdate(&md, deroid, 2); 113 EVP_DigestUpdate(&md, deroid, 2);
110 EVP_DigestUpdate(&md, 114 EVP_DigestUpdate(&md,
@@ -117,10 +121,14 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
117 encoded, EVP_MD_size(evp_md)*2); 121 encoded, EVP_MD_size(evp_md)*2);
118 122
119 if (oidpos != 0) 123 if (oidpos != 0)
120 buffer_put_char(&buf,','); 124 buffer_put_char(&buf, ',');
121 125
122 buffer_append(&buf, KEX_GSS_SHA1, 126 buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
123 sizeof(KEX_GSS_SHA1)-1); 127 sizeof(KEX_GSS_GEX_SHA1_ID)-1);
128 buffer_append(&buf, encoded, enclen);
129 buffer_put_char(&buf,',');
130 buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID,
131 sizeof(KEX_GSS_GRP1_SHA1_ID)-1);
124 buffer_append(&buf, encoded, enclen); 132 buffer_append(&buf, encoded, enclen);
125 133
126 gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]); 134 gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
@@ -131,7 +139,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
131 gss_enc2oid[oidpos].oid = NULL; 139 gss_enc2oid[oidpos].oid = NULL;
132 gss_enc2oid[oidpos].encoded = NULL; 140 gss_enc2oid[oidpos].encoded = NULL;
133 141
134 buffer_put_char(&buf,'\0'); 142 buffer_put_char(&buf, '\0');
135 143
136 mechs = xmalloc(buffer_len(&buf)); 144 mechs = xmalloc(buffer_len(&buf));
137 buffer_get(&buf, mechs, buffer_len(&buf)); 145 buffer_get(&buf, mechs, buffer_len(&buf));
@@ -146,21 +154,28 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
146} 154}
147 155
148gss_OID 156gss_OID
149ssh_gssapi_id_kex(Gssctxt *ctx, char *name) { 157ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int *gex) {
150 int i = 0; 158 int i = 0;
151 159
152 if (strncmp(name, KEX_GSS_SHA1, sizeof(KEX_GSS_SHA1)-1) != 0) 160 if (strncmp(name, KEX_GSS_GRP1_SHA1_ID,
161 sizeof(KEX_GSS_GRP1_SHA1_ID)-1) == 0) {
162 name+=sizeof(KEX_GSS_GRP1_SHA1_ID)-1;
163 *gex = 0;
164 } else if (strncmp(name, KEX_GSS_GEX_SHA1_ID,
165 sizeof(KEX_GSS_GEX_SHA1_ID)-1) == 0) {
166 name+=sizeof(KEX_GSS_GEX_SHA1_ID)-1;
167 *gex = 1;
168 } else {
153 return NULL; 169 return NULL;
154 170 }
155 name+=sizeof(KEX_GSS_SHA1)-1; /* Skip ID string */
156 171
157 while (gss_enc2oid[i].encoded != NULL && 172 while (gss_enc2oid[i].encoded != NULL &&
158 strcmp(name,gss_enc2oid[i].encoded)!=0) { 173 strcmp(name, gss_enc2oid[i].encoded) != 0) {
159 i++; 174 i++;
160 } 175 }
161 176
162 if (gss_enc2oid[i].oid != NULL && ctx != NULL) 177 if (gss_enc2oid[i].oid != NULL && ctx != NULL)
163 ssh_gssapi_set_oid(ctx,gss_enc2oid[i].oid); 178 ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);
164 179
165 return gss_enc2oid[i].oid; 180 return gss_enc2oid[i].oid;
166} 181}
@@ -203,8 +218,8 @@ ssh_gssapi_error(Gssctxt *ctxt)
203} 218}
204 219
205char * 220char *
206ssh_gssapi_last_error(Gssctxt *ctxt, 221ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status,
207 OM_uint32 *major_status, OM_uint32 *minor_status) 222 OM_uint32 *minor_status)
208{ 223{
209 OM_uint32 lmin; 224 OM_uint32 lmin;
210 gss_buffer_desc msg = GSS_C_EMPTY_BUFFER; 225 gss_buffer_desc msg = GSS_C_EMPTY_BUFFER;
@@ -422,7 +437,7 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) {
422int 437int
423ssh_gssapi_check_mechanism(gss_OID oid, void *host) { 438ssh_gssapi_check_mechanism(gss_OID oid, void *host) {
424 Gssctxt * ctx = NULL; 439 Gssctxt * ctx = NULL;
425 gss_buffer_desc token; 440 gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
426 OM_uint32 major, minor; 441 OM_uint32 major, minor;
427 442
428 ssh_gssapi_build_ctx(&ctx); 443 ssh_gssapi_build_ctx(&ctx);
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index 91d87f798..4f02621dd 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -65,9 +65,6 @@ ssh_gssapi_krb5_init(void)
65 logit("Cannot initialize krb5 context"); 65 logit("Cannot initialize krb5 context");
66 return 0; 66 return 0;
67 } 67 }
68#ifdef KRB5_INIT_ETS
69 krb5_init_ets(krb_context);
70#endif
71 68
72 return 1; 69 return 1;
73} 70}
@@ -131,34 +128,10 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
131 return; 128 return;
132 } 129 }
133#else 130#else
134 { 131 if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
135 int tmpfd; 132 logit("ssh_krb5_cc_gen(): %.100s",
136 char ccname[40]; 133 krb5_get_err_text(krb_context, problem));
137 mode_t old_umask; 134 return;
138
139 snprintf(ccname, sizeof(ccname),
140 "FILE:/tmp/krb5cc_%d_XXXXXX", geteuid());
141
142 old_umask = umask(0177);
143 tmpfd = mkstemp(ccname + strlen("FILE:"));
144 umask(old_umask);
145 if (tmpfd == -1) {
146 logit("mkstemp(): %.100s", strerror(errno));
147 problem = errno;
148 return;
149 }
150 if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
151 logit("fchmod(): %.100s", strerror(errno));
152 close(tmpfd);
153 problem = errno;
154 return;
155 }
156 close(tmpfd);
157 if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
158 logit("krb5_cc_resolve(): %.100s",
159 krb5_get_err_text(krb_context, problem));
160 return;
161 }
162 } 135 }
163#endif /* #ifdef HEIMDAL */ 136#endif /* #ifdef HEIMDAL */
164 137
diff --git a/gss-serv.c b/gss-serv.c
index fad79a1b4..05ae54e97 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: gss-serv.c,v 1.5 2003/11/17 11:06:07 markus Exp $ */ 1/* $OpenBSD: gss-serv.c,v 1.8 2005/08/30 22:08:05 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -156,7 +156,7 @@ ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok,
156static OM_uint32 156static OM_uint32
157ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name) 157ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
158{ 158{
159 char *tok; 159 u_char *tok;
160 OM_uint32 offset; 160 OM_uint32 offset;
161 OM_uint32 oidl; 161 OM_uint32 oidl;
162 162
@@ -186,7 +186,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
186 */ 186 */
187 if (tok[4] != 0x06 || tok[5] != oidl || 187 if (tok[4] != 0x06 || tok[5] != oidl ||
188 ename->length < oidl+6 || 188 ename->length < oidl+6 ||
189 !ssh_gssapi_check_oid(ctx,tok+6,oidl)) 189 !ssh_gssapi_check_oid(ctx,tok+6,oidl))
190 return GSS_S_FAILURE; 190 return GSS_S_FAILURE;
191 191
192 offset = oidl+6; 192 offset = oidl+6;
@@ -289,7 +289,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
289 debug("Setting %s to %s", gssapi_client.store.envvar, 289 debug("Setting %s to %s", gssapi_client.store.envvar,
290 gssapi_client.store.envval); 290 gssapi_client.store.envval);
291 child_set_env(envp, envsizep, gssapi_client.store.envvar, 291 child_set_env(envp, envsizep, gssapi_client.store.envvar,
292 gssapi_client.store.envval); 292 gssapi_client.store.envval);
293 } 293 }
294} 294}
295 295
@@ -297,13 +297,24 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
297int 297int
298ssh_gssapi_userok(char *user) 298ssh_gssapi_userok(char *user)
299{ 299{
300 OM_uint32 lmin;
301
300 if (gssapi_client.exportedname.length == 0 || 302 if (gssapi_client.exportedname.length == 0 ||
301 gssapi_client.exportedname.value == NULL) { 303 gssapi_client.exportedname.value == NULL) {
302 debug("No suitable client data"); 304 debug("No suitable client data");
303 return 0; 305 return 0;
304 } 306 }
305 if (gssapi_client.mech && gssapi_client.mech->userok) 307 if (gssapi_client.mech && gssapi_client.mech->userok)
306 return ((*gssapi_client.mech->userok)(&gssapi_client, user)); 308 if ((*gssapi_client.mech->userok)(&gssapi_client, user))
309 return 1;
310 else {
311 /* Destroy delegated credentials if userok fails */
312 gss_release_buffer(&lmin, &gssapi_client.displayname);
313 gss_release_buffer(&lmin, &gssapi_client.exportedname);
314 gss_release_cred(&lmin, &gssapi_client.creds);
315 memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
316 return 0;
317 }
307 else 318 else
308 debug("ssh_gssapi_userok: Unknown GSSAPI mechanism"); 319 debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
309 return (0); 320 return (0);
diff --git a/hostfile.c b/hostfile.c
index 2e1c8bcd0..63550a29d 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -36,7 +36,7 @@
36 */ 36 */
37 37
38#include "includes.h" 38#include "includes.h"
39RCSID("$OpenBSD: hostfile.c,v 1.33 2005/03/01 10:40:26 djm Exp $"); 39RCSID("$OpenBSD: hostfile.c,v 1.35 2005/07/27 10:39:03 dtucker Exp $");
40 40
41#include <resolv.h> 41#include <resolv.h>
42#include <openssl/hmac.h> 42#include <openssl/hmac.h>
@@ -92,7 +92,7 @@ extract_salt(const char *s, u_int l, char *salt, size_t salt_len)
92 salt_len, ret); 92 salt_len, ret);
93 return (-1); 93 return (-1);
94 } 94 }
95 95
96 return (0); 96 return (0);
97} 97}
98 98
@@ -123,7 +123,7 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len)
123 HMAC_Final(&mac_ctx, result, NULL); 123 HMAC_Final(&mac_ctx, result, NULL);
124 HMAC_cleanup(&mac_ctx); 124 HMAC_cleanup(&mac_ctx);
125 125
126 if (__b64_ntop(salt, len, uu_salt, sizeof(uu_salt)) == -1 || 126 if (__b64_ntop(salt, len, uu_salt, sizeof(uu_salt)) == -1 ||
127 __b64_ntop(result, len, uu_result, sizeof(uu_result)) == -1) 127 __b64_ntop(result, len, uu_result, sizeof(uu_result)) == -1)
128 fatal("host_hash: __b64_ntop failed"); 128 fatal("host_hash: __b64_ntop failed");
129 129
@@ -310,12 +310,12 @@ lookup_key_in_hostfile_by_type(const char *filename, const char *host,
310 */ 310 */
311 311
312int 312int
313add_host_to_hostfile(const char *filename, const char *host, const Key *key, 313add_host_to_hostfile(const char *filename, const char *host, const Key *key,
314 int store_hash) 314 int store_hash)
315{ 315{
316 FILE *f; 316 FILE *f;
317 int success = 0; 317 int success = 0;
318 char *hashed_host; 318 char *hashed_host = NULL;
319 319
320 if (key == NULL) 320 if (key == NULL)
321 return 1; /* XXX ? */ 321 return 1; /* XXX ? */
diff --git a/includes.h b/includes.h
index 3d3aa3b21..fa65aa38d 100644
--- a/includes.h
+++ b/includes.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: includes.h,v 1.18 2004/06/13 15:03:02 djm Exp $ */ 1/* $OpenBSD: includes.h,v 1.19 2005/05/19 02:42:26 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -17,10 +17,11 @@
17#define INCLUDES_H 17#define INCLUDES_H
18 18
19#define RCSID(msg) \ 19#define RCSID(msg) \
20static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg } 20static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
21 21
22#include "config.h" 22#include "config.h"
23 23
24#include <stdarg.h>
24#include <stdio.h> 25#include <stdio.h>
25#include <ctype.h> 26#include <ctype.h>
26#include <errno.h> 27#include <errno.h>
@@ -168,6 +169,10 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
168# include <ia.h> 169# include <ia.h>
169#endif 170#endif
170 171
172#ifdef HAVE_IAF_H
173# include <iaf.h>
174#endif
175
171#ifdef HAVE_TMPDIR_H 176#ifdef HAVE_TMPDIR_H
172# include <tmpdir.h> 177# include <tmpdir.h>
173#endif 178#endif
@@ -181,6 +186,10 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
181# include <kafs.h> 186# include <kafs.h>
182#endif 187#endif
183 188
189#if defined(HAVE_SYS_SYSLOG_H)
190# include <sys/syslog.h>
191#endif
192
184/* 193/*
185 * On HP-UX 11.11, shadow.h and prot.h provide conflicting declarations 194 * On HP-UX 11.11, shadow.h and prot.h provide conflicting declarations
186 * of getspnam when _INCLUDE__STDC__ is defined, so we unset it here. 195 * of getspnam when _INCLUDE__STDC__ is defined, so we unset it here.
diff --git a/kex.c b/kex.c
index 3d6f3ab54..8cd851d23 100644
--- a/kex.c
+++ b/kex.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: kex.c,v 1.60 2004/06/21 17:36:31 avsm Exp $"); 26RCSID("$OpenBSD: kex.c,v 1.64 2005/07/25 11:59:39 markus Exp $");
27 27
28#include <openssl/crypto.h> 28#include <openssl/crypto.h>
29 29
@@ -56,7 +56,7 @@ static void kex_choose_conf(Kex *);
56static void 56static void
57kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX]) 57kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX])
58{ 58{
59 int i; 59 u_int i;
60 60
61 buffer_clear(b); 61 buffer_clear(b);
62 /* 62 /*
@@ -105,7 +105,7 @@ kex_buf2prop(Buffer *raw, int *first_kex_follows)
105static void 105static void
106kex_prop_free(char **proposal) 106kex_prop_free(char **proposal)
107{ 107{
108 int i; 108 u_int i;
109 109
110 for (i = 0; i < PROPOSAL_MAX; i++) 110 for (i = 0; i < PROPOSAL_MAX; i++)
111 xfree(proposal[i]); 111 xfree(proposal[i]);
@@ -154,7 +154,7 @@ kex_send_kexinit(Kex *kex)
154{ 154{
155 u_int32_t rnd = 0; 155 u_int32_t rnd = 0;
156 u_char *cookie; 156 u_char *cookie;
157 int i; 157 u_int i;
158 158
159 if (kex == NULL) { 159 if (kex == NULL) {
160 error("kex_send_kexinit: no kex, cannot rekey"); 160 error("kex_send_kexinit: no kex, cannot rekey");
@@ -187,8 +187,7 @@ void
187kex_input_kexinit(int type, u_int32_t seq, void *ctxt) 187kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
188{ 188{
189 char *ptr; 189 char *ptr;
190 int dlen; 190 u_int i, dlen;
191 int i;
192 Kex *kex = (Kex *)ctxt; 191 Kex *kex = (Kex *)ctxt;
193 192
194 debug("SSH2_MSG_KEXINIT received"); 193 debug("SSH2_MSG_KEXINIT received");
@@ -280,10 +279,12 @@ choose_comp(Comp *comp, char *client, char *server)
280 char *name = match_list(client, server, NULL); 279 char *name = match_list(client, server, NULL);
281 if (name == NULL) 280 if (name == NULL)
282 fatal("no matching comp found: client %s server %s", client, server); 281 fatal("no matching comp found: client %s server %s", client, server);
283 if (strcmp(name, "zlib") == 0) { 282 if (strcmp(name, "zlib@openssh.com") == 0) {
284 comp->type = 1; 283 comp->type = COMP_DELAYED;
284 } else if (strcmp(name, "zlib") == 0) {
285 comp->type = COMP_ZLIB;
285 } else if (strcmp(name, "none") == 0) { 286 } else if (strcmp(name, "none") == 0) {
286 comp->type = 0; 287 comp->type = COMP_NONE;
287 } else { 288 } else {
288 fatal("unsupported comp %s", name); 289 fatal("unsupported comp %s", name);
289 } 290 }
@@ -302,8 +303,11 @@ choose_kex(Kex *k, char *client, char *server)
302 } else if (strcmp(k->name, KEX_DHGEX) == 0) { 303 } else if (strcmp(k->name, KEX_DHGEX) == 0) {
303 k->kex_type = KEX_DH_GEX_SHA1; 304 k->kex_type = KEX_DH_GEX_SHA1;
304#ifdef GSSAPI 305#ifdef GSSAPI
305 } else if (strncmp(k->name, KEX_GSS_SHA1, 306 } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID,
306 sizeof(KEX_GSS_SHA1)-1) == 0) { 307 sizeof(KEX_GSS_GEX_SHA1_ID)-1) == 0) {
308 k->kex_type = KEX_GSS_GEX_SHA1;
309 } else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID,
310 sizeof(KEX_GSS_GRP1_SHA1_ID)-1) == 0) {
307 k->kex_type = KEX_GSS_GRP1_SHA1; 311 k->kex_type = KEX_GSS_GRP1_SHA1;
308#endif 312#endif
309 } else 313 } else
@@ -352,9 +356,7 @@ kex_choose_conf(Kex *kex)
352 char **my, **peer; 356 char **my, **peer;
353 char **cprop, **sprop; 357 char **cprop, **sprop;
354 int nenc, nmac, ncomp; 358 int nenc, nmac, ncomp;
355 int mode; 359 u_int mode, ctos, need;
356 int ctos; /* direction: if true client-to-server */
357 int need;
358 int first_kex_follows, type; 360 int first_kex_follows, type;
359 361
360 my = kex_buf2prop(&kex->my, NULL); 362 my = kex_buf2prop(&kex->my, NULL);
@@ -404,7 +406,7 @@ kex_choose_conf(Kex *kex)
404 406
405 /* ignore the next message if the proposals do not match */ 407 /* ignore the next message if the proposals do not match */
406 if (first_kex_follows && !proposals_match(my, peer) && 408 if (first_kex_follows && !proposals_match(my, peer) &&
407 !(datafellows & SSH_BUG_FIRSTKEX)) { 409 !(datafellows & SSH_BUG_FIRSTKEX)) {
408 type = packet_read(); 410 type = packet_read();
409 debug2("skipping next packet (type %u)", type); 411 debug2("skipping next packet (type %u)", type);
410 } 412 }
@@ -414,15 +416,19 @@ kex_choose_conf(Kex *kex)
414} 416}
415 417
416static u_char * 418static u_char *
417derive_key(Kex *kex, int id, int need, u_char *hash, BIGNUM *shared_secret) 419derive_key(Kex *kex, int id, u_int need, u_char *hash, BIGNUM *shared_secret)
418{ 420{
419 Buffer b; 421 Buffer b;
420 const EVP_MD *evp_md = EVP_sha1(); 422 const EVP_MD *evp_md = EVP_sha1();
421 EVP_MD_CTX md; 423 EVP_MD_CTX md;
422 char c = id; 424 char c = id;
423 int have; 425 u_int have;
424 int mdsz = EVP_MD_size(evp_md); 426 int mdsz = EVP_MD_size(evp_md);
425 u_char *digest = xmalloc(roundup(need, mdsz)); 427 u_char *digest;
428
429 if (mdsz < 0)
430 fatal("derive_key: mdsz < 0");
431 digest = xmalloc(roundup(need, mdsz));
426 432
427 buffer_init(&b); 433 buffer_init(&b);
428 buffer_put_bignum2(&b, shared_secret); 434 buffer_put_bignum2(&b, shared_secret);
@@ -464,7 +470,7 @@ void
464kex_derive_keys(Kex *kex, u_char *hash, BIGNUM *shared_secret) 470kex_derive_keys(Kex *kex, u_char *hash, BIGNUM *shared_secret)
465{ 471{
466 u_char *keys[NKEYS]; 472 u_char *keys[NKEYS];
467 int i, mode, ctos; 473 u_int i, mode, ctos;
468 474
469 for (i = 0; i < NKEYS; i++) 475 for (i = 0; i < NKEYS; i++)
470 keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, shared_secret); 476 keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, shared_secret);
@@ -502,13 +508,13 @@ derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus,
502 EVP_DigestInit(&md, evp_md); 508 EVP_DigestInit(&md, evp_md);
503 509
504 len = BN_num_bytes(host_modulus); 510 len = BN_num_bytes(host_modulus);
505 if (len < (512 / 8) || len > sizeof(nbuf)) 511 if (len < (512 / 8) || (u_int)len > sizeof(nbuf))
506 fatal("%s: bad host modulus (len %d)", __func__, len); 512 fatal("%s: bad host modulus (len %d)", __func__, len);
507 BN_bn2bin(host_modulus, nbuf); 513 BN_bn2bin(host_modulus, nbuf);
508 EVP_DigestUpdate(&md, nbuf, len); 514 EVP_DigestUpdate(&md, nbuf, len);
509 515
510 len = BN_num_bytes(server_modulus); 516 len = BN_num_bytes(server_modulus);
511 if (len < (512 / 8) || len > sizeof(nbuf)) 517 if (len < (512 / 8) || (u_int)len > sizeof(nbuf))
512 fatal("%s: bad server modulus (len %d)", __func__, len); 518 fatal("%s: bad server modulus (len %d)", __func__, len);
513 BN_bn2bin(server_modulus, nbuf); 519 BN_bn2bin(server_modulus, nbuf);
514 EVP_DigestUpdate(&md, nbuf, len); 520 EVP_DigestUpdate(&md, nbuf, len);
@@ -527,7 +533,7 @@ derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus,
527void 533void
528dump_digest(char *msg, u_char *digest, int len) 534dump_digest(char *msg, u_char *digest, int len)
529{ 535{
530 int i; 536 u_int i;
531 537
532 fprintf(stderr, "%s\n", msg); 538 fprintf(stderr, "%s\n", msg);
533 for (i = 0; i< len; i++) { 539 for (i = 0; i< len; i++) {
diff --git a/kex.h b/kex.h
index 9536d506c..b458c2d1e 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: kex.h,v 1.35 2004/06/13 12:53:24 djm Exp $ */ 1/* $OpenBSD: kex.h,v 1.37 2005/07/25 11:59:39 markus Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -35,6 +35,10 @@
35#define KEX_DH14 "diffie-hellman-group14-sha1" 35#define KEX_DH14 "diffie-hellman-group14-sha1"
36#define KEX_DHGEX "diffie-hellman-group-exchange-sha1" 36#define KEX_DHGEX "diffie-hellman-group-exchange-sha1"
37 37
38#define COMP_NONE 0
39#define COMP_ZLIB 1
40#define COMP_DELAYED 2
41
38enum kex_init_proposals { 42enum kex_init_proposals {
39 PROPOSAL_KEX_ALGS, 43 PROPOSAL_KEX_ALGS,
40 PROPOSAL_SERVER_HOST_KEY_ALGS, 44 PROPOSAL_SERVER_HOST_KEY_ALGS,
@@ -60,6 +64,7 @@ enum kex_exchange {
60 KEX_DH_GRP14_SHA1, 64 KEX_DH_GRP14_SHA1,
61 KEX_DH_GEX_SHA1, 65 KEX_DH_GEX_SHA1,
62 KEX_GSS_GRP1_SHA1, 66 KEX_GSS_GRP1_SHA1,
67 KEX_GSS_GEX_SHA1,
63 KEX_MAX 68 KEX_MAX
64}; 69};
65 70
@@ -84,9 +89,9 @@ struct Mac {
84 char *name; 89 char *name;
85 int enabled; 90 int enabled;
86 const EVP_MD *md; 91 const EVP_MD *md;
87 int mac_len; 92 u_int mac_len;
88 u_char *key; 93 u_char *key;
89 int key_len; 94 u_int key_len;
90}; 95};
91struct Comp { 96struct Comp {
92 int type; 97 int type;
@@ -102,7 +107,7 @@ struct Kex {
102 u_char *session_id; 107 u_char *session_id;
103 u_int session_id_len; 108 u_int session_id_len;
104 Newkeys *newkeys[MODE_MAX]; 109 Newkeys *newkeys[MODE_MAX];
105 int we_need; 110 u_int we_need;
106 int server; 111 int server;
107 char *name; 112 char *name;
108 int hostkey_type; 113 int hostkey_type;
@@ -113,6 +118,8 @@ struct Kex {
113 int flags; 118 int flags;
114#ifdef GSSAPI 119#ifdef GSSAPI
115 int gss_deleg_creds; 120 int gss_deleg_creds;
121 int gss_trust_dns;
122 char *gss_host;
116#endif 123#endif
117 char *client_version_string; 124 char *client_version_string;
118 char *server_version_string; 125 char *server_version_string;
diff --git a/kexgssc.c b/kexgssc.c
index eee96dd23..1843403b6 100644
--- a/kexgssc.c
+++ b/kexgssc.c
@@ -1,5 +1,5 @@
1/* 1/*
2 * Copyright (c) 2001-2004 Simon Wilkinson. All rights reserved. 2 * Copyright (c) 2001-2005 Simon Wilkinson. All rights reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
@@ -42,34 +42,68 @@
42 42
43void 43void
44kexgss_client(Kex *kex) { 44kexgss_client(Kex *kex) {
45 gss_buffer_desc gssbuf, send_tok, recv_tok, msg_tok, *token_ptr; 45 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
46 gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr;
46 Gssctxt *ctxt; 47 Gssctxt *ctxt;
47 OM_uint32 maj_status, min_status, ret_flags; 48 OM_uint32 maj_status, min_status, ret_flags;
48 unsigned int klen, kout; 49 unsigned int klen, kout;
49 DH *dh; 50 DH *dh;
50 BIGNUM *dh_server_pub = 0; 51 BIGNUM *dh_server_pub = NULL;
51 BIGNUM *shared_secret = 0; 52 BIGNUM *shared_secret = NULL;
53 BIGNUM *p = NULL;
54 BIGNUM *g = NULL;
52 unsigned char *kbuf; 55 unsigned char *kbuf;
53 unsigned char *hash; 56 unsigned char *hash;
54 unsigned char *serverhostkey; 57 unsigned char *serverhostkey = NULL;
55 char *msg; 58 char *msg;
56 char *lang; 59 char *lang;
57 int type = 0; 60 int type = 0;
58 int first = 1; 61 int first = 1;
59 int slen = 0; 62 int slen = 0;
63 int gex = 0;
64 int nbits, min, max;
60 u_int strlen; 65 u_int strlen;
61 66
67 /* Initialise our GSSAPI world */
62 ssh_gssapi_build_ctx(&ctxt); 68 ssh_gssapi_build_ctx(&ctxt);
63 if (ssh_gssapi_id_kex(ctxt,kex->name) == NULL) 69 if (ssh_gssapi_id_kex(ctxt, kex->name, &gex) == NULL)
64 fatal("Couldn't identify host exchange"); 70 fatal("Couldn't identify host exchange");
65 71
66 if (ssh_gssapi_import_name(ctxt,get_canonical_hostname(1))) 72 if (ssh_gssapi_import_name(ctxt, kex->gss_host))
67 fatal("Couldn't import hostname "); 73 fatal("Couldn't import hostname");
74
75 if (gex) {
76 debug("Doing group exchange\n");
77 nbits = dh_estimate(kex->we_need * 8);
78 min = DH_GRP_MIN;
79 max = DH_GRP_MAX;
80 packet_start(SSH2_MSG_KEXGSS_GROUPREQ);
81 packet_put_int(min);
82 packet_put_int(nbits);
83 packet_put_int(max);
84
85 packet_send();
86
87 packet_read_expect(SSH2_MSG_KEXGSS_GROUP);
88
89 if ((p = BN_new()) == NULL)
90 fatal("BN_new() failed");
91 packet_get_bignum2(p);
92 if ((g = BN_new()) == NULL)
93 fatal("BN_new() failed");
94 packet_get_bignum2(g);
95 packet_check_eom();
96
97 if (BN_num_bits(p) < min || BN_num_bits(p) > max)
98 fatal("GSSGRP_GEX group out of range: %d !< %d !< %d",
99 min, BN_num_bits(p), max);
100
101 dh = dh_new_group(g, p);
102 } else {
103 dh = dh_new_group1();
104 }
68 105
69 /* This code should match that in ssh_dh1_client */
70
71 /* Step 1 - e is dh->pub_key */ 106 /* Step 1 - e is dh->pub_key */
72 dh = dh_new_group1();
73 dh_gen_key(dh, kex->we_need * 8); 107 dh_gen_key(dh, kex->we_need * 8);
74 108
75 /* This is f, we initialise it now to make life easier */ 109 /* This is f, we initialise it now to make life easier */
@@ -97,7 +131,7 @@ kexgss_client(Kex *kex) {
97 131
98 /* If we've got an old receive buffer get rid of it */ 132 /* If we've got an old receive buffer get rid of it */
99 if (token_ptr != GSS_C_NO_BUFFER) 133 if (token_ptr != GSS_C_NO_BUFFER)
100 (void) gss_release_buffer(&min_status, &recv_tok); 134 xfree(recv_tok.value);
101 135
102 if (maj_status == GSS_S_COMPLETE) { 136 if (maj_status == GSS_S_COMPLETE) {
103 /* If mutual state flag is not true, kex fails */ 137 /* If mutual state flag is not true, kex fails */
@@ -126,15 +160,21 @@ kexgss_client(Kex *kex) {
126 send_tok.length); 160 send_tok.length);
127 } 161 }
128 packet_send(); 162 packet_send();
163 gss_release_buffer(&min_status, &send_tok);
129 164
130 /* If we've sent them data, they should reply */ 165 /* If we've sent them data, they should reply */
131 166 do {
132 type = packet_read(); 167 type = packet_read();
168 if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
169 debug("Received KEXGSS_HOSTKEY");
170 if (serverhostkey)
171 fatal("Server host key received more than once");
172 serverhostkey =
173 packet_get_string(&slen);
174 }
175 } while (type == SSH2_MSG_KEXGSS_HOSTKEY);
176
133 switch (type) { 177 switch (type) {
134 case SSH2_MSG_KEXGSS_HOSTKEY:
135 debug("Received KEXGSS_HOSTKEY");
136 serverhostkey = packet_get_string(&slen);
137 break;
138 case SSH2_MSG_KEXGSS_CONTINUE: 178 case SSH2_MSG_KEXGSS_CONTINUE:
139 debug("Received GSSAPI_CONTINUE"); 179 debug("Received GSSAPI_CONTINUE");
140 if (maj_status == GSS_S_COMPLETE) 180 if (maj_status == GSS_S_COMPLETE)
@@ -144,8 +184,8 @@ kexgss_client(Kex *kex) {
144 break; 184 break;
145 case SSH2_MSG_KEXGSS_COMPLETE: 185 case SSH2_MSG_KEXGSS_COMPLETE:
146 debug("Received GSSAPI_COMPLETE"); 186 debug("Received GSSAPI_COMPLETE");
147 packet_get_bignum2(dh_server_pub); 187 packet_get_bignum2(dh_server_pub);
148 msg_tok.value = packet_get_string(&strlen); 188 msg_tok.value = packet_get_string(&strlen);
149 msg_tok.length = strlen; 189 msg_tok.length = strlen;
150 190
151 /* Is there a token included? */ 191 /* Is there a token included? */
@@ -156,10 +196,10 @@ kexgss_client(Kex *kex) {
156 /* If we're already complete - protocol error */ 196 /* If we're already complete - protocol error */
157 if (maj_status == GSS_S_COMPLETE) 197 if (maj_status == GSS_S_COMPLETE)
158 packet_disconnect("Protocol error: received token when complete"); 198 packet_disconnect("Protocol error: received token when complete");
159 } else { 199 } else {
160 /* No token included */ 200 /* No token included */
161 if (maj_status != GSS_S_COMPLETE) 201 if (maj_status != GSS_S_COMPLETE)
162 packet_disconnect("Protocol error: did not receive final token"); 202 packet_disconnect("Protocol error: did not receive final token");
163 } 203 }
164 break; 204 break;
165 case SSH2_MSG_KEXGSS_ERROR: 205 case SSH2_MSG_KEXGSS_ERROR:
@@ -168,7 +208,7 @@ kexgss_client(Kex *kex) {
168 min_status = packet_get_int(); 208 min_status = packet_get_int();
169 msg = packet_get_string(NULL); 209 msg = packet_get_string(NULL);
170 lang = packet_get_string(NULL); 210 lang = packet_get_string(NULL);
171 fprintf(stderr,"GSSAPI Error: \n%s",msg); 211 fatal("GSSAPI Error: \n%s",msg);
172 default: 212 default:
173 packet_disconnect("Protocol error: didn't expect packet type %d", 213 packet_disconnect("Protocol error: didn't expect packet type %d",
174 type); 214 type);
@@ -181,12 +221,12 @@ kexgss_client(Kex *kex) {
181 } 221 }
182 } while (maj_status & GSS_S_CONTINUE_NEEDED); 222 } while (maj_status & GSS_S_CONTINUE_NEEDED);
183 223
184 /* 224 /*
185 * We _must_ have received a COMPLETE message in reply from the 225 * We _must_ have received a COMPLETE message in reply from the
186 * server, which will have set dh_server_pub and msg_tok 226 * server, which will have set dh_server_pub and msg_tok
187 */ 227 */
188 228
189 if (type!=SSH2_MSG_KEXGSS_COMPLETE) 229 if (type != SSH2_MSG_KEXGSS_COMPLETE)
190 fatal("Didn't receive a SSH2_MSG_KEXGSS_COMPLETE when I expected it"); 230 fatal("Didn't receive a SSH2_MSG_KEXGSS_COMPLETE when I expected it");
191 231
192 /* Check f in range [1, p-1] */ 232 /* Check f in range [1, p-1] */
@@ -203,25 +243,45 @@ kexgss_client(Kex *kex) {
203 memset(kbuf, 0, klen); 243 memset(kbuf, 0, klen);
204 xfree(kbuf); 244 xfree(kbuf);
205 245
206 /* The GSS hash is identical to the DH one */ 246 if (gex) {
207 hash = kex_dh_hash( kex->client_version_string, 247 hash = kexgex_hash( kex->client_version_string,
208 kex->server_version_string, 248 kex->server_version_string,
209 buffer_ptr(&kex->my), buffer_len(&kex->my), 249 buffer_ptr(&kex->my), buffer_len(&kex->my),
210 buffer_ptr(&kex->peer), buffer_len(&kex->peer), 250 buffer_ptr(&kex->peer), buffer_len(&kex->peer),
211 serverhostkey, slen, /* server host key */ 251 serverhostkey, slen,
212 dh->pub_key, /* e */ 252 min, nbits, max,
213 dh_server_pub, /* f */ 253 dh->p, dh->g,
214 shared_secret /* K */ 254 dh->pub_key,
215 ); 255 dh_server_pub,
216 256 shared_secret
257 );
258 } else {
259 /* The GSS hash is identical to the DH one */
260 hash = kex_dh_hash( kex->client_version_string,
261 kex->server_version_string,
262 buffer_ptr(&kex->my), buffer_len(&kex->my),
263 buffer_ptr(&kex->peer), buffer_len(&kex->peer),
264 serverhostkey, slen, /* server host key */
265 dh->pub_key, /* e */
266 dh_server_pub, /* f */
267 shared_secret /* K */
268 );
269 }
270
217 gssbuf.value = hash; 271 gssbuf.value = hash;
218 gssbuf.length = 20; 272 gssbuf.length = 20;
219 273
220 /* Verify that the hash matches the MIC we just got. */ 274 /* Verify that the hash matches the MIC we just got. */
221 if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok))) 275 if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
222 packet_disconnect("Hash's MIC didn't verify"); 276 packet_disconnect("Hash's MIC didn't verify");
223 277
278 xfree(msg_tok.value);
279
224 DH_free(dh); 280 DH_free(dh);
281 if (serverhostkey)
282 xfree(serverhostkey);
283 BN_clear_free(dh_server_pub);
284
225 /* save session id */ 285 /* save session id */
226 if (kex->session_id == NULL) { 286 if (kex->session_id == NULL) {
227 kex->session_id_len = 20; 287 kex->session_id_len = 20;
diff --git a/kexgsss.c b/kexgsss.c
index 80c133ac9..268eeccae 100644
--- a/kexgsss.c
+++ b/kexgsss.c
@@ -1,5 +1,5 @@
1/* 1/*
2 * Copyright (c) 2001-2004 Simon Wilkinson. All rights reserved. 2 * Copyright (c) 2001-2005 Simon Wilkinson. All rights reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
@@ -53,21 +53,31 @@ kexgss_server(Kex *kex)
53 */ 53 */
54 54
55 OM_uint32 ret_flags = 0; 55 OM_uint32 ret_flags = 0;
56 gss_buffer_desc gssbuf, send_tok, recv_tok, msg_tok; 56 gss_buffer_desc gssbuf, recv_tok, msg_tok;
57 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
57 Gssctxt *ctxt = NULL; 58 Gssctxt *ctxt = NULL;
58 unsigned int klen, kout; 59 unsigned int klen, kout;
59 unsigned char *kbuf, *hash; 60 unsigned char *kbuf, *hash;
60 DH *dh; 61 DH *dh;
62 int min = -1, max = -1, nbits = -1;
61 BIGNUM *shared_secret = NULL; 63 BIGNUM *shared_secret = NULL;
62 BIGNUM *dh_client_pub = NULL; 64 BIGNUM *dh_client_pub = NULL;
63 int type =0; 65 int type = 0;
66 int gex;
64 u_int slen; 67 u_int slen;
65 gss_OID oid; 68 gss_OID oid;
66 69
67 /* Initialise GSSAPI */ 70 /* Initialise GSSAPI */
68 71
72 /* If we're rekeying, privsep means that some of the private structures
73 * in the GSSAPI code are no longer available. This kludges them back
74 * into life
75 */
76 if (!ssh_gssapi_oid_table_ok())
77 ssh_gssapi_server_mechanisms();
78
69 debug2("%s: Identifying %s", __func__, kex->name); 79 debug2("%s: Identifying %s", __func__, kex->name);
70 oid = ssh_gssapi_id_kex(NULL, kex->name); 80 oid = ssh_gssapi_id_kex(NULL, kex->name, &gex);
71 if (oid == NULL) 81 if (oid == NULL)
72 fatal("Unknown gssapi mechanism"); 82 fatal("Unknown gssapi mechanism");
73 83
@@ -76,6 +86,34 @@ kexgss_server(Kex *kex)
76 if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid)))) 86 if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
77 fatal("Unable to acquire credentials for the server"); 87 fatal("Unable to acquire credentials for the server");
78 88
89 if (gex) {
90 debug("Doing group exchange");
91 packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ);
92 min = packet_get_int();
93 nbits = packet_get_int();
94 max = packet_get_int();
95 min = MAX(DH_GRP_MIN, min);
96 max = MIN(DH_GRP_MAX, max);
97 packet_check_eom();
98 if (max < min || nbits < min || max < nbits)
99 fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
100 min, nbits, max);
101 dh = PRIVSEP(choose_dh(min, nbits, max));
102 if (dh == NULL)
103 packet_disconnect("Protocol error: no matching group found");
104
105 packet_start(SSH2_MSG_KEXGSS_GROUP);
106 packet_put_bignum2(dh->p);
107 packet_put_bignum2(dh->g);
108 packet_send();
109
110 packet_write_wait();
111
112 } else {
113 dh = dh_new_group1();
114 }
115 dh_gen_key(dh, kex->we_need * 8);
116
79 do { 117 do {
80 debug("Wait SSH2_MSG_GSSAPI_INIT"); 118 debug("Wait SSH2_MSG_GSSAPI_INIT");
81 type = packet_read(); 119 type = packet_read();
@@ -86,10 +124,9 @@ kexgss_server(Kex *kex)
86 recv_tok.value = packet_get_string(&slen); 124 recv_tok.value = packet_get_string(&slen);
87 recv_tok.length = slen; 125 recv_tok.length = slen;
88 126
89 dh_client_pub = BN_new(); 127 if ((dh_client_pub = BN_new()) == NULL)
90
91 if (dh_client_pub == NULL)
92 fatal("dh_client_pub == NULL"); 128 fatal("dh_client_pub == NULL");
129
93 packet_get_bignum2(dh_client_pub); 130 packet_get_bignum2(dh_client_pub);
94 131
95 /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */ 132 /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
@@ -107,8 +144,8 @@ kexgss_server(Kex *kex)
107 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok, 144 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok,
108 &send_tok, &ret_flags)); 145 &send_tok, &ret_flags));
109 146
110 gss_release_buffer(&min_status, &recv_tok); 147 xfree(recv_tok.value);
111 148
112 if (maj_status != GSS_S_COMPLETE && send_tok.length == 0) 149 if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
113 fatal("Zero length token output when incomplete"); 150 fatal("Zero length token output when incomplete");
114 151
@@ -125,7 +162,7 @@ kexgss_server(Kex *kex)
125 } while (maj_status & GSS_S_CONTINUE_NEEDED); 162 } while (maj_status & GSS_S_CONTINUE_NEEDED);
126 163
127 if (GSS_ERROR(maj_status)) { 164 if (GSS_ERROR(maj_status)) {
128 if (send_tok.length>0) { 165 if (send_tok.length > 0) {
129 packet_start(SSH2_MSG_KEXGSS_CONTINUE); 166 packet_start(SSH2_MSG_KEXGSS_CONTINUE);
130 packet_put_string(send_tok.value, send_tok.length); 167 packet_put_string(send_tok.value, send_tok.length);
131 packet_send(); 168 packet_send();
@@ -139,9 +176,6 @@ kexgss_server(Kex *kex)
139 if (!(ret_flags & GSS_C_INTEG_FLAG)) 176 if (!(ret_flags & GSS_C_INTEG_FLAG))
140 fatal("Integrity flag wasn't set"); 177 fatal("Integrity flag wasn't set");
141 178
142 dh = dh_new_group1();
143 dh_gen_key(dh, kex->we_need * 8);
144
145 if (!dh_pub_is_valid(dh, dh_client_pub)) 179 if (!dh_pub_is_valid(dh, dh_client_pub))
146 packet_disconnect("bad client public DH value"); 180 packet_disconnect("bad client public DH value");
147 181
@@ -154,14 +188,29 @@ kexgss_server(Kex *kex)
154 memset(kbuf, 0, klen); 188 memset(kbuf, 0, klen);
155 xfree(kbuf); 189 xfree(kbuf);
156 190
157 /* The GSSAPI hash is identical to the Diffie Helman one */ 191 if (gex) {
158 hash = kex_dh_hash( 192 hash = kexgex_hash(
159 kex->client_version_string, kex->server_version_string, 193 kex->client_version_string, kex->server_version_string,
160 buffer_ptr(&kex->peer), buffer_len(&kex->peer), 194 buffer_ptr(&kex->peer), buffer_len(&kex->peer),
161 buffer_ptr(&kex->my), buffer_len(&kex->my), 195 buffer_ptr(&kex->my), buffer_len(&kex->my),
162 NULL, 0, /* Change this if we start sending host keys */ 196 NULL, 0,
163 dh_client_pub, dh->pub_key, shared_secret 197 min, nbits, max,
164 ); 198 dh->p, dh->g,
199 dh_client_pub,
200 dh->pub_key,
201 shared_secret
202 );
203 }
204 else {
205 /* The GSSAPI hash is identical to the Diffie Helman one */
206 hash = kex_dh_hash(
207 kex->client_version_string, kex->server_version_string,
208 buffer_ptr(&kex->peer), buffer_len(&kex->peer),
209 buffer_ptr(&kex->my), buffer_len(&kex->my),
210 NULL, 0, /* Change this if we start sending host keys */
211 dh_client_pub, dh->pub_key, shared_secret
212 );
213 }
165 BN_free(dh_client_pub); 214 BN_free(dh_client_pub);
166 215
167 if (kex->session_id == NULL) { 216 if (kex->session_id == NULL) {
@@ -180,7 +229,7 @@ kexgss_server(Kex *kex)
180 packet_put_bignum2(dh->pub_key); 229 packet_put_bignum2(dh->pub_key);
181 packet_put_string((char *)msg_tok.value,msg_tok.length); 230 packet_put_string((char *)msg_tok.value,msg_tok.length);
182 231
183 if (send_tok.length!=0) { 232 if (send_tok.length != 0) {
184 packet_put_char(1); /* true */ 233 packet_put_char(1); /* true */
185 packet_put_string((char *)send_tok.value, send_tok.length); 234 packet_put_string((char *)send_tok.value, send_tok.length);
186 } else { 235 } else {
@@ -188,7 +237,8 @@ kexgss_server(Kex *kex)
188 } 237 }
189 packet_send(); 238 packet_send();
190 239
191 gss_release_buffer(&min_status, &send_tok); 240 gss_release_buffer(&min_status, &send_tok);
241 gss_release_buffer(&min_status, &msg_tok);
192 242
193 if (gss_kex_context == NULL) 243 if (gss_kex_context == NULL)
194 gss_kex_context = ctxt; 244 gss_kex_context = ctxt;
diff --git a/key.c b/key.c
index db401cb12..239a35919 100644
--- a/key.c
+++ b/key.c
@@ -32,7 +32,7 @@
32 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 */ 33 */
34#include "includes.h" 34#include "includes.h"
35RCSID("$OpenBSD: key.c,v 1.57 2004/10/29 23:57:05 djm Exp $"); 35RCSID("$OpenBSD: key.c,v 1.58 2005/06/17 02:44:32 djm Exp $");
36 36
37#include <openssl/evp.h> 37#include <openssl/evp.h>
38 38
@@ -231,7 +231,7 @@ static char *
231key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len) 231key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len)
232{ 232{
233 char *retval; 233 char *retval;
234 int i; 234 u_int i;
235 235
236 retval = xmalloc(dgst_raw_len * 3 + 1); 236 retval = xmalloc(dgst_raw_len * 3 + 1);
237 retval[0] = '\0'; 237 retval[0] = '\0';
diff --git a/log.c b/log.c
index e55a54f16..96ab24b04 100644
--- a/log.c
+++ b/log.c
@@ -196,6 +196,7 @@ log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
196#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) 196#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
197 struct syslog_data sdata = SYSLOG_DATA_INIT; 197 struct syslog_data sdata = SYSLOG_DATA_INIT;
198#endif 198#endif
199
199 argv0 = av0; 200 argv0 = av0;
200 201
201 switch (level) { 202 switch (level) {
diff --git a/loginrec.c b/loginrec.c
index 361ac4cb7..c3783c991 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -165,7 +165,7 @@
165# include <libutil.h> 165# include <libutil.h>
166#endif 166#endif
167 167
168RCSID("$Id: loginrec.c,v 1.67 2005/02/15 11:19:28 dtucker Exp $"); 168RCSID("$Id: loginrec.c,v 1.70 2005/07/17 07:26:44 djm Exp $");
169 169
170/** 170/**
171 ** prototypes for helper functions in this file 171 ** prototypes for helper functions in this file
@@ -362,7 +362,7 @@ login_init_entry(struct logininfo *li, int pid, const char *username,
362 strlcpy(li->username, username, sizeof(li->username)); 362 strlcpy(li->username, username, sizeof(li->username));
363 pw = getpwnam(li->username); 363 pw = getpwnam(li->username);
364 if (pw == NULL) { 364 if (pw == NULL) {
365 fatal("%s: Cannot find user \"%s\"", __func__, 365 fatal("%s: Cannot find user \"%s\"", __func__,
366 li->username); 366 li->username);
367 } 367 }
368 li->uid = pw->pw_uid; 368 li->uid = pw->pw_uid;
@@ -374,7 +374,7 @@ login_init_entry(struct logininfo *li, int pid, const char *username,
374 return (1); 374 return (1);
375} 375}
376 376
377/* 377/*
378 * login_set_current_time(struct logininfo *) - set the current time 378 * login_set_current_time(struct logininfo *) - set the current time
379 * 379 *
380 * Set the current time in a logininfo structure. This function is 380 * Set the current time in a logininfo structure. This function is
@@ -443,8 +443,9 @@ login_write(struct logininfo *li)
443 wtmpx_write_entry(li); 443 wtmpx_write_entry(li);
444#endif 444#endif
445#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN 445#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
446 if (li->type == LTYPE_LOGIN && 446 if (li->type == LTYPE_LOGIN &&
447 !sys_auth_record_login(li->username,li->hostname,li->line, &loginmsg)) 447 !sys_auth_record_login(li->username,li->hostname,li->line,
448 &loginmsg))
448 logit("Writing login record failed for %s", li->username); 449 logit("Writing login record failed for %s", li->username);
449#endif 450#endif
450#ifdef SSH_AUDIT_EVENTS 451#ifdef SSH_AUDIT_EVENTS
@@ -534,7 +535,7 @@ getlast_entry(struct logininfo *li)
534 * sure dst has enough space, if not just copy src (ugh) 535 * sure dst has enough space, if not just copy src (ugh)
535 */ 536 */
536char * 537char *
537line_fullname(char *dst, const char *src, int dstsize) 538line_fullname(char *dst, const char *src, u_int dstsize)
538{ 539{
539 memset(dst, '\0', dstsize); 540 memset(dst, '\0', dstsize);
540 if ((strncmp(src, "/dev/", 5) == 0) || (dstsize < (strlen(src) + 5))) 541 if ((strncmp(src, "/dev/", 5) == 0) || (dstsize < (strlen(src) + 5)))
@@ -558,7 +559,7 @@ line_stripname(char *dst, const char *src, int dstsize)
558 return (dst); 559 return (dst);
559} 560}
560 561
561/* 562/*
562 * line_abbrevname(): Return the abbreviated (usually four-character) 563 * line_abbrevname(): Return the abbreviated (usually four-character)
563 * form of the line (Just use the last <dstsize> characters of the 564 * form of the line (Just use the last <dstsize> characters of the
564 * full name.) 565 * full name.)
