-rw-r--r-- | CREDITS | 4 | ||||
-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | Makefile.in | 4 | ||||
-rw-r--r-- | auth-pam.c | 14 | ||||
-rw-r--r-- | auth-passwd.c | 15 | ||||
-rw-r--r-- | auth2-none.c | 2 | ||||
-rw-r--r-- | auth2-passwd.c | 6 | ||||
-rw-r--r-- | configure.ac | 37 | ||||
-rw-r--r-- | contrib/caldera/openssh.spec | 4 | ||||
-rw-r--r-- | contrib/redhat/openssh.spec | 4 | ||||
-rw-r--r-- | contrib/suse/openssh.spec | 2 | ||||
-rw-r--r-- | monitor.c | 2 | ||||
-rw-r--r-- | version.h | 2 |
13 files changed, 61 insertions, 44 deletions
@@ -5,7 +5,7 @@ Theo de Raadt, and Dug Song - Creators of OpenSSH | |||
5 | 5 | ||
6 | Alain St-Denis <Alain.St-Denis@ec.gc.ca> - Irix fix | 6 | Alain St-Denis <Alain.St-Denis@ec.gc.ca> - Irix fix |
7 | Alexandre Oliva <oliva@lsd.ic.unicamp.br> - AIX fixes | 7 | Alexandre Oliva <oliva@lsd.ic.unicamp.br> - AIX fixes |
8 | Andre Lucas <andre.lucas@dial.pipex.com> - new login code, many fixes | 8 | Andre Lucas <andre@ae-35.com> - new login code, many fixes |
9 | Andreas Steinmetz <ast@domdv.de> - Shadow password expiry support | 9 | Andreas Steinmetz <ast@domdv.de> - Shadow password expiry support |
10 | Andrew McGill <andrewm@datrix.co.za> - SCO fixes | 10 | Andrew McGill <andrewm@datrix.co.za> - SCO fixes |
11 | Andrew Morgan <morgan@transmeta.com> - PAM bugfixes | 11 | Andrew Morgan <morgan@transmeta.com> - PAM bugfixes |
@@ -91,5 +91,5 @@ Apologies to anyone I have missed. | |||
91 | 91 | ||
92 | Damien Miller <djm@mindrot.org> | 92 | Damien Miller <djm@mindrot.org> |
93 | 93 | ||
94 | $Id: CREDITS,v 1.67 2002/07/28 20:31:19 stevesk Exp $ | 94 | $Id: CREDITS,v 1.68 2003/04/29 13:22:40 djm Exp $ |
95 | 95 | ||
@@ -1,3 +1,10 @@ | |||
1 | 20030429 | ||
2 | - (djm) Add back radix.o (used by AFS support), after it went missing from | ||
3 | Makefile many moons ago | ||
4 | - (djm) Apply "owl-always-auth" patch from Openwall/Solar Designer | ||
5 | - (djm) Fix blibpath specification for AIX/gcc | ||
6 | - (djm) Some systems have basename in -lgen. Fix from ayamura@ayamura.org | ||
7 | |||
1 | 20030428 | 8 | 20030428 |
2 | - (bal) [defines.h progressmeter.c scp.c] Some more culling of non 64bit | 9 | - (bal) [defines.h progressmeter.c scp.c] Some more culling of non 64bit |
3 | hacked code. | 10 | hacked code. |
@@ -1349,4 +1356,4 @@ | |||
1349 | save auth method before monitor_reset_key_state(); bugzilla bug #284; | 1356 | save auth method before monitor_reset_key_state(); bugzilla bug #284; |
1350 | ok provos@ | 1357 | ok provos@ |
1351 | 1358 | ||
1352 | $Id: ChangeLog,v 1.2663 2003/04/28 23:30:43 mouring Exp $ | 1359 | $Id: ChangeLog,v 1.2664 2003/04/29 13:22:40 djm Exp $ |
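--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.228 2003/03/21 00:34:34 mouring Exp $
+# $Id: Makefile.in,v 1.229 2003/04/29 13:22:40 djm Exp $
 
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -62,7 +62,7 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys
 
 LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \
 cipher.o compat.o compress.o crc32.o deattack.o fatal.o \
-hostfile.o log.o match.o mpaux.o nchan.o packet.o readpass.o \
+hostfile.o log.o match.o mpaux.o nchan.o packet.o radix.o readpass.o \
 rsa.o tildexpand.o ttymodes.o xmalloc.o atomicio.o \
 key.o dispatch.o kex.o mac.o uuencode.o misc.o \
 rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \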
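--- a/auth-pam.c
+++ b/auth-pam.c
@@ -38,7 +38,7 @@ extern char *__progname;
 
 extern int use_privsep;
 
-RCSID("$Id: auth-pam.c,v 1.56 2003/04/09 10:59:48 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.57 2003/04/29 13:22:40 djm Exp $");
 
 #define NEW_AUTHTOK_MSG \
 "Warning: Your password has expired, please change it now."
@@ -201,7 +201,7 @@ void do_pam_cleanup_proc(void *context)
 }
 }
 
-/* Attempt password authentation using PAM */
+/* Attempt password authentication using PAM */
 int auth_pam_password(Authctxt *authctxt, const char *password)
 {
 extern ServerOptions options;
@@ -215,13 +215,13 @@ int auth_pam_password(Authctxt *authctxt, const char *password)
 pamstate = INITIAL_LOGIN;
 pam_retval = do_pam_authenticate(
 options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
-if (pam_retval == PAM_SUCCESS) {
-debug("PAM Password authentication accepted for "
-"user \"%.100s\"", pw->pw_name);
+if (pam_retval == PAM_SUCCESS && pw) {
+debug("PAM password authentication accepted for "
+"%.100s", pw->pw_name);
 return 1;
 } else {
-debug("PAM Password authentication for \"%.100s\" "
-"failed[%d]: %s", pw->pw_name, pam_retval,
+debug("PAM password authentication failed for "
+"%.100s: %s", pw ? pw->pw_name : "an illegal user",
 PAM_STRERROR(__pamh, pam_retval));
 return 0;
 }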
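Review bot: In the last hunk, the case `pam_retval == PAM_SUCCESS` with `pw == NULL` now falls into the `else` branch, so the debug line reports "authentication failed" followed by `PAM_STRERROR(__pamh, pam_retval)` for a success code. That makes the log misleading for exactly the case this change introduces. A dedicated message would keep it accurate, for example `debug("PAM password authentication rejected for an illegal user");` when `pam_retval == PAM_SUCCESS && !pw`. Where `pw` is assigned lies outside the hunk, so this assumes it is taken from `authctxt->pw`.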
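--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -93,6 +93,7 @@ int
 auth_password(Authctxt *authctxt, const char *password)
 {
 struct passwd * pw = authctxt->pw;
+int ok = authctxt->valid;
 #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
 char *encrypted_password;
 char *pw_password;
@@ -115,19 +116,23 @@ auth_password(Authctxt *authctxt, const char *password)
 
 /* deny if no user. */
 if (pw == NULL)
-return 0;
+ok = 0;
 #ifndef HAVE_CYGWIN
-if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
-return 0;
+if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
+ok = 0;
 #endif
 if (*password == '\0' && options.permit_empty_passwd == 0)
-return 0;
+ok = 0;
 
 #if defined(USE_PAM)
-return auth_pam_password(authctxt, password);
+return auth_pam_password(authctxt, password) && ok;
 #elif defined(HAVE_OSF_SIA)
+if (!ok)
+return 0;
 return auth_sia_password(authctxt, password);
 #else
+if (!ok)
+return 0;
 # ifdef KRB5
 if (options.kerberos_authentication == 1) {
 int ret = auth_krb5_password(authctxt, password);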
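Review bot: The non-PAM branches still return before any password work is done. The added `if (!ok) return 0;` under `HAVE_OSF_SIA` and under `#else` exits ahead of `auth_sia_password()` and the Kerberos path, so only `USE_PAM` builds call the backend for an unknown or root-denied user. If the aim is for rejected and accepted accounts to take the same path (inferred from the "always-auth" patch name in the ChangeLog), those builds do not get it. I would at least record that next to the early returns, e.g. `/* non-PAM backends need a valid pw; this early return is not timing-neutral */`. The function continues past the end of the hunk, so the rest of the `#else` path is not visible here.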
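--- a/auth2-none.c
+++ b/auth2-none.c
@@ -100,7 +100,7 @@ userauth_none(Authctxt *authctxt)
 if (check_nt_auth(1, authctxt->pw) == 0)
 return(0);
 #endif
-return (authctxt->valid ? PRIVSEP(auth_password(authctxt, "")) : 0);
+return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid;
 }
 
 Authmethod method_none = {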
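Review bot: The new return expression depends on operand order, and nothing in the code says so: `PRIVSEP(auth_password(authctxt, ""))` must stay on the left of `&&` so that it runs even when `authctxt->valid` is 0. A later cleanup that moves the cheap `authctxt->valid` test first would silently restore the early exit for unknown users. I would add a comment above the return such as `/* always call auth_password(); authctxt->valid must stay last so && cannot skip the call */`. The same comment belongs on the reordered condition in auth2-passwd.c. The body of userauth_none begins outside the hunk.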
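--- a/auth2-passwd.c
+++ b/auth2-passwd.c
@@ -47,11 +47,11 @@ userauth_passwd(Authctxt *authctxt)
 logit("password change not supported");
 password = packet_get_string(&len);
 packet_check_eom();
-if (authctxt->valid &&
+if (PRIVSEP(auth_password(authctxt, password)) == 1 && authctxt->valid
 #ifdef HAVE_CYGWIN
-check_nt_auth(1, authctxt->pw) &&
+&& check_nt_auth(1, authctxt->pw)
 #endif
-PRIVSEP(auth_password(authctxt, password)) == 1)
+)
 authenticated = 1;
 memset(password, 0, len);
 xfree(password);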
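--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.113 2003/03/21 01:18:09 mouring Exp $
+# $Id: configure.ac,v 1.114 2003/04/29 13:22:40 djm Exp $
 
 AC_INIT
 AC_CONFIG_SRCDIR([ssh.c])
@@ -57,20 +57,24 @@ case "$host" in
 AFS_LIBS="-lld"
 CPPFLAGS="$CPPFLAGS -I/usr/local/include"
 LDFLAGS="$LDFLAGS -L/usr/local/lib"
-if (test "$LD" != "gcc" && test -z "$blibpath"); then
-AC_MSG_CHECKING([if linkage editor ($LD) accepts -blibpath])
-saved_LDFLAGS="$LDFLAGS"
-LDFLAGS="$LDFLAGS -blibpath:/usr/lib:/lib:/usr/local/lib"
-AC_TRY_LINK([],
-[],
-[
-AC_MSG_RESULT(yes)
-blibpath="/usr/lib:/lib:/usr/local/lib"
-],
-[ AC_MSG_RESULT(no) ]
-)
-LDFLAGS="$saved_LDFLAGS"
+AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
+if (test -z "$blibpath"); then
+blibpath="/usr/lib:/lib:/usr/local/lib"
+fi
+saved_LDFLAGS="$LDFLAGS"
+for tryflags in -blibpath: -Wl,-blibpath: -Wl,-rpath, ;do
+if (test -z "$blibflags"); then
+LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
+AC_TRY_LINK([], [], [blibflags=$tryflags])
+fi
+done
+if (test -z "$blibflags"); then
+AC_MSG_RESULT(not found)
+AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
+else
+AC_MSG_RESULT($blibflags)
 fi
+LDFLAGS="$saved_LDFLAGS"
 AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)],
 [AC_CHECK_LIB(s,authenticate,
 [ AC_DEFINE(WITH_AIXAUTHENTICATE)
@@ -618,6 +622,7 @@ AC_CHECK_FUNCS(\
 )
 
 AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP))
+AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME))
 
 dnl Make sure strsep prototype is defined before defining HAVE_STRSEP
 AC_CHECK_DECL(strsep, [AC_CHECK_FUNCS(strsep)])
@@ -2473,8 +2478,8 @@ fi
 
 
 if test ! -z "$blibpath" ; then
-LDFLAGS="$LDFLAGS -blibpath:$blibpath"
-AC_MSG_WARN([Please check and edit -blibpath in LDFLAGS in Makefile])
+LDFLAGS="$LDFLAGS $blibflags$blibpath"
+AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
 fi
 
 dnl remove pam and dl because they are in $LIBPAM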
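Review bot: `blibflags` is never initialised before the `for tryflags` loop in the AIX hunk. A value inherited from the environment therefore makes every `test -z "$blibflags"` false, skips all three link tests, and is pasted unverified into `LDFLAGS` by the last hunk. Since that string sets the runtime library search path of the installed binaries, I would set `blibflags=""` just before the loop. The last hunk also runs for any host where `blibpath` is non-empty; if that can happen outside the AIX case (not visible here), `$blibflags` is empty there and the bare path is appended to `LDFLAGS`.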
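--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -17,7 +17,7 @@
 #old cvs stuff. please update before use. may be deprecated.
 %define use_stable 1
 %if %{use_stable}
-%define version 3.6.1p1
+%define version 3.6.1p2
 %define cvs %{nil}
 %define release 2
 %else
@@ -364,4 +364,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 
-$Id: openssh.spec,v 1.42 2003/04/01 11:46:53 djm Exp $
+$Id: openssh.spec,v 1.43 2003/04/29 13:22:40 djm Exp $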
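--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,5 +1,5 @@
-%define ver 3.6.1p1
-%define rel 2
+%define ver 3.6.1p2
+%define rel 1
 
 # OpenSSH privilege separation requires a user & group ID
 %define sshd_uid 74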
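--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -1,6 +1,6 @@
 Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name: openssh
-Version: 3.6.1p1
+Version: 3.6.1p2
 URL: http://www.openssh.com/
 Release: 1
 Source0: openssh-%{version}.tar.gz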
@@ -606,7 +606,7 @@ mm_answer_authpassword(int socket, Buffer *m) | |||
606 | passwd = buffer_get_string(m, &plen); | 606 | passwd = buffer_get_string(m, &plen); |
607 | /* Only authenticate if the context is valid */ | 607 | /* Only authenticate if the context is valid */ |
608 | authenticated = options.password_authentication && | 608 | authenticated = options.password_authentication && |
609 | authctxt->valid && auth_password(authctxt, passwd); | 609 | auth_password(authctxt, passwd) && authctxt->valid; |
610 | memset(passwd, 0, strlen(passwd)); | 610 | memset(passwd, 0, strlen(passwd)); |
611 | xfree(passwd); | 611 | xfree(passwd); |
612 | 612 | ||
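Review bot: The context comment `/* Only authenticate if the context is valid */` above the changed expression now says the opposite of what the code does. With the operands reordered, `auth_password()` is called whenever `options.password_authentication` is set, and `authctxt->valid` only gates the result. I would reword it to `/* Always run auth_password(); authctxt->valid only gates the result, keep it last */` so that a later reader does not put the cheap test back in front. mm_answer_authpassword starts and ends outside the hunk.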
@@ -1,3 +1,3 @@ | |||
1 | /* $OpenBSD: version.h,v 1.37 2003/04/01 10:56:46 markus Exp $ */ | 1 | /* $OpenBSD: version.h,v 1.37 2003/04/01 10:56:46 markus Exp $ */ |
2 | 2 | ||
3 | #define SSH_VERSION "OpenSSH_3.6.1p1" | 3 | #define SSH_VERSION "OpenSSH_3.6.1p2" |