- (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac]

[entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c] [ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c] [ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh] [regress/README.regress] Remove ssh-rand-helper and all its tentacles. PRNGd seeding has been rolled into entropy.c directly. Thanks to tim@ for testing on affected platforms.
author: Damien Miller <djm@mindrot.org> 2011-05-05 13:48:37 +1000
committer: Damien Miller <djm@mindrot.org> 2011-05-05 13:48:37 +1000
commit: f22019bdbfb986daf24428a9d37f9fe9bb3ff7ad (patch)
tree: e23aa2864fccb6f4097d962aa14f9d78ca02a929 /configure.ac
parent: 68790fedef210e03e36534b111e2f27b858170b4 (diff)
1 files changed, 75 insertions, 174 deletions
diff --git a/configure.ac b/configure.ac
index c8d90ea0d..573c09710 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.471 2011/01/26 20:38:58 tim Exp $
+# $Id: configure.ac,v 1.472 2011/05/05 03:48:37 djm Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
-AC_REVISION($Revision: 1.471 $)
+AC_REVISION($Revision: 1.472 $)
 AC_CONFIG_SRCDIR([ssh.c])
 AC_LANG([C])
@@ -2299,113 +2299,15 @@ AC_RUN_IFELSE(
        ],
        [
                AC_MSG_RESULT([no])
-                # Default to use of the rand helper if OpenSSL doesn't
-                # seed itself
-                USE_RAND_HELPER=yes
        ],
        [
                AC_MSG_WARN([cross compiling: assuming yes])
-                # This is safe, since all recent OpenSSL versions will
+                # This is safe, since we will fatal() at runtime if
-                # complain at runtime if not seeded correctly.
+                # OpenSSL is not seeded correctly.
                OPENSSL_SEEDS_ITSELF=yes
        ]
 )
-# Check for PAM libs
-PAM_MSG="no"
-AC_ARG_WITH([pam],
-        [  --with-pam              Enable PAM support ],
-        [
-                if test "x$withval" != "xno" ; then
-                        if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
-                           test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
-                                AC_MSG_ERROR([PAM headers not found])
-                        fi
-                        saved_LIBS="$LIBS"
-                        AC_CHECK_LIB([dl], [dlopen], , )
-                        AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
-                        AC_CHECK_FUNCS([pam_getenvlist])
-                        AC_CHECK_FUNCS([pam_putenv])
-                        LIBS="$saved_LIBS"
-                        PAM_MSG="yes"
-                        SSHDLIBS="$SSHDLIBS -lpam"
-                        AC_DEFINE([USE_PAM], [1],
-                                [Define if you want to enable PAM support])
-                        if test $ac_cv_lib_dl_dlopen = yes; then
-                                case "$LIBS" in
-                                *-ldl*)
-                                        # libdl already in LIBS
-                                        ;;
-                                *)
-                                        SSHDLIBS="$SSHDLIBS -ldl"
-                                        ;;
-                                esac
-                        fi
-                fi
-        ]
-)
-# Check for older PAM
-if test "x$PAM_MSG" = "xyes" ; then
-        # Check PAM strerror arguments (old PAM)
-        AC_MSG_CHECKING([whether pam_strerror takes only one argument])
-        AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
-#include <stdlib.h>
-#if defined(HAVE_SECURITY_PAM_APPL_H)
-#include <security/pam_appl.h>
-#elif defined (HAVE_PAM_PAM_APPL_H)
-#include <pam/pam_appl.h>
-#endif
-                ]], [[
-(void)pam_strerror((pam_handle_t *)NULL, -1);
-                ]])], [AC_MSG_RESULT([no])], [
-                        AC_DEFINE([HAVE_OLD_PAM], [1],
-                                [Define if you have an old version of PAM
-                                which takes only one argument to pam_strerror])
-                        AC_MSG_RESULT([yes])
-                        PAM_MSG="yes (old library)"
-                
-        ])
-fi
-# Do we want to force the use of the rand helper?
-AC_ARG_WITH([rand-helper],
-        [  --with-rand-helper      Use subprocess to gather strong randomness ],
-        [
-                if test "x$withval" = "xno" ; then
-                        # Force use of OpenSSL's internal RNG, even if
-                        # the previous test showed it to be unseeded.