@@ -808,7 +809,7 @@ utmp_write_library(struct logininfo *li, struct utmp *ut)
808} 809}
809# else /* UTMP_USE_LIBRARY */ 810# else /* UTMP_USE_LIBRARY */
810 811
811/* 812/*
812 * Write a utmp entry direct to the file 813 * Write a utmp entry direct to the file
813 * This is a slightly modification of code in OpenBSD's login.c 814 * This is a slightly modification of code in OpenBSD's login.c
814 */ 815 */
@@ -852,7 +853,7 @@ utmp_write_direct(struct logininfo *li, struct utmp *ut)
852 return (0); 853 return (0);
853 } 854 }
854 if (ret != pos) { 855 if (ret != pos) {
855 logit("%s: Couldn't seek to tty %d slot in %s", 856 logit("%s: Couldn't seek to tty %d slot in %s",
856 __func__, tty, UTMP_FILE); 857 __func__, tty, UTMP_FILE);
857 return (0); 858 return (0);
858 } 859 }
@@ -1052,7 +1053,7 @@ utmpx_write_entry(struct logininfo *li)
1052 1053
1053#ifdef USE_WTMP 1054#ifdef USE_WTMP
1054 1055
1055/* 1056/*
1056 * Write a wtmp entry direct to the end of the file 1057 * Write a wtmp entry direct to the end of the file
1057 * This is a slight modification of code in OpenBSD's logwtmp.c 1058 * This is a slight modification of code in OpenBSD's logwtmp.c
1058 */ 1059 */
@@ -1113,7 +1114,7 @@ wtmp_write_entry(struct logininfo *li)
1113} 1114}
1114 1115
1115 1116
1116/* 1117/*
1117 * Notes on fetching login data from wtmp/wtmpx 1118 * Notes on fetching login data from wtmp/wtmpx
1118 * 1119 *
1119 * Logouts are usually recorded with (amongst other things) a blank 1120 * Logouts are usually recorded with (amongst other things) a blank
@@ -1157,12 +1158,12 @@ wtmp_get_entry(struct logininfo *li)
1157 li->tv_sec = li->tv_usec = 0; 1158 li->tv_sec = li->tv_usec = 0;
1158 1159
1159 if ((fd = open(WTMP_FILE, O_RDONLY)) < 0) { 1160 if ((fd = open(WTMP_FILE, O_RDONLY)) < 0) {
1160 logit("%s: problem opening %s: %s", __func__, 1161 logit("%s: problem opening %s: %s", __func__,
1161 WTMP_FILE, strerror(errno)); 1162 WTMP_FILE, strerror(errno));
1162 return (0); 1163 return (0);
1163 } 1164 }
1164 if (fstat(fd, &st) != 0) { 1165 if (fstat(fd, &st) != 0) {
1165 logit("%s: couldn't stat %s: %s", __func__, 1166 logit("%s: couldn't stat %s: %s", __func__,
1166 WTMP_FILE, strerror(errno)); 1167 WTMP_FILE, strerror(errno));
1167 close(fd); 1168 close(fd);
1168 return (0); 1169 return (0);
@@ -1177,7 +1178,7 @@ wtmp_get_entry(struct logininfo *li)
1177 1178
1178 while (!found) { 1179 while (!found) {
1179 if (atomicio(read, fd, &ut, sizeof(ut)) != sizeof(ut)) { 1180 if (atomicio(read, fd, &ut, sizeof(ut)) != sizeof(ut)) {
1180 logit("%s: read of %s failed: %s", __func__, 1181 logit("%s: read of %s failed: %s", __func__,
1181 WTMP_FILE, strerror(errno)); 1182 WTMP_FILE, strerror(errno));
1182 close (fd); 1183 close (fd);
1183 return (0); 1184 return (0);
@@ -1235,7 +1236,7 @@ wtmpx_write(struct logininfo *li, struct utmpx *utx)
1235 int fd, ret = 1; 1236 int fd, ret = 1;
1236 1237
1237 if ((fd = open(WTMPX_FILE, O_WRONLY|O_APPEND, 0)) < 0) { 1238 if ((fd = open(WTMPX_FILE, O_WRONLY|O_APPEND, 0)) < 0) {
1238 logit("%s: problem opening %s: %s", __func__, 1239 logit("%s: problem opening %s: %s", __func__,
1239 WTMPX_FILE, strerror(errno)); 1240 WTMPX_FILE, strerror(errno));
1240 return (0); 1241 return (0);
1241 } 1242 }
@@ -1322,12 +1323,12 @@ wtmpx_get_entry(struct logininfo *li)
1322 li->tv_sec = li->tv_usec = 0; 1323 li->tv_sec = li->tv_usec = 0;
1323 1324
1324 if ((fd = open(WTMPX_FILE, O_RDONLY)) < 0) { 1325 if ((fd = open(WTMPX_FILE, O_RDONLY)) < 0) {
1325 logit("%s: problem opening %s: %s", __func__, 1326 logit("%s: problem opening %s: %s", __func__,
1326 WTMPX_FILE, strerror(errno)); 1327 WTMPX_FILE, strerror(errno));
1327 return (0); 1328 return (0);
1328 } 1329 }
1329 if (fstat(fd, &st) != 0) { 1330 if (fstat(fd, &st) != 0) {
1330 logit("%s: couldn't stat %s: %s", __func__, 1331 logit("%s: couldn't stat %s: %s", __func__,
1331 WTMPX_FILE, strerror(errno)); 1332 WTMPX_FILE, strerror(errno));
1332 close(fd); 1333 close(fd);
1333 return (0); 1334 return (0);
@@ -1342,13 +1343,13 @@ wtmpx_get_entry(struct logininfo *li)
1342 1343
1343 while (!found) { 1344 while (!found) {
1344 if (atomicio(read, fd, &utx, sizeof(utx)) != sizeof(utx)) { 1345 if (atomicio(read, fd, &utx, sizeof(utx)) != sizeof(utx)) {
1345 logit("%s: read of %s failed: %s", __func__, 1346 logit("%s: read of %s failed: %s", __func__,
1346 WTMPX_FILE, strerror(errno)); 1347 WTMPX_FILE, strerror(errno));
1347 close (fd); 1348 close (fd);
1348 return (0); 1349 return (0);
1349 } 1350 }
1350 /* 1351 /*
1351 * Logouts are recorded as a blank username on a particular 1352 * Logouts are recorded as a blank username on a particular
1352 * line. So, we just need to find the username in struct utmpx 1353 * line. So, we just need to find the username in struct utmpx
1353 */ 1354 */
1354 if (wtmpx_islogin(li, &utx)) { 1355 if (wtmpx_islogin(li, &utx)) {
diff --git a/loginrec.h b/loginrec.h
index d1a12a853..8e3390178 100644
--- a/loginrec.h
+++ b/loginrec.h
@@ -35,7 +35,7 @@
35#include <netinet/in.h> 35#include <netinet/in.h>
36#include <sys/socket.h> 36#include <sys/socket.h>
37 37
38/* RCSID("$Id: loginrec.h,v 1.9 2005/02/02 06:10:11 dtucker Exp $"); */ 38/* RCSID("$Id: loginrec.h,v 1.10 2005/06/19 00:19:44 djm Exp $"); */
39 39
40/** 40/**
41 ** you should use the login_* calls to work around platform dependencies 41 ** you should use the login_* calls to work around platform dependencies
@@ -128,7 +128,7 @@ struct logininfo *login_get_lastlog(struct logininfo *li, const int uid);
128unsigned int login_get_lastlog_time(const int uid); 128unsigned int login_get_lastlog_time(const int uid);
129 129
130/* produce various forms of the line filename */ 130/* produce various forms of the line filename */
131char *line_fullname(char *dst, const char *src, int dstsize); 131char *line_fullname(char *dst, const char *src, u_int dstsize);
132char *line_stripname(char *dst, const char *src, int dstsize); 132char *line_stripname(char *dst, const char *src, int dstsize);
133char *line_abbrevname(char *dst, const char *src, int dstsize); 133char *line_abbrevname(char *dst, const char *src, int dstsize);
134 134
diff --git a/mac.c b/mac.c
index 097f0b93b..2bda5a1b9 100644
--- a/mac.c
+++ b/mac.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: mac.c,v 1.6 2003/09/18 13:02:21 miod Exp $"); 26RCSID("$OpenBSD: mac.c,v 1.7 2005/06/17 02:44:32 djm Exp $");
27 27
28#include <openssl/hmac.h> 28#include <openssl/hmac.h>
29 29
@@ -51,12 +51,15 @@ struct {
51int 51int
52mac_init(Mac *mac, char *name) 52mac_init(Mac *mac, char *name)
53{ 53{
54 int i; 54 int i, evp_len;
55
55 for (i = 0; macs[i].name; i++) { 56 for (i = 0; macs[i].name; i++) {
56 if (strcmp(name, macs[i].name) == 0) { 57 if (strcmp(name, macs[i].name) == 0) {
57 if (mac != NULL) { 58 if (mac != NULL) {
58 mac->md = (*macs[i].mdfunc)(); 59 mac->md = (*macs[i].mdfunc)();
59 mac->key_len = mac->mac_len = EVP_MD_size(mac->md); 60 if ((evp_len = EVP_MD_size(mac->md)) <= 0)
61 fatal("mac %s len %d", name, evp_len);
62 mac->key_len = mac->mac_len = (u_int)evp_len;
60 if (macs[i].truncatebits != 0) 63 if (macs[i].truncatebits != 0)
61 mac->mac_len = macs[i].truncatebits/8; 64 mac->mac_len = macs[i].truncatebits/8;
62 } 65 }
@@ -77,7 +80,7 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
77 80
78 if (mac->key == NULL) 81 if (mac->key == NULL)
79 fatal("mac_compute: no key"); 82 fatal("mac_compute: no key");
80 if ((u_int)mac->mac_len > sizeof(m)) 83 if (mac->mac_len > sizeof(m))
81 fatal("mac_compute: mac too long"); 84 fatal("mac_compute: mac too long");
82 HMAC_Init(&c, mac->key, mac->key_len, mac->md); 85 HMAC_Init(&c, mac->key, mac->key_len, mac->md);
83 PUT_32BIT(b, seqno); 86 PUT_32BIT(b, seqno);
diff --git a/match.c b/match.c
index 3ddb62730..29fb7dab9 100644
--- a/match.c
+++ b/match.c
@@ -35,7 +35,7 @@
35 */ 35 */
36 36
37#include "includes.h" 37#include "includes.h"
38RCSID("$OpenBSD: match.c,v 1.19 2002/03/01 13:12:10 markus Exp $"); 38RCSID("$OpenBSD: match.c,v 1.20 2005/06/17 02:44:32 djm Exp $");
39 39
40#include "match.h" 40#include "match.h"
41#include "xmalloc.h" 41#include "xmalloc.h"
@@ -254,7 +254,7 @@ match_list(const char *client, const char *server, u_int *next)
254 ret = xstrdup(p); 254 ret = xstrdup(p);
255 if (next != NULL) 255 if (next != NULL)
256 *next = (cp == NULL) ? 256 *next = (cp == NULL) ?
257 strlen(c) : cp - c; 257 strlen(c) : (u_int)(cp - c);
258 xfree(c); 258 xfree(c);
259 xfree(s); 259 xfree(s);
260 return ret; 260 return ret;
diff --git a/mdoc2man.awk b/mdoc2man.awk
index 4e72cdc1c..d6eaf4601 100644
--- a/mdoc2man.awk
+++ b/mdoc2man.awk
@@ -140,6 +140,9 @@ function add(str) {
140 } else if(match(words[w],"^Dt$")) { 140 } else if(match(words[w],"^Dt$")) {
141 id=wtail() 141 id=wtail()
142 next 142 next
143 } else if(match(words[w],"^Ox$")) {
144 add("OpenBSD")
145 skip=1
143 } else if(match(words[w],"^Os$")) { 146 } else if(match(words[w],"^Os$")) {
144 add(".TH " id " \"" date "\" \"" wtail() "\"") 147 add(".TH " id " \"" date "\" \"" wtail() "\"")
145 } else if(match(words[w],"^Sh$")) { 148 } else if(match(words[w],"^Sh$")) {
diff --git a/misc.c b/misc.c
index 2e366f81b..2dd8ae6e3 100644
--- a/misc.c
+++ b/misc.c
@@ -1,5 +1,6 @@
1/* 1/*
2 * Copyright (c) 2000 Markus Friedl. All rights reserved. 2 * Copyright (c) 2000 Markus Friedl. All rights reserved.
3 * Copyright (c) 2005 Damien Miller. All rights reserved.
3 * 4 *
4 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -23,7 +24,7 @@
23 */ 24 */
24 25
25#include "includes.h" 26#include "includes.h"
26RCSID("$OpenBSD: misc.c,v 1.28 2005/03/01 10:09:52 djm Exp $"); 27RCSID("$OpenBSD: misc.c,v 1.34 2005/07/08 09:26:18 dtucker Exp $");
27 28
28#include "misc.h" 29#include "misc.h"
29#include "log.h" 30#include "log.h"
@@ -303,13 +304,13 @@ hpdelim(char **cp)
303 case '\0': 304 case '\0':
304 *cp = NULL; /* no more fields*/ 305 *cp = NULL; /* no more fields*/
305 break; 306 break;
306 307
307 case ':': 308 case ':':
308 case '/': 309 case '/':
309 *s = '\0'; /* terminate */ 310 *s = '\0'; /* terminate */
310 *cp = s + 1; 311 *cp = s + 1;
311 break; 312 break;
312 313
313 default: 314 default:
314 return NULL; 315 return NULL;
315 } 316 }
@@ -376,6 +377,114 @@ addargs(arglist *args, char *fmt, ...)
376} 377}
377 378
378/* 379/*
380 * Expands tildes in the file name. Returns data allocated by xmalloc.
381 * Warning: this calls getpw*.
382 */
383char *
384tilde_expand_filename(const char *filename, uid_t uid)
385{
386 const char *path;
387 char user[128], ret[MAXPATHLEN];
388 struct passwd *pw;
389 u_int len, slash;
390
391 if (*filename != '~')
392 return (xstrdup(filename));
393 filename++;
394
395 path = strchr(filename, '/');
396 if (path != NULL && path > filename) { /* ~user/path */
397 slash = path - filename;
398 if (slash > sizeof(user) - 1)
399 fatal("tilde_expand_filename: ~username too long");
400 memcpy(user, filename, slash);
401 user[slash] = '\0';
402 if ((pw = getpwnam(user)) == NULL)
403 fatal("tilde_expand_filename: No such user %s", user);
404 } else if ((pw = getpwuid(uid)) == NULL) /* ~/path */
405 fatal("tilde_expand_filename: No such uid %d", uid);
406
407 if (strlcpy(ret, pw->pw_dir, sizeof(ret)) >= sizeof(ret))
408 fatal("tilde_expand_filename: Path too long");
409
410 /* Make sure directory has a trailing '/' */
411 len = strlen(pw->pw_dir);
412 if ((len == 0 || pw->pw_dir[len - 1] != '/') &&
413 strlcat(ret, "/", sizeof(ret)) >= sizeof(ret))
414 fatal("tilde_expand_filename: Path too long");
415
416 /* Skip leading '/' from specified path */
417 if (path != NULL)
418 filename = path + 1;
419 if (strlcat(ret, filename, sizeof(ret)) >= sizeof(ret))
420 fatal("tilde_expand_filename: Path too long");
421
422 return (xstrdup(ret));
423}
424
425/*
426 * Expand a string with a set of %[char] escapes. A number of escapes may be
427 * specified as (char *escape_chars, char *replacement) pairs. The list must
428 * be terminated by a NULL escape_char. Returns replaced string in memory
429 * allocated by xmalloc.
430 */
431char *
432percent_expand(const char *string, ...)
433{
434#define EXPAND_MAX_KEYS 16
435 struct {
436 const char *key;
437 const char *repl;
438 } keys[EXPAND_MAX_KEYS];
439 u_int num_keys, i, j;
440 char buf[4096];
441 va_list ap;
442
443 /* Gather keys */
444 va_start(ap, string);
445 for (num_keys = 0; num_keys < EXPAND_MAX_KEYS; num_keys++) {
446 keys[num_keys].key = va_arg(ap, char *);
447 if (keys[num_keys].key == NULL)
448 break;
449 keys[num_keys].repl = va_arg(ap, char *);
450 if (keys[num_keys].repl == NULL)
451 fatal("percent_expand: NULL replacement");
452 }
453 va_end(ap);
454
455 if (num_keys >= EXPAND_MAX_KEYS)
456 fatal("percent_expand: too many keys");
457
458 /* Expand string */
459 *buf = '\0';
460 for (i = 0; *string != '\0'; string++) {
461 if (*string != '%') {
462 append:
463 buf[i++] = *string;
464 if (i >= sizeof(buf))
465 fatal("percent_expand: string too long");
466 buf[i] = '\0';
467 continue;
468 }
469 string++;
470 if (*string == '%')
471 goto append;
472 for (j = 0; j < num_keys; j++) {
473 if (strchr(keys[j].key, *string) != NULL) {
474 i = strlcat(buf, keys[j].repl, sizeof(buf));
475 if (i >= sizeof(buf))
476 fatal("percent_expand: string too long");
477 break;
478 }
479 }
480 if (j >= num_keys)
481 fatal("percent_expand: unknown key %%%c", *string);
482 }
483 return (xstrdup(buf));
484#undef EXPAND_MAX_KEYS
485}
486
487/*
379 * Read an entire line from a public key file into a static buffer, discarding 488 * Read an entire line from a public key file into a static buffer, discarding
380 * lines that exceed the buffer size. Returns 0 on success, -1 on failure. 489 * lines that exceed the buffer size. Returns 0 on success, -1 on failure.
381 */ 490 */
@@ -391,9 +500,26 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
391 debug("%s: %s line %lu exceeds size limit", __func__, 500 debug("%s: %s line %lu exceeds size limit", __func__,
392 filename, *lineno); 501 filename, *lineno);
393 /* discard remainder of line */ 502 /* discard remainder of line */
394 while(fgetc(f) != '\n' && !feof(f)) 503 while (fgetc(f) != '\n' && !feof(f))
395 ; /* nothing */ 504 ; /* nothing */
396 } 505 }
397 } 506 }
398 return -1; 507 return -1;
399} 508}
509
510char *
511tohex(const u_char *d, u_int l)
512{
513 char b[3], *r;
514 u_int i, hl;
515
516 hl = l * 2 + 1;
517 r = xmalloc(hl);
518 *r = '\0';
519 for (i = 0; i < l; i++) {
520 snprintf(b, sizeof(b), "%02x", d[i]);
521 strlcat(r, b, hl);
522 }
523 return (r);
524}
525
diff --git a/misc.h b/misc.h
index 8bbc87f0d..2d630feb5 100644
--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: misc.h,v 1.21 2005/03/01 10:09:52 djm Exp $ */ 1/* $OpenBSD: misc.h,v 1.25 2005/07/14 04:00:43 dtucker Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -24,6 +24,9 @@ char *hpdelim(char **);
24char *cleanhostname(char *); 24char *cleanhostname(char *);
25char *colon(char *); 25char *colon(char *);
26long convtime(const char *); 26long convtime(const char *);
27char *tilde_expand_filename(const char *, uid_t);
28char *percent_expand(const char *, ...) __attribute__((__sentinel__));
29char *tohex(const u_char *, u_int);
27 30
28struct passwd *pwcopy(struct passwd *); 31struct passwd *pwcopy(struct passwd *);
29 32
@@ -35,10 +38,6 @@ struct arglist {
35}; 38};
36void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3))); 39void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3)));
37 40
38/* tildexpand.c */
39
40char *tilde_expand_filename(const char *, uid_t);
41
42/* readpass.c */ 41/* readpass.c */
43 42
44#define RP_ECHO 0x0001 43#define RP_ECHO 0x0001
diff --git a/moduli.c b/moduli.c
index 8b05248e2..d53806ea6 100644
--- a/moduli.c
+++ b/moduli.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: moduli.c,v 1.10 2005/01/17 03:25:46 dtucker Exp $ */ 1/* $OpenBSD: moduli.c,v 1.12 2005/07/17 07:17:55 djm Exp $ */
2/* 2/*
3 * Copyright 1994 Phil Karn <karn@qualcomm.com> 3 * Copyright 1994 Phil Karn <karn@qualcomm.com>
4 * Copyright 1996-1998, 2003 William Allen Simpson <wsimpson@greendragon.com> 4 * Copyright 1996-1998, 2003 William Allen Simpson <wsimpson@greendragon.com>
@@ -112,22 +112,22 @@
112#define TINY_NUMBER (1UL<<16) 112#define TINY_NUMBER (1UL<<16)
113 113
114/* Ensure enough bit space for testing 2*q. */ 114/* Ensure enough bit space for testing 2*q. */
115#define TEST_MAXIMUM (1UL<<16) 115#define TEST_MAXIMUM (1UL<<16)
116#define TEST_MINIMUM (QSIZE_MINIMUM + 1) 116#define TEST_MINIMUM (QSIZE_MINIMUM + 1)
117/* real TEST_MINIMUM (1UL << (SHIFT_WORD - TEST_POWER)) */ 117/* real TEST_MINIMUM (1UL << (SHIFT_WORD - TEST_POWER)) */
118#define TEST_POWER (3) /* 2**n, n < SHIFT_WORD */ 118#define TEST_POWER (3) /* 2**n, n < SHIFT_WORD */
119 119
120/* bit operations on 32-bit words */ 120/* bit operations on 32-bit words */
121#define BIT_CLEAR(a,n) ((a)[(n)>>SHIFT_WORD] &= ~(1L << ((n) & 31))) 121#define BIT_CLEAR(a,n) ((a)[(n)>>SHIFT_WORD] &= ~(1L << ((n) & 31)))
122#define BIT_SET(a,n) ((a)[(n)>>SHIFT_WORD] |= (1L << ((n) & 31))) 122#define BIT_SET(a,n) ((a)[(n)>>SHIFT_WORD] |= (1L << ((n) & 31)))
123#define BIT_TEST(a,n) ((a)[(n)>>SHIFT_WORD] & (1L << ((n) & 31))) 123#define BIT_TEST(a,n) ((a)[(n)>>SHIFT_WORD] & (1L << ((n) & 31)))
124 124
125/* 125/*
126 * Prime testing defines 126 * Prime testing defines
127 */ 127 */
128 128
129/* Minimum number of primality tests to perform */ 129/* Minimum number of primality tests to perform */
130#define TRIAL_MINIMUM (4) 130#define TRIAL_MINIMUM (4)
131 131
132/* 132/*
133 * Sieving data (XXX - move to struct) 133 * Sieving data (XXX - move to struct)
@@ -144,7 +144,7 @@ static u_int32_t *LargeSieve, largewords, largetries, largenumbers;
144static u_int32_t largebits, largememory; /* megabytes */ 144static u_int32_t largebits, largememory; /* megabytes */
145static BIGNUM *largebase; 145static BIGNUM *largebase;
146 146
147int gen_candidates(FILE *, int, int, BIGNUM *); 147int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
148int prime_test(FILE *, FILE *, u_int32_t, u_int32_t); 148int prime_test(FILE *, FILE *, u_int32_t, u_int32_t);
149 149
150/* 150/*
@@ -241,19 +241,20 @@ sieve_large(u_int32_t s)
241 * The list is checked against small known primes (less than 2**30). 241 * The list is checked against small known primes (less than 2**30).
242 */ 242 */
243int 243int
244gen_candidates(FILE *out, int memory, int power, BIGNUM *start) 244gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start)
245{ 245{
246 BIGNUM *q; 246 BIGNUM *q;
247 u_int32_t j, r, s, t; 247 u_int32_t j, r, s, t;
248 u_int32_t smallwords = TINY_NUMBER >> 6; 248 u_int32_t smallwords = TINY_NUMBER >> 6;
249 u_int32_t tinywords = TINY_NUMBER >> 6; 249 u_int32_t tinywords = TINY_NUMBER >> 6;
250 time_t time_start, time_stop; 250 time_t time_start, time_stop;
251 int i, ret = 0; 251 u_int32_t i;
252 int ret = 0;
252 253
253 largememory = memory; 254 largememory = memory;
254 255
255 if (memory != 0 && 256 if (memory != 0 &&
256 (memory < LARGE_MINIMUM || memory > LARGE_MAXIMUM)) { 257 (memory < LARGE_MINIMUM || memory > LARGE_MAXIMUM)) {
257 error("Invalid memory amount (min %ld, max %ld)", 258 error("Invalid memory amount (min %ld, max %ld)",
258 LARGE_MINIMUM, LARGE_MAXIMUM); 259 LARGE_MINIMUM, LARGE_MAXIMUM);
259 return (-1); 260 return (-1);
@@ -371,8 +372,8 @@ gen_candidates(FILE *out, int memory, int power, BIGNUM *start)
371 * fencepost errors, the last pass is skipped. 372 * fencepost errors, the last pass is skipped.
372 */ 373 */
373 for (smallbase = TINY_NUMBER + 3; 374 for (smallbase = TINY_NUMBER + 3;
374 smallbase < (SMALL_MAXIMUM - TINY_NUMBER); 375 smallbase < (SMALL_MAXIMUM - TINY_NUMBER);
375 smallbase += TINY_NUMBER) { 376 smallbase += TINY_NUMBER) {
376 for (i = 0; i < tinybits; i++) { 377 for (i = 0; i < tinybits; i++) {
377 if (BIT_TEST(TinySieve, i)) 378 if (BIT_TEST(TinySieve, i))
378 continue; /* 2*i+3 is composite */ 379 continue; /* 2*i+3 is composite */
@@ -548,7 +549,7 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted)
548 * due to earlier inconsistencies in interpretation, check 549 * due to earlier inconsistencies in interpretation, check
549 * the proposed bit size. 550 * the proposed bit size.
550 */ 551 */
551 if (BN_num_bits(p) != (in_size + 1)) { 552 if ((u_int32_t)BN_num_bits(p) != (in_size + 1)) {
552 debug2("%10u: bit size %u mismatch", count_in, in_size); 553 debug2("%10u: bit size %u mismatch", count_in, in_size);
553 continue; 554 continue;
554 } 555 }
diff --git a/monitor.c b/monitor.c
index b57b53f21..86fe23931 100644
--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
25 */ 25 */
26 26
27#include "includes.h" 27#include "includes.h"
28RCSID("$OpenBSD: monitor.c,v 1.62 2005/01/30 11:18:08 dtucker Exp $"); 28RCSID("$OpenBSD: monitor.c,v 1.63 2005/03/10 22:01:05 deraadt Exp $");
29 29
30#include <openssl/dh.h> 30#include <openssl/dh.h>
31 31
@@ -317,6 +317,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
317 authctxt = _authctxt; 317 authctxt = _authctxt;
318 memset(authctxt, 0, sizeof(*authctxt)); 318 memset(authctxt, 0, sizeof(*authctxt));
319 319
320 authctxt->loginmsg = &loginmsg;
321
320 if (compat20) { 322 if (compat20) {
321 mon_dispatch = mon_dispatch_proto20; 323 mon_dispatch = mon_dispatch_proto20;
322 324
@@ -882,8 +884,8 @@ int
882mm_answer_pam_query(int sock, Buffer *m) 884mm_answer_pam_query(int sock, Buffer *m)
883{ 885{
884 char *name, *info, **prompts; 886 char *name, *info, **prompts;
885 u_int num, *echo_on; 887 u_int i, num, *echo_on;
886 int i, ret; 888 int ret;
887 889
888 debug3("%s", __func__); 890 debug3("%s", __func__);
889 sshpam_authok = NULL; 891 sshpam_authok = NULL;
@@ -916,8 +918,8 @@ int
916mm_answer_pam_respond(int sock, Buffer *m) 918mm_answer_pam_respond(int sock, Buffer *m)
917{ 919{
918 char **resp; 920 char **resp;
919 u_int num; 921 u_int i, num;
920 int i, ret; 922 int ret;
921 923
922 debug3("%s", __func__); 924 debug3("%s", __func__);
923 sshpam_authok = NULL; 925 sshpam_authok = NULL;
@@ -991,7 +993,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
991 debug3("%s: key_from_blob: %p", __func__, key); 993 debug3("%s: key_from_blob: %p", __func__, key);
992 994
993 if (key != NULL && authctxt->valid) { 995 if (key != NULL && authctxt->valid) {
994 switch(type) { 996 switch (type) {
995 case MM_USERKEY: 997 case MM_USERKEY:
996 allowed = options.pubkey_authentication && 998 allowed = options.pubkey_authentication &&
997 user_key_allowed(authctxt->pw, key); 999 user_key_allowed(authctxt->pw, key);
@@ -1538,7 +1540,6 @@ mm_answer_audit_event(int socket, Buffer *m)
1538 debug3("%s entering", __func__); 1540 debug3("%s entering", __func__);
1539 1541
1540 event = buffer_get_int(m); 1542 event = buffer_get_int(m);
1541 buffer_free(m);
1542 switch(event) { 1543 switch(event) {
1543 case SSH_AUTH_FAIL_PUBKEY: 1544 case SSH_AUTH_FAIL_PUBKEY:
1544 case SSH_AUTH_FAIL_HOSTBASED: 1545 case SSH_AUTH_FAIL_HOSTBASED:
@@ -1567,7 +1568,6 @@ mm_answer_audit_command(int socket, Buffer *m)
1567 /* sanity check command, if so how? */ 1568 /* sanity check command, if so how? */
1568 audit_run_command(cmd); 1569 audit_run_command(cmd);
1569 xfree(cmd); 1570 xfree(cmd);
1570 buffer_free(m);
1571 return (0); 1571 return (0);
1572} 1572}
1573#endif /* SSH_AUDIT_EVENTS */ 1573#endif /* SSH_AUDIT_EVENTS */
@@ -1640,6 +1640,7 @@ mm_get_kex(Buffer *m)
1640 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 1640 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
1641#ifdef GSSAPI 1641#ifdef GSSAPI
1642 kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; 1642 kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
1643 kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
1643#endif 1644#endif
1644 kex->server = 1; 1645 kex->server = 1;
1645 kex->hostkey_type = buffer_get_int(m); 1646 kex->hostkey_type = buffer_get_int(m);
@@ -1938,10 +1939,13 @@ mm_answer_gss_userok(int sock, Buffer *m)
1938int 1939int
1939mm_answer_gss_sign(int socket, Buffer *m) 1940mm_answer_gss_sign(int socket, Buffer *m)
1940{ 1941{
1941 gss_buffer_desc data, hash; 1942 gss_buffer_desc data;
1943 gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
1942 OM_uint32 major, minor; 1944 OM_uint32 major, minor;
1945 u_int len;
1943 1946
1944 data.value = buffer_get_string(m, &data.length); 1947 data.value = buffer_get_string(m, &len);
1948 data.length = len;
1945 if (data.length != 20) 1949 if (data.length != 20)
1946 fatal("%s: data length incorrect: %d", __func__, data.length); 1950 fatal("%s: data length incorrect: %d", __func__, data.length);
1947 1951
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 482ff5bc3..72b75d50a 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -25,7 +25,7 @@
25 */ 25 */
26 26
27#include "includes.h" 27#include "includes.h"
28RCSID("$OpenBSD: monitor_wrap.c,v 1.39 2004/07/17 05:31:41 dtucker Exp $"); 28RCSID("$OpenBSD: monitor_wrap.c,v 1.40 2005/05/24 17:32:43 avsm Exp $");
29 29
30#include <openssl/bn.h> 30#include <openssl/bn.h>
31#include <openssl/dh.h> 31#include <openssl/dh.h>
@@ -95,9 +95,9 @@ mm_request_send(int sock, enum monitor_reqtype type, Buffer *m)
95 PUT_32BIT(buf, mlen + 1); 95 PUT_32BIT(buf, mlen + 1);
96 buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */ 96 buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */
97 if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf)) 97 if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf))
98 fatal("%s: write", __func__); 98 fatal("%s: write: %s", __func__, strerror(errno));
99 if (atomicio(vwrite, sock, buffer_ptr(m), mlen) != mlen) 99 if (atomicio(vwrite, sock, buffer_ptr(m), mlen) != mlen)
100 fatal("%s: write", __func__); 100 fatal("%s: write: %s", __func__, strerror(errno));
101} 101}
102 102
103void 103void
@@ -105,24 +105,21 @@ mm_request_receive(int sock, Buffer *m)
105{ 105{
106 u_char buf[4]; 106 u_char buf[4];
107 u_int msg_len; 107 u_int msg_len;
108 ssize_t res;
109 108
110 debug3("%s entering", __func__); 109 debug3("%s entering", __func__);
111 110
112 res = atomicio(read, sock, buf, sizeof(buf)); 111 if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) {
113 if (res != sizeof(buf)) { 112 if (errno == EPIPE)
114 if (res == 0)
115 cleanup_exit(255); 113 cleanup_exit(255);
116 fatal("%s: read: %ld", __func__, (long)res); 114 fatal("%s: read: %s", __func__, strerror(errno));
117 } 115 }
118 msg_len = GET_32BIT(buf); 116 msg_len = GET_32BIT(buf);
119 if (msg_len > 256 * 1024) 117 if (msg_len > 256 * 1024)
120 fatal("%s: read: bad msg_len %d", __func__, msg_len); 118 fatal("%s: read: bad msg_len %d", __func__, msg_len);
121 buffer_clear(m); 119 buffer_clear(m);
122 buffer_append_space(m, msg_len); 120 buffer_append_space(m, msg_len);
123 res = atomicio(read, sock, buffer_ptr(m), msg_len); 121 if (atomicio(read, sock, buffer_ptr(m), msg_len) != msg_len)
124 if (res != msg_len) 122 fatal("%s: read: %s", __func__, strerror(errno));
125 fatal("%s: read: %ld != msg_len", __func__, (long)res);
126} 123}
127 124
128void 125void
@@ -767,7 +764,8 @@ mm_sshpam_query(void *ctx, char **name, char **info,
767 u_int *num, char ***prompts, u_int **echo_on) 764 u_int *num, char ***prompts, u_int **echo_on)
768{ 765{
769 Buffer m; 766 Buffer m;
770 int i, ret; 767 u_int i;
768 int ret;
771 769
772 debug3("%s", __func__); 770 debug3("%s", __func__);
773 buffer_init(&m); 771 buffer_init(&m);
@@ -793,7 +791,8 @@ int
793mm_sshpam_respond(void *ctx, u_int num, char **resp) 791mm_sshpam_respond(void *ctx, u_int num, char **resp)
794{ 792{
795 Buffer m; 793 Buffer m;
796 int i, ret; 794 u_int i;
795 int ret;
797 796
798 debug3("%s", __func__); 797 debug3("%s", __func__);
799 buffer_init(&m); 798 buffer_init(&m);
@@ -1223,6 +1222,7 @@ mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
1223{ 1222{
1224 Buffer m; 1223 Buffer m;
1225 OM_uint32 major; 1224 OM_uint32 major;
1225 u_int len;
1226 1226
1227 buffer_init(&m); 1227 buffer_init(&m);
1228 buffer_put_string(&m, data->value, data->length); 1228 buffer_put_string(&m, data->value, data->length);
@@ -1231,7 +1231,8 @@ mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
1231 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m); 1231 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m);
1232 1232
1233 major = buffer_get_int(&m); 1233 major = buffer_get_int(&m);
1234 hash->value = buffer_get_string(&m, &hash->length); 1234 hash->value = buffer_get_string(&m, &len);
1235 hash->length = len;
1235 1236
1236 buffer_free(&m); 1237 buffer_free(&m);
1237 1238
diff --git a/msg.c b/msg.c
index 30bc3f107..3e4c2882c 100644
--- a/msg.c
+++ b/msg.c
@@ -22,7 +22,7 @@
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 */ 23 */
24#include "includes.h" 24#include "includes.h"
25RCSID("$OpenBSD: msg.c,v 1.7 2003/11/17 09:45:39 djm Exp $"); 25RCSID("$OpenBSD: msg.c,v 1.8 2005/05/24 17:32:43 avsm Exp $");
26 26
27#include "buffer.h" 27#include "buffer.h"
28#include "getput.h" 28#include "getput.h"
@@ -55,15 +55,13 @@ int
55ssh_msg_recv(int fd, Buffer *m) 55ssh_msg_recv(int fd, Buffer *m)
56{ 56{
57 u_char buf[4]; 57 u_char buf[4];
58 ssize_t res;
59 u_int msg_len; 58 u_int msg_len;
60 59
61 debug3("ssh_msg_recv entering"); 60 debug3("ssh_msg_recv entering");
62 61
63 res = atomicio(read, fd, buf, sizeof(buf)); 62 if (atomicio(read, fd, buf, sizeof(buf)) != sizeof(buf)) {
64 if (res != sizeof(buf)) { 63 if (errno != EPIPE)
65 if (res != 0) 64 error("ssh_msg_recv: read: header");
66 error("ssh_msg_recv: read: header %ld", (long)res);
67 return (-1); 65 return (-1);
68 } 66 }
69 msg_len = GET_32BIT(buf); 67 msg_len = GET_32BIT(buf);
@@ -73,9 +71,8 @@ ssh_msg_recv(int fd, Buffer *m)
73 } 71 }
74 buffer_clear(m); 72 buffer_clear(m);
75 buffer_append_space(m, msg_len); 73 buffer_append_space(m, msg_len);
76 res = atomicio(read, fd, buffer_ptr(m), msg_len); 74 if (atomicio(read, fd, buffer_ptr(m), msg_len) != msg_len) {
77 if (res != msg_len) { 75 error("ssh_msg_recv: read: %s", strerror(errno));
78 error("ssh_msg_recv: read: %ld != msg_len", (long)res);
79 return (-1); 76 return (-1);
80 } 77 }
81 return (0); 78 return (0);
diff --git a/myproposal.h b/myproposal.h
index 228ed6882..d8cba1caf 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: myproposal.h,v 1.16 2004/06/13 12:53:24 djm Exp $ */ 1/* $OpenBSD: myproposal.h,v 1.18 2005/07/25 11:59:39 markus Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -28,14 +28,15 @@
28 "diffie-hellman-group1-sha1" 28 "diffie-hellman-group1-sha1"
29#define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss" 29#define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss"
30#define KEX_DEFAULT_ENCRYPT \ 30#define KEX_DEFAULT_ENCRYPT \
31 "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour," \ 31 "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
32 "arcfour128,arcfour256,arcfour," \
32 "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \ 33 "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
33 "aes128-ctr,aes192-ctr,aes256-ctr" 34 "aes128-ctr,aes192-ctr,aes256-ctr"
34#define KEX_DEFAULT_MAC \ 35#define KEX_DEFAULT_MAC \
35 "hmac-md5,hmac-sha1,hmac-ripemd160," \ 36 "hmac-md5,hmac-sha1,hmac-ripemd160," \
36 "hmac-ripemd160@openssh.com," \ 37 "hmac-ripemd160@openssh.com," \
37 "hmac-sha1-96,hmac-md5-96" 38 "hmac-sha1-96,hmac-md5-96"
38#define KEX_DEFAULT_COMP "none,zlib" 39#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
39#define KEX_DEFAULT_LANG "" 40#define KEX_DEFAULT_LANG ""
40 41
41 42
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 0f34f2240..6f5ee2845 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
1# $Id: Makefile.in,v 1.31 2004/08/15 08:41:00 djm Exp $ 1# $Id: Makefile.in,v 1.35 2005/08/26 20:15:20 tim Exp $
2 2
3sysconfdir=@sysconfdir@ 3sysconfdir=@sysconfdir@
4piddir=@piddir@ 4piddir=@piddir@
@@ -16,11 +16,11 @@ RANLIB=@RANLIB@
16INSTALL=@INSTALL@ 16INSTALL=@INSTALL@
17LDFLAGS=-L. @LDFLAGS@ 17LDFLAGS=-L. @LDFLAGS@
18 18
19OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtoul.o vis.o 19OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtonum.o strtoll.o strtoul.o vis.o
20 20
21COMPAT=bsd-arc4random.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o xmmap.o xcrypt.o 21COMPAT=bsd-arc4random.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
22 22
23PORTS=port-irix.o port-aix.o 23PORTS=port-irix.o port-aix.o port-uw.o
24 24
25.c.o: 25.c.o:
26 $(CC) $(CFLAGS) $(CPPFLAGS) -c $< 26 $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c
index f53abb6e2..b5e3cc52b 100644
--- a/openbsd-compat/bsd-cygwin_util.c
+++ b/openbsd-compat/bsd-cygwin_util.c
@@ -29,7 +29,7 @@
29 29
30#include "includes.h" 30#include "includes.h"
31 31
32RCSID("$Id: bsd-cygwin_util.c,v 1.13 2004/08/30 10:42:08 dtucker Exp $"); 32RCSID("$Id: bsd-cygwin_util.c,v 1.14 2005/05/25 09:42:11 dtucker Exp $");
33 33
34#ifdef HAVE_CYGWIN 34#ifdef HAVE_CYGWIN
35 35
@@ -247,6 +247,7 @@ static struct wenv {
247 { NL("COMMONPROGRAMFILES=") }, 247 { NL("COMMONPROGRAMFILES=") },
248 { NL("COMPUTERNAME=") }, 248 { NL("COMPUTERNAME=") },
249 { NL("COMSPEC=") }, 249 { NL("COMSPEC=") },
250 { NL("CYGWIN=") },
250 { NL("NUMBER_OF_PROCESSORS=") }, 251 { NL("NUMBER_OF_PROCESSORS=") },
251 { NL("OS=") }, 252 { NL("OS=") },
252 { NL("PATH=") }, 253 { NL("PATH=") },
@@ -260,7 +261,7 @@ static struct wenv {
260 { NL("SYSTEMROOT=") }, 261 { NL("SYSTEMROOT=") },
261 { NL("TMP=") }, 262 { NL("TMP=") },
262 { NL("TEMP=") }, 263 { NL("TEMP=") },
263 { NL("WINDIR=") }, 264 { NL("WINDIR=") }
264}; 265};
265 266
266char ** 267char **
@@ -269,7 +270,7 @@ fetch_windows_environment(void)
269 char **e, **p; 270 char **e, **p;
270 int i, idx = 0; 271 int i, idx = 0;
271 272
272 p = xmalloc(WENV_SIZ * sizeof(char *)); 273 p = xmalloc((WENV_SIZ + 1) * sizeof(char *));
273 for (e = environ; *e != NULL; ++e) { 274 for (e = environ; *e != NULL; ++e) {
274 for (i = 0; i < WENV_SIZ; ++i) { 275 for (i = 0; i < WENV_SIZ; ++i) {
275 if (!strncmp(*e, wenv_arr[i].name, wenv_arr[i].namelen)) 276 if (!strncmp(*e, wenv_arr[i].name, wenv_arr[i].namelen))
diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c
index 41f92cce9..6ba9bd986 100644
--- a/openbsd-compat/bsd-misc.c
+++ b/openbsd-compat/bsd-misc.c
@@ -18,7 +18,7 @@
18#include "includes.h" 18#include "includes.h"
19#include "xmalloc.h" 19#include "xmalloc.h"
20 20
21RCSID("$Id: bsd-misc.c,v 1.26 2005/02/25 23:07:38 dtucker Exp $"); 21RCSID("$Id: bsd-misc.c,v 1.27 2005/05/27 11:13:41 dtucker Exp $");
22 22
23#ifndef HAVE___PROGNAME 23#ifndef HAVE___PROGNAME
24char *__progname; 24char *__progname;
@@ -212,3 +212,21 @@ mysignal(int sig, mysig_t act)
212 return (signal(sig, act)); 212 return (signal(sig, act));
213#endif 213#endif
214} 214}
215
216#ifndef HAVE_STRDUP
217char *
218strdup(const char *str)
219{
220 size_t len;
221 char *cp;
222
223 len = strlen(str) + 1;
224 cp = malloc(len);
225 if (cp != NULL)
226 if (strlcpy(cp, str, len) != len) {
227 free(cp);
228 return NULL;
229 }
230 return cp;
231}
232#endif
diff --git a/openbsd-compat/fake-rfc2553.h b/openbsd-compat/fake-rfc2553.h
index 636792ed7..cbcf7f727 100644
--- a/openbsd-compat/fake-rfc2553.h
+++ b/openbsd-compat/fake-rfc2553.h
@@ -1,4 +1,4 @@
1/* $Id: fake-rfc2553.h,v 1.10 2005/02/11 07:32:13 dtucker Exp $ */ 1/* $Id: fake-rfc2553.h,v 1.12 2005/08/03 05:36:21 dtucker Exp $ */
2 2
3/* 3/*
4 * Copyright (C) 2000-2003 Damien Miller. All rights reserved. 4 * Copyright (C) 2000-2003 Damien Miller. All rights reserved.
@@ -114,10 +114,16 @@ struct sockaddr_in6 {
114#endif /* !NI_MAXHOST */ 114#endif /* !NI_MAXHOST */
115 115
116#ifndef EAI_NODATA 116#ifndef EAI_NODATA
117# define EAI_NODATA 1 117# define EAI_NODATA (INT_MAX - 1)
118# define EAI_MEMORY 2 118#endif
119# define EAI_NONAME 3 119#ifndef EAI_MEMORY
120# define EAI_SYSTEM 4 120# define EAI_MEMORY (INT_MAX - 2)
121#endif
122#ifndef EAI_NONAME
123# define EAI_NONAME (INT_MAX - 3)
124#endif
125#ifndef EAI_SYSTEM
126# define EAI_SYSTEM (INT_MAX - 4)
121#endif 127#endif
122 128
123#ifndef HAVE_STRUCT_ADDRINFO 129#ifndef HAVE_STRUCT_ADDRINFO
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
index 4e869c4df..2016ffe31 100644
--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
@@ -144,6 +144,8 @@ _getshort(msgp)
144 GETSHORT(u, msgp); 144 GETSHORT(u, msgp);
145 return (u); 145 return (u);
146} 146}
147#elif defined(HAVE_DECL__GETSHORT) && (HAVE_DECL__GETSHORT == 0)
148u_int16_t _getshort(register const u_char *);
147#endif 149#endif
148 150
149#ifndef HAVE__GETLONG 151#ifndef HAVE__GETLONG
@@ -156,6 +158,8 @@ _getlong(msgp)
156 GETLONG(u, msgp); 158 GETLONG(u, msgp);
157 return (u); 159 return (u);
158} 160}
161#elif defined(HAVE_DECL__GETLONG) && (HAVE_DECL__GETLONG == 0)
162u_int32_t _getlong(register const u_char *);
159#endif 163#endif
160 164
161int 165int
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index 89d1454e0..ba68bc27e 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
1/* $Id: openbsd-compat.h,v 1.26 2004/08/15 08:41:00 djm Exp $ */ 1/* $Id: openbsd-compat.h,v 1.30 2005/08/26 20:15:20 tim Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 1999-2003 Damien Miller. All rights reserved. 4 * Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@@ -152,6 +152,10 @@ int openpty(int *, int *, char *, struct termios *, struct winsize *);
152int snprintf(char *, size_t, const char *, ...); 152int snprintf(char *, size_t, const char *, ...);
153#endif 153#endif
154 154
155#ifndef HAVE_STRTONUM
156long long strtonum(const char *, long long, long long, const char **);
157#endif
158
155#ifndef HAVE_VSNPRINTF 159#ifndef HAVE_VSNPRINTF
156int vsnprintf(char *, size_t, const char *, va_list); 160int vsnprintf(char *, size_t, const char *, va_list);
157#endif 161#endif
@@ -169,5 +173,6 @@ char *shadow_pw(struct passwd *pw);
169#include "bsd-cygwin_util.h" 173#include "bsd-cygwin_util.h"
170#include "port-irix.h" 174#include "port-irix.h"
171#include "port-aix.h" 175#include "port-aix.h"
176#include "port-uw.h"
172 177
173#endif /* _OPENBSD_COMPAT_H */ 178#endif /* _OPENBSD_COMPAT_H */
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
new file mode 100644
index 000000000..b690e8fe6
--- /dev/null
+++ b/openbsd-compat/openssl-compat.c
@@ -0,0 +1,46 @@
1/* $Id: openssl-compat.c,v 1.2 2005/06/17 11:15:21 dtucker Exp $ */
2
3/*
4 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER
15 * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
16 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19#include "includes.h"
20
21#define SSH_DONT_REDEF_EVP
22#include "openssl-compat.h"
23
24#ifdef SSH_OLD_EVP
25int
26ssh_EVP_CipherInit(EVP_CIPHER_CTX *evp, const EVP_CIPHER *type,
27 unsigned char *key, unsigned char *iv, int enc)
28{
29 EVP_CipherInit(evp, type, key, iv, enc);
30 return 1;
31}
32
33int
34ssh_EVP_Cipher(EVP_CIPHER_CTX *evp, char *dst, char *src, int len)
35{
36 EVP_Cipher(evp, dst, src, len);
37 return 1;
38}
39
40int
41ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp)
42{
43 EVP_CIPHER_CTX_cleanup(evp);
44 return 1;
45}
46#endif
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
new file mode 100644
index 000000000..d9b2fa55f
--- /dev/null
+++ b/openbsd-compat/openssl-compat.h
@@ -0,0 +1,65 @@
1/* $Id: openssl-compat.h,v 1.1 2005/06/09 11:45:11 dtucker Exp $ */
2
3/*
4 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER
15 * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
16 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19#include "includes.h"
20#include <openssl/evp.h>
21
22#if OPENSSL_VERSION_NUMBER < 0x00906000L
23# define SSH_OLD_EVP
24# define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
25#endif
26
27#if OPENSSL_VERSION_NUMBER < 0x00907000L
28# define EVP_aes_128_cbc evp_rijndael
29# define EVP_aes_192_cbc evp_rijndael
30# define EVP_aes_256_cbc evp_rijndael
31extern const EVP_CIPHER *evp_rijndael(void);
32extern void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
33#endif
34
35#if !defined(EVP_CTRL_SET_ACSS_MODE)
36# if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
37# define USE_CIPHER_ACSS 1
38extern const EVP_CIPHER *evp_acss(void);
39# define EVP_acss evp_acss
40# else
41# define EVP_acss NULL
42# endif
43#endif
44
45/*
46 * insert comment here
47 */
48#ifdef SSH_OLD_EVP
49
50# ifndef SSH_DONT_REDEF_EVP
51
52# ifdef EVP_Cipher
53# undef EVP_Cipher
54# endif
55
56# define EVP_CipherInit(a,b,c,d,e) ssh_EVP_CipherInit((a),(b),(c),(d),(e))
57# define EVP_Cipher(a,b,c,d) ssh_EVP_Cipher((a),(b),(c),(d))
58# define EVP_CIPHER_CTX_cleanup(a) ssh_EVP_CIPHER_CTX_cleanup((a))
59# endif
60
61int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *,
62 unsigned char *, int);
63int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int);
64int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *);
65#endif
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index fa6a4ff7b..81d8124e0 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -1,7 +1,7 @@
1/* 1/*
2 * 2 *
3 * Copyright (c) 2001 Gert Doering. All rights reserved. 3 * Copyright (c) 2001 Gert Doering. All rights reserved.
