-rw-r--r--ChangeLog864
-rw-r--r--Makefile.in4
-rw-r--r--README4
-rw-r--r--README.platform12
-rw-r--r--README.tun132
-rw-r--r--acconfig.h458
-rw-r--r--aclocal.m44
-rw-r--r--auth-krb5.c9
-rw-r--r--auth-options.c41
-rw-r--r--auth-options.h3
-rw-r--r--auth-pam.c16
-rw-r--r--auth2-gss.c7
-rw-r--r--auth2.c12
-rw-r--r--bufaux.c5
-rw-r--r--buildpkg.sh.in2
-rw-r--r--canohost.c41
-rw-r--r--channels.c168
-rw-r--r--channels.h20
-rw-r--r--cipher-aes.c12
-rw-r--r--cipher-ctr.c7
-rw-r--r--cipher.c4
-rw-r--r--clientloop.c30
-rw-r--r--config.h.in880
-rwxr-xr-xconfigure2620
-rw-r--r--configure.ac847
-rw-r--r--contrib/caldera/openssh.spec4
-rw-r--r--contrib/cygwin/ssh-host-config4
-rw-r--r--contrib/cygwin/ssh-user-config4
-rw-r--r--contrib/redhat/openssh.spec2
-rw-r--r--contrib/suse/openssh.spec244
-rw-r--r--contrib/suse/rc.sshd133
-rw-r--r--contrib/suse/sysconfig.ssh9
-rw-r--r--debian/changelog44
-rw-r--r--defines.h16
-rw-r--r--dns.c35
-rw-r--r--dns.h4
-rw-r--r--entropy.c38
-rw-r--r--entropy.h7
-rw-r--r--envpass.sh44
-rw-r--r--gss-genr.c7
-rw-r--r--gss-serv-krb5.c2
-rw-r--r--gss-serv.c39
-rw-r--r--hostfile.c6
-rw-r--r--includes.h5
-rw-r--r--kex.c37
-rw-r--r--kex.h22
-rw-r--r--kexdh.c10
-rw-r--r--kexdhc.c15
-rw-r--r--kexdhs.c17
-rw-r--r--kexgex.c16
-rw-r--r--kexgexc.c17
-rw-r--r--kexgexs.c20
-rw-r--r--loginrec.c6
-rw-r--r--misc.c173
-rw-r--r--misc.h23
-rw-r--r--monitor.c14
-rw-r--r--monitor_wrap.c1
-rw-r--r--openbsd-compat/Makefile.in6
-rw-r--r--openbsd-compat/base64.c9
-rw-r--r--openbsd-compat/basename.c39
-rw-r--r--openbsd-compat/bindresvport.c8
-rw-r--r--openbsd-compat/bsd-asprintf.c95
-rw-r--r--openbsd-compat/bsd-closefrom.c4
-rw-r--r--openbsd-compat/bsd-misc.c9
-rw-r--r--openbsd-compat/bsd-snprintf.c610
-rw-r--r--openbsd-compat/daemon.c9
-rw-r--r--openbsd-compat/dirname.c40
-rw-r--r--openbsd-compat/getcwd.c54
-rw-r--r--openbsd-compat/getgrouplist.c19
-rw-r--r--openbsd-compat/getopt.c4
-rw-r--r--openbsd-compat/getrrsetbyname.c114
-rw-r--r--openbsd-compat/glob.c122
-rw-r--r--openbsd-compat/glob.h8
-rw-r--r--openbsd-compat/inet_aton.c28
-rw-r--r--openbsd-compat/inet_ntoa.c14
-rw-r--r--openbsd-compat/inet_ntop.c30
-rw-r--r--openbsd-compat/mktemp.c19
-rw-r--r--openbsd-compat/openbsd-compat.h15
-rw-r--r--openbsd-compat/openssl-compat.h15
-rw-r--r--openbsd-compat/port-tun.c252
-rw-r--r--openbsd-compat/port-tun.h33
-rw-r--r--openbsd-compat/port-uw.c24
-rw-r--r--openbsd-compat/readpassphrase.c8
-rw-r--r--openbsd-compat/readpassphrase.h43
-rw-r--r--openbsd-compat/realpath.c5
-rw-r--r--openbsd-compat/rresvport.c16
-rw-r--r--openbsd-compat/setenv.c80
-rw-r--r--openbsd-compat/sigact.c8
-rw-r--r--openbsd-compat/sigact.h8
-rw-r--r--openbsd-compat/strlcat.c16
-rw-r--r--openbsd-compat/strlcpy.c16
-rw-r--r--openbsd-compat/strmode.c14
-rw-r--r--openbsd-compat/strsep.c14
-rw-r--r--openbsd-compat/strtoll.c9
-rw-r--r--openbsd-compat/strtonum.c4
-rw-r--r--openbsd-compat/strtoul.c22
-rw-r--r--openbsd-compat/sys-queue.h4
-rw-r--r--openbsd-compat/sys-tree.h4
-rw-r--r--openbsd-compat/vis.c62
-rw-r--r--openbsd-compat/vis.h15
-rwxr-xr-xopensshd.init.in2
-rw-r--r--packet.c4
-rw-r--r--progressmeter.c6
-rw-r--r--readconf.c74
-rw-r--r--readconf.h10
-rw-r--r--regress/README.regress6
-rw-r--r--regress/agent-getpeereid.sh4
-rw-r--r--regress/forwarding.sh33
-rw-r--r--regress/multiplex.sh2
-rw-r--r--regress/reconfigure.sh5
-rw-r--r--regress/scp-ssh-wrapper.sh11
-rw-r--r--regress/scp.sh36
-rw-r--r--regress/test-exec.sh7
-rw-r--r--regress/try-ciphers.sh5
-rw-r--r--regress/yes-head.sh2
-rw-r--r--scp.03
-rw-r--r--scp.13
-rw-r--r--scp.c152
-rw-r--r--servconf.c30
-rw-r--r--servconf.h5
-rw-r--r--serverloop.c88
-rw-r--r--session.c58
-rw-r--r--sftp-client.c9
-rw-r--r--sftp-common.h5
-rw-r--r--sftp-server.02
-rw-r--r--sftp-server.c12
-rw-r--r--sftp.07
-rw-r--r--sftp.15
-rw-r--r--sftp.c14
-rw-r--r--ssh-add.02
-rw-r--r--ssh-add.c8
-rw-r--r--ssh-agent.012
-rw-r--r--ssh-agent.18
-rw-r--r--ssh-agent.c7
-rw-r--r--ssh-keygen.013
-rw-r--r--ssh-keygen.19
-rw-r--r--ssh-keygen.c32
-rw-r--r--ssh-keyscan.08
-rw-r--r--ssh-keyscan.13
-rw-r--r--ssh-keyscan.c23
-rw-r--r--ssh-keysign.02
-rw-r--r--ssh-keysign.c9
-rw-r--r--ssh-rand-helper.02
-rw-r--r--ssh.0831
-rw-r--r--ssh.11189
-rw-r--r--ssh.c89
-rw-r--r--ssh_config5
-rw-r--r--ssh_config.0162
-rw-r--r--ssh_config.5162
-rw-r--r--sshconnect.c43
-rw-r--r--sshconnect.h4
-rw-r--r--sshconnect1.c8
-rw-r--r--sshconnect2.c4
-rw-r--r--sshd.0194
-rw-r--r--sshd.8255
-rw-r--r--sshd.c52
-rw-r--r--sshd_config3
-rw-r--r--sshd_config.018
-rw-r--r--sshd_config.520
-rw-r--r--version.h6
160 files changed, 8489 insertions, 4442 deletions
diff --git a/ChangeLog b/ChangeLog
index 5d7e7f182..ad4bf8838 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,865 @@
120060211
2 - (dtucker) [README] Bump release notes URL.
3 - (djm) Release 4.3p2
4
520060208
6 - (tim) [session.c] Logout records were not updated on systems with
7 post auth privsep disabled due to bug 1086 changes. Analysis and patch
8 by vinschen at redhat.com. OK tim@, dtucker@.
9 - (dtucker) [configure.ac] Typo in Ultrix and NewsOS sections (NEED_SETPRGP
10 -> NEED_SETPGRP), reported by Berhard Simon. ok tim@
11
1220060206
13 - (tim) [configure.ac] Remove unnecessary tests for net/if.h and
14 netinet/in_systm.h. OK dtucker@.
15
1620060205
17 - (tim) [configure.ac] Add AC_REVISION. Add sys/time.h to lastlog.h test
18 for Solaris. OK dtucker@.
19 - (tim) [configure.ac] Bug #1149. Changes in QNX section only. Patch by
20 kraai at ftbfs.org.
21
2220060203
23 - (tim) [configure.ac] test for egrep (AC_PROG_EGREP) before first
24 AC_CHECK_HEADERS test. Without it, if AC_CHECK_HEADERS is first run
25 by a platform specific check, builtin standard includes tests will be
26 skipped on the other platforms.
27 Analysis and suggestion by vinschen at redhat.com, patch by dtucker@.
28 OK tim@, djm@.
29
3020060202
31 - (dtucker) [configure.ac] Bug #1148: Fix "crippled AES" test so that it
32 works with picky compilers. Patch from alex.kiernan at thus.net.
33
3420060201
35 - (djm) [regress/test-exec.sh] Try 'logname' as well as 'whoami' to
36 determine the user's login name - needed for regress tests on Solaris
37 10 and OpenSolaris
38 - (djm) OpenBSD CVS Sync
39 - jmc@cvs.openbsd.org 2006/02/01 09:06:50
40 [sshd.8]
41 - merge sections on protocols 1 and 2 into a single section
42 - remove configuration file section
43 ok markus
44 - jmc@cvs.openbsd.org 2006/02/01 09:11:41
45 [sshd.8]
46 small tweak;
47 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
48 [contrib/suse/openssh.spec] Update versions ahead of release
49 - markus@cvs.openbsd.org 2006/02/01 11:27:22
50 [version.h]
51 openssh 4.3
52 - (djm) Release OpenSSH 4.3p1
53
5420060131
55 - (djm) OpenBSD CVS Sync
56 - jmc@cvs.openbsd.org 2006/01/20 11:21:45
57 [ssh_config.5]
58 - word change, agreed w/ markus
59 - consistency fixes
60 - jmc@cvs.openbsd.org 2006/01/25 09:04:34
61 [sshd.8]
62 move the options description up the page, and a few additional tweaks
63 whilst in here;
64 ok markus
65 - jmc@cvs.openbsd.org 2006/01/25 09:07:22
66 [sshd.8]
67 move subsections to full sections;
68 - jmc@cvs.openbsd.org 2006/01/26 08:47:56
69 [ssh.1]
70 add a section on verifying host keys in dns;
71 written with a lot of help from jakob;
72 feedback dtucker/markus;
73 ok markus
74 - reyk@cvs.openbsd.org 2006/01/30 12:22:22
75 [channels.c]
76 mark channel as write failed or dead instead of read failed on error
77 of the channel output filter.
78 ok markus@
79 - jmc@cvs.openbsd.org 2006/01/30 13:37:49
80 [ssh.1]
81 remove an incorrect sentence;
82 reported by roumen petrov;
83 ok djm markus
84 - djm@cvs.openbsd.org 2006/01/31 10:19:02
85 [misc.c misc.h scp.c sftp.c]
86 fix local arbitrary command execution vulnerability on local/local and
87 remote/remote copies (CVE-2006-0225, bz #1094), patch by
88 t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@
89 - djm@cvs.openbsd.org 2006/01/31 10:35:43
90 [scp.c]
91 "scp a b c" shouldn't clobber "c" when it is not a directory, report and
92 fix from biorn@; ok markus@
93 - (djm) Sync regress tests to OpenBSD:
94 - dtucker@cvs.openbsd.org 2005/03/10 10:20:39
95 [regress/forwarding.sh]
96 Regress test for ClearAllForwardings (bz #994); ok markus@
97 - dtucker@cvs.openbsd.org 2005/04/25 09:54:09
98 [regress/multiplex.sh]
99 Don't call cleanup in multiplex as test-exec will cleanup anyway
100 found by tim@, ok djm@
101 NB. ID sync only, we already had this
102 - djm@cvs.openbsd.org 2005/05/20 23:14:15
103 [regress/test-exec.sh]
104 force addressfamily=inet for tests, unbreaking dynamic-forward regress for
105 recently committed nc SOCKS5 changes
106 - djm@cvs.openbsd.org 2005/05/24 04:10:54
107 [regress/try-ciphers.sh]
108 oops, new arcfour modes here too
109 - markus@cvs.openbsd.org 2005/06/30 11:02:37
110 [regress/scp.sh]
111 allow SUDO=sudo; from Alexander Bluhm
112 - grunk@cvs.openbsd.org 2005/11/14 21:25:56
113 [regress/agent-getpeereid.sh]
114 all other scripts in this dir use $SUDO, not 'sudo', so pull this even
115 ok markus@
116 - dtucker@cvs.openbsd.org 2005/12/14 04:36:39
117 [regress/scp-ssh-wrapper.sh]
118 Fix assumption about how many args scp will pass; ok djm@
119 NB. ID sync only, we already had this
120 - djm@cvs.openbsd.org 2006/01/27 06:49:21
121 [scp.sh]
122 regress test for local to local scp copies; ok dtucker@
123 - djm@cvs.openbsd.org 2006/01/31 10:23:23
124 [scp.sh]
125 regression test for CVE-2006-0225 written by dtucker@
126 - djm@cvs.openbsd.org 2006/01/31 10:36:33
127 [scp.sh]
128 regress test for "scp a b c" where "c" is not a directory
129
13020060129
131 - (dtucker) [configure.ac opensshd.init.in] Bug #1144: Use /bin/sh for the
132 opensshd.init script interpretter if /sbin/sh does not exist. ok tim@
133
13420060120
135 - (dtucker) OpenBSD CVS Sync
136 - jmc@cvs.openbsd.org 2006/01/15 17:37:05
137 [ssh.1]
138 correction from deraadt
139 - jmc@cvs.openbsd.org 2006/01/18 10:53:29
140 [ssh.1]
141 add a section on ssh-based vpn, based on reyk's README.tun;
142 - dtucker@cvs.openbsd.org 2006/01/20 00:14:55
143 [scp.1 ssh.1 ssh_config.5 sftp.1]
144 Document RekeyLimit. Based on patch from jan.iven at cern.ch from mindrot
145 #1056 with feedback from jmc, djm and markus; ok jmc@ djm@
146
14720060114
148 - (djm) OpenBSD CVS Sync
149 - jmc@cvs.openbsd.org 2006/01/06 13:27:32
150 [ssh.1]
151 weed out some duplicate info in the known_hosts FILES entries;
152 ok djm
153 - jmc@cvs.openbsd.org 2006/01/06 13:29:10
154 [ssh.1]
155 final round of whacking FILES for duplicate info, and some consistency
156 fixes;
157 ok djm
158 - jmc@cvs.openbsd.org 2006/01/12 14:44:12
159 [ssh.1]
160 split sections on tcp and x11 forwarding into two sections.
161 add an example in the tcp section, based on sth i wrote for ssh faq;
162 help + ok: djm markus dtucker
163 - jmc@cvs.openbsd.org 2006/01/12 18:48:48
164 [ssh.1]
165 refer to `TCP' rather than `TCP/IP' in the context of connection
166 forwarding;
167 ok markus
168 - jmc@cvs.openbsd.org 2006/01/12 22:20:00
169 [sshd.8]
170 refer to TCP forwarding, rather than TCP/IP forwarding;
171 - jmc@cvs.openbsd.org 2006/01/12 22:26:02
172 [ssh_config.5]
173 refer to TCP forwarding, rather than TCP/IP forwarding;
174 - jmc@cvs.openbsd.org 2006/01/12 22:34:12
175 [ssh.1]
176 back out a sentence - AUTHENTICATION already documents this;
177
17820060109
179 - (dtucker) [contrib/cygwin/ssh-host-config] Make sshd service depend on
180 tcpip service so it's always started after IP is up. Patch from
181 vinschen at redhat.com.
182
18320060106
184 - (djm) OpenBSD CVS Sync
185 - jmc@cvs.openbsd.org 2006/01/03 16:31:10
186 [ssh.1]
187 move FILES to a -compact list, and make each files an item in that list.
188 this avoids nastly line wrap when we have long pathnames, and treats
189 each file as a separate item;
190 remove the .Pa too, since it is useless.
191 - jmc@cvs.openbsd.org 2006/01/03 16:35:30
192 [ssh.1]
193 use a larger width for the ENVIRONMENT list;
194 - jmc@cvs.openbsd.org 2006/01/03 16:52:36
195 [ssh.1]
196 put FILES in some sort of order: sort by pathname
197 - jmc@cvs.openbsd.org 2006/01/03 16:55:18
198 [ssh.1]
199 tweak the description of ~/.ssh/environment
200 - jmc@cvs.openbsd.org 2006/01/04 18:42:46
201 [ssh.1]
202 chop out some duplication in the .{r,s}hosts/{h,sh}osts.equiv FILES
203 entries;
204 ok markus
205 - jmc@cvs.openbsd.org 2006/01/04 18:45:01
206 [ssh.1]
207 remove .Xr's to rsh(1) and telnet(1): they are hardly needed;
208 - jmc@cvs.openbsd.org 2006/01/04 19:40:24
209 [ssh.1]
210 +.Xr ssh-keyscan 1 ,
211 - jmc@cvs.openbsd.org 2006/01/04 19:50:09
212 [ssh.1]
213 -.Xr gzip 1 ,
214 - djm@cvs.openbsd.org 2006/01/05 23:43:53
215 [misc.c]
216 check that stdio file descriptors are actually closed before clobbering
217 them in sanitise_stdfd(). problems occurred when a lower numbered fd was
218 closed, but higher ones weren't. spotted by, and patch tested by
219 Frédéric Olivié
220
22120060103
222 - (djm) [channels.c] clean up harmless merge error, from reyk@
223
22420060103
225 - (djm) OpenBSD CVS Sync
226 - jmc@cvs.openbsd.org 2006/01/02 17:09:49
227 [ssh_config.5 sshd_config.5]
228 some corrections from michael knudsen;
229
23020060102
231 - (djm) [README.tun] Add README.tun, missed during sync of tun(4) support
232 - (djm) OpenBSD CVS Sync
233 - jmc@cvs.openbsd.org 2005/12/31 10:46:17
234 [ssh.1]
235 merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER
236 AUTHENTICATION" sections into "AUTHENTICATION";
237 some rewording done to make the text read better, plus some
238 improvements from djm;
239 ok djm
240 - jmc@cvs.openbsd.org 2005/12/31 13:44:04
241 [ssh.1]
242 clean up ENVIRONMENT a little;
243 - jmc@cvs.openbsd.org 2005/12/31 13:45:19
244 [ssh.1]
245 .Nm does not require an argument;
246 - stevesk@cvs.openbsd.org 2006/01/01 08:59:27
247 [includes.h misc.c]
248 move <net/if.h>; ok djm@
249 - stevesk@cvs.openbsd.org 2006/01/01 10:08:48
250 [misc.c]
251 no trailing "\n" for debug()
252 - djm@cvs.openbsd.org 2006/01/02 01:20:31
253 [sftp-client.c sftp-common.h sftp-server.c]
254 use a common max. packet length, no binary change
255 - reyk@cvs.openbsd.org 2006/01/02 07:53:44
256 [misc.c]
257 clarify tun(4) opening - set the mode and bring the interface up. also
258 (re)sets the tun(4) layer 2 LINK0 flag for existing tunnel interfaces.
259 suggested and ok by djm@
260 - jmc@cvs.openbsd.org 2006/01/02 12:31:06
261 [ssh.1]
262 start to cut some duplicate info from FILES;
263 help/ok djm
264
26520060101
266 - (djm) [Makefile.in configure.ac includes.h misc.c]
267 [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Add support
268 for tunnel forwarding for FreeBSD and NetBSD. NetBSD's support is
269 limited to IPv4 tunnels only, and most versions don't support the
270 tap(4) device at all.
271 - (djm) [configure.ac] Fix linux/if_tun.h test
272 - (djm) [openbsd-compat/port-tun.c] Linux needs linux/if.h too
273
27420051229
275 - (djm) OpenBSD CVS Sync
276 - stevesk@cvs.openbsd.org 2005/12/28 22:46:06
277 [canohost.c channels.c clientloop.c]
278 use 'break-in' for consistency; ok deraadt@ ok and input jmc@
279 - reyk@cvs.openbsd.org 2005/12/30 15:56:37
280 [channels.c channels.h clientloop.c]
281 add channel output filter interface.
282 ok djm@, suggested by markus@
283 - jmc@cvs.openbsd.org 2005/12/30 16:59:00
284 [sftp.1]
285 do not suggest that interactive authentication will work
286 with the -b flag;
287 based on a diff from john l. scarfone;
288 ok djm
289 - stevesk@cvs.openbsd.org 2005/12/31 01:38:45
290 [ssh.1]
291 document -MM; ok djm@
292 - (djm) [openbsd-compat/port-tun.c openbsd-compat/port-tun.h configure.ac]
293 [serverloop.c ssh.c openbsd-compat/Makefile.in]
294 [openbsd-compat/openbsd-compat.h] Implement tun(4) forwarding
295 compatability support for Linux, diff from reyk@
296 - (djm) [configure.ac] Disable Linux tun(4) compat code if linux/tun.h does
297 not exist
298 - (djm) [configure.ac] oops, make that linux/if_tun.h
299
30020051229
301 - (tim) [buildpkg.sh.in] grep for $SSHDUID instead of $SSHDGID on /etc/passwd
302
30320051224
304 - (djm) OpenBSD CVS Sync
305 - jmc@cvs.openbsd.org 2005/12/20 21:59:43
306 [ssh.1]
307 merge the sections on protocols 1 and 2 into one section on
308 authentication;
309 feedback djm dtucker
310 ok deraadt markus dtucker
311 - jmc@cvs.openbsd.org 2005/12/20 22:02:50
312 [ssh.1]
313 .Ss -> .Sh: subsections have not made this page more readable
314 - jmc@cvs.openbsd.org 2005/12/20 22:09:41
315 [ssh.1]
316 move info on ssh return values and config files up into the main
317 description;
318 - jmc@cvs.openbsd.org 2005/12/21 11:48:16
319 [ssh.1]
320 -L and -R descriptions are now above, not below, ~C description;
321 - jmc@cvs.openbsd.org 2005/12/21 11:57:25
322 [ssh.1]
323 options now described `above', rather than `later';
324 - jmc@cvs.openbsd.org 2005/12/21 12:53:31
325 [ssh.1]
326 -Y does X11 forwarding too;
327 ok markus
328 - stevesk@cvs.openbsd.org 2005/12/21 22:44:26
329 [sshd.8]
330 clarify precedence of -p, Port, ListenAddress; ok and help jmc@
331 - jmc@cvs.openbsd.org 2005/12/22 10:31:40
332 [ssh_config.5]
333 put the description of "UsePrivilegedPort" in the correct place;
334 - jmc@cvs.openbsd.org 2005/12/22 11:23:42
335 [ssh.1]
336 expand the description of -w somewhat;
337 help/ok reyk
338 - jmc@cvs.openbsd.org 2005/12/23 14:55:53
339 [ssh.1]
340 - sync the description of -e w/ synopsis
341 - simplify the description of -I
342 - note that -I is only available if support compiled in, and that it
343 isn't by default
344 feedback/ok djm@
345 - jmc@cvs.openbsd.org 2005/12/23 23:46:23
346 [ssh.1]
347 less mark up for -c;
348 - djm@cvs.openbsd.org 2005/12/24 02:27:41
349 [session.c sshd.c]
350 eliminate some code duplicated in privsep and non-privsep paths, and
351 explicitly clear SIGALRM handler; "groovy" deraadt@
352
35320051220
354 - (dtucker) OpenBSD CVS Sync
355 - reyk@cvs.openbsd.org 2005/12/13 15:03:02
356 [serverloop.c]
357 if forced_tun_device is not set, it is -1 and not SSH_TUNID_ANY
358 - jmc@cvs.openbsd.org 2005/12/16 18:07:08
359 [ssh.1]
360 move the option descriptions up the page: start of a restructure;
361 ok markus deraadt
362 - jmc@cvs.openbsd.org 2005/12/16 18:08:53
363 [ssh.1]
364 simplify a sentence;
365 - jmc@cvs.openbsd.org 2005/12/16 18:12:22
366 [ssh.1]
367 make the description of -c a little nicer;
368 - jmc@cvs.openbsd.org 2005/12/16 18:14:40
369 [ssh.1]
370 signpost the protocol sections;
371 - stevesk@cvs.openbsd.org 2005/12/17 21:13:05
372 [ssh_config.5 session.c]
373 spelling: fowarding, fowarded
374 - stevesk@cvs.openbsd.org 2005/12/17 21:36:42
375 [ssh_config.5]
376 spelling: intented -> intended
377 - dtucker@cvs.openbsd.org 2005/12/20 04:41:07
378 [ssh.c]
379 exit(255) on error to match description in ssh(1); bz #1137; ok deraadt@
380
38120051219
382 - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac
383 openbsd-compat/openssl-compat.h] Check for and work around broken AES
384 ciphers >128bit on (some) Solaris 10 systems. ok djm@
385
38620051217
387 - (dtucker) [defines.h] HP-UX system headers define "YES" and "NO" which
388 scp.c also uses, so undef them here.
389 - (dtucker) [configure.ac openbsd-compat/bsd-snprintf.c] Bug #1133: Our
390 snprintf replacement can have a conflicting declaration in HP-UX's system
391 headers (const vs. no const) so we now check for and work around it. Patch
392 from the dynamic duo of David Leonard and Ted Percival.
393
39420051214
395 - (dtucker) OpenBSD CVS Sync (regress/)
396 - dtucker@cvs.openbsd.org 2005/12/30 04:36:39
397 [regress/scp-ssh-wrapper.sh]
398 Fix assumption about how many args scp will pass; ok djm@
399
40020051213
401 - (djm) OpenBSD CVS Sync
402 - jmc@cvs.openbsd.org 2005/11/30 11:18:27
403 [ssh.1]
404 timezone -> time zone
405 - jmc@cvs.openbsd.org 2005/11/30 11:45:20
406 [ssh.1]
407 avoid ambiguities in describing TZ;
408 ok djm@
409 - reyk@cvs.openbsd.org 2005/12/06 22:38:28
410 [auth-options.c auth-options.h channels.c channels.h clientloop.c]
411 [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h]
412 [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c]
413 [sshconnect.h sshd.8 sshd_config sshd_config.5]
414 Add support for tun(4) forwarding over OpenSSH, based on an idea and
415 initial channel code bits by markus@. This is a simple and easy way to
416 use OpenSSH for ad hoc virtual private network connections, e.g.
417 administrative tunnels or secure wireless access. It's based on a new
418 ssh channel and works similar to the existing TCP forwarding support,
419 except that it depends on the tun(4) network interface on both ends of
420 the connection for layer 2 or layer 3 tunneling. This diff also adds
421 support for LocalCommand in the ssh(1) client.
422 ok djm@, markus@, jmc@ (manpages), tested and discussed with others
423 - djm@cvs.openbsd.org 2005/12/07 03:52:22
424 [clientloop.c]
425 reyk forgot to compile with -Werror (missing header)
426 - jmc@cvs.openbsd.org 2005/12/07 10:52:13
427 [ssh.1]
428 - avoid line split in SYNOPSIS
429 - add args to -w
430 - kill trailing whitespace
431 - jmc@cvs.openbsd.org 2005/12/08 14:59:44
432 [ssh.1 ssh_config.5]
433 make `!command' a little clearer;
434 ok reyk
435 - jmc@cvs.openbsd.org 2005/12/08 15:06:29
436 [ssh_config.5]
437 keep options in order;
438 - reyk@cvs.openbsd.org 2005/12/08 18:34:11
439 [auth-options.c includes.h misc.c misc.h readconf.c servconf.c]
440 [serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac]
441 two changes to the new ssh tunnel support. this breaks compatibility
442 with the initial commit but is required for a portable approach.
443 - make the tunnel id u_int and platform friendly, use predefined types.
444 - support configuration of layer 2 (ethernet) or layer 3
445 (point-to-point, default) modes. configuration is done using the
446 Tunnel (yes|point-to-point|ethernet|no) option is ssh_config(5) and
447 restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
448 in sshd_config(5).
449 ok djm@, man page bits by jmc@
450 - jmc@cvs.openbsd.org 2005/12/08 21:37:50
451 [ssh_config.5]
452 new sentence, new line;
453 - markus@cvs.openbsd.org 2005/12/12 13:46:18
454 [channels.c channels.h session.c]
455 make sure protocol messages for internal channels are ignored.
456 allow adjust messages for non-open channels; with and ok djm@
457 - (djm) [misc.c] Disable tunnel code for non-OpenBSD (for now), enable
458 again by providing a sys_tun_open() function for your platform and
459 setting the CUSTOM_SYS_TUN_OPEN define. More work is required to match
460 OpenBSD's tunnel protocol, which prepends the address family to the
461 packet
462
46320051201
464 - (djm) [envpass.sh] Remove regress script that was accidentally committed
465 in top level directory and not noticed for over a year :)
466
46720051129
468 - (tim) [ssh-keygen.c] Move DSA length test after setting default when
469 bits == 0.
470 - (dtucker) OpenBSD CVS Sync
471 - dtucker@cvs.openbsd.org 2005/11/29 02:04:55
472 [ssh-keygen.c]
473 Populate default key sizes before checking them; from & ok tim@
474 - (tim) [configure.ac sshd.8] Enable locked account check (a "*LK*" string)
475 for UnixWare.
476
47720051128
478 - (dtucker) [regress/yes-head.sh] Work around breakage caused by some
479 versions of GNU head. Based on patch from zappaman at buraphalinux.org
480 - (dtucker) [includes.h] Bug #1122: __USE_GNU is a glibc internal macro, use
481 _GNU_SOURCE instead. Patch from t8m at centrum.cz.
482 - (dtucker) OpenBSD CVS Sync
483 - dtucker@cvs.openbsd.org 2005/11/28 05:16:53
484 [ssh-keygen.1 ssh-keygen.c]
485 Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2,
486 increase minumum RSA key size to 768 bits and update man page to reflect
487 these. Patch originally bz#1119 (senthilkumar_sen at hotpop.com),
488 ok djm@, grudging ok deraadt@.
489 - dtucker@cvs.openbsd.org 2005/11/28 06:02:56
490 [ssh-agent.1]
491 Update agent socket path templates to reflect reality, correct xref for
492 time formats. bz#1121, patch from openssh at roumenpetrov.info, ok djm@
493
49420051126
495 - (dtucker) [configure.ac] Bug #1126: AIX 5.2 and 5.3 (and presumably newer,
496 when they're available) need the real UID set otherwise pam_chauthtok will
497 set ADMCHG after changing the password, forcing the user to change it
498 again immediately.
499
50020051125
501 - (dtucker) [configure.ac] Apply tim's fix for older systems where the
502 resolver state in resolv.h is "state" not "__res_state". With slight
503 modification by me to also work on old AIXes. ok djm@
504 - (dtucker) [progressmeter.c scp.c sftp-server.c] Use correct casts for
505 snprintf formats, fixes warnings on some 64 bit platforms. Patch from
506 shaw at vranix.com, ok djm@
507
50820051124
509 - (djm) [configure.ac openbsd-compat/Makefile.in openbsd-compat/bsd-asprintf.c
510 openbsd-compat/bsd-snprintf.c openbsd-compat/openbsd-compat.h] Add an
511 asprintf() implementation, after syncing our {v,}snprintf() implementation
512 with some extra fixes from Samba's version. With help and debugging from
513 dtucker and tim; ok dtucker@
514 - (dtucker) [configure.ac] Fix typos in comments and AC_SEARCH_LIB argument
515 order in Reliant Unix block. Patch from johane at lysator.liu.se.
516 - (dtucker) [regress/test-exec.sh] Use 1024 bit keys since we generate so
517 many and use them only once. Speeds up testing on older/slower hardware.
518
51920051122
520 - (dtucker) OpenBSD CVS Sync
521 - deraadt@cvs.openbsd.org 2005/11/12 18:37:59
522 [ssh-add.c]
523 space
524 - deraadt@cvs.openbsd.org 2005/11/12 18:38:15
525 [scp.c]
526 avoid close(-1), as in rcp; ok cloder
527 - millert@cvs.openbsd.org 2005/11/15 11:59:54
528 [includes.h]
529 Include sys/queue.h explicitly instead of assuming some other header
530 will pull it in. At the moment it gets pulled in by sys/select.h
531 (which ssh has no business including) via event.h. OK markus@
532 (ID sync only in -portable)
533 - dtucker@cvs.openbsd.org 2005/11/21 09:42:10
534 [auth-krb5.c]
535 Perform Kerberos calls even for invalid users to prevent leaking
536 information about account validity. bz #975, patch originally from
537 Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@,
538 ok markus@
539 - dtucker@cvs.openbsd.org 2005/11/22 03:36:03
540 [hostfile.c]
541 Correct format/arguments to debug call; spotted by shaw at vranix.com
542 ok djm@
543 - (dtucker) [loginrec.c] Add casts to prevent compiler warnings, patch
544 from shaw at vranix.com.
545
54620051120
547 - (dtucker) [openbsd-compat/openssl-compat.h] Add comment explaining what
548 is going on.
549
55020051112
551 - (dtucker) [openbsd-compat/getrrsetbyname.c] Restore Portable-specific
552 ifdef lost during sync. Spotted by tim@.
553 - (dtucker) [openbsd-compat/{realpath.c,stroll.c,rresvport.c}] $OpenBSD tag.
554 - (dtucker) [configure.ac] Use "$AWK" instead of "awk" in gcc version test.
555 - (dtucker) [configure.ac] Remove duplicate utimes() check. ok djm@
556 - (dtucker) [regress/reconfigure.sh] Fix potential race in the reconfigure
557 test: if sshd takes too long to reconfigure the subsequent connection will
558 fail. Zap pidfile before HUPing sshd which will rewrite it when it's ready.
559
56020051110
561 - (dtucker) [openbsd-compat/setenv.c] Merge changes for __findenv from
562 OpenBSD getenv.c revs 1.4 - 1.8 (ANSIfication of arguments, removal of
563 "register").
564 - (dtucker) [openbsd-compat/setenv.c] Make __findenv static, remove
565 unnecessary prototype.
566 - (dtucker) [openbsd-compat/setenv.c] Sync changes from OpenBSD setenv.c
567 revs 1.7 - 1.9.
568 - (dtucker) [auth-krb5.c] Fix -Wsign-compare warning in non-Heimdal path.
569 Patch from djm@.
570 - (dtucker) [configure.ac] Disable pointer-sign warnings on gcc 4.0+
571 since they're not useful right now. Patch from djm@.
572 - (dtucker) [openbsd-compat/getgrouplist.c] Sync OpenBSD revs 1.10 - 1.2 (ANSI
573 prototypes, removal of "register").
574 - (dtucker) [openbsd-compat/strlcat.c] Sync OpenBSD revs 1.11 - 1.12 (removal
575 of "register").
576 - (dtucker) [openbsd-compat/{LOTS}] Move the "OPENBSD ORIGINAL" markers to
577 after the copyright notices. Having them at the top next to the CVSIDs
578 guarantees a conflict for each and every sync.
579 - (dtucker) [openbsd-compat/strlcpy.c] Update from OpenBSD 1.8 -> 1.10.
580 - (dtucker) [openbsd-compat/sigact.h] Add "OPENBSD ORIGINAL" marker.
581 - (dtucker) [openbsd-compat/strmode.c] Update from OpenBSD 1.5 -> 1.7.
582 Removal of rcsid, "whiteout" inode type.
583 - (dtucker) [openbsd-compat/basename.c] Update from OpenBSD 1.11 -> 1.14.
584 Removal of rcsid, will no longer strlcpy parts of the string.
585 - (dtucker) [openbsd-compat/strtoll.c] Update from OpenBSD 1.4 -> 1.5.
586 - (dtucker) [openbsd-compat/strtoul.c] Update from OpenBSD 1.5 -> 1.7.
587 - (dtucker) [openbsd-compat/readpassphrase.c] Update from OpenBSD 1.16 -> 1.18.
588 - (dtucker) [openbsd-compat/readpassphrase.h] Update from OpenBSD 1.3 -> 1.5.
589 - (dtucker) [openbsd-compat/glob.c] Update from OpenBSD 1.22 -> 1.25.
590 - (dtucker) [openbsd-compat/glob.h] Update from OpenBSD 1.8 -> 1.9.
591 - (dtucker) [openbsd-compat/getcwd.c] Update from OpenBSD 1.9 -> 1.14.
592 - (dtucker) [openbsd-compat/getcwd.c] Replace lstat with fstat to match up
593 with OpenBSD code since we don't support platforms without fstat any more.
594 - (dtucker) [openbsd-compat/inet_aton.c] Update from OpenBSD 1.7 -> 1.9.
595 - (dtucker) [openbsd-compat/inet_ntoa.c] Update from OpenBSD 1.4 -> 1.6.
596 - (dtucker) [openbsd-compat/inet_ntop.c] Update from OpenBSD 1.5 -> 1.7.
597 - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.5 -> 1.6.
598 - (dtucker) [openbsd-compat/strsep.c] Update from OpenBSD 1.5 -> 1.6.
599 - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.10 -> 1.13.
600 - (dtucker) [openbsd-compat/mktemp.c] Update from OpenBSD 1.17 -> 1.19.
601 - (dtucker) [openbsd-compat/rresvport.c] Update from OpenBSD 1.6 -> 1.8.
602 - (dtucker) [openbsd-compat/bindresvport.c] Add "OPENBSD ORIGINAL" marker.
603 - (dtucker) [openbsd-compat/bindresvport.c] Update from OpenBSD 1.16 -> 1.17.
604 - (dtucker) [openbsd-compat/sigact.c] Update from OpenBSD 1.3 -> 1.4.
605 Id and copyright sync only, there were no substantial changes we need.
606 - (dtucker) [openbsd-compat/bsd-closefrom.c openbsd-compat/base64.c]
607 -Wsign-compare fixes from djm.
608 - (dtucker) [openbsd-compat/sigact.h] Update from OpenBSD 1.2 -> 1.3.
609 Id and copyright sync only, there were no substantial changes we need.
610 - (dtucker) [configure.ac] Try to get the gcc version number in a way that
611 doesn't change between versions, and use a safer default.
612
61320051105
614 - (djm) OpenBSD CVS Sync
615 - markus@cvs.openbsd.org 2005/10/07 11:13:57
616 [ssh-keygen.c]
617 change DSA default back to 1024, as it's defined for 1024 bits only
618 and this causes interop problems with other clients. moreover,
619 in order to improve the security of DSA you need to change more
620 components of DSA key generation (e.g. the internal SHA1 hash);
621 ok deraadt
622 - djm@cvs.openbsd.org 2005/10/10 10:23:08
623 [channels.c channels.h clientloop.c serverloop.c session.c]
624 fix regression I introduced in 4.2: X11 forwardings initiated after
625 a session has exited (e.g. "(sleep 5; xterm) &") would not start.
626 bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@
627 - djm@cvs.openbsd.org 2005/10/11 23:37:37
628 [channels.c]
629 bz #1076 set SO_REUSEADDR on X11 forwarding listner sockets, preventing
630 bind() failure when a previous connection's listeners are in TIME_WAIT,
631 reported by plattner AT inf.ethz.ch; ok dtucker@
632 - stevesk@cvs.openbsd.org 2005/10/13 14:03:01
633 [auth2-gss.c gss-genr.c gss-serv.c]
634 remove unneeded #includes; ok markus@
635 - stevesk@cvs.openbsd.org 2005/10/13 14:20:37
636 [gss-serv.c]
637 spelling in comments
638 - stevesk@cvs.openbsd.org 2005/10/13 19:08:08
639 [gss-serv-krb5.c gss-serv.c]
640 unused declarations; ok deraadt@
641 (id sync only for gss-serv-krb5.c)
642 - stevesk@cvs.openbsd.org 2005/10/13 19:13:41
643 [dns.c]
644 unneeded #include, unused declaration, little knf; ok deraadt@
645 - stevesk@cvs.openbsd.org 2005/10/13 22:24:31
646 [auth2-gss.c gss-genr.c gss-serv.c monitor.c]
647 KNF; ok djm@
648 - stevesk@cvs.openbsd.org 2005/10/14 02:17:59
649 [ssh-keygen.c ssh.c sshconnect2.c]
650 no trailing "\n" for log functions; ok djm@
651 - stevesk@cvs.openbsd.org 2005/10/14 02:29:37
652 [channels.c clientloop.c]
653 free()->xfree(); ok djm@
654 - stevesk@cvs.openbsd.org 2005/10/15 15:28:12
655 [sshconnect.c]
656 make external definition static; ok deraadt@
657 - stevesk@cvs.openbsd.org 2005/10/17 13:45:05
658 [dns.c]
659 fix memory leaks from 2 sources:
660 1) key_fingerprint_raw()
661 2) malloc in dns_read_rdata()
662 ok jakob@
663 - stevesk@cvs.openbsd.org 2005/10/17 14:01:28
664 [dns.c]
665 remove #ifdef LWRES; ok jakob@
666 - stevesk@cvs.openbsd.org 2005/10/17 14:13:35
667 [dns.c dns.h]
668 more cleanups; ok jakob@
669 - djm@cvs.openbsd.org 2005/10/30 01:23:19
670 [ssh_config.5]
671 mention control socket fallback behaviour, reported by
672 tryponraj AT gmail.com
673 - djm@cvs.openbsd.org 2005/10/30 04:01:03
674 [ssh-keyscan.c]
675 make ssh-keygen discard junk from server before SSH- ident, spotted by
676 dave AT cirt.net; ok dtucker@
677 - djm@cvs.openbsd.org 2005/10/30 04:03:24
678 [ssh.c]
679 fix misleading debug message; ok dtucker@
680 - dtucker@cvs.openbsd.org 2005/10/30 08:29:29
681 [canohost.c sshd.c]
682 Check for connections with IP options earlier and drop silently. ok djm@
683 - jmc@cvs.openbsd.org 2005/10/30 08:43:47
684 [ssh_config.5]
685 remove trailing whitespace;
686 - djm@cvs.openbsd.org 2005/10/30 08:52:18
687 [clientloop.c packet.c serverloop.c session.c ssh-agent.c ssh-keygen.c]
688 [ssh.c sshconnect.c sshconnect1.c sshd.c]
689 no need to escape single quotes in comments, no binary change
690 - dtucker@cvs.openbsd.org 2005/10/31 06:15:04
691 [sftp.c]
692 Fix sorting with "ls -1" command. From Robert Tsai, "looks right" deraadt@
693 - djm@cvs.openbsd.org 2005/10/31 11:12:49
694 [ssh-keygen.1 ssh-keygen.c]
695 generate a protocol 2 RSA key by default
696 - djm@cvs.openbsd.org 2005/10/31 11:48:29
697 [serverloop.c]
698 make sure we clean up wtmp, etc. file when we receive a SIGTERM,
699 SIGINT or SIGQUIT when running without privilege separation (the
700 normal privsep case is already OK). Patch mainly by dtucker@ and
701 senthilkumar_sen AT hotpop.com; ok dtucker@
702 - jmc@cvs.openbsd.org 2005/10/31 19:55:25
703 [ssh-keygen.1]
704 grammar;
705 - dtucker@cvs.openbsd.org 2005/11/03 13:38:29
706 [canohost.c]
707 Cache reverse lookups with and without DNS separately; ok markus@
708 - djm@cvs.openbsd.org 2005/11/04 05:15:59
709 [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c]
710 remove hardcoded hash lengths in key exchange code, allowing
711 implementation of KEX methods with different hashes (e.g. SHA-256);
712 ok markus@ dtucker@ stevesk@
713 - djm@cvs.openbsd.org 2005/11/05 05:01:15
714 [bufaux.c]
715 Fix leaks in error paths, bz #1109 and #1110 reported by kremenek AT
716 cs.stanford.edu; ok dtucker@
717 - (dtucker) [README.platform] Add PAM section.
718 - (djm) [openbsd-compat/getrrsetbyname.c] Sync to latest OpenBSD version,
719 resolving memory leak bz#1111 reported by kremenek AT cs.stanford.edu;
720 ok dtucker@
721
72220051102
723 - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup().
724 Reported by olavi at ipunplugged.com and antoine.brodin at laposte.net
725 via FreeBSD.
726
72720051030
728 - (djm) [contrib/suse/openssh.spec contrib/suse/rc.
729 sshd contrib/suse/sysconfig.ssh] Bug #1106: Updated SuSE spec and init
730 files from imorgan AT nas.nasa.gov
731 - (dtucker) [session.c] Bug #1045do not check /etc/nologin when PAM is
732 enabled, instead allow PAM to handle it. Note that on platforms using PAM,
733 the pam_nologin module should be added to sshd's session stack in order to
734 maintain exising behaviour. Based on patch and discussion from t8m at
735 centrum.cz, ok djm@
736
73720051025
738 - (dtucker) [configure.ac] Relocate LLONG_MAX calculation to after the
739 sizeof(long long) checks, to make fixing bug #1104 easier (no changes
740 yet).
741 - (dtucker) [configure.ac] Bug #1104: Tru64's printf family doesn't
742 understand "%lld", even though the compiler has "long long", so handle
743 it as a special case. Patch tested by mcaskill.scott at epa.gov.
744 - (dtucker) [contrib/cygwin/ssh-user-config] Remove duplicate yes/no
745 prompt. Patch from vinschen at redhat.com.
746
74720051017
748 - (dtucker) [configure.ac] Bug #1097: Fix configure for cross-compiling.
749 /etc/default/login report and testing from aabaker at iee.org, corrections
750 from tim@.
751
75220051009
753 - (dtucker) [configure.ac defines.h openbsd-compat/vis.{c,h}] Sync current
754 versions from OpenBSD. ok djm@
755
75620051008
757 - (dtucker) [configure.ac] Bug #1098: define $MAIL for HP-UX; report from
758 brian.smith at agilent com.
759 - (djm) [configure.ac] missing 'test' call for -with-Werror test
760
76120051005
762 - (dtucker) [configure.ac sshd.8] Enable locked account check (a prepended
763 "*LOCKED*" string) for FreeBSD. Patch jeremie at le-hen.org and
764 senthilkumar_sen at hotpop.com.
765
76620051003
767 - (dtucker) OpenBSD CVS Sync
768 - markus@cvs.openbsd.org 2005/09/07 08:53:53
769 [channels.c]
770 enforce chanid != NULL; ok djm
771 - markus@cvs.openbsd.org 2005/09/09 19:18:05
772 [clientloop.c]
773 typo; from mark at mcs.vuw.ac.nz, bug #1082
774 - djm@cvs.openbsd.org 2005/09/13 23:40:07
775 [sshd.c ssh.c misc.h sftp.c ssh-keygen.c ssh-keysign.c sftp-server.c
776 scp.c misc.c ssh-keyscan.c ssh-add.c ssh-agent.c]
777 ensure that stdio fds are attached; ok deraadt@
778 - djm@cvs.openbsd.org 2005/09/19 11:37:34
779 [ssh_config.5 ssh.1]
780 mention ability to specify bind_address for DynamicForward and -D options;
781 bz#1077 spotted by Haruyama Seigo
782 - djm@cvs.openbsd.org 2005/09/19 11:47:09
783 [sshd.c]
784 stop connection abort on rekey with delayed compression enabled when
785 post-auth privsep is disabled (e.g. when root is logged in); ok dtucker@
786 - djm@cvs.openbsd.org 2005/09/19 11:48:10
787 [gss-serv.c]
788 typo
789 - jmc@cvs.openbsd.org 2005/09/19 15:38:27
790 [ssh.1]
791 some more .Bk/.Ek to avoid ugly line split;
792 - jmc@cvs.openbsd.org 2005/09/19 15:42:44
793 [ssh.c]
794 update -D usage here too;
795 - djm@cvs.openbsd.org 2005/09/19 23:31:31
796 [ssh.1]
797 spelling nit from stevesk@
798 - djm@cvs.openbsd.org 2005/09/21 23:36:54
799 [sshd_config.5]
800 aquire -> acquire, from stevesk@
801 - djm@cvs.openbsd.org 2005/09/21 23:37:11
802 [sshd.c]
803 change label at markus@'s request
804 - jaredy@cvs.openbsd.org 2005/09/30 20:34:26
805 [ssh-keyscan.1]
806 deploy .An -nosplit; ok jmc
807 - dtucker@cvs.openbsd.org 2005/10/03 07:44:42
808 [canohost.c]
809 Relocate check_ip_options call to prevent logging of garbage for
810 connections with IP options set. bz#1092 from David Leonard,
811 "looks good" deraadt@
812 - (dtucker) [regress/README.regress] Bug #989: Document limitation that scp
813 is required in the system path for the multiplex test to work.
814
81520050930
816 - (dtucker) [openbsd-compat/openbsd-compat.h] Bug #1096: Add prototype
817 for strtoll. Patch from o.flebbe at science-computing.de.
818 - (dtucker) [monitor.c] Bug #1087: Send loginmsg to preauth privsep
819 child during PAM account check without clearing it. This restores the
820 post-login warnings such as LDAP password expiry. Patch from Tomas Mraz
821 with help from several others.
822
82320050929
824 - (dtucker) [monitor_wrap.c] Remove duplicate definition of loginmsg
825 introduced during sync.
826
82720050928
828 - (dtucker) [entropy.c] Use u_char for receiving RNG seed for consistency.
829 - (dtucker) [auth-pam.c] Bug #1028: send final non-query messages from
830 PAM via keyboard-interactive. Patch tested by the folks at Vintela.
831
83220050927
833 - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid
834 calls, since they can't possibly fail. ok djm@
835 - (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed
836 process when sshd relies on ssh-random-helper. Should result in faster
837 logins on systems without a real random device or prngd. ok djm@
838
83920050924
840 - (dtucker) [auth2.c] Move start_pam() calls out of if-else block to remove
841 duplicate call. ok djm@
842
84320050922
844 - (dtucker) [configure.ac] Use -R linker flag for libedit too; patch from
845 skeleten at shillest.net.
846 - (dtucker) [configure.ac] Fix help for --with-opensc; patch from skeleten at
847 shillest.net.
848
84920050919
850 - (tim) [aclocal.m4 configure.ac] Delete acconfig.h and add templates to
851 AC_DEFINE and AC_DEFINE_UNQUOTED to quiet autoconf 2.59 warning messages.
852 ok dtucker@
853
85420050912
855 - (tim) [configure.ac] Bug 1078. Fix --without-kerberos5. Reported by
856 Mike Frysinger.
857
85820050908
859 - (tim) [defines.h openbsd-compat/port-uw.c] Add long password support to
860 OpenServer 6 and add osr5bigcrypt support so when someone migrates
861 passwords between UnixWare and OpenServer they will still work. OK dtucker@
862
120050901 86320050901
2 - (djm) Update RPM spec file versions 864 - (djm) Update RPM spec file versions
3 865
@@ -3013,4 +3875,4 @@
3013 - (djm) Trim deprecated options from INSTALL. Mention UsePAM 3875 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
3014 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu 3876 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
3015 3877
3016$Id: ChangeLog,v 1.3887 2005/09/01 09:10:48 djm Exp $ 3878$Id: ChangeLog,v 1.4117.2.10 2006/02/11 00:00:44 djm Exp $
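--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.273 2005/05/29 07:22:29 dtucker Exp $
+# $Id: Makefile.in,v 1.274 2006/01/01 08:47:05 djm Exp $
 
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -139,7 +139,7 @@ sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
  $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)
 
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
- $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
 ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
  $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)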
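Review bot: The scp rule's recipe now links `bufaux.o`, but the target's prerequisite list still reads `scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o`, so make has no dependency telling it to build or refresh that object before the link. Listing it as a prerequisite, `scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o bufaux.o`, keeps the rule self-consistent. If bufaux.o is also archived in libssh.a (not visible in this hunk), a one-line comment saying why it has to be named explicitly on the link line would help the next maintainer.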
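--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-4.2 for the release notes.
+See http://www.openssh.com/txt/release-4.3p2 for the release notes.
 
 - A Japanese translation of this document and of the OpenSSH FAQ is
 - available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@ References -
 [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
 [7] http://www.openssh.com/faq.html
 
-$Id: README,v 1.60 2005/08/31 14:05:57 dtucker Exp $
+$Id: README,v 1.61.2.1 2006/02/10 23:43:34 dtucker Exp $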
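--- a/README.platform
+++ b/README.platform
@@ -45,4 +45,14 @@ number is already in use on your system, you may change it at build time
 by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
 
 
-$Id: README.platform,v 1.5 2005/02/20 10:01:49 dtucker Exp $
+Platforms using PAM
+-------------------
+As of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when
+PAM is enabled. To maintain existing behaviour, pam_nologin should be
+added to sshd's session stack which will prevent users from starting shell
+sessions. Alternatively, pam_nologin can be added to either the auth or
+account stacks which will prevent authentication entirely, but will still
+return the output from pam_nologin to the client.
+
+
+$Id: README.platform,v 1.6 2005/11/05 05:28:35 dtucker Exp $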
diff --git a/README.tun b/README.tun
new file mode 100644
index 000000000..d814f396d
--- /dev/null
+++ b/README.tun
@@ -0,0 +1,132 @@
1How to use OpenSSH-based virtual private networks
2-------------------------------------------------
3
4OpenSSH contains support for VPN tunneling using the tun(4) network
5tunnel pseudo-device which is available on most platforms, either for
6layer 2 or 3 traffic.
7
8The following brief instructions on how to use this feature use
9a network configuration specific to the OpenBSD operating system.
10
11(1) Server: Enable support for SSH tunneling
12
13To enable the ssh server to accept tunnel requests from the client, you
14have to add the following option to the ssh server configuration file
15(/etc/ssh/sshd_config):
16
17 PermitTunnel yes
18
19Restart the server or send the hangup signal (SIGHUP) to let the server
20reread it's configuration.
21
22(2) Server: Restrict client access and assign the tunnel
23
24The OpenSSH server simply uses the file /root/.ssh/authorized_keys to
25restrict the client to connect to a specified tunnel and to
26automatically start the related interface configuration command. These
27settings are optional but recommended:
28
29 tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org
30
31(3) Client: Configure the local network tunnel interface
32
33Use the hostname.if(5) interface-specific configuration file to set up
34the network tunnel configuration with OpenBSD. For example, use the
35following configuration in /etc/hostname.tun0 to set up the layer 3
36tunnel on the client:
37
38 inet 192.168.5.1 255.255.255.252 192.168.5.2
39
40OpenBSD also supports layer 2 tunneling over the tun device by adding
41the link0 flag:
42
43 inet 192.168.1.78 255.255.255.0 192.168.1.255 link0
44
45Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
46interface, like the following example for /etc/bridgename.bridge0:
47
48 add tun0
49 add sis0
50 up
51
52(4) Client: Configure the OpenSSH client
53
54To establish tunnel forwarding for connections to a specified
55remote host by default, use the following ssh client configuration for
56the privileged user (in /root/.ssh/config):
57
58 Host sshgateway
59 Tunnel yes
60 TunnelDevice 0:any
61 PermitLocalCommand yes
62 LocalCommand sh /etc/netstart tun0
63
64A more complicated configuration is possible to establish a tunnel to
65a remote host which is not directly accessible by the client.
66The following example describes a client configuration to connect to
67the remote host over two ssh hops in between. It uses the OpenSSH
68ProxyCommand in combination with the nc(1) program to forward the final
69ssh tunnel destination over multiple ssh sessions.
70
71 Host access.somewhere.net
72 User puffy
73 Host dmzgw
74 User puffy
75 ProxyCommand ssh access.somewhere.net nc dmzgw 22
76 Host sshgateway
77 Tunnel Ethernet
78 TunnelDevice 0:any
79 PermitLocalCommand yes
80 LocalCommand sh /etc/netstart tun0
81 ProxyCommand ssh dmzgw nc sshgateway 22
82
83The following network plan illustrates the previous configuration in
84combination with layer 2 tunneling and Ethernet bridging.
85
86+--------+ ( ) +----------------------+
87| Client |------( Internet )-----| access.somewhere.net |
88+--------+ ( ) +----------------------+
89 : 192.168.1.78 |
90 :............................. +-------+
91 Forwarded ssh connection : | dmzgw |
92 Layer 2 tunnel : +-------+
93 : |
94 : |
95 : +------------+
96 :......| sshgateway |
97 | +------------+
98--- real connection Bridge -> | +----------+
99... "virtual connection" [ X ]--------| somehost |
100[X] switch +----------+
101 192.168.1.25
102
103(5) Client: Connect to the server and establish the tunnel
104
105Finally connect to the OpenSSH server to establish the tunnel by using
106the following command:
107
108 ssh sshgateway
109
110It is also possible to tell the client to fork into the background after
111the connection has been successfully established:
112
113 ssh -f sshgateway true
114
115Without the ssh configuration done in step (4), it is also possible
116to use the following command lines:
117
118 ssh -fw 0:1 sshgateway true
119 ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252
120
121Using OpenSSH tunnel forwarding is a simple way to establish secure
122and ad hoc virtual private networks. Possible fields of application
123could be wireless networks or administrative VPN tunnels.
124
125Nevertheless, ssh tunneling requires some packet header overhead and
126runs on top of TCP. It is still suggested to use the IP Security
127Protocol (IPSec) for robust and permanent VPN connections and to
128interconnect corporate networks.
129
130 Reyk Floeter
131
132$OpenBSD: README.tun,v 1.3 2005/12/08 18:34:10 reyk Exp $
diff --git a/acconfig.h b/acconfig.h
deleted file mode 100644
index 79b5e8191..000000000
--- a/acconfig.h
+++ /dev/null
@@ -1,458 +0,0 @@
1/* $Id: acconfig.h,v 1.183 2005/07/07 10:33:36 dtucker Exp $ */
2
3/*
4 * Copyright (c) 1999-2003 Damien Miller. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27#ifndef _CONFIG_H
28#define _CONFIG_H
29
30/* Generated automatically from acconfig.h by autoheader. */
31/* Please make your changes there */
32
33@TOP@
34
35/* Define if your platform breaks doing a seteuid before a setuid */
36#undef SETEUID_BREAKS_SETUID
37
38/* Define if your setreuid() is broken */
39#undef BROKEN_SETREUID
40
41/* Define if your setregid() is broken */
42#undef BROKEN_SETREGID
43
44/* Define if your setresuid() is broken */
45#undef BROKEN_SETRESUID
46
47/* Define if your setresgid() is broken */
48#undef BROKEN_SETRESGID
49
50/* Define to a Set Process Title type if your system is */
51/* supported by bsd-setproctitle.c */
52#undef SPT_TYPE
53#undef SPT_PADCHAR
54
55/* SCO workaround */
56#undef BROKEN_SYS_TERMIO_H
57
58/* Define if you have SecureWare-based protected password database */
59#undef HAVE_SECUREWARE
60
61/* If your header files don't define LOGIN_PROGRAM, then use this (detected) */
62/* from environment and PATH */
63#undef LOGIN_PROGRAM_FALLBACK
64
65/* Full path of your "passwd" program */
66#undef _PATH_PASSWD_PROG
67
68/* Define if your password has a pw_class field */
69#undef HAVE_PW_CLASS_IN_PASSWD
70
71/* Define if your password has a pw_expire field */
72#undef HAVE_PW_EXPIRE_IN_PASSWD
73
74/* Define if your password has a pw_change field */
75#undef HAVE_PW_CHANGE_IN_PASSWD
76
77/* Define if your system uses access rights style file descriptor passing */
78#undef HAVE_ACCRIGHTS_IN_MSGHDR
79
80/* Define if your system uses ancillary data style file descriptor passing */
81#undef HAVE_CONTROL_IN_MSGHDR
82
83/* Define if you system's inet_ntoa is busted (e.g. Irix gcc issue) */
84#undef BROKEN_INET_NTOA
85
86/* Define if your system defines sys_errlist[] */
87#undef HAVE_SYS_ERRLIST
88
89/* Define if your system defines sys_nerr */
90#undef HAVE_SYS_NERR
91
92/* Define if your system choked on IP TOS setting */
93#undef IP_TOS_IS_BROKEN
94
95/* Define if you have the getuserattr function. */
96#undef HAVE_GETUSERATTR
97
98/* Define if you have the basename function. */
99#undef HAVE_BASENAME
100
101/* Work around problematic Linux PAM modules handling of PAM_TTY */
102#undef PAM_TTY_KLUDGE
103
104/* Define if pam_chauthtok wants real uid set to the unpriv'ed user */
105#undef SSHPAM_CHAUTHTOK_NEEDS_RUID
106
107/* Use PIPES instead of a socketpair() */
108#undef USE_PIPES
109
110/* Define if your snprintf is busted */
111#undef BROKEN_SNPRINTF
112
113/* Define if you are on Cygwin */
114#undef HAVE_CYGWIN
115
116/* Define if you have a broken realpath. */
117#undef BROKEN_REALPATH
118
119/* Define if you are on NeXT */
120#undef HAVE_NEXT
121
122/* Define if you want to enable PAM support */
123#undef USE_PAM
124
125/* Define if you want to enable AIX4's authenticate function */
126#undef WITH_AIXAUTHENTICATE
127
128/* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */
129#undef AIX_LOGINFAILED_4ARG
130
131/* Define if your skeychallenge() function takes 4 arguments (eg NetBSD) */
132#undef SKEYCHALLENGE_4ARG
133
134/* Define if you have/want arrays (cluster-wide session managment, not C arrays) */
135#undef WITH_IRIX_ARRAY
136
137/* Define if you want IRIX project management */
138#undef WITH_IRIX_PROJECT
139
140/* Define if you want IRIX audit trails */
141#undef WITH_IRIX_AUDIT
142
143/* Define if you want IRIX kernel jobs */
144#undef WITH_IRIX_JOBS
145
146/* Location of PRNGD/EGD random number socket */
147#undef PRNGD_SOCKET
148
149/* Port number of PRNGD/EGD random number socket */
150#undef PRNGD_PORT
151
152/* Builtin PRNG command timeout */
153#undef ENTROPY_TIMEOUT_MSEC
154
155/* non-privileged user for privilege separation */
156#undef SSH_PRIVSEP_USER
157
158/* Define if you want to install preformatted manpages.*/
159#undef MANTYPE
160
161/* Define if your ssl headers are included with #include <openssl/header.h> */
162#undef HAVE_OPENSSL
163
164/* Define if you are linking against RSAref. Used only to print the right
165 * message at run-time. */
166#undef RSAREF
167
168/* struct timeval */
169#undef HAVE_STRUCT_TIMEVAL
170
171/* struct utmp and struct utmpx fields */
172#undef HAVE_HOST_IN_UTMP
173#undef HAVE_HOST_IN_UTMPX
174#undef HAVE_ADDR_IN_UTMP
175#undef HAVE_ADDR_IN_UTMPX
176#undef HAVE_ADDR_V6_IN_UTMP
177#undef HAVE_ADDR_V6_IN_UTMPX
178#undef HAVE_SYSLEN_IN_UTMPX
179#undef HAVE_PID_IN_UTMP
180#undef HAVE_TYPE_IN_UTMP
181#undef HAVE_TYPE_IN_UTMPX
182#undef HAVE_TV_IN_UTMP
183#undef HAVE_TV_IN_UTMPX
184#undef HAVE_ID_IN_UTMP
185#undef HAVE_ID_IN_UTMPX
186#undef HAVE_EXIT_IN_UTMP
187#undef HAVE_TIME_IN_UTMP
188#undef HAVE_TIME_IN_UTMPX
189
190/* Define if you don't want to use your system's login() call */
191#undef DISABLE_LOGIN
192
193/* Define if you don't want to use pututline() etc. to write [uw]tmp */
194#undef DISABLE_PUTUTLINE
195
196/* Define if you don't want to use pututxline() etc. to write [uw]tmpx */
197#undef DISABLE_PUTUTXLINE
198
199/* Define if you don't want to use lastlog */
200#undef DISABLE_LASTLOG
201
202/* Define if you don't want to use lastlog in session.c */
203#undef NO_SSH_LASTLOG
204
205/* Define if you don't want to use utmp */
206#undef DISABLE_UTMP
207
208/* Define if you don't want to use utmpx */
209#undef DISABLE_UTMPX
210
211/* Define if you don't want to use wtmp */
212#undef DISABLE_WTMP
213
214/* Define if you don't want to use wtmpx */
215#undef DISABLE_WTMPX
216
217/* Some systems need a utmpx entry for /bin/login to work */
218#undef LOGIN_NEEDS_UTMPX
219
220/* Some versions of /bin/login need the TERM supplied on the commandline */
221#undef LOGIN_NEEDS_TERM
222
223/* Define if your login program cannot handle end of options ("--") */
224#undef LOGIN_NO_ENDOPT
225
226/* Define if you want to specify the path to your lastlog file */
227#undef CONF_LASTLOG_FILE
228
229/* Define if you want to specify the path to your utmp file */
230#undef CONF_UTMP_FILE
231
232/* Define if you want to specify the path to your wtmp file */
233#undef CONF_WTMP_FILE
234
235/* Define if you want to specify the path to your utmpx file */
236#undef CONF_UTMPX_FILE
237
238/* Define if you want to specify the path to your wtmpx file */
239#undef CONF_WTMPX_FILE
240
241/* Define if you want external askpass support */
242#undef USE_EXTERNAL_ASKPASS
243
244/* Define if libc defines __progname */
245#undef HAVE___PROGNAME
246
247/* Define if compiler implements __FUNCTION__ */
248#undef HAVE___FUNCTION__
249
250/* Define if compiler implements __func__ */
251#undef HAVE___func__
252
253/* Define this is you want GSSAPI support in the version 2 protocol */
254#undef GSSAPI
255
256/* Define if you want Kerberos 5 support */
257#undef KRB5
258
259/* Define this if you are using the Heimdal version of Kerberos V5 */
260#undef HEIMDAL
261
262/* Define this if you want to use libkafs' AFS support */
263#undef USE_AFS
264
265/* Define if you want S/Key support */
266#undef SKEY
267
268/* Define if you want TCP Wrappers support */
269#undef LIBWRAP
270
271/* Define if your libraries define login() */
272#undef HAVE_LOGIN
273
274/* Define if your libraries define daemon() */
275#undef HAVE_DAEMON
276
277/* Define if your libraries define getpagesize() */
278#undef HAVE_GETPAGESIZE
279
280/* Define if xauth is found in your path */
281#undef XAUTH_PATH
282
283/* Define if you want to allow MD5 passwords */
284#undef HAVE_MD5_PASSWORDS
285
286/* Define if you want to disable shadow passwords */
287#undef DISABLE_SHADOW
288
289/* Define if you want to use shadow password expire field */
290#undef HAS_SHADOW_EXPIRE
291
292/* Define if you have Digital Unix Security Integration Architecture */
293#undef HAVE_OSF_SIA
294
295/* Define if you have getpwanam(3) [SunOS 4.x] */
296#undef HAVE_GETPWANAM
297
298/* Define if you have an old version of PAM which takes only one argument */
299/* to pam_strerror */
300#undef HAVE_OLD_PAM
301
302/* Define if you are using Solaris-derived PAM which passes pam_messages */
303/* to the conversation function with an extra level of indirection */
304#undef PAM_SUN_CODEBASE
305
306/* Set this to your mail directory if you don't have maillock.h */
307#undef MAIL_DIRECTORY
308
309/* Data types */
310#undef HAVE_U_INT
311#undef HAVE_INTXX_T
312#undef HAVE_U_INTXX_T
313#undef HAVE_UINTXX_T
314#undef HAVE_INT64_T
315#undef HAVE_U_INT64_T
316#undef HAVE_U_CHAR
317#undef HAVE_SIZE_T
318#undef HAVE_SSIZE_T
319#undef HAVE_CLOCK_T
320#undef HAVE_MODE_T
321#undef HAVE_PID_T
322#undef HAVE_SA_FAMILY_T
323#undef HAVE_STRUCT_SOCKADDR_STORAGE
324#undef HAVE_STRUCT_ADDRINFO
325#undef HAVE_STRUCT_IN6_ADDR
326#undef HAVE_STRUCT_SOCKADDR_IN6
327
328/* Fields in struct sockaddr_storage */
329#undef HAVE_SS_FAMILY_IN_SS
330#undef HAVE___SS_FAMILY_IN_SS
331
332/* Define if you have /dev/ptmx */
333#undef HAVE_DEV_PTMX
334
335/* Define if you have /dev/ptc */
336#undef HAVE_DEV_PTS_AND_PTC
337
338/* Define if you need to use IP address instead of hostname in $DISPLAY */
339#undef IPADDR_IN_DISPLAY
340
341/* Specify default $PATH */
342#undef USER_PATH
343
344/* Specify location of ssh.pid */
345#undef _PATH_SSH_PIDDIR
346
347/* getaddrinfo is broken (if present) */
348#undef BROKEN_GETADDRINFO
349
350/* updwtmpx is broken (if present) */
351#undef BROKEN_UPDWTMPX
352
353/* Workaround more Linux IPv6 quirks */
354#undef DONT_TRY_OTHER_AF
355
356/* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */
357#undef IPV4_IN_IPV6
358
359/* Define if you have BSD auth support */
360#undef BSD_AUTH
361
362/* Define if X11 doesn't support AF_UNIX sockets on that system */
363#undef NO_X11_UNIX_SOCKETS
364
365/* Define if the concept of ports only accessible to superusers isn't known */
366#undef NO_IPPORT_RESERVED_CONCEPT
367
368/* Needed for SCO and NeXT */
369#undef BROKEN_SAVED_UIDS
370
371/* Define if your system glob() function has the GLOB_ALTDIRFUNC extension */
372#undef GLOB_HAS_ALTDIRFUNC
373
374/* Define if your system glob() function has gl_matchc options in glob_t */
375#undef GLOB_HAS_GL_MATCHC
376
377/* Define in your struct dirent expects you to allocate extra space for d_name */
378#undef BROKEN_ONE_BYTE_DIRENT_D_NAME
379
380/* Define if your system has /etc/default/login */
381#undef HAVE_ETC_DEFAULT_LOGIN
382
383/* Define if your getopt(3) defines and uses optreset */
384#undef HAVE_GETOPT_OPTRESET
385
386/* Define on *nto-qnx systems */
387#undef MISSING_NFDBITS
388
389/* Define on *nto-qnx systems */
390#undef MISSING_HOWMANY
391
392/* Define on *nto-qnx systems */
393#undef MISSING_FD_MASK
394
395/* Define if you want smartcard support */
396#undef SMARTCARD
397
398/* Define if you want smartcard support using sectok */
399#undef USE_SECTOK
400
401/* Define if you want smartcard support using OpenSC */
402#undef USE_OPENSC
403
404/* Define if you want to use OpenSSL's internally seeded PRNG only */
405#undef OPENSSL_PRNG_ONLY
406
407/* Define if you shouldn't strip 'tty' from your ttyname in [uw]tmp */
408#undef WITH_ABBREV_NO_TTY
409
410/* Define if you want a different $PATH for the superuser */
411#undef SUPERUSER_PATH
412
413/* Path that unprivileged child will chroot() to in privep mode */
414#undef PRIVSEP_PATH
415
416/* Define if your platform needs to skip post auth file descriptor passing */
417#undef DISABLE_FD_PASSING
418
419/* Silly mkstemp() */
420#undef HAVE_STRICT_MKSTEMP
421
422/* Some systems put this outside of libc */
423#undef HAVE_NANOSLEEP
424
425/* Define if sshd somehow reacquires a controlling TTY after setsid() */
426#undef SSHD_ACQUIRES_CTTY
427
428/* Define if cmsg_type is not passed correctly */
429#undef BROKEN_CMSG_TYPE
430
431/*
432 * Define to whatever link() returns for "not supported" if it doesn't
433 * return EOPNOTSUPP.
434 */
435#undef LINK_OPNOTSUPP_ERRNO
436
437/* Strings used in /etc/passwd to denote locked account */
438#undef LOCKED_PASSWD_STRING
439#undef LOCKED_PASSWD_PREFIX
440#undef LOCKED_PASSWD_SUBSTR
441
442/* Define if getrrsetbyname() exists */
443#undef HAVE_GETRRSETBYNAME
444
445/* Define if HEADER.ad exists in arpa/nameser.h */
446#undef HAVE_HEADER_AD
447
448/* Define if your resolver libs need this for getrrsetbyname */
449#undef BIND_8_COMPAT
450
451/* Define if you have /proc/$pid/fd */
452#undef HAVE_PROC_PID
453
454@BOTTOM@
455
456/* ******************* Shouldn't need to edit below this line ************** */
457
458#endif /* _CONFIG_H */
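--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,4 +1,4 @@
-dnl $Id: aclocal.m4,v 1.5 2001/10/22 00:53:59 tim Exp $
+dnl $Id: aclocal.m4,v 1.6 2005/09/19 16:33:39 tim Exp $
 dnl
 dnl OpenSSH-specific autoconf macros
 dnl
@@ -26,7 +26,7 @@ AC_DEFUN(OSSH_CHECK_HEADER_FOR_FIELD, [
  if test -n "`echo $ossh_varname`"; then
  AC_MSG_RESULT($ossh_result)
  if test "x$ossh_result" = "xyes"; then
- AC_DEFINE($3)
+ AC_DEFINE($3, 1, [Define if you have $1 in $2])
  fi
  else
  AC_MSG_RESULT(no)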
diff --git a/auth-krb5.c b/auth-krb5.c
index c7367b49a..64d613543 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -28,7 +28,7 @@
28 */ 28 */
29 29
30#include "includes.h" 30#include "includes.h"
31RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $"); 31RCSID("$OpenBSD: auth-krb5.c,v 1.16 2005/11/21 09:42:10 dtucker Exp $");
32 32
33#include "ssh.h" 33#include "ssh.h"
34#include "ssh1.h" 34#include "ssh1.h"
@@ -69,9 +69,6 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
69 krb5_ccache ccache = NULL; 69 krb5_ccache ccache = NULL;
70 int len; 70 int len;
71 71
72 if (!authctxt->valid)
73 return (0);
74
75 temporarily_use_uid(authctxt->pw); 72 temporarily_use_uid(authctxt->pw);
76 73
77 problem = krb5_init(authctxt); 74 problem = krb5_init(authctxt);
@@ -188,7 +185,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
188 else 185 else
189 return (0); 186 return (0);
190 } 187 }
191 return (1); 188 return (authctxt->valid ? 1 : 0);
192} 189}
193 190
194void 191void
@@ -218,7 +215,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
218 215
219 ret = snprintf(ccname, sizeof(ccname), 216 ret = snprintf(ccname, sizeof(ccname),
220 "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid()); 217 "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
221 if (ret == -1 || ret >= sizeof(ccname)) 218 if (ret < 0 || (size_t)ret >= sizeof(ccname))
222 return ENOMEM; 219 return ENOMEM;
223 220
224 old_umask = umask(0177); 221 old_umask = umask(0177);
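Review bot: The closing `return (authctxt->valid ? 1 : 0);` in auth_krb5_password is now the only thing that keeps an unknown user from being reported as authenticated, and nothing in the function says so. With the early `if (!authctxt->valid)` check removed, the Kerberos exchange runs for every user name, presumably so that valid and invalid names take the same path. A later edit that adds another success return above this line would bypass the validity check without any warning. I would put a comment directly above it, for example `/* Validity is checked last on purpose; this must stay the only success return. */`. Most of the function body lies outside the hunks shown, so confirm that no other path returns 1.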
diff --git a/auth-options.c b/auth-options.c
index a85e40835..ad97e6129 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -10,7 +10,7 @@
10 */ 10 */
11 11
12#include "includes.h" 12#include "includes.h"
13RCSID("$OpenBSD: auth-options.c,v 1.31 2005/03/10 22:40:38 deraadt Exp $"); 13RCSID("$OpenBSD: auth-options.c,v 1.33 2005/12/08 18:34:11 reyk Exp $");
14 14
15#include "xmalloc.h" 15#include "xmalloc.h"
16#include "match.h" 16#include "match.h"
@@ -35,6 +35,9 @@ char *forced_command = NULL;
35/* "environment=" options. */ 35/* "environment=" options. */
36struct envstring *custom_environment = NULL; 36struct envstring *custom_environment = NULL;
37 37
38/* "tunnel=" option. */
39int forced_tun_device = -1;
40
38extern ServerOptions options; 41extern ServerOptions options;
39 42
40void 43void
@@ -54,6 +57,7 @@ auth_clear_options(void)
54 xfree(forced_command); 57 xfree(forced_command);
55 forced_command = NULL; 58 forced_command = NULL;
56 } 59 }
60 forced_tun_device = -1;
57 channel_clear_permitted_opens(); 61 channel_clear_permitted_opens();
58 auth_debug_reset(); 62 auth_debug_reset();
59} 63}
@@ -269,6 +273,41 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
269 xfree(patterns); 273 xfree(patterns);
270 goto next_option; 274 goto next_option;
271 } 275 }
276 cp = "tunnel=\"";
277 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
278 char *tun = NULL;
279 opts += strlen(cp);
280 tun = xmalloc(strlen(opts) + 1);
281 i = 0;
282 while (*opts) {
283 if (*opts == '"')
284 break;
285 tun[i++] = *opts++;
286 }
287 if (!*opts) {
288 debug("%.100s, line %lu: missing end quote",
289 file, linenum);
290 auth_debug_add("%.100s, line %lu: missing end quote",
291 file, linenum);
292 xfree(tun);
293 forced_tun_device = -1;
294 goto bad_option;
295 }
296 tun[i] = 0;
297 forced_tun_device = a2tun(tun, NULL);
298 xfree(tun);
299 if (forced_tun_device == SSH_TUNID_ERR) {
300 debug("%.100s, line %lu: invalid tun device",
301 file, linenum);
302 auth_debug_add("%.100s, line %lu: invalid tun device",
303 file, linenum);
304 forced_tun_device = -1;
305 goto bad_option;
306 }
307 auth_debug_add("Forced tun device: %d", forced_tun_device);
308 opts++;
309 goto next_option;
310 }
272next_option: 311next_option:
273 /* 312 /*
274 * Skip the comma, and move to the next option 313 * Skip the comma, and move to the next option
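Review bot: The comment `/* "tunnel=" option. */` on `forced_tun_device` does not say that -1 means the key sets no forced device, even though the initialiser, auth_clear_options and both error branches depend on that sentinel. The parser also compares the a2tun() result with `SSH_TUNID_ERR` and then stores -1, so a reader cannot tell from here whether the two values are meant to differ. I would spell it out: `/* "tunnel=" option: forced tun device unit, -1 when the key sets none. */`. Whoever enforces the restriction needs to know exactly which value means unrestricted; auth_parse_options itself starts and ends outside the hunk.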
diff --git a/auth-options.h b/auth-options.h
index 15fb21255..3cd02a71f 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth-options.h,v 1.12 2002/07/21 18:34:43 stevesk Exp $ */ 1/* $OpenBSD: auth-options.h,v 1.13 2005/12/06 22:38:27 reyk Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -28,6 +28,7 @@ extern int no_x11_forwarding_flag;
28extern int no_pty_flag; 28extern int no_pty_flag;
29extern char *forced_command; 29extern char *forced_command;
30extern struct envstring *custom_environment; 30extern struct envstring *custom_environment;
31extern int forced_tun_device;
31 32
32int auth_parse_options(struct passwd *, char *, char *, u_long); 33int auth_parse_options(struct passwd *, char *, char *, u_long);
33void auth_clear_options(void); 34void auth_clear_options(void);
diff --git a/auth-pam.c b/auth-pam.c
index 0446cd559..fb9ae954a 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,7 @@
47 47
48/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ 48/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
49#include "includes.h" 49#include "includes.h"
50RCSID("$Id: auth-pam.c,v 1.126 2005/07/17 07:18:50 djm Exp $"); 50RCSID("$Id: auth-pam.c,v 1.128 2006/01/29 05:46:13 dtucker Exp $");
51 51
52#ifdef USE_PAM 52#ifdef USE_PAM
53#if defined(HAVE_SECURITY_PAM_APPL_H) 53#if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -716,8 +716,18 @@ sshpam_query(void *ctx, char **name, char **info,
716 plen++; 716 plen++;
717 xfree(msg); 717 xfree(msg);
718 break; 718 break;
719 case PAM_SUCCESS:
720 case PAM_AUTH_ERR: 719 case PAM_AUTH_ERR:
720 debug3("PAM: PAM_AUTH_ERR");
721 if (**prompts != NULL && strlen(**prompts) != 0) {
722 *info = **prompts;
723 **prompts = NULL;
724 *num = 0;
725 **echo_on = 0;
726 ctxt->pam_done = -1;
727 return 0;
728 }
729 /* FALLTHROUGH */
730 case PAM_SUCCESS:
721 if (**prompts != NULL) { 731 if (**prompts != NULL) {
722 /* drain any accumulated messages */ 732 /* drain any accumulated messages */
723 debug("PAM: %s", **prompts); 733 debug("PAM: %s", **prompts);
@@ -763,7 +773,7 @@ sshpam_respond(void *ctx, u_int num, char **resp)
763 Buffer buffer; 773 Buffer buffer;
764 struct pam_ctxt *ctxt = ctx; 774 struct pam_ctxt *ctxt = ctx;
765 775
766 debug2("PAM: %s entering, %d responses", __func__, num); 776 debug2("PAM: %s entering, %u responses", __func__, num);
767 switch (ctxt->pam_done) { 777 switch (ctxt->pam_done) {
768 case 1: 778 case 1:
769 sshpam_authenticated = 1; 779 sshpam_authenticated = 1;
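Review bot: The new early `return 0;` in the PAM_AUTH_ERR case of sshpam_query leaves `msg` unreleased, whereas the case just above it ends with `xfree(msg); break;`. If `msg` is allocated before the switch, as that sibling case suggests, each failed attempt that carries accumulated prompt text leaks it, and this path runs before authentication has succeeded. Adding `xfree(msg);` before `return 0;` would close it. The switch and the allocation of `msg` start outside the hunk, so check the ownership there.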
diff --git a/auth2-gss.c b/auth2-gss.c
index 9295d531b..a6a9c05cd 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-gss.c,v 1.10 2005/07/17 07:17:54 djm Exp $ */ 1/* $OpenBSD: auth2-gss.c,v 1.12 2005/10/13 22:24:31 stevesk Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -34,7 +34,6 @@
34#include "log.h" 34#include "log.h"
35#include "dispatch.h" 35#include "dispatch.h"
36#include "servconf.h" 36#include "servconf.h"
37#include "compat.h"
38#include "packet.h" 37#include "packet.h"
39#include "monitor_wrap.h" 38#include "monitor_wrap.h"
40 39
@@ -82,7 +81,7 @@ userauth_gsskeyex(Authctxt *authctxt)
82 81
83/* 82/*
84 * We only support those mechanisms that we know about (ie ones that we know 83 * We only support those mechanisms that we know about (ie ones that we know
85 * how to check local user kuserok and the like 84 * how to check local user kuserok and the like)
86 */ 85 */
87static int 86static int
88userauth_gssapi(Authctxt *authctxt) 87userauth_gssapi(Authctxt *authctxt)
@@ -138,7 +137,7 @@ userauth_gssapi(Authctxt *authctxt)
138 return (0); 137 return (0);
139 } 138 }
140 139
141 authctxt->methoddata=(void *)ctxt; 140 authctxt->methoddata = (void *)ctxt;
142 141
143 packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE); 142 packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE);
144 143
diff --git a/auth2.c b/auth2.c
index bb25597e7..f12440815 100644
--- a/auth2.c
+++ b/auth2.c
@@ -163,21 +163,17 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
163 if (authctxt->pw && strcmp(service, "ssh-connection")==0) { 163 if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
164 authctxt->valid = 1; 164 authctxt->valid = 1;
165 debug2("input_userauth_request: setting up authctxt for %s", user); 165 debug2("input_userauth_request: setting up authctxt for %s", user);
166#ifdef USE_PAM
167 if (options.use_pam)
168 PRIVSEP(start_pam(authctxt));
169#endif
170 } else { 166 } else {
171 logit("input_userauth_request: invalid user %s", user); 167 logit("input_userauth_request: invalid user %s", user);
172 authctxt->pw = fakepw(); 168 authctxt->pw = fakepw();
173#ifdef USE_PAM
174 if (options.use_pam)
175 PRIVSEP(start_pam(authctxt));
176#endif
177#ifdef SSH_AUDIT_EVENTS 169#ifdef SSH_AUDIT_EVENTS
178 PRIVSEP(audit_event(SSH_INVALID_USER)); 170 PRIVSEP(audit_event(SSH_INVALID_USER));
179#endif 171#endif
180 } 172 }
173#ifdef USE_PAM
174 if (options.use_pam)
175 PRIVSEP(start_pam(authctxt));
176#endif
181 setproctitle("%s%s", authctxt->valid ? user : "unknown", 177 setproctitle("%s%s", authctxt->valid ? user : "unknown",
182 use_privsep ? " [net]" : ""); 178 use_privsep ? " [net]" : "");
183 authctxt->service = xstrdup(service); 179 authctxt->service = xstrdup(service);
diff --git a/bufaux.c b/bufaux.c
index 8d096a056..106a3a0c7 100644
--- a/bufaux.c
+++ b/bufaux.c
@@ -37,7 +37,7 @@
37 */ 37 */
38 38
39#include "includes.h" 39#include "includes.h"
40RCSID("$OpenBSD: bufaux.c,v 1.36 2005/06/17 02:44:32 djm Exp $"); 40RCSID("$OpenBSD: bufaux.c,v 1.37 2005/11/05 05:01:15 djm Exp $");
41 41
42#include <openssl/bn.h> 42#include <openssl/bn.h>
43#include "bufaux.h" 43#include "bufaux.h"
@@ -63,6 +63,7 @@ buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
63 if (oi != bin_size) { 63 if (oi != bin_size) {
64 error("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d", 64 error("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d",
65 oi, bin_size); 65 oi, bin_size);
66 xfree(buf);
66 return (-1); 67 return (-1);
67 } 68 }
68 69
@@ -187,10 +188,12 @@ buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value)
187 188
188 if (len > 0 && (bin[0] & 0x80)) { 189 if (len > 0 && (bin[0] & 0x80)) {
189 error("buffer_get_bignum2_ret: negative numbers not supported"); 190 error("buffer_get_bignum2_ret: negative numbers not supported");
191 xfree(bin);
190 return (-1); 192 return (-1);
191 } 193 }
192 if (len > 8 * 1024) { 194 if (len > 8 * 1024) {
193 error("buffer_get_bignum2_ret: cannot handle BN of size %d", len); 195 error("buffer_get_bignum2_ret: cannot handle BN of size %d", len);
196 xfree(bin);
194 return (-1); 197 return (-1);
195 } 198 }
196 BN_bin2bn(bin, len, value); 199 BN_bin2bn(bin, len, value);
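Review bot: The error paths in buffer_get_bignum2_ret now free `bin`, but `BN_bin2bn(bin, len, value);` directly after them still ignores its result. BN_bin2bn returns NULL on failure, so a failed conversion would, as far as the hunk shows, leave `value` unset while the function carries on as if parsing had succeeded. A check in the same style as the two above it, `if (BN_bin2bn(bin, len, value) == NULL) { xfree(bin); return (-1); }`, would complete the function's -1 error contract. The rest of the function is outside the hunk.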
diff --git a/buildpkg.sh.in b/buildpkg.sh.in
index f90ae6e81..cb9eb3048 100644
--- a/buildpkg.sh.in
+++ b/buildpkg.sh.in
@@ -353,7 +353,7 @@ else
353 # Create user if required 353 # Create user if required
354 [ "\$DO_PASSWD" = yes ] && { 354 [ "\$DO_PASSWD" = yes ] && {
355 # Use uid of 67 if possible 355 # Use uid of 67 if possible
356 if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null 356 if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDUID'\$' >/dev/null
357 then 357 then
358 : 358 :
359 else 359 else
diff --git a/canohost.c b/canohost.c
index c27086bfd..6ca60e6b4 100644
--- a/canohost.c
+++ b/canohost.c
@@ -12,7 +12,7 @@
12 */ 12 */
13 13
14#include "includes.h" 14#include "includes.h"
15RCSID("$OpenBSD: canohost.c,v 1.44 2005/06/17 02:44:32 djm Exp $"); 15RCSID("$OpenBSD: canohost.c,v 1.48 2005/12/28 22:46:06 stevesk Exp $");
16 16
17#include "packet.h" 17#include "packet.h"
18#include "xmalloc.h" 18#include "xmalloc.h"
@@ -43,9 +43,6 @@ get_remote_hostname(int sock, int use_dns)
43 cleanup_exit(255); 43 cleanup_exit(255);
44 } 44 }
45 45
46 if (from.ss_family == AF_INET)
47 check_ip_options(sock, ntop);
48
49 ipv64_normalise_mapped(&from, &fromlen); 46 ipv64_normalise_mapped(&from, &fromlen);
50 47
51 if (from.ss_family == AF_INET6) 48 if (from.ss_family == AF_INET6)
@@ -55,6 +52,9 @@ get_remote_hostname(int sock, int use_dns)
55 NULL, 0, NI_NUMERICHOST) != 0) 52 NULL, 0, NI_NUMERICHOST) != 0)
56 fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed"); 53 fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
57 54
55 if (from.ss_family == AF_INET)
56 check_ip_options(sock, ntop);
57
58 if (!use_dns) 58 if (!use_dns)
59 return xstrdup(ntop); 59 return xstrdup(ntop);
60 60
@@ -102,7 +102,7 @@ get_remote_hostname(int sock, int use_dns)
102 hints.ai_socktype = SOCK_STREAM; 102 hints.ai_socktype = SOCK_STREAM;
103 if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { 103 if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
104 logit("reverse mapping checking getaddrinfo for %.700s " 104 logit("reverse mapping checking getaddrinfo for %.700s "
105 "failed - POSSIBLE BREAKIN ATTEMPT!", name); 105 "failed - POSSIBLE BREAK-IN ATTEMPT!", name);
106 return xstrdup(ntop); 106 return xstrdup(ntop);
107 } 107 }
108 /* Look for the address from the list of addresses. */ 108 /* Look for the address from the list of addresses. */
@@ -117,7 +117,7 @@ get_remote_hostname(int sock, int use_dns)
117 if (!ai) { 117 if (!ai) {
118 /* Address not found for the host name. */ 118 /* Address not found for the host name. */
119 logit("Address %.100s maps to %.600s, but this does not " 119 logit("Address %.100s maps to %.600s, but this does not "
120 "map back to the address - POSSIBLE BREAKIN ATTEMPT!", 120 "map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
121 ntop, name); 121 ntop, name);
122 return xstrdup(ntop); 122 return xstrdup(ntop);
123 } 123 }
@@ -158,9 +158,7 @@ check_ip_options(int sock, char *ipaddr)
158 for (i = 0; i < option_size; i++) 158 for (i = 0; i < option_size; i++)
159 snprintf(text + i*3, sizeof(text) - i*3, 159 snprintf(text + i*3, sizeof(text) - i*3,
160 " %2.2x", options[i]); 160 " %2.2x", options[i]);
161 logit("Connection from %.100s with IP options:%.800s", 161 fatal("Connection from %.100s with IP options:%.800s",
162 ipaddr, text);
163 packet_disconnect("Connection from %.100s with IP options:%.800s",
164 ipaddr, text); 162 ipaddr, text);
165 } 163 }
166#endif /* IP_OPTIONS */ 164#endif /* IP_OPTIONS */
@@ -200,26 +198,27 @@ ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
200const char * 198const char *
201get_canonical_hostname(int use_dns) 199get_canonical_hostname(int use_dns)
202{ 200{
201 char *host;
203 static char *canonical_host_name = NULL; 202 static char *canonical_host_name = NULL;
204 static int use_dns_done = 0; 203 static char *remote_ip = NULL;
205 204
206 /* Check if we have previously retrieved name with same option. */ 205 /* Check if we have previously retrieved name with same option. */
207 if (canonical_host_name != NULL) { 206 if (use_dns && canonical_host_name != NULL)
208 if (use_dns_done != use_dns) 207 return canonical_host_name;
209 xfree(canonical_host_name); 208 if (!use_dns && remote_ip != NULL)
210 else 209 return remote_ip;
211 return canonical_host_name;
212 }
213 210
214 /* Get the real hostname if socket; otherwise return UNKNOWN. */ 211 /* Get the real hostname if socket; otherwise return UNKNOWN. */
215 if (packet_connection_is_on_socket()) 212 if (packet_connection_is_on_socket())
216 canonical_host_name = get_remote_hostname( 213 host = get_remote_hostname(packet_get_connection_in(), use_dns);
217 packet_get_connection_in(), use_dns);
218 else 214 else
219 canonical_host_name = xstrdup("UNKNOWN"); 215 host = "UNKNOWN";
220 216
221 use_dns_done = use_dns; 217 if (use_dns)
222 return canonical_host_name; 218 canonical_host_name = host;
219 else
220 remote_ip = host;
221 return host;
223} 222}
224 223
225/* 224/*
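Review bot: The move of `check_ip_options(sock, ntop)` below the getnameinfo() call in get_remote_hostname carries no comment, and the order matters. In the old position `ntop` was passed before the NI_NUMERICHOST lookup that appears to fill it in, so the address in the message could not be relied on. The check now also runs after `ipv64_normalise_mapped()`, which presumably brings IPv4-mapped connections under the AF_INET test as well. I would add above the call: `/* Keep after getnameinfo(): check_ip_options() reports ntop. */`. The start of the function is outside the hunk.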
diff --git a/channels.c b/channels.c
index 707b57d86..92448da77 100644
--- a/channels.c
+++ b/channels.c
@@ -39,7 +39,7 @@
39 */ 39 */
40 40
41#include "includes.h" 41#include "includes.h"
42RCSID("$OpenBSD: channels.c,v 1.223 2005/07/17 07:17:54 djm Exp $"); 42RCSID("$OpenBSD: channels.c,v 1.232 2006/01/30 12:22:22 reyk Exp $");
43 43
44#include "ssh.h" 44#include "ssh.h"
45#include "ssh1.h" 45#include "ssh1.h"
@@ -58,8 +58,6 @@ RCSID("$OpenBSD: channels.c,v 1.223 2005/07/17 07:17:54 djm Exp $");
58 58
59/* -- channel core */ 59/* -- channel core */
60 60
61#define CHAN_RBUF 16*1024
62
63/* 61/*
64 * Pointer to an array containing all allocated channels. The array is 62 * Pointer to an array containing all allocated channels. The array is
65 * dynamically extended as needed. 63 * dynamically extended as needed.
@@ -142,23 +140,51 @@ static void port_open_helper(Channel *c, char *rtype);
142/* -- channel core */ 140/* -- channel core */
143 141
144Channel * 142Channel *
145channel_lookup(int id) 143channel_by_id(int id)
146{ 144{
147 Channel *c; 145 Channel *c;
148 146
149 if (id < 0 || (u_int)id >= channels_alloc) { 147 if (id < 0 || (u_int)id >= channels_alloc) {
150 logit("channel_lookup: %d: bad id", id); 148 logit("channel_by_id: %d: bad id", id);
151 return NULL; 149 return NULL;
152 } 150 }
153 c = channels[id]; 151 c = channels[id];
154 if (c == NULL) { 152 if (c == NULL) {
155 logit("channel_lookup: %d: bad id: channel free", id); 153 logit("channel_by_id: %d: bad id: channel free", id);
156 return NULL; 154 return NULL;
157 } 155 }
158 return c; 156 return c;
159} 157}
160 158
161/* 159/*
160 * Returns the channel if it is allowed to receive protocol messages.
161 * Private channels, like listening sockets, may not receive messages.
162 */
163Channel *
164channel_lookup(int id)
165{
166 Channel *c;
167
168 if ((c = channel_by_id(id)) == NULL)
169 return (NULL);
170
171 switch(c->type) {
172 case SSH_CHANNEL_X11_OPEN:
173 case SSH_CHANNEL_LARVAL:
174 case SSH_CHANNEL_CONNECTING:
175 case SSH_CHANNEL_DYNAMIC:
176 case SSH_CHANNEL_OPENING:
177 case SSH_CHANNEL_OPEN:
178 case SSH_CHANNEL_INPUT_DRAINING:
179 case SSH_CHANNEL_OUTPUT_DRAINING:
180 return (c);
181 break;
182 }
183 logit("Non-public channel %d, type %d.", id, c->type);
184 return (NULL);
185}
186
187/*
162 * Register filedescriptors for a channel, used when allocating a channel or 188 * Register filedescriptors for a channel, used when allocating a channel or
163 * when the channel consumer/producer is ready, e.g. shell exec'd 189 * when the channel consumer/producer is ready, e.g. shell exec'd
164 */ 190 */
@@ -269,9 +295,11 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
269 c->force_drain = 0; 295 c->force_drain = 0;
270 c->single_connection = 0; 296 c->single_connection = 0;
271 c->detach_user = NULL; 297 c->detach_user = NULL;
298 c->detach_close = 0;
272 c->confirm = NULL; 299 c->confirm = NULL;
273 c->confirm_ctx = NULL; 300 c->confirm_ctx = NULL;
274 c->input_filter = NULL; 301 c->input_filter = NULL;
302 c->output_filter = NULL;
275 debug("channel %d: new [%s]", found, remote_name); 303 debug("channel %d: new [%s]", found, remote_name);
276 return c; 304 return c;
277} 305}
@@ -628,29 +656,32 @@ channel_register_confirm(int id, channel_callback_fn *fn, void *ctx)
628 c->confirm_ctx = ctx; 656 c->confirm_ctx = ctx;
629} 657}
630void 658void
631channel_register_cleanup(int id, channel_callback_fn *fn) 659channel_register_cleanup(int id, channel_callback_fn *fn, int do_close)
632{ 660{
633 Channel *c = channel_lookup(id); 661 Channel *c = channel_by_id(id);
634 662
635 if (c == NULL) { 663 if (c == NULL) {
636 logit("channel_register_cleanup: %d: bad id", id); 664 logit("channel_register_cleanup: %d: bad id", id);
637 return; 665 return;
638 } 666 }
639 c->detach_user = fn; 667 c->detach_user = fn;
668 c->detach_close = do_close;
640} 669}
641void 670void
642channel_cancel_cleanup(int id) 671channel_cancel_cleanup(int id)
643{ 672{
644 Channel *c = channel_lookup(id); 673 Channel *c = channel_by_id(id);
645 674
646 if (c == NULL) { 675 if (c == NULL) {
647 logit("channel_cancel_cleanup: %d: bad id", id); 676 logit("channel_cancel_cleanup: %d: bad id", id);
648 return; 677 return;
649 } 678 }
650 c->detach_user = NULL; 679 c->detach_user = NULL;
680 c->detach_close = 0;
651} 681}
652void 682void
653channel_register_filter(int id, channel_filter_fn *fn) 683channel_register_filter(int id, channel_infilter_fn *ifn,
684 channel_outfilter_fn *ofn)
654{ 685{
655 Channel *c = channel_lookup(id); 686 Channel *c = channel_lookup(id);
656 687
@@ -658,7 +689,8 @@ channel_register_filter(int id, channel_filter_fn *fn)
658 logit("channel_register_filter: %d: bad id", id); 689 logit("channel_register_filter: %d: bad id", id);
659 return; 690 return;
660 } 691 }
661 c->input_filter = fn; 692 c->input_filter = ifn;
693 c->output_filter = ofn;
662} 694}
663 695
664void 696void
@@ -1227,6 +1259,19 @@ port_open_helper(Channel *c, char *rtype)
1227 xfree(remote_ipaddr); 1259 xfree(remote_ipaddr);
1228} 1260}
1229 1261
1262static void
1263channel_set_reuseaddr(int fd)
1264{
1265 int on = 1;
1266
1267 /*
1268 * Set socket options.
1269 * Allow local port reuse in TIME_WAIT.
1270 */
1271 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1)
1272 error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno));
1273}
1274
1230/* 1275/*
1231 * This socket is listening for connections to a forwarded TCP/IP port. 1276 * This socket is listening for connections to a forwarded TCP/IP port.
1232 */ 1277 */
@@ -1398,6 +1443,8 @@ channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
1398 debug2("channel %d: filter stops", c->self); 1443 debug2("channel %d: filter stops", c->self);
1399 chan_read_failed(c); 1444 chan_read_failed(c);
1400 } 1445 }
1446 } else if (c->datagram) {
1447 buffer_put_string(&c->input, buf, len);
1401 } else { 1448 } else {
1402 buffer_append(&c->input, buf, len); 1449 buffer_append(&c->input, buf, len);
1403 } 1450 }
@@ -1408,7 +1455,7 @@ static int
1408channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset) 1455channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
1409{ 1456{
1410 struct termios tio; 1457 struct termios tio;
1411 u_char *data; 1458 u_char *data = NULL, *buf;
1412 u_int dlen; 1459 u_int dlen;
1413 int len; 1460 int len;
1414 1461
@@ -1416,14 +1463,45 @@ channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
1416 if (c->wfd != -1 && 1463 if (c->wfd != -1 &&
1417 FD_ISSET(c->wfd, writeset) && 1464 FD_ISSET(c->wfd, writeset) &&
1418 buffer_len(&c->output) > 0) { 1465 buffer_len(&c->output) > 0) {
1419 data = buffer_ptr(&c->output); 1466 if (c->output_filter != NULL) {
1420 dlen = buffer_len(&c->output); 1467 if ((buf = c->output_filter(c, &data, &dlen)) == NULL) {
1468 debug2("channel %d: filter stops", c->self);
1469 if (c->type != SSH_CHANNEL_OPEN)
1470 chan_mark_dead(c);
1471 else
1472 chan_write_failed(c);
1473 return -1;
1474 }
1475 } else if (c->datagram) {
1476 buf = data = buffer_get_string(&c->output, &dlen);
1477 } else {
1478 buf = data = buffer_ptr(&c->output);
1479 dlen = buffer_len(&c->output);
1480 }
1481
1482 if (c->datagram) {
1483 /* ignore truncated writes, datagrams might get lost */
1484 c->local_consumed += dlen + 4;
1485 len = write(c->wfd, buf, dlen);
1486 xfree(data);
1487 if (len < 0 && (errno == EINTR || errno == EAGAIN))
1488 return 1;
1489 if (len <= 0) {
1490 if (c->type != SSH_CHANNEL_OPEN)
1491 chan_mark_dead(c);
1492 else
1493 chan_write_failed(c);
1494 return -1;
1495 }
1496 return 1;
1497 }
1421#ifdef _AIX 1498#ifdef _AIX
1422 /* XXX: Later AIX versions can't push as much data to tty */ 1499 /* XXX: Later AIX versions can't push as much data to tty */
1423 if (compat20 && c->wfd_isatty) 1500 if (compat20 && c->wfd_isatty)
1424 dlen = MIN(dlen, 8*1024); 1501 dlen = MIN(dlen, 8*1024);
1425#endif 1502#endif
1426 len = write(c->wfd, data, dlen); 1503
1504 len = write(c->wfd, buf, dlen);
1427 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1505 if (len < 0 && (errno == EINTR || errno == EAGAIN))
1428 return 1; 1506 return 1;
1429 if (len <= 0) { 1507 if (len <= 0) {
@@ -1440,14 +1518,14 @@ channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
1440 } 1518 }
1441 return -1; 1519 return -1;
1442 } 1520 }
1443 if (compat20 && c->isatty && dlen >= 1 && data[0] != '\r') { 1521 if (compat20 && c->isatty && dlen >= 1 && buf[0] != '\r') {
1444 if (tcgetattr(c->wfd, &tio) == 0 && 1522 if (tcgetattr(c->wfd, &tio) == 0 &&
1445 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { 1523 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
1446 /* 1524 /*
1447 * Simulate echo to reduce the impact of 1525 * Simulate echo to reduce the impact of
1448 * traffic analysis. We need to match the 1526 * traffic analysis. We need to match the
1449 * size of a SSH2_MSG_CHANNEL_DATA message 1527 * size of a SSH2_MSG_CHANNEL_DATA message
1450 * (4 byte channel id + data) 1528 * (4 byte channel id + buf)
1451 */ 1529 */
1452 packet_send_ignore(4 + len); 1530 packet_send_ignore(4 + len);
1453 packet_send(); 1531 packet_send();
@@ -1666,7 +1744,7 @@ channel_garbage_collect(Channel *c)
1666 if (c == NULL) 1744 if (c == NULL)
1667 return; 1745 return;
1668 if (c->detach_user != NULL) { 1746 if (c->detach_user != NULL) {
1669 if (!chan_is_dead(c, 0)) 1747 if (!chan_is_dead(c, c->detach_close))
1670 return; 1748 return;
1671 debug2("channel %d: gc: notify user", c->self); 1749 debug2("channel %d: gc: notify user", c->self);
1672 c->detach_user(c->self, NULL); 1750 c->detach_user(c->self, NULL);
@@ -1776,6 +1854,22 @@ channel_output_poll(void)
1776 if ((c->istate == CHAN_INPUT_OPEN || 1854 if ((c->istate == CHAN_INPUT_OPEN ||
1777 c->istate == CHAN_INPUT_WAIT_DRAIN) && 1855 c->istate == CHAN_INPUT_WAIT_DRAIN) &&
1778 (len = buffer_len(&c->input)) > 0) { 1856 (len = buffer_len(&c->input)) > 0) {
1857 if (c->datagram) {
1858 if (len > 0) {
1859 u_char *data;
1860 u_int dlen;
1861
1862 data = buffer_get_string(&c->input,
1863 &dlen);
1864 packet_start(SSH2_MSG_CHANNEL_DATA);
1865 packet_put_int(c->remote_id);
1866 packet_put_string(data, dlen);
1867 packet_send();
1868 c->remote_window -= dlen + 4;
1869 xfree(data);
1870 }
1871 continue;
1872 }
1779 /* 1873 /*
1780 * Send some data for the other side over the secure 1874 * Send some data for the other side over the secure
1781 * connection. 1875 * connection.
@@ -1898,7 +1992,10 @@ channel_input_data(int type, u_int32_t seq, void *ctxt)
1898 c->local_window -= data_len; 1992 c->local_window -= data_len;
1899 } 1993 }
1900 packet_check_eom(); 1994 packet_check_eom();
1901 buffer_append(&c->output, data, data_len); 1995 if (c->datagram)
1996 buffer_put_string(&c->output, data, data_len);
1997 else
1998 buffer_append(&c->output, data, data_len);
1902 xfree(data); 1999 xfree(data);
1903} 2000}
1904 2001
@@ -2129,9 +2226,8 @@ channel_input_window_adjust(int type, u_int32_t seq, void *ctxt)
2129 id = packet_get_int(); 2226 id = packet_get_int();
2130 c = channel_lookup(id); 2227 c = channel_lookup(id);
2131 2228
2132 if (c == NULL || c->type != SSH_CHANNEL_OPEN) { 2229 if (c == NULL) {
2133 logit("Received window adjust for " 2230 logit("Received window adjust for non-open channel %d.", id);
2134 "non-open channel %d.", id);
2135 return; 2231 return;
2136 } 2232 }
2137 adjust = packet_get_int(); 2233 adjust = packet_get_int();
@@ -2188,7 +2284,7 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por
2188 const char *host_to_connect, u_short port_to_connect, int gateway_ports) 2284 const char *host_to_connect, u_short port_to_connect, int gateway_ports)
2189{ 2285{
2190 Channel *c; 2286 Channel *c;
2191 int sock, r, success = 0, on = 1, wildcard = 0, is_client; 2287 int sock, r, success = 0, wildcard = 0, is_client;
2192 struct addrinfo hints, *ai, *aitop; 2288 struct addrinfo hints, *ai, *aitop;
2193 const char *host, *addr; 2289 const char *host, *addr;
2194 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 2290 char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@@ -2275,13 +2371,8 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por
2275 verbose("socket: %.100s", strerror(errno)); 2371 verbose("socket: %.100s", strerror(errno));
2276 continue; 2372 continue;
2277 } 2373 }
2278 /* 2374
2279 * Set socket options. 2375 channel_set_reuseaddr(sock);
2280 * Allow local port reuse in TIME_WAIT.
2281 */
2282 if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on,
2283 sizeof(on)) == -1)
2284 error("setsockopt SO_REUSEADDR: %s", strerror(errno));
2285 2376
2286 debug("Local forwarding listening on %s port %s.", ntop, strport); 2377 debug("Local forwarding listening on %s port %s.", ntop, strport);
2287 2378
@@ -2453,7 +2544,7 @@ channel_request_rforward_cancel(const char *host, u_short port)
2453 2544
2454 permitted_opens[i].listen_port = 0; 2545 permitted_opens[i].listen_port = 0;
2455 permitted_opens[i].port_to_connect = 0; 2546 permitted_opens[i].port_to_connect = 0;
2456 free(permitted_opens[i].host_to_connect); 2547 xfree(permitted_opens[i].host_to_connect);
2457 permitted_opens[i].host_to_connect = NULL; 2548 permitted_opens[i].host_to_connect = NULL;
2458} 2549}
2459 2550
@@ -2668,6 +2759,9 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
2668 char strport[NI_MAXSERV]; 2759 char strport[NI_MAXSERV];
2669 int gaierr, n, num_socks = 0, socks[NUM_SOCKS]; 2760 int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
2670 2761
2762 if (chanids == NULL)
2763 return -1;
2764
2671 for (display_number = x11_display_offset; 2765 for (display_number = x11_display_offset;
2672 display_number < MAX_DISPLAYS; 2766 display_number < MAX_DISPLAYS;
2673 display_number++) { 2767 display_number++) {
@@ -2708,6 +2802,7 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
2708 error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno)); 2802 error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno));
2709 } 2803 }
2710#endif 2804#endif
2805 channel_set_reuseaddr(sock);
2711 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 2806 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2712 debug2("bind port %d: %.100s", port, strerror(errno)); 2807 debug2("bind port %d: %.100s", port, strerror(errno));
2713 close(sock); 2808 close(sock);
@@ -2753,8 +2848,7 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
2753 } 2848 }
2754 2849
2755 /* Allocate a channel for each socket. */ 2850 /* Allocate a channel for each socket. */
2756 if (chanids != NULL) 2851 *chanids = xmalloc(sizeof(**chanids) * (num_socks + 1));
2757 *chanids = xmalloc(sizeof(**chanids) * (num_socks + 1));
2758 for (n = 0; n < num_socks; n++) { 2852 for (n = 0; n < num_socks; n++) {
2759 sock = socks[n]; 2853 sock = socks[n];
2760 nc = channel_new("x11 listener", 2854 nc = channel_new("x11 listener",
@@ -2762,11 +2856,9 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
2762 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 2856 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
2763 0, "X11 inet listener", 1); 2857 0, "X11 inet listener", 1);
2764 nc->single_connection = single_connection; 2858 nc->single_connection = single_connection;
2765 if (*chanids != NULL) 2859 (*chanids)[n] = nc->self;
2766 (*chanids)[n] = nc->self;
2767 } 2860 }
2768 if (*chanids != NULL) 2861 (*chanids)[n] = -1;
2769 (*chanids)[n] = -1;
2770 2862
2771 /* Return the display number for the DISPLAY environment variable. */ 2863 /* Return the display number for the DISPLAY environment variable. */
2772 *display_numberp = display_number; 2864 *display_numberp = display_number;
@@ -2952,7 +3044,7 @@ deny_input_open(int type, u_int32_t seq, void *ctxt)
2952 error("deny_input_open: type %d", type); 3044 error("deny_input_open: type %d", type);
2953 break; 3045 break;
2954 } 3046 }
2955 error("Warning: this is probably a break in attempt by a malicious server."); 3047 error("Warning: this is probably a break-in attempt by a malicious server.");
2956 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 3048 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
2957 packet_put_int(rchan); 3049 packet_put_int(rchan);
2958 packet_send(); 3050 packet_send();
diff --git a/channels.h b/channels.h
index 1cb2c3a34..a97dd9007 100644
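--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.79 2005/07/17 06:49:04 djm Exp $ */
+/* $OpenBSD: channels.h,v 1.83 2005/12/30 15:56:37 reyk Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -63,7 +63,8 @@ struct Channel;
 typedef struct Channel Channel;
 
 typedef void channel_callback_fn(int, void *);
-typedef int channel_filter_fn(struct Channel *, char *, int);
+typedef int channel_infilter_fn(struct Channel *, char *, int);
+typedef u_char *channel_outfilter_fn(struct Channel *, u_char **, u_int *);
 
 struct Channel {
  int type; /* channel type/state */
@@ -106,11 +107,15 @@ struct Channel {
 
  /* callback */
  channel_callback_fn *confirm;
- channel_callback_fn *detach_user;
  void *confirm_ctx;
+ channel_callback_fn *detach_user;
+ int detach_close;
 
  /* filter */
- channel_filter_fn *input_filter;
+ channel_infilter_fn *input_filter;
+ channel_outfilter_fn *output_filter;
+
+ int datagram; /* keep boundaries */
 };
 
 #define CHAN_EXTENDED_IGNORE 0
@@ -142,6 +147,8 @@ struct Channel {
 #define CHAN_EOF_SENT 0x04
 #define CHAN_EOF_RCVD 0x08
 
+#define CHAN_RBUF 16*1024
+
 /* check whether 'efd' is still in use */
 #define CHANNEL_EFD_INPUT_ACTIVE(c) \
  (compat20 && c->extended_usage == CHAN_EXTENDED_READ && \
@@ -154,6 +161,7 @@ struct Channel {
 
 /* channel management */
 
+Channel *channel_by_id(int);
 Channel *channel_lookup(int);
 Channel *channel_new(char *, int, int, int, int, u_int, u_int, int, char *, int);
 void channel_set_fds(int, int, int, int, int, int, u_int);
@@ -163,9 +171,9 @@ void channel_stop_listening(void);
 
 void channel_send_open(int);
 void channel_request_start(int, char *, int);
-void channel_register_cleanup(int, channel_callback_fn *);
+void channel_register_cleanup(int, channel_callback_fn *, int);
 void channel_register_confirm(int, channel_callback_fn *, void *);
-void channel_register_filter(int, channel_filter_fn *);
+void channel_register_filter(int, channel_infilter_fn *, channel_outfilter_fn *);
 void channel_cancel_cleanup(int);
 int channel_close_fd(int *);
 void channel_send_window_changes(void);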
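Review bot: The new `#define CHAN_RBUF 16*1024` is an unparenthesised expression, so a use next to an operator of equal or higher precedence (for example `len / CHAN_RBUF` or `x % CHAN_RBUF`) expands to something other than the intended 16384; write it as `#define CHAN_RBUF (16*1024)`. In the same header the new `channel_outfilter_fn` typedef returns a `u_char *` and takes `u_char **` and `u_int *`, but nothing states who owns the returned buffer or what a NULL return means. A comment above the typedef stating that contract, and one saying what the added third `int` of `channel_register_cleanup` selects, would help anyone reviewing the callers, not all of which are visible on this page.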
diff --git a/cipher-aes.c b/cipher-aes.c
index 22d500d42..228ddb104 100644
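--- a/cipher-aes.c
+++ b/cipher-aes.c
@@ -23,7 +23,11 @@
  */
 
 #include "includes.h"
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+
+/* compatibility with old or broken OpenSSL versions */
+#include "openbsd-compat/openssl-compat.h"
+
+#ifdef USE_BUILTIN_RIJNDAEL
 RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $");
 
 #include <openssl/evp.h>
@@ -31,10 +35,6 @@ RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $");
 #include "xmalloc.h"
 #include "log.h"
 
-#if OPENSSL_VERSION_NUMBER < 0x00906000L
-#define SSH_OLD_EVP
-#endif
-
 #define RIJNDAEL_BLOCKSIZE 16
 struct ssh_rijndael_ctx
 {
@@ -157,4 +157,4 @@ evp_rijndael(void)
 #endif
  return (&rijndal_cbc);
 }
-#endif /* OPENSSL_VERSION_NUMBER */
+#endif /* USE_BUILTIN_RIJNDAEL */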
diff --git a/cipher-ctr.c b/cipher-ctr.c
index 856177349..8a98f3c42 100644
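--- a/cipher-ctr.c
+++ b/cipher-ctr.c
@@ -21,11 +21,10 @@ RCSID("$OpenBSD: cipher-ctr.c,v 1.6 2005/07/17 07:17:55 djm Exp $");
 #include "log.h"
 #include "xmalloc.h"
 
-#if OPENSSL_VERSION_NUMBER < 0x00906000L
-#define SSH_OLD_EVP
-#endif
+/* compatibility with old or broken OpenSSL versions */
+#include "openbsd-compat/openssl-compat.h"
 
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#ifdef USE_BUILTIN_RIJNDAEL
 #include "rijndael.h"
 #define AES_KEY rijndael_ctx
 #define AES_BLOCK_SIZE 16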
diff --git a/cipher.c b/cipher.c
index 0dddf270a..1434d5524 100644
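--- a/cipher.c
+++ b/cipher.c
@@ -334,7 +334,7 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
  if ((u_int)evplen != len)
  fatal("%s: wrong iv length %d != %d", __func__,
  evplen, len);
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#ifdef USE_BUILTIN_RIJNDAEL
  if (c->evptype == evp_rijndael)
  ssh_rijndael_iv(&cc->evp, 0, iv, len);
  else
@@ -365,7 +365,7 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv)
  evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
  if (evplen == 0)
  return;
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#ifdef USE_BUILTIN_RIJNDAEL
  if (c->evptype == evp_rijndael)
  ssh_rijndael_iv(&cc->evp, 1, iv, evplen);
  else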
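Review bot: Both `#ifdef USE_BUILTIN_RIJNDAEL` guards, in cipher_get_keyiv and cipher_set_keyiv, now depend on a macro instead of `OPENSSL_VERSION_NUMBER`, and the cipher.c hunks shown here do not add `#include "openbsd-compat/openssl-compat.h"` the way the cipher-aes.c and cipher-ctr.c sections do. If that header is not already included before these lines (it may be, the top of cipher.c is not shown), the `ssh_rijndael_iv` branches are compiled out with no diagnostic and the built-in Rijndael context would have its IV read and written through the generic path in the `else` arm. It is worth confirming the include is present and adding a comment at each guard such as `/* USE_BUILTIN_RIJNDAEL comes from openbsd-compat/openssl-compat.h */`. Both functions start and end outside their hunks.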
diff --git a/clientloop.c b/clientloop.c
index 6a35c8e3e..5621768b5 100644
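--- a/clientloop.c
+++ b/clientloop.c
@@ -59,7 +59,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: clientloop.c,v 1.141 2005/07/16 01:35:24 djm Exp $");
+RCSID("$OpenBSD: clientloop.c,v 1.149 2005/12/30 15:56:37 reyk Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -77,6 +77,7 @@ RCSID("$OpenBSD: clientloop.c,v 1.141 2005/07/16 01:35:24 djm Exp $");
 #include "log.h"
 #include "readconf.h"
 #include "clientloop.h"
+#include "sshconnect.h"
 #include "authfd.h"
 #include "atomicio.h"
 #include "sshpty.h"
@@ -113,7 +114,7 @@ extern char *host;
 static volatile sig_atomic_t received_window_change_signal = 0;
 static volatile sig_atomic_t received_signal = 0;
 
-/* Flag indicating whether the user\'s terminal is in non-blocking mode. */
+/* Flag indicating whether the user's terminal is in non-blocking mode. */
 static int in_non_blocking_mode = 0;
 
 /* Common data for the client loop code. */
@@ -266,7 +267,7 @@ client_x11_get_proto(const char *display, const char *xauth_path,
  }
  }
  snprintf(cmd, sizeof(cmd),
- "%s %s%s list %s . 2>" _PATH_DEVNULL,
+ "%s %s%s list %s 2>" _PATH_DEVNULL,
  xauth_path,
  generated ? "-f " : "" ,
  generated ? xauthfile : "",
@@ -919,6 +920,15 @@ process_cmdline(void)
  logit(" -Lport:host:hostport Request local forward");
  logit(" -Rport:host:hostport Request remote forward");
  logit(" -KRhostport Cancel remote forward");
+ if (!options.permit_local_command)
+ goto out;
+ logit(" !args Execute local command");
+ goto out;
+ }
+
+ if (*s == '!' && options.permit_local_command) {
+ s++;
+ ssh_local_cmd(s);
  goto out;
  }
 
@@ -1381,10 +1391,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
  session_ident = ssh2_chan_id;
  if (escape_char != SSH_ESCAPECHAR_NONE)
  channel_register_filter(session_ident,
- simple_escape_filter);
+ simple_escape_filter, NULL);
  if (session_ident != -1)
  channel_register_cleanup(session_ident,
- client_channel_closed);
+ client_channel_closed, 0);
  } else {
  /* Check if we should immediately send eof on stdin. */
  client_check_initial_eof_on_stdin();
@@ -1685,7 +1695,7 @@ client_request_x11(const char *request_type, int rchan)
 
  if (!options.forward_x11) {
  error("Warning: ssh server tried X11 forwarding.");
- error("Warning: this is probably a break in attempt by a malicious server.");
+ error("Warning: this is probably a break-in attempt by a malicious server.");
  return NULL;
  }
  originator = packet_get_string(NULL);
@@ -1718,7 +1728,7 @@ client_request_agent(const char *request_type, int rchan)
 
  if (!options.forward_agent) {
  error("Warning: ssh server tried agent forwarding.");
- error("Warning: this is probably a break in attempt by a malicious server.");
+ error("Warning: this is probably a break-in attempt by a malicious server.");
  return NULL;
  }
  sock = ssh_get_authentication_socket();
@@ -1887,7 +1897,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
  /* Split */
  name = xstrdup(env[i]);
  if ((val = strchr(name, '=')) == NULL) {
- free(name);
+ xfree(name);
  continue;
  }
  *val++ = '\0';
@@ -1901,7 +1911,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
  }
  if (!matched) {
  debug3("Ignored env %s", name);
- free(name);
+ xfree(name);
  continue;
  }
 
@@ -1910,7 +1920,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
  packet_put_cstring(name);
  packet_put_cstring(val);
  packet_send();
- free(name);
+ xfree(name);
  }
  }
 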
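Review bot: The new `!` branch in process_cmdline calls `ssh_local_cmd(s)` and throws away its result, and it does not reject an empty argument, so `!` on its own or a command that fails to start returns to the session silently (unless ssh_local_cmd, declared in sshconnect.h and not shown here, reports this itself). Checking first with `if (*s == '\0') { logit("Missing local command"); goto out; }` and logging a failed status from the call would make the outcome of the escape visible. Since this runs a local program from the escape command line of a live session, a one-line comment saying that `options.permit_local_command` is the only gate would also help anyone auditing the escape handling. process_cmdline starts and ends outside this hunk.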
diff --git a/config.h.in b/config.h.in
index 551d7e5d9..05e17adc8 100644
--- a/config.h.in
+++ b/config.h.in
@@ -1,191 +1,87 @@
1/* config.h.in. Generated from configure.ac by autoheader. */ 1/* config.h.in. Generated from configure.ac by autoheader. */
2/* $Id: acconfig.h,v 1.183 2005/07/07 10:33:36 dtucker Exp $ */
3
4/*
5 * Copyright (c) 1999-2003 Damien Miller. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */
27
28#ifndef _CONFIG_H
29#define _CONFIG_H
30
31/* Generated automatically from acconfig.h by autoheader. */
32/* Please make your changes there */
33 2
3/* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
4 */
5#undef AIX_GETNAMEINFO_HACK
34 6
35/* Define if your platform breaks doing a seteuid before a setuid */ 7/* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */
36#undef SETEUID_BREAKS_SETUID 8#undef AIX_LOGINFAILED_4ARG
37
38/* Define if your setreuid() is broken */
39#undef BROKEN_SETREUID
40
41/* Define if your setregid() is broken */
42#undef BROKEN_SETREGID
43
44/* Define if your setresuid() is broken */
45#undef BROKEN_SETRESUID
46
47/* Define if your setresgid() is broken */
48#undef BROKEN_SETRESGID
49
50/* Define to a Set Process Title type if your system is */
51/* supported by bsd-setproctitle.c */
52#undef SPT_TYPE
53#undef SPT_PADCHAR
54
55/* SCO workaround */
56#undef BROKEN_SYS_TERMIO_H
57
58/* Define if you have SecureWare-based protected password database */
59#undef HAVE_SECUREWARE
60
61/* If your header files don't define LOGIN_PROGRAM, then use this (detected) */
62/* from environment and PATH */
63#undef LOGIN_PROGRAM_FALLBACK
64
65/* Full path of your "passwd" program */
66#undef _PATH_PASSWD_PROG
67
68/* Define if your password has a pw_class field */
69#undef HAVE_PW_CLASS_IN_PASSWD
70 9
71/* Define if your password has a pw_expire field */ 10/* Define if your resolver libs need this for getrrsetbyname */
72#undef HAVE_PW_EXPIRE_IN_PASSWD 11#undef BIND_8_COMPAT
73 12
74/* Define if your password has a pw_change field */ 13/* Define if cmsg_type is not passed correctly */
75#undef HAVE_PW_CHANGE_IN_PASSWD 14#undef BROKEN_CMSG_TYPE
76 15
77/* Define if your system uses access rights style file descriptor passing */ 16/* getaddrinfo is broken (if present) */
78#undef HAVE_ACCRIGHTS_IN_MSGHDR 17#undef BROKEN_GETADDRINFO
79 18
80/* Define if your system uses ancillary data style file descriptor passing */ 19/* getgroups(0,NULL) will return -1 */
81#undef HAVE_CONTROL_IN_MSGHDR 20#undef BROKEN_GETGROUPS
82 21
83/* Define if you system's inet_ntoa is busted (e.g. Irix gcc issue) */ 22/* Define if you system's inet_ntoa is busted (e.g. Irix gcc issue) */
84#undef BROKEN_INET_NTOA 23#undef BROKEN_INET_NTOA
85 24
86/* Define if your system defines sys_errlist[] */ 25/* ia_uinfo routines not supported by OS yet */
87#undef HAVE_SYS_ERRLIST 26#undef BROKEN_LIBIAF
88
89/* Define if your system defines sys_nerr */
90#undef HAVE_SYS_NERR
91
92/* Define if your system choked on IP TOS setting */
93#undef IP_TOS_IS_BROKEN
94
95/* Define if you have the getuserattr function. */
96#undef HAVE_GETUSERATTR
97
98/* Define if you have the basename function. */
99#undef HAVE_BASENAME
100
101/* Work around problematic Linux PAM modules handling of PAM_TTY */
102#undef PAM_TTY_KLUDGE
103
104/* Define if pam_chauthtok wants real uid set to the unpriv'ed user */
105#undef SSHPAM_CHAUTHTOK_NEEDS_RUID
106
107/* Use PIPES instead of a socketpair() */
108#undef USE_PIPES
109 27
110/* Define if your snprintf is busted */ 28/* Ultrix mmap can't map files */
111#undef BROKEN_SNPRINTF 29#undef BROKEN_MMAP
112 30
113/* Define if you are on Cygwin */ 31/* Define if your struct dirent expects you to allocate extra space for d_name
114#undef HAVE_CYGWIN 32 */
33#undef BROKEN_ONE_BYTE_DIRENT_D_NAME
115 34
116/* Define if you have a broken realpath. */ 35/* Define if you have a broken realpath. */
117#undef BROKEN_REALPATH 36#undef BROKEN_REALPATH
118 37
119/* Define if you are on NeXT */ 38/* Needed for NeXT */
120#undef HAVE_NEXT 39#undef BROKEN_SAVED_UIDS
121
122/* Define if you want to enable PAM support */
123#undef USE_PAM
124
125/* Define if you want to enable AIX4's authenticate function */
126#undef WITH_AIXAUTHENTICATE
127 40
128/* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */ 41/* Define if your setregid() is broken */
129#undef AIX_LOGINFAILED_4ARG 42#undef BROKEN_SETREGID
130 43
131/* Define if your skeychallenge() function takes 4 arguments (eg NetBSD) */ 44/* Define if your setresgid() is broken */
132#undef SKEYCHALLENGE_4ARG 45#undef BROKEN_SETRESGID
133 46
134/* Define if you have/want arrays (cluster-wide session managment, not C arrays) */ 47/* Define if your setresuid() is broken */
135#undef WITH_IRIX_ARRAY 48#undef BROKEN_SETRESUID
136 49
137/* Define if you want IRIX project management */ 50/* Define if your setreuid() is broken */
138#undef WITH_IRIX_PROJECT 51#undef BROKEN_SETREUID
139 52
140/* Define if you want IRIX audit trails */ 53/* LynxOS has broken setvbuf() implementation */
141#undef WITH_IRIX_AUDIT 54#undef BROKEN_SETVBUF
142 55
143/* Define if you want IRIX kernel jobs */ 56/* Define if your snprintf is busted */
144#undef WITH_IRIX_JOBS 57#undef BROKEN_SNPRINTF
145 58
146/* Location of PRNGD/EGD random number socket */ 59/* updwtmpx is broken (if present) */
147#undef PRNGD_SOCKET 60#undef BROKEN_UPDWTMPX
148 61
149/* Port number of PRNGD/EGD random number socket */ 62/* Define if you have BSD auth support */
150#undef PRNGD_PORT 63#undef BSD_AUTH
151 64
152/* Builtin PRNG command timeout */ 65/* Define if you want to specify the path to your lastlog file */
153#undef ENTROPY_TIMEOUT_MSEC 66#undef CONF_LASTLOG_FILE
154 67
155/* non-privileged user for privilege separation */ 68/* Define if you want to specify the path to your utmpx file */
156#undef SSH_PRIVSEP_USER 69#undef CONF_UTMPX_FILE
157 70
158/* Define if you want to install preformatted manpages.*/ 71/* Define if you want to specify the path to your utmp file */
159#undef MANTYPE 72#undef CONF_UTMP_FILE
160 73
161/* Define if your ssl headers are included with #include <openssl/header.h> */ 74/* Define if you want to specify the path to your wtmpx file */
162#undef HAVE_OPENSSL 75#undef CONF_WTMPX_FILE
163 76
164/* Define if you are linking against RSAref. Used only to print the right 77/* Define if you want to specify the path to your wtmp file */
165 * message at run-time. */ 78#undef CONF_WTMP_FILE
166#undef RSAREF
167 79
168/* struct timeval */ 80/* Define if your platform needs to skip post auth file descriptor passing */
169#undef HAVE_STRUCT_TIMEVAL 81#undef DISABLE_FD_PASSING
170 82
171/* struct utmp and struct utmpx fields */ 83/* Define if you don't want to use lastlog */
172#undef HAVE_HOST_IN_UTMP 84#undef DISABLE_LASTLOG
173#undef HAVE_HOST_IN_UTMPX
174#undef HAVE_ADDR_IN_UTMP
175#undef HAVE_ADDR_IN_UTMPX
176#undef HAVE_ADDR_V6_IN_UTMP
177#undef HAVE_ADDR_V6_IN_UTMPX
178#undef HAVE_SYSLEN_IN_UTMPX
179#undef HAVE_PID_IN_UTMP
180#undef HAVE_TYPE_IN_UTMP
181#undef HAVE_TYPE_IN_UTMPX
182#undef HAVE_TV_IN_UTMP
183#undef HAVE_TV_IN_UTMPX
184#undef HAVE_ID_IN_UTMP
185#undef HAVE_ID_IN_UTMPX
186#undef HAVE_EXIT_IN_UTMP
187#undef HAVE_TIME_IN_UTMP
188#undef HAVE_TIME_IN_UTMPX
189 85
190/* Define if you don't want to use your system's login() call */ 86/* Define if you don't want to use your system's login() call */
191#undef DISABLE_LOGIN 87#undef DISABLE_LOGIN
@@ -196,11 +92,8 @@
196/* Define if you don't want to use pututxline() etc. to write [uw]tmpx */ 92/* Define if you don't want to use pututxline() etc. to write [uw]tmpx */
197#undef DISABLE_PUTUTXLINE 93#undef DISABLE_PUTUTXLINE
198 94
199/* Define if you don't want to use lastlog */ 95/* Define if you want to disable shadow passwords */
200#undef DISABLE_LASTLOG 96#undef DISABLE_SHADOW
201
202/* Define if you don't want to use lastlog in session.c */
203#undef NO_SSH_LASTLOG
204 97
205/* Define if you don't want to use utmp */ 98/* Define if you don't want to use utmp */
206#undef DISABLE_UTMP 99#undef DISABLE_UTMP
@@ -214,159 +107,17 @@
214/* Define if you don't want to use wtmpx */ 107/* Define if you don't want to use wtmpx */
215#undef DISABLE_WTMPX 108#undef DISABLE_WTMPX
216 109
217/* Some systems need a utmpx entry for /bin/login to work */
218#undef LOGIN_NEEDS_UTMPX
219
220/* Some versions of /bin/login need the TERM supplied on the commandline */
221#undef LOGIN_NEEDS_TERM
222
223/* Define if your login program cannot handle end of options ("--") */
224#undef LOGIN_NO_ENDOPT
225
226/* Define if you want to specify the path to your lastlog file */
227#undef CONF_LASTLOG_FILE
228
229/* Define if you want to specify the path to your utmp file */
230#undef CONF_UTMP_FILE
231
232/* Define if you want to specify the path to your wtmp file */
233#undef CONF_WTMP_FILE
234
235/* Define if you want to specify the path to your utmpx file */
236#undef CONF_UTMPX_FILE
237
238/* Define if you want to specify the path to your wtmpx file */
239#undef CONF_WTMPX_FILE
240
241/* Define if you want external askpass support */
242#undef USE_EXTERNAL_ASKPASS
243
244/* Define if libc defines __progname */
245#undef HAVE___PROGNAME
246
247/* Define if compiler implements __FUNCTION__ */
248#undef HAVE___FUNCTION__
249
250/* Define if compiler implements __func__ */
251#undef HAVE___func__
252
253/* Define this is you want GSSAPI support in the version 2 protocol */
254#undef GSSAPI
255
256/* Define if you want Kerberos 5 support */
257#undef KRB5
258
259/* Define this if you are using the Heimdal version of Kerberos V5 */
260#undef HEIMDAL
261
262/* Define this if you want to use libkafs' AFS support */
263#undef USE_AFS
264
265/* Define if you want S/Key support */
266#undef SKEY
267
268/* Define if you want TCP Wrappers support */
269#undef LIBWRAP
270
271/* Define if your libraries define login() */
272#undef HAVE_LOGIN
273
274/* Define if your libraries define daemon() */
275#undef HAVE_DAEMON
276
277/* Define if your libraries define getpagesize() */
278#undef HAVE_GETPAGESIZE
279
280/* Define if xauth is found in your path */
281#undef XAUTH_PATH
282
283/* Define if you want to allow MD5 passwords */
284#undef HAVE_MD5_PASSWORDS
285
286/* Define if you want to disable shadow passwords */
287#undef DISABLE_SHADOW
288
289/* Define if you want to use shadow password expire field */
290#undef HAS_SHADOW_EXPIRE
291
292/* Define if you have Digital Unix Security Integration Architecture */
293#undef HAVE_OSF_SIA
294
295/* Define if you have getpwanam(3) [SunOS 4.x] */
296#undef HAVE_GETPWANAM
297
298/* Define if you have an old version of PAM which takes only one argument */
299/* to pam_strerror */
300#undef HAVE_OLD_PAM
301
302/* Define if you are using Solaris-derived PAM which passes pam_messages */
303/* to the conversation function with an extra level of indirection */
304#undef PAM_SUN_CODEBASE
305
306/* Set this to your mail directory if you don't have maillock.h */
307#undef MAIL_DIRECTORY
308
309/* Data types */
310#undef HAVE_U_INT
311#undef HAVE_INTXX_T
312#undef HAVE_U_INTXX_T
313#undef HAVE_UINTXX_T
314#undef HAVE_INT64_T
315#undef HAVE_U_INT64_T
316#undef HAVE_U_CHAR
317#undef HAVE_SIZE_T
318#undef HAVE_SSIZE_T
319#undef HAVE_CLOCK_T
320#undef HAVE_MODE_T
321#undef HAVE_PID_T
322#undef HAVE_SA_FAMILY_T
323#undef HAVE_STRUCT_SOCKADDR_STORAGE
324#undef HAVE_STRUCT_ADDRINFO
325#undef HAVE_STRUCT_IN6_ADDR
326#undef HAVE_STRUCT_SOCKADDR_IN6
327
328/* Fields in struct sockaddr_storage */
329#undef HAVE_SS_FAMILY_IN_SS
330#undef HAVE___SS_FAMILY_IN_SS
331
332/* Define if you have /dev/ptmx */
333#undef HAVE_DEV_PTMX
334
335/* Define if you have /dev/ptc */
336#undef HAVE_DEV_PTS_AND_PTC
337
338/* Define if you need to use IP address instead of hostname in $DISPLAY */
339#undef IPADDR_IN_DISPLAY
340
341/* Specify default $PATH */
342#undef USER_PATH
343
344/* Specify location of ssh.pid */
345#undef _PATH_SSH_PIDDIR
346
347/* getaddrinfo is broken (if present) */
348#undef BROKEN_GETADDRINFO
349
350/* updwtmpx is broken (if present) */
351#undef BROKEN_UPDWTMPX
352
353/* Workaround more Linux IPv6 quirks */ 110/* Workaround more Linux IPv6 quirks */
354#undef DONT_TRY_OTHER_AF 111#undef DONT_TRY_OTHER_AF
355 112
356/* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */ 113/* Builtin PRNG command timeout */
357#undef IPV4_IN_IPV6 114#undef ENTROPY_TIMEOUT_MSEC
358
359/* Define if you have BSD auth support */
360#undef BSD_AUTH
361
362/* Define if X11 doesn't support AF_UNIX sockets on that system */
363#undef NO_X11_UNIX_SOCKETS
364 115
365/* Define if the concept of ports only accessible to superusers isn't known */ 116/* Define to 1 if the `getpgrp' function requires zero arguments. */
366#undef NO_IPPORT_RESERVED_CONCEPT 117#undef GETPGRP_VOID
367 118
368/* Needed for SCO and NeXT */ 119/* Conflicting defs for getspnam */
369#undef BROKEN_SAVED_UIDS 120#undef GETSPNAM_CONFLICTING_DEFS
370 121
371/* Define if your system glob() function has the GLOB_ALTDIRFUNC extension */ 122/* Define if your system glob() function has the GLOB_ALTDIRFUNC extension */
372#undef GLOB_HAS_ALTDIRFUNC 123#undef GLOB_HAS_ALTDIRFUNC
@@ -374,109 +125,36 @@
374/* Define if your system glob() function has gl_matchc options in glob_t */ 125/* Define if your system glob() function has gl_matchc options in glob_t */
375#undef GLOB_HAS_GL_MATCHC 126#undef GLOB_HAS_GL_MATCHC
376 127
377/* Define in your struct dirent expects you to allocate extra space for d_name */ 128/* Define this if you want GSSAPI support in the version 2 protocol */
378#undef BROKEN_ONE_BYTE_DIRENT_D_NAME 129#undef GSSAPI
379
380/* Define if your system has /etc/default/login */
381#undef HAVE_ETC_DEFAULT_LOGIN
382
383/* Define if your getopt(3) defines and uses optreset */
384#undef HAVE_GETOPT_OPTRESET
385
386/* Define on *nto-qnx systems */
387#undef MISSING_NFDBITS
388
389/* Define on *nto-qnx systems */
390#undef MISSING_HOWMANY
391
392/* Define on *nto-qnx systems */
393#undef MISSING_FD_MASK
394
395/* Define if you want smartcard support */
396#undef SMARTCARD
397
398/* Define if you want smartcard support using sectok */
399#undef USE_SECTOK
400
401/* Define if you want smartcard support using OpenSC */
402#undef USE_OPENSC
403
404/* Define if you want to use OpenSSL's internally seeded PRNG only */
405#undef OPENSSL_PRNG_ONLY
406
407/* Define if you shouldn't strip 'tty' from your ttyname in [uw]tmp */
408#undef WITH_ABBREV_NO_TTY
409
410/* Define if you want a different $PATH for the superuser */
411#undef SUPERUSER_PATH
412
413/* Path that unprivileged child will chroot() to in privep mode */
414#undef PRIVSEP_PATH
415
416/* Define if your platform needs to skip post auth file descriptor passing */
417#undef DISABLE_FD_PASSING
418
419/* Silly mkstemp() */
420#undef HAVE_STRICT_MKSTEMP
421
422/* Some systems put this outside of libc */
423#undef HAVE_NANOSLEEP
424
425/* Define if sshd somehow reacquires a controlling TTY after setsid() */
426#undef SSHD_ACQUIRES_CTTY
427
428/* Define if cmsg_type is not passed correctly */
429#undef BROKEN_CMSG_TYPE
430
431/*
432 * Define to whatever link() returns for "not supported" if it doesn't
433 * return EOPNOTSUPP.
434 */
435#undef LINK_OPNOTSUPP_ERRNO
436
437/* Strings used in /etc/passwd to denote locked account */
438#undef LOCKED_PASSWD_STRING
439#undef LOCKED_PASSWD_PREFIX
440#undef LOCKED_PASSWD_SUBSTR
441
442/* Define if getrrsetbyname() exists */
443#undef HAVE_GETRRSETBYNAME
444
445/* Define if HEADER.ad exists in arpa/nameser.h */
446#undef HAVE_HEADER_AD
447
448/* Define if your resolver libs need this for getrrsetbyname */
449#undef BIND_8_COMPAT
450
451/* Define if you have /proc/$pid/fd */
452#undef HAVE_PROC_PID
453
454
455/* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
456 */
457#undef AIX_GETNAMEINFO_HACK
458 130
459/* getgroups(0,NULL) will return -1 */ 131/* Define if you want to use shadow password expire field */
460#undef BROKEN_GETGROUPS 132#undef HAS_SHADOW_EXPIRE
461 133
462/* ia_uinfo routines not supported by OS yet */ 134/* Define if your system uses access rights style file descriptor passing */
463#undef BROKEN_LIBIAF 135#undef HAVE_ACCRIGHTS_IN_MSGHDR
464 136
465/* Ultrix mmap can't map files */ 137/* Define if you have ut_addr in utmp.h */
466#undef BROKEN_MMAP 138#undef HAVE_ADDR_IN_UTMP
467 139
468/* LynxOS has broken setvbuf() implementation */ 140/* Define if you have ut_addr in utmpx.h */
469#undef BROKEN_SETVBUF 141#undef HAVE_ADDR_IN_UTMPX
470 142
471/* Define to 1 if the `getpgrp' function requires zero arguments. */ 143/* Define if you have ut_addr_v6 in utmp.h */
472#undef GETPGRP_VOID 144#undef HAVE_ADDR_V6_IN_UTMP
473 145
474/* Conflicting defs for getspnam */ 146/* Define if you have ut_addr_v6 in utmpx.h */
475#undef GETSPNAM_CONFLICTING_DEFS 147#undef HAVE_ADDR_V6_IN_UTMPX
476 148
477/* Define to 1 if you have the `arc4random' function. */ 149/* Define to 1 if you have the `arc4random' function. */
478#undef HAVE_ARC4RANDOM 150#undef HAVE_ARC4RANDOM
479 151
152/* Define to 1 if you have the `asprintf' function. */
153#undef HAVE_ASPRINTF
154
155/* OpenBSD's gcc has bounded */
156#undef HAVE_ATTRIBUTE__BOUNDED__
157
480/* OpenBSD's gcc has sentinel */ 158/* OpenBSD's gcc has sentinel */
481#undef HAVE_ATTRIBUTE__SENTINEL__ 159#undef HAVE_ATTRIBUTE__SENTINEL__
482 160
@@ -486,6 +164,9 @@
486/* Define to 1 if you have the `b64_pton' function. */ 164/* Define to 1 if you have the `b64_pton' function. */
487#undef HAVE_B64_PTON 165#undef HAVE_B64_PTON
488 166
167/* Define if you have the basename function. */
168#undef HAVE_BASENAME
169
489/* Define to 1 if you have the `bcopy' function. */ 170/* Define to 1 if you have the `bcopy' function. */
490#undef HAVE_BCOPY 171#undef HAVE_BCOPY
491 172
@@ -501,15 +182,27 @@
501/* Define to 1 if you have the `clock' function. */ 182/* Define to 1 if you have the `clock' function. */
502#undef HAVE_CLOCK 183#undef HAVE_CLOCK
503 184
185/* define if you have clock_t data type */
186#undef HAVE_CLOCK_T
187
504/* Define to 1 if you have the `closefrom' function. */ 188/* Define to 1 if you have the `closefrom' function. */
505#undef HAVE_CLOSEFROM 189#undef HAVE_CLOSEFROM
506 190
507/* Define if gai_strerror() returns const char * */ 191/* Define if gai_strerror() returns const char * */
508#undef HAVE_CONST_GAI_STRERROR_PROTO 192#undef HAVE_CONST_GAI_STRERROR_PROTO
509 193
194/* Define if your system uses ancillary data style file descriptor passing */
195#undef HAVE_CONTROL_IN_MSGHDR
196
510/* Define to 1 if you have the <crypt.h> header file. */ 197/* Define to 1 if you have the <crypt.h> header file. */
511#undef HAVE_CRYPT_H 198#undef HAVE_CRYPT_H
512 199
200/* Define if you are on Cygwin */
201#undef HAVE_CYGWIN
202
203/* Define if your libraries define daemon() */
204#undef HAVE_DAEMON
205
513/* Define to 1 if you have the declaration of `authenticate', and to 0 if you 206/* Define to 1 if you have the declaration of `authenticate', and to 0 if you
514 don't. */ 207 don't. */
515#undef HAVE_DECL_AUTHENTICATE 208#undef HAVE_DECL_AUTHENTICATE
@@ -546,6 +239,12 @@
546 don't. */ 239 don't. */
547#undef HAVE_DECL__GETSHORT 240#undef HAVE_DECL__GETSHORT
548 241
242/* Define if you have /dev/ptmx */
243#undef HAVE_DEV_PTMX
244
245/* Define if you have /dev/ptc */
246#undef HAVE_DEV_PTS_AND_PTC
247
549/* Define to 1 if you have the <dirent.h> header file. */ 248/* Define to 1 if you have the <dirent.h> header file. */
550#undef HAVE_DIRENT_H 249#undef HAVE_DIRENT_H
551 250
@@ -564,6 +263,12 @@
564/* Define to 1 if you have the `endutxent' function. */ 263/* Define to 1 if you have the `endutxent' function. */
565#undef HAVE_ENDUTXENT 264#undef HAVE_ENDUTXENT
566 265
266/* Define if your system has /etc/default/login */
267#undef HAVE_ETC_DEFAULT_LOGIN
268
269/* Define if you have ut_exit in utmp.h */
270#undef HAVE_EXIT_IN_UTMP
271
567/* Define to 1 if you have the `fchmod' function. */ 272/* Define to 1 if you have the `fchmod' function. */
568#undef HAVE_FCHMOD 273#undef HAVE_FCHMOD
569 274
@@ -612,6 +317,12 @@
612/* Define to 1 if you have the <getopt.h> header file. */ 317/* Define to 1 if you have the <getopt.h> header file. */
613#undef HAVE_GETOPT_H 318#undef HAVE_GETOPT_H
614 319
320/* Define if your getopt(3) defines and uses optreset */
321#undef HAVE_GETOPT_OPTRESET
322
323/* Define if your libraries define getpagesize() */
324#undef HAVE_GETPAGESIZE
325
615/* Define to 1 if you have the `getpeereid' function. */ 326/* Define to 1 if you have the `getpeereid' function. */
616#undef HAVE_GETPEEREID 327#undef HAVE_GETPEEREID
617 328
@@ -621,6 +332,9 @@
621/* Define to 1 if you have the `getrlimit' function. */ 332/* Define to 1 if you have the `getrlimit' function. */
622#undef HAVE_GETRLIMIT 333#undef HAVE_GETRLIMIT
623 334
335/* Define if getrrsetbyname() exists */
336#undef HAVE_GETRRSETBYNAME
337
624/* Define to 1 if you have the `getrusage' function. */ 338/* Define to 1 if you have the `getrusage' function. */
625#undef HAVE_GETRUSAGE 339#undef HAVE_GETRUSAGE
626 340
@@ -672,12 +386,27 @@
672/* Define to 1 if you have the <gssapi_krb5.h> header file. */ 386/* Define to 1 if you have the <gssapi_krb5.h> header file. */
673#undef HAVE_GSSAPI_KRB5_H 387#undef HAVE_GSSAPI_KRB5_H
674 388
389/* Define if HEADER.ad exists in arpa/nameser.h */
390#undef HAVE_HEADER_AD
391
392/* Define if you have ut_host in utmp.h */
393#undef HAVE_HOST_IN_UTMP
394
395/* Define if you have ut_host in utmpx.h */
396#undef HAVE_HOST_IN_UTMPX
397
675/* Define to 1 if you have the <iaf.h> header file. */ 398/* Define to 1 if you have the <iaf.h> header file. */
676#undef HAVE_IAF_H 399#undef HAVE_IAF_H
677 400
678/* Define to 1 if you have the <ia.h> header file. */ 401/* Define to 1 if you have the <ia.h> header file. */
679#undef HAVE_IA_H 402#undef HAVE_IA_H
680 403
404/* Define if you have ut_id in utmp.h */
405#undef HAVE_ID_IN_UTMP
406
407/* Define if you have ut_id in utmpx.h */
408#undef HAVE_ID_IN_UTMPX
409
681/* Define to 1 if you have the `inet_aton' function. */ 410/* Define to 1 if you have the `inet_aton' function. */
682#undef HAVE_INET_ATON 411#undef HAVE_INET_ATON
683 412
@@ -690,9 +419,15 @@
690/* Define to 1 if you have the `innetgr' function. */ 419/* Define to 1 if you have the `innetgr' function. */
691#undef HAVE_INNETGR 420#undef HAVE_INNETGR
692 421
422/* define if you have int64_t data type */
423#undef HAVE_INT64_T
424
693/* Define to 1 if you have the <inttypes.h> header file. */ 425/* Define to 1 if you have the <inttypes.h> header file. */
694#undef HAVE_INTTYPES_H 426#undef HAVE_INTTYPES_H
695 427
428/* define if you have intxx_t data type */
429#undef HAVE_INTXX_T
430
696/* Define to 1 if the system has the type `in_addr_t'. */ 431/* Define to 1 if the system has the type `in_addr_t'. */
697#undef HAVE_IN_ADDR_T 432#undef HAVE_IN_ADDR_T
698 433
@@ -738,6 +473,12 @@
738/* Define to 1 if you have the <limits.h> header file. */ 473/* Define to 1 if you have the <limits.h> header file. */
739#undef HAVE_LIMITS_H 474#undef HAVE_LIMITS_H
740 475
476/* Define to 1 if you have the <linux/if_tun.h> header file. */
477#undef HAVE_LINUX_IF_TUN_H
478
479/* Define if your libraries define login() */
480#undef HAVE_LOGIN
481
741/* Define to 1 if you have the <login_cap.h> header file. */ 482/* Define to 1 if you have the <login_cap.h> header file. */
742#undef HAVE_LOGIN_CAP_H 483#undef HAVE_LOGIN_CAP_H
743 484
@@ -753,12 +494,21 @@
753/* Define to 1 if you have the `logwtmp' function. */ 494/* Define to 1 if you have the `logwtmp' function. */
754#undef HAVE_LOGWTMP 495#undef HAVE_LOGWTMP
755 496
497/* Define to 1 if the system has the type `long double'. */
498#undef HAVE_LONG_DOUBLE
499
500/* Define to 1 if the system has the type `long long'. */
501#undef HAVE_LONG_LONG
502
756/* Define to 1 if you have the <maillock.h> header file. */ 503/* Define to 1 if you have the <maillock.h> header file. */
757#undef HAVE_MAILLOCK_H 504#undef HAVE_MAILLOCK_H
758 505
759/* Define to 1 if you have the `md5_crypt' function. */ 506/* Define to 1 if you have the `md5_crypt' function. */
760#undef HAVE_MD5_CRYPT 507#undef HAVE_MD5_CRYPT
761 508
509/* Define if you want to allow MD5 passwords */
510#undef HAVE_MD5_PASSWORDS
511
762/* Define to 1 if you have the `memmove' function. */ 512/* Define to 1 if you have the `memmove' function. */
763#undef HAVE_MEMMOVE 513#undef HAVE_MEMMOVE
764 514
@@ -771,6 +521,12 @@
771/* Define to 1 if you have the `mmap' function. */ 521/* Define to 1 if you have the `mmap' function. */
772#undef HAVE_MMAP 522#undef HAVE_MMAP
773 523
524/* define if you have mode_t data type */
525#undef HAVE_MODE_T
526
527/* Some systems put nanosleep outside of libc */
528#undef HAVE_NANOSLEEP
529
774/* Define to 1 if you have the <ndir.h> header file. */ 530/* Define to 1 if you have the <ndir.h> header file. */
775#undef HAVE_NDIR_H 531#undef HAVE_NDIR_H
776 532
@@ -780,8 +536,8 @@
780/* Define to 1 if you have the <netgroup.h> header file. */ 536/* Define to 1 if you have the <netgroup.h> header file. */
781#undef HAVE_NETGROUP_H 537#undef HAVE_NETGROUP_H
782 538
783/* Define to 1 if you have the <netinet/in_systm.h> header file. */ 539/* Define if you are on NeXT */
784#undef HAVE_NETINET_IN_SYSTM_H 540#undef HAVE_NEXT
785 541
786/* Define to 1 if you have the `ngetaddrinfo' function. */ 542/* Define to 1 if you have the `ngetaddrinfo' function. */
787#undef HAVE_NGETADDRINFO 543#undef HAVE_NGETADDRINFO
@@ -792,12 +548,22 @@
792/* Define to 1 if you have the `ogetaddrinfo' function. */ 548/* Define to 1 if you have the `ogetaddrinfo' function. */
793#undef HAVE_OGETADDRINFO 549#undef HAVE_OGETADDRINFO
794 550
551/* Define if you have an old version of PAM which takes only one argument to
552 pam_strerror */
553#undef HAVE_OLD_PAM
554
795/* Define to 1 if you have the `openlog_r' function. */ 555/* Define to 1 if you have the `openlog_r' function. */
796#undef HAVE_OPENLOG_R 556#undef HAVE_OPENLOG_R
797 557
798/* Define to 1 if you have the `openpty' function. */ 558/* Define to 1 if you have the `openpty' function. */
799#undef HAVE_OPENPTY 559#undef HAVE_OPENPTY
800 560
561/* Define if your ssl headers are included with #include <openssl/header.h> */
562#undef HAVE_OPENSSL
563
564/* Define if you have Digital Unix Security Integration Architecture */
565#undef HAVE_OSF_SIA
566
801/* Define to 1 if you have the `pam_getenvlist' function. */ 567/* Define to 1 if you have the `pam_getenvlist' function. */
802#undef HAVE_PAM_GETENVLIST 568#undef HAVE_PAM_GETENVLIST
803 569
@@ -810,9 +576,18 @@
810/* Define to 1 if you have the <paths.h> header file. */ 576/* Define to 1 if you have the <paths.h> header file. */
811#undef HAVE_PATHS_H 577#undef HAVE_PATHS_H
812 578
579/* Define if you have ut_pid in utmp.h */
580#undef HAVE_PID_IN_UTMP
581
582/* define if you have pid_t data type */
583#undef HAVE_PID_T
584
813/* Define to 1 if you have the `prctl' function. */ 585/* Define to 1 if you have the `prctl' function. */
814#undef HAVE_PRCTL 586#undef HAVE_PRCTL
815 587
588/* Define if you have /proc/$pid/fd */
589#undef HAVE_PROC_PID
590
816/* Define to 1 if you have the `pstat' function. */ 591/* Define to 1 if you have the `pstat' function. */
817#undef HAVE_PSTAT 592#undef HAVE_PSTAT
818 593
@@ -825,6 +600,15 @@
825/* Define to 1 if you have the `pututxline' function. */ 600/* Define to 1 if you have the `pututxline' function. */
826#undef HAVE_PUTUTXLINE 601#undef HAVE_PUTUTXLINE
827 602
603/* Define if your password has a pw_change field */
604#undef HAVE_PW_CHANGE_IN_PASSWD
605
606/* Define if your password has a pw_class field */
607#undef HAVE_PW_CLASS_IN_PASSWD
608
609/* Define if your password has a pw_expire field */
610#undef HAVE_PW_EXPIRE_IN_PASSWD
611
828/* Define to 1 if you have the `readpassphrase' function. */ 612/* Define to 1 if you have the `readpassphrase' function. */
829#undef HAVE_READPASSPHRASE 613#undef HAVE_READPASSPHRASE
830 614
@@ -843,9 +627,15 @@
843/* Define to 1 if you have the `rresvport_af' function. */ 627/* Define to 1 if you have the `rresvport_af' function. */
844#undef HAVE_RRESVPORT_AF 628#undef HAVE_RRESVPORT_AF
845 629
630/* define if you have sa_family_t data type */
631#undef HAVE_SA_FAMILY_T
632
846/* Define to 1 if you have the <sectok.h> header file. */ 633/* Define to 1 if you have the <sectok.h> header file. */
847#undef HAVE_SECTOK_H 634#undef HAVE_SECTOK_H
848 635
636/* Define if you have SecureWare-based protected password database */
637#undef HAVE_SECUREWARE
638
849/* Define to 1 if you have the <security/pam_appl.h> header file. */ 639/* Define to 1 if you have the <security/pam_appl.h> header file. */
850#undef HAVE_SECURITY_PAM_APPL_H 640#undef HAVE_SECURITY_PAM_APPL_H
851 641
@@ -924,6 +714,9 @@
924/* Define to 1 if the system has the type `sig_atomic_t'. */ 714/* Define to 1 if the system has the type `sig_atomic_t'. */
925#undef HAVE_SIG_ATOMIC_T 715#undef HAVE_SIG_ATOMIC_T
926 716
717/* define if you have size_t data type */
718#undef HAVE_SIZE_T
719
927/* Define to 1 if you have the `snprintf' function. */ 720/* Define to 1 if you have the `snprintf' function. */
928#undef HAVE_SNPRINTF 721#undef HAVE_SNPRINTF
929 722
@@ -933,6 +726,12 @@
933/* Have PEERCRED socket option */ 726/* Have PEERCRED socket option */
934#undef HAVE_SO_PEERCRED 727#undef HAVE_SO_PEERCRED
935 728
729/* define if you have ssize_t data type */
730#undef HAVE_SSIZE_T
731
732/* Fields in struct sockaddr_storage */
733#undef HAVE_SS_FAMILY_IN_SS
734
936/* Define to 1 if you have the <stddef.h> header file. */ 735/* Define to 1 if you have the <stddef.h> header file. */
937#undef HAVE_STDDEF_H 736#undef HAVE_STDDEF_H
938 737
@@ -951,6 +750,9 @@
951/* Define to 1 if you have the `strftime' function. */ 750/* Define to 1 if you have the `strftime' function. */
952#undef HAVE_STRFTIME 751#undef HAVE_STRFTIME
953 752
753/* Silly mkstemp() */
754#undef HAVE_STRICT_MKSTEMP
755
954/* Define to 1 if you have the <strings.h> header file. */ 756/* Define to 1 if you have the <strings.h> header file. */
955#undef HAVE_STRINGS_H 757#undef HAVE_STRINGS_H
956 758
@@ -981,15 +783,33 @@
981/* Define to 1 if you have the `strtoul' function. */ 783/* Define to 1 if you have the `strtoul' function. */
982#undef HAVE_STRTOUL 784#undef HAVE_STRTOUL
983 785
786/* define if you have struct addrinfo data type */
787#undef HAVE_STRUCT_ADDRINFO
788
789/* define if you have struct in6_addr data type */
790#undef HAVE_STRUCT_IN6_ADDR
791
792/* define if you have struct sockaddr_in6 data type */
793#undef HAVE_STRUCT_SOCKADDR_IN6
794
795/* define if you have struct sockaddr_storage data type */
796#undef HAVE_STRUCT_SOCKADDR_STORAGE
797
984/* Define to 1 if `st_blksize' is member of `struct stat'. */ 798/* Define to 1 if `st_blksize' is member of `struct stat'. */
985#undef HAVE_STRUCT_STAT_ST_BLKSIZE 799#undef HAVE_STRUCT_STAT_ST_BLKSIZE
986 800
987/* Define to 1 if the system has the type `struct timespec'. */ 801/* Define to 1 if the system has the type `struct timespec'. */
988#undef HAVE_STRUCT_TIMESPEC 802#undef HAVE_STRUCT_TIMESPEC
989 803
804/* define if you have struct timeval */
805#undef HAVE_STRUCT_TIMEVAL
806
990/* Define to 1 if you have the `sysconf' function. */ 807/* Define to 1 if you have the `sysconf' function. */
991#undef HAVE_SYSCONF 808#undef HAVE_SYSCONF
992 809
810/* Define if you have syslen in utmpx.h */
811#undef HAVE_SYSLEN_IN_UTMPX
812
993/* Define to 1 if you have the <sys/audit.h> header file. */ 813/* Define to 1 if you have the <sys/audit.h> header file. */
994#undef HAVE_SYS_AUDIT_H 814#undef HAVE_SYS_AUDIT_H
995 815
@@ -1005,12 +825,18 @@
1005/* Define to 1 if you have the <sys/dir.h> header file. */ 825/* Define to 1 if you have the <sys/dir.h> header file. */
1006#undef HAVE_SYS_DIR_H 826#undef HAVE_SYS_DIR_H
1007 827
828/* Define if your system defines sys_errlist[] */
829#undef HAVE_SYS_ERRLIST
830
1008/* Define to 1 if you have the <sys/mman.h> header file. */ 831/* Define to 1 if you have the <sys/mman.h> header file. */
1009#undef HAVE_SYS_MMAN_H 832#undef HAVE_SYS_MMAN_H
1010 833
1011/* Define to 1 if you have the <sys/ndir.h> header file. */ 834/* Define to 1 if you have the <sys/ndir.h> header file. */
1012#undef HAVE_SYS_NDIR_H 835#undef HAVE_SYS_NDIR_H
1013 836
837/* Define if your system defines sys_nerr */
838#undef HAVE_SYS_NERR
839
1014/* Define to 1 if you have the <sys/prctl.h> header file. */ 840/* Define to 1 if you have the <sys/prctl.h> header file. */
1015#undef HAVE_SYS_PRCTL_H 841#undef HAVE_SYS_PRCTL_H
1016 842
@@ -1065,6 +891,12 @@
1065/* Define to 1 if you have the <time.h> header file. */ 891/* Define to 1 if you have the <time.h> header file. */
1066#undef HAVE_TIME_H 892#undef HAVE_TIME_H
1067 893
894/* Define if you have ut_time in utmp.h */
895#undef HAVE_TIME_IN_UTMP
896
897/* Define if you have ut_time in utmpx.h */
898#undef HAVE_TIME_IN_UTMPX
899
1068/* Define to 1 if you have the <tmpdir.h> header file. */ 900/* Define to 1 if you have the <tmpdir.h> header file. */
1069#undef HAVE_TMPDIR_H 901#undef HAVE_TMPDIR_H
1070 902
@@ -1074,12 +906,30 @@
1074/* Define to 1 if you have the <ttyent.h> header file. */ 906/* Define to 1 if you have the <ttyent.h> header file. */
1075#undef HAVE_TTYENT_H 907#undef HAVE_TTYENT_H
1076 908
909/* Define if you have ut_tv in utmp.h */
910#undef HAVE_TV_IN_UTMP
911
912/* Define if you have ut_tv in utmpx.h */
913#undef HAVE_TV_IN_UTMPX
914
915/* Define if you have ut_type in utmp.h */
916#undef HAVE_TYPE_IN_UTMP
917
918/* Define if you have ut_type in utmpx.h */
919#undef HAVE_TYPE_IN_UTMPX
920
921/* define if you have uintxx_t data type */
922#undef HAVE_UINTXX_T
923
1077/* Define to 1 if you have the <unistd.h> header file. */ 924/* Define to 1 if you have the <unistd.h> header file. */
1078#undef HAVE_UNISTD_H 925#undef HAVE_UNISTD_H
1079 926
1080/* Define to 1 if you have the `unsetenv' function. */ 927/* Define to 1 if you have the `unsetenv' function. */
1081#undef HAVE_UNSETENV 928#undef HAVE_UNSETENV
1082 929
930/* Define to 1 if the system has the type `unsigned long long'. */
931#undef HAVE_UNSIGNED_LONG_LONG
932
1083/* Define to 1 if you have the `updwtmp' function. */ 933/* Define to 1 if you have the `updwtmp' function. */
1084#undef HAVE_UPDWTMP 934#undef HAVE_UPDWTMP
1085 935
@@ -1110,6 +960,24 @@
1110/* Define to 1 if you have the <utmp.h> header file. */ 960/* Define to 1 if you have the <utmp.h> header file. */
1111#undef HAVE_UTMP_H 961#undef HAVE_UTMP_H
1112 962
963/* define if you have u_char data type */
964#undef HAVE_U_CHAR
965
966/* define if you have u_int data type */
967#undef HAVE_U_INT
968
969/* define if you have u_int64_t data type */
970#undef HAVE_U_INT64_T
971
972/* define if you have u_intxx_t data type */
973#undef HAVE_U_INTXX_T
974
975/* Define to 1 if you have the `vasprintf' function. */
976#undef HAVE_VASPRINTF
977
978/* Define if va_copy exists */
979#undef HAVE_VA_COPY
980
1113/* Define to 1 if you have the `vhangup' function. */ 981/* Define to 1 if you have the `vhangup' function. */
1114#undef HAVE_VHANGUP 982#undef HAVE_VHANGUP
1115 983
@@ -1137,14 +1005,100 @@
1137/* Define to 1 if you have the `__b64_pton' function. */ 1005/* Define to 1 if you have the `__b64_pton' function. */
1138#undef HAVE___B64_PTON 1006#undef HAVE___B64_PTON
1139 1007
1008/* Define if compiler implements __FUNCTION__ */
1009#undef HAVE___FUNCTION__
1010
1011/* Define if libc defines __progname */
1012#undef HAVE___PROGNAME
1013
1014/* Fields in struct sockaddr_storage */
1015#undef HAVE___SS_FAMILY_IN_SS
1016
1017/* Define if __va_copy exists */
1018#undef HAVE___VA_COPY
1019
1020/* Define if compiler implements __func__ */
1021#undef HAVE___func__
1022
1023/* Define this if you are using the Heimdal version of Kerberos V5 */
1024#undef HEIMDAL
1025
1026/* Define if you need to use IP address instead of hostname in $DISPLAY */
1027#undef IPADDR_IN_DISPLAY
1028
1029/* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */
1030#undef IPV4_IN_IPV6
1031
1032/* Define if your system choked on IP TOS setting */
1033#undef IP_TOS_IS_BROKEN
1034
1035/* Define if you want Kerberos 5 support */
1036#undef KRB5
1037
1038/* Define if you want TCP Wrappers support */
1039#undef LIBWRAP
1040
1041/* Define to whatever link() returns for "not supported" if it doesn't return
1042 EOPNOTSUPP. */
1043#undef LINK_OPNOTSUPP_ERRNO
1044
1140/* max value of long long calculated by configure */ 1045/* max value of long long calculated by configure */
1141#undef LLONG_MAX 1046#undef LLONG_MAX
1142 1047
1143/* min value of long long calculated by configure */ 1048/* min value of long long calculated by configure */
1144#undef LLONG_MIN 1049#undef LLONG_MIN
1145 1050
1051/* Account locked with pw(1) */
1052#undef LOCKED_PASSWD_PREFIX
1053
1054/* String used in /etc/passwd to denote locked account */
1055#undef LOCKED_PASSWD_STRING
1056
1057/* String used in /etc/passwd to denote locked account */
1058#undef LOCKED_PASSWD_SUBSTR
1059
1060/* Some versions of /bin/login need the TERM supplied on the commandline */
1061#undef LOGIN_NEEDS_TERM
1062
1063/* Some systems need a utmpx entry for /bin/login to work */
1064#undef LOGIN_NEEDS_UTMPX
1065
1066/* Define if your login program cannot handle end of options ("--") */
1067#undef LOGIN_NO_ENDOPT
1068
1069/* If your header files don't define LOGIN_PROGRAM, then use this (detected)
1070 from environment and PATH */
1071#undef LOGIN_PROGRAM_FALLBACK
1072
1073/* Set this to your mail directory if you don't have maillock.h */
1074#undef MAIL_DIRECTORY
1075
1076/* Define on *nto-qnx systems */
1077#undef MISSING_FD_MASK
1078
1079/* Define on *nto-qnx systems */
1080#undef MISSING_HOWMANY
1081
1082/* Define on *nto-qnx systems */
1083#undef MISSING_NFDBITS
1084
1146/* Need setpgrp to acquire controlling tty */ 1085/* Need setpgrp to acquire controlling tty */
1147#undef NEED_SETPRGP 1086#undef NEED_SETPGRP
1087
1088/* Define if the concept of ports only accessible to superusers isn't known */
1089#undef NO_IPPORT_RESERVED_CONCEPT
1090
1091/* Define if you don't want to use lastlog in session.c */
1092#undef NO_SSH_LASTLOG
1093
1094/* Define if X11 doesn't support AF_UNIX sockets on that system */
1095#undef NO_X11_UNIX_SOCKETS
1096
1097/* libcrypto is missing AES 192 and 256 bit functions */
1098#undef OPENSSL_LOBOTOMISED_AES
1099
1100/* Define if you want OpenSSL's internally seeded PRNG only */
1101#undef OPENSSL_PRNG_ONLY
1148 1102
1149/* Define to the address where bug reports for this package should be sent. */ 1103/* Define to the address where bug reports for this package should be sent. */
1150#undef PACKAGE_BUGREPORT 1104#undef PACKAGE_BUGREPORT
@@ -1161,9 +1115,25 @@
1161/* Define to the version of this package. */ 1115/* Define to the version of this package. */
1162#undef PACKAGE_VERSION 1116#undef PACKAGE_VERSION
1163 1117
1118/* Define if you are using Solaris-derived PAM which passes pam_messages to
1119 the conversation function with an extra level of indirection */
1120#undef PAM_SUN_CODEBASE
1121
1122/* Work around problematic Linux PAM modules handling of PAM_TTY */
1123#undef PAM_TTY_KLUDGE
1124
1164/* must supply username to passwd */ 1125/* must supply username to passwd */
1165#undef PASSWD_NEEDS_USERNAME 1126#undef PASSWD_NEEDS_USERNAME
1166 1127
1128/* Port number of PRNGD/EGD random number socket */
1129#undef PRNGD_PORT
1130
1131/* Location of PRNGD/EGD random number socket */
1132#undef PRNGD_SOCKET
1133
1134/* Define if your platform breaks doing a seteuid before a setuid */
1135#undef SETEUID_BREAKS_SETUID
1136
1167/* The size of a `char', as computed by sizeof. */ 1137/* The size of a `char', as computed by sizeof. */
1168#undef SIZEOF_CHAR 1138#undef SIZEOF_CHAR
1169 1139
@@ -1179,15 +1149,67 @@
1179/* The size of a `short int', as computed by sizeof. */ 1149/* The size of a `short int', as computed by sizeof. */
1180#undef SIZEOF_SHORT_INT 1150#undef SIZEOF_SHORT_INT
1181 1151
1152/* Define if you want S/Key support */
1153#undef SKEY
1154
1155/* Define if your skeychallenge() function takes 4 arguments (NetBSD) */
1156#undef SKEYCHALLENGE_4ARG
1157
1158/* Define if you want smartcard support */
1159#undef SMARTCARD
1160
1161/* Define as const if snprintf() can declare const char *fmt */
1162#undef SNPRINTF_CONST
1163
1164/* Define to a Set Process Title type if your system is supported by
1165 bsd-setproctitle.c */
1166#undef SPT_TYPE
1167
1168/* Define if sshd somehow reacquires a controlling TTY after setsid() */
1169#undef SSHD_ACQUIRES_CTTY
1170
1171/* Define if pam_chauthtok wants real uid set to the unpriv'ed user */
1172#undef SSHPAM_CHAUTHTOK_NEEDS_RUID
1173
1182/* Use audit debugging module */ 1174/* Use audit debugging module */
1183#undef SSH_AUDIT_EVENTS 1175#undef SSH_AUDIT_EVENTS
1184 1176
1177/* non-privileged user for privilege separation */
1178#undef SSH_PRIVSEP_USER
1179
1180/* Use tunnel device compatibility to OpenBSD */
1181#undef SSH_TUN_COMPAT_AF
1182
1183/* Open tunnel devices the FreeBSD way */
1184#undef SSH_TUN_FREEBSD
1185
1186/* Open tunnel devices the Linux tun/tap way */
1187#undef SSH_TUN_LINUX
1188
1189/* No layer 2 tunnel support */
1190#undef SSH_TUN_NO_L2
1191
1192/* Open tunnel devices the OpenBSD way */
1193#undef SSH_TUN_OPENBSD
1194
1195/* Prepend the address family to IP tunnel traffic */
1196#undef SSH_TUN_PREPEND_AF
1197
1185/* Define to 1 if you have the ANSI C header files. */ 1198/* Define to 1 if you have the ANSI C header files. */
1186#undef STDC_HEADERS 1199#undef STDC_HEADERS
1187 1200
1201/* Define if you want a different $PATH for the superuser */
1202#undef SUPERUSER_PATH
1203
1188/* Support passwords > 8 chars */ 1204/* Support passwords > 8 chars */
1189#undef UNIXWARE_LONG_PASSWORDS 1205#undef UNIXWARE_LONG_PASSWORDS
1190 1206
1207/* Specify default $PATH */
1208#undef USER_PATH
1209
1210/* Define this if you want to use libkafs' AFS support */
1211#undef USE_AFS
1212
1191/* Use BSM audit module */ 1213/* Use BSM audit module */
1192#undef USE_BSM_AUDIT 1214#undef USE_BSM_AUDIT
1193 1215
@@ -1197,13 +1219,44 @@
1197/* Use libedit for sftp */ 1219/* Use libedit for sftp */
1198#undef USE_LIBEDIT 1220#undef USE_LIBEDIT
1199 1221
1200/* Define if you want SELinux support. */ 1222/* Define if you want smartcard support using OpenSC */
1201#undef WITH_SELINUX 1223#undef USE_OPENSC
1224
1225/* Define if you want to enable PAM support */
1226#undef USE_PAM
1227
1228/* Use PIPES instead of a socketpair() */
1229#undef USE_PIPES
1230
1231/* Define if you want smartcard support using sectok */
1232#undef USE_SECTOK
1233
1234/* Define if you shouldn't strip 'tty' from your ttyname in [uw]tmp */
1235#undef WITH_ABBREV_NO_TTY
1236
1237/* Define if you want to enable AIX4's authenticate function */
1238#undef WITH_AIXAUTHENTICATE
1239
1240/* Define if you have/want arrays (cluster-wide session managment, not C
1241 arrays) */
1242#undef WITH_IRIX_ARRAY
1243
1244/* Define if you want IRIX audit trails */
1245#undef WITH_IRIX_AUDIT
1246
1247/* Define if you want IRIX kernel jobs */
1248#undef WITH_IRIX_JOBS
1249
1250/* Define if you want IRIX project management */
1251#undef WITH_IRIX_PROJECT
1202 1252
1203/* Define to 1 if your processor stores words with the most significant byte 1253/* Define to 1 if your processor stores words with the most significant byte
1204 first (like Motorola and SPARC, unlike Intel and VAX). */ 1254 first (like Motorola and SPARC, unlike Intel and VAX). */
1205#undef WORDS_BIGENDIAN 1255#undef WORDS_BIGENDIAN
1206 1256
1257/* Define if xauth is found in your path */
1258#undef XAUTH_PATH
1259
1207/* Number of bits in a file offset, on hosts where this is settable. */ 1260/* Number of bits in a file offset, on hosts where this is settable. */
1208#undef _FILE_OFFSET_BITS 1261#undef _FILE_OFFSET_BITS
1209 1262
@@ -1213,6 +1266,15 @@
1213/* log for bad login attempts */ 1266/* log for bad login attempts */
1214#undef _PATH_BTMP 1267#undef _PATH_BTMP
1215 1268
1269/* Full path of your "passwd" program */
1270#undef _PATH_PASSWD_PROG
1271
1272/* Specify location of ssh.pid */
1273#undef _PATH_SSH_PIDDIR
1274
1275/* Define if we don't have struct __res_state in resolv.h */
1276#undef __res_state
1277
1216/* Define to `__inline__' or `__inline' if that's what the C compiler 1278/* Define to `__inline__' or `__inline' if that's what the C compiler
1217 calls it, or to nothing if 'inline' is not supported under any name. */ 1279 calls it, or to nothing if 'inline' is not supported under any name. */
1218#ifndef __cplusplus 1280#ifndef __cplusplus
@@ -1221,7 +1283,3 @@
1221 1283
1222/* type to use in place of socklen_t if not defined */ 1284/* type to use in place of socklen_t if not defined */
1223#undef socklen_t 1285#undef socklen_t
1224
1225/* ******************* Shouldn't need to edit below this line ************** */
1226
1227#endif /* _CONFIG_H */
diff --git a/configure b/configure
index bc27b88c2..552acba68 100755
--- a/configure
+++ b/configure
@@ -1,4 +1,5 @@
1#! /bin/sh 1#! /bin/sh
2# From configure.ac Revision: 1.322.2.6 .
2# Guess values for system-dependent variables and create Makefiles. 3# Guess values for system-dependent variables and create Makefiles.
3# Generated by GNU Autoconf 2.59 for OpenSSH Portable. 4# Generated by GNU Autoconf 2.59 for OpenSSH Portable.
4# 5#
@@ -311,7 +312,7 @@ ac_includes_default="\
311# include <unistd.h> 312# include <unistd.h>
312#endif" 313#endif"
313 314
314ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT build build_cpu build_vendor build_os host host_cpu host_vendor host_os AWK CPP RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA AR CAT KILL PERL SED ENT TEST_MINUS_S_SH SH TEST_SHELL PATH_GROUPADD_PROG PATH_USERADD_PROG MAKE_PACKAGE_SUPPORTED LOGIN_PROGRAM_FALLBACK PATH_PASSWD_PROG LD EGREP LIBWRAP LIBEDIT LIBPAM INSTALL_SSH_RAND_HELPER SSH_PRIVSEP_USER PROG_LS PROG_NETSTAT PROG_ARP PROG_IFCONFIG PROG_JSTAT PROG_PS PROG_SAR PROG_W PROG_WHO PROG_LAST PROG_LASTLOG PROG_DF PROG_VMSTAT PROG_UPTIME PROG_IPCS PROG_TAIL INSTALL_SSH_PRNG_CMDS OPENSC_CONFIG PRIVSEP_PATH xauth_path STRIP_OPT XAUTH_PATH NROFF MANTYPE mansubdir user_path piddir LIBOBJS LTLIBOBJS' 315ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT build build_cpu build_vendor build_os host host_cpu host_vendor host_os AWK CPP RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA EGREP AR CAT KILL PERL SED ENT TEST_MINUS_S_SH SH TEST_SHELL PATH_GROUPADD_PROG PATH_USERADD_PROG MAKE_PACKAGE_SUPPORTED STARTUP_SCRIPT_SHELL LOGIN_PROGRAM_FALLBACK PATH_PASSWD_PROG LD LIBWRAP LIBEDIT LIBPAM INSTALL_SSH_RAND_HELPER SSH_PRIVSEP_USER PROG_LS PROG_NETSTAT PROG_ARP PROG_IFCONFIG PROG_JSTAT PROG_PS PROG_SAR PROG_W PROG_WHO PROG_LAST PROG_LASTLOG PROG_DF PROG_VMSTAT 
PROG_UPTIME PROG_IPCS PROG_TAIL INSTALL_SSH_PRNG_CMDS OPENSC_CONFIG PRIVSEP_PATH xauth_path STRIP_OPT XAUTH_PATH NROFF MANTYPE mansubdir user_path piddir LIBOBJS LTLIBOBJS'
315ac_subst_files='' 316ac_subst_files=''
316 317
317# Initialize some variables set by options. 318# Initialize some variables set by options.
@@ -884,7 +885,7 @@ Optional Packages:
884 --with-entropy-timeout Specify entropy gathering command timeout (msec) 885 --with-entropy-timeout Specify entropy gathering command timeout (msec)
885 --with-privsep-user=user Specify non-privileged user for privilege separation 886 --with-privsep-user=user Specify non-privileged user for privilege separation
886 --with-sectok Enable smartcard support using libsectok 887 --with-sectok Enable smartcard support using libsectok
887--with-opensc[=PFX] Enable smartcard support using OpenSC (optionally in PATH) 888 --with-opensc[=PFX] Enable smartcard support using OpenSC (optionally in PATH)
888 --with-selinux Enable SELinux support 889 --with-selinux Enable SELinux support
889 --with-kerberos5=PATH Enable Kerberos 5 support 890 --with-kerberos5=PATH Enable Kerberos 5 support
890 --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty) 891 --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
@@ -1360,6 +1361,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
1360 1361
1361 1362
1362 1363
1364
1363 ac_config_headers="$ac_config_headers config.h" 1365 ac_config_headers="$ac_config_headers config.h"
1364 1366
1365ac_ext=c 1367ac_ext=c
@@ -3028,6 +3030,21 @@ test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
3028 3030
3029test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' 3031test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
3030 3032
3033echo "$as_me:$LINENO: checking for egrep" >&5
3034echo $ECHO_N "checking for egrep... $ECHO_C" >&6
3035if test "${ac_cv_prog_egrep+set}" = set; then
3036 echo $ECHO_N "(cached) $ECHO_C" >&6
3037else
3038 if echo a | (grep -E '(a|b)') >/dev/null 2>&1
3039 then ac_cv_prog_egrep='grep -E'
3040 else ac_cv_prog_egrep='egrep'
3041 fi
3042fi
3043echo "$as_me:$LINENO: result: $ac_cv_prog_egrep" >&5
3044echo "${ECHO_T}$ac_cv_prog_egrep" >&6
3045 EGREP=$ac_cv_prog_egrep
3046
3047
3031# Extract the first word of "ar", so it can be a program name with args. 3048# Extract the first word of "ar", so it can be a program name with args.
3032set dummy ar; ac_word=$2 3049set dummy ar; ac_word=$2
3033echo "$as_me:$LINENO: checking for $ac_word" >&5 3050echo "$as_me:$LINENO: checking for $ac_word" >&5
@@ -3544,6 +3561,13 @@ else
3544echo "${ECHO_T}no" >&6 3561echo "${ECHO_T}no" >&6
3545fi 3562fi
3546 3563
3564if test -x /sbin/sh; then
3565 STARTUP_SCRIPT_SHELL=/sbin/sh
3566
3567else
3568 STARTUP_SCRIPT_SHELL=/bin/sh
3569
3570fi
3547 3571
3548# System features 3572# System features
3549# Check whether --enable-largefile or --disable-largefile was given. 3573# Check whether --enable-largefile or --disable-largefile was given.
@@ -3913,7 +3937,8 @@ fi
3913 3937
3914# Use LOGIN_PROGRAM from environment if possible 3938# Use LOGIN_PROGRAM from environment if possible
3915if test ! -z "$LOGIN_PROGRAM" ; then 3939if test ! -z "$LOGIN_PROGRAM" ; then
3916 cat >>confdefs.h <<_ACEOF 3940
3941cat >>confdefs.h <<_ACEOF
3917#define LOGIN_PROGRAM_FALLBACK "$LOGIN_PROGRAM" 3942#define LOGIN_PROGRAM_FALLBACK "$LOGIN_PROGRAM"
3918_ACEOF 3943_ACEOF
3919 3944
@@ -4006,7 +4031,8 @@ echo "${ECHO_T}no" >&6
4006fi 4031fi
4007 4032
4008if test ! -z "$PATH_PASSWD_PROG" ; then 4033if test ! -z "$PATH_PASSWD_PROG" ; then
4009 cat >>confdefs.h <<_ACEOF 4034
4035cat >>confdefs.h <<_ACEOF
4010#define _PATH_PASSWD_PROG "$PATH_PASSWD_PROG" 4036#define _PATH_PASSWD_PROG "$PATH_PASSWD_PROG"
4011_ACEOF 4037_ACEOF
4012 4038
@@ -4151,12 +4177,14 @@ fi
4151 4177
4152if test "$GCC" = "yes" || test "$GCC" = "egcs"; then 4178if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
4153 CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized" 4179 CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized"
4154 GCC_VER=`$CC --version` 4180 GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
4155 case $GCC_VER in 4181 case $GCC_VER in
4156 1.*) ;; 4182 1.*) ;;
4157 2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;; 4183 2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;;
4158 2.*) ;; 4184 2.*) ;;
4159 *) CFLAGS="$CFLAGS -Wsign-compare" ;; 4185 3.*) CFLAGS="$CFLAGS -Wsign-compare" ;;
4186 4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign" ;;
4187 *) ;;
4160 esac 4188 esac
4161 4189
4162 if test -z "$have_llong_max"; then 4190 if test -z "$have_llong_max"; then
@@ -4230,110 +4258,6 @@ fi
4230 fi 4258 fi
4231fi 4259fi
4232 4260
4233if test -z "$have_llong_max"; then
4234 echo "$as_me:$LINENO: checking for max value of long long" >&5
4235echo $ECHO_N "checking for max value of long long... $ECHO_C" >&6
4236 if test "$cross_compiling" = yes; then
4237
4238 { echo "$as_me:$LINENO: WARNING: cross compiling: not checking" >&5
4239echo "$as_me: WARNING: cross compiling: not checking" >&2;}
4240
4241
4242else
4243 cat >conftest.$ac_ext <<_ACEOF
4244/* confdefs.h. */
4245_ACEOF
4246cat confdefs.h >>conftest.$ac_ext
4247cat >>conftest.$ac_ext <<_ACEOF
4248/* end confdefs.h. */
4249
4250#include <stdio.h>
4251/* Why is this so damn hard? */
4252#ifdef __GNUC__
4253# undef __GNUC__
4254#endif
4255#define __USE_ISOC99
4256#include <limits.h>
4257#define DATA "conftest.llminmax"
4258int main(void) {
4259 FILE *f;
4260 long long i, llmin, llmax = 0;
4261
4262 if((f = fopen(DATA,"w")) == NULL)
4263 exit(1);
4264
4265#if defined(LLONG_MIN) && defined(LLONG_MAX)
4266 fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
4267 llmin = LLONG_MIN;
4268 llmax = LLONG_MAX;
4269#else
4270 fprintf(stderr, "Calculating LLONG_MIN and LLONG_MAX\n");
4271 /* This will work on one's complement and two's complement */
4272 for (i = 1; i > llmax; i <<= 1, i++)
4273 llmax = i;
4274 llmin = llmax + 1LL; /* wrap */
4275#endif
4276
4277 /* Sanity check */
4278 if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
4279 || llmax - 1 > llmax) {
4280 fprintf(f, "unknown unknown\n");
4281 exit(2);
4282 }
4283
4284 if (fprintf(f ,"%lld %lld", llmin, llmax) < 0)
4285 exit(3);
4286
4287 exit(0);
4288}
4289
4290_ACEOF
4291rm -f conftest$ac_exeext
4292if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
4293 (eval $ac_link) 2>&5
4294 ac_status=$?
4295 echo "$as_me:$LINENO: \$? = $ac_status" >&5
4296 (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
4297 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
4298 (eval $ac_try) 2>&5
4299 ac_status=$?
4300 echo "$as_me:$LINENO: \$? = $ac_status" >&5
4301 (exit $ac_status); }; }; then
4302
4303 llong_min=`$AWK '{print $1}' conftest.llminmax`
4304 llong_max=`$AWK '{print $2}' conftest.llminmax`
4305 echo "$as_me:$LINENO: result: $llong_max" >&5
4306echo "${ECHO_T}$llong_max" >&6
4307
4308cat >>confdefs.h <<_ACEOF
4309#define LLONG_MAX ${llong_max}LL
4310_ACEOF
4311
4312 echo "$as_me:$LINENO: checking for min value of long long" >&5
4313echo $ECHO_N "checking for min value of long long... $ECHO_C" >&6
4314 echo "$as_me:$LINENO: result: $llong_min" >&5
4315echo "${ECHO_T}$llong_min" >&6
4316
4317cat >>confdefs.h <<_ACEOF
4318#define LLONG_MIN ${llong_min}LL
4319_ACEOF
4320
4321
4322else
4323 echo "$as_me: program exited with status $ac_status" >&5
4324echo "$as_me: failed program was:" >&5
4325sed 's/^/| /' conftest.$ac_ext >&5
4326
4327( exit $ac_status )
4328
4329 echo "$as_me:$LINENO: result: not found" >&5
4330echo "${ECHO_T}not found" >&6
4331
4332fi
4333rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
4334fi
4335fi
4336
4337 4261
4338# Check whether --with-rpath or --without-rpath was given. 4262# Check whether --with-rpath or --without-rpath was given.
4339if test "${with_rpath+set}" = set; then 4263if test "${with_rpath+set}" = set; then
@@ -4508,7 +4432,8 @@ fi
4508echo "$as_me:$LINENO: result: $ac_cv_func_authenticate" >&5 4432echo "$as_me:$LINENO: result: $ac_cv_func_authenticate" >&5
4509echo "${ECHO_T}$ac_cv_func_authenticate" >&6 4433echo "${ECHO_T}$ac_cv_func_authenticate" >&6
4510if test $ac_cv_func_authenticate = yes; then 4434if test $ac_cv_func_authenticate = yes; then
4511 cat >>confdefs.h <<\_ACEOF 4435
4436cat >>confdefs.h <<\_ACEOF
4512#define WITH_AIXAUTHENTICATE 1 4437#define WITH_AIXAUTHENTICATE 1
4513_ACEOF 4438_ACEOF
4514 4439
@@ -5043,7 +4968,8 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
5043 (exit $ac_status); }; }; then 4968 (exit $ac_status); }; }; then
5044 echo "$as_me:$LINENO: result: yes" >&5 4969 echo "$as_me:$LINENO: result: yes" >&5
5045echo "${ECHO_T}yes" >&6 4970echo "${ECHO_T}yes" >&6
5046 cat >>confdefs.h <<\_ACEOF 4971
4972cat >>confdefs.h <<\_ACEOF
5047#define AIX_LOGINFAILED_4ARG 1 4973#define AIX_LOGINFAILED_4ARG 1
5048_ACEOF 4974_ACEOF
5049 4975
@@ -5167,63 +5093,82 @@ fi
5167done 5093done
5168 5094
5169 check_for_aix_broken_getaddrinfo=1 5095 check_for_aix_broken_getaddrinfo=1
5170 cat >>confdefs.h <<\_ACEOF 5096
5097cat >>confdefs.h <<\_ACEOF
5171#define BROKEN_REALPATH 1 5098#define BROKEN_REALPATH 1
5172_ACEOF 5099_ACEOF
5173 5100
5174 cat >>confdefs.h <<\_ACEOF 5101
5102cat >>confdefs.h <<\_ACEOF
5175#define SETEUID_BREAKS_SETUID 1 5103#define SETEUID_BREAKS_SETUID 1
5176_ACEOF 5104_ACEOF
5177 5105
5178 cat >>confdefs.h <<\_ACEOF 5106
5107cat >>confdefs.h <<\_ACEOF
5179#define BROKEN_SETREUID 1 5108#define BROKEN_SETREUID 1
5180_ACEOF 5109_ACEOF
5181 5110
5182 cat >>confdefs.h <<\_ACEOF 5111
5112cat >>confdefs.h <<\_ACEOF
5183#define BROKEN_SETREGID 1 5113#define BROKEN_SETREGID 1
5184_ACEOF 5114_ACEOF
5185 5115
5186 cat >>confdefs.h <<\_ACEOF 5116
5117cat >>confdefs.h <<\_ACEOF
5187#define DISABLE_LASTLOG 1 5118#define DISABLE_LASTLOG 1
5188_ACEOF 5119_ACEOF
5189 5120
5190 cat >>confdefs.h <<\_ACEOF 5121
5122cat >>confdefs.h <<\_ACEOF
5191#define LOGIN_NEEDS_UTMPX 1 5123#define LOGIN_NEEDS_UTMPX 1
5192_ACEOF 5124_ACEOF
5193 5125
5194 cat >>confdefs.h <<\_ACEOF 5126
5127cat >>confdefs.h <<\_ACEOF
5195#define SPT_TYPE SPT_REUSEARGV 5128#define SPT_TYPE SPT_REUSEARGV
5196_ACEOF 5129_ACEOF
5197 5130
5131
5132cat >>confdefs.h <<\_ACEOF
5133#define SSHPAM_CHAUTHTOK_NEEDS_RUID 1
5134_ACEOF
5135
5198 ;; 5136 ;;
5199*-*-cygwin*) 5137*-*-cygwin*)
5200 check_for_libcrypt_later=1 5138 check_for_libcrypt_later=1
5201 LIBS="$LIBS /usr/lib/textmode.o" 5139 LIBS="$LIBS /usr/lib/textmode.o"
5202 cat >>confdefs.h <<\_ACEOF 5140
5141cat >>confdefs.h <<\_ACEOF
5203#define HAVE_CYGWIN 1 5142#define HAVE_CYGWIN 1
5204_ACEOF 5143_ACEOF
5205 5144
5206 cat >>confdefs.h <<\_ACEOF 5145
5146cat >>confdefs.h <<\_ACEOF
5207#define USE_PIPES 1 5147#define USE_PIPES 1
5208_ACEOF 5148_ACEOF
5209 5149
5210 cat >>confdefs.h <<\_ACEOF 5150
5151cat >>confdefs.h <<\_ACEOF
5211#define DISABLE_SHADOW 1 5152#define DISABLE_SHADOW 1
5212_ACEOF 5153_ACEOF
5213 5154
5214 cat >>confdefs.h <<\_ACEOF 5155
5156cat >>confdefs.h <<\_ACEOF
5215#define IP_TOS_IS_BROKEN 1 5157#define IP_TOS_IS_BROKEN 1
5216_ACEOF 5158_ACEOF
5217 5159
5218 cat >>confdefs.h <<\_ACEOF 5160
5161cat >>confdefs.h <<\_ACEOF
5219#define NO_X11_UNIX_SOCKETS 1 5162#define NO_X11_UNIX_SOCKETS 1
5220_ACEOF 5163_ACEOF
5221 5164
5222 cat >>confdefs.h <<\_ACEOF 5165
5166cat >>confdefs.h <<\_ACEOF
5223#define NO_IPPORT_RESERVED_CONCEPT 1 5167#define NO_IPPORT_RESERVED_CONCEPT 1
5224_ACEOF 5168_ACEOF
5225 5169
5226 cat >>confdefs.h <<\_ACEOF 5170
5171cat >>confdefs.h <<\_ACEOF
5227#define DISABLE_FD_PASSING 1 5172#define DISABLE_FD_PASSING 1
5228_ACEOF 5173_ACEOF
5229 5174
@@ -5287,7 +5232,8 @@ sed 's/^/| /' conftest.$ac_ext >&5
5287( exit $ac_status ) 5232( exit $ac_status )
5288echo "$as_me:$LINENO: result: buggy" >&5 5233echo "$as_me:$LINENO: result: buggy" >&5
5289echo "${ECHO_T}buggy" >&6 5234echo "${ECHO_T}buggy" >&6
5290 cat >>confdefs.h <<\_ACEOF 5235
5236cat >>confdefs.h <<\_ACEOF
5291#define BROKEN_GETADDRINFO 1 5237#define BROKEN_GETADDRINFO 1
5292_ACEOF 5238_ACEOF
5293 5239
@@ -5306,7 +5252,8 @@ _ACEOF
5306#define BROKEN_SETREGID 1 5252#define BROKEN_SETREGID 1
5307_ACEOF 5253_ACEOF
5308 5254
5309 cat >>confdefs.h <<_ACEOF 5255
5256cat >>confdefs.h <<_ACEOF
5310#define BIND_8_COMPAT 1 5257#define BIND_8_COMPAT 1
5311_ACEOF 5258_ACEOF
5312 5259
@@ -5319,7 +5266,8 @@ _ACEOF
5319#define USE_PIPES 1 5266#define USE_PIPES 1
5320_ACEOF 5267_ACEOF
5321 5268
5322 cat >>confdefs.h <<\_ACEOF 5269
5270cat >>confdefs.h <<\_ACEOF
5323#define LOGIN_NO_ENDOPT 1 5271#define LOGIN_NO_ENDOPT 1
5324_ACEOF 5272_ACEOF
5325 5273
@@ -5327,7 +5275,8 @@ _ACEOF
5327#define LOGIN_NEEDS_UTMPX 1 5275#define LOGIN_NEEDS_UTMPX 1
5328_ACEOF 5276_ACEOF
5329 5277
5330 cat >>confdefs.h <<\_ACEOF 5278
5279cat >>confdefs.h <<\_ACEOF
5331#define LOCKED_PASSWD_STRING "*" 5280#define LOCKED_PASSWD_STRING "*"
5332_ACEOF 5281_ACEOF
5333 5282
@@ -5335,6 +5284,7 @@ _ACEOF
5335#define SPT_TYPE SPT_PSTAT 5284#define SPT_TYPE SPT_PSTAT
5336_ACEOF 5285_ACEOF
5337 5286
5287 MAIL="/var/mail/username"
5338 LIBS="$LIBS -lsec" 5288 LIBS="$LIBS -lsec"
5339 5289
5340echo "$as_me:$LINENO: checking for t_error in -lxnet" >&5 5290echo "$as_me:$LINENO: checking for t_error in -lxnet" >&5
@@ -5422,11 +5372,13 @@ fi
5422 fi 5372 fi
5423 ;; 5373 ;;
5424 *-*-hpux11*) 5374 *-*-hpux11*)
5425 cat >>confdefs.h <<\_ACEOF 5375
5376cat >>confdefs.h <<\_ACEOF
5426#define PAM_SUN_CODEBASE 1 5377#define PAM_SUN_CODEBASE 1
5427_ACEOF 5378_ACEOF
5428 5379
5429 cat >>confdefs.h <<\_ACEOF 5380
5381cat >>confdefs.h <<\_ACEOF
5430#define DISABLE_UTMP 1 5382#define DISABLE_UTMP 1
5431_ACEOF 5383_ACEOF
5432 5384
@@ -5443,7 +5395,8 @@ _ACEOF
5443 # lastly, we define options specific to minor releases 5395 # lastly, we define options specific to minor releases
5444 case "$host" in 5396 case "$host" in
5445 *-*-hpux10.26) 5397 *-*-hpux10.26)
5446 cat >>confdefs.h <<\_ACEOF 5398
5399cat >>confdefs.h <<\_ACEOF
5447#define HAVE_SECUREWARE 1 5400#define HAVE_SECUREWARE 1
5448_ACEOF 5401_ACEOF
5449 5402
@@ -5454,7 +5407,8 @@ _ACEOF
5454 ;; 5407 ;;
5455*-*-irix5*) 5408*-*-irix5*)
5456 PATH="$PATH:/usr/etc" 5409 PATH="$PATH:/usr/etc"
5457 cat >>confdefs.h <<\_ACEOF 5410
5411cat >>confdefs.h <<\_ACEOF
5458#define BROKEN_INET_NTOA 1 5412#define BROKEN_INET_NTOA 1
5459_ACEOF 5413_ACEOF
5460 5414
@@ -5470,7 +5424,8 @@ _ACEOF
5470#define BROKEN_SETREGID 1 5424#define BROKEN_SETREGID 1
5471_ACEOF 5425_ACEOF
5472 5426
5473 cat >>confdefs.h <<\_ACEOF 5427
5428cat >>confdefs.h <<\_ACEOF
5474#define WITH_ABBREV_NO_TTY 1 5429#define WITH_ABBREV_NO_TTY 1
5475_ACEOF 5430_ACEOF
5476 5431
@@ -5481,15 +5436,18 @@ _ACEOF
5481 ;; 5436 ;;
5482*-*-irix6*) 5437*-*-irix6*)
5483 PATH="$PATH:/usr/etc" 5438 PATH="$PATH:/usr/etc"
5484 cat >>confdefs.h <<\_ACEOF 5439
5440cat >>confdefs.h <<\_ACEOF
5485#define WITH_IRIX_ARRAY 1 5441#define WITH_IRIX_ARRAY 1
5486_ACEOF 5442_ACEOF
5487 5443
5488 cat >>confdefs.h <<\_ACEOF 5444
5445cat >>confdefs.h <<\_ACEOF
5489#define WITH_IRIX_PROJECT 1 5446#define WITH_IRIX_PROJECT 1
5490_ACEOF 5447_ACEOF
5491 5448
5492 cat >>confdefs.h <<\_ACEOF 5449
5450cat >>confdefs.h <<\_ACEOF
5493#define WITH_IRIX_AUDIT 1 5451#define WITH_IRIX_AUDIT 1
5494_ACEOF 5452_ACEOF
5495 5453
@@ -5583,7 +5541,8 @@ fi
5583echo "$as_me:$LINENO: result: $ac_cv_func_jlimit_startjob" >&5 5541echo "$as_me:$LINENO: result: $ac_cv_func_jlimit_startjob" >&5
5584echo "${ECHO_T}$ac_cv_func_jlimit_startjob" >&6 5542echo "${ECHO_T}$ac_cv_func_jlimit_startjob" >&6
5585if test $ac_cv_func_jlimit_startjob = yes; then 5543if test $ac_cv_func_jlimit_startjob = yes; then
5586 cat >>confdefs.h <<\_ACEOF 5544
5545cat >>confdefs.h <<\_ACEOF
5587#define WITH_IRIX_JOBS 1 5546#define WITH_IRIX_JOBS 1
5588_ACEOF 5547_ACEOF
5589 5548
@@ -5605,7 +5564,8 @@ _ACEOF
5605#define BROKEN_SETREGID 1 5564#define BROKEN_SETREGID 1
5606_ACEOF 5565_ACEOF
5607 5566
5608 cat >>confdefs.h <<\_ACEOF 5567
5568cat >>confdefs.h <<\_ACEOF
5609#define BROKEN_UPDWTMPX 1 5569#define BROKEN_UPDWTMPX 1
5610_ACEOF 5570_ACEOF
5611 5571
@@ -5647,15 +5607,18 @@ _ACEOF
5647 no_dev_ptmx=1 5607 no_dev_ptmx=1
5648 check_for_libcrypt_later=1 5608 check_for_libcrypt_later=1
5649 check_for_openpty_ctty_bug=1 5609 check_for_openpty_ctty_bug=1
5650 cat >>confdefs.h <<\_ACEOF 5610
5611cat >>confdefs.h <<\_ACEOF
5651#define DONT_TRY_OTHER_AF 1 5612#define DONT_TRY_OTHER_AF 1
5652_ACEOF 5613_ACEOF
5653 5614
5654 cat >>confdefs.h <<\_ACEOF 5615
5616cat >>confdefs.h <<\_ACEOF
5655#define PAM_TTY_KLUDGE 1 5617#define PAM_TTY_KLUDGE 1
5656_ACEOF 5618_ACEOF
5657 5619
5658 cat >>confdefs.h <<\_ACEOF 5620
5621cat >>confdefs.h <<\_ACEOF
5659#define LOCKED_PASSWD_PREFIX "!" 5622#define LOCKED_PASSWD_PREFIX "!"
5660_ACEOF 5623_ACEOF
5661 5624
@@ -5663,7 +5626,8 @@ _ACEOF
5663#define SPT_TYPE SPT_REUSEARGV 5626#define SPT_TYPE SPT_REUSEARGV
5664_ACEOF 5627_ACEOF
5665 5628
5666 cat >>confdefs.h <<\_ACEOF 5629
5630cat >>confdefs.h <<\_ACEOF
5667#define LINK_OPNOTSUPP_ERRNO EPERM 5631#define LINK_OPNOTSUPP_ERRNO EPERM
5668_ACEOF 5632_ACEOF
5669 5633
@@ -5672,25 +5636,429 @@ cat >>confdefs.h <<\_ACEOF
5672#define _PATH_BTMP "/var/log/btmp" 5636#define _PATH_BTMP "/var/log/btmp"
5673_ACEOF 5637_ACEOF
5674 5638
5675 5639 cat >>confdefs.h <<\_ACEOF
5676cat >>confdefs.h <<\_ACEOF
5677#define USE_BTMP 1 5640#define USE_BTMP 1
5678_ACEOF 5641_ACEOF
5679 5642
5680 inet6_default_4in6=yes 5643 inet6_default_4in6=yes
5681 case `uname -r` in 5644 case `uname -r` in
5682 1.*|2.0.*) 5645 1.*|2.0.*)
5683 cat >>confdefs.h <<\_ACEOF 5646
5647cat >>confdefs.h <<\_ACEOF
5684#define BROKEN_CMSG_TYPE 1 5648#define BROKEN_CMSG_TYPE 1
5685_ACEOF 5649_ACEOF
5686 5650
5687 ;; 5651 ;;
5688 esac 5652 esac
5653 # tun(4) forwarding compat code
5654
5655echo "$as_me:$LINENO: checking for ANSI C header files" >&5
5656echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6
5657if test "${ac_cv_header_stdc+set}" = set; then
5658 echo $ECHO_N "(cached) $ECHO_C" >&6
5659else
5660 cat >conftest.$ac_ext <<_ACEOF
5661/* confdefs.h. */
5662_ACEOF
5663cat confdefs.h >>conftest.$ac_ext
5664cat >>conftest.$ac_ext <<_ACEOF
5665/* end confdefs.h. */
5666#include <stdlib.h>
5667#include <stdarg.h>
5668#include <string.h>
5669#include <float.h>
5670
5671int
5672main ()
5673{
5674
5675 ;
5676 return 0;
5677}
5678_ACEOF
5679rm -f conftest.$ac_objext
5680if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
5681 (eval $ac_compile) 2>conftest.er1
5682 ac_status=$?
5683 grep -v '^ *+' conftest.er1 >conftest.err
5684 rm -f conftest.er1
5685 cat conftest.err >&5
5686 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5687 (exit $ac_status); } &&
5688 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
5689 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
5690 (eval $ac_try) 2>&5
5691 ac_status=$?
5692 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5693 (exit $ac_status); }; } &&
5694 { ac_try='test -s conftest.$ac_objext'
5695 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
5696 (eval $ac_try) 2>&5
5697 ac_status=$?
5698 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5699 (exit $ac_status); }; }; then
5700 ac_cv_header_stdc=yes
5701else
5702 echo "$as_me: failed program was:" >&5
5703sed 's/^/| /' conftest.$ac_ext >&5
5704
5705ac_cv_header_stdc=no
5706fi
5707rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
5708
5709if test $ac_cv_header_stdc = yes; then
5710 # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
5711 cat >conftest.$ac_ext <<_ACEOF
5712/* confdefs.h. */
5713_ACEOF
5714cat confdefs.h >>conftest.$ac_ext
5715cat >>conftest.$ac_ext <<_ACEOF
5716/* end confdefs.h. */
5717#include <string.h>
5718
5719_ACEOF
5720if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
5721 $EGREP "memchr" >/dev/null 2>&1; then
5722 :
5723else
5724 ac_cv_header_stdc=no
5725fi
5726rm -f conftest*
5727
5728fi
5729
5730if test $ac_cv_header_stdc = yes; then
5731 # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
5732 cat >conftest.$ac_ext <<_ACEOF
5733/* confdefs.h. */
5734_ACEOF
5735cat confdefs.h >>conftest.$ac_ext
5736cat >>conftest.$ac_ext <<_ACEOF
5737/* end confdefs.h. */
5738#include <stdlib.h>
5739
5740_ACEOF
5741if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
5742 $EGREP "free" >/dev/null 2>&1; then
5743 :
5744else
5745 ac_cv_header_stdc=no
5746fi
5747rm -f conftest*
5748
5749fi
5750
5751if test $ac_cv_header_stdc = yes; then
5752 # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
5753 if test "$cross_compiling" = yes; then
5754 :
5755else
5756 cat >conftest.$ac_ext <<_ACEOF
5757/* confdefs.h. */
5758_ACEOF
5759cat confdefs.h >>conftest.$ac_ext
5760cat >>conftest.$ac_ext <<_ACEOF
5761/* end confdefs.h. */
5762#include <ctype.h>
5763#if ((' ' & 0x0FF) == 0x020)
5764# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
5765# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
5766#else
5767# define ISLOWER(c) \
5768 (('a' <= (c) && (c) <= 'i') \
5769 || ('j' <= (c) && (c) <= 'r') \
5770 || ('s' <= (c) && (c) <= 'z'))
5771# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
5772#endif
5773
5774#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
5775int
5776main ()
5777{
5778 int i;
5779 for (i = 0; i < 256; i++)
5780 if (XOR (islower (i), ISLOWER (i))
5781 || toupper (i) != TOUPPER (i))
5782 exit(2);
5783 exit (0);
5784}
5785_ACEOF
5786rm -f conftest$ac_exeext
5787if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
5788 (eval $ac_link) 2>&5
5789 ac_status=$?
5790 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5791 (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
5792 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
5793 (eval $ac_try) 2>&5
5794 ac_status=$?
5795 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5796 (exit $ac_status); }; }; then
5797 :
5798else
5799 echo "$as_me: program exited with status $ac_status" >&5
5800echo "$as_me: failed program was:" >&5
5801sed 's/^/| /' conftest.$ac_ext >&5
5802
5803( exit $ac_status )
5804ac_cv_header_stdc=no
5805fi
5806rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
5807fi
5808fi
5809fi
5810echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
5811echo "${ECHO_T}$ac_cv_header_stdc" >&6
5812if test $ac_cv_header_stdc = yes; then
5813
5814cat >>confdefs.h <<\_ACEOF
5815#define STDC_HEADERS 1
5816_ACEOF
5817
5818fi
5819
5820# On IRIX 5.3, sys/types and inttypes.h are conflicting.
5821
5822
5823
5824
5825
5826
5827
5828
5829
5830for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
5831 inttypes.h stdint.h unistd.h
5832do
5833as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
5834echo "$as_me:$LINENO: checking for $ac_header" >&5
5835echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
5836if eval "test \"\${$as_ac_Header+set}\" = set"; then
5837 echo $ECHO_N "(cached) $ECHO_C" >&6
5838else
5839 cat >conftest.$ac_ext <<_ACEOF
5840/* confdefs.h. */
5841_ACEOF
5842cat confdefs.h >>conftest.$ac_ext
5843cat >>conftest.$ac_ext <<_ACEOF
5844/* end confdefs.h. */
5845$ac_includes_default
5846
5847#include <$ac_header>
5848_ACEOF
5849rm -f conftest.$ac_objext
5850if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
5851 (eval $ac_compile) 2>conftest.er1
5852 ac_status=$?
5853 grep -v '^ *+' conftest.er1 >conftest.err
5854 rm -f conftest.er1
5855 cat conftest.err >&5
5856 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5857 (exit $ac_status); } &&
5858 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
5859 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
5860 (eval $ac_try) 2>&5
5861 ac_status=$?
5862 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5863 (exit $ac_status); }; } &&
5864 { ac_try='test -s conftest.$ac_objext'
5865 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
5866 (eval $ac_try) 2>&5
5867 ac_status=$?
5868 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5869 (exit $ac_status); }; }; then
5870 eval "$as_ac_Header=yes"
5871else
5872 echo "$as_me: failed program was:" >&5
5873sed 's/^/| /' conftest.$ac_ext >&5
5874
5875eval "$as_ac_Header=no"
5876fi
5877rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
5878fi
5879echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
5880echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
5881if test `eval echo '${'$as_ac_Header'}'` = yes; then
5882 cat >>confdefs.h <<_ACEOF
5883#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
5884_ACEOF
5885
5886fi
5887
5888done
5889
5890
5891
5892for ac_header in linux/if_tun.h
5893do
5894as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
5895if eval "test \"\${$as_ac_Header+set}\" = set"; then
5896 echo "$as_me:$LINENO: checking for $ac_header" >&5
5897echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
5898if eval "test \"\${$as_ac_Header+set}\" = set"; then
5899 echo $ECHO_N "(cached) $ECHO_C" >&6
5900fi
5901echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
5902echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
5903else
5904 # Is the header compilable?
5905echo "$as_me:$LINENO: checking $ac_header usability" >&5
5906echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
5907cat >conftest.$ac_ext <<_ACEOF
5908/* confdefs.h. */
5909_ACEOF
5910cat confdefs.h >>conftest.$ac_ext
5911cat >>conftest.$ac_ext <<_ACEOF
5912/* end confdefs.h. */
5913$ac_includes_default
5914#include <$ac_header>
5915_ACEOF
5916rm -f conftest.$ac_objext
5917if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
5918 (eval $ac_compile) 2>conftest.er1
5919 ac_status=$?
5920 grep -v '^ *+' conftest.er1 >conftest.err
5921 rm -f conftest.er1
5922 cat conftest.err >&5
5923 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5924 (exit $ac_status); } &&
5925 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
5926 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
5927 (eval $ac_try) 2>&5
5928 ac_status=$?
5929 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5930 (exit $ac_status); }; } &&
5931 { ac_try='test -s conftest.$ac_objext'
5932 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
5933 (eval $ac_try) 2>&5
5934 ac_status=$?
5935 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5936 (exit $ac_status); }; }; then
5937 ac_header_compiler=yes
5938else
5939 echo "$as_me: failed program was:" >&5
5940sed 's/^/| /' conftest.$ac_ext >&5
5941
5942ac_header_compiler=no
5943fi
5944rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
5945echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
5946echo "${ECHO_T}$ac_header_compiler" >&6
5947
5948# Is the header present?
5949echo "$as_me:$LINENO: checking $ac_header presence" >&5
5950echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
5951cat >conftest.$ac_ext <<_ACEOF
5952/* confdefs.h. */
5953_ACEOF
5954cat confdefs.h >>conftest.$ac_ext
5955cat >>conftest.$ac_ext <<_ACEOF
5956/* end confdefs.h. */
5957#include <$ac_header>
5958_ACEOF
5959if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
5960 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
5961 ac_status=$?
5962 grep -v '^ *+' conftest.er1 >conftest.err
5963 rm -f conftest.er1
5964 cat conftest.err >&5
5965 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5966 (exit $ac_status); } >/dev/null; then
5967 if test -s conftest.err; then
5968 ac_cpp_err=$ac_c_preproc_warn_flag
5969 ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
5970 else
5971 ac_cpp_err=
5972 fi
5973else
5974 ac_cpp_err=yes
5975fi
5976if test -z "$ac_cpp_err"; then
5977 ac_header_preproc=yes
5978else
5979 echo "$as_me: failed program was:" >&5
5980sed 's/^/| /' conftest.$ac_ext >&5
5981
5982 ac_header_preproc=no
5983fi
5984rm -f conftest.err conftest.$ac_ext
5985echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
5986echo "${ECHO_T}$ac_header_preproc" >&6
5987
5988# So? What about this header?
5989case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
5990 yes:no: )
5991 { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
5992echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
5993 { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
5994echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
5995 ac_header_preproc=yes
5996 ;;
5997 no:yes:* )
5998 { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
5999echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
6000 { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5
6001echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;}
6002 { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
6003echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
6004 { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5
6005echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;}
6006 { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
6007echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
6008 { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
6009echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
6010 (
6011 cat <<\_ASBOX
6012## ------------------------------------------- ##
6013## Report this to openssh-unix-dev@mindrot.org ##
6014## ------------------------------------------- ##
6015_ASBOX
6016 ) |
6017 sed "s/^/$as_me: WARNING: /" >&2
6018 ;;
6019esac
6020echo "$as_me:$LINENO: checking for $ac_header" >&5
6021echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
6022if eval "test \"\${$as_ac_Header+set}\" = set"; then
6023 echo $ECHO_N "(cached) $ECHO_C" >&6
6024else
6025 eval "$as_ac_Header=\$ac_header_preproc"
6026fi
6027echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
6028echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
6029
6030fi
6031if test `eval echo '${'$as_ac_Header'}'` = yes; then
6032 cat >>confdefs.h <<_ACEOF
6033#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
6034_ACEOF
6035
6036fi
6037
6038done
6039
6040 if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
6041
6042cat >>confdefs.h <<\_ACEOF
6043#define SSH_TUN_LINUX 1
6044_ACEOF
6045
6046
6047cat >>confdefs.h <<\_ACEOF
6048#define SSH_TUN_COMPAT_AF 1
6049_ACEOF
6050
6051
6052cat >>confdefs.h <<\_ACEOF
6053#define SSH_TUN_PREPEND_AF 1
6054_ACEOF
6055
6056 fi
5689 ;; 6057 ;;
5690mips-sony-bsd|mips-sony-newsos4) 6058mips-sony-bsd|mips-sony-newsos4)
5691 6059
5692cat >>confdefs.h <<\_ACEOF 6060cat >>confdefs.h <<\_ACEOF
5693#define NEED_SETPRGP 6061#define NEED_SETPGRP 1
5694_ACEOF 6062_ACEOF
5695 6063
5696 SONY=1 6064 SONY=1
@@ -5700,9 +6068,323 @@ _ACEOF
5700 if test "x$withval" != "xno" ; then 6068 if test "x$withval" != "xno" ; then
5701 need_dash_r=1 6069 need_dash_r=1
5702 fi 6070 fi
6071
6072cat >>confdefs.h <<\_ACEOF
6073#define SSH_TUN_FREEBSD 1
6074_ACEOF
6075
6076 if test "${ac_cv_header_net_if_tap_h+set}" = set; then
6077 echo "$as_me:$LINENO: checking for net/if_tap.h" >&5
6078echo $ECHO_N "checking for net/if_tap.h... $ECHO_C" >&6
6079if test "${ac_cv_header_net_if_tap_h+set}" = set; then
6080 echo $ECHO_N "(cached) $ECHO_C" >&6
6081fi
6082echo "$as_me:$LINENO: result: $ac_cv_header_net_if_tap_h" >&5
6083echo "${ECHO_T}$ac_cv_header_net_if_tap_h" >&6
6084else
6085 # Is the header compilable?
6086echo "$as_me:$LINENO: checking net/if_tap.h usability" >&5
6087echo $ECHO_N "checking net/if_tap.h usability... $ECHO_C" >&6
6088cat >conftest.$ac_ext <<_ACEOF
6089/* confdefs.h. */
6090_ACEOF
6091cat confdefs.h >>conftest.$ac_ext
6092cat >>conftest.$ac_ext <<_ACEOF
6093/* end confdefs.h. */
6094$ac_includes_default
6095#include <net/if_tap.h>
6096_ACEOF
6097rm -f conftest.$ac_objext
6098if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
6099 (eval $ac_compile) 2>conftest.er1
6100 ac_status=$?
6101 grep -v '^ *+' conftest.er1 >conftest.err
6102 rm -f conftest.er1
6103 cat conftest.err >&5
6104 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6105 (exit $ac_status); } &&
6106 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
6107 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
6108 (eval $ac_try) 2>&5
6109 ac_status=$?
6110 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6111 (exit $ac_status); }; } &&
6112 { ac_try='test -s conftest.$ac_objext'
6113 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
6114 (eval $ac_try) 2>&5
6115 ac_status=$?
6116 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6117 (exit $ac_status); }; }; then
6118 ac_header_compiler=yes
6119else
6120 echo "$as_me: failed program was:" >&5
6121sed 's/^/| /' conftest.$ac_ext >&5
6122
6123ac_header_compiler=no
6124fi
6125rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
6126echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
6127echo "${ECHO_T}$ac_header_compiler" >&6
6128
6129# Is the header present?
6130echo "$as_me:$LINENO: checking net/if_tap.h presence" >&5
6131echo $ECHO_N "checking net/if_tap.h presence... $ECHO_C" >&6
6132cat >conftest.$ac_ext <<_ACEOF
6133/* confdefs.h. */
6134_ACEOF
6135cat confdefs.h >>conftest.$ac_ext
6136cat >>conftest.$ac_ext <<_ACEOF
6137/* end confdefs.h. */
6138#include <net/if_tap.h>
6139_ACEOF
6140if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
6141 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
6142 ac_status=$?
6143 grep -v '^ *+' conftest.er1 >conftest.err
6144 rm -f conftest.er1
6145 cat conftest.err >&5
6146 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6147 (exit $ac_status); } >/dev/null; then
6148 if test -s conftest.err; then
6149 ac_cpp_err=$ac_c_preproc_warn_flag
6150 ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
6151 else
6152 ac_cpp_err=
6153 fi
6154else
6155 ac_cpp_err=yes
6156fi
6157if test -z "$ac_cpp_err"; then
6158 ac_header_preproc=yes
6159else
6160 echo "$as_me: failed program was:" >&5
6161sed 's/^/| /' conftest.$ac_ext >&5
6162
6163 ac_header_preproc=no
6164fi
6165rm -f conftest.err conftest.$ac_ext
6166echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
6167echo "${ECHO_T}$ac_header_preproc" >&6
6168
6169# So? What about this header?
6170case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
6171 yes:no: )
6172 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: accepted by the compiler, rejected by the preprocessor!" >&5
6173echo "$as_me: WARNING: net/if_tap.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
6174 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: proceeding with the compiler's result" >&5
6175echo "$as_me: WARNING: net/if_tap.h: proceeding with the compiler's result" >&2;}
6176 ac_header_preproc=yes
6177 ;;
6178 no:yes:* )
6179 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: present but cannot be compiled" >&5
6180echo "$as_me: WARNING: net/if_tap.h: present but cannot be compiled" >&2;}
6181 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: check for missing prerequisite headers?" >&5
6182echo "$as_me: WARNING: net/if_tap.h: check for missing prerequisite headers?" >&2;}
6183 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: see the Autoconf documentation" >&5
6184echo "$as_me: WARNING: net/if_tap.h: see the Autoconf documentation" >&2;}
6185 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: section \"Present But Cannot Be Compiled\"" >&5
6186echo "$as_me: WARNING: net/if_tap.h: section \"Present But Cannot Be Compiled\"" >&2;}
6187 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: proceeding with the preprocessor's result" >&5
6188echo "$as_me: WARNING: net/if_tap.h: proceeding with the preprocessor's result" >&2;}
6189 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: in the future, the compiler will take precedence" >&5
6190echo "$as_me: WARNING: net/if_tap.h: in the future, the compiler will take precedence" >&2;}
6191 (
6192 cat <<\_ASBOX
6193## ------------------------------------------- ##
6194## Report this to openssh-unix-dev@mindrot.org ##
6195## ------------------------------------------- ##
6196_ASBOX
6197 ) |
6198 sed "s/^/$as_me: WARNING: /" >&2
6199 ;;
6200esac
6201echo "$as_me:$LINENO: checking for net/if_tap.h" >&5
6202echo $ECHO_N "checking for net/if_tap.h... $ECHO_C" >&6
6203if test "${ac_cv_header_net_if_tap_h+set}" = set; then
6204 echo $ECHO_N "(cached) $ECHO_C" >&6
6205else
6206 ac_cv_header_net_if_tap_h=$ac_header_preproc
6207fi
6208echo "$as_me:$LINENO: result: $ac_cv_header_net_if_tap_h" >&5
6209echo "${ECHO_T}$ac_cv_header_net_if_tap_h" >&6
6210
6211fi
6212if test $ac_cv_header_net_if_tap_h = yes; then
6213 :
6214else
6215
6216cat >>confdefs.h <<\_ACEOF
6217#define SSH_TUN_NO_L2 1
6218_ACEOF
6219
6220fi
6221
6222
6223
6224cat >>confdefs.h <<\_ACEOF
6225#define SSH_TUN_PREPEND_AF 1
6226_ACEOF
6227
5703 ;; 6228 ;;
5704*-*-freebsd*) 6229*-*-freebsd*)
5705 check_for_libcrypt_later=1 6230 check_for_libcrypt_later=1
6231
6232cat >>confdefs.h <<\_ACEOF
6233#define LOCKED_PASSWD_PREFIX "*LOCKED*"
6234_ACEOF
6235
6236
6237cat >>confdefs.h <<\_ACEOF
6238#define SSH_TUN_FREEBSD 1
6239_ACEOF
6240
6241 if test "${ac_cv_header_net_if_tap_h+set}" = set; then
6242 echo "$as_me:$LINENO: checking for net/if_tap.h" >&5
6243echo $ECHO_N "checking for net/if_tap.h... $ECHO_C" >&6
6244if test "${ac_cv_header_net_if_tap_h+set}" = set; then
6245 echo $ECHO_N "(cached) $ECHO_C" >&6
6246fi
6247echo "$as_me:$LINENO: result: $ac_cv_header_net_if_tap_h" >&5
6248echo "${ECHO_T}$ac_cv_header_net_if_tap_h" >&6
6249else
6250 # Is the header compilable?
6251echo "$as_me:$LINENO: checking net/if_tap.h usability" >&5
6252echo $ECHO_N "checking net/if_tap.h usability... $ECHO_C" >&6
6253cat >conftest.$ac_ext <<_ACEOF
6254/* confdefs.h. */
6255_ACEOF
6256cat confdefs.h >>conftest.$ac_ext
6257cat >>conftest.$ac_ext <<_ACEOF
6258/* end confdefs.h. */
6259$ac_includes_default
6260#include <net/if_tap.h>
6261_ACEOF
6262rm -f conftest.$ac_objext
6263if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
6264 (eval $ac_compile) 2>conftest.er1
6265 ac_status=$?
6266 grep -v '^ *+' conftest.er1 >conftest.err
6267 rm -f conftest.er1
6268 cat conftest.err >&5
6269 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6270 (exit $ac_status); } &&
6271 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
6272 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
6273 (eval $ac_try) 2>&5
6274 ac_status=$?
6275 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6276 (exit $ac_status); }; } &&
6277 { ac_try='test -s conftest.$ac_objext'
6278 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
6279 (eval $ac_try) 2>&5
6280 ac_status=$?
6281 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6282 (exit $ac_status); }; }; then
6283 ac_header_compiler=yes
6284else
6285 echo "$as_me: failed program was:" >&5
6286sed 's/^/| /' conftest.$ac_ext >&5
6287
6288ac_header_compiler=no
6289fi
6290rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
6291echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
6292echo "${ECHO_T}$ac_header_compiler" >&6
6293
6294# Is the header present?
6295echo "$as_me:$LINENO: checking net/if_tap.h presence" >&5
6296echo $ECHO_N "checking net/if_tap.h presence... $ECHO_C" >&6
6297cat >conftest.$ac_ext <<_ACEOF
6298/* confdefs.h. */
6299_ACEOF
6300cat confdefs.h >>conftest.$ac_ext
6301cat >>conftest.$ac_ext <<_ACEOF
6302/* end confdefs.h. */
6303#include <net/if_tap.h>
6304_ACEOF
6305if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
6306 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
6307 ac_status=$?
6308 grep -v '^ *+' conftest.er1 >conftest.err
6309 rm -f conftest.er1
6310 cat conftest.err >&5
6311 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6312 (exit $ac_status); } >/dev/null; then
6313 if test -s conftest.err; then
6314 ac_cpp_err=$ac_c_preproc_warn_flag
6315 ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
6316 else
6317 ac_cpp_err=
6318 fi
6319else
6320 ac_cpp_err=yes
6321fi
6322if test -z "$ac_cpp_err"; then
6323 ac_header_preproc=yes
6324else
6325 echo "$as_me: failed program was:" >&5
6326sed 's/^/| /' conftest.$ac_ext >&5
6327
6328 ac_header_preproc=no
6329fi
6330rm -f conftest.err conftest.$ac_ext
6331echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
6332echo "${ECHO_T}$ac_header_preproc" >&6
6333
6334# So? What about this header?
6335case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
6336 yes:no: )
6337 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: accepted by the compiler, rejected by the preprocessor!" >&5
6338echo "$as_me: WARNING: net/if_tap.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
6339 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: proceeding with the compiler's result" >&5
6340echo "$as_me: WARNING: net/if_tap.h: proceeding with the compiler's result" >&2;}
6341 ac_header_preproc=yes
6342 ;;
6343 no:yes:* )
6344 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: present but cannot be compiled" >&5
6345echo "$as_me: WARNING: net/if_tap.h: present but cannot be compiled" >&2;}
6346 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: check for missing prerequisite headers?" >&5
6347echo "$as_me: WARNING: net/if_tap.h: check for missing prerequisite headers?" >&2;}
6348 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: see the Autoconf documentation" >&5
6349echo "$as_me: WARNING: net/if_tap.h: see the Autoconf documentation" >&2;}
6350 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: section \"Present But Cannot Be Compiled\"" >&5
6351echo "$as_me: WARNING: net/if_tap.h: section \"Present But Cannot Be Compiled\"" >&2;}
6352 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: proceeding with the preprocessor's result" >&5
6353echo "$as_me: WARNING: net/if_tap.h: proceeding with the preprocessor's result" >&2;}
6354 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: in the future, the compiler will take precedence" >&5
6355echo "$as_me: WARNING: net/if_tap.h: in the future, the compiler will take precedence" >&2;}
6356 (
6357 cat <<\_ASBOX
6358## ------------------------------------------- ##
6359## Report this to openssh-unix-dev@mindrot.org ##
6360## ------------------------------------------- ##
6361_ASBOX
6362 ) |
6363 sed "s/^/$as_me: WARNING: /" >&2
6364 ;;
6365esac
6366echo "$as_me:$LINENO: checking for net/if_tap.h" >&5
6367echo $ECHO_N "checking for net/if_tap.h... $ECHO_C" >&6
6368if test "${ac_cv_header_net_if_tap_h+set}" = set; then
6369 echo $ECHO_N "(cached) $ECHO_C" >&6
6370else
6371 ac_cv_header_net_if_tap_h=$ac_header_preproc
6372fi
6373echo "$as_me:$LINENO: result: $ac_cv_header_net_if_tap_h" >&5
6374echo "${ECHO_T}$ac_cv_header_net_if_tap_h" >&6
6375
6376fi
6377if test $ac_cv_header_net_if_tap_h = yes; then
6378 :
6379else
6380
6381cat >>confdefs.h <<\_ACEOF
6382#define SSH_TUN_NO_L2 1
6383_ACEOF
6384
6385fi
6386
6387
5706 ;; 6388 ;;
5707*-*-bsdi*) 6389*-*-bsdi*)
5708 cat >>confdefs.h <<\_ACEOF 6390 cat >>confdefs.h <<\_ACEOF
@@ -5723,7 +6405,8 @@ _ACEOF
5723 conf_utmp_location=/etc/utmp 6405 conf_utmp_location=/etc/utmp
5724 conf_wtmp_location=/usr/adm/wtmp 6406 conf_wtmp_location=/usr/adm/wtmp
5725 MAIL=/usr/spool/mail 6407 MAIL=/usr/spool/mail
5726 cat >>confdefs.h <<\_ACEOF 6408
6409cat >>confdefs.h <<\_ACEOF
5727#define HAVE_NEXT 1 6410#define HAVE_NEXT 1
5728_ACEOF 6411_ACEOF
5729 6412
@@ -5735,7 +6418,8 @@ _ACEOF
5735#define USE_PIPES 1 6418#define USE_PIPES 1
5736_ACEOF 6419_ACEOF
5737 6420
5738 cat >>confdefs.h <<\_ACEOF 6421
6422cat >>confdefs.h <<\_ACEOF
5739#define BROKEN_SAVED_UIDS 1 6423#define BROKEN_SAVED_UIDS 1
5740_ACEOF 6424_ACEOF
5741 6425
@@ -5746,6 +6430,16 @@ cat >>confdefs.h <<\_ACEOF
5746#define HAVE_ATTRIBUTE__SENTINEL__ 1 6430#define HAVE_ATTRIBUTE__SENTINEL__ 1
5747_ACEOF 6431_ACEOF
5748 6432
6433
6434cat >>confdefs.h <<\_ACEOF
6435#define HAVE_ATTRIBUTE__BOUNDED__ 1
6436_ACEOF
6437
6438
6439cat >>confdefs.h <<\_ACEOF
6440#define SSH_TUN_OPENBSD 1
6441_ACEOF
6442
5749 ;; 6443 ;;
5750*-*-solaris*) 6444*-*-solaris*)
5751 if test "x$withval" != "xno" ; then 6445 if test "x$withval" != "xno" ; then
@@ -5759,7 +6453,8 @@ _ACEOF
5759#define LOGIN_NEEDS_UTMPX 1 6453#define LOGIN_NEEDS_UTMPX 1
5760_ACEOF 6454_ACEOF
5761 6455
5762 cat >>confdefs.h <<\_ACEOF 6456
6457cat >>confdefs.h <<\_ACEOF
5763#define LOGIN_NEEDS_TERM 1 6458#define LOGIN_NEEDS_TERM 1
5764_ACEOF 6459_ACEOF
5765 6460
@@ -5767,7 +6462,8 @@ _ACEOF
5767#define PAM_TTY_KLUDGE 1 6462#define PAM_TTY_KLUDGE 1
5768_ACEOF 6463_ACEOF
5769 6464
5770 cat >>confdefs.h <<\_ACEOF 6465
6466cat >>confdefs.h <<\_ACEOF
5771#define SSHPAM_CHAUTHTOK_NEEDS_RUID 1 6467#define SSHPAM_CHAUTHTOK_NEEDS_RUID 1
5772_ACEOF 6468_ACEOF
5773 6469
@@ -5776,7 +6472,8 @@ _ACEOF
5776_ACEOF 6472_ACEOF
5777 6473
5778 # Pushing STREAMS modules will cause sshd to acquire a controlling tty. 6474 # Pushing STREAMS modules will cause sshd to acquire a controlling tty.
5779 cat >>confdefs.h <<\_ACEOF 6475
6476cat >>confdefs.h <<\_ACEOF
5780#define SSHD_ACQUIRES_CTTY 1 6477#define SSHD_ACQUIRES_CTTY 1
5781_ACEOF 6478_ACEOF
5782 6479
@@ -5793,7 +6490,8 @@ echo "${ECHO_T}yes" >&6
5793#define DISABLE_UTMP 1 6490#define DISABLE_UTMP 1
5794_ACEOF 6491_ACEOF
5795 6492
5796 cat >>confdefs.h <<\_ACEOF 6493
6494cat >>confdefs.h <<\_ACEOF
5797#define DISABLE_WTMP 1 6495#define DISABLE_WTMP 1
5798_ACEOF 6496_ACEOF
5799 6497
@@ -6015,14 +6713,14 @@ _ACEOF
6015 6713
6016fi 6714fi
6017 6715
6018 # -lresolv needs to be at then end of LIBS or DNS lookups break 6716 # -lresolv needs to be at the end of LIBS or DNS lookups break
6019 echo "$as_me:$LINENO: checking for resolv in -lres_query" >&5 6717 echo "$as_me:$LINENO: checking for res_query in -lresolv" >&5
6020echo $ECHO_N "checking for resolv in -lres_query... $ECHO_C" >&6 6718echo $ECHO_N "checking for res_query in -lresolv... $ECHO_C" >&6
6021if test "${ac_cv_lib_res_query_resolv+set}" = set; then 6719if test "${ac_cv_lib_resolv_res_query+set}" = set; then
6022 echo $ECHO_N "(cached) $ECHO_C" >&6 6720 echo $ECHO_N "(cached) $ECHO_C" >&6
6023else 6721else
6024 ac_check_lib_save_LIBS=$LIBS 6722 ac_check_lib_save_LIBS=$LIBS
6025LIBS="-lres_query $LIBS" 6723LIBS="-lresolv $LIBS"
6026cat >conftest.$ac_ext <<_ACEOF 6724cat >conftest.$ac_ext <<_ACEOF
6027/* confdefs.h. */ 6725/* confdefs.h. */
6028_ACEOF 6726_ACEOF
@@ -6036,11 +6734,11 @@ extern "C"
6036#endif 6734#endif
6037/* We use char because int might match the return type of a gcc2 6735/* We use char because int might match the return type of a gcc2
6038 builtin and then its argument prototype would still apply. */ 6736 builtin and then its argument prototype would still apply. */
6039char resolv (); 6737char res_query ();
6040int 6738int
6041main () 6739main ()
6042{ 6740{
6043resolv (); 6741res_query ();
6044 ; 6742 ;
6045 return 0; 6743 return 0;
6046} 6744}
@@ -6066,20 +6764,20 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
6066 ac_status=$? 6764 ac_status=$?
6067 echo "$as_me:$LINENO: \$? = $ac_status" >&5 6765 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6068 (exit $ac_status); }; }; then 6766 (exit $ac_status); }; }; then
6069 ac_cv_lib_res_query_resolv=yes 6767 ac_cv_lib_resolv_res_query=yes
6070else 6768else
6071 echo "$as_me: failed program was:" >&5 6769 echo "$as_me: failed program was:" >&5
6072sed 's/^/| /' conftest.$ac_ext >&5 6770sed 's/^/| /' conftest.$ac_ext >&5
6073 6771
6074ac_cv_lib_res_query_resolv=no 6772ac_cv_lib_resolv_res_query=no
6075fi 6773fi
6076rm -f conftest.err conftest.$ac_objext \ 6774rm -f conftest.err conftest.$ac_objext \
6077 conftest$ac_exeext conftest.$ac_ext 6775 conftest$ac_exeext conftest.$ac_ext
6078LIBS=$ac_check_lib_save_LIBS 6776LIBS=$ac_check_lib_save_LIBS
6079fi 6777fi
6080echo "$as_me:$LINENO: result: $ac_cv_lib_res_query_resolv" >&5 6778echo "$as_me:$LINENO: result: $ac_cv_lib_resolv_res_query" >&5
6081echo "${ECHO_T}$ac_cv_lib_res_query_resolv" >&6 6779echo "${ECHO_T}$ac_cv_lib_resolv_res_query" >&6
6082if test $ac_cv_lib_res_query_resolv = yes; then 6780if test $ac_cv_lib_resolv_res_query = yes; then
6083 LIBS="$LIBS -lresolv" 6781 LIBS="$LIBS -lresolv"
6084fi 6782fi
6085 6783
@@ -6115,6 +6813,7 @@ _ACEOF
6115 ;; 6813 ;;
6116# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel. 6814# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
6117*-*-sysv4.2*) 6815*-*-sysv4.2*)
6816 CFLAGS="$CFLAGS -Dva_list=_VA_LIST"
6118 cat >>confdefs.h <<\_ACEOF 6817 cat >>confdefs.h <<\_ACEOF
6119#define USE_PIPES 1 6818#define USE_PIPES 1
6120_ACEOF 6819_ACEOF
@@ -6136,6 +6835,10 @@ cat >>confdefs.h <<\_ACEOF
6136#define PASSWD_NEEDS_USERNAME 1 6835#define PASSWD_NEEDS_USERNAME 1
6137_ACEOF 6836_ACEOF
6138 6837
6838 cat >>confdefs.h <<\_ACEOF
6839#define LOCKED_PASSWD_STRING "*LK*"
6840_ACEOF
6841
6139 ;; 6842 ;;
6140# UnixWare 7.x, OpenUNIX 8 6843# UnixWare 7.x, OpenUNIX 8
6141*-*-sysv5*) 6844*-*-sysv5*)
@@ -6161,8 +6864,7 @@ _ACEOF
6161#define BROKEN_SETREGID 1 6864#define BROKEN_SETREGID 1
6162_ACEOF 6865_ACEOF
6163 6866
6164 6867 cat >>confdefs.h <<\_ACEOF
6165cat >>confdefs.h <<\_ACEOF
6166#define PASSWD_NEEDS_USERNAME 1 6868#define PASSWD_NEEDS_USERNAME 1
6167_ACEOF 6869_ACEOF
6168 6870
@@ -6175,6 +6877,11 @@ cat >>confdefs.h <<\_ACEOF
6175_ACEOF 6877_ACEOF
6176 6878
6177 ;; 6879 ;;
6880 *) cat >>confdefs.h <<\_ACEOF
6881#define LOCKED_PASSWD_STRING "*LK*"
6882_ACEOF
6883
6884 ;;
6178 esac 6885 esac
6179 ;; 6886 ;;
6180*-*-sysv*) 6887*-*-sysv*)
@@ -6228,8 +6935,7 @@ _ACEOF
6228#define BROKEN_UPDWTMPX 1 6935#define BROKEN_UPDWTMPX 1
6229_ACEOF 6936_ACEOF
6230 6937
6231 6938 cat >>confdefs.h <<\_ACEOF
6232cat >>confdefs.h <<\_ACEOF
6233#define PASSWD_NEEDS_USERNAME 1 6939#define PASSWD_NEEDS_USERNAME 1
6234_ACEOF 6940_ACEOF
6235 6941
@@ -6339,7 +7045,8 @@ done
6339 TEST_SHELL=ksh 7045 TEST_SHELL=ksh
6340 ;; 7046 ;;
6341*-*-unicosmk*) 7047*-*-unicosmk*)
6342 cat >>confdefs.h <<\_ACEOF 7048
7049cat >>confdefs.h <<\_ACEOF
6343#define NO_SSH_LASTLOG 1 7050#define NO_SSH_LASTLOG 1
6344_ACEOF 7051_ACEOF
6345 7052
@@ -6445,11 +7152,13 @@ fi;
6445 if test -f /etc/sia/matrix.conf; then 7152 if test -f /etc/sia/matrix.conf; then
6446 echo "$as_me:$LINENO: result: yes" >&5 7153 echo "$as_me:$LINENO: result: yes" >&5
6447echo "${ECHO_T}yes" >&6 7154echo "${ECHO_T}yes" >&6
6448 cat >>confdefs.h <<\_ACEOF 7155
7156cat >>confdefs.h <<\_ACEOF
6449#define HAVE_OSF_SIA 1 7157#define HAVE_OSF_SIA 1
6450_ACEOF 7158_ACEOF
6451 7159
6452 cat >>confdefs.h <<\_ACEOF 7160
7161cat >>confdefs.h <<\_ACEOF
6453#define DISABLE_LOGIN 1 7162#define DISABLE_LOGIN 1
6454_ACEOF 7163_ACEOF
6455 7164
@@ -6461,7 +7170,8 @@ _ACEOF
6461 else 7170 else
6462 echo "$as_me:$LINENO: result: no" >&5 7171 echo "$as_me:$LINENO: result: no" >&5
6463echo "${ECHO_T}no" >&6 7172echo "${ECHO_T}no" >&6
6464 cat >>confdefs.h <<\_ACEOF 7173
7174cat >>confdefs.h <<\_ACEOF
6465#define LOCKED_PASSWD_SUBSTR "Nologin" 7175#define LOCKED_PASSWD_SUBSTR "Nologin"
6466_ACEOF 7176_ACEOF
6467 7177
@@ -6485,7 +7195,7 @@ _ACEOF
6485 7195
6486 ;; 7196 ;;
6487 7197
6488*-*-nto-qnx) 7198*-*-nto-qnx*)
6489 cat >>confdefs.h <<\_ACEOF 7199 cat >>confdefs.h <<\_ACEOF
6490#define USE_PIPES 1 7200#define USE_PIPES 1
6491_ACEOF 7201_ACEOF
@@ -6494,34 +7204,40 @@ _ACEOF
6494#define NO_X11_UNIX_SOCKETS 1 7204#define NO_X11_UNIX_SOCKETS 1
6495_ACEOF 7205_ACEOF
6496 7206
6497 cat >>confdefs.h <<\_ACEOF 7207
7208cat >>confdefs.h <<\_ACEOF
6498#define MISSING_NFDBITS 1 7209#define MISSING_NFDBITS 1
6499_ACEOF 7210_ACEOF
6500 7211
6501 cat >>confdefs.h <<\_ACEOF 7212
7213cat >>confdefs.h <<\_ACEOF
6502#define MISSING_HOWMANY 1 7214#define MISSING_HOWMANY 1
6503_ACEOF 7215_ACEOF
6504 7216
6505 cat >>confdefs.h <<\_ACEOF 7217
7218cat >>confdefs.h <<\_ACEOF
6506#define MISSING_FD_MASK 1 7219#define MISSING_FD_MASK 1
6507_ACEOF 7220_ACEOF
6508 7221
7222 cat >>confdefs.h <<\_ACEOF
7223#define DISABLE_LASTLOG 1
7224_ACEOF
7225
6509 ;; 7226 ;;
6510 7227
6511*-*-ultrix*) 7228*-*-ultrix*)
6512 7229
6513cat >>confdefs.h <<\_ACEOF 7230cat >>confdefs.h <<\_ACEOF
6514#define BROKEN_GETGROUPS 7231#define BROKEN_GETGROUPS 1
6515_ACEOF 7232_ACEOF
6516 7233
6517 7234
6518cat >>confdefs.h <<\_ACEOF 7235cat >>confdefs.h <<\_ACEOF
6519#define BROKEN_MMAP 7236#define BROKEN_MMAP 1
6520_ACEOF 7237_ACEOF
6521 7238
6522 7239 cat >>confdefs.h <<\_ACEOF
6523cat >>confdefs.h <<\_ACEOF 7240#define NEED_SETPGRP 1
6524#define NEED_SETPRGP
6525_ACEOF 7241_ACEOF
6526 7242
6527 7243
@@ -6533,7 +7249,7 @@ _ACEOF
6533 7249
6534*-*-lynxos) 7250*-*-lynxos)
6535 CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__" 7251 CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
6536 cat >>confdefs.h <<\_ACEOF 7252 cat >>confdefs.h <<\_ACEOF
6537#define MISSING_HOWMANY 1 7253#define MISSING_HOWMANY 1
6538_ACEOF 7254_ACEOF
6539 7255
@@ -6601,7 +7317,7 @@ if test "${with_Werror+set}" = set; then
6601 7317
6602 if test -n "$withval" && test "x$withval" != "xno"; then 7318 if test -n "$withval" && test "x$withval" != "xno"; then
6603 werror_flags="-Werror" 7319 werror_flags="-Werror"
6604 if "x${withval}" != "xyes"; then 7320 if test "x${withval}" != "xyes"; then
6605 werror_flags="$withval" 7321 werror_flags="$withval"
6606 fi 7322 fi
6607 fi 7323 fi
@@ -6658,260 +7374,6 @@ rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftes
6658fi 7374fi
6659 7375
6660 7376
6661echo "$as_me:$LINENO: checking for egrep" >&5
6662echo $ECHO_N "checking for egrep... $ECHO_C" >&6
6663if test "${ac_cv_prog_egrep+set}" = set; then
6664 echo $ECHO_N "(cached) $ECHO_C" >&6
6665else
6666 if echo a | (grep -E '(a|b)') >/dev/null 2>&1
6667 then ac_cv_prog_egrep='grep -E'
6668 else ac_cv_prog_egrep='egrep'
6669 fi
6670fi
6671echo "$as_me:$LINENO: result: $ac_cv_prog_egrep" >&5
6672echo "${ECHO_T}$ac_cv_prog_egrep" >&6
6673 EGREP=$ac_cv_prog_egrep
6674
6675
6676echo "$as_me:$LINENO: checking for ANSI C header files" >&5
6677echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6
6678if test "${ac_cv_header_stdc+set}" = set; then
6679 echo $ECHO_N "(cached) $ECHO_C" >&6
6680else
6681 cat >conftest.$ac_ext <<_ACEOF
6682/* confdefs.h. */
6683_ACEOF
6684cat confdefs.h >>conftest.$ac_ext
6685cat >>conftest.$ac_ext <<_ACEOF
6686/* end confdefs.h. */
6687#include <stdlib.h>
6688#include <stdarg.h>
6689#include <string.h>
6690#include <float.h>
6691
6692int
6693main ()
6694{
6695
6696 ;
6697 return 0;
6698}
6699_ACEOF
6700rm -f conftest.$ac_objext
6701if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
6702 (eval $ac_compile) 2>conftest.er1
6703 ac_status=$?
6704 grep -v '^ *+' conftest.er1 >conftest.err
6705 rm -f conftest.er1
6706 cat conftest.err >&5
6707 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6708 (exit $ac_status); } &&
6709 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
6710 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
6711 (eval $ac_try) 2>&5
6712 ac_status=$?
6713 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6714 (exit $ac_status); }; } &&
6715 { ac_try='test -s conftest.$ac_objext'
6716 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
6717 (eval $ac_try) 2>&5
6718 ac_status=$?
6719 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6720 (exit $ac_status); }; }; then
6721 ac_cv_header_stdc=yes
6722else
6723 echo "$as_me: failed program was:" >&5
6724sed 's/^/| /' conftest.$ac_ext >&5
6725
6726ac_cv_header_stdc=no
6727fi
6728rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
6729
6730if test $ac_cv_header_stdc = yes; then
6731 # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
6732 cat >conftest.$ac_ext <<_ACEOF
6733/* confdefs.h. */
6734_ACEOF
6735cat confdefs.h >>conftest.$ac_ext
6736cat >>conftest.$ac_ext <<_ACEOF
6737/* end confdefs.h. */
6738#include <string.h>
6739
6740_ACEOF
6741if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
6742 $EGREP "memchr" >/dev/null 2>&1; then
6743 :
6744else
6745 ac_cv_header_stdc=no
6746fi
6747rm -f conftest*
6748
6749fi
6750
6751if test $ac_cv_header_stdc = yes; then
6752 # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
6753 cat >conftest.$ac_ext <<_ACEOF
6754/* confdefs.h. */
6755_ACEOF
6756cat confdefs.h >>conftest.$ac_ext
6757cat >>conftest.$ac_ext <<_ACEOF
6758/* end confdefs.h. */
6759#include <stdlib.h>
6760
6761_ACEOF
6762if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
6763 $EGREP "free" >/dev/null 2>&1; then
6764 :
6765else
6766 ac_cv_header_stdc=no
6767fi
6768rm -f conftest*
6769
6770fi
6771
6772if test $ac_cv_header_stdc = yes; then
6773 # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
6774 if test "$cross_compiling" = yes; then
6775 :
6776else
6777 cat >conftest.$ac_ext <<_ACEOF
6778/* confdefs.h. */
6779_ACEOF
6780cat confdefs.h >>conftest.$ac_ext
6781cat >>conftest.$ac_ext <<_ACEOF
6782/* end confdefs.h. */
6783#include <ctype.h>
6784#if ((' ' & 0x0FF) == 0x020)
6785# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
6786# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
6787#else
6788# define ISLOWER(c) \
6789 (('a' <= (c) && (c) <= 'i') \
6790 || ('j' <= (c) && (c) <= 'r') \
6791 || ('s' <= (c) && (c) <= 'z'))
6792# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
6793#endif
6794
6795#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
6796int
6797main ()
6798{
6799 int i;
6800 for (i = 0; i < 256; i++)
6801 if (XOR (islower (i), ISLOWER (i))
6802 || toupper (i) != TOUPPER (i))
6803 exit(2);
6804 exit (0);
6805}
6806_ACEOF
6807rm -f conftest$ac_exeext
6808if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
6809 (eval $ac_link) 2>&5
6810 ac_status=$?
6811 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6812 (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
6813 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
6814 (eval $ac_try) 2>&5
6815 ac_status=$?
6816 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6817 (exit $ac_status); }; }; then
6818 :
6819else
6820 echo "$as_me: program exited with status $ac_status" >&5
6821echo "$as_me: failed program was:" >&5
6822sed 's/^/| /' conftest.$ac_ext >&5
6823
6824( exit $ac_status )
6825ac_cv_header_stdc=no
6826fi
6827rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
6828fi
6829fi
6830fi
6831echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
6832echo "${ECHO_T}$ac_cv_header_stdc" >&6
6833if test $ac_cv_header_stdc = yes; then
6834
6835cat >>confdefs.h <<\_ACEOF
6836#define STDC_HEADERS 1
6837_ACEOF
6838
6839fi
6840
6841# On IRIX 5.3, sys/types and inttypes.h are conflicting.
6842
6843
6844
6845
6846
6847
6848
6849
6850
6851for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
6852 inttypes.h stdint.h unistd.h
6853do
6854as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
6855echo "$as_me:$LINENO: checking for $ac_header" >&5
6856echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
6857if eval "test \"\${$as_ac_Header+set}\" = set"; then
6858 echo $ECHO_N "(cached) $ECHO_C" >&6
6859else
6860 cat >conftest.$ac_ext <<_ACEOF
6861/* confdefs.h. */
6862_ACEOF
6863cat confdefs.h >>conftest.$ac_ext
6864cat >>conftest.$ac_ext <<_ACEOF
6865/* end confdefs.h. */
6866$ac_includes_default
6867
6868#include <$ac_header>
6869_ACEOF
6870rm -f conftest.$ac_objext
6871if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
6872 (eval $ac_compile) 2>conftest.er1
6873 ac_status=$?
6874 grep -v '^ *+' conftest.er1 >conftest.err
6875 rm -f conftest.er1
6876 cat conftest.err >&5
6877 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6878 (exit $ac_status); } &&
6879 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
6880 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
6881 (eval $ac_try) 2>&5
6882 ac_status=$?
6883 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6884 (exit $ac_status); }; } &&
6885 { ac_try='test -s conftest.$ac_objext'
6886 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
6887 (eval $ac_try) 2>&5
6888 ac_status=$?
6889 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6890 (exit $ac_status); }; }; then
6891 eval "$as_ac_Header=yes"
6892else
6893 echo "$as_me: failed program was:" >&5
6894sed 's/^/| /' conftest.$ac_ext >&5
6895
6896eval "$as_ac_Header=no"
6897fi
6898rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
6899fi
6900echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
6901echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
6902if test `eval echo '${'$as_ac_Header'}'` = yes; then
6903 cat >>confdefs.h <<_ACEOF
6904#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
6905_ACEOF
6906
6907fi
6908
6909done
6910
6911
6912
6913
6914
6915 7377
6916 7378
6917 7379
@@ -6978,7 +7440,6 @@ for ac_header in \
6978 glob.h \ 7440 glob.h \
6979 ia.h \ 7441 ia.h \
6980 iaf.h \ 7442 iaf.h \
6981 lastlog.h \
6982 limits.h \ 7443 limits.h \
6983 login.h \ 7444 login.h \
6984 login_cap.h \ 7445 login_cap.h \
@@ -6986,7 +7447,6 @@ for ac_header in \
6986 ndir.h \ 7447 ndir.h \
6987 netdb.h \ 7448 netdb.h \
6988 netgroup.h \ 7449 netgroup.h \
6989 netinet/in_systm.h \
6990 pam/pam_appl.h \ 7450 pam/pam_appl.h \
6991 paths.h \ 7451 paths.h \
6992 pty.h \ 7452 pty.h \
@@ -7175,6 +7635,72 @@ fi
7175done 7635done
7176 7636
7177 7637
7638# lastlog.h requires sys/time.h to be included first on Solaris
7639
7640for ac_header in lastlog.h
7641do
7642as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
7643echo "$as_me:$LINENO: checking for $ac_header" >&5
7644echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
7645if eval "test \"\${$as_ac_Header+set}\" = set"; then
7646 echo $ECHO_N "(cached) $ECHO_C" >&6
7647else
7648 cat >conftest.$ac_ext <<_ACEOF
7649/* confdefs.h. */
7650_ACEOF
7651cat confdefs.h >>conftest.$ac_ext
7652cat >>conftest.$ac_ext <<_ACEOF
7653/* end confdefs.h. */
7654
7655#ifdef HAVE_SYS_TIME_H
7656# include <sys/time.h>
7657#endif
7658
7659
7660#include <$ac_header>
7661_ACEOF
7662rm -f conftest.$ac_objext
7663if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
7664 (eval $ac_compile) 2>conftest.er1
7665 ac_status=$?
7666 grep -v '^ *+' conftest.er1 >conftest.err
7667 rm -f conftest.er1
7668 cat conftest.err >&5
7669 echo "$as_me:$LINENO: \$? = $ac_status" >&5
7670 (exit $ac_status); } &&
7671 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
7672 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
7673 (eval $ac_try) 2>&5
7674 ac_status=$?
7675 echo "$as_me:$LINENO: \$? = $ac_status" >&5
7676 (exit $ac_status); }; } &&
7677 { ac_try='test -s conftest.$ac_objext'
7678 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
7679 (eval $ac_try) 2>&5
7680 ac_status=$?
7681 echo "$as_me:$LINENO: \$? = $ac_status" >&5
7682 (exit $ac_status); }; }; then
7683 eval "$as_ac_Header=yes"
7684else
7685 echo "$as_me: failed program was:" >&5
7686sed 's/^/| /' conftest.$ac_ext >&5
7687
7688eval "$as_ac_Header=no"
7689fi
7690rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
7691fi
7692echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
7693echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
7694if test `eval echo '${'$as_ac_Header'}'` = yes; then
7695 cat >>confdefs.h <<_ACEOF
7696#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
7697_ACEOF
7698
7699fi
7700
7701done
7702
7703
7178# sys/ptms.h requires sys/stream.h to be included first on Solaris 7704# sys/ptms.h requires sys/stream.h to be included first on Solaris
7179 7705
7180for ac_header in sys/ptms.h 7706for ac_header in sys/ptms.h
@@ -7899,11 +8425,7 @@ else
7899 save_LIBS="$LIBS" 8425 save_LIBS="$LIBS"
7900 LIBS="$LIBS -lgen" 8426 LIBS="$LIBS -lgen"
7901 if test "$cross_compiling" = yes; then 8427 if test "$cross_compiling" = yes; then
7902 { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling 8428 ac_cv_have_broken_dirname="no"
7903See \`config.log' for more details." >&5
7904echo "$as_me: error: cannot run test program while cross compiling
7905See \`config.log' for more details." >&2;}
7906 { (exit 1); exit 1; }; }
7907else 8429else
7908 cat >conftest.$ac_ext <<_ACEOF 8430 cat >conftest.$ac_ext <<_ACEOF
7909/* confdefs.h. */ 8431/* confdefs.h. */
@@ -7947,7 +8469,6 @@ sed 's/^/| /' conftest.$ac_ext >&5
7947 8469
7948( exit $ac_status ) 8470( exit $ac_status )
7949 ac_cv_have_broken_dirname="yes" 8471 ac_cv_have_broken_dirname="yes"
7950
7951fi 8472fi
7952rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext 8473rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
7953fi 8474fi
@@ -8402,7 +8923,8 @@ echo "$as_me:$LINENO: result: $ac_cv_search_basename" >&5
8402echo "${ECHO_T}$ac_cv_search_basename" >&6 8923echo "${ECHO_T}$ac_cv_search_basename" >&6
8403if test "$ac_cv_search_basename" != no; then 8924if test "$ac_cv_search_basename" != no; then
8404 test "$ac_cv_search_basename" = "none required" || LIBS="$ac_cv_search_basename $LIBS" 8925 test "$ac_cv_search_basename" = "none required" || LIBS="$ac_cv_search_basename $LIBS"
8405 cat >>confdefs.h <<\_ACEOF 8926
8927cat >>confdefs.h <<\_ACEOF
8406#define HAVE_BASENAME 1 8928#define HAVE_BASENAME 1
8407_ACEOF 8929_ACEOF
8408 8930
@@ -8989,9 +9511,13 @@ fi
8989 9511
8990fi 9512fi
8991 9513
8992echo "$as_me:$LINENO: checking for utimes" >&5 9514
8993echo $ECHO_N "checking for utimes... $ECHO_C" >&6 9515for ac_func in utimes
8994if test "${ac_cv_func_utimes+set}" = set; then 9516do
9517as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
9518echo "$as_me:$LINENO: checking for $ac_func" >&5
9519echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
9520if eval "test \"\${$as_ac_var+set}\" = set"; then
8995 echo $ECHO_N "(cached) $ECHO_C" >&6 9521 echo $ECHO_N "(cached) $ECHO_C" >&6
8996else 9522else
8997 cat >conftest.$ac_ext <<_ACEOF 9523 cat >conftest.$ac_ext <<_ACEOF
@@ -9000,12 +9526,12 @@ _ACEOF
9000cat confdefs.h >>conftest.$ac_ext 9526cat confdefs.h >>conftest.$ac_ext
9001cat >>conftest.$ac_ext <<_ACEOF 9527cat >>conftest.$ac_ext <<_ACEOF
9002/* end confdefs.h. */ 9528/* end confdefs.h. */
9003/* Define utimes to an innocuous variant, in case <limits.h> declares utimes. 9529/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
9004 For example, HP-UX 11i <limits.h> declares gettimeofday. */ 9530 For example, HP-UX 11i <limits.h> declares gettimeofday. */
9005#define utimes innocuous_utimes 9531#define $ac_func innocuous_$ac_func
9006 9532
9007/* System header to define __stub macros and hopefully few prototypes, 9533/* System header to define __stub macros and hopefully few prototypes,
9008 which can conflict with char utimes (); below. 9534 which can conflict with char $ac_func (); below.
9009 Prefer <limits.h> to <assert.h> if __STDC__ is defined, since 9535 Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
9010 <limits.h> exists even on freestanding compilers. */ 9536 <limits.h> exists even on freestanding compilers. */
9011 9537
@@ -9015,7 +9541,7 @@ cat >>conftest.$ac_ext <<_ACEOF
9015# include <assert.h> 9541# include <assert.h>
9016#endif 9542#endif
9017 9543
9018#undef utimes 9544#undef $ac_func
9019 9545
9020/* Override any gcc2 internal prototype to avoid an error. */ 9546/* Override any gcc2 internal prototype to avoid an error. */
9021#ifdef __cplusplus 9547#ifdef __cplusplus
@@ -9024,14 +9550,14 @@ extern "C"
9024#endif 9550#endif
9025/* We use char because int might match the return type of a gcc2 9551/* We use char because int might match the return type of a gcc2
9026 builtin and then its argument prototype would still apply. */ 9552 builtin and then its argument prototype would still apply. */
9027char utimes (); 9553char $ac_func ();
9028/* The GNU C library defines this for functions which it implements 9554/* The GNU C library defines this for functions which it implements
9029 to always fail with ENOSYS. Some functions are actually named 9555 to always fail with ENOSYS. Some functions are actually named
9030 something starting with __ and the normal name is an alias. */ 9556 something starting with __ and the normal name is an alias. */
9031#if defined (__stub_utimes) || defined (__stub___utimes) 9557#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
9032choke me 9558choke me
9033#else 9559#else
9034char (*f) () = utimes; 9560char (*f) () = $ac_func;
9035#endif 9561#endif
9036#ifdef __cplusplus 9562#ifdef __cplusplus
9037} 9563}
@@ -9040,7 +9566,7 @@ char (*f) () = utimes;
9040int 9566int
9041main () 9567main ()
9042{ 9568{
9043return f != utimes; 9569return f != $ac_func;
9044 ; 9570 ;
9045 return 0; 9571 return 0;
9046} 9572}
@@ -9066,20 +9592,23 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
9066 ac_status=$? 9592 ac_status=$?
9067 echo "$as_me:$LINENO: \$? = $ac_status" >&5 9593 echo "$as_me:$LINENO: \$? = $ac_status" >&5
9068 (exit $ac_status); }; }; then 9594 (exit $ac_status); }; }; then
9069 ac_cv_func_utimes=yes 9595 eval "$as_ac_var=yes"
9070else 9596else
9071 echo "$as_me: failed program was:" >&5 9597 echo "$as_me: failed program was:" >&5
9072sed 's/^/| /' conftest.$ac_ext >&5 9598sed 's/^/| /' conftest.$ac_ext >&5
9073 9599
9074ac_cv_func_utimes=no 9600eval "$as_ac_var=no"
9075fi 9601fi
9076rm -f conftest.err conftest.$ac_objext \ 9602rm -f conftest.err conftest.$ac_objext \
9077 conftest$ac_exeext conftest.$ac_ext 9603 conftest$ac_exeext conftest.$ac_ext
9078fi 9604fi
9079echo "$as_me:$LINENO: result: $ac_cv_func_utimes" >&5 9605echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
9080echo "${ECHO_T}$ac_cv_func_utimes" >&6 9606echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
9081if test $ac_cv_func_utimes = yes; then 9607if test `eval echo '${'$as_ac_var'}'` = yes; then
9082 : 9608 cat >>confdefs.h <<_ACEOF
9609#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
9610_ACEOF
9611
9083else 9612else
9084 echo "$as_me:$LINENO: checking for utimes in -lc89" >&5 9613 echo "$as_me:$LINENO: checking for utimes in -lc89" >&5
9085echo $ECHO_N "checking for utimes in -lc89... $ECHO_C" >&6 9614echo $ECHO_N "checking for utimes in -lc89... $ECHO_C" >&6
@@ -9154,6 +9683,7 @@ fi
9154 9683
9155 9684
9156fi 9685fi
9686done
9157 9687
9158 9688
9159 9689
@@ -9426,7 +9956,8 @@ echo "$as_me:$LINENO: result: $ac_cv_search_login" >&5
9426echo "${ECHO_T}$ac_cv_search_login" >&6 9956echo "${ECHO_T}$ac_cv_search_login" >&6
9427if test "$ac_cv_search_login" != no; then 9957if test "$ac_cv_search_login" != no; then
9428 test "$ac_cv_search_login" = "none required" || LIBS="$ac_cv_search_login $LIBS" 9958 test "$ac_cv_search_login" = "none required" || LIBS="$ac_cv_search_login $LIBS"
9429 cat >>confdefs.h <<\_ACEOF 9959
9960cat >>confdefs.h <<\_ACEOF
9430#define HAVE_LOGIN 1 9961#define HAVE_LOGIN 1
9431_ACEOF 9962_ACEOF
9432 9963
@@ -9730,7 +10261,8 @@ _ACEOF
9730if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | 10261if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
9731 $EGREP "FOUNDIT" >/dev/null 2>&1; then 10262 $EGREP "FOUNDIT" >/dev/null 2>&1; then
9732 10263
9733 cat >>confdefs.h <<\_ACEOF 10264
10265cat >>confdefs.h <<\_ACEOF
9734#define GLOB_HAS_ALTDIRFUNC 1 10266#define GLOB_HAS_ALTDIRFUNC 1
9735_ACEOF 10267_ACEOF
9736 10268
@@ -9764,7 +10296,8 @@ _ACEOF
9764if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | 10296if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
9765 $EGREP "FOUNDIT" >/dev/null 2>&1; then 10297 $EGREP "FOUNDIT" >/dev/null 2>&1; then
9766 10298
9767 cat >>confdefs.h <<\_ACEOF 10299
10300cat >>confdefs.h <<\_ACEOF
9768#define GLOB_HAS_GL_MATCHC 1 10301#define GLOB_HAS_GL_MATCHC 1
9769_ACEOF 10302_ACEOF
9770 10303
@@ -9828,7 +10361,8 @@ sed 's/^/| /' conftest.$ac_ext >&5
9828 10361
9829 echo "$as_me:$LINENO: result: no" >&5 10362 echo "$as_me:$LINENO: result: no" >&5
9830echo "${ECHO_T}no" >&6 10363echo "${ECHO_T}no" >&6
9831 cat >>confdefs.h <<\_ACEOF 10364
10365cat >>confdefs.h <<\_ACEOF
9832#define BROKEN_ONE_BYTE_DIRENT_D_NAME 1 10366#define BROKEN_ONE_BYTE_DIRENT_D_NAME 1
9833_ACEOF 10367_ACEOF
9834 10368
@@ -9840,7 +10374,8 @@ fi
9840echo "$as_me:$LINENO: checking for /proc/pid/fd directory" >&5 10374echo "$as_me:$LINENO: checking for /proc/pid/fd directory" >&5
9841echo $ECHO_N "checking for /proc/pid/fd directory... $ECHO_C" >&6 10375echo $ECHO_N "checking for /proc/pid/fd directory... $ECHO_C" >&6
9842if test -d "/proc/$$/fd" ; then 10376if test -d "/proc/$$/fd" ; then
9843 cat >>confdefs.h <<\_ACEOF 10377
10378cat >>confdefs.h <<\_ACEOF
9844#define HAVE_PROC_PID 1 10379#define HAVE_PROC_PID 1
9845_ACEOF 10380_ACEOF
9846 10381
@@ -9865,7 +10400,8 @@ if test "${with_skey+set}" = set; then
9865 LDFLAGS="$LDFLAGS -L${withval}/lib" 10400 LDFLAGS="$LDFLAGS -L${withval}/lib"
9866 fi 10401 fi
9867 10402
9868 cat >>confdefs.h <<\_ACEOF 10403
10404cat >>confdefs.h <<\_ACEOF
9869#define SKEY 1 10405#define SKEY 1
9870_ACEOF 10406_ACEOF
9871 10407
@@ -9874,14 +10410,7 @@ _ACEOF
9874 10410
9875 echo "$as_me:$LINENO: checking for s/key support" >&5 10411 echo "$as_me:$LINENO: checking for s/key support" >&5
9876echo $ECHO_N "checking for s/key support... $ECHO_C" >&6 10412echo $ECHO_N "checking for s/key support... $ECHO_C" >&6
9877 if test "$cross_compiling" = yes; then 10413 cat >conftest.$ac_ext <<_ACEOF
9878 { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
9879See \`config.log' for more details." >&5
9880echo "$as_me: error: cannot run test program while cross compiling
9881See \`config.log' for more details." >&2;}
9882 { (exit 1); exit 1; }; }
9883else
9884 cat >conftest.$ac_ext <<_ACEOF
9885/* confdefs.h. */ 10414/* confdefs.h. */
9886_ACEOF 10415_ACEOF
9887cat confdefs.h >>conftest.$ac_ext 10416cat confdefs.h >>conftest.$ac_ext
@@ -9893,12 +10422,22 @@ cat >>conftest.$ac_ext <<_ACEOF
9893int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); } 10422int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); }
9894 10423
9895_ACEOF 10424_ACEOF
9896rm -f conftest$ac_exeext 10425rm -f conftest.$ac_objext conftest$ac_exeext
9897if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 10426if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
9898 (eval $ac_link) 2>&5 10427 (eval $ac_link) 2>conftest.er1
10428 ac_status=$?
10429 grep -v '^ *+' conftest.er1 >conftest.err
10430 rm -f conftest.er1
10431 cat conftest.err >&5
10432 echo "$as_me:$LINENO: \$? = $ac_status" >&5
10433 (exit $ac_status); } &&
10434 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
10435 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
10436 (eval $ac_try) 2>&5
9899 ac_status=$? 10437 ac_status=$?
9900 echo "$as_me:$LINENO: \$? = $ac_status" >&5 10438 echo "$as_me:$LINENO: \$? = $ac_status" >&5
9901 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' 10439 (exit $ac_status); }; } &&
10440 { ac_try='test -s conftest$ac_exeext'
9902 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 10441 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
9903 (eval $ac_try) 2>&5 10442 (eval $ac_try) 2>&5
9904 ac_status=$? 10443 ac_status=$?
@@ -9907,11 +10446,9 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
9907 echo "$as_me:$LINENO: result: yes" >&5 10446 echo "$as_me:$LINENO: result: yes" >&5
9908echo "${ECHO_T}yes" >&6 10447echo "${ECHO_T}yes" >&6
9909else 10448else
9910 echo "$as_me: program exited with status $ac_status" >&5 10449 echo "$as_me: failed program was:" >&5
9911echo "$as_me: failed program was:" >&5
9912sed 's/^/| /' conftest.$ac_ext >&5 10450sed 's/^/| /' conftest.$ac_ext >&5
9913 10451
9914( exit $ac_status )
9915 10452
9916 echo "$as_me:$LINENO: result: no" >&5 10453 echo "$as_me:$LINENO: result: no" >&5
9917echo "${ECHO_T}no" >&6 10454echo "${ECHO_T}no" >&6
@@ -9920,8 +10457,8 @@ echo "$as_me: error: ** Incomplete or missing s/key libraries." >&2;}
9920 { (exit 1); exit 1; }; } 10457 { (exit 1); exit 1; }; }
9921 10458
9922fi 10459fi
9923rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext 10460rm -f conftest.err conftest.$ac_objext \
9924fi 10461 conftest$ac_exeext conftest.$ac_ext
9925 echo "$as_me:$LINENO: checking if skeychallenge takes 4 arguments" >&5 10462 echo "$as_me:$LINENO: checking if skeychallenge takes 4 arguments" >&5
9926echo $ECHO_N "checking if skeychallenge takes 4 arguments... $ECHO_C" >&6 10463echo $ECHO_N "checking if skeychallenge takes 4 arguments... $ECHO_C" >&6
9927 cat >conftest.$ac_ext <<_ACEOF 10464 cat >conftest.$ac_ext <<_ACEOF
@@ -9963,7 +10500,8 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
9963 (exit $ac_status); }; }; then 10500 (exit $ac_status); }; }; then
9964 echo "$as_me:$LINENO: result: yes" >&5 10501 echo "$as_me:$LINENO: result: yes" >&5
9965echo "${ECHO_T}yes" >&6 10502echo "${ECHO_T}yes" >&6
9966 cat >>confdefs.h <<\_ACEOF 10503
10504cat >>confdefs.h <<\_ACEOF
9967#define SKEYCHALLENGE_4ARG 1 10505#define SKEYCHALLENGE_4ARG 1
9968_ACEOF 10506_ACEOF
9969 10507
@@ -10062,7 +10600,8 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
10062 10600
10063 echo "$as_me:$LINENO: result: yes" >&5 10601 echo "$as_me:$LINENO: result: yes" >&5
10064echo "${ECHO_T}yes" >&6 10602echo "${ECHO_T}yes" >&6
10065 cat >>confdefs.h <<\_ACEOF 10603
10604cat >>confdefs.h <<\_ACEOF
10066#define LIBWRAP 1 10605#define LIBWRAP 1
10067_ACEOF 10606_ACEOF
10068 10607
@@ -10096,8 +10635,12 @@ if test "${with_libedit+set}" = set; then
10096 withval="$with_libedit" 10635 withval="$with_libedit"
10097 if test "x$withval" != "xno" ; then 10636 if test "x$withval" != "xno" ; then
10098 if test "x$withval" != "xyes"; then 10637 if test "x$withval" != "xyes"; then
10099 CPPFLAGS="$CPPFLAGS -I$withval/include" 10638 CPPFLAGS="$CPPFLAGS -I${withval}/include"
10100 LDFLAGS="$LDFLAGS -L$withval/lib" 10639 if test -n "${need_dash_r}"; then
10640 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
10641 else
10642 LDFLAGS="-L${withval}/lib ${LDFLAGS}"
10643 fi
10101 fi 10644 fi
10102 echo "$as_me:$LINENO: checking for el_init in -ledit" >&5 10645 echo "$as_me:$LINENO: checking for el_init in -ledit" >&5
10103echo $ECHO_N "checking for el_init in -ledit... $ECHO_C" >&6 10646echo $ECHO_N "checking for el_init in -ledit... $ECHO_C" >&6
@@ -10166,7 +10709,7 @@ echo "${ECHO_T}$ac_cv_lib_edit_el_init" >&6
10166if test $ac_cv_lib_edit_el_init = yes; then 10709if test $ac_cv_lib_edit_el_init = yes; then
10167 10710
10168cat >>confdefs.h <<\_ACEOF 10711cat >>confdefs.h <<\_ACEOF
10169#define USE_LIBEDIT 10712#define USE_LIBEDIT 1
10170_ACEOF 10713_ACEOF
10171 10714
10172 LIBEDIT="-ledit -lcurses" 10715 LIBEDIT="-ledit -lcurses"
@@ -10688,7 +11231,7 @@ done
10688 11231
10689 11232
10690cat >>confdefs.h <<\_ACEOF 11233cat >>confdefs.h <<\_ACEOF
10691#define USE_BSM_AUDIT 11234#define USE_BSM_AUDIT 1
10692_ACEOF 11235_ACEOF
10693 11236
10694 ;; 11237 ;;
@@ -10698,7 +11241,7 @@ _ACEOF
10698echo "${ECHO_T}debug" >&6 11241echo "${ECHO_T}debug" >&6
10699 11242
10700cat >>confdefs.h <<\_ACEOF 11243cat >>confdefs.h <<\_ACEOF
10701#define SSH_AUDIT_EVENTS 11244#define SSH_AUDIT_EVENTS 1
10702_ACEOF 11245_ACEOF
10703 11246
10704 ;; 11247 ;;
@@ -10795,8 +11338,10 @@ fi;
10795 11338
10796 11339
10797 11340
11341
10798for ac_func in \ 11342for ac_func in \
10799 arc4random \ 11343 arc4random \
11344 asprintf \
10800 b64_ntop \ 11345 b64_ntop \
10801 __b64_ntop \ 11346 __b64_ntop \
10802 b64_pton \ 11347 b64_pton \
@@ -10872,7 +11417,7 @@ for ac_func in \
10872 truncate \ 11417 truncate \
10873 unsetenv \ 11418 unsetenv \
10874 updwtmpx \ 11419 updwtmpx \
10875 utimes \ 11420 vasprintf \
10876 vhangup \ 11421 vhangup \
10877 vsnprintf \ 11422 vsnprintf \
10878 waitpid \ 11423 waitpid \
@@ -11261,7 +11806,8 @@ echo "$as_me:$LINENO: result: $ac_cv_search_nanosleep" >&5
11261echo "${ECHO_T}$ac_cv_search_nanosleep" >&6 11806echo "${ECHO_T}$ac_cv_search_nanosleep" >&6
11262if test "$ac_cv_search_nanosleep" != no; then 11807if test "$ac_cv_search_nanosleep" != no; then
11263 test "$ac_cv_search_nanosleep" = "none required" || LIBS="$ac_cv_search_nanosleep $LIBS" 11808 test "$ac_cv_search_nanosleep" = "none required" || LIBS="$ac_cv_search_nanosleep $LIBS"
11264 cat >>confdefs.h <<\_ACEOF 11809
11810cat >>confdefs.h <<\_ACEOF
11265#define HAVE_NANOSLEEP 1 11811#define HAVE_NANOSLEEP 1
11266_ACEOF 11812_ACEOF
11267 11813
@@ -11968,6 +12514,7 @@ echo "$as_me: failed program was:" >&5
11968sed 's/^/| /' conftest.$ac_ext >&5 12514sed 's/^/| /' conftest.$ac_ext >&5
11969 12515
11970( exit $ac_status ) 12516( exit $ac_status )
12517
11971cat >>confdefs.h <<\_ACEOF 12518cat >>confdefs.h <<\_ACEOF
11972#define BROKEN_SETRESUID 1 12519#define BROKEN_SETRESUID 1
11973_ACEOF 12520_ACEOF
@@ -12118,6 +12665,7 @@ echo "$as_me: failed program was:" >&5
12118sed 's/^/| /' conftest.$ac_ext >&5 12665sed 's/^/| /' conftest.$ac_ext >&5
12119 12666
12120( exit $ac_status ) 12667( exit $ac_status )
12668
12121cat >>confdefs.h <<\_ACEOF 12669cat >>confdefs.h <<\_ACEOF
12122#define BROKEN_SETRESGID 1 12670#define BROKEN_SETRESGID 1
12123_ACEOF 12671_ACEOF
@@ -12739,7 +13287,8 @@ fi
12739echo "$as_me:$LINENO: result: $ac_cv_func_daemon" >&5 13287echo "$as_me:$LINENO: result: $ac_cv_func_daemon" >&5
12740echo "${ECHO_T}$ac_cv_func_daemon" >&6 13288echo "${ECHO_T}$ac_cv_func_daemon" >&6
12741if test $ac_cv_func_daemon = yes; then 13289if test $ac_cv_func_daemon = yes; then
12742 cat >>confdefs.h <<\_ACEOF 13290
13291cat >>confdefs.h <<\_ACEOF
12743#define HAVE_DAEMON 1 13292#define HAVE_DAEMON 1
12744_ACEOF 13293_ACEOF
12745 13294
@@ -12908,7 +13457,8 @@ fi
12908echo "$as_me:$LINENO: result: $ac_cv_func_getpagesize" >&5 13457echo "$as_me:$LINENO: result: $ac_cv_func_getpagesize" >&5
12909echo "${ECHO_T}$ac_cv_func_getpagesize" >&6 13458echo "${ECHO_T}$ac_cv_func_getpagesize" >&6
12910if test $ac_cv_func_getpagesize = yes; then 13459if test $ac_cv_func_getpagesize = yes; then
12911 cat >>confdefs.h <<\_ACEOF 13460
13461cat >>confdefs.h <<\_ACEOF
12912#define HAVE_GETPAGESIZE 1 13462#define HAVE_GETPAGESIZE 1
12913_ACEOF 13463_ACEOF
12914 13464
@@ -13029,7 +13579,8 @@ sed 's/^/| /' conftest.$ac_ext >&5
13029 13579
13030 echo "$as_me:$LINENO: result: no" >&5 13580 echo "$as_me:$LINENO: result: no" >&5
13031echo "${ECHO_T}no" >&6 13581echo "${ECHO_T}no" >&6
13032 cat >>confdefs.h <<\_ACEOF 13582
13583cat >>confdefs.h <<\_ACEOF
13033#define BROKEN_SNPRINTF 1 13584#define BROKEN_SNPRINTF 1
13034_ACEOF 13585_ACEOF
13035 13586
@@ -13041,6 +13592,133 @@ rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftes
13041fi 13592fi
13042fi 13593fi
13043 13594
13595# If we don't have a working asprintf, then we strongly depend on vsnprintf
13596# returning the right thing on overflow: the number of characters it tried to
13597# create (as per SUSv3)
13598if test "x$ac_cv_func_asprintf" != "xyes" && \
13599 test "x$ac_cv_func_vsnprintf" = "xyes" ; then
13600 echo "$as_me:$LINENO: checking whether vsnprintf returns correct values on overflow" >&5
13601echo $ECHO_N "checking whether vsnprintf returns correct values on overflow... $ECHO_C" >&6
13602 if test "$cross_compiling" = yes; then
13603 { echo "$as_me:$LINENO: WARNING: cross compiling: Assuming working vsnprintf()" >&5
13604echo "$as_me: WARNING: cross compiling: Assuming working vsnprintf()" >&2;}
13605
13606else
13607 cat >conftest.$ac_ext <<_ACEOF
13608/* confdefs.h. */
13609_ACEOF
13610cat confdefs.h >>conftest.$ac_ext
13611cat >>conftest.$ac_ext <<_ACEOF
13612/* end confdefs.h. */
13613
13614#include <sys/types.h>
13615#include <stdio.h>
13616#include <stdarg.h>
13617
13618int x_snprintf(char *str,size_t count,const char *fmt,...)
13619{
13620 size_t ret; va_list ap;
13621 va_start(ap, fmt); ret = vsnprintf(str, count, fmt, ap); va_end(ap);
13622 return ret;
13623}
13624int main(void)
13625{
13626 char x[1];
13627 exit(x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1);
13628}
13629_ACEOF
13630rm -f conftest$ac_exeext
13631if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
13632 (eval $ac_link) 2>&5
13633 ac_status=$?
13634 echo "$as_me:$LINENO: \$? = $ac_status" >&5
13635 (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
13636 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
13637 (eval $ac_try) 2>&5
13638 ac_status=$?
13639 echo "$as_me:$LINENO: \$? = $ac_status" >&5
13640 (exit $ac_status); }; }; then
13641 echo "$as_me:$LINENO: result: yes" >&5
13642echo "${ECHO_T}yes" >&6
13643else
13644 echo "$as_me: program exited with status $ac_status" >&5
13645echo "$as_me: failed program was:" >&5
13646sed 's/^/| /' conftest.$ac_ext >&5
13647
13648( exit $ac_status )
13649
13650 echo "$as_me:$LINENO: result: no" >&5
13651echo "${ECHO_T}no" >&6
13652
13653cat >>confdefs.h <<\_ACEOF
13654#define BROKEN_SNPRINTF 1
13655_ACEOF
13656
13657 { echo "$as_me:$LINENO: WARNING: ****** Your vsnprintf() function is broken, complain to your vendor" >&5
13658echo "$as_me: WARNING: ****** Your vsnprintf() function is broken, complain to your vendor" >&2;}
13659
13660fi
13661rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
13662fi
13663fi
13664
13665# On systems where [v]snprintf is broken, but is declared in stdio,
13666# check that the fmt argument is const char * or just char *.
13667# This is only useful for when BROKEN_SNPRINTF
13668echo "$as_me:$LINENO: checking whether snprintf can declare const char *fmt" >&5
13669echo $ECHO_N "checking whether snprintf can declare const char *fmt... $ECHO_C" >&6
13670cat >conftest.$ac_ext <<_ACEOF
13671/* confdefs.h. */
13672_ACEOF
13673cat confdefs.h >>conftest.$ac_ext
13674cat >>conftest.$ac_ext <<_ACEOF
13675/* end confdefs.h. */
13676#include <stdio.h>
13677 int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
13678 int main(void) { snprintf(0, 0, 0); }
13679
13680_ACEOF
13681rm -f conftest.$ac_objext
13682if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
13683 (eval $ac_compile) 2>conftest.er1
13684 ac_status=$?
13685 grep -v '^ *+' conftest.er1 >conftest.err
13686 rm -f conftest.er1
13687 cat conftest.err >&5
13688 echo "$as_me:$LINENO: \$? = $ac_status" >&5
13689 (exit $ac_status); } &&
13690 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
13691 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
13692 (eval $ac_try) 2>&5
13693 ac_status=$?
13694 echo "$as_me:$LINENO: \$? = $ac_status" >&5
13695 (exit $ac_status); }; } &&
13696 { ac_try='test -s conftest.$ac_objext'
13697 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
13698 (eval $ac_try) 2>&5
13699 ac_status=$?
13700 echo "$as_me:$LINENO: \$? = $ac_status" >&5
13701 (exit $ac_status); }; }; then
13702 echo "$as_me:$LINENO: result: yes" >&5
13703echo "${ECHO_T}yes" >&6
13704
13705cat >>confdefs.h <<\_ACEOF
13706#define SNPRINTF_CONST const
13707_ACEOF
13708
13709else
13710 echo "$as_me: failed program was:" >&5
13711sed 's/^/| /' conftest.$ac_ext >&5
13712
13713echo "$as_me:$LINENO: result: no" >&5
13714echo "${ECHO_T}no" >&6
13715 cat >>confdefs.h <<\_ACEOF
13716#define SNPRINTF_CONST /* not const */
13717_ACEOF
13718
13719fi
13720rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
13721
13044# Check for missing getpeereid (or equiv) support 13722# Check for missing getpeereid (or equiv) support
13045NO_PEERCHECK="" 13723NO_PEERCHECK=""
13046if test "x$ac_cv_func_getpeereid" != "xyes" ; then 13724if test "x$ac_cv_func_getpeereid" != "xyes" ; then
@@ -13087,7 +13765,7 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
13087echo "${ECHO_T}yes" >&6 13765echo "${ECHO_T}yes" >&6
13088 13766
13089cat >>confdefs.h <<\_ACEOF 13767cat >>confdefs.h <<\_ACEOF
13090#define HAVE_SO_PEERCRED 13768#define HAVE_SO_PEERCRED 1
13091_ACEOF 13769_ACEOF
13092 13770
13093 13771
@@ -13156,7 +13834,8 @@ sed 's/^/| /' conftest.$ac_ext >&5
13156 13834
13157 echo "$as_me:$LINENO: result: yes" >&5 13835 echo "$as_me:$LINENO: result: yes" >&5
13158echo "${ECHO_T}yes" >&6 13836echo "${ECHO_T}yes" >&6
13159 cat >>confdefs.h <<\_ACEOF 13837
13838cat >>confdefs.h <<\_ACEOF
13160#define HAVE_STRICT_MKSTEMP 1 13839#define HAVE_STRICT_MKSTEMP 1
13161_ACEOF 13840_ACEOF
13162 13841
@@ -13170,11 +13849,11 @@ if test ! -z "$check_for_openpty_ctty_bug"; then
13170 echo "$as_me:$LINENO: checking if openpty correctly handles controlling tty" >&5 13849 echo "$as_me:$LINENO: checking if openpty correctly handles controlling tty" >&5
13171echo $ECHO_N "checking if openpty correctly handles controlling tty... $ECHO_C" >&6 13850echo $ECHO_N "checking if openpty correctly handles controlling tty... $ECHO_C" >&6
13172 if test "$cross_compiling" = yes; then 13851 if test "$cross_compiling" = yes; then
13173 { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling 13852
13174See \`config.log' for more details." >&5 13853 echo "$as_me:$LINENO: result: cross-compiling" >&5
13175echo "$as_me: error: cannot run test program while cross compiling 13854echo "${ECHO_T}cross-compiling" >&6
13176See \`config.log' for more details." >&2;} 13855
13177 { (exit 1); exit 1; }; } 13856
13178else 13857else
13179 cat >conftest.$ac_ext <<_ACEOF 13858 cat >conftest.$ac_ext <<_ACEOF
13180/* confdefs.h. */ 13859/* confdefs.h. */
@@ -13245,7 +13924,6 @@ echo "${ECHO_T}no" >&6
13245_ACEOF 13924_ACEOF
13246 13925
13247 13926
13248
13249fi 13927fi
13250rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext 13928rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
13251fi 13929fi
@@ -13256,11 +13934,11 @@ if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
13256 echo "$as_me:$LINENO: checking if getaddrinfo seems to work" >&5 13934 echo "$as_me:$LINENO: checking if getaddrinfo seems to work" >&5
13257echo $ECHO_N "checking if getaddrinfo seems to work... $ECHO_C" >&6 13935echo $ECHO_N "checking if getaddrinfo seems to work... $ECHO_C" >&6
13258 if test "$cross_compiling" = yes; then 13936 if test "$cross_compiling" = yes; then
13259 { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling 13937
13260See \`config.log' for more details." >&5 13938 echo "$as_me:$LINENO: result: cross-compiling" >&5
13261echo "$as_me: error: cannot run test program while cross compiling 13939echo "${ECHO_T}cross-compiling" >&6
13262See \`config.log' for more details." >&2;} 13940
13263 { (exit 1); exit 1; }; } 13941
13264else 13942else
13265 cat >conftest.$ac_ext <<_ACEOF 13943 cat >conftest.$ac_ext <<_ACEOF
13266/* confdefs.h. */ 13944/* confdefs.h. */
@@ -13353,7 +14031,6 @@ echo "${ECHO_T}no" >&6
13353_ACEOF 14031_ACEOF
13354 14032
13355 14033
13356
13357fi 14034fi
13358rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext 14035rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
13359fi 14036fi
@@ -13364,11 +14041,10 @@ if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
13364 echo "$as_me:$LINENO: checking if getaddrinfo seems to work" >&5 14041 echo "$as_me:$LINENO: checking if getaddrinfo seems to work" >&5
13365echo $ECHO_N "checking if getaddrinfo seems to work... $ECHO_C" >&6 14042echo $ECHO_N "checking if getaddrinfo seems to work... $ECHO_C" >&6
13366 if test "$cross_compiling" = yes; then 14043 if test "$cross_compiling" = yes; then
13367 { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling 14044 echo "$as_me:$LINENO: result: cross-compiling" >&5
13368See \`config.log' for more details." >&5 14045echo "${ECHO_T}cross-compiling" >&6
13369echo "$as_me: error: cannot run test program while cross compiling 14046
13370See \`config.log' for more details." >&2;} 14047 ]
13371 { (exit 1); exit 1; }; }
13372else 14048else
13373 cat >conftest.$ac_ext <<_ACEOF 14049 cat >conftest.$ac_ext <<_ACEOF
13374/* confdefs.h. */ 14050/* confdefs.h. */
@@ -13436,7 +14112,7 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
13436echo "${ECHO_T}yes" >&6 14112echo "${ECHO_T}yes" >&6
13437 14113
13438cat >>confdefs.h <<\_ACEOF 14114cat >>confdefs.h <<\_ACEOF
13439#define AIX_GETNAMEINFO_HACK 14115#define AIX_GETNAMEINFO_HACK 1
13440_ACEOF 14116_ACEOF
13441 14117
13442 14118
@@ -13454,7 +14130,6 @@ echo "${ECHO_T}no" >&6
13454_ACEOF 14130_ACEOF
13455 14131
13456 14132
13457
13458fi 14133fi
13459rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext 14134rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
13460fi 14135fi
@@ -13945,7 +14620,8 @@ done
13945 14620
13946 PAM_MSG="yes" 14621 PAM_MSG="yes"
13947 14622
13948 cat >>confdefs.h <<\_ACEOF 14623
14624cat >>confdefs.h <<\_ACEOF
13949#define USE_PAM 1 14625#define USE_PAM 1
13950_ACEOF 14626_ACEOF
13951 14627
@@ -14015,7 +14691,8 @@ else
14015sed 's/^/| /' conftest.$ac_ext >&5 14691sed 's/^/| /' conftest.$ac_ext >&5
14016 14692
14017 14693
14018 cat >>confdefs.h <<\_ACEOF 14694
14695cat >>confdefs.h <<\_ACEOF
14019#define HAVE_OLD_PAM 1 14696#define HAVE_OLD_PAM 1
14020_ACEOF 14697_ACEOF
14021 14698
@@ -14107,7 +14784,8 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
14107 ac_status=$? 14784 ac_status=$?
14108 echo "$as_me:$LINENO: \$? = $ac_status" >&5 14785 echo "$as_me:$LINENO: \$? = $ac_status" >&5
14109 (exit $ac_status); }; }; then 14786 (exit $ac_status); }; }; then
14110 cat >>confdefs.h <<\_ACEOF 14787
14788cat >>confdefs.h <<\_ACEOF
14111#define HAVE_OPENSSL 1 14789#define HAVE_OPENSSL 1
14112_ACEOF 14790_ACEOF
14113 14791
@@ -14385,6 +15063,63 @@ fi
14385rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext 15063rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
14386fi 15064fi
14387 15065
15066# Check for OpenSSL without EVP_aes_{192,256}_cbc
15067echo "$as_me:$LINENO: checking whether OpenSSL has crippled AES support" >&5
15068echo $ECHO_N "checking whether OpenSSL has crippled AES support... $ECHO_C" >&6
15069cat >conftest.$ac_ext <<_ACEOF
15070/* confdefs.h. */
15071_ACEOF
15072cat confdefs.h >>conftest.$ac_ext
15073cat >>conftest.$ac_ext <<_ACEOF
15074/* end confdefs.h. */
15075
15076#include <string.h>
15077#include <openssl/evp.h>
15078int main(void) { exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);}
15079
15080_ACEOF
15081rm -f conftest.$ac_objext
15082if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
15083 (eval $ac_compile) 2>conftest.er1
15084 ac_status=$?
15085 grep -v '^ *+' conftest.er1 >conftest.err
15086 rm -f conftest.er1
15087 cat conftest.err >&5
15088 echo "$as_me:$LINENO: \$? = $ac_status" >&5
15089 (exit $ac_status); } &&
15090 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
15091 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
15092 (eval $ac_try) 2>&5
15093 ac_status=$?
15094 echo "$as_me:$LINENO: \$? = $ac_status" >&5
15095 (exit $ac_status); }; } &&
15096 { ac_try='test -s conftest.$ac_objext'
15097 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
15098 (eval $ac_try) 2>&5
15099 ac_status=$?
15100 echo "$as_me:$LINENO: \$? = $ac_status" >&5
15101 (exit $ac_status); }; }; then
15102
15103 echo "$as_me:$LINENO: result: no" >&5
15104echo "${ECHO_T}no" >&6
15105
15106else
15107 echo "$as_me: failed program was:" >&5
15108sed 's/^/| /' conftest.$ac_ext >&5
15109
15110
15111 echo "$as_me:$LINENO: result: yes" >&5
15112echo "${ECHO_T}yes" >&6
15113
15114cat >>confdefs.h <<\_ACEOF
15115#define OPENSSL_LOBOTOMISED_AES 1
15116_ACEOF
15117
15118
15119
15120fi
15121rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
15122
14388# Some systems want crypt() from libcrypt, *not* the version in OpenSSL, 15123# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
14389# because the system crypt() is more featureful. 15124# because the system crypt() is more featureful.
14390if test "x$check_for_libcrypt_before" = "x1"; then 15125if test "x$check_for_libcrypt_before" = "x1"; then
@@ -14694,7 +15429,8 @@ fi;
14694# Which randomness source do we use? 15429# Which randomness source do we use?
14695if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then 15430if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then
14696 # OpenSSL only 15431 # OpenSSL only
14697 cat >>confdefs.h <<\_ACEOF 15432
15433cat >>confdefs.h <<\_ACEOF
14698#define OPENSSL_PRNG_ONLY 1 15434#define OPENSSL_PRNG_ONLY 1
14699_ACEOF 15435_ACEOF
14700 15436
@@ -14729,7 +15465,8 @@ echo "$as_me: error: You must specify a numeric port number for --with-prngd-por
14729 esac 15465 esac
14730 if test ! -z "$withval" ; then 15466 if test ! -z "$withval" ; then
14731 PRNGD_PORT="$withval" 15467 PRNGD_PORT="$withval"
14732 cat >>confdefs.h <<_ACEOF 15468
15469cat >>confdefs.h <<_ACEOF
14733#define PRNGD_PORT $PRNGD_PORT 15470#define PRNGD_PORT $PRNGD_PORT
14734_ACEOF 15471_ACEOF
14735 15472
@@ -14771,7 +15508,8 @@ echo "$as_me: error: You may not specify both a PRNGD/EGD port and socket" >&2;}
14771echo "$as_me: WARNING: Entropy socket is not readable" >&2;} 15508echo "$as_me: WARNING: Entropy socket is not readable" >&2;}
14772 fi 15509 fi
14773 PRNGD_SOCKET="$withval" 15510 PRNGD_SOCKET="$withval"
14774 cat >>confdefs.h <<_ACEOF 15511
15512cat >>confdefs.h <<_ACEOF
14775#define PRNGD_SOCKET "$PRNGD_SOCKET" 15513#define PRNGD_SOCKET "$PRNGD_SOCKET"
14776_ACEOF 15514_ACEOF
14777 15515
@@ -14820,6 +15558,7 @@ if test "${with_entropy_timeout+set}" = set; then
14820 15558
14821 15559
14822fi; 15560fi;
15561
14823cat >>confdefs.h <<_ACEOF 15562cat >>confdefs.h <<_ACEOF
14824#define ENTROPY_TIMEOUT_MSEC $entropy_timeout 15563#define ENTROPY_TIMEOUT_MSEC $entropy_timeout
14825_ACEOF 15564_ACEOF
@@ -14838,6 +15577,7 @@ if test "${with_privsep_user+set}" = set; then
14838 15577
14839 15578
14840fi; 15579fi;
15580
14841cat >>confdefs.h <<_ACEOF 15581cat >>confdefs.h <<_ACEOF
14842#define SSH_PRIVSEP_USER "$SSH_PRIVSEP_USER" 15582#define SSH_PRIVSEP_USER "$SSH_PRIVSEP_USER"
14843_ACEOF 15583_ACEOF
@@ -15603,7 +16343,199 @@ if test ! -z "$SONY" ; then
15603 LIBS="$LIBS -liberty"; 16343 LIBS="$LIBS -liberty";
15604fi 16344fi
15605 16345
15606# Checks for data types 16346# Check for long long datatypes
16347echo "$as_me:$LINENO: checking for long long" >&5
16348echo $ECHO_N "checking for long long... $ECHO_C" >&6
16349if test "${ac_cv_type_long_long+set}" = set; then
16350 echo $ECHO_N "(cached) $ECHO_C" >&6
16351else
16352 cat >conftest.$ac_ext <<_ACEOF
16353/* confdefs.h. */
16354_ACEOF
16355cat confdefs.h >>conftest.$ac_ext
16356cat >>conftest.$ac_ext <<_ACEOF
16357/* end confdefs.h. */
16358$ac_includes_default
16359int
16360main ()
16361{
16362if ((long long *) 0)
16363 return 0;
16364if (sizeof (long long))
16365 return 0;
16366 ;
16367 return 0;
16368}
16369_ACEOF
16370rm -f conftest.$ac_objext
16371if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
16372 (eval $ac_compile) 2>conftest.er1
16373 ac_status=$?
16374 grep -v '^ *+' conftest.er1 >conftest.err
16375 rm -f conftest.er1
16376 cat conftest.err >&5
16377 echo "$as_me:$LINENO: \$? = $ac_status" >&5
16378 (exit $ac_status); } &&
16379 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
16380 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
16381 (eval $ac_try) 2>&5
16382 ac_status=$?
16383 echo "$as_me:$LINENO: \$? = $ac_status" >&5
16384 (exit $ac_status); }; } &&
16385 { ac_try='test -s conftest.$ac_objext'
16386 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
16387 (eval $ac_try) 2>&5
16388 ac_status=$?
16389 echo "$as_me:$LINENO: \$? = $ac_status" >&5
16390 (exit $ac_status); }; }; then
16391 ac_cv_type_long_long=yes
16392else
16393 echo "$as_me: failed program was:" >&5
16394sed 's/^/| /' conftest.$ac_ext >&5
16395
16396ac_cv_type_long_long=no
16397fi
16398rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
16399fi
16400echo "$as_me:$LINENO: result: $ac_cv_type_long_long" >&5
16401echo "${ECHO_T}$ac_cv_type_long_long" >&6
16402if test $ac_cv_type_long_long = yes; then
16403
16404cat >>confdefs.h <<_ACEOF
16405#define HAVE_LONG_LONG 1
16406_ACEOF
16407
16408
16409fi
16410echo "$as_me:$LINENO: checking for unsigned long long" >&5
16411echo $ECHO_N "checking for unsigned long long... $ECHO_C" >&6
16412if test "${ac_cv_type_unsigned_long_long+set}" = set; then
16413 echo $ECHO_N "(cached) $ECHO_C" >&6
16414else
16415 cat >conftest.$ac_ext <<_ACEOF
16416/* confdefs.h. */
16417_ACEOF
16418cat confdefs.h >>conftest.$ac_ext
16419cat >>conftest.$ac_ext <<_ACEOF
16420/* end confdefs.h. */
16421$ac_includes_default
16422int
16423main ()
16424{
16425if ((unsigned long long *) 0)
16426 return 0;
16427if (sizeof (unsigned long long))
16428 return 0;
16429 ;
16430 return 0;
16431}
16432_ACEOF
16433rm -f conftest.$ac_objext
16434if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
16435 (eval $ac_compile) 2>conftest.er1
16436 ac_status=$?
16437 grep -v '^ *+' conftest.er1 >conftest.err
16438 rm -f conftest.er1
16439 cat conftest.err >&5
16440 echo "$as_me:$LINENO: \$? = $ac_status" >&5
16441 (exit $ac_status); } &&
16442 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
16443 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
16444 (eval $ac_try) 2>&5
16445 ac_status=$?
16446 echo "$as_me:$LINENO: \$? = $ac_status" >&5
16447 (exit $ac_status); }; } &&
16448 { ac_try='test -s conftest.$ac_objext'
16449 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
16450 (eval $ac_try) 2>&5
16451 ac_status=$?
16452 echo "$as_me:$LINENO: \$? = $ac_status" >&5
16453 (exit $ac_status); }; }; then
16454 ac_cv_type_unsigned_long_long=yes
16455else
16456 echo "$as_me: failed program was:" >&5
16457sed 's/^/| /' conftest.$ac_ext >&5
16458
16459ac_cv_type_unsigned_long_long=no
16460fi
16461rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
16462fi
16463echo "$as_me:$LINENO: result: $ac_cv_type_unsigned_long_long" >&5
16464echo "${ECHO_T}$ac_cv_type_unsigned_long_long" >&6
16465if test $ac_cv_type_unsigned_long_long = yes; then
16466
16467cat >>confdefs.h <<_ACEOF
16468#define HAVE_UNSIGNED_LONG_LONG 1
16469_ACEOF
16470
16471
16472fi
16473echo "$as_me:$LINENO: checking for long double" >&5
16474echo $ECHO_N "checking for long double... $ECHO_C" >&6
16475if test "${ac_cv_type_long_double+set}" = set; then
16476 echo $ECHO_N "(cached) $ECHO_C" >&6
16477else
16478 cat >conftest.$ac_ext <<_ACEOF
16479/* confdefs.h. */
16480_ACEOF
16481cat confdefs.h >>conftest.$ac_ext
16482cat >>conftest.$ac_ext <<_ACEOF
16483/* end confdefs.h. */
16484$ac_includes_default
16485int
16486main ()
16487{
16488if ((long double *) 0)
16489 return 0;
16490if (sizeof (long double))
16491 return 0;
16492 ;
16493 return 0;
16494}
16495_ACEOF
16496rm -f conftest.$ac_objext
16497if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
16498 (eval $ac_compile) 2>conftest.er1
16499 ac_status=$?
16500 grep -v '^ *+' conftest.er1 >conftest.err
16501 rm -f conftest.er1
16502 cat conftest.err >&5
16503 echo "$as_me:$LINENO: \$? = $ac_status" >&5
16504 (exit $ac_status); } &&
16505 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
16506 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
16507 (eval $ac_try) 2>&5
16508 ac_status=$?
16509 echo "$as_me:$LINENO: \$? = $ac_status" >&5
16510 (exit $ac_status); }; } &&
16511 { ac_try='test -s conftest.$ac_objext'
16512 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
16513 (eval $ac_try) 2>&5
16514 ac_status=$?
16515 echo "$as_me:$LINENO: \$? = $ac_status" >&5
16516 (exit $ac_status); }; }; then
16517 ac_cv_type_long_double=yes
16518else
16519 echo "$as_me: failed program was:" >&5
16520sed 's/^/| /' conftest.$ac_ext >&5
16521
16522ac_cv_type_long_double=no
16523fi
16524rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
16525fi
16526echo "$as_me:$LINENO: result: $ac_cv_type_long_double" >&5
16527echo "${ECHO_T}$ac_cv_type_long_double" >&6
16528if test $ac_cv_type_long_double = yes; then
16529
16530cat >>confdefs.h <<_ACEOF
16531#define HAVE_LONG_DOUBLE 1
16532_ACEOF
16533
16534
16535fi
16536
16537
16538# Check datatype sizes
15607echo "$as_me:$LINENO: checking for char" >&5 16539echo "$as_me:$LINENO: checking for char" >&5
15608echo $ECHO_N "checking for char... $ECHO_C" >&6 16540echo $ECHO_N "checking for char... $ECHO_C" >&6
15609if test "${ac_cv_type_char+set}" = set; then 16541if test "${ac_cv_type_char+set}" = set; then
@@ -17640,6 +18572,124 @@ if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
17640 ac_cv_sizeof_long_long_int=0 18572 ac_cv_sizeof_long_long_int=0
17641fi 18573fi
17642 18574
18575# compute LLONG_MIN and LLONG_MAX if we don't know them.
18576if test -z "$have_llong_max"; then
18577 echo "$as_me:$LINENO: checking for max value of long long" >&5
18578echo $ECHO_N "checking for max value of long long... $ECHO_C" >&6
18579 if test "$cross_compiling" = yes; then
18580
18581 { echo "$as_me:$LINENO: WARNING: cross compiling: not checking" >&5
18582echo "$as_me: WARNING: cross compiling: not checking" >&2;}
18583
18584
18585else
18586 cat >conftest.$ac_ext <<_ACEOF
18587/* confdefs.h. */
18588_ACEOF
18589cat confdefs.h >>conftest.$ac_ext
18590cat >>conftest.$ac_ext <<_ACEOF
18591/* end confdefs.h. */
18592
18593#include <stdio.h>
18594/* Why is this so damn hard? */
18595#ifdef __GNUC__
18596# undef __GNUC__
18597#endif
18598#define __USE_ISOC99
18599#include <limits.h>
18600#define DATA "conftest.llminmax"
18601int main(void) {
18602 FILE *f;
18603 long long i, llmin, llmax = 0;
18604
18605 if((f = fopen(DATA,"w")) == NULL)
18606 exit(1);
18607
18608#if defined(LLONG_MIN) && defined(LLONG_MAX)
18609 fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
18610 llmin = LLONG_MIN;
18611 llmax = LLONG_MAX;
18612#else
18613 fprintf(stderr, "Calculating LLONG_MIN and LLONG_MAX\n");
18614 /* This will work on one's complement and two's complement */
18615 for (i = 1; i > llmax; i <<= 1, i++)
18616 llmax = i;
18617 llmin = llmax + 1LL; /* wrap */
18618#endif
18619
18620 /* Sanity check */
18621 if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
18622 || llmax - 1 > llmax) {
18623 fprintf(f, "unknown unknown\n");
18624 exit(2);
18625 }
18626
18627 if (fprintf(f ,"%lld %lld", llmin, llmax) < 0)
18628 exit(3);
18629
18630 exit(0);
18631}
18632
18633_ACEOF
18634rm -f conftest$ac_exeext
18635if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
18636 (eval $ac_link) 2>&5
18637 ac_status=$?
18638 echo "$as_me:$LINENO: \$? = $ac_status" >&5
18639 (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
18640 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
18641 (eval $ac_try) 2>&5
18642 ac_status=$?
18643 echo "$as_me:$LINENO: \$? = $ac_status" >&5
18644 (exit $ac_status); }; }; then
18645
18646 llong_min=`$AWK '{print $1}' conftest.llminmax`
18647 llong_max=`$AWK '{print $2}' conftest.llminmax`
18648
18649 # snprintf on some Tru64s doesn't understand "%lld"
18650 case "$host" in
18651 alpha-dec-osf*)
18652 if test "x$ac_cv_sizeof_long_long_int" = "x8" &&
18653 test "x$llong_max" = "xld"; then
18654 llong_min="-9223372036854775808"
18655 llong_max="9223372036854775807"
18656 fi
18657 ;;
18658 esac
18659
18660 echo "$as_me:$LINENO: result: $llong_max" >&5
18661echo "${ECHO_T}$llong_max" >&6
18662
18663cat >>confdefs.h <<_ACEOF
18664#define LLONG_MAX ${llong_max}LL
18665_ACEOF
18666
18667 echo "$as_me:$LINENO: checking for min value of long long" >&5
18668echo $ECHO_N "checking for min value of long long... $ECHO_C" >&6
18669 echo "$as_me:$LINENO: result: $llong_min" >&5
18670echo "${ECHO_T}$llong_min" >&6
18671
18672cat >>confdefs.h <<_ACEOF
18673#define LLONG_MIN ${llong_min}LL
18674_ACEOF
18675
18676
18677else
18678 echo "$as_me: program exited with status $ac_status" >&5
18679echo "$as_me: failed program was:" >&5
18680sed 's/^/| /' conftest.$ac_ext >&5
18681
18682( exit $ac_status )
18683
18684 echo "$as_me:$LINENO: result: not found" >&5
18685echo "${ECHO_T}not found" >&6
18686
18687fi
18688rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
18689fi
18690fi
18691
18692
17643# More checks for data types 18693# More checks for data types
17644echo "$as_me:$LINENO: checking for u_int type" >&5 18694echo "$as_me:$LINENO: checking for u_int type" >&5
17645echo $ECHO_N "checking for u_int type... $ECHO_C" >&6 18695echo $ECHO_N "checking for u_int type... $ECHO_C" >&6
@@ -17697,7 +18747,8 @@ fi
17697echo "$as_me:$LINENO: result: $ac_cv_have_u_int" >&5 18747echo "$as_me:$LINENO: result: $ac_cv_have_u_int" >&5
17698echo "${ECHO_T}$ac_cv_have_u_int" >&6 18748echo "${ECHO_T}$ac_cv_have_u_int" >&6
17699if test "x$ac_cv_have_u_int" = "xyes" ; then 18749if test "x$ac_cv_have_u_int" = "xyes" ; then
17700 cat >>confdefs.h <<\_ACEOF 18750
18751cat >>confdefs.h <<\_ACEOF
17701#define HAVE_U_INT 1 18752#define HAVE_U_INT 1
17702_ACEOF 18753_ACEOF
17703 18754
@@ -17760,7 +18811,8 @@ fi
17760echo "$as_me:$LINENO: result: $ac_cv_have_intxx_t" >&5 18811echo "$as_me:$LINENO: result: $ac_cv_have_intxx_t" >&5
17761echo "${ECHO_T}$ac_cv_have_intxx_t" >&6 18812echo "${ECHO_T}$ac_cv_have_intxx_t" >&6
17762if test "x$ac_cv_have_intxx_t" = "xyes" ; then 18813if test "x$ac_cv_have_intxx_t" = "xyes" ; then
17763 cat >>confdefs.h <<\_ACEOF 18814
18815cat >>confdefs.h <<\_ACEOF
17764#define HAVE_INTXX_T 1 18816#define HAVE_INTXX_T 1
17765_ACEOF 18817_ACEOF
17766 18818
@@ -17892,7 +18944,8 @@ fi
17892echo "$as_me:$LINENO: result: $ac_cv_have_int64_t" >&5 18944echo "$as_me:$LINENO: result: $ac_cv_have_int64_t" >&5
17893echo "${ECHO_T}$ac_cv_have_int64_t" >&6 18945echo "${ECHO_T}$ac_cv_have_int64_t" >&6
17894if test "x$ac_cv_have_int64_t" = "xyes" ; then 18946if test "x$ac_cv_have_int64_t" = "xyes" ; then
17895 cat >>confdefs.h <<\_ACEOF 18947
18948cat >>confdefs.h <<\_ACEOF
17896#define HAVE_INT64_T 1 18949#define HAVE_INT64_T 1
17897_ACEOF 18950_ACEOF
17898 18951
@@ -17954,7 +19007,8 @@ fi
17954echo "$as_me:$LINENO: result: $ac_cv_have_u_intxx_t" >&5 19007echo "$as_me:$LINENO: result: $ac_cv_have_u_intxx_t" >&5
17955echo "${ECHO_T}$ac_cv_have_u_intxx_t" >&6 19008echo "${ECHO_T}$ac_cv_have_u_intxx_t" >&6
17956if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then 19009if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
17957 cat >>confdefs.h <<\_ACEOF 19010
19011cat >>confdefs.h <<\_ACEOF
17958#define HAVE_U_INTXX_T 1 19012#define HAVE_U_INTXX_T 1
17959_ACEOF 19013_ACEOF
17960 19014
@@ -18075,7 +19129,8 @@ fi
18075echo "$as_me:$LINENO: result: $ac_cv_have_u_int64_t" >&5 19129echo "$as_me:$LINENO: result: $ac_cv_have_u_int64_t" >&5
18076echo "${ECHO_T}$ac_cv_have_u_int64_t" >&6 19130echo "${ECHO_T}$ac_cv_have_u_int64_t" >&6
18077if test "x$ac_cv_have_u_int64_t" = "xyes" ; then 19131if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
18078 cat >>confdefs.h <<\_ACEOF 19132
19133cat >>confdefs.h <<\_ACEOF
18079#define HAVE_U_INT64_T 1 19134#define HAVE_U_INT64_T 1
18080_ACEOF 19135_ACEOF
18081 19136
@@ -18199,7 +19254,8 @@ fi
18199echo "$as_me:$LINENO: result: $ac_cv_have_uintxx_t" >&5 19254echo "$as_me:$LINENO: result: $ac_cv_have_uintxx_t" >&5
18200echo "${ECHO_T}$ac_cv_have_uintxx_t" >&6 19255echo "${ECHO_T}$ac_cv_have_uintxx_t" >&6
18201 if test "x$ac_cv_have_uintxx_t" = "xyes" ; then 19256 if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
18202 cat >>confdefs.h <<\_ACEOF 19257
19258cat >>confdefs.h <<\_ACEOF
18203#define HAVE_UINTXX_T 1 19259#define HAVE_UINTXX_T 1
18204_ACEOF 19260_ACEOF
18205 19261
@@ -18393,7 +19449,8 @@ fi
18393echo "$as_me:$LINENO: result: $ac_cv_have_u_char" >&5 19449echo "$as_me:$LINENO: result: $ac_cv_have_u_char" >&5
18394echo "${ECHO_T}$ac_cv_have_u_char" >&6 19450echo "${ECHO_T}$ac_cv_have_u_char" >&6
18395if test "x$ac_cv_have_u_char" = "xyes" ; then 19451if test "x$ac_cv_have_u_char" = "xyes" ; then
18396 cat >>confdefs.h <<\_ACEOF 19452
19453cat >>confdefs.h <<\_ACEOF
18397#define HAVE_U_CHAR 1 19454#define HAVE_U_CHAR 1
18398_ACEOF 19455_ACEOF
18399 19456
@@ -18739,7 +19796,8 @@ fi
18739echo "$as_me:$LINENO: result: $ac_cv_have_size_t" >&5 19796echo "$as_me:$LINENO: result: $ac_cv_have_size_t" >&5
18740echo "${ECHO_T}$ac_cv_have_size_t" >&6 19797echo "${ECHO_T}$ac_cv_have_size_t" >&6
18741if test "x$ac_cv_have_size_t" = "xyes" ; then 19798if test "x$ac_cv_have_size_t" = "xyes" ; then
18742 cat >>confdefs.h <<\_ACEOF 19799
19800cat >>confdefs.h <<\_ACEOF
18743#define HAVE_SIZE_T 1 19801#define HAVE_SIZE_T 1
18744_ACEOF 19802_ACEOF
18745 19803
@@ -18803,7 +19861,8 @@ fi
18803echo "$as_me:$LINENO: result: $ac_cv_have_ssize_t" >&5 19861echo "$as_me:$LINENO: result: $ac_cv_have_ssize_t" >&5
18804echo "${ECHO_T}$ac_cv_have_ssize_t" >&6 19862echo "${ECHO_T}$ac_cv_have_ssize_t" >&6
18805if test "x$ac_cv_have_ssize_t" = "xyes" ; then 19863if test "x$ac_cv_have_ssize_t" = "xyes" ; then
18806 cat >>confdefs.h <<\_ACEOF 19864
19865cat >>confdefs.h <<\_ACEOF
18807#define HAVE_SSIZE_T 1 19866#define HAVE_SSIZE_T 1
18808_ACEOF 19867_ACEOF
18809 19868
@@ -18867,7 +19926,8 @@ fi
18867echo "$as_me:$LINENO: result: $ac_cv_have_clock_t" >&5 19926echo "$as_me:$LINENO: result: $ac_cv_have_clock_t" >&5
18868echo "${ECHO_T}$ac_cv_have_clock_t" >&6 19927echo "${ECHO_T}$ac_cv_have_clock_t" >&6
18869if test "x$ac_cv_have_clock_t" = "xyes" ; then 19928if test "x$ac_cv_have_clock_t" = "xyes" ; then
18870 cat >>confdefs.h <<\_ACEOF 19929
19930cat >>confdefs.h <<\_ACEOF
18871#define HAVE_CLOCK_T 1 19931#define HAVE_CLOCK_T 1
18872_ACEOF 19932_ACEOF
18873 19933
@@ -18980,7 +20040,8 @@ fi
18980echo "$as_me:$LINENO: result: $ac_cv_have_sa_family_t" >&5 20040echo "$as_me:$LINENO: result: $ac_cv_have_sa_family_t" >&5
18981echo "${ECHO_T}$ac_cv_have_sa_family_t" >&6 20041echo "${ECHO_T}$ac_cv_have_sa_family_t" >&6
18982if test "x$ac_cv_have_sa_family_t" = "xyes" ; then 20042if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
18983 cat >>confdefs.h <<\_ACEOF 20043
20044cat >>confdefs.h <<\_ACEOF
18984#define HAVE_SA_FAMILY_T 1 20045#define HAVE_SA_FAMILY_T 1
18985_ACEOF 20046_ACEOF
18986 20047
@@ -19044,7 +20105,8 @@ fi
19044echo "$as_me:$LINENO: result: $ac_cv_have_pid_t" >&5 20105echo "$as_me:$LINENO: result: $ac_cv_have_pid_t" >&5
19045echo "${ECHO_T}$ac_cv_have_pid_t" >&6 20106echo "${ECHO_T}$ac_cv_have_pid_t" >&6
19046if test "x$ac_cv_have_pid_t" = "xyes" ; then 20107if test "x$ac_cv_have_pid_t" = "xyes" ; then
19047 cat >>confdefs.h <<\_ACEOF 20108
20109cat >>confdefs.h <<\_ACEOF
19048#define HAVE_PID_T 1 20110#define HAVE_PID_T 1
19049_ACEOF 20111_ACEOF
19050 20112
@@ -19108,7 +20170,8 @@ fi
19108echo "$as_me:$LINENO: result: $ac_cv_have_mode_t" >&5 20170echo "$as_me:$LINENO: result: $ac_cv_have_mode_t" >&5
19109echo "${ECHO_T}$ac_cv_have_mode_t" >&6 20171echo "${ECHO_T}$ac_cv_have_mode_t" >&6
19110if test "x$ac_cv_have_mode_t" = "xyes" ; then 20172if test "x$ac_cv_have_mode_t" = "xyes" ; then
19111 cat >>confdefs.h <<\_ACEOF 20173
20174cat >>confdefs.h <<\_ACEOF
19112#define HAVE_MODE_T 1 20175#define HAVE_MODE_T 1
19113_ACEOF 20176_ACEOF
19114 20177
@@ -19174,7 +20237,8 @@ fi
19174echo "$as_me:$LINENO: result: $ac_cv_have_struct_sockaddr_storage" >&5 20237echo "$as_me:$LINENO: result: $ac_cv_have_struct_sockaddr_storage" >&5
19175echo "${ECHO_T}$ac_cv_have_struct_sockaddr_storage" >&6 20238echo "${ECHO_T}$ac_cv_have_struct_sockaddr_storage" >&6
19176if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then 20239if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
19177 cat >>confdefs.h <<\_ACEOF 20240
20241cat >>confdefs.h <<\_ACEOF
19178#define HAVE_STRUCT_SOCKADDR_STORAGE 1 20242#define HAVE_STRUCT_SOCKADDR_STORAGE 1
19179_ACEOF 20243_ACEOF
19180 20244
@@ -19239,7 +20303,8 @@ fi
19239echo "$as_me:$LINENO: result: $ac_cv_have_struct_sockaddr_in6" >&5 20303echo "$as_me:$LINENO: result: $ac_cv_have_struct_sockaddr_in6" >&5
19240echo "${ECHO_T}$ac_cv_have_struct_sockaddr_in6" >&6 20304echo "${ECHO_T}$ac_cv_have_struct_sockaddr_in6" >&6
19241if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then 20305if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
19242 cat >>confdefs.h <<\_ACEOF 20306
20307cat >>confdefs.h <<\_ACEOF
19243#define HAVE_STRUCT_SOCKADDR_IN6 1 20308#define HAVE_STRUCT_SOCKADDR_IN6 1
19244_ACEOF 20309_ACEOF
19245 20310
@@ -19304,7 +20369,8 @@ fi
19304echo "$as_me:$LINENO: result: $ac_cv_have_struct_in6_addr" >&5 20369echo "$as_me:$LINENO: result: $ac_cv_have_struct_in6_addr" >&5
19305echo "${ECHO_T}$ac_cv_have_struct_in6_addr" >&6 20370echo "${ECHO_T}$ac_cv_have_struct_in6_addr" >&6
19306if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then 20371if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
19307 cat >>confdefs.h <<\_ACEOF 20372
20373cat >>confdefs.h <<\_ACEOF
19308#define HAVE_STRUCT_IN6_ADDR 1 20374#define HAVE_STRUCT_IN6_ADDR 1
19309_ACEOF 20375_ACEOF
19310 20376
@@ -19370,7 +20436,8 @@ fi
19370echo "$as_me:$LINENO: result: $ac_cv_have_struct_addrinfo" >&5 20436echo "$as_me:$LINENO: result: $ac_cv_have_struct_addrinfo" >&5
19371echo "${ECHO_T}$ac_cv_have_struct_addrinfo" >&6 20437echo "${ECHO_T}$ac_cv_have_struct_addrinfo" >&6
19372if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then 20438if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
19373 cat >>confdefs.h <<\_ACEOF 20439
20440cat >>confdefs.h <<\_ACEOF
19374#define HAVE_STRUCT_ADDRINFO 1 20441#define HAVE_STRUCT_ADDRINFO 1
19375_ACEOF 20442_ACEOF
19376 20443
@@ -19432,7 +20499,8 @@ fi
19432echo "$as_me:$LINENO: result: $ac_cv_have_struct_timeval" >&5 20499echo "$as_me:$LINENO: result: $ac_cv_have_struct_timeval" >&5
19433echo "${ECHO_T}$ac_cv_have_struct_timeval" >&6 20500echo "${ECHO_T}$ac_cv_have_struct_timeval" >&6
19434if test "x$ac_cv_have_struct_timeval" = "xyes" ; then 20501if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
19435 cat >>confdefs.h <<\_ACEOF 20502
20503cat >>confdefs.h <<\_ACEOF
19436#define HAVE_STRUCT_TIMEVAL 1 20504#define HAVE_STRUCT_TIMEVAL 1
19437_ACEOF 20505_ACEOF
19438 20506
@@ -19610,7 +20678,8 @@ fi
19610 echo "$as_me:$LINENO: result: $ossh_result" >&5 20678 echo "$as_me:$LINENO: result: $ossh_result" >&5
19611echo "${ECHO_T}$ossh_result" >&6 20679echo "${ECHO_T}$ossh_result" >&6
19612 if test "x$ossh_result" = "xyes"; then 20680 if test "x$ossh_result" = "xyes"; then
19613 cat >>confdefs.h <<\_ACEOF 20681
20682cat >>confdefs.h <<\_ACEOF
19614#define HAVE_HOST_IN_UTMP 1 20683#define HAVE_HOST_IN_UTMP 1
19615_ACEOF 20684_ACEOF
19616 20685
@@ -19654,7 +20723,8 @@ fi
19654 echo "$as_me:$LINENO: result: $ossh_result" >&5 20723 echo "$as_me:$LINENO: result: $ossh_result" >&5
19655echo "${ECHO_T}$ossh_result" >&6 20724echo "${ECHO_T}$ossh_result" >&6
19656 if test "x$ossh_result" = "xyes"; then 20725 if test "x$ossh_result" = "xyes"; then
19657 cat >>confdefs.h <<\_ACEOF 20726
20727cat >>confdefs.h <<\_ACEOF
19658#define HAVE_HOST_IN_UTMPX 1 20728#define HAVE_HOST_IN_UTMPX 1
19659_ACEOF 20729_ACEOF
19660 20730
@@ -19698,7 +20768,8 @@ fi
19698 echo "$as_me:$LINENO: result: $ossh_result" >&5 20768 echo "$as_me:$LINENO: result: $ossh_result" >&5
19699echo "${ECHO_T}$ossh_result" >&6 20769echo "${ECHO_T}$ossh_result" >&6
19700 if test "x$ossh_result" = "xyes"; then 20770 if test "x$ossh_result" = "xyes"; then
19701 cat >>confdefs.h <<\_ACEOF 20771
20772cat >>confdefs.h <<\_ACEOF
19702#define HAVE_SYSLEN_IN_UTMPX 1 20773#define HAVE_SYSLEN_IN_UTMPX 1
19703_ACEOF 20774_ACEOF
19704 20775
@@ -19742,7 +20813,8 @@ fi
19742 echo "$as_me:$LINENO: result: $ossh_result" >&5 20813 echo "$as_me:$LINENO: result: $ossh_result" >&5
19743echo "${ECHO_T}$ossh_result" >&6 20814echo "${ECHO_T}$ossh_result" >&6
19744 if test "x$ossh_result" = "xyes"; then 20815 if test "x$ossh_result" = "xyes"; then
19745 cat >>confdefs.h <<\_ACEOF 20816
20817cat >>confdefs.h <<\_ACEOF
19746#define HAVE_PID_IN_UTMP 1 20818#define HAVE_PID_IN_UTMP 1
19747_ACEOF 20819_ACEOF
19748 20820
@@ -19786,7 +20858,8 @@ fi
19786 echo "$as_me:$LINENO: result: $ossh_result" >&5 20858 echo "$as_me:$LINENO: result: $ossh_result" >&5
19787echo "${ECHO_T}$ossh_result" >&6 20859echo "${ECHO_T}$ossh_result" >&6
19788 if test "x$ossh_result" = "xyes"; then 20860 if test "x$ossh_result" = "xyes"; then
19789 cat >>confdefs.h <<\_ACEOF 20861
20862cat >>confdefs.h <<\_ACEOF
19790#define HAVE_TYPE_IN_UTMP 1 20863#define HAVE_TYPE_IN_UTMP 1
19791_ACEOF 20864_ACEOF
19792 20865
@@ -19830,7 +20903,8 @@ fi
19830 echo "$as_me:$LINENO: result: $ossh_result" >&5 20903 echo "$as_me:$LINENO: result: $ossh_result" >&5
19831echo "${ECHO_T}$ossh_result" >&6 20904echo "${ECHO_T}$ossh_result" >&6
19832 if test "x$ossh_result" = "xyes"; then 20905 if test "x$ossh_result" = "xyes"; then
19833 cat >>confdefs.h <<\_ACEOF 20906
20907cat >>confdefs.h <<\_ACEOF
19834#define HAVE_TYPE_IN_UTMPX 1 20908#define HAVE_TYPE_IN_UTMPX 1
19835_ACEOF 20909_ACEOF
19836 20910
@@ -19874,7 +20948,8 @@ fi
19874 echo "$as_me:$LINENO: result: $ossh_result" >&5 20948 echo "$as_me:$LINENO: result: $ossh_result" >&5
19875echo "${ECHO_T}$ossh_result" >&6 20949echo "${ECHO_T}$ossh_result" >&6
19876 if test "x$ossh_result" = "xyes"; then 20950 if test "x$ossh_result" = "xyes"; then
19877 cat >>confdefs.h <<\_ACEOF 20951
20952cat >>confdefs.h <<\_ACEOF
19878#define HAVE_TV_IN_UTMP 1 20953#define HAVE_TV_IN_UTMP 1
19879_ACEOF 20954_ACEOF
19880 20955
@@ -19918,7 +20993,8 @@ fi
19918 echo "$as_me:$LINENO: result: $ossh_result" >&5 20993 echo "$as_me:$LINENO: result: $ossh_result" >&5
19919echo "${ECHO_T}$ossh_result" >&6 20994echo "${ECHO_T}$ossh_result" >&6
19920 if test "x$ossh_result" = "xyes"; then 20995 if test "x$ossh_result" = "xyes"; then
19921 cat >>confdefs.h <<\_ACEOF 20996
20997cat >>confdefs.h <<\_ACEOF
19922#define HAVE_ID_IN_UTMP 1 20998#define HAVE_ID_IN_UTMP 1
19923_ACEOF 20999_ACEOF
19924 21000
@@ -19962,7 +21038,8 @@ fi
19962 echo "$as_me:$LINENO: result: $ossh_result" >&5 21038 echo "$as_me:$LINENO: result: $ossh_result" >&5
19963echo "${ECHO_T}$ossh_result" >&6 21039echo "${ECHO_T}$ossh_result" >&6
19964 if test "x$ossh_result" = "xyes"; then 21040 if test "x$ossh_result" = "xyes"; then
19965 cat >>confdefs.h <<\_ACEOF 21041
21042cat >>confdefs.h <<\_ACEOF
19966#define HAVE_ID_IN_UTMPX 1 21043#define HAVE_ID_IN_UTMPX 1
19967_ACEOF 21044_ACEOF
19968 21045
@@ -20006,7 +21083,8 @@ fi
20006 echo "$as_me:$LINENO: result: $ossh_result" >&5 21083 echo "$as_me:$LINENO: result: $ossh_result" >&5
20007echo "${ECHO_T}$ossh_result" >&6 21084echo "${ECHO_T}$ossh_result" >&6
20008 if test "x$ossh_result" = "xyes"; then 21085 if test "x$ossh_result" = "xyes"; then
20009 cat >>confdefs.h <<\_ACEOF 21086
21087cat >>confdefs.h <<\_ACEOF
20010#define HAVE_ADDR_IN_UTMP 1 21088#define HAVE_ADDR_IN_UTMP 1
20011_ACEOF 21089_ACEOF
20012 21090
@@ -20050,7 +21128,8 @@ fi
20050 echo "$as_me:$LINENO: result: $ossh_result" >&5 21128 echo "$as_me:$LINENO: result: $ossh_result" >&5
20051echo "${ECHO_T}$ossh_result" >&6 21129echo "${ECHO_T}$ossh_result" >&6
20052 if test "x$ossh_result" = "xyes"; then 21130 if test "x$ossh_result" = "xyes"; then
20053 cat >>confdefs.h <<\_ACEOF 21131
21132cat >>confdefs.h <<\_ACEOF
20054#define HAVE_ADDR_IN_UTMPX 1 21133#define HAVE_ADDR_IN_UTMPX 1
20055_ACEOF 21134_ACEOF
20056 21135
@@ -20094,7 +21173,8 @@ fi
20094 echo "$as_me:$LINENO: result: $ossh_result" >&5 21173 echo "$as_me:$LINENO: result: $ossh_result" >&5
20095echo "${ECHO_T}$ossh_result" >&6 21174echo "${ECHO_T}$ossh_result" >&6
20096 if test "x$ossh_result" = "xyes"; then 21175 if test "x$ossh_result" = "xyes"; then
20097 cat >>confdefs.h <<\_ACEOF 21176
21177cat >>confdefs.h <<\_ACEOF
20098#define HAVE_ADDR_V6_IN_UTMP 1 21178#define HAVE_ADDR_V6_IN_UTMP 1
20099_ACEOF 21179_ACEOF
20100 21180
@@ -20138,7 +21218,8 @@ fi
20138 echo "$as_me:$LINENO: result: $ossh_result" >&5 21218 echo "$as_me:$LINENO: result: $ossh_result" >&5
20139echo "${ECHO_T}$ossh_result" >&6 21219echo "${ECHO_T}$ossh_result" >&6
20140 if test "x$ossh_result" = "xyes"; then 21220 if test "x$ossh_result" = "xyes"; then
20141 cat >>confdefs.h <<\_ACEOF 21221
21222cat >>confdefs.h <<\_ACEOF
20142#define HAVE_ADDR_V6_IN_UTMPX 1 21223#define HAVE_ADDR_V6_IN_UTMPX 1
20143_ACEOF 21224_ACEOF
20144 21225
@@ -20182,7 +21263,8 @@ fi
20182 echo "$as_me:$LINENO: result: $ossh_result" >&5 21263 echo "$as_me:$LINENO: result: $ossh_result" >&5
20183echo "${ECHO_T}$ossh_result" >&6 21264echo "${ECHO_T}$ossh_result" >&6
20184 if test "x$ossh_result" = "xyes"; then 21265 if test "x$ossh_result" = "xyes"; then
20185 cat >>confdefs.h <<\_ACEOF 21266
21267cat >>confdefs.h <<\_ACEOF
20186#define HAVE_EXIT_IN_UTMP 1 21268#define HAVE_EXIT_IN_UTMP 1
20187_ACEOF 21269_ACEOF
20188 21270
@@ -20226,7 +21308,8 @@ fi
20226 echo "$as_me:$LINENO: result: $ossh_result" >&5 21308 echo "$as_me:$LINENO: result: $ossh_result" >&5
20227echo "${ECHO_T}$ossh_result" >&6 21309echo "${ECHO_T}$ossh_result" >&6
20228 if test "x$ossh_result" = "xyes"; then 21310 if test "x$ossh_result" = "xyes"; then
20229 cat >>confdefs.h <<\_ACEOF 21311
21312cat >>confdefs.h <<\_ACEOF
20230#define HAVE_TIME_IN_UTMP 1 21313#define HAVE_TIME_IN_UTMP 1
20231_ACEOF 21314_ACEOF
20232 21315
@@ -20270,7 +21353,8 @@ fi
20270 echo "$as_me:$LINENO: result: $ossh_result" >&5 21353 echo "$as_me:$LINENO: result: $ossh_result" >&5
20271echo "${ECHO_T}$ossh_result" >&6 21354echo "${ECHO_T}$ossh_result" >&6
20272 if test "x$ossh_result" = "xyes"; then 21355 if test "x$ossh_result" = "xyes"; then
20273 cat >>confdefs.h <<\_ACEOF 21356
21357cat >>confdefs.h <<\_ACEOF
20274#define HAVE_TIME_IN_UTMPX 1 21358#define HAVE_TIME_IN_UTMPX 1
20275_ACEOF 21359_ACEOF
20276 21360
@@ -20314,7 +21398,8 @@ fi
20314 echo "$as_me:$LINENO: result: $ossh_result" >&5 21398 echo "$as_me:$LINENO: result: $ossh_result" >&5
20315echo "${ECHO_T}$ossh_result" >&6 21399echo "${ECHO_T}$ossh_result" >&6
20316 if test "x$ossh_result" = "xyes"; then 21400 if test "x$ossh_result" = "xyes"; then
20317 cat >>confdefs.h <<\_ACEOF 21401
21402cat >>confdefs.h <<\_ACEOF
20318#define HAVE_TV_IN_UTMPX 1 21403#define HAVE_TV_IN_UTMPX 1
20319_ACEOF 21404_ACEOF
20320 21405
@@ -20433,6 +21518,133 @@ _ACEOF
20433 21518
20434fi 21519fi
20435 21520
21521echo "$as_me:$LINENO: checking for struct __res_state.retrans" >&5
21522echo $ECHO_N "checking for struct __res_state.retrans... $ECHO_C" >&6
21523if test "${ac_cv_member_struct___res_state_retrans+set}" = set; then
21524 echo $ECHO_N "(cached) $ECHO_C" >&6
21525else
21526 cat >conftest.$ac_ext <<_ACEOF
21527/* confdefs.h. */
21528_ACEOF
21529cat confdefs.h >>conftest.$ac_ext
21530cat >>conftest.$ac_ext <<_ACEOF
21531/* end confdefs.h. */
21532
21533#include <stdio.h>
21534#if HAVE_SYS_TYPES_H
21535# include <sys/types.h>
21536#endif
21537#include <netinet/in.h>
21538#include <arpa/nameser.h>
21539#include <resolv.h>
21540
21541
21542int
21543main ()
21544{
21545static struct __res_state ac_aggr;
21546if (ac_aggr.retrans)
21547return 0;
21548 ;
21549 return 0;
21550}
21551_ACEOF
21552rm -f conftest.$ac_objext
21553if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
21554 (eval $ac_compile) 2>conftest.er1
21555 ac_status=$?
21556 grep -v '^ *+' conftest.er1 >conftest.err
21557 rm -f conftest.er1
21558 cat conftest.err >&5
21559 echo "$as_me:$LINENO: \$? = $ac_status" >&5
21560 (exit $ac_status); } &&
21561 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
21562 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
21563 (eval $ac_try) 2>&5
21564 ac_status=$?
21565 echo "$as_me:$LINENO: \$? = $ac_status" >&5
21566 (exit $ac_status); }; } &&
21567 { ac_try='test -s conftest.$ac_objext'
21568 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
21569 (eval $ac_try) 2>&5
21570 ac_status=$?
21571 echo "$as_me:$LINENO: \$? = $ac_status" >&5
21572 (exit $ac_status); }; }; then
21573 ac_cv_member_struct___res_state_retrans=yes
21574else
21575 echo "$as_me: failed program was:" >&5
21576sed 's/^/| /' conftest.$ac_ext >&5
21577
21578cat >conftest.$ac_ext <<_ACEOF
21579/* confdefs.h. */
21580_ACEOF
21581cat confdefs.h >>conftest.$ac_ext
21582cat >>conftest.$ac_ext <<_ACEOF
21583/* end confdefs.h. */
21584
21585#include <stdio.h>
21586#if HAVE_SYS_TYPES_H
21587# include <sys/types.h>
21588#endif
21589#include <netinet/in.h>
21590#include <arpa/nameser.h>
21591#include <resolv.h>
21592
21593
21594int
21595main ()
21596{
21597static struct __res_state ac_aggr;
21598if (sizeof ac_aggr.retrans)
21599return 0;
21600 ;
21601 return 0;
21602}
21603_ACEOF
21604rm -f conftest.$ac_objext
21605if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
21606 (eval $ac_compile) 2>conftest.er1
21607 ac_status=$?
21608 grep -v '^ *+' conftest.er1 >conftest.err
21609 rm -f conftest.er1
21610 cat conftest.err >&5
21611 echo "$as_me:$LINENO: \$? = $ac_status" >&5
21612 (exit $ac_status); } &&
21613 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
21614 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
21615 (eval $ac_try) 2>&5
21616 ac_status=$?
21617 echo "$as_me:$LINENO: \$? = $ac_status" >&5
21618 (exit $ac_status); }; } &&
21619 { ac_try='test -s conftest.$ac_objext'
21620 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
21621 (eval $ac_try) 2>&5
21622 ac_status=$?
21623 echo "$as_me:$LINENO: \$? = $ac_status" >&5
21624 (exit $ac_status); }; }; then
21625 ac_cv_member_struct___res_state_retrans=yes
21626else
21627 echo "$as_me: failed program was:" >&5
21628sed 's/^/| /' conftest.$ac_ext >&5
21629
21630ac_cv_member_struct___res_state_retrans=no
21631fi
21632rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
21633fi
21634rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
21635fi
21636echo "$as_me:$LINENO: result: $ac_cv_member_struct___res_state_retrans" >&5
21637echo "${ECHO_T}$ac_cv_member_struct___res_state_retrans" >&6
21638if test $ac_cv_member_struct___res_state_retrans = yes; then
21639 :
21640else
21641
21642cat >>confdefs.h <<\_ACEOF
21643#define __res_state state
21644_ACEOF
21645
21646fi
21647
20436 21648
20437echo "$as_me:$LINENO: checking for ss_family field in struct sockaddr_storage" >&5 21649echo "$as_me:$LINENO: checking for ss_family field in struct sockaddr_storage" >&5
20438echo $ECHO_N "checking for ss_family field in struct sockaddr_storage... $ECHO_C" >&6 21650echo $ECHO_N "checking for ss_family field in struct sockaddr_storage... $ECHO_C" >&6
@@ -20492,7 +21704,8 @@ fi
20492echo "$as_me:$LINENO: result: $ac_cv_have_ss_family_in_struct_ss" >&5 21704echo "$as_me:$LINENO: result: $ac_cv_have_ss_family_in_struct_ss" >&5
20493echo "${ECHO_T}$ac_cv_have_ss_family_in_struct_ss" >&6 21705echo "${ECHO_T}$ac_cv_have_ss_family_in_struct_ss" >&6
20494if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then 21706if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
20495 cat >>confdefs.h <<\_ACEOF 21707
21708cat >>confdefs.h <<\_ACEOF
20496#define HAVE_SS_FAMILY_IN_SS 1 21709#define HAVE_SS_FAMILY_IN_SS 1
20497_ACEOF 21710_ACEOF
20498 21711
@@ -20557,7 +21770,8 @@ fi
20557echo "$as_me:$LINENO: result: $ac_cv_have___ss_family_in_struct_ss" >&5 21770echo "$as_me:$LINENO: result: $ac_cv_have___ss_family_in_struct_ss" >&5
20558echo "${ECHO_T}$ac_cv_have___ss_family_in_struct_ss" >&6 21771echo "${ECHO_T}$ac_cv_have___ss_family_in_struct_ss" >&6
20559if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then 21772if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
20560 cat >>confdefs.h <<\_ACEOF 21773
21774cat >>confdefs.h <<\_ACEOF
20561#define HAVE___SS_FAMILY_IN_SS 1 21775#define HAVE___SS_FAMILY_IN_SS 1
20562_ACEOF 21776_ACEOF
20563 21777
@@ -20621,7 +21835,8 @@ fi
20621echo "$as_me:$LINENO: result: $ac_cv_have_pw_class_in_struct_passwd" >&5 21835echo "$as_me:$LINENO: result: $ac_cv_have_pw_class_in_struct_passwd" >&5
20622echo "${ECHO_T}$ac_cv_have_pw_class_in_struct_passwd" >&6 21836echo "${ECHO_T}$ac_cv_have_pw_class_in_struct_passwd" >&6
20623if test "x$ac_cv_have_pw_class_in_struct_passwd" = "xyes" ; then 21837if test "x$ac_cv_have_pw_class_in_struct_passwd" = "xyes" ; then
20624 cat >>confdefs.h <<\_ACEOF 21838
21839cat >>confdefs.h <<\_ACEOF
20625#define HAVE_PW_CLASS_IN_PASSWD 1 21840#define HAVE_PW_CLASS_IN_PASSWD 1
20626_ACEOF 21841_ACEOF
20627 21842
@@ -20685,7 +21900,8 @@ fi
20685echo "$as_me:$LINENO: result: $ac_cv_have_pw_expire_in_struct_passwd" >&5 21900echo "$as_me:$LINENO: result: $ac_cv_have_pw_expire_in_struct_passwd" >&5
20686echo "${ECHO_T}$ac_cv_have_pw_expire_in_struct_passwd" >&6 21901echo "${ECHO_T}$ac_cv_have_pw_expire_in_struct_passwd" >&6
20687if test "x$ac_cv_have_pw_expire_in_struct_passwd" = "xyes" ; then 21902if test "x$ac_cv_have_pw_expire_in_struct_passwd" = "xyes" ; then
20688 cat >>confdefs.h <<\_ACEOF 21903
21904cat >>confdefs.h <<\_ACEOF
20689#define HAVE_PW_EXPIRE_IN_PASSWD 1 21905#define HAVE_PW_EXPIRE_IN_PASSWD 1
20690_ACEOF 21906_ACEOF
20691 21907
@@ -20749,7 +21965,8 @@ fi
20749echo "$as_me:$LINENO: result: $ac_cv_have_pw_change_in_struct_passwd" >&5 21965echo "$as_me:$LINENO: result: $ac_cv_have_pw_change_in_struct_passwd" >&5
20750echo "${ECHO_T}$ac_cv_have_pw_change_in_struct_passwd" >&6 21966echo "${ECHO_T}$ac_cv_have_pw_change_in_struct_passwd" >&6
20751if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then 21967if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then
20752 cat >>confdefs.h <<\_ACEOF 21968
21969cat >>confdefs.h <<\_ACEOF
20753#define HAVE_PW_CHANGE_IN_PASSWD 1 21970#define HAVE_PW_CHANGE_IN_PASSWD 1
20754_ACEOF 21971_ACEOF
20755 21972
@@ -20812,7 +22029,8 @@ fi
20812echo "$as_me:$LINENO: result: $ac_cv_have_accrights_in_msghdr" >&5 22029echo "$as_me:$LINENO: result: $ac_cv_have_accrights_in_msghdr" >&5
20813echo "${ECHO_T}$ac_cv_have_accrights_in_msghdr" >&6 22030echo "${ECHO_T}$ac_cv_have_accrights_in_msghdr" >&6
20814if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then 22031if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
20815 cat >>confdefs.h <<\_ACEOF 22032
22033cat >>confdefs.h <<\_ACEOF
20816#define HAVE_ACCRIGHTS_IN_MSGHDR 1 22034#define HAVE_ACCRIGHTS_IN_MSGHDR 1
20817_ACEOF 22035_ACEOF
20818 22036
@@ -20875,7 +22093,8 @@ fi
20875echo "$as_me:$LINENO: result: $ac_cv_have_control_in_msghdr" >&5 22093echo "$as_me:$LINENO: result: $ac_cv_have_control_in_msghdr" >&5
20876echo "${ECHO_T}$ac_cv_have_control_in_msghdr" >&6 22094echo "${ECHO_T}$ac_cv_have_control_in_msghdr" >&6
20877if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then 22095if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
20878 cat >>confdefs.h <<\_ACEOF 22096
22097cat >>confdefs.h <<\_ACEOF
20879#define HAVE_CONTROL_IN_MSGHDR 1 22098#define HAVE_CONTROL_IN_MSGHDR 1
20880_ACEOF 22099_ACEOF
20881 22100
@@ -20938,7 +22157,8 @@ fi
20938echo "$as_me:$LINENO: result: $ac_cv_libc_defines___progname" >&5 22157echo "$as_me:$LINENO: result: $ac_cv_libc_defines___progname" >&5
20939echo "${ECHO_T}$ac_cv_libc_defines___progname" >&6 22158echo "${ECHO_T}$ac_cv_libc_defines___progname" >&6
20940if test "x$ac_cv_libc_defines___progname" = "xyes" ; then 22159if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
20941 cat >>confdefs.h <<\_ACEOF 22160
22161cat >>confdefs.h <<\_ACEOF
20942#define HAVE___PROGNAME 1 22162#define HAVE___PROGNAME 1
20943_ACEOF 22163_ACEOF
20944 22164
@@ -21003,7 +22223,8 @@ fi
21003echo "$as_me:$LINENO: result: $ac_cv_cc_implements___FUNCTION__" >&5 22223echo "$as_me:$LINENO: result: $ac_cv_cc_implements___FUNCTION__" >&5
21004echo "${ECHO_T}$ac_cv_cc_implements___FUNCTION__" >&6 22224echo "${ECHO_T}$ac_cv_cc_implements___FUNCTION__" >&6
21005if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then 22225if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
21006 cat >>confdefs.h <<\_ACEOF 22226
22227cat >>confdefs.h <<\_ACEOF
21007#define HAVE___FUNCTION__ 1 22228#define HAVE___FUNCTION__ 1
21008_ACEOF 22229_ACEOF
21009 22230
@@ -21068,12 +22289,143 @@ fi
21068echo "$as_me:$LINENO: result: $ac_cv_cc_implements___func__" >&5 22289echo "$as_me:$LINENO: result: $ac_cv_cc_implements___func__" >&5
21069echo "${ECHO_T}$ac_cv_cc_implements___func__" >&6 22290echo "${ECHO_T}$ac_cv_cc_implements___func__" >&6
21070if test "x$ac_cv_cc_implements___func__" = "xyes" ; then 22291if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
21071 cat >>confdefs.h <<\_ACEOF 22292
22293cat >>confdefs.h <<\_ACEOF
21072#define HAVE___func__ 1 22294#define HAVE___func__ 1
21073_ACEOF 22295_ACEOF
21074 22296
21075fi 22297fi
21076 22298
22299echo "$as_me:$LINENO: checking whether va_copy exists" >&5
22300echo $ECHO_N "checking whether va_copy exists... $ECHO_C" >&6
22301if test "${ac_cv_have_va_copy+set}" = set; then
22302 echo $ECHO_N "(cached) $ECHO_C" >&6
22303else
22304
22305 cat >conftest.$ac_ext <<_ACEOF
22306/* confdefs.h. */
22307_ACEOF
22308cat confdefs.h >>conftest.$ac_ext
22309cat >>conftest.$ac_ext <<_ACEOF
22310/* end confdefs.h. */
22311#include <stdarg.h>
22312 va_list x,y;
22313int
22314main ()
22315{
22316va_copy(x,y);
22317 ;
22318 return 0;
22319}
22320_ACEOF
22321rm -f conftest.$ac_objext conftest$ac_exeext
22322if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
22323 (eval $ac_link) 2>conftest.er1
22324 ac_status=$?
22325 grep -v '^ *+' conftest.er1 >conftest.err
22326 rm -f conftest.er1
22327 cat conftest.err >&5
22328 echo "$as_me:$LINENO: \$? = $ac_status" >&5
22329 (exit $ac_status); } &&
22330 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
22331 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
22332 (eval $ac_try) 2>&5
22333 ac_status=$?
22334 echo "$as_me:$LINENO: \$? = $ac_status" >&5
22335 (exit $ac_status); }; } &&
22336 { ac_try='test -s conftest$ac_exeext'
22337 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
22338 (eval $ac_try) 2>&5
22339 ac_status=$?
22340 echo "$as_me:$LINENO: \$? = $ac_status" >&5
22341 (exit $ac_status); }; }; then
22342 ac_cv_have_va_copy="yes"
22343else
22344 echo "$as_me: failed program was:" >&5
22345sed 's/^/| /' conftest.$ac_ext >&5
22346
22347 ac_cv_have_va_copy="no"
22348
22349fi
22350rm -f conftest.err conftest.$ac_objext \
22351 conftest$ac_exeext conftest.$ac_ext
22352
22353fi
22354echo "$as_me:$LINENO: result: $ac_cv_have_va_copy" >&5
22355echo "${ECHO_T}$ac_cv_have_va_copy" >&6
22356if test "x$ac_cv_have_va_copy" = "xyes" ; then
22357
22358cat >>confdefs.h <<\_ACEOF
22359#define HAVE_VA_COPY 1
22360_ACEOF
22361
22362fi
22363
22364echo "$as_me:$LINENO: checking whether __va_copy exists" >&5
22365echo $ECHO_N "checking whether __va_copy exists... $ECHO_C" >&6
22366if test "${ac_cv_have___va_copy+set}" = set; then
22367 echo $ECHO_N "(cached) $ECHO_C" >&6
22368else
22369
22370 cat >conftest.$ac_ext <<_ACEOF
22371/* confdefs.h. */
22372_ACEOF
22373cat confdefs.h >>conftest.$ac_ext
22374cat >>conftest.$ac_ext <<_ACEOF
22375/* end confdefs.h. */
22376#include <stdarg.h>
22377 va_list x,y;
22378int
22379main ()
22380{
22381__va_copy(x,y);
22382 ;
22383 return 0;
22384}
22385_ACEOF
22386rm -f conftest.$ac_objext conftest$ac_exeext
22387if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
22388 (eval $ac_link) 2>conftest.er1
22389 ac_status=$?
22390 grep -v '^ *+' conftest.er1 >conftest.err
22391 rm -f conftest.er1
22392 cat conftest.err >&5
22393 echo "$as_me:$LINENO: \$? = $ac_status" >&5
22394 (exit $ac_status); } &&
22395 { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
22396 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
22397 (eval $ac_try) 2>&5
22398 ac_status=$?
22399 echo "$as_me:$LINENO: \$? = $ac_status" >&5
22400 (exit $ac_status); }; } &&
22401 { ac_try='test -s conftest$ac_exeext'
22402 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
22403 (eval $ac_try) 2>&5
22404 ac_status=$?
22405 echo "$as_me:$LINENO: \$? = $ac_status" >&5
22406 (exit $ac_status); }; }; then
22407 ac_cv_have___va_copy="yes"
22408else
22409 echo "$as_me: failed program was:" >&5
22410sed 's/^/| /' conftest.$ac_ext >&5
22411
22412 ac_cv_have___va_copy="no"
22413
22414fi
22415rm -f conftest.err conftest.$ac_objext \
22416 conftest$ac_exeext conftest.$ac_ext
22417
22418fi
22419echo "$as_me:$LINENO: result: $ac_cv_have___va_copy" >&5
22420echo "${ECHO_T}$ac_cv_have___va_copy" >&6
22421if test "x$ac_cv_have___va_copy" = "xyes" ; then
22422
22423cat >>confdefs.h <<\_ACEOF
22424#define HAVE___VA_COPY 1
22425_ACEOF
22426
22427fi
22428
21077echo "$as_me:$LINENO: checking whether getopt has optreset support" >&5 22429echo "$as_me:$LINENO: checking whether getopt has optreset support" >&5
21078echo $ECHO_N "checking whether getopt has optreset support... $ECHO_C" >&6 22430echo $ECHO_N "checking whether getopt has optreset support... $ECHO_C" >&6
21079if test "${ac_cv_have_getopt_optreset+set}" = set; then 22431if test "${ac_cv_have_getopt_optreset+set}" = set; then
@@ -21133,7 +22485,8 @@ fi
21133echo "$as_me:$LINENO: result: $ac_cv_have_getopt_optreset" >&5 22485echo "$as_me:$LINENO: result: $ac_cv_have_getopt_optreset" >&5
21134echo "${ECHO_T}$ac_cv_have_getopt_optreset" >&6 22486echo "${ECHO_T}$ac_cv_have_getopt_optreset" >&6
21135if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then 22487if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
21136 cat >>confdefs.h <<\_ACEOF 22488
22489cat >>confdefs.h <<\_ACEOF
21137#define HAVE_GETOPT_OPTRESET 1 22490#define HAVE_GETOPT_OPTRESET 1
21138_ACEOF 22491_ACEOF
21139 22492
@@ -21196,7 +22549,8 @@ fi
21196echo "$as_me:$LINENO: result: $ac_cv_libc_defines_sys_errlist" >&5 22549echo "$as_me:$LINENO: result: $ac_cv_libc_defines_sys_errlist" >&5
21197echo "${ECHO_T}$ac_cv_libc_defines_sys_errlist" >&6 22550echo "${ECHO_T}$ac_cv_libc_defines_sys_errlist" >&6
21198if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then 22551if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
21199 cat >>confdefs.h <<\_ACEOF 22552
22553cat >>confdefs.h <<\_ACEOF
21200#define HAVE_SYS_ERRLIST 1 22554#define HAVE_SYS_ERRLIST 1
21201_ACEOF 22555_ACEOF
21202 22556
@@ -21260,7 +22614,8 @@ fi
21260echo "$as_me:$LINENO: result: $ac_cv_libc_defines_sys_nerr" >&5 22614echo "$as_me:$LINENO: result: $ac_cv_libc_defines_sys_nerr" >&5
21261echo "${ECHO_T}$ac_cv_libc_defines_sys_nerr" >&6 22615echo "${ECHO_T}$ac_cv_libc_defines_sys_nerr" >&6
21262if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then 22616if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
21263 cat >>confdefs.h <<\_ACEOF 22617
22618cat >>confdefs.h <<\_ACEOF
21264#define HAVE_SYS_NERR 1 22619#define HAVE_SYS_NERR 1
21265_ACEOF 22620_ACEOF
21266 22621
@@ -21516,11 +22871,13 @@ fi
21516echo "$as_me: error: Can't find libsectok" >&2;} 22871echo "$as_me: error: Can't find libsectok" >&2;}
21517 { (exit 1); exit 1; }; } 22872 { (exit 1); exit 1; }; }
21518 fi 22873 fi
21519 cat >>confdefs.h <<\_ACEOF 22874
22875cat >>confdefs.h <<\_ACEOF
21520#define SMARTCARD 1 22876#define SMARTCARD 1
21521_ACEOF 22877_ACEOF
21522 22878
21523 cat >>confdefs.h <<\_ACEOF 22879
22880cat >>confdefs.h <<\_ACEOF
21524#define USE_SECTOK 1 22881#define USE_SECTOK 1
21525_ACEOF 22882_ACEOF
21526 22883
@@ -21591,7 +22948,8 @@ fi
21591#define SMARTCARD 1 22948#define SMARTCARD 1
21592_ACEOF 22949_ACEOF
21593 22950
21594 cat >>confdefs.h <<\_ACEOF 22951
22952cat >>confdefs.h <<\_ACEOF
21595#define USE_OPENSC 1 22953#define USE_OPENSC 1
21596_ACEOF 22954_ACEOF
21597 22955
@@ -21724,7 +23082,8 @@ echo "$as_me:$LINENO: result: $ac_cv_search_getrrsetbyname" >&5
21724echo "${ECHO_T}$ac_cv_search_getrrsetbyname" >&6 23082echo "${ECHO_T}$ac_cv_search_getrrsetbyname" >&6
21725if test "$ac_cv_search_getrrsetbyname" != no; then 23083if test "$ac_cv_search_getrrsetbyname" != no; then
21726 test "$ac_cv_search_getrrsetbyname" = "none required" || LIBS="$ac_cv_search_getrrsetbyname $LIBS" 23084 test "$ac_cv_search_getrrsetbyname" = "none required" || LIBS="$ac_cv_search_getrrsetbyname $LIBS"
21727 cat >>confdefs.h <<\_ACEOF 23085
23086cat >>confdefs.h <<\_ACEOF
21728#define HAVE_GETRRSETBYNAME 1 23087#define HAVE_GETRRSETBYNAME 1
21729_ACEOF 23088_ACEOF
21730 23089
@@ -22432,7 +23791,8 @@ fi
22432echo "$as_me:$LINENO: result: $ac_cv_member_HEADER_ad" >&5 23791echo "$as_me:$LINENO: result: $ac_cv_member_HEADER_ad" >&5
22433echo "${ECHO_T}$ac_cv_member_HEADER_ad" >&6 23792echo "${ECHO_T}$ac_cv_member_HEADER_ad" >&6
22434if test $ac_cv_member_HEADER_ad = yes; then 23793if test $ac_cv_member_HEADER_ad = yes; then
22435 cat >>confdefs.h <<\_ACEOF 23794
23795cat >>confdefs.h <<\_ACEOF
22436#define HAVE_HEADER_AD 1 23796#define HAVE_HEADER_AD 1
22437_ACEOF 23797_ACEOF
22438 23798
@@ -22622,7 +23982,8 @@ if test "${with_kerberos5+set}" = set; then
22622 KRB5ROOT=${withval} 23982 KRB5ROOT=${withval}
22623 fi 23983 fi
22624 23984
22625 cat >>confdefs.h <<\_ACEOF 23985
23986cat >>confdefs.h <<\_ACEOF
22626#define KRB5 1 23987#define KRB5 1
22627_ACEOF 23988_ACEOF
22628 23989
@@ -22640,7 +24001,8 @@ echo $ECHO_N "checking for gssapi support... $ECHO_C" >&6
22640 if $KRB5CONF | grep gssapi >/dev/null ; then 24001 if $KRB5CONF | grep gssapi >/dev/null ; then
22641 echo "$as_me:$LINENO: result: yes" >&5 24002 echo "$as_me:$LINENO: result: yes" >&5
22642echo "${ECHO_T}yes" >&6 24003echo "${ECHO_T}yes" >&6
22643 cat >>confdefs.h <<\_ACEOF 24004
24005cat >>confdefs.h <<\_ACEOF
22644#define GSSAPI 1 24006#define GSSAPI 1
22645_ACEOF 24007_ACEOF
22646 24008
@@ -22693,7 +24055,8 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
22693 (exit $ac_status); }; }; then 24055 (exit $ac_status); }; }; then
22694 echo "$as_me:$LINENO: result: yes" >&5 24056 echo "$as_me:$LINENO: result: yes" >&5
22695echo "${ECHO_T}yes" >&6 24057echo "${ECHO_T}yes" >&6
22696 cat >>confdefs.h <<\_ACEOF 24058
24059cat >>confdefs.h <<\_ACEOF
22697#define HEIMDAL 1 24060#define HEIMDAL 1
22698_ACEOF 24061_ACEOF
22699 24062
@@ -23562,7 +24925,6 @@ fi
23562 if test ! -z "$blibpath" ; then 24925 if test ! -z "$blibpath" ; then
23563 blibpath="$blibpath:${KRB5ROOT}/lib" 24926 blibpath="$blibpath:${KRB5ROOT}/lib"
23564 fi 24927 fi
23565 fi
23566 24928
23567 24929
23568 24930
@@ -24015,8 +25377,8 @@ fi
24015done 25377done
24016 25378
24017 25379
24018 LIBS="$LIBS $K5LIBS" 25380 LIBS="$LIBS $K5LIBS"
24019 echo "$as_me:$LINENO: checking for library containing k_hasafs" >&5 25381 echo "$as_me:$LINENO: checking for library containing k_hasafs" >&5
24020echo $ECHO_N "checking for library containing k_hasafs... $ECHO_C" >&6 25382echo $ECHO_N "checking for library containing k_hasafs... $ECHO_C" >&6
24021if test "${ac_cv_search_k_hasafs+set}" = set; then 25383if test "${ac_cv_search_k_hasafs+set}" = set; then
24022 echo $ECHO_N "(cached) $ECHO_C" >&6 25384 echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -24137,12 +25499,14 @@ echo "$as_me:$LINENO: result: $ac_cv_search_k_hasafs" >&5
24137echo "${ECHO_T}$ac_cv_search_k_hasafs" >&6 25499echo "${ECHO_T}$ac_cv_search_k_hasafs" >&6
24138if test "$ac_cv_search_k_hasafs" != no; then 25500if test "$ac_cv_search_k_hasafs" != no; then
24139 test "$ac_cv_search_k_hasafs" = "none required" || LIBS="$ac_cv_search_k_hasafs $LIBS" 25501 test "$ac_cv_search_k_hasafs" = "none required" || LIBS="$ac_cv_search_k_hasafs $LIBS"
24140 cat >>confdefs.h <<\_ACEOF 25502
25503cat >>confdefs.h <<\_ACEOF
24141#define USE_AFS 1 25504#define USE_AFS 1
24142_ACEOF 25505_ACEOF
24143 25506
24144fi 25507fi
24145 25508
25509 fi
24146 25510
24147 25511
24148fi; 25512fi;
@@ -24244,7 +25608,8 @@ if test -z "$xauth_path" ; then
24244 XAUTH_PATH="undefined" 25608 XAUTH_PATH="undefined"
24245 25609
24246else 25610else
24247 cat >>confdefs.h <<_ACEOF 25611
25612cat >>confdefs.h <<_ACEOF
24248#define XAUTH_PATH "$xauth_path" 25613#define XAUTH_PATH "$xauth_path"
24249_ACEOF 25614_ACEOF
24250 25615
@@ -24255,7 +25620,8 @@ fi
24255# Check for mail directory (last resort if we cannot get it from headers) 25620# Check for mail directory (last resort if we cannot get it from headers)
24256if test ! -z "$MAIL" ; then 25621if test ! -z "$MAIL" ; then
24257 maildir=`dirname $MAIL` 25622 maildir=`dirname $MAIL`
24258 cat >>confdefs.h <<_ACEOF 25623
25624cat >>confdefs.h <<_ACEOF
24259#define MAIL_DIRECTORY "$maildir" 25625#define MAIL_DIRECTORY "$maildir"
24260_ACEOF 25626_ACEOF
24261 25627
@@ -24287,7 +25653,8 @@ echo "$as_me:$LINENO: result: $ac_cv_file___dev_ptmx_" >&5
24287echo "${ECHO_T}$ac_cv_file___dev_ptmx_" >&6 25653echo "${ECHO_T}$ac_cv_file___dev_ptmx_" >&6
24288if test $ac_cv_file___dev_ptmx_ = yes; then 25654if test $ac_cv_file___dev_ptmx_ = yes; then
24289 25655
24290 cat >>confdefs.h <<_ACEOF 25656
25657cat >>confdefs.h <<_ACEOF
24291#define HAVE_DEV_PTMX 1 25658#define HAVE_DEV_PTMX 1
24292_ACEOF 25659_ACEOF
24293 25660
@@ -24319,7 +25686,8 @@ echo "$as_me:$LINENO: result: $ac_cv_file___dev_ptc_" >&5
24319echo "${ECHO_T}$ac_cv_file___dev_ptc_" >&6 25686echo "${ECHO_T}$ac_cv_file___dev_ptc_" >&6
24320if test $ac_cv_file___dev_ptc_ = yes; then 25687if test $ac_cv_file___dev_ptc_ = yes; then
24321 25688
24322 cat >>confdefs.h <<_ACEOF 25689
25690cat >>confdefs.h <<_ACEOF
24323#define HAVE_DEV_PTS_AND_PTC 1 25691#define HAVE_DEV_PTS_AND_PTC 1
24324_ACEOF 25692_ACEOF
24325 25693
@@ -24423,7 +25791,8 @@ if test "${with_md5_passwords+set}" = set; then
24423 withval="$with_md5_passwords" 25791 withval="$with_md5_passwords"
24424 25792
24425 if test "x$withval" != "xno" ; then 25793 if test "x$withval" != "xno" ; then
24426 cat >>confdefs.h <<\_ACEOF 25794
25795cat >>confdefs.h <<\_ACEOF
24427#define HAVE_MD5_PASSWORDS 1 25796#define HAVE_MD5_PASSWORDS 1
24428_ACEOF 25797_ACEOF
24429 25798
@@ -24506,7 +25875,8 @@ rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
24506 if test "x$sp_expire_available" = "xyes" ; then 25875 if test "x$sp_expire_available" = "xyes" ; then
24507 echo "$as_me:$LINENO: result: yes" >&5 25876 echo "$as_me:$LINENO: result: yes" >&5
24508echo "${ECHO_T}yes" >&6 25877echo "${ECHO_T}yes" >&6
24509 cat >>confdefs.h <<\_ACEOF 25878
25879cat >>confdefs.h <<\_ACEOF
24510#define HAS_SHADOW_EXPIRE 1 25880#define HAS_SHADOW_EXPIRE 1
24511_ACEOF 25881_ACEOF
24512 25882
@@ -24519,7 +25889,8 @@ fi
24519# Use ip address instead of hostname in $DISPLAY 25889# Use ip address instead of hostname in $DISPLAY
24520if test ! -z "$IPADDR_IN_DISPLAY" ; then 25890if test ! -z "$IPADDR_IN_DISPLAY" ; then
24521 DISPLAY_HACK_MSG="yes" 25891 DISPLAY_HACK_MSG="yes"
24522 cat >>confdefs.h <<\_ACEOF 25892
25893cat >>confdefs.h <<\_ACEOF
24523#define IPADDR_IN_DISPLAY 1 25894#define IPADDR_IN_DISPLAY 1
24524_ACEOF 25895_ACEOF
24525 25896
@@ -24554,7 +25925,14 @@ echo "$as_me: /etc/default/login handling disabled" >&6;}
24554 etc_default_login=yes 25925 etc_default_login=yes
24555 fi 25926 fi
24556else 25927else
24557 etc_default_login=yes 25928 if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
25929 then
25930 { echo "$as_me:$LINENO: WARNING: cross compiling: not checking /etc/default/login" >&5
25931echo "$as_me: WARNING: cross compiling: not checking /etc/default/login" >&2;}
25932 etc_default_login=no
25933 else
25934 etc_default_login=yes
25935 fi
24558 25936
24559fi; 25937fi;
24560 25938
@@ -24580,12 +25958,9 @@ if test $ac_cv_file___etc_default_login_ = yes; then
24580 external_path_file=/etc/default/login 25958 external_path_file=/etc/default/login
24581fi 25959fi
24582 25960
24583 if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; 25961 if test "x$external_path_file" = "x/etc/default/login"; then
24584 then 25962
24585 { echo "$as_me:$LINENO: WARNING: cross compiling: Disabling /etc/default/login test" >&5 25963cat >>confdefs.h <<\_ACEOF
24586echo "$as_me: WARNING: cross compiling: Disabling /etc/default/login test" >&2;}
24587 elif test "x$external_path_file" = "x/etc/default/login"; then
24588 cat >>confdefs.h <<\_ACEOF
24589#define HAVE_ETC_DEFAULT_LOGIN 1 25964#define HAVE_ETC_DEFAULT_LOGIN 1
24590_ACEOF 25965_ACEOF
24591 25966
@@ -24724,7 +26099,8 @@ echo "${ECHO_T}Adding $t_bindir to USER_PATH so scp will work" >&6
24724 26099
24725fi; 26100fi;
24726if test "x$external_path_file" != "x/etc/login.conf" ; then 26101if test "x$external_path_file" != "x/etc/login.conf" ; then
24727 cat >>confdefs.h <<_ACEOF 26102
26103cat >>confdefs.h <<_ACEOF
24728#define USER_PATH "$user_path" 26104#define USER_PATH "$user_path"
24729_ACEOF 26105_ACEOF
24730 26106
@@ -24739,7 +26115,8 @@ if test "${with_superuser_path+set}" = set; then
24739 26115
24740 if test -n "$withval" && test "x$withval" != "xno" && \ 26116 if test -n "$withval" && test "x$withval" != "xno" && \
24741 test "x${withval}" != "xyes"; then 26117 test "x${withval}" != "xyes"; then
24742 cat >>confdefs.h <<_ACEOF 26118
26119cat >>confdefs.h <<_ACEOF
24743#define SUPERUSER_PATH "$withval" 26120#define SUPERUSER_PATH "$withval"
24744_ACEOF 26121_ACEOF
24745 26122
@@ -24761,7 +26138,8 @@ if test "${with_4in6+set}" = set; then
24761 if test "x$withval" != "xno" ; then 26138 if test "x$withval" != "xno" ; then
24762 echo "$as_me:$LINENO: result: yes" >&5 26139 echo "$as_me:$LINENO: result: yes" >&5
24763echo "${ECHO_T}yes" >&6 26140echo "${ECHO_T}yes" >&6
24764 cat >>confdefs.h <<\_ACEOF 26141
26142cat >>confdefs.h <<\_ACEOF
24765#define IPV4_IN_IPV6 1 26143#define IPV4_IN_IPV6 1
24766_ACEOF 26144_ACEOF
24767 26145
@@ -24797,7 +26175,8 @@ if test "${with_bsd_auth+set}" = set; then
24797 withval="$with_bsd_auth" 26175 withval="$with_bsd_auth"
24798 26176
24799 if test "x$withval" != "xno" ; then 26177 if test "x$withval" != "xno" ; then
24800 cat >>confdefs.h <<\_ACEOF 26178
26179cat >>confdefs.h <<\_ACEOF
24801#define BSD_AUTH 1 26180#define BSD_AUTH 1
24802_ACEOF 26181_ACEOF
24803 26182
@@ -24834,6 +26213,7 @@ echo "$as_me: WARNING: ** no $piddir directory on this system **" >&2;}
24834 26213
24835fi; 26214fi;
24836 26215
26216
24837cat >>confdefs.h <<_ACEOF 26217cat >>confdefs.h <<_ACEOF
24838#define _PATH_SSH_PIDDIR "$piddir" 26218#define _PATH_SSH_PIDDIR "$piddir"
24839_ACEOF 26219_ACEOF
@@ -24871,7 +26251,8 @@ if test "${enable_utmpx+set}" = set; then
24871 enableval="$enable_utmpx" 26251 enableval="$enable_utmpx"
24872 26252
24873 if test "x$enableval" = "xno" ; then 26253 if test "x$enableval" = "xno" ; then
24874 cat >>confdefs.h <<\_ACEOF 26254
26255cat >>confdefs.h <<\_ACEOF
24875#define DISABLE_UTMPX 1 26256#define DISABLE_UTMPX 1
24876_ACEOF 26257_ACEOF
24877 26258
@@ -24897,7 +26278,8 @@ if test "${enable_wtmpx+set}" = set; then
24897 enableval="$enable_wtmpx" 26278 enableval="$enable_wtmpx"
24898 26279
24899 if test "x$enableval" = "xno" ; then 26280 if test "x$enableval" = "xno" ; then
24900 cat >>confdefs.h <<\_ACEOF 26281
26282cat >>confdefs.h <<\_ACEOF
24901#define DISABLE_WTMPX 1 26283#define DISABLE_WTMPX 1
24902_ACEOF 26284_ACEOF
24903 26285
@@ -24923,7 +26305,8 @@ if test "${enable_pututline+set}" = set; then
24923 enableval="$enable_pututline" 26305 enableval="$enable_pututline"
24924 26306
24925 if test "x$enableval" = "xno" ; then 26307 if test "x$enableval" = "xno" ; then
24926 cat >>confdefs.h <<\_ACEOF 26308
26309cat >>confdefs.h <<\_ACEOF
24927#define DISABLE_PUTUTLINE 1 26310#define DISABLE_PUTUTLINE 1
24928_ACEOF 26311_ACEOF
24929 26312
@@ -24936,7 +26319,8 @@ if test "${enable_pututxline+set}" = set; then
24936 enableval="$enable_pututxline" 26319 enableval="$enable_pututxline"
24937 26320
24938 if test "x$enableval" = "xno" ; then 26321 if test "x$enableval" = "xno" ; then
24939 cat >>confdefs.h <<\_ACEOF 26322
26323cat >>confdefs.h <<\_ACEOF
24940#define DISABLE_PUTUTXLINE 1 26324#define DISABLE_PUTUTXLINE 1
24941_ACEOF 26325_ACEOF
24942 26326
@@ -25101,7 +26485,8 @@ echo "$as_me: WARNING: ** Cannot find lastlog **" >&2;}
25101fi 26485fi
25102 26486
25103if test -n "$conf_lastlog_location"; then 26487if test -n "$conf_lastlog_location"; then
25104 cat >>confdefs.h <<_ACEOF 26488
26489cat >>confdefs.h <<_ACEOF
25105#define CONF_LASTLOG_FILE "$conf_lastlog_location" 26490#define CONF_LASTLOG_FILE "$conf_lastlog_location"
25106_ACEOF 26491_ACEOF
25107 26492
@@ -25179,7 +26564,8 @@ _ACEOF
25179 fi 26564 fi
25180fi 26565fi
25181if test -n "$conf_utmp_location"; then 26566if test -n "$conf_utmp_location"; then
25182 cat >>confdefs.h <<_ACEOF 26567
26568cat >>confdefs.h <<_ACEOF
25183#define CONF_UTMP_FILE "$conf_utmp_location" 26569#define CONF_UTMP_FILE "$conf_utmp_location"
25184_ACEOF 26570_ACEOF
25185 26571
@@ -25257,7 +26643,8 @@ _ACEOF
25257 fi 26643 fi
25258fi 26644fi
25259if test -n "$conf_wtmp_location"; then 26645if test -n "$conf_wtmp_location"; then
25260 cat >>confdefs.h <<_ACEOF 26646
26647cat >>confdefs.h <<_ACEOF
25261#define CONF_WTMP_FILE "$conf_wtmp_location" 26648#define CONF_WTMP_FILE "$conf_wtmp_location"
25262_ACEOF 26649_ACEOF
25263 26650
@@ -25331,7 +26718,8 @@ _ACEOF
25331 26718
25332 fi 26719 fi
25333else 26720else
25334 cat >>confdefs.h <<_ACEOF 26721
26722cat >>confdefs.h <<_ACEOF
25335#define CONF_UTMPX_FILE "$conf_utmpx_location" 26723#define CONF_UTMPX_FILE "$conf_utmpx_location"
25336_ACEOF 26724_ACEOF
25337 26725
@@ -25404,7 +26792,8 @@ _ACEOF
25404 26792
25405 fi 26793 fi
25406else 26794else
25407 cat >>confdefs.h <<_ACEOF 26795
26796cat >>confdefs.h <<_ACEOF
25408#define CONF_WTMPX_FILE "$conf_wtmpx_location" 26797#define CONF_WTMPX_FILE "$conf_wtmpx_location"
25409_ACEOF 26798_ACEOF
25410 26799
@@ -26068,6 +27457,7 @@ s,@ac_ct_RANLIB@,$ac_ct_RANLIB,;t t
26068s,@INSTALL_PROGRAM@,$INSTALL_PROGRAM,;t t 27457s,@INSTALL_PROGRAM@,$INSTALL_PROGRAM,;t t
26069s,@INSTALL_SCRIPT@,$INSTALL_SCRIPT,;t t 27458s,@INSTALL_SCRIPT@,$INSTALL_SCRIPT,;t t
26070s,@INSTALL_DATA@,$INSTALL_DATA,;t t 27459s,@INSTALL_DATA@,$INSTALL_DATA,;t t
27460s,@EGREP@,$EGREP,;t t
26071s,@AR@,$AR,;t t 27461s,@AR@,$AR,;t t
26072s,@CAT@,$CAT,;t t 27462s,@CAT@,$CAT,;t t
26073s,@KILL@,$KILL,;t t 27463s,@KILL@,$KILL,;t t
@@ -26080,10 +27470,10 @@ s,@TEST_SHELL@,$TEST_SHELL,;t t
26080s,@PATH_GROUPADD_PROG@,$PATH_GROUPADD_PROG,;t t 27470s,@PATH_GROUPADD_PROG@,$PATH_GROUPADD_PROG,;t t
26081s,@PATH_USERADD_PROG@,$PATH_USERADD_PROG,;t t 27471s,@PATH_USERADD_PROG@,$PATH_USERADD_PROG,;t t
26082s,@MAKE_PACKAGE_SUPPORTED@,$MAKE_PACKAGE_SUPPORTED,;t t 27472s,@MAKE_PACKAGE_SUPPORTED@,$MAKE_PACKAGE_SUPPORTED,;t t
27473s,@STARTUP_SCRIPT_SHELL@,$STARTUP_SCRIPT_SHELL,;t t
26083s,@LOGIN_PROGRAM_FALLBACK@,$LOGIN_PROGRAM_FALLBACK,;t t 27474s,@LOGIN_PROGRAM_FALLBACK@,$LOGIN_PROGRAM_FALLBACK,;t t
26084s,@PATH_PASSWD_PROG@,$PATH_PASSWD_PROG,;t t 27475s,@PATH_PASSWD_PROG@,$PATH_PASSWD_PROG,;t t
26085s,@LD@,$LD,;t t 27476s,@LD@,$LD,;t t
26086s,@EGREP@,$EGREP,;t t
26087s,@LIBWRAP@,$LIBWRAP,;t t 27477s,@LIBWRAP@,$LIBWRAP,;t t
26088s,@LIBEDIT@,$LIBEDIT,;t t 27478s,@LIBEDIT@,$LIBEDIT,;t t
26089s,@LIBPAM@,$LIBPAM,;t t 27479s,@LIBPAM@,$LIBPAM,;t t
diff --git a/configure.ac b/configure.ac
index 849e2f771..9ff199451 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
1# $Id: configure.ac,v 1.292 2005/08/31 16:59:49 tim Exp $ 1# $Id: configure.ac,v 1.322.2.6 2006/02/08 11:11:06 dtucker Exp $
2# 2#
3# Copyright (c) 1999-2004 Damien Miller 3# Copyright (c) 1999-2004 Damien Miller
4# 4#
@@ -15,6 +15,7 @@
15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 16
17AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) 17AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
18AC_REVISION($Revision: 1.322.2.6 $)
18AC_CONFIG_SRCDIR([ssh.c]) 19AC_CONFIG_SRCDIR([ssh.c])
19 20
20AC_CONFIG_HEADER(config.h) 21AC_CONFIG_HEADER(config.h)
@@ -27,6 +28,7 @@ AC_PROG_AWK
27AC_PROG_CPP 28AC_PROG_CPP
28AC_PROG_RANLIB 29AC_PROG_RANLIB
29AC_PROG_INSTALL 30AC_PROG_INSTALL
31AC_PROG_EGREP
30AC_PATH_PROG(AR, ar) 32AC_PATH_PROG(AR, ar)
31AC_PATH_PROG(CAT, cat) 33AC_PATH_PROG(CAT, cat)
32AC_PATH_PROG(KILL, kill) 34AC_PATH_PROG(KILL, kill)
@@ -47,6 +49,11 @@ AC_PATH_PROG(PATH_GROUPADD_PROG, groupadd, groupadd,
47AC_PATH_PROG(PATH_USERADD_PROG, useradd, useradd, 49AC_PATH_PROG(PATH_USERADD_PROG, useradd, useradd,
48 [/usr/sbin${PATH_SEPARATOR}/etc]) 50 [/usr/sbin${PATH_SEPARATOR}/etc])
49AC_CHECK_PROG(MAKE_PACKAGE_SUPPORTED, pkgmk, yes, no) 51AC_CHECK_PROG(MAKE_PACKAGE_SUPPORTED, pkgmk, yes, no)
52if test -x /sbin/sh; then
53 AC_SUBST(STARTUP_SCRIPT_SHELL,/sbin/sh)
54else
55 AC_SUBST(STARTUP_SCRIPT_SHELL,/bin/sh)
56fi
50 57
51# System features 58# System features
52AC_SYS_LARGEFILE 59AC_SYS_LARGEFILE
@@ -57,7 +64,9 @@ fi
57 64
58# Use LOGIN_PROGRAM from environment if possible 65# Use LOGIN_PROGRAM from environment if possible
59if test ! -z "$LOGIN_PROGRAM" ; then 66if test ! -z "$LOGIN_PROGRAM" ; then
60 AC_DEFINE_UNQUOTED(LOGIN_PROGRAM_FALLBACK, "$LOGIN_PROGRAM") 67 AC_DEFINE_UNQUOTED(LOGIN_PROGRAM_FALLBACK, "$LOGIN_PROGRAM",
68 [If your header files don't define LOGIN_PROGRAM,
69 then use this (detected) from environment and PATH])
61else 70else
62 # Search for login 71 # Search for login
63 AC_PATH_PROG(LOGIN_PROGRAM_FALLBACK, login) 72 AC_PATH_PROG(LOGIN_PROGRAM_FALLBACK, login)
@@ -68,7 +77,8 @@ fi
68 77
69AC_PATH_PROG(PATH_PASSWD_PROG, passwd) 78AC_PATH_PROG(PATH_PASSWD_PROG, passwd)
70if test ! -z "$PATH_PASSWD_PROG" ; then 79if test ! -z "$PATH_PASSWD_PROG" ; then
71 AC_DEFINE_UNQUOTED(_PATH_PASSWD_PROG, "$PATH_PASSWD_PROG") 80 AC_DEFINE_UNQUOTED(_PATH_PASSWD_PROG, "$PATH_PASSWD_PROG",
81 [Full path of your "passwd" program])
72fi 82fi
73 83
74if test -z "$LD" ; then 84if test -z "$LD" ; then
@@ -82,12 +92,14 @@ AC_CHECK_DECL(LLONG_MAX, have_llong_max=1, , [#include <limits.h>])
82 92
83if test "$GCC" = "yes" || test "$GCC" = "egcs"; then 93if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
84 CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized" 94 CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized"
85 GCC_VER=`$CC --version` 95 GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
86 case $GCC_VER in 96 case $GCC_VER in
87 1.*) ;; 97 1.*) ;;
88 2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;; 98 2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;;
89 2.*) ;; 99 2.*) ;;
90 *) CFLAGS="$CFLAGS -Wsign-compare" ;; 100 3.*) CFLAGS="$CFLAGS -Wsign-compare" ;;
101 4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign" ;;
102 *) ;;
91 esac 103 esac
92 104
93 if test -z "$have_llong_max"; then 105 if test -z "$have_llong_max"; then
@@ -103,70 +115,6 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
103 fi 115 fi
104fi 116fi
105 117
106if test -z "$have_llong_max"; then
107 AC_MSG_CHECKING([for max value of long long])
108 AC_RUN_IFELSE(
109 [AC_LANG_SOURCE([[
110#include <stdio.h>
111/* Why is this so damn hard? */
112#ifdef __GNUC__
113# undef __GNUC__
114#endif
115#define __USE_ISOC99
116#include <limits.h>
117#define DATA "conftest.llminmax"
118int main(void) {
119 FILE *f;
120 long long i, llmin, llmax = 0;
121
122 if((f = fopen(DATA,"w")) == NULL)
123 exit(1);
124
125#if defined(LLONG_MIN) && defined(LLONG_MAX)
126 fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
127 llmin = LLONG_MIN;
128 llmax = LLONG_MAX;
129#else
130 fprintf(stderr, "Calculating LLONG_MIN and LLONG_MAX\n");
131 /* This will work on one's complement and two's complement */
132 for (i = 1; i > llmax; i <<= 1, i++)
133 llmax = i;
134 llmin = llmax + 1LL; /* wrap */
135#endif
136
137 /* Sanity check */
138 if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
139 || llmax - 1 > llmax) {
140 fprintf(f, "unknown unknown\n");
141 exit(2);
142 }
143
144 if (fprintf(f ,"%lld %lld", llmin, llmax) < 0)
145 exit(3);
146
147 exit(0);
148}
149 ]])],
150 [
151 llong_min=`$AWK '{print $1}' conftest.llminmax`
152 llong_max=`$AWK '{print $2}' conftest.llminmax`
153 AC_MSG_RESULT($llong_max)
154 AC_DEFINE_UNQUOTED(LLONG_MAX, [${llong_max}LL],
155 [max value of long long calculated by configure])
156 AC_MSG_CHECKING([for min value of long long])
157 AC_MSG_RESULT($llong_min)
158 AC_DEFINE_UNQUOTED(LLONG_MIN, [${llong_min}LL],
159 [min value of long long calculated by configure])
160 ],
161 [
162 AC_MSG_RESULT(not found)
163 ],
164 [
165 AC_MSG_WARN([cross compiling: not checking])
166 ]
167 )
168fi
169
170AC_ARG_WITH(rpath, 118AC_ARG_WITH(rpath,
171 [ --without-rpath Disable auto-added -R linker paths], 119 [ --without-rpath Disable auto-added -R linker paths],
172 [ 120 [
@@ -201,7 +149,8 @@ case "$host" in
201 fi 149 fi
202 LDFLAGS="$saved_LDFLAGS" 150 LDFLAGS="$saved_LDFLAGS"
203 dnl Check for authenticate. Might be in libs.a on older AIXes 151 dnl Check for authenticate. Might be in libs.a on older AIXes
204 AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)], 152 AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE, 1,
153 [Define if you want to enable AIX4's authenticate function])],
205 [AC_CHECK_LIB(s,authenticate, 154 [AC_CHECK_LIB(s,authenticate,
206 [ AC_DEFINE(WITH_AIXAUTHENTICATE) 155 [ AC_DEFINE(WITH_AIXAUTHENTICATE)
207 LIBS="$LIBS -ls" 156 LIBS="$LIBS -ls"
@@ -217,7 +166,9 @@ case "$host" in
217 [#include <usersec.h>], 166 [#include <usersec.h>],
218 [(void)loginfailed("user","host","tty",0);], 167 [(void)loginfailed("user","host","tty",0);],
219 [AC_MSG_RESULT(yes) 168 [AC_MSG_RESULT(yes)
220 AC_DEFINE(AIX_LOGINFAILED_4ARG)], 169 AC_DEFINE(AIX_LOGINFAILED_4ARG, 1,
170 [Define if your AIX loginfailed() function
171 takes 4 arguments (AIX >= 5.2)])],
221 [AC_MSG_RESULT(no)] 172 [AC_MSG_RESULT(no)]
222 )], 173 )],
223 [], 174 [],
@@ -225,25 +176,38 @@ case "$host" in
225 ) 176 )
226 AC_CHECK_FUNCS(setauthdb) 177 AC_CHECK_FUNCS(setauthdb)
227 check_for_aix_broken_getaddrinfo=1 178 check_for_aix_broken_getaddrinfo=1
228 AC_DEFINE(BROKEN_REALPATH) 179 AC_DEFINE(BROKEN_REALPATH, 1, [Define if you have a broken realpath.])
229 AC_DEFINE(SETEUID_BREAKS_SETUID) 180 AC_DEFINE(SETEUID_BREAKS_SETUID, 1,
230 AC_DEFINE(BROKEN_SETREUID) 181 [Define if your platform breaks doing a seteuid before a setuid])
231 AC_DEFINE(BROKEN_SETREGID) 182 AC_DEFINE(BROKEN_SETREUID, 1, [Define if your setreuid() is broken])
183 AC_DEFINE(BROKEN_SETREGID, 1, [Define if your setregid() is broken])
232 dnl AIX handles lastlog as part of its login message 184 dnl AIX handles lastlog as part of its login message
233 AC_DEFINE(DISABLE_LASTLOG) 185 AC_DEFINE(DISABLE_LASTLOG, 1, [Define if you don't want to use lastlog])
234 AC_DEFINE(LOGIN_NEEDS_UTMPX) 186 AC_DEFINE(LOGIN_NEEDS_UTMPX, 1,
235 AC_DEFINE(SPT_TYPE,SPT_REUSEARGV) 187 [Some systems need a utmpx entry for /bin/login to work])
188 AC_DEFINE(SPT_TYPE,SPT_REUSEARGV,
189 [Define to a Set Process Title type if your system is
190 supported by bsd-setproctitle.c])
191 AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID, 1,
192 [AIX 5.2 and 5.3 (and presumably newer) require this])
236 ;; 193 ;;
237*-*-cygwin*) 194*-*-cygwin*)
238 check_for_libcrypt_later=1 195 check_for_libcrypt_later=1
239 LIBS="$LIBS /usr/lib/textmode.o" 196 LIBS="$LIBS /usr/lib/textmode.o"
240 AC_DEFINE(HAVE_CYGWIN) 197 AC_DEFINE(HAVE_CYGWIN, 1, [Define if you are on Cygwin])
241 AC_DEFINE(USE_PIPES) 198 AC_DEFINE(USE_PIPES, 1, [Use PIPES instead of a socketpair()])
242 AC_DEFINE(DISABLE_SHADOW) 199 AC_DEFINE(DISABLE_SHADOW, 1,
243 AC_DEFINE(IP_TOS_IS_BROKEN) 200 [Define if you want to disable shadow passwords])
244 AC_DEFINE(NO_X11_UNIX_SOCKETS) 201 AC_DEFINE(IP_TOS_IS_BROKEN, 1,
245 AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT) 202 [Define if your system choked on IP TOS setting])
246 AC_DEFINE(DISABLE_FD_PASSING) 203 AC_DEFINE(NO_X11_UNIX_SOCKETS, 1,
204 [Define if X11 doesn't support AF_UNIX sockets on that system])
205 AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT, 1,
206 [Define if the concept of ports only accessible to
207 superusers isn't known])
208 AC_DEFINE(DISABLE_FD_PASSING, 1,
209 [Define if your platform needs to skip post auth
210 file descriptor passing])
247 ;; 211 ;;
248*-*-dgux*) 212*-*-dgux*)
249 AC_DEFINE(IP_TOS_IS_BROKEN) 213 AC_DEFINE(IP_TOS_IS_BROKEN)
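Review bot: The description added for `SSHPAM_CHAUTHTOK_NEEDS_RUID` in the AIX branch, `[AIX 5.2 and 5.3 (and presumably newer) require this]`, names the platform but not what the macro changes. The Solaris branch of the same `case` describes the same macro as "Define if pam_chauthtok wants real uid set to the unpriv'ed user", which is what a reader of config.h needs to know about a switch that affects the uid in effect during a password change. The AIX text should carry that wording too, for example `[Define if pam_chauthtok wants real uid set to the unpriv'ed user (AIX 5.2, 5.3 and presumably newer)]`. The `case "$host"` block starts and ends outside the hunk.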
@@ -260,22 +224,26 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
260 exit(1); 224 exit(1);
261}], [AC_MSG_RESULT(working)], 225}], [AC_MSG_RESULT(working)],
262 [AC_MSG_RESULT(buggy) 226 [AC_MSG_RESULT(buggy)
263 AC_DEFINE(BROKEN_GETADDRINFO)], 227 AC_DEFINE(BROKEN_GETADDRINFO, 1, [getaddrinfo is broken (if present)])],
264 [AC_MSG_RESULT(assume it is working)]) 228 [AC_MSG_RESULT(assume it is working)])
265 AC_DEFINE(SETEUID_BREAKS_SETUID) 229 AC_DEFINE(SETEUID_BREAKS_SETUID)
266 AC_DEFINE(BROKEN_SETREUID) 230 AC_DEFINE(BROKEN_SETREUID)
267 AC_DEFINE(BROKEN_SETREGID) 231 AC_DEFINE(BROKEN_SETREGID)
268 AC_DEFINE_UNQUOTED(BIND_8_COMPAT, 1) 232 AC_DEFINE_UNQUOTED(BIND_8_COMPAT, 1,
233 [Define if your resolver libs need this for getrrsetbyname])
269 ;; 234 ;;
270*-*-hpux*) 235*-*-hpux*)
271 # first we define all of the options common to all HP-UX releases 236 # first we define all of the options common to all HP-UX releases
272 CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1" 237 CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
273 IPADDR_IN_DISPLAY=yes 238 IPADDR_IN_DISPLAY=yes
274 AC_DEFINE(USE_PIPES) 239 AC_DEFINE(USE_PIPES)
275 AC_DEFINE(LOGIN_NO_ENDOPT) 240 AC_DEFINE(LOGIN_NO_ENDOPT, 1,
241 [Define if your login program cannot handle end of options ("--")])
276 AC_DEFINE(LOGIN_NEEDS_UTMPX) 242 AC_DEFINE(LOGIN_NEEDS_UTMPX)
277 AC_DEFINE(LOCKED_PASSWD_STRING, "*") 243 AC_DEFINE(LOCKED_PASSWD_STRING, "*",
244 [String used in /etc/passwd to denote locked account])
278 AC_DEFINE(SPT_TYPE,SPT_PSTAT) 245 AC_DEFINE(SPT_TYPE,SPT_PSTAT)
246 MAIL="/var/mail/username"
279 LIBS="$LIBS -lsec" 247 LIBS="$LIBS -lsec"
280 AC_CHECK_LIB(xnet, t_error, , 248 AC_CHECK_LIB(xnet, t_error, ,
281 AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) 249 AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
@@ -288,8 +256,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
288 fi 256 fi
289 ;; 257 ;;
290 *-*-hpux11*) 258 *-*-hpux11*)
291 AC_DEFINE(PAM_SUN_CODEBASE) 259 AC_DEFINE(PAM_SUN_CODEBASE, 1,
292 AC_DEFINE(DISABLE_UTMP) 260 [Define if you are using Solaris-derived PAM which
261 passes pam_messages to the conversation function
262 with an extra level of indirection])
263 AC_DEFINE(DISABLE_UTMP, 1,
264 [Define if you don't want to use utmp])
293 AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins]) 265 AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins])
294 check_for_hpux_broken_getaddrinfo=1 266 check_for_hpux_broken_getaddrinfo=1
295 check_for_conflicting_getspnam=1 267 check_for_conflicting_getspnam=1
@@ -299,7 +271,9 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
299 # lastly, we define options specific to minor releases 271 # lastly, we define options specific to minor releases
300 case "$host" in 272 case "$host" in
301 *-*-hpux10.26) 273 *-*-hpux10.26)
302 AC_DEFINE(HAVE_SECUREWARE) 274 AC_DEFINE(HAVE_SECUREWARE, 1,
275 [Define if you have SecureWare-based
276 protected password database])
303 disable_ptmx_check=yes 277 disable_ptmx_check=yes
304 LIBS="$LIBS -lsecpw" 278 LIBS="$LIBS -lsecpw"
305 ;; 279 ;;
@@ -307,24 +281,33 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
307 ;; 281 ;;
308*-*-irix5*) 282*-*-irix5*)
309 PATH="$PATH:/usr/etc" 283 PATH="$PATH:/usr/etc"
310 AC_DEFINE(BROKEN_INET_NTOA) 284 AC_DEFINE(BROKEN_INET_NTOA, 1,
285 [Define if you system's inet_ntoa is busted
286 (e.g. Irix gcc issue)])
311 AC_DEFINE(SETEUID_BREAKS_SETUID) 287 AC_DEFINE(SETEUID_BREAKS_SETUID)
312 AC_DEFINE(BROKEN_SETREUID) 288 AC_DEFINE(BROKEN_SETREUID)
313 AC_DEFINE(BROKEN_SETREGID) 289 AC_DEFINE(BROKEN_SETREGID)
314 AC_DEFINE(WITH_ABBREV_NO_TTY) 290 AC_DEFINE(WITH_ABBREV_NO_TTY, 1,
291 [Define if you shouldn't strip 'tty' from your
292 ttyname in [uw]tmp])
315 AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") 293 AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
316 ;; 294 ;;
317*-*-irix6*) 295*-*-irix6*)
318 PATH="$PATH:/usr/etc" 296 PATH="$PATH:/usr/etc"
319 AC_DEFINE(WITH_IRIX_ARRAY) 297 AC_DEFINE(WITH_IRIX_ARRAY, 1,
320 AC_DEFINE(WITH_IRIX_PROJECT) 298 [Define if you have/want arrays
321 AC_DEFINE(WITH_IRIX_AUDIT) 299 (cluster-wide session managment, not C arrays)])
322 AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS)]) 300 AC_DEFINE(WITH_IRIX_PROJECT, 1,
301 [Define if you want IRIX project management])
302 AC_DEFINE(WITH_IRIX_AUDIT, 1,
303 [Define if you want IRIX audit trails])
304 AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS, 1,
305 [Define if you want IRIX kernel jobs])])
323 AC_DEFINE(BROKEN_INET_NTOA) 306 AC_DEFINE(BROKEN_INET_NTOA)
324 AC_DEFINE(SETEUID_BREAKS_SETUID) 307 AC_DEFINE(SETEUID_BREAKS_SETUID)
325 AC_DEFINE(BROKEN_SETREUID) 308 AC_DEFINE(BROKEN_SETREUID)
326 AC_DEFINE(BROKEN_SETREGID) 309 AC_DEFINE(BROKEN_SETREGID)
327 AC_DEFINE(BROKEN_UPDWTMPX) 310 AC_DEFINE(BROKEN_UPDWTMPX, 1, [updwtmpx is broken (if present)])
328 AC_DEFINE(WITH_ABBREV_NO_TTY) 311 AC_DEFINE(WITH_ABBREV_NO_TTY)
329 AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") 312 AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
330 ;; 313 ;;
@@ -340,22 +323,37 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
340 no_dev_ptmx=1 323 no_dev_ptmx=1
341 check_for_libcrypt_later=1 324 check_for_libcrypt_later=1
342 check_for_openpty_ctty_bug=1 325 check_for_openpty_ctty_bug=1
343 AC_DEFINE(DONT_TRY_OTHER_AF) 326 AC_DEFINE(DONT_TRY_OTHER_AF, 1, [Workaround more Linux IPv6 quirks])
344 AC_DEFINE(PAM_TTY_KLUDGE) 327 AC_DEFINE(PAM_TTY_KLUDGE, 1,
345 AC_DEFINE(LOCKED_PASSWD_PREFIX, "!") 328 [Work around problematic Linux PAM modules handling of PAM_TTY])
329 AC_DEFINE(LOCKED_PASSWD_PREFIX, "!",
330 [String used in /etc/passwd to denote locked account])
346 AC_DEFINE(SPT_TYPE,SPT_REUSEARGV) 331 AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
347 AC_DEFINE(LINK_OPNOTSUPP_ERRNO, EPERM) 332 AC_DEFINE(LINK_OPNOTSUPP_ERRNO, EPERM,
333 [Define to whatever link() returns for "not supported"
334 if it doesn't return EOPNOTSUPP.])
348 AC_DEFINE(_PATH_BTMP, "/var/log/btmp", [log for bad login attempts]) 335 AC_DEFINE(_PATH_BTMP, "/var/log/btmp", [log for bad login attempts])
349 AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins]) 336 AC_DEFINE(USE_BTMP)
350 inet6_default_4in6=yes 337 inet6_default_4in6=yes
351 case `uname -r` in 338 case `uname -r` in
352 1.*|2.0.*) 339 1.*|2.0.*)
353 AC_DEFINE(BROKEN_CMSG_TYPE) 340 AC_DEFINE(BROKEN_CMSG_TYPE, 1,
341 [Define if cmsg_type is not passed correctly])
354 ;; 342 ;;
355 esac 343 esac
344 # tun(4) forwarding compat code
345 AC_CHECK_HEADERS(linux/if_tun.h)
346 if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
347 AC_DEFINE(SSH_TUN_LINUX, 1,
348 [Open tunnel devices the Linux tun/tap way])
349 AC_DEFINE(SSH_TUN_COMPAT_AF, 1,
350 [Use tunnel device compatibility to OpenBSD])
351 AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
352 [Prepend the address family to IP tunnel traffic])
353 fi
356 ;; 354 ;;
357mips-sony-bsd|mips-sony-newsos4) 355mips-sony-bsd|mips-sony-newsos4)
358 AC_DEFINE(NEED_SETPRGP, [], [Need setpgrp to acquire controlling tty]) 356 AC_DEFINE(NEED_SETPGRP, 1, [Need setpgrp to acquire controlling tty])
359 SONY=1 357 SONY=1
360 ;; 358 ;;
361*-*-netbsd*) 359*-*-netbsd*)
@@ -363,9 +361,18 @@ mips-sony-bsd|mips-sony-newsos4)
363 if test "x$withval" != "xno" ; then 361 if test "x$withval" != "xno" ; then
364 need_dash_r=1 362 need_dash_r=1
365 fi 363 fi
364 AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way])
365 AC_CHECK_HEADER([net/if_tap.h], ,
366 AC_DEFINE(SSH_TUN_NO_L2, 1, [No layer 2 tunnel support]))
367 AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
368 [Prepend the address family to IP tunnel traffic])
366 ;; 369 ;;
367*-*-freebsd*) 370*-*-freebsd*)
368 check_for_libcrypt_later=1 371 check_for_libcrypt_later=1
372 AC_DEFINE(LOCKED_PASSWD_PREFIX, "*LOCKED*", [Account locked with pw(1)])
373 AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way])
374 AC_CHECK_HEADER([net/if_tap.h], ,
375 AC_DEFINE(SSH_TUN_NO_L2, 1, [No layer 2 tunnel support]))
369 ;; 376 ;;
370*-*-bsdi*) 377*-*-bsdi*)
371 AC_DEFINE(SETEUID_BREAKS_SETUID) 378 AC_DEFINE(SETEUID_BREAKS_SETUID)
@@ -377,13 +384,15 @@ mips-sony-bsd|mips-sony-newsos4)
377 conf_utmp_location=/etc/utmp 384 conf_utmp_location=/etc/utmp
378 conf_wtmp_location=/usr/adm/wtmp 385 conf_wtmp_location=/usr/adm/wtmp
379 MAIL=/usr/spool/mail 386 MAIL=/usr/spool/mail
380 AC_DEFINE(HAVE_NEXT) 387 AC_DEFINE(HAVE_NEXT, 1, [Define if you are on NeXT])
381 AC_DEFINE(BROKEN_REALPATH) 388 AC_DEFINE(BROKEN_REALPATH)
382 AC_DEFINE(USE_PIPES) 389 AC_DEFINE(USE_PIPES)
383 AC_DEFINE(BROKEN_SAVED_UIDS) 390 AC_DEFINE(BROKEN_SAVED_UIDS, 1, [Needed for NeXT])
384 ;; 391 ;;
385*-*-openbsd*) 392*-*-openbsd*)
386 AC_DEFINE(HAVE_ATTRIBUTE__SENTINEL__, 1, [OpenBSD's gcc has sentinel]) 393 AC_DEFINE(HAVE_ATTRIBUTE__SENTINEL__, 1, [OpenBSD's gcc has sentinel])
394 AC_DEFINE(HAVE_ATTRIBUTE__BOUNDED__, 1, [OpenBSD's gcc has bounded])
395 AC_DEFINE(SSH_TUN_OPENBSD, 1, [Open tunnel devices the OpenBSD way])
387 ;; 396 ;;
388*-*-solaris*) 397*-*-solaris*)
389 if test "x$withval" != "xno" ; then 398 if test "x$withval" != "xno" ; then
@@ -391,12 +400,18 @@ mips-sony-bsd|mips-sony-newsos4)
391 fi 400 fi
392 AC_DEFINE(PAM_SUN_CODEBASE) 401 AC_DEFINE(PAM_SUN_CODEBASE)
393 AC_DEFINE(LOGIN_NEEDS_UTMPX) 402 AC_DEFINE(LOGIN_NEEDS_UTMPX)
394 AC_DEFINE(LOGIN_NEEDS_TERM) 403 AC_DEFINE(LOGIN_NEEDS_TERM, 1,
404 [Some versions of /bin/login need the TERM supplied
405 on the commandline])
395 AC_DEFINE(PAM_TTY_KLUDGE) 406 AC_DEFINE(PAM_TTY_KLUDGE)
396 AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID) 407 AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID, 1,
408 [Define if pam_chauthtok wants real uid set
409 to the unpriv'ed user])
397 AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") 410 AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
398 # Pushing STREAMS modules will cause sshd to acquire a controlling tty. 411 # Pushing STREAMS modules will cause sshd to acquire a controlling tty.
399 AC_DEFINE(SSHD_ACQUIRES_CTTY) 412 AC_DEFINE(SSHD_ACQUIRES_CTTY, 1,
413 [Define if sshd somehow reacquires a controlling TTY
414 after setsid()])
400 external_path_file=/etc/default/login 415 external_path_file=/etc/default/login
401 # hardwire lastlog location (can't detect it on some versions) 416 # hardwire lastlog location (can't detect it on some versions)
402 conf_lastlog_location="/var/adm/lastlog" 417 conf_lastlog_location="/var/adm/lastlog"
@@ -405,7 +420,8 @@ mips-sony-bsd|mips-sony-newsos4)
405 if test "$sol2ver" -ge 8; then 420 if test "$sol2ver" -ge 8; then
406 AC_MSG_RESULT(yes) 421 AC_MSG_RESULT(yes)
407 AC_DEFINE(DISABLE_UTMP) 422 AC_DEFINE(DISABLE_UTMP)
408 AC_DEFINE(DISABLE_WTMP) 423 AC_DEFINE(DISABLE_WTMP, 1,
424 [Define if you don't want to use wtmp])
409 else 425 else
410 AC_MSG_RESULT(no) 426 AC_MSG_RESULT(no)
411 fi 427 fi
@@ -430,8 +446,8 @@ mips-sony-bsd|mips-sony-newsos4)
430*-sni-sysv*) 446*-sni-sysv*)
431 # /usr/ucblib MUST NOT be searched on ReliantUNIX 447 # /usr/ucblib MUST NOT be searched on ReliantUNIX
432 AC_CHECK_LIB(dl, dlsym, ,) 448 AC_CHECK_LIB(dl, dlsym, ,)
433 # -lresolv needs to be at then end of LIBS or DNS lookups break 449 # -lresolv needs to be at the end of LIBS or DNS lookups break
434 AC_CHECK_LIB(res_query, resolv, [ LIBS="$LIBS -lresolv" ]) 450 AC_CHECK_LIB(resolv, res_query, [ LIBS="$LIBS -lresolv" ])
435 IPADDR_IN_DISPLAY=yes 451 IPADDR_IN_DISPLAY=yes
436 AC_DEFINE(USE_PIPES) 452 AC_DEFINE(USE_PIPES)
437 AC_DEFINE(IP_TOS_IS_BROKEN) 453 AC_DEFINE(IP_TOS_IS_BROKEN)
@@ -446,11 +462,13 @@ mips-sony-bsd|mips-sony-newsos4)
446 ;; 462 ;;
447# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel. 463# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
448*-*-sysv4.2*) 464*-*-sysv4.2*)
465 CFLAGS="$CFLAGS -Dva_list=_VA_LIST"
449 AC_DEFINE(USE_PIPES) 466 AC_DEFINE(USE_PIPES)
450 AC_DEFINE(SETEUID_BREAKS_SETUID) 467 AC_DEFINE(SETEUID_BREAKS_SETUID)
451 AC_DEFINE(BROKEN_SETREUID) 468 AC_DEFINE(BROKEN_SETREUID)
452 AC_DEFINE(BROKEN_SETREGID) 469 AC_DEFINE(BROKEN_SETREGID)
453 AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd]) 470 AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd])
471 AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
454 ;; 472 ;;
455# UnixWare 7.x, OpenUNIX 8 473# UnixWare 7.x, OpenUNIX 8
456*-*-sysv5*) 474*-*-sysv5*)
@@ -460,11 +478,14 @@ mips-sony-bsd|mips-sony-newsos4)
460 AC_DEFINE(SETEUID_BREAKS_SETUID) 478 AC_DEFINE(SETEUID_BREAKS_SETUID)
461 AC_DEFINE(BROKEN_SETREUID) 479 AC_DEFINE(BROKEN_SETREUID)
462 AC_DEFINE(BROKEN_SETREGID) 480 AC_DEFINE(BROKEN_SETREGID)
463 AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd]) 481 AC_DEFINE(PASSWD_NEEDS_USERNAME)
464 case "$host" in 482 case "$host" in
465 *-*-sysv5SCO_SV*) # SCO OpenServer 6.x 483 *-*-sysv5SCO_SV*) # SCO OpenServer 6.x
466 TEST_SHELL=/u95/bin/sh 484 TEST_SHELL=/u95/bin/sh
467 AC_DEFINE(BROKEN_LIBIAF, 1, [ia_uinfo routines not supported by OS yet]) 485 AC_DEFINE(BROKEN_LIBIAF, 1,
486 [ia_uinfo routines not supported by OS yet])
487 ;;
488 *) AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
468 ;; 489 ;;
469 esac 490 esac
470 ;; 491 ;;
@@ -490,13 +511,14 @@ mips-sony-bsd|mips-sony-newsos4)
490 AC_DEFINE(BROKEN_SETREGID) 511 AC_DEFINE(BROKEN_SETREGID)
491 AC_DEFINE(WITH_ABBREV_NO_TTY) 512 AC_DEFINE(WITH_ABBREV_NO_TTY)
492 AC_DEFINE(BROKEN_UPDWTMPX) 513 AC_DEFINE(BROKEN_UPDWTMPX)
493 AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd]) 514 AC_DEFINE(PASSWD_NEEDS_USERNAME)
494 AC_CHECK_FUNCS(getluid setluid) 515 AC_CHECK_FUNCS(getluid setluid)
495 MANTYPE=man 516 MANTYPE=man
496 TEST_SHELL=ksh 517 TEST_SHELL=ksh
497 ;; 518 ;;
498*-*-unicosmk*) 519*-*-unicosmk*)
499 AC_DEFINE(NO_SSH_LASTLOG) 520 AC_DEFINE(NO_SSH_LASTLOG, 1,
521 [Define if you don't want to use lastlog in session.c])
500 AC_DEFINE(SETEUID_BREAKS_SETUID) 522 AC_DEFINE(SETEUID_BREAKS_SETUID)
501 AC_DEFINE(BROKEN_SETREUID) 523 AC_DEFINE(BROKEN_SETREUID)
502 AC_DEFINE(BROKEN_SETREGID) 524 AC_DEFINE(BROKEN_SETREGID)
@@ -543,13 +565,18 @@ mips-sony-bsd|mips-sony-newsos4)
543 if test -z "$no_osfsia" ; then 565 if test -z "$no_osfsia" ; then
544 if test -f /etc/sia/matrix.conf; then 566 if test -f /etc/sia/matrix.conf; then
545 AC_MSG_RESULT(yes) 567 AC_MSG_RESULT(yes)
546 AC_DEFINE(HAVE_OSF_SIA) 568 AC_DEFINE(HAVE_OSF_SIA, 1,
547 AC_DEFINE(DISABLE_LOGIN) 569 [Define if you have Digital Unix Security
570 Integration Architecture])
571 AC_DEFINE(DISABLE_LOGIN, 1,
572 [Define if you don't want to use your
573 system's login() call])
548 AC_DEFINE(DISABLE_FD_PASSING) 574 AC_DEFINE(DISABLE_FD_PASSING)
549 LIBS="$LIBS -lsecurity -ldb -lm -laud" 575 LIBS="$LIBS -lsecurity -ldb -lm -laud"
550 else 576 else
551 AC_MSG_RESULT(no) 577 AC_MSG_RESULT(no)
552 AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin") 578 AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin",
579 [String used in /etc/passwd to denote locked account])
553 fi 580 fi
554 fi 581 fi
555 AC_DEFINE(BROKEN_GETADDRINFO) 582 AC_DEFINE(BROKEN_GETADDRINFO)
@@ -558,24 +585,25 @@ mips-sony-bsd|mips-sony-newsos4)
558 AC_DEFINE(BROKEN_SETREGID) 585 AC_DEFINE(BROKEN_SETREGID)
559 ;; 586 ;;
560 587
561*-*-nto-qnx) 588*-*-nto-qnx*)
562 AC_DEFINE(USE_PIPES) 589 AC_DEFINE(USE_PIPES)
563 AC_DEFINE(NO_X11_UNIX_SOCKETS) 590 AC_DEFINE(NO_X11_UNIX_SOCKETS)
564 AC_DEFINE(MISSING_NFDBITS) 591 AC_DEFINE(MISSING_NFDBITS, 1, [Define on *nto-qnx systems])
565 AC_DEFINE(MISSING_HOWMANY) 592 AC_DEFINE(MISSING_HOWMANY, 1, [Define on *nto-qnx systems])
566 AC_DEFINE(MISSING_FD_MASK) 593 AC_DEFINE(MISSING_FD_MASK, 1, [Define on *nto-qnx systems])
594 AC_DEFINE(DISABLE_LASTLOG)
567 ;; 595 ;;
568 596
569*-*-ultrix*) 597*-*-ultrix*)
570 AC_DEFINE(BROKEN_GETGROUPS, [], [getgroups(0,NULL) will return -1]) 598 AC_DEFINE(BROKEN_GETGROUPS, 1, [getgroups(0,NULL) will return -1])
571 AC_DEFINE(BROKEN_MMAP, [], [Ultrix mmap can't map files]) 599 AC_DEFINE(BROKEN_MMAP, 1, [Ultrix mmap can't map files])
572 AC_DEFINE(NEED_SETPRGP, [], [Need setpgrp to acquire controlling tty]) 600 AC_DEFINE(NEED_SETPGRP)
573 AC_DEFINE(HAVE_SYS_SYSLOG_H, 1, [Force use of sys/syslog.h on Ultrix]) 601 AC_DEFINE(HAVE_SYS_SYSLOG_H, 1, [Force use of sys/syslog.h on Ultrix])
574 ;; 602 ;;
575 603
576*-*-lynxos) 604*-*-lynxos)
577 CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__" 605 CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
578 AC_DEFINE(MISSING_HOWMANY) 606 AC_DEFINE(MISSING_HOWMANY)
579 AC_DEFINE(BROKEN_SETVBUF, 1, [LynxOS has broken setvbuf() implementation]) 607 AC_DEFINE(BROKEN_SETVBUF, 1, [LynxOS has broken setvbuf() implementation])
580 ;; 608 ;;
581esac 609esac
@@ -622,7 +650,7 @@ AC_ARG_WITH(Werror,
622 [ 650 [
623 if test -n "$withval" && test "x$withval" != "xno"; then 651 if test -n "$withval" && test "x$withval" != "xno"; then
624 werror_flags="-Werror" 652 werror_flags="-Werror"
625 if "x${withval}" != "xyes"; then 653 if test "x${withval}" != "xyes"; then
626 werror_flags="$withval" 654 werror_flags="$withval"
627 fi 655 fi
628 fi 656 fi
@@ -655,7 +683,6 @@ AC_CHECK_HEADERS( \
655 glob.h \ 683 glob.h \
656 ia.h \ 684 ia.h \
657 iaf.h \ 685 iaf.h \
658 lastlog.h \
659 limits.h \ 686 limits.h \
660 login.h \ 687 login.h \
661 login_cap.h \ 688 login_cap.h \
@@ -663,7 +690,6 @@ AC_CHECK_HEADERS( \
663 ndir.h \ 690 ndir.h \
664 netdb.h \ 691 netdb.h \
665 netgroup.h \ 692 netgroup.h \
666 netinet/in_systm.h \
667 pam/pam_appl.h \ 693 pam/pam_appl.h \
668 paths.h \ 694 paths.h \
669 pty.h \ 695 pty.h \
@@ -705,6 +731,13 @@ AC_CHECK_HEADERS( \
705 vis.h \ 731 vis.h \
706) 732)
707 733
734# lastlog.h requires sys/time.h to be included first on Solaris
735AC_CHECK_HEADERS(lastlog.h, [], [], [
736#ifdef HAVE_SYS_TIME_H
737# include <sys/time.h>
738#endif
739])
740
708# sys/ptms.h requires sys/stream.h to be included first on Solaris 741# sys/ptms.h requires sys/stream.h to be included first on Solaris
709AC_CHECK_HEADERS(sys/ptms.h, [], [], [ 742AC_CHECK_HEADERS(sys/ptms.h, [], [], [
710#ifdef HAVE_SYS_STREAM_H 743#ifdef HAVE_SYS_STREAM_H
@@ -723,8 +756,8 @@ AC_CHECK_FUNCS(dirname, [AC_CHECK_HEADERS(libgen.h)] ,[
723 ac_cv_have_broken_dirname, [ 756 ac_cv_have_broken_dirname, [
724 save_LIBS="$LIBS" 757 save_LIBS="$LIBS"
725 LIBS="$LIBS -lgen" 758 LIBS="$LIBS -lgen"
726 AC_TRY_RUN( 759 AC_RUN_IFELSE(
727 [ 760 [AC_LANG_SOURCE([[
728#include <libgen.h> 761#include <libgen.h>
729#include <string.h> 762#include <string.h>
730 763
@@ -739,9 +772,10 @@ int main(int argc, char **argv) {
739 exit(0); 772 exit(0);
740 } 773 }
741} 774}
742 ], 775 ]])],
776 [ ac_cv_have_broken_dirname="no" ],
777 [ ac_cv_have_broken_dirname="yes" ],
743 [ ac_cv_have_broken_dirname="no" ], 778 [ ac_cv_have_broken_dirname="no" ],
744 [ ac_cv_have_broken_dirname="yes" ]
745 ) 779 )
746 LIBS="$save_LIBS" 780 LIBS="$save_LIBS"
747 ]) 781 ])
@@ -755,7 +789,8 @@ int main(int argc, char **argv) {
755 789
756AC_CHECK_FUNC(getspnam, , 790AC_CHECK_FUNC(getspnam, ,
757 AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen")) 791 AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen"))
758AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) 792AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME, 1,
793 [Define if you have the basename function.]))
759 794
760dnl zlib is required 795dnl zlib is required
761AC_ARG_WITH(zlib, 796AC_ARG_WITH(zlib,
@@ -859,14 +894,15 @@ dnl UnixWare 2.x
859AC_CHECK_FUNC(strcasecmp, 894AC_CHECK_FUNC(strcasecmp,
860 [], [ AC_CHECK_LIB(resolv, strcasecmp, LIBS="$LIBS -lresolv") ] 895 [], [ AC_CHECK_LIB(resolv, strcasecmp, LIBS="$LIBS -lresolv") ]
861) 896)
862AC_CHECK_FUNC(utimes, 897AC_CHECK_FUNCS(utimes,
863 [], [ AC_CHECK_LIB(c89, utimes, [AC_DEFINE(HAVE_UTIMES) 898 [], [ AC_CHECK_LIB(c89, utimes, [AC_DEFINE(HAVE_UTIMES)
864 LIBS="$LIBS -lc89"]) ] 899 LIBS="$LIBS -lc89"]) ]
865) 900)
866 901
867dnl Checks for libutil functions 902dnl Checks for libutil functions
868AC_CHECK_HEADERS(libutil.h) 903AC_CHECK_HEADERS(libutil.h)
869AC_SEARCH_LIBS(login, util bsd, [AC_DEFINE(HAVE_LOGIN)]) 904AC_SEARCH_LIBS(login, util bsd, [AC_DEFINE(HAVE_LOGIN, 1,
905 [Define if your libraries define login()])])
870AC_CHECK_FUNCS(logout updwtmp logwtmp) 906AC_CHECK_FUNCS(logout updwtmp logwtmp)
871 907
872AC_FUNC_STRFTIME 908AC_FUNC_STRFTIME
@@ -881,7 +917,9 @@ AC_EGREP_CPP(FOUNDIT,
881 #endif 917 #endif
882 ], 918 ],
883 [ 919 [
884 AC_DEFINE(GLOB_HAS_ALTDIRFUNC) 920 AC_DEFINE(GLOB_HAS_ALTDIRFUNC, 1,
921 [Define if your system glob() function has
922 the GLOB_ALTDIRFUNC extension])
885 AC_MSG_RESULT(yes) 923 AC_MSG_RESULT(yes)
886 ], 924 ],
887 [ 925 [
@@ -897,7 +935,9 @@ AC_EGREP_CPP(FOUNDIT,
897 int main(void){glob_t g; g.gl_matchc = 1;} 935 int main(void){glob_t g; g.gl_matchc = 1;}
898 ], 936 ],
899 [ 937 [
900 AC_DEFINE(GLOB_HAS_GL_MATCHC) 938 AC_DEFINE(GLOB_HAS_GL_MATCHC, 1,
939 [Define if your system glob() function has
940 gl_matchc options in glob_t])
901 AC_MSG_RESULT(yes) 941 AC_MSG_RESULT(yes)
902 ], 942 ],
903 [ 943 [
@@ -915,7 +955,9 @@ int main(void){struct dirent d;exit(sizeof(d.d_name)<=sizeof(char));}
915 [AC_MSG_RESULT(yes)], 955 [AC_MSG_RESULT(yes)],
916 [ 956 [
917 AC_MSG_RESULT(no) 957 AC_MSG_RESULT(no)
918 AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME) 958 AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME, 1,
959 [Define if your struct dirent expects you to
960 allocate extra space for d_name])
919 ], 961 ],
920 [ 962 [
921 AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME]) 963 AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
@@ -925,7 +967,7 @@ int main(void){struct dirent d;exit(sizeof(d.d_name)<=sizeof(char));}
925 967
926AC_MSG_CHECKING([for /proc/pid/fd directory]) 968AC_MSG_CHECKING([for /proc/pid/fd directory])
927if test -d "/proc/$$/fd" ; then 969if test -d "/proc/$$/fd" ; then
928 AC_DEFINE(HAVE_PROC_PID) 970 AC_DEFINE(HAVE_PROC_PID, 1, [Define if you have /proc/$pid/fd])
929 AC_MSG_RESULT(yes) 971 AC_MSG_RESULT(yes)
930else 972else
931 AC_MSG_RESULT(no) 973 AC_MSG_RESULT(no)
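Review bot: `test -d "/proc/$$/fd"` inspects the filesystem of the machine running configure, so `HAVE_PROC_PID` describes the build environment rather than the system the binaries will run on. In a cross build, or in a build chroot without /proc mounted, the define can be wrong in either direction; how the code uses it is not visible here, so the impact is an assumption. Unlike the run-time tests elsewhere in this file, there is no cross-compiling branch, and a comment above the test would at least record that, e.g. `# NB: this probes the build host, not the target; result is unreliable when cross compiling`. The `if` block is closed outside the hunk.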
@@ -943,17 +985,17 @@ AC_ARG_WITH(skey,
943 LDFLAGS="$LDFLAGS -L${withval}/lib" 985 LDFLAGS="$LDFLAGS -L${withval}/lib"
944 fi 986 fi
945 987
946 AC_DEFINE(SKEY) 988 AC_DEFINE(SKEY, 1, [Define if you want S/Key support])
947 LIBS="-lskey $LIBS" 989 LIBS="-lskey $LIBS"
948 SKEY_MSG="yes" 990 SKEY_MSG="yes"
949 991
950 AC_MSG_CHECKING([for s/key support]) 992 AC_MSG_CHECKING([for s/key support])
951 AC_TRY_RUN( 993 AC_LINK_IFELSE(
952 [ 994 [AC_LANG_SOURCE([[
953#include <stdio.h> 995#include <stdio.h>
954#include <skey.h> 996#include <skey.h>
955int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); } 997int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); }
956 ], 998 ]])],
957 [AC_MSG_RESULT(yes)], 999 [AC_MSG_RESULT(yes)],
958 [ 1000 [
959 AC_MSG_RESULT(no) 1001 AC_MSG_RESULT(no)
@@ -965,7 +1007,9 @@ int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); }
965 #include <skey.h>], 1007 #include <skey.h>],
966 [(void)skeychallenge(NULL,"name","",0);], 1008 [(void)skeychallenge(NULL,"name","",0);],
967 [AC_MSG_RESULT(yes) 1009 [AC_MSG_RESULT(yes)
968 AC_DEFINE(SKEYCHALLENGE_4ARG)], 1010 AC_DEFINE(SKEYCHALLENGE_4ARG, 1,
1011 [Define if your skeychallenge()
1012 function takes 4 arguments (NetBSD)])],
969 [AC_MSG_RESULT(no)] 1013 [AC_MSG_RESULT(no)]
970 ) 1014 )
971 fi 1015 fi
@@ -1016,7 +1060,9 @@ AC_ARG_WITH(tcp-wrappers,
1016 [hosts_access(0);], 1060 [hosts_access(0);],
1017 [ 1061 [
1018 AC_MSG_RESULT(yes) 1062 AC_MSG_RESULT(yes)
1019 AC_DEFINE(LIBWRAP) 1063 AC_DEFINE(LIBWRAP, 1,
1064 [Define if you want
1065 TCP Wrappers support])
1020 AC_SUBST(LIBWRAP) 1066 AC_SUBST(LIBWRAP)
1021 TCPW_MSG="yes" 1067 TCPW_MSG="yes"
1022 ], 1068 ],
@@ -1035,11 +1081,15 @@ AC_ARG_WITH(libedit,
1035 [ --with-libedit[[=PATH]] Enable libedit support for sftp], 1081 [ --with-libedit[[=PATH]] Enable libedit support for sftp],
1036 [ if test "x$withval" != "xno" ; then 1082 [ if test "x$withval" != "xno" ; then
1037 if test "x$withval" != "xyes"; then 1083 if test "x$withval" != "xyes"; then
1038 CPPFLAGS="$CPPFLAGS -I$withval/include" 1084 CPPFLAGS="$CPPFLAGS -I${withval}/include"
1039 LDFLAGS="$LDFLAGS -L$withval/lib" 1085 if test -n "${need_dash_r}"; then
1086 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1087 else
1088 LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1089 fi
1040 fi 1090 fi
1041 AC_CHECK_LIB(edit, el_init, 1091 AC_CHECK_LIB(edit, el_init,
1042 [ AC_DEFINE(USE_LIBEDIT, [], [Use libedit for sftp]) 1092 [ AC_DEFINE(USE_LIBEDIT, 1, [Use libedit for sftp])
1043 LIBEDIT="-ledit -lcurses" 1093 LIBEDIT="-ledit -lcurses"
1044 LIBEDIT_MSG="yes" 1094 LIBEDIT_MSG="yes"
1045 AC_SUBST(LIBEDIT) 1095 AC_SUBST(LIBEDIT)
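Review bot: `LDFLAGS` is now built as `-L${withval}/lib ... ${LDFLAGS}`, so the libedit prefix is placed ahead of every library directory configured earlier, where the old line appended it. Any other library that also exists under `${withval}/lib` would then be taken from there at link time, and with `need_dash_r` set the same directory is recorded as a run-time search path. If the ordering is intended, a comment above the assignment would help, e.g. `# libedit dir goes first so it wins over earlier -L entries; PATH must not be writable by unprivileged users`. The `AC_ARG_WITH(libedit, ...)` block continues past the end of the hunk.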
@@ -1083,12 +1133,12 @@ AC_ARG_WITH(audit,
1083 [AC_MSG_ERROR(BSM enabled and required function not found)]) 1133 [AC_MSG_ERROR(BSM enabled and required function not found)])
1084 # These are optional 1134 # These are optional
1085 AC_CHECK_FUNCS(getaudit_addr) 1135 AC_CHECK_FUNCS(getaudit_addr)
1086 AC_DEFINE(USE_BSM_AUDIT, [], [Use BSM audit module]) 1136 AC_DEFINE(USE_BSM_AUDIT, 1, [Use BSM audit module])
1087 ;; 1137 ;;
1088 debug) 1138 debug)
1089 AUDIT_MODULE=debug 1139 AUDIT_MODULE=debug
1090 AC_MSG_RESULT(debug) 1140 AC_MSG_RESULT(debug)
1091 AC_DEFINE(SSH_AUDIT_EVENTS, [], Use audit debugging module) 1141 AC_DEFINE(SSH_AUDIT_EVENTS, 1, Use audit debugging module)
1092 ;; 1142 ;;
1093 no) 1143 no)
1094 AC_MSG_RESULT(no) 1144 AC_MSG_RESULT(no)
@@ -1102,6 +1152,7 @@ AC_ARG_WITH(audit,
1102dnl Checks for library functions. Please keep in alphabetical order 1152dnl Checks for library functions. Please keep in alphabetical order
1103AC_CHECK_FUNCS( \ 1153AC_CHECK_FUNCS( \
1104 arc4random \ 1154 arc4random \
1155 asprintf \
1105 b64_ntop \ 1156 b64_ntop \
1106 __b64_ntop \ 1157 __b64_ntop \
1107 b64_pton \ 1158 b64_pton \
@@ -1177,7 +1228,7 @@ AC_CHECK_FUNCS( \
1177 truncate \ 1228 truncate \
1178 unsetenv \ 1229 unsetenv \
1179 updwtmpx \ 1230 updwtmpx \
1180 utimes \ 1231 vasprintf \
1181 vhangup \ 1232 vhangup \
1182 vsnprintf \ 1233 vsnprintf \
1183 waitpid \ 1234 waitpid \
@@ -1198,7 +1249,8 @@ str = gai_strerror(0);],[
1198 AC_DEFINE(HAVE_CONST_GAI_STRERROR_PROTO, 1, 1249 AC_DEFINE(HAVE_CONST_GAI_STRERROR_PROTO, 1,
1199 [Define if gai_strerror() returns const char *])])]) 1250 [Define if gai_strerror() returns const char *])])])
1200 1251
1201AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP)) 1252AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP, 1,
1253 [Some systems put nanosleep outside of libc]))
1202 1254
1203dnl Make sure prototypes are defined for these before using them. 1255dnl Make sure prototypes are defined for these before using them.
1204AC_CHECK_DECL(getrusage, [AC_CHECK_FUNCS(getrusage)]) 1256AC_CHECK_DECL(getrusage, [AC_CHECK_FUNCS(getrusage)])
@@ -1230,7 +1282,8 @@ AC_CHECK_FUNCS(setresuid, [
1230int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);} 1282int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
1231 ]])], 1283 ]])],
1232 [AC_MSG_RESULT(yes)], 1284 [AC_MSG_RESULT(yes)],
1233 [AC_DEFINE(BROKEN_SETRESUID) 1285 [AC_DEFINE(BROKEN_SETRESUID, 1,
1286 [Define if your setresuid() is broken])
1234 AC_MSG_RESULT(not implemented)], 1287 AC_MSG_RESULT(not implemented)],
1235 [AC_MSG_WARN([cross compiling: not checking setresuid])] 1288 [AC_MSG_WARN([cross compiling: not checking setresuid])]
1236 ) 1289 )
@@ -1246,7 +1299,8 @@ AC_CHECK_FUNCS(setresgid, [
1246int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);} 1299int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
1247 ]])], 1300 ]])],
1248 [AC_MSG_RESULT(yes)], 1301 [AC_MSG_RESULT(yes)],
1249 [AC_DEFINE(BROKEN_SETRESGID) 1302 [AC_DEFINE(BROKEN_SETRESGID, 1,
1303 [Define if your setresgid() is broken])
1250 AC_MSG_RESULT(not implemented)], 1304 AC_MSG_RESULT(not implemented)],
1251 [AC_MSG_WARN([cross compiling: not checking setresuid])] 1305 [AC_MSG_WARN([cross compiling: not checking setresuid])]
1252 ) 1306 )
@@ -1262,13 +1316,16 @@ AC_CHECK_FUNCS(endutxent getutxent getutxid getutxline pututxline )
1262AC_CHECK_FUNCS(setutxent utmpxname) 1316AC_CHECK_FUNCS(setutxent utmpxname)
1263 1317
1264AC_CHECK_FUNC(daemon, 1318AC_CHECK_FUNC(daemon,
1265 [AC_DEFINE(HAVE_DAEMON)], 1319 [AC_DEFINE(HAVE_DAEMON, 1, [Define if your libraries define daemon()])],
1266 [AC_CHECK_LIB(bsd, daemon, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)])] 1320 [AC_CHECK_LIB(bsd, daemon,
1321 [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)])]
1267) 1322)
1268 1323
1269AC_CHECK_FUNC(getpagesize, 1324AC_CHECK_FUNC(getpagesize,
1270 [AC_DEFINE(HAVE_GETPAGESIZE)], 1325 [AC_DEFINE(HAVE_GETPAGESIZE, 1,
1271 [AC_CHECK_LIB(ucb, getpagesize, [LIBS="$LIBS -lucb"; AC_DEFINE(HAVE_GETPAGESIZE)])] 1326 [Define if your libraries define getpagesize()])],
1327 [AC_CHECK_LIB(ucb, getpagesize,
1328 [LIBS="$LIBS -lucb"; AC_DEFINE(HAVE_GETPAGESIZE)])]
1272) 1329)
1273 1330
1274# Check for broken snprintf 1331# Check for broken snprintf
@@ -1282,13 +1339,62 @@ int main(void){char b[5];snprintf(b,5,"123456789");exit(b[4]!='\0');}
1282 [AC_MSG_RESULT(yes)], 1339 [AC_MSG_RESULT(yes)],
1283 [ 1340 [
1284 AC_MSG_RESULT(no) 1341 AC_MSG_RESULT(no)
1285 AC_DEFINE(BROKEN_SNPRINTF) 1342 AC_DEFINE(BROKEN_SNPRINTF, 1,
1343 [Define if your snprintf is busted])
1286 AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor]) 1344 AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
1287 ], 1345 ],
1288 [ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ] 1346 [ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
1289 ) 1347 )
1290fi 1348fi
1291 1349
1350# If we don't have a working asprintf, then we strongly depend on vsnprintf
1351# returning the right thing on overflow: the number of characters it tried to
1352# create (as per SUSv3)
1353if test "x$ac_cv_func_asprintf" != "xyes" && \
1354 test "x$ac_cv_func_vsnprintf" = "xyes" ; then
1355 AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
1356 AC_RUN_IFELSE(
1357 [AC_LANG_SOURCE([[
1358#include <sys/types.h>
1359#include <stdio.h>
1360#include <stdarg.h>
1361
1362int x_snprintf(char *str,size_t count,const char *fmt,...)
1363{
1364 size_t ret; va_list ap;
1365 va_start(ap, fmt); ret = vsnprintf(str, count, fmt, ap); va_end(ap);
1366 return ret;
1367}
1368int main(void)
1369{
1370 char x[1];
1371 exit(x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1);
1372} ]])],
1373 [AC_MSG_RESULT(yes)],
1374 [
1375 AC_MSG_RESULT(no)
1376 AC_DEFINE(BROKEN_SNPRINTF, 1,
1377 [Define if your snprintf is busted])
1378 AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
1379 ],
1380 [ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
1381 )
1382fi
1383
1384# On systems where [v]snprintf is broken, but is declared in stdio,
1385# check that the fmt argument is const char * or just char *.
1386# This is only useful for when BROKEN_SNPRINTF
1387AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
1388AC_COMPILE_IFELSE([AC_LANG_SOURCE([[#include <stdio.h>
1389 int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
1390 int main(void) { snprintf(0, 0, 0); }
1391 ]])],
1392 [AC_MSG_RESULT(yes)
1393 AC_DEFINE(SNPRINTF_CONST, [const],
1394 [Define as const if snprintf() can declare const char *fmt])],
1395 [AC_MSG_RESULT(no)
1396 AC_DEFINE(SNPRINTF_CONST, [/* not const */])])
1397
1292# Check for missing getpeereid (or equiv) support 1398# Check for missing getpeereid (or equiv) support
1293NO_PEERCHECK="" 1399NO_PEERCHECK=""
1294if test "x$ac_cv_func_getpeereid" != "xyes" ; then 1400if test "x$ac_cv_func_getpeereid" != "xyes" ; then
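Review bot: The vsnprintf overflow probe (new lines 1353-1382) takes the optimistic branch when cross compiling, printing `cross compiling: Assuming working vsnprintf()`. Its own comment says the asprintf replacement strongly depends on vsnprintf returning the attempted length. A libc that returns -1 or the truncated length on overflow would then go unnoticed, and the replacement would presumably size its buffer from a wrong value. Defining BROKEN_SNPRINTF in that third branch is the conservative default. The probe also calls `exit()` without `#include <stdlib.h>` and keeps vsnprintf's int result in `size_t ret`, so `int ret;` plus the include would stop it failing for unrelated reasons on stricter compilers.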
@@ -1298,7 +1404,7 @@ if test "x$ac_cv_func_getpeereid" != "xyes" ; then
1298 #include <sys/socket.h>], 1404 #include <sys/socket.h>],
1299 [int i = SO_PEERCRED;], 1405 [int i = SO_PEERCRED;],
1300 [ AC_MSG_RESULT(yes) 1406 [ AC_MSG_RESULT(yes)
1301 AC_DEFINE(HAVE_SO_PEERCRED, [], [Have PEERCRED socket option]) 1407 AC_DEFINE(HAVE_SO_PEERCRED, 1, [Have PEERCRED socket option])
1302 ], 1408 ],
1303 [AC_MSG_RESULT(no) 1409 [AC_MSG_RESULT(no)
1304 NO_PEERCHECK=1] 1410 NO_PEERCHECK=1]
@@ -1308,21 +1414,21 @@ fi
1308dnl see whether mkstemp() requires XXXXXX 1414dnl see whether mkstemp() requires XXXXXX
1309if test "x$ac_cv_func_mkdtemp" = "xyes" ; then 1415if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
1310AC_MSG_CHECKING([for (overly) strict mkstemp]) 1416AC_MSG_CHECKING([for (overly) strict mkstemp])
1311AC_TRY_RUN( 1417AC_RUN_IFELSE(
1312 [ 1418 [AC_LANG_SOURCE([[
1313#include <stdlib.h> 1419#include <stdlib.h>
1314main() { char template[]="conftest.mkstemp-test"; 1420main() { char template[]="conftest.mkstemp-test";
1315if (mkstemp(template) == -1) 1421if (mkstemp(template) == -1)
1316 exit(1); 1422 exit(1);
1317unlink(template); exit(0); 1423unlink(template); exit(0);
1318} 1424}
1319 ], 1425 ]])],
1320 [ 1426 [
1321 AC_MSG_RESULT(no) 1427 AC_MSG_RESULT(no)
1322 ], 1428 ],
1323 [ 1429 [
1324 AC_MSG_RESULT(yes) 1430 AC_MSG_RESULT(yes)
1325 AC_DEFINE(HAVE_STRICT_MKSTEMP) 1431 AC_DEFINE(HAVE_STRICT_MKSTEMP, 1, [Silly mkstemp()])
1326 ], 1432 ],
1327 [ 1433 [
1328 AC_MSG_RESULT(yes) 1434 AC_MSG_RESULT(yes)
@@ -1334,8 +1440,8 @@ fi
1334dnl make sure that openpty does not reacquire controlling terminal 1440dnl make sure that openpty does not reacquire controlling terminal
1335if test ! -z "$check_for_openpty_ctty_bug"; then 1441if test ! -z "$check_for_openpty_ctty_bug"; then
1336 AC_MSG_CHECKING(if openpty correctly handles controlling tty) 1442 AC_MSG_CHECKING(if openpty correctly handles controlling tty)
1337 AC_TRY_RUN( 1443 AC_RUN_IFELSE(
1338 [ 1444 [AC_LANG_SOURCE([[
1339#include <stdio.h> 1445#include <stdio.h>
1340#include <sys/fcntl.h> 1446#include <sys/fcntl.h>
1341#include <sys/types.h> 1447#include <sys/types.h>
@@ -1367,13 +1473,16 @@ main()
1367 exit(0); /* Did not acquire ctty: OK */ 1473 exit(0); /* Did not acquire ctty: OK */
1368 } 1474 }
1369} 1475}
1370 ], 1476 ]])],
1371 [ 1477 [
1372 AC_MSG_RESULT(yes) 1478 AC_MSG_RESULT(yes)
1373 ], 1479 ],
1374 [ 1480 [
1375 AC_MSG_RESULT(no) 1481 AC_MSG_RESULT(no)
1376 AC_DEFINE(SSHD_ACQUIRES_CTTY) 1482 AC_DEFINE(SSHD_ACQUIRES_CTTY)
1483 ],
1484 [
1485 AC_MSG_RESULT(cross-compiling, assuming yes)
1377 ] 1486 ]
1378 ) 1487 )
1379fi 1488fi
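Review bot: The added cross-compile branch calls `AC_MSG_RESULT(cross-compiling, assuming yes)` with an unquoted comma, so m4 splits the text into two arguments and configure prints only "cross-compiling". Quote the message as `AC_MSG_RESULT([cross-compiling, assuming yes])`; the same applies to new lines 1557 and 1619 in the two getaddrinfo hunks. `AC_DEFINE(SSHD_ACQUIRES_CTTY)` at new line 1482 is also left in the one-argument form, as is `AC_DEFINE(BROKEN_GETADDRINFO)` further down. If no other AC_DEFINE of those symbols carries a description, autoheader has no template for them. The AC_RUN_IFELSE call opens in the previous hunk.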
@@ -1381,8 +1490,8 @@ fi
1381if test "x$ac_cv_func_getaddrinfo" = "xyes" && \ 1490if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
1382 test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then 1491 test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
1383 AC_MSG_CHECKING(if getaddrinfo seems to work) 1492 AC_MSG_CHECKING(if getaddrinfo seems to work)
1384 AC_TRY_RUN( 1493 AC_RUN_IFELSE(
1385 [ 1494 [AC_LANG_SOURCE([[
1386#include <stdio.h> 1495#include <stdio.h>
1387#include <sys/socket.h> 1496#include <sys/socket.h>
1388#include <netdb.h> 1497#include <netdb.h>
@@ -1436,13 +1545,16 @@ main(void)
1436 } 1545 }
1437 exit(0); 1546 exit(0);
1438} 1547}
1439 ], 1548 ]])],
1440 [ 1549 [
1441 AC_MSG_RESULT(yes) 1550 AC_MSG_RESULT(yes)
1442 ], 1551 ],
1443 [ 1552 [
1444 AC_MSG_RESULT(no) 1553 AC_MSG_RESULT(no)
1445 AC_DEFINE(BROKEN_GETADDRINFO) 1554 AC_DEFINE(BROKEN_GETADDRINFO)
1555 ],
1556 [
1557 AC_MSG_RESULT(cross-compiling, assuming yes)
1446 ] 1558 ]
1447 ) 1559 )
1448fi 1560fi
@@ -1450,8 +1562,8 @@ fi
1450if test "x$ac_cv_func_getaddrinfo" = "xyes" && \ 1562if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
1451 test "x$check_for_aix_broken_getaddrinfo" = "x1"; then 1563 test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
1452 AC_MSG_CHECKING(if getaddrinfo seems to work) 1564 AC_MSG_CHECKING(if getaddrinfo seems to work)
1453 AC_TRY_RUN( 1565 AC_RUN_IFELSE(
1454 [ 1566 [AC_LANG_SOURCE([[
1455#include <stdio.h> 1567#include <stdio.h>
1456#include <sys/socket.h> 1568#include <sys/socket.h>
1457#include <netdb.h> 1569#include <netdb.h>
@@ -1493,15 +1605,18 @@ main(void)
1493 } 1605 }
1494 exit(0); 1606 exit(0);
1495} 1607}
1496 ], 1608 ]])],
1497 [ 1609 [
1498 AC_MSG_RESULT(yes) 1610 AC_MSG_RESULT(yes)
1499 AC_DEFINE(AIX_GETNAMEINFO_HACK, [], 1611 AC_DEFINE(AIX_GETNAMEINFO_HACK, 1,
1500[Define if you have a getaddrinfo that fails for the all-zeros IPv6 address]) 1612 [Define if you have a getaddrinfo that fails
1613 for the all-zeros IPv6 address])
1501 ], 1614 ],
1502 [ 1615 [
1503 AC_MSG_RESULT(no) 1616 AC_MSG_RESULT(no)
1504 AC_DEFINE(BROKEN_GETADDRINFO) 1617 AC_DEFINE(BROKEN_GETADDRINFO)
1618 ],
1619 AC_MSG_RESULT(cross-compiling, assuming no)
1505 ] 1620 ]
1506 ) 1621 )
1507fi 1622fi
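Review bot: The cross-compile branch added at new lines 1618-1620 has unbalanced m4 quotes. The `],` on 1618 closes the action-if-false block, `AC_MSG_RESULT(cross-compiling, assuming no)` follows with no opening `[`, and the `]` on 1620 then has nothing to match. The HP-UX and openpty hunks open that branch with a `[` on its own line, and this one should do the same before line 1619. The message also needs quoting because of its comma: `AC_MSG_RESULT([cross-compiling, assuming no])`. As written, the stray bracket can change how the rest of the AC_RUN_IFELSE call is parsed, so check the generated configure for this test.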
@@ -1544,7 +1659,8 @@ AC_ARG_WITH(pam,
1544 1659
1545 PAM_MSG="yes" 1660 PAM_MSG="yes"
1546 1661
1547 AC_DEFINE(USE_PAM) 1662 AC_DEFINE(USE_PAM, 1,
1663 [Define if you want to enable PAM support])
1548 if test $ac_cv_lib_dl_dlopen = yes; then 1664 if test $ac_cv_lib_dl_dlopen = yes; then
1549 LIBPAM="-lpam -ldl" 1665 LIBPAM="-lpam -ldl"
1550 else 1666 else
@@ -1571,7 +1687,9 @@ if test "x$PAM_MSG" = "xyes" ; then
1571 [(void)pam_strerror((pam_handle_t *)NULL, -1);], 1687 [(void)pam_strerror((pam_handle_t *)NULL, -1);],
1572 [AC_MSG_RESULT(no)], 1688 [AC_MSG_RESULT(no)],
1573 [ 1689 [
1574 AC_DEFINE(HAVE_OLD_PAM) 1690 AC_DEFINE(HAVE_OLD_PAM, 1,
1691 [Define if you have an old version of PAM
1692 which takes only one argument to pam_strerror])
1575 AC_MSG_RESULT(yes) 1693 AC_MSG_RESULT(yes)
1576 PAM_MSG="yes (old library)" 1694 PAM_MSG="yes (old library)"
1577 ] 1695 ]
@@ -1611,7 +1729,9 @@ AC_ARG_WITH(ssl-dir,
1611 ] 1729 ]
1612) 1730)
1613LIBS="-lcrypto $LIBS" 1731LIBS="-lcrypto $LIBS"
1614AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL), 1732AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL, 1,
1733 [Define if your ssl headers are included
1734 with #include <openssl/header.h>]),
1615 [ 1735 [
1616 dnl Check default openssl install dir 1736 dnl Check default openssl install dir
1617 if test -n "${need_dash_r}"; then 1737 if test -n "${need_dash_r}"; then
@@ -1721,6 +1841,24 @@ Also see contrib/findssl.sh for help identifying header/library mismatches.])
1721 ] 1841 ]
1722) 1842)
1723 1843
1844# Check for OpenSSL without EVP_aes_{192,256}_cbc
1845AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
1846AC_COMPILE_IFELSE(
1847 [AC_LANG_SOURCE([[
1848#include <string.h>
1849#include <openssl/evp.h>
1850int main(void) { exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);}
1851 ]])],
1852 [
1853 AC_MSG_RESULT(no)
1854 ],
1855 [
1856 AC_MSG_RESULT(yes)
1857 AC_DEFINE(OPENSSL_LOBOTOMISED_AES, 1,
1858 [libcrypto is missing AES 192 and 256 bit functions])
1859 ]
1860)
1861
1724# Some systems want crypt() from libcrypt, *not* the version in OpenSSL, 1862# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
1725# because the system crypt() is more featureful. 1863# because the system crypt() is more featureful.
1726if test "x$check_for_libcrypt_before" = "x1"; then 1864if test "x$check_for_libcrypt_before" = "x1"; then
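Review bot: The "crippled AES" probe uses AC_COMPILE_IFELSE, so the program is never linked or run and the `== NULL` comparison inside `exit(...)` is never evaluated. The check can only fail when compilation fails. With a compiler that accepts implicit declarations, or with headers that declare `EVP_aes_192_cbc()` and `EVP_aes_256_cbc()` while libcrypto lacks them, it reports "no" and OPENSSL_LOBOTOMISED_AES stays undefined. A link test matches the intent: `AC_LINK_IFELSE(` in place of `AC_COMPILE_IFELSE(`, with `#include <stdlib.h>` added because the program calls `exit()` but includes only `<string.h>`.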
@@ -1785,7 +1923,8 @@ AC_ARG_WITH(rand-helper,
1785# Which randomness source do we use? 1923# Which randomness source do we use?
1786if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then 1924if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then
1787 # OpenSSL only 1925 # OpenSSL only
1788 AC_DEFINE(OPENSSL_PRNG_ONLY) 1926 AC_DEFINE(OPENSSL_PRNG_ONLY, 1,
1927 [Define if you want OpenSSL's internally seeded PRNG only])
1789 RAND_MSG="OpenSSL internal ONLY" 1928 RAND_MSG="OpenSSL internal ONLY"
1790 INSTALL_SSH_RAND_HELPER="" 1929 INSTALL_SSH_RAND_HELPER=""
1791elif test ! -z "$USE_RAND_HELPER" ; then 1930elif test ! -z "$USE_RAND_HELPER" ; then
@@ -1813,7 +1952,8 @@ AC_ARG_WITH(prngd-port,
1813 esac 1952 esac
1814 if test ! -z "$withval" ; then 1953 if test ! -z "$withval" ; then
1815 PRNGD_PORT="$withval" 1954 PRNGD_PORT="$withval"
1816 AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT) 1955 AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT,
1956 [Port number of PRNGD/EGD random number socket])
1817 fi 1957 fi
1818 ] 1958 ]
1819) 1959)
@@ -1844,7 +1984,8 @@ AC_ARG_WITH(prngd-socket,
1844 AC_MSG_WARN(Entropy socket is not readable) 1984 AC_MSG_WARN(Entropy socket is not readable)
1845 fi 1985 fi
1846 PRNGD_SOCKET="$withval" 1986 PRNGD_SOCKET="$withval"
1847 AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET") 1987 AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET",
1988 [Location of PRNGD/EGD random number socket])
1848 fi 1989 fi
1849 ], 1990 ],
1850 [ 1991 [
@@ -1879,7 +2020,8 @@ AC_ARG_WITH(entropy-timeout,
1879 fi 2020 fi
1880 ] 2021 ]
1881) 2022)
1882AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout) 2023AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout,
2024 [Builtin PRNG command timeout])
1883 2025
1884SSH_PRIVSEP_USER=sshd 2026SSH_PRIVSEP_USER=sshd
1885AC_ARG_WITH(privsep-user, 2027AC_ARG_WITH(privsep-user,
@@ -1891,7 +2033,8 @@ AC_ARG_WITH(privsep-user,
1891 fi 2033 fi
1892 ] 2034 ]
1893) 2035)
1894AC_DEFINE_UNQUOTED(SSH_PRIVSEP_USER, "$SSH_PRIVSEP_USER") 2036AC_DEFINE_UNQUOTED(SSH_PRIVSEP_USER, "$SSH_PRIVSEP_USER",
2037 [non-privileged user for privilege separation])
1895AC_SUBST(SSH_PRIVSEP_USER) 2038AC_SUBST(SSH_PRIVSEP_USER)
1896 2039
1897# We do this little dance with the search path to insure 2040# We do this little dance with the search path to insure
@@ -1949,7 +2092,10 @@ if test ! -z "$SONY" ; then
1949 LIBS="$LIBS -liberty"; 2092 LIBS="$LIBS -liberty";
1950fi 2093fi
1951 2094
1952# Checks for data types 2095# Check for long long datatypes
2096AC_CHECK_TYPES([long long, unsigned long long, long double])
2097
2098# Check datatype sizes
1953AC_CHECK_SIZEOF(char, 1) 2099AC_CHECK_SIZEOF(char, 1)
1954AC_CHECK_SIZEOF(short int, 2) 2100AC_CHECK_SIZEOF(short int, 2)
1955AC_CHECK_SIZEOF(int, 4) 2101AC_CHECK_SIZEOF(int, 4)
@@ -1961,6 +2107,84 @@ if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
1961 ac_cv_sizeof_long_long_int=0 2107 ac_cv_sizeof_long_long_int=0
1962fi 2108fi
1963 2109
2110# compute LLONG_MIN and LLONG_MAX if we don't know them.
2111if test -z "$have_llong_max"; then
2112 AC_MSG_CHECKING([for max value of long long])
2113 AC_RUN_IFELSE(
2114 [AC_LANG_SOURCE([[
2115#include <stdio.h>
2116/* Why is this so damn hard? */
2117#ifdef __GNUC__
2118# undef __GNUC__
2119#endif
2120#define __USE_ISOC99
2121#include <limits.h>
2122#define DATA "conftest.llminmax"
2123int main(void) {
2124 FILE *f;
2125 long long i, llmin, llmax = 0;
2126
2127 if((f = fopen(DATA,"w")) == NULL)
2128 exit(1);
2129
2130#if defined(LLONG_MIN) && defined(LLONG_MAX)
2131 fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
2132 llmin = LLONG_MIN;
2133 llmax = LLONG_MAX;
2134#else
2135 fprintf(stderr, "Calculating LLONG_MIN and LLONG_MAX\n");
2136 /* This will work on one's complement and two's complement */
2137 for (i = 1; i > llmax; i <<= 1, i++)
2138 llmax = i;
2139 llmin = llmax + 1LL; /* wrap */
2140#endif
2141
2142 /* Sanity check */
2143 if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
2144 || llmax - 1 > llmax) {
2145 fprintf(f, "unknown unknown\n");
2146 exit(2);
2147 }
2148
2149 if (fprintf(f ,"%lld %lld", llmin, llmax) < 0)
2150 exit(3);
2151
2152 exit(0);
2153}
2154 ]])],
2155 [
2156 llong_min=`$AWK '{print $1}' conftest.llminmax`
2157 llong_max=`$AWK '{print $2}' conftest.llminmax`
2158
2159 # snprintf on some Tru64s doesn't understand "%lld"
2160 case "$host" in
2161 alpha-dec-osf*)
2162 if test "x$ac_cv_sizeof_long_long_int" = "x8" &&
2163 test "x$llong_max" = "xld"; then
2164 llong_min="-9223372036854775808"
2165 llong_max="9223372036854775807"
2166 fi
2167 ;;
2168 esac
2169
2170 AC_MSG_RESULT($llong_max)
2171 AC_DEFINE_UNQUOTED(LLONG_MAX, [${llong_max}LL],
2172 [max value of long long calculated by configure])
2173 AC_MSG_CHECKING([for min value of long long])
2174 AC_MSG_RESULT($llong_min)
2175 AC_DEFINE_UNQUOTED(LLONG_MIN, [${llong_min}LL],
2176 [min value of long long calculated by configure])
2177 ],
2178 [
2179 AC_MSG_RESULT(not found)
2180 ],
2181 [
2182 AC_MSG_WARN([cross compiling: not checking])
2183 ]
2184 )
2185fi
2186
2187
1964# More checks for data types 2188# More checks for data types
1965AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [ 2189AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
1966 AC_TRY_COMPILE( 2190 AC_TRY_COMPILE(
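Review bot: The LLONG_MIN/LLONG_MAX probe relies on signed overflow, which is undefined behaviour in C. This applies to `i <<= 1, i++` in the loop, `llmin = llmax + 1LL; /* wrap */`, and the sanity check `llmin - 1 < llmin || llmax + 1 > llmax`. An optimising compiler may fold those comparisons to constants, so the test can exit with status 2 or emit wrong limits on a perfectly normal platform. Deriving the maximum through `unsigned long long` arithmetic and validating without overflowing expressions avoids this. The awk output is also pasted into config.h as `${llong_min}LL` without checking that it is numeric; only the Tru64 "ld" case is handled. A literal such as `-9223372036854775808LL` is itself out of range before the minus is applied, so `(-LLONG_MAX - 1LL)` is the safer spelling for the minimum. These limits presumably feed range checks elsewhere in the tree, so a wrong value here is worth guarding against.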
@@ -1971,7 +2195,7 @@ AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
1971 ) 2195 )
1972]) 2196])
1973if test "x$ac_cv_have_u_int" = "xyes" ; then 2197if test "x$ac_cv_have_u_int" = "xyes" ; then
1974 AC_DEFINE(HAVE_U_INT) 2198 AC_DEFINE(HAVE_U_INT, 1, [define if you have u_int data type])
1975 have_u_int=1 2199 have_u_int=1
1976fi 2200fi
1977 2201
@@ -1984,7 +2208,7 @@ AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
1984 ) 2208 )
1985]) 2209])
1986if test "x$ac_cv_have_intxx_t" = "xyes" ; then 2210if test "x$ac_cv_have_intxx_t" = "xyes" ; then
1987 AC_DEFINE(HAVE_INTXX_T) 2211 AC_DEFINE(HAVE_INTXX_T, 1, [define if you have intxx_t data type])
1988 have_intxx_t=1 2212 have_intxx_t=1
1989fi 2213fi
1990 2214
@@ -2021,7 +2245,7 @@ AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
2021 ) 2245 )
2022]) 2246])
2023if test "x$ac_cv_have_int64_t" = "xyes" ; then 2247if test "x$ac_cv_have_int64_t" = "xyes" ; then
2024 AC_DEFINE(HAVE_INT64_T) 2248 AC_DEFINE(HAVE_INT64_T, 1, [define if you have int64_t data type])
2025fi 2249fi
2026 2250
2027AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [ 2251AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
@@ -2033,7 +2257,7 @@ AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
2033 ) 2257 )
2034]) 2258])
2035if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then 2259if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
2036 AC_DEFINE(HAVE_U_INTXX_T) 2260 AC_DEFINE(HAVE_U_INTXX_T, 1, [define if you have u_intxx_t data type])
2037 have_u_intxx_t=1 2261 have_u_intxx_t=1
2038fi 2262fi
2039 2263
@@ -2059,7 +2283,7 @@ AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
2059 ) 2283 )
2060]) 2284])
2061if test "x$ac_cv_have_u_int64_t" = "xyes" ; then 2285if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
2062 AC_DEFINE(HAVE_U_INT64_T) 2286 AC_DEFINE(HAVE_U_INT64_T, 1, [define if you have u_int64_t data type])
2063 have_u_int64_t=1 2287 have_u_int64_t=1
2064fi 2288fi
2065 2289
@@ -2088,7 +2312,8 @@ if test -z "$have_u_intxx_t" ; then
2088 ) 2312 )
2089 ]) 2313 ])
2090 if test "x$ac_cv_have_uintxx_t" = "xyes" ; then 2314 if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
2091 AC_DEFINE(HAVE_UINTXX_T) 2315 AC_DEFINE(HAVE_UINTXX_T, 1,
2316 [define if you have uintxx_t data type])
2092 fi 2317 fi
2093fi 2318fi
2094 2319
@@ -2139,7 +2364,7 @@ AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
2139 ) 2364 )
2140]) 2365])
2141if test "x$ac_cv_have_u_char" = "xyes" ; then 2366if test "x$ac_cv_have_u_char" = "xyes" ; then
2142 AC_DEFINE(HAVE_U_CHAR) 2367 AC_DEFINE(HAVE_U_CHAR, 1, [define if you have u_char data type])
2143fi 2368fi
2144 2369
2145TYPE_SOCKLEN_T 2370TYPE_SOCKLEN_T
@@ -2161,7 +2386,7 @@ AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
2161 ) 2386 )
2162]) 2387])
2163if test "x$ac_cv_have_size_t" = "xyes" ; then 2388if test "x$ac_cv_have_size_t" = "xyes" ; then
2164 AC_DEFINE(HAVE_SIZE_T) 2389 AC_DEFINE(HAVE_SIZE_T, 1, [define if you have size_t data type])
2165fi 2390fi
2166 2391
2167AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [ 2392AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
@@ -2175,7 +2400,7 @@ AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
2175 ) 2400 )
2176]) 2401])
2177if test "x$ac_cv_have_ssize_t" = "xyes" ; then 2402if test "x$ac_cv_have_ssize_t" = "xyes" ; then
2178 AC_DEFINE(HAVE_SSIZE_T) 2403 AC_DEFINE(HAVE_SSIZE_T, 1, [define if you have ssize_t data type])
2179fi 2404fi
2180 2405
2181AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [ 2406AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
@@ -2189,7 +2414,7 @@ AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
2189 ) 2414 )
2190]) 2415])
2191if test "x$ac_cv_have_clock_t" = "xyes" ; then 2416if test "x$ac_cv_have_clock_t" = "xyes" ; then
2192 AC_DEFINE(HAVE_CLOCK_T) 2417 AC_DEFINE(HAVE_CLOCK_T, 1, [define if you have clock_t data type])
2193fi 2418fi
2194 2419
2195AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [ 2420AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
@@ -2214,7 +2439,8 @@ AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
2214 ) 2439 )
2215]) 2440])
2216if test "x$ac_cv_have_sa_family_t" = "xyes" ; then 2441if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
2217 AC_DEFINE(HAVE_SA_FAMILY_T) 2442 AC_DEFINE(HAVE_SA_FAMILY_T, 1,
2443 [define if you have sa_family_t data type])
2218fi 2444fi
2219 2445
2220AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [ 2446AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
@@ -2228,7 +2454,7 @@ AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
2228 ) 2454 )
2229]) 2455])
2230if test "x$ac_cv_have_pid_t" = "xyes" ; then 2456if test "x$ac_cv_have_pid_t" = "xyes" ; then
2231 AC_DEFINE(HAVE_PID_T) 2457 AC_DEFINE(HAVE_PID_T, 1, [define if you have pid_t data type])
2232fi 2458fi
2233 2459
2234AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [ 2460AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
@@ -2242,7 +2468,7 @@ AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
2242 ) 2468 )
2243]) 2469])
2244if test "x$ac_cv_have_mode_t" = "xyes" ; then 2470if test "x$ac_cv_have_mode_t" = "xyes" ; then
2245 AC_DEFINE(HAVE_MODE_T) 2471 AC_DEFINE(HAVE_MODE_T, 1, [define if you have mode_t data type])
2246fi 2472fi
2247 2473
2248 2474
@@ -2258,7 +2484,8 @@ AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage
2258 ) 2484 )
2259]) 2485])
2260if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then 2486if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
2261 AC_DEFINE(HAVE_STRUCT_SOCKADDR_STORAGE) 2487 AC_DEFINE(HAVE_STRUCT_SOCKADDR_STORAGE, 1,
2488 [define if you have struct sockaddr_storage data type])
2262fi 2489fi
2263 2490
2264AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [ 2491AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
@@ -2273,7 +2500,8 @@ AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
2273 ) 2500 )
2274]) 2501])
2275if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then 2502if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
2276 AC_DEFINE(HAVE_STRUCT_SOCKADDR_IN6) 2503 AC_DEFINE(HAVE_STRUCT_SOCKADDR_IN6, 1,
2504 [define if you have struct sockaddr_in6 data type])
2277fi 2505fi
2278 2506
2279AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [ 2507AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
@@ -2288,7 +2516,8 @@ AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
2288 ) 2516 )
2289]) 2517])
2290if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then 2518if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
2291 AC_DEFINE(HAVE_STRUCT_IN6_ADDR) 2519 AC_DEFINE(HAVE_STRUCT_IN6_ADDR, 1,
2520 [define if you have struct in6_addr data type])
2292fi 2521fi
2293 2522
2294AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [ 2523AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
@@ -2304,7 +2533,8 @@ AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
2304 ) 2533 )
2305]) 2534])
2306if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then 2535if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
2307 AC_DEFINE(HAVE_STRUCT_ADDRINFO) 2536 AC_DEFINE(HAVE_STRUCT_ADDRINFO, 1,
2537 [define if you have struct addrinfo data type])
2308fi 2538fi
2309 2539
2310AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [ 2540AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
@@ -2316,7 +2546,7 @@ AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
2316 ) 2546 )
2317]) 2547])
2318if test "x$ac_cv_have_struct_timeval" = "xyes" ; then 2548if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
2319 AC_DEFINE(HAVE_STRUCT_TIMEVAL) 2549 AC_DEFINE(HAVE_STRUCT_TIMEVAL, 1, [define if you have struct timeval])
2320 have_struct_timeval=1 2550 have_struct_timeval=1
2321fi 2551fi
2322 2552
@@ -2381,6 +2611,17 @@ OSSH_CHECK_HEADER_FOR_FIELD(ut_time, utmpx.h, HAVE_TIME_IN_UTMPX)
2381OSSH_CHECK_HEADER_FOR_FIELD(ut_tv, utmpx.h, HAVE_TV_IN_UTMPX) 2611OSSH_CHECK_HEADER_FOR_FIELD(ut_tv, utmpx.h, HAVE_TV_IN_UTMPX)
2382 2612
2383AC_CHECK_MEMBERS([struct stat.st_blksize]) 2613AC_CHECK_MEMBERS([struct stat.st_blksize])
2614AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE(__res_state, state,
2615 [Define if we don't have struct __res_state in resolv.h])],
2616[
2617#include <stdio.h>
2618#if HAVE_SYS_TYPES_H
2619# include <sys/types.h>
2620#endif
2621#include <netinet/in.h>
2622#include <arpa/nameser.h>
2623#include <resolv.h>
2624])
2384 2625
2385AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage], 2626AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
2386 ac_cv_have_ss_family_in_struct_ss, [ 2627 ac_cv_have_ss_family_in_struct_ss, [
@@ -2395,7 +2636,7 @@ AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
2395 ) 2636 )
2396]) 2637])
2397if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then 2638if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
2398 AC_DEFINE(HAVE_SS_FAMILY_IN_SS) 2639 AC_DEFINE(HAVE_SS_FAMILY_IN_SS, 1, [Fields in struct sockaddr_storage])
2399fi 2640fi
2400 2641
2401AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage], 2642AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
@@ -2411,7 +2652,8 @@ AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
2411 ) 2652 )
2412]) 2653])
2413if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then 2654if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
2414 AC_DEFINE(HAVE___SS_FAMILY_IN_SS) 2655 AC_DEFINE(HAVE___SS_FAMILY_IN_SS, 1,
2656 [Fields in struct sockaddr_storage])
2415fi 2657fi
2416 2658
2417AC_CACHE_CHECK([for pw_class field in struct passwd], 2659AC_CACHE_CHECK([for pw_class field in struct passwd],
@@ -2426,7 +2668,8 @@ AC_CACHE_CHECK([for pw_class field in struct passwd],
2426 ) 2668 )
2427]) 2669])
2428if test "x$ac_cv_have_pw_class_in_struct_passwd" = "xyes" ; then 2670if test "x$ac_cv_have_pw_class_in_struct_passwd" = "xyes" ; then
2429 AC_DEFINE(HAVE_PW_CLASS_IN_PASSWD) 2671 AC_DEFINE(HAVE_PW_CLASS_IN_PASSWD, 1,
2672 [Define if your password has a pw_class field])
2430fi 2673fi
2431 2674
2432AC_CACHE_CHECK([for pw_expire field in struct passwd], 2675AC_CACHE_CHECK([for pw_expire field in struct passwd],
@@ -2441,7 +2684,8 @@ AC_CACHE_CHECK([for pw_expire field in struct passwd],
2441 ) 2684 )
2442]) 2685])
2443if test "x$ac_cv_have_pw_expire_in_struct_passwd" = "xyes" ; then 2686if test "x$ac_cv_have_pw_expire_in_struct_passwd" = "xyes" ; then
2444 AC_DEFINE(HAVE_PW_EXPIRE_IN_PASSWD) 2687 AC_DEFINE(HAVE_PW_EXPIRE_IN_PASSWD, 1,
2688 [Define if your password has a pw_expire field])
2445fi 2689fi
2446 2690
2447AC_CACHE_CHECK([for pw_change field in struct passwd], 2691AC_CACHE_CHECK([for pw_change field in struct passwd],
@@ -2456,7 +2700,8 @@ AC_CACHE_CHECK([for pw_change field in struct passwd],
2456 ) 2700 )
2457]) 2701])
2458if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then 2702if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then
2459 AC_DEFINE(HAVE_PW_CHANGE_IN_PASSWD) 2703 AC_DEFINE(HAVE_PW_CHANGE_IN_PASSWD, 1,
2704 [Define if your password has a pw_change field])
2460fi 2705fi
2461 2706
2462dnl make sure we're using the real structure members and not defines 2707dnl make sure we're using the real structure members and not defines
@@ -2482,7 +2727,9 @@ exit(0);
2482 ) 2727 )
2483]) 2728])
2484if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then 2729if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
2485 AC_DEFINE(HAVE_ACCRIGHTS_IN_MSGHDR) 2730 AC_DEFINE(HAVE_ACCRIGHTS_IN_MSGHDR, 1,
2731 [Define if your system uses access rights style
2732 file descriptor passing])
2486fi 2733fi
2487 2734
2488AC_CACHE_CHECK([for msg_control field in struct msghdr], 2735AC_CACHE_CHECK([for msg_control field in struct msghdr],
@@ -2507,7 +2754,9 @@ exit(0);
2507 ) 2754 )
2508]) 2755])
2509if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then 2756if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
2510 AC_DEFINE(HAVE_CONTROL_IN_MSGHDR) 2757 AC_DEFINE(HAVE_CONTROL_IN_MSGHDR, 1,
2758 [Define if your system uses ancillary data style
2759 file descriptor passing])
2511fi 2760fi
2512 2761
2513AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [ 2762AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
@@ -2518,7 +2767,7 @@ AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
2518 ) 2767 )
2519]) 2768])
2520if test "x$ac_cv_libc_defines___progname" = "xyes" ; then 2769if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
2521 AC_DEFINE(HAVE___PROGNAME) 2770 AC_DEFINE(HAVE___PROGNAME, 1, [Define if libc defines __progname])
2522fi 2771fi
2523 2772
2524AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [ 2773AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
@@ -2531,7 +2780,8 @@ AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNC
2531 ) 2780 )
2532]) 2781])
2533if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then 2782if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
2534 AC_DEFINE(HAVE___FUNCTION__) 2783 AC_DEFINE(HAVE___FUNCTION__, 1,
2784 [Define if compiler implements __FUNCTION__])
2535fi 2785fi
2536 2786
2537AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [ 2787AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
@@ -2544,7 +2794,33 @@ AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__,
2544 ) 2794 )
2545]) 2795])
2546if test "x$ac_cv_cc_implements___func__" = "xyes" ; then 2796if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
2547 AC_DEFINE(HAVE___func__) 2797 AC_DEFINE(HAVE___func__, 1, [Define if compiler implements __func__])
2798fi
2799
2800AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
2801 AC_TRY_LINK(
2802 [#include <stdarg.h>
2803 va_list x,y;],
2804 [va_copy(x,y);],
2805 [ ac_cv_have_va_copy="yes" ],
2806 [ ac_cv_have_va_copy="no" ]
2807 )
2808])
2809if test "x$ac_cv_have_va_copy" = "xyes" ; then
2810 AC_DEFINE(HAVE_VA_COPY, 1, [Define if va_copy exists])
2811fi
2812
2813AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
2814 AC_TRY_LINK(
2815 [#include <stdarg.h>
2816 va_list x,y;],
2817 [__va_copy(x,y);],
2818 [ ac_cv_have___va_copy="yes" ],
2819 [ ac_cv_have___va_copy="no" ]
2820 )
2821])
2822if test "x$ac_cv_have___va_copy" = "xyes" ; then
2823 AC_DEFINE(HAVE___VA_COPY, 1, [Define if __va_copy exists])
2548fi 2824fi
2549 2825
2550AC_CACHE_CHECK([whether getopt has optreset support], 2826AC_CACHE_CHECK([whether getopt has optreset support],
@@ -2559,7 +2835,8 @@ AC_CACHE_CHECK([whether getopt has optreset support],
2559 ) 2835 )
2560]) 2836])
2561if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then 2837if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
2562 AC_DEFINE(HAVE_GETOPT_OPTRESET) 2838 AC_DEFINE(HAVE_GETOPT_OPTRESET, 1,
2839 [Define if your getopt(3) defines and uses optreset])
2563fi 2840fi
2564 2841
2565AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [ 2842AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
@@ -2570,7 +2847,8 @@ AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
2570 ) 2847 )
2571]) 2848])
2572if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then 2849if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
2573 AC_DEFINE(HAVE_SYS_ERRLIST) 2850 AC_DEFINE(HAVE_SYS_ERRLIST, 1,
2851 [Define if your system defines sys_errlist[]])
2574fi 2852fi
2575 2853
2576 2854
@@ -2582,7 +2860,7 @@ AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
2582 ) 2860 )
2583]) 2861])
2584if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then 2862if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
2585 AC_DEFINE(HAVE_SYS_NERR) 2863 AC_DEFINE(HAVE_SYS_NERR, 1, [Define if your system defines sys_nerr])
2586fi 2864fi
2587 2865
2588SCARD_MSG="no" 2866SCARD_MSG="no"
@@ -2609,8 +2887,11 @@ AC_ARG_WITH(sectok,
2609 if test "$ac_cv_lib_sectok_sectok_open" != yes; then 2887 if test "$ac_cv_lib_sectok_sectok_open" != yes; then
2610 AC_MSG_ERROR(Can't find libsectok) 2888 AC_MSG_ERROR(Can't find libsectok)
2611 fi 2889 fi
2612 AC_DEFINE(SMARTCARD) 2890 AC_DEFINE(SMARTCARD, 1,
2613 AC_DEFINE(USE_SECTOK) 2891 [Define if you want smartcard support])
2892 AC_DEFINE(USE_SECTOK, 1,
2893 [Define if you want smartcard support
2894 using sectok])
2614 SCARD_MSG="yes, using sectok" 2895 SCARD_MSG="yes, using sectok"
2615 fi 2896 fi
2616 ] 2897 ]
@@ -2619,7 +2900,7 @@ AC_ARG_WITH(sectok,
2619# Check whether user wants OpenSC support 2900# Check whether user wants OpenSC support
2620OPENSC_CONFIG="no" 2901OPENSC_CONFIG="no"
2621AC_ARG_WITH(opensc, 2902AC_ARG_WITH(opensc,
2622 [--with-opensc[[=PFX]] Enable smartcard support using OpenSC (optionally in PATH)], 2903 [ --with-opensc[[=PFX]] Enable smartcard support using OpenSC (optionally in PATH)],
2623 [ 2904 [
2624 if test "x$withval" != "xno" ; then 2905 if test "x$withval" != "xno" ; then
2625 if test "x$withval" != "xyes" ; then 2906 if test "x$withval" != "xyes" ; then
@@ -2633,7 +2914,9 @@ AC_ARG_WITH(opensc,
2633 CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS" 2914 CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
2634 LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS" 2915 LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS"
2635 AC_DEFINE(SMARTCARD) 2916 AC_DEFINE(SMARTCARD)
2636 AC_DEFINE(USE_OPENSC) 2917 AC_DEFINE(USE_OPENSC, 1,
2918 [Define if you want smartcard support
2919 using OpenSC])
2637 SCARD_MSG="yes, using OpenSC" 2920 SCARD_MSG="yes, using OpenSC"
2638 fi 2921 fi
2639 fi 2922 fi
@@ -2642,7 +2925,8 @@ AC_ARG_WITH(opensc,
2642 2925
2643# Check libraries needed by DNS fingerprint support 2926# Check libraries needed by DNS fingerprint support
2644AC_SEARCH_LIBS(getrrsetbyname, resolv, 2927AC_SEARCH_LIBS(getrrsetbyname, resolv,
2645 [AC_DEFINE(HAVE_GETRRSETBYNAME)], 2928 [AC_DEFINE(HAVE_GETRRSETBYNAME, 1,
2929 [Define if getrrsetbyname() exists])],
2646 [ 2930 [
2647 # Needed by our getrrsetbyname() 2931 # Needed by our getrrsetbyname()
2648 AC_SEARCH_LIBS(res_query, resolv) 2932 AC_SEARCH_LIBS(res_query, resolv)
@@ -2671,7 +2955,8 @@ int main()
2671 [#include <sys/types.h> 2955 [#include <sys/types.h>
2672 #include <arpa/nameser.h>]) 2956 #include <arpa/nameser.h>])
2673 AC_CHECK_MEMBER(HEADER.ad, 2957 AC_CHECK_MEMBER(HEADER.ad,
2674 [AC_DEFINE(HAVE_HEADER_AD)],, 2958 [AC_DEFINE(HAVE_HEADER_AD, 1,
2959 [Define if HEADER.ad exists in arpa/nameser.h])],,
2675 [#include <arpa/nameser.h>]) 2960 [#include <arpa/nameser.h>])
2676 ]) 2961 ])
2677 2962
@@ -2698,7 +2983,7 @@ AC_ARG_WITH(kerberos5,
2698 KRB5ROOT=${withval} 2983 KRB5ROOT=${withval}
2699 fi 2984 fi
2700 2985
2701 AC_DEFINE(KRB5) 2986 AC_DEFINE(KRB5, 1, [Define if you want Kerberos 5 support])
2702 KRB5_MSG="yes" 2987 KRB5_MSG="yes"
2703 2988
2704 AC_MSG_CHECKING(for krb5-config) 2989 AC_MSG_CHECKING(for krb5-config)
@@ -2709,7 +2994,9 @@ AC_ARG_WITH(kerberos5,
2709 AC_MSG_CHECKING(for gssapi support) 2994 AC_MSG_CHECKING(for gssapi support)
2710 if $KRB5CONF | grep gssapi >/dev/null ; then 2995 if $KRB5CONF | grep gssapi >/dev/null ; then
2711 AC_MSG_RESULT(yes) 2996 AC_MSG_RESULT(yes)
2712 AC_DEFINE(GSSAPI) 2997 AC_DEFINE(GSSAPI, 1,
2998 [Define this if you want GSSAPI
2999 support in the version 2 protocol])
2713 k5confopts=gssapi 3000 k5confopts=gssapi
2714 else 3001 else
2715 AC_MSG_RESULT(no) 3002 AC_MSG_RESULT(no)
@@ -2722,7 +3009,9 @@ AC_ARG_WITH(kerberos5,
2722 AC_TRY_COMPILE([ #include <krb5.h> ], 3009 AC_TRY_COMPILE([ #include <krb5.h> ],
2723 [ char *tmp = heimdal_version; ], 3010 [ char *tmp = heimdal_version; ],
2724 [ AC_MSG_RESULT(yes) 3011 [ AC_MSG_RESULT(yes)
2725 AC_DEFINE(HEIMDAL) ], 3012 AC_DEFINE(HEIMDAL, 1,
3013 [Define this if you are using the
3014 Heimdal version of Kerberos V5]) ],
2726 AC_MSG_RESULT(no) 3015 AC_MSG_RESULT(no)
2727 ) 3016 )
2728 else 3017 else
@@ -2777,14 +3066,15 @@ AC_ARG_WITH(kerberos5,
2777 if test ! -z "$blibpath" ; then 3066 if test ! -z "$blibpath" ; then
2778 blibpath="$blibpath:${KRB5ROOT}/lib" 3067 blibpath="$blibpath:${KRB5ROOT}/lib"
2779 fi 3068 fi
2780 fi
2781 3069
2782 AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h) 3070 AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h)
2783 AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h) 3071 AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h)
2784 AC_CHECK_HEADERS(gssapi_generic.h gssapi/gssapi_generic.h) 3072 AC_CHECK_HEADERS(gssapi_generic.h gssapi/gssapi_generic.h)
2785 3073
2786 LIBS="$LIBS $K5LIBS" 3074 LIBS="$LIBS $K5LIBS"
2787 AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS)) 3075 AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS, 1,
3076 [Define this if you want to use libkafs' AFS support]))
3077 fi
2788 ] 3078 ]
2789) 3079)
2790 3080
@@ -2838,7 +3128,8 @@ if test -z "$xauth_path" ; then
2838 XAUTH_PATH="undefined" 3128 XAUTH_PATH="undefined"
2839 AC_SUBST(XAUTH_PATH) 3129 AC_SUBST(XAUTH_PATH)
2840else 3130else
2841 AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path") 3131 AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path",
3132 [Define if xauth is found in your path])
2842 XAUTH_PATH=$xauth_path 3133 XAUTH_PATH=$xauth_path
2843 AC_SUBST(XAUTH_PATH) 3134 AC_SUBST(XAUTH_PATH)
2844fi 3135fi
@@ -2846,7 +3137,8 @@ fi
2846# Check for mail directory (last resort if we cannot get it from headers) 3137# Check for mail directory (last resort if we cannot get it from headers)
2847if test ! -z "$MAIL" ; then 3138if test ! -z "$MAIL" ; then
2848 maildir=`dirname $MAIL` 3139 maildir=`dirname $MAIL`
2849 AC_DEFINE_UNQUOTED(MAIL_DIRECTORY, "$maildir") 3140 AC_DEFINE_UNQUOTED(MAIL_DIRECTORY, "$maildir",
3141 [Set this to your mail directory if you don't have maillock.h])
2850fi 3142fi
2851 3143
2852if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then 3144if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
@@ -2857,7 +3149,8 @@ if test -z "$no_dev_ptmx" ; then
2857 if test "x$disable_ptmx_check" != "xyes" ; then 3149 if test "x$disable_ptmx_check" != "xyes" ; then
2858 AC_CHECK_FILE("/dev/ptmx", 3150 AC_CHECK_FILE("/dev/ptmx",
2859 [ 3151 [
2860 AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX) 3152 AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX, 1,
3153 [Define if you have /dev/ptmx])
2861 have_dev_ptmx=1 3154 have_dev_ptmx=1
2862 ] 3155 ]
2863 ) 3156 )
@@ -2867,7 +3160,8 @@ fi
2867if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then 3160if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
2868 AC_CHECK_FILE("/dev/ptc", 3161 AC_CHECK_FILE("/dev/ptc",
2869 [ 3162 [
2870 AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC) 3163 AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC, 1,
3164 [Define if you have /dev/ptc])
2871 have_dev_ptc=1 3165 have_dev_ptc=1
2872 ] 3166 ]
2873 ) 3167 )
@@ -2914,7 +3208,8 @@ AC_ARG_WITH(md5-passwords,
2914 [ --with-md5-passwords Enable use of MD5 passwords], 3208 [ --with-md5-passwords Enable use of MD5 passwords],
2915 [ 3209 [
2916 if test "x$withval" != "xno" ; then 3210 if test "x$withval" != "xno" ; then
2917 AC_DEFINE(HAVE_MD5_PASSWORDS) 3211 AC_DEFINE(HAVE_MD5_PASSWORDS, 1,
3212 [Define if you want to allow MD5 passwords])
2918 MD5_MSG="yes" 3213 MD5_MSG="yes"
2919 fi 3214 fi
2920 ] 3215 ]
@@ -2944,7 +3239,8 @@ if test -z "$disable_shadow" ; then
2944 3239
2945 if test "x$sp_expire_available" = "xyes" ; then 3240 if test "x$sp_expire_available" = "xyes" ; then
2946 AC_MSG_RESULT(yes) 3241 AC_MSG_RESULT(yes)
2947 AC_DEFINE(HAS_SHADOW_EXPIRE) 3242 AC_DEFINE(HAS_SHADOW_EXPIRE, 1,
3243 [Define if you want to use shadow password expire field])
2948 else 3244 else
2949 AC_MSG_RESULT(no) 3245 AC_MSG_RESULT(no)
2950 fi 3246 fi
@@ -2953,7 +3249,9 @@ fi
2953# Use ip address instead of hostname in $DISPLAY 3249# Use ip address instead of hostname in $DISPLAY
2954if test ! -z "$IPADDR_IN_DISPLAY" ; then 3250if test ! -z "$IPADDR_IN_DISPLAY" ; then
2955 DISPLAY_HACK_MSG="yes" 3251 DISPLAY_HACK_MSG="yes"
2956 AC_DEFINE(IPADDR_IN_DISPLAY) 3252 AC_DEFINE(IPADDR_IN_DISPLAY, 1,
3253 [Define if you need to use IP address
3254 instead of hostname in $DISPLAY])
2957else 3255else
2958 DISPLAY_HACK_MSG="no" 3256 DISPLAY_HACK_MSG="no"
2959 AC_ARG_WITH(ipaddr-display, 3257 AC_ARG_WITH(ipaddr-display,
@@ -2976,17 +3274,21 @@ AC_ARG_ENABLE(etc-default-login,
2976 else 3274 else
2977 etc_default_login=yes 3275 etc_default_login=yes
2978 fi ], 3276 fi ],
2979 [ etc_default_login=yes ] 3277 [ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
3278 then
3279 AC_MSG_WARN([cross compiling: not checking /etc/default/login])
3280 etc_default_login=no
3281 else
3282 etc_default_login=yes
3283 fi ]
2980) 3284)
2981 3285
2982if test "x$etc_default_login" != "xno"; then 3286if test "x$etc_default_login" != "xno"; then
2983 AC_CHECK_FILE("/etc/default/login", 3287 AC_CHECK_FILE("/etc/default/login",
2984 [ external_path_file=/etc/default/login ]) 3288 [ external_path_file=/etc/default/login ])
2985 if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; 3289 if test "x$external_path_file" = "x/etc/default/login"; then
2986 then 3290 AC_DEFINE(HAVE_ETC_DEFAULT_LOGIN, 1,
2987 AC_MSG_WARN([cross compiling: Disabling /etc/default/login test]) 3291 [Define if your system has /etc/default/login])
2988 elif test "x$external_path_file" = "x/etc/default/login"; then
2989 AC_DEFINE(HAVE_ETC_DEFAULT_LOGIN)
2990 fi 3292 fi
2991fi 3293fi
2992 3294
@@ -3023,8 +3325,8 @@ $external_path_file .])
3023If PATH is defined in $external_path_file, ensure the path to scp is included, 3325If PATH is defined in $external_path_file, ensure the path to scp is included,
3024otherwise scp will not work.]) 3326otherwise scp will not work.])
3025 fi 3327 fi
3026 AC_TRY_RUN( 3328 AC_RUN_IFELSE(
3027 [ 3329 [AC_LANG_SOURCE([[
3028/* find out what STDPATH is */ 3330/* find out what STDPATH is */
3029#include <stdio.h> 3331#include <stdio.h>
3030#ifdef HAVE_PATHS_H 3332#ifdef HAVE_PATHS_H
@@ -3056,7 +3358,8 @@ main()
3056 3358
3057 exit(0); 3359 exit(0);
3058} 3360}
3059 ], [ user_path=`cat conftest.stdpath` ], 3361 ]])],
3362 [ user_path=`cat conftest.stdpath` ],
3060 [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ], 3363 [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
3061 [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ] 3364 [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
3062 ) 3365 )
@@ -3079,7 +3382,7 @@ main()
3079 fi ] 3382 fi ]
3080) 3383)
3081if test "x$external_path_file" != "x/etc/login.conf" ; then 3384if test "x$external_path_file" != "x/etc/login.conf" ; then
3082 AC_DEFINE_UNQUOTED(USER_PATH, "$user_path") 3385 AC_DEFINE_UNQUOTED(USER_PATH, "$user_path", [Specify default $PATH])
3083 AC_SUBST(user_path) 3386 AC_SUBST(user_path)
3084fi 3387fi
3085 3388
@@ -3089,7 +3392,9 @@ AC_ARG_WITH(superuser-path,
3089 [ 3392 [
3090 if test -n "$withval" && test "x$withval" != "xno" && \ 3393 if test -n "$withval" && test "x$withval" != "xno" && \
3091 test "x${withval}" != "xyes"; then 3394 test "x${withval}" != "xyes"; then
3092 AC_DEFINE_UNQUOTED(SUPERUSER_PATH, "$withval") 3395 AC_DEFINE_UNQUOTED(SUPERUSER_PATH, "$withval",
3396 [Define if you want a different $PATH
3397 for the superuser])
3093 superuser_path=$withval 3398 superuser_path=$withval
3094 fi 3399 fi
3095 ] 3400 ]
@@ -3103,7 +3408,9 @@ AC_ARG_WITH(4in6,
3103 [ 3408 [
3104 if test "x$withval" != "xno" ; then 3409 if test "x$withval" != "xno" ; then
3105 AC_MSG_RESULT(yes) 3410 AC_MSG_RESULT(yes)
3106 AC_DEFINE(IPV4_IN_IPV6) 3411 AC_DEFINE(IPV4_IN_IPV6, 1,
3412 [Detect IPv4 in IPv6 mapped addresses
3413 and treat as IPv4])
3107 IPV4_IN6_HACK_MSG="yes" 3414 IPV4_IN6_HACK_MSG="yes"
3108 else 3415 else
3109 AC_MSG_RESULT(no) 3416 AC_MSG_RESULT(no)
@@ -3125,7 +3432,8 @@ AC_ARG_WITH(bsd-auth,
3125 [ --with-bsd-auth Enable BSD auth support], 3432 [ --with-bsd-auth Enable BSD auth support],
3126 [ 3433 [
3127 if test "x$withval" != "xno" ; then 3434 if test "x$withval" != "xno" ; then
3128 AC_DEFINE(BSD_AUTH) 3435 AC_DEFINE(BSD_AUTH, 1,
3436 [Define if you have BSD auth support])
3129 BSD_AUTH_MSG=yes 3437 BSD_AUTH_MSG=yes
3130 fi 3438 fi
3131 ] 3439 ]
@@ -3154,7 +3462,7 @@ AC_ARG_WITH(pid-dir,
3154 ] 3462 ]
3155) 3463)
3156 3464
3157AC_DEFINE_UNQUOTED(_PATH_SSH_PIDDIR, "$piddir") 3465AC_DEFINE_UNQUOTED(_PATH_SSH_PIDDIR, "$piddir", [Specify location of ssh.pid])
3158AC_SUBST(piddir) 3466AC_SUBST(piddir)
3159 3467
3160dnl allow user to disable some login recording features 3468dnl allow user to disable some login recording features
@@ -3178,7 +3486,8 @@ AC_ARG_ENABLE(utmpx,
3178 [ --disable-utmpx disable use of utmpx even if detected [no]], 3486 [ --disable-utmpx disable use of utmpx even if detected [no]],
3179 [ 3487 [
3180 if test "x$enableval" = "xno" ; then 3488 if test "x$enableval" = "xno" ; then
3181 AC_DEFINE(DISABLE_UTMPX) 3489 AC_DEFINE(DISABLE_UTMPX, 1,
3490 [Define if you don't want to use utmpx])
3182 fi 3491 fi
3183 ] 3492 ]
3184) 3493)
@@ -3194,7 +3503,8 @@ AC_ARG_ENABLE(wtmpx,
3194 [ --disable-wtmpx disable use of wtmpx even if detected [no]], 3503 [ --disable-wtmpx disable use of wtmpx even if detected [no]],
3195 [ 3504 [
3196 if test "x$enableval" = "xno" ; then 3505 if test "x$enableval" = "xno" ; then
3197 AC_DEFINE(DISABLE_WTMPX) 3506 AC_DEFINE(DISABLE_WTMPX, 1,
3507 [Define if you don't want to use wtmpx])
3198 fi 3508 fi
3199 ] 3509 ]
3200) 3510)
@@ -3210,7 +3520,9 @@ AC_ARG_ENABLE(pututline,
3210 [ --disable-pututline disable use of pututline() etc. ([uw]tmp) [no]], 3520 [ --disable-pututline disable use of pututline() etc. ([uw]tmp) [no]],
3211 [ 3521 [
3212 if test "x$enableval" = "xno" ; then 3522 if test "x$enableval" = "xno" ; then
3213 AC_DEFINE(DISABLE_PUTUTLINE) 3523 AC_DEFINE(DISABLE_PUTUTLINE, 1,
3524 [Define if you don't want to use pututline()
3525 etc. to write [uw]tmp])
3214 fi 3526 fi
3215 ] 3527 ]
3216) 3528)
@@ -3218,7 +3530,9 @@ AC_ARG_ENABLE(pututxline,
3218 [ --disable-pututxline disable use of pututxline() etc. ([uw]tmpx) [no]], 3530 [ --disable-pututxline disable use of pututxline() etc. ([uw]tmpx) [no]],
3219 [ 3531 [
3220 if test "x$enableval" = "xno" ; then 3532 if test "x$enableval" = "xno" ; then
3221 AC_DEFINE(DISABLE_PUTUTXLINE) 3533 AC_DEFINE(DISABLE_PUTUTXLINE, 1,
3534 [Define if you don't want to use pututxline()
3535 etc. to write [uw]tmpx])
3222 fi 3536 fi
3223 ] 3537 ]
3224) 3538)
@@ -3293,7 +3607,8 @@ if test -z "$conf_lastlog_location"; then
3293fi 3607fi
3294 3608
3295if test -n "$conf_lastlog_location"; then 3609if test -n "$conf_lastlog_location"; then
3296 AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, "$conf_lastlog_location") 3610 AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, "$conf_lastlog_location",
3611 [Define if you want to specify the path to your lastlog file])
3297fi 3612fi
3298 3613
3299dnl utmp detection 3614dnl utmp detection
@@ -3323,7 +3638,8 @@ if test -z "$conf_utmp_location"; then
3323 fi 3638 fi
3324fi 3639fi
3325if test -n "$conf_utmp_location"; then 3640if test -n "$conf_utmp_location"; then
3326 AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location") 3641 AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location",
3642 [Define if you want to specify the path to your utmp file])
3327fi 3643fi
3328 3644
3329dnl wtmp detection 3645dnl wtmp detection
@@ -3353,7 +3669,8 @@ if test -z "$conf_wtmp_location"; then
3353 fi 3669 fi
3354fi 3670fi
3355if test -n "$conf_wtmp_location"; then 3671if test -n "$conf_wtmp_location"; then
3356 AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location") 3672 AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location",
3673 [Define if you want to specify the path to your wtmp file])
3357fi 3674fi
3358 3675
3359 3676
@@ -3381,7 +3698,8 @@ if test -z "$conf_utmpx_location"; then
3381 AC_DEFINE(DISABLE_UTMPX) 3698 AC_DEFINE(DISABLE_UTMPX)
3382 fi 3699 fi
3383else 3700else
3384 AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location") 3701 AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location",
3702 [Define if you want to specify the path to your utmpx file])
3385fi 3703fi
3386 3704
3387dnl wtmpx detection 3705dnl wtmpx detection
@@ -3406,7 +3724,8 @@ if test -z "$conf_wtmpx_location"; then
3406 AC_DEFINE(DISABLE_WTMPX) 3724 AC_DEFINE(DISABLE_WTMPX)
3407 fi 3725 fi
3408else 3726else
3409 AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location") 3727 AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location",
3728 [Define if you want to specify the path to your wtmpx file])
3410fi 3729fi
3411 3730
3412 3731
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec
index bfde0fefc..09c08f194 100644
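--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -17,7 +17,7 @@
 #old cvs stuff. please update before use. may be deprecated.
 %define use_stable 1
 %if %{use_stable}
- %define version 4.2p1
+ %define version 4.3p2
  %define cvs %{nil}
  %define release 1
 %else
@@ -357,4 +357,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 
-$Id: openssh.spec,v 1.55 2005/09/01 09:10:49 djm Exp $
+$Id: openssh.spec,v 1.56.2.1 2006/02/11 00:00:45 djm Exp $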
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index fbfb5c195..0540890e6 100644
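--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -551,14 +551,14 @@ then
  [ -z "${_cygwin}" ] && _cygwin="ntsec"
  if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
  then
- if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}"
+ if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" -y tcpip
  then
  echo
  echo "The service has been installed under sshd_server account."
  echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
  fi
  else
- if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
+ if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" -y tcpip
  then
  echo
  echo "The service has been installed under LocalSystem account."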
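Review bot: The first rewritten `cygrunsrv -I` line still passes the service account password as `-w "${_password}"`, so the secret sits in the process argument list, readable by other local processes, for as long as cygrunsrv runs. As far as I know cygrunsrv asks for the password itself when `-u` is given without `-w`; if that holds for the versions this script targets, dropping the argument (and the earlier prompt that fills `_password`, which is outside this hunk) would keep it out of argv. The new `-y tcpip` on both lines would also benefit from a one-line comment such as `# -y tcpip: make the sshd service depend on the TCP/IP service` so the dependency is not removed later as noise. The enclosing `if`/`else` starts and ends outside the hunk.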
diff --git a/contrib/cygwin/ssh-user-config b/contrib/cygwin/ssh-user-config
index fe07ce360..9482efe9e 100644
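--- a/contrib/cygwin/ssh-user-config
+++ b/contrib/cygwin/ssh-user-config
@@ -198,7 +198,7 @@ fi
 
 if [ ! -f "${pwdhome}/.ssh/id_rsa" ]
 then
- if request "Shall I create an SSH2 RSA identity file for you? (yes/no) "
+ if request "Shall I create an SSH2 RSA identity file for you?"
  then
  echo "Generating ${pwdhome}/.ssh/id_rsa"
  if [ "${with_passphrase}" = "yes" ]
@@ -217,7 +217,7 @@ fi
 
 if [ ! -f "${pwdhome}/.ssh/id_dsa" ]
 then
- if request "Shall I create an SSH2 DSA identity file for you? (yes/no) "
+ if request "Shall I create an SSH2 DSA identity file for you?"
  then
  echo "Generating ${pwdhome}/.ssh/id_dsa"
  if [ "${with_passphrase}" = "yes" ]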
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index 049b07fe4..cbdf7bbc7 100644
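--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 4.2p1
+%define ver 4.3p2
 %define rel 1
 
 # OpenSSH privilege separation requires a user & group ID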
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index 6ad862fad..b49e78c65 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -1,14 +1,29 @@
1Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation 1# Default values for additional components
2Name: openssh 2%define build_x11_askpass 1
3Version: 4.2p1 3
4URL: http://www.openssh.com/ 4# Define the UID/GID to use for privilege separation
5Release: 1 5%define sshd_gid 65
6Source0: openssh-%{version}.tar.gz 6%define sshd_uid 71
7Copyright: BSD 7
8Group: Applications/Internet 8# The version of x11-ssh-askpass to use
9BuildRoot: /tmp/openssh-%{version}-buildroot 9%define xversion 1.2.4.1
10PreReq: openssl 10
11Obsoletes: ssh 11# Allow the ability to override defaults with -D skip_xxx=1
12%{?skip_x11_askpass:%define build_x11_askpass 0}
13
14Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
15Name: openssh
16Version: 4.3p2
17URL: http://www.openssh.com/
18Release: 1
19Source0: openssh-%{version}.tar.gz
20Source1: x11-ssh-askpass-%{xversion}.tar.gz
21License: BSD
22Group: Productivity/Networking/SSH
23BuildRoot: %{_tmppath}/openssh-%{version}-buildroot
24PreReq: openssl
25Obsoletes: ssh
26Provides: ssh
12# 27#
13# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.) 28# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.)
14# building prerequisites -- stuff for 29# building prerequisites -- stuff for
@@ -16,14 +31,25 @@ Obsoletes: ssh
16# TCP Wrappers (nkitb), 31# TCP Wrappers (nkitb),
17# and Gnome (glibdev, gtkdev, and gnlibsd) 32# and Gnome (glibdev, gtkdev, and gnlibsd)
18# 33#
19BuildPrereq: openssl 34BuildPrereq: openssl
20BuildPrereq: nkitb 35BuildPrereq: nkitb
21BuildPrereq: glibdev 36#BuildPrereq: glibdev
22BuildPrereq: gtkdev 37#BuildPrereq: gtkdev
23BuildPrereq: gnlibsd 38#BuildPrereq: gnlibsd
39
40%package askpass
41Summary: A passphrase dialog for OpenSSH and the X window System.
42Group: Productivity/Networking/SSH
43Requires: openssh = %{version}
44Obsoletes: ssh-extras
45Provides: openssh:${_libdir}/ssh/ssh-askpass
46
47%if %{build_x11_askpass}
48BuildPrereq: XFree86-devel
49%endif
24 50
25%description 51%description
26Ssh (Secure Shell) a program for logging into a remote machine and for 52Ssh (Secure Shell) is a program for logging into a remote machine and for
27executing commands in a remote machine. It is intended to replace 53executing commands in a remote machine. It is intended to replace
28rlogin and rsh, and provide secure encrypted communications between 54rlogin and rsh, and provide secure encrypted communications between
29two untrusted hosts over an insecure network. X11 connections and 55two untrusted hosts over an insecure network. X11 connections and
@@ -34,10 +60,26 @@ up to date in terms of security and features, as well as removing all
34patented algorithms to seperate libraries (OpenSSL). 60patented algorithms to seperate libraries (OpenSSL).
35 61
36This package includes all files necessary for both the OpenSSH 62This package includes all files necessary for both the OpenSSH
37client and server. Additionally, this package contains the GNOME 63client and server.
38passphrase dialog. 64
65%description askpass
66Ssh (Secure Shell) is a program for logging into a remote machine and for
67executing commands in a remote machine. It is intended to replace
68rlogin and rsh, and provide secure encrypted communications between
69two untrusted hosts over an insecure network. X11 connections and
70arbitrary TCP/IP ports can also be forwarded over the secure channel.
71
72OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
73up to date in terms of security and features, as well as removing all
74patented algorithms to seperate libraries (OpenSSL).
75
76This package contains an X Window System passphrase dialog for OpenSSH.
39 77
40%changelog 78%changelog
79* Wed Oct 26 2005 Iain Morgan <imorgan@nas.nasa.gov>
80- Removed accidental inclusion of --without-zlib-version-check
81* Tue Oct 25 2005 Iain Morgan <imorgan@nas.nasa.gov>
82- Overhaul to deal with newer versions of SuSE and OpenSSH
41* Mon Jun 12 2000 Damien Miller <djm@mindrot.org> 83* Mon Jun 12 2000 Damien Miller <djm@mindrot.org>
42- Glob manpages to catch compressed files 84- Glob manpages to catch compressed files
43* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au> 85* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
@@ -84,116 +126,124 @@ passphrase dialog.
84 126
85%prep 127%prep
86 128
129%if %{build_x11_askpass}
130%setup -q -a 1
131%else
87%setup -q 132%setup -q
133%endif
88 134
89%build 135%build
90CFLAGS="$RPM_OPT_FLAGS" \ 136CFLAGS="$RPM_OPT_FLAGS" \
91./configure --prefix=/usr \ 137%configure --prefix=/usr \
92 --sysconfdir=/etc/ssh \ 138 --sysconfdir=%{_sysconfdir}/ssh \
93 --datadir=/usr/share/openssh \ 139 --mandir=%{_mandir} \
140 --with-privsep-path=/var/lib/empty \
94 --with-pam \ 141 --with-pam \
95 --with-gnome-askpass \
96 --with-tcp-wrappers \ 142 --with-tcp-wrappers \
97 --with-ipv4-default \ 143 --libexecdir=%{_libdir}/ssh
98 --libexecdir=/usr/lib/ssh
99make 144make
100 145
101cd contrib 146%if %{build_x11_askpass}
102gcc -O -g `gnome-config --cflags gnome gnomeui` \ 147cd x11-ssh-askpass-%{xversion}
103 gnome-ssh-askpass.c -o gnome-ssh-askpass \ 148%configure --mandir=/usr/X11R6/man \
104 `gnome-config --libs gnome gnomeui` 149 --libexecdir=%{_libdir}/ssh
150xmkmf -a
151make
105cd .. 152cd ..
153%endif
106 154
107%install 155%install
108rm -rf $RPM_BUILD_ROOT 156rm -rf $RPM_BUILD_ROOT
109make install DESTDIR=$RPM_BUILD_ROOT/ 157make install DESTDIR=$RPM_BUILD_ROOT/
110install -d $RPM_BUILD_ROOT/etc/ssh/
111install -d $RPM_BUILD_ROOT/etc/pam.d/ 158install -d $RPM_BUILD_ROOT/etc/pam.d/
112install -d $RPM_BUILD_ROOT/sbin/init.d/ 159install -d $RPM_BUILD_ROOT/etc/init.d/
113install -d $RPM_BUILD_ROOT/var/adm/fillup-templates 160install -d $RPM_BUILD_ROOT/var/adm/fillup-templates
114install -d $RPM_BUILD_ROOT/usr/lib/ssh
115install -m644 contrib/sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd 161install -m644 contrib/sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd
116install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/sbin/init.d/sshd 162install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/etc/init.d/sshd
117ln -s ../../sbin/init.d/sshd $RPM_BUILD_ROOT/usr/sbin/rcsshd 163install -m744 contrib/suse/sysconfig.ssh \
118install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT/usr/lib/ssh/gnome-ssh-askpass
119ln -s gnome-ssh-askpass $RPM_BUILD_ROOT/usr/lib/ssh/ssh-askpass
120install -m744 contrib/suse/rc.config.sshd \
121 $RPM_BUILD_ROOT/var/adm/fillup-templates 164 $RPM_BUILD_ROOT/var/adm/fillup-templates
122 165
166%if %{build_x11_askpass}
167cd x11-ssh-askpass-%{xversion}
168make install install.man BINDIR=%{_libdir}/ssh DESTDIR=$RPM_BUILD_ROOT/
169rm -f $RPM_BUILD_ROOT/usr/share/Ssh.bin
170%endif
171
123%clean 172%clean
124rm -rf $RPM_BUILD_ROOT 173rm -rf $RPM_BUILD_ROOT
125 174
175%pre
176/usr/sbin/groupadd -g %{sshd_gid} -o -r sshd 2> /dev/null || :
177/usr/sbin/useradd -r -o -g sshd -u %{sshd_uid} -s /bin/false -c "SSH Privilege Separation User" -d /var/lib/sshd sshd 2> /dev/null || :
178
126%post 179%post
127if [ "$1" = 1 ]; then
128 echo "Creating SSH stop/start scripts in the rc directories..."
129 ln -s ../sshd /sbin/init.d/rc2.d/K20sshd
130 ln -s ../sshd /sbin/init.d/rc2.d/S20sshd
131 ln -s ../sshd /sbin/init.d/rc3.d/K20sshd
132 ln -s ../sshd /sbin/init.d/rc3.d/S20sshd
133fi
134echo "Updating /etc/rc.config..."
135if [ -x /bin/fillup ] ; then
136 /bin/fillup -q -d = etc/rc.config var/adm/fillup-templates/rc.config.sshd
137else
138 echo "ERROR: fillup not found. This should NOT happen in SuSE Linux."
139 echo "Update /etc/rc.config by hand from the following template file:"
140 echo " /var/adm/fillup-templates/rc.config.sshd"
141fi
142if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then 180if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then
143 echo "Generating SSH host key..." 181 echo "Generating SSH RSA host key..."
144 /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2 182 /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' >&2
145fi 183fi
146if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then 184if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then
147 echo "Generating SSH DSA host key..." 185 echo "Generating SSH DSA host key..."
148 /usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N '' >&2 186 /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' >&2
149fi
150if test -r /var/run/sshd.pid
151then
152 echo "Restarting the running SSH daemon..."
153 /usr/sbin/rcsshd restart >&2
154fi 187fi
188%{fillup_and_insserv -n -s -y ssh sshd START_SSHD}
189%run_permissions
190
191%verifyscript
192%verify_permissions -e /etc/ssh/sshd_config -e /etc/ssh/ssh_config -e /usr/bin/ssh
155 193
156%preun 194%preun
157if [ "$1" = 0 ] 195%stop_on_removal sshd
158then 196
159 echo "Stopping the SSH daemon..." 197%postun
160 /usr/sbin/rcsshd stop >&2 198%restart_on_update sshd
161 echo "Removing SSH stop/start scripts from the rc directories..." 199%{insserv_cleanup}
162 rm /sbin/init.d/rc2.d/K20sshd
163 rm /sbin/init.d/rc2.d/S20sshd
164 rm /sbin/init.d/rc3.d/K20sshd
165 rm /sbin/init.d/rc3.d/S20sshd
166fi
167 200
168%files 201%files
169%defattr(-,root,root) 202%defattr(-,root,root)
170%doc ChangeLog OVERVIEW README* 203%doc ChangeLog OVERVIEW README*
171%doc RFC.nroff TODO CREDITS LICENCE 204%doc RFC.nroff TODO CREDITS LICENCE
172%attr(0755,root,root) %dir /etc/ssh 205%attr(0755,root,root) %dir %{_sysconfdir}/ssh
173%attr(0644,root,root) %config /etc/ssh/ssh_config 206%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
174%attr(0600,root,root) %config /etc/ssh/sshd_config 207%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
175%attr(0600,root,root) %config /etc/ssh/moduli 208%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
176%attr(0644,root,root) %config /etc/pam.d/sshd 209%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
177%attr(0755,root,root) %config /sbin/init.d/sshd 210%attr(0755,root,root) %config /etc/init.d/sshd
178%attr(0755,root,root) /usr/bin/ssh-keygen 211%attr(0755,root,root) %{_bindir}/ssh-keygen
179%attr(0755,root,root) /usr/bin/scp 212%attr(0755,root,root) %{_bindir}/scp
180%attr(4755,root,root) /usr/bin/ssh 213%attr(0755,root,root) %{_bindir}/ssh
181%attr(-,root,root) /usr/bin/slogin 214%attr(-,root,root) %{_bindir}/slogin
182%attr(0755,root,root) /usr/bin/ssh-agent 215%attr(0755,root,root) %{_bindir}/ssh-agent
183%attr(0755,root,root) /usr/bin/ssh-add 216%attr(0755,root,root) %{_bindir}/ssh-add
184%attr(0755,root,root) /usr/bin/ssh-keyscan 217%attr(0755,root,root) %{_bindir}/ssh-keyscan
185%attr(0755,root,root) /usr/bin/sftp 218%attr(0755,root,root) %{_bindir}/sftp
186%attr(0755,root,root) /usr/sbin/sshd 219%attr(0755,root,root) %{_sbindir}/sshd
187%attr(-,root,root) /usr/sbin/rcsshd 220%attr(0755,root,root) %dir %{_libdir}/ssh
188%attr(0755,root,root) %dir /usr/lib/ssh 221%attr(0755,root,root) %{_libdir}/ssh/sftp-server
189%attr(0755,root,root) /usr/lib/ssh/ssh-askpass 222%attr(4711,root,root) %{_libdir}/ssh/ssh-keysign
190%attr(0755,root,root) /usr/lib/ssh/gnome-ssh-askpass 223%attr(0644,root,root) %doc %{_mandir}/man1/scp.1*
191%attr(0644,root,root) %doc /usr/man/man1/scp.1* 224%attr(0644,root,root) %doc %{_mandir}/man1/sftp.1*
192%attr(0644,root,root) %doc /usr/man/man1/ssh.1* 225%attr(-,root,root) %doc %{_mandir}/man1/slogin.1*
193%attr(-,root,root) %doc /usr/man/man1/slogin.1* 226%attr(0644,root,root) %doc %{_mandir}/man1/ssh.1*
194%attr(0644,root,root) %doc /usr/man/man1/ssh-agent.1* 227%attr(0644,root,root) %doc %{_mandir}/man1/ssh-add.1*
195%attr(0644,root,root) %doc /usr/man/man1/ssh-add.1* 228%attr(0644,root,root) %doc %{_mandir}/man1/ssh-agent.1*
196%attr(0644,root,root) %doc /usr/man/man1/ssh-keygen.1* 229%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keygen.1*
197%attr(0644,root,root) %doc /usr/man/man8/sshd.8* 230%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keyscan.1*
198%attr(0644,root,root) /var/adm/fillup-templates/rc.config.sshd 231%attr(0644,root,root) %doc %{_mandir}/man5/ssh_config.5*
232%attr(0644,root,root) %doc %{_mandir}/man5/sshd_config.5*
233%attr(0644,root,root) %doc %{_mandir}/man8/sftp-server.8*
234%attr(0644,root,root) %doc %{_mandir}/man8/ssh-keysign.8*
235%attr(0644,root,root) %doc %{_mandir}/man8/sshd.8*
236%attr(0644,root,root) /var/adm/fillup-templates/sysconfig.ssh
199 237
238%if %{build_x11_askpass}
239%files askpass
240%defattr(-,root,root)
241%doc x11-ssh-askpass-%{xversion}/README
242%doc x11-ssh-askpass-%{xversion}/ChangeLog
243%doc x11-ssh-askpass-%{xversion}/SshAskpass*.ad
244%attr(0755,root,root) %{_libdir}/ssh/ssh-askpass
245%attr(0755,root,root) %{_libdir}/ssh/x11-ssh-askpass
246%attr(0644,root,root) %doc /usr/X11R6/man/man1/ssh-askpass.1x*
247%attr(0644,root,root) %doc /usr/X11R6/man/man1/x11-ssh-askpass.1x*
248%attr(0644,root,root) %config /usr/X11R6/lib/X11/app-defaults/SshAskpass
249%endif
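Review bot: The first `%post` check still tests `/etc/ssh/ssh_host_key`, but the command under it now writes `/etc/ssh/ssh_host_rsa_key`, so on a host that has an RSA key and no protocol-1 key every install or upgrade reruns ssh-keygen against an existing host key file. The test should name the file being generated: `if [ ! -f /etc/ssh/ssh_host_rsa_key -o ! -s /etc/ssh/ssh_host_rsa_key ]; then`. In the new `%pre`, `-o` on both `groupadd` and `useradd` lets the privilege-separation account share GID 65 / UID 71 with an account that already exists, and `2> /dev/null || :` hides any failure; dropping `-o` keeps the sshd user distinct, and its `-d /var/lib/sshd` home does not match the `--with-privsep-path=/var/lib/empty` passed to configure. `Provides: openssh:${_libdir}/ssh/ssh-askpass` also looks like it was meant to use the RPM macro `%{_libdir}` rather than shell syntax.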
diff --git a/contrib/suse/rc.sshd b/contrib/suse/rc.sshd
index f7d431ebb..573960bfa 100644
--- a/contrib/suse/rc.sshd
+++ b/contrib/suse/rc.sshd
@@ -1,80 +1,133 @@
1#! /bin/sh 1#! /bin/sh
2# Copyright (c) 1995-1998 SuSE GmbH Nuernberg, Germany. 2# Copyright (c) 1995-2000 SuSE GmbH Nuernberg, Germany.
3# 3#
4# Author: Chris Saia <csaia@wtower.com> 4# Author: Jiri Smid <feedback@suse.de>
5# 5#
6# /sbin/init.d/sshd 6# /etc/init.d/sshd
7# 7#
8# and symbolic its link 8# and symbolic its link
9# 9#
10# /sbin/rcsshd 10# /usr/sbin/rcsshd
11# 11#
12### BEGIN INIT INFO
13# Provides: sshd
14# Required-Start: $network $remote_fs
15# Required-Stop: $network $remote_fs
16# Default-Start: 3 5
17# Default-Stop: 0 1 2 6
18# Description: Start the sshd daemon
19### END INIT INFO
12 20
13. /etc/rc.config 21SSHD_BIN=/usr/sbin/sshd
22test -x $SSHD_BIN || exit 5
14 23
15# Determine the base and follow a runlevel link name. 24SSHD_SYSCONFIG=/etc/sysconfig/ssh
16base=${0##*/} 25test -r $SSHD_SYSCONFIG || exit 6
17link=${base#*[SK][0-9][0-9]} 26. $SSHD_SYSCONFIG
18 27
19# Force execution if not called by a runlevel directory. 28SSHD_PIDFILE=/var/run/sshd.init.pid
20test $link = $base && START_SSHD=yes 29
21test "$START_SSHD" = yes || exit 0 30. /etc/rc.status
31
32# Shell functions sourced from /etc/rc.status:
33# rc_check check and set local and overall rc status
34# rc_status check and set local and overall rc status
35# rc_status -v ditto but be verbose in local rc status
36# rc_status -v -r ditto and clear the local rc status
37# rc_failed set local and overall rc status to failed
38# rc_reset clear local rc status (overall remains)
39# rc_exit exit appropriate to overall rc status
40
41# First reset status of this service
42rc_reset
22 43
23# The echo return value for success (defined in /etc/rc.config).
24return=$rc_done
25case "$1" in 44case "$1" in
26 start) 45 start)
27 echo -n "Starting service sshd" 46 if ! test -f /etc/ssh/ssh_host_key ; then
47 echo Generating /etc/ssh/ssh_host_key.
48 ssh-keygen -t rsa1 -b 1024 -f /etc/ssh/ssh_host_key -N ''
49 fi
50 if ! test -f /etc/ssh/ssh_host_dsa_key ; then
51 echo Generating /etc/ssh/ssh_host_dsa_key.
52
53 ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N ''
54 fi
55 if ! test -f /etc/ssh/ssh_host_rsa_key ; then
56 echo Generating /etc/ssh/ssh_host_rsa_key.
57
58 ssh-keygen -t rsa -b 1024 -f /etc/ssh/ssh_host_rsa_key -N ''
59 fi
60 echo -n "Starting SSH daemon"
28 ## Start daemon with startproc(8). If this fails 61 ## Start daemon with startproc(8). If this fails
29 ## the echo return value is set appropriate. 62 ## the echo return value is set appropriate.
30 63
31 startproc /usr/sbin/sshd || return=$rc_failed 64 startproc -f -p $SSHD_PIDFILE /usr/sbin/sshd $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE"
32 65
33 echo -e "$return" 66 # Remember status and be verbose
67 rc_status -v
34 ;; 68 ;;
35 stop) 69 stop)
36 echo -n "Stopping service sshd" 70 echo -n "Shutting down SSH daemon"
37 ## Stop daemon with killproc(8) and if this fails 71 ## Stop daemon with killproc(8) and if this fails
38 ## set echo the echo return value. 72 ## set echo the echo return value.
39 73
40 killproc -TERM /usr/sbin/sshd || return=$rc_failed 74 killproc -p $SSHD_PIDFILE -TERM /usr/sbin/sshd
41 75
42 echo -e "$return" 76 # Remember status and be verbose
77 rc_status -v
43 ;; 78 ;;
79 try-restart)
80 ## Stop the service and if this succeeds (i.e. the
81 ## service was running before), start it again.
82 $0 status >/dev/null && $0 restart
83
84 # Remember status and be quiet
85 rc_status
86 ;;
44 restart) 87 restart)
45 ## If first returns OK call the second, if first or 88 ## Stop the service and regardless of whether it was
46 ## second command fails, set echo return value. 89 ## running or not, start it again.
47 $0 stop && $0 start || return=$rc_failed 90 $0 stop
48 ;; 91 $0 start
49 reload)
50 ## Choose ONE of the following two cases:
51 92
52 ## First possibility: A few services accepts a signal 93 # Remember status and be quiet
53 ## to reread the (changed) configuration. 94 rc_status
95 ;;
96 force-reload|reload)
97 ## Signal the daemon to reload its config. Most daemons
98 ## do this on signal 1 (SIGHUP).
54 99
55 echo -n "Reload service sshd" 100 echo -n "Reload service sshd"
56 killproc -HUP /usr/sbin/sshd || return=$rc_failed 101
57 echo -e "$return" 102 killproc -p $SSHD_PIDFILE -HUP /usr/sbin/sshd
58 ;; 103
104 rc_status -v
105
106 ;;
59 status) 107 status)
60 echo -n "Checking for service sshd" 108 echo -n "Checking for service sshd "
61 ## Check status with checkproc(8), if process is running 109 ## Check status with checkproc(8), if process is running
62 ## checkproc will return with exit status 0. 110 ## checkproc will return with exit status 0.
63 111
64 checkproc /usr/sbin/sshd && echo OK || echo No process 112 # Status has a slightly different for the status command:
113 # 0 - service running
114 # 1 - service dead, but /var/run/ pid file exists
115 # 2 - service dead, but /var/lock/ lock file exists
116 # 3 - service not running
117
118 checkproc -p $SSHD_PIDFILE /usr/sbin/sshd
119
120 rc_status -v
65 ;; 121 ;;
66 probe) 122 probe)
67 ## Optional: Probe for the necessity of a reload, 123 ## Optional: Probe for the necessity of a reload,
68 ## give out the argument which is required for a reload. 124 ## give out the argument which is required for a reload.
69 125
70 test /etc/ssh/sshd_config -nt /var/run/sshd.pid && echo reload 126 test /etc/ssh/sshd_config -nt $SSHD_PIDFILE && echo reload
71 ;; 127 ;;
72 *) 128 *)
73 echo "Usage: $0 {start|stop|status|restart|reload[|probe]}" 129 echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
74 exit 1 130 exit 1
75 ;; 131 ;;
76esac 132esac
77 133rc_exit
78# Inform the caller not only verbosely and set an exit status.
79test "$return" = "$rc_done" || exit 1
80exit 0
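Review bot: The host-key bootstrap added to the `start)` branch (new lines 46-59) creates the RSA keys at 1024 bits and runs `ssh-keygen` through `PATH`, while sshd itself is checked through `SSHD_BIN`. DSA is limited to 1024 bits by ssh-keygen, but the protocol 2 RSA host key can be longer, for example `ssh-keygen -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key -N ''`. The key generator is better referenced through an absolute-path variable set next to `SSHD_BIN`, so a root-run init script does not depend on the caller's environment. `startproc`, `killproc` and `checkproc` still hard-code `/usr/sbin/sshd` rather than `$SSHD_BIN`, so the binary that is tested is not guaranteed to be the one that is started if the two ever diverge.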
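--- /dev/null
+++ b/contrib/suse/sysconfig.ssh
@@ -0,0 +1,9 @@
+## Path: Network/Remote access/SSH
+## Description: SSH server settings
+## Type: string
+## Default: ""
+## ServiceRestart: sshd
+#
+# Options for sshd
+#
+SSHD_OPTS=""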
diff --git a/debian/changelog b/debian/changelog
index 0d0363119..98e6ed73a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,45 @@
1openssh (1:4.2p1-9) UNRELEASED; urgency=low 1openssh (1:4.3p2-1) UNRELEASED; urgency=low
2 2
3 * New upstream release (closes: #361032).
4 - CVE-2006-0225: scp (as does rcp, on which it is based) invoked a
5 subshell to perform local to local, and remote to remote copy
6 operations. This subshell exposed filenames to shell expansion twice;
7 allowing a local attacker to create filenames containing shell
8 metacharacters that, if matched by a wildcard, could lead to execution
9 of attacker-specified commands with the privilege of the user running
10 scp (closes: #349645).
11 - Add support for tunneling arbitrary network packets over a connection
12 between an OpenSSH client and server via tun(4) virtual network
13 interfaces. This allows the use of OpenSSH (4.3+) to create a true VPN
14 between the client and server providing real network connectivity at
15 layer 2 or 3. This feature is experimental.
16 - Reduce default key length for new DSA keys generated by ssh-keygen
17 back to 1024 bits. DSA is not specified for longer lengths and does
18 not fully benefit from simply making keys longer. As per FIPS 186-2
19 Change Notice 1, ssh-keygen will refuse to generate a new DSA key
20 smaller or larger than 1024 bits.
21 - Fixed X forwarding failing to start when the X11 client is executed in
22 background at the time of session exit.
23 - Change ssh-keygen to generate a protocol 2 RSA key when invoked
24 without arguments (closes: #114894).
25 - Fix timing variance for valid vs. invalid accounts when attempting
26 Kerberos authentication.
27 - Ensure that ssh always returns code 255 on internal error
28 (closes: #259865).
29 - Cleanup wtmp files on SIGTERM when not using privsep.
30 - Set SO_REUSEADDR on X11 listeners to avoid problems caused by
31 lingering sockets from previous session (X11 applications can
32 sometimes not connect to 127.0.0.1:60xx) (closes:
33 https://launchpad.net/bugs/25528).
34 - Ensure that fds 0, 1 and 2 are always attached in all programs, by
35 duping /dev/null to them if necessary.
36 - Xauth list invocation had bogus "." argument.
37 - Remove internal assumptions on key exchange hash algorithm and output
38 length, preparing OpenSSH for KEX methods with alternate hashes.
39 - Ignore junk sent by a server before it sends the "SSH-" banner.
40 - Many manual page improvements.
41 - Lots of cleanups, including fixes to memory leaks on error paths and
42 possible crashes.
3 * Rename KeepAlive to TCPKeepAlive in default sshd_config 43 * Rename KeepAlive to TCPKeepAlive in default sshd_config
4 (closes: #349896). 44 (closes: #349896).
5 * debconf template translations: 45 * debconf template translations:
diff --git a/defines.h b/defines.h
index 408b988b5..f25934176 100644
--- a/defines.h
+++ b/defines.h
@@ -25,7 +25,7 @@
25#ifndef _DEFINES_H 25#ifndef _DEFINES_H
26#define _DEFINES_H 26#define _DEFINES_H
27 27
28/* $Id: defines.h,v 1.127 2005/08/31 16:59:49 tim Exp $ */ 28/* $Id: defines.h,v 1.130 2005/12/17 11:04:09 dtucker Exp $ */
29 29
30 30
31/* Constants */ 31/* Constants */
@@ -450,6 +450,10 @@ struct winsize {
450# define __sentinel__ 450# define __sentinel__
451#endif 451#endif
452 452
453#if !defined(HAVE_ATTRIBUTE__BOUNDED__) && !defined(__bounded__)
454# define __bounded__(x, y, z)
455#endif
456
453/* *-*-nto-qnx doesn't define this macro in the system headers */ 457/* *-*-nto-qnx doesn't define this macro in the system headers */
454#ifdef MISSING_HOWMANY 458#ifdef MISSING_HOWMANY
455# define howmany(x,y) (((x)+((y)-1))/(y)) 459# define howmany(x,y) (((x)+((y)-1))/(y))
@@ -688,7 +692,7 @@ struct winsize {
688# define CUSTOM_SYS_AUTH_PASSWD 1 692# define CUSTOM_SYS_AUTH_PASSWD 1
689#endif 693#endif
690 694
691#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF) 695#ifdef HAVE_LIBIAF
692# define CUSTOM_SYS_AUTH_PASSWD 1 696# define CUSTOM_SYS_AUTH_PASSWD 1
693#endif 697#endif
694 698
@@ -711,4 +715,12 @@ struct winsize {
711# undef HAVE_MMAP 715# undef HAVE_MMAP
712#endif 716#endif
713 717
718/* some system headers on HP-UX define YES/NO */
719#ifdef YES
720# undef YES
721#endif
722#ifdef NO
723# undef NO
724#endif
725
714#endif /* _DEFINES_H */ 726#endif /* _DEFINES_H */
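Review bot: In the third hunk (new line 695) `CUSTOM_SYS_AUTH_PASSWD` is now selected whenever `HAVE_LIBIAF` is defined, and the `!defined(BROKEN_LIBIAF)` opt-out disappears without a comment. This macro chooses the password-checking path, so if configure can still define `BROKEN_LIBIAF` on some platform (not visible here), authentication on that platform would silently move to the libiaf code. If the decision now lives entirely in configure.ac, a comment on the block such as `/* configure only sets HAVE_LIBIAF when libiaf is usable */` would record that assumption. The `__bounded__` stub in the second hunk would also benefit from a comment saying that the bounds-checking attribute expands to nothing on compilers that lack it.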
diff --git a/dns.c b/dns.c
index 4487c1aba..a71dd9bff 100644
--- a/dns.c
+++ b/dns.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: dns.c,v 1.12 2005/06/17 02:44:32 djm Exp $ */ 1/* $OpenBSD: dns.c,v 1.16 2005/10/17 14:13:35 stevesk Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2003 Wesley Griffin. All rights reserved. 4 * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -25,27 +25,16 @@
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */ 26 */
27 27
28
29#include "includes.h" 28#include "includes.h"
29RCSID("$OpenBSD: dns.c,v 1.16 2005/10/17 14:13:35 stevesk Exp $");
30 30
31#include <openssl/bn.h>
32#ifdef LWRES
33#include <lwres/netdb.h>
34#include <dns/result.h>
35#else /* LWRES */
36#include <netdb.h> 31#include <netdb.h>
37#endif /* LWRES */
38 32
39#include "xmalloc.h" 33#include "xmalloc.h"
40#include "key.h" 34#include "key.h"
41#include "dns.h" 35#include "dns.h"
42#include "log.h" 36#include "log.h"
43#include "uuencode.h"
44
45extern char *__progname;
46RCSID("$OpenBSD: dns.c,v 1.12 2005/06/17 02:44:32 djm Exp $");
47 37
48#ifndef LWRES
49static const char *errset_text[] = { 38static const char *errset_text[] = {
50 "success", /* 0 ERRSET_SUCCESS */ 39 "success", /* 0 ERRSET_SUCCESS */
51 "out of memory", /* 1 ERRSET_NOMEMORY */ 40 "out of memory", /* 1 ERRSET_NOMEMORY */
@@ -75,8 +64,6 @@ dns_result_totext(unsigned int res)
75 return "unknown error"; 64 return "unknown error";
76 } 65 }
77} 66}
78#endif /* LWRES */
79
80 67
81/* 68/*
82 * Read SSHFP parameters from key buffer. 69 * Read SSHFP parameters from key buffer.
@@ -95,12 +82,14 @@ dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
95 *algorithm = SSHFP_KEY_DSA; 82 *algorithm = SSHFP_KEY_DSA;
96 break; 83 break;
97 default: 84 default:
98 *algorithm = SSHFP_KEY_RESERVED; 85 *algorithm = SSHFP_KEY_RESERVED; /* 0 */
99 } 86 }
100 87
101 if (*algorithm) { 88 if (*algorithm) {
102 *digest_type = SSHFP_HASH_SHA1; 89 *digest_type = SSHFP_HASH_SHA1;
103 *digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len); 90 *digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len);
91 if (*digest == NULL)
92 fatal("dns_read_key: null from key_fingerprint_raw()");
104 success = 1; 93 success = 1;
105 } else { 94 } else {
106 *digest_type = SSHFP_HASH_RESERVED; 95 *digest_type = SSHFP_HASH_RESERVED;
@@ -133,7 +122,7 @@ dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type,
133 *digest = (u_char *) xmalloc(*digest_len); 122 *digest = (u_char *) xmalloc(*digest_len);
134 memcpy(*digest, rdata + 2, *digest_len); 123 memcpy(*digest, rdata + 2, *digest_len);
135 } else { 124 } else {
136 *digest = NULL; 125 *digest = xstrdup("");
137 } 126 }
138 127
139 success = 1; 128 success = 1;
@@ -187,7 +176,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
187 176
188 *flags = 0; 177 *flags = 0;
189 178
190 debug3("verify_hostkey_dns"); 179 debug3("verify_host_key_dns");
191 if (hostkey == NULL) 180 if (hostkey == NULL)
192 fatal("No key to look up!"); 181 fatal("No key to look up!");
193 182
@@ -223,7 +212,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
223 if (fingerprints->rri_nrdatas) 212 if (fingerprints->rri_nrdatas)
224 *flags |= DNS_VERIFY_FOUND; 213 *flags |= DNS_VERIFY_FOUND;
225 214
226 for (counter = 0 ; counter < fingerprints->rri_nrdatas ; counter++) { 215 for (counter = 0; counter < fingerprints->rri_nrdatas; counter++) {
227 /* 216 /*
228 * Extract the key from the answer. Ignore any badly 217 * Extract the key from the answer. Ignore any badly
229 * formatted fingerprints. 218 * formatted fingerprints.
@@ -247,8 +236,10 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
247 *flags |= DNS_VERIFY_MATCH; 236 *flags |= DNS_VERIFY_MATCH;
248 } 237 }
249 } 238 }
239 xfree(dnskey_digest);
250 } 240 }
251 241
242 xfree(hostkey_digest); /* from key_fingerprint_raw() */
252 freerrset(fingerprints); 243 freerrset(fingerprints);
253 244
254 if (*flags & DNS_VERIFY_FOUND) 245 if (*flags & DNS_VERIFY_FOUND)
@@ -262,7 +253,6 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
262 return 0; 253 return 0;
263} 254}
264 255
265
266/* 256/*
267 * Export the fingerprint of a key as a DNS resource record 257 * Export the fingerprint of a key as a DNS resource record
268 */ 258 */
@@ -278,7 +268,7 @@ export_dns_rr(const char *hostname, const Key *key, FILE *f, int generic)
278 int success = 0; 268 int success = 0;
279 269
280 if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type, 270 if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
281 &rdata_digest, &rdata_digest_len, key)) { 271 &rdata_digest, &rdata_digest_len, key)) {
282 272
283 if (generic) 273 if (generic)
284 fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname, 274 fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname,
@@ -291,9 +281,10 @@ export_dns_rr(const char *hostname, const Key *key, FILE *f, int generic)
291 for (i = 0; i < rdata_digest_len; i++) 281 for (i = 0; i < rdata_digest_len; i++)
292 fprintf(f, "%02x", rdata_digest[i]); 282 fprintf(f, "%02x", rdata_digest[i]);
293 fprintf(f, "\n"); 283 fprintf(f, "\n");
284 xfree(rdata_digest); /* from key_fingerprint_raw() */
294 success = 1; 285 success = 1;
295 } else { 286 } else {
296 error("dns_export_rr: unsupported algorithm"); 287 error("export_dns_rr: unsupported algorithm");
297 } 288 }
298 289
299 return success; 290 return success;
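Review bot: In `dns_read_rdata` (new line 125) `*digest = xstrdup("")` stores a `char *` through a `u_char **` out-parameter without a cast and without saying why an allocation replaces `NULL`. The reason appears to be the unconditional `xfree(dnskey_digest)` added at new line 239 in `verify_host_key_dns`; that coupling deserves a cast and a comment, for example `*digest = (u_char *)xstrdup(""); /* never NULL: caller always xfree()s it */`. The loop body between the two hunks is not visible, so two things need confirming: that no `continue` after a successful `dns_read_rdata` skips the new `xfree`, and that `hostkey_digest` is always assigned before the `xfree` at new line 242. Both functions start and end outside the hunks shown.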
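--- a/dns.h
+++ b/dns.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.h,v 1.5 2003/11/12 16:39:58 jakob Exp $ */
+/* $OpenBSD: dns.h,v 1.6 2005/10/17 14:13:35 stevesk Exp $ */
 
 /*
  * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -25,7 +25,6 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-
 #include "includes.h"
 
 #ifndef DNS_H
@@ -49,7 +48,6 @@ enum sshfp_hashes {
 #define DNS_VERIFY_MATCH 0x00000002
 #define DNS_VERIFY_SECURE 0x00000004
 
-
 int verify_host_key_dns(const char *, struct sockaddr *, const Key *, int *);
 int export_dns_rr(const char *, const Key *, FILE *, int);
 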
diff --git a/entropy.c b/entropy.c
index e48d6d3f9..b9d238200 100644
--- a/entropy.c
+++ b/entropy.c
@@ -26,6 +26,7 @@
26 26
27#include <openssl/rand.h> 27#include <openssl/rand.h>
28#include <openssl/crypto.h> 28#include <openssl/crypto.h>
29#include <openssl/err.h>
29 30
30#include "ssh.h" 31#include "ssh.h"
31#include "misc.h" 32#include "misc.h"
@@ -33,6 +34,8 @@
33#include "atomicio.h" 34#include "atomicio.h"
34#include "pathnames.h" 35#include "pathnames.h"
35#include "log.h" 36#include "log.h"
37#include "buffer.h"
38#include "bufaux.h"
36 39
37/* 40/*
38 * Portable OpenSSH PRNG seeding: 41 * Portable OpenSSH PRNG seeding:
@@ -45,7 +48,7 @@
45 * XXX: we should tell the child how many bytes we need. 48 * XXX: we should tell the child how many bytes we need.
46 */ 49 */
47 50
48RCSID("$Id: entropy.c,v 1.49 2005/07/17 07:26:44 djm Exp $"); 51RCSID("$Id: entropy.c,v 1.52 2005/09/27 22:26:30 dtucker Exp $");
49 52
50#ifndef OPENSSL_PRNG_ONLY 53#ifndef OPENSSL_PRNG_ONLY
51#define RANDOM_SEED_SIZE 48 54#define RANDOM_SEED_SIZE 48
@@ -148,10 +151,35 @@ init_rng(void)
148#endif 151#endif
149 152
150#ifndef OPENSSL_PRNG_ONLY 153#ifndef OPENSSL_PRNG_ONLY
151 if ((original_uid = getuid()) == -1) 154 original_uid = getuid();
152 fatal("getuid: %s", strerror(errno)); 155 original_euid = geteuid();
153 if ((original_euid = geteuid()) == -1)
154 fatal("geteuid: %s", strerror(errno));
155#endif 156#endif
156} 157}
157 158
159#ifndef OPENSSL_PRNG_ONLY
160void
161rexec_send_rng_seed(Buffer *m)
162{
163 u_char buf[RANDOM_SEED_SIZE];
164
165 if (RAND_bytes(buf, sizeof(buf)) <= 0) {
166 error("Couldn't obtain random bytes (error %ld)",
167 ERR_get_error());
168 buffer_put_string(m, "", 0);
169 } else
170 buffer_put_string(m, buf, sizeof(buf));
171}
172
173void
174rexec_recv_rng_seed(Buffer *m)
175{
176 u_char *buf;
177 u_int len;
178
179 buf = buffer_get_string_ret(m, &len);
180 if (buf != NULL) {
181 debug3("rexec_recv_rng_seed: seeding rng with %u bytes", len);
182 RAND_add(buf, len, len);
183 }
184}
185#endif
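Review bot: `rexec_recv_rng_seed` (new lines 173-184) never releases the buffer returned by `buffer_get_string_ret`, and `rexec_send_rng_seed` leaves the seed in its stack array `buf`, so PRNG seed material stays in memory after use. Assuming `buffer_get_string_ret` returns an allocated copy, add `memset(buf, 0, len); xfree(buf);` after `RAND_add(buf, len, len);` in the receiver and `memset(buf, 0, sizeof(buf));` at the end of the sender. The receiver also credits `len` bytes of entropy for whatever length the peer supplied, including the empty string the sender writes when `RAND_bytes` fails. Logging that zero-length case above `debug3` would make a failed reseed visible to an operator.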
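--- a/entropy.h
+++ b/entropy.h
@@ -22,12 +22,17 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-/* $Id: entropy.h,v 1.4 2001/02/09 01:55:36 djm Exp $ */
+/* $Id: entropy.h,v 1.5 2005/09/27 12:46:32 dtucker Exp $ */
 
 #ifndef _RANDOMS_H
 #define _RANDOMS_H
 
+#include "buffer.h"
+
 void seed_rng(void);
 void init_rng(void);
 
+void rexec_send_rng_seed(Buffer *);
+void rexec_recv_rng_seed(Buffer *);
+
 #endif /* _RANDOMS_H */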
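--- a/envpass.sh
+++ /dev/null
@@ -1,44 +0,0 @@
-# $OpenBSD: envpass.sh,v 1.1 2004/04/27 09:47:30 djm Exp $
-# Placed in the Public Domain.
-
-tid="environment passing"
-
-# NB accepted env vars are in test-exec.sh (_XXX_TEST_* and _XXX_TEST)
-
-trace "pass env, don't accept"
-verbose "test $tid: pass env, don't accept"
-_TEST_ENV=blah ${SSH} -oSendEnv="*" -F $OBJ/ssh_proxy otherhost \
- '[ -z "$_TEST_ENV" ]'
-r=$?
-if [ $r -ne 0 ]; then
- fail "environment found"
-fi
-
-trace "don't pass env, accept"
-verbose "test $tid: don't pass env, accept"
-${SSH} -F $OBJ/ssh_proxy otherhost \
- '[ -z "$_XXX_TEST_A" -a -z "$_XXX_TEST_B" ]'
-r=$?
-if [ $r -ne 0 ]; then
- fail "environment found"
-fi
-
-trace "pass single env, accept single env"
-verbose "test $tid: pass single env, accept single env"
-_XXX_TEST=blah ${SSH} -oSendEnv="_XXX_TEST" -F $OBJ/ssh_proxy otherhost \
- '[ "x$_XXX_TEST" = "xblah" ]'
-r=$?
-if [ $r -ne 0 ]; then
- fail "environment not found"
-fi
-
-trace "pass multiple env, accept multiple env"
-verbose "test $tid: pass multiple env, accept multiple env"
-_XXX_TEST_A=1 _XXX_TEST_B=2 ${SSH} -oSendEnv="_XXX_TEST_*" \
- -F $OBJ/ssh_proxy otherhost \
- '[ "x$_XXX_TEST_A" = "x1" -a "x$_XXX_TEST_B" = "x2" ]'
-r=$?
-if [ $r -ne 0 ]; then
- fail "environment not found"
-fi
-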
diff --git a/gss-genr.c b/gss-genr.c
index aad30dd0b..2a905f5e9 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: gss-genr.c,v 1.4 2005/07/17 07:17:55 djm Exp $ */ 1/* $OpenBSD: gss-genr.c,v 1.6 2005/10/13 22:24:31 stevesk Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -30,9 +30,7 @@
30 30
31#include "xmalloc.h" 31#include "xmalloc.h"
32#include "bufaux.h" 32#include "bufaux.h"
33#include "compat.h"
34#include "log.h" 33#include "log.h"
35#include "monitor_wrap.h"
36#include "ssh2.h" 34#include "ssh2.h"
37#include <openssl/evp.h> 35#include <openssl/evp.h>
38 36
@@ -411,7 +409,8 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
411} 409}
412 410
413OM_uint32 411OM_uint32
414ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) { 412ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
413{
415 if (*ctx) 414 if (*ctx)
416 ssh_gssapi_delete_ctx(ctx); 415 ssh_gssapi_delete_ctx(ctx);
417 ssh_gssapi_build_ctx(ctx); 416 ssh_gssapi_build_ctx(ctx);
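--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv-krb5.c,v 1.3 2004/07/21 10:36:23 djm Exp $ */
+/* $OpenBSD: gss-serv-krb5.c,v 1.4 2005/10/13 19:08:08 stevesk Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.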
diff --git a/gss-serv.c b/gss-serv.c
index 05ae54e97..9682fc3c3 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: gss-serv.c,v 1.8 2005/08/30 22:08:05 djm Exp $ */ 1/* $OpenBSD: gss-serv.c,v 1.13 2005/10/13 22:24:31 stevesk Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -29,20 +29,16 @@
29#ifdef GSSAPI 29#ifdef GSSAPI
30 30
31#include "bufaux.h" 31#include "bufaux.h"
32#include "compat.h"
33#include "auth.h" 32#include "auth.h"
34#include "log.h" 33#include "log.h"
35#include "channels.h" 34#include "channels.h"
36#include "session.h" 35#include "session.h"
37#include "servconf.h" 36#include "servconf.h"
38#include "monitor_wrap.h"
39#include "xmalloc.h" 37#include "xmalloc.h"
40#include "getput.h" 38#include "getput.h"
41 39
42#include "ssh-gss.h" 40#include "ssh-gss.h"
43 41
44extern ServerOptions options;
45
46static ssh_gssapi_client gssapi_client = 42static ssh_gssapi_client gssapi_client =
47 { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, 43 { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
48 GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; 44 GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
@@ -61,7 +57,7 @@ ssh_gssapi_mech* supported_mechs[]= {
61 &gssapi_null_mech, 57 &gssapi_null_mech,
62}; 58};
63 59
64/* Unpriviledged */ 60/* Unprivileged */
65char * 61char *
66ssh_gssapi_server_mechanisms() { 62ssh_gssapi_server_mechanisms() {
67 gss_OID_set supported; 63 gss_OID_set supported;
@@ -71,7 +67,7 @@ ssh_gssapi_server_mechanisms() {
71 NULL)); 67 NULL));
72} 68}
73 69
74/* Unpriviledged */ 70/* Unprivileged */
75int 71int
76ssh_gssapi_server_check_mech(gss_OID oid, void *data) { 72ssh_gssapi_server_check_mech(gss_OID oid, void *data) {
77 Gssctxt * ctx = NULL; 73 Gssctxt * ctx = NULL;
@@ -83,7 +79,7 @@ ssh_gssapi_server_check_mech(gss_OID oid, void *data) {
83 return (res); 79 return (res);
84} 80}
85 81
86/* Unpriviledged */ 82/* Unprivileged */
87void 83void
88ssh_gssapi_supported_oids(gss_OID_set *oidset) 84ssh_gssapi_supported_oids(gss_OID_set *oidset)
89{ 85{
@@ -112,7 +108,7 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
112 * oid 108 * oid
113 * credentials (from ssh_gssapi_acquire_cred) 109 * credentials (from ssh_gssapi_acquire_cred)
114 */ 110 */
115/* Priviledged */ 111/* Privileged */
116OM_uint32 112OM_uint32
117ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok, 113ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok,
118 gss_buffer_desc *send_tok, OM_uint32 *flags) 114 gss_buffer_desc *send_tok, OM_uint32 *flags)
@@ -160,14 +156,14 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
160 OM_uint32 offset; 156 OM_uint32 offset;
161 OM_uint32 oidl; 157 OM_uint32 oidl;
162 158
163 tok=ename->value; 159 tok = ename->value;
164 160
165 /* 161 /*
166 * Check that ename is long enough for all of the fixed length 162 * Check that ename is long enough for all of the fixed length
167 * header, and that the initial ID bytes are correct 163 * header, and that the initial ID bytes are correct
168 */ 164 */
169 165
170 if (ename->length<6 || memcmp(tok,"\x04\x01", 2)!=0) 166 if (ename->length < 6 || memcmp(tok, "\x04\x01", 2) != 0)
171 return GSS_S_FAILURE; 167 return GSS_S_FAILURE;
172 168
173 /* 169 /*
@@ -186,7 +182,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
186 */ 182 */
187 if (tok[4] != 0x06 || tok[5] != oidl || 183 if (tok[4] != 0x06 || tok[5] != oidl ||
188 ename->length < oidl+6 || 184 ename->length < oidl+6 ||
189 !ssh_gssapi_check_oid(ctx,tok+6,oidl)) 185 !ssh_gssapi_check_oid(ctx, tok+6, oidl))
190 return GSS_S_FAILURE; 186 return GSS_S_FAILURE;
191 187
192 offset = oidl+6; 188 offset = oidl+6;
@@ -201,7 +197,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
201 return GSS_S_FAILURE; 197 return GSS_S_FAILURE;
202 198
203 name->value = xmalloc(name->length+1); 199 name->value = xmalloc(name->length+1);
204 memcpy(name->value,tok+offset,name->length); 200 memcpy(name->value, tok+offset,name->length);
205 ((char *)name->value)[name->length] = 0; 201 ((char *)name->value)[name->length] = 0;
206 202
207 return GSS_S_COMPLETE; 203 return GSS_S_COMPLETE;
@@ -210,7 +206,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
210/* Extract the client details from a given context. This can only reliably 206/* Extract the client details from a given context. This can only reliably
211 * be called once for a context */ 207 * be called once for a context */
212 208
213/* Priviledged (called from accept_secure_ctx) */ 209/* Privileged (called from accept_secure_ctx) */
214OM_uint32 210OM_uint32
215ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 211ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
216{ 212{
@@ -285,15 +281,14 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
285 281
286 if (gssapi_client.store.envvar != NULL && 282 if (gssapi_client.store.envvar != NULL &&
287 gssapi_client.store.envval != NULL) { 283 gssapi_client.store.envval != NULL) {
288
289 debug("Setting %s to %s", gssapi_client.store.envvar, 284 debug("Setting %s to %s", gssapi_client.store.envvar,
290 gssapi_client.store.envval); 285 gssapi_client.store.envval);
291 child_set_env(envp, envsizep, gssapi_client.store.envvar, 286 child_set_env(envp, envsizep, gssapi_client.store.envvar,
292 gssapi_client.store.envval); 287 gssapi_client.store.envval);
293 } 288 }
294} 289}
295 290
296/* Priviledged */ 291/* Privileged */
297int 292int
298ssh_gssapi_userok(char *user) 293ssh_gssapi_userok(char *user)
299{ 294{
@@ -320,4 +315,14 @@ ssh_gssapi_userok(char *user)
320 return (0); 315 return (0);
321} 316}
322 317
318/* Privileged */
319OM_uint32
320ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
321{
322 ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
323 gssbuf, gssmic, NULL);
324
325 return (ctx->major);
326}
327
323#endif 328#endif
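Review bot: The new `ssh_gssapi_checkmic` (new lines 318-326) carries only the `/* Privileged */` tag, although its result decides whether a client-supplied MIC is accepted. A header comment would make the contract explicit, for example `/* Verify gssmic over gssbuf with ctx's established context; returns the GSS major status, callers test it with GSS_ERROR() */`. The function dereferences `ctx` unconditionally, so every caller has to guarantee a non-NULL, established context; the call sites are not visible here, and a guard returning `GSS_S_FAILURE` for a NULL `ctx` would be a cheap safeguard if any of them cannot. As a style point, `memcpy(name->value, tok+offset,name->length);` at new line 200 gained a space after the first comma only.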
diff --git a/hostfile.c b/hostfile.c
index 63550a29d..3ed646247 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -36,7 +36,7 @@
36 */ 36 */
37 37
38#include "includes.h" 38#include "includes.h"
39RCSID("$OpenBSD: hostfile.c,v 1.35 2005/07/27 10:39:03 dtucker Exp $"); 39RCSID("$OpenBSD: hostfile.c,v 1.36 2005/11/22 03:36:03 dtucker Exp $");
40 40
41#include <resolv.h> 41#include <resolv.h>
42#include <openssl/hmac.h> 42#include <openssl/hmac.h>
@@ -88,8 +88,8 @@ extract_salt(const char *s, u_int l, char *salt, size_t salt_len)
88 return (-1); 88 return (-1);
89 } 89 }
90 if (ret != SHA_DIGEST_LENGTH) { 90 if (ret != SHA_DIGEST_LENGTH) {
91 debug2("extract_salt: expected salt len %u, got %u", 91 debug2("extract_salt: expected salt len %d, got %d",
92 salt_len, ret); 92 SHA_DIGEST_LENGTH, ret);
93 return (-1); 93 return (-1);
94 } 94 }
95 95
diff --git a/includes.h b/includes.h
index fa65aa38d..520817400 100644
--- a/includes.h
+++ b/includes.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: includes.h,v 1.19 2005/05/19 02:42:26 djm Exp $ */ 1/* $OpenBSD: includes.h,v 1.22 2006/01/01 08:59:27 stevesk Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -21,6 +21,8 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
21 21
22#include "config.h" 22#include "config.h"
23 23
24#define _GNU_SOURCE /* activate extra prototypes for glibc */
25
24#include <stdarg.h> 26#include <stdarg.h>
25#include <stdio.h> 27#include <stdio.h>
26#include <ctype.h> 28#include <ctype.h>
@@ -67,7 +69,6 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
67#ifdef HAVE_NEXT 69#ifdef HAVE_NEXT
68# include <libc.h> 70# include <libc.h>
69#endif 71#endif
70#define __USE_GNU /* before unistd.h, activate extra prototypes for glibc */
71#include <unistd.h> /* For STDIN_FILENO, etc */ 72#include <unistd.h> /* For STDIN_FILENO, etc */
72#include <termios.h> /* Struct winsize */ 73#include <termios.h> /* Struct winsize */
73 74
diff --git a/kex.c b/kex.c
index e7147ae74..e0b9d5872 100644
--- a/kex.c
+++ b/kex.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: kex.c,v 1.64 2005/07/25 11:59:39 markus Exp $"); 26RCSID("$OpenBSD: kex.c,v 1.65 2005/11/04 05:15:59 djm Exp $");
27 27
28#include <openssl/crypto.h> 28#include <openssl/crypto.h>
29 29
@@ -298,18 +298,23 @@ choose_kex(Kex *k, char *client, char *server)
298 fatal("no kex alg"); 298 fatal("no kex alg");
299 if (strcmp(k->name, KEX_DH1) == 0) { 299 if (strcmp(k->name, KEX_DH1) == 0) {
300 k->kex_type = KEX_DH_GRP1_SHA1; 300 k->kex_type = KEX_DH_GRP1_SHA1;
301 k->evp_md = EVP_sha1();
301 } else if (strcmp(k->name, KEX_DH14) == 0) { 302 } else if (strcmp(k->name, KEX_DH14) == 0) {
302 k->kex_type = KEX_DH_GRP14_SHA1; 303 k->kex_type = KEX_DH_GRP14_SHA1;
303 } else if (strcmp(k->name, KEX_DHGEX) == 0) { 304 k->evp_md = EVP_sha1();
305 } else if (strcmp(k->name, KEX_DHGEX_SHA1) == 0) {
304 k->kex_type = KEX_DH_GEX_SHA1; 306 k->kex_type = KEX_DH_GEX_SHA1;
307 k->evp_md = EVP_sha1();
305#ifdef GSSAPI 308#ifdef GSSAPI
306 } else if (strncmp(k->name, KEX_GSS_SHA1, 309 } else if (strncmp(k->name, KEX_GSS_SHA1,
307 sizeof(KEX_GSS_SHA1)-1) == 0) { 310 sizeof(KEX_GSS_SHA1)-1) == 0) {
308 k->kex_type = KEX_GSS_GRP1_SHA1; 311 k->kex_type = KEX_GSS_GRP1_SHA1;
312 k->evp_md = EVP_sha1();
309#endif 313#endif
310 } else 314 } else
311 fatal("bad kex alg %s", k->name); 315 fatal("bad kex alg %s", k->name);
312} 316}
317
313static void 318static void
314choose_hostkeyalg(Kex *k, char *client, char *server) 319choose_hostkeyalg(Kex *k, char *client, char *server)
315{ 320{
@@ -413,28 +418,28 @@ kex_choose_conf(Kex *kex)
413} 418}
414 419
415static u_char * 420static u_char *
416derive_key(Kex *kex, int id, u_int need, u_char *hash, BIGNUM *shared_secret) 421derive_key(Kex *kex, int id, u_int need, u_char *hash, u_int hashlen,
422 BIGNUM *shared_secret)
417{ 423{
418 Buffer b; 424 Buffer b;
419 const EVP_MD *evp_md = EVP_sha1();
420 EVP_MD_CTX md; 425 EVP_MD_CTX md;
421 char c = id; 426 char c = id;
422 u_int have; 427 u_int have;
423 int mdsz = EVP_MD_size(evp_md); 428 int mdsz;
424 u_char *digest; 429 u_char *digest;
425 430
426 if (mdsz < 0) 431 if ((mdsz = EVP_MD_size(kex->evp_md)) <= 0)
427 fatal("derive_key: mdsz < 0"); 432 fatal("bad kex md size %d", mdsz);
428 digest = xmalloc(roundup(need, mdsz)); 433 digest = xmalloc(roundup(need, mdsz));
429 434
430 buffer_init(&b); 435 buffer_init(&b);
431 buffer_put_bignum2(&b, shared_secret); 436 buffer_put_bignum2(&b, shared_secret);
432 437
433 /* K1 = HASH(K || H || "A" || session_id) */ 438 /* K1 = HASH(K || H || "A" || session_id) */
434 EVP_DigestInit(&md, evp_md); 439 EVP_DigestInit(&md, kex->evp_md);
435 if (!(datafellows & SSH_BUG_DERIVEKEY)) 440 if (!(datafellows & SSH_BUG_DERIVEKEY))
436 EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); 441 EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
437 EVP_DigestUpdate(&md, hash, mdsz); 442 EVP_DigestUpdate(&md, hash, hashlen);
438 EVP_DigestUpdate(&md, &c, 1); 443 EVP_DigestUpdate(&md, &c, 1);
439 EVP_DigestUpdate(&md, kex->session_id, kex->session_id_len); 444 EVP_DigestUpdate(&md, kex->session_id, kex->session_id_len);
440 EVP_DigestFinal(&md, digest, NULL); 445 EVP_DigestFinal(&md, digest, NULL);
@@ -445,10 +450,10 @@ derive_key(Kex *kex, int id, u_int need, u_char *hash, BIGNUM *shared_secret)
445 * Key = K1 || K2 || ... || Kn 450 * Key = K1 || K2 || ... || Kn
446 */ 451 */
447 for (have = mdsz; need > have; have += mdsz) { 452 for (have = mdsz; need > have; have += mdsz) {
448 EVP_DigestInit(&md, evp_md); 453 EVP_DigestInit(&md, kex->evp_md);
449 if (!(datafellows & SSH_BUG_DERIVEKEY)) 454 if (!(datafellows & SSH_BUG_DERIVEKEY))
450 EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); 455 EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
451 EVP_DigestUpdate(&md, hash, mdsz); 456 EVP_DigestUpdate(&md, hash, hashlen);
452 EVP_DigestUpdate(&md, digest, have); 457 EVP_DigestUpdate(&md, digest, have);
453 EVP_DigestFinal(&md, digest + have, NULL); 458 EVP_DigestFinal(&md, digest + have, NULL);
454 } 459 }
@@ -464,13 +469,15 @@ Newkeys *current_keys[MODE_MAX];
464 469
465#define NKEYS 6 470#define NKEYS 6
466void 471void
467kex_derive_keys(Kex *kex, u_char *hash, BIGNUM *shared_secret) 472kex_derive_keys(Kex *kex, u_char *hash, u_int hashlen, BIGNUM *shared_secret)
468{ 473{
469 u_char *keys[NKEYS]; 474 u_char *keys[NKEYS];
470 u_int i, mode, ctos; 475 u_int i, mode, ctos;
471 476
472 for (i = 0; i < NKEYS; i++) 477 for (i = 0; i < NKEYS; i++) {
473 keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, shared_secret); 478 keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, hashlen,
479 shared_secret);
480 }
474 481
475 debug2("kex_derive_keys"); 482 debug2("kex_derive_keys");
476 for (mode = 0; mode < MODE_MAX; mode++) { 483 for (mode = 0; mode < MODE_MAX; mode++) {
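Review bot: derive_key passes `kex->evp_md` to `EVP_MD_size()` and `EVP_DigestInit()` without checking it for NULL, so key derivation is only safe if every branch of choose_kex assigned it. All four visible branches do, but a KEX method added later that sets `kex_type` and forgets `evp_md` would reach this code with a null digest. I would add `if (kex->evp_md == NULL) fatal("derive_key: no kex digest");` ahead of the size check, or one check after the if/else chain in choose_kex. The new `hashlen` argument is also fed to `EVP_DigestUpdate(&md, hash, hashlen)` unbounded, so a comment that it must be the length written by the exchange-hash function would help; derive_key's body continues outside the visible hunks.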
diff --git a/kex.h b/kex.h
index 25720dff8..370e3e873 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: kex.h,v 1.37 2005/07/25 11:59:39 markus Exp $ */ 1/* $OpenBSD: kex.h,v 1.38 2005/11/04 05:15:59 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -31,9 +31,9 @@
31#include "cipher.h" 31#include "cipher.h"
32#include "key.h" 32#include "key.h"
33 33
34#define KEX_DH1 "diffie-hellman-group1-sha1" 34#define KEX_DH1 "diffie-hellman-group1-sha1"
35#define KEX_DH14 "diffie-hellman-group14-sha1" 35#define KEX_DH14 "diffie-hellman-group14-sha1"
36#define KEX_DHGEX "diffie-hellman-group-exchange-sha1" 36#define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1"
37 37
38#define COMP_NONE 0 38#define COMP_NONE 0
39#define COMP_ZLIB 1 39#define COMP_ZLIB 1
@@ -115,6 +115,7 @@ struct Kex {
115 Buffer peer; 115 Buffer peer;
116 int done; 116 int done;
117 int flags; 117 int flags;
118 const EVP_MD *evp_md;
118#ifdef GSSAPI 119#ifdef GSSAPI
119 int gss_deleg_creds; 120 int gss_deleg_creds;
120#endif 121#endif
@@ -131,7 +132,7 @@ void kex_finish(Kex *);
131 132
132void kex_send_kexinit(Kex *); 133void kex_send_kexinit(Kex *);
133void kex_input_kexinit(int, u_int32_t, void *); 134void kex_input_kexinit(int, u_int32_t, void *);
134void kex_derive_keys(Kex *, u_char *, BIGNUM *); 135void kex_derive_keys(Kex *, u_char *, u_int, BIGNUM *);
135 136
136Newkeys *kex_get_newkeys(int); 137Newkeys *kex_get_newkeys(int);
137 138
@@ -145,12 +146,13 @@ void kexgss_client(Kex *);
145void kexgss_server(Kex *); 146void kexgss_server(Kex *);
146#endif 147#endif
147 148
148u_char * 149void
149kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, 150kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
150 BIGNUM *, BIGNUM *, BIGNUM *); 151 BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
151u_char * 152void
152kexgex_hash(char *, char *, char *, int, char *, int, u_char *, int, 153kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *,
153 int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *); 154 int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
155 BIGNUM *, BIGNUM *, u_char **, u_int *);
154 156
155void 157void
156derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]); 158derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]);
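Review bot: The prototypes for kex_dh_hash and kexgex_hash do not say who owns the buffer returned through the new `u_char **` parameter. In kexdh.c and kexgex.c it is set to a function-local `static` array, so callers must not free it and must copy what they need before the next call. A comment above the prototypes such as `/* *hash points at a static buffer: do not free; overwritten by the next call */` would record that. kexgex_hash now takes nineteen unnamed parameters, four of them adjacent `int`s, so naming the parameters in the prototype would make a transposed argument easier to spot.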
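--- a/kexdh.c
+++ b/kexdh.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: kexdh.c,v 1.19 2003/02/16 17:09:57 markus Exp $");
+RCSID("$OpenBSD: kexdh.c,v 1.20 2005/11/04 05:15:59 djm Exp $");
 
 #include <openssl/evp.h>
 
@@ -32,7 +32,7 @@ RCSID("$OpenBSD: kexdh.c,v 1.19 2003/02/16 17:09:57 markus Exp $");
 #include "ssh2.h"
 #include "kex.h"
 
-u_char *
+void
 kex_dh_hash(
  char *client_version_string,
  char *server_version_string,
@@ -41,7 +41,8 @@ kex_dh_hash(
  u_char *serverhostkeyblob, int sbloblen,
  BIGNUM *client_dh_pub,
  BIGNUM *server_dh_pub,
- BIGNUM *shared_secret)
+ BIGNUM *shared_secret,
+ u_char **hash, u_int *hashlen)
 {
  Buffer b;
  static u_char digest[EVP_MAX_MD_SIZE];
@@ -77,5 +78,6 @@ kex_dh_hash(
 #ifdef DEBUG_KEX
  dump_digest("hash", digest, EVP_MD_size(evp_md));
 #endif
- return digest;
+ *hash = digest;
+ *hashlen = EVP_MD_size(evp_md);
 }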
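Review bot: kex_dh_hash still takes its digest from a local `evp_md` (declared outside the hunks), while derive_key in kex.c now hashes with `kex->evp_md`, so the exchange hash and the key derivation use the same algorithm only by convention. kexgex_hash gained a `const EVP_MD *evp_md` first parameter in this commit. Giving kex_dh_hash the same parameter and passing `kex->evp_md` from kexdhc.c and kexdhs.c would keep the two in step once a non-SHA1 method is added. Until then a comment at the top of the function, `/* digest is fixed here; must match kex->evp_md set in choose_kex() */`, would at least record the coupling.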
diff --git a/kexdhc.c b/kexdhc.c
index f48bd4678..d8a2fa3b7 100644
--- a/kexdhc.c
+++ b/kexdhc.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: kexdhc.c,v 1.2 2004/06/13 12:53:24 djm Exp $"); 26RCSID("$OpenBSD: kexdhc.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
27 27
28#include "xmalloc.h" 28#include "xmalloc.h"
29#include "key.h" 29#include "key.h"
@@ -41,7 +41,7 @@ kexdh_client(Kex *kex)
41 Key *server_host_key; 41 Key *server_host_key;
42 u_char *server_host_key_blob = NULL, *signature = NULL; 42 u_char *server_host_key_blob = NULL, *signature = NULL;
43 u_char *kbuf, *hash; 43 u_char *kbuf, *hash;
44 u_int klen, kout, slen, sbloblen; 44 u_int klen, kout, slen, sbloblen, hashlen;
45 45
46 /* generate and send 'e', client DH public key */ 46 /* generate and send 'e', client DH public key */
47 switch (kex->kex_type) { 47 switch (kex->kex_type) {
@@ -114,7 +114,7 @@ kexdh_client(Kex *kex)
114 xfree(kbuf); 114 xfree(kbuf);
115 115
116 /* calc and verify H */ 116 /* calc and verify H */
117 hash = kex_dh_hash( 117 kex_dh_hash(
118 kex->client_version_string, 118 kex->client_version_string,
119 kex->server_version_string, 119 kex->server_version_string,
120 buffer_ptr(&kex->my), buffer_len(&kex->my), 120 buffer_ptr(&kex->my), buffer_len(&kex->my),
@@ -122,25 +122,26 @@ kexdh_client(Kex *kex)
122 server_host_key_blob, sbloblen, 122 server_host_key_blob, sbloblen,
123 dh->pub_key, 123 dh->pub_key,
124 dh_server_pub, 124 dh_server_pub,
125 shared_secret 125 shared_secret,
126 &hash, &hashlen
126 ); 127 );
127 xfree(server_host_key_blob); 128 xfree(server_host_key_blob);
128 BN_clear_free(dh_server_pub); 129 BN_clear_free(dh_server_pub);
129 DH_free(dh); 130 DH_free(dh);
130 131
131 if (key_verify(server_host_key, signature, slen, hash, 20) != 1) 132 if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
132 fatal("key_verify failed for server_host_key"); 133 fatal("key_verify failed for server_host_key");
133 key_free(server_host_key); 134 key_free(server_host_key);
134 xfree(signature); 135 xfree(signature);
135 136
136 /* save session id */ 137 /* save session id */
137 if (kex->session_id == NULL) { 138 if (kex->session_id == NULL) {
138 kex->session_id_len = 20; 139 kex->session_id_len = hashlen;
139 kex->session_id = xmalloc(kex->session_id_len); 140 kex->session_id = xmalloc(kex->session_id_len);
140 memcpy(kex->session_id, hash, kex->session_id_len); 141 memcpy(kex->session_id, hash, kex->session_id_len);
141 } 142 }
142 143
143 kex_derive_keys(kex, hash, shared_secret); 144 kex_derive_keys(kex, hash, hashlen, shared_secret);
144 BN_clear_free(shared_secret); 145 BN_clear_free(shared_secret);
145 kex_finish(kex); 146 kex_finish(kex);
146} 147}
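Review bot: `hash` and `hashlen` in kexdh_client are declared without initialisers and are now filled only through the out-parameters of kex_dh_hash, which returns `void`. If the hash function ever gained an early return that skipped the assignments, `key_verify(server_host_key, signature, slen, hash, hashlen)` and the session-id copy would run on indeterminate values with nothing to signal it. Initialising them, `*hash = NULL` in the pointer declaration and `hashlen = 0` in the `u_int` list, makes that case predictable at no cost. The same pattern is introduced in kexdh_server (kexdhs.c), kexgex_client (kexgexc.c) and kexgex_server (kexgexs.c).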
diff --git a/kexdhs.c b/kexdhs.c
index 225e65592..26c8cdfd6 100644
--- a/kexdhs.c
+++ b/kexdhs.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: kexdhs.c,v 1.2 2004/06/13 12:53:24 djm Exp $"); 26RCSID("$OpenBSD: kexdhs.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
27 27
28#include "xmalloc.h" 28#include "xmalloc.h"
29#include "key.h" 29#include "key.h"
@@ -41,7 +41,7 @@ kexdh_server(Kex *kex)
41 DH *dh; 41 DH *dh;
42 Key *server_host_key; 42 Key *server_host_key;
43 u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL; 43 u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
44 u_int sbloblen, klen, kout; 44 u_int sbloblen, klen, kout, hashlen;
45 u_int slen; 45 u_int slen;
46 46
47 /* generate server DH public key */ 47 /* generate server DH public key */
@@ -103,7 +103,7 @@ kexdh_server(Kex *kex)
103 key_to_blob(server_host_key, &server_host_key_blob, &sbloblen); 103 key_to_blob(server_host_key, &server_host_key_blob, &sbloblen);
104 104
105 /* calc H */ 105 /* calc H */
106 hash = kex_dh_hash( 106 kex_dh_hash(
107 kex->client_version_string, 107 kex->client_version_string,
108 kex->server_version_string, 108 kex->server_version_string,
109 buffer_ptr(&kex->peer), buffer_len(&kex->peer), 109 buffer_ptr(&kex->peer), buffer_len(&kex->peer),
@@ -111,21 +111,20 @@ kexdh_server(Kex *kex)
111 server_host_key_blob, sbloblen, 111 server_host_key_blob, sbloblen,
112 dh_client_pub, 112 dh_client_pub,
113 dh->pub_key, 113 dh->pub_key,
114 shared_secret 114 shared_secret,
115 &hash, &hashlen
115 ); 116 );
116 BN_clear_free(dh_client_pub); 117 BN_clear_free(dh_client_pub);
117 118
118 /* save session id := H */ 119 /* save session id := H */
119 /* XXX hashlen depends on KEX */
120 if (kex->session_id == NULL) { 120 if (kex->session_id == NULL) {
121 kex->session_id_len = 20; 121 kex->session_id_len = hashlen;
122 kex->session_id = xmalloc(kex->session_id_len); 122 kex->session_id = xmalloc(kex->session_id_len);
123 memcpy(kex->session_id, hash, kex->session_id_len); 123 memcpy(kex->session_id, hash, kex->session_id_len);
124 } 124 }
125 125
126 /* sign H */ 126 /* sign H */
127 /* XXX hashlen depends on KEX */ 127 PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
128 PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20));
129 128
130 /* destroy_sensitive_data(); */ 129 /* destroy_sensitive_data(); */
131 130
@@ -141,7 +140,7 @@ kexdh_server(Kex *kex)
141 /* have keys, free DH */ 140 /* have keys, free DH */
142 DH_free(dh); 141 DH_free(dh);
143 142
144 kex_derive_keys(kex, hash, shared_secret); 143 kex_derive_keys(kex, hash, hashlen, shared_secret);
145 BN_clear_free(shared_secret); 144 BN_clear_free(shared_secret);
146 kex_finish(kex); 145 kex_finish(kex);
147} 146}
diff --git a/kexgex.c b/kexgex.c
index b0c39c8cb..705484a47 100644
--- a/kexgex.c
+++ b/kexgex.c
@@ -24,7 +24,7 @@
24 */ 24 */
25 25
26#include "includes.h" 26#include "includes.h"
27RCSID("$OpenBSD: kexgex.c,v 1.23 2003/02/16 17:09:57 markus Exp $"); 27RCSID("$OpenBSD: kexgex.c,v 1.24 2005/11/04 05:15:59 djm Exp $");
28 28
29#include <openssl/evp.h> 29#include <openssl/evp.h>
30 30
@@ -33,8 +33,9 @@ RCSID("$OpenBSD: kexgex.c,v 1.23 2003/02/16 17:09:57 markus Exp $");
33#include "kex.h" 33#include "kex.h"
34#include "ssh2.h" 34#include "ssh2.h"
35 35
36u_char * 36void
37kexgex_hash( 37kexgex_hash(
38 const EVP_MD *evp_md,
38 char *client_version_string, 39 char *client_version_string,
39 char *server_version_string, 40 char *server_version_string,
40 char *ckexinit, int ckexinitlen, 41 char *ckexinit, int ckexinitlen,
@@ -43,11 +44,11 @@ kexgex_hash(
43 int min, int wantbits, int max, BIGNUM *prime, BIGNUM *gen, 44 int min, int wantbits, int max, BIGNUM *prime, BIGNUM *gen,
44 BIGNUM *client_dh_pub, 45 BIGNUM *client_dh_pub,
45 BIGNUM *server_dh_pub, 46 BIGNUM *server_dh_pub,
46 BIGNUM *shared_secret) 47 BIGNUM *shared_secret,
48 u_char **hash, u_int *hashlen)
47{ 49{
48 Buffer b; 50 Buffer b;
49 static u_char digest[EVP_MAX_MD_SIZE]; 51 static u_char digest[EVP_MAX_MD_SIZE];
50 const EVP_MD *evp_md = EVP_sha1();
51 EVP_MD_CTX md; 52 EVP_MD_CTX md;
52 53
53 buffer_init(&b); 54 buffer_init(&b);
@@ -79,14 +80,15 @@ kexgex_hash(
79#ifdef DEBUG_KEXDH 80#ifdef DEBUG_KEXDH
80 buffer_dump(&b); 81 buffer_dump(&b);
81#endif 82#endif
83
82 EVP_DigestInit(&md, evp_md); 84 EVP_DigestInit(&md, evp_md);
83 EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); 85 EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
84 EVP_DigestFinal(&md, digest, NULL); 86 EVP_DigestFinal(&md, digest, NULL);
85 87
86 buffer_free(&b); 88 buffer_free(&b);
87 89 *hash = digest;
90 *hashlen = EVP_MD_size(evp_md);
88#ifdef DEBUG_KEXDH 91#ifdef DEBUG_KEXDH
89 dump_digest("hash", digest, EVP_MD_size(evp_md)); 92 dump_digest("hash", digest, *hashlen);
90#endif 93#endif
91 return digest;
92} 94}
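Review bot: `*hashlen = EVP_MD_size(evp_md);` stores a signed return value into a `u_int` without checking it, and `evp_md` is now a caller-supplied pointer that is never tested for NULL. derive_key in kex.c rejects a size `<= 0`, but here a negative size would turn into a very large length that the callers hand to key_sign, key_verify and the session-id `memcpy`. Letting the digest report its own length avoids the conversion: `EVP_DigestFinal(&md, digest, hashlen);` followed by `*hash = digest;`. The same assignment appears at the end of kex_dh_hash in kexdh.c.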
diff --git a/kexgexc.c b/kexgexc.c
index 0193183b9..a6ff8757d 100644
--- a/kexgexc.c
+++ b/kexgexc.c
@@ -24,7 +24,7 @@
24 */ 24 */
25 25
26#include "includes.h" 26#include "includes.h"
27RCSID("$OpenBSD: kexgexc.c,v 1.2 2003/12/08 11:00:47 markus Exp $"); 27RCSID("$OpenBSD: kexgexc.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
28 28
29#include "xmalloc.h" 29#include "xmalloc.h"
30#include "key.h" 30#include "key.h"
@@ -42,7 +42,7 @@ kexgex_client(Kex *kex)
42 BIGNUM *p = NULL, *g = NULL; 42 BIGNUM *p = NULL, *g = NULL;
43 Key *server_host_key; 43 Key *server_host_key;
44 u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL; 44 u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
45 u_int klen, kout, slen, sbloblen; 45 u_int klen, kout, slen, sbloblen, hashlen;
46 int min, max, nbits; 46 int min, max, nbits;
47 DH *dh; 47 DH *dh;
48 48
@@ -155,7 +155,8 @@ kexgex_client(Kex *kex)
155 min = max = -1; 155 min = max = -1;
156 156
157 /* calc and verify H */ 157 /* calc and verify H */
158 hash = kexgex_hash( 158 kexgex_hash(
159 kex->evp_md,
159 kex->client_version_string, 160 kex->client_version_string,
160 kex->server_version_string, 161 kex->server_version_string,
161 buffer_ptr(&kex->my), buffer_len(&kex->my), 162 buffer_ptr(&kex->my), buffer_len(&kex->my),
@@ -165,25 +166,27 @@ kexgex_client(Kex *kex)
165 dh->p, dh->g, 166 dh->p, dh->g,
166 dh->pub_key, 167 dh->pub_key,
167 dh_server_pub, 168 dh_server_pub,
168 shared_secret 169 shared_secret,
170 &hash, &hashlen
169 ); 171 );
172
170 /* have keys, free DH */ 173 /* have keys, free DH */
171 DH_free(dh); 174 DH_free(dh);
172 xfree(server_host_key_blob); 175 xfree(server_host_key_blob);
173 BN_clear_free(dh_server_pub); 176 BN_clear_free(dh_server_pub);
174 177
175 if (key_verify(server_host_key, signature, slen, hash, 20) != 1) 178 if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
176 fatal("key_verify failed for server_host_key"); 179 fatal("key_verify failed for server_host_key");
177 key_free(server_host_key); 180 key_free(server_host_key);
178 xfree(signature); 181 xfree(signature);
179 182
180 /* save session id */ 183 /* save session id */
181 if (kex->session_id == NULL) { 184 if (kex->session_id == NULL) {
182 kex->session_id_len = 20; 185 kex->session_id_len = hashlen;
183 kex->session_id = xmalloc(kex->session_id_len); 186 kex->session_id = xmalloc(kex->session_id_len);
184 memcpy(kex->session_id, hash, kex->session_id_len); 187 memcpy(kex->session_id, hash, kex->session_id_len);
185 } 188 }
186 kex_derive_keys(kex, hash, shared_secret); 189 kex_derive_keys(kex, hash, hashlen, shared_secret);
187 BN_clear_free(shared_secret); 190 BN_clear_free(shared_secret);
188 191
189 kex_finish(kex); 192 kex_finish(kex);
diff --git a/kexgexs.c b/kexgexs.c
index baebfcfb0..c48b27af9 100644
--- a/kexgexs.c
+++ b/kexgexs.c
@@ -24,7 +24,7 @@
24 */ 24 */
25 25
26#include "includes.h" 26#include "includes.h"
27RCSID("$OpenBSD: kexgexs.c,v 1.1 2003/02/16 17:09:57 markus Exp $"); 27RCSID("$OpenBSD: kexgexs.c,v 1.2 2005/11/04 05:15:59 djm Exp $");
28 28
29#include "xmalloc.h" 29#include "xmalloc.h"
30#include "key.h" 30#include "key.h"
@@ -43,7 +43,7 @@ kexgex_server(Kex *kex)
43 Key *server_host_key; 43 Key *server_host_key;
44 DH *dh; 44 DH *dh;
45 u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL; 45 u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
46 u_int sbloblen, klen, kout, slen; 46 u_int sbloblen, klen, kout, slen, hashlen;
47 int min = -1, max = -1, nbits = -1, type; 47 int min = -1, max = -1, nbits = -1, type;
48 48
49 if (kex->load_host_key == NULL) 49 if (kex->load_host_key == NULL)
@@ -137,8 +137,9 @@ kexgex_server(Kex *kex)
137 if (type == SSH2_MSG_KEX_DH_GEX_REQUEST_OLD) 137 if (type == SSH2_MSG_KEX_DH_GEX_REQUEST_OLD)
138 min = max = -1; 138 min = max = -1;
139 139
140 /* calc H */ /* XXX depends on 'kex' */ 140 /* calc H */
141 hash = kexgex_hash( 141 kexgex_hash(
142 kex->evp_md,
142 kex->client_version_string, 143 kex->client_version_string,
143 kex->server_version_string, 144 kex->server_version_string,
144 buffer_ptr(&kex->peer), buffer_len(&kex->peer), 145 buffer_ptr(&kex->peer), buffer_len(&kex->peer),
@@ -148,21 +149,20 @@ kexgex_server(Kex *kex)
148 dh->p, dh->g, 149 dh->p, dh->g,
149 dh_client_pub, 150 dh_client_pub,
150 dh->pub_key, 151 dh->pub_key,
151 shared_secret 152 shared_secret,
153 &hash, &hashlen
152 ); 154 );
153 BN_clear_free(dh_client_pub); 155 BN_clear_free(dh_client_pub);
154 156
155 /* save session id := H */ 157 /* save session id := H */
156 /* XXX hashlen depends on KEX */
157 if (kex->session_id == NULL) { 158 if (kex->session_id == NULL) {
158 kex->session_id_len = 20; 159 kex->session_id_len = hashlen;
159 kex->session_id = xmalloc(kex->session_id_len); 160 kex->session_id = xmalloc(kex->session_id_len);
160 memcpy(kex->session_id, hash, kex->session_id_len); 161 memcpy(kex->session_id, hash, kex->session_id_len);
161 } 162 }
162 163
163 /* sign H */ 164 /* sign H */
164 /* XXX hashlen depends on KEX */ 165 PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
165 PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20));
166 166
167 /* destroy_sensitive_data(); */ 167 /* destroy_sensitive_data(); */
168 168
@@ -179,7 +179,7 @@ kexgex_server(Kex *kex)
179 /* have keys, free DH */ 179 /* have keys, free DH */
180 DH_free(dh); 180 DH_free(dh);
181 181
182 kex_derive_keys(kex, hash, shared_secret); 182 kex_derive_keys(kex, hash, hashlen, shared_secret);
183 BN_clear_free(shared_secret); 183 BN_clear_free(shared_secret);
184 184
185 kex_finish(kex); 185 kex_finish(kex);
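--- a/loginrec.c
+++ b/loginrec.c
@@ -165,7 +165,7 @@
 # include <libutil.h>
 #endif
 
-RCSID("$Id: loginrec.c,v 1.70 2005/07/17 07:26:44 djm Exp $");
+RCSID("$Id: loginrec.c,v 1.71 2005/11/22 08:55:13 dtucker Exp $");
 
 /**
  ** prototypes for helper functions in this file
@@ -1589,7 +1589,7 @@ lastlog_get_entry(struct logininfo *li)
  return (0);
  default:
  error("%s: Error reading from %s: Expecting %d, got %d",
- __func__, LASTLOG_FILE, sizeof(last), ret);
+ __func__, LASTLOG_FILE, (int)sizeof(last), ret);
  return (0);
  }
 
@@ -1613,7 +1613,7 @@ record_failed_login(const char *username, const char *hostname,
  int fd;
  struct utmp ut;
  struct sockaddr_storage from;
- size_t fromlen = sizeof(from);
+ socklen_t fromlen = sizeof(from);
  struct sockaddr_in *a4;
  struct sockaddr_in6 *a6;
  time_t t;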
diff --git a/misc.c b/misc.c
index 2dd8ae6e3..29e928886 100644
--- a/misc.c
+++ b/misc.c
@@ -24,7 +24,11 @@
24 */ 24 */
25 25
26#include "includes.h" 26#include "includes.h"
27RCSID("$OpenBSD: misc.c,v 1.34 2005/07/08 09:26:18 dtucker Exp $"); 27RCSID("$OpenBSD: misc.c,v 1.42 2006/01/31 10:19:02 djm Exp $");
28
29#ifdef SSH_TUN_OPENBSD
30#include <net/if.h>
31#endif
28 32
29#include "misc.h" 33#include "misc.h"
30#include "log.h" 34#include "log.h"
@@ -194,6 +198,37 @@ a2port(const char *s)
194 return port; 198 return port;
195} 199}
196 200
201int
202a2tun(const char *s, int *remote)
203{
204 const char *errstr = NULL;
205 char *sp, *ep;
206 int tun;
207
208 if (remote != NULL) {
209 *remote = SSH_TUNID_ANY;
210 sp = xstrdup(s);
211 if ((ep = strchr(sp, ':')) == NULL) {
212 xfree(sp);
213 return (a2tun(s, NULL));
214 }
215 ep[0] = '\0'; ep++;
216 *remote = a2tun(ep, NULL);
217 tun = a2tun(sp, NULL);
218 xfree(sp);
219 return (*remote == SSH_TUNID_ERR ? *remote : tun);
220 }
221
222 if (strcasecmp(s, "any") == 0)
223 return (SSH_TUNID_ANY);
224
225 tun = strtonum(s, 0, SSH_TUNID_MAX, &errstr);
226 if (errstr != NULL)
227 return (SSH_TUNID_ERR);
228
229 return (tun);
230}
231
197#define SECONDS 1 232#define SECONDS 1
198#define MINUTES (SECONDS * 60) 233#define MINUTES (SECONDS * 60)
199#define HOURS (MINUTES * 60) 234#define HOURS (MINUTES * 60)
@@ -356,12 +391,15 @@ void
356addargs(arglist *args, char *fmt, ...) 391addargs(arglist *args, char *fmt, ...)
357{ 392{
358 va_list ap; 393 va_list ap;
359 char buf[1024]; 394 char *cp;
360 u_int nalloc; 395 u_int nalloc;
396 int r;
361 397
362 va_start(ap, fmt); 398 va_start(ap, fmt);
363 vsnprintf(buf, sizeof(buf), fmt, ap); 399 r = vasprintf(&cp, fmt, ap);
364 va_end(ap); 400 va_end(ap);
401 if (r == -1)
402 fatal("addargs: argument too long");
365 403
366 nalloc = args->nalloc; 404 nalloc = args->nalloc;
367 if (args->list == NULL) { 405 if (args->list == NULL) {
@@ -372,10 +410,44 @@ addargs(arglist *args, char *fmt, ...)
372 410
373 args->list = xrealloc(args->list, nalloc * sizeof(char *)); 411 args->list = xrealloc(args->list, nalloc * sizeof(char *));
374 args->nalloc = nalloc; 412 args->nalloc = nalloc;
375 args->list[args->num++] = xstrdup(buf); 413 args->list[args->num++] = cp;
376 args->list[args->num] = NULL; 414 args->list[args->num] = NULL;
377} 415}
378 416
417void
418replacearg(arglist *args, u_int which, char *fmt, ...)
419{
420 va_list ap;
421 char *cp;
422 int r;
423
424 va_start(ap, fmt);
425 r = vasprintf(&cp, fmt, ap);
426 va_end(ap);
427 if (r == -1)
428 fatal("replacearg: argument too long");
429
430 if (which >= args->num)
431 fatal("replacearg: tried to replace invalid arg %d >= %d",
432 which, args->num);
433 xfree(args->list[which]);
434 args->list[which] = cp;
435}
436
437void
438freeargs(arglist *args)
439{
440 u_int i;
441
442 if (args->list != NULL) {
443 for (i = 0; i < args->num; i++)
444 xfree(args->list[i]);
445 xfree(args->list);
446 args->nalloc = args->num = 0;
447 args->list = NULL;
448 }
449}
450
379/* 451/*
380 * Expands tildes in the file name. Returns data allocated by xmalloc. 452 * Expands tildes in the file name. Returns data allocated by xmalloc.
381 * Warning: this calls getpw*. 453 * Warning: this calls getpw*.
@@ -507,6 +579,99 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
507 return -1; 579 return -1;
508} 580}
509 581
582int
583tun_open(int tun, int mode)
584{
585#if defined(CUSTOM_SYS_TUN_OPEN)
586 return (sys_tun_open(tun, mode));
587#elif defined(SSH_TUN_OPENBSD)
588 struct ifreq ifr;
589 char name[100];
590 int fd = -1, sock;
591
592 /* Open the tunnel device */
593 if (tun <= SSH_TUNID_MAX) {
594 snprintf(name, sizeof(name), "/dev/tun%d", tun);
595 fd = open(name, O_RDWR);
596 } else if (tun == SSH_TUNID_ANY) {
597 for (tun = 100; tun >= 0; tun--) {
598 snprintf(name, sizeof(name), "/dev/tun%d", tun);
599 if ((fd = open(name, O_RDWR)) >= 0)
600 break;
601 }
602 } else {
603 debug("%s: invalid tunnel %u", __func__, tun);
604 return (-1);
605 }
606
607 if (fd < 0) {
608 debug("%s: %s open failed: %s", __func__, name, strerror(errno));
609 return (-1);
610 }
611
612 debug("%s: %s mode %d fd %d", __func__, name, mode, fd);
613
614 /* Set the tunnel device operation mode */
615 snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "tun%d", tun);
616 if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1)
617 goto failed;
618
619 if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1)
620 goto failed;
621
622 /* Set interface mode */
623 ifr.ifr_flags &= ~IFF_UP;
624 if (mode == SSH_TUNMODE_ETHERNET)
625 ifr.ifr_flags |= IFF_LINK0;
626 else
627 ifr.ifr_flags &= ~IFF_LINK0;
628 if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1)
629 goto failed;
630
631 /* Bring interface up */
632 ifr.ifr_flags |= IFF_UP;
633 if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1)
634 goto failed;
635
636 close(sock);
637 return (fd);
638
639 failed:
640 if (fd >= 0)
641 close(fd);
642 if (sock >= 0)
643 close(sock);
644 debug("%s: failed to set %s mode %d: %s", __func__, name,
645 mode, strerror(errno));
646 return (-1);
647#else
648 error("Tunnel interfaces are not supported on this platform");
649 return (-1);
650#endif
651}
652
653void
654sanitise_stdfd(void)
655{
656 int nullfd, dupfd;
657
658 if ((nullfd = dupfd = open(_PATH_DEVNULL, O_RDWR)) == -1) {
659 fprintf(stderr, "Couldn't open /dev/null: %s", strerror(errno));
660 exit(1);
661 }
662 while (++dupfd <= 2) {
663 /* Only clobber closed fds */
664 if (fcntl(dupfd, F_GETFL, 0) >= 0)
665 continue;
666 if (dup2(nullfd, dupfd) == -1) {
667 fprintf(stderr, "dup2: %s", strerror(errno));
668 exit(1);
669 }
670 }
671 if (nullfd > 2)
672 close(nullfd);
673}
674
510char * 675char *
511tohex(const u_char *d, u_int l) 676tohex(const u_char *d, u_int l)
512{ 677{
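Review bot: tun_open accepts negative unit numbers, because its first test is `if (tun <= SSH_TUNID_MAX)` and every negative `int` satisfies it. Such a value is formatted into a device path like `/dev/tun-1` and passed to `open()` instead of reaching the "invalid tunnel" branch. a2tun bounds its result at 0 through `strtonum(s, 0, SSH_TUNID_MAX, &errstr)`, but tun_open is exported in misc.h and should not rely on every caller having gone through it; `if (tun >= 0 && tun <= SSH_TUNID_MAX)` closes the gap. The `debug("%s: invalid tunnel %u", __func__, tun)` call also prints the signed `tun` with `%u`, where `%d` matches the type.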
diff --git a/misc.h b/misc.h
index 2d630feb5..0a1a09a68 100644
--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: misc.h,v 1.25 2005/07/14 04:00:43 dtucker Exp $ */ 1/* $OpenBSD: misc.h,v 1.29 2006/01/31 10:19:02 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -20,6 +20,7 @@ int set_nonblock(int);
20int unset_nonblock(int); 20int unset_nonblock(int);
21void set_nodelay(int); 21void set_nodelay(int);
22int a2port(const char *); 22int a2port(const char *);
23int a2tun(const char *, int *);
23char *hpdelim(char **); 24char *hpdelim(char **);
24char *cleanhostname(char *); 25char *cleanhostname(char *);
25char *colon(char *); 26char *colon(char *);
@@ -27,6 +28,7 @@ long convtime(const char *);
27char *tilde_expand_filename(const char *, uid_t); 28char *tilde_expand_filename(const char *, uid_t);
28char *percent_expand(const char *, ...) __attribute__((__sentinel__)); 29char *percent_expand(const char *, ...) __attribute__((__sentinel__));
29char *tohex(const u_char *, u_int); 30char *tohex(const u_char *, u_int);
31void sanitise_stdfd(void);
30 32
31struct passwd *pwcopy(struct passwd *); 33struct passwd *pwcopy(struct passwd *);
32 34
@@ -36,7 +38,11 @@ struct arglist {
36 u_int num; 38 u_int num;
37 u_int nalloc; 39 u_int nalloc;
38}; 40};
39void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3))); 41void addargs(arglist *, char *, ...)
42 __attribute__((format(printf, 2, 3)));
43void replacearg(arglist *, u_int, char *, ...)
44 __attribute__((format(printf, 3, 4)));
45void freeargs(arglist *);
40 46
41/* readpass.c */ 47/* readpass.c */
42 48
@@ -48,3 +54,16 @@ void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3)));
48char *read_passphrase(const char *, int); 54char *read_passphrase(const char *, int);
49int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); 55int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
50int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); 56int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
57
58int tun_open(int, int);
59
60/* Common definitions for ssh tunnel device forwarding */
61#define SSH_TUNMODE_NO 0x00
62#define SSH_TUNMODE_POINTOPOINT 0x01
63#define SSH_TUNMODE_ETHERNET 0x02
64#define SSH_TUNMODE_DEFAULT SSH_TUNMODE_POINTOPOINT
65#define SSH_TUNMODE_YES (SSH_TUNMODE_POINTOPOINT|SSH_TUNMODE_ETHERNET)
66
67#define SSH_TUNID_ANY 0x7fffffff
68#define SSH_TUNID_ERR (SSH_TUNID_ANY - 1)
69#define SSH_TUNID_MAX (SSH_TUNID_ANY - 2)
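--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.63 2005/03/10 22:01:05 deraadt Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.64 2005/10/13 22:24:31 stevesk Exp $");
 
 #include <openssl/dh.h>
 
@@ -855,9 +855,7 @@ mm_answer_pam_account(int sock, Buffer *m)
  ret = do_pam_account();
 
  buffer_put_int(m, ret);
- buffer_append(&loginmsg, "\0", 1);
- buffer_put_cstring(m, buffer_ptr(&loginmsg));
- buffer_clear(&loginmsg);
+ buffer_put_string(m, buffer_ptr(&loginmsg), buffer_len(&loginmsg));
 
  mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m);
 
@@ -1855,7 +1853,7 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
  buffer_clear(m);
  buffer_put_int(m, major);
 
- mm_request_send(sock,MONITOR_ANS_GSSSETUP, m);
+ mm_request_send(sock, MONITOR_ANS_GSSSETUP, m);
 
  /* Now we have a context, enable the step */
  monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1);
@@ -1868,7 +1866,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
 {
  gss_buffer_desc in;
  gss_buffer_desc out = GSS_C_EMPTY_BUFFER;
- OM_uint32 major,minor;
+ OM_uint32 major, minor;
  OM_uint32 flags = 0; /* GSI needs this */
  u_int len;
 
@@ -1885,7 +1883,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
 
  gss_release_buffer(&minor, &out);
 
- if (major==GSS_S_COMPLETE) {
+ if (major == GSS_S_COMPLETE) {
  monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
  monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
  monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -1935,7 +1933,7 @@ mm_answer_gss_userok(int sock, Buffer *m)
  debug3("%s: sending result %d", __func__, authenticated);
  mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
 
- auth_method="gssapi-with-mic";
+ auth_method = "gssapi-with-mic";
 
  /* Monitor loop will terminate if authenticated */
  return (authenticated);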
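Review bot: The `buffer_clear(&loginmsg)` call is dropped from mm_answer_pam_account together with the NUL append, and nothing at the call site says whether keeping the accumulated login messages in the monitor's buffer is intended. Sending `buffer_ptr(&loginmsg)` with `buffer_len(&loginmsg)` is the safer form, since it no longer mutates the buffer or depends on a terminator, but if this request can be answered more than once the same text would be forwarded again. I would either restore the clear after the put or add a comment such as `/* loginmsg is left intact on purpose: it is consumed later */`, whichever matches the intent. The function starts above this hunk, so any earlier handling of loginmsg is not visible here.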
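--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -72,7 +72,6 @@ extern struct monitor *pmonitor;
 extern Buffer input, output;
 extern Buffer loginmsg;
 extern ServerOptions options;
-extern Buffer loginmsg;
 
 int
 mm_is_monitor(void)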
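--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.35 2005/08/26 20:15:20 tim Exp $
+# $Id: Makefile.in,v 1.37 2005/12/31 05:33:37 djm Exp $
 
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@@ -18,9 +18,9 @@ LDFLAGS=-L. @LDFLAGS@
 
 OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtonum.o strtoll.o strtoul.o vis.o
 
-COMPAT=bsd-arc4random.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
+COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
 
-PORTS=port-irix.o port-aix.o port-uw.o
+PORTS=port-irix.o port-aix.o port-uw.o port-tun.o
 
 .c.o:
  $(CC) $(CFLAGS) $(CPPFLAGS) -c $<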
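--- a/openbsd-compat/base64.c
+++ b/openbsd-compat/base64.c
@@ -1,5 +1,3 @@
-/* OPENBSD ORIGINAL: lib/libc/net/base64.c */
-
 /* $OpenBSD: base64.c,v 1.4 2002/01/02 23:00:10 deraadt Exp $ */
 
 /*
@@ -44,6 +42,8 @@
  * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
  */
 
+/* OPENBSD ORIGINAL: lib/libc/net/base64.c */
+
 #include "includes.h"
 
 #if (!defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP)) || (!defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON))
@@ -139,7 +139,7 @@ b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize)
  size_t datalength = 0;
  u_char input[3];
  u_char output[4];
- int i;
+ u_int i;
 
  while (2 < srclength) {
  input[0] = *src++;
@@ -206,7 +206,8 @@ b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize)
 int
 b64_pton(char const *src, u_char *target, size_t targsize)
 {
- int tarindex, state, ch;
+ u_int tarindex, state;
+ int ch;
  char *pos;
 
  state = 0;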
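Review bot: In b64_pton `tarindex` becomes `u_int` while the bound it is presumably checked against, `targsize`, is a `size_t`; declaring it as `size_t tarindex;` would match the parameter's type rather than add a third width, and the same goes for `i` in b64_ntop if it is compared with a `size_t`. The comparisons themselves lie outside both hunks, so this is inferred from the two signatures. Keeping `ch` as `int` is right, since it is split out precisely to stay signed.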
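--- a/openbsd-compat/basename.c
+++ b/openbsd-compat/basename.c
@@ -1,9 +1,7 @@
-/* OPENBSD ORIGINAL: lib/libc/gen/basename.c */
-
-/* $OpenBSD: basename.c,v 1.11 2003/06/17 21:56:23 millert Exp $ */
+/* $OpenBSD: basename.c,v 1.14 2005/08/08 08:05:33 espie Exp $ */
 
 /*
- * Copyright (c) 1997 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1997, 2004 Todd C. Miller <Todd.Miller@courtesan.com>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,34 +16,35 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* OPENBSD ORIGINAL: lib/libc/gen/basename.c */
+
 #include "includes.h"
 #ifndef HAVE_BASENAME
 
-#ifndef lint
-static char rcsid[] = "$OpenBSD: basename.c,v 1.11 2003/06/17 21:56:23 millert Exp $";
-#endif /* not lint */
-
 char *
 basename(const char *path)
 {
  static char bname[MAXPATHLEN];
- register const char *endp, *startp;
+ size_t len;
+ const char *endp, *startp;
 
  /* Empty or NULL string gets treated as "." */
  if (path == NULL || *path == '\0') {
- (void)strlcpy(bname, ".", sizeof bname);
- return(bname);
+ bname[0] = '.';
+ bname[1] = '\0';
+ return (bname);
  }
 
- /* Strip trailing slashes */
+ /* Strip any trailing slashes */
  endp = path + strlen(path) - 1;
  while (endp > path && *endp == '/')
  endp--;
 
- /* All slashes become "/" */
+ /* All slashes becomes "/" */
  if (endp == path && *endp == '/') {
- (void)strlcpy(bname, "/", sizeof bname);
- return(bname);
+ bname[0] = '/';
+ bname[1] = '\0';
+ return (bname);
  }
 
  /* Find the start of the base */
@@ -53,12 +52,14 @@ basename(const char *path)
  while (startp > path && *(startp - 1) != '/')
  startp--;
 
- if (endp - startp + 2 > sizeof(bname)) {
+ len = endp - startp + 1;
+ if (len >= sizeof(bname)) {
  errno = ENAMETOOLONG;
- return(NULL);
+ return (NULL);
  }
- strlcpy(bname, startp, endp - startp + 2);
- return(bname);
+ memcpy(bname, startp, len);
+ bname[len] = '\0';
+ return (bname);
 }
 
 #endif /* !defined(HAVE_BASENAME) */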
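Review bot: basename() returns a pointer into the function-static `bname` and returns NULL with errno set to ENAMETOOLONG when the final component is MAXPATHLEN bytes or longer, but neither fact is stated at the definition. A header comment would tell callers what to check, for example `/* Returns a pointer to a static buffer that the next call overwrites, or NULL with errno = ENAMETOOLONG. */`. The new `len >= sizeof(bname)` test followed by `memcpy` and an explicit terminator keeps the write inside the buffer. The reworded comment `/* All slashes becomes "/" */` read better in its earlier form, `/* All slashes become "/" */`.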
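--- a/openbsd-compat/bindresvport.c
+++ b/openbsd-compat/bindresvport.c
@@ -1,6 +1,6 @@
 /* This file has be substantially modified from the original OpenBSD source */
 
-/* $OpenBSD: bindresvport.c,v 1.15 2003/05/20 22:42:35 deraadt Exp $ */
+/* $OpenBSD: bindresvport.c,v 1.16 2005/04/01 07:44:03 otto Exp $ */
 
 /*
  * Copyright 1996, Jason Downs. All rights reserved.
@@ -28,6 +28,8 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+/* OPENBSD ORIGINAL: lib/libc/rpc/bindresvport.c */
+
 #include "includes.h"
 
 #ifndef HAVE_BINDRESVPORT_SA
@@ -42,9 +44,7 @@
  * Bind a socket to a privileged IP port
  */
 int
-bindresvport_sa(sd, sa)
- int sd;
- struct sockaddr *sa;
+bindresvport_sa(int sd, struct sockaddr *sa)
 {
  int error, af;
  struct sockaddr_storage myaddr;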
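--- /dev/null
+++ b/openbsd-compat/bsd-asprintf.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (c) 2004 Darren Tucker.
+ *
+ * Based originally on asprintf.c from OpenBSD:
+ * Copyright (c) 1997 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#ifndef HAVE_VASPRINTF
+
+#ifndef VA_COPY
+# ifdef HAVE_VA_COPY
+# define VA_COPY(dest, src) va_copy(dest, src)
+# else
+# ifdef HAVE___VA_COPY
+# define VA_COPY(dest, src) __va_copy(dest, src)
+# else
+# define VA_COPY(dest, src) (dest) = (src)
+# endif
+# endif
+#endif
+
+#define INIT_SZ 128
+
+int vasprintf(char **str, const char *fmt, va_list ap)
+{
+ int ret = -1;
+ va_list ap2;
+ char *string, *newstr;
+ size_t len;
+
+ VA_COPY(ap2, ap);
+ if ((string = malloc(INIT_SZ)) == NULL)
+ goto fail;
+
+ ret = vsnprintf(string, INIT_SZ, fmt, ap2);
+ if (ret >= 0 && ret < INIT_SZ) { /* succeeded with initial alloc */
+ *str = string;
+ } else if (ret == INT_MAX) { /* shouldn't happen */
+ goto fail;
+ } else { /* bigger than initial, realloc allowing for nul */
+ len = (size_t)ret + 1;
+ if ((newstr = realloc(string, len)) == NULL) {
+ free(string);
+ goto fail;
+ } else {
+ va_end(ap2);
+ VA_COPY(ap2, ap);
+ ret = vsnprintf(newstr, len, fmt, ap2);
+ if (ret >= 0 && (size_t)ret < len) {
+ *str = newstr;
+ } else { /* failed with realloc'ed string, give up */
+ free(newstr);
+ goto fail;
+ }
+ }
+ }
+ va_end(ap2);
+ return (ret);
+
+fail:
+ *str = NULL;
+ errno = ENOMEM;
+ va_end(ap2);
+ return (-1);
+}
+#endif
+
+#ifndef HAVE_ASPRINTF
+int asprintf(char **str, const char *fmt, ...)
+{
+ va_list ap;
+ int ret;
+
+ *str = NULL;
+ va_start(ap, fmt);
+ ret = vasprintf(str, fmt, ap);
+ va_end(ap);
+
+ return ret;
+}
+#endif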
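Review bot: In vasprintf a negative return from the first vsnprintf() falls through to the realloc branch, where `len = (size_t)ret + 1` wraps to 0 for -1; realloc(string, 0) may free the block and return NULL, after which `free(string)` releases it a second time. The `ret == INT_MAX` branch also jumps to `fail` without freeing `string`, so that path leaks the initial allocation. Both are covered by widening the branch to `} else if (ret == INT_MAX || ret < 0) {` and calling `free(string);` before `goto fail;`. Separately, `fail` sets errno to ENOMEM even when the cause was a formatting error rather than allocation, which deserves a comment at the label.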
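--- a/openbsd-compat/bsd-closefrom.c
+++ b/openbsd-compat/bsd-closefrom.c
@@ -46,7 +46,7 @@
 # define OPEN_MAX 256
 #endif
 
-RCSID("$Id: bsd-closefrom.c,v 1.1 2004/08/15 08:41:00 djm Exp $");
+RCSID("$Id: bsd-closefrom.c,v 1.2 2005/11/10 08:29:13 dtucker Exp $");
 
 #ifndef lint
 static const char sudorcsid[] = "$Sudo: closefrom.c,v 1.6 2004/06/01 20:51:56 millert Exp $";
@@ -67,7 +67,7 @@ closefrom(int lowfd)
 
  /* Check for a /proc/$$/fd directory. */
  len = snprintf(fdpath, sizeof(fdpath), "/proc/%ld/fd", (long)getpid());
- if (len != -1 && len <= sizeof(fdpath) && (dirp = opendir(fdpath))) {
+ if (len >= 0 && (u_int)len <= sizeof(fdpath) && (dirp = opendir(fdpath))) {
  while ((dent = readdir(dirp)) != NULL) {
  fd = strtol(dent->d_name, &endp, 10);
  if (dent->d_name != endp && *endp == '\0' &&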
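Review bot: The bound on the snprintf() result in closefrom still accepts `len == sizeof(fdpath)`, which is a truncated result, because snprintf reports the length without the terminating NUL. The comparison should be strict and use the type of the right-hand side: `if (len >= 0 && (size_t)len < sizeof(fdpath) && (dirp = opendir(fdpath))) {`. With the fixed `/proc/%ld/fd` format truncation is unlikely in practice (the declaration of fdpath is outside the hunk), but the strict form is the one that matches the snprintf contract and keeps a truncated path from being opened. closefrom's body continues past the end of the hunk.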
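--- a/openbsd-compat/bsd-misc.c
+++ b/openbsd-compat/bsd-misc.c
@@ -18,7 +18,7 @@
 #include "includes.h"
 #include "xmalloc.h"
 
-RCSID("$Id: bsd-misc.c,v 1.27 2005/05/27 11:13:41 dtucker Exp $");
+RCSID("$Id: bsd-misc.c,v 1.28 2005/11/01 22:07:31 dtucker Exp $");
 
 #ifndef HAVE___PROGNAME
 char *__progname;
@@ -223,10 +223,7 @@ strdup(const char *str)
  len = strlen(str) + 1;
  cp = malloc(len);
  if (cp != NULL)
- if (strlcpy(cp, str, len) != len) {
- free(cp);
- return NULL;
- }
- return cp;
+ return(memcpy(cp, str, len));
+ return NULL;
 }
 #endif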
diff --git a/openbsd-compat/bsd-snprintf.c b/openbsd-compat/bsd-snprintf.c
index b5a7ef7a0..e4ba154fd 100644
--- a/openbsd-compat/bsd-snprintf.c
+++ b/openbsd-compat/bsd-snprintf.c
@@ -45,45 +45,82 @@
45 * missing. Some systems only have snprintf() but not vsnprintf(), so 45 * missing. Some systems only have snprintf() but not vsnprintf(), so
46 * the code is now broken down under HAVE_SNPRINTF and HAVE_VSNPRINTF. 46 * the code is now broken down under HAVE_SNPRINTF and HAVE_VSNPRINTF.
47 * 47 *
48 * Ben Lindstrom <mouring@eviladmin.org> 09/27/00 for OpenSSH 48 * Andrew Tridgell (tridge@samba.org) Oct 1998
49 * Welcome to the world of %lld and %qd support. With other 49 * fixed handling of %.0f
50 * long long support. This is needed for sftp-server to work 50 * added test for HAVE_LONG_DOUBLE
51 * right.
52 * 51 *
53 * Ben Lindstrom <mouring@eviladmin.org> 02/12/01 for OpenSSH 52 * tridge@samba.org, idra@samba.org, April 2001
54 * Removed all hint of VARARGS stuff and banished it to the void, 53 * got rid of fcvt code (twas buggy and made testing harder)
55 * and did a bit of KNF style work to make things a bit more 54 * added C99 semantics
56 * acceptable. Consider stealing from mutt or enlightenment. 55 *
56 * date: 2002/12/19 19:56:31; author: herb; state: Exp; lines: +2 -0
57 * actually print args for %g and %e
58 *
59 * date: 2002/06/03 13:37:52; author: jmcd; state: Exp; lines: +8 -0
60 * Since includes.h isn't included here, VA_COPY has to be defined here. I don't
61 * see any include file that is guaranteed to be here, so I'm defining it
62 * locally. Fixes AIX and Solaris builds.
63 *
64 * date: 2002/06/03 03:07:24; author: tridge; state: Exp; lines: +5 -13
65 * put the ifdef for HAVE_VA_COPY in one place rather than in lots of
66 * functions
67 *
68 * date: 2002/05/17 14:51:22; author: jmcd; state: Exp; lines: +21 -4
69 * Fix usage of va_list passed as an arg. Use __va_copy before using it
70 * when it exists.
71 *
72 * date: 2002/04/16 22:38:04; author: idra; state: Exp; lines: +20 -14
73 * Fix incorrect zpadlen handling in fmtfp.
74 * Thanks to Ollie Oldham <ollie.oldham@metro-optix.com> for spotting it.
75 * few mods to make it easier to compile the tests.
76 * addedd the "Ollie" test to the floating point ones.
77 *
78 * Martin Pool (mbp@samba.org) April 2003
79 * Remove NO_CONFIG_H so that the test case can be built within a source
80 * tree with less trouble.
81 * Remove unnecessary SAFE_FREE() definition.
82 *
83 * Martin Pool (mbp@samba.org) May 2003
84 * Put in a prototype for dummy_snprintf() to quiet compiler warnings.
85 *
86 * Move #endif to make sure VA_COPY, LDOUBLE, etc are defined even
87 * if the C library has some snprintf functions already.
57 **************************************************************/ 88 **************************************************************/
58 89
59#include "includes.h" 90#include "includes.h"
60 91
61RCSID("$Id: bsd-snprintf.c,v 1.9 2004/09/23 11:35:09 dtucker Exp $"); 92RCSID("$Id: bsd-snprintf.c,v 1.11 2005/12/17 11:32:04 dtucker Exp $");
62 93
63#if defined(BROKEN_SNPRINTF) /* For those with broken snprintf() */ 94#if defined(BROKEN_SNPRINTF) /* For those with broken snprintf() */
64# undef HAVE_SNPRINTF 95# undef HAVE_SNPRINTF
65# undef HAVE_VSNPRINTF 96# undef HAVE_VSNPRINTF
66#endif 97#endif
67 98
68#if !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) 99#ifndef VA_COPY
69 100# ifdef HAVE_VA_COPY
70static void 101# define VA_COPY(dest, src) va_copy(dest, src)
71dopr(char *buffer, size_t maxlen, const char *format, va_list args); 102# else
72 103# ifdef HAVE___VA_COPY
73static void 104# define VA_COPY(dest, src) __va_copy(dest, src)
74fmtstr(char *buffer, size_t *currlen, size_t maxlen, char *value, int flags, 105# else
75 int min, int max); 106# define VA_COPY(dest, src) (dest) = (src)
107# endif
108# endif
109#endif
76 110
77static void 111#if !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF)
78fmtint(char *buffer, size_t *currlen, size_t maxlen, long value, int base,
79 int min, int max, int flags);
80 112
81static void 113#ifdef HAVE_LONG_DOUBLE
82fmtfp(char *buffer, size_t *currlen, size_t maxlen, long double fvalue, 114# define LDOUBLE long double
83 int min, int max, int flags); 115#else
116# define LDOUBLE double
117#endif
84 118
85static void 119#ifdef HAVE_LONG_LONG
86dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c); 120# define LLONG long long
121#else
122# define LLONG long
123#endif
87 124
88/* 125/*
89 * dopr(): poor man's version of doprintf 126 * dopr(): poor man's version of doprintf
@@ -109,28 +146,49 @@ dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c);
109#define DP_F_UNSIGNED (1 << 6) 146#define DP_F_UNSIGNED (1 << 6)
110 147
111/* Conversion Flags */ 148/* Conversion Flags */
112#define DP_C_SHORT 1 149#define DP_C_SHORT 1
113#define DP_C_LONG 2 150#define DP_C_LONG 2
114#define DP_C_LDOUBLE 3 151#define DP_C_LDOUBLE 3
115#define DP_C_LONG_LONG 4 152#define DP_C_LLONG 4
116 153
117#define char_to_int(p) (p - '0') 154#define char_to_int(p) ((p)- '0')
118#define abs_val(p) (p < 0 ? -p : p) 155#ifndef MAX
119 156# define MAX(p,q) (((p) >= (q)) ? (p) : (q))
157#endif
120 158
121static void 159static size_t dopr(char *buffer, size_t maxlen, const char *format,
122dopr(char *buffer, size_t maxlen, const char *format, va_list args) 160 va_list args_in);
161static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
162 char *value, int flags, int min, int max);
163static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
164 long value, int base, int min, int max, int flags);
165static void fmtfp(char *buffer, size_t *currlen, size_t maxlen,
166 LDOUBLE fvalue, int min, int max, int flags);
167static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c);
168
169static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args_in)
123{ 170{
124 char *strvalue, ch; 171 char ch;
125 long value; 172 LLONG value;
126 long double fvalue; 173 LDOUBLE fvalue;
127 int min = 0, max = -1, state = DP_S_DEFAULT, flags = 0, cflags = 0; 174 char *strvalue;
128 size_t currlen = 0; 175 int min;
129 176 int max;
177 int state;
178 int flags;
179 int cflags;
180 size_t currlen;
181 va_list args;
182
183 VA_COPY(args, args_in);
184
185 state = DP_S_DEFAULT;
186 currlen = flags = cflags = min = 0;
187 max = -1;
130 ch = *format++; 188 ch = *format++;
131 189
132 while (state != DP_S_DONE) { 190 while (state != DP_S_DONE) {
133 if ((ch == '\0') || (currlen >= maxlen)) 191 if (ch == '\0')
134 state = DP_S_DONE; 192 state = DP_S_DONE;
135 193
136 switch(state) { 194 switch(state) {
@@ -138,7 +196,7 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args)
138 if (ch == '%') 196 if (ch == '%')
139 state = DP_S_FLAGS; 197 state = DP_S_FLAGS;
140 else 198 else
141 dopr_outch(buffer, &currlen, maxlen, ch); 199 dopr_outch (buffer, &currlen, maxlen, ch);
142 ch = *format++; 200 ch = *format++;
143 break; 201 break;
144 case DP_S_FLAGS: 202 case DP_S_FLAGS:
@@ -170,34 +228,37 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args)
170 break; 228 break;
171 case DP_S_MIN: 229 case DP_S_MIN:
172 if (isdigit((unsigned char)ch)) { 230 if (isdigit((unsigned char)ch)) {
173 min = 10 * min + char_to_int (ch); 231 min = 10*min + char_to_int (ch);
174 ch = *format++; 232 ch = *format++;
175 } else if (ch == '*') { 233 } else if (ch == '*') {
176 min = va_arg (args, int); 234 min = va_arg (args, int);
177 ch = *format++; 235 ch = *format++;
178 state = DP_S_DOT; 236 state = DP_S_DOT;
179 } else 237 } else {
180 state = DP_S_DOT; 238 state = DP_S_DOT;
239 }
181 break; 240 break;
182 case DP_S_DOT: 241 case DP_S_DOT:
183 if (ch == '.') { 242 if (ch == '.') {
184 state = DP_S_MAX; 243 state = DP_S_MAX;
185 ch = *format++; 244 ch = *format++;
186 } else 245 } else {
187 state = DP_S_MOD; 246 state = DP_S_MOD;
247 }
188 break; 248 break;
189 case DP_S_MAX: 249 case DP_S_MAX:
190 if (isdigit((unsigned char)ch)) { 250 if (isdigit((unsigned char)ch)) {
191 if (max < 0) 251 if (max < 0)
192 max = 0; 252 max = 0;
193 max = 10 * max + char_to_int(ch); 253 max = 10*max + char_to_int (ch);
194 ch = *format++; 254 ch = *format++;
195 } else if (ch == '*') { 255 } else if (ch == '*') {
196 max = va_arg (args, int); 256 max = va_arg (args, int);
197 ch = *format++; 257 ch = *format++;
198 state = DP_S_MOD; 258 state = DP_S_MOD;
199 } else 259 } else {
200 state = DP_S_MOD; 260 state = DP_S_MOD;
261 }
201 break; 262 break;
202 case DP_S_MOD: 263 case DP_S_MOD:
203 switch (ch) { 264 switch (ch) {
@@ -208,15 +269,11 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args)
208 case 'l': 269 case 'l':
209 cflags = DP_C_LONG; 270 cflags = DP_C_LONG;
210 ch = *format++; 271 ch = *format++;
211 if (ch == 'l') { 272 if (ch == 'l') { /* It's a long long */
212 cflags = DP_C_LONG_LONG; 273 cflags = DP_C_LLONG;
213 ch = *format++; 274 ch = *format++;
214 } 275 }
215 break; 276 break;
216 case 'q':
217 cflags = DP_C_LONG_LONG;
218 ch = *format++;
219 break;
220 case 'L': 277 case 'L':
221 cflags = DP_C_LDOUBLE; 278 cflags = DP_C_LDOUBLE;
222 ch = *format++; 279 ch = *format++;
@@ -231,37 +288,37 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args)
231 case 'd': 288 case 'd':
232 case 'i': 289 case 'i':
233 if (cflags == DP_C_SHORT) 290 if (cflags == DP_C_SHORT)
234 value = va_arg(args, int); 291 value = va_arg (args, int);
235 else if (cflags == DP_C_LONG) 292 else if (cflags == DP_C_LONG)
236 value = va_arg(args, long int); 293 value = va_arg (args, long int);
237 else if (cflags == DP_C_LONG_LONG) 294 else if (cflags == DP_C_LLONG)
238 value = va_arg (args, long long); 295 value = va_arg (args, LLONG);
239 else 296 else
240 value = va_arg (args, int); 297 value = va_arg (args, int);
241 fmtint(buffer, &currlen, maxlen, value, 10, min, max, flags); 298 fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags);
242 break; 299 break;
243 case 'o': 300 case 'o':
244 flags |= DP_F_UNSIGNED; 301 flags |= DP_F_UNSIGNED;
245 if (cflags == DP_C_SHORT) 302 if (cflags == DP_C_SHORT)
246 value = va_arg(args, unsigned int); 303 value = va_arg (args, unsigned int);
247 else if (cflags == DP_C_LONG) 304 else if (cflags == DP_C_LONG)
248 value = va_arg(args, unsigned long int); 305 value = (long)va_arg (args, unsigned long int);
249 else if (cflags == DP_C_LONG_LONG) 306 else if (cflags == DP_C_LLONG)
250 value = va_arg(args, unsigned long long); 307 value = (long)va_arg (args, unsigned LLONG);
251 else 308 else
252 value = va_arg(args, unsigned int); 309 value = (long)va_arg (args, unsigned int);
253 fmtint(buffer, &currlen, maxlen, value, 8, min, max, flags); 310 fmtint (buffer, &currlen, maxlen, value, 8, min, max, flags);
254 break; 311 break;
255 case 'u': 312 case 'u':
256 flags |= DP_F_UNSIGNED; 313 flags |= DP_F_UNSIGNED;
257 if (cflags == DP_C_SHORT) 314 if (cflags == DP_C_SHORT)
258 value = va_arg(args, unsigned int); 315 value = va_arg (args, unsigned int);
259 else if (cflags == DP_C_LONG) 316 else if (cflags == DP_C_LONG)
260 value = va_arg(args, unsigned long int); 317 value = (long)va_arg (args, unsigned long int);
261 else if (cflags == DP_C_LONG_LONG) 318 else if (cflags == DP_C_LLONG)
262 value = va_arg(args, unsigned long long); 319 value = (LLONG)va_arg (args, unsigned LLONG);
263 else 320 else
264 value = va_arg(args, unsigned int); 321 value = (long)va_arg (args, unsigned int);
265 fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags); 322 fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags);
266 break; 323 break;
267 case 'X': 324 case 'X':
@@ -269,79 +326,86 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args)
269 case 'x': 326 case 'x':
270 flags |= DP_F_UNSIGNED; 327 flags |= DP_F_UNSIGNED;
271 if (cflags == DP_C_SHORT) 328 if (cflags == DP_C_SHORT)
272 value = va_arg(args, unsigned int); 329 value = va_arg (args, unsigned int);
273 else if (cflags == DP_C_LONG) 330 else if (cflags == DP_C_LONG)
274 value = va_arg(args, unsigned long int); 331 value = (long)va_arg (args, unsigned long int);
275 else if (cflags == DP_C_LONG_LONG) 332 else if (cflags == DP_C_LLONG)
276 value = va_arg(args, unsigned long long); 333 value = (LLONG)va_arg (args, unsigned LLONG);
277 else 334 else
278 value = va_arg(args, unsigned int); 335 value = (long)va_arg (args, unsigned int);
279 fmtint(buffer, &currlen, maxlen, value, 16, min, max, flags); 336 fmtint (buffer, &currlen, maxlen, value, 16, min, max, flags);
280 break; 337 break;
281 case 'f': 338 case 'f':
282 if (cflags == DP_C_LDOUBLE) 339 if (cflags == DP_C_LDOUBLE)
283 fvalue = va_arg(args, long double); 340 fvalue = va_arg (args, LDOUBLE);
284 else 341 else
285 fvalue = va_arg(args, double); 342 fvalue = va_arg (args, double);
286 /* um, floating point? */ 343 /* um, floating point? */
287 fmtfp(buffer, &currlen, maxlen, fvalue, min, max, flags); 344 fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
288 break; 345 break;
289 case 'E': 346 case 'E':
290 flags |= DP_F_UP; 347 flags |= DP_F_UP;
291 case 'e': 348 case 'e':
292 if (cflags == DP_C_LDOUBLE) 349 if (cflags == DP_C_LDOUBLE)
293 fvalue = va_arg(args, long double); 350 fvalue = va_arg (args, LDOUBLE);
294 else 351 else
295 fvalue = va_arg(args, double); 352 fvalue = va_arg (args, double);
353 fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
296 break; 354 break;
297 case 'G': 355 case 'G':
298 flags |= DP_F_UP; 356 flags |= DP_F_UP;
299 case 'g': 357 case 'g':
300 if (cflags == DP_C_LDOUBLE) 358 if (cflags == DP_C_LDOUBLE)
301 fvalue = va_arg(args, long double); 359 fvalue = va_arg (args, LDOUBLE);
302 else 360 else
303 fvalue = va_arg(args, double); 361 fvalue = va_arg (args, double);
362 fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
304 break; 363 break;
305 case 'c': 364 case 'c':
306 dopr_outch(buffer, &currlen, maxlen, va_arg(args, int)); 365 dopr_outch (buffer, &currlen, maxlen, va_arg (args, int));
307 break; 366 break;
308 case 's': 367 case 's':
309 strvalue = va_arg(args, char *); 368 strvalue = va_arg (args, char *);
310 if (max < 0) 369 if (!strvalue) strvalue = "(NULL)";
311 max = maxlen; /* ie, no max */ 370 if (max == -1) {
312 fmtstr(buffer, &currlen, maxlen, strvalue, flags, min, max); 371 max = strlen(strvalue);
372 }
373 if (min > 0 && max >= 0 && min > max) max = min;
374 fmtstr (buffer, &currlen, maxlen, strvalue, flags, min, max);
313 break; 375 break;
314 case 'p': 376 case 'p':
315 strvalue = va_arg(args, void *); 377 strvalue = va_arg (args, void *);
316 fmtint(buffer, &currlen, maxlen, (long) strvalue, 16, min, max, flags); 378 fmtint (buffer, &currlen, maxlen, (long) strvalue, 16, min, max, flags);
317 break; 379 break;
318 case 'n': 380 case 'n':
319 if (cflags == DP_C_SHORT) { 381 if (cflags == DP_C_SHORT) {
320 short int *num; 382 short int *num;
321 num = va_arg(args, short int *); 383 num = va_arg (args, short int *);
322 *num = currlen; 384 *num = currlen;
323 } else if (cflags == DP_C_LONG) { 385 } else if (cflags == DP_C_LONG) {
324 long int *num; 386 long int *num;
325 num = va_arg(args, long int *); 387 num = va_arg (args, long int *);
326 *num = currlen; 388 *num = (long int)currlen;
327 } else if (cflags == DP_C_LONG_LONG) { 389 } else if (cflags == DP_C_LLONG) {
328 long long *num; 390 LLONG *num;
329 num = va_arg(args, long long *); 391 num = va_arg (args, LLONG *);
330 *num = currlen; 392 *num = (LLONG)currlen;
331 } else { 393 } else {
332 int *num; 394 int *num;
333 num = va_arg(args, int *); 395 num = va_arg (args, int *);
334 *num = currlen; 396 *num = currlen;
335 } 397 }
336 break; 398 break;
337 case '%': 399 case '%':
338 dopr_outch(buffer, &currlen, maxlen, ch); 400 dopr_outch (buffer, &currlen, maxlen, ch);
339 break; 401 break;
340 case 'w': /* not supported yet, treat as next char */ 402 case 'w':
403 /* not supported yet, treat as next char */
341 ch = *format++; 404 ch = *format++;
342 break; 405 break;
343 default: /* Unknown, skip */ 406 default:
344 break; 407 /* Unknown, skip */
408 break;
345 } 409 }
346 ch = *format++; 410 ch = *format++;
347 state = DP_S_DEFAULT; 411 state = DP_S_DEFAULT;
@@ -350,24 +414,33 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args)
350 break; 414 break;
351 case DP_S_DONE: 415 case DP_S_DONE:
352 break; 416 break;
353 default: /* hmm? */ 417 default:
418 /* hmm? */
354 break; /* some picky compilers need this */ 419 break; /* some picky compilers need this */
355 } 420 }
356 } 421 }
357 if (currlen < maxlen - 1) 422 if (maxlen != 0) {
358 buffer[currlen] = '\0'; 423 if (currlen < maxlen - 1)
359 else 424 buffer[currlen] = '\0';
360 buffer[maxlen - 1] = '\0'; 425 else if (maxlen > 0)
426 buffer[maxlen - 1] = '\0';
427 }
428
429 return currlen;
361} 430}
362 431
363static void 432static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
364fmtstr(char *buffer, size_t *currlen, size_t maxlen, 433 char *value, int flags, int min, int max)
365 char *value, int flags, int min, int max)
366{ 434{
367 int cnt = 0, padlen, strln; /* amount to pad */ 435 int padlen, strln; /* amount to pad */
368 436 int cnt = 0;
369 if (value == 0) 437
438#ifdef DEBUG_SNPRINTF
439 printf("fmtstr min=%d max=%d s=[%s]\n", min, max, value);
440#endif
441 if (value == 0) {
370 value = "<NULL>"; 442 value = "<NULL>";
443 }
371 444
372 for (strln = 0; strln < max && value[strln]; ++strln); /* strlen */ 445 for (strln = 0; strln < max && value[strln]; ++strln); /* strlen */
373 padlen = min - strln; 446 padlen = min - strln;
@@ -375,18 +448,18 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen,
375 padlen = 0; 448 padlen = 0;
376 if (flags & DP_F_MINUS) 449 if (flags & DP_F_MINUS)
377 padlen = -padlen; /* Left Justify */ 450 padlen = -padlen; /* Left Justify */
378 451
379 while ((padlen > 0) && (cnt < max)) { 452 while ((padlen > 0) && (cnt < max)) {
380 dopr_outch(buffer, currlen, maxlen, ' '); 453 dopr_outch (buffer, currlen, maxlen, ' ');
381 --padlen; 454 --padlen;
382 ++cnt; 455 ++cnt;
383 } 456 }
384 while (*value && (cnt < max)) { 457 while (*value && (cnt < max)) {
385 dopr_outch(buffer, currlen, maxlen, *value++); 458 dopr_outch (buffer, currlen, maxlen, *value++);
386 ++cnt; 459 ++cnt;
387 } 460 }
388 while ((padlen < 0) && (cnt < max)) { 461 while ((padlen < 0) && (cnt < max)) {
389 dopr_outch(buffer, currlen, maxlen, ' '); 462 dopr_outch (buffer, currlen, maxlen, ' ');
390 ++padlen; 463 ++padlen;
391 ++cnt; 464 ++cnt;
392 } 465 }
@@ -394,49 +467,49 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen,
394 467
395/* Have to handle DP_F_NUM (ie 0x and 0 alternates) */ 468/* Have to handle DP_F_NUM (ie 0x and 0 alternates) */
396 469
397static void 470static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
398fmtint(char *buffer, size_t *currlen, size_t maxlen, 471 long value, int base, int min, int max, int flags)
399 long value, int base, int min, int max, int flags)
400{ 472{
473 int signvalue = 0;
401 unsigned long uvalue; 474 unsigned long uvalue;
402 char convert[20]; 475 char convert[20];
403 int signvalue = 0, place = 0, caps = 0; 476 int place = 0;
404 int spadlen = 0; /* amount to space pad */ 477 int spadlen = 0; /* amount to space pad */
405 int zpadlen = 0; /* amount to zero pad */ 478 int zpadlen = 0; /* amount to zero pad */
406 479 int caps = 0;
480
407 if (max < 0) 481 if (max < 0)
408 max = 0; 482 max = 0;
409 483
410 uvalue = value; 484 uvalue = value;
411 485
412 if (!(flags & DP_F_UNSIGNED)) { 486 if(!(flags & DP_F_UNSIGNED)) {
413 if (value < 0) { 487 if( value < 0 ) {
414 signvalue = '-'; 488 signvalue = '-';
415 uvalue = -value; 489 uvalue = -value;
416 } else if (flags & DP_F_PLUS) /* Do a sign (+/i) */ 490 } else {
417 signvalue = '+'; 491 if (flags & DP_F_PLUS) /* Do a sign (+/i) */
418 else if (flags & DP_F_SPACE) 492 signvalue = '+';
419 signvalue = ' '; 493 else if (flags & DP_F_SPACE)
494 signvalue = ' ';
495 }
420 } 496 }
421 497
422 if (flags & DP_F_UP) 498 if (flags & DP_F_UP) caps = 1; /* Should characters be upper case? */
423 caps = 1; /* Should characters be upper case? */ 499
424 do { 500 do {
425 convert[place++] = 501 convert[place++] =
426 (caps ? "0123456789ABCDEF" : "0123456789abcdef") 502 (caps? "0123456789ABCDEF":"0123456789abcdef")
427 [uvalue % (unsigned)base]; 503 [uvalue % (unsigned)base ];
428 uvalue = (uvalue / (unsigned)base ); 504 uvalue = (uvalue / (unsigned)base );
429 } while (uvalue && (place < 20)); 505 } while(uvalue && (place < 20));
430 if (place == 20) 506 if (place == 20) place--;
431 place--;
432 convert[place] = 0; 507 convert[place] = 0;
433 508
434 zpadlen = max - place; 509 zpadlen = max - place;
435 spadlen = min - MAX (max, place) - (signvalue ? 1 : 0); 510 spadlen = min - MAX (max, place) - (signvalue ? 1 : 0);
436 if (zpadlen < 0) 511 if (zpadlen < 0) zpadlen = 0;
437 zpadlen = 0; 512 if (spadlen < 0) spadlen = 0;
438 if (spadlen < 0)
439 spadlen = 0;
440 if (flags & DP_F_ZERO) { 513 if (flags & DP_F_ZERO) {
441 zpadlen = MAX(zpadlen, spadlen); 514 zpadlen = MAX(zpadlen, spadlen);
442 spadlen = 0; 515 spadlen = 0;
@@ -444,27 +517,32 @@ fmtint(char *buffer, size_t *currlen, size_t maxlen,
444 if (flags & DP_F_MINUS) 517 if (flags & DP_F_MINUS)
445 spadlen = -spadlen; /* Left Justifty */ 518 spadlen = -spadlen; /* Left Justifty */
446 519
520#ifdef DEBUG_SNPRINTF
521 printf("zpad: %d, spad: %d, min: %d, max: %d, place: %d\n",
522 zpadlen, spadlen, min, max, place);
523#endif
524
447 /* Spaces */ 525 /* Spaces */
448 while (spadlen > 0) { 526 while (spadlen > 0) {
449 dopr_outch(buffer, currlen, maxlen, ' '); 527 dopr_outch (buffer, currlen, maxlen, ' ');
450 --spadlen; 528 --spadlen;
451 } 529 }
452 530
453 /* Sign */ 531 /* Sign */
454 if (signvalue) 532 if (signvalue)
455 dopr_outch(buffer, currlen, maxlen, signvalue); 533 dopr_outch (buffer, currlen, maxlen, signvalue);
456 534
457 /* Zeros */ 535 /* Zeros */
458 if (zpadlen > 0) { 536 if (zpadlen > 0) {
459 while (zpadlen > 0) { 537 while (zpadlen > 0) {
460 dopr_outch(buffer, currlen, maxlen, '0'); 538 dopr_outch (buffer, currlen, maxlen, '0');
461 --zpadlen; 539 --zpadlen;
462 } 540 }
463 } 541 }
464 542
465 /* Digits */ 543 /* Digits */
466 while (place > 0) 544 while (place > 0)
467 dopr_outch(buffer, currlen, maxlen, convert[--place]); 545 dopr_outch (buffer, currlen, maxlen, convert[--place]);
468 546
469 /* Left Justified spaces */ 547 /* Left Justified spaces */
470 while (spadlen < 0) { 548 while (spadlen < 0) {
@@ -473,11 +551,20 @@ fmtint(char *buffer, size_t *currlen, size_t maxlen,
473 } 551 }
474} 552}
475 553
476static long double 554static LDOUBLE abs_val(LDOUBLE value)
477pow10(int exp)
478{ 555{
479 long double result = 1; 556 LDOUBLE result = value;
557
558 if (value < 0)
559 result = -value;
560
561 return result;
562}
480 563
564static LDOUBLE POW10(int exp)
565{
566 LDOUBLE result = 1;
567
481 while (exp) { 568 while (exp) {
482 result *= 10; 569 result *= 10;
483 exp--; 570 exp--;
@@ -486,28 +573,69 @@ pow10(int exp)
486 return result; 573 return result;
487} 574}
488 575
489static long 576static LLONG ROUND(LDOUBLE value)
490round(long double value)
491{ 577{
492 long intpart = value; 578 LLONG intpart;
493
494 value -= intpart;
495 if (value >= 0.5)
496 intpart++;
497 579
580 intpart = (LLONG)value;
581 value = value - intpart;
582 if (value >= 0.5) intpart++;
583
498 return intpart; 584 return intpart;
499} 585}
500 586
501static void 587/* a replacement for modf that doesn't need the math library. Should
502fmtfp(char *buffer, size_t *currlen, size_t maxlen, long double fvalue, 588 be portable, but slow */
503 int min, int max, int flags) 589static double my_modf(double x0, double *iptr)
504{ 590{
505 char iconvert[20], fconvert[20]; 591 int i;
506 int signvalue = 0, iplace = 0, fplace = 0; 592 long l;
593 double x = x0;
594 double f = 1.0;
595
596 for (i=0;i<100;i++) {
597 l = (long)x;
598 if (l <= (x+1) && l >= (x-1)) break;
599 x *= 0.1;
600 f *= 10.0;
601 }
602
603 if (i == 100) {
604 /* yikes! the number is beyond what we can handle. What do we do? */
605 (*iptr) = 0;
606 return 0;
607 }
608
609 if (i != 0) {
610 double i2;
611 double ret;
612
613 ret = my_modf(x0-l*f, &i2);
614 (*iptr) = l*f + i2;
615 return ret;
616 }
617
618 (*iptr) = l;
619 return x - (*iptr);
620}
621
622
623static void fmtfp (char *buffer, size_t *currlen, size_t maxlen,
624 LDOUBLE fvalue, int min, int max, int flags)
625{
626 int signvalue = 0;
627 double ufvalue;
628 char iconvert[311];
629 char fconvert[311];
630 int iplace = 0;
631 int fplace = 0;
507 int padlen = 0; /* amount to pad */ 632 int padlen = 0; /* amount to pad */
508 int zpadlen = 0, caps = 0; 633 int zpadlen = 0;
509 long intpart, fracpart; 634 int caps = 0;
510 long double ufvalue; 635 int idx;
636 double intpart;
637 double fracpart;
638 double temp;
511 639
512 /* 640 /*
513 * AIX manpage says the default is 0, but Solaris says the default 641 * AIX manpage says the default is 0, but Solaris says the default
@@ -516,137 +644,159 @@ fmtfp(char *buffer, size_t *currlen, size_t maxlen, long double fvalue,
516 if (max < 0) 644 if (max < 0)
517 max = 6; 645 max = 6;
518 646
519 ufvalue = abs_val(fvalue); 647 ufvalue = abs_val (fvalue);
520 648
521 if (fvalue < 0) 649 if (fvalue < 0) {
522 signvalue = '-'; 650 signvalue = '-';
523 else if (flags & DP_F_PLUS) /* Do a sign (+/i) */ 651 } else {
524 signvalue = '+'; 652 if (flags & DP_F_PLUS) { /* Do a sign (+/i) */
525 else if (flags & DP_F_SPACE) 653 signvalue = '+';
526 signvalue = ' '; 654 } else {
655 if (flags & DP_F_SPACE)
656 signvalue = ' ';
657 }
658 }
527 659
528 intpart = ufvalue; 660#if 0
661 if (flags & DP_F_UP) caps = 1; /* Should characters be upper case? */
662#endif
663
664#if 0
665 if (max == 0) ufvalue += 0.5; /* if max = 0 we must round */
666#endif
529 667
530 /* 668 /*
531 * Sorry, we only support 9 digits past the decimal because of our 669 * Sorry, we only support 16 digits past the decimal because of our
532 * conversion method 670 * conversion method
533 */ 671 */
534 if (max > 9) 672 if (max > 16)
535 max = 9; 673 max = 16;
536 674
537 /* We "cheat" by converting the fractional part to integer by 675 /* We "cheat" by converting the fractional part to integer by
538 * multiplying by a factor of 10 676 * multiplying by a factor of 10
539 */ 677 */
540 fracpart = round((pow10 (max)) * (ufvalue - intpart));
541 678
542 if (fracpart >= pow10 (max)) { 679 temp = ufvalue;
680 my_modf(temp, &intpart);
681
682 fracpart = ROUND((POW10(max)) * (ufvalue - intpart));
683
684 if (fracpart >= POW10(max)) {
543 intpart++; 685 intpart++;
544 fracpart -= pow10 (max); 686 fracpart -= POW10(max);
545 } 687 }
546 688
547 /* Convert integer part */ 689 /* Convert integer part */
548 do { 690 do {
691 temp = intpart*0.1;
692 my_modf(temp, &intpart);
693 idx = (int) ((temp -intpart +0.05)* 10.0);
694 /* idx = (int) (((double)(temp*0.1) -intpart +0.05) *10.0); */
695 /* printf ("%llf, %f, %x\n", temp, intpart, idx); */
549 iconvert[iplace++] = 696 iconvert[iplace++] =
550 (caps ? "0123456789ABCDEF" : "0123456789abcdef") 697 (caps? "0123456789ABCDEF":"0123456789abcdef")[idx];
551 [intpart % 10]; 698 } while (intpart && (iplace < 311));
552 intpart = (intpart / 10); 699 if (iplace == 311) iplace--;
553 } while(intpart && (iplace < 20));
554 if (iplace == 20)
555 iplace--;
556 iconvert[iplace] = 0; 700 iconvert[iplace] = 0;
557 701
558 /* Convert fractional part */ 702 /* Convert fractional part */
559 do { 703 if (fracpart)
560 fconvert[fplace++] = 704 {
561 (caps ? "0123456789ABCDEF" : "0123456789abcdef") 705 do {
562 [fracpart % 10]; 706 temp = fracpart*0.1;
563 fracpart = (fracpart / 10); 707 my_modf(temp, &fracpart);
564 } while(fracpart && (fplace < 20)); 708 idx = (int) ((temp -fracpart +0.05)* 10.0);
565 if (fplace == 20) 709 /* idx = (int) ((((temp/10) -fracpart) +0.05) *10); */
566 fplace--; 710 /* printf ("%lf, %lf, %ld\n", temp, fracpart, idx ); */
711 fconvert[fplace++] =
712 (caps? "0123456789ABCDEF":"0123456789abcdef")[idx];
713 } while(fracpart && (fplace < 311));
714 if (fplace == 311) fplace--;
715 }
567 fconvert[fplace] = 0; 716 fconvert[fplace] = 0;
568 717
569 /* -1 for decimal point, another -1 if we are printing a sign */ 718 /* -1 for decimal point, another -1 if we are printing a sign */
570 padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0); 719 padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0);
571 zpadlen = max - fplace; 720 zpadlen = max - fplace;
572 if (zpadlen < 0) 721 if (zpadlen < 0) zpadlen = 0;
573 zpadlen = 0;
574 if (padlen < 0) 722 if (padlen < 0)
575 padlen = 0; 723 padlen = 0;
576 if (flags & DP_F_MINUS) 724 if (flags & DP_F_MINUS)
577 padlen = -padlen; /* Left Justifty */ 725 padlen = -padlen; /* Left Justifty */
578 726
579 if ((flags & DP_F_ZERO) && (padlen > 0)) { 727 if ((flags & DP_F_ZERO) && (padlen > 0)) {
580 if (signvalue) { 728 if (signvalue) {
581 dopr_outch(buffer, currlen, maxlen, signvalue); 729 dopr_outch (buffer, currlen, maxlen, signvalue);
582 --padlen; 730 --padlen;
583 signvalue = 0; 731 signvalue = 0;
584 } 732 }
585 while (padlen > 0) { 733 while (padlen > 0) {
586 dopr_outch(buffer, currlen, maxlen, '0'); 734 dopr_outch (buffer, currlen, maxlen, '0');
587 --padlen; 735 --padlen;
588 } 736 }
589 } 737 }
590 while (padlen > 0) { 738 while (padlen > 0) {
591 dopr_outch(buffer, currlen, maxlen, ' '); 739 dopr_outch (buffer, currlen, maxlen, ' ');
592 --padlen; 740 --padlen;
593 } 741 }
594 if (signvalue) 742 if (signvalue)
595 dopr_outch(buffer, currlen, maxlen, signvalue); 743 dopr_outch (buffer, currlen, maxlen, signvalue);
596 744
597 while (iplace > 0) 745 while (iplace > 0)
598 dopr_outch(buffer, currlen, maxlen, iconvert[--iplace]); 746 dopr_outch (buffer, currlen, maxlen, iconvert[--iplace]);
747
748#ifdef DEBUG_SNPRINTF
749 printf("fmtfp: fplace=%d zpadlen=%d\n", fplace, zpadlen);
750#endif
599 751
600 /* 752 /*
601 * Decimal point. This should probably use locale to find the 753 * Decimal point. This should probably use locale to find the correct
602 * correct char to print out. 754 * char to print out.
603 */ 755 */
604 dopr_outch(buffer, currlen, maxlen, '.'); 756 if (max > 0) {
605 757 dopr_outch (buffer, currlen, maxlen, '.');
606 while (fplace > 0) 758
607 dopr_outch(buffer, currlen, maxlen, fconvert[--fplace]); 759 while (zpadlen > 0) {
760 dopr_outch (buffer, currlen, maxlen, '0');
761 --zpadlen;
762 }
608 763
609 while (zpadlen > 0) { 764 while (fplace > 0)
610 dopr_outch(buffer, currlen, maxlen, '0'); 765 dopr_outch (buffer, currlen, maxlen, fconvert[--fplace]);
611 --zpadlen;
612 } 766 }
613 767
614 while (padlen < 0) { 768 while (padlen < 0) {
615 dopr_outch(buffer, currlen, maxlen, ' '); 769 dopr_outch (buffer, currlen, maxlen, ' ');
616 ++padlen; 770 ++padlen;
617 } 771 }
618} 772}
619 773
620static void 774static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c)
621dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c)
622{ 775{
623 if (*currlen < maxlen) 776 if (*currlen < maxlen) {
624 buffer[(*currlen)++] = c; 777 buffer[(*currlen)] = c;
778 }
779 (*currlen)++;
625} 780}
626#endif /* !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) */ 781#endif /* !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) */
627 782
628#ifndef HAVE_VSNPRINTF 783#if !defined(HAVE_VSNPRINTF)
629int 784int vsnprintf (char *str, size_t count, const char *fmt, va_list args)
630vsnprintf(char *str, size_t count, const char *fmt, va_list args)
631{ 785{
632 str[0] = 0; 786 return dopr(str, count, fmt, args);
633 dopr(str, count, fmt, args);
634
635 return(strlen(str));
636} 787}
637#endif /* !HAVE_VSNPRINTF */ 788#endif
638 789
639#ifndef HAVE_SNPRINTF 790#if !defined(HAVE_SNPRINTF)
640int 791int snprintf(char *str, size_t count, SNPRINTF_CONST char *fmt, ...)
641snprintf(char *str,size_t count,const char *fmt,...)
642{ 792{
793 size_t ret;
643 va_list ap; 794 va_list ap;
644 795
645 va_start(ap, fmt); 796 va_start(ap, fmt);
646 (void) vsnprintf(str, count, fmt, ap); 797 ret = vsnprintf(str, count, fmt, ap);
647 va_end(ap); 798 va_end(ap);
648 799 return ret;
649 return(strlen(str));
650} 800}
801#endif
651 802
652#endif /* !HAVE_SNPRINTF */
diff --git a/openbsd-compat/daemon.c b/openbsd-compat/daemon.c
index c0be5fff9..f8a0680bf 100644
--- a/openbsd-compat/daemon.c
+++ b/openbsd-compat/daemon.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/gen/daemon.c */ 1/* $OpenBSD: daemon.c,v 1.6 2005/08/08 08:05:33 espie Exp $ */
2
3/*- 2/*-
4 * Copyright (c) 1990, 1993 3 * Copyright (c) 1990, 1993
5 * The Regents of the University of California. All rights reserved. 4 * The Regents of the University of California. All rights reserved.
@@ -29,14 +28,12 @@
29 * SUCH DAMAGE. 28 * SUCH DAMAGE.
30 */ 29 */
31 30
31/* OPENBSD ORIGINAL: lib/libc/gen/daemon.c */
32
32#include "includes.h" 33#include "includes.h"
33 34
34#ifndef HAVE_DAEMON 35#ifndef HAVE_DAEMON
35 36
36#if defined(LIBC_SCCS) && !defined(lint)
37static char rcsid[] = "$OpenBSD: daemon.c,v 1.5 2003/07/15 17:32:41 deraadt Exp $";
38#endif /* LIBC_SCCS and not lint */
39
40int 37int
41daemon(int nochdir, int noclose) 38daemon(int nochdir, int noclose)
42{ 39{
diff --git a/openbsd-compat/dirname.c b/openbsd-compat/dirname.c
index 25ab34dd6..30fcb4968 100644
--- a/openbsd-compat/dirname.c
+++ b/openbsd-compat/dirname.c
@@ -1,9 +1,7 @@
1/* OPENBSD ORIGINAL: lib/libc/gen/dirname.c */ 1/* $OpenBSD: dirname.c,v 1.13 2005/08/08 08:05:33 espie Exp $ */
2
3/* $OpenBSD: dirname.c,v 1.10 2003/06/17 21:56:23 millert Exp $ */
4 2
5/* 3/*
6 * Copyright (c) 1997 Todd C. Miller <Todd.Miller@courtesan.com> 4 * Copyright (c) 1997, 2004 Todd C. Miller <Todd.Miller@courtesan.com>
7 * 5 *
8 * Permission to use, copy, modify, and distribute this software for any 6 * Permission to use, copy, modify, and distribute this software for any
9 * purpose with or without fee is hereby granted, provided that the above 7 * purpose with or without fee is hereby granted, provided that the above
@@ -18,13 +16,11 @@
18 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 */ 17 */
20 18
19/* OPENBSD ORIGINAL: lib/libc/gen/dirname.c */
20
21#include "includes.h" 21#include "includes.h"
22#ifndef HAVE_DIRNAME 22#ifndef HAVE_DIRNAME
23 23
24#ifndef lint
25static char rcsid[] = "$OpenBSD: dirname.c,v 1.10 2003/06/17 21:56:23 millert Exp $";
26#endif /* not lint */
27
28#include <errno.h> 24#include <errno.h>
29#include <string.h> 25#include <string.h>
30#include <sys/param.h> 26#include <sys/param.h>
@@ -32,16 +28,18 @@ static char rcsid[] = "$OpenBSD: dirname.c,v 1.10 2003/06/17 21:56:23 millert Ex
32char * 28char *
33dirname(const char *path) 29dirname(const char *path)
34{ 30{
35 static char bname[MAXPATHLEN]; 31 static char dname[MAXPATHLEN];
36 register const char *endp; 32 size_t len;
33 const char *endp;
37 34
38 /* Empty or NULL string gets treated as "." */ 35 /* Empty or NULL string gets treated as "." */
39 if (path == NULL || *path == '\0') { 36 if (path == NULL || *path == '\0') {
40 (void)strlcpy(bname, ".", sizeof bname); 37 dname[0] = '.';
41 return(bname); 38 dname[1] = '\0';
39 return (dname);
42 } 40 }
43 41
44 /* Strip trailing slashes */ 42 /* Strip any trailing slashes */
45 endp = path + strlen(path) - 1; 43 endp = path + strlen(path) - 1;
46 while (endp > path && *endp == '/') 44 while (endp > path && *endp == '/')
47 endp--; 45 endp--;
@@ -52,19 +50,23 @@ dirname(const char *path)
52 50
53 /* Either the dir is "/" or there are no slashes */ 51 /* Either the dir is "/" or there are no slashes */
54 if (endp == path) { 52 if (endp == path) {
55 (void)strlcpy(bname, *endp == '/' ? "/" : ".", sizeof bname); 53 dname[0] = *endp == '/' ? '/' : '.';
56 return(bname); 54 dname[1] = '\0';
55 return (dname);
57 } else { 56 } else {
57 /* Move forward past the separating slashes */
58 do { 58 do {
59 endp--; 59 endp--;
60 } while (endp > path && *endp == '/'); 60 } while (endp > path && *endp == '/');
61 } 61 }
62 62
63 if (endp - path + 2 > sizeof(bname)) { 63 len = endp - path + 1;
64 if (len >= sizeof(dname)) {
64 errno = ENAMETOOLONG; 65 errno = ENAMETOOLONG;
65 return(NULL); 66 return (NULL);
66 } 67 }
67 strlcpy(bname, path, endp - path + 2); 68 memcpy(dname, path, len);
68 return(bname); 69 dname[len] = '\0';
70 return (dname);
69} 71}
70#endif 72#endif
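Review bot: The added comment `/* Move forward past the separating slashes */` in dirname() sits on a `do { endp--; }` loop, which walks backward toward the start of `path`; `/* Move backward past the separating slashes */` would match the code. The function also has no header comment describing its contract. The result lives in the static `dname` buffer and is overwritten by the next call, and it is NULL with errno set to ENAMETOOLONG when `len >= sizeof(dname)`. A short comment above `dirname(const char *path)` stating this would tell callers to copy the result and check for NULL before using it. The lines between the trailing-slash loop and the `endp == path` test are outside the hunks shown.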
diff --git a/openbsd-compat/getcwd.c b/openbsd-compat/getcwd.c
index 19be59172..711cb9cd5 100644
--- a/openbsd-compat/getcwd.c
+++ b/openbsd-compat/getcwd.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/gen/getcwd.c */ 1/* $OpenBSD: getcwd.c,v 1.14 2005/08/08 08:05:34 espie Exp $ */
2
3/* 2/*
4 * Copyright (c) 1989, 1991, 1993 3 * Copyright (c) 1989, 1991, 1993
5 * The Regents of the University of California. All rights reserved. 4 * The Regents of the University of California. All rights reserved.
@@ -29,14 +28,12 @@
29 * SUCH DAMAGE. 28 * SUCH DAMAGE.
30 */ 29 */
31 30
31/* OPENBSD ORIGINAL: lib/libc/gen/getcwd.c */
32
32#include "includes.h" 33#include "includes.h"
33 34
34#if !defined(HAVE_GETCWD) 35#if !defined(HAVE_GETCWD)
35 36
36#if defined(LIBC_SCCS) && !defined(lint)
37static char rcsid[] = "$OpenBSD: getcwd.c,v 1.9 2003/06/11 21:03:10 deraadt Exp $";
38#endif /* LIBC_SCCS and not lint */
39
40#include <sys/param.h> 37#include <sys/param.h>
41#include <sys/stat.h> 38#include <sys/stat.h>
42#include <errno.h> 39#include <errno.h>
@@ -54,12 +51,12 @@ static char rcsid[] = "$OpenBSD: getcwd.c,v 1.9 2003/06/11 21:03:10 deraadt Exp
54char * 51char *
55getcwd(char *pt, size_t size) 52getcwd(char *pt, size_t size)
56{ 53{
57 register struct dirent *dp; 54 struct dirent *dp;
58 register DIR *dir = NULL; 55 DIR *dir = NULL;
59 register dev_t dev; 56 dev_t dev;
60 register ino_t ino; 57 ino_t ino;
61 register int first; 58 int first;
62 register char *bpt, *bup; 59 char *bpt, *bup;
63 struct stat s; 60 struct stat s;
64 dev_t root_dev; 61 dev_t root_dev;
65 ino_t root_ino; 62 ino_t root_ino;
@@ -80,7 +77,7 @@ getcwd(char *pt, size_t size)
80 } 77 }
81 ept = pt + size; 78 ept = pt + size;
82 } else { 79 } else {
83 if ((pt = malloc(ptsize = 1024 - 4)) == NULL) 80 if ((pt = malloc(ptsize = MAXPATHLEN)) == NULL)
84 return (NULL); 81 return (NULL);
85 ept = pt + ptsize; 82 ept = pt + ptsize;
86 } 83 }
@@ -88,13 +85,13 @@ getcwd(char *pt, size_t size)
88 *bpt = '\0'; 85 *bpt = '\0';
89 86
90 /* 87 /*
91 * Allocate bytes (1024 - malloc space) for the string of "../"'s. 88 * Allocate bytes for the string of "../"'s.
92 * Should always be enough (it's 340 levels). If it's not, allocate 89 * Should always be enough (it's 340 levels). If it's not, allocate
93 * as necessary. Special * case the first stat, it's ".", not "..". 90 * as necessary. Special * case the first stat, it's ".", not "..".
94 */ 91 */
95 if ((up = malloc(upsize = 1024 - 4)) == NULL) 92 if ((up = malloc(upsize = MAXPATHLEN)) == NULL)
96 goto err; 93 goto err;
97 eup = up + MAXPATHLEN; 94 eup = up + upsize;
98 bup = up; 95 bup = up;
99 up[0] = '.'; 96 up[0] = '.';
100 up[1] = '\0'; 97 up[1] = '\0';
@@ -139,18 +136,16 @@ getcwd(char *pt, size_t size)
139 136
140 if ((nup = realloc(up, upsize *= 2)) == NULL) 137 if ((nup = realloc(up, upsize *= 2)) == NULL)
141 goto err; 138 goto err;
139 bup = nup + (bup - up);
142 up = nup; 140 up = nup;
143 bup = up;
144 eup = up + upsize; 141 eup = up + upsize;
145 } 142 }
146 *bup++ = '.'; 143 *bup++ = '.';
147 *bup++ = '.'; 144 *bup++ = '.';
148 *bup = '\0'; 145 *bup = '\0';
149 146
150 /* Open and stat parent directory. 147 /* Open and stat parent directory. */
151 * RACE?? - replaced fstat(dirfd(dir), &s) w/ lstat(up,&s) 148 if (!(dir = opendir(up)) || fstat(dirfd(dir), &s))
152 */
153 if (!(dir = opendir(up)) || lstat(up,&s))
154 goto err; 149 goto err;
155 150
156 /* Add trailing slash for next directory. */ 151 /* Add trailing slash for next directory. */
@@ -175,7 +170,7 @@ getcwd(char *pt, size_t size)
175 goto notfound; 170 goto notfound;
176 if (ISDOT(dp)) 171 if (ISDOT(dp))
177 continue; 172 continue;
178 memmove(bup, dp->d_name, dp->d_namlen + 1); 173 memcpy(bup, dp->d_name, dp->d_namlen + 1);
179 174
180 /* Save the first error for later. */ 175 /* Save the first error for later. */
181 if (lstat(up, &s)) { 176 if (lstat(up, &s)) {
@@ -193,19 +188,18 @@ getcwd(char *pt, size_t size)
193 * leading slash. 188 * leading slash.
194 */ 189 */
195 if (bpt - pt < dp->d_namlen + (first ? 1 : 2)) { 190 if (bpt - pt < dp->d_namlen + (first ? 1 : 2)) {
196 size_t len, off; 191 size_t len;
197 char *npt; 192 char *npt;
198 193
199 if (!ptsize) { 194 if (!ptsize) {
200 errno = ERANGE; 195 errno = ERANGE;
201 goto err; 196 goto err;
202 } 197 }
203 off = bpt - pt;
204 len = ept - bpt; 198 len = ept - bpt;
205 if ((npt = realloc(pt, ptsize *= 2)) == NULL) 199 if ((npt = realloc(pt, ptsize *= 2)) == NULL)
206 goto err; 200 goto err;
201 bpt = npt + (bpt - pt);
207 pt = npt; 202 pt = npt;
208 bpt = pt + off;
209 ept = pt + ptsize; 203 ept = pt + ptsize;
210 memmove(ept - len, bpt, len); 204 memmove(ept - len, bpt, len);
211 bpt = ept - len; 205 bpt = ept - len;
@@ -213,7 +207,7 @@ getcwd(char *pt, size_t size)
213 if (!first) 207 if (!first)
214 *--bpt = '/'; 208 *--bpt = '/';
215 bpt -= dp->d_namlen; 209 bpt -= dp->d_namlen;
216 memmove(bpt, dp->d_name, dp->d_namlen); 210 memcpy(bpt, dp->d_name, dp->d_namlen);
217 (void)closedir(dir); 211 (void)closedir(dir);
218 212
219 /* Truncate any file name. */ 213 /* Truncate any file name. */
@@ -230,12 +224,16 @@ notfound:
230 errno = save_errno ? save_errno : ENOENT; 224 errno = save_errno ? save_errno : ENOENT;
231 /* FALLTHROUGH */ 225 /* FALLTHROUGH */
232err: 226err:
227 save_errno = errno;
228
233 if (ptsize) 229 if (ptsize)
234 free(pt); 230 free(pt);
235 if (up) 231 free(up);
236 free(up);
237 if (dir) 232 if (dir)
238 (void)closedir(dir); 233 (void)closedir(dir);
234
235 errno = save_errno;
236
239 return (NULL); 237 return (NULL);
240} 238}
241 239
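Review bot: Both realloc paths in getcwd() now compute the relocated cursor from the old block after realloc() has returned, in `bup = nup + (bup - up);` and `bpt = npt + (bpt - pt);`. Once realloc() succeeds and moves the block, the old pointer value is strictly indeterminate in C, so this subtraction relies on behaviour the standard does not guarantee. The removed `off = bpt - pt;`, taken before the call, was the conforming form. I would keep it for `pt` and give the `up` path the same shape with a local `size_t off`: `off = bup - up;` before the realloc() and `bup = nup + off;` after it. The function body continues outside the hunks, so whether every later write through `bup` is bounded by the corrected `eup = up + upsize` cannot be confirmed from this page.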
diff --git a/openbsd-compat/getgrouplist.c b/openbsd-compat/getgrouplist.c
index 59c164f44..a57d7d388 100644
--- a/openbsd-compat/getgrouplist.c
+++ b/openbsd-compat/getgrouplist.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/gen/getgrouplist.c */ 1/* $OpenBSD: getgrouplist.c,v 1.12 2005/08/08 08:05:34 espie Exp $ */
2
3/* 2/*
4 * Copyright (c) 1991, 1993 3 * Copyright (c) 1991, 1993
5 * The Regents of the University of California. All rights reserved. 4 * The Regents of the University of California. All rights reserved.
@@ -29,14 +28,12 @@
29 * SUCH DAMAGE. 28 * SUCH DAMAGE.
30 */ 29 */
31 30
31/* OPENBSD ORIGINAL: lib/libc/gen/getgrouplist.c */
32
32#include "includes.h" 33#include "includes.h"
33 34
34#ifndef HAVE_GETGROUPLIST 35#ifndef HAVE_GETGROUPLIST
35 36
36#if defined(LIBC_SCCS) && !defined(lint)
37static char rcsid[] = "$OpenBSD: getgrouplist.c,v 1.9 2003/06/25 21:16:47 deraadt Exp $";
38#endif /* LIBC_SCCS and not lint */
39
40/* 37/*
41 * get credential 38 * get credential
42 */ 39 */
@@ -46,14 +43,10 @@ static char rcsid[] = "$OpenBSD: getgrouplist.c,v 1.9 2003/06/25 21:16:47 deraad
46#include <grp.h> 43#include <grp.h>
47 44
48int 45int
49getgrouplist(uname, agroup, groups, grpcnt) 46getgrouplist(const char *uname, gid_t agroup, gid_t *groups, int *grpcnt)
50 const char *uname;
51 gid_t agroup;
52 register gid_t *groups;
53 int *grpcnt;
54{ 47{
55 register struct group *grp; 48 struct group *grp;
56 register int i, ngroups; 49 int i, ngroups;
57 int ret, maxgroups; 50 int ret, maxgroups;
58 int bail; 51 int bail;
59 52
diff --git a/openbsd-compat/getopt.c b/openbsd-compat/getopt.c
index f5ee6778d..5450e43d9 100644
--- a/openbsd-compat/getopt.c
+++ b/openbsd-compat/getopt.c
@@ -1,5 +1,3 @@
1/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt.c */
2
3/* 1/*
4 * Copyright (c) 1987, 1993, 1994 2 * Copyright (c) 1987, 1993, 1994
5 * The Regents of the University of California. All rights reserved. 3 * The Regents of the University of California. All rights reserved.
@@ -29,6 +27,8 @@
29 * SUCH DAMAGE. 27 * SUCH DAMAGE.
30 */ 28 */
31 29
30/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt.c */
31
32#include "includes.h" 32#include "includes.h"
33#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) 33#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET)
34 34
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
index 2016ffe31..bea6aea3b 100644
--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
@@ -1,6 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/net/getrrsetbyname.c */ 1/* $OpenBSD: getrrsetbyname.c,v 1.10 2005/03/30 02:58:28 tedu Exp $ */
2
3/* $OpenBSD: getrrsetbyname.c,v 1.7 2003/03/07 07:34:14 itojun Exp $ */
4 2
5/* 3/*
6 * Copyright (c) 2001 Jakob Schlyter. All rights reserved. 4 * Copyright (c) 2001 Jakob Schlyter. All rights reserved.
@@ -45,54 +43,26 @@
45 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 43 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
46 */ 44 */
47 45
46/* OPENBSD ORIGINAL: lib/libc/net/getrrsetbyname.c */
47
48#include "includes.h" 48#include "includes.h"
49 49
50#ifndef HAVE_GETRRSETBYNAME 50#ifndef HAVE_GETRRSETBYNAME
51 51
52#include "getrrsetbyname.h" 52#include "getrrsetbyname.h"
53 53
54#define ANSWER_BUFFER_SIZE 1024*64
55
56#if defined(HAVE_DECL_H_ERRNO) && !HAVE_DECL_H_ERRNO 54#if defined(HAVE_DECL_H_ERRNO) && !HAVE_DECL_H_ERRNO
57extern int h_errno; 55extern int h_errno;
58#endif 56#endif
59 57
60struct dns_query { 58/* We don't need multithread support here */
61 char *name; 59#ifdef _THREAD_PRIVATE
62 u_int16_t type; 60# undef _THREAD_PRIVATE
63 u_int16_t class; 61#endif
64 struct dns_query *next; 62#define _THREAD_PRIVATE(a,b,c) (c)
65}; 63struct __res_state _res;
66
67struct dns_rr {
68 char *name;
69 u_int16_t type;
70 u_int16_t class;
71 u_int16_t ttl;
72 u_int16_t size;
73 void *rdata;
74 struct dns_rr *next;
75};
76
77struct dns_response {
78 HEADER header;
79 struct dns_query *query;
80 struct dns_rr *answer;
81 struct dns_rr *authority;
82 struct dns_rr *additional;
83};
84
85static struct dns_response *parse_dns_response(const u_char *, int);
86static struct dns_query *parse_dns_qsection(const u_char *, int,
87 const u_char **, int);
88static struct dns_rr *parse_dns_rrsection(const u_char *, int, const u_char **,
89 int);
90
91static void free_dns_query(struct dns_query *);
92static void free_dns_rr(struct dns_rr *);
93static void free_dns_response(struct dns_response *);
94 64
95static int count_dns_rr(struct dns_rr *, u_int16_t, u_int16_t); 65/* Necessary functions and macros */
96 66
97/* 67/*
98 * Inline versions of get/put short/long. Pointer is advanced. 68 * Inline versions of get/put short/long. Pointer is advanced.
@@ -162,14 +132,56 @@ _getlong(msgp)
162u_int32_t _getlong(register const u_char *); 132u_int32_t _getlong(register const u_char *);
163#endif 133#endif
164 134
135/* ************** */
136
137#define ANSWER_BUFFER_SIZE 1024*64
138
139struct dns_query {
140 char *name;
141 u_int16_t type;
142 u_int16_t class;
143 struct dns_query *next;
144};
145
146struct dns_rr {
147 char *name;
148 u_int16_t type;
149 u_int16_t class;
150 u_int16_t ttl;
151 u_int16_t size;
152 void *rdata;
153 struct dns_rr *next;
154};
155
156struct dns_response {
157 HEADER header;
158 struct dns_query *query;
159 struct dns_rr *answer;
160 struct dns_rr *authority;
161 struct dns_rr *additional;
162};
163
164static struct dns_response *parse_dns_response(const u_char *, int);
165static struct dns_query *parse_dns_qsection(const u_char *, int,
166 const u_char **, int);
167static struct dns_rr *parse_dns_rrsection(const u_char *, int, const u_char **,
168 int);
169
170static void free_dns_query(struct dns_query *);
171static void free_dns_rr(struct dns_rr *);
172static void free_dns_response(struct dns_response *);
173
174static int count_dns_rr(struct dns_rr *, u_int16_t, u_int16_t);
175
165int 176int
166getrrsetbyname(const char *hostname, unsigned int rdclass, 177getrrsetbyname(const char *hostname, unsigned int rdclass,
167 unsigned int rdtype, unsigned int flags, 178 unsigned int rdtype, unsigned int flags,
168 struct rrsetinfo **res) 179 struct rrsetinfo **res)
169{ 180{
181 struct __res_state *_resp = _THREAD_PRIVATE(_res, _res, &_res);
170 int result; 182 int result;
171 struct rrsetinfo *rrset = NULL; 183 struct rrsetinfo *rrset = NULL;
172 struct dns_response *response; 184 struct dns_response *response = NULL;
173 struct dns_rr *rr; 185 struct dns_rr *rr;
174 struct rdatainfo *rdata; 186 struct rdatainfo *rdata;
175 int length; 187 int length;
@@ -195,19 +207,19 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
195 } 207 }
196 208
197 /* initialize resolver */ 209 /* initialize resolver */
198 if ((_res.options & RES_INIT) == 0 && res_init() == -1) { 210 if ((_resp->options & RES_INIT) == 0 && res_init() == -1) {
199 result = ERRSET_FAIL; 211 result = ERRSET_FAIL;
200 goto fail; 212 goto fail;
201 } 213 }
202 214
203#ifdef DEBUG 215#ifdef DEBUG
204 _res.options |= RES_DEBUG; 216 _resp->options |= RES_DEBUG;
205#endif /* DEBUG */ 217#endif /* DEBUG */
206 218
207#ifdef RES_USE_DNSSEC 219#ifdef RES_USE_DNSSEC
208 /* turn on DNSSEC if EDNS0 is configured */ 220 /* turn on DNSSEC if EDNS0 is configured */
209 if (_res.options & RES_USE_EDNS0) 221 if (_resp->options & RES_USE_EDNS0)
210 _res.options |= RES_USE_DNSSEC; 222 _resp->options |= RES_USE_DNSSEC;
211#endif /* RES_USE_DNSEC */ 223#endif /* RES_USE_DNSEC */
212 224
213 /* make query */ 225 /* make query */
@@ -257,13 +269,11 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
257#endif 269#endif
258 270
259 /* copy name from answer section */ 271 /* copy name from answer section */
260 length = strlen(response->answer->name); 272 rrset->rri_name = strdup(response->answer->name);
261 rrset->rri_name = malloc(length + 1);
262 if (rrset->rri_name == NULL) { 273 if (rrset->rri_name == NULL) {
263 result = ERRSET_NOMEMORY; 274 result = ERRSET_NOMEMORY;
264 goto fail; 275 goto fail;
265 } 276 }
266 strlcpy(rrset->rri_name, response->answer->name, length + 1);
267 277
268 /* count answers */ 278 /* count answers */
269 rrset->rri_nrdatas = count_dns_rr(response->answer, rrset->rri_rdclass, 279 rrset->rri_nrdatas = count_dns_rr(response->answer, rrset->rri_rdclass,
@@ -281,7 +291,7 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
281 291
282 /* allocate memory for signatures */ 292 /* allocate memory for signatures */
283 rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo)); 293 rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
284 if (rrset->rri_nsigs > 0 && rrset->rri_sigs == NULL) { 294 if (rrset->rri_sigs == NULL) {
285 result = ERRSET_NOMEMORY; 295 result = ERRSET_NOMEMORY;
286 goto fail; 296 goto fail;
287 } 297 }
@@ -311,6 +321,7 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
311 memcpy(rdata->rdi_data, rr->rdata, rr->size); 321 memcpy(rdata->rdi_data, rr->rdata, rr->size);
312 } 322 }
313 } 323 }
324 free_dns_response(response);
314 325
315 *res = rrset; 326 *res = rrset;
316 return (ERRSET_SUCCESS); 327 return (ERRSET_SUCCESS);
@@ -318,6 +329,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
318fail: 329fail:
319 if (rrset != NULL) 330 if (rrset != NULL)
320 freerrset(rrset); 331 freerrset(rrset);
332 if (response != NULL)
333 free_dns_response(response);
321 return (result); 334 return (result);
322} 335}
323 336
@@ -467,7 +480,8 @@ parse_dns_qsection(const u_char *answer, int size, const u_char **cp, int count)
467} 480}
468 481
469static struct dns_rr * 482static struct dns_rr *
470parse_dns_rrsection(const u_char *answer, int size, const u_char **cp, int count) 483parse_dns_rrsection(const u_char *answer, int size, const u_char **cp,
484 int count)
471{ 485{
472 struct dns_rr *head, *curr, *prev; 486 struct dns_rr *head, *curr, *prev;
473 int i, length; 487 int i, length;
diff --git a/openbsd-compat/glob.c b/openbsd-compat/glob.c
index 7fafc8c40..f6a04ea3f 100644
--- a/openbsd-compat/glob.c
+++ b/openbsd-compat/glob.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/gen/glob.c */ 1/* $OpenBSD: glob.c,v 1.25 2005/08/08 08:05:34 espie Exp $ */
2
3/* 2/*
4 * Copyright (c) 1989, 1993 3 * Copyright (c) 1989, 1993
5 * The Regents of the University of California. All rights reserved. 4 * The Regents of the University of California. All rights reserved.
@@ -32,6 +31,8 @@
32 * SUCH DAMAGE. 31 * SUCH DAMAGE.
33 */ 32 */
34 33
34/* OPENBSD ORIGINAL: lib/libc/gen/glob.c */
35
35#include "includes.h" 36#include "includes.h"
36#include <ctype.h> 37#include <ctype.h>
37 38
@@ -50,14 +51,6 @@ get_arg_max(void)
50#if !defined(HAVE_GLOB) || !defined(GLOB_HAS_ALTDIRFUNC) || \ 51#if !defined(HAVE_GLOB) || !defined(GLOB_HAS_ALTDIRFUNC) || \
51 !defined(GLOB_HAS_GL_MATCHC) 52 !defined(GLOB_HAS_GL_MATCHC)
52 53
53#if defined(LIBC_SCCS) && !defined(lint)
54#if 0
55static char sccsid[] = "@(#)glob.c 8.3 (Berkeley) 10/13/93";
56#else
57static char rcsid[] = "$OpenBSD: glob.c,v 1.22 2003/06/25 21:16:47 deraadt Exp $";
58#endif
59#endif /* LIBC_SCCS and not lint */
60
61/* 54/*
62 * glob(3) -- a superset of the one defined in POSIX 1003.2. 55 * glob(3) -- a superset of the one defined in POSIX 1003.2.
63 * 56 *
@@ -158,10 +151,8 @@ static void qprintf(const char *, Char *);
158#endif 151#endif
159 152
160int 153int
161glob(pattern, flags, errfunc, pglob) 154glob(const char *pattern, int flags, int (*errfunc)(const char *, int),
162 const char *pattern; 155 glob_t *pglob)
163 int flags, (*errfunc)(const char *, int);
164 glob_t *pglob;
165{ 156{
166 const u_char *patnext; 157 const u_char *patnext;
167 int c; 158 int c;
@@ -209,9 +200,7 @@ glob(pattern, flags, errfunc, pglob)
209 * characters 200 * characters
210 */ 201 */
211static int 202static int
212globexp1(pattern, pglob) 203globexp1(const Char *pattern, glob_t *pglob)
213 const Char *pattern;
214 glob_t *pglob;
215{ 204{
216 const Char* ptr = pattern; 205 const Char* ptr = pattern;
217 int rv; 206 int rv;
@@ -234,10 +223,7 @@ globexp1(pattern, pglob)
234 * If it fails then it tries to glob the rest of the pattern and returns. 223 * If it fails then it tries to glob the rest of the pattern and returns.
235 */ 224 */
236static int 225static int
237globexp2(ptr, pattern, pglob, rv) 226globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv)
238 const Char *ptr, *pattern;
239 glob_t *pglob;
240 int *rv;
241{ 227{
242 int i; 228 int i;
243 Char *lm, *ls; 229 Char *lm, *ls;
@@ -342,11 +328,7 @@ globexp2(ptr, pattern, pglob, rv)
342 * expand tilde from the passwd file. 328 * expand tilde from the passwd file.
343 */ 329 */
344static const Char * 330static const Char *
345globtilde(pattern, patbuf, patbuf_len, pglob) 331globtilde(const Char *pattern, Char *patbuf, size_t patbuf_len, glob_t *pglob)
346 const Char *pattern;
347 Char *patbuf;
348 size_t patbuf_len;
349 glob_t *pglob;
350{ 332{
351 struct passwd *pwd; 333 struct passwd *pwd;
352 char *h; 334 char *h;
@@ -414,9 +396,7 @@ globtilde(pattern, patbuf, patbuf_len, pglob)
414 * to find no matches. 396 * to find no matches.
415 */ 397 */
416static int 398static int
417glob0(pattern, pglob) 399glob0(const Char *pattern, glob_t *pglob)
418 const Char *pattern;
419 glob_t *pglob;
420{ 400{
421 const Char *qpatnext; 401 const Char *qpatnext;
422 int c, err, oldpathc; 402 int c, err, oldpathc;
@@ -503,17 +483,13 @@ glob0(pattern, pglob)
503} 483}
504 484
505static int 485static int
506compare(p, q) 486compare(const void *p, const void *q)
507 const void *p, *q;
508{ 487{
509 return(strcmp(*(char **)p, *(char **)q)); 488 return(strcmp(*(char **)p, *(char **)q));
510} 489}
511 490
512static int 491static int
513glob1(pattern, pattern_last, pglob, limitp) 492glob1(Char *pattern, Char *pattern_last, glob_t *pglob, size_t *limitp)
514 Char *pattern, *pattern_last;
515 glob_t *pglob;
516 size_t *limitp;
517{ 493{
518 Char pathbuf[MAXPATHLEN]; 494 Char pathbuf[MAXPATHLEN];
519 495
@@ -531,12 +507,8 @@ glob1(pattern, pattern_last, pglob, limitp)
531 * meta characters. 507 * meta characters.
532 */ 508 */
533static int 509static int
534glob2(pathbuf, pathbuf_last, pathend, pathend_last, pattern, 510glob2(Char *pathbuf, Char *pathbuf_last, Char *pathend, Char *pathend_last,
535 pattern_last, pglob, limitp) 511 Char *pattern, Char *pattern_last, glob_t *pglob, size_t *limitp)
536 Char *pathbuf, *pathbuf_last, *pathend, *pathend_last;
537 Char *pattern, *pattern_last;
538 glob_t *pglob;
539 size_t *limitp;
540{ 512{
541 struct stat sb; 513 struct stat sb;
542 Char *p, *q; 514 Char *p, *q;
@@ -595,14 +567,11 @@ glob2(pathbuf, pathbuf_last, pathend, pathend_last, pattern,
595} 567}
596 568
597static int 569static int
598glob3(pathbuf, pathbuf_last, pathend, pathend_last, pattern, pattern_last, 570glob3(Char *pathbuf, Char *pathbuf_last, Char *pathend, Char *pathend_last,
599 restpattern, restpattern_last, pglob, limitp) 571 Char *pattern, Char *pattern_last, Char *restpattern,
600 Char *pathbuf, *pathbuf_last, *pathend, *pathend_last; 572 Char *restpattern_last, glob_t *pglob, size_t *limitp)
601 Char *pattern, *pattern_last, *restpattern, *restpattern_last;
602 glob_t *pglob;
603 size_t *limitp;
604{ 573{
605 register struct dirent *dp; 574 struct dirent *dp;
606 DIR *dirp; 575 DIR *dirp;
607 int err; 576 int err;
608 char buf[MAXPATHLEN]; 577 char buf[MAXPATHLEN];
@@ -640,8 +609,8 @@ glob3(pathbuf, pathbuf_last, pathend, pathend_last, pattern, pattern_last,
640 else 609 else
641 readdirfunc = (struct dirent *(*)(void *))readdir; 610 readdirfunc = (struct dirent *(*)(void *))readdir;
642 while ((dp = (*readdirfunc)(dirp))) { 611 while ((dp = (*readdirfunc)(dirp))) {
643 register u_char *sc; 612 u_char *sc;
644 register Char *dc; 613 Char *dc;
645 614
646 /* Initial DOT must be matched literally. */ 615 /* Initial DOT must be matched literally. */
647 if (dp->d_name[0] == DOT && *pattern != DOT) 616 if (dp->d_name[0] == DOT && *pattern != DOT)
@@ -689,13 +658,10 @@ glob3(pathbuf, pathbuf_last, pathend, pathend_last, pattern, pattern_last,
689 * gl_pathv points to (gl_offs + gl_pathc + 1) items. 658 * gl_pathv points to (gl_offs + gl_pathc + 1) items.
690 */ 659 */
691static int 660static int
692globextend(path, pglob, limitp) 661globextend(const Char *path, glob_t *pglob, size_t *limitp)
693 const Char *path;
694 glob_t *pglob;
695 size_t *limitp;
696{ 662{
697 register char **pathv; 663 char **pathv;
698 register int i; 664 int i;
699 u_int newsize, len; 665 u_int newsize, len;
700 char *copy; 666 char *copy;
701 const Char *p; 667 const Char *p;
@@ -747,8 +713,7 @@ globextend(path, pglob, limitp)
747 * pattern causes a recursion level. 713 * pattern causes a recursion level.
748 */ 714 */
749static int 715static int
750match(name, pat, patend) 716match(Char *name, Char *pat, Char *patend)
751 register Char *name, *pat, *patend;
752{ 717{
753 int ok, negate_range; 718 int ok, negate_range;
754 Char c, k; 719 Char c, k;
@@ -759,11 +724,10 @@ match(name, pat, patend)
759 case M_ALL: 724 case M_ALL:
760 if (pat == patend) 725 if (pat == patend)
761 return(1); 726 return(1);
762 do 727 do {
763 if (match(name, pat, patend)) 728 if (match(name, pat, patend))
764 return(1); 729 return(1);
765 while (*name++ != EOS) 730 } while (*name++ != EOS);
766 ;
767 return(0); 731 return(0);
768 case M_ONE: 732 case M_ONE:
769 if (*name++ == EOS) 733 if (*name++ == EOS)
@@ -796,11 +760,10 @@ match(name, pat, patend)
796 760
797/* Free allocated data belonging to a glob_t structure. */ 761/* Free allocated data belonging to a glob_t structure. */
798void 762void
799globfree(pglob) 763globfree(glob_t *pglob)
800 glob_t *pglob;
801{ 764{
802 register int i; 765 int i;
803 register char **pp; 766 char **pp;
804 767
805 if (pglob->gl_pathv != NULL) { 768 if (pglob->gl_pathv != NULL) {
806 pp = pglob->gl_pathv + pglob->gl_offs; 769 pp = pglob->gl_pathv + pglob->gl_offs;
@@ -813,9 +776,7 @@ globfree(pglob)
813} 776}
814 777
815static DIR * 778static DIR *
816g_opendir(str, pglob) 779g_opendir(Char *str, glob_t *pglob)
817 register Char *str;
818 glob_t *pglob;
819{ 780{
820 char buf[MAXPATHLEN]; 781 char buf[MAXPATHLEN];
821 782
@@ -833,10 +794,7 @@ g_opendir(str, pglob)
833} 794}
834 795
835static int 796static int
836g_lstat(fn, sb, pglob) 797g_lstat(Char *fn, struct stat *sb, glob_t *pglob)
837 register Char *fn;
838 struct stat *sb;
839 glob_t *pglob;
840{ 798{
841 char buf[MAXPATHLEN]; 799 char buf[MAXPATHLEN];
842 800
@@ -848,10 +806,7 @@ g_lstat(fn, sb, pglob)
848} 806}
849 807
850static int 808static int
851g_stat(fn, sb, pglob) 809g_stat(Char *fn, struct stat *sb, glob_t *pglob)
852 register Char *fn;
853 struct stat *sb;
854 glob_t *pglob;
855{ 810{
856 char buf[MAXPATHLEN]; 811 char buf[MAXPATHLEN];
857 812
@@ -863,9 +818,7 @@ g_stat(fn, sb, pglob)
863} 818}
864 819
865static Char * 820static Char *
866g_strchr(str, ch) 821g_strchr(Char *str, int ch)
867 Char *str;
868 int ch;
869{ 822{
870 do { 823 do {
871 if (*str == ch) 824 if (*str == ch)
@@ -875,10 +828,7 @@ g_strchr(str, ch)
875} 828}
876 829
877static int 830static int
878g_Ctoc(str, buf, len) 831g_Ctoc(const Char *str, char *buf, u_int len)
879 register const Char *str;
880 char *buf;
881 u_int len;
882{ 832{
883 833
884 while (len--) { 834 while (len--) {
@@ -890,11 +840,9 @@ g_Ctoc(str, buf, len)
890 840
891#ifdef DEBUG 841#ifdef DEBUG
892static void 842static void
893qprintf(str, s) 843qprintf(const char *str, Char *s)
894 const char *str;
895 register Char *s;
896{ 844{
897 register Char *p; 845 Char *p;
898 846
899 (void)printf("%s:\n", str); 847 (void)printf("%s:\n", str);
900 for (p = s; *p; p++) 848 for (p = s; *p; p++)
diff --git a/openbsd-compat/glob.h b/openbsd-compat/glob.h
index 3428b2013..4fdbfc1ea 100644
--- a/openbsd-compat/glob.h
+++ b/openbsd-compat/glob.h
@@ -1,6 +1,4 @@
1/* OPENBSD ORIGINAL: include/glob.h */ 1/* $OpenBSD: glob.h,v 1.9 2004/10/07 16:56:11 millert Exp $ */
2
3/* $OpenBSD: glob.h,v 1.8 2003/06/02 19:34:12 millert Exp $ */
4/* $NetBSD: glob.h,v 1.5 1994/10/26 00:55:56 cgd Exp $ */ 2/* $NetBSD: glob.h,v 1.5 1994/10/26 00:55:56 cgd Exp $ */
5 3
6/* 4/*
@@ -37,6 +35,8 @@
37 * @(#)glob.h 8.1 (Berkeley) 6/2/93 35 * @(#)glob.h 8.1 (Berkeley) 6/2/93
38 */ 36 */
39 37
38/* OPENBSD ORIGINAL: include/glob.h */
39
40#if !defined(HAVE_GLOB_H) || !defined(GLOB_HAS_ALTDIRFUNC) || \ 40#if !defined(HAVE_GLOB_H) || !defined(GLOB_HAS_ALTDIRFUNC) || \
41 !defined(GLOB_HAS_GL_MATCHC) 41 !defined(GLOB_HAS_GL_MATCHC)
42 42
@@ -72,6 +72,7 @@ typedef struct {
72#define GLOB_MARK 0x0008 /* Append / to matching directories. */ 72#define GLOB_MARK 0x0008 /* Append / to matching directories. */
73#define GLOB_NOCHECK 0x0010 /* Return pattern itself if nothing matches. */ 73#define GLOB_NOCHECK 0x0010 /* Return pattern itself if nothing matches. */
74#define GLOB_NOSORT 0x0020 /* Don't sort. */ 74#define GLOB_NOSORT 0x0020 /* Don't sort. */
75#define GLOB_NOESCAPE 0x1000 /* Disable backslash escaping. */
75 76
76#define GLOB_ALTDIRFUNC 0x0040 /* Use alternately specified directory funcs. */ 77#define GLOB_ALTDIRFUNC 0x0040 /* Use alternately specified directory funcs. */
77#define GLOB_BRACE 0x0080 /* Expand braces ala csh. */ 78#define GLOB_BRACE 0x0080 /* Expand braces ala csh. */
@@ -79,7 +80,6 @@ typedef struct {
79#define GLOB_NOMAGIC 0x0200 /* GLOB_NOCHECK without magic chars (csh). */ 80#define GLOB_NOMAGIC 0x0200 /* GLOB_NOCHECK without magic chars (csh). */
80#define GLOB_QUOTE 0x0400 /* Quote special chars with \. */ 81#define GLOB_QUOTE 0x0400 /* Quote special chars with \. */
81#define GLOB_TILDE 0x0800 /* Expand tilde names from the passwd file. */ 82#define GLOB_TILDE 0x0800 /* Expand tilde names from the passwd file. */
82#define GLOB_NOESCAPE 0x1000 /* Disable backslash escaping. */
83#define GLOB_LIMIT 0x2000 /* Limit pattern match output to ARG_MAX */ 83#define GLOB_LIMIT 0x2000 /* Limit pattern match output to ARG_MAX */
84 84
85/* Error values returned by glob(3) */ 85/* Error values returned by glob(3) */
diff --git a/openbsd-compat/inet_aton.c b/openbsd-compat/inet_aton.c
index c141bcc68..130597e14 100644
--- a/openbsd-compat/inet_aton.c
+++ b/openbsd-compat/inet_aton.c
@@ -1,6 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/net/inet_addr.c */ 1/* $OpenBSD: inet_addr.c,v 1.9 2005/08/06 20:30:03 espie Exp $ */
2
3/* $OpenBSD: inet_addr.c,v 1.7 2003/06/02 20:18:35 millert Exp $ */
4 2
5/* 3/*
6 * Copyright (c) 1983, 1990, 1993 4 * Copyright (c) 1983, 1990, 1993
@@ -51,19 +49,12 @@
51 * --Copyright-- 49 * --Copyright--
52 */ 50 */
53 51
52/* OPENBSD ORIGINAL: lib/libc/net/inet_addr.c */
53
54#include "includes.h" 54#include "includes.h"
55 55
56#if !defined(HAVE_INET_ATON) 56#if !defined(HAVE_INET_ATON)
57 57
58#if defined(LIBC_SCCS) && !defined(lint)
59#if 0
60static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
61static char rcsid[] = "$From: inet_addr.c,v 8.5 1996/08/05 08:31:35 vixie Exp $";
62#else
63static char rcsid[] = "$OpenBSD: inet_addr.c,v 1.7 2003/06/02 20:18:35 millert Exp $";
64#endif
65#endif /* LIBC_SCCS and not lint */
66
67#include <sys/types.h> 58#include <sys/types.h>
68#include <sys/param.h> 59#include <sys/param.h>
69#include <netinet/in.h> 60#include <netinet/in.h>
@@ -76,8 +67,7 @@ static char rcsid[] = "$OpenBSD: inet_addr.c,v 1.7 2003/06/02 20:18:35 millert E
76 * The value returned is in network order. 67 * The value returned is in network order.
77 */ 68 */
78in_addr_t 69in_addr_t
79inet_addr(cp) 70inet_addr(const char *cp)
80 register const char *cp;
81{ 71{
82 struct in_addr val; 72 struct in_addr val;
83 73
@@ -97,11 +87,11 @@ inet_addr(cp)
97int 87int
98inet_aton(const char *cp, struct in_addr *addr) 88inet_aton(const char *cp, struct in_addr *addr)
99{ 89{
100 register u_int32_t val; 90 u_int32_t val;
101 register int base, n; 91 int base, n;
102 register char c; 92 char c;
103 unsigned int parts[4]; 93 u_int parts[4];
104 register unsigned int *pp = parts; 94 u_int *pp = parts;
105 95
106 c = *cp; 96 c = *cp;
107 for (;;) { 97 for (;;) {
diff --git a/openbsd-compat/inet_ntoa.c b/openbsd-compat/inet_ntoa.c
index dc010dc53..0eb7b3bd7 100644
--- a/openbsd-compat/inet_ntoa.c
+++ b/openbsd-compat/inet_ntoa.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/net/inet_ntoa.c */ 1/* $OpenBSD: inet_ntoa.c,v 1.6 2005/08/06 20:30:03 espie Exp $ */
2
3/* 2/*
4 * Copyright (c) 1983, 1993 3 * Copyright (c) 1983, 1993
5 * The Regents of the University of California. All rights reserved. 4 * The Regents of the University of California. All rights reserved.
@@ -29,14 +28,12 @@
29 * SUCH DAMAGE. 28 * SUCH DAMAGE.
30 */ 29 */
31 30
31/* OPENBSD ORIGINAL: lib/libc/net/inet_ntoa.c */
32
32#include "includes.h" 33#include "includes.h"
33 34
34#if defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA) 35#if defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA)
35 36
36#if defined(LIBC_SCCS) && !defined(lint)
37static char rcsid[] = "$OpenBSD: inet_ntoa.c,v 1.4 2003/06/02 20:18:35 millert Exp $";
38#endif /* LIBC_SCCS and not lint */
39
40/* 37/*
41 * Convert network-format internet address 38 * Convert network-format internet address
42 * to base 256 d.d.d.d representation. 39 * to base 256 d.d.d.d representation.
@@ -46,10 +43,11 @@ static char rcsid[] = "$OpenBSD: inet_ntoa.c,v 1.4 2003/06/02 20:18:35 millert E
46#include <arpa/inet.h> 43#include <arpa/inet.h>
47#include <stdio.h> 44#include <stdio.h>
48 45
49char *inet_ntoa(struct in_addr in) 46char *
47inet_ntoa(struct in_addr in)
50{ 48{
51 static char b[18]; 49 static char b[18];
52 register char *p; 50 char *p;
53 51
54 p = (char *)&in; 52 p = (char *)&in;
55#define UC(b) (((int)b)&0xff) 53#define UC(b) (((int)b)&0xff)
diff --git a/openbsd-compat/inet_ntop.c b/openbsd-compat/inet_ntop.c
index 47796c370..e7ca4b7f8 100644
--- a/openbsd-compat/inet_ntop.c
+++ b/openbsd-compat/inet_ntop.c
@@ -1,6 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/net/inet_ntop.c */ 1/* $OpenBSD: inet_ntop.c,v 1.7 2005/08/06 20:30:03 espie Exp $ */
2
3/* $OpenBSD: inet_ntop.c,v 1.5 2002/08/23 16:27:31 itojun Exp $ */
4 2
5/* Copyright (c) 1996 by Internet Software Consortium. 3/* Copyright (c) 1996 by Internet Software Consortium.
6 * 4 *
@@ -18,18 +16,12 @@
18 * SOFTWARE. 16 * SOFTWARE.
19 */ 17 */
20 18
19/* OPENBSD ORIGINAL: lib/libc/net/inet_ntop.c */
20
21#include "includes.h" 21#include "includes.h"
22 22
23#ifndef HAVE_INET_NTOP 23#ifndef HAVE_INET_NTOP
24 24
25#if defined(LIBC_SCCS) && !defined(lint)
26#if 0
27static char rcsid[] = "$From: inet_ntop.c,v 8.7 1996/08/05 08:41:18 vixie Exp $";
28#else
29static char rcsid[] = "$OpenBSD: inet_ntop.c,v 1.5 2002/08/23 16:27:31 itojun Exp $";
30#endif
31#endif /* LIBC_SCCS and not lint */
32
33#include <sys/param.h> 25#include <sys/param.h>
34#include <sys/types.h> 26#include <sys/types.h>
35#include <sys/socket.h> 27#include <sys/socket.h>
@@ -65,11 +57,7 @@ static const char *inet_ntop6(const u_char *src, char *dst, size_t size);
65 * Paul Vixie, 1996. 57 * Paul Vixie, 1996.
66 */ 58 */
67const char * 59const char *
68inet_ntop(af, src, dst, size) 60inet_ntop(int af, const void *src, char *dst, size_t size)
69 int af;
70 const void *src;
71 char *dst;
72 size_t size;
73{ 61{
74 switch (af) { 62 switch (af) {
75 case AF_INET: 63 case AF_INET:
@@ -95,10 +83,7 @@ inet_ntop(af, src, dst, size)
95 * Paul Vixie, 1996. 83 * Paul Vixie, 1996.
96 */ 84 */
97static const char * 85static const char *
98inet_ntop4(src, dst, size) 86inet_ntop4(const u_char *src, char *dst, size_t size)
99 const u_char *src;
100 char *dst;
101 size_t size;
102{ 87{
103 static const char fmt[] = "%u.%u.%u.%u"; 88 static const char fmt[] = "%u.%u.%u.%u";
104 char tmp[sizeof "255.255.255.255"]; 89 char tmp[sizeof "255.255.255.255"];
@@ -120,10 +105,7 @@ inet_ntop4(src, dst, size)
120 * Paul Vixie, 1996. 105 * Paul Vixie, 1996.
121 */ 106 */
122static const char * 107static const char *
123inet_ntop6(src, dst, size) 108inet_ntop6(const u_char *src, char *dst, size_t size)
124 const u_char *src;
125 char *dst;
126 size_t size;
127{ 109{
128 /* 110 /*
129 * Note that int32_t and int16_t need only be "at least" large enough 111 * Note that int32_t and int16_t need only be "at least" large enough
diff --git a/openbsd-compat/mktemp.c b/openbsd-compat/mktemp.c
index 969f69580..88e04c520 100644
--- a/openbsd-compat/mktemp.c
+++ b/openbsd-compat/mktemp.c
@@ -1,8 +1,7 @@
1/* OPENBSD ORIGINAL: lib/libc/stdio/mktemp.c */
2
3/* THIS FILE HAS BEEN MODIFIED FROM THE ORIGINAL OPENBSD SOURCE */ 1/* THIS FILE HAS BEEN MODIFIED FROM THE ORIGINAL OPENBSD SOURCE */
4/* Changes: Removed mktemp */ 2/* Changes: Removed mktemp */
5 3
4/* $OpenBSD: mktemp.c,v 1.19 2005/08/08 08:05:36 espie Exp $ */
6/* 5/*
7 * Copyright (c) 1987, 1993 6 * Copyright (c) 1987, 1993
8 * The Regents of the University of California. All rights reserved. 7 * The Regents of the University of California. All rights reserved.
@@ -32,20 +31,16 @@
32 * SUCH DAMAGE. 31 * SUCH DAMAGE.
33 */ 32 */
34 33
34/* OPENBSD ORIGINAL: lib/libc/stdio/mktemp.c */
35
35#include "includes.h" 36#include "includes.h"
36 37
37#if !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP) 38#if !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP)
38 39
39#if defined(LIBC_SCCS) && !defined(lint)
40static char rcsid[] = "$OpenBSD: mktemp.c,v 1.17 2003/06/02 20:18:37 millert Exp $";
41#endif /* LIBC_SCCS and not lint */
42
43static int _gettemp(char *, int *, int, int); 40static int _gettemp(char *, int *, int, int);
44 41
45int 42int
46mkstemps(path, slen) 43mkstemps(char *path, int slen)
47 char *path;
48 int slen;
49{ 44{
50 int fd; 45 int fd;
51 46
@@ -53,8 +48,7 @@ mkstemps(path, slen)
53} 48}
54 49
55int 50int
56mkstemp(path) 51mkstemp(char *path)
57 char *path;
58{ 52{
59 int fd; 53 int fd;
60 54
@@ -62,8 +56,7 @@ mkstemp(path)
62} 56}
63 57
64char * 58char *
65mkdtemp(path) 59mkdtemp(char *path)
66 char *path;
67{ 60{
68 return(_gettemp(path, (int *)NULL, 1, 0) ? path : (char *)NULL); 61 return(_gettemp(path, (int *)NULL, 1, 0) ? path : (char *)NULL);
69} 62}
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index ba68bc27e..1a3027353 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
1/* $Id: openbsd-compat.h,v 1.30 2005/08/26 20:15:20 tim Exp $ */ 1/* $Id: openbsd-compat.h,v 1.33 2005/12/31 05:33:37 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 1999-2003 Damien Miller. All rights reserved. 4 * Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@@ -142,6 +142,10 @@ unsigned int arc4random(void);
142void arc4random_stir(void); 142void arc4random_stir(void);
143#endif /* !HAVE_ARC4RANDOM */ 143#endif /* !HAVE_ARC4RANDOM */
144 144
145#ifndef HAVE_ASPRINTF
146int asprintf(char **, const char *, ...);
147#endif
148
145#ifndef HAVE_OPENPTY 149#ifndef HAVE_OPENPTY
146int openpty(int *, int *, char *, struct termios *, struct winsize *); 150int openpty(int *, int *, char *, struct termios *, struct winsize *);
147#endif /* HAVE_OPENPTY */ 151#endif /* HAVE_OPENPTY */
@@ -152,10 +156,18 @@ int openpty(int *, int *, char *, struct termios *, struct winsize *);
152int snprintf(char *, size_t, const char *, ...); 156int snprintf(char *, size_t, const char *, ...);
153#endif 157#endif
154 158
159#ifndef HAVE_STRTOLL
160long long strtoll(const char *, char **, int);
161#endif
162
155#ifndef HAVE_STRTONUM 163#ifndef HAVE_STRTONUM
156long long strtonum(const char *, long long, long long, const char **); 164long long strtonum(const char *, long long, long long, const char **);
157#endif 165#endif
158 166
167#ifndef HAVE_VASPRINTF
168int vasprintf(char **, const char *, va_list);
169#endif
170
159#ifndef HAVE_VSNPRINTF 171#ifndef HAVE_VSNPRINTF
160int vsnprintf(char *, size_t, const char *, va_list); 172int vsnprintf(char *, size_t, const char *, va_list);
161#endif 173#endif
@@ -174,5 +186,6 @@ char *shadow_pw(struct passwd *pw);
174#include "port-irix.h" 186#include "port-irix.h"
175#include "port-aix.h" 187#include "port-aix.h"
176#include "port-uw.h" 188#include "port-uw.h"
189#include "port-tun.h"
177 190
178#endif /* _OPENBSD_COMPAT_H */ 191#endif /* _OPENBSD_COMPAT_H */
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index d9b2fa55f..8a015ec43 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -1,4 +1,4 @@
1/* $Id: openssl-compat.h,v 1.1 2005/06/09 11:45:11 dtucker Exp $ */ 1/* $Id: openssl-compat.h,v 1.3 2005/12/19 06:40:40 dtucker Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> 4 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -24,7 +24,11 @@
24# define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data) 24# define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
25#endif 25#endif
26 26
27#if OPENSSL_VERSION_NUMBER < 0x00907000L 27#if (OPENSSL_VERSION_NUMBER < 0x00907000L) || defined(OPENSSL_LOBOTOMISED_AES)
28# define USE_BUILTIN_RIJNDAEL
29#endif
30
31#ifdef USE_BUILTIN_RIJNDAEL
28# define EVP_aes_128_cbc evp_rijndael 32# define EVP_aes_128_cbc evp_rijndael
29# define EVP_aes_192_cbc evp_rijndael 33# define EVP_aes_192_cbc evp_rijndael
30# define EVP_aes_256_cbc evp_rijndael 34# define EVP_aes_256_cbc evp_rijndael
@@ -43,7 +47,12 @@ extern const EVP_CIPHER *evp_acss(void);
43#endif 47#endif
44 48
45/* 49/*
46 * insert comment here 50 * We overload some of the OpenSSL crypto functions with ssh_* equivalents
51 * which cater for older and/or less featureful OpenSSL version.
52 *
53 * In order for the compat library to call the real functions, it must
54 * define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and
55 * implement the ssh_* equivalents.
47 */ 56 */
48#ifdef SSH_OLD_EVP 57#ifdef SSH_OLD_EVP
49 58
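Review bot: The new `USE_BUILTIN_RIJNDAEL` switch routes the `EVP_aes_*_cbc` names to the bundled `evp_rijndael` whenever `OPENSSL_LOBOTOMISED_AES` is defined, but nothing in this header says what that macro means or who defines it. Because this silently changes which cipher implementation is used, it should have a comment above the `#if`, for example `/* OPENSSL_LOBOTOMISED_AES: OpenSSL lacks some AES variants (presumably detected by configure); fall back to our rijndael */`. In the rewritten block comment further down, "OpenSSL version" should read "OpenSSL versions".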
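--- /dev/null
+++ b/openbsd-compat/port-tun.c
@@ -0,0 +1,252 @@
+/*
+ * Copyright (c) 2005 Reyk Floeter <reyk@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#include "log.h"
+#include "misc.h"
+#include "bufaux.h"
+
+/*
+ * This is the portable version of the SSH tunnel forwarding, it
+ * uses some preprocessor definitions for various platform-specific
+ * settings.
+ *
+ * SSH_TUN_LINUX Use the (newer) Linux tun/tap device
+ * SSH_TUN_COMPAT_AF Translate the OpenBSD address family
+ * SSH_TUN_PREPEND_AF Prepend/remove the address family
+ */
+
+/*
+ * System-specific tunnel open function
+ */
+
+#if defined(SSH_TUN_LINUX)
+#include <linux/if.h>
+#include <linux/if_tun.h>
+
+int
+sys_tun_open(int tun, int mode)
+{
+ struct ifreq ifr;
+ int fd = -1;
+ const char *name = NULL;
+
+ if ((fd = open("/dev/net/tun", O_RDWR)) == -1) {
+ debug("%s: failed to open tunnel control interface: %s",
+ __func__, strerror(errno));
+ return (-1);
+ }
+
+ bzero(&ifr, sizeof(ifr));
+
+ if (mode == SSH_TUNMODE_ETHERNET) {
+ ifr.ifr_flags = IFF_TAP;
+ name = "tap%d";
+ } else {
+ ifr.ifr_flags = IFF_TUN;
+ name = "tun%d";
+ }
+ ifr.ifr_flags |= IFF_NO_PI;
+
+ if (tun != SSH_TUNID_ANY) {
+ if (tun > SSH_TUNID_MAX) {
+ debug("%s: invalid tunnel id %x: %s", __func__,
+ tun, strerror(errno));
+ goto failed;
+ }
+ snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), name, tun);
+ }
+
+ if (ioctl(fd, TUNSETIFF, &ifr) == -1) {
+ debug("%s: failed to configure tunnel (mode %d): %s", __func__,
+ mode, strerror(errno));
+ goto failed;
+ }
+
+ if (tun == SSH_TUNID_ANY)
+ debug("%s: tunnel mode %d fd %d", __func__, mode, fd);
+ else
+ debug("%s: %s mode %d fd %d", __func__, ifr.ifr_name, mode, fd);
+
+ return (fd);
+
+ failed:
+ close(fd);
+ return (-1);
+}
+#endif /* SSH_TUN_LINUX */
+
+#ifdef SSH_TUN_FREEBSD
+#include <sys/socket.h>
+#include <net/if.h>
+#include <net/if_tun.h>
+
+int
+sys_tun_open(int tun, int mode)
+{
+ struct ifreq ifr;
+ char name[100];
+ int fd = -1, sock, flag;
+ const char *tunbase = "tun";
+
+ if (mode == SSH_TUNMODE_ETHERNET) {
+#ifdef SSH_TUN_NO_L2
+ debug("%s: no layer 2 tunnelling support", __func__);
+ return (-1);
+#else
+ tunbase = "tap";
+#endif
+ }
+
+ /* Open the tunnel device */
+ if (tun <= SSH_TUNID_MAX) {
+ snprintf(name, sizeof(name), "/dev/%s%d", tunbase, tun);
+ fd = open(name, O_RDWR);
+ } else if (tun == SSH_TUNID_ANY) {
+ for (tun = 100; tun >= 0; tun--) {
+ snprintf(name, sizeof(name), "/dev/%s%d",
+ tunbase, tun);
+ if ((fd = open(name, O_RDWR)) >= 0)
+ break;
+ }
+ } else {
+ debug("%s: invalid tunnel %u\n", __func__, tun);
+ return (-1);
+ }
+
+ if (fd < 0) {
+ debug("%s: %s open failed: %s", __func__, name,
+ strerror(errno));
+ return (-1);
+ }
+
+ /* Turn on tunnel headers */
+ flag = 1;
+#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+ if (mode != SSH_TUNMODE_ETHERNET &&
+ ioctl(fd, TUNSIFHEAD, &flag) == -1) {
+ debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd,
+ strerror(errno));
+ close(fd);
+ }
+#endif
+
+ debug("%s: %s mode %d fd %d", __func__, name, mode, fd);
+
+ /* Set the tunnel device operation mode */
+ snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s%d", tunbase, tun);
+ if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1)
+ goto failed;
+
+ if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1)
+ goto failed;
+ ifr.ifr_flags |= IFF_UP;
+ if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1)
+ goto failed;
+
+ close(sock);
+ return (fd);
+
+ failed:
+ if (fd >= 0)
+ close(fd);
+ if (sock >= 0)
+ close(sock);
+ debug("%s: failed to set %s mode %d: %s", __func__, name,
+ mode, strerror(errno));
+ return (-1);
+}
+#endif /* SSH_TUN_FREEBSD */
+
+/*
+ * System-specific channel filters
+ */
+
+#if defined(SSH_TUN_FILTER)
+#define OPENBSD_AF_INET 2
+#define OPENBSD_AF_INET6 24
+
+int
+sys_tun_infilter(struct Channel *c, char *buf, int len)
+{
+#if defined(SSH_TUN_PREPEND_AF)
+ char rbuf[CHAN_RBUF];
+ struct ip *iph;
+#endif
+ u_int32_t *af;
+ char *ptr = buf;
+
+#if defined(SSH_TUN_PREPEND_AF)
+ if (len <= 0 || len > (int)(sizeof(rbuf) - sizeof(*af)))
+ return (-1);
+ ptr = (char *)&rbuf[0];
+ bcopy(buf, ptr + sizeof(u_int32_t), len);
+ len += sizeof(u_int32_t);
+ af = (u_int32_t *)ptr;
+
+ iph = (struct ip *)(ptr + sizeof(u_int32_t));
+ switch (iph->ip_v) {
+ case 6:
+ *af = AF_INET6;
+ break;
+ case 4:
+ default:
+ *af = AF_INET;
+ break;
+ }
+#endif
+
+#if defined(SSH_TUN_COMPAT_AF)
+ if (len < (int)sizeof(u_int32_t))
+ return (-1);
+
+ af = (u_int32_t *)ptr;
+ if (*af == htonl(AF_INET6))
+ *af = htonl(OPENBSD_AF_INET6);
+ else
+ *af = htonl(OPENBSD_AF_INET);
+#endif
+
+ buffer_put_string(&c->input, ptr, len);
+ return (0);
+}
+
+u_char *
+sys_tun_outfilter(struct Channel *c, u_char **data, u_int *dlen)
+{
+ u_char *buf;
+ u_int32_t *af;
+
+ *data = buffer_get_string(&c->output, dlen);
+ if (*dlen < sizeof(*af))
+ return (NULL);
+ buf = *data;
+
+#if defined(SSH_TUN_PREPEND_AF)
+ *dlen -= sizeof(u_int32_t);
+ buf = *data + sizeof(u_int32_t);
+#elif defined(SSH_TUN_COMPAT_AF)
+ af = ntohl(*(u_int32_t *)buf);
+ if (*af == OPENBSD_AF_INET6)
+ *af = htonl(AF_INET6);
+ else
+ *af = htonl(AF_INET);
+#endif
+
+ return (buf);
+}
+#endif /* SSH_TUN_FILTER */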
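Review bot: In `sys_tun_outfilter`, the `SSH_TUN_COMPAT_AF` branch assigns an integer to a pointer with `af = ntohl(*(u_int32_t *)buf);` and then reads and writes through `*af`, so the first four bytes pulled from the channel's output buffer are treated as a memory address. Point `af` at the packet and compare in network byte order instead: `af = (u_int32_t *)buf;` followed by `if (*af == htonl(OPENBSD_AF_INET6))`. Separately, in the FreeBSD `sys_tun_open`, the `TUNSIFHEAD` failure path calls `close(fd)` and then falls through, so the function goes on to log, configure and possibly return a closed descriptor; adding `return (-1);` after that `close(fd)` ends the path cleanly.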
diff --git a/openbsd-compat/port-tun.h b/openbsd-compat/port-tun.h
new file mode 100644
index 000000000..86d9272b4
--- /dev/null
+++ b/openbsd-compat/port-tun.h
@@ -0,0 +1,33 @@
1/*
2 * Copyright (c) 2005 Reyk Floeter <reyk@openbsd.org>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17#ifndef _PORT_TUN_H
18#define _PORT_TUN_H
19
20#include "channels.h"
21
22#if defined(SSH_TUN_LINUX) || defined(SSH_TUN_FREEBSD)
23# define CUSTOM_SYS_TUN_OPEN
24int sys_tun_open(int, int);
25#endif
26
27#if defined(SSH_TUN_COMPAT_AF) || defined(SSH_TUN_PREPEND_AF)
28# define SSH_TUN_FILTER
29int sys_tun_infilter(struct Channel *, char *, int);
30u_char *sys_tun_outfilter(struct Channel *, u_char **, u_int *);
31#endif
32
33#endif
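Review bot: The two filter prototypes at new lines 29-30 carry no comment on return values or buffer ownership, and `sys_tun_outfilter` in port-tun.c has a contract that is easy to get wrong. It stores the result of `buffer_get_string()` in `*data`, but under SSH_TUN_PREPEND_AF it returns `*data + sizeof(u_int32_t)`, and it returns NULL when the packet is shorter than four bytes. A caller that frees the returned pointer, or skips the free on NULL, would presumably corrupt or leak that buffer (this assumes `buffer_get_string()` allocates, which is not shown here). I would add above the prototype `/* Returns a pointer into *data (not necessarily its start) or NULL; the caller always frees *data, never the return value. */`, and a matching line for `sys_tun_infilter` saying it returns 0 on success and -1 when the length check fails.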
diff --git a/openbsd-compat/port-uw.c b/openbsd-compat/port-uw.c
index d881ff028..c64427121 100644
--- a/openbsd-compat/port-uw.c
+++ b/openbsd-compat/port-uw.c
@@ -25,7 +25,7 @@
25 25
26#include "includes.h" 26#include "includes.h"
27 27
28#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF) 28#ifdef HAVE_LIBIAF
29#ifdef HAVE_CRYPT_H 29#ifdef HAVE_CRYPT_H
30#include <crypt.h> 30#include <crypt.h>
31#endif 31#endif
@@ -42,7 +42,6 @@ int
42sys_auth_passwd(Authctxt *authctxt, const char *password) 42sys_auth_passwd(Authctxt *authctxt, const char *password)
43{ 43{
44 struct passwd *pw = authctxt->pw; 44 struct passwd *pw = authctxt->pw;
45 char *encrypted_password;
46 char *salt; 45 char *salt;
47 int result; 46 int result;
48 47
@@ -55,21 +54,24 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
55 54
56 /* Encrypt the candidate password using the proper salt. */ 55 /* Encrypt the candidate password using the proper salt. */
57 salt = (pw_password[0] && pw_password[1]) ? pw_password : "xx"; 56 salt = (pw_password[0] && pw_password[1]) ? pw_password : "xx";
58#ifdef UNIXWARE_LONG_PASSWORDS
59 if (!nischeck(pw->pw_name))
60 encrypted_password = bigcrypt(password, salt);
61 else
62#endif /* UNIXWARE_LONG_PASSWORDS */
63 encrypted_password = xcrypt(password, salt);
64 57
65 /* 58 /*
66 * Authentication is accepted if the encrypted passwords 59 * Authentication is accepted if the encrypted passwords
67 * are identical. 60 * are identical.
68 */ 61 */
69 result = (strcmp(encrypted_password, pw_password) == 0); 62#ifdef UNIXWARE_LONG_PASSWORDS
63 if (!nischeck(pw->pw_name)) {
64 result = ((strcmp(bigcrypt(password, salt), pw_password) == 0)
65 || (strcmp(osr5bigcrypt(password, salt), pw_password) == 0));
66 }
67 else
68#endif /* UNIXWARE_LONG_PASSWORDS */
69 result = (strcmp(xcrypt(password, salt), pw_password) == 0);
70 70
71#if !defined(BROKEN_LIBIAF)
71 if (authctxt->valid) 72 if (authctxt->valid)
72 free(pw_password); 73 free(pw_password);
74#endif
73 return(result); 75 return(result);
74} 76}
75 77
@@ -114,6 +116,7 @@ nischeck(char *namep)
114 functions that call shadow_pw() will need to free 116 functions that call shadow_pw() will need to free
115 */ 117 */
116 118
119#if !defined(BROKEN_LIBIAF)
117char * 120char *
118get_iaf_password(struct passwd *pw) 121get_iaf_password(struct passwd *pw)
119{ 122{
@@ -130,5 +133,6 @@ get_iaf_password(struct passwd *pw)
130 else 133 else
131 fatal("ia_openinfo: Unable to open the shadow passwd file"); 134 fatal("ia_openinfo: Unable to open the shadow passwd file");
132} 135}
133#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */ 136#endif /* !BROKEN_LIBIAF */
137#endif /* HAVE_LIBIAF */
134 138
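Review bot: The results of `bigcrypt()`, `osr5bigcrypt()` and `xcrypt()` at new lines 64-69 are passed straight to `strcmp()` with no NULL check, now that the `encrypted_password` local is gone. crypt-style routines can return NULL on failure (whether these three can is not visible here), and in that case the password check would dereference NULL instead of rejecting the login. Keeping a local and testing it closes that gap: `ep = xcrypt(password, salt);` followed by `result = (ep != NULL && strcmp(ep, pw_password) == 0);`, with the same pattern for the two long-password calls. Part of sys_auth_passwd lies between the hunks, so where `pw_password` comes from under BROKEN_LIBIAF cannot be checked from here.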
diff --git a/openbsd-compat/readpassphrase.c b/openbsd-compat/readpassphrase.c
index eb060bdbf..919c0174a 100644
--- a/openbsd-compat/readpassphrase.c
+++ b/openbsd-compat/readpassphrase.c
@@ -1,6 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/gen/readpassphrase.c */ 1/* $OpenBSD: readpassphrase.c,v 1.18 2005/08/08 08:05:34 espie Exp $ */
2
3/* $OpenBSD: readpassphrase.c,v 1.16 2003/06/17 21:56:23 millert Exp $ */
4 2
5/* 3/*
6 * Copyright (c) 2000-2002 Todd C. Miller <Todd.Miller@courtesan.com> 4 * Copyright (c) 2000-2002 Todd C. Miller <Todd.Miller@courtesan.com>
@@ -22,9 +20,7 @@
22 * Materiel Command, USAF, under agreement number F39502-99-1-0512. 20 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
23 */ 21 */
24 22
25#if defined(LIBC_SCCS) && !defined(lint) 23/* OPENBSD ORIGINAL: lib/libc/gen/readpassphrase.c */
26static const char rcsid[] = "$OpenBSD: readpassphrase.c,v 1.16 2003/06/17 21:56:23 millert Exp $";
27#endif /* LIBC_SCCS and not lint */
28 24
29#include "includes.h" 25#include "includes.h"
30 26
diff --git a/openbsd-compat/readpassphrase.h b/openbsd-compat/readpassphrase.h
index 178edf346..5fd7c5d77 100644
--- a/openbsd-compat/readpassphrase.h
+++ b/openbsd-compat/readpassphrase.h
@@ -1,34 +1,27 @@
1/* OPENBSD ORIGINAL: include/readpassphrase.h */ 1/* $OpenBSD: readpassphrase.h,v 1.5 2003/06/17 21:56:23 millert Exp $ */
2
3/* $OpenBSD: readpassphrase.h,v 1.3 2002/06/28 12:32:22 millert Exp $ */
4 2
5/* 3/*
6 * Copyright (c) 2000 Todd C. Miller <Todd.Miller@courtesan.com> 4 * Copyright (c) 2000, 2002 Todd C. Miller <Todd.Miller@courtesan.com>
7 * All rights reserved. 5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
8 * 9 *
9 * Redistribution and use in source and binary forms, with or without 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * modification, are permitted provided that the following conditions 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * are met: 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * 1. Redistributions of source code must retain the above copyright 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * notice, this list of conditions and the following disclaimer. 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * 2. Redistributions in binary form must reproduce the above copyright 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * notice, this list of conditions and the following disclaimer in the 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 * documentation and/or other materials provided with the distribution.
17 * 3. The name of the author may not be used to endorse or promote products
18 * derived from this software without specific prior written permission.
19 * 17 *
20 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, 18 * Sponsored in part by the Defense Advanced Research Projects
21 * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 19 * Agency (DARPA) and Air Force Research Laboratory, Air Force
22 * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL 20 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
23 * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
24 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
25 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
26 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
27 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
28 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
29 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 */ 21 */
31 22
23/* OPENBSD ORIGINAL: include/readpassphrase.h */
24
32#ifndef _READPASSPHRASE_H_ 25#ifndef _READPASSPHRASE_H_
33#define _READPASSPHRASE_H_ 26#define _READPASSPHRASE_H_
34 27
diff --git a/openbsd-compat/realpath.c b/openbsd-compat/realpath.c
index 8430bec24..b6120d034 100644
--- a/openbsd-compat/realpath.c
+++ b/openbsd-compat/realpath.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/stdlib/realpath.c */ 1/* $OpenBSD: realpath.c,v 1.13 2005/08/08 08:05:37 espie Exp $ */
2
3/* 2/*
4 * Copyright (c) 2003 Constantin S. Svintsoff <kostik@iclub.nsu.ru> 3 * Copyright (c) 2003 Constantin S. Svintsoff <kostik@iclub.nsu.ru>
5 * 4 *
@@ -28,6 +27,8 @@
28 * SUCH DAMAGE. 27 * SUCH DAMAGE.
29 */ 28 */
30 29
30/* OPENBSD ORIGINAL: lib/libc/stdlib/realpath.c */
31
31#include "includes.h" 32#include "includes.h"
32 33
33#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) 34#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
diff --git a/openbsd-compat/rresvport.c b/openbsd-compat/rresvport.c
index 75167065c..71cf6e6eb 100644
--- a/openbsd-compat/rresvport.c
+++ b/openbsd-compat/rresvport.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/net/rresvport.c */ 1/* $OpenBSD: rresvport.c,v 1.9 2005/11/10 10:00:17 espie Exp $ */
2
3/* 2/*
4 * Copyright (c) 1995, 1996, 1998 Theo de Raadt. All rights reserved. 3 * Copyright (c) 1995, 1996, 1998 Theo de Raadt. All rights reserved.
5 * Copyright (c) 1983, 1993, 1994 4 * Copyright (c) 1983, 1993, 1994
@@ -30,26 +29,21 @@
30 * SUCH DAMAGE. 29 * SUCH DAMAGE.
31 */ 30 */
32 31
32/* OPENBSD ORIGINAL: lib/libc/net/rresvport.c */
33
33#include "includes.h" 34#include "includes.h"
34 35
35#ifndef HAVE_RRESVPORT_AF 36#ifndef HAVE_RRESVPORT_AF
36 37
37#if defined(LIBC_SCCS) && !defined(lint)
38static char *rcsid = "$OpenBSD: rresvport.c,v 1.6 2003/06/03 02:11:35 deraadt Exp $";
39#endif /* LIBC_SCCS and not lint */
40
41#include "includes.h"
42
43#if 0 38#if 0
44int 39int
45rresvport(alport) 40rresvport(int *alport)
46 int *alport;
47{ 41{
48 return rresvport_af(alport, AF_INET); 42 return rresvport_af(alport, AF_INET);
49} 43}
50#endif 44#endif
51 45
52int 46int
53rresvport_af(int *alport, sa_family_t af) 47rresvport_af(int *alport, sa_family_t af)
54{ 48{
55 struct sockaddr_storage ss; 49 struct sockaddr_storage ss;
diff --git a/openbsd-compat/setenv.c b/openbsd-compat/setenv.c
index c3a86c651..b52a99c2c 100644
--- a/openbsd-compat/setenv.c
+++ b/openbsd-compat/setenv.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/stdlib/setenv.c */ 1/* $OpenBSD: setenv.c,v 1.9 2005/08/08 08:05:37 espie Exp $ */
2
3/* 2/*
4 * Copyright (c) 1987 Regents of the University of California. 3 * Copyright (c) 1987 Regents of the University of California.
5 * All rights reserved. 4 * All rights reserved.
@@ -29,36 +28,31 @@
29 * SUCH DAMAGE. 28 * SUCH DAMAGE.
30 */ 29 */
31 30
31/* OPENBSD ORIGINAL: lib/libc/stdlib/setenv.c */
32
32#include "includes.h" 33#include "includes.h"
33#if !defined(HAVE_SETENV) || !defined(HAVE_UNSETENV) 34#if !defined(HAVE_SETENV) || !defined(HAVE_UNSETENV)
34 35
35#if defined(LIBC_SCCS) && !defined(lint)
36static char *rcsid = "$OpenBSD: setenv.c,v 1.6 2003/06/02 20:18:38 millert Exp $";
37#endif /* LIBC_SCCS and not lint */
38
39#include <stdlib.h> 36#include <stdlib.h>
40#include <string.h> 37#include <string.h>
41 38
42char *__findenv(const char *name, int *offset); 39extern char **environ;
43 40
41/* OpenSSH Portable: __findenv is from getenv.c rev 1.8, made static */
44/* 42/*
45 * __findenv -- 43 * __findenv --
46 * Returns pointer to value associated with name, if any, else NULL. 44 * Returns pointer to value associated with name, if any, else NULL.
47 * Sets offset to be the offset of the name/value combination in the 45 * Sets offset to be the offset of the name/value combination in the
48 * environmental array, for use by setenv(3) and unsetenv(3). 46 * environmental array, for use by setenv(3) and unsetenv(3).
49 * Explicitly removes '=' in argument name. 47 * Explicitly removes '=' in argument name.
50 *
51 * This routine *should* be a static; don't use it.
52 */ 48 */
53char * 49static char *
54__findenv(name, offset) 50__findenv(const char *name, int *offset)
55 register const char *name;
56 int *offset;
57{ 51{
58 extern char **environ; 52 extern char **environ;
59 register int len, i; 53 int len, i;
60 register const char *np; 54 const char *np;
61 register char **p, *cp; 55 char **p, *cp;
62 56
63 if (name == NULL || environ == NULL) 57 if (name == NULL || environ == NULL)
64 return (NULL); 58 return (NULL);
@@ -84,14 +78,10 @@ __findenv(name, offset)
84 * "value". If rewrite is set, replace any current value. 78 * "value". If rewrite is set, replace any current value.
85 */ 79 */
86int 80int
87setenv(name, value, rewrite) 81setenv(const char *name, const char *value, int rewrite)
88 register const char *name;
89 register const char *value;
90 int rewrite;
91{ 82{
92 extern char **environ; 83 static char **lastenv; /* last value of environ */
93 static int alloced; /* if allocated space before */ 84 char *C;
94 register char *C;
95 int l_value, offset; 85 int l_value, offset;
96 86
97 if (*value == '=') /* no `=' in value */ 87 if (*value == '=') /* no `=' in value */
@@ -106,30 +96,23 @@ setenv(name, value, rewrite)
106 return (0); 96 return (0);
107 } 97 }
108 } else { /* create new slot */ 98 } else { /* create new slot */
109 register int cnt; 99 size_t cnt;
110 register char **P; 100 char **P;
111 101
112 for (P = environ, cnt = 0; *P; ++P, ++cnt); 102 for (P = environ; *P != NULL; P++)
113 if (alloced) { /* just increase size */ 103 ;
114 P = (char **)realloc((void *)environ, 104 cnt = P - environ;
115 (size_t)(sizeof(char *) * (cnt + 2))); 105 P = (char **)realloc(lastenv, sizeof(char *) * (cnt + 2));
116 if (!P) 106 if (!P)
117 return (-1); 107 return (-1);
118 environ = P; 108 if (lastenv != environ)
119 } 109 memcpy(P, environ, cnt * sizeof(char *));
120 else { /* get new space */ 110 lastenv = environ = P;
121 alloced = 1; /* copy old entries into it */
122 P = (char **)malloc((size_t)(sizeof(char *) *
123 (cnt + 2)));
124 if (!P)
125 return (-1);
126 memmove(P, environ, cnt * sizeof(char *));
127 environ = P;
128 }
129 environ[cnt + 1] = NULL;
130 offset = cnt; 111 offset = cnt;
112 environ[cnt + 1] = NULL;
131 } 113 }
132 for (C = (char *)name; *C && *C != '='; ++C); /* no `=' in name */ 114 for (C = (char *)name; *C && *C != '='; ++C)
115 ; /* no `=' in name */
133 if (!(environ[offset] = /* name + `=' + value */ 116 if (!(environ[offset] = /* name + `=' + value */
134 malloc((size_t)((int)(C - name) + l_value + 2)))) 117 malloc((size_t)((int)(C - name) + l_value + 2))))
135 return (-1); 118 return (-1);
@@ -147,15 +130,12 @@ setenv(name, value, rewrite)
147 * Delete environmental variable "name". 130 * Delete environmental variable "name".
148 */ 131 */
149void 132void
150unsetenv(name) 133unsetenv(const char *name)
151 const char *name;
152{ 134{
153 extern char **environ; 135 char **P;
154 register char **P;
155 int offset; 136 int offset;
156 char *__findenv();
157 137
158 while (__findenv(name, &offset)) /* if set multiple times */ 138 while (__findenv(name, &offset)) /* if set multiple times */
159 for (P = &environ[offset];; ++P) 139 for (P = &environ[offset];; ++P)
160 if (!(*P = *(P + 1))) 140 if (!(*P = *(P + 1)))
161 break; 141 break;
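Review bot: The allocation size at new line 117 is still computed in signed `int`, `malloc((size_t)((int)(C - name) + l_value + 2))`, although this commit already moves `cnt` to `size_t`. If the name and value lengths together exceed INT_MAX, the sum overflows before the cast and the buffer can be smaller than the string copied into it. The copy itself and the assignment of `l_value` are outside the hunks, so this is inferred from the declaration `int l_value, offset;`. Doing the arithmetic in `size_t` avoids it: `malloc((size_t)(C - name) + (size_t)l_value + 2)`. Separately, the `extern char **environ;` kept inside `__findenv` at new line 52 is redundant now that the file-scope declaration exists at new line 39.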
diff --git a/openbsd-compat/sigact.c b/openbsd-compat/sigact.c
index 2772ac574..8b8e4dd2c 100644
--- a/openbsd-compat/sigact.c
+++ b/openbsd-compat/sigact.c
@@ -1,9 +1,7 @@
1/* OPENBSD ORIGINAL: lib/libcurses/base/sigaction.c */ 1/* $OpenBSD: sigaction.c,v 1.4 2001/01/22 18:01:48 millert Exp $ */
2
3/* $OpenBSD: sigaction.c,v 1.3 1999/06/27 08:14:21 millert Exp $ */
4 2
5/**************************************************************************** 3/****************************************************************************
6 * Copyright (c) 1998 Free Software Foundation, Inc. * 4 * Copyright (c) 1998,2000 Free Software Foundation, Inc. *
7 * * 5 * *
8 * Permission is hereby granted, free of charge, to any person obtaining a * 6 * Permission is hereby granted, free of charge, to any person obtaining a *
9 * copy of this software and associated documentation files (the * 7 * copy of this software and associated documentation files (the *
@@ -35,6 +33,8 @@
35 * and: Eric S. Raymond <esr@snark.thyrsus.com> * 33 * and: Eric S. Raymond <esr@snark.thyrsus.com> *
36 ****************************************************************************/ 34 ****************************************************************************/
37 35
36/* OPENBSD ORIGINAL: lib/libcurses/base/sigaction.c */
37
38#include "includes.h" 38#include "includes.h"
39#include <signal.h> 39#include <signal.h>
40#include "sigact.h" 40#include "sigact.h"
diff --git a/openbsd-compat/sigact.h b/openbsd-compat/sigact.h
index b37c1f84a..db96d0a5c 100644
--- a/openbsd-compat/sigact.h
+++ b/openbsd-compat/sigact.h
@@ -1,7 +1,7 @@
1/* $OpenBSD: SigAction.h,v 1.2 1999/06/27 08:15:19 millert Exp $ */ 1/* $OpenBSD: SigAction.h,v 1.3 2001/01/22 18:01:32 millert Exp $ */
2 2
3/**************************************************************************** 3/****************************************************************************
4 * Copyright (c) 1998 Free Software Foundation, Inc. * 4 * Copyright (c) 1998,2000 Free Software Foundation, Inc. *
5 * * 5 * *
6 * Permission is hereby granted, free of charge, to any person obtaining a * 6 * Permission is hereby granted, free of charge, to any person obtaining a *
7 * copy of this software and associated documentation files (the * 7 * copy of this software and associated documentation files (the *
@@ -34,12 +34,14 @@
34 ****************************************************************************/ 34 ****************************************************************************/
35 35
36/* 36/*
37 * $From: SigAction.h,v 1.5 1999/06/19 23:00:54 tom Exp $ 37 * $From: SigAction.h,v 1.6 2000/12/10 02:36:10 tom Exp $
38 * 38 *
39 * This file exists to handle non-POSIX systems which don't have <unistd.h>, 39 * This file exists to handle non-POSIX systems which don't have <unistd.h>,
40 * and usually no sigaction() nor <termios.h> 40 * and usually no sigaction() nor <termios.h>
41 */ 41 */
42 42
43/* OPENBSD ORIGINAL: lib/libcurses/SigAction.h */
44
43#ifndef _SIGACTION_H 45#ifndef _SIGACTION_H
44#define _SIGACTION_H 46#define _SIGACTION_H
45 47
diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c
index 70f01cb2a..bcc1b61ad 100644
--- a/openbsd-compat/strlcat.c
+++ b/openbsd-compat/strlcat.c
@@ -1,6 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/string/strlcat.c */ 1/* $OpenBSD: strlcat.c,v 1.13 2005/08/08 08:05:37 espie Exp $ */
2
3/* $OpenBSD: strlcat.c,v 1.11 2003/06/17 21:56:24 millert Exp $ */
4 2
5/* 3/*
6 * Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com> 4 * Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
@@ -18,13 +16,11 @@
18 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 */ 17 */
20 18
19/* OPENBSD ORIGINAL: lib/libc/string/strlcat.c */
20
21#include "includes.h" 21#include "includes.h"
22#ifndef HAVE_STRLCAT 22#ifndef HAVE_STRLCAT
23 23
24#if defined(LIBC_SCCS) && !defined(lint)
25static char *rcsid = "$OpenBSD: strlcat.c,v 1.11 2003/06/17 21:56:24 millert Exp $";
26#endif /* LIBC_SCCS and not lint */
27
28#include <sys/types.h> 24#include <sys/types.h>
29#include <string.h> 25#include <string.h>
30 26
@@ -38,9 +34,9 @@ static char *rcsid = "$OpenBSD: strlcat.c,v 1.11 2003/06/17 21:56:24 millert Exp
38size_t 34size_t
39strlcat(char *dst, const char *src, size_t siz) 35strlcat(char *dst, const char *src, size_t siz)
40{ 36{
41 register char *d = dst; 37 char *d = dst;
42 register const char *s = src; 38 const char *s = src;
43 register size_t n = siz; 39 size_t n = siz;
44 size_t dlen; 40 size_t dlen;
45 41
46 /* Find the end of dst and adjust bytes left but don't go past end */ 42 /* Find the end of dst and adjust bytes left but don't go past end */
diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c
index ccfa12a0a..679a5b291 100644
--- a/openbsd-compat/strlcpy.c
+++ b/openbsd-compat/strlcpy.c
@@ -1,6 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/string/strlcpy.c */ 1/* $OpenBSD: strlcpy.c,v 1.10 2005/08/08 08:05:37 espie Exp $ */
2
3/* $OpenBSD: strlcpy.c,v 1.8 2003/06/17 21:56:24 millert Exp $ */
4 2
5/* 3/*
6 * Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com> 4 * Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
@@ -18,13 +16,11 @@
18 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 */ 17 */
20 18
19/* OPENBSD ORIGINAL: lib/libc/string/strlcpy.c */
20
21#include "includes.h" 21#include "includes.h"
22#ifndef HAVE_STRLCPY 22#ifndef HAVE_STRLCPY
23 23
24#if defined(LIBC_SCCS) && !defined(lint)
25static char *rcsid = "$OpenBSD: strlcpy.c,v 1.8 2003/06/17 21:56:24 millert Exp $";
26#endif /* LIBC_SCCS and not lint */
27
28#include <sys/types.h> 24#include <sys/types.h>
29#include <string.h> 25#include <string.h>
30 26
@@ -36,9 +32,9 @@ static char *rcsid = "$OpenBSD: strlcpy.c,v 1.8 2003/06/17 21:56:24 millert Exp
36size_t 32size_t
37strlcpy(char *dst, const char *src, size_t siz) 33strlcpy(char *dst, const char *src, size_t siz)
38{ 34{
39 register char *d = dst; 35 char *d = dst;
40 register const char *s = src; 36 const char *s = src;
41 register size_t n = siz; 37 size_t n = siz;
42 38
43 /* Copy as many bytes as will fit */ 39 /* Copy as many bytes as will fit */
44 if (n != 0 && --n != 0) { 40 if (n != 0 && --n != 0) {
diff --git a/openbsd-compat/strmode.c b/openbsd-compat/strmode.c
index ea8d515e3..4a8161422 100644
--- a/openbsd-compat/strmode.c
+++ b/openbsd-compat/strmode.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/string/strmode.c */ 1/* $OpenBSD: strmode.c,v 1.7 2005/08/08 08:05:37 espie Exp $ */
2
3/*- 2/*-
4 * Copyright (c) 1990 The Regents of the University of California. 3 * Copyright (c) 1990 The Regents of the University of California.
5 * All rights reserved. 4 * All rights reserved.
@@ -29,13 +28,11 @@
29 * SUCH DAMAGE. 28 * SUCH DAMAGE.
30 */ 29 */
31 30
31/* OPENBSD ORIGINAL: lib/libc/string/strmode.c */
32
32#include "includes.h" 33#include "includes.h"
33#ifndef HAVE_STRMODE 34#ifndef HAVE_STRMODE
34 35
35#if defined(LIBC_SCCS) && !defined(lint)
36static char *rcsid = "$OpenBSD: strmode.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $";
37#endif /* LIBC_SCCS and not lint */
38
39#include <sys/types.h> 36#include <sys/types.h>
40#include <sys/stat.h> 37#include <sys/stat.h>
41#include <string.h> 38#include <string.h>
@@ -72,11 +69,6 @@ strmode(int mode, char *p)
72 *p++ = 'p'; 69 *p++ = 'p';
73 break; 70 break;
74#endif 71#endif
75#ifdef S_IFWHT
76 case S_IFWHT: /* whiteout */
77 *p++ = 'w';
78 break;
79#endif
80 default: /* unknown */ 72 default: /* unknown */
81 *p++ = '?'; 73 *p++ = '?';
82 break; 74 break;
diff --git a/openbsd-compat/strsep.c b/openbsd-compat/strsep.c
index 330d84ce1..b36eb8fda 100644
--- a/openbsd-compat/strsep.c
+++ b/openbsd-compat/strsep.c
@@ -1,6 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/string/strsep.c */ 1/* $OpenBSD: strsep.c,v 1.6 2005/08/08 08:05:37 espie Exp $ */
2
3/* $OpenBSD: strsep.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $ */
4 2
5/*- 3/*-
6 * Copyright (c) 1990, 1993 4 * Copyright (c) 1990, 1993
@@ -31,6 +29,8 @@
31 * SUCH DAMAGE. 29 * SUCH DAMAGE.
32 */ 30 */
33 31
32/* OPENBSD ORIGINAL: lib/libc/string/strsep.c */
33
34#include "includes.h" 34#include "includes.h"
35 35
36#if !defined(HAVE_STRSEP) 36#if !defined(HAVE_STRSEP)
@@ -38,14 +38,6 @@
38#include <string.h> 38#include <string.h>
39#include <stdio.h> 39#include <stdio.h>
40 40
41#if defined(LIBC_SCCS) && !defined(lint)
42#if 0
43static char sccsid[] = "@(#)strsep.c 8.1 (Berkeley) 6/4/93";
44#else
45static char *rcsid = "$OpenBSD: strsep.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $";
46#endif
47#endif /* LIBC_SCCS and not lint */
48
49/* 41/*
50 * Get next token from string *stringp, where tokens are possibly-empty 42 * Get next token from string *stringp, where tokens are possibly-empty
51 * strings separated by characters from delim. 43 * strings separated by characters from delim.
diff --git a/openbsd-compat/strtoll.c b/openbsd-compat/strtoll.c
index 60c276f8a..f62930388 100644
--- a/openbsd-compat/strtoll.c
+++ b/openbsd-compat/strtoll.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoll.c */ 1/* $OpenBSD: strtoll.c,v 1.6 2005/11/10 10:00:17 espie Exp $ */
2
3/*- 2/*-
4 * Copyright (c) 1992 The Regents of the University of California. 3 * Copyright (c) 1992 The Regents of the University of California.
5 * All rights reserved. 4 * All rights reserved.
@@ -29,13 +28,11 @@
29 * SUCH DAMAGE. 28 * SUCH DAMAGE.
30 */ 29 */
31 30
31/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoll.c */
32
32#include "includes.h" 33#include "includes.h"
33#ifndef HAVE_STRTOLL 34#ifndef HAVE_STRTOLL
34 35
35#if defined(LIBC_SCCS) && !defined(lint)
36static const char rcsid[] = "$OpenBSD: strtoll.c,v 1.4 2005/03/30 18:51:49 pat Exp $";
37#endif /* LIBC_SCCS and not lint */
38
39#include <sys/types.h> 36#include <sys/types.h>
40 37
41#include <ctype.h> 38#include <ctype.h>
diff --git a/openbsd-compat/strtonum.c b/openbsd-compat/strtonum.c
index b681ed83b..8ad0d0058 100644
--- a/openbsd-compat/strtonum.c
+++ b/openbsd-compat/strtonum.c
@@ -1,5 +1,3 @@
1/* OPENBSD ORIGINAL: lib/libc/stdlib/strtonum.c */
2
3/* $OpenBSD: strtonum.c,v 1.6 2004/08/03 19:38:01 millert Exp $ */ 1/* $OpenBSD: strtonum.c,v 1.6 2004/08/03 19:38:01 millert Exp $ */
4 2
5/* 3/*
@@ -19,6 +17,8 @@
19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 */ 18 */
21 19
20/* OPENBSD ORIGINAL: lib/libc/stdlib/strtonum.c */
21
22#include "includes.h" 22#include "includes.h"
23#ifndef HAVE_STRTONUM 23#ifndef HAVE_STRTONUM
24#include <limits.h> 24#include <limits.h>
diff --git a/openbsd-compat/strtoul.c b/openbsd-compat/strtoul.c
index 24d0e253d..8219c8391 100644
--- a/openbsd-compat/strtoul.c
+++ b/openbsd-compat/strtoul.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoul.c */ 1/* $OpenBSD: strtoul.c,v 1.7 2005/08/08 08:05:37 espie Exp $ */
2
3/* 2/*
4 * Copyright (c) 1990 Regents of the University of California. 3 * Copyright (c) 1990 Regents of the University of California.
5 * All rights reserved. 4 * All rights reserved.
@@ -29,13 +28,11 @@
29 * SUCH DAMAGE. 28 * SUCH DAMAGE.
30 */ 29 */
31 30
31/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoul.c */
32
32#include "includes.h" 33#include "includes.h"
33#ifndef HAVE_STRTOUL 34#ifndef HAVE_STRTOUL
34 35
35#if defined(LIBC_SCCS) && !defined(lint)
36static char *rcsid = "$OpenBSD: strtoul.c,v 1.5 2003/06/02 20:18:38 millert Exp $";
37#endif /* LIBC_SCCS and not lint */
38
39#include <ctype.h> 36#include <ctype.h>
40#include <errno.h> 37#include <errno.h>
41#include <limits.h> 38#include <limits.h>
@@ -48,15 +45,12 @@ static char *rcsid = "$OpenBSD: strtoul.c,v 1.5 2003/06/02 20:18:38 millert Exp
48 * alphabets and digits are each contiguous. 45 * alphabets and digits are each contiguous.
49 */ 46 */
50unsigned long 47unsigned long
51strtoul(nptr, endptr, base) 48strtoul(const char *nptr, char **endptr, int base)
52 const char *nptr;
53 char **endptr;
54 register int base;
55{ 49{
56 register const char *s; 50 const char *s;
57 register unsigned long acc, cutoff; 51 unsigned long acc, cutoff;
58 register int c; 52 int c;
59 register int neg, any, cutlim; 53 int neg, any, cutlim;
60 54
61 /* 55 /*
62 * See strtol for comments as to the logic used. 56 * See strtol for comments as to the logic used.
diff --git a/openbsd-compat/sys-queue.h b/openbsd-compat/sys-queue.h
index c49a94650..402343324 100644
--- a/openbsd-compat/sys-queue.h
+++ b/openbsd-compat/sys-queue.h
@@ -1,5 +1,3 @@
1/* OPENBSD ORIGINAL: sys/sys/queue.h */
2
3/* $OpenBSD: queue.h,v 1.25 2004/04/08 16:08:21 henning Exp $ */ 1/* $OpenBSD: queue.h,v 1.25 2004/04/08 16:08:21 henning Exp $ */
4/* $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $ */ 2/* $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $ */
5 3
@@ -34,6 +32,8 @@
34 * @(#)queue.h 8.5 (Berkeley) 8/20/94 32 * @(#)queue.h 8.5 (Berkeley) 8/20/94
35 */ 33 */
36 34
35/* OPENBSD ORIGINAL: sys/sys/queue.h */
36
37#ifndef _FAKE_QUEUE_H_ 37#ifndef _FAKE_QUEUE_H_
38#define _FAKE_QUEUE_H_ 38#define _FAKE_QUEUE_H_
39 39
diff --git a/openbsd-compat/sys-tree.h b/openbsd-compat/sys-tree.h
index 73cfbe72a..c80b90b21 100644
--- a/openbsd-compat/sys-tree.h
+++ b/openbsd-compat/sys-tree.h
@@ -1,5 +1,3 @@
1/* OPENBSD ORIGINAL: sys/sys/tree.h */
2
3/* $OpenBSD: tree.h,v 1.7 2002/10/17 21:51:54 art Exp $ */ 1/* $OpenBSD: tree.h,v 1.7 2002/10/17 21:51:54 art Exp $ */
4/* 2/*
5 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -26,6 +24,8 @@
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */ 25 */
28 26
27/* OPENBSD ORIGINAL: sys/sys/tree.h */
28
29#ifndef _SYS_TREE_H_ 29#ifndef _SYS_TREE_H_
30#define _SYS_TREE_H_ 30#define _SYS_TREE_H_
31 31
diff --git a/openbsd-compat/vis.c b/openbsd-compat/vis.c
index 1fb7a01e3..3a087b341 100644
--- a/openbsd-compat/vis.c
+++ b/openbsd-compat/vis.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/gen/vis.c */ 1/* $OpenBSD: vis.c,v 1.19 2005/09/01 17:15:49 millert Exp $ */
2
3/*- 2/*-
4 * Copyright (c) 1989, 1993 3 * Copyright (c) 1989, 1993
5 * The Regents of the University of California. All rights reserved. 4 * The Regents of the University of California. All rights reserved.
@@ -28,36 +27,34 @@
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE. 28 * SUCH DAMAGE.
30 */ 29 */
30
31/* OPENBSD ORIGINAL: lib/libc/gen/vis.c */
32
31#include "includes.h" 33#include "includes.h"
32#if !defined(HAVE_STRNVIS) 34#if !defined(HAVE_STRNVIS)
33 35
34#if defined(LIBC_SCCS) && !defined(lint)
35static char rcsid[] = "$OpenBSD: vis.c,v 1.12 2003/06/02 20:18:35 millert Exp $";
36#endif /* LIBC_SCCS and not lint */
37
38#include <ctype.h> 36#include <ctype.h>
39#include <string.h> 37#include <string.h>
40 38
41#include "vis.h" 39#include "vis.h"
42 40
43#define isoctal(c) (((u_char)(c)) >= '0' && ((u_char)(c)) <= '7') 41#define isoctal(c) (((u_char)(c)) >= '0' && ((u_char)(c)) <= '7')
44#define isvisible(c) (((u_int)(c) <= UCHAR_MAX && isascii((u_char)(c)) && \ 42#define isvisible(c) \
45 isgraph((u_char)(c))) || \ 43 (((u_int)(c) <= UCHAR_MAX && isascii((u_char)(c)) && \
46 ((flag & VIS_SP) == 0 && (c) == ' ') || \ 44 (((c) != '*' && (c) != '?' && (c) != '[' && (c) != '#') || \
47 ((flag & VIS_TAB) == 0 && (c) == '\t') || \ 45 (flag & VIS_GLOB) == 0) && isgraph((u_char)(c))) || \
48 ((flag & VIS_NL) == 0 && (c) == '\n') || \ 46 ((flag & VIS_SP) == 0 && (c) == ' ') || \
49 ((flag & VIS_SAFE) && ((c) == '\b' || \ 47 ((flag & VIS_TAB) == 0 && (c) == '\t') || \
50 (c) == '\007' || (c) == '\r' || \ 48 ((flag & VIS_NL) == 0 && (c) == '\n') || \
51 isgraph((u_char)(c))))) 49 ((flag & VIS_SAFE) && ((c) == '\b' || \
50 (c) == '\007' || (c) == '\r' || \
51 isgraph((u_char)(c)))))
52 52
53/* 53/*
54 * vis - visually encode characters 54 * vis - visually encode characters
55 */ 55 */
56char * 56char *
57vis(dst, c, flag, nextc) 57vis(char *dst, int c, int flag, int nextc)
58 register char *dst;
59 int c, nextc;
60 register int flag;
61{ 58{
62 if (isvisible(c)) { 59 if (isvisible(c)) {
63 *dst++ = c; 60 *dst++ = c;
@@ -111,7 +108,8 @@ vis(dst, c, flag, nextc)
111 goto done; 108 goto done;
112 } 109 }
113 } 110 }
114 if (((c & 0177) == ' ') || (flag & VIS_OCTAL)) { 111 if (((c & 0177) == ' ') || (flag & VIS_OCTAL) ||
112 ((flag & VIS_GLOB) && (c == '*' || c == '?' || c == '[' || c == '#'))) {
115 *dst++ = '\\'; 113 *dst++ = '\\';
116 *dst++ = ((u_char)c >> 6 & 07) + '0'; 114 *dst++ = ((u_char)c >> 6 & 07) + '0';
117 *dst++ = ((u_char)c >> 3 & 07) + '0'; 115 *dst++ = ((u_char)c >> 3 & 07) + '0';
@@ -124,7 +122,7 @@ vis(dst, c, flag, nextc)
124 c &= 0177; 122 c &= 0177;
125 *dst++ = 'M'; 123 *dst++ = 'M';
126 } 124 }
127 if (iscntrl(c)) { 125 if (iscntrl((u_char)c)) {
128 *dst++ = '^'; 126 *dst++ = '^';
129 if (c == 0177) 127 if (c == 0177)
130 *dst++ = '?'; 128 *dst++ = '?';
@@ -153,12 +151,9 @@ done:
153 * This is useful for encoding a block of data. 151 * This is useful for encoding a block of data.
154 */ 152 */
155int 153int
156strvis(dst, src, flag) 154strvis(char *dst, const char *src, int flag)
157 register char *dst;
158 register const char *src;
159 int flag;
160{ 155{
161 register char c; 156 char c;
162 char *start; 157 char *start;
163 158
164 for (start = dst; (c = *src);) 159 for (start = dst; (c = *src);)
@@ -168,16 +163,11 @@ strvis(dst, src, flag)
168} 163}
169 164
170int 165int
171strnvis(dst, src, siz, flag) 166strnvis(char *dst, const char *src, size_t siz, int flag)
172 char *dst;
173 const char *src;
174 size_t siz;
175 int flag;
176{ 167{
177 char c;
178 char *start, *end; 168 char *start, *end;
179 char tbuf[5]; 169 char tbuf[5];
180 int i; 170 int c, i;
181 171
182 i = 0; 172 i = 0;
183 for (start = dst, end = start + siz - 1; (c = *src) && dst < end; ) { 173 for (start = dst, end = start + siz - 1; (c = *src) && dst < end; ) {
@@ -217,13 +207,9 @@ strnvis(dst, src, siz, flag)
217} 207}
218 208
219int 209int
220strvisx(dst, src, len, flag) 210strvisx(char *dst, const char *src, size_t len, int flag)
221 register char *dst;
222 register const char *src;
223 register size_t len;
224 int flag;
225{ 211{
226 register char c; 212 char c;
227 char *start; 213 char *start;
228 214
229 for (start = dst; len > 1; len--) { 215 for (start = dst; len > 1; len--) {
diff --git a/openbsd-compat/vis.h b/openbsd-compat/vis.h
index 663355a24..3898a9e70 100644
--- a/openbsd-compat/vis.h
+++ b/openbsd-compat/vis.h
@@ -1,6 +1,4 @@
1/* OPENBSD ORIGINAL: include/vis.h */ 1/* $OpenBSD: vis.h,v 1.11 2005/08/09 19:38:31 millert Exp $ */
2
3/* $OpenBSD: vis.h,v 1.6 2003/06/02 19:34:12 millert Exp $ */
4/* $NetBSD: vis.h,v 1.4 1994/10/26 00:56:41 cgd Exp $ */ 2/* $NetBSD: vis.h,v 1.4 1994/10/26 00:56:41 cgd Exp $ */
5 3
6/*- 4/*-
@@ -34,6 +32,8 @@
34 * @(#)vis.h 5.9 (Berkeley) 4/3/91 32 * @(#)vis.h 5.9 (Berkeley) 4/3/91
35 */ 33 */
36 34
35/* OPENBSD ORIGINAL: include/vis.h */
36
37#include "includes.h" 37#include "includes.h"
38#if !defined(HAVE_STRNVIS) 38#if !defined(HAVE_STRNVIS)
39 39
@@ -63,6 +63,7 @@
63 * other 63 * other
64 */ 64 */
65#define VIS_NOSLASH 0x40 /* inhibit printing '\' */ 65#define VIS_NOSLASH 0x40 /* inhibit printing '\' */
66#define VIS_GLOB 0x100 /* encode glob(3) magics and '#' */
66 67
67/* 68/*
68 * unvis return codes 69 * unvis return codes
@@ -80,10 +81,14 @@
80 81
81char *vis(char *, int, int, int); 82char *vis(char *, int, int, int);
82int strvis(char *, const char *, int); 83int strvis(char *, const char *, int);
83int strnvis(char *, const char *, size_t, int); 84int strnvis(char *, const char *, size_t, int)
84int strvisx(char *, const char *, size_t, int); 85 __attribute__ ((__bounded__(__string__,1,3)));
86int strvisx(char *, const char *, size_t, int)
87 __attribute__ ((__bounded__(__string__,1,3)));
85int strunvis(char *, const char *); 88int strunvis(char *, const char *);
86int unvis(char *, char, int *, int); 89int unvis(char *, char, int *, int);
90ssize_t strnunvis(char *, const char *, size_t)
91 __attribute__ ((__bounded__(__string__,1,3)));
87 92
88#endif /* !_VIS_H_ */ 93#endif /* !_VIS_H_ */
89 94
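Review bot: The `__bounded__(__string__,1,3)` annotation added to `strvisx` (new line 86) ties the size of `dst` to `len`, but the `strvisx` loop in the vis.c part of this commit counts `len` down as a number of source bytes. The annotation can therefore only catch a destination smaller than the input, not one too small for the encoded output. vis(3) gives the worst case as four output bytes per input byte plus the terminating NUL, so a `dst` of exactly `len` bytes passes the check and is still too small. I would keep the attribute and add a comment above the prototype: `/* dst must hold 4*len+1 bytes; the bounded check only proves len */`. The definition of the newly declared `strnunvis` is not in the lines shown, so confirm the compat library provides it when `HAVE_STRNVIS` is undefined.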
diff --git a/opensshd.init.in b/opensshd.init.in
index ffa7cdac2..c36c5c88a 100755
--- a/opensshd.init.in
+++ b/opensshd.init.in
@@ -1,4 +1,4 @@
1#!/sbin/sh 1#!@STARTUP_SCRIPT_SHELL@
2# Donated code that was put under PD license. 2# Donated code that was put under PD license.
3# 3#
4# Stripped PRNGd out of it for the time being. 4# Stripped PRNGd out of it for the time being.
diff --git a/packet.c b/packet.c
index 4becde0a4..3208383e8 100644
--- a/packet.c
+++ b/packet.c
@@ -37,7 +37,7 @@
37 */ 37 */
38 38
39#include "includes.h" 39#include "includes.h"
40RCSID("$OpenBSD: packet.c,v 1.119 2005/07/28 17:36:22 markus Exp $"); 40RCSID("$OpenBSD: packet.c,v 1.120 2005/10/30 08:52:17 djm Exp $");
41 41
42#include "openbsd-compat/sys-queue.h" 42#include "openbsd-compat/sys-queue.h"
43 43
@@ -575,7 +575,7 @@ packet_send1(void)
575 buffer_clear(&outgoing_packet); 575 buffer_clear(&outgoing_packet);
576 576
577 /* 577 /*
578 * Note that the packet is now only buffered in output. It won\'t be 578 * Note that the packet is now only buffered in output. It won't be
579 * actually sent until packet_write_wait or packet_write_poll is 579 * actually sent until packet_write_wait or packet_write_poll is
580 * called. 580 * called.
581 */ 581 */
diff --git a/progressmeter.c b/progressmeter.c
index 3cda09061..13c51d87e 100644
--- a/progressmeter.c
+++ b/progressmeter.c
@@ -85,8 +85,8 @@ format_rate(char *buf, int size, off_t bytes)
85 bytes = (bytes + 512) / 1024; 85 bytes = (bytes + 512) / 1024;
86 } 86 }
87 snprintf(buf, size, "%3lld.%1lld%c%s", 87 snprintf(buf, size, "%3lld.%1lld%c%s",
88 (int64_t) (bytes + 5) / 100, 88 (long long) (bytes + 5) / 100,
89 (int64_t) (bytes + 5) / 10 % 10, 89 (long long) (bytes + 5) / 10 % 10,
90 unit[i], 90 unit[i],
91 i ? "B" : " "); 91 i ? "B" : " ");
92} 92}
@@ -99,7 +99,7 @@ format_size(char *buf, int size, off_t bytes)
99 for (i = 0; bytes >= 10000 && unit[i] != 'T'; i++) 99 for (i = 0; bytes >= 10000 && unit[i] != 'T'; i++)
100 bytes = (bytes + 512) / 1024; 100 bytes = (bytes + 512) / 1024;
101 snprintf(buf, size, "%4lld%c%s", 101 snprintf(buf, size, "%4lld%c%s",
102 (int64_t) bytes, 102 (long long) bytes,
103 unit[i], 103 unit[i],
104 i ? "B" : " "); 104 i ? "B" : " ");
105} 105}
diff --git a/readconf.c b/readconf.c
index d2c5a77f7..7933c5289 100644
--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
12 */ 12 */
13 13
14#include "includes.h" 14#include "includes.h"
15RCSID("$OpenBSD: readconf.c,v 1.143 2005/07/30 02:03:47 djm Exp $"); 15RCSID("$OpenBSD: readconf.c,v 1.145 2005/12/08 18:34:11 reyk Exp $");
16 16
17#include "ssh.h" 17#include "ssh.h"
18#include "xmalloc.h" 18#include "xmalloc.h"
@@ -70,6 +70,10 @@ RCSID("$OpenBSD: readconf.c,v 1.143 2005/07/30 02:03:47 djm Exp $");
70 Cipher none 70 Cipher none
71 PasswordAuthentication no 71 PasswordAuthentication no
72 72
73 Host vpn.fake.com
74 Tunnel yes
75 TunnelDevice 3
76
73 # Defaults for various options 77 # Defaults for various options
74 Host * 78 Host *
75 ForwardAgent no 79 ForwardAgent no
@@ -107,6 +111,7 @@ typedef enum {
107 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 111 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
108 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 112 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
109 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, 113 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
114 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
110 oProtocolKeepAlives, oSetupTimeOut, 115 oProtocolKeepAlives, oSetupTimeOut,
111 oDeprecated, oUnsupported 116 oDeprecated, oUnsupported
112} OpCodes; 117} OpCodes;
@@ -199,6 +204,10 @@ static struct {
199 { "controlpath", oControlPath }, 204 { "controlpath", oControlPath },
200 { "controlmaster", oControlMaster }, 205 { "controlmaster", oControlMaster },
201 { "hashknownhosts", oHashKnownHosts }, 206 { "hashknownhosts", oHashKnownHosts },
207 { "tunnel", oTunnel },
208 { "tunneldevice", oTunnelDevice },
209 { "localcommand", oLocalCommand },
210 { "permitlocalcommand", oPermitLocalCommand },
202 { "protocolkeepalives", oProtocolKeepAlives }, 211 { "protocolkeepalives", oProtocolKeepAlives },
203 { "setuptimeout", oSetupTimeOut }, 212 { "setuptimeout", oSetupTimeOut },
204 { NULL, oBadOption } 213 { NULL, oBadOption }
@@ -267,6 +276,7 @@ clear_forwardings(Options *options)
267 xfree(options->remote_forwards[i].connect_host); 276 xfree(options->remote_forwards[i].connect_host);
268 } 277 }
269 options->num_remote_forwards = 0; 278 options->num_remote_forwards = 0;
279 options->tun_open = SSH_TUNMODE_NO;
270} 280}
271 281
272/* 282/*
@@ -299,7 +309,7 @@ process_config_line(Options *options, const char *host,
299 int *activep) 309 int *activep)
300{ 310{
301 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256]; 311 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
302 int opcode, *intptr, value; 312 int opcode, *intptr, value, value2;
303 size_t len; 313 size_t len;
304 Forward fwd; 314 Forward fwd;
305 315
@@ -556,9 +566,10 @@ parse_string:
556 goto parse_string; 566 goto parse_string;
557 567
558 case oProxyCommand: 568 case oProxyCommand:
569 charptr = &options->proxy_command;
570parse_command:
559 if (s == NULL) 571 if (s == NULL)
560 fatal("%.200s line %d: Missing argument.", filename, linenum); 572 fatal("%.200s line %d: Missing argument.", filename, linenum);
561 charptr = &options->proxy_command;
562 len = strspn(s, WHITESPACE "="); 573 len = strspn(s, WHITESPACE "=");
563 if (*activep && *charptr == NULL) 574 if (*activep && *charptr == NULL)
564 *charptr = xstrdup(s + len); 575 *charptr = xstrdup(s + len);
@@ -826,6 +837,49 @@ parse_int:
826 intptr = &options->hash_known_hosts; 837 intptr = &options->hash_known_hosts;
827 goto parse_flag; 838 goto parse_flag;
828 839
840 case oTunnel:
841 intptr = &options->tun_open;
842 arg = strdelim(&s);
843 if (!arg || *arg == '\0')
844 fatal("%s line %d: Missing yes/point-to-point/"
845 "ethernet/no argument.", filename, linenum);
846 value = 0; /* silence compiler */
847 if (strcasecmp(arg, "ethernet") == 0)
848 value = SSH_TUNMODE_ETHERNET;
849 else if (strcasecmp(arg, "point-to-point") == 0)
850 value = SSH_TUNMODE_POINTOPOINT;
851 else if (strcasecmp(arg, "yes") == 0)
852 value = SSH_TUNMODE_DEFAULT;
853 else if (strcasecmp(arg, "no") == 0)
854 value = SSH_TUNMODE_NO;
855 else
856 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
857 "no argument: %s", filename, linenum, arg);
858 if (*activep)
859 *intptr = value;
860 break;
861
862 case oTunnelDevice:
863 arg = strdelim(&s);
864 if (!arg || *arg == '\0')
865 fatal("%.200s line %d: Missing argument.", filename, linenum);
866 value = a2tun(arg, &value2);
867 if (value == SSH_TUNID_ERR)
868 fatal("%.200s line %d: Bad tun device.", filename, linenum);
869 if (*activep) {
870 options->tun_local = value;
871 options->tun_remote = value2;
872 }
873 break;
874
875 case oLocalCommand:
876 charptr = &options->local_command;
877 goto parse_command;
878
879 case oPermitLocalCommand:
880 intptr = &options->permit_local_command;
881 goto parse_flag;
882
829 case oSetupTimeOut: 883 case oSetupTimeOut:
830 intptr = &options->setuptimeout; 884 intptr = &options->setuptimeout;
831 goto parse_int; 885 goto parse_int;
@@ -994,6 +1048,11 @@ initialize_options(Options * options)
994 options->control_path = NULL; 1048 options->control_path = NULL;
995 options->control_master = -1; 1049 options->control_master = -1;
996 options->hash_known_hosts = -1; 1050 options->hash_known_hosts = -1;
1051 options->tun_open = -1;
1052 options->tun_local = -1;
1053 options->tun_remote = -1;
1054 options->local_command = NULL;
1055 options->permit_local_command = -1;
997} 1056}
998 1057
999/* 1058/*
@@ -1123,6 +1182,14 @@ fill_default_options(Options * options)
1123 options->control_master = 0; 1182 options->control_master = 0;
1124 if (options->hash_known_hosts == -1) 1183 if (options->hash_known_hosts == -1)
1125 options->hash_known_hosts = 0; 1184 options->hash_known_hosts = 0;
1185 if (options->tun_open == -1)
1186 options->tun_open = SSH_TUNMODE_NO;
1187 if (options->tun_local == -1)
1188 options->tun_local = SSH_TUNID_ANY;
1189 if (options->tun_remote == -1)
1190 options->tun_remote = SSH_TUNID_ANY;
1191 if (options->permit_local_command == -1)
1192 options->permit_local_command = 0;
1126 if (options->setuptimeout == -1) { 1193 if (options->setuptimeout == -1) {
1127 /* in batch mode, default is 5mins */ 1194 /* in batch mode, default is 5mins */
1128 if (options->batch_mode == 1) 1195 if (options->batch_mode == 1)
@@ -1130,6 +1197,7 @@ fill_default_options(Options * options)
1130 else 1197 else
1131 options->setuptimeout = 0; 1198 options->setuptimeout = 0;
1132 } 1199 }
1200 /* options->local_command should not be set by default */
1133 /* options->proxy_command should not be set by default */ 1201 /* options->proxy_command should not be set by default */
1134 /* options->user will be set in the main program if appropriate */ 1202 /* options->user will be set in the main program if appropriate */
1135 /* options->hostname will be set in the main program if appropriate */ 1203 /* options->hostname will be set in the main program if appropriate */
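Review bot: The new `oTunnel` and `oTunnelDevice` cases in `process_config_line` store their value whenever `*activep` is set, without checking whether the option already has one, so a later matching block overrides an earlier one. The `parse_command` path in the same function keeps the first value (`*activep && *charptr == NULL`) and `fill_default_options` treats -1 as "unset" for all three tun fields; with the layout in the file's own sample config, a `Tunnel` line under `Host *` would replace the one under `Host vpn.fake.com`. I would guard both stores, `if (*activep && *intptr == -1)` for `oTunnel` and `if (*activep && options->tun_local == -1) {` for `oTunnelDevice`. Separately, the two `fatal()` calls in `oTunnel` print `filename` and `arg` with a bare `%s` where the neighbouring cases use `%.200s`. `process_config_line` starts and ends outside these hunks, so the `parse_flag` path that `oPermitLocalCommand` jumps to is not visible here.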
diff --git a/readconf.h b/readconf.h
index a68734437..630895ee4 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: readconf.h,v 1.67 2005/06/08 11:25:09 djm Exp $ */ 1/* $OpenBSD: readconf.h,v 1.68 2005/12/06 22:38:27 reyk Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -115,6 +115,14 @@ typedef struct {
115 int control_master; 115 int control_master;
116 116
117 int hash_known_hosts; 117 int hash_known_hosts;
118
119 int tun_open; /* tun(4) */
120 int tun_local; /* force tun device (optional) */
121 int tun_remote; /* force tun device (optional) */
122
123 char *local_command;
124 int permit_local_command;
125
118} Options; 126} Options;
119 127
120#define SSHCTL_MASTER_NO 0 128#define SSHCTL_MASTER_NO 0
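Review bot: The fields added to `Options` are under-documented: `tun_local` and `tun_remote` carry the same comment, `tun_open` says only `tun(4)`, and `local_command` and `permit_local_command` have no comment at all. From readconf.c in this commit, `tun_open` holds one of the `SSH_TUNMODE_*` values, `tun_local` and `tun_remote` receive the two ids produced by `a2tun()` and default to `SSH_TUNID_ANY`, and `permit_local_command` defaults to 0. I would write `/* SSH_TUNMODE_* value */`, `/* local tun device id, or SSH_TUNID_ANY */` and `/* remote tun device id, or SSH_TUNID_ANY */` on the tun fields. For the other two, `/* LocalCommand string, NULL if unset */` and `/* PermitLocalCommand flag, off by default */` would do.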
diff --git a/regress/README.regress b/regress/README.regress
index 0c07c9cf1..5aaf734bd 100644
--- a/regress/README.regress
+++ b/regress/README.regress
@@ -97,8 +97,12 @@ Known Issues.
97 unless ssh-rand-helper is in pre-installed (the path to 97 unless ssh-rand-helper is in pre-installed (the path to
98 ssh-rand-helper is hard coded). 98 ssh-rand-helper is hard coded).
99 99
100- Similarly, if you do not have "scp" in your system's $PATH then the
101 multiplex scp tests will fail (since the system's shell startup scripts
102 will determine where the shell started by sshd will look for scp).
103
100- Recent GNU coreutils deprecate "head -[n]": this will cause the yes-head 104- Recent GNU coreutils deprecate "head -[n]": this will cause the yes-head
101 test to fail. The old behaviour can be restored by setting (and 105 test to fail. The old behaviour can be restored by setting (and
102 exporting) _POSIX2_VERSION=199209 before running the tests. 106 exporting) _POSIX2_VERSION=199209 before running the tests.
103 107
104$Id: README.regress,v 1.9 2004/08/17 12:31:33 dtucker Exp $ 108$Id: README.regress,v 1.10 2005/10/03 10:14:18 dtucker Exp $
diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh
index 46d20dc2b..6186a8d48 100644
--- a/regress/agent-getpeereid.sh
+++ b/regress/agent-getpeereid.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: agent-getpeereid.sh,v 1.1 2002/12/09 16:05:02 markus Exp $ 1# $OpenBSD: agent-getpeereid.sh,v 1.2 2005/11/14 21:25:56 grunk Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="disallow agent attach from other uid" 4tid="disallow agent attach from other uid"
@@ -27,7 +27,7 @@ else
27 fail "ssh-add failed with $r != 1" 27 fail "ssh-add failed with $r != 1"
28 fi 28 fi
29 29
30 < /dev/null sudo -S -u ${UNPRIV} ssh-add -l > /dev/null 2>&1 30 < /dev/null ${SUDO} -S -u ${UNPRIV} ssh-add -l > /dev/null 2>&1
31 r=$? 31 r=$?
32 if [ $r -lt 2 ]; then 32 if [ $r -lt 2 ]; then
33 fail "ssh-add did not fail for ${UNPRIV}: $r < 2" 33 fail "ssh-add did not fail for ${UNPRIV}: $r < 2"
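Review bot: With `${SUDO}` replacing the literal `sudo` on new line 30, an empty `SUDO` makes the shell try to run `-S` as the command. That exits 127, the `$r -lt 2` check below does not fire, and the test passes without ever attempting the agent attach as `${UNPRIV}`. The `if`/`else` this line sits in begins outside the hunk, so a guard may already exist; if it does not, something like `[ -n "$SUDO" ] || { echo "skipped (SUDO not set)"; exit 0; }` near the top would make the skip explicit. test-exec.sh in this commit still has `#SUDO=sudo` commented out, so the empty case looks like the default.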
diff --git a/regress/forwarding.sh b/regress/forwarding.sh
index dfe065dd6..3b171144f 100644
--- a/regress/forwarding.sh
+++ b/regress/forwarding.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: forwarding.sh,v 1.4 2002/03/15 13:08:56 markus Exp $ 1# $OpenBSD: forwarding.sh,v 1.5 2005/03/10 10:20:39 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="local and remote forwarding" 4tid="local and remote forwarding"
@@ -32,3 +32,34 @@ for p in 1 2; do
32 32
33 sleep 10 33 sleep 10
34done 34done
35
36for p in 1 2; do
37 trace "simple clear forwarding proto $p"
38 ${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
39
40 trace "clear local forward proto $p"
41 ${SSH} -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
42 -oClearAllForwardings=yes somehost sleep 10
43 if [ $? != 0 ]; then
44 fail "connection failed with cleared local forwarding"
45 else
46 # this one should fail
47 ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
48 2>${TEST_SSH_LOGFILE} && \
49 fail "local forwarding not cleared"
50 fi
51 sleep 10
52
53 trace "clear remote forward proto $p"
54 ${SSH} -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
55 -oClearAllForwardings=yes somehost sleep 10
56 if [ $? != 0 ]; then
57 fail "connection failed with cleared remote forwarding"
58 else
59 # this one should fail
60 ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
61 2>${TEST_SSH_LOGFILE} && \
62 fail "remote forwarding not cleared"
63 fi
64 sleep 10
65done
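Review bot: Both "this one should fail" probes (new lines 47 and 60) omit the host argument: in `${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true` the word `true` sits where every other invocation in this hunk has `somehost`. ssh therefore takes `true` as the destination and no remote command is given. Whether the probe then fails because the forward was cleared or for an unrelated reason depends on the generated ssh_config, which is not shown, so the check may not be measuring what its `fail` message says. I would write `${SSH} -$p -F $OBJ/ssh_config -p ${base}01 somehost true \` in both places.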
diff --git a/regress/multiplex.sh b/regress/multiplex.sh
index a172e5790..4fba7b5ac 100644
--- a/regress/multiplex.sh
+++ b/regress/multiplex.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: multiplex.sh,v 1.10 2005/02/27 11:33:30 dtucker Exp $ 1# $OpenBSD: multiplex.sh,v 1.11 2005/04/25 09:54:09 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4CTL=/tmp/openssh.regress.ctl-sock.$$ 4CTL=/tmp/openssh.regress.ctl-sock.$$
diff --git a/regress/reconfigure.sh b/regress/reconfigure.sh
index ba6dbc6f5..1daf29f9a 100644
--- a/regress/reconfigure.sh
+++ b/regress/reconfigure.sh
@@ -15,8 +15,9 @@ esac
15 15
16start_sshd 16start_sshd
17 17
18$SUDO kill -HUP `cat $PIDFILE` 18PID=`cat $PIDFILE`
19sleep 1 19rm -f $PIDFILE
20$SUDO kill -HUP $PID
20 21
21trace "wait for sshd to restart" 22trace "wait for sshd to restart"
22i=0; 23i=0;
diff --git a/regress/scp-ssh-wrapper.sh b/regress/scp-ssh-wrapper.sh
index 8e4314773..d1005a995 100644
--- a/regress/scp-ssh-wrapper.sh
+++ b/regress/scp-ssh-wrapper.sh
@@ -1,5 +1,5 @@
1#!/bin/sh 1#!/bin/sh
2# $OpenBSD: scp-ssh-wrapper.sh,v 1.1 2004/06/13 13:51:02 dtucker Exp $ 2# $OpenBSD: scp-ssh-wrapper.sh,v 1.2 2005/12/14 04:36:39 dtucker Exp $
3# Placed in the Public Domain. 3# Placed in the Public Domain.
4 4
5printname () { 5printname () {
@@ -16,8 +16,11 @@ printname () {
16 done 16 done
17} 17}
18 18
19# discard first 5 args 19# Discard all but last argument. We use arg later.
20shift; shift; shift; shift; shift 20while test "$1" != ""; do
21 arg="$1"
22 shift
23done
21 24
22BAD="../../../../../../../../../../../../../${DIR}/dotpathdir" 25BAD="../../../../../../../../../../../../../${DIR}/dotpathdir"
23 26
@@ -49,6 +52,6 @@ badserver_4)
49 echo "X" 52 echo "X"
50 ;; 53 ;;
51*) 54*)
52 exec $1 55 exec $arg
53 ;; 56 ;;
54esac 57esac
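Review bot: The argument-discarding loop at new lines 20-23 stops at the first empty argument rather than at the end of the list, because it tests `"$1" != ""` instead of the argument count. If the wrapper is ever called with an empty-string argument ahead of the command, `arg` is left holding whatever preceded it, and the `exec $arg` in the default case runs that instead. `while [ $# -gt 0 ]; do` keeps the same body and removes the dependence on argument contents. `$arg` is expanded unquoted at `exec`, which looks deliberate since it carries a whole command line; a short comment saying so would help the next reader.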
diff --git a/regress/scp.sh b/regress/scp.sh
index c3034b6e7..c5d412dd9 100644
--- a/regress/scp.sh
+++ b/regress/scp.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: scp.sh,v 1.3 2004/07/08 12:59:35 dtucker Exp $ 1# $OpenBSD: scp.sh,v 1.7 2006/01/31 10:36:33 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="scp" 4tid="scp"
@@ -28,6 +28,11 @@ scpclean() {
28 mkdir ${DIR} ${DIR2} 28 mkdir ${DIR} ${DIR2}
29} 29}
30 30
31verbose "$tid: simple copy local file to local file"
32scpclean
33$SCP $scpopts ${DATA} ${COPY} || fail "copy failed"
34cmp ${DATA} ${COPY} || fail "corrupted copy"
35
31verbose "$tid: simple copy local file to remote file" 36verbose "$tid: simple copy local file to remote file"
32scpclean 37scpclean
33$SCP $scpopts ${DATA} somehost:${COPY} || fail "copy failed" 38$SCP $scpopts ${DATA} somehost:${COPY} || fail "copy failed"
@@ -44,6 +49,12 @@ cp ${DATA} ${COPY}
44$SCP $scpopts ${COPY} somehost:${DIR} || fail "copy failed" 49$SCP $scpopts ${COPY} somehost:${DIR} || fail "copy failed"
45cmp ${COPY} ${DIR}/copy || fail "corrupted copy" 50cmp ${COPY} ${DIR}/copy || fail "corrupted copy"
46 51
52verbose "$tid: simple copy local file to local dir"
53scpclean
54cp ${DATA} ${COPY}
55$SCP $scpopts ${COPY} ${DIR} || fail "copy failed"
56cmp ${COPY} ${DIR}/copy || fail "corrupted copy"
57
47verbose "$tid: simple copy remote file to local dir" 58verbose "$tid: simple copy remote file to local dir"
48scpclean 59scpclean
49cp ${DATA} ${COPY} 60cp ${DATA} ${COPY}
@@ -57,6 +68,13 @@ cp ${DATA} ${DIR}/copy
57$SCP $scpopts -r ${DIR} somehost:${DIR2} || fail "copy failed" 68$SCP $scpopts -r ${DIR} somehost:${DIR2} || fail "copy failed"
58diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy" 69diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
59 70
71verbose "$tid: recursive local dir to local dir"
72scpclean
73rm -rf ${DIR2}
74cp ${DATA} ${DIR}/copy
75$SCP $scpopts -r ${DIR} ${DIR2} || fail "copy failed"
76diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
77
60verbose "$tid: recursive remote dir to local dir" 78verbose "$tid: recursive remote dir to local dir"
61scpclean 79scpclean
62rm -rf ${DIR2} 80rm -rf ${DIR2}
@@ -64,6 +82,13 @@ cp ${DATA} ${DIR}/copy
64$SCP $scpopts -r somehost:${DIR} ${DIR2} || fail "copy failed" 82$SCP $scpopts -r somehost:${DIR} ${DIR2} || fail "copy failed"
65diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy" 83diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
66 84
85verbose "$tid: shell metacharacters"
86scpclean
87(cd ${DIR} && \
88touch '`touch metachartest`' && \
89$SCP $scpopts *metachar* ${DIR2} 2>/dev/null; \
90[ ! -f metachartest ] ) || fail "shell metacharacters"
91
67if [ ! -z "$SUDO" ]; then 92if [ ! -z "$SUDO" ]; then
68 verbose "$tid: skipped file after scp -p with failed chown+utimes" 93 verbose "$tid: skipped file after scp -p with failed chown+utimes"
69 scpclean 94 scpclean
@@ -73,7 +98,7 @@ if [ ! -z "$SUDO" ]; then
73 chmod 660 ${DIR2}/copy 98 chmod 660 ${DIR2}/copy
74 $SUDO chown root ${DIR2}/copy 99 $SUDO chown root ${DIR2}/copy
75 $SCP -p $scpopts somehost:${DIR}/\* ${DIR2} >/dev/null 2>&1 100 $SCP -p $scpopts somehost:${DIR}/\* ${DIR2} >/dev/null 2>&1
76 diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy" 101 $SUDO diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
77 $SUDO rm ${DIR2}/copy 102 $SUDO rm ${DIR2}/copy
78fi 103fi
79 104
@@ -91,5 +116,12 @@ for i in 0 1 2 3 4; do
91 [ -d ${DIR}/dotpathdir ] && fail "allows dir creation outside of subdir" 116 [ -d ${DIR}/dotpathdir ] && fail "allows dir creation outside of subdir"
92done 117done
93 118
119verbose "$tid: detect non-directory target"
120scpclean
121echo a > ${COPY}
122echo b > ${COPY2}
123$SCP $scpopts ${DATA} ${COPY} ${COPY2}
124cmp ${COPY} ${COPY2} >/dev/null && fail "corrupt target"
125
94scpclean 126scpclean
95rm -f ${OBJ}/scp-ssh-wrapper.scp 127rm -f ${OBJ}/scp-ssh-wrapper.scp
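Review bot: The "shell metacharacters" test (new lines 85-90) can pass without exercising the copy. The `;` before `[ ! -f metachartest ]` lets the final check run even when `cd`, `touch` or `$SCP` fails, scp's stderr is discarded, and nothing verifies that the file with backticks in its name arrived in `${DIR2}`. A regression that makes scp reject or skip such names would look the same as a correct copy. I would keep the negative check and add a positive one after the subshell, as the neighbouring tests do: `diff ${DIFFOPT} ${DIR} ${DIR2} || fail "metachar file not copied"`.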
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 4b3a70eb3..59ae33c08 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: test-exec.sh,v 1.27 2005/02/27 11:33:30 dtucker Exp $ 1# $OpenBSD: test-exec.sh,v 1.28 2005/05/20 23:14:15 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4#SUDO=sudo 4#SUDO=sudo
@@ -24,6 +24,8 @@ if [ -x /usr/ucb/whoami ]; then
24 USER=`/usr/ucb/whoami` 24 USER=`/usr/ucb/whoami`
25elif whoami >/dev/null 2>&1; then 25elif whoami >/dev/null 2>&1; then
26 USER=`whoami` 26 USER=`whoami`
27elif logname >/dev/null 2>&1; then
28 USER=`logname`
27else 29else
28 USER=`id -un` 30 USER=`id -un`
29fi 31fi
@@ -194,6 +196,7 @@ trap fatal 3 2
194cat << EOF > $OBJ/sshd_config 196cat << EOF > $OBJ/sshd_config
195 StrictModes no 197 StrictModes no
196 Port $PORT 198 Port $PORT
199 AddressFamily inet
197 ListenAddress 127.0.0.1 200 ListenAddress 127.0.0.1
198 #ListenAddress ::1 201 #ListenAddress ::1
199 PidFile $PIDFILE 202 PidFile $PIDFILE
@@ -244,7 +247,7 @@ trace "generate keys"
244for t in rsa rsa1; do 247for t in rsa rsa1; do
245 # generate user key 248 # generate user key
246 rm -f $OBJ/$t 249 rm -f $OBJ/$t
247 ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t ||\ 250 ${SSHKEYGEN} -b 1024 -q -N '' -t $t -f $OBJ/$t ||\
248 fail "ssh-keygen for $t failed" 251 fail "ssh-keygen for $t failed"
249 252
250 # known hosts file for client 253 # known hosts file for client
diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh
index c6e1b9152..379fe353a 100644
--- a/regress/try-ciphers.sh
+++ b/regress/try-ciphers.sh
@@ -1,9 +1,10 @@
1# $OpenBSD: try-ciphers.sh,v 1.9 2004/02/28 13:44:45 dtucker Exp $ 1# $OpenBSD: try-ciphers.sh,v 1.10 2005/05/24 04:10:54 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="try ciphers" 4tid="try ciphers"
5 5
6ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour 6ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
7 arcfour128 arcfour256 arcfour
7 aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se 8 aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
8 aes128-ctr aes192-ctr aes256-ctr" 9 aes128-ctr aes192-ctr aes256-ctr"
9macs="hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96" 10macs="hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96"
diff --git a/regress/yes-head.sh b/regress/yes-head.sh
index 17a4d0dd4..a8e6bc800 100644
--- a/regress/yes-head.sh
+++ b/regress/yes-head.sh
@@ -4,7 +4,7 @@
4tid="yes pipe head" 4tid="yes pipe head"
5 5
6for p in 1 2; do 6for p in 1 2; do
7 lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | head -2000"' | (sleep 3 ; wc -l)` 7 lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)`
8 if [ $? -ne 0 ]; then 8 if [ $? -ne 0 ]; then
9 fail "yes|head test failed" 9 fail "yes|head test failed"
10 lines = 0; 10 lines = 0;
diff --git a/scp.0 b/scp.0
index aa54dda3f..2c7f15567 100644
--- a/scp.0
+++ b/scp.0
@@ -92,6 +92,7 @@ DESCRIPTION
92 Protocol 92 Protocol
93 ProxyCommand 93 ProxyCommand
94 PubkeyAuthentication 94 PubkeyAuthentication
95 RekeyLimit
95 RhostsRSAAuthentication 96 RhostsRSAAuthentication
96 RSAAuthentication 97 RSAAuthentication
97 SendEnv 98 SendEnv
@@ -141,4 +142,4 @@ AUTHORS
141 Timo Rinne <tri@iki.fi> 142 Timo Rinne <tri@iki.fi>
142 Tatu Ylonen <ylo@cs.hut.fi> 143 Tatu Ylonen <ylo@cs.hut.fi>
143 144
144OpenBSD 3.8 September 25, 1999 3 145OpenBSD 3.9 September 25, 1999 3
diff --git a/scp.1 b/scp.1
index b5191e318..d9b1f8e8f 100644
--- a/scp.1
+++ b/scp.1
@@ -9,7 +9,7 @@
9.\" 9.\"
10.\" Created: Sun May 7 00:14:37 1995 ylo 10.\" Created: Sun May 7 00:14:37 1995 ylo
11.\" 11.\"
12.\" $OpenBSD: scp.1,v 1.38 2005/03/01 17:19:35 jmc Exp $ 12.\" $OpenBSD: scp.1,v 1.39 2006/01/20 00:14:55 dtucker Exp $
13.\" 13.\"
14.Dd September 25, 1999 14.Dd September 25, 1999
15.Dt SCP 1 15.Dt SCP 1
@@ -152,6 +152,7 @@ For full details of the options listed below, and their possible values, see
152.It Protocol 152.It Protocol
153.It ProxyCommand 153.It ProxyCommand
154.It PubkeyAuthentication 154.It PubkeyAuthentication
155.It RekeyLimit
155.It RhostsRSAAuthentication 156.It RhostsRSAAuthentication
156.It RSAAuthentication 157.It RSAAuthentication
157.It SendEnv 158.It SendEnv
diff --git a/scp.c b/scp.c
index 1407aa71d..620024ea7 100644
--- a/scp.c
+++ b/scp.c
@@ -71,7 +71,7 @@
71 */ 71 */
72 72
73#include "includes.h" 73#include "includes.h"
74RCSID("$OpenBSD: scp.c,v 1.125 2005/07/27 10:39:03 dtucker Exp $"); 74RCSID("$OpenBSD: scp.c,v 1.130 2006/01/31 10:35:43 djm Exp $");
75 75
76#include "xmalloc.h" 76#include "xmalloc.h"
77#include "atomicio.h" 77#include "atomicio.h"
@@ -118,6 +118,48 @@ killchild(int signo)
118 exit(1); 118 exit(1);
119} 119}
120 120
121static int
122do_local_cmd(arglist *a)
123{
124 u_int i;
125 int status;
126 pid_t pid;
127
128 if (a->num == 0)
129 fatal("do_local_cmd: no arguments");
130
131 if (verbose_mode) {
132 fprintf(stderr, "Executing:");
133 for (i = 0; i < a->num; i++)
134 fprintf(stderr, " %s", a->list[i]);
135 fprintf(stderr, "\n");
136 }
137 if ((pid = fork()) == -1)
138 fatal("do_local_cmd: fork: %s", strerror(errno));
139
140 if (pid == 0) {
141 execvp(a->list[0], a->list);
142 perror(a->list[0]);
143 exit(1);
144 }
145
146 do_cmd_pid = pid;
147 signal(SIGTERM, killchild);
148 signal(SIGINT, killchild);
149 signal(SIGHUP, killchild);
150
151 while (waitpid(pid, &status, 0) == -1)
152 if (errno != EINTR)
153 fatal("do_local_cmd: waitpid: %s", strerror(errno));
154
155 do_cmd_pid = -1;
156
157 if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
158 return (-1);
159
160 return (0);
161}
162
121/* 163/*
122 * This function executes the given command as the specified user on the 164 * This function executes the given command as the specified user on the
123 * given host. This returns < 0 if execution fails, and >= 0 otherwise. This 165 * given host. This returns < 0 if execution fails, and >= 0 otherwise. This
@@ -162,7 +204,7 @@ do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc)
162 close(pin[0]); 204 close(pin[0]);
163 close(pout[1]); 205 close(pout[1]);
164 206
165 args.list[0] = ssh_program; 207 replacearg(&args, 0, "%s", ssh_program);
166 if (remuser != NULL) 208 if (remuser != NULL)
167 addargs(&args, "-l%s", remuser); 209 addargs(&args, "-l%s", remuser);
168 addargs(&args, "%s", host); 210 addargs(&args, "%s", host);
@@ -222,12 +264,17 @@ main(int argc, char **argv)
222 extern char *optarg; 264 extern char *optarg;
223 extern int optind; 265 extern int optind;
224 266
267 /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
268 sanitise_stdfd();
269
225 __progname = ssh_get_progname(argv[0]); 270 __progname = ssh_get_progname(argv[0]);
226 271
272 memset(&args, '\0', sizeof(args));
227 args.list = NULL; 273 args.list = NULL;
228 addargs(&args, "ssh"); /* overwritten with ssh_program */ 274 addargs(&args, "%s", ssh_program);
229 addargs(&args, "-x"); 275 addargs(&args, "-x");
230 addargs(&args, "-oForwardAgent no"); 276 addargs(&args, "-oForwardAgent no");
277 addargs(&args, "-oPermitLocalCommand no");
231 addargs(&args, "-oClearAllForwardings yes"); 278 addargs(&args, "-oClearAllForwardings yes");
232 279
233 fflag = tflag = 0; 280 fflag = tflag = 0;
@@ -336,9 +383,9 @@ main(int argc, char **argv)
336 if ((targ = colon(argv[argc - 1]))) /* Dest is remote host. */ 383 if ((targ = colon(argv[argc - 1]))) /* Dest is remote host. */
337 toremote(targ, argc, argv); 384 toremote(targ, argc, argv);
338 else { 385 else {
339 tolocal(argc, argv); /* Dest is local host. */
340 if (targetshouldbedirectory) 386 if (targetshouldbedirectory)
341 verifydir(argv[argc - 1]); 387 verifydir(argv[argc - 1]);
388 tolocal(argc, argv); /* Dest is local host. */
342 } 389 }
343 /* 390 /*
344 * Finally check the exit status of the ssh process, if one was forked 391 * Finally check the exit status of the ssh process, if one was forked
@@ -364,6 +411,10 @@ toremote(char *targ, int argc, char **argv)
364{ 411{
365 int i, len; 412 int i, len;
366 char *bp, *host, *src, *suser, *thost, *tuser, *arg; 413 char *bp, *host, *src, *suser, *thost, *tuser, *arg;
414 arglist alist;
415
416 memset(&alist, '\0', sizeof(alist));
417 alist.list = NULL;
367 418
368 *targ++ = 0; 419 *targ++ = 0;
369 if (*targ == 0) 420 if (*targ == 0)
@@ -381,56 +432,48 @@ toremote(char *targ, int argc, char **argv)
381 tuser = NULL; 432 tuser = NULL;
382 } 433 }
383 434
435 if (tuser != NULL && !okname(tuser)) {
436 xfree(arg);
437 return;
438 }
439
384 for (i = 0; i < argc - 1; i++) { 440 for (i = 0; i < argc - 1; i++) {
385 src = colon(argv[i]); 441 src = colon(argv[i]);
386 if (src) { /* remote to remote */ 442 if (src) { /* remote to remote */
387 static char *ssh_options = 443 freeargs(&alist);
388 "-x -o'ClearAllForwardings yes'"; 444 addargs(&alist, "%s", ssh_program);
445 if (verbose_mode)
446 addargs(&alist, "-v");
447 addargs(&alist, "-x");
448 addargs(&alist, "-oClearAllForwardings yes");
449 addargs(&alist, "-n");
450
389 *src++ = 0; 451 *src++ = 0;
390 if (*src == 0) 452 if (*src == 0)
391 src = "."; 453 src = ".";
392 host = strrchr(argv[i], '@'); 454 host = strrchr(argv[i], '@');
393 len = strlen(ssh_program) + strlen(argv[i]) + 455
394 strlen(src) + (tuser ? strlen(tuser) : 0) +
395 strlen(thost) + strlen(targ) +
396 strlen(ssh_options) + CMDNEEDS + 20;
397 bp = xmalloc(len);
398 if (host) { 456 if (host) {
399 *host++ = 0; 457 *host++ = 0;
400 host = cleanhostname(host); 458 host = cleanhostname(host);
401 suser = argv[i]; 459 suser = argv[i];
402 if (*suser == '\0') 460 if (*suser == '\0')
403 suser = pwd->pw_name; 461 suser = pwd->pw_name;
404 else if (!okname(suser)) { 462 else if (!okname(suser))
405 xfree(bp);
406 continue; 463 continue;
407 } 464 addargs(&alist, "-l");
408 if (tuser && !okname(tuser)) { 465 addargs(&alist, "%s", suser);
409 xfree(bp);
410 continue;
411 }
412 snprintf(bp, len,
413 "%s%s %s -n "
414 "-l %s %s %s %s '%s%s%s:%s'",
415 ssh_program, verbose_mode ? " -v" : "",
416 ssh_options, suser, host, cmd, src,
417 tuser ? tuser : "", tuser ? "@" : "",
418 thost, targ);
419 } else { 466 } else {
420 host = cleanhostname(argv[i]); 467 host = cleanhostname(argv[i]);
421 snprintf(bp, len,
422 "exec %s%s %s -n %s "
423 "%s %s '%s%s%s:%s'",
424 ssh_program, verbose_mode ? " -v" : "",
425 ssh_options, host, cmd, src,
426 tuser ? tuser : "", tuser ? "@" : "",
427 thost, targ);
428 } 468 }
429 if (verbose_mode) 469 addargs(&alist, "%s", host);
430 fprintf(stderr, "Executing: %s\n", bp); 470 addargs(&alist, "%s", cmd);
431 if (system(bp) != 0) 471 addargs(&alist, "%s", src);
472 addargs(&alist, "%s%s%s:%s",
473 tuser ? tuser : "", tuser ? "@" : "",
474 thost, targ);
475 if (do_local_cmd(&alist) != 0)
432 errs = 1; 476 errs = 1;
433 (void) xfree(bp);
434 } else { /* local to remote */ 477 } else { /* local to remote */
435 if (remin == -1) { 478 if (remin == -1) {
436 len = strlen(targ) + CMDNEEDS + 20; 479 len = strlen(targ) + CMDNEEDS + 20;
@@ -454,20 +497,23 @@ tolocal(int argc, char **argv)
454{ 497{
455 int i, len; 498 int i, len;
456 char *bp, *host, *src, *suser; 499 char *bp, *host, *src, *suser;
500 arglist alist;
501
502 memset(&alist, '\0', sizeof(alist));
503 alist.list = NULL;
457 504
458 for (i = 0; i < argc - 1; i++) { 505 for (i = 0; i < argc - 1; i++) {
459 if (!(src = colon(argv[i]))) { /* Local to local. */ 506 if (!(src = colon(argv[i]))) { /* Local to local. */
460 len = strlen(_PATH_CP) + strlen(argv[i]) + 507 freeargs(&alist);
461 strlen(argv[argc - 1]) + 20; 508 addargs(&alist, "%s", _PATH_CP);
462 bp = xmalloc(len); 509 if (iamrecursive)
463 (void) snprintf(bp, len, "exec %s%s%s %s %s", _PATH_CP, 510 addargs(&alist, "-r");
464 iamrecursive ? " -r" : "", pflag ? " -p" : "", 511 if (pflag)
465 argv[i], argv[argc - 1]); 512 addargs(&alist, "-p");
466 if (verbose_mode) 513 addargs(&alist, "%s", argv[i]);
467 fprintf(stderr, "Executing: %s\n", bp); 514 addargs(&alist, "%s", argv[argc-1]);
468 if (system(bp)) 515 if (do_local_cmd(&alist))
469 ++errs; 516 ++errs;
470 (void) xfree(bp);
471 continue; 517 continue;
472 } 518 }
473 *src++ = 0; 519 *src++ = 0;
@@ -560,7 +606,7 @@ syserr: run_err("%s: %s", name, strerror(errno));
560#define FILEMODEMASK (S_ISUID|S_ISGID|S_IRWXU|S_IRWXG|S_IRWXO) 606#define FILEMODEMASK (S_ISUID|S_ISGID|S_IRWXU|S_IRWXG|S_IRWXO)
561 snprintf(buf, sizeof buf, "C%04o %lld %s\n", 607 snprintf(buf, sizeof buf, "C%04o %lld %s\n",
562 (u_int) (stb.st_mode & FILEMODEMASK), 608 (u_int) (stb.st_mode & FILEMODEMASK),
563 (int64_t)stb.st_size, last); 609 (long long)stb.st_size, last);
564 if (verbose_mode) { 610 if (verbose_mode) {
565 fprintf(stderr, "Sending file modes: %s", buf); 611 fprintf(stderr, "Sending file modes: %s", buf);
566 } 612 }
@@ -568,7 +614,10 @@ syserr: run_err("%s: %s", name, strerror(errno));
568 if (response() < 0) 614 if (response() < 0)
569 goto next; 615 goto next;
570 if ((bp = allocbuf(&buffer, fd, 2048)) == NULL) { 616 if ((bp = allocbuf(&buffer, fd, 2048)) == NULL) {
571next: (void) close(fd); 617next: if (fd != -1) {
618 (void) close(fd);
619 fd = -1;
620 }
572 continue; 621 continue;
573 } 622 }
574 if (showprogress) 623 if (showprogress)
@@ -597,8 +646,11 @@ next: (void) close(fd);
597 if (showprogress) 646 if (showprogress)
598 stop_progress_meter(); 647 stop_progress_meter();
599 648
600 if (close(fd) < 0 && !haderr) 649 if (fd != -1) {
601 haderr = errno; 650 if (close(fd) < 0 && !haderr)
651 haderr = errno;
652 fd = -1;
653 }
602 if (!haderr) 654 if (!haderr)
603 (void) atomicio(vwrite, remout, "", 1); 655 (void) atomicio(vwrite, remout, "", 1);
604 else 656 else
diff --git a/servconf.c b/servconf.c
index 9e420a527..81953bb80 100644
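--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.144 2005/08/06 10:03:12 dtucker Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.146 2005/12/08 18:34:11 reyk Exp $");
 
 #include "ssh.h"
 #include "log.h"
@@ -101,6 +101,7 @@ initialize_server_options(ServerOptions *options)
  options->authorized_keys_file = NULL;
  options->authorized_keys_file2 = NULL;
  options->num_accept_env = 0;
+ options->permit_tun = -1;
 
  /* Needs to be accessable in many places */
  use_privsep = -1;
@@ -229,6 +230,8 @@ fill_default_server_options(ServerOptions *options)
  }
  if (options->authorized_keys_file == NULL)
  options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
+ if (options->permit_tun == -1)
+ options->permit_tun = SSH_TUNMODE_NO;
 
  /* Turn privilege separation on by default */
  if (use_privsep == -1)
@@ -270,7 +273,7 @@ typedef enum {
  sBanner, sUseDNS, sHostbasedAuthentication,
  sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
  sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
+ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
  sUsePrivilegeSeparation,
  sDeprecated, sUnsupported
 } ServerOpCodes;
@@ -373,6 +376,7 @@ static struct {
  { "authorizedkeysfile2", sAuthorizedKeysFile2 },
  { "useprivilegeseparation", sUsePrivilegeSeparation},
  { "acceptenv", sAcceptEnv },
+ { "permittunnel", sPermitTunnel },
  { NULL, sBadOption }
 };
 
@@ -962,6 +966,28 @@ parse_flag:
  }
  break;
 
+ case sPermitTunnel:
+ intptr = &options->permit_tun;
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: Missing yes/point-to-point/"
+ "ethernet/no argument.", filename, linenum);
+ value = 0; /* silence compiler */
+ if (strcasecmp(arg, "ethernet") == 0)
+ value = SSH_TUNMODE_ETHERNET;
+ else if (strcasecmp(arg, "point-to-point") == 0)
+ value = SSH_TUNMODE_POINTOPOINT;
+ else if (strcasecmp(arg, "yes") == 0)
+ value = SSH_TUNMODE_YES;
+ else if (strcasecmp(arg, "no") == 0)
+ value = SSH_TUNMODE_NO;
+ else
+ fatal("%s line %d: Bad yes/point-to-point/ethernet/"
+ "no argument: %s", filename, linenum, arg);
+ if (*intptr == -1)
+ *intptr = value;
+ break;
+
  case sDeprecated:
  logit("%s line %d: Deprecated option %s",
  filename, linenum, arg);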
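Review bot: In the new `sPermitTunnel` case (new lines 969-989) the guard `if (*intptr == -1)` makes the first PermitTunnel line win and silently drops any later one, and nothing in the case says so. An administrator who appends `PermitTunnel no` below an earlier `PermitTunnel yes` would keep tunnel forwarding enabled without any warning. I would add a comment above the assignment, for example `/* first occurrence wins; later PermitTunnel lines are ignored */`. The enclosing parser function starts and ends outside the hunk, so whether the other options follow the same first-match rule cannot be confirmed from here.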
diff --git a/servconf.h b/servconf.h
index f7e56d521..ab82c8f57 100644
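--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.71 2004/12/23 23:11:00 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.72 2005/12/06 22:38:27 reyk Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -133,7 +133,10 @@ typedef struct {
 
  char *authorized_keys_file; /* File containing public keys */
  char *authorized_keys_file2;
+
  int use_pam; /* Enable auth via PAM */
+
+ int permit_tun;
 } ServerOptions;
 
 void initialize_server_options(ServerOptions *);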
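Review bot: The new member `int permit_tun;` has no comment, and its value is not a plain yes/no flag. On this page servconf.c stores one of the SSH_TUNMODE_* constants in it (with -1 meaning unset), and serverloop.c tests it with `options.permit_tun & mode`, so it is read as a mask. I would document that at the declaration: `int permit_tun; /* permitted tunnel modes (SSH_TUNMODE_* mask), -1 while unset */`. The struct definition begins outside the hunk.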
diff --git a/serverloop.c b/serverloop.c
index 031847873..f72b73bf8 100644
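--- a/serverloop.c
+++ b/serverloop.c
@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.118 2005/07/17 07:17:55 djm Exp $");
+RCSID("$OpenBSD: serverloop.c,v 1.124 2005/12/13 15:03:02 reyk Exp $");
 
 #include "xmalloc.h"
 #include "packet.h"
@@ -61,6 +61,7 @@ extern ServerOptions options;
 /* XXX */
 extern Kex *xxx_kex;
 extern Authctxt *the_authctxt;
+extern int use_privsep;
 
 static Buffer stdin_buffer; /* Buffer for stdin data. */
 static Buffer stdout_buffer; /* Buffer for stdout data. */
@@ -90,6 +91,9 @@ static int client_alive_timeouts = 0;
 
 static volatile sig_atomic_t child_terminated = 0; /* The child has terminated. */
 
+/* Cleanup on signals (!use_privsep case only) */
+static volatile sig_atomic_t received_sigterm = 0;
+
 /* prototypes */
 static void server_init_dispatch(void);
 
@@ -151,6 +155,12 @@ sigchld_handler(int sig)
  errno = save_errno;
 }
 
+static void
+sigterm_handler(int sig)
+{
+ received_sigterm = sig;
+}
+
 /*
  * Make packets from buffered stderr data, and buffer it for sending
  * to the client.
@@ -502,6 +512,12 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
  child_terminated = 0;
  mysignal(SIGCHLD, sigchld_handler);
 
+ if (!use_privsep) {
+ signal(SIGTERM, sigterm_handler);
+ signal(SIGINT, sigterm_handler);
+ signal(SIGQUIT, sigterm_handler);
+ }
+
  /* Initialize our global variables. */
  fdin = fdin_arg;
  fdout = fdout_arg;
@@ -548,7 +564,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
  * If we have no separate fderr (which is the case when we have a pty
  * - there we cannot make difference between data sent to stdout and
  * stderr), indicate that we have seen an EOF from stderr. This way
- * we don\'t need to check the descriptor everywhere.
+ * we don't need to check the descriptor everywhere.
  */
  if (fderr == -1)
  fderr_eof = 1;
@@ -629,6 +645,12 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
  wait_until_can_do_something(&readset, &writeset, &max_fd,
  &nalloc, max_time_milliseconds);
 
+ if (received_sigterm) {
+ logit("Exiting on signal %d", received_sigterm);
+ /* Clean up sessions, utmp, etc. */
+ cleanup_exit(255);
+ }
+
  /* Process any channel events. */
  channel_after_select(readset, writeset);
 
@@ -749,6 +771,12 @@ server_loop2(Authctxt *authctxt)
  connection_in = packet_get_connection_in();
  connection_out = packet_get_connection_out();
 
+ if (!use_privsep) {
+ signal(SIGTERM, sigterm_handler);
+ signal(SIGINT, sigterm_handler);
+ signal(SIGQUIT, sigterm_handler);
+ }
+
  notify_setup();
 
  max_fd = MAX(connection_in, connection_out);
@@ -766,6 +794,12 @@ server_loop2(Authctxt *authctxt)
  wait_until_can_do_something(&readset, &writeset, &max_fd,
  &nalloc, 0);
 
+ if (received_sigterm) {
+ logit("Exiting on signal %d", received_sigterm);
+ /* Clean up sessions, utmp, etc. */
+ cleanup_exit(255);
+ }
+
  collect_children();
  if (!rekeying) {
  channel_after_select(readset, writeset);
@@ -880,6 +914,52 @@ server_request_direct_tcpip(void)
 }
 
 static Channel *
+server_request_tun(void)
+{
+ Channel *c = NULL;
+ int mode, tun;
+ int sock;
+
+ mode = packet_get_int();
+ switch (mode) {
+ case SSH_TUNMODE_POINTOPOINT:
+ case SSH_TUNMODE_ETHERNET:
+ break;
+ default:
+ packet_send_debug("Unsupported tunnel device mode.");
+ return NULL;
+ }
+ if ((options.permit_tun & mode) == 0) {
+ packet_send_debug("Server has rejected tunnel device "
+ "forwarding");
+ return NULL;
+ }
+
+ tun = packet_get_int();
+ if (forced_tun_device != -1) {
+ if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
+ goto done;
+ tun = forced_tun_device;
+ }
+ sock = tun_open(tun, mode);
+ if (sock < 0)
+ goto done;
+ c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+ c->datagram = 1;
+#if defined(SSH_TUN_FILTER)
+ if (mode == SSH_TUNMODE_POINTOPOINT)
+ channel_register_filter(c->self, sys_tun_infilter,
+ sys_tun_outfilter);
+#endif
+
+ done:
+ if (c == NULL)
+ packet_send_debug("Failed to open the tunnel device.");
+ return c;
+}
+
+static Channel *
 server_request_session(void)
 {
  Channel *c;
@@ -900,7 +980,7 @@ server_request_session(void)
  channel_free(c);
  return NULL;
  }
- channel_register_cleanup(c->self, session_close_by_channel);
+ channel_register_cleanup(c->self, session_close_by_channel, 0);
  return c;
 }
 
@@ -924,6 +1004,8 @@ server_input_channel_open(int type, u_int32_t seq, void *ctxt)
  c = server_request_session();
  } else if (strcmp(ctype, "direct-tcpip") == 0) {
  c = server_request_direct_tcpip();
+ } else if (strcmp(ctype, "tun@openssh.com") == 0) {
+ c = server_request_tun();
  }
  if (c != NULL) {
  debug("server_input_channel_open: confirm %s", ctype);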
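Review bot: `server_request_tun` (new lines 917-960) reports every refusal only to the client through `packet_send_debug`, so the server's own log records nothing when a tunnel request is denied by `options.permit_tun`, rejected for a `forced_tun_device` mismatch, or fails in `tun_open`. Ethernet and point-to-point tunnel devices are a significant capability to hand to a client, so refused and granted requests both deserve an audit trail. I would add a server-side line on each path, for example `logit("Tunnel forwarding denied: mode %d not permitted", mode);` before the second `return NULL`, and a matching `logit` naming `tun` and `mode` once `channel_new` has returned. The forced-device mismatch also falls through to the `done:` text "Failed to open the tunnel device.", which misdescribes a policy rejection to whoever reads the client's debug output.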
diff --git a/session.c b/session.c
index fb719d42a..daad03929 100644
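--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.186 2005/07/25 11:59:40 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.191 2005/12/24 02:27:41 djm Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -211,15 +211,6 @@ do_authenticated(Authctxt *authctxt)
 {
  setproctitle("%s", authctxt->pw->pw_name);
 
- /*
- * Cancel the alarm we set to limit the time taken for
- * authentication.
- */
- alarm(0);
- if (startup_pipe != -1) {
- close(startup_pipe);
- startup_pipe = -1;
- }
  /* setup the channel layer */
  if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
  channel_permit_all_opens();
@@ -1423,7 +1414,7 @@ child_close_fds(void)
  endpwent();
 
  /*
- * Close any extra open file descriptors so that we don\'t have them
+ * Close any extra open file descriptors so that we don't have them
  * hanging around in clients. Note that we want to do this after
  * initgroups, because at least on Solaris 2.3 it leaves file
  * descriptors open.
@@ -1475,7 +1466,9 @@ do_child(Session *s, const char *command)
  if (!check_quietlogin(s, command))
  do_motd();
 #else /* HAVE_OSF_SIA */
- do_nologin(pw);
+ /* When PAM is enabled we rely on it to do the nologin check */
+ if (!options.use_pam)
+ do_nologin(pw);
  do_setusercontext(pw);
  /*
  * PAM session modules in do_setusercontext may have
@@ -1556,7 +1549,7 @@ do_child(Session *s, const char *command)
  }
 #endif
 
- /* Change current directory to the user\'s home directory. */
+ /* Change current directory to the user's home directory. */
  if (chdir(pw->pw_dir) < 0) {
  fprintf(stderr, "Could not chdir to home directory %s: %s\n",
  pw->pw_dir, strerror(errno));
@@ -1871,7 +1864,7 @@ session_x11_req(Session *s)
 
  if (s->auth_proto != NULL || s->auth_data != NULL) {
  error("session_x11_req: session %d: "
- "x11 fowarding already active", s->self);
+ "x11 forwarding already active", s->self);
  return 0;
  }
  s->single_connection = packet_get_char();
@@ -2103,7 +2096,7 @@ session_close_x11(int id)
 {
  Channel *c;
 
- if ((c = channel_lookup(id)) == NULL) {
+ if ((c = channel_by_id(id)) == NULL) {
  debug("session_close_x11: x11 channel %d missing", id);
  } else {
  /* Detach X11 listener */
@@ -2158,7 +2151,6 @@ static void
 session_exit_message(Session *s, int status)
 {
  Channel *c;
- u_int i;
 
  if ((c = channel_lookup(s->chanid)) == NULL)
  fatal("session_exit_message: session %d: no channel %d",
@@ -2188,7 +2180,14 @@ session_exit_message(Session *s, int status)
 
  /* disconnect channel */
  debug("session_exit_message: release channel %d", s->chanid);
- channel_cancel_cleanup(s->chanid);
+
+ /*
+ * Adjust cleanup callback attachment to send close messages when
+ * the channel gets EOF. The session will be then be closed
+ * by session_close_by_channel when the childs close their fds.
+ */
+ channel_register_cleanup(c->self, session_close_by_channel, 1);
+
  /*
  * emulate a write failure with 'chan_write_failed', nobody will be
  * interested in data we write.
@@ -2197,15 +2196,6 @@ session_exit_message(Session *s, int status)
  */
  if (c->ostate != CHAN_OUTPUT_CLOSED)
  chan_write_failed(c);
- s->chanid = -1;
-
- /* Close any X11 listeners associated with this session */
- if (s->x11_chanids != NULL) {
- for (i = 0; s->x11_chanids[i] != -1; i++) {
- session_close_x11(s->x11_chanids[i]);
- s->x11_chanids[i] = -1;
- }
- }
 }
 
 void
@@ -2249,7 +2239,9 @@ session_close_by_pid(pid_t pid, int status)
  }
  if (s->chanid != -1)
  session_exit_message(s, status);
- session_close(s);
+ if (s->ttyfd != -1)
+ session_pty_cleanup(s);
+ s->pid = 0;
 }
 
 /*
@@ -2260,6 +2252,7 @@ void
 session_close_by_channel(int id, void *arg)
 {
  Session *s = session_by_channel(id);
+ u_int i;
 
  if (s == NULL) {
  debug("session_close_by_channel: no session for id %d", id);
@@ -2279,6 +2272,15 @@ session_close_by_channel(int id, void *arg)
  }
  /* detach by removing callback */
  channel_cancel_cleanup(s->chanid);
+
+ /* Close any X11 listeners associated with this session */
+ if (s->x11_chanids != NULL) {
+ for (i = 0; s->x11_chanids[i] != -1; i++) {
+ session_close_x11(s->x11_chanids[i]);
+ s->x11_chanids[i] = -1;
+ }
+ }
+
  s->chanid = -1;
  session_close(s);
 }
@@ -2373,7 +2375,7 @@ session_setup_x11fwd(Session *s)
  }
  for (i = 0; s->x11_chanids[i] != -1; i++) {
  channel_register_cleanup(s->x11_chanids[i],
- session_close_single_x11);
+ session_close_single_x11, 0);
  }
 
  /* Set up a suitable value for the DISPLAY variable. */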
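Review bot: In `do_child` (new lines 1469-1471) the nologin check is now skipped whenever `options.use_pam` is set, so enforcement depends entirely on the PAM configuration carrying an equivalent account check. If the sshd PAM stack has no such module, logins that `do_nologin(pw)` used to refuse would presumably be admitted; the hunk alone cannot confirm this. The comment should name the dependency so that packagers verify it, for example `/* With PAM, nologin is enforced by the PAM account stack (e.g. pam_nologin); it must be configured there */`. `do_child` starts and ends outside the hunk.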
diff --git a/sftp-client.c b/sftp-client.c
index afbd1e6f3..05bce3368 100644
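--- a/sftp-client.c
+++ b/sftp-client.c
@@ -20,7 +20,7 @@
 /* XXX: copy between two remote sites */
 
 #include "includes.h"
-RCSID("$OpenBSD: sftp-client.c,v 1.57 2005/07/27 10:39:03 dtucker Exp $");
+RCSID("$OpenBSD: sftp-client.c,v 1.58 2006/01/02 01:20:31 djm Exp $");
 
 #include "openbsd-compat/sys-queue.h"
 
@@ -42,9 +42,6 @@ extern int showprogress;
 /* Minimum amount of data to read at at time */
 #define MIN_READ_SIZE 512
 
-/* Maximum packet size */
-#define MAX_MSG_LENGTH (256 * 1024)
-
 struct sftp_conn {
  int fd_in;
  int fd_out;
@@ -59,7 +56,7 @@ send_msg(int fd, Buffer *m)
 {
  u_char mlen[4];
 
- if (buffer_len(m) > MAX_MSG_LENGTH)
+ if (buffer_len(m) > SFTP_MAX_MSG_LENGTH)
  fatal("Outbound message too long %u", buffer_len(m));
 
  /* Send length first */
@@ -87,7 +84,7 @@ get_msg(int fd, Buffer *m)
  }
 
  msg_len = buffer_get_int(m);
- if (msg_len > MAX_MSG_LENGTH)
+ if (msg_len > SFTP_MAX_MSG_LENGTH)
  fatal("Received message too long %u", msg_len);
 
  buffer_append_space(m, msg_len);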
diff --git a/sftp-common.h b/sftp-common.h
index b42ba9140..2b1995a2d 100644
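--- a/sftp-common.h
+++ b/sftp-common.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-common.h,v 1.5 2003/11/10 16:23:41 jakob Exp $ */
+/* $OpenBSD: sftp-common.h,v 1.6 2006/01/02 01:20:31 djm Exp $ */
 
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -25,6 +25,9 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+/* Maximum packet that we are willing to send/accept */
+#define SFTP_MAX_MSG_LENGTH (256 * 1024)
+
 typedef struct Attrib Attrib;
 
 /* File attributes */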
diff --git a/sftp-server.0 b/sftp-server.0
index 285ff706e..5367b5fdb 100644
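--- a/sftp-server.0
+++ b/sftp-server.0
@@ -24,4 +24,4 @@ AUTHORS
 HISTORY
  sftp-server first appeared in OpenBSD 2.8 .
 
-OpenBSD 3.8 August 30, 2000 1
+OpenBSD 3.9 August 30, 2000 1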
diff --git a/sftp-server.c b/sftp-server.c
index 6870e7732..7060c44ad 100644
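--- a/sftp-server.c
+++ b/sftp-server.c
@@ -14,13 +14,14 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: sftp-server.c,v 1.48 2005/06/17 02:44:33 djm Exp $");
+RCSID("$OpenBSD: sftp-server.c,v 1.50 2006/01/02 01:20:31 djm Exp $");
 
 #include "buffer.h"
 #include "bufaux.h"
 #include "getput.h"
 #include "log.h"
 #include "xmalloc.h"
+#include "misc.h"
 
 #include "sftp.h"
 #include "sftp-common.h"
@@ -427,7 +428,7 @@ process_read(void)
  len = get_int();
 
  TRACE("read id %u handle %d off %llu len %d", id, handle,
- (u_int64_t)off, len);
+ (unsigned long long)off, len);
  if (len > sizeof buf) {
  len = sizeof buf;
  logit("read change len %d", len);
@@ -468,7 +469,7 @@ process_write(void)
  data = get_string(&len);
 
  TRACE("write id %u handle %d off %llu len %d", id, handle,
- (u_int64_t)off, len);
+ (unsigned long long)off, len);
  fd = handle_to_fd(handle);
  if (fd >= 0) {
  if (lseek(fd, off, SEEK_SET) < 0) {
@@ -945,7 +946,7 @@ process(void)
  return; /* Incomplete message. */
  cp = buffer_ptr(&iqueue);
  msg_len = GET_32BIT(cp);
- if (msg_len > 256 * 1024) {
+ if (msg_len > SFTP_MAX_MSG_LENGTH) {
  error("bad message ");
  exit(11);
  }
@@ -1036,6 +1037,9 @@ main(int ac, char **av)
  int in, out, max;
  ssize_t len, olen, set_size;
 
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
  /* XXX should use getopt */
 
  __progname = ssh_get_progname(av[0]);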
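Review bot: In `process()` (new lines 949-952) the oversized-length branch still logs only `error("bad message ");` before `exit(11)`, so the server log never shows what length the peer claimed. The client-side `get_msg` on this page already reports it with `fatal("Received message too long %u", msg_len)`; the server should match, e.g. `error("bad message: length %u", msg_len);`. That format assumes `msg_len` is an unsigned int as in sftp-client.c, because its declaration lies outside the hunk. Recording the value helps an operator tell a corrupted stream from a peer deliberately probing the limit.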
diff --git a/sftp.0 b/sftp.0
index 1205c437b..77ab78d96 100644
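--- a/sftp.0
+++ b/sftp.0
@@ -25,8 +25,8 @@ DESCRIPTION
  The third usage format allows sftp to start in a remote directory.
 
  The final usage format allows for automated sessions using the -b option.
- In such cases, it is usually necessary to configure public key authenti-
- cation to obviate the need to enter a password at connection time (see
+ In such cases, it is necessary to configure non-interactive authentica-
+ tion to obviate the need to enter a password at connection time (see
  sshd(8) and ssh-keygen(1) for details). The options are as follows:
 
  -1 Specify the use of protocol version 1.
@@ -96,6 +96,7 @@ DESCRIPTION
  Protocol
  ProxyCommand
  PubkeyAuthentication
+ RekeyLimit
  RhostsRSAAuthentication
  RSAAuthentication
  SendEnv
@@ -262,4 +263,4 @@ SEE ALSO
  T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
  filexfer-00.txt, January 2001, work in progress material.
 
-OpenBSD 3.8 February 4, 2001 4
+OpenBSD 3.9 February 4, 2001 4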
diff --git a/sftp.1 b/sftp.1
index c89ffc30f..47aafa89e 100644
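--- a/sftp.1
+++ b/sftp.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp.1,v 1.61 2005/03/01 17:19:35 jmc Exp $
+.\" $OpenBSD: sftp.1,v 1.63 2006/01/20 00:14:55 dtucker Exp $
 .\"
 .\" Copyright (c) 2001 Damien Miller. All rights reserved.
 .\"
@@ -78,7 +78,7 @@ to start in a remote directory.
 The final usage format allows for automated sessions using the
 .Fl b
 option.
-In such cases, it is usually necessary to configure public key authentication
+In such cases, it is necessary to configure non-interactive authentication
 to obviate the need to enter a password at connection time (see
 .Xr sshd 8
 and
@@ -180,6 +180,7 @@ For full details of the options listed below, and their possible values, see
 .It Protocol
 .It ProxyCommand
 .It PubkeyAuthentication
+.It RekeyLimit
 .It RhostsRSAAuthentication
 .It RSAAuthentication
 .It SendEnv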
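--- a/sftp.c
+++ b/sftp.c
@@ -16,7 +16,7 @@
 
 #include "includes.h"
 
-RCSID("$OpenBSD: sftp.c,v 1.66 2005/08/08 13:22:48 jaredy Exp $");
+RCSID("$OpenBSD: sftp.c,v 1.70 2006/01/31 10:19:02 djm Exp $");
 
 #ifdef USE_LIBEDIT
 #include <histedit.h>
@@ -697,6 +697,8 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
  }
 
  if (lflag & SORT_FLAGS) {
+ for (n = 0; d[n] != NULL; n++)
+ ; /* count entries */
  sort_flag = lflag & (SORT_FLAGS|LS_REVERSE_SORT);
  qsort(d, n, sizeof(*d), sdirent_comp);
  }
@@ -1447,11 +1449,16 @@ main(int argc, char **argv)
  extern int optind;
  extern char *optarg;
 
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
  __progname = ssh_get_progname(argv[0]);
+ memset(&args, '\0', sizeof(args));
  args.list = NULL;
- addargs(&args, "ssh"); /* overwritten with ssh_program */
+ addargs(&args, ssh_program);
  addargs(&args, "-oForwardX11 no");
  addargs(&args, "-oForwardAgent no");
+ addargs(&args, "-oPermitLocalCommand no");
  addargs(&args, "-oClearAllForwardings yes");
 
  ll = SYSLOG_LEVEL_INFO;
@@ -1483,6 +1490,7 @@ main(int argc, char **argv)
  break;
  case 'S':
  ssh_program = optarg;
+ replacearg(&args, 0, "%s", ssh_program);
  break;
  case 'b':
  if (batchmode)
@@ -1559,7 +1567,6 @@ main(int argc, char **argv)
  addargs(&args, "%s", host);
  addargs(&args, "%s", (sftp_server != NULL ?
  sftp_server : "sftp"));
- args.list[0] = ssh_program;
 
  if (!batchmode)
  fprintf(stderr, "Connecting to %s...\n", host);
@@ -1572,6 +1579,7 @@ main(int argc, char **argv)
  fprintf(stderr, "Attaching to %s...\n", sftp_direct);
  connect_to_server(sftp_direct, args.list, &in, &out);
  }
+ freeargs(&args);
 
  err = interactive_loop(in, out, file1, file2);
 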
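Review bot: In main(), the new `addargs(&args, ssh_program);` passes a variable as the format argument of a printf-style helper, while the neighbouring calls such as `addargs(&args, "%s", host);` and the new `replacearg(&args, 0, "%s", ssh_program);` spell out the format. At this point ssh_program presumably still holds its built-in default (its initialiser is outside the hunk), so this is a consistency and hardening point rather than a demonstrated bug. I would write `addargs(&args, "%s", ssh_program);` so that a `%` in the path can never be interpreted as a conversion. main() starts and ends outside the hunks shown.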
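--- a/ssh-add.0
+++ b/ssh-add.0
@@ -99,4 +99,4 @@ AUTHORS
  ated OpenSSH. Markus Friedl contributed the support for SSH protocol
  versions 1.5 and 2.0.
 
-OpenBSD 3.8 September 25, 1999 2
+OpenBSD 3.9 September 25, 1999 2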
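--- a/ssh-add.c
+++ b/ssh-add.c
@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.72 2005/07/17 07:17:55 djm Exp $");
+RCSID("$OpenBSD: ssh-add.c,v 1.74 2005/11/12 18:37:59 deraadt Exp $");
 
 #include <openssl/evp.h>
 
@@ -312,6 +312,9 @@ main(int argc, char **argv)
  char *sc_reader_id = NULL;
  int i, ch, deleting = 0, ret = 0;
 
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
  __progname = ssh_get_progname(argv[0]);
  init_rng();
  seed_rng();
@@ -321,7 +324,8 @@ main(int argc, char **argv)
  /* At first, get a connection to the authentication agent. */
  ac = ssh_get_authentication_connection();
  if (ac == NULL) {
- fprintf(stderr, "Could not open a connection to your authentication agent.\n");
+ fprintf(stderr,
+ "Could not open a connection to your authentication agent.\n");
  exit(2);
  }
  while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {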
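--- a/ssh-agent.0
+++ b/ssh-agent.0
@@ -19,7 +19,7 @@ DESCRIPTION
 
  -a bind_address
  Bind the agent to the unix-domain socket bind_address. The de-
- fault is /tmp/ssh-XXXXXXXX/agent.<ppid>.
+ fault is /tmp/ssh-XXXXXXXXXX/agent.<ppid>.
 
  -c Generate C-shell commands on stdout. This is the default if
  SHELL looks like it's a csh style of shell.
@@ -33,9 +33,9 @@ DESCRIPTION
  -t life
  Set a default value for the maximum lifetime of identities added
  to the agent. The lifetime may be specified in seconds or in a
- time format specified in sshd(8). A lifetime specified for an
- identity with ssh-add(1) overrides this value. Without this op-
- tion the default maximum lifetime is forever.
+ time format specified in sshd_config(5). A lifetime specified
+ for an identity with ssh-add(1) overrides this value. Without
+ this option the default maximum lifetime is forever.
 
  -d Debug mode. When this option is specified ssh-agent will not
  fork.
@@ -98,7 +98,7 @@ FILES
  Contains the protocol version 2 RSA authentication identity of
  the user.
 
- /tmp/ssh-XXXXXXXX/agent.<ppid>
+ /tmp/ssh-XXXXXXXXXX/agent.<ppid>
  Unix-domain sockets used to contain the connection to the authen-
  tication agent. These sockets should only be readable by the
  owner. The sockets should get automatically removed when the
@@ -114,4 +114,4 @@ AUTHORS
  ated OpenSSH. Markus Friedl contributed the support for SSH protocol
  versions 1.5 and 2.0.
 
-OpenBSD 3.8 September 25, 1999 2
+OpenBSD 3.9 September 25, 1999 2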
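--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.42 2005/04/21 06:17:50 djm Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.43 2005/11/28 06:02:56 dtucker Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -70,7 +70,7 @@ The options are as follows:
 Bind the agent to the unix-domain socket
 .Ar bind_address .
 The default is
-.Pa /tmp/ssh-XXXXXXXX/agent.<ppid> .
+.Pa /tmp/ssh-XXXXXXXXXX/agent.<ppid> .
 .It Fl c
 Generate C-shell commands on
 .Dv stdout .
@@ -90,7 +90,7 @@ environment variable).
 .It Fl t Ar life
 Set a default value for the maximum lifetime of identities added to the agent.
 The lifetime may be specified in seconds or in a time format specified in
-.Xr sshd 8 .
+.Xr sshd_config 5 .
 A lifetime specified for an identity with
 .Xr ssh-add 1
 overrides this value.
@@ -185,7 +185,7 @@ Contains the protocol version 1 RSA authentication identity of the user.
 Contains the protocol version 2 DSA authentication identity of the user.
 .It Pa ~/.ssh/id_rsa
 Contains the protocol version 2 RSA authentication identity of the user.
-.It Pa /tmp/ssh-XXXXXXXX/agent.<ppid>
+.It Pa /tmp/ssh-XXXXXXXXXX/agent.<ppid>
 Unix-domain sockets used to contain the connection to the
 authentication agent.
 These sockets should only be readable by the owner.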
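--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -35,7 +35,7 @@
 
 #include "includes.h"
 #include "openbsd-compat/sys-queue.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.122 2004/10/29 22:53:56 djm Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.124 2005/10/30 08:52:18 djm Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/md5.h>
@@ -355,7 +355,7 @@ process_remove_identity(SocketEntry *e, int version)
  if (id != NULL) {
  /*
  * We have this key. Free the old key. Since we
- * don\'t want to leave empty slots in the middle of
+ * don't want to leave empty slots in the middle of
  * the array, we actually free the key there and move
  * all the entries between the empty slot and the end
  * of the array.
@@ -1008,6 +1008,9 @@ main(int ac, char **av)
  pid_t pid;
  char pidstrbuf[1 + 3 * sizeof pid];
 
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
  /* drop */
  setegid(getgid());
  setgid(getgid());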
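--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -27,7 +27,9 @@ DESCRIPTION
  ssh-keygen generates, manages and converts authentication keys for
  ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1
  and RSA or DSA keys for use by SSH protocol version 2. The type of key
- to be generated is specified with the -t option.
+ to be generated is specified with the -t option. If invoked without any
+ arguments, ssh-keygen will generate an RSA key for use in SSH protocol 2
+ connections.
 
  ssh-keygen is also used to generate groups for use in Diffie-Hellman
  group exchange (DH-GEX). See the MODULI GENERATION section for details.
@@ -74,9 +76,10 @@ DESCRIPTION
  file.
 
  -b bits
- Specifies the number of bits in the key to create. Minimum is
- 512 bits. Generally, 2048 bits is considered sufficient. The
- default is 2048 bits.
+ Specifies the number of bits in the key to create. For RSA keys,
+ the minimum size is 768 bits and the default is 2048 bits. Gen-
+ erally, 2048 bits is considered sufficient. DSA keys must be ex-
+ actly 1024 bits as specified by FIPS 186-2.
 
  -C comment
  Provides a new comment.
@@ -282,4 +285,4 @@ AUTHORS
  created OpenSSH. Markus Friedl contributed the support for SSH protocol
  versions 1.5 and 2.0.
 
-OpenBSD 3.8 September 25, 1999 5
+OpenBSD 3.9 September 25, 1999 5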
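--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.69 2005/06/08 03:50:00 djm Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.72 2005/11/28 05:16:53 dtucker Exp $
 .\"
 .\" -*- nroff -*-
 .\"
@@ -118,6 +118,9 @@ keys for use by SSH protocol version 2.
 The type of key to be generated is specified with the
 .Fl t
 option.
+If invoked without any arguments,
+.Nm
+will generate an RSA key for use in SSH protocol 2 connections.
 .Pp
 .Nm
 is also used to generate groups for use in Diffie-Hellman group
@@ -187,9 +190,9 @@ command.
 Show the bubblebabble digest of specified private or public key file.
 .It Fl b Ar bits
 Specifies the number of bits in the key to create.
-Minimum is 512 bits.
+For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
 Generally, 2048 bits is considered sufficient.
-The default is 2048 bits.
+DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
 .It Fl C Ar comment
 Provides a new comment.
 .It Fl c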
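--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.128 2005/07/17 07:17:55 djm Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.135 2005/11/29 02:04:55 dtucker Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@@ -35,8 +35,10 @@ RCSID("$OpenBSD: ssh-keygen.c,v 1.128 2005/07/17 07:17:55 djm Exp $");
 #endif
 #include "dns.h"
 
-/* Number of bits in the RSA/DSA key. This value can be changed on the command line. */
-u_int32_t bits = 2048;
+/* Number of bits in the RSA/DSA key. This value can be set on the command line. */
+#define DEFAULT_BITS 2048
+#define DEFAULT_BITS_DSA 1024
+u_int32_t bits = 0;
 
 /*
  * Flag indicating that we just want to change the passphrase. This can be
@@ -1018,6 +1020,9 @@ main(int ac, char **av)
  extern int optind;
  extern char *optarg;
 
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
  __progname = ssh_get_progname(av[0]);
 
  SSLeay_add_all_algorithms();
@@ -1041,7 +1046,7 @@ main(int ac, char **av)
  "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
  switch (opt) {
  case 'b':
- bits = strtonum(optarg, 512, 32768, &errstr);
+ bits = strtonum(optarg, 768, 32768, &errstr);
  if (errstr)
  fatal("Bits has bad value %s (%s)",
  optarg, errstr);
@@ -1214,8 +1219,10 @@ main(int ac, char **av)
  out_file, strerror(errno));
  return (1);
  }
+ if (bits == 0)
+ bits = DEFAULT_BITS;
  if (gen_candidates(out, memory, bits, start) != 0)
- fatal("modulus candidate generation failed\n");
+ fatal("modulus candidate generation failed");
 
  return (0);
  }
@@ -1238,21 +1245,24 @@ main(int ac, char **av)
  out_file, strerror(errno));
  }
  if (prime_test(in, out, trials, generator_wanted) != 0)
- fatal("modulus screening failed\n");
+ fatal("modulus screening failed");
  return (0);
  }
 
  arc4random_stir();
 
- if (key_type_name == NULL) {
- printf("You must specify a key type (-t).\n");
- usage();
- }
+ if (key_type_name == NULL)
+ key_type_name = "rsa";
+
  type = key_type_from_name(key_type_name);
  if (type == KEY_UNSPEC) {
  fprintf(stderr, "unknown key type %s\n", key_type_name);
  exit(1);
  }
+ if (bits == 0)
+ bits = (type == KEY_DSA) ? DEFAULT_BITS_DSA : DEFAULT_BITS;
+ if (type == KEY_DSA && bits != 1024)
+ fatal("DSA keys must be 1024 bits");
  if (!quiet)
  printf("Generating public/private %s key pair.\n", key_type_name);
  private = key_generate(type, bits);
@@ -1265,7 +1275,7 @@ main(int ac, char **av)
  if (!have_identity)
  ask_filename(pw, "Enter file in which to save the key");
 
- /* Create ~/.ssh directory if it doesn\'t already exist. */
+ /* Create ~/.ssh directory if it doesn't already exist. */
  snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", pw->pw_dir, _PATH_SSH_USER_DIR);
  if (strstr(identity_file, dotsshdir) != NULL &&
  stat(dotsshdir, &st) < 0) {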
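Review bot: The DSA size check in main() compares against a literal, `if (type == KEY_DSA && bits != 1024)`, one line after the default is taken from `DEFAULT_BITS_DSA`, so the two values can drift apart if the define is ever changed. I would write `if (type == KEY_DSA && bits != DEFAULT_BITS_DSA)`. The comment above `u_int32_t bits = 0;` should also record that 0 now means "-b was not given", for example `/* Number of bits in the RSA/DSA key; 0 = not set on the command line, default chosen per key type. */`. main() extends beyond the hunks shown.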
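--- a/ssh-keyscan.0
+++ b/ssh-keyscan.0
@@ -94,9 +94,9 @@ SEE ALSO
  ssh(1), sshd(8)
 
 AUTHORS
- David Mazieres <dm@lcs.mit.edu> wrote the initial version, and
- Wayne Davison <wayned@users.sourceforge.net> added support for protocol
- version 2.
+ David Mazieres <dm@lcs.mit.edu> wrote the initial version, and Wayne
+ Davison <wayned@users.sourceforge.net> added support for protocol version
+ 2.
 
 BUGS
  It generates "Connection closed by remote host" messages on the consoles
@@ -104,4 +104,4 @@ BUGS
  This is because it opens a connection to the ssh port, reads the public
  key, and drops the connection as soon as it gets the key.
 
-OpenBSD 3.8 January 1, 1996 2
+OpenBSD 3.9 January 1, 1996 2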
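--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keyscan.1,v 1.20 2005/03/01 15:47:14 jmc Exp $
+.\" $OpenBSD: ssh-keyscan.1,v 1.21 2005/09/30 20:34:26 jaredy Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 .\"
@@ -156,6 +156,7 @@ $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e
 .Xr ssh 1 ,
 .Xr sshd 8
 .Sh AUTHORS
+.An -nosplit
 .An David Mazieres Aq dm@lcs.mit.edu
 wrote the initial version, and
 .An Wayne Davison Aq wayned@users.sourceforge.net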
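--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -7,7 +7,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keyscan.c,v 1.55 2005/06/17 02:44:33 djm Exp $");
+RCSID("$OpenBSD: ssh-keyscan.c,v 1.57 2005/10/30 04:01:03 djm Exp $");
 
 #include "openbsd-compat/sys-queue.h"
 
@@ -499,12 +499,18 @@ congreet(int s)
  size_t bufsiz;
  con *c = &fdcon[s];
 
- bufsiz = sizeof(buf);
- cp = buf;
- while (bufsiz-- && (n = atomicio(read, s, cp, 1)) == 1 && *cp != '\n') {
- if (*cp == '\r')
- *cp = '\n';
- cp++;
+ for (;;) {
+ memset(buf, '\0', sizeof(buf));
+ bufsiz = sizeof(buf);
+ cp = buf;
+ while (bufsiz-- &&
+ (n = atomicio(read, s, cp, 1)) == 1 && *cp != '\n') {
+ if (*cp == '\r')
+ *cp = '\n';
+ cp++;
+ }
+ if (n != 1 || strncmp(buf, "SSH-", 4) == 0)
+ break;
  }
  if (n == 0) {
  switch (errno) {
@@ -712,6 +718,9 @@ main(int argc, char **argv)
  seed_rng();
  TAILQ_INIT(&tq);
 
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
  if (argc <= 1)
  usage();
 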
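Review bot: The new `for (;;)` in congreet() keeps reading lines until one begins with `SSH-` or a read fails, and nothing limits how many pre-banner lines the remote end may send. The peer is untrusted, so a host that never sends a banner can keep this connection busy for as long as it keeps sending data, unless a timeout outside the hunk bounds it. I would cap the loop, for example `for (i = 0; i < MAX_PRE_BANNER_LINES; i++) {` (the constant name is a placeholder), and treat hitting the cap like a missing banner. congreet() continues past the hunk, so how `buf` is used after the loop is not visible here.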
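--- a/ssh-keysign.0
+++ b/ssh-keysign.0
@@ -39,4 +39,4 @@ HISTORY
 AUTHORS
  Markus Friedl <markus@openbsd.org>
 
-OpenBSD 3.8 May 24, 2002 1
+OpenBSD 3.9 May 24, 2002 1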
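--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -22,7 +22,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keysign.c,v 1.18 2004/08/23 14:29:23 dtucker Exp $");
+RCSID("$OpenBSD: ssh-keysign.c,v 1.19 2005/09/13 23:40:07 djm Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/rand.h>
@@ -148,6 +148,13 @@ main(int argc, char **argv)
  u_int slen, dlen;
  u_int32_t rnd[256];
 
+ /* Ensure that stdin and stdout are connected */
+ if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2)
+ exit(1);
+ /* Leave /dev/null fd iff it is attached to stderr */
+ if (fd > 2)
+ close(fd);
+
  key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
  key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
 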
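Review bot: The comment `/* Ensure that stdin and stdout are connected */` in main() does not say why this program exits instead of calling sanitise_stdfd() as the other tools in this commit do. Judging from the lines that follow, the reason appears to be that the host key files are opened next, and with fd 0 or 1 closed one of those opens would land on a standard descriptor. I would extend the comment to `/* Refuse to run if fd 0 or 1 is closed (or /dev/null cannot be opened): the host key opens below must not land on stdin/stdout */`. main() starts and ends outside the hunk.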
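--- a/ssh-rand-helper.0
+++ b/ssh-rand-helper.0
@@ -46,4 +46,4 @@ AUTHORS
 SEE ALSO
  ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)
 
-OpenBSD 3.8 April 14, 2002 1
+OpenBSD 3.9 April 14, 2002 1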
diff --git a/ssh.0 b/ssh.0
index 274fab8b5..83c4b94eb 100644
--- a/ssh.0
+++ b/ssh.0
@@ -5,208 +5,26 @@ NAME
5 5
6SYNOPSIS 6SYNOPSIS
7 ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] 7 ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
8 [-D port] [-e escape_char] [-F configfile] [-i identity_file] 8 [-D [bind_address:]port] [-e escape_char] [-F configfile]
9 [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] 9 [-i identity_file] [-L [bind_address:]port:host:hostport]
10 [-O ctl_cmd] [-o option] [-p port] 10 [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
11 [-R [bind_address:]port:host:hostport] [-S ctl_path] [user@]hostname 11 [-R [bind_address:]port:host:hostport] [-S ctl_path]
12 [command] 12 [-w tunnel:tunnel] [user@]hostname [command]
13 13
14DESCRIPTION 14DESCRIPTION
15 ssh (SSH client) is a program for logging into a remote machine and for 15 ssh (SSH client) is a program for logging into a remote machine and for
16 executing commands on a remote machine. It is intended to replace rlogin 16 executing commands on a remote machine. It is intended to replace rlogin
17 and rsh, and provide secure encrypted communications between two untrust- 17 and rsh, and provide secure encrypted communications between two untrust-
18 ed hosts over an insecure network. X11 connections and arbitrary TCP/IP 18 ed hosts over an insecure network. X11 connections and arbitrary TCP
19 ports can also be forwarded over the secure channel. 19 ports can also be forwarded over the secure channel.
20 20
21 ssh connects and logs into the specified hostname (with optional user 21 ssh connects and logs into the specified hostname (with optional user
22 name). The user must prove his/her identity to the remote machine using 22 name). The user must prove his/her identity to the remote machine using
23 one of several methods depending on the protocol version used. 23 one of several methods depending on the protocol version used (see be-
24 low).
24 25
25 If command is specified, command is executed on the remote host instead 26 If command is specified, it is executed on the remote host instead of a
26 of a login shell. 27 login shell.
27
28 SSH protocol version 1
29 The first authentication method is the rhosts or hosts.equiv method com-
30 bined with RSA-based host authentication. If the machine the user logs
31 in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote
32 machine, and the user names are the same on both sides, or if the files
33 ~/.rhosts or ~/.shosts exist in the user's home directory on the remote
34 machine and contain a line containing the name of the client machine and
35 the name of the user on that machine, the user is considered for log in.
36 Additionally, if the server can verify the client's host key (see
37 /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts in the FILES section),
38 only then is login permitted. This authentication method closes security
39 holes due to IP spoofing, DNS spoofing and routing spoofing. [Note to
40 the administrator: /etc/hosts.equiv, ~/.rhosts, and the rlogin/rsh proto-
41 col in general, are inherently insecure and should be disabled if securi-
42 ty is desired.]
43
44 As a second authentication method, ssh supports RSA based authentication.
45 The scheme is based on public-key cryptography: there are cryptosystems
46 where encryption and decryption are done using separate keys, and it is
47 not possible to derive the decryption key from the encryption key. RSA
48 is one such system. The idea is that each user creates a public/private
49 key pair for authentication purposes. The server knows the public key,
50 and only the user knows the private key.
51
52 The file ~/.ssh/authorized_keys lists the public keys that are permitted
53 for logging in. When the user logs in, the ssh program tells the server
54 which key pair it would like to use for authentication. The server
55 checks if this key is permitted, and if so, sends the user (actually the
56 ssh program running on behalf of the user) a challenge, a random number,
57 encrypted by the user's public key. The challenge can only be decrypted
58 using the proper private key. The user's client then decrypts the chal-
59 lenge using the private key, proving that he/she knows the private key
60 but without disclosing it to the server.
61
62 ssh implements the RSA authentication protocol automatically. The user
63 creates his/her RSA key pair by running ssh-keygen(1). This stores the
64 private key in ~/.ssh/identity and stores the public key in
65 ~/.ssh/identity.pub in the user's home directory. The user should then
66 copy the identity.pub to ~/.ssh/authorized_keys in his/her home directory
67 on the remote machine (the authorized_keys file corresponds to the con-
68 ventional ~/.rhosts file, and has one key per line, though the lines can
69 be very long). After this, the user can log in without giving the pass-
70 word.
71
72 The most convenient way to use RSA authentication may be with an authen-
73 tication agent. See ssh-agent(1) for more information.
74
75 If other authentication methods fail, ssh prompts the user for a pass-
76 word. The password is sent to the remote host for checking; however,
77 since all communications are encrypted, the password cannot be seen by
78 someone listening on the network.
79
80 SSH protocol version 2
81 When a user connects using protocol version 2, similar authentication
82 methods are available. Using the default values for
83 PreferredAuthentications, the client will try to authenticate first using
84 the hostbased method; if this method fails, public key authentication is
85 attempted, and finally if this method fails, keyboard-interactive and
86 password authentication are tried.
87
88 The public key method is similar to RSA authentication described in the
89 previous section and allows the RSA or DSA algorithm to be used: The
90 client uses his private key, ~/.ssh/id_dsa or ~/.ssh/id_rsa, to sign the
91 session identifier and sends the result to the server. The server checks
92 whether the matching public key is listed in ~/.ssh/authorized_keys and
93 grants access if both the key is found and the signature is correct. The
94 session identifier is derived from a shared Diffie-Hellman value and is
95 only known to the client and the server.
96
97 If public key authentication fails or is not available, a password can be
98 sent encrypted to the remote host to prove the user's identity.
99
100 Additionally, ssh supports hostbased or challenge response authentica-
101 tion.
102
103 Protocol 2 provides additional mechanisms for confidentiality (the traf-
104 fic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour) and in-
105 tegrity (hmac-md5, hmac-sha1, hmac-ripemd160). Note that protocol 1
106 lacks a strong mechanism for ensuring the integrity of the connection.
107
108 Login session and remote execution
109 When the user's identity has been accepted by the server, the server ei-
110 ther executes the given command, or logs into the machine and gives the
111 user a normal shell on the remote machine. All communication with the
112 remote command or shell will be automatically encrypted.
113
114 If a pseudo-terminal has been allocated (normal login session), the user
115 may use the escape characters noted below.
116
117 If no pseudo-tty has been allocated, the session is transparent and can
118 be used to reliably transfer binary data. On most systems, setting the
119 escape character to ``none'' will also make the session transparent even
120 if a tty is used.
121
122 The session terminates when the command or shell on the remote machine
123 exits and all X11 and TCP/IP connections have been closed. The exit sta-
124 tus of the remote program is returned as the exit status of ssh.
125
126 Escape Characters
127 When a pseudo-terminal has been requested, ssh supports a number of func-
128 tions through the use of an escape character.
129
130 A single tilde character can be sent as ~~ or by following the tilde by a
131 character other than those described below. The escape character must
132 always follow a newline to be interpreted as special. The escape charac-
133 ter can be changed in configuration files using the EscapeChar configura-
134 tion directive or on the command line by the -e option.
135
136 The supported escapes (assuming the default `~') are:
137
138 ~. Disconnect.
139
140 ~^Z Background ssh.
141
142 ~# List forwarded connections.
143
144 ~& Background ssh at logout when waiting for forwarded connection /
145 X11 sessions to terminate.
146
147 ~? Display a list of escape characters.
148
149 ~B Send a BREAK to the remote system (only useful for SSH protocol
150 version 2 and if the peer supports it).
151
152 ~C Open command line. Currently this allows the addition of port
153 forwardings using the -L and -R options (see below). It also al-
154 lows the cancellation of existing remote port-forwardings using
155 -KR hostport. Basic help is available, using the -h option.
156
157 ~R Request rekeying of the connection (only useful for SSH protocol
158 version 2 and if the peer supports it).
159
160 X11 and TCP forwarding
161 If the ForwardX11 variable is set to ``yes'' (or see the description of
162 the -X and -x options described later) and the user is using X11 (the
163 DISPLAY environment variable is set), the connection to the X11 display
164 is automatically forwarded to the remote side in such a way that any X11
165 programs started from the shell (or command) will go through the encrypt-
166 ed channel, and the connection to the real X server will be made from the
167 local machine. The user should not manually set DISPLAY. Forwarding of
168 X11 connections can be configured on the command line or in configuration
169 files.
170
171 The DISPLAY value set by ssh will point to the server machine, but with a
172 display number greater than zero. This is normal, and happens because
173 ssh creates a ``proxy'' X server on the server machine for forwarding the
174 connections over the encrypted channel.
175
176 ssh will also automatically set up Xauthority data on the server machine.
177 For this purpose, it will generate a random authorization cookie, store
178 it in Xauthority on the server, and verify that any forwarded connections
179 carry this cookie and replace it by the real cookie when the connection
180 is opened. The real authentication cookie is never sent to the server
181 machine (and no cookies are sent in the plain).
182
183 If the ForwardAgent variable is set to ``yes'' (or see the description of
184 the -A and -a options described later) and the user is using an authenti-
185 cation agent, the connection to the agent is automatically forwarded to
186 the remote side.
187
188 Forwarding of arbitrary TCP/IP connections over the secure channel can be
189 specified either on the command line or in a configuration file. One
190 possible application of TCP/IP forwarding is a secure connection to an
191 electronic purse; another is going through firewalls.
192
193 Server authentication
194 ssh automatically maintains and checks a database containing identifica-
195 tions for all hosts it has ever been used with. Host keys are stored in
196 ~/.ssh/known_hosts in the user's home directory. Additionally, the file
197 /etc/ssh/ssh_known_hosts is automatically checked for known hosts. Any
198 new hosts are automatically added to the user's file. If a host's iden-
199 tification ever changes, ssh warns about this and disables password au-
200 thentication to prevent a trojan horse from getting the user's password.
201 Another purpose of this mechanism is to prevent man-in-the-middle attacks
202 which could otherwise be used to circumvent the encryption. The
203 StrictHostKeyChecking option can be used to prevent logins to machines
204 whose host key is not known or has changed.
205
206 ssh can be configured to verify host identification using fingerprint re-
207 source records (SSHFP) published in DNS. The VerifyHostKeyDNS option can
208 be used to control how DNS lookups are performed. SSHFP resource records
209 can be generated using ssh-keygen(1).
210 28
211 The options are as follows: 29 The options are as follows:
212 30
@@ -238,7 +56,7 @@ DESCRIPTION
238 dress. 56 dress.
239 57
240 -C Requests compression of all data (including stdin, stdout, 58 -C Requests compression of all data (including stdin, stdout,
241 stderr, and data for forwarded X11 and TCP/IP connections). The 59 stderr, and data for forwarded X11 and TCP connections). The
242 compression algorithm is the same used by gzip(1), and the 60 compression algorithm is the same used by gzip(1), and the
243 ``level'' can be controlled by the CompressionLevel option for 61 ``level'' can be controlled by the CompressionLevel option for
244 protocol version 1. Compression is desirable on modem lines and 62 protocol version 1. Compression is desirable on modem lines and
@@ -250,7 +68,7 @@ DESCRIPTION
250 Selects the cipher specification for encrypting the session. 68 Selects the cipher specification for encrypting the session.
251 69
252 Protocol version 1 allows specification of a single cipher. The 70 Protocol version 1 allows specification of a single cipher. The
253 suported values are ``3des'', ``blowfish'' and ``des''. 3des 71 supported values are ``3des'', ``blowfish'', and ``des''. 3des
254 (triple-des) is an encrypt-decrypt-encrypt triple with three dif- 72 (triple-des) is an encrypt-decrypt-encrypt triple with three dif-
255 ferent keys. It is believed to be secure. blowfish is a fast 73 ferent keys. It is believed to be secure. blowfish is a fast
256 block cipher; it appears very secure and is much faster than 74 block cipher; it appears very secure and is much faster than
@@ -259,29 +77,39 @@ DESCRIPTION
259 the 3des cipher. Its use is strongly discouraged due to crypto- 77 the 3des cipher. Its use is strongly discouraged due to crypto-
260 graphic weaknesses. The default is ``3des''. 78 graphic weaknesses. The default is ``3des''.
261 79
262 For protocol version 2 cipher_spec is a comma-separated list of 80 For protocol version 2, cipher_spec is a comma-separated list of
263 ciphers listed in order of preference. The supported ciphers are 81 ciphers listed in order of preference. The supported ciphers
264 ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', 82 are: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr,
265 ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'', 83 aes192-ctr, aes256-ctr, arcfour128, arcfour256, arcfour, blow-
266 ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and 84 fish-cbc, and cast128-cbc. The default is:
267 ``cast128-cbc''. The default is
268 85
269 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, 86 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
270 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, 87 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
271 aes192-ctr,aes256-ctr'' 88 aes192-ctr,aes256-ctr
272 89
273 -D port 90 -D [bind_address:]port
274 Specifies a local ``dynamic'' application-level port forwarding. 91 Specifies a local ``dynamic'' application-level port forwarding.
275 This works by allocating a socket to listen to port on the local 92 This works by allocating a socket to listen to port on the local
276 side, and whenever a connection is made to this port, the connec- 93 side, optionally bound to the specified bind_address. Whenever a
277 tion is forwarded over the secure channel, and the application 94 connection is made to this port, the connection is forwarded over
278 protocol is then used to determine where to connect to from the 95 the secure channel, and the application protocol is then used to
279 remote machine. Currently the SOCKS4 and SOCKS5 protocols are 96 determine where to connect to from the remote machine. Currently
280 supported, and ssh will act as a SOCKS server. Only root can 97 the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
281 forward privileged ports. Dynamic port forwardings can also be 98 as a SOCKS server. Only root can forward privileged ports. Dy-
282 specified in the configuration file. 99 namic port forwardings can also be specified in the configuration
283 100 file.
284 -e ch | ^ch | none 101
102 IPv6 addresses can be specified with an alternative syntax:
103 [bind_address/]port or by enclosing the address in square brack-
104 ets. Only the superuser can forward privileged ports. By de-
105 fault, the local port is bound in accordance with the
106 GatewayPorts setting. However, an explicit bind_address may be
107 used to bind the connection to a specific address. The
108 bind_address of ``localhost'' indicates that the listening port
109 be bound for local use only, while an empty address or `*' indi-
110 cates that the port should be available from all interfaces.
111
112 -e escape_char
285 Sets the escape character for sessions with a pty (default: `~'). 113 Sets the escape character for sessions with a pty (default: `~').
286 The escape character is only recognized at the beginning of a 114 The escape character is only recognized at the beginning of a
287 line. The escape character followed by a dot (`.') closes the 115 line. The escape character followed by a dot (`.') closes the
@@ -305,9 +133,10 @@ DESCRIPTION
305 -g Allows remote hosts to connect to local forwarded ports. 133 -g Allows remote hosts to connect to local forwarded ports.
306 134
307 -I smartcard_device 135 -I smartcard_device
308 Specifies which smartcard device to use. The argument is the de- 136 Specify the device ssh should use to communicate with a smartcard
309 vice ssh should use to communicate with a smartcard used for 137 used for storing the user's private RSA key. This option is only
310 storing the user's private RSA key. 138 available if support for smartcard devices is compiled in (de-
139 fault is no support).
311 140
312 -i identity_file 141 -i identity_file
313 Selects a file from which the identity (private key) for RSA or 142 Selects a file from which the identity (private key) for RSA or
@@ -345,8 +174,10 @@ DESCRIPTION
345 may be specified on a per-host basis in the configuration file. 174 may be specified on a per-host basis in the configuration file.
346 175
347 -M Places the ssh client into ``master'' mode for connection shar- 176 -M Places the ssh client into ``master'' mode for connection shar-
348 ing. Refer to the description of ControlMaster in ssh_config(5) 177 ing. Multiple -M options places ssh into ``master'' mode with
349 for details. 178 confirmation required before slave connections are accepted. Re-
179 fer to the description of ControlMaster in ssh_config(5) for de-
180 tails.
350 181
351 -m mac_spec 182 -m mac_spec
352 Additionally, for protocol version 2 a comma-separated list of 183 Additionally, for protocol version 2 a comma-separated list of
@@ -410,17 +241,20 @@ DESCRIPTION
410 IdentityFile 241 IdentityFile
411 IdentitiesOnly 242 IdentitiesOnly
412 KbdInteractiveDevices 243 KbdInteractiveDevices
244 LocalCommand
413 LocalForward 245 LocalForward
414 LogLevel 246 LogLevel
415 MACs 247 MACs
416 NoHostAuthenticationForLocalhost 248 NoHostAuthenticationForLocalhost
417 NumberOfPasswordPrompts 249 NumberOfPasswordPrompts
418 PasswordAuthentication 250 PasswordAuthentication
251 PermitLocalCommand
419 Port 252 Port
420 PreferredAuthentications 253 PreferredAuthentications
421 Protocol 254 Protocol
422 ProxyCommand 255 ProxyCommand
423 PubkeyAuthentication 256 PubkeyAuthentication
257 RekeyLimit
424 RemoteForward 258 RemoteForward
425 RhostsRSAAuthentication 259 RhostsRSAAuthentication
426 RSAAuthentication 260 RSAAuthentication
@@ -430,6 +264,8 @@ DESCRIPTION
430 SmartcardDevice 264 SmartcardDevice
431 StrictHostKeyChecking 265 StrictHostKeyChecking
432 TCPKeepAlive 266 TCPKeepAlive
267 Tunnel
268 TunnelDevice
433 UsePrivilegedPort 269 UsePrivilegedPort
434 User 270 User
435 UserKnownHostsFile 271 UserKnownHostsFile
@@ -489,6 +325,12 @@ DESCRIPTION
489 tion, and configuration problems. Multiple -v options increase 325 tion, and configuration problems. Multiple -v options increase
490 the verbosity. The maximum is 3. 326 the verbosity. The maximum is 3.
491 327
328 -w tunnel:tunnel
329 Requests a tun(4) device on the client (first tunnel arg) and
330 server (second tunnel arg). The devices may be specified by nu-
331 merical ID or the keyword ``any'', which uses the next available
332 tunnel device. See also the Tunnel directive in ssh_config(5).
333
492 -X Enables X11 forwarding. This can also be specified on a per-host 334 -X Enables X11 forwarding. This can also be specified on a per-host
493 basis in a configuration file. 335 basis in a configuration file.
494 336
@@ -508,100 +350,358 @@ DESCRIPTION
508 -Y Enables trusted X11 forwarding. Trusted X11 forwardings are not 350 -Y Enables trusted X11 forwarding. Trusted X11 forwardings are not
509 subjected to the X11 SECURITY extension controls. 351 subjected to the X11 SECURITY extension controls.
510 352
511CONFIGURATION FILES
512 ssh may additionally obtain configuration data from a per-user configura- 353 ssh may additionally obtain configuration data from a per-user configura-
513 tion file and a system-wide configuration file. The file format and con- 354 tion file and a system-wide configuration file. The file format and con-
514 figuration options are described in ssh_config(5). 355 figuration options are described in ssh_config(5).
515 356
516ENVIRONMENT 357 ssh exits with the exit status of the remote command or with 255 if an
517 ssh will normally set the following environment variables: 358 error occurred.
359
360AUTHENTICATION
361 The OpenSSH SSH client supports SSH protocols 1 and 2. Protocol 2 is the
362 default, with ssh falling back to protocol 1 if it detects protocol 2 is
363 unsupported. These settings may be altered using the Protocol option in
364 ssh_config(5), or enforced using the -1 and -2 options (see above). Both
365 protocols support similar authentication methods, but protocol 2 is pre-
366 ferred since it provides additional mechanisms for confidentiality (the
367 traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and
368 integrity (hmac-md5, hmac-sha1, hmac-ripemd160). Protocol 1 lacks a
369 strong mechanism for ensuring the integrity of the connection.
370
371 The methods available for authentication are: host-based authentication,
372 public key authentication, challenge-response authentication, and pass-
373 word authentication. Authentication methods are tried in the order spec-
374 ified above, though protocol 2 has a configuration option to change the
375 default order: PreferredAuthentications.
376
377 Host-based authentication works as follows: If the machine the user logs
378 in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote
379 machine, and the user names are the same on both sides, or if the files
380 ~/.rhosts or ~/.shosts exist in the user's home directory on the remote
381 machine and contain a line containing the name of the client machine and
382 the name of the user on that machine, the user is considered for login.
383 Additionally, the server must be able to verify the client's host key
384 (see the description of /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts,
385 below) for login to be permitted. This authentication method closes se-
386 curity holes due to IP spoofing, DNS spoofing, and routing spoofing.
387 [Note to the administrator: /etc/hosts.equiv, ~/.rhosts, and the
388 rlogin/rsh protocol in general, are inherently insecure and should be
389 disabled if security is desired.]
390
391 Public key authentication works as follows: The scheme is based on pub-
392 lic-key cryptography, using cryptosystems where encryption and decryption
393 are done using separate keys, and it is unfeasible to derive the decryp-
394 tion key from the encryption key. The idea is that each user creates a
395 public/private key pair for authentication purposes. The server knows
396 the public key, and only the user knows the private key. ssh implements
397 public key authentication protocol automatically, using either the RSA or
398 DSA algorithms. Protocol 1 is restricted to using only RSA keys, but
399 protocol 2 may use either. The HISTORY section of ssl(8) contains a
400 brief discussion of the two algorithms.
401
402 The file ~/.ssh/authorized_keys lists the public keys that are permitted
403 for logging in. When the user logs in, the ssh program tells the server
404 which key pair it would like to use for authentication. The client
405 proves that it has access to the private key and the server checks that
406 the corresponding public key is authorized to accept the account.
407
408 The user creates his/her key pair by running ssh-keygen(1). This stores
409 the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol
410 2 DSA), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
411 ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA), or
412 ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home directory. The us-
413 er should then copy the public key to ~/.ssh/authorized_keys in his/her
414 home directory on the remote machine. The authorized_keys file corre-
415 sponds to the conventional ~/.rhosts file, and has one key per line,
416 though the lines can be very long. After this, the user can log in with-
417 out giving the password.
418
419 The most convenient way to use public key authentication may be with an
420 authentication agent. See ssh-agent(1) for more information.
421
422 Challenge-response authentication works as follows: The server sends an
423 arbitrary "challenge" text, and prompts for a response. Protocol 2 al-
424 lows multiple challenges and responses; protocol 1 is restricted to just
425 one challenge/response. Examples of challenge-response authentication
426 include BSD Authentication (see login.conf(5)) and PAM (some non-OpenBSD
427 systems).
428
429 Finally, if other authentication methods fail, ssh prompts the user for a
430 password. The password is sent to the remote host for checking; however,
431 since all communications are encrypted, the password cannot be seen by
432 someone listening on the network.
433
434 ssh automatically maintains and checks a database containing identifica-
435 tion for all hosts it has ever been used with. Host keys are stored in
436 ~/.ssh/known_hosts in the user's home directory. Additionally, the file
437 /etc/ssh/ssh_known_hosts is automatically checked for known hosts. Any
438 new hosts are automatically added to the user's file. If a host's iden-
439 tification ever changes, ssh warns about this and disables password au-
440 thentication to prevent server spoofing or man-in-the-middle attacks,
441 which could otherwise be used to circumvent the encryption. The
442 StrictHostKeyChecking option can be used to control logins to machines
443 whose host key is not known or has changed.
444
445 When the user's identity has been accepted by the server, the server ei-
446 ther executes the given command, or logs into the machine and gives the
447 user a normal shell on the remote machine. All communication with the
448 remote command or shell will be automatically encrypted.
449
450 If a pseudo-terminal has been allocated (normal login session), the user
451 may use the escape characters noted below.
452
453 If no pseudo-tty has been allocated, the session is transparent and can
454 be used to reliably transfer binary data. On most systems, setting the
455 escape character to ``none'' will also make the session transparent even
456 if a tty is used.
457
458 The session terminates when the command or shell on the remote machine
459 exits and all X11 and TCP connections have been closed.
460
461ESCAPE CHARACTERS
462 When a pseudo-terminal has been requested, ssh supports a number of func-
463 tions through the use of an escape character.
464
465 A single tilde character can be sent as ~~ or by following the tilde by a
466 character other than those described below. The escape character must
467 always follow a newline to be interpreted as special. The escape charac-
468 ter can be changed in configuration files using the EscapeChar configura-
469 tion directive or on the command line by the -e option.
470
471 The supported escapes (assuming the default `~') are:
472
473 ~. Disconnect.
474
475 ~^Z Background ssh.
476
477 ~# List forwarded connections.
478
479 ~& Background ssh at logout when waiting for forwarded connection /
480 X11 sessions to terminate.
481
482 ~? Display a list of escape characters.
483
484 ~B Send a BREAK to the remote system (only useful for SSH protocol
485 version 2 and if the peer supports it).
486
487 ~C Open command line. Currently this allows the addition of port
488 forwardings using the -L and -R options (see above). It also al-
489 lows the cancellation of existing remote port-forwardings using
490 -KR hostport. !command allows the user to execute a local com-
491 mand if the PermitLocalCommand option is enabled in
492 ssh_config(5). Basic help is available, using the -h option.
493
494 ~R Request rekeying of the connection (only useful for SSH protocol
495 version 2 and if the peer supports it).
496
497TCP FORWARDING
498 Forwarding of arbitrary TCP connections over the secure channel can be
499 specified either on the command line or in a configuration file. One
500 possible application of TCP forwarding is a secure connection to a mail
501 server; another is going through firewalls.
502
503 In the example below, we look at encrypting communication between an IRC
504 client and server, even though the IRC server does not directly support
505 encrypted communications. This works as follows: the user connects to
506 the remote host using ssh, specifying a port to be used to forward con-
507 nections to the remote server. After that it is possible to start the
508 service which is to be encrypted on the client machine, connecting to the
509 same local port, and ssh will encrypt and forward the connection.
510
511 The following example tunnels an IRC session from client machine
512 ``127.0.0.1'' (localhost) to remote server ``server.example.com'':
513
514 $ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
515 $ irc -c '#users' -p 1234 pinky 127.0.0.1
516
517 This tunnels a connection to IRC server ``server.example.com'', joining
518 channel ``#users'', nickname ``pinky'', using port 1234. It doesn't mat-
519 ter which port is used, as long as it's greater than 1023 (remember, only
520 root can open sockets on privileged ports) and doesn't conflict with any
521 ports already in use. The connection is forwarded to port 6667 on the
522 remote server, since that's the standard port for IRC services.
523
524 The -f option backgrounds ssh and the remote command ``sleep 10'' is
525 specified to allow an amount of time (10 seconds, in the example) to
526 start the service which is to be tunnelled. If no connections are made
527 within the time specified, ssh will exit.
528
529X11 FORWARDING
530 If the ForwardX11 variable is set to ``yes'' (or see the description of
531 the -X, -x, and -Y options above) and the user is using X11 (the DISPLAY
532 environment variable is set), the connection to the X11 display is auto-
533 matically forwarded to the remote side in such a way that any X11 pro-
534 grams started from the shell (or command) will go through the encrypted
535 channel, and the connection to the real X server will be made from the
536 local machine. The user should not manually set DISPLAY. Forwarding of
537 X11 connections can be configured on the command line or in configuration
538 files.
539
540 The DISPLAY value set by ssh will point to the server machine, but with a
541 display number greater than zero. This is normal, and happens because
542 ssh creates a ``proxy'' X server on the server machine for forwarding the
543 connections over the encrypted channel.
544
545 ssh will also automatically set up Xauthority data on the server machine.
546 For this purpose, it will generate a random authorization cookie, store
547 it in Xauthority on the server, and verify that any forwarded connections
548 carry this cookie and replace it by the real cookie when the connection
549 is opened. The real authentication cookie is never sent to the server
550 machine (and no cookies are sent in the plain).
551
552 If the ForwardAgent variable is set to ``yes'' (or see the description of
553 the -A and -a options above) and the user is using an authentication
554 agent, the connection to the agent is automatically forwarded to the re-
555 mote side.
556
557VERIFYING HOST KEYS
558 When connecting to a server for the first time, a fingerprint of the
559 server's public key is presented to the user (unless the option
560 StrictHostKeyChecking has been disabled). Fingerprints can be determined
561 using ssh-keygen(1):
562
563 $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
564
565 If the fingerprint is already known, it can be matched and verified, and
566 the key can be accepted. If the fingerprint is unknown, an alternative
567 method of verification is available: SSH fingerprints verified by DNS.
568 An additional resource record (RR), SSHFP, is added to a zonefile and the
569 connecting client is able to match the fingerprint with that of the key
570 presented.
571
572 In this example, we are connecting a client to a server,
573 ``host.example.com''. The SSHFP resource records should first be added
574 to the zonefile for host.example.com:
518 575
519 DISPLAY The DISPLAY variable indicates the location of the X11 server. 576 $ ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r host.example.com.
520 It is automatically set by ssh to point to a value of the form 577 $ ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r host.example.com.
521 ``hostname:n'' where hostname indicates the host where the shell
522 runs, and n is an integer >= 1. ssh uses this special value to
523 forward X11 connections over the secure channel. The user
524 should normally not set DISPLAY explicitly, as that will render
525 the X11 connection insecure (and will require the user to manu-
526 ally copy any required authorization cookies).
527 578
528 HOME Set to the path of the user's home directory. 579 The output lines will have to be added to the zonefile. To check that
580 the zone is answering fingerprint queries:
529 581
530 LOGNAME Synonym for USER; set for compatibility with systems that use 582 $ dig -t SSHFP host.example.com
531 this variable.
532 583
533 MAIL Set to the path of the user's mailbox. 584 Finally the client connects:
534 585
535 PATH Set to the default PATH, as specified when compiling ssh. 586 $ ssh -o "VerifyHostKeyDNS ask" host.example.com
587 [...]
588 Matching host key fingerprint found in DNS.
589 Are you sure you want to continue connecting (yes/no)?
536 590
537 SSH_ASKPASS 591 See the VerifyHostKeyDNS option in ssh_config(5) for more information.
538 If ssh needs a passphrase, it will read the passphrase from the
539 current terminal if it was run from a terminal. If ssh does not
540 have a terminal associated with it but DISPLAY and SSH_ASKPASS
541 are set, it will execute the program specified by SSH_ASKPASS
542 and open an X11 window to read the passphrase. This is particu-
543 larly useful when calling ssh from a .xsession or related
544 script. (Note that on some machines it may be necessary to
545 redirect the input from /dev/null to make this work.)
546 592
547 SSH_AUTH_SOCK 593SSH-BASED VIRTUAL PRIVATE NETWORKS
548 Identifies the path of a unix-domain socket used to communicate 594 ssh contains support for Virtual Private Network (VPN) tunnelling using
549 with the agent. 595 the tun(4) network pseudo-device, allowing two networks to be joined se-
596 curely. The sshd_config(5) configuration option PermitTunnel controls
597 whether the server supports this, and at what level (layer 2 or 3 traf-
598 fic).
550 599
551 SSH_CONNECTION 600 The following example would connect client network 10.0.50.0/24 with re-
552 Identifies the client and server ends of the connection. The 601 mote network 10.0.99.0/24, provided that the SSH server running on the
553 variable contains four space-separated values: client ip-ad- 602 gateway to the remote network, at 192.168.1.15, allows it:
554 dress, client port number, server ip-address and server port
555 number.
556 603
557 SSH_ORIGINAL_COMMAND 604 # ssh -f -w 0:1 192.168.1.15 true
558 The variable contains the original command line if a forced com- 605 # ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252
559 mand is executed. It can be used to extract the original argu-
560 ments.
561 606
562 SSH_TTY This is set to the name of the tty (path to the device) associ- 607 Client access may be more finely tuned via the /root/.ssh/authorized_keys
563 ated with the current shell or command. If the current session 608 file (see below) and the PermitRootLogin server option. The following
564 has no tty, this variable is not set. 609 entry would permit connections on the first tun(4) device from user
610 ``jane'' and on the second device from user ``john'', if PermitRootLogin
611 is set to ``forced-commands-only'':
565 612
566 TZ The timezone variable is set to indicate the present timezone if 613 tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
567 it was set when the daemon was started (i.e., the daemon passes 614 tunnel="2",command="sh /etc/netstart tun1" ssh-rsa ... john
568 the value on to new connections).
569 615
570 USER Set to the name of the user logging in. 616 Since a SSH-based setup entails a fair amount of overhead, it may be more
617 suited to temporary setups, such as for wireless VPNs. More permanent
618 VPNs are better provided by tools such as ipsecctl(8) and isakmpd(8).
619
620ENVIRONMENT
621 ssh will normally set the following environment variables:
622
623 DISPLAY The DISPLAY variable indicates the location of the
624 X11 server. It is automatically set by ssh to
625 point to a value of the form ``hostname:n'', where
626 ``hostname'' indicates the host where the shell
627 runs, and `n' is an integer >= 1. ssh uses this
628 special value to forward X11 connections over the
629 secure channel. The user should normally not set
630 DISPLAY explicitly, as that will render the X11
631 connection insecure (and will require the user to
632 manually copy any required authorization cookies).
633
634 HOME Set to the path of the user's home directory.
635
636 LOGNAME Synonym for USER; set for compatibility with sys-
637 tems that use this variable.
638
639 MAIL Set to the path of the user's mailbox.
640
641 PATH Set to the default PATH, as specified when compil-
642 ing ssh.
643
644 SSH_ASKPASS If ssh needs a passphrase, it will read the
645 passphrase from the current terminal if it was run
646 from a terminal. If ssh does not have a terminal
647 associated with it but DISPLAY and SSH_ASKPASS are
648 set, it will execute the program specified by
649 SSH_ASKPASS and open an X11 window to read the
650 passphrase. This is particularly useful when call-
651 ing ssh from a .xsession or related script. (Note
652 that on some machines it may be necessary to redi-
653 rect the input from /dev/null to make this work.)
654
655 SSH_AUTH_SOCK Identifies the path of a UNIX-domain socket used to
656 communicate with the agent.
657
658 SSH_CONNECTION Identifies the client and server ends of the con-
659 nection. The variable contains four space-separat-
660 ed values: client IP address, client port number,
661 server IP address, and server port number.
662
663 SSH_ORIGINAL_COMMAND This variable contains the original command line if
664 a forced command is executed. It can be used to
665 extract the original arguments.
666
667 SSH_TTY This is set to the name of the tty (path to the de-
668 vice) associated with the current shell or command.
669 If the current session has no tty, this variable is
670 not set.
671
672 TZ This variable is set to indicate the present time
673 zone if it was set when the daemon was started
674 (i.e., the daemon passes the value on to new con-
675 nections).
676
677 USER Set to the name of the user logging in.
571 678
572 Additionally, ssh reads ~/.ssh/environment, and adds lines of the format 679 Additionally, ssh reads ~/.ssh/environment, and adds lines of the format
573 ``VARNAME=value'' to the environment if the file exists and if users are 680 ``VARNAME=value'' to the environment if the file exists and users are al-
574 allowed to change their environment. For more information, see the 681 lowed to change their environment. For more information, see the
575 PermitUserEnvironment option in sshd_config(5). 682 PermitUserEnvironment option in sshd_config(5).
576 683
577FILES 684FILES
578 ~/.ssh/known_hosts 685 ~/.rhosts
579 Records host keys for all hosts the user has logged into that are 686 This file is used for host-based authentication (see above). On
580 not in /etc/ssh/ssh_known_hosts. See sshd(8). 687 some machines this file may need to be world-readable if the us-
581 688 er's home directory is on an NFS partition, because sshd(8) reads
582 ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa 689 it as root. Additionally, this file must be owned by the user,
583 Contains the authentication identity of the user. They are for 690 and must not have write permissions for anyone else. The recom-
584 protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. 691 mended permission for most machines is read/write for the user,
585 These files contain sensitive data and should be readable by the 692 and not accessible by others.
586 user but not accessible by others (read/write/execute). Note 693
587 that ssh ignores a private key file if it is accessible by oth- 694 ~/.shosts
588 ers. It is possible to specify a passphrase when generating the 695 This file is used in exactly the same way as .rhosts, but allows
589 key; the passphrase will be used to encrypt the sensitive part of 696 host-based authentication without permitting login with
590 this file using 3DES. 697 rlogin/rsh.
591 698
592 ~/.ssh/identity.pub, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa.pub 699 ~/.ssh/authorized_keys
593 Contains the public key for authentication (public part of the 700 Lists the public keys (RSA/DSA) that can be used for logging in
594 identity file in human-readable form). The contents of the 701 as this user. The format of this file is described in the
595 ~/.ssh/identity.pub file should be added to the file 702 sshd(8) manual page. This file is not highly sensitive, but the
596 ~/.ssh/authorized_keys on all machines where the user wishes to 703 recommended permissions are read/write for the user, and not ac-
597 log in using protocol version 1 RSA authentication. The contents 704 cessible by others.
598 of the ~/.ssh/id_dsa.pub and ~/.ssh/id_rsa.pub file should be
599 added to ~/.ssh/authorized_keys on all machines where the user
600 wishes to log in using protocol version 2 DSA/RSA authentication.
601 These files are not sensitive and can (but need not) be readable
602 by anyone. These files are never used automatically and are not
603 necessary; they are only provided for the convenience of the us-
604 er.
605 705
606 ~/.ssh/config 706 ~/.ssh/config
607 This is the per-user configuration file. The file format and 707 This is the per-user configuration file. The file format and
@@ -609,112 +709,75 @@ FILES
609 the potential for abuse, this file must have strict permissions: 709 the potential for abuse, this file must have strict permissions:
610 read/write for the user, and not accessible by others. 710 read/write for the user, and not accessible by others.
611 711
612 ~/.ssh/authorized_keys 712 ~/.ssh/environment
613 Lists the public keys (RSA/DSA) that can be used for logging in 713 Contains additional definitions for environment variables; see
614 as this user. The format of this file is described in the 714 ENVIRONMENT, above.
615 sshd(8) manual page. In the simplest form the format is the same 715
616 as the .pub identity files. This file is not highly sensitive, 716 ~/.ssh/identity
617 but the recommended permissions are read/write for the user, and 717 ~/.ssh/id_dsa
618 not accessible by others. 718 ~/.ssh/id_rsa
719 Contains the private key for authentication. These files contain
720 sensitive data and should be readable by the user but not acces-
721 sible by others (read/write/execute). ssh will simply ignore a
722 private key file if it is accessible by others. It is possible
723 to specify a passphrase when generating the key which will be
724 used to encrypt the sensitive part of this file using 3DES.
725
726 ~/.ssh/identity.pub
727 ~/.ssh/id_dsa.pub
728 ~/.ssh/id_rsa.pub
729 Contains the public key for authentication. These files are not
730 sensitive and can (but need not) be readable by anyone.
619 731
620 /etc/ssh/ssh_known_hosts 732 ~/.ssh/known_hosts
621 Systemwide list of known host keys. This file should be prepared 733 Contains a list of host keys for all hosts the user has logged
622 by the system administrator to contain the public host keys of 734 into that are not already in the systemwide list of known host
623 all machines in the organization. This file should be world- 735 keys. See sshd(8) for further details of the format of this
624 readable. This file contains public keys, one per line, in the 736 file.
625 following format (fields separated by spaces): system name, pub- 737
626 lic key and optional comment field. When different names are 738 ~/.ssh/rc
627 used for the same machine, all such names should be listed, sepa- 739 Commands in this file are executed by ssh when the user logs in,
628 rated by commas. The format is described in the sshd(8) manual 740 just before the user's shell (or command) is started. See the
629 page. 741 sshd(8) manual page for more information.
630 742
631 The canonical system name (as returned by name servers) is used 743 /etc/hosts.equiv
632 by sshd(8) to verify the client host when logging in; other names 744 This file is for host-based authentication (see above). It
633 are needed because ssh does not convert the user-supplied name to 745 should only be writable by root.
634 a canonical name before checking the key, because someone with 746
635 access to the name servers would then be able to fool host au- 747 /etc/shosts.equiv
636 thentication. 748 This file is used in exactly the same way as hosts.equiv, but al-
749 lows host-based authentication without permitting login with
750 rlogin/rsh.
637 751
638 /etc/ssh/ssh_config 752 /etc/ssh/ssh_config
639 Systemwide configuration file. The file format and configuration 753 Systemwide configuration file. The file format and configuration
640 options are described in ssh_config(5). 754 options are described in ssh_config(5).
641 755
642 /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, 756 /etc/ssh/ssh_host_key
643 /etc/ssh/ssh_host_rsa_key 757 /etc/ssh/ssh_host_dsa_key
758 /etc/ssh/ssh_host_rsa_key
644 These three files contain the private parts of the host keys and 759 These three files contain the private parts of the host keys and
645 are used for RhostsRSAAuthentication and HostbasedAuthentication. 760 are used for host-based authentication. If protocol version 1 is
646 If the protocol version 1 RhostsRSAAuthentication method is used, 761 used, ssh must be setuid root, since the host key is readable on-
647 ssh must be setuid root, since the host key is readable only by 762 ly by root. For protocol version 2, ssh uses ssh-keysign(8) to
648 root. For protocol version 2, ssh uses ssh-keysign(8) to access 763 access the host keys, eliminating the requirement that ssh be se-
649 the host keys for HostbasedAuthentication. This eliminates the 764 tuid root when host-based authentication is used. By default ssh
650 requirement that ssh be setuid root when that authentication 765 is not setuid root.
651 method is used. By default ssh is not setuid root.
652 766
653 ~/.rhosts 767 /etc/ssh/ssh_known_hosts
654 This file is used in RhostsRSAAuthentication and 768 Systemwide list of known host keys. This file should be prepared
655 HostbasedAuthentication authentication to list the host/user 769 by the system administrator to contain the public host keys of
656 pairs that are permitted to log in. (Note that this file is also 770 all machines in the organization. It should be world-readable.
657 used by rlogin and rsh, which makes using this file insecure.) 771 See sshd(8) for further details of the format of this file.
658 Each line of the file contains a host name (in the canonical form
659 returned by name servers), and then a user name on that host,
660 separated by a space. On some machines this file may need to be
661 world-readable if the user's home directory is on a NFS parti-
662 tion, because sshd(8) reads it as root. Additionally, this file
663 must be owned by the user, and must not have write permissions
664 for anyone else. The recommended permission for most machines is
665 read/write for the user, and not accessible by others.
666
667 Note that sshd(8) allows authentication only in combination with
668 client host key authentication before permitting log in. If the
669 server machine does not have the client's host key in
670 /etc/ssh/ssh_known_hosts, it can be stored in ~/.ssh/known_hosts.
671 The easiest way to do this is to connect back to the client from
672 the server machine using ssh; this will automatically add the
673 host key to ~/.ssh/known_hosts.
674
675 ~/.shosts
676 This file is used exactly the same way as .rhosts. The purpose
677 for having this file is to be able to use RhostsRSAAuthentication
678 and HostbasedAuthentication authentication without permitting lo-
679 gin with rlogin or rsh(1).
680
681 /etc/hosts.equiv
682 This file is used during RhostsRSAAuthentication and
683 HostbasedAuthentication authentication. It contains canonical
684 hosts names, one per line (the full format is described in the
685 sshd(8) manual page). If the client host is found in this file,
686 login is automatically permitted provided client and server user
687 names are the same. Additionally, successful client host key au-
688 thentication is required. This file should only be writable by
689 root.
690
691 /etc/shosts.equiv
692 This file is processed exactly as /etc/hosts.equiv. This file
693 may be useful to permit logins using ssh but not using
694 rsh/rlogin.
695 772
696 /etc/ssh/sshrc 773 /etc/ssh/sshrc
697 Commands in this file are executed by ssh when the user logs in 774 Commands in this file are executed by ssh when the user logs in,
698 just before the user's shell (or command) is started. See the
699 sshd(8) manual page for more information.
700
701 ~/.ssh/rc
702 Commands in this file are executed by ssh when the user logs in
703 just before the user's shell (or command) is started. See the 775 just before the user's shell (or command) is started. See the
704 sshd(8) manual page for more information. 776 sshd(8) manual page for more information.
705 777
706 ~/.ssh/environment
707 Contains additional definitions for environment variables, see
708 section ENVIRONMENT above.
709
710DIAGNOSTICS
711 ssh exits with the exit status of the remote command or with 255 if an
712 error occurred.
713
714SEE ALSO 778SEE ALSO
715 gzip(1), rsh(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1), 779 scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1),
716 ssh-keygen(1), telnet(1), hosts.equiv(5), ssh_config(5), ssh-keysign(8), 780 tun(4), hosts.equiv(5), ssh_config(5), ssh-keysign(8), sshd(8)
717 sshd(8)
718 781
719 T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH 782 T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH
720 Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January 783 Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January
@@ -727,4 +790,4 @@ AUTHORS
727 created OpenSSH. Markus Friedl contributed the support for SSH protocol 790 created OpenSSH. Markus Friedl contributed the support for SSH protocol
728 versions 1.5 and 2.0. 791 versions 1.5 and 2.0.
729 792
730OpenBSD 3.8 September 25, 1999 12 793OpenBSD 3.9 September 25, 1999 12
diff --git a/ssh.1 b/ssh.1
index 9ce28be69..f7c65a372 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh.1,v 1.209 2005/07/06 09:33:05 dtucker Exp $ 37.\" $OpenBSD: ssh.1,v 1.253 2006/01/30 13:37:49 jmc Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSH 1 39.Dt SSH 1
40.Os 40.Os
@@ -43,21 +43,29 @@
43.Nd OpenSSH SSH client (remote login program) 43.Nd OpenSSH SSH client (remote login program)
44.Sh SYNOPSIS 44.Sh SYNOPSIS
45.Nm ssh 45.Nm ssh
46.Bk -words
47.Op Fl 1246AaCfgkMNnqsTtVvXxY 46.Op Fl 1246AaCfgkMNnqsTtVvXxY
48.Op Fl b Ar bind_address 47.Op Fl b Ar bind_address
49.Op Fl c Ar cipher_spec 48.Op Fl c Ar cipher_spec
50.Op Fl D Ar port 49.Oo Fl D\ \&
50.Sm off
51.Oo Ar bind_address : Oc
52.Ar port
53.Sm on
54.Oc
51.Op Fl e Ar escape_char 55.Op Fl e Ar escape_char
52.Op Fl F Ar configfile 56.Op Fl F Ar configfile
57.Bk -words
53.Op Fl i Ar identity_file 58.Op Fl i Ar identity_file
59.Ek
54.Oo Fl L\ \& 60.Oo Fl L\ \&
55.Sm off 61.Sm off
56.Oo Ar bind_address : Oc 62.Oo Ar bind_address : Oc
57.Ar port : host : hostport 63.Ar port : host : hostport
58.Sm on 64.Sm on
59.Oc 65.Oc
66.Bk -words
60.Op Fl l Ar login_name 67.Op Fl l Ar login_name
68.Ek
61.Op Fl m Ar mac_spec 69.Op Fl m Ar mac_spec
62.Op Fl O Ar ctl_cmd 70.Op Fl O Ar ctl_cmd
63.Op Fl o Ar option 71.Op Fl o Ar option
@@ -69,6 +77,8 @@
69.Sm on 77.Sm on
70.Oc 78.Oc
71.Op Fl S Ar ctl_path 79.Op Fl S Ar ctl_path
80.Bk -words
81.Op Fl w Ar tunnel : Ns Ar tunnel
72.Oo Ar user Ns @ Oc Ns Ar hostname 82.Oo Ar user Ns @ Oc Ns Ar hostname
73.Op Ar command 83.Op Ar command
74.Ek 84.Ek
@@ -79,7 +89,7 @@ executing commands on a remote machine.
79It is intended to replace rlogin and rsh, 89It is intended to replace rlogin and rsh,
80and provide secure encrypted communications between 90and provide secure encrypted communications between
81two untrusted hosts over an insecure network. 91two untrusted hosts over an insecure network.
82X11 connections and arbitrary TCP/IP ports 92X11 connections and arbitrary TCP ports
83can also be forwarded over the secure channel. 93can also be forwarded over the secure channel.
84.Pp 94.Pp
85.Nm 95.Nm
@@ -90,306 +100,12 @@ connects and logs into the specified
90name). 100name).
91The user must prove 101The user must prove
92his/her identity to the remote machine using one of several methods 102his/her identity to the remote machine using one of several methods
93depending on the protocol version used. 103depending on the protocol version used (see below).
94.Pp 104.Pp
95If 105If
96.Ar command 106.Ar command
97is specified, 107is specified,
98.Ar command 108it is executed on the remote host instead of a login shell.
99is executed on the remote host instead of a login shell.
100.Ss SSH protocol version 1
101The first authentication method is the
102.Em rhosts
103or
104.Em hosts.equiv
105method combined with RSA-based host authentication.
106If the machine the user logs in from is listed in
107.Pa /etc/hosts.equiv
108or
109.Pa /etc/shosts.equiv
110on the remote machine, and the user names are
111the same on both sides, or if the files
112.Pa ~/.rhosts
113or
114.Pa ~/.shosts
115exist in the user's home directory on the
116remote machine and contain a line containing the name of the client
117machine and the name of the user on that machine, the user is
118considered for log in.
119Additionally, if the server can verify the client's
120host key (see
121.Pa /etc/ssh/ssh_known_hosts
122and
123.Pa ~/.ssh/known_hosts
124in the
125.Sx FILES
126section), only then is login permitted.
127This authentication method closes security holes due to IP
128spoofing, DNS spoofing and routing spoofing.
129[Note to the administrator:
130.Pa /etc/hosts.equiv ,
131.Pa ~/.rhosts ,
132and the rlogin/rsh protocol in general, are inherently insecure and should be
133disabled if security is desired.]
134.Pp
135As a second authentication method,
136.Nm
137supports RSA based authentication.
138The scheme is based on public-key cryptography: there are cryptosystems
139where encryption and decryption are done using separate keys, and it
140is not possible to derive the decryption key from the encryption key.
141RSA is one such system.
142The idea is that each user creates a public/private
143key pair for authentication purposes.
144The server knows the public key, and only the user knows the private key.
145.Pp
146The file
147.Pa ~/.ssh/authorized_keys
148lists the public keys that are permitted for logging in.
149When the user logs in, the
150.Nm
151program tells the server which key pair it would like to use for
152authentication.
153The server checks if this key is permitted, and if so,
154sends the user (actually the
155.Nm
156program running on behalf of the user) a challenge, a random number,
157encrypted by the user's public key.
158The challenge can only be decrypted using the proper private key.
159The user's client then decrypts the challenge using the private key,
160proving that he/she knows the private key
161but without disclosing it to the server.
162.Pp
163.Nm
164implements the RSA authentication protocol automatically.
165The user creates his/her RSA key pair by running
166.Xr ssh-keygen 1 .
167This stores the private key in
168.Pa ~/.ssh/identity
169and stores the public key in
170.Pa ~/.ssh/identity.pub
171in the user's home directory.
172The user should then copy the
173.Pa identity.pub
174to
175.Pa ~/.ssh/authorized_keys
176in his/her home directory on the remote machine (the
177.Pa authorized_keys
178file corresponds to the conventional
179.Pa ~/.rhosts
180file, and has one key
181per line, though the lines can be very long).
182After this, the user can log in without giving the password.
183.Pp
184The most convenient way to use RSA authentication may be with an
185authentication agent.
186See
187.Xr ssh-agent 1
188for more information.
189.Pp
190If other authentication methods fail,
191.Nm
192prompts the user for a password.
193The password is sent to the remote
194host for checking; however, since all communications are encrypted,
195the password cannot be seen by someone listening on the network.
196.Ss SSH protocol version 2
197When a user connects using protocol version 2,
198similar authentication methods are available.
199Using the default values for
200.Cm PreferredAuthentications ,
201the client will try to authenticate first using the hostbased method;
202if this method fails, public key authentication is attempted,
203and finally if this method fails, keyboard-interactive and
204password authentication are tried.
205.Pp
206The public key method is similar to RSA authentication described
207in the previous section and allows the RSA or DSA algorithm to be used:
208The client uses his private key,
209.Pa ~/.ssh/id_dsa
210or
211.Pa ~/.ssh/id_rsa ,
212to sign the session identifier and sends the result to the server.
213The server checks whether the matching public key is listed in
214.Pa ~/.ssh/authorized_keys
215and grants access if both the key is found and the signature is correct.
216The session identifier is derived from a shared Diffie-Hellman value
217and is only known to the client and the server.
218.Pp
219If public key authentication fails or is not available, a password
220can be sent encrypted to the remote host to prove the user's identity.
221.Pp
222Additionally,
223.Nm
224supports hostbased or challenge response authentication.
225.Pp
226Protocol 2 provides additional mechanisms for confidentiality
227(the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour)
228and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
229Note that protocol 1 lacks a strong mechanism for ensuring the
230integrity of the connection.
231.Ss Login session and remote execution
232When the user's identity has been accepted by the server, the server
233either executes the given command, or logs into the machine and gives
234the user a normal shell on the remote machine.
235All communication with
236the remote command or shell will be automatically encrypted.
237.Pp
238If a pseudo-terminal has been allocated (normal login session), the
239user may use the escape characters noted below.
240.Pp
241If no pseudo-tty has been allocated,
242the session is transparent and can be used to reliably transfer binary data.
243On most systems, setting the escape character to
244.Dq none
245will also make the session transparent even if a tty is used.
246.Pp
247The session terminates when the command or shell on the remote
248machine exits and all X11 and TCP/IP connections have been closed.
249The exit status of the remote program is returned as the exit status of
250.Nm ssh .
251.Ss Escape Characters
252When a pseudo-terminal has been requested,
253.Nm
254supports a number of functions through the use of an escape character.
255.Pp
256A single tilde character can be sent as
257.Ic ~~
258or by following the tilde by a character other than those described below.
259The escape character must always follow a newline to be interpreted as
260special.
261The escape character can be changed in configuration files using the
262.Cm EscapeChar
263configuration directive or on the command line by the
264.Fl e
265option.
266.Pp
267The supported escapes (assuming the default
268.Ql ~ )
269are:
270.Bl -tag -width Ds
271.It Cm ~.
272Disconnect.
273.It Cm ~^Z
274Background
275.Nm ssh .
276.It Cm ~#
277List forwarded connections.
278.It Cm ~&
279Background
280.Nm
281at logout when waiting for forwarded connection / X11 sessions to terminate.
282.It Cm ~?
283Display a list of escape characters.
284.It Cm ~B
285Send a BREAK to the remote system
286(only useful for SSH protocol version 2 and if the peer supports it).
287.It Cm ~C
288Open command line.
289Currently this allows the addition of port forwardings using the
290.Fl L
291and
292.Fl R
293options (see below).
294It also allows the cancellation of existing remote port-forwardings
295using
296.Fl KR Ar hostport .
297Basic help is available, using the
298.Fl h
299option.
300.It Cm ~R
301Request rekeying of the connection
302(only useful for SSH protocol version 2 and if the peer supports it).
303.El
304.Ss X11 and TCP forwarding
305If the
306.Cm ForwardX11
307variable is set to
308.Dq yes
309(or see the description of the
310.Fl X
311and
312.Fl x
313options described later)
314and the user is using X11 (the
315.Ev DISPLAY
316environment variable is set), the connection to the X11 display is
317automatically forwarded to the remote side in such a way that any X11
318programs started from the shell (or command) will go through the
319encrypted channel, and the connection to the real X server will be made
320from the local machine.
321The user should not manually set
322.Ev DISPLAY .
323Forwarding of X11 connections can be
324configured on the command line or in configuration files.
325.Pp
326The
327.Ev DISPLAY
328value set by
329.Nm
330will point to the server machine, but with a display number greater than zero.
331This is normal, and happens because
332.Nm
333creates a
334.Dq proxy
335X server on the server machine for forwarding the
336connections over the encrypted channel.
337.Pp
338.Nm
339will also automatically set up Xauthority data on the server machine.
340For this purpose, it will generate a random authorization cookie,
341store it in Xauthority on the server, and verify that any forwarded
342connections carry this cookie and replace it by the real cookie when
343the connection is opened.
344The real authentication cookie is never
345sent to the server machine (and no cookies are sent in the plain).
346.Pp
347If the
348.Cm ForwardAgent
349variable is set to
350.Dq yes
351(or see the description of the
352.Fl A
353and
354.Fl a
355options described later) and
356the user is using an authentication agent, the connection to the agent
357is automatically forwarded to the remote side.
358.Pp
359Forwarding of arbitrary TCP/IP connections over the secure channel can
360be specified either on the command line or in a configuration file.
361One possible application of TCP/IP forwarding is a secure connection to an
362electronic purse; another is going through firewalls.
363.Ss Server authentication
364.Nm
365automatically maintains and checks a database containing
366identifications for all hosts it has ever been used with.
367Host keys are stored in
368.Pa ~/.ssh/known_hosts
369in the user's home directory.
370Additionally, the file
371.Pa /etc/ssh/ssh_known_hosts
372is automatically checked for known hosts.
373Any new hosts are automatically added to the user's file.
374If a host's identification ever changes,
375.Nm
376warns about this and disables password authentication to prevent a
377trojan horse from getting the user's password.
378Another purpose of this mechanism is to prevent man-in-the-middle attacks
379which could otherwise be used to circumvent the encryption.
380The
381.Cm StrictHostKeyChecking
382option can be used to prevent logins to machines whose
383host key is not known or has changed.
384.Pp
385.Nm
386can be configured to verify host identification using fingerprint resource
387records (SSHFP) published in DNS.
388The
389.Cm VerifyHostKeyDNS
390option can be used to control how DNS lookups are performed.
391SSHFP resource records can be generated using
392.Xr ssh-keygen 1 .
393.Pp 109.Pp
394The options are as follows: 110The options are as follows:
395.Bl -tag -width Ds 111.Bl -tag -width Ds
@@ -430,7 +146,7 @@ of the connection.
430Only useful on systems with more than one address. 146Only useful on systems with more than one address.
431.It Fl C 147.It Fl C
432Requests compression of all data (including stdin, stdout, stderr, and 148Requests compression of all data (including stdin, stdout, stderr, and
433data for forwarded X11 and TCP/IP connections). 149data for forwarded X11 and TCP connections).
434The compression algorithm is the same used by 150The compression algorithm is the same used by
435.Xr gzip 1 , 151.Xr gzip 1 ,
436and the 152and the
@@ -448,9 +164,9 @@ option.
448Selects the cipher specification for encrypting the session. 164Selects the cipher specification for encrypting the session.
449.Pp 165.Pp
450Protocol version 1 allows specification of a single cipher. 166Protocol version 1 allows specification of a single cipher.
451The suported values are 167The supported values are
452.Dq 3des , 168.Dq 3des ,
453.Dq blowfish 169.Dq blowfish ,
454and 170and
455.Dq des . 171.Dq des .
456.Ar 3des 172.Ar 3des
@@ -470,37 +186,44 @@ Its use is strongly discouraged due to cryptographic weaknesses.
470The default is 186The default is
471.Dq 3des . 187.Dq 3des .
472.Pp 188.Pp
473For protocol version 2 189For protocol version 2,
474.Ar cipher_spec 190.Ar cipher_spec
475is a comma-separated list of ciphers 191is a comma-separated list of ciphers
476listed in order of preference. 192listed in order of preference.
477The supported ciphers are 193The supported ciphers are:
478.Dq 3des-cbc , 1943des-cbc,
479.Dq aes128-cbc , 195aes128-cbc,
480.Dq aes192-cbc , 196aes192-cbc,
481.Dq aes256-cbc , 197aes256-cbc,
482.Dq aes128-ctr , 198aes128-ctr,
483.Dq aes192-ctr , 199aes192-ctr,
484.Dq aes256-ctr , 200aes256-ctr,
485.Dq arcfour128 , 201arcfour128,
486.Dq arcfour256 , 202arcfour256,
487.Dq arcfour , 203arcfour,
488.Dq blowfish-cbc , 204blowfish-cbc,
489and 205and
490.Dq cast128-cbc . 206cast128-cbc.
491The default is 207The default is:
492.Bd -literal 208.Bd -literal -offset indent
493 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, 209aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
494 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, 210arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
495 aes192-ctr,aes256-ctr'' 211aes192-ctr,aes256-ctr
496.Ed 212.Ed
497.It Fl D Ar port 213.It Fl D Xo
214.Sm off
215.Oo Ar bind_address : Oc
216.Ar port
217.Sm on
218.Xc
498Specifies a local 219Specifies a local
499.Dq dynamic 220.Dq dynamic
500application-level port forwarding. 221application-level port forwarding.
501This works by allocating a socket to listen to 222This works by allocating a socket to listen to
502.Ar port 223.Ar port
503on the local side, and whenever a connection is made to this port, the 224on the local side, optionally bound to the specified
225.Ar bind_address .
226Whenever a connection is made to this port, the
504connection is forwarded over the secure channel, and the application 227connection is forwarded over the secure channel, and the application
505protocol is then used to determine where to connect to from the 228protocol is then used to determine where to connect to from the
506remote machine. 229remote machine.
@@ -509,7 +232,31 @@ Currently the SOCKS4 and SOCKS5 protocols are supported, and
509will act as a SOCKS server. 232will act as a SOCKS server.
510Only root can forward privileged ports. 233Only root can forward privileged ports.
511Dynamic port forwardings can also be specified in the configuration file. 234Dynamic port forwardings can also be specified in the configuration file.
512.It Fl e Ar ch | ^ch | none 235.Pp
236IPv6 addresses can be specified with an alternative syntax:
237.Sm off
238.Xo
239.Op Ar bind_address No /
240.Ar port
241.Xc
242.Sm on
243or by enclosing the address in square brackets.
244Only the superuser can forward privileged ports.
245By default, the local port is bound in accordance with the
246.Cm GatewayPorts
247setting.
248However, an explicit
249.Ar bind_address
250may be used to bind the connection to a specific address.
251The
252.Ar bind_address
253of
254.Dq localhost
255indicates that the listening port be bound for local use only, while an
256empty address or
257.Sq *
258indicates that the port should be available from all interfaces.
259.It Fl e Ar escape_char
513Sets the escape character for sessions with a pty (default: 260Sets the escape character for sessions with a pty (default:
514.Ql ~ ) . 261.Ql ~ ) .
515The escape character is only recognized at the beginning of a line. 262The escape character is only recognized at the beginning of a line.
@@ -545,11 +292,12 @@ something like
545.It Fl g 292.It Fl g
546Allows remote hosts to connect to local forwarded ports. 293Allows remote hosts to connect to local forwarded ports.
547.It Fl I Ar smartcard_device 294.It Fl I Ar smartcard_device
548Specifies which smartcard device to use. 295Specify the device
549The argument is the device
550.Nm 296.Nm
551should use to communicate with a smartcard used for storing the user's 297should use to communicate with a smartcard used for storing the user's
552private RSA key. 298private RSA key.
299This option is only available if support for smartcard devices
300is compiled in (default is no support).
553.It Fl i Ar identity_file 301.It Fl i Ar identity_file
554Selects a file from which the identity (private key) for 302Selects a file from which the identity (private key) for
555RSA or DSA authentication is read. 303RSA or DSA authentication is read.
@@ -621,6 +369,13 @@ Places the
621client into 369client into
622.Dq master 370.Dq master
623mode for connection sharing. 371mode for connection sharing.
372Multiple
373.Fl M
374options places
375.Nm
376into
377.Dq master
378mode with confirmation required before slave connections are accepted.
624Refer to the description of 379Refer to the description of
625.Cm ControlMaster 380.Cm ControlMaster
626in 381in
@@ -709,17 +464,20 @@ For full details of the options listed below, and their possible values, see
709.It IdentityFile 464.It IdentityFile
710.It IdentitiesOnly 465.It IdentitiesOnly
711.It KbdInteractiveDevices 466.It KbdInteractiveDevices
467.It LocalCommand
712.It LocalForward 468.It LocalForward
713.It LogLevel 469.It LogLevel
714.It MACs 470.It MACs
715.It NoHostAuthenticationForLocalhost 471.It NoHostAuthenticationForLocalhost
716.It NumberOfPasswordPrompts 472.It NumberOfPasswordPrompts
717.It PasswordAuthentication 473.It PasswordAuthentication
474.It PermitLocalCommand
718.It Port 475.It Port
719.It PreferredAuthentications 476.It PreferredAuthentications
720.It Protocol 477.It Protocol
721.It ProxyCommand 478.It ProxyCommand
722.It PubkeyAuthentication 479.It PubkeyAuthentication
480.It RekeyLimit
723.It RemoteForward 481.It RemoteForward
724.It RhostsRSAAuthentication 482.It RhostsRSAAuthentication
725.It RSAAuthentication 483.It RSAAuthentication
@@ -729,6 +487,8 @@ For full details of the options listed below, and their possible values, see
729.It SmartcardDevice 487.It SmartcardDevice
730.It StrictHostKeyChecking 488.It StrictHostKeyChecking
731.It TCPKeepAlive 489.It TCPKeepAlive
490.It Tunnel
491.It TunnelDevice
732.It UsePrivilegedPort 492.It UsePrivilegedPort
733.It User 493.It User
734.It UserKnownHostsFile 494.It UserKnownHostsFile
@@ -832,6 +592,24 @@ Multiple
832.Fl v 592.Fl v
833options increase the verbosity. 593options increase the verbosity.
834The maximum is 3. 594The maximum is 3.
595.It Fl w Ar tunnel : Ns Ar tunnel
596Requests a
597.Xr tun 4
598device on the client
599(first
600.Ar tunnel
601arg)
602and server
603(second
604.Ar tunnel
605arg).
606The devices may be specified by numerical ID or the keyword
607.Dq any ,
608which uses the next available tunnel device.
609See also the
610.Cm Tunnel
611directive in
612.Xr ssh_config 5 .
835.It Fl X 613.It Fl X
836Enables X11 forwarding. 614Enables X11 forwarding.
837This can also be specified on a per-host basis in a configuration file. 615This can also be specified on a per-host basis in a configuration file.
@@ -859,16 +637,474 @@ Enables trusted X11 forwarding.
859Trusted X11 forwardings are not subjected to the X11 SECURITY extension 637Trusted X11 forwardings are not subjected to the X11 SECURITY extension
860controls. 638controls.
861.El 639.El
862.Sh CONFIGURATION FILES 640.Pp
863.Nm 641.Nm
864may additionally obtain configuration data from 642may additionally obtain configuration data from
865a per-user configuration file and a system-wide configuration file. 643a per-user configuration file and a system-wide configuration file.
866The file format and configuration options are described in 644The file format and configuration options are described in
867.Xr ssh_config 5 . 645.Xr ssh_config 5 .
646.Pp
647.Nm
648exits with the exit status of the remote command or with 255
649if an error occurred.
650.Sh AUTHENTICATION
651The OpenSSH SSH client supports SSH protocols 1 and 2.
652Protocol 2 is the default, with
653.Nm
654falling back to protocol 1 if it detects protocol 2 is unsupported.
655These settings may be altered using the
656.Cm Protocol
657option in
658.Xr ssh_config 5 ,
659or enforced using the
660.Fl 1
661and
662.Fl 2
663options (see above).
664Both protocols support similar authentication methods,
665but protocol 2 is preferred since
666it provides additional mechanisms for confidentiality
667(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
668and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
669Protocol 1 lacks a strong mechanism for ensuring the
670integrity of the connection.
671.Pp
672The methods available for authentication are:
673host-based authentication,
674public key authentication,
675challenge-response authentication,
676and password authentication.
677Authentication methods are tried in the order specified above,
678though protocol 2 has a configuration option to change the default order:
679.Cm PreferredAuthentications .
680.Pp
681Host-based authentication works as follows:
682If the machine the user logs in from is listed in
683.Pa /etc/hosts.equiv
684or
685.Pa /etc/shosts.equiv
686on the remote machine, and the user names are
687the same on both sides, or if the files
688.Pa ~/.rhosts
689or
690.Pa ~/.shosts
691exist in the user's home directory on the
692remote machine and contain a line containing the name of the client
693machine and the name of the user on that machine, the user is
694considered for login.
695Additionally, the server
696.Em must
697be able to verify the client's
698host key (see the description of
699.Pa /etc/ssh/ssh_known_hosts
700and
701.Pa ~/.ssh/known_hosts ,
702below)
703for login to be permitted.
704This authentication method closes security holes due to IP
705spoofing, DNS spoofing, and routing spoofing.
706[Note to the administrator:
707.Pa /etc/hosts.equiv ,
708.Pa ~/.rhosts ,
709and the rlogin/rsh protocol in general, are inherently insecure and should be
710disabled if security is desired.]
711.Pp
712Public key authentication works as follows:
713The scheme is based on public-key cryptography,
714using cryptosystems
715where encryption and decryption are done using separate keys,
716and it is unfeasible to derive the decryption key from the encryption key.
717The idea is that each user creates a public/private
718key pair for authentication purposes.
719The server knows the public key, and only the user knows the private key.
720.Nm
721implements public key authentication protocol automatically,
722using either the RSA or DSA algorithms.
723Protocol 1 is restricted to using only RSA keys,
724but protocol 2 may use either.
725The
726.Sx HISTORY
727section of
728.Xr ssl 8
729contains a brief discussion of the two algorithms.
730.Pp
731The file
732.Pa ~/.ssh/authorized_keys
733lists the public keys that are permitted for logging in.
734When the user logs in, the
735.Nm
736program tells the server which key pair it would like to use for
737authentication.
738The client proves that it has access to the private key
739and the server checks that the corresponding public key
740is authorized to accept the account.
741.Pp
742The user creates his/her key pair by running
743.Xr ssh-keygen 1 .
744This stores the private key in
745.Pa ~/.ssh/identity
746(protocol 1),
747.Pa ~/.ssh/id_dsa
748(protocol 2 DSA),
749or
750.Pa ~/.ssh/id_rsa
751(protocol 2 RSA)
752and stores the public key in
753.Pa ~/.ssh/identity.pub
754(protocol 1),
755.Pa ~/.ssh/id_dsa.pub
756(protocol 2 DSA),
757or
758.Pa ~/.ssh/id_rsa.pub
759(protocol 2 RSA)
760in the user's home directory.
761The user should then copy the public key
762to
763.Pa ~/.ssh/authorized_keys
764in his/her home directory on the remote machine.
765The
766.Pa authorized_keys
767file corresponds to the conventional
768.Pa ~/.rhosts
769file, and has one key
770per line, though the lines can be very long.
771After this, the user can log in without giving the password.
772.Pp
773The most convenient way to use public key authentication may be with an
774authentication agent.
775See
776.Xr ssh-agent 1
777for more information.
778.Pp
779Challenge-response authentication works as follows:
780The server sends an arbitrary
781.Qq challenge
782text, and prompts for a response.
783Protocol 2 allows multiple challenges and responses;
784protocol 1 is restricted to just one challenge/response.
785Examples of challenge-response authentication include
786BSD Authentication (see
787.Xr login.conf 5 )
788and PAM (some non-OpenBSD systems).
789.Pp
790Finally, if other authentication methods fail,
791.Nm
792prompts the user for a password.
793The password is sent to the remote
794host for checking; however, since all communications are encrypted,
795the password cannot be seen by someone listening on the network.
796.Pp
797.Nm
798automatically maintains and checks a database containing
799identification for all hosts it has ever been used with.
800Host keys are stored in
801.Pa ~/.ssh/known_hosts
802in the user's home directory.
803Additionally, the file
804.Pa /etc/ssh/ssh_known_hosts
805is automatically checked for known hosts.
806Any new hosts are automatically added to the user's file.
807If a host's identification ever changes,
808.Nm
809warns about this and disables password authentication to prevent
810server spoofing or man-in-the-middle attacks,
811which could otherwise be used to circumvent the encryption.
812The
813.Cm StrictHostKeyChecking
814option can be used to control logins to machines whose
815host key is not known or has changed.
816.Pp
817When the user's identity has been accepted by the server, the server
818either executes the given command, or logs into the machine and gives
819the user a normal shell on the remote machine.
820All communication with
821the remote command or shell will be automatically encrypted.
822.Pp
823If a pseudo-terminal has been allocated (normal login session), the
824user may use the escape characters noted below.
825.Pp
826If no pseudo-tty has been allocated,
827the session is transparent and can be used to reliably transfer binary data.
828On most systems, setting the escape character to
829.Dq none
830will also make the session transparent even if a tty is used.
831.Pp
832The session terminates when the command or shell on the remote
833machine exits and all X11 and TCP connections have been closed.
834.Sh ESCAPE CHARACTERS
835When a pseudo-terminal has been requested,
836.Nm
837supports a number of functions through the use of an escape character.
838.Pp
839A single tilde character can be sent as
840.Ic ~~
841or by following the tilde by a character other than those described below.
842The escape character must always follow a newline to be interpreted as
843special.
844The escape character can be changed in configuration files using the
845.Cm EscapeChar
846configuration directive or on the command line by the
847.Fl e
848option.
849.Pp
850The supported escapes (assuming the default
851.Ql ~ )
852are:
853.Bl -tag -width Ds
854.It Cm ~.
855Disconnect.
856.It Cm ~^Z
857Background
858.Nm .
859.It Cm ~#
860List forwarded connections.
861.It Cm ~&
862Background
863.Nm
864at logout when waiting for forwarded connection / X11 sessions to terminate.
865.It Cm ~?
866Display a list of escape characters.
867.It Cm ~B
868Send a BREAK to the remote system
869(only useful for SSH protocol version 2 and if the peer supports it).
870.It Cm ~C
871Open command line.
872Currently this allows the addition of port forwardings using the
873.Fl L
874and
875.Fl R
876options (see above).
877It also allows the cancellation of existing remote port-forwardings
878using
879.Fl KR Ar hostport .
880.Ic !\& Ns Ar command
881allows the user to execute a local command if the
882.Ic PermitLocalCommand
883option is enabled in
884.Xr ssh_config 5 .
885Basic help is available, using the
886.Fl h
887option.
888.It Cm ~R
889Request rekeying of the connection
890(only useful for SSH protocol version 2 and if the peer supports it).
891.El
892.Sh TCP FORWARDING
893Forwarding of arbitrary TCP connections over the secure channel can
894be specified either on the command line or in a configuration file.
895One possible application of TCP forwarding is a secure connection to a
896mail server; another is going through firewalls.
897.Pp
898In the example below, we look at encrypting communication between
899an IRC client and server, even though the IRC server does not directly
900support encrypted communications.
901This works as follows:
902the user connects to the remote host using
903.Nm ,
904specifying a port to be used to forward connections
905to the remote server.
906After that it is possible to start the service which is to be encrypted
907on the client machine,
908connecting to the same local port,
909and
910.Nm
911will encrypt and forward the connection.
912.Pp
913The following example tunnels an IRC session from client machine
914.Dq 127.0.0.1
915(localhost)
916to remote server
917.Dq server.example.com :
918.Bd -literal -offset 4n
919$ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
920$ irc -c '#users' -p 1234 pinky 127.0.0.1
921.Ed
922.Pp
923This tunnels a connection to IRC server
924.Dq server.example.com ,
925joining channel
926.Dq #users ,
927nickname
928.Dq pinky ,
929using port 1234.
930It doesn't matter which port is used,
931as long as it's greater than 1023
932(remember, only root can open sockets on privileged ports)
933and doesn't conflict with any ports already in use.
934The connection is forwarded to port 6667 on the remote server,
935since that's the standard port for IRC services.
936.Pp
937The
938.Fl f
939option backgrounds
940.Nm
941and the remote command
942.Dq sleep 10
943is specified to allow an amount of time
944(10 seconds, in the example)
945to start the service which is to be tunnelled.
946If no connections are made within the time specified,
947.Nm
948will exit.
949.Sh X11 FORWARDING
950If the
951.Cm ForwardX11
952variable is set to
953.Dq yes
954(or see the description of the
955.Fl X ,
956.Fl x ,
957and
958.Fl Y
959options above)
960and the user is using X11 (the
961.Ev DISPLAY
962environment variable is set), the connection to the X11 display is
963automatically forwarded to the remote side in such a way that any X11
964programs started from the shell (or command) will go through the
965encrypted channel, and the connection to the real X server will be made
966from the local machine.
967The user should not manually set
968.Ev DISPLAY .
969Forwarding of X11 connections can be
970configured on the command line or in configuration files.
971.Pp
972The
973.Ev DISPLAY
974value set by
975.Nm
976will point to the server machine, but with a display number greater than zero.
977This is normal, and happens because
978.Nm
979creates a
980.Dq proxy
981X server on the server machine for forwarding the
982connections over the encrypted channel.
983.Pp
984.Nm
985will also automatically set up Xauthority data on the server machine.
986For this purpose, it will generate a random authorization cookie,
987store it in Xauthority on the server, and verify that any forwarded
988connections carry this cookie and replace it by the real cookie when
989the connection is opened.
990The real authentication cookie is never
991sent to the server machine (and no cookies are sent in the plain).
992.Pp
993If the
994.Cm ForwardAgent
995variable is set to
996.Dq yes
997(or see the description of the
998.Fl A
999and
1000.Fl a
1001options above) and
1002the user is using an authentication agent, the connection to the agent
1003is automatically forwarded to the remote side.
1004.Sh VERIFYING HOST KEYS
1005When connecting to a server for the first time,
1006a fingerprint of the server's public key is presented to the user
1007(unless the option
1008.Cm StrictHostKeyChecking
1009has been disabled).
1010Fingerprints can be determined using
1011.Xr ssh-keygen 1 :
1012.Pp
1013.Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
1014.Pp
1015If the fingerprint is already known,
1016it can be matched and verified,
1017and the key can be accepted.
1018If the fingerprint is unknown,
1019an alternative method of verification is available:
1020SSH fingerprints verified by DNS.
1021An additional resource record (RR),
1022SSHFP,
1023is added to a zonefile
1024and the connecting client is able to match the fingerprint
1025with that of the key presented.
1026.Pp
1027In this example, we are connecting a client to a server,
1028.Dq host.example.com .
1029The SSHFP resource records should first be added to the zonefile for
1030host.example.com:
1031.Bd -literal -offset indent
1032$ ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r host.example.com.
1033$ ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r host.example.com.
1034.Ed
1035.Pp
1036The output lines will have to be added to the zonefile.
1037To check that the zone is answering fingerprint queries:
1038.Pp
1039.Dl $ dig -t SSHFP host.example.com
1040.Pp
1041Finally the client connects:
1042.Bd -literal -offset indent
1043$ ssh -o "VerifyHostKeyDNS ask" host.example.com
1044[...]
1045Matching host key fingerprint found in DNS.
1046Are you sure you want to continue connecting (yes/no)?
1047.Ed
1048.Pp
1049See the
1050.Cm VerifyHostKeyDNS
1051option in
1052.Xr ssh_config 5
1053for more information.
1054.Sh SSH-BASED VIRTUAL PRIVATE NETWORKS
1055.Nm
1056contains support for Virtual Private Network (VPN) tunnelling
1057using the
1058.Xr tun 4
1059network pseudo-device,
1060allowing two networks to be joined securely.
1061The
1062.Xr sshd_config 5
1063configuration option
1064.Cm PermitTunnel
1065controls whether the server supports this,
1066and at what level (layer 2 or 3 traffic).
1067.Pp
1068The following example would connect client network 10.0.50.0/24
1069with remote network 10.0.99.0/24, provided that the SSH server
1070running on the gateway to the remote network,
1071at 192.168.1.15, allows it:
1072.Bd -literal -offset indent
1073# ssh -f -w 0:1 192.168.1.15 true
1074# ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252
1075.Ed
1076.Pp
1077Client access may be more finely tuned via the
1078.Pa /root/.ssh/authorized_keys
1079file (see below) and the
1080.Cm PermitRootLogin
1081server option.
1082The following entry would permit connections on the first
1083.Xr tun 4
1084device from user
1085.Dq jane
1086and on the second device from user
1087.Dq john ,
1088if
1089.Cm PermitRootLogin
1090is set to
1091.Dq forced-commands-only :
1092.Bd -literal -offset 2n
1093tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
1094tunnel="2",command="sh /etc/netstart tun1" ssh-rsa ... john
1095.Ed
1096.Pp
1097Since a SSH-based setup entails a fair amount of overhead,
1098it may be more suited to temporary setups,
1099such as for wireless VPNs.
1100More permanent VPNs are better provided by tools such as
1101.Xr ipsecctl 8
1102and
1103.Xr isakmpd 8 .
868.Sh ENVIRONMENT 1104.Sh ENVIRONMENT
869.Nm 1105.Nm
870will normally set the following environment variables: 1106will normally set the following environment variables:
871.Bl -tag -width LOGNAME 1107.Bl -tag -width "SSH_ORIGINAL_COMMAND"
872.It Ev DISPLAY 1108.It Ev DISPLAY
873The 1109The
874.Ev DISPLAY 1110.Ev DISPLAY
@@ -876,9 +1112,12 @@ variable indicates the location of the X11 server.
876It is automatically set by 1112It is automatically set by
877.Nm 1113.Nm
878to point to a value of the form 1114to point to a value of the form
879.Dq hostname:n 1115.Dq hostname:n ,
880where hostname indicates 1116where
881the host where the shell runs, and n is an integer \*(Ge 1. 1117.Dq hostname
1118indicates the host where the shell runs, and
1119.Sq n
1120is an integer \*(Ge 1.
882.Nm 1121.Nm
883uses this special value to forward X11 connections over the secure 1122uses this special value to forward X11 connections over the secure
884channel. 1123channel.
@@ -899,7 +1138,7 @@ Set to the path of the user's mailbox.
899Set to the default 1138Set to the default
900.Ev PATH , 1139.Ev PATH ,
901as specified when compiling 1140as specified when compiling
902.Nm ssh . 1141.Nm .
903.It Ev SSH_ASKPASS 1142.It Ev SSH_ASKPASS
904If 1143If
905.Nm 1144.Nm
@@ -924,15 +1163,16 @@ may be necessary to redirect the input from
924.Pa /dev/null 1163.Pa /dev/null
925to make this work.) 1164to make this work.)
926.It Ev SSH_AUTH_SOCK 1165.It Ev SSH_AUTH_SOCK
927Identifies the path of a unix-domain socket used to communicate with the 1166Identifies the path of a
928agent. 1167.Ux Ns -domain
1168socket used to communicate with the agent.
929.It Ev SSH_CONNECTION 1169.It Ev SSH_CONNECTION
930Identifies the client and server ends of the connection. 1170Identifies the client and server ends of the connection.
931The variable contains 1171The variable contains
932four space-separated values: client ip-address, client port number, 1172four space-separated values: client IP address, client port number,
933server ip-address and server port number. 1173server IP address, and server port number.
934.It Ev SSH_ORIGINAL_COMMAND 1174.It Ev SSH_ORIGINAL_COMMAND
935The variable contains the original command line if a forced command 1175This variable contains the original command line if a forced command
936is executed. 1176is executed.
937It can be used to extract the original arguments. 1177It can be used to extract the original arguments.
938.It Ev SSH_TTY 1178.It Ev SSH_TTY
@@ -941,7 +1181,7 @@ with the current shell or command.
941If the current session has no tty, 1181If the current session has no tty,
942this variable is not set. 1182this variable is not set.
943.It Ev TZ 1183.It Ev TZ
944The timezone variable is set to indicate the present timezone if it 1184This variable is set to indicate the present time zone if it
945was set when the daemon was started (i.e., the daemon passes the value 1185was set when the daemon was started (i.e., the daemon passes the value
946on to new connections). 1186on to new connections).
947.It Ev USER 1187.It Ev USER
@@ -954,224 +1194,153 @@ reads
954.Pa ~/.ssh/environment , 1194.Pa ~/.ssh/environment ,
955and adds lines of the format 1195and adds lines of the format
956.Dq VARNAME=value 1196.Dq VARNAME=value
957to the environment if the file exists and if users are allowed to 1197to the environment if the file exists and users are allowed to
958change their environment. 1198change their environment.
959For more information, see the 1199For more information, see the
960.Cm PermitUserEnvironment 1200.Cm PermitUserEnvironment
961option in 1201option in
962.Xr sshd_config 5 . 1202.Xr sshd_config 5 .
963.Sh FILES 1203.Sh FILES
964.Bl -tag -width Ds 1204.Bl -tag -width Ds -compact
965.It Pa ~/.ssh/known_hosts 1205.It ~/.rhosts
966Records host keys for all hosts the user has logged into that are not 1206This file is used for host-based authentication (see above).
967in 1207On some machines this file may need to be
968.Pa /etc/ssh/ssh_known_hosts . 1208world-readable if the user's home directory is on an NFS partition,
969See 1209because
970.Xr sshd 8 . 1210.Xr sshd 8
971.It Pa ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa 1211reads it as root.
972Contains the authentication identity of the user. 1212Additionally, this file must be owned by the user,
973They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. 1213and must not have write permissions for anyone else.
1214The recommended
1215permission for most machines is read/write for the user, and not
1216accessible by others.
1217.Pp
1218.It ~/.shosts
1219This file is used in exactly the same way as
1220.Pa .rhosts ,
1221but allows host-based authentication without permitting login with
1222rlogin/rsh.
1223.Pp
1224.It ~/.ssh/authorized_keys
1225Lists the public keys (RSA/DSA) that can be used for logging in as this user.
1226The format of this file is described in the
1227.Xr sshd 8
1228manual page.
1229This file is not highly sensitive, but the recommended
1230permissions are read/write for the user, and not accessible by others.
1231.Pp
1232.It ~/.ssh/config
1233This is the per-user configuration file.
1234The file format and configuration options are described in
1235.Xr ssh_config 5 .
1236Because of the potential for abuse, this file must have strict permissions:
1237read/write for the user, and not accessible by others.
1238It may be group-writable provided that the group in question contains only
1239the user.
1240.Pp
1241.It ~/.ssh/environment
1242Contains additional definitions for environment variables; see
1243.Sx ENVIRONMENT ,
1244above.
1245.Pp
1246.It ~/.ssh/identity
1247.It ~/.ssh/id_dsa
1248.It ~/.ssh/id_rsa
1249Contains the private key for authentication.
974These files 1250These files
975contain sensitive data and should be readable by the user but not 1251contain sensitive data and should be readable by the user but not
976accessible by others (read/write/execute). 1252accessible by others (read/write/execute).
977Note that
978.Nm 1253.Nm
979ignores a private key file if it is accessible by others. 1254will simply ignore a private key file if it is accessible by others.
980It is possible to specify a passphrase when 1255It is possible to specify a passphrase when
981generating the key; the passphrase will be used to encrypt the 1256generating the key which will be used to encrypt the
982sensitive part of this file using 3DES. 1257sensitive part of this file using 3DES.
983.It Pa ~/.ssh/identity.pub, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa.pub 1258.Pp
984Contains the public key for authentication (public part of the 1259.It ~/.ssh/identity.pub
985identity file in human-readable form). 1260.It ~/.ssh/id_dsa.pub
986The contents of the 1261.It ~/.ssh/id_rsa.pub
987.Pa ~/.ssh/identity.pub 1262Contains the public key for authentication.
988file should be added to the file
989.Pa ~/.ssh/authorized_keys
990on all machines
991where the user wishes to log in using protocol version 1 RSA authentication.
992The contents of the
993.Pa ~/.ssh/id_dsa.pub
994and
995.Pa ~/.ssh/id_rsa.pub
996file should be added to
997.Pa ~/.ssh/authorized_keys
998on all machines
999where the user wishes to log in using protocol version 2 DSA/RSA authentication.
1000These files are not 1263These files are not
1001sensitive and can (but need not) be readable by anyone. 1264sensitive and can (but need not) be readable by anyone.
1002These files are
1003never used automatically and are not necessary; they are only provided for
1004the convenience of the user.
1005.It Pa ~/.ssh/config
1006This is the per-user configuration file.
1007The file format and configuration options are described in
1008.Xr ssh_config 5 .
1009Because of the potential for abuse, this file must have strict permissions:
1010read/write for the user, and not accessible by others.
1011It may be group-writable provided that the group in question contains only
1012the user.
1013.It Pa ~/.ssh/authorized_keys
1014Lists the public keys (RSA/DSA) that can be used for logging in as this user.
1015The format of this file is described in the
1016.Xr sshd 8
1017manual page.
1018In the simplest form the format is the same as the
1019.Pa .pub
1020identity files.
1021This file is not highly sensitive, but the recommended
1022permissions are read/write for the user, and not accessible by others.
1023.It Pa /etc/ssh/ssh_known_hosts
1024Systemwide list of known host keys.
1025This file should be prepared by the
1026system administrator to contain the public host keys of all machines in the
1027organization.
1028This file should be world-readable.
1029This file contains
1030public keys, one per line, in the following format (fields separated
1031by spaces): system name, public key and optional comment field.
1032When different names are used
1033for the same machine, all such names should be listed, separated by
1034commas.
1035The format is described in the
1036.Xr sshd 8
1037manual page.
1038.Pp 1265.Pp
1039The canonical system name (as returned by name servers) is used by 1266.It ~/.ssh/known_hosts
1267Contains a list of host keys for all hosts the user has logged into
1268that are not already in the systemwide list of known host keys.
1269See
1040.Xr sshd 8 1270.Xr sshd 8
1041to verify the client host when logging in; other names are needed because 1271for further details of the format of this file.
1272.Pp
1273.It ~/.ssh/rc
1274Commands in this file are executed by
1042.Nm 1275.Nm
1043does not convert the user-supplied name to a canonical name before 1276when the user logs in, just before the user's shell (or command) is
1044checking the key, because someone with access to the name servers 1277started.
1045would then be able to fool host authentication. 1278See the
1279.Xr sshd 8
1280manual page for more information.
1281.Pp
1282.It /etc/hosts.equiv
1283This file is for host-based authentication (see above).
1284It should only be writable by root.
1285.Pp
1286.It /etc/shosts.equiv
1287This file is used in exactly the same way as
1288.Pa hosts.equiv ,
1289but allows host-based authentication without permitting login with
1290rlogin/rsh.
1291.Pp
1046.It Pa /etc/ssh/ssh_config 1292.It Pa /etc/ssh/ssh_config
1047Systemwide configuration file. 1293Systemwide configuration file.
1048The file format and configuration options are described in 1294The file format and configuration options are described in
1049.Xr ssh_config 5 . 1295.Xr ssh_config 5 .
1050.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key 1296.Pp
1297.It /etc/ssh/ssh_host_key
1298.It /etc/ssh/ssh_host_dsa_key
1299.It /etc/ssh/ssh_host_rsa_key
1051These three files contain the private parts of the host keys 1300These three files contain the private parts of the host keys
1052and are used for 1301and are used for host-based authentication.
1053.Cm RhostsRSAAuthentication 1302If protocol version 1 is used,
1054and
1055.Cm HostbasedAuthentication .
1056If the protocol version 1
1057.Cm RhostsRSAAuthentication
1058method is used,
1059.Nm 1303.Nm
1060must be setuid root, since the host key is readable only by root. 1304must be setuid root, since the host key is readable only by root.
1061For protocol version 2, 1305For protocol version 2,
1062.Nm 1306.Nm
1063uses 1307uses
1064.Xr ssh-keysign 8 1308.Xr ssh-keysign 8
1065to access the host keys for 1309to access the host keys,
1066.Cm HostbasedAuthentication . 1310eliminating the requirement that
1067This eliminates the requirement that
1068.Nm 1311.Nm
1069be setuid root when that authentication method is used. 1312be setuid root when host-based authentication is used.
1070By default 1313By default
1071.Nm 1314.Nm
1072is not setuid root. 1315is not setuid root.
1073.It Pa ~/.rhosts
1074This file is used in
1075.Cm RhostsRSAAuthentication
1076and
1077.Cm HostbasedAuthentication
1078authentication to list the
1079host/user pairs that are permitted to log in.
1080(Note that this file is
1081also used by rlogin and rsh, which makes using this file insecure.)
1082Each line of the file contains a host name (in the canonical form
1083returned by name servers), and then a user name on that host,
1084separated by a space.
1085On some machines this file may need to be
1086world-readable if the user's home directory is on a NFS partition,
1087because
1088.Xr sshd 8
1089reads it as root.
1090Additionally, this file must be owned by the user,
1091and must not have write permissions for anyone else.
1092The recommended
1093permission for most machines is read/write for the user, and not
1094accessible by others.
1095.Pp 1316.Pp
1096Note that 1317.It /etc/ssh/ssh_known_hosts
1097.Xr sshd 8 1318Systemwide list of known host keys.
1098allows authentication only in combination with client host key 1319This file should be prepared by the
1099authentication before permitting log in. 1320system administrator to contain the public host keys of all machines in the
1100If the server machine does not have the client's host key in 1321organization.
1101.Pa /etc/ssh/ssh_known_hosts , 1322It should be world-readable.
1102it can be stored in 1323See
1103.Pa ~/.ssh/known_hosts .
1104The easiest way to do this is to
1105connect back to the client from the server machine using ssh; this
1106will automatically add the host key to
1107.Pa ~/.ssh/known_hosts .
1108.It Pa ~/.shosts
1109This file is used exactly the same way as
1110.Pa .rhosts .
1111The purpose for
1112having this file is to be able to use
1113.Cm RhostsRSAAuthentication
1114and
1115.Cm HostbasedAuthentication
1116authentication without permitting login with
1117.Xr rlogin
1118or
1119.Xr rsh 1 .
1120.It Pa /etc/hosts.equiv
1121This file is used during
1122.Cm RhostsRSAAuthentication
1123and
1124.Cm HostbasedAuthentication
1125authentication.
1126It contains
1127canonical hosts names, one per line (the full format is described in the
1128.Xr sshd 8
1129manual page).
1130If the client host is found in this file, login is
1131automatically permitted provided client and server user names are the
1132same.
1133Additionally, successful client host key authentication is required.
1134This file should only be writable by root.
1135.It Pa /etc/shosts.equiv
1136This file is processed exactly as
1137.Pa /etc/hosts.equiv .
1138This file may be useful to permit logins using
1139.Nm
1140but not using rsh/rlogin.
1141.It Pa /etc/ssh/sshrc
1142Commands in this file are executed by
1143.Nm
1144when the user logs in just before the user's shell (or command) is started.
1145See the
1146.Xr sshd 8 1324.Xr sshd 8
1147manual page for more information. 1325for further details of the format of this file.
1148.It Pa ~/.ssh/rc 1326.Pp
1327.It /etc/ssh/sshrc
1149Commands in this file are executed by 1328Commands in this file are executed by
1150.Nm 1329.Nm
1151when the user logs in just before the user's shell (or command) is 1330when the user logs in, just before the user's shell (or command) is started.
1152started.
1153See the 1331See the
1154.Xr sshd 8 1332.Xr sshd 8
1155manual page for more information. 1333manual page for more information.
1156.It Pa ~/.ssh/environment
1157Contains additional definitions for environment variables, see section
1158.Sx ENVIRONMENT
1159above.
1160.El 1334.El
1161.Sh DIAGNOSTICS
1162.Nm
1163exits with the exit status of the remote command or with 255
1164if an error occurred.
1165.Sh SEE ALSO 1335.Sh SEE ALSO
1166.Xr gzip 1 ,
1167.Xr rsh 1 ,
1168.Xr scp 1 , 1336.Xr scp 1 ,
1169.Xr sftp 1 , 1337.Xr sftp 1 ,
1170.Xr ssh-add 1 , 1338.Xr ssh-add 1 ,
1171.Xr ssh-agent 1 , 1339.Xr ssh-agent 1 ,
1172.Xr ssh-argv0 1 , 1340.Xr ssh-argv0 1 ,
1173.Xr ssh-keygen 1 , 1341.Xr ssh-keygen 1 ,
1174.Xr telnet 1 , 1342.Xr ssh-keyscan 1 ,
1343.Xr tun 4 ,
1175.Xr hosts.equiv 5 , 1344.Xr hosts.equiv 5 ,
1176.Xr ssh_config 5 , 1345.Xr ssh_config 5 ,
1177.Xr ssh-keysign 8 , 1346.Xr ssh-keysign 8 ,
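diff --git a/ssh.c b/ssh.c
index 75a0d9b23..a64f1e2dc 100644
--- a/ssh.c
+++ b/ssh.c
@@ -40,7 +40,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.249 2005/07/30 01:26:16 djm Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.257 2005/12/20 04:41:07 dtucker Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -158,13 +158,13 @@ usage(void)
 {
  fprintf(stderr,
 "usage: ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
-" [-D port] [-e escape_char] [-F configfile]\n"
+" [-D [bind_address:]port] [-e escape_char] [-F configfile]\n"
 " [-i identity_file] [-L [bind_address:]port:host:hostport]\n"
 " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
 " [-R [bind_address:]port:host:hostport] [-S ctl_path]\n"
-" [user@]hostname [command]\n"
+" [-w tunnel:tunnel] [user@]hostname [command]\n"
  );
- exit(1);
+ exit(255);
 }
 
 static int ssh_session(void);
@@ -188,6 +188,9 @@ main(int ac, char **av)
  struct servent *sp;
  Forward fwd;
 
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
  __progname = ssh_get_progname(av[0]);
  init_rng();
 
@@ -220,7 +223,7 @@ main(int ac, char **av)
  pw = getpwuid(original_real_uid);
  if (!pw) {
  logit("You don't exist, go away!");
- exit(1);
+ exit(255);
  }
  /* Take a copy of the returned structure. */
  pw = pwcopy(pw);
@@ -241,7 +244,7 @@ main(int ac, char **av)
 
 again:
  while ((opt = getopt(ac, av,
- "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVXY")) != -1) {
+ "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVw:XY")) != -1) {
  switch (opt) {
  case '1':
  options.protocol = SSH_PROTO_1;
@@ -337,6 +340,15 @@ again:
  if (opt == 'V')
  exit(0);
  break;
+ case 'w':
+ if (options.tun_open == -1)
+ options.tun_open = SSH_TUNMODE_DEFAULT;
+ options.tun_local = a2tun(optarg, &options.tun_remote);
+ if (options.tun_local == SSH_TUNID_ERR) {
+ fprintf(stderr, "Bad tun device '%s'\n", optarg);
+ exit(255);
+ }
+ break;
  case 'q':
  if (options.log_level == SYSLOG_LEVEL_QUIET) {
  options.log_level = SYSLOG_LEVEL_SILENT;
@@ -357,7 +369,7 @@ again:
  else {
  fprintf(stderr, "Bad escape character '%s'.\n",
  optarg);
- exit(1);
+ exit(255);
  }
  break;
  case 'c':
@@ -372,7 +384,7 @@ again:
  fprintf(stderr,
  "Unknown cipher type '%s'\n",
  optarg);
- exit(1);
+ exit(255);
  }
  if (options.cipher == SSH_CIPHER_3DES)
  options.ciphers = "3des-cbc";
@@ -388,7 +400,7 @@ again:
  else {
  fprintf(stderr, "Unknown mac type '%s'\n",
  optarg);
- exit(1);
+ exit(255);
  }
  break;
  case 'M':
@@ -401,7 +413,7 @@ again:
  options.port = a2port(optarg);
  if (options.port == 0) {
  fprintf(stderr, "Bad port '%s'\n", optarg);
- exit(1);
+ exit(255);
  }
  break;
  case 'l':
@@ -415,7 +427,7 @@ again:
  fprintf(stderr,
  "Bad local forwarding specification '%s'\n",
  optarg);
- exit(1);
+ exit(255);
  }
  break;
 
@@ -426,7 +438,7 @@ again:
  fprintf(stderr,
  "Bad remote forwarding specification "
  "'%s'\n", optarg);
- exit(1);
+ exit(255);
  }
  break;
 
@@ -437,7 +449,7 @@ again:
  if ((fwd.listen_host = hpdelim(&cp)) == NULL) {
  fprintf(stderr, "Bad dynamic forwarding "
  "specification '%.100s'\n", optarg);
- exit(1);
+ exit(255);
  }
  if (cp != NULL) {
  fwd.listen_port = a2port(cp);
@@ -450,7 +462,7 @@ again:
  if (fwd.listen_port == 0) {
  fprintf(stderr, "Bad dynamic port '%s'\n",
  optarg);
- exit(1);
+ exit(255);
  }
  add_local_forward(&options, &fwd);
  xfree(p);
@@ -471,7 +483,7 @@ again:
  line = xstrdup(optarg);
  if (process_config_line(&options, host ? host : "",
  line, "command-line", 0, &dummy) != 0)
- exit(1);
+ exit(255);
  xfree(line);
  break;
  case 's':
@@ -647,7 +659,7 @@ again:
  original_effective_uid == 0 && options.use_privileged_port,
 #endif
  options.proxy_command) != 0)
- exit(1);
+ exit(255);
 
  /*
  * If we successfully made the connection, load the host private key
@@ -700,7 +712,7 @@ again:
 
  /*
  * Now that we are back to our own permissions, create ~/.ssh
- * directory if it doesn\'t already exist.
+ * directory if it doesn't already exist.
  */
  snprintf(buf, sizeof buf, "%.100s%s%.100s", pw->pw_dir, strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
  if (stat(buf, &st) < 0)
@@ -796,8 +808,7 @@ ssh_init_forwarding(void)
  debug("Remote connections from %.200s:%d forwarded to "
  "local address %.200s:%d",
  (options.remote_forwards[i].listen_host == NULL) ?
- (options.gateway_ports ? "*" : "LOCALHOST") :
- options.remote_forwards[i].listen_host,
+ "LOCALHOST" : options.remote_forwards[i].listen_host,
  options.remote_forwards[i].listen_port,
  options.remote_forwards[i].connect_host,
  options.remote_forwards[i].connect_port);
@@ -813,7 +824,7 @@ static void
 check_agent_present(void)
 {
  if (options.forward_agent) {
- /* Clear agent forwarding if we don\'t have an agent. */
+ /* Clear agent forwarding if we don't have an agent. */
  if (!ssh_agent_present())
  options.forward_agent = 0;
  }
@@ -1015,7 +1026,7 @@ ssh_control_listener(void)
  fatal("ControlPath too long");
 
  if ((control_fd = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
- fatal("%s socket(): %s\n", __func__, strerror(errno));
+ fatal("%s socket(): %s", __func__, strerror(errno));
 
  old_umask = umask(0177);
  if (bind(control_fd, (struct sockaddr*)&addr, addr_len) == -1) {
@@ -1024,12 +1035,12 @@ ssh_control_listener(void)
  fatal("ControlSocket %s already exists",
  options.control_path);
  else
- fatal("%s bind(): %s\n", __func__, strerror(errno));
+ fatal("%s bind(): %s", __func__, strerror(errno));
  }
  umask(old_umask);
 
  if (listen(control_fd, 64) == -1)
- fatal("%s listen(): %s\n", __func__, strerror(errno));
+ fatal("%s listen(): %s", __func__, strerror(errno));
 
  set_nonblock(control_fd);
 }
@@ -1062,6 +1073,33 @@ ssh_session2_setup(int id, void *arg)
  packet_send();
  }
 
+ if (options.tun_open != SSH_TUNMODE_NO) {
+ Channel *c;
+ int fd;
+
+ debug("Requesting tun.");
+ if ((fd = tun_open(options.tun_local,
+ options.tun_open)) >= 0) {
+ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
+ 0, "tun", 1);
+ c->datagram = 1;
+#if defined(SSH_TUN_FILTER)
+ if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
+ channel_register_filter(c->self, sys_tun_infilter,
+ sys_tun_outfilter);
+#endif
+ packet_start(SSH2_MSG_CHANNEL_OPEN);
+ packet_put_cstring("tun@openssh.com");
+ packet_put_int(c->self);
+ packet_put_int(c->local_window_max);
+ packet_put_int(c->local_maxpacket);
+ packet_put_int(options.tun_open);
+ packet_put_int(options.tun_remote);
+ packet_send();
+ }
+ }
+
  client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"),
  NULL, fileno(stdin), &command, environ, &ssh_subsystem_reply);
 
@@ -1126,6 +1164,11 @@ ssh_session2(void)
  if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN))
  id = ssh_session2_open();
 
+ /* Execute a local command */
+ if (options.local_command != NULL &&
+ options.permit_local_command)
+ ssh_local_cmd(options.local_command);
+
  /* If requested, let ssh continue in the background. */
  if (fork_after_authentication_flag)
  if (daemon(1, 1) < 0)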
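Review bot: A failed tun_open() in the ssh_session2_setup hunk is silent: when it returns a negative fd the channel-open block is skipped, and the only trace is the earlier `debug("Requesting tun.")`, which is not shown at the default log level. A user who asked for `-w` then gets an otherwise normal session with no tunnel, and traffic they expected to be carried inside it may take whatever route the host already has. An else branch on that `if`, for example `else error("Tunnel device open failed.");`, would make the failure visible. Separately, the `-w` case in main() tests `options.tun_open == -1` against a bare literal, and whether an unset value is normalised before the `!= SSH_TUNMODE_NO` test depends on option defaulting that this diff does not show. The bodies of both functions continue outside their hunks.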
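diff --git a/ssh_config b/ssh_config
index 0510f347c..a3cac0e4e 100644
--- a/ssh_config
+++ b/ssh_config
@@ -1,4 +1,4 @@
-# $OpenBSD: ssh_config,v 1.20 2005/01/28 09:45:53 dtucker Exp $
+# $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $
 
 # This is the ssh client system-wide configuration file. See
 # ssh_config(5) for more information. This file provides defaults for
@@ -38,5 +38,8 @@ Host *
 # Cipher 3des
 # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
 # EscapeChar ~
+# Tunnel no
+# TunnelDevice any:any
+# PermitLocalCommand no
  SendEnv LANG LC_*
  HashKnownHosts yes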
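diff --git a/ssh_config.0 b/ssh_config.0
index a2706b69c..46a0543c3 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -129,16 +129,19 @@ DESCRIPTION
  on a control socket specified using the ControlPath argument.
  Additional sessions can connect to this socket using the same
  ControlPath with ControlMaster set to ``no'' (the default).
- These sessions will reuse the master instance's network connec-
- tion rather than initiating new ones. Setting this to ``ask''
- will cause ssh to listen for control connections, but require
- confirmation using the SSH_ASKPASS program before they are ac-
- cepted (see ssh-add(1) for details). If the ControlPath can not
- be opened, ssh will continue without connecting to a master in-
- stance.
+ These sessions will try to reuse the master instance's network
+ connection rather than initiating new ones, but will fall back to
+ connecting normally if the control socket does not exist, or is
+ not listening.
+
+ Setting this to ``ask'' will cause ssh to listen for control con-
+ nections, but require confirmation using the SSH_ASKPASS program
+ before they are accepted (see ssh-add(1) for details). If the
+ ControlPath can not be opened, ssh will continue without connect-
+ ing to a master instance.
 
  X11 and ssh-agent(1) forwarding is supported over these multi-
- plexed connections, however the display and agent fowarded will
+ plexed connections, however the display and agent forwarded will
  be the one belonging to the master connection i.e. it is not pos-
  sible to forward multiple displays or agents.
 
@@ -159,14 +162,24 @@ DESCRIPTION
  nections are uniquely identified.
 
  DynamicForward
- Specifies that a TCP/IP port on the local machine be forwarded
- over the secure channel, and the application protocol is then
- used to determine where to connect to from the remote machine.
- The argument must be a port number. Currently the SOCKS4 and
- SOCKS5 protocols are supported, and ssh will act as a SOCKS serv-
- er. Multiple forwardings may be specified, and additional for-
- wardings can be given on the command line. Only the superuser
- can forward privileged ports.
+ Specifies that a TCP port on the local machine be forwarded over
+ the secure channel, and the application protocol is then used to
+ determine where to connect to from the remote machine.
+
+ The argument must be [bind_address:]port. IPv6 addresses can be
+ specified by enclosing addresses in square brackets or by using
+ an alternative syntax: [bind_address/]port. By default, the lo-
+ cal port is bound in accordance with the GatewayPorts setting.
+ However, an explicit bind_address may be used to bind the connec-
+ tion to a specific address. The bind_address of ``localhost''
+ indicates that the listening port be bound for local use only,
+ while an empty address or `*' indicates that the port should be
+ available from all interfaces.
+
+ Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh
+ will act as a SOCKS server. Multiple forwardings may be speci-
+ fied, and additional forwardings can be given on the command
+ line. Only the superuser can forward privileged ports.
 
  EnableSSHKeysign
  Setting this option to ``yes'' in the global client configuration
@@ -280,6 +293,14 @@ DESCRIPTION
  permitted (both on the command line and in HostName specifica-
  tions).
 
+ IdentitiesOnly
+ Specifies that ssh should only use the authentication identity
+ files configured in the ssh_config files, even if the ssh-agent
+ offers more identities. The argument to this keyword must be
+ ``yes'' or ``no''. This option is intended for situations where
+ ssh-agent offers many different identities. The default is
+ ``no''.
+
  IdentityFile
  Specifies a file from which the user's RSA or DSA authentication
  identity is read. The default is ~/.ssh/identity for protocol
@@ -290,35 +311,33 @@ DESCRIPTION
  is possible to have multiple identity files specified in configu-
  ration files; all these identities will be tried in sequence.
 
- IdentitiesOnly
- Specifies that ssh should only use the authentication identity
- files configured in the ssh_config files, even if the ssh-agent
- offers more identities. The argument to this keyword must be
- ``yes'' or ``no''. This option is intented for situations where
- ssh-agent offers many different identities. The default is
- ``no''.
-
  KbdInteractiveDevices
  Specifies the list of methods to use in keyboard-interactive au-
  thentication. Multiple method names must be comma-separated.
  The default is to use the server specified list.
 
+ LocalCommand
+ Specifies a command to execute on the local machine after suc-
+ cessfully connecting to the server. The command string extends
+ to the end of the line, and is executed with /bin/sh. This di-
+ rective is ignored unless PermitLocalCommand has been enabled.
+
  LocalForward
- Specifies that a TCP/IP port on the local machine be forwarded
- over the secure channel to the specified host and port from the
- remote machine. The first argument must be [bind_address:]port
- and the second argument must be host:hostport. IPv6 addresses
- can be specified by enclosing addresses in square brackets or by
- using an alternative syntax: [bind_address/]port and
- host/hostport. Multiple forwardings may be specified, and addi-
- tional forwardings can be given on the command line. Only the
- superuser can forward privileged ports. By default, the local
- port is bound in accordance with the GatewayPorts setting. How-
- ever, an explicit bind_address may be used to bind the connection
- to a specific address. The bind_address of ``localhost'' indi-
- cates that the listening port be bound for local use only, while
- an empty address or `*' indicates that the port should be avail-
- able from all interfaces.
+ Specifies that a TCP port on the local machine be forwarded over
+ the secure channel to the specified host and port from the remote
+ machine. The first argument must be [bind_address:]port and the
+ second argument must be host:hostport. IPv6 addresses can be
+ specified by enclosing addresses in square brackets or by using
+ an alternative syntax: [bind_address/]port and host/hostport.
+ Multiple forwardings may be specified, and additional forwardings
+ can be given on the command line. Only the superuser can forward
+ privileged ports. By default, the local port is bound in accor-
+ dance with the GatewayPorts setting. However, an explicit
+ bind_address may be used to bind the connection to a specific ad-
+ dress. The bind_address of ``localhost'' indicates that the lis-
+ tening port be bound for local use only, while an empty address
+ or `*' indicates that the port should be available from all in-
+ terfaces.
 
  LogLevel
  Gives the verbosity level that is used when logging messages from
@@ -351,6 +370,11 @@ DESCRIPTION
  to this keyword must be ``yes'' or ``no''. The default is
  ``yes''.
 
+ PermitLocalCommand
+ Allow local command execution via the LocalCommand option or us-
+ ing the !command escape sequence in ssh(1). The argument must be
+ ``yes'' or ``no''. The default is ``no''.
+
  Port Specifies the port number to connect on the remote host. Default
  is 22.
 
@@ -393,16 +417,24 @@ DESCRIPTION
  to this keyword must be ``yes'' or ``no''. The default is
  ``yes''. This option applies to protocol version 2 only.
 
+ RekeyLimit
+ Specifies the maximum amount of data that may be transmitted be-
+ fore the session key is renegotiated. The argument is the number
+ of bytes, with an optional suffix of `K', `M', or `G' to indicate
+ Kilobytes, Megabytes, or Gigabytes, respectively. The default is
+ between ``1G'' and ``4G'', depending on the cipher. This option
+ applies to protocol version 2 only.
+
  RemoteForward
- Specifies that a TCP/IP port on the remote machine be forwarded
- over the secure channel to the specified host and port from the
- local machine. The first argument must be [bind_address:]port
- and the second argument must be host:hostport. IPv6 addresses
- can be specified by enclosing addresses in square brackets or by
- using an alternative syntax: [bind_address/]port and
- host/hostport. Multiple forwardings may be specified, and addi-
- tional forwardings can be given on the command line. Only the
- superuser can forward privileged ports.
+ Specifies that a TCP port on the remote machine be forwarded over
+ the secure channel to the specified host and port from the local
+ machine. The first argument must be [bind_address:]port and the
+ second argument must be host:hostport. IPv6 addresses can be
+ specified by enclosing addresses in square brackets or by using
+ an alternative syntax: [bind_address/]port and host/hostport.
+ Multiple forwardings may be specified, and additional forwardings
+ can be given on the command line. Only the superuser can forward
+ privileged ports.
 
  If the bind_address is not specified, the default is to only bind
  to loopback addresses. If the bind_address is `*' or an empty
@@ -434,15 +466,8 @@ DESCRIPTION
  separated by whitespace or spread across multiple SendEnv direc-
  tives. The default is not to send any environment variables.
 
- ServerAliveInterval
- Sets a timeout interval in seconds after which if no data has
- been received from the server, ssh will send a message through
- the encrypted channel to request a response from the server. The
- default is 0, indicating that these messages will not be sent to
- the server. This option applies to protocol version 2 only.
-
  ServerAliveCountMax
- Sets the number of server alive messages (see above) which may be
+ Sets the number of server alive messages (see below) which may be
  sent without ssh receiving any messages back from the server. If
  this threshold is reached while server alive messages are being
  sent, ssh will disconnect from the server, terminating the ses-
@@ -455,9 +480,16 @@ DESCRIPTION
  tion has become inactive.
 
  The default value is 3. If, for example, ServerAliveInterval
- (above) is set to 15, and ServerAliveCountMax is left at the de-
- fault, if the server becomes unresponsive ssh will disconnect af-
- ter approximately 45 seconds.
+ (see below) is set to 15, and ServerAliveCountMax is left at the
+ default, if the server becomes unresponsive ssh will disconnect
+ after approximately 45 seconds.
+
+ ServerAliveInterval
+ Sets a timeout interval in seconds after which if no data has
+ been received from the server, ssh will send a message through
+ the encrypted channel to request a response from the server. The
+ default is 0, indicating that these messages will not be sent to
+ the server. This option applies to protocol version 2 only.
 
  SmartcardDevice
  Specifies which smartcard device to use. The argument to this
@@ -496,6 +528,16 @@ DESCRIPTION
  To disable TCP keepalive messages, the value should be set to
  ``no''.
 
+ Tunnel Request starting tun(4) device forwarding between the client and
+ the server. This option also allows requesting layer 2 (ether-
+ net) instead of layer 3 (point-to-point) tunneling from the serv-
+ er. The argument must be ``yes'', ``point-to-point'',
+ ``ethernet'' or ``no''. The default is ``no''.
+
+ TunnelDevice
+ Force a specified tun(4) device on the client. Without this op-
+ tion, the next available device will be used.
+
  UsePrivilegedPort
  Specifies whether to use a privileged port for outgoing connec-
  tions. The argument must be ``yes'' or ``no''. The default is
@@ -551,4 +593,4 @@ AUTHORS
  ated OpenSSH. Markus Friedl contributed the support for SSH protocol
  versions 1.5 and 2.0.
 
-OpenBSD 3.8 September 25, 1999 9
+OpenBSD 3.9 September 25, 1999 9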
diff --git a/ssh_config.5 b/ssh_config.5
index b232a0203..889def626 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh_config.5,v 1.61 2005/07/08 12:53:10 jmc Exp $ 37.\" $OpenBSD: ssh_config.5,v 1.76 2006/01/20 11:21:45 jmc Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSH_CONFIG 5 39.Dt SSH_CONFIG 5
40.Os 40.Os
@@ -270,8 +270,10 @@ with
270set to 270set to
271.Dq no 271.Dq no
272(the default). 272(the default).
273These sessions will reuse the master instance's network connection rather 273These sessions will try to reuse the master instance's network connection
274than initiating new ones. 274rather than initiating new ones, but will fall back to connecting normally
275if the control socket does not exist, or is not listening.
276.Pp
275Setting this to 277Setting this to
276.Dq ask 278.Dq ask
277will cause 279will cause
@@ -290,7 +292,7 @@ will continue without connecting to a master instance.
290X11 and 292X11 and
291.Xr ssh-agent 1 293.Xr ssh-agent 1
292forwarding is supported over these multiplexed connections, however the 294forwarding is supported over these multiplexed connections, however the
293display and agent fowarded will be the one belonging to the master 295display and agent forwarded will be the one belonging to the master
294connection i.e. it is not possible to forward multiple displays or agents. 296connection i.e. it is not possible to forward multiple displays or agents.
295.Pp 297.Pp
296Two additional options allow for opportunistic multiplexing: try to use a 298Two additional options allow for opportunistic multiplexing: try to use a
@@ -323,11 +325,33 @@ used for opportunistic connection sharing include
323all three of these escape sequences. 325all three of these escape sequences.
324This ensures that shared connections are uniquely identified. 326This ensures that shared connections are uniquely identified.
325.It Cm DynamicForward 327.It Cm DynamicForward
326Specifies that a TCP/IP port on the local machine be forwarded 328Specifies that a TCP port on the local machine be forwarded
327over the secure channel, and the application 329over the secure channel, and the application
328protocol is then used to determine where to connect to from the 330protocol is then used to determine where to connect to from the
329remote machine. 331remote machine.
330The argument must be a port number. 332.Pp
333The argument must be
334.Sm off
335.Oo Ar bind_address : Oc Ar port .
336.Sm on
337IPv6 addresses can be specified by enclosing addresses in square brackets or
338by using an alternative syntax:
339.Oo Ar bind_address Ns / Oc Ns Ar port .
340By default, the local port is bound in accordance with the
341.Cm GatewayPorts
342setting.
343However, an explicit
344.Ar bind_address
345may be used to bind the connection to a specific address.
346The
347.Ar bind_address
348of
349.Dq localhost
350indicates that the listening port be bound for local use only, while an
351empty address or
352.Sq *
353indicates that the port should be available from all interfaces.
354.Pp
331Currently the SOCKS4 and SOCKS5 protocols are supported, and 355Currently the SOCKS4 and SOCKS5 protocols are supported, and
332.Nm ssh 356.Nm ssh
333will act as a SOCKS server. 357will act as a SOCKS server.
@@ -501,23 +525,6 @@ Default is the name given on the command line.
501Numeric IP addresses are also permitted (both on the command line and in 525Numeric IP addresses are also permitted (both on the command line and in
502.Cm HostName 526.Cm HostName
503specifications). 527specifications).
504.It Cm IdentityFile
505Specifies a file from which the user's RSA or DSA authentication identity
506is read.
507The default is
508.Pa ~/.ssh/identity
509for protocol version 1, and
510.Pa ~/.ssh/id_rsa
511and
512.Pa ~/.ssh/id_dsa
513for protocol version 2.
514Additionally, any identities represented by the authentication agent
515will be used for authentication.
516The file name may use the tilde
517syntax to refer to a user's home directory.
518It is possible to have
519multiple identity files specified in configuration files; all these
520identities will be tried in sequence.
521.It Cm IdentitiesOnly 528.It Cm IdentitiesOnly
522Specifies that 529Specifies that
523.Nm ssh 530.Nm ssh
@@ -531,17 +538,42 @@ The argument to this keyword must be
531.Dq yes 538.Dq yes
532or 539or
533.Dq no . 540.Dq no .
534This option is intented for situations where 541This option is intended for situations where
535.Nm ssh-agent 542.Nm ssh-agent
536offers many different identities. 543offers many different identities.
537The default is 544The default is
538.Dq no . 545.Dq no .
546.It Cm IdentityFile
547Specifies a file from which the user's RSA or DSA authentication identity
548is read.
549The default is
550.Pa ~/.ssh/identity
551for protocol version 1, and
552.Pa ~/.ssh/id_rsa
553and
554.Pa ~/.ssh/id_dsa
555for protocol version 2.
556Additionally, any identities represented by the authentication agent
557will be used for authentication.
558The file name may use the tilde
559syntax to refer to a user's home directory.
560It is possible to have
561multiple identity files specified in configuration files; all these
562identities will be tried in sequence.
539.It Cm KbdInteractiveDevices 563.It Cm KbdInteractiveDevices
540Specifies the list of methods to use in keyboard-interactive authentication. 564Specifies the list of methods to use in keyboard-interactive authentication.
541Multiple method names must be comma-separated. 565Multiple method names must be comma-separated.
542The default is to use the server specified list. 566The default is to use the server specified list.
567.It Cm LocalCommand
568Specifies a command to execute on the local machine after successfully
569connecting to the server.
570The command string extends to the end of the line, and is executed with
571.Pa /bin/sh .
572This directive is ignored unless
573.Cm PermitLocalCommand
574has been enabled.
543.It Cm LocalForward 575.It Cm LocalForward
544Specifies that a TCP/IP port on the local machine be forwarded over 576Specifies that a TCP port on the local machine be forwarded over
545the secure channel to the specified host and port from the remote machine. 577the secure channel to the specified host and port from the remote machine.
546The first argument must be 578The first argument must be
547.Sm off 579.Sm off
@@ -609,6 +641,19 @@ or
609.Dq no . 641.Dq no .
610The default is 642The default is
611.Dq yes . 643.Dq yes .
644.It Cm PermitLocalCommand
645Allow local command execution via the
646.Ic LocalCommand
647option or using the
648.Ic !\& Ns Ar command
649escape sequence in
650.Xr ssh 1 .
651The argument must be
652.Dq yes
653or
654.Dq no .
655The default is
656.Dq no .
612.It Cm Port 657.It Cm Port
613Specifies the port number to connect on the remote host. 658Specifies the port number to connect on the remote host.
614Default is 22. 659Default is 22.
@@ -681,8 +726,23 @@ or
681The default is 726The default is
682.Dq yes . 727.Dq yes .
683This option applies to protocol version 2 only. 728This option applies to protocol version 2 only.
729.It Cm RekeyLimit
730Specifies the maximum amount of data that may be transmitted before the
731session key is renegotiated.
732The argument is the number of bytes, with an optional suffix of
733.Sq K ,
734.Sq M ,
735or
736.Sq G
737to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
738The default is between
739.Dq 1G
740and
741.Dq 4G ,
742depending on the cipher.
743This option applies to protocol version 2 only.
684.It Cm RemoteForward 744.It Cm RemoteForward
685Specifies that a TCP/IP port on the remote machine be forwarded over 745Specifies that a TCP port on the remote machine be forwarded over
686the secure channel to the specified host and port from the local machine. 746the secure channel to the specified host and port from the local machine.
687The first argument must be 747The first argument must be
688.Sm off 748.Sm off
@@ -759,21 +819,8 @@ across multiple
759.Cm SendEnv 819.Cm SendEnv
760directives. 820directives.
761The default is not to send any environment variables. 821The default is not to send any environment variables.
762.It Cm ServerAliveInterval
763Sets a timeout interval in seconds after which if no data has been received
764from the server,
765.Nm ssh
766will send a message through the encrypted
767channel to request a response from the server.
768The default
769is 0, indicating that these messages will not be sent to the server,
770or 300 if the
771.Cm BatchMode
772option is set.
773.Cm ProtocolKeepAlives
774is a Debian-specific compatibility alias for this option.
775.It Cm ServerAliveCountMax 822.It Cm ServerAliveCountMax
776Sets the number of server alive messages (see above) which may be 823Sets the number of server alive messages (see below) which may be
777sent without 824sent without
778.Nm ssh 825.Nm ssh
779receiving any messages back from the server. 826receiving any messages back from the server.
@@ -795,7 +842,7 @@ server depend on knowing when a connection has become inactive.
795The default value is 3. 842The default value is 3.
796If, for example, 843If, for example,
797.Cm ServerAliveInterval 844.Cm ServerAliveInterval
798(above) is set to 15, and 845(see below) is set to 15, and
799.Cm ServerAliveCountMax 846.Cm ServerAliveCountMax
800is left at the default, if the server becomes unresponsive ssh 847is left at the default, if the server becomes unresponsive ssh
801will disconnect after approximately 45 seconds. 848will disconnect after approximately 45 seconds.
@@ -803,6 +850,20 @@ This option works when using protocol version 2 only; in protocol version
8031 there is no mechanism to request a response from the server to the 8501 there is no mechanism to request a response from the server to the
804server alive messages, so disconnection is the responsibility of the TCP 851server alive messages, so disconnection is the responsibility of the TCP
805stack. 852stack.
853.It Cm ServerAliveInterval
854Sets a timeout interval in seconds after which if no data has been received
855from the server,
856.Nm ssh
857will send a message through the encrypted
858channel to request a response from the server.
859The default
860is 0, indicating that these messages will not be sent to the server,
861or 300 if the
862.Cm BatchMode
863option is set.
864This option applies to protocol version 2 only.
865.Cm ProtocolKeepAlives
866is a Debian-specific compatibility alias for this option.
806.It Cm SetupTimeOut 867.It Cm SetupTimeOut
807Normally, 868Normally,
808.Nm ssh 869.Nm ssh
@@ -885,6 +946,25 @@ This is important in scripts, and many users want it too.
885.Pp 946.Pp
886To disable TCP keepalive messages, the value should be set to 947To disable TCP keepalive messages, the value should be set to
887.Dq no . 948.Dq no .
949.It Cm Tunnel
950Request starting
951.Xr tun 4
952device forwarding between the client and the server.
953This option also allows requesting layer 2 (ethernet)
954instead of layer 3 (point-to-point) tunneling from the server.
955The argument must be
956.Dq yes ,
957.Dq point-to-point ,
958.Dq ethernet
959or
960.Dq no .
961The default is
962.Dq no .
963.It Cm TunnelDevice
964Force a specified
965.Xr tun 4
966device on the client.
967Without this option, the next available device will be used.
888.It Cm UsePrivilegedPort 968.It Cm UsePrivilegedPort
889Specifies whether to use a privileged port for outgoing connections. 969Specifies whether to use a privileged port for outgoing connections.
890The argument must be 970The argument must be
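diff --git a/sshconnect.c b/sshconnect.c
index 10eaac35d..8a63ef22b 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -13,7 +13,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.168 2005/07/17 07:17:55 djm Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.171 2005/12/06 22:38:27 reyk Exp $");
 
 #include <openssl/bn.h>
 
@@ -31,13 +31,12 @@ RCSID("$OpenBSD: sshconnect.c,v 1.168 2005/07/17 07:17:55 djm Exp $");
 #include "readconf.h"
 #include "atomicio.h"
 #include "misc.h"
-
 #include "dns.h"
 
 char *client_version_string = NULL;
 char *server_version_string = NULL;
 
-int matching_host_key_dns = 0;
+static int matching_host_key_dns = 0;
 
 /* import */
 extern Options options;
@@ -647,7 +646,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
  file_key = key_new(host_key->type);
 
  /*
- * Check if the host key is present in the user\'s list of known
+ * Check if the host key is present in the user's list of known
  * hosts or in the systemwide list.
  */
  host_file = user_hostfile;
@@ -1078,3 +1077,39 @@ warn_changed_key(Key *host_key)
 
  xfree(fp);
 }
+
+/*
+ * Execute a local command
+ */
+int
+ssh_local_cmd(const char *args)
+{
+ char *shell;
+ pid_t pid;
+ int status;
+
+ if (!options.permit_local_command ||
+ args == NULL || !*args)
+ return (1);
+
+ if ((shell = getenv("SHELL")) == NULL)
+ shell = _PATH_BSHELL;
+
+ pid = fork();
+ if (pid == 0) {
+ debug3("Executing %s -c \"%s\"", shell, args);
+ execl(shell, shell, "-c", args, (char *)NULL);
+ error("Couldn't execute %s -c \"%s\": %s",
+ shell, args, strerror(errno));
+ _exit(1);
+ } else if (pid == -1)
+ fatal("fork failed: %.100s", strerror(errno));
+ while (waitpid(pid, &status, 0) == -1)
+ if (errno != EINTR)
+ fatal("Couldn't wait for child: %s", strerror(errno));
+
+ if (!WIFEXITED(status))
+ return (1);
+
+ return (WEXITSTATUS(status));
+}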
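Review bot: ssh_local_cmd() takes its interpreter from `getenv("SHELL")` and only falls back to `_PATH_BSHELL`, while the LocalCommand text this commit adds to the ssh_config manual says the command "is executed with /bin/sh". The string is therefore parsed by whatever $SHELL names, so the same configuration line can behave differently between users, or when the variable is inherited from a parent process. Either drop the lookup and set `shell = _PATH_BSHELL;` unconditionally, or change the manual sentence to say that the user's shell is used. A header comment stating the return contract would also help callers, e.g. `/* Returns the command's exit status, or 1 if local commands are disabled, args is empty, or the child did not exit normally. */`.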
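diff --git a/sshconnect.h b/sshconnect.h
index 0be30fe69..e7c7a2b34 100644
--- a/sshconnect.h
+++ b/sshconnect.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.h,v 1.17 2002/06/19 00:27:55 deraadt Exp $ */
+/* $OpenBSD: sshconnect.h,v 1.18 2005/12/06 22:38:28 reyk Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -49,7 +49,7 @@ void ssh_userauth1(const char *, const char *, char *, Sensitive *);
 void ssh_userauth2(const char *, const char *, char *, Sensitive *);
 
 void ssh_put_password(char *);
-
+int ssh_local_cmd(const char *);
 
 /*
  * Macros to raise/lower permissions.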
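diff --git a/sshconnect1.c b/sshconnect1.c
index bd05723c7..440d7c5bd 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,7 +13,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.61 2005/06/17 02:44:33 djm Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.62 2005/10/30 08:52:18 djm Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@@ -84,7 +84,7 @@ try_agent_authentication(void)
  /* Wait for server's response. */
  type = packet_read();
 
- /* The server sends failure if it doesn\'t like our key or
+ /* The server sends failure if it doesn't like our key or
  does not support RSA authentication. */
  if (type == SSH_SMSG_FAILURE) {
  debug("Server refused our key.");
@@ -215,8 +215,8 @@ try_rsa_authentication(int idx)
  type = packet_read();
 
  /*
- * The server responds with failure if it doesn\'t like our key or
- * doesn\'t support RSA authentication.
+ * The server responds with failure if it doesn't like our key or
+ * doesn't support RSA authentication.
  */
  if (type == SSH_SMSG_FAILURE) {
  debug("Server refused our key.");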
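diff --git a/sshconnect2.c b/sshconnect2.c
index 579e60c1c..7ee71763a 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.142 2005/08/30 22:08:05 djm Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.143 2005/10/14 02:17:59 stevesk Exp $");
 
 #include "openbsd-compat/sys-queue.h"
 
@@ -769,7 +769,7 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
 
  packet_check_eom();
 
- debug("Server GSSAPI Error:\n%s\n", msg);
+ debug("Server GSSAPI Error:\n%s", msg);
  xfree(msg);
  xfree(lang);
 }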
diff --git a/sshd.0 b/sshd.0
index 9a9613b54..040be6cad 100644
--- a/sshd.0
+++ b/sshd.0
@@ -8,95 +8,20 @@ SYNOPSIS
8 [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len] 8 [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]
9 9
10DESCRIPTION 10DESCRIPTION
11 sshd (SSH Daemon) is the daemon program for ssh(1). Together these pro- 11 sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these
12 grams replace rlogin and rsh, and provide secure encrypted communications 12 programs replace rlogin and rsh, and provide secure encrypted communica-
13 between two untrusted hosts over an insecure network. The programs are 13 tions between two untrusted hosts over an insecure network.
14 intended to be as easy to install and use as possible.
15
16 sshd is the daemon that listens for connections from clients. It is nor-
17 mally started at boot from /etc/rc. It forks a new daemon for each in-
18 coming connection. The forked daemons handle key exchange, encryption,
19 authentication, command execution, and data exchange. This implementa-
20 tion of sshd supports both SSH protocol version 1 and 2 simultaneously.
21 sshd works as follows:
22
23 SSH protocol version 1
24 Each host has a host-specific RSA key (normally 2048 bits) used to iden-
25 tify the host. Additionally, when the daemon starts, it generates a
26 server RSA key (normally 768 bits). This key is normally regenerated ev-
27 ery hour if it has been used, and is never stored on disk.
28
29 Whenever a client connects, the daemon responds with its public host and
30 server keys. The client compares the RSA host key against its own
31 database to verify that it has not changed. The client then generates a
32 256-bit random number. It encrypts this random number using both the
33 host key and the server key, and sends the encrypted number to the serv-
34 er. Both sides then use this random number as a session key which is
35 used to encrypt all further communications in the session. The rest of
36 the session is encrypted using a conventional cipher, currently Blowfish
37 or 3DES, with 3DES being used by default. The client selects the encryp-
38 tion algorithm to use from those offered by the server.
39 14
40 Next, the server and the client enter an authentication dialog. The 15 sshd listens for connections from clients. It is normally started at
41 client tries to authenticate itself using .rhosts authentication combined 16 boot from /etc/rc. It forks a new daemon for each incoming connection.
42 with RSA host authentication, RSA challenge-response authentication, or 17 The forked daemons handle key exchange, encryption, authentication, com-
43 password based authentication. 18 mand execution, and data exchange.
44
45 Regardless of the authentication type, the account is checked to ensure
46 that it is accessible. An account is not accessible if it is locked,
47 listed in DenyUsers or its group is listed in DenyGroups . The defini-
48 tion of a locked account is system dependant. Some platforms have their
49 own account database (eg AIX) and some modify the passwd field ( `*LK*'
50 on Solaris, `*' on HP-UX, containing `Nologin' on Tru64 and a leading
51 `!!' on Linux). If there is a requirement to disable password authenti-
52 cation for the account while allowing still public-key, then the passwd
53 field should be set to something other than these values (eg `NP' or
54 `*NP*' ).
55
56 rshd, rlogind, and rexecd are disabled (thus completely disabling rlogin
57 and rsh into the machine).
58
59 SSH protocol version 2
60 Version 2 works similarly: Each host has a host-specific key (RSA or DSA)
61 used to identify the host. However, when the daemon starts, it does not
62 generate a server key. Forward security is provided through a Diffie-
63 Hellman key agreement. This key agreement results in a shared session
64 key.
65
66 The rest of the session is encrypted using a symmetric cipher, currently
67 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit
68 AES. The client selects the encryption algorithm to use from those of-
69 fered by the server. Additionally, session integrity is provided through
70 a cryptographic message authentication code (hmac-sha1 or hmac-md5).
71
72 Protocol version 2 provides a public key based user (PubkeyAuthentica-
73 tion) or client host (HostbasedAuthentication) authentication method,
74 conventional password authentication and challenge response based meth-
75 ods.
76
77 Command execution and data forwarding
78 If the client successfully authenticates itself, a dialog for preparing
79 the session is entered. At this time the client may request things like
80 allocating a pseudo-tty, forwarding X11 connections, forwarding TCP/IP
81 connections, or forwarding the authentication agent connection over the
82 secure channel.
83
84 Finally, the client either requests a shell or execution of a command.
85 The sides then enter session mode. In this mode, either side may send
86 data at any time, and such data is forwarded to/from the shell or command
87 on the server side, and the user terminal in the client side.
88
89 When the user program terminates and all forwarded X11 and other connec-
90 tions have been closed, the server sends command exit status to the
91 client, and both sides exit.
92 19
93 sshd can be configured using command-line options or a configuration file 20 sshd can be configured using command-line options or a configuration file
94 (by default sshd_config(5)). Command-line options override values speci- 21 (by default sshd_config(5)); command-line options override values speci-
95 fied in the configuration file. 22 fied in the configuration file. sshd rereads its configuration file when
96 23 it receives a hangup signal, SIGHUP, by executing itself with the name
97 sshd rereads its configuration file when it receives a hangup signal, 24 and options it was started with, e.g., /usr/sbin/sshd.
98 SIGHUP, by executing itself with the name and options it was started
99 with, e.g., /usr/sbin/sshd.
100 25
101 The options are as follows: 26 The options are as follows:
102 27
@@ -165,8 +90,9 @@ DESCRIPTION
165 -p port 90 -p port
166 Specifies the port on which the server listens for connections 91 Specifies the port on which the server listens for connections
167 (default 22). Multiple port options are permitted. Ports speci- 92 (default 22). Multiple port options are permitted. Ports speci-
168 fied in the configuration file are ignored when a command-line 93 fied in the configuration file with the Port option are ignored
169 port is specified. 94 when a command-line port is specified. Ports specified using the
95 ListenAddress option override command-line ports.
170 96
171 -q Quiet mode. Nothing is sent to the system log. Normally the be- 97 -q Quiet mode. Nothing is sent to the system log. Normally the be-
172 ginning, authentication, and termination of each connection is 98 ginning, authentication, and termination of each connection is
@@ -185,15 +111,74 @@ DESCRIPTION
185 the utmp file. -u0 may also be used to prevent sshd from making 111 the utmp file. -u0 may also be used to prevent sshd from making
186 DNS requests unless the authentication mechanism or configuration 112 DNS requests unless the authentication mechanism or configuration
187 requires it. Authentication mechanisms that may require DNS in- 113 requires it. Authentication mechanisms that may require DNS in-
188 clude RhostsRSAAuthentication, HostbasedAuthentication and using 114 clude RhostsRSAAuthentication, HostbasedAuthentication, and using
189 a from="pattern-list" option in a key file. Configuration op- 115 a from="pattern-list" option in a key file. Configuration op-
190 tions that require DNS include using a USER@HOST pattern in 116 tions that require DNS include using a USER@HOST pattern in
191 AllowUsers or DenyUsers. 117 AllowUsers or DenyUsers.
192 118
193CONFIGURATION FILE 119AUTHENTICATION
194 sshd reads configuration data from /etc/ssh/sshd_config (or the file 120 The OpenSSH SSH daemon supports SSH protocols 1 and 2. Both protocols
195 specified with -f on the command line). The file format and configura- 121 are supported by default, though this can be changed via the Protocol op-
196 tion options are described in sshd_config(5). 122 tion in sshd_config(5). Protocol 2 supports both RSA and DSA keys; pro-
123 tocol 1 only supports RSA keys. For both protocols, each host has a
124 host-specific key, normally 2048 bits, used to identify the host.
125
126 Forward security for protocol 1 is provided through an additional server
127 key, normally 768 bits, generated when the server starts. This key is
128 normally regenerated every hour if it has been used, and is never stored
129 on disk. Whenever a client connects, the daemon responds with its public
130 host and server keys. The client compares the RSA host key against its
131 own database to verify that it has not changed. The client then gener-
132 ates a 256-bit random number. It encrypts this random number using both
133 the host key and the server key, and sends the encrypted number to the
134 server. Both sides then use this random number as a session key which is
135 used to encrypt all further communications in the session. The rest of
136 the session is encrypted using a conventional cipher, currently Blowfish
137 or 3DES, with 3DES being used by default. The client selects the encryp-
138 tion algorithm to use from those offered by the server.
139
140 For protocol 2, forward security is provided through a Diffie-Hellman key
141 agreement. This key agreement results in a shared session key. The rest
142 of the session is encrypted using a symmetric cipher, currently 128-bit
143 AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The
144 client selects the encryption algorithm to use from those offered by the
145 server. Additionally, session integrity is provided through a crypto-
146 graphic message authentication code (hmac-sha1 or hmac-md5).
147
148 Finally, the server and the client enter an authentication dialog. The
149 client tries to authenticate itself using host-based authentication, pub-
150 lic key authentication, challenge-response authentication, or password
151 authentication.
152
153 Regardless of the authentication type, the account is checked to ensure
154 that it is accessible. An account is not accessible if it is locked,
155 listed in DenyUsers or its group is listed in DenyGroups . The defini-
156 tion of a locked account is system dependant. Some platforms have their
157 own account database (eg AIX) and some modify the passwd field ( `*LK*'
158 on Solaris and UnixWare, `*' on HP-UX, containing `Nologin' on Tru64, a
159 leading `*LOCKED*' on FreeBSD and a leading `!!' on Linux). If there is
160 a requirement to disable password authentication for the account while
161 allowing still public-key, then the passwd field should be set to some-
162 thing other than these values (eg `NP' or `*NP*' ).
163
164 System security is not improved unless rshd, rlogind, and rexecd are dis-
165 abled (thus completely disabling rlogin and rsh into the machine).
166
167COMMAND EXECUTION AND DATA FORWARDING
168 If the client successfully authenticates itself, a dialog for preparing
169 the session is entered. At this time the client may request things like
170 allocating a pseudo-tty, forwarding X11 connections, forwarding TCP con-
171 nections, or forwarding the authentication agent connection over the se-
172 cure channel.
173
174 Finally, the client either requests a shell or execution of a command.
175 The sides then enter session mode. In this mode, either side may send
176 data at any time, and such data is forwarded to/from the shell or command
177 on the server side, and the user terminal in the client side.
178
179 When the user program terminates and all forwarded X11 and other connec-
180 tions have been closed, the server sends command exit status to the
181 client, and both sides exit.
197 182
198LOGIN PROCESS 183LOGIN PROCESS
199 When a user successfully logs in, sshd does the following: 184 When a user successfully logs in, sshd does the following:
@@ -280,9 +265,9 @@ AUTHORIZED_KEYS FILE FORMAT
280 backslash. This option might be useful to restrict certain pub- 265 backslash. This option might be useful to restrict certain pub-
281 lic keys to perform just a specific operation. An example might 266 lic keys to perform just a specific operation. An example might
282 be a key that permits remote backups but nothing else. Note that 267 be a key that permits remote backups but nothing else. Note that
283 the client may specify TCP/IP and/or X11 forwarding unless they 268 the client may specify TCP and/or X11 forwarding unless they are
284 are explicitly prohibited. Note that this option applies to 269 explicitly prohibited. Note that this option applies to shell,
285 shell, command or subsystem execution. 270 command or subsystem execution.
286 271
287 environment="NAME=value" 272 environment="NAME=value"
288 Specifies that the string is to be added to the environment when 273 Specifies that the string is to be added to the environment when
@@ -293,10 +278,9 @@ AUTHORIZED_KEYS FILE FORMAT
293 This option is automatically disabled if UseLogin is enabled. 278 This option is automatically disabled if UseLogin is enabled.
294 279
295 no-port-forwarding 280 no-port-forwarding
296 Forbids TCP/IP forwarding when this key is used for authentica- 281 Forbids TCP forwarding when this key is used for authentication.
297 tion. Any port forward requests by the client will return an er- 282 Any port forward requests by the client will return an error.
298 ror. This might be used, e.g., in connection with the command 283 This might be used, e.g., in connection with the command option.
299 option.
300 284
301 no-X11-forwarding 285 no-X11-forwarding
302 Forbids X11 forwarding when this key is used for authentication. 286 Forbids X11 forwarding when this key is used for authentication.
@@ -316,6 +300,11 @@ AUTHORIZED_KEYS FILE FORMAT
316 is performed on the specified hostnames, they must be literal do- 300 is performed on the specified hostnames, they must be literal do-
317 mains or addresses. 301 mains or addresses.
318 302
303 tunnel="n"
304 Force a tun(4) device on the server. Without this option, the
305 next available device will be used if the client requests a tun-
306 nel.
307
319 Examples 308 Examples
320 1024 33 12121...312314325 ylo@foo.bar 309 1024 33 12121...312314325 ylo@foo.bar
321 310
@@ -326,6 +315,9 @@ AUTHORIZED_KEYS FILE FORMAT
326 315
327 permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 316 permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323
328 317
318 tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== reyk@openb-
319 sd.org
320
329SSH_KNOWN_HOSTS FILE FORMAT 321SSH_KNOWN_HOSTS FILE FORMAT
330 The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host 322 The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host
331 public keys for all known hosts. The global file should be prepared by 323 public keys for all known hosts. The global file should be prepared by
@@ -571,4 +563,4 @@ AUTHORS
571 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 563 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
572 for privilege separation. 564 for privilege separation.
573 565
574OpenBSD 3.8 September 25, 1999 9 566OpenBSD 3.9 September 25, 1999 9
diff --git a/sshd.8 b/sshd.8
index 92eb7a9da..fec3c3582 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: sshd.8,v 1.208 2005/06/08 03:50:00 djm Exp $ 37.\" $OpenBSD: sshd.8,v 1.215 2006/02/01 09:11:41 jmc Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSHD 8 39.Dt SSHD 8
40.Os 40.Os
@@ -56,16 +56,14 @@
56.Ek 56.Ek
57.Sh DESCRIPTION 57.Sh DESCRIPTION
58.Nm 58.Nm
59(SSH Daemon) is the daemon program for 59(OpenSSH Daemon) is the daemon program for
60.Xr ssh 1 . 60.Xr ssh 1 .
61Together these programs replace rlogin and rsh, and 61Together these programs replace rlogin and rsh, and
62provide secure encrypted communications between two untrusted hosts 62provide secure encrypted communications between two untrusted hosts
63over an insecure network. 63over an insecure network.
64The programs are intended to be as easy to
65install and use as possible.
66.Pp 64.Pp
67.Nm 65.Nm
68is the daemon that listens for connections from clients. 66listens for connections from clients.
69It is normally started at boot from 67It is normally started at boot from
70.Pa /etc/rc . 68.Pa /etc/rc .
71It forks a new 69It forks a new
@@ -73,119 +71,13 @@ daemon for each incoming connection.
73The forked daemons handle 71The forked daemons handle
74key exchange, encryption, authentication, command execution, 72key exchange, encryption, authentication, command execution,
75and data exchange. 73and data exchange.
76This implementation of
77.Nm
78supports both SSH protocol version 1 and 2 simultaneously.
79.Nm
80works as follows:
81.Ss SSH protocol version 1
82Each host has a host-specific RSA key
83(normally 2048 bits) used to identify the host.
84Additionally, when
85the daemon starts, it generates a server RSA key (normally 768 bits).
86This key is normally regenerated every hour if it has been used, and
87is never stored on disk.
88.Pp
89Whenever a client connects, the daemon responds with its public
90host and server keys.
91The client compares the
92RSA host key against its own database to verify that it has not changed.
93The client then generates a 256-bit random number.
94It encrypts this
95random number using both the host key and the server key, and sends
96the encrypted number to the server.
97Both sides then use this
98random number as a session key which is used to encrypt all further
99communications in the session.
100The rest of the session is encrypted
101using a conventional cipher, currently Blowfish or 3DES, with 3DES
102being used by default.
103The client selects the encryption algorithm
104to use from those offered by the server.
105.Pp
106Next, the server and the client enter an authentication dialog.
107The client tries to authenticate itself using
108.Em .rhosts
109authentication combined with RSA host
110authentication, RSA challenge-response authentication, or password
111based authentication.
112.Pp
113Regardless of the authentication type, the account is checked to
114ensure that it is accessible. An account is not accessible if it is
115locked, listed in
116.Cm DenyUsers
117or its group is listed in
118.Cm DenyGroups
119\&. The definition of a locked account is system dependant. Some platforms
120have their own account database (eg AIX) and some modify the passwd field (
121.Ql \&*LK\&*
122on Solaris,
123.Ql \&*
124on HP-UX, containing
125.Ql Nologin
126on Tru64 and a leading
127.Ql \&!!
128on Linux). If there is a requirement to disable password authentication
129for the account while allowing still public-key, then the passwd field
130should be set to something other than these values (eg
131.Ql NP
132or
133.Ql \&*NP\&*
134).
135.Pp
136.Nm rshd ,
137.Nm rlogind ,
138and
139.Nm rexecd
140are disabled (thus completely disabling
141.Xr rlogin
142and
143.Xr rsh
144into the machine).
145.Ss SSH protocol version 2
146Version 2 works similarly:
147Each host has a host-specific key (RSA or DSA) used to identify the host.
148However, when the daemon starts, it does not generate a server key.
149Forward security is provided through a Diffie-Hellman key agreement.
150This key agreement results in a shared session key.
151.Pp
152The rest of the session is encrypted using a symmetric cipher, currently
153128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
154The client selects the encryption algorithm
155to use from those offered by the server.
156Additionally, session integrity is provided
157through a cryptographic message authentication code
158(hmac-sha1 or hmac-md5).
159.Pp
160Protocol version 2 provides a public key based
161user (PubkeyAuthentication) or
162client host (HostbasedAuthentication) authentication method,
163conventional password authentication and challenge response based methods.
164.Ss Command execution and data forwarding
165If the client successfully authenticates itself, a dialog for
166preparing the session is entered.
167At this time the client may request
168things like allocating a pseudo-tty, forwarding X11 connections,
169forwarding TCP/IP connections, or forwarding the authentication agent
170connection over the secure channel.
171.Pp
172Finally, the client either requests a shell or execution of a command.
173The sides then enter session mode.
174In this mode, either side may send
175data at any time, and such data is forwarded to/from the shell or
176command on the server side, and the user terminal in the client side.
177.Pp
178When the user program terminates and all forwarded X11 and other
179connections have been closed, the server sends command exit status to
180the client, and both sides exit.
181.Pp 74.Pp
182.Nm 75.Nm
183can be configured using command-line options or a configuration file 76can be configured using command-line options or a configuration file
184(by default 77(by default
185.Xr sshd_config 5 ) . 78.Xr sshd_config 5 ) ;
186Command-line options override values specified in the 79command-line options override values specified in the
187configuration file. 80configuration file.
188.Pp
189.Nm 81.Nm
190rereads its configuration file when it receives a hangup signal, 82rereads its configuration file when it receives a hangup signal,
191.Dv SIGHUP , 83.Dv SIGHUP ,
@@ -285,8 +177,12 @@ For full details of the options, and their values, see
285Specifies the port on which the server listens for connections 177Specifies the port on which the server listens for connections
286(default 22). 178(default 22).
287Multiple port options are permitted. 179Multiple port options are permitted.
288Ports specified in the configuration file are ignored when a 180Ports specified in the configuration file with the
289command-line port is specified. 181.Cm Port
182option are ignored when a command-line port is specified.
183Ports specified using the
184.Cm ListenAddress
185option override command-line ports.
290.It Fl q 186.It Fl q
291Quiet mode. 187Quiet mode.
292Only fatal errors are sent to the system log. 188Only fatal errors are sent to the system log.
@@ -324,7 +220,7 @@ from making DNS requests unless the authentication
324mechanism or configuration requires it. 220mechanism or configuration requires it.
325Authentication mechanisms that may require DNS include 221Authentication mechanisms that may require DNS include
326.Cm RhostsRSAAuthentication , 222.Cm RhostsRSAAuthentication ,
327.Cm HostbasedAuthentication 223.Cm HostbasedAuthentication ,
328and using a 224and using a
329.Cm from="pattern-list" 225.Cm from="pattern-list"
330option in a key file. 226option in a key file.
@@ -334,15 +230,114 @@ USER@HOST pattern in
334or 230or
335.Cm DenyUsers . 231.Cm DenyUsers .
336.El 232.El
337.Sh CONFIGURATION FILE 233.Sh AUTHENTICATION
338.Nm 234The OpenSSH SSH daemon supports SSH protocols 1 and 2.
339reads configuration data from 235Both protocols are supported by default,
340.Pa /etc/ssh/sshd_config 236though this can be changed via the
341(or the file specified with 237.Cm Protocol
342.Fl f 238option in
343on the command line).
344The file format and configuration options are described in
345.Xr sshd_config 5 . 239.Xr sshd_config 5 .
240Protocol 2 supports both RSA and DSA keys;
241protocol 1 only supports RSA keys.
242For both protocols,
243each host has a host-specific key,
244normally 2048 bits,
245used to identify the host.
246.Pp
247Forward security for protocol 1 is provided through
248an additional server key,
249normally 768 bits,
250generated when the server starts.
251This key is normally regenerated every hour if it has been used, and
252is never stored on disk.
253Whenever a client connects, the daemon responds with its public
254host and server keys.
255The client compares the
256RSA host key against its own database to verify that it has not changed.
257The client then generates a 256-bit random number.
258It encrypts this
259random number using both the host key and the server key, and sends
260the encrypted number to the server.
261Both sides then use this
262random number as a session key which is used to encrypt all further
263communications in the session.
264The rest of the session is encrypted
265using a conventional cipher, currently Blowfish or 3DES, with 3DES
266being used by default.
267The client selects the encryption algorithm
268to use from those offered by the server.
269.Pp
270For protocol 2,
271forward security is provided through a Diffie-Hellman key agreement.
272This key agreement results in a shared session key.
273The rest of the session is encrypted using a symmetric cipher, currently
274128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
275The client selects the encryption algorithm
276to use from those offered by the server.
277Additionally, session integrity is provided
278through a cryptographic message authentication code
279(hmac-sha1 or hmac-md5).
280.Pp
281Finally, the server and the client enter an authentication dialog.
282The client tries to authenticate itself using
283host-based authentication,
284public key authentication,
285challenge-response authentication,
286or password authentication.
287.Pp
288Regardless of the authentication type, the account is checked to
289ensure that it is accessible. An account is not accessible if it is
290locked, listed in
291.Cm DenyUsers
292or its group is listed in
293.Cm DenyGroups
294\&. The definition of a locked account is system dependant. Some platforms
295have their own account database (eg AIX) and some modify the passwd field (
296.Ql \&*LK\&*
297on Solaris and UnixWare,
298.Ql \&*
299on HP-UX, containing
300.Ql Nologin
301on Tru64,
302a leading
303.Ql \&*LOCKED\&*
304on FreeBSD and a leading
305.Ql \&!!
306on Linux). If there is a requirement to disable password authentication
307for the account while allowing still public-key, then the passwd field
308should be set to something other than these values (eg
309.Ql NP
310or
311.Ql \&*NP\&*
312).
313.Pp
314System security is not improved unless
315.Nm rshd ,
316.Nm rlogind ,
317and
318.Nm rexecd
319are disabled (thus completely disabling
320.Xr rlogin
321and
322.Xr rsh
323into the machine).
324.Sh COMMAND EXECUTION AND DATA FORWARDING
325If the client successfully authenticates itself, a dialog for
326preparing the session is entered.
327At this time the client may request
328things like allocating a pseudo-tty, forwarding X11 connections,
329forwarding TCP connections, or forwarding the authentication agent
330connection over the secure channel.
331.Pp
332Finally, the client either requests a shell or execution of a command.
333The sides then enter session mode.
334In this mode, either side may send
335data at any time, and such data is forwarded to/from the shell or
336command on the server side, and the user terminal in the client side.
337.Pp
338When the user program terminates and all forwarded X11 and other
339connections have been closed, the server sends command exit status to
340the client, and both sides exit.
346.Sh LOGIN PROCESS 341.Sh LOGIN PROCESS
347When a user successfully logs in, 342When a user successfully logs in,
348.Nm 343.Nm
@@ -476,7 +471,7 @@ A quote may be included in the command by quoting it with a backslash.
476This option might be useful 471This option might be useful
477to restrict certain public keys to perform just a specific operation. 472to restrict certain public keys to perform just a specific operation.
478An example might be a key that permits remote backups but nothing else. 473An example might be a key that permits remote backups but nothing else.
479Note that the client may specify TCP/IP and/or X11 474Note that the client may specify TCP and/or X11
480forwarding unless they are explicitly prohibited. 475forwarding unless they are explicitly prohibited.
481Note that this option applies to shell, command or subsystem execution. 476Note that this option applies to shell, command or subsystem execution.
482.It Cm environment="NAME=value" 477.It Cm environment="NAME=value"
@@ -493,7 +488,7 @@ This option is automatically disabled if
493.Cm UseLogin 488.Cm UseLogin
494is enabled. 489is enabled.
495.It Cm no-port-forwarding 490.It Cm no-port-forwarding
496Forbids TCP/IP forwarding when this key is used for authentication. 491Forbids TCP forwarding when this key is used for authentication.
497Any port forward requests by the client will return an error. 492Any port forward requests by the client will return an error.
498This might be used, e.g., in connection with the 493This might be used, e.g., in connection with the
499.Cm command 494.Cm command
@@ -518,6 +513,12 @@ Multiple
518options may be applied separated by commas. 513options may be applied separated by commas.
519No pattern matching is performed on the specified hostnames, 514No pattern matching is performed on the specified hostnames,
520they must be literal domains or addresses. 515they must be literal domains or addresses.
516.It Cm tunnel="n"
517Force a
518.Xr tun 4
519device on the server.
520Without this option, the next available device will be used if
521the client requests a tunnel.
521.El 522.El
522.Ss Examples 523.Ss Examples
5231024 33 12121...312314325 ylo@foo.bar 5241024 33 12121...312314325 ylo@foo.bar
@@ -527,6 +528,8 @@ from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula
527command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi 528command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi
528.Pp 529.Pp
529permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 530permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323
531.Pp
532tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== reyk@openbsd.org
530.Sh SSH_KNOWN_HOSTS FILE FORMAT 533.Sh SSH_KNOWN_HOSTS FILE FORMAT
531The 534The
532.Pa /etc/ssh/ssh_known_hosts 535.Pa /etc/ssh/ssh_known_hosts
diff --git a/sshd.c b/sshd.c
index 967f5e7f0..df6d1e374 100644
--- a/sshd.c
+++ b/sshd.c
@@ -42,7 +42,7 @@
42 */ 42 */
43 43
44#include "includes.h" 44#include "includes.h"
45RCSID("$OpenBSD: sshd.c,v 1.312 2005/07/25 11:59:40 markus Exp $"); 45RCSID("$OpenBSD: sshd.c,v 1.318 2005/12/24 02:27:41 djm Exp $");
46 46
47#include <openssl/dh.h> 47#include <openssl/dh.h>
48#include <openssl/bn.h> 48#include <openssl/bn.h>
@@ -633,16 +633,8 @@ privsep_postauth(Authctxt *authctxt)
633 if (authctxt->pw->pw_uid == 0 || options.use_login) { 633 if (authctxt->pw->pw_uid == 0 || options.use_login) {
634#endif 634#endif
635 /* File descriptor passing is broken or root login */ 635 /* File descriptor passing is broken or root login */
636 monitor_apply_keystate(pmonitor);
637 use_privsep = 0; 636 use_privsep = 0;
638 return; 637 goto skip;
639 }
640
641 /* Authentication complete */
642 alarm(0);
643 if (startup_pipe != -1) {
644 close(startup_pipe);
645 startup_pipe = -1;
646 } 638 }
647 639
648 /* New socket pair */ 640 /* New socket pair */
@@ -669,6 +661,7 @@ privsep_postauth(Authctxt *authctxt)
669 /* Drop privileges */ 661 /* Drop privileges */
670 do_setusercontext(authctxt->pw); 662 do_setusercontext(authctxt->pw);
671 663
664 skip:
672 /* It is safe now to apply the key state */ 665 /* It is safe now to apply the key state */
673 monitor_apply_keystate(pmonitor); 666 monitor_apply_keystate(pmonitor);
674 667
@@ -800,6 +793,7 @@ send_rexec_state(int fd, Buffer *conf)
800 * bignum iqmp " 793 * bignum iqmp "
801 * bignum p " 794 * bignum p "
802 * bignum q " 795 * bignum q "
796 * string rngseed (only if OpenSSL is not self-seeded)
803 */ 797 */
804 buffer_init(&m); 798 buffer_init(&m);
805 buffer_put_cstring(&m, buffer_ptr(conf)); 799 buffer_put_cstring(&m, buffer_ptr(conf));
@@ -816,6 +810,10 @@ send_rexec_state(int fd, Buffer *conf)
816 } else 810 } else
817 buffer_put_int(&m, 0); 811 buffer_put_int(&m, 0);
818 812
813#ifndef OPENSSL_PRNG_ONLY
814 rexec_send_rng_seed(&m);
815#endif
816
819 if (ssh_msg_send(fd, 0, &m) == -1) 817 if (ssh_msg_send(fd, 0, &m) == -1)
820 fatal("%s: ssh_msg_send failed", __func__); 818 fatal("%s: ssh_msg_send failed", __func__);
821 819
@@ -858,6 +856,11 @@ recv_rexec_state(int fd, Buffer *conf)
858 rsa_generate_additional_parameters( 856 rsa_generate_additional_parameters(
859 sensitive_data.server_key->rsa); 857 sensitive_data.server_key->rsa);
860 } 858 }
859
860#ifndef OPENSSL_PRNG_ONLY
861 rexec_recv_rng_seed(&m);
862#endif
863
861 buffer_free(&m); 864 buffer_free(&m);
862 865
863 debug3("%s: done", __func__); 866 debug3("%s: done", __func__);
@@ -914,6 +917,9 @@ main(int ac, char **av)
914 if (geteuid() == 0 && setgroups(0, NULL) == -1) 917 if (geteuid() == 0 && setgroups(0, NULL) == -1)
915 debug("setgroups(): %.200s", strerror(errno)); 918 debug("setgroups(): %.200s", strerror(errno));
916 919
920 /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
921 sanitise_stdfd();
922
917 /* Initialize configuration options to their default values. */ 923 /* Initialize configuration options to their default values. */
918 initialize_server_options(&options); 924 initialize_server_options(&options);
919 925
@@ -1056,8 +1062,6 @@ main(int ac, char **av)
1056 drop_cray_privs(); 1062 drop_cray_privs();
1057#endif 1063#endif
1058 1064
1059 seed_rng();
1060
1061 sensitive_data.server_key = NULL; 1065 sensitive_data.server_key = NULL;
1062 sensitive_data.ssh1_host_key = NULL; 1066 sensitive_data.ssh1_host_key = NULL;
1063 sensitive_data.have_ssh1_key = 0; 1067 sensitive_data.have_ssh1_key = 0;
@@ -1076,6 +1080,8 @@ main(int ac, char **av)
1076 if (!rexec_flag) 1080 if (!rexec_flag)
1077 buffer_free(&cfg); 1081 buffer_free(&cfg);
1078 1082
1083 seed_rng();
1084
1079 /* Fill in default values for those options not explicitly set. */ 1085 /* Fill in default values for those options not explicitly set. */
1080 fill_default_server_options(&options); 1086 fill_default_server_options(&options);
1081 1087
@@ -1645,7 +1651,12 @@ main(int ac, char **av)
1645 debug("get_remote_port failed"); 1651 debug("get_remote_port failed");
1646 cleanup_exit(255); 1652 cleanup_exit(255);
1647 } 1653 }
1648 remote_ip = get_remote_ipaddr(); 1654
1655 /*
1656 * We use get_canonical_hostname with usedns = 0 instead of
1657 * get_remote_ipaddr here so IP options will be checked.
1658 */
1659 remote_ip = get_canonical_hostname(0);
1649 1660
1650#ifdef SSH_AUDIT_EVENTS 1661#ifdef SSH_AUDIT_EVENTS
1651 audit_connection_from(remote_ip, remote_port); 1662 audit_connection_from(remote_ip, remote_port);
@@ -1671,10 +1682,10 @@ main(int ac, char **av)
1671 verbose("Connection from %.500s port %d", remote_ip, remote_port); 1682 verbose("Connection from %.500s port %d", remote_ip, remote_port);
1672 1683
1673 /* 1684 /*
1674 * We don\'t want to listen forever unless the other side 1685 * We don't want to listen forever unless the other side
1675 * successfully authenticates itself. So we set up an alarm which is 1686 * successfully authenticates itself. So we set up an alarm which is
1676 * cleared after successful authentication. A limit of zero 1687 * cleared after successful authentication. A limit of zero
1677 * indicates no limit. Note that we don\'t set the alarm in debugging 1688 * indicates no limit. Note that we don't set the alarm in debugging
1678 * mode; it is just annoying to have the server exit just when you 1689 * mode; it is just annoying to have the server exit just when you
1679 * are about to discover the bug. 1690 * are about to discover the bug.
1680 */ 1691 */
@@ -1721,6 +1732,17 @@ main(int ac, char **av)
1721 } 1732 }
1722 1733
1723 authenticated: 1734 authenticated:
1735 /*
1736 * Cancel the alarm we set to limit the time taken for
1737 * authentication.
1738 */
1739 alarm(0);
1740 signal(SIGALRM, SIG_DFL);
1741 if (startup_pipe != -1) {
1742 close(startup_pipe);
1743 startup_pipe = -1;
1744 }
1745
1724#ifdef SSH_AUDIT_EVENTS 1746#ifdef SSH_AUDIT_EVENTS
1725 audit_event(SSH_AUTH_SUCCESS); 1747 audit_event(SSH_AUTH_SUCCESS);
1726#endif 1748#endif
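Review bot: The comment kept under the new `skip:` label in privsep_postauth, "It is safe now to apply the key state", no longer describes every path that reaches it. The root-login / `use_login` branch now sets `use_privsep = 0` and jumps straight to the label, bypassing the `do_setusercontext(authctxt->pw)` call just above it, so on that path the key state is applied in a process that has not dropped privileges. I would say so at the label, e.g. `/* reached after the privilege drop, or directly when privsep is skipped (root login, UseLogin, broken fd passing) */`. The body of privsep_postauth continues outside both hunks, so whether anything after `monitor_apply_keystate(pmonitor)` assumes the unprivileged child should be confirmed against the full file.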
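--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $
+# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
 
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -96,6 +96,7 @@
 #UseDNS yes
 #PidFile /var/run/sshd.pid
 #MaxStartups 10
+#PermitTunnel no
 
 # no default banner path
 #Banner /some/path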
diff --git a/sshd_config.0 b/sshd_config.0
index d821a84b6..d2c5454e1 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -92,7 +92,7 @@ DESCRIPTION
92 aes192-ctr,aes256-ctr'' 92 aes192-ctr,aes256-ctr''
93 93
94 ClientAliveCountMax 94 ClientAliveCountMax
95 Sets the number of client alive messages (see above) which may be 95 Sets the number of client alive messages (see below) which may be
96 sent without sshd receiving any messages back from the client. 96 sent without sshd receiving any messages back from the client.
97 If this threshold is reached while client alive messages are be- 97 If this threshold is reached while client alive messages are be-
98 ing sent, sshd will disconnect the client, terminating the ses- 98 ing sent, sshd will disconnect the client, terminating the ses-
@@ -104,9 +104,10 @@ DESCRIPTION
104 able when the client or server depend on knowing when a connec- 104 able when the client or server depend on knowing when a connec-
105 tion has become inactive. 105 tion has become inactive.
106 106
107 The default value is 3. If ClientAliveInterval (above) is set to 107 The default value is 3. If ClientAliveInterval (see below) is
108 15, and ClientAliveCountMax is left at the default, unresponsive 108 set to 15, and ClientAliveCountMax is left at the default, unre-
109 ssh clients will be disconnected after approximately 45 seconds. 109 sponsive ssh clients will be disconnected after approximately 45
110 seconds.
110 111
111 ClientAliveInterval 112 ClientAliveInterval
112 Sets a timeout interval in seconds after which if no data has 113 Sets a timeout interval in seconds after which if no data has
@@ -198,7 +199,7 @@ DESCRIPTION
198 199
199 KerberosGetAFSToken 200 KerberosGetAFSToken
200 If AFS is active and the user has a Kerberos 5 TGT, attempt to 201 If AFS is active and the user has a Kerberos 5 TGT, attempt to
201 aquire an AFS token before accessing the user's home directory. 202 acquire an AFS token before accessing the user's home directory.
202 Default is ``no''. 203 Default is ``no''.
203 204
204 KerberosOrLocalPasswd 205 KerberosOrLocalPasswd
@@ -295,6 +296,11 @@ DESCRIPTION
295 296
296 If this option is set to ``no'' root is not allowed to log in. 297 If this option is set to ``no'' root is not allowed to log in.
297 298
299 PermitTunnel
300 Specifies whether tun(4) device forwarding is allowed. The argu-
301 ment must be ``yes'', ``point-to-point'', ``ethernet'' or ``no''.
302 The default is ``no''.
303
298 PermitUserEnvironment 304 PermitUserEnvironment
299 Specifies whether ~/.ssh/environment and environment= options in 305 Specifies whether ~/.ssh/environment and environment= options in
300 ~/.ssh/authorized_keys are processed by sshd. The default is 306 ~/.ssh/authorized_keys are processed by sshd. The default is
@@ -501,4 +507,4 @@ AUTHORS
501 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 507 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
502 for privilege separation. 508 for privilege separation.
503 509
504OpenBSD 3.8 September 25, 1999 8 510OpenBSD 3.9 September 25, 1999 8
diff --git a/sshd_config.5 b/sshd_config.5
index 048e8924e..71a293ffb 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: sshd_config.5,v 1.44 2005/07/25 11:59:40 markus Exp $ 37.\" $OpenBSD: sshd_config.5,v 1.48 2006/01/02 17:09:49 jmc Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSHD_CONFIG 5 39.Dt SSHD_CONFIG 5
40.Os 40.Os
@@ -181,7 +181,7 @@ The default is
181 aes192-ctr,aes256-ctr'' 181 aes192-ctr,aes256-ctr''
182.Ed 182.Ed
183.It Cm ClientAliveCountMax 183.It Cm ClientAliveCountMax
184Sets the number of client alive messages (see above) which may be 184Sets the number of client alive messages (see below) which may be
185sent without 185sent without
186.Nm sshd 186.Nm sshd
187receiving any messages back from the client. 187receiving any messages back from the client.
@@ -203,7 +203,7 @@ server depend on knowing when a connection has become inactive.
203The default value is 3. 203The default value is 3.
204If 204If
205.Cm ClientAliveInterval 205.Cm ClientAliveInterval
206(above) is set to 15, and 206(see below) is set to 15, and
207.Cm ClientAliveCountMax 207.Cm ClientAliveCountMax
208is left at the default, unresponsive ssh clients 208is left at the default, unresponsive ssh clients
209will be disconnected after approximately 45 seconds. 209will be disconnected after approximately 45 seconds.
@@ -348,7 +348,7 @@ Kerberos servtab which allows the verification of the KDC's identity.
348Default is 348Default is
349.Dq no . 349.Dq no .
350.It Cm KerberosGetAFSToken 350.It Cm KerberosGetAFSToken
351If AFS is active and the user has a Kerberos 5 TGT, attempt to aquire 351If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
352an AFS token before accessing the user's home directory. 352an AFS token before accessing the user's home directory.
353Default is 353Default is
354.Dq no . 354.Dq no .
@@ -502,6 +502,18 @@ All other authentication methods are disabled for root.
502If this option is set to 502If this option is set to
503.Dq no 503.Dq no
504root is not allowed to log in. 504root is not allowed to log in.
505.It Cm PermitTunnel
506Specifies whether
507.Xr tun 4
508device forwarding is allowed.
509The argument must be
510.Dq yes ,
511.Dq point-to-point ,
512.Dq ethernet
513or
514.Dq no .
515The default is
516.Dq no .
505.It Cm PermitUserEnvironment 517.It Cm PermitUserEnvironment
506Specifies whether 518Specifies whether
507.Pa ~/.ssh/environment 519.Pa ~/.ssh/environment
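--- a/version.h
+++ b/version.h
@@ -1,8 +1,8 @@
-/* $OpenBSD: version.h,v 1.45 2005/08/31 09:28:42 markus Exp $ */
+/* $OpenBSD: version.h,v 1.46 2006/02/01 11:27:22 markus Exp $ */
 
-#define SSH_VERSION "OpenSSH_4.2"
+#define SSH_VERSION "OpenSSH_4.3"
 
-#define SSH_PORTABLE "p1"
+#define SSH_PORTABLE "p2"
 #ifndef SSH_EXTRAVERSION
 #define SSH_EXTRAVERSION
 #endif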