authorColin Watson <cjwatson@debian.org>2014-10-07 13:33:15 +0100
committerColin Watson <cjwatson@debian.org>2014-10-07 14:27:30 +0100
commitf0b009aea83e9ff3a50be30f51012099a5143c16 (patch)
tree3825e6f7e3b7ea4481d06ed89aba9a7a95150df5 /configure
parent47f0bad4330b16ec3bad870fcf9839c196e42c12 (diff)
parent762c062828f5a8f6ed189ed6e44ad38fd92f8b36 (diff)
Merge 6.7p1.
* New upstream release (http://www.openssh.com/txt/release-6.7): - sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. The full set of algorithms remains available if configured explicitly via the Ciphers and MACs sshd_config options. - ssh(1), sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket (closes: #236718). - ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519 key types. - sftp(1): Allow resumption of interrupted uploads. - ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is the same as the one sent during initial key exchange. - sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses when GatewayPorts=no; allows client to choose address family. - sshd(8): Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys option. - ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that expands to a unique identifer based on a hash of the tuple of (local host, remote user, hostname, port). Helps avoid exceeding miserly pathname limits for Unix domain sockets in multiplexing control paths. - sshd(8): Make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages. - Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is available. It considers time spent suspended, thereby ensuring timeouts (e.g. for expiring agent keys) fire correctly (closes: #734553). - Use prctl() to prevent sftp-server from accessing /proc/self/{mem,maps}. * Restore TCP wrappers support, removed upstream in 6.7. It is true that dropping this reduces preauth attack surface in sshd. 
On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. * Replace patch to disable OpenSSL version check with an updated version of Kurt Roeckx's patch from #732940 to just avoid checking the status field.
Diffstat (limited to 'configure')
-rwxr-xr-xconfigure193
1 files changed, 93 insertions, 100 deletions
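--- a/configure
+++ b/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.ac Revision: 1.571 .
+# From configure.ac Revision: 1.583 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.68 for OpenSSH Portable.
 #
@@ -725,7 +725,6 @@ with_osfsia
 with_zlib
 with_zlib_version_check
 with_skey
-with_tcp_wrappers
 with_ldns
 with_libedit
 with_audit
@@ -1418,7 +1417,6 @@ Optional Packages:
  --with-zlib=PATH Use zlib in PATH
  --without-zlib-version-check Disable zlib version check
  --with-skey[=PATH] Enable S/Key support (optionally in PATH)
- --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH)
  --with-ldns[=PATH] Use ldns for DNSSEC support (optionally in PATH)
  --with-libedit[=PATH] Enable libedit support for sftp
  --with-audit=module Enable audit support (modules=debug,bsm,linux)
@@ -9765,84 +9763,6 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
 
-# Check whether user wants TCP wrappers support
-TCPW_MSG="no"
-
-# Check whether --with-tcp-wrappers was given.
-if test "${with_tcp_wrappers+set}" = set; then :
- withval=$with_tcp_wrappers;
- if test "x$withval" != "xno" ; then
- saved_LIBS="$LIBS"
- saved_LDFLAGS="$LDFLAGS"
- saved_CPPFLAGS="$CPPFLAGS"
- if test -n "${withval}" && \
- test "x${withval}" != "xyes"; then
- if test -d "${withval}/lib"; then
- if test -n "${need_dash_r}"; then
- LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
- else
- LDFLAGS="-L${withval}/lib ${LDFLAGS}"
- fi
- else
- if test -n "${need_dash_r}"; then
- LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
- else
- LDFLAGS="-L${withval} ${LDFLAGS}"
- fi
- fi
- if test -d "${withval}/include"; then
- CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
- else
- CPPFLAGS="-I${withval} ${CPPFLAGS}"
- fi
- fi
- LIBS="-lwrap $LIBS"
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libwrap" >&5
-$as_echo_n "checking for libwrap... " >&6; }
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <tcpd.h>
-int deny_severity = 0, allow_severity = 0;
-
-int
-main ()
-{
-
- hosts_access(0);
-
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-
-$as_echo "#define LIBWRAP 1" >>confdefs.h
-
- SSHDLIBS="$SSHDLIBS -lwrap"
- TCPW_MSG="yes"
-
-else
-
- as_fn_error $? "*** libwrap missing" "$LINENO" 5
-
-
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
- LIBS="$saved_LIBS"
- fi
-
-
-fi
-
-
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 
@@ -10407,10 +10327,6 @@ for ac_func in \
  Blowfish_expandstate \
  Blowfish_expand0state \
  Blowfish_stream2word \
- arc4random \
- arc4random_buf \
- arc4random_stir \
- arc4random_uniform \
  asprintf \
  b64_ntop \
  __b64_ntop \
@@ -10454,6 +10370,7 @@ for ac_func in \
  mblen \
  md5_crypt \
  memmove \
+ memset_s \
  mkdtemp \
  mmap \
  ngetaddrinfo \
@@ -10512,7 +10429,6 @@ for ac_func in \
  user_from_uid \
  usleep \
  vasprintf \
- vhangup \
  vsnprintf \
  waitpid \
 
@@ -11328,11 +11244,9 @@ fi
 
 fi
 
-# If we don't have a working asprintf, then we strongly depend on vsnprintf
-# returning the right thing on overflow: the number of characters it tried to
-# create (as per SUSv3)
-if test "x$ac_cv_func_asprintf" != "xyes" && \
- test "x$ac_cv_func_vsnprintf" = "xyes" ; then
+# We depend on vsnprintf returning the right thing on overflow: the
+# number of characters it tried to create (as per SUSv3)
+if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether vsnprintf returns correct values on overflow" >&5
 $as_echo_n "checking whether vsnprintf returns correct values on overflow... " >&6; }
  if test "$cross_compiling" = yes; then :
@@ -11347,10 +11261,14 @@ else
 #include <stdio.h>
 #include <stdarg.h>
 
-int x_snprintf(char *str,size_t count,const char *fmt,...)
+int x_snprintf(char *str, size_t count, const char *fmt, ...)
 {
- size_t ret; va_list ap;
- va_start(ap, fmt); ret = vsnprintf(str, count, fmt, ap); va_end(ap);
+ size_t ret;
+ va_list ap;
+
+ va_start(ap, fmt);
+ ret = vsnprintf(str, count, fmt, ap);
+ va_end(ap);
  return ret;
 }
 
@@ -11358,8 +11276,12 @@ int
 main ()
 {
 
- char x[1];
- exit(x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1);
+char x[1];
+if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
+ return 1;
+if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
+ return 1;
+return 0;
 
  ;
  return 0;
@@ -11956,7 +11878,7 @@ main ()
  if(fd == NULL)
  exit(1);
 
- if ((rc = fprintf(fd ,"%x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
+ if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
  exit(1);
 
  exit(0);
@@ -12013,7 +11935,8 @@ main ()
  if(fd == NULL)
  exit(1);
 
- if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0)
+ if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(),
+ SSLeay_version(SSLEAY_VERSION))) <0)
  exit(1);
 
  exit(0);
@@ -12025,6 +11948,13 @@ _ACEOF
 if ac_fn_c_try_run "$LINENO"; then :
 
  ssl_library_ver=`cat conftest.ssllibver`
+ # Check version is supported.
+ case "$ssl_library_ver" in
+ 0090[0-7]*|009080[0-5]*)
+ as_fn_error $? "OpenSSL >= 0.9.8f required" "$LINENO" 5
+ ;;
+ *) ;;
+ esac
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ssl_library_ver" >&5
 $as_echo "$ssl_library_ver" >&6; }
 
@@ -12040,6 +11970,18 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
 fi
 
 
+# XXX make --without-openssl work
+
+cat >>confdefs.h <<_ACEOF
+#define WITH_OPENSSL 1
+_ACEOF
+
+
+cat >>confdefs.h <<_ACEOF
+#define WITH_SSH1 1
+_ACEOF
+
+
 
 # Check whether --with-openssl-header-check was given.
 if test "${with_openssl_header_check+set}" = set; then :
@@ -12573,6 +12515,25 @@ else
 fi
 done
 
+# Search for RIPE-MD support in OpenSSL
+for ac_func in EVP_ripemd160
+do :
+ ac_fn_c_check_func "$LINENO" "EVP_ripemd160" "ac_cv_func_EVP_ripemd160"
+if test "x$ac_cv_func_EVP_ripemd160" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_EVP_RIPEMD160 1
+_ACEOF
+
+else
+ unsupported_algorithms="$unsupported_algorithms \
+ hmac-ripemd160
+ hmac-ripemd160@openssh.com
+ hmac-ripemd160-etm@openssh.com"
+
+
+fi
+done
+
 
 # Check complete ECC support in OpenSSL
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has NID_X9_62_prime256v1" >&5
@@ -12773,6 +12734,24 @@ fi
 
 
 
+for ac_func in \
+ arc4random \
+ arc4random_buf \
+ arc4random_stir \
+ arc4random_uniform \
+
+do :
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
 saved_LIBS="$LIBS"
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ia_openinfo in -liaf" >&5
 $as_echo_n "checking for ia_openinfo in -liaf... " >&6; }
@@ -13182,7 +13161,14 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
-SSH_PRIVSEP_USER=sshd
+case "$host" in
+*-*-cygwin*)
+ SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
+ ;;
+*)
+ SSH_PRIVSEP_USER=sshd
+ ;;
+esac
 
 # Check whether --with-privsep-user was given.
 if test "${with_privsep_user+set}" = set; then :
@@ -13195,11 +13181,19 @@ if test "${with_privsep_user+set}" = set; then :
 
 fi
 
+if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
+
+cat >>confdefs.h <<_ACEOF
+#define SSH_PRIVSEP_USER CYGWIN_SSH_PRIVSEP_USER
+_ACEOF
+
+else
 
 cat >>confdefs.h <<_ACEOF
 #define SSH_PRIVSEP_USER "$SSH_PRIVSEP_USER"
 _ACEOF
 
+fi
 
 
 if test "x$have_linux_no_new_privs" = "x1" ; then
@@ -19872,7 +19866,6 @@ echo " KerberosV support: $KRB5_MSG"
 echo " SELinux support: $SELINUX_MSG"
 echo " Smartcard support: $SCARD_MSG"
 echo " S/KEY support: $SKEY_MSG"
-echo " TCP Wrappers support: $TCPW_MSG"
 echo " MD5 password support: $MD5_MSG"
 echo " libedit support: $LIBEDIT_MSG"
 echo " Solaris process contract support: $SPC_MSG"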
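Review bot: The commit message says TCP wrappers support is restored, but in this section configure loses the `--with-tcp-wrappers` option, the libwrap link test that wrote `#define LIBWRAP 1` and added `-lwrap` to `SSHDLIBS`, and the `echo " TCP Wrappers support: $TCPW_MSG"` summary line. configure is generated, so the restore presumably lives in configure.ac or a packaging patch outside this view and only takes effect if the build regenerates the script. Run as checked in, this script never defines `LIBWRAP`, so the resulting sshd would presumably stop applying hosts.allow/hosts.deny rules with no build failure to flag it. Confirm that the package build regenerates configure, or regenerate it in the same commit, and keep the summary line so build logs record whether wrappers were compiled in.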