4 * Copyright (c) 2003,2004 Darren Tucker. All rights reserved. 4 * Copyright (c) 2003,2004,2005 Darren Tucker. All rights reserved.
5 * 5 *
6 * Redistribution and use in source and binary forms, with or without 6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions 7 * modification, are permitted provided that the following conditions
@@ -42,14 +42,12 @@ static char old_registry[REGISTRY_SIZE] = "";
42# endif 42# endif
43 43
44/* 44/*
45 * AIX has a "usrinfo" area where logname and other stuff is stored - 45 * AIX has a "usrinfo" area where logname and other stuff is stored -
46 * a few applications actually use this and die if it's not set 46 * a few applications actually use this and die if it's not set
47 * 47 *
48 * NOTE: TTY= should be set, but since no one uses it and it's hard to 48 * NOTE: TTY= should be set, but since no one uses it and it's hard to
49 * acquire due to privsep code. We will just drop support. 49 * acquire due to privsep code. We will just drop support.
50 */ 50 */
51
52
53void 51void
54aix_usrinfo(struct passwd *pw) 52aix_usrinfo(struct passwd *pw)
55{ 53{
@@ -60,7 +58,7 @@ aix_usrinfo(struct passwd *pw)
60 len = sizeof("LOGNAME= NAME= ") + (2 * strlen(pw->pw_name)); 58 len = sizeof("LOGNAME= NAME= ") + (2 * strlen(pw->pw_name));
61 cp = xmalloc(len); 59 cp = xmalloc(len);
62 60
63 i = snprintf(cp, len, "LOGNAME=%s%cNAME=%s%c", pw->pw_name, '\0', 61 i = snprintf(cp, len, "LOGNAME=%s%cNAME=%s%c", pw->pw_name, '\0',
64 pw->pw_name, '\0'); 62 pw->pw_name, '\0');
65 if (usrinfo(SETUINFO, cp, i) == -1) 63 if (usrinfo(SETUINFO, cp, i) == -1)
66 fatal("Couldn't set usrinfo: %s", strerror(errno)); 64 fatal("Couldn't set usrinfo: %s", strerror(errno));
@@ -151,16 +149,16 @@ aix_valid_authentications(const char *user)
151 * returns 0. 149 * returns 0.
152 */ 150 */
153int 151int
154sys_auth_passwd(Authctxt *ctxt, const char *password, Buffer *loginmsg) 152sys_auth_passwd(Authctxt *ctxt, const char *password)
155{ 153{
156 char *authmsg = NULL, *msg, *name = ctxt->pw->pw_name; 154 char *authmsg = NULL, *msg = NULL, *name = ctxt->pw->pw_name;
157 int authsuccess = 0, expired, reenter, result; 155 int authsuccess = 0, expired, reenter, result;
158 156
159 do { 157 do {
160 result = authenticate((char *)name, (char *)password, &reenter, 158 result = authenticate((char *)name, (char *)password, &reenter,
161 &authmsg); 159 &authmsg);
162 aix_remove_embedded_newlines(authmsg); 160 aix_remove_embedded_newlines(authmsg);
163 debug3("AIX/authenticate result %d, msg %.100s", result, 161 debug3("AIX/authenticate result %d, authmsg %.100s", result,
164 authmsg); 162 authmsg);
165 } while (reenter); 163 } while (reenter);
166 164
@@ -170,7 +168,7 @@ sys_auth_passwd(Authctxt *ctxt, const char *password, Buffer *loginmsg)
170 if (result == 0) { 168 if (result == 0) {
171 authsuccess = 1; 169 authsuccess = 1;
172 170
173 /* 171 /*
174 * Record successful login. We don't have a pty yet, so just 172 * Record successful login. We don't have a pty yet, so just
175 * label the line as "ssh" 173 * label the line as "ssh"
176 */ 174 */
@@ -181,7 +179,7 @@ sys_auth_passwd(Authctxt *ctxt, const char *password, Buffer *loginmsg)
181 */ 179 */
182 expired = passwdexpired(name, &msg); 180 expired = passwdexpired(name, &msg);
183 if (msg && *msg) { 181 if (msg && *msg) {
184 buffer_append(loginmsg, msg, strlen(msg)); 182 buffer_append(ctxt->loginmsg, msg, strlen(msg));
185 aix_remove_embedded_newlines(msg); 183 aix_remove_embedded_newlines(msg);
186 } 184 }
187 debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg); 185 debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg);
@@ -257,7 +255,7 @@ int
257sys_auth_record_login(const char *user, const char *host, const char *ttynm, 255sys_auth_record_login(const char *user, const char *host, const char *ttynm,
258 Buffer *loginmsg) 256 Buffer *loginmsg)
259{ 257{
260 char *msg; 258 char *msg = NULL;
261 int success = 0; 259 int success = 0;
262 260
263 aix_setauthdb(user); 261 aix_setauthdb(user);
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index a05ce9703..37b2c12b0 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -1,8 +1,9 @@
1/* $Id: port-aix.h,v 1.24 2005/02/16 11:49:31 dtucker Exp $ */ 1/* $Id: port-aix.h,v 1.26 2005/05/28 10:28:40 dtucker Exp $ */
2 2
3/* 3/*
4 * 4 *
5 * Copyright (c) 2001 Gert Doering. All rights reserved. 5 * Copyright (c) 2001 Gert Doering. All rights reserved.
6 * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved.
6 * 7 *
7 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -47,21 +48,23 @@
47 48
48/* These should be in the system headers but are not. */ 49/* These should be in the system headers but are not. */
49int usrinfo(int, char *, int); 50int usrinfo(int, char *, int);
51#if defined(HAVE_DECL_SETAUTHDB) && (HAVE_DECL_SETAUTHDB == 0)
50int setauthdb(const char *, char *); 52int setauthdb(const char *, char *);
53#endif
51/* these may or may not be in the headers depending on the version */ 54/* these may or may not be in the headers depending on the version */
52#if (HAVE_DECL_AUTHENTICATE == 0) 55#if defined(HAVE_DECL_AUTHENTICATE) && (HAVE_DECL_AUTHENTICATE == 0)
53int authenticate(char *, char *, int *, char **); 56int authenticate(char *, char *, int *, char **);
54#endif 57#endif
55#if (HAVE_DECL_LOGINFAILED == 0) 58#if defined(HAVE_DECL_LOGINFAILED) && (HAVE_DECL_LOGINFAILED == 0)
56int loginfailed(char *, char *, char *); 59int loginfailed(char *, char *, char *);
57#endif 60#endif
58#if (HAVE_DECL_LOGINRESTRICTIONS == 0) 61#if defined(HAVE_DECL_LOGINRESTRICTIONS) && (HAVE_DECL_LOGINRESTRICTIONS == 0)
59int loginrestrictions(char *, int, char *, char **); 62int loginrestrictions(char *, int, char *, char **);
60#endif 63#endif
61#if (HAVE_DECL_LOGINSUCCESS == 0) 64#if defined(HAVE_DECL_LOGINSUCCESS) && (HAVE_DECL_LOGINSUCCESS == 0)
62int loginsuccess(char *, char *, char *, char **); 65int loginsuccess(char *, char *, char *, char **);
63#endif 66#endif
64#if (HAVE_DECL_PASSWDEXPIRED == 0) 67#if defined(HAVE_DECL_PASSWDEXPIRED) && (HAVE_DECL_PASSWDEXPIRED == 0)
65int passwdexpired(char *, char **); 68int passwdexpired(char *, char **);
66#endif 69#endif
67 70
diff --git a/openbsd-compat/port-uw.c b/openbsd-compat/port-uw.c
new file mode 100644
index 000000000..d881ff028
--- /dev/null
+++ b/openbsd-compat/port-uw.c
@@ -0,0 +1,134 @@
1/*
2 * Copyright (c) 2005 The SCO Group. All rights reserved.
3 * Copyright (c) 2005 Tim Rice. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26#include "includes.h"
27
28#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
29#ifdef HAVE_CRYPT_H
30#include <crypt.h>
31#endif
32#include "packet.h"
33#include "buffer.h"
34#include "log.h"
35#include "servconf.h"
36#include "auth.h"
37#include "auth-options.h"
38
39int nischeck(char *);
40
41int
42sys_auth_passwd(Authctxt *authctxt, const char *password)
43{
44 struct passwd *pw = authctxt->pw;
45 char *encrypted_password;
46 char *salt;
47 int result;
48
49 /* Just use the supplied fake password if authctxt is invalid */
50 char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
51
52 /* Check for users with no password. */
53 if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
54 return (1);
55
56 /* Encrypt the candidate password using the proper salt. */
57 salt = (pw_password[0] && pw_password[1]) ? pw_password : "xx";
58#ifdef UNIXWARE_LONG_PASSWORDS
59 if (!nischeck(pw->pw_name))
60 encrypted_password = bigcrypt(password, salt);
61 else
62#endif /* UNIXWARE_LONG_PASSWORDS */
63 encrypted_password = xcrypt(password, salt);
64
65 /*
66 * Authentication is accepted if the encrypted passwords
67 * are identical.
68 */
69 result = (strcmp(encrypted_password, pw_password) == 0);
70
71 if (authctxt->valid)
72 free(pw_password);
73 return(result);
74}
75
76#ifdef UNIXWARE_LONG_PASSWORDS
77int
78nischeck(char *namep)
79{
80 char password_file[] = "/etc/passwd";
81 FILE *fd;
82 struct passwd *ent = NULL;
83
84 if ((fd = fopen (password_file, "r")) == NULL) {
85 /*
86 * If the passwd file has dissapeared we are in a bad state.
87 * However, returning 0 will send us back through the
88 * authentication scheme that has checked the ia database for
89 * passwords earlier.
90 */
91 return(0);
92 }
93
94 /*
95 * fgetpwent() only reads from password file, so we know for certain
96 * that the user is local.
97 */
98 while (ent = fgetpwent(fd)) {
99 if (strcmp (ent->pw_name, namep) == 0) {
100 /* Local user */
101 fclose (fd);
102 return(0);
103 }
104 }
105
106 fclose (fd);
107 return (1);
108}
109
110#endif /* UNIXWARE_LONG_PASSWORDS */
111
112/*
113 NOTE: ia_get_logpwd() allocates memory for arg 2
114 functions that call shadow_pw() will need to free
115 */
116
117char *
118get_iaf_password(struct passwd *pw)
119{
120 char *pw_password = NULL;
121
122 uinfo_t uinfo;
123 if (!ia_openinfo(pw->pw_name,&uinfo)) {
124 ia_get_logpwd(uinfo, &pw_password);
125 if (pw_password == NULL)
126 fatal("ia_get_logpwd: Unable to get the shadow passwd");
127 ia_closeinfo(uinfo);
128 return pw_password;
129 }
130 else
131 fatal("ia_openinfo: Unable to open the shadow passwd file");
132}
133#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
134
diff --git a/openbsd-compat/port-uw.h b/openbsd-compat/port-uw.h
new file mode 100644
index 000000000..3589b2e44
--- /dev/null
+++ b/openbsd-compat/port-uw.h
@@ -0,0 +1,30 @@
1/*
2 * Copyright (c) 2005 Tim Rice. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 */
24
25#include "includes.h"
26
27#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
28char * get_iaf_password(struct passwd *pw);
29#endif
30
diff --git a/openbsd-compat/readpassphrase.c b/openbsd-compat/readpassphrase.c
index 4ee1be5de..eb060bdbf 100644
--- a/openbsd-compat/readpassphrase.c
+++ b/openbsd-compat/readpassphrase.c
@@ -137,8 +137,11 @@ restart:
137 (void)write(output, "\n", 1); 137 (void)write(output, "\n", 1);
138 138
139 /* Restore old terminal settings and signals. */ 139 /* Restore old terminal settings and signals. */
140 if (memcmp(&term, &oterm, sizeof(term)) != 0) 140 if (memcmp(&term, &oterm, sizeof(term)) != 0) {
141 (void)tcsetattr(input, _T_FLUSH, &oterm); 141 while (tcsetattr(input, _T_FLUSH, &oterm) == -1 &&
142 errno == EINTR)
143 continue;
144 }
142 (void)sigaction(SIGALRM, &savealrm, NULL); 145 (void)sigaction(SIGALRM, &savealrm, NULL);
143 (void)sigaction(SIGHUP, &savehup, NULL); 146 (void)sigaction(SIGHUP, &savehup, NULL);
144 (void)sigaction(SIGINT, &saveint, NULL); 147 (void)sigaction(SIGINT, &saveint, NULL);
diff --git a/openbsd-compat/realpath.c b/openbsd-compat/realpath.c
index 7f73bd998..8430bec24 100644
--- a/openbsd-compat/realpath.c
+++ b/openbsd-compat/realpath.c
@@ -1,11 +1,7 @@
1/* OPENBSD ORIGINAL: lib/libc/stdlib/realpath.c */ 1/* OPENBSD ORIGINAL: lib/libc/stdlib/realpath.c */
2 2
3/* 3/*
4 * Copyright (c) 1994 4 * Copyright (c) 2003 Constantin S. Svintsoff <kostik@iclub.nsu.ru>
5 * The Regents of the University of California. All rights reserved.
6 *
7 * This code is derived from software contributed to Berkeley by
8 * Jan-Simon Pendry.
9 * 5 *
10 * Redistribution and use in source and binary forms, with or without 6 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions 7 * modification, are permitted provided that the following conditions
@@ -15,14 +11,14 @@
15 * 2. Redistributions in binary form must reproduce the above copyright 11 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the 12 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution. 13 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the University nor the names of its contributors 14 * 3. The names of the authors may not be used to endorse or promote
19 * may be used to endorse or promote products derived from this software 15 * products derived from this software without specific prior written
20 * without specific prior written permission. 16 * permission.
21 * 17 *
22 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@@ -36,169 +32,165 @@
36 32
37#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) 33#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
38 34
39#if defined(LIBC_SCCS) && !defined(lint)
40static char *rcsid = "$OpenBSD: realpath.c,v 1.11 2004/11/30 15:12:59 millert Exp $";
41#endif /* LIBC_SCCS and not lint */
42
43#include <sys/param.h> 35#include <sys/param.h>
44#include <sys/stat.h> 36#include <sys/stat.h>
45 37
46#include <errno.h> 38#include <errno.h>
47#include <fcntl.h>
48#include <stdlib.h> 39#include <stdlib.h>
49#include <string.h> 40#include <string.h>
50#include <unistd.h> 41#include <unistd.h>
51 42
52/* 43/*
53 * MAXSYMLINKS 44 * char *realpath(const char *path, char resolved[PATH_MAX]);
54 */
55#ifndef MAXSYMLINKS
56#define MAXSYMLINKS 5
57#endif
58
59/*
60 * char *realpath(const char *path, char resolved_path[MAXPATHLEN]);
61 * 45 *
62 * Find the real name of path, by removing all ".", ".." and symlink 46 * Find the real name of path, by removing all ".", ".." and symlink
63 * components. Returns (resolved) on success, or (NULL) on failure, 47 * components. Returns (resolved) on success, or (NULL) on failure,
64 * in which case the path which caused trouble is left in (resolved). 48 * in which case the path which caused trouble is left in (resolved).
65 */ 49 */
66char * 50char *
67realpath(const char *path, char *resolved) 51realpath(const char *path, char resolved[PATH_MAX])
68{ 52{
69 struct stat sb; 53 struct stat sb;
70 int fd, n, needslash, serrno; 54 char *p, *q, *s;
71 char *p, *q, wbuf[MAXPATHLEN]; 55 size_t left_len, resolved_len;
72 int symlinks = 0; 56 unsigned symlinks;
73 57 int serrno, slen;
74 /* Save the starting point. */ 58 char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX];
75#ifndef HAVE_FCHDIR 59
76 char start[MAXPATHLEN]; 60 serrno = errno;
77 /* this is potentially racy but without fchdir we have no option */ 61 symlinks = 0;
78 if (getcwd(start, sizeof(start)) == NULL) { 62 if (path[0] == '/') {
79 resolved[0] = '.'; 63 resolved[0] = '/';
80 resolved[1] = '\0'; 64 resolved[1] = '\0';
81 return (NULL); 65 if (path[1] == '\0')
66 return (resolved);
67 resolved_len = 1;
68 left_len = strlcpy(left, path + 1, sizeof(left));
69 } else {
70 if (getcwd(resolved, PATH_MAX) == NULL) {
71 strlcpy(resolved, ".", PATH_MAX);
72 return (NULL);
73 }
74 resolved_len = strlen(resolved);
75 left_len = strlcpy(left, path, sizeof(left));
82 } 76 }
83#endif 77 if (left_len >= sizeof(left) || resolved_len >= PATH_MAX) {
84 if ((fd = open(".", O_RDONLY)) < 0) { 78 errno = ENAMETOOLONG;
85 resolved[0] = '.';
86 resolved[1] = '\0';
87 return (NULL); 79 return (NULL);
88 } 80 }
89 81
90 /* Convert "." -> "" to optimize away a needless lstat() and chdir() */
91 if (path[0] == '.' && path[1] == '\0')
92 path = "";
93
94 /* 82 /*
95 * Find the dirname and basename from the path to be resolved. 83 * Iterate over path components in `left'.
96 * Change directory to the dirname component.
97 * lstat the basename part.
98 * if it is a symlink, read in the value and loop.
99 * if it is a directory, then change to that directory.
100 * get the current directory name and append the basename.
101 */ 84 */
102 if (strlcpy(resolved, path, MAXPATHLEN) >= MAXPATHLEN) { 85 while (left_len != 0) {
103 serrno = ENAMETOOLONG; 86 /*
104 goto err2; 87 * Extract the next path component and adjust `left'
105 } 88 * and its length.
106loop: 89 */
107 q = strrchr(resolved, '/'); 90 p = strchr(left, '/');
108 if (q != NULL) { 91 s = p ? p : left + left_len;
109 p = q + 1; 92 if (s - left >= sizeof(next_token)) {
110 if (q == resolved) 93 errno = ENAMETOOLONG;
111 q = "/"; 94 return (NULL);
112 else {
113 do {
114 --q;
115 } while (q > resolved && *q == '/');
116 q[1] = '\0';
117 q = resolved;
118 } 95 }
119 if (chdir(q) < 0) 96 memcpy(next_token, left, s - left);
120 goto err1; 97 next_token[s - left] = '\0';
121 } else 98 left_len -= s - left;
122 p = resolved; 99 if (p != NULL)
123 100 memmove(left, s + 1, left_len + 1);
124 /* Deal with the last component. */ 101 if (resolved[resolved_len - 1] != '/') {
125 if (*p != '\0' && lstat(p, &sb) == 0) { 102 if (resolved_len + 1 >= PATH_MAX) {
126 if (S_ISLNK(sb.st_mode)) { 103 errno = ENAMETOOLONG;
127 if (++symlinks > MAXSYMLINKS) { 104 return (NULL);
128 errno = ELOOP;
129 goto err1;
130 } 105 }
131 if ((n = readlink(p, resolved, MAXPATHLEN-1)) < 0) 106 resolved[resolved_len++] = '/';
132 goto err1; 107 resolved[resolved_len] = '\0';
133 resolved[n] = '\0';
134 goto loop;
135 } 108 }
136 if (S_ISDIR(sb.st_mode)) { 109 if (next_token[0] == '\0')
137 if (chdir(p) < 0) 110 continue;
138 goto err1; 111 else if (strcmp(next_token, ".") == 0)
139 p = ""; 112 continue;
113 else if (strcmp(next_token, "..") == 0) {
114 /*
115 * Strip the last path component except when we have
116 * single "/"
117 */
118 if (resolved_len > 1) {
119 resolved[resolved_len - 1] = '\0';
120 q = strrchr(resolved, '/') + 1;
121 *q = '\0';
122 resolved_len = q - resolved;
123 }
124 continue;
140 } 125 }
141 }
142
143 /*
144 * Save the last component name and get the full pathname of
145 * the current directory.
146 */
147 if (strlcpy(wbuf, p, sizeof(wbuf)) >= sizeof(wbuf)) {
148 errno = ENAMETOOLONG;
149 goto err1;
150 }
151 if (getcwd(resolved, MAXPATHLEN) == NULL)
152 goto err1;
153
154 /*
155 * Join the two strings together, ensuring that the right thing
156 * happens if the last component is empty, or the dirname is root.
157 */
158 if (resolved[0] == '/' && resolved[1] == '\0')
159 needslash = 0;
160 else
161 needslash = 1;
162 126
163 if (*wbuf) { 127 /*
164 if (strlen(resolved) + strlen(wbuf) + needslash >= MAXPATHLEN) { 128 * Append the next path component and lstat() it. If
129 * lstat() fails we still can return successfully if
130 * there are no more path components left.
131 */
132 resolved_len = strlcat(resolved, next_token, PATH_MAX);
133 if (resolved_len >= PATH_MAX) {
165 errno = ENAMETOOLONG; 134 errno = ENAMETOOLONG;
166 goto err1; 135 return (NULL);
167 } 136 }
168 if (needslash) { 137 if (lstat(resolved, &sb) != 0) {
169 if (strlcat(resolved, "/", MAXPATHLEN) >= MAXPATHLEN) { 138 if (errno == ENOENT && p == NULL) {
170 errno = ENAMETOOLONG; 139 errno = serrno;
171 goto err1; 140 return (resolved);
172 } 141 }
142 return (NULL);
173 } 143 }
174 if (strlcat(resolved, wbuf, MAXPATHLEN) >= MAXPATHLEN) { 144 if (S_ISLNK(sb.st_mode)) {
175 errno = ENAMETOOLONG; 145 if (symlinks++ > MAXSYMLINKS) {
176 goto err1; 146 errno = ELOOP;
177 } 147 return (NULL);
178 } 148 }
149 slen = readlink(resolved, symlink, sizeof(symlink) - 1);
150 if (slen < 0)
151 return (NULL);
152 symlink[slen] = '\0';
153 if (symlink[0] == '/') {
154 resolved[1] = 0;
155 resolved_len = 1;
156 } else if (resolved_len > 1) {
157 /* Strip the last path component. */
158 resolved[resolved_len - 1] = '\0';
159 q = strrchr(resolved, '/') + 1;
160 *q = '\0';
161 resolved_len = q - resolved;
162 }
179 163
180 /* Go back to where we came from. */ 164 /*
181#ifdef HAVE_FCHDIR 165 * If there are any path components left, then
182 if (fchdir(fd) < 0) { 166 * append them to symlink. The result is placed
183#else 167 * in `left'.
184 if (chdir(start) < 0) { 168 */
185#endif 169 if (p != NULL) {
186 serrno = errno; 170 if (symlink[slen - 1] != '/') {
187 goto err2; 171 if (slen + 1 >= sizeof(symlink)) {
172 errno = ENAMETOOLONG;
173 return (NULL);
174 }
175 symlink[slen] = '/';
176 symlink[slen + 1] = 0;
177 }
178 left_len = strlcat(symlink, left, sizeof(left));
179 if (left_len >= sizeof(left)) {
180 errno = ENAMETOOLONG;
181 return (NULL);
182 }
183 }
184 left_len = strlcpy(left, symlink, sizeof(left));
185 }
188 } 186 }
189 187
190 /* It's okay if the close fails, what's an fd more or less? */ 188 /*
191 (void)close(fd); 189 * Remove trailing slash except when the resolved pathname
190 * is a single "/".
191 */
192 if (resolved_len > 1 && resolved[resolved_len - 1] == '/')
193 resolved[resolved_len - 1] = '\0';
192 return (resolved); 194 return (resolved);
193
194err1: serrno = errno;
195#ifdef HAVE_FCHDIR
196 (void)fchdir(fd);
197#else
198 chdir(start);
199#endif
200err2: (void)close(fd);
201 errno = serrno;
202 return (NULL);
203} 195}
204#endif /* !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) */ 196#endif /* !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) */
diff --git a/openbsd-compat/strtoll.c b/openbsd-compat/strtoll.c
new file mode 100644
index 000000000..60c276f8a
--- /dev/null
+++ b/openbsd-compat/strtoll.c
@@ -0,0 +1,151 @@
1/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoll.c */
2
3/*-
4 * Copyright (c) 1992 The Regents of the University of California.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the University nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32#include "includes.h"
33#ifndef HAVE_STRTOLL
34
35#if defined(LIBC_SCCS) && !defined(lint)
36static const char rcsid[] = "$OpenBSD: strtoll.c,v 1.4 2005/03/30 18:51:49 pat Exp $";
37#endif /* LIBC_SCCS and not lint */
38
39#include <sys/types.h>
40
41#include <ctype.h>
42#include <errno.h>
43#include <limits.h>
44#include <stdlib.h>
45
46/*
47 * Convert a string to a long long.
48 *
49 * Ignores `locale' stuff. Assumes that the upper and lower case
50 * alphabets and digits are each contiguous.
51 */
52long long
53strtoll(const char *nptr, char **endptr, int base)
54{
55 const char *s;
56 long long acc, cutoff;
57 int c;
58 int neg, any, cutlim;
59
60 /*
61 * Skip white space and pick up leading +/- sign if any.
62 * If base is 0, allow 0x for hex and 0 for octal, else
63 * assume decimal; if base is already 16, allow 0x.
64 */
65 s = nptr;
66 do {
67 c = (unsigned char) *s++;
68 } while (isspace(c));
69 if (c == '-') {
70 neg = 1;
71 c = *s++;
72 } else {
73 neg = 0;
74 if (c == '+')
75 c = *s++;
76 }
77 if ((base == 0 || base == 16) &&
78 c == '0' && (*s == 'x' || *s == 'X')) {
79 c = s[1];
80 s += 2;
81 base = 16;
82 }
83 if (base == 0)
84 base = c == '0' ? 8 : 10;
85
86 /*
87 * Compute the cutoff value between legal numbers and illegal
88 * numbers. That is the largest legal value, divided by the
89 * base. An input number that is greater than this value, if
90 * followed by a legal input character, is too big. One that
91 * is equal to this value may be valid or not; the limit
92 * between valid and invalid numbers is then based on the last
93 * digit. For instance, if the range for long longs is
94 * [-9223372036854775808..9223372036854775807] and the input base
95 * is 10, cutoff will be set to 922337203685477580 and cutlim to
96 * either 7 (neg==0) or 8 (neg==1), meaning that if we have
97 * accumulated a value > 922337203685477580, or equal but the
98 * next digit is > 7 (or 8), the number is too big, and we will
99 * return a range error.
100 *
101 * Set any if any `digits' consumed; make it negative to indicate
102 * overflow.
103 */
104 cutoff = neg ? LLONG_MIN : LLONG_MAX;
105 cutlim = cutoff % base;
106 cutoff /= base;
107 if (neg) {
108 if (cutlim > 0) {
109 cutlim -= base;
110 cutoff += 1;
111 }
112 cutlim = -cutlim;
113 }
114 for (acc = 0, any = 0;; c = (unsigned char) *s++) {
115 if (isdigit(c))
116 c -= '0';
117 else if (isalpha(c))
118 c -= isupper(c) ? 'A' - 10 : 'a' - 10;
119 else
120 break;
121 if (c >= base)
122 break;
123 if (any < 0)
124 continue;
125 if (neg) {
126 if (acc < cutoff || (acc == cutoff && c > cutlim)) {
127 any = -1;
128 acc = LLONG_MIN;
129 errno = ERANGE;
130 } else {
131 any = 1;
132 acc *= base;
133 acc -= c;
134 }
135 } else {
136 if (acc > cutoff || (acc == cutoff && c > cutlim)) {
137 any = -1;
138 acc = LLONG_MAX;
139 errno = ERANGE;
140 } else {
141 any = 1;
142 acc *= base;
143 acc += c;
144 }
145 }
146 }
147 if (endptr != 0)
148 *endptr = (char *) (any ? s - 1 : nptr);
149 return (acc);
150}
151#endif /* HAVE_STRTOLL */
diff --git a/openbsd-compat/strtonum.c b/openbsd-compat/strtonum.c
new file mode 100644
index 000000000..b681ed83b
--- /dev/null
+++ b/openbsd-compat/strtonum.c
@@ -0,0 +1,69 @@
1/* OPENBSD ORIGINAL: lib/libc/stdlib/strtonum.c */
2
3/* $OpenBSD: strtonum.c,v 1.6 2004/08/03 19:38:01 millert Exp $ */
4
5/*
6 * Copyright (c) 2004 Ted Unangst and Todd Miller
7 * All rights reserved.
8 *
9 * Permission to use, copy, modify, and distribute this software for any
10 * purpose with or without fee is hereby granted, provided that the above
11 * copyright notice and this permission notice appear in all copies.
12 *
13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 */
21
22#include "includes.h"
23#ifndef HAVE_STRTONUM
24#include <limits.h>
25
26#define INVALID 1
27#define TOOSMALL 2
28#define TOOLARGE 3
29
30long long
31strtonum(const char *numstr, long long minval, long long maxval,
32 const char **errstrp)
33{
34 long long ll = 0;
35 char *ep;
36 int error = 0;
37 struct errval {
38 const char *errstr;
39 int err;
40 } ev[4] = {
41 { NULL, 0 },
42 { "invalid", EINVAL },
43 { "too small", ERANGE },
44 { "too large", ERANGE },
45 };
46
47 ev[0].err = errno;
48 errno = 0;
49 if (minval > maxval)
50 error = INVALID;
51 else {
52 ll = strtoll(numstr, &ep, 10);
53 if (numstr == ep || *ep != '\0')
54 error = INVALID;
55 else if ((ll == LLONG_MIN && errno == ERANGE) || ll < minval)
56 error = TOOSMALL;
57 else if ((ll == LLONG_MAX && errno == ERANGE) || ll > maxval)
58 error = TOOLARGE;
59 }
60 if (errstrp != NULL)
61 *errstrp = ev[error].errstr;
62 errno = ev[error].err;
63 if (error)
64 ll = 0;
65
66 return (ll);
67}
68
69#endif /* HAVE_STRTONUM */
diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
index c3cea3c86..9afa0b9f2 100644
--- a/openbsd-compat/xcrypt.c
+++ b/openbsd-compat/xcrypt.c
@@ -93,6 +93,11 @@ shadow_pw(struct passwd *pw)
93 if (spw != NULL) 93 if (spw != NULL)
94 pw_password = spw->sp_pwdp; 94 pw_password = spw->sp_pwdp;
95# endif 95# endif
96
97#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
98 return(get_iaf_password(pw));
99#endif
100
96# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) 101# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
97 struct passwd_adjunct *spw; 102 struct passwd_adjunct *spw;
98 if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL) 103 if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
diff --git a/packet.c b/packet.c
index 7c150fde7..70e0110cb 100644
--- a/packet.c
+++ b/packet.c
@@ -37,7 +37,7 @@
37 */ 37 */
38 38
39#include "includes.h" 39#include "includes.h"
40RCSID("$OpenBSD: packet.c,v 1.116 2004/10/20 11:48:53 markus Exp $"); 40RCSID("$OpenBSD: packet.c,v 1.119 2005/07/28 17:36:22 markus Exp $");
41 41
42#include "openbsd-compat/sys-queue.h" 42#include "openbsd-compat/sys-queue.h"
43 43
@@ -116,6 +116,12 @@ static int initialized = 0;
116/* Set to true if the connection is interactive. */ 116/* Set to true if the connection is interactive. */
117static int interactive_mode = 0; 117static int interactive_mode = 0;
118 118
119/* Set to true if we are the server side. */
120static int server_side = 0;
121
122/* Set to true if we are authenticated. */
123static int after_authentication = 0;
124
119/* Session key information for Encryption and MAC */ 125/* Session key information for Encryption and MAC */
120Newkeys *newkeys[MODE_MAX]; 126Newkeys *newkeys[MODE_MAX];
121static struct packet_state { 127static struct packet_state {
@@ -624,7 +630,9 @@ set_newkeys(int mode)
624 /* Deleting the keys does not gain extra security */ 630 /* Deleting the keys does not gain extra security */
625 /* memset(enc->iv, 0, enc->block_size); 631 /* memset(enc->iv, 0, enc->block_size);
626 memset(enc->key, 0, enc->key_len); */ 632 memset(enc->key, 0, enc->key_len); */
627 if (comp->type != 0 && comp->enabled == 0) { 633 if ((comp->type == COMP_ZLIB ||
634 (comp->type == COMP_DELAYED && after_authentication)) &&
635 comp->enabled == 0) {
628 packet_init_compression(); 636 packet_init_compression();
629 if (mode == MODE_OUT) 637 if (mode == MODE_OUT)
630 buffer_compress_init_send(6); 638 buffer_compress_init_send(6);
@@ -645,6 +653,35 @@ set_newkeys(int mode)
645} 653}
646 654
647/* 655/*
656 * Delayed compression for SSH2 is enabled after authentication:
657 * This happans on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent,
658 * and on the client side after a SSH2_MSG_USERAUTH_SUCCESS is received.
659 */
660static void
661packet_enable_delayed_compress(void)
662{
663 Comp *comp = NULL;
664 int mode;
665
666 /*
667 * Remember that we are past the authentication step, so rekeying
668 * with COMP_DELAYED will turn on compression immediately.
669 */
670 after_authentication = 1;
671 for (mode = 0; mode < MODE_MAX; mode++) {
672 comp = &newkeys[mode]->comp;
673 if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
674 packet_init_compression();
675 if (mode == MODE_OUT)
676 buffer_compress_init_send(6);
677 else
678 buffer_compress_init_recv();
679 comp->enabled = 1;
680 }
681 }
682}
683
684/*
648 * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue) 685 * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
649 */ 686 */
650static void 687static void
@@ -757,6 +794,8 @@ packet_send2_wrapped(void)
757 794
758 if (type == SSH2_MSG_NEWKEYS) 795 if (type == SSH2_MSG_NEWKEYS)
759 set_newkeys(MODE_OUT); 796 set_newkeys(MODE_OUT);
797 else if (type == SSH2_MSG_USERAUTH_SUCCESS && server_side)
798 packet_enable_delayed_compress();
760} 799}
761 800
762static void 801static void
@@ -992,7 +1031,7 @@ packet_read_poll2(u_int32_t *seqnr_p)
992 static u_int packet_length = 0; 1031 static u_int packet_length = 0;
993 u_int padlen, need; 1032 u_int padlen, need;
994 u_char *macbuf, *cp, type; 1033 u_char *macbuf, *cp, type;
995 int maclen, block_size; 1034 u_int maclen, block_size;
996 Enc *enc = NULL; 1035 Enc *enc = NULL;
997 Mac *mac = NULL; 1036 Mac *mac = NULL;
998 Comp *comp = NULL; 1037 Comp *comp = NULL;
@@ -1099,6 +1138,8 @@ packet_read_poll2(u_int32_t *seqnr_p)
1099 packet_disconnect("Invalid ssh2 packet type: %d", type); 1138 packet_disconnect("Invalid ssh2 packet type: %d", type);
1100 if (type == SSH2_MSG_NEWKEYS) 1139 if (type == SSH2_MSG_NEWKEYS)
1101 set_newkeys(MODE_IN); 1140 set_newkeys(MODE_IN);
1141 else if (type == SSH2_MSG_USERAUTH_SUCCESS && !server_side)
1142 packet_enable_delayed_compress();
1102#ifdef PACKET_DEBUG 1143#ifdef PACKET_DEBUG
1103 fprintf(stderr, "read/plain[%d]:\r\n", type); 1144 fprintf(stderr, "read/plain[%d]:\r\n", type);
1104 buffer_dump(&incoming_packet); 1145 buffer_dump(&incoming_packet);
@@ -1229,9 +1270,9 @@ packet_get_bignum2(BIGNUM * value)
1229} 1270}
1230 1271
1231void * 1272void *
1232packet_get_raw(int *length_ptr) 1273packet_get_raw(u_int *length_ptr)
1233{ 1274{
1234 int bytes = buffer_len(&incoming_packet); 1275 u_int bytes = buffer_len(&incoming_packet);
1235 1276
1236 if (length_ptr != NULL) 1277 if (length_ptr != NULL)
1237 *length_ptr = bytes; 1278 *length_ptr = bytes;
@@ -1524,3 +1565,15 @@ packet_set_rekey_limit(u_int32_t bytes)
1524{ 1565{
1525 rekey_limit = bytes; 1566 rekey_limit = bytes;
1526} 1567}
1568
1569void
1570packet_set_server(void)
1571{
1572 server_side = 1;
1573}
1574
1575void
1576packet_set_authenticated(void)
1577{
1578 after_authentication = 1;
1579}
diff --git a/packet.h b/packet.h
index 37f82f2f6..8c23646aa 100644
--- a/packet.h
+++ b/packet.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: packet.h,v 1.41 2004/05/11 19:01:43 deraadt Exp $ */ 1/* $OpenBSD: packet.h,v 1.43 2005/07/25 11:59:40 markus Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -30,6 +30,8 @@ u_int packet_get_protocol_flags(void);
30void packet_start_compression(int); 30void packet_start_compression(int);
31void packet_set_interactive(int); 31void packet_set_interactive(int);
32int packet_is_interactive(void); 32int packet_is_interactive(void);
33void packet_set_server(void);
34void packet_set_authenticated(void);
33 35
34void packet_start(u_char); 36void packet_start(u_char);
35void packet_put_char(int ch); 37void packet_put_char(int ch);
@@ -52,7 +54,7 @@ u_int packet_get_char(void);
52u_int packet_get_int(void); 54u_int packet_get_int(void);
53void packet_get_bignum(BIGNUM * value); 55void packet_get_bignum(BIGNUM * value);
54void packet_get_bignum2(BIGNUM * value); 56void packet_get_bignum2(BIGNUM * value);
55void *packet_get_raw(int *length_ptr); 57void *packet_get_raw(u_int *length_ptr);
56void *packet_get_string(u_int *length_ptr); 58void *packet_get_string(u_int *length_ptr);
57void packet_disconnect(const char *fmt,...) __attribute__((format(printf, 1, 2))); 59void packet_disconnect(const char *fmt,...) __attribute__((format(printf, 1, 2)));
58void packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2))); 60void packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2)));
diff --git a/progressmeter.c b/progressmeter.c
index 93f5a3e62..3cda09061 100644
--- a/progressmeter.c
+++ b/progressmeter.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: progressmeter.c,v 1.22 2004/07/11 17:48:47 deraadt Exp $"); 26RCSID("$OpenBSD: progressmeter.c,v 1.24 2005/06/07 13:25:23 jaredy Exp $");
27 27
28#include "progressmeter.h" 28#include "progressmeter.h"
29#include "atomicio.h" 29#include "atomicio.h"
@@ -42,6 +42,10 @@ static int can_output(void);
42static void format_size(char *, int, off_t); 42static void format_size(char *, int, off_t);
43static void format_rate(char *, int, off_t); 43static void format_rate(char *, int, off_t);
44 44
45/* window resizing */
46static void sig_winch(int);
47static void setscreensize(void);
48
45/* updates the progressmeter to reflect the current state of the transfer */ 49/* updates the progressmeter to reflect the current state of the transfer */
46void refresh_progress_meter(void); 50void refresh_progress_meter(void);
47 51
@@ -57,6 +61,7 @@ static volatile off_t *counter; /* progress counter */
57static long stalled; /* how long we have been stalled */ 61static long stalled; /* how long we have been stalled */
58static int bytes_per_second; /* current speed in bytes per second */ 62static int bytes_per_second; /* current speed in bytes per second */
59static int win_size; /* terminal window size */ 63static int win_size; /* terminal window size */
64static volatile sig_atomic_t win_resized; /* for window resizing */
60 65
61/* units for format_size */ 66/* units for format_size */
62static const char unit[] = " KMGT"; 67static const char unit[] = " KMGT";
@@ -147,6 +152,8 @@ refresh_progress_meter(void)
147 len = snprintf(buf, file_len + 1, "\r%s", file); 152 len = snprintf(buf, file_len + 1, "\r%s", file);
148 if (len < 0) 153 if (len < 0)
149 len = 0; 154 len = 0;
155 if (len >= file_len + 1)
156 len = file_len;
150 for (i = len; i < file_len; i++ ) 157 for (i = len; i < file_len; i++ )
151 buf[i] = ' '; 158 buf[i] = ' ';
152 buf[file_len] = '\0'; 159 buf[file_len] = '\0';
@@ -215,6 +222,10 @@ update_progress_meter(int ignore)
215 222
216 save_errno = errno; 223 save_errno = errno;
217 224
225 if (win_resized) {
226 setscreensize();
227 win_resized = 0;
228 }
218 if (can_output()) 229 if (can_output())
219 refresh_progress_meter(); 230 refresh_progress_meter();
220 231
@@ -226,8 +237,6 @@ update_progress_meter(int ignore)
226void 237void
227start_progress_meter(char *f, off_t filesize, off_t *ctr) 238start_progress_meter(char *f, off_t filesize, off_t *ctr)
228{ 239{
229 struct winsize winsize;
230
231 start = last_update = time(NULL); 240 start = last_update = time(NULL);
232 file = f; 241 file = f;
233 end_pos = filesize; 242 end_pos = filesize;
@@ -236,20 +245,12 @@ start_progress_meter(char *f, off_t filesize, off_t *ctr)
236 stalled = 0; 245 stalled = 0;
237 bytes_per_second = 0; 246 bytes_per_second = 0;
238 247
239 if (ioctl(STDOUT_FILENO, TIOCGWINSZ, &winsize) != -1 && 248 setscreensize();
240 winsize.ws_col != 0) {
241 if (winsize.ws_col > MAX_WINSIZE)
242 win_size = MAX_WINSIZE;
243 else
244 win_size = winsize.ws_col;
245 } else
246 win_size = DEFAULT_WINSIZE;
247 win_size += 1; /* trailing \0 */
248
249 if (can_output()) 249 if (can_output())
250 refresh_progress_meter(); 250 refresh_progress_meter();
251 251
252 signal(SIGALRM, update_progress_meter); 252 signal(SIGALRM, update_progress_meter);
253 signal(SIGWINCH, sig_winch);
253 alarm(UPDATE_INTERVAL); 254 alarm(UPDATE_INTERVAL);
254} 255}
255 256
@@ -267,3 +268,25 @@ stop_progress_meter(void)
267 268
268 atomicio(vwrite, STDOUT_FILENO, "\n", 1); 269 atomicio(vwrite, STDOUT_FILENO, "\n", 1);
269} 270}
271
272static void
273sig_winch(int sig)
274{
275 win_resized = 1;
276}
277
278static void
279setscreensize(void)
280{
281 struct winsize winsize;
282
283 if (ioctl(STDOUT_FILENO, TIOCGWINSZ, &winsize) != -1 &&
284 winsize.ws_col != 0) {
285 if (winsize.ws_col > MAX_WINSIZE)
286 win_size = MAX_WINSIZE;
287 else
288 win_size = winsize.ws_col;
289 } else
290 win_size = DEFAULT_WINSIZE;
291 win_size += 1; /* trailing \0 */
292}
diff --git a/readconf.c b/readconf.c
index 7173a8c23..345df9c25 100644
--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
12 */ 12 */
13 13
14#include "includes.h" 14#include "includes.h"
15RCSID("$OpenBSD: readconf.c,v 1.137 2005/03/04 08:48:06 djm Exp $"); 15RCSID("$OpenBSD: readconf.c,v 1.143 2005/07/30 02:03:47 djm Exp $");
16 16
17#include "ssh.h" 17#include "ssh.h"
18#include "xmalloc.h" 18#include "xmalloc.h"
@@ -105,6 +105,7 @@ typedef enum {
105 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 105 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
106 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 106 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
107 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 107 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
108 oGssTrustDns,
108 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 109 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
109 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, 110 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
110 oDeprecated, oUnsupported 111 oDeprecated, oUnsupported
@@ -140,9 +141,11 @@ static struct {
140#if defined(GSSAPI) 141#if defined(GSSAPI)
141 { "gssapiauthentication", oGssAuthentication }, 142 { "gssapiauthentication", oGssAuthentication },
142 { "gssapidelegatecredentials", oGssDelegateCreds }, 143 { "gssapidelegatecredentials", oGssDelegateCreds },
144 { "gssapitrustdns", oGssTrustDns },
143#else 145#else
144 { "gssapiauthentication", oUnsupported }, 146 { "gssapiauthentication", oUnsupported },
145 { "gssapidelegatecredentials", oUnsupported }, 147 { "gssapidelegatecredentials", oUnsupported },
148 { "gssapitrustdns", oUnsupported },
146#endif 149#endif
147 { "fallbacktorsh", oDeprecated }, 150 { "fallbacktorsh", oDeprecated },
148 { "usersh", oDeprecated }, 151 { "usersh", oDeprecated },
@@ -253,12 +256,14 @@ clear_forwardings(Options *options)
253 int i; 256 int i;
254 257
255 for (i = 0; i < options->num_local_forwards; i++) { 258 for (i = 0; i < options->num_local_forwards; i++) {
256 xfree(options->local_forwards[i].listen_host); 259 if (options->local_forwards[i].listen_host != NULL)
260 xfree(options->local_forwards[i].listen_host);
257 xfree(options->local_forwards[i].connect_host); 261 xfree(options->local_forwards[i].connect_host);
258 } 262 }
259 options->num_local_forwards = 0; 263 options->num_local_forwards = 0;
260 for (i = 0; i < options->num_remote_forwards; i++) { 264 for (i = 0; i < options->num_remote_forwards; i++) {
261 xfree(options->remote_forwards[i].listen_host); 265 if (options->remote_forwards[i].listen_host != NULL)
266 xfree(options->remote_forwards[i].listen_host);
262 xfree(options->remote_forwards[i].connect_host); 267 xfree(options->remote_forwards[i].connect_host);
263 } 268 }
264 options->num_remote_forwards = 0; 269 options->num_remote_forwards = 0;
@@ -299,7 +304,7 @@ process_config_line(Options *options, const char *host,
299 Forward fwd; 304 Forward fwd;
300 305
301 /* Strip trailing whitespace */ 306 /* Strip trailing whitespace */
302 for(len = strlen(line) - 1; len > 0; len--) { 307 for (len = strlen(line) - 1; len > 0; len--) {
303 if (strchr(WHITESPACE, line[len]) == NULL) 308 if (strchr(WHITESPACE, line[len]) == NULL)
304 break; 309 break;
305 line[len] = '\0'; 310 line[len] = '\0';
@@ -408,6 +413,10 @@ parse_flag:
408 intptr = &options->gss_deleg_creds; 413 intptr = &options->gss_deleg_creds;
409 goto parse_flag; 414 goto parse_flag;
410 415
416 case oGssTrustDns:
417 intptr = &options->gss_trust_dns;
418 goto parse_flag;
419
411 case oBatchMode: 420 case oBatchMode:
412 intptr = &options->batch_mode; 421 intptr = &options->batch_mode;
413 goto parse_flag; 422 goto parse_flag;
@@ -693,7 +702,7 @@ parse_int:
693 fwd.listen_host = cleanhostname(fwd.listen_host); 702 fwd.listen_host = cleanhostname(fwd.listen_host);
694 } else { 703 } else {
695 fwd.listen_port = a2port(fwd.listen_host); 704 fwd.listen_port = a2port(fwd.listen_host);
696 fwd.listen_host = ""; 705 fwd.listen_host = NULL;
697 } 706 }
698 if (fwd.listen_port == 0) 707 if (fwd.listen_port == 0)
699 fatal("%.200s line %d: Badly formatted port number.", 708 fatal("%.200s line %d: Badly formatted port number.",
@@ -741,6 +750,9 @@ parse_int:
741 750
742 case oAddressFamily: 751 case oAddressFamily:
743 arg = strdelim(&s); 752 arg = strdelim(&s);
753 if (!arg || *arg == '\0')
754 fatal("%s line %d: missing address family.",
755 filename, linenum);
744 intptr = &options->address_family; 756 intptr = &options->address_family;
745 if (strcasecmp(arg, "inet") == 0) 757 if (strcasecmp(arg, "inet") == 0)
746 value = AF_INET; 758 value = AF_INET;
@@ -791,7 +803,27 @@ parse_int:
791 803
792 case oControlMaster: 804 case oControlMaster:
793 intptr = &options->control_master; 805 intptr = &options->control_master;