-                        if test -z "$OPENSSL_SEEDS_ITSELF" ; then
-                                AC_MSG_WARN([*** Forcing use of OpenSSL's non-self-seeding PRNG])
-                                OPENSSL_SEEDS_ITSELF=yes
-                                USE_RAND_HELPER=""
-                        fi
-                else
-                        USE_RAND_HELPER=yes
-                fi
-        ],
-)
-# Which randomness source do we use?
-if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then
-        # OpenSSL only
-        AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
-                [Define if you want OpenSSL's internally seeded PRNG only])
-        RAND_MSG="OpenSSL internal ONLY"
-        INSTALL_SSH_RAND_HELPER=""
-elif test ! -z "$USE_RAND_HELPER" ; then
-        # install rand helper
-        RAND_MSG="ssh-rand-helper"
-        INSTALL_SSH_RAND_HELPER="yes"
-fi
-AC_SUBST([INSTALL_SSH_RAND_HELPER])
-### Configuration of ssh-rand-helper
 # PRNGD TCP socket
 AC_ARG_WITH([prngd-port],
        [  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
@@ -2460,7 +2362,7 @@ AC_ARG_WITH([prngd-socket],
        ],
        [
                # Check for existing socket only if we don't have a random device already
-                if test "$USE_RAND_HELPER" = yes ; then
+                if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
                        AC_MSG_CHECKING([for PRNGD/EGD socket])
                        # Insert other locations here
                        for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
@@ -2479,19 +2381,79 @@ AC_ARG_WITH([prngd-socket],
        ]
 )
-# Change default command timeout for hashing entropy source
+# Which randomness source do we use?
-entropy_timeout=200
+if test ! -z "$PRNGD_PORT" ; then
-AC_ARG_WITH([entropy-timeout],
+        RAND_MSG="PRNGd port $PRNGD_PORT"
-        [  --with-entropy-timeout  Specify entropy gathering command timeout (msec)],
+elif test ! -z "$PRNGD_SOCKET" ; then
+        RAND_MSG="PRNGd socket $PRNGD_SOCKET"
+elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
+        AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
+                [Define if you want OpenSSL's internally seeded PRNG only])
+        RAND_MSG="OpenSSL internal ONLY"
+else
+        AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
+fi
+# Check for PAM libs
+PAM_MSG="no"
+AC_ARG_WITH([pam],
+        [  --with-pam              Enable PAM support ],
        [
-                if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                if test "x$withval" != "xno" ; then
-                    test "x${withval}" != "xyes"; then
+                        if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
-                        entropy_timeout=$withval
+                           test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
+                                AC_MSG_ERROR([PAM headers not found])
+                        fi
+                        saved_LIBS="$LIBS"
+                        AC_CHECK_LIB([dl], [dlopen], , )
+                        AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
+                        AC_CHECK_FUNCS([pam_getenvlist])
+                        AC_CHECK_FUNCS([pam_putenv])
+                        LIBS="$saved_LIBS"
+                        PAM_MSG="yes"
+                        SSHDLIBS="$SSHDLIBS -lpam"
+                        AC_DEFINE([USE_PAM], [1],
+                                [Define if you want to enable PAM support])
+                        if test $ac_cv_lib_dl_dlopen = yes; then
+                                case "$LIBS" in
+                                *-ldl*)
+                                        # libdl already in LIBS
+                                        ;;
+                                *)
+                                        SSHDLIBS="$SSHDLIBS -ldl"
+                                        ;;
+                                esac
+                        fi
                fi
        ]
 )
-AC_DEFINE_UNQUOTED([ENTROPY_TIMEOUT_MSEC], [$entropy_timeout],
-        [Builtin PRNG command timeout])
+# Check for older PAM
+if test "x$PAM_MSG" = "xyes" ; then
+        # Check PAM strerror arguments (old PAM)
+        AC_MSG_CHECKING([whether pam_strerror takes only one argument])
+        AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <stdlib.h>
+#if defined(HAVE_SECURITY_PAM_APPL_H)
+#include <security/pam_appl.h>
+#elif defined (HAVE_PAM_PAM_APPL_H)
+#include <pam/pam_appl.h>
+#endif
+                ]], [[
+(void)pam_strerror((pam_handle_t *)NULL, -1);
+                ]])], [AC_MSG_RESULT([no])], [
+                        AC_DEFINE([HAVE_OLD_PAM], [1],
+                                [Define if you have an old version of PAM
+                                which takes only one argument to pam_strerror])
+                        AC_MSG_RESULT([yes])
+                        PAM_MSG="yes (old library)"
+                
+        ])
+fi
 SSH_PRIVSEP_USER=sshd
 AC_ARG_WITH([privsep-user],
@@ -2507,56 +2469,6 @@ AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
        [non-privileged user for privilege separation])
 AC_SUBST([SSH_PRIVSEP_USER])
-# We do this little dance with the search path to insure
-# that programs that we select for use by installed programs
-# (which may be run by the super-user) come from trusted
-# locations before they come from the user's private area.
