-rw-r--r--ChangeLog864
-rw-r--r--Makefile.in4
-rw-r--r--README4
-rw-r--r--README.platform12
-rw-r--r--README.tun132
-rw-r--r--acconfig.h6
-rw-r--r--aclocal.m44
-rw-r--r--auth-krb5.c9
-rw-r--r--auth-options.c41
-rw-r--r--auth-options.h3
-rw-r--r--auth-pam.c16
-rw-r--r--auth2-gss.c7
-rw-r--r--auth2.c12
-rw-r--r--bufaux.c5
-rw-r--r--buildpkg.sh.in2
-rw-r--r--canohost.c41
-rw-r--r--channels.c168
-rw-r--r--channels.h20
-rw-r--r--cipher-aes.c12
-rw-r--r--cipher-ctr.c7
-rw-r--r--cipher.c4
-rw-r--r--clientloop.c30
-rw-r--r--config.h.in885
-rwxr-xr-xconfigure2761
-rw-r--r--configure.ac893
-rw-r--r--contrib/caldera/openssh.spec4
-rw-r--r--contrib/cygwin/ssh-host-config4
-rw-r--r--contrib/cygwin/ssh-user-config4
-rw-r--r--contrib/redhat/openssh.spec2
-rw-r--r--contrib/suse/openssh.spec244
-rw-r--r--contrib/suse/rc.sshd133
-rw-r--r--contrib/suse/sysconfig.ssh9
-rw-r--r--defines.h16
-rw-r--r--dns.c35
-rw-r--r--dns.h4
-rw-r--r--entropy.c38
-rw-r--r--entropy.h7
-rw-r--r--gss-genr.c7
-rw-r--r--gss-serv-krb5.c2
-rw-r--r--gss-serv.c34
-rw-r--r--hostfile.c6
-rw-r--r--includes.h5
-rw-r--r--kex.c40
-rw-r--r--kex.h24
-rw-r--r--kexdh.c10
-rw-r--r--kexdhc.c15
-rw-r--r--kexdhs.c17
-rw-r--r--kexgex.c16
-rw-r--r--kexgexc.c17
-rw-r--r--kexgexs.c20
-rw-r--r--kexgssc.c27
-rw-r--r--kexgsss.c22
-rw-r--r--loginrec.c6
-rw-r--r--misc.c173
-rw-r--r--misc.h23
-rw-r--r--monitor.c14
-rw-r--r--monitor_wrap.c1
-rw-r--r--openbsd-compat/Makefile.in6
-rw-r--r--openbsd-compat/base64.c9
-rw-r--r--openbsd-compat/basename.c39
-rw-r--r--openbsd-compat/bindresvport.c8
-rw-r--r--openbsd-compat/bsd-asprintf.c95
-rw-r--r--openbsd-compat/bsd-closefrom.c4
-rw-r--r--openbsd-compat/bsd-misc.c9
-rw-r--r--openbsd-compat/bsd-snprintf.c610
-rw-r--r--openbsd-compat/daemon.c9
-rw-r--r--openbsd-compat/dirname.c40
-rw-r--r--openbsd-compat/getcwd.c54
-rw-r--r--openbsd-compat/getgrouplist.c19
-rw-r--r--openbsd-compat/getopt.c4
-rw-r--r--openbsd-compat/getrrsetbyname.c114
-rw-r--r--openbsd-compat/glob.c122
-rw-r--r--openbsd-compat/glob.h8
-rw-r--r--openbsd-compat/inet_aton.c28
-rw-r--r--openbsd-compat/inet_ntoa.c14
-rw-r--r--openbsd-compat/inet_ntop.c30
-rw-r--r--openbsd-compat/mktemp.c19
-rw-r--r--openbsd-compat/openbsd-compat.h15
-rw-r--r--openbsd-compat/openssl-compat.h15
-rw-r--r--openbsd-compat/port-tun.c252
-rw-r--r--openbsd-compat/port-tun.h33
-rw-r--r--openbsd-compat/port-uw.c24
-rw-r--r--openbsd-compat/readpassphrase.c8
-rw-r--r--openbsd-compat/readpassphrase.h43
-rw-r--r--openbsd-compat/realpath.c5
-rw-r--r--openbsd-compat/rresvport.c16
-rw-r--r--openbsd-compat/setenv.c80
-rw-r--r--openbsd-compat/sigact.c8
-rw-r--r--openbsd-compat/sigact.h8
-rw-r--r--openbsd-compat/strlcat.c16
-rw-r--r--openbsd-compat/strlcpy.c16
-rw-r--r--openbsd-compat/strmode.c14
-rw-r--r--openbsd-compat/strsep.c14
-rw-r--r--openbsd-compat/strtoll.c9
-rw-r--r--openbsd-compat/strtonum.c4
-rw-r--r--openbsd-compat/strtoul.c22
-rw-r--r--openbsd-compat/sys-queue.h4
-rw-r--r--openbsd-compat/sys-tree.h4
-rw-r--r--openbsd-compat/vis.c62
-rw-r--r--openbsd-compat/vis.h15
-rwxr-xr-xopensshd.init.in2
-rw-r--r--packet.c4
-rw-r--r--progressmeter.c6
-rw-r--r--readconf.c74
-rw-r--r--readconf.h10
-rw-r--r--regress/README.regress6
-rw-r--r--regress/agent-getpeereid.sh4
-rw-r--r--regress/forwarding.sh33
-rw-r--r--regress/multiplex.sh2
-rw-r--r--regress/reconfigure.sh5
-rw-r--r--regress/scp-ssh-wrapper.sh11
-rw-r--r--regress/scp.sh36
-rw-r--r--regress/test-exec.sh7
-rw-r--r--regress/try-ciphers.sh5
-rw-r--r--regress/yes-head.sh2
-rw-r--r--scp.03
-rw-r--r--scp.13
-rw-r--r--scp.c152
-rw-r--r--servconf.c31
-rw-r--r--servconf.h5
-rw-r--r--serverloop.c88
-rw-r--r--session.c58
-rw-r--r--sftp-client.c9
-rw-r--r--sftp-common.h5
-rw-r--r--sftp-server.02
-rw-r--r--sftp-server.c12
-rw-r--r--sftp.07
-rw-r--r--sftp.15
-rw-r--r--sftp.c14
-rw-r--r--ssh-add.02
-rw-r--r--ssh-add.c8
-rw-r--r--ssh-agent.012
-rw-r--r--ssh-agent.18
-rw-r--r--ssh-agent.c7
-rw-r--r--ssh-keygen.013
-rw-r--r--ssh-keygen.19
-rw-r--r--ssh-keygen.c32
-rw-r--r--ssh-keyscan.08
-rw-r--r--ssh-keyscan.13
-rw-r--r--ssh-keyscan.c23
-rw-r--r--ssh-keysign.02
-rw-r--r--ssh-keysign.c9
-rw-r--r--ssh-rand-helper.02
-rw-r--r--ssh.0831
-rw-r--r--ssh.11185
-rw-r--r--ssh.c89
-rw-r--r--ssh_config5
-rw-r--r--ssh_config.0162
-rw-r--r--ssh_config.5153
-rw-r--r--sshconnect.c43
-rw-r--r--sshconnect.h4
-rw-r--r--sshconnect1.c8
-rw-r--r--sshconnect2.c4
-rw-r--r--sshd.0194
-rw-r--r--sshd.8255
-rw-r--r--sshd.c58
-rw-r--r--sshd_config3
-rw-r--r--sshd_config.018
-rw-r--r--sshd_config.520
-rw-r--r--version.h6
160 files changed, 8633 insertions, 3993 deletions
diff --git a/ChangeLog b/ChangeLog
index 9573f8672..c9b5018bd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,865 @@
120060211
2 - (dtucker) [README] Bump release notes URL.
3 - (djm) Release 4.3p2
4
520060208
6 - (tim) [session.c] Logout records were not updated on systems with
7 post auth privsep disabled due to bug 1086 changes. Analysis and patch
8 by vinschen at redhat.com. OK tim@, dtucker@.
9 - (dtucker) [configure.ac] Typo in Ultrix and NewsOS sections (NEED_SETPRGP
10 -> NEED_SETPGRP), reported by Berhard Simon. ok tim@
11
1220060206
13 - (tim) [configure.ac] Remove unnecessary tests for net/if.h and
14 netinet/in_systm.h. OK dtucker@.
15
1620060205
17 - (tim) [configure.ac] Add AC_REVISION. Add sys/time.h to lastlog.h test
18 for Solaris. OK dtucker@.
19 - (tim) [configure.ac] Bug #1149. Changes in QNX section only. Patch by
20 kraai at ftbfs.org.
21
2220060203
23 - (tim) [configure.ac] test for egrep (AC_PROG_EGREP) before first
24 AC_CHECK_HEADERS test. Without it, if AC_CHECK_HEADERS is first run
25 by a platform specific check, builtin standard includes tests will be
26 skipped on the other platforms.
27 Analysis and suggestion by vinschen at redhat.com, patch by dtucker@.
28 OK tim@, djm@.
29
3020060202
31 - (dtucker) [configure.ac] Bug #1148: Fix "crippled AES" test so that it
32 works with picky compilers. Patch from alex.kiernan at thus.net.
33
3420060201
35 - (djm) [regress/test-exec.sh] Try 'logname' as well as 'whoami' to
36 determine the user's login name - needed for regress tests on Solaris
37 10 and OpenSolaris
38 - (djm) OpenBSD CVS Sync
39 - jmc@cvs.openbsd.org 2006/02/01 09:06:50
40 [sshd.8]
41 - merge sections on protocols 1 and 2 into a single section
42 - remove configuration file section
43 ok markus
44 - jmc@cvs.openbsd.org 2006/02/01 09:11:41
45 [sshd.8]
46 small tweak;
47 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
48 [contrib/suse/openssh.spec] Update versions ahead of release
49 - markus@cvs.openbsd.org 2006/02/01 11:27:22
50 [version.h]
51 openssh 4.3
52 - (djm) Release OpenSSH 4.3p1
53
5420060131
55 - (djm) OpenBSD CVS Sync
56 - jmc@cvs.openbsd.org 2006/01/20 11:21:45
57 [ssh_config.5]
58 - word change, agreed w/ markus
59 - consistency fixes
60 - jmc@cvs.openbsd.org 2006/01/25 09:04:34
61 [sshd.8]
62 move the options description up the page, and a few additional tweaks
63 whilst in here;
64 ok markus
65 - jmc@cvs.openbsd.org 2006/01/25 09:07:22
66 [sshd.8]
67 move subsections to full sections;
68 - jmc@cvs.openbsd.org 2006/01/26 08:47:56
69 [ssh.1]
70 add a section on verifying host keys in dns;
71 written with a lot of help from jakob;
72 feedback dtucker/markus;
73 ok markus
74 - reyk@cvs.openbsd.org 2006/01/30 12:22:22
75 [channels.c]
76 mark channel as write failed or dead instead of read failed on error
77 of the channel output filter.
78 ok markus@
79 - jmc@cvs.openbsd.org 2006/01/30 13:37:49
80 [ssh.1]
81 remove an incorrect sentence;
82 reported by roumen petrov;
83 ok djm markus
84 - djm@cvs.openbsd.org 2006/01/31 10:19:02
85 [misc.c misc.h scp.c sftp.c]
86 fix local arbitrary command execution vulnerability on local/local and
87 remote/remote copies (CVE-2006-0225, bz #1094), patch by
88 t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@
89 - djm@cvs.openbsd.org 2006/01/31 10:35:43
90 [scp.c]
91 "scp a b c" shouldn't clobber "c" when it is not a directory, report and
92 fix from biorn@; ok markus@
93 - (djm) Sync regress tests to OpenBSD:
94 - dtucker@cvs.openbsd.org 2005/03/10 10:20:39
95 [regress/forwarding.sh]
96 Regress test for ClearAllForwardings (bz #994); ok markus@
97 - dtucker@cvs.openbsd.org 2005/04/25 09:54:09
98 [regress/multiplex.sh]
99 Don't call cleanup in multiplex as test-exec will cleanup anyway
100 found by tim@, ok djm@
101 NB. ID sync only, we already had this
102 - djm@cvs.openbsd.org 2005/05/20 23:14:15
103 [regress/test-exec.sh]
104 force addressfamily=inet for tests, unbreaking dynamic-forward regress for
105 recently committed nc SOCKS5 changes
106 - djm@cvs.openbsd.org 2005/05/24 04:10:54
107 [regress/try-ciphers.sh]
108 oops, new arcfour modes here too
109 - markus@cvs.openbsd.org 2005/06/30 11:02:37
110 [regress/scp.sh]
111 allow SUDO=sudo; from Alexander Bluhm
112 - grunk@cvs.openbsd.org 2005/11/14 21:25:56
113 [regress/agent-getpeereid.sh]
114 all other scripts in this dir use $SUDO, not 'sudo', so pull this even
115 ok markus@
116 - dtucker@cvs.openbsd.org 2005/12/14 04:36:39
117 [regress/scp-ssh-wrapper.sh]
118 Fix assumption about how many args scp will pass; ok djm@
119 NB. ID sync only, we already had this
120 - djm@cvs.openbsd.org 2006/01/27 06:49:21
121 [scp.sh]
122 regress test for local to local scp copies; ok dtucker@
123 - djm@cvs.openbsd.org 2006/01/31 10:23:23
124 [scp.sh]
125 regression test for CVE-2006-0225 written by dtucker@
126 - djm@cvs.openbsd.org 2006/01/31 10:36:33
127 [scp.sh]
128 regress test for "scp a b c" where "c" is not a directory
129
13020060129
131 - (dtucker) [configure.ac opensshd.init.in] Bug #1144: Use /bin/sh for the
132 opensshd.init script interpretter if /sbin/sh does not exist. ok tim@
133
13420060120
135 - (dtucker) OpenBSD CVS Sync
136 - jmc@cvs.openbsd.org 2006/01/15 17:37:05
137 [ssh.1]
138 correction from deraadt
139 - jmc@cvs.openbsd.org 2006/01/18 10:53:29
140 [ssh.1]
141 add a section on ssh-based vpn, based on reyk's README.tun;
142 - dtucker@cvs.openbsd.org 2006/01/20 00:14:55
143 [scp.1 ssh.1 ssh_config.5 sftp.1]
144 Document RekeyLimit. Based on patch from jan.iven at cern.ch from mindrot
145 #1056 with feedback from jmc, djm and markus; ok jmc@ djm@
146
14720060114
148 - (djm) OpenBSD CVS Sync
149 - jmc@cvs.openbsd.org 2006/01/06 13:27:32
150 [ssh.1]
151 weed out some duplicate info in the known_hosts FILES entries;
152 ok djm
153 - jmc@cvs.openbsd.org 2006/01/06 13:29:10
154 [ssh.1]
155 final round of whacking FILES for duplicate info, and some consistency
156 fixes;
157 ok djm
158 - jmc@cvs.openbsd.org 2006/01/12 14:44:12
159 [ssh.1]
160 split sections on tcp and x11 forwarding into two sections.
161 add an example in the tcp section, based on sth i wrote for ssh faq;
162 help + ok: djm markus dtucker
163 - jmc@cvs.openbsd.org 2006/01/12 18:48:48
164 [ssh.1]
165 refer to `TCP' rather than `TCP/IP' in the context of connection
166 forwarding;
167 ok markus
168 - jmc@cvs.openbsd.org 2006/01/12 22:20:00
169 [sshd.8]
170 refer to TCP forwarding, rather than TCP/IP forwarding;
171 - jmc@cvs.openbsd.org 2006/01/12 22:26:02
172 [ssh_config.5]
173 refer to TCP forwarding, rather than TCP/IP forwarding;
174 - jmc@cvs.openbsd.org 2006/01/12 22:34:12
175 [ssh.1]
176 back out a sentence - AUTHENTICATION already documents this;
177
17820060109
179 - (dtucker) [contrib/cygwin/ssh-host-config] Make sshd service depend on
180 tcpip service so it's always started after IP is up. Patch from
181 vinschen at redhat.com.
182
18320060106
184 - (djm) OpenBSD CVS Sync
185 - jmc@cvs.openbsd.org 2006/01/03 16:31:10
186 [ssh.1]
187 move FILES to a -compact list, and make each files an item in that list.
188 this avoids nastly line wrap when we have long pathnames, and treats
189 each file as a separate item;
190 remove the .Pa too, since it is useless.
191 - jmc@cvs.openbsd.org 2006/01/03 16:35:30
192 [ssh.1]
193 use a larger width for the ENVIRONMENT list;
194 - jmc@cvs.openbsd.org 2006/01/03 16:52:36
195 [ssh.1]
196 put FILES in some sort of order: sort by pathname
197 - jmc@cvs.openbsd.org 2006/01/03 16:55:18
198 [ssh.1]
199 tweak the description of ~/.ssh/environment
200 - jmc@cvs.openbsd.org 2006/01/04 18:42:46
201 [ssh.1]
202 chop out some duplication in the .{r,s}hosts/{h,sh}osts.equiv FILES
203 entries;
204 ok markus
205 - jmc@cvs.openbsd.org 2006/01/04 18:45:01
206 [ssh.1]
207 remove .Xr's to rsh(1) and telnet(1): they are hardly needed;
208 - jmc@cvs.openbsd.org 2006/01/04 19:40:24
209 [ssh.1]
210 +.Xr ssh-keyscan 1 ,
211 - jmc@cvs.openbsd.org 2006/01/04 19:50:09
212 [ssh.1]
213 -.Xr gzip 1 ,
214 - djm@cvs.openbsd.org 2006/01/05 23:43:53
215 [misc.c]
216 check that stdio file descriptors are actually closed before clobbering
217 them in sanitise_stdfd(). problems occurred when a lower numbered fd was
218 closed, but higher ones weren't. spotted by, and patch tested by
219 Frédéric Olivié
220
22120060103
222 - (djm) [channels.c] clean up harmless merge error, from reyk@
223
22420060103
225 - (djm) OpenBSD CVS Sync
226 - jmc@cvs.openbsd.org 2006/01/02 17:09:49
227 [ssh_config.5 sshd_config.5]
228 some corrections from michael knudsen;
229
23020060102
231 - (djm) [README.tun] Add README.tun, missed during sync of tun(4) support
232 - (djm) OpenBSD CVS Sync
233 - jmc@cvs.openbsd.org 2005/12/31 10:46:17
234 [ssh.1]
235 merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER
236 AUTHENTICATION" sections into "AUTHENTICATION";
237 some rewording done to make the text read better, plus some
238 improvements from djm;
239 ok djm
240 - jmc@cvs.openbsd.org 2005/12/31 13:44:04
241 [ssh.1]
242 clean up ENVIRONMENT a little;
243 - jmc@cvs.openbsd.org 2005/12/31 13:45:19
244 [ssh.1]
245 .Nm does not require an argument;
246 - stevesk@cvs.openbsd.org 2006/01/01 08:59:27
247 [includes.h misc.c]
248 move <net/if.h>; ok djm@
249 - stevesk@cvs.openbsd.org 2006/01/01 10:08:48
250 [misc.c]
251 no trailing "\n" for debug()
252 - djm@cvs.openbsd.org 2006/01/02 01:20:31
253 [sftp-client.c sftp-common.h sftp-server.c]
254 use a common max. packet length, no binary change
255 - reyk@cvs.openbsd.org 2006/01/02 07:53:44
256 [misc.c]
257 clarify tun(4) opening - set the mode and bring the interface up. also
258 (re)sets the tun(4) layer 2 LINK0 flag for existing tunnel interfaces.
259 suggested and ok by djm@
260 - jmc@cvs.openbsd.org 2006/01/02 12:31:06
261 [ssh.1]
262 start to cut some duplicate info from FILES;
263 help/ok djm
264
26520060101
266 - (djm) [Makefile.in configure.ac includes.h misc.c]
267 [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Add support
268 for tunnel forwarding for FreeBSD and NetBSD. NetBSD's support is
269 limited to IPv4 tunnels only, and most versions don't support the
270 tap(4) device at all.
271 - (djm) [configure.ac] Fix linux/if_tun.h test
272 - (djm) [openbsd-compat/port-tun.c] Linux needs linux/if.h too
273
27420051229
275 - (djm) OpenBSD CVS Sync
276 - stevesk@cvs.openbsd.org 2005/12/28 22:46:06
277 [canohost.c channels.c clientloop.c]
278 use 'break-in' for consistency; ok deraadt@ ok and input jmc@
279 - reyk@cvs.openbsd.org 2005/12/30 15:56:37
280 [channels.c channels.h clientloop.c]
281 add channel output filter interface.
282 ok djm@, suggested by markus@
283 - jmc@cvs.openbsd.org 2005/12/30 16:59:00
284 [sftp.1]
285 do not suggest that interactive authentication will work
286 with the -b flag;
287 based on a diff from john l. scarfone;
288 ok djm
289 - stevesk@cvs.openbsd.org 2005/12/31 01:38:45
290 [ssh.1]
291 document -MM; ok djm@
292 - (djm) [openbsd-compat/port-tun.c openbsd-compat/port-tun.h configure.ac]
293 [serverloop.c ssh.c openbsd-compat/Makefile.in]
294 [openbsd-compat/openbsd-compat.h] Implement tun(4) forwarding
295 compatability support for Linux, diff from reyk@
296 - (djm) [configure.ac] Disable Linux tun(4) compat code if linux/tun.h does
297 not exist
298 - (djm) [configure.ac] oops, make that linux/if_tun.h
299
30020051229
301 - (tim) [buildpkg.sh.in] grep for $SSHDUID instead of $SSHDGID on /etc/passwd
302
30320051224
304 - (djm) OpenBSD CVS Sync
305 - jmc@cvs.openbsd.org 2005/12/20 21:59:43
306 [ssh.1]
307 merge the sections on protocols 1 and 2 into one section on
308 authentication;
309 feedback djm dtucker
310 ok deraadt markus dtucker
311 - jmc@cvs.openbsd.org 2005/12/20 22:02:50
312 [ssh.1]
313 .Ss -> .Sh: subsections have not made this page more readable
314 - jmc@cvs.openbsd.org 2005/12/20 22:09:41
315 [ssh.1]
316 move info on ssh return values and config files up into the main
317 description;
318 - jmc@cvs.openbsd.org 2005/12/21 11:48:16
319 [ssh.1]
320 -L and -R descriptions are now above, not below, ~C description;
321 - jmc@cvs.openbsd.org 2005/12/21 11:57:25
322 [ssh.1]
323 options now described `above', rather than `later';
324 - jmc@cvs.openbsd.org 2005/12/21 12:53:31
325 [ssh.1]
326 -Y does X11 forwarding too;
327 ok markus
328 - stevesk@cvs.openbsd.org 2005/12/21 22:44:26
329 [sshd.8]
330 clarify precedence of -p, Port, ListenAddress; ok and help jmc@
331 - jmc@cvs.openbsd.org 2005/12/22 10:31:40
332 [ssh_config.5]
333 put the description of "UsePrivilegedPort" in the correct place;
334 - jmc@cvs.openbsd.org 2005/12/22 11:23:42
335 [ssh.1]
336 expand the description of -w somewhat;
337 help/ok reyk
338 - jmc@cvs.openbsd.org 2005/12/23 14:55:53
339 [ssh.1]
340 - sync the description of -e w/ synopsis
341 - simplify the description of -I
342 - note that -I is only available if support compiled in, and that it
343 isn't by default
344 feedback/ok djm@
345 - jmc@cvs.openbsd.org 2005/12/23 23:46:23
346 [ssh.1]
347 less mark up for -c;
348 - djm@cvs.openbsd.org 2005/12/24 02:27:41
349 [session.c sshd.c]
350 eliminate some code duplicated in privsep and non-privsep paths, and
351 explicitly clear SIGALRM handler; "groovy" deraadt@
352
35320051220
354 - (dtucker) OpenBSD CVS Sync
355 - reyk@cvs.openbsd.org 2005/12/13 15:03:02
356 [serverloop.c]
357 if forced_tun_device is not set, it is -1 and not SSH_TUNID_ANY
358 - jmc@cvs.openbsd.org 2005/12/16 18:07:08
359 [ssh.1]
360 move the option descriptions up the page: start of a restructure;
361 ok markus deraadt
362 - jmc@cvs.openbsd.org 2005/12/16 18:08:53
363 [ssh.1]
364 simplify a sentence;
365 - jmc@cvs.openbsd.org 2005/12/16 18:12:22
366 [ssh.1]
367 make the description of -c a little nicer;
368 - jmc@cvs.openbsd.org 2005/12/16 18:14:40
369 [ssh.1]
370 signpost the protocol sections;
371 - stevesk@cvs.openbsd.org 2005/12/17 21:13:05
372 [ssh_config.5 session.c]
373 spelling: fowarding, fowarded
374 - stevesk@cvs.openbsd.org 2005/12/17 21:36:42
375 [ssh_config.5]
376 spelling: intented -> intended
377 - dtucker@cvs.openbsd.org 2005/12/20 04:41:07
378 [ssh.c]
379 exit(255) on error to match description in ssh(1); bz #1137; ok deraadt@
380
38120051219
382 - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac
383 openbsd-compat/openssl-compat.h] Check for and work around broken AES
384 ciphers >128bit on (some) Solaris 10 systems. ok djm@
385
38620051217
387 - (dtucker) [defines.h] HP-UX system headers define "YES" and "NO" which
388 scp.c also uses, so undef them here.
389 - (dtucker) [configure.ac openbsd-compat/bsd-snprintf.c] Bug #1133: Our
390 snprintf replacement can have a conflicting declaration in HP-UX's system
391 headers (const vs. no const) so we now check for and work around it. Patch
392 from the dynamic duo of David Leonard and Ted Percival.
393
39420051214
395 - (dtucker) OpenBSD CVS Sync (regress/)
396 - dtucker@cvs.openbsd.org 2005/12/30 04:36:39
397 [regress/scp-ssh-wrapper.sh]
398 Fix assumption about how many args scp will pass; ok djm@
399
40020051213
401 - (djm) OpenBSD CVS Sync
402 - jmc@cvs.openbsd.org 2005/11/30 11:18:27
403 [ssh.1]
404 timezone -> time zone
405 - jmc@cvs.openbsd.org 2005/11/30 11:45:20
406 [ssh.1]
407 avoid ambiguities in describing TZ;
408 ok djm@
409 - reyk@cvs.openbsd.org 2005/12/06 22:38:28
410 [auth-options.c auth-options.h channels.c channels.h clientloop.c]
411 [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h]
412 [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c]
413 [sshconnect.h sshd.8 sshd_config sshd_config.5]
414 Add support for tun(4) forwarding over OpenSSH, based on an idea and
415 initial channel code bits by markus@. This is a simple and easy way to
416 use OpenSSH for ad hoc virtual private network connections, e.g.
417 administrative tunnels or secure wireless access. It's based on a new
418 ssh channel and works similar to the existing TCP forwarding support,
419 except that it depends on the tun(4) network interface on both ends of
420 the connection for layer 2 or layer 3 tunneling. This diff also adds
421 support for LocalCommand in the ssh(1) client.
422 ok djm@, markus@, jmc@ (manpages), tested and discussed with others
423 - djm@cvs.openbsd.org 2005/12/07 03:52:22
424 [clientloop.c]
425 reyk forgot to compile with -Werror (missing header)
426 - jmc@cvs.openbsd.org 2005/12/07 10:52:13
427 [ssh.1]
428 - avoid line split in SYNOPSIS
429 - add args to -w
430 - kill trailing whitespace
431 - jmc@cvs.openbsd.org 2005/12/08 14:59:44
432 [ssh.1 ssh_config.5]
433 make `!command' a little clearer;
434 ok reyk
435 - jmc@cvs.openbsd.org 2005/12/08 15:06:29
436 [ssh_config.5]
437 keep options in order;
438 - reyk@cvs.openbsd.org 2005/12/08 18:34:11
439 [auth-options.c includes.h misc.c misc.h readconf.c servconf.c]
440 [serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac]
441 two changes to the new ssh tunnel support. this breaks compatibility
442 with the initial commit but is required for a portable approach.
443 - make the tunnel id u_int and platform friendly, use predefined types.
444 - support configuration of layer 2 (ethernet) or layer 3
445 (point-to-point, default) modes. configuration is done using the
446 Tunnel (yes|point-to-point|ethernet|no) option is ssh_config(5) and
447 restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
448 in sshd_config(5).
449 ok djm@, man page bits by jmc@
450 - jmc@cvs.openbsd.org 2005/12/08 21:37:50
451 [ssh_config.5]
452 new sentence, new line;
453 - markus@cvs.openbsd.org 2005/12/12 13:46:18
454 [channels.c channels.h session.c]
455 make sure protocol messages for internal channels are ignored.
456 allow adjust messages for non-open channels; with and ok djm@
457 - (djm) [misc.c] Disable tunnel code for non-OpenBSD (for now), enable
458 again by providing a sys_tun_open() function for your platform and
459 setting the CUSTOM_SYS_TUN_OPEN define. More work is required to match
460 OpenBSD's tunnel protocol, which prepends the address family to the
461 packet
462
46320051201
464 - (djm) [envpass.sh] Remove regress script that was accidentally committed
465 in top level directory and not noticed for over a year :)
466
46720051129
468 - (tim) [ssh-keygen.c] Move DSA length test after setting default when
469 bits == 0.
470 - (dtucker) OpenBSD CVS Sync
471 - dtucker@cvs.openbsd.org 2005/11/29 02:04:55
472 [ssh-keygen.c]
473 Populate default key sizes before checking them; from & ok tim@
474 - (tim) [configure.ac sshd.8] Enable locked account check (a "*LK*" string)
475 for UnixWare.
476
47720051128
478 - (dtucker) [regress/yes-head.sh] Work around breakage caused by some
479 versions of GNU head. Based on patch from zappaman at buraphalinux.org
480 - (dtucker) [includes.h] Bug #1122: __USE_GNU is a glibc internal macro, use
481 _GNU_SOURCE instead. Patch from t8m at centrum.cz.
482 - (dtucker) OpenBSD CVS Sync
483 - dtucker@cvs.openbsd.org 2005/11/28 05:16:53
484 [ssh-keygen.1 ssh-keygen.c]
485 Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2,
486 increase minumum RSA key size to 768 bits and update man page to reflect
487 these. Patch originally bz#1119 (senthilkumar_sen at hotpop.com),
488 ok djm@, grudging ok deraadt@.
489 - dtucker@cvs.openbsd.org 2005/11/28 06:02:56
490 [ssh-agent.1]
491 Update agent socket path templates to reflect reality, correct xref for
492 time formats. bz#1121, patch from openssh at roumenpetrov.info, ok djm@
493
49420051126
495 - (dtucker) [configure.ac] Bug #1126: AIX 5.2 and 5.3 (and presumably newer,
496 when they're available) need the real UID set otherwise pam_chauthtok will
497 set ADMCHG after changing the password, forcing the user to change it
498 again immediately.
499
50020051125
501 - (dtucker) [configure.ac] Apply tim's fix for older systems where the
502 resolver state in resolv.h is "state" not "__res_state". With slight
503 modification by me to also work on old AIXes. ok djm@
504 - (dtucker) [progressmeter.c scp.c sftp-server.c] Use correct casts for
505 snprintf formats, fixes warnings on some 64 bit platforms. Patch from
506 shaw at vranix.com, ok djm@
507
50820051124
509 - (djm) [configure.ac openbsd-compat/Makefile.in openbsd-compat/bsd-asprintf.c
510 openbsd-compat/bsd-snprintf.c openbsd-compat/openbsd-compat.h] Add an
511 asprintf() implementation, after syncing our {v,}snprintf() implementation
512 with some extra fixes from Samba's version. With help and debugging from
513 dtucker and tim; ok dtucker@
514 - (dtucker) [configure.ac] Fix typos in comments and AC_SEARCH_LIB argument
515 order in Reliant Unix block. Patch from johane at lysator.liu.se.
516 - (dtucker) [regress/test-exec.sh] Use 1024 bit keys since we generate so
517 many and use them only once. Speeds up testing on older/slower hardware.
518
51920051122
520 - (dtucker) OpenBSD CVS Sync
521 - deraadt@cvs.openbsd.org 2005/11/12 18:37:59
522 [ssh-add.c]
523 space
524 - deraadt@cvs.openbsd.org 2005/11/12 18:38:15
525 [scp.c]
526 avoid close(-1), as in rcp; ok cloder
527 - millert@cvs.openbsd.org 2005/11/15 11:59:54
528 [includes.h]
529 Include sys/queue.h explicitly instead of assuming some other header
530 will pull it in. At the moment it gets pulled in by sys/select.h
531 (which ssh has no business including) via event.h. OK markus@
532 (ID sync only in -portable)
533 - dtucker@cvs.openbsd.org 2005/11/21 09:42:10
534 [auth-krb5.c]
535 Perform Kerberos calls even for invalid users to prevent leaking
536 information about account validity. bz #975, patch originally from
537 Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@,
538 ok markus@
539 - dtucker@cvs.openbsd.org 2005/11/22 03:36:03
540 [hostfile.c]
541 Correct format/arguments to debug call; spotted by shaw at vranix.com
542 ok djm@
543 - (dtucker) [loginrec.c] Add casts to prevent compiler warnings, patch
544 from shaw at vranix.com.
545
54620051120
547 - (dtucker) [openbsd-compat/openssl-compat.h] Add comment explaining what
548 is going on.
549
55020051112
551 - (dtucker) [openbsd-compat/getrrsetbyname.c] Restore Portable-specific
552 ifdef lost during sync. Spotted by tim@.
553 - (dtucker) [openbsd-compat/{realpath.c,stroll.c,rresvport.c}] $OpenBSD tag.
554 - (dtucker) [configure.ac] Use "$AWK" instead of "awk" in gcc version test.
555 - (dtucker) [configure.ac] Remove duplicate utimes() check. ok djm@
556 - (dtucker) [regress/reconfigure.sh] Fix potential race in the reconfigure
557 test: if sshd takes too long to reconfigure the subsequent connection will
558 fail. Zap pidfile before HUPing sshd which will rewrite it when it's ready.
559
56020051110
561 - (dtucker) [openbsd-compat/setenv.c] Merge changes for __findenv from
562 OpenBSD getenv.c revs 1.4 - 1.8 (ANSIfication of arguments, removal of
563 "register").
564 - (dtucker) [openbsd-compat/setenv.c] Make __findenv static, remove
565 unnecessary prototype.
566 - (dtucker) [openbsd-compat/setenv.c] Sync changes from OpenBSD setenv.c
567 revs 1.7 - 1.9.
568 - (dtucker) [auth-krb5.c] Fix -Wsign-compare warning in non-Heimdal path.
569 Patch from djm@.
570 - (dtucker) [configure.ac] Disable pointer-sign warnings on gcc 4.0+
571 since they're not useful right now. Patch from djm@.
572 - (dtucker) [openbsd-compat/getgrouplist.c] Sync OpenBSD revs 1.10 - 1.2 (ANSI
573 prototypes, removal of "register").
574 - (dtucker) [openbsd-compat/strlcat.c] Sync OpenBSD revs 1.11 - 1.12 (removal
575 of "register").
576 - (dtucker) [openbsd-compat/{LOTS}] Move the "OPENBSD ORIGINAL" markers to
577 after the copyright notices. Having them at the top next to the CVSIDs
578 guarantees a conflict for each and every sync.
579 - (dtucker) [openbsd-compat/strlcpy.c] Update from OpenBSD 1.8 -> 1.10.
580 - (dtucker) [openbsd-compat/sigact.h] Add "OPENBSD ORIGINAL" marker.
581 - (dtucker) [openbsd-compat/strmode.c] Update from OpenBSD 1.5 -> 1.7.
582 Removal of rcsid, "whiteout" inode type.
583 - (dtucker) [openbsd-compat/basename.c] Update from OpenBSD 1.11 -> 1.14.
584 Removal of rcsid, will no longer strlcpy parts of the string.
585 - (dtucker) [openbsd-compat/strtoll.c] Update from OpenBSD 1.4 -> 1.5.
586 - (dtucker) [openbsd-compat/strtoul.c] Update from OpenBSD 1.5 -> 1.7.
587 - (dtucker) [openbsd-compat/readpassphrase.c] Update from OpenBSD 1.16 -> 1.18.
588 - (dtucker) [openbsd-compat/readpassphrase.h] Update from OpenBSD 1.3 -> 1.5.
589 - (dtucker) [openbsd-compat/glob.c] Update from OpenBSD 1.22 -> 1.25.
590 - (dtucker) [openbsd-compat/glob.h] Update from OpenBSD 1.8 -> 1.9.
591 - (dtucker) [openbsd-compat/getcwd.c] Update from OpenBSD 1.9 -> 1.14.
592 - (dtucker) [openbsd-compat/getcwd.c] Replace lstat with fstat to match up
593 with OpenBSD code since we don't support platforms without fstat any more.
594 - (dtucker) [openbsd-compat/inet_aton.c] Update from OpenBSD 1.7 -> 1.9.
595 - (dtucker) [openbsd-compat/inet_ntoa.c] Update from OpenBSD 1.4 -> 1.6.
596 - (dtucker) [openbsd-compat/inet_ntop.c] Update from OpenBSD 1.5 -> 1.7.
597 - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.5 -> 1.6.
598 - (dtucker) [openbsd-compat/strsep.c] Update from OpenBSD 1.5 -> 1.6.
599 - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.10 -> 1.13.
600 - (dtucker) [openbsd-compat/mktemp.c] Update from OpenBSD 1.17 -> 1.19.
601 - (dtucker) [openbsd-compat/rresvport.c] Update from OpenBSD 1.6 -> 1.8.
602 - (dtucker) [openbsd-compat/bindresvport.c] Add "OPENBSD ORIGINAL" marker.
603 - (dtucker) [openbsd-compat/bindresvport.c] Update from OpenBSD 1.16 -> 1.17.
604 - (dtucker) [openbsd-compat/sigact.c] Update from OpenBSD 1.3 -> 1.4.
605 Id and copyright sync only, there were no substantial changes we need.
606 - (dtucker) [openbsd-compat/bsd-closefrom.c openbsd-compat/base64.c]
607 -Wsign-compare fixes from djm.
608 - (dtucker) [openbsd-compat/sigact.h] Update from OpenBSD 1.2 -> 1.3.
609 Id and copyright sync only, there were no substantial changes we need.
610 - (dtucker) [configure.ac] Try to get the gcc version number in a way that
611 doesn't change between versions, and use a safer default.
612
61320051105
614 - (djm) OpenBSD CVS Sync
615 - markus@cvs.openbsd.org 2005/10/07 11:13:57
616 [ssh-keygen.c]
617 change DSA default back to 1024, as it's defined for 1024 bits only
618 and this causes interop problems with other clients. moreover,
619 in order to improve the security of DSA you need to change more
620 components of DSA key generation (e.g. the internal SHA1 hash);
621 ok deraadt
622 - djm@cvs.openbsd.org 2005/10/10 10:23:08
623 [channels.c channels.h clientloop.c serverloop.c session.c]
624 fix regression I introduced in 4.2: X11 forwardings initiated after
625 a session has exited (e.g. "(sleep 5; xterm) &") would not start.
626 bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@
627 - djm@cvs.openbsd.org 2005/10/11 23:37:37
628 [channels.c]
629 bz #1076 set SO_REUSEADDR on X11 forwarding listner sockets, preventing
630 bind() failure when a previous connection's listeners are in TIME_WAIT,
631 reported by plattner AT inf.ethz.ch; ok dtucker@
632 - stevesk@cvs.openbsd.org 2005/10/13 14:03:01
633 [auth2-gss.c gss-genr.c gss-serv.c]
634 remove unneeded #includes; ok markus@
635 - stevesk@cvs.openbsd.org 2005/10/13 14:20:37
636 [gss-serv.c]
637 spelling in comments
638 - stevesk@cvs.openbsd.org 2005/10/13 19:08:08
639 [gss-serv-krb5.c gss-serv.c]
640 unused declarations; ok deraadt@
641 (id sync only for gss-serv-krb5.c)
642 - stevesk@cvs.openbsd.org 2005/10/13 19:13:41
643 [dns.c]
644 unneeded #include, unused declaration, little knf; ok deraadt@
645 - stevesk@cvs.openbsd.org 2005/10/13 22:24:31
646 [auth2-gss.c gss-genr.c gss-serv.c monitor.c]
647 KNF; ok djm@
648 - stevesk@cvs.openbsd.org 2005/10/14 02:17:59
649 [ssh-keygen.c ssh.c sshconnect2.c]
650 no trailing "\n" for log functions; ok djm@
651 - stevesk@cvs.openbsd.org 2005/10/14 02:29:37
652 [channels.c clientloop.c]
653 free()->xfree(); ok djm@
654 - stevesk@cvs.openbsd.org 2005/10/15 15:28:12
655 [sshconnect.c]
656 make external definition static; ok deraadt@
657 - stevesk@cvs.openbsd.org 2005/10/17 13:45:05
658 [dns.c]
659 fix memory leaks from 2 sources:
660 1) key_fingerprint_raw()
661 2) malloc in dns_read_rdata()
662 ok jakob@
663 - stevesk@cvs.openbsd.org 2005/10/17 14:01:28
664 [dns.c]
665 remove #ifdef LWRES; ok jakob@
666 - stevesk@cvs.openbsd.org 2005/10/17 14:13:35
667 [dns.c dns.h]
668 more cleanups; ok jakob@
669 - djm@cvs.openbsd.org 2005/10/30 01:23:19
670 [ssh_config.5]
671 mention control socket fallback behaviour, reported by
672 tryponraj AT gmail.com
673 - djm@cvs.openbsd.org 2005/10/30 04:01:03
674 [ssh-keyscan.c]
675 make ssh-keygen discard junk from server before SSH- ident, spotted by
676 dave AT cirt.net; ok dtucker@
677 - djm@cvs.openbsd.org 2005/10/30 04:03:24
678 [ssh.c]
679 fix misleading debug message; ok dtucker@
680 - dtucker@cvs.openbsd.org 2005/10/30 08:29:29
681 [canohost.c sshd.c]
682 Check for connections with IP options earlier and drop silently. ok djm@
683 - jmc@cvs.openbsd.org 2005/10/30 08:43:47
684 [ssh_config.5]
685 remove trailing whitespace;
686 - djm@cvs.openbsd.org 2005/10/30 08:52:18
687 [clientloop.c packet.c serverloop.c session.c ssh-agent.c ssh-keygen.c]
688 [ssh.c sshconnect.c sshconnect1.c sshd.c]
689 no need to escape single quotes in comments, no binary change
690 - dtucker@cvs.openbsd.org 2005/10/31 06:15:04
691 [sftp.c]
692 Fix sorting with "ls -1" command. From Robert Tsai, "looks right" deraadt@
693 - djm@cvs.openbsd.org 2005/10/31 11:12:49
694 [ssh-keygen.1 ssh-keygen.c]
695 generate a protocol 2 RSA key by default
696 - djm@cvs.openbsd.org 2005/10/31 11:48:29
697 [serverloop.c]
698 make sure we clean up wtmp, etc. file when we receive a SIGTERM,
699 SIGINT or SIGQUIT when running without privilege separation (the
700 normal privsep case is already OK). Patch mainly by dtucker@ and
701 senthilkumar_sen AT hotpop.com; ok dtucker@
702 - jmc@cvs.openbsd.org 2005/10/31 19:55:25
703 [ssh-keygen.1]
704 grammar;
705 - dtucker@cvs.openbsd.org 2005/11/03 13:38:29
706 [canohost.c]
707 Cache reverse lookups with and without DNS separately; ok markus@
708 - djm@cvs.openbsd.org 2005/11/04 05:15:59
709 [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c]
710 remove hardcoded hash lengths in key exchange code, allowing
711 implementation of KEX methods with different hashes (e.g. SHA-256);
712 ok markus@ dtucker@ stevesk@
713 - djm@cvs.openbsd.org 2005/11/05 05:01:15
714 [bufaux.c]
715 Fix leaks in error paths, bz #1109 and #1110 reported by kremenek AT
716 cs.stanford.edu; ok dtucker@
717 - (dtucker) [README.platform] Add PAM section.
718 - (djm) [openbsd-compat/getrrsetbyname.c] Sync to latest OpenBSD version,
719 resolving memory leak bz#1111 reported by kremenek AT cs.stanford.edu;
720 ok dtucker@
721
72220051102
723 - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup().
724 Reported by olavi at ipunplugged.com and antoine.brodin at laposte.net
725 via FreeBSD.
726
72720051030
728 - (djm) [contrib/suse/openssh.spec contrib/suse/rc.
729 sshd contrib/suse/sysconfig.ssh] Bug #1106: Updated SuSE spec and init
730 files from imorgan AT nas.nasa.gov
731 - (dtucker) [session.c] Bug #1045do not check /etc/nologin when PAM is
732 enabled, instead allow PAM to handle it. Note that on platforms using PAM,
733 the pam_nologin module should be added to sshd's session stack in order to
734 maintain exising behaviour. Based on patch and discussion from t8m at
735 centrum.cz, ok djm@
736
73720051025
738 - (dtucker) [configure.ac] Relocate LLONG_MAX calculation to after the
739 sizeof(long long) checks, to make fixing bug #1104 easier (no changes
740 yet).
741 - (dtucker) [configure.ac] Bug #1104: Tru64's printf family doesn't
742 understand "%lld", even though the compiler has "long long", so handle
743 it as a special case. Patch tested by mcaskill.scott at epa.gov.
744 - (dtucker) [contrib/cygwin/ssh-user-config] Remove duplicate yes/no
745 prompt. Patch from vinschen at redhat.com.
746
74720051017
748 - (dtucker) [configure.ac] Bug #1097: Fix configure for cross-compiling.
749 /etc/default/login report and testing from aabaker at iee.org, corrections
750 from tim@.
751
75220051009
753 - (dtucker) [configure.ac defines.h openbsd-compat/vis.{c,h}] Sync current
754 versions from OpenBSD. ok djm@
755
75620051008
757 - (dtucker) [configure.ac] Bug #1098: define $MAIL for HP-UX; report from
758 brian.smith at agilent com.
759 - (djm) [configure.ac] missing 'test' call for -with-Werror test
760
76120051005
762 - (dtucker) [configure.ac sshd.8] Enable locked account check (a prepended
763 "*LOCKED*" string) for FreeBSD. Patch jeremie at le-hen.org and
764 senthilkumar_sen at hotpop.com.
765
76620051003
767 - (dtucker) OpenBSD CVS Sync
768 - markus@cvs.openbsd.org 2005/09/07 08:53:53
769 [channels.c]
770 enforce chanid != NULL; ok djm
771 - markus@cvs.openbsd.org 2005/09/09 19:18:05
772 [clientloop.c]
773 typo; from mark at mcs.vuw.ac.nz, bug #1082
774 - djm@cvs.openbsd.org 2005/09/13 23:40:07
775 [sshd.c ssh.c misc.h sftp.c ssh-keygen.c ssh-keysign.c sftp-server.c
776 scp.c misc.c ssh-keyscan.c ssh-add.c ssh-agent.c]
777 ensure that stdio fds are attached; ok deraadt@
778 - djm@cvs.openbsd.org 2005/09/19 11:37:34
779 [ssh_config.5 ssh.1]
780 mention ability to specify bind_address for DynamicForward and -D options;
781 bz#1077 spotted by Haruyama Seigo
782 - djm@cvs.openbsd.org 2005/09/19 11:47:09
783 [sshd.c]
784 stop connection abort on rekey with delayed compression enabled when
785 post-auth privsep is disabled (e.g. when root is logged in); ok dtucker@
786 - djm@cvs.openbsd.org 2005/09/19 11:48:10
787 [gss-serv.c]
788 typo
789 - jmc@cvs.openbsd.org 2005/09/19 15:38:27
790 [ssh.1]
791 some more .Bk/.Ek to avoid ugly line split;
792 - jmc@cvs.openbsd.org 2005/09/19 15:42:44
793 [ssh.c]
794 update -D usage here too;
795 - djm@cvs.openbsd.org 2005/09/19 23:31:31
796 [ssh.1]
797 spelling nit from stevesk@
798 - djm@cvs.openbsd.org 2005/09/21 23:36:54
799 [sshd_config.5]
800 aquire -> acquire, from stevesk@
801 - djm@cvs.openbsd.org 2005/09/21 23:37:11
802 [sshd.c]
803 change label at markus@'s request
804 - jaredy@cvs.openbsd.org 2005/09/30 20:34:26
805 [ssh-keyscan.1]
806 deploy .An -nosplit; ok jmc
807 - dtucker@cvs.openbsd.org 2005/10/03 07:44:42
808 [canohost.c]
809 Relocate check_ip_options call to prevent logging of garbage for
810 connections with IP options set. bz#1092 from David Leonard,
811 "looks good" deraadt@
812 - (dtucker) [regress/README.regress] Bug #989: Document limitation that scp
813 is required in the system path for the multiplex test to work.
814
81520050930
816 - (dtucker) [openbsd-compat/openbsd-compat.h] Bug #1096: Add prototype
817 for strtoll. Patch from o.flebbe at science-computing.de.
818 - (dtucker) [monitor.c] Bug #1087: Send loginmsg to preauth privsep
819 child during PAM account check without clearing it. This restores the
820 post-login warnings such as LDAP password expiry. Patch from Tomas Mraz
821 with help from several others.
822
82320050929
824 - (dtucker) [monitor_wrap.c] Remove duplicate definition of loginmsg
825 introduced during sync.
826
82720050928
828 - (dtucker) [entropy.c] Use u_char for receiving RNG seed for consistency.
829 - (dtucker) [auth-pam.c] Bug #1028: send final non-query messages from
830 PAM via keyboard-interactive. Patch tested by the folks at Vintela.
831
83220050927
833 - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid
834 calls, since they can't possibly fail. ok djm@
835 - (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed
836 process when sshd relies on ssh-random-helper. Should result in faster
837 logins on systems without a real random device or prngd. ok djm@
838
83920050924
840 - (dtucker) [auth2.c] Move start_pam() calls out of if-else block to remove
841 duplicate call. ok djm@
842
84320050922
844 - (dtucker) [configure.ac] Use -R linker flag for libedit too; patch from
845 skeleten at shillest.net.
846 - (dtucker) [configure.ac] Fix help for --with-opensc; patch from skeleten at
847 shillest.net.
848
84920050919
850 - (tim) [aclocal.m4 configure.ac] Delete acconfig.h and add templates to
851 AC_DEFINE and AC_DEFINE_UNQUOTED to quiet autoconf 2.59 warning messages.
852 ok dtucker@
853
85420050912
855 - (tim) [configure.ac] Bug 1078. Fix --without-kerberos5. Reported by
856 Mike Frysinger.
857
85820050908
859 - (tim) [defines.h openbsd-compat/port-uw.c] Add long password support to
860 OpenServer 6 and add osr5bigcrypt support so when someone migrates
861 passwords between UnixWare and OpenServer they will still work. OK dtucker@
862
120050901 86320050901
2 - (djm) Update RPM spec file versions 864 - (djm) Update RPM spec file versions
3 865
@@ -2989,4 +3851,4 @@
2989 - (djm) Trim deprecated options from INSTALL. Mention UsePAM 3851 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
2990 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu 3852 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
2991 3853
2992$Id: ChangeLog,v 1.3887 2005/09/01 09:10:48 djm Exp $ 3854$Id: ChangeLog,v 1.4117.2.10 2006/02/11 00:00:44 djm Exp $
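--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.273 2005/05/29 07:22:29 dtucker Exp $
+# $Id: Makefile.in,v 1.274 2006/01/01 08:47:05 djm Exp $
 
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -139,7 +139,7 @@ sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
  $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)
 
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
- $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
 ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
  $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)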
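--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-4.2 for the release notes.
+See http://www.openssh.com/txt/release-4.3p2 for the release notes.
 
 - A Japanese translation of this document and of the OpenSSH FAQ is
 - available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@ References -
 [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
 [7] http://www.openssh.com/faq.html
 
-$Id: README,v 1.60 2005/08/31 14:05:57 dtucker Exp $
+$Id: README,v 1.61.2.1 2006/02/10 23:43:34 dtucker Exp $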
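--- a/README.platform
+++ b/README.platform
@@ -45,4 +45,14 @@ number is already in use on your system, you may change it at build time
 by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
 
 
-$Id: README.platform,v 1.5 2005/02/20 10:01:49 dtucker Exp $
+Platforms using PAM
+-------------------
+As of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when
+PAM is enabled. To maintain existing behaviour, pam_nologin should be
+added to sshd's session stack which will prevent users from starting shell
+sessions. Alternatively, pam_nologin can be added to either the auth or
+account stacks which will prevent authentication entirely, but will still
+return the output from pam_nologin to the client.
+
+
+$Id: README.platform,v 1.6 2005/11/05 05:28:35 dtucker Exp $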
diff --git a/README.tun b/README.tun
new file mode 100644
index 000000000..d814f396d
--- /dev/null
+++ b/README.tun
@@ -0,0 +1,132 @@
1How to use OpenSSH-based virtual private networks
2-------------------------------------------------
3
4OpenSSH contains support for VPN tunneling using the tun(4) network
5tunnel pseudo-device which is available on most platforms, either for
6layer 2 or 3 traffic.
7
8The following brief instructions on how to use this feature use
9a network configuration specific to the OpenBSD operating system.
10
11(1) Server: Enable support for SSH tunneling
12
13To enable the ssh server to accept tunnel requests from the client, you
14have to add the following option to the ssh server configuration file
15(/etc/ssh/sshd_config):
16
17 PermitTunnel yes
18
19Restart the server or send the hangup signal (SIGHUP) to let the server
20reread it's configuration.
21
22(2) Server: Restrict client access and assign the tunnel
23
24The OpenSSH server simply uses the file /root/.ssh/authorized_keys to
25restrict the client to connect to a specified tunnel and to
26automatically start the related interface configuration command. These
27settings are optional but recommended:
28
29 tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org
30
31(3) Client: Configure the local network tunnel interface
32
33Use the hostname.if(5) interface-specific configuration file to set up
34the network tunnel configuration with OpenBSD. For example, use the
35following configuration in /etc/hostname.tun0 to set up the layer 3
36tunnel on the client:
37
38 inet 192.168.5.1 255.255.255.252 192.168.5.2
39
40OpenBSD also supports layer 2 tunneling over the tun device by adding
41the link0 flag:
42
43 inet 192.168.1.78 255.255.255.0 192.168.1.255 link0
44
45Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
46interface, like the following example for /etc/bridgename.bridge0:
47
48 add tun0
49 add sis0
50 up
51
52(4) Client: Configure the OpenSSH client
53
54To establish tunnel forwarding for connections to a specified
55remote host by default, use the following ssh client configuration for
56the privileged user (in /root/.ssh/config):
57
58 Host sshgateway
59 Tunnel yes
60 TunnelDevice 0:any
61 PermitLocalCommand yes
62 LocalCommand sh /etc/netstart tun0
63
64A more complicated configuration is possible to establish a tunnel to
65a remote host which is not directly accessible by the client.
66The following example describes a client configuration to connect to
67the remote host over two ssh hops in between. It uses the OpenSSH
68ProxyCommand in combination with the nc(1) program to forward the final
69ssh tunnel destination over multiple ssh sessions.
70
71 Host access.somewhere.net
72 User puffy
73 Host dmzgw
74 User puffy
75 ProxyCommand ssh access.somewhere.net nc dmzgw 22
76 Host sshgateway
77 Tunnel Ethernet
78 TunnelDevice 0:any
79 PermitLocalCommand yes
80 LocalCommand sh /etc/netstart tun0
81 ProxyCommand ssh dmzgw nc sshgateway 22
82
83The following network plan illustrates the previous configuration in
84combination with layer 2 tunneling and Ethernet bridging.
85
86+--------+ ( ) +----------------------+
87| Client |------( Internet )-----| access.somewhere.net |
88+--------+ ( ) +----------------------+
89 : 192.168.1.78 |
90 :............................. +-------+
91 Forwarded ssh connection : | dmzgw |
92 Layer 2 tunnel : +-------+
93 : |
94 : |
95 : +------------+
96 :......| sshgateway |
97 | +------------+
98--- real connection Bridge -> | +----------+
99... "virtual connection" [ X ]--------| somehost |
100[X] switch +----------+
101 192.168.1.25
102
103(5) Client: Connect to the server and establish the tunnel
104
105Finally connect to the OpenSSH server to establish the tunnel by using
106the following command:
107
108 ssh sshgateway
109
110It is also possible to tell the client to fork into the background after
111the connection has been successfully established:
112
113 ssh -f sshgateway true
114
115Without the ssh configuration done in step (4), it is also possible
116to use the following command lines:
117
118 ssh -fw 0:1 sshgateway true
119 ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252
120
121Using OpenSSH tunnel forwarding is a simple way to establish secure
122and ad hoc virtual private networks. Possible fields of application
123could be wireless networks or administrative VPN tunnels.
124
125Nevertheless, ssh tunneling requires some packet header overhead and
126runs on top of TCP. It is still suggested to use the IP Security
127Protocol (IPSec) for robust and permanent VPN connections and to
128interconnect corporate networks.
129
130 Reyk Floeter
131
132$OpenBSD: README.tun,v 1.3 2005/12/08 18:34:10 reyk Exp $
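--- a/acconfig.h
+++ b/acconfig.h
@@ -347,12 +347,6 @@
 /* getaddrinfo is broken (if present) */
 #undef BROKEN_GETADDRINFO
 
-/* platform uses an in-memory credentials cache */
-#undef USE_CCAPI
-
-/* platform has a Security Authorization Session API */
-#undef USE_SECURITY_SESSION_API
-
 /* updwtmpx is broken (if present) */
 #undef BROKEN_UPDWTMPX
 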
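--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,4 +1,4 @@
-dnl $Id: aclocal.m4,v 1.5 2001/10/22 00:53:59 tim Exp $
+dnl $Id: aclocal.m4,v 1.6 2005/09/19 16:33:39 tim Exp $
 dnl
 dnl OpenSSH-specific autoconf macros
 dnl
@@ -26,7 +26,7 @@ AC_DEFUN(OSSH_CHECK_HEADER_FOR_FIELD, [
  if test -n "`echo $ossh_varname`"; then
  AC_MSG_RESULT($ossh_result)
  if test "x$ossh_result" = "xyes"; then
- AC_DEFINE($3)
+ AC_DEFINE($3, 1, [Define if you have $1 in $2])
  fi
  else
  AC_MSG_RESULT(no)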
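--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -28,7 +28,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.16 2005/11/21 09:42:10 dtucker Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -69,9 +69,6 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
  krb5_ccache ccache = NULL;
  int len;
 
- if (!authctxt->valid)
- return (0);
-
  temporarily_use_uid(authctxt->pw);
 
  problem = krb5_init(authctxt);
@@ -193,7 +190,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
  else
  return (0);
  }
- return (1);
+ return (authctxt->valid ? 1 : 0);
 }
 
 void
@@ -229,7 +226,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
 
  ret = snprintf(ccname, sizeof(ccname),
  cctemplate, geteuid());
- if (ret == -1 || ret >= (int) sizeof(ccname))
+ if (ret < 0 || (size_t)ret >= sizeof(ccname))
  return ENOMEM;
 
 #ifndef USE_CCAPI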
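Review bot: Nothing in auth_krb5_password records why the `authctxt->valid` test moved from the top of the function to the final `return (authctxt->valid ? 1 : 0);`. Reading the first two code hunks together, the intent appears to be that an unknown user now goes through the same Kerberos exchange as a known one, so that response timing does not separate the two; a later cleanup could restore the early return without noticing that. I would add a comment above the final return such as `/* Checked last on purpose: invalid users take the same path as valid ones */`. Because `temporarily_use_uid(authctxt->pw)` now also runs for invalid users, it is worth confirming that `authctxt->pw` is never NULL at this point; the caller that sets it is outside these hunks.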
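--- a/auth-options.c
+++ b/auth-options.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.31 2005/03/10 22:40:38 deraadt Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.33 2005/12/08 18:34:11 reyk Exp $");
 
 #include "xmalloc.h"
 #include "match.h"
@@ -35,6 +35,9 @@ char *forced_command = NULL;
 /* "environment=" options. */
 struct envstring *custom_environment = NULL;
 
+/* "tunnel=" option. */
+int forced_tun_device = -1;
+
 extern ServerOptions options;
 
 void
@@ -54,6 +57,7 @@ auth_clear_options(void)
  xfree(forced_command);
  forced_command = NULL;
  }
+ forced_tun_device = -1;
  channel_clear_permitted_opens();
  auth_debug_reset();
 }
@@ -269,6 +273,41 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
  xfree(patterns);
  goto next_option;
  }
+ cp = "tunnel=\"";
+ if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+ char *tun = NULL;
+ opts += strlen(cp);
+ tun = xmalloc(strlen(opts) + 1);
+ i = 0;
+ while (*opts) {
+ if (*opts == '"')
+ break;
+ tun[i++] = *opts++;
+ }
+ if (!*opts) {
+ debug("%.100s, line %lu: missing end quote",
+ file, linenum);
+ auth_debug_add("%.100s, line %lu: missing end quote",
+ file, linenum);
+ xfree(tun);
+ forced_tun_device = -1;
+ goto bad_option;
+ }
+ tun[i] = 0;
+ forced_tun_device = a2tun(tun, NULL);
+ xfree(tun);
+ if (forced_tun_device == SSH_TUNID_ERR) {
+ debug("%.100s, line %lu: invalid tun device",
+ file, linenum);
+ auth_debug_add("%.100s, line %lu: invalid tun device",
+ file, linenum);
+ forced_tun_device = -1;
+ goto bad_option;
+ }
+ auth_debug_add("Forced tun device: %d", forced_tun_device);
+ opts++;
+ goto next_option;
+ }
 next_option:
  /*
  * Skip the comma, and move to the next option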
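Review bot: The `-1` that means "no forced tunnel device" is an unnamed literal written four times in this change (the declaration, auth_clear_options, and both error paths of the `tunnel=` parser), while the error value it sits beside has a name, `SSH_TUNID_ERR`. Because this variable restricts what a key may do, its states should be spelled out where it is declared, for example `/* "tunnel=" option: forced tun unit, or -1 when the key sets none. */`. In the parser, holding the `a2tun(tun, NULL)` result in a local and assigning `forced_tun_device` only after the `SSH_TUNID_ERR` check would make the reset that follows the failed check unnecessary. auth_parse_options starts and ends outside the hunk.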
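--- a/auth-options.h
+++ b/auth-options.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.h,v 1.12 2002/07/21 18:34:43 stevesk Exp $ */
+/* $OpenBSD: auth-options.h,v 1.13 2005/12/06 22:38:27 reyk Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -28,6 +28,7 @@ extern int no_x11_forwarding_flag;
 extern int no_pty_flag;
 extern char *forced_command;
 extern struct envstring *custom_environment;
+extern int forced_tun_device;
 
 int auth_parse_options(struct passwd *, char *, char *, u_long);
 void auth_clear_options(void);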
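--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.126 2005/07/17 07:18:50 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.128 2006/01/29 05:46:13 dtucker Exp $");
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -716,8 +716,18 @@ sshpam_query(void *ctx, char **name, char **info,
  plen++;
  xfree(msg);
  break;
- case PAM_SUCCESS:
  case PAM_AUTH_ERR:
+ debug3("PAM: PAM_AUTH_ERR");
+ if (**prompts != NULL && strlen(**prompts) != 0) {
+ *info = **prompts;
+ **prompts = NULL;
+ *num = 0;
+ **echo_on = 0;
+ ctxt->pam_done = -1;
+ return 0;
+ }
+ /* FALLTHROUGH */
+ case PAM_SUCCESS:
  if (**prompts != NULL) {
  /* drain any accumulated messages */
  debug("PAM: %s", **prompts);
@@ -763,7 +773,7 @@ sshpam_respond(void *ctx, u_int num, char **resp)
  Buffer buffer;
  struct pam_ctxt *ctxt = ctx;
 
- debug2("PAM: %s entering, %d responses", __func__, num);
+ debug2("PAM: %s entering, %u responses", __func__, num);
  switch (ctxt->pam_done) {
  case 1:
  sshpam_authenticated = 1;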
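Review bot: In the new PAM_AUTH_ERR branch of sshpam_query, `*info = **prompts;` overwrites whatever `*info` pointed to without releasing it. The start of the function is outside the hunk, so this needs confirming: if `*info` was given an allocated string earlier in sshpam_query, that buffer is lost each time a failed authentication carries a message, and the fix is `xfree(*info);` immediately before the assignment. The branch would also benefit from a comment such as `/* pass the final PAM message to the client as the info text */`, because a `return 0` on the failure path is easy to misread as success; the `-1` stored in `ctxt->pam_done` is presumably what reports the failure later, but sshpam_respond shows only its `case 1` here.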
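--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.10 2005/07/17 07:17:54 djm Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.12 2005/10/13 22:24:31 stevesk Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -34,7 +34,6 @@
 #include "log.h"
 #include "dispatch.h"
 #include "servconf.h"
-#include "compat.h"
 #include "packet.h"
 #include "monitor_wrap.h"
 
@@ -82,7 +81,7 @@ userauth_gsskeyex(Authctxt *authctxt)
 
 /*
  * We only support those mechanisms that we know about (ie ones that we know
- * how to check local user kuserok and the like
+ * how to check local user kuserok and the like)
  */
 static int
 userauth_gssapi(Authctxt *authctxt)
@@ -140,7 +139,7 @@ userauth_gssapi(Authctxt *authctxt)
  return (0);
  }
 
- authctxt->methoddata=(void *)ctxt;
+ authctxt->methoddata = (void *)ctxt;
 
  packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE);
 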
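--- a/auth2.c
+++ b/auth2.c
@@ -158,21 +158,17 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
  if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
  authctxt->valid = 1;
  debug2("input_userauth_request: setting up authctxt for %s", user);
-#ifdef USE_PAM
- if (options.use_pam)
- PRIVSEP(start_pam(authctxt));
-#endif
  } else {
  logit("input_userauth_request: invalid user %s", user);
  authctxt->pw = fakepw();
-#ifdef USE_PAM
- if (options.use_pam)
- PRIVSEP(start_pam(authctxt));
-#endif
 #ifdef SSH_AUDIT_EVENTS
  PRIVSEP(audit_event(SSH_INVALID_USER));
 #endif
  }
+#ifdef USE_PAM
+ if (options.use_pam)
+ PRIVSEP(start_pam(authctxt));
+#endif
  setproctitle("%s%s", authctxt->valid ? user : "unknown",
  use_privsep ? " [net]" : "");
  authctxt->service = xstrdup(service);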
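Review bot: The hoisted `start_pam` block after the if/else carries no comment saying that it is meant to run for both the valid-user branch and the invalid-user (`fakepw()`) branch. That property is what keeps the PAM conversation the same for unknown accounts, and with a single call site it is easier to lose: moving the block back inside the first branch would look like a harmless tidy-up. I would add `/* Start PAM for valid and invalid users alike */` above the `#ifdef USE_PAM`. input_userauth_request begins and ends outside the hunk.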
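--- a/bufaux.c
+++ b/bufaux.c
@@ -37,7 +37,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: bufaux.c,v 1.36 2005/06/17 02:44:32 djm Exp $");
+RCSID("$OpenBSD: bufaux.c,v 1.37 2005/11/05 05:01:15 djm Exp $");
 
 #include <openssl/bn.h>
 #include "bufaux.h"
@@ -63,6 +63,7 @@ buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
  if (oi != bin_size) {
  error("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d",
  oi, bin_size);
+ xfree(buf);
  return (-1);
  }
 
@@ -187,10 +188,12 @@ buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value)
 
  if (len > 0 && (bin[0] & 0x80)) {
  error("buffer_get_bignum2_ret: negative numbers not supported");
+ xfree(bin);
  return (-1);
  }
  if (len > 8 * 1024) {
  error("buffer_get_bignum2_ret: cannot handle BN of size %d", len);
+ xfree(bin);
  return (-1);
  }
  BN_bin2bn(bin, len, value);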
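Review bot: The added `xfree(buf);` in buffer_put_bignum_ret releases a buffer that BN_bn2bin() has just written bignum bytes into, without clearing it first. Bignums passing through this function can be key material, so the error path should scrub before freeing, e.g. `memset(buf, 0, bin_size);` ahead of the `xfree(buf);`, assuming `buf` was allocated with `bin_size` bytes (the allocation is outside the hunk). The two `xfree(bin);` lines added to buffer_get_bignum2_ret have the same shape and could be handled the same way with `memset(bin, 0, len);`, if `len` is the allocated length of `bin`. Both functions begin and end outside their hunks, so it is worth checking that the success paths clear these buffers as well.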
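--- a/buildpkg.sh.in
+++ b/buildpkg.sh.in
@@ -353,7 +353,7 @@ else
  # Create user if required
  [ "\$DO_PASSWD" = yes ] && {
  # Use uid of 67 if possible
- if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null
+ if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDUID'\$' >/dev/null
  then
  :
  else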
diff --git a/canohost.c b/canohost.c
index c27086bfd..6ca60e6b4 100644
--- a/canohost.c
+++ b/canohost.c
@@ -12,7 +12,7 @@
12 */ 12 */
13 13
14#include "includes.h" 14#include "includes.h"
15RCSID("$OpenBSD: canohost.c,v 1.44 2005/06/17 02:44:32 djm Exp $"); 15RCSID("$OpenBSD: canohost.c,v 1.48 2005/12/28 22:46:06 stevesk Exp $");
16 16
17#include "packet.h" 17#include "packet.h"
18#include "xmalloc.h" 18#include "xmalloc.h"
@@ -43,9 +43,6 @@ get_remote_hostname(int sock, int use_dns)
43 cleanup_exit(255); 43 cleanup_exit(255);
44 } 44 }
45 45
46 if (from.ss_family == AF_INET)
47 check_ip_options(sock, ntop);
48
49 ipv64_normalise_mapped(&from, &fromlen); 46 ipv64_normalise_mapped(&from, &fromlen);
50 47
51 if (from.ss_family == AF_INET6) 48 if (from.ss_family == AF_INET6)
@@ -55,6 +52,9 @@ get_remote_hostname(int sock, int use_dns)
55 NULL, 0, NI_NUMERICHOST) != 0) 52 NULL, 0, NI_NUMERICHOST) != 0)
56 fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed"); 53 fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
57 54
55 if (from.ss_family == AF_INET)
56 check_ip_options(sock, ntop);
57
58 if (!use_dns) 58 if (!use_dns)
59 return xstrdup(ntop); 59 return xstrdup(ntop);
60 60
@@ -102,7 +102,7 @@ get_remote_hostname(int sock, int use_dns)
102 hints.ai_socktype = SOCK_STREAM; 102 hints.ai_socktype = SOCK_STREAM;
103 if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { 103 if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
104 logit("reverse mapping checking getaddrinfo for %.700s " 104 logit("reverse mapping checking getaddrinfo for %.700s "
105 "failed - POSSIBLE BREAKIN ATTEMPT!", name); 105 "failed - POSSIBLE BREAK-IN ATTEMPT!", name);
106 return xstrdup(ntop); 106 return xstrdup(ntop);
107 } 107 }
108 /* Look for the address from the list of addresses. */ 108 /* Look for the address from the list of addresses. */
@@ -117,7 +117,7 @@ get_remote_hostname(int sock, int use_dns)
117 if (!ai) { 117 if (!ai) {
118 /* Address not found for the host name. */ 118 /* Address not found for the host name. */
119 logit("Address %.100s maps to %.600s, but this does not " 119 logit("Address %.100s maps to %.600s, but this does not "
120 "map back to the address - POSSIBLE BREAKIN ATTEMPT!", 120 "map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
121 ntop, name); 121 ntop, name);
122 return xstrdup(ntop); 122 return xstrdup(ntop);
123 } 123 }
@@ -158,9 +158,7 @@ check_ip_options(int sock, char *ipaddr)
158 for (i = 0; i < option_size; i++) 158 for (i = 0; i < option_size; i++)
159 snprintf(text + i*3, sizeof(text) - i*3, 159 snprintf(text + i*3, sizeof(text) - i*3,
160 " %2.2x", options[i]); 160 " %2.2x", options[i]);
161 logit("Connection from %.100s with IP options:%.800s", 161 fatal("Connection from %.100s with IP options:%.800s",
162 ipaddr, text);
163 packet_disconnect("Connection from %.100s with IP options:%.800s",
164 ipaddr, text); 162 ipaddr, text);
165 } 163 }
166#endif /* IP_OPTIONS */ 164#endif /* IP_OPTIONS */
@@ -200,26 +198,27 @@ ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
200const char * 198const char *
201get_canonical_hostname(int use_dns) 199get_canonical_hostname(int use_dns)
202{ 200{
201 char *host;
203 static char *canonical_host_name = NULL; 202 static char *canonical_host_name = NULL;
204 static int use_dns_done = 0; 203 static char *remote_ip = NULL;
205 204
206 /* Check if we have previously retrieved name with same option. */ 205 /* Check if we have previously retrieved name with same option. */
207 if (canonical_host_name != NULL) { 206 if (use_dns && canonical_host_name != NULL)
208 if (use_dns_done != use_dns) 207 return canonical_host_name;
209 xfree(canonical_host_name); 208 if (!use_dns && remote_ip != NULL)
210 else 209 return remote_ip;
211 return canonical_host_name;
212 }
213 210
214 /* Get the real hostname if socket; otherwise return UNKNOWN. */ 211 /* Get the real hostname if socket; otherwise return UNKNOWN. */
215 if (packet_connection_is_on_socket()) 212 if (packet_connection_is_on_socket())
216 canonical_host_name = get_remote_hostname( 213 host = get_remote_hostname(packet_get_connection_in(), use_dns);
217 packet_get_connection_in(), use_dns);
218 else 214 else
219 canonical_host_name = xstrdup("UNKNOWN"); 215 host = "UNKNOWN";
220 216
221 use_dns_done = use_dns; 217 if (use_dns)
222 return canonical_host_name; 218 canonical_host_name = host;
219 else
220 remote_ip = host;
221 return host;
223} 222}
224 223
225/* 224/*
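Review bot: In get_canonical_hostname the non-socket branch now does `host = "UNKNOWN";` and stores that string literal in a `static char *` cache next to heap strings returned by get_remote_hostname(). Nothing visible frees the caches any more, but the types no longer say so. Declaring them `static const char *canonical_host_name = NULL;`, `static const char *remote_ip = NULL;` and `const char *host;` would let the compiler reject a later xfree() or write through the cached pointer. The retained comment "retrieved name with same option" could also be reworded to say that the DNS name and the numeric address are now cached separately for the life of the process.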
diff --git a/channels.c b/channels.c
index 8c7b2b369..1252f3446 100644
--- a/channels.c
+++ b/channels.c
@@ -39,7 +39,7 @@
39 */ 39 */
40 40
41#include "includes.h" 41#include "includes.h"
42RCSID("$OpenBSD: channels.c,v 1.223 2005/07/17 07:17:54 djm Exp $"); 42RCSID("$OpenBSD: channels.c,v 1.232 2006/01/30 12:22:22 reyk Exp $");
43 43
44#include "ssh.h" 44#include "ssh.h"
45#include "ssh1.h" 45#include "ssh1.h"
@@ -58,8 +58,6 @@ RCSID("$OpenBSD: channels.c,v 1.223 2005/07/17 07:17:54 djm Exp $");
58 58
59/* -- channel core */ 59/* -- channel core */
60 60
61#define CHAN_RBUF 16*1024
62
63/* 61/*
64 * Pointer to an array containing all allocated channels. The array is 62 * Pointer to an array containing all allocated channels. The array is
65 * dynamically extended as needed. 63 * dynamically extended as needed.
@@ -142,23 +140,51 @@ static void port_open_helper(Channel *c, char *rtype);
142/* -- channel core */ 140/* -- channel core */
143 141
144Channel * 142Channel *
145channel_lookup(int id) 143channel_by_id(int id)
146{ 144{
147 Channel *c; 145 Channel *c;
148 146
149 if (id < 0 || (u_int)id >= channels_alloc) { 147 if (id < 0 || (u_int)id >= channels_alloc) {
150 logit("channel_lookup: %d: bad id", id); 148 logit("channel_by_id: %d: bad id", id);
151 return NULL; 149 return NULL;
152 } 150 }
153 c = channels[id]; 151 c = channels[id];
154 if (c == NULL) { 152 if (c == NULL) {
155 logit("channel_lookup: %d: bad id: channel free", id); 153 logit("channel_by_id: %d: bad id: channel free", id);
156 return NULL; 154 return NULL;
157 } 155 }
158 return c; 156 return c;
159} 157}
160 158
161/* 159/*
160 * Returns the channel if it is allowed to receive protocol messages.
161 * Private channels, like listening sockets, may not receive messages.
162 */
163Channel *
164channel_lookup(int id)
165{
166 Channel *c;
167
168 if ((c = channel_by_id(id)) == NULL)
169 return (NULL);
170
171 switch(c->type) {
172 case SSH_CHANNEL_X11_OPEN:
173 case SSH_CHANNEL_LARVAL:
174 case SSH_CHANNEL_CONNECTING:
175 case SSH_CHANNEL_DYNAMIC:
176 case SSH_CHANNEL_OPENING:
177 case SSH_CHANNEL_OPEN:
178 case SSH_CHANNEL_INPUT_DRAINING:
179 case SSH_CHANNEL_OUTPUT_DRAINING:
180 return (c);
181 break;
182 }
183 logit("Non-public channel %d, type %d.", id, c->type);
184 return (NULL);
185}
186
187/*
162 * Register filedescriptors for a channel, used when allocating a channel or 188 * Register filedescriptors for a channel, used when allocating a channel or
163 * when the channel consumer/producer is ready, e.g. shell exec'd 189 * when the channel consumer/producer is ready, e.g. shell exec'd
164 */ 190 */
@@ -269,9 +295,11 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
269 c->force_drain = 0; 295 c->force_drain = 0;
270 c->single_connection = 0; 296 c->single_connection = 0;
271 c->detach_user = NULL; 297 c->detach_user = NULL;
298 c->detach_close = 0;
272 c->confirm = NULL; 299 c->confirm = NULL;
273 c->confirm_ctx = NULL; 300 c->confirm_ctx = NULL;
274 c->input_filter = NULL; 301 c->input_filter = NULL;
302 c->output_filter = NULL;
275 debug("channel %d: new [%s]", found, remote_name); 303 debug("channel %d: new [%s]", found, remote_name);
276 return c; 304 return c;
277} 305}
@@ -628,29 +656,32 @@ channel_register_confirm(int id, channel_callback_fn *fn, void *ctx)
628 c->confirm_ctx = ctx; 656 c->confirm_ctx = ctx;
629} 657}
630void 658void
631channel_register_cleanup(int id, channel_callback_fn *fn) 659channel_register_cleanup(int id, channel_callback_fn *fn, int do_close)
632{ 660{
633 Channel *c = channel_lookup(id); 661 Channel *c = channel_by_id(id);
634 662
635 if (c == NULL) { 663 if (c == NULL) {
636 logit("channel_register_cleanup: %d: bad id", id); 664 logit("channel_register_cleanup: %d: bad id", id);
637 return; 665 return;
638 } 666 }
639 c->detach_user = fn; 667 c->detach_user = fn;
668 c->detach_close = do_close;
640} 669}
641void 670void
642channel_cancel_cleanup(int id) 671channel_cancel_cleanup(int id)
643{ 672{
644 Channel *c = channel_lookup(id); 673 Channel *c = channel_by_id(id);
645 674
646 if (c == NULL) { 675 if (c == NULL) {
647 logit("channel_cancel_cleanup: %d: bad id", id); 676 logit("channel_cancel_cleanup: %d: bad id", id);
648 return; 677 return;
649 } 678 }
650 c->detach_user = NULL; 679 c->detach_user = NULL;
680 c->detach_close = 0;
651} 681}
652void 682void
653channel_register_filter(int id, channel_filter_fn *fn) 683channel_register_filter(int id, channel_infilter_fn *ifn,
684 channel_outfilter_fn *ofn)
654{ 685{
655 Channel *c = channel_lookup(id); 686 Channel *c = channel_lookup(id);
656 687
@@ -658,7 +689,8 @@ channel_register_filter(int id, channel_filter_fn *fn)
658 logit("channel_register_filter: %d: bad id", id); 689 logit("channel_register_filter: %d: bad id", id);
659 return; 690 return;
660 } 691 }
661 c->input_filter = fn; 692 c->input_filter = ifn;
693 c->output_filter = ofn;
662} 694}
663 695
664void 696void
@@ -1227,6 +1259,19 @@ port_open_helper(Channel *c, char *rtype)
1227 xfree(remote_ipaddr); 1259 xfree(remote_ipaddr);
1228} 1260}
1229 1261
1262static void
1263channel_set_reuseaddr(int fd)
1264{
1265 int on = 1;
1266
1267 /*
1268 * Set socket options.
1269 * Allow local port reuse in TIME_WAIT.
1270 */
1271 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1)
1272 error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno));
1273}
1274
1230/* 1275/*
1231 * This socket is listening for connections to a forwarded TCP/IP port. 1276 * This socket is listening for connections to a forwarded TCP/IP port.
1232 */ 1277 */
@@ -1398,6 +1443,8 @@ channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
1398 debug2("channel %d: filter stops", c->self); 1443 debug2("channel %d: filter stops", c->self);
1399 chan_read_failed(c); 1444 chan_read_failed(c);
1400 } 1445 }
1446 } else if (c->datagram) {
1447 buffer_put_string(&c->input, buf, len);
1401 } else { 1448 } else {
1402 buffer_append(&c->input, buf, len); 1449 buffer_append(&c->input, buf, len);
1403 } 1450 }
@@ -1408,7 +1455,7 @@ static int
1408channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset) 1455channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
1409{ 1456{
1410 struct termios tio; 1457 struct termios tio;
1411 u_char *data; 1458 u_char *data = NULL, *buf;
1412 u_int dlen; 1459 u_int dlen;
1413 int len; 1460 int len;
1414 1461
@@ -1416,14 +1463,45 @@ channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
1416 if (c->wfd != -1 && 1463 if (c->wfd != -1 &&
1417 FD_ISSET(c->wfd, writeset) && 1464 FD_ISSET(c->wfd, writeset) &&
1418 buffer_len(&c->output) > 0) { 1465 buffer_len(&c->output) > 0) {
1419 data = buffer_ptr(&c->output); 1466 if (c->output_filter != NULL) {
1420 dlen = buffer_len(&c->output); 1467 if ((buf = c->output_filter(c, &data, &dlen)) == NULL) {
1468 debug2("channel %d: filter stops", c->self);
1469 if (c->type != SSH_CHANNEL_OPEN)
1470 chan_mark_dead(c);
1471 else
1472 chan_write_failed(c);
1473 return -1;
1474 }
1475 } else if (c->datagram) {
1476 buf = data = buffer_get_string(&c->output, &dlen);
1477 } else {
1478 buf = data = buffer_ptr(&c->output);
1479 dlen = buffer_len(&c->output);
1480 }
1481
1482 if (c->datagram) {
1483 /* ignore truncated writes, datagrams might get lost */
1484 c->local_consumed += dlen + 4;
1485 len = write(c->wfd, buf, dlen);
1486 xfree(data);
1487 if (len < 0 && (errno == EINTR || errno == EAGAIN))
1488 return 1;
1489 if (len <= 0) {
1490 if (c->type != SSH_CHANNEL_OPEN)
1491 chan_mark_dead(c);
1492 else
1493 chan_write_failed(c);
1494 return -1;
1495 }
1496 return 1;
1497 }
1421#ifdef _AIX 1498#ifdef _AIX
1422 /* XXX: Later AIX versions can't push as much data to tty */ 1499 /* XXX: Later AIX versions can't push as much data to tty */
1423 if (compat20 && c->wfd_isatty) 1500 if (compat20 && c->wfd_isatty)
1424 dlen = MIN(dlen, 8*1024); 1501 dlen = MIN(dlen, 8*1024);
1425#endif 1502#endif
1426 len = write(c->wfd, data, dlen); 1503
1504 len = write(c->wfd, buf, dlen);
1427 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1505 if (len < 0 && (errno == EINTR || errno == EAGAIN))
1428 return 1; 1506 return 1;
1429 if (len <= 0) { 1507 if (len <= 0) {
@@ -1440,14 +1518,14 @@ channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
1440 } 1518 }
1441 return -1; 1519 return -1;
1442 } 1520 }
1443 if (compat20 && c->isatty && dlen >= 1 && data[0] != '\r') { 1521 if (compat20 && c->isatty && dlen >= 1 && buf[0] != '\r') {
1444 if (tcgetattr(c->wfd, &tio) == 0 && 1522 if (tcgetattr(c->wfd, &tio) == 0 &&
1445 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { 1523 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
1446 /* 1524 /*
1447 * Simulate echo to reduce the impact of 1525 * Simulate echo to reduce the impact of
1448 * traffic analysis. We need to match the 1526 * traffic analysis. We need to match the
1449 * size of a SSH2_MSG_CHANNEL_DATA message 1527 * size of a SSH2_MSG_CHANNEL_DATA message
1450 * (4 byte channel id + data) 1528 * (4 byte channel id + buf)
1451 */ 1529 */
1452 packet_send_ignore(4 + len); 1530 packet_send_ignore(4 + len);
1453 packet_send(); 1531 packet_send();
@@ -1666,7 +1744,7 @@ channel_garbage_collect(Channel *c)
1666 if (c == NULL) 1744 if (c == NULL)
1667 return; 1745 return;
1668 if (c->detach_user != NULL) { 1746 if (c->detach_user != NULL) {
1669 if (!chan_is_dead(c, 0)) 1747 if (!chan_is_dead(c, c->detach_close))
1670 return; 1748 return;
1671 debug2("channel %d: gc: notify user", c->self); 1749 debug2("channel %d: gc: notify user", c->self);
1672 c->detach_user(c->self, NULL); 1750 c->detach_user(c->self, NULL);
@@ -1776,6 +1854,22 @@ channel_output_poll(void)
1776 if ((c->istate == CHAN_INPUT_OPEN || 1854 if ((c->istate == CHAN_INPUT_OPEN ||
1777 c->istate == CHAN_INPUT_WAIT_DRAIN) && 1855 c->istate == CHAN_INPUT_WAIT_DRAIN) &&
1778 (len = buffer_len(&c->input)) > 0) { 1856 (len = buffer_len(&c->input)) > 0) {
1857 if (c->datagram) {
1858 if (len > 0) {
1859 u_char *data;
1860 u_int dlen;
1861
1862 data = buffer_get_string(&c->input,
1863 &dlen);
1864 packet_start(SSH2_MSG_CHANNEL_DATA);
1865 packet_put_int(c->remote_id);
1866 packet_put_string(data, dlen);
1867 packet_send();
1868 c->remote_window -= dlen + 4;
1869 xfree(data);
1870 }
1871 continue;
1872 }
1779 /* 1873 /*
1780 * Send some data for the other side over the secure 1874 * Send some data for the other side over the secure
1781 * connection. 1875 * connection.
@@ -1898,7 +1992,10 @@ channel_input_data(int type, u_int32_t seq, void *ctxt)
1898 c->local_window -= data_len; 1992 c->local_window -= data_len;
1899 } 1993 }
1900 packet_check_eom(); 1994 packet_check_eom();
1901 buffer_append(&c->output, data, data_len); 1995 if (c->datagram)
1996 buffer_put_string(&c->output, data, data_len);
1997 else
1998 buffer_append(&c->output, data, data_len);
1902 xfree(data); 1999 xfree(data);
1903} 2000}
1904 2001
@@ -2129,9 +2226,8 @@ channel_input_window_adjust(int type, u_int32_t seq, void *ctxt)
2129 id = packet_get_int(); 2226 id = packet_get_int();
2130 c = channel_lookup(id); 2227 c = channel_lookup(id);
2131 2228
2132 if (c == NULL || c->type != SSH_CHANNEL_OPEN) { 2229 if (c == NULL) {
2133 logit("Received window adjust for " 2230 logit("Received window adjust for non-open channel %d.", id);
2134 "non-open channel %d.", id);
2135 return; 2231 return;
2136 } 2232 }
2137 adjust = packet_get_int(); 2233 adjust = packet_get_int();
@@ -2188,7 +2284,7 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por
2188 const char *host_to_connect, u_short port_to_connect, int gateway_ports) 2284 const char *host_to_connect, u_short port_to_connect, int gateway_ports)
2189{ 2285{
2190 Channel *c; 2286 Channel *c;
2191 int sock, r, success = 0, on = 1, wildcard = 0, is_client; 2287 int sock, r, success = 0, wildcard = 0, is_client;
2192 struct addrinfo hints, *ai, *aitop; 2288 struct addrinfo hints, *ai, *aitop;
2193 const char *host, *addr; 2289 const char *host, *addr;
2194 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 2290 char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@@ -2275,13 +2371,8 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por
2275 verbose("socket: %.100s", strerror(errno)); 2371 verbose("socket: %.100s", strerror(errno));
2276 continue; 2372 continue;
2277 } 2373 }
2278 /* 2374
2279 * Set socket options. 2375 channel_set_reuseaddr(sock);
2280 * Allow local port reuse in TIME_WAIT.
2281 */
2282 if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on,
2283 sizeof(on)) == -1)
2284 error("setsockopt SO_REUSEADDR: %s", strerror(errno));
2285 2376
2286 debug("Local forwarding listening on %s port %s.", ntop, strport); 2377 debug("Local forwarding listening on %s port %s.", ntop, strport);
2287 2378
@@ -2453,7 +2544,7 @@ channel_request_rforward_cancel(const char *host, u_short port)
2453 2544
2454 permitted_opens[i].listen_port = 0; 2545 permitted_opens[i].listen_port = 0;
2455 permitted_opens[i].port_to_connect = 0; 2546 permitted_opens[i].port_to_connect = 0;
2456 free(permitted_opens[i].host_to_connect); 2547 xfree(permitted_opens[i].host_to_connect);
2457 permitted_opens[i].host_to_connect = NULL; 2548 permitted_opens[i].host_to_connect = NULL;
2458} 2549}
2459 2550
@@ -2668,6 +2759,9 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
2668 char strport[NI_MAXSERV]; 2759 char strport[NI_MAXSERV];
2669 int gaierr, n, num_socks = 0, socks[NUM_SOCKS]; 2760 int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
2670 2761
2762 if (chanids == NULL)
2763 return -1;
2764
2671 for (display_number = x11_display_offset; 2765 for (display_number = x11_display_offset;
2672 display_number < MAX_DISPLAYS; 2766 display_number < MAX_DISPLAYS;
2673 display_number++) { 2767 display_number++) {
@@ -2704,6 +2798,7 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
2704 error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno)); 2798 error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno));
2705 } 2799 }
2706#endif 2800#endif
2801 channel_set_reuseaddr(sock);
2707 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 2802 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2708 debug2("bind port %d: %.100s", port, strerror(errno)); 2803 debug2("bind port %d: %.100s", port, strerror(errno));
2709 close(sock); 2804 close(sock);
@@ -2749,8 +2844,7 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
2749 } 2844 }
2750 2845
2751 /* Allocate a channel for each socket. */ 2846 /* Allocate a channel for each socket. */
2752 if (chanids != NULL) 2847 *chanids = xmalloc(sizeof(**chanids) * (num_socks + 1));
2753 *chanids = xmalloc(sizeof(**chanids) * (num_socks + 1));
2754 for (n = 0; n < num_socks; n++) { 2848 for (n = 0; n < num_socks; n++) {
2755 sock = socks[n]; 2849 sock = socks[n];
2756 nc = channel_new("x11 listener", 2850 nc = channel_new("x11 listener",
@@ -2758,11 +2852,9 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
2758 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 2852 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
2759 0, "X11 inet listener", 1); 2853 0, "X11 inet listener", 1);
2760 nc->single_connection = single_connection; 2854 nc->single_connection = single_connection;
2761 if (*chanids != NULL) 2855 (*chanids)[n] = nc->self;
2762 (*chanids)[n] = nc->self;
2763 } 2856 }
2764 if (*chanids != NULL) 2857 (*chanids)[n] = -1;
2765 (*chanids)[n] = -1;
2766 2858
2767 /* Return the display number for the DISPLAY environment variable. */ 2859 /* Return the display number for the DISPLAY environment variable. */
2768 *display_numberp = display_number; 2860 *display_numberp = display_number;
@@ -2948,7 +3040,7 @@ deny_input_open(int type, u_int32_t seq, void *ctxt)
2948 error("deny_input_open: type %d", type); 3040 error("deny_input_open: type %d", type);
2949 break; 3041 break;
2950 } 3042 }
2951 error("Warning: this is probably a break in attempt by a malicious server."); 3043 error("Warning: this is probably a break-in attempt by a malicious server.");
2952 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 3044 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
2953 packet_put_int(rchan); 3045 packet_put_int(rchan);
2954 packet_send(); 3046 packet_send();
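Review bot: The datagram branch added to channel_output_poll sends each queued datagram without comparing its length to the peer's advertised window or maximum packet size, and then does `c->remote_window -= dlen + 4;` unconditionally. If remote_window is unsigned (its declaration is outside the visible hunks), a datagram larger than the remaining window would wrap the counter and effectively switch off flow control for that channel. I would drop oversized datagrams before packet_start(), as in the fence below; the inner `if (len > 0)` is also redundant with the enclosing condition. channel_output_poll starts and ends outside this hunk.

```c
data = buffer_get_string(&c->input,
    &dlen);
/* Drop datagrams the peer's window or packet limit cannot take. */
if (dlen > c->remote_window ||
    dlen > c->remote_maxpacket) {
	debug("channel %d: datagram too big for channel",
	    c->self);
	xfree(data);
	continue;
}
packet_start(SSH2_MSG_CHANNEL_DATA);
/* … unchanged: packet_put_int/packet_put_string/packet_send, window accounting, xfree(data) … */
```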
diff --git a/channels.h b/channels.h
index 1cb2c3a34..a97dd9007 100644
--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: channels.h,v 1.79 2005/07/17 06:49:04 djm Exp $ */ 1/* $OpenBSD: channels.h,v 1.83 2005/12/30 15:56:37 reyk Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -63,7 +63,8 @@ struct Channel;
63typedef struct Channel Channel; 63typedef struct Channel Channel;
64 64
65typedef void channel_callback_fn(int, void *); 65typedef void channel_callback_fn(int, void *);
66typedef int channel_filter_fn(struct Channel *, char *, int); 66typedef int channel_infilter_fn(struct Channel *, char *, int);
67typedef u_char *channel_outfilter_fn(struct Channel *, u_char **, u_int *);
67 68
68struct Channel { 69struct Channel {
69 int type; /* channel type/state */ 70 int type; /* channel type/state */
@@ -106,11 +107,15 @@ struct Channel {
106 107
107 /* callback */ 108 /* callback */
108 channel_callback_fn *confirm; 109 channel_callback_fn *confirm;
109 channel_callback_fn *detach_user;
110 void *confirm_ctx; 110 void *confirm_ctx;
111 channel_callback_fn *detach_user;
112 int detach_close;
111 113
112 /* filter */ 114 /* filter */
113 channel_filter_fn *input_filter; 115 channel_infilter_fn *input_filter;
116 channel_outfilter_fn *output_filter;
117
118 int datagram; /* keep boundaries */
114}; 119};
115 120
116#define CHAN_EXTENDED_IGNORE 0 121#define CHAN_EXTENDED_IGNORE 0
@@ -142,6 +147,8 @@ struct Channel {
142#define CHAN_EOF_SENT 0x04 147#define CHAN_EOF_SENT 0x04
143#define CHAN_EOF_RCVD 0x08 148#define CHAN_EOF_RCVD 0x08
144 149
150#define CHAN_RBUF 16*1024
151
145/* check whether 'efd' is still in use */ 152/* check whether 'efd' is still in use */
146#define CHANNEL_EFD_INPUT_ACTIVE(c) \ 153#define CHANNEL_EFD_INPUT_ACTIVE(c) \
147 (compat20 && c->extended_usage == CHAN_EXTENDED_READ && \ 154 (compat20 && c->extended_usage == CHAN_EXTENDED_READ && \
@@ -154,6 +161,7 @@ struct Channel {
154 161
155/* channel management */ 162/* channel management */
156 163
164Channel *channel_by_id(int);
157Channel *channel_lookup(int); 165Channel *channel_lookup(int);
158Channel *channel_new(char *, int, int, int, int, u_int, u_int, int, char *, int); 166Channel *channel_new(char *, int, int, int, int, u_int, u_int, int, char *, int);
159void channel_set_fds(int, int, int, int, int, int, u_int); 167void channel_set_fds(int, int, int, int, int, int, u_int);
@@ -163,9 +171,9 @@ void channel_stop_listening(void);
163 171
164void channel_send_open(int); 172void channel_send_open(int);
165void channel_request_start(int, char *, int); 173void channel_request_start(int, char *, int);
166void channel_register_cleanup(int, channel_callback_fn *); 174void channel_register_cleanup(int, channel_callback_fn *, int);
167void channel_register_confirm(int, channel_callback_fn *, void *); 175void channel_register_confirm(int, channel_callback_fn *, void *);
168void channel_register_filter(int, channel_filter_fn *); 176void channel_register_filter(int, channel_infilter_fn *, channel_outfilter_fn *);
169void channel_cancel_cleanup(int); 177void channel_cancel_cleanup(int);
170int channel_close_fd(int *); 178int channel_close_fd(int *);
171void channel_send_window_changes(void); 179void channel_send_window_changes(void);
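Review bot: The new `channel_outfilter_fn` typedef carries no comment stating its contract, and channel_handle_wfd in channels.c depends on it. A NULL return stops the channel, the returned pointer is what gets written, and on a datagram channel the pointer stored through the second argument is passed to xfree(). A comment above the typedef such as `/* returns buffer to write, or NULL to stop; sets *data (freed by caller on datagram channels) and *dlen */` would make the ownership rule visible to filter authors. Without it, it is easy to write a filter that leaves `*data` unset or pointing at memory it does not own.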
diff --git a/cipher-aes.c b/cipher-aes.c
index 22d500d42..228ddb104 100644
--- a/cipher-aes.c
+++ b/cipher-aes.c
@@ -23,7 +23,11 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26#if OPENSSL_VERSION_NUMBER < 0x00907000L 26
27/* compatibility with old or broken OpenSSL versions */
28#include "openbsd-compat/openssl-compat.h"
29
30#ifdef USE_BUILTIN_RIJNDAEL
27RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $"); 31RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $");
28 32
29#include <openssl/evp.h> 33#include <openssl/evp.h>
@@ -31,10 +35,6 @@ RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $");
31#include "xmalloc.h" 35#include "xmalloc.h"
32#include "log.h" 36#include "log.h"
33 37
34#if OPENSSL_VERSION_NUMBER < 0x00906000L
35#define SSH_OLD_EVP
36#endif
37
38#define RIJNDAEL_BLOCKSIZE 16 38#define RIJNDAEL_BLOCKSIZE 16
39struct ssh_rijndael_ctx 39struct ssh_rijndael_ctx
40{ 40{
@@ -157,4 +157,4 @@ evp_rijndael(void)
157#endif 157#endif
158 return (&rijndal_cbc); 158 return (&rijndal_cbc);
159} 159}
160#endif /* OPENSSL_VERSION_NUMBER */ 160#endif /* USE_BUILTIN_RIJNDAEL */
diff --git a/cipher-ctr.c b/cipher-ctr.c
index 856177349..8a98f3c42 100644
--- a/cipher-ctr.c
+++ b/cipher-ctr.c
@@ -21,11 +21,10 @@ RCSID("$OpenBSD: cipher-ctr.c,v 1.6 2005/07/17 07:17:55 djm Exp $");
21#include "log.h" 21#include "log.h"
22#include "xmalloc.h" 22#include "xmalloc.h"
23 23
24#if OPENSSL_VERSION_NUMBER < 0x00906000L 24/* compatibility with old or broken OpenSSL versions */
25#define SSH_OLD_EVP 25#include "openbsd-compat/openssl-compat.h"
26#endif
27 26
28#if OPENSSL_VERSION_NUMBER < 0x00907000L 27#ifdef USE_BUILTIN_RIJNDAEL
29#include "rijndael.h" 28#include "rijndael.h"
30#define AES_KEY rijndael_ctx 29#define AES_KEY rijndael_ctx
31#define AES_BLOCK_SIZE 16 30#define AES_BLOCK_SIZE 16
diff --git a/cipher.c b/cipher.c
index 0dddf270a..1434d5524 100644
--- a/cipher.c
+++ b/cipher.c
@@ -334,7 +334,7 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
334 if ((u_int)evplen != len) 334 if ((u_int)evplen != len)
335 fatal("%s: wrong iv length %d != %d", __func__, 335 fatal("%s: wrong iv length %d != %d", __func__,
336 evplen, len); 336 evplen, len);
337#if OPENSSL_VERSION_NUMBER < 0x00907000L 337#ifdef USE_BUILTIN_RIJNDAEL
338 if (c->evptype == evp_rijndael) 338 if (c->evptype == evp_rijndael)
339 ssh_rijndael_iv(&cc->evp, 0, iv, len); 339 ssh_rijndael_iv(&cc->evp, 0, iv, len);
340 else 340 else
@@ -365,7 +365,7 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv)
365 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); 365 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
366 if (evplen == 0) 366 if (evplen == 0)
367 return; 367 return;
368#if OPENSSL_VERSION_NUMBER < 0x00907000L 368#ifdef USE_BUILTIN_RIJNDAEL
369 if (c->evptype == evp_rijndael) 369 if (c->evptype == evp_rijndael)
370 ssh_rijndael_iv(&cc->evp, 1, iv, evplen); 370 ssh_rijndael_iv(&cc->evp, 1, iv, evplen);
371 else 371 else
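Review bot: Both guards in cipher_get_keyiv and cipher_set_keyiv now test `#ifdef USE_BUILTIN_RIJNDAEL`, but neither hunk shows cipher.c including the header that presumably defines it. cipher-aes.c and cipher-ctr.c each add `#include "openbsd-compat/openssl-compat.h"` in this commit. An `#ifdef` on an undefined macro fails silently, so if the include is missing the evp_rijndael IV branches are compiled out and the IV is read or set through the generic path instead. The include list is outside the visible hunks, so this is only a request to confirm that cipher.c already pulls the header in. Both functions continue outside their hunks.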
diff --git a/clientloop.c b/clientloop.c
index 47f3c7ecd..b76f7cfe0 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -59,7 +59,7 @@
59 */ 59 */
60 60
61#include "includes.h" 61#include "includes.h"
62RCSID("$OpenBSD: clientloop.c,v 1.141 2005/07/16 01:35:24 djm Exp $"); 62RCSID("$OpenBSD: clientloop.c,v 1.149 2005/12/30 15:56:37 reyk Exp $");
63 63
64#include "ssh.h" 64#include "ssh.h"
65#include "ssh1.h" 65#include "ssh1.h"
@@ -77,6 +77,7 @@ RCSID("$OpenBSD: clientloop.c,v 1.141 2005/07/16 01:35:24 djm Exp $");
77#include "log.h" 77#include "log.h"
78#include "readconf.h" 78#include "readconf.h"
79#include "clientloop.h" 79#include "clientloop.h"
80#include "sshconnect.h"
80#include "authfd.h" 81#include "authfd.h"
81#include "atomicio.h" 82#include "atomicio.h"
82#include "sshpty.h" 83#include "sshpty.h"
@@ -113,7 +114,7 @@ extern char *host;
113static volatile sig_atomic_t received_window_change_signal = 0; 114static volatile sig_atomic_t received_window_change_signal = 0;
114static volatile sig_atomic_t received_signal = 0; 115static volatile sig_atomic_t received_signal = 0;
115 116
116/* Flag indicating whether the user\'s terminal is in non-blocking mode. */ 117/* Flag indicating whether the user's terminal is in non-blocking mode. */
117static int in_non_blocking_mode = 0; 118static int in_non_blocking_mode = 0;
118 119
119/* Common data for the client loop code. */ 120/* Common data for the client loop code. */
@@ -266,7 +267,7 @@ client_x11_get_proto(const char *display, const char *xauth_path,
266 } 267 }
267 } 268 }
268 snprintf(cmd, sizeof(cmd), 269 snprintf(cmd, sizeof(cmd),
269 "%s %s%s list %s . 2>" _PATH_DEVNULL, 270 "%s %s%s list %s 2>" _PATH_DEVNULL,
270 xauth_path, 271 xauth_path,
271 generated ? "-f " : "" , 272 generated ? "-f " : "" ,
272 generated ? xauthfile : "", 273 generated ? xauthfile : "",
@@ -914,6 +915,15 @@ process_cmdline(void)
914 logit(" -Lport:host:hostport Request local forward"); 915 logit(" -Lport:host:hostport Request local forward");
915 logit(" -Rport:host:hostport Request remote forward"); 916 logit(" -Rport:host:hostport Request remote forward");
916 logit(" -KRhostport Cancel remote forward"); 917 logit(" -KRhostport Cancel remote forward");
918 if (!options.permit_local_command)
919 goto out;
920 logit(" !args Execute local command");
921 goto out;
922 }
923
924 if (*s == '!' && options.permit_local_command) {
925 s++;
926 ssh_local_cmd(s);
917 goto out; 927 goto out;
918 } 928 }
919 929
@@ -1376,10 +1386,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
1376 session_ident = ssh2_chan_id; 1386 session_ident = ssh2_chan_id;
1377 if (escape_char != SSH_ESCAPECHAR_NONE) 1387 if (escape_char != SSH_ESCAPECHAR_NONE)
1378 channel_register_filter(session_ident, 1388 channel_register_filter(session_ident,
1379 simple_escape_filter); 1389 simple_escape_filter, NULL);
1380 if (session_ident != -1) 1390 if (session_ident != -1)
1381 channel_register_cleanup(session_ident, 1391 channel_register_cleanup(session_ident,
1382 client_channel_closed); 1392 client_channel_closed, 0);
1383 } else { 1393 } else {
1384 /* Check if we should immediately send eof on stdin. */ 1394 /* Check if we should immediately send eof on stdin. */
1385 client_check_initial_eof_on_stdin(); 1395 client_check_initial_eof_on_stdin();
@@ -1678,7 +1688,7 @@ client_request_x11(const char *request_type, int rchan)
1678 1688
1679 if (!options.forward_x11) { 1689 if (!options.forward_x11) {
1680 error("Warning: ssh server tried X11 forwarding."); 1690 error("Warning: ssh server tried X11 forwarding.");
1681 error("Warning: this is probably a break in attempt by a malicious server."); 1691 error("Warning: this is probably a break-in attempt by a malicious server.");
1682 return NULL; 1692 return NULL;
1683 } 1693 }
1684 originator = packet_get_string(NULL); 1694 originator = packet_get_string(NULL);
@@ -1711,7 +1721,7 @@ client_request_agent(const char *request_type, int rchan)
1711 1721
1712 if (!options.forward_agent) { 1722 if (!options.forward_agent) {
1713 error("Warning: ssh server tried agent forwarding."); 1723 error("Warning: ssh server tried agent forwarding.");
1714 error("Warning: this is probably a break in attempt by a malicious server."); 1724 error("Warning: this is probably a break-in attempt by a malicious server.");
1715 return NULL; 1725 return NULL;
1716 } 1726 }
1717 sock = ssh_get_authentication_socket(); 1727 sock = ssh_get_authentication_socket();
@@ -1880,7 +1890,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
1880 /* Split */ 1890 /* Split */
1881 name = xstrdup(env[i]); 1891 name = xstrdup(env[i]);
1882 if ((val = strchr(name, '=')) == NULL) { 1892 if ((val = strchr(name, '=')) == NULL) {
1883 free(name); 1893 xfree(name);
1884 continue; 1894 continue;
1885 } 1895 }
1886 *val++ = '\0'; 1896 *val++ = '\0';
@@ -1894,7 +1904,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
1894 } 1904 }
1895 if (!matched) { 1905 if (!matched) {
1896 debug3("Ignored env %s", name); 1906 debug3("Ignored env %s", name);
1897 free(name); 1907 xfree(name);
1898 continue; 1908 continue;
1899 } 1909 }
1900 1910
@@ -1903,7 +1913,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
1903 packet_put_cstring(name); 1913 packet_put_cstring(name);
1904 packet_put_cstring(val); 1914 packet_put_cstring(val);
1905 packet_send(); 1915 packet_send();
1906 free(name); 1916 xfree(name);
1907 } 1917 }
1908 } 1918 }
1909 1919
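Review bot: The new `!` branch in process_cmdline hands everything after the `!` to `ssh_local_cmd(s)` without skipping leading whitespace or rejecting an empty string, so a bare `!` passes an empty command to the helper. How ssh_local_cmd treats that is not visible here. A guard before the call, for example `if (*s == '\0') { logit("Missing local command."); goto out; }`, would make the behaviour explicit. A one-line comment noting that this path runs a command on the local machine and is reachable only when `options.permit_local_command` is set would also help whoever next touches the escape-command parser. process_cmdline begins and ends outside this hunk.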
diff --git a/config.h.in b/config.h.in
index 1b964ee0f..3101aba54 100644
--- a/config.h.in
+++ b/config.h.in
@@ -1,191 +1,87 @@
1/* config.h.in. Generated from configure.ac by autoheader. */ 1/* config.h.in. Generated from configure.ac by autoheader. */
2/* $Id: acconfig.h,v 1.183 2005/07/07 10:33:36 dtucker Exp $ */
3
4/*
5 * Copyright (c) 1999-2003 Damien Miller. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */
27
28#ifndef _CONFIG_H
29#define _CONFIG_H
30
31/* Generated automatically from acconfig.h by autoheader. */
32/* Please make your changes there */
33 2
3/* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
4 */
5#undef AIX_GETNAMEINFO_HACK
34 6
35/* Define if your platform breaks doing a seteuid before a setuid */ 7/* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */
36#undef SETEUID_BREAKS_SETUID 8#undef AIX_LOGINFAILED_4ARG
37
38/* Define if your setreuid() is broken */
39#undef BROKEN_SETREUID
40
41/* Define if your setregid() is broken */
42#undef BROKEN_SETREGID
43
44/* Define if your setresuid() is broken */
45#undef BROKEN_SETRESUID
46
47/* Define if your setresgid() is broken */
48#undef BROKEN_SETRESGID
49
50/* Define to a Set Process Title type if your system is */
51/* supported by bsd-setproctitle.c */
52#undef SPT_TYPE
53#undef SPT_PADCHAR
54
55/* SCO workaround */
56#undef BROKEN_SYS_TERMIO_H
57
58/* Define if you have SecureWare-based protected password database */
59#undef HAVE_SECUREWARE
60
61/* If your header files don't define LOGIN_PROGRAM, then use this (detected) */
62/* from environment and PATH */
63#undef LOGIN_PROGRAM_FALLBACK
64
65/* Full path of your "passwd" program */
66#undef _PATH_PASSWD_PROG
67
68/* Define if your password has a pw_class field */
69#undef HAVE_PW_CLASS_IN_PASSWD
70 9
71/* Define if your password has a pw_expire field */ 10/* Define if your resolver libs need this for getrrsetbyname */
72#undef HAVE_PW_EXPIRE_IN_PASSWD 11#undef BIND_8_COMPAT
73 12
74/* Define if your password has a pw_change field */ 13/* Define if cmsg_type is not passed correctly */
75#undef HAVE_PW_CHANGE_IN_PASSWD 14#undef BROKEN_CMSG_TYPE
76 15
77/* Define if your system uses access rights style file descriptor passing */ 16/* getaddrinfo is broken (if present) */
78#undef HAVE_ACCRIGHTS_IN_MSGHDR 17#undef BROKEN_GETADDRINFO
79 18
80/* Define if your system uses ancillary data style file descriptor passing */ 19/* getgroups(0,NULL) will return -1 */
81#undef HAVE_CONTROL_IN_MSGHDR 20#undef BROKEN_GETGROUPS
82 21
83/* Define if you system's inet_ntoa is busted (e.g. Irix gcc issue) */ 22/* Define if you system's inet_ntoa is busted (e.g. Irix gcc issue) */
84#undef BROKEN_INET_NTOA 23#undef BROKEN_INET_NTOA
85 24
86/* Define if your system defines sys_errlist[] */ 25/* ia_uinfo routines not supported by OS yet */
87#undef HAVE_SYS_ERRLIST 26#undef BROKEN_LIBIAF
88
89/* Define if your system defines sys_nerr */
90#undef HAVE_SYS_NERR
91
92/* Define if your system choked on IP TOS setting */
93#undef IP_TOS_IS_BROKEN
94
95/* Define if you have the getuserattr function. */
96#undef HAVE_GETUSERATTR
97
98/* Define if you have the basename function. */
99#undef HAVE_BASENAME
100
101/* Work around problematic Linux PAM modules handling of PAM_TTY */
102#undef PAM_TTY_KLUDGE
103
104/* Define if pam_chauthtok wants real uid set to the unpriv'ed user */
105#undef SSHPAM_CHAUTHTOK_NEEDS_RUID
106
107/* Use PIPES instead of a socketpair() */
108#undef USE_PIPES
109 27
110/* Define if your snprintf is busted */ 28/* Ultrix mmap can't map files */
111#undef BROKEN_SNPRINTF 29#undef BROKEN_MMAP
112 30
113/* Define if you are on Cygwin */ 31/* Define if your struct dirent expects you to allocate extra space for d_name
114#undef HAVE_CYGWIN 32 */
33#undef BROKEN_ONE_BYTE_DIRENT_D_NAME
115 34
116/* Define if you have a broken realpath. */ 35/* Define if you have a broken realpath. */
117#undef BROKEN_REALPATH 36#undef BROKEN_REALPATH
118 37
119/* Define if you are on NeXT */ 38/* Needed for NeXT */
120#undef HAVE_NEXT 39#undef BROKEN_SAVED_UIDS
121
122/* Define if you want to enable PAM support */
123#undef USE_PAM
124
125/* Define if you want to enable AIX4's authenticate function */
126#undef WITH_AIXAUTHENTICATE
127 40
128/* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */ 41/* Define if your setregid() is broken */
129#undef AIX_LOGINFAILED_4ARG 42#undef BROKEN_SETREGID
130 43
131/* Define if your skeychallenge() function takes 4 arguments (eg NetBSD) */ 44/* Define if your setresgid() is broken */
132#undef SKEYCHALLENGE_4ARG 45#undef BROKEN_SETRESGID
133 46
134/* Define if you have/want arrays (cluster-wide session managment, not C arrays) */ 47/* Define if your setresuid() is broken */
135#undef WITH_IRIX_ARRAY 48#undef BROKEN_SETRESUID
136 49
137/* Define if you want IRIX project management */ 50/* Define if your setreuid() is broken */
138#undef WITH_IRIX_PROJECT 51#undef BROKEN_SETREUID
139 52
140/* Define if you want IRIX audit trails */ 53/* LynxOS has broken setvbuf() implementation */
141#undef WITH_IRIX_AUDIT 54#undef BROKEN_SETVBUF
142 55
143/* Define if you want IRIX kernel jobs */ 56/* Define if your snprintf is busted */
144#undef WITH_IRIX_JOBS 57#undef BROKEN_SNPRINTF
145 58
146/* Location of PRNGD/EGD random number socket */ 59/* updwtmpx is broken (if present) */
147#undef PRNGD_SOCKET 60#undef BROKEN_UPDWTMPX
148 61
149/* Port number of PRNGD/EGD random number socket */ 62/* Define if you have BSD auth support */
150#undef PRNGD_PORT 63#undef BSD_AUTH
151 64
152/* Builtin PRNG command timeout */ 65/* Define if you want to specify the path to your lastlog file */
153#undef ENTROPY_TIMEOUT_MSEC 66#undef CONF_LASTLOG_FILE
154 67
155/* non-privileged user for privilege separation */ 68/* Define if you want to specify the path to your utmpx file */
156#undef SSH_PRIVSEP_USER 69#undef CONF_UTMPX_FILE
157 70
158/* Define if you want to install preformatted manpages.*/ 71/* Define if you want to specify the path to your utmp file */
159#undef MANTYPE 72#undef CONF_UTMP_FILE
160 73
161/* Define if your ssl headers are included with #include <openssl/header.h> */ 74/* Define if you want to specify the path to your wtmpx file */
162#undef HAVE_OPENSSL 75#undef CONF_WTMPX_FILE
163 76
164/* Define if you are linking against RSAref. Used only to print the right 77/* Define if you want to specify the path to your wtmp file */
165 * message at run-time. */ 78#undef CONF_WTMP_FILE
166#undef RSAREF
167 79
168/* struct timeval */ 80/* Define if your platform needs to skip post auth file descriptor passing */
169#undef HAVE_STRUCT_TIMEVAL 81#undef DISABLE_FD_PASSING
170 82
171/* struct utmp and struct utmpx fields */ 83/* Define if you don't want to use lastlog */
172#undef HAVE_HOST_IN_UTMP 84#undef DISABLE_LASTLOG
173#undef HAVE_HOST_IN_UTMPX
174#undef HAVE_ADDR_IN_UTMP
175#undef HAVE_ADDR_IN_UTMPX
176#undef HAVE_ADDR_V6_IN_UTMP
177#undef HAVE_ADDR_V6_IN_UTMPX
178#undef HAVE_SYSLEN_IN_UTMPX
179#undef HAVE_PID_IN_UTMP
180#undef HAVE_TYPE_IN_UTMP
181#undef HAVE_TYPE_IN_UTMPX
182#undef HAVE_TV_IN_UTMP
183#undef HAVE_TV_IN_UTMPX
184#undef HAVE_ID_IN_UTMP
185#undef HAVE_ID_IN_UTMPX
186#undef HAVE_EXIT_IN_UTMP
187#undef HAVE_TIME_IN_UTMP
188#undef HAVE_TIME_IN_UTMPX
189 85
190/* Define if you don't want to use your system's login() call */ 86/* Define if you don't want to use your system's login() call */
191#undef DISABLE_LOGIN 87#undef DISABLE_LOGIN
@@ -196,11 +92,8 @@
196/* Define if you don't want to use pututxline() etc. to write [uw]tmpx */ 92/* Define if you don't want to use pututxline() etc. to write [uw]tmpx */
197#undef DISABLE_PUTUTXLINE 93#undef DISABLE_PUTUTXLINE
198 94
199/* Define if you don't want to use lastlog */ 95/* Define if you want to disable shadow passwords */
200#undef DISABLE_LASTLOG 96#undef DISABLE_SHADOW
201
202/* Define if you don't want to use lastlog in session.c */
203#undef NO_SSH_LASTLOG
204 97
205/* Define if you don't want to use utmp */ 98/* Define if you don't want to use utmp */
206#undef DISABLE_UTMP 99#undef DISABLE_UTMP
@@ -214,159 +107,17 @@
214/* Define if you don't want to use wtmpx */ 107/* Define if you don't want to use wtmpx */
215#undef DISABLE_WTMPX 108#undef DISABLE_WTMPX
216 109
217/* Some systems need a utmpx entry for /bin/login to work */
218#undef LOGIN_NEEDS_UTMPX
219
220/* Some versions of /bin/login need the TERM supplied on the commandline */
221#undef LOGIN_NEEDS_TERM
222
223/* Define if your login program cannot handle end of options ("--") */
224#undef LOGIN_NO_ENDOPT
225
226/* Define if you want to specify the path to your lastlog file */
227#undef CONF_LASTLOG_FILE
228
229/* Define if you want to specify the path to your utmp file */
230#undef CONF_UTMP_FILE
231
232/* Define if you want to specify the path to your wtmp file */
233#undef CONF_WTMP_FILE
234
235/* Define if you want to specify the path to your utmpx file */
236#undef CONF_UTMPX_FILE
237
238/* Define if you want to specify the path to your wtmpx file */
239#undef CONF_WTMPX_FILE
240
241/* Define if you want external askpass support */
242#undef USE_EXTERNAL_ASKPASS
243
244/* Define if libc defines __progname */
245#undef HAVE___PROGNAME
246
247/* Define if compiler implements __FUNCTION__ */
248#undef HAVE___FUNCTION__
249
250/* Define if compiler implements __func__ */
251#undef HAVE___func__
252
253/* Define this is you want GSSAPI support in the version 2 protocol */
254#undef GSSAPI
255
256/* Define if you want Kerberos 5 support */
257#undef KRB5
258
259/* Define this if you are using the Heimdal version of Kerberos V5 */
260#undef HEIMDAL
261
262/* Define this if you want to use libkafs' AFS support */
263#undef USE_AFS
264
265/* Define if you want S/Key support */
266#undef SKEY
267
268/* Define if you want TCP Wrappers support */
269#undef LIBWRAP
270
271/* Define if your libraries define login() */
272#undef HAVE_LOGIN
273
274/* Define if your libraries define daemon() */
275#undef HAVE_DAEMON
276
277/* Define if your libraries define getpagesize() */
278#undef HAVE_GETPAGESIZE
279
280/* Define if xauth is found in your path */
281#undef XAUTH_PATH
282
283/* Define if you want to allow MD5 passwords */
284#undef HAVE_MD5_PASSWORDS
285
286/* Define if you want to disable shadow passwords */
287#undef DISABLE_SHADOW
288
289/* Define if you want to use shadow password expire field */
290#undef HAS_SHADOW_EXPIRE
291
292/* Define if you have Digital Unix Security Integration Architecture */
293#undef HAVE_OSF_SIA
294
295/* Define if you have getpwanam(3) [SunOS 4.x] */
296#undef HAVE_GETPWANAM
297
298/* Define if you have an old version of PAM which takes only one argument */
299/* to pam_strerror */
300#undef HAVE_OLD_PAM
301
302/* Define if you are using Solaris-derived PAM which passes pam_messages */
303/* to the conversation function with an extra level of indirection */
304#undef PAM_SUN_CODEBASE
305
306/* Set this to your mail directory if you don't have maillock.h */
307#undef MAIL_DIRECTORY
308
309/* Data types */
310#undef HAVE_U_INT
311#undef HAVE_INTXX_T
312#undef HAVE_U_INTXX_T
313#undef HAVE_UINTXX_T
314#undef HAVE_INT64_T
315#undef HAVE_U_INT64_T
316#undef HAVE_U_CHAR
317#undef HAVE_SIZE_T
318#undef HAVE_SSIZE_T
319#undef HAVE_CLOCK_T
320#undef HAVE_MODE_T
321#undef HAVE_PID_T
322#undef HAVE_SA_FAMILY_T
323#undef HAVE_STRUCT_SOCKADDR_STORAGE
324#undef HAVE_STRUCT_ADDRINFO
325#undef HAVE_STRUCT_IN6_ADDR
326#undef HAVE_STRUCT_SOCKADDR_IN6
327
328/* Fields in struct sockaddr_storage */
329#undef HAVE_SS_FAMILY_IN_SS
330#undef HAVE___SS_FAMILY_IN_SS
331
332/* Define if you have /dev/ptmx */
333#undef HAVE_DEV_PTMX
334
335/* Define if you have /dev/ptc */
336#undef HAVE_DEV_PTS_AND_PTC
337
338/* Define if you need to use IP address instead of hostname in $DISPLAY */
339#undef IPADDR_IN_DISPLAY
340
341/* Specify default $PATH */
342#undef USER_PATH
343
344/* Specify location of ssh.pid */
345#undef _PATH_SSH_PIDDIR
346
347/* getaddrinfo is broken (if present) */
348#undef BROKEN_GETADDRINFO
349
350/* updwtmpx is broken (if present) */
351#undef BROKEN_UPDWTMPX
352
353/* Workaround more Linux IPv6 quirks */ 110/* Workaround more Linux IPv6 quirks */
354#undef DONT_TRY_OTHER_AF 111#undef DONT_TRY_OTHER_AF
355 112
356/* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */ 113/* Builtin PRNG command timeout */
357#undef IPV4_IN_IPV6 114#undef ENTROPY_TIMEOUT_MSEC
358
359/* Define if you have BSD auth support */
360#undef BSD_AUTH
361
362/* Define if X11 doesn't support AF_UNIX sockets on that system */
363#undef NO_X11_UNIX_SOCKETS
364 115
365/* Define if the concept of ports only accessible to superusers isn't known */ 116/* Define to 1 if the `getpgrp' function requires zero arguments. */
366#undef NO_IPPORT_RESERVED_CONCEPT 117#undef GETPGRP_VOID
367 118
368/* Needed for SCO and NeXT */ 119/* Conflicting defs for getspnam */
369#undef BROKEN_SAVED_UIDS 120#undef GETSPNAM_CONFLICTING_DEFS
370 121
371/* Define if your system glob() function has the GLOB_ALTDIRFUNC extension */ 122/* Define if your system glob() function has the GLOB_ALTDIRFUNC extension */
372#undef GLOB_HAS_ALTDIRFUNC 123#undef GLOB_HAS_ALTDIRFUNC
@@ -374,109 +125,36 @@
374/* Define if your system glob() function has gl_matchc options in glob_t */ 125/* Define if your system glob() function has gl_matchc options in glob_t */
375#undef GLOB_HAS_GL_MATCHC 126#undef GLOB_HAS_GL_MATCHC
376 127
377/* Define in your struct dirent expects you to allocate extra space for d_name */ 128/* Define this if you want GSSAPI support in the version 2 protocol */
378#undef BROKEN_ONE_BYTE_DIRENT_D_NAME 129#undef GSSAPI
379
380/* Define if your system has /etc/default/login */
381#undef HAVE_ETC_DEFAULT_LOGIN
382
383/* Define if your getopt(3) defines and uses optreset */
384#undef HAVE_GETOPT_OPTRESET
385
386/* Define on *nto-qnx systems */
387#undef MISSING_NFDBITS
388
389/* Define on *nto-qnx systems */
390#undef MISSING_HOWMANY
391
392/* Define on *nto-qnx systems */
393#undef MISSING_FD_MASK
394
395/* Define if you want smartcard support */
396#undef SMARTCARD
397
398/* Define if you want smartcard support using sectok */
399#undef USE_SECTOK
400
401/* Define if you want smartcard support using OpenSC */
402#undef USE_OPENSC
403
404/* Define if you want to use OpenSSL's internally seeded PRNG only */
405#undef OPENSSL_PRNG_ONLY
406
407/* Define if you shouldn't strip 'tty' from your ttyname in [uw]tmp */
408#undef WITH_ABBREV_NO_TTY
409
410/* Define if you want a different $PATH for the superuser */
411#undef SUPERUSER_PATH
412
413/* Path that unprivileged child will chroot() to in privep mode */
414#undef PRIVSEP_PATH
415
416/* Define if your platform needs to skip post auth file descriptor passing */
417#undef DISABLE_FD_PASSING
418
419/* Silly mkstemp() */
420#undef HAVE_STRICT_MKSTEMP
421
422/* Some systems put this outside of libc */
423#undef HAVE_NANOSLEEP
424
425/* Define if sshd somehow reacquires a controlling TTY after setsid() */
426#undef SSHD_ACQUIRES_CTTY
427
428/* Define if cmsg_type is not passed correctly */
429#undef BROKEN_CMSG_TYPE
430
431/*
432 * Define to whatever link() returns for "not supported" if it doesn't
433 * return EOPNOTSUPP.
434 */
435#undef LINK_OPNOTSUPP_ERRNO
436
437/* Strings used in /etc/passwd to denote locked account */
438#undef LOCKED_PASSWD_STRING
439#undef LOCKED_PASSWD_PREFIX
440#undef LOCKED_PASSWD_SUBSTR
441
442/* Define if getrrsetbyname() exists */
443#undef HAVE_GETRRSETBYNAME
444
445/* Define if HEADER.ad exists in arpa/nameser.h */
446#undef HAVE_HEADER_AD
447
448/* Define if your resolver libs need this for getrrsetbyname */
449#undef BIND_8_COMPAT
450
451/* Define if you have /proc/$pid/fd */
452#undef HAVE_PROC_PID
453
454
455/* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
456 */
457#undef AIX_GETNAMEINFO_HACK
458 130
459/* getgroups(0,NULL) will return -1 */ 131/* Define if you want to use shadow password expire field */
460#undef BROKEN_GETGROUPS 132#undef HAS_SHADOW_EXPIRE
461 133
462/* ia_uinfo routines not supported by OS yet */ 134/* Define if your system uses access rights style file descriptor passing */
463#undef BROKEN_LIBIAF 135#undef HAVE_ACCRIGHTS_IN_MSGHDR
464 136
465/* Ultrix mmap can't map files */ 137/* Define if you have ut_addr in utmp.h */
466#undef BROKEN_MMAP 138#undef HAVE_ADDR_IN_UTMP
467 139
468/* LynxOS has broken setvbuf() implementation */ 140/* Define if you have ut_addr in utmpx.h */
469#undef BROKEN_SETVBUF 141#undef HAVE_ADDR_IN_UTMPX
470 142
471/* Define to 1 if the `getpgrp' function requires zero arguments. */ 143/* Define if you have ut_addr_v6 in utmp.h */
472#undef GETPGRP_VOID 144#undef HAVE_ADDR_V6_IN_UTMP
473 145
474/* Conflicting defs for getspnam */ 146/* Define if you have ut_addr_v6 in utmpx.h */
475#undef GETSPNAM_CONFLICTING_DEFS 147#undef HAVE_ADDR_V6_IN_UTMPX
476 148
477/* Define to 1 if you have the `arc4random' function. */ 149/* Define to 1 if you have the `arc4random' function. */
478#undef HAVE_ARC4RANDOM 150#undef HAVE_ARC4RANDOM
479 151
152/* Define to 1 if you have the `asprintf' function. */
153#undef HAVE_ASPRINTF
154
155/* OpenBSD's gcc has bounded */
156#undef HAVE_ATTRIBUTE__BOUNDED__
157
480/* OpenBSD's gcc has sentinel */ 158/* OpenBSD's gcc has sentinel */
481#undef HAVE_ATTRIBUTE__SENTINEL__ 159#undef HAVE_ATTRIBUTE__SENTINEL__
482 160
@@ -486,6 +164,9 @@
486/* Define to 1 if you have the `b64_pton' function. */ 164/* Define to 1 if you have the `b64_pton' function. */
487#undef HAVE_B64_PTON 165#undef HAVE_B64_PTON
488 166
167/* Define if you have the basename function. */
168#undef HAVE_BASENAME
169
489/* Define to 1 if you have the `bcopy' function. */ 170/* Define to 1 if you have the `bcopy' function. */
490#undef HAVE_BCOPY 171#undef HAVE_BCOPY
491 172
@@ -501,15 +182,27 @@
501/* Define to 1 if you have the `clock' function. */ 182/* Define to 1 if you have the `clock' function. */
502#undef HAVE_CLOCK 183#undef HAVE_CLOCK
503 184
185/* define if you have clock_t data type */
186#undef HAVE_CLOCK_T
187
504/* Define to 1 if you have the `closefrom' function. */ 188/* Define to 1 if you have the `closefrom' function. */
505#undef HAVE_CLOSEFROM 189#undef HAVE_CLOSEFROM
506 190
507/* Define if gai_strerror() returns const char * */ 191/* Define if gai_strerror() returns const char * */
508#undef HAVE_CONST_GAI_STRERROR_PROTO 192#undef HAVE_CONST_GAI_STRERROR_PROTO
509 193
194/* Define if your system uses ancillary data style file descriptor passing */
195#undef HAVE_CONTROL_IN_MSGHDR
196
510/* Define to 1 if you have the <crypt.h> header file. */ 197/* Define to 1 if you have the <crypt.h> header file. */
511#undef HAVE_CRYPT_H 198#undef HAVE_CRYPT_H
512 199
200/* Define if you are on Cygwin */
201#undef HAVE_CYGWIN
202
203/* Define if your libraries define daemon() */
204#undef HAVE_DAEMON
205
513/* Define to 1 if you have the declaration of `authenticate', and to 0 if you 206/* Define to 1 if you have the declaration of `authenticate', and to 0 if you
514 don't. */ 207 don't. */
515#undef HAVE_DECL_AUTHENTICATE 208#undef HAVE_DECL_AUTHENTICATE
@@ -546,6 +239,12 @@
546 don't. */ 239 don't. */
547#undef HAVE_DECL__GETSHORT 240#undef HAVE_DECL__GETSHORT
548 241
242/* Define if you have /dev/ptmx */
243#undef HAVE_DEV_PTMX
244
245/* Define if you have /dev/ptc */
246#undef HAVE_DEV_PTS_AND_PTC
247
549/* Define to 1 if you have the <dirent.h> header file. */ 248/* Define to 1 if you have the <dirent.h> header file. */
550#undef HAVE_DIRENT_H 249#undef HAVE_DIRENT_H
551 250
@@ -564,6 +263,12 @@
564/* Define to 1 if you have the `endutxent' function. */ 263/* Define to 1 if you have the `endutxent' function. */
565#undef HAVE_ENDUTXENT 264#undef HAVE_ENDUTXENT
566 265
266/* Define if your system has /etc/default/login */
267#undef HAVE_ETC_DEFAULT_LOGIN
268
269/* Define if you have ut_exit in utmp.h */
270#undef HAVE_EXIT_IN_UTMP
271
567/* Define to 1 if you have the `fchmod' function. */ 272/* Define to 1 if you have the `fchmod' function. */
568#undef HAVE_FCHMOD 273#undef HAVE_FCHMOD
569 274
@@ -612,6 +317,12 @@
612/* Define to 1 if you have the <getopt.h> header file. */ 317/* Define to 1 if you have the <getopt.h> header file. */
613#undef HAVE_GETOPT_H 318#undef HAVE_GETOPT_H
614 319
320/* Define if your getopt(3) defines and uses optreset */
321#undef HAVE_GETOPT_OPTRESET
322
323/* Define if your libraries define getpagesize() */
324#undef HAVE_GETPAGESIZE
325
615/* Define to 1 if you have the `getpeereid' function. */ 326/* Define to 1 if you have the `getpeereid' function. */
616#undef HAVE_GETPEEREID 327#undef HAVE_GETPEEREID
617 328
@@ -621,6 +332,9 @@
621/* Define to 1 if you have the `getrlimit' function. */ 332/* Define to 1 if you have the `getrlimit' function. */
622#undef HAVE_GETRLIMIT 333#undef HAVE_GETRLIMIT
623 334
335/* Define if getrrsetbyname() exists */
336#undef HAVE_GETRRSETBYNAME
337
624/* Define to 1 if you have the `getrusage' function. */ 338/* Define to 1 if you have the `getrusage' function. */
625#undef HAVE_GETRUSAGE 339#undef HAVE_GETRUSAGE
626 340
@@ -672,12 +386,27 @@
672/* Define to 1 if you have the <gssapi_krb5.h> header file. */ 386/* Define to 1 if you have the <gssapi_krb5.h> header file. */
673#undef HAVE_GSSAPI_KRB5_H 387#undef HAVE_GSSAPI_KRB5_H
674 388
389/* Define if HEADER.ad exists in arpa/nameser.h */
390#undef HAVE_HEADER_AD
391
392/* Define if you have ut_host in utmp.h */
393#undef HAVE_HOST_IN_UTMP
394
395/* Define if you have ut_host in utmpx.h */
396#undef HAVE_HOST_IN_UTMPX
397
675/* Define to 1 if you have the <iaf.h> header file. */ 398/* Define to 1 if you have the <iaf.h> header file. */
676#undef HAVE_IAF_H 399#undef HAVE_IAF_H
677 400
678/* Define to 1 if you have the <ia.h> header file. */ 401/* Define to 1 if you have the <ia.h> header file. */
679#undef HAVE_IA_H 402#undef HAVE_IA_H
680 403
404/* Define if you have ut_id in utmp.h */
405#undef HAVE_ID_IN_UTMP
406
407/* Define if you have ut_id in utmpx.h */
408#undef HAVE_ID_IN_UTMPX
409
681/* Define to 1 if you have the `inet_aton' function. */ 410/* Define to 1 if you have the `inet_aton' function. */
682#undef HAVE_INET_ATON 411#undef HAVE_INET_ATON
683 412
@@ -690,9 +419,15 @@
690/* Define to 1 if you have the `innetgr' function. */ 419/* Define to 1 if you have the `innetgr' function. */
691#undef HAVE_INNETGR 420#undef HAVE_INNETGR
692 421
422/* define if you have int64_t data type */
423#undef HAVE_INT64_T
424
693/* Define to 1 if you have the <inttypes.h> header file. */ 425/* Define to 1 if you have the <inttypes.h> header file. */
694#undef HAVE_INTTYPES_H 426#undef HAVE_INTTYPES_H
695 427
428/* define if you have intxx_t data type */
429#undef HAVE_INTXX_T
430
696/* Define to 1 if the system has the type `in_addr_t'. */ 431/* Define to 1 if the system has the type `in_addr_t'. */
697#undef HAVE_IN_ADDR_T 432#undef HAVE_IN_ADDR_T
698 433
@@ -738,6 +473,12 @@
738/* Define to 1 if you have the <limits.h> header file. */ 473/* Define to 1 if you have the <limits.h> header file. */
739#undef HAVE_LIMITS_H 474#undef HAVE_LIMITS_H
740 475
476/* Define to 1 if you have the <linux/if_tun.h> header file. */
477#undef HAVE_LINUX_IF_TUN_H
478
479/* Define if your libraries define login() */
480#undef HAVE_LOGIN
481
741/* Define to 1 if you have the <login_cap.h> header file. */ 482/* Define to 1 if you have the <login_cap.h> header file. */
742#undef HAVE_LOGIN_CAP_H 483#undef HAVE_LOGIN_CAP_H
743 484
@@ -753,12 +494,21 @@
753/* Define to 1 if you have the `logwtmp' function. */ 494/* Define to 1 if you have the `logwtmp' function. */
754#undef HAVE_LOGWTMP 495#undef HAVE_LOGWTMP
755 496
497/* Define to 1 if the system has the type `long double'. */
498#undef HAVE_LONG_DOUBLE
499
500/* Define to 1 if the system has the type `long long'. */
501#undef HAVE_LONG_LONG
502
756/* Define to 1 if you have the <maillock.h> header file. */ 503/* Define to 1 if you have the <maillock.h> header file. */
757#undef HAVE_MAILLOCK_H 504#undef HAVE_MAILLOCK_H
758 505
759/* Define to 1 if you have the `md5_crypt' function. */ 506/* Define to 1 if you have the `md5_crypt' function. */
760#undef HAVE_MD5_CRYPT 507#undef HAVE_MD5_CRYPT
761 508
509/* Define if you want to allow MD5 passwords */
510#undef HAVE_MD5_PASSWORDS
511
762/* Define to 1 if you have the `memmove' function. */ 512/* Define to 1 if you have the `memmove' function. */
763#undef HAVE_MEMMOVE 513#undef HAVE_MEMMOVE
764 514
@@ -771,6 +521,12 @@
771/* Define to 1 if you have the `mmap' function. */ 521/* Define to 1 if you have the `mmap' function. */
772#undef HAVE_MMAP 522#undef HAVE_MMAP
773 523
524/* define if you have mode_t data type */
525#undef HAVE_MODE_T
526
527/* Some systems put nanosleep outside of libc */
528#undef HAVE_NANOSLEEP
529
774/* Define to 1 if you have the <ndir.h> header file. */ 530/* Define to 1 if you have the <ndir.h> header file. */
775#undef HAVE_NDIR_H 531#undef HAVE_NDIR_H
776 532
@@ -780,8 +536,8 @@
780/* Define to 1 if you have the <netgroup.h> header file. */ 536/* Define to 1 if you have the <netgroup.h> header file. */
781#undef HAVE_NETGROUP_H 537#undef HAVE_NETGROUP_H
782 538
783/* Define to 1 if you have the <netinet/in_systm.h> header file. */ 539/* Define if you are on NeXT */
784#undef HAVE_NETINET_IN_SYSTM_H 540#undef HAVE_NEXT
785 541
786/* Define to 1 if you have the `ngetaddrinfo' function. */ 542/* Define to 1 if you have the `ngetaddrinfo' function. */
787#undef HAVE_NGETADDRINFO 543#undef HAVE_NGETADDRINFO
@@ -792,12 +548,22 @@
792/* Define to 1 if you have the `ogetaddrinfo' function. */ 548/* Define to 1 if you have the `ogetaddrinfo' function. */
793#undef HAVE_OGETADDRINFO 549#undef HAVE_OGETADDRINFO
794 550
551/* Define if you have an old version of PAM which takes only one argument to
552 pam_strerror */
553#undef HAVE_OLD_PAM
554
795/* Define to 1 if you have the `openlog_r' function. */ 555/* Define to 1 if you have the `openlog_r' function. */
796#undef HAVE_OPENLOG_R 556#undef HAVE_OPENLOG_R
797 557
798/* Define to 1 if you have the `openpty' function. */ 558/* Define to 1 if you have the `openpty' function. */
799#undef HAVE_OPENPTY 559#undef HAVE_OPENPTY
800 560
561/* Define if your ssl headers are included with #include <openssl/header.h> */
562#undef HAVE_OPENSSL
563
564/* Define if you have Digital Unix Security Integration Architecture */
565#undef HAVE_OSF_SIA
566
801/* Define to 1 if you have the `pam_getenvlist' function. */ 567/* Define to 1 if you have the `pam_getenvlist' function. */
802#undef HAVE_PAM_GETENVLIST 568#undef HAVE_PAM_GETENVLIST
803 569
@@ -810,9 +576,18 @@
810/* Define to 1 if you have the <paths.h> header file. */ 576/* Define to 1 if you have the <paths.h> header file. */
811#undef HAVE_PATHS_H 577#undef HAVE_PATHS_H
812 578
579/* Define if you have ut_pid in utmp.h */
580#undef HAVE_PID_IN_UTMP
581
582/* define if you have pid_t data type */
583#undef HAVE_PID_T
584
813/* Define to 1 if you have the `prctl' function. */ 585/* Define to 1 if you have the `prctl' function. */
814#undef HAVE_PRCTL 586#undef HAVE_PRCTL
815 587
588/* Define if you have /proc/$pid/fd */
589#undef HAVE_PROC_PID
590
816/* Define to 1 if you have the `pstat' function. */ 591/* Define to 1 if you have the `pstat' function. */
817#undef HAVE_PSTAT 592#undef HAVE_PSTAT
818 593
@@ -825,6 +600,15 @@
825/* Define to 1 if you have the `pututxline' function. */ 600/* Define to 1 if you have the `pututxline' function. */
826#undef HAVE_PUTUTXLINE 601#undef HAVE_PUTUTXLINE
827 602
603/* Define if your password has a pw_change field */
604#undef HAVE_PW_CHANGE_IN_PASSWD
605
606/* Define if your password has a pw_class field */
607#undef HAVE_PW_CLASS_IN_PASSWD
608
609/* Define if your password has a pw_expire field */
610#undef HAVE_PW_EXPIRE_IN_PASSWD
611
828/* Define to 1 if you have the `readpassphrase' function. */ 612/* Define to 1 if you have the `readpassphrase' function. */
829#undef HAVE_READPASSPHRASE 613#undef HAVE_READPASSPHRASE
830 614
@@ -843,9 +627,15 @@
843/* Define to 1 if you have the `rresvport_af' function. */ 627/* Define to 1 if you have the `rresvport_af' function. */
844#undef HAVE_RRESVPORT_AF 628#undef HAVE_RRESVPORT_AF
845 629
630/* define if you have sa_family_t data type */
631#undef HAVE_SA_FAMILY_T
632
846/* Define to 1 if you have the <sectok.h> header file. */ 633/* Define to 1 if you have the <sectok.h> header file. */
847#undef HAVE_SECTOK_H 634#undef HAVE_SECTOK_H
848 635
636/* Define if you have SecureWare-based protected password database */
637#undef HAVE_SECUREWARE
638
849/* Define to 1 if you have the <security/pam_appl.h> header file. */ 639/* Define to 1 if you have the <security/pam_appl.h> header file. */
850#undef HAVE_SECURITY_PAM_APPL_H 640#undef HAVE_SECURITY_PAM_APPL_H
851 641
@@ -921,6 +711,9 @@
921/* Define to 1 if the system has the type `sig_atomic_t'. */ 711/* Define to 1 if the system has the type `sig_atomic_t'. */
922#undef HAVE_SIG_ATOMIC_T 712#undef HAVE_SIG_ATOMIC_T
923 713
714/* define if you have size_t data type */
715#undef HAVE_SIZE_T
716
924/* Define to 1 if you have the `snprintf' function. */ 717/* Define to 1 if you have the `snprintf' function. */
925#undef HAVE_SNPRINTF 718#undef HAVE_SNPRINTF
926 719
@@ -930,6 +723,12 @@
930/* Have PEERCRED socket option */ 723/* Have PEERCRED socket option */
931#undef HAVE_SO_PEERCRED 724#undef HAVE_SO_PEERCRED
932 725
726/* define if you have ssize_t data type */
727#undef HAVE_SSIZE_T
728
729/* Fields in struct sockaddr_storage */
730#undef HAVE_SS_FAMILY_IN_SS
731
933/* Define to 1 if you have the <stddef.h> header file. */ 732/* Define to 1 if you have the <stddef.h> header file. */
934#undef HAVE_STDDEF_H 733#undef HAVE_STDDEF_H
935 734
@@ -948,6 +747,9 @@
948/* Define to 1 if you have the `strftime' function. */ 747/* Define to 1 if you have the `strftime' function. */
949#undef HAVE_STRFTIME 748#undef HAVE_STRFTIME
950 749
750/* Silly mkstemp() */
751#undef HAVE_STRICT_MKSTEMP
752
951/* Define to 1 if you have the <strings.h> header file. */ 753/* Define to 1 if you have the <strings.h> header file. */
952#undef HAVE_STRINGS_H 754#undef HAVE_STRINGS_H
953 755
@@ -978,15 +780,33 @@
978/* Define to 1 if you have the `strtoul' function. */ 780/* Define to 1 if you have the `strtoul' function. */
979#undef HAVE_STRTOUL 781#undef HAVE_STRTOUL
980 782
783/* define if you have struct addrinfo data type */
784#undef HAVE_STRUCT_ADDRINFO
785
786/* define if you have struct in6_addr data type */
787#undef HAVE_STRUCT_IN6_ADDR
788
789/* define if you have struct sockaddr_in6 data type */
790#undef HAVE_STRUCT_SOCKADDR_IN6
791
792/* define if you have struct sockaddr_storage data type */
793#undef HAVE_STRUCT_SOCKADDR_STORAGE
794
981/* Define to 1 if `st_blksize' is member of `struct stat'. */ 795/* Define to 1 if `st_blksize' is member of `struct stat'. */
982#undef HAVE_STRUCT_STAT_ST_BLKSIZE 796#undef HAVE_STRUCT_STAT_ST_BLKSIZE
983 797
984/* Define to 1 if the system has the type `struct timespec'. */ 798/* Define to 1 if the system has the type `struct timespec'. */
985#undef HAVE_STRUCT_TIMESPEC 799#undef HAVE_STRUCT_TIMESPEC
986 800
801/* define if you have struct timeval */
802#undef HAVE_STRUCT_TIMEVAL
803
987/* Define to 1 if you have the `sysconf' function. */ 804/* Define to 1 if you have the `sysconf' function. */
988#undef HAVE_SYSCONF 805#undef HAVE_SYSCONF
989 806
807/* Define if you have syslen in utmpx.h */
808#undef HAVE_SYSLEN_IN_UTMPX
809
990/* Define to 1 if you have the <sys/audit.h> header file. */ 810/* Define to 1 if you have the <sys/audit.h> header file. */
991#undef HAVE_SYS_AUDIT_H 811#undef HAVE_SYS_AUDIT_H
992 812
@@ -1002,12 +822,18 @@
1002/* Define to 1 if you have the <sys/dir.h> header file. */ 822/* Define to 1 if you have the <sys/dir.h> header file. */
1003#undef HAVE_SYS_DIR_H 823#undef HAVE_SYS_DIR_H
1004 824
825/* Define if your system defines sys_errlist[] */
826#undef HAVE_SYS_ERRLIST
827
1005/* Define to 1 if you have the <sys/mman.h> header file. */ 828/* Define to 1 if you have the <sys/mman.h> header file. */
1006#undef HAVE_SYS_MMAN_H 829#undef HAVE_SYS_MMAN_H
1007 830
1008/* Define to 1 if you have the <sys/ndir.h> header file. */ 831/* Define to 1 if you have the <sys/ndir.h> header file. */
1009#undef HAVE_SYS_NDIR_H 832#undef HAVE_SYS_NDIR_H
1010 833
834/* Define if your system defines sys_nerr */
835#undef HAVE_SYS_NERR
836
1011/* Define to 1 if you have the <sys/prctl.h> header file. */ 837/* Define to 1 if you have the <sys/prctl.h> header file. */
1012#undef HAVE_SYS_PRCTL_H 838#undef HAVE_SYS_PRCTL_H
1013 839
@@ -1062,6 +888,12 @@
1062/* Define to 1 if you have the <time.h> header file. */ 888/* Define to 1 if you have the <time.h> header file. */
1063#undef HAVE_TIME_H 889#undef HAVE_TIME_H
1064 890
891/* Define if you have ut_time in utmp.h */
892#undef HAVE_TIME_IN_UTMP
893
894/* Define if you have ut_time in utmpx.h */
895#undef HAVE_TIME_IN_UTMPX
896
1065/* Define to 1 if you have the <tmpdir.h> header file. */ 897/* Define to 1 if you have the <tmpdir.h> header file. */
1066#undef HAVE_TMPDIR_H 898#undef HAVE_TMPDIR_H
1067 899
@@ -1071,12 +903,30 @@
1071/* Define to 1 if you have the <ttyent.h> header file. */ 903/* Define to 1 if you have the <ttyent.h> header file. */
1072#undef HAVE_TTYENT_H 904#undef HAVE_TTYENT_H
1073 905
906/* Define if you have ut_tv in utmp.h */
907#undef HAVE_TV_IN_UTMP
908
909/* Define if you have ut_tv in utmpx.h */
910#undef HAVE_TV_IN_UTMPX
911
912/* Define if you have ut_type in utmp.h */
913#undef HAVE_TYPE_IN_UTMP
914
915/* Define if you have ut_type in utmpx.h */
916#undef HAVE_TYPE_IN_UTMPX
917
918/* define if you have uintxx_t data type */
919#undef HAVE_UINTXX_T
920
1074/* Define to 1 if you have the <unistd.h> header file. */ 921/* Define to 1 if you have the <unistd.h> header file. */
1075#undef HAVE_UNISTD_H 922#undef HAVE_UNISTD_H
1076 923
1077/* Define to 1 if you have the `unsetenv' function. */ 924/* Define to 1 if you have the `unsetenv' function. */
1078#undef HAVE_UNSETENV 925#undef HAVE_UNSETENV
1079 926
927/* Define to 1 if the system has the type `unsigned long long'. */
928#undef HAVE_UNSIGNED_LONG_LONG
929
1080/* Define to 1 if you have the `updwtmp' function. */ 930/* Define to 1 if you have the `updwtmp' function. */
1081#undef HAVE_UPDWTMP 931#undef HAVE_UPDWTMP
1082 932
@@ -1107,6 +957,24 @@
1107/* Define to 1 if you have the <utmp.h> header file. */ 957/* Define to 1 if you have the <utmp.h> header file. */
1108#undef HAVE_UTMP_H 958#undef HAVE_UTMP_H
1109 959
960/* define if you have u_char data type */
961#undef HAVE_U_CHAR
962
963/* define if you have u_int data type */
964#undef HAVE_U_INT
965
966/* define if you have u_int64_t data type */
967#undef HAVE_U_INT64_T
968
969/* define if you have u_intxx_t data type */
970#undef HAVE_U_INTXX_T
971
972/* Define to 1 if you have the `vasprintf' function. */
973#undef HAVE_VASPRINTF
974
975/* Define if va_copy exists */
976#undef HAVE_VA_COPY
977
1110/* Define to 1 if you have the `vhangup' function. */ 978/* Define to 1 if you have the `vhangup' function. */
1111#undef HAVE_VHANGUP 979#undef HAVE_VHANGUP
1112 980
@@ -1134,14 +1002,100 @@
1134/* Define to 1 if you have the `__b64_pton' function. */ 1002/* Define to 1 if you have the `__b64_pton' function. */
1135#undef HAVE___B64_PTON 1003#undef HAVE___B64_PTON
1136 1004
1005/* Define if compiler implements __FUNCTION__ */
1006#undef HAVE___FUNCTION__
1007
1008/* Define if libc defines __progname */
1009#undef HAVE___PROGNAME
1010
1011/* Fields in struct sockaddr_storage */
1012#undef HAVE___SS_FAMILY_IN_SS
1013
1014/* Define if __va_copy exists */
1015#undef HAVE___VA_COPY
1016
1017/* Define if compiler implements __func__ */
1018#undef HAVE___func__
1019
1020/* Define this if you are using the Heimdal version of Kerberos V5 */
1021#undef HEIMDAL
1022
1023/* Define if you need to use IP address instead of hostname in $DISPLAY */
1024#undef IPADDR_IN_DISPLAY
1025
1026/* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */
1027#undef IPV4_IN_IPV6
1028
1029/* Define if your system choked on IP TOS setting */
1030#undef IP_TOS_IS_BROKEN
1031
1032/* Define if you want Kerberos 5 support */
1033#undef KRB5
1034
1035/* Define if you want TCP Wrappers support */
1036#undef LIBWRAP
1037
1038/* Define to whatever link() returns for "not supported" if it doesn't return
1039 EOPNOTSUPP. */
1040#undef LINK_OPNOTSUPP_ERRNO
1041
1137/* max value of long long calculated by configure */ 1042/* max value of long long calculated by configure */
1138#undef LLONG_MAX 1043#undef LLONG_MAX
1139 1044
1140/* min value of long long calculated by configure */ 1045/* min value of long long calculated by configure */
1141#undef LLONG_MIN 1046#undef LLONG_MIN
1142 1047
1048/* Account locked with pw(1) */
1049#undef LOCKED_PASSWD_PREFIX
1050
1051/* String used in /etc/passwd to denote locked account */
1052#undef LOCKED_PASSWD_STRING
1053
1054/* String used in /etc/passwd to denote locked account */
1055#undef LOCKED_PASSWD_SUBSTR
1056
1057/* Some versions of /bin/login need the TERM supplied on the commandline */
1058#undef LOGIN_NEEDS_TERM
1059
1060/* Some systems need a utmpx entry for /bin/login to work */
1061#undef LOGIN_NEEDS_UTMPX
1062
1063/* Define if your login program cannot handle end of options ("--") */
1064#undef LOGIN_NO_ENDOPT
1065
1066/* If your header files don't define LOGIN_PROGRAM, then use this (detected)
1067 from environment and PATH */
1068#undef LOGIN_PROGRAM_FALLBACK
1069
1070/* Set this to your mail directory if you don't have maillock.h */
1071#undef MAIL_DIRECTORY
1072
1073/* Define on *nto-qnx systems */
1074#undef MISSING_FD_MASK
1075
1076/* Define on *nto-qnx systems */
1077#undef MISSING_HOWMANY
1078
1079/* Define on *nto-qnx systems */
1080#undef MISSING_NFDBITS
1081
1143/* Need setpgrp to acquire controlling tty */ 1082/* Need setpgrp to acquire controlling tty */
1144#undef NEED_SETPRGP 1083#undef NEED_SETPGRP
1084
1085/* Define if the concept of ports only accessible to superusers isn't known */
1086#undef NO_IPPORT_RESERVED_CONCEPT
1087
1088/* Define if you don't want to use lastlog in session.c */
1089#undef NO_SSH_LASTLOG
1090
1091/* Define if X11 doesn't support AF_UNIX sockets on that system */
1092#undef NO_X11_UNIX_SOCKETS
1093
1094/* libcrypto is missing AES 192 and 256 bit functions */
1095#undef OPENSSL_LOBOTOMISED_AES
1096
1097/* Define if you want OpenSSL's internally seeded PRNG only */
1098#undef OPENSSL_PRNG_ONLY
1145 1099
1146/* Define to the address where bug reports for this package should be sent. */ 1100/* Define to the address where bug reports for this package should be sent. */
1147#undef PACKAGE_BUGREPORT 1101#undef PACKAGE_BUGREPORT
@@ -1158,9 +1112,25 @@
1158/* Define to the version of this package. */ 1112/* Define to the version of this package. */
1159#undef PACKAGE_VERSION 1113#undef PACKAGE_VERSION
1160 1114
1115/* Define if you are using Solaris-derived PAM which passes pam_messages to
1116 the conversation function with an extra level of indirection */
1117#undef PAM_SUN_CODEBASE
1118
1119/* Work around problematic Linux PAM modules handling of PAM_TTY */
1120#undef PAM_TTY_KLUDGE
1121
1161/* must supply username to passwd */ 1122/* must supply username to passwd */
1162#undef PASSWD_NEEDS_USERNAME 1123#undef PASSWD_NEEDS_USERNAME
1163 1124
1125/* Port number of PRNGD/EGD random number socket */
1126#undef PRNGD_PORT
1127
1128/* Location of PRNGD/EGD random number socket */
1129#undef PRNGD_SOCKET
1130
1131/* Define if your platform breaks doing a seteuid before a setuid */
1132#undef SETEUID_BREAKS_SETUID
1133
1164/* The size of a `char', as computed by sizeof. */ 1134/* The size of a `char', as computed by sizeof. */
1165#undef SIZEOF_CHAR 1135#undef SIZEOF_CHAR
1166 1136
@@ -1176,28 +1146,120 @@
1176/* The size of a `short int', as computed by sizeof. */ 1146/* The size of a `short int', as computed by sizeof. */
1177#undef SIZEOF_SHORT_INT 1147#undef SIZEOF_SHORT_INT
1178 1148
1149/* Define if you want S/Key support */
1150#undef SKEY
1151
1152/* Define if your skeychallenge() function takes 4 arguments (NetBSD) */
1153#undef SKEYCHALLENGE_4ARG
1154
1155/* Define if you want smartcard support */
1156#undef SMARTCARD
1157
1158/* Define as const if snprintf() can declare const char *fmt */
1159#undef SNPRINTF_CONST
1160
1161/* Define to a Set Process Title type if your system is supported by
1162 bsd-setproctitle.c */
1163#undef SPT_TYPE
1164
1165/* Define if sshd somehow reacquires a controlling TTY after setsid() */
1166#undef SSHD_ACQUIRES_CTTY
1167
1168/* Define if pam_chauthtok wants real uid set to the unpriv'ed user */
1169#undef SSHPAM_CHAUTHTOK_NEEDS_RUID
1170
1179/* Use audit debugging module */ 1171/* Use audit debugging module */
1180#undef SSH_AUDIT_EVENTS 1172#undef SSH_AUDIT_EVENTS
1181 1173
1174/* non-privileged user for privilege separation */
1175#undef SSH_PRIVSEP_USER
1176
1177/* Use tunnel device compatibility to OpenBSD */
1178#undef SSH_TUN_COMPAT_AF
1179
1180/* Open tunnel devices the FreeBSD way */
1181#undef SSH_TUN_FREEBSD
1182
1183/* Open tunnel devices the Linux tun/tap way */
1184#undef SSH_TUN_LINUX
1185
1186/* No layer 2 tunnel support */
1187#undef SSH_TUN_NO_L2
1188
1189/* Open tunnel devices the OpenBSD way */
1190#undef SSH_TUN_OPENBSD
1191
1192/* Prepend the address family to IP tunnel traffic */
1193#undef SSH_TUN_PREPEND_AF
1194
1182/* Define to 1 if you have the ANSI C header files. */ 1195/* Define to 1 if you have the ANSI C header files. */
1183#undef STDC_HEADERS 1196#undef STDC_HEADERS
1184 1197
1198/* Define if you want a different $PATH for the superuser */
1199#undef SUPERUSER_PATH
1200
1185/* Support passwords > 8 chars */ 1201/* Support passwords > 8 chars */
1186#undef UNIXWARE_LONG_PASSWORDS 1202#undef UNIXWARE_LONG_PASSWORDS
1187 1203
1204/* Specify default $PATH */
1205#undef USER_PATH
1206
1207/* Define this if you want to use libkafs' AFS support */
1208#undef USE_AFS
1209
1188/* Use BSM audit module */ 1210/* Use BSM audit module */
1189#undef USE_BSM_AUDIT 1211#undef USE_BSM_AUDIT
1190 1212
1191/* Use btmp to log bad logins */ 1213/* Use btmp to log bad logins */
1192#undef USE_BTMP 1214#undef USE_BTMP
1193 1215
1216/* platform uses an in-memory credentials cache */
1217#undef USE_CCAPI
1218
1194/* Use libedit for sftp */ 1219/* Use libedit for sftp */
1195#undef USE_LIBEDIT 1220#undef USE_LIBEDIT
1196 1221
1222/* Define if you want smartcard support using OpenSC */
1223#undef USE_OPENSC
1224
1225/* Define if you want to enable PAM support */
1226#undef USE_PAM
1227
1228/* Use PIPES instead of a socketpair() */
1229#undef USE_PIPES
1230
1231/* Define if you want smartcard support using sectok */
1232#undef USE_SECTOK
1233
1234/* platform has the Security Authorization Session API */
1235#undef USE_SECURITY_SESSION_API
1236
1237/* Define if you shouldn't strip 'tty' from your ttyname in [uw]tmp */
1238#undef WITH_ABBREV_NO_TTY
1239
1240/* Define if you want to enable AIX4's authenticate function */
1241#undef WITH_AIXAUTHENTICATE
1242
1243/* Define if you have/want arrays (cluster-wide session managment, not C
1244 arrays) */
1245#undef WITH_IRIX_ARRAY
1246
1247/* Define if you want IRIX audit trails */
1248#undef WITH_IRIX_AUDIT
1249
1250/* Define if you want IRIX kernel jobs */
1251#undef WITH_IRIX_JOBS
1252
1253/* Define if you want IRIX project management */
1254#undef WITH_IRIX_PROJECT
1255
1197/* Define to 1 if your processor stores words with the most significant byte 1256/* Define to 1 if your processor stores words with the most significant byte
1198 first (like Motorola and SPARC, unlike Intel and VAX). */ 1257 first (like Motorola and SPARC, unlike Intel and VAX). */
1199#undef WORDS_BIGENDIAN 1258#undef WORDS_BIGENDIAN
1200 1259
1260/* Define if xauth is found in your path */
1261#undef XAUTH_PATH
1262
1201/* Number of bits in a file offset, on hosts where this is settable. */ 1263/* Number of bits in a file offset, on hosts where this is settable. */
1202#undef _FILE_OFFSET_BITS 1264#undef _FILE_OFFSET_BITS
1203 1265
@@ -1207,6 +1269,15 @@
1207/* log for bad login attempts */ 1269/* log for bad login attempts */
1208#undef _PATH_BTMP 1270#undef _PATH_BTMP
1209 1271
1272/* Full path of your "passwd" program */
1273#undef _PATH_PASSWD_PROG
1274
1275/* Specify location of ssh.pid */
1276#undef _PATH_SSH_PIDDIR
1277
1278/* Define if we don't have struct __res_state in resolv.h */
1279#undef __res_state
1280
1210/* Define to `__inline__' or `__inline' if that's what the C compiler 1281/* Define to `__inline__' or `__inline' if that's what the C compiler
1211 calls it, or to nothing if 'inline' is not supported under any name. */ 1282 calls it, or to nothing if 'inline' is not supported under any name. */
1212#ifndef __cplusplus 1283#ifndef __cplusplus
@@ -1215,7 +1286,3 @@
1215 1286
1216/* type to use in place of socklen_t if not defined */ 1287/* type to use in place of socklen_t if not defined */
1217#undef socklen_t 1288#undef socklen_t
1218
1219/* ******************* Shouldn't need to edit below this line ************** */
1220
1221#endif /* _CONFIG_H */
diff --git a/configure b/configure
index 362218407..de1d8e81e 100755
--- a/configure
+++ b/configure
@@ -1,4 +1,5 @@
1#! /bin/sh 1#! /bin/sh
2# From configure.ac Revision: 1.322.2.6 .
2# Guess values for system-dependent variables and create Makefiles. 3# Guess values for system-dependent variables and create Makefiles.
3# Generated by GNU Autoconf 2.59 for OpenSSH Portable. 4# Generated by GNU Autoconf 2.59 for OpenSSH Portable.
4# 5#
@@ -311,7 +312,7 @@ ac_includes_default="\
311# include <unistd.h> 312# include <unistd.h>
312#endif" 313#endif"
313 314
314ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT build build_cpu build_vendor build_os host host_cpu host_vendor host_os AWK CPP RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA AR CAT KILL PERL SED ENT TEST_MINUS_S_SH SH TEST_SHELL PATH_GROUPADD_PROG PATH_USERADD_PROG MAKE_PACKAGE_SUPPORTED LOGIN_PROGRAM_FALLBACK PATH_PASSWD_PROG LD EGREP LIBWRAP LIBEDIT LIBPAM INSTALL_SSH_RAND_HELPER SSH_PRIVSEP_USER PROG_LS PROG_NETSTAT PROG_ARP PROG_IFCONFIG PROG_JSTAT PROG_PS PROG_SAR PROG_W PROG_WHO PROG_LAST PROG_LASTLOG PROG_DF PROG_VMSTAT PROG_UPTIME PROG_IPCS PROG_TAIL INSTALL_SSH_PRNG_CMDS OPENSC_CONFIG PRIVSEP_PATH xauth_path STRIP_OPT XAUTH_PATH NROFF MANTYPE mansubdir user_path piddir LIBOBJS LTLIBOBJS' 315ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT build build_cpu build_vendor build_os host host_cpu host_vendor host_os AWK CPP RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA EGREP AR CAT KILL PERL SED ENT TEST_MINUS_S_SH SH TEST_SHELL PATH_GROUPADD_PROG PATH_USERADD_PROG MAKE_PACKAGE_SUPPORTED STARTUP_SCRIPT_SHELL LOGIN_PROGRAM_FALLBACK PATH_PASSWD_PROG LD LIBWRAP LIBEDIT LIBPAM INSTALL_SSH_RAND_HELPER SSH_PRIVSEP_USER PROG_LS PROG_NETSTAT PROG_ARP PROG_IFCONFIG PROG_JSTAT PROG_PS PROG_SAR PROG_W PROG_WHO PROG_LAST PROG_LASTLOG PROG_DF PROG_VMSTAT 
PROG_UPTIME PROG_IPCS PROG_TAIL INSTALL_SSH_PRNG_CMDS OPENSC_CONFIG PRIVSEP_PATH xauth_path STRIP_OPT XAUTH_PATH NROFF MANTYPE mansubdir user_path piddir LIBOBJS LTLIBOBJS'
315ac_subst_files='' 316ac_subst_files=''
316 317
317# Initialize some variables set by options. 318# Initialize some variables set by options.
@@ -884,7 +885,7 @@ Optional Packages:
884 --with-entropy-timeout Specify entropy gathering command timeout (msec) 885 --with-entropy-timeout Specify entropy gathering command timeout (msec)
885 --with-privsep-user=user Specify non-privileged user for privilege separation 886 --with-privsep-user=user Specify non-privileged user for privilege separation
886 --with-sectok Enable smartcard support using libsectok 887 --with-sectok Enable smartcard support using libsectok
887--with-opensc[=PFX] Enable smartcard support using OpenSC (optionally in PATH) 888 --with-opensc[=PFX] Enable smartcard support using OpenSC (optionally in PATH)
888 --with-kerberos5=PATH Enable Kerberos 5 support 889 --with-kerberos5=PATH Enable Kerberos 5 support
889 --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty) 890 --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
890 --with-xauth=PATH Specify path to xauth program 891 --with-xauth=PATH Specify path to xauth program
@@ -1359,6 +1360,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
1359 1360
1360 1361
1361 1362
1363
1362 ac_config_headers="$ac_config_headers config.h" 1364 ac_config_headers="$ac_config_headers config.h"
1363 1365
1364ac_ext=c 1366ac_ext=c
@@ -3036,6 +3038,21 @@ test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
3036 3038
3037test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' 3039test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
3038 3040
3041echo "$as_me:$LINENO: checking for egrep" >&5
3042echo $ECHO_N "checking for egrep... $ECHO_C" >&6
3043if test "${ac_cv_prog_egrep+set}" = set; then
3044 echo $ECHO_N "(cached) $ECHO_C" >&6
3045else
3046 if echo a | (grep -E '(a|b)') >/dev/null 2>&1
3047 then ac_cv_prog_egrep='grep -E'
3048 else ac_cv_prog_egrep='egrep'
3049 fi
3050fi
3051echo "$as_me:$LINENO: result: $ac_cv_prog_egrep" >&5
3052echo "${ECHO_T}$ac_cv_prog_egrep" >&6
3053 EGREP=$ac_cv_prog_egrep
3054
3055
3039# Extract the first word of "ar", so it can be a program name with args. 3056# Extract the first word of "ar", so it can be a program name with args.
3040set dummy ar; ac_word=$2 3057set dummy ar; ac_word=$2
3041echo "$as_me:$LINENO: checking for $ac_word" >&5 3058echo "$as_me:$LINENO: checking for $ac_word" >&5
@@ -3552,6 +3569,13 @@ else
3552echo "${ECHO_T}no" >&6 3569echo "${ECHO_T}no" >&6
3553fi 3570fi
3554 3571
3572if test -x /sbin/sh; then
3573 STARTUP_SCRIPT_SHELL=/sbin/sh
3574
3575else
3576 STARTUP_SCRIPT_SHELL=/bin/sh
3577
3578fi
3555 3579
3556# System features 3580# System features
3557# Check whether --enable-largefile or --disable-largefile was given. 3581# Check whether --enable-largefile or --disable-largefile was given.
@@ -3927,7 +3951,8 @@ fi
3927 3951
3928# Use LOGIN_PROGRAM from environment if possible 3952# Use LOGIN_PROGRAM from environment if possible
3929if test ! -z "$LOGIN_PROGRAM" ; then 3953if test ! -z "$LOGIN_PROGRAM" ; then
3930 cat >>confdefs.h <<_ACEOF 3954
3955cat >>confdefs.h <<_ACEOF
3931#define LOGIN_PROGRAM_FALLBACK "$LOGIN_PROGRAM" 3956#define LOGIN_PROGRAM_FALLBACK "$LOGIN_PROGRAM"
3932_ACEOF 3957_ACEOF
3933 3958
@@ -4020,7 +4045,8 @@ echo "${ECHO_T}no" >&6
4020fi 4045fi
4021 4046
4022if test ! -z "$PATH_PASSWD_PROG" ; then 4047if test ! -z "$PATH_PASSWD_PROG" ; then
4023 cat >>confdefs.h <<_ACEOF 4048
4049cat >>confdefs.h <<_ACEOF
4024#define _PATH_PASSWD_PROG "$PATH_PASSWD_PROG" 4050#define _PATH_PASSWD_PROG "$PATH_PASSWD_PROG"
4025_ACEOF 4051_ACEOF
4026 4052
@@ -4167,12 +4193,14 @@ fi
4167 4193
4168if test "$GCC" = "yes" || test "$GCC" = "egcs"; then 4194if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
4169 CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized" 4195 CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized"
4170 GCC_VER=`$CC --version` 4196 GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
4171 case $GCC_VER in 4197 case $GCC_VER in
4172 1.*) ;; 4198 1.*) ;;
4173 2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;; 4199 2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;;
4174 2.*) ;; 4200 2.*) ;;
4175 *) CFLAGS="$CFLAGS -Wsign-compare" ;; 4201 3.*) CFLAGS="$CFLAGS -Wsign-compare" ;;
4202 4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign" ;;
4203 *) ;;
4176 esac 4204 esac
4177 4205
4178 if test -z "$have_llong_max"; then 4206 if test -z "$have_llong_max"; then
@@ -4247,110 +4275,6 @@ fi
4247 fi 4275 fi
4248fi 4276fi
4249 4277
4250if test -z "$have_llong_max"; then
4251 echo "$as_me:$LINENO: checking for max value of long long" >&5
4252echo $ECHO_N "checking for max value of long long... $ECHO_C" >&6
4253 if test "$cross_compiling" = yes; then
4254
4255 { echo "$as_me:$LINENO: WARNING: cross compiling: not checking" >&5
4256echo "$as_me: WARNING: cross compiling: not checking" >&2;}
4257
4258
4259else
4260 cat >conftest.$ac_ext <<_ACEOF
4261/* confdefs.h. */
4262_ACEOF
4263cat confdefs.h >>conftest.$ac_ext
4264cat >>conftest.$ac_ext <<_ACEOF
4265/* end confdefs.h. */
4266
4267#include <stdio.h>
4268/* Why is this so damn hard? */
4269#ifdef __GNUC__
4270# undef __GNUC__
4271#endif
4272#define __USE_ISOC99
4273#include <limits.h>
4274#define DATA "conftest.llminmax"
4275int main(void) {
4276 FILE *f;
4277 long long i, llmin, llmax = 0;
4278
4279 if((f = fopen(DATA,"w")) == NULL)
4280 exit(1);
4281
4282#if defined(LLONG_MIN) && defined(LLONG_MAX)
4283 fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
4284 llmin = LLONG_MIN;
4285 llmax = LLONG_MAX;
4286#else
4287 fprintf(stderr, "Calculating LLONG_MIN and LLONG_MAX\n");
4288 /* This will work on one's complement and two's complement */
4289 for (i = 1; i > llmax; i <<= 1, i++)
4290 llmax = i;
4291 llmin = llmax + 1LL; /* wrap */
4292#endif
4293
4294 /* Sanity check */
4295 if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
4296 || llmax - 1 > llmax) {
4297 fprintf(f, "unknown unknown\n");
4298 exit(2);
4299 }
4300
4301 if (fprintf(f ,"%lld %lld", llmin, llmax) < 0)
4302 exit(3);
4303
4304 exit(0);
4305}
4306
4307_ACEOF
4308rm -f conftest$ac_exeext
4309if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
4310 (eval $ac_link) 2>&5
4311 ac_status=$?
4312 echo "$as_me:$LINENO: \$? = $ac_status" >&5
4313 (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
4314 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
4315 (eval $ac_try) 2>&5
4316 ac_status=$?
4317 echo "$as_me:$LINENO: \$? = $ac_status" >&5
4318 (exit $ac_status); }; }; then
4319
4320 llong_min=`$AWK '{print $1}' conftest.llminmax`
4321 llong_max=`$AWK '{print $2}' conftest.llminmax`
4322 echo "$as_me:$LINENO: result: $llong_max" >&5
4323echo "${ECHO_T}$llong_max" >&6
4324
4325cat >>confdefs.h <<_ACEOF
4326#define LLONG_MAX ${llong_max}LL
4327_ACEOF
4328
4329 echo "$as_me:$LINENO: checking for min value of long long" >&5
4330echo $ECHO_N "checking for min value of long long... $ECHO_C" >&6
4331 echo "$as_me:$LINENO: result: $llong_min" >&5
4332echo "${ECHO_T}$llong_min" >&6
4333
4334cat >>confdefs.h <<_ACEOF
4335#define LLONG_MIN ${llong_min}LL
4336_ACEOF
4337
4338
4339else
4340 echo "$as_me: program exited with status $ac_status" >&5
4341echo "$as_me: failed program was:" >&5
4342sed 's/^/| /' conftest.$ac_ext >&5
4343
4344( exit $ac_status )
4345
4346 echo "$as_me:$LINENO: result: not found" >&5
4347echo "${ECHO_T}not found" >&6
4348
4349fi
4350rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
4351fi
4352fi
4353
4354 4278
4355# Check whether --with-rpath or --without-rpath was given. 4279# Check whether --with-rpath or --without-rpath was given.
4356if test "${with_rpath+set}" = set; then 4280if test "${with_rpath+set}" = set; then
@@ -4527,7 +4451,8 @@ fi
4527echo "$as_me:$LINENO: result: $ac_cv_func_authenticate" >&5 4451echo "$as_me:$LINENO: result: $ac_cv_func_authenticate" >&5
4528echo "${ECHO_T}$ac_cv_func_authenticate" >&6 4452echo "${ECHO_T}$ac_cv_func_authenticate" >&6
4529if test $ac_cv_func_authenticate = yes; then 4453if test $ac_cv_func_authenticate = yes; then
4530 cat >>confdefs.h <<\_ACEOF 4454
4455cat >>confdefs.h <<\_ACEOF
4531#define WITH_AIXAUTHENTICATE 1 4456#define WITH_AIXAUTHENTICATE 1
4532_ACEOF 4457_ACEOF
4533 4458
@@ -5070,7 +4995,8 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
5070 (exit $ac_status); }; }; then 4995 (exit $ac_status); }; }; then
5071 echo "$as_me:$LINENO: result: yes" >&5 4996 echo "$as_me:$LINENO: result: yes" >&5
5072echo "${ECHO_T}yes" >&6 4997echo "${ECHO_T}yes" >&6
5073 cat >>confdefs.h <<\_ACEOF 4998
4999cat >>confdefs.h <<\_ACEOF
5074#define AIX_LOGINFAILED_4ARG 1 5000#define AIX_LOGINFAILED_4ARG 1
5075_ACEOF 5001_ACEOF
5076 5002
@@ -5195,63 +5121,82 @@ fi
5195done 5121done
5196 5122
5197 check_for_aix_broken_getaddrinfo=1 5123 check_for_aix_broken_getaddrinfo=1
5198 cat >>confdefs.h <<\_ACEOF 5124
5125cat >>confdefs.h <<\_ACEOF
5199#define BROKEN_REALPATH 1 5126#define BROKEN_REALPATH 1
5200_ACEOF 5127_ACEOF
5201 5128
5202 cat >>confdefs.h <<\_ACEOF 5129
5130cat >>confdefs.h <<\_ACEOF
5203#define SETEUID_BREAKS_SETUID 1 5131#define SETEUID_BREAKS_SETUID 1
5204_ACEOF 5132_ACEOF
5205 5133
5206 cat >>confdefs.h <<\_ACEOF 5134
5135cat >>confdefs.h <<\_ACEOF
5207#define BROKEN_SETREUID 1 5136#define BROKEN_SETREUID 1
5208_ACEOF 5137_ACEOF
5209 5138
5210 cat >>confdefs.h <<\_ACEOF 5139
5140cat >>confdefs.h <<\_ACEOF
5211#define BROKEN_SETREGID 1 5141#define BROKEN_SETREGID 1
5212_ACEOF 5142_ACEOF
5213 5143
5214 cat >>confdefs.h <<\_ACEOF 5144
5145cat >>confdefs.h <<\_ACEOF
5215#define DISABLE_LASTLOG 1 5146#define DISABLE_LASTLOG 1
5216_ACEOF 5147_ACEOF
5217 5148
5218 cat >>confdefs.h <<\_ACEOF 5149
5150cat >>confdefs.h <<\_ACEOF
5219#define LOGIN_NEEDS_UTMPX 1 5151#define LOGIN_NEEDS_UTMPX 1
5220_ACEOF 5152_ACEOF
5221 5153
5222 cat >>confdefs.h <<\_ACEOF 5154
5155cat >>confdefs.h <<\_ACEOF
5223#define SPT_TYPE SPT_REUSEARGV 5156#define SPT_TYPE SPT_REUSEARGV
5224_ACEOF 5157_ACEOF
5225 5158
5159
5160cat >>confdefs.h <<\_ACEOF
5161#define SSHPAM_CHAUTHTOK_NEEDS_RUID 1
5162_ACEOF
5163
5226 ;; 5164 ;;
5227*-*-cygwin*) 5165*-*-cygwin*)
5228 check_for_libcrypt_later=1 5166 check_for_libcrypt_later=1
5229 LIBS="$LIBS /usr/lib/textmode.o" 5167 LIBS="$LIBS /usr/lib/textmode.o"
5230 cat >>confdefs.h <<\_ACEOF 5168
5169cat >>confdefs.h <<\_ACEOF
5231#define HAVE_CYGWIN 1 5170#define HAVE_CYGWIN 1
5232_ACEOF 5171_ACEOF
5233 5172
5234 cat >>confdefs.h <<\_ACEOF 5173
5174cat >>confdefs.h <<\_ACEOF
5235#define USE_PIPES 1 5175#define USE_PIPES 1
5236_ACEOF 5176_ACEOF
5237 5177
5238 cat >>confdefs.h <<\_ACEOF 5178
5179cat >>confdefs.h <<\_ACEOF
5239#define DISABLE_SHADOW 1 5180#define DISABLE_SHADOW 1
5240_ACEOF 5181_ACEOF
5241 5182
5242 cat >>confdefs.h <<\_ACEOF 5183
5184cat >>confdefs.h <<\_ACEOF
5243#define IP_TOS_IS_BROKEN 1 5185#define IP_TOS_IS_BROKEN 1
5244_ACEOF 5186_ACEOF
5245 5187
5246 cat >>confdefs.h <<\_ACEOF 5188
5189cat >>confdefs.h <<\_ACEOF
5247#define NO_X11_UNIX_SOCKETS 1 5190#define NO_X11_UNIX_SOCKETS 1
5248_ACEOF 5191_ACEOF
5249 5192
5250 cat >>confdefs.h <<\_ACEOF 5193
5194cat >>confdefs.h <<\_ACEOF
5251#define NO_IPPORT_RESERVED_CONCEPT 1 5195#define NO_IPPORT_RESERVED_CONCEPT 1
5252_ACEOF 5196_ACEOF
5253 5197
5254 cat >>confdefs.h <<\_ACEOF 5198
5199cat >>confdefs.h <<\_ACEOF
5255#define DISABLE_FD_PASSING 1 5200#define DISABLE_FD_PASSING 1
5256_ACEOF 5201_ACEOF
5257 5202
@@ -5315,7 +5260,8 @@ sed 's/^/| /' conftest.$ac_ext >&5
5315( exit $ac_status ) 5260( exit $ac_status )
5316echo "$as_me:$LINENO: result: buggy" >&5 5261echo "$as_me:$LINENO: result: buggy" >&5
5317echo "${ECHO_T}buggy" >&6 5262echo "${ECHO_T}buggy" >&6
5318 cat >>confdefs.h <<\_ACEOF 5263
5264cat >>confdefs.h <<\_ACEOF
5319#define BROKEN_GETADDRINFO 1 5265#define BROKEN_GETADDRINFO 1
5320_ACEOF 5266_ACEOF
5321 5267
@@ -5334,10 +5280,130 @@ _ACEOF
5334#define BROKEN_SETREGID 1 5280#define BROKEN_SETREGID 1
5335_ACEOF 5281_ACEOF
5336 5282
5337 cat >>confdefs.h <<_ACEOF 5283
5284cat >>confdefs.h <<_ACEOF
5338#define BIND_8_COMPAT 1 5285#define BIND_8_COMPAT 1
5339_ACEOF 5286_ACEOF
5340 5287
5288 echo "$as_me:$LINENO: checking if we have the Security Authorization Session API" >&5
5289echo $ECHO_N "checking if we have the Security Authorization Session API... $ECHO_C" >&6
5290 cat >conftest.$ac_ext <<_ACEOF
5291/* confdefs.h. */
5292_ACEOF
5293cat confdefs.h >>conftest.$ac_ext
5294cat >>conftest.$ac_ext <<_ACEOF
5295/* end confdefs.h. */
5296#include <Security/AuthSession.h>
5297int
5298main ()
5299{
5300SessionCreate(0, 0);
5301 ;
5302 return 0;
5303}
5304_ACEOF
5305rm -f conftest.$ac_objext
5306if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
5307 (eval $ac_compile) 2>conftest.er1
5308 ac_status=$?
5309 grep -v '^ *+' conftest.er1 >conftest.err
5310 rm -f conftest.er1
5311 cat conftest.err >&5
5312 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5313 (exit $ac_status); } &&
5314 { ac_try='test -z "$ac_c_werror_flag"
5315 || test ! -s conftest.err'
5316 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
5317 (eval $ac_try) 2>&5
5318 ac_status=$?
5319 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5320 (exit $ac_status); }; } &&
5321 { ac_try='test -s conftest.$ac_objext'
5322 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
5323 (eval $ac_try) 2>&5
5324 ac_status=$?
5325 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5326 (exit $ac_status); }; }; then
5327 ac_cv_use_security_session_api="yes"
5328
5329cat >>confdefs.h <<\_ACEOF
5330#define USE_SECURITY_SESSION_API 1
5331_ACEOF
5332
5333 LIBS="$LIBS -framework Security"
5334 echo "$as_me:$LINENO: result: yes" >&5
5335echo "${ECHO_T}yes" >&6
5336else
5337 echo "$as_me: failed program was:" >&5
5338sed 's/^/| /' conftest.$ac_ext >&5
5339
5340ac_cv_use_security_session_api="no"
5341 echo "$as_me:$LINENO: result: no" >&5
5342echo "${ECHO_T}no" >&6
5343fi
5344rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
5345 echo "$as_me:$LINENO: checking if we have an in-memory credentials cache" >&5
5346echo $ECHO_N "checking if we have an in-memory credentials cache... $ECHO_C" >&6
5347 cat >conftest.$ac_ext <<_ACEOF
5348/* confdefs.h. */
5349_ACEOF
5350cat confdefs.h >>conftest.$ac_ext
5351cat >>conftest.$ac_ext <<_ACEOF
5352/* end confdefs.h. */
5353#include <Kerberos/Kerberos.h>
5354int
5355main ()
5356{
5357cc_context_t c;
5358 (void) cc_initialize (&c, 0, NULL, NULL);
5359 ;
5360 return 0;
5361}
5362_ACEOF
5363rm -f conftest.$ac_objext
5364if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
5365 (eval $ac_compile) 2>conftest.er1
5366 ac_status=$?
5367 grep -v '^ *+' conftest.er1 >conftest.err
5368 rm -f conftest.er1
5369 cat conftest.err >&5
5370 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5371 (exit $ac_status); } &&
5372 { ac_try='test -z "$ac_c_werror_flag"
5373 || test ! -s conftest.err'
5374 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
5375 (eval $ac_try) 2>&5
5376 ac_status=$?
5377 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5378 (exit $ac_status); }; } &&
5379 { ac_try='test -s conftest.$ac_objext'
5380 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
5381 (eval $ac_try) 2>&5
5382 ac_status=$?
5383 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5384 (exit $ac_status); }; }; then
5385
5386cat >>confdefs.h <<\_ACEOF
5387#define USE_CCAPI 1
5388_ACEOF
5389
5390 LIBS="$LIBS -framework Security"
5391 echo "$as_me:$LINENO: result: yes" >&5
5392echo "${ECHO_T}yes" >&6
5393 if test "x$ac_cv_use_security_session_api" = "xno"; then
5394 { { echo "$as_me:$LINENO: error: *** Need a security framework to use the credentials cache API ***" >&5
5395echo "$as_me: error: *** Need a security framework to use the credentials cache API ***" >&2;}
5396 { (exit 1); exit 1; }; }
5397 fi
5398else
5399 echo "$as_me: failed program was:" >&5
5400sed 's/^/| /' conftest.$ac_ext >&5
5401
5402echo "$as_me:$LINENO: result: no" >&5
5403echo "${ECHO_T}no" >&6
5404
5405fi
5406rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
5341 ;; 5407 ;;
5342*-*-hpux*) 5408*-*-hpux*)
5343 # first we define all of the options common to all HP-UX releases 5409 # first we define all of the options common to all HP-UX releases
@@ -5347,7 +5413,8 @@ _ACEOF
5347#define USE_PIPES 1 5413#define USE_PIPES 1
5348_ACEOF 5414_ACEOF
5349 5415
5350 cat >>confdefs.h <<\_ACEOF 5416
5417cat >>confdefs.h <<\_ACEOF
5351#define LOGIN_NO_ENDOPT 1 5418#define LOGIN_NO_ENDOPT 1
5352_ACEOF 5419_ACEOF
5353 5420
@@ -5355,7 +5422,8 @@ _ACEOF
5355#define LOGIN_NEEDS_UTMPX 1 5422#define LOGIN_NEEDS_UTMPX 1
5356_ACEOF 5423_ACEOF
5357 5424
5358 cat >>confdefs.h <<\_ACEOF 5425
5426cat >>confdefs.h <<\_ACEOF
5359#define LOCKED_PASSWD_STRING "*" 5427#define LOCKED_PASSWD_STRING "*"
5360_ACEOF 5428_ACEOF
5361 5429
@@ -5363,6 +5431,7 @@ _ACEOF
5363#define SPT_TYPE SPT_PSTAT 5431#define SPT_TYPE SPT_PSTAT
5364_ACEOF 5432_ACEOF
5365 5433
5434 MAIL="/var/mail/username"
5366 LIBS="$LIBS -lsec" 5435 LIBS="$LIBS -lsec"
5367 5436
5368echo "$as_me:$LINENO: checking for t_error in -lxnet" >&5 5437echo "$as_me:$LINENO: checking for t_error in -lxnet" >&5
@@ -5451,11 +5520,13 @@ fi
5451 fi 5520 fi
5452 ;; 5521 ;;
5453 *-*-hpux11*) 5522 *-*-hpux11*)
5454 cat >>confdefs.h <<\_ACEOF 5523
5524cat >>confdefs.h <<\_ACEOF
5455#define PAM_SUN_CODEBASE 1 5525#define PAM_SUN_CODEBASE 1
5456_ACEOF 5526_ACEOF
5457 5527
5458 cat >>confdefs.h <<\_ACEOF 5528
5529cat >>confdefs.h <<\_ACEOF
5459#define DISABLE_UTMP 1 5530#define DISABLE_UTMP 1
5460_ACEOF 5531_ACEOF
5461 5532
@@ -5472,7 +5543,8 @@ _ACEOF
5472 # lastly, we define options specific to minor releases 5543 # lastly, we define options specific to minor releases
5473 case "$host" in 5544 case "$host" in
5474 *-*-hpux10.26) 5545 *-*-hpux10.26)
5475 cat >>confdefs.h <<\_ACEOF 5546
5547cat >>confdefs.h <<\_ACEOF
5476#define HAVE_SECUREWARE 1 5548#define HAVE_SECUREWARE 1
5477_ACEOF 5549_ACEOF
5478 5550
@@ -5483,7 +5555,8 @@ _ACEOF
5483 ;; 5555 ;;
5484*-*-irix5*) 5556*-*-irix5*)
5485 PATH="$PATH:/usr/etc" 5557 PATH="$PATH:/usr/etc"
5486 cat >>confdefs.h <<\_ACEOF 5558
5559cat >>confdefs.h <<\_ACEOF
5487#define BROKEN_INET_NTOA 1 5560#define BROKEN_INET_NTOA 1
5488_ACEOF 5561_ACEOF
5489 5562
@@ -5499,7 +5572,8 @@ _ACEOF
5499#define BROKEN_SETREGID 1 5572#define BROKEN_SETREGID 1
5500_ACEOF 5573_ACEOF
5501 5574
5502 cat >>confdefs.h <<\_ACEOF 5575
5576cat >>confdefs.h <<\_ACEOF
5503#define WITH_ABBREV_NO_TTY 1 5577#define WITH_ABBREV_NO_TTY 1
5504_ACEOF 5578_ACEOF
5505 5579
@@ -5510,15 +5584,18 @@ _ACEOF
5510 ;; 5584 ;;
5511*-*-irix6*) 5585*-*-irix6*)
5512 PATH="$PATH:/usr/etc" 5586 PATH="$PATH:/usr/etc"
5513 cat >>confdefs.h <<\_ACEOF 5587
5588cat >>confdefs.h <<\_ACEOF
5514#define WITH_IRIX_ARRAY 1 5589#define WITH_IRIX_ARRAY 1
5515_ACEOF 5590_ACEOF
5516 5591
5517 cat >>confdefs.h <<\_ACEOF 5592
5593cat >>confdefs.h <<\_ACEOF
5518#define WITH_IRIX_PROJECT 1 5594#define WITH_IRIX_PROJECT 1
5519_ACEOF 5595_ACEOF
5520 5596
5521 cat >>confdefs.h <<\_ACEOF 5597
5598cat >>confdefs.h <<\_ACEOF
5522#define WITH_IRIX_AUDIT 1 5599#define WITH_IRIX_AUDIT 1
5523_ACEOF 5600_ACEOF
5524 5601
@@ -5613,7 +5690,8 @@ fi
5613echo "$as_me:$LINENO: result: $ac_cv_func_jlimit_startjob" >&5 5690echo "$as_me:$LINENO: result: $ac_cv_func_jlimit_startjob" >&5
5614echo "${ECHO_T}$ac_cv_func_jlimit_startjob" >&6 5691echo "${ECHO_T}$ac_cv_func_jlimit_startjob" >&6
5615if test $ac_cv_func_jlimit_startjob = yes; then 5692if test $ac_cv_func_jlimit_startjob = yes; then
5616 cat >>confdefs.h <<\_ACEOF 5693
5694cat >>confdefs.h <<\_ACEOF
5617#define WITH_IRIX_JOBS 1 5695#define WITH_IRIX_JOBS 1
5618_ACEOF 5696_ACEOF
5619 5697
@@ -5635,7 +5713,8 @@ _ACEOF
5635#define BROKEN_SETREGID 1 5713#define BROKEN_SETREGID 1
5636_ACEOF 5714_ACEOF
5637 5715
5638 cat >>confdefs.h <<\_ACEOF 5716
5717cat >>confdefs.h <<\_ACEOF
5639#define BROKEN_UPDWTMPX 1 5718#define BROKEN_UPDWTMPX 1
5640_ACEOF 5719_ACEOF
5641 5720
@@ -5652,15 +5731,18 @@ _ACEOF
5652 no_dev_ptmx=1 5731 no_dev_ptmx=1
5653 check_for_libcrypt_later=1 5732 check_for_libcrypt_later=1
5654 check_for_openpty_ctty_bug=1 5733 check_for_openpty_ctty_bug=1
5655 cat >>confdefs.h <<\_ACEOF 5734
5735cat >>confdefs.h <<\_ACEOF
5656#define DONT_TRY_OTHER_AF 1 5736#define DONT_TRY_OTHER_AF 1
5657_ACEOF 5737_ACEOF
5658 5738
5659 cat >>confdefs.h <<\_ACEOF 5739
5740cat >>confdefs.h <<\_ACEOF
5660#define PAM_TTY_KLUDGE 1 5741#define PAM_TTY_KLUDGE 1
5661_ACEOF 5742_ACEOF
5662 5743
5663 cat >>confdefs.h <<\_ACEOF 5744
5745cat >>confdefs.h <<\_ACEOF
5664#define LOCKED_PASSWD_PREFIX "!" 5746#define LOCKED_PASSWD_PREFIX "!"
5665_ACEOF 5747_ACEOF
5666 5748
@@ -5668,7 +5750,8 @@ _ACEOF
5668#define SPT_TYPE SPT_REUSEARGV 5750#define SPT_TYPE SPT_REUSEARGV
5669_ACEOF 5751_ACEOF
5670 5752
5671 cat >>confdefs.h <<\_ACEOF 5753
5754cat >>confdefs.h <<\_ACEOF
5672#define LINK_OPNOTSUPP_ERRNO EPERM 5755#define LINK_OPNOTSUPP_ERRNO EPERM
5673_ACEOF 5756_ACEOF
5674 5757
@@ -5677,25 +5760,432 @@ cat >>confdefs.h <<\_ACEOF
5677#define _PATH_BTMP "/var/log/btmp" 5760#define _PATH_BTMP "/var/log/btmp"
5678_ACEOF 5761_ACEOF
5679 5762
5680 5763 cat >>confdefs.h <<\_ACEOF
5681cat >>confdefs.h <<\_ACEOF
5682#define USE_BTMP 1 5764#define USE_BTMP 1
5683_ACEOF 5765_ACEOF
5684 5766
5685 inet6_default_4in6=yes 5767 inet6_default_4in6=yes
5686 case `uname -r` in 5768 case `uname -r` in
5687 1.*|2.0.*) 5769 1.*|2.0.*)
5688 cat >>confdefs.h <<\_ACEOF 5770
5771cat >>confdefs.h <<\_ACEOF
5689#define BROKEN_CMSG_TYPE 1 5772#define BROKEN_CMSG_TYPE 1
5690_ACEOF 5773_ACEOF
5691 5774
5692 ;; 5775 ;;
5693 esac 5776 esac
5777 # tun(4) forwarding compat code
5778
5779echo "$as_me:$LINENO: checking for ANSI C header files" >&5
5780echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6
5781if test "${ac_cv_header_stdc+set}" = set; then
5782 echo $ECHO_N "(cached) $ECHO_C" >&6
5783else
5784 cat >conftest.$ac_ext <<_ACEOF
5785/* confdefs.h. */
5786_ACEOF
5787cat confdefs.h >>conftest.$ac_ext
5788cat >>conftest.$ac_ext <<_ACEOF
5789/* end confdefs.h. */
5790#include <stdlib.h>
5791#include <stdarg.h>
5792#include <string.h>
5793#include <float.h>
5794
5795int
5796main ()
5797{
5798
5799 ;
5800 return 0;
5801}
5802_ACEOF
5803rm -f conftest.$ac_objext
5804if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
5805 (eval $ac_compile) 2>conftest.er1
5806 ac_status=$?
5807 grep -v '^ *+' conftest.er1 >conftest.err
5808 rm -f conftest.er1
5809 cat conftest.err >&5
5810 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5811 (exit $ac_status); } &&
5812 { ac_try='test -z "$ac_c_werror_flag"
5813 || test ! -s conftest.err'
5814 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
5815 (eval $ac_try) 2>&5
5816 ac_status=$?
5817 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5818 (exit $ac_status); }; } &&
5819 { ac_try='test -s conftest.$ac_objext'
5820 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
5821 (eval $ac_try) 2>&5
5822 ac_status=$?
5823 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5824 (exit $ac_status); }; }; then
5825 ac_cv_header_stdc=yes
5826else
5827 echo "$as_me: failed program was:" >&5
5828sed 's/^/| /' conftest.$ac_ext >&5
5829
5830ac_cv_header_stdc=no
5831fi
5832rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
5833
5834if test $ac_cv_header_stdc = yes; then
5835 # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
5836 cat >conftest.$ac_ext <<_ACEOF
5837/* confdefs.h. */
5838_ACEOF
5839cat confdefs.h >>conftest.$ac_ext
5840cat >>conftest.$ac_ext <<_ACEOF
5841/* end confdefs.h. */
5842#include <string.h>
5843
5844_ACEOF
5845if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
5846 $EGREP "memchr" >/dev/null 2>&1; then
5847 :
5848else
5849 ac_cv_header_stdc=no
5850fi
5851rm -f conftest*
5852
5853fi
5854
5855if test $ac_cv_header_stdc = yes; then
5856 # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
5857 cat >conftest.$ac_ext <<_ACEOF
5858/* confdefs.h. */
5859_ACEOF
5860cat confdefs.h >>conftest.$ac_ext
5861cat >>conftest.$ac_ext <<_ACEOF
5862/* end confdefs.h. */
5863#include <stdlib.h>
5864
5865_ACEOF
5866if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
5867 $EGREP "free" >/dev/null 2>&1; then
5868 :
5869else
5870 ac_cv_header_stdc=no
5871fi
5872rm -f conftest*
5873
5874fi
5875
5876if test $ac_cv_header_stdc = yes; then
5877 # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
5878 if test "$cross_compiling" = yes; then
5879 :
5880else
5881 cat >conftest.$ac_ext <<_ACEOF
5882/* confdefs.h. */
5883_ACEOF
5884cat confdefs.h >>conftest.$ac_ext
5885cat >>conftest.$ac_ext <<_ACEOF
5886/* end confdefs.h. */
5887#include <ctype.h>
5888#if ((' ' & 0x0FF) == 0x020)
5889# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
5890# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
5891#else
5892# define ISLOWER(c) \
5893 (('a' <= (c) && (c) <= 'i') \
5894 || ('j' <= (c) && (c) <= 'r') \
5895 || ('s' <= (c) && (c) <= 'z'))
5896# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
5897#endif
5898
5899#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
5900int
5901main ()
5902{
5903 int i;
5904 for (i = 0; i < 256; i++)
5905 if (XOR (islower (i), ISLOWER (i))
5906 || toupper (i) != TOUPPER (i))
5907 exit(2);
5908 exit (0);
5909}
5910_ACEOF
5911rm -f conftest$ac_exeext
5912if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
5913 (eval $ac_link) 2>&5
5914 ac_status=$?
5915 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5916 (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
5917 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
5918 (eval $ac_try) 2>&5
5919 ac_status=$?
5920 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5921 (exit $ac_status); }; }; then
5922 :
5923else
5924 echo "$as_me: program exited with status $ac_status" >&5
5925echo "$as_me: failed program was:" >&5
5926sed 's/^/| /' conftest.$ac_ext >&5
5927
5928( exit $ac_status )
5929ac_cv_header_stdc=no
5930fi
5931rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
5932fi
5933fi
5934fi
5935echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
5936echo "${ECHO_T}$ac_cv_header_stdc" >&6
5937if test $ac_cv_header_stdc = yes; then
5938
5939cat >>confdefs.h <<\_ACEOF
5940#define STDC_HEADERS 1
5941_ACEOF
5942
5943fi
5944
5945# On IRIX 5.3, sys/types and inttypes.h are conflicting.
5946
5947
5948
5949
5950
5951
5952
5953
5954
5955for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
5956 inttypes.h stdint.h unistd.h
5957do
5958as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
5959echo "$as_me:$LINENO: checking for $ac_header" >&5
5960echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
5961if eval "test \"\${$as_ac_Header+set}\" = set"; then
5962 echo $ECHO_N "(cached) $ECHO_C" >&6
5963else
5964 cat >conftest.$ac_ext <<_ACEOF
5965/* confdefs.h. */
5966_ACEOF
5967cat confdefs.h >>conftest.$ac_ext
5968cat >>conftest.$ac_ext <<_ACEOF
5969/* end confdefs.h. */
5970$ac_includes_default
5971
5972#include <$ac_header>
5973_ACEOF
5974rm -f conftest.$ac_objext
5975if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
5976 (eval $ac_compile) 2>conftest.er1
5977 ac_status=$?
5978 grep -v '^ *+' conftest.er1 >conftest.err
5979 rm -f conftest.er1
5980 cat conftest.err >&5
5981 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5982 (exit $ac_status); } &&
5983 { ac_try='test -z "$ac_c_werror_flag"
5984 || test ! -s conftest.err'
5985 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
5986 (eval $ac_try) 2>&5
5987 ac_status=$?
5988 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5989 (exit $ac_status); }; } &&
5990 { ac_try='test -s conftest.$ac_objext'
5991 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
5992 (eval $ac_try) 2>&5
5993 ac_status=$?
5994 echo "$as_me:$LINENO: \$? = $ac_status" >&5
5995 (exit $ac_status); }; }; then
5996 eval "$as_ac_Header=yes"
5997else
5998 echo "$as_me: failed program was:" >&5
5999sed 's/^/| /' conftest.$ac_ext >&5
6000
6001eval "$as_ac_Header=no"
6002fi
6003rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
6004fi
6005echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
6006echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
6007if test `eval echo '${'$as_ac_Header'}'` = yes; then
6008 cat >>confdefs.h <<_ACEOF
6009#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
6010_ACEOF
6011
6012fi
6013
6014done
6015
6016
6017
6018for ac_header in linux/if_tun.h
6019do
6020as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
6021if eval "test \"\${$as_ac_Header+set}\" = set"; then
6022 echo "$as_me:$LINENO: checking for $ac_header" >&5
6023echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
6024if eval "test \"\${$as_ac_Header+set}\" = set"; then
6025 echo $ECHO_N "(cached) $ECHO_C" >&6
6026fi
6027echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
6028echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
6029else
6030 # Is the header compilable?
6031echo "$as_me:$LINENO: checking $ac_header usability" >&5
6032echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
6033cat >conftest.$ac_ext <<_ACEOF
6034/* confdefs.h. */
6035_ACEOF
6036cat confdefs.h >>conftest.$ac_ext
6037cat >>conftest.$ac_ext <<_ACEOF
6038/* end confdefs.h. */
6039$ac_includes_default
6040#include <$ac_header>
6041_ACEOF
6042rm -f conftest.$ac_objext
6043if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
6044 (eval $ac_compile) 2>conftest.er1
6045 ac_status=$?
6046 grep -v '^ *+' conftest.er1 >conftest.err
6047 rm -f conftest.er1
6048 cat conftest.err >&5
6049 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6050 (exit $ac_status); } &&
6051 { ac_try='test -z "$ac_c_werror_flag"
6052 || test ! -s conftest.err'
6053 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
6054 (eval $ac_try) 2>&5
6055 ac_status=$?
6056 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6057 (exit $ac_status); }; } &&
6058 { ac_try='test -s conftest.$ac_objext'
6059 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
6060 (eval $ac_try) 2>&5
6061 ac_status=$?
6062 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6063 (exit $ac_status); }; }; then
6064 ac_header_compiler=yes
6065else
6066 echo "$as_me: failed program was:" >&5
6067sed 's/^/| /' conftest.$ac_ext >&5
6068
6069ac_header_compiler=no
6070fi
6071rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
6072echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
6073echo "${ECHO_T}$ac_header_compiler" >&6
6074
6075# Is the header present?
6076echo "$as_me:$LINENO: checking $ac_header presence" >&5
6077echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
6078cat >conftest.$ac_ext <<_ACEOF
6079/* confdefs.h. */
6080_ACEOF
6081cat confdefs.h >>conftest.$ac_ext
6082cat >>conftest.$ac_ext <<_ACEOF
6083/* end confdefs.h. */
6084#include <$ac_header>
6085_ACEOF
6086if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
6087 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
6088 ac_status=$?
6089 grep -v '^ *+' conftest.er1 >conftest.err
6090 rm -f conftest.er1
6091 cat conftest.err >&5
6092 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6093 (exit $ac_status); } >/dev/null; then
6094 if test -s conftest.err; then
6095 ac_cpp_err=$ac_c_preproc_warn_flag
6096 ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
6097 else
6098 ac_cpp_err=
6099 fi
6100else
6101 ac_cpp_err=yes
6102fi
6103if test -z "$ac_cpp_err"; then
6104 ac_header_preproc=yes
6105else
6106 echo "$as_me: failed program was:" >&5
6107sed 's/^/| /' conftest.$ac_ext >&5
6108
6109 ac_header_preproc=no
6110fi
6111rm -f conftest.err conftest.$ac_ext
6112echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
6113echo "${ECHO_T}$ac_header_preproc" >&6
6114
6115# So? What about this header?
6116case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
6117 yes:no: )
6118 { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
6119echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
6120 { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
6121echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
6122 ac_header_preproc=yes
6123 ;;
6124 no:yes:* )
6125 { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
6126echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
6127 { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5
6128echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;}
6129 { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
6130echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
6131 { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5
6132echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;}
6133 { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
6134echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
6135 { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
6136echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
6137 (
6138 cat <<\_ASBOX
6139## ------------------------------------------- ##
6140## Report this to openssh-unix-dev@mindrot.org ##
6141## ------------------------------------------- ##
6142_ASBOX
6143 ) |
6144 sed "s/^/$as_me: WARNING: /" >&2
6145 ;;
6146esac
6147echo "$as_me:$LINENO: checking for $ac_header" >&5
6148echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
6149if eval "test \"\${$as_ac_Header+set}\" = set"; then
6150 echo $ECHO_N "(cached) $ECHO_C" >&6
6151else
6152 eval "$as_ac_Header=\$ac_header_preproc"
6153fi
6154echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
6155echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
6156
6157fi
6158if test `eval echo '${'$as_ac_Header'}'` = yes; then
6159 cat >>confdefs.h <<_ACEOF
6160#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
6161_ACEOF
6162
6163fi
6164
6165done
6166
6167 if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
6168
6169cat >>confdefs.h <<\_ACEOF
6170#define SSH_TUN_LINUX 1
6171_ACEOF
6172
6173
6174cat >>confdefs.h <<\_ACEOF
6175#define SSH_TUN_COMPAT_AF 1
6176_ACEOF
6177
6178
6179cat >>confdefs.h <<\_ACEOF
6180#define SSH_TUN_PREPEND_AF 1
6181_ACEOF
6182
6183 fi
5694 ;; 6184 ;;
5695mips-sony-bsd|mips-sony-newsos4) 6185mips-sony-bsd|mips-sony-newsos4)
5696 6186
5697cat >>confdefs.h <<\_ACEOF 6187cat >>confdefs.h <<\_ACEOF
5698#define NEED_SETPRGP 6188#define NEED_SETPGRP 1
5699_ACEOF 6189_ACEOF
5700 6190
5701 SONY=1 6191 SONY=1
@@ -5705,9 +6195,325 @@ _ACEOF
5705 if test "x$withval" != "xno" ; then 6195 if test "x$withval" != "xno" ; then
5706 need_dash_r=1 6196 need_dash_r=1
5707 fi 6197 fi
6198
6199cat >>confdefs.h <<\_ACEOF
6200#define SSH_TUN_FREEBSD 1
6201_ACEOF
6202
6203 if test "${ac_cv_header_net_if_tap_h+set}" = set; then
6204 echo "$as_me:$LINENO: checking for net/if_tap.h" >&5
6205echo $ECHO_N "checking for net/if_tap.h... $ECHO_C" >&6
6206if test "${ac_cv_header_net_if_tap_h+set}" = set; then
6207 echo $ECHO_N "(cached) $ECHO_C" >&6
6208fi
6209echo "$as_me:$LINENO: result: $ac_cv_header_net_if_tap_h" >&5
6210echo "${ECHO_T}$ac_cv_header_net_if_tap_h" >&6
6211else
6212 # Is the header compilable?
6213echo "$as_me:$LINENO: checking net/if_tap.h usability" >&5
6214echo $ECHO_N "checking net/if_tap.h usability... $ECHO_C" >&6
6215cat >conftest.$ac_ext <<_ACEOF
6216/* confdefs.h. */
6217_ACEOF
6218cat confdefs.h >>conftest.$ac_ext
6219cat >>conftest.$ac_ext <<_ACEOF
6220/* end confdefs.h. */
6221$ac_includes_default
6222#include <net/if_tap.h>
6223_ACEOF
6224rm -f conftest.$ac_objext
6225if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
6226 (eval $ac_compile) 2>conftest.er1
6227 ac_status=$?
6228 grep -v '^ *+' conftest.er1 >conftest.err
6229 rm -f conftest.er1
6230 cat conftest.err >&5
6231 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6232 (exit $ac_status); } &&
6233 { ac_try='test -z "$ac_c_werror_flag"
6234 || test ! -s conftest.err'
6235 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
6236 (eval $ac_try) 2>&5
6237 ac_status=$?
6238 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6239 (exit $ac_status); }; } &&
6240 { ac_try='test -s conftest.$ac_objext'
6241 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
6242 (eval $ac_try) 2>&5
6243 ac_status=$?
6244 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6245 (exit $ac_status); }; }; then
6246 ac_header_compiler=yes
6247else
6248 echo "$as_me: failed program was:" >&5
6249sed 's/^/| /' conftest.$ac_ext >&5
6250
6251ac_header_compiler=no
6252fi
6253rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
6254echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
6255echo "${ECHO_T}$ac_header_compiler" >&6
6256
6257# Is the header present?
6258echo "$as_me:$LINENO: checking net/if_tap.h presence" >&5
6259echo $ECHO_N "checking net/if_tap.h presence... $ECHO_C" >&6
6260cat >conftest.$ac_ext <<_ACEOF
6261/* confdefs.h. */
6262_ACEOF
6263cat confdefs.h >>conftest.$ac_ext
6264cat >>conftest.$ac_ext <<_ACEOF
6265/* end confdefs.h. */
6266#include <net/if_tap.h>
6267_ACEOF
6268if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
6269 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
6270 ac_status=$?
6271 grep -v '^ *+' conftest.er1 >conftest.err
6272 rm -f conftest.er1
6273 cat conftest.err >&5
6274 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6275 (exit $ac_status); } >/dev/null; then
6276 if test -s conftest.err; then
6277 ac_cpp_err=$ac_c_preproc_warn_flag
6278 ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
6279 else
6280 ac_cpp_err=
6281 fi
6282else
6283 ac_cpp_err=yes
6284fi
6285if test -z "$ac_cpp_err"; then
6286 ac_header_preproc=yes
6287else
6288 echo "$as_me: failed program was:" >&5
6289sed 's/^/| /' conftest.$ac_ext >&5
6290
6291 ac_header_preproc=no
6292fi
6293rm -f conftest.err conftest.$ac_ext
6294echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
6295echo "${ECHO_T}$ac_header_preproc" >&6
6296
6297# So? What about this header?
6298case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
6299 yes:no: )
6300 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: accepted by the compiler, rejected by the preprocessor!" >&5
6301echo "$as_me: WARNING: net/if_tap.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
6302 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: proceeding with the compiler's result" >&5
6303echo "$as_me: WARNING: net/if_tap.h: proceeding with the compiler's result" >&2;}
6304 ac_header_preproc=yes
6305 ;;
6306 no:yes:* )
6307 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: present but cannot be compiled" >&5
6308echo "$as_me: WARNING: net/if_tap.h: present but cannot be compiled" >&2;}
6309 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: check for missing prerequisite headers?" >&5
6310echo "$as_me: WARNING: net/if_tap.h: check for missing prerequisite headers?" >&2;}
6311 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: see the Autoconf documentation" >&5
6312echo "$as_me: WARNING: net/if_tap.h: see the Autoconf documentation" >&2;}
6313 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: section \"Present But Cannot Be Compiled\"" >&5
6314echo "$as_me: WARNING: net/if_tap.h: section \"Present But Cannot Be Compiled\"" >&2;}
6315 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: proceeding with the preprocessor's result" >&5
6316echo "$as_me: WARNING: net/if_tap.h: proceeding with the preprocessor's result" >&2;}
6317 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: in the future, the compiler will take precedence" >&5
6318echo "$as_me: WARNING: net/if_tap.h: in the future, the compiler will take precedence" >&2;}
6319 (
6320 cat <<\_ASBOX
6321## ------------------------------------------- ##
6322## Report this to openssh-unix-dev@mindrot.org ##
6323## ------------------------------------------- ##
6324_ASBOX
6325 ) |
6326 sed "s/^/$as_me: WARNING: /" >&2
6327 ;;
6328esac
6329echo "$as_me:$LINENO: checking for net/if_tap.h" >&5
6330echo $ECHO_N "checking for net/if_tap.h... $ECHO_C" >&6
6331if test "${ac_cv_header_net_if_tap_h+set}" = set; then
6332 echo $ECHO_N "(cached) $ECHO_C" >&6
6333else
6334 ac_cv_header_net_if_tap_h=$ac_header_preproc
6335fi
6336echo "$as_me:$LINENO: result: $ac_cv_header_net_if_tap_h" >&5
6337echo "${ECHO_T}$ac_cv_header_net_if_tap_h" >&6
6338
6339fi
6340if test $ac_cv_header_net_if_tap_h = yes; then
6341 :
6342else
6343
6344cat >>confdefs.h <<\_ACEOF
6345#define SSH_TUN_NO_L2 1
6346_ACEOF
6347
6348fi
6349
6350
6351
6352cat >>confdefs.h <<\_ACEOF
6353#define SSH_TUN_PREPEND_AF 1
6354_ACEOF
6355
5708 ;; 6356 ;;
5709*-*-freebsd*) 6357*-*-freebsd*)
5710 check_for_libcrypt_later=1 6358 check_for_libcrypt_later=1
6359
6360cat >>confdefs.h <<\_ACEOF
6361#define LOCKED_PASSWD_PREFIX "*LOCKED*"
6362_ACEOF
6363
6364
6365cat >>confdefs.h <<\_ACEOF
6366#define SSH_TUN_FREEBSD 1
6367_ACEOF
6368
6369 if test "${ac_cv_header_net_if_tap_h+set}" = set; then
6370 echo "$as_me:$LINENO: checking for net/if_tap.h" >&5
6371echo $ECHO_N "checking for net/if_tap.h... $ECHO_C" >&6
6372if test "${ac_cv_header_net_if_tap_h+set}" = set; then
6373 echo $ECHO_N "(cached) $ECHO_C" >&6
6374fi
6375echo "$as_me:$LINENO: result: $ac_cv_header_net_if_tap_h" >&5
6376echo "${ECHO_T}$ac_cv_header_net_if_tap_h" >&6
6377else
6378 # Is the header compilable?
6379echo "$as_me:$LINENO: checking net/if_tap.h usability" >&5
6380echo $ECHO_N "checking net/if_tap.h usability... $ECHO_C" >&6
6381cat >conftest.$ac_ext <<_ACEOF
6382/* confdefs.h. */
6383_ACEOF
6384cat confdefs.h >>conftest.$ac_ext
6385cat >>conftest.$ac_ext <<_ACEOF
6386/* end confdefs.h. */
6387$ac_includes_default
6388#include <net/if_tap.h>
6389_ACEOF
6390rm -f conftest.$ac_objext
6391if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
6392 (eval $ac_compile) 2>conftest.er1
6393 ac_status=$?
6394 grep -v '^ *+' conftest.er1 >conftest.err
6395 rm -f conftest.er1
6396 cat conftest.err >&5
6397 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6398 (exit $ac_status); } &&
6399 { ac_try='test -z "$ac_c_werror_flag"
6400 || test ! -s conftest.err'
6401 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
6402 (eval $ac_try) 2>&5
6403 ac_status=$?
6404 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6405 (exit $ac_status); }; } &&
6406 { ac_try='test -s conftest.$ac_objext'
6407 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
6408 (eval $ac_try) 2>&5
6409 ac_status=$?
6410 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6411 (exit $ac_status); }; }; then
6412 ac_header_compiler=yes
6413else
6414 echo "$as_me: failed program was:" >&5
6415sed 's/^/| /' conftest.$ac_ext >&5
6416
6417ac_header_compiler=no
6418fi
6419rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
6420echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
6421echo "${ECHO_T}$ac_header_compiler" >&6
6422
6423# Is the header present?
6424echo "$as_me:$LINENO: checking net/if_tap.h presence" >&5
6425echo $ECHO_N "checking net/if_tap.h presence... $ECHO_C" >&6
6426cat >conftest.$ac_ext <<_ACEOF
6427/* confdefs.h. */
6428_ACEOF
6429cat confdefs.h >>conftest.$ac_ext
6430cat >>conftest.$ac_ext <<_ACEOF
6431/* end confdefs.h. */
6432#include <net/if_tap.h>
6433_ACEOF
6434if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
6435 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
6436 ac_status=$?
6437 grep -v '^ *+' conftest.er1 >conftest.err
6438 rm -f conftest.er1
6439 cat conftest.err >&5
6440 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6441 (exit $ac_status); } >/dev/null; then
6442 if test -s conftest.err; then
6443 ac_cpp_err=$ac_c_preproc_warn_flag
6444 ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
6445 else
6446 ac_cpp_err=
6447 fi
6448else
6449 ac_cpp_err=yes
6450fi
6451if test -z "$ac_cpp_err"; then
6452 ac_header_preproc=yes
6453else
6454 echo "$as_me: failed program was:" >&5
6455sed 's/^/| /' conftest.$ac_ext >&5
6456
6457 ac_header_preproc=no
6458fi
6459rm -f conftest.err conftest.$ac_ext
6460echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
6461echo "${ECHO_T}$ac_header_preproc" >&6
6462
6463# So? What about this header?
6464case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
6465 yes:no: )
6466 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: accepted by the compiler, rejected by the preprocessor!" >&5
6467echo "$as_me: WARNING: net/if_tap.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
6468 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: proceeding with the compiler's result" >&5
6469echo "$as_me: WARNING: net/if_tap.h: proceeding with the compiler's result" >&2;}
6470 ac_header_preproc=yes
6471 ;;
6472 no:yes:* )
6473 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: present but cannot be compiled" >&5
6474echo "$as_me: WARNING: net/if_tap.h: present but cannot be compiled" >&2;}
6475 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: check for missing prerequisite headers?" >&5
6476echo "$as_me: WARNING: net/if_tap.h: check for missing prerequisite headers?" >&2;}
6477 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: see the Autoconf documentation" >&5
6478echo "$as_me: WARNING: net/if_tap.h: see the Autoconf documentation" >&2;}
6479 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: section \"Present But Cannot Be Compiled\"" >&5
6480echo "$as_me: WARNING: net/if_tap.h: section \"Present But Cannot Be Compiled\"" >&2;}
6481 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: proceeding with the preprocessor's result" >&5
6482echo "$as_me: WARNING: net/if_tap.h: proceeding with the preprocessor's result" >&2;}
6483 { echo "$as_me:$LINENO: WARNING: net/if_tap.h: in the future, the compiler will take precedence" >&5
6484echo "$as_me: WARNING: net/if_tap.h: in the future, the compiler will take precedence" >&2;}
6485 (
6486 cat <<\_ASBOX
6487## ------------------------------------------- ##
6488## Report this to openssh-unix-dev@mindrot.org ##
6489## ------------------------------------------- ##
6490_ASBOX
6491 ) |
6492 sed "s/^/$as_me: WARNING: /" >&2
6493 ;;
6494esac
6495echo "$as_me:$LINENO: checking for net/if_tap.h" >&5
6496echo $ECHO_N "checking for net/if_tap.h... $ECHO_C" >&6
6497if test "${ac_cv_header_net_if_tap_h+set}" = set; then
6498 echo $ECHO_N "(cached) $ECHO_C" >&6
6499else
6500 ac_cv_header_net_if_tap_h=$ac_header_preproc
6501fi
6502echo "$as_me:$LINENO: result: $ac_cv_header_net_if_tap_h" >&5
6503echo "${ECHO_T}$ac_cv_header_net_if_tap_h" >&6
6504
6505fi
6506if test $ac_cv_header_net_if_tap_h = yes; then
6507 :
6508else
6509
6510cat >>confdefs.h <<\_ACEOF
6511#define SSH_TUN_NO_L2 1
6512_ACEOF
6513
6514fi
6515
6516
5711 ;; 6517 ;;
5712*-*-bsdi*) 6518*-*-bsdi*)
5713 cat >>confdefs.h <<\_ACEOF 6519 cat >>confdefs.h <<\_ACEOF
@@ -5728,7 +6534,8 @@ _ACEOF
5728 conf_utmp_location=/etc/utmp 6534 conf_utmp_location=/etc/utmp
5729 conf_wtmp_location=/usr/adm/wtmp 6535 conf_wtmp_location=/usr/adm/wtmp
5730 MAIL=/usr/spool/mail 6536 MAIL=/usr/spool/mail
5731 cat >>confdefs.h <<\_ACEOF 6537
6538cat >>confdefs.h <<\_ACEOF
5732#define HAVE_NEXT 1 6539#define HAVE_NEXT 1
5733_ACEOF 6540_ACEOF
5734 6541
@@ -5740,7 +6547,8 @@ _ACEOF
5740#define USE_PIPES 1 6547#define USE_PIPES 1
5741_ACEOF 6548_ACEOF
5742 6549
5743 cat >>confdefs.h <<\_ACEOF 6550
6551cat >>confdefs.h <<\_ACEOF
5744#define BROKEN_SAVED_UIDS 1 6552#define BROKEN_SAVED_UIDS 1
5745_ACEOF 6553_ACEOF
5746 6554
@@ -5751,6 +6559,16 @@ cat >>confdefs.h <<\_ACEOF
5751#define HAVE_ATTRIBUTE__SENTINEL__ 1 6559#define HAVE_ATTRIBUTE__SENTINEL__ 1
5752_ACEOF 6560_ACEOF
5753 6561
6562
6563cat >>confdefs.h <<\_ACEOF
6564#define HAVE_ATTRIBUTE__BOUNDED__ 1
6565_ACEOF
6566
6567
6568cat >>confdefs.h <<\_ACEOF
6569#define SSH_TUN_OPENBSD 1
6570_ACEOF
6571
5754 ;; 6572 ;;
5755*-*-solaris*) 6573*-*-solaris*)
5756 if test "x$withval" != "xno" ; then 6574 if test "x$withval" != "xno" ; then
@@ -5764,7 +6582,8 @@ _ACEOF
5764#define LOGIN_NEEDS_UTMPX 1 6582#define LOGIN_NEEDS_UTMPX 1
5765_ACEOF 6583_ACEOF
5766 6584
5767 cat >>confdefs.h <<\_ACEOF 6585
6586cat >>confdefs.h <<\_ACEOF
5768#define LOGIN_NEEDS_TERM 1 6587#define LOGIN_NEEDS_TERM 1
5769_ACEOF 6588_ACEOF
5770 6589
@@ -5772,7 +6591,8 @@ _ACEOF
5772#define PAM_TTY_KLUDGE 1 6591#define PAM_TTY_KLUDGE 1
5773_ACEOF 6592_ACEOF
5774 6593
5775 cat >>confdefs.h <<\_ACEOF 6594
6595cat >>confdefs.h <<\_ACEOF
5776#define SSHPAM_CHAUTHTOK_NEEDS_RUID 1 6596#define SSHPAM_CHAUTHTOK_NEEDS_RUID 1
5777_ACEOF 6597_ACEOF
5778 6598
@@ -5781,7 +6601,8 @@ _ACEOF
5781_ACEOF 6601_ACEOF
5782 6602
5783 # Pushing STREAMS modules will cause sshd to acquire a controlling tty. 6603 # Pushing STREAMS modules will cause sshd to acquire a controlling tty.
5784 cat >>confdefs.h <<\_ACEOF 6604
6605cat >>confdefs.h <<\_ACEOF
5785#define SSHD_ACQUIRES_CTTY 1 6606#define SSHD_ACQUIRES_CTTY 1
5786_ACEOF 6607_ACEOF
5787 6608
@@ -5798,7 +6619,8 @@ echo "${ECHO_T}yes" >&6
5798#define DISABLE_UTMP 1 6619#define DISABLE_UTMP 1
5799_ACEOF 6620_ACEOF
5800 6621
5801 cat >>confdefs.h <<\_ACEOF 6622
6623cat >>confdefs.h <<\_ACEOF
5802#define DISABLE_WTMP 1 6624#define DISABLE_WTMP 1
5803_ACEOF 6625_ACEOF
5804 6626
@@ -6022,14 +6844,14 @@ _ACEOF
6022 6844
6023fi 6845fi
6024 6846
6025 # -lresolv needs to be at then end of LIBS or DNS lookups break 6847 # -lresolv needs to be at the end of LIBS or DNS lookups break
6026 echo "$as_me:$LINENO: checking for resolv in -lres_query" >&5 6848 echo "$as_me:$LINENO: checking for res_query in -lresolv" >&5
6027echo $ECHO_N "checking for resolv in -lres_query... $ECHO_C" >&6 6849echo $ECHO_N "checking for res_query in -lresolv... $ECHO_C" >&6
6028if test "${ac_cv_lib_res_query_resolv+set}" = set; then 6850if test "${ac_cv_lib_resolv_res_query+set}" = set; then
6029 echo $ECHO_N "(cached) $ECHO_C" >&6 6851 echo $ECHO_N "(cached) $ECHO_C" >&6
6030else 6852else
6031 ac_check_lib_save_LIBS=$LIBS 6853 ac_check_lib_save_LIBS=$LIBS
6032LIBS="-lres_query $LIBS" 6854LIBS="-lresolv $LIBS"
6033cat >conftest.$ac_ext <<_ACEOF 6855cat >conftest.$ac_ext <<_ACEOF
6034/* confdefs.h. */ 6856/* confdefs.h. */
6035_ACEOF 6857_ACEOF
@@ -6043,11 +6865,11 @@ extern "C"
6043#endif 6865#endif
6044/* We use char because int might match the return type of a gcc2 6866/* We use char because int might match the return type of a gcc2
6045 builtin and then its argument prototype would still apply. */ 6867 builtin and then its argument prototype would still apply. */
6046char resolv (); 6868char res_query ();
6047int 6869int
6048main () 6870main ()
6049{ 6871{
6050resolv (); 6872res_query ();
6051 ; 6873 ;
6052 return 0; 6874 return 0;
6053} 6875}
@@ -6074,20 +6896,20 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
6074 ac_status=$? 6896 ac_status=$?
6075 echo "$as_me:$LINENO: \$? = $ac_status" >&5 6897 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6076 (exit $ac_status); }; }; then 6898 (exit $ac_status); }; }; then
6077 ac_cv_lib_res_query_resolv=yes 6899 ac_cv_lib_resolv_res_query=yes
6078else 6900else
6079 echo "$as_me: failed program was:" >&5 6901 echo "$as_me: failed program was:" >&5
6080sed 's/^/| /' conftest.$ac_ext >&5 6902sed 's/^/| /' conftest.$ac_ext >&5
6081 6903
6082ac_cv_lib_res_query_resolv=no 6904ac_cv_lib_resolv_res_query=no
6083fi 6905fi
6084rm -f conftest.err conftest.$ac_objext \ 6906rm -f conftest.err conftest.$ac_objext \
6085 conftest$ac_exeext conftest.$ac_ext 6907 conftest$ac_exeext conftest.$ac_ext
6086LIBS=$ac_check_lib_save_LIBS 6908LIBS=$ac_check_lib_save_LIBS
6087fi 6909fi
6088echo "$as_me:$LINENO: result: $ac_cv_lib_res_query_resolv" >&5 6910echo "$as_me:$LINENO: result: $ac_cv_lib_resolv_res_query" >&5
6089echo "${ECHO_T}$ac_cv_lib_res_query_resolv" >&6 6911echo "${ECHO_T}$ac_cv_lib_resolv_res_query" >&6
6090if test $ac_cv_lib_res_query_resolv = yes; then 6912if test $ac_cv_lib_resolv_res_query = yes; then
6091 LIBS="$LIBS -lresolv" 6913 LIBS="$LIBS -lresolv"
6092fi 6914fi
6093 6915
@@ -6123,6 +6945,7 @@ _ACEOF
6123 ;; 6945 ;;
6124# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel. 6946# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
6125*-*-sysv4.2*) 6947*-*-sysv4.2*)
6948 CFLAGS="$CFLAGS -Dva_list=_VA_LIST"
6126 cat >>confdefs.h <<\_ACEOF 6949 cat >>confdefs.h <<\_ACEOF
6127#define USE_PIPES 1 6950#define USE_PIPES 1
6128_ACEOF 6951_ACEOF
@@ -6144,6 +6967,10 @@ cat >>confdefs.h <<\_ACEOF
6144#define PASSWD_NEEDS_USERNAME 1 6967#define PASSWD_NEEDS_USERNAME 1
6145_ACEOF 6968_ACEOF
6146 6969
6970 cat >>confdefs.h <<\_ACEOF
6971#define LOCKED_PASSWD_STRING "*LK*"
6972_ACEOF
6973
6147 ;; 6974 ;;
6148# UnixWare 7.x, OpenUNIX 8 6975# UnixWare 7.x, OpenUNIX 8
6149*-*-sysv5*) 6976*-*-sysv5*)
@@ -6169,8 +6996,7 @@ _ACEOF
6169#define BROKEN_SETREGID 1 6996#define BROKEN_SETREGID 1
6170_ACEOF 6997_ACEOF
6171 6998
6172 6999 cat >>confdefs.h <<\_ACEOF
6173cat >>confdefs.h <<\_ACEOF
6174#define PASSWD_NEEDS_USERNAME 1 7000#define PASSWD_NEEDS_USERNAME 1
6175_ACEOF 7001_ACEOF
6176 7002
@@ -6183,6 +7009,11 @@ cat >>confdefs.h <<\_ACEOF
6183_ACEOF 7009_ACEOF
6184 7010
6185 ;; 7011 ;;
7012 *) cat >>confdefs.h <<\_ACEOF
7013#define LOCKED_PASSWD_STRING "*LK*"
7014_ACEOF
7015
7016 ;;
6186 esac 7017 esac
6187 ;; 7018 ;;
6188*-*-sysv*) 7019*-*-sysv*)
@@ -6236,8 +7067,7 @@ _ACEOF
6236#define BROKEN_UPDWTMPX 1 7067#define BROKEN_UPDWTMPX 1
6237_ACEOF 7068_ACEOF
6238 7069
6239 7070 cat >>confdefs.h <<\_ACEOF
6240cat >>confdefs.h <<\_ACEOF
6241#define PASSWD_NEEDS_USERNAME 1 7071#define PASSWD_NEEDS_USERNAME 1
6242_ACEOF 7072_ACEOF
6243 7073
@@ -6348,7 +7178,8 @@ done
6348 TEST_SHELL=ksh 7178 TEST_SHELL=ksh
6349 ;; 7179 ;;
6350*-*-unicosmk*) 7180*-*-unicosmk*)
6351 cat >>confdefs.h <<\_ACEOF 7181
7182cat >>confdefs.h <<\_ACEOF
6352#define NO_SSH_LASTLOG 1 7183#define NO_SSH_LASTLOG 1
6353_ACEOF 7184_ACEOF
6354 7185
@@ -6454,11 +7285,13 @@ fi;
6454 if test -f /etc/sia/matrix.conf; then 7285 if test -f /etc/sia/matrix.conf; then
6455 echo "$as_me:$LINENO: result: yes" >&5 7286 echo "$as_me:$LINENO: result: yes" >&5
6456echo "${ECHO_T}yes" >&6 7287echo "${ECHO_T}yes" >&6
6457 cat >>confdefs.h <<\_ACEOF 7288
7289cat >>confdefs.h <<\_ACEOF
6458#define HAVE_OSF_SIA 1 7290#define HAVE_OSF_SIA 1
6459_ACEOF 7291_ACEOF
6460 7292
6461 cat >>confdefs.h <<\_ACEOF 7293
7294cat >>confdefs.h <<\_ACEOF
6462#define DISABLE_LOGIN 1 7295#define DISABLE_LOGIN 1
6463_ACEOF 7296_ACEOF
6464 7297
@@ -6470,7 +7303,8 @@ _ACEOF
6470 else 7303 else
6471 echo "$as_me:$LINENO: result: no" >&5 7304 echo "$as_me:$LINENO: result: no" >&5
6472echo "${ECHO_T}no" >&6 7305echo "${ECHO_T}no" >&6
6473 cat >>confdefs.h <<\_ACEOF 7306
7307cat >>confdefs.h <<\_ACEOF
6474#define LOCKED_PASSWD_SUBSTR "Nologin" 7308#define LOCKED_PASSWD_SUBSTR "Nologin"
6475_ACEOF 7309_ACEOF
6476 7310
@@ -6494,7 +7328,7 @@ _ACEOF
6494 7328
6495 ;; 7329 ;;
6496 7330
6497*-*-nto-qnx) 7331*-*-nto-qnx*)
6498 cat >>confdefs.h <<\_ACEOF 7332 cat >>confdefs.h <<\_ACEOF
6499#define USE_PIPES 1 7333#define USE_PIPES 1
6500_ACEOF 7334_ACEOF
@@ -6503,34 +7337,40 @@ _ACEOF
6503#define NO_X11_UNIX_SOCKETS 1 7337#define NO_X11_UNIX_SOCKETS 1
6504_ACEOF 7338_ACEOF
6505 7339
6506 cat >>confdefs.h <<\_ACEOF 7340
7341cat >>confdefs.h <<\_ACEOF
6507#define MISSING_NFDBITS 1 7342#define MISSING_NFDBITS 1
6508_ACEOF 7343_ACEOF
6509 7344
6510 cat >>confdefs.h <<\_ACEOF 7345
7346cat >>confdefs.h <<\_ACEOF
6511#define MISSING_HOWMANY 1 7347#define MISSING_HOWMANY 1
6512_ACEOF 7348_ACEOF
6513 7349
6514 cat >>confdefs.h <<\_ACEOF 7350
7351cat >>confdefs.h <<\_ACEOF
6515#define MISSING_FD_MASK 1 7352#define MISSING_FD_MASK 1
6516_ACEOF 7353_ACEOF
6517 7354
7355 cat >>confdefs.h <<\_ACEOF
7356#define DISABLE_LASTLOG 1
7357_ACEOF
7358
6518 ;; 7359 ;;
6519 7360
6520*-*-ultrix*) 7361*-*-ultrix*)
6521 7362
6522cat >>confdefs.h <<\_ACEOF 7363cat >>confdefs.h <<\_ACEOF
6523#define BROKEN_GETGROUPS 7364#define BROKEN_GETGROUPS 1
6524_ACEOF 7365_ACEOF
6525 7366
6526 7367
6527cat >>confdefs.h <<\_ACEOF 7368cat >>confdefs.h <<\_ACEOF
6528#define BROKEN_MMAP 7369#define BROKEN_MMAP 1
6529_ACEOF 7370_ACEOF
6530 7371
6531 7372 cat >>confdefs.h <<\_ACEOF
6532cat >>confdefs.h <<\_ACEOF 7373#define NEED_SETPGRP 1
6533#define NEED_SETPRGP
6534_ACEOF 7374_ACEOF
6535 7375
6536 7376
@@ -6542,7 +7382,7 @@ _ACEOF
6542 7382
6543*-*-lynxos) 7383*-*-lynxos)
6544 CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__" 7384 CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
6545 cat >>confdefs.h <<\_ACEOF 7385 cat >>confdefs.h <<\_ACEOF
6546#define MISSING_HOWMANY 1 7386#define MISSING_HOWMANY 1
6547_ACEOF 7387_ACEOF
6548 7388
@@ -6610,7 +7450,7 @@ if test "${with_Werror+set}" = set; then
6610 7450
6611 if test -n "$withval" && test "x$withval" != "xno"; then 7451 if test -n "$withval" && test "x$withval" != "xno"; then
6612 werror_flags="-Werror" 7452 werror_flags="-Werror"
6613 if "x${withval}" != "xyes"; then 7453 if test "x${withval}" != "xyes"; then
6614 werror_flags="$withval" 7454 werror_flags="$withval"
6615 fi 7455 fi
6616 fi 7456 fi
@@ -6667,262 +7507,6 @@ rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftes
6667fi 7507fi
6668 7508
6669 7509
6670echo "$as_me:$LINENO: checking for egrep" >&5
6671echo $ECHO_N "checking for egrep... $ECHO_C" >&6
6672if test "${ac_cv_prog_egrep+set}" = set; then
6673 echo $ECHO_N "(cached) $ECHO_C" >&6
6674else
6675 if echo a | (grep -E '(a|b)') >/dev/null 2>&1
6676 then ac_cv_prog_egrep='grep -E'
6677 else ac_cv_prog_egrep='egrep'
6678 fi
6679fi
6680echo "$as_me:$LINENO: result: $ac_cv_prog_egrep" >&5
6681echo "${ECHO_T}$ac_cv_prog_egrep" >&6
6682 EGREP=$ac_cv_prog_egrep
6683
6684
6685echo "$as_me:$LINENO: checking for ANSI C header files" >&5
6686echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6
6687if test "${ac_cv_header_stdc+set}" = set; then
6688 echo $ECHO_N "(cached) $ECHO_C" >&6
6689else
6690 cat >conftest.$ac_ext <<_ACEOF
6691/* confdefs.h. */
6692_ACEOF
6693cat confdefs.h >>conftest.$ac_ext
6694cat >>conftest.$ac_ext <<_ACEOF
6695/* end confdefs.h. */
6696#include <stdlib.h>
6697#include <stdarg.h>
6698#include <string.h>
6699#include <float.h>
6700
6701int
6702main ()
6703{
6704
6705 ;
6706 return 0;
6707}
6708_ACEOF
6709rm -f conftest.$ac_objext
6710if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
6711 (eval $ac_compile) 2>conftest.er1
6712 ac_status=$?
6713 grep -v '^ *+' conftest.er1 >conftest.err
6714 rm -f conftest.er1
6715 cat conftest.err >&5
6716 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6717 (exit $ac_status); } &&
6718 { ac_try='test -z "$ac_c_werror_flag"
6719 || test ! -s conftest.err'
6720 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
6721 (eval $ac_try) 2>&5
6722 ac_status=$?
6723 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6724 (exit $ac_status); }; } &&
6725 { ac_try='test -s conftest.$ac_objext'
6726 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
6727 (eval $ac_try) 2>&5
6728 ac_status=$?
6729 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6730 (exit $ac_status); }; }; then
6731 ac_cv_header_stdc=yes
6732else
6733 echo "$as_me: failed program was:" >&5
6734sed 's/^/| /' conftest.$ac_ext >&5
6735
6736ac_cv_header_stdc=no
6737fi
6738rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
6739
6740if test $ac_cv_header_stdc = yes; then
6741 # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
6742 cat >conftest.$ac_ext <<_ACEOF
6743/* confdefs.h. */
6744_ACEOF
6745cat confdefs.h >>conftest.$ac_ext
6746cat >>conftest.$ac_ext <<_ACEOF
6747/* end confdefs.h. */
6748#include <string.h>
6749
6750_ACEOF
6751if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
6752 $EGREP "memchr" >/dev/null 2>&1; then
6753 :
6754else
6755 ac_cv_header_stdc=no
6756fi
6757rm -f conftest*
6758
6759fi
6760
6761if test $ac_cv_header_stdc = yes; then
6762 # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
6763 cat >conftest.$ac_ext <<_ACEOF
6764/* confdefs.h. */
6765_ACEOF
6766cat confdefs.h >>conftest.$ac_ext
6767cat >>conftest.$ac_ext <<_ACEOF
6768/* end confdefs.h. */
6769#include <stdlib.h>
6770
6771_ACEOF
6772if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
6773 $EGREP "free" >/dev/null 2>&1; then
6774 :
6775else
6776 ac_cv_header_stdc=no
6777fi
6778rm -f conftest*
6779
6780fi
6781
6782if test $ac_cv_header_stdc = yes; then
6783 # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
6784 if test "$cross_compiling" = yes; then
6785 :
6786else
6787 cat >conftest.$ac_ext <<_ACEOF
6788/* confdefs.h. */
6789_ACEOF
6790cat confdefs.h >>conftest.$ac_ext
6791cat >>conftest.$ac_ext <<_ACEOF
6792/* end confdefs.h. */
6793#include <ctype.h>
6794#if ((' ' & 0x0FF) == 0x020)
6795# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
6796# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
6797#else
6798# define ISLOWER(c) \
6799 (('a' <= (c) && (c) <= 'i') \
6800 || ('j' <= (c) && (c) <= 'r') \
6801 || ('s' <= (c) && (c) <= 'z'))
6802# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
6803#endif
6804
6805#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
6806int
6807main ()
6808{
6809 int i;
6810 for (i = 0; i < 256; i++)
6811 if (XOR (islower (i), ISLOWER (i))
6812 || toupper (i) != TOUPPER (i))
6813 exit(2);
6814 exit (0);
6815}
6816_ACEOF
6817rm -f conftest$ac_exeext
6818if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
6819 (eval $ac_link) 2>&5
6820 ac_status=$?
6821 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6822 (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
6823 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
6824 (eval $ac_try) 2>&5
6825 ac_status=$?
6826 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6827 (exit $ac_status); }; }; then
6828 :
6829else
6830 echo "$as_me: program exited with status $ac_status" >&5
6831echo "$as_me: failed program was:" >&5
6832sed 's/^/| /' conftest.$ac_ext >&5
6833
6834( exit $ac_status )
6835ac_cv_header_stdc=no
6836fi
6837rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
6838fi
6839fi
6840fi
6841echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
6842echo "${ECHO_T}$ac_cv_header_stdc" >&6
6843if test $ac_cv_header_stdc = yes; then
6844
6845cat >>confdefs.h <<\_ACEOF
6846#define STDC_HEADERS 1
6847_ACEOF
6848
6849fi
6850
6851# On IRIX 5.3, sys/types and inttypes.h are conflicting.
6852
6853
6854
6855
6856
6857
6858
6859
6860
6861for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
6862 inttypes.h stdint.h unistd.h
6863do
6864as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
6865echo "$as_me:$LINENO: checking for $ac_header" >&5
6866echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
6867if eval "test \"\${$as_ac_Header+set}\" = set"; then
6868 echo $ECHO_N "(cached) $ECHO_C" >&6
6869else
6870 cat >conftest.$ac_ext <<_ACEOF
6871/* confdefs.h. */
6872_ACEOF
6873cat confdefs.h >>conftest.$ac_ext
6874cat >>conftest.$ac_ext <<_ACEOF
6875/* end confdefs.h. */
6876$ac_includes_default
6877
6878#include <$ac_header>
6879_ACEOF
6880rm -f conftest.$ac_objext
6881if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
6882 (eval $ac_compile) 2>conftest.er1
6883 ac_status=$?
6884 grep -v '^ *+' conftest.er1 >conftest.err
6885 rm -f conftest.er1
6886 cat conftest.err >&5
6887 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6888 (exit $ac_status); } &&
6889 { ac_try='test -z "$ac_c_werror_flag"
6890 || test ! -s conftest.err'
6891 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
6892 (eval $ac_try) 2>&5
6893 ac_status=$?
6894 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6895 (exit $ac_status); }; } &&
6896 { ac_try='test -s conftest.$ac_objext'
6897 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
6898 (eval $ac_try) 2>&5
6899 ac_status=$?
6900 echo "$as_me:$LINENO: \$? = $ac_status" >&5
6901 (exit $ac_status); }; }; then
6902 eval "$as_ac_Header=yes"
6903else
6904 echo "$as_me: failed program was:" >&5
6905sed 's/^/| /' conftest.$ac_ext >&5
6906
6907eval "$as_ac_Header=no"
6908fi
6909rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
6910fi
6911echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
6912echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
6913if test `eval echo '${'$as_ac_Header'}'` = yes; then
6914 cat >>confdefs.h <<_ACEOF
6915#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
6916_ACEOF
6917
6918fi
6919
6920done
6921
6922
6923
6924
6925
6926 7510
6927 7511
6928 7512
@@ -6989,7 +7573,6 @@ for ac_header in \
6989 glob.h \ 7573 glob.h \
6990 ia.h \ 7574 ia.h \
6991 iaf.h \ 7575 iaf.h \
6992 lastlog.h \
6993 limits.h \ 7576 limits.h \
6994 login.h \ 7577 login.h \
6995 login_cap.h \ 7578 login_cap.h \
@@ -6997,7 +7580,6 @@ for ac_header in \
6997 ndir.h \ 7580 ndir.h \
6998 netdb.h \ 7581 netdb.h \
6999 netgroup.h \ 7582 netgroup.h \
7000 netinet/in_systm.h \
7001 pam/pam_appl.h \ 7583 pam/pam_appl.h \
7002 paths.h \ 7584 paths.h \
7003 pty.h \ 7585 pty.h \
@@ -7187,6 +7769,73 @@ fi
7187done 7769done
7188 7770
7189 7771
7772# lastlog.h requires sys/time.h to be included first on Solaris
7773
7774for ac_header in lastlog.h
7775do
7776as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
7777echo "$as_me:$LINENO: checking for $ac_header" >&5
7778echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
7779if eval "test \"\${$as_ac_Header+set}\" = set"; then
7780 echo $ECHO_N "(cached) $ECHO_C" >&6
7781else
7782 cat >conftest.$ac_ext <<_ACEOF
7783/* confdefs.h. */
7784_ACEOF
7785cat confdefs.h >>conftest.$ac_ext
7786cat >>conftest.$ac_ext <<_ACEOF
7787/* end confdefs.h. */
7788
7789#ifdef HAVE_SYS_TIME_H
7790# include <sys/time.h>
7791#endif
7792
7793
7794#include <$ac_header>
7795_ACEOF
7796rm -f conftest.$ac_objext
7797if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
7798 (eval $ac_compile) 2>conftest.er1
7799 ac_status=$?
7800 grep -v '^ *+' conftest.er1 >conftest.err
7801 rm -f conftest.er1
7802 cat conftest.err >&5
7803 echo "$as_me:$LINENO: \$? = $ac_status" >&5
7804 (exit $ac_status); } &&
7805 { ac_try='test -z "$ac_c_werror_flag"
7806 || test ! -s conftest.err'
7807 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
7808 (eval $ac_try) 2>&5
7809 ac_status=$?
7810 echo "$as_me:$LINENO: \$? = $ac_status" >&5
7811 (exit $ac_status); }; } &&
7812 { ac_try='test -s conftest.$ac_objext'
7813 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
7814 (eval $ac_try) 2>&5
7815 ac_status=$?
7816 echo "$as_me:$LINENO: \$? = $ac_status" >&5
7817 (exit $ac_status); }; }; then
7818 eval "$as_ac_Header=yes"
7819else
7820 echo "$as_me: failed program was:" >&5
7821sed 's/^/| /' conftest.$ac_ext >&5
7822
7823eval "$as_ac_Header=no"
7824fi
7825rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
7826fi
7827echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
7828echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
7829if test `eval echo '${'$as_ac_Header'}'` = yes; then
7830 cat >>confdefs.h <<_ACEOF
7831#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
7832_ACEOF
7833
7834fi
7835
7836done
7837
7838
7190# sys/ptms.h requires sys/stream.h to be included first on Solaris 7839# sys/ptms.h requires sys/stream.h to be included first on Solaris
7191 7840
7192for ac_header in sys/ptms.h 7841for ac_header in sys/ptms.h
@@ -7919,11 +8568,7 @@ else
7919 save_LIBS="$LIBS" 8568 save_LIBS="$LIBS"
7920 LIBS="$LIBS -lgen" 8569 LIBS="$LIBS -lgen"
7921 if test "$cross_compiling" = yes; then 8570 if test "$cross_compiling" = yes; then
7922 { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling 8571 ac_cv_have_broken_dirname="no"
7923See \`config.log' for more details." >&5
7924echo "$as_me: error: cannot run test program while cross compiling
7925See \`config.log' for more details." >&2;}
7926 { (exit 1); exit 1; }; }
7927else 8572else
7928 cat >conftest.$ac_ext <<_ACEOF 8573 cat >conftest.$ac_ext <<_ACEOF
7929/* confdefs.h. */ 8574/* confdefs.h. */
@@ -7967,7 +8612,6 @@ sed 's/^/| /' conftest.$ac_ext >&5
7967 8612
7968( exit $ac_status ) 8613( exit $ac_status )
7969 ac_cv_have_broken_dirname="yes" 8614 ac_cv_have_broken_dirname="yes"
7970
7971fi 8615fi
7972rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext 8616rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
7973fi 8617fi
@@ -8427,7 +9071,8 @@ echo "$as_me:$LINENO: result: $ac_cv_search_basename" >&5
8427echo "${ECHO_T}$ac_cv_search_basename" >&6 9071echo "${ECHO_T}$ac_cv_search_basename" >&6
8428if test "$ac_cv_search_basename" != no; then 9072if test "$ac_cv_search_basename" != no; then
8429 test "$ac_cv_search_basename" = "none required" || LIBS="$ac_cv_search_basename $LIBS" 9073 test "$ac_cv_search_basename" = "none required" || LIBS="$ac_cv_search_basename $LIBS"
8430 cat >>confdefs.h <<\_ACEOF 9074
9075cat >>confdefs.h <<\_ACEOF
8431#define HAVE_BASENAME 1 9076#define HAVE_BASENAME 1
8432_ACEOF 9077_ACEOF
8433 9078
@@ -9019,9 +9664,13 @@ fi
9019 9664
9020fi 9665fi
9021 9666
9022echo "$as_me:$LINENO: checking for utimes" >&5 9667
9023echo $ECHO_N "checking for utimes... $ECHO_C" >&6 9668for ac_func in utimes
9024if test "${ac_cv_func_utimes+set}" = set; then 9669do
9670as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
9671echo "$as_me:$LINENO: checking for $ac_func" >&5
9672echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
9673if eval "test \"\${$as_ac_var+set}\" = set"; then
9025 echo $ECHO_N "(cached) $ECHO_C" >&6 9674 echo $ECHO_N "(cached) $ECHO_C" >&6
9026else 9675else
9027 cat >conftest.$ac_ext <<_ACEOF 9676 cat >conftest.$ac_ext <<_ACEOF
@@ -9030,12 +9679,12 @@ _ACEOF
9030cat confdefs.h >>conftest.$ac_ext 9679cat confdefs.h >>conftest.$ac_ext
9031cat >>conftest.$ac_ext <<_ACEOF 9680cat >>conftest.$ac_ext <<_ACEOF
9032/* end confdefs.h. */ 9681/* end confdefs.h. */
9033/* Define utimes to an innocuous variant, in case <limits.h> declares utimes. 9682/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
9034 For example, HP-UX 11i <limits.h> declares gettimeofday. */ 9683 For example, HP-UX 11i <limits.h> declares gettimeofday. */
9035#define utimes innocuous_utimes 9684#define $ac_func innocuous_$ac_func
9036 9685
9037/* System header to define __stub macros and hopefully few prototypes, 9686/* System header to define __stub macros and hopefully few prototypes,
9038 which can conflict with char utimes (); below. 9687 which can conflict with char $ac_func (); below.
9039 Prefer <limits.h> to <assert.h> if __STDC__ is defined, since 9688 Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
9040 <limits.h> exists even on freestanding compilers. */ 9689 <limits.h> exists even on freestanding compilers. */
9041 9690
@@ -9045,7 +9694,7 @@ cat >>conftest.$ac_ext <<_ACEOF
9045# include <assert.h> 9694# include <assert.h>
9046#endif 9695#endif
9047 9696
9048#undef utimes 9697#undef $ac_func
9049 9698
9050/* Override any gcc2 internal prototype to avoid an error. */ 9699/* Override any gcc2 internal prototype to avoid an error. */
9051#ifdef __cplusplus 9700#ifdef __cplusplus
@@ -9054,14 +9703,14 @@ extern "C"
9054#endif 9703#endif
9055/* We use char because int might match the return type of a gcc2 9704/* We use char because int might match the return type of a gcc2
9056 builtin and then its argument prototype would still apply. */ 9705 builtin and then its argument prototype would still apply. */
9057char utimes (); 9706char $ac_func ();
9058/* The GNU C library defines this for functions which it implements 9707/* The GNU C library defines this for functions which it implements
9059 to always fail with ENOSYS. Some functions are actually named 9708 to always fail with ENOSYS. Some functions are actually named
9060 something starting with __ and the normal name is an alias. */ 9709 something starting with __ and the normal name is an alias. */
9061#if defined (__stub_utimes) || defined (__stub___utimes) 9710#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
9062choke me 9711choke me
9063#else 9712#else
9064char (*f) () = utimes; 9713char (*f) () = $ac_func;
9065#endif 9714#endif
9066#ifdef __cplusplus 9715#ifdef __cplusplus
9067} 9716}
@@ -9070,7 +9719,7 @@ char (*f) () = utimes;
9070int 9719int
9071main () 9720main ()
9072{ 9721{
9073return f != utimes; 9722return f != $ac_func;
9074 ; 9723 ;
9075 return 0; 9724 return 0;
9076} 9725}
@@ -9097,20 +9746,23 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
9097 ac_status=$? 9746 ac_status=$?
9098 echo "$as_me:$LINENO: \$? = $ac_status" >&5 9747 echo "$as_me:$LINENO: \$? = $ac_status" >&5
9099 (exit $ac_status); }; }; then 9748 (exit $ac_status); }; }; then
9100 ac_cv_func_utimes=yes 9749 eval "$as_ac_var=yes"
9101else 9750else
9102 echo "$as_me: failed program was:" >&5 9751 echo "$as_me: failed program was:" >&5
9103sed 's/^/| /' conftest.$ac_ext >&5 9752sed 's/^/| /' conftest.$ac_ext >&5
9104 9753
9105ac_cv_func_utimes=no 9754eval "$as_ac_var=no"
9106fi 9755fi
9107rm -f conftest.err conftest.$ac_objext \ 9756rm -f conftest.err conftest.$ac_objext \
9108 conftest$ac_exeext conftest.$ac_ext 9757 conftest$ac_exeext conftest.$ac_ext
9109fi 9758fi
9110echo "$as_me:$LINENO: result: $ac_cv_func_utimes" >&5 9759echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
9111echo "${ECHO_T}$ac_cv_func_utimes" >&6 9760echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
9112if test $ac_cv_func_utimes = yes; then 9761if test `eval echo '${'$as_ac_var'}'` = yes; then
9113 : 9762 cat >>confdefs.h <<_ACEOF
9763#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
9764_ACEOF
9765
9114else 9766else
9115 echo "$as_me:$LINENO: checking for utimes in -lc89" >&5 9767 echo "$as_me:$LINENO: checking for utimes in -lc89" >&5
9116echo $ECHO_N "checking for utimes in -lc89... $ECHO_C" >&6 9768echo $ECHO_N "checking for utimes in -lc89... $ECHO_C" >&6
@@ -9186,6 +9838,7 @@ fi
9186 9838
9187 9839
9188fi 9840fi
9841done
9189 9842
9190 9843
9191 9844
@@ -9461,7 +10114,8 @@ echo "$as_me:$LINENO: result: $ac_cv_search_login" >&5
9461echo "${ECHO_T}$ac_cv_search_login" >&6 10114echo "${ECHO_T}$ac_cv_search_login" >&6
9462if test "$ac_cv_search_login" != no; then 10115if test "$ac_cv_search_login" != no; then
9463 test "$ac_cv_search_login" = "none required" || LIBS="$ac_cv_search_login $LIBS" 10116 test "$ac_cv_search_login" = "none required" || LIBS="$ac_cv_search_login $LIBS"
9464 cat >>confdefs.h <<\_ACEOF 10117
10118cat >>confdefs.h <<\_ACEOF
9465#define HAVE_LOGIN 1 10119#define HAVE_LOGIN 1
9466_ACEOF 10120_ACEOF
9467 10121
@@ -9768,7 +10422,8 @@ _ACEOF
9768if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | 10422if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
9769 $EGREP "FOUNDIT" >/dev/null 2>&1; then 10423 $EGREP "FOUNDIT" >/dev/null 2>&1; then
9770 10424
9771 cat >>confdefs.h <<\_ACEOF 10425
10426cat >>confdefs.h <<\_ACEOF
9772#define GLOB_HAS_ALTDIRFUNC 1 10427#define GLOB_HAS_ALTDIRFUNC 1
9773_ACEOF 10428_ACEOF
9774 10429
@@ -9802,7 +10457,8 @@ _ACEOF
9802if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | 10457if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
9803 $EGREP "FOUNDIT" >/dev/null 2>&1; then 10458 $EGREP "FOUNDIT" >/dev/null 2>&1; then
9804 10459
9805 cat >>confdefs.h <<\_ACEOF 10460
10461cat >>confdefs.h <<\_ACEOF
9806#define GLOB_HAS_GL_MATCHC 1 10462#define GLOB_HAS_GL_MATCHC 1
9807_ACEOF 10463_ACEOF
9808 10464
@@ -9866,7 +10522,8 @@ sed 's/^/| /' conftest.$ac_ext >&5
9866 10522
9867 echo "$as_me:$LINENO: result: no" >&5 10523 echo "$as_me:$LINENO: result: no" >&5
9868echo "${ECHO_T}no" >&6 10524echo "${ECHO_T}no" >&6
9869 cat >>confdefs.h <<\_ACEOF 10525
10526cat >>confdefs.h <<\_ACEOF
9870#define BROKEN_ONE_BYTE_DIRENT_D_NAME 1 10527#define BROKEN_ONE_BYTE_DIRENT_D_NAME 1
9871_ACEOF 10528_ACEOF
9872 10529
@@ -9878,7 +10535,8 @@ fi
9878echo "$as_me:$LINENO: checking for /proc/pid/fd directory" >&5 10535echo "$as_me:$LINENO: checking for /proc/pid/fd directory" >&5
9879echo $ECHO_N "checking for /proc/pid/fd directory... $ECHO_C" >&6 10536echo $ECHO_N "checking for /proc/pid/fd directory... $ECHO_C" >&6
9880if test -d "/proc/$$/fd" ; then 10537if test -d "/proc/$$/fd" ; then
9881 cat >>confdefs.h <<\_ACEOF 10538
10539cat >>confdefs.h <<\_ACEOF
9882#define HAVE_PROC_PID 1 10540#define HAVE_PROC_PID 1
9883_ACEOF 10541_ACEOF
9884 10542
@@ -9903,7 +10561,8 @@ if test "${with_skey+set}" = set; then
9903 LDFLAGS="$LDFLAGS -L${withval}/lib" 10561 LDFLAGS="$LDFLAGS -L${withval}/lib"
9904 fi 10562 fi
9905 10563
9906 cat >>confdefs.h <<\_ACEOF 10564
10565cat >>confdefs.h <<\_ACEOF
9907#define SKEY 1 10566#define SKEY 1
9908_ACEOF 10567_ACEOF
9909 10568
@@ -9912,14 +10571,7 @@ _ACEOF
9912 10571
9913 echo "$as_me:$LINENO: checking for s/key support" >&5 10572 echo "$as_me:$LINENO: checking for s/key support" >&5
9914echo $ECHO_N "checking for s/key support... $ECHO_C" >&6 10573echo $ECHO_N "checking for s/key support... $ECHO_C" >&6
9915 if test "$cross_compiling" = yes; then 10574 cat >conftest.$ac_ext <<_ACEOF
9916 { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
9917See \`config.log' for more details." >&5
9918echo "$as_me: error: cannot run test program while cross compiling
9919See \`config.log' for more details." >&2;}
9920 { (exit 1); exit 1; }; }
9921else
9922 cat >conftest.$ac_ext <<_ACEOF
9923/* confdefs.h. */ 10575/* confdefs.h. */
9924_ACEOF 10576_ACEOF
9925cat confdefs.h >>conftest.$ac_ext 10577cat confdefs.h >>conftest.$ac_ext
@@ -9931,12 +10583,23 @@ cat >>conftest.$ac_ext <<_ACEOF
9931int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); } 10583int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); }
9932 10584
9933_ACEOF 10585_ACEOF
9934rm -f conftest$ac_exeext 10586rm -f conftest.$ac_objext conftest$ac_exeext
9935if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 10587if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
9936 (eval $ac_link) 2>&5 10588 (eval $ac_link) 2>conftest.er1
9937 ac_status=$? 10589 ac_status=$?
10590 grep -v '^ *+' conftest.er1 >conftest.err
10591 rm -f conftest.er1
10592 cat conftest.err >&5
9938 echo "$as_me:$LINENO: \$? = $ac_status" >&5 10593 echo "$as_me:$LINENO: \$? = $ac_status" >&5
9939 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' 10594 (exit $ac_status); } &&
10595 { ac_try='test -z "$ac_c_werror_flag"
10596 || test ! -s conftest.err'
10597 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
10598 (eval $ac_try) 2>&5
10599 ac_status=$?
10600 echo "$as_me:$LINENO: \$? = $ac_status" >&5
10601 (exit $ac_status); }; } &&
10602 { ac_try='test -s conftest$ac_exeext'
9940 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 10603 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
9941 (eval $ac_try) 2>&5 10604 (eval $ac_try) 2>&5
9942 ac_status=$? 10605 ac_status=$?
@@ -9945,11 +10608,9 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
9945 echo "$as_me:$LINENO: result: yes" >&5 10608 echo "$as_me:$LINENO: result: yes" >&5
9946echo "${ECHO_T}yes" >&6 10609echo "${ECHO_T}yes" >&6
9947else 10610else
9948 echo "$as_me: program exited with status $ac_status" >&5 10611 echo "$as_me: failed program was:" >&5
9949echo "$as_me: failed program was:" >&5
9950sed 's/^/| /' conftest.$ac_ext >&5 10612sed 's/^/| /' conftest.$ac_ext >&5
9951 10613
9952( exit $ac_status )
9953 10614
9954 echo "$as_me:$LINENO: result: no" >&5 10615 echo "$as_me:$LINENO: result: no" >&5
9955echo "${ECHO_T}no" >&6 10616echo "${ECHO_T}no" >&6
@@ -9958,8 +10619,8 @@ echo "$as_me: error: ** Incomplete or missing s/key libraries." >&2;}
9958 { (exit 1); exit 1; }; } 10619 { (exit 1); exit 1; }; }
9959 10620
9960fi 10621fi
9961rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext 10622rm -f conftest.err conftest.$ac_objext \
9962fi 10623 conftest$ac_exeext conftest.$ac_ext
9963 echo "$as_me:$LINENO: checking if skeychallenge takes 4 arguments" >&5 10624 echo "$as_me:$LINENO: checking if skeychallenge takes 4 arguments" >&5
9964echo $ECHO_N "checking if skeychallenge takes 4 arguments... $ECHO_C" >&6 10625echo $ECHO_N "checking if skeychallenge takes 4 arguments... $ECHO_C" >&6
9965 cat >conftest.$ac_ext <<_ACEOF 10626 cat >conftest.$ac_ext <<_ACEOF
@@ -10002,7 +10663,8 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
10002 (exit $ac_status); }; }; then 10663 (exit $ac_status); }; }; then
10003 echo "$as_me:$LINENO: result: yes" >&5 10664 echo "$as_me:$LINENO: result: yes" >&5
10004echo "${ECHO_T}yes" >&6 10665echo "${ECHO_T}yes" >&6
10005 cat >>confdefs.h <<\_ACEOF 10666
10667cat >>confdefs.h <<\_ACEOF
10006#define SKEYCHALLENGE_4ARG 1 10668#define SKEYCHALLENGE_4ARG 1
10007_ACEOF 10669_ACEOF
10008 10670
@@ -10102,7 +10764,8 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
10102 10764
10103 echo "$as_me:$LINENO: result: yes" >&5 10765 echo "$as_me:$LINENO: result: yes" >&5
10104echo "${ECHO_T}yes" >&6 10766echo "${ECHO_T}yes" >&6
10105 cat >>confdefs.h <<\_ACEOF 10767
10768cat >>confdefs.h <<\_ACEOF
10106#define LIBWRAP 1 10769#define LIBWRAP 1
10107_ACEOF 10770_ACEOF
10108 10771
@@ -10136,8 +10799,12 @@ if test "${with_libedit+set}" = set; then
10136 withval="$with_libedit" 10799 withval="$with_libedit"
10137 if test "x$withval" != "xno" ; then 10800 if test "x$withval" != "xno" ; then
10138 if test "x$withval" != "xyes"; then 10801 if test "x$withval" != "xyes"; then
10139 CPPFLAGS="$CPPFLAGS -I$withval/include" 10802 CPPFLAGS="$CPPFLAGS -I${withval}/include"
10140 LDFLAGS="$LDFLAGS -L$withval/lib" 10803 if test -n "${need_dash_r}"; then
10804 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
10805 else
10806 LDFLAGS="-L${withval}/lib ${LDFLAGS}"
10807 fi
10141 fi 10808 fi
10142 echo "$as_me:$LINENO: checking for el_init in -ledit" >&5 10809 echo "$as_me:$LINENO: checking for el_init in -ledit" >&5
10143echo $ECHO_N "checking for el_init in -ledit... $ECHO_C" >&6 10810echo $ECHO_N "checking for el_init in -ledit... $ECHO_C" >&6
@@ -10207,7 +10874,7 @@ echo "${ECHO_T}$ac_cv_lib_edit_el_init" >&6
10207if test $ac_cv_lib_edit_el_init = yes; then 10874if test $ac_cv_lib_edit_el_init = yes; then
10208 10875
10209cat >>confdefs.h <<\_ACEOF 10876cat >>confdefs.h <<\_ACEOF
10210#define USE_LIBEDIT 10877#define USE_LIBEDIT 1
10211_ACEOF 10878_ACEOF
10212 10879
10213 LIBEDIT="-ledit -lcurses" 10880 LIBEDIT="-ledit -lcurses"
@@ -10734,7 +11401,7 @@ done
10734 11401
10735 11402
10736cat >>confdefs.h <<\_ACEOF 11403cat >>confdefs.h <<\_ACEOF
10737#define USE_BSM_AUDIT 11404#define USE_BSM_AUDIT 1
10738_ACEOF 11405_ACEOF
10739 11406
10740 ;; 11407 ;;
@@ -10744,7 +11411,7 @@ _ACEOF
10744echo "${ECHO_T}debug" >&6 11411echo "${ECHO_T}debug" >&6
10745 11412
10746cat >>confdefs.h <<\_ACEOF 11413cat >>confdefs.h <<\_ACEOF
10747#define SSH_AUDIT_EVENTS 11414#define SSH_AUDIT_EVENTS 1
10748_ACEOF 11415_ACEOF
10749 11416
10750 ;; 11417 ;;
@@ -10841,8 +11508,10 @@ fi;
10841 11508
10842 11509
10843 11510
11511
10844for ac_func in \ 11512for ac_func in \
10845 arc4random \ 11513 arc4random \
11514 asprintf \
10846 b64_ntop \ 11515 b64_ntop \
10847 __b64_ntop \ 11516 __b64_ntop \
10848 b64_pton \ 11517 b64_pton \
@@ -10918,7 +11587,7 @@ for ac_func in \
10918 truncate \ 11587 truncate \
10919 unsetenv \ 11588 unsetenv \
10920 updwtmpx \ 11589 updwtmpx \
10921 utimes \ 11590 vasprintf \
10922 vhangup \ 11591 vhangup \
10923 vsnprintf \ 11592 vsnprintf \
10924 waitpid \ 11593 waitpid \
@@ -11312,7 +11981,8 @@ echo "$as_me:$LINENO: result: $ac_cv_search_nanosleep" >&5
11312echo "${ECHO_T}$ac_cv_search_nanosleep" >&6 11981echo "${ECHO_T}$ac_cv_search_nanosleep" >&6
11313if test "$ac_cv_search_nanosleep" != no; then 11982if test "$ac_cv_search_nanosleep" != no; then
11314 test "$ac_cv_search_nanosleep" = "none required" || LIBS="$ac_cv_search_nanosleep $LIBS" 11983 test "$ac_cv_search_nanosleep" = "none required" || LIBS="$ac_cv_search_nanosleep $LIBS"
11315 cat >>confdefs.h <<\_ACEOF 11984
11985cat >>confdefs.h <<\_ACEOF
11316#define HAVE_NANOSLEEP 1 11986#define HAVE_NANOSLEEP 1
11317_ACEOF 11987_ACEOF
11318 11988
@@ -12027,6 +12697,7 @@ echo "$as_me: failed program was:" >&5
12027sed 's/^/| /' conftest.$ac_ext >&5 12697sed 's/^/| /' conftest.$ac_ext >&5
12028 12698
12029( exit $ac_status ) 12699( exit $ac_status )
12700
12030cat >>confdefs.h <<\_ACEOF 12701cat >>confdefs.h <<\_ACEOF
12031#define BROKEN_SETRESUID 1 12702#define BROKEN_SETRESUID 1
12032_ACEOF 12703_ACEOF
@@ -12178,6 +12849,7 @@ echo "$as_me: failed program was:" >&5
12178sed 's/^/| /' conftest.$ac_ext >&5 12849sed 's/^/| /' conftest.$ac_ext >&5
12179 12850
12180( exit $ac_status ) 12851( exit $ac_status )
12852
12181cat >>confdefs.h <<\_ACEOF 12853cat >>confdefs.h <<\_ACEOF
12182#define BROKEN_SETRESGID 1 12854#define BROKEN_SETRESGID 1
12183_ACEOF 12855_ACEOF
@@ -12805,7 +13477,8 @@ fi
12805echo "$as_me:$LINENO: result: $ac_cv_func_daemon" >&5 13477echo "$as_me:$LINENO: result: $ac_cv_func_daemon" >&5
12806echo "${ECHO_T}$ac_cv_func_daemon" >&6 13478echo "${ECHO_T}$ac_cv_func_daemon" >&6
12807if test $ac_cv_func_daemon = yes; then 13479if test $ac_cv_func_daemon = yes; then
12808 cat >>confdefs.h <<\_ACEOF 13480
13481cat >>confdefs.h <<\_ACEOF
12809#define HAVE_DAEMON 1 13482#define HAVE_DAEMON 1
12810_ACEOF 13483_ACEOF
12811 13484
@@ -12976,7 +13649,8 @@ fi
12976echo "$as_me:$LINENO: result: $ac_cv_func_getpagesize" >&5 13649echo "$as_me:$LINENO: result: $ac_cv_func_getpagesize" >&5
12977echo "${ECHO_T}$ac_cv_func_getpagesize" >&6 13650echo "${ECHO_T}$ac_cv_func_getpagesize" >&6
12978if test $ac_cv_func_getpagesize = yes; then 13651if test $ac_cv_func_getpagesize = yes; then
12979 cat >>confdefs.h <<\_ACEOF 13652
13653cat >>confdefs.h <<\_ACEOF
12980#define HAVE_GETPAGESIZE 1 13654#define HAVE_GETPAGESIZE 1
12981_ACEOF 13655_ACEOF
12982 13656
@@ -13098,7 +13772,8 @@ sed 's/^/| /' conftest.$ac_ext >&5
13098 13772
13099 echo "$as_me:$LINENO: result: no" >&5 13773 echo "$as_me:$LINENO: result: no" >&5
13100echo "${ECHO_T}no" >&6 13774echo "${ECHO_T}no" >&6
13101 cat >>confdefs.h <<\_ACEOF 13775
13776cat >>confdefs.h <<\_ACEOF
13102#define BROKEN_SNPRINTF 1 13777#define BROKEN_SNPRINTF 1
13103_ACEOF 13778_ACEOF
13104 13779
@@ -13110,6 +13785,134 @@ rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftes
13110fi 13785fi
13111fi 13786fi
13112 13787
13788# If we don't have a working asprintf, then we strongly depend on vsnprintf
13789# returning the right thing on overflow: the number of characters it tried to
13790# create (as per SUSv3)
13791if test "x$ac_cv_func_asprintf" != "xyes" && \
13792 test "x$ac_cv_func_vsnprintf" = "xyes" ; then
13793 echo "$as_me:$LINENO: checking whether vsnprintf returns correct values on overflow" >&5
13794echo $ECHO_N "checking whether vsnprintf returns correct values on overflow... $ECHO_C" >&6
13795 if test "$cross_compiling" = yes; then
13796 { echo "$as_me:$LINENO: WARNING: cross compiling: Assuming working vsnprintf()" >&5
13797echo "$as_me: WARNING: cross compiling: Assuming working vsnprintf()" >&2;}
13798
13799else
13800 cat >conftest.$ac_ext <<_ACEOF
13801/* confdefs.h. */
13802_ACEOF
13803cat confdefs.h >>conftest.$ac_ext
13804cat >>conftest.$ac_ext <<_ACEOF
13805/* end confdefs.h. */
13806
13807#include <sys/types.h>
13808#include <stdio.h>
13809#include <stdarg.h>
13810
13811int x_snprintf(char *str,size_t count,const char *fmt,...)
13812{
13813 size_t ret; va_list ap;
13814 va_start(ap, fmt); ret = vsnprintf(str, count, fmt, ap); va_end(ap);
13815 return ret;
13816}
13817int main(void)
13818{
13819 char x[1];
13820 exit(x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1);
13821}
13822_ACEOF
13823rm -f conftest$ac_exeext
13824if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
13825 (eval $ac_link) 2>&5
13826 ac_status=$?
13827 echo "$as_me:$LINENO: \$? = $ac_status" >&5
13828 (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
13829 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
13830 (eval $ac_try) 2>&5
13831 ac_status=$?
13832 echo "$as_me:$LINENO: \$? = $ac_status" >&5
13833 (exit $ac_status); }; }; then
13834 echo "$as_me:$LINENO: result: yes" >&5
13835echo "${ECHO_T}yes" >&6
13836else
13837 echo "$as_me: program exited with status $ac_status" >&5
13838echo "$as_me: failed program was:" >&5
13839sed 's/^/| /' conftest.$ac_ext >&5
13840
13841( exit $ac_status )
13842
13843 echo "$as_me:$LINENO: result: no" >&5
13844echo "${ECHO_T}no" >&6
13845
13846cat >>confdefs.h <<\_ACEOF
13847#define BROKEN_SNPRINTF 1
13848_ACEOF
13849
13850 { echo "$as_me:$LINENO: WARNING: ****** Your vsnprintf() function is broken, complain to your vendor" >&5
13851echo "$as_me: WARNING: ****** Your vsnprintf() function is broken, complain to your vendor" >&2;}
13852
13853fi
13854rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
13855fi
13856fi
13857
13858# On systems where [v]snprintf is broken, but is declared in stdio,
13859# check that the fmt argument is const char * or just char *.
13860# This is only useful for when BROKEN_SNPRINTF
13861echo "$as_me:$LINENO: checking whether snprintf can declare const char *fmt" >&5
13862echo $ECHO_N "checking whether snprintf can declare const char *fmt... $ECHO_C" >&6
13863cat >conftest.$ac_ext <<_ACEOF
13864/* confdefs.h. */
13865_ACEOF
13866cat confdefs.h >>conftest.$ac_ext
13867cat >>conftest.$ac_ext <<_ACEOF
13868/* end confdefs.h. */
13869#include <stdio.h>
13870 int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
13871 int main(void) { snprintf(0, 0, 0); }
13872
13873_ACEOF
13874rm -f conftest.$ac_objext
13875if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
13876 (eval $ac_compile) 2>conftest.er1
13877 ac_status=$?
13878 grep -v '^ *+' conftest.er1 >conftest.err
13879 rm -f conftest.er1
13880 cat conftest.err >&5
13881 echo "$as_me:$LINENO: \$? = $ac_status" >&5
13882 (exit $ac_status); } &&
13883 { ac_try='test -z "$ac_c_werror_flag"
13884 || test ! -s conftest.err'
13885 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
13886 (eval $ac_try) 2>&5
13887 ac_status=$?
13888 echo "$as_me:$LINENO: \$? = $ac_status" >&5
13889 (exit $ac_status); }; } &&
13890 { ac_try='test -s conftest.$ac_objext'
13891 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
13892 (eval $ac_try) 2>&5
13893 ac_status=$?
13894 echo "$as_me:$LINENO: \$? = $ac_status" >&5
13895 (exit $ac_status); }; }; then
13896 echo "$as_me:$LINENO: result: yes" >&5
13897echo "${ECHO_T}yes" >&6
13898
13899cat >>confdefs.h <<\_ACEOF
13900#define SNPRINTF_CONST const
13901_ACEOF
13902
13903else
13904 echo "$as_me: failed program was:" >&5
13905sed 's/^/| /' conftest.$ac_ext >&5
13906
13907echo "$as_me:$LINENO: result: no" >&5
13908echo "${ECHO_T}no" >&6
13909 cat >>confdefs.h <<\_ACEOF
13910#define SNPRINTF_CONST /* not const */
13911_ACEOF
13912
13913fi
13914rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
13915
13113# Check for missing getpeereid (or equiv) support 13916# Check for missing getpeereid (or equiv) support
13114NO_PEERCHECK="" 13917NO_PEERCHECK=""
13115if test "x$ac_cv_func_getpeereid" != "xyes" ; then 13918if test "x$ac_cv_func_getpeereid" != "xyes" ; then
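Review bot: When cross compiling, the new overflow check (new lines 13795-13797) only warns and assumes vsnprintf() is correct, although the comment above it says the asprintf replacement strongly depends on the value returned on overflow. A target libc that returns -1 or the truncated length would go unnoticed in that case, so a more conservative default would be to define `BROKEN_SNPRINTF` in the cross-compiling branch. The test program also calls `exit` without `<stdlib.h>` and holds the result in a `size_t` before returning `int`; adding `#include <stdlib.h>` and declaring `int ret;` would keep it valid under stricter compilers. configure is generated, so these changes belong in configure.ac.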
@@ -13157,7 +13960,7 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
13157echo "${ECHO_T}yes" >&6 13960echo "${ECHO_T}yes" >&6
13158 13961
13159cat >>confdefs.h <<\_ACEOF 13962cat >>confdefs.h <<\_ACEOF
13160#define HAVE_SO_PEERCRED 13963#define HAVE_SO_PEERCRED 1
13161_ACEOF 13964_ACEOF
13162 13965
13163 13966
@@ -13226,7 +14029,8 @@ sed 's/^/| /' conftest.$ac_ext >&5
13226 14029
13227 echo "$as_me:$LINENO: result: yes" >&5 14030 echo "$as_me:$LINENO: result: yes" >&5
13228echo "${ECHO_T}yes" >&6 14031echo "${ECHO_T}yes" >&6
13229 cat >>confdefs.h <<\_ACEOF 14032
14033cat >>confdefs.h <<\_ACEOF
13230#define HAVE_STRICT_MKSTEMP 1 14034#define HAVE_STRICT_MKSTEMP 1
13231_ACEOF 14035_ACEOF
13232 14036
@@ -13240,11 +14044,11 @@ if test ! -z "$check_for_openpty_ctty_bug"; then
13240 echo "$as_me:$LINENO: checking if openpty correctly handles controlling tty" >&5 14044 echo "$as_me:$LINENO: checking if openpty correctly handles controlling tty" >&5
13241echo $ECHO_N "checking if openpty correctly handles controlling tty... $ECHO_C" >&6 14045echo $ECHO_N "checking if openpty correctly handles controlling tty... $ECHO_C" >&6
13242 if test "$cross_compiling" = yes; then 14046 if test "$cross_compiling" = yes; then
13243 { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling 14047
13244See \`config.log' for more details." >&5 14048 echo "$as_me:$LINENO: result: cross-compiling" >&5
13245echo "$as_me: error: cannot run test program while cross compiling 14049echo "${ECHO_T}cross-compiling" >&6
13246See \`config.log' for more details." >&2;} 14050
13247 { (exit 1); exit 1; }; } 14051
13248else 14052else
13249 cat >conftest.$ac_ext <<_ACEOF 14053 cat >conftest.$ac_ext <<_ACEOF
13250/* confdefs.h. */ 14054/* confdefs.h. */
@@ -13315,7 +14119,6 @@ echo "${ECHO_T}no" >&6
13315_ACEOF 14119_ACEOF
13316 14120
13317 14121
13318
13319fi 14122fi
13320rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext 14123rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
13321fi 14124fi
@@ -13326,11 +14129,11 @@ if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
13326 echo "$as_me:$LINENO: checking if getaddrinfo seems to work" >&5 14129 echo "$as_me:$LINENO: checking if getaddrinfo seems to work" >&5
13327echo $ECHO_N "checking if getaddrinfo seems to work... $ECHO_C" >&6 14130echo $ECHO_N "checking if getaddrinfo seems to work... $ECHO_C" >&6
13328 if test "$cross_compiling" = yes; then 14131 if test "$cross_compiling" = yes; then
13329 { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling 14132
13330See \`config.log' for more details." >&5 14133 echo "$as_me:$LINENO: result: cross-compiling" >&5
13331echo "$as_me: error: cannot run test program while cross compiling 14134echo "${ECHO_T}cross-compiling" >&6
13332See \`config.log' for more details." >&2;} 14135
13333 { (exit 1); exit 1; }; } 14136
13334else 14137else
13335 cat >conftest.$ac_ext <<_ACEOF 14138 cat >conftest.$ac_ext <<_ACEOF
13336/* confdefs.h. */ 14139/* confdefs.h. */
@@ -13423,7 +14226,6 @@ echo "${ECHO_T}no" >&6
13423_ACEOF 14226_ACEOF
13424 14227
13425 14228
13426
13427fi 14229fi
13428rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext 14230rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
13429fi 14231fi
@@ -13434,11 +14236,10 @@ if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
13434 echo "$as_me:$LINENO: checking if getaddrinfo seems to work" >&5 14236 echo "$as_me:$LINENO: checking if getaddrinfo seems to work" >&5
13435echo $ECHO_N "checking if getaddrinfo seems to work... $ECHO_C" >&6 14237echo $ECHO_N "checking if getaddrinfo seems to work... $ECHO_C" >&6
13436 if test "$cross_compiling" = yes; then 14238 if test "$cross_compiling" = yes; then
13437 { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling 14239 echo "$as_me:$LINENO: result: cross-compiling" >&5
13438See \`config.log' for more details." >&5 14240echo "${ECHO_T}cross-compiling" >&6
13439echo "$as_me: error: cannot run test program while cross compiling 14241
13440See \`config.log' for more details." >&2;} 14242 ]
13441 { (exit 1); exit 1; }; }
13442else 14243else
13443 cat >conftest.$ac_ext <<_ACEOF 14244 cat >conftest.$ac_ext <<_ACEOF
13444/* confdefs.h. */ 14245/* confdefs.h. */
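Review bot: The cross-compiling branch of this third "getaddrinfo seems to work" check now contains a bare `]` on new line 14242, which the shell will try to run as a command whenever `$cross_compiling` is `yes`. It looks like a leftover quoting bracket from configure.ac that leaked into the generated script. The other two cross-compiling branches changed in this commit (new lines 14047-14051 and 14132-14136) do not have it. The line should be removed at its source in configure.ac and configure regenerated. The enclosing `if` continues beyond this hunk.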
@@ -13506,7 +14307,7 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
13506echo "${ECHO_T}yes" >&6 14307echo "${ECHO_T}yes" >&6
13507 14308
13508cat >>confdefs.h <<\_ACEOF 14309cat >>confdefs.h <<\_ACEOF
13509#define AIX_GETNAMEINFO_HACK 14310#define AIX_GETNAMEINFO_HACK 1
13510_ACEOF 14311_ACEOF
13511 14312
13512 14313
@@ -13524,7 +14325,6 @@ echo "${ECHO_T}no" >&6
13524_ACEOF 14325_ACEOF
13525 14326
13526 14327
13527
13528fi 14328fi
13529rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext 14329rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
13530fi 14330fi
@@ -14021,7 +14821,8 @@ done
14021 14821
14022 PAM_MSG="yes" 14822 PAM_MSG="yes"
14023 14823
14024 cat >>confdefs.h <<\_ACEOF 14824
14825cat >>confdefs.h <<\_ACEOF
14025#define USE_PAM 1 14826#define USE_PAM 1
14026_ACEOF 14827_ACEOF
14027 14828
@@ -14092,7 +14893,8 @@ else
14092sed 's/^/| /' conftest.$ac_ext >&5 14893sed 's/^/| /' conftest.$ac_ext >&5
14093 14894
14094 14895
14095 cat >>confdefs.h <<\_ACEOF 14896
14897cat >>confdefs.h <<\_ACEOF
14096#define HAVE_OLD_PAM 1 14898#define HAVE_OLD_PAM 1
14097_ACEOF 14899_ACEOF
14098 14900
@@ -14185,7 +14987,8 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
14185 ac_status=$? 14987 ac_status=$?
14186 echo "$as_me:$LINENO: \$? = $ac_status" >&5 14988 echo "$as_me:$LINENO: \$? = $ac_status" >&5
14187 (exit $ac_status); }; }; then 14989 (exit $ac_status); }; }; then
14188 cat >>confdefs.h <<\_ACEOF 14990
14991cat >>confdefs.h <<\_ACEOF
14189#define HAVE_OPENSSL 1 14992#define HAVE_OPENSSL 1
14190_ACEOF 14993_ACEOF
14191 14994
@@ -14464,6 +15267,64 @@ fi
14464rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext 15267rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
14465fi 15268fi
14466 15269
15270# Check for OpenSSL without EVP_aes_{192,256}_cbc
15271echo "$as_me:$LINENO: checking whether OpenSSL has crippled AES support" >&5
15272echo $ECHO_N "checking whether OpenSSL has crippled AES support... $ECHO_C" >&6
15273cat >conftest.$ac_ext <<_ACEOF
15274/* confdefs.h. */
15275_ACEOF
15276cat confdefs.h >>conftest.$ac_ext
15277cat >>conftest.$ac_ext <<_ACEOF
15278/* end confdefs.h. */
15279
15280#include <string.h>
15281#include <openssl/evp.h>
15282int main(void) { exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);}
15283
15284_ACEOF
15285rm -f conftest.$ac_objext
15286if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
15287 (eval $ac_compile) 2>conftest.er1
15288 ac_status=$?
15289 grep -v '^ *+' conftest.er1 >conftest.err
15290 rm -f conftest.er1
15291 cat conftest.err >&5
15292 echo "$as_me:$LINENO: \$? = $ac_status" >&5
15293 (exit $ac_status); } &&
15294 { ac_try='test -z "$ac_c_werror_flag"
15295 || test ! -s conftest.err'
15296 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
15297 (eval $ac_try) 2>&5
15298 ac_status=$?
15299 echo "$as_me:$LINENO: \$? = $ac_status" >&5
15300 (exit $ac_status); }; } &&
15301 { ac_try='test -s conftest.$ac_objext'
15302 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
15303 (eval $ac_try) 2>&5
15304 ac_status=$?
15305 echo "$as_me:$LINENO: \$? = $ac_status" >&5
15306 (exit $ac_status); }; }; then
15307
15308 echo "$as_me:$LINENO: result: no" >&5
15309echo "${ECHO_T}no" >&6
15310
15311else
15312 echo "$as_me: failed program was:" >&5
15313sed 's/^/| /' conftest.$ac_ext >&5
15314
15315
15316 echo "$as_me:$LINENO: result: yes" >&5
15317echo "${ECHO_T}yes" >&6
15318
15319cat >>confdefs.h <<\_ACEOF
15320#define OPENSSL_LOBOTOMISED_AES 1
15321_ACEOF
15322
15323
15324
15325fi
15326rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
15327
14467# Some systems want crypt() from libcrypt, *not* the version in OpenSSL, 15328# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
14468# because the system crypt() is more featureful. 15329# because the system crypt() is more featureful.
14469if test "x$check_for_libcrypt_before" = "x1"; then 15330if test "x$check_for_libcrypt_before" = "x1"; then
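Review bot: The new "crippled AES" check (new lines 15270-15326) only compiles its test program, so the `EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL` expression in `main` is never linked or run and cannot affect the result. As written, `OPENSSL_LOBOTOMISED_AES` is defined only when compilation fails, and a compiler that accepts implicit declarations may compile this even when the library lacks those functions. A link test (presumably `AC_LINK_IFELSE` in configure.ac) would at least catch missing symbols. Catching functions that exist but return NULL would need a run test with a cross-compiling fallback. The test program should also include `<stdlib.h>` for `exit`, and since configure is generated the fix belongs in configure.ac.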
@@ -14776,7 +15637,8 @@ fi;
14776# Which randomness source do we use? 15637# Which randomness source do we use?
14777if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then 15638if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then
14778 # OpenSSL only 15639 # OpenSSL only
14779 cat >>confdefs.h <<\_ACEOF 15640
15641cat >>confdefs.h <<\_ACEOF
14780#define OPENSSL_PRNG_ONLY 1 15642#define OPENSSL_PRNG_ONLY 1
14781_ACEOF 15643_ACEOF
14782 15644
@@ -14811,7 +15673,8 @@ echo "$as_me: error: You must specify a numeric port number for --with-prngd-por
14811 esac 15673 esac
14812 if test ! -z "$withval" ; then 15674 if test ! -z "$withval" ; then
14813 PRNGD_PORT="$withval" 15675 PRNGD_PORT="$withval"
14814 cat >>confdefs.h <<_ACEOF 15676
15677cat >>confdefs.h <<_ACEOF
14815#define PRNGD_PORT $PRNGD_PORT 15678#define PRNGD_PORT $PRNGD_PORT
14816_ACEOF 15679_ACEOF
14817 15680
@@ -14853,7 +15716,8 @@ echo "$as_me: error: You may not specify both a PRNGD/EGD port and socket" >&2;}
14853echo "$as_me: WARNING: Entropy socket is not readable" >&2;} 15716echo "$as_me: WARNING: Entropy socket is not readable" >&2;}
14854 fi 15717 fi
14855 PRNGD_SOCKET="$withval" 15718 PRNGD_SOCKET="$withval"
14856 cat >>confdefs.h <<_ACEOF 15719
15720cat >>confdefs.h <<_ACEOF
14857#define PRNGD_SOCKET "$PRNGD_SOCKET" 15721#define PRNGD_SOCKET "$PRNGD_SOCKET"
14858_ACEOF 15722_ACEOF
14859 15723
@@ -14902,6 +15766,7 @@ if test "${with_entropy_timeout+set}" = set; then
14902 15766
14903 15767
14904fi; 15768fi;
15769
14905cat >>confdefs.h <<_ACEOF 15770cat >>confdefs.h <<_ACEOF
14906#define ENTROPY_TIMEOUT_MSEC $entropy_timeout 15771#define ENTROPY_TIMEOUT_MSEC $entropy_timeout
14907_ACEOF 15772_ACEOF
@@ -14920,6 +15785,7 @@ if test "${with_privsep_user+set}" = set; then
14920 15785
14921 15786
14922fi; 15787fi;
15788
14923cat >>confdefs.h <<_ACEOF 15789cat >>confdefs.h <<_ACEOF
14924#define SSH_PRIVSEP_USER "$SSH_PRIVSEP_USER" 15790#define SSH_PRIVSEP_USER "$SSH_PRIVSEP_USER"
14925_ACEOF 15791_ACEOF
@@ -15685,7 +16551,202 @@ if test ! -z "$SONY" ; then
15685 LIBS="$LIBS -liberty"; 16551 LIBS="$LIBS -liberty";
15686fi 16552fi
15687 16553
15688# Checks for data types 16554# Check for long long datatypes
16555echo "$as_me:$LINENO: checking for long long" >&5
16556echo $ECHO_N "checking for long long... $ECHO_C" >&6
16557if test "${ac_cv_type_long_long+set}" = set; then
16558 echo $ECHO_N "(cached) $ECHO_C" >&6
16559else
16560 cat >conftest.$ac_ext <<_ACEOF
16561/* confdefs.h. */
16562_ACEOF
16563cat confdefs.h >>conftest.$ac_ext
16564cat >>conftest.$ac_ext <<_ACEOF
16565/* end confdefs.h. */
16566$ac_includes_default
16567int
16568main ()
16569{
16570if ((long long *) 0)
16571 return 0;
16572if (sizeof (long long))
16573 return 0;
16574 ;
16575 return 0;
16576}
16577_ACEOF
16578rm -f conftest.$ac_objext
16579if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
16580 (eval $ac_compile) 2>conftest.er1
16581 ac_status=$?
16582 grep -v '^ *+' conftest.er1 >conftest.err
16583 rm -f conftest.er1
16584 cat conftest.err >&5
16585 echo "$as_me:$LINENO: \$? = $ac_status" >&5
16586 (exit $ac_status); } &&
16587 { ac_try='test -z "$ac_c_werror_flag"
16588 || test ! -s conftest.err'
16589 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
16590 (eval $ac_try) 2>&5
16591 ac_status=$?
16592 echo "$as_me:$LINENO: \$? = $ac_status" >&5
16593 (exit $ac_status); }; } &&
16594 { ac_try='test -s conftest.$ac_objext'
16595 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
16596 (eval $ac_try) 2>&5
16597 ac_status=$?
16598 echo "$as_me:$LINENO: \$? = $ac_status" >&5
16599 (exit $ac_status); }; }; then
16600 ac_cv_type_long_long=yes
16601else
16602 echo "$as_me: failed program was:" >&5
16603sed 's/^/| /' conftest.$ac_ext >&5
16604
16605ac_cv_type_long_long=no
16606fi
16607rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
16608fi
16609echo "$as_me:$LINENO: result: $ac_cv_type_long_long" >&5
16610echo "${ECHO_T}$ac_cv_type_long_long" >&6
16611if test $ac_cv_type_long_long = yes; then
16612
16613cat >>confdefs.h <<_ACEOF
16614#define HAVE_LONG_LONG 1
16615_ACEOF
16616
16617
16618fi
16619echo "$as_me:$LINENO: checking for unsigned long long" >&5
16620echo $ECHO_N "checking for unsigned long long... $ECHO_C" >&6
16621if test "${ac_cv_type_unsigned_long_long+set}" = set; then
16622 echo $ECHO_N "(cached) $ECHO_C" >&6
16623else
16624 cat >conftest.$ac_ext <<_ACEOF
16625/* confdefs.h. */
16626_ACEOF
16627cat confdefs.h >>conftest.$ac_ext
16628cat >>conftest.$ac_ext <<_ACEOF
16629/* end confdefs.h. */
16630$ac_includes_default
16631int
16632main ()
16633{
16634if ((unsigned long long *) 0)
16635 return 0;
16636if (sizeof (unsigned long long))
16637 return 0;
16638 ;
16639 return 0;
16640}
16641_ACEOF
16642rm -f conftest.$ac_objext
16643if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
16644 (eval $ac_compile) 2>conftest.er1
16645 ac_status=$?
16646 grep -v '^ *+' conftest.er1 >conftest.err
16647 rm -f conftest.er1
16648 cat conftest.err >&5
16649 echo "$as_me:$LINENO: \$? = $ac_status" >&5
16650 (exit $ac_status); } &&
16651 { ac_try='test -z "$ac_c_werror_flag"
16652 || test ! -s conftest.err'
16653 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
16654 (eval $ac_try) 2>&5
16655 ac_status=$?
16656 echo "$as_me:$LINENO: \$? = $ac_status" >&5
16657 (exit $ac_status); }; } &&
16658 { ac_try='test -s conftest.$ac_objext'
16659 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
16660 (eval $ac_try) 2>&5
16661 ac_status=$?
16662 echo "$as_me:$LINENO: \$? = $ac_status" >&5
16663 (exit $ac_status); }; }; then
16664 ac_cv_type_unsigned_long_long=yes
16665else
16666 echo "$as_me: failed program was:" >&5
16667sed 's/^/| /' conftest.$ac_ext >&5
16668
16669ac_cv_type_unsigned_long_long=no
16670fi
16671rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
16672fi
16673echo "$as_me:$LINENO: result: $ac_cv_type_unsigned_long_long" >&5
16674echo "${ECHO_T}$ac_cv_type_unsigned_long_long" >&6
16675if test $ac_cv_type_unsigned_long_long = yes; then
16676
16677cat >>confdefs.h <<_ACEOF
16678#define HAVE_UNSIGNED_LONG_LONG 1
16679_ACEOF
16680
16681
16682fi
16683echo "$as_me:$LINENO: checking for long double" >&5
16684echo $ECHO_N "checking for long double... $ECHO_C" >&6
16685if test "${ac_cv_type_long_double+set}" = set; then
16686 echo $ECHO_N "(cached) $ECHO_C" >&6
16687else
16688 cat >conftest.$ac_ext <<_ACEOF
16689/* confdefs.h. */
16690_ACEOF
16691cat confdefs.h >>conftest.$ac_ext
16692cat >>conftest.$ac_ext <<_ACEOF
16693/* end confdefs.h. */
16694$ac_includes_default
16695int
16696main ()
16697{
16698if ((long double *) 0)
16699 return 0;
16700if (sizeof (long double))
16701 return 0;
16702 ;
16703 return 0;
16704}
16705_ACEOF
16706rm -f conftest.$ac_objext
16707if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
16708 (eval $ac_compile) 2>conftest.er1
16709 ac_status=$?
16710 grep -v '^ *+' conftest.er1 >conftest.err
16711 rm -f conftest.er1
16712 cat conftest.err >&5
16713 echo "$as_me:$LINENO: \$? = $ac_status" >&5
16714 (exit $ac_status); } &&
16715 { ac_try='test -z "$ac_c_werror_flag"
16716 || test ! -s conftest.err'
16717 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
16718 (eval $ac_try) 2>&5
16719 ac_status=$?
16720 echo "$as_me:$LINENO: \$? = $ac_status" >&5
16721 (exit $ac_status); }; } &&
16722 { ac_try='test -s conftest.$ac_objext'
16723 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
16724 (eval $ac_try) 2>&5
16725 ac_status=$?
16726 echo "$as_me:$LINENO: \$? = $ac_status" >&5
16727 (exit $ac_status); }; }; then
16728 ac_cv_type_long_double=yes
16729else
16730 echo "$as_me: failed program was:" >&5
16731sed 's/^/| /' conftest.$ac_ext >&5
16732
16733ac_cv_type_long_double=no
16734fi
16735rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
16736fi
16737echo "$as_me:$LINENO: result: $ac_cv_type_long_double" >&5
16738echo "${ECHO_T}$ac_cv_type_long_double" >&6
16739if test $ac_cv_type_long_double = yes; then
16740
16741cat >>confdefs.h <<_ACEOF
16742#define HAVE_LONG_DOUBLE 1
16743_ACEOF
16744
16745
16746fi
16747
16748
16749# Check datatype sizes
15689echo "$as_me:$LINENO: checking for char" >&5 16750echo "$as_me:$LINENO: checking for char" >&5
15690echo $ECHO_N "checking for char... $ECHO_C" >&6 16751echo $ECHO_N "checking for char... $ECHO_C" >&6
15691if test "${ac_cv_type_char+set}" = set; then 16752if test "${ac_cv_type_char+set}" = set; then
@@ -17762,6 +18823,124 @@ if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
17762 ac_cv_sizeof_long_long_int=0 18823 ac_cv_sizeof_long_long_int=0
17763fi 18824fi
17764 18825
18826# compute LLONG_MIN and LLONG_MAX if we don't know them.
18827if test -z "$have_llong_max"; then
18828 echo "$as_me:$LINENO: checking for max value of long long" >&5
18829echo $ECHO_N "checking for max value of long long... $ECHO_C" >&6
18830 if test "$cross_compiling" = yes; then
18831
18832 { echo "$as_me:$LINENO: WARNING: cross compiling: not checking" >&5
18833echo "$as_me: WARNING: cross compiling: not checking" >&2;}
18834
18835
18836else
18837 cat >conftest.$ac_ext <<_ACEOF
18838/* confdefs.h. */
18839_ACEOF
18840cat confdefs.h >>conftest.$ac_ext
18841cat >>conftest.$ac_ext <<_ACEOF
18842/* end confdefs.h. */
18843
18844#include <stdio.h>
18845/* Why is this so damn hard? */
18846#ifdef __GNUC__
18847# undef __GNUC__
18848#endif
18849#define __USE_ISOC99
18850#include <limits.h>
18851#define DATA "conftest.llminmax"
18852int main(void) {
18853 FILE *f;
18854 long long i, llmin, llmax = 0;
18855
18856 if((f = fopen(DATA,"w")) == NULL)
18857 exit(1);
18858
18859#if defined(LLONG_MIN) && defined(LLONG_MAX)
18860 fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
18861 llmin = LLONG_MIN;
18862 llmax = LLONG_MAX;
18863#else
18864 fprintf(stderr, "Calculating LLONG_MIN and LLONG_MAX\n");
18865 /* This will work on one's complement and two's complement */
18866 for (i = 1; i > llmax; i <<= 1, i++)
18867 llmax = i;
18868 llmin = llmax + 1LL; /* wrap */
18869#endif
18870
18871 /* Sanity check */
18872 if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
18873 || llmax - 1 > llmax) {
18874 fprintf(f, "unknown unknown\n");
18875 exit(2);
18876 }
18877
18878 if (fprintf(f ,"%lld %lld", llmin, llmax) < 0)
18879 exit(3);
18880
18881 exit(0);
18882}
18883
18884_ACEOF
18885rm -f conftest$ac_exeext
18886if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
18887 (eval $ac_link) 2>&5
18888 ac_status=$?
18889 echo "$as_me:$LINENO: \$? = $ac_status" >&5
18890 (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
18891 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
18892 (eval $ac_try) 2>&5
18893 ac_status=$?
18894 echo "$as_me:$LINENO: \$? = $ac_status" >&5
18895 (exit $ac_status); }; }; then
18896
18897 llong_min=`$AWK '{print $1}' conftest.llminmax`
18898 llong_max=`$AWK '{print $2}' conftest.llminmax`
18899
18900 # snprintf on some Tru64s doesn't understand "%lld"
18901 case "$host" in
18902 alpha-dec-osf*)
18903 if test "x$ac_cv_sizeof_long_long_int" = "x8" &&
18904 test "x$llong_max" = "xld"; then
18905 llong_min="-9223372036854775808"
18906 llong_max="9223372036854775807"
18907 fi
18908 ;;
18909 esac
18910
18911 echo "$as_me:$LINENO: result: $llong_max" >&5
18912echo "${ECHO_T}$llong_max" >&6
18913
18914cat >>confdefs.h <<_ACEOF
18915#define LLONG_MAX ${llong_max}LL
18916_ACEOF
18917
18918 echo "$as_me:$LINENO: checking for min value of long long" >&5
18919echo $ECHO_N "checking for min value of long long... $ECHO_C" >&6
18920 echo "$as_me:$LINENO: result: $llong_min" >&5
18921echo "${ECHO_T}$llong_min" >&6
18922
18923cat >>confdefs.h <<_ACEOF
18924#define LLONG_MIN ${llong_min}LL
18925_ACEOF
18926
18927
18928else
18929 echo "$as_me: program exited with status $ac_status" >&5
18930echo "$as_me: failed program was:" >&5
18931sed 's/^/| /' conftest.$ac_ext >&5
18932
18933( exit $ac_status )
18934
18935 echo "$as_me:$LINENO: result: not found" >&5
18936echo "${ECHO_T}not found" >&6
18937
18938fi
18939rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
18940fi
18941fi
18942
18943
17765# More checks for data types 18944# More checks for data types
17766echo "$as_me:$LINENO: checking for u_int type" >&5 18945echo "$as_me:$LINENO: checking for u_int type" >&5
17767echo $ECHO_N "checking for u_int type... $ECHO_C" >&6 18946echo $ECHO_N "checking for u_int type... $ECHO_C" >&6
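Review bot: The fallback path of the new LLONG_MIN/LLONG_MAX test program (new lines 18864-18876) relies on signed `long long` overflow: `i <<= 1, i++` past the top bit, `llmax + 1LL` to wrap, and the sanity check `llmin - 1 < llmin || llmax + 1 > llmax`. Signed overflow is undefined in C, so an optimising compiler may fold these comparisons, and the check can then fail or record wrong limits in confdefs.h. On two's-complement targets the values can be derived without overflow, e.g. `llmax = (long long)(~0ULL >> 1);` and `llmin = -llmax - 1;`. The sanity check would need the same treatment, or could be dropped on that path. As configure is generated, the change belongs in configure.ac.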
@@ -17820,7 +18999,8 @@ fi
17820echo "$as_me:$LINENO: result: $ac_cv_have_u_int" >&5 18999echo "$as_me:$LINENO: result: $ac_cv_have_u_int" >&5
17821echo "${ECHO_T}$ac_cv_have_u_int" >&6 19000echo "${ECHO_T}$ac_cv_have_u_int" >&6
17822if test "x$ac_cv_have_u_int" = "xyes" ; then 19001if test "x$ac_cv_have_u_int" = "xyes" ; then
17823 cat >>confdefs.h <<\_ACEOF 19002
19003cat >>confdefs.h <<\_ACEOF
17824#define HAVE_U_INT 1 19004#define HAVE_U_INT 1
17825_ACEOF 19005_ACEOF
17826 19006
@@ -17884,7 +19064,8 @@ fi
17884echo "$as_me:$LINENO: result: $ac_cv_have_intxx_t" >&5 19064echo "$as_me:$LINENO: result: $ac_cv_have_intxx_t" >&5
17885echo "${ECHO_T}$ac_cv_have_intxx_t" >&6 19065echo "${ECHO_T}$ac_cv_have_intxx_t" >&6
17886if test "x$ac_cv_have_intxx_t" = "xyes" ; then 19066if test "x$ac_cv_have_intxx_t" = "xyes" ; then
17887 cat >>confdefs.h <<\_ACEOF 19067
19068cat >>confdefs.h <<\_ACEOF
17888#define HAVE_INTXX_T 1 19069#define HAVE_INTXX_T 1
17889_ACEOF 19070_ACEOF
17890 19071
@@ -18018,7 +19199,8 @@ fi
18018echo "$as_me:$LINENO: result: $ac_cv_have_int64_t" >&5 19199echo "$as_me:$LINENO: result: $ac_cv_have_int64_t" >&5
18019echo "${ECHO_T}$ac_cv_have_int64_t" >&6 19200echo "${ECHO_T}$ac_cv_have_int64_t" >&6
18020if test "x$ac_cv_have_int64_t" = "xyes" ; then 19201if test "x$ac_cv_have_int64_t" = "xyes" ; then
18021 cat >>confdefs.h <<\_ACEOF 19202
19203cat >>confdefs.h <<\_ACEOF
18022#define HAVE_INT64_T 1 19204#define HAVE_INT64_T 1
18023_ACEOF 19205_ACEOF
18024 19206
@@ -18081,7 +19263,8 @@ fi
18081echo "$as_me:$LINENO: result: $ac_cv_have_u_intxx_t" >&5 19263echo "$as_me:$LINENO: result: $ac_cv_have_u_intxx_t" >&5
18082echo "${ECHO_T}$ac_cv_have_u_intxx_t" >&6 19264echo "${ECHO_T}$ac_cv_have_u_intxx_t" >&6
18083if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then 19265if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
18084 cat >>confdefs.h <<\_ACEOF 19266
19267cat >>confdefs.h <<\_ACEOF
18085#define HAVE_U_INTXX_T 1 19268#define HAVE_U_INTXX_T 1
18086_ACEOF 19269_ACEOF
18087 19270
@@ -18204,7 +19387,8 @@ fi
18204echo "$as_me:$LINENO: result: $ac_cv_have_u_int64_t" >&5 19387echo "$as_me:$LINENO: result: $ac_cv_have_u_int64_t" >&5
18205echo "${ECHO_T}$ac_cv_have_u_int64_t" >&6 19388echo "${ECHO_T}$ac_cv_have_u_int64_t" >&6
18206if test "x$ac_cv_have_u_int64_t" = "xyes" ; then 19389if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
18207 cat >>confdefs.h <<\_ACEOF 19390
19391cat >>confdefs.h <<\_ACEOF
18208#define HAVE_U_INT64_T 1 19392#define HAVE_U_INT64_T 1
18209_ACEOF 19393_ACEOF
18210 19394
@@ -18330,7 +19514,8 @@ fi
18330echo "$as_me:$LINENO: result: $ac_cv_have_uintxx_t" >&5 19514echo "$as_me:$LINENO: result: $ac_cv_have_uintxx_t" >&5
18331echo "${ECHO_T}$ac_cv_have_uintxx_t" >&6 19515echo "${ECHO_T}$ac_cv_have_uintxx_t" >&6
18332 if test "x$ac_cv_have_uintxx_t" = "xyes" ; then 19516 if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
18333 cat >>confdefs.h <<\_ACEOF 19517
19518cat >>confdefs.h <<\_ACEOF
18334#define HAVE_UINTXX_T 1 19519#define HAVE_UINTXX_T 1
18335_ACEOF 19520_ACEOF
18336 19521
@@ -18527,7 +19712,8 @@ fi
18527echo "$as_me:$LINENO: result: $ac_cv_have_u_char" >&5 19712echo "$as_me:$LINENO: result: $ac_cv_have_u_char" >&5
18528echo "${ECHO_T}$ac_cv_have_u_char" >&6 19713echo "${ECHO_T}$ac_cv_have_u_char" >&6
18529if test "x$ac_cv_have_u_char" = "xyes" ; then 19714if test "x$ac_cv_have_u_char" = "xyes" ; then
18530 cat >>confdefs.h <<\_ACEOF 19715
19716cat >>confdefs.h <<\_ACEOF
18531#define HAVE_U_CHAR 1 19717#define HAVE_U_CHAR 1
18532_ACEOF 19718_ACEOF
18533 19719
@@ -18878,7 +20064,8 @@ fi
18878echo "$as_me:$LINENO: result: $ac_cv_have_size_t" >&5 20064echo "$as_me:$LINENO: result: $ac_cv_have_size_t" >&5
18879echo "${ECHO_T}$ac_cv_have_size_t" >&6 20065echo "${ECHO_T}$ac_cv_have_size_t" >&6
18880if test "x$ac_cv_have_size_t" = "xyes" ; then 20066if test "x$ac_cv_have_size_t" = "xyes" ; then
18881 cat >>confdefs.h <<\_ACEOF 20067
20068cat >>confdefs.h <<\_ACEOF
18882#define HAVE_SIZE_T 1 20069#define HAVE_SIZE_T 1
18883_ACEOF 20070_ACEOF
18884 20071
@@ -18943,7 +20130,8 @@ fi
18943echo "$as_me:$LINENO: result: $ac_cv_have_ssize_t" >&5 20130echo "$as_me:$LINENO: result: $ac_cv_have_ssize_t" >&5
18944echo "${ECHO_T}$ac_cv_have_ssize_t" >&6 20131echo "${ECHO_T}$ac_cv_have_ssize_t" >&6
18945if test "x$ac_cv_have_ssize_t" = "xyes" ; then 20132if test "x$ac_cv_have_ssize_t" = "xyes" ; then
18946 cat >>confdefs.h <<\_ACEOF 20133
20134cat >>confdefs.h <<\_ACEOF
18947#define HAVE_SSIZE_T 1 20135#define HAVE_SSIZE_T 1
18948_ACEOF 20136_ACEOF
18949 20137
@@ -19008,7 +20196,8 @@ fi
19008echo "$as_me:$LINENO: result: $ac_cv_have_clock_t" >&5 20196echo "$as_me:$LINENO: result: $ac_cv_have_clock_t" >&5
19009echo "${ECHO_T}$ac_cv_have_clock_t" >&6 20197echo "${ECHO_T}$ac_cv_have_clock_t" >&6
19010if test "x$ac_cv_have_clock_t" = "xyes" ; then 20198if test "x$ac_cv_have_clock_t" = "xyes" ; then
19011 cat >>confdefs.h <<\_ACEOF 20199
20200cat >>confdefs.h <<\_ACEOF
19012#define HAVE_CLOCK_T 1 20201#define HAVE_CLOCK_T 1
19013_ACEOF 20202_ACEOF
19014 20203
@@ -19123,7 +20312,8 @@ fi
19123echo "$as_me:$LINENO: result: $ac_cv_have_sa_family_t" >&5 20312echo "$as_me:$LINENO: result: $ac_cv_have_sa_family_t" >&5
19124echo "${ECHO_T}$ac_cv_have_sa_family_t" >&6 20313echo "${ECHO_T}$ac_cv_have_sa_family_t" >&6
19125if test "x$ac_cv_have_sa_family_t" = "xyes" ; then 20314if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
19126 cat >>confdefs.h <<\_ACEOF 20315
20316cat >>confdefs.h <<\_ACEOF
19127#define HAVE_SA_FAMILY_T 1 20317#define HAVE_SA_FAMILY_T 1
19128_ACEOF 20318_ACEOF
19129 20319
@@ -19188,7 +20378,8 @@ fi
19188echo "$as_me:$LINENO: result: $ac_cv_have_pid_t" >&5 20378echo "$as_me:$LINENO: result: $ac_cv_have_pid_t" >&5
19189echo "${ECHO_T}$ac_cv_have_pid_t" >&6 20379echo "${ECHO_T}$ac_cv_have_pid_t" >&6
19190if test "x$ac_cv_have_pid_t" = "xyes" ; then 20380if test "x$ac_cv_have_pid_t" = "xyes" ; then
19191 cat >>confdefs.h <<\_ACEOF 20381
20382cat >>confdefs.h <<\_ACEOF
19192#define HAVE_PID_T 1 20383#define HAVE_PID_T 1
19193_ACEOF 20384_ACEOF
19194 20385
@@ -19253,7 +20444,8 @@ fi
19253echo "$as_me:$LINENO: result: $ac_cv_have_mode_t" >&5 20444echo "$as_me:$LINENO: result: $ac_cv_have_mode_t" >&5
19254echo "${ECHO_T}$ac_cv_have_mode_t" >&6 20445echo "${ECHO_T}$ac_cv_have_mode_t" >&6
19255if test "x$ac_cv_have_mode_t" = "xyes" ; then 20446if test "x$ac_cv_have_mode_t" = "xyes" ; then
19256 cat >>confdefs.h <<\_ACEOF 20447
20448cat >>confdefs.h <<\_ACEOF
19257#define HAVE_MODE_T 1 20449#define HAVE_MODE_T 1
19258_ACEOF 20450_ACEOF
19259 20451
@@ -19320,7 +20512,8 @@ fi
19320echo "$as_me:$LINENO: result: $ac_cv_have_struct_sockaddr_storage" >&5 20512echo "$as_me:$LINENO: result: $ac_cv_have_struct_sockaddr_storage" >&5
19321echo "${ECHO_T}$ac_cv_have_struct_sockaddr_storage" >&6 20513echo "${ECHO_T}$ac_cv_have_struct_sockaddr_storage" >&6
19322if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then 20514if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
19323 cat >>confdefs.h <<\_ACEOF 20515
20516cat >>confdefs.h <<\_ACEOF
19324#define HAVE_STRUCT_SOCKADDR_STORAGE 1 20517#define HAVE_STRUCT_SOCKADDR_STORAGE 1
19325_ACEOF 20518_ACEOF
19326 20519
@@ -19386,7 +20579,8 @@ fi
19386echo "$as_me:$LINENO: result: $ac_cv_have_struct_sockaddr_in6" >&5 20579echo "$as_me:$LINENO: result: $ac_cv_have_struct_sockaddr_in6" >&5
19387echo "${ECHO_T}$ac_cv_have_struct_sockaddr_in6" >&6 20580echo "${ECHO_T}$ac_cv_have_struct_sockaddr_in6" >&6
19388if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then 20581if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
19389 cat >>confdefs.h <<\_ACEOF 20582
20583cat >>confdefs.h <<\_ACEOF
19390#define HAVE_STRUCT_SOCKADDR_IN6 1 20584#define HAVE_STRUCT_SOCKADDR_IN6 1
19391_ACEOF 20585_ACEOF
19392 20586
@@ -19452,7 +20646,8 @@ fi
19452echo "$as_me:$LINENO: result: $ac_cv_have_struct_in6_addr" >&5 20646echo "$as_me:$LINENO: result: $ac_cv_have_struct_in6_addr" >&5
19453echo "${ECHO_T}$ac_cv_have_struct_in6_addr" >&6 20647echo "${ECHO_T}$ac_cv_have_struct_in6_addr" >&6
19454if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then 20648if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
19455 cat >>confdefs.h <<\_ACEOF 20649
20650cat >>confdefs.h <<\_ACEOF
19456#define HAVE_STRUCT_IN6_ADDR 1 20651#define HAVE_STRUCT_IN6_ADDR 1
19457_ACEOF 20652_ACEOF
19458 20653
@@ -19519,7 +20714,8 @@ fi
19519echo "$as_me:$LINENO: result: $ac_cv_have_struct_addrinfo" >&5 20714echo "$as_me:$LINENO: result: $ac_cv_have_struct_addrinfo" >&5
19520echo "${ECHO_T}$ac_cv_have_struct_addrinfo" >&6 20715echo "${ECHO_T}$ac_cv_have_struct_addrinfo" >&6
19521if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then 20716if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
19522 cat >>confdefs.h <<\_ACEOF 20717
20718cat >>confdefs.h <<\_ACEOF
19523#define HAVE_STRUCT_ADDRINFO 1 20719#define HAVE_STRUCT_ADDRINFO 1
19524_ACEOF 20720_ACEOF
19525 20721
@@ -19582,7 +20778,8 @@ fi
19582echo "$as_me:$LINENO: result: $ac_cv_have_struct_timeval" >&5 20778echo "$as_me:$LINENO: result: $ac_cv_have_struct_timeval" >&5
19583echo "${ECHO_T}$ac_cv_have_struct_timeval" >&6 20779echo "${ECHO_T}$ac_cv_have_struct_timeval" >&6
19584if test "x$ac_cv_have_struct_timeval" = "xyes" ; then 20780if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
19585 cat >>confdefs.h <<\_ACEOF 20781
20782cat >>confdefs.h <<\_ACEOF
19586#define HAVE_STRUCT_TIMEVAL 1 20783#define HAVE_STRUCT_TIMEVAL 1
19587_ACEOF 20784_ACEOF
19588 20785
@@ -19761,7 +20958,8 @@ fi
19761 echo "$as_me:$LINENO: result: $ossh_result" >&5 20958 echo "$as_me:$LINENO: result: $ossh_result" >&5
19762echo "${ECHO_T}$ossh_result" >&6 20959echo "${ECHO_T}$ossh_result" >&6
19763 if test "x$ossh_result" = "xyes"; then 20960 if test "x$ossh_result" = "xyes"; then
19764 cat >>confdefs.h <<\_ACEOF 20961
20962cat >>confdefs.h <<\_ACEOF
19765#define HAVE_HOST_IN_UTMP 1 20963#define HAVE_HOST_IN_UTMP 1
19766_ACEOF 20964_ACEOF
19767 20965
@@ -19805,7 +21003,8 @@ fi
19805 echo "$as_me:$LINENO: result: $ossh_result" >&5 21003 echo "$as_me:$LINENO: result: $ossh_result" >&5
19806echo "${ECHO_T}$ossh_result" >&6 21004echo "${ECHO_T}$ossh_result" >&6
19807 if test "x$ossh_result" = "xyes"; then 21005 if test "x$ossh_result" = "xyes"; then
19808 cat >>confdefs.h <<\_ACEOF 21006
21007cat >>confdefs.h <<\_ACEOF
19809#define HAVE_HOST_IN_UTMPX 1 21008#define HAVE_HOST_IN_UTMPX 1
19810_ACEOF 21009_ACEOF
19811 21010
@@ -19849,7 +21048,8 @@ fi
19849 echo "$as_me:$LINENO: result: $ossh_result" >&5 21048 echo "$as_me:$LINENO: result: $ossh_result" >&5
19850echo "${ECHO_T}$ossh_result" >&6 21049echo "${ECHO_T}$ossh_result" >&6
19851 if test "x$ossh_result" = "xyes"; then 21050 if test "x$ossh_result" = "xyes"; then
19852 cat >>confdefs.h <<\_ACEOF 21051
21052cat >>confdefs.h <<\_ACEOF
19853#define HAVE_SYSLEN_IN_UTMPX 1 21053#define HAVE_SYSLEN_IN_UTMPX 1
19854_ACEOF 21054_ACEOF
19855 21055
@@ -19893,7 +21093,8 @@ fi
19893 echo "$as_me:$LINENO: result: $ossh_result" >&5 21093 echo "$as_me:$LINENO: result: $ossh_result" >&5
19894echo "${ECHO_T}$ossh_result" >&6 21094echo "${ECHO_T}$ossh_result" >&6
19895 if test "x$ossh_result" = "xyes"; then 21095 if test "x$ossh_result" = "xyes"; then
19896 cat >>confdefs.h <<\_ACEOF 21096
21097cat >>confdefs.h <<\_ACEOF
19897#define HAVE_PID_IN_UTMP 1 21098#define HAVE_PID_IN_UTMP 1
19898_ACEOF 21099_ACEOF
19899 21100
@@ -19937,7 +21138,8 @@ fi
19937 echo "$as_me:$LINENO: result: $ossh_result" >&5 21138 echo "$as_me:$LINENO: result: $ossh_result" >&5
19938echo "${ECHO_T}$ossh_result" >&6 21139echo "${ECHO_T}$ossh_result" >&6
19939 if test "x$ossh_result" = "xyes"; then 21140 if test "x$ossh_result" = "xyes"; then
19940 cat >>confdefs.h <<\_ACEOF 21141
21142cat >>confdefs.h <<\_ACEOF
19941#define HAVE_TYPE_IN_UTMP 1 21143#define HAVE_TYPE_IN_UTMP 1
19942_ACEOF 21144_ACEOF
19943 21145
@@ -19981,7 +21183,8 @@ fi
19981 echo "$as_me:$LINENO: result: $ossh_result" >&5 21183 echo "$as_me:$LINENO: result: $ossh_result" >&5
19982echo "${ECHO_T}$ossh_result" >&6 21184echo "${ECHO_T}$ossh_result" >&6
19983 if test "x$ossh_result" = "xyes"; then 21185 if test "x$ossh_result" = "xyes"; then
19984 cat >>confdefs.h <<\_ACEOF 21186
21187cat >>confdefs.h <<\_ACEOF
19985#define HAVE_TYPE_IN_UTMPX 1 21188#define HAVE_TYPE_IN_UTMPX 1
19986_ACEOF 21189_ACEOF
19987 21190
@@ -20025,7 +21228,8 @@ fi
20025 echo "$as_me:$LINENO: result: $ossh_result" >&5 21228 echo "$as_me:$LINENO: result: $ossh_result" >&5
20026echo "${ECHO_T}$ossh_result" >&6 21229echo "${ECHO_T}$ossh_result" >&6
20027 if test "x$ossh_result" = "xyes"; then 21230 if test "x$ossh_result" = "xyes"; then
20028 cat >>confdefs.h <<\_ACEOF 21231
21232cat >>confdefs.h <<\_ACEOF
20029#define HAVE_TV_IN_UTMP 1 21233#define HAVE_TV_IN_UTMP 1
20030_ACEOF 21234_ACEOF
20031 21235
@@ -20069,7 +21273,8 @@ fi
20069 echo "$as_me:$LINENO: result: $ossh_result" >&5 21273 echo "$as_me:$LINENO: result: $ossh_result" >&5
20070echo "${ECHO_T}$ossh_result" >&6 21274echo "${ECHO_T}$ossh_result" >&6
20071 if test "x$ossh_result" = "xyes"; then 21275 if test "x$ossh_result" = "xyes"; then
20072 cat >>confdefs.h <<\_ACEOF 21276
21277cat >>confdefs.h <<\_ACEOF
20073#define HAVE_ID_IN_UTMP 1 21278#define HAVE_ID_IN_UTMP 1
20074_ACEOF 21279_ACEOF
20075 21280
@@ -20113,7 +21318,8 @@ fi
20113 echo "$as_me:$LINENO: result: $ossh_result" >&5 21318 echo "$as_me:$LINENO: result: $ossh_result" >&5
20114echo "${ECHO_T}$ossh_result" >&6 21319echo "${ECHO_T}$ossh_result" >&6
20115 if test "x$ossh_result" = "xyes"; then 21320 if test "x$ossh_result" = "xyes"; then
20116 cat >>confdefs.h <<\_ACEOF 21321
21322cat >>confdefs.h <<\_ACEOF
20117#define HAVE_ID_IN_UTMPX 1 21323#define HAVE_ID_IN_UTMPX 1
20118_ACEOF 21324_ACEOF
20119 21325
@@ -20157,7 +21363,8 @@ fi
20157 echo "$as_me:$LINENO: result: $ossh_result" >&5 21363 echo "$as_me:$LINENO: result: $ossh_result" >&5
20158echo "${ECHO_T}$ossh_result" >&6 21364echo "${ECHO_T}$ossh_result" >&6
20159 if test "x$ossh_result" = "xyes"; then 21365 if test "x$ossh_result" = "xyes"; then
20160 cat >>confdefs.h <<\_ACEOF 21366
21367cat >>confdefs.h <<\_ACEOF
20161#define HAVE_ADDR_IN_UTMP 1 21368#define HAVE_ADDR_IN_UTMP 1
20162_ACEOF 21369_ACEOF
20163 21370
@@ -20201,7 +21408,8 @@ fi
20201 echo "$as_me:$LINENO: result: $ossh_result" >&5 21408 echo "$as_me:$LINENO: result: $ossh_result" >&5
20202echo "${ECHO_T}$ossh_result" >&6 21409echo "${ECHO_T}$ossh_result" >&6
20203 if test "x$ossh_result" = "xyes"; then 21410 if test "x$ossh_result" = "xyes"; then
20204 cat >>confdefs.h <<\_ACEOF 21411
21412cat >>confdefs.h <<\_ACEOF
20205#define HAVE_ADDR_IN_UTMPX 1 21413#define HAVE_ADDR_IN_UTMPX 1
20206_ACEOF 21414_ACEOF
20207 21415
@@ -20245,7 +21453,8 @@ fi
20245 echo "$as_me:$LINENO: result: $ossh_result" >&5 21453 echo "$as_me:$LINENO: result: $ossh_result" >&5
20246echo "${ECHO_T}$ossh_result" >&6 21454echo "${ECHO_T}$ossh_result" >&6
20247 if test "x$ossh_result" = "xyes"; then 21455 if test "x$ossh_result" = "xyes"; then
20248 cat >>confdefs.h <<\_ACEOF 21456
21457cat >>confdefs.h <<\_ACEOF
20249#define HAVE_ADDR_V6_IN_UTMP 1 21458#define HAVE_ADDR_V6_IN_UTMP 1
20250_ACEOF 21459_ACEOF
20251 21460
@@ -20289,7 +21498,8 @@ fi
20289 echo "$as_me:$LINENO: result: $ossh_result" >&5 21498 echo "$as_me:$LINENO: result: $ossh_result" >&5
20290echo "${ECHO_T}$ossh_result" >&6 21499echo "${ECHO_T}$ossh_result" >&6
20291 if test "x$ossh_result" = "xyes"; then 21500 if test "x$ossh_result" = "xyes"; then
20292 cat >>confdefs.h <<\_ACEOF 21501
21502cat >>confdefs.h <<\_ACEOF
20293#define HAVE_ADDR_V6_IN_UTMPX 1 21503#define HAVE_ADDR_V6_IN_UTMPX 1
20294_ACEOF 21504_ACEOF
20295 21505
@@ -20333,7 +21543,8 @@ fi
20333 echo "$as_me:$LINENO: result: $ossh_result" >&5 21543 echo "$as_me:$LINENO: result: $ossh_result" >&5
20334echo "${ECHO_T}$ossh_result" >&6 21544echo "${ECHO_T}$ossh_result" >&6
20335 if test "x$ossh_result" = "xyes"; then 21545 if test "x$ossh_result" = "xyes"; then
20336 cat >>confdefs.h <<\_ACEOF 21546
21547cat >>confdefs.h <<\_ACEOF
20337#define HAVE_EXIT_IN_UTMP 1 21548#define HAVE_EXIT_IN_UTMP 1
20338_ACEOF 21549_ACEOF
20339 21550
@@ -20377,7 +21588,8 @@ fi
20377 echo "$as_me:$LINENO: result: $ossh_result" >&5 21588 echo "$as_me:$LINENO: result: $ossh_result" >&5
20378echo "${ECHO_T}$ossh_result" >&6 21589echo "${ECHO_T}$ossh_result" >&6
20379 if test "x$ossh_result" = "xyes"; then 21590 if test "x$ossh_result" = "xyes"; then
20380 cat >>confdefs.h <<\_ACEOF 21591
21592cat >>confdefs.h <<\_ACEOF
20381#define HAVE_TIME_IN_UTMP 1 21593#define HAVE_TIME_IN_UTMP 1
20382_ACEOF 21594_ACEOF
20383 21595
@@ -20421,7 +21633,8 @@ fi
20421 echo "$as_me:$LINENO: result: $ossh_result" >&5 21633 echo "$as_me:$LINENO: result: $ossh_result" >&5
20422echo "${ECHO_T}$ossh_result" >&6 21634echo "${ECHO_T}$ossh_result" >&6
20423 if test "x$ossh_result" = "xyes"; then 21635 if test "x$ossh_result" = "xyes"; then
20424 cat >>confdefs.h <<\_ACEOF 21636
21637cat >>confdefs.h <<\_ACEOF
20425#define HAVE_TIME_IN_UTMPX 1 21638#define HAVE_TIME_IN_UTMPX 1
20426_ACEOF 21639_ACEOF
20427 21640
@@ -20465,7 +21678,8 @@ fi
20465 echo "$as_me:$LINENO: result: $ossh_result" >&5 21678 echo "$as_me:$LINENO: result: $ossh_result" >&5
20466echo "${ECHO_T}$ossh_result" >&6 21679echo "${ECHO_T}$ossh_result" >&6
20467 if test "x$ossh_result" = "xyes"; then 21680 if test "x$ossh_result" = "xyes"; then
20468 cat >>confdefs.h <<\_ACEOF 21681
21682cat >>confdefs.h <<\_ACEOF
20469#define HAVE_TV_IN_UTMPX 1 21683#define HAVE_TV_IN_UTMPX 1
20470_ACEOF 21684_ACEOF
20471 21685
@@ -20586,6 +21800,135 @@ _ACEOF
20586 21800
20587fi 21801fi
20588 21802
21803echo "$as_me:$LINENO: checking for struct __res_state.retrans" >&5
21804echo $ECHO_N "checking for struct __res_state.retrans... $ECHO_C" >&6
21805if test "${ac_cv_member_struct___res_state_retrans+set}" = set; then
21806 echo $ECHO_N "(cached) $ECHO_C" >&6
21807else
21808 cat >conftest.$ac_ext <<_ACEOF
21809/* confdefs.h. */
21810_ACEOF
21811cat confdefs.h >>conftest.$ac_ext
21812cat >>conftest.$ac_ext <<_ACEOF
21813/* end confdefs.h. */
21814
21815#include <stdio.h>
21816#if HAVE_SYS_TYPES_H
21817# include <sys/types.h>
21818#endif
21819#include <netinet/in.h>
21820#include <arpa/nameser.h>
21821#include <resolv.h>
21822
21823
21824int
21825main ()
21826{
21827static struct __res_state ac_aggr;
21828if (ac_aggr.retrans)
21829return 0;
21830 ;
21831 return 0;
21832}
21833_ACEOF
21834rm -f conftest.$ac_objext
21835if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
21836 (eval $ac_compile) 2>conftest.er1
21837 ac_status=$?
21838 grep -v '^ *+' conftest.er1 >conftest.err
21839 rm -f conftest.er1
21840 cat conftest.err >&5
21841 echo "$as_me:$LINENO: \$? = $ac_status" >&5
21842 (exit $ac_status); } &&
21843 { ac_try='test -z "$ac_c_werror_flag"
21844 || test ! -s conftest.err'
21845 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
21846 (eval $ac_try) 2>&5
21847 ac_status=$?
21848 echo "$as_me:$LINENO: \$? = $ac_status" >&5
21849 (exit $ac_status); }; } &&
21850 { ac_try='test -s conftest.$ac_objext'
21851 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
21852 (eval $ac_try) 2>&5
21853 ac_status=$?
21854 echo "$as_me:$LINENO: \$? = $ac_status" >&5
21855 (exit $ac_status); }; }; then
21856 ac_cv_member_struct___res_state_retrans=yes
21857else
21858 echo "$as_me: failed program was:" >&5
21859sed 's/^/| /' conftest.$ac_ext >&5
21860
21861cat >conftest.$ac_ext <<_ACEOF
21862/* confdefs.h. */
21863_ACEOF
21864cat confdefs.h >>conftest.$ac_ext
21865cat >>conftest.$ac_ext <<_ACEOF
21866/* end confdefs.h. */
21867
21868#include <stdio.h>
21869#if HAVE_SYS_TYPES_H
21870# include <sys/types.h>
21871#endif
21872#include <netinet/in.h>
21873#include <arpa/nameser.h>
21874#include <resolv.h>
21875
21876
21877int
21878main ()
21879{
21880static struct __res_state ac_aggr;
21881if (sizeof ac_aggr.retrans)
21882return 0;
21883 ;
21884 return 0;
21885}
21886_ACEOF
21887rm -f conftest.$ac_objext
21888if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
21889 (eval $ac_compile) 2>conftest.er1
21890 ac_status=$?
21891 grep -v '^ *+' conftest.er1 >conftest.err
21892 rm -f conftest.er1
21893 cat conftest.err >&5
21894 echo "$as_me:$LINENO: \$? = $ac_status" >&5
21895 (exit $ac_status); } &&
21896 { ac_try='test -z "$ac_c_werror_flag"
21897 || test ! -s conftest.err'
21898 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
21899 (eval $ac_try) 2>&5
21900 ac_status=$?
21901 echo "$as_me:$LINENO: \$? = $ac_status" >&5
21902 (exit $ac_status); }; } &&
21903 { ac_try='test -s conftest.$ac_objext'
21904 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
21905 (eval $ac_try) 2>&5
21906 ac_status=$?
21907 echo "$as_me:$LINENO: \$? = $ac_status" >&5
21908 (exit $ac_status); }; }; then
21909 ac_cv_member_struct___res_state_retrans=yes
21910else
21911 echo "$as_me: failed program was:" >&5
21912sed 's/^/| /' conftest.$ac_ext >&5
21913
21914ac_cv_member_struct___res_state_retrans=no
21915fi
21916rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
21917fi
21918rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
21919fi
21920echo "$as_me:$LINENO: result: $ac_cv_member_struct___res_state_retrans" >&5
21921echo "${ECHO_T}$ac_cv_member_struct___res_state_retrans" >&6
21922if test $ac_cv_member_struct___res_state_retrans = yes; then
21923 :
21924else
21925
21926cat >>confdefs.h <<\_ACEOF
21927#define __res_state state
21928_ACEOF
21929
21930fi
21931
20589 21932
20590echo "$as_me:$LINENO: checking for ss_family field in struct sockaddr_storage" >&5 21933echo "$as_me:$LINENO: checking for ss_family field in struct sockaddr_storage" >&5
20591echo $ECHO_N "checking for ss_family field in struct sockaddr_storage... $ECHO_C" >&6 21934echo $ECHO_N "checking for ss_family field in struct sockaddr_storage... $ECHO_C" >&6
@@ -20646,7 +21989,8 @@ fi
20646echo "$as_me:$LINENO: result: $ac_cv_have_ss_family_in_struct_ss" >&5 21989echo "$as_me:$LINENO: result: $ac_cv_have_ss_family_in_struct_ss" >&5
20647echo "${ECHO_T}$ac_cv_have_ss_family_in_struct_ss" >&6 21990echo "${ECHO_T}$ac_cv_have_ss_family_in_struct_ss" >&6
20648if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then 21991if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
20649 cat >>confdefs.h <<\_ACEOF 21992
21993cat >>confdefs.h <<\_ACEOF
20650#define HAVE_SS_FAMILY_IN_SS 1 21994#define HAVE_SS_FAMILY_IN_SS 1
20651_ACEOF 21995_ACEOF
20652 21996
@@ -20712,7 +22056,8 @@ fi
20712echo "$as_me:$LINENO: result: $ac_cv_have___ss_family_in_struct_ss" >&5 22056echo "$as_me:$LINENO: result: $ac_cv_have___ss_family_in_struct_ss" >&5
20713echo "${ECHO_T}$ac_cv_have___ss_family_in_struct_ss" >&6 22057echo "${ECHO_T}$ac_cv_have___ss_family_in_struct_ss" >&6
20714if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then 22058if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
20715 cat >>confdefs.h <<\_ACEOF 22059
22060cat >>confdefs.h <<\_ACEOF
20716#define HAVE___SS_FAMILY_IN_SS 1 22061#define HAVE___SS_FAMILY_IN_SS 1
20717_ACEOF 22062_ACEOF
20718 22063
@@ -20777,7 +22122,8 @@ fi
20777echo "$as_me:$LINENO: result: $ac_cv_have_pw_class_in_struct_passwd" >&5 22122echo "$as_me:$LINENO: result: $ac_cv_have_pw_class_in_struct_passwd" >&5
20778echo "${ECHO_T}$ac_cv_have_pw_class_in_struct_passwd" >&6 22123echo "${ECHO_T}$ac_cv_have_pw_class_in_struct_passwd" >&6
20779if test "x$ac_cv_have_pw_class_in_struct_passwd" = "xyes" ; then 22124if test "x$ac_cv_have_pw_class_in_struct_passwd" = "xyes" ; then
20780 cat >>confdefs.h <<\_ACEOF 22125
22126cat >>confdefs.h <<\_ACEOF
20781#define HAVE_PW_CLASS_IN_PASSWD 1 22127#define HAVE_PW_CLASS_IN_PASSWD 1
20782_ACEOF 22128_ACEOF
20783 22129
@@ -20842,7 +22188,8 @@ fi
20842echo "$as_me:$LINENO: result: $ac_cv_have_pw_expire_in_struct_passwd" >&5 22188echo "$as_me:$LINENO: result: $ac_cv_have_pw_expire_in_struct_passwd" >&5
20843echo "${ECHO_T}$ac_cv_have_pw_expire_in_struct_passwd" >&6 22189echo "${ECHO_T}$ac_cv_have_pw_expire_in_struct_passwd" >&6
20844if test "x$ac_cv_have_pw_expire_in_struct_passwd" = "xyes" ; then 22190if test "x$ac_cv_have_pw_expire_in_struct_passwd" = "xyes" ; then
20845 cat >>confdefs.h <<\_ACEOF 22191
22192cat >>confdefs.h <<\_ACEOF
20846#define HAVE_PW_EXPIRE_IN_PASSWD 1 22193#define HAVE_PW_EXPIRE_IN_PASSWD 1
20847_ACEOF 22194_ACEOF
20848 22195
@@ -20907,7 +22254,8 @@ fi
20907echo "$as_me:$LINENO: result: $ac_cv_have_pw_change_in_struct_passwd" >&5 22254echo "$as_me:$LINENO: result: $ac_cv_have_pw_change_in_struct_passwd" >&5
20908echo "${ECHO_T}$ac_cv_have_pw_change_in_struct_passwd" >&6 22255echo "${ECHO_T}$ac_cv_have_pw_change_in_struct_passwd" >&6
20909if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then 22256if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then
20910 cat >>confdefs.h <<\_ACEOF 22257
22258cat >>confdefs.h <<\_ACEOF
20911#define HAVE_PW_CHANGE_IN_PASSWD 1 22259#define HAVE_PW_CHANGE_IN_PASSWD 1
20912_ACEOF 22260_ACEOF
20913 22261
@@ -20971,7 +22319,8 @@ fi
20971echo "$as_me:$LINENO: result: $ac_cv_have_accrights_in_msghdr" >&5 22319echo "$as_me:$LINENO: result: $ac_cv_have_accrights_in_msghdr" >&5
20972echo "${ECHO_T}$ac_cv_have_accrights_in_msghdr" >&6 22320echo "${ECHO_T}$ac_cv_have_accrights_in_msghdr" >&6
20973if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then 22321if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
20974 cat >>confdefs.h <<\_ACEOF 22322
22323cat >>confdefs.h <<\_ACEOF
20975#define HAVE_ACCRIGHTS_IN_MSGHDR 1 22324#define HAVE_ACCRIGHTS_IN_MSGHDR 1
20976_ACEOF 22325_ACEOF
20977 22326
@@ -21035,7 +22384,8 @@ fi
21035echo "$as_me:$LINENO: result: $ac_cv_have_control_in_msghdr" >&5 22384echo "$as_me:$LINENO: result: $ac_cv_have_control_in_msghdr" >&5
21036echo "${ECHO_T}$ac_cv_have_control_in_msghdr" >&6 22385echo "${ECHO_T}$ac_cv_have_control_in_msghdr" >&6
21037if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then 22386if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
21038 cat >>confdefs.h <<\_ACEOF 22387
22388cat >>confdefs.h <<\_ACEOF
21039#define HAVE_CONTROL_IN_MSGHDR 1 22389#define HAVE_CONTROL_IN_MSGHDR 1
21040_ACEOF 22390_ACEOF
21041 22391
@@ -21099,7 +22449,8 @@ fi
21099echo "$as_me:$LINENO: result: $ac_cv_libc_defines___progname" >&5 22449echo "$as_me:$LINENO: result: $ac_cv_libc_defines___progname" >&5
21100echo "${ECHO_T}$ac_cv_libc_defines___progname" >&6 22450echo "${ECHO_T}$ac_cv_libc_defines___progname" >&6
21101if test "x$ac_cv_libc_defines___progname" = "xyes" ; then 22451if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
21102 cat >>confdefs.h <<\_ACEOF 22452
22453cat >>confdefs.h <<\_ACEOF
21103#define HAVE___PROGNAME 1 22454#define HAVE___PROGNAME 1
21104_ACEOF 22455_ACEOF
21105 22456
@@ -21165,7 +22516,8 @@ fi
21165echo "$as_me:$LINENO: result: $ac_cv_cc_implements___FUNCTION__" >&5 22516echo "$as_me:$LINENO: result: $ac_cv_cc_implements___FUNCTION__" >&5
21166echo "${ECHO_T}$ac_cv_cc_implements___FUNCTION__" >&6 22517echo "${ECHO_T}$ac_cv_cc_implements___FUNCTION__" >&6
21167if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then 22518if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
21168 cat >>confdefs.h <<\_ACEOF 22519
22520cat >>confdefs.h <<\_ACEOF
21169#define HAVE___FUNCTION__ 1 22521#define HAVE___FUNCTION__ 1
21170_ACEOF 22522_ACEOF
21171 22523
@@ -21231,12 +22583,145 @@ fi
21231echo "$as_me:$LINENO: result: $ac_cv_cc_implements___func__" >&5 22583echo "$as_me:$LINENO: result: $ac_cv_cc_implements___func__" >&5
21232echo "${ECHO_T}$ac_cv_cc_implements___func__" >&6 22584echo "${ECHO_T}$ac_cv_cc_implements___func__" >&6
21233if test "x$ac_cv_cc_implements___func__" = "xyes" ; then 22585if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
21234 cat >>confdefs.h <<\_ACEOF 22586
22587cat >>confdefs.h <<\_ACEOF
21235#define HAVE___func__ 1 22588#define HAVE___func__ 1
21236_ACEOF 22589_ACEOF
21237 22590
21238fi 22591fi
21239 22592
22593echo "$as_me:$LINENO: checking whether va_copy exists" >&5
22594echo $ECHO_N "checking whether va_copy exists... $ECHO_C" >&6
22595if test "${ac_cv_have_va_copy+set}" = set; then
22596 echo $ECHO_N "(cached) $ECHO_C" >&6
22597else
22598
22599 cat >conftest.$ac_ext <<_ACEOF
22600/* confdefs.h. */
22601_ACEOF
22602cat confdefs.h >>conftest.$ac_ext
22603cat >>conftest.$ac_ext <<_ACEOF
22604/* end confdefs.h. */
22605#include <stdarg.h>
22606 va_list x,y;
22607int
22608main ()
22609{
22610va_copy(x,y);
22611 ;
22612 return 0;
22613}
22614_ACEOF
22615rm -f conftest.$ac_objext conftest$ac_exeext
22616if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
22617 (eval $ac_link) 2>conftest.er1
22618 ac_status=$?
22619 grep -v '^ *+' conftest.er1 >conftest.err
22620 rm -f conftest.er1
22621 cat conftest.err >&5
22622 echo "$as_me:$LINENO: \$? = $ac_status" >&5
22623 (exit $ac_status); } &&
22624 { ac_try='test -z "$ac_c_werror_flag"
22625 || test ! -s conftest.err'
22626 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
22627 (eval $ac_try) 2>&5
22628 ac_status=$?
22629 echo "$as_me:$LINENO: \$? = $ac_status" >&5
22630 (exit $ac_status); }; } &&
22631 { ac_try='test -s conftest$ac_exeext'
22632 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
22633 (eval $ac_try) 2>&5
22634 ac_status=$?
22635 echo "$as_me:$LINENO: \$? = $ac_status" >&5
22636 (exit $ac_status); }; }; then
22637 ac_cv_have_va_copy="yes"
22638else
22639 echo "$as_me: failed program was:" >&5
22640sed 's/^/| /' conftest.$ac_ext >&5
22641
22642 ac_cv_have_va_copy="no"
22643
22644fi
22645rm -f conftest.err conftest.$ac_objext \
22646 conftest$ac_exeext conftest.$ac_ext
22647
22648fi
22649echo "$as_me:$LINENO: result: $ac_cv_have_va_copy" >&5
22650echo "${ECHO_T}$ac_cv_have_va_copy" >&6
22651if test "x$ac_cv_have_va_copy" = "xyes" ; then
22652
22653cat >>confdefs.h <<\_ACEOF
22654#define HAVE_VA_COPY 1
22655_ACEOF
22656
22657fi
22658
22659echo "$as_me:$LINENO: checking whether __va_copy exists" >&5
22660echo $ECHO_N "checking whether __va_copy exists... $ECHO_C" >&6
22661if test "${ac_cv_have___va_copy+set}" = set; then
22662 echo $ECHO_N "(cached) $ECHO_C" >&6
22663else
22664
22665 cat >conftest.$ac_ext <<_ACEOF
22666/* confdefs.h. */
22667_ACEOF
22668cat confdefs.h >>conftest.$ac_ext
22669cat >>conftest.$ac_ext <<_ACEOF
22670/* end confdefs.h. */
22671#include <stdarg.h>
22672 va_list x,y;
22673int
22674main ()
22675{
22676__va_copy(x,y);
22677 ;
22678 return 0;
22679}
22680_ACEOF
22681rm -f conftest.$ac_objext conftest$ac_exeext
22682if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
22683 (eval $ac_link) 2>conftest.er1
22684 ac_status=$?
22685 grep -v '^ *+' conftest.er1 >conftest.err
22686 rm -f conftest.er1
22687 cat conftest.err >&5
22688 echo "$as_me:$LINENO: \$? = $ac_status" >&5
22689 (exit $ac_status); } &&
22690 { ac_try='test -z "$ac_c_werror_flag"
22691 || test ! -s conftest.err'
22692 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
22693 (eval $ac_try) 2>&5
22694 ac_status=$?
22695 echo "$as_me:$LINENO: \$? = $ac_status" >&5
22696 (exit $ac_status); }; } &&
22697 { ac_try='test -s conftest$ac_exeext'
22698 { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
22699 (eval $ac_try) 2>&5
22700 ac_status=$?
22701 echo "$as_me:$LINENO: \$? = $ac_status" >&5
22702 (exit $ac_status); }; }; then
22703 ac_cv_have___va_copy="yes"
22704else
22705 echo "$as_me: failed program was:" >&5
22706sed 's/^/| /' conftest.$ac_ext >&5
22707
22708 ac_cv_have___va_copy="no"
22709
22710fi
22711rm -f conftest.err conftest.$ac_objext \
22712 conftest$ac_exeext conftest.$ac_ext
22713
22714fi
22715echo "$as_me:$LINENO: result: $ac_cv_have___va_copy" >&5
22716echo "${ECHO_T}$ac_cv_have___va_copy" >&6
22717if test "x$ac_cv_have___va_copy" = "xyes" ; then
22718
22719cat >>confdefs.h <<\_ACEOF
22720#define HAVE___VA_COPY 1
22721_ACEOF
22722
22723fi
22724
21240echo "$as_me:$LINENO: checking whether getopt has optreset support" >&5 22725echo "$as_me:$LINENO: checking whether getopt has optreset support" >&5
21241echo $ECHO_N "checking whether getopt has optreset support... $ECHO_C" >&6 22726echo $ECHO_N "checking whether getopt has optreset support... $ECHO_C" >&6
21242if test "${ac_cv_have_getopt_optreset+set}" = set; then 22727if test "${ac_cv_have_getopt_optreset+set}" = set; then
@@ -21297,7 +22782,8 @@ fi
21297echo "$as_me:$LINENO: result: $ac_cv_have_getopt_optreset" >&5 22782echo "$as_me:$LINENO: result: $ac_cv_have_getopt_optreset" >&5
21298echo "${ECHO_T}$ac_cv_have_getopt_optreset" >&6 22783echo "${ECHO_T}$ac_cv_have_getopt_optreset" >&6
21299if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then 22784if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
21300 cat >>confdefs.h <<\_ACEOF 22785
22786cat >>confdefs.h <<\_ACEOF
21301#define HAVE_GETOPT_OPTRESET 1 22787#define HAVE_GETOPT_OPTRESET 1
21302_ACEOF 22788_ACEOF
21303 22789
@@ -21361,7 +22847,8 @@ fi
21361echo "$as_me:$LINENO: result: $ac_cv_libc_defines_sys_errlist" >&5 22847echo "$as_me:$LINENO: result: $ac_cv_libc_defines_sys_errlist" >&5
21362echo "${ECHO_T}$ac_cv_libc_defines_sys_errlist" >&6 22848echo "${ECHO_T}$ac_cv_libc_defines_sys_errlist" >&6
21363if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then 22849if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
21364 cat >>confdefs.h <<\_ACEOF 22850
22851cat >>confdefs.h <<\_ACEOF
21365#define HAVE_SYS_ERRLIST 1 22852#define HAVE_SYS_ERRLIST 1
21366_ACEOF 22853_ACEOF
21367 22854
@@ -21426,7 +22913,8 @@ fi
21426echo "$as_me:$LINENO: result: $ac_cv_libc_defines_sys_nerr" >&5 22913echo "$as_me:$LINENO: result: $ac_cv_libc_defines_sys_nerr" >&5
21427echo "${ECHO_T}$ac_cv_libc_defines_sys_nerr" >&6 22914echo "${ECHO_T}$ac_cv_libc_defines_sys_nerr" >&6
21428if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then 22915if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
21429 cat >>confdefs.h <<\_ACEOF 22916
22917cat >>confdefs.h <<\_ACEOF
21430#define HAVE_SYS_NERR 1 22918#define HAVE_SYS_NERR 1
21431_ACEOF 22919_ACEOF
21432 22920
@@ -21684,11 +23172,13 @@ fi
21684echo "$as_me: error: Can't find libsectok" >&2;} 23172echo "$as_me: error: Can't find libsectok" >&2;}
21685 { (exit 1); exit 1; }; } 23173 { (exit 1); exit 1; }; }
21686 fi 23174 fi
21687 cat >>confdefs.h <<\_ACEOF 23175
23176cat >>confdefs.h <<\_ACEOF
21688#define SMARTCARD 1 23177#define SMARTCARD 1
21689_ACEOF 23178_ACEOF
21690 23179
21691 cat >>confdefs.h <<\_ACEOF 23180
23181cat >>confdefs.h <<\_ACEOF
21692#define USE_SECTOK 1 23182#define USE_SECTOK 1
21693_ACEOF 23183_ACEOF
21694 23184
@@ -21759,7 +23249,8 @@ fi
21759#define SMARTCARD 1 23249#define SMARTCARD 1
21760_ACEOF 23250_ACEOF
21761 23251
21762 cat >>confdefs.h <<\_ACEOF 23252
23253cat >>confdefs.h <<\_ACEOF
21763#define USE_OPENSC 1 23254#define USE_OPENSC 1
21764_ACEOF 23255_ACEOF
21765 23256
@@ -21894,7 +23385,8 @@ echo "$as_me:$LINENO: result: $ac_cv_search_getrrsetbyname" >&5
21894echo "${ECHO_T}$ac_cv_search_getrrsetbyname" >&6 23385echo "${ECHO_T}$ac_cv_search_getrrsetbyname" >&6
21895if test "$ac_cv_search_getrrsetbyname" != no; then 23386if test "$ac_cv_search_getrrsetbyname" != no; then
21896 test "$ac_cv_search_getrrsetbyname" = "none required" || LIBS="$ac_cv_search_getrrsetbyname $LIBS" 23387 test "$ac_cv_search_getrrsetbyname" = "none required" || LIBS="$ac_cv_search_getrrsetbyname $LIBS"
21897 cat >>confdefs.h <<\_ACEOF 23388
23389cat >>confdefs.h <<\_ACEOF
21898#define HAVE_GETRRSETBYNAME 1 23390#define HAVE_GETRRSETBYNAME 1
21899_ACEOF 23391_ACEOF
21900 23392
@@ -22613,7 +24105,8 @@ fi
22613echo "$as_me:$LINENO: result: $ac_cv_member_HEADER_ad" >&5 24105echo "$as_me:$LINENO: result: $ac_cv_member_HEADER_ad" >&5
22614echo "${ECHO_T}$ac_cv_member_HEADER_ad" >&6 24106echo "${ECHO_T}$ac_cv_member_HEADER_ad" >&6
22615if test $ac_cv_member_HEADER_ad = yes; then 24107if test $ac_cv_member_HEADER_ad = yes; then
22616 cat >>confdefs.h <<\_ACEOF 24108
24109cat >>confdefs.h <<\_ACEOF
22617#define HAVE_HEADER_AD 1 24110#define HAVE_HEADER_AD 1
22618_ACEOF 24111_ACEOF
22619 24112
@@ -22636,7 +24129,8 @@ if test "${with_kerberos5+set}" = set; then
22636 KRB5ROOT=${withval} 24129 KRB5ROOT=${withval}
22637 fi 24130 fi
22638 24131
22639 cat >>confdefs.h <<\_ACEOF 24132
24133cat >>confdefs.h <<\_ACEOF
22640#define KRB5 1 24134#define KRB5 1
22641_ACEOF 24135_ACEOF
22642 24136
@@ -22654,7 +24148,8 @@ echo $ECHO_N "checking for gssapi support... $ECHO_C" >&6
22654 if $KRB5CONF | grep gssapi >/dev/null ; then 24148 if $KRB5CONF | grep gssapi >/dev/null ; then
22655 echo "$as_me:$LINENO: result: yes" >&5 24149 echo "$as_me:$LINENO: result: yes" >&5
22656echo "${ECHO_T}yes" >&6 24150echo "${ECHO_T}yes" >&6
22657 cat >>confdefs.h <<\_ACEOF 24151
24152cat >>confdefs.h <<\_ACEOF
22658#define GSSAPI 1 24153#define GSSAPI 1
22659_ACEOF 24154_ACEOF
22660 24155
@@ -22708,7 +24203,8 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
22708 (exit $ac_status); }; }; then 24203 (exit $ac_status); }; }; then
22709 echo "$as_me:$LINENO: result: yes" >&5 24204 echo "$as_me:$LINENO: result: yes" >&5
22710echo "${ECHO_T}yes" >&6 24205echo "${ECHO_T}yes" >&6
22711 cat >>confdefs.h <<\_ACEOF 24206
24207cat >>confdefs.h <<\_ACEOF
22712#define HEIMDAL 1 24208#define HEIMDAL 1
22713_ACEOF 24209_ACEOF
22714 24210
@@ -23586,7 +25082,6 @@ fi
23586 if test ! -z "$blibpath" ; then 25082 if test ! -z "$blibpath" ; then
23587 blibpath="$blibpath:${KRB5ROOT}/lib" 25083 blibpath="$blibpath:${KRB5ROOT}/lib"
23588 fi 25084 fi
23589 fi
23590 25085
23591 25086
23592 25087
@@ -24042,8 +25537,8 @@ fi
24042done 25537done
24043 25538
24044 25539
24045 LIBS="$LIBS $K5LIBS" 25540 LIBS="$LIBS $K5LIBS"
24046 echo "$as_me:$LINENO: checking for library containing k_hasafs" >&5 25541 echo "$as_me:$LINENO: checking for library containing k_hasafs" >&5
24047echo $ECHO_N "checking for library containing k_hasafs... $ECHO_C" >&6 25542echo $ECHO_N "checking for library containing k_hasafs... $ECHO_C" >&6
24048if test "${ac_cv_search_k_hasafs+set}" = set; then 25543if test "${ac_cv_search_k_hasafs+set}" = set; then
24049 echo $ECHO_N "(cached) $ECHO_C" >&6 25544 echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -24166,12 +25661,14 @@ echo "$as_me:$LINENO: result: $ac_cv_search_k_hasafs" >&5
24166echo "${ECHO_T}$ac_cv_search_k_hasafs" >&6 25661echo "${ECHO_T}$ac_cv_search_k_hasafs" >&6
24167if test "$ac_cv_search_k_hasafs" != no; then 25662if test "$ac_cv_search_k_hasafs" != no; then
24168 test "$ac_cv_search_k_hasafs" = "none required" || LIBS="$ac_cv_search_k_hasafs $LIBS" 25663 test "$ac_cv_search_k_hasafs" = "none required" || LIBS="$ac_cv_search_k_hasafs $LIBS"
24169 cat >>confdefs.h <<\_ACEOF 25664
25665cat >>confdefs.h <<\_ACEOF
24170#define USE_AFS 1 25666#define USE_AFS 1
24171_ACEOF 25667_ACEOF
24172 25668
24173fi 25669fi
24174 25670
25671 fi
24175 25672
24176 25673
24177fi; 25674fi;
@@ -24273,7 +25770,8 @@ if test -z "$xauth_path" ; then
24273 XAUTH_PATH="undefined" 25770 XAUTH_PATH="undefined"
24274 25771
24275else 25772else
24276 cat >>confdefs.h <<_ACEOF 25773
25774cat >>confdefs.h <<_ACEOF
24277#define XAUTH_PATH "$xauth_path" 25775#define XAUTH_PATH "$xauth_path"
24278_ACEOF 25776_ACEOF
24279 25777
@@ -24284,7 +25782,8 @@ fi
24284# Check for mail directory (last resort if we cannot get it from headers) 25782# Check for mail directory (last resort if we cannot get it from headers)
24285if test ! -z "$MAIL" ; then 25783if test ! -z "$MAIL" ; then
24286 maildir=`dirname $MAIL` 25784 maildir=`dirname $MAIL`
24287 cat >>confdefs.h <<_ACEOF 25785
25786cat >>confdefs.h <<_ACEOF
24288#define MAIL_DIRECTORY "$maildir" 25787#define MAIL_DIRECTORY "$maildir"
24289_ACEOF 25788_ACEOF
24290 25789
@@ -24316,7 +25815,8 @@ echo "$as_me:$LINENO: result: $ac_cv_file___dev_ptmx_" >&5
24316echo "${ECHO_T}$ac_cv_file___dev_ptmx_" >&6 25815echo "${ECHO_T}$ac_cv_file___dev_ptmx_" >&6
24317if test $ac_cv_file___dev_ptmx_ = yes; then 25816if test $ac_cv_file___dev_ptmx_ = yes; then
24318 25817
24319 cat >>confdefs.h <<_ACEOF 25818
25819cat >>confdefs.h <<_ACEOF
24320#define HAVE_DEV_PTMX 1 25820#define HAVE_DEV_PTMX 1
24321_ACEOF 25821_ACEOF
24322 25822
@@ -24348,7 +25848,8 @@ echo "$as_me:$LINENO: result: $ac_cv_file___dev_ptc_" >&5
24348echo "${ECHO_T}$ac_cv_file___dev_ptc_" >&6 25848echo "${ECHO_T}$ac_cv_file___dev_ptc_" >&6
24349if test $ac_cv_file___dev_ptc_ = yes; then 25849if test $ac_cv_file___dev_ptc_ = yes; then
24350 25850
24351 cat >>confdefs.h <<_ACEOF 25851
25852cat >>confdefs.h <<_ACEOF
24352#define HAVE_DEV_PTS_AND_PTC 1 25853#define HAVE_DEV_PTS_AND_PTC 1
24353_ACEOF 25854_ACEOF
24354 25855
@@ -24452,7 +25953,8 @@ if test "${with_md5_passwords+set}" = set; then
24452 withval="$with_md5_passwords" 25953 withval="$with_md5_passwords"
24453 25954
24454 if test "x$withval" != "xno" ; then 25955 if test "x$withval" != "xno" ; then
24455 cat >>confdefs.h <<\_ACEOF 25956
25957cat >>confdefs.h <<\_ACEOF
24456#define HAVE_MD5_PASSWORDS 1 25958#define HAVE_MD5_PASSWORDS 1
24457_ACEOF 25959_ACEOF
24458 25960
@@ -24536,7 +26038,8 @@ rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
24536 if test "x$sp_expire_available" = "xyes" ; then 26038 if test "x$sp_expire_available" = "xyes" ; then
24537 echo "$as_me:$LINENO: result: yes" >&5 26039 echo "$as_me:$LINENO: result: yes" >&5
24538echo "${ECHO_T}yes" >&6 26040echo "${ECHO_T}yes" >&6
24539 cat >>confdefs.h <<\_ACEOF 26041
26042cat >>confdefs.h <<\_ACEOF
24540#define HAS_SHADOW_EXPIRE 1 26043#define HAS_SHADOW_EXPIRE 1
24541_ACEOF 26044_ACEOF
24542 26045
@@ -24549,7 +26052,8 @@ fi
24549# Use ip address instead of hostname in $DISPLAY 26052# Use ip address instead of hostname in $DISPLAY
24550if test ! -z "$IPADDR_IN_DISPLAY" ; then 26053if test ! -z "$IPADDR_IN_DISPLAY" ; then
24551 DISPLAY_HACK_MSG="yes" 26054 DISPLAY_HACK_MSG="yes"
24552 cat >>confdefs.h <<\_ACEOF 26055
26056cat >>confdefs.h <<\_ACEOF
24553#define IPADDR_IN_DISPLAY 1 26057#define IPADDR_IN_DISPLAY 1
24554_ACEOF 26058_ACEOF
24555 26059
@@ -24584,7 +26088,14 @@ echo "$as_me: /etc/default/login handling disabled" >&6;}
24584 etc_default_login=yes 26088 etc_default_login=yes
24585 fi 26089 fi
24586else 26090else
24587 etc_default_login=yes 26091 if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
26092 then
26093 { echo "$as_me:$LINENO: WARNING: cross compiling: not checking /etc/default/login" >&5
26094echo "$as_me: WARNING: cross compiling: not checking /etc/default/login" >&2;}
26095 etc_default_login=no
26096 else
26097 etc_default_login=yes
26098 fi
24588 26099
24589fi; 26100fi;
24590 26101
@@ -24610,12 +26121,9 @@ if test $ac_cv_file___etc_default_login_ = yes; then
24610 external_path_file=/etc/default/login 26121 external_path_file=/etc/default/login
24611fi 26122fi
24612 26123
24613 if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; 26124 if test "x$external_path_file" = "x/etc/default/login"; then
24614 then 26125
24615 { echo "$as_me:$LINENO: WARNING: cross compiling: Disabling /etc/default/login test" >&5 26126cat >>confdefs.h <<\_ACEOF
24616echo "$as_me: WARNING: cross compiling: Disabling /etc/default/login test" >&2;}
24617 elif test "x$external_path_file" = "x/etc/default/login"; then
24618 cat >>confdefs.h <<\_ACEOF
24619#define HAVE_ETC_DEFAULT_LOGIN 1 26127#define HAVE_ETC_DEFAULT_LOGIN 1
24620_ACEOF 26128_ACEOF
24621 26129
@@ -24754,7 +26262,8 @@ echo "${ECHO_T}Adding $t_bindir to USER_PATH so scp will work" >&6
24754 26262
24755fi; 26263fi;
24756if test "x$external_path_file" != "x/etc/login.conf" ; then 26264if test "x$external_path_file" != "x/etc/login.conf" ; then
24757 cat >>confdefs.h <<_ACEOF 26265
26266cat >>confdefs.h <<_ACEOF
24758#define USER_PATH "$user_path" 26267#define USER_PATH "$user_path"
24759_ACEOF 26268_ACEOF
24760 26269
@@ -24769,7 +26278,8 @@ if test "${with_superuser_path+set}" = set; then
24769 26278
24770 if test -n "$withval" && test "x$withval" != "xno" && \ 26279 if test -n "$withval" && test "x$withval" != "xno" && \
24771 test "x${withval}" != "xyes"; then 26280 test "x${withval}" != "xyes"; then
24772 cat >>confdefs.h <<_ACEOF 26281
26282cat >>confdefs.h <<_ACEOF
24773#define SUPERUSER_PATH "$withval" 26283#define SUPERUSER_PATH "$withval"
24774_ACEOF 26284_ACEOF
24775 26285
@@ -24791,7 +26301,8 @@ if test "${with_4in6+set}" = set; then
24791 if test "x$withval" != "xno" ; then 26301 if test "x$withval" != "xno" ; then
24792 echo "$as_me:$LINENO: result: yes" >&5 26302 echo "$as_me:$LINENO: result: yes" >&5
24793echo "${ECHO_T}yes" >&6 26303echo "${ECHO_T}yes" >&6
24794 cat >>confdefs.h <<\_ACEOF 26304
26305cat >>confdefs.h <<\_ACEOF
24795#define IPV4_IN_IPV6 1 26306#define IPV4_IN_IPV6 1
24796_ACEOF 26307_ACEOF
24797 26308
@@ -24827,7 +26338,8 @@ if test "${with_bsd_auth+set}" = set; then
24827 withval="$with_bsd_auth" 26338 withval="$with_bsd_auth"
24828 26339
24829 if test "x$withval" != "xno" ; then 26340 if test "x$withval" != "xno" ; then
24830 cat >>confdefs.h <<\_ACEOF 26341
26342cat >>confdefs.h <<\_ACEOF
24831#define BSD_AUTH 1 26343#define BSD_AUTH 1
24832_ACEOF 26344_ACEOF
24833 26345
@@ -24864,6 +26376,7 @@ echo "$as_me: WARNING: ** no $piddir directory on this system **" >&2;}
24864 26376
24865fi; 26377fi;
24866 26378
26379
24867cat >>confdefs.h <<_ACEOF 26380cat >>confdefs.h <<_ACEOF
24868#define _PATH_SSH_PIDDIR "$piddir" 26381#define _PATH_SSH_PIDDIR "$piddir"
24869_ACEOF 26382_ACEOF
@@ -24901,7 +26414,8 @@ if test "${enable_utmpx+set}" = set; then
24901 enableval="$enable_utmpx" 26414 enableval="$enable_utmpx"
24902 26415
24903 if test "x$enableval" = "xno" ; then 26416 if test "x$enableval" = "xno" ; then
24904 cat >>confdefs.h <<\_ACEOF 26417
26418cat >>confdefs.h <<\_ACEOF
24905#define DISABLE_UTMPX 1 26419#define DISABLE_UTMPX 1
24906_ACEOF 26420_ACEOF
24907 26421
@@ -24927,7 +26441,8 @@ if test "${enable_wtmpx+set}" = set; then
24927 enableval="$enable_wtmpx" 26441 enableval="$enable_wtmpx"
24928 26442
24929 if test "x$enableval" = "xno" ; then 26443 if test "x$enableval" = "xno" ; then
24930 cat >>confdefs.h <<\_ACEOF 26444
26445cat >>confdefs.h <<\_ACEOF
24931#define DISABLE_WTMPX 1 26446#define DISABLE_WTMPX 1
24932_ACEOF 26447_ACEOF
24933 26448
@@ -24953,7 +26468,8 @@ if test "${enable_pututline+set}" = set; then
24953 enableval="$enable_pututline" 26468 enableval="$enable_pututline"
24954 26469
24955 if test "x$enableval" = "xno" ; then 26470 if test "x$enableval" = "xno" ; then
24956 cat >>confdefs.h <<\_ACEOF 26471
26472cat >>confdefs.h <<\_ACEOF
24957#define DISABLE_PUTUTLINE 1 26473#define DISABLE_PUTUTLINE 1
24958_ACEOF 26474_ACEOF
24959 26475
@@ -24966,7 +26482,8 @@ if test "${enable_pututxline+set}" = set; then
24966 enableval="$enable_pututxline" 26482 enableval="$enable_pututxline"
24967 26483
24968 if test "x$enableval" = "xno" ; then 26484 if test "x$enableval" = "xno" ; then
24969 cat >>confdefs.h <<\_ACEOF 26485
26486cat >>confdefs.h <<\_ACEOF
24970#define DISABLE_PUTUTXLINE 1 26487#define DISABLE_PUTUTXLINE 1
24971_ACEOF 26488_ACEOF
24972 26489
@@ -25133,7 +26650,8 @@ echo "$as_me: WARNING: ** Cannot find lastlog **" >&2;}
25133fi 26650fi
25134 26651
25135if test -n "$conf_lastlog_location"; then 26652if test -n "$conf_lastlog_location"; then
25136 cat >>confdefs.h <<_ACEOF 26653
26654cat >>confdefs.h <<_ACEOF
25137#define CONF_LASTLOG_FILE "$conf_lastlog_location" 26655#define CONF_LASTLOG_FILE "$conf_lastlog_location"
25138_ACEOF 26656_ACEOF
25139 26657
@@ -25212,7 +26730,8 @@ _ACEOF
25212 fi 26730 fi
25213fi 26731fi
25214if test -n "$conf_utmp_location"; then 26732if test -n "$conf_utmp_location"; then
25215 cat >>confdefs.h <<_ACEOF 26733
26734cat >>confdefs.h <<_ACEOF
25216#define CONF_UTMP_FILE "$conf_utmp_location" 26735#define CONF_UTMP_FILE "$conf_utmp_location"
25217_ACEOF 26736_ACEOF
25218 26737
@@ -25291,7 +26810,8 @@ _ACEOF
25291 fi 26810 fi
25292fi 26811fi
25293if test -n "$conf_wtmp_location"; then 26812if test -n "$conf_wtmp_location"; then
25294 cat >>confdefs.h <<_ACEOF 26813
26814cat >>confdefs.h <<_ACEOF
25295#define CONF_WTMP_FILE "$conf_wtmp_location" 26815#define CONF_WTMP_FILE "$conf_wtmp_location"
25296_ACEOF 26816_ACEOF
25297 26817
@@ -25366,7 +26886,8 @@ _ACEOF
25366 26886
25367 fi 26887 fi
25368else 26888else
25369 cat >>confdefs.h <<_ACEOF 26889
26890cat >>confdefs.h <<_ACEOF
25370#define CONF_UTMPX_FILE "$conf_utmpx_location" 26891#define CONF_UTMPX_FILE "$conf_utmpx_location"
25371_ACEOF 26892_ACEOF
25372 26893
@@ -25440,7 +26961,8 @@ _ACEOF
25440 26961
25441 fi 26962 fi
25442else 26963else
25443 cat >>confdefs.h <<_ACEOF 26964
26965cat >>confdefs.h <<_ACEOF
25444#define CONF_WTMPX_FILE "$conf_wtmpx_location" 26966#define CONF_WTMPX_FILE "$conf_wtmpx_location"
25445_ACEOF 26967_ACEOF
25446 26968
@@ -25821,9 +27343,9 @@ exec 6>&1
25821exec 5>>config.log 27343exec 5>>config.log
25822{ 27344{
25823 echo 27345 echo
25824 sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<BOXI_EOF 27346 sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
25825## Running $as_me. ## 27347## Running $as_me. ##
25826BOXI_EOF 27348_ASBOX
25827} >&5 27349} >&5
25828cat >&5 <<_CSEOF 27350cat >&5 <<_CSEOF
25829 27351
@@ -26104,6 +27626,7 @@ s,@ac_ct_RANLIB@,$ac_ct_RANLIB,;t t
26104s,@INSTALL_PROGRAM@,$INSTALL_PROGRAM,;t t 27626s,@INSTALL_PROGRAM@,$INSTALL_PROGRAM,;t t
26105s,@INSTALL_SCRIPT@,$INSTALL_SCRIPT,;t t 27627s,@INSTALL_SCRIPT@,$INSTALL_SCRIPT,;t t
26106s,@INSTALL_DATA@,$INSTALL_DATA,;t t 27628s,@INSTALL_DATA@,$INSTALL_DATA,;t t
27629s,@EGREP@,$EGREP,;t t
26107s,@AR@,$AR,;t t 27630s,@AR@,$AR,;t t
26108s,@CAT@,$CAT,;t t 27631s,@CAT@,$CAT,;t t
26109s,@KILL@,$KILL,;t t 27632s,@KILL@,$KILL,;t t
@@ -26116,10 +27639,10 @@ s,@TEST_SHELL@,$TEST_SHELL,;t t
26116s,@PATH_GROUPADD_PROG@,$PATH_GROUPADD_PROG,;t t 27639s,@PATH_GROUPADD_PROG@,$PATH_GROUPADD_PROG,;t t
26117s,@PATH_USERADD_PROG@,$PATH_USERADD_PROG,;t t 27640s,@PATH_USERADD_PROG@,$PATH_USERADD_PROG,;t t
26118s,@MAKE_PACKAGE_SUPPORTED@,$MAKE_PACKAGE_SUPPORTED,;t t 27641s,@MAKE_PACKAGE_SUPPORTED@,$MAKE_PACKAGE_SUPPORTED,;t t
27642s,@STARTUP_SCRIPT_SHELL@,$STARTUP_SCRIPT_SHELL,;t t
26119s,@LOGIN_PROGRAM_FALLBACK@,$LOGIN_PROGRAM_FALLBACK,;t t 27643s,@LOGIN_PROGRAM_FALLBACK@,$LOGIN_PROGRAM_FALLBACK,;t t
26120s,@PATH_PASSWD_PROG@,$PATH_PASSWD_PROG,;t t 27644s,@PATH_PASSWD_PROG@,$PATH_PASSWD_PROG,;t t
26121s,@LD@,$LD,;t t 27645s,@LD@,$LD,;t t
26122s,@EGREP@,$EGREP,;t t
26123s,@LIBWRAP@,$LIBWRAP,;t t 27646s,@LIBWRAP@,$LIBWRAP,;t t
26124s,@LIBEDIT@,$LIBEDIT,;t t 27647s,@LIBEDIT@,$LIBEDIT,;t t
26125s,@LIBPAM@,$LIBPAM,;t t 27648s,@LIBPAM@,$LIBPAM,;t t
diff --git a/configure.ac b/configure.ac
index 6e36aa22b..cfaaca92d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
1# $Id: configure.ac,v 1.292 2005/08/31 16:59:49 tim Exp $ 1# $Id: configure.ac,v 1.322.2.6 2006/02/08 11:11:06 dtucker Exp $
2# 2#
3# Copyright (c) 1999-2004 Damien Miller 3# Copyright (c) 1999-2004 Damien Miller
4# 4#
@@ -15,6 +15,7 @@
15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 16
17AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) 17AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
18AC_REVISION($Revision: 1.322.2.6 $)
18AC_CONFIG_SRCDIR([ssh.c]) 19AC_CONFIG_SRCDIR([ssh.c])
19 20
20AC_CONFIG_HEADER(config.h) 21AC_CONFIG_HEADER(config.h)
@@ -27,6 +28,7 @@ AC_PROG_AWK
27AC_PROG_CPP 28AC_PROG_CPP
28AC_PROG_RANLIB 29AC_PROG_RANLIB
29AC_PROG_INSTALL 30AC_PROG_INSTALL
31AC_PROG_EGREP
30AC_PATH_PROG(AR, ar) 32AC_PATH_PROG(AR, ar)
31AC_PATH_PROG(CAT, cat) 33AC_PATH_PROG(CAT, cat)
32AC_PATH_PROG(KILL, kill) 34AC_PATH_PROG(KILL, kill)
@@ -47,6 +49,11 @@ AC_PATH_PROG(PATH_GROUPADD_PROG, groupadd, groupadd,
47AC_PATH_PROG(PATH_USERADD_PROG, useradd, useradd, 49AC_PATH_PROG(PATH_USERADD_PROG, useradd, useradd,
48 [/usr/sbin${PATH_SEPARATOR}/etc]) 50 [/usr/sbin${PATH_SEPARATOR}/etc])
49AC_CHECK_PROG(MAKE_PACKAGE_SUPPORTED, pkgmk, yes, no) 51AC_CHECK_PROG(MAKE_PACKAGE_SUPPORTED, pkgmk, yes, no)
52if test -x /sbin/sh; then
53 AC_SUBST(STARTUP_SCRIPT_SHELL,/sbin/sh)
54else
55 AC_SUBST(STARTUP_SCRIPT_SHELL,/bin/sh)
56fi
50 57
51# System features 58# System features
52AC_SYS_LARGEFILE 59AC_SYS_LARGEFILE
@@ -57,7 +64,9 @@ fi
57 64
58# Use LOGIN_PROGRAM from environment if possible 65# Use LOGIN_PROGRAM from environment if possible
59if test ! -z "$LOGIN_PROGRAM" ; then 66if test ! -z "$LOGIN_PROGRAM" ; then
60 AC_DEFINE_UNQUOTED(LOGIN_PROGRAM_FALLBACK, "$LOGIN_PROGRAM") 67 AC_DEFINE_UNQUOTED(LOGIN_PROGRAM_FALLBACK, "$LOGIN_PROGRAM",
68 [If your header files don't define LOGIN_PROGRAM,
69 then use this (detected) from environment and PATH])
61else 70else
62 # Search for login 71 # Search for login
63 AC_PATH_PROG(LOGIN_PROGRAM_FALLBACK, login) 72 AC_PATH_PROG(LOGIN_PROGRAM_FALLBACK, login)
@@ -68,7 +77,8 @@ fi
68 77
69AC_PATH_PROG(PATH_PASSWD_PROG, passwd) 78AC_PATH_PROG(PATH_PASSWD_PROG, passwd)
70if test ! -z "$PATH_PASSWD_PROG" ; then 79if test ! -z "$PATH_PASSWD_PROG" ; then
71 AC_DEFINE_UNQUOTED(_PATH_PASSWD_PROG, "$PATH_PASSWD_PROG") 80 AC_DEFINE_UNQUOTED(_PATH_PASSWD_PROG, "$PATH_PASSWD_PROG",
81 [Full path of your "passwd" program])
72fi 82fi
73 83
74if test -z "$LD" ; then 84if test -z "$LD" ; then
@@ -82,12 +92,14 @@ AC_CHECK_DECL(LLONG_MAX, have_llong_max=1, , [#include <limits.h>])
82 92
83if test "$GCC" = "yes" || test "$GCC" = "egcs"; then 93if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
84 CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized" 94 CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized"
85 GCC_VER=`$CC --version` 95 GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
86 case $GCC_VER in 96 case $GCC_VER in
87 1.*) ;; 97 1.*) ;;
88 2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;; 98 2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;;
89 2.*) ;; 99 2.*) ;;
90 *) CFLAGS="$CFLAGS -Wsign-compare" ;; 100 3.*) CFLAGS="$CFLAGS -Wsign-compare" ;;
101 4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign" ;;
102 *) ;;
91 esac 103 esac
92 104
93 if test -z "$have_llong_max"; then 105 if test -z "$have_llong_max"; then
@@ -103,70 +115,6 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
103 fi 115 fi
104fi 116fi
105 117
106if test -z "$have_llong_max"; then
107 AC_MSG_CHECKING([for max value of long long])
108 AC_RUN_IFELSE(
109 [AC_LANG_SOURCE([[
110#include <stdio.h>
111/* Why is this so damn hard? */
112#ifdef __GNUC__
113# undef __GNUC__
114#endif
115#define __USE_ISOC99
116#include <limits.h>
117#define DATA "conftest.llminmax"
118int main(void) {
119 FILE *f;
120 long long i, llmin, llmax = 0;
121
122 if((f = fopen(DATA,"w")) == NULL)
123 exit(1);
124
125#if defined(LLONG_MIN) && defined(LLONG_MAX)
126 fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
127 llmin = LLONG_MIN;
128 llmax = LLONG_MAX;
129#else
130 fprintf(stderr, "Calculating LLONG_MIN and LLONG_MAX\n");
131 /* This will work on one's complement and two's complement */
132 for (i = 1; i > llmax; i <<= 1, i++)
133 llmax = i;
134 llmin = llmax + 1LL; /* wrap */
135#endif
136
137 /* Sanity check */
138 if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
139 || llmax - 1 > llmax) {
140 fprintf(f, "unknown unknown\n");
141 exit(2);
142 }
143
144 if (fprintf(f ,"%lld %lld", llmin, llmax) < 0)
145 exit(3);
146
147 exit(0);
148}
149 ]])],
150 [
151 llong_min=`$AWK '{print $1}' conftest.llminmax`
152 llong_max=`$AWK '{print $2}' conftest.llminmax`
153 AC_MSG_RESULT($llong_max)
154 AC_DEFINE_UNQUOTED(LLONG_MAX, [${llong_max}LL],
155 [max value of long long calculated by configure])
156 AC_MSG_CHECKING([for min value of long long])
157 AC_MSG_RESULT($llong_min)
158 AC_DEFINE_UNQUOTED(LLONG_MIN, [${llong_min}LL],
159 [min value of long long calculated by configure])
160 ],
161 [
162 AC_MSG_RESULT(not found)
163 ],
164 [
165 AC_MSG_WARN([cross compiling: not checking])
166 ]
167 )
168fi
169
170AC_ARG_WITH(rpath, 118AC_ARG_WITH(rpath,
171 [ --without-rpath Disable auto-added -R linker paths], 119 [ --without-rpath Disable auto-added -R linker paths],
172 [ 120 [
@@ -201,7 +149,8 @@ case "$host" in
201 fi 149 fi
202 LDFLAGS="$saved_LDFLAGS" 150 LDFLAGS="$saved_LDFLAGS"
203 dnl Check for authenticate. Might be in libs.a on older AIXes 151 dnl Check for authenticate. Might be in libs.a on older AIXes
204 AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)], 152 AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE, 1,
153 [Define if you want to enable AIX4's authenticate function])],
205 [AC_CHECK_LIB(s,authenticate, 154 [AC_CHECK_LIB(s,authenticate,
206 [ AC_DEFINE(WITH_AIXAUTHENTICATE) 155 [ AC_DEFINE(WITH_AIXAUTHENTICATE)
207 LIBS="$LIBS -ls" 156 LIBS="$LIBS -ls"
@@ -217,7 +166,9 @@ case "$host" in
217 [#include <usersec.h>], 166 [#include <usersec.h>],
218 [(void)loginfailed("user","host","tty",0);], 167 [(void)loginfailed("user","host","tty",0);],
219 [AC_MSG_RESULT(yes) 168 [AC_MSG_RESULT(yes)
220 AC_DEFINE(AIX_LOGINFAILED_4ARG)], 169 AC_DEFINE(AIX_LOGINFAILED_4ARG, 1,
170 [Define if your AIX loginfailed() function
171 takes 4 arguments (AIX >= 5.2)])],
221 [AC_MSG_RESULT(no)] 172 [AC_MSG_RESULT(no)]
222 )], 173 )],
223 [], 174 [],
@@ -225,25 +176,38 @@ case "$host" in
225 ) 176 )
226 AC_CHECK_FUNCS(setauthdb) 177 AC_CHECK_FUNCS(setauthdb)
227 check_for_aix_broken_getaddrinfo=1 178 check_for_aix_broken_getaddrinfo=1
228 AC_DEFINE(BROKEN_REALPATH) 179 AC_DEFINE(BROKEN_REALPATH, 1, [Define if you have a broken realpath.])
229 AC_DEFINE(SETEUID_BREAKS_SETUID) 180 AC_DEFINE(SETEUID_BREAKS_SETUID, 1,
230 AC_DEFINE(BROKEN_SETREUID) 181 [Define if your platform breaks doing a seteuid before a setuid])
231 AC_DEFINE(BROKEN_SETREGID) 182 AC_DEFINE(BROKEN_SETREUID, 1, [Define if your setreuid() is broken])
183 AC_DEFINE(BROKEN_SETREGID, 1, [Define if your setregid() is broken])
232 dnl AIX handles lastlog as part of its login message 184 dnl AIX handles lastlog as part of its login message
233 AC_DEFINE(DISABLE_LASTLOG) 185 AC_DEFINE(DISABLE_LASTLOG, 1, [Define if you don't want to use lastlog])
234 AC_DEFINE(LOGIN_NEEDS_UTMPX) 186 AC_DEFINE(LOGIN_NEEDS_UTMPX, 1,
235 AC_DEFINE(SPT_TYPE,SPT_REUSEARGV) 187 [Some systems need a utmpx entry for /bin/login to work])
188 AC_DEFINE(SPT_TYPE,SPT_REUSEARGV,
189 [Define to a Set Process Title type if your system is
190 supported by bsd-setproctitle.c])
191 AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID, 1,
192 [AIX 5.2 and 5.3 (and presumably newer) require this])
236 ;; 193 ;;
237*-*-cygwin*) 194*-*-cygwin*)
238 check_for_libcrypt_later=1 195 check_for_libcrypt_later=1
239 LIBS="$LIBS /usr/lib/textmode.o" 196 LIBS="$LIBS /usr/lib/textmode.o"
240 AC_DEFINE(HAVE_CYGWIN) 197 AC_DEFINE(HAVE_CYGWIN, 1, [Define if you are on Cygwin])
241 AC_DEFINE(USE_PIPES) 198 AC_DEFINE(USE_PIPES, 1, [Use PIPES instead of a socketpair()])
242 AC_DEFINE(DISABLE_SHADOW) 199 AC_DEFINE(DISABLE_SHADOW, 1,
243 AC_DEFINE(IP_TOS_IS_BROKEN) 200 [Define if you want to disable shadow passwords])
244 AC_DEFINE(NO_X11_UNIX_SOCKETS) 201 AC_DEFINE(IP_TOS_IS_BROKEN, 1,
245 AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT) 202 [Define if your system choked on IP TOS setting])
246 AC_DEFINE(DISABLE_FD_PASSING) 203 AC_DEFINE(NO_X11_UNIX_SOCKETS, 1,
204 [Define if X11 doesn't support AF_UNIX sockets on that system])
205 AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT, 1,
206 [Define if the concept of ports only accessible to
207 superusers isn't known])
208 AC_DEFINE(DISABLE_FD_PASSING, 1,
209 [Define if your platform needs to skip post auth
210 file descriptor passing])
247 ;; 211 ;;
248*-*-dgux*) 212*-*-dgux*)
249 AC_DEFINE(IP_TOS_IS_BROKEN) 213 AC_DEFINE(IP_TOS_IS_BROKEN)
@@ -260,44 +224,50 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
260 exit(1); 224 exit(1);
261}], [AC_MSG_RESULT(working)], 225}], [AC_MSG_RESULT(working)],
262 [AC_MSG_RESULT(buggy) 226 [AC_MSG_RESULT(buggy)
263 AC_DEFINE(BROKEN_GETADDRINFO)], 227 AC_DEFINE(BROKEN_GETADDRINFO, 1, [getaddrinfo is broken (if present)])],
264 [AC_MSG_RESULT(assume it is working)]) 228 [AC_MSG_RESULT(assume it is working)])
265 AC_DEFINE(SETEUID_BREAKS_SETUID) 229 AC_DEFINE(SETEUID_BREAKS_SETUID)
266 AC_DEFINE(BROKEN_SETREUID) 230 AC_DEFINE(BROKEN_SETREUID)
267 AC_DEFINE(BROKEN_SETREGID) 231 AC_DEFINE(BROKEN_SETREGID)
268 AC_DEFINE_UNQUOTED(BIND_8_COMPAT, 1) 232 AC_DEFINE_UNQUOTED(BIND_8_COMPAT, 1,
269 AC_MSG_CHECKING(if we have the Security Authorization Session API) 233 [Define if your resolver libs need this for getrrsetbyname])
270 AC_TRY_COMPILE([#include <Security/AuthSession.h>], 234 AC_MSG_CHECKING(if we have the Security Authorization Session API)
271 [SessionCreate(0, 0);], 235 AC_TRY_COMPILE([#include <Security/AuthSession.h>],
272 [ac_cv_use_security_session_api="yes" 236 [SessionCreate(0, 0);],
273 AC_DEFINE(USE_SECURITY_SESSION_API) 237 [ac_cv_use_security_session_api="yes"
274 LIBS="$LIBS -framework Security" 238 AC_DEFINE(USE_SECURITY_SESSION_API, 1,
275 AC_MSG_RESULT(yes)], 239 [platform has the Security Authorization Session API])
276 [ac_cv_use_security_session_api="no" 240 LIBS="$LIBS -framework Security"
277 AC_MSG_RESULT(no)]) 241 AC_MSG_RESULT(yes)],
278 AC_MSG_CHECKING(if we have an in-memory credentials cache) 242 [ac_cv_use_security_session_api="no"
279 AC_TRY_COMPILE( 243 AC_MSG_RESULT(no)])
280 [#include <Kerberos/Kerberos.h>], 244 AC_MSG_CHECKING(if we have an in-memory credentials cache)
281 [cc_context_t c; 245 AC_TRY_COMPILE(
282 (void) cc_initialize (&c, 0, NULL, NULL);], 246 [#include <Kerberos/Kerberos.h>],
283 [AC_DEFINE(USE_CCAPI) 247 [cc_context_t c;
284 LIBS="$LIBS -framework Security" 248 (void) cc_initialize (&c, 0, NULL, NULL);],
285 AC_MSG_RESULT(yes) 249 [AC_DEFINE(USE_CCAPI, 1,
286 if test "x$ac_cv_use_security_session_api" = "xno"; then 250 [platform uses an in-memory credentials cache])
287 AC_MSG_ERROR(*** Need a security framework to use the credentials cache API ***) 251 LIBS="$LIBS -framework Security"
288 fi], 252 AC_MSG_RESULT(yes)
289 [AC_MSG_RESULT(no)] 253 if test "x$ac_cv_use_security_session_api" = "xno"; then
290 ) 254 AC_MSG_ERROR(*** Need a security framework to use the credentials cache API ***)
255 fi],
256 [AC_MSG_RESULT(no)]
257 )
291 ;; 258 ;;
292*-*-hpux*) 259*-*-hpux*)
293 # first we define all of the options common to all HP-UX releases 260 # first we define all of the options common to all HP-UX releases
294 CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1" 261 CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
295 IPADDR_IN_DISPLAY=yes 262 IPADDR_IN_DISPLAY=yes
296 AC_DEFINE(USE_PIPES) 263 AC_DEFINE(USE_PIPES)
297 AC_DEFINE(LOGIN_NO_ENDOPT) 264 AC_DEFINE(LOGIN_NO_ENDOPT, 1,
265 [Define if your login program cannot handle end of options ("--")])
298 AC_DEFINE(LOGIN_NEEDS_UTMPX) 266 AC_DEFINE(LOGIN_NEEDS_UTMPX)
299 AC_DEFINE(LOCKED_PASSWD_STRING, "*") 267 AC_DEFINE(LOCKED_PASSWD_STRING, "*",
268 [String used in /etc/passwd to denote locked account])
300 AC_DEFINE(SPT_TYPE,SPT_PSTAT) 269 AC_DEFINE(SPT_TYPE,SPT_PSTAT)
270 MAIL="/var/mail/username"
301 LIBS="$LIBS -lsec" 271 LIBS="$LIBS -lsec"
302 AC_CHECK_LIB(xnet, t_error, , 272 AC_CHECK_LIB(xnet, t_error, ,
303 AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) 273 AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
@@ -310,8 +280,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
310 fi 280 fi
311 ;; 281 ;;
312 *-*-hpux11*) 282 *-*-hpux11*)
313 AC_DEFINE(PAM_SUN_CODEBASE) 283 AC_DEFINE(PAM_SUN_CODEBASE, 1,
314 AC_DEFINE(DISABLE_UTMP) 284 [Define if you are using Solaris-derived PAM which
285 passes pam_messages to the conversation function
286 with an extra level of indirection])
287 AC_DEFINE(DISABLE_UTMP, 1,
288 [Define if you don't want to use utmp])
315 AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins]) 289 AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins])
316 check_for_hpux_broken_getaddrinfo=1 290 check_for_hpux_broken_getaddrinfo=1
317 check_for_conflicting_getspnam=1 291 check_for_conflicting_getspnam=1
@@ -321,7 +295,9 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
321 # lastly, we define options specific to minor releases 295 # lastly, we define options specific to minor releases
322 case "$host" in 296 case "$host" in
323 *-*-hpux10.26) 297 *-*-hpux10.26)
324 AC_DEFINE(HAVE_SECUREWARE) 298 AC_DEFINE(HAVE_SECUREWARE, 1,
299 [Define if you have SecureWare-based
300 protected password database])
325 disable_ptmx_check=yes 301 disable_ptmx_check=yes
326 LIBS="$LIBS -lsecpw" 302 LIBS="$LIBS -lsecpw"
327 ;; 303 ;;
@@ -329,24 +305,33 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
329 ;; 305 ;;
330*-*-irix5*) 306*-*-irix5*)
331 PATH="$PATH:/usr/etc" 307 PATH="$PATH:/usr/etc"
332 AC_DEFINE(BROKEN_INET_NTOA) 308 AC_DEFINE(BROKEN_INET_NTOA, 1,
309 [Define if you system's inet_ntoa is busted
310 (e.g. Irix gcc issue)])
333 AC_DEFINE(SETEUID_BREAKS_SETUID) 311 AC_DEFINE(SETEUID_BREAKS_SETUID)
334 AC_DEFINE(BROKEN_SETREUID) 312 AC_DEFINE(BROKEN_SETREUID)
335 AC_DEFINE(BROKEN_SETREGID) 313 AC_DEFINE(BROKEN_SETREGID)
336 AC_DEFINE(WITH_ABBREV_NO_TTY) 314 AC_DEFINE(WITH_ABBREV_NO_TTY, 1,
315 [Define if you shouldn't strip 'tty' from your
316 ttyname in [uw]tmp])
337 AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") 317 AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
338 ;; 318 ;;
339*-*-irix6*) 319*-*-irix6*)
340 PATH="$PATH:/usr/etc" 320 PATH="$PATH:/usr/etc"
341 AC_DEFINE(WITH_IRIX_ARRAY) 321 AC_DEFINE(WITH_IRIX_ARRAY, 1,
342 AC_DEFINE(WITH_IRIX_PROJECT) 322 [Define if you have/want arrays
343 AC_DEFINE(WITH_IRIX_AUDIT) 323 (cluster-wide session managment, not C arrays)])
344 AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS)]) 324 AC_DEFINE(WITH_IRIX_PROJECT, 1,
325 [Define if you want IRIX project management])
326 AC_DEFINE(WITH_IRIX_AUDIT, 1,
327 [Define if you want IRIX audit trails])
328 AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS, 1,
329 [Define if you want IRIX kernel jobs])])
345 AC_DEFINE(BROKEN_INET_NTOA) 330 AC_DEFINE(BROKEN_INET_NTOA)
346 AC_DEFINE(SETEUID_BREAKS_SETUID) 331 AC_DEFINE(SETEUID_BREAKS_SETUID)
347 AC_DEFINE(BROKEN_SETREUID) 332 AC_DEFINE(BROKEN_SETREUID)
348 AC_DEFINE(BROKEN_SETREGID) 333 AC_DEFINE(BROKEN_SETREGID)
349 AC_DEFINE(BROKEN_UPDWTMPX) 334 AC_DEFINE(BROKEN_UPDWTMPX, 1, [updwtmpx is broken (if present)])
350 AC_DEFINE(WITH_ABBREV_NO_TTY) 335 AC_DEFINE(WITH_ABBREV_NO_TTY)
351 AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") 336 AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
352 ;; 337 ;;
@@ -354,22 +339,37 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
354 no_dev_ptmx=1 339 no_dev_ptmx=1
355 check_for_libcrypt_later=1 340 check_for_libcrypt_later=1
356 check_for_openpty_ctty_bug=1 341 check_for_openpty_ctty_bug=1
357 AC_DEFINE(DONT_TRY_OTHER_AF) 342 AC_DEFINE(DONT_TRY_OTHER_AF, 1, [Workaround more Linux IPv6 quirks])
358 AC_DEFINE(PAM_TTY_KLUDGE) 343 AC_DEFINE(PAM_TTY_KLUDGE, 1,
359 AC_DEFINE(LOCKED_PASSWD_PREFIX, "!") 344 [Work around problematic Linux PAM modules handling of PAM_TTY])
345 AC_DEFINE(LOCKED_PASSWD_PREFIX, "!",
346 [String used in /etc/passwd to denote locked account])
360 AC_DEFINE(SPT_TYPE,SPT_REUSEARGV) 347 AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
361 AC_DEFINE(LINK_OPNOTSUPP_ERRNO, EPERM) 348 AC_DEFINE(LINK_OPNOTSUPP_ERRNO, EPERM,
349 [Define to whatever link() returns for "not supported"
350 if it doesn't return EOPNOTSUPP.])
362 AC_DEFINE(_PATH_BTMP, "/var/log/btmp", [log for bad login attempts]) 351 AC_DEFINE(_PATH_BTMP, "/var/log/btmp", [log for bad login attempts])
363 AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins]) 352 AC_DEFINE(USE_BTMP)
364 inet6_default_4in6=yes 353 inet6_default_4in6=yes
365 case `uname -r` in 354 case `uname -r` in
366 1.*|2.0.*) 355 1.*|2.0.*)
367 AC_DEFINE(BROKEN_CMSG_TYPE) 356 AC_DEFINE(BROKEN_CMSG_TYPE, 1,
357 [Define if cmsg_type is not passed correctly])
368 ;; 358 ;;
369 esac 359 esac
360 # tun(4) forwarding compat code
361 AC_CHECK_HEADERS(linux/if_tun.h)
362 if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
363 AC_DEFINE(SSH_TUN_LINUX, 1,
364 [Open tunnel devices the Linux tun/tap way])
365 AC_DEFINE(SSH_TUN_COMPAT_AF, 1,
366 [Use tunnel device compatibility to OpenBSD])
367 AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
368 [Prepend the address family to IP tunnel traffic])
369 fi
370 ;; 370 ;;
371mips-sony-bsd|mips-sony-newsos4) 371mips-sony-bsd|mips-sony-newsos4)
372 AC_DEFINE(NEED_SETPRGP, [], [Need setpgrp to acquire controlling tty]) 372 AC_DEFINE(NEED_SETPGRP, 1, [Need setpgrp to acquire controlling tty])
373 SONY=1 373 SONY=1
374 ;; 374 ;;
375*-*-netbsd*) 375*-*-netbsd*)
@@ -377,9 +377,18 @@ mips-sony-bsd|mips-sony-newsos4)
377 if test "x$withval" != "xno" ; then 377 if test "x$withval" != "xno" ; then
378 need_dash_r=1 378 need_dash_r=1
379 fi 379 fi
380 AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way])
381 AC_CHECK_HEADER([net/if_tap.h], ,
382 AC_DEFINE(SSH_TUN_NO_L2, 1, [No layer 2 tunnel support]))
383 AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
384 [Prepend the address family to IP tunnel traffic])
380 ;; 385 ;;
381*-*-freebsd*) 386*-*-freebsd*)
382 check_for_libcrypt_later=1 387 check_for_libcrypt_later=1
388 AC_DEFINE(LOCKED_PASSWD_PREFIX, "*LOCKED*", [Account locked with pw(1)])
389 AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way])
390 AC_CHECK_HEADER([net/if_tap.h], ,
391 AC_DEFINE(SSH_TUN_NO_L2, 1, [No layer 2 tunnel support]))
383 ;; 392 ;;
384*-*-bsdi*) 393*-*-bsdi*)
385 AC_DEFINE(SETEUID_BREAKS_SETUID) 394 AC_DEFINE(SETEUID_BREAKS_SETUID)
@@ -391,13 +400,15 @@ mips-sony-bsd|mips-sony-newsos4)
391 conf_utmp_location=/etc/utmp 400 conf_utmp_location=/etc/utmp
392 conf_wtmp_location=/usr/adm/wtmp 401 conf_wtmp_location=/usr/adm/wtmp
393 MAIL=/usr/spool/mail 402 MAIL=/usr/spool/mail
394 AC_DEFINE(HAVE_NEXT) 403 AC_DEFINE(HAVE_NEXT, 1, [Define if you are on NeXT])
395 AC_DEFINE(BROKEN_REALPATH) 404 AC_DEFINE(BROKEN_REALPATH)
396 AC_DEFINE(USE_PIPES) 405 AC_DEFINE(USE_PIPES)
397 AC_DEFINE(BROKEN_SAVED_UIDS) 406 AC_DEFINE(BROKEN_SAVED_UIDS, 1, [Needed for NeXT])
398 ;; 407 ;;
399*-*-openbsd*) 408*-*-openbsd*)
400 AC_DEFINE(HAVE_ATTRIBUTE__SENTINEL__, 1, [OpenBSD's gcc has sentinel]) 409 AC_DEFINE(HAVE_ATTRIBUTE__SENTINEL__, 1, [OpenBSD's gcc has sentinel])
410 AC_DEFINE(HAVE_ATTRIBUTE__BOUNDED__, 1, [OpenBSD's gcc has bounded])
411 AC_DEFINE(SSH_TUN_OPENBSD, 1, [Open tunnel devices the OpenBSD way])
401 ;; 412 ;;
402*-*-solaris*) 413*-*-solaris*)
403 if test "x$withval" != "xno" ; then 414 if test "x$withval" != "xno" ; then
@@ -405,12 +416,18 @@ mips-sony-bsd|mips-sony-newsos4)
405 fi 416 fi
406 AC_DEFINE(PAM_SUN_CODEBASE) 417 AC_DEFINE(PAM_SUN_CODEBASE)
407 AC_DEFINE(LOGIN_NEEDS_UTMPX) 418 AC_DEFINE(LOGIN_NEEDS_UTMPX)
408 AC_DEFINE(LOGIN_NEEDS_TERM) 419 AC_DEFINE(LOGIN_NEEDS_TERM, 1,
420 [Some versions of /bin/login need the TERM supplied
421 on the commandline])
409 AC_DEFINE(PAM_TTY_KLUDGE) 422 AC_DEFINE(PAM_TTY_KLUDGE)
410 AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID) 423 AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID, 1,
424 [Define if pam_chauthtok wants real uid set
425 to the unpriv'ed user])
411 AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") 426 AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
412 # Pushing STREAMS modules will cause sshd to acquire a controlling tty. 427 # Pushing STREAMS modules will cause sshd to acquire a controlling tty.
413 AC_DEFINE(SSHD_ACQUIRES_CTTY) 428 AC_DEFINE(SSHD_ACQUIRES_CTTY, 1,
429 [Define if sshd somehow reacquires a controlling TTY
430 after setsid()])
414 external_path_file=/etc/default/login 431 external_path_file=/etc/default/login
415 # hardwire lastlog location (can't detect it on some versions) 432 # hardwire lastlog location (can't detect it on some versions)
416 conf_lastlog_location="/var/adm/lastlog" 433 conf_lastlog_location="/var/adm/lastlog"
@@ -419,7 +436,8 @@ mips-sony-bsd|mips-sony-newsos4)
419 if test "$sol2ver" -ge 8; then 436 if test "$sol2ver" -ge 8; then
420 AC_MSG_RESULT(yes) 437 AC_MSG_RESULT(yes)
421 AC_DEFINE(DISABLE_UTMP) 438 AC_DEFINE(DISABLE_UTMP)
422 AC_DEFINE(DISABLE_WTMP) 439 AC_DEFINE(DISABLE_WTMP, 1,
440 [Define if you don't want to use wtmp])
423 else 441 else
424 AC_MSG_RESULT(no) 442 AC_MSG_RESULT(no)
425 fi 443 fi
@@ -444,8 +462,8 @@ mips-sony-bsd|mips-sony-newsos4)
444*-sni-sysv*) 462*-sni-sysv*)
445 # /usr/ucblib MUST NOT be searched on ReliantUNIX 463 # /usr/ucblib MUST NOT be searched on ReliantUNIX
446 AC_CHECK_LIB(dl, dlsym, ,) 464 AC_CHECK_LIB(dl, dlsym, ,)
447 # -lresolv needs to be at then end of LIBS or DNS lookups break 465 # -lresolv needs to be at the end of LIBS or DNS lookups break
448 AC_CHECK_LIB(res_query, resolv, [ LIBS="$LIBS -lresolv" ]) 466 AC_CHECK_LIB(resolv, res_query, [ LIBS="$LIBS -lresolv" ])
449 IPADDR_IN_DISPLAY=yes 467 IPADDR_IN_DISPLAY=yes
450 AC_DEFINE(USE_PIPES) 468 AC_DEFINE(USE_PIPES)
451 AC_DEFINE(IP_TOS_IS_BROKEN) 469 AC_DEFINE(IP_TOS_IS_BROKEN)
@@ -460,11 +478,13 @@ mips-sony-bsd|mips-sony-newsos4)
460 ;; 478 ;;
461# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel. 479# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
462*-*-sysv4.2*) 480*-*-sysv4.2*)
481 CFLAGS="$CFLAGS -Dva_list=_VA_LIST"
463 AC_DEFINE(USE_PIPES) 482 AC_DEFINE(USE_PIPES)
464 AC_DEFINE(SETEUID_BREAKS_SETUID) 483 AC_DEFINE(SETEUID_BREAKS_SETUID)
465 AC_DEFINE(BROKEN_SETREUID) 484 AC_DEFINE(BROKEN_SETREUID)
466 AC_DEFINE(BROKEN_SETREGID) 485 AC_DEFINE(BROKEN_SETREGID)
467 AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd]) 486 AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd])
487 AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
468 ;; 488 ;;
469# UnixWare 7.x, OpenUNIX 8 489# UnixWare 7.x, OpenUNIX 8
470*-*-sysv5*) 490*-*-sysv5*)
@@ -474,11 +494,14 @@ mips-sony-bsd|mips-sony-newsos4)
474 AC_DEFINE(SETEUID_BREAKS_SETUID) 494 AC_DEFINE(SETEUID_BREAKS_SETUID)
475 AC_DEFINE(BROKEN_SETREUID) 495 AC_DEFINE(BROKEN_SETREUID)
476 AC_DEFINE(BROKEN_SETREGID) 496 AC_DEFINE(BROKEN_SETREGID)
477 AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd]) 497 AC_DEFINE(PASSWD_NEEDS_USERNAME)
478 case "$host" in 498 case "$host" in
479 *-*-sysv5SCO_SV*) # SCO OpenServer 6.x 499 *-*-sysv5SCO_SV*) # SCO OpenServer 6.x
480 TEST_SHELL=/u95/bin/sh 500 TEST_SHELL=/u95/bin/sh
481 AC_DEFINE(BROKEN_LIBIAF, 1, [ia_uinfo routines not supported by OS yet]) 501 AC_DEFINE(BROKEN_LIBIAF, 1,
502 [ia_uinfo routines not supported by OS yet])
503 ;;
504 *) AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
482 ;; 505 ;;
483 esac 506 esac
484 ;; 507 ;;
@@ -504,13 +527,14 @@ mips-sony-bsd|mips-sony-newsos4)
504 AC_DEFINE(BROKEN_SETREGID) 527 AC_DEFINE(BROKEN_SETREGID)
505 AC_DEFINE(WITH_ABBREV_NO_TTY) 528 AC_DEFINE(WITH_ABBREV_NO_TTY)
506 AC_DEFINE(BROKEN_UPDWTMPX) 529 AC_DEFINE(BROKEN_UPDWTMPX)
507 AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd]) 530 AC_DEFINE(PASSWD_NEEDS_USERNAME)
508 AC_CHECK_FUNCS(getluid setluid) 531 AC_CHECK_FUNCS(getluid setluid)
509 MANTYPE=man 532 MANTYPE=man
510 TEST_SHELL=ksh 533 TEST_SHELL=ksh
511 ;; 534 ;;
512*-*-unicosmk*) 535*-*-unicosmk*)
513 AC_DEFINE(NO_SSH_LASTLOG) 536 AC_DEFINE(NO_SSH_LASTLOG, 1,
537 [Define if you don't want to use lastlog in session.c])
514 AC_DEFINE(SETEUID_BREAKS_SETUID) 538 AC_DEFINE(SETEUID_BREAKS_SETUID)
515 AC_DEFINE(BROKEN_SETREUID) 539 AC_DEFINE(BROKEN_SETREUID)
516 AC_DEFINE(BROKEN_SETREGID) 540 AC_DEFINE(BROKEN_SETREGID)
@@ -557,13 +581,18 @@ mips-sony-bsd|mips-sony-newsos4)
557 if test -z "$no_osfsia" ; then 581 if test -z "$no_osfsia" ; then
558 if test -f /etc/sia/matrix.conf; then 582 if test -f /etc/sia/matrix.conf; then
559 AC_MSG_RESULT(yes) 583 AC_MSG_RESULT(yes)
560 AC_DEFINE(HAVE_OSF_SIA) 584 AC_DEFINE(HAVE_OSF_SIA, 1,
561 AC_DEFINE(DISABLE_LOGIN) 585 [Define if you have Digital Unix Security
586 Integration Architecture])
587 AC_DEFINE(DISABLE_LOGIN, 1,
588 [Define if you don't want to use your
589 system's login() call])
562 AC_DEFINE(DISABLE_FD_PASSING) 590 AC_DEFINE(DISABLE_FD_PASSING)
563 LIBS="$LIBS -lsecurity -ldb -lm -laud" 591 LIBS="$LIBS -lsecurity -ldb -lm -laud"
564 else 592 else
565 AC_MSG_RESULT(no) 593 AC_MSG_RESULT(no)
566 AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin") 594 AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin",
595 [String used in /etc/passwd to denote locked account])
567 fi 596 fi
568 fi 597 fi
569 AC_DEFINE(BROKEN_GETADDRINFO) 598 AC_DEFINE(BROKEN_GETADDRINFO)
@@ -572,24 +601,25 @@ mips-sony-bsd|mips-sony-newsos4)
572 AC_DEFINE(BROKEN_SETREGID) 601 AC_DEFINE(BROKEN_SETREGID)
573 ;; 602 ;;
574 603
575*-*-nto-qnx) 604*-*-nto-qnx*)
576 AC_DEFINE(USE_PIPES) 605 AC_DEFINE(USE_PIPES)
577 AC_DEFINE(NO_X11_UNIX_SOCKETS) 606 AC_DEFINE(NO_X11_UNIX_SOCKETS)
578 AC_DEFINE(MISSING_NFDBITS) 607 AC_DEFINE(MISSING_NFDBITS, 1, [Define on *nto-qnx systems])
579 AC_DEFINE(MISSING_HOWMANY) 608 AC_DEFINE(MISSING_HOWMANY, 1, [Define on *nto-qnx systems])
580 AC_DEFINE(MISSING_FD_MASK) 609 AC_DEFINE(MISSING_FD_MASK, 1, [Define on *nto-qnx systems])
610 AC_DEFINE(DISABLE_LASTLOG)
581 ;; 611 ;;
582 612
583*-*-ultrix*) 613*-*-ultrix*)
584 AC_DEFINE(BROKEN_GETGROUPS, [], [getgroups(0,NULL) will return -1]) 614 AC_DEFINE(BROKEN_GETGROUPS, 1, [getgroups(0,NULL) will return -1])
585 AC_DEFINE(BROKEN_MMAP, [], [Ultrix mmap can't map files]) 615 AC_DEFINE(BROKEN_MMAP, 1, [Ultrix mmap can't map files])
586 AC_DEFINE(NEED_SETPRGP, [], [Need setpgrp to acquire controlling tty]) 616 AC_DEFINE(NEED_SETPGRP)
587 AC_DEFINE(HAVE_SYS_SYSLOG_H, 1, [Force use of sys/syslog.h on Ultrix]) 617 AC_DEFINE(HAVE_SYS_SYSLOG_H, 1, [Force use of sys/syslog.h on Ultrix])
588 ;; 618 ;;
589 619
590*-*-lynxos) 620*-*-lynxos)
591 CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__" 621 CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
592 AC_DEFINE(MISSING_HOWMANY) 622 AC_DEFINE(MISSING_HOWMANY)
593 AC_DEFINE(BROKEN_SETVBUF, 1, [LynxOS has broken setvbuf() implementation]) 623 AC_DEFINE(BROKEN_SETVBUF, 1, [LynxOS has broken setvbuf() implementation])
594 ;; 624 ;;
595esac 625esac
@@ -636,7 +666,7 @@ AC_ARG_WITH(Werror,
636 [ 666 [
637 if test -n "$withval" && test "x$withval" != "xno"; then 667 if test -n "$withval" && test "x$withval" != "xno"; then
638 werror_flags="-Werror" 668 werror_flags="-Werror"
639 if "x${withval}" != "xyes"; then 669 if test "x${withval}" != "xyes"; then
640 werror_flags="$withval" 670 werror_flags="$withval"
641 fi 671 fi
642 fi 672 fi
@@ -669,7 +699,6 @@ AC_CHECK_HEADERS( \
669 glob.h \ 699 glob.h \
670 ia.h \ 700 ia.h \
671 iaf.h \ 701 iaf.h \
672 lastlog.h \
673 limits.h \ 702 limits.h \
674 login.h \ 703 login.h \
675 login_cap.h \ 704 login_cap.h \
@@ -677,7 +706,6 @@ AC_CHECK_HEADERS( \
677 ndir.h \ 706 ndir.h \
678 netdb.h \ 707 netdb.h \
679 netgroup.h \ 708 netgroup.h \
680 netinet/in_systm.h \
681 pam/pam_appl.h \ 709 pam/pam_appl.h \
682 paths.h \ 710 paths.h \
683 pty.h \ 711 pty.h \
@@ -719,6 +747,13 @@ AC_CHECK_HEADERS( \
719 vis.h \ 747 vis.h \
720) 748)
721 749
750# lastlog.h requires sys/time.h to be included first on Solaris
751AC_CHECK_HEADERS(lastlog.h, [], [], [
752#ifdef HAVE_SYS_TIME_H
753# include <sys/time.h>
754#endif
755])
756
722# sys/ptms.h requires sys/stream.h to be included first on Solaris 757# sys/ptms.h requires sys/stream.h to be included first on Solaris
723AC_CHECK_HEADERS(sys/ptms.h, [], [], [ 758AC_CHECK_HEADERS(sys/ptms.h, [], [], [
724#ifdef HAVE_SYS_STREAM_H 759#ifdef HAVE_SYS_STREAM_H
@@ -737,8 +772,8 @@ AC_CHECK_FUNCS(dirname, [AC_CHECK_HEADERS(libgen.h)] ,[
737 ac_cv_have_broken_dirname, [ 772 ac_cv_have_broken_dirname, [
738 save_LIBS="$LIBS" 773 save_LIBS="$LIBS"
739 LIBS="$LIBS -lgen" 774 LIBS="$LIBS -lgen"
740 AC_TRY_RUN( 775 AC_RUN_IFELSE(
741 [ 776 [AC_LANG_SOURCE([[
742#include <libgen.h> 777#include <libgen.h>
743#include <string.h> 778#include <string.h>
744 779
@@ -753,9 +788,10 @@ int main(int argc, char **argv) {
753 exit(0); 788 exit(0);
754 } 789 }
755} 790}
756 ], 791 ]])],
792 [ ac_cv_have_broken_dirname="no" ],
793 [ ac_cv_have_broken_dirname="yes" ],
757 [ ac_cv_have_broken_dirname="no" ], 794 [ ac_cv_have_broken_dirname="no" ],
758 [ ac_cv_have_broken_dirname="yes" ]
759 ) 795 )
760 LIBS="$save_LIBS" 796 LIBS="$save_LIBS"
761 ]) 797 ])
@@ -769,7 +805,8 @@ int main(int argc, char **argv) {
769 805
770AC_CHECK_FUNC(getspnam, , 806AC_CHECK_FUNC(getspnam, ,
771 AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen")) 807 AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen"))
772AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) 808AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME, 1,
809 [Define if you have the basename function.]))
773 810
774dnl zlib is required 811dnl zlib is required
775AC_ARG_WITH(zlib, 812AC_ARG_WITH(zlib,
@@ -873,14 +910,15 @@ dnl UnixWare 2.x
873AC_CHECK_FUNC(strcasecmp, 910AC_CHECK_FUNC(strcasecmp,
874 [], [ AC_CHECK_LIB(resolv, strcasecmp, LIBS="$LIBS -lresolv") ] 911 [], [ AC_CHECK_LIB(resolv, strcasecmp, LIBS="$LIBS -lresolv") ]
875) 912)
876AC_CHECK_FUNC(utimes, 913AC_CHECK_FUNCS(utimes,
877 [], [ AC_CHECK_LIB(c89, utimes, [AC_DEFINE(HAVE_UTIMES) 914 [], [ AC_CHECK_LIB(c89, utimes, [AC_DEFINE(HAVE_UTIMES)
878 LIBS="$LIBS -lc89"]) ] 915 LIBS="$LIBS -lc89"]) ]
879) 916)
880 917
881dnl Checks for libutil functions 918dnl Checks for libutil functions
882AC_CHECK_HEADERS(libutil.h) 919AC_CHECK_HEADERS(libutil.h)
883AC_SEARCH_LIBS(login, util bsd, [AC_DEFINE(HAVE_LOGIN)]) 920AC_SEARCH_LIBS(login, util bsd, [AC_DEFINE(HAVE_LOGIN, 1,
921 [Define if your libraries define login()])])
884AC_CHECK_FUNCS(logout updwtmp logwtmp) 922AC_CHECK_FUNCS(logout updwtmp logwtmp)
885 923
886AC_FUNC_STRFTIME 924AC_FUNC_STRFTIME
@@ -895,7 +933,9 @@ AC_EGREP_CPP(FOUNDIT,
895 #endif 933 #endif
896 ], 934 ],
897 [ 935 [
898 AC_DEFINE(GLOB_HAS_ALTDIRFUNC) 936 AC_DEFINE(GLOB_HAS_ALTDIRFUNC, 1,
937 [Define if your system glob() function has
938 the GLOB_ALTDIRFUNC extension])
899 AC_MSG_RESULT(yes) 939 AC_MSG_RESULT(yes)
900 ], 940 ],
901 [ 941 [
@@ -911,7 +951,9 @@ AC_EGREP_CPP(FOUNDIT,
911 int main(void){glob_t g; g.gl_matchc = 1;} 951 int main(void){glob_t g; g.gl_matchc = 1;}
912 ], 952 ],
913 [ 953 [
914 AC_DEFINE(GLOB_HAS_GL_MATCHC) 954 AC_DEFINE(GLOB_HAS_GL_MATCHC, 1,
955 [Define if your system glob() function has
956 gl_matchc options in glob_t])
915 AC_MSG_RESULT(yes) 957 AC_MSG_RESULT(yes)
916 ], 958 ],
917 [ 959 [
@@ -929,7 +971,9 @@ int main(void){struct dirent d;exit(sizeof(d.d_name)<=sizeof(char));}
929 [AC_MSG_RESULT(yes)], 971 [AC_MSG_RESULT(yes)],
930 [ 972 [
931 AC_MSG_RESULT(no) 973 AC_MSG_RESULT(no)
932 AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME) 974 AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME, 1,
975 [Define if your struct dirent expects you to
976 allocate extra space for d_name])
933 ], 977 ],
934 [ 978 [
935 AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME]) 979 AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
@@ -939,7 +983,7 @@ int main(void){struct dirent d;exit(sizeof(d.d_name)<=sizeof(char));}
939 983
940AC_MSG_CHECKING([for /proc/pid/fd directory]) 984AC_MSG_CHECKING([for /proc/pid/fd directory])
941if test -d "/proc/$$/fd" ; then 985if test -d "/proc/$$/fd" ; then
942 AC_DEFINE(HAVE_PROC_PID) 986 AC_DEFINE(HAVE_PROC_PID, 1, [Define if you have /proc/$pid/fd])
943 AC_MSG_RESULT(yes) 987 AC_MSG_RESULT(yes)
944else 988else
945 AC_MSG_RESULT(no) 989 AC_MSG_RESULT(no)
@@ -957,17 +1001,17 @@ AC_ARG_WITH(skey,
957 LDFLAGS="$LDFLAGS -L${withval}/lib" 1001 LDFLAGS="$LDFLAGS -L${withval}/lib"
958 fi 1002 fi
959 1003
960 AC_DEFINE(SKEY) 1004 AC_DEFINE(SKEY, 1, [Define if you want S/Key support])
961 LIBS="-lskey $LIBS" 1005 LIBS="-lskey $LIBS"
962 SKEY_MSG="yes" 1006 SKEY_MSG="yes"
963 1007
964 AC_MSG_CHECKING([for s/key support]) 1008 AC_MSG_CHECKING([for s/key support])
965 AC_TRY_RUN( 1009 AC_LINK_IFELSE(
966 [ 1010 [AC_LANG_SOURCE([[
967#include <stdio.h> 1011#include <stdio.h>
968#include <skey.h> 1012#include <skey.h>
969int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); } 1013int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); }
970 ], 1014 ]])],
971 [AC_MSG_RESULT(yes)], 1015 [AC_MSG_RESULT(yes)],
972 [ 1016 [
973 AC_MSG_RESULT(no) 1017 AC_MSG_RESULT(no)
@@ -979,7 +1023,9 @@ int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); }
979 #include <skey.h>], 1023 #include <skey.h>],
980 [(void)skeychallenge(NULL,"name","",0);], 1024 [(void)skeychallenge(NULL,"name","",0);],
981 [AC_MSG_RESULT(yes) 1025 [AC_MSG_RESULT(yes)
982 AC_DEFINE(SKEYCHALLENGE_4ARG)], 1026 AC_DEFINE(SKEYCHALLENGE_4ARG, 1,
1027 [Define if your skeychallenge()
1028 function takes 4 arguments (NetBSD)])],
983 [AC_MSG_RESULT(no)] 1029 [AC_MSG_RESULT(no)]
984 ) 1030 )
985 fi 1031 fi
@@ -1030,7 +1076,9 @@ AC_ARG_WITH(tcp-wrappers,
1030 [hosts_access(0);], 1076 [hosts_access(0);],
1031 [ 1077 [
1032 AC_MSG_RESULT(yes) 1078 AC_MSG_RESULT(yes)
1033 AC_DEFINE(LIBWRAP) 1079 AC_DEFINE(LIBWRAP, 1,
1080 [Define if you want
1081 TCP Wrappers support])
1034 AC_SUBST(LIBWRAP) 1082 AC_SUBST(LIBWRAP)
1035 TCPW_MSG="yes" 1083 TCPW_MSG="yes"
1036 ], 1084 ],
@@ -1049,11 +1097,15 @@ AC_ARG_WITH(libedit,
1049 [ --with-libedit[[=PATH]] Enable libedit support for sftp], 1097 [ --with-libedit[[=PATH]] Enable libedit support for sftp],
1050 [ if test "x$withval" != "xno" ; then 1098 [ if test "x$withval" != "xno" ; then
1051 if test "x$withval" != "xyes"; then 1099 if test "x$withval" != "xyes"; then
1052 CPPFLAGS="$CPPFLAGS -I$withval/include" 1100 CPPFLAGS="$CPPFLAGS -I${withval}/include"
1053 LDFLAGS="$LDFLAGS -L$withval/lib" 1101 if test -n "${need_dash_r}"; then
1102 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1103 else
1104 LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1105 fi
1054 fi 1106 fi
1055 AC_CHECK_LIB(edit, el_init, 1107 AC_CHECK_LIB(edit, el_init,
1056 [ AC_DEFINE(USE_LIBEDIT, [], [Use libedit for sftp]) 1108 [ AC_DEFINE(USE_LIBEDIT, 1, [Use libedit for sftp])
1057 LIBEDIT="-ledit -lcurses" 1109 LIBEDIT="-ledit -lcurses"
1058 LIBEDIT_MSG="yes" 1110 LIBEDIT_MSG="yes"
1059 AC_SUBST(LIBEDIT) 1111 AC_SUBST(LIBEDIT)
@@ -1097,12 +1149,12 @@ AC_ARG_WITH(audit,
1097 [AC_MSG_ERROR(BSM enabled and required function not found)]) 1149 [AC_MSG_ERROR(BSM enabled and required function not found)])
1098 # These are optional 1150 # These are optional
1099 AC_CHECK_FUNCS(getaudit_addr) 1151 AC_CHECK_FUNCS(getaudit_addr)
1100 AC_DEFINE(USE_BSM_AUDIT, [], [Use BSM audit module]) 1152 AC_DEFINE(USE_BSM_AUDIT, 1, [Use BSM audit module])
1101 ;; 1153 ;;
1102 debug) 1154 debug)
1103 AUDIT_MODULE=debug 1155 AUDIT_MODULE=debug
1104 AC_MSG_RESULT(debug) 1156 AC_MSG_RESULT(debug)
1105 AC_DEFINE(SSH_AUDIT_EVENTS, [], Use audit debugging module) 1157 AC_DEFINE(SSH_AUDIT_EVENTS, 1, Use audit debugging module)
1106 ;; 1158 ;;
1107 no) 1159 no)
1108 AC_MSG_RESULT(no) 1160 AC_MSG_RESULT(no)
@@ -1116,6 +1168,7 @@ AC_ARG_WITH(audit,
1116dnl Checks for library functions. Please keep in alphabetical order 1168dnl Checks for library functions. Please keep in alphabetical order
1117AC_CHECK_FUNCS( \ 1169AC_CHECK_FUNCS( \
1118 arc4random \ 1170 arc4random \
1171 asprintf \
1119 b64_ntop \ 1172 b64_ntop \
1120 __b64_ntop \ 1173 __b64_ntop \
1121 b64_pton \ 1174 b64_pton \
@@ -1191,7 +1244,7 @@ AC_CHECK_FUNCS( \
1191 truncate \ 1244 truncate \
1192 unsetenv \ 1245 unsetenv \
1193 updwtmpx \ 1246 updwtmpx \
1194 utimes \ 1247 vasprintf \
1195 vhangup \ 1248 vhangup \
1196 vsnprintf \ 1249 vsnprintf \
1197 waitpid \ 1250 waitpid \
@@ -1212,7 +1265,8 @@ str = gai_strerror(0);],[
1212 AC_DEFINE(HAVE_CONST_GAI_STRERROR_PROTO, 1, 1265 AC_DEFINE(HAVE_CONST_GAI_STRERROR_PROTO, 1,
1213 [Define if gai_strerror() returns const char *])])]) 1266 [Define if gai_strerror() returns const char *])])])
1214 1267
1215AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP)) 1268AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP, 1,
1269 [Some systems put nanosleep outside of libc]))
1216 1270
1217dnl Make sure prototypes are defined for these before using them. 1271dnl Make sure prototypes are defined for these before using them.
1218AC_CHECK_DECL(getrusage, [AC_CHECK_FUNCS(getrusage)]) 1272AC_CHECK_DECL(getrusage, [AC_CHECK_FUNCS(getrusage)])
@@ -1244,7 +1298,8 @@ AC_CHECK_FUNCS(setresuid, [
1244int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);} 1298int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
1245 ]])], 1299 ]])],
1246 [AC_MSG_RESULT(yes)], 1300 [AC_MSG_RESULT(yes)],
1247 [AC_DEFINE(BROKEN_SETRESUID) 1301 [AC_DEFINE(BROKEN_SETRESUID, 1,
1302 [Define if your setresuid() is broken])
1248 AC_MSG_RESULT(not implemented)], 1303 AC_MSG_RESULT(not implemented)],
1249 [AC_MSG_WARN([cross compiling: not checking setresuid])] 1304 [AC_MSG_WARN([cross compiling: not checking setresuid])]
1250 ) 1305 )
@@ -1260,7 +1315,8 @@ AC_CHECK_FUNCS(setresgid, [
1260int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);} 1315int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
1261 ]])], 1316 ]])],
1262 [AC_MSG_RESULT(yes)], 1317 [AC_MSG_RESULT(yes)],
1263 [AC_DEFINE(BROKEN_SETRESGID) 1318 [AC_DEFINE(BROKEN_SETRESGID, 1,
1319 [Define if your setresgid() is broken])
1264 AC_MSG_RESULT(not implemented)], 1320 AC_MSG_RESULT(not implemented)],
1265 [AC_MSG_WARN([cross compiling: not checking setresuid])] 1321 [AC_MSG_WARN([cross compiling: not checking setresuid])]
1266 ) 1322 )
@@ -1276,13 +1332,16 @@ AC_CHECK_FUNCS(endutxent getutxent getutxid getutxline pututxline )
1276AC_CHECK_FUNCS(setutxent utmpxname) 1332AC_CHECK_FUNCS(setutxent utmpxname)
1277 1333
1278AC_CHECK_FUNC(daemon, 1334AC_CHECK_FUNC(daemon,
1279 [AC_DEFINE(HAVE_DAEMON)], 1335 [AC_DEFINE(HAVE_DAEMON, 1, [Define if your libraries define daemon()])],
1280 [AC_CHECK_LIB(bsd, daemon, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)])] 1336 [AC_CHECK_LIB(bsd, daemon,
1337 [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)])]
1281) 1338)
1282 1339
1283AC_CHECK_FUNC(getpagesize, 1340AC_CHECK_FUNC(getpagesize,
1284 [AC_DEFINE(HAVE_GETPAGESIZE)], 1341 [AC_DEFINE(HAVE_GETPAGESIZE, 1,
1285 [AC_CHECK_LIB(ucb, getpagesize, [LIBS="$LIBS -lucb"; AC_DEFINE(HAVE_GETPAGESIZE)])] 1342 [Define if your libraries define getpagesize()])],
1343 [AC_CHECK_LIB(ucb, getpagesize,
1344 [LIBS="$LIBS -lucb"; AC_DEFINE(HAVE_GETPAGESIZE)])]
1286) 1345)
1287 1346
1288# Check for broken snprintf 1347# Check for broken snprintf
@@ -1296,13 +1355,62 @@ int main(void){char b[5];snprintf(b,5,"123456789");exit(b[4]!='\0');}
1296 [AC_MSG_RESULT(yes)], 1355 [AC_MSG_RESULT(yes)],
1297 [ 1356 [
1298 AC_MSG_RESULT(no) 1357 AC_MSG_RESULT(no)
1299 AC_DEFINE(BROKEN_SNPRINTF) 1358 AC_DEFINE(BROKEN_SNPRINTF, 1,
1359 [Define if your snprintf is busted])
1300 AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor]) 1360 AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
1301 ], 1361 ],
1302 [ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ] 1362 [ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
1303 ) 1363 )
1304fi 1364fi
1305 1365
1366# If we don't have a working asprintf, then we strongly depend on vsnprintf
1367# returning the right thing on overflow: the number of characters it tried to
1368# create (as per SUSv3)
1369if test "x$ac_cv_func_asprintf" != "xyes" && \
1370 test "x$ac_cv_func_vsnprintf" = "xyes" ; then
1371 AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
1372 AC_RUN_IFELSE(
1373 [AC_LANG_SOURCE([[
1374#include <sys/types.h>
1375#include <stdio.h>
1376#include <stdarg.h>
1377
1378int x_snprintf(char *str,size_t count,const char *fmt,...)
1379{
1380 size_t ret; va_list ap;
1381 va_start(ap, fmt); ret = vsnprintf(str, count, fmt, ap); va_end(ap);
1382 return ret;
1383}
1384int main(void)
1385{
1386 char x[1];
1387 exit(x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1);
1388} ]])],
1389 [AC_MSG_RESULT(yes)],
1390 [
1391 AC_MSG_RESULT(no)
1392 AC_DEFINE(BROKEN_SNPRINTF, 1,
1393 [Define if your snprintf is busted])
1394 AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
1395 ],
1396 [ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
1397 )
1398fi
1399
1400# On systems where [v]snprintf is broken, but is declared in stdio,
1401# check that the fmt argument is const char * or just char *.
1402# This is only useful for when BROKEN_SNPRINTF
1403AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
1404AC_COMPILE_IFELSE([AC_LANG_SOURCE([[#include <stdio.h>
1405 int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
1406 int main(void) { snprintf(0, 0, 0); }
1407 ]])],
1408 [AC_MSG_RESULT(yes)
1409 AC_DEFINE(SNPRINTF_CONST, [const],
1410 [Define as const if snprintf() can declare const char *fmt])],
1411 [AC_MSG_RESULT(no)
1412 AC_DEFINE(SNPRINTF_CONST, [/* not const */])])
1413
1306# Check for missing getpeereid (or equiv) support 1414# Check for missing getpeereid (or equiv) support
1307NO_PEERCHECK="" 1415NO_PEERCHECK=""
1308if test "x$ac_cv_func_getpeereid" != "xyes" ; then 1416if test "x$ac_cv_func_getpeereid" != "xyes" ; then
@@ -1312,7 +1420,7 @@ if test "x$ac_cv_func_getpeereid" != "xyes" ; then
1312 #include <sys/socket.h>], 1420 #include <sys/socket.h>],
1313 [int i = SO_PEERCRED;], 1421 [int i = SO_PEERCRED;],
1314 [ AC_MSG_RESULT(yes) 1422 [ AC_MSG_RESULT(yes)
1315 AC_DEFINE(HAVE_SO_PEERCRED, [], [Have PEERCRED socket option]) 1423 AC_DEFINE(HAVE_SO_PEERCRED, 1, [Have PEERCRED socket option])
1316 ], 1424 ],
1317 [AC_MSG_RESULT(no) 1425 [AC_MSG_RESULT(no)
1318 NO_PEERCHECK=1] 1426 NO_PEERCHECK=1]
@@ -1322,21 +1430,21 @@ fi
1322dnl see whether mkstemp() requires XXXXXX 1430dnl see whether mkstemp() requires XXXXXX
1323if test "x$ac_cv_func_mkdtemp" = "xyes" ; then 1431if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
1324AC_MSG_CHECKING([for (overly) strict mkstemp]) 1432AC_MSG_CHECKING([for (overly) strict mkstemp])
1325AC_TRY_RUN( 1433AC_RUN_IFELSE(
1326 [ 1434 [AC_LANG_SOURCE([[
1327#include <stdlib.h> 1435#include <stdlib.h>
1328main() { char template[]="conftest.mkstemp-test"; 1436main() { char template[]="conftest.mkstemp-test";
1329if (mkstemp(template) == -1) 1437if (mkstemp(template) == -1)
1330 exit(1); 1438 exit(1);
1331unlink(template); exit(0); 1439unlink(template); exit(0);
1332} 1440}
1333 ], 1441 ]])],
1334 [ 1442 [
1335 AC_MSG_RESULT(no) 1443 AC_MSG_RESULT(no)
1336 ], 1444 ],
1337 [ 1445 [
1338 AC_MSG_RESULT(yes) 1446 AC_MSG_RESULT(yes)
1339 AC_DEFINE(HAVE_STRICT_MKSTEMP) 1447 AC_DEFINE(HAVE_STRICT_MKSTEMP, 1, [Silly mkstemp()])
1340 ], 1448 ],
1341 [ 1449 [
1342 AC_MSG_RESULT(yes) 1450 AC_MSG_RESULT(yes)
@@ -1348,8 +1456,8 @@ fi
1348dnl make sure that openpty does not reacquire controlling terminal 1456dnl make sure that openpty does not reacquire controlling terminal
1349if test ! -z "$check_for_openpty_ctty_bug"; then 1457if test ! -z "$check_for_openpty_ctty_bug"; then
1350 AC_MSG_CHECKING(if openpty correctly handles controlling tty) 1458 AC_MSG_CHECKING(if openpty correctly handles controlling tty)
1351 AC_TRY_RUN( 1459 AC_RUN_IFELSE(
1352 [ 1460 [AC_LANG_SOURCE([[
1353#include <stdio.h> 1461#include <stdio.h>
1354#include <sys/fcntl.h> 1462#include <sys/fcntl.h>
1355#include <sys/types.h> 1463#include <sys/types.h>
@@ -1381,13 +1489,16 @@ main()
1381 exit(0); /* Did not acquire ctty: OK */ 1489 exit(0); /* Did not acquire ctty: OK */
1382 } 1490 }
1383} 1491}
1384 ], 1492 ]])],
1385 [ 1493 [
1386 AC_MSG_RESULT(yes) 1494 AC_MSG_RESULT(yes)
1387 ], 1495 ],
1388 [ 1496 [
1389 AC_MSG_RESULT(no) 1497 AC_MSG_RESULT(no)
1390 AC_DEFINE(SSHD_ACQUIRES_CTTY) 1498 AC_DEFINE(SSHD_ACQUIRES_CTTY)
1499 ],
1500 [
1501 AC_MSG_RESULT(cross-compiling, assuming yes)
1391 ] 1502 ]
1392 ) 1503 )
1393fi 1504fi
@@ -1395,8 +1506,8 @@ fi
1395if test "x$ac_cv_func_getaddrinfo" = "xyes" && \ 1506if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
1396 test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then 1507 test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
1397 AC_MSG_CHECKING(if getaddrinfo seems to work) 1508 AC_MSG_CHECKING(if getaddrinfo seems to work)
1398 AC_TRY_RUN( 1509 AC_RUN_IFELSE(
1399 [ 1510 [AC_LANG_SOURCE([[
1400#include <stdio.h> 1511#include <stdio.h>
1401#include <sys/socket.h> 1512#include <sys/socket.h>
1402#include <netdb.h> 1513#include <netdb.h>
@@ -1450,13 +1561,16 @@ main(void)
1450 } 1561 }
1451 exit(0); 1562 exit(0);
1452} 1563}
1453 ], 1564 ]])],
1454 [ 1565 [
1455 AC_MSG_RESULT(yes) 1566 AC_MSG_RESULT(yes)
1456 ], 1567 ],
1457 [ 1568 [
1458 AC_MSG_RESULT(no) 1569 AC_MSG_RESULT(no)
1459 AC_DEFINE(BROKEN_GETADDRINFO) 1570 AC_DEFINE(BROKEN_GETADDRINFO)
1571 ],
1572 [
1573 AC_MSG_RESULT(cross-compiling, assuming yes)
1460 ] 1574 ]
1461 ) 1575 )
1462fi 1576fi
@@ -1464,8 +1578,8 @@ fi
1464if test "x$ac_cv_func_getaddrinfo" = "xyes" && \ 1578if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
1465 test "x$check_for_aix_broken_getaddrinfo" = "x1"; then 1579 test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
1466 AC_MSG_CHECKING(if getaddrinfo seems to work) 1580 AC_MSG_CHECKING(if getaddrinfo seems to work)
1467 AC_TRY_RUN( 1581 AC_RUN_IFELSE(
1468 [ 1582 [AC_LANG_SOURCE([[
1469#include <stdio.h> 1583#include <stdio.h>
1470#include <sys/socket.h> 1584#include <sys/socket.h>
1471#include <netdb.h> 1585#include <netdb.h>
@@ -1507,15 +1621,18 @@ main(void)
1507 } 1621 }
1508 exit(0); 1622 exit(0);
1509} 1623}
1510 ], 1624 ]])],
1511 [ 1625 [
1512 AC_MSG_RESULT(yes) 1626 AC_MSG_RESULT(yes)
1513 AC_DEFINE(AIX_GETNAMEINFO_HACK, [], 1627 AC_DEFINE(AIX_GETNAMEINFO_HACK, 1,
1514[Define if you have a getaddrinfo that fails for the all-zeros IPv6 address]) 1628 [Define if you have a getaddrinfo that fails
1629 for the all-zeros IPv6 address])
1515 ], 1630 ],
1516 [ 1631 [
1517 AC_MSG_RESULT(no) 1632 AC_MSG_RESULT(no)
1518 AC_DEFINE(BROKEN_GETADDRINFO) 1633 AC_DEFINE(BROKEN_GETADDRINFO)
1634 ],
1635 AC_MSG_RESULT(cross-compiling, assuming no)
1519 ] 1636 ]
1520 ) 1637 )
1521fi 1638fi
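Review bot: The cross-compiling branch added to the AIX getaddrinfo check is missing its opening `[`, at least as rendered here: the new lines read `],` then `AC_MSG_RESULT(cross-compiling, assuming no)` then `]`. The openpty and HP-UX hunks add `],` / `[` / message, so this one leaves the m4 quoting unbalanced. The message also says "assuming no", but unlike the real "no" branch it does not `AC_DEFINE(BROKEN_GETADDRINFO)`, so the reported assumption and the resulting config.h disagree. I would add the `[` line and either define `BROKEN_GETADDRINFO` in that branch or reword the message to match what is actually configured. The `AC_RUN_IFELSE` call itself starts in an earlier hunk.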
@@ -1558,7 +1675,8 @@ AC_ARG_WITH(pam,
1558 1675
1559 PAM_MSG="yes" 1676 PAM_MSG="yes"
1560 1677
1561 AC_DEFINE(USE_PAM) 1678 AC_DEFINE(USE_PAM, 1,
1679 [Define if you want to enable PAM support])
1562 if test $ac_cv_lib_dl_dlopen = yes; then 1680 if test $ac_cv_lib_dl_dlopen = yes; then
1563 LIBPAM="-lpam -ldl" 1681 LIBPAM="-lpam -ldl"
1564 else 1682 else
@@ -1585,7 +1703,9 @@ if test "x$PAM_MSG" = "xyes" ; then
1585 [(void)pam_strerror((pam_handle_t *)NULL, -1);], 1703 [(void)pam_strerror((pam_handle_t *)NULL, -1);],
1586 [AC_MSG_RESULT(no)], 1704 [AC_MSG_RESULT(no)],
1587 [ 1705 [
1588 AC_DEFINE(HAVE_OLD_PAM) 1706 AC_DEFINE(HAVE_OLD_PAM, 1,
1707 [Define if you have an old version of PAM
1708 which takes only one argument to pam_strerror])
1589 AC_MSG_RESULT(yes) 1709 AC_MSG_RESULT(yes)
1590 PAM_MSG="yes (old library)" 1710 PAM_MSG="yes (old library)"
1591 ] 1711 ]
@@ -1625,7 +1745,9 @@ AC_ARG_WITH(ssl-dir,
1625 ] 1745 ]
1626) 1746)
1627LIBS="-lcrypto $LIBS" 1747LIBS="-lcrypto $LIBS"
1628AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL), 1748AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL, 1,
1749 [Define if your ssl headers are included
1750 with #include <openssl/header.h>]),
1629 [ 1751 [
1630 dnl Check default openssl install dir 1752 dnl Check default openssl install dir
1631 if test -n "${need_dash_r}"; then 1753 if test -n "${need_dash_r}"; then
@@ -1735,6 +1857,24 @@ Also see contrib/findssl.sh for help identifying header/library mismatches.])
1735 ] 1857 ]
1736) 1858)
1737 1859
1860# Check for OpenSSL without EVP_aes_{192,256}_cbc
1861AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
1862AC_COMPILE_IFELSE(
1863 [AC_LANG_SOURCE([[
1864#include <string.h>
1865#include <openssl/evp.h>
1866int main(void) { exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);}
1867 ]])],
1868 [
1869 AC_MSG_RESULT(no)
1870 ],
1871 [
1872 AC_MSG_RESULT(yes)
1873 AC_DEFINE(OPENSSL_LOBOTOMISED_AES, 1,
1874 [libcrypto is missing AES 192 and 256 bit functions])
1875 ]
1876)
1877
1738# Some systems want crypt() from libcrypt, *not* the version in OpenSSL, 1878# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
1739# because the system crypt() is more featureful. 1879# because the system crypt() is more featureful.
1740if test "x$check_for_libcrypt_before" = "x1"; then 1880if test "x$check_for_libcrypt_before" = "x1"; then
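Review bot: The crippled-AES probe uses `AC_COMPILE_IFELSE`, so the test program is only compiled, never linked or run, and the expression passed to `exit()` is never evaluated. A libcrypto built without `EVP_aes_192_cbc`/`EVP_aes_256_cbc` whose `<openssl/evp.h>` still declares them would be reported as "no". If the header omits the declarations, the result depends on whether the compiler rejects implicit function declarations. Changing the call to `AC_LINK_IFELSE(` would test for the symbols themselves, assuming `-lcrypto` is still in `LIBS` at this point. The program should also add `#include <stdlib.h>` for `exit()`. A short comment stating that `OPENSSL_LOBOTOMISED_AES` is decided by symbol presence, not by a run-time test, would help whoever later audits which ciphers a given build offers.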
@@ -1799,7 +1939,8 @@ AC_ARG_WITH(rand-helper,
1799# Which randomness source do we use? 1939# Which randomness source do we use?
1800if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then 1940if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then
1801 # OpenSSL only 1941 # OpenSSL only
1802 AC_DEFINE(OPENSSL_PRNG_ONLY) 1942 AC_DEFINE(OPENSSL_PRNG_ONLY, 1,
1943 [Define if you want OpenSSL's internally seeded PRNG only])
1803 RAND_MSG="OpenSSL internal ONLY" 1944 RAND_MSG="OpenSSL internal ONLY"
1804 INSTALL_SSH_RAND_HELPER="" 1945 INSTALL_SSH_RAND_HELPER=""
1805elif test ! -z "$USE_RAND_HELPER" ; then 1946elif test ! -z "$USE_RAND_HELPER" ; then
@@ -1827,7 +1968,8 @@ AC_ARG_WITH(prngd-port,
1827 esac 1968 esac
1828 if test ! -z "$withval" ; then 1969 if test ! -z "$withval" ; then
1829 PRNGD_PORT="$withval" 1970 PRNGD_PORT="$withval"
1830 AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT) 1971 AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT,
1972 [Port number of PRNGD/EGD random number socket])
1831 fi 1973 fi
1832 ] 1974 ]
1833) 1975)
@@ -1858,7 +2000,8 @@ AC_ARG_WITH(prngd-socket,
1858 AC_MSG_WARN(Entropy socket is not readable) 2000 AC_MSG_WARN(Entropy socket is not readable)
1859 fi 2001 fi
1860 PRNGD_SOCKET="$withval" 2002 PRNGD_SOCKET="$withval"
1861 AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET") 2003 AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET",
2004 [Location of PRNGD/EGD random number socket])
1862 fi 2005 fi
1863 ], 2006 ],
1864 [ 2007 [
@@ -1893,7 +2036,8 @@ AC_ARG_WITH(entropy-timeout,
1893 fi 2036 fi
1894 ] 2037 ]
1895) 2038)
1896AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout) 2039AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout,
2040 [Builtin PRNG command timeout])
1897 2041
1898SSH_PRIVSEP_USER=sshd 2042SSH_PRIVSEP_USER=sshd
1899AC_ARG_WITH(privsep-user, 2043AC_ARG_WITH(privsep-user,
@@ -1905,7 +2049,8 @@ AC_ARG_WITH(privsep-user,
1905 fi 2049 fi
1906 ] 2050 ]
1907) 2051)
1908AC_DEFINE_UNQUOTED(SSH_PRIVSEP_USER, "$SSH_PRIVSEP_USER") 2052AC_DEFINE_UNQUOTED(SSH_PRIVSEP_USER, "$SSH_PRIVSEP_USER",
2053 [non-privileged user for privilege separation])
1909AC_SUBST(SSH_PRIVSEP_USER) 2054AC_SUBST(SSH_PRIVSEP_USER)
1910 2055
1911# We do this little dance with the search path to insure 2056# We do this little dance with the search path to insure
@@ -1963,7 +2108,10 @@ if test ! -z "$SONY" ; then
1963 LIBS="$LIBS -liberty"; 2108 LIBS="$LIBS -liberty";
1964fi 2109fi
1965 2110
1966# Checks for data types 2111# Check for long long datatypes
2112AC_CHECK_TYPES([long long, unsigned long long, long double])
2113
2114# Check datatype sizes
1967AC_CHECK_SIZEOF(char, 1) 2115AC_CHECK_SIZEOF(char, 1)
1968AC_CHECK_SIZEOF(short int, 2) 2116AC_CHECK_SIZEOF(short int, 2)
1969AC_CHECK_SIZEOF(int, 4) 2117AC_CHECK_SIZEOF(int, 4)
@@ -1975,6 +2123,84 @@ if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
1975 ac_cv_sizeof_long_long_int=0 2123 ac_cv_sizeof_long_long_int=0
1976fi 2124fi
1977 2125
2126# compute LLONG_MIN and LLONG_MAX if we don't know them.
2127if test -z "$have_llong_max"; then
2128 AC_MSG_CHECKING([for max value of long long])
2129 AC_RUN_IFELSE(
2130 [AC_LANG_SOURCE([[
2131#include <stdio.h>
2132/* Why is this so damn hard? */
2133#ifdef __GNUC__
2134# undef __GNUC__
2135#endif
2136#define __USE_ISOC99
2137#include <limits.h>
2138#define DATA "conftest.llminmax"
2139int main(void) {
2140 FILE *f;
2141 long long i, llmin, llmax = 0;
2142
2143 if((f = fopen(DATA,"w")) == NULL)
2144 exit(1);
2145
2146#if defined(LLONG_MIN) && defined(LLONG_MAX)
2147 fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
2148 llmin = LLONG_MIN;
2149 llmax = LLONG_MAX;
2150#else
2151 fprintf(stderr, "Calculating LLONG_MIN and LLONG_MAX\n");
2152 /* This will work on one's complement and two's complement */
2153 for (i = 1; i > llmax; i <<= 1, i++)
2154 llmax = i;
2155 llmin = llmax + 1LL; /* wrap */
2156#endif
2157
2158 /* Sanity check */
2159 if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
2160 || llmax - 1 > llmax) {
2161 fprintf(f, "unknown unknown\n");
2162 exit(2);
2163 }
2164
2165 if (fprintf(f ,"%lld %lld", llmin, llmax) < 0)
2166 exit(3);
2167
2168 exit(0);
2169}
2170 ]])],
2171 [
2172 llong_min=`$AWK '{print $1}' conftest.llminmax`
2173 llong_max=`$AWK '{print $2}' conftest.llminmax`
2174
2175 # snprintf on some Tru64s doesn't understand "%lld"
2176 case "$host" in
2177 alpha-dec-osf*)
2178 if test "x$ac_cv_sizeof_long_long_int" = "x8" &&
2179 test "x$llong_max" = "xld"; then
2180 llong_min="-9223372036854775808"
2181 llong_max="9223372036854775807"
2182 fi
2183 ;;
2184 esac
2185
2186 AC_MSG_RESULT($llong_max)
2187 AC_DEFINE_UNQUOTED(LLONG_MAX, [${llong_max}LL],
2188 [max value of long long calculated by configure])
2189 AC_MSG_CHECKING([for min value of long long])
2190 AC_MSG_RESULT($llong_min)
2191 AC_DEFINE_UNQUOTED(LLONG_MIN, [${llong_min}LL],
2192 [min value of long long calculated by configure])
2193 ],
2194 [
2195 AC_MSG_RESULT(not found)
2196 ],
2197 [
2198 AC_MSG_WARN([cross compiling: not checking])
2199 ]
2200 )
2201fi
2202
2203
1978# More checks for data types 2204# More checks for data types
1979AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [ 2205AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
1980 AC_TRY_COMPILE( 2206 AC_TRY_COMPILE(
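Review bot: The fallback that computes LLONG_MAX and the sanity check after it both rely on signed `long long` overflow, which is undefined behaviour in C: `i <<= 1, i++` runs until it wraps, then `llmax + 1LL`, and then `llmin - 1 < llmin` / `llmax + 1 > llmax`. A compiler that assumes no signed overflow may fold those comparisons to true, so the probe would write "unknown unknown" and exit 2 on a perfectly normal platform. Deriving the limit through an unsigned type avoids this, e.g. `llmax = (long long)(~0ULL >> 1);` with `llmin = -llmax - 1;`, though that form assumes two's complement where the original comment also claims one's complement. The sanity check should then compare against the unsigned value rather than overflow on purpose. The program also calls `exit()` without `<stdlib.h>`.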
@@ -1985,7 +2211,7 @@ AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
1985 ) 2211 )
1986]) 2212])
1987if test "x$ac_cv_have_u_int" = "xyes" ; then 2213if test "x$ac_cv_have_u_int" = "xyes" ; then
1988 AC_DEFINE(HAVE_U_INT) 2214 AC_DEFINE(HAVE_U_INT, 1, [define if you have u_int data type])
1989 have_u_int=1 2215 have_u_int=1
1990fi 2216fi
1991 2217
@@ -1998,7 +2224,7 @@ AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
1998 ) 2224 )
1999]) 2225])
2000if test "x$ac_cv_have_intxx_t" = "xyes" ; then 2226if test "x$ac_cv_have_intxx_t" = "xyes" ; then
2001 AC_DEFINE(HAVE_INTXX_T) 2227 AC_DEFINE(HAVE_INTXX_T, 1, [define if you have intxx_t data type])
2002 have_intxx_t=1 2228 have_intxx_t=1
2003fi 2229fi
2004 2230
@@ -2035,7 +2261,7 @@ AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
2035 ) 2261 )
2036]) 2262])
2037if test "x$ac_cv_have_int64_t" = "xyes" ; then 2263if test "x$ac_cv_have_int64_t" = "xyes" ; then
2038 AC_DEFINE(HAVE_INT64_T) 2264 AC_DEFINE(HAVE_INT64_T, 1, [define if you have int64_t data type])
2039fi 2265fi
2040 2266
2041AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [ 2267AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
@@ -2047,7 +2273,7 @@ AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
2047 ) 2273 )
2048]) 2274])
2049if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then 2275if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
2050 AC_DEFINE(HAVE_U_INTXX_T) 2276 AC_DEFINE(HAVE_U_INTXX_T, 1, [define if you have u_intxx_t data type])
2051 have_u_intxx_t=1 2277 have_u_intxx_t=1
2052fi 2278fi
2053 2279
@@ -2073,7 +2299,7 @@ AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
2073 ) 2299 )
2074]) 2300])
2075if test "x$ac_cv_have_u_int64_t" = "xyes" ; then 2301if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
2076 AC_DEFINE(HAVE_U_INT64_T) 2302 AC_DEFINE(HAVE_U_INT64_T, 1, [define if you have u_int64_t data type])
2077 have_u_int64_t=1 2303 have_u_int64_t=1
2078fi 2304fi
2079 2305
@@ -2102,7 +2328,8 @@ if test -z "$have_u_intxx_t" ; then
2102 ) 2328 )
2103 ]) 2329 ])
2104 if test "x$ac_cv_have_uintxx_t" = "xyes" ; then 2330 if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
2105 AC_DEFINE(HAVE_UINTXX_T) 2331 AC_DEFINE(HAVE_UINTXX_T, 1,
2332 [define if you have uintxx_t data type])
2106 fi 2333 fi
2107fi 2334fi
2108 2335
@@ -2153,7 +2380,7 @@ AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
2153 ) 2380 )
2154]) 2381])
2155if test "x$ac_cv_have_u_char" = "xyes" ; then 2382if test "x$ac_cv_have_u_char" = "xyes" ; then
2156 AC_DEFINE(HAVE_U_CHAR) 2383 AC_DEFINE(HAVE_U_CHAR, 1, [define if you have u_char data type])
2157fi 2384fi
2158 2385
2159TYPE_SOCKLEN_T 2386TYPE_SOCKLEN_T
@@ -2175,7 +2402,7 @@ AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
2175 ) 2402 )
2176]) 2403])
2177if test "x$ac_cv_have_size_t" = "xyes" ; then 2404if test "x$ac_cv_have_size_t" = "xyes" ; then
2178 AC_DEFINE(HAVE_SIZE_T) 2405 AC_DEFINE(HAVE_SIZE_T, 1, [define if you have size_t data type])
2179fi 2406fi
2180 2407
2181AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [ 2408AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
@@ -2189,7 +2416,7 @@ AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
2189 ) 2416 )
2190]) 2417])
2191if test "x$ac_cv_have_ssize_t" = "xyes" ; then 2418if test "x$ac_cv_have_ssize_t" = "xyes" ; then
2192 AC_DEFINE(HAVE_SSIZE_T) 2419 AC_DEFINE(HAVE_SSIZE_T, 1, [define if you have ssize_t data type])
2193fi 2420fi
2194 2421
2195AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [ 2422AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
@@ -2203,7 +2430,7 @@ AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
2203 ) 2430 )
2204]) 2431])
2205if test "x$ac_cv_have_clock_t" = "xyes" ; then 2432if test "x$ac_cv_have_clock_t" = "xyes" ; then
2206 AC_DEFINE(HAVE_CLOCK_T) 2433 AC_DEFINE(HAVE_CLOCK_T, 1, [define if you have clock_t data type])
2207fi 2434fi
2208 2435
2209AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [ 2436AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
@@ -2228,7 +2455,8 @@ AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
2228 ) 2455 )
2229]) 2456])
2230if test "x$ac_cv_have_sa_family_t" = "xyes" ; then 2457if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
2231 AC_DEFINE(HAVE_SA_FAMILY_T) 2458 AC_DEFINE(HAVE_SA_FAMILY_T, 1,
2459 [define if you have sa_family_t data type])
2232fi 2460fi
2233 2461
2234AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [ 2462AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
@@ -2242,7 +2470,7 @@ AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
2242 ) 2470 )
2243]) 2471])
2244if test "x$ac_cv_have_pid_t" = "xyes" ; then 2472if test "x$ac_cv_have_pid_t" = "xyes" ; then
2245 AC_DEFINE(HAVE_PID_T) 2473 AC_DEFINE(HAVE_PID_T, 1, [define if you have pid_t data type])
2246fi 2474fi
2247 2475
2248AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [ 2476AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
@@ -2256,7 +2484,7 @@ AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
2256 ) 2484 )
2257]) 2485])
2258if test "x$ac_cv_have_mode_t" = "xyes" ; then 2486if test "x$ac_cv_have_mode_t" = "xyes" ; then
2259 AC_DEFINE(HAVE_MODE_T) 2487 AC_DEFINE(HAVE_MODE_T, 1, [define if you have mode_t data type])
2260fi 2488fi
2261 2489
2262 2490
@@ -2272,7 +2500,8 @@ AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage
2272 ) 2500 )
2273]) 2501])
2274if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then 2502if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
2275 AC_DEFINE(HAVE_STRUCT_SOCKADDR_STORAGE) 2503 AC_DEFINE(HAVE_STRUCT_SOCKADDR_STORAGE, 1,
2504 [define if you have struct sockaddr_storage data type])
2276fi 2505fi
2277 2506
2278AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [ 2507AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
@@ -2287,7 +2516,8 @@ AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
2287 ) 2516 )
2288]) 2517])
2289if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then 2518if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
2290 AC_DEFINE(HAVE_STRUCT_SOCKADDR_IN6) 2519 AC_DEFINE(HAVE_STRUCT_SOCKADDR_IN6, 1,
2520 [define if you have struct sockaddr_in6 data type])
2291fi 2521fi
2292 2522
2293AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [ 2523AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
@@ -2302,7 +2532,8 @@ AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
2302 ) 2532 )
2303]) 2533])
2304if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then 2534if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
2305 AC_DEFINE(HAVE_STRUCT_IN6_ADDR) 2535 AC_DEFINE(HAVE_STRUCT_IN6_ADDR, 1,
2536 [define if you have struct in6_addr data type])
2306fi 2537fi
2307 2538
2308AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [ 2539AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
@@ -2318,7 +2549,8 @@ AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
2318 ) 2549 )
2319]) 2550])
2320if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then 2551if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
2321 AC_DEFINE(HAVE_STRUCT_ADDRINFO) 2552 AC_DEFINE(HAVE_STRUCT_ADDRINFO, 1,
2553 [define if you have struct addrinfo data type])
2322fi 2554fi
2323 2555
2324AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [ 2556AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
@@ -2330,7 +2562,7 @@ AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
2330 ) 2562 )
2331]) 2563])
2332if test "x$ac_cv_have_struct_timeval" = "xyes" ; then 2564if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
2333 AC_DEFINE(HAVE_STRUCT_TIMEVAL) 2565 AC_DEFINE(HAVE_STRUCT_TIMEVAL, 1, [define if you have struct timeval])
2334 have_struct_timeval=1 2566 have_struct_timeval=1
2335fi 2567fi
2336 2568
@@ -2395,6 +2627,17 @@ OSSH_CHECK_HEADER_FOR_FIELD(ut_time, utmpx.h, HAVE_TIME_IN_UTMPX)
2395OSSH_CHECK_HEADER_FOR_FIELD(ut_tv, utmpx.h, HAVE_TV_IN_UTMPX) 2627OSSH_CHECK_HEADER_FOR_FIELD(ut_tv, utmpx.h, HAVE_TV_IN_UTMPX)
2396 2628
2397AC_CHECK_MEMBERS([struct stat.st_blksize]) 2629AC_CHECK_MEMBERS([struct stat.st_blksize])
2630AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE(__res_state, state,
2631 [Define if we don't have struct __res_state in resolv.h])],
2632[
2633#include <stdio.h>
2634#if HAVE_SYS_TYPES_H
2635# include <sys/types.h>
2636#endif
2637#include <netinet/in.h>
2638#include <arpa/nameser.h>
2639#include <resolv.h>
2640])
2398 2641
2399AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage], 2642AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
2400 ac_cv_have_ss_family_in_struct_ss, [ 2643 ac_cv_have_ss_family_in_struct_ss, [
@@ -2409,7 +2652,7 @@ AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
2409 ) 2652 )
2410]) 2653])
2411if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then 2654if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
2412 AC_DEFINE(HAVE_SS_FAMILY_IN_SS) 2655 AC_DEFINE(HAVE_SS_FAMILY_IN_SS, 1, [Fields in struct sockaddr_storage])
2413fi 2656fi
2414 2657
2415AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage], 2658AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
@@ -2425,7 +2668,8 @@ AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
2425 ) 2668 )
2426]) 2669])
2427if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then 2670if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
2428 AC_DEFINE(HAVE___SS_FAMILY_IN_SS) 2671 AC_DEFINE(HAVE___SS_FAMILY_IN_SS, 1,
2672 [Fields in struct sockaddr_storage])
2429fi 2673fi
2430 2674
2431AC_CACHE_CHECK([for pw_class field in struct passwd], 2675AC_CACHE_CHECK([for pw_class field in struct passwd],
@@ -2440,7 +2684,8 @@ AC_CACHE_CHECK([for pw_class field in struct passwd],
2440 ) 2684 )
2441]) 2685])
2442if test "x$ac_cv_have_pw_class_in_struct_passwd" = "xyes" ; then 2686if test "x$ac_cv_have_pw_class_in_struct_passwd" = "xyes" ; then
2443 AC_DEFINE(HAVE_PW_CLASS_IN_PASSWD) 2687 AC_DEFINE(HAVE_PW_CLASS_IN_PASSWD, 1,
2688 [Define if your password has a pw_class field])
2444fi 2689fi
2445 2690
2446AC_CACHE_CHECK([for pw_expire field in struct passwd], 2691AC_CACHE_CHECK([for pw_expire field in struct passwd],
@@ -2455,7 +2700,8 @@ AC_CACHE_CHECK([for pw_expire field in struct passwd],
2455 ) 2700 )
2456]) 2701])
2457if test "x$ac_cv_have_pw_expire_in_struct_passwd" = "xyes" ; then 2702if test "x$ac_cv_have_pw_expire_in_struct_passwd" = "xyes" ; then
2458 AC_DEFINE(HAVE_PW_EXPIRE_IN_PASSWD) 2703 AC_DEFINE(HAVE_PW_EXPIRE_IN_PASSWD, 1,
2704 [Define if your password has a pw_expire field])
2459fi 2705fi
2460 2706
2461AC_CACHE_CHECK([for pw_change field in struct passwd], 2707AC_CACHE_CHECK([for pw_change field in struct passwd],
@@ -2470,7 +2716,8 @@ AC_CACHE_CHECK([for pw_change field in struct passwd],
2470 ) 2716 )
2471]) 2717])
2472if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then 2718if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then
2473 AC_DEFINE(HAVE_PW_CHANGE_IN_PASSWD) 2719 AC_DEFINE(HAVE_PW_CHANGE_IN_PASSWD, 1,
2720 [Define if your password has a pw_change field])
2474fi 2721fi
2475 2722
2476dnl make sure we're using the real structure members and not defines 2723dnl make sure we're using the real structure members and not defines
@@ -2496,7 +2743,9 @@ exit(0);
2496 ) 2743 )
2497]) 2744])
2498if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then 2745if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
2499 AC_DEFINE(HAVE_ACCRIGHTS_IN_MSGHDR) 2746 AC_DEFINE(HAVE_ACCRIGHTS_IN_MSGHDR, 1,
2747 [Define if your system uses access rights style
2748 file descriptor passing])
2500fi 2749fi
2501 2750
2502AC_CACHE_CHECK([for msg_control field in struct msghdr], 2751AC_CACHE_CHECK([for msg_control field in struct msghdr],
@@ -2521,7 +2770,9 @@ exit(0);
2521 ) 2770 )
2522]) 2771])
2523if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then 2772if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
2524 AC_DEFINE(HAVE_CONTROL_IN_MSGHDR) 2773 AC_DEFINE(HAVE_CONTROL_IN_MSGHDR, 1,
2774 [Define if your system uses ancillary data style
2775 file descriptor passing])
2525fi 2776fi
2526 2777
2527AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [ 2778AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
@@ -2532,7 +2783,7 @@ AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
2532 ) 2783 )
2533]) 2784])
2534if test "x$ac_cv_libc_defines___progname" = "xyes" ; then 2785if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
2535 AC_DEFINE(HAVE___PROGNAME) 2786 AC_DEFINE(HAVE___PROGNAME, 1, [Define if libc defines __progname])
2536fi 2787fi
2537 2788
2538AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [ 2789AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
@@ -2545,7 +2796,8 @@ AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNC
2545 ) 2796 )
2546]) 2797])
2547if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then 2798if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
2548 AC_DEFINE(HAVE___FUNCTION__) 2799 AC_DEFINE(HAVE___FUNCTION__, 1,
2800 [Define if compiler implements __FUNCTION__])
2549fi 2801fi
2550 2802
2551AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [ 2803AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
@@ -2558,7 +2810,33 @@ AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__,
2558 ) 2810 )
2559]) 2811])
2560if test "x$ac_cv_cc_implements___func__" = "xyes" ; then 2812if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
2561 AC_DEFINE(HAVE___func__) 2813 AC_DEFINE(HAVE___func__, 1, [Define if compiler implements __func__])
2814fi
2815
2816AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
2817 AC_TRY_LINK(
2818 [#include <stdarg.h>
2819 va_list x,y;],
2820 [va_copy(x,y);],
2821 [ ac_cv_have_va_copy="yes" ],
2822 [ ac_cv_have_va_copy="no" ]
2823 )
2824])
2825if test "x$ac_cv_have_va_copy" = "xyes" ; then
2826 AC_DEFINE(HAVE_VA_COPY, 1, [Define if va_copy exists])
2827fi
2828
2829AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
2830 AC_TRY_LINK(
2831 [#include <stdarg.h>
2832 va_list x,y;],
2833 [__va_copy(x,y);],
2834 [ ac_cv_have___va_copy="yes" ],
2835 [ ac_cv_have___va_copy="no" ]
2836 )
2837])
2838if test "x$ac_cv_have___va_copy" = "xyes" ; then
2839 AC_DEFINE(HAVE___VA_COPY, 1, [Define if __va_copy exists])
2562fi 2840fi
2563 2841
2564AC_CACHE_CHECK([whether getopt has optreset support], 2842AC_CACHE_CHECK([whether getopt has optreset support],
@@ -2573,7 +2851,8 @@ AC_CACHE_CHECK([whether getopt has optreset support],
2573 ) 2851 )
2574]) 2852])
2575if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then 2853if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
2576 AC_DEFINE(HAVE_GETOPT_OPTRESET) 2854 AC_DEFINE(HAVE_GETOPT_OPTRESET, 1,
2855 [Define if your getopt(3) defines and uses optreset])
2577fi 2856fi
2578 2857
2579AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [ 2858AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
@@ -2584,7 +2863,8 @@ AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
2584 ) 2863 )
2585]) 2864])
2586if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then 2865if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
2587 AC_DEFINE(HAVE_SYS_ERRLIST) 2866 AC_DEFINE(HAVE_SYS_ERRLIST, 1,
2867 [Define if your system defines sys_errlist[]])
2588fi 2868fi
2589 2869
2590 2870
@@ -2596,7 +2876,7 @@ AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
2596 ) 2876 )
2597]) 2877])
2598if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then 2878if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
2599 AC_DEFINE(HAVE_SYS_NERR) 2879 AC_DEFINE(HAVE_SYS_NERR, 1, [Define if your system defines sys_nerr])
2600fi 2880fi
2601 2881
2602SCARD_MSG="no" 2882SCARD_MSG="no"
@@ -2623,8 +2903,11 @@ AC_ARG_WITH(sectok,
2623 if test "$ac_cv_lib_sectok_sectok_open" != yes; then 2903 if test "$ac_cv_lib_sectok_sectok_open" != yes; then
2624 AC_MSG_ERROR(Can't find libsectok) 2904 AC_MSG_ERROR(Can't find libsectok)
2625 fi 2905 fi
2626 AC_DEFINE(SMARTCARD) 2906 AC_DEFINE(SMARTCARD, 1,
2627 AC_DEFINE(USE_SECTOK) 2907 [Define if you want smartcard support])
2908 AC_DEFINE(USE_SECTOK, 1,
2909 [Define if you want smartcard support
2910 using sectok])
2628 SCARD_MSG="yes, using sectok" 2911 SCARD_MSG="yes, using sectok"
2629 fi 2912 fi
2630 ] 2913 ]
@@ -2633,7 +2916,7 @@ AC_ARG_WITH(sectok,
2633# Check whether user wants OpenSC support 2916# Check whether user wants OpenSC support
2634OPENSC_CONFIG="no" 2917OPENSC_CONFIG="no"
2635AC_ARG_WITH(opensc, 2918AC_ARG_WITH(opensc,
2636 [--with-opensc[[=PFX]] Enable smartcard support using OpenSC (optionally in PATH)], 2919 [ --with-opensc[[=PFX]] Enable smartcard support using OpenSC (optionally in PATH)],
2637 [ 2920 [
2638 if test "x$withval" != "xno" ; then 2921 if test "x$withval" != "xno" ; then
2639 if test "x$withval" != "xyes" ; then 2922 if test "x$withval" != "xyes" ; then
@@ -2647,7 +2930,9 @@ AC_ARG_WITH(opensc,
2647 CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS" 2930 CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
2648 LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS" 2931 LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS"
2649 AC_DEFINE(SMARTCARD) 2932 AC_DEFINE(SMARTCARD)
2650 AC_DEFINE(USE_OPENSC) 2933 AC_DEFINE(USE_OPENSC, 1,
2934 [Define if you want smartcard support
2935 using OpenSC])
2651 SCARD_MSG="yes, using OpenSC" 2936 SCARD_MSG="yes, using OpenSC"
2652 fi 2937 fi
2653 fi 2938 fi
@@ -2656,7 +2941,8 @@ AC_ARG_WITH(opensc,
2656 2941
2657# Check libraries needed by DNS fingerprint support 2942# Check libraries needed by DNS fingerprint support
2658AC_SEARCH_LIBS(getrrsetbyname, resolv, 2943AC_SEARCH_LIBS(getrrsetbyname, resolv,
2659 [AC_DEFINE(HAVE_GETRRSETBYNAME)], 2944 [AC_DEFINE(HAVE_GETRRSETBYNAME, 1,
2945 [Define if getrrsetbyname() exists])],
2660 [ 2946 [
2661 # Needed by our getrrsetbyname() 2947 # Needed by our getrrsetbyname()
2662 AC_SEARCH_LIBS(res_query, resolv) 2948 AC_SEARCH_LIBS(res_query, resolv)
@@ -2685,7 +2971,8 @@ int main()
2685 [#include <sys/types.h> 2971 [#include <sys/types.h>
2686 #include <arpa/nameser.h>]) 2972 #include <arpa/nameser.h>])
2687 AC_CHECK_MEMBER(HEADER.ad, 2973 AC_CHECK_MEMBER(HEADER.ad,
2688 [AC_DEFINE(HAVE_HEADER_AD)],, 2974 [AC_DEFINE(HAVE_HEADER_AD, 1,
2975 [Define if HEADER.ad exists in arpa/nameser.h])],,
2689 [#include <arpa/nameser.h>]) 2976 [#include <arpa/nameser.h>])
2690 ]) 2977 ])
2691 2978
@@ -2700,7 +2987,7 @@ AC_ARG_WITH(kerberos5,
2700 KRB5ROOT=${withval} 2987 KRB5ROOT=${withval}
2701 fi 2988 fi
2702 2989
2703 AC_DEFINE(KRB5) 2990 AC_DEFINE(KRB5, 1, [Define if you want Kerberos 5 support])
2704 KRB5_MSG="yes" 2991 KRB5_MSG="yes"
2705 2992
2706 AC_MSG_CHECKING(for krb5-config) 2993 AC_MSG_CHECKING(for krb5-config)
@@ -2711,7 +2998,9 @@ AC_ARG_WITH(kerberos5,
2711 AC_MSG_CHECKING(for gssapi support) 2998 AC_MSG_CHECKING(for gssapi support)
2712 if $KRB5CONF | grep gssapi >/dev/null ; then 2999 if $KRB5CONF | grep gssapi >/dev/null ; then
2713 AC_MSG_RESULT(yes) 3000 AC_MSG_RESULT(yes)
2714 AC_DEFINE(GSSAPI) 3001 AC_DEFINE(GSSAPI, 1,
3002 [Define this if you want GSSAPI
3003 support in the version 2 protocol])
2715 k5confopts=gssapi 3004 k5confopts=gssapi
2716 else 3005 else
2717 AC_MSG_RESULT(no) 3006 AC_MSG_RESULT(no)
@@ -2724,7 +3013,9 @@ AC_ARG_WITH(kerberos5,
2724 AC_TRY_COMPILE([ #include <krb5.h> ], 3013 AC_TRY_COMPILE([ #include <krb5.h> ],
2725 [ char *tmp = heimdal_version; ], 3014 [ char *tmp = heimdal_version; ],
2726 [ AC_MSG_RESULT(yes) 3015 [ AC_MSG_RESULT(yes)
2727 AC_DEFINE(HEIMDAL) ], 3016 AC_DEFINE(HEIMDAL, 1,
3017 [Define this if you are using the
3018 Heimdal version of Kerberos V5]) ],
2728 AC_MSG_RESULT(no) 3019 AC_MSG_RESULT(no)
2729 ) 3020 )
2730 else 3021 else
@@ -2779,14 +3070,15 @@ AC_ARG_WITH(kerberos5,
2779 if test ! -z "$blibpath" ; then 3070 if test ! -z "$blibpath" ; then
2780 blibpath="$blibpath:${KRB5ROOT}/lib" 3071 blibpath="$blibpath:${KRB5ROOT}/lib"
2781 fi 3072 fi
2782 fi
2783 3073
2784 AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h) 3074 AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h)
2785 AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h) 3075 AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h)
2786 AC_CHECK_HEADERS(gssapi_generic.h gssapi/gssapi_generic.h) 3076 AC_CHECK_HEADERS(gssapi_generic.h gssapi/gssapi_generic.h)
2787 3077
2788 LIBS="$LIBS $K5LIBS" 3078 LIBS="$LIBS $K5LIBS"
2789 AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS)) 3079 AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS, 1,
3080 [Define this if you want to use libkafs' AFS support]))
3081 fi
2790 ] 3082 ]
2791) 3083)
2792 3084
@@ -2840,7 +3132,8 @@ if test -z "$xauth_path" ; then
2840 XAUTH_PATH="undefined" 3132 XAUTH_PATH="undefined"
2841 AC_SUBST(XAUTH_PATH) 3133 AC_SUBST(XAUTH_PATH)
2842else 3134else
2843 AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path") 3135 AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path",
3136 [Define if xauth is found in your path])
2844 XAUTH_PATH=$xauth_path 3137 XAUTH_PATH=$xauth_path
2845 AC_SUBST(XAUTH_PATH) 3138 AC_SUBST(XAUTH_PATH)
2846fi 3139fi
@@ -2848,7 +3141,8 @@ fi
2848# Check for mail directory (last resort if we cannot get it from headers) 3141# Check for mail directory (last resort if we cannot get it from headers)
2849if test ! -z "$MAIL" ; then 3142if test ! -z "$MAIL" ; then
2850 maildir=`dirname $MAIL` 3143 maildir=`dirname $MAIL`
2851 AC_DEFINE_UNQUOTED(MAIL_DIRECTORY, "$maildir") 3144 AC_DEFINE_UNQUOTED(MAIL_DIRECTORY, "$maildir",
3145 [Set this to your mail directory if you don't have maillock.h])
2852fi 3146fi
2853 3147
2854if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then 3148if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
@@ -2859,7 +3153,8 @@ if test -z "$no_dev_ptmx" ; then
2859 if test "x$disable_ptmx_check" != "xyes" ; then 3153 if test "x$disable_ptmx_check" != "xyes" ; then
2860 AC_CHECK_FILE("/dev/ptmx", 3154 AC_CHECK_FILE("/dev/ptmx",
2861 [ 3155 [
2862 AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX) 3156 AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX, 1,
3157 [Define if you have /dev/ptmx])
2863 have_dev_ptmx=1 3158 have_dev_ptmx=1
2864 ] 3159 ]
2865 ) 3160 )
@@ -2869,7 +3164,8 @@ fi
2869if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then 3164if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
2870 AC_CHECK_FILE("/dev/ptc", 3165 AC_CHECK_FILE("/dev/ptc",
2871 [ 3166 [
2872 AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC) 3167 AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC, 1,
3168 [Define if you have /dev/ptc])
2873 have_dev_ptc=1 3169 have_dev_ptc=1
2874 ] 3170 ]
2875 ) 3171 )
@@ -2916,7 +3212,8 @@ AC_ARG_WITH(md5-passwords,
2916 [ --with-md5-passwords Enable use of MD5 passwords], 3212 [ --with-md5-passwords Enable use of MD5 passwords],
2917 [ 3213 [
2918 if test "x$withval" != "xno" ; then 3214 if test "x$withval" != "xno" ; then
2919 AC_DEFINE(HAVE_MD5_PASSWORDS) 3215 AC_DEFINE(HAVE_MD5_PASSWORDS, 1,
3216 [Define if you want to allow MD5 passwords])
2920 MD5_MSG="yes" 3217 MD5_MSG="yes"
2921 fi 3218 fi
2922 ] 3219 ]
@@ -2946,7 +3243,8 @@ if test -z "$disable_shadow" ; then
2946 3243
2947 if test "x$sp_expire_available" = "xyes" ; then 3244 if test "x$sp_expire_available" = "xyes" ; then
2948 AC_MSG_RESULT(yes) 3245 AC_MSG_RESULT(yes)
2949 AC_DEFINE(HAS_SHADOW_EXPIRE) 3246 AC_DEFINE(HAS_SHADOW_EXPIRE, 1,
3247 [Define if you want to use shadow password expire field])
2950 else 3248 else
2951 AC_MSG_RESULT(no) 3249 AC_MSG_RESULT(no)
2952 fi 3250 fi
@@ -2955,7 +3253,9 @@ fi
2955# Use ip address instead of hostname in $DISPLAY 3253# Use ip address instead of hostname in $DISPLAY
2956if test ! -z "$IPADDR_IN_DISPLAY" ; then 3254if test ! -z "$IPADDR_IN_DISPLAY" ; then
2957 DISPLAY_HACK_MSG="yes" 3255 DISPLAY_HACK_MSG="yes"
2958 AC_DEFINE(IPADDR_IN_DISPLAY) 3256 AC_DEFINE(IPADDR_IN_DISPLAY, 1,
3257 [Define if you need to use IP address
3258 instead of hostname in $DISPLAY])
2959else 3259else
2960 DISPLAY_HACK_MSG="no" 3260 DISPLAY_HACK_MSG="no"
2961 AC_ARG_WITH(ipaddr-display, 3261 AC_ARG_WITH(ipaddr-display,
@@ -2978,17 +3278,21 @@ AC_ARG_ENABLE(etc-default-login,
2978 else 3278 else
2979 etc_default_login=yes 3279 etc_default_login=yes
2980 fi ], 3280 fi ],
2981 [ etc_default_login=yes ] 3281 [ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
3282 then
3283 AC_MSG_WARN([cross compiling: not checking /etc/default/login])
3284 etc_default_login=no
3285 else
3286 etc_default_login=yes
3287 fi ]
2982) 3288)
2983 3289
2984if test "x$etc_default_login" != "xno"; then 3290if test "x$etc_default_login" != "xno"; then
2985 AC_CHECK_FILE("/etc/default/login", 3291 AC_CHECK_FILE("/etc/default/login",
2986 [ external_path_file=/etc/default/login ]) 3292 [ external_path_file=/etc/default/login ])
2987 if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; 3293 if test "x$external_path_file" = "x/etc/default/login"; then
2988 then 3294 AC_DEFINE(HAVE_ETC_DEFAULT_LOGIN, 1,
2989 AC_MSG_WARN([cross compiling: Disabling /etc/default/login test]) 3295 [Define if your system has /etc/default/login])
2990 elif test "x$external_path_file" = "x/etc/default/login"; then
2991 AC_DEFINE(HAVE_ETC_DEFAULT_LOGIN)
2992 fi 3296 fi
2993fi 3297fi
2994 3298
@@ -3025,8 +3329,8 @@ $external_path_file .])
3025If PATH is defined in $external_path_file, ensure the path to scp is included, 3329If PATH is defined in $external_path_file, ensure the path to scp is included,
3026otherwise scp will not work.]) 3330otherwise scp will not work.])
3027 fi 3331 fi
3028 AC_TRY_RUN( 3332 AC_RUN_IFELSE(
3029 [ 3333 [AC_LANG_SOURCE([[
3030/* find out what STDPATH is */ 3334/* find out what STDPATH is */
3031#include <stdio.h> 3335#include <stdio.h>
3032#ifdef HAVE_PATHS_H 3336#ifdef HAVE_PATHS_H
@@ -3058,7 +3362,8 @@ main()
3058 3362
3059 exit(0); 3363 exit(0);
3060} 3364}
3061 ], [ user_path=`cat conftest.stdpath` ], 3365 ]])],
3366 [ user_path=`cat conftest.stdpath` ],
3062 [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ], 3367 [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
3063 [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ] 3368 [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
3064 ) 3369 )
@@ -3081,7 +3386,7 @@ main()
3081 fi ] 3386 fi ]
3082) 3387)
3083if test "x$external_path_file" != "x/etc/login.conf" ; then 3388if test "x$external_path_file" != "x/etc/login.conf" ; then
3084 AC_DEFINE_UNQUOTED(USER_PATH, "$user_path") 3389 AC_DEFINE_UNQUOTED(USER_PATH, "$user_path", [Specify default $PATH])
3085 AC_SUBST(user_path) 3390 AC_SUBST(user_path)
3086fi 3391fi
3087 3392
@@ -3091,7 +3396,9 @@ AC_ARG_WITH(superuser-path,
3091 [ 3396 [
3092 if test -n "$withval" && test "x$withval" != "xno" && \ 3397 if test -n "$withval" && test "x$withval" != "xno" && \
3093 test "x${withval}" != "xyes"; then 3398 test "x${withval}" != "xyes"; then
3094 AC_DEFINE_UNQUOTED(SUPERUSER_PATH, "$withval") 3399 AC_DEFINE_UNQUOTED(SUPERUSER_PATH, "$withval",
3400 [Define if you want a different $PATH
3401 for the superuser])
3095 superuser_path=$withval 3402 superuser_path=$withval
3096 fi 3403 fi
3097 ] 3404 ]
@@ -3105,7 +3412,9 @@ AC_ARG_WITH(4in6,
3105 [ 3412 [
3106 if test "x$withval" != "xno" ; then 3413 if test "x$withval" != "xno" ; then
3107 AC_MSG_RESULT(yes) 3414 AC_MSG_RESULT(yes)
3108 AC_DEFINE(IPV4_IN_IPV6) 3415 AC_DEFINE(IPV4_IN_IPV6, 1,
3416 [Detect IPv4 in IPv6 mapped addresses
3417 and treat as IPv4])
3109 IPV4_IN6_HACK_MSG="yes" 3418 IPV4_IN6_HACK_MSG="yes"
3110 else 3419 else
3111 AC_MSG_RESULT(no) 3420 AC_MSG_RESULT(no)
@@ -3127,7 +3436,8 @@ AC_ARG_WITH(bsd-auth,
3127 [ --with-bsd-auth Enable BSD auth support], 3436 [ --with-bsd-auth Enable BSD auth support],
3128 [ 3437 [
3129 if test "x$withval" != "xno" ; then 3438 if test "x$withval" != "xno" ; then
3130 AC_DEFINE(BSD_AUTH) 3439 AC_DEFINE(BSD_AUTH, 1,
3440 [Define if you have BSD auth support])
3131 BSD_AUTH_MSG=yes 3441 BSD_AUTH_MSG=yes
3132 fi 3442 fi
3133 ] 3443 ]
@@ -3156,7 +3466,7 @@ AC_ARG_WITH(pid-dir,
3156 ] 3466 ]
3157) 3467)
3158 3468
3159AC_DEFINE_UNQUOTED(_PATH_SSH_PIDDIR, "$piddir") 3469AC_DEFINE_UNQUOTED(_PATH_SSH_PIDDIR, "$piddir", [Specify location of ssh.pid])
3160AC_SUBST(piddir) 3470AC_SUBST(piddir)
3161 3471
3162dnl allow user to disable some login recording features 3472dnl allow user to disable some login recording features
@@ -3180,7 +3490,8 @@ AC_ARG_ENABLE(utmpx,
3180 [ --disable-utmpx disable use of utmpx even if detected [no]], 3490 [ --disable-utmpx disable use of utmpx even if detected [no]],
3181 [ 3491 [
3182 if test "x$enableval" = "xno" ; then 3492 if test "x$enableval" = "xno" ; then
3183 AC_DEFINE(DISABLE_UTMPX) 3493 AC_DEFINE(DISABLE_UTMPX, 1,
3494 [Define if you don't want to use utmpx])
3184 fi 3495 fi
3185 ] 3496 ]
3186) 3497)
@@ -3196,7 +3507,8 @@ AC_ARG_ENABLE(wtmpx,
3196 [ --disable-wtmpx disable use of wtmpx even if detected [no]], 3507 [ --disable-wtmpx disable use of wtmpx even if detected [no]],
3197 [ 3508 [
3198 if test "x$enableval" = "xno" ; then 3509 if test "x$enableval" = "xno" ; then
3199 AC_DEFINE(DISABLE_WTMPX) 3510 AC_DEFINE(DISABLE_WTMPX, 1,
3511 [Define if you don't want to use wtmpx])
3200 fi 3512 fi
3201 ] 3513 ]
3202) 3514)
@@ -3212,7 +3524,9 @@ AC_ARG_ENABLE(pututline,
3212 [ --disable-pututline disable use of pututline() etc. ([uw]tmp) [no]], 3524 [ --disable-pututline disable use of pututline() etc. ([uw]tmp) [no]],
3213 [ 3525 [
3214 if test "x$enableval" = "xno" ; then 3526 if test "x$enableval" = "xno" ; then
3215 AC_DEFINE(DISABLE_PUTUTLINE) 3527 AC_DEFINE(DISABLE_PUTUTLINE, 1,
3528 [Define if you don't want to use pututline()
3529 etc. to write [uw]tmp])
3216 fi 3530 fi
3217 ] 3531 ]
3218) 3532)
@@ -3220,7 +3534,9 @@ AC_ARG_ENABLE(pututxline,
3220 [ --disable-pututxline disable use of pututxline() etc. ([uw]tmpx) [no]], 3534 [ --disable-pututxline disable use of pututxline() etc. ([uw]tmpx) [no]],
3221 [ 3535 [
3222 if test "x$enableval" = "xno" ; then 3536 if test "x$enableval" = "xno" ; then
3223 AC_DEFINE(DISABLE_PUTUTXLINE) 3537 AC_DEFINE(DISABLE_PUTUTXLINE, 1,
3538 [Define if you don't want to use pututxline()
3539 etc. to write [uw]tmpx])
3224 fi 3540 fi
3225 ] 3541 ]
3226) 3542)
@@ -3295,7 +3611,8 @@ if test -z "$conf_lastlog_location"; then
3295fi 3611fi
3296 3612
3297if test -n "$conf_lastlog_location"; then 3613if test -n "$conf_lastlog_location"; then
3298 AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, "$conf_lastlog_location") 3614 AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, "$conf_lastlog_location",
3615 [Define if you want to specify the path to your lastlog file])
3299fi 3616fi
3300 3617
3301dnl utmp detection 3618dnl utmp detection
@@ -3325,7 +3642,8 @@ if test -z "$conf_utmp_location"; then
3325 fi 3642 fi
3326fi 3643fi
3327if test -n "$conf_utmp_location"; then 3644if test -n "$conf_utmp_location"; then
3328 AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location") 3645 AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location",
3646 [Define if you want to specify the path to your utmp file])
3329fi 3647fi
3330 3648
3331dnl wtmp detection 3649dnl wtmp detection
@@ -3355,7 +3673,8 @@ if test -z "$conf_wtmp_location"; then
3355 fi 3673 fi
3356fi 3674fi
3357if test -n "$conf_wtmp_location"; then 3675if test -n "$conf_wtmp_location"; then
3358 AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location") 3676 AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location",
3677 [Define if you want to specify the path to your wtmp file])
3359fi 3678fi
3360 3679
3361 3680
@@ -3383,7 +3702,8 @@ if test -z "$conf_utmpx_location"; then
3383 AC_DEFINE(DISABLE_UTMPX) 3702 AC_DEFINE(DISABLE_UTMPX)
3384 fi 3703 fi
3385else 3704else
3386 AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location") 3705 AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location",
3706 [Define if you want to specify the path to your utmpx file])
3387fi 3707fi
3388 3708
3389dnl wtmpx detection 3709dnl wtmpx detection
@@ -3408,7 +3728,8 @@ if test -z "$conf_wtmpx_location"; then
3408 AC_DEFINE(DISABLE_WTMPX) 3728 AC_DEFINE(DISABLE_WTMPX)
3409 fi 3729 fi
3410else 3730else
3411 AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location") 3731 AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location",
3732 [Define if you want to specify the path to your wtmpx file])
3412fi 3733fi
3413 3734
3414 3735
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec
index bfde0fefc..09c08f194 100644
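--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -17,7 +17,7 @@
 #old cvs stuff. please update before use. may be deprecated.
 %define use_stable 1
 %if %{use_stable}
- %define version 4.2p1
+ %define version 4.3p2
  %define cvs %{nil}
  %define release 1
 %else
@@ -357,4 +357,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 
-$Id: openssh.spec,v 1.55 2005/09/01 09:10:49 djm Exp $
+$Id: openssh.spec,v 1.56.2.1 2006/02/11 00:00:45 djm Exp $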
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index fbfb5c195..0540890e6 100644
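--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -551,14 +551,14 @@ then
  [ -z "${_cygwin}" ] && _cygwin="ntsec"
  if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
  then
- if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}"
+ if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" -y tcpip
  then
  echo
  echo "The service has been installed under sshd_server account."
  echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
  fi
  else
- if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
+ if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" -y tcpip
  then
  echo
  echo "The service has been installed under LocalSystem account."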
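Review bot: The `sshd_server` branch still hands the account password to cygrunsrv as a command-line argument (`-w "${_password}"`), so it can be read from the process list by other local processes while the install runs; the added `-y tcpip` dependency does not change that. cygrunsrv asks for the password interactively when `-u` is given without `-w`, so dropping `-w "${_password}"` from that line would keep the secret off the command line at the cost of a second prompt. If the argument has to stay, a comment above the line such as `# NOTE: password is visible in the process list while cygrunsrv runs` would at least record the trade-off. The enclosing if/else continues past the end of the hunk.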
diff --git a/contrib/cygwin/ssh-user-config b/contrib/cygwin/ssh-user-config
index fe07ce360..9482efe9e 100644
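--- a/contrib/cygwin/ssh-user-config
+++ b/contrib/cygwin/ssh-user-config
@@ -198,7 +198,7 @@ fi
 
 if [ ! -f "${pwdhome}/.ssh/id_rsa" ]
 then
- if request "Shall I create an SSH2 RSA identity file for you? (yes/no) "
+ if request "Shall I create an SSH2 RSA identity file for you?"
  then
  echo "Generating ${pwdhome}/.ssh/id_rsa"
  if [ "${with_passphrase}" = "yes" ]
@@ -217,7 +217,7 @@ fi
 
 if [ ! -f "${pwdhome}/.ssh/id_dsa" ]
 then
- if request "Shall I create an SSH2 DSA identity file for you? (yes/no) "
+ if request "Shall I create an SSH2 DSA identity file for you?"
  then
  echo "Generating ${pwdhome}/.ssh/id_dsa"
  if [ "${with_passphrase}" = "yes" ]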
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index 049b07fe4..cbdf7bbc7 100644
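--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 4.2p1
+%define ver 4.3p2
 %define rel 1
 
 # OpenSSH privilege separation requires a user & group ID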
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index 6ad862fad..b49e78c65 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -1,14 +1,29 @@
1Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation 1# Default values for additional components
2Name: openssh 2%define build_x11_askpass 1
3Version: 4.2p1 3
4URL: http://www.openssh.com/ 4# Define the UID/GID to use for privilege separation
5Release: 1 5%define sshd_gid 65
6Source0: openssh-%{version}.tar.gz 6%define sshd_uid 71
7Copyright: BSD 7
8Group: Applications/Internet 8# The version of x11-ssh-askpass to use
9BuildRoot: /tmp/openssh-%{version}-buildroot 9%define xversion 1.2.4.1
10PreReq: openssl 10
11Obsoletes: ssh 11# Allow the ability to override defaults with -D skip_xxx=1
12%{?skip_x11_askpass:%define build_x11_askpass 0}
13
14Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
15Name: openssh
16Version: 4.3p2
17URL: http://www.openssh.com/
18Release: 1
19Source0: openssh-%{version}.tar.gz
20Source1: x11-ssh-askpass-%{xversion}.tar.gz
21License: BSD
22Group: Productivity/Networking/SSH
23BuildRoot: %{_tmppath}/openssh-%{version}-buildroot
24PreReq: openssl
25Obsoletes: ssh
26Provides: ssh
12# 27#
13# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.) 28# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.)
14# building prerequisites -- stuff for 29# building prerequisites -- stuff for
@@ -16,14 +31,25 @@ Obsoletes: ssh
16# TCP Wrappers (nkitb), 31# TCP Wrappers (nkitb),
17# and Gnome (glibdev, gtkdev, and gnlibsd) 32# and Gnome (glibdev, gtkdev, and gnlibsd)
18# 33#
19BuildPrereq: openssl 34BuildPrereq: openssl
20BuildPrereq: nkitb 35BuildPrereq: nkitb
21BuildPrereq: glibdev 36#BuildPrereq: glibdev
22BuildPrereq: gtkdev 37#BuildPrereq: gtkdev
23BuildPrereq: gnlibsd 38#BuildPrereq: gnlibsd
39
40%package askpass
41Summary: A passphrase dialog for OpenSSH and the X window System.
42Group: Productivity/Networking/SSH
43Requires: openssh = %{version}
44Obsoletes: ssh-extras
45Provides: openssh:${_libdir}/ssh/ssh-askpass
46
47%if %{build_x11_askpass}
48BuildPrereq: XFree86-devel
49%endif
24 50
25%description 51%description
26Ssh (Secure Shell) a program for logging into a remote machine and for 52Ssh (Secure Shell) is a program for logging into a remote machine and for
27executing commands in a remote machine. It is intended to replace 53executing commands in a remote machine. It is intended to replace
28rlogin and rsh, and provide secure encrypted communications between 54rlogin and rsh, and provide secure encrypted communications between
29two untrusted hosts over an insecure network. X11 connections and 55two untrusted hosts over an insecure network. X11 connections and
@@ -34,10 +60,26 @@ up to date in terms of security and features, as well as removing all
34patented algorithms to seperate libraries (OpenSSL). 60patented algorithms to seperate libraries (OpenSSL).
35 61
36This package includes all files necessary for both the OpenSSH 62This package includes all files necessary for both the OpenSSH
37client and server. Additionally, this package contains the GNOME 63client and server.
38passphrase dialog. 64
65%description askpass
66Ssh (Secure Shell) is a program for logging into a remote machine and for
67executing commands in a remote machine. It is intended to replace
68rlogin and rsh, and provide secure encrypted communications between
69two untrusted hosts over an insecure network. X11 connections and
70arbitrary TCP/IP ports can also be forwarded over the secure channel.
71
72OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
73up to date in terms of security and features, as well as removing all
74patented algorithms to seperate libraries (OpenSSL).
75
76This package contains an X Window System passphrase dialog for OpenSSH.
39 77
40%changelog 78%changelog
79* Wed Oct 26 2005 Iain Morgan <imorgan@nas.nasa.gov>
80- Removed accidental inclusion of --without-zlib-version-check
81* Tue Oct 25 2005 Iain Morgan <imorgan@nas.nasa.gov>
82- Overhaul to deal with newer versions of SuSE and OpenSSH
41* Mon Jun 12 2000 Damien Miller <djm@mindrot.org> 83* Mon Jun 12 2000 Damien Miller <djm@mindrot.org>
42- Glob manpages to catch compressed files 84- Glob manpages to catch compressed files
43* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au> 85* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
@@ -84,116 +126,124 @@ passphrase dialog.
84 126
85%prep 127%prep
86 128
129%if %{build_x11_askpass}
130%setup -q -a 1
131%else
87%setup -q 132%setup -q
133%endif
88 134
89%build 135%build
90CFLAGS="$RPM_OPT_FLAGS" \ 136CFLAGS="$RPM_OPT_FLAGS" \
91./configure --prefix=/usr \ 137%configure --prefix=/usr \
92 --sysconfdir=/etc/ssh \ 138 --sysconfdir=%{_sysconfdir}/ssh \
93 --datadir=/usr/share/openssh \ 139 --mandir=%{_mandir} \
140 --with-privsep-path=/var/lib/empty \
94 --with-pam \ 141 --with-pam \
95 --with-gnome-askpass \
96 --with-tcp-wrappers \ 142 --with-tcp-wrappers \
97 --with-ipv4-default \ 143 --libexecdir=%{_libdir}/ssh
98 --libexecdir=/usr/lib/ssh
99make 144make
100 145
101cd contrib 146%if %{build_x11_askpass}
102gcc -O -g `gnome-config --cflags gnome gnomeui` \ 147cd x11-ssh-askpass-%{xversion}
103 gnome-ssh-askpass.c -o gnome-ssh-askpass \ 148%configure --mandir=/usr/X11R6/man \
104 `gnome-config --libs gnome gnomeui` 149 --libexecdir=%{_libdir}/ssh
150xmkmf -a
151make
105cd .. 152cd ..
153%endif
106 154
107%install 155%install
108rm -rf $RPM_BUILD_ROOT 156rm -rf $RPM_BUILD_ROOT
109make install DESTDIR=$RPM_BUILD_ROOT/ 157make install DESTDIR=$RPM_BUILD_ROOT/
110install -d $RPM_BUILD_ROOT/etc/ssh/
111install -d $RPM_BUILD_ROOT/etc/pam.d/ 158install -d $RPM_BUILD_ROOT/etc/pam.d/
112install -d $RPM_BUILD_ROOT/sbin/init.d/ 159install -d $RPM_BUILD_ROOT/etc/init.d/
113install -d $RPM_BUILD_ROOT/var/adm/fillup-templates 160install -d $RPM_BUILD_ROOT/var/adm/fillup-templates
114install -d $RPM_BUILD_ROOT/usr/lib/ssh
115install -m644 contrib/sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd 161install -m644 contrib/sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd
116install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/sbin/init.d/sshd 162install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/etc/init.d/sshd
117ln -s ../../sbin/init.d/sshd $RPM_BUILD_ROOT/usr/sbin/rcsshd 163install -m744 contrib/suse/sysconfig.ssh \
118install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT/usr/lib/ssh/gnome-ssh-askpass
119ln -s gnome-ssh-askpass $RPM_BUILD_ROOT/usr/lib/ssh/ssh-askpass
120install -m744 contrib/suse/rc.config.sshd \
121 $RPM_BUILD_ROOT/var/adm/fillup-templates 164 $RPM_BUILD_ROOT/var/adm/fillup-templates
122 165
166%if %{build_x11_askpass}
167cd x11-ssh-askpass-%{xversion}
168make install install.man BINDIR=%{_libdir}/ssh DESTDIR=$RPM_BUILD_ROOT/
169rm -f $RPM_BUILD_ROOT/usr/share/Ssh.bin
170%endif
171
123%clean 172%clean
124rm -rf $RPM_BUILD_ROOT 173rm -rf $RPM_BUILD_ROOT
125 174
175%pre
176/usr/sbin/groupadd -g %{sshd_gid} -o -r sshd 2> /dev/null || :
177/usr/sbin/useradd -r -o -g sshd -u %{sshd_uid} -s /bin/false -c "SSH Privilege Separation User" -d /var/lib/sshd sshd 2> /dev/null || :
178
126%post 179%post
127if [ "$1" = 1 ]; then
128 echo "Creating SSH stop/start scripts in the rc directories..."
129 ln -s ../sshd /sbin/init.d/rc2.d/K20sshd
130 ln -s ../sshd /sbin/init.d/rc2.d/S20sshd
131 ln -s ../sshd /sbin/init.d/rc3.d/K20sshd
132 ln -s ../sshd /sbin/init.d/rc3.d/S20sshd
133fi
134echo "Updating /etc/rc.config..."
135if [ -x /bin/fillup ] ; then
136 /bin/fillup -q -d = etc/rc.config var/adm/fillup-templates/rc.config.sshd
137else
138 echo "ERROR: fillup not found. This should NOT happen in SuSE Linux."
139 echo "Update /etc/rc.config by hand from the following template file:"
140 echo " /var/adm/fillup-templates/rc.config.sshd"
141fi
142if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then 180if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then
143 echo "Generating SSH host key..." 181 echo "Generating SSH RSA host key..."
144 /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2 182 /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' >&2
145fi 183fi
146if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then 184if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then
147 echo "Generating SSH DSA host key..." 185 echo "Generating SSH DSA host key..."
148 /usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N '' >&2 186 /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' >&2
149fi
150if test -r /var/run/sshd.pid
151then
152 echo "Restarting the running SSH daemon..."
153 /usr/sbin/rcsshd restart >&2
154fi 187fi
188%{fillup_and_insserv -n -s -y ssh sshd START_SSHD}
189%run_permissions
190
191%verifyscript
192%verify_permissions -e /etc/ssh/sshd_config -e /etc/ssh/ssh_config -e /usr/bin/ssh
155 193
156%preun 194%preun
157if [ "$1" = 0 ] 195%stop_on_removal sshd
158then 196
159 echo "Stopping the SSH daemon..." 197%postun
160 /usr/sbin/rcsshd stop >&2 198%restart_on_update sshd
161 echo "Removing SSH stop/start scripts from the rc directories..." 199%{insserv_cleanup}
162 rm /sbin/init.d/rc2.d/K20sshd
163 rm /sbin/init.d/rc2.d/S20sshd
164 rm /sbin/init.d/rc3.d/K20sshd
165 rm /sbin/init.d/rc3.d/S20sshd
166fi
167 200
168%files 201%files
169%defattr(-,root,root) 202%defattr(-,root,root)
170%doc ChangeLog OVERVIEW README* 203%doc ChangeLog OVERVIEW README*
171%doc RFC.nroff TODO CREDITS LICENCE 204%doc RFC.nroff TODO CREDITS LICENCE
172%attr(0755,root,root) %dir /etc/ssh 205%attr(0755,root,root) %dir %{_sysconfdir}/ssh
173%attr(0644,root,root) %config /etc/ssh/ssh_config 206%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
174%attr(0600,root,root) %config /etc/ssh/sshd_config 207%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
175%attr(0600,root,root) %config /etc/ssh/moduli 208%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
176%attr(0644,root,root) %config /etc/pam.d/sshd 209%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
177%attr(0755,root,root) %config /sbin/init.d/sshd 210%attr(0755,root,root) %config /etc/init.d/sshd
178%attr(0755,root,root) /usr/bin/ssh-keygen 211%attr(0755,root,root) %{_bindir}/ssh-keygen
179%attr(0755,root,root) /usr/bin/scp 212%attr(0755,root,root) %{_bindir}/scp
180%attr(4755,root,root) /usr/bin/ssh 213%attr(0755,root,root) %{_bindir}/ssh
181%attr(-,root,root) /usr/bin/slogin 214%attr(-,root,root) %{_bindir}/slogin
182%attr(0755,root,root) /usr/bin/ssh-agent 215%attr(0755,root,root) %{_bindir}/ssh-agent
183%attr(0755,root,root) /usr/bin/ssh-add 216%attr(0755,root,root) %{_bindir}/ssh-add
184%attr(0755,root,root) /usr/bin/ssh-keyscan 217%attr(0755,root,root) %{_bindir}/ssh-keyscan
185%attr(0755,root,root) /usr/bin/sftp 218%attr(0755,root,root) %{_bindir}/sftp
186%attr(0755,root,root) /usr/sbin/sshd 219%attr(0755,root,root) %{_sbindir}/sshd
187%attr(-,root,root) /usr/sbin/rcsshd 220%attr(0755,root,root) %dir %{_libdir}/ssh
188%attr(0755,root,root) %dir /usr/lib/ssh 221%attr(0755,root,root) %{_libdir}/ssh/sftp-server
189%attr(0755,root,root) /usr/lib/ssh/ssh-askpass 222%attr(4711,root,root) %{_libdir}/ssh/ssh-keysign
190%attr(0755,root,root) /usr/lib/ssh/gnome-ssh-askpass 223%attr(0644,root,root) %doc %{_mandir}/man1/scp.1*
191%attr(0644,root,root) %doc /usr/man/man1/scp.1* 224%attr(0644,root,root) %doc %{_mandir}/man1/sftp.1*
192%attr(0644,root,root) %doc /usr/man/man1/ssh.1* 225%attr(-,root,root) %doc %{_mandir}/man1/slogin.1*
193%attr(-,root,root) %doc /usr/man/man1/slogin.1* 226%attr(0644,root,root) %doc %{_mandir}/man1/ssh.1*
194%attr(0644,root,root) %doc /usr/man/man1/ssh-agent.1* 227%attr(0644,root,root) %doc %{_mandir}/man1/ssh-add.1*
195%attr(0644,root,root) %doc /usr/man/man1/ssh-add.1* 228%attr(0644,root,root) %doc %{_mandir}/man1/ssh-agent.1*
196%attr(0644,root,root) %doc /usr/man/man1/ssh-keygen.1* 229%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keygen.1*
197%attr(0644,root,root) %doc /usr/man/man8/sshd.8* 230%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keyscan.1*
198%attr(0644,root,root) /var/adm/fillup-templates/rc.config.sshd 231%attr(0644,root,root) %doc %{_mandir}/man5/ssh_config.5*
232%attr(0644,root,root) %doc %{_mandir}/man5/sshd_config.5*
233%attr(0644,root,root) %doc %{_mandir}/man8/sftp-server.8*
234%attr(0644,root,root) %doc %{_mandir}/man8/ssh-keysign.8*
235%attr(0644,root,root) %doc %{_mandir}/man8/sshd.8*
236%attr(0644,root,root) /var/adm/fillup-templates/sysconfig.ssh
199 237
238%if %{build_x11_askpass}
239%files askpass
240%defattr(-,root,root)
241%doc x11-ssh-askpass-%{xversion}/README
242%doc x11-ssh-askpass-%{xversion}/ChangeLog
243%doc x11-ssh-askpass-%{xversion}/SshAskpass*.ad
244%attr(0755,root,root) %{_libdir}/ssh/ssh-askpass
245%attr(0755,root,root) %{_libdir}/ssh/x11-ssh-askpass
246%attr(0644,root,root) %doc /usr/X11R6/man/man1/ssh-askpass.1x*
247%attr(0644,root,root) %doc /usr/X11R6/man/man1/x11-ssh-askpass.1x*
248%attr(0644,root,root) %config /usr/X11R6/lib/X11/app-defaults/SshAskpass
249%endif
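Review bot: In `%post` the first guard still tests `/etc/ssh/ssh_host_key`, but the command under it now writes `/etc/ssh/ssh_host_rsa_key`, so the check no longer protects the file being generated: on a host without a protocol-1 key, every install or upgrade re-runs `ssh-keygen` against an RSA key file that may already exist. The test should name the same file, `if [ ! -f /etc/ssh/ssh_host_rsa_key -o ! -s /etc/ssh/ssh_host_rsa_key ]; then`. Two smaller points in the same section: `Provides: openssh:${_libdir}/ssh/ssh-askpass` uses shell syntax where the RPM macro `%{_libdir}` looks intended, and `%pre` gives the sshd user the home `/var/lib/sshd` while configure is passed `--with-privsep-path=/var/lib/empty`.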
diff --git a/contrib/suse/rc.sshd b/contrib/suse/rc.sshd
index f7d431ebb..573960bfa 100644
--- a/contrib/suse/rc.sshd
+++ b/contrib/suse/rc.sshd
@@ -1,80 +1,133 @@
1#! /bin/sh 1#! /bin/sh
2# Copyright (c) 1995-1998 SuSE GmbH Nuernberg, Germany. 2# Copyright (c) 1995-2000 SuSE GmbH Nuernberg, Germany.
3# 3#
4# Author: Chris Saia <csaia@wtower.com> 4# Author: Jiri Smid <feedback@suse.de>
5# 5#
6# /sbin/init.d/sshd 6# /etc/init.d/sshd
7# 7#
8# and symbolic its link 8# and symbolic its link
9# 9#
10# /sbin/rcsshd 10# /usr/sbin/rcsshd
11# 11#
12### BEGIN INIT INFO
13# Provides: sshd
14# Required-Start: $network $remote_fs
15# Required-Stop: $network $remote_fs
16# Default-Start: 3 5
17# Default-Stop: 0 1 2 6
18# Description: Start the sshd daemon
19### END INIT INFO
12 20
13. /etc/rc.config 21SSHD_BIN=/usr/sbin/sshd
22test -x $SSHD_BIN || exit 5
14 23
15# Determine the base and follow a runlevel link name. 24SSHD_SYSCONFIG=/etc/sysconfig/ssh
16base=${0##*/} 25test -r $SSHD_SYSCONFIG || exit 6
17link=${base#*[SK][0-9][0-9]} 26. $SSHD_SYSCONFIG
18 27
19# Force execution if not called by a runlevel directory. 28SSHD_PIDFILE=/var/run/sshd.init.pid
20test $link = $base && START_SSHD=yes 29
21test "$START_SSHD" = yes || exit 0 30. /etc/rc.status
31
32# Shell functions sourced from /etc/rc.status:
33# rc_check check and set local and overall rc status
34# rc_status check and set local and overall rc status
35# rc_status -v ditto but be verbose in local rc status
36# rc_status -v -r ditto and clear the local rc status
37# rc_failed set local and overall rc status to failed
38# rc_reset clear local rc status (overall remains)
39# rc_exit exit appropriate to overall rc status
40
41# First reset status of this service
42rc_reset
22 43
23# The echo return value for success (defined in /etc/rc.config).
24return=$rc_done
25case "$1" in 44case "$1" in
26 start) 45 start)
27 echo -n "Starting service sshd" 46 if ! test -f /etc/ssh/ssh_host_key ; then
47 echo Generating /etc/ssh/ssh_host_key.
48 ssh-keygen -t rsa1 -b 1024 -f /etc/ssh/ssh_host_key -N ''
49 fi
50 if ! test -f /etc/ssh/ssh_host_dsa_key ; then
51 echo Generating /etc/ssh/ssh_host_dsa_key.
52
53 ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N ''
54 fi
55 if ! test -f /etc/ssh/ssh_host_rsa_key ; then
56 echo Generating /etc/ssh/ssh_host_rsa_key.
57
58 ssh-keygen -t rsa -b 1024 -f /etc/ssh/ssh_host_rsa_key -N ''
59 fi
60 echo -n "Starting SSH daemon"
28 ## Start daemon with startproc(8). If this fails 61 ## Start daemon with startproc(8). If this fails
29 ## the echo return value is set appropriate. 62 ## the echo return value is set appropriate.
30 63
31 startproc /usr/sbin/sshd || return=$rc_failed 64 startproc -f -p $SSHD_PIDFILE /usr/sbin/sshd $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE"
32 65
33 echo -e "$return" 66 # Remember status and be verbose
67 rc_status -v
34 ;; 68 ;;
35 stop) 69 stop)
36 echo -n "Stopping service sshd" 70 echo -n "Shutting down SSH daemon"
37 ## Stop daemon with killproc(8) and if this fails 71 ## Stop daemon with killproc(8) and if this fails
38 ## set echo the echo return value. 72 ## set echo the echo return value.
39 73
40 killproc -TERM /usr/sbin/sshd || return=$rc_failed 74 killproc -p $SSHD_PIDFILE -TERM /usr/sbin/sshd
41 75
42 echo -e "$return" 76 # Remember status and be verbose
77 rc_status -v
43 ;; 78 ;;
79 try-restart)
80 ## Stop the service and if this succeeds (i.e. the
81 ## service was running before), start it again.
82 $0 status >/dev/null && $0 restart
83
84 # Remember status and be quiet
85 rc_status
86 ;;
44 restart) 87 restart)
45 ## If first returns OK call the second, if first or 88 ## Stop the service and regardless of whether it was
46 ## second command fails, set echo return value. 89 ## running or not, start it again.
47 $0 stop && $0 start || return=$rc_failed 90 $0 stop
48 ;; 91 $0 start
49 reload)
50 ## Choose ONE of the following two cases:
51 92
52 ## First possibility: A few services accepts a signal 93 # Remember status and be quiet
53 ## to reread the (changed) configuration. 94 rc_status
95 ;;
96 force-reload|reload)
97 ## Signal the daemon to reload its config. Most daemons
98 ## do this on signal 1 (SIGHUP).
54 99
55 echo -n "Reload service sshd" 100 echo -n "Reload service sshd"
56 killproc -HUP /usr/sbin/sshd || return=$rc_failed 101
57 echo -e "$return" 102 killproc -p $SSHD_PIDFILE -HUP /usr/sbin/sshd
58 ;; 103
104 rc_status -v
105
106 ;;
59 status) 107 status)
60 echo -n "Checking for service sshd" 108 echo -n "Checking for service sshd "
61 ## Check status with checkproc(8), if process is running 109 ## Check status with checkproc(8), if process is running
62 ## checkproc will return with exit status 0. 110 ## checkproc will return with exit status 0.
63 111
64 checkproc /usr/sbin/sshd && echo OK || echo No process 112 # Status has a slightly different for the status command:
113 # 0 - service running
114 # 1 - service dead, but /var/run/ pid file exists
115 # 2 - service dead, but /var/lock/ lock file exists
116 # 3 - service not running
117
118 checkproc -p $SSHD_PIDFILE /usr/sbin/sshd
119
120 rc_status -v
65 ;; 121 ;;
66 probe) 122 probe)
67 ## Optional: Probe for the necessity of a reload, 123 ## Optional: Probe for the necessity of a reload,
68 ## give out the argument which is required for a reload. 124 ## give out the argument which is required for a reload.
69 125
70 test /etc/ssh/sshd_config -nt /var/run/sshd.pid && echo reload 126 test /etc/ssh/sshd_config -nt $SSHD_PIDFILE && echo reload
71 ;; 127 ;;
72 *) 128 *)
73 echo "Usage: $0 {start|stop|status|restart|reload[|probe]}" 129 echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
74 exit 1 130 exit 1
75 ;; 131 ;;
76esac 132esac
77 133rc_exit
78# Inform the caller not only verbosely and set an exit status.
79test "$return" = "$rc_done" || exit 1
80exit 0
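Review bot: The key-generation block added to `start)` hard-codes `-b 1024` for all three host keys and also creates a protocol-1 key (`-t rsa1`), while the `%post` in contrib/suse/openssh.spec from this same commit generates the RSA key at ssh-keygen's default size and creates no protocol-1 key. I would drop `-b 1024` from the `-t rsa` line so the default applies, `ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''`, and generate the rsa1 key only where protocol 1 is actually enabled. The three calls also rely on `$PATH` to find `ssh-keygen` even though the script pins `SSHD_BIN=/usr/sbin/sshd`; spelling out `/usr/bin/ssh-keygen`, as the spec does, is the safer form for an init script that runs as root.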
diff --git a/contrib/suse/sysconfig.ssh b/contrib/suse/sysconfig.ssh
new file mode 100644
index 000000000..c6a37e5cb
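--- /dev/null
+++ b/contrib/suse/sysconfig.ssh
@@ -0,0 +1,9 @@
+## Path: Network/Remote access/SSH
+## Description: SSH server settings
+## Type: string
+## Default: ""
+## ServiceRestart: sshd
+#
+# Options for sshd
+#
+SSHD_OPTS=""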
diff --git a/defines.h b/defines.h
index 408b988b5..f25934176 100644
--- a/defines.h
+++ b/defines.h
@@ -25,7 +25,7 @@
25#ifndef _DEFINES_H 25#ifndef _DEFINES_H
26#define _DEFINES_H 26#define _DEFINES_H
27 27
28/* $Id: defines.h,v 1.127 2005/08/31 16:59:49 tim Exp $ */ 28/* $Id: defines.h,v 1.130 2005/12/17 11:04:09 dtucker Exp $ */
29 29
30 30
31/* Constants */ 31/* Constants */
@@ -450,6 +450,10 @@ struct winsize {
450# define __sentinel__ 450# define __sentinel__
451#endif 451#endif
452 452
453#if !defined(HAVE_ATTRIBUTE__BOUNDED__) && !defined(__bounded__)
454# define __bounded__(x, y, z)
455#endif
456
453/* *-*-nto-qnx doesn't define this macro in the system headers */ 457/* *-*-nto-qnx doesn't define this macro in the system headers */
454#ifdef MISSING_HOWMANY 458#ifdef MISSING_HOWMANY
455# define howmany(x,y) (((x)+((y)-1))/(y)) 459# define howmany(x,y) (((x)+((y)-1))/(y))
@@ -688,7 +692,7 @@ struct winsize {
688# define CUSTOM_SYS_AUTH_PASSWD 1 692# define CUSTOM_SYS_AUTH_PASSWD 1
689#endif 693#endif
690 694
691#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF) 695#ifdef HAVE_LIBIAF
692# define CUSTOM_SYS_AUTH_PASSWD 1 696# define CUSTOM_SYS_AUTH_PASSWD 1
693#endif 697#endif
694 698
@@ -711,4 +715,12 @@ struct winsize {
711# undef HAVE_MMAP 715# undef HAVE_MMAP
712#endif 716#endif
713 717
718/* some system headers on HP-UX define YES/NO */
719#ifdef YES
720# undef YES
721#endif
722#ifdef NO
723# undef NO
724#endif
725
714#endif /* _DEFINES_H */ 726#endif /* _DEFINES_H */
diff --git a/dns.c b/dns.c
index 4487c1aba..a71dd9bff 100644
--- a/dns.c
+++ b/dns.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: dns.c,v 1.12 2005/06/17 02:44:32 djm Exp $ */ 1/* $OpenBSD: dns.c,v 1.16 2005/10/17 14:13:35 stevesk Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2003 Wesley Griffin. All rights reserved. 4 * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -25,27 +25,16 @@
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */ 26 */
27 27
28
29#include "includes.h" 28#include "includes.h"
29RCSID("$OpenBSD: dns.c,v 1.16 2005/10/17 14:13:35 stevesk Exp $");
30 30
31#include <openssl/bn.h>
32#ifdef LWRES
33#include <lwres/netdb.h>
34#include <dns/result.h>
35#else /* LWRES */
36#include <netdb.h> 31#include <netdb.h>
37#endif /* LWRES */
38 32
39#include "xmalloc.h" 33#include "xmalloc.h"
40#include "key.h" 34#include "key.h"
41#include "dns.h" 35#include "dns.h"
42#include "log.h" 36#include "log.h"
43#include "uuencode.h"
44
45extern char *__progname;
46RCSID("$OpenBSD: dns.c,v 1.12 2005/06/17 02:44:32 djm Exp $");
47 37
48#ifndef LWRES
49static const char *errset_text[] = { 38static const char *errset_text[] = {
50 "success", /* 0 ERRSET_SUCCESS */ 39 "success", /* 0 ERRSET_SUCCESS */
51 "out of memory", /* 1 ERRSET_NOMEMORY */ 40 "out of memory", /* 1 ERRSET_NOMEMORY */
@@ -75,8 +64,6 @@ dns_result_totext(unsigned int res)
75 return "unknown error"; 64 return "unknown error";
76 } 65 }
77} 66}
78#endif /* LWRES */
79
80 67
81/* 68/*
82 * Read SSHFP parameters from key buffer. 69 * Read SSHFP parameters from key buffer.
@@ -95,12 +82,14 @@ dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
95 *algorithm = SSHFP_KEY_DSA; 82 *algorithm = SSHFP_KEY_DSA;
96 break; 83 break;
97 default: 84 default:
98 *algorithm = SSHFP_KEY_RESERVED; 85 *algorithm = SSHFP_KEY_RESERVED; /* 0 */
99 } 86 }
100 87
101 if (*algorithm) { 88 if (*algorithm) {
102 *digest_type = SSHFP_HASH_SHA1; 89 *digest_type = SSHFP_HASH_SHA1;
103 *digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len); 90 *digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len);
91 if (*digest == NULL)
92 fatal("dns_read_key: null from key_fingerprint_raw()");
104 success = 1; 93 success = 1;
105 } else { 94 } else {
106 *digest_type = SSHFP_HASH_RESERVED; 95 *digest_type = SSHFP_HASH_RESERVED;
@@ -133,7 +122,7 @@ dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type,
133 *digest = (u_char *) xmalloc(*digest_len); 122 *digest = (u_char *) xmalloc(*digest_len);
134 memcpy(*digest, rdata + 2, *digest_len); 123 memcpy(*digest, rdata + 2, *digest_len);
135 } else { 124 } else {
136 *digest = NULL; 125 *digest = xstrdup("");
137 } 126 }
138 127
139 success = 1; 128 success = 1;
@@ -187,7 +176,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
187 176
188 *flags = 0; 177 *flags = 0;
189 178
190 debug3("verify_hostkey_dns"); 179 debug3("verify_host_key_dns");
191 if (hostkey == NULL) 180 if (hostkey == NULL)
192 fatal("No key to look up!"); 181 fatal("No key to look up!");
193 182
@@ -223,7 +212,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
223 if (fingerprints->rri_nrdatas) 212 if (fingerprints->rri_nrdatas)
224 *flags |= DNS_VERIFY_FOUND; 213 *flags |= DNS_VERIFY_FOUND;
225 214
226 for (counter = 0 ; counter < fingerprints->rri_nrdatas ; counter++) { 215 for (counter = 0; counter < fingerprints->rri_nrdatas; counter++) {
227 /* 216 /*
228 * Extract the key from the answer. Ignore any badly 217 * Extract the key from the answer. Ignore any badly
229 * formatted fingerprints. 218 * formatted fingerprints.
@@ -247,8 +236,10 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
247 *flags |= DNS_VERIFY_MATCH; 236 *flags |= DNS_VERIFY_MATCH;
248 } 237 }
249 } 238 }
239 xfree(dnskey_digest);
250 } 240 }
251 241
242 xfree(hostkey_digest); /* from key_fingerprint_raw() */
252 freerrset(fingerprints); 243 freerrset(fingerprints);
253 244
254 if (*flags & DNS_VERIFY_FOUND) 245 if (*flags & DNS_VERIFY_FOUND)
@@ -262,7 +253,6 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
262 return 0; 253 return 0;
263} 254}
264 255
265
266/* 256/*
267 * Export the fingerprint of a key as a DNS resource record 257 * Export the fingerprint of a key as a DNS resource record
268 */ 258 */
@@ -278,7 +268,7 @@ export_dns_rr(const char *hostname, const Key *key, FILE *f, int generic)
278 int success = 0; 268 int success = 0;
279 269
280 if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type, 270 if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
281 &rdata_digest, &rdata_digest_len, key)) { 271 &rdata_digest, &rdata_digest_len, key)) {
282 272
283 if (generic) 273 if (generic)
284 fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname, 274 fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname,
@@ -291,9 +281,10 @@ export_dns_rr(const char *hostname, const Key *key, FILE *f, int generic)
291 for (i = 0; i < rdata_digest_len; i++) 281 for (i = 0; i < rdata_digest_len; i++)
292 fprintf(f, "%02x", rdata_digest[i]); 282 fprintf(f, "%02x", rdata_digest[i]);
293 fprintf(f, "\n"); 283 fprintf(f, "\n");
284 xfree(rdata_digest); /* from key_fingerprint_raw() */
294 success = 1; 285 success = 1;
295 } else { 286 } else {
296 error("dns_export_rr: unsupported algorithm"); 287 error("export_dns_rr: unsupported algorithm");
297 } 288 }
298 289
299 return success; 290 return success;
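Review bot: The ownership rule behind the new `xfree(dnskey_digest)` and `xfree(hostkey_digest)` calls in verify_host_key_dns is not written down anywhere. dns_read_rdata has to return a heap pointer on every success path, which is why the zero-length case now yields `xstrdup("")` instead of NULL. SSHFP rdata comes straight from the DNS answer, so that zero-length case is reachable with data the client does not control. A comment above dns_read_rdata would protect the invariant: `/* On success *digest is always heap-allocated (an empty string for a zero-length digest); the caller must xfree() it. */`. The path that skips badly formatted records is outside the hunk, so it cannot be confirmed from here that it never skips the free with a digest already allocated.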
diff --git a/dns.h b/dns.h
index c5da22ef6..0aa1c28f2 100644
--- a/dns.h
+++ b/dns.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: dns.h,v 1.5 2003/11/12 16:39:58 jakob Exp $ */ 1/* $OpenBSD: dns.h,v 1.6 2005/10/17 14:13:35 stevesk Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2003 Wesley Griffin. All rights reserved. 4 * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -25,7 +25,6 @@
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */ 26 */
27 27
28
29#include "includes.h" 28#include "includes.h"
30 29
31#ifndef DNS_H 30#ifndef DNS_H
@@ -49,7 +48,6 @@ enum sshfp_hashes {
49#define DNS_VERIFY_MATCH 0x00000002 48#define DNS_VERIFY_MATCH 0x00000002
50#define DNS_VERIFY_SECURE 0x00000004 49#define DNS_VERIFY_SECURE 0x00000004
51 50
52
53int verify_host_key_dns(const char *, struct sockaddr *, const Key *, int *); 51int verify_host_key_dns(const char *, struct sockaddr *, const Key *, int *);
54int export_dns_rr(const char *, const Key *, FILE *, int); 52int export_dns_rr(const char *, const Key *, FILE *, int);
55 53
diff --git a/entropy.c b/entropy.c
index 410bbb927..e5b45b0b6 100644
--- a/entropy.c
+++ b/entropy.c
@@ -26,6 +26,7 @@
26 26
27#include <openssl/rand.h> 27#include <openssl/rand.h>
28#include <openssl/crypto.h> 28#include <openssl/crypto.h>
29#include <openssl/err.h>
29 30
30#include "ssh.h" 31#include "ssh.h"
31#include "misc.h" 32#include "misc.h"
@@ -33,6 +34,8 @@
33#include "atomicio.h" 34#include "atomicio.h"
34#include "pathnames.h" 35#include "pathnames.h"
35#include "log.h" 36#include "log.h"
37#include "buffer.h"
38#include "bufaux.h"
36 39
37/* 40/*
38 * Portable OpenSSH PRNG seeding: 41 * Portable OpenSSH PRNG seeding:
@@ -45,7 +48,7 @@
45 * XXX: we should tell the child how many bytes we need. 48 * XXX: we should tell the child how many bytes we need.
46 */ 49 */
47 50
48RCSID("$Id: entropy.c,v 1.49 2005/07/17 07:26:44 djm Exp $"); 51RCSID("$Id: entropy.c,v 1.52 2005/09/27 22:26:30 dtucker Exp $");
49 52
50#ifndef OPENSSL_PRNG_ONLY 53#ifndef OPENSSL_PRNG_ONLY
51#define RANDOM_SEED_SIZE 48 54#define RANDOM_SEED_SIZE 48
@@ -145,10 +148,35 @@ init_rng(void)
145 "have %lx", OPENSSL_VERSION_NUMBER, SSLeay()); 148 "have %lx", OPENSSL_VERSION_NUMBER, SSLeay());
146 149
147#ifndef OPENSSL_PRNG_ONLY 150#ifndef OPENSSL_PRNG_ONLY
148 if ((original_uid = getuid()) == -1) 151 original_uid = getuid();
149 fatal("getuid: %s", strerror(errno)); 152 original_euid = geteuid();
150 if ((original_euid = geteuid()) == -1)
151 fatal("geteuid: %s", strerror(errno));
152#endif 153#endif
153} 154}
154 155
156#ifndef OPENSSL_PRNG_ONLY
157void
158rexec_send_rng_seed(Buffer *m)
159{
160 u_char buf[RANDOM_SEED_SIZE];
161
162 if (RAND_bytes(buf, sizeof(buf)) <= 0) {
163 error("Couldn't obtain random bytes (error %ld)",
164 ERR_get_error());
165 buffer_put_string(m, "", 0);
166 } else
167 buffer_put_string(m, buf, sizeof(buf));
168}
169
170void
171rexec_recv_rng_seed(Buffer *m)
172{
173 u_char *buf;
174 u_int len;
175
176 buf = buffer_get_string_ret(m, &len);
177 if (buf != NULL) {
178 debug3("rexec_recv_rng_seed: seeding rng with %u bytes", len);
179 RAND_add(buf, len, len);
180 }
181}
182#endif
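Review bot: Both new rexec seed helpers leave PRNG seed material in memory. In rexec_recv_rng_seed the buffer returned by buffer_get_string_ret() is neither cleared nor freed after `RAND_add(buf, len, len)`, and in rexec_send_rng_seed the stack array `buf` is not wiped before the function returns. I would add `memset(buf, 0, len); xfree(buf);` inside the `buf != NULL` branch of the receiver and `memset(buf, 0, sizeof(buf));` as the last statement of the sender; the xfree call assumes xmalloc.h is already included, which the hunks do not show. Separately, when RAND_bytes fails the sender writes an empty string and the receiver then adds zero bytes, so the re-executed process gets no seed from its parent. A comment saying whether that fallback is intended would help the next reader.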
diff --git a/entropy.h b/entropy.h
index 5f63c1f1f..ec1ebcc57 100644
--- a/entropy.h
+++ b/entropy.h
@@ -22,12 +22,17 @@
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 */ 23 */
24 24
25/* $Id: entropy.h,v 1.4 2001/02/09 01:55:36 djm Exp $ */ 25/* $Id: entropy.h,v 1.5 2005/09/27 12:46:32 dtucker Exp $ */
26 26
27#ifndef _RANDOMS_H 27#ifndef _RANDOMS_H
28#define _RANDOMS_H 28#define _RANDOMS_H
29 29
30#include "buffer.h"
31
30void seed_rng(void); 32void seed_rng(void);
31void init_rng(void); 33void init_rng(void);
32 34
35void rexec_send_rng_seed(Buffer *);
36void rexec_recv_rng_seed(Buffer *);
37
33#endif /* _RANDOMS_H */ 38#endif /* _RANDOMS_H */
diff --git a/gss-genr.c b/gss-genr.c
index 9dec270a3..dfaa708ea 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: gss-genr.c,v 1.4 2005/07/17 07:17:55 djm Exp $ */ 1/* $OpenBSD: gss-genr.c,v 1.6 2005/10/13 22:24:31 stevesk Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2005 Simon Wilkinson. All rights reserved. 4 * Copyright (c) 2001-2005 Simon Wilkinson. All rights reserved.
@@ -30,9 +30,7 @@
30 30
31#include "xmalloc.h" 31#include "xmalloc.h"
32#include "bufaux.h" 32#include "bufaux.h"
33#include "compat.h"
34#include "log.h" 33#include "log.h"
35#include "monitor_wrap.h"
36#include "ssh2.h" 34#include "ssh2.h"
37#include <openssl/evp.h> 35#include <openssl/evp.h>
38 36
@@ -426,7 +424,8 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
426} 424}
427 425
428OM_uint32 426OM_uint32
429ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) { 427ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
428{
430 if (*ctx) 429 if (*ctx)
431 ssh_gssapi_delete_ctx(ctx); 430 ssh_gssapi_delete_ctx(ctx);
432 ssh_gssapi_build_ctx(ctx); 431 ssh_gssapi_build_ctx(ctx);
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index 4f02621dd..5c5837ffb 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: gss-serv-krb5.c,v 1.3 2004/07/21 10:36:23 djm Exp $ */ 1/* $OpenBSD: gss-serv-krb5.c,v 1.4 2005/10/13 19:08:08 stevesk Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
diff --git a/gss-serv.c b/gss-serv.c
index 05ae54e97..190f56fc0 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: gss-serv.c,v 1.8 2005/08/30 22:08:05 djm Exp $ */ 1/* $OpenBSD: gss-serv.c,v 1.13 2005/10/13 22:24:31 stevesk Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -29,20 +29,17 @@
29#ifdef GSSAPI 29#ifdef GSSAPI
30 30
31#include "bufaux.h" 31#include "bufaux.h"
32#include "compat.h"
33#include "auth.h" 32#include "auth.h"
34#include "log.h" 33#include "log.h"
35#include "channels.h" 34#include "channels.h"
36#include "session.h" 35#include "session.h"
37#include "servconf.h" 36#include "servconf.h"
38#include "monitor_wrap.h"
39#include "xmalloc.h" 37#include "xmalloc.h"
40#include "getput.h" 38#include "getput.h"
39#include "monitor_wrap.h"
41 40
42#include "ssh-gss.h" 41#include "ssh-gss.h"
43 42
44extern ServerOptions options;
45
46static ssh_gssapi_client gssapi_client = 43static ssh_gssapi_client gssapi_client =
47 { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, 44 { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
48 GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; 45 GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
@@ -61,7 +58,7 @@ ssh_gssapi_mech* supported_mechs[]= {
61 &gssapi_null_mech, 58 &gssapi_null_mech,
62}; 59};
63 60
64/* Unpriviledged */ 61/* Unprivileged */
65char * 62char *
66ssh_gssapi_server_mechanisms() { 63ssh_gssapi_server_mechanisms() {
67 gss_OID_set supported; 64 gss_OID_set supported;
@@ -71,19 +68,19 @@ ssh_gssapi_server_mechanisms() {
71 NULL)); 68 NULL));
72} 69}
73 70
74/* Unpriviledged */ 71/* Unprivileged */
75int 72int
76ssh_gssapi_server_check_mech(gss_OID oid, void *data) { 73ssh_gssapi_server_check_mech(gss_OID oid, void *data) {
77 Gssctxt * ctx = NULL; 74 Gssctxt * ctx = NULL;
78 int res; 75 int res;
79 76
80 res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid))); 77 res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));
81 ssh_gssapi_delete_ctx(&ctx); 78 ssh_gssapi_delete_ctx(&ctx);
82 79
83 return (res); 80 return (res);
84} 81}
85 82
86/* Unpriviledged */ 83/* Unprivileged */
87void 84void
88ssh_gssapi_supported_oids(gss_OID_set *oidset) 85ssh_gssapi_supported_oids(gss_OID_set *oidset)
89{ 86{
@@ -112,7 +109,7 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
112 * oid 109 * oid
113 * credentials (from ssh_gssapi_acquire_cred) 110 * credentials (from ssh_gssapi_acquire_cred)
114 */ 111 */
115/* Priviledged */ 112/* Privileged */
116OM_uint32 113OM_uint32
117ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok, 114ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok,
118 gss_buffer_desc *send_tok, OM_uint32 *flags) 115 gss_buffer_desc *send_tok, OM_uint32 *flags)
@@ -160,14 +157,14 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
160 OM_uint32 offset; 157 OM_uint32 offset;
161 OM_uint32 oidl; 158 OM_uint32 oidl;
162 159
163 tok=ename->value; 160 tok = ename->value;
164 161
165 /* 162 /*
166 * Check that ename is long enough for all of the fixed length 163 * Check that ename is long enough for all of the fixed length
167 * header, and that the initial ID bytes are correct 164 * header, and that the initial ID bytes are correct
168 */ 165 */
169 166
170 if (ename->length<6 || memcmp(tok,"\x04\x01", 2)!=0) 167 if (ename->length < 6 || memcmp(tok, "\x04\x01", 2) != 0)
171 return GSS_S_FAILURE; 168 return GSS_S_FAILURE;
172 169
173 /* 170 /*
@@ -186,7 +183,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
186 */ 183 */
187 if (tok[4] != 0x06 || tok[5] != oidl || 184 if (tok[4] != 0x06 || tok[5] != oidl ||
188 ename->length < oidl+6 || 185 ename->length < oidl+6 ||
189 !ssh_gssapi_check_oid(ctx,tok+6,oidl)) 186 !ssh_gssapi_check_oid(ctx, tok+6, oidl))
190 return GSS_S_FAILURE; 187 return GSS_S_FAILURE;
191 188
192 offset = oidl+6; 189 offset = oidl+6;
@@ -201,7 +198,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
201 return GSS_S_FAILURE; 198 return GSS_S_FAILURE;
202 199
203 name->value = xmalloc(name->length+1); 200 name->value = xmalloc(name->length+1);
204 memcpy(name->value,tok+offset,name->length); 201 memcpy(name->value, tok+offset,name->length);
205 ((char *)name->value)[name->length] = 0; 202 ((char *)name->value)[name->length] = 0;
206 203
207 return GSS_S_COMPLETE; 204 return GSS_S_COMPLETE;
@@ -210,7 +207,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
210/* Extract the client details from a given context. This can only reliably 207/* Extract the client details from a given context. This can only reliably
211 * be called once for a context */ 208 * be called once for a context */
212 209
213/* Priviledged (called from accept_secure_ctx) */ 210/* Privileged (called from accept_secure_ctx) */
214OM_uint32 211OM_uint32
215ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 212ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
216{ 213{
@@ -285,15 +282,14 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
285 282
286 if (gssapi_client.store.envvar != NULL && 283 if (gssapi_client.store.envvar != NULL &&
287 gssapi_client.store.envval != NULL) { 284 gssapi_client.store.envval != NULL) {
288
289 debug("Setting %s to %s", gssapi_client.store.envvar, 285 debug("Setting %s to %s", gssapi_client.store.envvar,
290 gssapi_client.store.envval); 286 gssapi_client.store.envval);
291 child_set_env(envp, envsizep, gssapi_client.store.envvar, 287 child_set_env(envp, envsizep, gssapi_client.store.envvar,
292 gssapi_client.store.envval); 288 gssapi_client.store.envval);
293 } 289 }
294} 290}
295 291
296/* Priviledged */ 292/* Privileged */
297int 293int
298ssh_gssapi_userok(char *user) 294ssh_gssapi_userok(char *user)
299{ 295{
diff --git a/hostfile.c b/hostfile.c
index 63550a29d..3ed646247 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -36,7 +36,7 @@
36 */ 36 */
37 37
38#include "includes.h" 38#include "includes.h"
39RCSID("$OpenBSD: hostfile.c,v 1.35 2005/07/27 10:39:03 dtucker Exp $"); 39RCSID("$OpenBSD: hostfile.c,v 1.36 2005/11/22 03:36:03 dtucker Exp $");
40 40
41#include <resolv.h> 41#include <resolv.h>
42#include <openssl/hmac.h> 42#include <openssl/hmac.h>
@@ -88,8 +88,8 @@ extract_salt(const char *s, u_int l, char *salt, size_t salt_len)
88 return (-1); 88 return (-1);
89 } 89 }
90 if (ret != SHA_DIGEST_LENGTH) { 90 if (ret != SHA_DIGEST_LENGTH) {
91 debug2("extract_salt: expected salt len %u, got %u", 91 debug2("extract_salt: expected salt len %d, got %d",
92 salt_len, ret); 92 SHA_DIGEST_LENGTH, ret);
93 return (-1); 93 return (-1);
94 } 94 }
95 95
diff --git a/includes.h b/includes.h
index fa65aa38d..520817400 100644
--- a/includes.h
+++ b/includes.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: includes.h,v 1.19 2005/05/19 02:42:26 djm Exp $ */ 1/* $OpenBSD: includes.h,v 1.22 2006/01/01 08:59:27 stevesk Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -21,6 +21,8 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
21 21
22#include "config.h" 22#include "config.h"
23 23
24#define _GNU_SOURCE /* activate extra prototypes for glibc */
25
24#include <stdarg.h> 26#include <stdarg.h>
25#include <stdio.h> 27#include <stdio.h>
26#include <ctype.h> 28#include <ctype.h>
@@ -67,7 +69,6 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
67#ifdef HAVE_NEXT 69#ifdef HAVE_NEXT
68# include <libc.h> 70# include <libc.h>
69#endif 71#endif
70#define __USE_GNU /* before unistd.h, activate extra prototypes for glibc */
71#include <unistd.h> /* For STDIN_FILENO, etc */ 72#include <unistd.h> /* For STDIN_FILENO, etc */
72#include <termios.h> /* Struct winsize */ 73#include <termios.h> /* Struct winsize */
73 74
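Review bot: The new `#define _GNU_SOURCE` at line 24 is unguarded, so a build that already defines the macro gets a macro-redefinition diagnostic because the replacement text differs. That can happen with `-D_GNU_SOURCE` in CFLAGS, or with a definition in config.h, which is included just above. Wrapping it as `#ifndef _GNU_SOURCE` / `# define _GNU_SOURCE` / `#endif` avoids the diagnostic and keeps the intent. The comment could also state that the define must precede the first system header, which appears to be why it moved up from its old place in front of unistd.h.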
diff --git a/kex.c b/kex.c
index 8cd851d23..47983f8d9 100644
--- a/kex.c
+++ b/kex.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: kex.c,v 1.64 2005/07/25 11:59:39 markus Exp $"); 26RCSID("$OpenBSD: kex.c,v 1.65 2005/11/04 05:15:59 djm Exp $");
27 27
28#include <openssl/crypto.h> 28#include <openssl/crypto.h>
29 29
@@ -298,21 +298,27 @@ choose_kex(Kex *k, char *client, char *server)
298 fatal("no kex alg"); 298 fatal("no kex alg");
299 if (strcmp(k->name, KEX_DH1) == 0) { 299 if (strcmp(k->name, KEX_DH1) == 0) {
300 k->kex_type = KEX_DH_GRP1_SHA1; 300 k->kex_type = KEX_DH_GRP1_SHA1;
301 k->evp_md = EVP_sha1();
301 } else if (strcmp(k->name, KEX_DH14) == 0) { 302 } else if (strcmp(k->name, KEX_DH14) == 0) {
302 k->kex_type = KEX_DH_GRP14_SHA1; 303 k->kex_type = KEX_DH_GRP14_SHA1;
303 } else if (strcmp(k->name, KEX_DHGEX) == 0) { 304 k->evp_md = EVP_sha1();
305 } else if (strcmp(k->name, KEX_DHGEX_SHA1) == 0) {
304 k->kex_type = KEX_DH_GEX_SHA1; 306 k->kex_type = KEX_DH_GEX_SHA1;
307 k->evp_md = EVP_sha1();
305#ifdef GSSAPI 308#ifdef GSSAPI
306 } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID, 309 } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID,
307 sizeof(KEX_GSS_GEX_SHA1_ID)-1) == 0) { 310 sizeof(KEX_GSS_GEX_SHA1_ID)-1) == 0) {
308 k->kex_type = KEX_GSS_GEX_SHA1; 311 k->kex_type = KEX_GSS_GEX_SHA1;
309 } else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID, 312 k->evp_md = EVP_sha1();
313 } else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID,
310 sizeof(KEX_GSS_GRP1_SHA1_ID)-1) == 0) { 314 sizeof(KEX_GSS_GRP1_SHA1_ID)-1) == 0) {
311 k->kex_type = KEX_GSS_GRP1_SHA1; 315 k->kex_type = KEX_GSS_GRP1_SHA1;
316 k->evp_md = EVP_sha1();
312#endif 317#endif
313 } else 318 } else
314 fatal("bad kex alg %s", k->name); 319 fatal("bad kex alg %s", k->name);
315} 320}
321
316static void 322static void
317choose_hostkeyalg(Kex *k, char *client, char *server) 323choose_hostkeyalg(Kex *k, char *client, char *server)
318{ 324{
@@ -416,28 +422,28 @@ kex_choose_conf(Kex *kex)
416} 422}
417 423
418static u_char * 424static u_char *
419derive_key(Kex *kex, int id, u_int need, u_char *hash, BIGNUM *shared_secret) 425derive_key(Kex *kex, int id, u_int need, u_char *hash, u_int hashlen,
426 BIGNUM *shared_secret)
420{ 427{
421 Buffer b; 428 Buffer b;
422 const EVP_MD *evp_md = EVP_sha1();
423 EVP_MD_CTX md; 429 EVP_MD_CTX md;
424 char c = id; 430 char c = id;
425 u_int have; 431 u_int have;
426 int mdsz = EVP_MD_size(evp_md); 432 int mdsz;
427 u_char *digest; 433 u_char *digest;
428 434
429 if (mdsz < 0) 435 if ((mdsz = EVP_MD_size(kex->evp_md)) <= 0)
430 fatal("derive_key: mdsz < 0"); 436 fatal("bad kex md size %d", mdsz);
431 digest = xmalloc(roundup(need, mdsz)); 437 digest = xmalloc(roundup(need, mdsz));
432 438
433 buffer_init(&b); 439 buffer_init(&b);
434 buffer_put_bignum2(&b, shared_secret); 440 buffer_put_bignum2(&b, shared_secret);
435 441
436 /* K1 = HASH(K || H || "A" || session_id) */ 442 /* K1 = HASH(K || H || "A" || session_id) */
437 EVP_DigestInit(&md, evp_md); 443 EVP_DigestInit(&md, kex->evp_md);
438 if (!(datafellows & SSH_BUG_DERIVEKEY)) 444 if (!(datafellows & SSH_BUG_DERIVEKEY))
439 EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); 445 EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
440 EVP_DigestUpdate(&md, hash, mdsz); 446 EVP_DigestUpdate(&md, hash, hashlen);
441 EVP_DigestUpdate(&md, &c, 1); 447 EVP_DigestUpdate(&md, &c, 1);
442 EVP_DigestUpdate(&md, kex->session_id, kex->session_id_len); 448 EVP_DigestUpdate(&md, kex->session_id, kex->session_id_len);
443 EVP_DigestFinal(&md, digest, NULL); 449 EVP_DigestFinal(&md, digest, NULL);
@@ -448,10 +454,10 @@ derive_key(Kex *kex, int id, u_int need, u_char *hash, BIGNUM *shared_secret)
448 * Key = K1 || K2 || ... || Kn 454 * Key = K1 || K2 || ... || Kn
449 */ 455 */
450 for (have = mdsz; need > have; have += mdsz) { 456 for (have = mdsz; need > have; have += mdsz) {
451 EVP_DigestInit(&md, evp_md); 457 EVP_DigestInit(&md, kex->evp_md);
452 if (!(datafellows & SSH_BUG_DERIVEKEY)) 458 if (!(datafellows & SSH_BUG_DERIVEKEY))
453 EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); 459 EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
454 EVP_DigestUpdate(&md, hash, mdsz); 460 EVP_DigestUpdate(&md, hash, hashlen);
455 EVP_DigestUpdate(&md, digest, have); 461 EVP_DigestUpdate(&md, digest, have);
456 EVP_DigestFinal(&md, digest + have, NULL); 462 EVP_DigestFinal(&md, digest + have, NULL);
457 } 463 }
@@ -467,13 +473,15 @@ Newkeys *current_keys[MODE_MAX];
467 473
468#define NKEYS 6 474#define NKEYS 6
469void 475void
470kex_derive_keys(Kex *kex, u_char *hash, BIGNUM *shared_secret) 476kex_derive_keys(Kex *kex, u_char *hash, u_int hashlen, BIGNUM *shared_secret)
471{ 477{
472 u_char *keys[NKEYS]; 478 u_char *keys[NKEYS];
473 u_int i, mode, ctos; 479 u_int i, mode, ctos;
474 480
475 for (i = 0; i < NKEYS; i++) 481 for (i = 0; i < NKEYS; i++) {
476 keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, shared_secret); 482 keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, hashlen,
483 shared_secret);
484 }
477 485
478 debug2("kex_derive_keys"); 486 debug2("kex_derive_keys");
479 for (mode = 0; mode < MODE_MAX; mode++) { 487 for (mode = 0; mode < MODE_MAX; mode++) {
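Review bot: derive_key now calls `EVP_MD_size(kex->evp_md)` without first checking that the pointer is set. A Kex whose branch in choose_kex did not assign evp_md would be passed in as NULL before the `<= 0` test has a chance to call fatal(). Every branch visible in choose_kex does assign it, so this is a guard for later kex types: `if (kex->evp_md == NULL) fatal("derive_key: no kex digest");` ahead of the size lookup. The new hashlen argument is also undocumented. A one-line comment on derive_key and kex_derive_keys should say that hash/hashlen is the exchange hash H and its length as returned by the kex hash function, since this replaces the earlier assumption that H is mdsz bytes long. derive_key's body continues outside the hunks.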
diff --git a/kex.h b/kex.h
index b458c2d1e..1c4d1a718 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: kex.h,v 1.37 2005/07/25 11:59:39 markus Exp $ */ 1/* $OpenBSD: kex.h,v 1.38 2005/11/04 05:15:59 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -31,9 +31,9 @@
31#include "cipher.h" 31#include "cipher.h"
32#include "key.h" 32#include "key.h"
33 33
34#define KEX_DH1 "diffie-hellman-group1-sha1" 34#define KEX_DH1 "diffie-hellman-group1-sha1"
35#define KEX_DH14 "diffie-hellman-group14-sha1" 35#define KEX_DH14 "diffie-hellman-group14-sha1"
36#define KEX_DHGEX "diffie-hellman-group-exchange-sha1" 36#define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1"
37 37
38#define COMP_NONE 0 38#define COMP_NONE 0
39#define COMP_ZLIB 1 39#define COMP_ZLIB 1
@@ -116,8 +116,9 @@ struct Kex {
116 Buffer peer; 116 Buffer peer;
117 int done; 117 int done;
118 int flags; 118 int flags;
119 const EVP_MD *evp_md;
119#ifdef GSSAPI 120#ifdef GSSAPI
120 int gss_deleg_creds; 121 int gss_deleg_creds;
121 int gss_trust_dns; 122 int gss_trust_dns;
122 char *gss_host; 123 char *gss_host;
123#endif 124#endif
@@ -134,7 +135,7 @@ void kex_finish(Kex *);
134 135
135void kex_send_kexinit(Kex *); 136void kex_send_kexinit(Kex *);
136void kex_input_kexinit(int, u_int32_t, void *); 137void kex_input_kexinit(int, u_int32_t, void *);
137void kex_derive_keys(Kex *, u_char *, BIGNUM *); 138void kex_derive_keys(Kex *, u_char *, u_int, BIGNUM *);
138 139
139Newkeys *kex_get_newkeys(int); 140Newkeys *kex_get_newkeys(int);
140 141
@@ -148,12 +149,13 @@ void kexgss_client(Kex *);
148void kexgss_server(Kex *); 149void kexgss_server(Kex *);
149#endif 150#endif
150 151
151u_char * 152void
152kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, 153kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
153 BIGNUM *, BIGNUM *, BIGNUM *); 154 BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
154u_char * 155void
155kexgex_hash(char *, char *, char *, int, char *, int, u_char *, int, 156kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *,
156 int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *); 157 int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
158 BIGNUM *, BIGNUM *, u_char **, u_int *);
157 159
158void 160void
159derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]); 161derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]);
diff --git a/kexdh.c b/kexdh.c
index 4bbb7d1db..f79d8781d 100644
--- a/kexdh.c
+++ b/kexdh.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: kexdh.c,v 1.19 2003/02/16 17:09:57 markus Exp $"); 26RCSID("$OpenBSD: kexdh.c,v 1.20 2005/11/04 05:15:59 djm Exp $");
27 27
28#include <openssl/evp.h> 28#include <openssl/evp.h>
29 29
@@ -32,7 +32,7 @@ RCSID("$OpenBSD: kexdh.c,v 1.19 2003/02/16 17:09:57 markus Exp $");
32#include "ssh2.h" 32#include "ssh2.h"
33#include "kex.h" 33#include "kex.h"
34 34
35u_char * 35void
36kex_dh_hash( 36kex_dh_hash(
37 char *client_version_string, 37 char *client_version_string,
38 char *server_version_string, 38 char *server_version_string,
@@ -41,7 +41,8 @@ kex_dh_hash(
41 u_char *serverhostkeyblob, int sbloblen, 41 u_char *serverhostkeyblob, int sbloblen,
42 BIGNUM *client_dh_pub, 42 BIGNUM *client_dh_pub,
43 BIGNUM *server_dh_pub, 43 BIGNUM *server_dh_pub,
44 BIGNUM *shared_secret) 44 BIGNUM *shared_secret,
45 u_char **hash, u_int *hashlen)
45{ 46{
46 Buffer b; 47 Buffer b;
47 static u_char digest[EVP_MAX_MD_SIZE]; 48 static u_char digest[EVP_MAX_MD_SIZE];
@@ -77,5 +78,6 @@ kex_dh_hash(
77#ifdef DEBUG_KEX 78#ifdef DEBUG_KEX
78 dump_digest("hash", digest, EVP_MD_size(evp_md)); 79 dump_digest("hash", digest, EVP_MD_size(evp_md));
79#endif 80#endif
80 return digest; 81 *hash = digest;
82 *hashlen = EVP_MD_size(evp_md);
81} 83}
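Review bot: kex_dh_hash now returns its result through `*hash`, but that pointer refers to the function's `static u_char digest[EVP_MAX_MD_SIZE]`. It is therefore overwritten by the next call and must never be freed, and nothing at the new signature says so. A comment above the function would cover it: `/* *hash points to a static buffer that is valid until the next call; copy it to keep it, never free it. */`. The length stored in `*hashlen` comes from the function's own evp_md, whose declaration is outside the hunk, while derive_key in kex.c hashes with kex->evp_md. The two agree only while choose_kex maps the DH kex types to that same digest, which is worth a short remark next to the `*hashlen` assignment.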
diff --git a/kexdhc.c b/kexdhc.c
index f48bd4678..d8a2fa3b7 100644
--- a/kexdhc.c
+++ b/kexdhc.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: kexdhc.c,v 1.2 2004/06/13 12:53:24 djm Exp $"); 26RCSID("$OpenBSD: kexdhc.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
27 27
28#include "xmalloc.h" 28#include "xmalloc.h"
29#include "key.h" 29#include "key.h"
@@ -41,7 +41,7 @@ kexdh_client(Kex *kex)
41 Key *server_host_key; 41 Key *server_host_key;
42 u_char *server_host_key_blob = NULL, *signature = NULL; 42 u_char *server_host_key_blob = NULL, *signature = NULL;
43 u_char *kbuf, *hash; 43 u_char *kbuf, *hash;
44 u_int klen, kout, slen, sbloblen; 44 u_int klen, kout, slen, sbloblen, hashlen;
45 45
46 /* generate and send 'e', client DH public key */ 46 /* generate and send 'e', client DH public key */
47 switch (kex->kex_type) { 47 switch (kex->kex_type) {
@@ -114,7 +114,7 @@ kexdh_client(Kex *kex)
114 xfree(kbuf); 114 xfree(kbuf);
115 115
116 /* calc and verify H */ 116 /* calc and verify H */
117 hash = kex_dh_hash( 117 kex_dh_hash(
118 kex->client_version_string, 118 kex->client_version_string,
119 kex->server_version_string, 119 kex->server_version_string,
120 buffer_ptr(&kex->my), buffer_len(&kex->my), 120 buffer_ptr(&kex->my), buffer_len(&kex->my),
@@ -122,25 +122,26 @@ kexdh_client(Kex *kex)
122 server_host_key_blob, sbloblen, 122 server_host_key_blob, sbloblen,
123 dh->pub_key, 123 dh->pub_key,
124 dh_server_pub, 124 dh_server_pub,
125 shared_secret 125 shared_secret,
126 &hash, &hashlen
126 ); 127 );
127 xfree(server_host_key_blob); 128 xfree(server_host_key_blob);
128 BN_clear_free(dh_server_pub); 129 BN_clear_free(dh_server_pub);
129 DH_free(dh); 130 DH_free(dh);
130 131
131 if (key_verify(server_host_key, signature, slen, hash, 20) != 1) 132 if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
132 fatal("key_verify failed for server_host_key"); 133 fatal("key_verify failed for server_host_key");
133 key_free(server_host_key); 134 key_free(server_host_key);
134 xfree(signature); 135 xfree(signature);
135 136
136 /* save session id */ 137 /* save session id */
137 if (kex->session_id == NULL) { 138 if (kex->session_id == NULL) {
138 kex->session_id_len = 20; 139 kex->session_id_len = hashlen;
139 kex->session_id = xmalloc(kex->session_id_len); 140 kex->session_id = xmalloc(kex->session_id_len);
140 memcpy(kex->session_id, hash, kex->session_id_len); 141 memcpy(kex->session_id, hash, kex->session_id_len);
141 } 142 }
142 143
143 kex_derive_keys(kex, hash, shared_secret); 144 kex_derive_keys(kex, hash, hashlen, shared_secret);
144 BN_clear_free(shared_secret); 145 BN_clear_free(shared_secret);
145 kex_finish(kex); 146 kex_finish(kex);
146} 147}
diff --git a/kexdhs.c b/kexdhs.c
index 225e65592..26c8cdfd6 100644
--- a/kexdhs.c
+++ b/kexdhs.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: kexdhs.c,v 1.2 2004/06/13 12:53:24 djm Exp $"); 26RCSID("$OpenBSD: kexdhs.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
27 27
28#include "xmalloc.h" 28#include "xmalloc.h"
29#include "key.h" 29#include "key.h"
@@ -41,7 +41,7 @@ kexdh_server(Kex *kex)
41 DH *dh; 41 DH *dh;
42 Key *server_host_key; 42 Key *server_host_key;
43 u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL; 43 u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
44 u_int sbloblen, klen, kout; 44 u_int sbloblen, klen, kout, hashlen;
45 u_int slen; 45 u_int slen;
46 46
47 /* generate server DH public key */ 47 /* generate server DH public key */
@@ -103,7 +103,7 @@ kexdh_server(Kex *kex)
103 key_to_blob(server_host_key, &server_host_key_blob, &sbloblen); 103 key_to_blob(server_host_key, &server_host_key_blob, &sbloblen);
104 104
105 /* calc H */ 105 /* calc H */
106 hash = kex_dh_hash( 106 kex_dh_hash(
107 kex->client_version_string, 107 kex->client_version_string,
108 kex->server_version_string, 108 kex->server_version_string,
109 buffer_ptr(&kex->peer), buffer_len(&kex->peer), 109 buffer_ptr(&kex->peer), buffer_len(&kex->peer),
@@ -111,21 +111,20 @@ kexdh_server(Kex *kex)
111 server_host_key_blob, sbloblen, 111 server_host_key_blob, sbloblen,
112 dh_client_pub, 112 dh_client_pub,
113 dh->pub_key, 113 dh->pub_key,
114 shared_secret 114 shared_secret,
115 &hash, &hashlen
115 ); 116 );
116 BN_clear_free(dh_client_pub); 117 BN_clear_free(dh_client_pub);
117 118
118 /* save session id := H */ 119 /* save session id := H */
119 /* XXX hashlen depends on KEX */
120 if (kex->session_id == NULL) { 120 if (kex->session_id == NULL) {
121 kex->session_id_len = 20; 121 kex->session_id_len = hashlen;
122 kex->session_id = xmalloc(kex->session_id_len); 122 kex->session_id = xmalloc(kex->session_id_len);
123 memcpy(kex->session_id, hash, kex->session_id_len); 123 memcpy(kex->session_id, hash, kex->session_id_len);
124 } 124 }
125 125
126 /* sign H */ 126 /* sign H */
127 /* XXX hashlen depends on KEX */ 127 PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
128 PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20));
129 128
130 /* destroy_sensitive_data(); */ 129 /* destroy_sensitive_data(); */
131 130
@@ -141,7 +140,7 @@ kexdh_server(Kex *kex)
141 /* have keys, free DH */ 140 /* have keys, free DH */
142 DH_free(dh); 141 DH_free(dh);
143 142
144 kex_derive_keys(kex, hash, shared_secret); 143 kex_derive_keys(kex, hash, hashlen, shared_secret);
145 BN_clear_free(shared_secret); 144 BN_clear_free(shared_secret);
146 kex_finish(kex); 145 kex_finish(kex);
147} 146}
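Review bot: `hash` and `hashlen` in kexdh_server are declared without initialisers (`u_char *kbuf, *hash, ...` and `u_int sbloblen, klen, kout, hashlen;`) and are now filled only through the out-parameters of a void kex_dh_hash(). Nothing at the call site shows whether they were written before they reach memcpy(), key_sign() and kex_derive_keys(). Initialising them at the declaration, `*hash = NULL` and `hashlen = 0`, would make a missed assignment fail visibly instead of using indeterminate values. The same call pattern appears in the kexdhc.c, kexgexc.c, kexgexs.c, kexgssc.c and kexgsss.c sections of this commit. kexdh_server's body continues outside the hunks shown.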
diff --git a/kexgex.c b/kexgex.c
index b0c39c8cb..705484a47 100644
--- a/kexgex.c
+++ b/kexgex.c
@@ -24,7 +24,7 @@
24 */ 24 */
25 25
26#include "includes.h" 26#include "includes.h"
27RCSID("$OpenBSD: kexgex.c,v 1.23 2003/02/16 17:09:57 markus Exp $"); 27RCSID("$OpenBSD: kexgex.c,v 1.24 2005/11/04 05:15:59 djm Exp $");
28 28
29#include <openssl/evp.h> 29#include <openssl/evp.h>
30 30
@@ -33,8 +33,9 @@ RCSID("$OpenBSD: kexgex.c,v 1.23 2003/02/16 17:09:57 markus Exp $");
33#include "kex.h" 33#include "kex.h"
34#include "ssh2.h" 34#include "ssh2.h"
35 35
36u_char * 36void
37kexgex_hash( 37kexgex_hash(
38 const EVP_MD *evp_md,
38 char *client_version_string, 39 char *client_version_string,
39 char *server_version_string, 40 char *server_version_string,
40 char *ckexinit, int ckexinitlen, 41 char *ckexinit, int ckexinitlen,
@@ -43,11 +44,11 @@ kexgex_hash(
43 int min, int wantbits, int max, BIGNUM *prime, BIGNUM *gen, 44 int min, int wantbits, int max, BIGNUM *prime, BIGNUM *gen,
44 BIGNUM *client_dh_pub, 45 BIGNUM *client_dh_pub,
45 BIGNUM *server_dh_pub, 46 BIGNUM *server_dh_pub,
46 BIGNUM *shared_secret) 47 BIGNUM *shared_secret,
48 u_char **hash, u_int *hashlen)
47{ 49{
48 Buffer b; 50 Buffer b;
49 static u_char digest[EVP_MAX_MD_SIZE]; 51 static u_char digest[EVP_MAX_MD_SIZE];
50 const EVP_MD *evp_md = EVP_sha1();
51 EVP_MD_CTX md; 52 EVP_MD_CTX md;
52 53
53 buffer_init(&b); 54 buffer_init(&b);
@@ -79,14 +80,15 @@ kexgex_hash(
79#ifdef DEBUG_KEXDH 80#ifdef DEBUG_KEXDH
80 buffer_dump(&b); 81 buffer_dump(&b);
81#endif 82#endif
83
82 EVP_DigestInit(&md, evp_md); 84 EVP_DigestInit(&md, evp_md);
83 EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); 85 EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
84 EVP_DigestFinal(&md, digest, NULL); 86 EVP_DigestFinal(&md, digest, NULL);
85 87
86 buffer_free(&b); 88 buffer_free(&b);
87 89 *hash = digest;
90 *hashlen = EVP_MD_size(evp_md);
88#ifdef DEBUG_KEXDH 91#ifdef DEBUG_KEXDH
89 dump_digest("hash", digest, EVP_MD_size(evp_md)); 92 dump_digest("hash", digest, *hashlen);
90#endif 93#endif
91 return digest;
92} 94}
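Review bot: kexgex_hash now takes `evp_md` from the caller and passes it to EVP_DigestInit() and EVP_MD_size() without checking it, where the old code always used EVP_sha1(). A guard at the top of the function, such as `if (evp_md == NULL) fatal("%s: no digest", __func__);` (assuming fatal() is declared in this file), would stop an unset kex->evp_md from reaching the digest calls. The line `*hash = digest;` also deserves a comment, because the result points at the function's static buffer: `/* *hash aliases a static buffer; callers must copy it before the next call */`. Parts of the function body lie outside the hunks shown.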
diff --git a/kexgexc.c b/kexgexc.c
index 0193183b9..a6ff8757d 100644
--- a/kexgexc.c
+++ b/kexgexc.c
@@ -24,7 +24,7 @@
24 */ 24 */
25 25
26#include "includes.h" 26#include "includes.h"
27RCSID("$OpenBSD: kexgexc.c,v 1.2 2003/12/08 11:00:47 markus Exp $"); 27RCSID("$OpenBSD: kexgexc.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
28 28
29#include "xmalloc.h" 29#include "xmalloc.h"
30#include "key.h" 30#include "key.h"
@@ -42,7 +42,7 @@ kexgex_client(Kex *kex)
42 BIGNUM *p = NULL, *g = NULL; 42 BIGNUM *p = NULL, *g = NULL;
43 Key *server_host_key; 43 Key *server_host_key;
44 u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL; 44 u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
45 u_int klen, kout, slen, sbloblen; 45 u_int klen, kout, slen, sbloblen, hashlen;
46 int min, max, nbits; 46 int min, max, nbits;
47 DH *dh; 47 DH *dh;
48 48
@@ -155,7 +155,8 @@ kexgex_client(Kex *kex)
155 min = max = -1; 155 min = max = -1;
156 156
157 /* calc and verify H */ 157 /* calc and verify H */
158 hash = kexgex_hash( 158 kexgex_hash(
159 kex->evp_md,
159 kex->client_version_string, 160 kex->client_version_string,
160 kex->server_version_string, 161 kex->server_version_string,
161 buffer_ptr(&kex->my), buffer_len(&kex->my), 162 buffer_ptr(&kex->my), buffer_len(&kex->my),
@@ -165,25 +166,27 @@ kexgex_client(Kex *kex)
165 dh->p, dh->g, 166 dh->p, dh->g,
166 dh->pub_key, 167 dh->pub_key,
167 dh_server_pub, 168 dh_server_pub,
168 shared_secret 169 shared_secret,
170 &hash, &hashlen
169 ); 171 );
172
170 /* have keys, free DH */ 173 /* have keys, free DH */
171 DH_free(dh); 174 DH_free(dh);
172 xfree(server_host_key_blob); 175 xfree(server_host_key_blob);
173 BN_clear_free(dh_server_pub); 176 BN_clear_free(dh_server_pub);
174 177
175 if (key_verify(server_host_key, signature, slen, hash, 20) != 1) 178 if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
176 fatal("key_verify failed for server_host_key"); 179 fatal("key_verify failed for server_host_key");
177 key_free(server_host_key); 180 key_free(server_host_key);
178 xfree(signature); 181 xfree(signature);
179 182
180 /* save session id */ 183 /* save session id */
181 if (kex->session_id == NULL) { 184 if (kex->session_id == NULL) {
182 kex->session_id_len = 20; 185 kex->session_id_len = hashlen;
183 kex->session_id = xmalloc(kex->session_id_len); 186 kex->session_id = xmalloc(kex->session_id_len);
184 memcpy(kex->session_id, hash, kex->session_id_len); 187 memcpy(kex->session_id, hash, kex->session_id_len);
185 } 188 }
186 kex_derive_keys(kex, hash, shared_secret); 189 kex_derive_keys(kex, hash, hashlen, shared_secret);
187 BN_clear_free(shared_secret); 190 BN_clear_free(shared_secret);
188 191
189 kex_finish(kex); 192 kex_finish(kex);
diff --git a/kexgexs.c b/kexgexs.c
index baebfcfb0..c48b27af9 100644
--- a/kexgexs.c
+++ b/kexgexs.c
@@ -24,7 +24,7 @@
24 */ 24 */
25 25
26#include "includes.h" 26#include "includes.h"
27RCSID("$OpenBSD: kexgexs.c,v 1.1 2003/02/16 17:09:57 markus Exp $"); 27RCSID("$OpenBSD: kexgexs.c,v 1.2 2005/11/04 05:15:59 djm Exp $");
28 28
29#include "xmalloc.h" 29#include "xmalloc.h"
30#include "key.h" 30#include "key.h"
@@ -43,7 +43,7 @@ kexgex_server(Kex *kex)
43 Key *server_host_key; 43 Key *server_host_key;
44 DH *dh; 44 DH *dh;
45 u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL; 45 u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
46 u_int sbloblen, klen, kout, slen; 46 u_int sbloblen, klen, kout, slen, hashlen;
47 int min = -1, max = -1, nbits = -1, type; 47 int min = -1, max = -1, nbits = -1, type;
48 48
49 if (kex->load_host_key == NULL) 49 if (kex->load_host_key == NULL)
@@ -137,8 +137,9 @@ kexgex_server(Kex *kex)
137 if (type == SSH2_MSG_KEX_DH_GEX_REQUEST_OLD) 137 if (type == SSH2_MSG_KEX_DH_GEX_REQUEST_OLD)
138 min = max = -1; 138 min = max = -1;
139 139
140 /* calc H */ /* XXX depends on 'kex' */ 140 /* calc H */
141 hash = kexgex_hash( 141 kexgex_hash(
142 kex->evp_md,
142 kex->client_version_string, 143 kex->client_version_string,
143 kex->server_version_string, 144 kex->server_version_string,
144 buffer_ptr(&kex->peer), buffer_len(&kex->peer), 145 buffer_ptr(&kex->peer), buffer_len(&kex->peer),
@@ -148,21 +149,20 @@ kexgex_server(Kex *kex)
148 dh->p, dh->g, 149 dh->p, dh->g,
149 dh_client_pub, 150 dh_client_pub,
150 dh->pub_key, 151 dh->pub_key,
151 shared_secret 152 shared_secret,
153 &hash, &hashlen
152 ); 154 );
153 BN_clear_free(dh_client_pub); 155 BN_clear_free(dh_client_pub);
154 156
155 /* save session id := H */ 157 /* save session id := H */
156 /* XXX hashlen depends on KEX */
157 if (kex->session_id == NULL) { 158 if (kex->session_id == NULL) {
158 kex->session_id_len = 20; 159 kex->session_id_len = hashlen;
159 kex->session_id = xmalloc(kex->session_id_len); 160 kex->session_id = xmalloc(kex->session_id_len);
160 memcpy(kex->session_id, hash, kex->session_id_len); 161 memcpy(kex->session_id, hash, kex->session_id_len);
161 } 162 }
162 163
163 /* sign H */ 164 /* sign H */
164 /* XXX hashlen depends on KEX */ 165 PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
165 PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20));
166 166
167 /* destroy_sensitive_data(); */ 167 /* destroy_sensitive_data(); */
168 168
@@ -179,7 +179,7 @@ kexgex_server(Kex *kex)
179 /* have keys, free DH */ 179 /* have keys, free DH */
180 DH_free(dh); 180 DH_free(dh);
181 181
182 kex_derive_keys(kex, hash, shared_secret); 182 kex_derive_keys(kex, hash, hashlen, shared_secret);
183 BN_clear_free(shared_secret); 183 BN_clear_free(shared_secret);
184 184
185 kex_finish(kex); 185 kex_finish(kex);
diff --git a/kexgssc.c b/kexgssc.c
index 1843403b6..9830ad384 100644
--- a/kexgssc.c
+++ b/kexgssc.c
@@ -46,23 +46,20 @@ kexgss_client(Kex *kex) {
46 gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr; 46 gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr;
47 Gssctxt *ctxt; 47 Gssctxt *ctxt;
48 OM_uint32 maj_status, min_status, ret_flags; 48 OM_uint32 maj_status, min_status, ret_flags;
49 unsigned int klen, kout; 49 u_int klen, kout, slen = 0, hashlen, strlen;
50 DH *dh; 50 DH *dh;
51 BIGNUM *dh_server_pub = NULL; 51 BIGNUM *dh_server_pub = NULL;
52 BIGNUM *shared_secret = NULL; 52 BIGNUM *shared_secret = NULL;
53 BIGNUM *p = NULL; 53 BIGNUM *p = NULL;
54 BIGNUM *g = NULL; 54 BIGNUM *g = NULL;
55 unsigned char *kbuf; 55 u_char *kbuf, *hash;
56 unsigned char *hash; 56 u_char *serverhostkey = NULL;
57 unsigned char *serverhostkey = NULL;
58 char *msg; 57 char *msg;
59 char *lang; 58 char *lang;
60 int type = 0; 59 int type = 0;
61 int first = 1; 60 int first = 1;
62 int slen = 0;
63 int gex = 0; 61 int gex = 0;
64 int nbits, min, max; 62 int nbits, min, max;
65 u_int strlen;
66 63
67 /* Initialise our GSSAPI world */ 64 /* Initialise our GSSAPI world */
68 ssh_gssapi_build_ctx(&ctxt); 65 ssh_gssapi_build_ctx(&ctxt);
@@ -244,7 +241,9 @@ kexgss_client(Kex *kex) {
244 xfree(kbuf); 241 xfree(kbuf);
245 242
246 if (gex) { 243 if (gex) {
247 hash = kexgex_hash( kex->client_version_string, 244 kexgex_hash(
245 kex->evp_md,
246 kex->client_version_string,
248 kex->server_version_string, 247 kex->server_version_string,
249 buffer_ptr(&kex->my), buffer_len(&kex->my), 248 buffer_ptr(&kex->my), buffer_len(&kex->my),
250 buffer_ptr(&kex->peer), buffer_len(&kex->peer), 249 buffer_ptr(&kex->peer), buffer_len(&kex->peer),
@@ -253,23 +252,25 @@ kexgss_client(Kex *kex) {
253 dh->p, dh->g, 252 dh->p, dh->g,
254 dh->pub_key, 253 dh->pub_key,
255 dh_server_pub, 254 dh_server_pub,
256 shared_secret 255 shared_secret,
256 &hash, &hashlen
257 ); 257 );
258 } else { 258 } else {
259 /* The GSS hash is identical to the DH one */ 259 /* The GSS hash is identical to the DH one */
260 hash = kex_dh_hash( kex->client_version_string, 260 kex_dh_hash( kex->client_version_string,
261 kex->server_version_string, 261 kex->server_version_string,
262 buffer_ptr(&kex->my), buffer_len(&kex->my), 262 buffer_ptr(&kex->my), buffer_len(&kex->my),
263 buffer_ptr(&kex->peer), buffer_len(&kex->peer), 263 buffer_ptr(&kex->peer), buffer_len(&kex->peer),
264 serverhostkey, slen, /* server host key */ 264 serverhostkey, slen, /* server host key */
265 dh->pub_key, /* e */ 265 dh->pub_key, /* e */
266 dh_server_pub, /* f */ 266 dh_server_pub, /* f */
267 shared_secret /* K */ 267 shared_secret, /* K */
268 &hash, &hashlen
268 ); 269 );
269 } 270 }
270 271
271 gssbuf.value = hash; 272 gssbuf.value = hash;
272 gssbuf.length = 20; 273 gssbuf.length = hashlen;
273 274
274 /* Verify that the hash matches the MIC we just got. */ 275 /* Verify that the hash matches the MIC we just got. */
275 if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok))) 276 if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
@@ -284,7 +285,7 @@ kexgss_client(Kex *kex) {
284 285
285 /* save session id */ 286 /* save session id */
286 if (kex->session_id == NULL) { 287 if (kex->session_id == NULL) {
287 kex->session_id_len = 20; 288 kex->session_id_len = hashlen;
288 kex->session_id = xmalloc(kex->session_id_len); 289 kex->session_id = xmalloc(kex->session_id_len);
289 memcpy(kex->session_id, hash, kex->session_id_len); 290 memcpy(kex->session_id, hash, kex->session_id_len);
290 } 291 }
@@ -294,7 +295,7 @@ kexgss_client(Kex *kex) {
294 else 295 else
295 ssh_gssapi_delete_ctx(&ctxt); 296 ssh_gssapi_delete_ctx(&ctxt);
296 297
297 kex_derive_keys(kex, hash, shared_secret); 298 kex_derive_keys(kex, hash, hashlen, shared_secret);
298 BN_clear_free(shared_secret); 299 BN_clear_free(shared_secret);
299 kex_finish(kex); 300 kex_finish(kex);
300} 301}
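Review bot: The merged declaration `u_int klen, kout, slen = 0, hashlen, strlen;` keeps a local variable named `strlen`, which shadows the C library function for the whole of kexgss_client. Any call to strlen() added to this function later would then fail to compile or misbehave. Renaming the variable while the declarations are being tidied, for example to `mlen`, removes the trap; its uses are outside the hunks shown here, so they need updating too.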
diff --git a/kexgsss.c b/kexgsss.c
index 268eeccae..6447dc97b 100644
--- a/kexgsss.c
+++ b/kexgsss.c
@@ -56,15 +56,14 @@ kexgss_server(Kex *kex)
56 gss_buffer_desc gssbuf, recv_tok, msg_tok; 56 gss_buffer_desc gssbuf, recv_tok, msg_tok;
57 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; 57 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
58 Gssctxt *ctxt = NULL; 58 Gssctxt *ctxt = NULL;
59 unsigned int klen, kout; 59 u_int slen, klen, kout, hashlen;
60 unsigned char *kbuf, *hash; 60 u_char *kbuf, *hash;
61 DH *dh; 61 DH *dh;
62 int min = -1, max = -1, nbits = -1; 62 int min = -1, max = -1, nbits = -1;
63 BIGNUM *shared_secret = NULL; 63 BIGNUM *shared_secret = NULL;
64 BIGNUM *dh_client_pub = NULL; 64 BIGNUM *dh_client_pub = NULL;
65 int type = 0; 65 int type = 0;
66 int gex; 66 int gex;
67 u_int slen;
68 gss_OID oid; 67 gss_OID oid;
69 68
70 /* Initialise GSSAPI */ 69 /* Initialise GSSAPI */
@@ -189,7 +188,8 @@ kexgss_server(Kex *kex)
189 xfree(kbuf); 188 xfree(kbuf);
190 189
191 if (gex) { 190 if (gex) {
192 hash = kexgex_hash( 191 kexgex_hash(
192 kex->evp_md,
193 kex->client_version_string, kex->server_version_string, 193 kex->client_version_string, kex->server_version_string,
194 buffer_ptr(&kex->peer), buffer_len(&kex->peer), 194 buffer_ptr(&kex->peer), buffer_len(&kex->peer),
195 buffer_ptr(&kex->my), buffer_len(&kex->my), 195 buffer_ptr(&kex->my), buffer_len(&kex->my),
@@ -198,29 +198,31 @@ kexgss_server(Kex *kex)
198 dh->p, dh->g, 198 dh->p, dh->g,
199 dh_client_pub, 199 dh_client_pub,
200 dh->pub_key, 200 dh->pub_key,
201 shared_secret 201 shared_secret,
202 &hash, &hashlen
202 ); 203 );
203 } 204 }
204 else { 205 else {
205 /* The GSSAPI hash is identical to the Diffie Helman one */ 206 /* The GSSAPI hash is identical to the Diffie Helman one */
206 hash = kex_dh_hash( 207 kex_dh_hash(
207 kex->client_version_string, kex->server_version_string, 208 kex->client_version_string, kex->server_version_string,
208 buffer_ptr(&kex->peer), buffer_len(&kex->peer), 209 buffer_ptr(&kex->peer), buffer_len(&kex->peer),
209 buffer_ptr(&kex->my), buffer_len(&kex->my), 210 buffer_ptr(&kex->my), buffer_len(&kex->my),
210 NULL, 0, /* Change this if we start sending host keys */ 211 NULL, 0, /* Change this if we start sending host keys */
211 dh_client_pub, dh->pub_key, shared_secret 212 dh_client_pub, dh->pub_key, shared_secret,
213 &hash, &hashlen
212 ); 214 );
213 } 215 }
214 BN_free(dh_client_pub); 216 BN_free(dh_client_pub);
215 217
216 if (kex->session_id == NULL) { 218 if (kex->session_id == NULL) {
217 kex->session_id_len = 20; 219 kex->session_id_len = hashlen;
218 kex->session_id = xmalloc(kex->session_id_len); 220 kex->session_id = xmalloc(kex->session_id_len);
219 memcpy(kex->session_id, hash, kex->session_id_len); 221 memcpy(kex->session_id, hash, kex->session_id_len);
220 } 222 }
221 223
222 gssbuf.value = hash; 224 gssbuf.value = hash;
223 gssbuf.length = 20; /* Hashlen appears to always be 20 */ 225 gssbuf.length = hashlen;
224 226
225 if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt,&gssbuf,&msg_tok)))) 227 if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt,&gssbuf,&msg_tok))))
226 fatal("Couldn't get MIC"); 228 fatal("Couldn't get MIC");
@@ -247,7 +249,7 @@ kexgss_server(Kex *kex)
247 249
248 DH_free(dh); 250 DH_free(dh);
249 251
250 kex_derive_keys(kex, hash, shared_secret); 252 kex_derive_keys(kex, hash, hashlen, shared_secret);
251 BN_clear_free(shared_secret); 253 BN_clear_free(shared_secret);
252 kex_finish(kex); 254 kex_finish(kex);
253} 255}
diff --git a/loginrec.c b/loginrec.c
index c3783c991..d096346ec 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -165,7 +165,7 @@
165# include <libutil.h> 165# include <libutil.h>
166#endif 166#endif
167 167
168RCSID("$Id: loginrec.c,v 1.70 2005/07/17 07:26:44 djm Exp $"); 168RCSID("$Id: loginrec.c,v 1.71 2005/11/22 08:55:13 dtucker Exp $");
169 169
170/** 170/**
171 ** prototypes for helper functions in this file 171 ** prototypes for helper functions in this file
@@ -1589,7 +1589,7 @@ lastlog_get_entry(struct logininfo *li)
1589 return (0); 1589 return (0);
1590 default: 1590 default:
1591 error("%s: Error reading from %s: Expecting %d, got %d", 1591 error("%s: Error reading from %s: Expecting %d, got %d",
1592 __func__, LASTLOG_FILE, sizeof(last), ret); 1592 __func__, LASTLOG_FILE, (int)sizeof(last), ret);
1593 return (0); 1593 return (0);
1594 } 1594 }
1595 1595
@@ -1613,7 +1613,7 @@ record_failed_login(const char *username, const char *hostname,
1613 int fd; 1613 int fd;
1614 struct utmp ut; 1614 struct utmp ut;
1615 struct sockaddr_storage from; 1615 struct sockaddr_storage from;
1616 size_t fromlen = sizeof(from); 1616 socklen_t fromlen = sizeof(from);
1617 struct sockaddr_in *a4; 1617 struct sockaddr_in *a4;
1618 struct sockaddr_in6 *a6; 1618 struct sockaddr_in6 *a6;
1619 time_t t; 1619 time_t t;
diff --git a/misc.c b/misc.c
index 2dd8ae6e3..29e928886 100644
--- a/misc.c
+++ b/misc.c
@@ -24,7 +24,11 @@
24 */ 24 */
25 25
26#include "includes.h" 26#include "includes.h"
27RCSID("$OpenBSD: misc.c,v 1.34 2005/07/08 09:26:18 dtucker Exp $"); 27RCSID("$OpenBSD: misc.c,v 1.42 2006/01/31 10:19:02 djm Exp $");
28
29#ifdef SSH_TUN_OPENBSD
30#include <net/if.h>
31#endif
28 32
29#include "misc.h" 33#include "misc.h"
30#include "log.h" 34#include "log.h"
@@ -194,6 +198,37 @@ a2port(const char *s)
194 return port; 198 return port;
195} 199}
196 200
201int
202a2tun(const char *s, int *remote)
203{
204 const char *errstr = NULL;
205 char *sp, *ep;
206 int tun;
207
208 if (remote != NULL) {
209 *remote = SSH_TUNID_ANY;
210 sp = xstrdup(s);
211 if ((ep = strchr(sp, ':')) == NULL) {
212 xfree(sp);
213 return (a2tun(s, NULL));
214 }
215 ep[0] = '\0'; ep++;
216 *remote = a2tun(ep, NULL);
217 tun = a2tun(sp, NULL);
218 xfree(sp);
219 return (*remote == SSH_TUNID_ERR ? *remote : tun);
220 }
221
222 if (strcasecmp(s, "any") == 0)
223 return (SSH_TUNID_ANY);
224
225 tun = strtonum(s, 0, SSH_TUNID_MAX, &errstr);
226 if (errstr != NULL)
227 return (SSH_TUNID_ERR);
228
229 return (tun);
230}
231
197#define SECONDS 1 232#define SECONDS 1
198#define MINUTES (SECONDS * 60) 233#define MINUTES (SECONDS * 60)
199#define HOURS (MINUTES * 60) 234#define HOURS (MINUTES * 60)
@@ -356,12 +391,15 @@ void
356addargs(arglist *args, char *fmt, ...) 391addargs(arglist *args, char *fmt, ...)
357{ 392{
358 va_list ap; 393 va_list ap;
359 char buf[1024]; 394 char *cp;
360 u_int nalloc; 395 u_int nalloc;
396 int r;
361 397
362 va_start(ap, fmt); 398 va_start(ap, fmt);
363 vsnprintf(buf, sizeof(buf), fmt, ap); 399 r = vasprintf(&cp, fmt, ap);
364 va_end(ap); 400 va_end(ap);
401 if (r == -1)
402 fatal("addargs: argument too long");
365 403
366 nalloc = args->nalloc; 404 nalloc = args->nalloc;
367 if (args->list == NULL) { 405 if (args->list == NULL) {
@@ -372,10 +410,44 @@ addargs(arglist *args, char *fmt, ...)
372 410
373 args->list = xrealloc(args->list, nalloc * sizeof(char *)); 411 args->list = xrealloc(args->list, nalloc * sizeof(char *));
374 args->nalloc = nalloc; 412 args->nalloc = nalloc;
375 args->list[args->num++] = xstrdup(buf); 413 args->list[args->num++] = cp;
376 args->list[args->num] = NULL; 414 args->list[args->num] = NULL;
377} 415}
378 416
417void
418replacearg(arglist *args, u_int which, char *fmt, ...)
419{
420 va_list ap;
421 char *cp;
422 int r;
423
424 va_start(ap, fmt);
425 r = vasprintf(&cp, fmt, ap);
426 va_end(ap);
427 if (r == -1)
428 fatal("replacearg: argument too long");
429
430 if (which >= args->num)
431 fatal("replacearg: tried to replace invalid arg %d >= %d",
432 which, args->num);
433 xfree(args->list[which]);
434 args->list[which] = cp;
435}
436
437void
438freeargs(arglist *args)
439{
440 u_int i;
441
442 if (args->list != NULL) {
443 for (i = 0; i < args->num; i++)
444 xfree(args->list[i]);
445 xfree(args->list);
446 args->nalloc = args->num = 0;
447 args->list = NULL;
448 }
449}
450
379/* 451/*
380 * Expands tildes in the file name. Returns data allocated by xmalloc. 452 * Expands tildes in the file name. Returns data allocated by xmalloc.
381 * Warning: this calls getpw*. 453 * Warning: this calls getpw*.
@@ -507,6 +579,99 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
507 return -1; 579 return -1;
508} 580}
509 581
582int
583tun_open(int tun, int mode)
584{
585#if defined(CUSTOM_SYS_TUN_OPEN)
586 return (sys_tun_open(tun, mode));
587#elif defined(SSH_TUN_OPENBSD)
588 struct ifreq ifr;
589 char name[100];
590 int fd = -1, sock;
591
592 /* Open the tunnel device */
593 if (tun <= SSH_TUNID_MAX) {
594 snprintf(name, sizeof(name), "/dev/tun%d", tun);
595 fd = open(name, O_RDWR);
596 } else if (tun == SSH_TUNID_ANY) {
597 for (tun = 100; tun >= 0; tun--) {
598 snprintf(name, sizeof(name), "/dev/tun%d", tun);
599 if ((fd = open(name, O_RDWR)) >= 0)
600 break;
601 }
602 } else {
603 debug("%s: invalid tunnel %u", __func__, tun);
604 return (-1);
605 }
606
607 if (fd < 0) {
608 debug("%s: %s open failed: %s", __func__, name, strerror(errno));
609 return (-1);
610 }
611
612 debug("%s: %s mode %d fd %d", __func__, name, mode, fd);
613
614 /* Set the tunnel device operation mode */
615 snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "tun%d", tun);
616 if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1)
617 goto failed;
618
619 if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1)
620 goto failed;
621
622 /* Set interface mode */
623 ifr.ifr_flags &= ~IFF_UP;
624 if (mode == SSH_TUNMODE_ETHERNET)
625 ifr.ifr_flags |= IFF_LINK0;
626 else
627 ifr.ifr_flags &= ~IFF_LINK0;
628 if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1)
629 goto failed;
630
631 /* Bring interface up */
632 ifr.ifr_flags |= IFF_UP;
633 if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1)
634 goto failed;
635
636 close(sock);
637 return (fd);
638
639 failed:
640 if (fd >= 0)
641 close(fd);
642 if (sock >= 0)
643 close(sock);
644 debug("%s: failed to set %s mode %d: %s", __func__, name,
645 mode, strerror(errno));
646 return (-1);
647#else
648 error("Tunnel interfaces are not supported on this platform");
649 return (-1);
650#endif
651}
652
653void
654sanitise_stdfd(void)
655{
656 int nullfd, dupfd;
657
658 if ((nullfd = dupfd = open(_PATH_DEVNULL, O_RDWR)) == -1) {
659 fprintf(stderr, "Couldn't open /dev/null: %s", strerror(errno));
660 exit(1);
661 }
662 while (++dupfd <= 2) {
663 /* Only clobber closed fds */
664 if (fcntl(dupfd, F_GETFL, 0) >= 0)
665 continue;
666 if (dup2(nullfd, dupfd) == -1) {
667 fprintf(stderr, "dup2: %s", strerror(errno));
668 exit(1);
669 }
670 }
671 if (nullfd > 2)
672 close(nullfd);
673}
674
510char * 675char *
511tohex(const u_char *d, u_int l) 676tohex(const u_char *d, u_int l)
512{ 677{
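Review bot: In tun_open the first branch tests only `tun <= SSH_TUNID_MAX`, so a negative `tun` is accepted and formatted into the device path and later into `ifr.ifr_name`. Using `if (tun >= 0 && tun <= SSH_TUNID_MAX)` would route it to the existing "invalid tunnel" branch. a2tun() in this file never returns a negative id, so this only matters if some other caller passes an id from elsewhere, which is not visible here. In the `failed:` path the two close() calls run before `strerror(errno)`, so the logged message can report close()'s error. Saving it first (`int save_errno = errno;`) and logging `strerror(save_errno)` keeps the original cause.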
diff --git a/misc.h b/misc.h
index 2d630feb5..0a1a09a68 100644
--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: misc.h,v 1.25 2005/07/14 04:00:43 dtucker Exp $ */ 1/* $OpenBSD: misc.h,v 1.29 2006/01/31 10:19:02 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -20,6 +20,7 @@ int set_nonblock(int);
20int unset_nonblock(int); 20int unset_nonblock(int);
21void set_nodelay(int); 21void set_nodelay(int);
22int a2port(const char *); 22int a2port(const char *);
23int a2tun(const char *, int *);
23char *hpdelim(char **); 24char *hpdelim(char **);
24char *cleanhostname(char *); 25char *cleanhostname(char *);
25char *colon(char *); 26char *colon(char *);
@@ -27,6 +28,7 @@ long convtime(const char *);
27char *tilde_expand_filename(const char *, uid_t); 28char *tilde_expand_filename(const char *, uid_t);
28char *percent_expand(const char *, ...) __attribute__((__sentinel__)); 29char *percent_expand(const char *, ...) __attribute__((__sentinel__));
29char *tohex(const u_char *, u_int); 30char *tohex(const u_char *, u_int);
31void sanitise_stdfd(void);
30 32
31struct passwd *pwcopy(struct passwd *); 33struct passwd *pwcopy(struct passwd *);
32 34
@@ -36,7 +38,11 @@ struct arglist {
36 u_int num; 38 u_int num;
37 u_int nalloc; 39 u_int nalloc;
38}; 40};
39void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3))); 41void addargs(arglist *, char *, ...)
42 __attribute__((format(printf, 2, 3)));
43void replacearg(arglist *, u_int, char *, ...)
44 __attribute__((format(printf, 3, 4)));
45void freeargs(arglist *);
40 46
41/* readpass.c */ 47/* readpass.c */
42 48
@@ -48,3 +54,16 @@ void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3)));
48char *read_passphrase(const char *, int); 54char *read_passphrase(const char *, int);
49int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); 55int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
50int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); 56int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
57
58int tun_open(int, int);
59
60/* Common definitions for ssh tunnel device forwarding */
61#define SSH_TUNMODE_NO 0x00
62#define SSH_TUNMODE_POINTOPOINT 0x01
63#define SSH_TUNMODE_ETHERNET 0x02
64#define SSH_TUNMODE_DEFAULT SSH_TUNMODE_POINTOPOINT
65#define SSH_TUNMODE_YES (SSH_TUNMODE_POINTOPOINT|SSH_TUNMODE_ETHERNET)
66
67#define SSH_TUNID_ANY 0x7fffffff
68#define SSH_TUNID_ERR (SSH_TUNID_ANY - 1)
69#define SSH_TUNID_MAX (SSH_TUNID_ANY - 2)
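Review bot: The SSH_TUNID_* block needs a comment saying that ANY and ERR are sentinels placed just above SSH_TUNID_MAX. a2tun() and tun_open() in misc.c depend on that ordering when they compare against SSH_TUNID_MAX. Suggested text: `/* Unit numbers are 0..SSH_TUNID_MAX; SSH_TUNID_ANY and SSH_TUNID_ERR are sentinels above that range */`.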
diff --git a/monitor.c b/monitor.c
index 86fe23931..57d2c376c 100644
--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
25 */ 25 */
26 26
27#include "includes.h" 27#include "includes.h"
28RCSID("$OpenBSD: monitor.c,v 1.63 2005/03/10 22:01:05 deraadt Exp $"); 28RCSID("$OpenBSD: monitor.c,v 1.64 2005/10/13 22:24:31 stevesk Exp $");
29 29
30#include <openssl/dh.h> 30#include <openssl/dh.h>
31 31
@@ -849,9 +849,7 @@ mm_answer_pam_account(int sock, Buffer *m)
849 ret = do_pam_account(); 849 ret = do_pam_account();
850 850
851 buffer_put_int(m, ret); 851 buffer_put_int(m, ret);
852 buffer_append(&loginmsg, "\0", 1); 852 buffer_put_string(m, buffer_ptr(&loginmsg), buffer_len(&loginmsg));
853 buffer_put_cstring(m, buffer_ptr(&loginmsg));
854 buffer_clear(&loginmsg);
855 853
856 mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m); 854 mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m);
857 855
@@ -1850,7 +1848,7 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
1850 buffer_clear(m); 1848 buffer_clear(m);
1851 buffer_put_int(m, major); 1849 buffer_put_int(m, major);
1852 1850
1853 mm_request_send(sock,MONITOR_ANS_GSSSETUP, m); 1851 mm_request_send(sock, MONITOR_ANS_GSSSETUP, m);
1854 1852
1855 /* Now we have a context, enable the step */ 1853 /* Now we have a context, enable the step */
1856 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1); 1854 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1);
@@ -1863,7 +1861,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
1863{ 1861{
1864 gss_buffer_desc in; 1862 gss_buffer_desc in;
1865 gss_buffer_desc out = GSS_C_EMPTY_BUFFER; 1863 gss_buffer_desc out = GSS_C_EMPTY_BUFFER;
1866 OM_uint32 major,minor; 1864 OM_uint32 major, minor;
1867 OM_uint32 flags = 0; /* GSI needs this */ 1865 OM_uint32 flags = 0; /* GSI needs this */
1868 u_int len; 1866 u_int len;
1869 1867
@@ -1880,7 +1878,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
1880 1878
1881 gss_release_buffer(&minor, &out); 1879 gss_release_buffer(&minor, &out);
1882 1880
1883 if (major==GSS_S_COMPLETE) { 1881 if (major == GSS_S_COMPLETE) {
1884 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 1882 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
1885 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 1883 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
1886 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 1884 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -1930,7 +1928,7 @@ mm_answer_gss_userok(int sock, Buffer *m)
1930 debug3("%s: sending result %d", __func__, authenticated); 1928 debug3("%s: sending result %d", __func__, authenticated);
1931 mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); 1929 mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
1932 1930
1933 auth_method="gssapi-with-mic"; 1931 auth_method = "gssapi-with-mic";
1934 1932
1935 /* Monitor loop will terminate if authenticated */ 1933 /* Monitor loop will terminate if authenticated */
1936 return (authenticated); 1934 return (authenticated);
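Review bot: mm_answer_pam_account no longer calls `buffer_clear(&loginmsg)` after copying the buffer into the reply, so the monitor keeps the accumulated PAM messages after sending them, and the code does not say why. If that is intended, a comment on the new line would record it, e.g. `/* loginmsg is sent by length and deliberately left intact in the monitor */`; if not, the clear should be restored after buffer_put_string(). The reader of MONITOR_ANS_PAM_ACCOUNT is not in this hunk, so it is worth confirming that it accepts a length-prefixed string without the NUL that used to be appended. The function body extends beyond the hunk.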
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 72b75d50a..c94675c6f 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -72,7 +72,6 @@ extern struct monitor *pmonitor;
72extern Buffer input, output; 72extern Buffer input, output;
73extern Buffer loginmsg; 73extern Buffer loginmsg;
74extern ServerOptions options; 74extern ServerOptions options;
75extern Buffer loginmsg;
76 75
77int 76int
78mm_is_monitor(void) 77mm_is_monitor(void)
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 6f5ee2845..3a8703bc1 100644
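--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.35 2005/08/26 20:15:20 tim Exp $
+# $Id: Makefile.in,v 1.37 2005/12/31 05:33:37 djm Exp $
 
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@@ -18,9 +18,9 @@ LDFLAGS=-L. @LDFLAGS@
 
 OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtonum.o strtoll.o strtoul.o vis.o
 
-COMPAT=bsd-arc4random.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
+COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
 
-PORTS=port-irix.o port-aix.o port-uw.o
+PORTS=port-irix.o port-aix.o port-uw.o port-tun.o
 
 .c.o:
  $(CC) $(CFLAGS) $(CPPFLAGS) -c $<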
diff --git a/openbsd-compat/base64.c b/openbsd-compat/base64.c
index dcaa03e5d..9a60f583b 100644
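--- a/openbsd-compat/base64.c
+++ b/openbsd-compat/base64.c
@@ -1,5 +1,3 @@
-/* OPENBSD ORIGINAL: lib/libc/net/base64.c */
-
 /* $OpenBSD: base64.c,v 1.4 2002/01/02 23:00:10 deraadt Exp $ */
 
 /*
@@ -44,6 +42,8 @@
  * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
  */
 
+/* OPENBSD ORIGINAL: lib/libc/net/base64.c */
+
 #include "includes.h"
 
 #if (!defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP)) || (!defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON))
@@ -139,7 +139,7 @@ b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize)
  size_t datalength = 0;
  u_char input[3];
  u_char output[4];
- int i;
+ u_int i;
 
  while (2 < srclength) {
  input[0] = *src++;
@@ -206,7 +206,8 @@ b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize)
 int
 b64_pton(char const *src, u_char *target, size_t targsize)
 {
- int tarindex, state, ch;
+ u_int tarindex, state;
+ int ch;
  char *pos;
 
  state = 0;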
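Review bot: In b64_pton the index `tarindex` becomes `u_int` while the function's return type stays `int`, and the hunk shows no documentation of how the two now relate. The body and the return statement are outside the hunk, so this is inferred: if the decoded length is returned from `tarindex`, the conversion back to `int` is implicit, and a value above INT_MAX would come back negative and look like an error. A comment next to the declaration, for example `/* tarindex is unsigned; callers get it back as int, so targsize must stay below INT_MAX */`, or an explicit cast at the return, would record the assumption.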
diff --git a/openbsd-compat/basename.c b/openbsd-compat/basename.c
index 552dc1e1c..ad040e139 100644
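--- a/openbsd-compat/basename.c
+++ b/openbsd-compat/basename.c
@@ -1,9 +1,7 @@
-/* OPENBSD ORIGINAL: lib/libc/gen/basename.c */
-
-/* $OpenBSD: basename.c,v 1.11 2003/06/17 21:56:23 millert Exp $ */
+/* $OpenBSD: basename.c,v 1.14 2005/08/08 08:05:33 espie Exp $ */
 
 /*
- * Copyright (c) 1997 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1997, 2004 Todd C. Miller <Todd.Miller@courtesan.com>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,34 +16,35 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* OPENBSD ORIGINAL: lib/libc/gen/basename.c */
+
 #include "includes.h"
 #ifndef HAVE_BASENAME
 
-#ifndef lint
-static char rcsid[] = "$OpenBSD: basename.c,v 1.11 2003/06/17 21:56:23 millert Exp $";
-#endif /* not lint */
-
 char *
 basename(const char *path)
 {
  static char bname[MAXPATHLEN];
- register const char *endp, *startp;
+ size_t len;
+ const char *endp, *startp;
 
  /* Empty or NULL string gets treated as "." */
  if (path == NULL || *path == '\0') {
- (void)strlcpy(bname, ".", sizeof bname);
- return(bname);
+ bname[0] = '.';
+ bname[1] = '\0';
+ return (bname);
  }
 
- /* Strip trailing slashes */
+ /* Strip any trailing slashes */
  endp = path + strlen(path) - 1;
  while (endp > path && *endp == '/')
  endp--;
 
- /* All slashes become "/" */
+ /* All slashes becomes "/" */
  if (endp == path && *endp == '/') {
- (void)strlcpy(bname, "/", sizeof bname);
- return(bname);
+ bname[0] = '/';
+ bname[1] = '\0';
+ return (bname);
  }
 
  /* Find the start of the base */
@@ -53,12 +52,14 @@ basename(const char *path)
  while (startp > path && *(startp - 1) != '/')
  startp--;
 
- if (endp - startp + 2 > sizeof(bname)) {
+ len = endp - startp + 1;
+ if (len >= sizeof(bname)) {
  errno = ENAMETOOLONG;
- return(NULL);
+ return (NULL);
  }
- strlcpy(bname, startp, endp - startp + 2);
- return(bname);
+ memcpy(bname, startp, len);
+ bname[len] = '\0';
+ return (bname);
 }
 
 #endif /* !defined(HAVE_BASENAME) */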
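Review bot: The new length check in the last hunk has no comment explaining why it uses `>=`, and the memcpy() that follows depends on it: `len >= sizeof(bname)` is what leaves room for the terminator written by `bname[len] = '\0'`. A line such as `/* len excludes the NUL, so it must be strictly smaller than the buffer */` above the `if` would keep a later edit from relaxing it to `>`. Since the function returns a pointer to the static `bname`, a header comment saying that the result is overwritten by the next call and must not be freed would also help callers. The rewritten comment `/* All slashes becomes "/" */` reads worse than the line it replaces, presumably a side effect of syncing with the upstream text.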
diff --git a/openbsd-compat/bindresvport.c b/openbsd-compat/bindresvport.c
index 8a273f9b5..7f48fd03a 100644
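--- a/openbsd-compat/bindresvport.c
+++ b/openbsd-compat/bindresvport.c
@@ -1,6 +1,6 @@
 /* This file has be substantially modified from the original OpenBSD source */
 
-/* $OpenBSD: bindresvport.c,v 1.15 2003/05/20 22:42:35 deraadt Exp $ */
+/* $OpenBSD: bindresvport.c,v 1.16 2005/04/01 07:44:03 otto Exp $ */
 
 /*
  * Copyright 1996, Jason Downs. All rights reserved.
@@ -28,6 +28,8 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+/* OPENBSD ORIGINAL: lib/libc/rpc/bindresvport.c */
+
 #include "includes.h"
 
 #ifndef HAVE_BINDRESVPORT_SA
@@ -42,9 +44,7 @@
  * Bind a socket to a privileged IP port
  */
 int
-bindresvport_sa(sd, sa)
- int sd;
- struct sockaddr *sa;
+bindresvport_sa(int sd, struct sockaddr *sa)
 {
  int error, af;
  struct sockaddr_storage myaddr;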
diff --git a/openbsd-compat/bsd-asprintf.c b/openbsd-compat/bsd-asprintf.c
new file mode 100644
index 000000000..5ca01f80f
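--- /dev/null
+++ b/openbsd-compat/bsd-asprintf.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (c) 2004 Darren Tucker.
+ *
+ * Based originally on asprintf.c from OpenBSD:
+ * Copyright (c) 1997 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#ifndef HAVE_VASPRINTF
+
+#ifndef VA_COPY
+# ifdef HAVE_VA_COPY
+# define VA_COPY(dest, src) va_copy(dest, src)
+# else
+# ifdef HAVE___VA_COPY
+# define VA_COPY(dest, src) __va_copy(dest, src)
+# else
+# define VA_COPY(dest, src) (dest) = (src)
+# endif
+# endif
+#endif
+
+#define INIT_SZ 128
+
+int vasprintf(char **str, const char *fmt, va_list ap)
+{
+ int ret = -1;
+ va_list ap2;
+ char *string, *newstr;
+ size_t len;
+
+ VA_COPY(ap2, ap);
+ if ((string = malloc(INIT_SZ)) == NULL)
+ goto fail;
+
+ ret = vsnprintf(string, INIT_SZ, fmt, ap2);
+ if (ret >= 0 && ret < INIT_SZ) { /* succeeded with initial alloc */
+ *str = string;
+ } else if (ret == INT_MAX) { /* shouldn't happen */
+ goto fail;
+ } else { /* bigger than initial, realloc allowing for nul */
+ len = (size_t)ret + 1;
+ if ((newstr = realloc(string, len)) == NULL) {
+ free(string);
+ goto fail;
+ } else {
+ va_end(ap2);
+ VA_COPY(ap2, ap);
+ ret = vsnprintf(newstr, len, fmt, ap2);
+ if (ret >= 0 && (size_t)ret < len) {
+ *str = newstr;
+ } else { /* failed with realloc'ed string, give up */
+ free(newstr);
+ goto fail;
+ }
+ }
+ }
+ va_end(ap2);
+ return (ret);
+
+fail:
+ *str = NULL;
+ errno = ENOMEM;
+ va_end(ap2);
+ return (-1);
+}
+#endif
+
+#ifndef HAVE_ASPRINTF
+int asprintf(char **str, const char *fmt, ...)
+{
+ va_list ap;
+ int ret;
+
+ *str = NULL;
+ va_start(ap, fmt);
+ ret = vasprintf(str, fmt, ap);
+ va_end(ap);
+
+ return ret;
+}
+#endif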
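Review bot: A negative return from the first vsnprintf() in vasprintf() is not treated as a failure; it falls into the final `else` branch, where `len = (size_t)ret + 1` becomes 0 for a return of -1. realloc(string, 0) may then release the buffer and return NULL, after which the `free(string)` on that path would free it a second time. The `ret == INT_MAX` branch has the opposite problem, since it jumps to `fail` without freeing `string` and leaks the initial allocation. Both are closed by handling the bad lengths together: `} else if (ret < 0 || ret == INT_MAX) { free(string); goto fail;`. A comment at the `fail` label noting that every failure, including a formatting error, is reported as ENOMEM would also help callers interpret errno.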
diff --git a/openbsd-compat/bsd-closefrom.c b/openbsd-compat/bsd-closefrom.c
index 61a9fa391..5b7b94ae4 100644
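--- a/openbsd-compat/bsd-closefrom.c
+++ b/openbsd-compat/bsd-closefrom.c
@@ -46,7 +46,7 @@
 # define OPEN_MAX 256
 #endif
 
-RCSID("$Id: bsd-closefrom.c,v 1.1 2004/08/15 08:41:00 djm Exp $");
+RCSID("$Id: bsd-closefrom.c,v 1.2 2005/11/10 08:29:13 dtucker Exp $");
 
 #ifndef lint
 static const char sudorcsid[] = "$Sudo: closefrom.c,v 1.6 2004/06/01 20:51:56 millert Exp $";
@@ -67,7 +67,7 @@ closefrom(int lowfd)
 
  /* Check for a /proc/$$/fd directory. */
  len = snprintf(fdpath, sizeof(fdpath), "/proc/%ld/fd", (long)getpid());
- if (len != -1 && len <= sizeof(fdpath) && (dirp = opendir(fdpath))) {
+ if (len >= 0 && (u_int)len <= sizeof(fdpath) && (dirp = opendir(fdpath))) {
  while ((dent = readdir(dirp)) != NULL) {
  fd = strtol(dent->d_name, &endp, 10);
  if (dent->d_name != endp && *endp == '\0' &&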
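Review bot: The rewritten condition in closefrom() still accepts a truncated path, because snprintf() returns the length the full string would have needed without the terminator, so `len == sizeof(fdpath)` already means the output was cut short. The comparison should be strict and done in the type of `sizeof`: `if (len >= 0 && (size_t)len < sizeof(fdpath) && (dirp = opendir(fdpath))) {`. The declaration of `fdpath` is outside the hunk, so its size is not visible here. For a path of the form /proc/<pid>/fd truncation is presumably unlikely, but the strict bound costs nothing and avoids opening a different directory than intended.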
diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c
index 6ba9bd986..d32b054d7 100644
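--- a/openbsd-compat/bsd-misc.c
+++ b/openbsd-compat/bsd-misc.c
@@ -18,7 +18,7 @@
 #include "includes.h"
 #include "xmalloc.h"
 
-RCSID("$Id: bsd-misc.c,v 1.27 2005/05/27 11:13:41 dtucker Exp $");
+RCSID("$Id: bsd-misc.c,v 1.28 2005/11/01 22:07:31 dtucker Exp $");
 
 #ifndef HAVE___PROGNAME
 char *__progname;
@@ -223,10 +223,7 @@ strdup(const char *str)
  len = strlen(str) + 1;
  cp = malloc(len);
  if (cp != NULL)
- if (strlcpy(cp, str, len) != len) {
- free(cp);
- return NULL;
- }
- return cp;
+ return(memcpy(cp, str, len));
+ return NULL;
 }
 #endif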
diff --git a/openbsd-compat/bsd-snprintf.c b/openbsd-compat/bsd-snprintf.c
index b5a7ef7a0..e4ba154fd 100644
--- a/openbsd-compat/bsd-snprintf.c
+++ b/openbsd-compat/bsd-snprintf.c
@@ -45,45 +45,82 @@
45 * missing. Some systems only have snprintf() but not vsnprintf(), so 45 * missing. Some systems only have snprintf() but not vsnprintf(), so
46 * the code is now broken down under HAVE_SNPRINTF and HAVE_VSNPRINTF. 46 * the code is now broken down under HAVE_SNPRINTF and HAVE_VSNPRINTF.
47 * 47 *
48 * Ben Lindstrom <mouring@eviladmin.org> 09/27/00 for OpenSSH 48 * Andrew Tridgell (tridge@samba.org) Oct 1998
49 * Welcome to the world of %lld and %qd support. With other 49 * fixed handling of %.0f
50 * long long support. This is needed for sftp-server to work 50 * added test for HAVE_LONG_DOUBLE
51 * right.
52 * 51 *
53 * Ben Lindstrom <mouring@eviladmin.org> 02/12/01 for OpenSSH 52 * tridge@samba.org, idra@samba.org, April 2001
54 * Removed all hint of VARARGS stuff and banished it to the void, 53 * got rid of fcvt code (twas buggy and made testing harder)
55 * and did a bit of KNF style work to make things a bit more 54 * added C99 semantics
56 * acceptable. Consider stealing from mutt or enlightenment. 55 *
56 * date: 2002/12/19 19:56:31; author: herb; state: Exp; lines: +2 -0
57 * actually print args for %g and %e
58 *
59 * date: 2002/06/03 13:37:52; author: jmcd; state: Exp; lines: +8 -0
60 * Since includes.h isn't included here, VA_COPY has to be defined here. I don't
61 * see any include file that is guaranteed to be here, so I'm defining it
62 * locally. Fixes AIX and Solaris builds.
63 *
64 * date: 2002/06/03 03:07:24; author: tridge; state: Exp; lines: +5 -13
65 * put the ifdef for HAVE_VA_COPY in one place rather than in lots of
66 * functions
67 *
68 * date: 2002/05/17 14:51:22; author: jmcd; state: Exp; lines: +21 -4
69 * Fix usage of va_list passed as an arg. Use __va_copy before using it
70 * when it exists.
71 *
72 * date: 2002/04/16 22:38:04; author: idra; state: Exp; lines: +20 -14
73 * Fix incorrect zpadlen handling in fmtfp.
74 * Thanks to Ollie Oldham <ollie.oldham@metro-optix.com> for spotting it.
75 * few mods to make it easier to compile the tests.
76 * addedd the "Ollie" test to the floating point ones.
77 *
78 * Martin Pool (mbp@samba.org) April 2003
79 * Remove NO_CONFIG_H so that the test case can be built within a source
80 * tree with less trouble.
81 * Remove unnecessary SAFE_FREE() definition.
82 *
83 * Martin Pool (mbp@samba.org) May 2003
84 * Put in a prototype for dummy_snprintf() to quiet compiler warnings.
85 *
86 * Move #endif to make sure VA_COPY, LDOUBLE, etc are defined even
87 * if the C library has some snprintf functions already.
57 **************************************************************/ 88 **************************************************************/
58 89
59#include "includes.h" 90#include "includes.h"
60 91
61RCSID("$Id: bsd-snprintf.c,v 1.9 2004/09/23 11:35:09 dtucker Exp $"); 92RCSID("$Id: bsd-snprintf.c,v 1.11 2005/12/17 11:32:04 dtucker Exp $");
62 93
63#if defined(BROKEN_SNPRINTF) /* For those with broken snprintf() */ 94#if defined(BROKEN_SNPRINTF) /* For those with broken snprintf() */
64# undef HAVE_SNPRINTF 95# undef HAVE_SNPRINTF
65# undef HAVE_VSNPRINTF 96# undef HAVE_VSNPRINTF
66#endif 97#endif
67 98
68#if !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) 99#ifndef VA_COPY
69 100# ifdef HAVE_VA_COPY
70static void 101# define VA_COPY(dest, src) va_copy(dest, src)
71dopr(char *buffer, size_t maxlen, const char *format, va_list args); 102# else
72 103# ifdef HAVE___VA_COPY
73static void 104# define VA_COPY(dest, src) __va_copy(dest, src)
74fmtstr(char *buffer, size_t *currlen, size_t maxlen, char *value, int flags, 105# else
75 int min, int max); 106# define VA_COPY(dest, src) (dest) = (src)
107# endif
108# endif
109#endif
76 110
77static void 111#if !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF)
78fmtint(char *buffer, size_t *currlen, size_t maxlen, long value, int base,
79 int min, int max, int flags);
80 112
81static void 113#ifdef HAVE_LONG_DOUBLE
82fmtfp(char *buffer, size_t *currlen, size_t maxlen, long double fvalue, 114# define LDOUBLE long double
83 int min, int max, int flags); 115#else
116# define LDOUBLE double
117#endif
84 118
85static void 119#ifdef HAVE_LONG_LONG
86dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c); 120# define LLONG long long
121#else
122# define LLONG long
123#endif
87 124
88/* 125/*
89 * dopr(): poor man's version of doprintf 126 * dopr(): poor man's version of doprintf
@@ -109,28 +146,49 @@ dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c);
109#define DP_F_UNSIGNED (1 << 6) 146#define DP_F_UNSIGNED (1 << 6)
110 147
111/* Conversion Flags */ 148/* Conversion Flags */
112#define DP_C_SHORT 1 149#define DP_C_SHORT 1
113#define DP_C_LONG 2 150#define DP_C_LONG 2
114#define DP_C_LDOUBLE 3 151#define DP_C_LDOUBLE 3
115#define DP_C_LONG_LONG 4 152#define DP_C_LLONG 4
116 153
117#define char_to_int(p) (p - '0') 154#define char_to_int(p) ((p)- '0')
118#define abs_val(p) (p < 0 ? -p : p) 155#ifndef MAX
119 156# define MAX(p,q) (((p) >= (q)) ? (p) : (q))
157#endif
120 158
121static void 159static size_t dopr(char *buffer, size_t maxlen, const char *format,
122dopr(char *buffer, size_t maxlen, const char *format, va_list args) 160 va_list args_in);
161static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
162 char *value, int flags, int min, int max);
163static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
164 long value, int base, int min, int max, int flags);
165static void fmtfp(char *buffer, size_t *currlen, size_t maxlen,
166 LDOUBLE fvalue, int min, int max, int flags);
167static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c);
168
169static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args_in)
123{ 170{
124 char *strvalue, ch; 171 char ch;
125 long value; 172 LLONG value;
126 long double fvalue; 173 LDOUBLE fvalue;
127 int min = 0, max = -1, state = DP_S_DEFAULT, flags = 0, cflags = 0; 174 char *strvalue;
128 size_t currlen = 0; 175 int min;
129 176 int max;
177 int state;
178 int flags;
179 int cflags;
180 size_t currlen;
181 va_list args;
182
183 VA_COPY(args, args_in);
184
185 state = DP_S_DEFAULT;
186 currlen = flags = cflags = min = 0;
187 max = -1;
130 ch = *format++; 188 ch = *format++;
131 189
132 while (state != DP_S_DONE) { 190 while (state != DP_S_DONE) {
133 if ((ch == '\0') || (currlen >= maxlen)) 191 if (ch == '\0')
134 state = DP_S_DONE; 192 state = DP_S_DONE;
135 193
136 switch(state) { 194 switch(state) {
@@ -138,7 +196,7 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args)
138 if (ch == '%') 196 if (ch == '%')
139 state = DP_S_FLAGS; 197 state = DP_S_FLAGS;
140 else 198 else
141 dopr_outch(buffer, &currlen, maxlen, ch); 199 dopr_outch (buffer, &currlen, maxlen, ch);
142 ch = *format++; 200 ch = *format++;
143 break; 201 break;
144 case DP_S_FLAGS: 202 case DP_S_FLAGS:
@@ -170,34 +228,37 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args)
170 break; 228 break;
171 case DP_S_MIN: 229 case DP_S_MIN:
172 if (isdigit((unsigned char)ch)) { 230 if (isdigit((unsigned char)ch)) {
173 min = 10 * min + char_to_int (ch); 231 min = 10*min + char_to_int (ch);
174 ch = *format++; 232 ch = *format++;
175 } else if (ch == '*') { 233 } else if (ch == '*') {
176 min = va_arg (args, int); 234 min = va_arg (args, int);
177 ch = *format++; 235 ch = *format++;
178 state = DP_S_DOT; 236 state = DP_S_DOT;
179 } else 237 } else {
180 state = DP_S_DOT; 238 state = DP_S_DOT;
239 }
181 break; 240 break;
182 case DP_S_DOT: 241 case DP_S_DOT:
183 if (ch == '.') { 242 if (ch == '.') {
184 state = DP_S_MAX; 243 state = DP_S_MAX;
185 ch = *format++; 244 ch = *format++;
186 } else 245 } else {
187 state = DP_S_MOD; 246 state = DP_S_MOD;
247 }
188 break; 248 break;
189 case DP_S_MAX: 249 case DP_S_MAX:
190 if (isdigit((unsigned char)ch)) { 250 if (isdigit((unsigned char)ch)) {
191 if (max < 0) 251 if (max < 0)
192 max = 0; 252 max = 0;
193 max = 10 * max + char_to_int(ch); 253 max = 10*max + char_to_int (ch);
194 ch = *format++; 254 ch = *format++;
195 } else if (ch == '*') { 255 } else if (ch == '*') {
196 max = va_arg (args, int); 256 max = va_arg (args, int);
197 ch = *format++; 257 ch = *format++;
198 state = DP_S_MOD; 258 state = DP_S_MOD;
199 } else 259 } else {
200 state = DP_S_MOD; 260 state = DP_S_MOD;
261 }
201 break; 262 break;
202 case DP_S_MOD: 263 case DP_S_MOD:
203 switch (ch) { 264 switch (ch) {
@@ -208,15 +269,11 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args)
208 case 'l': 269 case 'l':
209 cflags = DP_C_LONG; 270 cflags = DP_C_LONG;
210 ch = *format++; 271 ch = *format++;
211 if (ch == 'l') { 272 if (ch == 'l') { /* It's a long long */
212 cflags = DP_C_LONG_LONG; 273 cflags = DP_C_LLONG;
213 ch = *format++; 274 ch = *format++;
214 } 275 }
215 break; 276 break;
216 case 'q':
217 cflags = DP_C_LONG_LONG;
218 ch = *format++;
219 break;
220 case 'L': 277 case 'L':
221 cflags = DP_C_LDOUBLE; 278 cflags = DP_C_LDOUBLE;
222 ch = *format++; 279 ch = *format++;
@@ -231,37 +288,37 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args)
231 case 'd': 288 case 'd':
232 case 'i': 289 case 'i':
233 if (cflags == DP_C_SHORT) 290 if (cflags == DP_C_SHORT)
234 value = va_arg(args, int); 291 value = va_arg (args, int);
235 else if (cflags == DP_C_LONG) 292 else if (cflags == DP_C_LONG)
236 value = va_arg(args, long int); 293 value = va_arg (args, long int);
237 else if (cflags == DP_C_LONG_LONG) 294 else if (cflags == DP_C_LLONG)
238 value = va_arg (args, long long); 295 value = va_arg (args, LLONG);
239 else 296 else
240 value = va_arg (args, int); 297 value = va_arg (args, int);
241 fmtint(buffer, &currlen, maxlen, value, 10, min, max, flags); 298 fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags);
242 break; 299 break;
243 case 'o': 300 case 'o':
244 flags |= DP_F_UNSIGNED; 301 flags |= DP_F_UNSIGNED;
245 if (cflags == DP_C_SHORT) 302 if (cflags == DP_C_SHORT)
246 value = va_arg(args, unsigned int); 303 value = va_arg (args, unsigned int);
247 else if (cflags == DP_C_LONG) 304 else if (cflags == DP_C_LONG)
248 value = va_arg(args, unsigned long int); 305 value = (long)va_arg (args, unsigned long int);
249 else if (cflags == DP_C_LONG_LONG) 306 else if (cflags == DP_C_LLONG)
250 value = va_arg(args, unsigned long long); 307 value = (long)va_arg (args, unsigned LLONG);
251 else 308 else
252 value = va_arg(args, unsigned int); 309 value = (long)va_arg (args, unsigned int);
253 fmtint(buffer, &currlen, maxlen, value, 8, min, max, flags); 310 fmtint (buffer, &currlen, maxlen, value, 8, min, max, flags);
254 break; 311 break;
255 case 'u': 312 case 'u':
256 flags |= DP_F_UNSIGNED; 313 flags |= DP_F_UNSIGNED;
257 if (cflags == DP_C_SHORT) 314 if (cflags == DP_C_SHORT)
258 value = va_arg(args, unsigned int); 315 value = va_arg (args, unsigned int);
259 else if (cflags == DP_C_LONG) 316 else if (cflags == DP_C_LONG)
260 value = va_arg(args, unsigned long int); 317 value = (long)va_arg (args, unsigned long int);
261 else if (cflags == DP_C_LONG_LONG) 318 else if (cflags == DP_C_LLONG)
262 value = va_arg(args, unsigned long long); 319 value = (LLONG)va_arg (args, unsigned LLONG);
263 else 320 else
264 value = va_arg(args, unsigned int); 321 value = (long)va_arg (args, unsigned int);
265 fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags); 322 fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags);
266 break; 323 break;
267 case 'X': 324 case 'X':
@@ -269,79 +326,86 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args)
269 case 'x': 326 case 'x':
270 flags |= DP_F_UNSIGNED; 327 flags |= DP_F_UNSIGNED;
271 if (cflags == DP_C_SHORT) 328 if (cflags == DP_C_SHORT)
272 value = va_arg(args, unsigned int); 329 value = va_arg (args, unsigned int);
273 else if (cflags == DP_C_LONG) 330 else if (cflags == DP_C_LONG)
274 value = va_arg(args, unsigned long int); 331 value = (long)va_arg (args, unsigned long int);
275 else if (cflags == DP_C_LONG_LONG) 332 else if (cflags == DP_C_LLONG)
276 value = va_arg(args, unsigned long long); 333 value = (LLONG)va_arg (args, unsigned LLONG);
277 else 334 else
278 value = va_arg(args, unsigned int); 335 value = (long)va_arg (args, unsigned int);
279 fmtint(buffer, &currlen, maxlen, value, 16, min, max, flags); 336 fmtint (buffer, &currlen, maxlen, value, 16, min, max, flags);
280 break; 337 break;
281 case 'f': 338 case 'f':
282 if (cflags == DP_C_LDOUBLE) 339 if (cflags == DP_C_LDOUBLE)
283 fvalue = va_arg(args, long double); 340 fvalue = va_arg (args, LDOUBLE);
284 else 341 else
285 fvalue = va_arg(args, double); 342 fvalue = va_arg (args, double);
286 /* um, floating point? */ 343 /* um, floating point? */
287 fmtfp(buffer, &currlen, maxlen, fvalue, min, max, flags); 344 fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
288 break; 345 break;
289 case 'E': 346 case 'E':
290 flags |= DP_F_UP; 347 flags |= DP_F_UP;
291 case 'e': 348 case 'e':
292 if (cflags == DP_C_LDOUBLE) 349 if (cflags == DP_C_LDOUBLE)
293 fvalue = va_arg(args, long double); 350 fvalue = va_arg (args, LDOUBLE);
294 else 351 else
295 fvalue = va_arg(args, double); 352 fvalue = va_arg (args, double);
353 fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
296 break; 354 break;
297 case 'G': 355 case 'G':
298 flags |= DP_F_UP; 356 flags |= DP_F_UP;
299 case 'g': 357 case 'g':
300 if (cflags == DP_C_LDOUBLE) 358 if (cflags == DP_C_LDOUBLE)
301 fvalue = va_arg(args, long double); 359 fvalue = va_arg (args, LDOUBLE);
302 else 360 else
303 fvalue = va_arg(args, double); 361 fvalue = va_arg (args, double);
362 fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
304 break; 363 break;
305 case 'c': 364 case 'c':
306 dopr_outch(buffer, &currlen, maxlen, va_arg(args, int)); 365 dopr_outch (buffer, &currlen, maxlen, va_arg (args, int));
307 break; 366 break;
308 case 's': 367 case 's':
309 strvalue = va_arg(args, char *); 368 strvalue = va_arg (args, char *);
310 if (max < 0) 369 if (!strvalue) strvalue = "(NULL)";
311 max = maxlen; /* ie, no max */ 370 if (max == -1) {
312 fmtstr(buffer, &currlen, maxlen, strvalue, flags, min, max); 371 max = strlen(strvalue);
372 }
373 if (min > 0 && max >= 0 && min > max) max = min;
374 fmtstr (buffer, &currlen, maxlen, strvalue, flags, min, max);
313 break; 375 break;
314 case 'p': 376 case 'p':
315 strvalue = va_arg(args, void *); 377 strvalue = va_arg (args, void *);
316 fmtint(buffer, &currlen, maxlen, (long) strvalue, 16, min, max, flags); 378 fmtint (buffer, &currlen, maxlen, (long) strvalue, 16, min, max, flags);
317 break; 379 break;
318 case 'n': 380 case 'n':
319 if (cflags == DP_C_SHORT) { 381 if (cflags == DP_C_SHORT) {
320 short int *num; 382 short int *num;
321 num = va_arg(args, short int *); 383 num = va_arg (args, short int *);
322 *num = currlen; 384 *num = currlen;
323 } else if (cflags == DP_C_LONG) { 385 } else if (cflags == DP_C_LONG) {
324 long int *num; 386 long int *num;
325 num = va_arg(args, long int *); 387 num = va_arg (args, long int *);
326 *num = currlen; 388 *num = (long int)currlen;
327 } else if (cflags == DP_C_LONG_LONG) { 389 } else if (cflags == DP_C_LLONG) {
328 long long *num; 390 LLONG *num;
329 num = va_arg(args, long long *); 391 num = va_arg (args, LLONG *);
330 *num = currlen; 392 *num = (LLONG)currlen;
331 } else { 393 } else {
332 int *num; 394 int *num;
333 num = va_arg(args, int *); 395 num = va_arg (args, int *);
334 *num = currlen; 396 *num = currlen;
335 } 397 }
336 break; 398 break;
337 case '%': 399 case '%':
338 dopr_outch(buffer, &currlen, maxlen, ch); 400 dopr_outch (buffer, &currlen, maxlen, ch);
339 break; 401 break;
340 case 'w': /* not supported yet, treat as next char */ 402 case 'w':
403 /* not supported yet, treat as next char */
341 ch = *format++; 404 ch = *format++;
342 break; 405 break;
343 default: /* Unknown, skip */ 406 default:
344 break; 407 /* Unknown, skip */
408 break;
345 } 409 }
346 ch = *format++; 410 ch = *format++;
347 state = DP_S_DEFAULT; 411 state = DP_S_DEFAULT;
@@ -350,24 +414,33 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args)
350 break; 414 break;
351 case DP_S_DONE: 415 case DP_S_DONE:
352 break; 416 break;
353 default: /* hmm? */ 417 default:
418 /* hmm? */
354 break; /* some picky compilers need this */ 419 break; /* some picky compilers need this */
355 } 420 }
356 } 421 }
357 if (currlen < maxlen - 1) 422 if (maxlen != 0) {
358 buffer[currlen] = '\0'; 423 if (currlen < maxlen - 1)
359 else 424 buffer[currlen] = '\0';
360 buffer[maxlen - 1] = '\0'; 425 else if (maxlen > 0)
426 buffer[maxlen - 1] = '\0';
427 }
428
429 return currlen;
361} 430}
362 431
363static void 432static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
364fmtstr(char *buffer, size_t *currlen, size_t maxlen, 433 char *value, int flags, int min, int max)
365 char *value, int flags, int min, int max)
366{ 434{
367 int cnt = 0, padlen, strln; /* amount to pad */ 435 int padlen, strln; /* amount to pad */
368 436 int cnt = 0;
369 if (value == 0) 437
438#ifdef DEBUG_SNPRINTF
439 printf("fmtstr min=%d max=%d s=[%s]\n", min, max, value);
440#endif
441 if (value == 0) {
370 value = "<NULL>"; 442 value = "<NULL>";
443 }
371 444
372 for (strln = 0; strln < max && value[strln]; ++strln); /* strlen */ 445 for (strln = 0; strln < max && value[strln]; ++strln); /* strlen */
373 padlen = min - strln; 446 padlen = min - strln;
@@ -375,18 +448,18 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen,
375 padlen = 0; 448 padlen = 0;
376 if (flags & DP_F_MINUS) 449 if (flags & DP_F_MINUS)
377 padlen = -padlen; /* Left Justify */ 450 padlen = -padlen; /* Left Justify */
378 451
379 while ((padlen > 0) && (cnt < max)) { 452 while ((padlen > 0) && (cnt < max)) {
380 dopr_outch(buffer, currlen, maxlen, ' '); 453 dopr_outch (buffer, currlen, maxlen, ' ');
381 --padlen; 454 --padlen;
382 ++cnt; 455 ++cnt;
383 } 456 }
384 while (*value && (cnt < max)) { 457 while (*value && (cnt < max)) {
385 dopr_outch(buffer, currlen, maxlen, *value++); 458 dopr_outch (buffer, currlen, maxlen, *value++);
386 ++cnt; 459 ++cnt;
387 } 460 }
388 while ((padlen < 0) && (cnt < max)) { 461 while ((padlen < 0) && (cnt < max)) {
389 dopr_outch(buffer, currlen, maxlen, ' '); 462 dopr_outch (buffer, currlen, maxlen, ' ');
390 ++padlen; 463 ++padlen;
391 ++cnt; 464 ++cnt;
392 } 465 }
@@ -394,49 +467,49 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen,
394 467
395/* Have to handle DP_F_NUM (ie 0x and 0 alternates) */ 468/* Have to handle DP_F_NUM (ie 0x and 0 alternates) */
396 469
397static void 470static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
398fmtint(char *buffer, size_t *currlen, size_t maxlen, 471 long value, int base, int min, int max, int flags)
399 long value, int base, int min, int max, int flags)
400{ 472{
473 int signvalue = 0;
401 unsigned long uvalue; 474 unsigned long uvalue;
402 char convert[20]; 475 char convert[20];
403 int signvalue = 0, place = 0, caps = 0; 476 int place = 0;
404 int spadlen = 0; /* amount to space pad */ 477 int spadlen = 0; /* amount to space pad */
405 int zpadlen = 0; /* amount to zero pad */ 478 int zpadlen = 0; /* amount to zero pad */
406 479 int caps = 0;
480
407 if (max < 0) 481 if (max < 0)
408 max = 0; 482 max = 0;
409 483
410 uvalue = value; 484 uvalue = value;
411 485
412 if (!(flags & DP_F_UNSIGNED)) { 486 if(!(flags & DP_F_UNSIGNED)) {
413 if (value < 0) { 487 if( value < 0 ) {
414 signvalue = '-'; 488 signvalue = '-';
415 uvalue = -value; 489 uvalue = -value;
416 } else if (flags & DP_F_PLUS) /* Do a sign (+/i) */ 490 } else {
417 signvalue = '+'; 491 if (flags & DP_F_PLUS) /* Do a sign (+/i) */
418 else if (flags & DP_F_SPACE) 492 signvalue = '+';
419 signvalue = ' '; 493 else if (flags & DP_F_SPACE)
494 signvalue = ' ';
495 }
420 } 496 }
421 497
422 if (flags & DP_F_UP) 498 if (flags & DP_F_UP) caps = 1; /* Should characters be upper case? */
423 caps = 1; /* Should characters be upper case? */ 499
424 do { 500 do {
425 convert[place++] = 501 convert[place++] =
426 (caps ? "0123456789ABCDEF" : "0123456789abcdef") 502 (caps? "0123456789ABCDEF":"0123456789abcdef")
427 [uvalue % (unsigned)base]; 503 [uvalue % (unsigned)base ];
428 uvalue = (uvalue / (unsigned)base ); 504 uvalue = (uvalue / (unsigned)base );
429 } while (uvalue && (place < 20)); 505 } while(uvalue && (place < 20));
430 if (place == 20) 506 if (place == 20) place--;
431 place--;
432 convert[place] = 0; 507 convert[place] = 0;
433 508
434 zpadlen = max - place; 509 zpadlen = max - place;
435 spadlen = min - MAX (max, place) - (signvalue ? 1 : 0); 510 spadlen = min - MAX (max, place) - (signvalue ? 1 : 0);
436 if (zpadlen < 0) 511 if (zpadlen < 0) zpadlen = 0;
437 zpadlen = 0; 512 if (spadlen < 0) spadlen = 0;
438 if (spadlen < 0)
439 spadlen = 0;
440 if (flags & DP_F_ZERO) { 513 if (flags & DP_F_ZERO) {
441 zpadlen = MAX(zpadlen, spadlen); 514 zpadlen = MAX(zpadlen, spadlen);
442 spadlen = 0; 515 spadlen = 0;
@@ -444,27 +517,32 @@ fmtint(char *buffer, size_t *currlen, size_t maxlen,
444 if (flags & DP_F_MINUS) 517 if (flags & DP_F_MINUS)
445 spadlen = -spadlen; /* Left Justifty */ 518 spadlen = -spadlen; /* Left Justifty */
446 519
520#ifdef DEBUG_SNPRINTF
521 printf("zpad: %d, spad: %d, min: %d, max: %d, place: %d\n",
522 zpadlen, spadlen, min, max, place);
523#endif
524
447 /* Spaces */ 525 /* Spaces */
448 while (spadlen > 0) { 526 while (spadlen > 0) {
449 dopr_outch(buffer, currlen, maxlen, ' '); 527 dopr_outch (buffer, currlen, maxlen, ' ');
450 --spadlen; 528 --spadlen;
451 } 529 }
452 530
453 /* Sign */ 531 /* Sign */
454 if (signvalue) 532 if (signvalue)
455 dopr_outch(buffer, currlen, maxlen, signvalue); 533 dopr_outch (buffer, currlen, maxlen, signvalue);
456 534
457 /* Zeros */ 535 /* Zeros */
458 if (zpadlen > 0) { 536 if (zpadlen > 0) {
459 while (zpadlen > 0) { 537 while (zpadlen > 0) {
460 dopr_outch(buffer, currlen, maxlen, '0'); 538 dopr_outch (buffer, currlen, maxlen, '0');
461 --zpadlen; 539 --zpadlen;
462 } 540 }
463 } 541 }
464 542
465 /* Digits */ 543 /* Digits */
466 while (place > 0) 544 while (place > 0)
467 dopr_outch(buffer, currlen, maxlen, convert[--place]); 545 dopr_outch (buffer, currlen, maxlen, convert[--place]);
468 546
469 /* Left Justified spaces */ 547 /* Left Justified spaces */
470 while (spadlen < 0) { 548 while (spadlen < 0) {
@@ -473,11 +551,20 @@ fmtint(char *buffer, size_t *currlen, size_t maxlen,
473 } 551 }
474} 552}
475 553
476static long double 554static LDOUBLE abs_val(LDOUBLE value)
477pow10(int exp)
478{ 555{
479 long double result = 1; 556 LDOUBLE result = value;
557
558 if (value < 0)
559 result = -value;
560
561 return result;
562}
480 563
564static LDOUBLE POW10(int exp)
565{
566 LDOUBLE result = 1;
567
481 while (exp) { 568 while (exp) {
482 result *= 10; 569 result *= 10;
483 exp--; 570 exp--;
@@ -486,28 +573,69 @@ pow10(int exp)
486 return result; 573 return result;
487} 574}
488 575
489static long 576static LLONG ROUND(LDOUBLE value)
490round(long double value)
491{ 577{
492 long intpart = value; 578 LLONG intpart;
493
494 value -= intpart;
495 if (value >= 0.5)
496 intpart++;
497 579
580 intpart = (LLONG)value;
581 value = value - intpart;
582 if (value >= 0.5) intpart++;
583
498 return intpart; 584 return intpart;
499} 585}
500 586
501static void 587/* a replacement for modf that doesn't need the math library. Should
502fmtfp(char *buffer, size_t *currlen, size_t maxlen, long double fvalue, 588 be portable, but slow */
503 int min, int max, int flags) 589static double my_modf(double x0, double *iptr)
504{ 590{
505 char iconvert[20], fconvert[20]; 591 int i;
506 int signvalue = 0, iplace = 0, fplace = 0; 592 long l;
593 double x = x0;
594 double f = 1.0;
595
596 for (i=0;i<100;i++) {
597 l = (long)x;
598 if (l <= (x+1) && l >= (x-1)) break;
599 x *= 0.1;
600 f *= 10.0;
601 }
602
603 if (i == 100) {
604 /* yikes! the number is beyond what we can handle. What do we do? */
605 (*iptr) = 0;
606 return 0;
607 }
608
609 if (i != 0) {
610 double i2;
611 double ret;
612
613 ret = my_modf(x0-l*f, &i2);
614 (*iptr) = l*f + i2;
615 return ret;
616 }
617
618 (*iptr) = l;
619 return x - (*iptr);
620}
621
622
623static void fmtfp (char *buffer, size_t *currlen, size_t maxlen,
624 LDOUBLE fvalue, int min, int max, int flags)
625{
626 int signvalue = 0;
627 double ufvalue;
628 char iconvert[311];
629 char fconvert[311];
630 int iplace = 0;
631 int fplace = 0;
507 int padlen = 0; /* amount to pad */ 632 int padlen = 0; /* amount to pad */
508 int zpadlen = 0, caps = 0; 633 int zpadlen = 0;
509 long intpart, fracpart; 634 int caps = 0;
510 long double ufvalue; 635 int idx;
636 double intpart;
637 double fracpart;
638 double temp;
511 639
512 /* 640 /*
513 * AIX manpage says the default is 0, but Solaris says the default 641 * AIX manpage says the default is 0, but Solaris says the default
@@ -516,137 +644,159 @@ fmtfp(char *buffer, size_t *currlen, size_t maxlen, long double fvalue,
516 if (max < 0) 644 if (max < 0)
517 max = 6; 645 max = 6;
518 646
519 ufvalue = abs_val(fvalue); 647 ufvalue = abs_val (fvalue);
520 648
521 if (fvalue < 0) 649 if (fvalue < 0) {
522 signvalue = '-'; 650 signvalue = '-';
523 else if (flags & DP_F_PLUS) /* Do a sign (+/i) */ 651 } else {
524 signvalue = '+'; 652 if (flags & DP_F_PLUS) { /* Do a sign (+/i) */
525 else if (flags & DP_F_SPACE) 653 signvalue = '+';
526 signvalue = ' '; 654 } else {
655 if (flags & DP_F_SPACE)
656 signvalue = ' ';
657 }
658 }
527 659
528 intpart = ufvalue; 660#if 0
661 if (flags & DP_F_UP) caps = 1; /* Should characters be upper case? */
662#endif
663
664#if 0
665 if (max == 0) ufvalue += 0.5; /* if max = 0 we must round */
666#endif
529 667
530 /* 668 /*
531 * Sorry, we only support 9 digits past the decimal because of our 669 * Sorry, we only support 16 digits past the decimal because of our
532 * conversion method 670 * conversion method
533 */ 671 */
534 if (max > 9) 672 if (max > 16)
535 max = 9; 673 max = 16;
536 674
537 /* We "cheat" by converting the fractional part to integer by 675 /* We "cheat" by converting the fractional part to integer by
538 * multiplying by a factor of 10 676 * multiplying by a factor of 10
539 */ 677 */
540 fracpart = round((pow10 (max)) * (ufvalue - intpart));
541 678
542 if (fracpart >= pow10 (max)) { 679 temp = ufvalue;
680 my_modf(temp, &intpart);
681
682 fracpart = ROUND((POW10(max)) * (ufvalue - intpart));
683
684 if (fracpart >= POW10(max)) {
543 intpart++; 685 intpart++;
544 fracpart -= pow10 (max); 686 fracpart -= POW10(max);
545 } 687 }
546 688
547 /* Convert integer part */ 689 /* Convert integer part */
548 do { 690 do {
691 temp = intpart*0.1;
692 my_modf(temp, &intpart);
693 idx = (int) ((temp -intpart +0.05)* 10.0);
694 /* idx = (int) (((double)(temp*0.1) -intpart +0.05) *10.0); */
695 /* printf ("%llf, %f, %x\n", temp, intpart, idx); */
549 iconvert[iplace++] = 696 iconvert[iplace++] =
550 (caps ? "0123456789ABCDEF" : "0123456789abcdef") 697 (caps? "0123456789ABCDEF":"0123456789abcdef")[idx];
551 [intpart % 10]; 698 } while (intpart && (iplace < 311));
552 intpart = (intpart / 10); 699 if (iplace == 311) iplace--;
553 } while(intpart && (iplace < 20));
554 if (iplace == 20)
555 iplace--;
556 iconvert[iplace] = 0; 700 iconvert[iplace] = 0;
557 701
558 /* Convert fractional part */ 702 /* Convert fractional part */
559 do { 703 if (fracpart)
560 fconvert[fplace++] = 704 {
561 (caps ? "0123456789ABCDEF" : "0123456789abcdef") 705 do {
562 [fracpart % 10]; 706 temp = fracpart*0.1;
563 fracpart = (fracpart / 10); 707 my_modf(temp, &fracpart);
564 } while(fracpart && (fplace < 20)); 708 idx = (int) ((temp -fracpart +0.05)* 10.0);
565 if (fplace == 20) 709 /* idx = (int) ((((temp/10) -fracpart) +0.05) *10); */
566 fplace--; 710 /* printf ("%lf, %lf, %ld\n", temp, fracpart, idx ); */
711 fconvert[fplace++] =
712 (caps? "0123456789ABCDEF":"0123456789abcdef")[idx];
713 } while(fracpart && (fplace < 311));
714 if (fplace == 311) fplace--;
715 }
567 fconvert[fplace] = 0; 716 fconvert[fplace] = 0;
568 717
569 /* -1 for decimal point, another -1 if we are printing a sign */ 718 /* -1 for decimal point, another -1 if we are printing a sign */
570 padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0); 719 padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0);
571 zpadlen = max - fplace; 720 zpadlen = max - fplace;
572 if (zpadlen < 0) 721 if (zpadlen < 0) zpadlen = 0;
573 zpadlen = 0;
574 if (padlen < 0) 722 if (padlen < 0)
575 padlen = 0; 723 padlen = 0;
576 if (flags & DP_F_MINUS) 724 if (flags & DP_F_MINUS)
577 padlen = -padlen; /* Left Justifty */ 725 padlen = -padlen; /* Left Justifty */
578 726
579 if ((flags & DP_F_ZERO) && (padlen > 0)) { 727 if ((flags & DP_F_ZERO) && (padlen > 0)) {
580 if (signvalue) { 728 if (signvalue) {
581 dopr_outch(buffer, currlen, maxlen, signvalue); 729 dopr_outch (buffer, currlen, maxlen, signvalue);
582 --padlen; 730 --padlen;
583 signvalue = 0; 731 signvalue = 0;
584 } 732 }
585 while (padlen > 0) { 733 while (padlen > 0) {
586 dopr_outch(buffer, currlen, maxlen, '0'); 734 dopr_outch (buffer, currlen, maxlen, '0');
587 --padlen; 735 --padlen;
588 } 736 }
589 } 737 }
590 while (padlen > 0) { 738 while (padlen > 0) {
591 dopr_outch(buffer, currlen, maxlen, ' '); 739 dopr_outch (buffer, currlen, maxlen, ' ');
592 --padlen; 740 --padlen;
593 } 741 }
594 if (signvalue) 742 if (signvalue)
595 dopr_outch(buffer, currlen, maxlen, signvalue); 743 dopr_outch (buffer, currlen, maxlen, signvalue);
596 744
597 while (iplace > 0) 745 while (iplace > 0)
598 dopr_outch(buffer, currlen, maxlen, iconvert[--iplace]); 746 dopr_outch (buffer, currlen, maxlen, iconvert[--iplace]);
747
748#ifdef DEBUG_SNPRINTF
749 printf("fmtfp: fplace=%d zpadlen=%d\n", fplace, zpadlen);
750#endif
599 751
600 /* 752 /*
601 * Decimal point. This should probably use locale to find the 753 * Decimal point. This should probably use locale to find the correct
602 * correct char to print out. 754 * char to print out.
603 */ 755 */
604 dopr_outch(buffer, currlen, maxlen, '.'); 756 if (max > 0) {
605 757 dopr_outch (buffer, currlen, maxlen, '.');
606 while (fplace > 0) 758
607 dopr_outch(buffer, currlen, maxlen, fconvert[--fplace]); 759 while (zpadlen > 0) {
760 dopr_outch (buffer, currlen, maxlen, '0');
761 --zpadlen;
762 }
608 763
609 while (zpadlen > 0) { 764 while (fplace > 0)
610 dopr_outch(buffer, currlen, maxlen, '0'); 765 dopr_outch (buffer, currlen, maxlen, fconvert[--fplace]);
611 --zpadlen;
612 } 766 }
613 767
614 while (padlen < 0) { 768 while (padlen < 0) {
615 dopr_outch(buffer, currlen, maxlen, ' '); 769 dopr_outch (buffer, currlen, maxlen, ' ');
616 ++padlen; 770 ++padlen;
617 } 771 }
618} 772}
619 773
620static void 774static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c)
621dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c)
622{ 775{
623 if (*currlen < maxlen) 776 if (*currlen < maxlen) {
624 buffer[(*currlen)++] = c; 777 buffer[(*currlen)] = c;
778 }
779 (*currlen)++;
625} 780}
626#endif /* !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) */ 781#endif /* !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) */
627 782
628#ifndef HAVE_VSNPRINTF 783#if !defined(HAVE_VSNPRINTF)
629int 784int vsnprintf (char *str, size_t count, const char *fmt, va_list args)
630vsnprintf(char *str, size_t count, const char *fmt, va_list args)
631{ 785{
632 str[0] = 0; 786 return dopr(str, count, fmt, args);
633 dopr(str, count, fmt, args);
634
635 return(strlen(str));
636} 787}
637#endif /* !HAVE_VSNPRINTF */ 788#endif
638 789
639#ifndef HAVE_SNPRINTF 790#if !defined(HAVE_SNPRINTF)
640int 791int snprintf(char *str, size_t count, SNPRINTF_CONST char *fmt, ...)
641snprintf(char *str,size_t count,const char *fmt,...)
642{ 792{
793 size_t ret;
643 va_list ap; 794 va_list ap;
644 795
645 va_start(ap, fmt); 796 va_start(ap, fmt);
646 (void) vsnprintf(str, count, fmt, ap); 797 ret = vsnprintf(str, count, fmt, ap);
647 va_end(ap); 798 va_end(ap);
648 799 return ret;
649 return(strlen(str));
650} 800}
801#endif
651 802
652#endif /* !HAVE_SNPRINTF */
diff --git a/openbsd-compat/daemon.c b/openbsd-compat/daemon.c
index c0be5fff9..f8a0680bf 100644
--- a/openbsd-compat/daemon.c
+++ b/openbsd-compat/daemon.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/gen/daemon.c */ 1/* $OpenBSD: daemon.c,v 1.6 2005/08/08 08:05:33 espie Exp $ */
2
3/*- 2/*-
4 * Copyright (c) 1990, 1993 3 * Copyright (c) 1990, 1993
5 * The Regents of the University of California. All rights reserved. 4 * The Regents of the University of California. All rights reserved.
@@ -29,14 +28,12 @@
29 * SUCH DAMAGE. 28 * SUCH DAMAGE.
30 */ 29 */
31 30
31/* OPENBSD ORIGINAL: lib/libc/gen/daemon.c */
32
32#include "includes.h" 33#include "includes.h"
33 34
34#ifndef HAVE_DAEMON 35#ifndef HAVE_DAEMON
35 36
36#if defined(LIBC_SCCS) && !defined(lint)
37static char rcsid[] = "$OpenBSD: daemon.c,v 1.5 2003/07/15 17:32:41 deraadt Exp $";
38#endif /* LIBC_SCCS and not lint */
39
40int 37int
41daemon(int nochdir, int noclose) 38daemon(int nochdir, int noclose)
42{ 39{
diff --git a/openbsd-compat/dirname.c b/openbsd-compat/dirname.c
index 25ab34dd6..30fcb4968 100644
--- a/openbsd-compat/dirname.c
+++ b/openbsd-compat/dirname.c
@@ -1,9 +1,7 @@
1/* OPENBSD ORIGINAL: lib/libc/gen/dirname.c */ 1/* $OpenBSD: dirname.c,v 1.13 2005/08/08 08:05:33 espie Exp $ */
2
3/* $OpenBSD: dirname.c,v 1.10 2003/06/17 21:56:23 millert Exp $ */
4 2
5/* 3/*
6 * Copyright (c) 1997 Todd C. Miller <Todd.Miller@courtesan.com> 4 * Copyright (c) 1997, 2004 Todd C. Miller <Todd.Miller@courtesan.com>
7 * 5 *
8 * Permission to use, copy, modify, and distribute this software for any 6 * Permission to use, copy, modify, and distribute this software for any
9 * purpose with or without fee is hereby granted, provided that the above 7 * purpose with or without fee is hereby granted, provided that the above
@@ -18,13 +16,11 @@
18 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 */ 17 */
20 18
19/* OPENBSD ORIGINAL: lib/libc/gen/dirname.c */
20
21#include "includes.h" 21#include "includes.h"
22#ifndef HAVE_DIRNAME 22#ifndef HAVE_DIRNAME
23 23
24#ifndef lint
25static char rcsid[] = "$OpenBSD: dirname.c,v 1.10 2003/06/17 21:56:23 millert Exp $";
26#endif /* not lint */
27
28#include <errno.h> 24#include <errno.h>
29#include <string.h> 25#include <string.h>
30#include <sys/param.h> 26#include <sys/param.h>
@@ -32,16 +28,18 @@ static char rcsid[] = "$OpenBSD: dirname.c,v 1.10 2003/06/17 21:56:23 millert Ex
32char * 28char *
33dirname(const char *path) 29dirname(const char *path)
34{ 30{
35 static char bname[MAXPATHLEN]; 31 static char dname[MAXPATHLEN];
36 register const char *endp; 32 size_t len;
33 const char *endp;
37 34
38 /* Empty or NULL string gets treated as "." */ 35 /* Empty or NULL string gets treated as "." */
39 if (path == NULL || *path == '\0') { 36 if (path == NULL || *path == '\0') {
40 (void)strlcpy(bname, ".", sizeof bname); 37 dname[0] = '.';
41 return(bname); 38 dname[1] = '\0';
39 return (dname);
42 } 40 }
43 41
44 /* Strip trailing slashes */ 42 /* Strip any trailing slashes */
45 endp = path + strlen(path) - 1; 43 endp = path + strlen(path) - 1;
46 while (endp > path && *endp == '/') 44 while (endp > path && *endp == '/')
47 endp--; 45 endp--;
@@ -52,19 +50,23 @@ dirname(const char *path)
52 50
53 /* Either the dir is "/" or there are no slashes */ 51 /* Either the dir is "/" or there are no slashes */
54 if (endp == path) { 52 if (endp == path) {
55 (void)strlcpy(bname, *endp == '/' ? "/" : ".", sizeof bname); 53 dname[0] = *endp == '/' ? '/' : '.';
56 return(bname); 54 dname[1] = '\0';
55 return (dname);
57 } else { 56 } else {
57 /* Move forward past the separating slashes */
58 do { 58 do {
59 endp--; 59 endp--;
60 } while (endp > path && *endp == '/'); 60 } while (endp > path && *endp == '/');
61 } 61 }
62 62
63 if (endp - path + 2 > sizeof(bname)) { 63 len = endp - path + 1;
64 if (len >= sizeof(dname)) {
64 errno = ENAMETOOLONG; 65 errno = ENAMETOOLONG;
65 return(NULL); 66 return (NULL);
66 } 67 }
67 strlcpy(bname, path, endp - path + 2); 68 memcpy(dname, path, len);
68 return(bname); 69 dname[len] = '\0';
70 return (dname);
69} 71}
70#endif 72#endif
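Review bot: The comment added at new line 57, `/* Move forward past the separating slashes */`, says the opposite of what the loop under it does, since `endp--` walks back toward the start of `path`. `/* Move back past the separating slashes */` would match the code. The length handling after it looks right as written: rejecting `len >= sizeof(dname)` leaves room for the terminator that `dname[len] = '\0'` writes. Because the result lives in the static `dname`, a one-line comment above `dirname()` telling callers to copy it before the next call would also help. Part of the function body lies between the two hunks and is not shown.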
diff --git a/openbsd-compat/getcwd.c b/openbsd-compat/getcwd.c
index 19be59172..711cb9cd5 100644
--- a/openbsd-compat/getcwd.c
+++ b/openbsd-compat/getcwd.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/gen/getcwd.c */ 1/* $OpenBSD: getcwd.c,v 1.14 2005/08/08 08:05:34 espie Exp $ */
2
3/* 2/*
4 * Copyright (c) 1989, 1991, 1993 3 * Copyright (c) 1989, 1991, 1993
5 * The Regents of the University of California. All rights reserved. 4 * The Regents of the University of California. All rights reserved.
@@ -29,14 +28,12 @@
29 * SUCH DAMAGE. 28 * SUCH DAMAGE.
30 */ 29 */
31 30
31/* OPENBSD ORIGINAL: lib/libc/gen/getcwd.c */
32
32#include "includes.h" 33#include "includes.h"
33 34
34#if !defined(HAVE_GETCWD) 35#if !defined(HAVE_GETCWD)
35 36
36#if defined(LIBC_SCCS) && !defined(lint)
37static char rcsid[] = "$OpenBSD: getcwd.c,v 1.9 2003/06/11 21:03:10 deraadt Exp $";
38#endif /* LIBC_SCCS and not lint */
39
40#include <sys/param.h> 37#include <sys/param.h>
41#include <sys/stat.h> 38#include <sys/stat.h>
42#include <errno.h> 39#include <errno.h>
@@ -54,12 +51,12 @@ static char rcsid[] = "$OpenBSD: getcwd.c,v 1.9 2003/06/11 21:03:10 deraadt Exp
54char * 51char *
55getcwd(char *pt, size_t size) 52getcwd(char *pt, size_t size)
56{ 53{
57 register struct dirent *dp; 54 struct dirent *dp;
58 register DIR *dir = NULL; 55 DIR *dir = NULL;
59 register dev_t dev; 56 dev_t dev;
60 register ino_t ino; 57 ino_t ino;
61 register int first; 58 int first;
62 register char *bpt, *bup; 59 char *bpt, *bup;
63 struct stat s; 60 struct stat s;
64 dev_t root_dev; 61 dev_t root_dev;
65 ino_t root_ino; 62 ino_t root_ino;
@@ -80,7 +77,7 @@ getcwd(char *pt, size_t size)
80 } 77 }
81 ept = pt + size; 78 ept = pt + size;
82 } else { 79 } else {
83 if ((pt = malloc(ptsize = 1024 - 4)) == NULL) 80 if ((pt = malloc(ptsize = MAXPATHLEN)) == NULL)
84 return (NULL); 81 return (NULL);
85 ept = pt + ptsize; 82 ept = pt + ptsize;
86 } 83 }
@@ -88,13 +85,13 @@ getcwd(char *pt, size_t size)
88 *bpt = '\0'; 85 *bpt = '\0';
89 86
90 /* 87 /*
91 * Allocate bytes (1024 - malloc space) for the string of "../"'s. 88 * Allocate bytes for the string of "../"'s.
92 * Should always be enough (it's 340 levels). If it's not, allocate 89 * Should always be enough (it's 340 levels). If it's not, allocate
93 * as necessary. Special * case the first stat, it's ".", not "..". 90 * as necessary. Special * case the first stat, it's ".", not "..".
94 */ 91 */
95 if ((up = malloc(upsize = 1024 - 4)) == NULL) 92 if ((up = malloc(upsize = MAXPATHLEN)) == NULL)
96 goto err; 93 goto err;
97 eup = up + MAXPATHLEN; 94 eup = up + upsize;
98 bup = up; 95 bup = up;
99 up[0] = '.'; 96 up[0] = '.';
100 up[1] = '\0'; 97 up[1] = '\0';
@@ -139,18 +136,16 @@ getcwd(char *pt, size_t size)
139 136
140 if ((nup = realloc(up, upsize *= 2)) == NULL) 137 if ((nup = realloc(up, upsize *= 2)) == NULL)
141 goto err; 138 goto err;
139 bup = nup + (bup - up);
142 up = nup; 140 up = nup;
143 bup = up;
144 eup = up + upsize; 141 eup = up + upsize;
145 } 142 }
146 *bup++ = '.'; 143 *bup++ = '.';
147 *bup++ = '.'; 144 *bup++ = '.';
148 *bup = '\0'; 145 *bup = '\0';
149 146
150 /* Open and stat parent directory. 147 /* Open and stat parent directory. */
151 * RACE?? - replaced fstat(dirfd(dir), &s) w/ lstat(up,&s) 148 if (!(dir = opendir(up)) || fstat(dirfd(dir), &s))
152 */
153 if (!(dir = opendir(up)) || lstat(up,&s))
154 goto err; 149 goto err;
155 150
156 /* Add trailing slash for next directory. */ 151 /* Add trailing slash for next directory. */
@@ -175,7 +170,7 @@ getcwd(char *pt, size_t size)
175 goto notfound; 170 goto notfound;
176 if (ISDOT(dp)) 171 if (ISDOT(dp))
177 continue; 172 continue;
178 memmove(bup, dp->d_name, dp->d_namlen + 1); 173 memcpy(bup, dp->d_name, dp->d_namlen + 1);
179 174
180 /* Save the first error for later. */ 175 /* Save the first error for later. */
181 if (lstat(up, &s)) { 176 if (lstat(up, &s)) {
@@ -193,19 +188,18 @@ getcwd(char *pt, size_t size)
193 * leading slash. 188 * leading slash.
194 */ 189 */
195 if (bpt - pt < dp->d_namlen + (first ? 1 : 2)) { 190 if (bpt - pt < dp->d_namlen + (first ? 1 : 2)) {
196 size_t len, off; 191 size_t len;
197 char *npt; 192 char *npt;
198 193
199 if (!ptsize) { 194 if (!ptsize) {
200 errno = ERANGE; 195 errno = ERANGE;
201 goto err; 196 goto err;
202 } 197 }
203 off = bpt - pt;
204 len = ept - bpt; 198 len = ept - bpt;
205 if ((npt = realloc(pt, ptsize *= 2)) == NULL) 199 if ((npt = realloc(pt, ptsize *= 2)) == NULL)
206 goto err; 200 goto err;
201 bpt = npt + (bpt - pt);
207 pt = npt; 202 pt = npt;
208 bpt = pt + off;
209 ept = pt + ptsize; 203 ept = pt + ptsize;
210 memmove(ept - len, bpt, len); 204 memmove(ept - len, bpt, len);
211 bpt = ept - len; 205 bpt = ept - len;
@@ -213,7 +207,7 @@ getcwd(char *pt, size_t size)
213 if (!first) 207 if (!first)
214 *--bpt = '/'; 208 *--bpt = '/';
215 bpt -= dp->d_namlen; 209 bpt -= dp->d_namlen;
216 memmove(bpt, dp->d_name, dp->d_namlen); 210 memcpy(bpt, dp->d_name, dp->d_namlen);
217 (void)closedir(dir); 211 (void)closedir(dir);
218 212
219 /* Truncate any file name. */ 213 /* Truncate any file name. */
@@ -230,12 +224,16 @@ notfound:
230 errno = save_errno ? save_errno : ENOENT; 224 errno = save_errno ? save_errno : ENOENT;
231 /* FALLTHROUGH */ 225 /* FALLTHROUGH */
232err: 226err:
227 save_errno = errno;
228
233 if (ptsize) 229 if (ptsize)
234 free(pt); 230 free(pt);
235 if (up) 231 free(up);
236 free(up);
237 if (dir) 232 if (dir)
238 (void)closedir(dir); 233 (void)closedir(dir);
234
235 errno = save_errno;
236
239 return (NULL); 237 return (NULL);
240} 238}
241 239
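Review bot: Both realloc paths now compute the offset from the old pointer after realloc() has returned, in `bup = nup + (bup - up);` and `bpt = npt + (bpt - pt);`. When the block has moved, that subtraction uses pointers into storage that has already been released, and C leaves their value indeterminate. The removed `off = bpt - pt;`, taken before the call, was the strictly correct form. Saving the offset first, for example `off = bup - up;` before `realloc(up, upsize *= 2)` and then `bup = nup + off;`, keeps the fix for the old `bup = up` reset without relying on stale pointers. The body of getcwd() extends beyond the hunks shown.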
diff --git a/openbsd-compat/getgrouplist.c b/openbsd-compat/getgrouplist.c
index 59c164f44..a57d7d388 100644
--- a/openbsd-compat/getgrouplist.c
+++ b/openbsd-compat/getgrouplist.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/gen/getgrouplist.c */ 1/* $OpenBSD: getgrouplist.c,v 1.12 2005/08/08 08:05:34 espie Exp $ */
2
3/* 2/*
4 * Copyright (c) 1991, 1993 3 * Copyright (c) 1991, 1993
5 * The Regents of the University of California. All rights reserved. 4 * The Regents of the University of California. All rights reserved.
@@ -29,14 +28,12 @@
29 * SUCH DAMAGE. 28 * SUCH DAMAGE.
30 */ 29 */
31 30
31/* OPENBSD ORIGINAL: lib/libc/gen/getgrouplist.c */
32
32#include "includes.h" 33#include "includes.h"
33 34
34#ifndef HAVE_GETGROUPLIST 35#ifndef HAVE_GETGROUPLIST
35 36
36#if defined(LIBC_SCCS) && !defined(lint)
37static char rcsid[] = "$OpenBSD: getgrouplist.c,v 1.9 2003/06/25 21:16:47 deraadt Exp $";
38#endif /* LIBC_SCCS and not lint */
39
40/* 37/*
41 * get credential 38 * get credential
42 */ 39 */
@@ -46,14 +43,10 @@ static char rcsid[] = "$OpenBSD: getgrouplist.c,v 1.9 2003/06/25 21:16:47 deraad
46#include <grp.h> 43#include <grp.h>
47 44
48int 45int
49getgrouplist(uname, agroup, groups, grpcnt) 46getgrouplist(const char *uname, gid_t agroup, gid_t *groups, int *grpcnt)
50 const char *uname;
51 gid_t agroup;
52 register gid_t *groups;
53 int *grpcnt;
54{ 47{
55 register struct group *grp; 48 struct group *grp;
56 register int i, ngroups; 49 int i, ngroups;
57 int ret, maxgroups; 50 int ret, maxgroups;
58 int bail; 51 int bail;
59 52
diff --git a/openbsd-compat/getopt.c b/openbsd-compat/getopt.c
index f5ee6778d..5450e43d9 100644
--- a/openbsd-compat/getopt.c
+++ b/openbsd-compat/getopt.c
@@ -1,5 +1,3 @@
1/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt.c */
2
3/* 1/*
4 * Copyright (c) 1987, 1993, 1994 2 * Copyright (c) 1987, 1993, 1994
5 * The Regents of the University of California. All rights reserved. 3 * The Regents of the University of California. All rights reserved.
@@ -29,6 +27,8 @@
29 * SUCH DAMAGE. 27 * SUCH DAMAGE.
30 */ 28 */
31 29
30/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt.c */
31
32#include "includes.h" 32#include "includes.h"
33#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) 33#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET)
34 34
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
index 2016ffe31..bea6aea3b 100644
--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
@@ -1,6 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/net/getrrsetbyname.c */ 1/* $OpenBSD: getrrsetbyname.c,v 1.10 2005/03/30 02:58:28 tedu Exp $ */
2
3/* $OpenBSD: getrrsetbyname.c,v 1.7 2003/03/07 07:34:14 itojun Exp $ */
4 2
5/* 3/*
6 * Copyright (c) 2001 Jakob Schlyter. All rights reserved. 4 * Copyright (c) 2001 Jakob Schlyter. All rights reserved.
@@ -45,54 +43,26 @@
45 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 43 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
46 */ 44 */
47 45
46/* OPENBSD ORIGINAL: lib/libc/net/getrrsetbyname.c */
47
48#include "includes.h" 48#include "includes.h"
49 49
50#ifndef HAVE_GETRRSETBYNAME 50#ifndef HAVE_GETRRSETBYNAME
51 51
52#include "getrrsetbyname.h" 52#include "getrrsetbyname.h"
53 53
54#define ANSWER_BUFFER_SIZE 1024*64
55
56#if defined(HAVE_DECL_H_ERRNO) && !HAVE_DECL_H_ERRNO 54#if defined(HAVE_DECL_H_ERRNO) && !HAVE_DECL_H_ERRNO
57extern int h_errno; 55extern int h_errno;
58#endif 56#endif
59 57
60struct dns_query { 58/* We don't need multithread support here */
61 char *name; 59#ifdef _THREAD_PRIVATE
62 u_int16_t type; 60# undef _THREAD_PRIVATE
63 u_int16_t class; 61#endif
64 struct dns_query *next; 62#define _THREAD_PRIVATE(a,b,c) (c)
65}; 63struct __res_state _res;
66
67struct dns_rr {
68 char *name;
69 u_int16_t type;
70 u_int16_t class;
71 u_int16_t ttl;
72 u_int16_t size;
73 void *rdata;
74 struct dns_rr *next;
75};
76
77struct dns_response {
78 HEADER header;
79 struct dns_query *query;
80 struct dns_rr *answer;
81 struct dns_rr *authority;
82 struct dns_rr *additional;
83};
84
85static struct dns_response *parse_dns_response(const u_char *, int);
86static struct dns_query *parse_dns_qsection(const u_char *, int,
87 const u_char **, int);
88static struct dns_rr *parse_dns_rrsection(const u_char *, int, const u_char **,
89 int);
90
91static void free_dns_query(struct dns_query *);
92static void free_dns_rr(struct dns_rr *);
93static void free_dns_response(struct dns_response *);
94 64
95static int count_dns_rr(struct dns_rr *, u_int16_t, u_int16_t); 65/* Necessary functions and macros */
96 66
97/* 67/*
98 * Inline versions of get/put short/long. Pointer is advanced. 68 * Inline versions of get/put short/long. Pointer is advanced.
@@ -162,14 +132,56 @@ _getlong(msgp)
162u_int32_t _getlong(register const u_char *); 132u_int32_t _getlong(register const u_char *);
163#endif 133#endif
164 134
135/* ************** */
136
137#define ANSWER_BUFFER_SIZE 1024*64
138
139struct dns_query {
140 char *name;
141 u_int16_t type;
142 u_int16_t class;
143 struct dns_query *next;
144};
145
146struct dns_rr {
147 char *name;
148 u_int16_t type;
149 u_int16_t class;
150 u_int16_t ttl;
151 u_int16_t size;
152 void *rdata;
153 struct dns_rr *next;
154};
155
156struct dns_response {
157 HEADER header;
158 struct dns_query *query;
159 struct dns_rr *answer;
160 struct dns_rr *authority;
161 struct dns_rr *additional;
162};
163
164static struct dns_response *parse_dns_response(const u_char *, int);
165static struct dns_query *parse_dns_qsection(const u_char *, int,
166 const u_char **, int);
167static struct dns_rr *parse_dns_rrsection(const u_char *, int, const u_char **,
168 int);
169
170static void free_dns_query(struct dns_query *);
171static void free_dns_rr(struct dns_rr *);
172static void free_dns_response(struct dns_response *);
173
174static int count_dns_rr(struct dns_rr *, u_int16_t, u_int16_t);
175
165int 176int
166getrrsetbyname(const char *hostname, unsigned int rdclass, 177getrrsetbyname(const char *hostname, unsigned int rdclass,
167 unsigned int rdtype, unsigned int flags, 178 unsigned int rdtype, unsigned int flags,
168 struct rrsetinfo **res) 179 struct rrsetinfo **res)
169{ 180{
181 struct __res_state *_resp = _THREAD_PRIVATE(_res, _res, &_res);
170 int result; 182 int result;
171 struct rrsetinfo *rrset = NULL; 183 struct rrsetinfo *rrset = NULL;
172 struct dns_response *response; 184 struct dns_response *response = NULL;
173 struct dns_rr *rr; 185 struct dns_rr *rr;
174 struct rdatainfo *rdata; 186 struct rdatainfo *rdata;
175 int length; 187 int length;
@@ -195,19 +207,19 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
195 } 207 }
196 208
197 /* initialize resolver */ 209 /* initialize resolver */
198 if ((_res.options & RES_INIT) == 0 && res_init() == -1) { 210 if ((_resp->options & RES_INIT) == 0 && res_init() == -1) {
199 result = ERRSET_FAIL; 211 result = ERRSET_FAIL;
200 goto fail; 212 goto fail;
201 } 213 }
202 214
203#ifdef DEBUG 215#ifdef DEBUG
204 _res.options |= RES_DEBUG; 216 _resp->options |= RES_DEBUG;
205#endif /* DEBUG */ 217#endif /* DEBUG */
206 218
207#ifdef RES_USE_DNSSEC 219#ifdef RES_USE_DNSSEC
208 /* turn on DNSSEC if EDNS0 is configured */ 220 /* turn on DNSSEC if EDNS0 is configured */
209 if (_res.options & RES_USE_EDNS0) 221 if (_resp->options & RES_USE_EDNS0)
210 _res.options |= RES_USE_DNSSEC; 222 _resp->options |= RES_USE_DNSSEC;
211#endif /* RES_USE_DNSEC */ 223#endif /* RES_USE_DNSEC */
212 224
213 /* make query */ 225 /* make query */
@@ -257,13 +269,11 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
257#endif 269#endif
258 270
259 /* copy name from answer section */ 271 /* copy name from answer section */
260 length = strlen(response->answer->name); 272 rrset->rri_name = strdup(response->answer->name);
261 rrset->rri_name = malloc(length + 1);
262 if (rrset->rri_name == NULL) { 273 if (rrset->rri_name == NULL) {
263 result = ERRSET_NOMEMORY; 274 result = ERRSET_NOMEMORY;
264 goto fail; 275 goto fail;
265 } 276 }
266 strlcpy(rrset->rri_name, response->answer->name, length + 1);
267 277
268 /* count answers */ 278 /* count answers */
269 rrset->rri_nrdatas = count_dns_rr(response->answer, rrset->rri_rdclass, 279 rrset->rri_nrdatas = count_dns_rr(response->answer, rrset->rri_rdclass,
@@ -281,7 +291,7 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
281 291
282 /* allocate memory for signatures */ 292 /* allocate memory for signatures */
283 rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo)); 293 rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
284 if (rrset->rri_nsigs > 0 && rrset->rri_sigs == NULL) { 294 if (rrset->rri_sigs == NULL) {
285 result = ERRSET_NOMEMORY; 295 result = ERRSET_NOMEMORY;
286 goto fail; 296 goto fail;
287 } 297 }
@@ -311,6 +321,7 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
311 memcpy(rdata->rdi_data, rr->rdata, rr->size); 321 memcpy(rdata->rdi_data, rr->rdata, rr->size);
312 } 322 }
313 } 323 }
324 free_dns_response(response);
314 325
315 *res = rrset; 326 *res = rrset;
316 return (ERRSET_SUCCESS); 327 return (ERRSET_SUCCESS);
@@ -318,6 +329,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
318fail: 329fail:
319 if (rrset != NULL) 330 if (rrset != NULL)
320 freerrset(rrset); 331 freerrset(rrset);
332 if (response != NULL)
333 free_dns_response(response);
321 return (result); 334 return (result);
322} 335}
323 336
@@ -467,7 +480,8 @@ parse_dns_qsection(const u_char *answer, int size, const u_char **cp, int count)
467} 480}
468 481
469static struct dns_rr * 482static struct dns_rr *
470parse_dns_rrsection(const u_char *answer, int size, const u_char **cp, int count) 483parse_dns_rrsection(const u_char *answer, int size, const u_char **cp,
484 int count)
471{ 485{
472 struct dns_rr *head, *curr, *prev; 486 struct dns_rr *head, *curr, *prev;
473 int i, length; 487 int i, length;
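Review bot: The signature allocation check at new line 294 can now fail on a legitimate answer that carries no signatures. With `rri_nsigs == 0`, `calloc(0, sizeof(struct rdatainfo))` is allowed to return NULL, and the new `if (rrset->rri_sigs == NULL)` then reports ERRSET_NOMEMORY. This copy sits under `#ifndef HAVE_GETRRSETBYNAME`, so it presumably runs on C libraries whose zero-size allocation behaviour differs from OpenBSD's, and the old guard is worth keeping: `if (rrset->rri_nsigs > 0 && rrset->rri_sigs == NULL) {`. Whether the rdata allocation before it has the same shape is not visible in these hunks.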
diff --git a/openbsd-compat/glob.c b/openbsd-compat/glob.c
index 7fafc8c40..f6a04ea3f 100644
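--- a/openbsd-compat/glob.c
+++ b/openbsd-compat/glob.c
@@ -1,5 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/gen/glob.c */
-
+/* $OpenBSD: glob.c,v 1.25 2005/08/08 08:05:34 espie Exp $ */
 /*
  * Copyright (c) 1989, 1993
  * The Regents of the University of California. All rights reserved.
@@ -32,6 +31,8 @@
  * SUCH DAMAGE.
  */
 
+/* OPENBSD ORIGINAL: lib/libc/gen/glob.c */
+
 #include "includes.h"
 #include <ctype.h>
 
@@ -50,14 +51,6 @@ get_arg_max(void)
 #if !defined(HAVE_GLOB) || !defined(GLOB_HAS_ALTDIRFUNC) || \
  !defined(GLOB_HAS_GL_MATCHC)
 
-#if defined(LIBC_SCCS) && !defined(lint)
-#if 0
-static char sccsid[] = "@(#)glob.c 8.3 (Berkeley) 10/13/93";
-#else
-static char rcsid[] = "$OpenBSD: glob.c,v 1.22 2003/06/25 21:16:47 deraadt Exp $";
-#endif
-#endif /* LIBC_SCCS and not lint */
-
 /*
  * glob(3) -- a superset of the one defined in POSIX 1003.2.
  *
@@ -158,10 +151,8 @@ static void qprintf(const char *, Char *);
 #endif
 
 int
-glob(pattern, flags, errfunc, pglob)
- const char *pattern;
- int flags, (*errfunc)(const char *, int);
- glob_t *pglob;
+glob(const char *pattern, int flags, int (*errfunc)(const char *, int),
+ glob_t *pglob)
 {
  const u_char *patnext;
  int c;
@@ -209,9 +200,7 @@ glob(pattern, flags, errfunc, pglob)
  * characters
  */
 static int
-globexp1(pattern, pglob)
- const Char *pattern;
- glob_t *pglob;
+globexp1(const Char *pattern, glob_t *pglob)
 {
  const Char* ptr = pattern;
  int rv;
@@ -234,10 +223,7 @@ globexp1(pattern, pglob)
  * If it fails then it tries to glob the rest of the pattern and returns.
  */
 static int
-globexp2(ptr, pattern, pglob, rv)
- const Char *ptr, *pattern;
- glob_t *pglob;
- int *rv;
+globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv)
 {
  int i;
  Char *lm, *ls;
@@ -342,11 +328,7 @@ globexp2(ptr, pattern, pglob, rv)
  * expand tilde from the passwd file.
  */
 static const Char *
-globtilde(pattern, patbuf, patbuf_len, pglob)
- const Char *pattern;
- Char *patbuf;
- size_t patbuf_len;
- glob_t *pglob;
+globtilde(const Char *pattern, Char *patbuf, size_t patbuf_len, glob_t *pglob)
 {
  struct passwd *pwd;
  char *h;
@@ -414,9 +396,7 @@ globtilde(pattern, patbuf, patbuf_len, pglob)
  * to find no matches.
  */
 static int
-glob0(pattern, pglob)
- const Char *pattern;
- glob_t *pglob;
+glob0(const Char *pattern, glob_t *pglob)
 {
  const Char *qpatnext;
  int c, err, oldpathc;
@@ -503,17 +483,13 @@ glob0(pattern, pglob)
 }
 
 static int
-compare(p, q)
- const void *p, *q;
+compare(const void *p, const void *q)
 {
  return(strcmp(*(char **)p, *(char **)q));
 }
 
 static int
-glob1(pattern, pattern_last, pglob, limitp)
- Char *pattern, *pattern_last;
- glob_t *pglob;
- size_t *limitp;
+glob1(Char *pattern, Char *pattern_last, glob_t *pglob, size_t *limitp)
 {
  Char pathbuf[MAXPATHLEN];
 
@@ -531,12 +507,8 @@ glob1(pattern, pattern_last, pglob, limitp)
  * meta characters.
  */
 static int
-glob2(pathbuf, pathbuf_last, pathend, pathend_last, pattern,
- pattern_last, pglob, limitp)
- Char *pathbuf, *pathbuf_last, *pathend, *pathend_last;
- Char *pattern, *pattern_last;
- glob_t *pglob;
- size_t *limitp;
+glob2(Char *pathbuf, Char *pathbuf_last, Char *pathend, Char *pathend_last,
+ Char *pattern, Char *pattern_last, glob_t *pglob, size_t *limitp)
 {
  struct stat sb;
  Char *p, *q;
@@ -595,14 +567,11 @@ glob2(pathbuf, pathbuf_last, pathend, pathend_last, pattern,
 }
 
 static int
-glob3(pathbuf, pathbuf_last, pathend, pathend_last, pattern, pattern_last,
- restpattern, restpattern_last, pglob, limitp)
- Char *pathbuf, *pathbuf_last, *pathend, *pathend_last;
- Char *pattern, *pattern_last, *restpattern, *restpattern_last;
- glob_t *pglob;
- size_t *limitp;
+glob3(Char *pathbuf, Char *pathbuf_last, Char *pathend, Char *pathend_last,
+ Char *pattern, Char *pattern_last, Char *restpattern,
+ Char *restpattern_last, glob_t *pglob, size_t *limitp)
 {
- register struct dirent *dp;
+ struct dirent *dp;
  DIR *dirp;
  int err;
  char buf[MAXPATHLEN];
@@ -640,8 +609,8 @@ glob3(pathbuf, pathbuf_last, pathend, pathend_last, pattern, pattern_last,
  else
  readdirfunc = (struct dirent *(*)(void *))readdir;
  while ((dp = (*readdirfunc)(dirp))) {
- register u_char *sc;
- register Char *dc;
+ u_char *sc;
+ Char *dc;
 
  /* Initial DOT must be matched literally. */
  if (dp->d_name[0] == DOT && *pattern != DOT)
@@ -689,13 +658,10 @@ glob3(pathbuf, pathbuf_last, pathend, pathend_last, pattern, pattern_last,
  * gl_pathv points to (gl_offs + gl_pathc + 1) items.
  */
 static int
-globextend(path, pglob, limitp)
- const Char *path;
- glob_t *pglob;
- size_t *limitp;
+globextend(const Char *path, glob_t *pglob, size_t *limitp)
 {
- register char **pathv;
- register int i;
+ char **pathv;
+ int i;
  u_int newsize, len;
  char *copy;
  const Char *p;
@@ -747,8 +713,7 @@ globextend(path, pglob, limitp)
  * pattern causes a recursion level.
  */
 static int
-match(name, pat, patend)
- register Char *name, *pat, *patend;
+match(Char *name, Char *pat, Char *patend)
 {
  int ok, negate_range;
  Char c, k;
@@ -759,11 +724,10 @@ match(name, pat, patend)
  case M_ALL:
  if (pat == patend)
  return(1);
- do
+ do {
  if (match(name, pat, patend))
  return(1);
- while (*name++ != EOS)
- ;
+ } while (*name++ != EOS);
  return(0);
  case M_ONE:
  if (*name++ == EOS)
@@ -796,11 +760,10 @@ match(name, pat, patend)
 
 /* Free allocated data belonging to a glob_t structure. */
 void
-globfree(pglob)
- glob_t *pglob;
+globfree(glob_t *pglob)
 {
- register int i;
- register char **pp;
+ int i;
+ char **pp;
 
  if (pglob->gl_pathv != NULL) {
  pp = pglob->gl_pathv + pglob->gl_offs;
@@ -813,9 +776,7 @@ globfree(pglob)
 }
 
 static DIR *
-g_opendir(str, pglob)
- register Char *str;
- glob_t *pglob;
+g_opendir(Char *str, glob_t *pglob)
 {
  char buf[MAXPATHLEN];
 
@@ -833,10 +794,7 @@ g_opendir(str, pglob)
 }
 
 static int
-g_lstat(fn, sb, pglob)
- register Char *fn;
- struct stat *sb;
- glob_t *pglob;
+g_lstat(Char *fn, struct stat *sb, glob_t *pglob)
 {
  char buf[MAXPATHLEN];
 
@@ -848,10 +806,7 @@ g_lstat(fn, sb, pglob)
 }
 
 static int
-g_stat(fn, sb, pglob)
- register Char *fn;
- struct stat *sb;
- glob_t *pglob;
+g_stat(Char *fn, struct stat *sb, glob_t *pglob)
 {
  char buf[MAXPATHLEN];
 
@@ -863,9 +818,7 @@ g_stat(fn, sb, pglob)
 }
 
 static Char *
-g_strchr(str, ch)
- Char *str;
- int ch;
+g_strchr(Char *str, int ch)
 {
  do {
  if (*str == ch)
@@ -875,10 +828,7 @@ g_strchr(str, ch)
 }
 
 static int
-g_Ctoc(str, buf, len)
- register const Char *str;
- char *buf;
- u_int len;
+g_Ctoc(const Char *str, char *buf, u_int len)
 {
 
  while (len--) {
@@ -890,11 +840,9 @@ g_Ctoc(str, buf, len)
 
 #ifdef DEBUG
 static void
-qprintf(str, s)
- const char *str;
- register Char *s;
+qprintf(const char *str, Char *s)
 {
- register Char *p;
+ Char *p;
 
  (void)printf("%s:\n", str);
  for (p = s; *p; p++)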
diff --git a/openbsd-compat/glob.h b/openbsd-compat/glob.h
index 3428b2013..4fdbfc1ea 100644
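--- a/openbsd-compat/glob.h
+++ b/openbsd-compat/glob.h
@@ -1,6 +1,4 @@
-/* OPENBSD ORIGINAL: include/glob.h */
-
-/* $OpenBSD: glob.h,v 1.8 2003/06/02 19:34:12 millert Exp $ */
+/* $OpenBSD: glob.h,v 1.9 2004/10/07 16:56:11 millert Exp $ */
 /* $NetBSD: glob.h,v 1.5 1994/10/26 00:55:56 cgd Exp $ */
 
 /*
@@ -37,6 +35,8 @@
  * @(#)glob.h 8.1 (Berkeley) 6/2/93
  */
 
+/* OPENBSD ORIGINAL: include/glob.h */
+
 #if !defined(HAVE_GLOB_H) || !defined(GLOB_HAS_ALTDIRFUNC) || \
  !defined(GLOB_HAS_GL_MATCHC)
 
@@ -72,6 +72,7 @@ typedef struct {
 #define GLOB_MARK 0x0008 /* Append / to matching directories. */
 #define GLOB_NOCHECK 0x0010 /* Return pattern itself if nothing matches. */
 #define GLOB_NOSORT 0x0020 /* Don't sort. */
+#define GLOB_NOESCAPE 0x1000 /* Disable backslash escaping. */
 
 #define GLOB_ALTDIRFUNC 0x0040 /* Use alternately specified directory funcs. */
 #define GLOB_BRACE 0x0080 /* Expand braces ala csh. */
@@ -79,7 +80,6 @@ typedef struct {
 #define GLOB_NOMAGIC 0x0200 /* GLOB_NOCHECK without magic chars (csh). */
 #define GLOB_QUOTE 0x0400 /* Quote special chars with \. */
 #define GLOB_TILDE 0x0800 /* Expand tilde names from the passwd file. */
-#define GLOB_NOESCAPE 0x1000 /* Disable backslash escaping. */
 #define GLOB_LIMIT 0x2000 /* Limit pattern match output to ARG_MAX */
 
 /* Error values returned by glob(3) */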
diff --git a/openbsd-compat/inet_aton.c b/openbsd-compat/inet_aton.c
index c141bcc68..130597e14 100644
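--- a/openbsd-compat/inet_aton.c
+++ b/openbsd-compat/inet_aton.c
@@ -1,6 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/net/inet_addr.c */
-
-/* $OpenBSD: inet_addr.c,v 1.7 2003/06/02 20:18:35 millert Exp $ */
+/* $OpenBSD: inet_addr.c,v 1.9 2005/08/06 20:30:03 espie Exp $ */
 
 /*
  * Copyright (c) 1983, 1990, 1993
@@ -51,19 +49,12 @@
  * --Copyright--
  */
 
+/* OPENBSD ORIGINAL: lib/libc/net/inet_addr.c */
+
 #include "includes.h"
 
 #if !defined(HAVE_INET_ATON)
 
-#if defined(LIBC_SCCS) && !defined(lint)
-#if 0
-static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$From: inet_addr.c,v 8.5 1996/08/05 08:31:35 vixie Exp $";
-#else
-static char rcsid[] = "$OpenBSD: inet_addr.c,v 1.7 2003/06/02 20:18:35 millert Exp $";
-#endif
-#endif /* LIBC_SCCS and not lint */
-
 #include <sys/types.h>
 #include <sys/param.h>
 #include <netinet/in.h>
@@ -76,8 +67,7 @@ static char rcsid[] = "$OpenBSD: inet_addr.c,v 1.7 2003/06/02 20:18:35 millert E
  * The value returned is in network order.
  */
 in_addr_t
-inet_addr(cp)
- register const char *cp;
+inet_addr(const char *cp)
 {
  struct in_addr val;
 
@@ -97,11 +87,11 @@ inet_addr(cp)
 int
 inet_aton(const char *cp, struct in_addr *addr)
 {
- register u_int32_t val;
- register int base, n;
- register char c;
- unsigned int parts[4];
- register unsigned int *pp = parts;
+ u_int32_t val;
+ int base, n;
+ char c;
+ u_int parts[4];
+ u_int *pp = parts;
 
  c = *cp;
  for (;;) {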
diff --git a/openbsd-compat/inet_ntoa.c b/openbsd-compat/inet_ntoa.c
index dc010dc53..0eb7b3bd7 100644
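--- a/openbsd-compat/inet_ntoa.c
+++ b/openbsd-compat/inet_ntoa.c
@@ -1,5 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/net/inet_ntoa.c */
-
+/* $OpenBSD: inet_ntoa.c,v 1.6 2005/08/06 20:30:03 espie Exp $ */
 /*
  * Copyright (c) 1983, 1993
  * The Regents of the University of California. All rights reserved.
@@ -29,14 +28,12 @@
  * SUCH DAMAGE.
  */
 
+/* OPENBSD ORIGINAL: lib/libc/net/inet_ntoa.c */
+
 #include "includes.h"
 
 #if defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA)
 
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$OpenBSD: inet_ntoa.c,v 1.4 2003/06/02 20:18:35 millert Exp $";
-#endif /* LIBC_SCCS and not lint */
-
 /*
  * Convert network-format internet address
  * to base 256 d.d.d.d representation.
@@ -46,10 +43,11 @@ static char rcsid[] = "$OpenBSD: inet_ntoa.c,v 1.4 2003/06/02 20:18:35 millert E
 #include <arpa/inet.h>
 #include <stdio.h>
 
-char *inet_ntoa(struct in_addr in)
+char *
+inet_ntoa(struct in_addr in)
 {
  static char b[18];
- register char *p;
+ char *p;
 
  p = (char *)&in;
 #define UC(b) (((int)b)&0xff)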
diff --git a/openbsd-compat/inet_ntop.c b/openbsd-compat/inet_ntop.c
index 47796c370..e7ca4b7f8 100644
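--- a/openbsd-compat/inet_ntop.c
+++ b/openbsd-compat/inet_ntop.c
@@ -1,6 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/net/inet_ntop.c */
-
-/* $OpenBSD: inet_ntop.c,v 1.5 2002/08/23 16:27:31 itojun Exp $ */
+/* $OpenBSD: inet_ntop.c,v 1.7 2005/08/06 20:30:03 espie Exp $ */
 
 /* Copyright (c) 1996 by Internet Software Consortium.
  *
@@ -18,18 +16,12 @@
  * SOFTWARE.
  */
 
+/* OPENBSD ORIGINAL: lib/libc/net/inet_ntop.c */
+
 #include "includes.h"
 
 #ifndef HAVE_INET_NTOP
 
-#if defined(LIBC_SCCS) && !defined(lint)
-#if 0
-static char rcsid[] = "$From: inet_ntop.c,v 8.7 1996/08/05 08:41:18 vixie Exp $";
-#else
-static char rcsid[] = "$OpenBSD: inet_ntop.c,v 1.5 2002/08/23 16:27:31 itojun Exp $";
-#endif
-#endif /* LIBC_SCCS and not lint */
-
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -65,11 +57,7 @@ static const char *inet_ntop6(const u_char *src, char *dst, size_t size);
  * Paul Vixie, 1996.
  */
 const char *
-inet_ntop(af, src, dst, size)
- int af;
- const void *src;
- char *dst;
- size_t size;
+inet_ntop(int af, const void *src, char *dst, size_t size)
 {
  switch (af) {
  case AF_INET:
@@ -95,10 +83,7 @@ inet_ntop(af, src, dst, size)
  * Paul Vixie, 1996.
  */
 static const char *
-inet_ntop4(src, dst, size)
- const u_char *src;
- char *dst;
- size_t size;
+inet_ntop4(const u_char *src, char *dst, size_t size)
 {
  static const char fmt[] = "%u.%u.%u.%u";
  char tmp[sizeof "255.255.255.255"];
@@ -120,10 +105,7 @@ inet_ntop4(src, dst, size)
  * Paul Vixie, 1996.
  */
 static const char *
-inet_ntop6(src, dst, size)
- const u_char *src;
- char *dst;
- size_t size;
+inet_ntop6(const u_char *src, char *dst, size_t size)
 {
  /*
  * Note that int32_t and int16_t need only be "at least" large enough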
diff --git a/openbsd-compat/mktemp.c b/openbsd-compat/mktemp.c
index 969f69580..88e04c520 100644
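--- a/openbsd-compat/mktemp.c
+++ b/openbsd-compat/mktemp.c
@@ -1,8 +1,7 @@
-/* OPENBSD ORIGINAL: lib/libc/stdio/mktemp.c */
-
 /* THIS FILE HAS BEEN MODIFIED FROM THE ORIGINAL OPENBSD SOURCE */
 /* Changes: Removed mktemp */
 
+/* $OpenBSD: mktemp.c,v 1.19 2005/08/08 08:05:36 espie Exp $ */
 /*
  * Copyright (c) 1987, 1993
  * The Regents of the University of California. All rights reserved.
@@ -32,20 +31,16 @@
  * SUCH DAMAGE.
  */
 
+/* OPENBSD ORIGINAL: lib/libc/stdio/mktemp.c */
+
 #include "includes.h"
 
 #if !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP)
 
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$OpenBSD: mktemp.c,v 1.17 2003/06/02 20:18:37 millert Exp $";
-#endif /* LIBC_SCCS and not lint */
-
 static int _gettemp(char *, int *, int, int);
 
 int
-mkstemps(path, slen)
- char *path;
- int slen;
+mkstemps(char *path, int slen)
 {
  int fd;
 
@@ -53,8 +48,7 @@ mkstemps(path, slen)
 }
 
 int
-mkstemp(path)
- char *path;
+mkstemp(char *path)
 {
  int fd;
 
@@ -62,8 +56,7 @@ mkstemp(path)
 }
 
 char *
-mkdtemp(path)
- char *path;
+mkdtemp(char *path)
 {
  return(_gettemp(path, (int *)NULL, 1, 0) ? path : (char *)NULL);
 }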
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index ba68bc27e..1a3027353 100644
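--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openbsd-compat.h,v 1.30 2005/08/26 20:15:20 tim Exp $ */
+/* $Id: openbsd-compat.h,v 1.33 2005/12/31 05:33:37 djm Exp $ */
 
 /*
  * Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@@ -142,6 +142,10 @@ unsigned int arc4random(void);
 void arc4random_stir(void);
 #endif /* !HAVE_ARC4RANDOM */
 
+#ifndef HAVE_ASPRINTF
+int asprintf(char **, const char *, ...);
+#endif
+
 #ifndef HAVE_OPENPTY
 int openpty(int *, int *, char *, struct termios *, struct winsize *);
 #endif /* HAVE_OPENPTY */
@@ -152,10 +156,18 @@ int openpty(int *, int *, char *, struct termios *, struct winsize *);
 int snprintf(char *, size_t, const char *, ...);
 #endif
 
+#ifndef HAVE_STRTOLL
+long long strtoll(const char *, char **, int);
+#endif
+
 #ifndef HAVE_STRTONUM
 long long strtonum(const char *, long long, long long, const char **);
 #endif
 
+#ifndef HAVE_VASPRINTF
+int vasprintf(char **, const char *, va_list);
+#endif
+
 #ifndef HAVE_VSNPRINTF
 int vsnprintf(char *, size_t, const char *, va_list);
 #endif
@@ -174,5 +186,6 @@ char *shadow_pw(struct passwd *pw);
 #include "port-irix.h"
 #include "port-aix.h"
 #include "port-uw.h"
+#include "port-tun.h"
 
 #endif /* _OPENBSD_COMPAT_H */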
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index d9b2fa55f..8a015ec43 100644
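--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openssl-compat.h,v 1.1 2005/06/09 11:45:11 dtucker Exp $ */
+/* $Id: openssl-compat.h,v 1.3 2005/12/19 06:40:40 dtucker Exp $ */
 
 /*
  * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -24,7 +24,11 @@
 # define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#if (OPENSSL_VERSION_NUMBER < 0x00907000L) || defined(OPENSSL_LOBOTOMISED_AES)
+# define USE_BUILTIN_RIJNDAEL
+#endif
+
+#ifdef USE_BUILTIN_RIJNDAEL
 # define EVP_aes_128_cbc evp_rijndael
 # define EVP_aes_192_cbc evp_rijndael
 # define EVP_aes_256_cbc evp_rijndael
@@ -43,7 +47,12 @@ extern const EVP_CIPHER *evp_acss(void);
 #endif
 
 /*
- * insert comment here
+ * We overload some of the OpenSSL crypto functions with ssh_* equivalents
+ * which cater for older and/or less featureful OpenSSL version.
+ *
+ * In order for the compat library to call the real functions, it must
+ * define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and
+ * implement the ssh_* equivalents.
  */
 #ifdef SSH_OLD_EVP
 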
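Review bot: The new test `#if (OPENSSL_VERSION_NUMBER < 0x00907000L) || defined(OPENSSL_LOBOTOMISED_AES)` in the second hunk has no comment saying what `OPENSSL_LOBOTOMISED_AES` denotes or where it is set, so a reader of this header cannot tell when the `EVP_aes_*_cbc` names are redirected to `evp_rijndael`. A one-line comment above it would cover this, for example `/* Use the bundled rijndael when OpenSSL is too old or its AES is restricted (OPENSSL_LOBOTOMISED_AES; presumably set by configure, confirm) */`. In the rewritten block comment of the last hunk, "OpenSSL version" should read "OpenSSL versions".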
diff --git a/openbsd-compat/port-tun.c b/openbsd-compat/port-tun.c
new file mode 100644
index 000000000..31921615f
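--- /dev/null
+++ b/openbsd-compat/port-tun.c
@@ -0,0 +1,252 @@
+/*
+ * Copyright (c) 2005 Reyk Floeter <reyk@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#include "log.h"
+#include "misc.h"
+#include "bufaux.h"
+
+/*
+ * This is the portable version of the SSH tunnel forwarding, it
+ * uses some preprocessor definitions for various platform-specific
+ * settings.
+ *
+ * SSH_TUN_LINUX Use the (newer) Linux tun/tap device
+ * SSH_TUN_COMPAT_AF Translate the OpenBSD address family
+ * SSH_TUN_PREPEND_AF Prepend/remove the address family
+ */
+
+/*
+ * System-specific tunnel open function
+ */
+
+#if defined(SSH_TUN_LINUX)
+#include <linux/if.h>
+#include <linux/if_tun.h>
+
+int
+sys_tun_open(int tun, int mode)
+{
+ struct ifreq ifr;
+ int fd = -1;
+ const char *name = NULL;
+
+ if ((fd = open("/dev/net/tun", O_RDWR)) == -1) {
+ debug("%s: failed to open tunnel control interface: %s",
+ __func__, strerror(errno));
+ return (-1);
+ }
+
+ bzero(&ifr, sizeof(ifr));
+
+ if (mode == SSH_TUNMODE_ETHERNET) {
+ ifr.ifr_flags = IFF_TAP;
+ name = "tap%d";
+ } else {
+ ifr.ifr_flags = IFF_TUN;
+ name = "tun%d";
+ }
+ ifr.ifr_flags |= IFF_NO_PI;
+
+ if (tun != SSH_TUNID_ANY) {
+ if (tun > SSH_TUNID_MAX) {
+ debug("%s: invalid tunnel id %x: %s", __func__,
+ tun, strerror(errno));
+ goto failed;
+ }
+ snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), name, tun);
+ }
+
+ if (ioctl(fd, TUNSETIFF, &ifr) == -1) {
+ debug("%s: failed to configure tunnel (mode %d): %s", __func__,
+ mode, strerror(errno));
+ goto failed;
+ }
+
+ if (tun == SSH_TUNID_ANY)
+ debug("%s: tunnel mode %d fd %d", __func__, mode, fd);
+ else
+ debug("%s: %s mode %d fd %d", __func__, ifr.ifr_name, mode, fd);
+
+ return (fd);
+
+ failed:
+ close(fd);
+ return (-1);
+}
+#endif /* SSH_TUN_LINUX */
+
+#ifdef SSH_TUN_FREEBSD
+#include <sys/socket.h>
+#include <net/if.h>
+#include <net/if_tun.h>
+
+int
+sys_tun_open(int tun, int mode)
+{
+ struct ifreq ifr;
+ char name[100];
+ int fd = -1, sock, flag;
+ const char *tunbase = "tun";
+
+ if (mode == SSH_TUNMODE_ETHERNET) {
+#ifdef SSH_TUN_NO_L2
+ debug("%s: no layer 2 tunnelling support", __func__);
+ return (-1);
+#else
+ tunbase = "tap";
+#endif
+ }
+
+ /* Open the tunnel device */
+ if (tun <= SSH_TUNID_MAX) {
+ snprintf(name, sizeof(name), "/dev/%s%d", tunbase, tun);
+ fd = open(name, O_RDWR);
+ } else if (tun == SSH_TUNID_ANY) {
+ for (tun = 100; tun >= 0; tun--) {
+ snprintf(name, sizeof(name), "/dev/%s%d",
+ tunbase, tun);
+ if ((fd = open(name, O_RDWR)) >= 0)
+ break;
+ }
+ } else {
+ debug("%s: invalid tunnel %u\n", __func__, tun);
+ return (-1);
+ }
+
+ if (fd < 0) {
+ debug("%s: %s open failed: %s", __func__, name,
+ strerror(errno));
+ return (-1);
+ }
+
+ /* Turn on tunnel headers */
+ flag = 1;
+#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+ if (mode != SSH_TUNMODE_ETHERNET &&
+ ioctl(fd, TUNSIFHEAD, &flag) == -1) {
+ debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd,
+ strerror(errno));
+ close(fd);
+ }
+#endif
+
+ debug("%s: %s mode %d fd %d", __func__, name, mode, fd);
+
+ /* Set the tunnel device operation mode */
+ snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s%d", tunbase, tun);
+ if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1)
+ goto failed;
+
+ if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1)
+ goto failed;
+ ifr.ifr_flags |= IFF_UP;
+ if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1)
+ goto failed;
+
+ close(sock);
+ return (fd);
+
+ failed:
+ if (fd >= 0)
+ close(fd);
+ if (sock >= 0)
+ close(sock);
+ debug("%s: failed to set %s mode %d: %s", __func__, name,
+ mode, strerror(errno));
+ return (-1);
+}
+#endif /* SSH_TUN_FREEBSD */
+
+/*
+ * System-specific channel filters
+ */
+
+#if defined(SSH_TUN_FILTER)
+#define OPENBSD_AF_INET 2
+#define OPENBSD_AF_INET6 24
+
+int
+sys_tun_infilter(struct Channel *c, char *buf, int len)
+{
+#if defined(SSH_TUN_PREPEND_AF)
+ char rbuf[CHAN_RBUF];
+ struct ip *iph;
+#endif
+ u_int32_t *af;
+ char *ptr = buf;
+
+#if defined(SSH_TUN_PREPEND_AF)
+ if (len <= 0 || len > (int)(sizeof(rbuf) - sizeof(*af)))
+ return (-1);
+ ptr = (char *)&rbuf[0];
+ bcopy(buf, ptr + sizeof(u_int32_t), len);
+ len += sizeof(u_int32_t);
+ af = (u_int32_t *)ptr;
+
+ iph = (struct ip *)(ptr + sizeof(u_int32_t));
+ switch (iph->ip_v) {
+ case 6:
+ *af = AF_INET6;
+ break;
+ case 4:
+ default:
+ *af = AF_INET;
+ break;
+ }
+#endif
+
+#if defined(SSH_TUN_COMPAT_AF)
+ if (len < (int)sizeof(u_int32_t))
+ return (-1);
+
+ af = (u_int32_t *)ptr;
+ if (*af == htonl(AF_INET6))
+ *af = htonl(OPENBSD_AF_INET6);
+ else
+ *af = htonl(OPENBSD_AF_INET);
+#endif
+
+ buffer_put_string(&c->input, ptr, len);
+ return (0);
+}
+
+u_char *
+sys_tun_outfilter(struct Channel *c, u_char **data, u_int *dlen)
+{
+ u_char *buf;
+ u_int32_t *af;
+
+ *data = buffer_get_string(&c->output, dlen);
+ if (*dlen < sizeof(*af))
+ return (NULL);
+ buf = *data;
+
+#if defined(SSH_TUN_PREPEND_AF)
+ *dlen -= sizeof(u_int32_t);
+ buf = *data + sizeof(u_int32_t);
+#elif defined(SSH_TUN_COMPAT_AF)
+ af = ntohl(*(u_int32_t *)buf);
+ if (*af == OPENBSD_AF_INET6)
+ *af = htonl(AF_INET6);
+ else
+ *af = htonl(AF_INET);
+#endif
+
+ return (buf);
+}
+#endif /* SSH_TUN_FILTER */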
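Review bot: In the SSH_TUN_COMPAT_AF branch of sys_tun_outfilter, `af` is declared `u_int32_t *` but is assigned `ntohl(*(u_int32_t *)buf)`, so the following `*af` reads and writes through a pointer built from the first four bytes of channel data instead of rewriting the address family in `buf`. Making `af` a plain `u_int32_t`, comparing it by value and storing the translated family back through `buf` fixes this, as in the excerpt below. Separately, in the SSH_TUN_FREEBSD sys_tun_open a failed TUNSIFHEAD ioctl closes `fd` but falls through, and the function can later return the closed descriptor; `close(fd); return (-1);` is needed there rather than `goto failed`, because `sock` is not yet assigned at that point. In sys_tun_infilter the SSH_TUN_PREPEND_AF block stores `AF_INET6` in host order while the SSH_TUN_COMPAT_AF block compares against `htonl(AF_INET6)`, so with both defined the IPv6 case looks unreachable on little-endian hosts; storing `htonl(...)` in the first block would make the two agree.

```c
sys_tun_outfilter(struct Channel *c, u_char **data, u_int *dlen)
{
	/* … unchanged: declaration of buf … */
	u_int32_t af;

	/* … unchanged: buffer_get_string call … */
	if (*dlen < sizeof(af))
		return (NULL);
	/* … unchanged: buf = *data and the SSH_TUN_PREPEND_AF branch … */
#elif defined(SSH_TUN_COMPAT_AF)
	af = ntohl(*(u_int32_t *)buf);
	if (af == OPENBSD_AF_INET6)
		*(u_int32_t *)buf = htonl(AF_INET6);
	else
		*(u_int32_t *)buf = htonl(AF_INET);
	/* … unchanged: #endif and return (buf) … */
```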
diff --git a/openbsd-compat/port-tun.h b/openbsd-compat/port-tun.h
new file mode 100644
index 000000000..86d9272b4
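--- /dev/null
+++ b/openbsd-compat/port-tun.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2005 Reyk Floeter <reyk@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _PORT_TUN_H
+#define _PORT_TUN_H
+
+#include "channels.h"
+
+#if defined(SSH_TUN_LINUX) || defined(SSH_TUN_FREEBSD)
+# define CUSTOM_SYS_TUN_OPEN
+int sys_tun_open(int, int);
+#endif
+
+#if defined(SSH_TUN_COMPAT_AF) || defined(SSH_TUN_PREPEND_AF)
+# define SSH_TUN_FILTER
+int sys_tun_infilter(struct Channel *, char *, int);
+u_char *sys_tun_outfilter(struct Channel *, u_char **, u_int *);
+#endif
+
+#endif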
diff --git a/openbsd-compat/port-uw.c b/openbsd-compat/port-uw.c
index d881ff028..c64427121 100644
--- a/openbsd-compat/port-uw.c
+++ b/openbsd-compat/port-uw.c
@@ -25,7 +25,7 @@
25 25
26#include "includes.h" 26#include "includes.h"
27 27
28#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF) 28#ifdef HAVE_LIBIAF
29#ifdef HAVE_CRYPT_H 29#ifdef HAVE_CRYPT_H
30#include <crypt.h> 30#include <crypt.h>
31#endif 31#endif
@@ -42,7 +42,6 @@ int
42sys_auth_passwd(Authctxt *authctxt, const char *password) 42sys_auth_passwd(Authctxt *authctxt, const char *password)
43{ 43{
44 struct passwd *pw = authctxt->pw; 44 struct passwd *pw = authctxt->pw;
45 char *encrypted_password;
46 char *salt; 45 char *salt;
47 int result; 46 int result;
48 47
@@ -55,21 +54,24 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
55 54
56 /* Encrypt the candidate password using the proper salt. */ 55 /* Encrypt the candidate password using the proper salt. */
57 salt = (pw_password[0] && pw_password[1]) ? pw_password : "xx"; 56 salt = (pw_password[0] && pw_password[1]) ? pw_password : "xx";
58#ifdef UNIXWARE_LONG_PASSWORDS
59 if (!nischeck(pw->pw_name))
60 encrypted_password = bigcrypt(password, salt);
61 else
62#endif /* UNIXWARE_LONG_PASSWORDS */
63 encrypted_password = xcrypt(password, salt);
64 57
65 /* 58 /*
66 * Authentication is accepted if the encrypted passwords 59 * Authentication is accepted if the encrypted passwords
67 * are identical. 60 * are identical.
68 */ 61 */
69 result = (strcmp(encrypted_password, pw_password) == 0); 62#ifdef UNIXWARE_LONG_PASSWORDS
63 if (!nischeck(pw->pw_name)) {
64 result = ((strcmp(bigcrypt(password, salt), pw_password) == 0)
65 || (strcmp(osr5bigcrypt(password, salt), pw_password) == 0));
66 }
67 else
68#endif /* UNIXWARE_LONG_PASSWORDS */
69 result = (strcmp(xcrypt(password, salt), pw_password) == 0);
70 70
71#if !defined(BROKEN_LIBIAF)
71 if (authctxt->valid) 72 if (authctxt->valid)
72 free(pw_password); 73 free(pw_password);
74#endif
73 return(result); 75 return(result);
74} 76}
75 77
@@ -114,6 +116,7 @@ nischeck(char *namep)
114 functions that call shadow_pw() will need to free 116 functions that call shadow_pw() will need to free
115 */ 117 */
116 118
119#if !defined(BROKEN_LIBIAF)
117char * 120char *
118get_iaf_password(struct passwd *pw) 121get_iaf_password(struct passwd *pw)
119{ 122{
@@ -130,5 +133,6 @@ get_iaf_password(struct passwd *pw)
130 else 133 else
131 fatal("ia_openinfo: Unable to open the shadow passwd file"); 134 fatal("ia_openinfo: Unable to open the shadow passwd file");
132} 135}
133#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */ 136#endif /* !BROKEN_LIBIAF */
137#endif /* HAVE_LIBIAF */
134 138
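Review bot: The results of bigcrypt(), osr5bigcrypt() and xcrypt() are passed straight to strcmp() on new lines 64-69 with no NULL check. crypt(3)-style functions are allowed to return NULL on failure; whether these wrappers can is not visible here, but if one does, the password check crashes instead of rejecting the login. Holding each result in a local and testing it first makes the failure path explicit, e.g. `enc = xcrypt(password, salt); result = (enc != NULL && strcmp(enc, pw_password) == 0);`, and the same for the two bigcrypt variants. sys_auth_passwd begins and continues outside these hunks, so how pw_password is obtained is not visible.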
diff --git a/openbsd-compat/readpassphrase.c b/openbsd-compat/readpassphrase.c
index eb060bdbf..919c0174a 100644
--- a/openbsd-compat/readpassphrase.c
+++ b/openbsd-compat/readpassphrase.c
@@ -1,6 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/gen/readpassphrase.c */ 1/* $OpenBSD: readpassphrase.c,v 1.18 2005/08/08 08:05:34 espie Exp $ */
2
3/* $OpenBSD: readpassphrase.c,v 1.16 2003/06/17 21:56:23 millert Exp $ */
4 2
5/* 3/*
6 * Copyright (c) 2000-2002 Todd C. Miller <Todd.Miller@courtesan.com> 4 * Copyright (c) 2000-2002 Todd C. Miller <Todd.Miller@courtesan.com>
@@ -22,9 +20,7 @@
22 * Materiel Command, USAF, under agreement number F39502-99-1-0512. 20 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
23 */ 21 */
24 22
25#if defined(LIBC_SCCS) && !defined(lint) 23/* OPENBSD ORIGINAL: lib/libc/gen/readpassphrase.c */
26static const char rcsid[] = "$OpenBSD: readpassphrase.c,v 1.16 2003/06/17 21:56:23 millert Exp $";
27#endif /* LIBC_SCCS and not lint */
28 24
29#include "includes.h" 25#include "includes.h"
30 26
diff --git a/openbsd-compat/readpassphrase.h b/openbsd-compat/readpassphrase.h
index 178edf346..5fd7c5d77 100644
--- a/openbsd-compat/readpassphrase.h
+++ b/openbsd-compat/readpassphrase.h
@@ -1,34 +1,27 @@
1/* OPENBSD ORIGINAL: include/readpassphrase.h */ 1/* $OpenBSD: readpassphrase.h,v 1.5 2003/06/17 21:56:23 millert Exp $ */
2
3/* $OpenBSD: readpassphrase.h,v 1.3 2002/06/28 12:32:22 millert Exp $ */
4 2
5/* 3/*
6 * Copyright (c) 2000 Todd C. Miller <Todd.Miller@courtesan.com> 4 * Copyright (c) 2000, 2002 Todd C. Miller <Todd.Miller@courtesan.com>
7 * All rights reserved. 5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
8 * 9 *
9 * Redistribution and use in source and binary forms, with or without 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * modification, are permitted provided that the following conditions 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * are met: 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * 1. Redistributions of source code must retain the above copyright 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * notice, this list of conditions and the following disclaimer. 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * 2. Redistributions in binary form must reproduce the above copyright 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * notice, this list of conditions and the following disclaimer in the 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 * documentation and/or other materials provided with the distribution.
17 * 3. The name of the author may not be used to endorse or promote products
18 * derived from this software without specific prior written permission.
19 * 17 *
20 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, 18 * Sponsored in part by the Defense Advanced Research Projects
21 * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 19 * Agency (DARPA) and Air Force Research Laboratory, Air Force
22 * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL 20 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
23 * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
24 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
25 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
26 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
27 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
28 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
29 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 */ 21 */
31 22
23/* OPENBSD ORIGINAL: include/readpassphrase.h */
24
32#ifndef _READPASSPHRASE_H_ 25#ifndef _READPASSPHRASE_H_
33#define _READPASSPHRASE_H_ 26#define _READPASSPHRASE_H_
34 27
diff --git a/openbsd-compat/realpath.c b/openbsd-compat/realpath.c
index 8430bec24..b6120d034 100644
--- a/openbsd-compat/realpath.c
+++ b/openbsd-compat/realpath.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/stdlib/realpath.c */ 1/* $OpenBSD: realpath.c,v 1.13 2005/08/08 08:05:37 espie Exp $ */
2
3/* 2/*
4 * Copyright (c) 2003 Constantin S. Svintsoff <kostik@iclub.nsu.ru> 3 * Copyright (c) 2003 Constantin S. Svintsoff <kostik@iclub.nsu.ru>
5 * 4 *
@@ -28,6 +27,8 @@
28 * SUCH DAMAGE. 27 * SUCH DAMAGE.
29 */ 28 */
30 29
30/* OPENBSD ORIGINAL: lib/libc/stdlib/realpath.c */
31
31#include "includes.h" 32#include "includes.h"
32 33
33#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) 34#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
diff --git a/openbsd-compat/rresvport.c b/openbsd-compat/rresvport.c
index 75167065c..71cf6e6eb 100644
--- a/openbsd-compat/rresvport.c
+++ b/openbsd-compat/rresvport.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/net/rresvport.c */ 1/* $OpenBSD: rresvport.c,v 1.9 2005/11/10 10:00:17 espie Exp $ */
2
3/* 2/*
4 * Copyright (c) 1995, 1996, 1998 Theo de Raadt. All rights reserved. 3 * Copyright (c) 1995, 1996, 1998 Theo de Raadt. All rights reserved.
5 * Copyright (c) 1983, 1993, 1994 4 * Copyright (c) 1983, 1993, 1994
@@ -30,26 +29,21 @@
30 * SUCH DAMAGE. 29 * SUCH DAMAGE.
31 */ 30 */
32 31
32/* OPENBSD ORIGINAL: lib/libc/net/rresvport.c */
33
33#include "includes.h" 34#include "includes.h"
34 35
35#ifndef HAVE_RRESVPORT_AF 36#ifndef HAVE_RRESVPORT_AF
36 37
37#if defined(LIBC_SCCS) && !defined(lint)
38static char *rcsid = "$OpenBSD: rresvport.c,v 1.6 2003/06/03 02:11:35 deraadt Exp $";
39#endif /* LIBC_SCCS and not lint */
40
41#include "includes.h"
42
43#if 0 38#if 0
44int 39int
45rresvport(alport) 40rresvport(int *alport)
46 int *alport;
47{ 41{
48 return rresvport_af(alport, AF_INET); 42 return rresvport_af(alport, AF_INET);
49} 43}
50#endif 44#endif
51 45
52int 46int
53rresvport_af(int *alport, sa_family_t af) 47rresvport_af(int *alport, sa_family_t af)
54{ 48{
55 struct sockaddr_storage ss; 49 struct sockaddr_storage ss;
diff --git a/openbsd-compat/setenv.c b/openbsd-compat/setenv.c
index c3a86c651..b52a99c2c 100644
--- a/openbsd-compat/setenv.c
+++ b/openbsd-compat/setenv.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/stdlib/setenv.c */ 1/* $OpenBSD: setenv.c,v 1.9 2005/08/08 08:05:37 espie Exp $ */
2
3/* 2/*
4 * Copyright (c) 1987 Regents of the University of California. 3 * Copyright (c) 1987 Regents of the University of California.
5 * All rights reserved. 4 * All rights reserved.
@@ -29,36 +28,31 @@
29 * SUCH DAMAGE. 28 * SUCH DAMAGE.
30 */ 29 */
31 30
31/* OPENBSD ORIGINAL: lib/libc/stdlib/setenv.c */
32
32#include "includes.h" 33#include "includes.h"
33#if !defined(HAVE_SETENV) || !defined(HAVE_UNSETENV) 34#if !defined(HAVE_SETENV) || !defined(HAVE_UNSETENV)
34 35
35#if defined(LIBC_SCCS) && !defined(lint)
36static char *rcsid = "$OpenBSD: setenv.c,v 1.6 2003/06/02 20:18:38 millert Exp $";
37#endif /* LIBC_SCCS and not lint */
38
39#include <stdlib.h> 36#include <stdlib.h>
40#include <string.h> 37#include <string.h>
41 38
42char *__findenv(const char *name, int *offset); 39extern char **environ;
43 40
41/* OpenSSH Portable: __findenv is from getenv.c rev 1.8, made static */
44/* 42/*
45 * __findenv -- 43 * __findenv --
46 * Returns pointer to value associated with name, if any, else NULL. 44 * Returns pointer to value associated with name, if any, else NULL.
47 * Sets offset to be the offset of the name/value combination in the 45 * Sets offset to be the offset of the name/value combination in the
48 * environmental array, for use by setenv(3) and unsetenv(3). 46 * environmental array, for use by setenv(3) and unsetenv(3).
49 * Explicitly removes '=' in argument name. 47 * Explicitly removes '=' in argument name.
50 *
51 * This routine *should* be a static; don't use it.
52 */ 48 */
53char * 49static char *
54__findenv(name, offset) 50__findenv(const char *name, int *offset)
55 register const char *name;
56 int *offset;
57{ 51{
58 extern char **environ; 52 extern char **environ;
59 register int len, i; 53 int len, i;
60 register const char *np; 54 const char *np;
61 register char **p, *cp; 55 char **p, *cp;
62 56
63 if (name == NULL || environ == NULL) 57 if (name == NULL || environ == NULL)
64 return (NULL); 58 return (NULL);
@@ -84,14 +78,10 @@ __findenv(name, offset)
84 * "value". If rewrite is set, replace any current value. 78 * "value". If rewrite is set, replace any current value.
85 */ 79 */
86int 80int
87setenv(name, value, rewrite) 81setenv(const char *name, const char *value, int rewrite)
88 register const char *name;
89 register const char *value;
90 int rewrite;
91{ 82{
92 extern char **environ; 83 static char **lastenv; /* last value of environ */
93 static int alloced; /* if allocated space before */ 84 char *C;
94 register char *C;
95 int l_value, offset; 85 int l_value, offset;
96 86
97 if (*value == '=') /* no `=' in value */ 87 if (*value == '=') /* no `=' in value */
@@ -106,30 +96,23 @@ setenv(name, value, rewrite)
106 return (0); 96 return (0);
107 } 97 }
108 } else { /* create new slot */ 98 } else { /* create new slot */
109 register int cnt; 99 size_t cnt;
110 register char **P; 100 char **P;
111 101
112 for (P = environ, cnt = 0; *P; ++P, ++cnt); 102 for (P = environ; *P != NULL; P++)
113 if (alloced) { /* just increase size */ 103 ;
114 P = (char **)realloc((void *)environ, 104 cnt = P - environ;
115 (size_t)(sizeof(char *) * (cnt + 2))); 105 P = (char **)realloc(lastenv, sizeof(char *) * (cnt + 2));
116 if (!P) 106 if (!P)
117 return (-1); 107 return (-1);
118 environ = P; 108 if (lastenv != environ)
119 } 109 memcpy(P, environ, cnt * sizeof(char *));
120 else { /* get new space */ 110 lastenv = environ = P;
121 alloced = 1; /* copy old entries into it */
122 P = (char **)malloc((size_t)(sizeof(char *) *
123 (cnt + 2)));
124 if (!P)
125 return (-1);
126 memmove(P, environ, cnt * sizeof(char *));
127 environ = P;
128 }
129 environ[cnt + 1] = NULL;
130 offset = cnt; 111 offset = cnt;
112 environ[cnt + 1] = NULL;
131 } 113 }
132 for (C = (char *)name; *C && *C != '='; ++C); /* no `=' in name */ 114 for (C = (char *)name; *C && *C != '='; ++C)
115 ; /* no `=' in name */
133 if (!(environ[offset] = /* name + `=' + value */ 116 if (!(environ[offset] = /* name + `=' + value */
134 malloc((size_t)((int)(C - name) + l_value + 2)))) 117 malloc((size_t)((int)(C - name) + l_value + 2))))
135 return (-1); 118 return (-1);
@@ -147,15 +130,12 @@ setenv(name, value, rewrite)
147 * Delete environmental variable "name". 130 * Delete environmental variable "name".
148 */ 131 */
149void 132void
150unsetenv(name) 133unsetenv(const char *name)
151 const char *name;
152{ 134{
153 extern char **environ; 135 char **P;
154 register char **P;
155 int offset; 136 int offset;
156 char *__findenv();
157 137
158 while (__findenv(name, &offset)) /* if set multiple times */ 138 while (__findenv(name, &offset)) /* if set multiple times */
159 for (P = &environ[offset];; ++P) 139 for (P = &environ[offset];; ++P)
160 if (!(*P = *(P + 1))) 140 if (!(*P = *(P + 1)))
161 break; 141 break;
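Review bot: The new-slot branch of setenv() (new lines 102-112) reallocates `lastenv` rather than `environ` and copies the entries only when the two differ, but nothing in the code says why. This appears to keep realloc() away from an environment array that setenv() did not allocate itself, such as the initial one or one the caller installed; a later cleanup that "simplifies" it to realloc(environ, ...) would break that. I would put a comment above the realloc, for example `/* lastenv is the array we allocated; if environ now points elsewhere, copy its entries into our block */`. The body of setenv() continues outside this hunk.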
diff --git a/openbsd-compat/sigact.c b/openbsd-compat/sigact.c
index 2772ac574..8b8e4dd2c 100644
--- a/openbsd-compat/sigact.c
+++ b/openbsd-compat/sigact.c
@@ -1,9 +1,7 @@
1/* OPENBSD ORIGINAL: lib/libcurses/base/sigaction.c */ 1/* $OpenBSD: sigaction.c,v 1.4 2001/01/22 18:01:48 millert Exp $ */
2
3/* $OpenBSD: sigaction.c,v 1.3 1999/06/27 08:14:21 millert Exp $ */
4 2
5/**************************************************************************** 3/****************************************************************************
6 * Copyright (c) 1998 Free Software Foundation, Inc. * 4 * Copyright (c) 1998,2000 Free Software Foundation, Inc. *
7 * * 5 * *
8 * Permission is hereby granted, free of charge, to any person obtaining a * 6 * Permission is hereby granted, free of charge, to any person obtaining a *
9 * copy of this software and associated documentation files (the * 7 * copy of this software and associated documentation files (the *
@@ -35,6 +33,8 @@
35 * and: Eric S. Raymond <esr@snark.thyrsus.com> * 33 * and: Eric S. Raymond <esr@snark.thyrsus.com> *
36 ****************************************************************************/ 34 ****************************************************************************/
37 35
36/* OPENBSD ORIGINAL: lib/libcurses/base/sigaction.c */
37
38#include "includes.h" 38#include "includes.h"
39#include <signal.h> 39#include <signal.h>
40#include "sigact.h" 40#include "sigact.h"
diff --git a/openbsd-compat/sigact.h b/openbsd-compat/sigact.h
index b37c1f84a..db96d0a5c 100644
--- a/openbsd-compat/sigact.h
+++ b/openbsd-compat/sigact.h
@@ -1,7 +1,7 @@
1/* $OpenBSD: SigAction.h,v 1.2 1999/06/27 08:15:19 millert Exp $ */ 1/* $OpenBSD: SigAction.h,v 1.3 2001/01/22 18:01:32 millert Exp $ */
2 2
3/**************************************************************************** 3/****************************************************************************
4 * Copyright (c) 1998 Free Software Foundation, Inc. * 4 * Copyright (c) 1998,2000 Free Software Foundation, Inc. *
5 * * 5 * *
6 * Permission is hereby granted, free of charge, to any person obtaining a * 6 * Permission is hereby granted, free of charge, to any person obtaining a *
7 * copy of this software and associated documentation files (the * 7 * copy of this software and associated documentation files (the *
@@ -34,12 +34,14 @@
34 ****************************************************************************/ 34 ****************************************************************************/
35 35
36/* 36/*
37 * $From: SigAction.h,v 1.5 1999/06/19 23:00:54 tom Exp $ 37 * $From: SigAction.h,v 1.6 2000/12/10 02:36:10 tom Exp $
38 * 38 *
39 * This file exists to handle non-POSIX systems which don't have <unistd.h>, 39 * This file exists to handle non-POSIX systems which don't have <unistd.h>,
40 * and usually no sigaction() nor <termios.h> 40 * and usually no sigaction() nor <termios.h>
41 */ 41 */
42 42
43/* OPENBSD ORIGINAL: lib/libcurses/SigAction.h */
44
43#ifndef _SIGACTION_H 45#ifndef _SIGACTION_H
44#define _SIGACTION_H 46#define _SIGACTION_H
45 47
diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c
index 70f01cb2a..bcc1b61ad 100644
--- a/openbsd-compat/strlcat.c
+++ b/openbsd-compat/strlcat.c
@@ -1,6 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/string/strlcat.c */ 1/* $OpenBSD: strlcat.c,v 1.13 2005/08/08 08:05:37 espie Exp $ */
2
3/* $OpenBSD: strlcat.c,v 1.11 2003/06/17 21:56:24 millert Exp $ */
4 2
5/* 3/*
6 * Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com> 4 * Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
@@ -18,13 +16,11 @@
18 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 */ 17 */
20 18
19/* OPENBSD ORIGINAL: lib/libc/string/strlcat.c */
20
21#include "includes.h" 21#include "includes.h"
22#ifndef HAVE_STRLCAT 22#ifndef HAVE_STRLCAT
23 23
24#if defined(LIBC_SCCS) && !defined(lint)
25static char *rcsid = "$OpenBSD: strlcat.c,v 1.11 2003/06/17 21:56:24 millert Exp $";
26#endif /* LIBC_SCCS and not lint */
27
28#include <sys/types.h> 24#include <sys/types.h>
29#include <string.h> 25#include <string.h>
30 26
@@ -38,9 +34,9 @@ static char *rcsid = "$OpenBSD: strlcat.c,v 1.11 2003/06/17 21:56:24 millert Exp
38size_t 34size_t
39strlcat(char *dst, const char *src, size_t siz) 35strlcat(char *dst, const char *src, size_t siz)
40{ 36{
41 register char *d = dst; 37 char *d = dst;
42 register const char *s = src; 38 const char *s = src;
43 register size_t n = siz; 39 size_t n = siz;
44 size_t dlen; 40 size_t dlen;
45 41
46 /* Find the end of dst and adjust bytes left but don't go past end */ 42 /* Find the end of dst and adjust bytes left but don't go past end */
diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c
index ccfa12a0a..679a5b291 100644
--- a/openbsd-compat/strlcpy.c
+++ b/openbsd-compat/strlcpy.c
@@ -1,6 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/string/strlcpy.c */ 1/* $OpenBSD: strlcpy.c,v 1.10 2005/08/08 08:05:37 espie Exp $ */
2
3/* $OpenBSD: strlcpy.c,v 1.8 2003/06/17 21:56:24 millert Exp $ */
4 2
5/* 3/*
6 * Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com> 4 * Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
@@ -18,13 +16,11 @@
18 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 */ 17 */
20 18
19/* OPENBSD ORIGINAL: lib/libc/string/strlcpy.c */
20
21#include "includes.h" 21#include "includes.h"
22#ifndef HAVE_STRLCPY 22#ifndef HAVE_STRLCPY
23 23
24#if defined(LIBC_SCCS) && !defined(lint)
25static char *rcsid = "$OpenBSD: strlcpy.c,v 1.8 2003/06/17 21:56:24 millert Exp $";
26#endif /* LIBC_SCCS and not lint */
27
28#include <sys/types.h> 24#include <sys/types.h>
29#include <string.h> 25#include <string.h>
30 26
@@ -36,9 +32,9 @@ static char *rcsid = "$OpenBSD: strlcpy.c,v 1.8 2003/06/17 21:56:24 millert Exp
36size_t 32size_t
37strlcpy(char *dst, const char *src, size_t siz) 33strlcpy(char *dst, const char *src, size_t siz)
38{ 34{
39 register char *d = dst; 35 char *d = dst;
40 register const char *s = src; 36 const char *s = src;
41 register size_t n = siz; 37 size_t n = siz;
42 38
43 /* Copy as many bytes as will fit */ 39 /* Copy as many bytes as will fit */
44 if (n != 0 && --n != 0) { 40 if (n != 0 && --n != 0) {
diff --git a/openbsd-compat/strmode.c b/openbsd-compat/strmode.c
index ea8d515e3..4a8161422 100644
--- a/openbsd-compat/strmode.c
+++ b/openbsd-compat/strmode.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/string/strmode.c */ 1/* $OpenBSD: strmode.c,v 1.7 2005/08/08 08:05:37 espie Exp $ */
2
3/*- 2/*-
4 * Copyright (c) 1990 The Regents of the University of California. 3 * Copyright (c) 1990 The Regents of the University of California.
5 * All rights reserved. 4 * All rights reserved.
@@ -29,13 +28,11 @@
29 * SUCH DAMAGE. 28 * SUCH DAMAGE.
30 */ 29 */
31 30
31/* OPENBSD ORIGINAL: lib/libc/string/strmode.c */
32
32#include "includes.h" 33#include "includes.h"
33#ifndef HAVE_STRMODE 34#ifndef HAVE_STRMODE
34 35
35#if defined(LIBC_SCCS) && !defined(lint)
36static char *rcsid = "$OpenBSD: strmode.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $";
37#endif /* LIBC_SCCS and not lint */
38
39#include <sys/types.h> 36#include <sys/types.h>
40#include <sys/stat.h> 37#include <sys/stat.h>
41#include <string.h> 38#include <string.h>
@@ -72,11 +69,6 @@ strmode(int mode, char *p)
72 *p++ = 'p'; 69 *p++ = 'p';
73 break; 70 break;
74#endif 71#endif
75#ifdef S_IFWHT
76 case S_IFWHT: /* whiteout */
77 *p++ = 'w';
78 break;
79#endif
80 default: /* unknown */ 72 default: /* unknown */
81 *p++ = '?'; 73 *p++ = '?';
82 break; 74 break;
diff --git a/openbsd-compat/strsep.c b/openbsd-compat/strsep.c
index 330d84ce1..b36eb8fda 100644
--- a/openbsd-compat/strsep.c
+++ b/openbsd-compat/strsep.c
@@ -1,6 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/string/strsep.c */ 1/* $OpenBSD: strsep.c,v 1.6 2005/08/08 08:05:37 espie Exp $ */
2
3/* $OpenBSD: strsep.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $ */
4 2
5/*- 3/*-
6 * Copyright (c) 1990, 1993 4 * Copyright (c) 1990, 1993
@@ -31,6 +29,8 @@
31 * SUCH DAMAGE. 29 * SUCH DAMAGE.
32 */ 30 */
33 31
32/* OPENBSD ORIGINAL: lib/libc/string/strsep.c */
33
34#include "includes.h" 34#include "includes.h"
35 35
36#if !defined(HAVE_STRSEP) 36#if !defined(HAVE_STRSEP)
@@ -38,14 +38,6 @@
38#include <string.h> 38#include <string.h>
39#include <stdio.h> 39#include <stdio.h>
40 40
41#if defined(LIBC_SCCS) && !defined(lint)
42#if 0
43static char sccsid[] = "@(#)strsep.c 8.1 (Berkeley) 6/4/93";
44#else
45static char *rcsid = "$OpenBSD: strsep.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $";
46#endif
47#endif /* LIBC_SCCS and not lint */
48
49/* 41/*
50 * Get next token from string *stringp, where tokens are possibly-empty 42 * Get next token from string *stringp, where tokens are possibly-empty
51 * strings separated by characters from delim. 43 * strings separated by characters from delim.
diff --git a/openbsd-compat/strtoll.c b/openbsd-compat/strtoll.c
index 60c276f8a..f62930388 100644
--- a/openbsd-compat/strtoll.c
+++ b/openbsd-compat/strtoll.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoll.c */ 1/* $OpenBSD: strtoll.c,v 1.6 2005/11/10 10:00:17 espie Exp $ */
2
3/*- 2/*-
4 * Copyright (c) 1992 The Regents of the University of California. 3 * Copyright (c) 1992 The Regents of the University of California.
5 * All rights reserved. 4 * All rights reserved.
@@ -29,13 +28,11 @@
29 * SUCH DAMAGE. 28 * SUCH DAMAGE.
30 */ 29 */
31 30
31/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoll.c */
32
32#include "includes.h" 33#include "includes.h"
33#ifndef HAVE_STRTOLL 34#ifndef HAVE_STRTOLL
34 35
35#if defined(LIBC_SCCS) && !defined(lint)
36static const char rcsid[] = "$OpenBSD: strtoll.c,v 1.4 2005/03/30 18:51:49 pat Exp $";
37#endif /* LIBC_SCCS and not lint */
38
39#include <sys/types.h> 36#include <sys/types.h>
40 37
41#include <ctype.h> 38#include <ctype.h>
diff --git a/openbsd-compat/strtonum.c b/openbsd-compat/strtonum.c
index b681ed83b..8ad0d0058 100644
--- a/openbsd-compat/strtonum.c
+++ b/openbsd-compat/strtonum.c
@@ -1,5 +1,3 @@
1/* OPENBSD ORIGINAL: lib/libc/stdlib/strtonum.c */
2
3/* $OpenBSD: strtonum.c,v 1.6 2004/08/03 19:38:01 millert Exp $ */ 1/* $OpenBSD: strtonum.c,v 1.6 2004/08/03 19:38:01 millert Exp $ */
4 2
5/* 3/*
@@ -19,6 +17,8 @@
19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 */ 18 */
21 19
20/* OPENBSD ORIGINAL: lib/libc/stdlib/strtonum.c */
21
22#include "includes.h" 22#include "includes.h"
23#ifndef HAVE_STRTONUM 23#ifndef HAVE_STRTONUM
24#include <limits.h> 24#include <limits.h>
diff --git a/openbsd-compat/strtoul.c b/openbsd-compat/strtoul.c
index 24d0e253d..8219c8391 100644
--- a/openbsd-compat/strtoul.c
+++ b/openbsd-compat/strtoul.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoul.c */ 1/* $OpenBSD: strtoul.c,v 1.7 2005/08/08 08:05:37 espie Exp $ */
2
3/* 2/*
4 * Copyright (c) 1990 Regents of the University of California. 3 * Copyright (c) 1990 Regents of the University of California.
5 * All rights reserved. 4 * All rights reserved.
@@ -29,13 +28,11 @@
29 * SUCH DAMAGE. 28 * SUCH DAMAGE.
30 */ 29 */
31 30
31/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoul.c */
32
32#include "includes.h" 33#include "includes.h"
33#ifndef HAVE_STRTOUL 34#ifndef HAVE_STRTOUL
34 35
35#if defined(LIBC_SCCS) && !defined(lint)
36static char *rcsid = "$OpenBSD: strtoul.c,v 1.5 2003/06/02 20:18:38 millert Exp $";
37#endif /* LIBC_SCCS and not lint */
38
39#include <ctype.h> 36#include <ctype.h>
40#include <errno.h> 37#include <errno.h>
41#include <limits.h> 38#include <limits.h>
@@ -48,15 +45,12 @@ static char *rcsid = "$OpenBSD: strtoul.c,v 1.5 2003/06/02 20:18:38 millert Exp
48 * alphabets and digits are each contiguous. 45 * alphabets and digits are each contiguous.
49 */ 46 */
50unsigned long 47unsigned long
51strtoul(nptr, endptr, base) 48strtoul(const char *nptr, char **endptr, int base)
52 const char *nptr;
53 char **endptr;
54 register int base;
55{ 49{
56 register const char *s; 50 const char *s;
57 register unsigned long acc, cutoff; 51 unsigned long acc, cutoff;
58 register int c; 52 int c;
59 register int neg, any, cutlim; 53 int neg, any, cutlim;
60 54
61 /* 55 /*
62 * See strtol for comments as to the logic used. 56 * See strtol for comments as to the logic used.
diff --git a/openbsd-compat/sys-queue.h b/openbsd-compat/sys-queue.h
index c49a94650..402343324 100644
--- a/openbsd-compat/sys-queue.h
+++ b/openbsd-compat/sys-queue.h
@@ -1,5 +1,3 @@
1/* OPENBSD ORIGINAL: sys/sys/queue.h */
2
3/* $OpenBSD: queue.h,v 1.25 2004/04/08 16:08:21 henning Exp $ */ 1/* $OpenBSD: queue.h,v 1.25 2004/04/08 16:08:21 henning Exp $ */
4/* $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $ */ 2/* $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $ */
5 3
@@ -34,6 +32,8 @@
34 * @(#)queue.h 8.5 (Berkeley) 8/20/94 32 * @(#)queue.h 8.5 (Berkeley) 8/20/94
35 */ 33 */
36 34
35/* OPENBSD ORIGINAL: sys/sys/queue.h */
36
37#ifndef _FAKE_QUEUE_H_ 37#ifndef _FAKE_QUEUE_H_
38#define _FAKE_QUEUE_H_ 38#define _FAKE_QUEUE_H_
39 39
diff --git a/openbsd-compat/sys-tree.h b/openbsd-compat/sys-tree.h
index 73cfbe72a..c80b90b21 100644
--- a/openbsd-compat/sys-tree.h
+++ b/openbsd-compat/sys-tree.h
@@ -1,5 +1,3 @@
1/* OPENBSD ORIGINAL: sys/sys/tree.h */
2
3/* $OpenBSD: tree.h,v 1.7 2002/10/17 21:51:54 art Exp $ */ 1/* $OpenBSD: tree.h,v 1.7 2002/10/17 21:51:54 art Exp $ */
4/* 2/*
5 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -26,6 +24,8 @@
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */ 25 */
28 26
27/* OPENBSD ORIGINAL: sys/sys/tree.h */
28
29#ifndef _SYS_TREE_H_ 29#ifndef _SYS_TREE_H_
30#define _SYS_TREE_H_ 30#define _SYS_TREE_H_
31 31
diff --git a/openbsd-compat/vis.c b/openbsd-compat/vis.c
index 1fb7a01e3..3a087b341 100644
--- a/openbsd-compat/vis.c
+++ b/openbsd-compat/vis.c
@@ -1,5 +1,4 @@
1/* OPENBSD ORIGINAL: lib/libc/gen/vis.c */ 1/* $OpenBSD: vis.c,v 1.19 2005/09/01 17:15:49 millert Exp $ */
2
3/*- 2/*-
4 * Copyright (c) 1989, 1993 3 * Copyright (c) 1989, 1993
5 * The Regents of the University of California. All rights reserved. 4 * The Regents of the University of California. All rights reserved.
@@ -28,36 +27,34 @@
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE. 28 * SUCH DAMAGE.
30 */ 29 */
30
31/* OPENBSD ORIGINAL: lib/libc/gen/vis.c */
32
31#include "includes.h" 33#include "includes.h"
32#if !defined(HAVE_STRNVIS) 34#if !defined(HAVE_STRNVIS)
33 35
34#if defined(LIBC_SCCS) && !defined(lint)
35static char rcsid[] = "$OpenBSD: vis.c,v 1.12 2003/06/02 20:18:35 millert Exp $";
36#endif /* LIBC_SCCS and not lint */
37
38#include <ctype.h> 36#include <ctype.h>
39#include <string.h> 37#include <string.h>
40 38
41#include "vis.h" 39#include "vis.h"
42 40
43#define isoctal(c) (((u_char)(c)) >= '0' && ((u_char)(c)) <= '7') 41#define isoctal(c) (((u_char)(c)) >= '0' && ((u_char)(c)) <= '7')
44#define isvisible(c) (((u_int)(c) <= UCHAR_MAX && isascii((u_char)(c)) && \ 42#define isvisible(c) \
45 isgraph((u_char)(c))) || \ 43 (((u_int)(c) <= UCHAR_MAX && isascii((u_char)(c)) && \
46 ((flag & VIS_SP) == 0 && (c) == ' ') || \ 44 (((c) != '*' && (c) != '?' && (c) != '[' && (c) != '#') || \
47 ((flag & VIS_TAB) == 0 && (c) == '\t') || \ 45 (flag & VIS_GLOB) == 0) && isgraph((u_char)(c))) || \
48 ((flag & VIS_NL) == 0 && (c) == '\n') || \ 46 ((flag & VIS_SP) == 0 && (c) == ' ') || \
49 ((flag & VIS_SAFE) && ((c) == '\b' || \ 47 ((flag & VIS_TAB) == 0 && (c) == '\t') || \
50 (c) == '\007' || (c) == '\r' || \ 48 ((flag & VIS_NL) == 0 && (c) == '\n') || \
51 isgraph((u_char)(c))))) 49 ((flag & VIS_SAFE) && ((c) == '\b' || \
50 (c) == '\007' || (c) == '\r' || \
51 isgraph((u_char)(c)))))
52 52
53/* 53/*
54 * vis - visually encode characters 54 * vis - visually encode characters
55 */ 55 */
56char * 56char *
57vis(dst, c, flag, nextc) 57vis(char *dst, int c, int flag, int nextc)
58 register char *dst;
59 int c, nextc;
60 register int flag;
61{ 58{
62 if (isvisible(c)) { 59 if (isvisible(c)) {
63 *dst++ = c; 60 *dst++ = c;
@@ -111,7 +108,8 @@ vis(dst, c, flag, nextc)
111 goto done; 108 goto done;
112 } 109 }
113 } 110 }
114 if (((c & 0177) == ' ') || (flag & VIS_OCTAL)) { 111 if (((c & 0177) == ' ') || (flag & VIS_OCTAL) ||
112 ((flag & VIS_GLOB) && (c == '*' || c == '?' || c == '[' || c == '#'))) {
115 *dst++ = '\\'; 113 *dst++ = '\\';
116 *dst++ = ((u_char)c >> 6 & 07) + '0'; 114 *dst++ = ((u_char)c >> 6 & 07) + '0';
117 *dst++ = ((u_char)c >> 3 & 07) + '0'; 115 *dst++ = ((u_char)c >> 3 & 07) + '0';
@@ -124,7 +122,7 @@ vis(dst, c, flag, nextc)
124 c &= 0177; 122 c &= 0177;
125 *dst++ = 'M'; 123 *dst++ = 'M';
126 } 124 }
127 if (iscntrl(c)) { 125 if (iscntrl((u_char)c)) {
128 *dst++ = '^'; 126 *dst++ = '^';
129 if (c == 0177) 127 if (c == 0177)
130 *dst++ = '?'; 128 *dst++ = '?';
@@ -153,12 +151,9 @@ done:
153 * This is useful for encoding a block of data. 151 * This is useful for encoding a block of data.
154 */ 152 */
155int 153int
156strvis(dst, src, flag) 154strvis(char *dst, const char *src, int flag)
157 register char *dst;
158 register const char *src;
159 int flag;
160{ 155{
161 register char c; 156 char c;
162 char *start; 157 char *start;
163 158
164 for (start = dst; (c = *src);) 159 for (start = dst; (c = *src);)
@@ -168,16 +163,11 @@ strvis(dst, src, flag)
168} 163}
169 164
170int 165int
171strnvis(dst, src, siz, flag) 166strnvis(char *dst, const char *src, size_t siz, int flag)
172 char *dst;
173 const char *src;
174 size_t siz;
175 int flag;
176{ 167{
177 char c;
178 char *start, *end; 168 char *start, *end;
179 char tbuf[5]; 169 char tbuf[5];
180 int i; 170 int c, i;
181 171
182 i = 0; 172 i = 0;
183 for (start = dst, end = start + siz - 1; (c = *src) && dst < end; ) { 173 for (start = dst, end = start + siz - 1; (c = *src) && dst < end; ) {
@@ -217,13 +207,9 @@ strnvis(dst, src, siz, flag)
217} 207}
218 208
219int 209int
220strvisx(dst, src, len, flag) 210strvisx(char *dst, const char *src, size_t len, int flag)
221 register char *dst;
222 register const char *src;
223 register size_t len;
224 int flag;
225{ 211{
226 register char c; 212 char c;
227 char *start; 213 char *start;
228 214
229 for (start = dst; len > 1; len--) { 215 for (start = dst; len > 1; len--) {
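Review bot: The set of characters escaped under VIS_GLOB ('*', '?', '[', '#') is written out twice, once in the isvisible() macro (new lines 43-45) and again in the octal-encoding test in vis() (new lines 111-112). Callers presumably rely on this flag to neutralise glob metacharacters, so the two lists need to stay identical, and a later edit to only one of them would be easy to miss. A single helper macro used in both places would remove that risk, for example `#define isglobmagic(c) ((c) == '*' || (c) == '?' || (c) == '[' || (c) == '#')`. vis() continues outside the hunks shown.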
diff --git a/openbsd-compat/vis.h b/openbsd-compat/vis.h
index 663355a24..3898a9e70 100644
--- a/openbsd-compat/vis.h
+++ b/openbsd-compat/vis.h
@@ -1,6 +1,4 @@
1/* OPENBSD ORIGINAL: include/vis.h */ 1/* $OpenBSD: vis.h,v 1.11 2005/08/09 19:38:31 millert Exp $ */
2
3/* $OpenBSD: vis.h,v 1.6 2003/06/02 19:34:12 millert Exp $ */
4/* $NetBSD: vis.h,v 1.4 1994/10/26 00:56:41 cgd Exp $ */ 2/* $NetBSD: vis.h,v 1.4 1994/10/26 00:56:41 cgd Exp $ */
5 3
6/*- 4/*-
@@ -34,6 +32,8 @@
34 * @(#)vis.h 5.9 (Berkeley) 4/3/91 32 * @(#)vis.h 5.9 (Berkeley) 4/3/91
35 */ 33 */
36 34
35/* OPENBSD ORIGINAL: include/vis.h */
36
37#include "includes.h" 37#include "includes.h"
38#if !defined(HAVE_STRNVIS) 38#if !defined(HAVE_STRNVIS)
39 39
@@ -63,6 +63,7 @@
63 * other 63 * other
64 */ 64 */
65#define VIS_NOSLASH 0x40 /* inhibit printing '\' */ 65#define VIS_NOSLASH 0x40 /* inhibit printing '\' */
66#define VIS_GLOB 0x100 /* encode glob(3) magics and '#' */
66 67
67/* 68/*
68 * unvis return codes 69 * unvis return codes
@@ -80,10 +81,14 @@
80 81
81char *vis(char *, int, int, int); 82char *vis(char *, int, int, int);
82int strvis(char *, const char *, int); 83int strvis(char *, const char *, int);
83int strnvis(char *, const char *, size_t, int); 84int strnvis(char *, const char *, size_t, int)
84int strvisx(char *, const char *, size_t, int); 85 __attribute__ ((__bounded__(__string__,1,3)));
86int strvisx(char *, const char *, size_t, int)
87 __attribute__ ((__bounded__(__string__,1,3)));
85int strunvis(char *, const char *); 88int strunvis(char *, const char *);
86int unvis(char *, char, int *, int); 89int unvis(char *, char, int *, int);
90ssize_t strnunvis(char *, const char *, size_t)
91 __attribute__ ((__bounded__(__string__,1,3)));
87 92
88#endif /* !_VIS_H_ */ 93#endif /* !_VIS_H_ */
89 94
diff --git a/opensshd.init.in b/opensshd.init.in
index ffa7cdac2..c36c5c88a 100755
--- a/opensshd.init.in
+++ b/opensshd.init.in
@@ -1,4 +1,4 @@
1#!/sbin/sh 1#!@STARTUP_SCRIPT_SHELL@
2# Donated code that was put under PD license. 2# Donated code that was put under PD license.
3# 3#
4# Stripped PRNGd out of it for the time being. 4# Stripped PRNGd out of it for the time being.
diff --git a/packet.c b/packet.c
index 70e0110cb..db2aa2411 100644
--- a/packet.c
+++ b/packet.c
@@ -37,7 +37,7 @@
37 */ 37 */
38 38
39#include "includes.h" 39#include "includes.h"
40RCSID("$OpenBSD: packet.c,v 1.119 2005/07/28 17:36:22 markus Exp $"); 40RCSID("$OpenBSD: packet.c,v 1.120 2005/10/30 08:52:17 djm Exp $");
41 41
42#include "openbsd-compat/sys-queue.h" 42#include "openbsd-compat/sys-queue.h"
43 43
@@ -572,7 +572,7 @@ packet_send1(void)
572 buffer_clear(&outgoing_packet); 572 buffer_clear(&outgoing_packet);
573 573
574 /* 574 /*
575 * Note that the packet is now only buffered in output. It won\'t be 575 * Note that the packet is now only buffered in output. It won't be
576 * actually sent until packet_write_wait or packet_write_poll is 576 * actually sent until packet_write_wait or packet_write_poll is
577 * called. 577 * called.
578 */ 578 */
diff --git a/progressmeter.c b/progressmeter.c
index 3cda09061..13c51d87e 100644
--- a/progressmeter.c
+++ b/progressmeter.c
@@ -85,8 +85,8 @@ format_rate(char *buf, int size, off_t bytes)
85 bytes = (bytes + 512) / 1024; 85 bytes = (bytes + 512) / 1024;
86 } 86 }
87 snprintf(buf, size, "%3lld.%1lld%c%s", 87 snprintf(buf, size, "%3lld.%1lld%c%s",
88 (int64_t) (bytes + 5) / 100, 88 (long long) (bytes + 5) / 100,
89 (int64_t) (bytes + 5) / 10 % 10, 89 (long long) (bytes + 5) / 10 % 10,
90 unit[i], 90 unit[i],
91 i ? "B" : " "); 91 i ? "B" : " ");
92} 92}
@@ -99,7 +99,7 @@ format_size(char *buf, int size, off_t bytes)
99 for (i = 0; bytes >= 10000 && unit[i] != 'T'; i++) 99 for (i = 0; bytes >= 10000 && unit[i] != 'T'; i++)
100 bytes = (bytes + 512) / 1024; 100 bytes = (bytes + 512) / 1024;
101 snprintf(buf, size, "%4lld%c%s", 101 snprintf(buf, size, "%4lld%c%s",
102 (int64_t) bytes, 102 (long long) bytes,
103 unit[i], 103 unit[i],
104 i ? "B" : " "); 104 i ? "B" : " ");
105} 105}
diff --git a/readconf.c b/readconf.c
index 345df9c25..355a41ccb 100644
--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
12 */ 12 */
13 13
14#include "includes.h" 14#include "includes.h"
15RCSID("$OpenBSD: readconf.c,v 1.143 2005/07/30 02:03:47 djm Exp $"); 15RCSID("$OpenBSD: readconf.c,v 1.145 2005/12/08 18:34:11 reyk Exp $");
16 16
17#include "ssh.h" 17#include "ssh.h"
18#include "xmalloc.h" 18#include "xmalloc.h"
@@ -70,6 +70,10 @@ RCSID("$OpenBSD: readconf.c,v 1.143 2005/07/30 02:03:47 djm Exp $");
70 Cipher none 70 Cipher none
71 PasswordAuthentication no 71 PasswordAuthentication no
72 72
73 Host vpn.fake.com
74 Tunnel yes
75 TunnelDevice 3
76
73 # Defaults for various options 77 # Defaults for various options
74 Host * 78 Host *
75 ForwardAgent no 79 ForwardAgent no
@@ -108,6 +112,7 @@ typedef enum {
108 oGssTrustDns, 112 oGssTrustDns,
109 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 113 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
110 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, 114 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
115 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
111 oDeprecated, oUnsupported 116 oDeprecated, oUnsupported
112} OpCodes; 117} OpCodes;
113 118
@@ -201,6 +206,10 @@ static struct {
201 { "controlpath", oControlPath }, 206 { "controlpath", oControlPath },
202 { "controlmaster", oControlMaster }, 207 { "controlmaster", oControlMaster },
203 { "hashknownhosts", oHashKnownHosts }, 208 { "hashknownhosts", oHashKnownHosts },
209 { "tunnel", oTunnel },
210 { "tunneldevice", oTunnelDevice },
211 { "localcommand", oLocalCommand },
212 { "permitlocalcommand", oPermitLocalCommand },
204 { NULL, oBadOption } 213 { NULL, oBadOption }
205}; 214};
206 215
@@ -267,6 +276,7 @@ clear_forwardings(Options *options)
267 xfree(options->remote_forwards[i].connect_host); 276 xfree(options->remote_forwards[i].connect_host);
268 } 277 }
269 options->num_remote_forwards = 0; 278 options->num_remote_forwards = 0;
279 options->tun_open = SSH_TUNMODE_NO;
270} 280}
271 281
272/* 282/*
@@ -299,7 +309,7 @@ process_config_line(Options *options, const char *host,
299 int *activep) 309 int *activep)
300{ 310{
301 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256]; 311 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
302 int opcode, *intptr, value; 312 int opcode, *intptr, value, value2;
303 size_t len; 313 size_t len;
304 Forward fwd; 314 Forward fwd;
305 315
@@ -560,9 +570,10 @@ parse_string:
560 goto parse_string; 570 goto parse_string;
561 571
562 case oProxyCommand: 572 case oProxyCommand:
573 charptr = &options->proxy_command;
574parse_command:
563 if (s == NULL) 575 if (s == NULL)
564 fatal("%.200s line %d: Missing argument.", filename, linenum); 576 fatal("%.200s line %d: Missing argument.", filename, linenum);
565 charptr = &options->proxy_command;
566 len = strspn(s, WHITESPACE "="); 577 len = strspn(s, WHITESPACE "=");
567 if (*activep && *charptr == NULL) 578 if (*activep && *charptr == NULL)
568 *charptr = xstrdup(s + len); 579 *charptr = xstrdup(s + len);
@@ -829,6 +840,49 @@ parse_int:
829 intptr = &options->hash_known_hosts; 840 intptr = &options->hash_known_hosts;
830 goto parse_flag; 841 goto parse_flag;
831 842
843 case oTunnel:
844 intptr = &options->tun_open;
845 arg = strdelim(&s);
846 if (!arg || *arg == '\0')
847 fatal("%s line %d: Missing yes/point-to-point/"
848 "ethernet/no argument.", filename, linenum);
849 value = 0; /* silence compiler */
850 if (strcasecmp(arg, "ethernet") == 0)
851 value = SSH_TUNMODE_ETHERNET;
852 else if (strcasecmp(arg, "point-to-point") == 0)
853 value = SSH_TUNMODE_POINTOPOINT;
854 else if (strcasecmp(arg, "yes") == 0)
855 value = SSH_TUNMODE_DEFAULT;
856 else if (strcasecmp(arg, "no") == 0)
857 value = SSH_TUNMODE_NO;
858 else
859 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
860 "no argument: %s", filename, linenum, arg);
861 if (*activep)
862 *intptr = value;
863 break;
864
865 case oTunnelDevice:
866 arg = strdelim(&s);
867 if (!arg || *arg == '\0')
868 fatal("%.200s line %d: Missing argument.", filename, linenum);
869 value = a2tun(arg, &value2);
870 if (value == SSH_TUNID_ERR)
871 fatal("%.200s line %d: Bad tun device.", filename, linenum);
872 if (*activep) {
873 options->tun_local = value;
874 options->tun_remote = value2;
875 }
876 break;
877
878 case oLocalCommand:
879 charptr = &options->local_command;
880 goto parse_command;
881
882 case oPermitLocalCommand:
883 intptr = &options->permit_local_command;
884 goto parse_flag;
885
832 case oDeprecated: 886 case oDeprecated:
833 debug("%s line %d: Deprecated option \"%s\"", 887 debug("%s line %d: Deprecated option \"%s\"",
834 filename, linenum, keyword); 888 filename, linenum, keyword);
@@ -974,6 +1028,11 @@ initialize_options(Options * options)
974 options->control_path = NULL; 1028 options->control_path = NULL;
975 options->control_master = -1; 1029 options->control_master = -1;
976 options->hash_known_hosts = -1; 1030 options->hash_known_hosts = -1;
1031 options->tun_open = -1;
1032 options->tun_local = -1;
1033 options->tun_remote = -1;
1034 options->local_command = NULL;
1035 options->permit_local_command = -1;
977} 1036}
978 1037
979/* 1038/*
@@ -1100,6 +1159,15 @@ fill_default_options(Options * options)
1100 options->control_master = 0; 1159 options->control_master = 0;
1101 if (options->hash_known_hosts == -1) 1160 if (options->hash_known_hosts == -1)
1102 options->hash_known_hosts = 0; 1161 options->hash_known_hosts = 0;
1162 if (options->tun_open == -1)
1163 options->tun_open = SSH_TUNMODE_NO;
1164 if (options->tun_local == -1)
1165 options->tun_local = SSH_TUNID_ANY;
1166 if (options->tun_remote == -1)
1167 options->tun_remote = SSH_TUNID_ANY;
1168 if (options->permit_local_command == -1)
1169 options->permit_local_command = 0;
1170 /* options->local_command should not be set by default */
1103 /* options->proxy_command should not be set by default */ 1171 /* options->proxy_command should not be set by default */
1104 /* options->user will be set in the main program if appropriate */ 1172 /* options->user will be set in the main program if appropriate */
1105 /* options->hostname will be set in the main program if appropriate */ 1173 /* options->hostname will be set in the main program if appropriate */
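Review bot: The new `case oLocalCommand:` stores a string destined for local execution via `parse_command`, but nothing says where PermitLocalCommand is enforced. The parser cannot enforce it, since the two keywords may appear in either order, so the check presumably lives at the execution site outside this file. I would add above the case a comment such as `/* Stored unconditionally; the caller must check permit_local_command before executing. */`. Separately, the two fatal() calls in the oTunnel case format `filename` and `arg` with plain `%s` where the neighbouring cases use `%.200s`; matching them keeps the error output bounded. process_config_line() starts and ends outside these hunks.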
diff --git a/readconf.h b/readconf.h
index b403c10ec..bb70e9373 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: readconf.h,v 1.67 2005/06/08 11:25:09 djm Exp $ */ 1/* $OpenBSD: readconf.h,v 1.68 2005/12/06 22:38:27 reyk Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -115,6 +115,14 @@ typedef struct {
115 int control_master; 115 int control_master;
116 116
117 int hash_known_hosts; 117 int hash_known_hosts;
118
119 int tun_open; /* tun(4) */
120 int tun_local; /* force tun device (optional) */
121 int tun_remote; /* force tun device (optional) */
122
123 char *local_command;
124 int permit_local_command;
125
118} Options; 126} Options;
119 127
120#define SSHCTL_MASTER_NO 0 128#define SSHCTL_MASTER_NO 0
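Review bot: The new Options fields are under-documented: `tun_local` and `tun_remote` carry the identical comment "force tun device (optional)", and `local_command` / `permit_local_command` have none. Suggested comments are `int tun_local; /* local tun device id, or SSH_TUNID_ANY */`, `int tun_remote; /* remote tun device id, or SSH_TUNID_ANY */` and `int permit_local_command; /* gate for running local_command; default off */`. The defaults named here come from fill_default_options() in readconf.c in this same commit.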
diff --git a/regress/README.regress b/regress/README.regress
index 0c07c9cf1..5aaf734bd 100644
--- a/regress/README.regress
+++ b/regress/README.regress
@@ -97,8 +97,12 @@ Known Issues.
97 unless ssh-rand-helper is in pre-installed (the path to 97 unless ssh-rand-helper is in pre-installed (the path to
98 ssh-rand-helper is hard coded). 98 ssh-rand-helper is hard coded).
99 99
100- Similarly, if you do not have "scp" in your system's $PATH then the
101 multiplex scp tests will fail (since the system's shell startup scripts
102 will determine where the shell started by sshd will look for scp).
103
100- Recent GNU coreutils deprecate "head -[n]": this will cause the yes-head 104- Recent GNU coreutils deprecate "head -[n]": this will cause the yes-head
101 test to fail. The old behaviour can be restored by setting (and 105 test to fail. The old behaviour can be restored by setting (and
102 exporting) _POSIX2_VERSION=199209 before running the tests. 106 exporting) _POSIX2_VERSION=199209 before running the tests.
103 107
104$Id: README.regress,v 1.9 2004/08/17 12:31:33 dtucker Exp $ 108$Id: README.regress,v 1.10 2005/10/03 10:14:18 dtucker Exp $
diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh
index 46d20dc2b..6186a8d48 100644
--- a/regress/agent-getpeereid.sh
+++ b/regress/agent-getpeereid.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: agent-getpeereid.sh,v 1.1 2002/12/09 16:05:02 markus Exp $ 1# $OpenBSD: agent-getpeereid.sh,v 1.2 2005/11/14 21:25:56 grunk Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="disallow agent attach from other uid" 4tid="disallow agent attach from other uid"
@@ -27,7 +27,7 @@ else
27 fail "ssh-add failed with $r != 1" 27 fail "ssh-add failed with $r != 1"
28 fi 28 fi
29 29
30 < /dev/null sudo -S -u ${UNPRIV} ssh-add -l > /dev/null 2>&1 30 < /dev/null ${SUDO} -S -u ${UNPRIV} ssh-add -l > /dev/null 2>&1
31 r=$? 31 r=$?
32 if [ $r -lt 2 ]; then 32 if [ $r -lt 2 ]; then
33 fail "ssh-add did not fail for ${UNPRIV}: $r < 2" 33 fail "ssh-add did not fail for ${UNPRIV}: $r < 2"
diff --git a/regress/forwarding.sh b/regress/forwarding.sh
index dfe065dd6..3b171144f 100644
--- a/regress/forwarding.sh
+++ b/regress/forwarding.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: forwarding.sh,v 1.4 2002/03/15 13:08:56 markus Exp $ 1# $OpenBSD: forwarding.sh,v 1.5 2005/03/10 10:20:39 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="local and remote forwarding" 4tid="local and remote forwarding"
@@ -32,3 +32,34 @@ for p in 1 2; do
32 32
33 sleep 10 33 sleep 10
34done 34done
35
36for p in 1 2; do
37 trace "simple clear forwarding proto $p"
38 ${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
39
40 trace "clear local forward proto $p"
41 ${SSH} -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
42 -oClearAllForwardings=yes somehost sleep 10
43 if [ $? != 0 ]; then
44 fail "connection failed with cleared local forwarding"
45 else
46 # this one should fail
47 ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
48 2>${TEST_SSH_LOGFILE} && \
49 fail "local forwarding not cleared"
50 fi
51 sleep 10
52
53 trace "clear remote forward proto $p"
54 ${SSH} -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
55 -oClearAllForwardings=yes somehost sleep 10
56 if [ $? != 0 ]; then
57 fail "connection failed with cleared remote forwarding"
58 else
59 # this one should fail
60 ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
61 2>${TEST_SSH_LOGFILE} && \
62 fail "remote forwarding not cleared"
63 fi
64 sleep 10
65done
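Review bot: Both "this one should fail" checks redirect with `2>${TEST_SSH_LOGFILE}`, which truncates the file each time. If that file also receives the output of the preceding commands in the loop, it is gone by the time a failure is reported. Appending keeps it: `2>>${TEST_SSH_LOGFILE}`. The checks also rely on the local `sleep 10` matching the `sleep 10` run on somehost, and a one-line comment stating that coupling would help whoever adjusts the timing later.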
diff --git a/regress/multiplex.sh b/regress/multiplex.sh
index a172e5790..4fba7b5ac 100644
--- a/regress/multiplex.sh
+++ b/regress/multiplex.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: multiplex.sh,v 1.10 2005/02/27 11:33:30 dtucker Exp $ 1# $OpenBSD: multiplex.sh,v 1.11 2005/04/25 09:54:09 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4CTL=/tmp/openssh.regress.ctl-sock.$$ 4CTL=/tmp/openssh.regress.ctl-sock.$$
diff --git a/regress/reconfigure.sh b/regress/reconfigure.sh
index ba6dbc6f5..1daf29f9a 100644
--- a/regress/reconfigure.sh
+++ b/regress/reconfigure.sh
@@ -15,8 +15,9 @@ esac
15 15
16start_sshd 16start_sshd
17 17
18$SUDO kill -HUP `cat $PIDFILE` 18PID=`cat $PIDFILE`
19sleep 1 19rm -f $PIDFILE
20$SUDO kill -HUP $PID
20 21
21trace "wait for sshd to restart" 22trace "wait for sshd to restart"
22i=0; 23i=0;
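Review bot: `PID` is read from `$PIDFILE` and passed to `$SUDO kill -HUP $PID` without a check that it is non-empty. If the file is missing or empty, the test fails inside kill with a usage error rather than a clear message, and the pid file has already been removed. A guard right after the read makes the failure explicit, e.g. `[ -n "$PID" ] || fatal "no sshd pid in $PIDFILE"`. Whether start_sshd already guarantees the file exists cannot be seen from this hunk.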
diff --git a/regress/scp-ssh-wrapper.sh b/regress/scp-ssh-wrapper.sh
index 8e4314773..d1005a995 100644
--- a/regress/scp-ssh-wrapper.sh
+++ b/regress/scp-ssh-wrapper.sh
@@ -1,5 +1,5 @@
1#!/bin/sh 1#!/bin/sh
2# $OpenBSD: scp-ssh-wrapper.sh,v 1.1 2004/06/13 13:51:02 dtucker Exp $ 2# $OpenBSD: scp-ssh-wrapper.sh,v 1.2 2005/12/14 04:36:39 dtucker Exp $
3# Placed in the Public Domain. 3# Placed in the Public Domain.
4 4
5printname () { 5printname () {
@@ -16,8 +16,11 @@ printname () {
16 done 16 done
17} 17}
18 18
19# discard first 5 args 19# Discard all but last argument. We use arg later.
20shift; shift; shift; shift; shift 20while test "$1" != ""; do
21 arg="$1"
22 shift
23done
21 24
22BAD="../../../../../../../../../../../../../${DIR}/dotpathdir" 25BAD="../../../../../../../../../../../../../${DIR}/dotpathdir"
23 26
@@ -49,6 +52,6 @@ badserver_4)
49 echo "X" 52 echo "X"
50 ;; 53 ;;
51*) 54*)
52 exec $1 55 exec $arg
53 ;; 56 ;;
54esac 57esac
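Review bot: The new loop `while test "$1" != ""` stops at the first empty argument rather than at the end of the argument list, so `arg` is not guaranteed to hold the last argument as the comment above it says. Testing the argument count avoids that: `while [ $# -gt 0 ]; do`. In the second hunk, `exec $arg` relies on unquoted word splitting of that value. That looks intentional for a command string, but it deserves a comment such as `# $arg is a full command line; word splitting is intended`.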
diff --git a/regress/scp.sh b/regress/scp.sh
index c3034b6e7..c5d412dd9 100644
--- a/regress/scp.sh
+++ b/regress/scp.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: scp.sh,v 1.3 2004/07/08 12:59:35 dtucker Exp $ 1# $OpenBSD: scp.sh,v 1.7 2006/01/31 10:36:33 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="scp" 4tid="scp"
@@ -28,6 +28,11 @@ scpclean() {
28 mkdir ${DIR} ${DIR2} 28 mkdir ${DIR} ${DIR2}
29} 29}
30 30
31verbose "$tid: simple copy local file to local file"
32scpclean
33$SCP $scpopts ${DATA} ${COPY} || fail "copy failed"
34cmp ${DATA} ${COPY} || fail "corrupted copy"
35
31verbose "$tid: simple copy local file to remote file" 36verbose "$tid: simple copy local file to remote file"
32scpclean 37scpclean
33$SCP $scpopts ${DATA} somehost:${COPY} || fail "copy failed" 38$SCP $scpopts ${DATA} somehost:${COPY} || fail "copy failed"
@@ -44,6 +49,12 @@ cp ${DATA} ${COPY}
44$SCP $scpopts ${COPY} somehost:${DIR} || fail "copy failed" 49$SCP $scpopts ${COPY} somehost:${DIR} || fail "copy failed"
45cmp ${COPY} ${DIR}/copy || fail "corrupted copy" 50cmp ${COPY} ${DIR}/copy || fail "corrupted copy"
46 51
52verbose "$tid: simple copy local file to local dir"
53scpclean
54cp ${DATA} ${COPY}
55$SCP $scpopts ${COPY} ${DIR} || fail "copy failed"
56cmp ${COPY} ${DIR}/copy || fail "corrupted copy"
57
47verbose "$tid: simple copy remote file to local dir" 58verbose "$tid: simple copy remote file to local dir"
48scpclean 59scpclean
49cp ${DATA} ${COPY} 60cp ${DATA} ${COPY}
@@ -57,6 +68,13 @@ cp ${DATA} ${DIR}/copy
57$SCP $scpopts -r ${DIR} somehost:${DIR2} || fail "copy failed" 68$SCP $scpopts -r ${DIR} somehost:${DIR2} || fail "copy failed"
58diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy" 69diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
59 70
71verbose "$tid: recursive local dir to local dir"
72scpclean
73rm -rf ${DIR2}
74cp ${DATA} ${DIR}/copy
75$SCP $scpopts -r ${DIR} ${DIR2} || fail "copy failed"
76diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
77
60verbose "$tid: recursive remote dir to local dir" 78verbose "$tid: recursive remote dir to local dir"
61scpclean 79scpclean
62rm -rf ${DIR2} 80rm -rf ${DIR2}
@@ -64,6 +82,13 @@ cp ${DATA} ${DIR}/copy
64$SCP $scpopts -r somehost:${DIR} ${DIR2} || fail "copy failed" 82$SCP $scpopts -r somehost:${DIR} ${DIR2} || fail "copy failed"
65diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy" 83diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
66 84
85verbose "$tid: shell metacharacters"
86scpclean
87(cd ${DIR} && \
88touch '`touch metachartest`' && \
89$SCP $scpopts *metachar* ${DIR2} 2>/dev/null; \
90[ ! -f metachartest ] ) || fail "shell metacharacters"
91
67if [ ! -z "$SUDO" ]; then 92if [ ! -z "$SUDO" ]; then
68 verbose "$tid: skipped file after scp -p with failed chown+utimes" 93 verbose "$tid: skipped file after scp -p with failed chown+utimes"
69 scpclean 94 scpclean
@@ -73,7 +98,7 @@ if [ ! -z "$SUDO" ]; then
73 chmod 660 ${DIR2}/copy 98 chmod 660 ${DIR2}/copy
74 $SUDO chown root ${DIR2}/copy 99 $SUDO chown root ${DIR2}/copy
75 $SCP -p $scpopts somehost:${DIR}/\* ${DIR2} >/dev/null 2>&1 100 $SCP -p $scpopts somehost:${DIR}/\* ${DIR2} >/dev/null 2>&1
76 diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy" 101 $SUDO diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
77 $SUDO rm ${DIR2}/copy 102 $SUDO rm ${DIR2}/copy
78fi 103fi
79 104
@@ -91,5 +116,12 @@ for i in 0 1 2 3 4; do
91 [ -d ${DIR}/dotpathdir ] && fail "allows dir creation outside of subdir" 116 [ -d ${DIR}/dotpathdir ] && fail "allows dir creation outside of subdir"
92done 117done
93 118
119verbose "$tid: detect non-directory target"
120scpclean
121echo a > ${COPY}
122echo b > ${COPY2}
123$SCP $scpopts ${DATA} ${COPY} ${COPY2}
124cmp ${COPY} ${COPY2} >/dev/null && fail "corrupt target"
125
94scpclean 126scpclean
95rm -f ${OBJ}/scp-ssh-wrapper.scp 127rm -f ${OBJ}/scp-ssh-wrapper.scp
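Review bot: In the "detect non-directory target" case the exit status of `$SCP $scpopts ${DATA} ${COPY} ${COPY2}` is discarded, and the test only checks afterwards that the two files still differ. If scp is meant to reject a non-directory target when given several sources, the test should assert that as well, e.g. `$SCP $scpopts ${DATA} ${COPY} ${COPY2} && fail "non-directory target accepted"`. The "shell metacharacters" case also drops scp's stderr and status. That is reasonable there, because only the side effect is under test, but a one-line comment saying so would stop a later reader from "fixing" it.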
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 4b3a70eb3..59ae33c08 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: test-exec.sh,v 1.27 2005/02/27 11:33:30 dtucker Exp $ 1# $OpenBSD: test-exec.sh,v 1.28 2005/05/20 23:14:15 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4#SUDO=sudo 4#SUDO=sudo
@@ -24,6 +24,8 @@ if [ -x /usr/ucb/whoami ]; then
24 USER=`/usr/ucb/whoami` 24 USER=`/usr/ucb/whoami`
25elif whoami >/dev/null 2>&1; then 25elif whoami >/dev/null 2>&1; then
26 USER=`whoami` 26 USER=`whoami`
27elif logname >/dev/null 2>&1; then
28 USER=`logname`
27else 29else
28 USER=`id -un` 30 USER=`id -un`
29fi 31fi
@@ -194,6 +196,7 @@ trap fatal 3 2
194cat << EOF > $OBJ/sshd_config 196cat << EOF > $OBJ/sshd_config
195 StrictModes no 197 StrictModes no
196 Port $PORT 198 Port $PORT
199 AddressFamily inet
197 ListenAddress 127.0.0.1 200 ListenAddress 127.0.0.1
198 #ListenAddress ::1 201 #ListenAddress ::1
199 PidFile $PIDFILE 202 PidFile $PIDFILE
@@ -244,7 +247,7 @@ trace "generate keys"
244for t in rsa rsa1; do 247for t in rsa rsa1; do
245 # generate user key 248 # generate user key
246 rm -f $OBJ/$t 249 rm -f $OBJ/$t
247 ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t ||\ 250 ${SSHKEYGEN} -b 1024 -q -N '' -t $t -f $OBJ/$t ||\
248 fail "ssh-keygen for $t failed" 251 fail "ssh-keygen for $t failed"
249 252
250 # known hosts file for client 253 # known hosts file for client
diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh
index c6e1b9152..379fe353a 100644
--- a/regress/try-ciphers.sh
+++ b/regress/try-ciphers.sh
@@ -1,9 +1,10 @@
1# $OpenBSD: try-ciphers.sh,v 1.9 2004/02/28 13:44:45 dtucker Exp $ 1# $OpenBSD: try-ciphers.sh,v 1.10 2005/05/24 04:10:54 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="try ciphers" 4tid="try ciphers"
5 5
6ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour 6ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
7 arcfour128 arcfour256 arcfour
7 aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se 8 aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
8 aes128-ctr aes192-ctr aes256-ctr" 9 aes128-ctr aes192-ctr aes256-ctr"
9macs="hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96" 10macs="hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96"
diff --git a/regress/yes-head.sh b/regress/yes-head.sh
index 17a4d0dd4..a8e6bc800 100644
--- a/regress/yes-head.sh
+++ b/regress/yes-head.sh
@@ -4,7 +4,7 @@
4tid="yes pipe head" 4tid="yes pipe head"
5 5
6for p in 1 2; do 6for p in 1 2; do
7 lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | head -2000"' | (sleep 3 ; wc -l)` 7 lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)`
8 if [ $? -ne 0 ]; then 8 if [ $? -ne 0 ]; then
9 fail "yes|head test failed" 9 fail "yes|head test failed"
10 lines = 0; 10 lines = 0;
diff --git a/scp.0 b/scp.0
index aa54dda3f..2c7f15567 100644
--- a/scp.0
+++ b/scp.0
@@ -92,6 +92,7 @@ DESCRIPTION
92 Protocol 92 Protocol
93 ProxyCommand 93 ProxyCommand
94 PubkeyAuthentication 94 PubkeyAuthentication
95 RekeyLimit
95 RhostsRSAAuthentication 96 RhostsRSAAuthentication
96 RSAAuthentication 97 RSAAuthentication
97 SendEnv 98 SendEnv
@@ -141,4 +142,4 @@ AUTHORS
141 Timo Rinne <tri@iki.fi> 142 Timo Rinne <tri@iki.fi>
142 Tatu Ylonen <ylo@cs.hut.fi> 143 Tatu Ylonen <ylo@cs.hut.fi>
143 144
144OpenBSD 3.8 September 25, 1999 3 145OpenBSD 3.9 September 25, 1999 3
diff --git a/scp.1 b/scp.1
index b5191e318..d9b1f8e8f 100644
--- a/scp.1
+++ b/scp.1
@@ -9,7 +9,7 @@
9.\" 9.\"
10.\" Created: Sun May 7 00:14:37 1995 ylo 10.\" Created: Sun May 7 00:14:37 1995 ylo
11.\" 11.\"
12.\" $OpenBSD: scp.1,v 1.38 2005/03/01 17:19:35 jmc Exp $ 12.\" $OpenBSD: scp.1,v 1.39 2006/01/20 00:14:55 dtucker Exp $
13.\" 13.\"
14.Dd September 25, 1999 14.Dd September 25, 1999
15.Dt SCP 1 15.Dt SCP 1
@@ -152,6 +152,7 @@ For full details of the options listed below, and their possible values, see
152.It Protocol 152.It Protocol
153.It ProxyCommand 153.It ProxyCommand
154.It PubkeyAuthentication 154.It PubkeyAuthentication
155.It RekeyLimit
155.It RhostsRSAAuthentication 156.It RhostsRSAAuthentication
156.It RSAAuthentication 157.It RSAAuthentication
157.It SendEnv 158.It SendEnv
diff --git a/scp.c b/scp.c
index 1407aa71d..620024ea7 100644
--- a/scp.c
+++ b/scp.c
@@ -71,7 +71,7 @@
71 */ 71 */
72 72
73#include "includes.h" 73#include "includes.h"
74RCSID("$OpenBSD: scp.c,v 1.125 2005/07/27 10:39:03 dtucker Exp $"); 74RCSID("$OpenBSD: scp.c,v 1.130 2006/01/31 10:35:43 djm Exp $");
75 75
76#include "xmalloc.h" 76#include "xmalloc.h"
77#include "atomicio.h" 77#include "atomicio.h"
@@ -118,6 +118,48 @@ killchild(int signo)
118 exit(1); 118 exit(1);
119} 119}
120 120
121static int
122do_local_cmd(arglist *a)
123{
124 u_int i;
125 int status;
126 pid_t pid;
127
128 if (a->num == 0)
129 fatal("do_local_cmd: no arguments");
130
131 if (verbose_mode) {
132 fprintf(stderr, "Executing:");
133 for (i = 0; i < a->num; i++)
134 fprintf(stderr, " %s", a->list[i]);
135 fprintf(stderr, "\n");
136 }
137 if ((pid = fork()) == -1)
138 fatal("do_local_cmd: fork: %s", strerror(errno));
139
140 if (pid == 0) {
141 execvp(a->list[0], a->list);
142 perror(a->list[0]);
143 exit(1);
144 }
145
146 do_cmd_pid = pid;
147 signal(SIGTERM, killchild);
148 signal(SIGINT, killchild);
149 signal(SIGHUP, killchild);
150
151 while (waitpid(pid, &status, 0) == -1)
152 if (errno != EINTR)
153 fatal("do_local_cmd: waitpid: %s", strerror(errno));
154
155 do_cmd_pid = -1;
156
157 if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
158 return (-1);
159
160 return (0);
161}
162
121/* 163/*
122 * This function executes the given command as the specified user on the 164 * This function executes the given command as the specified user on the
123 * given host. This returns < 0 if execution fails, and >= 0 otherwise. This 165 * given host. This returns < 0 if execution fails, and >= 0 otherwise. This
@@ -162,7 +204,7 @@ do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc)
162 close(pin[0]); 204 close(pin[0]);
163 close(pout[1]); 205 close(pout[1]);
164 206
165 args.list[0] = ssh_program; 207 replacearg(&args, 0, "%s", ssh_program);
166 if (remuser != NULL) 208 if (remuser != NULL)
167 addargs(&args, "-l%s", remuser); 209 addargs(&args, "-l%s", remuser);
168 addargs(&args, "%s", host); 210 addargs(&args, "%s", host);
@@ -222,12 +264,17 @@ main(int argc, char **argv)
222 extern char *optarg; 264 extern char *optarg;
223 extern int optind; 265 extern int optind;
224 266
267 /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
268 sanitise_stdfd();
269
225 __progname = ssh_get_progname(argv[0]); 270 __progname = ssh_get_progname(argv[0]);
226 271
272 memset(&args, '\0', sizeof(args));
227 args.list = NULL; 273 args.list = NULL;
228 addargs(&args, "ssh"); /* overwritten with ssh_program */ 274 addargs(&args, "%s", ssh_program);
229 addargs(&args, "-x"); 275 addargs(&args, "-x");
230 addargs(&args, "-oForwardAgent no"); 276 addargs(&args, "-oForwardAgent no");
277 addargs(&args, "-oPermitLocalCommand no");
231 addargs(&args, "-oClearAllForwardings yes"); 278 addargs(&args, "-oClearAllForwardings yes");
232 279
233 fflag = tflag = 0; 280 fflag = tflag = 0;
@@ -336,9 +383,9 @@ main(int argc, char **argv)
336 if ((targ = colon(argv[argc - 1]))) /* Dest is remote host. */ 383 if ((targ = colon(argv[argc - 1]))) /* Dest is remote host. */
337 toremote(targ, argc, argv); 384 toremote(targ, argc, argv);
338 else { 385 else {
339 tolocal(argc, argv); /* Dest is local host. */
340 if (targetshouldbedirectory) 386 if (targetshouldbedirectory)
341 verifydir(argv[argc - 1]); 387 verifydir(argv[argc - 1]);
388 tolocal(argc, argv); /* Dest is local host. */
342 } 389 }
343 /* 390 /*
344 * Finally check the exit status of the ssh process, if one was forked 391 * Finally check the exit status of the ssh process, if one was forked
@@ -364,6 +411,10 @@ toremote(char *targ, int argc, char **argv)
364{ 411{
365 int i, len; 412 int i, len;
366 char *bp, *host, *src, *suser, *thost, *tuser, *arg; 413 char *bp, *host, *src, *suser, *thost, *tuser, *arg;
414 arglist alist;
415
416 memset(&alist, '\0', sizeof(alist));
417 alist.list = NULL;
367 418
368 *targ++ = 0; 419 *targ++ = 0;
369 if (*targ == 0) 420 if (*targ == 0)
@@ -381,56 +432,48 @@ toremote(char *targ, int argc, char **argv)
381 tuser = NULL; 432 tuser = NULL;
382 } 433 }
383 434
435 if (tuser != NULL && !okname(tuser)) {
436 xfree(arg);
437 return;
438 }
439
384 for (i = 0; i < argc - 1; i++) { 440 for (i = 0; i < argc - 1; i++) {
385 src = colon(argv[i]); 441 src = colon(argv[i]);
386 if (src) { /* remote to remote */ 442 if (src) { /* remote to remote */
387 static char *ssh_options = 443 freeargs(&alist);
388 "-x -o'ClearAllForwardings yes'"; 444 addargs(&alist, "%s", ssh_program);
445 if (verbose_mode)
446 addargs(&alist, "-v");
447 addargs(&alist, "-x");
448 addargs(&alist, "-oClearAllForwardings yes");
449 addargs(&alist, "-n");
450
389 *src++ = 0; 451 *src++ = 0;
390 if (*src == 0) 452 if (*src == 0)
391 src = "."; 453 src = ".";
392 host = strrchr(argv[i], '@'); 454 host = strrchr(argv[i], '@');
393 len = strlen(ssh_program) + strlen(argv[i]) + 455
394 strlen(src) + (tuser ? strlen(tuser) : 0) +
395 strlen(thost) + strlen(targ) +
396 strlen(ssh_options) + CMDNEEDS + 20;
397 bp = xmalloc(len);
398 if (host) { 456 if (host) {
399 *host++ = 0; 457 *host++ = 0;
400 host = cleanhostname(host); 458 host = cleanhostname(host);
401 suser = argv[i]; 459 suser = argv[i];
402 if (*suser == '\0') 460 if (*suser == '\0')
403 suser = pwd->pw_name; 461 suser = pwd->pw_name;
404 else if (!okname(suser)) { 462 else if (!okname(suser))
405 xfree(bp);
406 continue; 463 continue;
407 } 464 addargs(&alist, "-l");
408 if (tuser && !okname(tuser)) { 465 addargs(&alist, "%s", suser);
409 xfree(bp);
410 continue;
411 }
412 snprintf(bp, len,
413 "%s%s %s -n "
414 "-l %s %s %s %s '%s%s%s:%s'",
415 ssh_program, verbose_mode ? " -v" : "",
416 ssh_options, suser, host, cmd, src,
417 tuser ? tuser : "", tuser ? "@" : "",
418 thost, targ);
419 } else { 466 } else {
420 host = cleanhostname(argv[i]); 467 host = cleanhostname(argv[i]);
421 snprintf(bp, len,
422 "exec %s%s %s -n %s "
423 "%s %s '%s%s%s:%s'",
424 ssh_program, verbose_mode ? " -v" : "",
425 ssh_options, host, cmd, src,
426 tuser ? tuser : "", tuser ? "@" : "",
427 thost, targ);
428 } 468 }
429 if (verbose_mode) 469 addargs(&alist, "%s", host);
430 fprintf(stderr, "Executing: %s\n", bp); 470 addargs(&alist, "%s", cmd);
431 if (system(bp) != 0) 471 addargs(&alist, "%s", src);
472 addargs(&alist, "%s%s%s:%s",
473 tuser ? tuser : "", tuser ? "@" : "",
474 thost, targ);
475 if (do_local_cmd(&alist) != 0)
432 errs = 1; 476 errs = 1;
433 (void) xfree(bp);
434 } else { /* local to remote */ 477 } else { /* local to remote */
435 if (remin == -1) { 478 if (remin == -1) {
436 len = strlen(targ) + CMDNEEDS + 20; 479 len = strlen(targ) + CMDNEEDS + 20;
@@ -454,20 +497,23 @@ tolocal(int argc, char **argv)
454{ 497{
455 int i, len; 498 int i, len;
456 char *bp, *host, *src, *suser; 499 char *bp, *host, *src, *suser;
500 arglist alist;
501
502 memset(&alist, '\0', sizeof(alist));
503 alist.list = NULL;
457 504
458 for (i = 0; i < argc - 1; i++) { 505 for (i = 0; i < argc - 1; i++) {
459 if (!(src = colon(argv[i]))) { /* Local to local. */ 506 if (!(src = colon(argv[i]))) { /* Local to local. */
460 len = strlen(_PATH_CP) + strlen(argv[i]) + 507 freeargs(&alist);
461 strlen(argv[argc - 1]) + 20; 508 addargs(&alist, "%s", _PATH_CP);
462 bp = xmalloc(len); 509 if (iamrecursive)
463 (void) snprintf(bp, len, "exec %s%s%s %s %s", _PATH_CP, 510 addargs(&alist, "-r");
464 iamrecursive ? " -r" : "", pflag ? " -p" : "", 511 if (pflag)
465 argv[i], argv[argc - 1]); 512 addargs(&alist, "-p");
466 if (verbose_mode) 513 addargs(&alist, "%s", argv[i]);
467 fprintf(stderr, "Executing: %s\n", bp); 514 addargs(&alist, "%s", argv[argc-1]);
468 if (system(bp)) 515 if (do_local_cmd(&alist))
469 ++errs; 516 ++errs;
470 (void) xfree(bp);
471 continue; 517 continue;
472 } 518 }
473 *src++ = 0; 519 *src++ = 0;
@@ -560,7 +606,7 @@ syserr: run_err("%s: %s", name, strerror(errno));
560#define FILEMODEMASK (S_ISUID|S_ISGID|S_IRWXU|S_IRWXG|S_IRWXO) 606#define FILEMODEMASK (S_ISUID|S_ISGID|S_IRWXU|S_IRWXG|S_IRWXO)
561 snprintf(buf, sizeof buf, "C%04o %lld %s\n", 607 snprintf(buf, sizeof buf, "C%04o %lld %s\n",
562 (u_int) (stb.st_mode & FILEMODEMASK), 608 (u_int) (stb.st_mode & FILEMODEMASK),
563 (int64_t)stb.st_size, last); 609 (long long)stb.st_size, last);
564 if (verbose_mode) { 610 if (verbose_mode) {
565 fprintf(stderr, "Sending file modes: %s", buf); 611 fprintf(stderr, "Sending file modes: %s", buf);
566 } 612 }
@@ -568,7 +614,10 @@ syserr: run_err("%s: %s", name, strerror(errno));
568 if (response() < 0) 614 if (response() < 0)
569 goto next; 615 goto next;
570 if ((bp = allocbuf(&buffer, fd, 2048)) == NULL) { 616 if ((bp = allocbuf(&buffer, fd, 2048)) == NULL) {
571next: (void) close(fd); 617next: if (fd != -1) {
618 (void) close(fd);
619 fd = -1;
620 }
572 continue; 621 continue;
573 } 622 }
574 if (showprogress) 623 if (showprogress)
@@ -597,8 +646,11 @@ next: (void) close(fd);
597 if (showprogress) 646 if (showprogress)
598 stop_progress_meter(); 647 stop_progress_meter();
599 648
600 if (close(fd) < 0 && !haderr) 649 if (fd != -1) {
601 haderr = errno; 650 if (close(fd) < 0 && !haderr)
651 haderr = errno;
652 fd = -1;
653 }
602 if (!haderr) 654 if (!haderr)
603 (void) atomicio(vwrite, remout, "", 1); 655 (void) atomicio(vwrite, remout, "", 1);
604 else 656 else
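--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.144 2005/08/06 10:03:12 dtucker Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.146 2005/12/08 18:34:11 reyk Exp $");
 
 #include "ssh.h"
 #include "log.h"
@@ -102,6 +102,7 @@ initialize_server_options(ServerOptions *options)
  options->authorized_keys_file = NULL;
  options->authorized_keys_file2 = NULL;
  options->num_accept_env = 0;
+ options->permit_tun = -1;
 
  /* Needs to be accessable in many places */
  use_privsep = -1;
@@ -232,6 +233,8 @@ fill_default_server_options(ServerOptions *options)
  }
  if (options->authorized_keys_file == NULL)
  options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
+ if (options->permit_tun == -1)
+ options->permit_tun = SSH_TUNMODE_NO;
 
  /* Turn privilege separation on by default */
  if (use_privsep == -1)
@@ -273,7 +276,8 @@ typedef enum {
  sBanner, sUseDNS, sHostbasedAuthentication,
  sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
  sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
- sGssAuthentication, sGssKeyEx, sGssCleanupCreds, sAcceptEnv,
+ sGssAuthentication, sGssKeyEx, sGssCleanupCreds,
+ sAcceptEnv, sPermitTunnel,
  sUsePrivilegeSeparation,
  sDeprecated, sUnsupported
 } ServerOpCodes;
@@ -378,6 +382,7 @@ static struct {
  { "authorizedkeysfile2", sAuthorizedKeysFile2 },
  { "useprivilegeseparation", sUsePrivilegeSeparation},
  { "acceptenv", sAcceptEnv },
+ { "permittunnel", sPermitTunnel },
  { NULL, sBadOption }
 };
 
@@ -971,6 +976,28 @@ parse_flag:
  }
  break;
 
+ case sPermitTunnel:
+ intptr = &options->permit_tun;
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: Missing yes/point-to-point/"
+ "ethernet/no argument.", filename, linenum);
+ value = 0; /* silence compiler */
+ if (strcasecmp(arg, "ethernet") == 0)
+ value = SSH_TUNMODE_ETHERNET;
+ else if (strcasecmp(arg, "point-to-point") == 0)
+ value = SSH_TUNMODE_POINTOPOINT;
+ else if (strcasecmp(arg, "yes") == 0)
+ value = SSH_TUNMODE_YES;
+ else if (strcasecmp(arg, "no") == 0)
+ value = SSH_TUNMODE_NO;
+ else
+ fatal("%s line %d: Bad yes/point-to-point/ethernet/"
+ "no argument: %s", filename, linenum, arg);
+ if (*intptr == -1)
+ *intptr = value;
+ break;
+
  case sDeprecated:
  logit("%s line %d: Deprecated option %s",
  filename, linenum, arg);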
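Review bot: The `sPermitTunnel` case and the new `permit_tun` field carry no comment saying that the stored value is used as a bit mask, yet serverloop.c on this page tests it with `(options.permit_tun & mode) == 0`, so `yes` only works if SSH_TUNMODE_YES contains both mode bits. The SSH_TUNMODE_* definitions are not part of this section, so that relationship cannot be checked from here. I would add `/* value is an SSH_TUNMODE_* bit mask; server_request_tun() tests it with & */` above `intptr = &options->permit_tun;`, and annotate the field in servconf.h as `int permit_tun; /* SSH_TUNMODE_* mask set by PermitTunnel */`, since its neighbours there are commented and it is not.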
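--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.71 2004/12/23 23:11:00 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.72 2005/12/06 22:38:27 reyk Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -134,7 +134,10 @@ typedef struct {
 
  char *authorized_keys_file; /* File containing public keys */
  char *authorized_keys_file2;
+
  int use_pam; /* Enable auth via PAM */
+
+ int permit_tun;
 } ServerOptions;
 
 void initialize_server_options(ServerOptions *);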
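--- a/serverloop.c
+++ b/serverloop.c
@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.118 2005/07/17 07:17:55 djm Exp $");
+RCSID("$OpenBSD: serverloop.c,v 1.124 2005/12/13 15:03:02 reyk Exp $");
 
 #include "xmalloc.h"
 #include "packet.h"
@@ -61,6 +61,7 @@ extern ServerOptions options;
 /* XXX */
 extern Kex *xxx_kex;
 extern Authctxt *the_authctxt;
+extern int use_privsep;
 
 static Buffer stdin_buffer; /* Buffer for stdin data. */
 static Buffer stdout_buffer; /* Buffer for stdout data. */
@@ -90,6 +91,9 @@ static int client_alive_timeouts = 0;
 
 static volatile sig_atomic_t child_terminated = 0; /* The child has terminated. */
 
+/* Cleanup on signals (!use_privsep case only) */
+static volatile sig_atomic_t received_sigterm = 0;
+
 /* prototypes */
 static void server_init_dispatch(void);
 
@@ -151,6 +155,12 @@ sigchld_handler(int sig)
  errno = save_errno;
 }
 
+static void
+sigterm_handler(int sig)
+{
+ received_sigterm = sig;
+}
+
 /*
  * Make packets from buffered stderr data, and buffer it for sending
  * to the client.
@@ -502,6 +512,12 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
  child_terminated = 0;
  mysignal(SIGCHLD, sigchld_handler);
 
+ if (!use_privsep) {
+ signal(SIGTERM, sigterm_handler);
+ signal(SIGINT, sigterm_handler);
+ signal(SIGQUIT, sigterm_handler);
+ }
+
  /* Initialize our global variables. */
  fdin = fdin_arg;
  fdout = fdout_arg;
@@ -548,7 +564,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
  * If we have no separate fderr (which is the case when we have a pty
  * - there we cannot make difference between data sent to stdout and
  * stderr), indicate that we have seen an EOF from stderr. This way
- * we don\'t need to check the descriptor everywhere.
+ * we don't need to check the descriptor everywhere.
  */
  if (fderr == -1)
  fderr_eof = 1;
@@ -629,6 +645,12 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
  wait_until_can_do_something(&readset, &writeset, &max_fd,
  &nalloc, max_time_milliseconds);
 
+ if (received_sigterm) {
+ logit("Exiting on signal %d", received_sigterm);
+ /* Clean up sessions, utmp, etc. */
+ cleanup_exit(255);
+ }
+
  /* Process any channel events. */
  channel_after_select(readset, writeset);
 
@@ -749,6 +771,12 @@ server_loop2(Authctxt *authctxt)
  connection_in = packet_get_connection_in();
  connection_out = packet_get_connection_out();
 
+ if (!use_privsep) {
+ signal(SIGTERM, sigterm_handler);
+ signal(SIGINT, sigterm_handler);
+ signal(SIGQUIT, sigterm_handler);
+ }
+
  notify_setup();
 
  max_fd = MAX(connection_in, connection_out);
@@ -766,6 +794,12 @@ server_loop2(Authctxt *authctxt)
  wait_until_can_do_something(&readset, &writeset, &max_fd,
  &nalloc, 0);
 
+ if (received_sigterm) {
+ logit("Exiting on signal %d", received_sigterm);
+ /* Clean up sessions, utmp, etc. */
+ cleanup_exit(255);
+ }
+
  collect_children();
  if (!rekeying) {
  channel_after_select(readset, writeset);
@@ -880,6 +914,52 @@ server_request_direct_tcpip(void)
 }
 
 static Channel *
+server_request_tun(void)
+{
+ Channel *c = NULL;
+ int mode, tun;
+ int sock;
+
+ mode = packet_get_int();
+ switch (mode) {
+ case SSH_TUNMODE_POINTOPOINT:
+ case SSH_TUNMODE_ETHERNET:
+ break;
+ default:
+ packet_send_debug("Unsupported tunnel device mode.");
+ return NULL;
+ }
+ if ((options.permit_tun & mode) == 0) {
+ packet_send_debug("Server has rejected tunnel device "
+ "forwarding");
+ return NULL;
+ }
+
+ tun = packet_get_int();
+ if (forced_tun_device != -1) {
+ if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
+ goto done;
+ tun = forced_tun_device;
+ }
+ sock = tun_open(tun, mode);
+ if (sock < 0)
+ goto done;
+ c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+ c->datagram = 1;
+#if defined(SSH_TUN_FILTER)
+ if (mode == SSH_TUNMODE_POINTOPOINT)
+ channel_register_filter(c->self, sys_tun_infilter,
+ sys_tun_outfilter);
+#endif
+
+ done:
+ if (c == NULL)
+ packet_send_debug("Failed to open the tunnel device.");
+ return c;
+}
+
+static Channel *
 server_request_session(void)
 {
  Channel *c;
@@ -900,7 +980,7 @@ server_request_session(void)
  channel_free(c);
  return NULL;
  }
- channel_register_cleanup(c->self, session_close_by_channel);
+ channel_register_cleanup(c->self, session_close_by_channel, 0);
  return c;
 }
 
@@ -924,6 +1004,8 @@ server_input_channel_open(int type, u_int32_t seq, void *ctxt)
  c = server_request_session();
  } else if (strcmp(ctype, "direct-tcpip") == 0) {
  c = server_request_direct_tcpip();
+ } else if (strcmp(ctype, "tun@openssh.com") == 0) {
+ c = server_request_tun();
  }
  if (c != NULL) {
  debug("server_input_channel_open: confirm %s", ctype);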
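Review bot: Every refusal path in the new server_request_tun() reports only to the client through `packet_send_debug()`, so a denied or failed tunnel request leaves no trace in the server log. Opening a tun device is a network-level operation an operator will want to audit, so I would add `logit("server_request_tun: mode %d refused by PermitTunnel", mode);` before the `return NULL;` in the `permit_tun` branch and a matching `logit()` under `done:` when `c == NULL`. Separately, the function reads `mode` and `tun` with `packet_get_int()` and never calls `packet_check_eom()`, so trailing bytes in the channel-open request are accepted silently. The sibling request handlers are outside this section, so whether they check is worth confirming before aligning this one.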
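--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.186 2005/07/25 11:59:40 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.191 2005/12/24 02:27:41 djm Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -209,15 +209,6 @@ do_authenticated(Authctxt *authctxt)
 {
  setproctitle("%s", authctxt->pw->pw_name);
 
- /*
- * Cancel the alarm we set to limit the time taken for
- * authentication.
- */
- alarm(0);
- if (startup_pipe != -1) {
- close(startup_pipe);
- startup_pipe = -1;
- }
  /* setup the channel layer */
  if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
  channel_permit_all_opens();
@@ -1419,7 +1410,7 @@ child_close_fds(void)
  endpwent();
 
  /*
- * Close any extra open file descriptors so that we don\'t have them
+ * Close any extra open file descriptors so that we don't have them
  * hanging around in clients. Note that we want to do this after
  * initgroups, because at least on Solaris 2.3 it leaves file
  * descriptors open.
@@ -1471,7 +1462,9 @@ do_child(Session *s, const char *command)
  if (!check_quietlogin(s, command))
  do_motd();
 #else /* HAVE_OSF_SIA */
- do_nologin(pw);
+ /* When PAM is enabled we rely on it to do the nologin check */
+ if (!options.use_pam)
+ do_nologin(pw);
  do_setusercontext(pw);
  /*
  * PAM session modules in do_setusercontext may have
@@ -1552,7 +1545,7 @@ do_child(Session *s, const char *command)
  }
 #endif
 
- /* Change current directory to the user\'s home directory. */
+ /* Change current directory to the user's home directory. */
  if (chdir(pw->pw_dir) < 0) {
  fprintf(stderr, "Could not chdir to home directory %s: %s\n",
  pw->pw_dir, strerror(errno));
@@ -1867,7 +1860,7 @@ session_x11_req(Session *s)
 
  if (s->auth_proto != NULL || s->auth_data != NULL) {
  error("session_x11_req: session %d: "
- "x11 fowarding already active", s->self);
+ "x11 forwarding already active", s->self);
  return 0;
  }
  s->single_connection = packet_get_char();
@@ -2099,7 +2092,7 @@ session_close_x11(int id)
 {
  Channel *c;
 
- if ((c = channel_lookup(id)) == NULL) {
+ if ((c = channel_by_id(id)) == NULL) {
  debug("session_close_x11: x11 channel %d missing", id);
  } else {
  /* Detach X11 listener */
@@ -2154,7 +2147,6 @@ static void
 session_exit_message(Session *s, int status)
 {
  Channel *c;
- u_int i;
 
  if ((c = channel_lookup(s->chanid)) == NULL)
  fatal("session_exit_message: session %d: no channel %d",
@@ -2184,7 +2176,14 @@ session_exit_message(Session *s, int status)
 
  /* disconnect channel */
  debug("session_exit_message: release channel %d", s->chanid);
- channel_cancel_cleanup(s->chanid);
+
+ /*
+ * Adjust cleanup callback attachment to send close messages when
+ * the channel gets EOF. The session will be then be closed
+ * by session_close_by_channel when the childs close their fds.
+ */
+ channel_register_cleanup(c->self, session_close_by_channel, 1);
+
  /*
  * emulate a write failure with 'chan_write_failed', nobody will be
  * interested in data we write.
@@ -2193,15 +2192,6 @@ session_exit_message(Session *s, int status)
  */
  if (c->ostate != CHAN_OUTPUT_CLOSED)
  chan_write_failed(c);
- s->chanid = -1;
-
- /* Close any X11 listeners associated with this session */
- if (s->x11_chanids != NULL) {
- for (i = 0; s->x11_chanids[i] != -1; i++) {
- session_close_x11(s->x11_chanids[i]);
- s->x11_chanids[i] = -1;
- }
- }
 }
 
 void
@@ -2245,7 +2235,9 @@ session_close_by_pid(pid_t pid, int status)
  }
  if (s->chanid != -1)
  session_exit_message(s, status);
- session_close(s);
+ if (s->ttyfd != -1)
+ session_pty_cleanup(s);
+ s->pid = 0;
 }
 
 /*
@@ -2256,6 +2248,7 @@ void
 session_close_by_channel(int id, void *arg)
 {
  Session *s = session_by_channel(id);
+ u_int i;
 
  if (s == NULL) {
  debug("session_close_by_channel: no session for id %d", id);
@@ -2275,6 +2268,15 @@ session_close_by_channel(int id, void *arg)
  }
  /* detach by removing callback */
  channel_cancel_cleanup(s->chanid);
+
+ /* Close any X11 listeners associated with this session */
+ if (s->x11_chanids != NULL) {
+ for (i = 0; s->x11_chanids[i] != -1; i++) {
+ session_close_x11(s->x11_chanids[i]);
+ s->x11_chanids[i] = -1;
+ }
+ }
+
  s->chanid = -1;
  session_close(s);
 }
@@ -2369,7 +2371,7 @@ session_setup_x11fwd(Session *s)
  }
  for (i = 0; s->x11_chanids[i] != -1; i++) {
  channel_register_cleanup(s->x11_chanids[i],
- session_close_single_x11);
+ session_close_single_x11, 0);
  }
 
  /* Set up a suitable value for the DISPLAY variable. */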
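Review bot: The new guard in do_child(), `if (!options.use_pam) do_nologin(pw);`, makes the nologin check depend entirely on the PAM account stack, and the added comment does not say what that stack must contain. If the sshd PAM service is configured without a nologin module (pam_nologin or an equivalent), logins would no longer be refused while nologin is in effect, and nothing here warns about it. I would expand the comment to `/* With UsePAM the account stack must enforce nologin (e.g. pam_nologin); sshd skips its own check */` and state the same requirement next to UsePAM in the documentation. do_child() starts and ends outside the hunk, so whether the PAM account check has already run at this point cannot be confirmed from here.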
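--- a/sftp-client.c
+++ b/sftp-client.c
@@ -20,7 +20,7 @@
 /* XXX: copy between two remote sites */
 
 #include "includes.h"
-RCSID("$OpenBSD: sftp-client.c,v 1.57 2005/07/27 10:39:03 dtucker Exp $");
+RCSID("$OpenBSD: sftp-client.c,v 1.58 2006/01/02 01:20:31 djm Exp $");
 
 #include "openbsd-compat/sys-queue.h"
 
@@ -42,9 +42,6 @@ extern int showprogress;
 /* Minimum amount of data to read at at time */
 #define MIN_READ_SIZE 512
 
-/* Maximum packet size */
-#define MAX_MSG_LENGTH (256 * 1024)
-
 struct sftp_conn {
  int fd_in;
  int fd_out;
@@ -59,7 +56,7 @@ send_msg(int fd, Buffer *m)
 {
  u_char mlen[4];
 
- if (buffer_len(m) > MAX_MSG_LENGTH)
+ if (buffer_len(m) > SFTP_MAX_MSG_LENGTH)
  fatal("Outbound message too long %u", buffer_len(m));
 
  /* Send length first */
@@ -87,7 +84,7 @@ get_msg(int fd, Buffer *m)
  }
 
  msg_len = buffer_get_int(m);
- if (msg_len > MAX_MSG_LENGTH)
+ if (msg_len > SFTP_MAX_MSG_LENGTH)
  fatal("Received message too long %u", msg_len);
 
  buffer_append_space(m, msg_len);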
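--- a/sftp-common.h
+++ b/sftp-common.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-common.h,v 1.5 2003/11/10 16:23:41 jakob Exp $ */
+/* $OpenBSD: sftp-common.h,v 1.6 2006/01/02 01:20:31 djm Exp $ */
 
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -25,6 +25,9 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+/* Maximum packet that we are willing to send/accept */
+#define SFTP_MAX_MSG_LENGTH (256 * 1024)
+
 typedef struct Attrib Attrib;
 
 /* File attributes */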
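--- a/sftp-server.0
+++ b/sftp-server.0
@@ -24,4 +24,4 @@ AUTHORS
 HISTORY
  sftp-server first appeared in OpenBSD 2.8 .
 
-OpenBSD 3.8 August 30, 2000 1
+OpenBSD 3.9 August 30, 2000 1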
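--- a/sftp-server.c
+++ b/sftp-server.c
@@ -14,13 +14,14 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: sftp-server.c,v 1.48 2005/06/17 02:44:33 djm Exp $");
+RCSID("$OpenBSD: sftp-server.c,v 1.50 2006/01/02 01:20:31 djm Exp $");
 
 #include "buffer.h"
 #include "bufaux.h"
 #include "getput.h"
 #include "log.h"
 #include "xmalloc.h"
+#include "misc.h"
 
 #include "sftp.h"
 #include "sftp-common.h"
@@ -427,7 +428,7 @@ process_read(void)
  len = get_int();
 
  TRACE("read id %u handle %d off %llu len %d", id, handle,
- (u_int64_t)off, len);
+ (unsigned long long)off, len);
  if (len > sizeof buf) {
  len = sizeof buf;
  logit("read change len %d", len);
@@ -468,7 +469,7 @@ process_write(void)
  data = get_string(&len);
 
  TRACE("write id %u handle %d off %llu len %d", id, handle,
- (u_int64_t)off, len);
+ (unsigned long long)off, len);
  fd = handle_to_fd(handle);
  if (fd >= 0) {
  if (lseek(fd, off, SEEK_SET) < 0) {
@@ -945,7 +946,7 @@ process(void)
  return; /* Incomplete message. */
  cp = buffer_ptr(&iqueue);
  msg_len = GET_32BIT(cp);
- if (msg_len > 256 * 1024) {
+ if (msg_len > SFTP_MAX_MSG_LENGTH) {
  error("bad message ");
  exit(11);
  }
@@ -1036,6 +1037,9 @@ main(int ac, char **av)
  int in, out, max;
  ssize_t len, olen, set_size;
 
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
  /* XXX should use getopt */
 
  __progname = ssh_get_progname(av[0]);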
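Review bot: The oversize-message branch in process() still logs only `error("bad message ");` even though the commit touches the comparison directly above it, so the rejected length never reaches the log. Logging the value, `error("bad message length %u", msg_len);`, would let an operator tell a corrupted stream from a client sending deliberately oversized headers. The declaration of `msg_len` is outside the hunk; sftp-client.c on this page prints its own `msg_len` with `%u`, so the same specifier is presumably right here but should be checked. process() begins and ends outside the hunk.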
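--- a/sftp.0
+++ b/sftp.0
@@ -25,8 +25,8 @@ DESCRIPTION
  The third usage format allows sftp to start in a remote directory.
 
  The final usage format allows for automated sessions using the -b option.
- In such cases, it is usually necessary to configure public key authenti-
- cation to obviate the need to enter a password at connection time (see
+ In such cases, it is necessary to configure non-interactive authentica-
+ tion to obviate the need to enter a password at connection time (see
  sshd(8) and ssh-keygen(1) for details). The options are as follows:
 
  -1 Specify the use of protocol version 1.
@@ -96,6 +96,7 @@ DESCRIPTION
  Protocol
  ProxyCommand
  PubkeyAuthentication
+ RekeyLimit
  RhostsRSAAuthentication
  RSAAuthentication
  SendEnv
@@ -262,4 +263,4 @@ SEE ALSO
  T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
  filexfer-00.txt, January 2001, work in progress material.
 
-OpenBSD 3.8 February 4, 2001 4
+OpenBSD 3.9 February 4, 2001 4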
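--- a/sftp.1
+++ b/sftp.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp.1,v 1.61 2005/03/01 17:19:35 jmc Exp $
+.\" $OpenBSD: sftp.1,v 1.63 2006/01/20 00:14:55 dtucker Exp $
 .\"
 .\" Copyright (c) 2001 Damien Miller. All rights reserved.
 .\"
@@ -78,7 +78,7 @@ to start in a remote directory.
 The final usage format allows for automated sessions using the
 .Fl b
 option.
-In such cases, it is usually necessary to configure public key authentication
+In such cases, it is necessary to configure non-interactive authentication
 to obviate the need to enter a password at connection time (see
 .Xr sshd 8
 and
@@ -180,6 +180,7 @@ For full details of the options listed below, and their possible values, see
 .It Protocol
 .It ProxyCommand
 .It PubkeyAuthentication
+.It RekeyLimit
 .It RhostsRSAAuthentication
 .It RSAAuthentication
 .It SendEnv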
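--- a/sftp.c
+++ b/sftp.c
@@ -16,7 +16,7 @@
 
 #include "includes.h"
 
-RCSID("$OpenBSD: sftp.c,v 1.66 2005/08/08 13:22:48 jaredy Exp $");
+RCSID("$OpenBSD: sftp.c,v 1.70 2006/01/31 10:19:02 djm Exp $");
 
 #ifdef USE_LIBEDIT
 #include <histedit.h>
@@ -697,6 +697,8 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
  }
 
  if (lflag & SORT_FLAGS) {
+ for (n = 0; d[n] != NULL; n++)
+ ; /* count entries */
  sort_flag = lflag & (SORT_FLAGS|LS_REVERSE_SORT);
  qsort(d, n, sizeof(*d), sdirent_comp);
  }
@@ -1447,11 +1449,16 @@ main(int argc, char **argv)
  extern int optind;
  extern char *optarg;
 
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
  __progname = ssh_get_progname(argv[0]);
+ memset(&args, '\0', sizeof(args));
  args.list = NULL;
- addargs(&args, "ssh"); /* overwritten with ssh_program */
+ addargs(&args, ssh_program);
  addargs(&args, "-oForwardX11 no");
  addargs(&args, "-oForwardAgent no");
+ addargs(&args, "-oPermitLocalCommand no");
  addargs(&args, "-oClearAllForwardings yes");
 
  ll = SYSLOG_LEVEL_INFO;
@@ -1483,6 +1490,7 @@ main(int argc, char **argv)
  break;
  case 'S':
  ssh_program = optarg;
+ replacearg(&args, 0, "%s", ssh_program);
  break;
  case 'b':
  if (batchmode)
@@ -1559,7 +1567,6 @@ main(int argc, char **argv)
  addargs(&args, "%s", host);
  addargs(&args, "%s", (sftp_server != NULL ?
  sftp_server : "sftp"));
- args.list[0] = ssh_program;
 
  if (!batchmode)
  fprintf(stderr, "Connecting to %s...\n", host);
@@ -1572,6 +1579,7 @@ main(int argc, char **argv)
  fprintf(stderr, "Attaching to %s...\n", sftp_direct);
  connect_to_server(sftp_direct, args.list, &in, &out);
  }
+ freeargs(&args);
 
  err = interactive_loop(in, out, file1, file2);
 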
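Review bot: `addargs(&args, ssh_program);` in main() passes the program path as the format argument, while the other variable arguments in this section go through an explicit format (`addargs(&args, "%s", host);`, `replacearg(&args, 0, "%s", ssh_program);`). At that point ssh_program presumably still holds its compiled-in default, so the string is not user-controlled today, but a path containing `%` would be misparsed and the pattern is easy to copy onto input that is. It should read `addargs(&args, "%s", ssh_program);`. main() starts and ends outside the hunks shown.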
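--- a/ssh-add.0
+++ b/ssh-add.0
@@ -99,4 +99,4 @@ AUTHORS
  ated OpenSSH. Markus Friedl contributed the support for SSH protocol
  versions 1.5 and 2.0.
 
-OpenBSD 3.8 September 25, 1999 2
+OpenBSD 3.9 September 25, 1999 2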
diff --git a/ssh-add.c b/ssh-add.c
index a3428769c..2b01e6f13 100644
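--- a/ssh-add.c
+++ b/ssh-add.c
@@ -35,7 +35,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.72 2005/07/17 07:17:55 djm Exp $");
+RCSID("$OpenBSD: ssh-add.c,v 1.74 2005/11/12 18:37:59 deraadt Exp $");
 
 #include <openssl/evp.h>
 
@@ -312,6 +312,9 @@ main(int argc, char **argv)
 char *sc_reader_id = NULL;
 int i, ch, deleting = 0, ret = 0;
 
+/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+sanitise_stdfd();
+
 __progname = ssh_get_progname(argv[0]);
 init_rng();
 seed_rng();
@@ -321,7 +324,8 @@ main(int argc, char **argv)
 /* At first, get a connection to the authentication agent. */
 ac = ssh_get_authentication_connection();
 if (ac == NULL) {
-fprintf(stderr, "Could not open a connection to your authentication agent.\n");
+fprintf(stderr,
+"Could not open a connection to your authentication agent.\n");
 exit(2);
 }
 while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {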
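Review bot: The comment added above `sanitise_stdfd();` in main() says what the call does but not why it has to run first: if the program is started with fd 0, 1 or 2 closed, a descriptor opened later (here the agent connection a few lines down) can be assigned that number and then receive whatever is written to stderr. I would spell that out, e.g. `/* If 0-2 are closed, the agent socket could be assigned one of them and receive stderr output; fill them with /dev/null first */`. The same three lines are added in the main() hunks of ssh-agent.c, ssh-keygen.c and ssh-keyscan.c, and the comment applies to each; in ssh-keyscan.c the call sits after `seed_rng()`, so anything that function opens (not visible here) is not covered. What sanitise_stdfd() does on failure is not shown in this diff, and main() continues outside the hunks.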
diff --git a/ssh-agent.0 b/ssh-agent.0
index 8490a9da8..7d64d550f 100644
--- a/ssh-agent.0
+++ b/ssh-agent.0
@@ -19,7 +19,7 @@ DESCRIPTION
19 19
20 -a bind_address 20 -a bind_address
21 Bind the agent to the unix-domain socket bind_address. The de- 21 Bind the agent to the unix-domain socket bind_address. The de-
22 fault is /tmp/ssh-XXXXXXXX/agent.<ppid>. 22 fault is /tmp/ssh-XXXXXXXXXX/agent.<ppid>.
23 23
24 -c Generate C-shell commands on stdout. This is the default if 24 -c Generate C-shell commands on stdout. This is the default if
25 SHELL looks like it's a csh style of shell. 25 SHELL looks like it's a csh style of shell.
@@ -33,9 +33,9 @@ DESCRIPTION
33 -t life 33 -t life
34 Set a default value for the maximum lifetime of identities added 34 Set a default value for the maximum lifetime of identities added
35 to the agent. The lifetime may be specified in seconds or in a 35 to the agent. The lifetime may be specified in seconds or in a
36 time format specified in sshd(8). A lifetime specified for an 36 time format specified in sshd_config(5). A lifetime specified
37 identity with ssh-add(1) overrides this value. Without this op- 37 for an identity with ssh-add(1) overrides this value. Without
38 tion the default maximum lifetime is forever. 38 this option the default maximum lifetime is forever.
39 39
40 -d Debug mode. When this option is specified ssh-agent will not 40 -d Debug mode. When this option is specified ssh-agent will not
41 fork. 41 fork.
@@ -98,7 +98,7 @@ FILES
98 Contains the protocol version 2 RSA authentication identity of 98 Contains the protocol version 2 RSA authentication identity of
99 the user. 99 the user.
100 100
101 /tmp/ssh-XXXXXXXX/agent.<ppid> 101 /tmp/ssh-XXXXXXXXXX/agent.<ppid>
102 Unix-domain sockets used to contain the connection to the authen- 102 Unix-domain sockets used to contain the connection to the authen-
103 tication agent. These sockets should only be readable by the 103 tication agent. These sockets should only be readable by the
104 owner. The sockets should get automatically removed when the 104 owner. The sockets should get automatically removed when the
@@ -114,4 +114,4 @@ AUTHORS
114 ated OpenSSH. Markus Friedl contributed the support for SSH protocol 114 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
115 versions 1.5 and 2.0. 115 versions 1.5 and 2.0.
116 116
117OpenBSD 3.8 September 25, 1999 2 117OpenBSD 3.9 September 25, 1999 2
diff --git a/ssh-agent.1 b/ssh-agent.1
index 741cf4bd1..fd6bd3f6c 100644
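--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.42 2005/04/21 06:17:50 djm Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.43 2005/11/28 06:02:56 dtucker Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -70,7 +70,7 @@ The options are as follows:
 Bind the agent to the unix-domain socket
 .Ar bind_address .
 The default is
-.Pa /tmp/ssh-XXXXXXXX/agent.<ppid> .
+.Pa /tmp/ssh-XXXXXXXXXX/agent.<ppid> .
 .It Fl c
 Generate C-shell commands on
 .Dv stdout .
@@ -90,7 +90,7 @@ environment variable).
 .It Fl t Ar life
 Set a default value for the maximum lifetime of identities added to the agent.
 The lifetime may be specified in seconds or in a time format specified in
-.Xr sshd 8 .
+.Xr sshd_config 5 .
 A lifetime specified for an identity with
 .Xr ssh-add 1
 overrides this value.
@@ -185,7 +185,7 @@ Contains the protocol version 1 RSA authentication identity of the user.
 Contains the protocol version 2 DSA authentication identity of the user.
 .It Pa ~/.ssh/id_rsa
 Contains the protocol version 2 RSA authentication identity of the user.
-.It Pa /tmp/ssh-XXXXXXXX/agent.<ppid>
+.It Pa /tmp/ssh-XXXXXXXXXX/agent.<ppid>
 Unix-domain sockets used to contain the connection to the
 authentication agent.
 These sockets should only be readable by the owner.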
diff --git a/ssh-agent.c b/ssh-agent.c
index dd7e22ad5..a69c25eec 100644
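--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -35,7 +35,7 @@
 
 #include "includes.h"
 #include "openbsd-compat/sys-queue.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.122 2004/10/29 22:53:56 djm Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.124 2005/10/30 08:52:18 djm Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/md5.h>
@@ -355,7 +355,7 @@ process_remove_identity(SocketEntry *e, int version)
 if (id != NULL) {
 /*
 * We have this key. Free the old key. Since we
-* don\'t want to leave empty slots in the middle of
+* don't want to leave empty slots in the middle of
 * the array, we actually free the key there and move
 * all the entries between the empty slot and the end
 * of the array.
@@ -1008,6 +1008,9 @@ main(int ac, char **av)
 pid_t pid;
 char pidstrbuf[1 + 3 * sizeof pid];
 
+/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+sanitise_stdfd();
+
 /* drop */
 setegid(getgid());
 setgid(getgid());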
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index de651e9c4..a972607b2 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -27,7 +27,9 @@ DESCRIPTION
27 ssh-keygen generates, manages and converts authentication keys for 27 ssh-keygen generates, manages and converts authentication keys for
28 ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1 28 ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1
29 and RSA or DSA keys for use by SSH protocol version 2. The type of key 29 and RSA or DSA keys for use by SSH protocol version 2. The type of key
30 to be generated is specified with the -t option. 30 to be generated is specified with the -t option. If invoked without any
31 arguments, ssh-keygen will generate an RSA key for use in SSH protocol 2
32 connections.
31 33
32 ssh-keygen is also used to generate groups for use in Diffie-Hellman 34 ssh-keygen is also used to generate groups for use in Diffie-Hellman
33 group exchange (DH-GEX). See the MODULI GENERATION section for details. 35 group exchange (DH-GEX). See the MODULI GENERATION section for details.
@@ -74,9 +76,10 @@ DESCRIPTION
74 file. 76 file.
75 77
76 -b bits 78 -b bits
77 Specifies the number of bits in the key to create. Minimum is 79 Specifies the number of bits in the key to create. For RSA keys,
78 512 bits. Generally, 2048 bits is considered sufficient. The 80 the minimum size is 768 bits and the default is 2048 bits. Gen-
79 default is 2048 bits. 81 erally, 2048 bits is considered sufficient. DSA keys must be ex-
82 actly 1024 bits as specified by FIPS 186-2.
80 83
81 -C comment 84 -C comment
82 Provides a new comment. 85 Provides a new comment.
@@ -282,4 +285,4 @@ AUTHORS
282 created OpenSSH. Markus Friedl contributed the support for SSH protocol 285 created OpenSSH. Markus Friedl contributed the support for SSH protocol
283 versions 1.5 and 2.0. 286 versions 1.5 and 2.0.
284 287
285OpenBSD 3.8 September 25, 1999 5 288OpenBSD 3.9 September 25, 1999 5
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 5454d00ce..ab16bcd77 100644
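--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.69 2005/06/08 03:50:00 djm Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.72 2005/11/28 05:16:53 dtucker Exp $
 .\"
 .\" -*- nroff -*-
 .\"
@@ -118,6 +118,9 @@ keys for use by SSH protocol version 2.
 The type of key to be generated is specified with the
 .Fl t
 option.
+If invoked without any arguments,
+.Nm
+will generate an RSA key for use in SSH protocol 2 connections.
 .Pp
 .Nm
 is also used to generate groups for use in Diffie-Hellman group
@@ -187,9 +190,9 @@ command.
 Show the bubblebabble digest of specified private or public key file.
 .It Fl b Ar bits
 Specifies the number of bits in the key to create.
-Minimum is 512 bits.
+For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
 Generally, 2048 bits is considered sufficient.
-The default is 2048 bits.
+DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
 .It Fl C Ar comment
 Provides a new comment.
 .It Fl c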
diff --git a/ssh-keygen.c b/ssh-keygen.c
index b17851946..64fadc7a1 100644
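--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -12,7 +12,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.128 2005/07/17 07:17:55 djm Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.135 2005/11/29 02:04:55 dtucker Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@@ -35,8 +35,10 @@ RCSID("$OpenBSD: ssh-keygen.c,v 1.128 2005/07/17 07:17:55 djm Exp $");
 #endif
 #include "dns.h"
 
-/* Number of bits in the RSA/DSA key. This value can be changed on the command line. */
-u_int32_t bits = 2048;
+/* Number of bits in the RSA/DSA key. This value can be set on the command line. */
+#define DEFAULT_BITS 2048
+#define DEFAULT_BITS_DSA 1024
+u_int32_t bits = 0;
 
 /*
 * Flag indicating that we just want to change the passphrase. This can be
@@ -1018,6 +1020,9 @@ main(int ac, char **av)
 extern int optind;
 extern char *optarg;
 
+/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+sanitise_stdfd();
+
 __progname = ssh_get_progname(av[0]);
 
 SSLeay_add_all_algorithms();
@@ -1041,7 +1046,7 @@ main(int ac, char **av)
 "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
 switch (opt) {
 case 'b':
-bits = strtonum(optarg, 512, 32768, &errstr);
+bits = strtonum(optarg, 768, 32768, &errstr);
 if (errstr)
 fatal("Bits has bad value %s (%s)",
 optarg, errstr);
@@ -1214,8 +1219,10 @@ main(int ac, char **av)
 out_file, strerror(errno));
 return (1);
 }
+if (bits == 0)
+bits = DEFAULT_BITS;
 if (gen_candidates(out, memory, bits, start) != 0)
-fatal("modulus candidate generation failed\n");
+fatal("modulus candidate generation failed");
 
 return (0);
 }
@@ -1238,21 +1245,24 @@ main(int ac, char **av)
 out_file, strerror(errno));
 }
 if (prime_test(in, out, trials, generator_wanted) != 0)
-fatal("modulus screening failed\n");
+fatal("modulus screening failed");
 return (0);
 }
 
 arc4random_stir();
 
-if (key_type_name == NULL) {
-printf("You must specify a key type (-t).\n");
-usage();
-}
+if (key_type_name == NULL)
+key_type_name = "rsa";
+
 type = key_type_from_name(key_type_name);
 if (type == KEY_UNSPEC) {
 fprintf(stderr, "unknown key type %s\n", key_type_name);
 exit(1);
 }
+if (bits == 0)
+bits = (type == KEY_DSA) ? DEFAULT_BITS_DSA : DEFAULT_BITS;
+if (type == KEY_DSA && bits != 1024)
+fatal("DSA keys must be 1024 bits");
 if (!quiet)
 printf("Generating public/private %s key pair.\n", key_type_name);
 private = key_generate(type, bits);
@@ -1265,7 +1275,7 @@ main(int ac, char **av)
 if (!have_identity)
 ask_filename(pw, "Enter file in which to save the key");
 
-/* Create ~/.ssh directory if it doesn\'t already exist. */
+/* Create ~/.ssh directory if it doesn't already exist. */
 snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", pw->pw_dir, _PATH_SSH_USER_DIR);
 if (strstr(identity_file, dotsshdir) != NULL &&
 stat(dotsshdir, &st) < 0) {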
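Review bot: The raised floor in `case 'b'` (`strtonum(optarg, 768, 32768, &errstr)`) still accepts non-DSA key sizes well below the 2048-bit default without telling the user, and the same value is passed on to `gen_candidates()` for moduli generation. A notice next to the new DSA check would make the weaker choice visible, for example `if (type != KEY_DSA && bits < DEFAULT_BITS) fprintf(stderr, "Warning: %u-bit key is smaller than the %d-bit default\n", bits, DEFAULT_BITS);`. Separately, `u_int32_t bits = 0;` now uses 0 to mean "not given with -b", which only works because strtonum() rejects 0; a comment on the declaration such as `/* 0 = unset; defaulted once the key type is known */` would keep that coupling visible, and the DSA check could compare against `DEFAULT_BITS_DSA` rather than the literal 1024. main() starts and ends outside these hunks.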
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0
index b365148e4..0206c04fb 100644
--- a/ssh-keyscan.0
+++ b/ssh-keyscan.0
@@ -94,9 +94,9 @@ SEE ALSO
94 ssh(1), sshd(8) 94 ssh(1), sshd(8)
95 95
96AUTHORS 96AUTHORS
97 David Mazieres <dm@lcs.mit.edu> wrote the initial version, and 97 David Mazieres <dm@lcs.mit.edu> wrote the initial version, and Wayne
98 Wayne Davison <wayned@users.sourceforge.net> added support for protocol 98 Davison <wayned@users.sourceforge.net> added support for protocol version
99 version 2. 99 2.
100 100
101BUGS 101BUGS
102 It generates "Connection closed by remote host" messages on the consoles 102 It generates "Connection closed by remote host" messages on the consoles
@@ -104,4 +104,4 @@ BUGS
104 This is because it opens a connection to the ssh port, reads the public 104 This is because it opens a connection to the ssh port, reads the public
105 key, and drops the connection as soon as it gets the key. 105 key, and drops the connection as soon as it gets the key.
106 106
107OpenBSD 3.8 January 1, 1996 2 107OpenBSD 3.9 January 1, 1996 2
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index 7e846f77c..80fc8cd96 100644
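--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keyscan.1,v 1.20 2005/03/01 15:47:14 jmc Exp $
+.\" $OpenBSD: ssh-keyscan.1,v 1.21 2005/09/30 20:34:26 jaredy Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 .\"
@@ -156,6 +156,7 @@ $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e
 .Xr ssh 1 ,
 .Xr sshd 8
 .Sh AUTHORS
+.An -nosplit
 .An David Mazieres Aq dm@lcs.mit.edu
 wrote the initial version, and
 .An Wayne Davison Aq wayned@users.sourceforge.net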
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 46f063687..6915102dd 100644
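--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -7,7 +7,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keyscan.c,v 1.55 2005/06/17 02:44:33 djm Exp $");
+RCSID("$OpenBSD: ssh-keyscan.c,v 1.57 2005/10/30 04:01:03 djm Exp $");
 
 #include "openbsd-compat/sys-queue.h"
 
@@ -499,12 +499,18 @@ congreet(int s)
 size_t bufsiz;
 con *c = &fdcon[s];
 
-bufsiz = sizeof(buf);
-cp = buf;
-while (bufsiz-- && (n = atomicio(read, s, cp, 1)) == 1 && *cp != '\n') {
-if (*cp == '\r')
-*cp = '\n';
-cp++;
+for (;;) {
+memset(buf, '\0', sizeof(buf));
+bufsiz = sizeof(buf);
+cp = buf;
+while (bufsiz-- &&
+(n = atomicio(read, s, cp, 1)) == 1 && *cp != '\n') {
+if (*cp == '\r')
+*cp = '\n';
+cp++;
+}
+if (n != 1 || strncmp(buf, "SSH-", 4) == 0)
+break;
 }
 if (n == 0) {
 switch (errno) {
@@ -712,6 +718,9 @@ main(int argc, char **argv)
 seed_rng();
 TAILQ_INIT(&tq);
 
+/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+sanitise_stdfd();
+
 if (argc <= 1)
 usage();
 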
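Review bot: The new `for (;;)` loop in congreet() puts no upper bound on the number of lines it discards before an `SSH-` banner, so a peer that keeps sending newline-terminated text occupies this connection until some timeout outside the hunk ends it (none is visible here). Counting iterations and giving up after a fixed limit would bound the work per host, e.g. `if (n != 1 || strncmp(buf, "SSH-", 4) == 0 || ++nlines > MAX_PREAMBLE_LINES) break;`, where `nlines` and `MAX_PREAMBLE_LINES` are names you would have to add. Note also that a line which fills all of `buf` leaves the inner loop with `n == 1`, so the rest of that line is read as if it were a new line and could be mistaken for a banner if it happens to begin with `SSH-`. How the code after the loop treats a buffer that does not start with `SSH-` lies outside the hunk, so the limit case needs checking against it.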
diff --git a/ssh-keysign.0 b/ssh-keysign.0
index ea944a6fe..c32c42fb2 100644
--- a/ssh-keysign.0
+++ b/ssh-keysign.0
@@ -39,4 +39,4 @@ HISTORY
39AUTHORS 39AUTHORS
40 Markus Friedl <markus@openbsd.org> 40 Markus Friedl <markus@openbsd.org>
41 41
42OpenBSD 3.8 May 24, 2002 1 42OpenBSD 3.9 May 24, 2002 1
diff --git a/ssh-keysign.c b/ssh-keysign.c
index 04597a91d..dae3a2e8c 100644
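--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -22,7 +22,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keysign.c,v 1.18 2004/08/23 14:29:23 dtucker Exp $");
+RCSID("$OpenBSD: ssh-keysign.c,v 1.19 2005/09/13 23:40:07 djm Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/rand.h>
@@ -148,6 +148,13 @@ main(int argc, char **argv)
 u_int slen, dlen;
 u_int32_t rnd[256];
 
+/* Ensure that stdin and stdout are connected */
+if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2)
+exit(1);
+/* Leave /dev/null fd iff it is attached to stderr */
+if (fd > 2)
+close(fd);
+
 key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
 key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
 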
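Review bot: The `< 2` test in the block added to main() does two jobs that the comment `/* Ensure that stdin and stdout are connected */` does not mention: it relies on open() returning the lowest free descriptor (0 or 1 means stdin or stdout was closed), and it also catches open() failing with -1. A comment that says so would help the next reader, e.g. `/* open() yields the lowest free fd: 0/1 => stdin/stdout was closed, -1 => /dev/null unavailable; refuse to run either way */`. It matters here because the host key files are opened on the lines right after, and without the guard one of them could end up as fd 0 or 1. The exit is silent by necessity, since stderr may itself be closed at that point; main() starts and ends outside the hunk.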
diff --git a/ssh-rand-helper.0 b/ssh-rand-helper.0
index 35a7a7ce5..75ad52fa4 100644
--- a/ssh-rand-helper.0
+++ b/ssh-rand-helper.0
@@ -46,4 +46,4 @@ AUTHORS
46SEE ALSO 46SEE ALSO
47 ssh(1), ssh-add(1), ssh-keygen(1), sshd(8) 47 ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)
48 48
49OpenBSD 3.8 April 14, 2002 1 49OpenBSD 3.9 April 14, 2002 1
diff --git a/ssh.0 b/ssh.0
index 274fab8b5..83c4b94eb 100644
--- a/ssh.0
+++ b/ssh.0
@@ -5,208 +5,26 @@ NAME
5 5
6SYNOPSIS 6SYNOPSIS
7 ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] 7 ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
8 [-D port] [-e escape_char] [-F configfile] [-i identity_file] 8 [-D [bind_address:]port] [-e escape_char] [-F configfile]
9 [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] 9 [-i identity_file] [-L [bind_address:]port:host:hostport]
10 [-O ctl_cmd] [-o option] [-p port] 10 [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
11 [-R [bind_address:]port:host:hostport] [-S ctl_path] [user@]hostname 11 [-R [bind_address:]port:host:hostport] [-S ctl_path]
12 [command] 12 [-w tunnel:tunnel] [user@]hostname [command]
13 13
14DESCRIPTION 14DESCRIPTION
15 ssh (SSH client) is a program for logging into a remote machine and for 15 ssh (SSH client) is a program for logging into a remote machine and for
16 executing commands on a remote machine. It is intended to replace rlogin 16 executing commands on a remote machine. It is intended to replace rlogin
17 and rsh, and provide secure encrypted communications between two untrust- 17 and rsh, and provide secure encrypted communications between two untrust-
18 ed hosts over an insecure network. X11 connections and arbitrary TCP/IP 18 ed hosts over an insecure network. X11 connections and arbitrary TCP
19 ports can also be forwarded over the secure channel. 19 ports can also be forwarded over the secure channel.
20 20
21 ssh connects and logs into the specified hostname (with optional user 21 ssh connects and logs into the specified hostname (with optional user
22 name). The user must prove his/her identity to the remote machine using 22 name). The user must prove his/her identity to the remote machine using
23 one of several methods depending on the protocol version used. 23 one of several methods depending on the protocol version used (see be-
24 low).
24 25
25 If command is specified, command is executed on the remote host instead 26 If command is specified, it is executed on the remote host instead of a
26 of a login shell. 27 login shell.
27
28 SSH protocol version 1
29 The first authentication method is the rhosts or hosts.equiv method com-
30 bined with RSA-based host authentication. If the machine the user logs
31 in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote
32 machine, and the user names are the same on both sides, or if the files
33 ~/.rhosts or ~/.shosts exist in the user's home directory on the remote
34 machine and contain a line containing the name of the client machine and
35 the name of the user on that machine, the user is considered for log in.
36 Additionally, if the server can verify the client's host key (see
37 /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts in the FILES section),
38 only then is login permitted. This authentication method closes security
39 holes due to IP spoofing, DNS spoofing and routing spoofing. [Note to
40 the administrator: /etc/hosts.equiv, ~/.rhosts, and the rlogin/rsh proto-
41 col in general, are inherently insecure and should be disabled if securi-
42 ty is desired.]
43
44 As a second authentication method, ssh supports RSA based authentication.
45 The scheme is based on public-key cryptography: there are cryptosystems
46 where encryption and decryption are done using separate keys, and it is
47 not possible to derive the decryption key from the encryption key. RSA
48 is one such system. The idea is that each user creates a public/private
49 key pair for authentication purposes. The server knows the public key,
50 and only the user knows the private key.
51
52 The file ~/.ssh/authorized_keys lists the public keys that are permitted
53 for logging in. When the user logs in, the ssh program tells the server
54 which key pair it would like to use for authentication. The server
55 checks if this key is permitted, and if so, sends the user (actually the
56 ssh program running on behalf of the user) a challenge, a random number,
57 encrypted by the user's public key. The challenge can only be decrypted
58 using the proper private key. The user's client then decrypts the chal-
59 lenge using the private key, proving that he/she knows the private key
60 but without disclosing it to the server.
61
62 ssh implements the RSA authentication protocol automatically. The user
63 creates his/her RSA key pair by running ssh-keygen(1). This stores the
64 private key in ~/.ssh/identity and stores the public key in
65 ~/.ssh/identity.pub in the user's home directory. The user should then
66 copy the identity.pub to ~/.ssh/authorized_keys in his/her home directory
67 on the remote machine (the authorized_keys file corresponds to the con-
68 ventional ~/.rhosts file, and has one key per line, though the lines can
69 be very long). After this, the user can log in without giving the pass-
70 word.
71
72 The most convenient way to use RSA authentication may be with an authen-
73 tication agent. See ssh-agent(1) for more information.
74
75 If other authentication methods fail, ssh prompts the user for a pass-
76 word. The password is sent to the remote host for checking; however,
77 since all communications are encrypted, the password cannot be seen by
78 someone listening on the network.
79
80 SSH protocol version 2
81 When a user connects using protocol version 2, similar authentication
82 methods are available. Using the default values for
83 PreferredAuthentications, the client will try to authenticate first using
84 the hostbased method; if this method fails, public key authentication is
85 attempted, and finally if this method fails, keyboard-interactive and
86 password authentication are tried.
87
88 The public key method is similar to RSA authentication described in the
89 previous section and allows the RSA or DSA algorithm to be used: The
90 client uses his private key, ~/.ssh/id_dsa or ~/.ssh/id_rsa, to sign the
91 session identifier and sends the result to the server. The server checks
92 whether the matching public key is listed in ~/.ssh/authorized_keys and
93 grants access if both the key is found and the signature is correct. The
94 session identifier is derived from a shared Diffie-Hellman value and is
95 only known to the client and the server.
96
97 If public key authentication fails or is not available, a password can be
98 sent encrypted to the remote host to prove the user's identity.
99
100 Additionally, ssh supports hostbased or challenge response authentica-
101 tion.
102
103 Protocol 2 provides additional mechanisms for confidentiality (the traf-
104 fic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour) and in-
105 tegrity (hmac-md5, hmac-sha1, hmac-ripemd160). Note that protocol 1
106 lacks a strong mechanism for ensuring the integrity of the connection.
107
108 Login session and remote execution
109 When the user's identity has been accepted by the server, the server ei-
110 ther executes the given command, or logs into the machine and gives the
111 user a normal shell on the remote machine. All communication with the
112 remote command or shell will be automatically encrypted.
113
114 If a pseudo-terminal has been allocated (normal login session), the user
115 may use the escape characters noted below.
116
117 If no pseudo-tty has been allocated, the session is transparent and can
118 be used to reliably transfer binary data. On most systems, setting the
119 escape character to ``none'' will also make the session transparent even
120 if a tty is used.
121
122 The session terminates when the command or shell on the remote machine
123 exits and all X11 and TCP/IP connections have been closed. The exit sta-
124 tus of the remote program is returned as the exit status of ssh.
125
126 Escape Characters
127 When a pseudo-terminal has been requested, ssh supports a number of func-
128 tions through the use of an escape character.
129
130 A single tilde character can be sent as ~~ or by following the tilde by a
131 character other than those described below. The escape character must
132 always follow a newline to be interpreted as special. The escape charac-
133 ter can be changed in configuration files using the EscapeChar configura-
134 tion directive or on the command line by the -e option.
135
136 The supported escapes (assuming the default `~') are:
137
138 ~. Disconnect.
139
140 ~^Z Background ssh.
141
142 ~# List forwarded connections.
143
144 ~& Background ssh at logout when waiting for forwarded connection /
145 X11 sessions to terminate.
146
147 ~? Display a list of escape characters.
148
149 ~B Send a BREAK to the remote system (only useful for SSH protocol
150 version 2 and if the peer supports it).
151
152 ~C Open command line. Currently this allows the addition of port
153 forwardings using the -L and -R options (see below). It also al-
154 lows the cancellation of existing remote port-forwardings using
155 -KR hostport. Basic help is available, using the -h option.
156
157 ~R Request rekeying of the connection (only useful for SSH protocol
158 version 2 and if the peer supports it).
159
160 X11 and TCP forwarding
161 If the ForwardX11 variable is set to ``yes'' (or see the description of
162 the -X and -x options described later) and the user is using X11 (the
163 DISPLAY environment variable is set), the connection to the X11 display
164 is automatically forwarded to the remote side in such a way that any X11
165 programs started from the shell (or command) will go through the encrypt-
166 ed channel, and the connection to the real X server will be made from the
167 local machine. The user should not manually set DISPLAY. Forwarding of
168 X11 connections can be configured on the command line or in configuration
169 files.
170
171 The DISPLAY value set by ssh will point to the server machine, but with a
172 display number greater than zero. This is normal, and happens because
173 ssh creates a ``proxy'' X server on the server machine for forwarding the
174 connections over the encrypted channel.
175
176 ssh will also automatically set up Xauthority data on the server machine.
177 For this purpose, it will generate a random authorization cookie, store
178 it in Xauthority on the server, and verify that any forwarded connections
179 carry this cookie and replace it by the real cookie when the connection
180 is opened. The real authentication cookie is never sent to the server
181 machine (and no cookies are sent in the plain).
182
183 If the ForwardAgent variable is set to ``yes'' (or see the description of
184 the -A and -a options described later) and the user is using an authenti-
185 cation agent, the connection to the agent is automatically forwarded to
186 the remote side.
187
188 Forwarding of arbitrary TCP/IP connections over the secure channel can be
189 specified either on the command line or in a configuration file. One
190 possible application of TCP/IP forwarding is a secure connection to an
191 electronic purse; another is going through firewalls.
192
193 Server authentication
194 ssh automatically maintains and checks a database containing identifica-
195 tions for all hosts it has ever been used with. Host keys are stored in
196 ~/.ssh/known_hosts in the user's home directory. Additionally, the file
197 /etc/ssh/ssh_known_hosts is automatically checked for known hosts. Any
198 new hosts are automatically added to the user's file. If a host's iden-
199 tification ever changes, ssh warns about this and disables password au-
200 thentication to prevent a trojan horse from getting the user's password.
201 Another purpose of this mechanism is to prevent man-in-the-middle attacks
202 which could otherwise be used to circumvent the encryption. The
203 StrictHostKeyChecking option can be used to prevent logins to machines
204 whose host key is not known or has changed.
205
206 ssh can be configured to verify host identification using fingerprint re-
207 source records (SSHFP) published in DNS. The VerifyHostKeyDNS option can
208 be used to control how DNS lookups are performed. SSHFP resource records
209 can be generated using ssh-keygen(1).
210 28
211 The options are as follows: 29 The options are as follows:
212 30
@@ -238,7 +56,7 @@ DESCRIPTION
238 dress. 56 dress.
239 57
240 -C Requests compression of all data (including stdin, stdout, 58 -C Requests compression of all data (including stdin, stdout,
241 stderr, and data for forwarded X11 and TCP/IP connections). The 59 stderr, and data for forwarded X11 and TCP connections). The
242 compression algorithm is the same used by gzip(1), and the 60 compression algorithm is the same used by gzip(1), and the
243 ``level'' can be controlled by the CompressionLevel option for 61 ``level'' can be controlled by the CompressionLevel option for
244 protocol version 1. Compression is desirable on modem lines and 62 protocol version 1. Compression is desirable on modem lines and
@@ -250,7 +68,7 @@ DESCRIPTION
250 Selects the cipher specification for encrypting the session. 68 Selects the cipher specification for encrypting the session.
251 69
252 Protocol version 1 allows specification of a single cipher. The 70 Protocol version 1 allows specification of a single cipher. The
253 suported values are ``3des'', ``blowfish'' and ``des''. 3des 71 supported values are ``3des'', ``blowfish'', and ``des''. 3des
254 (triple-des) is an encrypt-decrypt-encrypt triple with three dif- 72 (triple-des) is an encrypt-decrypt-encrypt triple with three dif-
255 ferent keys. It is believed to be secure. blowfish is a fast 73 ferent keys. It is believed to be secure. blowfish is a fast
256 block cipher; it appears very secure and is much faster than 74 block cipher; it appears very secure and is much faster than
@@ -259,29 +77,39 @@ DESCRIPTION
259 the 3des cipher. Its use is strongly discouraged due to crypto- 77 the 3des cipher. Its use is strongly discouraged due to crypto-
260 graphic weaknesses. The default is ``3des''. 78 graphic weaknesses. The default is ``3des''.
261 79
262 For protocol version 2 cipher_spec is a comma-separated list of 80 For protocol version 2, cipher_spec is a comma-separated list of
263 ciphers listed in order of preference. The supported ciphers are 81 ciphers listed in order of preference. The supported ciphers
264 ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', 82 are: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr,
265 ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'', 83 aes192-ctr, aes256-ctr, arcfour128, arcfour256, arcfour, blow-
266 ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and 84 fish-cbc, and cast128-cbc. The default is:
267 ``cast128-cbc''. The default is
268 85
269 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, 86 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
270 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, 87 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
271 aes192-ctr,aes256-ctr'' 88 aes192-ctr,aes256-ctr
272 89
273 -D port 90 -D [bind_address:]port
274 Specifies a local ``dynamic'' application-level port forwarding. 91 Specifies a local ``dynamic'' application-level port forwarding.
275 This works by allocating a socket to listen to port on the local 92 This works by allocating a socket to listen to port on the local
276 side, and whenever a connection is made to this port, the connec- 93 side, optionally bound to the specified bind_address. Whenever a
277 tion is forwarded over the secure channel, and the application 94 connection is made to this port, the connection is forwarded over
278 protocol is then used to determine where to connect to from the 95 the secure channel, and the application protocol is then used to
279 remote machine. Currently the SOCKS4 and SOCKS5 protocols are 96 determine where to connect to from the remote machine. Currently
280 supported, and ssh will act as a SOCKS server. Only root can 97 the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
281 forward privileged ports. Dynamic port forwardings can also be 98 as a SOCKS server. Only root can forward privileged ports. Dy-
282 specified in the configuration file. 99 namic port forwardings can also be specified in the configuration
283 100 file.
284 -e ch | ^ch | none 101
102 IPv6 addresses can be specified with an alternative syntax:
103 [bind_address/]port or by enclosing the address in square brack-
104 ets. Only the superuser can forward privileged ports. By de-
105 fault, the local port is bound in accordance with the
106 GatewayPorts setting. However, an explicit bind_address may be
107 used to bind the connection to a specific address. The
108 bind_address of ``localhost'' indicates that the listening port
109 be bound for local use only, while an empty address or `*' indi-
110 cates that the port should be available from all interfaces.
111
112 -e escape_char
285 Sets the escape character for sessions with a pty (default: `~'). 113 Sets the escape character for sessions with a pty (default: `~').
286 The escape character is only recognized at the beginning of a 114 The escape character is only recognized at the beginning of a
287 line. The escape character followed by a dot (`.') closes the 115 line. The escape character followed by a dot (`.') closes the
@@ -305,9 +133,10 @@ DESCRIPTION
305 -g Allows remote hosts to connect to local forwarded ports. 133 -g Allows remote hosts to connect to local forwarded ports.
306 134
307 -I smartcard_device 135 -I smartcard_device
308 Specifies which smartcard device to use. The argument is the de- 136 Specify the device ssh should use to communicate with a smartcard
309 vice ssh should use to communicate with a smartcard used for 137 used for storing the user's private RSA key. This option is only
310 storing the user's private RSA key. 138 available if support for smartcard devices is compiled in (de-
139 fault is no support).
311 140
312 -i identity_file 141 -i identity_file
313 Selects a file from which the identity (private key) for RSA or 142 Selects a file from which the identity (private key) for RSA or
@@ -345,8 +174,10 @@ DESCRIPTION
345 may be specified on a per-host basis in the configuration file. 174 may be specified on a per-host basis in the configuration file.
346 175
347 -M Places the ssh client into ``master'' mode for connection shar- 176 -M Places the ssh client into ``master'' mode for connection shar-
348 ing. Refer to the description of ControlMaster in ssh_config(5) 177 ing. Multiple -M options places ssh into ``master'' mode with
349 for details. 178 confirmation required before slave connections are accepted. Re-
179 fer to the description of ControlMaster in ssh_config(5) for de-
180 tails.
350 181
351 -m mac_spec 182 -m mac_spec
352 Additionally, for protocol version 2 a comma-separated list of 183 Additionally, for protocol version 2 a comma-separated list of
@@ -410,17 +241,20 @@ DESCRIPTION
410 IdentityFile 241 IdentityFile
411 IdentitiesOnly 242 IdentitiesOnly
412 KbdInteractiveDevices 243 KbdInteractiveDevices
244 LocalCommand
413 LocalForward 245 LocalForward
414 LogLevel 246 LogLevel
415 MACs 247 MACs
416 NoHostAuthenticationForLocalhost 248 NoHostAuthenticationForLocalhost
417 NumberOfPasswordPrompts 249 NumberOfPasswordPrompts
418 PasswordAuthentication 250 PasswordAuthentication
251 PermitLocalCommand
419 Port 252 Port
420 PreferredAuthentications 253 PreferredAuthentications
421 Protocol 254 Protocol
422 ProxyCommand 255 ProxyCommand
423 PubkeyAuthentication 256 PubkeyAuthentication
257 RekeyLimit
424 RemoteForward 258 RemoteForward
425 RhostsRSAAuthentication 259 RhostsRSAAuthentication
426 RSAAuthentication 260 RSAAuthentication
@@ -430,6 +264,8 @@ DESCRIPTION
430 SmartcardDevice 264 SmartcardDevice
431 StrictHostKeyChecking 265 StrictHostKeyChecking
432 TCPKeepAlive 266 TCPKeepAlive
267 Tunnel
268 TunnelDevice
433 UsePrivilegedPort 269 UsePrivilegedPort
434 User 270 User
435 UserKnownHostsFile 271 UserKnownHostsFile
@@ -489,6 +325,12 @@ DESCRIPTION
489 tion, and configuration problems. Multiple -v options increase 325 tion, and configuration problems. Multiple -v options increase
490 the verbosity. The maximum is 3. 326 the verbosity. The maximum is 3.
491 327
328 -w tunnel:tunnel
329 Requests a tun(4) device on the client (first tunnel arg) and
330 server (second tunnel arg). The devices may be specified by nu-
331 merical ID or the keyword ``any'', which uses the next available
332 tunnel device. See also the Tunnel directive in ssh_config(5).
333
492 -X Enables X11 forwarding. This can also be specified on a per-host 334 -X Enables X11 forwarding. This can also be specified on a per-host
493 basis in a configuration file. 335 basis in a configuration file.
494 336
@@ -508,100 +350,358 @@ DESCRIPTION
508 -Y Enables trusted X11 forwarding. Trusted X11 forwardings are not 350 -Y Enables trusted X11 forwarding. Trusted X11 forwardings are not
509 subjected to the X11 SECURITY extension controls. 351 subjected to the X11 SECURITY extension controls.
510 352
511CONFIGURATION FILES
512 ssh may additionally obtain configuration data from a per-user configura- 353 ssh may additionally obtain configuration data from a per-user configura-
513 tion file and a system-wide configuration file. The file format and con- 354 tion file and a system-wide configuration file. The file format and con-
514 figuration options are described in ssh_config(5). 355 figuration options are described in ssh_config(5).
515 356
516ENVIRONMENT 357 ssh exits with the exit status of the remote command or with 255 if an
517 ssh will normally set the following environment variables: 358 error occurred.
359
360AUTHENTICATION
361 The OpenSSH SSH client supports SSH protocols 1 and 2. Protocol 2 is the
362 default, with ssh falling back to protocol 1 if it detects protocol 2 is
363 unsupported. These settings may be altered using the Protocol option in
364 ssh_config(5), or enforced using the -1 and -2 options (see above). Both
365 protocols support similar authentication methods, but protocol 2 is pre-
366 ferred since it provides additional mechanisms for confidentiality (the
367 traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and
368 integrity (hmac-md5, hmac-sha1, hmac-ripemd160). Protocol 1 lacks a
369 strong mechanism for ensuring the integrity of the connection.
370
371 The methods available for authentication are: host-based authentication,
372 public key authentication, challenge-response authentication, and pass-
373 word authentication. Authentication methods are tried in the order spec-
374 ified above, though protocol 2 has a configuration option to change the
375 default order: PreferredAuthentications.
376
377 Host-based authentication works as follows: If the machine the user logs
378 in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote
379 machine, and the user names are the same on both sides, or if the files
380 ~/.rhosts or ~/.shosts exist in the user's home directory on the remote
381 machine and contain a line containing the name of the client machine and
382 the name of the user on that machine, the user is considered for login.
383 Additionally, the server must be able to verify the client's host key
384 (see the description of /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts,
385 below) for login to be permitted. This authentication method closes se-
386 curity holes due to IP spoofing, DNS spoofing, and routing spoofing.
387 [Note to the administrator: /etc/hosts.equiv, ~/.rhosts, and the
388 rlogin/rsh protocol in general, are inherently insecure and should be
389 disabled if security is desired.]
390
391 Public key authentication works as follows: The scheme is based on pub-
392 lic-key cryptography, using cryptosystems where encryption and decryption
393 are done using separate keys, and it is unfeasible to derive the decryp-
394 tion key from the encryption key. The idea is that each user creates a
395 public/private key pair for authentication purposes. The server knows
396 the public key, and only the user knows the private key. ssh implements
397 public key authentication protocol automatically, using either the RSA or
398 DSA algorithms. Protocol 1 is restricted to using only RSA keys, but
399 protocol 2 may use either. The HISTORY section of ssl(8) contains a
400 brief discussion of the two algorithms.
401
402 The file ~/.ssh/authorized_keys lists the public keys that are permitted
403 for logging in. When the user logs in, the ssh program tells the server
404 which key pair it would like to use for authentication. The client
405 proves that it has access to the private key and the server checks that
406 the corresponding public key is authorized to accept the account.
407
408 The user creates his/her key pair by running ssh-keygen(1). This stores
409 the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol
410 2 DSA), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
411 ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA), or
412 ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home directory. The us-
413 er should then copy the public key to ~/.ssh/authorized_keys in his/her
414 home directory on the remote machine. The authorized_keys file corre-
415 sponds to the conventional ~/.rhosts file, and has one key per line,
416 though the lines can be very long. After this, the user can log in with-
417 out giving the password.
418
419 The most convenient way to use public key authentication may be with an
420 authentication agent. See ssh-agent(1) for more information.
421
422 Challenge-response authentication works as follows: The server sends an
423 arbitrary "challenge" text, and prompts for a response. Protocol 2 al-
424 lows multiple challenges and responses; protocol 1 is restricted to just
425 one challenge/response. Examples of challenge-response authentication
426 include BSD Authentication (see login.conf(5)) and PAM (some non-OpenBSD
427 systems).
428
429 Finally, if other authentication methods fail, ssh prompts the user for a
430 password. The password is sent to the remote host for checking; however,
431 since all communications are encrypted, the password cannot be seen by
432 someone listening on the network.
433
434 ssh automatically maintains and checks a database containing identifica-
435 tion for all hosts it has ever been used with. Host keys are stored in
436 ~/.ssh/known_hosts in the user's home directory. Additionally, the file
437 /etc/ssh/ssh_known_hosts is automatically checked for known hosts. Any
438 new hosts are automatically added to the user's file. If a host's iden-
439 tification ever changes, ssh warns about this and disables password au-
440 thentication to prevent server spoofing or man-in-the-middle attacks,
441 which could otherwise be used to circumvent the encryption. The
442 StrictHostKeyChecking option can be used to control logins to machines
443 whose host key is not known or has changed.
444
445 When the user's identity has been accepted by the server, the server ei-
446 ther executes the given command, or logs into the machine and gives the
447 user a normal shell on the remote machine. All communication with the
448 remote command or shell will be automatically encrypted.
449
450 If a pseudo-terminal has been allocated (normal login session), the user
451 may use the escape characters noted below.
452
453 If no pseudo-tty has been allocated, the session is transparent and can
454 be used to reliably transfer binary data. On most systems, setting the
455 escape character to ``none'' will also make the session transparent even
456 if a tty is used.
457
458 The session terminates when the command or shell on the remote machine
459 exits and all X11 and TCP connections have been closed.
460
461ESCAPE CHARACTERS
462 When a pseudo-terminal has been requested, ssh supports a number of func-
463 tions through the use of an escape character.
464
465 A single tilde character can be sent as ~~ or by following the tilde by a
466 character other than those described below. The escape character must
467 always follow a newline to be interpreted as special. The escape charac-
468 ter can be changed in configuration files using the EscapeChar configura-
469 tion directive or on the command line by the -e option.
470
471 The supported escapes (assuming the default `~') are:
472
473 ~. Disconnect.
474
475 ~^Z Background ssh.
476
477 ~# List forwarded connections.
478
479 ~& Background ssh at logout when waiting for forwarded connection /
480 X11 sessions to terminate.
481
482 ~? Display a list of escape characters.
483
484 ~B Send a BREAK to the remote system (only useful for SSH protocol
485 version 2 and if the peer supports it).
486
487 ~C Open command line. Currently this allows the addition of port
488 forwardings using the -L and -R options (see above). It also al-
489 lows the cancellation of existing remote port-forwardings using
490 -KR hostport. !command allows the user to execute a local com-
491 mand if the PermitLocalCommand option is enabled in
492 ssh_config(5). Basic help is available, using the -h option.
493
494 ~R Request rekeying of the connection (only useful for SSH protocol
495 version 2 and if the peer supports it).
496
497TCP FORWARDING
498 Forwarding of arbitrary TCP connections over the secure channel can be
499 specified either on the command line or in a configuration file. One
500 possible application of TCP forwarding is a secure connection to a mail
501 server; another is going through firewalls.
502
503 In the example below, we look at encrypting communication between an IRC
504 client and server, even though the IRC server does not directly support
505 encrypted communications. This works as follows: the user connects to
506 the remote host using ssh, specifying a port to be used to forward con-
507 nections to the remote server. After that it is possible to start the
508 service which is to be encrypted on the client machine, connecting to the
509 same local port, and ssh will encrypt and forward the connection.
510
511 The following example tunnels an IRC session from client machine
512 ``127.0.0.1'' (localhost) to remote server ``server.example.com'':
513
514 $ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
515 $ irc -c '#users' -p 1234 pinky 127.0.0.1
516
517 This tunnels a connection to IRC server ``server.example.com'', joining
518 channel ``#users'', nickname ``pinky'', using port 1234. It doesn't mat-
519 ter which port is used, as long as it's greater than 1023 (remember, only
520 root can open sockets on privileged ports) and doesn't conflict with any
521 ports already in use. The connection is forwarded to port 6667 on the
522 remote server, since that's the standard port for IRC services.
523
524 The -f option backgrounds ssh and the remote command ``sleep 10'' is
525 specified to allow an amount of time (10 seconds, in the example) to
526 start the service which is to be tunnelled. If no connections are made
527 within the time specified, ssh will exit.
528
529X11 FORWARDING
530 If the ForwardX11 variable is set to ``yes'' (or see the description of
531 the -X, -x, and -Y options above) and the user is using X11 (the DISPLAY
532 environment variable is set), the connection to the X11 display is auto-
533 matically forwarded to the remote side in such a way that any X11 pro-
534 grams started from the shell (or command) will go through the encrypted
535 channel, and the connection to the real X server will be made from the
536 local machine. The user should not manually set DISPLAY. Forwarding of
537 X11 connections can be configured on the command line or in configuration
538 files.
539
540 The DISPLAY value set by ssh will point to the server machine, but with a
541 display number greater than zero. This is normal, and happens because
542 ssh creates a ``proxy'' X server on the server machine for forwarding the
543 connections over the encrypted channel.
544
545 ssh will also automatically set up Xauthority data on the server machine.
546 For this purpose, it will generate a random authorization cookie, store
547 it in Xauthority on the server, and verify that any forwarded connections
548 carry this cookie and replace it by the real cookie when the connection
549 is opened. The real authentication cookie is never sent to the server
550 machine (and no cookies are sent in the plain).
551
552 If the ForwardAgent variable is set to ``yes'' (or see the description of
553 the -A and -a options above) and the user is using an authentication
554 agent, the connection to the agent is automatically forwarded to the re-
555 mote side.
556
557VERIFYING HOST KEYS
558 When connecting to a server for the first time, a fingerprint of the
559 server's public key is presented to the user (unless the option
560 StrictHostKeyChecking has been disabled). Fingerprints can be determined
561 using ssh-keygen(1):
562
563 $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
564
565 If the fingerprint is already known, it can be matched and verified, and
566 the key can be accepted. If the fingerprint is unknown, an alternative
567 method of verification is available: SSH fingerprints verified by DNS.
568 An additional resource record (RR), SSHFP, is added to a zonefile and the
569 connecting client is able to match the fingerprint with that of the key
570 presented.
571
572 In this example, we are connecting a client to a server,
573 ``host.example.com''. The SSHFP resource records should first be added
574 to the zonefile for host.example.com:
518 575
519 DISPLAY The DISPLAY variable indicates the location of the X11 server. 576 $ ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r host.example.com.
520 It is automatically set by ssh to point to a value of the form 577 $ ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r host.example.com.
521 ``hostname:n'' where hostname indicates the host where the shell
522 runs, and n is an integer >= 1. ssh uses this special value to
523 forward X11 connections over the secure channel. The user
524 should normally not set DISPLAY explicitly, as that will render
525 the X11 connection insecure (and will require the user to manu-
526 ally copy any required authorization cookies).
527 578
528 HOME Set to the path of the user's home directory. 579 The output lines will have to be added to the zonefile. To check that
580 the zone is answering fingerprint queries:
529 581
530 LOGNAME Synonym for USER; set for compatibility with systems that use 582 $ dig -t SSHFP host.example.com
531 this variable.
532 583
533 MAIL Set to the path of the user's mailbox. 584 Finally the client connects:
534 585
535 PATH Set to the default PATH, as specified when compiling ssh. 586 $ ssh -o "VerifyHostKeyDNS ask" host.example.com
587 [...]
588 Matching host key fingerprint found in DNS.
589 Are you sure you want to continue connecting (yes/no)?
536 590
537 SSH_ASKPASS 591 See the VerifyHostKeyDNS option in ssh_config(5) for more information.
538 If ssh needs a passphrase, it will read the passphrase from the
539 current terminal if it was run from a terminal. If ssh does not
540 have a terminal associated with it but DISPLAY and SSH_ASKPASS
541 are set, it will execute the program specified by SSH_ASKPASS
542 and open an X11 window to read the passphrase. This is particu-
543 larly useful when calling ssh from a .xsession or related
544 script. (Note that on some machines it may be necessary to
545 redirect the input from /dev/null to make this work.)
546 592
547 SSH_AUTH_SOCK 593SSH-BASED VIRTUAL PRIVATE NETWORKS
548 Identifies the path of a unix-domain socket used to communicate 594 ssh contains support for Virtual Private Network (VPN) tunnelling using
549 with the agent. 595 the tun(4) network pseudo-device, allowing two networks to be joined se-
596 curely. The sshd_config(5) configuration option PermitTunnel controls
597 whether the server supports this, and at what level (layer 2 or 3 traf-
598 fic).
550 599
551 SSH_CONNECTION 600 The following example would connect client network 10.0.50.0/24 with re-
552 Identifies the client and server ends of the connection. The 601 mote network 10.0.99.0/24, provided that the SSH server running on the
553 variable contains four space-separated values: client ip-ad- 602 gateway to the remote network, at 192.168.1.15, allows it:
554 dress, client port number, server ip-address and server port
555 number.
556 603
557 SSH_ORIGINAL_COMMAND 604 # ssh -f -w 0:1 192.168.1.15 true
558 The variable contains the original command line if a forced com- 605 # ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252
559 mand is executed. It can be used to extract the original argu-
560 ments.
561 606
562 SSH_TTY This is set to the name of the tty (path to the device) associ- 607 Client access may be more finely tuned via the /root/.ssh/authorized_keys
563 ated with the current shell or command. If the current session 608 file (see below) and the PermitRootLogin server option. The following
564 has no tty, this variable is not set. 609 entry would permit connections on the first tun(4) device from user
610 ``jane'' and on the second device from user ``john'', if PermitRootLogin
611 is set to ``forced-commands-only'':
565 612
566 TZ The timezone variable is set to indicate the present timezone if 613 tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
567 it was set when the daemon was started (i.e., the daemon passes 614 tunnel="2",command="sh /etc/netstart tun1" ssh-rsa ... john
568 the value on to new connections).
569 615
570 USER Set to the name of the user logging in. 616 Since a SSH-based setup entails a fair amount of overhead, it may be more
617 suited to temporary setups, such as for wireless VPNs. More permanent
618 VPNs are better provided by tools such as ipsecctl(8) and isakmpd(8).
619
620ENVIRONMENT
621 ssh will normally set the following environment variables:
622
623 DISPLAY The DISPLAY variable indicates the location of the
624 X11 server. It is automatically set by ssh to
625 point to a value of the form ``hostname:n'', where
626 ``hostname'' indicates the host where the shell
627 runs, and `n' is an integer >= 1. ssh uses this
628 special value to forward X11 connections over the
629 secure channel. The user should normally not set
630 DISPLAY explicitly, as that will render the X11
631 connection insecure (and will require the user to
632 manually copy any required authorization cookies).
633
634 HOME Set to the path of the user's home directory.
635
636 LOGNAME Synonym for USER; set for compatibility with sys-
637 tems that use this variable.
638
639 MAIL Set to the path of the user's mailbox.
640
641 PATH Set to the default PATH, as specified when compil-
642 ing ssh.
643
644 SSH_ASKPASS If ssh needs a passphrase, it will read the
645 passphrase from the current terminal if it was run
646 from a terminal. If ssh does not have a terminal
647 associated with it but DISPLAY and SSH_ASKPASS are
648 set, it will execute the program specified by
649 SSH_ASKPASS and open an X11 window to read the
650 passphrase. This is particularly useful when call-
651 ing ssh from a .xsession or related script. (Note
652 that on some machines it may be necessary to redi-
653 rect the input from /dev/null to make this work.)
654
655 SSH_AUTH_SOCK Identifies the path of a UNIX-domain socket used to
656 communicate with the agent.
657
658 SSH_CONNECTION Identifies the client and server ends of the con-
659 nection. The variable contains four space-separat-
660 ed values: client IP address, client port number,
661 server IP address, and server port number.
662
663 SSH_ORIGINAL_COMMAND This variable contains the original command line if
664 a forced command is executed. It can be used to
665 extract the original arguments.
666
667 SSH_TTY This is set to the name of the tty (path to the de-
668 vice) associated with the current shell or command.
669 If the current session has no tty, this variable is
670 not set.
671
672 TZ This variable is set to indicate the present time
673 zone if it was set when the daemon was started
674 (i.e., the daemon passes the value on to new con-
675 nections).
676
677 USER Set to the name of the user logging in.
571 678
572 Additionally, ssh reads ~/.ssh/environment, and adds lines of the format 679 Additionally, ssh reads ~/.ssh/environment, and adds lines of the format
573 ``VARNAME=value'' to the environment if the file exists and if users are 680 ``VARNAME=value'' to the environment if the file exists and users are al-
574 allowed to change their environment. For more information, see the 681 lowed to change their environment. For more information, see the
575 PermitUserEnvironment option in sshd_config(5). 682 PermitUserEnvironment option in sshd_config(5).
576 683
577FILES 684FILES
578 ~/.ssh/known_hosts 685 ~/.rhosts
579 Records host keys for all hosts the user has logged into that are 686 This file is used for host-based authentication (see above). On
580 not in /etc/ssh/ssh_known_hosts. See sshd(8). 687 some machines this file may need to be world-readable if the us-
581 688 er's home directory is on an NFS partition, because sshd(8) reads
582 ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa 689 it as root. Additionally, this file must be owned by the user,
583 Contains the authentication identity of the user. They are for 690 and must not have write permissions for anyone else. The recom-
584 protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. 691 mended permission for most machines is read/write for the user,
585 These files contain sensitive data and should be readable by the 692 and not accessible by others.
586 user but not accessible by others (read/write/execute). Note 693
587 that ssh ignores a private key file if it is accessible by oth- 694 ~/.shosts
588 ers. It is possible to specify a passphrase when generating the 695 This file is used in exactly the same way as .rhosts, but allows
589 key; the passphrase will be used to encrypt the sensitive part of 696 host-based authentication without permitting login with
590 this file using 3DES. 697 rlogin/rsh.
591 698
592 ~/.ssh/identity.pub, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa.pub 699 ~/.ssh/authorized_keys
593 Contains the public key for authentication (public part of the 700 Lists the public keys (RSA/DSA) that can be used for logging in
594 identity file in human-readable form). The contents of the 701 as this user. The format of this file is described in the
595 ~/.ssh/identity.pub file should be added to the file 702 sshd(8) manual page. This file is not highly sensitive, but the
596 ~/.ssh/authorized_keys on all machines where the user wishes to 703 recommended permissions are read/write for the user, and not ac-
597 log in using protocol version 1 RSA authentication. The contents 704 cessible by others.
598 of the ~/.ssh/id_dsa.pub and ~/.ssh/id_rsa.pub file should be
599 added to ~/.ssh/authorized_keys on all machines where the user
600 wishes to log in using protocol version 2 DSA/RSA authentication.
601 These files are not sensitive and can (but need not) be readable
602 by anyone. These files are never used automatically and are not
603 necessary; they are only provided for the convenience of the us-
604 er.
605 705
606 ~/.ssh/config 706 ~/.ssh/config
607 This is the per-user configuration file. The file format and 707 This is the per-user configuration file. The file format and
@@ -609,112 +709,75 @@ FILES
609 the potential for abuse, this file must have strict permissions: 709 the potential for abuse, this file must have strict permissions:
610 read/write for the user, and not accessible by others. 710 read/write for the user, and not accessible by others.
611 711
612 ~/.ssh/authorized_keys 712 ~/.ssh/environment
613 Lists the public keys (RSA/DSA) that can be used for logging in 713 Contains additional definitions for environment variables; see
614 as this user. The format of this file is described in the 714 ENVIRONMENT, above.
615 sshd(8) manual page. In the simplest form the format is the same 715
616 as the .pub identity files. This file is not highly sensitive, 716 ~/.ssh/identity
617 but the recommended permissions are read/write for the user, and 717 ~/.ssh/id_dsa
618 not accessible by others. 718 ~/.ssh/id_rsa
719 Contains the private key for authentication. These files contain
720 sensitive data and should be readable by the user but not acces-
721 sible by others (read/write/execute). ssh will simply ignore a
722 private key file if it is accessible by others. It is possible
723 to specify a passphrase when generating the key which will be
724 used to encrypt the sensitive part of this file using 3DES.
725
726 ~/.ssh/identity.pub
727 ~/.ssh/id_dsa.pub
728 ~/.ssh/id_rsa.pub
729 Contains the public key for authentication. These files are not
730 sensitive and can (but need not) be readable by anyone.
619 731
620 /etc/ssh/ssh_known_hosts 732 ~/.ssh/known_hosts
621 Systemwide list of known host keys. This file should be prepared 733 Contains a list of host keys for all hosts the user has logged
622 by the system administrator to contain the public host keys of 734 into that are not already in the systemwide list of known host
623 all machines in the organization. This file should be world- 735 keys. See sshd(8) for further details of the format of this
624 readable. This file contains public keys, one per line, in the 736 file.
625 following format (fields separated by spaces): system name, pub- 737
626 lic key and optional comment field. When different names are 738 ~/.ssh/rc
627 used for the same machine, all such names should be listed, sepa- 739 Commands in this file are executed by ssh when the user logs in,
628 rated by commas. The format is described in the sshd(8) manual 740 just before the user's shell (or command) is started. See the
629 page. 741 sshd(8) manual page for more information.
630 742
631 The canonical system name (as returned by name servers) is used 743 /etc/hosts.equiv
632 by sshd(8) to verify the client host when logging in; other names 744 This file is for host-based authentication (see above). It
633 are needed because ssh does not convert the user-supplied name to 745 should only be writable by root.
634 a canonical name before checking the key, because someone with 746
635 access to the name servers would then be able to fool host au- 747 /etc/shosts.equiv
636 thentication. 748 This file is used in exactly the same way as hosts.equiv, but al-
749 lows host-based authentication without permitting login with
750 rlogin/rsh.
637 751
638 /etc/ssh/ssh_config 752 /etc/ssh/ssh_config
639 Systemwide configuration file. The file format and configuration 753 Systemwide configuration file. The file format and configuration
640 options are described in ssh_config(5). 754 options are described in ssh_config(5).
641 755
642 /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, 756 /etc/ssh/ssh_host_key
643 /etc/ssh/ssh_host_rsa_key 757 /etc/ssh/ssh_host_dsa_key
758 /etc/ssh/ssh_host_rsa_key
644 These three files contain the private parts of the host keys and 759 These three files contain the private parts of the host keys and
645 are used for RhostsRSAAuthentication and HostbasedAuthentication. 760 are used for host-based authentication. If protocol version 1 is
646 If the protocol version 1 RhostsRSAAuthentication method is used, 761 used, ssh must be setuid root, since the host key is readable on-
647 ssh must be setuid root, since the host key is readable only by 762 ly by root. For protocol version 2, ssh uses ssh-keysign(8) to
648 root. For protocol version 2, ssh uses ssh-keysign(8) to access 763 access the host keys, eliminating the requirement that ssh be se-
649 the host keys for HostbasedAuthentication. This eliminates the 764 tuid root when host-based authentication is used. By default ssh
650 requirement that ssh be setuid root when that authentication 765 is not setuid root.
651 method is used. By default ssh is not setuid root.
652 766
653 ~/.rhosts 767 /etc/ssh/ssh_known_hosts
654 This file is used in RhostsRSAAuthentication and 768 Systemwide list of known host keys. This file should be prepared
655 HostbasedAuthentication authentication to list the host/user 769 by the system administrator to contain the public host keys of
656 pairs that are permitted to log in. (Note that this file is also 770 all machines in the organization. It should be world-readable.
657 used by rlogin and rsh, which makes using this file insecure.) 771 See sshd(8) for further details of the format of this file.
658 Each line of the file contains a host name (in the canonical form
659 returned by name servers), and then a user name on that host,
660 separated by a space. On some machines this file may need to be
661 world-readable if the user's home directory is on a NFS parti-
662 tion, because sshd(8) reads it as root. Additionally, this file
663 must be owned by the user, and must not have write permissions
664 for anyone else. The recommended permission for most machines is
665 read/write for the user, and not accessible by others.
666
667 Note that sshd(8) allows authentication only in combination with
668 client host key authentication before permitting log in. If the
669 server machine does not have the client's host key in
670 /etc/ssh/ssh_known_hosts, it can be stored in ~/.ssh/known_hosts.
671 The easiest way to do this is to connect back to the client from
672 the server machine using ssh; this will automatically add the
673 host key to ~/.ssh/known_hosts.
674
675 ~/.shosts
676 This file is used exactly the same way as .rhosts. The purpose
677 for having this file is to be able to use RhostsRSAAuthentication
678 and HostbasedAuthentication authentication without permitting lo-
679 gin with rlogin or rsh(1).
680
681 /etc/hosts.equiv
682 This file is used during RhostsRSAAuthentication and
683 HostbasedAuthentication authentication. It contains canonical
684 hosts names, one per line (the full format is described in the
685 sshd(8) manual page). If the client host is found in this file,
686 login is automatically permitted provided client and server user
687 names are the same. Additionally, successful client host key au-
688 thentication is required. This file should only be writable by
689 root.
690
691 /etc/shosts.equiv
692 This file is processed exactly as /etc/hosts.equiv. This file
693 may be useful to permit logins using ssh but not using
694 rsh/rlogin.
695 772
696 /etc/ssh/sshrc 773 /etc/ssh/sshrc
697 Commands in this file are executed by ssh when the user logs in 774 Commands in this file are executed by ssh when the user logs in,
698 just before the user's shell (or command) is started. See the
699 sshd(8) manual page for more information.
700
701 ~/.ssh/rc
702 Commands in this file are executed by ssh when the user logs in
703 just before the user's shell (or command) is started. See the 775 just before the user's shell (or command) is started. See the
704 sshd(8) manual page for more information. 776 sshd(8) manual page for more information.
705 777
706 ~/.ssh/environment
707 Contains additional definitions for environment variables, see
708 section ENVIRONMENT above.
709
710DIAGNOSTICS
711 ssh exits with the exit status of the remote command or with 255 if an
712 error occurred.
713
714SEE ALSO 778SEE ALSO
715 gzip(1), rsh(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1), 779 scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1),
716 ssh-keygen(1), telnet(1), hosts.equiv(5), ssh_config(5), ssh-keysign(8), 780 tun(4), hosts.equiv(5), ssh_config(5), ssh-keysign(8), sshd(8)
717 sshd(8)
718 781
719 T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH 782 T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH
720 Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January 783 Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January
@@ -727,4 +790,4 @@ AUTHORS
727 created OpenSSH. Markus Friedl contributed the support for SSH protocol 790 created OpenSSH. Markus Friedl contributed the support for SSH protocol
728 versions 1.5 and 2.0. 791 versions 1.5 and 2.0.
729 792
730OpenBSD 3.8 September 25, 1999 12 793OpenBSD 3.9 September 25, 1999 12
diff --git a/ssh.1 b/ssh.1
index b0749763b..f4c677628 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh.1,v 1.209 2005/07/06 09:33:05 dtucker Exp $ 37.\" $OpenBSD: ssh.1,v 1.253 2006/01/30 13:37:49 jmc Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSH 1 39.Dt SSH 1
40.Os 40.Os
@@ -43,21 +43,29 @@
43.Nd OpenSSH SSH client (remote login program) 43.Nd OpenSSH SSH client (remote login program)
44.Sh SYNOPSIS 44.Sh SYNOPSIS
45.Nm ssh 45.Nm ssh
46.Bk -words
47.Op Fl 1246AaCfgkMNnqsTtVvXxY 46.Op Fl 1246AaCfgkMNnqsTtVvXxY
48.Op Fl b Ar bind_address 47.Op Fl b Ar bind_address
49.Op Fl c Ar cipher_spec 48.Op Fl c Ar cipher_spec
50.Op Fl D Ar port 49.Oo Fl D\ \&
50.Sm off
51.Oo Ar bind_address : Oc
52.Ar port
53.Sm on
54.Oc
51.Op Fl e Ar escape_char 55.Op Fl e Ar escape_char
52.Op Fl F Ar configfile 56.Op Fl F Ar configfile
57.Bk -words
53.Op Fl i Ar identity_file 58.Op Fl i Ar identity_file
59.Ek
54.Oo Fl L\ \& 60.Oo Fl L\ \&
55.Sm off 61.Sm off
56.Oo Ar bind_address : Oc 62.Oo Ar bind_address : Oc
57.Ar port : host : hostport 63.Ar port : host : hostport
58.Sm on 64.Sm on
59.Oc 65.Oc
66.Bk -words
60.Op Fl l Ar login_name 67.Op Fl l Ar login_name
68.Ek
61.Op Fl m Ar mac_spec 69.Op Fl m Ar mac_spec
62.Op Fl O Ar ctl_cmd 70.Op Fl O Ar ctl_cmd
63.Op Fl o Ar option 71.Op Fl o Ar option
@@ -69,6 +77,8 @@
69.Sm on 77.Sm on
70.Oc 78.Oc
71.Op Fl S Ar ctl_path 79.Op Fl S Ar ctl_path
80.Bk -words
81.Op Fl w Ar tunnel : Ns Ar tunnel
72.Oo Ar user Ns @ Oc Ns Ar hostname 82.Oo Ar user Ns @ Oc Ns Ar hostname
73.Op Ar command 83.Op Ar command
74.Ek 84.Ek
@@ -79,7 +89,7 @@ executing commands on a remote machine.
79It is intended to replace rlogin and rsh, 89It is intended to replace rlogin and rsh,
80and provide secure encrypted communications between 90and provide secure encrypted communications between
81two untrusted hosts over an insecure network. 91two untrusted hosts over an insecure network.
82X11 connections and arbitrary TCP/IP ports 92X11 connections and arbitrary TCP ports
83can also be forwarded over the secure channel. 93can also be forwarded over the secure channel.
84.Pp 94.Pp
85.Nm 95.Nm
@@ -90,306 +100,12 @@ connects and logs into the specified
90name). 100name).
91The user must prove 101The user must prove
92his/her identity to the remote machine using one of several methods 102his/her identity to the remote machine using one of several methods
93depending on the protocol version used. 103depending on the protocol version used (see below).
94.Pp 104.Pp
95If 105If
96.Ar command 106.Ar command
97is specified, 107is specified,
98.Ar command 108it is executed on the remote host instead of a login shell.
99is executed on the remote host instead of a login shell.
100.Ss SSH protocol version 1
101The first authentication method is the
102.Em rhosts
103or
104.Em hosts.equiv
105method combined with RSA-based host authentication.
106If the machine the user logs in from is listed in
107.Pa /etc/hosts.equiv
108or
109.Pa /etc/shosts.equiv
110on the remote machine, and the user names are
111the same on both sides, or if the files
112.Pa ~/.rhosts
113or
114.Pa ~/.shosts
115exist in the user's home directory on the
116remote machine and contain a line containing the name of the client
117machine and the name of the user on that machine, the user is
118considered for log in.
119Additionally, if the server can verify the client's
120host key (see
121.Pa /etc/ssh/ssh_known_hosts
122and
123.Pa ~/.ssh/known_hosts
124in the
125.Sx FILES
126section), only then is login permitted.
127This authentication method closes security holes due to IP
128spoofing, DNS spoofing and routing spoofing.
129[Note to the administrator:
130.Pa /etc/hosts.equiv ,
131.Pa ~/.rhosts ,
132and the rlogin/rsh protocol in general, are inherently insecure and should be
133disabled if security is desired.]
134.Pp
135As a second authentication method,
136.Nm
137supports RSA based authentication.
138The scheme is based on public-key cryptography: there are cryptosystems
139where encryption and decryption are done using separate keys, and it
140is not possible to derive the decryption key from the encryption key.
141RSA is one such system.
142The idea is that each user creates a public/private
143key pair for authentication purposes.
144The server knows the public key, and only the user knows the private key.
145.Pp
146The file
147.Pa ~/.ssh/authorized_keys
148lists the public keys that are permitted for logging in.
149When the user logs in, the
150.Nm
151program tells the server which key pair it would like to use for
152authentication.
153The server checks if this key is permitted, and if so,
154sends the user (actually the
155.Nm
156program running on behalf of the user) a challenge, a random number,
157encrypted by the user's public key.
158The challenge can only be decrypted using the proper private key.
159The user's client then decrypts the challenge using the private key,
160proving that he/she knows the private key
161but without disclosing it to the server.
162.Pp
163.Nm
164implements the RSA authentication protocol automatically.
165The user creates his/her RSA key pair by running
166.Xr ssh-keygen 1 .
167This stores the private key in
168.Pa ~/.ssh/identity
169and stores the public key in
170.Pa ~/.ssh/identity.pub
171in the user's home directory.
172The user should then copy the
173.Pa identity.pub
174to
175.Pa ~/.ssh/authorized_keys
176in his/her home directory on the remote machine (the
177.Pa authorized_keys
178file corresponds to the conventional
179.Pa ~/.rhosts
180file, and has one key
181per line, though the lines can be very long).
182After this, the user can log in without giving the password.
183.Pp
184The most convenient way to use RSA authentication may be with an
185authentication agent.
186See
187.Xr ssh-agent 1
188for more information.
189.Pp
190If other authentication methods fail,
191.Nm
192prompts the user for a password.
193The password is sent to the remote
194host for checking; however, since all communications are encrypted,
195the password cannot be seen by someone listening on the network.
196.Ss SSH protocol version 2
197When a user connects using protocol version 2,
198similar authentication methods are available.
199Using the default values for
200.Cm PreferredAuthentications ,
201the client will try to authenticate first using the hostbased method;
202if this method fails, public key authentication is attempted,
203and finally if this method fails, keyboard-interactive and
204password authentication are tried.
205.Pp
206The public key method is similar to RSA authentication described
207in the previous section and allows the RSA or DSA algorithm to be used:
208The client uses his private key,
209.Pa ~/.ssh/id_dsa
210or
211.Pa ~/.ssh/id_rsa ,
212to sign the session identifier and sends the result to the server.
213The server checks whether the matching public key is listed in
214.Pa ~/.ssh/authorized_keys
215and grants access if both the key is found and the signature is correct.
216The session identifier is derived from a shared Diffie-Hellman value
217and is only known to the client and the server.
218.Pp
219If public key authentication fails or is not available, a password
220can be sent encrypted to the remote host to prove the user's identity.
221.Pp
222Additionally,
223.Nm
224supports hostbased or challenge response authentication.
225.Pp
226Protocol 2 provides additional mechanisms for confidentiality
227(the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour)
228and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
229Note that protocol 1 lacks a strong mechanism for ensuring the
230integrity of the connection.
231.Ss Login session and remote execution
232When the user's identity has been accepted by the server, the server
233either executes the given command, or logs into the machine and gives
234the user a normal shell on the remote machine.
235All communication with
236the remote command or shell will be automatically encrypted.
237.Pp
238If a pseudo-terminal has been allocated (normal login session), the
239user may use the escape characters noted below.
240.Pp
241If no pseudo-tty has been allocated,
242the session is transparent and can be used to reliably transfer binary data.
243On most systems, setting the escape character to
244.Dq none
245will also make the session transparent even if a tty is used.
246.Pp
247The session terminates when the command or shell on the remote
248machine exits and all X11 and TCP/IP connections have been closed.
249The exit status of the remote program is returned as the exit status of
250.Nm ssh .
251.Ss Escape Characters
252When a pseudo-terminal has been requested,
253.Nm
254supports a number of functions through the use of an escape character.
255.Pp
256A single tilde character can be sent as
257.Ic ~~
258or by following the tilde by a character other than those described below.
259The escape character must always follow a newline to be interpreted as
260special.
261The escape character can be changed in configuration files using the
262.Cm EscapeChar
263configuration directive or on the command line by the
264.Fl e
265option.
266.Pp
267The supported escapes (assuming the default
268.Ql ~ )
269are:
270.Bl -tag -width Ds
271.It Cm ~.
272Disconnect.
273.It Cm ~^Z
274Background
275.Nm ssh .
276.It Cm ~#
277List forwarded connections.
278.It Cm ~&
279Background
280.Nm
281at logout when waiting for forwarded connection / X11 sessions to terminate.
282.It Cm ~?
283Display a list of escape characters.
284.It Cm ~B
285Send a BREAK to the remote system
286(only useful for SSH protocol version 2 and if the peer supports it).
287.It Cm ~C
288Open command line.
289Currently this allows the addition of port forwardings using the
290.Fl L
291and
292.Fl R
293options (see below).
294It also allows the cancellation of existing remote port-forwardings
295using
296.Fl KR Ar hostport .
297Basic help is available, using the
298.Fl h
299option.
300.It Cm ~R
301Request rekeying of the connection
302(only useful for SSH protocol version 2 and if the peer supports it).
303.El
304.Ss X11 and TCP forwarding
305If the
306.Cm ForwardX11
307variable is set to
308.Dq yes
309(or see the description of the
310.Fl X
311and
312.Fl x
313options described later)
314and the user is using X11 (the
315.Ev DISPLAY
316environment variable is set), the connection to the X11 display is
317automatically forwarded to the remote side in such a way that any X11
318programs started from the shell (or command) will go through the
319encrypted channel, and the connection to the real X server will be made
320from the local machine.
321The user should not manually set
322.Ev DISPLAY .
323Forwarding of X11 connections can be
324configured on the command line or in configuration files.
325.Pp
326The
327.Ev DISPLAY
328value set by
329.Nm
330will point to the server machine, but with a display number greater than zero.
331This is normal, and happens because
332.Nm
333creates a
334.Dq proxy
335X server on the server machine for forwarding the
336connections over the encrypted channel.
337.Pp
338.Nm
339will also automatically set up Xauthority data on the server machine.
340For this purpose, it will generate a random authorization cookie,
341store it in Xauthority on the server, and verify that any forwarded
342connections carry this cookie and replace it by the real cookie when
343the connection is opened.
344The real authentication cookie is never
345sent to the server machine (and no cookies are sent in the plain).
346.Pp
347If the
348.Cm ForwardAgent
349variable is set to
350.Dq yes
351(or see the description of the
352.Fl A
353and
354.Fl a
355options described later) and
356the user is using an authentication agent, the connection to the agent
357is automatically forwarded to the remote side.
358.Pp
359Forwarding of arbitrary TCP/IP connections over the secure channel can
360be specified either on the command line or in a configuration file.
361One possible application of TCP/IP forwarding is a secure connection to an
362electronic purse; another is going through firewalls.
363.Ss Server authentication
364.Nm
365automatically maintains and checks a database containing
366identifications for all hosts it has ever been used with.
367Host keys are stored in
368.Pa ~/.ssh/known_hosts
369in the user's home directory.
370Additionally, the file
371.Pa /etc/ssh/ssh_known_hosts
372is automatically checked for known hosts.
373Any new hosts are automatically added to the user's file.
374If a host's identification ever changes,
375.Nm
376warns about this and disables password authentication to prevent a
377trojan horse from getting the user's password.
378Another purpose of this mechanism is to prevent man-in-the-middle attacks
379which could otherwise be used to circumvent the encryption.
380The
381.Cm StrictHostKeyChecking
382option can be used to prevent logins to machines whose
383host key is not known or has changed.
384.Pp
385.Nm
386can be configured to verify host identification using fingerprint resource
387records (SSHFP) published in DNS.
388The
389.Cm VerifyHostKeyDNS
390option can be used to control how DNS lookups are performed.
391SSHFP resource records can be generated using
392.Xr ssh-keygen 1 .
393.Pp 109.Pp
394The options are as follows: 110The options are as follows:
395.Bl -tag -width Ds 111.Bl -tag -width Ds
@@ -430,7 +146,7 @@ of the connection.
430Only useful on systems with more than one address. 146Only useful on systems with more than one address.
431.It Fl C 147.It Fl C
432Requests compression of all data (including stdin, stdout, stderr, and 148Requests compression of all data (including stdin, stdout, stderr, and
433data for forwarded X11 and TCP/IP connections). 149data for forwarded X11 and TCP connections).
434The compression algorithm is the same used by 150The compression algorithm is the same used by
435.Xr gzip 1 , 151.Xr gzip 1 ,
436and the 152and the
@@ -448,9 +164,9 @@ option.
448Selects the cipher specification for encrypting the session. 164Selects the cipher specification for encrypting the session.
449.Pp 165.Pp
450Protocol version 1 allows specification of a single cipher. 166Protocol version 1 allows specification of a single cipher.
451The suported values are 167The supported values are
452.Dq 3des , 168.Dq 3des ,
453.Dq blowfish 169.Dq blowfish ,
454and 170and
455.Dq des . 171.Dq des .
456.Ar 3des 172.Ar 3des
@@ -470,37 +186,44 @@ Its use is strongly discouraged due to cryptographic weaknesses.
470The default is 186The default is
471.Dq 3des . 187.Dq 3des .
472.Pp 188.Pp
473For protocol version 2 189For protocol version 2,
474.Ar cipher_spec 190.Ar cipher_spec
475is a comma-separated list of ciphers 191is a comma-separated list of ciphers
476listed in order of preference. 192listed in order of preference.
477The supported ciphers are 193The supported ciphers are:
478.Dq 3des-cbc , 1943des-cbc,
479.Dq aes128-cbc , 195aes128-cbc,
480.Dq aes192-cbc , 196aes192-cbc,
481.Dq aes256-cbc , 197aes256-cbc,
482.Dq aes128-ctr , 198aes128-ctr,
483.Dq aes192-ctr , 199aes192-ctr,
484.Dq aes256-ctr , 200aes256-ctr,
485.Dq arcfour128 , 201arcfour128,
486.Dq arcfour256 , 202arcfour256,
487.Dq arcfour , 203arcfour,
488.Dq blowfish-cbc , 204blowfish-cbc,
489and 205and
490.Dq cast128-cbc . 206cast128-cbc.
491The default is 207The default is:
492.Bd -literal 208.Bd -literal -offset indent
493 ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, 209aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
494 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, 210arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
495 aes192-ctr,aes256-ctr'' 211aes192-ctr,aes256-ctr
496.Ed 212.Ed
497.It Fl D Ar port 213.It Fl D Xo
214.Sm off
215.Oo Ar bind_address : Oc
216.Ar port
217.Sm on
218.Xc
498Specifies a local 219Specifies a local
499.Dq dynamic 220.Dq dynamic
500application-level port forwarding. 221application-level port forwarding.
501This works by allocating a socket to listen to 222This works by allocating a socket to listen to
502.Ar port 223.Ar port
503on the local side, and whenever a connection is made to this port, the 224on the local side, optionally bound to the specified
225.Ar bind_address .
226Whenever a connection is made to this port, the
504connection is forwarded over the secure channel, and the application 227connection is forwarded over the secure channel, and the application
505protocol is then used to determine where to connect to from the 228protocol is then used to determine where to connect to from the
506remote machine. 229remote machine.
@@ -509,7 +232,31 @@ Currently the SOCKS4 and SOCKS5 protocols are supported, and
509will act as a SOCKS server. 232will act as a SOCKS server.
510Only root can forward privileged ports. 233Only root can forward privileged ports.
511Dynamic port forwardings can also be specified in the configuration file. 234Dynamic port forwardings can also be specified in the configuration file.
512.It Fl e Ar ch | ^ch | none 235.Pp
236IPv6 addresses can be specified with an alternative syntax:
237.Sm off
238.Xo
239.Op Ar bind_address No /
240.Ar port
241.Xc
242.Sm on
243or by enclosing the address in square brackets.
244Only the superuser can forward privileged ports.
245By default, the local port is bound in accordance with the
246.Cm GatewayPorts
247setting.
248However, an explicit
249.Ar bind_address
250may be used to bind the connection to a specific address.
251The
252.Ar bind_address
253of
254.Dq localhost
255indicates that the listening port be bound for local use only, while an
256empty address or
257.Sq *
258indicates that the port should be available from all interfaces.
259.It Fl e Ar escape_char
513Sets the escape character for sessions with a pty (default: 260Sets the escape character for sessions with a pty (default:
514.Ql ~ ) . 261.Ql ~ ) .
515The escape character is only recognized at the beginning of a line. 262The escape character is only recognized at the beginning of a line.
@@ -545,11 +292,12 @@ something like
545.It Fl g 292.It Fl g
546Allows remote hosts to connect to local forwarded ports. 293Allows remote hosts to connect to local forwarded ports.
547.It Fl I Ar smartcard_device 294.It Fl I Ar smartcard_device
548Specifies which smartcard device to use. 295Specify the device
549The argument is the device
550.Nm 296.Nm
551should use to communicate with a smartcard used for storing the user's 297should use to communicate with a smartcard used for storing the user's
552private RSA key. 298private RSA key.
299This option is only available if support for smartcard devices
300is compiled in (default is no support).
553.It Fl i Ar identity_file 301.It Fl i Ar identity_file
554Selects a file from which the identity (private key) for 302Selects a file from which the identity (private key) for
555RSA or DSA authentication is read. 303RSA or DSA authentication is read.
@@ -621,6 +369,13 @@ Places the
621client into 369client into
622.Dq master 370.Dq master
623mode for connection sharing. 371mode for connection sharing.
372Multiple
373.Fl M
374options places
375.Nm
376into
377.Dq master
378mode with confirmation required before slave connections are accepted.
624Refer to the description of 379Refer to the description of
625.Cm ControlMaster 380.Cm ControlMaster
626in 381in
@@ -709,17 +464,20 @@ For full details of the options listed below, and their possible values, see
709.It IdentityFile 464.It IdentityFile
710.It IdentitiesOnly 465.It IdentitiesOnly
711.It KbdInteractiveDevices 466.It KbdInteractiveDevices
467.It LocalCommand
712.It LocalForward 468.It LocalForward
713.It LogLevel 469.It LogLevel
714.It MACs 470.It MACs
715.It NoHostAuthenticationForLocalhost 471.It NoHostAuthenticationForLocalhost
716.It NumberOfPasswordPrompts 472.It NumberOfPasswordPrompts
717.It PasswordAuthentication 473.It PasswordAuthentication
474.It PermitLocalCommand
718.It Port 475.It Port
719.It PreferredAuthentications 476.It PreferredAuthentications
720.It Protocol 477.It Protocol
721.It ProxyCommand 478.It ProxyCommand
722.It PubkeyAuthentication 479.It PubkeyAuthentication
480.It RekeyLimit
723.It RemoteForward 481.It RemoteForward
724.It RhostsRSAAuthentication 482.It RhostsRSAAuthentication
725.It RSAAuthentication 483.It RSAAuthentication
@@ -729,6 +487,8 @@ For full details of the options listed below, and their possible values, see
729.It SmartcardDevice 487.It SmartcardDevice
730.It StrictHostKeyChecking 488.It StrictHostKeyChecking
731.It TCPKeepAlive 489.It TCPKeepAlive
490.It Tunnel
491.It TunnelDevice
732.It UsePrivilegedPort 492.It UsePrivilegedPort
733.It User 493.It User
734.It UserKnownHostsFile 494.It UserKnownHostsFile
@@ -828,6 +588,24 @@ Multiple
828.Fl v 588.Fl v
829options increase the verbosity. 589options increase the verbosity.
830The maximum is 3. 590The maximum is 3.
591.It Fl w Ar tunnel : Ns Ar tunnel
592Requests a
593.Xr tun 4
594device on the client
595(first
596.Ar tunnel
597arg)
598and server
599(second
600.Ar tunnel
601arg).
602The devices may be specified by numerical ID or the keyword
603.Dq any ,
604which uses the next available tunnel device.
605See also the
606.Cm Tunnel
607directive in
608.Xr ssh_config 5 .
831.It Fl X 609.It Fl X
832Enables X11 forwarding. 610Enables X11 forwarding.
833This can also be specified on a per-host basis in a configuration file. 611This can also be specified on a per-host basis in a configuration file.
@@ -855,16 +633,474 @@ Enables trusted X11 forwarding.
855Trusted X11 forwardings are not subjected to the X11 SECURITY extension 633Trusted X11 forwardings are not subjected to the X11 SECURITY extension
856controls. 634controls.
857.El 635.El
858.Sh CONFIGURATION FILES 636.Pp
859.Nm 637.Nm
860may additionally obtain configuration data from 638may additionally obtain configuration data from
861a per-user configuration file and a system-wide configuration file. 639a per-user configuration file and a system-wide configuration file.
862The file format and configuration options are described in 640The file format and configuration options are described in
863.Xr ssh_config 5 . 641.Xr ssh_config 5 .
642.Pp
643.Nm
644exits with the exit status of the remote command or with 255
645if an error occurred.
646.Sh AUTHENTICATION
647The OpenSSH SSH client supports SSH protocols 1 and 2.
648Protocol 2 is the default, with
649.Nm
650falling back to protocol 1 if it detects protocol 2 is unsupported.
651These settings may be altered using the
652.Cm Protocol
653option in
654.Xr ssh_config 5 ,
655or enforced using the
656.Fl 1
657and
658.Fl 2
659options (see above).
660Both protocols support similar authentication methods,
661but protocol 2 is preferred since
662it provides additional mechanisms for confidentiality
663(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
664and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
665Protocol 1 lacks a strong mechanism for ensuring the
666integrity of the connection.
667.Pp
668The methods available for authentication are:
669host-based authentication,
670public key authentication,
671challenge-response authentication,
672and password authentication.
673Authentication methods are tried in the order specified above,
674though protocol 2 has a configuration option to change the default order:
675.Cm PreferredAuthentications .
676.Pp
677Host-based authentication works as follows:
678If the machine the user logs in from is listed in
679.Pa /etc/hosts.equiv
680or
681.Pa /etc/shosts.equiv
682on the remote machine, and the user names are
683the same on both sides, or if the files
684.Pa ~/.rhosts
685or
686.Pa ~/.shosts
687exist in the user's home directory on the
688remote machine and contain a line containing the name of the client
689machine and the name of the user on that machine, the user is
690considered for login.
691Additionally, the server
692.Em must
693be able to verify the client's
694host key (see the description of
695.Pa /etc/ssh/ssh_known_hosts
696and
697.Pa ~/.ssh/known_hosts ,
698below)
699for login to be permitted.
700This authentication method closes security holes due to IP
701spoofing, DNS spoofing, and routing spoofing.
702[Note to the administrator:
703.Pa /etc/hosts.equiv ,
704.Pa ~/.rhosts ,
705and the rlogin/rsh protocol in general, are inherently insecure and should be
706disabled if security is desired.]
707.Pp
708Public key authentication works as follows:
709The scheme is based on public-key cryptography,
710using cryptosystems
711where encryption and decryption are done using separate keys,
712and it is unfeasible to derive the decryption key from the encryption key.
713The idea is that each user creates a public/private
714key pair for authentication purposes.
715The server knows the public key, and only the user knows the private key.
716.Nm
717implements public key authentication protocol automatically,
718using either the RSA or DSA algorithms.
719Protocol 1 is restricted to using only RSA keys,
720but protocol 2 may use either.
721The
722.Sx HISTORY
723section of
724.Xr ssl 8
725contains a brief discussion of the two algorithms.
726.Pp
727The file
728.Pa ~/.ssh/authorized_keys
729lists the public keys that are permitted for logging in.
730When the user logs in, the
731.Nm
732program tells the server which key pair it would like to use for
733authentication.
734The client proves that it has access to the private key
735and the server checks that the corresponding public key
736is authorized to accept the account.
737.Pp
738The user creates his/her key pair by running
739.Xr ssh-keygen 1 .
740This stores the private key in
741.Pa ~/.ssh/identity
742(protocol 1),
743.Pa ~/.ssh/id_dsa
744(protocol 2 DSA),
745or
746.Pa ~/.ssh/id_rsa
747(protocol 2 RSA)
748and stores the public key in
749.Pa ~/.ssh/identity.pub
750(protocol 1),
751.Pa ~/.ssh/id_dsa.pub
752(protocol 2 DSA),
753or
754.Pa ~/.ssh/id_rsa.pub
755(protocol 2 RSA)
756in the user's home directory.
757The user should then copy the public key
758to
759.Pa ~/.ssh/authorized_keys
760in his/her home directory on the remote machine.
761The
762.Pa authorized_keys
763file corresponds to the conventional
764.Pa ~/.rhosts
765file, and has one key
766per line, though the lines can be very long.
767After this, the user can log in without giving the password.
768.Pp
769The most convenient way to use public key authentication may be with an
770authentication agent.
771See
772.Xr ssh-agent 1
773for more information.
774.Pp
775Challenge-response authentication works as follows:
776The server sends an arbitrary
777.Qq challenge
778text, and prompts for a response.
779Protocol 2 allows multiple challenges and responses;
780protocol 1 is restricted to just one challenge/response.
781Examples of challenge-response authentication include
782BSD Authentication (see
783.Xr login.conf 5 )
784and PAM (some non-OpenBSD systems).
785.Pp
786Finally, if other authentication methods fail,
787.Nm
788prompts the user for a password.
789The password is sent to the remote
790host for checking; however, since all communications are encrypted,
791the password cannot be seen by someone listening on the network.
792.Pp
793.Nm
794automatically maintains and checks a database containing
795identification for all hosts it has ever been used with.
796Host keys are stored in
797.Pa ~/.ssh/known_hosts
798in the user's home directory.
799Additionally, the file
800.Pa /etc/ssh/ssh_known_hosts
801is automatically checked for known hosts.
802Any new hosts are automatically added to the user's file.
803If a host's identification ever changes,
804.Nm
805warns about this and disables password authentication to prevent
806server spoofing or man-in-the-middle attacks,
807which could otherwise be used to circumvent the encryption.
808The
809.Cm StrictHostKeyChecking
810option can be used to control logins to machines whose
811host key is not known or has changed.
812.Pp
813When the user's identity has been accepted by the server, the server
814either executes the given command, or logs into the machine and gives
815the user a normal shell on the remote machine.
816All communication with
817the remote command or shell will be automatically encrypted.
818.Pp
819If a pseudo-terminal has been allocated (normal login session), the
820user may use the escape characters noted below.
821.Pp
822If no pseudo-tty has been allocated,
823the session is transparent and can be used to reliably transfer binary data.
824On most systems, setting the escape character to
825.Dq none
826will also make the session transparent even if a tty is used.
827.Pp
828The session terminates when the command or shell on the remote
829machine exits and all X11 and TCP connections have been closed.
830.Sh ESCAPE CHARACTERS
831When a pseudo-terminal has been requested,
832.Nm
833supports a number of functions through the use of an escape character.
834.Pp
835A single tilde character can be sent as
836.Ic ~~
837or by following the tilde by a character other than those described below.
838The escape character must always follow a newline to be interpreted as
839special.
840The escape character can be changed in configuration files using the
841.Cm EscapeChar
842configuration directive or on the command line by the
843.Fl e
844option.
845.Pp
846The supported escapes (assuming the default
847.Ql ~ )
848are:
849.Bl -tag -width Ds
850.It Cm ~.
851Disconnect.
852.It Cm ~^Z
853Background
854.Nm .
855.It Cm ~#
856List forwarded connections.
857.It Cm ~&
858Background
859.Nm
860at logout when waiting for forwarded connection / X11 sessions to terminate.
861.It Cm ~?
862Display a list of escape characters.
863.It Cm ~B
864Send a BREAK to the remote system
865(only useful for SSH protocol version 2 and if the peer supports it).
866.It Cm ~C
867Open command line.
868Currently this allows the addition of port forwardings using the
869.Fl L
870and
871.Fl R
872options (see above).
873It also allows the cancellation of existing remote port-forwardings
874using
875.Fl KR Ar hostport .
876.Ic !\& Ns Ar command
877allows the user to execute a local command if the
878.Ic PermitLocalCommand
879option is enabled in
880.Xr ssh_config 5 .
881Basic help is available, using the
882.Fl h
883option.
884.It Cm ~R
885Request rekeying of the connection
886(only useful for SSH protocol version 2 and if the peer supports it).
887.El
888.Sh TCP FORWARDING
889Forwarding of arbitrary TCP connections over the secure channel can
890be specified either on the command line or in a configuration file.
891One possible application of TCP forwarding is a secure connection to a
892mail server; another is going through firewalls.
893.Pp
894In the example below, we look at encrypting communication between
895an IRC client and server, even though the IRC server does not directly
896support encrypted communications.
897This works as follows:
898the user connects to the remote host using
899.Nm ,
900specifying a port to be used to forward connections
901to the remote server.
902After that it is possible to start the service which is to be encrypted
903on the client machine,
904connecting to the same local port,
905and
906.Nm
907will encrypt and forward the connection.
908.Pp
909The following example tunnels an IRC session from client machine
910.Dq 127.0.0.1
911(localhost)
912to remote server
913.Dq server.example.com :
914.Bd -literal -offset 4n
915$ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
916$ irc -c '#users' -p 1234 pinky 127.0.0.1
917.Ed
918.Pp
919This tunnels a connection to IRC server
920.Dq server.example.com ,
921joining channel
922.Dq #users ,
923nickname
924.Dq pinky ,
925using port 1234.
926It doesn't matter which port is used,
927as long as it's greater than 1023
928(remember, only root can open sockets on privileged ports)
929and doesn't conflict with any ports already in use.
930The connection is forwarded to port 6667 on the remote server,
931since that's the standard port for IRC services.
932.Pp
933The
934.Fl f
935option backgrounds
936.Nm
937and the remote command
938.Dq sleep 10
939is specified to allow an amount of time
940(10 seconds, in the example)
941to start the service which is to be tunnelled.
942If no connections are made within the time specified,
943.Nm
944will exit.
945.Sh X11 FORWARDING
946If the
947.Cm ForwardX11
948variable is set to
949.Dq yes
950(or see the description of the
951.Fl X ,
952.Fl x ,
953and
954.Fl Y
955options above)
956and the user is using X11 (the
957.Ev DISPLAY
958environment variable is set), the connection to the X11 display is
959automatically forwarded to the remote side in such a way that any X11
960programs started from the shell (or command) will go through the
961encrypted channel, and the connection to the real X server will be made
962from the local machine.
963The user should not manually set
964.Ev DISPLAY .
965Forwarding of X11 connections can be
966configured on the command line or in configuration files.
967.Pp
968The
969.Ev DISPLAY
970value set by
971.Nm
972will point to the server machine, but with a display number greater than zero.
973This is normal, and happens because
974.Nm
975creates a
976.Dq proxy
977X server on the server machine for forwarding the
978connections over the encrypted channel.
979.Pp
980.Nm
981will also automatically set up Xauthority data on the server machine.
982For this purpose, it will generate a random authorization cookie,
983store it in Xauthority on the server, and verify that any forwarded
984connections carry this cookie and replace it by the real cookie when
985the connection is opened.
986The real authentication cookie is never
987sent to the server machine (and no cookies are sent in the plain).
988.Pp
989If the
990.Cm ForwardAgent
991variable is set to
992.Dq yes
993(or see the description of the
994.Fl A
995and
996.Fl a
997options above) and
998the user is using an authentication agent, the connection to the agent
999is automatically forwarded to the remote side.
1000.Sh VERIFYING HOST KEYS
1001When connecting to a server for the first time,
1002a fingerprint of the server's public key is presented to the user
1003(unless the option
1004.Cm StrictHostKeyChecking
1005has been disabled).
1006Fingerprints can be determined using
1007.Xr ssh-keygen 1 :
1008.Pp
1009.Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
1010.Pp
1011If the fingerprint is already known,
1012it can be matched and verified,
1013and the key can be accepted.
1014If the fingerprint is unknown,
1015an alternative method of verification is available:
1016SSH fingerprints verified by DNS.
1017An additional resource record (RR),
1018SSHFP,
1019is added to a zonefile
1020and the connecting client is able to match the fingerprint
1021with that of the key presented.
1022.Pp
1023In this example, we are connecting a client to a server,
1024.Dq host.example.com .
1025The SSHFP resource records should first be added to the zonefile for
1026host.example.com:
1027.Bd -literal -offset indent
1028$ ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r host.example.com.
1029$ ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r host.example.com.
1030.Ed
1031.Pp
1032The output lines will have to be added to the zonefile.
1033To check that the zone is answering fingerprint queries:
1034.Pp
1035.Dl $ dig -t SSHFP host.example.com
1036.Pp
1037Finally the client connects:
1038.Bd -literal -offset indent
1039$ ssh -o "VerifyHostKeyDNS ask" host.example.com
1040[...]
1041Matching host key fingerprint found in DNS.
1042Are you sure you want to continue connecting (yes/no)?
1043.Ed
1044.Pp
1045See the
1046.Cm VerifyHostKeyDNS
1047option in
1048.Xr ssh_config 5
1049for more information.
1050.Sh SSH-BASED VIRTUAL PRIVATE NETWORKS
1051.Nm
1052contains support for Virtual Private Network (VPN) tunnelling
1053using the
1054.Xr tun 4
1055network pseudo-device,
1056allowing two networks to be joined securely.
1057The
1058.Xr sshd_config 5
1059configuration option
1060.Cm PermitTunnel
1061controls whether the server supports this,
1062and at what level (layer 2 or 3 traffic).
1063.Pp
1064The following example would connect client network 10.0.50.0/24
1065with remote network 10.0.99.0/24, provided that the SSH server
1066running on the gateway to the remote network,
1067at 192.168.1.15, allows it:
1068.Bd -literal -offset indent
1069# ssh -f -w 0:1 192.168.1.15 true
1070# ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252
1071.Ed
1072.Pp
1073Client access may be more finely tuned via the
1074.Pa /root/.ssh/authorized_keys
1075file (see below) and the
1076.Cm PermitRootLogin
1077server option.
1078The following entry would permit connections on the first
1079.Xr tun 4
1080device from user
1081.Dq jane
1082and on the second device from user
1083.Dq john ,
1084if
1085.Cm PermitRootLogin
1086is set to
1087.Dq forced-commands-only :
1088.Bd -literal -offset 2n
1089tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
1090tunnel="2",command="sh /etc/netstart tun1" ssh-rsa ... john
1091.Ed
1092.Pp
1093Since a SSH-based setup entails a fair amount of overhead,
1094it may be more suited to temporary setups,
1095such as for wireless VPNs.
1096More permanent VPNs are better provided by tools such as
1097.Xr ipsecctl 8
1098and
1099.Xr isakmpd 8 .
864.Sh ENVIRONMENT 1100.Sh ENVIRONMENT
865.Nm 1101.Nm
866will normally set the following environment variables: 1102will normally set the following environment variables:
867.Bl -tag -width LOGNAME 1103.Bl -tag -width "SSH_ORIGINAL_COMMAND"
868.It Ev DISPLAY 1104.It Ev DISPLAY
869The 1105The
870.Ev DISPLAY 1106.Ev DISPLAY
@@ -872,9 +1108,12 @@ variable indicates the location of the X11 server.
872It is automatically set by 1108It is automatically set by
873.Nm 1109.Nm
874to point to a value of the form 1110to point to a value of the form
875.Dq hostname:n 1111.Dq hostname:n ,
876where hostname indicates 1112where
877the host where the shell runs, and n is an integer \*(Ge 1. 1113.Dq hostname
1114indicates the host where the shell runs, and
1115.Sq n
1116is an integer \*(Ge 1.
878.Nm 1117.Nm
879uses this special value to forward X11 connections over the secure 1118uses this special value to forward X11 connections over the secure
880channel. 1119channel.
@@ -895,7 +1134,7 @@ Set to the path of the user's mailbox.
895Set to the default 1134Set to the default
896.Ev PATH , 1135.Ev PATH ,
897as specified when compiling 1136as specified when compiling
898.Nm ssh . 1137.Nm .
899.It Ev SSH_ASKPASS 1138.It Ev SSH_ASKPASS
900If 1139If
901.Nm 1140.Nm
@@ -920,15 +1159,16 @@ may be necessary to redirect the input from
920.Pa /dev/null 1159.Pa /dev/null
921to make this work.) 1160to make this work.)
922.It Ev SSH_AUTH_SOCK 1161.It Ev SSH_AUTH_SOCK
923Identifies the path of a unix-domain socket used to communicate with the 1162Identifies the path of a
924agent. 1163.Ux Ns -domain
1164socket used to communicate with the agent.
925.It Ev SSH_CONNECTION 1165.It Ev SSH_CONNECTION
926Identifies the client and server ends of the connection. 1166Identifies the client and server ends of the connection.
927The variable contains 1167The variable contains
928four space-separated values: client ip-address, client port number, 1168four space-separated values: client IP address, client port number,
929server ip-address and server port number. 1169server IP address, and server port number.
930.It Ev SSH_ORIGINAL_COMMAND 1170.It Ev SSH_ORIGINAL_COMMAND
931The variable contains the original command line if a forced command 1171This variable contains the original command line if a forced command
932is executed. 1172is executed.
933It can be used to extract the original arguments. 1173It can be used to extract the original arguments.
934.It Ev SSH_TTY 1174.It Ev SSH_TTY
@@ -937,7 +1177,7 @@ with the current shell or command.
937If the current session has no tty, 1177If the current session has no tty,
938this variable is not set. 1178this variable is not set.
939.It Ev TZ 1179.It Ev TZ
940The timezone variable is set to indicate the present timezone if it 1180This variable is set to indicate the present time zone if it
941was set when the daemon was started (i.e., the daemon passes the value 1181was set when the daemon was started (i.e., the daemon passes the value
942on to new connections). 1182on to new connections).
943.It Ev USER 1183.It Ev USER
@@ -950,221 +1190,150 @@ reads
950.Pa ~/.ssh/environment , 1190.Pa ~/.ssh/environment ,
951and adds lines of the format 1191and adds lines of the format
952.Dq VARNAME=value 1192.Dq VARNAME=value
953to the environment if the file exists and if users are allowed to 1193to the environment if the file exists and users are allowed to
954change their environment. 1194change their environment.
955For more information, see the 1195For more information, see the
956.Cm PermitUserEnvironment 1196.Cm PermitUserEnvironment
957option in 1197option in
958.Xr sshd_config 5 . 1198.Xr sshd_config 5 .
959.Sh FILES 1199.Sh FILES
960.Bl -tag -width Ds 1200.Bl -tag -width Ds -compact
961.It Pa ~/.ssh/known_hosts 1201.It ~/.rhosts
962Records host keys for all hosts the user has logged into that are not 1202This file is used for host-based authentication (see above).
963in 1203On some machines this file may need to be
964.Pa /etc/ssh/ssh_known_hosts . 1204world-readable if the user's home directory is on an NFS partition,
965See 1205because
966.Xr sshd 8 . 1206.Xr sshd 8
967.It Pa ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa 1207reads it as root.
968Contains the authentication identity of the user. 1208Additionally, this file must be owned by the user,
969They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. 1209and must not have write permissions for anyone else.
1210The recommended
1211permission for most machines is read/write for the user, and not
1212accessible by others.
1213.Pp
1214.It ~/.shosts
1215This file is used in exactly the same way as
1216.Pa .rhosts ,
1217but allows host-based authentication without permitting login with
1218rlogin/rsh.
1219.Pp
1220.It ~/.ssh/authorized_keys
1221Lists the public keys (RSA/DSA) that can be used for logging in as this user.
1222The format of this file is described in the
1223.Xr sshd 8
1224manual page.
1225This file is not highly sensitive, but the recommended
1226permissions are read/write for the user, and not accessible by others.
1227.Pp
1228.It ~/.ssh/config
1229This is the per-user configuration file.
1230The file format and configuration options are described in
1231.Xr ssh_config 5 .
1232Because of the potential for abuse, this file must have strict permissions:
1233read/write for the user, and not accessible by others.
1234.Pp
1235.It ~/.ssh/environment
1236Contains additional definitions for environment variables; see
1237.Sx ENVIRONMENT ,
1238above.
1239.Pp
1240.It ~/.ssh/identity
1241.It ~/.ssh/id_dsa
1242.It ~/.ssh/id_rsa
1243Contains the private key for authentication.
970These files 1244These files
971contain sensitive data and should be readable by the user but not 1245contain sensitive data and should be readable by the user but not
972accessible by others (read/write/execute). 1246accessible by others (read/write/execute).
973Note that
974.Nm 1247.Nm
975ignores a private key file if it is accessible by others. 1248will simply ignore a private key file if it is accessible by others.
976It is possible to specify a passphrase when 1249It is possible to specify a passphrase when
977generating the key; the passphrase will be used to encrypt the 1250generating the key which will be used to encrypt the
978sensitive part of this file using 3DES. 1251sensitive part of this file using 3DES.
979.It Pa ~/.ssh/identity.pub, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa.pub 1252.Pp
980Contains the public key for authentication (public part of the 1253.It ~/.ssh/identity.pub
981identity file in human-readable form). 1254.It ~/.ssh/id_dsa.pub
982The contents of the 1255.It ~/.ssh/id_rsa.pub
983.Pa ~/.ssh/identity.pub 1256Contains the public key for authentication.
984file should be added to the file
985.Pa ~/.ssh/authorized_keys
986on all machines
987where the user wishes to log in using protocol version 1 RSA authentication.
988The contents of the
989.Pa ~/.ssh/id_dsa.pub
990and
991.Pa ~/.ssh/id_rsa.pub
992file should be added to
993.Pa ~/.ssh/authorized_keys
994on all machines
995where the user wishes to log in using protocol version 2 DSA/RSA authentication.
996These files are not 1257These files are not
997sensitive and can (but need not) be readable by anyone. 1258sensitive and can (but need not) be readable by anyone.
998These files are
999never used automatically and are not necessary; they are only provided for
1000the convenience of the user.
1001.It Pa ~/.ssh/config
1002This is the per-user configuration file.
1003The file format and configuration options are described in
1004.Xr ssh_config 5 .
1005Because of the potential for abuse, this file must have strict permissions:
1006read/write for the user, and not accessible by others.
1007.It Pa ~/.ssh/authorized_keys
1008Lists the public keys (RSA/DSA) that can be used for logging in as this user.
1009The format of this file is described in the
1010.Xr sshd 8
1011manual page.
1012In the simplest form the format is the same as the
1013.Pa .pub
1014identity files.
1015This file is not highly sensitive, but the recommended
1016permissions are read/write for the user, and not accessible by others.
1017.It Pa /etc/ssh/ssh_known_hosts
1018Systemwide list of known host keys.
1019This file should be prepared by the
1020system administrator to contain the public host keys of all machines in the
1021organization.
1022This file should be world-readable.
1023This file contains
1024public keys, one per line, in the following format (fields separated
1025by spaces): system name, public key and optional comment field.
1026When different names are used
1027for the same machine, all such names should be listed, separated by
1028commas.
1029The format is described in the
1030.Xr sshd 8
1031manual page.
1032.Pp 1259.Pp
1033The canonical system name (as returned by name servers) is used by 1260.It ~/.ssh/known_hosts
1261Contains a list of host keys for all hosts the user has logged into
1262that are not already in the systemwide list of known host keys.
1263See
1034.Xr sshd 8 1264.Xr sshd 8
1035to verify the client host when logging in; other names are needed because 1265for further details of the format of this file.
1266.Pp
1267.It ~/.ssh/rc
1268Commands in this file are executed by
1036.Nm 1269.Nm
1037does not convert the user-supplied name to a canonical name before 1270when the user logs in, just before the user's shell (or command) is
1038checking the key, because someone with access to the name servers 1271started.
1039would then be able to fool host authentication. 1272See the
1273.Xr sshd 8
1274manual page for more information.
1275.Pp
1276.It /etc/hosts.equiv
1277This file is for host-based authentication (see above).
1278It should only be writable by root.
1279.Pp
1280.It /etc/shosts.equiv
1281This file is used in exactly the same way as
1282.Pa hosts.equiv ,
1283but allows host-based authentication without permitting login with
1284rlogin/rsh.
1285.Pp
1040.It Pa /etc/ssh/ssh_config 1286.It Pa /etc/ssh/ssh_config
1041Systemwide configuration file. 1287Systemwide configuration file.
1042The file format and configuration options are described in 1288The file format and configuration options are described in
1043.Xr ssh_config 5 . 1289.Xr ssh_config 5 .
1044.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key 1290.Pp
1291.It /etc/ssh/ssh_host_key
1292.It /etc/ssh/ssh_host_dsa_key
1293.It /etc/ssh/ssh_host_rsa_key
1045These three files contain the private parts of the host keys 1294These three files contain the private parts of the host keys
1046and are used for 1295and are used for host-based authentication.
1047.Cm RhostsRSAAuthentication 1296If protocol version 1 is used,
1048and
1049.Cm HostbasedAuthentication .
1050If the protocol version 1
1051.Cm RhostsRSAAuthentication
1052method is used,
1053.Nm 1297.Nm
1054must be setuid root, since the host key is readable only by root. 1298must be setuid root, since the host key is readable only by root.
1055For protocol version 2, 1299For protocol version 2,
1056.Nm 1300.Nm
1057uses 1301uses
1058.Xr ssh-keysign 8 1302.Xr ssh-keysign 8
1059to access the host keys for 1303to access the host keys,
1060.Cm HostbasedAuthentication . 1304eliminating the requirement that
1061This eliminates the requirement that
1062.Nm 1305.Nm
1063be setuid root when that authentication method is used. 1306be setuid root when host-based authentication is used.
1064By default 1307By default
1065.Nm 1308.Nm
1066is not setuid root. 1309is not setuid root.
1067.It Pa ~/.rhosts
1068This file is used in
1069.Cm RhostsRSAAuthentication
1070and
1071.Cm HostbasedAuthentication
1072authentication to list the
1073host/user pairs that are permitted to log in.
1074(Note that this file is
1075also used by rlogin and rsh, which makes using this file insecure.)
1076Each line of the file contains a host name (in the canonical form
1077returned by name servers), and then a user name on that host,
1078separated by a space.
1079On some machines this file may need to be
1080world-readable if the user's home directory is on a NFS partition,
1081because
1082.Xr sshd 8
1083reads it as root.
1084Additionally, this file must be owned by the user,
1085and must not have write permissions for anyone else.
1086The recommended
1087permission for most machines is read/write for the user, and not
1088accessible by others.
1089.Pp 1310.Pp
1090Note that 1311.It /etc/ssh/ssh_known_hosts
1091.Xr sshd 8 1312Systemwide list of known host keys.
1092allows authentication only in combination with client host key 1313This file should be prepared by the
1093authentication before permitting log in. 1314system administrator to contain the public host keys of all machines in the
1094If the server machine does not have the client's host key in 1315organization.
1095.Pa /etc/ssh/ssh_known_hosts , 1316It should be world-readable.
1096it can be stored in 1317See
1097.Pa ~/.ssh/known_hosts .
1098The easiest way to do this is to
1099connect back to the client from the server machine using ssh; this
1100will automatically add the host key to
1101.Pa ~/.ssh/known_hosts .
1102.It Pa ~/.shosts
1103This file is used exactly the same way as
1104.Pa .rhosts .
1105The purpose for
1106having this file is to be able to use
1107.Cm RhostsRSAAuthentication
1108and
1109.Cm HostbasedAuthentication
1110authentication without permitting login with
1111.Xr rlogin
1112or
1113.Xr rsh 1 .
1114.It Pa /etc/hosts.equiv
1115This file is used during
1116.Cm RhostsRSAAuthentication
1117and
1118.Cm HostbasedAuthentication
1119authentication.
1120It contains
1121canonical hosts names, one per line (the full format is described in the
1122.Xr sshd 8
1123manual page).
1124If the client host is found in this file, login is
1125automatically permitted provided client and server user names are the
1126same.
1127Additionally, successful client host key authentication is required.
1128This file should only be writable by root.
1129.It Pa /etc/shosts.equiv
1130This file is processed exactly as
1131.Pa /etc/hosts.equiv .
1132This file may be useful to permit logins using
1133.Nm
1134but not using rsh/rlogin.
1135.It Pa /etc/ssh/sshrc
1136Commands in this file are executed by
1137.Nm
1138when the user logs in just before the user's shell (or command) is started.
1139See the
1140.Xr sshd 8 1318.Xr sshd 8
1141manual page for more information. 1319for further details of the format of this file.
1142.It Pa ~/.ssh/rc 1320.Pp
1321.It /etc/ssh/sshrc
1143Commands in this file are executed by 1322Commands in this file are executed by
1144.Nm 1323.Nm
1145when the user logs in just before the user's shell (or command) is 1324when the user logs in, just before the user's shell (or command) is started.
1146started.
1147See the 1325See the
1148.Xr sshd 8 1326.Xr sshd 8
1149manual page for more information. 1327manual page for more information.
1150.It Pa ~/.ssh/environment
1151Contains additional definitions for environment variables, see section
1152.Sx ENVIRONMENT
1153above.
1154.El 1328.El
1155.Sh DIAGNOSTICS
1156.Nm
1157exits with the exit status of the remote command or with 255
1158if an error occurred.
1159.Sh SEE ALSO 1329.Sh SEE ALSO
1160.Xr gzip 1 ,
1161.Xr rsh 1 ,
1162.Xr scp 1 , 1330.Xr scp 1 ,
1163.Xr sftp 1 , 1331.Xr sftp 1 ,
1164.Xr ssh-add 1 , 1332.Xr ssh-add 1 ,
1165.Xr ssh-agent 1 , 1333.Xr ssh-agent 1 ,
1166.Xr ssh-keygen 1 , 1334.Xr ssh-keygen 1 ,
1167.Xr telnet 1 , 1335.Xr ssh-keyscan 1 ,
1336.Xr tun 4 ,
1168.Xr hosts.equiv 5 , 1337.Xr hosts.equiv 5 ,
1169.Xr ssh_config 5 , 1338.Xr ssh_config 5 ,
1170.Xr ssh-keysign 8 , 1339.Xr ssh-keysign 8 ,
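diff --git a/ssh.c b/ssh.c
index c9e5aac7a..3940dabfd 100644
--- a/ssh.c
+++ b/ssh.c
@@ -40,7 +40,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.249 2005/07/30 01:26:16 djm Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.257 2005/12/20 04:41:07 dtucker Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -158,13 +158,13 @@ usage(void)
 {
  fprintf(stderr,
 "usage: ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
-" [-D port] [-e escape_char] [-F configfile]\n"
+" [-D [bind_address:]port] [-e escape_char] [-F configfile]\n"
 " [-i identity_file] [-L [bind_address:]port:host:hostport]\n"
 " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
 " [-R [bind_address:]port:host:hostport] [-S ctl_path]\n"
-" [user@]hostname [command]\n"
+" [-w tunnel:tunnel] [user@]hostname [command]\n"
  );
- exit(1);
+ exit(255);
 }
 
 static int ssh_session(void);
@@ -188,6 +188,9 @@ main(int ac, char **av)
  struct servent *sp;
  Forward fwd;
 
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
  __progname = ssh_get_progname(av[0]);
  init_rng();
 
@@ -220,7 +223,7 @@ main(int ac, char **av)
  pw = getpwuid(original_real_uid);
  if (!pw) {
  logit("You don't exist, go away!");
- exit(1);
+ exit(255);
  }
  /* Take a copy of the returned structure. */
  pw = pwcopy(pw);
@@ -241,7 +244,7 @@ main(int ac, char **av)
 
 again:
  while ((opt = getopt(ac, av,
- "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVXY")) != -1) {
+ "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVw:XY")) != -1) {
  switch (opt) {
  case '1':
  options.protocol = SSH_PROTO_1;
@@ -337,6 +340,15 @@ again:
  if (opt == 'V')
  exit(0);
  break;
+ case 'w':
+ if (options.tun_open == -1)
+ options.tun_open = SSH_TUNMODE_DEFAULT;
+ options.tun_local = a2tun(optarg, &options.tun_remote);
+ if (options.tun_local == SSH_TUNID_ERR) {
+ fprintf(stderr, "Bad tun device '%s'\n", optarg);
+ exit(255);
+ }
+ break;
  case 'q':
  options.log_level = SYSLOG_LEVEL_QUIET;
  break;
@@ -352,7 +364,7 @@ again:
  else {
  fprintf(stderr, "Bad escape character '%s'.\n",
  optarg);
- exit(1);
+ exit(255);
  }
  break;
  case 'c':
@@ -367,7 +379,7 @@ again:
  fprintf(stderr,
  "Unknown cipher type '%s'\n",
  optarg);
- exit(1);
+ exit(255);
  }
  if (options.cipher == SSH_CIPHER_3DES)
  options.ciphers = "3des-cbc";
@@ -383,7 +395,7 @@ again:
  else {
  fprintf(stderr, "Unknown mac type '%s'\n",
  optarg);
- exit(1);
+ exit(255);
  }
  break;
  case 'M':
@@ -396,7 +408,7 @@ again:
  options.port = a2port(optarg);
  if (options.port == 0) {
  fprintf(stderr, "Bad port '%s'\n", optarg);
- exit(1);
+ exit(255);
  }
  break;
  case 'l':
@@ -410,7 +422,7 @@ again:
  fprintf(stderr,
  "Bad local forwarding specification '%s'\n",
  optarg);
- exit(1);
+ exit(255);
  }
  break;
 
@@ -421,7 +433,7 @@ again:
  fprintf(stderr,
  "Bad remote forwarding specification "
  "'%s'\n", optarg);
- exit(1);
+ exit(255);
  }
  break;
 
@@ -432,7 +444,7 @@ again:
  if ((fwd.listen_host = hpdelim(&cp)) == NULL) {
  fprintf(stderr, "Bad dynamic forwarding "
  "specification '%.100s'\n", optarg);
- exit(1);
+ exit(255);
  }
  if (cp != NULL) {
  fwd.listen_port = a2port(cp);
@@ -445,7 +457,7 @@ again:
  if (fwd.listen_port == 0) {
  fprintf(stderr, "Bad dynamic port '%s'\n",
  optarg);
- exit(1);
+ exit(255);
  }
  add_local_forward(&options, &fwd);
  xfree(p);
@@ -466,7 +478,7 @@ again:
  line = xstrdup(optarg);
  if (process_config_line(&options, host ? host : "",
  line, "command-line", 0, &dummy) != 0)
- exit(1);
+ exit(255);
  xfree(line);
  break;
  case 's':
@@ -642,7 +654,7 @@ again:
  original_effective_uid == 0 && options.use_privileged_port,
 #endif
  options.proxy_command) != 0)
- exit(1);
+ exit(255);
 
  /*
  * If we successfully made the connection, load the host private key
@@ -695,7 +707,7 @@ again:
 
  /*
  * Now that we are back to our own permissions, create ~/.ssh
- * directory if it doesn\'t already exist.
+ * directory if it doesn't already exist.
  */
  snprintf(buf, sizeof buf, "%.100s%s%.100s", pw->pw_dir, strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
  if (stat(buf, &st) < 0)
@@ -791,8 +803,7 @@ ssh_init_forwarding(void)
  debug("Remote connections from %.200s:%d forwarded to "
  "local address %.200s:%d",
  (options.remote_forwards[i].listen_host == NULL) ?
- (options.gateway_ports ? "*" : "LOCALHOST") :
- options.remote_forwards[i].listen_host,
+ "LOCALHOST" : options.remote_forwards[i].listen_host,
  options.remote_forwards[i].listen_port,
  options.remote_forwards[i].connect_host,
  options.remote_forwards[i].connect_port);
@@ -808,7 +819,7 @@ static void
 check_agent_present(void)
 {
  if (options.forward_agent) {
- /* Clear agent forwarding if we don\'t have an agent. */
+ /* Clear agent forwarding if we don't have an agent. */
  if (!ssh_agent_present())
  options.forward_agent = 0;
  }
@@ -1010,7 +1021,7 @@ ssh_control_listener(void)
  fatal("ControlPath too long");
 
  if ((control_fd = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
- fatal("%s socket(): %s\n", __func__, strerror(errno));
+ fatal("%s socket(): %s", __func__, strerror(errno));
 
  old_umask = umask(0177);
  if (bind(control_fd, (struct sockaddr*)&addr, addr_len) == -1) {
@@ -1019,12 +1030,12 @@ ssh_control_listener(void)
  fatal("ControlSocket %s already exists",
  options.control_path);
  else
- fatal("%s bind(): %s\n", __func__, strerror(errno));
+ fatal("%s bind(): %s", __func__, strerror(errno));
  }
  umask(old_umask);
 
  if (listen(control_fd, 64) == -1)
- fatal("%s listen(): %s\n", __func__, strerror(errno));
+ fatal("%s listen(): %s", __func__, strerror(errno));
 
  set_nonblock(control_fd);
 }
@@ -1057,6 +1068,33 @@ ssh_session2_setup(int id, void *arg)
  packet_send();
  }
 
+ if (options.tun_open != SSH_TUNMODE_NO) {
+ Channel *c;
+ int fd;
+
+ debug("Requesting tun.");
+ if ((fd = tun_open(options.tun_local,
+ options.tun_open)) >= 0) {
+ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
+ 0, "tun", 1);
+ c->datagram = 1;
+#if defined(SSH_TUN_FILTER)
+ if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
+ channel_register_filter(c->self, sys_tun_infilter,
+ sys_tun_outfilter);
+#endif
+ packet_start(SSH2_MSG_CHANNEL_OPEN);
+ packet_put_cstring("tun@openssh.com");
+ packet_put_int(c->self);
+ packet_put_int(c->local_window_max);
+ packet_put_int(c->local_maxpacket);
+ packet_put_int(options.tun_open);
+ packet_put_int(options.tun_remote);
+ packet_send();
+ }
+ }
+
  client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"),
  NULL, fileno(stdin), &command, environ, &ssh_subsystem_reply);
 
@@ -1121,6 +1159,11 @@ ssh_session2(void)
  if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN))
  id = ssh_session2_open();
 
+ /* Execute a local command */
+ if (options.local_command != NULL &&
+ options.permit_local_command)
+ ssh_local_cmd(options.local_command);
+
  /* If requested, let ssh continue in the background. */
  if (fork_after_authentication_flag)
  if (daemon(1, 1) < 0)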
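Review bot: In the `ssh_session2_setup` hunk, a failed `tun_open()` is skipped without any message, because the `if ((fd = tun_open(...)) >= 0)` block has no `else` branch. A user who asked for `-w` or `Tunnel` then gets an ordinary session with no sign that the tunnel was never set up, and traffic they expect to cross it may take another route. I would add `else error("Tunnel device open failed.");` after that block, unless `tun_open()` already reports the failure at a level users see by default (its body is not in this file section). The only message on this path is `debug("Requesting tun.")`, which is printed before the open is attempted and is hidden at the normal log level. Both `ssh_session2_setup` and `ssh_session2` start and end outside their hunks, so any handling further down is not visible here.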
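diff --git a/ssh_config b/ssh_config
index f41bee0a2..7bc8762d6 100644
--- a/ssh_config
+++ b/ssh_config
@@ -1,4 +1,4 @@
-# $OpenBSD: ssh_config,v 1.20 2005/01/28 09:45:53 dtucker Exp $
+# $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $
 
 # This is the ssh client system-wide configuration file. See
 # ssh_config(5) for more information. This file provides defaults for
@@ -37,3 +37,6 @@
 # Cipher 3des
 # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
 # EscapeChar ~
+# Tunnel no
+# TunnelDevice any:any
+# PermitLocalCommand no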
diff --git a/ssh_config.0 b/ssh_config.0
index a2706b69c..46a0543c3 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -129,16 +129,19 @@ DESCRIPTION
129 on a control socket specified using the ControlPath argument. 129 on a control socket specified using the ControlPath argument.
130 Additional sessions can connect to this socket using the same 130 Additional sessions can connect to this socket using the same
131 ControlPath with ControlMaster set to ``no'' (the default). 131 ControlPath with ControlMaster set to ``no'' (the default).
132 These sessions will reuse the master instance's network connec- 132 These sessions will try to reuse the master instance's network
133 tion rather than initiating new ones. Setting this to ``ask'' 133 connection rather than initiating new ones, but will fall back to
134 will cause ssh to listen for control connections, but require 134 connecting normally if the control socket does not exist, or is
135 confirmation using the SSH_ASKPASS program before they are ac- 135 not listening.
136 cepted (see ssh-add(1) for details). If the ControlPath can not 136
137 be opened, ssh will continue without connecting to a master in- 137 Setting this to ``ask'' will cause ssh to listen for control con-
138 stance. 138 nections, but require confirmation using the SSH_ASKPASS program
139 before they are accepted (see ssh-add(1) for details). If the
140 ControlPath can not be opened, ssh will continue without connect-
141 ing to a master instance.
139 142
140 X11 and ssh-agent(1) forwarding is supported over these multi- 143 X11 and ssh-agent(1) forwarding is supported over these multi-
141 plexed connections, however the display and agent fowarded will 144 plexed connections, however the display and agent forwarded will
142 be the one belonging to the master connection i.e. it is not pos- 145 be the one belonging to the master connection i.e. it is not pos-
143 sible to forward multiple displays or agents. 146 sible to forward multiple displays or agents.
144 147
@@ -159,14 +162,24 @@ DESCRIPTION
159 nections are uniquely identified. 162 nections are uniquely identified.
160 163
161 DynamicForward 164 DynamicForward
162 Specifies that a TCP/IP port on the local machine be forwarded 165 Specifies that a TCP port on the local machine be forwarded over
163 over the secure channel, and the application protocol is then 166 the secure channel, and the application protocol is then used to
164 used to determine where to connect to from the remote machine. 167 determine where to connect to from the remote machine.
165 The argument must be a port number. Currently the SOCKS4 and 168
166 SOCKS5 protocols are supported, and ssh will act as a SOCKS serv- 169 The argument must be [bind_address:]port. IPv6 addresses can be
167 er. Multiple forwardings may be specified, and additional for- 170 specified by enclosing addresses in square brackets or by using
168 wardings can be given on the command line. Only the superuser 171 an alternative syntax: [bind_address/]port. By default, the lo-
169 can forward privileged ports. 172 cal port is bound in accordance with the GatewayPorts setting.
173 However, an explicit bind_address may be used to bind the connec-
174 tion to a specific address. The bind_address of ``localhost''
175 indicates that the listening port be bound for local use only,
176 while an empty address or `*' indicates that the port should be
177 available from all interfaces.
178
179 Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh
180 will act as a SOCKS server. Multiple forwardings may be speci-
181 fied, and additional forwardings can be given on the command
182 line. Only the superuser can forward privileged ports.
170 183
171 EnableSSHKeysign 184 EnableSSHKeysign
172 Setting this option to ``yes'' in the global client configuration 185 Setting this option to ``yes'' in the global client configuration
@@ -280,6 +293,14 @@ DESCRIPTION
280 permitted (both on the command line and in HostName specifica- 293 permitted (both on the command line and in HostName specifica-
281 tions). 294 tions).
282 295
296 IdentitiesOnly
297 Specifies that ssh should only use the authentication identity
298 files configured in the ssh_config files, even if the ssh-agent
299 offers more identities. The argument to this keyword must be
300 ``yes'' or ``no''. This option is intended for situations where
301 ssh-agent offers many different identities. The default is
302 ``no''.
303
283 IdentityFile 304 IdentityFile
284 Specifies a file from which the user's RSA or DSA authentication 305 Specifies a file from which the user's RSA or DSA authentication
285 identity is read. The default is ~/.ssh/identity for protocol 306 identity is read. The default is ~/.ssh/identity for protocol
@@ -290,35 +311,33 @@ DESCRIPTION
290 is possible to have multiple identity files specified in configu- 311 is possible to have multiple identity files specified in configu-
291 ration files; all these identities will be tried in sequence. 312 ration files; all these identities will be tried in sequence.
292 313
293 IdentitiesOnly
294 Specifies that ssh should only use the authentication identity
295 files configured in the ssh_config files, even if the ssh-agent
296 offers more identities. The argument to this keyword must be
297 ``yes'' or ``no''. This option is intented for situations where
298 ssh-agent offers many different identities. The default is
299 ``no''.
300
301 KbdInteractiveDevices 314 KbdInteractiveDevices
302 Specifies the list of methods to use in keyboard-interactive au- 315 Specifies the list of methods to use in keyboard-interactive au-
303 thentication. Multiple method names must be comma-separated. 316 thentication. Multiple method names must be comma-separated.
304 The default is to use the server specified list. 317 The default is to use the server specified list.
305 318
319 LocalCommand
320 Specifies a command to execute on the local machine after suc-
321 cessfully connecting to the server. The command string extends
322 to the end of the line, and is executed with /bin/sh. This di-
323 rective is ignored unless PermitLocalCommand has been enabled.
324
306 LocalForward 325 LocalForward
307 Specifies that a TCP/IP port on the local machine be forwarded 326 Specifies that a TCP port on the local machine be forwarded over
308 over the secure channel to the specified host and port from the 327 the secure channel to the specified host and port from the remote
309 remote machine. The first argument must be [bind_address:]port 328 machine. The first argument must be [bind_address:]port and the
310 and the second argument must be host:hostport. IPv6 addresses 329 second argument must be host:hostport. IPv6 addresses can be
311 can be specified by enclosing addresses in square brackets or by 330 specified by enclosing addresses in square brackets or by using
312 using an alternative syntax: [bind_address/]port and 331 an alternative syntax: [bind_address/]port and host/hostport.
313 host/hostport. Multiple forwardings may be specified, and addi- 332 Multiple forwardings may be specified, and additional forwardings
314 tional forwardings can be given on the command line. Only the 333 can be given on the command line. Only the superuser can forward
315 superuser can forward privileged ports. By default, the local 334 privileged ports. By default, the local port is bound in accor-
316 port is bound in accordance with the GatewayPorts setting. How- 335 dance with the GatewayPorts setting. However, an explicit
317 ever, an explicit bind_address may be used to bind the connection 336 bind_address may be used to bind the connection to a specific ad-
318 to a specific address. The bind_address of ``localhost'' indi- 337 dress. The bind_address of ``localhost'' indicates that the lis-
319 cates that the listening port be bound for local use only, while 338 tening port be bound for local use only, while an empty address
320 an empty address or `*' indicates that the port should be avail- 339 or `*' indicates that the port should be available from all in-
321 able from all interfaces. 340 terfaces.
322 341
323 LogLevel 342 LogLevel
324 Gives the verbosity level that is used when logging messages from 343 Gives the verbosity level that is used when logging messages from
@@ -351,6 +370,11 @@ DESCRIPTION
351 to this keyword must be ``yes'' or ``no''. The default is 370 to this keyword must be ``yes'' or ``no''. The default is
352 ``yes''. 371 ``yes''.
353 372
373 PermitLocalCommand
374 Allow local command execution via the LocalCommand option or us-
375 ing the !command escape sequence in ssh(1). The argument must be
376 ``yes'' or ``no''. The default is ``no''.
377
354 Port Specifies the port number to connect on the remote host. Default 378 Port Specifies the port number to connect on the remote host. Default
355 is 22. 379 is 22.
356 380
@@ -393,16 +417,24 @@ DESCRIPTION
393 to this keyword must be ``yes'' or ``no''. The default is 417 to this keyword must be ``yes'' or ``no''. The default is
394 ``yes''. This option applies to protocol version 2 only. 418 ``yes''. This option applies to protocol version 2 only.
395 419
420 RekeyLimit
421 Specifies the maximum amount of data that may be transmitted be-
422 fore the session key is renegotiated. The argument is the number
423 of bytes, with an optional suffix of `K', `M', or `G' to indicate
424 Kilobytes, Megabytes, or Gigabytes, respectively. The default is
425 between ``1G'' and ``4G'', depending on the cipher. This option
426 applies to protocol version 2 only.
427
396 RemoteForward 428 RemoteForward
397 Specifies that a TCP/IP port on the remote machine be forwarded 429 Specifies that a TCP port on the remote machine be forwarded over
398 over the secure channel to the specified host and port from the 430 the secure channel to the specified host and port from the local
399 local machine. The first argument must be [bind_address:]port 431 machine. The first argument must be [bind_address:]port and the
400 and the second argument must be host:hostport. IPv6 addresses 432 second argument must be host:hostport. IPv6 addresses can be
401 can be specified by enclosing addresses in square brackets or by 433 specified by enclosing addresses in square brackets or by using
402 using an alternative syntax: [bind_address/]port and 434 an alternative syntax: [bind_address/]port and host/hostport.
403 host/hostport. Multiple forwardings may be specified, and addi- 435 Multiple forwardings may be specified, and additional forwardings
404 tional forwardings can be given on the command line. Only the 436 can be given on the command line. Only the superuser can forward
405 superuser can forward privileged ports. 437 privileged ports.
406 438
407 If the bind_address is not specified, the default is to only bind 439 If the bind_address is not specified, the default is to only bind
408 to loopback addresses. If the bind_address is `*' or an empty 440 to loopback addresses. If the bind_address is `*' or an empty
@@ -434,15 +466,8 @@ DESCRIPTION
434 separated by whitespace or spread across multiple SendEnv direc- 466 separated by whitespace or spread across multiple SendEnv direc-
435 tives. The default is not to send any environment variables. 467 tives. The default is not to send any environment variables.
436 468
437 ServerAliveInterval
438 Sets a timeout interval in seconds after which if no data has
439 been received from the server, ssh will send a message through
440 the encrypted channel to request a response from the server. The
441 default is 0, indicating that these messages will not be sent to
442 the server. This option applies to protocol version 2 only.
443
444 ServerAliveCountMax 469 ServerAliveCountMax
445 Sets the number of server alive messages (see above) which may be 470 Sets the number of server alive messages (see below) which may be
446 sent without ssh receiving any messages back from the server. If 471 sent without ssh receiving any messages back from the server. If
447 this threshold is reached while server alive messages are being 472 this threshold is reached while server alive messages are being
448 sent, ssh will disconnect from the server, terminating the ses- 473 sent, ssh will disconnect from the server, terminating the ses-
@@ -455,9 +480,16 @@ DESCRIPTION
455 tion has become inactive. 480 tion has become inactive.
456 481
457 The default value is 3. If, for example, ServerAliveInterval 482 The default value is 3. If, for example, ServerAliveInterval
458 (above) is set to 15, and ServerAliveCountMax is left at the de- 483 (see below) is set to 15, and ServerAliveCountMax is left at the
459 fault, if the server becomes unresponsive ssh will disconnect af- 484 default, if the server becomes unresponsive ssh will disconnect
460 ter approximately 45 seconds. 485 after approximately 45 seconds.
486
487 ServerAliveInterval
488 Sets a timeout interval in seconds after which if no data has
489 been received from the server, ssh will send a message through
490 the encrypted channel to request a response from the server. The
491 default is 0, indicating that these messages will not be sent to
492 the server. This option applies to protocol version 2 only.
461 493
462 SmartcardDevice 494 SmartcardDevice
463 Specifies which smartcard device to use. The argument to this 495 Specifies which smartcard device to use. The argument to this
@@ -496,6 +528,16 @@ DESCRIPTION
496 To disable TCP keepalive messages, the value should be set to 528 To disable TCP keepalive messages, the value should be set to
497 ``no''. 529 ``no''.
498 530
531 Tunnel Request starting tun(4) device forwarding between the client and
532 the server. This option also allows requesting layer 2 (ether-
533 net) instead of layer 3 (point-to-point) tunneling from the serv-
534 er. The argument must be ``yes'', ``point-to-point'',
535 ``ethernet'' or ``no''. The default is ``no''.
536
537 TunnelDevice
538 Force a specified tun(4) device on the client. Without this op-
539 tion, the next available device will be used.
540
499 UsePrivilegedPort 541 UsePrivilegedPort
500 Specifies whether to use a privileged port for outgoing connec- 542 Specifies whether to use a privileged port for outgoing connec-
501 tions. The argument must be ``yes'' or ``no''. The default is 543 tions. The argument must be ``yes'' or ``no''. The default is
@@ -551,4 +593,4 @@ AUTHORS
551 ated OpenSSH. Markus Friedl contributed the support for SSH protocol 593 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
552 versions 1.5 and 2.0. 594 versions 1.5 and 2.0.
553 595
554OpenBSD 3.8 September 25, 1999 9 596OpenBSD 3.9 September 25, 1999 9
diff --git a/ssh_config.5 b/ssh_config.5
index 9033185b1..5c41189fa 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh_config.5,v 1.61 2005/07/08 12:53:10 jmc Exp $ 37.\" $OpenBSD: ssh_config.5,v 1.76 2006/01/20 11:21:45 jmc Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSH_CONFIG 5 39.Dt SSH_CONFIG 5
40.Os 40.Os
@@ -263,8 +263,10 @@ with
263set to 263set to
264.Dq no 264.Dq no
265(the default). 265(the default).
266These sessions will reuse the master instance's network connection rather 266These sessions will try to reuse the master instance's network connection
267than initiating new ones. 267rather than initiating new ones, but will fall back to connecting normally
268if the control socket does not exist, or is not listening.
269.Pp
268Setting this to 270Setting this to
269.Dq ask 271.Dq ask
270will cause 272will cause
@@ -283,7 +285,7 @@ will continue without connecting to a master instance.
283X11 and 285X11 and
284.Xr ssh-agent 1 286.Xr ssh-agent 1
285forwarding is supported over these multiplexed connections, however the 287forwarding is supported over these multiplexed connections, however the
286display and agent fowarded will be the one belonging to the master 288display and agent forwarded will be the one belonging to the master
287connection i.e. it is not possible to forward multiple displays or agents. 289connection i.e. it is not possible to forward multiple displays or agents.
288.Pp 290.Pp
289Two additional options allow for opportunistic multiplexing: try to use a 291Two additional options allow for opportunistic multiplexing: try to use a
@@ -316,11 +318,33 @@ used for opportunistic connection sharing include
316all three of these escape sequences. 318all three of these escape sequences.
317This ensures that shared connections are uniquely identified. 319This ensures that shared connections are uniquely identified.
318.It Cm DynamicForward 320.It Cm DynamicForward
319Specifies that a TCP/IP port on the local machine be forwarded 321Specifies that a TCP port on the local machine be forwarded
320over the secure channel, and the application 322over the secure channel, and the application
321protocol is then used to determine where to connect to from the 323protocol is then used to determine where to connect to from the
322remote machine. 324remote machine.
323The argument must be a port number. 325.Pp
326The argument must be
327.Sm off
328.Oo Ar bind_address : Oc Ar port .
329.Sm on
330IPv6 addresses can be specified by enclosing addresses in square brackets or
331by using an alternative syntax:
332.Oo Ar bind_address Ns / Oc Ns Ar port .
333By default, the local port is bound in accordance with the
334.Cm GatewayPorts
335setting.
336However, an explicit
337.Ar bind_address
338may be used to bind the connection to a specific address.
339The
340.Ar bind_address
341of
342.Dq localhost
343indicates that the listening port be bound for local use only, while an
344empty address or
345.Sq *
346indicates that the port should be available from all interfaces.
347.Pp
324Currently the SOCKS4 and SOCKS5 protocols are supported, and 348Currently the SOCKS4 and SOCKS5 protocols are supported, and
325.Nm ssh 349.Nm ssh
326will act as a SOCKS server. 350will act as a SOCKS server.
@@ -503,23 +527,6 @@ Default is the name given on the command line.
503Numeric IP addresses are also permitted (both on the command line and in 527Numeric IP addresses are also permitted (both on the command line and in
504.Cm HostName 528.Cm HostName
505specifications). 529specifications).
506.It Cm IdentityFile
507Specifies a file from which the user's RSA or DSA authentication identity
508is read.
509The default is
510.Pa ~/.ssh/identity
511for protocol version 1, and
512.Pa ~/.ssh/id_rsa
513and
514.Pa ~/.ssh/id_dsa
515for protocol version 2.
516Additionally, any identities represented by the authentication agent
517will be used for authentication.
518The file name may use the tilde
519syntax to refer to a user's home directory.
520It is possible to have
521multiple identity files specified in configuration files; all these
522identities will be tried in sequence.
523.It Cm IdentitiesOnly 530.It Cm IdentitiesOnly
524Specifies that 531Specifies that
525.Nm ssh 532.Nm ssh
@@ -533,17 +540,42 @@ The argument to this keyword must be
533.Dq yes 540.Dq yes
534or 541or
535.Dq no . 542.Dq no .
536This option is intented for situations where 543This option is intended for situations where
537.Nm ssh-agent 544.Nm ssh-agent
538offers many different identities. 545offers many different identities.
539The default is 546The default is
540.Dq no . 547.Dq no .
548.It Cm IdentityFile
549Specifies a file from which the user's RSA or DSA authentication identity
550is read.
551The default is
552.Pa ~/.ssh/identity
553for protocol version 1, and
554.Pa ~/.ssh/id_rsa
555and
556.Pa ~/.ssh/id_dsa
557for protocol version 2.
558Additionally, any identities represented by the authentication agent
559will be used for authentication.
560The file name may use the tilde
561syntax to refer to a user's home directory.
562It is possible to have
563multiple identity files specified in configuration files; all these
564identities will be tried in sequence.
541.It Cm KbdInteractiveDevices 565.It Cm KbdInteractiveDevices
542Specifies the list of methods to use in keyboard-interactive authentication. 566Specifies the list of methods to use in keyboard-interactive authentication.
543Multiple method names must be comma-separated. 567Multiple method names must be comma-separated.
544The default is to use the server specified list. 568The default is to use the server specified list.
569.It Cm LocalCommand
570Specifies a command to execute on the local machine after successfully
571connecting to the server.
572The command string extends to the end of the line, and is executed with
573.Pa /bin/sh .
574This directive is ignored unless
575.Cm PermitLocalCommand
576has been enabled.
545.It Cm LocalForward 577.It Cm LocalForward
546Specifies that a TCP/IP port on the local machine be forwarded over 578Specifies that a TCP port on the local machine be forwarded over
547the secure channel to the specified host and port from the remote machine. 579the secure channel to the specified host and port from the remote machine.
548The first argument must be 580The first argument must be
549.Sm off 581.Sm off
@@ -611,6 +643,19 @@ or
611.Dq no . 643.Dq no .
612The default is 644The default is
613.Dq yes . 645.Dq yes .
646.It Cm PermitLocalCommand
647Allow local command execution via the
648.Ic LocalCommand
649option or using the
650.Ic !\& Ns Ar command
651escape sequence in
652.Xr ssh 1 .
653The argument must be
654.Dq yes
655or
656.Dq no .
657The default is
658.Dq no .
614.It Cm Port 659.It Cm Port
615Specifies the port number to connect on the remote host. 660Specifies the port number to connect on the remote host.
616Default is 22. 661Default is 22.
@@ -683,8 +728,23 @@ or
683The default is 728The default is
684.Dq yes . 729.Dq yes .
685This option applies to protocol version 2 only. 730This option applies to protocol version 2 only.
731.It Cm RekeyLimit
732Specifies the maximum amount of data that may be transmitted before the
733session key is renegotiated.
734The argument is the number of bytes, with an optional suffix of
735.Sq K ,
736.Sq M ,
737or
738.Sq G
739to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
740The default is between
741.Dq 1G
742and
743.Dq 4G ,
744depending on the cipher.
745This option applies to protocol version 2 only.
686.It Cm RemoteForward 746.It Cm RemoteForward
687Specifies that a TCP/IP port on the remote machine be forwarded over 747Specifies that a TCP port on the remote machine be forwarded over
688the secure channel to the specified host and port from the local machine. 748the secure channel to the specified host and port from the local machine.
689The first argument must be 749The first argument must be
690.Sm off 750.Sm off
@@ -761,17 +821,8 @@ across multiple
761.Cm SendEnv 821.Cm SendEnv
762directives. 822directives.
763The default is not to send any environment variables. 823The default is not to send any environment variables.
764.It Cm ServerAliveInterval
765Sets a timeout interval in seconds after which if no data has been received
766from the server,
767.Nm ssh
768will send a message through the encrypted
769channel to request a response from the server.
770The default
771is 0, indicating that these messages will not be sent to the server.
772This option applies to protocol version 2 only.
773.It Cm ServerAliveCountMax 824.It Cm ServerAliveCountMax
774Sets the number of server alive messages (see above) which may be 825Sets the number of server alive messages (see below) which may be
775sent without 826sent without
776.Nm ssh 827.Nm ssh
777receiving any messages back from the server. 828receiving any messages back from the server.
@@ -793,10 +844,19 @@ server depend on knowing when a connection has become inactive.
793The default value is 3. 844The default value is 3.
794If, for example, 845If, for example,
795.Cm ServerAliveInterval 846.Cm ServerAliveInterval
796(above) is set to 15, and 847(see below) is set to 15, and
797.Cm ServerAliveCountMax 848.Cm ServerAliveCountMax
798is left at the default, if the server becomes unresponsive ssh 849is left at the default, if the server becomes unresponsive ssh
799will disconnect after approximately 45 seconds. 850will disconnect after approximately 45 seconds.
851.It Cm ServerAliveInterval
852Sets a timeout interval in seconds after which if no data has been received
853from the server,
854.Nm ssh
855will send a message through the encrypted
856channel to request a response from the server.
857The default
858is 0, indicating that these messages will not be sent to the server.
859This option applies to protocol version 2 only.
800.It Cm SmartcardDevice 860.It Cm SmartcardDevice
801Specifies which smartcard device to use. 861Specifies which smartcard device to use.
802The argument to this keyword is the device 862The argument to this keyword is the device
@@ -856,6 +916,25 @@ This is important in scripts, and many users want it too.
856.Pp 916.Pp
857To disable TCP keepalive messages, the value should be set to 917To disable TCP keepalive messages, the value should be set to
858.Dq no . 918.Dq no .
919.It Cm Tunnel
920Request starting
921.Xr tun 4
922device forwarding between the client and the server.
923This option also allows requesting layer 2 (ethernet)
924instead of layer 3 (point-to-point) tunneling from the server.
925The argument must be
926.Dq yes ,
927.Dq point-to-point ,
928.Dq ethernet
929or
930.Dq no .
931The default is
932.Dq no .
933.It Cm TunnelDevice
934Force a specified
935.Xr tun 4
936device on the client.
937Without this option, the next available device will be used.
859.It Cm UsePrivilegedPort 938.It Cm UsePrivilegedPort
860Specifies whether to use a privileged port for outgoing connections. 939Specifies whether to use a privileged port for outgoing connections.
861The argument must be 940The argument must be
diff --git a/sshconnect.c b/sshconnect.c
index ba7b9b71e..64ffec240 100644
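--- a/sshconnect.c
+++ b/sshconnect.c
@@ -13,7 +13,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.168 2005/07/17 07:17:55 djm Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.171 2005/12/06 22:38:27 reyk Exp $");
 
 #include <openssl/bn.h>
 
@@ -31,13 +31,12 @@ RCSID("$OpenBSD: sshconnect.c,v 1.168 2005/07/17 07:17:55 djm Exp $");
 #include "readconf.h"
 #include "atomicio.h"
 #include "misc.h"
-
 #include "dns.h"
 
 char *client_version_string = NULL;
 char *server_version_string = NULL;
 
-int matching_host_key_dns = 0;
+static int matching_host_key_dns = 0;
 
 /* import */
 extern Options options;
@@ -604,7 +603,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
  file_key = key_new(host_key->type);
 
  /*
- * Check if the host key is present in the user\'s list of known
+ * Check if the host key is present in the user's list of known
  * hosts or in the systemwide list.
  */
  host_file = user_hostfile;
@@ -1035,3 +1034,39 @@ warn_changed_key(Key *host_key)
 
  xfree(fp);
 }
+
+/*
+ * Execute a local command
+ */
+int
+ssh_local_cmd(const char *args)
+{
+ char *shell;
+ pid_t pid;
+ int status;
+
+ if (!options.permit_local_command ||
+ args == NULL || !*args)
+ return (1);
+
+ if ((shell = getenv("SHELL")) == NULL)
+ shell = _PATH_BSHELL;
+
+ pid = fork();
+ if (pid == 0) {
+ debug3("Executing %s -c \"%s\"", shell, args);
+ execl(shell, shell, "-c", args, (char *)NULL);
+ error("Couldn't execute %s -c \"%s\": %s",
+ shell, args, strerror(errno));
+ _exit(1);
+ } else if (pid == -1)
+ fatal("fork failed: %.100s", strerror(errno));
+ while (waitpid(pid, &status, 0) == -1)
+ if (errno != EINTR)
+ fatal("Couldn't wait for child: %s", strerror(errno));
+
+ if (!WIFEXITED(status))
+ return (1);
+
+ return (WEXITSTATUS(status));
+}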
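Review bot: `ssh_local_cmd` takes its interpreter from `getenv("SHELL")` and falls back to `_PATH_BSHELL` only when the variable is unset, but the `LocalCommand` entry this same commit adds to ssh_config.5 says the string "is executed with /bin/sh". The two should agree, because the shell that parses the command string decides how its quoting and metacharacters are read. Either the man page should say the user's shell is used, or the lookup should be replaced with a plain `shell = _PATH_BSHELL;`. The header comment should also state the return contract, e.g. `/* Run args via "$SHELL -c"; returns the child's exit status, or 1 if PermitLocalCommand is off, args is empty, or the child did not exit normally. */`, since a caller cannot tell a disabled option from a command that exited 1. A fork failure or `waitpid` error calls `fatal()`, which deserves a word in that comment too.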
diff --git a/sshconnect.h b/sshconnect.h
index 0be30fe69..e7c7a2b34 100644
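--- a/sshconnect.h
+++ b/sshconnect.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.h,v 1.17 2002/06/19 00:27:55 deraadt Exp $ */
+/* $OpenBSD: sshconnect.h,v 1.18 2005/12/06 22:38:28 reyk Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -49,7 +49,7 @@ void ssh_userauth1(const char *, const char *, char *, Sensitive *);
 void ssh_userauth2(const char *, const char *, char *, Sensitive *);
 
 void ssh_put_password(char *);
-
+int ssh_local_cmd(const char *);
 
 /*
  * Macros to raise/lower permissions.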
diff --git a/sshconnect1.c b/sshconnect1.c
index bd05723c7..440d7c5bd 100644
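--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,7 +13,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.61 2005/06/17 02:44:33 djm Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.62 2005/10/30 08:52:18 djm Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@@ -84,7 +84,7 @@ try_agent_authentication(void)
  /* Wait for server's response. */
  type = packet_read();
 
- /* The server sends failure if it doesn\'t like our key or
+ /* The server sends failure if it doesn't like our key or
  does not support RSA authentication. */
  if (type == SSH_SMSG_FAILURE) {
  debug("Server refused our key.");
@@ -215,8 +215,8 @@ try_rsa_authentication(int idx)
  type = packet_read();
 
  /*
- * The server responds with failure if it doesn\'t like our key or
- * doesn\'t support RSA authentication.
+ * The server responds with failure if it doesn't like our key or
+ * doesn't support RSA authentication.
  */
  if (type == SSH_SMSG_FAILURE) {
  debug("Server refused our key.");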
diff --git a/sshconnect2.c b/sshconnect2.c
index aa0b6ec59..1a69c6b2b 100644
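--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.142 2005/08/30 22:08:05 djm Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.143 2005/10/14 02:17:59 stevesk Exp $");
 
 #include "openbsd-compat/sys-queue.h"
 
@@ -754,7 +754,7 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
 
  packet_check_eom();
 
- debug("Server GSSAPI Error:\n%s\n", msg);
+ debug("Server GSSAPI Error:\n%s", msg);
  xfree(msg);
  xfree(lang);
 }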
diff --git a/sshd.0 b/sshd.0
index 9a9613b54..040be6cad 100644
--- a/sshd.0
+++ b/sshd.0
@@ -8,95 +8,20 @@ SYNOPSIS
8 [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len] 8 [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]
9 9
10DESCRIPTION 10DESCRIPTION
11 sshd (SSH Daemon) is the daemon program for ssh(1). Together these pro- 11 sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these
12 grams replace rlogin and rsh, and provide secure encrypted communications 12 programs replace rlogin and rsh, and provide secure encrypted communica-
13 between two untrusted hosts over an insecure network. The programs are 13 tions between two untrusted hosts over an insecure network.
14 intended to be as easy to install and use as possible.
15
16 sshd is the daemon that listens for connections from clients. It is nor-
17 mally started at boot from /etc/rc. It forks a new daemon for each in-
18 coming connection. The forked daemons handle key exchange, encryption,
19 authentication, command execution, and data exchange. This implementa-
20 tion of sshd supports both SSH protocol version 1 and 2 simultaneously.
21 sshd works as follows:
22
23 SSH protocol version 1
24 Each host has a host-specific RSA key (normally 2048 bits) used to iden-
25 tify the host. Additionally, when the daemon starts, it generates a
26 server RSA key (normally 768 bits). This key is normally regenerated ev-
27 ery hour if it has been used, and is never stored on disk.
28
29 Whenever a client connects, the daemon responds with its public host and
30 server keys. The client compares the RSA host key against its own
31 database to verify that it has not changed. The client then generates a
32 256-bit random number. It encrypts this random number using both the
33 host key and the server key, and sends the encrypted number to the serv-
34 er. Both sides then use this random number as a session key which is
35 used to encrypt all further communications in the session. The rest of
36 the session is encrypted using a conventional cipher, currently Blowfish
37 or 3DES, with 3DES being used by default. The client selects the encryp-
38 tion algorithm to use from those offered by the server.
39 14
40 Next, the server and the client enter an authentication dialog. The 15 sshd listens for connections from clients. It is normally started at
41 client tries to authenticate itself using .rhosts authentication combined 16 boot from /etc/rc. It forks a new daemon for each incoming connection.
42 with RSA host authentication, RSA challenge-response authentication, or 17 The forked daemons handle key exchange, encryption, authentication, com-
43 password based authentication. 18 mand execution, and data exchange.
44
45 Regardless of the authentication type, the account is checked to ensure
46 that it is accessible. An account is not accessible if it is locked,
47 listed in DenyUsers or its group is listed in DenyGroups . The defini-
48 tion of a locked account is system dependant. Some platforms have their
49 own account database (eg AIX) and some modify the passwd field ( `*LK*'
50 on Solaris, `*' on HP-UX, containing `Nologin' on Tru64 and a leading
51 `!!' on Linux). If there is a requirement to disable password authenti-
52 cation for the account while allowing still public-key, then the passwd
53 field should be set to something other than these values (eg `NP' or
54 `*NP*' ).
55
56 rshd, rlogind, and rexecd are disabled (thus completely disabling rlogin
57 and rsh into the machine).
58
59 SSH protocol version 2
60 Version 2 works similarly: Each host has a host-specific key (RSA or DSA)
61 used to identify the host. However, when the daemon starts, it does not
62 generate a server key. Forward security is provided through a Diffie-
63 Hellman key agreement. This key agreement results in a shared session
64 key.
65
66 The rest of the session is encrypted using a symmetric cipher, currently
67 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit
68 AES. The client selects the encryption algorithm to use from those of-
69 fered by the server. Additionally, session integrity is provided through
70 a cryptographic message authentication code (hmac-sha1 or hmac-md5).
71
72 Protocol version 2 provides a public key based user (PubkeyAuthentica-
73 tion) or client host (HostbasedAuthentication) authentication method,
74 conventional password authentication and challenge response based meth-
75 ods.
76
77 Command execution and data forwarding
78 If the client successfully authenticates itself, a dialog for preparing
79 the session is entered. At this time the client may request things like
80 allocating a pseudo-tty, forwarding X11 connections, forwarding TCP/IP
81 connections, or forwarding the authentication agent connection over the
82 secure channel.
83
84 Finally, the client either requests a shell or execution of a command.
85 The sides then enter session mode. In this mode, either side may send
86 data at any time, and such data is forwarded to/from the shell or command
87 on the server side, and the user terminal in the client side.
88
89 When the user program terminates and all forwarded X11 and other connec-
90 tions have been closed, the server sends command exit status to the
91 client, and both sides exit.
92 19
93 sshd can be configured using command-line options or a configuration file 20 sshd can be configured using command-line options or a configuration file
94 (by default sshd_config(5)). Command-line options override values speci- 21 (by default sshd_config(5)); command-line options override values speci-
95 fied in the configuration file. 22 fied in the configuration file. sshd rereads its configuration file when
96 23 it receives a hangup signal, SIGHUP, by executing itself with the name
97 sshd rereads its configuration file when it receives a hangup signal, 24 and options it was started with, e.g., /usr/sbin/sshd.
98 SIGHUP, by executing itself with the name and options it was started
99 with, e.g., /usr/sbin/sshd.
100 25
101 The options are as follows: 26 The options are as follows:
102 27
@@ -165,8 +90,9 @@ DESCRIPTION
165 -p port 90 -p port
166 Specifies the port on which the server listens for connections 91 Specifies the port on which the server listens for connections
167 (default 22). Multiple port options are permitted. Ports speci- 92 (default 22). Multiple port options are permitted. Ports speci-
168 fied in the configuration file are ignored when a command-line 93 fied in the configuration file with the Port option are ignored
169 port is specified. 94 when a command-line port is specified. Ports specified using the
95 ListenAddress option override command-line ports.
170 96
171 -q Quiet mode. Nothing is sent to the system log. Normally the be- 97 -q Quiet mode. Nothing is sent to the system log. Normally the be-
172 ginning, authentication, and termination of each connection is 98 ginning, authentication, and termination of each connection is
@@ -185,15 +111,74 @@ DESCRIPTION
185 the utmp file. -u0 may also be used to prevent sshd from making 111 the utmp file. -u0 may also be used to prevent sshd from making
186 DNS requests unless the authentication mechanism or configuration 112 DNS requests unless the authentication mechanism or configuration
187 requires it. Authentication mechanisms that may require DNS in- 113 requires it. Authentication mechanisms that may require DNS in-
188 clude RhostsRSAAuthentication, HostbasedAuthentication and using 114 clude RhostsRSAAuthentication, HostbasedAuthentication, and using
189 a from="pattern-list" option in a key file. Configuration op- 115 a from="pattern-list" option in a key file. Configuration op-
190 tions that require DNS include using a USER@HOST pattern in 116 tions that require DNS include using a USER@HOST pattern in
191 AllowUsers or DenyUsers. 117 AllowUsers or DenyUsers.
192 118
193CONFIGURATION FILE 119AUTHENTICATION
194 sshd reads configuration data from /etc/ssh/sshd_config (or the file 120 The OpenSSH SSH daemon supports SSH protocols 1 and 2. Both protocols
195 specified with -f on the command line). The file format and configura- 121 are supported by default, though this can be changed via the Protocol op-
196 tion options are described in sshd_config(5). 122 tion in sshd_config(5). Protocol 2 supports both RSA and DSA keys; pro-
123 tocol 1 only supports RSA keys. For both protocols, each host has a
124 host-specific key, normally 2048 bits, used to identify the host.
125
126 Forward security for protocol 1 is provided through an additional server
127 key, normally 768 bits, generated when the server starts. This key is
128 normally regenerated every hour if it has been used, and is never stored
129 on disk. Whenever a client connects, the daemon responds with its public
130 host and server keys. The client compares the RSA host key against its
131 own database to verify that it has not changed. The client then gener-
132 ates a 256-bit random number. It encrypts this random number using both
133 the host key and the server key, and sends the encrypted number to the
134 server. Both sides then use this random number as a session key which is
135 used to encrypt all further communications in the session. The rest of
136 the session is encrypted using a conventional cipher, currently Blowfish
137 or 3DES, with 3DES being used by default. The client selects the encryp-
138 tion algorithm to use from those offered by the server.
139
140 For protocol 2, forward security is provided through a Diffie-Hellman key
141 agreement. This key agreement results in a shared session key. The rest
142 of the session is encrypted using a symmetric cipher, currently 128-bit
143 AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The
144 client selects the encryption algorithm to use from those offered by the
145 server. Additionally, session integrity is provided through a crypto-
146 graphic message authentication code (hmac-sha1 or hmac-md5).
147
148 Finally, the server and the client enter an authentication dialog. The
149 client tries to authenticate itself using host-based authentication, pub-
150 lic key authentication, challenge-response authentication, or password
151 authentication.
152
153 Regardless of the authentication type, the account is checked to ensure
154 that it is accessible. An account is not accessible if it is locked,
155 listed in DenyUsers or its group is listed in DenyGroups . The defini-
156 tion of a locked account is system dependant. Some platforms have their
157 own account database (eg AIX) and some modify the passwd field ( `*LK*'
158 on Solaris and UnixWare, `*' on HP-UX, containing `Nologin' on Tru64, a
159 leading `*LOCKED*' on FreeBSD and a leading `!!' on Linux). If there is
160 a requirement to disable password authentication for the account while
161 allowing still public-key, then the passwd field should be set to some-
162 thing other than these values (eg `NP' or `*NP*' ).
163
164 System security is not improved unless rshd, rlogind, and rexecd are dis-
165 abled (thus completely disabling rlogin and rsh into the machine).
166
167COMMAND EXECUTION AND DATA FORWARDING
168 If the client successfully authenticates itself, a dialog for preparing
169 the session is entered. At this time the client may request things like
170 allocating a pseudo-tty, forwarding X11 connections, forwarding TCP con-
171 nections, or forwarding the authentication agent connection over the se-
172 cure channel.
173
174 Finally, the client either requests a shell or execution of a command.
175 The sides then enter session mode. In this mode, either side may send
176 data at any time, and such data is forwarded to/from the shell or command
177 on the server side, and the user terminal in the client side.
178
179 When the user program terminates and all forwarded X11 and other connec-
180 tions have been closed, the server sends command exit status to the
181 client, and both sides exit.
197 182
198LOGIN PROCESS 183LOGIN PROCESS
199 When a user successfully logs in, sshd does the following: 184 When a user successfully logs in, sshd does the following:
@@ -280,9 +265,9 @@ AUTHORIZED_KEYS FILE FORMAT
280 backslash. This option might be useful to restrict certain pub- 265 backslash. This option might be useful to restrict certain pub-
281 lic keys to perform just a specific operation. An example might 266 lic keys to perform just a specific operation. An example might
282 be a key that permits remote backups but nothing else. Note that 267 be a key that permits remote backups but nothing else. Note that
283 the client may specify TCP/IP and/or X11 forwarding unless they 268 the client may specify TCP and/or X11 forwarding unless they are
284 are explicitly prohibited. Note that this option applies to 269 explicitly prohibited. Note that this option applies to shell,
285 shell, command or subsystem execution. 270 command or subsystem execution.
286 271
287 environment="NAME=value" 272 environment="NAME=value"
288 Specifies that the string is to be added to the environment when 273 Specifies that the string is to be added to the environment when
@@ -293,10 +278,9 @@ AUTHORIZED_KEYS FILE FORMAT
293 This option is automatically disabled if UseLogin is enabled. 278 This option is automatically disabled if UseLogin is enabled.
294 279
295 no-port-forwarding 280 no-port-forwarding
296 Forbids TCP/IP forwarding when this key is used for authentica- 281 Forbids TCP forwarding when this key is used for authentication.
297 tion. Any port forward requests by the client will return an er- 282 Any port forward requests by the client will return an error.
298 ror. This might be used, e.g., in connection with the command 283 This might be used, e.g., in connection with the command option.
299 option.
300 284
301 no-X11-forwarding 285 no-X11-forwarding
302 Forbids X11 forwarding when this key is used for authentication. 286 Forbids X11 forwarding when this key is used for authentication.
@@ -316,6 +300,11 @@ AUTHORIZED_KEYS FILE FORMAT
316 is performed on the specified hostnames, they must be literal do- 300 is performed on the specified hostnames, they must be literal do-
317 mains or addresses. 301 mains or addresses.
318 302
303 tunnel="n"
304 Force a tun(4) device on the server. Without this option, the
305 next available device will be used if the client requests a tun-
306 nel.
307
319 Examples 308 Examples
320 1024 33 12121...312314325 ylo@foo.bar 309 1024 33 12121...312314325 ylo@foo.bar
321 310
@@ -326,6 +315,9 @@ AUTHORIZED_KEYS FILE FORMAT
326 315
327 permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 316 permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323
328 317
318 tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== reyk@openb-
319 sd.org
320
329SSH_KNOWN_HOSTS FILE FORMAT 321SSH_KNOWN_HOSTS FILE FORMAT
330 The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host 322 The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host
331 public keys for all known hosts. The global file should be prepared by 323 public keys for all known hosts. The global file should be prepared by
@@ -571,4 +563,4 @@ AUTHORS
571 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 563 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
572 for privilege separation. 564 for privilege separation.
573 565
574OpenBSD 3.8 September 25, 1999 9 566OpenBSD 3.9 September 25, 1999 9
diff --git a/sshd.8 b/sshd.8
index fdff4ac91..51d339b65 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: sshd.8,v 1.208 2005/06/08 03:50:00 djm Exp $ 37.\" $OpenBSD: sshd.8,v 1.215 2006/02/01 09:11:41 jmc Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSHD 8 39.Dt SSHD 8
40.Os 40.Os
@@ -56,16 +56,14 @@
56.Ek 56.Ek
57.Sh DESCRIPTION 57.Sh DESCRIPTION
58.Nm 58.Nm
59(SSH Daemon) is the daemon program for 59(OpenSSH Daemon) is the daemon program for
60.Xr ssh 1 . 60.Xr ssh 1 .
61Together these programs replace rlogin and rsh, and 61Together these programs replace rlogin and rsh, and
62provide secure encrypted communications between two untrusted hosts 62provide secure encrypted communications between two untrusted hosts
63over an insecure network. 63over an insecure network.
64The programs are intended to be as easy to
65install and use as possible.
66.Pp 64.Pp
67.Nm 65.Nm
68is the daemon that listens for connections from clients. 66listens for connections from clients.
69It is normally started at boot from 67It is normally started at boot from
70.Pa /etc/rc . 68.Pa /etc/rc .
71It forks a new 69It forks a new
@@ -73,119 +71,13 @@ daemon for each incoming connection.
73The forked daemons handle 71The forked daemons handle
74key exchange, encryption, authentication, command execution, 72key exchange, encryption, authentication, command execution,
75and data exchange. 73and data exchange.
76This implementation of
77.Nm
78supports both SSH protocol version 1 and 2 simultaneously.
79.Nm
80works as follows:
81.Ss SSH protocol version 1
82Each host has a host-specific RSA key
83(normally 2048 bits) used to identify the host.
84Additionally, when
85the daemon starts, it generates a server RSA key (normally 768 bits).
86This key is normally regenerated every hour if it has been used, and
87is never stored on disk.
88.Pp
89Whenever a client connects, the daemon responds with its public
90host and server keys.
91The client compares the
92RSA host key against its own database to verify that it has not changed.
93The client then generates a 256-bit random number.
94It encrypts this
95random number using both the host key and the server key, and sends
96the encrypted number to the server.
97Both sides then use this
98random number as a session key which is used to encrypt all further
99communications in the session.
100The rest of the session is encrypted
101using a conventional cipher, currently Blowfish or 3DES, with 3DES
102being used by default.
103The client selects the encryption algorithm
104to use from those offered by the server.
105.Pp
106Next, the server and the client enter an authentication dialog.
107The client tries to authenticate itself using
108.Em .rhosts
109authentication combined with RSA host
110authentication, RSA challenge-response authentication, or password
111based authentication.
112.Pp
113Regardless of the authentication type, the account is checked to
114ensure that it is accessible. An account is not accessible if it is
115locked, listed in
116.Cm DenyUsers
117or its group is listed in
118.Cm DenyGroups
119\&. The definition of a locked account is system dependant. Some platforms
120have their own account database (eg AIX) and some modify the passwd field (
121.Ql \&*LK\&*
122on Solaris,
123.Ql \&*
124on HP-UX, containing
125.Ql Nologin
126on Tru64 and a leading
127.Ql \&!!
128on Linux). If there is a requirement to disable password authentication
129for the account while allowing still public-key, then the passwd field
130should be set to something other than these values (eg
131.Ql NP
132or
133.Ql \&*NP\&*
134).
135.Pp
136.Nm rshd ,
137.Nm rlogind ,
138and
139.Nm rexecd
140are disabled (thus completely disabling
141.Xr rlogin
142and
143.Xr rsh
144into the machine).
145.Ss SSH protocol version 2
146Version 2 works similarly:
147Each host has a host-specific key (RSA or DSA) used to identify the host.
148However, when the daemon starts, it does not generate a server key.
149Forward security is provided through a Diffie-Hellman key agreement.
150This key agreement results in a shared session key.
151.Pp
152The rest of the session is encrypted using a symmetric cipher, currently
153128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
154The client selects the encryption algorithm
155to use from those offered by the server.
156Additionally, session integrity is provided
157through a cryptographic message authentication code
158(hmac-sha1 or hmac-md5).
159.Pp
160Protocol version 2 provides a public key based
161user (PubkeyAuthentication) or
162client host (HostbasedAuthentication) authentication method,
163conventional password authentication and challenge response based methods.
164.Ss Command execution and data forwarding
165If the client successfully authenticates itself, a dialog for
166preparing the session is entered.
167At this time the client may request
168things like allocating a pseudo-tty, forwarding X11 connections,
169forwarding TCP/IP connections, or forwarding the authentication agent
170connection over the secure channel.
171.Pp
172Finally, the client either requests a shell or execution of a command.
173The sides then enter session mode.
174In this mode, either side may send
175data at any time, and such data is forwarded to/from the shell or
176command on the server side, and the user terminal in the client side.
177.Pp
178When the user program terminates and all forwarded X11 and other
179connections have been closed, the server sends command exit status to
180the client, and both sides exit.
181.Pp 74.Pp
182.Nm 75.Nm
183can be configured using command-line options or a configuration file 76can be configured using command-line options or a configuration file
184(by default 77(by default
185.Xr sshd_config 5 ) . 78.Xr sshd_config 5 ) ;
186Command-line options override values specified in the 79command-line options override values specified in the
187configuration file. 80configuration file.
188.Pp
189.Nm 81.Nm
190rereads its configuration file when it receives a hangup signal, 82rereads its configuration file when it receives a hangup signal,
191.Dv SIGHUP , 83.Dv SIGHUP ,
@@ -285,8 +177,12 @@ For full details of the options, and their values, see
285Specifies the port on which the server listens for connections 177Specifies the port on which the server listens for connections
286(default 22). 178(default 22).
287Multiple port options are permitted. 179Multiple port options are permitted.
288Ports specified in the configuration file are ignored when a 180Ports specified in the configuration file with the
289command-line port is specified. 181.Cm Port
182option are ignored when a command-line port is specified.
183Ports specified using the
184.Cm ListenAddress
185option override command-line ports.
290.It Fl q 186.It Fl q
291Quiet mode. 187Quiet mode.
292Nothing is sent to the system log. 188Nothing is sent to the system log.
@@ -321,7 +217,7 @@ from making DNS requests unless the authentication
321mechanism or configuration requires it. 217mechanism or configuration requires it.
322Authentication mechanisms that may require DNS include 218Authentication mechanisms that may require DNS include
323.Cm RhostsRSAAuthentication , 219.Cm RhostsRSAAuthentication ,
324.Cm HostbasedAuthentication 220.Cm HostbasedAuthentication ,
325and using a 221and using a
326.Cm from="pattern-list" 222.Cm from="pattern-list"
327option in a key file. 223option in a key file.
@@ -331,15 +227,114 @@ USER@HOST pattern in
331or 227or
332.Cm DenyUsers . 228.Cm DenyUsers .
333.El 229.El
334.Sh CONFIGURATION FILE 230.Sh AUTHENTICATION
335.Nm 231The OpenSSH SSH daemon supports SSH protocols 1 and 2.
336reads configuration data from 232Both protocols are supported by default,
337.Pa /etc/ssh/sshd_config 233though this can be changed via the
338(or the file specified with 234.Cm Protocol
339.Fl f 235option in
340on the command line).
341The file format and configuration options are described in
342.Xr sshd_config 5 . 236.Xr sshd_config 5 .
237Protocol 2 supports both RSA and DSA keys;
238protocol 1 only supports RSA keys.
239For both protocols,
240each host has a host-specific key,
241normally 2048 bits,
242used to identify the host.
243.Pp
244Forward security for protocol 1 is provided through
245an additional server key,
246normally 768 bits,
247generated when the server starts.
248This key is normally regenerated every hour if it has been used, and
249is never stored on disk.
250Whenever a client connects, the daemon responds with its public
251host and server keys.
252The client compares the
253RSA host key against its own database to verify that it has not changed.
254The client then generates a 256-bit random number.
255It encrypts this
256random number using both the host key and the server key, and sends
257the encrypted number to the server.
258Both sides then use this
259random number as a session key which is used to encrypt all further
260communications in the session.
261The rest of the session is encrypted
262using a conventional cipher, currently Blowfish or 3DES, with 3DES
263being used by default.
264The client selects the encryption algorithm
265to use from those offered by the server.
266.Pp
267For protocol 2,
268forward security is provided through a Diffie-Hellman key agreement.
269This key agreement results in a shared session key.
270The rest of the session is encrypted using a symmetric cipher, currently
271128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
272The client selects the encryption algorithm
273to use from those offered by the server.
274Additionally, session integrity is provided
275through a cryptographic message authentication code
276(hmac-sha1 or hmac-md5).
277.Pp
278Finally, the server and the client enter an authentication dialog.
279The client tries to authenticate itself using
280host-based authentication,
281public key authentication,
282challenge-response authentication,
283or password authentication.
284.Pp
285Regardless of the authentication type, the account is checked to
286ensure that it is accessible. An account is not accessible if it is
287locked, listed in
288.Cm DenyUsers
289or its group is listed in
290.Cm DenyGroups
291\&. The definition of a locked account is system dependant. Some platforms
292have their own account database (eg AIX) and some modify the passwd field (
293.Ql \&*LK\&*
294on Solaris and UnixWare,
295.Ql \&*
296on HP-UX, containing
297.Ql Nologin
298on Tru64,
299a leading
300.Ql \&*LOCKED\&*
301on FreeBSD and a leading
302.Ql \&!!
303on Linux). If there is a requirement to disable password authentication
304for the account while allowing still public-key, then the passwd field
305should be set to something other than these values (eg
306.Ql NP
307or
308.Ql \&*NP\&*
309).
310.Pp
311System security is not improved unless
312.Nm rshd ,
313.Nm rlogind ,
314and
315.Nm rexecd
316are disabled (thus completely disabling
317.Xr rlogin
318and
319.Xr rsh
320into the machine).
321.Sh COMMAND EXECUTION AND DATA FORWARDING
322If the client successfully authenticates itself, a dialog for
323preparing the session is entered.
324At this time the client may request
325things like allocating a pseudo-tty, forwarding X11 connections,
326forwarding TCP connections, or forwarding the authentication agent
327connection over the secure channel.
328.Pp
329Finally, the client either requests a shell or execution of a command.
330The sides then enter session mode.
331In this mode, either side may send
332data at any time, and such data is forwarded to/from the shell or
333command on the server side, and the user terminal in the client side.
334.Pp
335When the user program terminates and all forwarded X11 and other
336connections have been closed, the server sends command exit status to
337the client, and both sides exit.
343.Sh LOGIN PROCESS 338.Sh LOGIN PROCESS
344When a user successfully logs in, 339When a user successfully logs in,
345.Nm 340.Nm
@@ -473,7 +468,7 @@ A quote may be included in the command by quoting it with a backslash.
473This option might be useful 468This option might be useful
474to restrict certain public keys to perform just a specific operation. 469to restrict certain public keys to perform just a specific operation.
475An example might be a key that permits remote backups but nothing else. 470An example might be a key that permits remote backups but nothing else.
476Note that the client may specify TCP/IP and/or X11 471Note that the client may specify TCP and/or X11
477forwarding unless they are explicitly prohibited. 472forwarding unless they are explicitly prohibited.
478Note that this option applies to shell, command or subsystem execution. 473Note that this option applies to shell, command or subsystem execution.
479.It Cm environment="NAME=value" 474.It Cm environment="NAME=value"
@@ -490,7 +485,7 @@ This option is automatically disabled if
490.Cm UseLogin 485.Cm UseLogin
491is enabled. 486is enabled.
492.It Cm no-port-forwarding 487.It Cm no-port-forwarding
493Forbids TCP/IP forwarding when this key is used for authentication. 488Forbids TCP forwarding when this key is used for authentication.
494Any port forward requests by the client will return an error. 489Any port forward requests by the client will return an error.
495This might be used, e.g., in connection with the 490This might be used, e.g., in connection with the
496.Cm command 491.Cm command
@@ -515,6 +510,12 @@ Multiple
515options may be applied separated by commas. 510options may be applied separated by commas.
516No pattern matching is performed on the specified hostnames, 511No pattern matching is performed on the specified hostnames,
517they must be literal domains or addresses. 512they must be literal domains or addresses.
513.It Cm tunnel="n"
514Force a
515.Xr tun 4
516device on the server.
517Without this option, the next available device will be used if
518the client requests a tunnel.
518.El 519.El
519.Ss Examples 520.Ss Examples
5201024 33 12121...312314325 ylo@foo.bar 5211024 33 12121...312314325 ylo@foo.bar
@@ -524,6 +525,8 @@ from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula
524command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi 525command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi
525.Pp 526.Pp
526permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 527permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323
528.Pp
529tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== reyk@openbsd.org
527.Sh SSH_KNOWN_HOSTS FILE FORMAT 530.Sh SSH_KNOWN_HOSTS FILE FORMAT
528The 531The
529.Pa /etc/ssh/ssh_known_hosts 532.Pa /etc/ssh/ssh_known_hosts
diff --git a/sshd.c b/sshd.c
index da0b26587..1eac32797 100644
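--- a/sshd.c
+++ b/sshd.c
@@ -42,7 +42,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.312 2005/07/25 11:59:40 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.318 2005/12/24 02:27:41 djm Exp $");
 
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -637,16 +637,8 @@ privsep_postauth(Authctxt *authctxt)
  if (authctxt->pw->pw_uid == 0 || options.use_login) {
 #endif
  /* File descriptor passing is broken or root login */
- monitor_apply_keystate(pmonitor);
  use_privsep = 0;
- return;
- }
-
- /* Authentication complete */
- alarm(0);
- if (startup_pipe != -1) {
- close(startup_pipe);
- startup_pipe = -1;
+ goto skip;
  }
 
  /* New socket pair */
@@ -673,6 +665,7 @@ privsep_postauth(Authctxt *authctxt)
  /* Drop privileges */
  do_setusercontext(authctxt->pw);
 
+ skip:
  /* It is safe now to apply the key state */
  monitor_apply_keystate(pmonitor);
 
@@ -804,6 +797,7 @@ send_rexec_state(int fd, Buffer *conf)
  * bignum iqmp "
  * bignum p "
  * bignum q "
+ * string rngseed (only if OpenSSL is not self-seeded)
  */
  buffer_init(&m);
  buffer_put_cstring(&m, buffer_ptr(conf));
@@ -820,6 +814,10 @@ send_rexec_state(int fd, Buffer *conf)
  } else
  buffer_put_int(&m, 0);
 
+#ifndef OPENSSL_PRNG_ONLY
+ rexec_send_rng_seed(&m);
+#endif
+
  if (ssh_msg_send(fd, 0, &m) == -1)
  fatal("%s: ssh_msg_send failed", __func__);
 
@@ -862,6 +860,11 @@ recv_rexec_state(int fd, Buffer *conf)
  rsa_generate_additional_parameters(
  sensitive_data.server_key->rsa);
  }
+
+#ifndef OPENSSL_PRNG_ONLY
+ rexec_recv_rng_seed(&m);
+#endif
+
  buffer_free(&m);
 
  debug3("%s: done", __func__);
@@ -918,6 +921,9 @@ main(int ac, char **av)
  if (geteuid() == 0 && setgroups(0, NULL) == -1)
  debug("setgroups(): %.200s", strerror(errno));
 
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
  /* Initialize configuration options to their default values. */
  initialize_server_options(&options);
 
@@ -1055,8 +1061,6 @@ main(int ac, char **av)
  drop_cray_privs();
 #endif
 
- seed_rng();
-
  sensitive_data.server_key = NULL;
  sensitive_data.ssh1_host_key = NULL;
  sensitive_data.have_ssh1_key = 0;
@@ -1075,6 +1079,8 @@ main(int ac, char **av)
  if (!rexec_flag)
  buffer_free(&cfg);
 
+ seed_rng();
+
  /* Fill in default values for those options not explicitly set. */
  fill_default_server_options(&options);
 
@@ -1645,7 +1651,12 @@ main(int ac, char **av)
  debug("get_remote_port failed");
  cleanup_exit(255);
  }
- remote_ip = get_remote_ipaddr();
+
+ /*
+ * We use get_canonical_hostname with usedns = 0 instead of
+ * get_remote_ipaddr here so IP options will be checked.
+ */
+ remote_ip = get_canonical_hostname(0);
 
 #ifdef SSH_AUDIT_EVENTS
  audit_connection_from(remote_ip, remote_port);
@@ -1699,8 +1710,7 @@ main(int ac, char **av)
  error("SessionGetInfo() failed with error %.8X",
  (unsigned) err);
  else
- debug("Current Session ID is %.8X / Session Attributes a
-re %.8X",
+ debug("Current Session ID is %.8X / Session Attributes are %.8X",
  (unsigned) sid, (unsigned) sattrs);
 
  if (inetd_flag && !(sattrs & sessionIsRoot))
@@ -1719,18 +1729,17 @@ re %.8X",
  error("SessionGetInfo() failed with error %.8X",
  (unsigned) err);
  else
- debug("New Session ID is %.8X / Session Attribut
-es are %.8X",
+ debug("New Session ID is %.8X / Session Attributes are %.8X",
  (unsigned) sid, (unsigned) sattrs);
  }
  }
 #endif
 
  /*
- * We don\'t want to listen forever unless the other side
+ * We don't want to listen forever unless the other side
  * successfully authenticates itself. So we set up an alarm which is
  * cleared after successful authentication. A limit of zero
- * indicates no limit. Note that we don\'t set the alarm in debugging
+ * indicates no limit. Note that we don't set the alarm in debugging
  * mode; it is just annoying to have the server exit just when you
  * are about to discover the bug.
  */
@@ -1777,6 +1786,17 @@ es are %.8X",
  }
 
  authenticated:
+ /*
+ * Cancel the alarm we set to limit the time taken for
+ * authentication.
+ */
+ alarm(0);
+ signal(SIGALRM, SIG_DFL);
+ if (startup_pipe != -1) {
+ close(startup_pipe);
+ startup_pipe = -1;
+ }
+
 #ifdef SSH_AUDIT_EVENTS
  audit_event(SSH_AUTH_SUCCESS);
 #endif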
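Review bot: In the `main()` hunk at new line 1659, the IP-options check on an incoming connection now runs only as a side effect of `get_canonical_hostname(0)`, and the string it returns is what `audit_connection_from(remote_ip, remote_port)` records a few lines later. The added comment covers the side effect but not that the `0` argument matters too: if it were ever replaced by the configured UseDNS value, audit and log records would presumably carry a reverse-DNS name supplied by the peer rather than the numeric address. I would add one line to the comment, `* usedns must stay 0: remote_ip is audited and logged and has to be the numeric address.` The body of get_canonical_hostname is not shown in this file section, so what it does when IP options are present should be confirmed there; main() starts and ends outside the hunk.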
diff --git a/sshd_config b/sshd_config
index 1440c05ff..4957dd1a6 100644
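--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $
+# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
 
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -96,6 +96,7 @@
 #UseDNS yes
 #PidFile /var/run/sshd.pid
 #MaxStartups 10
+#PermitTunnel no
 
 # no default banner path
 #Banner /some/path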
diff --git a/sshd_config.0 b/sshd_config.0
index d821a84b6..d2c5454e1 100644
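--- a/sshd_config.0
+++ b/sshd_config.0
@@ -92,7 +92,7 @@ DESCRIPTION
  aes192-ctr,aes256-ctr''
 
  ClientAliveCountMax
- Sets the number of client alive messages (see above) which may be
+ Sets the number of client alive messages (see below) which may be
  sent without sshd receiving any messages back from the client.
  If this threshold is reached while client alive messages are be-
  ing sent, sshd will disconnect the client, terminating the ses-
@@ -104,9 +104,10 @@ DESCRIPTION
  able when the client or server depend on knowing when a connec-
  tion has become inactive.
 
- The default value is 3. If ClientAliveInterval (above) is set to
- 15, and ClientAliveCountMax is left at the default, unresponsive
- ssh clients will be disconnected after approximately 45 seconds.
+ The default value is 3. If ClientAliveInterval (see below) is
+ set to 15, and ClientAliveCountMax is left at the default, unre-
+ sponsive ssh clients will be disconnected after approximately 45
+ seconds.
 
  ClientAliveInterval
  Sets a timeout interval in seconds after which if no data has
@@ -198,7 +199,7 @@ DESCRIPTION
 
  KerberosGetAFSToken
  If AFS is active and the user has a Kerberos 5 TGT, attempt to
- aquire an AFS token before accessing the user's home directory.
+ acquire an AFS token before accessing the user's home directory.
  Default is ``no''.
 
  KerberosOrLocalPasswd
@@ -295,6 +296,11 @@ DESCRIPTION
 
  If this option is set to ``no'' root is not allowed to log in.
 
+ PermitTunnel
+ Specifies whether tun(4) device forwarding is allowed. The argu-
+ ment must be ``yes'', ``point-to-point'', ``ethernet'' or ``no''.
+ The default is ``no''.
+
  PermitUserEnvironment
  Specifies whether ~/.ssh/environment and environment= options in
  ~/.ssh/authorized_keys are processed by sshd. The default is
@@ -501,4 +507,4 @@ AUTHORS
  versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
  for privilege separation.
 
-OpenBSD 3.8 September 25, 1999 8
+OpenBSD 3.9 September 25, 1999 8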
diff --git a/sshd_config.5 b/sshd_config.5
index 5af4b1b27..841cb29d3 100644
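--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.44 2005/07/25 11:59:40 markus Exp $
+.\" $OpenBSD: sshd_config.5,v 1.48 2006/01/02 17:09:49 jmc Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -181,7 +181,7 @@ The default is
  aes192-ctr,aes256-ctr''
 .Ed
 .It Cm ClientAliveCountMax
-Sets the number of client alive messages (see above) which may be
+Sets the number of client alive messages (see below) which may be
 sent without
 .Nm sshd
 receiving any messages back from the client.
@@ -203,7 +203,7 @@ server depend on knowing when a connection has become inactive.
 The default value is 3.
 If
 .Cm ClientAliveInterval
-(above) is set to 15, and
+(see below) is set to 15, and
 .Cm ClientAliveCountMax
 is left at the default, unresponsive ssh clients
 will be disconnected after approximately 45 seconds.
@@ -354,7 +354,7 @@ Kerberos servtab which allows the verification of the KDC's identity.
 Default is
 .Dq no .
 .It Cm KerberosGetAFSToken
-If AFS is active and the user has a Kerberos 5 TGT, attempt to aquire
+If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
 an AFS token before accessing the user's home directory.
 Default is
 .Dq no .
@@ -508,6 +508,18 @@ All other authentication methods are disabled for root.
 If this option is set to
 .Dq no
 root is not allowed to log in.
+.It Cm PermitTunnel
+Specifies whether
+.Xr tun 4
+device forwarding is allowed.
+The argument must be
+.Dq yes ,
+.Dq point-to-point ,
+.Dq ethernet
+or
+.Dq no .
+The default is
+.Dq no .
 .It Cm PermitUserEnvironment
 Specifies whether
 .Pa ~/.ssh/environment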
diff --git a/version.h b/version.h
index b9c87e2fb..d5fd0c6ce 100644
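--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
-/* $OpenBSD: version.h,v 1.45 2005/08/31 09:28:42 markus Exp $ */
+/* $OpenBSD: version.h,v 1.46 2006/02/01 11:27:22 markus Exp $ */
 
-#define SSH_VERSION "OpenSSH_4.2"
+#define SSH_VERSION "OpenSSH_4.3"
 
-#define SSH_PORTABLE "p1"
+#define SSH_PORTABLE "p2"
 #define SSH_RELEASE SSH_VERSION SSH_PORTABLE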