794 goto parse_yesnoask; 806 arg = strdelim(&s);
807 if (!arg || *arg == '\0')
808 fatal("%.200s line %d: Missing ControlMaster argument.",
809 filename, linenum);
810 value = 0; /* To avoid compiler warning... */
811 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
812 value = SSHCTL_MASTER_YES;
813 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
814 value = SSHCTL_MASTER_NO;
815 else if (strcmp(arg, "auto") == 0)
816 value = SSHCTL_MASTER_AUTO;
817 else if (strcmp(arg, "ask") == 0)
818 value = SSHCTL_MASTER_ASK;
819 else if (strcmp(arg, "autoask") == 0)
820 value = SSHCTL_MASTER_AUTO_ASK;
821 else
822 fatal("%.200s line %d: Bad ControlMaster argument.",
823 filename, linenum);
824 if (*activep && *intptr == -1)
825 *intptr = value;
826 break;
795 827
796 case oHashKnownHosts: 828 case oHashKnownHosts:
797 intptr = &options->hash_known_hosts; 829 intptr = &options->hash_known_hosts;
@@ -814,7 +846,7 @@ parse_int:
814 /* Check that there is no garbage at end of line. */ 846 /* Check that there is no garbage at end of line. */
815 if ((arg = strdelim(&s)) != NULL && *arg != '\0') { 847 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
816 fatal("%.200s line %d: garbage at end of line; \"%.200s\".", 848 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
817 filename, linenum, arg); 849 filename, linenum, arg);
818 } 850 }
819 return 0; 851 return 0;
820} 852}
@@ -892,6 +924,7 @@ initialize_options(Options * options)
892 options->challenge_response_authentication = -1; 924 options->challenge_response_authentication = -1;
893 options->gss_authentication = -1; 925 options->gss_authentication = -1;
894 options->gss_deleg_creds = -1; 926 options->gss_deleg_creds = -1;
927 options->gss_trust_dns = -1;
895 options->password_authentication = -1; 928 options->password_authentication = -1;
896 options->kbd_interactive_authentication = -1; 929 options->kbd_interactive_authentication = -1;
897 options->kbd_interactive_devices = NULL; 930 options->kbd_interactive_devices = NULL;
@@ -975,6 +1008,8 @@ fill_default_options(Options * options)
975 options->gss_authentication = 0; 1008 options->gss_authentication = 0;
976 if (options->gss_deleg_creds == -1) 1009 if (options->gss_deleg_creds == -1)
977 options->gss_deleg_creds = 0; 1010 options->gss_deleg_creds = 0;
1011 if (options->gss_trust_dns == -1)
1012 options->gss_trust_dns = 0;
978 if (options->password_authentication == -1) 1013 if (options->password_authentication == -1)
979 options->password_authentication = 1; 1014 options->password_authentication = 1;
980 if (options->kbd_interactive_authentication == -1) 1015 if (options->kbd_interactive_authentication == -1)
diff --git a/readconf.h b/readconf.h
index de4b4cb27..b403c10ec 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: readconf.h,v 1.66 2005/03/01 10:40:27 djm Exp $ */ 1/* $OpenBSD: readconf.h,v 1.67 2005/06/08 11:25:09 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -46,6 +46,7 @@ typedef struct {
46 /* Try S/Key or TIS, authentication. */ 46 /* Try S/Key or TIS, authentication. */
47 int gss_authentication; /* Try GSS authentication */ 47 int gss_authentication; /* Try GSS authentication */
48 int gss_deleg_creds; /* Delegate GSS credentials */ 48 int gss_deleg_creds; /* Delegate GSS credentials */
49 int gss_trust_dns; /* Trust DNS for GSS canonicalization */
49 int password_authentication; /* Try password 50 int password_authentication; /* Try password
50 * authentication. */ 51 * authentication. */
51 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 52 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
@@ -116,6 +117,11 @@ typedef struct {
116 int hash_known_hosts; 117 int hash_known_hosts;
117} Options; 118} Options;
118 119
120#define SSHCTL_MASTER_NO 0
121#define SSHCTL_MASTER_YES 1
122#define SSHCTL_MASTER_AUTO 2
123#define SSHCTL_MASTER_ASK 3
124#define SSHCTL_MASTER_AUTO_ASK 4
119 125
120void initialize_options(Options *); 126void initialize_options(Options *);
121void fill_default_options(Options *); 127void fill_default_options(Options *);
diff --git a/readpass.c b/readpass.c
index c2bacdcd4..7914799a4 100644
--- a/readpass.c
+++ b/readpass.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: readpass.c,v 1.31 2004/10/29 22:53:56 djm Exp $"); 26RCSID("$OpenBSD: readpass.c,v 1.33 2005/05/02 21:13:22 markus Exp $");
27 27
28#include "xmalloc.h" 28#include "xmalloc.h"
29#include "misc.h" 29#include "misc.h"
@@ -106,15 +106,20 @@ read_passphrase(const char *prompt, int flags)
106 if (flags & RP_USE_ASKPASS) 106 if (flags & RP_USE_ASKPASS)
107 use_askpass = 1; 107 use_askpass = 1;
108 else if (flags & RP_ALLOW_STDIN) { 108 else if (flags & RP_ALLOW_STDIN) {
109 if (!isatty(STDIN_FILENO)) 109 if (!isatty(STDIN_FILENO)) {
110 debug("read_passphrase: stdin is not a tty");
110 use_askpass = 1; 111 use_askpass = 1;
112 }
111 } else { 113 } else {
112 rppflags |= RPP_REQUIRE_TTY; 114 rppflags |= RPP_REQUIRE_TTY;
113 ttyfd = open(_PATH_TTY, O_RDWR); 115 ttyfd = open(_PATH_TTY, O_RDWR);
114 if (ttyfd >= 0) 116 if (ttyfd >= 0)
115 close(ttyfd); 117 close(ttyfd);
116 else 118 else {
119 debug("read_passphrase: can't open %s: %s", _PATH_TTY,
120 strerror(errno));
117 use_askpass = 1; 121 use_askpass = 1;
122 }
118 } 123 }
119 124
120 if ((flags & RP_USE_ASKPASS) && getenv("DISPLAY") == NULL) 125 if ((flags & RP_USE_ASKPASS) && getenv("DISPLAY") == NULL)
diff --git a/regress/multiplex.sh b/regress/multiplex.sh
index e8cc1ac53..a172e5790 100644
--- a/regress/multiplex.sh
+++ b/regress/multiplex.sh
@@ -1,7 +1,7 @@
1# $OpenBSD: multiplex.sh,v 1.10 2005/02/27 11:33:30 dtucker Exp $ 1# $OpenBSD: multiplex.sh,v 1.10 2005/02/27 11:33:30 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4CTL=$OBJ/ctl-sock 4CTL=/tmp/openssh.regress.ctl-sock.$$
5 5
6tid="connection multiplexing" 6tid="connection multiplexing"
7 7
@@ -89,6 +89,4 @@ ${SSH} -S $CTL -Oexit otherhost || fail "send exit command failed"
89# Wait for master to exit 89# Wait for master to exit
90sleep 2 90sleep 2
91 91
92ps -p $MASTER_PID >/dev/null && fail "exit command failed" 92kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed"
93
94cleanup
diff --git a/regress/reexec.sh b/regress/reexec.sh
index d69b8c577..4f824a31d 100644
--- a/regress/reexec.sh
+++ b/regress/reexec.sh
@@ -3,10 +3,10 @@
3 3
4tid="reexec tests" 4tid="reexec tests"
5 5
6DATA=/bin/ls 6DATA=/bin/ls${EXEEXT}
7COPY=${OBJ}/copy 7COPY=${OBJ}/copy
8SSHD_ORIG=$SSHD 8SSHD_ORIG=$SSHD${EXEEXT}
9SSHD_COPY=$OBJ/sshd 9SSHD_COPY=$OBJ/sshd${EXEEXT}
10 10
11# Start a sshd and then delete it 11# Start a sshd and then delete it
12start_sshd_copy () 12start_sshd_copy ()
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 4e53449be..4b3a70eb3 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -96,9 +96,10 @@ if [ "x$TEST_SSH_SCP" != "x" ]; then
96fi 96fi
97 97
98# Path to sshd must be absolute for rexec 98# Path to sshd must be absolute for rexec
99if [ ! -x /$SSHD ]; then 99case "$SSHD" in
100 SSHD=`which sshd` 100/*) ;;
101fi 101*) SSHD=`which sshd` ;;
102esac
102 103
103if [ "x$TEST_SSH_LOGFILE" = "x" ]; then 104if [ "x$TEST_SSH_LOGFILE" = "x" ]; then
104 TEST_SSH_LOGFILE=/dev/null 105 TEST_SSH_LOGFILE=/dev/null
@@ -197,7 +198,7 @@ cat << EOF > $OBJ/sshd_config
197 #ListenAddress ::1 198 #ListenAddress ::1
198 PidFile $PIDFILE 199 PidFile $PIDFILE
199 AuthorizedKeysFile $OBJ/authorized_keys_%u 200 AuthorizedKeysFile $OBJ/authorized_keys_%u
200 LogLevel DEBUG 201 LogLevel VERBOSE
201 AcceptEnv _XXX_TEST_* 202 AcceptEnv _XXX_TEST_*
202 AcceptEnv _XXX_TEST 203 AcceptEnv _XXX_TEST
203 Subsystem sftp $SFTPSERVER 204 Subsystem sftp $SFTPSERVER
diff --git a/scp.0 b/scp.0
index f9368e71b..aa54dda3f 100644
--- a/scp.0
+++ b/scp.0
@@ -141,4 +141,4 @@ AUTHORS
141 Timo Rinne <tri@iki.fi> 141 Timo Rinne <tri@iki.fi>
142 Tatu Ylonen <ylo@cs.hut.fi> 142 Tatu Ylonen <ylo@cs.hut.fi>
143 143
144OpenBSD 3.6 September 25, 1999 3 144OpenBSD 3.8 September 25, 1999 3
diff --git a/scp.c b/scp.c
index f69fd05fc..1407aa71d 100644
--- a/scp.c
+++ b/scp.c
@@ -71,7 +71,7 @@
71 */ 71 */
72 72
73#include "includes.h" 73#include "includes.h"
74RCSID("$OpenBSD: scp.c,v 1.119 2005/01/24 10:22:06 dtucker Exp $"); 74RCSID("$OpenBSD: scp.c,v 1.125 2005/07/27 10:39:03 dtucker Exp $");
75 75
76#include "xmalloc.h" 76#include "xmalloc.h"
77#include "atomicio.h" 77#include "atomicio.h"
@@ -109,11 +109,13 @@ static void
109killchild(int signo) 109killchild(int signo)
110{ 110{
111 if (do_cmd_pid > 1) { 111 if (do_cmd_pid > 1) {
112 kill(do_cmd_pid, signo); 112 kill(do_cmd_pid, signo ? signo : SIGTERM);
113 waitpid(do_cmd_pid, NULL, 0); 113 waitpid(do_cmd_pid, NULL, 0);
114 } 114 }
115 115
116 _exit(1); 116 if (signo)
117 _exit(1);
118 exit(1);
117} 119}
118 120
119/* 121/*
@@ -184,7 +186,7 @@ do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc)
184} 186}
185 187
186typedef struct { 188typedef struct {
187 int cnt; 189 size_t cnt;
188 char *buf; 190 char *buf;
189} BUF; 191} BUF;
190 192
@@ -361,20 +363,21 @@ void
361toremote(char *targ, int argc, char **argv) 363toremote(char *targ, int argc, char **argv)
362{ 364{
363 int i, len; 365 int i, len;
364 char *bp, *host, *src, *suser, *thost, *tuser; 366 char *bp, *host, *src, *suser, *thost, *tuser, *arg;
365 367
366 *targ++ = 0; 368 *targ++ = 0;
367 if (*targ == 0) 369 if (*targ == 0)
368 targ = "."; 370 targ = ".";
369 371
370 if ((thost = strrchr(argv[argc - 1], '@'))) { 372 arg = xstrdup(argv[argc - 1]);
373 if ((thost = strrchr(arg, '@'))) {
371 /* user@host */ 374 /* user@host */
372 *thost++ = 0; 375 *thost++ = 0;
373 tuser = argv[argc - 1]; 376 tuser = arg;
374 if (*tuser == '\0') 377 if (*tuser == '\0')
375 tuser = NULL; 378 tuser = NULL;
376 } else { 379 } else {
377 thost = argv[argc - 1]; 380 thost = arg;
378 tuser = NULL; 381 tuser = NULL;
379 } 382 }
380 383
@@ -501,8 +504,9 @@ source(int argc, char **argv)
501 struct stat stb; 504 struct stat stb;
502 static BUF buffer; 505 static BUF buffer;
503 BUF *bp; 506 BUF *bp;
504 off_t i, amt, result, statbytes; 507 off_t i, amt, statbytes;
505 int fd, haderr, indx; 508 size_t result;
509 int fd = -1, haderr, indx;
506 char *last, *name, buf[2048]; 510 char *last, *name, buf[2048];
507 int len; 511 int len;
508 512
@@ -577,14 +581,14 @@ next: (void) close(fd);
577 if (!haderr) { 581 if (!haderr) {
578 result = atomicio(read, fd, bp->buf, amt); 582 result = atomicio(read, fd, bp->buf, amt);
579 if (result != amt) 583 if (result != amt)
580 haderr = result >= 0 ? EIO : errno; 584 haderr = errno;
581 } 585 }
582 if (haderr) 586 if (haderr)
583 (void) atomicio(vwrite, remout, bp->buf, amt); 587 (void) atomicio(vwrite, remout, bp->buf, amt);
584 else { 588 else {
585 result = atomicio(vwrite, remout, bp->buf, amt); 589 result = atomicio(vwrite, remout, bp->buf, amt);
586 if (result != amt) 590 if (result != amt)
587 haderr = result >= 0 ? EIO : errno; 591 haderr = errno;
588 statbytes += result; 592 statbytes += result;
589 } 593 }
590 if (limit_rate) 594 if (limit_rate)
@@ -719,8 +723,9 @@ sink(int argc, char **argv)
719 YES, NO, DISPLAYED 723 YES, NO, DISPLAYED
720 } wrerr; 724 } wrerr;
721 BUF *bp; 725 BUF *bp;
722 off_t i, j; 726 off_t i;
723 int amt, count, exists, first, mask, mode, ofd, omode; 727 size_t j, count;
728 int amt, exists, first, mask, mode, ofd, omode;
724 off_t size, statbytes; 729 off_t size, statbytes;
725 int setimes, targisdir, wrerrno = 0; 730 int setimes, targisdir, wrerrno = 0;
726 char ch, *cp, *np, *targ, *why, *vect[1], buf[2048]; 731 char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
@@ -747,7 +752,7 @@ sink(int argc, char **argv)
747 targisdir = 1; 752 targisdir = 1;
748 for (first = 1;; first = 0) { 753 for (first = 1;; first = 0) {
749 cp = buf; 754 cp = buf;
750 if (atomicio(read, remin, cp, 1) <= 0) 755 if (atomicio(read, remin, cp, 1) != 1)
751 return; 756 return;
752 if (*cp++ == '\n') 757 if (*cp++ == '\n')
753 SCREWUP("unexpected <newline>"); 758 SCREWUP("unexpected <newline>");
@@ -828,7 +833,7 @@ sink(int argc, char **argv)
828 } 833 }
829 if (targisdir) { 834 if (targisdir) {
830 static char *namebuf; 835 static char *namebuf;
831 static int cursize; 836 static size_t cursize;
832 size_t need; 837 size_t need;
833 838
834 need = strlen(targ) + strlen(cp) + 250; 839 need = strlen(targ) + strlen(cp) + 250;
@@ -901,7 +906,7 @@ bad: run_err("%s: %s", np, strerror(errno));
901 count += amt; 906 count += amt;
902 do { 907 do {
903 j = atomicio(read, remin, cp, amt); 908 j = atomicio(read, remin, cp, amt);
904 if (j <= 0) { 909 if (j == 0) {
905 run_err("%s", j ? strerror(errno) : 910 run_err("%s", j ? strerror(errno) :
906 "dropped connection"); 911 "dropped connection");
907 exit(1); 912 exit(1);
@@ -917,10 +922,10 @@ bad: run_err("%s: %s", np, strerror(errno));
917 if (count == bp->cnt) { 922 if (count == bp->cnt) {
918 /* Keep reading so we stay sync'd up. */ 923 /* Keep reading so we stay sync'd up. */
919 if (wrerr == NO) { 924 if (wrerr == NO) {
920 j = atomicio(vwrite, ofd, bp->buf, count); 925 if (atomicio(vwrite, ofd, bp->buf,
921 if (j != count) { 926 count) != count) {
922 wrerr = YES; 927 wrerr = YES;
923 wrerrno = j >= 0 ? EIO : errno; 928 wrerrno = errno;
924 } 929 }
925 } 930 }
926 count = 0; 931 count = 0;
@@ -930,9 +935,9 @@ bad: run_err("%s: %s", np, strerror(errno));
930 if (showprogress) 935 if (showprogress)
931 stop_progress_meter(); 936 stop_progress_meter();
932 if (count != 0 && wrerr == NO && 937 if (count != 0 && wrerr == NO &&
933 (j = atomicio(vwrite, ofd, bp->buf, count)) != count) { 938 atomicio(vwrite, ofd, bp->buf, count) != count) {
934 wrerr = YES; 939 wrerr = YES;
935 wrerrno = j >= 0 ? EIO : errno; 940 wrerrno = errno;
936 } 941 }
937 if (wrerr == NO && ftruncate(ofd, size) != 0) { 942 if (wrerr == NO && ftruncate(ofd, size) != 0) {
938 run_err("%s: truncate: %s", np, strerror(errno)); 943 run_err("%s: truncate: %s", np, strerror(errno));
@@ -1069,7 +1074,7 @@ verifydir(char *cp)
1069 errno = ENOTDIR; 1074 errno = ENOTDIR;
1070 } 1075 }
1071 run_err("%s: %s", cp, strerror(errno)); 1076 run_err("%s: %s", cp, strerror(errno));
1072 exit(1); 1077 killchild(0);
1073} 1078}
1074 1079
1075int 1080int
diff --git a/servconf.c b/servconf.c
index 2d1a0c362..becd5b7c5 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
10 */ 10 */
11 11
12#include "includes.h" 12#include "includes.h"
13RCSID("$OpenBSD: servconf.c,v 1.139 2005/03/01 10:09:52 djm Exp $"); 13RCSID("$OpenBSD: servconf.c,v 1.144 2005/08/06 10:03:12 dtucker Exp $");
14 14
15#include "ssh.h" 15#include "ssh.h"
16#include "log.h" 16#include "log.h"
@@ -72,6 +72,7 @@ initialize_server_options(ServerOptions *options)
72 options->kerberos_ticket_cleanup = -1; 72 options->kerberos_ticket_cleanup = -1;
73 options->kerberos_get_afs_token = -1; 73 options->kerberos_get_afs_token = -1;
74 options->gss_authentication=-1; 74 options->gss_authentication=-1;
75 options->gss_keyex = -1;
75 options->gss_cleanup_creds = -1; 76 options->gss_cleanup_creds = -1;
76 options->password_authentication = -1; 77 options->password_authentication = -1;
77 options->kbd_interactive_authentication = -1; 78 options->kbd_interactive_authentication = -1;
@@ -186,6 +187,8 @@ fill_default_server_options(ServerOptions *options)
186 options->kerberos_get_afs_token = 0; 187 options->kerberos_get_afs_token = 0;
187 if (options->gss_authentication == -1) 188 if (options->gss_authentication == -1)
188 options->gss_authentication = 0; 189 options->gss_authentication = 0;
190 if (options->gss_keyex == -1)
191 options->gss_keyex = 0;
189 if (options->gss_cleanup_creds == -1) 192 if (options->gss_cleanup_creds == -1)
190 options->gss_cleanup_creds = 1; 193 options->gss_cleanup_creds = 1;
191 if (options->password_authentication == -1) 194 if (options->password_authentication == -1)
@@ -201,7 +204,7 @@ fill_default_server_options(ServerOptions *options)
201 if (options->use_login == -1) 204 if (options->use_login == -1)
202 options->use_login = 0; 205 options->use_login = 0;
203 if (options->compression == -1) 206 if (options->compression == -1)
204 options->compression = 1; 207 options->compression = COMP_DELAYED;
205 if (options->allow_tcp_forwarding == -1) 208 if (options->allow_tcp_forwarding == -1)
206 options->allow_tcp_forwarding = 1; 209 options->allow_tcp_forwarding = 1;
207 if (options->gateway_ports == -1) 210 if (options->gateway_ports == -1)
@@ -270,7 +273,7 @@ typedef enum {
270 sBanner, sUseDNS, sHostbasedAuthentication, 273 sBanner, sUseDNS, sHostbasedAuthentication,
271 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 274 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
272 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, 275 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
273 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, 276 sGssAuthentication, sGssKeyEx, sGssCleanupCreds, sAcceptEnv,
274 sUsePrivilegeSeparation, 277 sUsePrivilegeSeparation,
275 sDeprecated, sUnsupported 278 sDeprecated, sUnsupported
276} ServerOpCodes; 279} ServerOpCodes;
@@ -324,9 +327,11 @@ static struct {
324 { "afstokenpassing", sUnsupported }, 327 { "afstokenpassing", sUnsupported },
325#ifdef GSSAPI 328#ifdef GSSAPI
326 { "gssapiauthentication", sGssAuthentication }, 329 { "gssapiauthentication", sGssAuthentication },
330 { "gssapikeyexchange", sGssKeyEx },
327 { "gssapicleanupcredentials", sGssCleanupCreds }, 331 { "gssapicleanupcredentials", sGssCleanupCreds },
328#else 332#else
329 { "gssapiauthentication", sUnsupported }, 333 { "gssapiauthentication", sUnsupported },
334 { "gssapikeyexchange", sUnsupported },
330 { "gssapicleanupcredentials", sUnsupported }, 335 { "gssapicleanupcredentials", sUnsupported },
331#endif 336#endif
332 { "passwordauthentication", sPasswordAuthentication }, 337 { "passwordauthentication", sPasswordAuthentication },
@@ -398,7 +403,7 @@ parse_token(const char *cp, const char *filename,
398static void 403static void
399add_listen_addr(ServerOptions *options, char *addr, u_short port) 404add_listen_addr(ServerOptions *options, char *addr, u_short port)
400{ 405{
401 int i; 406 u_int i;
402 407
403 if (options->num_ports == 0) 408 if (options->num_ports == 0)
404 options->ports[options->num_ports++] = SSH_DEFAULT_PORT; 409 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
@@ -438,9 +443,10 @@ process_server_config_line(ServerOptions *options, char *line,
438 const char *filename, int linenum) 443 const char *filename, int linenum)
439{ 444{
440 char *cp, **charptr, *arg, *p; 445 char *cp, **charptr, *arg, *p;
441 int *intptr, value, i, n; 446 int *intptr, value, n;
442 ServerOpCodes opcode; 447 ServerOpCodes opcode;
443 u_short port; 448 u_short port;
449 u_int i;
444 450
445 cp = line; 451 cp = line;
446 arg = strdelim(&cp); 452 arg = strdelim(&cp);
@@ -516,6 +522,12 @@ parse_time:
516 if (arg == NULL || *arg == '\0') 522 if (arg == NULL || *arg == '\0')
517 fatal("%s line %d: missing address", 523 fatal("%s line %d: missing address",
518 filename, linenum); 524 filename, linenum);
525 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
526 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
527 && strchr(p+1, ':') != NULL) {
528 add_listen_addr(options, arg, 0);
529 break;
530 }
519 p = hpdelim(&arg); 531 p = hpdelim(&arg);
520 if (p == NULL) 532 if (p == NULL)
521 fatal("%s line %d: bad address:port usage", 533 fatal("%s line %d: bad address:port usage",
@@ -532,6 +544,9 @@ parse_time:
532 544
533 case sAddressFamily: 545 case sAddressFamily:
534 arg = strdelim(&cp); 546 arg = strdelim(&cp);
547 if (!arg || *arg == '\0')
548 fatal("%s line %d: missing address family.",
549 filename, linenum);
535 intptr = &options->address_family; 550 intptr = &options->address_family;
536 if (options->listen_addrs != NULL) 551 if (options->listen_addrs != NULL)
537 fatal("%s line %d: address family must be specified before " 552 fatal("%s line %d: address family must be specified before "
@@ -659,6 +674,10 @@ parse_flag:
659 intptr = &options->gss_authentication; 674 intptr = &options->gss_authentication;
660 goto parse_flag; 675 goto parse_flag;
661 676
677 case sGssKeyEx:
678 intptr = &options->gss_keyex;
679 goto parse_flag;
680
662 case sGssCleanupCreds: 681 case sGssCleanupCreds:
663 intptr = &options->gss_cleanup_creds; 682 intptr = &options->gss_cleanup_creds;
664 goto parse_flag; 683 goto parse_flag;
@@ -721,7 +740,23 @@ parse_flag:
721 740
722 case sCompression: 741 case sCompression:
723 intptr = &options->compression; 742 intptr = &options->compression;
724 goto parse_flag; 743 arg = strdelim(&cp);
744 if (!arg || *arg == '\0')
745 fatal("%s line %d: missing yes/no/delayed "
746 "argument.", filename, linenum);
747 value = 0; /* silence compiler */
748 if (strcmp(arg, "delayed") == 0)
749 value = COMP_DELAYED;
750 else if (strcmp(arg, "yes") == 0)
751 value = COMP_ZLIB;
752 else if (strcmp(arg, "no") == 0)
753 value = COMP_NONE;
754 else
755 fatal("%s line %d: Bad yes/no/delayed "
756 "argument: %s", filename, linenum, arg);
757 if (*intptr == -1)
758 *intptr = value;
759 break;
725 760
726 case sGatewayPorts: 761 case sGatewayPorts:
727 intptr = &options->gateway_ports; 762 intptr = &options->gateway_ports;
@@ -1001,7 +1036,7 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
1001 1036
1002 obuf = cbuf = xstrdup(buffer_ptr(conf)); 1037 obuf = cbuf = xstrdup(buffer_ptr(conf));
1003 linenum = 1; 1038 linenum = 1;
1004 while((cp = strsep(&cbuf, "\n")) != NULL) { 1039 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1005 if (process_server_config_line(options, cp, filename, 1040 if (process_server_config_line(options, cp, filename,
1006 linenum++) != 0) 1041 linenum++) != 0)
1007 bad_options++; 1042 bad_options++;
diff --git a/servconf.h b/servconf.h
index f7e56d521..3e4e07e08 100644
--- a/servconf.h
+++ b/servconf.h
@@ -88,6 +88,7 @@ typedef struct {
88 int kerberos_get_afs_token; /* If true, try to get AFS token if 88 int kerberos_get_afs_token; /* If true, try to get AFS token if
89 * authenticated with Kerberos. */ 89 * authenticated with Kerberos. */
90 int gss_authentication; /* If true, permit GSSAPI authentication */ 90 int gss_authentication; /* If true, permit GSSAPI authentication */
91 int gss_keyex; /* If true, permit GSSAPI key exchange */
91 int gss_cleanup_creds; /* If true, destroy cred cache on logout */ 92 int gss_cleanup_creds; /* If true, destroy cred cache on logout */
92 int password_authentication; /* If true, permit password 93 int password_authentication; /* If true, permit password
93 * authentication. */ 94 * authentication. */
diff --git a/serverloop.c b/serverloop.c
index eee1e7959..d2eff170a 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -35,7 +35,7 @@
35 */ 35 */
36 36
37#include "includes.h" 37#include "includes.h"
38RCSID("$OpenBSD: serverloop.c,v 1.117 2004/08/11 21:43:05 avsm Exp $"); 38RCSID("$OpenBSD: serverloop.c,v 1.118 2005/07/17 07:17:55 djm Exp $");
39 39
40#include "xmalloc.h" 40#include "xmalloc.h"
41#include "packet.h" 41#include "packet.h"
@@ -865,7 +865,7 @@ server_request_direct_tcpip(void)
865 packet_check_eom(); 865 packet_check_eom();
866 866
867 debug("server_request_direct_tcpip: originator %s port %d, target %s port %d", 867 debug("server_request_direct_tcpip: originator %s port %d, target %s port %d",
868 originator, originator_port, target, target_port); 868 originator, originator_port, target, target_port);
869 869
870 /* XXX check permission */ 870 /* XXX check permission */
871 sock = channel_connect_to(target, target_port); 871 sock = channel_connect_to(target, target_port);
@@ -983,7 +983,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
983#ifndef NO_IPPORT_RESERVED_CONCEPT 983#ifndef NO_IPPORT_RESERVED_CONCEPT
984 || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0) 984 || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)
985#endif 985#endif
986 ) { 986 ) {
987 success = 0; 987 success = 0;
988 packet_send_debug("Server has disabled port forwarding."); 988 packet_send_debug("Server has disabled port forwarding.");
989 } else { 989 } else {
diff --git a/session.c b/session.c
index b32c9e2ca..db8722f47 100644
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
33 */ 33 */
34 34
35#include "includes.h" 35#include "includes.h"
36RCSID("$OpenBSD: session.c,v 1.181 2004/12/23 17:35:48 markus Exp $"); 36RCSID("$OpenBSD: session.c,v 1.186 2005/07/25 11:59:40 markus Exp $");
37 37
38#include "ssh.h" 38#include "ssh.h"
39#include "ssh1.h" 39#include "ssh1.h"
@@ -56,6 +56,7 @@ RCSID("$OpenBSD: session.c,v 1.181 2004/12/23 17:35:48 markus Exp $");
56#include "serverloop.h" 56#include "serverloop.h"
57#include "canohost.h" 57#include "canohost.h"
58#include "session.h" 58#include "session.h"
59#include "kex.h"
59#include "monitor_wrap.h" 60#include "monitor_wrap.h"
60 61
61#if defined(KRB5) && defined(USE_AFS) 62#if defined(KRB5) && defined(USE_AFS)
@@ -196,11 +197,11 @@ auth_input_request_forwarding(struct passwd * pw)
196static void 197static void
197display_loginmsg(void) 198display_loginmsg(void)
198{ 199{
199 if (buffer_len(&loginmsg) > 0) { 200 if (buffer_len(&loginmsg) > 0) {
200 buffer_append(&loginmsg, "\0", 1); 201 buffer_append(&loginmsg, "\0", 1);
201 printf("%s", (char *)buffer_ptr(&loginmsg)); 202 printf("%s", (char *)buffer_ptr(&loginmsg));
202 buffer_clear(&loginmsg); 203 buffer_clear(&loginmsg);
203 } 204 }
204} 205}
205 206
206void 207void
@@ -272,7 +273,7 @@ do_authenticated1(Authctxt *authctxt)
272 compression_level); 273 compression_level);
273 break; 274 break;
274 } 275 }
275 if (!options.compression) { 276 if (options.compression == COMP_NONE) {
276 debug2("compression disabled"); 277 debug2("compression disabled");
277 break; 278 break;
278 } 279 }
@@ -946,7 +947,8 @@ read_etc_default_login(char ***env, u_int *envsize, uid_t uid)
946} 947}
947#endif /* HAVE_ETC_DEFAULT_LOGIN */ 948#endif /* HAVE_ETC_DEFAULT_LOGIN */
948 949
949void copy_environment(char **source, char ***env, u_int *envsize) 950void
951copy_environment(char **source, char ***env, u_int *envsize)
950{ 952{
951 char *var_name, *var_val; 953 char *var_name, *var_val;
952 int i; 954 int i;
@@ -1332,6 +1334,11 @@ do_setusercontext(struct passwd *pw)
1332# ifdef _AIX 1334# ifdef _AIX
1333 aix_usrinfo(pw); 1335 aix_usrinfo(pw);
1334# endif /* _AIX */ 1336# endif /* _AIX */
1337#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
1338 if (set_id(pw->pw_name) != 0) {
1339 exit(1);
1340 }
1341#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
1335 /* Permanently switch to the desired uid. */ 1342 /* Permanently switch to the desired uid. */
1336 permanently_set_uid(pw); 1343 permanently_set_uid(pw);
1337#endif 1344#endif
@@ -1477,7 +1484,8 @@ do_child(Session *s, const char *command)
1477 } 1484 }
1478 1485
1479#ifdef USE_PAM 1486#ifdef USE_PAM
1480 if (options.use_pam && !is_pam_session_open()) { 1487 if (options.use_pam && !options.use_login && !is_pam_session_open()) {
1488 debug3("PAM session not opened, exiting");
1481 display_loginmsg(); 1489 display_loginmsg();
1482 exit(254); 1490 exit(254);
1483 } 1491 }
@@ -1528,7 +1536,7 @@ do_child(Session *s, const char *command)
1528 */ 1536 */
1529 1537
1530 if (options.kerberos_get_afs_token && k_hasafs() && 1538 if (options.kerberos_get_afs_token && k_hasafs() &&
1531 (s->authctxt->krb5_ctx != NULL)) { 1539 (s->authctxt->krb5_ctx != NULL)) {
1532 char cell[64]; 1540 char cell[64];
1533 1541
1534 debug("Getting AFS token"); 1542 debug("Getting AFS token");
@@ -1632,6 +1640,7 @@ session_new(void)
1632 s->ttyfd = -1; 1640 s->ttyfd = -1;
1633 s->used = 1; 1641 s->used = 1;
1634 s->self = i; 1642 s->self = i;
1643 s->x11_chanids = NULL;
1635 debug("session_new: session %d", i); 1644 debug("session_new: session %d", i);
1636 return s; 1645 return s;
1637 } 1646 }
@@ -1705,6 +1714,29 @@ session_by_channel(int id)
1705} 1714}
1706 1715
1707static Session * 1716static Session *
1717session_by_x11_channel(int id)
1718{
1719 int i, j;
1720
1721 for (i = 0; i < MAX_SESSIONS; i++) {
1722 Session *s = &sessions[i];
1723
1724 if (s->x11_chanids == NULL || !s->used)
1725 continue;
1726 for (j = 0; s->x11_chanids[j] != -1; j++) {
1727 if (s->x11_chanids[j] == id) {
1728 debug("session_by_x11_channel: session %d "
1729 "channel %d", s->self, id);
1730 return s;
1731 }
1732 }
1733 }
1734 debug("session_by_x11_channel: unknown channel %d", id);
1735 session_dump();
1736 return NULL;
1737}
1738
1739static Session *
1708session_by_pid(pid_t pid) 1740session_by_pid(pid_t pid)
1709{ 1741{
1710 int i; 1742 int i;
@@ -1799,7 +1831,7 @@ session_subsystem_req(Session *s)
1799 u_int len; 1831 u_int len;
1800 int success = 0; 1832 int success = 0;
1801 char *cmd, *subsys = packet_get_string(&len); 1833 char *cmd, *subsys = packet_get_string(&len);
1802 int i; 1834 u_int i;
1803 1835
1804 packet_check_eom(); 1836 packet_check_eom();
1805 logit("subsystem request for %.100s", subsys); 1837 logit("subsystem request for %.100s", subsys);
@@ -1833,6 +1865,11 @@ session_x11_req(Session *s)
1833{ 1865{
1834 int success; 1866 int success;
1835 1867
1868 if (s->auth_proto != NULL || s->auth_data != NULL) {
1869 error("session_x11_req: session %d: "
1870 "x11 fowarding already active", s->self);
1871 return 0;
1872 }
1836 s->single_connection = packet_get_char(); 1873 s->single_connection = packet_get_char();
1837 s->auth_proto = packet_get_string(NULL); 1874 s->auth_proto = packet_get_string(NULL);
1838 s->auth_data = packet_get_string(NULL); 1875 s->auth_data = packet_get_string(NULL);
@@ -2058,9 +2095,66 @@ sig2name(int sig)
2058} 2095}
2059 2096
2060static void 2097static void
2098session_close_x11(int id)
2099{
2100 Channel *c;
2101
2102 if ((c = channel_lookup(id)) == NULL) {
2103 debug("session_close_x11: x11 channel %d missing", id);
2104 } else {
2105 /* Detach X11 listener */
2106 debug("session_close_x11: detach x11 channel %d", id);
2107 channel_cancel_cleanup(id);
2108 if (c->ostate != CHAN_OUTPUT_CLOSED)
2109 chan_mark_dead(c);
2110 }
2111}
2112
2113static void
2114session_close_single_x11(int id, void *arg)
2115{
2116 Session *s;
2117 u_int i;
2118
2119 debug3("session_close_single_x11: channel %d", id);
2120 channel_cancel_cleanup(id);
2121 if ((s = session_by_x11_channel(id)) == NULL)
2122 fatal("session_close_single_x11: no x11 channel %d", id);
2123 for (i = 0; s->x11_chanids[i] != -1; i++) {
2124 debug("session_close_single_x11: session %d: "
2125 "closing channel %d", s->self, s->x11_chanids[i]);
2126 /*
2127 * The channel "id" is already closing, but make sure we
2128 * close all of its siblings.
2129 */
2130 if (s->x11_chanids[i] != id)
2131 session_close_x11(s->x11_chanids[i]);
2132 }
2133 xfree(s->x11_chanids);
2134 s->x11_chanids = NULL;
2135 if (s->display) {
2136 xfree(s->display);
2137 s->display = NULL;
2138 }
2139 if (s->auth_proto) {
2140 xfree(s->auth_proto);
2141 s->auth_proto = NULL;
2142 }
2143 if (s->auth_data) {
2144 xfree(s->auth_data);
2145 s->auth_data = NULL;
2146 }
2147 if (s->auth_display) {
2148 xfree(s->auth_display);
2149 s->auth_display = NULL;
2150 }
2151}
2152
2153static void
2061session_exit_message(Session *s, int status) 2154session_exit_message(Session *s, int status)
2062{ 2155{
2063 Channel *c; 2156 Channel *c;
2157 u_int i;
2064 2158
2065 if ((c = channel_lookup(s->chanid)) == NULL) 2159 if ((c = channel_lookup(s->chanid)) == NULL)
2066 fatal("session_exit_message: session %d: no channel %d", 2160 fatal("session_exit_message: session %d: no channel %d",
@@ -2100,12 +2194,20 @@ session_exit_message(Session *s, int status)
2100 if (c->ostate != CHAN_OUTPUT_CLOSED) 2194 if (c->ostate != CHAN_OUTPUT_CLOSED)
2101 chan_write_failed(c); 2195 chan_write_failed(c);
2102 s->chanid = -1; 2196 s->chanid = -1;
2197
2198 /* Close any X11 listeners associated with this session */
2199 if (s->x11_chanids != NULL) {
2200 for (i = 0; s->x11_chanids[i] != -1; i++) {
2201 session_close_x11(s->x11_chanids[i]);
2202 s->x11_chanids[i] = -1;
2203 }
2204 }
2103} 2205}
2104 2206
2105void 2207void
2106session_close(Session *s) 2208session_close(Session *s)
2107{ 2209{
2108 int i; 2210 u_int i;
2109 2211
2110 debug("session_close: session %d pid %ld", s->self, (long)s->pid); 2212 debug("session_close: session %d pid %ld", s->self, (long)s->pid);
2111 if (s->ttyfd != -1) 2213 if (s->ttyfd != -1)
@@ -2114,6 +2216,8 @@ session_close(Session *s)
2114 xfree(s->term); 2216 xfree(s->term);
2115 if (s->display) 2217 if (s->display)
2116 xfree(s->display); 2218 xfree(s->display);
2219 if (s->x11_chanids)
2220 xfree(s->x11_chanids);
2117 if (s->auth_display) 2221 if (s->auth_display)
2118 xfree(s->auth_display); 2222 xfree(s->auth_display);
2119 if (s->auth_data) 2223 if (s->auth_data)
@@ -2152,6 +2256,7 @@ void
2152session_close_by_channel(int id, void *arg) 2256session_close_by_channel(int id, void *arg)
2153{ 2257{
2154 Session *s = session_by_channel(id); 2258 Session *s = session_by_channel(id);
2259
2155 if (s == NULL) { 2260 if (s == NULL) {
2156 debug("session_close_by_channel: no session for id %d", id); 2261 debug("session_close_by_channel: no session for id %d", id);
2157 return; 2262 return;
@@ -2232,6 +2337,7 @@ session_setup_x11fwd(Session *s)
2232 struct stat st; 2337 struct stat st;
2233 char display[512], auth_display[512]; 2338 char display[512], auth_display[512];
2234 char hostname[MAXHOSTNAMELEN]; 2339 char hostname[MAXHOSTNAMELEN];
2340 u_int i;
2235 2341
2236 if (no_x11_forwarding_flag) { 2342 if (no_x11_forwarding_flag) {
2237 packet_send_debug("X11 forwarding disabled in user configuration file."); 2343 packet_send_debug("X11 forwarding disabled in user configuration file.");
@@ -2257,10 +2363,14 @@ session_setup_x11fwd(Session *s)
2257 } 2363 }
2258 if (x11_create_display_inet(options.x11_display_offset, 2364 if (x11_create_display_inet(options.x11_display_offset,
2259 options.x11_use_localhost, s->single_connection, 2365 options.x11_use_localhost, s->single_connection,
2260 &s->display_number) == -1) { 2366 &s->display_number, &s->x11_chanids) == -1) {
2261 debug("x11_create_display_inet failed."); 2367 debug("x11_create_display_inet failed.");
2262 return 0; 2368 return 0;
2263 } 2369 }
2370 for (i = 0; s->x11_chanids[i] != -1; i++) {
2371 channel_register_cleanup(s->x11_chanids[i],
2372 session_close_single_x11);
2373 }
2264 2374
2265 /* Set up a suitable value for the DISPLAY variable. */ 2375 /* Set up a suitable value for the DISPLAY variable. */
2266 if (gethostname(hostname, sizeof(hostname)) < 0) 2376 if (gethostname(hostname, sizeof(hostname)) < 0)
diff --git a/session.h b/session.h
index 48be5070c..a2598a99c 100644
--- a/session.h
+++ b/session.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: session.h,v 1.23 2004/07/17 05:31:41 dtucker Exp $ */ 1/* $OpenBSD: session.h,v 1.25 2005/07/17 06:49:04 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -49,8 +49,9 @@ struct Session {
49 int single_connection; 49 int single_connection;
50 /* proto 2 */ 50 /* proto 2 */
51 int chanid; 51 int chanid;
52 int *x11_chanids;
52 int is_subsystem; 53 int is_subsystem;
53 int num_env; 54 u_int num_env;
54 struct { 55 struct {
55 char *name; 56 char *name;
56 char *val; 57 char *val;
diff --git a/sftp-client.c b/sftp-client.c
index d894a11f2..afbd1e6f3 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -20,7 +20,7 @@
20/* XXX: copy between two remote sites */ 20/* XXX: copy between two remote sites */
21 21
22#include "includes.h" 22#include "includes.h"
23RCSID("$OpenBSD: sftp-client.c,v 1.52 2004/11/25 22:22:14 markus Exp $"); 23RCSID("$OpenBSD: sftp-client.c,v 1.57 2005/07/27 10:39:03 dtucker Exp $");
24 24
25#include "openbsd-compat/sys-queue.h" 25#include "openbsd-compat/sys-queue.h"
26 26
@@ -64,10 +64,10 @@ send_msg(int fd, Buffer *m)
64 64
65 /* Send length first */ 65 /* Send length first */
66 PUT_32BIT(mlen, buffer_len(m)); 66 PUT_32BIT(mlen, buffer_len(m));
67 if (atomicio(vwrite, fd, mlen, sizeof(mlen)) <= 0) 67 if (atomicio(vwrite, fd, mlen, sizeof(mlen)) != sizeof(mlen))
68 fatal("Couldn't send packet: %s", strerror(errno)); 68 fatal("Couldn't send packet: %s", strerror(errno));
69 69
70 if (atomicio(vwrite, fd, buffer_ptr(m), buffer_len(m)) <= 0) 70 if (atomicio(vwrite, fd, buffer_ptr(m), buffer_len(m)) != buffer_len(m))
71 fatal("Couldn't send packet: %s", strerror(errno)); 71 fatal("Couldn't send packet: %s", strerror(errno));
72 72
73 buffer_clear(m); 73 buffer_clear(m);
@@ -76,26 +76,27 @@ send_msg(int fd, Buffer *m)
76static void 76static void
77get_msg(int fd, Buffer *m) 77get_msg(int fd, Buffer *m)
78{ 78{
79 ssize_t len;
80 u_int msg_len; 79 u_int msg_len;
81 80
82 buffer_append_space(m, 4); 81 buffer_append_space(m, 4);
83 len = atomicio(read, fd, buffer_ptr(m), 4); 82 if (atomicio(read, fd, buffer_ptr(m), 4) != 4) {
84 if (len == 0) 83 if (errno == EPIPE)
85 fatal("Connection closed"); 84 fatal("Connection closed");
86 else if (len == -1) 85 else
87 fatal("Couldn't read packet: %s", strerror(errno)); 86 fatal("Couldn't read packet: %s", strerror(errno));
87 }
88 88
89 msg_len = buffer_get_int(m); 89 msg_len = buffer_get_int(m);
90 if (msg_len > MAX_MSG_LENGTH) 90 if (msg_len > MAX_MSG_LENGTH)
91 fatal("Received message too long %u", msg_len); 91 fatal("Received message too long %u", msg_len);
92 92
93 buffer_append_space(m, msg_len); 93 buffer_append_space(m, msg_len);
94 len = atomicio(read, fd, buffer_ptr(m), msg_len); 94 if (atomicio(read, fd, buffer_ptr(m), msg_len) != msg_len) {
95 if (len == 0) 95 if (errno == EPIPE)
96 fatal("Connection closed"); 96 fatal("Connection closed");
97 else if (len == -1) 97 else
98 fatal("Read packet: %s", strerror(errno)); 98 fatal("Read packet: %s", strerror(errno));
99 }
99} 100}
100 101
101static void 102static void
@@ -310,7 +311,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
310 SFTP_DIRENT ***dir) 311 SFTP_DIRENT ***dir)
311{ 312{
312 Buffer msg; 313 Buffer msg;
313 u_int type, id, handle_len, i, expected_id, ents = 0; 314 u_int count, type, id, handle_len, i, expected_id, ents = 0;
314 char *handle; 315 char *handle;
315 316
316 id = conn->msg_id++; 317 id = conn->msg_id++;
@@ -334,8 +335,6 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
334 } 335 }
335 336
336 for (; !interrupted;) { 337 for (; !interrupted;) {
337 int count;
338
339 id = expected_id = conn->msg_id++; 338 id = expected_id = conn->msg_id++;
340 339
341 debug3("Sending SSH2_FXP_READDIR I:%u", id); 340 debug3("Sending SSH2_FXP_READDIR I:%u", id);
@@ -743,10 +742,10 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
743 Attrib junk, *a; 742 Attrib junk, *a;
744 Buffer msg; 743 Buffer msg;
745 char *handle; 744 char *handle;
746 int local_fd, status, num_req, max_req, write_error; 745 int local_fd, status = 0, write_error;
747 int read_error, write_errno; 746 int read_error, write_errno;
748 u_int64_t offset, size; 747 u_int64_t offset, size;
749 u_int handle_len, mode, type, id, buflen; 748 u_int handle_len, mode, type, id, buflen, num_req, max_req;
750 off_t progress_counter; 749 off_t progress_counter;
751 struct request { 750 struct request {
752 u_int id; 751 u_int id;
@@ -856,7 +855,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
856 debug3("Received reply T:%u I:%u R:%d", type, id, max_req); 855 debug3("Received reply T:%u I:%u R:%d", type, id, max_req);
857 856
858 /* Find the request in our queue */ 857 /* Find the request in our queue */
859 for(req = TAILQ_FIRST(&requests); 858 for (req = TAILQ_FIRST(&requests);
860 req != NULL && req->id != id; 859 req != NULL && req->id != id;
861 req = TAILQ_NEXT(req, tq)) 860 req = TAILQ_NEXT(req, tq))
862 ; 861 ;
@@ -1109,7 +1108,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
1109 debug3("SSH2_FXP_STATUS %d", status); 1108 debug3("SSH2_FXP_STATUS %d", status);
1110 1109
1111 /* Find the request in our queue */ 1110 /* Find the request in our queue */
1112 for(ack = TAILQ_FIRST(&acks); 1111 for (ack = TAILQ_FIRST(&acks);
1113 ack != NULL && ack->id != r_id; 1112 ack != NULL && ack->id != r_id;
1114 ack = TAILQ_NEXT(ack, tq)) 1113 ack = TAILQ_NEXT(ack, tq))
1115 ; 1114 ;
@@ -1127,7 +1126,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
1127 goto done; 1126 goto done;
1128 } 1127 }
1129 debug3("In write loop, ack for %u %u bytes at %llu", 1128 debug3("In write loop, ack for %u %u bytes at %llu",
1130 ack->id, ack->len, (unsigned long long)ack->offset); 1129 ack->id, ack->len, (unsigned long long)ack->offset);
1131 ++ackid; 1130 ++ackid;
1132 xfree(ack); 1131 xfree(ack);
1133 } 1132 }
diff --git a/sftp-client.h b/sftp-client.h
index 991e05d33..c8a41f377 100644
--- a/sftp-client.h
+++ b/sftp-client.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: sftp-client.h,v 1.13 2004/11/29 07:41:24 djm Exp $ */ 1/* $OpenBSD: sftp-client.h,v 1.14 2005/04/26 12:59:02 jmc Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org> 4 * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
@@ -30,7 +30,7 @@ struct SFTP_DIRENT {
30}; 30};
31 31
32/* 32/*
33 * Initialiase a SSH filexfer connection. Returns NULL on error or 33 * Initialise a SSH filexfer connection. Returns NULL on error or
34 * a pointer to a initialized sftp_conn struct on success. 34 * a pointer to a initialized sftp_conn struct on success.
35 */ 35 */
36struct sftp_conn *do_init(int, int, u_int, u_int); 36struct sftp_conn *do_init(int, int, u_int, u_int);
diff --git a/sftp-server.0 b/sftp-server.0
index 995e48ecd..285ff706e 100644
--- a/sftp-server.0
+++ b/sftp-server.0
@@ -24,4 +24,4 @@ AUTHORS
24HISTORY 24HISTORY
25 sftp-server first appeared in OpenBSD 2.8 . 25 sftp-server first appeared in OpenBSD 2.8 .