-# This should help avoid accidentally configuring some
-# random version of a program in someone's personal bin.
-OPATH=$PATH
-PATH=/bin:/usr/bin
-test -h /bin 2> /dev/null && PATH=/usr/bin
-test -d /sbin && PATH=$PATH:/sbin
-test -d /usr/sbin && PATH=$PATH:/usr/sbin
-PATH=$PATH:/etc:$OPATH
-# These programs are used by the command hashing source to gather entropy
-OSSH_PATH_ENTROPY_PROG([PROG_LS], [ls])
-OSSH_PATH_ENTROPY_PROG([PROG_NETSTAT], [netstat])
-OSSH_PATH_ENTROPY_PROG([PROG_ARP], [arp])
-OSSH_PATH_ENTROPY_PROG([PROG_IFCONFIG], [ifconfig])
-OSSH_PATH_ENTROPY_PROG([PROG_JSTAT], [jstat])
-OSSH_PATH_ENTROPY_PROG([PROG_PS], [ps])
-OSSH_PATH_ENTROPY_PROG([PROG_SAR], [sar])
-OSSH_PATH_ENTROPY_PROG([PROG_W], [w])
-OSSH_PATH_ENTROPY_PROG([PROG_WHO], [who])
-OSSH_PATH_ENTROPY_PROG([PROG_LAST], [last])
-OSSH_PATH_ENTROPY_PROG([PROG_LASTLOG], [lastlog])
-OSSH_PATH_ENTROPY_PROG([PROG_DF], [df])
-OSSH_PATH_ENTROPY_PROG([PROG_VMSTAT], [vmstat])
-OSSH_PATH_ENTROPY_PROG([PROG_UPTIME], [uptime])
-OSSH_PATH_ENTROPY_PROG([PROG_IPCS], [ipcs])
-OSSH_PATH_ENTROPY_PROG([PROG_TAIL], [tail])
-# restore PATH
-PATH=$OPATH
-# Where does ssh-rand-helper get its randomness from?
-INSTALL_SSH_PRNG_CMDS=""
-if test ! -z "$INSTALL_SSH_RAND_HELPER" ; then
-        if test ! -z "$PRNGD_PORT" ; then
-                RAND_HELPER_MSG="TCP localhost:$PRNGD_PORT"
-        elif test ! -z "$PRNGD_SOCKET" ; then
-                RAND_HELPER_MSG="Unix domain socket \"$PRNGD_SOCKET\""
-        else
-                RAND_HELPER_MSG="Command hashing (timeout $entropy_timeout)"
-                RAND_HELPER_CMDHASH=yes
-                INSTALL_SSH_PRNG_CMDS="yes"
-        fi
-fi
-AC_SUBST([INSTALL_SSH_PRNG_CMDS])
 # Cheap hack to ensure NEWS-OS libraries are arranged right.
 if test ! -z "$SONY" ; then
  LIBS="$LIBS -liberty";
@@ -4157,7 +4069,7 @@ AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
 AC_EXEEXT
 AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
        openbsd-compat/Makefile openbsd-compat/regress/Makefile \
-        ssh_prng_cmds survey.sh])
+        survey.sh])
 AC_OUTPUT
 # Print summary of options
@@ -4212,9 +4124,6 @@ echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 echo "              Random number source: $RAND_MSG"
-if test ! -z "$USE_RAND_HELPER" ; then
-echo "     ssh-rand-helper collects from: $RAND_HELPER_MSG"
-fi
 echo ""
@@ -4246,14 +4155,6 @@ if test "x$PAM_MSG" = "xyes" ; then
        echo ""
 fi
-if test ! -z "$RAND_HELPER_CMDHASH" ; then
-        echo "WARNING: you are using the builtin random number collection "
-        echo "service. Please read WARNING.RNG and request that your OS "
-        echo "vendor includes kernel-based random number collection in "
-        echo "future versions of your OS."