26 26
27OpenBSD 3.6 August 30, 2000 1 27OpenBSD 3.8 August 30, 2000 1
diff --git a/sftp-server.c b/sftp-server.c
index e82280057..6870e7732 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -14,7 +14,7 @@
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */ 15 */
16#include "includes.h" 16#include "includes.h"
17RCSID("$OpenBSD: sftp-server.c,v 1.47 2004/06/25 05:38:48 dtucker Exp $"); 17RCSID("$OpenBSD: sftp-server.c,v 1.48 2005/06/17 02:44:33 djm Exp $");
18 18
19#include "buffer.h" 19#include "buffer.h"
20#include "bufaux.h" 20#include "bufaux.h"
@@ -130,7 +130,7 @@ Handle handles[100];
130static void 130static void
131handle_init(void) 131handle_init(void)
132{ 132{
133 int i; 133 u_int i;
134 134
135 for (i = 0; i < sizeof(handles)/sizeof(Handle); i++) 135 for (i = 0; i < sizeof(handles)/sizeof(Handle); i++)
136 handles[i].use = HANDLE_UNUSED; 136 handles[i].use = HANDLE_UNUSED;
@@ -139,7 +139,7 @@ handle_init(void)
139static int 139static int
140handle_new(int use, const char *name, int fd, DIR *dirp) 140handle_new(int use, const char *name, int fd, DIR *dirp)
141{ 141{
142 int i; 142 u_int i;
143 143
144 for (i = 0; i < sizeof(handles)/sizeof(Handle); i++) { 144 for (i = 0; i < sizeof(handles)/sizeof(Handle); i++) {
145 if (handles[i].use == HANDLE_UNUSED) { 145 if (handles[i].use == HANDLE_UNUSED) {
@@ -156,7 +156,7 @@ handle_new(int use, const char *name, int fd, DIR *dirp)
156static int 156static int
157handle_is_ok(int i, int type) 157handle_is_ok(int i, int type)
158{ 158{
159 return i >= 0 && i < sizeof(handles)/sizeof(Handle) && 159 return i >= 0 && (u_int)i < sizeof(handles)/sizeof(Handle) &&
160 handles[i].use == type; 160 handles[i].use == type;
161} 161}
162 162
@@ -477,10 +477,10 @@ process_write(void)
477 } else { 477 } else {
478/* XXX ATOMICIO ? */ 478/* XXX ATOMICIO ? */
479 ret = write(fd, data, len); 479 ret = write(fd, data, len);
480 if (ret == -1) { 480 if (ret < 0) {
481 error("process_write: write failed"); 481 error("process_write: write failed");
482 status = errno_to_portable(errno); 482 status = errno_to_portable(errno);
483 } else if (ret == len) { 483 } else if ((size_t)ret == len) {
484 status = SSH2_FX_OK; 484 status = SSH2_FX_OK;
485 } else { 485 } else {
486 logit("nothing at all written"); 486 logit("nothing at all written");
diff --git a/sftp.0 b/sftp.0
index 5b1a2fc69..1205c437b 100644
--- a/sftp.0
+++ b/sftp.0
@@ -262,4 +262,4 @@ SEE ALSO
262 T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- 262 T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
263 filexfer-00.txt, January 2001, work in progress material. 263 filexfer-00.txt, January 2001, work in progress material.
264 264
265OpenBSD 3.6 February 4, 2001 4 265OpenBSD 3.8 February 4, 2001 4
diff --git a/sftp.c b/sftp.c
index f8553ed82..f98ed7d27 100644
--- a/sftp.c
+++ b/sftp.c
@@ -16,7 +16,7 @@
16 16
17#include "includes.h" 17#include "includes.h"
18 18
19RCSID("$OpenBSD: sftp.c,v 1.62 2005/02/20 22:59:06 djm Exp $"); 19RCSID("$OpenBSD: sftp.c,v 1.66 2005/08/08 13:22:48 jaredy Exp $");
20 20
21#ifdef USE_LIBEDIT 21#ifdef USE_LIBEDIT
22#include <histedit.h> 22#include <histedit.h>
@@ -357,7 +357,7 @@ parse_ls_flags(const char **cpp, int *lflag)
357 357
358 /* Check for flags */ 358 /* Check for flags */
359 if (cp++[0] == '-') { 359 if (cp++[0] == '-') {
360 for(; strchr(WHITESPACE, *cp) == NULL; cp++) { 360 for (; strchr(WHITESPACE, *cp) == NULL; cp++) {
361 switch (*cp) { 361 switch (*cp) {
362 case 'l': 362 case 'l':
363 *lflag &= ~VIEW_FLAGS; 363 *lflag &= ~VIEW_FLAGS;
@@ -404,7 +404,7 @@ get_pathname(const char **cpp, char **path)
404{ 404{
405 const char *cp = *cpp, *end; 405 const char *cp = *cpp, *end;
406 char quot; 406 char quot;
407 int i, j; 407 u_int i, j;
408 408
409 cp += strspn(cp, WHITESPACE); 409 cp += strspn(cp, WHITESPACE);
410 if (!*cp) { 410 if (!*cp) {
@@ -664,14 +664,15 @@ sdirent_comp(const void *aa, const void *bb)
664static int 664static int
665do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) 665do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
666{ 666{
667 int n, c = 1, colspace = 0, columns = 1; 667 int n;
668 u_int c = 1, colspace = 0, columns = 1;
668 SFTP_DIRENT **d; 669 SFTP_DIRENT **d;
669 670
670 if ((n = do_readdir(conn, path, &d)) != 0) 671 if ((n = do_readdir(conn, path, &d)) != 0)
671 return (n); 672 return (n);
672 673
673 if (!(lflag & LS_SHORT_VIEW)) { 674 if (!(lflag & LS_SHORT_VIEW)) {
674 int m = 0, width = 80; 675 u_int m = 0, width = 80;
675 struct winsize ws; 676 struct winsize ws;
676 char *tmp; 677 char *tmp;
677 678
@@ -747,7 +748,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
747 int lflag) 748 int lflag)
748{ 749{
749 glob_t g; 750 glob_t g;
750 int i, c = 1, colspace = 0, columns = 1; 751 u_int i, c = 1, colspace = 0, columns = 1;
751 Attrib *a = NULL; 752 Attrib *a = NULL;
752 753
753 memset(&g, 0, sizeof(g)); 754 memset(&g, 0, sizeof(g));
@@ -783,7 +784,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
783 } 784 }
784 785
785 if (!(lflag & LS_SHORT_VIEW)) { 786 if (!(lflag & LS_SHORT_VIEW)) {
786 int m = 0, width = 80; 787 u_int m = 0, width = 80;
787 struct winsize ws; 788 struct winsize ws;
788 789
789 /* Count entries for sort and find longest filename */ 790 /* Count entries for sort and find longest filename */
@@ -1236,7 +1237,7 @@ interactive_loop(int fd_in, int fd_out, char *file1, char *file2)
1236 char *dir = NULL; 1237 char *dir = NULL;
1237 char cmd[2048]; 1238 char cmd[2048];
1238 struct sftp_conn *conn; 1239 struct sftp_conn *conn;
1239 int err; 1240 int err, interactive;
1240 EditLine *el = NULL; 1241 EditLine *el = NULL;
1241#ifdef USE_LIBEDIT 1242#ifdef USE_LIBEDIT
1242 History *hl = NULL; 1243 History *hl = NULL;
@@ -1294,14 +1295,15 @@ interactive_loop(int fd_in, int fd_out, char *file1, char *file2)
1294 xfree(dir); 1295 xfree(dir);
1295 } 1296 }
1296 1297
1297#if HAVE_SETVBUF 1298#if defined(HAVE_SETVBUF) && !defined(BROKEN_SETVBUF)
1298 setvbuf(stdout, NULL, _IOLBF, 0); 1299 setvbuf(stdout, NULL, _IOLBF, 0);
1299 setvbuf(infile, NULL, _IOLBF, 0); 1300 setvbuf(infile, NULL, _IOLBF, 0);
1300#else 1301#else
1301 setlinebuf(stdout); 1302 setlinebuf(stdout);
1302 setlinebuf(infile); 1303 setlinebuf(infile);
1303#endif 1304#endif
1304 1305
1306 interactive = !batchmode && isatty(STDIN_FILENO);
1305 err = 0; 1307 err = 0;
1306 for (;;) { 1308 for (;;) {
1307 char *cp; 1309 char *cp;
@@ -1309,20 +1311,28 @@ interactive_loop(int fd_in, int fd_out, char *file1, char *file2)
1309 signal(SIGINT, SIG_IGN); 1311 signal(SIGINT, SIG_IGN);
1310 1312
1311 if (el == NULL) { 1313 if (el == NULL) {
1312 printf("sftp> "); 1314 if (interactive)
1315 printf("sftp> ");
1313 if (fgets(cmd, sizeof(cmd), infile) == NULL) { 1316 if (fgets(cmd, sizeof(cmd), infile) == NULL) {
1314 printf("\n"); 1317 if (interactive)
1318 printf("\n");
1315 break; 1319 break;
1316 } 1320 }
1317 if (batchmode) /* Echo command */ 1321 if (!interactive) { /* Echo command */
1318 printf("%s", cmd); 1322 printf("sftp> %s", cmd);
1323 if (strlen(cmd) > 0 &&
1324 cmd[strlen(cmd) - 1] != '\n')
1325 printf("\n");
1326 }
1319 } else { 1327 } else {
1320#ifdef USE_LIBEDIT 1328#ifdef USE_LIBEDIT
1321 const char *line; 1329 const char *line;
1322 int count = 0; 1330 int count = 0;
1323 1331
1324 if ((line = el_gets(el, &count)) == NULL || count <= 0) 1332 if ((line = el_gets(el, &count)) == NULL || count <= 0) {
1325 break; 1333 printf("\n");
1334 break;
1335 }
1326 history(hl, &hev, H_ENTER, line); 1336 history(hl, &hev, H_ENTER, line);
1327 if (strlcpy(cmd, line, sizeof(cmd)) >= sizeof(cmd)) { 1337 if (strlcpy(cmd, line, sizeof(cmd)) >= sizeof(cmd)) {
1328 fprintf(stderr, "Error: input line too long\n"); 1338 fprintf(stderr, "Error: input line too long\n");
@@ -1345,6 +1355,11 @@ interactive_loop(int fd_in, int fd_out, char *file1, char *file2)
1345 } 1355 }
1346 xfree(pwd); 1356 xfree(pwd);
1347 1357
1358#ifdef USE_LIBEDIT
1359 if (el != NULL)
1360 el_end(el);
1361#endif /* USE_LIBEDIT */
1362
1348 /* err == 1 signifies normal "quit" exit */ 1363 /* err == 1 signifies normal "quit" exit */
1349 return (err >= 0 ? 0 : -1); 1364 return (err >= 0 ? 0 : -1);
1350} 1365}
@@ -1475,7 +1490,7 @@ main(int argc, char **argv)
1475 1490
1476 /* Allow "-" as stdin */ 1491 /* Allow "-" as stdin */
1477 if (strcmp(optarg, "-") != 0 && 1492 if (strcmp(optarg, "-") != 0 &&
1478 (infile = fopen(optarg, "r")) == NULL) 1493 (infile = fopen(optarg, "r")) == NULL)
1479 fatal("%s (%s).", strerror(errno), optarg); 1494 fatal("%s (%s).", strerror(errno), optarg);
1480 showprogress = 0; 1495 showprogress = 0;
1481 batchmode = 1; 1496 batchmode = 1;
@@ -1561,8 +1576,8 @@ main(int argc, char **argv)
1561 err = interactive_loop(in, out, file1, file2); 1576 err = interactive_loop(in, out, file1, file2);
1562 1577
1563#if !defined(USE_PIPES) 1578#if !defined(USE_PIPES)
1564 shutdown(in, SHUT_RDWR); 1579 shutdown(in, SHUT_RDWR);
1565 shutdown(out, SHUT_RDWR); 1580 shutdown(out, SHUT_RDWR);
1566#endif 1581#endif
1567 1582
1568 close(in); 1583 close(in);
diff --git a/ssh-add.0 b/ssh-add.0
index 28a2ad222..1c2455f9b 100644
--- a/ssh-add.0
+++ b/ssh-add.0
@@ -11,11 +11,11 @@ SYNOPSIS
11DESCRIPTION 11DESCRIPTION
12 ssh-add adds RSA or DSA identities to the authentication agent, 12 ssh-add adds RSA or DSA identities to the authentication agent,
13 ssh-agent(1). When run without arguments, it adds the files 13 ssh-agent(1). When run without arguments, it adds the files
14 $HOME/.ssh/id_rsa, $HOME/.ssh/id_dsa and $HOME/.ssh/identity. Alterna- 14 ~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity. Alternative file names
15 tive file names can be given on the command line. If any file requires a 15 can be given on the command line. If any file requires a passphrase,
16 passphrase, ssh-add asks for the passphrase from the user. The 16 ssh-add asks for the passphrase from the user. The passphrase is read
17 passphrase is read from the user's tty. ssh-add retries the last 17 from the user's tty. ssh-add retries the last passphrase if multiple
18 passphrase if multiple identity files are given. 18 identity files are given.
19 19
20 The authentication agent must be running and the SSH_AUTH_SOCK environ- 20 The authentication agent must be running and the SSH_AUTH_SOCK environ-
21 ment variable must contain the name of its socket for ssh-add to work. 21 ment variable must contain the name of its socket for ssh-add to work.
@@ -70,15 +70,15 @@ ENVIRONMENT
70 with the agent. 70 with the agent.
71 71
72FILES 72FILES
73 $HOME/.ssh/identity 73 ~/.ssh/identity
74 Contains the protocol version 1 RSA authentication identity of 74 Contains the protocol version 1 RSA authentication identity of
75 the user. 75 the user.
76 76
77 $HOME/.ssh/id_dsa 77 ~/.ssh/id_dsa
78 Contains the protocol version 2 DSA authentication identity of 78 Contains the protocol version 2 DSA authentication identity of
79 the user. 79 the user.
80 80
81 $HOME/.ssh/id_rsa 81 ~/.ssh/id_rsa
82 Contains the protocol version 2 RSA authentication identity of 82 Contains the protocol version 2 RSA authentication identity of
83 the user. 83 the user.
84 84
@@ -99,4 +99,4 @@ AUTHORS
99 ated OpenSSH. Markus Friedl contributed the support for SSH protocol 99 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
100 versions 1.5 and 2.0. 100 versions 1.5 and 2.0.
101 101
102OpenBSD 3.6 September 25, 1999 2 102OpenBSD 3.8 September 25, 1999 2
diff --git a/ssh-add.1 b/ssh-add.1
index 1f3df5bec..327fcddae 100644
--- a/ssh-add.1
+++ b/ssh-add.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-add.1,v 1.42 2005/03/01 17:32:19 jmc Exp $ 1.\" $OpenBSD: ssh-add.1,v 1.43 2005/04/21 06:17:50 djm Exp $
2.\" 2.\"
3.\" -*- nroff -*- 3.\" -*- nroff -*-
4.\" 4.\"
@@ -57,10 +57,10 @@
57adds RSA or DSA identities to the authentication agent, 57adds RSA or DSA identities to the authentication agent,
58.Xr ssh-agent 1 . 58.Xr ssh-agent 1 .
59When run without arguments, it adds the files 59When run without arguments, it adds the files
60.Pa $HOME/.ssh/id_rsa , 60.Pa ~/.ssh/id_rsa ,
61.Pa $HOME/.ssh/id_dsa 61.Pa ~/.ssh/id_dsa
62and 62and
63.Pa $HOME/.ssh/identity . 63.Pa ~/.ssh/identity .
64Alternative file names can be given on the command line. 64Alternative file names can be given on the command line.
65If any file requires a passphrase, 65If any file requires a passphrase,
66.Nm 66.Nm
@@ -142,11 +142,11 @@ agent.
142.El 142.El
143.Sh FILES 143.Sh FILES
144.Bl -tag -width Ds 144.Bl -tag -width Ds
145.It Pa $HOME/.ssh/identity 145.It Pa ~/.ssh/identity
146Contains the protocol version 1 RSA authentication identity of the user. 146Contains the protocol version 1 RSA authentication identity of the user.
147.It Pa $HOME/.ssh/id_dsa 147.It Pa ~/.ssh/id_dsa
148Contains the protocol version 2 DSA authentication identity of the user. 148Contains the protocol version 2 DSA authentication identity of the user.
149.It Pa $HOME/.ssh/id_rsa 149.It Pa ~/.ssh/id_rsa
150Contains the protocol version 2 RSA authentication identity of the user. 150Contains the protocol version 2 RSA authentication identity of the user.
151.El 151.El
152.Pp 152.Pp
diff --git a/ssh-add.c b/ssh-add.c
index 06a52464e..a3428769c 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -35,7 +35,7 @@
35 */ 35 */
36 36
37#include "includes.h" 37#include "includes.h"
38RCSID("$OpenBSD: ssh-add.c,v 1.70 2004/05/08 00:21:31 djm Exp $"); 38RCSID("$OpenBSD: ssh-add.c,v 1.72 2005/07/17 07:17:55 djm Exp $");
39 39
40#include <openssl/evp.h> 40#include <openssl/evp.h>
41 41
@@ -145,7 +145,7 @@ add_file(AuthenticationConnection *ac, const char *filename)
145 /* clear passphrase since it did not work */ 145 /* clear passphrase since it did not work */
146 clear_pass(); 146 clear_pass();
147 snprintf(msg, sizeof msg, "Enter passphrase for %.200s: ", 147 snprintf(msg, sizeof msg, "Enter passphrase for %.200s: ",
148 comment); 148 comment);
149 for (;;) { 149 for (;;) {
150 pass = read_passphrase(msg, RP_ALLOW_STDIN); 150 pass = read_passphrase(msg, RP_ALLOW_STDIN);
151 if (strcmp(pass, "") == 0) { 151 if (strcmp(pass, "") == 0) {
@@ -389,7 +389,7 @@ main(int argc, char **argv)
389 goto done; 389 goto done;
390 } 390 }
391 391
392 for(i = 0; default_files[i]; i++) { 392 for (i = 0; default_files[i]; i++) {
393 snprintf(buf, sizeof(buf), "%s/%s", pw->pw_dir, 393 snprintf(buf, sizeof(buf), "%s/%s", pw->pw_dir,
394 default_files[i]); 394 default_files[i]);
395 if (stat(buf, &st) < 0) 395 if (stat(buf, &st) < 0)
@@ -402,7 +402,7 @@ main(int argc, char **argv)
402 if (count == 0) 402 if (count == 0)
403 ret = 1; 403 ret = 1;
404 } else { 404 } else {
405 for(i = 0; i < argc; i++) { 405 for (i = 0; i < argc; i++) {
406 if (do_file(ac, deleting, argv[i]) == -1) 406 if (do_file(ac, deleting, argv[i]) == -1)
407 ret = 1; 407 ret = 1;
408 } 408 }
diff --git a/ssh-agent.0 b/ssh-agent.0
index c2d7efa57..8490a9da8 100644
--- a/ssh-agent.0
+++ b/ssh-agent.0
@@ -45,13 +45,12 @@ DESCRIPTION
45 45
46 The agent initially does not have any private keys. Keys are added using 46 The agent initially does not have any private keys. Keys are added using
47 ssh-add(1). When executed without arguments, ssh-add(1) adds the files 47 ssh-add(1). When executed without arguments, ssh-add(1) adds the files
48 $HOME/.ssh/id_rsa, $HOME/.ssh/id_dsa and $HOME/.ssh/identity. If the 48 ~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity. If the identity has a
49 identity has a passphrase, ssh-add(1) asks for the passphrase (using a 49 passphrase, ssh-add(1) asks for the passphrase (using a small X11 appli-
50 small X11 application if running under X11, or from the terminal if run- 50 cation if running under X11, or from the terminal if running without X).
51 ning without X). It then sends the identity to the agent. Several iden- 51 It then sends the identity to the agent. Several identities can be
52 tities can be stored in the agent; the agent can automatically use any of 52 stored in the agent; the agent can automatically use any of these identi-
53 these identities. ssh-add -l displays the identities currently held by 53 ties. ssh-add -l displays the identities currently held by the agent.
54 the agent.
55 54
56 The idea is that the agent is run in the user's local PC, laptop, or ter- 55 The idea is that the agent is run in the user's local PC, laptop, or ter-
57 minal. Authentication data need not be stored on any other machine, and 56 minal. Authentication data need not be stored on any other machine, and
@@ -87,15 +86,15 @@ DESCRIPTION
87 terminates. 86 terminates.
88 87
89FILES 88FILES
90 $HOME/.ssh/identity 89 ~/.ssh/identity
91 Contains the protocol version 1 RSA authentication identity of 90 Contains the protocol version 1 RSA authentication identity of
92 the user. 91 the user.
93 92
94 $HOME/.ssh/id_dsa 93 ~/.ssh/id_dsa
95 Contains the protocol version 2 DSA authentication identity of 94 Contains the protocol version 2 DSA authentication identity of
96 the user. 95 the user.
97 96
98 $HOME/.ssh/id_rsa 97 ~/.ssh/id_rsa
99 Contains the protocol version 2 RSA authentication identity of 98 Contains the protocol version 2 RSA authentication identity of
100 the user. 99 the user.
101 100
@@ -115,4 +114,4 @@ AUTHORS
115 ated OpenSSH. Markus Friedl contributed the support for SSH protocol 114 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
116 versions 1.5 and 2.0. 115 versions 1.5 and 2.0.
117 116
118OpenBSD 3.6 September 25, 1999 2 117OpenBSD 3.8 September 25, 1999 2
diff --git a/ssh-agent.1 b/ssh-agent.1
index 226804e5f..741cf4bd1 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-agent.1,v 1.41 2004/07/11 17:48:47 deraadt Exp $ 1.\" $OpenBSD: ssh-agent.1,v 1.42 2005/04/21 06:17:50 djm Exp $
2.\" 2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -111,10 +111,10 @@ Keys are added using
111When executed without arguments, 111When executed without arguments,
112.Xr ssh-add 1 112.Xr ssh-add 1
113adds the files 113adds the files
114.Pa $HOME/.ssh/id_rsa , 114.Pa ~/.ssh/id_rsa ,
115.Pa $HOME/.ssh/id_dsa 115.Pa ~/.ssh/id_dsa
116and 116and
117.Pa $HOME/.ssh/identity . 117.Pa ~/.ssh/identity .
118If the identity has a passphrase, 118If the identity has a passphrase,
119.Xr ssh-add 1 119.Xr ssh-add 1
120asks for the passphrase (using a small X11 application if running 120asks for the passphrase (using a small X11 application if running
@@ -179,11 +179,11 @@ The agent exits automatically when the command given on the command
179line terminates. 179line terminates.
180.Sh FILES 180.Sh FILES
181.Bl -tag -width Ds 181.Bl -tag -width Ds
182.It Pa $HOME/.ssh/identity 182.It Pa ~/.ssh/identity
183Contains the protocol version 1 RSA authentication identity of the user. 183Contains the protocol version 1 RSA authentication identity of the user.
184.It Pa $HOME/.ssh/id_dsa 184.It Pa ~/.ssh/id_dsa
185Contains the protocol version 2 DSA authentication identity of the user. 185Contains the protocol version 2 DSA authentication identity of the user.
186.It Pa $HOME/.ssh/id_rsa 186.It Pa ~/.ssh/id_rsa
187Contains the protocol version 2 RSA authentication identity of the user. 187Contains the protocol version 2 RSA authentication identity of the user.
188.It Pa /tmp/ssh-XXXXXXXX/agent.<ppid> 188.It Pa /tmp/ssh-XXXXXXXX/agent.<ppid>
189Unix-domain sockets used to contain the connection to the 189Unix-domain sockets used to contain the connection to the
diff --git a/ssh-gss.h b/ssh-gss.h
index 74ce6f8bc..213930103 100644
--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -67,7 +67,10 @@
67#define SSH2_MSG_KEXGSS_COMPLETE 32 67#define SSH2_MSG_KEXGSS_COMPLETE 32
68#define SSH2_MSG_KEXGSS_HOSTKEY 33 68#define SSH2_MSG_KEXGSS_HOSTKEY 33
69#define SSH2_MSG_KEXGSS_ERROR 34 69#define SSH2_MSG_KEXGSS_ERROR 34
70#define KEX_GSS_SHA1 "gss-group1-sha1-" 70#define SSH2_MSG_KEXGSS_GROUPREQ 40
71#define SSH2_MSG_KEXGSS_GROUP 41
72#define KEX_GSS_GRP1_SHA1_ID "gss-group1-sha1-"
73#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-"
71 74
72typedef struct { 75typedef struct {
73 char *filename; 76 char *filename;
@@ -130,10 +133,10 @@ OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
130void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); 133void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
131 134
132typedef int ssh_gssapi_check_fn(gss_OID, void *); 135typedef int ssh_gssapi_check_fn(gss_OID, void *);
133char *ssh_gssapi_client_mechanisms(char *host); 136char *ssh_gssapi_client_mechanisms(const char *host);
134char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, void *); 137char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, void *);
135int ssh_gssapi_check_mechanism(gss_OID, void *); 138int ssh_gssapi_check_mechanism(gss_OID, void *);
136gss_OID ssh_gssapi_id_kex(Gssctxt *, char *); 139gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int *);
137 140
138int ssh_gssapi_server_check_mech(gss_OID, void *); 141int ssh_gssapi_server_check_mech(gss_OID, void *);
139int ssh_gssapi_userok(char *name); 142int ssh_gssapi_userok(char *name);
@@ -141,7 +144,8 @@ OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
141void ssh_gssapi_do_child(char ***, u_int *); 144void ssh_gssapi_do_child(char ***, u_int *);
142void ssh_gssapi_cleanup_creds(void); 145void ssh_gssapi_cleanup_creds(void);
143void ssh_gssapi_storecreds(void); 146void ssh_gssapi_storecreds(void);
144 147char * ssh_gssapi_server_mechanisms(void);
148int ssh_gssapi_oid_table_ok();
145#endif /* GSSAPI */ 149#endif /* GSSAPI */
146 150
147#endif /* _SSH_GSS_H */ 151#endif /* _SSH_GSS_H */
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index 998b6f1e0..de651e9c4 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -33,9 +33,9 @@ DESCRIPTION
33 group exchange (DH-GEX). See the MODULI GENERATION section for details. 33 group exchange (DH-GEX). See the MODULI GENERATION section for details.
34 34
35 Normally each user wishing to use SSH with RSA or DSA authentication runs 35 Normally each user wishing to use SSH with RSA or DSA authentication runs
36 this once to create the authentication key in $HOME/.ssh/identity, 36 this once to create the authentication key in ~/.ssh/identity,
37 $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa. Additionally, the system admin- 37 ~/.ssh/id_dsa or ~/.ssh/id_rsa. Additionally, the system administrator
38 istrator may use this to generate host keys, as seen in /etc/rc. 38 may use this to generate host keys, as seen in /etc/rc.
39 39
40 Normally this program generates the key and asks for a file in which to 40 Normally this program generates the key and asks for a file in which to
41 store the private key. The public key is stored in a file with the same 41 store the private key. The public key is stored in a file with the same
@@ -75,8 +75,8 @@ DESCRIPTION
75 75
76 -b bits 76 -b bits
77 Specifies the number of bits in the key to create. Minimum is 77 Specifies the number of bits in the key to create. Minimum is
78 512 bits. Generally, 1024 bits is considered sufficient. The 78 512 bits. Generally, 2048 bits is considered sufficient. The
79 default is 1024 bits. 79 default is 2048 bits.
80 80
81 -C comment 81 -C comment
82 Provides a new comment. 82 Provides a new comment.
@@ -110,13 +110,14 @@ DESCRIPTION
110 -g Use generic DNS format when printing fingerprint resource records 110 -g Use generic DNS format when printing fingerprint resource records
111 using the -r command. 111 using the -r command.
112 112
113 -H Hash a known_hosts file, printing the result to standard output. 113 -H Hash a known_hosts file. This replaces all hostnames and ad-
114 This replaces all hostnames and addresses with hashed representa- 114 dresses with hashed representations within the specified file;
115 tions. These hashes may be used normally by ssh and sshd, but 115 the original content is moved to a file with a .old suffix.
116 they do not reveal identifying information should the file's con- 116 These hashes may be used normally by ssh and sshd, but they do
117 tents be disclosed. This option will not modify existing hashed 117 not reveal identifying information should the file's contents be
118 hostnames and is therefore safe to use on files that mix hashed 118 disclosed. This option will not modify existing hashed hostnames
119 and non-hashed names. 119 and is therefore safe to use on files that mix hashed and non-
120 hashed names.
120 121
121 -i This option will read an unencrypted private (or public) key file 122 -i This option will read an unencrypted private (or public) key file
122 in SSH2-compatible format and print an OpenSSH compatible private 123 in SSH2-compatible format and print an OpenSSH compatible private
@@ -216,7 +217,7 @@ MODULI GENERATION
216 a connection share common moduli. 217 a connection share common moduli.
217 218
218FILES 219FILES
219 $HOME/.ssh/identity 220 ~/.ssh/identity
220 Contains the protocol version 1 RSA authentication identity of 221 Contains the protocol version 1 RSA authentication identity of
221 the user. This file should not be readable by anyone but the us- 222 the user. This file should not be readable by anyone but the us-
222 er. It is possible to specify a passphrase when generating the 223 er. It is possible to specify a passphrase when generating the
@@ -225,14 +226,14 @@ FILES
225 ssh-keygen but it is offered as the default file for the private 226 ssh-keygen but it is offered as the default file for the private
226 key. ssh(1) will read this file when a login attempt is made. 227 key. ssh(1) will read this file when a login attempt is made.
227 228
228 $HOME/.ssh/identity.pub 229 ~/.ssh/identity.pub
229 Contains the protocol version 1 RSA public key for authentica- 230 Contains the protocol version 1 RSA public key for authentica-
230 tion. The contents of this file should be added to 231 tion. The contents of this file should be added to
231 $HOME/.ssh/authorized_keys on all machines where the user wishes 232 ~/.ssh/authorized_keys on all machines where the user wishes to
232 to log in using RSA authentication. There is no need to keep the 233 log in using RSA authentication. There is no need to keep the
233 contents of this file secret. 234 contents of this file secret.
234 235
235 $HOME/.ssh/id_dsa 236 ~/.ssh/id_dsa
236 Contains the protocol version 2 DSA authentication identity of 237 Contains the protocol version 2 DSA authentication identity of
237 the user. This file should not be readable by anyone but the us- 238 the user. This file should not be readable by anyone but the us-
238 er. It is possible to specify a passphrase when generating the 239 er. It is possible to specify a passphrase when generating the
@@ -241,14 +242,14 @@ FILES
241 ssh-keygen but it is offered as the default file for the private 242 ssh-keygen but it is offered as the default file for the private
242 key. ssh(1) will read this file when a login attempt is made. 243 key. ssh(1) will read this file when a login attempt is made.
243 244
244 $HOME/.ssh/id_dsa.pub 245 ~/.ssh/id_dsa.pub
245 Contains the protocol version 2 DSA public key for authentica- 246 Contains the protocol version 2 DSA public key for authentica-
246 tion. The contents of this file should be added to 247 tion. The contents of this file should be added to
247 $HOME/.ssh/authorized_keys on all machines where the user wishes 248 ~/.ssh/authorized_keys on all machines where the user wishes to
248 to log in using public key authentication. There is no need to 249 log in using public key authentication. There is no need to keep
249 keep the contents of this file secret. 250 the contents of this file secret.
250 251
251 $HOME/.ssh/id_rsa 252 ~/.ssh/id_rsa
252 Contains the protocol version 2 RSA authentication identity of 253 Contains the protocol version 2 RSA authentication identity of
253 the user. This file should not be readable by anyone but the us- 254 the user. This file should not be readable by anyone but the us-
254 er. It is possible to specify a passphrase when generating the 255 er. It is possible to specify a passphrase when generating the
@@ -257,12 +258,12 @@ FILES
257 ssh-keygen but it is offered as the default file for the private 258 ssh-keygen but it is offered as the default file for the private
258 key. ssh(1) will read this file when a login attempt is made. 259 key. ssh(1) will read this file when a login attempt is made.
259 260
260 $HOME/.ssh/id_rsa.pub 261 ~/.ssh/id_rsa.pub
261 Contains the protocol version 2 RSA public key for authentica- 262 Contains the protocol version 2 RSA public key for authentica-
262 tion. The contents of this file should be added to 263 tion. The contents of this file should be added to
263 $HOME/.ssh/authorized_keys on all machines where the user wishes 264 ~/.ssh/authorized_keys on all machines where the user wishes to
264 to log in using public key authentication. There is no need to 265 log in using public key authentication. There is no need to keep
265 keep the contents of this file secret. 266 the contents of this file secret.
266 267
267 /etc/moduli 268 /etc/moduli
268 Contains Diffie-Hellman groups used for DH-GEX. The file format 269 Contains Diffie-Hellman groups used for DH-GEX. The file format
@@ -281,4 +282,4 @@ AUTHORS
281 created OpenSSH. Markus Friedl contributed the support for SSH protocol 282 created OpenSSH. Markus Friedl contributed the support for SSH protocol
282 versions 1.5 and 2.0. 283 versions 1.5 and 2.0.
283 284
284OpenBSD 3.6 September 25, 1999 5 285OpenBSD 3.8 September 25, 1999 5
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 3987b1e66..5454d00ce 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keygen.1,v 1.66 2005/03/01 18:15:56 jmc Exp $ 1.\" $OpenBSD: ssh-keygen.1,v 1.69 2005/06/08 03:50:00 djm Exp $
2.\" 2.\"
3.\" -*- nroff -*- 3.\" -*- nroff -*-
4.\" 4.\"
@@ -129,10 +129,10 @@ section for details.
129Normally each user wishing to use SSH 129Normally each user wishing to use SSH
130with RSA or DSA authentication runs this once to create the authentication 130with RSA or DSA authentication runs this once to create the authentication
131key in 131key in
132.Pa $HOME/.ssh/identity , 132.Pa ~/.ssh/identity ,
133.Pa $HOME/.ssh/id_dsa 133.Pa ~/.ssh/id_dsa
134or 134or
135.Pa $HOME/.ssh/id_rsa . 135.Pa ~/.ssh/id_rsa .
136Additionally, the system administrator may use this to generate host keys, 136Additionally, the system administrator may use this to generate host keys,
137as seen in 137as seen in
138.Pa /etc/rc . 138.Pa /etc/rc .
@@ -188,8 +188,8 @@ Show the bubblebabble digest of specified private or public key file.
188.It Fl b Ar bits 188.It Fl b Ar bits
189Specifies the number of bits in the key to create. 189Specifies the number of bits in the key to create.
190Minimum is 512 bits. 190Minimum is 512 bits.
191Generally, 1024 bits is considered sufficient. 191Generally, 2048 bits is considered sufficient.
192The default is 1024 bits. 192The default is 2048 bits.
193.It Fl C Ar comment 193.It Fl C Ar comment
194Provides a new comment. 194Provides a new comment.
195.It Fl c 195.It Fl c
@@ -232,8 +232,10 @@ command.
232.It Fl H 232.It Fl H
233Hash a 233Hash a
234.Pa known_hosts 234.Pa known_hosts
235file, printing the result to standard output. 235file.
236This replaces all hostnames and addresses with hashed representations. 236This replaces all hostnames and addresses with hashed representations
237within the specified file; the original content is moved to a file with
238a .old suffix.
237These hashes may be used normally by 239These hashes may be used normally by
238.Nm ssh 240.Nm ssh
239and 241and
@@ -379,7 +381,7 @@ It is important that this file contains moduli of a range of bit lengths and
379that both ends of a connection share common moduli. 381that both ends of a connection share common moduli.
380.Sh FILES 382.Sh FILES
381.Bl -tag -width Ds 383.Bl -tag -width Ds
382.It Pa $HOME/.ssh/identity 384.It Pa ~/.ssh/identity
383Contains the protocol version 1 RSA authentication identity of the user. 385Contains the protocol version 1 RSA authentication identity of the user.
384This file should not be readable by anyone but the user. 386This file should not be readable by anyone but the user.
385It is possible to 387It is possible to
@@ -390,14 +392,14 @@ This file is not automatically accessed by
390but it is offered as the default file for the private key. 392but it is offered as the default file for the private key.
391.Xr ssh 1 393.Xr ssh 1
392will read this file when a login attempt is made. 394will read this file when a login attempt is made.
393.It Pa $HOME/.ssh/identity.pub 395.It Pa ~/.ssh/identity.pub
394Contains the protocol version 1 RSA public key for authentication. 396Contains the protocol version 1 RSA public key for authentication.
395The contents of this file should be added to 397The contents of this file should be added to
396.Pa $HOME/.ssh/authorized_keys 398.Pa ~/.ssh/authorized_keys
397on all machines 399on all machines
398where the user wishes to log in using RSA authentication. 400where the user wishes to log in using RSA authentication.
399There is no need to keep the contents of this file secret. 401There is no need to keep the contents of this file secret.
400.It Pa $HOME/.ssh/id_dsa 402.It Pa ~/.ssh/id_dsa
401Contains the protocol version 2 DSA authentication identity of the user. 403Contains the protocol version 2 DSA authentication identity of the user.
402This file should not be readable by anyone but the user. 404This file should not be readable by anyone but the user.
403It is possible to 405It is possible to
@@ -408,14 +410,14 @@ This file is not automatically accessed by
408but it is offered as the default file for the private key. 410but it is offered as the default file for the private key.
409.Xr ssh 1 411.Xr ssh 1
410will read this file when a login attempt is made. 412will read this file when a login attempt is made.
411.It Pa $HOME/.ssh/id_dsa.pub 413.It Pa ~/.ssh/id_dsa.pub
412Contains the protocol version 2 DSA public key for authentication. 414Contains the protocol version 2 DSA public key for authentication.
413The contents of this file should be added to 415The contents of this file should be added to
414.Pa $HOME/.ssh/authorized_keys 416.Pa ~/.ssh/authorized_keys
415on all machines 417on all machines
416where the user wishes to log in using public key authentication. 418where the user wishes to log in using public key authentication.
417There is no need to keep the contents of this file secret. 419There is no need to keep the contents of this file secret.
418.It Pa $HOME/.ssh/id_rsa 420.It Pa ~/.ssh/id_rsa
419Contains the protocol version 2 RSA authentication identity of the user. 421Contains the protocol version 2 RSA authentication identity of the user.
420This file should not be readable by anyone but the user. 422This file should not be readable by anyone but the user.
421It is possible to 423It is possible to
@@ -426,10 +428,10 @@ This file is not automatically accessed by
426but it is offered as the default file for the private key. 428but it is offered as the default file for the private key.
427.Xr ssh 1 429.Xr ssh 1
428will read this file when a login attempt is made. 430will read this file when a login attempt is made.
429.It Pa $HOME/.ssh/id_rsa.pub 431.It Pa ~/.ssh/id_rsa.pub
430Contains the protocol version 2 RSA public key for authentication. 432Contains the protocol version 2 RSA public key for authentication.
431The contents of this file should be added to 433The contents of this file should be added to
432.Pa $HOME/.ssh/authorized_keys 434.Pa ~/.ssh/authorized_keys
433on all machines 435on all machines
434where the user wishes to log in using public key authentication. 436where the user wishes to log in using public key authentication.
435There is no need to keep the contents of this file secret. 437There is no need to keep the contents of this file secret.
diff --git a/ssh-keygen.c b/ssh-keygen.c
index a9931d4d8..b17851946 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -12,7 +12,7 @@
12 */ 12 */
13 13
14#include "includes.h" 14#include "includes.h"
15RCSID("$OpenBSD: ssh-keygen.c,v 1.120 2005/03/02 01:27:41 djm Exp $"); 15RCSID("$OpenBSD: ssh-keygen.c,v 1.128 2005/07/17 07:17:55 djm Exp $");
16 16
17#include <openssl/evp.h> 17#include <openssl/evp.h>
18#include <openssl/pem.h> 18#include <openssl/pem.h>
@@ -36,7 +36,7 @@ RCSID("$OpenBSD: ssh-keygen.c,v 1.120 2005/03/02 01:27:41 djm Exp $");
36#include "dns.h" 36#include "dns.h"
37 37
38/* Number of bits in the RSA/DSA key. This value can be changed on the command line. */ 38/* Number of bits in the RSA/DSA key. This value can be changed on the command line. */
39int bits = 1024; 39u_int32_t bits = 2048;
40 40
41/* 41/*
42 * Flag indicating that we just want to change the passphrase. This can be 42 * Flag indicating that we just want to change the passphrase. This can be
@@ -90,7 +90,7 @@ extern char *__progname;
90char hostname[MAXHOSTNAMELEN]; 90char hostname[MAXHOSTNAMELEN];
91 91
92/* moduli.c */ 92/* moduli.c */
93int gen_candidates(FILE *, int, int, BIGNUM *); 93int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
94int prime_test(FILE *, FILE *, u_int32_t, u_int32_t); 94int prime_test(FILE *, FILE *, u_int32_t, u_int32_t);
95 95
96static void 96static void
@@ -684,7 +684,7 @@ do_known_hosts(struct passwd *pw, const char *name)
684 if (delete_host && !c) 684 if (delete_host && !c)
685 print_host(out, cp, public, 0); 685 print_host(out, cp, public, 0);
686 } else if (hash_hosts) { 686 } else if (hash_hosts) {
687 for(cp2 = strsep(&cp, ","); 687 for (cp2 = strsep(&cp, ",");
688 cp2 != NULL && *cp2 != '\0'; 688 cp2 != NULL && *cp2 != '\0';
689 cp2 = strsep(&cp, ",")) { 689 cp2 = strsep(&cp, ",")) {
690 if (strcspn(cp2, "*?!") != strlen(cp2)) 690 if (strcspn(cp2, "*?!") != strlen(cp2))
@@ -707,7 +707,7 @@ do_known_hosts(struct passwd *pw, const char *name)
707 identity_file); 707 identity_file);
708 if (inplace) { 708 if (inplace) {
709 fprintf(stderr, "Not replacing existing known_hosts " 709 fprintf(stderr, "Not replacing existing known_hosts "
710 "file beacuse of errors"); 710 "file because of errors\n");
711 fclose(out); 711 fclose(out);
712 unlink(tmp); 712 unlink(tmp);
713 } 713 }
@@ -738,7 +738,7 @@ do_known_hosts(struct passwd *pw, const char *name)
738 fprintf(stderr, "WARNING: %s contains unhashed " 738 fprintf(stderr, "WARNING: %s contains unhashed "
739 "entries\n", old); 739 "entries\n", old);
740 fprintf(stderr, "Delete this file to ensure privacy " 740 fprintf(stderr, "Delete this file to ensure privacy "
741 "of hostnames\n"); 741 "of hostnames\n");
742 } 742 }
743 } 743 }
744 744
@@ -959,31 +959,38 @@ usage(void)
959{ 959{
960 fprintf(stderr, "Usage: %s [options]\n", __progname); 960 fprintf(stderr, "Usage: %s [options]\n", __progname);
961 fprintf(stderr, "Options:\n"); 961 fprintf(stderr, "Options:\n");
962 fprintf(stderr, " -a trials Number of trials for screening DH-GEX moduli.\n");
963 fprintf(stderr, " -B Show bubblebabble digest of key file.\n");
962 fprintf(stderr, " -b bits Number of bits in the key to create.\n"); 964 fprintf(stderr, " -b bits Number of bits in the key to create.\n");
965 fprintf(stderr, " -C comment Provide new comment.\n");
963 fprintf(stderr, " -c Change comment in private and public key files.\n"); 966 fprintf(stderr, " -c Change comment in private and public key files.\n");
967#ifdef SMARTCARD
968 fprintf(stderr, " -D reader Download public key from smartcard.\n");
969#endif /* SMARTCARD */
964 fprintf(stderr, " -e Convert OpenSSH to IETF SECSH key file.\n"); 970 fprintf(stderr, " -e Convert OpenSSH to IETF SECSH key file.\n");
971 fprintf(stderr, " -F hostname Find hostname in known hosts file.\n");
965 fprintf(stderr, " -f filename Filename of the key file.\n"); 972 fprintf(stderr, " -f filename Filename of the key file.\n");
973 fprintf(stderr, " -G file Generate candidates for DH-GEX moduli.\n");
966 fprintf(stderr, " -g Use generic DNS resource record format.\n"); 974 fprintf(stderr, " -g Use generic DNS resource record format.\n");
975 fprintf(stderr, " -H Hash names in known_hosts file.\n");
967 fprintf(stderr, " -i Convert IETF SECSH to OpenSSH key file.\n"); 976 fprintf(stderr, " -i Convert IETF SECSH to OpenSSH key file.\n");
968 fprintf(stderr, " -l Show fingerprint of key file.\n"); 977 fprintf(stderr, " -l Show fingerprint of key file.\n");
969 fprintf(stderr, " -p Change passphrase of private key file.\n"); 978 fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n");
970 fprintf(stderr, " -q Quiet.\n");
971 fprintf(stderr, " -y Read private key file and print public key.\n");
972 fprintf(stderr, " -t type Specify type of key to create.\n");
973 fprintf(stderr, " -B Show bubblebabble digest of key file.\n");
974 fprintf(stderr, " -H Hash names in known_hosts file\n");
975 fprintf(stderr, " -F hostname Find hostname in known hosts file\n");
976 fprintf(stderr, " -C comment Provide new comment.\n");
977 fprintf(stderr, " -N phrase Provide new passphrase.\n"); 979 fprintf(stderr, " -N phrase Provide new passphrase.\n");
978 fprintf(stderr, " -P phrase Provide old passphrase.\n"); 980 fprintf(stderr, " -P phrase Provide old passphrase.\n");
981 fprintf(stderr, " -p Change passphrase of private key file.\n");
982 fprintf(stderr, " -q Quiet.\n");
983 fprintf(stderr, " -R hostname Remove host from known_hosts file.\n");
979 fprintf(stderr, " -r hostname Print DNS resource record.\n"); 984 fprintf(stderr, " -r hostname Print DNS resource record.\n");
985 fprintf(stderr, " -S start Start point (hex) for generating DH-GEX moduli.\n");
986 fprintf(stderr, " -T file Screen candidates for DH-GEX moduli.\n");
987 fprintf(stderr, " -t type Specify type of key to create.\n");
980#ifdef SMARTCARD 988#ifdef SMARTCARD
981 fprintf(stderr, " -D reader Download public key from smartcard.\n");
982 fprintf(stderr, " -U reader Upload private key to smartcard.\n"); 989 fprintf(stderr, " -U reader Upload private key to smartcard.\n");
983#endif /* SMARTCARD */ 990#endif /* SMARTCARD */
984 991 fprintf(stderr, " -v Verbose.\n");
985 fprintf(stderr, " -G file Generate candidates for DH-GEX moduli\n"); 992 fprintf(stderr, " -W gen Generator to use for generating DH-GEX moduli.\n");
986 fprintf(stderr, " -T file Screen candidates for DH-GEX moduli\n"); 993 fprintf(stderr, " -y Read private key file and print public key.\n");
987 994
988 exit(1); 995 exit(1);
989} 996}
@@ -1000,12 +1007,13 @@ main(int ac, char **av)
1000 Key *private, *public; 1007 Key *private, *public;
1001 struct passwd *pw; 1008 struct passwd *pw;
1002 struct stat st; 1009 struct stat st;
1003 int opt, type, fd, download = 0, memory = 0; 1010 int opt, type, fd, download = 0;
1004 int generator_wanted = 0, trials = 100; 1011 u_int32_t memory = 0, generator_wanted = 0, trials = 100;
1005 int do_gen_candidates = 0, do_screen_candidates = 0; 1012 int do_gen_candidates = 0, do_screen_candidates = 0;
1006 int log_level = SYSLOG_LEVEL_INFO; 1013 int log_level = SYSLOG_LEVEL_INFO;
1007 BIGNUM *start = NULL; 1014 BIGNUM *start = NULL;
1008 FILE *f; 1015 FILE *f;
1016 const char *errstr;
1009 1017
1010 extern int optind; 1018 extern int optind;
1011 extern char *optarg; 1019 extern char *optarg;
@@ -1033,11 +1041,10 @@ main(int ac, char **av)
1033 "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) { 1041 "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
1034 switch (opt) { 1042 switch (opt) {
1035 case 'b': 1043 case 'b':
1036 bits = atoi(optarg); 1044 bits = strtonum(optarg, 512, 32768, &errstr);
1037 if (bits < 512 || bits > 32768) { 1045 if (errstr)
1038 printf("Bits has bad value.\n"); 1046 fatal("Bits has bad value %s (%s)",
1039 exit(1); 1047 optarg, errstr);
1040 }
1041 break; 1048 break;
1042 case 'F': 1049 case 'F':
1043 find_host = 1; 1050 find_host = 1;
@@ -1063,7 +1070,9 @@ main(int ac, char **av)
1063 change_comment = 1; 1070 change_comment = 1;
1064 break; 1071 break;
1065 case 'f': 1072 case 'f':
1066 strlcpy(identity_file, optarg, sizeof(identity_file)); 1073 if (strlcpy(identity_file, optarg, sizeof(identity_file)) >=
1074 sizeof(identity_file))
1075 fatal("Identity filename too long");
1067 have_identity = 1; 1076 have_identity = 1;
1068 break; 1077 break;
1069 case 'g': 1078 case 'g':
@@ -1118,23 +1127,34 @@ main(int ac, char **av)
1118 rr_hostname = optarg; 1127 rr_hostname = optarg;
1119 break; 1128 break;
1120 case 'W': 1129 case 'W':
1121 generator_wanted = atoi(optarg); 1130 generator_wanted = strtonum(optarg, 1, UINT_MAX, &errstr);
1122 if (generator_wanted < 1) 1131 if (errstr)
1123 fatal("Desired generator has bad value."); 1132 fatal("Desired generator has bad value: %s (%s)",
1133 optarg, errstr);
1124 break; 1134 break;
1125 case 'a': 1135 case 'a':
1126 trials = atoi(optarg); 1136 trials = strtonum(optarg, 1, UINT_MAX, &errstr);
1137 if (errstr)
1138 fatal("Invalid number of trials: %s (%s)",
1139 optarg, errstr);
1127 break; 1140 break;
1128 case 'M': 1141 case 'M':
1129 memory = atoi(optarg); 1142 memory = strtonum(optarg, 1, UINT_MAX, &errstr);
1143 if (errstr) {
1144 fatal("Memory limit is %s: %s", errstr, optarg);
1145 }
1130 break; 1146 break;
1131 case 'G': 1147 case 'G':
1132 do_gen_candidates = 1; 1148 do_gen_candidates = 1;
1133 strlcpy(out_file, optarg, sizeof(out_file)); 1149 if (strlcpy(out_file, optarg, sizeof(out_file)) >=
1150 sizeof(out_file))
1151 fatal("Output filename too long");
1134 break; 1152 break;
1135 case 'T': 1153 case 'T':
1136 do_screen_candidates = 1; 1154 do_screen_candidates = 1;
1137 strlcpy(out_file, optarg, sizeof(out_file)); 1155 if (strlcpy(out_file, optarg, sizeof(out_file)) >=
1156 sizeof(out_file))
1157 fatal("Output filename too long");
1138 break; 1158 break;
1139 case 'S': 1159 case 'S':
1140 /* XXX - also compare length against bits */ 1160 /* XXX - also compare length against bits */
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0
index 4bbfd1483..b365148e4 100644
--- a/ssh-keyscan.0
+++ b/ssh-keyscan.0
@@ -104,4 +104,4 @@ BUGS
104 This is because it opens a connection to the ssh port, reads the public 104 This is because it opens a connection to the ssh port, reads the public
105 key, and drops the connection as soon as it gets the key. 105 key, and drops the connection as soon as it gets the key.