-        echo ""
-fi
 if test ! -z "$NO_PEERCHECK" ; then
        echo "WARNING: the operating system that you are using does not"
        echo "appear to support getpeereid(), getpeerucred() or the"
author	Damien Miller <djm@mindrot.org>	2011-05-05 13:48:37 +1000
committer	Damien Miller <djm@mindrot.org>	2011-05-05 13:48:37 +1000
commit	f22019bdbfb986daf24428a9d37f9fe9bb3ff7ad (patch)
tree	e23aa2864fccb6f4097d962aa14f9d78ca02a929 /configure.ac
parent	68790fedef210e03e36534b111e2f27b858170b4 (diff)

diff --git a/configure.ac b/configure.ac index c8d90ea0d..573c09710 100644 --- a/configure.ac +++ b/configure.ac
@@ -1,4 +1,4 @@
1	# $Id: configure.ac,v 1.471 2011/01/26 20:38:58 tim Exp $	1	# $Id: configure.ac,v 1.472 2011/05/05 03:48:37 djm Exp $
2	#	2	#
3	# Copyright (c) 1999-2004 Damien Miller	3	# Copyright (c) 1999-2004 Damien Miller
4	#	4	#
@@ -15,7 +15,7 @@
15	# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16		16
17	AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])	17	AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
18	AC_REVISION($Revision: 1.471 $)	18	AC_REVISION($Revision: 1.472 $)
19	AC_CONFIG_SRCDIR([ssh.c])	19	AC_CONFIG_SRCDIR([ssh.c])
20	AC_LANG([C])	20	AC_LANG([C])
21		21
@@ -2299,113 +2299,15 @@ AC_RUN_IFELSE(
2299	],	2299	],
2300	[	2300	[
2301	AC_MSG_RESULT([no])	2301	AC_MSG_RESULT([no])
2302	# Default to use of the rand helper if OpenSSL doesn't
2303	# seed itself
2304	USE_RAND_HELPER=yes
2305	],	2302	],
2306	[	2303	[
2307	AC_MSG_WARN([cross compiling: assuming yes])	2304	AC_MSG_WARN([cross compiling: assuming yes])
2308	# This is safe, since all recent OpenSSL versions will	2305	# This is safe, since we will fatal() at runtime if
2309	# complain at runtime if not seeded correctly.	2306	# OpenSSL is not seeded correctly.
2310	OPENSSL_SEEDS_ITSELF=yes	2307	OPENSSL_SEEDS_ITSELF=yes
2311	]	2308	]
2312	)	2309	)
2313		2310
2314	# Check for PAM libs
2315	PAM_MSG="no"
2316	AC_ARG_WITH([pam],
2317	[ --with-pam Enable PAM support ],
2318	[
2319	if test "x$withval" != "xno" ; then
2320	if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
2321	test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
2322	AC_MSG_ERROR([PAM headers not found])
2323	fi
2324
2325	saved_LIBS="$LIBS"
2326	AC_CHECK_LIB([dl], [dlopen], , )
2327	AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
2328	AC_CHECK_FUNCS([pam_getenvlist])
2329	AC_CHECK_FUNCS([pam_putenv])
2330	LIBS="$saved_LIBS"
2331
2332	PAM_MSG="yes"
2333
2334	SSHDLIBS="$SSHDLIBS -lpam"
2335	AC_DEFINE([USE_PAM], [1],
2336	[Define if you want to enable PAM support])
2337
2338	if test $ac_cv_lib_dl_dlopen = yes; then
2339	case "$LIBS" in
2340	-ldl)
2341	# libdl already in LIBS
2342	;;
2343	*)
2344	SSHDLIBS="$SSHDLIBS -ldl"
2345	;;
2346	esac
2347	fi
2348	fi
2349	]
2350	)
2351
2352	# Check for older PAM
2353	if test "x$PAM_MSG" = "xyes" ; then
2354	# Check PAM strerror arguments (old PAM)
2355	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
2356	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2357	#include <stdlib.h>
2358	#if defined(HAVE_SECURITY_PAM_APPL_H)
2359	#include <security/pam_appl.h>
2360	#elif defined (HAVE_PAM_PAM_APPL_H)
2361	#include <pam/pam_appl.h>
2362	#endif
2363	]], [[
2364	(void)pam_strerror((pam_handle_t *)NULL, -1);
2365	]])], [AC_MSG_RESULT([no])], [
2366	AC_DEFINE([HAVE_OLD_PAM], [1],
2367	[Define if you have an old version of PAM
2368	which takes only one argument to pam_strerror])
2369	AC_MSG_RESULT([yes])
2370	PAM_MSG="yes (old library)"
2371
2372	])
2373	fi
2374
2375	# Do we want to force the use of the rand helper?