106 106
107OpenBSD 3.6 January 1, 1996 2 107OpenBSD 3.8 January 1, 1996 2
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index bc2c3b728..46f063687 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -7,7 +7,7 @@
7 */ 7 */
8 8
9#include "includes.h" 9#include "includes.h"
10RCSID("$OpenBSD: ssh-keyscan.c,v 1.52 2005/03/01 15:47:14 jmc Exp $"); 10RCSID("$OpenBSD: ssh-keyscan.c,v 1.55 2005/06/17 02:44:33 djm Exp $");
11 11
12#include "openbsd-compat/sys-queue.h" 12#include "openbsd-compat/sys-queue.h"
13 13
@@ -166,7 +166,7 @@ Linebuf_lineno(Linebuf * lb)
166static char * 166static char *
167Linebuf_getline(Linebuf * lb) 167Linebuf_getline(Linebuf * lb)
168{ 168{
169 int n = 0; 169 size_t n = 0;
170 void *p; 170 void *p;
171 171
172 lb->lineno++; 172 lb->lineno++;
@@ -493,7 +493,7 @@ conrecycle(int s)
493static void 493static void
494congreet(int s) 494congreet(int s)
495{ 495{
496 int remote_major = 0, remote_minor = 0, n = 0; 496 int n = 0, remote_major = 0, remote_minor = 0;
497 char buf[256], *cp; 497 char buf[256], *cp;
498 char remote_version[sizeof buf]; 498 char remote_version[sizeof buf];
499 size_t bufsiz; 499 size_t bufsiz;
@@ -506,14 +506,17 @@ congreet(int s)
506 *cp = '\n'; 506 *cp = '\n';
507 cp++; 507 cp++;
508 } 508 }
509 if (n < 0) {
510 if (errno != ECONNREFUSED)
511 error("read (%s): %s", c->c_name, strerror(errno));
512 conrecycle(s);
513 return;
514 }
515 if (n == 0) { 509 if (n == 0) {
516 error("%s: Connection closed by remote host", c->c_name); 510 switch (errno) {
511 case EPIPE:
512 error("%s: Connection closed by remote host", c->c_name);
513 break;
514 case ECONNREFUSED:
515 break;
516 default:
517 error("read (%s): %s", c->c_name, strerror(errno));
518 break;
519 }
517 conrecycle(s); 520 conrecycle(s);
518 return; 521 return;
519 } 522 }
@@ -543,7 +546,12 @@ congreet(int s)
543 n = snprintf(buf, sizeof buf, "SSH-%d.%d-OpenSSH-keyscan\r\n", 546 n = snprintf(buf, sizeof buf, "SSH-%d.%d-OpenSSH-keyscan\r\n",
544 c->c_keytype == KT_RSA1? PROTOCOL_MAJOR_1 : PROTOCOL_MAJOR_2, 547 c->c_keytype == KT_RSA1? PROTOCOL_MAJOR_1 : PROTOCOL_MAJOR_2,
545 c->c_keytype == KT_RSA1? PROTOCOL_MINOR_1 : PROTOCOL_MINOR_2); 548 c->c_keytype == KT_RSA1? PROTOCOL_MINOR_1 : PROTOCOL_MINOR_2);
546 if (atomicio(vwrite, s, buf, n) != n) { 549 if (n < 0 || (size_t)n >= sizeof(buf)) {
550 error("snprintf: buffer too small");
551 confree(s);
552 return;
553 }
554 if (atomicio(vwrite, s, buf, n) != (size_t)n) {
547 error("write (%s): %s", c->c_name, strerror(errno)); 555 error("write (%s): %s", c->c_name, strerror(errno));
548 confree(s); 556 confree(s);
549 return; 557 return;
@@ -561,14 +569,14 @@ static void
561conread(int s) 569conread(int s)
562{ 570{
563 con *c = &fdcon[s]; 571 con *c = &fdcon[s];
564 int n; 572 size_t n;
565 573
566 if (c->c_status == CS_CON) { 574 if (c->c_status == CS_CON) {
567 congreet(s); 575 congreet(s);
568 return; 576 return;
569 } 577 }
570 n = atomicio(read, s, c->c_data + c->c_off, c->c_len - c->c_off); 578 n = atomicio(read, s, c->c_data + c->c_off, c->c_len - c->c_off);
571 if (n < 0) { 579 if (n == 0) {
572 error("read (%s): %s", c->c_name, strerror(errno)); 580 error("read (%s): %s", c->c_name, strerror(errno));
573 confree(s); 581 confree(s);
574 return; 582 return;
diff --git a/ssh-keysign.0 b/ssh-keysign.0
index e10b8ac45..ea944a6fe 100644
--- a/ssh-keysign.0
+++ b/ssh-keysign.0
@@ -39,4 +39,4 @@ HISTORY
39AUTHORS 39AUTHORS
40 Markus Friedl <markus@openbsd.org> 40 Markus Friedl <markus@openbsd.org>
41 41
42OpenBSD 3.6 May 24, 2002 1 42OpenBSD 3.8 May 24, 2002 1
diff --git a/ssh-rand-helper.0 b/ssh-rand-helper.0
index 9af5fdd8f..35a7a7ce5 100644
--- a/ssh-rand-helper.0
+++ b/ssh-rand-helper.0
@@ -46,4 +46,4 @@ AUTHORS
46SEE ALSO 46SEE ALSO
47 ssh(1), ssh-add(1), ssh-keygen(1), sshd(8) 47 ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)
48 48
49OpenBSD 3.6 April 14, 2002 1 49OpenBSD 3.8 April 14, 2002 1
diff --git a/ssh-rand-helper.c b/ssh-rand-helper.c
index d7d8d0f3b..87e52cf75 100644
--- a/ssh-rand-helper.c
+++ b/ssh-rand-helper.c
@@ -39,7 +39,7 @@
39#include "pathnames.h" 39#include "pathnames.h"
40#include "log.h" 40#include "log.h"
41 41
42RCSID("$Id: ssh-rand-helper.c,v 1.23 2005/02/16 02:32:30 dtucker Exp $"); 42RCSID("$Id: ssh-rand-helper.c,v 1.26 2005/07/17 07:26:44 djm Exp $");
43 43
44/* Number of bytes we write out */ 44/* Number of bytes we write out */
45#define OUTPUT_SEED_SIZE 48 45#define OUTPUT_SEED_SIZE 48
@@ -123,7 +123,7 @@ get_random_bytes_prngd(unsigned char *buf, int len,
123 unsigned short tcp_port, char *socket_path) 123 unsigned short tcp_port, char *socket_path)
124{ 124{
125 int fd, addr_len, rval, errors; 125 int fd, addr_len, rval, errors;
126 char msg[2]; 126 u_char msg[2];
127 struct sockaddr_storage addr; 127 struct sockaddr_storage addr;
128 struct sockaddr_in *addr_in = (struct sockaddr_in *)&addr; 128 struct sockaddr_in *addr_in = (struct sockaddr_in *)&addr;
129 struct sockaddr_un *addr_un = (struct sockaddr_un *)&addr; 129 struct sockaddr_un *addr_un = (struct sockaddr_un *)&addr;
@@ -135,8 +135,8 @@ get_random_bytes_prngd(unsigned char *buf, int len,
135 if (socket_path != NULL && 135 if (socket_path != NULL &&
136 strlen(socket_path) >= sizeof(addr_un->sun_path)) 136 strlen(socket_path) >= sizeof(addr_un->sun_path))
137 fatal("Random pool path is too long"); 137 fatal("Random pool path is too long");
138 if (len > 255) 138 if (len <= 0 || len > 255)
139 fatal("Too many bytes to read from PRNGD"); 139 fatal("Too many bytes (%d) to read from PRNGD", len);
140 140
141 memset(&addr, '\0', sizeof(addr)); 141 memset(&addr, '\0', sizeof(addr));
142 142
@@ -190,7 +190,7 @@ reopen:
190 goto done; 190 goto done;
191 } 191 }
192 192
193 if (atomicio(read, fd, buf, len) != len) { 193 if (atomicio(read, fd, buf, len) != (size_t)len) {
194 if (errno == EPIPE && errors < 10) { 194 if (errno == EPIPE && errors < 10) {
195 close(fd); 195 close(fd);
196 errors++; 196 errors++;
@@ -398,8 +398,8 @@ hash_command_output(entropy_cmd_t *src, unsigned char *hash)
398 debug3("Time elapsed: %d msec", msec_elapsed); 398 debug3("Time elapsed: %d msec", msec_elapsed);
399 399
400 if (waitpid(pid, &status, 0) == -1) { 400 if (waitpid(pid, &status, 0) == -1) {
401 error("Couldn't wait for child '%s' completion: %s", 401 error("Couldn't wait for child '%s' completion: %s",
402 src->cmdstring, strerror(errno)); 402 src->cmdstring, strerror(errno));
403 return 0.0; 403 return 0.0;
404 } 404 }
405 405
@@ -600,7 +600,7 @@ prng_write_seedfile(void)
600 save_errno = errno; 600 save_errno = errno;
601 unlink(tmpseed); 601 unlink(tmpseed);
602 fatal("problem renaming PRNG seedfile from %.100s " 602 fatal("problem renaming PRNG seedfile from %.100s "
603 "to %.100s (%.100s)", tmpseed, filename, 603 "to %.100s (%.100s)", tmpseed, filename,
604 strerror(save_errno)); 604 strerror(save_errno));
605 } 605 }
606 } 606 }
diff --git a/ssh-rsa.c b/ssh-rsa.c
index 6e3be0a7e..eb422d07e 100644
--- a/ssh-rsa.c
+++ b/ssh-rsa.c
@@ -14,7 +14,7 @@
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */ 15 */
16#include "includes.h" 16#include "includes.h"
17RCSID("$OpenBSD: ssh-rsa.c,v 1.31 2003/11/10 16:23:41 jakob Exp $"); 17RCSID("$OpenBSD: ssh-rsa.c,v 1.32 2005/06/17 02:44:33 djm Exp $");
18 18
19#include <openssl/evp.h> 19#include <openssl/evp.h>
20#include <openssl/err.h> 20#include <openssl/err.h>
@@ -238,7 +238,7 @@ openssh_RSA_verify(int type, u_char *hash, u_int hashlen,
238 ERR_error_string(ERR_get_error(), NULL)); 238 ERR_error_string(ERR_get_error(), NULL));
239 goto done; 239 goto done;
240 } 240 }
241 if (len != hlen + oidlen) { 241 if (len < 0 || (u_int)len != hlen + oidlen) {
242 error("bad decrypted len: %d != %d + %d", len, hlen, oidlen); 242 error("bad decrypted len: %d != %d + %d", len, hlen, oidlen);
243 goto done; 243 goto done;
244 } 244 }
diff --git a/ssh.0 b/ssh.0
index 7ef493013..274fab8b5 100644
--- a/ssh.0
+++ b/ssh.0
@@ -30,16 +30,16 @@ DESCRIPTION
30 bined with RSA-based host authentication. If the machine the user logs 30 bined with RSA-based host authentication. If the machine the user logs
31 in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote 31 in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote
32 machine, and the user names are the same on both sides, or if the files 32 machine, and the user names are the same on both sides, or if the files
33 $HOME/.rhosts or $HOME/.shosts exist in the user's home directory on the 33 ~/.rhosts or ~/.shosts exist in the user's home directory on the remote
34 remote machine and contain a line containing the name of the client ma- 34 machine and contain a line containing the name of the client machine and
35 chine and the name of the user on that machine, the user is considered 35 the name of the user on that machine, the user is considered for log in.
36 for log in. Additionally, if the server can verify the client's host key 36 Additionally, if the server can verify the client's host key (see
37 (see /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts in the FILES 37 /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts in the FILES section),
38 section), only then is login permitted. This authentication method clos- 38 only then is login permitted. This authentication method closes security
39 es security holes due to IP spoofing, DNS spoofing and routing spoofing. 39 holes due to IP spoofing, DNS spoofing and routing spoofing. [Note to
40 [Note to the administrator: /etc/hosts.equiv, $HOME/.rhosts, and the 40 the administrator: /etc/hosts.equiv, ~/.rhosts, and the rlogin/rsh proto-
41 rlogin/rsh protocol in general, are inherently insecure and should be 41 col in general, are inherently insecure and should be disabled if securi-
42 disabled if security is desired.] 42 ty is desired.]
43 43
44 As a second authentication method, ssh supports RSA based authentication. 44 As a second authentication method, ssh supports RSA based authentication.
45 The scheme is based on public-key cryptography: there are cryptosystems 45 The scheme is based on public-key cryptography: there are cryptosystems
@@ -49,25 +49,25 @@ DESCRIPTION
49 key pair for authentication purposes. The server knows the public key, 49 key pair for authentication purposes. The server knows the public key,
50 and only the user knows the private key. 50 and only the user knows the private key.
51 51
52 The file $HOME/.ssh/authorized_keys lists the public keys that are per- 52 The file ~/.ssh/authorized_keys lists the public keys that are permitted
53 mitted for logging in. When the user logs in, the ssh program tells the 53 for logging in. When the user logs in, the ssh program tells the server
54 server which key pair it would like to use for authentication. The serv- 54 which key pair it would like to use for authentication. The server
55 er checks if this key is permitted, and if so, sends the user (actually 55 checks if this key is permitted, and if so, sends the user (actually the
56 the ssh program running on behalf of the user) a challenge, a random num- 56 ssh program running on behalf of the user) a challenge, a random number,
57 ber, encrypted by the user's public key. The challenge can only be de- 57 encrypted by the user's public key. The challenge can only be decrypted
58 crypted using the proper private key. The user's client then decrypts 58 using the proper private key. The user's client then decrypts the chal-
59 the challenge using the private key, proving that he/she knows the pri- 59 lenge using the private key, proving that he/she knows the private key
60 vate key but without disclosing it to the server. 60 but without disclosing it to the server.
61 61
62 ssh implements the RSA authentication protocol automatically. The user 62 ssh implements the RSA authentication protocol automatically. The user
63 creates his/her RSA key pair by running ssh-keygen(1). This stores the 63 creates his/her RSA key pair by running ssh-keygen(1). This stores the
64 private key in $HOME/.ssh/identity and stores the public key in 64 private key in ~/.ssh/identity and stores the public key in
65 $HOME/.ssh/identity.pub in the user's home directory. The user should 65 ~/.ssh/identity.pub in the user's home directory. The user should then
66 then copy the identity.pub to $HOME/.ssh/authorized_keys in his/her home 66 copy the identity.pub to ~/.ssh/authorized_keys in his/her home directory
67 directory on the remote machine (the authorized_keys file corresponds to 67 on the remote machine (the authorized_keys file corresponds to the con-
68 the conventional $HOME/.rhosts file, and has one key per line, though the 68 ventional ~/.rhosts file, and has one key per line, though the lines can
69 lines can be very long). After this, the user can log in without giving 69 be very long). After this, the user can log in without giving the pass-
70 the password. 70 word.
71 71
72 The most convenient way to use RSA authentication may be with an authen- 72 The most convenient way to use RSA authentication may be with an authen-
73 tication agent. See ssh-agent(1) for more information. 73 tication agent. See ssh-agent(1) for more information.
@@ -87,13 +87,12 @@ DESCRIPTION
87 87
88 The public key method is similar to RSA authentication described in the 88 The public key method is similar to RSA authentication described in the
89 previous section and allows the RSA or DSA algorithm to be used: The 89 previous section and allows the RSA or DSA algorithm to be used: The
90 client uses his private key, $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa, to 90 client uses his private key, ~/.ssh/id_dsa or ~/.ssh/id_rsa, to sign the
91 sign the session identifier and sends the result to the server. The 91 session identifier and sends the result to the server. The server checks
92 server checks whether the matching public key is listed in 92 whether the matching public key is listed in ~/.ssh/authorized_keys and
93 $HOME/.ssh/authorized_keys and grants access if both the key is found and 93 grants access if both the key is found and the signature is correct. The
94 the signature is correct. The session identifier is derived from a 94 session identifier is derived from a shared Diffie-Hellman value and is
95 shared Diffie-Hellman value and is only known to the client and the serv- 95 only known to the client and the server.
96 er.
97 96
98 If public key authentication fails or is not available, a password can be 97 If public key authentication fails or is not available, a password can be
99 sent encrypted to the remote host to prove the user's identity. 98 sent encrypted to the remote host to prove the user's identity.
@@ -194,13 +193,13 @@ DESCRIPTION
194 Server authentication 193 Server authentication
195 ssh automatically maintains and checks a database containing identifica- 194 ssh automatically maintains and checks a database containing identifica-
196 tions for all hosts it has ever been used with. Host keys are stored in 195 tions for all hosts it has ever been used with. Host keys are stored in
197 $HOME/.ssh/known_hosts in the user's home directory. Additionally, the 196 ~/.ssh/known_hosts in the user's home directory. Additionally, the file
198 file /etc/ssh/ssh_known_hosts is automatically checked for known hosts. 197 /etc/ssh/ssh_known_hosts is automatically checked for known hosts. Any
199 Any new hosts are automatically added to the user's file. If a host's 198 new hosts are automatically added to the user's file. If a host's iden-
200 identification ever changes, ssh warns about this and disables password 199 tification ever changes, ssh warns about this and disables password au-
201 authentication to prevent a trojan horse from getting the user's pass- 200 thentication to prevent a trojan horse from getting the user's password.
202 word. Another purpose of this mechanism is to prevent man-in-the-middle 201 Another purpose of this mechanism is to prevent man-in-the-middle attacks
203 attacks which could otherwise be used to circumvent the encryption. The 202 which could otherwise be used to circumvent the encryption. The
204 StrictHostKeyChecking option can be used to prevent logins to machines 203 StrictHostKeyChecking option can be used to prevent logins to machines
205 whose host key is not known or has changed. 204 whose host key is not known or has changed.
206 205
@@ -234,8 +233,9 @@ DESCRIPTION
234 -a Disables forwarding of the authentication agent connection. 233 -a Disables forwarding of the authentication agent connection.
235 234
236 -b bind_address 235 -b bind_address
237 Specify the interface to transmit from on machines with multiple 236 Use bind_address on the local machine as the source address of
238 interfaces or aliased addresses. 237 the connection. Only useful on systems with more than one ad-
238 dress.
239 239
240 -C Requests compression of all data (including stdin, stdout, 240 -C Requests compression of all data (including stdin, stdout,
241 stderr, and data for forwarded X11 and TCP/IP connections). The 241 stderr, and data for forwarded X11 and TCP/IP connections). The
@@ -262,11 +262,13 @@ DESCRIPTION
262 For protocol version 2 cipher_spec is a comma-separated list of 262 For protocol version 2 cipher_spec is a comma-separated list of
263 ciphers listed in order of preference. The supported ciphers are 263 ciphers listed in order of preference. The supported ciphers are
264 ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', 264 ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
265 ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour'', 265 ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'',
266 ``blowfish-cbc'', and ``cast128-cbc''. The default is 266 ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and
267 ``cast128-cbc''. The default is
267 268
268 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 269 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
269 aes192-cbc,aes256-cbc'' 270 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
271 aes192-ctr,aes256-ctr''
270 272
271 -D port 273 -D port
272 Specifies a local ``dynamic'' application-level port forwarding. 274 Specifies a local ``dynamic'' application-level port forwarding.
@@ -292,7 +294,7 @@ DESCRIPTION
292 Specifies an alternative per-user configuration file. If a con- 294 Specifies an alternative per-user configuration file. If a con-
293 figuration file is given on the command line, the system-wide 295 figuration file is given on the command line, the system-wide
294 configuration file (/etc/ssh/ssh_config) will be ignored. The 296 configuration file (/etc/ssh/ssh_config) will be ignored. The
295 default for the per-user configuration file is $HOME/.ssh/config. 297 default for the per-user configuration file is ~/.ssh/config.
296 298
297 -f Requests ssh to go to background just before command execution. 299 -f Requests ssh to go to background just before command execution.
298 This is useful if ssh is going to ask for passwords or passphras- 300 This is useful if ssh is going to ask for passwords or passphras-
@@ -309,12 +311,12 @@ DESCRIPTION
309 311
310 -i identity_file 312 -i identity_file
311 Selects a file from which the identity (private key) for RSA or 313 Selects a file from which the identity (private key) for RSA or
312 DSA authentication is read. The default is $HOME/.ssh/identity 314 DSA authentication is read. The default is ~/.ssh/identity for
313 for protocol version 1, and $HOME/.ssh/id_rsa and 315 protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for pro-
314 $HOME/.ssh/id_dsa for protocol version 2. Identity files may al- 316 tocol version 2. Identity files may also be specified on a per-
315 so be specified on a per-host basis in the configuration file. 317 host basis in the configuration file. It is possible to have
316 It is possible to have multiple -i options (and multiple identi- 318 multiple -i options (and multiple identities specified in config-
317 ties specified in configuration files). 319 uration files).
318 320
319 -k Disables forwarding (delegation) of GSSAPI credentials to the 321 -k Disables forwarding (delegation) of GSSAPI credentials to the
320 server. 322 server.
@@ -567,17 +569,17 @@ ENVIRONMENT
567 569
568 USER Set to the name of the user logging in. 570 USER Set to the name of the user logging in.
569 571
570 Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the 572 Additionally, ssh reads ~/.ssh/environment, and adds lines of the format
571 format ``VARNAME=value'' to the environment if the file exists and if 573 ``VARNAME=value'' to the environment if the file exists and if users are
572 users are allowed to change their environment. For more information, see 574 allowed to change their environment. For more information, see the
573 the PermitUserEnvironment option in sshd_config(5). 575 PermitUserEnvironment option in sshd_config(5).
574 576
575FILES 577FILES
576 $HOME/.ssh/known_hosts 578 ~/.ssh/known_hosts
577 Records host keys for all hosts the user has logged into that are 579 Records host keys for all hosts the user has logged into that are
578 not in /etc/ssh/ssh_known_hosts. See sshd(8). 580 not in /etc/ssh/ssh_known_hosts. See sshd(8).
579 581
580 $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa 582 ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa
581 Contains the authentication identity of the user. They are for 583 Contains the authentication identity of the user. They are for
582 protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. 584 protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively.
583 These files contain sensitive data and should be readable by the 585 These files contain sensitive data and should be readable by the
@@ -587,27 +589,27 @@ FILES
587 key; the passphrase will be used to encrypt the sensitive part of 589 key; the passphrase will be used to encrypt the sensitive part of
588 this file using 3DES. 590 this file using 3DES.
589 591
590 $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub 592 ~/.ssh/identity.pub, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa.pub
591 Contains the public key for authentication (public part of the 593 Contains the public key for authentication (public part of the
592 identity file in human-readable form). The contents of the 594 identity file in human-readable form). The contents of the
593 $HOME/.ssh/identity.pub file should be added to the file 595 ~/.ssh/identity.pub file should be added to the file
594 $HOME/.ssh/authorized_keys on all machines where the user wishes 596 ~/.ssh/authorized_keys on all machines where the user wishes to
595 to log in using protocol version 1 RSA authentication. The con- 597 log in using protocol version 1 RSA authentication. The contents
596 tents of the $HOME/.ssh/id_dsa.pub and $HOME/.ssh/id_rsa.pub file 598 of the ~/.ssh/id_dsa.pub and ~/.ssh/id_rsa.pub file should be
597 should be added to $HOME/.ssh/authorized_keys on all machines 599 added to ~/.ssh/authorized_keys on all machines where the user
598 where the user wishes to log in using protocol version 2 DSA/RSA 600 wishes to log in using protocol version 2 DSA/RSA authentication.
599 authentication. These files are not sensitive and can (but need 601 These files are not sensitive and can (but need not) be readable
600 not) be readable by anyone. These files are never used automati- 602 by anyone. These files are never used automatically and are not
601 cally and are not necessary; they are only provided for the con- 603 necessary; they are only provided for the convenience of the us-
602 venience of the user. 604 er.
603 605
604 $HOME/.ssh/config 606 ~/.ssh/config
605 This is the per-user configuration file. The file format and 607 This is the per-user configuration file. The file format and
606 configuration options are described in ssh_config(5). Because of 608 configuration options are described in ssh_config(5). Because of
607 the potential for abuse, this file must have strict permissions: 609 the potential for abuse, this file must have strict permissions:
608 read/write for the user, and not accessible by others. 610 read/write for the user, and not accessible by others.
609 611
610 $HOME/.ssh/authorized_keys 612 ~/.ssh/authorized_keys
611 Lists the public keys (RSA/DSA) that can be used for logging in 613 Lists the public keys (RSA/DSA) that can be used for logging in
612 as this user. The format of this file is described in the 614 as this user. The format of this file is described in the
613 sshd(8) manual page. In the simplest form the format is the same 615 sshd(8) manual page. In the simplest form the format is the same
@@ -648,7 +650,7 @@ FILES
648 requirement that ssh be setuid root when that authentication 650 requirement that ssh be setuid root when that authentication
649 method is used. By default ssh is not setuid root. 651 method is used. By default ssh is not setuid root.
650 652
651 $HOME/.rhosts 653 ~/.rhosts
652 This file is used in RhostsRSAAuthentication and 654 This file is used in RhostsRSAAuthentication and
653 HostbasedAuthentication authentication to list the host/user 655 HostbasedAuthentication authentication to list the host/user
654 pairs that are permitted to log in. (Note that this file is also 656 pairs that are permitted to log in. (Note that this file is also
@@ -665,12 +667,12 @@ FILES
665 Note that sshd(8) allows authentication only in combination with 667 Note that sshd(8) allows authentication only in combination with
666 client host key authentication before permitting log in. If the 668 client host key authentication before permitting log in. If the
667 server machine does not have the client's host key in 669 server machine does not have the client's host key in
668 /etc/ssh/ssh_known_hosts, it can be stored in 670 /etc/ssh/ssh_known_hosts, it can be stored in ~/.ssh/known_hosts.
669 $HOME/.ssh/known_hosts. The easiest way to do this is to connect 671 The easiest way to do this is to connect back to the client from
670 back to the client from the server machine using ssh; this will 672 the server machine using ssh; this will automatically add the
671 automatically add the host key to $HOME/.ssh/known_hosts. 673 host key to ~/.ssh/known_hosts.
672 674
673 $HOME/.shosts 675 ~/.shosts
674 This file is used exactly the same way as .rhosts. The purpose 676 This file is used exactly the same way as .rhosts. The purpose
675 for having this file is to be able to use RhostsRSAAuthentication 677 for having this file is to be able to use RhostsRSAAuthentication
676 and HostbasedAuthentication authentication without permitting lo- 678 and HostbasedAuthentication authentication without permitting lo-
@@ -696,12 +698,12 @@ FILES
696 just before the user's shell (or command) is started. See the 698 just before the user's shell (or command) is started. See the
697 sshd(8) manual page for more information. 699 sshd(8) manual page for more information.
698 700
699 $HOME/.ssh/rc 701 ~/.ssh/rc
700 Commands in this file are executed by ssh when the user logs in 702 Commands in this file are executed by ssh when the user logs in
701 just before the user's shell (or command) is started. See the 703 just before the user's shell (or command) is started. See the
702 sshd(8) manual page for more information. 704 sshd(8) manual page for more information.
703 705
704 $HOME/.ssh/environment 706 ~/.ssh/environment
705 Contains additional definitions for environment variables, see 707 Contains additional definitions for environment variables, see
706 section ENVIRONMENT above. 708 section ENVIRONMENT above.
707 709
@@ -725,4 +727,4 @@ AUTHORS
725 created OpenSSH. Markus Friedl contributed the support for SSH protocol 727 created OpenSSH. Markus Friedl contributed the support for SSH protocol
726 versions 1.5 and 2.0. 728 versions 1.5 and 2.0.
727 729
728OpenBSD 3.6 September 25, 1999 11 730OpenBSD 3.8 September 25, 1999 12
diff --git a/ssh.1 b/ssh.1
index e6f4b4a54..b0749763b 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh.1,v 1.205 2005/03/07 23:41:54 jmc Exp $ 37.\" $OpenBSD: ssh.1,v 1.209 2005/07/06 09:33:05 dtucker Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSH 1 39.Dt SSH 1
40.Os 40.Os
@@ -109,9 +109,9 @@ or
109.Pa /etc/shosts.equiv 109.Pa /etc/shosts.equiv
110on the remote machine, and the user names are 110on the remote machine, and the user names are
111the same on both sides, or if the files 111the same on both sides, or if the files
112.Pa $HOME/.rhosts 112.Pa ~/.rhosts
113or 113or
114.Pa $HOME/.shosts 114.Pa ~/.shosts
115exist in the user's home directory on the 115exist in the user's home directory on the
116remote machine and contain a line containing the name of the client 116remote machine and contain a line containing the name of the client
117machine and the name of the user on that machine, the user is 117machine and the name of the user on that machine, the user is
@@ -120,7 +120,7 @@ Additionally, if the server can verify the client's
120host key (see 120host key (see
121.Pa /etc/ssh/ssh_known_hosts 121.Pa /etc/ssh/ssh_known_hosts
122and 122and
123.Pa $HOME/.ssh/known_hosts 123.Pa ~/.ssh/known_hosts
124in the 124in the
125.Sx FILES 125.Sx FILES
126section), only then is login permitted. 126section), only then is login permitted.
@@ -128,7 +128,7 @@ This authentication method closes security holes due to IP
128spoofing, DNS spoofing and routing spoofing. 128spoofing, DNS spoofing and routing spoofing.
129[Note to the administrator: 129[Note to the administrator:
130.Pa /etc/hosts.equiv , 130.Pa /etc/hosts.equiv ,
131.Pa $HOME/.rhosts , 131.Pa ~/.rhosts ,
132and the rlogin/rsh protocol in general, are inherently insecure and should be 132and the rlogin/rsh protocol in general, are inherently insecure and should be
133disabled if security is desired.] 133disabled if security is desired.]
134.Pp 134.Pp
@@ -144,7 +144,7 @@ key pair for authentication purposes.
144The server knows the public key, and only the user knows the private key. 144The server knows the public key, and only the user knows the private key.
145.Pp 145.Pp
146The file 146The file
147.Pa $HOME/.ssh/authorized_keys 147.Pa ~/.ssh/authorized_keys
148lists the public keys that are permitted for logging in. 148lists the public keys that are permitted for logging in.
149When the user logs in, the 149When the user logs in, the
150.Nm 150.Nm
@@ -165,18 +165,18 @@ implements the RSA authentication protocol automatically.
165The user creates his/her RSA key pair by running 165The user creates his/her RSA key pair by running
166.Xr ssh-keygen 1 . 166.Xr ssh-keygen 1 .
167This stores the private key in 167This stores the private key in
168.Pa $HOME/.ssh/identity 168.Pa ~/.ssh/identity
169and stores the public key in 169and stores the public key in
170.Pa $HOME/.ssh/identity.pub 170.Pa ~/.ssh/identity.pub
171in the user's home directory. 171in the user's home directory.
172The user should then copy the 172The user should then copy the
173.Pa identity.pub 173.Pa identity.pub
174to 174to
175.Pa $HOME/.ssh/authorized_keys 175.Pa ~/.ssh/authorized_keys
176in his/her home directory on the remote machine (the 176in his/her home directory on the remote machine (the
177.Pa authorized_keys 177.Pa authorized_keys
178file corresponds to the conventional 178file corresponds to the conventional
179.Pa $HOME/.rhosts 179.Pa ~/.rhosts
180file, and has one key 180file, and has one key
181per line, though the lines can be very long). 181per line, though the lines can be very long).
182After this, the user can log in without giving the password. 182After this, the user can log in without giving the password.
@@ -206,12 +206,12 @@ password authentication are tried.
206The public key method is similar to RSA authentication described 206The public key method is similar to RSA authentication described
207in the previous section and allows the RSA or DSA algorithm to be used: 207in the previous section and allows the RSA or DSA algorithm to be used:
208The client uses his private key, 208The client uses his private key,
209.Pa $HOME/.ssh/id_dsa 209.Pa ~/.ssh/id_dsa
210or 210or
211.Pa $HOME/.ssh/id_rsa , 211.Pa ~/.ssh/id_rsa ,
212to sign the session identifier and sends the result to the server. 212to sign the session identifier and sends the result to the server.
213The server checks whether the matching public key is listed in 213The server checks whether the matching public key is listed in
214.Pa $HOME/.ssh/authorized_keys 214.Pa ~/.ssh/authorized_keys
215and grants access if both the key is found and the signature is correct. 215and grants access if both the key is found and the signature is correct.
216The session identifier is derived from a shared Diffie-Hellman value 216The session identifier is derived from a shared Diffie-Hellman value
217and is only known to the client and the server. 217and is only known to the client and the server.
@@ -365,7 +365,7 @@ electronic purse; another is going through firewalls.
365automatically maintains and checks a database containing 365automatically maintains and checks a database containing
366identifications for all hosts it has ever been used with. 366identifications for all hosts it has ever been used with.
367Host keys are stored in 367Host keys are stored in
368.Pa $HOME/.ssh/known_hosts 368.Pa ~/.ssh/known_hosts
369in the user's home directory. 369in the user's home directory.
370Additionally, the file 370Additionally, the file
371.Pa /etc/ssh/ssh_known_hosts 371.Pa /etc/ssh/ssh_known_hosts
@@ -423,8 +423,11 @@ authenticate using the identities loaded into the agent.
423.It Fl a 423.It Fl a
424Disables forwarding of the authentication agent connection. 424Disables forwarding of the authentication agent connection.
425.It Fl b Ar bind_address 425.It Fl b Ar bind_address
426Specify the interface to transmit from on machines with multiple 426Use
427interfaces or aliased addresses. 427.Ar bind_address
428on the local machine as the source address
429of the connection.
430Only useful on systems with more than one address.
428.It Fl C 431.It Fl C
429Requests compression of all data (including stdin, stdout, stderr, and 432Requests compression of all data (including stdin, stdout, stderr, and
430data for forwarded X11 and TCP/IP connections). 433data for forwarded X11 and TCP/IP connections).
@@ -479,14 +482,17 @@ The supported ciphers are
479.Dq aes128-ctr , 482.Dq aes128-ctr ,
480.Dq aes192-ctr , 483.Dq aes192-ctr ,
481.Dq aes256-ctr , 484.Dq aes256-ctr ,
485.Dq arcfour128 ,
486.Dq arcfour256 ,
482.Dq arcfour , 487.Dq arcfour ,
483.Dq blowfish-cbc , 488.Dq blowfish-cbc ,
484and 489and
485.Dq cast128-cbc . 490.Dq cast128-cbc .
486The default is 491The default is
487.Bd -literal 492.Bd -literal
488 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 493 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
489 aes192-cbc,aes256-cbc'' 494 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
495 aes192-ctr,aes256-ctr''
490.Ed 496.Ed
491.It Fl D Ar port 497.It Fl D Ar port
492Specifies a local 498Specifies a local
@@ -522,7 +528,7 @@ the system-wide configuration file
522.Pq Pa /etc/ssh/ssh_config 528.Pq Pa /etc/ssh/ssh_config
523will be ignored. 529will be ignored.
524The default for the per-user configuration file is 530The default for the per-user configuration file is
525.Pa $HOME/.ssh/config . 531.Pa ~/.ssh/config .
526.It Fl f 532.It Fl f
527Requests 533Requests
528.Nm 534.Nm
@@ -548,11 +554,11 @@ private RSA key.
548Selects a file from which the identity (private key) for 554Selects a file from which the identity (private key) for
549RSA or DSA authentication is read. 555RSA or DSA authentication is read.
550The default is 556The default is
551.Pa $HOME/.ssh/identity 557.Pa ~/.ssh/identity
552for protocol version 1, and 558for protocol version 1, and
553.Pa $HOME/.ssh/id_rsa 559.Pa ~/.ssh/id_rsa
554and 560and
555.Pa $HOME/.ssh/id_dsa 561.Pa ~/.ssh/id_dsa
556for protocol version 2. 562for protocol version 2.
557Identity files may also be specified on 563Identity files may also be specified on
558a per-host basis in the configuration file. 564a per-host basis in the configuration file.
@@ -941,7 +947,7 @@ Set to the name of the user logging in.
941Additionally, 947Additionally,
942.Nm 948.Nm
943reads 949reads
944.Pa $HOME/.ssh/environment , 950.Pa ~/.ssh/environment ,
945and adds lines of the format 951and adds lines of the format
946.Dq VARNAME=value 952.Dq VARNAME=value
947to the environment if the file exists and if users are allowed to 953to the environment if the file exists and if users are allowed to
@@ -952,13 +958,13 @@ option in
952.Xr sshd_config 5 . 958.Xr sshd_config 5 .
953.Sh FILES 959.Sh FILES
954.Bl -tag -width Ds 960.Bl -tag -width Ds
955.It Pa $HOME/.ssh/known_hosts 961.It Pa ~/.ssh/known_hosts
956Records host keys for all hosts the user has logged into that are not 962Records host keys for all hosts the user has logged into that are not
957in 963in
958.Pa /etc/ssh/ssh_known_hosts . 964.Pa /etc/ssh/ssh_known_hosts .
959See 965See
960.Xr sshd 8 . 966.Xr sshd 8 .
961.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa 967.It Pa ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa
962Contains the authentication identity of the user. 968Contains the authentication identity of the user.
963They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. 969They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively.
964These files 970These files
@@ -970,21 +976,21 @@ ignores a private key file if it is accessible by others.
970It is possible to specify a passphrase when 976It is possible to specify a passphrase when
971generating the key; the passphrase will be used to encrypt the 977generating the key; the passphrase will be used to encrypt the
972sensitive part of this file using 3DES. 978sensitive part of this file using 3DES.
973.It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub 979.It Pa ~/.ssh/identity.pub, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa.pub
974Contains the public key for authentication (public part of the 980Contains the public key for authentication (public part of the
975identity file in human-readable form). 981identity file in human-readable form).
976The contents of the 982The contents of the
977.Pa $HOME/.ssh/identity.pub 983.Pa ~/.ssh/identity.pub
978file should be added to the file 984file should be added to the file
979.Pa $HOME/.ssh/authorized_keys 985.Pa ~/.ssh/authorized_keys
980on all machines 986on all machines
981where the user wishes to log in using protocol version 1 RSA authentication. 987where the user wishes to log in using protocol version 1 RSA authentication.
982The contents of the 988The contents of the
983.Pa $HOME/.ssh/id_dsa.pub 989.Pa ~/.ssh/id_dsa.pub
984and 990and
985.Pa $HOME/.ssh/id_rsa.pub 991.Pa ~/.ssh/id_rsa.pub
986file should be added to 992file should be added to
987.Pa $HOME/.ssh/authorized_keys 993.Pa ~/.ssh/authorized_keys
988on all machines 994on all machines
989where the user wishes to log in using protocol version 2 DSA/RSA authentication. 995where the user wishes to log in using protocol version 2 DSA/RSA authentication.
990These files are not 996These files are not
@@ -992,13 +998,13 @@ sensitive and can (but need not) be readable by anyone.
992These files are 998These files are
993never used automatically and are not necessary; they are only provided for 999never used automatically and are not necessary; they are only provided for
994the convenience of the user. 1000the convenience of the user.
995.It Pa $HOME/.ssh/config 1001.It Pa ~/.ssh/config
996This is the per-user configuration file. 1002This is the per-user configuration file.
997The file format and configuration options are described in 1003The file format and configuration options are described in
998.Xr ssh_config 5 . 1004.Xr ssh_config 5 .
999Because of the potential for abuse, this file must have strict permissions: 1005Because of the potential for abuse, this file must have strict permissions:
1000read/write for the user, and not accessible by others. 1006read/write for the user, and not accessible by others.
1001.It Pa $HOME/.ssh/authorized_keys 1007.It Pa ~/.ssh/authorized_keys
1002Lists the public keys (RSA/DSA) that can be used for logging in as this user. 1008Lists the public keys (RSA/DSA) that can be used for logging in as this user.
1003The format of this file is described in the 1009The format of this file is described in the
1004.Xr sshd 8 1010.Xr sshd 8
@@ -1058,7 +1064,7 @@ be setuid root when that authentication method is used.
1058By default 1064By default
1059.Nm 1065.Nm
1060is not setuid root. 1066is not setuid root.
1061.It Pa $HOME/.rhosts 1067.It Pa ~/.rhosts
1062This file is used in 1068This file is used in
1063.Cm RhostsRSAAuthentication 1069.Cm RhostsRSAAuthentication
1064and 1070and
@@ -1088,12 +1094,12 @@ authentication before permitting log in.
1088If the server machine does not have the client's host key in 1094If the server machine does not have the client's host key in
1089.Pa /etc/ssh/ssh_known_hosts , 1095.Pa /etc/ssh/ssh_known_hosts ,
1090it can be stored in 1096it can be stored in
1091.Pa $HOME/.ssh/known_hosts . 1097.Pa ~/.ssh/known_hosts .
1092The easiest way to do this is to 1098The easiest way to do this is to
1093connect back to the client from the server machine using ssh; this 1099connect back to the client from the server machine using ssh; this
1094will automatically add the host key to 1100will automatically add the host key to
1095.Pa $HOME/.ssh/known_hosts . 1101.Pa ~/.ssh/known_hosts .
1096.It Pa $HOME/.shosts 1102.It Pa ~/.shosts
1097This file is used exactly the same way as 1103This file is used exactly the same way as
1098.Pa .rhosts . 1104.Pa .rhosts .
1099The purpose for 1105The purpose for
@@ -1133,7 +1139,7 @@ when the user logs in just before the user's shell (or command) is started.
1133See the 1139See the
1134.Xr sshd 8 1140.Xr sshd 8
1135manual page for more information. 1141manual page for more information.
1136.It Pa $HOME/.ssh/rc 1142.It Pa ~/.ssh/rc
1137Commands in this file are executed by 1143Commands in this file are executed by
1138.Nm 1144.Nm
1139when the user logs in just before the user's shell (or command) is 1145when the user logs in just before the user's shell (or command) is
@@ -1141,7 +1147,7 @@ started.
1141See the 1147See the
1142.Xr sshd 8 1148.Xr sshd 8
1143manual page for more information. 1149manual page for more information.
1144.It Pa $HOME/.ssh/environment 1150.It Pa ~/.ssh/environment
1145Contains additional definitions for environment variables, see section 1151Contains additional definitions for environment variables, see section
1146.Sx ENVIRONMENT 1152.Sx ENVIRONMENT
1147above. 1153above.
diff --git a/ssh.c b/ssh.c
index 9acec3082..c9e5aac7a 100644
--- a/ssh.c
+++ b/ssh.c
@@ -40,7 +40,7 @@
40 */ 40 */
41 41
42#include "includes.h" 42#include "includes.h"
43RCSID("$OpenBSD: ssh.c,v 1.233 2005/03/01 17:22:06 jmc Exp $"); 43RCSID("$OpenBSD: ssh.c,v 1.249 2005/07/30 01:26:16 djm Exp $");
44 44
45#include <openssl/evp.h> 45#include <openssl/evp.h>
46#include <openssl/err.h> 46#include <openssl/err.h>
@@ -145,7 +145,7 @@ pid_t proxy_command_pid = 0;
145int control_fd = -1; 145int control_fd = -1;
146 146
147/* Multiplexing control command */ 147/* Multiplexing control command */
148static u_int mux_command = SSHMUX_COMMAND_OPEN; 148static u_int mux_command = 0;
149 149
150/* Only used in control client mode */ 150/* Only used in control client mode */
151volatile sig_atomic_t control_client_terminate = 0; 151volatile sig_atomic_t control_client_terminate = 0;
@@ -185,6 +185,7 @@ main(int ac, char **av)
185 int dummy; 185 int dummy;
186 extern int optind, optreset; 186 extern int optind, optreset;
187 extern char *optarg; 187 extern char *optarg;
188 struct servent *sp;
188 Forward fwd; 189 Forward fwd;
189 190
190 __progname = ssh_get_progname(av[0]); 191 __progname = ssh_get_progname(av[0]);
@@ -386,8 +387,10 @@ again:
386 } 387 }
387 break; 388 break;
388 case 'M': 389 case 'M':
389 options.control_master = 390 if (options.control_master == SSHCTL_MASTER_YES)
390 (options.control_master >= 1) ? 2 : 1; 391 options.control_master = SSHCTL_MASTER_ASK;
392 else
393 options.control_master = SSHCTL_MASTER_YES;
391 break; 394 break;
392 case 'p': 395 case 'p':
393 options.port = a2port(optarg); 396 options.port = a2port(optarg);
@@ -436,7 +439,7 @@ again:
436 fwd.listen_host = cleanhostname(fwd.listen_host); 439 fwd.listen_host = cleanhostname(fwd.listen_host);
437 } else { 440 } else {
438 fwd.listen_port = a2port(fwd.listen_host); 441 fwd.listen_port = a2port(fwd.listen_host);
439 fwd.listen_host = ""; 442 fwd.listen_host = NULL;
440 } 443 }
441 444
442 if (fwd.listen_port == 0) { 445 if (fwd.listen_port == 0) {
@@ -550,7 +553,7 @@ again:
550 if (no_tty_flag) 553 if (no_tty_flag)
551 tty_flag = 0; 554 tty_flag = 0;
552 /* Do not allocate a tty if stdin is not a tty. */ 555 /* Do not allocate a tty if stdin is not a tty. */
553 if (!isatty(fileno(stdin)) && !force_tty_flag) { 556 if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) {
554 if (tty_flag) 557 if (tty_flag)
555 logit("Pseudo-terminal will not be allocated because stdin is not a terminal."); 558 logit("Pseudo-terminal will not be allocated because stdin is not a terminal.");
556 tty_flag = 0; 559 tty_flag = 0;
@@ -604,16 +607,31 @@ again:
604 *p = tolower(*p); 607 *p = tolower(*p);
605 } 608 }
606 609
610 /* Get default port if port has not been set. */
611 if (options.port == 0) {
612 sp = getservbyname(SSH_SERVICE_NAME, "tcp");
613 options.port = sp ? ntohs(sp->s_port) : SSH_DEFAULT_PORT;
614 }
615
607 if (options.proxy_command != NULL && 616 if (options.proxy_command != NULL &&
608 strcmp(options.proxy_command, "none") == 0) 617 strcmp(options.proxy_command, "none") == 0)
609 options.proxy_command = NULL; 618 options.proxy_command = NULL;
619 if (options.control_path != NULL &&
620 strcmp(options.control_path, "none") == 0)
621 options.control_path = NULL;
610 622
611 if (options.control_path != NULL) { 623 if (options.control_path != NULL) {
612 options.control_path = tilde_expand_filename( 624 snprintf(buf, sizeof(buf), "%d", options.port);
613 options.control_path, original_real_uid); 625 cp = tilde_expand_filename(options.control_path,
626 original_real_uid);
627 options.control_path = percent_expand(cp, "p", buf, "h", host,
628 "r", options.user, (char *)NULL);
629 xfree(cp);
614 } 630 }
615 if (options.control_path != NULL && options.control_master == 0) 631 if (mux_command != 0 && options.control_path == NULL)
616 control_client(options.control_path); /* This doesn't return */ 632 fatal("No ControlPath specified for \"-O\" command");
633 if (options.control_path != NULL)
634 control_client(options.control_path);
617 635
618 /* Open a connection to the remote host. */ 636 /* Open a connection to the remote host. */
619 if (ssh_connect(host, &hostaddr, options.port, 637 if (ssh_connect(host, &hostaddr, options.port,
@@ -742,110 +760,6 @@ again:
742 return exit_status; 760 return exit_status;
743} 761}
744 762
745#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
746
747static void
748x11_get_proto(char **_proto, char **_data)
749{
750 char cmd[1024];
751 char line[512];
752 char xdisplay[512];
753 static char proto[512], data[512];
754 FILE *f;
755 int got_data = 0, generated = 0, do_unlink = 0, i;
756 char *display, *xauthdir, *xauthfile;
757 struct stat st;
758
759 xauthdir = xauthfile = NULL;
760 *_proto = proto;
761 *_data = data;
762 proto[0] = data[0] = '\0';
763
764 if (!options.xauth_location ||
765 (stat(options.xauth_location, &st) == -1)) {
766 debug("No xauth program.");
767 } else {
768 if ((display = getenv("DISPLAY")) == NULL) {
769 debug("x11_get_proto: DISPLAY not set");
770 return;
771 }
772 /*
773 * Handle FamilyLocal case where $DISPLAY does
774 * not match an authorization entry. For this we
775 * just try "xauth list unix:displaynum.screennum".
776 * XXX: "localhost" match to determine FamilyLocal
777 * is not perfect.
778 */
779 if (strncmp(display, "localhost:", 10) == 0) {
780 snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
781 display + 10);
782 display = xdisplay;
783 }
784 if (options.forward_x11_trusted == 0) {
785 xauthdir = xmalloc(MAXPATHLEN);
786 xauthfile = xmalloc(MAXPATHLEN);
787 strlcpy(xauthdir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN);
788 if (mkdtemp(xauthdir) != NULL) {
789 do_unlink = 1;
790 snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile",
791 xauthdir);
792 snprintf(cmd, sizeof(cmd),
793 "%s -f %s generate %s " SSH_X11_PROTO
794 " untrusted timeout 1200 2>" _PATH_DEVNULL,
795 options.xauth_location, xauthfile, display);
796 debug2("x11_get_proto: %s", cmd);
797 if (system(cmd) == 0)
798 generated = 1;
799 }
800 }
801 snprintf(cmd, sizeof(cmd),
802 "%s %s%s list %s . 2>" _PATH_DEVNULL,
803 options.xauth_location,
804 generated ? "-f " : "" ,
805 generated ? xauthfile : "",
806 display);
807 debug2("x11_get_proto: %s", cmd);
808 f = popen(cmd, "r");
809 if (f && fgets(line, sizeof(line), f) &&
810 sscanf(line, "%*s %511s %511s", proto, data) == 2)
811 got_data = 1;
812 if (f)
813 pclose(f);
814 }
815
816 if (do_unlink) {
817 unlink(xauthfile);
818 rmdir(xauthdir);
819 }
820 if (xauthdir)
821 xfree(xauthdir);
822 if (xauthfile)
823 xfree(xauthfile);
824
825 /*
826 * If we didn't get authentication data, just make up some
827 * data. The forwarding code will check the validity of the
828 * response anyway, and substitute this data. The X11
829 * server, however, will ignore this fake data and use
830 * whatever authentication mechanisms it was using otherwise
831 * for the local connection.
832 */
833 if (!got_data) {
834 u_int32_t rnd = 0;
835
836 logit("Warning: No xauth data; "
837 "using fake authentication data for X11 forwarding.");
838 strlcpy(proto, SSH_X11_PROTO, sizeof proto);
839 for (i = 0; i < 16; i++) {
840 if (i % 4 == 0)
841 rnd = arc4random();
842 snprintf(data + 2 * i, sizeof data - 2 * i, "%02x",
843 rnd & 0xff);
844 rnd >>= 8;
845 }
846 }
847}
848
849static void 763static void
850ssh_init_forwarding(void) 764ssh_init_forwarding(void)
851{ 765{
@@ -856,8 +770,8 @@ ssh_init_forwarding(void)
856 for (i = 0; i < options.num_local_forwards; i++) { 770 for (i = 0; i < options.num_local_forwards; i++) {
857 debug("Local connections to %.200s:%d forwarded to remote " 771 debug("Local connections to %.200s:%d forwarded to remote "
858 "address %.200s:%d", 772 "address %.200s:%d",
859 (options.local_forwards[i].listen_host == NULL) ? 773 (options.local_forwards[i].listen_host == NULL) ?
860 (options.gateway_ports ? "*" : "LOCALHOST") : 774 (options.gateway_ports ? "*" : "LOCALHOST") :
861 options.local_forwards[i].listen_host, 775 options.local_forwards[i].listen_host,
862 options.local_forwards[i].listen_port, 776 options.local_forwards[i].listen_port,
863 options.local_forwards[i].connect_host, 777 options.local_forwards[i].connect_host,
@@ -876,6 +790,8 @@ ssh_init_forwarding(void)
876 for (i = 0; i < options.num_remote_forwards; i++) { 790 for (i = 0; i < options.num_remote_forwards; i++) {
877 debug("Remote connections from %.200s:%d forwarded to " 791 debug("Remote connections from %.200s:%d forwarded to "
878 "local address %.200s:%d", 792 "local address %.200s:%d",
793 (options.remote_forwards[i].listen_host == NULL) ?
794 (options.gateway_ports ? "*" : "LOCALHOST") :
879 options.remote_forwards[i].listen_host, 795 options.remote_forwards[i].listen_host,
880 options.remote_forwards[i].listen_port, 796 options.remote_forwards[i].listen_port,
881 options.remote_forwards[i].connect_host, 797 options.remote_forwards[i].connect_host,
@@ -906,6 +822,7 @@ ssh_session(void)
906 int have_tty = 0; 822 int have_tty = 0;
907 struct winsize ws; 823 struct winsize ws;
908 char *cp; 824 char *cp;
825 const char *display;
909 826
910 /* Enable compression if requested. */ 827 /* Enable compression if requested. */
911 if (options.compression) { 828 if (options.compression) {
@@ -967,13 +884,15 @@ ssh_session(void)
967 packet_disconnect("Protocol error waiting for pty request response."); 884 packet_disconnect("Protocol error waiting for pty request response.");
968 } 885 }
969 /* Request X11 forwarding if enabled and DISPLAY is set. */ 886 /* Request X11 forwarding if enabled and DISPLAY is set. */
970 if (options.forward_x11 && getenv("DISPLAY") != NULL) { 887 display = getenv("DISPLAY");
888 if (options.forward_x11 && display != NULL) {
971 char *proto, *data; 889 char *proto, *data;
972 /* Get reasonable local authentication information. */ 890 /* Get reasonable local authentication information. */
973 x11_get_proto(&proto, &data); 891 client_x11_get_proto(display, options.xauth_location,
892 options.forward_x11_trusted, &proto, &data);
974 /* Request forwarding with authentication spoofing. */ 893 /* Request forwarding with authentication spoofing. */
975 debug("Requesting X11 forwarding with authentication spoofing."); 894 debug("Requesting X11 forwarding with authentication spoofing.");
976 x11_request_forwarding_with_spoofing(0, proto, data); 895 x11_request_forwarding_with_spoofing(0, display, proto, data);
977 896
978 /* Read response from the server. */ 897 /* Read response from the server. */
979 type = packet_read(); 898 type = packet_read();
@@ -1075,9 +994,12 @@ ssh_control_listener(void)
1075 mode_t old_umask; 994 mode_t old_umask;
1076 int addr_len; 995 int addr_len;
1077 996
1078 if (options.control_path == NULL || options.control_master <= 0) 997 if (options.control_path == NULL ||
998 options.control_master == SSHCTL_MASTER_NO)
1079 return; 999 return;
1080 1000
1001 debug("setting up multiplex master socket");
1002
1081 memset(&addr, '\0', sizeof(addr)); 1003 memset(&addr, '\0', sizeof(addr));
1082 addr.sun_family = AF_UNIX; 1004 addr.sun_family = AF_UNIX;
1083 addr_len = offsetof(struct sockaddr_un, sun_path) + 1005 addr_len = offsetof(struct sockaddr_un, sun_path) +
@@ -1093,7 +1015,7 @@ ssh_control_listener(void)
1093 old_umask = umask(0177); 1015 old_umask = umask(0177);
1094 if (bind(control_fd, (struct sockaddr*)&addr, addr_len) == -1) { 1016 if (bind(control_fd, (struct sockaddr*)&addr, addr_len) == -1) {
1095 control_fd = -1; 1017 control_fd = -1;
1096 if (errno == EINVAL) 1018 if (errno == EINVAL || errno == EADDRINUSE)
1097 fatal("ControlSocket %s already exists", 1019 fatal("ControlSocket %s already exists",
1098 options.control_path); 1020 options.control_path);
1099 else 1021 else
@@ -1112,15 +1034,18 @@ static void
1112ssh_session2_setup(int id, void *arg) 1034ssh_session2_setup(int id, void *arg)
1113{ 1035{
1114 extern char **environ; 1036 extern char **environ;
1115 1037 const char *display;
1116 int interactive = tty_flag; 1038 int interactive = tty_flag;
1117 if (options.forward_x11 && getenv("DISPLAY") != NULL) { 1039
1040 display = getenv("DISPLAY");
1041 if (options.forward_x11 && display != NULL) {
1118 char *proto, *data; 1042 char *proto, *data;
1119 /* Get reasonable local authentication information. */ 1043 /* Get reasonable local authentication information. */
1120 x11_get_proto(&proto, &data); 1044 client_x11_get_proto(display, options.xauth_location,
1045 options.forward_x11_trusted, &proto, &data);
1121 /* Request forwarding with authentication spoofing. */ 1046 /* Request forwarding with authentication spoofing. */
1122 debug("Requesting X11 forwarding with authentication spoofing."); 1047 debug("Requesting X11 forwarding with authentication spoofing.");
1123 x11_request_forwarding_with_spoofing(id, proto, data); 1048 x11_request_forwarding_with_spoofing(id, display, proto, data);
1124 interactive = 1; 1049 interactive = 1;
1125 /* XXX wait for reply */ 1050 /* XXX wait for reply */
1126 } 1051 }
@@ -1288,13 +1213,18 @@ control_client(const char *path)
1288 extern char **environ; 1213 extern char **environ;
1289 u_int flags; 1214 u_int flags;
1290 1215
1291 if (stdin_null_flag) { 1216 if (mux_command == 0)
1292 if ((fd = open(_PATH_DEVNULL, O_RDONLY)) == -1) 1217 mux_command = SSHMUX_COMMAND_OPEN;
1293 fatal("open(/dev/null): %s", strerror(errno)); 1218
1294 if (dup2(fd, STDIN_FILENO) == -1) 1219 switch (options.control_master) {
1295 fatal("dup2: %s", strerror(errno)); 1220 case SSHCTL_MASTER_AUTO:
1296 if (fd > STDERR_FILENO) 1221 case SSHCTL_MASTER_AUTO_ASK:
1297 close(fd); 1222 debug("auto-mux: Trying existing master");
1223 /* FALLTHROUGH */
1224 case SSHCTL_MASTER_NO:
1225 break;
1226 default:
1227 return;
1298 } 1228 }
1299 1229
1300 memset(&addr, '\0', sizeof(addr)); 1230 memset(&addr, '\0', sizeof(addr));
@@ -1309,31 +1239,55 @@ control_client(const char *path)
1309 if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) 1239 if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
1310 fatal("%s socket(): %s", __func__, strerror(errno)); 1240 fatal("%s socket(): %s", __func__, strerror(errno));
1311 1241
1312 if (connect(sock, (struct sockaddr*)&addr, addr_len) == -1) 1242 if (connect(sock, (struct sockaddr*)&addr, addr_len) == -1) {
1313 fatal("Couldn't connect to %s: %s", path, strerror(errno)); 1243 if (mux_command != SSHMUX_COMMAND_OPEN) {
1244 fatal("Control socket connect(%.100s): %s", path,
1245 strerror(errno));
1246 }
1247 if (errno == ENOENT)
1248 debug("Control socket \"%.100s\" does not exist", path);
1249 else {
1250 error("Control socket connect(%.100s): %s", path,
1251 strerror(errno));
1252 }
1253 close(sock);
1254 return;
1255 }
1256
1257 if (stdin_null_flag) {
1258 if ((fd = open(_PATH_DEVNULL, O_RDONLY)) == -1)
1259 fatal("open(/dev/null): %s", strerror(errno));
1260 if (dup2(fd, STDIN_FILENO) == -1)
1261 fatal("dup2: %s", strerror(errno));
1262 if (fd > STDERR_FILENO)
1263 close(fd);
1264 }
1314 1265
1315 if ((term = getenv("TERM")) == NULL) 1266 term = getenv("TERM");
1316 term = "";
1317 1267
1318 flags = 0; 1268 flags = 0;
1319 if (tty_flag) 1269 if (tty_flag)
1320 flags |= SSHMUX_FLAG_TTY; 1270 flags |= SSHMUX_FLAG_TTY;
1321 if (subsystem_flag) 1271 if (subsystem_flag)
1322 flags |= SSHMUX_FLAG_SUBSYS; 1272 flags |= SSHMUX_FLAG_SUBSYS;
1273 if (options.forward_x11)
1274 flags |= SSHMUX_FLAG_X11_FWD;
1275 if (options.forward_agent)
1276 flags |= SSHMUX_FLAG_AGENT_FWD;
1323 1277
1324 buffer_init(&m); 1278 buffer_init(&m);
1325 1279
1326 /* Send our command to server */ 1280 /* Send our command to server */
1327 buffer_put_int(&m, mux_command); 1281 buffer_put_int(&m, mux_command);
1328 buffer_put_int(&m, flags); 1282 buffer_put_int(&m, flags);
1329 if (ssh_msg_send(sock, /* version */1, &m) == -1) 1283 if (ssh_msg_send(sock, SSHMUX_VER, &m) == -1)
1330 fatal("%s: msg_send", __func__); 1284 fatal("%s: msg_send", __func__);
1331 buffer_clear(&m); 1285 buffer_clear(&m);
1332 1286
1333 /* Get authorisation status and PID of controlee */ 1287 /* Get authorisation status and PID of controlee */
1334 if (ssh_msg_recv(sock, &m) == -1) 1288 if (ssh_msg_recv(sock, &m) == -1)
1335 fatal("%s: msg_recv", __func__); 1289 fatal("%s: msg_recv", __func__);
1336 if (buffer_get_char(&m) != 1) 1290 if (buffer_get_char(&m) != SSHMUX_VER)
1337 fatal("%s: wrong version", __func__); 1291 fatal("%s: wrong version", __func__);
1338 if (buffer_get_int(&m) != 1) 1292 if (buffer_get_int(&m) != 1)
1339 fatal("Connection to master denied"); 1293 fatal("Connection to master denied");
@@ -1343,7 +1297,7 @@ control_client(const char *path)
1343 1297
1344 switch (mux_command) { 1298 switch (mux_command) {
1345 case SSHMUX_COMMAND_ALIVE_CHECK: 1299 case SSHMUX_COMMAND_ALIVE_CHECK:
1346 fprintf(stderr, "Master running (pid=%d)\r\n", 1300 fprintf(stderr, "Master running (pid=%d)\r\n",
1347 control_server_pid); 1301 control_server_pid);
1348 exit(0); 1302 exit(0);
1349 case SSHMUX_COMMAND_TERMINATE: 1303 case SSHMUX_COMMAND_TERMINATE:
@@ -1357,7 +1311,7 @@ control_client(const char *path)
1357 } 1311 }
1358 1312
1359 /* SSHMUX_COMMAND_OPEN */ 1313 /* SSHMUX_COMMAND_OPEN */
1360 buffer_put_cstring(&m, term); 1314 buffer_put_cstring(&m, term ? term : "");
1361 buffer_append(&command, "\0", 1); 1315 buffer_append(&command, "\0", 1);
1362 buffer_put_cstring(&m, buffer_ptr(&command)); 1316 buffer_put_cstring(&m, buffer_ptr(&command));
1363 1317
@@ -1379,7 +1333,7 @@ control_client(const char *path)
1379 } 1333 }
1380 } 1334 }
1381 1335
1382 if (ssh_msg_send(sock, /* version */1, &m) == -1) 1336 if (ssh_msg_send(sock, SSHMUX_VER, &m) == -1)
1383 fatal("%s: msg_send", __func__); 1337 fatal("%s: msg_send", __func__);
1384 1338
1385 mm_send_fd(sock, STDIN_FILENO); 1339 mm_send_fd(sock, STDIN_FILENO);
@@ -1390,7 +1344,7 @@ control_client(const char *path)
1390 buffer_clear(&m); 1344 buffer_clear(&m);
1391 if (ssh_msg_recv(sock, &m) == -1) 1345 if (ssh_msg_recv(sock, &m) == -1)
1392 fatal("%s: msg_recv", __func__); 1346 fatal("%s: msg_recv", __func__);
1393 if (buffer_get_char(&m) != 1) 1347 if (buffer_get_char(&m) != SSHMUX_VER)
1394 fatal("%s: wrong version", __func__); 1348 fatal("%s: wrong version", __func__);
1395 buffer_free(&m); 1349 buffer_free(&m);
1396 1350
diff --git a/ssh_config.0 b/ssh_config.0
index 9577abc48..a2706b69c 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -4,14 +4,14 @@ NAME
4 ssh_config - OpenSSH SSH client configuration files 4 ssh_config - OpenSSH SSH client configuration files
5 5
6SYNOPSIS 6SYNOPSIS
7 $HOME/.ssh/config 7 ~/.ssh/config
8 /etc/ssh/ssh_config 8 /etc/ssh/ssh_config
9 9
10DESCRIPTION 10DESCRIPTION
11 ssh obtains configuration data from the following sources in the follow- 11 ssh obtains configuration data from the following sources in the follow-
12 ing order: 12 ing order:
13 1. command-line options 13 1. command-line options
14 2. user's configuration file ($HOME/.ssh/config) 14 2. user's configuration file (~/.ssh/config)
15 3. system-wide configuration file (/etc/ssh/ssh_config) 15 3. system-wide configuration file (/etc/ssh/ssh_config)
16 16
17 For each parameter, the first obtained value will be used. The configu- 17 For each parameter, the first obtained value will be used. The configu-
@@ -57,9 +57,10 @@ DESCRIPTION
57 ``yes'' or ``no''. The default is ``no''. 57 ``yes'' or ``no''. The default is ``no''.
58 58
59 BindAddress 59 BindAddress
60 Specify the interface to transmit from on machines with multiple 60 Use the specified address on the local machine as the source ad-
61 interfaces or aliased addresses. Note that this option does not 61 dress of the connection. Only useful on systems with more than
62 work if UsePrivilegedPort is set to ``yes''. 62 one address. Note that this option does not work if
63 UsePrivilegedPort is set to ``yes''.
63 64
64 ChallengeResponseAuthentication 65 ChallengeResponseAuthentication
65 Specifies whether to use challenge response authentication. The 66 Specifies whether to use challenge response authentication. The
@@ -85,11 +86,12 @@ DESCRIPTION
85 preference. Multiple ciphers must be comma-separated. The sup- 86 preference. Multiple ciphers must be comma-separated. The sup-
86 ported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', 87 ported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'',
87 ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', 88 ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
88 ``arcfour'', ``blowfish-cbc'', and ``cast128-cbc''. The default 89 ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'',
89 is 90 and ``cast128-cbc''. The default is
90 91
91 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 92 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
92 aes192-cbc,aes256-cbc'' 93 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
94 aes192-ctr,aes256-ctr''
93 95
94 ClearAllForwardings 96 ClearAllForwardings
95 Specifies that all local, remote and dynamic port forwardings 97 Specifies that all local, remote and dynamic port forwardings
@@ -131,11 +133,30 @@ DESCRIPTION
131 tion rather than initiating new ones. Setting this to ``ask'' 133 tion rather than initiating new ones. Setting this to ``ask''
132 will cause ssh to listen for control connections, but require 134 will cause ssh to listen for control connections, but require
133 confirmation using the SSH_ASKPASS program before they are ac- 135 confirmation using the SSH_ASKPASS program before they are ac-
134 cepted (see ssh-add(1) for details). 136 cepted (see ssh-add(1) for details). If the ControlPath can not
137 be opened, ssh will continue without connecting to a master in-
138 stance.
139
140 X11 and ssh-agent(1) forwarding is supported over these multi-
141 plexed connections, however the display and agent fowarded will
142 be the one belonging to the master connection i.e. it is not pos-
143 sible to forward multiple displays or agents.
144
145 Two additional options allow for opportunistic multiplexing: try
146 to use a master connection but fall back to creating a new one if
147 one does not already exist. These options are: ``auto'' and
148 ``autoask''. The latter requires confirmation like the ``ask''
149 option.
135 150
136 ControlPath 151 ControlPath
137 Specify the path to the control socket used for connection shar- 152 Specify the path to the control socket used for connection shar-
138 ing. See ControlMaster above. 153 ing as described in the ControlMaster section above or the string
154 ``none'' to disable connection sharing. In the path, `%h' will
155 be substituted by the target host name, `%p' the port and `%r' by
156 the remote login username. It is recommended that any
157 ControlPath used for opportunistic connection sharing include all
158 three of these escape sequences. This ensures that shared con-
159 nections are uniquely identified.
139 160
140 DynamicForward 161 DynamicForward
141 Specifies that a TCP/IP port on the local machine be forwarded 162 Specifies that a TCP/IP port on the local machine be forwarded
@@ -228,9 +249,9 @@ DESCRIPTION
228 249
229 HashKnownHosts 250 HashKnownHosts
230 Indicates that ssh should hash host names and addresses when they 251 Indicates that ssh should hash host names and addresses when they
231 are added to $HOME/.ssh/known_hosts. These hashed names may be 252 are added to ~/.ssh/known_hosts. These hashed names may be used
232 used normally by ssh and sshd, but they do not reveal identifying 253 normally by ssh and sshd, but they do not reveal identifying in-
233 information should the file's contents be disclosed. The default 254 formation should the file's contents be disclosed. The default
234 is ``no''. Note that hashing of names and addresses will not be 255 is ``no''. Note that hashing of names and addresses will not be
235 retrospectively applied to existing known hosts files, but these 256 retrospectively applied to existing known hosts files, but these
236 may be manually hashed using ssh-keygen(1). 257 may be manually hashed using ssh-keygen(1).
@@ -261,14 +282,13 @@ DESCRIPTION
261 282
262 IdentityFile 283 IdentityFile
263 Specifies a file from which the user's RSA or DSA authentication 284 Specifies a file from which the user's RSA or DSA authentication
264 identity is read. The default is $HOME/.ssh/identity for proto- 285 identity is read. The default is ~/.ssh/identity for protocol
265 col version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for 286 version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol ver-
266 protocol version 2. Additionally, any identities represented by 287 sion 2. Additionally, any identities represented by the authen-
267 the authentication agent will be used for authentication. The 288 tication agent will be used for authentication. The file name
268 file name may use the tilde syntax to refer to a user's home di- 289 may use the tilde syntax to refer to a user's home directory. It
269 rectory. It is possible to have multiple identity files speci- 290 is possible to have multiple identity files specified in configu-
270 fied in configuration files; all these identities will be tried 291 ration files; all these identities will be tried in sequence.
271 in sequence.
272 292
273 IdentitiesOnly 293 IdentitiesOnly
274 Specifies that ssh should only use the authentication identity 294 Specifies that ssh should only use the authentication identity
@@ -286,18 +306,19 @@ DESCRIPTION
286 LocalForward 306 LocalForward
287 Specifies that a TCP/IP port on the local machine be forwarded 307 Specifies that a TCP/IP port on the local machine be forwarded
288 over the secure channel to the specified host and port from the 308 over the secure channel to the specified host and port from the
289 remote machine. The first argument must be a port number, and 309 remote machine. The first argument must be [bind_address:]port
290 the second must be [bind_address:]host:port. IPv6 addresses can 310 and the second argument must be host:hostport. IPv6 addresses
291 be specified by enclosing addresses in square brackets or by us- 311 can be specified by enclosing addresses in square brackets or by
292 ing an alternative syntax: [bind_address/]host/port. Multiple 312 using an alternative syntax: [bind_address/]port and
293 forwardings may be specified, and additional forwardings can be 313 host/hostport. Multiple forwardings may be specified, and addi-
294 given on the command line. Only the superuser can forward privi- 314 tional forwardings can be given on the command line. Only the
295 leged ports. By default, the local port is bound in accordance 315 superuser can forward privileged ports. By default, the local
296 with the GatewayPorts setting. However, an explicit bind_address 316 port is bound in accordance with the GatewayPorts setting. How-
297 may be used to bind the connection to a specific address. The 317 ever, an explicit bind_address may be used to bind the connection
298 bind_address of ``localhost'' indicates that the listening port 318 to a specific address. The bind_address of ``localhost'' indi-
299 be bound for local use only, while an empty address or `*' indi- 319 cates that the listening port be bound for local use only, while
300 cates that the port should be available from all interfaces. 320 an empty address or `*' indicates that the port should be avail-
321 able from all interfaces.
301 322
302 LogLevel 323 LogLevel
303 Gives the verbosity level that is used when logging messages from 324 Gives the verbosity level that is used when logging messages from
@@ -336,7 +357,7 @@ DESCRIPTION
336 PreferredAuthentications 357 PreferredAuthentications
337 Specifies the order in which the client should try protocol 2 au- 358 Specifies the order in which the client should try protocol 2 au-
338 thentication methods. This allows a client to prefer one method 359 thentication methods. This allows a client to prefer one method
339 (e.g. keyboard-interactive) over another method (e.g. password) 360 (e.g. keyboard-interactive) over another method (e.g. password)
340 The default for this option is: ``hostbased,publickey,keyboard- 361 The default for this option is: ``hostbased,publickey,keyboard-
341 interactive,password''. 362 interactive,password''.
342 363
@@ -361,6 +382,12 @@ DESCRIPTION
361 tirely. Note that CheckHostIP is not available for connects with 382 tirely. Note that CheckHostIP is not available for connects with
362 a proxy command. 383 a proxy command.
363 384
385 This directive is useful in conjunction with nc(1) and its proxy
386 support. For example, the following directive would connect via
387 an HTTP proxy at 192.0.2.0:
388
389 ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
390
364 PubkeyAuthentication 391 PubkeyAuthentication
365 Specifies whether to try public key authentication. The argument 392 Specifies whether to try public key authentication. The argument
366 to this keyword must be ``yes'' or ``no''. The default is 393 to this keyword must be ``yes'' or ``no''. The default is
@@ -369,13 +396,13 @@ DESCRIPTION
369 RemoteForward 396 RemoteForward
370 Specifies that a TCP/IP port on the remote machine be forwarded 397 Specifies that a TCP/IP port on the remote machine be forwarded
371 over the secure channel to the specified host and port from the 398 over the secure channel to the specified host and port from the
372 local machine. The first argument must be a port number, and the 399 local machine. The first argument must be [bind_address:]port
373 second must be [bind_address:]host:port. IPv6 addresses can be 400 and the second argument must be host:hostport. IPv6 addresses
374 specified by enclosing any addresses in square brackets or by us- 401 can be specified by enclosing addresses in square brackets or by
375 ing the alternative syntax: [bind_address/]host/port. Multiple 402 using an alternative syntax: [bind_address/]port and
376 forwardings may be specified, and additional forwardings can be 403 host/hostport. Multiple forwardings may be specified, and addi-
377 given on the command line. Only the superuser can forward privi- 404 tional forwardings can be given on the command line. Only the
378 leged ports. 405 superuser can forward privileged ports.
379 406
380 If the bind_address is not specified, the default is to only bind 407 If the bind_address is not specified, the default is to only bind
381 to loopback addresses. If the bind_address is `*' or an empty 408 to loopback addresses. If the bind_address is `*' or an empty
@@ -440,9 +467,9 @@ DESCRIPTION
440 467
441 StrictHostKeyChecking 468 StrictHostKeyChecking
442 If this flag is set to ``yes'', ssh will never automatically add 469 If this flag is set to ``yes'', ssh will never automatically add
443 host keys to the $HOME/.ssh/known_hosts file, and refuses to con- 470 host keys to the ~/.ssh/known_hosts file, and refuses to connect
444 nect to hosts whose host key has changed. This provides maximum 471 to hosts whose host key has changed. This provides maximum pro-
445 protection against trojan horse attacks, however, can be annoying 472 tection against trojan horse attacks, however, can be annoying
446 when the /etc/ssh/ssh_known_hosts file is poorly maintained, or 473 when the /etc/ssh/ssh_known_hosts file is poorly maintained, or
447 connections to new hosts are frequently made. This option forces 474 connections to new hosts are frequently made. This option forces
448 the user to manually add all new hosts. If this flag is set to 475 the user to manually add all new hosts. If this flag is set to
@@ -483,7 +510,7 @@ DESCRIPTION
483 510
484 UserKnownHostsFile 511 UserKnownHostsFile
485 Specifies a file to use for the user host key database instead of 512 Specifies a file to use for the user host key database instead of
486 $HOME/.ssh/known_hosts. 513 ~/.ssh/known_hosts.
487 514
488 VerifyHostKeyDNS 515 VerifyHostKeyDNS
489 Specifies whether to verify the remote key using DNS and SSHFP 516 Specifies whether to verify the remote key using DNS and SSHFP
@@ -502,7 +529,7 @@ DESCRIPTION
502 is /usr/X11R6/bin/xauth. 529 is /usr/X11R6/bin/xauth.
503 530
504FILES 531FILES
505 $HOME/.ssh/config 532 ~/.ssh/config
506 This is the per-user configuration file. The format of this file 533 This is the per-user configuration file. The format of this file
507 is described above. This file is used by the ssh client. Be- 534 is described above. This file is used by the ssh client. Be-
508 cause of the potential for abuse, this file must have strict per- 535 cause of the potential for abuse, this file must have strict per-
@@ -524,4 +551,4 @@ AUTHORS
524 ated OpenSSH. Markus Friedl contributed the support for SSH protocol 551 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
525 versions 1.5 and 2.0. 552 versions 1.5 and 2.0.
526 553
527OpenBSD 3.6 September 25, 1999 8 554OpenBSD 3.8 September 25, 1999 9
diff --git a/ssh_config.5 b/ssh_config.5
index 06db04c27..9033185b1 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh_config.5,v 1.47 2005/03/07 23:41:54 jmc Exp $ 37.\" $OpenBSD: ssh_config.5,v 1.61 2005/07/08 12:53:10 jmc Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSH_CONFIG 5 39.Dt SSH_CONFIG 5
40.Os 40.Os
@@ -43,7 +43,7 @@
43.Nd OpenSSH SSH client configuration files 43.Nd OpenSSH SSH client configuration files
44.Sh SYNOPSIS 44.Sh SYNOPSIS
45.Bl -tag -width Ds -compact 45.Bl -tag -width Ds -compact
46.It Pa $HOME/.ssh/config 46.It Pa ~/.ssh/config
47.It Pa /etc/ssh/ssh_config 47.It Pa /etc/ssh/ssh_config
48.El 48.El
49.Sh DESCRIPTION 49.Sh DESCRIPTION
@@ -55,7 +55,7 @@ the following order:
55command-line options 55command-line options
56.It 56.It
57user's configuration file 57user's configuration file
58.Pq Pa $HOME/.ssh/config 58.Pq Pa ~/.ssh/config
59.It 59.It
60system-wide configuration file 60system-wide configuration file
61.Pq Pa /etc/ssh/ssh_config 61.Pq Pa /etc/ssh/ssh_config
@@ -136,8 +136,9 @@ or
136The default is 136The default is
137.Dq no . 137.Dq no .
138.It Cm BindAddress 138.It Cm BindAddress
139Specify the interface to transmit from on machines with multiple 139Use the specified address on the local machine as the source address of
140interfaces or aliased addresses. 140the connection.
141Only useful on systems with more than one address.
141Note that this option does not work if 142Note that this option does not work if
142.Cm UsePrivilegedPort 143.Cm UsePrivilegedPort
143is set to 144is set to
@@ -193,14 +194,17 @@ The supported ciphers are
193.Dq aes128-ctr , 194.Dq aes128-ctr ,
194.Dq aes192-ctr , 195.Dq aes192-ctr ,
195.Dq aes256-ctr , 196.Dq aes256-ctr ,
197.Dq arcfour128 ,
198.Dq arcfour256 ,
196.Dq arcfour , 199.Dq arcfour ,
197.Dq blowfish-cbc , 200.Dq blowfish-cbc ,
198and 201and
199.Dq cast128-cbc . 202.Dq cast128-cbc .
200The default is 203The default is
201.Bd -literal 204.Bd -literal
202 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 205 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
203 aes192-cbc,aes256-cbc'' 206 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
207 aes192-ctr,aes256-ctr''
204.Ed 208.Ed
205.It Cm ClearAllForwardings 209.It Cm ClearAllForwardings
206Specifies that all local, remote and dynamic port forwardings 210Specifies that all local, remote and dynamic port forwardings
@@ -270,11 +274,47 @@ to listen for control connections, but require confirmation using the
270program before they are accepted (see 274program before they are accepted (see
271.Xr ssh-add 1 275.Xr ssh-add 1
272for details). 276for details).
277If the
278.Cm ControlPath
279can not be opened,
280.Nm ssh
281will continue without connecting to a master instance.
282.Pp
283X11 and
284.Xr ssh-agent 1
285forwarding is supported over these multiplexed connections, however the
286display and agent fowarded will be the one belonging to the master
287connection i.e. it is not possible to forward multiple displays or agents.
288.Pp
289Two additional options allow for opportunistic multiplexing: try to use a
290master connection but fall back to creating a new one if one does not already
291exist.
292These options are:
293.Dq auto
294and
295.Dq autoask .
296The latter requires confirmation like the
297.Dq ask
298option.
273.It Cm ControlPath 299.It Cm ControlPath
274Specify the path to the control socket used for connection sharing. 300Specify the path to the control socket used for connection sharing as described
275See 301in the
276.Cm ControlMaster 302.Cm ControlMaster
277above. 303section above or the string
304.Dq none
305to disable connection sharing.
306In the path,
307.Ql %h
308will be substituted by the target host name,
309.Ql %p
310the port and
311.Ql %r
312by the remote login username.
313It is recommended that any
314.Cm ControlPath
315used for opportunistic connection sharing include
316all three of these escape sequences.
317This ensures that shared connections are uniquely identified.
278.It Cm DynamicForward 318.It Cm DynamicForward
279Specifies that a TCP/IP port on the local machine be forwarded 319Specifies that a TCP/IP port on the local machine be forwarded
280over the secure channel, and the application 320over the secure channel, and the application
@@ -407,11 +447,21 @@ Forward (delegate) credentials to the server.
407The default is 447The default is
408.Dq no . 448.Dq no .
409Note that this option applies to protocol version 2 only. 449Note that this option applies to protocol version 2 only.
450.It Cm GSSAPITrustDns
451Set to
452.Dq yes to indicate that the DNS is trusted to securely canonicalize
453the name of the host being connected to. If
454.Dq no, the hostname entered on the
455command line will be passed untouched to the GSSAPI library.
456The default is
457.Dq no .
458This option only applies to protocol version 2 connections using GSSAPI
459key exchange.
410.It Cm HashKnownHosts 460.It Cm HashKnownHosts
411Indicates that 461Indicates that
412.Nm ssh 462.Nm ssh
413should hash host names and addresses when they are added to 463should hash host names and addresses when they are added to
414.Pa $HOME/.ssh/known_hosts . 464.Pa ~/.ssh/known_hosts .
415These hashed names may be used normally by 465These hashed names may be used normally by
416.Nm ssh 466.Nm ssh
417and 467and
@@ -457,11 +507,11 @@ specifications).
457Specifies a file from which the user's RSA or DSA authentication identity 507Specifies a file from which the user's RSA or DSA authentication identity
458is read. 508is read.
459The default is 509The default is
460.Pa $HOME/.ssh/identity 510.Pa ~/.ssh/identity
461for protocol version 1, and 511for protocol version 1, and
462.Pa $HOME/.ssh/id_rsa 512.Pa ~/.ssh/id_rsa
463and 513and
464.Pa $HOME/.ssh/id_dsa 514.Pa ~/.ssh/id_dsa
465for protocol version 2. 515for protocol version 2.
466Additionally, any identities represented by the authentication agent 516Additionally, any identities represented by the authentication agent
467will be used for authentication. 517will be used for authentication.
@@ -495,21 +545,17 @@ The default is to use the server specified list.
495.It Cm LocalForward 545.It Cm LocalForward
496Specifies that a TCP/IP port on the local machine be forwarded over 546Specifies that a TCP/IP port on the local machine be forwarded over
497the secure channel to the specified host and port from the remote machine. 547the secure channel to the specified host and port from the remote machine.
498The first argument must be a port number, and the second must be 548The first argument must be
499.Xo
500.Sm off 549.Sm off
501.Oo Ar bind_address : Oc 550.Oo Ar bind_address : Oc Ar port
502.Ar host : port
503.Sm on 551.Sm on
504.Xc . 552and the second argument must be
553.Ar host : Ns Ar hostport .
505IPv6 addresses can be specified by enclosing addresses in square brackets or 554IPv6 addresses can be specified by enclosing addresses in square brackets or
506by using an alternative syntax: 555by using an alternative syntax:
507.Sm off 556.Oo Ar bind_address Ns / Oc Ns Ar port
508.Xo 557and
509.Op Ar bind_address No / 558.Ar host Ns / Ns Ar hostport .
510.Ar host No / Ar port
511.Xc .
512.Sm on
513Multiple forwardings may be specified, and additional forwardings can be 559Multiple forwardings may be specified, and additional forwardings can be
514given on the command line. 560given on the command line.
515Only the superuser can forward privileged ports. 561Only the superuser can forward privileged ports.
@@ -571,9 +617,9 @@ Default is 22.
571.It Cm PreferredAuthentications 617.It Cm PreferredAuthentications
572Specifies the order in which the client should try protocol 2 618Specifies the order in which the client should try protocol 2
573authentication methods. 619authentication methods.
574This allows a client to prefer one method (e.g. 620This allows a client to prefer one method (e.g.\&
575.Cm keyboard-interactive ) 621.Cm keyboard-interactive )
576over another method (e.g. 622over another method (e.g.\&
577.Cm password ) 623.Cm password )
578The default for this option is: 624The default for this option is:
579.Dq hostbased,publickey,keyboard-interactive,password . 625.Dq hostbased,publickey,keyboard-interactive,password .
@@ -620,6 +666,14 @@ Note that
620.Cm CheckHostIP 666.Cm CheckHostIP
621is not available for connects with a proxy command. 667is not available for connects with a proxy command.
622.Pp 668.Pp
669This directive is useful in conjunction with
670.Xr nc 1
671and its proxy support.
672For example, the following directive would connect via an HTTP proxy at
673192.0.2.0:
674.Bd -literal -offset 3n
675ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
676.Ed
623.It Cm PubkeyAuthentication 677.It Cm PubkeyAuthentication
624Specifies whether to try public key authentication. 678Specifies whether to try public key authentication.
625The argument to this keyword must be 679The argument to this keyword must be
@@ -632,21 +686,17 @@ This option applies to protocol version 2 only.
632.It Cm RemoteForward 686.It Cm RemoteForward
633Specifies that a TCP/IP port on the remote machine be forwarded over 687Specifies that a TCP/IP port on the remote machine be forwarded over
634the secure channel to the specified host and port from the local machine. 688the secure channel to the specified host and port from the local machine.
635The first argument must be a port number, and the second must be 689The first argument must be
636.Xo
637.Sm off 690.Sm off
638.Oo Ar bind_address : Oc 691.Oo Ar bind_address : Oc Ar port
639.Ar host : port
640.Sm on
641.Xc .
642IPv6 addresses can be specified by enclosing any addresses in square brackets
643or by using the alternative syntax:
644.Sm off
645.Xo
646.Op Ar bind_address No /
647.Ar host No / Ar port
648.Xc .
649.Sm on 692.Sm on
693and the second argument must be
694.Ar host : Ns Ar hostport .
695IPv6 addresses can be specified by enclosing addresses in square brackets
696or by using an alternative syntax:
697.Oo Ar bind_address Ns / Oc Ns Ar port
698and
699.Ar host Ns / Ns Ar hostport .
650Multiple forwardings may be specified, and additional 700Multiple forwardings may be specified, and additional
651forwardings can be given on the command line. 701forwardings can be given on the command line.
652Only the superuser can forward privileged ports. 702Only the superuser can forward privileged ports.
@@ -759,7 +809,7 @@ If this flag is set to
759.Dq yes , 809.Dq yes ,
760.Nm ssh 810.Nm ssh
761will never automatically add host keys to the 811will never automatically add host keys to the
762.Pa $HOME/.ssh/known_hosts 812.Pa ~/.ssh/known_hosts
763file, and refuses to connect to hosts whose host key has changed. 813file, and refuses to connect to hosts whose host key has changed.
764This provides maximum protection against trojan horse attacks, 814This provides maximum protection against trojan horse attacks,
765however, can be annoying when the 815however, can be annoying when the
@@ -831,7 +881,7 @@ having to remember to give the user name on the command line.
831.It Cm UserKnownHostsFile 881.It Cm UserKnownHostsFile
832Specifies a file to use for the user 882Specifies a file to use for the user
833host key database instead of 883host key database instead of
834.Pa $HOME/.ssh/known_hosts . 884.Pa ~/.ssh/known_hosts .
835.It Cm VerifyHostKeyDNS 885.It Cm VerifyHostKeyDNS
836Specifies whether to verify the remote key using DNS and SSHFP resource 886Specifies whether to verify the remote key using DNS and SSHFP resource
837records. 887records.
@@ -864,7 +914,7 @@ The default is
864.El 914.El
865.Sh FILES 915.Sh FILES
866.Bl -tag -width Ds 916.Bl -tag -width Ds
867.It Pa $HOME/.ssh/config 917.It Pa ~/.ssh/config
868This is the per-user configuration file. 918This is the per-user configuration file.
869The format of this file is described above. 919The format of this file is described above.
870This file is used by the 920This file is used by the
diff --git a/sshconnect.c b/sshconnect.c
index 49190560d..ba7b9b71e 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -13,7 +13,7 @@
13 */ 13 */
14 14
15#include "includes.h" 15#include "includes.h"
16RCSID("$OpenBSD: sshconnect.c,v 1.161 2005/03/02 01:00:06 djm Exp $"); 16RCSID("$OpenBSD: sshconnect.c,v 1.168 2005/07/17 07:17:55 djm Exp $");
17 17
18#include <openssl/bn.h> 18#include <openssl/bn.h>
19 19
@@ -59,12 +59,11 @@ static void warn_changed_key(Key *);
59static int 59static int
60ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) 60ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
61{ 61{
62 Buffer command; 62 char *command_string, *tmp;
63 const char *cp;
64 char *command_string;
65 int pin[2], pout[2]; 63 int pin[2], pout[2];
66 pid_t pid; 64 pid_t pid;
67 char strport[NI_MAXSERV]; 65 char strport[NI_MAXSERV];
66 size_t len;
68 67
69 /* Convert the port number into a string. */ 68 /* Convert the port number into a string. */
70 snprintf(strport, sizeof strport, "%hu", port); 69 snprintf(strport, sizeof strport, "%hu", port);
@@ -76,31 +75,13 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
76 * Use "exec" to avoid "sh -c" processes on some platforms 75 * Use "exec" to avoid "sh -c" processes on some platforms
77 * (e.g. Solaris) 76 * (e.g. Solaris)
78 */ 77 */
79 buffer_init(&command); 78 len = strlen(proxy_command) + 6;
80 buffer_append(&command, "exec ", 5); 79 tmp = xmalloc(len);
81 80 strlcpy(tmp, "exec ", len);
82 for (cp = proxy_command; *cp; cp++) { 81 strlcat(tmp, proxy_command, len);
83 if (cp[0] == '%' && cp[1] == '%') { 82 command_string = percent_expand(tmp, "h", host,
84 buffer_append(&command, "%", 1); 83 "p", strport, (char *)NULL);
85 cp++; 84 xfree(tmp);
86 continue;
87 }
88 if (cp[0] == '%' && cp[1] == 'h') {
89 buffer_append(&command, host, strlen(host));
90 cp++;
91 continue;
92 }
93 if (cp[0] == '%' && cp[1] == 'p') {
94 buffer_append(&command, strport, strlen(strport));
95 cp++;
96 continue;
97 }
98 buffer_append(&command, cp, 1);
99 }
100 buffer_append(&command, "\0", 1);
101
102 /* Get the final command string. */
103 command_string = buffer_ptr(&command);
104 85
105 /* Create pipes for communicating with the proxy. */ 86 /* Create pipes for communicating with the proxy. */
106 if (pipe(pin) < 0 || pipe(pout) < 0) 87 if (pipe(pin) < 0 || pipe(pout) < 0)
@@ -154,7 +135,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
154 close(pout[1]); 135 close(pout[1]);
155 136
156 /* Free the command name. */ 137 /* Free the command name. */
157 buffer_free(&command); 138 xfree(command_string);
158 139
159 /* Set the connection file descriptors. */ 140 /* Set the connection file descriptors. */
160 packet_set_connection(pout[0], pin[1]); 141 packet_set_connection(pout[0], pin[1]);
@@ -247,13 +228,13 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr,
247 tv.tv_sec = timeout; 228 tv.tv_sec = timeout;
248 tv.tv_usec = 0; 229 tv.tv_usec = 0;
249 230
250 for(;;) { 231 for (;;) {
251 rc = select(sockfd + 1, NULL, fdset, NULL, &tv); 232 rc = select(sockfd + 1, NULL, fdset, NULL, &tv);
252 if (rc != -1 || errno != EINTR) 233 if (rc != -1 || errno != EINTR)
253 break; 234 break;
254 } 235 }
255 236
256 switch(rc) { 237 switch (rc) {
257 case 0: 238 case 0:
258 /* Timed out */ 239 /* Timed out */
259 errno = ETIMEDOUT; 240 errno = ETIMEDOUT;
@@ -308,18 +289,9 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
308 int sock = -1, attempt; 289 int sock = -1, attempt;
309 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 290 char ntop[NI_MAXHOST], strport[NI_MAXSERV];
310 struct addrinfo hints, *ai, *aitop; 291 struct addrinfo hints, *ai, *aitop;
311 struct servent *sp;
312 292
313 debug2("ssh_connect: needpriv %d", needpriv); 293 debug2("ssh_connect: needpriv %d", needpriv);
314 294
315 /* Get default port if port has not been set. */
316 if (port == 0) {
317 sp = getservbyname(SSH_SERVICE_NAME, "tcp");
318 if (sp)
319 port = ntohs(sp->s_port);
320 else
321 port = SSH_DEFAULT_PORT;
322 }
323 /* If a proxy command is given, connect using it. */ 295 /* If a proxy command is given, connect using it. */
324 if (proxy_command != NULL) 296 if (proxy_command != NULL)
325 return ssh_proxy_connect(host, port, proxy_command); 297 return ssh_proxy_connect(host, port, proxy_command);
@@ -421,19 +393,21 @@ static void
421ssh_exchange_identification(void) 393ssh_exchange_identification(void)
422{ 394{
423 char buf[256], remote_version[256]; /* must be same size! */ 395 char buf[256], remote_version[256]; /* must be same size! */
424 int remote_major, remote_minor, i, mismatch; 396 int remote_major, remote_minor, mismatch;
425 int connection_in = packet_get_connection_in(); 397 int connection_in = packet_get_connection_in();
426 int connection_out = packet_get_connection_out(); 398 int connection_out = packet_get_connection_out();
427 int minor1 = PROTOCOL_MINOR_1; 399 int minor1 = PROTOCOL_MINOR_1;
400 u_int i;
428 401
429 /* Read other side\'s version identification. */ 402 /* Read other side's version identification. */
430 for (;;) { 403 for (;;) {
431 for (i = 0; i < sizeof(buf) - 1; i++) { 404 for (i = 0; i < sizeof(buf) - 1; i++) {
432 int len = atomicio(read, connection_in, &buf[i], 1); 405 size_t len = atomicio(read, connection_in, &buf[i], 1);
433 if (len < 0) 406
434 fatal("ssh_exchange_identification: read: %.100s", strerror(errno)); 407 if (len != 1 && errno == EPIPE)
435 if (len != 1)
436 fatal("ssh_exchange_identification: Connection closed by remote host"); 408 fatal("ssh_exchange_identification: Connection closed by remote host");
409 else if (len != 1)
410 fatal("ssh_exchange_identification: read: %.100s", strerror(errno));
437 if (buf[i] == '\r') { 411 if (buf[i] == '\r') {
438 buf[i] = '\n'; 412 buf[i] = '\n';
439 buf[i + 1] = 0; 413 buf[i + 1] = 0;
@@ -573,7 +547,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
573 switch (hostaddr->sa_family) { 547 switch (hostaddr->sa_family) {
574 case AF_INET: 548 case AF_INET:
575 local = (ntohl(((struct sockaddr_in *)hostaddr)-> 549 local = (ntohl(((struct sockaddr_in *)hostaddr)->
576 sin_addr.s_addr) >> 24) == IN_LOOPBACKNET; 550 sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
577 salen = sizeof(struct sockaddr_in); 551 salen = sizeof(struct sockaddr_in);
578 break; 552 break;
579 case AF_INET6: 553 case AF_INET6:
@@ -706,8 +680,8 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
706 680
707 if (show_other_keys(host, host_key)) 681 if (show_other_keys(host, host_key))
708 snprintf(msg1, sizeof(msg1), 682 snprintf(msg1, sizeof(msg1),
709 "\nbut keys of different type are already" 683 "\nbut keys of different type are already"
710 " known for this host."); 684 " known for this host.");
711 else 685 else
712 snprintf(msg1, sizeof(msg1), "."); 686 snprintf(msg1, sizeof(msg1), ".");
713 /* The default */ 687 /* The default */
diff --git a/sshconnect1.c b/sshconnect1.c
index 6e2e31c02..bd05723c7 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,7 +13,7 @@
13 */ 13 */
14 14
15#include "includes.h" 15#include "includes.h"
16RCSID("$OpenBSD: sshconnect1.c,v 1.60 2004/07/28 09:40:29 markus Exp $"); 16RCSID("$OpenBSD: sshconnect1.c,v 1.61 2005/06/17 02:44:33 djm Exp $");
17 17
18#include <openssl/bn.h> 18#include <openssl/bn.h>
19#include <openssl/md5.h> 19#include <openssl/md5.h>
@@ -162,7 +162,7 @@ respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv)
162 /* Compute the response. */ 162 /* Compute the response. */
163 /* The response is MD5 of decrypted challenge plus session id. */ 163 /* The response is MD5 of decrypted challenge plus session id. */
164 len = BN_num_bytes(challenge); 164 len = BN_num_bytes(challenge);
165 if (len <= 0 || len > sizeof(buf)) 165 if (len <= 0 || (u_int)len > sizeof(buf))
166 packet_disconnect( 166 packet_disconnect(
167 "respond_to_rsa_challenge: bad challenge length %d", len); 167 "respond_to_rsa_challenge: bad challenge length %d", len);
168 168
diff --git a/sshconnect2.c b/sshconnect2.c
index b69602c0c..aa0b6ec59 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: sshconnect2.c,v 1.138 2004/06/13 12:53:24 djm Exp $"); 26RCSID("$OpenBSD: sshconnect2.c,v 1.142 2005/08/30 22:08:05 djm Exp $");
27 27
28#include "openbsd-compat/sys-queue.h" 28#include "openbsd-compat/sys-queue.h"
29 29
@@ -87,16 +87,24 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
87#ifdef GSSAPI 87#ifdef GSSAPI
88 char *orig, *gss; 88 char *orig, *gss;
89 int len; 89 int len;
90 char *gss_host;
90#endif 91#endif
91 92
92 xxx_host = host; 93 xxx_host = host;
93 xxx_hostaddr = hostaddr; 94 xxx_hostaddr = hostaddr;
94 95
95#ifdef GSSAPI 96#ifdef GSSAPI
97 /* Add the GSSAPI mechanisms currently supported on this client to
98 * the key exchange algorithm proposal */
96 orig = myproposal[PROPOSAL_KEX_ALGS]; 99 orig = myproposal[PROPOSAL_KEX_ALGS];
97 gss = ssh_gssapi_client_mechanisms(get_canonical_hostname(1)); 100 if (options.gss_trust_dns)
98 debug("Offering GSSAPI proposal: %s",gss); 101 gss_host = (char *)get_canonical_hostname(1);
102 else
103 gss_host = host;
104
105 gss = ssh_gssapi_client_mechanisms(gss_host);
99 if (gss) { 106 if (gss) {
107 debug("Offering GSSAPI proposal: %s", gss);
100 len = strlen(orig) + strlen(gss) + 2; 108 len = strlen(orig) + strlen(gss) + 2;
101 myproposal[PROPOSAL_KEX_ALGS] = xmalloc(len); 109 myproposal[PROPOSAL_KEX_ALGS] = xmalloc(len);
102 snprintf(myproposal[PROPOSAL_KEX_ALGS], len, "%s,%s", gss, 110 snprintf(myproposal[PROPOSAL_KEX_ALGS], len, "%s,%s", gss,
@@ -118,10 +126,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
118 compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]); 126 compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
119 if (options.compression) { 127 if (options.compression) {
120 myproposal[PROPOSAL_COMP_ALGS_CTOS] = 128 myproposal[PROPOSAL_COMP_ALGS_CTOS] =
121 myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib,none"; 129 myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none";
122 } else { 130 } else {
123 myproposal[PROPOSAL_COMP_ALGS_CTOS] = 131 myproposal[PROPOSAL_COMP_ALGS_CTOS] =
124 myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib"; 132 myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib";
125 } 133 }
126 if (options.macs != NULL) { 134 if (options.macs != NULL) {
127 myproposal[PROPOSAL_MAC_ALGS_CTOS] = 135 myproposal[PROPOSAL_MAC_ALGS_CTOS] =
@@ -132,6 +140,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
132 options.hostkeyalgorithms; 140 options.hostkeyalgorithms;
133 141
134#ifdef GSSAPI 142#ifdef GSSAPI
143 /* If we've got GSSAPI algorithms, then we also support the
144 * 'null' hostkey, as a last resort */
135 if (gss) { 145 if (gss) {
136 orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; 146 orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
137 len = strlen(orig) + sizeof(",null"); 147 len = strlen(orig) + sizeof(",null");
@@ -151,6 +161,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
151 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; 161 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
152#ifdef GSSAPI 162#ifdef GSSAPI
153 kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; 163 kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
164 kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
154#endif 165#endif
155 kex->client_version_string=client_version_string; 166 kex->client_version_string=client_version_string;
156 kex->server_version_string=server_version_string; 167 kex->server_version_string=server_version_string;
@@ -158,6 +169,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
158 169
159#ifdef GSSAPI 170#ifdef GSSAPI
160 kex->gss_deleg_creds = options.gss_deleg_creds; 171 kex->gss_deleg_creds = options.gss_deleg_creds;
172 kex->gss_trust_dns = options.gss_trust_dns;
173 kex->gss_host = gss_host;
161#endif 174#endif
162 175
163 xxx_kex = kex; 176 xxx_kex = kex;
@@ -242,7 +255,7 @@ void input_gssapi_token(int type, u_int32_t, void *);
242void input_gssapi_hash(int type, u_int32_t, void *); 255void input_gssapi_hash(int type, u_int32_t, void *);
243void input_gssapi_error(int, u_int32_t, void *); 256void input_gssapi_error(int, u_int32_t, void *);
244void input_gssapi_errtok(int, u_int32_t, void *); 257void input_gssapi_errtok(int, u_int32_t, void *);
245int userauth_gsskeyx(Authctxt *authctxt); 258int userauth_gsskeyex(Authctxt *authctxt);
246#endif 259#endif
247 260
248void userauth(Authctxt *, char *); 261void userauth(Authctxt *, char *);
@@ -258,8 +271,8 @@ static char *authmethods_get(void);
258 271
259Authmethod authmethods[] = { 272Authmethod authmethods[] = {
260#ifdef GSSAPI 273#ifdef GSSAPI
261 {"gssapi-keyx", 274 {"gssapi-keyex",
262 userauth_gsskeyx, 275 userauth_gsskeyex,
263 &options.gss_authentication, 276 &options.gss_authentication,
264 NULL}, 277 NULL},
265 {"gssapi-with-mic", 278 {"gssapi-with-mic",
@@ -391,7 +404,7 @@ void
391input_userauth_error(int type, u_int32_t seq, void *ctxt) 404input_userauth_error(int type, u_int32_t seq, void *ctxt)
392{ 405{
393 fatal("input_userauth_error: bad message during authentication: " 406 fatal("input_userauth_error: bad message during authentication: "
394 "type %d", type); 407 "type %d", type);
395} 408}
396 409
397void 410void
@@ -521,7 +534,7 @@ userauth_gssapi(Authctxt *authctxt)
521{ 534{
522 Gssctxt *gssctxt = NULL; 535 Gssctxt *gssctxt = NULL;
523 static gss_OID_set gss_supported = NULL; 536 static gss_OID_set gss_supported = NULL;
524 static int mech = 0; 537 static u_int mech = 0;
525 OM_uint32 min; 538 OM_uint32 min;
526 int ok = 0; 539 int ok = 0;
527 540
@@ -548,7 +561,8 @@ userauth_gssapi(Authctxt *authctxt)
548 } 561 }
549 } 562 }
550 563
551 if (!ok) return 0; 564 if (!ok)
565 return 0;
552 566
553 authctxt->methoddata=(void *)gssctxt; 567 authctxt->methoddata=(void *)gssctxt;
554 568
@@ -583,7 +597,8 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
583 Authctxt *authctxt = ctxt; 597 Authctxt *authctxt = ctxt;
584 Gssctxt *gssctxt = authctxt->methoddata; 598 Gssctxt *gssctxt = authctxt->methoddata;
585 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; 599 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
586 gss_buffer_desc gssbuf, mic; 600 gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
601 gss_buffer_desc gssbuf;
587 OM_uint32 status, ms, flags; 602 OM_uint32 status, ms, flags;
588 Buffer b; 603 Buffer b;
589 604
@@ -717,7 +732,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
717 732
718 /* Stick it into GSSAPI and see what it says */ 733 /* Stick it into GSSAPI and see what it says */
719 status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, 734 status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
720 &recv_tok, &send_tok, NULL); 735 &recv_tok, &send_tok, NULL);
721 736
722 xfree(recv_tok.value); 737 xfree(recv_tok.value);
723 gss_release_buffer(&ms, &send_tok); 738 gss_release_buffer(&ms, &send_tok);
@@ -745,10 +760,11 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
745} 760}
746 761
747int 762int
748userauth_gsskeyx(Authctxt *authctxt) 763userauth_gsskeyex(Authctxt *authctxt)
749{ 764{
750 Buffer b; 765 Buffer b;
751 gss_buffer_desc gssbuf, mic; 766 gss_buffer_desc gssbuf;
767 gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
752 OM_uint32 ms; 768 OM_uint32 ms;
753 769
754 static int attempt = 0; 770 static int attempt = 0;
diff --git a/sshd.0 b/sshd.0
index fe4d29e54..9a9613b54 100644
--- a/sshd.0
+++ b/sshd.0
@@ -21,7 +21,7 @@ DESCRIPTION
21 sshd works as follows: 21 sshd works as follows:
22 22
23 SSH protocol version 1 23 SSH protocol version 1
24 Each host has a host-specific RSA key (normally 1024 bits) used to iden- 24 Each host has a host-specific RSA key (normally 2048 bits) used to iden-
25 tify the host. Additionally, when the daemon starts, it generates a 25 tify the host. Additionally, when the daemon starts, it generates a
26 server RSA key (normally 768 bits). This key is normally regenerated ev- 26 server RSA key (normally 768 bits). This key is normally regenerated ev-
27 ery hour if it has been used, and is never stored on disk. 27 ery hour if it has been used, and is never stored on disk.