2376	AC_ARG_WITH([rand-helper],
2377	[ --with-rand-helper Use subprocess to gather strong randomness ],
2378	[
2379	if test "x$withval" = "xno" ; then
2380	# Force use of OpenSSL's internal RNG, even if
2381	# the previous test showed it to be unseeded.
2382	if test -z "$OPENSSL_SEEDS_ITSELF" ; then
2383	AC_MSG_WARN([*** Forcing use of OpenSSL's non-self-seeding PRNG])
2384	OPENSSL_SEEDS_ITSELF=yes
2385	USE_RAND_HELPER=""
2386	fi
2387	else
2388	USE_RAND_HELPER=yes
2389	fi
2390	],
2391	)
2392
2393	# Which randomness source do we use?
2394	if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then
2395	# OpenSSL only
2396	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
2397	[Define if you want OpenSSL's internally seeded PRNG only])
2398	RAND_MSG="OpenSSL internal ONLY"
2399	INSTALL_SSH_RAND_HELPER=""
2400	elif test ! -z "$USE_RAND_HELPER" ; then
2401	# install rand helper
2402	RAND_MSG="ssh-rand-helper"
2403	INSTALL_SSH_RAND_HELPER="yes"
2404	fi
2405	AC_SUBST([INSTALL_SSH_RAND_HELPER])
2406
2407	### Configuration of ssh-rand-helper
2408
2409	# PRNGD TCP socket	2311	# PRNGD TCP socket
2410	AC_ARG_WITH([prngd-port],	2312	AC_ARG_WITH([prngd-port],
2411	[ --with-prngd-port=PORT read entropy from PRNGD/EGD TCP localhost:PORT],	2313	[ --with-prngd-port=PORT read entropy from PRNGD/EGD TCP localhost:PORT],
@@ -2460,7 +2362,7 @@ AC_ARG_WITH([prngd-socket],
2460	],	2362	],
2461	[	2363	[
2462	# Check for existing socket only if we don't have a random device already	2364	# Check for existing socket only if we don't have a random device already
2463	if test "$USE_RAND_HELPER" = yes ; then	2365	if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
2464	AC_MSG_CHECKING([for PRNGD/EGD socket])	2366	AC_MSG_CHECKING([for PRNGD/EGD socket])
2465	# Insert other locations here	2367	# Insert other locations here
2466	for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do	2368	for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
@@ -2479,19 +2381,79 @@ AC_ARG_WITH([prngd-socket],
2479	]	2381	]
2480	)	2382	)
2481		2383
2482	# Change default command timeout for hashing entropy source	2384	# Which randomness source do we use?
2483	entropy_timeout=200	2385	if test ! -z "$PRNGD_PORT" ; then
2484	AC_ARG_WITH([entropy-timeout],	2386	RAND_MSG="PRNGd port $PRNGD_PORT"
2485	[ --with-entropy-timeout Specify entropy gathering command timeout (msec)],	2387	elif test ! -z "$PRNGD_SOCKET" ; then
		2388	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
		2389	elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
		2390	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
		2391	[Define if you want OpenSSL's internally seeded PRNG only])
		2392	RAND_MSG="OpenSSL internal ONLY"
		2393	else
		2394	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
		2395	fi
		2396
		2397	# Check for PAM libs
		2398	PAM_MSG="no"
		2399	AC_ARG_WITH([pam],
		2400	[ --with-pam Enable PAM support ],
2486	[	2401	[
2487	if test -n "$withval" && test "x$withval" != "xno" && \	2402	if test "x$withval" != "xno" ; then
2488	test "x${withval}" != "xyes"; then	2403	if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
2489	entropy_timeout=$withval	2404	test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
		2405	AC_MSG_ERROR([PAM headers not found])
		2406	fi
		2407
		2408	saved_LIBS="$LIBS"
		2409	AC_CHECK_LIB([dl], [dlopen], , )
		2410	AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
		2411	AC_CHECK_FUNCS([pam_getenvlist])
		2412	AC_CHECK_FUNCS([pam_putenv])
		2413	LIBS="$saved_LIBS"
		2414
		2415	PAM_MSG="yes"
		2416
		2417	SSHDLIBS="$SSHDLIBS -lpam"
		2418	AC_DEFINE([USE_PAM], [1],
		2419	[Define if you want to enable PAM support])
		2420
		2421	if test $ac_cv_lib_dl_dlopen = yes; then
		2422	case "$LIBS" in
		2423	-ldl)
		2424	# libdl already in LIBS
		2425	;;
		2426	*)
		2427	SSHDLIBS="$SSHDLIBS -ldl"
		2428	;;
		2429	esac
		2430	fi
2490	fi	2431	fi
2491	]	2432	]
2492	)	2433	)
2493	AC_DEFINE_UNQUOTED([ENTROPY_TIMEOUT_MSEC], [$entropy_timeout],	2434
2494	[Builtin PRNG command timeout])	2435	# Check for older PAM
		2436	if test "x$PAM_MSG" = "xyes" ; then
		2437	# Check PAM strerror arguments (old PAM)
		2438	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
		2439	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
		2440	#include <stdlib.h>
		2441	#if defined(HAVE_SECURITY_PAM_APPL_H)
		2442	#include <security/pam_appl.h>
		2443	#elif defined (HAVE_PAM_PAM_APPL_H)
		2444	#include <pam/pam_appl.h>
		2445	#endif
		2446	]], [[
		2447	(void)pam_strerror((pam_handle_t *)NULL, -1);
		2448	]])], [AC_MSG_RESULT([no])], [
		2449	AC_DEFINE([HAVE_OLD_PAM], [1],
		2450	[Define if you have an old version of PAM
		2451	which takes only one argument to pam_strerror])
		2452	AC_MSG_RESULT([yes])
		2453	PAM_MSG="yes (old library)"
		2454
		2455	])
		2456	fi
2495		2457
2496	SSH_PRIVSEP_USER=sshd	2458	SSH_PRIVSEP_USER=sshd
2497	AC_ARG_WITH([privsep-user],	2459	AC_ARG_WITH([privsep-user],
@@ -2507,56 +2469,6 @@ AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
2507	[non-privileged user for privilege separation])	2469	[non-privileged user for privilege separation])
2508	AC_SUBST([SSH_PRIVSEP_USER])	2470	AC_SUBST([SSH_PRIVSEP_USER])
2509		2471
2510	# We do this little dance with the search path to insure
2511	# that programs that we select for use by installed programs
2512	# (which may be run by the super-user) come from trusted
2513	# locations before they come from the user's private area.
2514	# This should help avoid accidentally configuring some
2515	# random version of a program in someone's personal bin.