@@ -200,8 +200,7 @@ LOGIN PROCESS
200 200
201 1. If the login is on a tty, and no command has been specified, 201 1. If the login is on a tty, and no command has been specified,
202 prints last login time and /etc/motd (unless prevented in the 202 prints last login time and /etc/motd (unless prevented in the
203 configuration file or by $HOME/.hushlogin; see the FILES sec- 203 configuration file or by ~/.hushlogin; see the FILES section).
204 tion).
205 204
206 2. If the login is on a tty, records login time. 205 2. If the login is on a tty, records login time.
207 206
@@ -212,21 +211,20 @@ LOGIN PROCESS
212 211
213 5. Sets up basic environment. 212 5. Sets up basic environment.
214 213
215 6. Reads the file $HOME/.ssh/environment, if it exists, and users 214 6. Reads the file ~/.ssh/environment, if it exists, and users are
216 are allowed to change their environment. See the 215 allowed to change their environment. See the
217 PermitUserEnvironment option in sshd_config(5). 216 PermitUserEnvironment option in sshd_config(5).
218 217
219 7. Changes to user's home directory. 218 7. Changes to user's home directory.
220 219
221 8. If $HOME/.ssh/rc exists, runs it; else if /etc/ssh/sshrc ex- 220 8. If ~/.ssh/rc exists, runs it; else if /etc/ssh/sshrc exists,
222 ists, runs it; otherwise runs xauth. The ``rc'' files are 221 runs it; otherwise runs xauth. The ``rc'' files are given the
223 given the X11 authentication protocol and cookie in standard 222 X11 authentication protocol and cookie in standard input.
224 input.
225 223
226 9. Runs user's shell or command. 224 9. Runs user's shell or command.
227 225
228AUTHORIZED_KEYS FILE FORMAT 226AUTHORIZED_KEYS FILE FORMAT
229 $HOME/.ssh/authorized_keys is the default file that lists the public keys 227 ~/.ssh/authorized_keys is the default file that lists the public keys
230 that are permitted for RSA authentication in protocol version 1 and for 228 that are permitted for RSA authentication in protocol version 1 and for
231 public key authentication (PubkeyAuthentication) in protocol version 2. 229 public key authentication (PubkeyAuthentication) in protocol version 2.
232 AuthorizedKeysFile may be used to specify an alternative file. 230 AuthorizedKeysFile may be used to specify an alternative file.
@@ -329,10 +327,10 @@ AUTHORIZED_KEYS FILE FORMAT
329 permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 327 permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323
330 328
331SSH_KNOWN_HOSTS FILE FORMAT 329SSH_KNOWN_HOSTS FILE FORMAT
332 The /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts files contain 330 The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host
333 host public keys for all known hosts. The global file should be prepared 331 public keys for all known hosts. The global file should be prepared by
334 by the administrator (optional), and the per-user file is maintained au- 332 the administrator (optional), and the per-user file is maintained auto-
335 tomatically: whenever the user connects from an unknown host its key is 333 matically: whenever the user connects from an unknown host its key is
336 added to the per-user file. 334 added to the per-user file.
337 335
338 Each line in these files contains the following fields: hostnames, bits, 336 Each line in these files contains the following fields: hostnames, bits,
@@ -417,7 +415,7 @@ FILES
417 The content of this file is not sensitive; it can be world-read- 415 The content of this file is not sensitive; it can be world-read-
418 able. 416 able.
419 417
420 $HOME/.ssh/authorized_keys 418 ~/.ssh/authorized_keys
421 Lists the public keys (RSA or DSA) that can be used to log into 419 Lists the public keys (RSA or DSA) that can be used to log into
422 the user's account. This file must be readable by root (which 420 the user's account. This file must be readable by root (which
423 may on some machines imply it being world-readable if the user's 421 may on some machines imply it being world-readable if the user's
@@ -427,7 +425,7 @@ FILES
427 identity.pub, id_dsa.pub and/or id_rsa.pub files into this file, 425 identity.pub, id_dsa.pub and/or id_rsa.pub files into this file,
428 as described in ssh-keygen(1). 426 as described in ssh-keygen(1).
429 427
430 /etc/ssh/ssh_known_hosts, $HOME/.ssh/known_hosts 428 /etc/ssh/ssh_known_hosts, ~/.ssh/known_hosts
431 These files are consulted when using rhosts with RSA host authen- 429 These files are consulted when using rhosts with RSA host authen-
432 tication or protocol version 2 hostbased authentication to check 430 tication or protocol version 2 hostbased authentication to check
433 the public key of the host. The key must be listed in one of 431 the public key of the host. The key must be listed in one of
@@ -435,12 +433,12 @@ FILES
435 verify that it is connecting to the correct remote host. These 433 verify that it is connecting to the correct remote host. These
436 files should be writable only by root/the owner. 434 files should be writable only by root/the owner.
437 /etc/ssh/ssh_known_hosts should be world-readable, and 435 /etc/ssh/ssh_known_hosts should be world-readable, and
438 $HOME/.ssh/known_hosts can, but need not be, world-readable. 436 ~/.ssh/known_hosts can, but need not be, world-readable.
439 437
440 /etc/motd 438 /etc/motd
441 See motd(5). 439 See motd(5).
442 440
443 $HOME/.hushlogin 441 ~/.hushlogin
444 This file is used to suppress printing the last login time and 442 This file is used to suppress printing the last login time and
445 /etc/motd, if PrintLastLog and PrintMotd, respectively, are en- 443 /etc/motd, if PrintLastLog and PrintMotd, respectively, are en-
446 abled. It does not suppress printing of the banner specified by 444 abled. It does not suppress printing of the banner specified by
@@ -456,7 +454,7 @@ FILES
456 Access controls that should be enforced by tcp-wrappers are de- 454 Access controls that should be enforced by tcp-wrappers are de-
457 fined here. Further details are described in hosts_access(5). 455 fined here. Further details are described in hosts_access(5).
458 456
459 $HOME/.rhosts 457 ~/.rhosts
460 This file is used during RhostsRSAAuthentication and 458 This file is used during RhostsRSAAuthentication and
461 HostbasedAuthentication and contains host-username pairs, sepa- 459 HostbasedAuthentication and contains host-username pairs, sepa-
462 rated by a space, one per line. The given user on the corre- 460 rated by a space, one per line. The given user on the corre-
@@ -469,7 +467,7 @@ FILES
469 user name may be of the form +@groupname to specify all hosts or 467 user name may be of the form +@groupname to specify all hosts or
470 all users in the group. 468 all users in the group.
471 469
472 $HOME/.shosts 470 ~/.shosts
473 For ssh, this file is exactly the same as for .rhosts. However, 471 For ssh, this file is exactly the same as for .rhosts. However,
474 this file is not used by rlogin and rshd, so using this permits 472 this file is not used by rlogin and rshd, so using this permits
475 access using SSH only. 473 access using SSH only.
@@ -505,7 +503,7 @@ FILES
505 file may be useful in environments that want to run both 503 file may be useful in environments that want to run both
506 rsh/rlogin and ssh. 504 rsh/rlogin and ssh.
507 505
508 $HOME/.ssh/environment 506 ~/.ssh/environment
509 This file is read into the environment at login (if it exists). 507 This file is read into the environment at login (if it exists).
510 It can only contain empty lines, comment lines (that start with 508 It can only contain empty lines, comment lines (that start with
511 `#'), and assignment lines of the form name=value. The file 509 `#'), and assignment lines of the form name=value. The file
@@ -513,7 +511,7 @@ FILES
513 anyone else. Environment processing is disabled by default and 511 anyone else. Environment processing is disabled by default and
514 is controlled via the PermitUserEnvironment option. 512 is controlled via the PermitUserEnvironment option.
515 513
516 $HOME/.ssh/rc 514 ~/.ssh/rc
517 If this file exists, it is run with /bin/sh after reading the en- 515 If this file exists, it is run with /bin/sh after reading the en-
518 vironment files but before starting the user's shell or command. 516 vironment files but before starting the user's shell or command.
519 It must not produce any output on stdout; stderr must be used in- 517 It must not produce any output on stdout; stderr must be used in-
@@ -548,9 +546,9 @@ FILES
548 readable by anyone else. 546 readable by anyone else.
549 547
550 /etc/ssh/sshrc 548 /etc/ssh/sshrc
551 Like $HOME/.ssh/rc. This can be used to specify machine-specific 549 Like ~/.ssh/rc. This can be used to specify machine-specific lo-
552 login-time initializations globally. This file should be 550 gin-time initializations globally. This file should be writable
553 writable only by root, and should be world-readable. 551 only by root, and should be world-readable.
554 552
555SEE ALSO 553SEE ALSO
556 scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), 554 scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
@@ -573,4 +571,4 @@ AUTHORS
573 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 571 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
574 for privilege separation. 572 for privilege separation.
575 573
576OpenBSD 3.6 September 25, 1999 9 574OpenBSD 3.8 September 25, 1999 9
diff --git a/sshd.8 b/sshd.8
index ac3bf96cf..fdff4ac91 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: sshd.8,v 1.206 2005/03/01 14:59:49 jmc Exp $ 37.\" $OpenBSD: sshd.8,v 1.208 2005/06/08 03:50:00 djm Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSHD 8 39.Dt SSHD 8
40.Os 40.Os
@@ -80,7 +80,7 @@ supports both SSH protocol version 1 and 2 simultaneously.
80works as follows: 80works as follows:
81.Ss SSH protocol version 1 81.Ss SSH protocol version 1
82Each host has a host-specific RSA key 82Each host has a host-specific RSA key
83(normally 1024 bits) used to identify the host. 83(normally 2048 bits) used to identify the host.
84Additionally, when 84Additionally, when
85the daemon starts, it generates a server RSA key (normally 768 bits). 85the daemon starts, it generates a server RSA key (normally 768 bits).
86This key is normally regenerated every hour if it has been used, and 86This key is normally regenerated every hour if it has been used, and
@@ -350,7 +350,7 @@ If the login is on a tty, and no command has been specified,
350prints last login time and 350prints last login time and
351.Pa /etc/motd 351.Pa /etc/motd
352(unless prevented in the configuration file or by 352(unless prevented in the configuration file or by
353.Pa $HOME/.hushlogin ; 353.Pa ~/.hushlogin ;
354see the 354see the
355.Sx FILES 355.Sx FILES
356section). 356section).
@@ -367,7 +367,7 @@ Changes to run with normal user privileges.
367Sets up basic environment. 367Sets up basic environment.
368.It 368.It
369Reads the file 369Reads the file
370.Pa $HOME/.ssh/environment , 370.Pa ~/.ssh/environment ,
371if it exists, and users are allowed to change their environment. 371if it exists, and users are allowed to change their environment.
372See the 372See the
373.Cm PermitUserEnvironment 373.Cm PermitUserEnvironment
@@ -377,7 +377,7 @@ option in
377Changes to user's home directory. 377Changes to user's home directory.
378.It 378.It
379If 379If
380.Pa $HOME/.ssh/rc 380.Pa ~/.ssh/rc
381exists, runs it; else if 381exists, runs it; else if
382.Pa /etc/ssh/sshrc 382.Pa /etc/ssh/sshrc
383exists, runs 383exists, runs
@@ -390,7 +390,7 @@ authentication protocol and cookie in standard input.
390Runs user's shell or command. 390Runs user's shell or command.
391.El 391.El
392.Sh AUTHORIZED_KEYS FILE FORMAT 392.Sh AUTHORIZED_KEYS FILE FORMAT
393.Pa $HOME/.ssh/authorized_keys 393.Pa ~/.ssh/authorized_keys
394is the default file that lists the public keys that are 394is the default file that lists the public keys that are
395permitted for RSA authentication in protocol version 1 395permitted for RSA authentication in protocol version 1
396and for public key authentication (PubkeyAuthentication) 396and for public key authentication (PubkeyAuthentication)
@@ -528,7 +528,7 @@ permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323
528The 528The
529.Pa /etc/ssh/ssh_known_hosts 529.Pa /etc/ssh/ssh_known_hosts
530and 530and
531.Pa $HOME/.ssh/known_hosts 531.Pa ~/.ssh/known_hosts
532files contain host public keys for all known hosts. 532files contain host public keys for all known hosts.
533The global file should 533The global file should
534be prepared by the administrator (optional), and the per-user file is 534be prepared by the administrator (optional), and the per-user file is
@@ -639,7 +639,7 @@ listening for connections (if there are several daemons running
639concurrently for different ports, this contains the process ID of the one 639concurrently for different ports, this contains the process ID of the one
640started last). 640started last).
641The content of this file is not sensitive; it can be world-readable. 641The content of this file is not sensitive; it can be world-readable.
642.It Pa $HOME/.ssh/authorized_keys 642.It Pa ~/.ssh/authorized_keys
643Lists the public keys (RSA or DSA) that can be used to log into the user's account. 643Lists the public keys (RSA or DSA) that can be used to log into the user's account.
644This file must be readable by root (which may on some machines imply 644This file must be readable by root (which may on some machines imply
645it being world-readable if the user's home directory resides on an NFS 645it being world-readable if the user's home directory resides on an NFS
@@ -653,7 +653,7 @@ and/or
653.Pa id_rsa.pub 653.Pa id_rsa.pub
654files into this file, as described in 654files into this file, as described in
655.Xr ssh-keygen 1 . 655.Xr ssh-keygen 1 .
656.It Pa "/etc/ssh/ssh_known_hosts", "$HOME/.ssh/known_hosts" 656.It Pa "/etc/ssh/ssh_known_hosts", "~/.ssh/known_hosts"
657These files are consulted when using rhosts with RSA host 657These files are consulted when using rhosts with RSA host
658authentication or protocol version 2 hostbased authentication 658authentication or protocol version 2 hostbased authentication
659to check the public key of the host. 659to check the public key of the host.
@@ -663,12 +663,12 @@ to verify that it is connecting to the correct remote host.
663These files should be writable only by root/the owner. 663These files should be writable only by root/the owner.
664.Pa /etc/ssh/ssh_known_hosts 664.Pa /etc/ssh/ssh_known_hosts
665should be world-readable, and 665should be world-readable, and
666.Pa $HOME/.ssh/known_hosts 666.Pa ~/.ssh/known_hosts
667can, but need not be, world-readable. 667can, but need not be, world-readable.
668.It Pa /etc/motd 668.It Pa /etc/motd
669See 669See
670.Xr motd 5 . 670.Xr motd 5 .
671.It Pa $HOME/.hushlogin 671.It Pa ~/.hushlogin
672This file is used to suppress printing the last login time and 672This file is used to suppress printing the last login time and
673.Pa /etc/motd , 673.Pa /etc/motd ,
674if 674if
@@ -691,7 +691,7 @@ The file should be world-readable.
691Access controls that should be enforced by tcp-wrappers are defined here. 691Access controls that should be enforced by tcp-wrappers are defined here.
692Further details are described in 692Further details are described in
693.Xr hosts_access 5 . 693.Xr hosts_access 5 .
694.It Pa $HOME/.rhosts 694.It Pa ~/.rhosts
695This file is used during 695This file is used during
696.Cm RhostsRSAAuthentication 696.Cm RhostsRSAAuthentication
697and 697and
@@ -709,7 +709,7 @@ It is also possible to use netgroups in the file.
709Either host or user 709Either host or user
710name may be of the form +@groupname to specify all hosts or all users 710name may be of the form +@groupname to specify all hosts or all users
711in the group. 711in the group.
712.It Pa $HOME/.shosts 712.It Pa ~/.shosts
713For ssh, 713For ssh,
714this file is exactly the same as for 714this file is exactly the same as for
715.Pa .rhosts . 715.Pa .rhosts .
@@ -758,7 +758,7 @@ This is processed exactly as
758.Pa /etc/hosts.equiv . 758.Pa /etc/hosts.equiv .
759However, this file may be useful in environments that want to run both 759However, this file may be useful in environments that want to run both
760rsh/rlogin and ssh. 760rsh/rlogin and ssh.
761.It Pa $HOME/.ssh/environment 761.It Pa ~/.ssh/environment
762This file is read into the environment at login (if it exists). 762This file is read into the environment at login (if it exists).
763It can only contain empty lines, comment lines (that start with 763It can only contain empty lines, comment lines (that start with
764.Ql # ) , 764.Ql # ) ,
@@ -769,7 +769,7 @@ Environment processing is disabled by default and is
769controlled via the 769controlled via the
770.Cm PermitUserEnvironment 770.Cm PermitUserEnvironment
771option. 771option.
772.It Pa $HOME/.ssh/rc 772.It Pa ~/.ssh/rc
773If this file exists, it is run with 773If this file exists, it is run with
774.Pa /bin/sh 774.Pa /bin/sh
775after reading the 775after reading the
@@ -814,7 +814,7 @@ This file should be writable only by the user, and need not be
814readable by anyone else. 814readable by anyone else.
815.It Pa /etc/ssh/sshrc 815.It Pa /etc/ssh/sshrc
816Like 816Like
817.Pa $HOME/.ssh/rc . 817.Pa ~/.ssh/rc .
818This can be used to specify 818This can be used to specify
819machine-specific login-time initializations globally. 819machine-specific login-time initializations globally.
820This file should be writable only by root, and should be world-readable. 820This file should be writable only by root, and should be world-readable.
diff --git a/sshd.c b/sshd.c
index 51b476778..da0b26587 100644
--- a/sshd.c
+++ b/sshd.c
@@ -42,7 +42,7 @@
42 */ 42 */
43 43
44#include "includes.h" 44#include "includes.h"
45RCSID("$OpenBSD: sshd.c,v 1.308 2005/02/08 22:24:57 dtucker Exp $"); 45RCSID("$OpenBSD: sshd.c,v 1.312 2005/07/25 11:59:40 markus Exp $");
46 46
47#include <openssl/dh.h> 47#include <openssl/dh.h>
48#include <openssl/bn.h> 48#include <openssl/bn.h>
@@ -86,6 +86,10 @@ RCSID("$OpenBSD: sshd.c,v 1.308 2005/02/08 22:24:57 dtucker Exp $");
86#include "monitor_wrap.h" 86#include "monitor_wrap.h"
87#include "monitor_fdpass.h" 87#include "monitor_fdpass.h"
88 88
89#ifdef USE_SECURITY_SESSION_API
90#include <Security/AuthSession.h>
91#endif
92
89#ifdef LIBWRAP 93#ifdef LIBWRAP
90#include <tcpd.h> 94#include <tcpd.h>
91#include <syslog.h> 95#include <syslog.h>
@@ -358,7 +362,8 @@ key_regeneration_alarm(int sig)
358static void 362static void
359sshd_exchange_identification(int sock_in, int sock_out) 363sshd_exchange_identification(int sock_in, int sock_out)
360{ 364{
361 int i, mismatch; 365 u_int i;
366 int mismatch;
362 int remote_major, remote_minor; 367 int remote_major, remote_minor;
363 int major, minor; 368 int major, minor;
364 char *s; 369 char *s;
@@ -670,6 +675,12 @@ privsep_postauth(Authctxt *authctxt)
670 675
671 /* It is safe now to apply the key state */ 676 /* It is safe now to apply the key state */
672 monitor_apply_keystate(pmonitor); 677 monitor_apply_keystate(pmonitor);
678
679 /*
680 * Tell the packet layer that authentication was successful, since
681 * this information is not part of the key state.
682 */
683 packet_set_authenticated();
673} 684}
674 685
675static char * 686static char *
@@ -1033,7 +1044,7 @@ main(int ac, char **av)
1033 /* 1044 /*
1034 * Unset KRB5CCNAME, otherwise the user's session may inherit it from 1045 * Unset KRB5CCNAME, otherwise the user's session may inherit it from
1035 * root's environment 1046 * root's environment
1036 */ 1047 */
1037 if (getenv("KRB5CCNAME") != NULL) 1048 if (getenv("KRB5CCNAME") != NULL)
1038 unsetenv("KRB5CCNAME"); 1049 unsetenv("KRB5CCNAME");
1039 1050
@@ -1111,6 +1122,7 @@ main(int ac, char **av)
1111 options.protocol &= ~SSH_PROTO_1; 1122 options.protocol &= ~SSH_PROTO_1;
1112 } 1123 }
1113#ifndef GSSAPI 1124#ifndef GSSAPI
1125 /* The GSSAPI key exchange can run without a host key */
1114 if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) { 1126 if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) {
1115 logit("Disabling protocol version 2. Could not load host key"); 1127 logit("Disabling protocol version 2. Could not load host key");
1116 options.protocol &= ~SSH_PROTO_2; 1128 options.protocol &= ~SSH_PROTO_2;
@@ -1617,19 +1629,22 @@ main(int ac, char **av)
1617 signal(SIGCHLD, SIG_DFL); 1629 signal(SIGCHLD, SIG_DFL);
1618 signal(SIGINT, SIG_DFL); 1630 signal(SIGINT, SIG_DFL);
1619 1631
1620 /* Set SO_KEEPALIVE if requested. */
1621 if (options.tcp_keep_alive &&
1622 setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on,
1623 sizeof(on)) < 0)
1624 error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
1625
1626 /* 1632 /*
1627 * Register our connection. This turns encryption off because we do 1633 * Register our connection. This turns encryption off because we do
1628 * not have a key. 1634 * not have a key.
1629 */ 1635 */
1630 packet_set_connection(sock_in, sock_out); 1636 packet_set_connection(sock_in, sock_out);
1637 packet_set_server();
1638
1639 /* Set SO_KEEPALIVE if requested. */
1640 if (options.tcp_keep_alive && packet_connection_is_on_socket() &&
1641 setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0)
1642 error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
1631 1643
1632 remote_port = get_remote_port(); 1644 if ((remote_port = get_remote_port()) < 0) {
1645 debug("get_remote_port failed");
1646 cleanup_exit(255);
1647 }
1633 remote_ip = get_remote_ipaddr(); 1648 remote_ip = get_remote_ipaddr();
1634 1649
1635#ifdef SSH_AUDIT_EVENTS 1650#ifdef SSH_AUDIT_EVENTS
@@ -1655,6 +1670,62 @@ main(int ac, char **av)
1655 /* Log the connection. */ 1670 /* Log the connection. */
1656 verbose("Connection from %.500s port %d", remote_ip, remote_port); 1671 verbose("Connection from %.500s port %d", remote_ip, remote_port);
1657 1672
1673#ifdef USE_SECURITY_SESSION_API
1674 /*
1675 * Create a new security session for use by the new user login if
1676 * the current session is the root session or we are not launched
1677 * by inetd (eg: debugging mode or server mode). We do not
1678 * necessarily need to create a session if we are launched from
1679 * inetd because Panther xinetd will create a session for us.
1680 *
1681 * The only case where this logic will fail is if there is an
1682 * inetd running in a non-root session which is not creating
1683 * new sessions for us. Then all the users will end up in the
1684 * same session (bad).
1685 *
1686 * When the client exits, the session will be destroyed for us
1687 * automatically.
1688 *
1689 * We must create the session before any credentials are stored
1690 * (including AFS pags, which happens a few lines below).
1691 */
1692 {
1693 OSStatus err = 0;
1694 SecuritySessionId sid = 0;
1695 SessionAttributeBits sattrs = 0;
1696
1697 err = SessionGetInfo(callerSecuritySession, &sid, &sattrs);
1698 if (err)
1699 error("SessionGetInfo() failed with error %.8X",
1700 (unsigned) err);
1701 else
1702 debug("Current Session ID is %.8X / Session Attributes a
1703re %.8X",
1704 (unsigned) sid, (unsigned) sattrs);
1705
1706 if (inetd_flag && !(sattrs & sessionIsRoot))
1707 debug("Running in inetd mode in a non-root session... "
1708 "assuming inetd created the session for us.");
1709 else {
1710 debug("Creating new security session...");
1711 err = SessionCreate(0, sessionHasTTY | sessionIsRemote);
1712 if (err)
1713 error("SessionCreate() failed with error %.8X",
1714 (unsigned) err);
1715
1716 err = SessionGetInfo(callerSecuritySession, &sid,
1717 &sattrs);
1718 if (err)
1719 error("SessionGetInfo() failed with error %.8X",
1720 (unsigned) err);
1721 else
1722 debug("New Session ID is %.8X / Session Attribut
1723es are %.8X",
1724 (unsigned) sid, (unsigned) sattrs);
1725 }
1726 }
1727#endif
1728
1658 /* 1729 /*
1659 * We don\'t want to listen forever unless the other side 1730 * We don\'t want to listen forever unless the other side
1660 * successfully authenticates itself. So we set up an alarm which is 1731 * successfully authenticates itself. So we set up an alarm which is
@@ -1675,6 +1746,8 @@ main(int ac, char **av)
1675 authctxt = xmalloc(sizeof(*authctxt)); 1746 authctxt = xmalloc(sizeof(*authctxt));
1676 memset(authctxt, 0, sizeof(*authctxt)); 1747 memset(authctxt, 0, sizeof(*authctxt));
1677 1748
1749 authctxt->loginmsg = &loginmsg;
1750
1678 /* XXX global for cleanup, access from other modules */ 1751 /* XXX global for cleanup, access from other modules */
1679 the_authctxt = authctxt; 1752 the_authctxt = authctxt;
1680 1753
@@ -1898,7 +1971,7 @@ do_ssh1_kex(void)
1898 if (!rsafail) { 1971 if (!rsafail) {
1899 BN_mask_bits(session_key_int, sizeof(session_key) * 8); 1972 BN_mask_bits(session_key_int, sizeof(session_key) * 8);
1900 len = BN_num_bytes(session_key_int); 1973 len = BN_num_bytes(session_key_int);
1901 if (len < 0 || len > sizeof(session_key)) { 1974 if (len < 0 || (u_int)len > sizeof(session_key)) {
1902 error("do_connection: bad session key len from %s: " 1975 error("do_connection: bad session key len from %s: "
1903 "session_key_int %d > sizeof(session_key) %lu", 1976 "session_key_int %d > sizeof(session_key) %lu",
1904 get_remote_ipaddr(), len, (u_long)sizeof(session_key)); 1977 get_remote_ipaddr(), len, (u_long)sizeof(session_key));
@@ -1985,10 +2058,14 @@ do_ssh2_kex(void)
1985 myproposal[PROPOSAL_MAC_ALGS_CTOS] = 2058 myproposal[PROPOSAL_MAC_ALGS_CTOS] =
1986 myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; 2059 myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
1987 } 2060 }
1988 if (!options.compression) { 2061 if (options.compression == COMP_NONE) {
1989 myproposal[PROPOSAL_COMP_ALGS_CTOS] = 2062 myproposal[PROPOSAL_COMP_ALGS_CTOS] =
1990 myproposal[PROPOSAL_COMP_ALGS_STOC] = "none"; 2063 myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
2064 } else if (options.compression == COMP_DELAYED) {
2065 myproposal[PROPOSAL_COMP_ALGS_CTOS] =
2066 myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com";
1991 } 2067 }
2068
1992 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); 2069 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
1993 2070
1994 /* start key exchange */ 2071 /* start key exchange */
@@ -2008,7 +2085,10 @@ do_ssh2_kex(void)
2008 if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) 2085 if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
2009 orig = NULL; 2086 orig = NULL;
2010 2087
2011 gss = ssh_gssapi_server_mechanisms(); 2088 if (options.gss_keyex)
2089 gss = ssh_gssapi_server_mechanisms();
2090 else
2091 gss = NULL;
2012 2092
2013 if (gss && orig) { 2093 if (gss && orig) {
2014 int len = strlen(orig) + strlen(gss) + 2; 2094 int len = strlen(orig) + strlen(gss) + 2;
@@ -2041,6 +2121,7 @@ do_ssh2_kex(void)
2041 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 2121 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2042#ifdef GSSAPI 2122#ifdef GSSAPI
2043 kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; 2123 kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
2124 kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
2044#endif 2125#endif
2045 kex->server = 1; 2126 kex->server = 1;
2046 kex->client_version_string=client_version_string; 2127 kex->client_version_string=client_version_string;
diff --git a/sshd_config b/sshd_config
index 53ae9942e..1440c05ff 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
1# $OpenBSD: sshd_config,v 1.70 2004/12/23 23:11:00 djm Exp $ 1# $OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $
2 2
3# This is the sshd server system-wide configuration file. See 3# This is the sshd server system-wide configuration file. See
4# sshd_config(5) for more information. 4# sshd_config(5) for more information.
@@ -27,7 +27,7 @@
27#ServerKeyBits 768 27#ServerKeyBits 768
28 28
29# Logging 29# Logging
30#obsoletes QuietMode and FascistLogging 30# obsoletes QuietMode and FascistLogging
31#SyslogFacility AUTH 31#SyslogFacility AUTH
32#LogLevel INFO 32#LogLevel INFO
33 33
@@ -90,7 +90,7 @@
90#UseLogin no 90#UseLogin no
91#UsePrivilegeSeparation yes 91#UsePrivilegeSeparation yes
92#PermitUserEnvironment no 92#PermitUserEnvironment no
93#Compression yes 93#Compression delayed
94#ClientAliveInterval 0 94#ClientAliveInterval 0
95#ClientAliveCountMax 3 95#ClientAliveCountMax 3
96#UseDNS yes 96#UseDNS yes
diff --git a/sshd_config.0 b/sshd_config.0
index 1f8763faf..d821a84b6 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -83,18 +83,13 @@ DESCRIPTION
83 Specifies the ciphers allowed for protocol version 2. Multiple 83 Specifies the ciphers allowed for protocol version 2. Multiple
84 ciphers must be comma-separated. The supported ciphers are 84 ciphers must be comma-separated. The supported ciphers are
85 ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', 85 ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
86 ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour'', 86 ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'',
87 ``blowfish-cbc'', and ``cast128-cbc''. The default is 87 ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and
88 ``cast128-cbc''. The default is
88 89
89 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 90 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
90 aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' 91 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
91 92 aes192-ctr,aes256-ctr''
92 ClientAliveInterval
93 Sets a timeout interval in seconds after which if no data has
94 been received from the client, sshd will send a message through
95 the encrypted channel to request a response from the client. The
96 default is 0, indicating that these messages will not be sent to
97 the client. This option applies to protocol version 2 only.
98 93
99 ClientAliveCountMax 94 ClientAliveCountMax
100 Sets the number of client alive messages (see above) which may be 95 Sets the number of client alive messages (see above) which may be
@@ -113,9 +108,17 @@ DESCRIPTION
113 15, and ClientAliveCountMax is left at the default, unresponsive 108 15, and ClientAliveCountMax is left at the default, unresponsive
114 ssh clients will be disconnected after approximately 45 seconds. 109 ssh clients will be disconnected after approximately 45 seconds.
115 110
111 ClientAliveInterval
112 Sets a timeout interval in seconds after which if no data has
113 been received from the client, sshd will send a message through
114 the encrypted channel to request a response from the client. The
115 default is 0, indicating that these messages will not be sent to
116 the client. This option applies to protocol version 2 only.
117
116 Compression 118 Compression
117 Specifies whether compression is allowed. The argument must be 119 Specifies whether compression is allowed, or delayed until the
118 ``yes'' or ``no''. The default is ``yes''. 120 user has authenticated successfully. The argument must be
121 ``yes'', ``delayed'', or ``no''. The default is ``delayed''.
119 122
120 DenyGroups 123 DenyGroups
121 This keyword can be followed by a list of group name patterns, 124 This keyword can be followed by a list of group name patterns,
@@ -183,7 +186,7 @@ DESCRIPTION
183 186
184 IgnoreUserKnownHosts 187 IgnoreUserKnownHosts
185 Specifies whether sshd should ignore the user's 188 Specifies whether sshd should ignore the user's
186 $HOME/.ssh/known_hosts during RhostsRSAAuthentication or 189 ~/.ssh/known_hosts during RhostsRSAAuthentication or
187 HostbasedAuthentication. The default is ``no''. 190 HostbasedAuthentication. The default is ``no''.
188 191
189 KerberosAuthentication 192 KerberosAuthentication
@@ -383,7 +386,7 @@ DESCRIPTION
383 To disable TCP keepalive messages, the value should be set to 386 To disable TCP keepalive messages, the value should be set to
384 ``no''. 387 ``no''.
385 388
386 UseDNS Specifies whether sshd should lookup the remote host name and 389 UseDNS Specifies whether sshd should look up the remote host name and
387 check that the resolved host name for the remote IP address maps 390 check that the resolved host name for the remote IP address maps
388 back to the very same IP address. The default is ``yes''. 391 back to the very same IP address. The default is ``yes''.
389 392
@@ -498,4 +501,4 @@ AUTHORS
498 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 501 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
499 for privilege separation. 502 for privilege separation.
500 503
501OpenBSD 3.6 September 25, 1999 8 504OpenBSD 3.8 September 25, 1999 8
diff --git a/sshd_config.5 b/sshd_config.5
index 8d291e61d..5af4b1b27 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: sshd_config.5,v 1.39 2005/03/01 10:09:52 djm Exp $ 37.\" $OpenBSD: sshd_config.5,v 1.44 2005/07/25 11:59:40 markus Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSHD_CONFIG 5 39.Dt SSHD_CONFIG 5
40.Os 40.Os
@@ -168,24 +168,18 @@ The supported ciphers are
168.Dq aes128-ctr , 168.Dq aes128-ctr ,
169.Dq aes192-ctr , 169.Dq aes192-ctr ,
170.Dq aes256-ctr , 170.Dq aes256-ctr ,
171.Dq arcfour128 ,
172.Dq arcfour256 ,
171.Dq arcfour , 173.Dq arcfour ,
172.Dq blowfish-cbc , 174.Dq blowfish-cbc ,
173and 175and
174.Dq cast128-cbc . 176.Dq cast128-cbc .
175The default is 177The default is
176.Bd -literal 178.Bd -literal
177 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, 179 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
178 aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' 180 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
181 aes192-ctr,aes256-ctr''
179.Ed 182.Ed
180.It Cm ClientAliveInterval
181Sets a timeout interval in seconds after which if no data has been received
182from the client,
183.Nm sshd
184will send a message through the encrypted
185channel to request a response from the client.
186The default
187is 0, indicating that these messages will not be sent to the client.
188This option applies to protocol version 2 only.
189.It Cm ClientAliveCountMax 183.It Cm ClientAliveCountMax
190Sets the number of client alive messages (see above) which may be 184Sets the number of client alive messages (see above) which may be
191sent without 185sent without
@@ -213,14 +207,25 @@ If
213.Cm ClientAliveCountMax 207.Cm ClientAliveCountMax
214is left at the default, unresponsive ssh clients 208is left at the default, unresponsive ssh clients
215will be disconnected after approximately 45 seconds. 209will be disconnected after approximately 45 seconds.
210.It Cm ClientAliveInterval
211Sets a timeout interval in seconds after which if no data has been received
212from the client,
213.Nm sshd
214will send a message through the encrypted
215channel to request a response from the client.
216The default
217is 0, indicating that these messages will not be sent to the client.
218This option applies to protocol version 2 only.
216.It Cm Compression 219.It Cm Compression
217Specifies whether compression is allowed. 220Specifies whether compression is allowed, or delayed until
221the user has authenticated successfully.
218The argument must be 222The argument must be
219.Dq yes 223.Dq yes ,
224.Dq delayed ,
220or 225or
221.Dq no . 226.Dq no .
222The default is 227The default is
223.Dq yes . 228.Dq delayed .
224.It Cm DenyGroups 229.It Cm DenyGroups
225This keyword can be followed by a list of group name patterns, separated 230This keyword can be followed by a list of group name patterns, separated
226by spaces. 231by spaces.
@@ -272,6 +277,12 @@ Specifies whether user authentication based on GSSAPI is allowed.
272The default is 277The default is
273.Dq no . 278.Dq no .
274Note that this option applies to protocol version 2 only. 279Note that this option applies to protocol version 2 only.
280.It Cm GSSAPIKeyExchange
281Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
282doesn't rely on ssh keys to verify host identity.
283The default is
284.Dq no .
285Note that this option applies to protocol version 2 only.
275.It Cm GSSAPICleanupCredentials 286.It Cm GSSAPICleanupCredentials
276Specifies whether to automatically destroy the user's credentials cache 287Specifies whether to automatically destroy the user's credentials cache
277on logout. 288on logout.
@@ -327,7 +338,7 @@ The default is
327Specifies whether 338Specifies whether
328.Nm sshd 339.Nm sshd
329should ignore the user's 340should ignore the user's
330.Pa $HOME/.ssh/known_hosts 341.Pa ~/.ssh/known_hosts
331during 342during
332.Cm RhostsRSAAuthentication 343.Cm RhostsRSAAuthentication
333or 344or
@@ -630,7 +641,7 @@ To disable TCP keepalive messages, the value should be set to
630.It Cm UseDNS 641.It Cm UseDNS
631Specifies whether 642Specifies whether
632.Nm sshd 643.Nm sshd
633should lookup the remote host name and check that 644should look up the remote host name and check that
634the resolved host name for the remote IP address maps back to the 645the resolved host name for the remote IP address maps back to the
635very same IP address. 646very same IP address.
636The default is 647The default is
diff --git a/sshpty.c b/sshpty.c
index efd1dfefa..36788c4d7 100644
--- a/sshpty.c
+++ b/sshpty.c
@@ -128,10 +128,10 @@ pty_make_controlling_tty(int *ttyfd, const char *tty)
128 if (ioctl(*ttyfd, TIOCSCTTY, NULL) < 0) 128 if (ioctl(*ttyfd, TIOCSCTTY, NULL) < 0)
129 error("ioctl(TIOCSCTTY): %.100s", strerror(errno)); 129 error("ioctl(TIOCSCTTY): %.100s", strerror(errno));
130#endif /* TIOCSCTTY */ 130#endif /* TIOCSCTTY */
131#ifdef HAVE_NEWS4 131#ifdef NEED_SETPGRP
132 if (setpgrp(0,0) < 0) 132 if (setpgrp(0,0) < 0)
133 error("SETPGRP %s",strerror(errno)); 133 error("SETPGRP %s",strerror(errno));
134#endif /* HAVE_NEWS4 */ 134#endif /* NEED_SETPGRP */
135#ifdef USE_VHANGUP 135#ifdef USE_VHANGUP
136 old = signal(SIGHUP, SIG_IGN); 136 old = signal(SIGHUP, SIG_IGN);
137 vhangup(); 137 vhangup();
diff --git a/ttymodes.c b/ttymodes.c
index c32e213a4..cf4c7d5c6 100644
--- a/ttymodes.c
+++ b/ttymodes.c
@@ -241,6 +241,32 @@ baud_to_speed(int baud)
241} 241}
242 242
243/* 243/*
244 * Encode a special character into SSH line format.
245 */
246static u_int
247special_char_encode(cc_t c)
248{
249#ifdef _POSIX_VDISABLE
250 if (c == _POSIX_VDISABLE)
251 return 255;
252#endif /* _POSIX_VDISABLE */
253 return c;
254}
255
256/*
257 * Decode a special character from SSH line format.
258 */
259static cc_t
260special_char_decode(u_int c)
261{
262#ifdef _POSIX_VDISABLE
263 if (c == 255)
264 return _POSIX_VDISABLE;
265#endif /* _POSIX_VDISABLE */
266 return c;
267}
268
269/*
244 * Encodes terminal modes for the terminal referenced by fd 270 * Encodes terminal modes for the terminal referenced by fd
245 * or tiop in a portable manner, and appends the modes to a packet 271 * or tiop in a portable manner, and appends the modes to a packet
246 * being constructed. 272 * being constructed.
@@ -287,7 +313,7 @@ tty_make_modes(int fd, struct termios *tiop)
287#define TTYCHAR(NAME, OP) \ 313#define TTYCHAR(NAME, OP) \
288 debug3("tty_make_modes: %d %d", OP, tio.c_cc[NAME]); \ 314 debug3("tty_make_modes: %d %d", OP, tio.c_cc[NAME]); \
289 buffer_put_char(&buf, OP); \ 315 buffer_put_char(&buf, OP); \
290 put_arg(&buf, tio.c_cc[NAME]); 316 put_arg(&buf, special_char_encode(tio.c_cc[NAME]));
291 317
292#define TTYMODE(NAME, FIELD, OP) \ 318#define TTYMODE(NAME, FIELD, OP) \
293 debug3("tty_make_modes: %d %d", OP, ((tio.FIELD & NAME) != 0)); \ 319 debug3("tty_make_modes: %d %d", OP, ((tio.FIELD & NAME) != 0)); \
@@ -375,7 +401,7 @@ tty_parse_modes(int fd, int *n_bytes_ptr)
375#define TTYCHAR(NAME, OP) \ 401#define TTYCHAR(NAME, OP) \
376 case OP: \ 402 case OP: \
377 n_bytes += arg_size; \ 403 n_bytes += arg_size; \
378 tio.c_cc[NAME] = get_arg(); \ 404 tio.c_cc[NAME] = special_char_decode(get_arg()); \
379 debug3("tty_parse_modes: %d %d", OP, tio.c_cc[NAME]); \ 405 debug3("tty_parse_modes: %d %d", OP, tio.c_cc[NAME]); \
380 break; 406 break;
381#define TTYMODE(NAME, FIELD, OP) \ 407#define TTYMODE(NAME, FIELD, OP) \
diff --git a/version.h b/version.h
index 1a7f23bba..b9c87e2fb 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
1/* $OpenBSD: version.h,v 1.43 2005/03/08 23:49:48 djm Exp $ */ 1/* $OpenBSD: version.h,v 1.45 2005/08/31 09:28:42 markus Exp $ */
2 2
3#define SSH_VERSION "OpenSSH_4.0" 3#define SSH_VERSION "OpenSSH_4.2"
4 4
5#define SSH_PORTABLE "p1" 5#define SSH_PORTABLE "p1"
6#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 6#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-10 21:47:47 +0000