2516
2517	OPATH=$PATH
2518	PATH=/bin:/usr/bin
2519	test -h /bin 2> /dev/null && PATH=/usr/bin
2520	test -d /sbin && PATH=$PATH:/sbin
2521	test -d /usr/sbin && PATH=$PATH:/usr/sbin
2522	PATH=$PATH:/etc:$OPATH
2523
2524	# These programs are used by the command hashing source to gather entropy
2525	OSSH_PATH_ENTROPY_PROG([PROG_LS], [ls])
2526	OSSH_PATH_ENTROPY_PROG([PROG_NETSTAT], [netstat])
2527	OSSH_PATH_ENTROPY_PROG([PROG_ARP], [arp])
2528	OSSH_PATH_ENTROPY_PROG([PROG_IFCONFIG], [ifconfig])
2529	OSSH_PATH_ENTROPY_PROG([PROG_JSTAT], [jstat])
2530	OSSH_PATH_ENTROPY_PROG([PROG_PS], [ps])
2531	OSSH_PATH_ENTROPY_PROG([PROG_SAR], [sar])
2532	OSSH_PATH_ENTROPY_PROG([PROG_W], [w])
2533	OSSH_PATH_ENTROPY_PROG([PROG_WHO], [who])
2534	OSSH_PATH_ENTROPY_PROG([PROG_LAST], [last])
2535	OSSH_PATH_ENTROPY_PROG([PROG_LASTLOG], [lastlog])
2536	OSSH_PATH_ENTROPY_PROG([PROG_DF], [df])
2537	OSSH_PATH_ENTROPY_PROG([PROG_VMSTAT], [vmstat])
2538	OSSH_PATH_ENTROPY_PROG([PROG_UPTIME], [uptime])
2539	OSSH_PATH_ENTROPY_PROG([PROG_IPCS], [ipcs])
2540	OSSH_PATH_ENTROPY_PROG([PROG_TAIL], [tail])
2541	# restore PATH
2542	PATH=$OPATH
2543
2544	# Where does ssh-rand-helper get its randomness from?
2545	INSTALL_SSH_PRNG_CMDS=""
2546	if test ! -z "$INSTALL_SSH_RAND_HELPER" ; then
2547	if test ! -z "$PRNGD_PORT" ; then
2548	RAND_HELPER_MSG="TCP localhost:$PRNGD_PORT"
2549	elif test ! -z "$PRNGD_SOCKET" ; then
2550	RAND_HELPER_MSG="Unix domain socket \"$PRNGD_SOCKET\""
2551	else
2552	RAND_HELPER_MSG="Command hashing (timeout $entropy_timeout)"
2553	RAND_HELPER_CMDHASH=yes
2554	INSTALL_SSH_PRNG_CMDS="yes"
2555	fi
2556	fi
2557	AC_SUBST([INSTALL_SSH_PRNG_CMDS])
2558
2559
2560	# Cheap hack to ensure NEWS-OS libraries are arranged right.	2472	# Cheap hack to ensure NEWS-OS libraries are arranged right.
2561	if test ! -z "$SONY" ; then	2473	if test ! -z "$SONY" ; then
2562	LIBS="$LIBS -liberty";	2474	LIBS="$LIBS -liberty";
@@ -4157,7 +4069,7 @@ AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
4157	AC_EXEEXT	4069	AC_EXEEXT
4158	AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \	4070	AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
4159	openbsd-compat/Makefile openbsd-compat/regress/Makefile \	4071	openbsd-compat/Makefile openbsd-compat/regress/Makefile \
4160	ssh_prng_cmds survey.sh])	4072	survey.sh])
4161	AC_OUTPUT	4073	AC_OUTPUT
4162		4074
4163	# Print summary of options	4075	# Print summary of options
@@ -4212,9 +4124,6 @@ echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
4212	echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"	4124	echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
4213	echo " BSD Auth support: $BSD_AUTH_MSG"	4125	echo " BSD Auth support: $BSD_AUTH_MSG"
4214	echo " Random number source: $RAND_MSG"	4126	echo " Random number source: $RAND_MSG"
4215	if test ! -z "$USE_RAND_HELPER" ; then
4216	echo " ssh-rand-helper collects from: $RAND_HELPER_MSG"
4217	fi
4218		4127
4219	echo ""	4128	echo ""
4220		4129
@@ -4246,14 +4155,6 @@ if test "x$PAM_MSG" = "xyes" ; then
4246	echo ""	4155	echo ""
4247	fi	4156	fi
4248		4157
4249	if test ! -z "$RAND_HELPER_CMDHASH" ; then
4250	echo "WARNING: you are using the builtin random number collection "
4251	echo "service. Please read WARNING.RNG and request that your OS "
4252	echo "vendor includes kernel-based random number collection in "
4253	echo "future versions of your OS."
4254	echo ""
4255	fi
4256
4257	if test ! -z "$NO_PEERCHECK" ; then	4158	if test ! -z "$NO_PEERCHECK" ; then
4258	echo "WARNING: the operating system that you are using does not"	4159	echo "WARNING: the operating system that you are using does not"
4259	echo "appear to support getpeereid(), getpeerucred() or the"	4160	echo "appear to support getpeereid(), getpeerucred() or the"